Merge branch 'development' into master

Author: lmajano

.travis.yml

@@ -133,7 +133,7 @@ deploy:
     edge: true
     file_glob: true
     file: $TRAVIS_BUILD_DIR/.artifacts/$MODULE_ID/**/*
-    release_notes_file: changelog-latest.md
+    release_notes_file: $TRAVIS_BUILD_DIR/changelog-latest.md
     name: v${TRAVIS_TAG}
     tag_name: v${TRAVIS_TAG}
     overwrite: true

box.json

@@ -1,6 +1,6 @@
 {
     "name":"ColdBox Security",
-    "version":"2.6.0",
+    "version":"2.7.0",
     "location":"https://downloads.ortussolutions.com/ortussolutions/coldbox-modules/cbsecurity/@build.version@/[email protected]@.zip",
     "author":"Ortus Solutions.com <[email protected]>",
     "slug":"cbsecurity",

changelog.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+----
+
+## [2.7.0] => 2020-SEP-14
+
+### Added
+
+* Contributed module rules are now pre-pended instead of appended. (@wpdebruin)
+
+
+### Fixed
+
+* Not loading rules by source file detection due to invalid setting check
+* Don't trigger ColdBox's invalid event looping protection. It also auto-senses between ColdBox 6 and 5 (@homestar9)
+* Fixed token scopes according to JWT spec, it is called `scope` and it is a space separated list. This doesn't change the User interface for it. (@wpdebruin)
+* Update token storages so no token rejection anymore when storage is not enabled. (@wpdebruin)
+
+
 ----
 
 ## [2.6.0] => 2020-JUL-22

interceptors/Security.cfc

@@ -1,4 +1,4 @@
-/**
+/**
  * Copyright since 2016 by Ortus Solutions, Corp
  * www.ortussolutions.com
  * ---
@@ -12,6 +12,7 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	property name="rulesLoader"    inject="rulesLoader@cbSecurity";
 	property name="handlerService" inject="coldbox:handlerService";
 	property name="cbSecurity"		inject="@cbSecurity";
+	property name="invalidEventHandler" inject="coldbox:setting:invalidEventHandler";
 
 	/**
 	 * The reference to the security validator for this interceptor
@@ -27,6 +28,11 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 	 * Configure the security firewall
 	 */
 	function configure(){
+		variables.onInvalidEventHandlerBean = javacast( "null", "" );
+        if ( len( variables.invalidEventHandler ) ) {
+            variables.onInvalidEventHandlerBean = handlerService.getHandlerBean( variables.invalidEventHandler );
+        }
+		
 		// init the security modules dictionary
 		variables.securityModules = {};
 
@@ -45,6 +51,9 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 
 		// Load up the validator
 		registerValidator( getInstance( getProperty( "validator" ) ) );
+
+		// Coldbox version 5 (and lower) needs a little extra invalid event handler checking. 
+		variables.enableInvalidHandlerCheck = ( listGetAt( controller.getColdboxSettings().version, 1, "." ) <= 5 );
 	}
 
 	/**
@@ -96,12 +105,14 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 		// Process Module Rules
 		arguments.settings.rules = variables.rulesLoader.normalizeRules( arguments.settings.rules, module );
 
-		// Append them
-		arrayAppend(
-			getProperty( "rules" ),
-			arguments.settings.rules,
-			true
-		);
+		// prepend them so the don't interfere with MAIN rules
+		// one by one as I don't see a way to prepend the whole array at once
+		for ( var i = arguments.settings.rules.len(); i >= 1; i-- ){
+			arrayPrepend(
+				getProperty( "rules" ),
+				arguments.settings.rules[i]
+			);
+		}
 
 		// Log it
 		log.info( "+ Registered module (#arguments.module#) with cbSecurity" );
@@ -221,7 +232,27 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 		required currentEvent
 	){
 		// Get handler bean for the current event
-		var handlerBean = variables.handlerService.getHandlerBean( arguments.event.getCurrentEvent() );
+        var handlerBean = variables.handlerService.getHandlerBean( arguments.event.getCurrentEvent() );
+		
+		// Are we running Coldbox 5 or older?
+		// is an onInvalidHandlerBean configured?
+		// is the current handlerBean the configured onInvalidEventHandlerBean?
+		if ( 
+            variables.enableInvalidHandlerCheck && 
+            !isNull( variables.onInvalidEventHandlerBean ) && 
+            isInvalidEventHandlerBean( handlerBean ) 
+        ) {
+            // ColdBox tries to detect invalid event handler loops by keeping
+            // track of the last invalid event to fire.  If that invalid event
+            // fires twice, it throws a hard exception to prevent infinite loops.
+            // Unfortunately for us, just attempting to get a handler bean
+            // starts the invalid event handling.  Here, if we got the invalid
+            // event handler bean back, we reset the `_lastInvalidEvent` so
+            // ColdBox can handle the invalid event properly.
+            request._lastInvalidEvent = variables.invalidEventHandler;
+            return;
+        }
+		
 		if ( handlerBean.getHandler() == "" ) {
 			return;
 		}
@@ -702,5 +733,19 @@ component accessors="true" extends="coldbox.system.Interceptor" {
 
 		return len( CGI.REMOTE_ADDR ) ? CGI.REMOTE_ADDR : "127.0.0.1";
 	}
+	
+	/**
+	 * Returns true of the passed handlerBean matches Coldbox's configured invalid event handler.
+	 *
+	 * @handlerBean the current handler bean to check against
+	 */
+	private boolean function isInvalidEventHandlerBean( required handlerBean ) {
+        return (
+            variables.onInvalidEventHandlerBean.getInvocationPath() == arguments.handlerBean.getInvocationPath() &&
+            variables.onInvalidEventHandlerBean.getHandler() == arguments.handlerBean.getHandler() &&
+            variables.onInvalidEventHandlerBean.getMethod() == arguments.handlerBean.getMethod() &&
+            variables.onInvalidEventHandlerBean.getModule() == arguments.handlerBean.getModule()
+        );
+    }
 
 }

models/jwt/JwtService.cfc

@@ -39,7 +39,7 @@ component accessors="true" singleton {
 		"iat",
 		"sub",
 		"exp",
-		"scopes"
+		"scope"
 	];
 
 	// Default JWT Settings
@@ -189,7 +189,7 @@ component accessors="true" singleton {
 			// The unique identifier of the token
 			"jti"    : hash( timestamp & arguments.user.getId() ),
 			// Get the user scopes for the JWT token
-			"scopes" : arguments.user.getJwtScopes()
+			"scope" : arguments.user.getJwtScopes().toList(" ")
 		};
 
 		// Append user custom claims with override, they take prescedence
@@ -712,7 +712,7 @@ component accessors="true" singleton {
 			if ( listLen( arguments.permissions ) ) {
 				// Check if the user has the right permissions?
 				results.allow = (
-					tokenHasScopes( arguments.permissions, payload.scopes )
+					tokenHasScopes( arguments.permissions, payload.scope )
 					||
 					variables.cbSecurity
 						.getAuthService()
@@ -731,6 +731,8 @@ component accessors="true" singleton {
 
 	/**
 	 * Verify if the jwt token has the appropriate scopes
+	 * @permission
+	 * @scopes a space delimited string of scopes
 	 */
 	private function tokenHasScopes( required permission, required scopes ){
 		if ( isSimpleValue( arguments.permission ) ) {
@@ -739,7 +741,7 @@ component accessors="true" singleton {
 
 		return arguments.permission
 			.filter( function( item ){
-				return ( scopes.findNoCase( item ) );
+				return ( scopes.listfindNoCase( item, " " ) );
 			} )
 			.len();
 	}

models/util/RulesLoader.cfc

@@ -77,11 +77,11 @@ component accessors="true" singleton {
 					break;
 				}
 				default: {
-					arguments.settings.rulesFile = arguments.settings.rulesSource;
-					if ( findNoCase( "json", arguments.settings.rulesSource ) ) {
+					arguments.settings.rulesFile = arguments.settings.rules;
+					if ( findNoCase( "json", arguments.settings.rulesFile ) ) {
 						arguments.settings.rulesSource = "json";
 					}
-					if ( findNoCase( "xml", arguments.settings.rulesSource ) ) {
+					if ( findNoCase( "xml", arguments.settings.rulesFile ) ) {
 						arguments.settings.rulesSource = "xml";
 					}
 				}

test-harness/modules_app/mod1/ModuleConfig.cfc

@@ -34,8 +34,8 @@ component {
 				"invalidAuthorizationEvent"  : "mod1:secure.auth",
 				// You can define your security rules here or externally via a source
 				"rules"                      : [
-					{ "secureList" : "mod1:home" },
-					{ "secureList" : "mod1/modOverride", "match" : "url", "action" : "override" }
+					{ "secureList" : "mod1/modOverride", "match" : "url", "action" : "override" },
+					{ "secureList" : "mod1:home" }
 				]
 			}
 		};

test-harness/tests/specs/integration/JWTSpec.cfc

@@ -156,7 +156,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 			// The unique identifier of the token
 			"jti"    : hash( timestamp & userId ),
 			// Get the user scopes for the JWT token
-			"scopes" : [],
+			"scope" : [],
 			"role"   : "admin"
 		};
 

test-harness/tests/specs/unit/SecurityTest.cfc

@@ -13,8 +13,14 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 				// setup properties
 				setup();
 				variables.wirebox = new coldbox.system.ioc.Injector();
-				mockController.$( "getAppHash", hash( "appHash" ) ).$( "getAppRootPath", expandPath( "/root" ) );
-				security = interceptor;
+                mockController
+                    .$( "getAppHash", hash( "appHash" ) )
+                    .$( "getAppRootPath", expandPath( "/root" ) )
+                    .$( "getColdboxSettings", {
+                        "version": "6.0.0"
+                    }, false  );
+                security = interceptor;
+                security.setInvalidEventHandler( '' );
 				settings = {
 					// The global invalid authentication event or URI or URL to go if an invalid authentication occurs
 					"invalidAuthenticationEvent"  : "",
@@ -131,7 +137,32 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 				expect( function(){
 					security.configure();
 				} ).toThrow( "Security.ValidatorMethodException" );
-			} );
+            } );
+
+            it( "does not enable invalid event handler processing on Coldbox versions 6+", function() {
+                security.setProperties( settings );
+				security
+					.$( "getInstance" )
+					.$args( settings.validator )
+					.$results( wirebox.getInstance( settings.validator ) );
+				security.configure();
+				expect( security.$getProperty( "enableInvalidHandlerCheck" ) ).toBeFalse();
+            } );
+            
+            it( "enables invalid event handler processing on Coldbox versions prior to 6", function() {
+                
+                mockController.$( "getColdboxSettings", {
+                    "version": "5.0.0"
+                }, false  );
+                
+                security.setProperties( settings );
+				security
+					.$( "getInstance" )
+					.$args( settings.validator )
+					.$results( wirebox.getInstance( settings.validator ) );
+				security.configure();
+				expect( security.$getProperty( "enableInvalidHandlerCheck" ) ).toBeTrue();
+            } );   
 
 			describe( "It can load many types of rules", function(){
 				beforeEach( function(currentSpec){
@@ -173,7 +204,8 @@ component extends="coldbox.system.testing.BaseInterceptorTest" interceptor="cbse
 
 					expect( security.getProperty( "rules", [] ) ).toHaveLength( 1 );
 				} );
-			} );
+            } );
+            
 		} );
 	}