From 84276d4b56d1510f416f2a20d03e68c7e0bb9987 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Mon, 17 Jul 2023 13:35:33 -0500 Subject: [PATCH 1/2] Added ability to disable plain http for CFEngine Enterprise Mission Portal This change adds the ability to completely prevent Apache from listening on port 80 by defining a class. Ticket: ENT-10411 Changelog: Title --- MPF.md | 20 +++++++++++++++++++ .../enterprise/templates/httpd.conf.mustache | 4 ++++ 2 files changed, 24 insertions(+) diff --git a/MPF.md b/MPF.md index 27f2f9a44..d353d8025 100644 --- a/MPF.md +++ b/MPF.md @@ -239,6 +239,26 @@ manage High Availability of Enterprise Hubs is enabled. **Note:** This class is **not** defined by default. +### Disable plain http for CFEngine Enterprise Mission Portal + +By default Mission Portal listens for HTTP requests on port 80, redirecting to HTTPS on port 443. To prevent the web server from listening on port 80 at all define `default:cfe_cfengine_enterprise_disable_plain_http`. + +**For example:** + +```json +{ + "classes": { + "default:cfe_enterprise_disable_plain_http": { + "class_expressions": [ "am_policy_hub|policy_server::" ] + } + } +} +``` + +**History:** + +- Added in CFEngine 3.23.0 + ### Disable cf\_promises\_validated check For non policy hubs the default update policy only performs a full scan of diff --git a/cfe_internal/enterprise/templates/httpd.conf.mustache b/cfe_internal/enterprise/templates/httpd.conf.mustache index 81eef3088..3ac6569b5 100644 --- a/cfe_internal/enterprise/templates/httpd.conf.mustache +++ b/cfe_internal/enterprise/templates/httpd.conf.mustache @@ -5,7 +5,11 @@ ServerSignature Off ServerTokens ProductOnly ServerName {{{vars.sys.fqhost}}} ServerRoot "{{{vars.sys.workdir}}}/httpd" +{{#classes.cfe_enterprise_disable_plain_http}} +# ENT-10411 Listen 80 +{{/classes.cfe_enterprise_disable_plain_http}} + PidFile "{{{vars.mission_portal_apache_from_stage.httpd_pid_file}}}" # Modules 
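Review bot: The section wrapped around `Listen 80` reads `{{#classes.cfe_enterprise_disable_plain_http}}` here, and a plain `{{#…}}` section renders its body only when the class is defined, which is the inverse of what the subject line describes: a hub without the class would get no port-80 listener and a hub that defines it would. Unless the collapsed diff has lost an inverted-section marker, the opener should be `{{^classes.cfe_enterprise_disable_plain_http}}`, the same inverted form this template already uses around the http->https rewrite block. The bare `# ENT-10411` comment that lands in the generated httpd.conf says nothing about what is being gated; `# ENT-10411: plain-http listener, omitted when cfe_enterprise_disable_plain_http is defined` would let an operator reading the rendered file understand why port 80 is absent. Separately, the MPF.md prose in this patch tells users to define `default:cfe_cfengine_enterprise_disable_plain_http`, while the section name consumed here and the JSON example both use `cfe_enterprise_disable_plain_http`, so following the prose as written would have no effect.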
From 9708c62e9455e1dfcf15427a7d29ed04e968d9e7 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Mon, 17 Jul 2023 13:38:03 -0500 Subject: [PATCH 2/2] Adjusted and documented class names and for disabling http -> https redirection While implementing the ability to prevent listening on port 80 I noticed this documentation was missing so I added it. Based on feedback from the PR providing capability to disable listening on port 80 these related settings to avoid redirecting from http -> https were updated to be more clear. Warnings were also introduced to highlight the case of using the older less understandable value and redirection to http is automatically disabled if plain http is disabled. Ticket: ENT-2071 Changelog: None --- MPF.md | 29 +++++++++++++++++++ .../enterprise/templates/httpd.conf.mustache | 4 +-- controls/def.cf | 15 ++++++++++ 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/MPF.md b/MPF.md index d353d8025..1e5a7a619 100644 --- a/MPF.md +++ b/MPF.md 
@@ -255,10 +255,39 @@ By default Mission Portal listens for HTTP requests on port 80, redirecting to H } ``` +**Notes:** + +- If this class (`default:cfe_enterprise_disable_http_redirect_to_https`) is defined the class `default:cfe_enterprise_disable_plain_http` is defined is automatically defined. + **History:** - Added in CFEngine 3.23.0 +### Disable plain http redirect to https for CFEngine Enterprise Mission Portal + +By default Mission Portal listens for HTTP requests on port 80, redirecting to HTTPS on port 443. To prevent redirection of requests on HTTP to HTTPS define `default:cfe_enterprise_disable_http_redirect_to_https`. + +**For example:** + +```json +{ + "classes": { + "default:cfe_enterprise_disable_http_redirect_to_https": { + "class_expressions": [ "(am_policy_hub|policy_server).test_server::" ] + } + } +} +``` + +**Notes:** + +- If `default:cfe_enterprise_disable_plain_http` is defined, this class (`default:cfe_enterprise_disable_http_redirect_to_https`) is automatically defined. + +**History:** + +- Added in CFEngine 3.6.0 +- Class renamed from `cfe_cfengine_enterprise_enable_plain_http` to `cfe_enterprise_disable_http_redirect_to_https` in CFEngine 3.23.0 + ### Disable cf\_promises\_validated check For non policy hubs the default update policy only performs a full scan of diff --git a/cfe_internal/enterprise/templates/httpd.conf.mustache b/cfe_internal/enterprise/templates/httpd.conf.mustache index 3ac6569b5..26e74c928 100644 --- a/cfe_internal/enterprise/templates/httpd.conf.mustache +++ b/cfe_internal/enterprise/templates/httpd.conf.mustache 
@@ -234,11 +234,11 @@ AddType application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_v RewriteEngine On - {{^classes.cfe_enterprise_enable_plain_http}} + {{^classes.cfe_enterprise_disable_http_redirect_to_https}} # Force https with redirection RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] - {{/classes.cfe_enterprise_enable_plain_http}} + {{/classes.cfe_enterprise_disable_http_redirect_to_https}} {{#classes.mission_portal_index_php_redirect_enabled}} # redirect from `index.php/path` to `/path` diff --git a/controls/def.cf b/controls/def.cf index deacc57e4..b4d1a1924 100644 --- a/controls/def.cf +++ b/controls/def.cf @@ -676,6 +676,21 @@ bundle common def # Enable paths to POSIX tools instead of native tools when possible. "mpf_stdlib_use_posix_utils" expression => "any"; + enterprise_edition.(policy_server|am_policy_hub):: + "cfe_enterprise_disable_http_redirect_to_https" + scope => "namespace", + expression => "cfe_cfengine_enterprise_enable_plain_http"; + + "cfe_enterprise_disable_http_redirect_to_https" + expression => "cfe_enterprise_disable_plain_http", + comment => "If plain http is disabled, it makes no sense to redirect to it, so we disable that as well."; + + reports: + "Warning: the 'cfe_cfengine_enterprise_enable_plain_http' class has been deprecated in favor of 'cfe_enterprise_disable_http_redirect_to_https', please adjust accordingly. The 'cfe_enterprise_disable_http_redirect_to_https' class has been set automatically." + if => "cfe_enterprise_disable_http_redirect_to_https.cfe_cfengine_enterprise_enable_plain_http"; + "Warning: the 'cfe_cfengine_enterprise_enable_plain_http' class has been deprecated in favor of 'cfe_enterprise_disable_http_redirect_to_https', please adjust accordingly." + if => "cfe_cfengine_enterprise_enable_plain_http.!cfe_enterprise_disable_http_redirect_to_https"; + } bundle common inventory_control
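Review bot: The compatibility shim maps only `cfe_cfengine_enterprise_enable_plain_http` onto the new class, but the section name this series removes from httpd.conf.mustache was `cfe_enterprise_enable_plain_http` (no `cfengine_`), so a site that had been setting the spelling the template actually honoured gets neither the shim nor a deprecation warning and its http->https redirect silently comes back on; unless that spelling was reachable through an alias I cannot see here, widen the shim to `expression => "cfe_cfengine_enterprise_enable_plain_http|cfe_enterprise_enable_plain_http"` and extend both report conditions to cover it. The `comment` on the second promise says it makes no sense to redirect "to" plain http, but the rewrite rule being suppressed redirects from port 80 to https; `comment => "With no port-80 listener there is nothing to redirect from, so the http->https rewrite is dropped as well."` states the reason correctly. The first promise carries `scope => "namespace"` and the second does not; in a common bundle both are namespace-scoped regardless, so either drop the attribute or set it on both rather than leaving the pair inconsistent. Defining `cfe_enterprise_disable_http_redirect_to_https` leaves Mission Portal logins reachable over cleartext HTTP, which the new MPF.md section for it should say explicitly, and the Notes entry added under the plain-http section states the implication in reverse (it is `disable_plain_http` that implies `disable_http_redirect_to_https`, as the second promise here encodes).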