require SSL for all API requests, refs #3956

An API request is defined as any path beginning with /api

Change-Id: I715a0b63bbe1d6025cab9cf5b2f1bd062b321eab
Reviewed-on: https://gerrit.instructure.com/2562
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Wily <zach@instructure.com>
Reviewed-by: JT Olds <jt@instructure.com>

app/controllers/application_controller.rb

@@ -40,6 +40,8 @@ class ApplicationController < ActionController::Base
   before_filter :fix_xhr_requests
   before_filter :init_body_classes_and_active_tab
 
+  ssl_required_if(:api_request?)
+
   protected
   
   def init_body_classes_and_active_tab

vendor/plugins/ssl_requirement/lib/ssl_requirement.rb

@@ -61,11 +61,25 @@ module SslRequirement
     def ssl_allowed(*actions)
       write_inheritable_array(:ssl_allowed_actions, actions)
     end
+
+    # added by Instructure to support our API usage in the short-term, until
+    # the app is all-SSL and we remove this plugin completely.
+    # if any method returns !!true, this overrides the required/allowed list of
+    # actions.
+    def ssl_required_if(method_name)
+      write_inheritable_array(:ssl_required_if, [method_name])
+    end
   end
   
   protected
     # Returns true if the current action is supposed to run as SSL
     def ssl_required?
+      methods = (self.class.read_inheritable_attribute(:ssl_required_if) || [])
+
+      if methods && methods.any? { |m| self.send(m) }
+        return true
+      end
+
       required = (self.class.read_inheritable_attribute(:ssl_required_actions) || [])
       except  = self.class.read_inheritable_attribute(:ssl_required_except_actions)