* New authorization and authentication delegates for usage in cb7

Author: lmajano

changelog.md

@@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+* New authorization and authentication delegates for usage in cb7
 * New ability for the firewall to log all action events to a database table.
 * New visualizer that can visualize all settings and all firewall events via the log table if enabled.
 * New Basic Auth validator and basic auth user credentials storage system. This will allow you to secure your apps where no database interaction is needed or required.

models/auth/User.cfc

@@ -1,12 +1,20 @@
 /**
  * This is a basic user object that can be used with CBSecurity.
  *
- * It implements the following interfaces
+ * It implements the following interfaces via it's delegates
  * - cbsecurity.interfaces.jwt.IJwtSubject
  * - cbsecurity.interfaces.IAuthUser
  */
-component accessors="true" {
+component
+	accessors="true"
+	delegates="Auth@cbSecurity,
+			Authorizable@cbSecurity,
+			JwtSubject@cbSecurity"
+{
 
+	/**
+	 * Properties
+	 */
 	property name="id";
 	property name="firstName";
 	property name="lastName";
@@ -21,18 +29,16 @@ component accessors="true" {
 	 */
 	this.constraints = {
 		firstName : { required : true, size : "1..255" },
-		lastName : { required : true, size : "1..255" },
-		username : { required : true, size : "1..255" },
-		password : { required : true, size : "1..255" }
+		lastName  : { required : true, size : "1..255" },
+		username  : { required : true, size : "1..255" },
+		password  : { required : true, size : "1..255" }
 	};
 
 	/**
 	 * Validation profiles
 	 * https://coldbox-validation.ortusbooks.com/overview/validating-constraints/validating-with-profiles
 	 */
-	this.constraintProfiles = {
-		"update" : "firstName,lastName,username"
-	};
+	this.constraintProfiles = { "update" : "firstName,lastName,username" };
 
 	/**
 	 * Mementifier serialization
@@ -48,21 +54,20 @@ component accessors="true" {
 			"roles"
 		],
 		// Default Exclusions
-		defaultExcludes : [
-		],
+		defaultExcludes : [],
 		// Never Include
-		neverInclude : [ "password" ]
+		neverInclude    : [ "password" ]
 	};
 
 	/**
 	 * Constructor
 	 */
 	function init(){
-		variables.id        = "";
-		variables.firstName = "";
-		variables.lastName  = "";
-		variables.username  = "";
-		variables.password  = "";
+		variables.id          = "";
+		variables.firstName   = "";
+		variables.lastName    = "";
+		variables.username    = "";
+		variables.password    = "";
 		variables.permissions = [];
 		variables.roles       = [];
 
@@ -102,52 +107,4 @@ component accessors="true" {
 		return ( !isNull( variables.id ) && len( variables.id ) );
 	}
 
-	/**
-	 * A struct of custom claims to add to the JWT token
-	 */
-	struct function getJWTCustomClaims( required struct payload ){
-		return { "role" : variables.roles.toList() };
-	}
-
-	/**
-	 * This function returns an array of all the scopes that should be attached to the JWT token that will be used for authorization.
-	 */
-	array function getJWTScopes(){
-		return variables.permissions;
-	}
-
-	/**
-	 * Verify if the user has one or more of the passed in permissions
-	 *
-	 * @permission One or a list of permissions to check for access
-	 */
-	boolean function hasPermission( required permission ){
-		if ( isSimpleValue( arguments.permission ) ) {
-			arguments.permission = listToArray( arguments.permission );
-		}
-
-		return arguments.permission
-			.filter( function( item ){
-				return ( variables.permissions.findNoCase( item ) );
-			} )
-			.len();
-	}
-
-	/**
-	 * Verify if the user has one or more of the passed in roles
-	 *
-	 * @role One or a list of roles to check for access
-	 */
-	boolean function hasRole( required role ){
-		if ( isSimpleValue( arguments.role ) ) {
-			arguments.role = listToArray( arguments.role );
-		}
-
-		return arguments.role
-			.filter( function( item ){
-				return ( variables.roles.findNoCase( item ) );
-			} )
-			.len();
-	}
-
 }

models/delegates/Auth.cfc

@@ -14,15 +14,15 @@ component singleton accessors="true" {
 	/**
 	 * Retrieve the Jwt Auth Service
 	 */
-	function jwtAuth() {
-        return variables.jwtService;
+	function jwtAuth(){
+		return variables.jwtService;
 	}
 
 	/**
 	 * Retrieve the CBSecurity Service Object
 	 */
-	function cbSecure() {
-        return variables.cbsecurity;
+	function cbSecure(){
+		return variables.cbsecurity;
 	}
 
 	/**

models/delegates/Authorizable.cfc

@@ -0,0 +1,112 @@
+/**
+ * Copyright since 2016 by Ortus Solutions, Corp
+ * www.ortussolutions.com
+ * ---
+ * This delegate allows for objects to verify permissions and roles on the $parent
+ * This delegate expects the following functions to be exposed in the $parent
+ * - getPermissions()
+ * - getRoles()
+ * - getId()
+ */
+component {
+
+	// DI
+	property name="cbSecurity" inject="cbSecurity@cbSecurity";
+
+	/***************************************************************/
+	/* IAuthUser Methods
+	/***************************************************************/
+
+	/**
+	 * Verify if the parent has one or more of the passed in permissions
+	 *
+	 * @permission One or a list of permissions to check for access
+	 */
+	boolean function hasPermission( required permission ){
+		return arrayWrap( arguments.permission )
+			.filter( function( item ){
+				return ( $parent.getPermissions().findNoCase( item ) );
+			} )
+			.len();
+	}
+
+	/**
+	 * Verify if the parent has one or more of the passed in roles
+	 *
+	 * @role One or a list of roles to check for access
+	 */
+	boolean function hasRole( required role ){
+		return arrayWrap( arguments.role )
+			.filter( function( item ){
+				return ( $parent.getRoles().findNoCase( item ) );
+			} )
+			.len();
+	}
+
+	/**
+	 * Verify if the current user is logged in or not.
+	 */
+	function isLoggedIn(){
+		return variables.cbSecurity.isLoggedIn();
+	}
+
+	/***************************************************************/
+	/* Verification Methods
+	/***************************************************************/
+
+	/**
+	 * Verify that ALL the permissions passed must exist within the authenticated user
+	 *
+	 * @permissions One, a list or an array of permissions
+	 *
+	 * @throws NoUserLoggedIn
+	 */
+	boolean function hasAll( required permissions ){
+		var aPerms = arrayWrap( arguments.permissions );
+
+		return aPerms
+			.filter( function( item ){
+				return $parent.hasPermission( arguments.item );
+			} )
+			.len() == aPerms.len();
+	}
+
+	/**
+	 * Verify that NONE of the permissions passed must exist within the authenticated user
+	 *
+	 * @permissions One, a list or an array of permissions
+	 *
+	 * @throws NoUserLoggedIn
+	 */
+	boolean function hasNone( required permissions ){
+		return arrayWrap( arguments.permissions )
+			.filter( function( item ){
+				return $parent.hasPermission( arguments.item );
+			} )
+			.len() == 0;
+	}
+
+	/**
+	 * Verify that the passed in user object must be the same as the authenticated user
+	 * Equality is done by evaluating the `getid()` method on both objects.
+	 *
+	 * @user The user to test for equality
+	 *
+	 * @throws NoUserLoggedIn
+	 */
+	boolean function sameUser( required user ){
+		return ( arguments.user.getId() == $parent.getId() );
+	}
+
+	/**
+	 * convert one or a list of permissions to an array, if it's an array we don't touch it
+	 *
+	 * @items One, a list or an array
+	 *
+	 * @return An array
+	 */
+	private array function arrayWrap( required items ){
+		return isArray( arguments.items ) ? arguments.items : listToArray( arguments.items );
+	}
+
+}

models/delegates/JwtSubject.cfc

@@ -0,0 +1,28 @@
+/**
+ * Copyright since 2016 by Ortus Solutions, Corp
+ * www.ortussolutions.com
+ * ---
+ * This delegate allows for objects to get JWT custom claims and Custom Scopes
+ * This delegate expects the following functions to be exposed in the $parent
+ * - getPermissions()
+ * - getRoles()
+ */
+component {
+
+	/**
+	 * A struct of custom claims to add to the JWT token
+	 * By default we add the $parent's roles
+	 */
+	struct function getJWTCustomClaims( required struct payload ){
+		return { "role" : $parent.getRoles().toList() };
+	}
+
+	/**
+	 * This function returns an array of all the scopes that should be attached to the JWT token that will be used for authorization.
+	 * By default we add the $parent's permissions
+	 */
+	array function getJWTScopes(){
+		return $parent.getPermissions();
+	}
+
+}

readme.md

@@ -38,6 +38,7 @@ Apache License, Version 2.0.
 
 - Lucee 5+
 - ColdFusion 2018+
+- ColdBox 7+ for delegates and basic auth
 
 ## Installation