@sap/cds 5.9.8 → 6.0.3

package/libx/_runtime/audit/Service.js

@@ -7,7 +7,7 @@ const ANONYMOUS = 'anonymous'
 
 const _getTenantAndUser = () => ({
   user: (cds.context && cds.context.user && cds.context.user.id) || ANONYMOUS,
-  tenant: (cds.context && cds.context.tenant) || ANONYMOUS
+  tenant: cds.context && cds.context.tenant
 })
 
 module.exports = class AuditLogService extends OutboxService {
@@ -117,7 +117,7 @@ module.exports = class AuditLogService extends OutboxService {
     let { tenant, user } = _getTenantAndUser()
 
     // cds.context may not be proper on auth-related errors -> try to extract from data
-    if (tenant === ANONYMOUS && user === ANONYMOUS) {
+    if (!tenant && user === ANONYMOUS) {
       try {
         const parsed = JSON.parse(data)
         if (parsed.tenant) {
@@ -129,7 +129,9 @@ module.exports = class AuditLogService extends OutboxService {
           delete parsed.user
         }
         data = JSON.stringify(parsed)
-      } catch (e) {}
+      } catch (e) {
+        // ignore
+      }
     }
 
     // build the log
@@ -140,7 +142,7 @@ module.exports = class AuditLogService extends OutboxService {
   }
 
   // REVISIT: action and success not used in auditlog v2
-  async _configChangeLog({ data: { action, success, configurations } }) {
+  async _configChangeLog({ data: { configurations } }) {
     const { tenant, user } = _getTenantAndUser()
 
     // build the logs

package/libx/_runtime/audit/generic/personal/access.js

@@ -13,8 +13,6 @@ const {
   resolveDataSubjectPromises
 } = require('./utils')
 
-let auditLogService
-
 const _processorFnAccess = (accessLogs, model, req) => {
   return ({ row, key, element, plain }) => {
     if (row.IsActiveEntity === false) return
@@ -22,64 +20,42 @@ const _processorFnAccess = (accessLogs, model, req) => {
     const entity = getRootEntity(element)
 
     // create or augment log entry
-    const accessLog = createLogEntry(accessLogs, entity, row)
+    const entry = createLogEntry(accessLogs, entity, row)
 
     // process categories
     for (const category of plain.categories) {
-      if (category === 'ObjectID') {
-        addObjectID(accessLog, row, key)
-      } else if (category === 'DataSubjectID') {
-        addDataSubject(accessLog, row, key, entity)
-      } else if (category === 'IsPotentiallySensitive' && key in row) {
-        // add attribute
-        if (!accessLog.attributes.find(ele => ele.name === key)) accessLog.attributes.push({ name: key })
+      if (category === 'ObjectID') addObjectID(entry, row, key)
+      else if (category === 'DataSubjectID') addDataSubject(entry, row, key, entity)
+      else if (category === 'IsPotentiallySensitive' && key in row) {
+        if (!entry.attributes.some(e => e.name === key)) entry.attributes.push({ name: key })
         // REVISIT: attribute vs. attachment?
       }
     }
 
     // add promise to determine data subject if a DataSubjectDetails entity
+    const semantics = entity['@PersonalData.EntitySemantics']
     if (
-      (entity['@PersonalData.EntitySemantics'] === 'DataSubjectDetails' ||
-        entity['@PersonalData.EntitySemantics'] === 'Other') &&
-      accessLog.dataSubject.id.length === 0 // > id still an array -> promise not yet set
+      (semantics === 'DataSubjectDetails' || semantics === 'Other') &&
+      entry.dataSubject.id.length === 0 // > id still an array -> promise not yet set
     ) {
-      addDataSubjectForDetailsEntity(row, accessLog, req, entity, model)
+      addDataSubjectForDetailsEntity(row, entry, req, entity, model)
     }
   }
 }
 
-const _getDataAccessLogs = (data, req, tx) => {
-  const template = getTemplate(
-    'personal_read',
-    Object.assign({ name: req.target._service.name, model: tx.model }),
-    req.target,
-    { pick: getPick('READ') }
-  )
-
+const auditAccessHandler = async function (data, req) {
+  const auditLogService = await cds.connect.to('audit-log')
+  const mock = Object.assign({ name: req.target._service.name, model: this.model })
+  const template = getTemplate('personal_read', mock, req.target, { pick: getPick('READ') })
+  if (!template.elements.size) return
   const accessLogs = {}
-
   if (typeof data === 'object' && data !== null) {
-    const processFn = _processorFnAccess(accessLogs, tx.model, req)
+    const processFn = _processorFnAccess(accessLogs, this.model, req)
     const data_ = Array.isArray(data) ? data : [data]
-    data_.forEach(row => {
-      templateProcessor({ processFn, row, template })
-    })
+    data_.forEach(row => templateProcessor({ processFn, row, template }))
+    const accesses = (await resolveDataSubjectPromises(accessLogs)).filter(ele => ele.attributes.length)
+    if (accesses.length) await auditLogService.emit('dataAccessLog', { accesses })
   }
-
-  return accessLogs
 }
 
-const auditAccessHandler = async function (data, req) {
-  auditLogService = auditLogService || (await cds.connect.to('audit-log'))
-
-  const accessLogs = _getDataAccessLogs(data, req, this)
-  // REVISIT: a function called resolveDataSubjectPromises should not also convert an object to an array
-  let accesses = await resolveDataSubjectPromises(accessLogs)
-  accesses = accesses.filter(ele => ele.attributes.length)
-
-  if (accesses.length) await auditLogService.emit('dataAccessLog', { accesses })
-}
-
-module.exports = {
-  auditAccessHandler
-}
+module.exports = { auditAccessHandler }

package/libx/_runtime/audit/generic/personal/index.js

@@ -1,5 +1,4 @@
 const cds = require('../../../cds')
-
 const {
   attachDiffToContextHandler,
   calcModificationLogsHandler4Before,
@@ -8,43 +7,50 @@ const {
 } = require('./modification')
 const { auditAccessHandler } = require('./access')
 
-module.exports = function () {
-  /*
-   * prep context
-   */
-  this.before('*', req => (req.context._audit = req.context._audit || {}))
-
-  /*
-   * data modification
-   */
+exports.impl = cds.service.impl(function () {
+  if (!cds.db) return cds.on('connect', srv => srv instanceof cds.DatabaseService && exports.impl.call(this))
   // REVISIT: diff() doesn't work in srv after phase but foreign key propagation has not yet taken place in srv before phase
   //          -> calc diff in db layer and store in audit data structure at context
   //          -> REVISIT for GA: clear req._.partialPersistentState?
   attachDiffToContextHandler._initial = true
-  for (const entity of Object.values(this.entities).filter(e => e._auditCreate)) {
-    cds.db.before('CREATE', entity, attachDiffToContextHandler)
-    // create -> all new -> calcModificationLogsHandler in after phase
-    cds.db.after('CREATE', entity, calcModificationLogsHandler4After)
-    this.after('CREATE', entity, emitModificationHandler)
-  }
-  for (const entity of Object.values(this.entities).filter(e => e._auditUpdate)) {
-    cds.db.before('UPDATE', entity, attachDiffToContextHandler)
-    // update -> mixed (via deep) -> calcModificationLogsHandler in before and after phase
-    cds.db.before('UPDATE', entity, calcModificationLogsHandler4Before)
-    cds.db.after('UPDATE', entity, calcModificationLogsHandler4After)
-    this.after('UPDATE', entity, emitModificationHandler)
-  }
-  for (const entity of Object.values(this.entities).filter(e => e._auditDelete)) {
-    cds.db.before('DELETE', entity, attachDiffToContextHandler)
-    // delete -> all done -> calcModificationLogsHandler in before phase
-    cds.db.before('DELETE', entity, calcModificationLogsHandler4Before)
-    this.after('DELETE', entity, emitModificationHandler)
-  }
+  for (const e of this.entities) {
+    if (!_hasPersonalData(e)) continue
 
-  /*
-   * data access
-   */
-  for (const entity of Object.values(this.entities).filter(e => e._auditRead)) {
-    this.after('READ', entity, auditAccessHandler)
+    if (e['@AuditLog.Operation.Insert']) {
+      cds.db.before('CREATE', e, attachDiffToContextHandler)
+      // create -> all new -> calcModificationLogsHandler in after phase
+      cds.db.after('CREATE', e, calcModificationLogsHandler4After)
+      this.after('CREATE', e, emitModificationHandler)
+    }
+
+    if (e['@AuditLog.Operation.Update']) {
+      cds.db.before('UPDATE', e, attachDiffToContextHandler)
+      // update -> mixed (via deep) -> calcModificationLogsHandler in before and after phase
+      cds.db.before('UPDATE', e, calcModificationLogsHandler4Before)
+      cds.db.after('UPDATE', e, calcModificationLogsHandler4After)
+      this.after('UPDATE', e, emitModificationHandler)
+    }
+
+    if (e['@AuditLog.Operation.Delete']) {
+      cds.db.before('DELETE', e, attachDiffToContextHandler)
+      // delete -> all done -> calcModificationLogsHandler in before phase
+      cds.db.before('DELETE', e, calcModificationLogsHandler4Before)
+      this.after('DELETE', e, emitModificationHandler)
+    }
+
+    if (e['@AuditLog.Operation.Read']) {
+      this.after('READ', e, auditAccessHandler)
+    }
   }
+})
+
+const _hasPersonalData = e => {
+  if (!e['@PersonalData.DataSubjectRole']) return
+  if (!e['@PersonalData.EntitySemantics']) return
+  return !!Object.values(e.elements).some(
+    e =>
+      e['@PersonalData.IsPotentiallyPersonal'] ||
+      e['@PersonalData.IsPotentiallySensitive'] ||
+      (e['@PersonalData.FieldSemantics'] && e['@PersonalData.FieldSemantics'] === 'DataSubjectID')
+  )
 }

package/libx/_runtime/audit/generic/personal/modification.js

@@ -18,8 +18,9 @@ let auditLogService
 
 const attachDiffToContextHandler = async function (req) {
   // store diff in audit data structure at context
-  if (!req.context._audit.diffs) req.context._audit.diffs = new Map()
-  req.context._audit.diffs.set(req._.query, await req.diff())
+  const _audit = req.context._audit || (req.context._audit = {})
+  if (!_audit.diffs) _audit.diffs = new Map()
+  _audit.diffs.set(req._.query, await req.diff())
 }
 
 const _getOldAndNew = (action, row, key) => {
@@ -38,10 +39,10 @@ const _addAttribute = (log, action, row, key) => {
   }
 }
 
-const _processorFnModification = (modificationLogs, model, req, beforeWrite) => processArgs => {
-  if (!processArgs.row._op) return
+const _processorFnModification = (modificationLogs, model, req, beforeWrite) => elementInfo => {
+  if (!elementInfo.row._op) return
 
-  const { row, key, element, plain } = processArgs
+  const { row, key, element, plain } = elementInfo
 
   // delete in before phase, create and update in after phase
   if ((row._op === 'delete') !== !!beforeWrite) return
@@ -91,12 +92,13 @@ const _getDataModificationLogs = (req, tx, diff, beforeWrite) => {
 const _calcModificationLogsHandler = async function (req, beforeWrite, that) {
   const mapKey = getMapKeyForCurrentRequest(req)
 
-  const modificationLogs = _getDataModificationLogs(req, that, req.context._audit.diffs.get(mapKey), beforeWrite)
+  const _audit = req.context._audit || (req.context._audit = {})
+  const modificationLogs = _getDataModificationLogs(req, that, _audit.diffs.get(mapKey), beforeWrite)
 
   // store modificationLogs in audit data structure at context
-  if (!req.context._audit.modificationLogs) req.context._audit.modificationLogs = new Map()
-  const existingLogs = req.context._audit.modificationLogs.get(mapKey) || {}
-  req.context._audit.modificationLogs.set(mapKey, Object.assign(existingLogs, modificationLogs))
+  if (!_audit.modificationLogs) _audit.modificationLogs = new Map()
+  const existingLogs = _audit.modificationLogs.get(mapKey) || {}
+  _audit.modificationLogs.set(mapKey, Object.assign(existingLogs, modificationLogs))
 
   // execute the data subject promises before going along to on phase
   // guarantees that the reads are executed before the data is modified

package/libx/_runtime/audit/generic/personal/utils.js

@@ -3,11 +3,11 @@ const cds = require('../../../cds')
 const { getDataSubject } = require('../../../common/utils/csn')
 
 const WRITE = { CREATE: 1, UPDATE: 1, DELETE: 1 }
-const ASPECTS = { CREATE: '_auditCreate', READ: '_auditRead', UPDATE: '_auditUpdate', DELETE: '_auditDelete' }
 
 const getMapKeyForCurrentRequest = req => {
   // running in srv or db layer? -> srv's req.query used as key of diff and logs maps at req.context
-  return req._tx instanceof cds.DatabaseService ? req._.query : req.query
+  // REVISIT: req._tx should not be used like that!
+  return req.tx instanceof cds.DatabaseService ? req._.query : req.query
 }
 
 const getRootEntity = element => {
@@ -18,7 +18,13 @@ const getRootEntity = element => {
 
 const getPick = event => {
   return (element, target) => {
-    if (!target[ASPECTS[event]]) return
+    const annotation = {
+      CREATE: '@AuditLog.Operation.Insert',
+      UPDATE: '@AuditLog.Operation.Update',
+      DELETE: '@AuditLog.Operation.Delete',
+      READ: '@AuditLog.Operation.Read'
+    }[event]
+    if (!annotation || !target[annotation]) return
     const categories = []
     if (!element.isAssociation && element.key) categories.push('ObjectID')
     if (
@@ -125,9 +131,10 @@ const addDataSubjectForDetailsEntity = (row, log, req, entity, model) => {
    * store (in audit data structure at context) and reuse a single promise to look up the respective data subject
    */
   const mapKey = getMapKeyForCurrentRequest(req)
-  if (!req.context._audit.dataSubjects) req.context._audit.dataSubjects = new Map()
-  if (!req.context._audit.dataSubjects.has(mapKey)) req.context._audit.dataSubjects.set(mapKey, new Map())
-  const map = req.context._audit.dataSubjects.get(mapKey)
+  const _audit = req.context._audit || (req.context._audit = {})
+  if (!_audit.dataSubjects) _audit.dataSubjects = new Map()
+  if (!_audit.dataSubjects.has(mapKey)) _audit.dataSubjects.set(mapKey, new Map())
+  const map = _audit.dataSubjects.get(mapKey)
   if (map.has(role)) log.dataSubject.id = map.get(role)
   // REVISIT by downward lookups row might already contain ID - some potential to optimize
   else map.set(role, _getDataSubjectIdPromise(dataSubjectInfo, row, req, model))

package/libx/_runtime/audit/utils/v2.js

@@ -97,7 +97,8 @@ function buildDataAccessLogs(alc, accesses, tenant, user) {
   for (const access of accesses) {
     try {
       const { dataObject, dataSubject } = getObjectAndDataSubject(access)
-      const entry = alc.read(dataObject).dataSubject(dataSubject).tenant(tenant).by(user)
+      const entry = alc.read(dataObject).dataSubject(dataSubject).by(user)
+      if (tenant) entry.tenant(tenant)
       for (const each of access.attributes) entry.attribute(each)
       for (const each of access.attachments) entry.attachment(each)
       entries.push(entry)
@@ -117,7 +118,8 @@ function buildDataModificationLogs(alc, modifications, tenant, user) {
   for (const modification of modifications) {
     try {
       const { dataObject, dataSubject } = getObjectAndDataSubject(modification)
-      const entry = alc.update(dataObject).dataSubject(dataSubject).tenant(tenant).by(user)
+      const entry = alc.update(dataObject).dataSubject(dataSubject).by(user)
+      if (tenant) entry.tenant(tenant)
       for (const each of modification.attributes) entry.attribute(getAttributeToLog(each))
       entries.push(entry)
     } catch (err) {
@@ -151,7 +153,8 @@ function buildConfigChangeLogs(alc, configurations, tenant, user) {
   for (const configuration of configurations) {
     try {
       const { dataObject } = getObjectAndDataSubject(configuration)
-      const entry = alc.configurationChange(dataObject).tenant(tenant).by(user)
+      const entry = alc.configurationChange(dataObject).by(user)
+      if (tenant) entry.tenant(tenant)
       for (const each of configuration.attributes) entry.attribute(getAttributeToLog(each))
       entries.push(entry)
     } catch (err) {

package/libx/_runtime/auth/index.js

@@ -2,7 +2,7 @@ const cds = require('../cds')
 const LOG = cds.log()
 
 const _require = require('../common/utils/require')
-const { UNAUTHORIZED, isRestricted } = require('./utils')
+const { UNAUTHORIZED, FORBIDDEN, isRestricted } = require('./utils')
 
 let passport, logged
 
@@ -17,10 +17,6 @@ const _initializers = {
     const DummyStrategy = require('./strategies/dummy')
     passport.use(new DummyStrategy())
   },
-  dwc: () => {
-    const DwcStrategy = require('./strategies/dwc')
-    passport.use(new DwcStrategy())
-  },
   jwt: ({ credentials, uaa }) => {
     const JWTStrategy = require('./strategies/JWT')
     if (credentials) {
@@ -85,11 +81,16 @@ const _authCallback = (req, res, next, internalError, user, challenges) => {
   next()
 }
 
+const _mountCustomAuth = (srv, app, config) => {
+  const impl = cds.resolve(config.impl)
+  app.use(srv.path, _require(impl))
+}
+
 const _mountMockAuth = (srv, app, strategy, config) => {
   const impl =
     strategy === 'dummy'
       ? new (require('./strategies/dummy'))()
-      : new (require('./strategies/mock'))(config.users, `mock_${srv.name}`)
+      : new (require('./strategies/mock'))(config, `mock_${srv.name}`)
 
   app.use(srv.path, (req, res, next) => {
     let user, challenge
@@ -101,10 +102,18 @@ const _mountMockAuth = (srv, app, strategy, config) => {
 }
 
 const _mountPassportAuth = (srv, app, strategy, config) => {
-  passport = passport || _require('passport')
+  if (!config.credentials)
+    return (
+      LOG._warn &&
+      LOG.warn(`
+    No XSUAA instance bound to application, but "${config.strategy}" configured.
+    This is NOT recommended in production!
+  `)
+    )
+  if (!passport) passport = _require('passport')
 
   // initialize strategy
-  if (!_authenticators[strategy] || strategy === 'mock' || process.env.NODE_ENV === 'test') {
+  if (!_authenticators[strategy] || process.env.NODE_ENV === 'test') {
     _initializers[strategy](config, srv.name)
     _authenticators[strategy] = true
   }
@@ -125,78 +134,74 @@ const _mountPassportAuth = (srv, app, strategy, config) => {
 module.exports = (srv, app, options) => {
   // NOTE: options.auth is not an official API
   let config = 'auth' in options ? options.auth : cds.env.requires.auth
-
-  // cds.env.requires.auth = { kind: 'xsuaa-auth' } was briefly documented on capire -> also support
-  if (config && config.kind === 'xsuaa-auth' && !config.credentials) config = cds.env.requires.xsuaa
-
-  // mount custom authentication middleware
-  if (config && config.impl) {
-    app.use(srv.path, _require(cds.resolve(config.impl)))
-    return
-  }
-
-  const restricted = isRestricted(srv)
-  if (restricted && !config) {
-    // REVISIT: why exitCode needed?
-    process.exitCode = 1
-    throw new Error('Authentication required for authorization checks')
-  }
-
-  const isMultiTenant = cds.env.requires.db && cds.env.requires.db.multiTenant
-  if (isMultiTenant && !config) {
-    // REVISIT: why exitCode needed?
-    process.exitCode = 1
-    throw new Error('Authentication required for multitenancy')
-  }
-
   if (!config) {
-    if (!logged) {
-      const msg = 'No authentication configured'
-      if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
-      else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
+    if (cds.requires.db && cds.requires.multitenancy) {
+      process.exitCode = 1 // REVISIT: why exitCode needed?
+      throw new Error('Authentication required for multitenancy')
+    }
+    if (isRestricted(srv)) {
+      process.exitCode = 1 // REVISIT: why exitCode needed?
+      throw new Error('Authentication required for authorization checks')
+    }
+    if (process.env.NODE_ENV !== 'production' && !logged) {
+      LOG._warn && LOG.warn(`No authentication configured. This is not recommended in production.`)
     }
-
     // no auth wanted > return
     return
   }
 
-  // strategy from kind
-  let strategy
-  // compat for auth.strategy
-  if (config.strategy) {
-    strategy = config.strategy.toLowerCase()
-  }
-  strategy = strategy || config.kind.replace('-auth', '').toLowerCase()
-  if (strategy === 'mocked') strategy = 'mock'
+  // cds.env.requires.auth = { kind: 'xsuaa-auth' } was briefly documented on capire -> also support
+  if (config.kind === 'xsuaa-auth' && !config.credentials) config = cds.env.requires.xsuaa
 
-  if (!_initializers[strategy]) {
-    // REVISIT: why exitCode needed?
-    process.exitCode = 1
-    throw new Error(`Authentication kind "${config.kind}" is not supported`)
-  }
+  // mount authentication middleware or strategy
+  if (!logged) LOG._debug && LOG.debug(`Using authentication`, { kind: config.kind })
 
-  if (!logged) LOG._debug && LOG.debug(`Using authentication kind "${config.kind}"`)
+  // Security by default: set restrict_all_services if not disabled
+  // this is done dynamically to also cover custom auth impl
+  if (process.env.NODE_ENV === 'production' && config.restrict_all_services !== false) {
+    config.restrict_all_services = true
+  }
 
-  if (strategy in { dummy: 1, mock: 1 }) {
-    // > dummy or mock authentication (for development/testing)
-    _mountMockAuth(srv, app, strategy, config)
+  if (config.impl) {
+    // mount custom authentication middleware
+    _mountCustomAuth(srv, app, config)
   } else {
-    // if no restriction and no binding, don't mount passport middleware
-    if (!restricted && !config.credentials) {
-      if (!logged) {
-        const msg = `Service ${srv.name} is unrestricted`
-        if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
-        else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
-      }
-
-      // no auth wanted > return
-      return
+    // mount our authentication strategies (legacy style)
+    const strategy = _strategy4(config)
+    if (strategy in { dummy: 1, mock: 1 }) {
+      _mountMockAuth(srv, app, strategy, config)
+    } else {
+      _mountPassportAuth(srv, app, strategy, config)
     }
+  }
 
-    // > passport authentication
-    _mountPassportAuth(srv, app, strategy, config)
+  // Security by default: enforce authenticated users in production if auth service bound
+  if (
+    cds.requires.multitenancy ||
+    (process.env.NODE_ENV === 'production' && config.credentials && config.restrict_all_services)
+  ) {
+    if (!logged) LOG._debug && LOG.debug(`Enforcing authenticated users for all services`)
+    app.use(srv.path, _enforce_authenticated_user)
   }
 
   // so we don't log the same stuff multiple times
   logged = true
 }
+
+const _strategy4 = config => {
+  const strategy = config.strategy ? config.strategy.toLowerCase() : config.kind.replace('-auth', '')
+  if (strategy === 'mocked') return 'mock'
+  if (strategy in _initializers) return strategy
+  process.exitCode = 1 // REVISIT: why exitCode needed?
+  throw new Error(`Authentication kind "${config.kind}" is not supported`)
+}
+
+const _enforce_authenticated_user = (req, res, next) => {
+  if (req.user && req.user.is('authenticated-user')) return next() // pass if user is authenticated
+  if (!req.user || req.user._is_anonymous) {
+    if (req.user && req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
+    return res.status(401).json(UNAUTHORIZED) // no details to client // REVISIT: security log in else case?
+  } else {
+    return res.status(403).json(FORBIDDEN) // no details to client // REVISIT: security log?
+  }
+}

package/libx/_runtime/auth/strategies/JWT.js

@@ -21,10 +21,11 @@ class JWTStrategy extends JS {
       // create cds.User
       user = new cds.User({
         id: xssecUtils.getUserId(user, info),
-        tenant: xssecUtils.getTenant(info) || null,
-        _roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
+        roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
         attr: xssecUtils.getAttrForJWT(info)
       })
+      const tenant = xssecUtils.getTenant(info)
+      if (tenant) user.tenant = tenant
       // call "super.success"
       _success(user, info)
     }