Release 5.15.2

marcosbento · marcosbento · commit 7b30c1f06c20 · 2025-12-16T18:54:31.000Z
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -31,7 +31,7 @@ find_package( ecbuild 3.4 REQUIRED HINTS ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CUR
 # Project
 # =========================================================================================
 
-project( ecflow LANGUAGES CXX VERSION 5.15.1 )
+project( ecflow LANGUAGES CXX VERSION 5.15.2 )
 #
 # Important:
 #   The CMake project version is used, as generated CMake variables, to filter .../ecflow/core/ecflow_version.h.in
diff --git a/docs/conf.py b/docs/conf.py
@@ -97,7 +97,7 @@
 
 
 def get_ecflow_version():
-    version = "5.15.1"
+    version = "5.15.2"
     ecflow_version = version.split(".")
     print("Extracted ecflow version '" + str(ecflow_version))
     return ecflow_version
diff --git a/docs/release_notes/version_5.15.rst b/docs/release_notes/version_5.15.rst
@@ -6,6 +6,16 @@ Version 5.15 updates
 .. role:: jiraissue
    :class: hidden
 
+Version 5.15.2
+==============
+
+* `Released <https://confluence.ecmwf.int/display/ECFLOW/Releases>`__\  on 2025-12-17
+
+Server
+------
+
+- **Bug Fix** correct use of whitelist for authorisation purposes :jiraissue:`ECFLOW-2055`
+
 Version 5.15.1
 ==============
 
diff --git a/libs/base/src/ecflow/base/Client.cpp b/libs/base/src/ecflow/base/Client.cpp
@@ -103,7 +103,7 @@ bool Client::start_connect(endpoints_iterator_t endpoints_iterator) {
         // will soon be executed. If it returns 1 then the wait handler was successfully cancelled.
 
         // Set a deadline for the connect operation.
-        deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+        deadline_.expires_after(std::chrono::seconds(timeout_));
 
         auto endpoint = endpoints_iterator->endpoint();
         connection_.socket_ll().async_connect(endpoint,
@@ -190,7 +190,7 @@ void Client::start_write() {
     // executed. If it returns 1 then the wait handler was successfully cancelled.
 
     // Set a deadline for the write operation.
-    deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+    deadline_.expires_after(std::chrono::seconds(timeout_));
 
     connection_.async_write(outbound_request_,
                             [this](const boost::system::error_code& error) { this->handle_write(error); });
@@ -235,7 +235,7 @@ void Client::start_read() {
     // executed. If it returns 1 then the wait handler was successfully cancelled.
 
     // Set a deadline for the read operation.
-    deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+    deadline_.expires_after(std::chrono::seconds(timeout_));
 
     connection_.async_read(inbound_response_,
                            [this](const boost::system::error_code& error) { this->handle_read(error); });
@@ -340,7 +340,7 @@ void Client::check_deadline() {
     // Check whether the deadline has passed. We compare the deadline against
     // the current time since a new asynchronous operation may have moved the
     // deadline before this actor had a chance to run.
-    if (deadline_.expires_at() <= boost::asio::deadline_timer::traits_type::now()) {
+    if (deadline_.expiry() <= boost::asio::chrono::system_clock::now()) {
 #ifdef DEBUG_CLIENT
         std::cout << "   Client::check_deadline timed out" << std::endl;
 #endif
diff --git a/libs/base/src/ecflow/base/Client.hpp b/libs/base/src/ecflow/base/Client.hpp
@@ -70,7 +70,7 @@ class Client {
     ClientToServerRequest outbound_request_;  /// The request we will send to the server
     ServerToClientResponse inbound_response_; /// The response we get back from the server
 
-    boost::asio::deadline_timer deadline_;
+    boost::asio::system_timer deadline_;
 
     //    connect        : timeout_ second
     //    send request   : timeout_ second
diff --git a/libs/base/src/ecflow/base/SslClient.cpp b/libs/base/src/ecflow/base/SslClient.cpp
@@ -104,7 +104,7 @@ bool SslClient::start_connect(endpoints_iterator_t endpoints_iterator) {
         // will soon be executed. If it returns 1 then the wait handler was successfully cancelled.
 
         // Set a deadline for the connect operation.
-        deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+        deadline_.expires_after(std::chrono::seconds(timeout_));
 
         boost::asio::ip::tcp::endpoint endpoint = *endpoints_iterator;
         connection_.socket_ll().async_connect(endpoint,
@@ -192,7 +192,7 @@ void SslClient::start_handshake() {
     // cancelled. If it returns 0 then you were too late and the wait handler has already been executed, or will soon be
     // executed. If it returns 1 then the wait handler was successfully cancelled. Set a deadline for the write
     // operation.
-    deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+    deadline_.expires_after(std::chrono::seconds(timeout_));
 
     connection_.socket().async_handshake(boost::asio::ssl::stream_base::client,
                                          [this](const boost::system::error_code& e) { handle_handshake(e); });
@@ -222,7 +222,7 @@ void SslClient::start_write() {
     // executed. If it returns 1 then the wait handler was successfully cancelled.
 
     // Set a deadline for the write operation.
-    deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+    deadline_.expires_after(std::chrono::seconds(timeout_));
 
     connection_.async_write(outbound_request_,
                             [this](const boost::system::error_code& error) { this->handle_write(error); });
@@ -267,7 +267,7 @@ void SslClient::start_read() {
     // executed. If it returns 1 then the wait handler was successfully cancelled.
 
     // Set a deadline for the read operation.
-    deadline_.expires_from_now(boost::posix_time::seconds(timeout_));
+    deadline_.expires_after(std::chrono::seconds(timeout_));
 
     connection_.async_read(inbound_response_,
                            [this](const boost::system::error_code& error) { this->handle_read(error); });
@@ -369,7 +369,7 @@ void SslClient::check_deadline() {
     // Check whether the deadline has passed. We compare the deadline against
     // the current time since a new asynchronous operation may have moved the
     // deadline before this actor had a chance to run.
-    if (deadline_.expires_at() <= boost::asio::deadline_timer::traits_type::now()) {
+    if (deadline_.expiry() <= boost::asio::chrono::system_clock::now()) {
 #ifdef DEBUG_CLIENT
         std::cout << "   SslClient::check_deadline timed out" << std::endl;
 #endif
diff --git a/libs/base/src/ecflow/base/SslClient.hpp b/libs/base/src/ecflow/base/SslClient.hpp
@@ -72,7 +72,7 @@ class SslClient {
     ClientToServerRequest outbound_request_;  /// The request we will send to the server
     ServerToClientResponse inbound_response_; /// The response we get back from the server
 
-    boost::asio::deadline_timer deadline_;
+    boost::asio::system_timer deadline_;
 
     //    connect        : timeout_ second
     //    send request   : timeout_ second
diff --git a/libs/server/src/ecflow/server/AuthorisationService.cpp b/libs/server/src/ecflow/server/AuthorisationService.cpp
@@ -13,23 +13,40 @@
 #include "ecflow/base/AbstractServer.hpp"
 #include "ecflow/base/Algorithms.hpp"
 #include "ecflow/core/Overload.hpp"
+#include "ecflow/core/WhiteListFile.hpp"
 
 namespace ecf {
 
-struct Rules
+///
+/// NodeRules represent permissions derived from the nodes themselves (based on ECF_PERMISSIONS permissions)
+///
+struct NodeRules
 {
 };
 
+///
+/// WhiteListRules represent permissions define by a white list file
+///
+struct WhiteListRules
+{
+    WhiteListRules(const WhiteListFile& file) : file_(file) {}
+    const WhiteListFile& file_;
+};
+
+///
+/// Unrestricted represent no restrictions at all
+///
 struct Unrestricted
 {
 };
 
 struct AuthorisationService::Impl
 {
     Impl() : permissions_(Unrestricted{}) {}
-    explicit Impl(Rules&& rules) : permissions_(std::move(rules)) {}
+    explicit Impl(NodeRules&& rules) : permissions_(std::move(rules)) {}
+    explicit Impl(WhiteListRules&& rules) : permissions_(std::move(rules)) {}
 
-    std::variant<Unrestricted, Rules> permissions_;
+    std::variant<Unrestricted, NodeRules, WhiteListRules> permissions_;
 };
 
 AuthorisationService::AuthorisationService() = default;
@@ -83,7 +100,19 @@ bool AuthorisationService::allows(const Identity& identity,
                      // Dangerous, but backward compatible!
                      allowed = true;
                  },
-                 [&server, &identity, &paths, &permission, &allowed](const Rules& rules) {
+                 [&allowed, &identity, &paths, &permission](const WhiteListRules& rules) {
+                     // Apply white list rules
+                     if (permission == "read") {
+                         allowed = rules.file_.verify_read_access(identity.username(), paths);
+                     }
+                     else if (permission == "write") {
+                         allowed = rules.file_.verify_write_access(identity.username(), paths);
+                     }
+                     else {
+                         allowed = false;
+                     }
+                 },
+                 [&server, &identity, &paths, &permission, &allowed](const NodeRules& rules) {
                      for (auto&& path : paths) {
 
                          auto u = identity.as_string();
@@ -132,7 +161,11 @@ bool AuthorisationService::allows(const Identity& identity,
 }
 
 AuthorisationService::result_t AuthorisationService::load_permissions_from_nodes() {
-    return result_t::success(AuthorisationService(std::make_unique<Impl>(Rules{})));
+    return result_t::success(AuthorisationService(std::make_unique<Impl>(NodeRules{})));
+}
+
+AuthorisationService::result_t AuthorisationService::load_permissions_from_whitelist(const WhiteListFile& whitelist) {
+    return result_t::success(AuthorisationService(std::make_unique<Impl>(WhiteListRules{whitelist})));
 }
 
 } // namespace ecf
diff --git a/libs/server/src/ecflow/server/AuthorisationService.hpp b/libs/server/src/ecflow/server/AuthorisationService.hpp
@@ -14,6 +14,7 @@
 #include "ecflow/core/Filesystem.hpp"
 #include "ecflow/core/Identity.hpp"
 #include "ecflow/core/Result.hpp"
+#include "ecflow/core/WhiteListFile.hpp"
 
 class AbstractServer;
 
@@ -70,6 +71,7 @@ class AuthorisationService {
 
     [[nodiscard]]
     static result_t load_permissions_from_nodes();
+    static result_t load_permissions_from_whitelist(const WhiteListFile& whitelist);
 
 private:
     struct Impl;
diff --git a/libs/server/src/ecflow/server/CheckPtSaver.cpp b/libs/server/src/ecflow/server/CheckPtSaver.cpp
@@ -29,7 +29,7 @@ using namespace ecf;
 //-------------------------------------------------------------------------------------
 CheckPtSaver::CheckPtSaver(BaseServer* s, boost::asio::io_context& io, const ServerEnvironment* serverEnv)
     : server_(s),
-      timer_(io, boost::posix_time::seconds(0)),
+      timer_(io, std::chrono::seconds(0)),
       firstTime_(true),
       running_(false),
       serverEnv_(serverEnv),
@@ -67,7 +67,7 @@ void CheckPtSaver::start() {
     //               with explicit save each time server is halted/started.
     if (firstTime_) {
         firstTime_ = false;
-        timer_.expires_from_now(boost::posix_time::seconds(serverEnv_->checkPtInterval()));
+        timer_.expires_after(std::chrono::seconds(serverEnv_->checkPtInterval()));
         timer_.async_wait(boost::asio::bind_executor(
             server_->io_, [this](const boost::system::error_code& error) { periodicSaveCheckPt(error); }));
     }
@@ -170,7 +170,7 @@ void CheckPtSaver::periodicSaveCheckPt(const boost::system::error_code& error) {
     }
 
     /// Appears that expires_from_now is more accurate then expires_at
-    timer_.expires_from_now(boost::posix_time::seconds(serverEnv_->checkPtInterval()));
+    timer_.expires_after(std::chrono::seconds(serverEnv_->checkPtInterval()));
     timer_.async_wait(boost::asio::bind_executor(
         server_->io_, [this](const boost::system::error_code& error) { periodicSaveCheckPt(error); }));
 }
diff --git a/libs/server/src/ecflow/server/CheckPtSaver.hpp b/libs/server/src/ecflow/server/CheckPtSaver.hpp
@@ -115,7 +115,7 @@ class CheckPtSaver {
     void periodicSaveCheckPt(const boost::system::error_code& error);
 
     BaseServer* server_;
-    boost::asio::deadline_timer timer_;
+    boost::asio::system_timer timer_;
     bool firstTime_;
     bool running_;
     const ServerEnvironment* serverEnv_;
diff --git a/libs/server/src/ecflow/server/NodeTreeTraverser.cpp b/libs/server/src/ecflow/server/NodeTreeTraverser.cpp
@@ -37,7 +37,7 @@ using namespace ecf;
 NodeTreeTraverser::NodeTreeTraverser(BaseServer* s, boost::asio::io_context& io, const ServerEnvironment& serverEnv)
     : server_(s),
       serverEnv_(serverEnv),
-      timer_(io, boost::posix_time::seconds(0)),
+      timer_(io, std::chrono::seconds(0)),
       interval_(0, 0, serverEnv_.submitJobsInterval(), 0),
 #ifdef DEBUG_TRAVERSER
       count_(0),
@@ -283,7 +283,7 @@ void NodeTreeTraverser::do_traverse() {
 void NodeTreeTraverser::start_timer() {
     /// Appears that expires_from_now is more accurate then expires_at i.e timer_.expires_at( timer_.expires_at() +
     /// boost::posix_time::seconds( poll_at ) );
-    timer_.expires_from_now(boost::posix_time::seconds(1));
+    timer_.expires_after(std::chrono::seconds(1));
     timer_.async_wait(
         boost::asio::bind_executor(server_->io_, [this](const boost::system::error_code& error) { traverse(error); }));
 }
diff --git a/libs/server/src/ecflow/server/NodeTreeTraverser.hpp b/libs/server/src/ecflow/server/NodeTreeTraverser.hpp
@@ -77,7 +77,7 @@ class NodeTreeTraverser {
 
     BaseServer* server_;
     const ServerEnvironment& serverEnv_;
-    boost::asio::deadline_timer timer_;
+    boost::asio::system_timer timer_;
     boost::posix_time::ptime last_time_;        // ensure poll is in sync
     boost::posix_time::ptime next_poll_time_;   // Keep as sync as possible with hard real times
     boost::posix_time::time_duration interval_; // Job submission interval
diff --git a/libs/server/src/ecflow/server/PeriodicScheduler.hpp b/libs/server/src/ecflow/server/PeriodicScheduler.hpp
@@ -24,7 +24,7 @@ namespace ecf {
 
 class Timer {
 public:
-    explicit Timer(boost::asio::io_context& io) : io_{io}, timer_{io_, boost::posix_time::seconds(0)} {}
+    explicit Timer(boost::asio::io_context& io) : io_{io}, timer_{io_, std::chrono::seconds(0)} {}
     Timer(const Timer&) = delete;
 
     Timer& operator=(const Timer&) = delete;
@@ -33,15 +33,13 @@ class Timer {
 
     template <typename CALLBACK>
     void set(CALLBACK callback, std::chrono::seconds expiry) {
-        /// Appears that `expires_from_now` is more accurate `then expires_at`
-        ///   i.e. timer_.expires_at( timer_.expires_at() + boost::posix_time::seconds( poll_at ) );
-        timer_.expires_from_now(boost::posix_time::seconds(expiry.count()));
+        timer_.expires_after(expiry);
         timer_.async_wait(boost::asio::bind_executor(io_, callback));
     }
 
 private:
     boost::asio::io_context& io_;
-    boost::asio::deadline_timer timer_;
+    boost::asio::system_timer timer_;
 };
 
 ///
diff --git a/libs/server/src/ecflow/server/ServerEnvironment.cpp b/libs/server/src/ecflow/server/ServerEnvironment.cpp
@@ -315,10 +315,7 @@ bool ServerEnvironment::valid(std::string& errorMsg) const {
 
     if (auto result = AuthorisationService::load_permissions_from_nodes(); result.ok()) {
         authorisation_service_ = result.value();
-        std::cout << "Loaded server permissions file\n";
-    }
-    else {
-        std::cout << "Unable to load server permissions file, due to: " << result.reason() << '\n';
+        std::cout << "Loaded server permissions based on Nodes\n";
     }
 
     // Check that Authentication information is valid
@@ -338,7 +335,20 @@ bool ServerEnvironment::valid(std::string& errorMsg) const {
     /// read in the ecf white list file that specifies valid users and their access rights
     /// If the file can't be opened returns false and an error message and false;
     /// Automatically add server admin(user) with write access, as this will allow admin reload
-    return load_whitelist_file(errorMsg);
+    if (auto loaded = load_whitelist_file(errorMsg); loaded) {
+        if (auto result = AuthorisationService::load_permissions_from_whitelist(this->white_list_file_); result.ok()) {
+            authorisation_service_ = result.value();
+            std::cout << "Loaded server permissions based on Whitelist file\n";
+            return true;
+        }
+        else {
+            std::cout << "Unable to load server permissions, due to: " << result.reason() << '\n';
+            return false;
+        }
+    }
+    else {
+        return false;
+    }
 }
 
 std::pair<std::string, std::string> ServerEnvironment::hostPort() const {

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ find_package( ecbuild 3.4 REQUIRED HINTS ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CUR`
`31`	`31`	`# Project`
`32`	`32`	`# =========================================================================================`
`33`	`33`
`34`		`-project( ecflow LANGUAGES CXX VERSION 5.15.1 )`
	`34`	`+project( ecflow LANGUAGES CXX VERSION 5.15.2 )`
`35`	`35`	`#`
`36`	`36`	`# Important:`
`37`	`37`	`# The CMake project version is used, as generated CMake variables, to filter .../ecflow/core/ecflow_version.h.in`