Add node level permissions ECFLOW-1960

[marcosbento]

🌦️ >> Documentation << 🌦️
https://sites.ecmwf.int/docs/dev-section/ecflow/pull-requests/PR-189

[codecov-commenter]

Codecov Report

❌ Patch coverage is 90.06772% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.01%. Comparing base (519a841) to head (f375e1e).

Files with missing lines	Patch %	Lines
libs/server/src/ecflow/server/HttpServer.cpp	23.80%	16 Missing ⚠️
libs/node/src/ecflow/node/permissions/Allowed.cpp	28.57%	10 Missing ⚠️
libs/core/src/ecflow/core/Identity.hpp	68.42%	6 Missing ⚠️
.../server/src/ecflow/server/AuthorisationService.cpp	57.14%	3 Missing ⚠️
libs/base/src/ecflow/base/stc/SSyncCmd.cpp	83.33%	2 Missing ⚠️
.../src/ecflow/node/permissions/ActivePermissions.cpp	93.10%	2 Missing ⚠️
libs/base/src/ecflow/base/AuthorisationDetails.hpp	85.71%	1 Missing ⚠️
libs/base/src/ecflow/base/cts/user/CSyncCmd.cpp	75.00%	1 Missing ⚠️
.../src/ecflow/node/permissions/ActivePermissions.hpp	75.00%	1 Missing ⚠️
libs/node/src/ecflow/node/permissions/Allowed.hpp	75.00%	1 Missing ⚠️
... and 1 more

Additional details and impacted files

@@             Coverage Diff             @@
##           develop     #189      +/-   ##
===========================================
+ Coverage    49.87%   50.01%   +0.13%     
===========================================
  Files         1218     1223       +5     
  Lines       100278   100595     +317     
  Branches     14827    14860      +33     
===========================================
+ Hits         50012    50308     +296     
- Misses       50266    50287      +21     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull Request Overview

This PR implements node-level permissions for the ECflow server system. The changes introduce a comprehensive authentication and authorization framework that enables fine-grained access control based on user permissions defined at different levels in the node hierarchy.

• Replaces legacy authentication methods with a new Identity-based system that supports multiple authentication types (user, custom user, secure user, and task)
• Introduces a permissions system using PERMISSIONS variables that can be defined at server, suite, and node levels with inheritance and override capabilities
• Refactors server environment handling to separate authentication and authorization concerns into dedicated services

Reviewed Changes

Copilot reviewed 144 out of 145 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
libs/server/src/ecflow/server/ServerEnvironment.hpp	Replaces password file handling with AuthenticationService and AuthorisationService
libs/server/src/ecflow/server/TcpBaseServer.cpp	Adds identity extraction and assignment to commands
libs/node/src/ecflow/node/permissions/*	New permissions framework with Allowed, Permission, Permissions, and ActivePermissions classes
libs/core/src/ecflow/core/Identity.hpp	New identity system supporting various user types and authentication methods
libs/base/src/ecflow/base/cts/user/*.cpp	Updates user commands to use new authentication/authorization framework

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Including detail headers from boost property_tree is generally discouraged as detail headers are implementation-specific and may change between versions. Consider using the public API instead.

Suggested change

#include <boost/property_tree/json_parser/detail/parser.hpp>

[Copilot]

Debug output should be removed or conditionally compiled for production builds. Consider using a proper logging mechanism or removing this debug statement.

Suggested change

std::cout << " [" << i << "]: " << ok_or_error_cmd->ok() << std::endl;

[Copilot]

The debug message incorrectly refers to 'ServerEnvironment::reload_custom_passwd_file' but this method is now in AuthenticationService. The message should be updated to reflect the correct class name.

Suggested change

	std::cout << "ServerEnvironment::reload_custom_passwd_file:(" << ecf_passwd_custom_file_ << ") CWD("
	std::cout << "AuthenticationService::reload_custom_passwd_file:(" << ecf_passwd_custom_file_ << ") CWD("

[Copilot]

The function signature declares return type 'ecf::Permission' but line 19 calls 'current->perms()' which likely returns a different type. This will cause compilation errors due to type mismatch.

Suggested change

	ecf::Permission perms(const Node& node) {
	auto current = &node;
	auto perms = current->perms();
	ecf::Permission perms = current->perms(); // Ensure perms is of type ecf::Permission

[Copilot]

The sys/param.h header is not portable across all platforms and is not used in the visible code. Consider removing this include or replacing it with more portable alternatives if needed.

Suggested change

#include <sys/param.h>