tons of features in progress for v2.3

- cbSecurity Model
- cbsecure() mixin
- secure( permissions, [message] )
- secureAll( permissions, [message] )
- secureNone( permissions, [message] )
- secureWhen( context, [message] )
- guard() => secure()
- has( permissions ):boolean
- all( permissions ):boolean
- none( permissions ):boolean
- sameUser( user ):boolean

Author: lmajano

helpers/mixins.cfm

@@ -1,5 +1,16 @@
 <cfscript>
+	/**
+	 * Retrieve the JwtService
+	 */
 	function jwtAuth() {
         return wirebox.getInstance( "JwtService@cbSecurity" );
-    }
+	}
+
+	/**
+	 * Retrieve the CBSecurity Service Object
+	 */
+	function cbSecure() {
+        return wirebox.getInstance( "CBSecurity@cbSecurity" );
+	}
+
 </cfscript>

models/CBSecurity.cfc

@@ -0,0 +1,351 @@
+/**
+ * Copyright since 2016 by Ortus Solutions, Corp
+ * www.ortussolutions.com
+ * ---
+ * This service is in charge of offering security capabilties to your ColdBox applications
+ *
+ * It can be injected by using the `@cbSecurity` annotation
+ *
+ * <pre>
+ * property name="cbSecurity" inject="@cbsecurity";
+ * </pre>
+ *
+ * Or you can use the `cbSecure()` mixin
+ *
+ * <pre>
+ * cbsecure().secure();
+ * </pre>
+ */
+component singleton accessors="true" {
+
+	/*********************************************************************************************/
+	/** DI **/
+	/*********************************************************************************************/
+
+	property name="settings" 		inject="coldbox:moduleSettings:cbsecurity";
+	property name="log"             inject="logbox:logger:{this}";
+	property name="wirebox"			inject="wirebox";
+
+
+	/*********************************************************************************************/
+	/** PROPERTIES **/
+	/*********************************************************************************************/
+
+	/**
+	 * The auth service in use according to the configuration file
+	 */
+	property name="authService";
+
+	/**
+	 * The user service in use according to the configuration file
+	 */
+	property name="userService";
+
+	/*********************************************************************************************/
+	/** Static Vars **/
+	/*********************************************************************************************/
+
+	variables.DEFAULT_ERROR_MESSAGE = "Not authorized!";
+
+	/**
+	 * Constructor
+	 */
+	function init(){
+		return this;
+	}
+
+	/**
+	 * Get the user service object defined accordingly in the settings
+	 *
+	 * @throws IncompleteConfiguration
+	 *
+	 * @return cbsecurity.interfaces.IUserService
+	 */
+	any function getUserService(){
+		// If loaded, use it!
+		if ( !isNull( variables.userService ) ) {
+			return variables.userService;
+		}
+
+		// Check and Load Baby!
+		if ( !len( variables.settings.userService ) ) {
+			throw(
+				message = "No [userService] provided in the settings.  Please set it in the `config/ColdBox.cfc` under `moduleSettings.cbsecurity.userService`.",
+				type    = "IncompleteConfiguration"
+			);
+		}
+
+		return variables.userService = variables.wirebox.getInstance( variables.settings.userService );
+	}
+
+	/**
+	 * Get the authentication service defined accordingly in the settings
+	 *
+	 * @throws IncompleteConfiguration
+	 *
+	 * @return cbsecurity.interfaces.IAuthService
+	 */
+	any function getAuthService(){
+		// If loaded, use it!
+		if ( !isNull( variables.authService ) ) {
+			return variables.authService;
+		}
+
+		// Check and Load Baby!
+		if ( !len( variables.settings.authenticationService ) ) {
+			throw(
+				message = "No [authService] provided in the settings.  Please set in `config/ColdBox.cfc` under `moduleSettings.cbsecurity.authenticationService`.",
+				type    = "IncompleteConfiguration"
+			);
+		}
+
+		return variables.authService = variables.wirebox.getInstance( variables.settings.authenticationService );
+	}
+
+	/***************************************************************/
+	/* Verification Methods
+	/***************************************************************/
+
+	/**
+	 * Verify if the incoming permissions exist in the currently authenticated user.
+	 * All permissions are Or'ed together
+	 *
+	 * @throws NoUserLoggedIn
+	 *
+	 * @permissions One, a list or an array of permissions
+	 */
+	boolean function has( required permissions ){
+		var oUser = getAuthService().getUser();
+
+		return arrayWrap( arguments.permissions )
+			.filter( function( item ){
+				return oUser.hasPermission( arguments.item );
+			} ).len() > 0;
+	}
+
+	/**
+	 * Verify that ALL the permissions passed must exist within the authenticated user
+	 *
+	 * @throws NoUserLoggedIn
+	 *
+	 * @permissions One, a list or an array of permissions
+	 */
+	boolean function all( required permissions ){
+		var oUser 	= getAuthService().getUser();
+		var aPerms 	= arrayWrap( arguments.permissions );
+
+		return aPerms
+			.filter( function( item ){
+				return oUser.hasPermission( arguments.item );
+			} ).len() == aPerms.len();
+	}
+
+	/**
+	 * Verify that NONE of the permissions passed must exist within the authenticated user
+	 *
+	 * @throws NoUserLoggedIn
+	 *
+	 * @permissions One, a list or an array of permissions
+	 */
+	boolean function none( required permissions ){
+		var oUser = getAuthService().getUser();
+
+		return arrayWrap( arguments.permissions )
+			.filter( function( item ){
+				return oUser.hasPermission( arguments.item );
+			} ).len() == 0;
+	}
+
+	/**
+	 * Verify that the passed in user object must be the same as the authenticated user
+	 * Equality is done by evaluating the `getid()` method on both objects.
+	 *
+	 * @throws NoUserLoggedIn
+	 *
+	 * @user The user to test for equality
+	 */
+	boolean function sameUser( required user ){
+		return ( arguments.user.getId() == getAuthService().getUser().getId() );
+	}
+
+	/***************************************************************/
+	/* Blocking Methods
+	/***************************************************************/
+
+	/**
+	 * Verifies if the currently logged in user has any of the passed permissions.
+	 *
+	 * @throws NotAuthorized
+	 *
+	 * @permissions One, a list or an array of permissions
+	 * @message The error message to throw in the exception
+	 *
+	 * @returns CBSecurity
+	 */
+	CBSecurity function secure( required permissions, message=variables.DEFAULT_ERROR_MESSAGE ){
+		if( !has( arguments.permissions ) ){
+			throw( type = "NotAuthorized", message=arguments.message );
+		}
+		return this;
+	}
+
+	/**
+	 * Verifies if the currently logged in user has ALL of the passed permissions.
+	 *
+	 * @throws NotAuthorized
+	 *
+	 * @permissions One, a list or an array of permissions
+	 * @message The error message to throw in the exception
+	 *
+	 * @returns CBSecurity
+	 */
+	CBSecurity function secureAll( required permissions, message=variables.DEFAULT_ERROR_MESSAGE ){
+		if( !all( arguments.permissions ) ){
+			throw( type = "NotAuthorized", message=arguments.message );
+		}
+		return this;
+	}
+
+	/**
+	 * Verifies if the currently logged in user has NONE of the passed permissions.
+	 *
+	 * @throws NotAuthorized
+	 *
+	 * @permissions One, a list or an array of permissions
+	 * @message The error message to throw in the exception
+	 *
+	 * @returns CBSecurity
+	 */
+	CBSecurity function secureNone( required permissions, message=variables.DEFAULT_ERROR_MESSAGE ){
+		if( !none( arguments.permissions ) ){
+			throw( type = "NotAuthorized", message=arguments.message );
+		}
+		return this;
+	}
+
+	/**
+	 * Verifies the passed in context closure/lambda/udf to a boolean expression.
+	 * If the context is true, then the exception is thrown. The context must be false in order to pass.
+	 *
+	 * The context udf/closure/lambda must adhere to the following signature
+	 *
+	 * <pre>
+	 * function( user ){}
+	 * ( user ) => {}
+	 * </pre>
+	 *
+	 * It receives the currently logged in user
+	 *
+	 * @throws NotAuthorized
+	 *
+	 * @context A closure/lambda/udf that returns boolean, or a boolean expression
+	 * @message The error message to throw in the exception
+	 *
+	 * @returns CBSecurity
+	 */
+	CBSecurity function secureWhen( required context, message=variables.DEFAULT_ERROR_MESSAGE ){
+		var results = arguments.context;
+		// Check if udf/lambda
+		if( isCustomFunction( arguments.context ) || isClosure( arguments.context ) ){
+			results = arguments.context( getAuthService().getUser() );
+		}
+		if( results ){
+			throw( type = "NotAuthorized", message = arguments.message );
+		}
+		return this;
+	}
+
+	/**
+	 * Alias proxy if somebody is coming from cbguard, proxies to the secure() method
+	 */
+	function guard(){
+		return secure( argumentCollection=arguments );
+	}
+
+	/***************************************************************/
+	/* Action Context Methods
+	/***************************************************************/
+
+	/**
+	 * This method will verify that any permissions must exist in the currently logged in user.
+	 *
+	 * - If the result is true, then it will execute the success closure/lambda or udf.
+	 * - If the restul is false, then it will execute the fail closure/lambda or udf
+	 *
+	 * The success or fail closures/lambdas/udfs must match the following signature
+	 *
+	 * <pre>
+	 * function( user, permissions ){}
+	 * ( user, permissions ) => {}
+	 * </pre>
+	 *
+	 * They receive the currently logged in user and the permissions that where evaluated
+	 *
+	 * @permissions One, a list or an array of permissions
+	 * @success The closure/lambda/udf that executes if the context passes
+	 * @fail The closure/lambda/udf that executes if the context fails
+	 */
+	function when( required permissions, required success, fail ){
+
+	}
+
+	/**
+	 * This method will verify that ALL permissions must exist in the currently logged in user.
+	 *
+	 * - If the result is true, then it will execute the success closure/lambda or udf.
+	 * - If the restul is false, then it will execute the fail closure/lambda or udf
+	 *
+	 * The success or fail closures/lambdas/udfs must match the following signature
+	 *
+	 * <pre>
+	 * function( user, permissions ){}
+	 * ( user, permissions ) => {}
+	 * </pre>
+	 *
+	 * They receive the currently logged in user and the permissions that where evaluated
+	 *
+	 * @permissions One, a list or an array of permissions
+	 * @success The closure/lambda/udf that executes if the context passes
+	 * @fail The closure/lambda/udf that executes if the context fails
+	 */
+	function whenAll( required permissions, required success, fail ){
+
+	}
+
+	/**
+	 * This method will verify that NONE of the permissions must exist in the currently logged in user.
+	 *
+	 * - If the result is true, then it will execute the success closure/lambda or udf.
+	 * - If the restul is false, then it will execute the fail closure/lambda or udf
+	 *
+	 * The success or fail closures/lambdas/udfs must match the following signature
+	 *
+	 * <pre>
+	 * function( user, permissions ){}
+	 * ( user, permissions ) => {}
+	 * </pre>
+	 *
+	 * They receive the currently logged in user and the permissions that where evaluated
+	 *
+	 * @permissions One, a list or an array of permissions
+	 * @success The closure/lambda/udf that executes if the context passes
+	 * @fail The closure/lambda/udf that executes if the context fails
+	 */
+	function whenNone( required permissions, required success, fail ){
+
+	}
+
+	/***************************************************************/
+	/* Private Methods
+	/***************************************************************/
+
+	/**
+	 * convert one or a list of permissions to an array, if it's an array we don't touch it
+	 *
+	 * @items One, a list or an array
+	 */
+	private function arrayWrap( required items ){
+		return isArray( arguments.items ) ? items : items.listToArray();
+	}
+
+}

models/jwt/JwtService.cfc

@@ -51,7 +51,7 @@ component accessors="true" singleton {
 		"scopes"
 	];
 
-	// Default Settings
+	// Default JWT Settings
 	variables.DEFAULT_SETTINGS = {
 		// The jwt token issuer claim -> iss
 		"issuer"              : "",

models/CBAuthValidator.cfc renamed to models/validators/CBAuthValidator.cfc

@@ -28,8 +28,13 @@ component {
 	}
 
 
-	// Run on first init
-	any function onAppInit( event, rc, prc ){
+	/**
+	* cbSecureMixin
+	*/
+	function cbSecureMixin( event, rc, prc ){
+		cbsecure().getAuthService();
+		cbSecure().getUserService();
+		return cbsecure().getSettings();
 	}
 
-}
+}