Move permission determination algorithm to Node

Re ECFLOW-1960

Author: marcosbento

libs/CMakeLists.txt

@@ -57,7 +57,6 @@ set(srcs
   # Base -- Headers
   base/src/ecflow/base/AbstractClientEnv.hpp
   base/src/ecflow/base/AbstractServer.hpp
-  base/src/ecflow/base/Algorithms.hpp
   base/src/ecflow/base/Authentication.hpp
   base/src/ecflow/base/AuthenticationDetails.hpp
   base/src/ecflow/base/Authorisation.hpp
@@ -360,6 +359,7 @@ set(srcs
   node/src/ecflow/node/Node.hpp
   node/src/ecflow/node/NodeContainer.hpp
   node/src/ecflow/node/NodeFwd.hpp
+  node/src/ecflow/node/NodePathAlgorithms.hpp
   node/src/ecflow/node/NodeState.hpp
   node/src/ecflow/node/NodeStats.hpp
   node/src/ecflow/node/NodeTreeVisitor.hpp

libs/base/CMakeLists.txt

@@ -23,7 +23,6 @@ set(test_srcs
   test/TestInLimitAndLimit.cpp
   test/TestLogCmd.cpp
   test/TestMeterCmd.cpp
-  test/TestPermissions.cpp
   test/TestProgramOptions.cpp
   test/TestQueryCmd.cpp
   test/TestQueueCmd.cpp
@@ -59,30 +58,6 @@ target_clangformat(u_base
   CONDITION ENABLE_TESTS
 )
 
-set(test_srcs
-  # Sources
-  test/TestAlgorithms.cpp
-)
-
-ecbuild_add_test(
-  TARGET
-    u_base_algorithms
-  LABELS
-    unit nightly
-  SOURCES
-    ${test_srcs}
-  LIBS
-    ecflow_all
-    test_scaffold
-    test_harness.base
-    Threads::Threads
-    $<$<BOOL:${OPENSSL_FOUND}>:OpenSSL::SSL>
-)
-target_clangformat(u_base_algorithms
-  CONDITION ENABLE_TESTS
-)
-
-
 # The following is not technically a test (as it makes no checks),
 # but a tool to measure the time it takes to generate a job file
 if (ENABLE_ALL_TESTS)

libs/node/CMakeLists.txt

@@ -38,9 +38,11 @@ set(test_srcs
   test/TestMissNextTimeSlot.cpp
   test/TestMovePeer.cpp
   test/TestNodeBeginRequeue.cpp
+  test/TestNodePathAlgorithms.cpp
   test/TestNodeState.cpp
   test/TestNode_main.cpp # test entry point
   test/TestOrder.cpp
+  test/TestPermissions.cpp
   test/TestPersistence.cpp
   test/TestPreProcessing.cpp
   test/TestRepeatWithTimeDependencies.cpp

libs/base/src/ecflow/base/Algorithms.hpp renamed to libs/node/src/ecflow/node/NodePathAlgorithms.hpp

@@ -8,15 +8,14 @@
  * nor does it submit to any jurisdiction.
  */
 
-#ifndef ecflow_base_Algorithms_hpp
-#define ecflow_base_Algorithms_hpp
+#ifndef ecflow_node_NodePathAlgorithms_hpp
+#define ecflow_node_NodePathAlgorithms_hpp
 
 #include <string>
 
 #include <boost/algorithm/string.hpp>
 #include <boost/tokenizer.hpp>
 
-#include "ecflow/base/AbstractServer.hpp"
 #include "ecflow/core/Result.hpp"
 #include "ecflow/node/Defs.hpp"
 
@@ -25,7 +24,7 @@ namespace ecf {
 ///
 /// Represents a path in the server's hierarchy
 ///
-/// A path object is always represents a valid path (even if it does not exist).
+/// A path object always represents a valid path (even if it does not exist).
 ///
 /// A path with 0 tokens represents the root of the hierarchy (represented by a slash, "/").
 /// A path with N tokens represents a path from the root to a node.
@@ -104,9 +103,8 @@ void visit(const Defs& defs, const Path& path, PREDICATE& predicate) {
 
         predicate.handle(*current);
     }
-
 }
 
 } // namespace ecf
 
-#endif // ecflow_base_Algorithms_hpp
+#endif // ecflow_node_NodePathAlgorithms_hpp

libs/node/src/ecflow/node/permissions/ActivePermissions.cpp

@@ -10,6 +10,10 @@
 
 #include "ecflow/node/permissions/ActivePermissions.hpp"
 
+#include "ecflow/core/Overload.hpp"
+#include "ecflow/node/Defs.hpp"
+#include "ecflow/node/NodePathAlgorithms.hpp"
+
 namespace ecf {
 
 void ActivePermissions::bootstrap(const Permissions& p) {
@@ -28,4 +32,58 @@ void ActivePermissions::combine_override(const Permissions& p) {
     }
 }
 
+ActivePermissions
+permissions_at(const Defs& defs, const std::string& path, const std::variant<Unrestricted, Rules>& permissions) {
+    ActivePermissions active;
+
+    std::visit(overload{[&active](const Unrestricted&) {
+                            // when no rules are loaded, we allow everything...
+                            // Dangerous, but backward compatible!
+                            active = ActivePermissions::make_empty();
+                        },
+                        [&defs, &active, &path](const Rules& rules) {
+                            struct Visitor
+                            {
+                                Visitor(ActivePermissions& collected) : collected_{collected} {}
+
+                                void handle(const Defs& defs) {
+                                    auto p = defs.server_state().permissions();
+
+                                    // At server level, we only care about the server permissions
+                                    collected_.bootstrap(p);
+                                }
+                                void handle(const Node& n) {
+                                    auto p = n.permissions();
+
+                                    if (auto s = dynamic_cast<const Suite*>(&n); s) {
+                                        // At node level, if the node is a Suite we bootstrap the node permissions
+                                        collected_.combine_supersede(p);
+                                    }
+                                    else {
+                                        // ... otherwise, we combine the node permissions
+                                        //  -- in practice, this combination only restricts node permissions;
+                                        //     for example, a user can't be allowed to read/write/execute a
+                                        //     specific node if he can't do it at a higher node level
+                                        collected_.combine_override(p);
+                                    }
+                                }
+
+                                void not_found() { /* do nothing */ }
+
+                            private:
+                                ActivePermissions& collected_;
+                            };
+
+                            auto p = Path::make(path).value();
+                            auto v = Visitor{active};
+
+                            ecf::visit(defs, p, v);
+                        }
+
+               },
+               permissions);
+
+    return active;
+}
+
 } // namespace ecf

libs/node/src/ecflow/node/permissions/ActivePermissions.hpp

@@ -8,17 +8,20 @@
  * nor does it submit to any jurisdiction.
  */
 
-#ifndef ecflow_node_Permissions_HPP
-#define ecflow_node_Permissions_HPP
+#ifndef ecflow_node_permissions_ActivePermissions_HPP
+#define ecflow_node_permissions_ActivePermissions_HPP
 
 #include <algorithm>
 #include <iostream>
 #include <set>
 #include <string>
+#include <variant>
 #include <vector>
 
 #include "ecflow/node/permissions/Permissions.hpp"
 
+class Defs;
+
 namespace ecf {
 
 /**
@@ -84,6 +87,23 @@ class ActivePermissions {
     Permissions permissions_ = Permissions::make_empty();
 };
 
+/**
+ * \brief This is a Tag type used to indicate that the permissions follow the nominal rules.
+ */
+struct Rules
+{
+};
+
+/**
+ * \brief This is a Tag type used to indicate that the permissions are unrestricted.
+ */
+struct Unrestricted
+{
+};
+
+ActivePermissions
+permissions_at(const Defs& defs, const std::string& path, const std::variant<Unrestricted, Rules>& permissions);
+
 } // namespace ecf
 
-#endif /* ecflow_node_Permissions_HPP */
+#endif /* ecflow_node_permissions_ActivePermissions_HPP */

libs/base/test/TestAlgorithms.cpp renamed to libs/node/test/TestNodePathAlgorithms.cpp

@@ -8,16 +8,13 @@
  * nor does it submit to any jurisdiction.
  */
 
-#define BOOST_TEST_MODULE Test_Base
-#include <boost/test/included/unit_test.hpp>
+#include <boost/test/unit_test.hpp>
 
-#include "MockServer.hpp"
-#include "ecflow/base/Algorithms.hpp"
 #include "ecflow/node/Family.hpp"
-#include "ecflow/server/BaseServer.hpp"
+#include "ecflow/node/NodePathAlgorithms.hpp"
 #include "ecflow/test/scaffold/Naming.hpp"
 
-BOOST_AUTO_TEST_SUITE(U_Base)
+BOOST_AUTO_TEST_SUITE(U_Node)
 
 BOOST_AUTO_TEST_SUITE(T_Path)
 

libs/base/test/TestPermissions.cpp renamed to libs/node/test/TestPermissions.cpp

@@ -8,17 +8,19 @@
  * nor does it submit to any jurisdiction.
  */
 
+#include <string>
+#include <vector>
+
 #include <boost/test/unit_test.hpp>
 
+#include "ecflow/core/Filesystem.hpp"
 #include "ecflow/node/Defs.hpp"
 #include "ecflow/node/Family.hpp"
 #include "ecflow/node/Suite.hpp"
-#include "ecflow/server/AuthorisationService.hpp"
 #include "ecflow/test/scaffold/Naming.hpp"
 #include "ecflow/test/scaffold/Provisioning.hpp"
-#include "harness/MockServer.hpp"
 
-BOOST_AUTO_TEST_SUITE(U_Base)
+BOOST_AUTO_TEST_SUITE(U_Node)
 
 BOOST_AUTO_TEST_SUITE(T_Permissions)
 
@@ -69,7 +71,6 @@ BOOST_AUTO_TEST_CASE(can_do_permissions) {
     f->addVariable(Variable("PERMISSIONS", "u2:rx,u3:rw"));
     auto t = f->add_task("t1");
 
-    MockServer server(&d);
     d.server_state().add_or_update_server_variable("PERMISSIONS", "a:rwxos");
 
     AuthorisationService service = AuthorisationService::load_permissions_from_nodes().value();

libs/server/src/ecflow/server/AuthorisationService.cpp

@@ -11,20 +11,12 @@
 #include "ecflow/server/AuthorisationService.hpp"
 
 #include "ecflow/base/AbstractServer.hpp"
-#include "ecflow/base/Algorithms.hpp"
 #include "ecflow/core/Overload.hpp"
 #include "ecflow/node/Defs.hpp"
+#include "ecflow/node/permissions/ActivePermissions.hpp"
 
 namespace ecf {
 
-struct Rules
-{
-};
-
-struct Unrestricted
-{
-};
-
 struct AuthorisationService::Impl
 {
     Impl() : permissions_(Unrestricted{}) {}
@@ -56,57 +48,7 @@ bool AuthorisationService::good() const {
 
 ActivePermissions AuthorisationService::permissions_at(const Defs& defs, const path_t& path) const {
     assert(good()); // It is up to the caller to check has been properly configured
-
-    ActivePermissions active;
-
-    std::visit(overload{[&active](const Unrestricted&) {
-                            // when no rules are loaded, we allow everything...
-                            // Dangerous, but backward compatible!
-                            active = ActivePermissions::make_empty();
-                        },
-                        [&defs, &active, &path](const Rules& rules) {
-                            struct Visitor
-                            {
-                                Visitor(ActivePermissions& collected) : collected_{collected} {}
-
-                                void handle(const Defs& defs) {
-                                    auto p = defs.server_state().permissions();
-
-                                    // At server level, we only care about the server permissions
-                                    collected_.bootstrap(p);
-                                }
-                                void handle(const Node& n) {
-                                    auto p = n.permissions();
-
-                                    if (auto s = dynamic_cast<const Suite*>(&n); s) {
-                                        // At node level, if the node is a Suite we bootstrap the node permissions
-                                        collected_.combine_supersede(p);
-                                    }
-                                    else {
-                                        // ... otherwise, we combine the node permissions
-                                        //  -- in practice, this combination only restricts node permissions;
-                                        //     for example, a user can't be allowed to read/write/execute a
-                                        //     specific node if he can't do it at a higher node level
-                                        collected_.combine_override(p);
-                                    }
-                                }
-
-                                void not_found() { /* do nothing */ }
-
-                            private:
-                                ActivePermissions& collected_;
-                            };
-
-                            auto p = Path::make(path).value();
-                            auto v = Visitor{active};
-
-                            ecf::visit(defs, p, v);
-                        }
-
-               },
-               impl_->permissions_);
-
-    return active;
+    return ecf::permissions_at(defs, path, impl_->permissions_);
 }
 
 bool AuthorisationService::allows(const Identity& identity, const Defs& defs, Allowed required) const {