@sap/cds 6.0.4 → 6.1.2

package/libx/_runtime/extensibility/addExtension.js

@@ -18,9 +18,9 @@ const _addAnnotation = extension => {
   })
 }
 
-const _addViews = csn => {
+const _addViews = (csn, appCsn) => {
   csn.extensions.forEach(extension => {
-    const target = cds.model.definitions[extension.extend]
+    const target = appCsn.definitions[extension.extend]
     const views_ = []
     const view = resolveViews(target, views_)
     extension.extend = view && view.name
@@ -41,28 +41,32 @@ const _addViews = csn => {
   })
 }
 
-const _addExtension = async function (csn, req) {
-  const tx = cds.tx(req)
-  await tx.run(
+const _addExtension = async function (csn, appCsn, req) {
+  if (req.tenant) cds.context = { tenant: req.tenant }
+  await cds.db.run(
     INSERT.into('cds.xt.Extensions').entries([
       { ID: cds.utils.uuid(), tag: 'uiflex', csn: JSON.stringify(csn), activated: 'propertyBag' }
     ])
   )
 
-  // defaults
   for (const ext of req.data.extensions) {
     const extension = JSON.parse(ext)
-    await handleDefaults(extension, tx, false)
+    await handleDefaults(extension, appCsn, false)
   }
 }
 
 const addExtension = async function (req) {
-  const csn = _getCsn(req)
-  validateCsn(csn, req)
-  validateExtensionFields(csn, req)
-  _addViews(csn, cds)
-  await validateExtension(csn, req.tenant, req)
-  await _addExtension(csn, req)
+  const { 'cds.xt.ModelProviderService': mps } = cds.services
+  const csn = await mps.getCsn(req.tenant, ['*'])
+  const extCsn = _getCsn(req)
+  const njCsn = cds.compile.for['nodejs'](csn)
+  // REVISIT: Optimize the validations
+  // REVISIT: Why do we need njCsn?
+  validateCsn(extCsn, njCsn, req)
+  validateExtensionFields(extCsn, njCsn, req)
+  _addViews(extCsn, njCsn)
+  validateExtension(extCsn, csn, req)
+  await _addExtension(extCsn, njCsn, req)
 }
 
 module.exports = addExtension

package/libx/_runtime/extensibility/defaults.js

@@ -1,38 +1,33 @@
 const cds = require('../cds')
-
-const { ensureDraftsSuffix } = require('../common/utils/draft')
 const resolveViews = require('./views')
-const { EXT_BACK_PACK } = require('./utils')
-
-const _needsQuotations = t => t instanceof cds.builtin.classes.string || t instanceof cds.builtin.classes.date
-
-const _getDraftTable = view => {
-  return cds.model.definitions[view]._isDraftEnabled ? ensureDraftsSuffix(view) : undefined
-}
-
-const handleDefaults = async (extension, tx, checkDb = true) => {
-  const target = cds.model.definitions[extension.extend]
-  const dbEntity = resolveViews(target).name
-
-  if (checkDb && target.name !== dbEntity) return // only db entities
-
-  const draft = _getDraftTable(extension.extend)
-  const ext = Object.keys(extension.elements)
-    .filter(key => extension.elements[key].default)
+const builtin = cds.builtin.types
+const needsQuotes = Symbol()
+builtin.string[needsQuotes] = true
+builtin.date[needsQuotes] = true
+
+const handleDefaults = async (extension, { definitions }, checkDb = true) => {
+  const target = definitions[extension.extend]
+  const entity = resolveViews(target)
+  if (checkDb && target !== entity) return // only db entities
+
+  const elements = extension.elements
+  const defaults = Object.keys(elements)
+    .filter(key => elements[key].default)
     .map(key => {
-      const element = extension.elements[key]
-      // .type as ui flex extensions are not linked
-      const t = cds.model.definitions[element.type] || cds.builtin.types[element.type]
-      const value = t && _needsQuotations(t) ? `"${element.default.val}"` : element.default.val
-      return `"${key}":${value}`
+      const e = elements[key],
+        { val } = e.default
+      const t = definitions[e.type] || builtin[e.type]
+      return `"${key}":${t && t[needsQuotes] ? `"${val}"` : val}`
     })
 
-  if (ext.length !== 0) {
-    const extStr = ext.join(',')
-    const changed = `'{${extStr},' || substr(${EXT_BACK_PACK}, 2, length(${EXT_BACK_PACK})-1)`
-    const assign = `${EXT_BACK_PACK} = CASE WHEN ${EXT_BACK_PACK} IS NULL THEN '{${extStr}}' ELSE ${changed} END`
-    await tx.run(UPDATE(dbEntity).with(assign))
-    if (draft) await tx.run(UPDATE(draft).with(assign))
+  if (defaults.length) {
+    const newDefaults = defaults.join(',')
+    const newBagpack = `extensions__ = CASE
+      WHEN extensions__ is null THEN '{${newDefaults}}'
+      ELSE '{${newDefaults},' || substr(extensions__, 2, length(extensions__)-1)
+    END`
+    await Promise.all([UPDATE(entity).with(newBagpack), entity.drafts && UPDATE(entity.drafts).with(newBagpack)])
+    // NOTE: We don't need the model definitions for `entity` in cds.db.model to run these queries
   }
 }
 

package/libx/_runtime/extensibility/handler/transformREAD.js

@@ -42,23 +42,25 @@ const _removeExtendedFields = (columns, extFields, alias) => {
 
 const _transformUnion = (req, model) => {
   // second element is active entity
-  const name = req.target.name.SET ? req.target.name.SET.args[1]._target.name : req.target.name
-  const extFields = getExtendedFields(name, model)
-  _addBackPack(req.query.SELECT.columns, extFields)
-  _removeExtendedFields(req.query.SELECT.columns, extFields)
-
-  _addBackPack(
-    req.query.SELECT.from.SET.args[0].SELECT.columns,
-    extFields,
-    req.query.SELECT.from.SET.args[0].SELECT.from.args[0].as
-  )
-  _addBackPack(req.query.SELECT.from.SET.args[1].SELECT.columns, extFields)
-  _removeExtendedFields(
-    req.query.SELECT.from.SET.args[0].SELECT.columns,
-    extFields,
-    req.query.SELECT.from.SET.args[0].SELECT.from.args[0].as
-  )
-  _removeExtendedFields(req.query.SELECT.from.SET.args[1].SELECT.columns, extFields)
+  if (req.target) {
+    const name = req.target.name.SET ? req.target.name.SET.args[1]._target.name : req.target.name
+    const extFields = getExtendedFields(name, model)
+    _addBackPack(req.query.SELECT.columns, extFields)
+    _removeExtendedFields(req.query.SELECT.columns, extFields)
+
+    _addBackPack(
+      req.query.SELECT.from.SET.args[0].SELECT.columns,
+      extFields,
+      req.query.SELECT.from.SET.args[0].SELECT.from.args[0].as
+    )
+    _addBackPack(req.query.SELECT.from.SET.args[1].SELECT.columns, extFields)
+    _removeExtendedFields(
+      req.query.SELECT.from.SET.args[0].SELECT.columns,
+      extFields,
+      req.query.SELECT.from.SET.args[0].SELECT.from.args[0].as
+    )
+    _removeExtendedFields(req.query.SELECT.from.SET.args[1].SELECT.columns, extFields)
+  }
 }
 
 const _getAliasedEntitiesForJoin = (args, model) => {
@@ -111,7 +113,7 @@ function transformExtendedFieldsREAD(req) {
   _transformColumns(req.query.SELECT.columns, target.name, this.model)
 
   if (req.query.SELECT.from.SET) return _transformUnion(req, this.model) // union
-  if (req.query.SELECT.from.join) return _transformJoin(req, this.model) // join
+  if (req.query.SELECT.from.join && req.query.SELECT.from.args) return _transformJoin(req, this.model) // join
 }
 
 module.exports = {

package/libx/_runtime/extensibility/linter/allowlist_checker.js

@@ -0,0 +1,373 @@
+const Checker = require('./checker_base')
+
+const LABELS = {
+  service: 'Service',
+  entity: 'Entity',
+  aspect: 'Aspect',
+  type: 'Type'
+}
+
+const LEGACY_ENTITY_WHITELIST = 'entity-whitelist'
+const LEGACY_SERVICE_WHITELIST = 'service-whitelist'
+const EXTENSION_ALLOWLIST = 'extension-allowlist'
+const NEW_FIELDS = 'new-fields'
+const NEW_ENTITIES = 'new-entities'
+
+class Allowlist {
+  constructor(mtxConfig, fullCsn) {
+    this.allowlist = Allowlist._setupPermissionList(mtxConfig, fullCsn)
+  }
+
+  get all() {
+    return this.allowlist.all
+  }
+
+  get entity() {
+    return this.allowlist.entity
+  }
+
+  get service() {
+    return this.allowlist.service
+  }
+
+  getList(kind) {
+    return this.allowlist[kind]
+  }
+
+  getPermission(kind, name) {
+    function findInList(list, name) {
+      if (list) {
+        const splitName = name.split('.')
+        while (splitName.length > 0) {
+          const nameOrPrefix = splitName.join('.')
+          if (list[nameOrPrefix]) {
+            return list[nameOrPrefix]
+          }
+          splitName.pop()
+        }
+        return list['*'] ? list['*'] : null
+      }
+      return null
+    }
+
+    return findInList(this.allowlist[kind], name) || findInList(this.allowlist['all'], name)
+  }
+
+  isAllowed(kind, name) {
+    return !!this.getPermission(kind, name)
+  }
+
+  static _setupPermissionList(mtxConfig, fullCsn) {
+    // internal structure:
+    // result[name] = { kind, new-fields | new-entities }
+
+    const result = {}
+
+    // create from legacy lists
+    let { entityWhitelist, serviceWhitelist } = Allowlist._getLegacyLists(mtxConfig)
+
+    // create from new lists
+    const allowlistNewFormat = mtxConfig[EXTENSION_ALLOWLIST]
+
+    Allowlist._addLegacyLists(result, serviceWhitelist, entityWhitelist)
+
+    if (allowlistNewFormat) {
+      // seperate into single entities /services for better processing
+      for (const permission of allowlistNewFormat) {
+        if (permission.for) {
+          for (const name of permission.for) {
+            if (permission.kind) {
+              // kind is specfied
+              result[permission.kind] = result[permission.kind] || {}
+              result[permission.kind][name] = permission
+            } else {
+              // check kind
+              if (fullCsn.definitions[name]) {
+                result[fullCsn.definitions[name].kind] = result[fullCsn.definitions[name].kind] || {}
+                result[fullCsn.definitions[name].kind][name] = permission
+              } else {
+                // allow all
+                result.all = result.all || {}
+                result.all[name] = permission
+              }
+            }
+          }
+        }
+      }
+    }
+    return result
+  }
+
+  static _addLegacyLists(result, serviceWhitelist, entityWhitelist) {
+    if (serviceWhitelist) {
+      result.service = result.service || {}
+      for (const service of serviceWhitelist) {
+        result.service[service] = {}
+      }
+    }
+
+    if (entityWhitelist) {
+      result.entity = result.entity || {}
+      for (const entity of entityWhitelist) {
+        result.entity[entity] = {}
+      }
+    }
+    return result
+  }
+
+  static _getLegacyLists(mtxConfig) {
+    let entityWhitelist = mtxConfig[LEGACY_ENTITY_WHITELIST]
+    let serviceWhitelist = mtxConfig[LEGACY_SERVICE_WHITELIST]
+
+    if (entityWhitelist && !Array.isArray(entityWhitelist)) {
+      entityWhitelist = [entityWhitelist]
+    }
+
+    if (serviceWhitelist && !Array.isArray(serviceWhitelist)) {
+      serviceWhitelist = [serviceWhitelist]
+    }
+    return { entityWhitelist, serviceWhitelist }
+  }
+}
+
+class AllowlistChecker extends Checker {
+  static _setupPermissionList(mtxConfig, fullCsn) {
+    return new Allowlist(mtxConfig, fullCsn)
+  }
+
+  static async check(reflectedExtensionCsn, fullCsn, extensionFiles, compileDir, mtxConfig) {
+    const allowList = this._setupPermissionList(mtxConfig, fullCsn)
+
+    const warnings = []
+
+    // check entities
+    if (reflectedExtensionCsn.extensions && allowList) {
+      for (const extension of reflectedExtensionCsn.extensions) {
+        this._checkEntity(extension, reflectedExtensionCsn, fullCsn, compileDir, allowList, warnings)
+      }
+    }
+
+    // check services
+    const foundServiceExt = {}
+    reflectedExtensionCsn.forall(
+      element => {
+        return ['entity', 'element', 'function', 'action'].includes(element.kind)
+      },
+      (element, name, parent) => {
+        if (allowList) {
+          this._checkService(
+            reflectedExtensionCsn,
+            fullCsn,
+            element,
+            parent,
+            { extensionFiles, compileDir },
+            allowList,
+            warnings,
+            foundServiceExt
+          ) // NOSONAR
+        }
+      }
+    )
+    this._addServiceLimitWarnings(foundServiceExt, allowList, compileDir, warnings)
+
+    return warnings
+  }
+
+  static _checkEntity(extension, extCsn, fullCsn, compileDir, allowlist, warnings) {
+    const extendedEntity = extension.extend
+    if (extendedEntity) {
+      if (
+        fullCsn &&
+        fullCsn.definitions &&
+        (!extCsn.definitions[extendedEntity] || extCsn.definitions[extendedEntity].kind !== 'entity')
+      ) {
+        const kind = this._getExtendedKind(fullCsn, extendedEntity)
+
+        if (!allowlist.isAllowed(kind, extendedEntity)) {
+          // not allowed at all
+          this._addColumnWarnings(extension, warnings, compileDir, allowlist.getList(kind), kind)
+          this._addElementWarnings(extension, warnings, compileDir, allowlist.getList(kind), kind)
+        } else {
+          // might have limits
+          this._addEntityLimitWarnings(extension, warnings, compileDir, allowlist, kind)
+        }
+      }
+    }
+  }
+
+  static _getExtendedKind(fullCsn, extendedEntity) {
+    const elementFromBase = fullCsn.definitions[extendedEntity]
+    return elementFromBase ? elementFromBase.kind : null
+  }
+
+  static _addElementWarnings(extension, warnings, compileDir, allowlist, kind) {
+    if (extension.elements) {
+      for (const element in extension.elements) {
+        warnings.push(
+          this._createAllowlistWarning(
+            extension.extend,
+            extension.elements[element],
+            compileDir,
+            allowlist,
+            LABELS[kind]
+          )
+        )
+      }
+    }
+  }
+
+  static _addColumnWarnings(extension, warnings, compileDir, allowlist, kind) {
+    // loop columns + elements
+    if (extension.columns) {
+      for (const column of extension.columns) {
+        warnings.push(this._createAllowlistWarning(extension.extend, column, compileDir, allowlist, LABELS[kind]))
+      }
+    }
+  }
+
+  static _addEntityLimitWarnings(extension, warnings, compileDir, allowlist, kind) {
+    const limit = allowlist.getPermission(kind, extension.extend)[NEW_FIELDS]
+
+    if (!limit) {
+      return
+    }
+
+    if (
+      (extension.columns ? extension.columns.length : 0) +
+        (extension.elements ? Object.keys(extension.elements).length : 0) <=
+      limit
+    ) {
+      return
+    }
+
+    // loop columns + elements
+    if (extension.columns) {
+      for (const column of extension.columns) {
+        warnings.push(this._createLimitWarning(extension.extend, column, compileDir, limit, LABELS[kind]))
+      }
+    }
+
+    if (extension.elements) {
+      for (const element in extension.elements) {
+        warnings.push(
+          this._createLimitWarning(extension.extend, extension.elements[element], compileDir, limit, LABELS[kind])
+        )
+      }
+    }
+  }
+
+  static _addServiceLimitWarnings(foundServiceExt, allowlist, compileDir, warnings) {
+    if (!allowlist) {
+      return
+    }
+
+    for (const service in foundServiceExt) {
+      let extLimit = allowlist.getPermission('service', service)[NEW_ENTITIES]
+      if (extLimit && extLimit <= foundServiceExt[service].length) {
+        // loop all extension for one service
+        for (const element of foundServiceExt[service]) {
+          warnings.push(this._createLimitWarning(service, element, compileDir, extLimit, LABELS['service']))
+        }
+      }
+    }
+  }
+
+  static _getParentName(element) {
+    if (element.name) {
+      const splitEntityName = element.name.split('.')
+      if (splitEntityName.length > 1) {
+        splitEntityName.pop()
+        return splitEntityName.join('.')
+      }
+    }
+    return null
+  }
+
+  static _isDefinedInExtension(reflectedCsn, name) {
+    return reflectedCsn.definitions ? !!reflectedCsn.definitions[name] : false
+  }
+
+  static _isDefinedInBasemodel(fullCsn, name) {
+    return !!this._getFromBasemodel(fullCsn, name)
+  }
+
+  static _getFromBasemodel(fullCsn, name) {
+    return fullCsn.definitions[name]
+  }
+
+  static _checkService(reflectedExtensionCsn, fullCsn, element, parent, extension, allowlist, warnings, foundExt) {
+    if (parent && parent.kind && parent.kind !== 'service') {
+      return
+    }
+
+    let parentName
+    if (!parent) {
+      parentName = this._getParentName(element)
+    } else {
+      parentName = this._getEntityName(parent)
+    }
+
+    // definition of element in extension itself
+    if (!parentName) {
+      return
+    }
+
+    // check if parent is defined in extension itself
+    if (this._isDefinedInExtension(reflectedExtensionCsn, parentName)) {
+      return
+    }
+
+    // check if parent is defined in basemodel
+    if (!this._isDefinedInBasemodel(fullCsn, parentName)) {
+      return
+    }
+
+    if (allowlist.isAllowed('service', parentName)) {
+      foundExt[parentName] = foundExt[parentName] || []
+      foundExt[parentName].push(element)
+      return
+    }
+
+    warnings.push(
+      this._createAllowlistWarning(parentName, element, extension.compileDir, allowlist.service, LABELS['service'])
+    )
+  }
+
+  static _createAllowlistWarning(entityName, element, compileDir, allowlist = {}, label) {
+    const originFile = this._localizeFile(element.$location.file, compileDir)
+
+    return (
+      label +
+      ' ' +
+      entityName +
+      ' must not be extended. See ' +
+      '(line:' +
+      element.$location.line +
+      ', col:' +
+      element.$location.col +
+      ')' +
+      ' in ' +
+      originFile +
+      '. Check ' +
+      label +
+      ' allowlist: ' +
+      (Object.keys(allowlist).length > 0 ? Object.keys(allowlist) : '<empty list>')
+    )
+  }
+
+  static _createLimitWarning(entityName, element, compileDir, limit, label) {
+    const originFile = this._localizeFile(element.$location.file, compileDir)
+
+    return (
+      `Extension limit of ${limit} for ${label} ${entityName} has been exceeded` +
+      `(line: ${element.$location.line}, col:  ${element.$location.col})` +
+      ` in ${originFile}`
+    )
+  }
+
+  static _getEntityName(entity) {
+    return entity.extend ? entity.extend : entity.name
+  }
+}
+
+module.exports = AllowlistChecker

package/libx/_runtime/extensibility/linter/annotations_checker.js

@@ -0,0 +1,113 @@
+const Checker = require('./checker_base')
+
+const AT_REQUIRES = '@requires'
+const AT_RESTRICT = '@restrict'
+const AT_CDS_PERSISTENCE_JOURNAL = '@cds.persistence.journal'
+const AT_SQL_APPEND = '@sql.append'
+const AT_SQL_PREPEND = '@sql.prepend'
+
+const checkedAnnotations = new Map([
+  [AT_REQUIRES, _createSecurityAnnotationWarning],
+  [AT_RESTRICT, _createSecurityAnnotationWarning],
+  [AT_CDS_PERSISTENCE_JOURNAL, _createJournalAnnotationWarning],
+  [AT_SQL_APPEND, _createSqlAnnotationWarning],
+  [AT_SQL_PREPEND, _createSqlAnnotationWarning]
+])
+
+function _createSqlAnnotationWarning(annotationName, originFile, annotation) {
+  return (
+    `Annotation ${annotationName} is not supported in extensions: ${originFile}` +
+    `(line: ${annotation.$location.line}, col: ${annotation.$location.col})`
+  )
+}
+
+function _createSecurityAnnotationWarning(annotationName, originFile, annotation) {
+  return (
+    `Security relevant annotation ${annotationName} cannot be overwritten: ${originFile}` +
+    `(line: ${annotation.$location.line}, col: ${annotation.$location.col})`
+  )
+}
+
+function _createJournalAnnotationWarning(journalAnnotationName, originFile, annotation) {
+  return (
+    `Enabling schema evolution in extensions using ${journalAnnotationName} not yet supported: ${originFile}` +
+    ` (line: ${annotation.$location.line}, col: ${annotation.$location.col})`
+  )
+}
+
+class AnnotationsChecker extends Checker {
+  static async check(reflectedCsn, extensionFiles, compileDir) {
+    if (!reflectedCsn.extensions) {
+      return []
+    }
+
+    // annotations via annotate - applies for all
+    const annotationExtensions = Object.values(reflectedCsn.extensions).filter(
+      value => value.annotate && Object.getOwnPropertyNames(value).filter(property => checkedAnnotations.get(property))
+    )
+
+    // check annotations for extensions including fields
+    reflectedCsn.forall(
+      () => true,
+      element => {
+        if (element[AT_SQL_PREPEND] || element[AT_SQL_APPEND]) {
+          if (!element.annotate) {
+            // do not add annotation extensions again
+            annotationExtensions.push(element)
+          }
+        }
+      },
+      reflectedCsn.extensions
+    )
+
+    // check entities and fields from definitions
+    const annotatedDefinitions = []
+    reflectedCsn.forall(
+      () => true,
+      element => {
+        if (element[AT_SQL_PREPEND] || element[AT_SQL_APPEND] || element[AT_CDS_PERSISTENCE_JOURNAL]) {
+          annotatedDefinitions.push(element)
+        }
+      },
+      reflectedCsn.definitions
+    )
+
+    const warnings = []
+
+    for (const annotationExtension of annotationExtensions) {
+      const warning = this._checkAnnotation(annotationExtension, reflectedCsn.definitions, compileDir)
+      if (warning) {
+        warnings.push(warning)
+      }
+    }
+
+    for (const annotatedDefinition of annotatedDefinitions) {
+      const warning = this._checkAnnotation(annotatedDefinition, reflectedCsn.definitions, compileDir)
+      if (warning) {
+        warnings.push(warning)
+      }
+    }
+
+    return warnings
+  }
+
+  static _checkAnnotation(annotation, definitions, compileDir) {
+    if (!definitions[annotation.annotate]) {
+      return this._createAnnotationsWarning(annotation, compileDir)
+    }
+
+    return null
+  }
+
+  static _createAnnotationsWarning(annotation, compileDir) {
+    const annotationName = Object.getOwnPropertyNames(annotation).filter(property => checkedAnnotations.get(property))
+
+    const originFile = this._localizeFile(annotation.$location.file, compileDir)
+
+    if (annotationName.length) {
+      return checkedAnnotations.get(annotationName[0])(annotationName, originFile, annotation)
+    }
+  }
+}
+
+module.exports = AnnotationsChecker

package/libx/_runtime/extensibility/linter/checker_base.js

@@ -0,0 +1,20 @@
+const path = require('path')
+
+class Checker {
+  static _isFromExtension(element, extensionFiles, compileDir) {
+    if (!element.$location) {
+      return false
+    }
+    const originFile = this._localizeFile(element.$location.file, compileDir)
+    return extensionFiles.includes(originFile)
+  }
+
+  static _localizeFile(filename, compileDir) {
+    if (path.isAbsolute(filename) || filename.startsWith('..')) {
+      filename = path.relative(compileDir, filename)
+    }
+    return filename.replace(/\\/g, '/')
+  }
+}
+
+module.exports = Checker