@sap/cds 5.6.1 → 5.7.1

package/libx/_runtime/common/generic/auth.js

@@ -8,7 +8,8 @@ const { SELECT } = cds.ql
 const { getRequiresAsArray } = require('../utils/auth')
 const { cqn2cqn4sql } = require('../utils/cqn2cqn4sql')
 const { isActiveEntityRequested, removeIsActiveEntityRecursively } = require('../../fiori/utils/where')
-const { ensureDraftsSuffix } = require('../../fiori/utils/handler')
+const { ensureDraftsSuffix, ensureNoDraftsSuffix } = require('../../fiori/utils/handler')
+const { rewriteExpandAsterisk } = require('../../common/utils/rewriteAsterisks')
 
 const WRITE = ['CREATE', 'UPDATE', 'DELETE']
 const MOD = { UPDATE: 1, DELETE: 1, EDIT: 1 }
@@ -41,6 +42,48 @@ const _reject = req => {
   }
 }
 
+const _getTarget = (ref, target, definitions) => {
+  if (cds.env.effective.odata.proxies) {
+    const target_ = target.elements[ref[0]]
+
+    if (ref.length === 1) {
+      return definitions[ensureNoDraftsSuffix(target_.target)]
+    }
+
+    return _getTarget(ref.slice(1), target_, definitions)
+  }
+
+  const target_ = target.elements[ref.join('_')]
+  return definitions[ensureNoDraftsSuffix(target_.target)]
+}
+
+const _getRestrictedExpand = (columns, target, definitions) => {
+  if (!columns || !target || columns === '*') return
+
+  const annotation = target['@Capabilities.ExpandRestrictions.NonExpandableProperties']
+  const restrictions = annotation && annotation.map(element => element['='])
+
+  rewriteExpandAsterisk(columns, target)
+
+  for (const col of columns) {
+    if (col.expand) {
+      if (restrictions && restrictions.length !== 0) {
+        const ref = col.ref.join('_')
+        const ref_ = restrictions.find(element => element.replace(/\./g, '_') === ref)
+        if (ref_) return ref_
+      }
+
+      // expand: '**' or '*3' is only possible within custom handler, no check needed
+      if (typeof col.expand === 'string' && /^\*{1}[\d|*]+/.test(col.expand)) {
+        continue
+      } else {
+        const restricted = _getRestrictedExpand(col.expand, _getTarget(col.ref, target, definitions), definitions)
+        if (restricted) return restricted
+      }
+    }
+  }
+}
+
 const _getCurrentSubClause = (next, restrict) => {
   const escaped = next[0].replace(/\$/g, '\\$').replace(/\./g, '\\.')
   const re1 = new RegExp(`([\\w\\.']*)\\s*=\\s*(${escaped})|(${escaped})\\s*=\\s*([\\w\\.']*)`)
@@ -367,7 +410,7 @@ const _getRestrictionForTarget = (resolvedApplicables, target) => {
 
 const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
   if (req.target._isDraftEnabled) {
-    req.query._draftRestrictions = resolvedApplicables.map(ra => ra._xpr)
+    req.query._draftRestrictions = resolvedApplicables
     return
   }
 
@@ -541,36 +584,9 @@ const _addNormalizedRestrictPerGrant = (grant, where, restrict, restricts, defin
 }
 
 const _addNormalizedRestrict = (restrict, restricts, definition, definitions) => {
-  let where = restrict.where
+  const where = restrict.where
     ? restrict.where.replace(/\$user/g, '$user.id').replace(/\$user\.id\./g, '$user.')
     : undefined
-
-  // NOTE: "exists toMany.toOne[prop = $user]" -> "exists toMany[exists toOne[prop = $user]]"
-  try {
-    if (where) {
-      // operate on a copy
-      let _where = where
-      // find all path expressions in order to normalize shorthand (i.e., inject "[exists ...]")
-      const paths = (where.match(/ (\w\.*)*/g) || []).filter(m => m.match(/\./) && m !== ' ')
-      for (let i = 0; i < paths.length; i++) {
-        const parts = paths[i].trim().split('.')
-        let current = definition
-        while (parts.length) {
-          current = current.elements[parts.shift()]
-          if (current.isAssociation && _where.includes(current.name + '.')) {
-            const matches = _where.match(new RegExp(`(${current.name}).(.*)]`))
-            _where = _where.replace(`${matches[1]}.`, `${current.name}[exists `)
-            _where = _where.replace(matches[2], `${matches[2]}]`)
-          }
-          if (current.target) current = definitions[current.target]
-        }
-      }
-      where = _where
-    }
-  } catch (e) {
-    // ignore
-  }
-
   restrict.grant = Array.isArray(restrict.grant) ? restrict.grant : [restrict.grant || '*']
   restrict.grant.forEach(grant => _addNormalizedRestrictPerGrant(grant, where, restrict, restricts, definition))
 }
@@ -888,9 +904,24 @@ const _secureDependentEntities = srv => {
   }
 }
 
+const _restrictExpand = service => {
+  service.on('READ', '*', (req, next) => {
+    const restricted = _getRestrictedExpand(
+      req.query.SELECT && req.query.SELECT.columns,
+      req.target,
+      service.model.definitions
+    )
+    if (restricted) {
+      return req.reject(400, 'EXPAND_IS_RESTRICTED', [restricted])
+    }
+    return next()
+  })
+}
+
 module.exports = cds.service.impl(function () {
   // @restrict, @requires, @readonly, @insertonly, and @Capabilities for entities
   _secureDependentEntities(this)
+  _restrictExpand(this)
   for (const k in this.entities) {
     const entity = this.entities[k]
     if (!_authDependsOnParents(entity)) _registerAuthHandlers(entity, this)

package/libx/_runtime/common/generic/crud.js

@@ -9,7 +9,6 @@ const onlyKeysRemain = require('../utils/onlyKeysRemain')
 
 const _targetEntityDoesNotExist = async req => {
   const { query } = req
-
   const cqn = SELECT.from(query.UPDATE.entity, [1])
 
   if (query.UPDATE.entity.as) {
@@ -22,7 +21,6 @@ const _targetEntityDoesNotExist = async req => {
   }
 
   const exists = await cds.tx(req).run(cqn)
-
   return exists.length === 0
 }
 
@@ -54,6 +52,7 @@ const _pick = element => {
 
 const _updateReqData = (req, that) => {
   const template = getTemplate('app-output', that, req.target, { pick: _pick })
+
   if (template.elements.size > 0) {
     const arrayData = Array.isArray(req.data) ? req.data : [req.data]
     for (const row of arrayData) {
@@ -73,26 +72,19 @@ module.exports = cds.service.impl(function () {
       req.reject(501, 'PERSISTENCE_SKIP_NO_GENERIC_CRUD', [req.target.name])
     }
 
-    if (!cds.db) {
-      // REVISIT: error message
-      req.reject(501, 'NO_DATABASE_CONNECTION')
-    }
+    // REVISIT: error message
+    if (!cds.db) req.reject(501, 'NO_DATABASE_CONNECTION')
 
     let result
 
     // no changes, no op (otherwise, @cds.on.update gets new values), but we need to check existence
     if (req.event === 'UPDATE' && onlyKeysRemain(req)) {
-      if (await _targetEntityDoesNotExist(req)) {
-        req.reject(404)
-      }
-
+      if (await _targetEntityDoesNotExist(req)) req.reject(404)
       result = req.data
     }
 
     if (req.event === 'DELETE' && req.target._isSingleton) {
-      if (!req.target['@odata.singleton.nullable']) {
-        req.reject(400, 'SINGLETON_NOT_NULLABLE')
-      }
+      if (!req.target['@odata.singleton.nullable']) req.reject(400, 'SINGLETON_NOT_NULLABLE')
 
       const singleton = await cds.tx(req).run(SELECT.one(req.target))
       if (!singleton) req.reject(404)
@@ -103,21 +95,17 @@ module.exports = cds.service.impl(function () {
       result = await cds.tx(req).run(req.query, req.data)
     }
 
-    if (req.event === 'READ') {
-      return result
-    }
+    if (req.event === 'READ') return result
 
     if (req.event === 'DELETE') {
-      if (result === 0) {
-        req.reject(404)
-      }
-
+      if (result === 0) req.reject(404)
       return result
     }
 
-    // case: no authorization check and payload more than just keys but no changes -> affected rows === 0 -> no change or not exists?
-    if (!req._authChecked && req.event === 'UPDATE' && result === 0 && (await _targetEntityDoesNotExist(req))) {
-      req.reject(404)
+    // case: no authorization check and payload more than just keys but no changes
+    // -> affected rows === 0 -> no change or not exists?
+    if (req.event === 'UPDATE' && result === 0 && !req._authChecked) {
+      if (await _targetEntityDoesNotExist(req)) req.reject(404)
     }
 
     // flag to trigger read after write in protocol adapter

package/libx/_runtime/common/generic/input.js

@@ -59,6 +59,14 @@ const _isDraftCoreComputed = (req, element, event) =>
   element['@Core.Computed'] &&
   !((event === 'CREATE' && element['@cds.on.insert']) || element['@cds.on.update'])
 
+const _getMediaTypeProperty = element => element['@Core.MediaType'] && element['@Core.MediaType']['=']
+
+const _getMediaTypeValue = req =>
+  req._.req &&
+  req._.req.headers['content-type'] &&
+  !req._.req.headers['content-type'].match(/json|multipart/i) &&
+  req._.req.headers['content-type']
+
 const _processCategory = ({ row, key, category, isRoot, event, value, req, element }) => {
   category = getSimpleCategory(category)
 
@@ -91,6 +99,11 @@ const _processCategory = ({ row, key, category, isRoot, event, value, req, eleme
     // REVISIT: remove delay_assert_deep_assoc with cds^6
     if (!cds.env.features.delay_assert_deep_assoc) checkIfAssocDeep(element, value.val, req)
   }
+
+  // set media type from content-type header if streaming
+  const mtProperty = _getMediaTypeProperty(element)
+  const mtValue = _getMediaTypeValue(req)
+  if (category === 'stream' && row[key] && mtProperty && mtValue) row[mtProperty] = mtValue
 }
 
 const processorFn = (errors, req) => {
@@ -144,6 +157,8 @@ const _pick = element => {
     categories.push('uuid')
   }
 
+  if (element['@Core.MediaType']) categories.push('stream')
+
   if (categories.length) return { categories }
 }
 
@@ -289,6 +304,7 @@ function _actionFunctionHandler(req) {
   for (const row of arrayData) {
     _processActionFunction(row, eventParams, errors, req.event, this)
   }
+
   _callError(req, errors)
 }
 
@@ -302,18 +318,22 @@ module.exports = cds.service.impl(function () {
   for (const operation of this.operations) {
     operationNames.push(operation.name.substring(this.name.length + 1))
   }
+
   if (operationNames.length > 0) {
     this.before(operationNames, _actionFunctionHandler)
   }
 
   for (const entity of this.entities) {
     const boundOps = []
+
     if (entity.actions) {
       boundOps.push(...Object.keys(entity.actions))
     }
+
     if (entity.functions) {
       boundOps.push(...Object.keys(entity.functions))
     }
+
     if (boundOps.length > 0) {
       this.before(boundOps, entity.name, _actionFunctionHandler)
     }

package/libx/_runtime/common/generic/paging.js

@@ -1,5 +1,5 @@
 const cds = require('../../cds')
-const { getDefaultPageSize } = require('../utils/page')
+const { getDefaultPageSize, getMaxPageSize } = require('../utils/page')
 
 const _handler = function (req) {
   // only if http request
@@ -11,7 +11,7 @@ const _handler = function (req) {
   let { rows, offset } = req.query.SELECT.limit || {}
   rows = rows && 'val' in rows ? rows.val : getDefaultPageSize(req.target)
   offset = offset && 'val' in offset ? offset.val : 0
-  req.query.limit(...[rows, offset])
+  req.query.limit(...[Math.min(rows, getMaxPageSize(req.target)), offset])
 }
 
 /**

package/libx/_runtime/common/generic/put.js

@@ -40,24 +40,18 @@ const processorFn = req => {
       }
     }
 
-    /* istanbul ignore else */
     if (category === 'default') {
       row[key] = args.val
-    } else if (category === 'null') {
-      if (!element._isStructured) row[key] = null
+    } else if (category === 'null' && !element._isStructured) {
+      row[key] = null
     }
   }
 }
 
-// params: element, target, parent, templateElements
 const _pick = element => {
   if (!element.isAssociation && !element.key && !element._isReadOnly) {
-    /* istanbul ignore else */
-    if (element.default) {
-      return { category: 'default', args: element.default }
-    } else if (!element.notNull) {
-      return { category: 'null' }
-    }
+    if (element.default) return { category: 'default', args: element.default }
+    if (!element.notNull) return { category: 'null' }
   }
 }
 

package/libx/_runtime/common/generic/sorting.js

@@ -1,5 +1,6 @@
 const cds = require('../../cds')
 const LOG = cds.log('app')
+const { getAllKeys } = require('../../cds-services/adapter/odata-v4/odata-to-cqn/utils')
 
 const DRAFT_COLUMNS = ['IsActiveEntity', 'HasDraftEntity', 'HasActiveEntity']
 
@@ -17,14 +18,11 @@ const _getStaticOrders = req => {
 
   // implicit sorting?
   if (cds.env.features.implicit_sorting !== false && (req.target._isSingleton || query.SELECT.limit)) {
-    for (const keyName in entity.elements) {
-      if (
-        entity.elements[keyName].key &&
-        !entity.elements[keyName].is2one &&
-        !DRAFT_COLUMNS.includes(keyName) &&
-        !defaultOrders.some(o => o.by['='] === keyName)
-      )
-        ordersFromKeys.push({ by: { '=': keyName } })
+    const keys = getAllKeys(entity, true)
+    for (const key of keys) {
+      if (!DRAFT_COLUMNS.includes(key) && !defaultOrders.some(o => o.by['='] === key)) {
+        ordersFromKeys.push({ by: { '=': key } })
+      }
     }
   }
 
@@ -61,28 +59,12 @@ const _handler = function (req) {
   if (select.groupBy && select.groupBy.length > 0) {
     staticOrders = staticOrders.filter(d => select.groupBy.find(e => e.ref[0] === d.by['=']))
   }
-
-  if (!select.orderBy && staticOrders.length === 0) return
-  select.orderBy = select.orderBy || []
-
-  for (const defaultOrder of staticOrders) {
-    const some = select.orderBy.some(orderBy => {
-      const managedKey = orderBy.ref && orderBy.ref.length > 1 && orderBy.ref.join('_')
-      const element = managedKey && req.target.elements[managedKey]
-      const isManagedKey = element && element.key && !element.is2one
-
-      // don't add duplicates
-      return (
-        (orderBy.ref && orderBy.ref.length === 1 && orderBy.ref[0] === defaultOrder.by['=']) ||
-        (isManagedKey && managedKey === defaultOrder.by['='])
-      )
-    })
-
-    if (!some) {
-      const orderByItem = { ref: [defaultOrder.by['=']], sort: defaultOrder.desc ? 'desc' : 'asc' }
-      select.orderBy.push(orderByItem)
-    }
-  }
+  if (!staticOrders.length) return
+  ;(select.orderBy || (select.orderBy = [])).push(
+    ...staticOrders
+      .filter(d => !select.orderBy.find(o => o.ref && o.ref.join('_') === d.by['=']))
+      .map(d => ({ ref: [d.by['=']], sort: d.desc ? 'desc' : 'asc' }))
+  )
 }
 
 /**

package/libx/_runtime/common/perf/index.js

@@ -0,0 +1,24 @@
+const { performance } = require('perf_hooks')
+
+const _statisticsRequested = req =>
+  (req.query && req.query['sap-statistics'] === 'true') ||
+  (req.headers && req.headers['sap-statistics'] === 'true' && (!req.query || !req.query['sap-statistics']))
+
+module.exports = app => {
+  if (app._perf_measured) return
+  else app._perf_measured = true
+
+  app.use((req, res, next) => {
+    if (!_statisticsRequested(req)) return next()
+
+    const t0 = performance.now()
+    const { writeHead } = res
+    res.writeHead = function (...args) {
+      const total = Number((performance.now() - t0) / 1000).toFixed(2)
+      if (res.statusCode < 400) res.setHeader('sap-statistics', `total=${total}`)
+      writeHead.call(this, ...args)
+    }
+
+    next()
+  })
+}

package/libx/_runtime/common/utils/cqn.js

@@ -16,6 +16,15 @@ const getEntityNameFromUpdateCQN = cqn => {
   return (cqn.UPDATE.entity.ref && cqn.UPDATE.entity.ref[0]) || cqn.UPDATE.entity.name || cqn.UPDATE.entity
 }
 
+const addToWhere = (cqn, where) => {
+  const partial = cqn.SELECT || cqn.UPDATE || cqn.DELETE
+  if (!partial.where) partial.where = where
+  else {
+    partial.where.unshift('(')
+    partial.where.push(')', 'and', '(', ...where, ')')
+  }
+}
+
 // scope: simple wheres à la "[{ ref: ['foo'] }, '=', { val: 'bar' }, 'and', ... ]"
 function where2obj(where, target = null) {
   const data = {}
@@ -34,8 +43,56 @@ function where2obj(where, target = null) {
   return data
 }
 
+function targetFromPath(path, model) {
+  const { definitions } = model
+  let current
+  for (const r of path) {
+    if (r.id) {
+      current = current
+        ? definitions[current.elements[r.id].target]
+        : definitions[r.id] || definitions[r.id.replace(/_drafts$/, '')]
+    } else {
+      const next = current.elements[r]
+      if (next.isAssociation) {
+        current = definitions[next.target]
+      } else {
+        current = next
+      }
+    }
+  }
+  return current
+}
+
+function isPathToDraft(path, model) {
+  const { definitions } = model
+  let draft = false
+  let current
+  for (const r of path) {
+    if (r.id) {
+      const isaIndex = r.where.findIndex(ele => ele.ref && ele.ref[0] === 'IsActiveEntity')
+      if (isaIndex) draft = !r.where[isaIndex + 2].val
+      current = current ? definitions[current.elements[r.id].target] : definitions[r.id]
+    } else {
+      if (r === 'SiblingEntity') draft = !!draft
+      else {
+        const next = current.elements[r]
+        if (next.isAssociation) {
+          if (next._isAssociationStrict) draft = false
+          current = definitions[next.target]
+        } else {
+          current = next
+        }
+      }
+    }
+  }
+  return draft
+}
+
 module.exports = {
+  addToWhere,
   getEntityNameFromDeleteCQN,
   getEntityNameFromUpdateCQN,
-  where2obj
+  where2obj,
+  targetFromPath,
+  isPathToDraft
 }