Merge branch 'development'

Author: lmajano

.travis.yml

@@ -1,4 +1,6 @@
 language: java
+os: "linux"
+dist: focal
 
 notifications:
   slack:
@@ -18,16 +20,8 @@ branches:
   - development
   - master
 
-dist: trusty
-
-sudo: required
-
-addons:
-  apt:
-    packages:
-    - mysql-server-5.6
-    - mysql-client-core-5.6
-    - mysql-client-5.6
+services:
+  - mysql
 
 before_install:
   # CommandBox Keys
@@ -48,6 +42,10 @@ before_script:
   - printf "DB_DATABASE=cbsecurity\n" >> test-harness/.env
   - printf "DB_USER=root\n" >> test-harness/.env
   - printf "DB_PASSWORD=\n" >> test-harness/.env
+  - printf "DB_BUNDLEVERSION=8.0.19\n" >> test-harness/.env
+  - printf "DB_BUNDLENAME=com.mysql.cj\n" >> test-harness/.env
+  # MySQL 8
+  - printf "DB_CLASS=com.mysql.cj.jdbc.Driver\n" >> test-harness/.env
 
 install:
   # Install Commandbox

ModuleConfig.cfc

@@ -110,7 +110,7 @@ component {
 			customInterceptionPoints = [
 				// Validator Events
 				"cbSecurity_onInvalidAuthentication",
-				"cbSecurity_onInvalidAuhtorization",
+				"cbSecurity_onInvalidAuthorization",
 				// JWT Events
 				"cbSecurity_onJWTCreation",
 				"cbSecurity_onJWTInvalidation",

box.json

@@ -1,6 +1,6 @@
 {
     "name":"ColdBox Security",
-    "version":"2.8.0",
+    "version":"2.9.0",
     "location":"https://downloads.ortussolutions.com/ortussolutions/coldbox-modules/cbsecurity/@build.version@/[email protected]@.zip",
     "author":"Ortus Solutions.com <[email protected]>",
     "slug":"cbsecurity",

changelog.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ----
 
+## [2.9.0] => 2020-DEC-11
+
+### Fixed
+
+* Fixes a typo in the `cbSecurity_onInvalidAuthorization` interception point declaration. Previously, the typo would prevent ColdBox from allowing the correctly-typed interception point from ever triggering an interception listener.
+* The `userValidator()` method has been changed to `roleValidator()`, but the error message was forgotten! So the developer is told they need a `userValidator()` method... because the `userValidator` method is no longer supported. :/
+
+### Added
+
+* The `isLoggedIn()` method now makes sure that a jwt is in place and valid, before determining if you are logged in or not.
+* Migrated all automated tests to `focal` and `mysql8` in preparation for latest updates
+* Add support for JSON/XML/model rules source when loading rules from modules.  Each module can now load rules not only inline but from the documented external sources.
+* Ensure non-configured `rules` default to empty array
+
+----
+
 ## [2.8.0] => 2020-NOV-09
 
 ### Added

interceptors/Security.cfc

@@ -99,12 +99,20 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 		param arguments.settings.defaultAuthorizationAction  = "";
 		param arguments.settings.validator                   = "";
 
+		// Verify setting configurations
+		variables.rulesLoader.rulesSourceChecks( arguments.settings );
+
 		// Store configuration in this firewall
 		variables.securityModules[ arguments.module ] = arguments.settings;
 
 		// Process Module Rules
 		arguments.settings.rules = variables.rulesLoader.normalizeRules( arguments.settings.rules, module );
 
+		// Load Rules if we have a ruleSource
+		if ( arguments.settings.rulesSource.len() ) {
+			arguments.settings.rules = variables.rulesLoader.loadRules( arguments.settings );
+		}
+
 		// prepend them so the don't interfere with MAIN rules
 		// one by one as I don't see a way to prepend the whole array at once
 		for ( var i = arguments.settings.rules.len(); i >= 1; i-- ){
@@ -460,7 +468,7 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 			variables.validator = arguments.validator;
 		} else {
 			throw(
-				message = "Validator object does not have a 'userValidator()' and `annotationValidator()' methods. I can only register objects with these interface methods.",
+				message = "Validator object requires either a 'ruleValidator()' or `annotationValidator()' method. I can only register objects with these interface methods.",
 				type    = "Security.ValidatorMethodException"
 			);
 		}

models/jwt/JwtService.cfc

@@ -166,6 +166,15 @@ component accessors="true" singleton {
 	 * Shortcut function to our authentication services to check if we are logged in
 	 */
 	boolean function isLoggedIn(){
+		// We try to authenticate because we need the JWT to be validated for the request
+		// There are ocassions where the user could have logged out but the token is still active
+		// Or the inverse, where there is no more token passed and user still logged in in session.
+		try{
+			authenticate();
+		} catch( any e ){
+			return false;
+		}
+
 		return variables.cbSecurity.getAuthService().isLoggedIn();
 	}
 

models/util/RulesLoader.cfc

@@ -63,6 +63,7 @@ component accessors="true" singleton {
 	 */
 	function rulesSourceChecks( required settings ){
 		param arguments.settings.rulesSource = "";
+		param arguments.settings.rules = [];
 
 		// Auto detect rules source
 		if ( isSimpleValue( arguments.settings.rules ) ) {

readme.md

@@ -433,7 +433,7 @@ You will receive the following data in the `interceptData` struct:
 
 ## Security Visualizer
 
-This module also ships with a security visualizer that will document all your security rules and your settings in a nice panel.  In order to activate it you must add the `enableSecurityVisualizer` setting to your config and mark it as `true`.  Once enabled you can navigate to: `/cbsecurity` and you will be presentd with the visualizer.
+This module also ships with a security visualizer that will document all your security rules and your settings in a nice panel.  In order to activate it you must add the `enableSecurityVisualizer` setting to your config and mark it as `true`.  Once enabled you can navigate to: `/cbsecurity` and you will be presented with the visualizer.
 
 > **Important** The visualizer is disabled by default and if it detects an environment of production, it will disable itself.
 

test-harness/.cfconfig.json

@@ -18,20 +18,22 @@
             "allowSelect":true,
             "allowUpdate":true,
             "blob":"false",
-            "class":"com.mysql.jdbc.Driver",
             "clob":"false",
             "connectionTimeout":"1",
             "custom":"useUnicode=true&characterEncoding=UTF-8&useLegacyDatetimeCode=true&useSSL=false",
             "database":"cbsecurity",
             "dbdriver":"MySQL",
             "dsn":"jdbc:mysql://{host}:{port}/{database}",
-            "host":"${DB_HOST}",
             "metaCacheTimeout":"60000",
-            "password":"${DB_PASSWORD}",
             "port":"3306",
             "storage":"false",
+			"validate":"false",
+            "class":"${DB_CLASS}",
+            "host":"${DB_HOST}",
+            "password":"${DB_PASSWORD}",
             "username":"${DB_USERNAME}",
-            "validate":"false"
+			"bundleName": "${DB_BUNDLENAME}",
+			"bundleVersion": "${DB_BUNDLEVERSION}"
         }
 	},
 }

test-harness/.env

@@ -1,3 +1,12 @@
 DB_HOST=localhost
 DB_USERNAME=root
-DB_PASSWORD=mysql
+DB_PASSWORD=mysql
+
+# MySQL 5.7
+#DB_CLASS=com.mysql.jdbc.Driver
+# MySQL 8
+DB_CLASS=com.mysql.cj.jdbc.Driver
+
+# MySQL Lucee Bundle
+DB_BUNDLEVERSION=8.0.19
+DB_BUNDLENAME=com.mysql.cj