From c916b25427e3244e7699f7da326377052d8f9a78 Mon Sep 17 00:00:00 2001
From: MarkBryanMilligan
Date: Thu, 17 Feb 2022 15:26:32 -0600
Subject: [PATCH] Force all console pages to SSL.
---
 .../console/AuthenticatedConsoleServlet.java | 56 +++++++++++++++++++
 .../servlet/console/ConsoleServlet.java | 2 +-
 .../servlet/console/ExportServlet.java | 2 +-
 .../servlet/console/GsoServlet.java | 7 +--
 .../servlet/console/LoginServlet.java | 15 +----
 .../servlet/console/LogoutServlet.java | 10 +---
 .../servlet/console/SecureConsoleServlet.java | 42 ++++++--------
 7 files changed, 84 insertions(+), 50 deletions(-)
 create mode 100644 currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/AuthenticatedConsoleServlet.java
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/AuthenticatedConsoleServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/AuthenticatedConsoleServlet.java
new file mode 100644
index 0000000..033811a
--- /dev/null
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/AuthenticatedConsoleServlet.java
@@ -0,0 +1,56 @@
+package com.lanternsoftware.currentmonitor.servlet.console;
+
+import com.lanternsoftware.currentmonitor.context.Globals;
+import com.lanternsoftware.util.CollectionUtils;
+import com.lanternsoftware.util.NullUtils;
+import com.lanternsoftware.util.dao.DaoSerializer;
+import com.lanternsoftware.util.dao.auth.AuthCode;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public abstract class AuthenticatedConsoleServlet extends SecureConsoleServlet {
+ @Override
+ protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
+ AuthCode code = getAuthCode(_req, _rep);
+ if (code != null)
+ get(code, _req, _rep);
+ }
+
+ protected void get(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+ }
+
+ @Override
+ protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
+ AuthCode code = getAuthCode(_req, _rep);
+ if (code != null)
+ post(code, _req, _rep);
+ }
+
+ private AuthCode getAuthCode(HttpServletRequest _req, HttpServletResponse _rep) {
+ String sRequestURL = _req.getRequestURL().toString();
+ String sURL = sRequestURL.replaceFirst("http://", "https://");
+ if (!sURL.equals(sRequestURL)) {
+ String sQuery = _req.getQueryString();
+ if (NullUtils.isNotEmpty(sQuery))
+ sURL += "?" + sQuery;
+ redirect(_rep, sURL);
+ return null;
+ }
+ AuthCode authCode = Globals.dao.decryptAuthCode(DaoSerializer.toString(_req.getSession().getAttribute("auth_code")));
+ if (authCode == null) {
+ Cookie authCookie = CollectionUtils.filterOne(CollectionUtils.asArrayList(_req.getCookies()), _c-> NullUtils.isEqual(_c.getName(), "auth_code"));
+ if (authCookie != null)
+ authCode = Globals.dao.decryptAuthCode(authCookie.getValue());
+ }
+ if (authCode == null) {
+ redirect(_rep, _req.getContextPath() + "/login");
+ return null;
+ }
+ return authCode;
+ }
+
+ protected void post(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+ }
+}
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ConsoleServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ConsoleServlet.java
index 6ccdbe1..12b41bf 100644
--- a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ConsoleServlet.java
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ConsoleServlet.java
@@ -9,7 +9,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 @WebServlet("")
-public class ConsoleServlet extends SecureConsoleServlet {
+public class ConsoleServlet extends AuthenticatedConsoleServlet {
 private static final Logger logger = LoggerFactory.getLogger(ConsoleServlet.class);
 @Override
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ExportServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ExportServlet.java
index f45c17e..f68e713 100644
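Review bot: The http-to-https block at the top of getAuthCode duplicates SecureConsoleServlet.isSecure and can never trigger: this commit's SecureConsoleServlet.doGet/doPost only call get/post after isSecure() has already redirected any plain-HTTP request, so by the time getAuthCode runs the URL cannot still start with http://. Drop the block from `String sRequestURL = _req.getRequestURL().toString();` through its closing `}` and keep the scheme check in one place; getAuthCode then reduces to the session/cookie lookup. Both copies also derive the scheme from getRequestURL(), which reflects the container's view of the connection, so behind a TLS-terminating proxy this would presumably loop unless the container is configured to trust the forwarded scheme — `_req.isSecure()` is the cleaner signal for the same intent. The class also deserves a short Javadoc stating that subclasses override the three-argument get/post and that a request without a valid auth_code in session or cookie is redirected to the context's /login.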
--- a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ExportServlet.java
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/ExportServlet.java
@@ -40,7 +40,7 @@ import java.util.zip.ZipInputStream;
 import java.util.zip.ZipOutputStream;
 @WebServlet("/export/*")
-public class ExportServlet extends SecureConsoleServlet {
+public class ExportServlet extends AuthenticatedConsoleServlet {
 private static final Logger logger = LoggerFactory.getLogger(ExportServlet.class);
 @Override
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/GsoServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/GsoServlet.java
index 4aeef81..5195f32 100644
--- a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/GsoServlet.java
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/GsoServlet.java
@@ -1,6 +1,5 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
-import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
 import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
 import com.lanternsoftware.util.NullUtils;
@@ -10,14 +9,14 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 @WebServlet("/gso")
-public class GsoServlet extends FreemarkerCMServlet {
+public class GsoServlet extends SecureConsoleServlet {
 @Override
- protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 render(_rep, "login.ftl", model(_req));
 }
 @Override
- protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 String code = getRequestPayloadAsString(_req);
 if (NullUtils.isNotEmpty(code)) {
 String authCode = GoogleAuthHelper.signin(code, null);
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LoginServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LoginServlet.java
index 6b5035c..696fc3c 100644
--- a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LoginServlet.java
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LoginServlet.java
@@ -1,31 +1,22 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
 import com.lanternsoftware.currentmonitor.context.Globals;
-import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
-import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
-import com.lanternsoftware.util.DateUtils;
 import com.lanternsoftware.util.NullUtils;
-import com.lanternsoftware.util.dao.DaoEntity;
-import com.lanternsoftware.util.dao.DaoSerializer;
-import com.lanternsoftware.util.dao.auth.AuthCode;
-import com.lanternsoftware.util.servlet.LanternServlet;
-import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
 @WebServlet("/login")
-public class LoginServlet extends FreemarkerCMServlet {
+public class LoginServlet extends SecureConsoleServlet {
 @Override
- protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 render(_rep, "login.ftl", model(_req));
 }
 @Override
- protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 String username = _req.getParameter("username");
 String password = _req.getParameter("password");
 String authCode = Globals.dao.authenticateAccount(username, password);
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LogoutServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LogoutServlet.java
index 0daa954..7500f5b 100644
--- a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LogoutServlet.java
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/LogoutServlet.java
@@ -1,18 +1,14 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
-import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
-import com.lanternsoftware.currentmonitor.util.GoogleAuthHelper;
-import com.lanternsoftware.util.NullUtils;
-
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 @WebServlet("/logout")
-public class LogoutServlet extends FreemarkerCMServlet {
+public class LogoutServlet extends AuthenticatedConsoleServlet {
 @Override
- protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 _req.getSession().removeAttribute("auth_code");
 Cookie authCookie = new Cookie("auth_code", "");
 authCookie.setMaxAge(0);
@@ -22,6 +18,6 @@ public class LogoutServlet extends FreemarkerCMServlet {
 }
 @Override
- protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 }
 }
diff --git a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/SecureConsoleServlet.java b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/SecureConsoleServlet.java
index 56c3e52..111f2f0 100644
--- a/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/SecureConsoleServlet.java
+++ b/currentmonitor/lantern-service-currentmonitor/src/main/java/com/lanternsoftware/currentmonitor/servlet/console/SecureConsoleServlet.java
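Review bot: LogoutServlet now extends AuthenticatedConsoleServlet but overrides the two-argument get/post, which in AuthenticatedConsoleServlet are exactly the methods that perform the auth_code lookup, so the authentication step is bypassed and the class effectively behaves as a SecureConsoleServlet. If logging out without a valid code is intended (reasonable, since the body only clears session state and the cookie), make that explicit with `public class LogoutServlet extends SecureConsoleServlet {` so the base-class name does not promise a check that never runs; otherwise override the three-argument overloads instead. The second hunk leaves `post` as an empty override, so POST /logout silently does nothing while GET performs the state change — consider moving the logout into post and having get render a confirmation, so a plain cross-site GET cannot end a session. The get body continues past the end of the first hunk, so whatever cookie path/secure attributes are set there are not visible here.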
@@ -1,48 +1,40 @@
 package com.lanternsoftware.currentmonitor.servlet.console;
-import com.lanternsoftware.currentmonitor.context.Globals;
 import com.lanternsoftware.currentmonitor.servlet.FreemarkerCMServlet;
-import com.lanternsoftware.util.CollectionUtils;
 import com.lanternsoftware.util.NullUtils;
-import com.lanternsoftware.util.dao.DaoSerializer;
-import com.lanternsoftware.util.dao.auth.AuthCode;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 public abstract class SecureConsoleServlet extends FreemarkerCMServlet {
 @Override
 protected void doGet(HttpServletRequest _req, HttpServletResponse _rep) {
- AuthCode code = getAuthCode(_req, _rep);
- if (code != null)
- get(code, _req, _rep);
+ if (isSecure(_req, _rep))
+ get(_req, _rep);
 }
- protected void get(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+ protected void get(HttpServletRequest _req, HttpServletResponse _rep) {
 }
 @Override
 protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
- AuthCode code = getAuthCode(_req, _rep);
- if (code != null)
- post(code, _req, _rep);
+ if (isSecure(_req, _rep))
+ post(_req, _rep);
 }
- private AuthCode getAuthCode(HttpServletRequest _req, HttpServletResponse _rep) {
- AuthCode authCode = Globals.dao.decryptAuthCode(DaoSerializer.toString(_req.getSession().getAttribute("auth_code")));
- if (authCode == null) {
- Cookie authCookie = CollectionUtils.filterOne(CollectionUtils.asArrayList(_req.getCookies()), _c-> NullUtils.isEqual(_c.getName(), "auth_code"));
- if (authCookie != null)
- authCode = Globals.dao.decryptAuthCode(authCookie.getValue());
- }
- if (authCode == null) {
- redirect(_rep, _req.getContextPath() + "/login");
- return null;
- }
- return authCode;
+ protected void post(HttpServletRequest _req, HttpServletResponse _rep) {
 }
- protected void post(AuthCode _authCode, HttpServletRequest _req, HttpServletResponse _rep) {
+ private boolean isSecure(HttpServletRequest _req, HttpServletResponse _rep) {
+ String sRequestURL = _req.getRequestURL().toString();
+ String sURL = sRequestURL.replaceFirst("http://", "https://");
+ if (!sURL.equals(sRequestURL)) {
+ String sQuery = _req.getQueryString();
+ if (NullUtils.isNotEmpty(sQuery))
+ sURL += "?" + sQuery;
+ redirect(_rep, sURL);
+ return false;
+ }
+ return true;
+ }
 }
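Review bot: isSecure() redirects a plain-HTTP POST to the https URL, but by the time doPost runs the request body has already been received in the clear, and the redirect (via redirect(), presumably a 302) makes the browser re-issue a GET without that body — so for LoginServlet.post and GsoServlet.post, which this commit routes through the same gate, the credentials are exposed first and the submission is then lost. A POST that arrives over HTTP should be refused rather than redirected, and responses served over HTTPS should carry Strict-Transport-Security so browsers stop sending HTTP requests at all; only the idempotent GET benefits from the redirect. Deriving the scheme from getRequestURL() also ties the check to the container's view of the connection (behind a TLS-terminating proxy it will presumably report http:// and loop), whereas `_req.isSecure()` states the intent directly and honours whatever forwarded-scheme handling the container is configured with. The method also deserves a one-line Javadoc saying it returns false only after it has already written the redirect, since callers must not touch the response afterwards.
```java
@Override
protected void doPost(HttpServletRequest _req, HttpServletResponse _rep) {
    // The body has already crossed the wire; a redirect would only turn the POST
    // into a body-less GET, so refuse plain-HTTP submissions outright.
    if (!_req.isSecure()) {
        _rep.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    post(_req, _rep);
}

// … unchanged: post(HttpServletRequest, HttpServletResponse) …

/** Redirects a plain-HTTP GET to its https equivalent; returns false once the redirect has been written. */
private boolean isSecure(HttpServletRequest _req, HttpServletResponse _rep) {
    if (_req.isSecure()) {
        // Pin browsers to HTTPS for future requests to this host (max-age: one year).
        _rep.setHeader("Strict-Transport-Security", "max-age=31536000");
        return true;
    }
    String sURL = _req.getRequestURL().toString().replaceFirst("http://", "https://");
    // … unchanged: append query string and redirect(_rep, sURL) …
    return false;
}
```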