@sap/cds 5.9.5 → 5.9.8

package/CHANGELOG.md

@@ -4,6 +4,34 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 5.9.8 - 2022-06-24
+
+### Fixed
+
+- Application model is now again properly updated after extension activation
+- Avoid crashes during `cds version` when `folders.db` or `folders.srv` are array-valued instead of strings
+- `cds build` correctly validates MTX extension allow lists and doesn't log false positive warning messages
+
+## Version 5.9.7 - 2022-06-13
+
+### Fixed
+
+- Deleting a parent will delete all compositions, also texts
+- Views with aliased elements in `orderBy`
+
+## Version 5.9.6 - 2022-05-24
+
+### Fixed
+
+- Ignored requests in batch requests
+- `pool` module for logger facade is separated from `hana` database logger. Timeout error by acquiring client from pool is now enhanced with `_poolState` providing current pool attibutes.
+- Multiple errors did not have correct HTTP response status code
+- `POST|PUT|PATCH` requests with `charset` directive in `Content-Type` header (e.g. `Content-Type: application/json; charset=utf-8`) no longer issues an error "Invalid content type" in REST adapters
+- Call hana procedure:
+  + accepted are any symbols in a procedure name if it is delimited with a double quotation (`"`)
+  + fixed results for table output parameters when using `@sap/hana-client`; **limitation**: output parameters in a `CALL` statement must follow the same order used in a stored procedure definition
+- `@odata.context` considers `cds.env.odata.contextAbsoluteUrl` when requesting an OData Service
+
 ## Version 5.9.5 - 2022-05-09
 
 ### Fixed

package/bin/build/provider/mtx/index.js

@@ -127,26 +127,21 @@ class MtxModuleBuilder extends BuildTaskHandlerEdmx {
             }
         }
 
+        function isValid(e, pattern, nsPattern, kind) {
+            return e && e.name && (e.name === pattern || (nsPattern && e.name.startsWith(nsPattern))) && (!kind || e.kind === kind)
+        }
+
         if (extensionAllowlist || entityWhitelist || serviceWhitelist) {
             const invalidEntries = new Set()
             const reflected = this.cds.reflect(model)
-            const services = reflected.services
-            const entities = Object.values(reflected.entities)
 
             if (Array.isArray(extensionAllowlist)) {
                 extensionAllowlist.forEach(allowListEntry => {
                     if (Array.isArray(allowListEntry.for)) {
                         allowListEntry.for.forEach(pattern => {
                             if (pattern !== '*') {
-                                const nsPattern = pattern + '.'
-                                if (allowListEntry.kind === 'service') {
-                                    if (!services.some(service => service.name === pattern || service.name.startsWith(nsPattern))) {
-                                        invalidEntries.add(pattern)
-                                    }
-                                } else {
-                                    if (!entities.some(entity => entity.name === pattern || entity.name.startsWith(nsPattern))) {
-                                        invalidEntries.add(pattern)
-                                    }
+                                if (!reflected.find(e => isValid(e, pattern, pattern + '.', allowListEntry.kind))) {
+                                    invalidEntries.add(pattern)
                                 }
                             }
                         })
@@ -159,14 +154,14 @@ class MtxModuleBuilder extends BuildTaskHandlerEdmx {
                 // validate whitelist entries
                 if (Array.isArray(entityWhitelist)) {
                     entityWhitelist.forEach(name => {
-                        if (!entities.some(entity => entity.name === name && entity.kind === 'entity')) {
+                        if (!reflected.find(e => isValid(e, name, null, "entity"))) {
                             invalidEntries.add(name)
                         }
                     })
                 }
                 if (Array.isArray(serviceWhitelist)) {
                     serviceWhitelist.forEach(name => {
-                        if (!services.some(service => service.name === name && service.kind === 'service')) {
+                        if (!reflected.find(e => isValid(e, name, null, "service"))) {
                             invalidEntries.add(name)
                         }
                     })

package/bin/version.js

@@ -159,7 +159,7 @@ function _findMTX() {
 
     // mtx still not found via cds.env? Try looking in well-known subdirectories
     const folders = cds.env.folders
-                    ? [cds.env.folders.db, cds.env.folders.srv].filter(d => d)
+                    ? [cds.env.folders.db, cds.env.folders.srv].flat().filter(d => d)
                     : []
     let i = 0
     while(res[cdsmtx] === undefined && i < folders.length) {

package/libx/_runtime/cds-services/adapter/odata-v4/Dispatcher.js

@@ -33,8 +33,8 @@ class Dispatcher {
     }
 
     if (cds._mtxEnabled) {
-      cds.mtx.eventEmitter.on(cds.mtx.events.TENANT_UPDATED, async hash => {
-        this._extMap.delete(hash)
+      cds.mtx.eventEmitter.on(cds.mtx.events.TENANT_UPDATED, async tenant => {
+        this._extMap.delete(getModelHash(tenant))
       })
     }
   }

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -28,11 +28,7 @@ const _read = require('./handlers/read')
 const _action = require('./handlers/action')
 const { normalizeError, isClientError } = require('../../../common/error/frontend')
 
-let _i18n
-const i18n = (...args) => {
-  if (!_i18n) _i18n = require('../../../common/i18n')
-  return _i18n(...args)
-}
+const { getErrorMessage } = require('../../../common/error/utils')
 
 function _log(level, arg) {
   const { params } = arg
@@ -51,31 +47,30 @@ function _log(level, arg) {
   if (!obj.level) obj.level = arg.level
   if (!obj.timestamp) obj.timestamp = arg.timestamp
 
-  // replace messages in toLog with developer texts (i.e., undefined locale) iff level === 'error' (cf. req.reject() etc.)
-  const _message = obj.message
-  const _details = obj.details
   if (level === 'error') {
-    obj.message = i18n(obj.message || obj.code, undefined, obj.args) || obj.message
-    if (obj.details) {
-      const details = []
-      for (const d of obj.details) {
-        details.push(Object.assign({}, d, { message: i18n(d.message || d.code, undefined, d.args) || d.message }))
-      }
-      obj.details = details
-    }
-
     // reduce 4xx to warning
     if (isClientError(obj)) {
       if (!LOG._warn) {
         // restore
-        obj.message = _message
-        if (_details) obj.details = _details
         return
       }
       level = 'warn'
     }
   }
 
+  // replace messages in toLog with developer texts (i.e., undefined locale) (cf. req.reject() etc.)
+  const _message = obj.message
+  const _details = obj.details
+
+  obj.message = getErrorMessage(obj)
+  if (obj.details) {
+    const details = []
+    for (const d of obj.details) {
+      details.push(Object.assign({}, d, { message: getErrorMessage(d) }))
+    }
+    obj.details = details
+  }
+
   // log it
   LOG[level](obj)
 

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/deserializer/MultipartReader.js

@@ -243,7 +243,7 @@ class MultipartParser extends Reader {
     // the nested multipart is finished.
 
     if (this._stopPattern) {
-      if (cache.length - cache.getReadPos() < this._stopPattern.length) {
+      if (cache._length - cache.getReadPos() < this._stopPattern.length) {
         return true
       }
       if (cache.indexOf(this._stopPattern, cache.getSearchPosition()) === cache.getSearchPosition()) {

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/serializer/ContextURLFactory.js

@@ -28,14 +28,12 @@ class ContextURLFactory {
   createContextURL(uriInfo, expand, representationKind, providedKeyMap = new Map(), edm, request, logger) {
     const pathSegments = uriInfo.getPathSegments()
     const lastSegment = pathSegments[pathSegments.length - 1]
-
-    if (lastSegment.getKind() === ResourceKind.SERVICE) return '$metadata'
-    if (lastSegment.getKind() === ResourceKind.METADATA) return ''
-
     const contextUrlInfo = this._parseSegments(pathSegments, providedKeyMap, edm)
-
     const contextUrlPrefix = this._buildContextUrlPrefix(contextUrlInfo, pathSegments, request, logger)
 
+    if (lastSegment.getKind() === ResourceKind.SERVICE) return `${contextUrlPrefix}$metadata`
+    if (lastSegment.getKind() === ResourceKind.METADATA) return ''
+
     const finalEdmType = uriInfo.getFinalEdmType()
     const structuredType =
       finalEdmType && (finalEdmType.getKind() === EdmTypeKind.ENTITY || finalEdmType.getKind() === EdmTypeKind.COMPLEX)
@@ -93,6 +91,9 @@ class ContextURLFactory {
 
       const kind = segment.getKind()
       switch (kind) {
+        case ResourceKind.SERVICE:
+        case ResourceKind.METADATA:
+          return { result: '', isOnlyTyped, isEntity, hasReferencedSegment }
         case ResourceKind.ENTITY:
           target = segment.getEntitySet()
           result.unshift(

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/serializer/ServiceJsonSerializer.js

@@ -34,7 +34,7 @@ class ServiceJsonSerializer {
   serialize (data) {
     try {
       let outputJson = {
-        [JsonAnnotations.CONTEXT]: '$metadata',
+        [JsonAnnotations.CONTEXT]: data[MetaProperties.CONTEXT] || '$metadata',
         [JsonAnnotations.METADATA_ETAG]:
           data[MetaProperties.ETAG] === null || data[MetaProperties.ETAG] === undefined
             ? undefined

package/libx/_runtime/cds-services/adapter/rest/utils/header-checks.js

@@ -1,7 +1,11 @@
 const getError = require('../../../../common/error')
 
 const contentTypeCheck = req => {
-  if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
+  const contentType = req.headers['content-type'] && req.headers['content-type'].split(';')
+  if (
+    contentType &&
+    (!contentType[0].match(/^application\/json$/) || (typeof contentType[1] === 'string' && !contentType[1]))
+  ) {
     throw getError(415, 'INVALID_CONTENT_TYPE_ONLY_JSON')
   }
 }

package/libx/_runtime/common/composition/delete.js

@@ -135,20 +135,17 @@ function _getStaticWhere(allBackLinks, entity1) {
   }, [])
 }
 
-const _is2oneComposition = (element, model) => {
-  const csnElement = element.target && model.definitions[element.target].elements[element.name]
-  return csnElement && csnElement.is2one && csnElement._isCompositionEffective
-}
-
 const _addToCQNs = (cqns, subCQN, element, model, level) => {
+  // REVISIT:
+  // The compiler generates foreign-key constraints (except if !cds.env.features._db_foreign_key_constraints)
+  // and enables DELETE CASCADE. For these cases, the runtime doesn't need to delete compositions
+  // manually, it's done by the database itself.
+  // However, there are cases (unmanaged compositions), where this doesn't happen.
+  // As a first step, the runtime will delete _all_ compositions regardless of the database.
+  // In the future, the runtime can enable the deletion of only those compositions
+  // which wouldn't be deleted by the database.
   cqns[level] = cqns[level] || []
-  // Since `>2.5.2` compiler generates constraints for compositions of one like for annotations
-  // Thus only single 2one case (`$self`-managed composition) has DELETE CASCADE
-  // Here it's ignored to simplify i.e. handle all "2ones" in a same manner
-  // REVISIT: why is _db_foreign_key_constraints necessary?
-  if (!cds.env.features._db_foreign_key_constraints || _is2oneComposition(element, model)) {
-    cqns[level].push(subCQN)
-  }
+  cqns[level].push(subCQN)
 }
 
 // unofficial config!

package/libx/_runtime/common/error/frontend.js

@@ -6,6 +6,9 @@
  *   Error responses MAY contain annotations in any of its JSON objects.
  */
 
+const localeFrom = require('../../../../lib/req/locale')
+const { getErrorMessage } = require('./utils')
+
 let _i18n
 const i18n = (...args) => {
   if (!_i18n) _i18n = require('../i18n')
@@ -60,7 +63,7 @@ const _rewrite = error => {
 
 const _normalize = (err, locale, inner = false) => {
   // message (i18n)
-  err.message = i18n(err.message || err.code, locale, err.args) || err.message || `${err.code}`
+  err.message = getErrorMessage(err, locale)
 
   // only allowed properties
   const error = _getFiltered(err)
@@ -68,31 +71,37 @@ const _normalize = (err, locale, inner = false) => {
   // ensure code is set and a string
   error.code = String(error.code || 'null')
 
+  // REVISIT: code and message rewriting
+  _rewrite(error)
+
+  let statusCode = err.status || err.statusCode || (_isAllowedError(error.code) && error.code)
+
   // details
   if (!inner && err.details) {
-    error.details = err.details.map(ele => _normalize(ele, locale, true))
+    const childErrorCodes = new Set()
+    error.details = err.details.map(ele => {
+      const { error: childError, statusCode: childStatusCode } = _normalize(ele, locale, true)
+      childErrorCodes.add(childStatusCode)
+      return childError
+    })
+    statusCode = statusCode || _statusCodeFromDetails(childErrorCodes)
   }
 
-  // REVISIT: code and message rewriting
-  _rewrite(error)
+  // make sure it's a number, if it's an inner error don't set to 500, as will be set on root level if no other inner error has a statusCode
+  statusCode = statusCode ? Number(statusCode) : inner ? undefined : 500
 
-  return error
+  return { error, statusCode }
 }
 
 const _isAllowedError = errorCode => {
   return errorCode >= 300 && errorCode < 505
 }
 
-const localeFrom = require('../../../../lib/req/locale')
-
 // - for one unique value, we use it
 // - if at least one 5xx exists, we use 500
 // - else if at least one 4xx exists, we use 400
 // - else we use 500
-const _statusCodeFromDetails = details => {
-  const uniqueStatusCodes = new Set(
-    details.map(d => d.status || d.statusCode || d.code).map(c => (!isNaN(c) && Number(c)) || c)
-  )
+const _statusCodeFromDetails = uniqueStatusCodes => {
   if (uniqueStatusCodes.size === 1) return uniqueStatusCodes.values().next().value
   if ([...uniqueStatusCodes].some(s => s >= 500)) return 500
   if ([...uniqueStatusCodes].some(s => s >= 400)) return 400
@@ -101,17 +110,7 @@ const _statusCodeFromDetails = details => {
 
 const normalizeError = (err, req) => {
   const locale = req.locale || (req.locale = localeFrom(req))
-  const error = _normalize(err, locale)
-
-  // derive status code from err status OR root code OR matching detail codes
-  let statusCode = err.status || err.statusCode || (_isAllowedError(error.code) && error.code)
-  if (!statusCode && error.details) {
-    const detailsCode = _statusCodeFromDetails(error.details)
-    if (_isAllowedError(detailsCode)) statusCode = detailsCode
-  }
-
-  // make sure it's a number
-  statusCode = statusCode ? Number(statusCode) : 500
+  const { error, statusCode } = _normalize(err, locale)
 
   // REVISIT: make === 500 in cds^6
   // error[SKIP_SANITIZATION] is not an official API!!!
@@ -138,7 +137,7 @@ const _ensureSeverity = arg => {
 }
 
 const _normalizeMessage = (message, locale) => {
-  const normalized = _normalize(message, locale)
+  const { error: normalized } = _normalize(message, locale)
 
   // numericSeverity without @Common
   normalized.numericSeverity = _ensureSeverity(message.numericSeverity)
@@ -164,7 +163,7 @@ const getSapMessages = (messages, req) => {
 
 const isClientError = e => {
   // e.code may be undefined, string, number, ... -> NaN -> not a client error
-  const numericCode = e.statusCode || Number(e.code)
+  const numericCode = e.statusCode || e.status || Number(e.code)
   return numericCode >= 400 && numericCode < 500
 }
 

package/libx/_runtime/common/error/utils.js

@@ -0,0 +1,24 @@
+let _i18n
+// REVISIT does it really make sense to delay i18n require here?
+const i18n = (...args) => {
+  if (!_i18n) _i18n = require('../i18n')
+  return _i18n(...args)
+}
+
+/**
+ * Gets the localized error message for an error based on message, code, statusCode or status
+ * @param {*} error
+ * @param {*} locale can be undefined for default language
+ * @returns localized error message
+ */
+function getErrorMessage(error, locale) {
+  return (
+    i18n(error.message || error.code || error.status || error.statusCode, locale, error.args) ||
+    error.message ||
+    `${error.code || error.status || error.statusCode}`
+  )
+}
+
+module.exports = {
+  getErrorMessage
+}

package/libx/_runtime/common/generic/sorting.js

@@ -27,7 +27,10 @@ const _getStaticOrders = req => {
 
   if (entity.query && entity.query.SELECT && entity.query.SELECT.orderBy) {
     const orderBy = entity.query.SELECT.orderBy
-    const ordersFromView = orderBy.map(keyName => ({ by: { '=': keyName.ref[0] }, desc: keyName.sort === 'desc' }))
+    const ordersFromView = orderBy.map(keyName => ({
+      by: { '=': keyName.ref[keyName.ref.length - 1] },
+      desc: keyName.sort === 'desc'
+    }))
     return [...ordersFromView, ...defaultOrders, ...ordersFromKeys]
   }
 

package/libx/_runtime/hana/execute.js

@@ -49,13 +49,10 @@ function _getBinaries(stmt) {
 
 const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}={2})$/
 
-function _isProcedureCall(sql) {
-  return sql.trim().match(/^call \s*"{0,1}\w*/i)
-}
-
 function _getProcedureName(sql) {
-  const match = sql.trim().match(/^call \s*"{0,1}(\w*)/i)
-  return match && match[1]
+  // name delimited with "" allows any character
+  const match = sql.trim().match(/^call \s*(("(?<delimited>.+)")|(?<undelimited>\w+))\s*\(/i)
+  return match && (match.groups.undelimited || match.groups.delimited)
 }
 
 function _hdbGetResultForProcedure(rows, args, outParameters) {
@@ -83,14 +80,16 @@ function _hcGetResultForProcedure(stmt, resultSet, outParameters) {
     }
   }
   // merge table output params into scalar params
-  if (outParameters && outParameters.length) {
-    const params = outParameters.filter(md => !(md.PARAMETER_NAME in result))
+  const params = Array.isArray(outParameters) && outParameters.filter(md => !(md.PARAMETER_NAME in result))
+  if (params && params.length) {
     let i = 0
-    while (resultSet.next()) {
-      result[params[i].PARAMETER_NAME] = [resultSet.getValues()]
-      resultSet.nextResult()
-      i++
-    }
+    do {
+      const parameterName = params[i++].PARAMETER_NAME
+      result[parameterName] = []
+      while (resultSet.next()) {
+        result[parameterName].push(resultSet.getValues())
+      }
+    } while (resultSet.nextResult())
   }
   return result
 }
@@ -132,10 +131,9 @@ function _executeAsPreparedStatement(dbc, sql, values, reject, resolve) {
 
     // procedure call metadata
     let outParameters
-    const isProcedureCall = _isProcedureCall(sql)
-    if (isProcedureCall) {
+    const procedureName = _getProcedureName(sql)
+    if (procedureName) {
       try {
-        const procedureName = _getProcedureName(sql)
         outParameters = await _getProcedureMetadata(procedureName, dbc)
       } catch (e) {
         LOG._warn && LOG.warn('Unable to fetch procedure metadata due to error:', e)
@@ -143,7 +141,7 @@ function _executeAsPreparedStatement(dbc, sql, values, reject, resolve) {
     }
 
     // on @sap/hana-client, we need to use execQuery in case of calling procedures
-    stmt[isProcedureCall && dbc.name !== 'hdb' ? 'execQuery' : 'exec'](values, function (err, rows, ...args) {
+    stmt[procedureName && dbc.name !== 'hdb' ? 'execQuery' : 'exec'](values, function (err, rows, ...args) {
       if (err) {
         stmt.drop(() => {})
         err.query = sql
@@ -152,7 +150,7 @@ function _executeAsPreparedStatement(dbc, sql, values, reject, resolve) {
       }
 
       let result
-      if (isProcedureCall) {
+      if (procedureName) {
         result =
           dbc.name === 'hdb'
             ? _hdbGetResultForProcedure(rows, args, outParameters)
@@ -183,7 +181,7 @@ function _executeSimpleSQL(dbc, sql, values) {
       values = Object.values(values)
     }
     // ensure that stored procedure with parameters is always executed as prepared
-    if (_hasValues(values) || _isProcedureCall(sql)) {
+    if (_hasValues(values) || !!_getProcedureName(sql)) {
       _executeAsPreparedStatement(dbc, sql, values, reject, resolve)
     } else {
       dbc.exec(sql, function (err, result) {

package/libx/_runtime/hana/pool.js

@@ -1,5 +1,5 @@
 const cds = require('../cds')
-const LOG = cds.log('hana|db|sql')
+const LOG = cds.log('pool|db')
 
 const { pool } = require('@sap/cds-foss')
 const hana = require('./driver')
@@ -225,6 +225,9 @@ async function resilientAcquire(pool, attempts = 1) {
   err.message =
     'Acquiring client from pool timed out. Please review your system setup, transaction handling, and pool configuration.'
   err._attempts = attempt
+  const { borrowed, pending, size, available, max } = pool
+  err._poolState = { borrowed, pending, size, available, max }
+  LOG._debug && LOG.debug(err)
   throw err
 }
 

package/libx/rest/RestAdapter.js

@@ -22,14 +22,14 @@ class RestAdapter extends express.Router {
 
     alias2ref(srv)
 
-    this.use(express.json())
-
     // pass srv-reated stuff to middlewares via req
     this.use('/', (req, res, next) => {
       req._srv = srv
       next()
     })
 
+    this.use(express.json())
+
     // check @requires as soon as possible (DoS)
     this.use('/', auth)
 

package/libx/rest/middleware/content.js

@@ -3,7 +3,11 @@ const UPDATE = { PUT: 1, PATCH: 1 }
 
 module.exports = (req, res, next) => {
   if (PPP[req.method]) {
-    if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
+    const contentType = req.headers['content-type'] && req.headers['content-type'].split(';')
+    if (
+      contentType &&
+      (!contentType[0].match(/^application\/json$/) || (typeof contentType[1] === 'string' && !contentType[1]))
+    ) {
       throw { statusCode: 415, code: '415', message: 'INVALID_CONTENT_TYPE_ONLY_JSON' }
     }
     if (UPDATE[req.method] && Array.isArray(req.body)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "5.9.5",
+  "version": "5.9.8",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [