@sap/cds 5.8.4 → 5.9.2

package/libx/_runtime/common/generic/auth/readOnly.js

@@ -0,0 +1,26 @@
+const { getAuthRelevantEntity } = require('./utils')
+const { WRITE_EVENTS } = require('./constants')
+
+const _isAutoexposed = entity => {
+  if (!entity) return false
+  return (entity['@cds.autoexpose'] && entity['@cds.autoexposed']) || entity.name.match(/\.DraftAdministrativeData$/)
+}
+
+function handler(req) {
+  // autoexposed
+  const isAutoexposed = _isAutoexposed(req.target)
+  if (isAutoexposed && req.event !== 'READ') {
+    req.reject(405, 'ENTITY_IS_AUTOEXPOSED', [req.target.name])
+  }
+
+  // @read-only
+  const entity = getAuthRelevantEntity(req, this.model, ['@readonly'])
+  if (!entity || !entity['@readonly']) return
+  if (entity['@readonly'] && req.event in WRITE_EVENTS) {
+    req.reject(405, 'ENTITY_IS_READ_ONLY', [entity.name])
+  }
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/requires.js

@@ -0,0 +1,34 @@
+const { reject, getRejectReason, getAuthRelevantEntity } = require('./utils')
+const { CRUD_EVENTS } = require('./constants')
+
+const { getRequiresAsArray } = require('../../../auth/utils')
+
+function handler(req) {
+  if (req.user._is_privileged) {
+    // > skip checks
+    return
+  }
+
+  let definition
+  if (req.event in CRUD_EVENTS) {
+    // > CRUD
+    definition = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
+  } else if (req.target && req.target.actions) {
+    // > bound
+    definition = req.target.actions[req.event]
+  } else {
+    // > unbound
+    definition = this.operations[req.event]
+  }
+
+  if (!definition) return
+
+  const requires = getRequiresAsArray(definition)
+  if (!requires.length || requires.some(role => req.user.is(role))) return
+
+  reject(req, getRejectReason(req, '@requires', definition))
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/restrict.js

@@ -0,0 +1,298 @@
+const cds = require('../../../cds')
+
+const { reject, getRejectReason, resolveUserAttrs, getAuthRelevantEntity } = require('./utils')
+const { DRAFT_EVENTS, MOD_EVENTS } = require('./constants')
+const { getNormalizedPlainRestrictions } = require('./restrictions')
+
+const { cqn2cqn4sql } = require('../../utils/cqn2cqn4sql')
+
+const { isActiveEntityRequested, removeIsActiveEntityRecursively } = require('../../../fiori/utils/where')
+
+const _getResolvedApplicables = (applicables, req) => {
+  const resolvedApplicables = []
+
+  // REVISIT: the static portion of "mixed wheres" could already grant access -> optimization potential
+  for (const restrict of applicables) {
+    // replace $user.x with respective values
+    const resolved = resolveUserAttrs({ grant: restrict.grant, target: restrict.target, where: restrict.where }, req)
+
+    // check for duplicates
+    if (
+      !resolvedApplicables.find(
+        restrict =>
+          resolved.grant === restrict.grant &&
+          (!resolved.target || resolved.target === restrict.target) &&
+          (!resolved.where || resolved.where === restrict.where)
+      )
+    ) {
+      if (resolved.where) resolved._xpr = cds.parse.expr(resolved.where).xpr
+      resolvedApplicables.push(resolved)
+    }
+  }
+
+  return resolvedApplicables
+}
+
+const _isStaticAuth = resolvedApplicables => {
+  return (
+    resolvedApplicables.length === 1 &&
+    resolvedApplicables[0]._xpr.length === 3 &&
+    resolvedApplicables[0]._xpr.every(ele => typeof ele !== 'object' || ele.val)
+  )
+}
+
+const _evalStatic = (op, vals) => {
+  vals[0] = Number.isNaN(Number(vals[0])) ? vals[0] : Number(vals[0])
+  vals[1] = Number.isNaN(Number(vals[1])) ? vals[1] : Number(vals[1])
+
+  switch (op) {
+    case '=':
+      return vals[0] === vals[1]
+    case '!=':
+      return vals[0] !== vals[1]
+    case '<':
+      return vals[0] < vals[1]
+    case '<=':
+      return vals[0] <= vals[1]
+    case '>':
+      return vals[0] > vals[1]
+    case '>=':
+      return vals[0] >= vals[1]
+    default:
+      throw new Error(`Operator "${op}" is not supported in @restrict.where`)
+  }
+}
+
+const _handleStaticAuth = (resolvedApplicables, req) => {
+  const op = resolvedApplicables[0]._xpr.find(ele => typeof ele === 'string')
+  const vals = resolvedApplicables[0]._xpr.filter(ele => typeof ele === 'object' && ele.val).map(ele => ele.val)
+
+  if (_evalStatic(op, vals)) {
+    // static clause grants access => done
+    return
+  }
+
+  // static clause forbids access => forbidden
+  return reject(req)
+}
+
+const _getMergedWhere = restricts => {
+  const xprs = []
+  restricts.forEach(ele => {
+    xprs.push('(', ...ele._xpr, ')', 'or')
+  })
+  xprs.pop()
+  return xprs
+}
+
+const _addWheresToRef = (ref, model, resolvedApplicables) => {
+  const newRef = []
+  let lastEntity = model.definitions[ref[0].id || ref[0]]
+
+  ref.forEach((identifier, idx) => {
+    if (idx === ref.length - 1) {
+      newRef.push(identifier)
+      return // determine last one separately
+    }
+
+    const entity = idx === 0 ? lastEntity : lastEntity.elements[identifier.id || identifier]._target
+    lastEntity = entity
+    const applicablesForEntity = resolvedApplicables.filter(
+      restrict => restrict.target && restrict.target.name === entity.name
+    )
+
+    let newIdentifier = identifier
+
+    if (applicablesForEntity.length) {
+      if (typeof newIdentifier === 'string') {
+        newIdentifier = { id: identifier, where: [] }
+      }
+
+      if (!newIdentifier.where) newIdentifier.where = []
+
+      if (newIdentifier.where && newIdentifier.where.length) {
+        newIdentifier.where.unshift('(')
+        newIdentifier.where.push(')')
+        newIdentifier.where.push('and')
+      }
+
+      newIdentifier.where.push(..._getMergedWhere(applicablesForEntity))
+    }
+
+    newRef.push(newIdentifier)
+  })
+
+  return newRef
+}
+
+const _getRestrictionForTarget = (resolvedApplicables, target) => {
+  const reqTarget = target && (target._isDraftEnabled ? target.name.replace(/_drafts$/, '') : target.name)
+  const applicablesForTarget = resolvedApplicables.filter(
+    restrict => restrict.target && restrict.target.name === reqTarget
+  )
+
+  if (applicablesForTarget.length) {
+    return _getMergedWhere(applicablesForTarget)
+  }
+}
+
+const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
+  if (req.target._isDraftEnabled) {
+    req.query._draftRestrictions = resolvedApplicables
+    return
+  }
+
+  if (typeof req.query.SELECT.from === 'object')
+    req.query.SELECT.from.ref = _addWheresToRef(req.query.SELECT.from.ref, model, resolvedApplicables)
+
+  const restrictionForTarget = _getRestrictionForTarget(resolvedApplicables, req.target)
+  if (!restrictionForTarget) return
+
+  // adjust free subselects, if necessary
+  if (resolvedApplicables.some(ra => ra.where.match(/\s*exists\s*\(\s*select\s*1\s*/i))) {
+    for (const ele of restrictionForTarget) {
+      if (typeof ele !== 'object' || !ele.SELECT || !ele.SELECT.where) continue
+
+      for (const w of ele.SELECT.where) {
+        if (w.ref && w.ref.length > 2) {
+          let path = w.ref[0]
+          if (!model.definitions[path]) continue
+          let i = 1
+
+          for (; i < w.ref.length; i++) {
+            if (model.definitions[`${path}.${w.ref[i]}`]) path += `.${w.ref[i]}`
+            else break
+          }
+
+          w.ref = [path, ...w.ref.slice(i)]
+        }
+      }
+    }
+  }
+
+  // apply restriction
+  req.query.where(restrictionForTarget)
+}
+
+const _getFromWithIsActiveEntityRemoved = from => {
+  for (const element of from.ref) {
+    if (element.where && isActiveEntityRequested(element.where)) {
+      element.where = removeIsActiveEntityRecursively(element.where)
+    }
+  }
+
+  return from
+}
+
+const _getUnrestrictedCount = async req => {
+  const dbtx = cds.tx(req)
+  const target =
+    (req.query.UPDATE && req.query.UPDATE.entity) ||
+    (req.query.DELETE && req.query.DELETE.from) ||
+    (req.query.SELECT && req.query.SELECT.from)
+  const selectUnrestricted = SELECT.one(['count(*) as n']).from(target)
+  const whereUnrestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
+
+  if (whereUnrestricted) selectUnrestricted.where(whereUnrestricted)
+
+  // Because of side effects, the statements have to be fired sequentially.
+  const { n } = await dbtx.run(selectUnrestricted)
+  return n
+}
+
+const _getRestrictedCount = async (req, model, resolvedApplicables) => {
+  const dbtx = cds.tx(req)
+  const target =
+    (req.query.UPDATE && req.query.UPDATE.entity) ||
+    (req.query.DELETE && req.query.DELETE.from) ||
+    (req.query.SELECT && req.query.SELECT.from)
+  const selectRestricted = SELECT.one(['count(*) as n']).from(target)
+  const whereRestricted = (req.query.UPDATE && req.query.UPDATE.where) || (req.query.DELETE && req.query.DELETE.where)
+
+  if (whereRestricted) selectRestricted.where(whereRestricted)
+
+  if (typeof selectRestricted.SELECT === 'object') {
+    selectRestricted.SELECT.from.ref = _addWheresToRef(selectRestricted.SELECT.from.ref, model, resolvedApplicables)
+  }
+
+  const restrictionForTarget = _getRestrictionForTarget(resolvedApplicables, req.target)
+  if (restrictionForTarget) selectRestricted.where(restrictionForTarget)
+
+  const { n } = await dbtx.run(cqn2cqn4sql(selectRestricted, model, { suppressSearch: true }))
+  return n
+}
+
+// eslint-disable-next-line complexity
+async function handler(req) {
+  if (req.user._is_privileged || DRAFT_EVENTS[req.event]) {
+    // > skip checks (events in DRAFT_EVENTS are checked in draft handlers via InProcessByUser)
+    return
+  }
+
+  const authRelevantEntity = getAuthRelevantEntity(req, this.model, ['@requires', '@restrict'])
+  const definition =
+    authRelevantEntity ||
+    (req.target && req.target.actions && req.target.actions[req.event]) ||
+    (this.operations && this.operations[req.event])
+
+  if (!definition) {
+    // > nothing to restrict
+    return
+  }
+
+  let restrictions = this.getRestrictions(definition, req.event, req.user)
+  if (restrictions instanceof Promise) restrictions = await restrictions
+  if (!restrictions) {
+    // > unrestricted
+    return
+  }
+
+  if (!restrictions.length) {
+    // > no applicable restrictions -> 403
+    reject(req, getRejectReason(req, '@restrict', definition))
+  }
+  // normalize
+  restrictions = getNormalizedPlainRestrictions(restrictions, definition)
+  // at least one if the user's roles grants unrestricted access => done
+  if (restrictions.some(restrict => !restrict.where)) return
+
+  const resolvedApplicables = _getResolvedApplicables(restrictions, req)
+
+  // REVISIT: support more complex statics
+  if (_isStaticAuth(resolvedApplicables)) {
+    return _handleStaticAuth(resolvedApplicables, req)
+  }
+
+  if (req.event === 'READ') {
+    _addRestrictionsToRead(req, this.model, resolvedApplicables)
+    return
+  }
+
+  // no modification -> nothing more to do
+  if (!MOD_EVENTS[req.event]) return
+
+  if (req.query.DELETE) req.query.DELETE.from = _getFromWithIsActiveEntityRemoved(req.query.DELETE.from)
+  if (req.query.SELECT) req.query.SELECT.from = _getFromWithIsActiveEntityRemoved(req.query.SELECT.from)
+
+  // REVISIT: selected data could be used for etag check, diff, etc.
+
+  /*
+   * Here we check if UPDATE/DELETE requests add additional restrictions
+   * Note: Needs to happen sequentially because of side effects
+   */
+  const unrestrictedCount = await _getUnrestrictedCount(req)
+  if (unrestrictedCount === 0) req.reject(404)
+
+  const restrictedCount = await _getRestrictedCount(req, this.model, resolvedApplicables)
+
+  if (restrictedCount < unrestrictedCount) {
+    reject(req, getRejectReason(req, '@restrict', definition, restrictedCount, unrestrictedCount))
+  }
+
+  // for minor optimization in generic crud handler
+  req._authChecked = true
+}
+
+handler._initial = true
+
+module.exports = handler

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -0,0 +1,85 @@
+const _getLocalName = definition => {
+  return definition._service ? definition.name.replace(`${definition._service.name}.`, '') : definition.name
+}
+
+const _getRestrictWithEventRewrite = (grant, to, where, target) => {
+  // REVISIT: req.event should be 'SAVE' and 'PREPARE'
+  if (grant === 'SAVE') grant = 'draftActivate'
+  else if (grant === 'PREPARE') grant = 'draftPrepare'
+  return { grant, to, where, target }
+}
+
+const WRITE = ['CREATE', 'UPDATE', 'DELETE']
+
+const _addNormalizedRestrictPerGrant = (grant, where, restrict, restricts, definition) => {
+  const to = restrict.to ? (Array.isArray(restrict.to) ? restrict.to : [restrict.to]) : ['any']
+
+  if (definition.kind === 'entity') {
+    if (grant === 'WRITE') {
+      WRITE.forEach(g => {
+        restricts.push(_getRestrictWithEventRewrite(g, to, where, definition))
+      })
+    } else {
+      restricts.push(_getRestrictWithEventRewrite(grant, to, where, definition))
+    }
+  } else {
+    restricts.push({ grant: _getLocalName(definition), to, where, target: definition.parent })
+  }
+}
+
+const _addNormalizedRestrict = (restrict, restricts, definition) => {
+  const where = restrict.where
+    ? restrict.where.replace(/\$user/g, '$user.id').replace(/\$user\.id\./g, '$user.')
+    : undefined
+
+  restrict.grant = Array.isArray(restrict.grant) ? restrict.grant : [restrict.grant || '*']
+  restrict.grant.forEach(grant => _addNormalizedRestrictPerGrant(grant, where, restrict, restricts, definition))
+}
+
+const getNormalizedRestrictions = (definition, definitions, event) => {
+  const restricts = []
+
+  // own
+  definition['@restrict'] &&
+    definition['@restrict'].forEach(restrict => _addNormalizedRestrict(restrict, restricts, definition))
+
+  // bounds
+  const actions = definition.actions
+
+  if (actions && Object.keys(actions).some(k => actions[k]['@restrict'])) {
+    for (const k in actions) {
+      const action = actions[k]
+
+      if (action['@restrict']) {
+        restricts.push(...getNormalizedRestrictions(action, definitions))
+      } else if (!definition['@restrict']) {
+        // > no entity-level restrictions => unrestricted action
+        restricts.push({ grant: action.name, to: ['any'], target: action.parent })
+      }
+    }
+  }
+
+  return restricts
+}
+
+const _isGrantAccessAllowed = (eventName, restrict) => restrict.grant === '*' || restrict.grant === eventName
+const _isToAccessAllowed = (user, restrict) => restrict.to.some(role => user.is(role))
+
+const getApplicableRestrictions = (restrictions, event, user) => {
+  return restrictions.filter(restrict => {
+    const eventName = { NEW: 'CREATE', EDIT: 'UPDATE' }[event] || event
+    return _isGrantAccessAllowed(eventName, restrict) && _isToAccessAllowed(user, restrict)
+  })
+}
+
+const getNormalizedPlainRestrictions = (restrictions, definition) => {
+  const result = []
+  for (const restriction of restrictions) _addNormalizedRestrict(restriction, result, definition)
+  return result
+}
+
+module.exports = {
+  getNormalizedRestrictions,
+  getApplicableRestrictions,
+  getNormalizedPlainRestrictions
+}

package/libx/_runtime/common/generic/auth/utils.js

@@ -0,0 +1,213 @@
+const cds = require('../../../cds')
+const LOG = cds.log('app')
+
+const { CRUD_EVENTS } = require('./constants')
+
+const { getDraftTreeRoot } = require('../../utils/csn')
+
+const reject = (req, reason = null) => {
+  // unauthorized or forbidden?
+  if (req.user._is_anonymous) {
+    // REVISIT: challenges handling should be done in protocol adapter (i.e., express error middleware)
+    // REVISIT: improve `req._.req` check if this is an HTTP request
+    if (req._.req && req.user._challenges && req.user._challenges.length > 0) {
+      req._.res.set('WWW-Authenticate', req.user._challenges.join(';'))
+    }
+
+    // REVISIT: security log in else case?
+    return req.reject(401)
+  }
+
+  return req.reject({
+    code: 403,
+    internal: reason
+  })
+}
+
+const getRejectReason = (req, annotation, definition, restrictedCount, unrestrictedCount) => {
+  if (!LOG._debug) return
+  // it is not possible to specify the reason further than the source as there are multiple factors
+  const appendix = unrestrictedCount
+    ? ` (${unrestrictedCount - restrictedCount} out of ${unrestrictedCount} instances are restricted)`
+    : ''
+  return {
+    reason: `Access denied to user "${req.user.id}" for event "${req.event}"${appendix}`,
+    source: `${annotation} of "${definition.name}"`
+  }
+}
+
+const _getCurrentSubClause = (next, restrict) => {
+  const escaped = next[0].replace(/\$/g, '\\$').replace(/\./g, '\\.')
+  const re1 = new RegExp(`([\\w\\.']*)\\s*=\\s*(${escaped})|(${escaped})\\s*=\\s*([\\w\\.']*)`)
+  const re2 = new RegExp(`([\\w\\.']*)\\s*in\\s*(${escaped})|(${escaped})\\s*in\\s*([\\w\\.']*)`)
+  const clause = restrict.where.match(re1) || restrict.where.match(re2)
+
+  if (clause) return clause
+
+  // NOTE: arrayed attr with "=" as operator is some kind of legacy case
+  throw new Error('user attribute array must be used with operator "=" or "in"')
+}
+
+const _processUserAttr = (next, restrict, user, attr) => {
+  const clause = _getCurrentSubClause(next, restrict)
+  const valOrRef = clause[1] || clause[4]
+
+  if (clause[0].match(/ in /)) {
+    if (!user[attr] || user[attr].length === 0) {
+      restrict.where = restrict.where.replace(clause[0], '1 = 2')
+    } else if (user[attr].length === 1) {
+      restrict.where = restrict.where.replace(clause[0], `${valOrRef} = '${user[attr][0]}'`)
+    } else {
+      restrict.where = restrict.where.replace(
+        clause[0],
+        `${valOrRef} in (${user[attr].map(ele => `'${ele}'`).join(', ')})`
+      )
+    }
+  } else if (valOrRef.startsWith("'") && user[attr].includes(valOrRef.split("'")[1])) {
+    restrict.where = restrict.where.replace(clause[0], `${valOrRef} = ${valOrRef}`)
+  } else {
+    restrict.where = restrict.where.replace(
+      clause[0],
+      `(${user[attr].map(ele => `${valOrRef} = '${ele}'`).join(' or ')})`
+    )
+  }
+}
+
+const _getShortcut = (attrs, attr) => {
+  // undefined
+  if (attrs[attr] === undefined) {
+    return '1 = 2'
+  }
+
+  // $UNRESTRICTED
+  if (
+    (typeof attrs[attr] === 'string' && attrs[attr].match(/\$UNRESTRICTED/i)) ||
+    (Array.isArray(attrs[attr]) && attrs[attr].some(a => a.match(/\$UNRESTRICTED/i)))
+  ) {
+    return '1 = 1'
+  }
+
+  return null
+}
+
+/*
+ * for supporting xssec v3
+ */
+const _getAttrsAsProxy = (attrs, additional = {}) => {
+  return new Proxy(
+    {},
+    {
+      get: function (_, attr) {
+        if (attr in additional) return additional[attr]
+        return attrs[attr]
+      }
+    }
+  )
+}
+
+/*
+ * resolves user attributes deeply, even though nested attributes are officially not supported
+ */
+const resolveUserAttrs = (restrict, req) => {
+  const _getNext = where => where.match(/\$user\.([\w.]*)/)
+  let next = _getNext(restrict.where)
+
+  while (next !== null) {
+    const parts = next[1].split('.')
+    let skip
+    let val
+    let attrs = _getAttrsAsProxy(req.user.attr, { id: req.user.id })
+    let attr = parts.shift()
+
+    while (attr) {
+      const shortcut = _getShortcut(attrs, attr)
+      if (shortcut) {
+        const clause = _getCurrentSubClause(next, restrict)
+        restrict.where = restrict.where.replace(clause[0], shortcut)
+        skip = true
+        break
+      }
+
+      if (Array.isArray(attrs[attr])) {
+        _processUserAttr(next, restrict, attrs, attr)
+        skip = true
+        break
+      }
+
+      val = !Number.isNaN(Number(attrs[attr])) && attr !== 'id' ? attrs[attr] : `'${attrs[attr]}'`
+      if (val === null || val === undefined) break
+
+      attrs = _getAttrsAsProxy(attrs[attr])
+      attr = parts.shift()
+    }
+
+    if (!skip) restrict.where = restrict.where.replace(next[0], val === undefined ? null : val)
+    next = _getNext(restrict.where)
+  }
+
+  return restrict
+}
+
+const _authDependsOnParent = (entity, annotations) => {
+  // @cds.autoexposed and not @cds.autoexpose -> not explicitly exposed by modeling
+  return (
+    entity.name.match(/\.DraftAdministrativeData$/) ||
+    (entity['@cds.autoexposed'] && !entity['@cds.autoexpose'] && !annotations.some(a => a in entity))
+  )
+}
+
+const cqnFrom = req => {
+  const { query } = req
+  if (!query) return
+  if (query.SELECT) return query.SELECT.from
+  if (query.INSERT) return query.INSERT.into
+  if (query.UPDATE) return query.UPDATE.entity
+  if (query.DELETE) return query.DELETE.from
+}
+
+const getAuthRelevantEntity = (req, model, annotations) => {
+  if (!req.target || !(req.event in CRUD_EVENTS)) return
+  if (!_authDependsOnParent(req.target, annotations)) return req.target
+
+  let cqn = cqnFrom(req)
+
+  // REVISIT: needed in draft for some reason
+  if (typeof cqn === 'string') cqn = { ref: [cqn] }
+
+  if (cqn.ref.length === 1 && req.target._isDraftEnabled) {
+    // > direct access to children in draft
+    const root = getDraftTreeRoot(req.target, model)
+    if (!root)
+      reject(
+        req,
+        LOG._debug ? { reason: `Unable to determine single draft tree root for entity "${req.target.name}"` } : null
+      )
+    return root
+  }
+
+  // find and return the restrictions (may be none!) of the right-most entity that is non-autoexposed or explicitly restricted
+  const segments = []
+  let current = { elements: model.definitions }
+  for (let i = 0; i < cqn.ref.length; i++) {
+    current = current.elements[cqn.ref[i].id || cqn.ref[i]]
+    if (current && current.target) current = model.definitions[current.target]
+    segments.push(current)
+  }
+  let authRelevantEntity
+  for (let i = segments.length - 1; i >= 0; i--) {
+    const segment = segments[i]
+    if (segment.kind === 'entity' && !_authDependsOnParent(segment, annotations)) {
+      authRelevantEntity = segment
+      break
+    }
+  }
+  return authRelevantEntity
+}
+
+module.exports = {
+  reject,
+  getRejectReason,
+  resolveUserAttrs,
+  cqnFrom,
+  getAuthRelevantEntity
+}

package/libx/_runtime/common/generic/crud.js

@@ -30,12 +30,13 @@ const _processorFn = req => {
   const { event, user, timestamp } = req
   const ts = new Date(timestamp).toISOString()
 
-  return ({ row, key, plain }) => {
-    const categories = plain.categories
-
-    for (const category of categories) {
-      if (category === '@cds.on.update' || (event === 'CREATE' && category === '@cds.on.insert')) {
+  return ({ row, key, plain, isRoot }) => {
+    for (const category of plain.categories) {
+      if (event === 'CREATE' && category === '@cds.on.insert') {
         replaceManagedData(row, key, user, ts)
+      } else if (category === '@cds.on.update') {
+        if (isRoot) replaceManagedData(row, key, user, ts)
+        else if (row[key] === '$user' || row[key] === '$now') delete row[key]
       }
     }
   }
@@ -93,8 +94,9 @@ module.exports = cds.service.impl(function () {
       if (res.length === 0) req.reject(404)
     }
 
+    // REVISIT: remove block with cds^6 (i.e., update_managed_properties is always true)
     // no changes, no op (otherwise, @cds.on.update gets new values), but we need to check existence
-    if (req.event === 'UPDATE' && onlyKeysRemain(req)) {
+    if (cds.env.features.update_managed_properties === false && req.event === 'UPDATE' && onlyKeysRemain(req)) {
       if (await _targetEntityDoesNotExist(req)) req.reject(404)
       result = req.data
     }

package/libx/_runtime/common/generic/etag.js

@@ -55,7 +55,7 @@ const _handler = async function (req) {
     }
 
     // generate new etag, if UUID
-    if (C_U_[req.event] && etagElement.type === 'cds.UUID') {
+    if (C_U_[req.event] && etagElement.isUUID) {
       req.data[etagElement.name] = cds.utils.uuid()
     }
   }