@kalisio/kdk 2.6.2 → 2.6.4

package/core/api/authentication.js

@@ -30,6 +30,16 @@ export class Authentication extends AuthenticationService {
       return {}
     }
   }
+
+  // Similarly the subject will not be set by Feathers for stateless tokens that do not target existing users.
+  async getTokenOptions (authResult, params) {
+    const jwtOptions = await super.getTokenOptions(authResult, params)
+    if (!jwtOptions.subject) {
+      const subject = _.get(authResult, 'authentication.payload.sub')
+      if (subject) jwtOptions.subject = subject
+    }
+    return jwtOptions
+  }
 }
 
 export class AuthenticationProviderStrategy extends OAuthStrategy {
@@ -105,6 +115,7 @@ export class JWTAuthenticationStrategy extends JWTStrategy {
     const { identityFields } = authConfig
     const { entity } = this.configuration
     const renewJwt = _.get(this.configuration, 'renewJwt', true)
+    const { provider, ...paramsWithoutProvider } = params
 
     if (!accessToken) {
       throw new NotAuthenticated('No access token')
@@ -142,7 +153,8 @@ export class JWTAuthenticationStrategy extends JWTStrategy {
           $or: _.reduce(identityFields, (or, field) => or.concat([{ [field]: payload.sub }]), []),
           $limit: 1
         }
-        const response = await this.entityService.find({ ...params, query })
+        // Avoid sending provider to internal call as it might raises some issues with hooks relying on it otherwise
+        const response = await this.entityService.find({ ...paramsWithoutProvider, query })
         const [value = null] = response.data ? response.data : response
         // Otherwise assume a stateless token
         if (value) {

package/core/api/hooks/hooks.query.js

@@ -1,10 +1,12 @@
 import _ from 'lodash'
 import { marshallComparisonFields, marshallTime, marshallBooleanFields, marshallNumberFields, marshallDateFields } from '../marshall.js'
 import mongodb from 'mongodb'
+import errors from '@feathersjs/errors'
 import makeDebug from 'debug'
 import { makeDiacriticPattern } from '../../common/utils.js'
 
 const { ObjectID } = mongodb
+const { Forbidden } = errors
 const debug = makeDebug('kdk:core:query:hooks')
 
 export function marshallTimeQuery (hook) {
@@ -59,10 +61,17 @@ export function marshallHttpQuery (hook) {
 }
 
 export async function aggregationQuery (hook) {
+  if (hook.type !== 'before') {
+    throw new Error('The \'aggregationQuery\' hook should only be used as a \'before\' hook.')
+  }
   const query = hook.params.query
   if (!query) return
   const service = hook.service
   if (query.$aggregation) {
+    // Generic aggregation request could allow to disclose or update information in DB so that it should only be used through controlled internal calls
+    if (hook.params.provider) {
+      throw new Forbidden('You are not allowed to perform aggregation')
+    }
     const collection = service.Model
     // Set result to avoid service DB call
     hook.result = await collection.aggregate(query.$aggregation.pipeline, query.$aggregation.options).toArray()

package/core/client/capabilities.js

@@ -17,7 +17,12 @@ export const Capabilities = {
       const capabilities = await window.fetch(api.getConfig('domain') + _.get(config, 'apiPath') + '/capabilities')
       this.content = await capabilities.json()
       // Store latest capabilities data for offline mode
-      await LocalCache.setItem('capabilities', this.content)
+      // Avoid blocking on eg QuotaExceededError
+      try {
+        await LocalCache.setItem('capabilities', this.content)
+      } catch (error) {
+        logger.error(error)
+      }
     }
     logger.debug('[KDK] Capabilities initialized with content:', this.content)
     if (!this.content) return

package/core/client/components/KChip.vue

@@ -2,7 +2,7 @@
   <q-chip
     v-model="computedState"
     :selected="selected"
-    :icon="icon"
+    :icon="computedIcon"
     :iconRight="iconRight"
     :iconRemove="iconRemove"
     :iconSelected="iconSelected"
@@ -17,7 +17,7 @@
     @click="event => emit('click', event)"
     class="k-chip"
   >
-    <div v-if="computedLabel"
+    <div v-if="!hideLabel && computedLabel"
       :id="id"
       class="ellipsis"
       :class="{ 'q-pl-sm': !dense && (icon || isTruncated ) , 'q-pl-xs': dense && (icon || isTruncated) }"
@@ -46,10 +46,21 @@ const props = defineProps({
     type: [String, Number],
     default: ''
   },
+  hideLabel: {
+    type: Boolean,
+    default: false
+  },
   tooltip: {
     type: String,
     default: undefined
   },
+  tooltipBehavior: {
+    type: String,
+    default: 'truncated',
+    validator: (value) => {
+      return ['always', 'truncated', 'never'].includes(value)
+    }
+  },
   icon: {
     type: String,
     default: undefined
@@ -66,6 +77,10 @@ const props = defineProps({
     type: String,
     default: 'check'
   },
+  hideIcon: {
+    type: Boolean,
+    default: false
+  },
   modelValue: {
     type: Boolean,
     default: true
@@ -129,11 +144,17 @@ const computedState = computed({
   }
 })
 const computedLabel = computed(() => {
-  return i18n.tie(props.label)
+  if (!props.hideLabel && props.label) return i18n.tie(props.label)
+})
+const computedIcon = computed(() => {
+  if (!props.hideIcon) return props.icon
 })
 const computedTooltip = computed(() => {
-  if (props.tooltip) return i18n.tie(props.tooltip)
-  if (props.label && isTruncated.value) return computedLabel.value
+  if (props.tooltipBehavior === 'never') return
+  if (props.tooltipBehavior === 'truncated') {
+    if (!isTruncated.value) return
+  }
+  return props.label ? i18n.tie(props.label) : props.tooltip
 })
 const computedColor = computed(() => {
   return props.outline ? 'transparent' : getHtmlColor(props.color)
@@ -153,7 +174,7 @@ const computedBorderColor = computed(() => {
 function onResize () {
   // check whether the label is truncated
   const chipElement = document.getElementById(id)
-  if (chipElement) isTruncated.value = (chipElement && chipElement.offsetWidth < chipElement.scrollWidth)
+  if (chipElement) isTruncated.value = (chipElement && (chipElement.offsetWidth < chipElement.scrollWidth))
 }
 </script>
 

package/core/client/components/collection/KCard.vue

@@ -163,10 +163,10 @@ export default {
     computedSections () {
       return _.map(this.sections, (value, key) => {
         return {
-          ...value,
           item: this.item,
           actions: _.filter(this.itemActions, { scope: key }),
-          dense: this.dense
+          dense: this.dense,
+          ...value
         }
       })
     },

package/core/client/utils/utils.session.js

@@ -11,7 +11,11 @@ async function authenticate(authentication) {
   let user = Store.get('user')
   if (user) return
   // Store latest authentication data for offline mode
-  await LocalCache.setItem('authentication', authentication)
+  try {    
+    await LocalCache.setItem('authentication', authentication)
+  } catch (error) {
+    logger.error(error)
+  }
   // Anonymous user or user account ?
   user = authentication.user ? authentication.user : { name: i18n.t('composables.ANONYMOUS'), anonymous: true }
   Store.set('user', user)

package/extras/tours/pane.top.js

@@ -105,6 +105,15 @@ module.exports = {
       }
     }, options)
   },
+  toggleZoomControl: (options) => {
+    return Object.assign({
+      target: '#toggle-zoom-control-sticky',
+      title: 'tours.navigation-bar.ZOOM_CONTROL_LABEL',
+      params: {
+        placement: 'bottom'
+      }
+    }, options)
+  },
   positionIndicator: (options) => {
     return Object.assign({
       target: '#position-indicator',

package/map/api/hooks/hooks.query.js

@@ -1,8 +1,10 @@
 import _ from 'lodash'
+import errors from '@feathersjs/errors'
 import { marshallGeometry } from '../marshall.js'
 import makeDebug from 'debug'
 
 const debug = makeDebug('kdk:map:query:hooks')
+const { Forbidden } = errors
 
 export function marshallGeometryQuery (hook) {
   const query = hook.params.query
@@ -238,6 +240,62 @@ export function asGeoJson (options = {}) {
   }
 }
 
+
+
+// Verifies that only authorized accumulation operators are used
+function validateGroupExpression(expression) {
+  // Safe accumulation operators for $group
+  const SAFE_GROUP_ACCUMULATORS = new Set([
+    '$sum', '$avg', '$first', '$last', '$max', '$min'
+  ])
+  // Safe expression operators usable in $group
+  const SAFE_GROUP_EXPRESSIONS = new Set([
+    // Arithmetic operators
+    '$add', '$subtract', '$multiply', '$divide', '$mod',
+    '$abs', '$ceil', '$floor', '$round', '$trunc',
+    '$sqrt', '$pow', '$exp', '$ln', '$log', '$log10',
+    // Comparison operators
+    '$eq', '$ne', '$gt', '$gte', '$lt', '$lte', '$cmp',
+    // Logical operators
+    '$and', '$or', '$not',
+    // Date operators
+    '$dateToString', '$year', '$month', '$dayOfMonth', '$hour',
+    '$minute', '$second', '$dayOfWeek', '$dayOfYear', '$week',
+    // Conditional operators
+    '$cond', '$ifNull', '$switch',
+    // Type operators
+    '$toString', '$toInt', '$toDouble'
+  ])
+  // Dangerous operators to reject in $group (arbitrary code execution)
+  const DANGEROUS_GROUP_OPERATORS = new Set([
+    '$accumulator',  // Custom JavaScript execution
+    '$function',     // JavaScript function execution
+    '$where'         // JavaScript code execution
+  ])
+
+  if (_.isNil(expression)) {
+    return
+  } else if (Array.isArray(expression)) {
+    expression.forEach(validateGroupExpression)
+    return
+  } else if (typeof expression === 'object') {
+    for (const [key, value] of Object.entries(expression)) {
+      // Check if it's an operator
+      if (key.startsWith('$')) {
+        if (DANGEROUS_GROUP_OPERATORS.has(key)) throw new Forbidden(`You are not allowed to use ${key} operator`)
+
+        // Check if operator is in the allowed list
+        const isAccumulator = SAFE_GROUP_ACCUMULATORS.has(key)
+        const isExpression = SAFE_GROUP_EXPRESSIONS.has(key)
+        if (!isAccumulator && !isExpression) throw new Forbidden(`You are not allowed to use ${key} operator`)
+      }
+
+      // Recursively validate the value
+      validateGroupExpression(value)
+    }
+  }
+}
+
 export async function aggregateFeaturesQuery (hook) {
   const query = hook.params.query
   const service = hook.service
@@ -294,6 +352,8 @@ export async function aggregateFeaturesQuery (hook) {
     }
     // Merge with any additional group expression
     const group = _.get(query, '$group', {})
+    // Check for possible injection
+    validateGroupExpression(group)
     Object.assign(groupBy, group)
     // The query contains the match stage except options relevent to the aggregation pipeline
     const match = _.omit(query, ['$group', '$groupBy', '$aggregate', '$geoNear', '$sort', '$limit', '$skip'])

package/map/client/components/stickies/KZoomControl.vue

@@ -4,8 +4,8 @@
       id="zoom-out"
       icon="remove"
       tooltip="mixins.activity.ZOOM_OUT"
-      color="white"
-      text-color="grey-9"
+      :color="color"
+      :text-color="textColor"
       :flat="square"
       round
       @click="onZoomOutFn"
@@ -17,8 +17,8 @@
       id="zoom-in"
       icon="add"
       tooltip="mixins.activity.ZOOM_IN"
-      color="white"
-      text-color="grey-9"
+      :color="color"
+      :text-color="textColor"
       :flat="square"
       round
       @click="onZoomInFn"
@@ -33,16 +33,24 @@ import { composables as kCoreComposables } from '@kalisio/kdk/core.client'
 // Props
 defineProps({
   vertical: {
-    default: true,
-    type: Boolean
+    type: Boolean,
+    default: true
   },
   square: {
-    default: false,
-    type: Boolean
+    type: Boolean,
+    default: false
   },
   size: {
+    type: String,
     default: '10px',
-    type: String
+  },
+  color: {
+    type: String,
+    default: 'white'
+  },
+  textColor: {
+    type: String,
+    default: 'grey-9'
   }
 })
 

package/map/client/i18n/map_en.json

@@ -114,6 +114,12 @@
       "PRINT_VIEW": "Print view",
       "REMOVE_LABEL": "Remove"
     },
+    "gesture": {
+      "TOUCH": "Use two fingers to move the map",
+      "SCROLL": "Use Ctrl + scroll to zoom the map",
+      "SCROLL_MAC": "Use ⌘ + scroll to zoom the map",
+      "CTRL": "Use Ctrl + scroll to zoom the map"
+    },
     "timeseries": {
       "FORECAST_PROBE": "Forecast"
     },
@@ -312,7 +318,8 @@
       "TOGGLE_VR_LABEL": "Switch to Virtual Reality (VR) mode with this button.",
       "TOGGLE_FULLSCREEN_LABEL": "Switch to fullscreen mode with this button.",
       "TOGGLE_CATALOG_LABEL": "Open the catalog with this button.",
-      "NORTH_ARROW_LABEL": "Display or hide the north arrow using this button."
+      "NORTH_ARROW_LABEL": "Display or hide the north arrow using this button.",
+      "ZOOM_CONTROL_LABEL": "Display or hide the zoom control buttons using this button."
     },
     "catalog-panel": {
       "CATALOG_LABEL": "The <b>catalog</b> allows to manage data displayed on your map.<br/>The catalogd is divided into 3 different tabs.",

package/map/client/i18n/map_fr.json

@@ -114,6 +114,12 @@
       "PRINT_VIEW": "Imprimer la vue",
       "REMOVE_LABEL": "Supprimer"
     },
+    "gesture": {
+      "TOUCH": "Utilisez deux doigts pour déplacer la carte",
+      "SCROLL": "Utilisez Ctrl + molette pour zoomer",
+      "SCROLL_MAC": "Utilisez ⌘ + molette pour zoomer",
+      "CTRL": "Utilisez Ctrl + molette pour zoomer"
+    },
     "timeseries": {
       "FORECAST_PROBE": "Prévisions"
     },
@@ -312,7 +318,8 @@
       "TOGGLE_VR_LABEL": "Basculez en mode <b>Réalité Virtuelle</b> (VR) avec ce bouton.",
       "TOGGLE_FULLSCREEN_LABEL": "Basculez en mode plein écran avec ce bouton.",
       "TOGGLE_CATALOG_LABEL": "Ouvrez le <b>catalogue</b> avec ce bouton.",
-      "NORTH_ARROW_LABEL": "Affichez ou cachez la flèche nord avec ce bouton."
+      "NORTH_ARROW_LABEL": "Affichez ou cachez la flèche nord avec ce bouton.",
+      "ZOOM_CONTROL_LABEL": "Affichez ou cachez les boutons de zoom avec ce bouton."
     },
     "catalog-panel": {
       "CATALOG_LABEL": "Le <b>catalogue</b> permet de gérer les données affichées sur votre carte.<br/>Le catalogue se décompose en 3 onglets.",

package/map/client/mixins/map/mixin.base-map.js

@@ -3,6 +3,8 @@ import sift from 'sift'
 import logger from 'loglevel'
 import moment from 'moment'
 import { EventBus } from 'quasar'
+import { Platform } from '../../../../core/client/platform.js'
+import { i18n } from '../../../../core/client/i18n.js'
 import { point, rhumbDistance, rhumbBearing, rhumbDestination } from '@turf/turf'
 import L from 'leaflet'
 import 'leaflet/dist/leaflet.css'
@@ -24,6 +26,8 @@ import 'leaflet-timedimension/dist/leaflet.timedimension.control.css'
 import '@geoman-io/leaflet-geoman-free'
 import '@geoman-io/leaflet-geoman-free/dist/leaflet-geoman.css'
 import 'leaflet-rotate/dist/leaflet-rotate-src.js'
+import 'leaflet-gesture-handling'
+import 'leaflet-gesture-handling/dist/leaflet-gesture-handling.css'
 
 import { Time } from '../../../../core/client/time.js'
 import { Events } from '../../../../core/client/events.js'
@@ -108,8 +112,22 @@ export const baseMap = {
         geolocate: true,
         rotateControl: false // Rotate plugin show this even if rotation is disabled
       })
+      const gestureHandlingOptions = {
+        text: {
+          touch: i18n.t('mixins.gesture.TOUCH'),
+          scroll: i18n.t('mixins.gesture.SCROLL'),
+          scrollMac: i18n.t('mixins.gesture.SCROLL_MAC'),
+          ctrl: i18n.t('mixins.gesture.CTRL')
+        },
+        duration: 1000
+      }
       // Initialize the map
-      this.map = L.map(domEl, Object.assign({ zoomControl: false }, viewerOptions))
+      this.map = L.map(domEl, Object.assign({ 
+        zoomControl: false,
+        touchZoom: true,
+        gestureHandling: Platform.has.touch && Platform.is.desktop && !Platform.is.firefox,
+        gestureHandlingOptions
+      }, viewerOptions))
       const backgroundColor = _.get(viewerOptions, 'backgroundColor')
       if (backgroundColor) this.map._container.style.backgroundColor = backgroundColor
       // Make sure geoman is initialized on the map

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@kalisio/kdk",
   "description": "Kalisio Development Kit",
-  "version": "2.6.2",
+  "version": "2.6.4",
   "homepage": "https://github.com/kalisio/kdk",
   "type": "module",
   "keywords": [
@@ -94,7 +94,7 @@
     "@feathersjs/feathers": "^5.0.8",
     "@feathersjs/schema": "^5.0.8",
     "@feathersjs/socketio": "^5.0.8",
-    "@kalisio/feathers-import-export": "^1.3.2",
+    "@kalisio/feathers-import-export": "^1.4.0",
     "@kalisio/feathers-s3": "^1.5.0",
     "@kalisio/feathers-webpush": "^1.0.2",
     "@turf/bbox": "^6.0.1",

package/scripts/kash/CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+  - added `get_toml_value` to extract values from TOML fields
   - support for mongo 8 (`install_mongo8`)
   - added `get_flavor_from_git_ref` `get_version_from_git_ref` `get_custom_from_git_ref` helpers to parse git ref names (tag or branch names).
   - added `install_sona_scanner_cli` to install SonarQube scanner cli tool
@@ -18,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - support for mongo 4,5,6
   - helper to install k9s
   - support for node 16,18
+  - support for Code Climate
   
 ### Changed
 
@@ -32,6 +34,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - node22 bumped to `22.16`
   - mongodb7 bumped to `7.0.21`
   - mongodb8 bumped to `8.0.10`
+  - allow `_` character in custom fields (see `get_custom_from_git_ref`)
+  - run_app_tests now run lint on whole project repo (using `yarn lint`)
 
 ### Fixed
 

package/scripts/kash/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017-20xx Kalisio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/scripts/kash/README.md

@@ -2,3 +2,12 @@
 Kalisio's bash snippets repository
 
 ## HOWTO use
+
+
+## License
+
+Licensed under the [MIT license](LICENSE).
+
+Copyright (c) 2017-present [Kalisio](https://kalisio.com)
+
+[![Kalisio](https://kalisio.github.io/kalisioscope/kalisio/kalisio-logo-black-256x84.png)](https://kalisio.com)

package/scripts/kash/kash.sh

@@ -129,11 +129,11 @@ AGE_VERSION=1.1.1
 SOPS_VERSION=3.8.1
 
 # https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG
-KUBECTL_VERSION=1.28.13
+KUBECTL_VERSION=1.31.11
 # https://github.com/helm/helm/releases
-HELM_VERSION=3.14.4
+HELM_VERSION=3.18.4
 # https://github.com/helmfile/helmfile/releases
-HELMFILE_VERSION=0.167.1
+HELMFILE_VERSION=1.1.3
 
 # https://github.com/nvm-sh/nvm/releases
 NVM_VERSION=0.40.3
@@ -246,34 +246,6 @@ ensure_sops() {
     fi
 }
 
-# Install code climate test reporter in ~/.local/bin
-# Arg1: a writable folder where to write downloaded files
-install_cc_test_reporter() {
-    local DL_ROOT=$1
-    local DL_PATH="$DL_ROOT/cc"
-    if [ ! -d "$DL_PATH" ]; then
-        mkdir -p "$DL_PATH" && cd "$DL_PATH"
-        curl -OLsS https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64
-        curl -OLsS https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64.sha256
-        sha256sum --ignore-missing --quiet -c test-reporter-latest-linux-amd64.sha256
-        cd ~-
-    fi
-    cd "$DL_PATH"
-    cp test-reporter-latest-linux-amd64 ~/.local/bin/cc-test-reporter
-    chmod +x ~/.local/bin/cc-test-reporter
-    cd ~-
-}
-
-# Sends test coverage to code climate
-# Arg1: code climate identifier for authentication
-# Arg2: prefix to use when using format-coverage (can be empty)
-send_coverage_to_cc() {
-    local CC_TEST_REPORTER_ID=$1
-    local CC_PREFIX=${2:-}
-    ~/.local/bin/cc-test-reporter format-coverage -t lcov --add-prefix "$CC_PREFIX" coverage/lcov.info
-    ~/.local/bin/cc-test-reporter upload-coverage -r "$CC_TEST_REPORTER_ID"
-}
-
 # Make sure nvm is installed
 # Arg1: a writable folder where to write downloaded files
 # NOTE: also define 'yarn' as a default package, ie. it'll be automatically
@@ -486,12 +458,28 @@ use_mongo() {
 ### Utils
 ###
 
+# Extract a value from a TOML file
+# Expected args:
+# 1. the toml file
+# 2. the field to extract
+get_toml_value() {
+    local TOML_SRC="$1"
+    local TOML_FIELD="$2"
+
+    ensure_yq
+    yq --input-format=toml --output-format=yaml ".$TOML_FIELD" "$TOML_SRC"
+}
+
+# Extract a value from a JSON file
+# Expected args:
+# 1. the toml file
+# 2. the field to extract
 get_json_value() {
     local JSON_SRC="$1"
     local JSON_FIELD="$2"
 
     ensure_yq
-    yq --output-format=yaml ".$JSON_FIELD" "$JSON_SRC"
+    yq --input-format=yaml --output-format=yaml ".$JSON_FIELD" "$JSON_SRC"
 }
 
 # Extract version major from a version string.
@@ -1003,7 +991,7 @@ get_version_from_git_ref() {
 get_custom_from_git_ref() {
     local GIT_REF=$1
 
-    local CUSTOM_REGEX="(^|-)([a-zA-Z0-9]+)$"
+    local CUSTOM_REGEX="(^|-)([a-zA-Z0-9_]+)$"
     if [[ "$GIT_REF" =~ $CUSTOM_REGEX ]]; then
         if [[ "${BASH_REMATCH[1]}" == "" ]]; then
             # If first capture group is empty => that's probably a 'dev' flavor.
@@ -1284,13 +1272,13 @@ get_app_kli_file() {
 # Expected arguments:
 # 1. the app repository directory
 # 2. the directory in which we'll find kli files relative to the 'development' repository root directory
-# 3. wether to publish code coverage results (boolean)
+# 3. whether to run SonarQube analysis and publish code quality & coverage results (boolean)
 # 4. the node version to use (16, 18, ...)
 # 5. the mongo version to use (5, 6, ...). Mongo will not be started if not provided
 run_app_tests() {
     local REPO_DIR="$1"
     local KLI_BASE="$2"
-    local CODE_COVERAGE="$3"
+    local RUN_SONAR="$3"
     local NODE_VER="$4"
     local MONGO_VER="$5"
     local WORKSPACE_DIR
@@ -1307,6 +1295,13 @@ run_app_tests() {
 
     echo "About to run tests for $APP v$VERSION-$FLAVOR ..."
 
+    ## Lint whole project
+    ##
+
+    cd "$REPO_DIR"
+    yarn lint
+    cd ~-
+
     ## Start mongo
     ##
 
@@ -1322,19 +1317,19 @@ run_app_tests() {
     ## Run tests
     ##
 
-    pushd "$REPO_DIR/api"
+    cd "$REPO_DIR/api"
 
     use_node "$NODE_VER"
     yarn test
 
-    ## Publish code coverage
+    ## Run SonarQube analysis and publish code quality & coverage reports
     ##
 
-    if [ "$CODE_COVERAGE" = true ]; then
-        send_coverage_to_cc "$CC_TEST_REPORTER_ID" "api"
+    if [ "$RUN_SONAR" = true ]; then
+        cd "$ROOT_DIR" && sonar-scanner
     fi
 
-    popd
+    cd ~-
 }
 
 # Setup the workspace for a lib project.
@@ -1397,12 +1392,12 @@ get_lib_branch() {
 # Run tests for a library module
 # Expected arguments
 # 1. Root directory
-# 2. true to publish code coverage to code climate (CC_TEST_REPORTER_ID env var should be defined in this case)
+# 2. whether to run SonarQube analysis and publish code quality & coverage results (boolean)
 # 3. node version to be used
 # 4. mongo version to be used if required by tests
 run_lib_tests () {
     local ROOT_DIR="$1"
-    local CODE_COVERAGE="$2"
+    local RUN_SONAR="$2"
     local NODE_VER="$3"
     local MONGO_VER="$4"
     local WORKSPACE_DIR
@@ -1437,11 +1432,11 @@ run_lib_tests () {
     use_node "$NODE_VER"
     yarn && yarn test
 
-    ## Publish code coverage
+    ## Run SonarQube analysis and publish code quality & coverage reports
     ##
 
-    if [ "$CODE_COVERAGE" = true ]; then
-        send_coverage_to_cc "$CC_TEST_REPORTER_ID"
+    if [ "$RUN_SONAR" = true ]; then
+        cd "$ROOT_DIR" && sonar-scanner
     fi
 }
 

package/scripts/kash/scripts/run_tests.sh

@@ -11,7 +11,7 @@ ROOT_DIR=$(dirname "$THIS_DIR")
 ### Github Actions
 
 init_github() {
-    install_reqs yq age sops nvm node20 node22 cc_test_reporter sonar_scanner_cli
+    install_reqs yq age sops nvm node20 node22 sonar_scanner_cli
 
     # mongo is not available for alpine hosts
     if [ "$OS_ID" != "alpine" ]; then
@@ -49,6 +49,8 @@ mkdir -p "$TMP_DIR/utils"
 cd "$TMP_DIR/utils"
 curl -OLsS "https://raw.githubusercontent.com/kalisio/krawler/master/package.json"
 [ "$(get_json_value "$TMP_DIR/utils/package.json" 'name')" != "@kalisio/krawler" ] && exit 1
+curl -OLsS "https://raw.githubusercontent.com/kalisio/kazarr/refs/heads/master/pyproject.toml"
+[ "$(get_toml_value "$TMP_DIR/utils/pyproject.toml" 'project.name')" != "kazarr" ] && exit 1
 cd ~-
 
 [ "$(get_semver_major "1" )" != "1" ] && exit 1
@@ -129,6 +131,7 @@ git_shallow_clone https://github.com/kalisio/kApp.git "$TMP_DIR/kApp.v1.3.0" pro
 [[ "$(get_custom_from_git_ref "test-v4.3-blabla")" != "blabla" ]] && exit 1
 [[ "$(get_custom_from_git_ref "prod-v4.5.3")" != "" ]] && exit 1
 [[ "$(get_custom_from_git_ref "prod-v4.5.3-custom")" != "custom" ]] && exit 1
+[[ "$(get_custom_from_git_ref "prod-v4.5.3-custom_foo")" != "custom_foo" ]] && exit 1
 
 # Setup a fake workspace with additional dependencies
 mkdir -p "$TMP_DIR/fake"

package/test/api/core/config/default.cjs

@@ -83,6 +83,7 @@ module.exports = {
       bucket: process.env.S3_BUCKET,
       prefix: 'import-export'
     },
+    allowedServicePaths: 'api/users',
     workingDir: 'test/api/core/tmp'
   },
   mailer: {

package/test/api/map/index.test.js

@@ -402,6 +402,27 @@ describe('map:services', () => {
     $aggregate: ['H']
   }
 
+  it('performs unauthorised element aggregation on vigicrues observations service', async () => {
+    try {
+      await vigicruesObsService.find({
+        query: Object.assign({ $sort: { time: -1 }, $limit: 1, $group: { property: { $accumulator: { lang: 'js' } } } }, aggregationQuery)
+      })
+    } catch (error) {
+      expect(error).toExist()
+      expect(error.name).to.equal('Forbidden')
+    }
+    try {
+      await vigicruesObsService.find({
+        query: Object.assign({ $sort: { time: -1 }, $limit: 1, $group: { property: { $sum: { $function: { lang: 'js' } } } } }, aggregationQuery)
+      })
+    } catch (error) {
+      expect(error).toExist()
+      expect(error.name).to.equal('Forbidden')
+    }
+  })
+  // Let enough time to process
+    .timeout(5000)
+
   it('performs element aggregation on vigicrues observations service', async () => {
     const result = await vigicruesObsService.find({
       query: Object.assign({}, aggregationQuery)