<?php
/*
Plugin Name: Admin SSL
Plugin URI: http://kerrins.co.uk/blog/?p=128
Description: Secures Login and Admin pages using Private or Shared SSL
Author: BCG
Version: 0.71
Author URI: http://kerrins.co.uk/

* Release Notes

	Version 0.71
		full legacy version (0.64) added (realised it was incomplete!)
		filtering $location in wp_redirect() to ensure redirection to secure URL
		bugfixes for creating siteurl cookie for use in Shared SSL setups
		WordPress compliant readme added, with screenhots

	Version 0.70
		support for both WP 2.5 and WP pre-2.5
		using WP options and configuration page for Shared SSL
		forces SSL login if meta redirect is enabled
		code cleanup and commenting, removing all unnecessary functions
		fixing redirect problem from http to https when signed in

	Version 0.67 - removing unnecessary overloaded functions
	Version 0.66 - updated to work with WP 2.5
	Version 0.65 - securing /wp-content/ pages

* Development History

 	(for the code see admin-ssl-legacy.php)

	admin-ssl 0.64 by Haris (haris.tv)
	secure-admin 0.2 by Ryan Boren

$Id: admin-ssl.php 0.71 2008-04-12 21:35:12Z bcg $
*/

//
//	support for latest versions of WordPress
//

	if($wp_version >= 2.5)
	{
	//
	//	operating folder
	//
	
		$folder = "admin-ssl";
		
	//
	//	get options from the database
	//

		$use_ssl = get_option("admin_ssl_use_ssl") === "1" ? true : false;
		$use_shared = get_option("admin_ssl_use_shared") === "1" ? true : false;
		$shared_url = get_option("admin_ssl_shared_url");
		$secure_url = "";
		
	//
	//	remember cookie value
	//
	
		$cookie_value = false;
		$cookie_expire = false;

	//
	//	return scheme based on whether or not SSL is enabled
	//

		function scheme()
		{
			global $use_ssl;
			return($use_ssl ? "https" : "http");
		}

		function cookiepath()
		{
			if($use_ssl && $use_shared){
				$url = parse_url($shared_url);
				return($url["path"]);
			}
		}

	//
	//	initialize Admin SSL - set $secure_url
	//

		function as_init()
		{
			global $folder,$use_ssl,$use_shared,$shared_url,$secure_url;

		//
		//	work out operating folder - for use in 
		//
		
			$file = __FILE__;
		
			if(strpos($file,"/") !== false)
				$slash = "/";
			elseif(strpos($file,"\\") !== false)
				$slash = "\\";

			$file = str_replace($slash."admin-ssl.php","",__FILE__);
			$folder = substr($file,strrpos($file,$slash)+1);
			
		//
		//	start output buffering to secure all links
		//

			if($use_ssl) ob_start("as_ob_handler");

		//
		//	build secure site url
		//

			$shared_url = rtrim(str_replace("wp-admin","",$shared_url),"/");

			$secure_url = $use_shared ? $shared_url : preg_replace("/^https?/",scheme(),get_option("siteurl"));
			$secure_url = rtrim(trim($secure_url),"/");
		}

	//
	//	checks if user is logged in and that page is using HTTPS
	//	replaces default WP function definition in /wp-includes/pluggable.php
	//

		if(!function_exists("auth_redirect")):
			function auth_redirect()
			{
				global $use_ssl,$use_shared,$shared_url,$secure_url;

			//
			//	check if user is logged in - WP 2.5 compatible
			//

				if((!empty($_COOKIE[AUTH_COOKIE]) && !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE]))
					|| empty($_COOKIE[AUTH_COOKIE])){
					if(strpos($_SERVER["REQUEST_URI"],"wp-login.php") === false || "on" !== $_SERVER["HTTPS"])
					{
						nocache_headers();
						$location = $secure_url . "/wp-login.php?redirect_to=" . urlencode($_SERVER["REQUEST_URI"]);
						wp_redirect($location);
						exit();
					}
				}

			//
			//	if user is on admin pages but not using https redirect
			//

				elseif(is_admin())
				{
					if(($use_ssl && "on" !== $_SERVER["HTTPS"]) || (!$use_ssl && "on" === $_SERVER["HTTPS"]))
					{
						nocache_headers();

						if($use_ssl && $use_shared){
							$url = parse_url($shared_url);
							if(!isset($url["path"])) $url["path"] = "";
							$location = scheme()."://".$url["host"].$url["path"]."/wp-admin";
						}
						else $location = scheme()."://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];

						wp_redirect($location);
						exit;
					}
				}
			}
		endif;

	//
	//	overloads check_admin_referer in case Shared SSL is being used
	//

		if(!function_exists("check_admin_referer")):
			function check_admin_referer($action=-1,$query_arg="_wpnonce")
			{
				global $secure_url;
				$adminurl = strtolower($secure_url)."/wp-admin";
				$referer = strtolower(wp_get_referer());
				$result = wp_verify_nonce($_REQUEST[$query_arg], $action);
				if(!$result && !(-1 == $action && strpos($referer,$adminurl) !== false)){
					wp_nonce_ays($action);
					die();
				}
				do_action("check_admin_referer",$action,$result);
				return $result;
			}
		endif;

	//
	//	add Admin SSL config page
	//

		function as_config_page()
		{
			if(function_exists("add_submenu_page"))
				add_submenu_page(
					"plugins.php",
					__("Admin SSL"),
					__("Admin SSL"),
					"manage_options",
					"admin-ssl-config",
					"as_conf"
				);
		}

	//
	//	display/update Admin SSL configuration
	//

		function as_conf()
		{
			global $use_ssl,$use_shared,$shared_url,$secure_url;

			if(isset($_POST["submit"]))
			{
			//
			//	make sure current user can set permissions,
			//	and that the referer was a page from this site
			//

				if(function_exists("current_user_can") && !current_user_can("manage_options"))
					exit(__("You don't have permission to change these options!"));

				check_admin_referer();

			//
			//	get the configuration options
			//

				$use_ssl = "on" === $_POST["use_ssl"] ? 1 : 0;
				$use_shared = "on" === $_POST["use_shared"] ? 1 : 0;
				$shared_url = $use_shared ? $_POST["shared_url"] : "";

			//
			//	strip index.php off the end of the URL if present
			//

				if(strpos($shared_url,"index.php") !== false)
					$shared_url = str_replace("index.php","",$shared_url);

			//
			//	verify that $shared_url is indeed a URL
			//

				if($use_shared && !preg_match("/(http|https):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/",$shared_url))
				{
					$message = "The url you entered ('$shared_url') is invalid.";
					$error = true;

					$use_shared = get_option("admin_ssl_use_shared");
					$shared_url = get_option("admin_ssl_shared_url");
				}

			//
			//	verify that the shared url ends with /wp-admin/
			//

				if($use_shared && strpos($shared_url,"wp-admin") === false)
				{
					$message = "The url you entered ('$shared_url') does not end with '/wp-admin/'.";
					$error = true;

					$use_shared = get_option("admin_ssl_use_shared");
					$shared_url = get_option("admin_ssl_shared_url");
				}

			//
			//	update options in database
			//

				update_option("admin_ssl_use_ssl",$use_ssl);
				update_option("admin_ssl_use_shared",$use_shared);
				update_option("admin_ssl_shared_url",$shared_url);

				if(!$message){
					$message = "Options saved.";
					$error = false;
				}
			}

			require_once("admin-ssl-config.php");
		}

	//
	//	output buffer handler to replace page hrefs with https urls
	//

		function as_ob_handler($buffer)
		{
			global $secure_url;

			$admin_url = get_option("siteurl") . "/wp-admin";
			$secure_admin_url = $secure_url."/wp-admin";

			$login_url = get_option("siteurl") . "/wp-login.php";
			$secure_login_url = $secure_url."/wp-login.php";

			$comment_url = get_option("siteurl") . "/wp-comments-post.php";
			$secure_comment_url = $secure_url."/wp-comments-post.php";

			$replace_this = array($admin_url, $login_url, $comment_url);
			$with_this = array($secure_admin_url, $secure_login_url, $secure_comment_url);

			if(is_admin())
			{
				$includes_url = get_option("siteurl") . "/wp-includes";
				$secure_includes_url = $secure_url . "/wp-includes";
				$replace_this[] = $includes_url;
				$with_this[] = $secure_includes_url;

				$content_url = get_option("siteurl") . "/wp-content";
				$secure_content_url = $secure_url . "/wp-content";
				$replace_this[] = $content_url;
				$with_this[] = $secure_content_url;
			}

			if(is_preview() && ("on" === $_SERVER["HTTPS"]))
			{
				$site_url = get_option("siteurl");
				$secure_site_url = $secure_url;
				$replace_this[] = $site_url;
				$with_this[] = $secure_site_url;
			}

			return(str_replace($replace_this, $with_this, $buffer));
		}

		function as_post_link($link)
		{
			global $secure_url,$pagenow;

			if(("on" === $_SERVER["HTTPS"]) && ("wp-comments-post.php" != $pagenow))
				$link = preg_replace("|^".get_option("siteurl")."|", $secure_url, $link);
			return $link;
		}

	//
	//	redirect to wp-admin/ if on login page and insecure connection being used
	//	this means auth_redirect() is called and so secure login is forced
	//

		function as_login_redirect()
		{
			global $use_ssl;

			if($use_ssl && "on" !== $_SERVER["HTTPS"])
				echo('<meta http-equiv="Refresh" content="0;url=wp-admin/" />');
		}

	//
	//	sets auth cookie for shared SSL setup
	//

		function as_set_auth_cookie($cookie,$expire=false)
		{
			global $cookie_value,$cookie_expire,$use_ssl,$use_shared;
			
			$cookie_value = $cookie;
			$cookie_expire = $expire;
			
			if($use_ssl && $use_shared) setcookie(AUTH_COOKIE,$cookie,$expire,cookiepath(),COOKIE_DOMAIN);
		}

	//
	//	clear shared SSL cookies
	//

		function as_clear_auth_cookie()
		{
			global $use_ssl,$use_shared;
			setcookie(AUTH_COOKIE," ",time()-31536000,cookiepath(),COOKIE_DOMAIN);
			if($use_ssl && $use_shared) as_siteurl_cookie("clear");
		}
		
	//
	//	if using shared SSL, set cookie for siteurl
	//
	
		function as_login($credentials=false)
		{
			global $use_ssl,$use_shared;
			if($use_ssl && $use_shared) as_siteurl_cookie("set");
		}
		
	//
	//	sets or clears siteurl cookie
	//
	
		function as_siteurl_cookie($action)
		{
			global $cookie_value,$cookie_expire,$folder,$secure_url;

		//
		//	continue only if action is 'set' and there is a cookie value,
		//	or if action is 'clear'
		//
		
			$continue = false;
			if($action == "set" && $cookie_value)
			{
				$continue = true;
			}
			elseif($action == "clear")
			{
				$cookie_value = " ";
				$continue = true;
			}
			
		//
		//	redirect to cookie script
		//
		
			if($continue)
			{
				$path = "/wp-content/plugins/$folder/admin-ssl-cookie.php";
				$file = str_replace("/wp-login.php","",$_SERVER["SCRIPT_FILENAME"]).$path;
				
				if(file_exists($file))
				{
					$url = rtrim(get_option("siteurl"),"/");
					$url .= "$path?name=".AUTH_COOKIE."&value=$cookie_value";
					$url .= "&expire=$cookie_expire&path=".COOKIEPATH."&domain=".COOKIE_DOMAIN;
					$url .= "&redirect=".(isset($_REQUEST["redirect_to"]) ? $_REQUEST["redirect_to"] :
						wp_sanitize_redirect($secure_url."/wp-login.php"));
	
					header("location: $url");
					exit();
				}
			}
		}

	//
	//	ensure wp_redirect() sends people to the correct location
	//

		function as_redirect_check($location,$status=false)
		{
			return(as_ob_handler($location));
		}

	//
	//	add custom hooks
	//

		add_action("admin_menu","as_config_page");
		add_action("init", "as_init");
		add_action("login_head","as_login_redirect");
		add_action("set_auth_cookie","as_set_auth_cookie");
		add_action("wp_login","as_login");
		add_action("wp_logout","as_clear_auth_cookie");

		add_filter("preview_page_link","as_post_link");
		add_filter("preview_post_link","as_post_link");
		add_filter("wp_redirect","as_redirect_check");
	}

//
//	support for WordPress versions pre-2.5
//

	else require_once("admin-ssl-legacy.php");

?>