@cap-js/ord 1.3.14 → 1.4.1

package/lib/templates.js

@@ -1,15 +1,16 @@
 const cds = require("@sap/cds");
 const { hasSAPPolicyLevel } = require("./utils");
+const { isMCPPluginReady } = require("./mcpAdapter");
 const defaults = require("./defaults");
 const _ = require("lodash");
 const {
-    AUTHENTICATION_TYPE,
     DATA_PRODUCT_ANNOTATION,
     DATA_PRODUCT_SIMPLE_ANNOTATION,
     DATA_PRODUCT_TYPE,
     DESCRIPTION_PREFIX,
     ENTITY_RELATIONSHIP_ANNOTATION,
     LEVEL,
+    MCP_CUSTOM_TYPE,
     ORD_EXTENSIONS_PREFIX,
     ORD_ODM_ENTITY_NAME_ANNOTATION,
     ORD_RESOURCE_TYPE,
@@ -21,7 +22,8 @@ const {
     CONTENT_MERGE_KEY,
     CDS_ELEMENT_KIND,
 } = require("./constants");
-const { Logger } = require("./logger");
+const Logger = require("./logger");
+const { ensureAccessStrategies } = require("./access-strategies");
 
 function unflatten(flattedObject) {
     let result = {};
@@ -66,8 +68,13 @@ const _generatePaths = (srv, srvDefinition) => {
 
     //putting OData as default in case of non-supported protocol
     if (paths.length === 0) {
-        srvDefinition["@odata"] = true;
-        paths.push({ kind: "odata", path: protocols.path4(srvDefinition) });
+        if (isPrimaryDataProductService(srvDefinition)) {
+            // Data product services use REST protocol, not OData
+            paths.push({ kind: "rest", path: protocols.path4(srvDefinition) });
+        } else {
+            srvDefinition["@odata"] = true;
+            paths.push({ kind: "odata", path: protocols.path4(srvDefinition) });
+        }
     }
 
     return paths;
@@ -152,29 +159,32 @@ function _getEntityVersion(entity) {
 }
 
 /**
- * This is a function to create a resource definition object.
+ * Pure template function for creating ORD resource definitions.
+ * This function does not make assumptions about access strategies - they must be provided explicitly.
+ * Access strategies are validated and will fallback to 'open' in non-strict mode if missing.
+ *
  * @param {string} resourceType The type of the resource.
  * @param {string} mediaType The media type of the resource.
  * @param {string} ordId The ordId of the resource.
  * @param {string} serviceName The name of the service.
  * @param {string} fileExtension The file extension of the resource.
- * @param {Array} accessStrategies The array of accessStrategies objects
+ * @param {Array} accessStrategies The array of accessStrategies objects (required, no default)
  * @returns {Object} A resource definition object.
  * @private
  */
-function _getResourceDefinition(
-    resourceType,
-    mediaType,
-    ordId,
-    serviceName,
-    fileExtension,
-    accessStrategies = [{ type: AUTHENTICATION_TYPE.Open }],
-) {
+function _getResourceDefinition(resourceType, mediaType, ordId, serviceName, fileExtension, accessStrategies) {
+    // Validate and ensure access strategies are present
+    // In non-strict mode, this will log error and fallback to 'open'
+    // In strict mode (cds.env.ord.strictAccessStrategies = true), this will throw
+    const validatedStrategies = ensureAccessStrategies(accessStrategies, {
+        resourceName: `${serviceName} (${resourceType})`,
+    });
+
     return {
         type: resourceType,
         mediaType: `application/${mediaType}`,
         url: `/ord/v1/${ordId}/${serviceName}.${fileExtension}`,
-        accessStrategies,
+        accessStrategies: validatedStrategies,
     };
 }
 
@@ -197,7 +207,7 @@ const createGroupsTemplateForService = (serviceName, serviceDefinition, appConfi
     const visibility = _handleVisibility(ordExtensions, serviceDefinition, appConfig.env?.defaultVisibility);
     if (visibility === RESOURCE_VISIBILITY.private) {
         // If the visibility of the service is private, do not create a group
-        Logger.debug("Skipping group creation for private service:", serviceName);
+        Logger.info("Skipping group creation for private service:", serviceName);
         return undefined;
     }
 
@@ -581,6 +591,107 @@ function _getPackageID(namespace, packageIds, resourceType, visibility = RESOURC
     return packageIds.find((id) => id.includes(`-${resourceType}-`)) || packageIds.find((id) => id.includes(namespace));
 }
 
+/**
+ * Helper function to create a single MCP API resource.
+ *
+ * @param {object} metadata - The MCP metadata object.
+ * @param {object} appConfig - The application configuration.
+ * @param {Array} packageIds - The available package identifiers.
+ * @param {Array} accessStrategies - The array of accessStrategies objects.
+ * @returns {Object} An MCP API resource object.
+ */
+function createSingleMCPResource(metadata, appConfig, packageIds, accessStrategies) {
+    const visibility = metadata?.visibility || RESOURCE_VISIBILITY.public;
+
+    // Generate ordId based on visibility
+    let resourceId;
+    if (visibility === RESOURCE_VISIBILITY.public) {
+        resourceId = "mcp-server"; // Default public resource
+    } else {
+        resourceId = `mcp-server-${visibility}`; // mcp-server-internal, mcp-server-private
+    }
+
+    const ordId = `${appConfig.ordNamespace}:apiResource:${resourceId}:v1`;
+
+    // Use metadata with proper fallbacks
+    const title = metadata?.title || `MCP Server for ${appConfig.appName}`;
+    const shortDescription =
+        metadata?.shortDescription || `This is the MCP server to interact with the ${appConfig.appName}`;
+    const description = metadata?.description || `This is the MCP server to interact with the ${appConfig.appName}`;
+    const version = metadata?.version || "1.0.0";
+
+    // Handle entryPoints: convert string to array, with fallback
+    const entryPoints = metadata?.entryPoints ? metadata.entryPoints : ["/rest/mcp/streaming"];
+
+    const packageId = _getPackageID(appConfig.ordNamespace, packageIds, ORD_RESOURCE_TYPE.api, visibility);
+    // Fallback: ensure partOfPackage never undefined to satisfy generic apiResources tests
+    const effectivePackageId = packageId || `${appConfig.ordNamespace}:package:${visibility}:v1`;
+
+    return {
+        ordId,
+        title,
+        shortDescription,
+        description,
+        version,
+        lastUpdate: appConfig.lastUpdate,
+        visibility,
+        partOfPackage: effectivePackageId,
+        releaseStatus: "active",
+        apiProtocol: "mcp",
+        resourceDefinitions: [
+            {
+                type: "custom",
+                customType: MCP_CUSTOM_TYPE,
+                mediaType: "application/json",
+                url: `/ord/v1/${ordId}/mcp-server-definition.mcp.json`,
+                accessStrategies,
+            },
+        ],
+        entryPoints,
+        extensible: { supported: "no" },
+    };
+}
+
+/**
+ * This is a template function to create MCP API Resource object(s).
+ *
+ * The generated MCP API resource(s) can be customized via the generic overwrite mechanism
+ * using custom.ord.json. Properties like visibility, title, version, entryPoints, etc.
+ * can be overridden by matching the ordId pattern.
+ *
+ * Metadata values are sourced from the MCP plugin's generateORDMetadata function when available,
+ * which reads from cds.env.mcp configuration. This allows users to customize MCP metadata via
+ * package.json or .cdsrc.json files.
+ *
+ * @param {object} appConfig - The application configuration.
+ * @param {Array} packageIds - The available package identifiers.
+ * @param {Array} accessStrategies The array of accessStrategies objects
+ * @returns {Object|Array} An MCP API resource object or array of objects.
+ */
+const createMCPAPIResourceTemplate = (appConfig, packageIds, accessStrategies) => {
+    // Get ORD metadata from MCP plugin if available
+    let ordMetadata = null;
+    // Use comprehensive check for MCP plugin readiness
+    const shouldAddMCP = isMCPPluginReady();
+    if (shouldAddMCP) {
+        try {
+            const { generateORDMetadata } = require("@btp-ai/mcp-plugin/lib/utils/metadata");
+            ordMetadata = generateORDMetadata();
+        } catch (error) {
+            Logger.warn("Failed to generate MCP ORD metadata:", error.message);
+        }
+    }
+
+    // Handle both array and single object responses from MCP plugin
+    if (Array.isArray(ordMetadata)) {
+        return ordMetadata.map((metadata) =>
+            createSingleMCPResource(metadata, appConfig, packageIds, accessStrategies),
+        );
+    } else {
+        return createSingleMCPResource(ordMetadata || {}, appConfig, packageIds, accessStrategies);
+    }
+};
+
 function _propagateORDVisibility(model) {
     for (const [name, def] of Object.entries(model.definitions)) {
         if (def.kind === CDS_ELEMENT_KIND.service && def[ORD_EXTENSIONS_PREFIX + "visibility"]) {
@@ -606,6 +717,7 @@ module.exports = {
     createGroupsTemplateForService,
     createAPIResourceTemplate,
     createEventResourceTemplate,
+    createMCPAPIResourceTemplate,
     _getPackageID,
     _getEntityTypeMappings,
     _getExposedEntityTypes,

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@cap-js/ord",
-    "version": "1.3.14",
+    "version": "1.4.1",
     "description": "CAP Plugin for generating ORD document.",
     "repository": "cap-js/ord",
     "author": "SAP SE (https://www.sap.com)",
@@ -9,7 +9,7 @@
     "workspaces": [
         "xmpl",
         "xmpl_java",
-        "__tests__/integration-test-app"
+        "__tests__/integration/integration-test-app"
     ],
     "main": "cds-plugin.js",
     "files": [
@@ -20,20 +20,23 @@
     ],
     "scripts": {
         "lint": "npx eslint .",
-        "test": "jest --ci --collectCoverage",
-        "test:integration": "jest __tests__/integration.test.js --testTimeout=30000 --testPathIgnorePatterns=/node_modules/ --forceExit",
+        "test": "jest __tests__/unit --ci --collectCoverage",
+        "test:integration:basic": "jest __tests__/integration/basic-auth.test.js --testPathIgnorePatterns=/node_modules/ --forceExit",
+        "test:integration:mtls": "jest __tests__/integration/mtls-auth.test.js --testPathIgnorePatterns=/node_modules/ --forceExit",
         "update-snapshot": "jest --ci --updateSnapshot",
         "cds:version": "cds v -i"
     },
     "devDependencies": {
         "eslint": "^9.2.0",
+        "express": "^4",
         "jest": "^30.0.0",
-        "prettier": "3.6.2",
-        "supertest": "^7.0.0"
+        "prettier": "3.7.4",
+        "supertest": "^7.0.0",
+        "@cap-js/sqlite": "^2",
+        "@sap/cds-dk": ">=8.9.5"
     },
     "peerDependencies": {
-        "@sap/cds": ">=8.9.4",
-        "@sap/cds-dk": ">=8.9.5"
+        "@sap/cds": ">=8.9.4"
     },
     "dependencies": {
         "@cap-js/asyncapi": "^1.0.3",

package/lib/authentication.js

@@ -1,153 +0,0 @@
-const cds = require("@sap/cds");
-const { AUTHENTICATION_TYPE, BASIC_AUTH_HEADER_KEY, AUTH_TYPE_ORD_ACCESS_STRATEGY_MAP } = require("./constants");
-const { Logger } = require("./logger");
-const bcrypt = require("bcryptjs");
-
-/**
- * Compares a plain text password with a hashed password
- * @param {string} password Plain text password to check
- * @param {string} hashedPassword Hashed password to compare against
- * @returns {Promise<boolean>} Promise resolving to true if passwords match, false otherwise
- */
-async function _comparePassword(password, hashedPassword) {
-    if (!password || !hashedPassword) {
-        throw new Error("Password and hashed password are required");
-    }
-    return await bcrypt.compare(password, hashedPassword.replace(/^\$2y/, "$2a"));
-}
-
-/**
- * Validates if a string is a bcrypt hash
- * @param {string} hash String to validate
- * @returns {boolean} boolean indicating if the string is a bcrypt hash
- */
-function _isBcryptHash(hash) {
-    return /^\$2[ayb]\$\d{2}\$[A-Za-z0-9./]{53}$/.test(hash);
-}
-
-/**
- * Create authentication configuration based on data given in the environment variables.
- * @returns {Object} Authentication configuration object or default configuration object as a fallback.
- */
-function createAuthConfig() {
-    const defaultAuthConfig = {
-        types: [AUTHENTICATION_TYPE.Open],
-        accessStrategies: [{ type: AUTHENTICATION_TYPE.Open }],
-    };
-
-    try {
-        const authConfig = {};
-
-        authConfig.types = process.env.ORD_AUTH_TYPE
-            ? [...new Set(JSON.parse(process.env.ORD_AUTH_TYPE))]
-            : [...new Set(cds.env.authentication?.types)];
-
-        if (!authConfig.types || authConfig.types.length === 0) {
-            Logger.error("createAuthConfig:", 'No authorization type is provided. Defaulting to "Open" authentication');
-            return defaultAuthConfig;
-        }
-
-        if (authConfig.types.some((authType) => !Object.values(AUTHENTICATION_TYPE).includes(authType))) {
-            return Object.assign(defaultAuthConfig, { error: "Invalid authentication type" });
-        }
-
-        if (
-            authConfig.types.includes(AUTHENTICATION_TYPE.Open) &&
-            authConfig.types.includes(AUTHENTICATION_TYPE.Basic)
-        ) {
-            return Object.assign(defaultAuthConfig, {
-                error: "Open authentication cannot be combined with any other authentication type",
-            });
-        }
-
-        if (authConfig.types.includes(AUTHENTICATION_TYPE.Basic)) {
-            const credentials = process.env.BASIC_AUTH
-                ? JSON.parse(process.env.BASIC_AUTH)
-                : cds.env.authentication.credentials;
-
-            // Check all passwords in credentials map
-            for (const [username, password] of Object.entries(credentials)) {
-                if (!_isBcryptHash(password)) {
-                    Logger.error("createAuthConfig:", `Password for user "${username}" must be a bcrypt hash`);
-                    return Object.assign(defaultAuthConfig, { error: "All passwords must be bcrypt hashes" });
-                }
-            }
-            // Store the complete credentials map
-            authConfig.credentials = credentials;
-        }
-        authConfig.accessStrategies = authConfig.types.map((type) => ({
-            type: AUTH_TYPE_ORD_ACCESS_STRATEGY_MAP[type],
-        }));
-        return authConfig;
-    } catch (error) {
-        return Object.assign(defaultAuthConfig, { error: error.message });
-    }
-}
-
-/**
- * Validate, store authentication configuration in cds.context if undefined, and return the context.
- */
-function getAuthConfig() {
-    if (cds.context?.authConfig) return cds.context?.authConfig;
-
-    const authConfig = createAuthConfig();
-
-    if (authConfig.error) {
-        Logger.error("Authentication configuration error: " + authConfig.error);
-        throw new Error("Invalid authentication configuration");
-    }
-
-    // set the context
-    cds.context = {
-        authConfig,
-    };
-    return cds.context?.authConfig;
-}
-
-/**
- * Middleware to authenticate the request based on the authentication configuration.
- */
-async function authenticate(req, res, next) {
-    const authConfig = cds.context.authConfig;
-
-    if (authConfig.types.includes(AUTHENTICATION_TYPE.Open)) {
-        res.status(200);
-        return next();
-    }
-
-    if (
-        !Object.keys(req.headers).includes(BASIC_AUTH_HEADER_KEY) &&
-        authConfig.types.includes(AUTHENTICATION_TYPE.Basic)
-    ) {
-        return res.status(401).setHeader("WWW-Authenticate", 'Basic realm="401"').send("Authentication required.");
-    }
-
-    if (req.headers[BASIC_AUTH_HEADER_KEY] && authConfig.types.includes(AUTHENTICATION_TYPE.Basic)) {
-        const authHeader = req.headers[BASIC_AUTH_HEADER_KEY];
-
-        if (!authHeader.startsWith("Basic ")) {
-            return res.status(401).send("Invalid authentication type");
-        }
-
-        const [username, password] = Buffer.from(authHeader.split(" ")[1], "base64").toString().split(":");
-        const credentials = authConfig.credentials;
-        const storedPassword = credentials[username];
-
-        if (storedPassword && (await _comparePassword(password, storedPassword))) {
-            res.status(200);
-            return next();
-        } else {
-            return res.status(401).send("Invalid credentials");
-        }
-    }
-
-    // In other cases, the request is unauthorized.
-    // TODO: Add support for UCL-mTLS authorization.
-    return res.status(401).send("Not authorized");
-}
-
-module.exports = {
-    authenticate,
-    createAuthConfig,
-    getAuthConfig,
-};