PolicyCommands.php

<?php

namespace Drush\Commands;

use Consolidation\AnnotatedCommand\CommandData;
use Consolidation\AnnotatedCommand\Hooks\HookManager;
use Drush\Attributes as CLI;
use Drush\Commands\core\RsyncCommands;
use Drush\Commands\core\UpdateDBCommands;
use Drush\Commands\sql\SqlSyncCommands;

/**
 * Load this commandfile using the --include option - e.g. `drush --include=/path/to/drush/examples`
 *
 * See [Drush Test Traits](https://github.com/drush-ops/drush/blob/13.x/docs/contribute/unish.md#about-the-test-suites) for info on testing Drush commands.
 */

class PolicyCommands extends DrushCommands
{
    /**
     * Prevent catastrophic braino. Note that this file has to be local to the
     * machine that initiates the sql:sync command.
     *
     * @throws \Exception
     */
    #[CLI\Hook(type: HookManager::ARGUMENT_VALIDATOR, target: SqlSyncCommands::SYNC)]
    public function sqlSyncValidate(CommandData $commandData)
    {
        if ($commandData->input()->getArgument('target') == '@prod') {
            throw new \Exception(dt('Per !file, you may never overwrite the production database.', ['!file' => __FILE__]));
        }
    }

    /**
     * Limit rsync operations to production site.
     */
    #[CLI\Hook(type: HookManager::ARGUMENT_VALIDATOR, target: RsyncCommands::RSYNC)]
    public function rsyncValidate(CommandData $commandData)
    {
        if (preg_match("/^@prod/", $commandData->input()->getArgument('target'))) {
            throw new \Exception(dt('Per !file, you may never rsync to the production site.', ['!file' => __FILE__]));
        }
    }

    /**
     * Unauthorized may not execute updates.
     */
    #[CLI\Hook(type: HookManager::ARGUMENT_VALIDATOR, target: UpdateDBCommands::UPDATEDB)]
    public function validateUpdateDb(CommandData $commandData)
    {
        if (!$commandData->input()->getOption('secret') == 'mysecret') {
            throw new \Exception(dt('UpdateDb command requires a secret token per site policy.'));
        }
    }

    #[CLI\Hook(type: HookManager::OPTION_HOOK, target: UpdateDBCommands::UPDATEDB)]
    #[CLI\Option(name: 'secret', description: 'A required token else user may not run updatedb command.')]
    public function optionsetUpdateDb($options = ['secret' => self::REQ])
    {
    }
}

Last update: March 15, 2023