diff --git a/config/config.sample.php b/config/config.sample.php
index 59f892d133b602a98ecfeb43fd1da5b5714c85bb..daca5aed3628b15261ac02b24f6f650005d48029 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -671,6 +671,12 @@ $CONFIG = array(
*/
'forcessl' => false,
+/**
+ * Change this to ``true`` to require HTTPS connections also for all subdomains.
+ * Works only together when `forcessl` is set to true.
+ */
+'forceSSLforSubdomains' => false,
+
/**
* Extra SSL options to be used for configuration.
*/
diff --git a/lib/base.php b/lib/base.php
index 3cbab52ed7c04ae3fe4fbae33b309a7fa889848e..d365a4a306fa8c806913de5383cda475f3a95967 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -229,11 +229,18 @@ class OC {
public static function checkSSL() {
// redirect to https site if configured
- if (OC_Config::getValue("forcessl", false)) {
- header('Strict-Transport-Security: max-age=31536000');
- ini_set("session.cookie_secure", "on");
+ if (\OC::$server->getConfig()->getSystemValue('forcessl', false)) {
+ // Default HSTS policy
+ $header = 'Strict-Transport-Security: max-age=31536000';
+
+ // If SSL for subdomains is enabled add "; includeSubDomains" to the header
+ if(\OC::$server->getConfig()->getSystemValue('forceSSLforSubdomains', false)) {
+ $header .= '; includeSubDomains';
+ }
+ header($header);
+ ini_set('session.cookie_secure', 'on');
if (OC_Request::serverProtocol() <> 'https' and !OC::$CLI) {
- $url = "https://" . OC_Request::serverHost() . OC_Request::requestUri();
+ $url = 'https://' . OC_Request::serverHost() . OC_Request::requestUri();
header("Location: $url");
exit();
}
diff --git a/settings/admin.php b/settings/admin.php
index d58b9a597b9c0f238afb21f19c2afcf399881595..1c1cbd9975f30e1be8271fcee637d08fe65be1a7 100644
--- a/settings/admin.php
+++ b/settings/admin.php
@@ -53,7 +53,8 @@ $template->assign('shareExcludedGroupsList', implode('|', $excludedGroupsList));
// Check if connected using HTTPS
$template->assign('isConnectedViaHTTPS', OC_Request::serverProtocol() === 'https');
-$template->assign('enforceHTTPSEnabled', $config->getSystemValue("forcessl", false));
+$template->assign('enforceHTTPSEnabled', $config->getSystemValue('forcessl', false));
+$template->assign('forceSSLforSubdomainsEnabled', $config->getSystemValue('forceSSLforSubdomains', false));
// If the current web root is non-empty but the web root from the config is,
// and system cron is used, the URL generator fails to build valid URLs.
diff --git a/settings/ajax/setsecurity.php b/settings/ajax/setsecurity.php
deleted file mode 100644
index f1f737a4943de06fba102c281ea74f247cc8781a..0000000000000000000000000000000000000000
--- a/settings/ajax/setsecurity.php
+++ /dev/null
@@ -1,21 +0,0 @@
-<?php
-/**
- * Copyright (c) 2013-2014, Lukas Reschke <lukas@owncloud.com>
- * This file is licensed under the Affero General Public License version 3 or later.
- * See the COPYING-README file.
- */
-
-OC_Util::checkAdminUser();
-OCP\JSON::callCheck();
-
-if(isset($_POST['enforceHTTPS'])) {
- \OC::$server->getConfig()->setSystemValue('forcessl', filter_var($_POST['enforceHTTPS'], FILTER_VALIDATE_BOOLEAN));
-}
-
-if(isset($_POST['trustedDomain'])) {
- $trustedDomains = \OC::$server->getConfig()->getSystemValue('trusted_domains');
- $trustedDomains[] = $_POST['trustedDomain'];
- \OC::$server->getConfig()->setSystemValue('trusted_domains', $trustedDomains);
-}
-
-echo 'true';
diff --git a/settings/application.php b/settings/application.php
index 99d78aff2cc9540997597a41bb6efaeb9304dc9d..64aa4671228dc4061afbab8222a1949d7bba6460 100644
--- a/settings/application.php
+++ b/settings/application.php
@@ -13,6 +13,7 @@ namespace OC\Settings;
use OC\AppFramework\Utility\SimpleContainer;
use OC\Settings\Controller\AppSettingsController;
use OC\Settings\Controller\MailSettingsController;
+use OC\Settings\Controller\SecuritySettingsController;
use \OCP\AppFramework\App;
use \OCP\Util;
@@ -53,6 +54,14 @@ class Application extends App {
$c->query('Config')
);
});
+ $container->registerService('SecuritySettingsController', function(SimpleContainer $c) {
+ return new SecuritySettingsController(
+ $c->query('AppName'),
+ $c->query('Request'),
+ $c->query('Config')
+ );
+ });
+
/**
* Core class wrappers
*/
diff --git a/settings/controller/securitysettingscontroller.php b/settings/controller/securitysettingscontroller.php
new file mode 100644
index 0000000000000000000000000000000000000000..af60df8dc3b94bc910059d1bc72b609d506f40ab
--- /dev/null
+++ b/settings/controller/securitysettingscontroller.php
@@ -0,0 +1,95 @@
+<?php
+/**
+ * @author Lukas Reschke
+ * @copyright 2014 Lukas Reschke lukas@owncloud.com
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace OC\Settings\Controller;
+
+use \OCP\AppFramework\Controller;
+use OCP\IRequest;
+use OCP\IConfig;
+
+/**
+ * @package OC\Settings\Controller
+ */
+class SecuritySettingsController extends Controller {
+ /** @var \OCP\IConfig */
+ private $config;
+
+ /**
+ * @param string $appName
+ * @param IRequest $request
+ * @param IConfig $config
+ */
+ public function __construct($appName,
+ IRequest $request,
+ IConfig $config) {
+ parent::__construct($appName, $request);
+ $this->config = $config;
+ }
+
+ /**
+ * @return array
+ */
+ protected function returnSuccess() {
+ return array(
+ 'status' => 'success'
+ );
+ }
+
+ /**
+ * @return array
+ */
+ protected function returnError() {
+ return array(
+ 'status' => 'error'
+ );
+ }
+
+ /**
+ * Enforce or disable the enforcement of SSL
+ * @param boolean $enforceHTTPS Whether SSL should be enforced
+ * @return array
+ */
+ public function enforceSSL($enforceHTTPS = false) {
+ if(!is_bool($enforceHTTPS)) {
+ return $this->returnError();
+ }
+ $this->config->setSystemValue('forcessl', $enforceHTTPS);
+
+ return $this->returnSuccess();
+ }
+
+ /**
+ * Enforce or disable the enforcement for SSL on subdomains
+ * @param bool $forceSSLforSubdomains Whether SSL on subdomains should be enforced
+ * @return array
+ */
+ public function enforceSSLForSubdomains($forceSSLforSubdomains = false) {
+ if(!is_bool($forceSSLforSubdomains)) {
+ return $this->returnError();
+ }
+ $this->config->setSystemValue('forceSSLforSubdomains', $forceSSLforSubdomains);
+
+ return $this->returnSuccess();
+ }
+
+ /**
+ * Add a new trusted domain
+ * @param string $newTrustedDomain The newly to add trusted domain
+ * @return array
+ */
+ public function trustedDomains($newTrustedDomain) {
+ $trustedDomains = $this->config->getSystemValue('trusted_domains');
+ $trustedDomains[] = $newTrustedDomain;
+ $this->config->setSystemValue('trusted_domains', $trustedDomains);
+
+ return $this->returnSuccess();
+ }
+
+}
diff --git a/settings/js/admin.js b/settings/js/admin.js
index e3a092f71b0d1d2bd2bd9ea59e865db18b6a2fce..059e48ebabe700122f95c77fda2ed2805bbf514e 100644
--- a/settings/js/admin.js
+++ b/settings/js/admin.js
@@ -9,8 +9,8 @@ $(document).ready(function(){
if(answer) {
$.ajax({
type: 'POST',
- url: OC.generateUrl('settings/ajax/setsecurity.php'),
- data: { trustedDomain: params.trustDomain }
+ url: OC.generateUrl('settings/admin/security/trustedDomains'),
+ data: { newTrustedDomain: params.trustDomain }
}).done(function() {
window.location.replace(OC.generateUrl('settings/admin'));
});
@@ -73,10 +73,32 @@ $(document).ready(function(){
$('#setDefaultExpireDate').toggleClass('hidden', !(this.checked && $('#shareapiDefaultExpireDate')[0].checked));
});
- $('#security').change(function(){
- $.post(OC.filePath('settings','ajax','setsecurity.php'), { enforceHTTPS: $('#forcessl').val() },function(){} );
+ $('#forcessl').change(function(){
+ $(this).val(($(this).val() !== 'true'));
+ var forceSSLForSubdomain = $('#forceSSLforSubdomainsSpan');
+
+ $.post(OC.generateUrl('settings/admin/security/ssl'), {
+ enforceHTTPS: $(this).val()
+ },function(){} );
+
+ if($(this).val() === 'true') {
+ forceSSLForSubdomain.prop('disabled', false);
+ forceSSLForSubdomain.removeClass('hidden');
+ } else {
+ forceSSLForSubdomain.prop('disabled', true);
+ forceSSLForSubdomain.addClass('hidden');
+ }
});
+ $('#forceSSLforSubdomains').change(function(){
+ $(this).val(($(this).val() !== 'true'));
+
+ $.post(OC.generateUrl('settings/admin/security/ssl/subdomains'), {
+ forceSSLforSubdomains: $(this).val()
+ },function(){} );
+ });
+
+
$('#mail_smtpauth').change(function() {
if (!this.checked) {
$('#mail_credentials').addClass('hidden');
diff --git a/settings/routes.php b/settings/routes.php
index 82167ea639698f2ea7bd521fece39dfd6c2432ac..7ca33fc27459a29b2d88bfee283e8a77bc44a12f 100644
--- a/settings/routes.php
+++ b/settings/routes.php
@@ -14,7 +14,11 @@ $application->registerRoutes($this, array('routes' =>array(
array('name' => 'MailSettings#storeCredentials', 'url' => '/settings/admin/mailsettings/credentials', 'verb' => 'POST'),
array('name' => 'MailSettings#sendTestMail', 'url' => '/settings/admin/mailtest', 'verb' => 'POST'),
array('name' => 'AppSettings#listCategories', 'url' => '/settings/apps/categories', 'verb' => 'GET'),
- array('name' => 'AppSettings#listApps', 'url' => '/settings/apps/list', 'verb' => 'GET')
+ array('name' => 'AppSettings#listApps', 'url' => '/settings/apps/list', 'verb' => 'GET'),
+ array('name' => 'SecuritySettings#enforceSSL', 'url' => '/settings/admin/security/ssl', 'verb' => 'POST'),
+ array('name' => 'SecuritySettings#enforceSSLForSubdomains', 'url' => '/settings/admin/security/ssl/subdomains', 'verb' => 'POST'),
+ array('name' => 'SecuritySettings#trustedDomains', 'url' => '/settings/admin/security/trustedDomains', 'verb' => 'POST'),
+
)));
/** @var $this \OCP\Route\IRouter */
@@ -95,8 +99,6 @@ $this->create('settings_ajax_getlog', '/settings/ajax/getlog.php')
->actionInclude('settings/ajax/getlog.php');
$this->create('settings_ajax_setloglevel', '/settings/ajax/setloglevel.php')
->actionInclude('settings/ajax/setloglevel.php');
-$this->create('settings_ajax_setsecurity', '/settings/ajax/setsecurity.php')
- ->actionInclude('settings/ajax/setsecurity.php');
$this->create('settings_ajax_excludegroups', '/settings/ajax/excludegroups.php')
->actionInclude('settings/ajax/excludegroups.php');
$this->create('settings_ajax_checksetup', '/settings/ajax/checksetup')
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
index 0033845c74ec8802e1ab0973233475d827d443a6..ddac77508c71b9ebacf3bad4b9a8fcddecd3daaf 100644
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -336,9 +336,9 @@ if ($_['suggestedOverwriteWebroot']) {
<input type="checkbox" name="forcessl" id="forcessl"
<?php if ($_['enforceHTTPSEnabled']) {
print_unescaped('checked="checked" ');
- print_unescaped('value="false"');
- } else {
print_unescaped('value="true"');
+ } else {
+ print_unescaped('value="false"');
}
?>
<?php if (!$_['isConnectedViaHTTPS']) p('disabled'); ?> />
@@ -346,7 +346,23 @@ if ($_['suggestedOverwriteWebroot']) {
<em><?php p($l->t(
'Forces the clients to connect to %s via an encrypted connection.',
$theme->getName()
- )); ?></em>
+ )); ?></em><br/>
+ <span id="forceSSLforSubdomainsSpan" <?php if(!$_['enforceHTTPSEnabled']) { print_unescaped('class="hidden"'); } ?>>
+ <input type="checkbox" name="forceSSLforSubdomains" id="forceSSLforSubdomains"
+ <?php if ($_['forceSSLforSubdomainsEnabled']) {
+ print_unescaped('checked="checked" ');
+ print_unescaped('value="true"');
+ } else {
+ print_unescaped('value="false"');
+ }
+ ?>
+ <?php if (!$_['isConnectedViaHTTPS']) { p('disabled'); } ?> />
+ <label for="forceSSLforSubdomains"><?php p($l->t('Enforce HTTPS for subdomains'));?></label><br/>
+ <em><?php p($l->t(
+ 'Forces the clients to connect to %s and subdomains via an encrypted connection.',
+ $theme->getName()
+ )); ?></em>
+ </span>
<?php if (!$_['isConnectedViaHTTPS']) {
print_unescaped("<br/><em>");
p($l->t(
diff --git a/tests/settings/controller/securitysettingscontrollertest.php b/tests/settings/controller/securitysettingscontrollertest.php
new file mode 100644
index 0000000000000000000000000000000000000000..d89e4932368082b32340c1c65aaa42c07501bd80
--- /dev/null
+++ b/tests/settings/controller/securitysettingscontrollertest.php
@@ -0,0 +1,138 @@
+<?php
+/**
+ * @author Lukas Reschke
+ * @copyright 2014 Lukas Reschke lukas@owncloud.com
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+namespace OC\Settings\Controller;
+
+use \OC\Settings\Application;
+
+/**
+ * @package OC\Settings\Controller
+ */
+class SecuritySettingsControllerTest extends \PHPUnit_Framework_TestCase {
+
+ /** @var \OCP\AppFramework\IAppContainer */
+ private $container;
+
+ /** @var SecuritySettingsController */
+ private $securitySettingsController;
+
+ protected function setUp() {
+ $app = new Application();
+ $this->container = $app->getContainer();
+ $this->container['Config'] = $this->getMockBuilder('\OCP\IConfig')
+ ->disableOriginalConstructor()->getMock();
+ $this->container['AppName'] = 'settings';
+ $this->securitySettingsController = $this->container['SecuritySettingsController'];
+ }
+
+
+ public function testEnforceSSLEmpty() {
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('setSystemValue')
+ ->with('forcessl', false);
+
+ $response = $this->securitySettingsController->enforceSSL();
+ $expectedResponse = array('status' => 'success');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testEnforceSSL() {
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('setSystemValue')
+ ->with('forcessl', true);
+
+ $response = $this->securitySettingsController->enforceSSL(true);
+ $expectedResponse = array('status' => 'success');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testEnforceSSLInvalid() {
+ $this->container['Config']
+ ->expects($this->exactly(0))
+ ->method('setSystemValue');
+
+ $response = $this->securitySettingsController->enforceSSL('blah');
+ $expectedResponse = array('status' => 'error');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testEnforceSSLForSubdomainsEmpty() {
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('setSystemValue')
+ ->with('forceSSLforSubdomains', false);
+
+ $response = $this->securitySettingsController->enforceSSLForSubdomains();
+ $expectedResponse = array('status' => 'success');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testEnforceSSLForSubdomains() {
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('setSystemValue')
+ ->with('forceSSLforSubdomains', true);
+
+ $response = $this->securitySettingsController->enforceSSLForSubdomains(true);
+ $expectedResponse = array('status' => 'success');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testEnforceSSLForSubdomainsInvalid() {
+ $this->container['Config']
+ ->expects($this->exactly(0))
+ ->method('setSystemValue');
+
+ $response = $this->securitySettingsController->enforceSSLForSubdomains('blah');
+ $expectedResponse = array('status' => 'error');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testTrustedDomainsWithExistingValues() {
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('setSystemValue')
+ ->with('trusted_domains', array('owncloud.org', 'owncloud.com', 'newdomain.com'));
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('getSystemValue')
+ ->with('trusted_domains')
+ ->will($this->returnValue(array('owncloud.org', 'owncloud.com')));
+
+ $response = $this->securitySettingsController->trustedDomains('newdomain.com');
+ $expectedResponse = array('status' => 'success');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+
+ public function testTrustedDomainsEmpty() {
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('setSystemValue')
+ ->with('trusted_domains', array('newdomain.com'));
+ $this->container['Config']
+ ->expects($this->once())
+ ->method('getSystemValue')
+ ->with('trusted_domains')
+ ->will($this->returnValue(''));
+
+ $response = $this->securitySettingsController->trustedDomains('newdomain.com');
+ $expectedResponse = array('status' => 'success');
+
+ $this->assertSame($expectedResponse, $response);
+ }
+}