authorMagnus Hagander2018-02-25 17:28:01 +0000
committerMagnus Hagander2018-02-25 17:31:43 +0000
commit852aec21e30d39747df78071e3aeea166dcc0fb4 (patch)
treea14da3b547c799124799becbe8934168a1f3d2ab /pgweb/security
parent90b7e2a637b64f9ecc886ff6d2545672b0cccdf9 (diff)
Allow unlinked CVEs and poll for valid links
This way new CVEs that are added will start off being listed, but not with a link. When upstream (currently redhat) publishes the CVE, a cronjob will pick this up and update it with a link. Of course, we still only show CVEs that are listed as public, but this should hopefully get rid of some of the questions of why we link to a 404.
Diffstat (limited to 'pgweb/security')
-rw-r--r--pgweb/security/management/__init__.py0
-rw-r--r--pgweb/security/management/commands/__init__.py0
-rw-r--r--pgweb/security/management/commands/update_cve_links.py37
-rw-r--r--pgweb/security/migrations/0002_cve_visible.py24
-rw-r--r--pgweb/security/models.py5
5 files changed, 66 insertions, 0 deletions
diff --git a/pgweb/security/management/__init__.py b/pgweb/security/management/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/pgweb/security/management/__init__.py
diff --git a/pgweb/security/management/commands/__init__.py b/pgweb/security/management/commands/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/pgweb/security/management/commands/__init__.py
diff --git a/pgweb/security/management/commands/update_cve_links.py b/pgweb/security/management/commands/update_cve_links.py
new file mode 100644
index 00000000..799dd72c
--- /dev/null
+++ b/pgweb/security/management/commands/update_cve_links.py
@@ -0,0 +1,37 @@
+#
+# Script to poll for CVE links, to make the actual link visible
+# once they have showed up upstream.
+#
+
+from django.core.management.base import BaseCommand
+from django.db import connection, transaction
+from django.conf import settings
+
+from pgweb.security.models import SecurityPatch
+from pgweb.mailqueue.util import send_simple_mail
+from pgweb.util.misc import varnish_purge
+
+import requests
+
+class Command(BaseCommand):
+ help = 'Update CVE links'
+
+ def handle(self, *args, **options):
+ with transaction.atomic():
+ newly_visible = []
+ for s in SecurityPatch.objects.filter(cve_visible=False):
+ r = requests.get(s.cvelink, timeout=10)
+ if r.status_code == 200:
+ newly_visible.append(s.cve)
+ s.cve_visible = True
+ s.save()
+ if newly_visible:
+ send_simple_mail(settings.NOTIFICATION_FROM,
+ settings.NOTIFICATION_EMAIL,
+ "CVE entries made public",
+ """The following CVE entries are now public upstream,
+and have been made visible on the website.
+
+{0}
+""".format("\n".join(newly_visible)))
+ map(varnish_purge, SecurityPatch.purge_urls)
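Review bot: The `requests.get(s.cvelink, timeout=10)` call in `handle` has no exception handling and runs inside `transaction.atomic()`, so a single timeout or connection error raises out of the loop, rolls back every `cve_visible` update made earlier in the run, and skips the mail and the purge. The same loop also polls rows whose `cve` is blank (the model field is `blank=True`), for which the `cvelink` property added in models.py yields a URL ending in `CVE-`. Because requests follows redirects by default, a 200 at the end of any redirect chain would mark such a row visible. I would skip blank CVEs and treat a failed request as "not yet public", as sketched below, and it is worth deciding whether a redirected response should count. Separately, `map(varnish_purge, ...)` is used only for its side effect and runs eagerly only on Python 2; a plain `for` loop states the intent.

```python
for s in SecurityPatch.objects.filter(cve_visible=False).exclude(cve=''):
    try:
        r = requests.get(s.cvelink, timeout=10)
    except requests.RequestException:
        # Upstream unreachable: leave the entry hidden and retry on the next run
        continue
    if r.status_code == 200:
        # … unchanged: record s.cve, set cve_visible, save …
```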
diff --git a/pgweb/security/migrations/0002_cve_visible.py b/pgweb/security/migrations/0002_cve_visible.py
new file mode 100644
index 00000000..03661226
--- /dev/null
+++ b/pgweb/security/migrations/0002_cve_visible.py
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('security', '0001_initial'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='securitypatch',
+ name='cve_visible',
+ field=models.BooleanField(default=True),
+ ),
+ migrations.AlterField(
+ model_name='securitypatch',
+ name='cve_visible',
+ field=models.BooleanField(default=False),
+ ),
+ ]
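Review bot: The two operations on `cve_visible` read as redundant without a comment: `AddField` with `default=True` is followed immediately by `AlterField` with `default=False`. Presumably the intent is that rows existing at migration time are backfilled as visible while rows created afterwards start hidden. A comment above `operations`, such as `# Add with default=True so existing rows keep their link, then flip the default so new CVEs start unlinked.`, would keep a later squash or cleanup from collapsing the two steps into one.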
diff --git a/pgweb/security/models.py b/pgweb/security/models.py
index e4ec6563..e8131675 100644
--- a/pgweb/security/models.py
+++ b/pgweb/security/models.py
@@ -49,6 +49,7 @@ class SecurityPatch(models.Model):
public = models.BooleanField(null=False, blank=False, default=False)
newspost = models.ForeignKey(NewsArticle, null=True, blank=True)
cve = models.CharField(max_length=32, null=False, blank=True, validators=[cve_validator,])
+ cve_visible = models.BooleanField(null=False, blank=False, default=False)
cvenumber = models.IntegerField(null=False, blank=False, db_index=True)
detailslink = models.URLField(null=False, blank=True)
description = models.TextField(null=False, blank=False)
@@ -100,6 +101,10 @@ class SecurityPatch(models.Model):
except Exception, e:
return -1
+ @property
+ def cvelink(self):
+ return "https://access.redhat.com/security/cve/CVE-{0}".format(self.cve)
+
class Meta:
verbose_name_plural = 'Security patches'
ordering = ('-cvenumber',)