@sap/cds 5.5.4 → 5.6.2

package/libx/_runtime/audit/Service.js

@@ -3,6 +3,13 @@ const LOG = cds.log('audit-log')
 
 const v2utils = require('./utils/v2')
 
+const ANONYMOUS = 'anonymous'
+
+const _getTenantAndUser = () => ({
+  user: (cds.context && cds.context.user && cds.context.user.id) || ANONYMOUS,
+  tenant: (cds.context && cds.context.tenant) || ANONYMOUS
+})
+
 module.exports = class AuditLogService extends cds.MessagingService {
   async init() {
     // call MessagingService's init, which handles outboxing
@@ -13,7 +20,8 @@ module.exports = class AuditLogService extends cds.MessagingService {
     this.ready = !!this.alc
   }
 
-  async emit(event, data) {
+  async emit(first, second) {
+    const { event, data } = typeof first === 'object' ? first : { event: first, data: second }
     if (!this.options.outbox) return this.send(event, data)
 
     if (this.ready && this[event]) {
@@ -33,10 +41,7 @@ module.exports = class AuditLogService extends cds.MessagingService {
   async dataAccessLog({ accesses }) {
     if (!this.ready) throw new Error('AuditLogService not connected')
 
-    const {
-      tenant,
-      user: { id: user }
-    } = cds.context
+    const { tenant, user } = _getTenantAndUser()
 
     // build the logs
     const { entries, errors } = v2utils.buildDataAccessLogs(this.alc, accesses, tenant, user)
@@ -59,10 +64,7 @@ module.exports = class AuditLogService extends cds.MessagingService {
   async dataModificationLog({ modifications }) {
     if (!this.ready) throw new Error('AuditLogService not connected')
 
-    const {
-      tenant,
-      user: { id: user }
-    } = cds.context
+    const { tenant, user } = _getTenantAndUser()
 
     // build the logs
     const { entries, errors } = v2utils.buildDataModificationLogs(this.alc, modifications, tenant, user)
@@ -87,8 +89,9 @@ module.exports = class AuditLogService extends cds.MessagingService {
     // cds.context not always set on auth-related errors -> try to extract from data
     let user, tenant
     if (cds.context) {
-      tenant = cds.context.tenant
-      user = cds.context.user && cds.context.user.id
+      const tenantAndUser = _getTenantAndUser()
+      tenant = tenantAndUser.tenant
+      user = tenantAndUser.user
     } else {
       try {
         const parsed = JSON.parse(data)
@@ -101,10 +104,10 @@ module.exports = class AuditLogService extends cds.MessagingService {
           delete parsed.user
         }
         data = JSON.stringify(parsed)
-      } catch (e) {
-        // ignore
-      }
+      } catch (e) {}
     }
+    if (!tenant) tenant = ANONYMOUS
+    if (!user) user = ANONYMOUS
 
     // build the log
     const entry = v2utils.buildSecurityLog(this.alc, action, data, tenant, user)
@@ -117,10 +120,7 @@ module.exports = class AuditLogService extends cds.MessagingService {
   async configChangeLog({ action, success, configurations }) {
     if (!this.ready) throw new Error('AuditLogService not connected')
 
-    const {
-      tenant,
-      user: { id: user }
-    } = cds.context
+    const { tenant, user } = _getTenantAndUser()
 
     // build the logs
     const { entries, errors } = v2utils.buildConfigChangeLogs(this.alc, configurations, tenant, user)

package/libx/_runtime/audit/generic/personal/access.js

@@ -40,7 +40,7 @@ const _processorFnAccess = (accessLogs, model, req) => {
       element.parent['@PersonalData.EntitySemantics'] === 'DataSubjectDetails' &&
       accessLog.dataSubject.id.length === 0 // > id still an array -> promise not yet set
     ) {
-      addDataSubjectForDetailsEntity(row, accessLog, req, entity, model)
+      addDataSubjectForDetailsEntity(row, accessLog, req, entity, model, element)
     }
   }
 }

package/libx/_runtime/audit/generic/personal/modification.js

@@ -41,7 +41,8 @@ const _getOldAndNew = (action, row, key) => {
 const _addAttribute = (log, action, row, key) => {
   if (!log.attributes.find(ele => ele.name === key)) {
     const { oldValue, newValue } = _getOldAndNew(action, row, key)
-    if (oldValue !== newValue) log.attributes.push({ name: key, oldValue, newValue })
+    if (oldValue !== newValue)
+      log.attributes.push({ name: key, oldValue: String(oldValue), newValue: String(newValue) })
   }
 }
 
@@ -75,7 +76,7 @@ const _processorFnModification = (modificationLogs, model, req, beforeWrite) =>
     element.parent['@PersonalData.EntitySemantics'] === 'DataSubjectDetails' &&
     modificationLog.dataSubject.id.length === 0 // > id still an array -> promise not yet set
   ) {
-    addDataSubjectForDetailsEntity(row, modificationLog, req, entity, model)
+    addDataSubjectForDetailsEntity(row, modificationLog, req, entity, model, element)
   }
 }
 

package/libx/_runtime/audit/generic/personal/utils.js

@@ -1,7 +1,6 @@
 const cds = require('../../../cds')
 
 const { getDataSubject } = require('../../../common/utils/csn')
-const { getBackLinks, isSelfManaged } = require('../../../common/utils/backlinks')
 
 const WRITE = { CREATE: 1, UPDATE: 1, DELETE: 1 }
 const ASPECTS = { CREATE: '_auditCreate', READ: '_auditRead', UPDATE: '_auditUpdate', DELETE: '_auditDelete' }
@@ -23,8 +22,11 @@ const getPick = event => {
     const categories = []
     if (!element.isAssociation && element.key) categories.push('ObjectID')
     if (
-      element.parent['@PersonalData.EntitySemantics'] === 'DataSubject' &&
-      element['@PersonalData.FieldSemantics'] === 'DataSubjectID'
+      element['@PersonalData.FieldSemantics'] === 'DataSubjectID' &&
+      // item element of arrayed element has no parent, but
+      // at the moment annotation on item level is not supported
+      element.parent &&
+      element.parent['@PersonalData.EntitySemantics'] === 'DataSubject'
     )
       categories.push('DataSubjectID')
     if (event in WRITE && element['@PersonalData.IsPotentiallyPersonal']) categories.push('IsPotentiallyPersonal')
@@ -55,14 +57,15 @@ const createLogEntry = (logs, entity, row) => {
 }
 
 const addObjectID = (log, row, key) => {
-  if (!log.dataObject.id.find(ele => ele.keyName === key)) log.dataObject.id.push({ keyName: key, value: row[key] })
+  if (!log.dataObject.id.find(ele => ele.keyName === key))
+    log.dataObject.id.push({ keyName: key, value: String(row[key]) })
 }
 
 const addDataSubject = (log, row, key, entity) => {
   if (!log.dataSubject.type) log.dataSubject.type = entity.name
   if (!log.dataSubject.id.find(ele => ele.key === key)) {
     const value = row[key] || (row._old && row._old[key])
-    log.dataSubject.id.push({ keyName: key, value })
+    log.dataSubject.id.push({ keyName: key, value: String(value) })
   }
 }
 
@@ -77,82 +80,39 @@ const _addKeysToWhere = (child, row) => {
   return keysWithValue
 }
 
-const _addForeignKeysToWhere = (parent, child, assoc) => {
-  const foreignKeys = []
-  const backlinks = getBackLinks(assoc)
-  let parentName, childName
-  if (assoc.isComposition && assoc.is2one && !assoc.on) {
-    // look for foreign keys in parent
-    parentName = parent.name
-    childName = child.name
-  } else if (assoc.is2many && isSelfManaged(assoc)) {
-    // look for foreign keys in child
-    parentName = child.name
-    childName = parent.name
-  }
-
-  backlinks.forEach(el => {
-    if (foreignKeys.length > 0) foreignKeys.push('and')
-    foreignKeys.push({ ref: [parentName, el.entityKey] }, '=', {
-      ref: [childName, el.targetKey]
-    })
-  })
-  return foreignKeys
-}
-
-const _buildWhere = (child, dataSubjectInfo, row) => {
-  const where = []
-  where.push(
-    ..._addForeignKeysToWhere(dataSubjectInfo.entity, child, dataSubjectInfo.assoc),
-    'and',
-    ..._addKeysToWhere(child, row)
-  )
-  return where
-}
-
-const _buildSubSelect = (child, dataSubjectInfo, row) => {
-  let previousCqn
+const _buildSubSelect = (model, child, { element, up }, row, previousCqn) => {
+  const entity = element.parent
   const childCqn = SELECT.from(child.name)
     .columns(Object.keys(child.keys))
-    .where(_buildWhere(child, dataSubjectInfo.previous[0] ? dataSubjectInfo.previous[0] : dataSubjectInfo, row))
-  if (dataSubjectInfo.previous.length > 0) {
-    let currentCQN
-
-    dataSubjectInfo.previous.forEach((el, i) => {
-      const nextEl = dataSubjectInfo.previous[i + 1]
-      const args = nextEl
-        ? [nextEl.entity, el.entity, nextEl.assoc]
-        : [dataSubjectInfo.entity, el.entity, dataSubjectInfo.assoc]
-
-      currentCQN = SELECT.from(el.entity.name)
-        .columns(Object.keys(el.entity.keys))
-        .where([..._addForeignKeysToWhere(...args), 'and', 'exists', previousCqn || childCqn])
-
-      previousCqn = currentCQN
-    })
+    .where(entity._relations[element.name].join(child.name, entity.name))
+  if (previousCqn) {
+    childCqn.where('exists', previousCqn)
+  } else {
+    childCqn.where(_addKeysToWhere(child, row))
   }
-  return previousCqn || childCqn
+  if (up) return _buildSubSelect(model, entity, up, {}, childCqn)
+  return childCqn
 }
 
-const _getDataSubjectIdPromise = (child, dataSubjectInfo, row, req) => {
+const _getDataSubjectIdPromise = (child, dataSubjectInfo, row, req, model) => {
   const root = dataSubjectInfo.entity
   const cqn = SELECT.from(root.name)
     .columns(Object.keys(root.keys))
-    .where(['exists', _buildSubSelect(child, dataSubjectInfo, row)])
+    .where(['exists', _buildSubSelect(model, child, dataSubjectInfo.up, row)])
   return cds
     .tx(req)
     .run(cqn)
     .then(res => {
       const id = []
-      for (const k in res[0]) id.push({ keyName: k, value: res[0][k] })
+      for (const k in res[0]) id.push({ keyName: k, value: String(res[0][k]) })
       return id
     })
 }
 
-const addDataSubjectForDetailsEntity = (row, log, req, entity, model) => {
+const addDataSubjectForDetailsEntity = (row, log, req, entity, model, element) => {
   const role = entity['@PersonalData.DataSubjectRole']
 
-  const dataSubjectInfo = getDataSubject(entity, model, role)
+  const dataSubjectInfo = getDataSubject(entity, model, role, element)
 
   log.dataSubject.type = dataSubjectInfo.entity.name
 
@@ -165,7 +125,7 @@ const addDataSubjectForDetailsEntity = (row, log, req, entity, model) => {
   if (!req.context._audit.dataSubjects.has(mapKey)) req.context._audit.dataSubjects.set(mapKey, new Map())
   const map = req.context._audit.dataSubjects.get(mapKey)
   if (map.has(role)) log.dataSubject.id = map.get(role)
-  else map.set(role, _getDataSubjectIdPromise(entity, dataSubjectInfo, row, req))
+  else map.set(role, _getDataSubjectIdPromise(entity, dataSubjectInfo, row, req, model))
 }
 
 const resolveDataSubjectPromises = async logs => {

package/libx/_runtime/cds-services/adapter/odata-v4/Dispatcher.js

@@ -3,6 +3,8 @@ const LOG = cds.log('odata')
 
 const OData = require('./OData')
 
+const { alias2ref } = require('../../../common/utils/csn')
+
 function _createNewService(name, csn, defaultOptions) {
   const reflectedModel = cds.linked(cds.compile.for.odata(csn))
   const options = Object.assign({}, defaultOptions, { reflectedModel })
@@ -13,6 +15,8 @@ function _createNewService(name, csn, defaultOptions) {
   service._isExtended = true
 
   const edm = cds.compile.to.edm(csn, { service: name })
+  alias2ref(service, edm)
+
   const odataService = new OData(edm, csn, options)
   odataService.addCDSServiceToChannel(service)
 

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -159,6 +159,7 @@ class OData {
 
     this._odataService.on(ATOMICITY_GROUP_START, (odataContext, done) => {
       const data = odataContext.applicationData
+
       // start tx
       const txs = (data.txs = data.txs || {})
       const {
@@ -179,28 +180,14 @@ class OData {
     this._odataService.on(ATOMICITY_GROUP_END, async (odataErr, odataContext, done) => {
       const tx = odataContext.applicationData.txs[odataContext.id]
       let errors = odataErr || odataContext.failedRequests.length > 0
-      if (!errors) {
-        try {
-          await tx.commit(odataContext.applicationData.results[odataContext.id])
-          done()
-        } catch (e) {
-          // tx gets rolled back automatically
-          // set error on each request of changeset, if commit failed
-          const changesetResults = odataContext.applicationData.results[odataContext.id]
-          const failedRequests = changesetResults.reduce((obj, resultEntry) => {
-            const requestId = resultEntry.req._.odataReq.getOdataRequestId()
-            const { error, statusCode } = normalizeError(e, resultEntry.req)
-            obj[requestId] = Object.assign(error, { statusCode })
-            return obj
-          }, {})
-          done(e, { failedRequests })
-        }
-      } else {
+
+      if (errors) {
         // rollback without errors to not trigger srv.on('error') with array
         await tx.rollback()
         // invoke srv.on('error') for each error and build failedRequests that reflects error modifications
         errors = odataContext.applicationData.errors[odataContext.id]
         const failedRequests = {}
+
         for (const e of errors) {
           const { error: err, req } = e
           for (const each of cdsService._handlers._error) each.handler.call(cdsService, err, req)
@@ -208,7 +195,26 @@ class OData {
           const { error, statusCode } = normalizeError(err, req)
           failedRequests[requestId] = Object.assign(error, { statusCode })
         }
+
         done(new Error(`Atomicity group "${odataContext.id}" failed`), { failedRequests })
+        return
+      }
+
+      try {
+        await tx.commit(odataContext.applicationData.results[odataContext.id])
+        done()
+      } catch (e) {
+        // tx gets rolled back automatically
+        // set error on each request of changeset, if commit failed
+        const changesetResults = odataContext.applicationData.results[odataContext.id]
+        const failedRequests = changesetResults.reduce((obj, resultEntry) => {
+          const requestId = resultEntry.req._.odataReq.getOdataRequestId()
+          const { error, statusCode } = normalizeError(e, resultEntry.req)
+          obj[requestId] = Object.assign(error, { statusCode })
+          return obj
+        }, {})
+
+        done(e, { failedRequests })
       }
     })
 
@@ -233,37 +239,33 @@ class OData {
   /**
    * Process request.
    *
-   * @param req
-   * @param res
+   * @param {http.IncomingMessage} req
+   * @param {http.ServerResponse} res
    * @private
    */
   // REVISIT: Remove this when we replaced Okra
   process(req, res) {
+    const headers = req.headers
+    const acceptHeader = headers && headers.accept
+
     // default to combination [...];IEEE754Compatible=true;ExponentialDecimals=true if one is omitted
-    if (req.headers && req.headers.accept && req.headers.accept.startsWith('application/json')) {
-      if (
-        req.headers.accept.includes('IEEE754Compatible=true') &&
-        !req.headers.accept.includes('ExponentialDecimals')
-      ) {
+    if (acceptHeader && acceptHeader.startsWith('application/json')) {
+      if (acceptHeader.includes('IEEE754Compatible=true') && !acceptHeader.includes('ExponentialDecimals')) {
         req.headers.accept += ';ExponentialDecimals=true'
-      } else if (
-        req.headers.accept.includes('ExponentialDecimals=true') &&
-        !req.headers.accept.includes('IEEE754Compatible')
-      ) {
+      } else if (acceptHeader.includes('ExponentialDecimals=true') && !acceptHeader.includes('IEEE754Compatible')) {
         req.headers.accept += ';IEEE754Compatible=true'
       }
 
+      const contentType = headers['content-type']
+
       // add IEEE754Compatible=true if !strict_numbers
       if (
         !cds.env.features.strict_numbers &&
-        req.headers['content-type'] &&
-        req.headers['content-type'].includes('application/json') &&
-        !req.headers['content-type'].includes('IEEE754Compatible')
+        contentType &&
+        contentType.includes('application/json') &&
+        !contentType.includes('IEEE754Compatible')
       ) {
-        req.headers['content-type'] = req.headers['content-type'].replace(
-          'application/json',
-          'application/json;IEEE754Compatible=true'
-        )
+        req.headers['content-type'] = contentType.replace('application/json', 'application/json;IEEE754Compatible=true')
       }
     }
 

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/create.js

@@ -9,7 +9,7 @@ const { getSapMessages } = require('../../../../common/error/frontend')
 const { validateResourcePath } = require('../utils/request')
 const { isReturnMinimal } = require('../utils/handlerUtils')
 const readAfterWrite = require('../utils/readAfterWrite')
-const { toODataResult, postProcess } = require('../utils/result')
+const { toODataResult, postProcess, postProcessMinimal } = require('../utils/result')
 const { mergeJson } = require('../../../services/utils/compareJson')
 
 /**
@@ -44,6 +44,8 @@ const create = service => {
         }
 
         postProcess(req, odataRes, service, result)
+      } else {
+        postProcessMinimal(req, result)
       }
 
       if (changeset) {

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/error.js

@@ -93,6 +93,11 @@ const getErrorHandler = (crashOnError = true, srv) => {
       req = odataReq.getIncomingRequest()
     }
 
+    if (err.getRootCause && typeof err.getRootCause === 'function') {
+      // > an OKRA error
+      err = _betterOkraError(err)
+    }
+
     // invoke srv.on('error', function (err, req) { ... }) here in special situations
     // REVISIT: if for compat reasons, remove once cds^5.1
     if (srv._handlers._error) {
@@ -107,11 +112,6 @@ const getErrorHandler = (crashOnError = true, srv) => {
       }
     }
 
-    if (err.getRootCause && typeof err.getRootCause === 'function') {
-      // > an OKRA error
-      err = _betterOkraError(err)
-    }
-
     // add content id if not generated by okra ("~...")
     const contentId = odataReq.getOdataRequestId()
     if (contentId && !contentId.match(/^~/)) err['@Core.ContentID'] = contentId

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/read.js

@@ -1,6 +1,7 @@
 const cds = require('../../../../cds')
 const { SELECT } = cds.ql
 const ODataRequest = require('../ODataRequest')
+const { rewriteExpandAsterisk } = require('../../../../common/utils/rewriteAsterisks')
 
 const {
   QueryOptions,
@@ -78,7 +79,7 @@ const _getCount = async (tx, readReq) => {
 
   // Copy CQN including from and where and changing columns
   const select = SELECT.from(readReq.query.SELECT.from)
-  select.SELECT.columns = [{ func: 'count', args: [{ val: '1' }], as: '_counted_' }]
+  select.SELECT.columns = [{ func: 'count', args: [{ val: '1' }], as: '$count' }]
 
   if (readReq.query.SELECT.where) select.SELECT.where = readReq.query.SELECT.where
   if (readReq.query.SELECT.search) select.SELECT.search = readReq.query.SELECT.search
@@ -92,13 +93,13 @@ const _getCount = async (tx, readReq) => {
 
   // Define new CQN
   req.query = select
+  // todo check limit
+  const result = await tx.dispatch(req)
 
-  let result = await tx.dispatch(req)
+  const count = (result[0] && (result[0].$count || result[0]._counted_)) || 0
 
   // Transform into scalar result
-  result = result[0] && result[0]._counted_ ? result[0]._counted_ : 0
-
-  return toODataResult(result)
+  return toODataResult(count)
 }
 
 /**
@@ -318,6 +319,7 @@ const _readStream = async (tx, req, segments) => {
   if (
     headers &&
     headers.accept &&
+    contentType &&
     !headers.accept.includes('*/*') &&
     !headers.accept.includes(contentType) &&
     !headers.accept.includes(contentType.split('/')[0] + '/*')
@@ -327,7 +329,7 @@ const _readStream = async (tx, req, segments) => {
 
   if (contentType) streamObj['*@odata.mediaContentType'] = contentType
   if (contentDisposition) {
-    req._.odataRes.setHeader('Content-Disposition', `attachment; filename="${contentDisposition}"`)
+    req._.odataRes.setHeader('Content-Disposition', `attachment; filename="${encodeURIComponent(contentDisposition)}"`)
   }
   return streamObj
 }
@@ -381,6 +383,7 @@ const _readAndTransform = (tx, req, odataReq) => {
         break
       }
     }
+
     return _readStream(tx, req, segments)
   }
 
@@ -431,11 +434,13 @@ const _getTarget = (ref, target, definitions) => {
 }
 
 const _getRestrictedExpand = (columns, target, definitions) => {
-  if (!columns || !target) return
+  if (!columns || !target || columns === '*') return
 
   const annotation = target['@Capabilities.ExpandRestrictions.NonExpandableProperties']
   const restrictions = annotation && annotation.map(element => element['='])
 
+  rewriteExpandAsterisk(columns, target)
+
   for (const col of columns) {
     if (col.expand) {
       if (restrictions && restrictions.length !== 0) {
@@ -473,6 +478,7 @@ const read = service => {
       return next(e)
     }
 
+    // REVISIT: this should be in common/generic/auth.js with the rest of the access control stuff
     const restricted = _getRestrictedExpand(
       req.query.SELECT && req.query.SELECT.columns,
       req.target,