@sap/cds 6.0.3 → 6.1.1

package/libx/_runtime/extensibility/linter.js

@@ -0,0 +1,32 @@
+const cds = require('../cds')
+
+const NamespaceChecker = require('./linter/namespace_checker')
+const AnnotationsChecker = require('./linter/annotations_checker')
+const AllowlistChecker = require('./linter/allowlist_checker')
+
+const LINTER_OPTIONS = ['element-prefix', 'extension-allowlist', 'namespace-blocklist']
+const LEGACY_OPTIONS = ['entity-whitelist', 'service-whitelist', 'namespace-blacklist']
+
+const linter = async (extCsn, fullCsn, extensionFilenames, req) => {
+  const conf = cds.env.requires['cds.xt.ExtensibilityService'] || cds.env.mtx
+  const compat = cds.env.mtx
+  const linter_options = {}
+  let x
+  for (let p of LINTER_OPTIONS) if ((x = conf[p] || compat[p])) linter_options[p] = x // eslint-disable-line no-cond-assign
+  for (let p of LEGACY_OPTIONS) if ((x = compat[p])) linter_options[p] = x // eslint-disable-line no-cond-assign
+  if (!Object.keys(linter_options).length) return
+
+  const reflectedCsn = cds.reflect(extCsn)
+  const compileBaseDir = global.cds.root
+  const warnings = await Promise.all([
+    NamespaceChecker.check(reflectedCsn, fullCsn, compileBaseDir, linter_options),
+    AnnotationsChecker.check(reflectedCsn, extensionFilenames, compileBaseDir, linter_options),
+    AllowlistChecker.check(reflectedCsn, fullCsn, extensionFilenames, compileBaseDir, linter_options)
+  ])
+  const linterWarnings = [].concat.apply([], warnings) // REVISIT: What are we doing here?
+  if (linterWarnings.length > 0) {
+    req.reject(422, linterWarnings[0]) // REVISIT: Why are we returning the first warning only?
+  }
+}
+
+module.exports = linter

package/libx/_runtime/extensibility/push.js

@@ -3,29 +3,29 @@ const path = require('path')
 const cds = require('../cds')
 
 const activate = require('./activate')
-const { validateExtension } = require('./validation')
-const { collectFiles, getCompilerError, exists } = require('./utils')
+const { collectFiles, getCompilerError } = require('./utils')
 const { packTarArchive, unpackTarArchive } = require('../../../lib/utils/resources')
+const linter = require('./linter')
 
 const TEMP_DIR = fs.realpathSync(require('os').tmpdir())
+const LOG = cds.log('mtx')
 
 const _compileProject = async function (extension, req) {
-  let csn, root
+  let csn, root, files
   try {
     root = await fs.promises.mkdtemp(`${TEMP_DIR}${path.sep}extension-`)
     await unpackTarArchive(extension, root)
-    csn = await cds.compile(collectFiles(root, ['.cds', '.json']), { flavor: 'parsed' })
+    files = collectFiles(root, ['.cds', '.csn']) // REVISIT: don't we have exactly one ext.csn file for all extensions?
+    csn = await cds.compile(files, { flavor: 'parsed' })
     if (csn.requires) delete csn.requires
   } catch (err) {
     if (err.messages) req.reject(400, getCompilerError(err.messages))
     else throw err
   } finally {
-    if (await exists(root)) {
-      await (fs.promises.rm || fs.promises.rmdir)(root, { recursive: true, force: true })
-    }
+    fs.promises.rm(root, { recursive: true, force: true }).catch(() => {})
   }
 
-  return csn
+  return { csn, files }
 }
 
 const base = async function (req) {
@@ -38,24 +38,81 @@ const base = async function (req) {
   return packTarArchive([...cdsFiles, ...csvFiles, ...i18nFiles], cds.root)
 }
 
+// const _copyFile = async function (file, dir) {
+//   const destination = path.join(dir, path.relative(cds.root, file))
+//   const dirname = path.dirname(destination)
+//   if (!(await exists(dirname))) await fs.promises.mkdir(dirname, { recursive: true })
+//   await fs.promises.copyFile(file, destination)
+// }
+
+const pull = async function (req) {
+  LOG.info(`pulling latest model for tenant '${req.tenant}'`)
+  const { 'cds.xt.ModelProviderService': mps } = cds.services
+  const csn = await mps.getCsn({
+    tenant: req.tenant,
+    toggles: Object.keys(cds.context.features || {}), // with all enabled feature extensions
+    base: true, // without any custom extensions
+    flavor: 'xtended'
+  })
+  // const csvObj = await cds.deploy.resources()
+  // const csvFiles = Object.keys(csvObj).filter(f => f.startsWith(cds.root) && !f.includes('node_modules'))
+  // const i18nFiles = collectFiles(cds.root, ['.properties'])
+
+  req._.res?.set('content-type', 'application/octet-stream; charset=binary')
+
+  let temp, tgz
+  try {
+    temp = await fs.promises.mkdtemp(`${TEMP_DIR}${path.sep}extension-`)
+    await fs.promises.writeFile(path.join(temp, 'index.csn'), cds.compile.to.json(csn))
+    // for (const file of csvFiles) await _copyFile(file, temp)
+    // for (const file of i18nFiles) await _copyFile(file, temp)
+    tgz = await packTarArchive(temp)
+  } finally {
+    fs.promises.rm(temp, { recursive: true, force: true }).catch(() => {})
+  }
+
+  return tgz
+}
+
 const push = async function (req) {
-  let { extension } = req.data
-  if (!extension || !extension.data) req.reject(400, 'Missing extension')
-  const csn = await _compileProject(extension.data, req)
-  if (!csn) req.reject(400, 'Missing or bad extension')
+  let { extension, tag } = req.data
+  if (!extension) req.reject(400, 'Missing extension')
+  const sources = typeof extension === 'string' ? Buffer.from(extension, 'base64') : extension
+  const { csn: extCsn, files } = await _compileProject(sources, req)
+  if (!extCsn) req.reject(400, 'Missing or bad extension')
+  if (!tag) tag = null
   const tenant = req.tenant
-  await validateExtension(csn, tenant, req)
+  if (tenant) cds.context = { tenant }
+
+  // remove current extension with tag
+  if (tag) {
+    await DELETE.from('cds.xt.Extensions').where({ tag })
+  }
+
+  LOG.info(`validating extension '${tag}' ...`)
+  // validation
+  const { 'cds.xt.ModelProviderService': mps } = cds.services
+  // REVISIT: Isn't that also done during activate?
+  const csn = await mps.getCsn(tenant, Object.keys(cds.context.features || {}))
+  try {
+    cds.extend(csn).with(extCsn)
+  } catch (err) {
+    return req.reject(400, getCompilerError(err.messages))
+  }
+  await linter(extCsn, csn, files, req)
 
+  // insert and activate extension
   const ID = cds.utils.uuid()
-  await cds.tx({ tenant }, async tx => {
-    await tx.run(
-      INSERT.into('cds.xt.Extensions').entries([
-        { ID, csn: JSON.stringify(csn), sources: extension.data, activated: 'database' }
-      ])
-    )
+  await INSERT.into('cds.xt.Extensions').entries({
+    ID,
+    csn: JSON.stringify(extCsn),
+    sources,
+    activated: 'database',
+    tag
   })
 
+  LOG.info(`activating extension '${tag}' ...`)
   await activate(ID, null, tenant)
 }
 
-module.exports = { base, push }
+module.exports = { base, push, pull }

package/libx/_runtime/extensibility/service.js

@@ -2,20 +2,37 @@ const cds = require('../cds')
 
 const addExtension = require('./addExtension')
 const { add, promote } = require('./add')
-const { base, push } = require('./push')
+const { base, push, pull } = require('./push')
+const { token } = require('./token')
 const { transformExtendedFieldsCREATE, transformExtendedFieldsUPDATE } = require('./handler/transformWRITE')
 const { transformExtendedFieldsREAD } = require('./handler/transformREAD')
 const { transformExtendedFieldsRESULT } = require('./handler/transformRESULT')
 
-module.exports = async function () {
-  this.on('addExtension', addExtension)
-  this.on('add', add)
-  this.on('promote', promote)
-  this.on('base', base)
-  this.on('push', push)
-  cds.db
-    .before('CREATE', transformExtendedFieldsCREATE)
-    .before('UPDATE', transformExtendedFieldsUPDATE)
-    .before('READ', transformExtendedFieldsREAD)
-    .after('READ', transformExtendedFieldsRESULT)
+module.exports = class ExtensibilityService extends cds.ApplicationService {
+  init() {
+    this.on('addExtension', addExtension)
+    this.on('add', add)
+    this.on('promote', promote)
+    this.on('base', base)
+    this.on('push', push)
+    this.on('pull', pull)
+
+    cds.on('served', () => cds.app.get('/-/cds/login/token', token))
+
+    const { 'cds.xt.ModelProviderService': mps } = cds.services
+    // REVISIT: mps._in_sidecar -> revisit options
+    if (!mps?._in_sidecar)
+      cds.db
+        .before('CREATE', transformExtendedFieldsCREATE)
+        .before('UPDATE', transformExtendedFieldsUPDATE)
+        .before('READ', transformExtendedFieldsREAD)
+        .after('READ', transformExtendedFieldsRESULT)
+
+    return super.init()
+  }
+
+  // REVISIT: Do we want to keep this?
+  get isExtensible() {
+    return false
+  }
 }

package/libx/_runtime/extensibility/token.js

@@ -0,0 +1,56 @@
+const { URL } = require('url')
+const cds = require('../../../lib')
+const LOG = cds.log()
+
+module.exports = {
+  async token(request, response) {
+    if (request.method === 'HEAD') {
+      response.status(204).send()
+      return
+    }
+
+    const { passcode, refresh_token, subdomain, clientid, clientsecret } = request.query
+    const { credentials } = cds.env.requires.auth
+    if (!credentials) {
+      cds.error(
+        'No auth credentials defined. The application is likely not bound to an authentication service instance.'
+      )
+    }
+
+    const parsedUrl = new URL(credentials.url)
+    parsedUrl.hostname = subdomain + '.' + parsedUrl.hostname.split('.').slice(1).join('.')
+
+    LOG.info(`Get auth token using URL ${parsedUrl}`)
+
+    if (clientid) {
+      LOG.info(`Using clientid/clientsecret from API call with clientid ${clientid}`)
+    }
+
+    const username = clientid ? clientid : credentials.clientid
+    const password = clientid ? clientsecret : credentials.clientsecret
+    const { xsappname } = cds.env.requires.auth?.credentials ?? cds.env.requires.uaa?.credentials ?? {}
+    const path =
+      (refresh_token
+        ? `oauth/token?grant_type=refresh_token&refresh_token=${refresh_token}`
+        : `oauth/token?grant_type=password&passcode=${encodeURIComponent(passcode)}`) +
+      `&scope=${encodeURIComponent(xsappname + '.cds.ExtensionDeveloper')}`
+
+    try {
+      const { data } = await require('axios').post(
+        parsedUrl + path,
+        { 'Content-Type': 'application/json' },
+        { auth: { username, password } }
+      )
+      response.send(data)
+    } catch (error) {
+      error.message = `Authentication failed with root cause '${error.message}'. Passcode URL: https://${parsedUrl.hostname}/passcode`
+      const {
+        constructor: { name },
+        message
+      } = error
+      const status = name in { JwtRequestError: 1, IncompleteJwtResponseError: 1 } ? 401 : error.response.status ?? 500
+      LOG.error(message)
+      response.status(status).send({ message, status })
+    }
+  }
+}

package/libx/_runtime/extensibility/utils.js

@@ -8,7 +8,7 @@ const EXT_BACK_PACK = 'extensions__'
 
 const getTargetRead = req => {
   let name = ''
-  if (req.query.SELECT.from.join) {
+  if (req.query.SELECT.from.join && req.query.SELECT.from.args) {
     // join
     name = req.query.SELECT.from.args.find(arg => arg.ref && arg.ref[0] !== 'DRAFT.DraftAdministativeData').ref[0]
   } else if (req.target.name.SET) {
@@ -63,15 +63,17 @@ const hasExtendedEntity = (req, model) => {
     return true
   }
 
-  if (req.query.SELECT.from.join) {
+  if (req.query.SELECT.from.join && req.query.SELECT.from.args) {
     return _hasExtendedEntityArgs(req.query.SELECT.from.args, model)
   }
 
-  if (req.target.name.SET) {
-    return isExtendedEntity(req.target.name.SET.args[0]._target.name, model)
-  }
+  if (req.target) {
+    if (req.target.name.SET) {
+      return isExtendedEntity(req.target.name.SET.args[0]._target.name, model)
+    }
 
-  return isExtendedEntity(req.target.name, model)
+    return isExtendedEntity(req.target.name, model)
+  }
 }
 
 const getExtendedFields = (entityName, model) => {

package/libx/_runtime/extensibility/validation.js

@@ -2,12 +2,12 @@ const cds = require('../cds')
 
 const { getCompilerError } = require('./utils')
 
-const validateCsn = (csn, req) => {
+const validateCsn = (csn, appCsn, req) => {
   if (!csn) req.reject(400, 'Missing extension')
   if (!csn.extensions) return
 
   csn.extensions.forEach(extension => {
-    if (!extension.extend || !cds.model.definitions[extension.extend]) {
+    if (!extension.extend || !appCsn.definitions[extension.extend]) {
       req.reject(400, 'Invalid extension. Parameter "extend" missing or malformed')
     }
 
@@ -17,7 +17,7 @@ const validateCsn = (csn, req) => {
   })
 }
 
-const validateExtensionFields = (csn, req) => {
+const validateExtensionFields = (csn, appCsn, req) => {
   if (!csn.extensions) return
 
   csn.extensions.forEach(extension => {
@@ -27,7 +27,7 @@ const validateExtensionFields = (csn, req) => {
           req.reject(400, `Invalid extension. Bad element name "${name}"`)
         }
 
-        if (Object.keys(cds.model.definitions[extension.extend].elements).includes(name)) {
+        if (Object.keys(appCsn.definitions[extension.extend].elements).includes(name)) {
           req.reject(400, `Invalid extension. Element "${name}" already exists`)
         }
       })
@@ -35,12 +35,9 @@ const validateExtensionFields = (csn, req) => {
   })
 }
 
-const validateExtension = async (ext, tenant, req) => {
+const validateExtension = (ext, csn, req) => {
   try {
-    const { 'cds.xt.ModelProviderService': mps } = cds.services
-    const csn = await mps.getCsn(tenant, ['*'])
-    const extCsn = cds.compile.to.json(ext)
-    await cds.compile.to.csn({ 'base.csn': JSON.stringify(csn), 'ext.csn': extCsn })
+    cds.extend(csn).with(ext)
   } catch (err) {
     req.reject(400, getCompilerError(err.messages))
   }

package/libx/_runtime/fiori/generic/new.js

@@ -56,17 +56,6 @@ const _handler = async function (req, next) {
     return onDraftActivate(req, next)
   }
 
-  // fill default values
-  const elements = req.target.elements
-  for (const column in elements) {
-    const col = elements[column]
-    if (col.default !== undefined && !(column in DRAFT_COLUMNS_MAP)) {
-      if ('val' in col.default) req.data[col.name] = col.default.val
-      else if ('ref' in col.default) req.data[col.name] = col.default.ref[0]
-      else req.data[col.name] = col.default
-    }
-  }
-
   const navigationToMany = isNavigationToMany(req)
 
   const adminDataCQN = navigationToMany

package/libx/_runtime/hana/Service.js

@@ -91,7 +91,6 @@ class HanaDatabase extends DatabaseService {
   }
 
   _registerBeforeHandlers() {
-    this._ensureModel && this.before('*', this._ensureModel)
     this.before(['CREATE', 'UPDATE'], '*', this._input) // > has to run before rewrite
     this.before('READ', '*', search) // > has to run before rewrite
     this.before(['CREATE', 'READ', 'UPDATE', 'DELETE'], '*', this._rewrite)

package/libx/_runtime/hana/conversion.js

@@ -1,5 +1,8 @@
 const cds = require('../cds')
 
+const driver = require('./driver')
+const isHdb = driver?.name === 'hdb'
+
 const convertToBoolean = boolean => {
   if (boolean === null) {
     return null
@@ -35,7 +38,15 @@ const convertToISONoMillis = element => {
 
 const convertToString = element => {
   if (element) {
-    return element instanceof Buffer ? Buffer.from(element, 'base64').toString() : element
+    if (element instanceof Buffer) {
+      if (isHdb && driver.iconv) {
+        return driver.iconv.decode(element, 'cesu8')
+      }
+
+      return Buffer.from(element, 'base64').toString()
+    }
+
+    return element
   }
 
   return null

package/libx/_runtime/hana/customBuilder/CustomFunctionBuilder.js

@@ -21,12 +21,13 @@ class CustomFunctionBuilder extends FunctionBuilder {
 
   _handleContains(args) {
     // fuzzy search has three arguments, must not be converted to like expressions
-    if (args.length > 2 || args._$search) {
+    if (args.length > 2 || this._options.$searchUsingContains) {
       this._outputObj.sql.push('CONTAINS')
       this._addFunctionArgs(args, true)
-    } else {
-      super._handleContains(args)
+      return
     }
+
+    super._handleContains(args)
   }
 }
 

package/libx/_runtime/hana/customBuilder/CustomSelectBuilder.js

@@ -28,6 +28,11 @@ class CustomSelectBuilder extends SelectBuilder {
     return SelectBuilder
   }
 
+  getDefaultOptions() {
+    const options = { $searchUsingContains: !!this._obj.SELECT._$searchUsingContains }
+    return { ...super.getDefaultOptions(), ...options }
+  }
+
   _val(obj) {
     if (typeof obj.val === 'boolean') return { sql: obj.val ? 'true' : 'false', values: [] }
     return super._val(obj)

package/libx/_runtime/hana/pool.js

@@ -10,13 +10,9 @@ const getError = require('../common/error')
 function multiTenantInstanceManager(config = cds.env.requires.db) {
   const { credentials } = config
 
-  if (
-    !credentials ||
-    typeof credentials !== 'object' ||
-    !(credentials.get_managed_instance_url || credentials.sm_url)
-  ) {
-    throw Object.assign(new Error('No or malformed db credentials'), { credentials: credentials })
-  }
+  if (!credentials) throw Object.assign(new Error('No database credentials provided'))
+  else if (typeof credentials !== 'object' || !(credentials.get_managed_instance_url || credentials.sm_url))
+    throw Object.assign(new Error('Malformed database credentials provided'))
 
   // new instance manager
   return new Promise((resolve, reject) => {
@@ -53,9 +49,9 @@ function multiTenantInstanceManager(config = cds.env.requires.db) {
 function singleTenantInstanceManager(config = cds.env.requires.db) {
   const { credentials } = config
 
-  if (!credentials || typeof credentials !== 'object' || !credentials.host) {
-    throw Object.assign(new Error('No or malformed db credentials'), { credentials })
-  }
+  if (!credentials) throw Object.assign(new Error('No database credentials provided'))
+  else if (typeof credentials !== 'object' || !credentials.host)
+    throw Object.assign(new Error('Malformed database credentials provided'))
 
   // mock instance manager
   return {

package/libx/_runtime/hana/search2Contains.js

@@ -51,11 +51,6 @@ const search2Contains = (cqnSearchPhrase, columns) => {
 
   const expressionArgs = [{ list: columns }, { val: searchString }]
 
-  // REVISIT: Mark the expression args with a `_$search` flag, as the `CONTAINS`
-  // predicate is not fully supported in the CustomFunctionBuilder class.
-  // The `_$search` property is enumerable: false (default), writable: false (default)
-  Object.defineProperty(expressionArgs, '_$search', { value: true })
-
   const expression = {
     func: 'contains',
     args: expressionArgs

package/libx/_runtime/hana/search2cqn4sql.js

@@ -58,6 +58,7 @@ const search2cqn4sql = (query, entity, options) => {
 
   if (useContains) {
     expression = search2Contains(cqnSearchPhrase, columns2Search)
+    Object.defineProperty(query.SELECT, '_$searchUsingContains', { value: true, enumerable: true })
   } else {
     // No CONTAINS optimization possible. The search implementation for localized
     // texts falls back to the LIKE predicate.

package/libx/_runtime/messaging/outbox/utils.js

@@ -191,7 +191,7 @@ const _createMessage = (name, msg, context) => {
 const writeInOutbox = async (name, msg, context) => {
   const outboxMsg = _createMessage(name, msg, context)
   const messagesEntity = _getMessagesEntity()
-  return INSERT.into(messagesEntity).entries(outboxMsg)
+  return cds.tx(context).run(INSERT.into(messagesEntity).entries(outboxMsg))
 }
 
 module.exports = { processMessages, registerMessageProcessor, writeInOutbox, hasPersistentOutbox, isUnrecoverable }

package/libx/_runtime/messaging/service.js

@@ -1,6 +1,7 @@
 const cds = require('../cds')
 const queued = require('./common-utils/queued')
 const OutboxService = require('./Outbox')
+const ExtendedModels = require('../../../lib/srv/srv-models')
 
 const appId = require('./common-utils/appId')
 
@@ -76,9 +77,17 @@ class MessagingService extends OutboxService {
     return super.init()
   }
 
-  emit(event, data, headers) {
+  async emit(event, data, headers) {
     const _msg = typeof event === 'object' ? event : { event, data, headers }
-    const msg = _msg instanceof cds.Event ? _msg : new cds.Event(this.message4(_msg))
+    if (_msg instanceof cds.Event) return super.emit(_msg)
+    if (_msg.inbound && !cds.context) {
+      cds.context = { tenant: _msg.tenant, user: cds.User.privileged }
+      if (cds.model) {
+        const ctx = cds.context
+        ctx.model = await ExtendedModels.model4(ctx.tenant, ctx.features)
+      }
+    }
+    const msg = new cds.Event(this.message4(_msg))
     return super.emit(msg)
   }
 
@@ -112,10 +121,6 @@ class MessagingService extends OutboxService {
 
   message4(msg) {
     const _msg = { ...msg }
-    if (msg.inbound && !cds.context) {
-      // REVISIT: why are all inbound messages executed with privileged user?
-      cds.context = { tenant: msg.tenant, user: cds.User.privileged }
-    }
     _msg.event = _warnAndStripTopicPrefix(_msg.event, this.LOG)
     if (!_msg.headers) _msg.headers = {}
     if (!_msg.inbound) {

package/libx/_runtime/remote/utils/data.js

@@ -114,6 +114,7 @@ const _convertValue = (ieee754Compatible, exponentialDecimals) => (value, elemen
 
   return value
 }
+const _PT = ([hh, mm, ss]) => `PT${hh}H${mm}M${ss}S`
 
 const _convertPayloadValue = (value, element) => {
   const type = _elementType(element)
@@ -121,6 +122,10 @@ const _convertPayloadValue = (value, element) => {
   // see https://www.odata.org/documentation/odata-version-2-0/json-format/
   if (value == null) return value
   switch (type) {
+    case 'cds.Time':
+      return value.match(/^(PT)([H,M,S,0-9])*$/) ? value : _PT(value.split(':'))
+    case 'cds.Decimal':
+      return typeof value === 'string' ? value : new String(value)
     case 'cds.Date':
     case 'cds.DateTime':
       return `/Date(${new Date(value).getTime()})/`

package/libx/_runtime/sqlite/Service.js

@@ -70,7 +70,6 @@ module.exports = class SQLiteDatabase extends DatabaseService {
   }
 
   _registerBeforeHandlers() {
-    this._ensureModel && this.before('*', this._ensureModel)
     this.before(['CREATE', 'UPDATE'], '*', this._input) // > has to run before rewrite
     this.before(['CREATE', 'READ', 'UPDATE', 'DELETE'], '*', this._rewrite)
 
@@ -188,11 +187,13 @@ module.exports = class SQLiteDatabase extends DatabaseService {
       return
     }
 
-    const tx = this.transaction()
-    await tx.run(dropViews)
-    await tx.run(dropTables)
-    await tx.run(createEntities)
-    await tx.commit()
+    await this.run(async tx => {
+      // This starts a new transaction if called from CLI, while joining
+      // existing root tx, e.g. when called from DeploymenrService
+      await tx.run(dropViews)
+      await tx.run(dropTables)
+      await tx.run(createEntities)
+    })
 
     return true
   }