From 852aec21e30d39747df78071e3aeea166dcc0fb4 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Sun, 25 Feb 2018 18:28:01 +0100
Subject: [PATCH] Allow unlinked CVEs and poll for valid links

This way new CVEs that are added will start off being listed, but not with a link. When upstream (currently redhat) publishes the CVE, a cronjob will pick this up and update it with a link. Of course, we still only show CVEs that are listed as public, but this should hopefully get rid of some of the questions of why we link to a 404.
---
 pgweb/security/management/__init__.py | 0
 .../security/management/commands/__init__.py | 0
 .../management/commands/update_cve_links.py | 37 +++++++++++++++++++
 pgweb/security/migrations/0002_cve_visible.py | 24 ++++++++++++
 pgweb/security/models.py | 5 +++
 templates/security/security.html | 2 +-
 6 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 pgweb/security/management/__init__.py
 create mode 100644 pgweb/security/management/commands/__init__.py
 create mode 100644 pgweb/security/management/commands/update_cve_links.py
 create mode 100644 pgweb/security/migrations/0002_cve_visible.py
diff --git a/pgweb/security/management/__init__.py b/pgweb/security/management/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/pgweb/security/management/commands/__init__.py b/pgweb/security/management/commands/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/pgweb/security/management/commands/update_cve_links.py b/pgweb/security/management/commands/update_cve_links.py
new file mode 100644
index 00000000..799dd72c
--- /dev/null
+++ b/pgweb/security/management/commands/update_cve_links.py
@@ -0,0 +1,37 @@
+#
+# Script to poll for CVE links, to make the actual link visible
+# once they have showed up upstream.
+#
+
+from django.core.management.base import BaseCommand
+from django.db import connection, transaction
+from django.conf import settings
+
+from pgweb.security.models import SecurityPatch
+from pgweb.mailqueue.util import send_simple_mail
+from pgweb.util.misc import varnish_purge
+
+import requests
+
+class Command(BaseCommand):
+ help = 'Update CVE links'
+
+ def handle(self, *args, **options):
+ with transaction.atomic():
+ newly_visible = []
+ for s in SecurityPatch.objects.filter(cve_visible=False):
+ r = requests.get(s.cvelink, timeout=10)
+ if r.status_code == 200:
+ newly_visible.append(s.cve)
+ s.cve_visible = True
+ s.save()
+ if newly_visible:
+ send_simple_mail(settings.NOTIFICATION_FROM,
+ settings.NOTIFICATION_EMAIL,
+ "CVE entries made public",
+ """The following CVE entries are now public upstream,
+and have been made visible on the website.
+
+{0}
+""".format("\n".join(newly_visible)))
+ map(varnish_purge, SecurityPatch.purge_urls)
diff --git a/pgweb/security/migrations/0002_cve_visible.py b/pgweb/security/migrations/0002_cve_visible.py
new file mode 100644
index 00000000..03661226
--- /dev/null
+++ b/pgweb/security/migrations/0002_cve_visible.py
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('security', '0001_initial'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='securitypatch',
+ name='cve_visible',
+ field=models.BooleanField(default=True),
+ ),
+ migrations.AlterField(
+ model_name='securitypatch',
+ name='cve_visible',
+ field=models.BooleanField(default=False),
+ ),
+ ]
diff --git a/pgweb/security/models.py b/pgweb/security/models.py
index e4ec6563..e8131675 100644
--- a/pgweb/security/models.py
+++ b/pgweb/security/models.py
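Review bot: One failed fetch in `handle` aborts the whole run, because `requests.get(s.cvelink, timeout=10)` is called inside `transaction.atomic()` with no exception handling: a timeout or connection error on any entry propagates, rolls back the `cve_visible` updates already made and skips the notification, and the transaction is held open while waiting on upstream. The loop also polls rows whose `cve` is empty (the field is `blank=True` in models.py), for which the new `cvelink` property yields the bare `.../CVE-` URL, and it accepts any final 200 even after a redirect, since requests follows redirects by default; how upstream answers such requests is not visible here and should be confirmed. The sketch below catches `requests.exceptions.RequestException` per entry, skips blank ids and keeps the network call outside the transaction. `map(varnish_purge, ...)` only runs the purges because Python 2's `map` is eager; a plain `for` loop states the side effect directly.

```python
    def handle(self, *args, **options):
        newly_visible = []
        # Rows without a CVE id would be polled at the bare ".../CVE-" URL; skip them.
        for s in SecurityPatch.objects.filter(cve_visible=False).exclude(cve=''):
            try:
                # Fetched outside the transaction so a slow upstream does not hold it open.
                r = requests.get(s.cvelink, timeout=10)
            except requests.exceptions.RequestException:
                # One unreachable entry must not undo the others; it is retried on the next run.
                continue
            if r.status_code == 200:
                with transaction.atomic():
                    s.cve_visible = True
                    s.save()
                newly_visible.append(s.cve)
        # ... unchanged: notification mail when newly_visible is non-empty ...
        for url in SecurityPatch.purge_urls:
            varnish_purge(url)
```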
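Review bot: The `AddField(default=True)` followed directly by `AlterField(default=False)` on `cve_visible` reads like a mistake without a comment. It appears intended to backfill existing rows as visible while new rows start hidden; if so, say it above `operations`, e.g. `# Existing rows keep their link (backfilled True); rows added later start hidden until update_cve_links confirms the upstream page.` The backfill marks every existing row visible without checking it, so entries whose upstream page is still missing keep a dead link until someone clears the flag by hand.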
@@ -49,6 +49,7 @@ class SecurityPatch(models.Model):
 public = models.BooleanField(null=False, blank=False, default=False)
 newspost = models.ForeignKey(NewsArticle, null=True, blank=True)
 cve = models.CharField(max_length=32, null=False, blank=True, validators=[cve_validator,])
+ cve_visible = models.BooleanField(null=False, blank=False, default=False)
 cvenumber = models.IntegerField(null=False, blank=False, db_index=True)
 detailslink = models.URLField(null=False, blank=True)
 description = models.TextField(null=False, blank=False)
@@ -100,6 +101,10 @@ class SecurityPatch(models.Model):
 except Exception, e:
 return -1

+ @property
+ def cvelink(self):
+ return "https://access.redhat.com/security/cve/CVE-{0}".format(self.cve)
+
 class Meta:
 verbose_name_plural = 'Security patches'
 ordering = ('-cvenumber',)
diff --git a/templates/security/security.html b/templates/security/security.html
index ee9632a8..ef4197b1 100644
--- a/templates/security/security.html
+++ b/templates/security/security.html
@@ -73,7 +73,7 @@ You can filter the view of patches to show just patches for version:
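Review bot: `cvelink` in the second models.py hunk hard-codes the upstream base URL inside the model, while the commit message describes upstream as "currently redhat". Since the cron job fetches whatever this property returns, I would move the base into a module-level constant or a setting, and give the property a docstring such as `"""URL of the upstream page for this CVE; only meaningful when cve is non-empty."""`. The `SecurityPatch` class begins and ends outside this hunk, so whether other code already builds the same URL cannot be checked from here.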
{%for p in patches%} -{%if p.cve%}CVE-{{p.cve}}
{%endif%} +{%if p.cve%}{%if p.cve_visible%}CVE-{{p.cve}}{%else%}CVE-{{p.cve}}{%endif%}
{%endif%} {%if p.newspost%}Announcement
{%endif%} {{p.affected|join:", "}} -- 2.39.5