Replace separate https and force_ssl flags with https + hsts

By default, https will be enabled in production in OpenProject 12.2. Right now, a separate flag exists called

rails_force_ssl that needs to be controlled separately, but the two settings are intermingled.

This PR fixes this so that:

HTTPS setting controls the secure cookies and generating links with
https throughout the application

HSTS setting is only active by default when HTTPS is enabled and
controls the HSTS headers as well as the HTTP->HTTPS request upgrade for
transport-security.

app/helpers/warning_bar_helper.rb

@@ -40,7 +40,7 @@ module WarningBarHelper
   end
 
   def setting_protocol_mismatched?
-    request.ssl? != OpenProject::Configuration.secure_connection?
+    request.ssl? != OpenProject::Configuration.https?
   end
 
   def setting_hostname_mismatched?

app/models/setting/aliases.rb

@@ -33,7 +33,7 @@ class Setting
     ##
     # Restore the previous Setting.protocol now replaced by https?
     def protocol
-      if OpenProject::Configuration.secure_connection?
+      if OpenProject::Configuration.https?
         'https'
       else
         'http'

config/constants/settings/definitions.rb

@@ -666,16 +666,16 @@ Settings::Definition.define do
       writable: false
 
   # Assume we're running in an TLS terminated connection.
-  # This does not affect HSTS, use +rails_force_ssl+ for that.
   add :https,
       format: :boolean,
       default: Rails.env.production?,
       writable: false
 
-  # Enable HTTPS and HSTS
-  add :rails_force_ssl,
+  # Allow disabling of HSTS headers and http -> https redirects
+  # for non-localhost hosts
+  add :hsts,
       format: :boolean,
-      default: Rails.env.production?,
+      default: -> { https? },
       writable: false
 
   add :registration_footer,

config/environments/production.rb

@@ -74,19 +74,30 @@ OpenProject::Application.configure do
   # Store uploaded files on the local file system (see config/storage.yml for options)
   # config.active_storage.service = :local
 
-  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  config.force_ssl = ActiveModel::Type::Boolean.new.cast(OpenProject::Configuration['rails_force_ssl'])
+  # When https is configured, Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # Allow disabling HSTS redirect by using OPENPROJECT_HSTS=false
+  config.force_ssl = OpenProject::Configuration.https?
   config.ssl_options = {
     # Disable redirect on the internal SYS API
     redirect: {
+      hsts: OpenProject::Configuration.hsts?,
       exclude: ->(request) do
+        # Disable redirects when hsts is disabled
+        return true unless OpenProject::Configuration.hsts?
+
         # Respect the relative URL
         relative_url = Regexp.escape(OpenProject::Configuration['rails_relative_url_root'])
+
         # When we match SYS controller API, allow non-https access
-        request.path =~ /#{relative_url}\/sys\// || request.path =~ /#{relative_url}\/health_checks/
+        return true if request.path =~ /#{relative_url}\/sys\//
+
+        # When we match health checks
+        return true if request.path =~ /#{relative_url}\/health_checks/
+
+        false
       end
     },
-    secure_cookies: true
+    secure_cookies: OpenProject::Configuration.https?
   }
 
   # Set to :debug to see everything in the log.

config/initializers/session_store.rb

@@ -79,7 +79,7 @@ relative_url_root = config['rails_relative_url_root'].presence
 session_options = {
   key: config['session_cookie_name'],
   httponly: true,
-  secure: config.secure_connection?,
+  secure: config.https?,
   path: relative_url_root
 }
 

lib_static/open_project/configuration/helpers.rb

@@ -32,12 +32,6 @@ module OpenProject
     # To be included into OpenProject::Configuration in order to provide
     # helper methods for easier access to certain configuration options.
     module Helpers
-      ##
-      # Are we behind a TLS terminated session?
-      def secure_connection?
-        https? || rails_force_ssl?
-      end
-
       def direct_uploads
         return false unless direct_uploads_supported?
 

modules/avatars/app/helpers/avatar_helper.rb

@@ -121,7 +121,7 @@ module AvatarHelper
 
   def default_gravatar_options
     {
-      secure: OpenProject::Configuration.secure_connection?,
+      secure: OpenProject::Configuration.https?,
       default: OpenProject::Configuration.gravatar_fallback_image
     }
   end

modules/two_factor_authentication/app/controllers/concerns/two_factor_authentication/remember_token.rb

@@ -29,7 +29,7 @@ module ::TwoFactorAuthentication
         value: new_token!(@authenticated_user),
         httponly: true,
         expires: remember_2fa_days.days.from_now,
-        secure: OpenProject::Configuration.secure_connection?
+        secure: OpenProject::Configuration.https?
       }
     end