@sap/cds 5.8.3 → 5.9.1

package/libx/_runtime/auth/index.js

@@ -1,10 +1,10 @@
 const cds = require('../cds')
-const LOG = cds.log('app')
+const LOG = cds.log()
 
 const _require = require('../common/utils/require')
-const { UNAUTHORIZED } = require('./utils')
+const { UNAUTHORIZED, isRestricted } = require('./utils')
 
-let passport
+let passport, logged
 
 // strategy initializers for lazy loading of dependencies
 const _initializers = {
@@ -21,125 +21,167 @@ const _initializers = {
     const DwcStrategy = require('./strategies/dwc')
     passport.use(new DwcStrategy())
   },
-  JWT: ({ uaa }) => {
+  jwt: ({ credentials, uaa }) => {
     const JWTStrategy = require('./strategies/JWT')
-    passport.use(new JWTStrategy(uaa))
+    if (credentials) {
+      passport.use(new JWTStrategy(credentials))
+    } else if (uaa) {
+      // REVISIT: compat, remove with cds^6
+      passport.use(new JWTStrategy(uaa.credentials))
+    } else {
+      throw Object.assign(new Error('No or malformed credentials for auth kind "jwt-auth"'), { credentials })
+    }
   },
   mock: ({ users }, srvName) => {
     const MockStrategy = require('./strategies/mock')
     passport.use(new MockStrategy(users, `mock_${srvName}`))
   },
-  xsuaa: ({ uaa }) => {
+  xsuaa: ({ credentials, uaa }) => {
     const XSUAAStrategy = require('./strategies/xsuaa')
-    passport.use(new XSUAAStrategy(uaa))
+    if (credentials) {
+      passport.use(new XSUAAStrategy(credentials))
+    } else if (uaa) {
+      // REVISIT: compat, remove with cds^6
+      passport.use(new XSUAAStrategy(uaa.credentials))
+    } else {
+      throw Object.assign(new Error('No or malformed credentials for auth kind "xsuaa"'), { credentials })
+    }
   }
 }
 
 // map for initialized authenticators
 const _authenticators = {}
 
-const _isRestricted = srv => {
-  return !!(
-    srv.definition['@requires'] ||
-    Object.keys(srv.entities).some(k => srv.entities[k]['@requires'] || srv.entities[k]['@restrict']) ||
-    Object.keys(srv.entities).some(
-      k =>
-        srv.entities[k].actions &&
-        Object.keys(srv.entities[k].actions).some(
-          l => srv.entities[k].actions[l]['@requires'] || srv.entities[k].actions[l]['@restrict']
-        )
-    ) ||
-    Object.keys(srv.operations).some(k => srv.operations[k]['@requires'] || srv.operations[k]['@restrict'])
-  )
+const _log = (req, challenges) => {
+  if (!LOG._debug) return
+  const challengesLog = challenges ? ['User challenges:', challenges] : []
+  LOG.debug(`User "${req.user.id}" request URL`, req.url, '\n', ...challengesLog)
 }
 
-const _initializeStrategy = (strategy, config, srv) => {
-  if (!_initializers[strategy]) {
-    // REVISIT: why?
-    process.exitCode = 1
-    throw new Error(`Authentication strategy "${strategy}" is not supported`)
+const _authCallback = (req, res, next, internalError, user, challenges) => {
+  // An internal error occurs during the authentication process
+  if (internalError) {
+    // REVISIT: What to do? Security log?
+    return res.status(401).json(UNAUTHORIZED) // no details to client
   }
 
-  if (!_authenticators[strategy] || strategy === 'mock' || process.env.NODE_ENV === 'test') {
-    _initializers[strategy](config, srv.name)
-    _authenticators[strategy] = true
+  let infoChallenges
+
+  if (challenges) {
+    if (Array.isArray(challenges)) {
+      infoChallenges = challenges.filter(ele => ele)
+      infoChallenges = infoChallenges.length ? infoChallenges : undefined
+    } else {
+      req.authInfo = challenges
+    }
   }
+
+  req.user = user || Object.defineProperty(new cds.User(), '_challenges', { enumerable: false, value: infoChallenges })
+  Object.defineProperty(req.user, '_req', { enumerable: false, value: req })
+  _log(req, infoChallenges)
+  next()
 }
 
-const _callback = (req, res, next, err, user, info) => {
-  // REVISIT: when is this the case and what to do?
-  if (err) {
-    // REVISIT: security log?
-    return res.status(401).json(UNAUTHORIZED) // > no details to client
-  }
+const _mountMockAuth = (srv, app, strategy, config) => {
+  const impl =
+    strategy === 'dummy'
+      ? new (require('./strategies/dummy'))()
+      : new (require('./strategies/mock'))(config.users, `mock_${srv.name}`)
 
-  let challenges
-  if (info && Array.isArray(info)) {
-    // > info === challenges
-    challenges = info.filter(ele => ele)
-    challenges = challenges.length ? challenges : undefined
-    info = null
-  }
+  app.use(srv.path, (req, res, next) => {
+    let user, challenge
+    impl.success = arg => (user = arg)
+    impl.fail = arg => (challenge = arg)
+    impl.authenticate(req)
+    _authCallback(req, res, next, undefined, user, [challenge])
+  })
+}
 
-  // compat req._.req.authInfo
-  if (info) req.authInfo = info
+const _mountPassportAuth = (srv, app, strategy, config) => {
+  passport = passport || _require('passport')
 
-  req.user = user || Object.defineProperty(new cds.User(), '_challenges', { enumerable: false, value: challenges })
-  Object.defineProperty(req.user, '_req', { enumerable: false, value: req })
+  // initialize strategy
+  if (!_authenticators[strategy] || strategy === 'mock' || process.env.NODE_ENV === 'test') {
+    _initializers[strategy](config, srv.name)
+    _authenticators[strategy] = true
+  }
 
-  next()
+  // authenticate
+  app.use(srv.path, passport.initialize())
+  app.use(srv.path, (req, res, next) => {
+    const options = { session: false, failWithError: true }
+    const callback = _authCallback.bind(undefined, req, res, next)
+    passport.authenticate(strategy === 'jwt' ? 'JWT' : strategy, options, callback)(req, res, next)
+  })
 }
 
+/*
+ * export authentication middleware
+ */
+// eslint-disable-next-line complexity
 module.exports = (srv, app, options) => {
-  let config = options.auth
+  // NOTE: options.auth is not an official API
+  let config = 'auth' in options ? options.auth : cds.env.requires.auth
 
-  const isRestricted = _isRestricted(srv) || (cds.env.requires.auth && cds.env.requires.auth.restrict_all_services)
-  const isMultiTenant = !!(cds.env.requires && cds.env.requires.db && cds.env.requires.db.multiTenant)
+  // cds.env.requires.auth = { kind: 'xsuaa-auth' } was briefly documented on capire -> also support
+  if (config && config.kind === 'xsuaa-auth' && !config.credentials) config = cds.env.requires.xsuaa
 
-  if (!config && !isRestricted && (!isMultiTenant || process.env.NODE_ENV !== 'production')) {
-    if (isMultiTenant) LOG._warn && LOG.warn(`[${srv.name}] - Authentication needed for multitenancy in production.`)
+  // mount custom authentication middleware
+  if (config && config.impl) {
+    app.use(srv.path, _require(cds.resolve(config.impl)))
     return
   }
 
-  config = config || cds.env.requires.auth
+  const restricted = isRestricted(srv)
+  if (restricted && !config) {
+    // REVISIT: why exitCode needed?
+    process.exitCode = 1
+    throw new Error('Authentication required for authorization checks')
+  }
 
-  if (config.impl) {
-    // > custom middleware
-    app.use(srv.path, _require(cds.resolve(config.impl)))
-    return
+  const isMultiTenant = cds.env.requires.db && cds.env.requires.db.multiTenant
+  if (isMultiTenant && !config) {
+    // REVISIT: why exitCode needed?
+    process.exitCode = 1
+    throw new Error('Authentication required for multitenancy')
   }
 
-  config.strategy = Array.isArray(config.strategy) ? config.strategy : [config.strategy]
-
-  if (config.strategy.length === 1 && config.strategy[0] in { dummy: 1, mock: 1 }) {
-    // > without passport
-    const impl =
-      config.strategy[0] === 'dummy'
-        ? new (require('./strategies/dummy'))()
-        : new (require('./strategies/mock'))(config.users, `mock_${srv.name}`)
-    app.use(srv.path, (req, res, next) => {
-      let user, challenge
-      impl.success = arg => (user = arg)
-      impl.fail = arg => (challenge = arg)
-      impl.authenticate(req)
-      _callback(req, res, next, undefined, user, [challenge])
-    })
+  if (!config) {
+    if (!logged) {
+      const msg = 'No authentication configured'
+      if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
+      else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
+    }
+
+    // no auth wanted > return
     return
   }
 
-  // here, we need passport
-  passport = passport || _require('passport')
+  // strategy from kind
+  let strategy
+  // compat for auth.strategy
+  if (config.strategy) {
+    strategy = config.strategy.toLowerCase()
+  }
+  strategy = strategy || config.kind.replace('-auth', '').toLowerCase()
+  if (strategy === 'mocked') strategy = 'mock'
 
-  // initialize strategies
-  for (const strategy of config.strategy) _initializeStrategy(strategy, config, srv)
+  if (!_initializers[strategy]) {
+    // REVISIT: why exitCode needed?
+    process.exitCode = 1
+    throw new Error(`Authentication kind "${config.kind}" is not supported`)
+  }
 
-  // authenticate
-  app.use(srv.path, passport.initialize())
-  app.use(srv.path, (req, res, next) => {
-    passport.authenticate(
-      config.strategy.map(s => (s === 'mock' ? `mock_${srv.name}` : s)),
-      { session: false, failWithError: true },
-      _callback.bind(undefined, req, res, next)
-    )(req, res, next)
-  })
+  if (!logged) LOG._debug && LOG.debug(`Using authentication kind "${config.kind}"`)
+
+  if (strategy in { dummy: 1, mock: 1 }) {
+    // > dummy or mock authentication (for development/testing)
+    _mountMockAuth(srv, app, strategy, config)
+  } else {
+    // > passport authentication
+    _mountPassportAuth(srv, app, strategy, config)
+  }
+
+  // so we don't log the same stuff multiple times
+  logged = true
 }

package/libx/_runtime/auth/strategies/JWT.js

@@ -1,40 +1,33 @@
 const cds = require('../../cds')
 
 const _require = require('../../common/utils/require')
-const uaaUtils = require('./utils/uaa')
-const xssecUtils = require('./utils/xssec')
+const xssecUtils = require('./xssecUtils')
 
 // use _require for a better error message
 const { JWTStrategy: JS } = _require('@sap/xssec')
 
 class JWTStrategy extends JS {
-  constructor(uaa) {
-    super(uaaUtils.getCredentials(uaa))
+  constructor(credentials) {
+    super(credentials)
+    this.credentials = credentials
   }
 
   authenticate(req, options) {
+    const credentials = this.credentials
+
     // monkey patch success
     const _success = this.success
     this.success = (user, info) => {
       // create cds.User
-      user = new cds.User(
-        Object.assign(
-          { id: xssecUtils.getUserId(user, info) },
-          {
-            _roles: xssecUtils.getRoles(['any', 'identified-user'], info),
-            attr: xssecUtils.getAttrForJWT(info),
-            tenant: xssecUtils.getTenant(info) || null
-          }
-        )
-      )
-
-      // set _req for locale getter
-      Object.defineProperty(user, '_req', { enumerable: false, value: req })
-
+      user = new cds.User({
+        id: xssecUtils.getUserId(user, info),
+        tenant: xssecUtils.getTenant(info) || null,
+        _roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
+        attr: xssecUtils.getAttrForJWT(info)
+      })
       // call "super.success"
       _success(user, info)
     }
-
     super.authenticate(req, options)
   }
 }

package/libx/_runtime/auth/strategies/dummy.js

@@ -5,12 +5,8 @@ class DummyStrategy {
     this.name = 'dummy'
   }
 
-  authenticate(req) {
+  authenticate() {
     const user = new cds.User.Privileged()
-
-    // set _req for locale getter
-    Object.defineProperty(user, '_req', { enumerable: false, value: req })
-
     this.success(user)
   }
 }

package/libx/_runtime/auth/strategies/dwc.js

@@ -1,11 +1,10 @@
 const cds = require('../../cds')
 const LOG = cds.log()
 
-function decode(req, header, parsed) {
+function decode(req, header, encoded) {
   if (!req.headers[header]) return
-  return parsed
-    ? JSON.parse(Buffer.from(req.headers[header], 'base64').toString('utf-8'))
-    : Buffer.from(req.headers[header], 'base64').toString('utf-8')
+  if (encoded) return JSON.parse(Buffer.from(req.headers[header], 'base64').toString('utf-8'))
+  return req.headers[header]
 }
 
 class DwcStrategy {
@@ -15,17 +14,23 @@ class DwcStrategy {
 
   authenticate(req) {
     let tenant, usr, scopes, attr
+
     try {
       tenant = decode(req, 'dwc-tenant')
       usr = decode(req, 'dwc-user', true)
-      scopes = decode(req, 'dwc-scopes', true) || []
+      scopes = decode(req, 'dwc-scopes') || ''
       attr = decode(req, 'dwc-xsuaa-attributes', true) || {}
     } catch (e) {
-      LOG._warn && LOG.warn('Error while parsing headers for dwc-auth:', e)
+      LOG._debug && LOG.debug('Error while parsing HTTP headers for DWC authentication:', e)
       return this.fail()
     }
+
     if (!tenant || !usr) return this.fail()
 
+    // make scopes app-local
+    const xsappname = decode(req, 'dwc-xsuaa-xsappname') || ''
+    scopes = scopes.split(' ').map(s => (s.startsWith(xsappname + '.') ? s.replace(xsappname + '.', '') : s))
+
     const user = new cds.User({
       id: usr.logonName,
       tenant,
@@ -33,9 +38,6 @@ class DwcStrategy {
       attr: Object.assign(attr, usr)
     })
 
-    // set _req for locale getter
-    Object.defineProperty(user, '_req', { enumerable: false, value: req })
-
     this.success(user)
   }
 }

package/libx/_runtime/auth/strategies/mock.js

@@ -69,10 +69,6 @@ class MockStrategy {
     const tenant = user.tenant || (user.jwt && user.jwt.zid) || null
 
     user = new cds.User({ id: user.ID || id, _roles, attr, tenant })
-
-    // set _req for locale getter
-    Object.defineProperty(user, '_req', { enumerable: false, value: req })
-
     this.success(user)
   }
 }

package/libx/_runtime/auth/strategies/{utils/xssec.js → xssecUtils.js}

@@ -1,21 +1,24 @@
+const CLIENT = { client_credentials: 1, client_x509: 1 }
+
 const getUserId = (user, info) => {
   // fallback for grant_type=client_credentials (xssec v3)
   return user.id || (info && info.getClientId && info.getClientId())
 }
 
-const _addRolesFromGrantType = (roles, info) => {
+const _addRolesFromGrantType = (roles, info, credentials) => {
   const grantType = info && (info.grantType || (info.getGrantType && info.getGrantType()))
   if (grantType) {
     // > not "weak"
     roles.push('authenticated-user')
-    if (['client_credentials', 'client_x509'].includes(grantType)) {
+    if (grantType in CLIENT) {
       roles.push('system-user')
+      if (info.getClientId() === credentials.clientid) roles.push('internal-user')
     }
   }
 }
 
-const getRoles = (roles, info) => {
-  _addRolesFromGrantType(roles, info)
+const getRoles = (roles, info, credentials) => {
+  _addRolesFromGrantType(roles, info, credentials)
 
   // convert to object
   roles = Object.assign(...roles.map(ele => ({ [ele]: true })))

package/libx/_runtime/auth/strategies/xsuaa.js

@@ -1,41 +1,34 @@
 const cds = require('../../cds')
 
 const _require = require('../../common/utils/require')
-const uaaUtils = require('./utils/uaa')
-const xssecUtils = require('./utils/xssec')
+const xssecUtils = require('./xssecUtils')
 
 // use _require for a better error message
 const { JWTStrategy: JS } = _require('@sap/xssec')
 
 class XSUAAStrategy extends JS {
-  constructor(uaa) {
-    super(uaaUtils.getCredentials(uaa))
+  constructor(credentials) {
+    super(credentials)
+    this.credentials = credentials
     this.name = 'xsuaa'
   }
 
   authenticate(req, options) {
+    const credentials = this.credentials
+
     // monkey patch success
     const _success = this.success
     this.success = (user, info) => {
       // create cds.User
-      user = new cds.User(
-        Object.assign(
-          { id: xssecUtils.getUserId(user, info) },
-          {
-            _roles: xssecUtils.getRoles(['any', 'identified-user'], info),
-            attr: xssecUtils.getAttrForXSSEC(info),
-            tenant: xssecUtils.getTenant(info) || null
-          }
-        )
-      )
-
-      // set _req for locale getter
-      Object.defineProperty(user, '_req', { enumerable: false, value: req })
-
+      user = new cds.User({
+        id: xssecUtils.getUserId(user, info),
+        tenant: xssecUtils.getTenant(info) || null,
+        _roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
+        attr: xssecUtils.getAttrForXSSEC(info)
+      })
       // call "super.success"
       _success(user, info)
     }
-
     super.authenticate(req, options)
   }
 }

package/libx/_runtime/auth/utils.js

@@ -17,8 +17,29 @@ const getRequiresAsArray = definition => {
   return requires
 }
 
+const isRestricted = srv => {
+  const envAuth = cds.env.requires.auth
+  if (envAuth && envAuth.restrict_all_services) return true
+  if (srv.definition['@requires']) return true
+
+  const entities = srv.entities
+  const entitiesKeys = Object.keys(entities)
+
+  return !!(
+    entitiesKeys.some(entity => entities[entity]['@requires'] || entities[entity]['@restrict']) ||
+    entitiesKeys.some(entity => {
+      const actions = entities[entity].actions
+      actions && Object.keys(actions).some(action => actions[action]['@requires'] || actions[action]['@restrict'])
+    }) ||
+    Object.keys(srv.operations).some(
+      operation => srv.operations[operation]['@requires'] || srv.operations[operation]['@restrict']
+    )
+  )
+}
+
 module.exports = {
   UNAUTHORIZED,
   FORBIDDEN,
-  getRequiresAsArray
+  getRequiresAsArray,
+  isRestricted
 }