## Changed

* `CBAuthValidator` has been renamed to just `AuthValidator` this way it can be used with ANY authentication service instead of binding it to just `cbauth`.  This validator just relies on the `IAuthUser` interface now.

### Added

* New `AuthValidator` now can validate permissions and roles according to our `IAuthUser` interface but can be used on ANY authentication service that implements `IAuthService`

Author: lmajano

changelog.md

@@ -16,9 +16,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * **COMPAT** New `JwtAuthValidator` instead of mixing concerns with the `JwtService`.  You will have to update your configuration to use this `validator` instead of the `JwtService`
 * `useSSL` is now defaulted to `true` for all security relocations as the default
 * Encapsulation of `jwt` settings from the `ModuleConfig` to the `JwtService`
+* `CBAuthValidator` has been renamed to just `AuthValidator` this way it can be used with ANY authentication service instead of binding it to just `cbauth`.  This validator just relies on the `IAuthUser` interface now.
 
 ### Added
 
+* New `AuthValidator` now can validate permissions and roles according to our `IAuthUser` interface but can be used on ANY authentication service that implements `IAuthService`
 * New authorization and authentication delegates for usage in cb7
 * New ability for the firewall to log all action events to a database table.
 * New visualizer that can visualize all settings and all firewall events via the log table if enabled.

models/CBSecurity.cfc

@@ -75,7 +75,7 @@ component threadsafe singleton accessors="true" {
 			// Auto load the global security firewall automatically, else you can load it a-la-carte via the `Security` interceptor
 			"autoLoadFirewall"            : true,
 			// The validator is an object that will validate the firewall rules and annotations and provide feedback on either authentication or authorization issues.
-			"validator"                   : "CBAuthValidator@cbsecurity",
+			"validator"                   : "AuthValidator@cbsecurity",
 			// Activate handler/action based annotation security
 			"handlerAnnotationSecurity"   : true,
 			// The global invalid authentication event or URI or URL to go if an invalid authentication occurs

models/validators/AuthValidator.cfc

@@ -0,0 +1,104 @@
+/**
+ * Copyright since 2016 by Ortus Solutions, Corp
+ * www.ortussolutions.com
+ * ---
+ * This is the core validator which leverages any Authentication Service
+ * that implements cbsecurity.models.interfaces.IAuthService and any User
+ * that implements cbsecurity.models.interfaces.IAuthUser
+ */
+component singleton threadsafe {
+
+	// DI
+	property name="cbSecurity" inject="CBSecurity@cbSecurity";
+	property name="log"        inject="logbox:logger:{this}";
+
+	/**
+	 * This function is called once an incoming event matches a security rule.
+	 * You will receive the security rule that matched and an instance of the
+	 * ColdBox controller.
+	 *
+	 * You must return a struct with three keys:
+	 * - allow:boolean True, user can continue access, false, invalid access actions will ensue
+	 * - type:string(authentication|authorization) The type of block that ocurred.  Either an authentication or an authorization issue.
+	 * - messages:string Info/debug messages
+	 *
+	 * @return { allow:boolean, type:string(authentication|authorization), messages:string }
+	 */
+	struct function ruleValidator( required rule, required controller ){
+		return validateSecurity( permissions: arguments.rule.permissions, roles: arguments.rule.roles );
+	}
+
+	/**
+	 * This function is called once access to a handler/action is detected.
+	 * You will receive the secured annotation value and an instance of the ColdBox Controller
+	 *
+	 * You must return a struct with three keys:
+	 * - allow:boolean True, user can continue access, false, invalid access actions will ensue
+	 * - type:string(authentication|authorization) The type of block that ocurred.  Either an authentication or an authorization issue.
+	 * - messages:string Info/debug messages
+	 *
+	 * @return { allow:boolean, type:string(authentication|authorization), messages:string }
+	 */
+	struct function annotationValidator( required securedValue, required controller ){
+		return validateSecurity( permissions = arguments.securedValue );
+	}
+
+	/**
+	 * Validate Security on the user
+	 *
+	 * @permissions The secured value of the annotation or the rule permissions
+	 * @roles       Rule roles
+	 *
+	 * @return Security Results Struct: { allow : boolean, type : (authentication|authorization), messages : "" }
+	 */
+	private function validateSecurity( string permissions = "", string roles = "" ){
+		var results = {
+			"allow"    : false,
+			"type"     : "authentication",
+			"messages" : ""
+		};
+		var authService = variables.cbSecurity.getAuthService();
+
+		// Normalize roles + perms
+		arguments.roles       = arguments.roles.listToArray();
+		arguments.permissions = arguments.permissions.listToArray();
+
+		if ( authService.isLoggedIn() ) {
+			// If we are here, we are logged in, verify authorizations
+			var oUser     = authService.getUser();
+			// Authentication passed, we are on to authorization now
+			results.type  = "authorization";
+			// Default to block, unless we validate either roles or permissions
+			results.allow = arrayLen( arguments.roles ) || arrayLen( arguments.permissions ) ? false : true;
+
+			// Validate new interface if not, just warn
+			// TODO: Change to just use the hasRole() by vNext : Compat for now.
+			if ( !structKeyExists( oUser, "hasRole" ) ) {
+				variables.log.warn( "CBSecurity User object does not implement the `hasRole()` method. Please add it." );
+			}
+
+			// Check roles
+			if ( arrayLen( arguments.roles ) && structKeyExists( oUser, "hasRole" ) ) {
+				for ( var thisRole in arguments.roles ) {
+					if ( oUser.hasRole( thisRole ) ) {
+						results.allow = true;
+						break;
+					}
+				}
+			}
+
+			// Check Perms
+			if ( listLen( arguments.permissions ) ) {
+				for ( var thisPermission in arguments.permissions ) {
+					if ( oUser.hasPermission( thisPermission ) ) {
+						results.allow = true;
+						break;
+					}
+				}
+			}
+		}
+
+		return results;
+	}
+
+}

models/validators/BasicAuthValidator.cfc

@@ -7,8 +7,9 @@
  */
 component singleton threadsafe {
 
-	// Injection
+	// DI
 	property name="cbSecurity" inject="CBSecurity@cbSecurity";
+	property name="log"        inject="logbox:logger:{this}";
 
 	/**
 	 * This function is called once an incoming event matches a security rule.
@@ -79,32 +80,40 @@ component singleton threadsafe {
 				results.allow = true;
 			} catch ( "InvalidCredentials" e ) {
 				// Not secure! Basic Auth Prompt
-				event.setHTTPHeader(
-					name  = "WWW-Authenticate",
-					value = "basic realm='Please enter your credentials'"
-				).setHTTPHeader( name = "Cache-Control", value = "no-cache, must-revalidate, max-age=0" );
+				event
+					.setHTTPHeader(
+						name  = "WWW-Authenticate",
+						value = "basic realm='Please enter your credentials'"
+					)
+					.setHTTPHeader( name = "Cache-Control", value = "no-cache, must-revalidate, max-age=0" );
 				results.processactions = false;
 				return results;
 			}
 		}
 
 		// If we are here, we are logged in, verify authorizations
-		var user      = authService.getUser();
+		var oUser     = authService.getUser();
 		// Authentication passed, we are on to authorization now
 		results.type  = "authorization";
 		// Default to block, unless we validate either roles or permissions
 		results.allow = arrayLen( arguments.roles ) || arrayLen( arguments.permissions ) ? false : true;
 
-		// Check if the access requires roles
+		// Validate new interface if not, just warn
+		// TODO: Change to just use the hasRole() by vNext : Compat for now.
+		if ( !structKeyExists( oUser, "hasRole" ) ) {
+			variables.log.warn( "CBSecurity User object does not implement the `hasRole()` method. Please add it." );
+		}
+
+		// Check roles
 		if ( arrayLen( arguments.roles ) && structKeyExists( user, "hasRole" ) ) {
-			if ( user.hasRole( arguments.roles ) ) {
+			if ( oUser.hasRole( arguments.roles ) ) {
 				results.allow = true;
 			}
 		}
 
-		// Check if the access requires permissions
+		// Check perms
 		if ( arrayLen( arguments.permissions ) ) {
-			if ( user.hasPermission( arguments.permissions ) ) {
+			if ( oUser.hasPermission( arguments.permissions ) ) {
 				results.allow = true;
 			}
 		}

models/validators/CBAuthValidator.cfc

@@ -1,71 +1,7 @@
-/**
- * Copyright since 2016 by Ortus Solutions, Corp
- * www.ortussolutions.com
- * ---
- * This is the core validator which leverages CBAuth
- * https://helpx.adobe.com/coldfusion/developing-applications/developing-cfml-applications/securing-applications/using-coldfusion-security-tags-and-functions.html
- */
-component singleton threadsafe {
+component singleton threadsafe extends="AuthValidator"{
 
-	// Injection
-	property name="cbSecurity" inject="CBSecurity@cbSecurity";
-
-	/**
-	 * This function is called once an incoming event matches a security rule.
-	 * You will receive the security rule that matched and an instance of the
-	 * ColdBox controller.
-	 *
-	 * You must return a struct with three keys:
-	 * - allow:boolean True, user can continue access, false, invalid access actions will ensue
-	 * - type:string(authentication|authorization) The type of block that ocurred.  Either an authentication or an authorization issue.
-	 * - messages:string Info/debug messages
-	 *
-	 * @return { allow:boolean, type:string(authentication|authorization), messages:string }
-	 */
-	struct function ruleValidator( required rule, required controller ){
-		return validateSecurity( arguments.rule.permissions );
-	}
-
-	/**
-	 * This function is called once access to a handler/action is detected.
-	 * You will receive the secured annotation value and an instance of the ColdBox Controller
-	 *
-	 * You must return a struct with three keys:
-	 * - allow:boolean True, user can continue access, false, invalid access actions will ensue
-	 * - type:string(authentication|authorization) The type of block that ocurred.  Either an authentication or an authorization issue.
-	 * - messages:string Info/debug messages
-	 *
-	 * @return { allow:boolean, type:string(authentication|authorization), messages:string }
-	 */
-	struct function annotationValidator( required securedValue, required controller ){
-		return validateSecurity( arguments.securedValue );
-	}
-
-	/**
-	 * Validate Security via CBAuth
-	 *
-	 * @permissions
-	 */
-	private function validateSecurity( required permissions ){
-		var results = {
-			"allow"    : false,
-			"type"     : "authentication",
-			"messages" : ""
-		};
-
-		// Are we logged in?
-		if ( variables.cbSecurity.getAuthService().isLoggedIn() ) {
-			// Do we have any permissions?
-			if ( listLen( arguments.permissions ) ) {
-				results.allow = variables.cbSecurity.has( arguments.permissions );
-				results.type  = "authorization";
-			} else {
-				// We are satisfied!
-				results.allow = true;
-			}
-		}
-
-		return results;
+	function onDIComplete(){
+		variables.log.warn( "The CBAuthValidator has been deprecated, please change your references to just `AuthValidator@cbsecurity` " );
 	}
 
 }

readme.md

@@ -134,7 +134,7 @@ moduleSettings = {
 			// Auto load the global security firewall automatically, else you can load it a-la-carte via the `Security` interceptor
 			"autoLoadFirewall"            : true,
 			// The Global validator is an object that will validate the firewall rules and annotations and provide feedback on either authentication or authorization issues.
-			"validator"                   : "CBAuthValidator@cbsecurity",
+			"validator"                   : "AuthValidator@cbsecurity",
 			// Activate handler/action based annotation security
 			"handlerAnnotationSecurity"   : true,
 			// The global invalid authentication event or URI or URL to go if an invalid authentication occurs

test-harness/tests/specs/integration/SecuritySpec.cfc

@@ -173,7 +173,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 
 				given( "A secured annotated handler and an annotated action and a valid access", function(){
 					then( "it should allow access", function(){
-						prepareMock( getInstance( "CBAuthValidator@cbSecurity" ) ).$(
+						prepareMock( getInstance( "AuthValidator@cbSecurity" ) ).$(
 							"annotationValidator",
 							{ allow : true, type : "authentication" }
 						);
@@ -184,7 +184,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 
 				given( "A secured annotated handler and an annotated action with invalid auth", function(){
 					then( "it should allow access to handler but not to action", function(){
-						prepareMock( getInstance( "CBAuthValidator@cbSecurity" ) )
+						prepareMock( getInstance( "AuthValidator@cbSecurity" ) )
 							.$( "annotationValidator" )
 							.$results(
 								{ allow : true, type : "authentication" },