From bb7c40237be4caf755e5bdff502afb409bed11ef Mon Sep 17 00:00:00 2001
From: ansuz <ansuz@transitiontech.ca>
Date: Thu, 10 Jun 2021 20:56:12 +0530
Subject: [PATCH] detect new versions in server telemetry responses

---
 lib/api.js            | 31 -------------------
 lib/commands/quota.js | 69 +++++++++++++++++++++++++++++++++++--------
 lib/env.js            |  2 +-
 lib/stats.js          | 65 ++++++++++++++++++++++++++++++++++++++++
 www/admin/inner.js    | 10 +++----
 5 files changed, 127 insertions(+), 50 deletions(-)
 create mode 100644 lib/stats.js

diff --git a/lib/api.js b/lib/api.js
index 26aaa3527..277d085fa 100644
--- a/lib/api.js
+++ b/lib/api.js
@@ -11,7 +11,6 @@ module.exports.create = function (Env) {
 nThen(function (w) {
     Decrees.load(Env, w(function (err) {
         Env.flushCache();
-
         if (err) {
             log.error('DECREES_LOADING', {
                 error: err.code || err,
@@ -19,36 +18,6 @@ nThen(function (w) {
             });
             console.error(err);
         }
-
-        var stats = {
-            restrictRegistration: Env.restrictRegistration,
-            supportMailbox: Env.supportMailbox,
-
-            defaultStorageLimit: Env.defaultStorageLimit,
-            maxUploadSize: Env.maxUploadSize,
-            premiumUploadSize: Env.premiumUploadSize,
-
-            adminEmail: Env.adminEmail,
-            inactiveTime: Env.inactiveTime,
-
-            accountRetentionTime: Env.accountRetentionTime,
-            archiveRetentionTime: Env.archiveRetentionTime,
-
-            httpUnsafeOrigin: Env.httpUnsafeOrigin,
-            httpSafeOrigin: Env.httpSafeOrigin,
-
-            adminKeys: Env.admins,
-
-            consentToContact: Env.consentToContact,
-            listMyInstance: Env.listMyInstance,
-            provideAggregateStatistics: Env.provideAggregateStatistics,
-
-            removeDonateButton: Env.removeDonateButton,
-            blockDailyCheck: Env.blockDailyCheck,
-        };
-
-        console.log(stats);
-
     }));
 }).nThen(function () {
     // asynchronously create a historyKeeper and RPC together
diff --git a/lib/commands/quota.js b/lib/commands/quota.js
index b779d8e56..1bf9203f6 100644
--- a/lib/commands/quota.js
+++ b/lib/commands/quota.js
@@ -4,9 +4,9 @@ const Quota = module.exports;
 
 //const Util = require("../common-util");
 const Keys = require("../keys");
-const Package = require('../../package.json');
 const Https = require("https");
 const Util = require("../common-util");
+const Stats = require("../stats");
 
 var validLimitFields = ['limit', 'plan', 'note', 'users', 'origin'];
 
@@ -51,24 +51,66 @@ Quota.applyCustomLimits = function (Env) {
     // console.log(Env.limits);
 };
 
+var isRemoteVersionNewer = function (local, remote) {
+    try {
+        local = local.split('.').map(Number);
+        remote = remote.split('.').map(Number);
+        for (var i = 0; i < 3; i++) {
+            if (remote[i] < local[i]) { return false; }
+            if (remote[i] > local[i]) { return true; }
+        }
+    } catch (err) {
+        // if anything goes wrong just fall through and return false
+        // false negatives are better than false positives
+    }
+    return false;
+};
+
 /*
-Env = {
-    myDomain,
-    mySubdomain,
-    adminEmail,
-    Package.version,
+var Assert = require("assert");
+[
+// remote versions
+    ['4.5.0', '4.5.0', false], // equal semver should not prompt
+    ['4.5.0', '4.5.1', true], // patch versions should prompt
+    ['4.5.0', '4.6.0', true], // minor versions should prompt
+    ['4.5.0', '5.0.0', true], // major versions should prompt
+// local
+    ['5.3.1', '4.9.0', false], // newer major should not prompt
+    ['4.7.0', '4.6.0', false], // newer minor should not prompt
+    ['4.7.0', '4.6.1', false], // newer patch should not prompt if other values are greater
+].forEach(function (x) {
+    var result = isRemoteVersionNewer(x[0], x[1]);
+    Assert.equal(result, x[2]);
+});
+*/
 
+// check if the remote endpoint reported an available server version
+// which is newer than your current version (Env.version)
+// if so, set Env.updateAvailable to the URL of its release notes
+var checkUpdateAvailability = function (Env, json) {
+    if (!(json && typeof(json.updateAvailable) === 'string' && typeof(json.version) === 'string')) { return; }
+    // expects {updateAvailable: 'https://github.com/xwiki-labs/cryptpad/releases/4.7.0', version: '4.7.0'}
+    // the version string is provided explicitly even though it could be parsed from GitHub's URL
+    // this will allow old instances to understand responses of arbitrary URLs
+    // as long as we keep using semver for 'version'
+    if (!isRemoteVersionNewer(Env.version, json.version)) {
+        Env.updateAvailable = undefined;
+        return;
+    }
+    Env.updateAvailable = json.updateAvailable;
+    Env.Log.info('AN_UPDATE_IS_AVAILABLE', {
+        version: json.version,
+        updateAvailable: json.updateAvaiable,
+    });
 };
-*/
+
 var queryAccountServer = function (Env, cb) {
     var done = Util.once(Util.mkAsync(cb));
 
-    var body = JSON.stringify({
-        domain: Env.myDomain,
-        subdomain: Env.mySubdomain || null,
-        adminEmail: Env.adminEmail,
-        version: Package.version
-    });
+    var rawBody = Stats.instanceData(Env);
+    Env.Log.info("SERVER_TELEMETRY", rawBody);
+    var body = JSON.stringify(rawBody);
+
     var options = {
         host: 'accounts.cryptpad.fr',
         path: '/api/getauthorized',
@@ -92,6 +134,7 @@ var queryAccountServer = function (Env, cb) {
         response.on('end', function () {
             try {
                 var json = JSON.parse(str);
+                checkUpdateAvailability(Env, json);
                 // don't overwrite the limits with junk data
                 if (json && json.message === 'EINVAL') { return void cb(); }
                 done(void 0, json);
diff --git a/lib/env.js b/lib/env.js
index e71d1275e..6f1717c09 100644
--- a/lib/env.js
+++ b/lib/env.js
@@ -111,7 +111,7 @@ module.exports.create = function (config) {
         consentToContact: false,
         listMyInstance: false,
         provideAggregateStatistics: false,
-        updateAvailable: undefined || 'https://github.com/xwiki-labs/cryptpad/releases/4.5.0', // XXX
+        updateAvailable: undefined,
 
         myDomain: config.myDomain,
         mySubdomain: config.mySubdomain, // only exists for the accounts integration
diff --git a/lib/stats.js b/lib/stats.js
new file mode 100644
index 000000000..d1da0e202
--- /dev/null
+++ b/lib/stats.js
@@ -0,0 +1,65 @@
+/*jshint esversion: 6 */
+const Stats = module.exports;
+
+Stats.instanceData = function (Env) {
+    var data = {
+        version: Env.version,
+
+        domain: Env.myDomain,
+        subdomain: Env.mySubdomain,
+
+        httpUnsafeOrigin: Env.httpUnsafeOrigin,
+        httpSafeOrigin: Env.httpSafeOrigin,
+
+        adminEmail: Env.adminEmail,
+        consentToContact: Boolean(Env.consentToContact),
+    };
+
+/*  We reserve the right to choose not to include instances
+    in our public directory at our discretion.
+
+    The following details will be included in your telemetry
+    as factors that may contribute to that decision.
+
+    These values are publicly available via /api/config
+    posting them to our server just makes it easier for us.
+*/
+    if (Env.listMyInstance) {
+        // clearly indicate that you want to be listed
+        data.listMyInstance = Env.listMyInstance;
+
+        // you should have enabled your admin panel
+        data.adminKeys = Env.admins.length > 0;
+
+        // we expect that you enable your support mailbox
+        data.supportMailbox = Boolean(Env.supportMailbox);
+
+        // do you allow registration?
+        data.restrictRegistration = Boolean(Env.restrictRegistration);
+
+        // have you removed the donate button?
+        data.removeDonateButton = Boolean(Env.removeDonateButton);
+
+        // after how long do you consider a document to be inactive?
+        data.inactiveTime = Env.inactiveTime;
+
+        // how much storage do you offer to registered users?
+        data.defaultStorageLimit = Env.defaultStorageLimit;
+
+        // what size file upload do you permit
+        data.maxUploadSize = Env.maxUploadSize;
+
+        // how long do you retain inactive accounts?
+        data.accountRetentionTime = Env.accountRetentionTime;
+
+        // how long do you retain archived data?
+        //data.archiveRetentionTime = Env.archiveRetentionTime,
+    }
+
+    // we won't consider instances for public listings
+    // unless they opt to provide more info about themselves
+    if (!Env.provideAggregateStatistics) { return data; }
+
+    return data;
+};
+
diff --git a/www/admin/inner.js b/www/admin/inner.js
index 3e05de971..9e7c30370 100644
--- a/www/admin/inner.js
+++ b/www/admin/inner.js
@@ -90,7 +90,7 @@ define([
             'cp-admin-update-available',
             'cp-admin-checkup',
             'cp-admin-block-daily-check',
-            'cp-admin-provide-aggregate-statistics',
+            //'cp-admin-provide-aggregate-statistics',
             'cp-admin-list-my-instance',
             'cp-admin-consent-to-contact',
             'cp-admin-remove-donate-button',
@@ -1759,7 +1759,7 @@ define([
     };
 
     Messages.admin_consentToContactTitle = 'Consent to contact'; // XXX
-    Messages.admin_consentToContactHint = "Server telemetry includes the admin contact email so that the developers can notify you of vulnerabilities in the softare. This will never be shared, sold, or used for marketing purposes. Consent to contact if you'd like to be informed of critical issues in your server."; // XXX
+    Messages.admin_consentToContactHint = "Server telemetry includes the admin contact email so that the developers can notify you of vulnerabilities in the software or your configuration. This will never be shared, sold, or used for marketing purposes. Consent to contact if you'd like to be informed of critical issues in your server."; // XXX
     Messages.admin_consentToContactLabel = 'I consent'; // XXX
 
     create['consent-to-contact'] = makeAdminCheckbox({
@@ -1784,7 +1784,7 @@ define([
     });
 
     Messages.admin_listMyInstanceTitle = 'List my instance in public directories'; // XXX
-    Messages.admin_listMyInstanceHint = 'If your instance is suitable for public use you may consent to be listed in web directories.'; // XXX
+    Messages.admin_listMyInstanceHint = 'If your instance is suitable for public use you may consent to be listed in web directories. Server telemetry must be enabled for this to have any effect.'; // XXX
     Messages.admin_listMyInstanceLabel = 'List this instance'; // XXX
 
     create['list-my-instance'] = makeAdminCheckbox({ // XXX uncheck if server telemetry is disabled?
@@ -1858,8 +1858,8 @@ define([
         },
     });
 
-    Messages.admin_blockDailyCheckTitle = 'Opt-out of server telemetry'; // XXX
-    Messages.admin_blockDailyCheckHint = "CryptPad instances send a message to the developers' server when launched and once per day thereafter. This lets them keep track of how many servers are running which versions of the software. You can opt-out of this measurement below."; // XXX
+    Messages.admin_blockDailyCheckTitle = 'Server telemetry'; // XXX
+    Messages.admin_blockDailyCheckHint = "CryptPad instances send a message to the developers' server when launched and once per day thereafter. This lets them keep track of how many servers are running which versions of the software. You can opt-out of this measurement below. The contents of this message can be found in the application server's log for your review."; // XXX
     Messages.admin_blockDailyCheckLabel = 'Disable server telemetry'; // XXX
 
     /*  // XXX