@sap/cds 5.8.2 → 5.9.0

package/libx/_runtime/common/generic/auth/expand.js

@@ -0,0 +1,54 @@
+const cds = require('../../../cds')
+
+const { rewriteExpandAsterisk } = require('../../utils/rewriteAsterisks')
+
+const { ensureNoDraftsSuffix } = require('../../../fiori/utils/handler')
+
+const _getTarget = (ref, target, definitions) => {
+  if (cds.env.effective.odata.proxies) {
+    const target_ = target.elements[ref[0]]
+    if (ref.length === 1) return definitions[ensureNoDraftsSuffix(target_.target)]
+    return _getTarget(ref.slice(1), target_, definitions)
+  }
+  const target_ = target.elements[ref.join('_')]
+  return definitions[ensureNoDraftsSuffix(target_.target)]
+}
+
+const _getRestrictedExpand = (columns, target, definitions) => {
+  if (!columns || !target || columns === '*') return
+
+  const annotation = target['@Capabilities.ExpandRestrictions.NonExpandableProperties']
+  const restrictions = annotation && annotation.map(element => element['='])
+
+  rewriteExpandAsterisk(columns, target)
+
+  for (const col of columns) {
+    if (col.expand) {
+      if (restrictions && restrictions.length !== 0) {
+        const ref = col.ref.join('_')
+        const ref_ = restrictions.find(element => element.replace(/\./g, '_') === ref)
+        if (ref_) return ref_
+      }
+      // expand: '**' or '*3' is only possible within custom handler, no check needed
+      if (typeof col.expand === 'string' && /^\*{1}[\d|*]+/.test(col.expand)) {
+        continue
+      } else {
+        const restricted = _getRestrictedExpand(col.expand, _getTarget(col.ref, target, definitions), definitions)
+        if (restricted) return restricted
+      }
+    }
+  }
+}
+
+function handler(req) {
+  const restricted = _getRestrictedExpand(
+    req.query.SELECT && req.query.SELECT.columns,
+    req.target,
+    this.model.definitions
+  )
+  if (restricted) req.reject(400, 'EXPAND_IS_RESTRICTED', [restricted])
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/index.js

@@ -0,0 +1,32 @@
+const cds = require('../../../cds')
+
+const requiresHandler = require('./requires')
+const readOnlyHandler = require('./readOnly')
+const insertOnlyHandler = require('./insertOnly')
+const capabilitiesHandler = require('./capabilities')
+const restrictHandler = require('./restrict')
+const restrictExpandHandler = require('./expand')
+
+module.exports = cds.service.impl(function authorization() {
+  /*
+   * @requires
+   */
+  this.before('*', requiresHandler)
+
+  /*
+   * access control (cheaper than @restrict -> do first)
+   */
+  this.before('*', readOnlyHandler)
+  this.before('*', insertOnlyHandler)
+  this.before('*', capabilitiesHandler)
+
+  /*
+   * @restrict
+   */
+  this.before('*', restrictHandler)
+
+  /*
+   * expand restrictions
+   */
+  this.before('READ', '*', restrictExpandHandler)
+})

package/libx/_runtime/common/generic/auth/insertOnly.js

@@ -0,0 +1,15 @@
+const { getAuthRelevantEntity } = require('./utils')
+
+function handler(req) {
+  const entity = getAuthRelevantEntity(req, this.model, ['@insertonly'])
+  if (!entity || !entity['@insertonly']) return
+
+  const allowed = entity._isDraftEnabled ? { NEW: 1, PATCH: 1 } : { CREATE: 1 }
+  if (!(req.event in allowed)) {
+    req.reject(405, 'ENTITY_IS_INSERT_ONLY', [entity.name])
+  }
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/readOnly.js

@@ -0,0 +1,26 @@
+const { getAuthRelevantEntity } = require('./utils')
+const { WRITE_EVENTS } = require('./constants')
+
+const _isAutoexposed = entity => {
+  if (!entity) return false
+  return (entity['@cds.autoexpose'] && entity['@cds.autoexposed']) || entity.name.match(/\.DraftAdministrativeData$/)
+}
+
+function handler(req) {
+  // autoexposed
+  const isAutoexposed = _isAutoexposed(req.target)
+  if (isAutoexposed && req.event !== 'READ') {
+    req.reject(405, 'ENTITY_IS_AUTOEXPOSED', [req.target.name])
+  }
+
+  // @read-only
+  const entity = getAuthRelevantEntity(req, this.model, ['@readonly'])
+  if (!entity || !entity['@readonly']) return
+  if (entity['@readonly'] && req.event in WRITE_EVENTS) {
+    req.reject(405, 'ENTITY_IS_READ_ONLY', [entity.name])
+  }
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/requires.js

@@ -0,0 +1,34 @@
+const { reject, getRejectReason, getAuthRelevantEntity } = require('./utils')
+const { CRUD_EVENTS } = require('./constants')
+
+const { getRequiresAsArray } = require('../../../auth/utils')
+
+function handler(req) {
+  if (req.user._is_privileged) {
+    // > skip checks
+    return
+  }
+
+  let definition
+  if (req.event in CRUD_EVENTS) {
+    // > CRUD
+    definition = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
+  } else if (req.target && req.target.actions) {
+    // > bound
+    definition = req.target.actions[req.event]
+  } else {
+    // > unbound
+    definition = this.operations[req.event]
+  }
+
+  if (!definition) return
+
+  const requires = getRequiresAsArray(definition)
+  if (!requires.length || requires.some(role => req.user.is(role))) return
+
+  reject(req, getRejectReason(req, '@requires', definition))
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/restrict.js

@@ -0,0 +1,296 @@
+const cds = require('../../../cds')
+
+const { reject, getRejectReason, resolveUserAttrs, getAuthRelevantEntity } = require('./utils')
+const { DRAFT_EVENTS, MOD_EVENTS } = require('./constants')
+
+const { cqn2cqn4sql } = require('../../utils/cqn2cqn4sql')
+
+const { isActiveEntityRequested, removeIsActiveEntityRecursively } = require('../../../fiori/utils/where')
+
+const _getResolvedApplicables = (applicables, req) => {
+  const resolvedApplicables = []
+
+  // REVISIT: the static portion of "mixed wheres" could already grant access -> optimization potential
+  for (const restrict of applicables) {
+    // replace $user.x with respective values
+    const resolved = resolveUserAttrs({ grant: restrict.grant, target: restrict.target, where: restrict.where }, req)
+
+    // check for duplicates
+    if (
+      !resolvedApplicables.find(
+        restrict =>
+          resolved.grant === restrict.grant &&
+          (!resolved.target || resolved.target === restrict.target) &&
+          (!resolved.where || resolved.where === restrict.where)
+      )
+    ) {
+      if (resolved.where) resolved._xpr = cds.parse.expr(resolved.where).xpr
+      resolvedApplicables.push(resolved)
+    }
+  }
+
+  return resolvedApplicables
+}
+
+const _isStaticAuth = resolvedApplicables => {
+  return (
+    resolvedApplicables.length === 1 &&
+    resolvedApplicables[0]._xpr.length === 3 &&
+    resolvedApplicables[0]._xpr.every(ele => typeof ele !== 'object' || ele.val)
+  )
+}
+
+const _evalStatic = (op, vals) => {
+  vals[0] = Number.isNaN(Number(vals[0])) ? vals[0] : Number(vals[0])
+  vals[1] = Number.isNaN(Number(vals[1])) ? vals[1] : Number(vals[1])
+
+  switch (op) {
+    case '=':
+      return vals[0] === vals[1]
+    case '!=':
+      return vals[0] !== vals[1]
+    case '<':
+      return vals[0] < vals[1]
+    case '<=':
+      return vals[0] <= vals[1]
+    case '>':
+      return vals[0] > vals[1]
+    case '>=':
+      return vals[0] >= vals[1]
+    default:
+      throw new Error(`Operator "${op}" is not supported in @restrict.where`)
+  }
+}
+
+const _handleStaticAuth = (resolvedApplicables, req) => {
+  const op = resolvedApplicables[0]._xpr.find(ele => typeof ele === 'string')
+  const vals = resolvedApplicables[0]._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
+
+  if (_evalStatic(op, vals)) {
+    // static clause grants access => done
+    return
+  }
+
+  // static clause forbids access => forbidden
+  return reject(req)
+}
+
+const _getMergedWhere = restricts => {
+  const xprs = []
+  restricts.forEach(ele => {
+    xprs.push('(', ...ele._xpr, ')', 'or')
+  })
+  xprs.pop()
+  return xprs
+}
+
+const _addWheresToRef = (ref, model, resolvedApplicables) => {
+  const newRef = []
+  let lastEntity = model.definitions[ref[0].id || ref[0]]
+
+  ref.forEach((identifier, idx) => {
+    if (idx === ref.length - 1) {
+      newRef.push(identifier)
+      return // determine last one separately
+    }
+
+    const entity = idx === 0 ? lastEntity : lastEntity.elements[identifier.id || identifier]._target
+    lastEntity = entity
+    const applicablesForEntity = resolvedApplicables.filter(
+      restrict => restrict.target && restrict.target.name === entity.name
+    )
+
+    let newIdentifier = identifier
+
+    if (applicablesForEntity.length) {
+      if (typeof newIdentifier === 'string') {
+        newIdentifier = { id: identifier, where: [] }
+      }
+
+      if (!newIdentifier.where) newIdentifier.where = []
+
+      if (newIdentifier.where && newIdentifier.where.length) {
+        newIdentifier.where.unshift('(')
+        newIdentifier.where.push(')')
+        newIdentifier.where.push('and')
+      }
+
+      newIdentifier.where.push(..._getMergedWhere(applicablesForEntity))
+    }
+
+    newRef.push(newIdentifier)
+  })
+
+  return newRef
+}
+
+const _getRestrictionForTarget = (resolvedApplicables, target) => {
+  const reqTarget = target && (target._isDraftEnabled ? target.name.replace(/_drafts$/, '') : target.name)
+  const applicablesForTarget = resolvedApplicables.filter(
+    restrict => restrict.target && restrict.target.name === reqTarget
+  )
+
+  if (applicablesForTarget.length) {
+    return _getMergedWhere(applicablesForTarget)
+  }
+}
+
+const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
+  if (req.target._isDraftEnabled) {
+    req.query._draftRestrictions = resolvedApplicables
+    return
+  }
+
+  if (typeof req.query.SELECT.from === 'object')
+    req.query.SELECT.from.ref = _addWheresToRef(req.query.SELECT.from.ref, model, resolvedApplicables)
+
+  const restrictionForTarget = _getRestrictionForTarget(resolvedApplicables, req.target)
+  if (!restrictionForTarget) return
+
+  // adjust free subselects, if necessary
+  if (resolvedApplicables.some(ra => ra.where.match(/\s*exists\s*\(\s*select\s*1\s*/i))) {
+    for (const ele of restrictionForTarget) {
+      if (typeof ele !== 'object' || !ele.SELECT || !ele.SELECT.where) continue
+
+      for (const w of ele.SELECT.where) {
+        if (w.ref && w.ref.length > 2) {
+          let path = w.ref[0]
+          if (!model.definitions[path]) continue
+          let i = 1
+
+          for (; i < w.ref.length; i++) {
+            if (model.definitions[`${path}.${w.ref[i]}`]) path += `.${w.ref[i]}`
+            else break
+          }
+
+          w.ref = [path, ...w.ref.slice(i)]
+        }
+      }
+    }
+  }
+
+  // apply restriction
+  req.query.where(restrictionForTarget)
+}
+
+const _getFromWithIsActiveEntityRemoved = from => {
+  for (const element of from.ref) {
+    if (element.where && isActiveEntityRequested(element.where)) {
+      element.where = removeIsActiveEntityRecursively(element.where)
+    }
+  }
+
+  return from
+}
+
+const _getUnrestrictedCount = async req => {
+  const dbtx = cds.tx(req)
+  const target =
+    (req.query.UPDATE && req.query.UPDATE.entity) ||
+    (req.query.DELETE && req.query.DELETE.from) ||
+    (req.query.SELECT && req.query.SELECT.from)
+  const selectUnrestricted = SELECT.one(['count(*) as n']).from(target)
+  const whereUnrestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
+
+  if (whereUnrestricted) selectUnrestricted.where(whereUnrestricted)
+
+  // Because of side effects, the statements have to be fired sequentially.
+  const { n } = await dbtx.run(selectUnrestricted)
+  return n
+}
+
+const _getRestrictedCount = async (req, model, resolvedApplicables) => {
+  const dbtx = cds.tx(req)
+  const target =
+    (req.query.UPDATE && req.query.UPDATE.entity) ||
+    (req.query.DELETE && req.query.DELETE.from) ||
+    (req.query.SELECT && req.query.SELECT.from)
+  const selectRestricted = SELECT.one(['count(*) as n']).from(target)
+  const whereRestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
+
+  if (whereRestricted) selectRestricted.where(whereRestricted)
+
+  if (typeof selectRestricted.SELECT === 'object') {
+    selectRestricted.SELECT.from.ref = _addWheresToRef(selectRestricted.SELECT.from.ref, model, resolvedApplicables)
+  }
+
+  const restrictionForTarget = _getRestrictionForTarget(resolvedApplicables, req.target)
+  if (restrictionForTarget) selectRestricted.where(restrictionForTarget)
+
+  const { n } = await dbtx.run(cqn2cqn4sql(selectRestricted, model, { suppressSearch: true }))
+  return n
+}
+
+// eslint-disable-next-line complexity
+async function handler(req) {
+  if (req.user._is_privileged || DRAFT_EVENTS[req.event]) {
+    // > skip checks (events in DRAFT_EVENTS are checked in draft handlers via InProcessByUser)
+    return
+  }
+
+  const authRelevantEntity = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
+  const definition =
+    authRelevantEntity ||
+    (req.target && req.target.actions && req.target.actions[req.event]) ||
+    (this.operations && this.operations[req.event])
+
+  if (!definition) {
+    // > nothing to restrict
+    return
+  }
+
+  let restrictions = this.getRestrictions(definition, req.event, req.user)
+  if (restrictions instanceof Promise) restrictions = await restrictions
+  if (!restrictions) {
+    // > unrestricted
+    return
+  }
+
+  if (!restrictions.length) {
+    // > no applicable restrictions -> 403
+    reject(req, getRejectReason(req, '@restrict', definition))
+  }
+
+  // at least one if the user's roles grants unrestricted access => done
+  if (restrictions.some(restrict => !restrict.where)) return
+
+  const resolvedApplicables = _getResolvedApplicables(restrictions, req)
+
+  // REVISIT: support more complex statics
+  if (_isStaticAuth(resolvedApplicables)) {
+    return _handleStaticAuth(resolvedApplicables, req)
+  }
+
+  if (req.event === 'READ') {
+    _addRestrictionsToRead(req, this.model, resolvedApplicables)
+    return
+  }
+
+  // no modification -> nothing more to do
+  if (!MOD_EVENTS[req.event]) return
+
+  if (req.query.DELETE) req.query.DELETE.from = _getFromWithIsActiveEntityRemoved(req.query.DELETE.from)
+  if (req.query.SELECT) req.query.SELECT.from = _getFromWithIsActiveEntityRemoved(req.query.SELECT.from)
+
+  // REVISIT: selected data could be used for etag check, diff, etc.
+
+  /*
+   * Here we check if UPDATE/DELETE requests add additional restrictions
+   * Note: Needs to happen sequentially because of side effects
+   */
+  const unrestrictedCount = await _getUnrestrictedCount(req)
+  if (unrestrictedCount === 0) req.reject(404)
+
+  const restrictedCount = await _getRestrictedCount(req, this.model, resolvedApplicables)
+
+  if (restrictedCount < unrestrictedCount) {
+    reject(req, getRejectReason(req, '@restrict', definition, restrictedCount, unrestrictedCount))
+  }
+
+  // for minor optimization in generic crud handler
+  req._authChecked = true
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/utils.js

@@ -0,0 +1,213 @@
+const cds = require('../../../cds')
+const LOG = cds.log('app')
+
+const { CRUD_EVENTS } = require('./constants')
+
+const { getDraftTreeRoot } = require('../../utils/csn')
+
+const reject = (req, reason = null) => {
+  // unauthorized or forbidden?
+  if (req.user._is_anonymous) {
+    // REVISIT: challenges handling should be done in protocol adapter (i.e., express error middleware)
+    // REVISIT: improve `req._.req` check if this is an HTTP request
+    if (req._.req && req.user._challenges && req.user._challenges.length > 0) {
+      req._.res.set('WWW-Authenticate', req.user._challenges.join(';'))
+    }
+
+    // REVISIT: security log in else case?
+    return req.reject(401)
+  }
+
+  return req.reject({
+    code: 403,
+    internal: reason
+  })
+}
+
+const getRejectReason = (req, annotation, definition, restrictedCount, unrestrictedCount) => {
+  if (!LOG._debug) return
+  // it is not possible to specify the reason further than the source as there are multiple factors
+  const appendix = unrestrictedCount
+    ? ` (${unrestrictedCount - restrictedCount} out of ${unrestrictedCount} instances are restricted)`
+    : ''
+  return {
+    reason: `Access denied to user "${req.user.id}" for event "${req.event}"${appendix}`,
+    source: `${annotation} of "${definition.name}"`
+  }
+}
+
+const _getCurrentSubClause = (next, restrict) => {
+  const escaped = next[0].replace(/\$/g, '\\$').replace(/\./g, '\\.')
+  const re1 = new RegExp(`([\\w\\.']*)\\s*=\\s*(${escaped})|(${escaped})\\s*=\\s*([\\w\\.']*)`)
+  const re2 = new RegExp(`([\\w\\.']*)\\s*in\\s*(${escaped})|(${escaped})\\s*in\\s*([\\w\\.']*)`)
+  const clause = restrict.where.match(re1) || restrict.where.match(re2)
+
+  if (clause) return clause
+
+  // NOTE: arrayed attr with "=" as operator is some kind of legacy case
+  throw new Error('user attribute array must be used with operator "=" or "in"')
+}
+
+const _processUserAttr = (next, restrict, user, attr) => {
+  const clause = _getCurrentSubClause(next, restrict)
+  const valOrRef = clause[1] || clause[4]
+
+  if (clause[0].match(/ in /)) {
+    if (!user[attr] || user[attr].length === 0) {
+      restrict.where = restrict.where.replace(clause[0], '1 = 2')
+    } else if (user[attr].length === 1) {
+      restrict.where = restrict.where.replace(clause[0], `${valOrRef} = '${user[attr][0]}'`)
+    } else {
+      restrict.where = restrict.where.replace(
+        clause[0],
+        `${valOrRef} in (${user[attr].map(ele => `'${ele}'`).join(', ')})`
+      )
+    }
+  } else if (valOrRef.startsWith("'") && user[attr].includes(valOrRef.split("'")[1])) {
+    restrict.where = restrict.where.replace(clause[0], `${valOrRef} = ${valOrRef}`)
+  } else {
+    restrict.where = restrict.where.replace(
+      clause[0],
+      `(${user[attr].map(ele => `${valOrRef} = '${ele}'`).join(' or ')})`
+    )
+  }
+}
+
+const _getShortcut = (attrs, attr) => {
+  // undefined
+  if (attrs[attr] === undefined) {
+    return '1 = 2'
+  }
+
+  // $UNRESTRICTED
+  if (
+    (typeof attrs[attr] === 'string' && attrs[attr].match(/\$UNRESTRICTED/i)) ||
+    (Array.isArray(attrs[attr]) && attrs[attr].some(a => a.match(/\$UNRESTRICTED/i)))
+  ) {
+    return '1 = 1'
+  }
+
+  return null
+}
+
+/*
+ * for supporting xssec v3
+ */
+const _getAttrsAsProxy = (attrs, additional = {}) => {
+  return new Proxy(
+    {},
+    {
+      get: function (_, attr) {
+        if (attr in additional) return additional[attr]
+        return attrs[attr]
+      }
+    }
+  )
+}
+
+/*
+ * resolves user attributes deeply, even though nested attributes are officially not supported
+ */
+const resolveUserAttrs = (restrict, req) => {
+  const _getNext = where => where.match(/\$user\.([\w.]*)/)
+  let next = _getNext(restrict.where)
+
+  while (next !== null) {
+    const parts = next[1].split('.')
+    let skip
+    let val
+    let attrs = _getAttrsAsProxy(req.user.attr, { id: req.user.id })
+    let attr = parts.shift()
+
+    while (attr) {
+      const shortcut = _getShortcut(attrs, attr)
+      if (shortcut) {
+        const clause = _getCurrentSubClause(next, restrict)
+        restrict.where = restrict.where.replace(clause[0], shortcut)
+        skip = true
+        break
+      }
+
+      if (Array.isArray(attrs[attr])) {
+        _processUserAttr(next, restrict, attrs, attr)
+        skip = true
+        break
+      }
+
+      val = !Number.isNaN(Number(attrs[attr])) && attr !== 'id' ? attrs[attr] : `'${attrs[attr]}'`
+      if (val === null || val === undefined) break
+
+      attrs = _getAttrsAsProxy(attrs[attr])
+      attr = parts.shift()
+    }
+
+    if (!skip) restrict.where = restrict.where.replace(next[0], val === undefined ? null : val)
+    next = _getNext(restrict.where)
+  }
+
+  return restrict
+}
+
+const _authDependsOnParent = (entity, annotations) => {
+  // @cds.autoexposed and not @cds.autoexpose -> not explicitly exposed by modeling
+  return (
+    entity.name.match(/\.DraftAdministrativeData$/) ||
+    (entity['@cds.autoexposed'] && !entity['@cds.autoexpose'] && !annotations.some(a => a in entity))
+  )
+}
+
+const cqnFrom = req => {
+  const { query } = req
+  if (!query) return
+  if (query.SELECT) return query.SELECT.from
+  if (query.INSERT) return query.INSERT.into
+  if (query.UPDATE) return query.UPDATE.entity
+  if (query.DELETE) return query.DELETE.from
+}
+
+const getAuthRelevantEntity = (req, model, annotations) => {
+  if (!req.target || !(req.event in CRUD_EVENTS)) return
+  if (!_authDependsOnParent(req.target, annotations)) return req.target
+
+  let cqn = cqnFrom(req)
+
+  // REVISIT: needed in draft for some reason
+  if (typeof cqn === 'string') cqn = { ref: [cqn] }
+
+  if (cqn.ref.length === 1 && req.target._isDraftEnabled) {
+    // > direct access to children in draft
+    const root = getDraftTreeRoot(req.target, model)
+    if (!root)
+      reject(
+        req,
+        LOG._debug ? { reason: `Unable to determine single draft tree root for entity "${req.target.name}"` } : null
+      )
+    return root
+  }
+
+  // find and return the restrictions (may be none!) of the right-most entity that is non-autoexposed or explicitly restricted
+  const segments = []
+  let current = { elements: model.definitions }
+  for (let i = 0; i < cqn.ref.length; i++) {
+    current = current.elements[cqn.ref[i].id || cqn.ref[i]]
+    if (current && current.target) current = model.definitions[current.target]
+    segments.push(current)
+  }
+  let authRelevantEntity
+  for (let i = segments.length - 1; i >= 0; i--) {
+    const segment = segments[i]
+    if (segment.kind === 'entity' && !_authDependsOnParent(segment, annotations)) {
+      authRelevantEntity = segment
+      break
+    }
+  }
+  return authRelevantEntity
+}
+
+module.exports = {
+  reject,
+  getRejectReason,
+  resolveUserAttrs,
+  cqnFrom,
+  getAuthRelevantEntity
+}