Item11621: Improve redirecting for http/https sites

 - Redirect all scripts in the {AuthScripts} list.  They will need https
   for authentication.
 - Monkeypatch the TemplateLogin login manager to redirect to https
   whenver forceAuthenticaiton is called.  The https session may already
   be authenticated.

Author: gac410

data/System/HttpsRedirectPlugin.txt

@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1458439803" format="1.1"  version="1.2"}%
+%META:TOPICINFO{author="ProjectContributor" date="1490669264" format="1.1"  version="1.2"}%
 %META:TOPICPARENT{name="Plugins"}%
 ---+!! !HttpsRedirectPlugin
 <!--
@@ -15,6 +15,16 @@ The HTTPS redirect plug-in is designed to help you run a web site where guest us
 Simply activate the plug-in from =configure= to take advantage of its functionality.
 Once enabled it will force authenticated users to use HTTPS by redirecting them to HTTPS URL if needed. Guests will be redirected to HTTPS only when accessing the login screen.
 
+Redirect happens on the following conditions:
+   * Request for the login script.
+   * Request for any script listed in ={AuthScripts}=
+   * Any request that triggers the LoginManager::TemplateLogin::forceAuthentication() event.
+
+Note tht as of this release, only the !TemplateLogin method is supported for
+forceAuthentication based redirects.
+
+Be sure to set the https:// URL in ={PermittedRedirectHostUrls}=.
+
 ---++ Installation Instructions
 
 %$INSTALL_INSTRUCTIONS%
@@ -24,11 +34,12 @@ Once enabled it will force authenticated users to use HTTPS by redirecting them
 Many thanks to the following sponsors for supporting this work:
    * http://slion.net
 
-|  Plugin Author(s): | Foswiki:Main.StephaneLenclud |
-|  Copyright: | &copy; 2008-2009 St&eacute;phaneLenclud, 2011-2016 Foswiki Contributors |
+|  Plugin Author(s): | Foswiki:Main.StephaneLenclud Foswiki:Main.GeorgeClark |
+|  Copyright: | &copy; 2008-2009 St&eacute;phaneLenclud, 2011-2017 Foswiki Contributors |
 |  License: | [[http://www.gnu.org/licenses/gpl.html][GPL (Gnu General Public License)]] |
 |  Plugin Version: | %$VERSION% |
 |  Change History: | <!-- versions below in reverse order -->&nbsp; |
+|  26 Mar 2017 | v1.3 Foswikitask:Item11621 - Redirect auth scripts and forceAuthentication events. |
 |  19 mar 2016 | v1.2 Foswikitask:Item14030 - Use new version strings, remove non-utf8 characters from topic. Other minor cleanup. |
 |  28 Mar 2011 | v1.1 Foswikitask:Item10551 - fixed a problem where foswiki scripts would produce no output if run from CLI |
 |  28 Apr 2009 | v1.0 First actually working version for Foswiki  |

lib/Foswiki/Plugins/HttpsRedirectPlugin.pm

@@ -1,68 +1,29 @@
-# Plugin for Foswiki - The Free and Open Source Wiki, http://foswiki.org/
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details, published at
-# http://www.gnu.org/copyleft/gpl.html
+# See bottom of file for notices
 
 =pod
 
 ---+ package Foswiki::Plugins::HttpsRedirectPlugin
 
-To interact with Foswiki use ONLY the official API functions
-in the Foswiki::Func module. Do not reference any functions or
-variables elsewhere in Foswiki, as these are subject to change
-without prior warning, and your plugin may suddenly stop
-working.
-
-For increased performance, all handlers except initPlugin are
-disabled below. *To enable a handler* remove the leading DISABLE_ from
-the function name. For efficiency and clarity, you should comment out or
-delete the whole of handlers you don't use before you release your
-plugin.
-
-__NOTE:__ When developing a plugin it is important to remember that
-Foswiki is tolerant of plugins that do not compile. In this case,
-the failure will be silent but the plugin will not be available.
-See [[%SYSTEMWEB%.Plugins#FAILEDPLUGINS]] for error messages.
-
-__NOTE:__ Defining deprecated handlers will cause the handlers to be 
-listed in [[%SYSTEMWEB%.Plugins#FAILEDPLUGINS]]. See
-[[%SYSTEMWEB%.Plugins#Handlig_deprecated_functions]]
-for information on regarding deprecated handlers that are defined for
-compatibility with older Foswiki versions.
-
-__NOTE:__ When writing handlers, keep in mind that these may be invoked
-on included topics. For example, if a plugin generates links to the current
-topic, these need to be generated before the afterCommonTagsHandler is run,
-as at that point in the rendering loop we have lost the information that we
-the text had been included from another topic.
+Intercept any http: requests that should be done over https
+and redirect the requests to an https: URL
+   * Any request to login
+   * Requests to any script in the ={AuthScripts}= list
+   * Any request that triggers a forceAuthentication event.
 
 =cut
 
 package Foswiki::Plugins::HttpsRedirectPlugin;
 
-# Always use strict to enforce variable scoping
 use strict;
+use warnings;
 
-require Foswiki::Func;       # The plugins API
-require Foswiki::Plugins;    # For the API version
+use Foswiki::Func;       # The plugins API
+use Foswiki::Plugins;    # For the API version
 
-our $VERSION = '1.2';
-our $RELEASE = '19 Mar 2016';
+our $VERSION = '1.3';
+our $RELEASE = '26 Mar 2017';
 
-# Short description of this plugin
-# One line description, is shown in the %SYSTEMWEB%.TextFormattingRules topic:
-our $SHORTDESCRIPTION = 'Redirect authenticated users to HTTPS url.';
-
-# You must set $NO_PREFS_IN_TOPIC to 0 if you want your plugin to use preferences
-# stored in the plugin topic. 
+our $SHORTDESCRIPTION  = 'Redirect authenticated users to HTTPS url.';
 our $NO_PREFS_IN_TOPIC = 1;
 
 # Name of this Plugin, only used in this module
@@ -72,12 +33,37 @@ our $debug = 0;
 
 =pod
 
+---++ earlyInitPlugin
+
+Determines if TemplateLogin is in use.  If it is, enable a hook that
+monkey-patches TemplateLogin::forceAuthentication. This hook will force
+a redirect to https if any page is accessed that would require authentication.
+
+=cut
+
+sub earlyInitPlugin {
+    return if !$Foswiki::cfg{Plugins}{HttpsRedirectPlugin}{Enabled};
+    return undef
+      unless (
+        $Foswiki::cfg{LoginManager} eq 'Foswiki::LoginManager::TemplateLogin' );
+    require Foswiki::Plugins::HttpsRedirectPlugin::CoreHooks;
+    Foswiki::Plugins::HttpsRedirectPlugin::CoreHooks::hook();
+    return undef;
+}
+
+=pod
+
 ---++ initPlugin($topic, $web, $user, $installWeb) -> $boolean
    * =$topic= - the name of the topic in the current CGI query
    * =$web= - the name of the web in the current CGI query
    * =$user= - the login name of the user
    * =$installWeb= - the name of the web the plugin is installed in
 
+Redirects requests to https:
+   * Any request to login
+   * Requests to any ={AuthScripts}=
+   * Any authenticated requests.
+
 =cut
 
 sub initPlugin {
@@ -90,74 +76,86 @@ sub initPlugin {
         return 0;
     }
 
-    # Example code of how to get a preference value, register a variable handler
-    # and register a RESTHandler. (remove code you do not need)
-
-    # Set plugin preferences in LocalSite.cfg, like this:
-    # $Foswiki::cfg{Plugins}{HttpsRedirectPlugin}{ExampleSetting} = 1;
-    # Always provide a default in case the setting is not defined in
-    # LocalSite.cfg. See %SYSTEMWEB%.Plugins for help in adding your plugin
-    # configuration to the =configure= interface.
     $debug = $Foswiki::cfg{Plugins}{HttpsRedirectPlugin}{Debug} || 0;
 
+    my $query = Foswiki::Func::getCgiQuery();
+
+    return 1 if $query->secure();    # Nothing needed if already secure
+    return 1
+      if Foswiki::Func::getContext()->{'command_line'};    #Not needed for CLI
+
     if (Foswiki::Func::isGuest) {
 
-        #If we are guest, force HTTPS on login
-        if ( Foswiki::Func::getContext()
-            ->{'login'} )    #If we are on the login script
-        {
+        my $actionRegex =
+          '\b' . Foswiki::Func::getRequestObject()->action() . '\b';
 
-            #Build up our URL
-            my $query = Foswiki::Func::getCgiQuery();
-            my $url   = $query->url() . $query->path_info();
-            if ( $query->query_string() ) {
-                $url .= '?' . $query->query_string();
-            }
-
-            unless ( $url =~ /^https/ )    #Unless we are already using HTTPS
-            {
-
-                #Redirect to HTTPS URL and quite
-                $url =~ s/^http/https/;
-                Foswiki::Func::writeDebug("HTTPS redirect to: $url")
-                  if ($debug);
-                Foswiki::Func::redirectCgiQuery( $query, $url );
-
-                #$Foswiki::Plugins::SESSION->finish();
-                #exit(0);
-            }
+#If we are guest, force HTTPS on login, or any script that requires authentication.
+        if (
+            Foswiki::Func::getContext()
+            ->{'login'}    #If we are on the login script
+            || $Foswiki::cfg{AuthScripts} =~ m/$actionRegex/
+          )
+        {
+            _redirectRequest($query);
         }
-
     }
     else {
+        # Force redirect on all requests
+        _redirectRequest($query);
 
-        #If the user is no guest always force HTTPS
+    }
 
-        #Get our URL
-        my $query = Foswiki::Func::getCgiQuery();
-        my $url   = $query->url() . $query->path_info();
-        if ( $query->query_string() ) {
-            $url .= '?' . $query->query_string();
-        }
+    # Plugin correctly initialized
+    return 1;
+}
 
-        #Unless we are already using HTTPS, or running from CLI
-        unless ( $url =~ /^https/
-            or Foswiki::Func::getContext()->{'command_line'} )
-        {
+=pod
+---++ Private _redirectRequest($query)
 
-            #Redirect to HTTPS URL and quite
-            $url =~ s/^http/https/;
-            Foswiki::Func::writeDebug("HTTPS redirect to: $url") if ($debug);
-            Foswiki::Func::redirectCgiQuery( $query, $url );
+Convert the URL to https: and redirect.
 
-            #$Foswiki::Plugins::SESSION->finish();
-            #exit(0);
-        }
-    }
+=cut
 
+sub _redirectRequest {
+    my $query = shift;
 
-    # Plugin correctly initialized
-    return 1;
+    #Get our URL
+    my $url = $query->url() . $query->path_info();
+    if ( $query->query_string() ) {
+        $url .= '?' . $query->query_string();
+    }
+
+    #Redirect to HTTPS URL
+    $url =~ s/^http/https/;
+    $url = Foswiki::decode_utf8($url) if $Foswiki::UNICODE;
+    Foswiki::Func::writeDebug("HTTPS redirect to: $url") if ($debug);
+    Foswiki::Func::redirectCgiQuery( $query, $url );
 }
 
 1;
+__END__
+
+Plugin for Foswiki - The Free and Open Source Wiki, http://foswiki.org/
+
+Copyright (C) 2008-2017 Foswiki Contributors. Foswiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+NOTE: Please extend that file, not this notice.
+
+Additional copyrights may apply to some or all of the code in this
+file as follows:
+
+Copyright (C) 2013 Modell Aachen GmbH, http://modell-aachen.de
+Author: Jan Krueger
+
+Copyright (C) 1999-2007 Peter Thoeny, peter@thoeny.org
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details, published at
+http://www.gnu.org/copyleft/gpl.html
+

lib/Foswiki/Plugins/HttpsRedirectPlugin/CoreHooks.pm

@@ -0,0 +1,78 @@
+# See bottom of file for notices
+
+package Foswiki::Plugins::HttpsRedirectPlugin::CoreHooks;
+
+use strict;
+use warnings;
+use Assert;
+use Foswiki::Plugins::HttpsRedirectPlugin;
+
+my $hooked;
+my $oldforceAuthentication;
+
+sub hook {
+
+    # Prevent nasties on FastCGI/mod_perl
+    # If the hooks were applied twice, the $old... variables would end up
+    # containing the hooks themselves and we'd get ourselves stuck in an
+    # infinite loop...
+    return if defined $hooked;
+
+    # Overwrite the normal Foswiki functions for adding zones.
+    # This is, sadly, necessary if we want to have the ability to
+    # magically let through all zone code added directly by plugins
+    # (e.g. JQueryPlugin's prefs object).
+
+    $oldforceAuthentication =
+      \&Foswiki::LoginManager::TemplateLogin::forceAuthentication;
+    undef *Foswiki::LoginManager::TemplateLogin::forceAuthentication;
+    *Foswiki::LoginManager::TemplateLogin::forceAuthentication =
+      \&Foswiki::Plugins::HttpsRedirectPlugin::CoreHooks::forceAuthentication;
+
+    $hooked = 1;
+    return;
+}
+
+sub forceAuthentication {
+
+    my $query = Foswiki::Func::getCgiQuery();
+
+    # No need to redirect if already a secure request.
+    return $oldforceAuthentication->(@_) if $query->secure();
+
+    Foswiki::Plugins::HttpsRedirectPlugin::_redirectRequest($query);
+}
+
+1;
+__DATA__
+
+Foswiki - The Free and Open Source Wiki, http://foswiki.org/
+
+Copyright (C) 2008-2017 Foswiki Contributors. Foswiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+NOTE: Please extend that file, not this notice.
+
+Additional copyrights may apply to some or all of the code in this
+file as follows:
+
+Copyright (C) 2013 Modell Aachen GmbH, http://modell-aachen.de
+Author: Jan Krueger
+
+Copyright (C) 1999-2007 Peter Thoeny, peter@thoeny.org
+and TWiki Contributors. All Rights Reserved. TWiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+Based on parts of Ward Cunninghams original Wiki and JosWiki.
+Copyright (C) 1998 Markus Peter - SPiN GmbH (warpi@spin.de)
+Some changes by Dave Harris (drh@bhresearch.co.uk) incorporated
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version. For
+more details read LICENSE in the root of this distribution.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+As per the GPL, removal of this notice is prohibited.

lib/Foswiki/Plugins/HttpsRedirectPlugin/MANIFEST

@@ -1,3 +1,4 @@
 data/System/HttpsRedirectPlugin.txt 0644
 lib/Foswiki/Plugins/HttpsRedirectPlugin.pm 0644
 lib/Foswiki/Plugins/HttpsRedirectPlugin/Config.spec 0664
+lib/Foswiki/Plugins/HttpsRedirectPlugin/CoreHooks.pm 0664