Move XSRF_TOKEN cookie from HostPageServlet to filter

Use this filter both for the GWT UI in HostPageServlet and the static
PolyGerrit UI. Browsers should respect Set-Cookie headers in the
response even when the HTTP code is 304.

Change-Id: Ibb6997c3c4846310427f11e9e8d39422c3c19632

gerrit-httpd/src/main/java/com/google/gerrit/httpd/UrlModule.java

@@ -64,6 +64,7 @@ class UrlModule extends ServletModule {
     bind(Key.get(CacheControlFilter.class)).in(SINGLETON);
 
     if (options.enableDefaultUi()) {
+      filter("/").through(XsrfCookieFilter.class);
       serve("/").with(HostPageServlet.class);
       serve("/Gerrit").with(LegacyGerritServlet.class);
       serve("/Gerrit/*").with(legacyGerritScreen());

gerrit-httpd/src/main/java/com/google/gerrit/httpd/XsrfCookieFilter.java

@@ -0,0 +1,81 @@
+// Copyright (C) 2015 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd;
+
+import com.google.gerrit.common.data.HostPageData;
+import com.google.gerrit.extensions.registration.DynamicItem;
+import com.google.gerrit.server.CurrentUser;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Singleton
+public class XsrfCookieFilter implements Filter {
+  private final Provider<CurrentUser> user;
+  private final DynamicItem<WebSession> session;
+
+  @Inject
+  XsrfCookieFilter(
+      Provider<CurrentUser> user,
+      DynamicItem<WebSession> session) {
+    this.user = user;
+    this.session = session;
+  }
+
+  @Override
+  public void doFilter(ServletRequest req, ServletResponse rsp,
+      FilterChain chain) throws IOException, ServletException {
+    WebSession s = user.get().isIdentifiedUser() ? session.get() : null;
+    setXsrfTokenCookie(
+        (HttpServletRequest) req, (HttpServletResponse) rsp, s);
+    chain.doFilter(req, rsp);
+  }
+
+  private static void setXsrfTokenCookie(HttpServletRequest req,
+      HttpServletResponse rsp, WebSession session) {
+    String v = session != null ? session.getXGerritAuth() : "";
+    Cookie c = new Cookie(HostPageData.XSRF_COOKIE_NAME, v);
+    c.setPath("/");
+    c.setSecure(isSecure(req));
+    c.setMaxAge(session != null
+        ? -1 // Set the cookie for this browser session.
+        : 0); // Remove the cookie (expire immediately).
+    rsp.addCookie(c);
+  }
+
+  private static boolean isSecure(HttpServletRequest req) {
+    return req.isSecure() || "https".equals(req.getScheme());
+  }
+
+  @Override
+  public void init(FilterConfig config) {
+  }
+
+  @Override
+  public void destroy() {
+  }
+}

gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java

@@ -25,13 +25,11 @@ import com.google.common.primitives.Bytes;
 import com.google.gerrit.common.Version;
 import com.google.gerrit.common.data.HostPageData;
 import com.google.gerrit.extensions.client.DiffPreferencesInfo;
-import com.google.gerrit.extensions.registration.DynamicItem;
 import com.google.gerrit.extensions.registration.DynamicSet;
 import com.google.gerrit.extensions.restapi.AuthException;
 import com.google.gerrit.extensions.systemstatus.MessageOfTheDay;
 import com.google.gerrit.extensions.webui.WebUiPlugin;
 import com.google.gerrit.httpd.HtmlDomUtil;
-import com.google.gerrit.httpd.WebSession;
 import com.google.gerrit.server.CurrentUser;
 import com.google.gerrit.server.IdentifiedUser;
 import com.google.gerrit.server.account.AccountResource;
@@ -67,7 +65,6 @@ import java.util.concurrent.TimeUnit;
 
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -83,7 +80,6 @@ public class HostPageServlet extends HttpServlet {
   private static final int DEFAULT_JS_LOAD_TIMEOUT = 5000;
 
   private final Provider<CurrentUser> currentUser;
-  private final DynamicItem<WebSession> session;
   private final DynamicSet<WebUiPlugin> plugins;
   private final DynamicSet<MessageOfTheDay> messages;
   private final HostPageData.Theme signedOutTheme;
@@ -101,7 +97,6 @@ public class HostPageServlet extends HttpServlet {
   @Inject
   HostPageServlet(
       Provider<CurrentUser> cu,
-      DynamicItem<WebSession> w,
       SitePaths sp,
       ThemeFactory themeFactory,
       ServletContext servletContext,
@@ -113,7 +108,6 @@ public class HostPageServlet extends HttpServlet {
       GetDiffPreferences diffPref)
       throws IOException, ServletException {
     currentUser = cu;
-    session = w;
     plugins = webUiPlugins;
     messages = motd;
     signedOutTheme = themeFactory.getSignedOutTheme();
@@ -193,7 +187,6 @@ public class HostPageServlet extends HttpServlet {
     StringWriter w = new StringWriter();
     CurrentUser user = currentUser.get();
     if (user.isIdentifiedUser()) {
-      setXGerritAuthCookie(req, rsp, session.get());
       w.write(HPD_ID + ".accountDiffPref=");
       json(getDiffPreferences(user.asIdentifiedUser()), w);
       w.write(";");
@@ -202,7 +195,6 @@ public class HostPageServlet extends HttpServlet {
       json(signedInTheme, w);
       w.write(";");
     } else {
-      setXGerritAuthCookie(req, rsp, null);
       w.write(HPD_ID + ".theme=");
       json(signedOutTheme, w);
       w.write(";");
@@ -229,22 +221,6 @@ public class HostPageServlet extends HttpServlet {
     }
   }
 
-  private static void setXGerritAuthCookie(HttpServletRequest req,
-      HttpServletResponse rsp, WebSession session) {
-    String v = session != null ? session.getXGerritAuth() : "";
-    Cookie c = new Cookie(HostPageData.XSRF_COOKIE_NAME, v);
-    c.setPath("/");
-    c.setSecure(isSecure(req));
-    c.setMaxAge(session != null
-        ? -1 // Set the cookie for this browser session.
-        : 0); // Remove the cookie (expire immediately).
-    rsp.addCookie(c);
-  }
-
-  private static boolean isSecure(HttpServletRequest req) {
-    return req.isSecure() || "https".equals(req.getScheme());
-  }
-
   private DiffPreferencesInfo getDiffPreferences(IdentifiedUser user) {
     try {
       return getDiff.apply(new AccountResource(user));

gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/StaticModule.java

@@ -19,6 +19,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import com.google.common.cache.Cache;
 import com.google.common.collect.ImmutableList;
 import com.google.gerrit.httpd.GerritOptions;
+import com.google.gerrit.httpd.XsrfCookieFilter;
 import com.google.gerrit.httpd.raw.ResourceServlet.Resource;
 import com.google.gerrit.launcher.GerritLauncher;
 import com.google.gerrit.server.cache.CacheModule;
@@ -163,6 +164,7 @@ public class StaticModule extends ServletModule {
       }
 
       for (String p : POLYGERRIT_INDEX_PATHS) {
+        filter(p).through(XsrfCookieFilter.class);
         serve(p).with(PolyGerritUiIndexServlet.class);
       }
       serve("/*").with(PolyGerritUiServlet.class);