github.com/jlevesy/mattermost-server@v5.3.2-0.20181003190404-7468f35cb0c8+incompatible/app/security_update_check.go (about)

     1  // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package app
     5  
     6  import (
     7  	"fmt"
     8  	"io/ioutil"
     9  	"net/http"
    10  	"net/url"
    11  	"runtime"
    12  	"strconv"
    13  
    14  	"github.com/mattermost/mattermost-server/mlog"
    15  	"github.com/mattermost/mattermost-server/model"
    16  	"github.com/mattermost/mattermost-server/utils"
    17  )
    18  
    19  const (
    20  	SECURITY_URL           = "https://securityupdatecheck.mattermost.com"
    21  	SECURITY_UPDATE_PERIOD = 86400000 // 24 hours in milliseconds.
    22  
    23  	PROP_SECURITY_ID                = "id"
    24  	PROP_SECURITY_BUILD             = "b"
    25  	PROP_SECURITY_ENTERPRISE_READY  = "be"
    26  	PROP_SECURITY_DATABASE          = "db"
    27  	PROP_SECURITY_OS                = "os"
    28  	PROP_SECURITY_USER_COUNT        = "uc"
    29  	PROP_SECURITY_TEAM_COUNT        = "tc"
    30  	PROP_SECURITY_ACTIVE_USER_COUNT = "auc"
    31  	PROP_SECURITY_UNIT_TESTS        = "ut"
    32  )
    33  
    34  func (a *App) DoSecurityUpdateCheck() {
    35  	if *a.Config().ServiceSettings.EnableSecurityFixAlert {
    36  		if result := <-a.Srv.Store.System().Get(); result.Err == nil {
    37  			props := result.Data.(model.StringMap)
    38  			lastSecurityTime, _ := strconv.ParseInt(props[model.SYSTEM_LAST_SECURITY_TIME], 10, 0)
    39  			currentTime := model.GetMillis()
    40  
    41  			if (currentTime - lastSecurityTime) > SECURITY_UPDATE_PERIOD {
    42  				mlog.Debug("Checking for security update from Mattermost")
    43  
    44  				v := url.Values{}
    45  
    46  				v.Set(PROP_SECURITY_ID, a.DiagnosticId())
    47  				v.Set(PROP_SECURITY_BUILD, model.CurrentVersion+"."+model.BuildNumber)
    48  				v.Set(PROP_SECURITY_ENTERPRISE_READY, model.BuildEnterpriseReady)
    49  				v.Set(PROP_SECURITY_DATABASE, *a.Config().SqlSettings.DriverName)
    50  				v.Set(PROP_SECURITY_OS, runtime.GOOS)
    51  
    52  				if len(props[model.SYSTEM_RAN_UNIT_TESTS]) > 0 {
    53  					v.Set(PROP_SECURITY_UNIT_TESTS, "1")
    54  				} else {
    55  					v.Set(PROP_SECURITY_UNIT_TESTS, "0")
    56  				}
    57  
    58  				systemSecurityLastTime := &model.System{Name: model.SYSTEM_LAST_SECURITY_TIME, Value: strconv.FormatInt(currentTime, 10)}
    59  				if lastSecurityTime == 0 {
    60  					<-a.Srv.Store.System().Save(systemSecurityLastTime)
    61  				} else {
    62  					<-a.Srv.Store.System().Update(systemSecurityLastTime)
    63  				}
    64  
    65  				if ucr := <-a.Srv.Store.User().GetTotalUsersCount(); ucr.Err == nil {
    66  					v.Set(PROP_SECURITY_USER_COUNT, strconv.FormatInt(ucr.Data.(int64), 10))
    67  				}
    68  
    69  				if ucr := <-a.Srv.Store.Status().GetTotalActiveUsersCount(); ucr.Err == nil {
    70  					v.Set(PROP_SECURITY_ACTIVE_USER_COUNT, strconv.FormatInt(ucr.Data.(int64), 10))
    71  				}
    72  
    73  				if tcr := <-a.Srv.Store.Team().AnalyticsTeamCount(); tcr.Err == nil {
    74  					v.Set(PROP_SECURITY_TEAM_COUNT, strconv.FormatInt(tcr.Data.(int64), 10))
    75  				}
    76  
    77  				res, err := http.Get(SECURITY_URL + "/security?" + v.Encode())
    78  				if err != nil {
    79  					mlog.Error("Failed to get security update information from Mattermost.")
    80  					return
    81  				}
    82  
    83  				bulletins := model.SecurityBulletinsFromJson(res.Body)
    84  				consumeAndClose(res)
    85  
    86  				for _, bulletin := range bulletins {
    87  					if bulletin.AppliesToVersion == model.CurrentVersion {
    88  						if props["SecurityBulletin_"+bulletin.Id] == "" {
    89  							if results := <-a.Srv.Store.User().GetSystemAdminProfiles(); results.Err != nil {
    90  								mlog.Error("Failed to get system admins for security update information from Mattermost.")
    91  								return
    92  							} else {
    93  								users := results.Data.(map[string]*model.User)
    94  
    95  								resBody, err := http.Get(SECURITY_URL + "/bulletins/" + bulletin.Id)
    96  								if err != nil {
    97  									mlog.Error("Failed to get security bulletin details")
    98  									return
    99  								}
   100  
   101  								body, err := ioutil.ReadAll(resBody.Body)
   102  								res.Body.Close()
   103  								if err != nil || resBody.StatusCode != 200 {
   104  									mlog.Error("Failed to read security bulletin details")
   105  									return
   106  								}
   107  
   108  								for _, user := range users {
   109  									mlog.Info(fmt.Sprintf("Sending security bulletin for %v to %v", bulletin.Id, user.Email))
   110  									a.SendMail(user.Email, utils.T("mattermost.bulletin.subject"), string(body))
   111  								}
   112  							}
   113  
   114  							bulletinSeen := &model.System{Name: "SecurityBulletin_" + bulletin.Id, Value: bulletin.Id}
   115  							<-a.Srv.Store.System().Save(bulletinSeen)
   116  						}
   117  					}
   118  				}
   119  			}
   120  		}
   121  	}
   122  }