@sap/cds 6.4.1 → 6.5.0

package/libx/_runtime/auth/strategies/ias-auth.js

@@ -42,9 +42,10 @@ module.exports = function ias_auth(config) {
       if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) {
         req.user = new cds.User({
           id: 'system',
-          roles: ['system-user', 'authenticated-user'],
+          roles: ['authenticated-user'],
           attr: {}
         })
+        req.user._is_system = true
       } else {
         // add all unknown attributes to req.user.attr in order to keep public API small
         const payload = req.tokenInfo.getPayload()

package/libx/_runtime/auth/strategies/mock.js

@@ -21,6 +21,17 @@ class MockStrategy {
     if (user.password && user.password !== password) return this.fail(CHALLENGE)
 
     const { features } = req.headers
+    // Only in the mock strategy the pseudo roles are kept in the role list.
+    // In all other cases pseudo roles are filtered out.
+    if (user.roles) {
+      if (Array.isArray(user.roles)) {
+        if (user.roles.includes('system-user')) user._is_system = true
+        if (user.roles.includes('internal-user')) user._is_internal = true
+      } else {
+        if ('system-user' in user.roles) user._is_system = true
+        if ('internal-user' in user.roles) user._is_internal = true
+      }
+    }
     this.success(new cds.User(features ? { ...user, features } : user))
   }
 }
@@ -44,7 +55,7 @@ const _init_users = (users, tenants = {}) => {
           Array.isArray(user.roles) ? user.roles.push(...scopes) : (user.roles = scopes)
         }
         if (user.jwt.grant_type === 'client_credentials' || user.jwt.grant_type === 'client_x509') {
-          user.roles.push('system-user')
+          user._is_system = true
         }
         if (!user.tenant && user.jwt.zid) user.tenant = user.jwt.zid
       }

package/libx/_runtime/auth/strategies/xssecUtils.js

@@ -5,21 +5,19 @@ const getUserId = (user, info) => {
   return user.id || (info && info.getClientId && info.getClientId())
 }
 
-const _addRolesFromGrantType = (roles, info, credentials) => {
+const addRolesFromGrantType = (user, info, credentials) => {
   const grantType = info && (info.grantType || (info.getGrantType && info.getGrantType()))
   if (grantType) {
     // > not "weak"
-    roles.push('authenticated-user')
+    user.roles['authenticated-user'] = true
     if (grantType in CLIENT) {
-      roles.push('system-user')
-      if (info.getClientId() === credentials.clientid) roles.push('internal-user')
+      user._is_system = true
+      if (info.getClientId() === credentials.clientid) user._is_internal = true
     }
   }
 }
 
-const getRoles = (roles, info, credentials) => {
-  _addRolesFromGrantType(roles, info, credentials)
-
+const getRoles = (roles, info) => {
   // convert to object
   roles = Object.assign(...roles.map(ele => ({ [ele]: true })))
 
@@ -90,5 +88,6 @@ module.exports = {
   getRoles,
   getAttrForJWT,
   getAttrForXSSEC,
-  getTenant
+  getTenant,
+  addRolesFromGrantType
 }

package/libx/_runtime/auth/strategies/xsuaa.js

@@ -25,6 +25,7 @@ class XSUAAStrategy extends JS {
         roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
         attr: xssecUtils.getAttrForXSSEC(info)
       })
+      xssecUtils.addRolesFromGrantType(user, info, credentials)
       const tenant = xssecUtils.getTenant(info)
       if (tenant) user.tenant = tenant
       // call "super.success"

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/action.js

@@ -60,9 +60,8 @@ const action = service => {
         await tx.commit(result)
       }
 
-      if (isReturnMinimal(req) || result === null) odataRes.setStatusCode(204)
+      if (isReturnMinimal(req) || result === null) odataRes.setStatusCode(204, { overwrite: true })
       else if (req.event === 'draftActivate' || req.event === 'EDIT') {
-        odataRes.setStatusCode(201)
         const keys = Object.keys(req.target.keys).filter(k => {
           return k !== 'IsActiveEntity' && !req.target.keys[k]._isAssociationStrict
         })

package/libx/_runtime/cds-services/services/Service.js

@@ -22,6 +22,9 @@ class ApplicationService extends cds.Service {
     require('../../common/generic/temporal').call(this, this)
     require('../../common/generic/paging').call(this, this) // > paging must be executed before sorting
     require('../../common/generic/sorting').call(this, this)
+
+    if (cds.env.requires.extensibility?.code) require('../../common/code-ext/handlers').call(this, this)
+
     this.registerFioriHandlers(this)
     this.registerPersonalDataHandlers(this)
     this.registerCrudHandlers(this) // default .on handlers, have to go last

package/libx/_runtime/cds-services/services/utils/columns.js

@@ -122,44 +122,43 @@ const _getSearchableColumns = entity => {
  * @returns {import('../../../types/api').ColumnRefs}
  */
 const computeColumnsToBeSearched = (cqn, entity = { __searchableColumns: [] }, alias) => {
-  // if there is a group by clause, only columns in it may be searched
-  let toBeSearched =
-    entity.own('__searchableColumns') || entity.set('__searchableColumns', _getSearchableColumns(entity))
-
-  if (cqn.SELECT.groupBy) toBeSearched = toBeSearched.filter(tbs => cqn.SELECT.groupBy.some(gb => gb.ref[0] === tbs))
-  toBeSearched = toBeSearched.map(c => {
-    const col = { ref: [c] }
-    if (alias) col.ref.unshift(alias)
-    return col
-  })
-
-  // add aggregations
-  cqn.SELECT.columns &&
-    cqn.SELECT.columns.forEach(column => {
-      if (column.func) {
-        // exclude $count by SELECT of number of Items in a Collection
-        if (
-          cqn.SELECT.columns.length === 1 &&
-          column.func === 'count' &&
-          (column.as === '_counted_' || column.as === '$count')
-        )
+  let toBeSearched = []
+
+  // aggregations case
+  // in the new parser groupBy is moved to sub select.
+  if (cqn._aggregated || /* new parser */ cqn.SELECT.groupBy || cqn.SELECT?.from?.SELECT?.groupBy) {
+    cqn.SELECT.columns &&
+      cqn.SELECT.columns.forEach(column => {
+        if (column.func) {
+          // exclude $count by SELECT of number of Items in a Collection
+          if (
+            cqn.SELECT.columns.length === 1 &&
+            column.func === 'count' &&
+            (column.as === '_counted_' || column.as === '$count')
+          )
+            return
+
+          toBeSearched.push(column)
           return
-
-        toBeSearched.push(column)
-        return
-      }
-
-      const columnRef = column.ref
-      if (columnRef) {
-        const columnName = columnRef[columnRef.length - 1]
-        const csnColumn = entity.elements[columnName]
-        if (csnColumn) return
-        const col = { ref: [columnName] }
-        if (alias) col.ref.unshift(alias)
-        toBeSearched.push(col)
-      }
+        }
+
+        const columnRef = column.ref
+        if (columnRef) {
+          column = { ref: [...column.ref] }
+          if (alias) column.ref.unshift(alias)
+          toBeSearched.push(column)
+        }
+      })
+  } else {
+    toBeSearched = entity.own('__searchableColumns') || entity.set('__searchableColumns', _getSearchableColumns(entity))
+
+    if (cqn.SELECT.groupBy) toBeSearched = toBeSearched.filter(tbs => cqn.SELECT.groupBy.some(gb => gb.ref[0] === tbs))
+    toBeSearched = toBeSearched.map(c => {
+      const col = { ref: [c] }
+      if (alias) col.ref.unshift(alias)
+      return col
     })
-
+  }
   return toBeSearched
 }
 

package/libx/_runtime/common/code-ext/WorkerReq.js

@@ -0,0 +1,79 @@
+const { parentPort } = require('worker_threads')
+const { Responses, Errors } = require('../../../../lib/req/response')
+
+class WorkerReq {
+  constructor(reqData) {
+    Object.assign(this, reqData)
+    this.postMessages = []
+    this.messages = this.messages ?? []
+    this.errors = this.errors ?? new Errors()
+  }
+
+  #push(args) {
+    this.postMessages.push({
+      kind: 'run',
+      target: 'req',
+      ...args
+    })
+  }
+
+  notify(...args) {
+    this.#push({
+      prop: 'notify',
+      args
+    })
+
+    const notify = Responses.get(1, ...args)
+    this.messages.push(notify)
+    return notify
+  }
+
+  info(...args) {
+    this.#push({
+      prop: 'info',
+      args
+    })
+
+    const info = Responses.get(2, ...args)
+    this.messages.push(info)
+    return info
+  }
+
+  warn(...args) {
+    this.#push({
+      prop: 'warn',
+      args
+    })
+
+    const warn = Responses.get(3, ...args)
+    this.messages.push(warn)
+    return warn
+  }
+
+  error(...args) {
+    this.#push({
+      prop: 'error',
+      args
+    })
+
+    let error = Responses.get(4, ...args)
+    if (!error.stack) Error.captureStackTrace((error = Object.assign(new Error(), error)), this.error)
+    this.errors.push(error)
+    return error
+  }
+
+  reject(...args) {
+    parentPort.postMessage({
+      kind: 'run',
+      target: 'req',
+      prop: 'reject',
+      args
+    })
+
+    let error = Responses.get(4, ...args)
+    if (!error.stack) Error.captureStackTrace((error = Object.assign(new Error(), error)), this.reject)
+    throw error
+  }
+}
+
+module.exports = WorkerReq

package/libx/_runtime/common/code-ext/config.js

@@ -0,0 +1,13 @@
+const os = require('os')
+const totalMemory = os.totalmem() // total amount of system memory in bytes
+const maxOldGenerationSizeMb = Math.floor(totalMemory / 1024 ** 2 / 8) // max size of the main heap in MB
+const maxYoungGenerationSizeMb = Math.floor(totalMemory / 1024 ** 2 / 8) // max size of a heap space for recently created objects
+
+module.exports = {
+  timeout: 10000,
+  resourceLimits: {
+    maxOldGenerationSizeMb,
+    maxYoungGenerationSizeMb,
+    stackSizeMb: 4 // default
+  }
+}

package/libx/_runtime/common/code-ext/execute.js

@@ -0,0 +1,106 @@
+const cds = require('../../cds')
+const { Worker } = require('worker_threads')
+const path = require('node:path')
+const { timeout, resourceLimits } = require('./config')
+const workerPath = path.resolve(__dirname, 'worker.js')
+const { Errors } = require('../../../../lib/req/response')
+
+const _getReqData = req => {
+  return {
+    data: req.data,
+    params: req.params,
+    results: req.results,
+    messages: req.messages,
+    errors: req.errors ?? new Errors()
+  }
+}
+
+module.exports = async function executeCode(code, req) {
+  const reqData = _getReqData(req)
+  const _getTarget = target => {
+    switch (target) {
+      case 'srv':
+        return this
+
+      case 'req':
+        return req
+
+      // no default
+    }
+  }
+  const workerId = cds.utils.uuid()
+  const worker = new Worker(workerPath, {
+    workerData: { id: workerId },
+    resourceLimits
+  })
+
+  const executePromise = new Promise(function executeCodePromiseExecutor(resolve, reject) {
+    worker.on('online', onStarted)
+    worker.on('message', onMessageReceived)
+    worker.on('error', onError)
+    worker.on('exit', onExit)
+
+    let onStartTimeoutID
+
+    function onStarted() {
+      onStartTimeoutID = setTimeout(() => {
+        worker.terminate()
+        reject(new Error(`Script execution timed out after ${timeout}ms`))
+      }, timeout)
+    }
+
+    function onMessageReceived(message) {
+      switch (message.kind) {
+        case 'run':
+          run(message)
+          return
+
+        case 'success':
+          onSuccess(message)
+          cleanup()
+          return
+
+        case 'error':
+          onError(message.error)
+          return
+
+        // no default
+      }
+    }
+
+    async function onSuccess(message) {
+      for (const m of message.postMessages) await run(m)
+      req.data && Object.assign(req.data, message.req.data) // REVISIT: Why Object.assign(...) is a required?
+      req.results = message.req.results
+      resolve(req.results ?? message.result)
+    }
+
+    function onError(error) {
+      reject(error)
+    }
+
+    function onExit(exitCode) {
+      if (exitCode !== 0) reject(new Error(`Worker thread stopped with exit code ${exitCode}`))
+    }
+
+    async function run(message) {
+      try {
+        let result = _getTarget(message.target)[message.prop](...message.args)
+        if (typeof result?.then === 'function') result = await result
+        if (message.responseData) worker.postMessage({ id: message.id, kind: 'responseData', result })
+      } catch (error) {
+        worker.postMessage({ id: message.id, kind: 'cleanup' })
+        reject(error)
+      }
+    }
+
+    function cleanup() {
+      clearTimeout(onStartTimeoutID)
+      worker.terminate()
+    }
+  })
+
+  // triggers execution of the code in the worker thread
+  worker.postMessage({ id: workerId, code, reqData })
+  return executePromise
+}

package/libx/_runtime/common/code-ext/handlers.js

@@ -0,0 +1,49 @@
+const cds = require('../../cds')
+const executeCode = require('./execute')
+
+const CODE_ANNOTATION = '@extension.code'
+
+module.exports = cds.service.impl(function () {
+  const getCodeFromAnnotation = async (defName, operation, registration) => {
+    // REVISIT: tenant info in not in this.model and cds.context.model is undefined for single tenancy
+    const model = cds.context.model || this.model
+    const el = model.definitions[defName]
+    const boundEl = el.actions?.[operation]
+    const extensionCode = boundEl?.[CODE_ANNOTATION] ?? el[CODE_ANNOTATION]
+    if (extensionCode) {
+      const annotation = extensionCode.filter(element => element[registration] === operation)
+      return annotation.length && annotation[0].code
+    }
+  }
+
+  this.after('READ', async function (result, req) {
+    if (result == null) return // whether result is null or undefined
+    const code = await getCodeFromAnnotation(req.target.name, req.event, 'after')
+    if (!code) return
+    await executeCode.call(this, code, req)
+  })
+
+  this.before(['CREATE', 'UPDATE', 'DELETE'], async function (req) {
+    const code = await getCodeFromAnnotation(req.target.name, req.event, 'before')
+    if (!code) return
+    await executeCode.call(this, code, req)
+  })
+
+  this.on('*', async function (req, next) {
+    if (this.name.startsWith('cds.xt')) return next()
+    // REVISIT: req.target -> wait until implementation task finished
+    let fqn = req.target?.actions?.[`${req.event}`] // check for bound action/function
+    if (!fqn) {
+      if (req.target) return next()
+      fqn = this.model.definitions[`${this.name}.${req.event}`] // check for unbound action/function or event
+    }
+
+    // REVISIT: DO NOT OVERWRITE EXISTING Action Implementations!
+    // REVISIT: check whether action/function or event is part of an extension
+    if (fqn.kind === 'action' || fqn.kind === 'function' || req.constructor.name === 'EventMessage') {
+      const code = await getCodeFromAnnotation(req?.target?.name ?? fqn.name, req.event, 'on')
+      if (!code) return
+      return await executeCode.call(this, code, req)
+    }
+  })
+})

package/libx/_runtime/common/code-ext/worker.js

@@ -0,0 +1,36 @@
+const { parentPort, workerData } = require('worker_threads')
+const { WorkerSELECT, WorkerINSERT, WorkerUPSERT, WorkerUPDATE, WorkerDELETE } = require('./workerQuery')
+const WorkerReq = require('./WorkerReq')
+const { timeout } = require('./config')
+
+parentPort.once('message', function onMessageReceived({ id, code, reqData }) {
+  if (id !== workerData.id) return
+
+  // eslint-disable-next-line cds/no-missing-dependencies
+  const { VM } = require('vm2')
+  const workerReq = new WorkerReq(reqData)
+  const vm = new VM({
+    console: 'inherit',
+    timeout, // specifies the number of milliseconds to execute code before terminating execution
+    allowAsync: true,
+
+    // the sandbox represents the global object inside the vm instance
+    sandbox: {
+      req: workerReq,
+      SELECT: WorkerSELECT._api(),
+      INSERT: WorkerINSERT._api(),
+      UPSERT: WorkerUPSERT._api(),
+      UPDATE: WorkerUPDATE._api(),
+      DELETE: WorkerDELETE._api()
+    }
+  })
+
+  try {
+    ;(async function () {
+      const result = await vm.run(code)
+      parentPort.postMessage({ kind: 'success', req: reqData, postMessages: workerReq.postMessages, result })
+    })()
+  } catch (error) {
+    parentPort.postMessage({ kind: 'error', error })
+  }
+})

package/libx/_runtime/common/code-ext/workerQuery.js

@@ -0,0 +1,45 @@
+const SELECT = require('../../../../lib/ql/SELECT')
+const INSERT = require('../../../../lib/ql/INSERT')
+const UPSERT = require('../../../../lib/ql/UPSERT')
+const UPDATE = require('../../../../lib/ql/UPDATE')
+const DELETE = require('../../../../lib/ql/DELETE')
+const queryExecutor = require('./workerQueryExecutor')
+
+class WorkerSELECT extends SELECT {
+  // intercept await SELECT.from(...) calls
+  then(r, e) {
+    return new Promise(queryExecutor.bind(this)).then(r, e)
+  }
+}
+
+class WorkerINSERT extends INSERT {
+  then(r, e) {
+    return new Promise(queryExecutor.bind(this)).then(r, e)
+  }
+}
+
+class WorkerUPSERT extends UPSERT {
+  then(r, e) {
+    return new Promise(queryExecutor.bind(this)).then(r, e)
+  }
+}
+
+class WorkerUPDATE extends UPDATE {
+  then(r, e) {
+    return new Promise(queryExecutor.bind(this)).then(r, e)
+  }
+}
+
+class WorkerDELETE extends DELETE {
+  then(r, e) {
+    return new Promise(queryExecutor.bind(this)).then(r, e)
+  }
+}
+
+Object.defineProperty(WorkerSELECT.prototype, 'cmd', { value: 'SELECT' })
+Object.defineProperty(WorkerINSERT.prototype, 'cmd', { value: 'INSERT' })
+Object.defineProperty(WorkerUPSERT.prototype, 'cmd', { value: 'UPSERT' })
+Object.defineProperty(WorkerUPDATE.prototype, 'cmd', { value: 'UPDATE' })
+Object.defineProperty(WorkerDELETE.prototype, 'cmd', { value: 'DELETE' })
+
+module.exports = { WorkerSELECT, WorkerINSERT, WorkerUPSERT, WorkerUPDATE, WorkerDELETE }

package/libx/_runtime/common/code-ext/workerQueryExecutor.js

@@ -0,0 +1,33 @@
+const cds = require('../../cds')
+const { parentPort } = require('worker_threads')
+const executorCallbackMap = new Map()
+
+parentPort.on('message', function onMessageReceived({ id, kind, result }) {
+  if (!executorCallbackMap.has(id)) return
+
+  switch (kind) {
+    case 'responseData':
+      executorCallbackMap.get(id)(result)
+      executorCallbackMap.delete(id)
+      return
+
+    case 'cleanup':
+      executorCallbackMap.delete(id)
+      return
+  }
+})
+
+function queryExecutor(resolve, reject) {
+  const id = cds.utils.uuid()
+  executorCallbackMap.set(id, result => resolve(result))
+  parentPort.postMessage({
+    id,
+    kind: 'run',
+    target: 'srv',
+    prop: 'run',
+    responseData: true,
+    args: [this]
+  })
+}
+
+module.exports = queryExecutor

package/libx/_runtime/common/generic/crud.js

@@ -61,6 +61,10 @@ exports.impl = cds.service.impl(function () {
       req.query.where(singleton)
     }
 
+    if (req.event === 'READ' && req.query?.SELECT) {
+      req.query.SELECT.localized = true
+    }
+
     if (!result) {
       result = await cds.tx(req).run(req.query, req.data)
     }

package/libx/_runtime/common/i18n/index.js

@@ -8,7 +8,7 @@ const dirs = (cds.env.i18n && cds.env.i18n.folders) || []
 const i18ns = {}
 
 function exists(args, locale) {
-  const file = path.join(process.cwd(), ...args, locale ? `messages_${locale}.properties` : 'messages.properties')
+  const file = path.join(cds.root, ...args, locale ? `messages_${locale}.properties` : 'messages.properties')
   return fs.existsSync(file) ? file : undefined
 }
 

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -11,7 +11,7 @@ const search2cqn4sql = require('./search2cqn4sql')
 const { getEntityNameFromCQN } = require('./entityFromCqn')
 const getError = require('../../common/error')
 const { rewriteAsterisks } = require('./rewriteAsterisks')
-const { getPathFromRef, getEntityFromPath } = require('../../common/utils/path')
+const { getEntityFromPath } = require('../../common/utils/path')
 const { removeIsActiveEntityRecursively } = require('../../fiori/utils/where')
 const { addRefToWhereIfNecessary } = require('../../../odata/afterburner')
 const { addAliasToExpression, PARENT_ALIAS, FOREIGN_ALIAS } = require('../../db/utils/generateAliases')
@@ -445,7 +445,7 @@ const convertWhereExists = (query, model, options, currentTarget) => {
   if (currentTarget) {
     queryTarget = getEntityFromPath({ ref }, currentTarget)
   } else {
-    queryTarget = getEntityFromPath(getPathFromRef(ref), model)
+    queryTarget = getEntityFromPath({ ref }, model)
     outerAlias = as || PARENT_ALIAS + lambdaIteration
     innerAlias = FOREIGN_ALIAS + lambdaIteration
   }
@@ -604,14 +604,19 @@ const _convertExpand = expand => {
   })
 }
 
-const _convertRefWhereInExpand = columns => {
-  if (!columns) return
+const _simplifyWhere = col => {
+  if (col.ref?.[0].where) {
+    col.where = col.ref[0].where
+    col.ref[0] = col.ref[0].id
+  }
+}
 
-  columns.forEach(col => {
-    if (col.expand && typeof col.expand !== 'string') {
-      _convertExpand(col.expand)
-    }
-  })
+const _simplifyWhereInColumns = columns => {
+  if (!columns) return
+  for (const col of columns) {
+    _simplifyWhere(col)
+    if (col.expand) _simplifyWhereInColumns(col.expand)
+  }
 }
 
 const _convertPathExpression = (query, model, options = {}) => {
@@ -742,8 +747,8 @@ const _convertSelect = (query, model, _options) => {
     _convertToOneEqNullInFilter(query.SELECT, target)
   }
 
-  // extract where clause if it is in column expand ref
-  _convertRefWhereInExpand(query.SELECT.columns)
+  // extract where clause if it is in an expand column
+  _simplifyWhereInColumns(query.SELECT.columns)
 
   // REVISIT: The following operations only work for _one_ entity.
   // We must also enable them for joins etc.