From 2aa709e968482756c0343dbecf079913cd16ba52 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 20 Mar 2017 21:30:33 +0100
Subject: [webinterface] Remember last HTTPS config; add redirect to HTTPS setting
Functionality in the LighttpdHttps task is still missing, so the new redirect setting doesn't really do anything yet. This refs #3058 @2h
---
 modules-available/webinterface/page.inc.php | 87 +++++++++++++++++++++++++++--
 1 file changed, 83 insertions(+), 4 deletions(-)
(limited to 'modules-available/webinterface/page.inc.php')
diff --git a/modules-available/webinterface/page.inc.php b/modules-available/webinterface/page.inc.php
index 3c4304cd..35e14dc5 100644
--- a/modules-available/webinterface/page.inc.php
+++ b/modules-available/webinterface/page.inc.php
@@ -3,6 +3,9 @@ class Page_WebInterface extends Page
 {
+ const PROP_REDIRECT = 'webinterface.https-redirect';
+ const PROP_TYPE = 'webinterface.https-type';
+
 protected function doPreprocess()
 {
 User::load();
@@ -33,13 +36,17 @@ class Page_WebInterface extends Page
 case 'custom':
 $task = $this->setHttpsCustomCert();
 break;
+ default:
+ $task = $this->setRedirectMode();
+ break;
 }
 if (isset($task['id'])) {
 Session::set('https-id', $task['id']);
 Util::redirect('?do=WebInterface&show=httpsupdate');
 }
+ Util::redirect('?do=WebInterface');
 }
-
+
 private function actionShowHidePassword()
 {
 Property::setPasswordFieldType(Request::post('mode') === 'show' ? 'text' : 'password');
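Review bot: The new `default:` arm of the mode switch treats every unrecognised or missing mode value as a redirect-only update, so a stale or malformed POST silently rewrites `webinterface.https-redirect` (to 'False' whenever `httpsredirect` is not 'on') and may queue a LighttpdHttps task. Giving the redirect-only form its own explicit `case` and letting `default:` report an error would keep unexpected input from changing server state. The switch and its enclosing method start outside the hunk, so whether a permission or CSRF check runs before this point cannot be confirmed from here.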
@@ -48,10 +55,57 @@ class Page_WebInterface extends Page
 protected function doRender()
 {
+ //
+ // HTTPS
+ //
 if (Request::get('show') === 'httpsupdate') {
 Render::addTemplate('httpd-restart', array('taskid' => Session::get('https-id')));
 }
- Render::addTemplate('https', array('httpsEnabled' => file_exists('/etc/lighttpd/server.pem')));
+ $type = Property::get(self::PROP_TYPE);
+ $force = Property::get(self::PROP_REDIRECT) === 'True';
+ $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+ $exists = file_exists('/etc/lighttpd/server.pem');
+ $data = array(
+ 'httpsUsed' => $https,
+ 'redirect_checked' => ($force ? 'checked' : '')
+ );
+ // Type should be 'off', 'generated', 'supplied'
+ if ($type === 'off') {
+ if ($exists) {
+ // HTTPS is set to off, but a certificate exists
+ if ($https) {
+ // User is using https, just warn to prevent lockout
+ Message::addWarning('https-want-off-is-used');
+ } else {
+ // User is not using https, try to delete stray certificate
+ $this->setHttpsOff();
+ }
+ } elseif ($https) {
+ // Set to off, no cert found, but still using HTTPS apparently
+ // Admin might have modified web server config in another way
+ Message::addWarning('https-used-without-cert');
+ }
+ } elseif ($type === 'generated' || $type === 'supplied') {
+ $data['httpsEnabled'] = true;
+ if ($force && !$https) {
+ Message::addWarning('https-want-redirect-is-plain');
+ }
+ if (!$exists) {
+ Message::addWarning('https-on-cert-missing');
+ }
+ } else {
+ // Unknown config - maybe upgraded old install that doesn't keep track
+ if ($exists || $https) {
+ $type = 'unknown'; // Legacy fallback
+ } else {
+ $type = 'off';
+ }
+ }
+ $data[$type . 'Selected'] = true;
+ Render::addTemplate('https', $data);
+ //
+ // Password fields
+ //
 $data = array();
 if (Property::getPasswordFieldType() === 'text') $data['selected_show'] = 'checked';
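Review bot: The `$this->setHttpsOff()` call in the `$type === 'off'` / `$exists` / not-`$https` branch makes doRender() submit a LighttpdHttps task on a plain page view, so a GET request changes web-server state and the task is queued again on every render until the certificate file is gone. The lockout guard in front of it relies on `$_SERVER['HTTPS']`, which is presumably unset when TLS is terminated by a proxy in front of this server, so the admin could be on HTTPS while this branch removes the certificate. I would only add a warning here, as the neighbouring branches do, and leave the removal to the explicit POST action. doRender() continues past the end of the hunk.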
@@ -62,23 +116,48 @@ class Page_WebInterface extends Page
 private function setHttpsOff()
 {
+ Property::set(self::PROP_TYPE, 'off');
 return Taskmanager::submit('LighttpdHttps', array());
 }
 private function setHttpsRandomCert()
 {
+ $force = Request::post('httpsredirect', false, 'string') === 'on';
+ Property::set(self::PROP_TYPE, 'generated');
+ Property::set(self::PROP_REDIRECT, $force ? 'True' : 'False');
 return Taskmanager::submit('LighttpdHttps', array(
- 'proxyip' => Property::getServerIp()
+ 'proxyip' => Property::getServerIp(),
+ 'redirect' => $force,
 ));
 }
 private function setHttpsCustomCert()
 {
+ $force = Request::post('httpsredirect', false, 'string') === 'on';
+ Property::set(self::PROP_TYPE, 'supplied');
+ Property::set(self::PROP_REDIRECT, $force ? 'True' : 'False');
 return Taskmanager::submit('LighttpdHttps', array(
 'importcert' => Request::post('certificate', 'bla'),
 'importkey' => Request::post('privatekey', 'bla'),
- 'importchain' => Request::post('cachain', '')
+ 'importchain' => Request::post('cachain', ''),
+ 'redirect' => $force,
+ ));
+ }
+
+ private function setRedirectMode()
+ {
+ $force = Request::post('httpsredirect', false, 'string') === 'on';
+ Property::set(self::PROP_REDIRECT, $force ? 'True' : 'False');
+ if (Property::get(self::PROP_TYPE) === 'off') {
+ // Don't bother running the task if https isn't enabled - just
+ // update the state in DB
+ return false;
+ }
+ return Taskmanager::submit('LighttpdHttps', array(
+ 'redirectOnly' => true,
+ 'redirect' => $force,
 ));
 }
 }
+
-- cgit v1.2.3-55-g7522
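Review bot: In setHttpsRandomCert() and setHttpsCustomCert() the `Property::set(...)` calls run before `Taskmanager::submit()` and regardless of its result, so the stored type becomes 'generated' or 'supplied' (and the redirect flag 'True') even when no task was accepted or the posted certificate is only the 'bla' default. The page then reports HTTPS, and a redirect, as configured while the server may still be serving plain HTTP. Consider submitting first and persisting only when a task id came back, e.g. `if (isset($task['id'])) { Property::set(self::PROP_TYPE, 'supplied'); }`, or recording the state once the task reports success. The three methods also repeat the same `$force` parsing and 'True'/'False' encoding, which one small private helper would keep consistent.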