@sap/cds 6.7.2 → 6.8.2

package/lib/utils/tar.js

@@ -83,7 +83,7 @@ exports.create = async (dir='.', ...args) => {
   let c, temp
   args = args.filter(el => el)
   if (process.platform === 'win32') {
-    const spawnDir = (dir, args) => {      
+    const spawnDir = (dir, args) => {
       if (args.some(arg => arg === '-f')) return spawn ('tar', ['c', '-C', win(dir), ...win(args)])
       else return spawn ('tar', ['cf', '-', '-C', win(dir), ...win(args)])
     }
@@ -101,7 +101,7 @@ exports.create = async (dir='.', ...args) => {
     } else {
       args.push('.')
     }
-  
+
     c = spawn ('tar', ['c', '-C', dir, ...args])
   }
 
@@ -112,21 +112,15 @@ exports.create = async (dir='.', ...args) => {
      * in-memory Buffer holding the tar output, hence enabling this usage:
      * @example const buffer = await tar.c('src/dir')
      */
-    then (r,e) {
-      const bb=[]
-      const eb=[]
-      c.stdout.on('data', b => bb.push(b))
-      c.stderr.on('data', b => eb.push(b))
-      c.on('close', (code) => {
-        if (code === 0) {
-          return r(Buffer.concat(bb))
-        }
-        e(new Error('tar: ' + Buffer.concat(eb)))
-      })
-      c.on('error', e)
+    then (resolve, reject) {
+      let data=[], stderr=''
+      c.stdout.on('data', d => data.push(d))
+      c.stderr.on('data', d => stderr += d)
+      c.on('close', code => code ? reject(new Error(stderr)) : resolve(Buffer.concat(data)))
+      c.on('error', reject)
       if (process.platform === 'win32') {
-        c.on('close', async () => temp && exists(temp) && await rimraf(temp))
-        c.on('error', async () => temp && exists(temp) && await rimraf(temp))
+        c.on('close', () => temp && exists(temp) && rimraf(temp))
+        c.on('error', () => temp && exists(temp) && rimraf(temp))
       }
     },
 
@@ -143,9 +137,9 @@ exports.create = async (dir='.', ...args) => {
       }
       // Returning a thenable ChildProcess.stdout
       return {__proto__: c.stdout.pipe (out),
-        then(r,e) {
-          out.on('close',r)
-          c.on('error',e)
+        then (resolve, reject) {
+          out.on('close', code => code ? reject(code) : resolve())
+          c.on('error', reject)
         }
       }
     }
@@ -175,18 +169,21 @@ exports.extract = (archive, ...args) => ({
   to (...dest) {
     if (typeof dest === 'string') dest = _resolve(...dest)
     const input = typeof archive !== 'string' || archive == '-' ? '-' : _resolve(archive)
-    const x = spawn('tar', ['xf', win(input), '-C', win(dest), ...args])
+    const x = spawn('tar', ['xf', win(input), '-C', win(dest), ...args], { env: { COPYFILE_DISABLE: 1 }})
     if (archive === '-') return x.stdin
     if (Buffer.isBuffer(archive)) archive = require('stream').Readable.from (archive)
     if (typeof archive !== 'string') archive.pipe (x.stdin)
-    if (args.includes('-v')) {
-      var list = '';
-      ;(process.platform === 'linux' ? x.stdout : x.stderr) .on ('data', d => list+=d)
-    }
+    let stdout='', stderr=''
+    x.stdout.on ('data', d => stdout += d)
+    x.stderr.on ('data', d => stderr += d)
     return {__proto__:x,
-      then(r,e) {
-        x.on('close',()=>r(list ? list.split('\n').slice(0,-1).map(x => x.replace(/^x |\r/g,'')) : undefined))
-        x.on('error',e)
+      then (resolve, reject) {
+        x.on('close', code => {
+          if (code) return reject (new Error(stderr))
+          if (process.platform === 'linux') stdout = stderr
+          resolve (stdout ? stdout.split('\n').slice(0,-1).map(x => x.replace(/^x |\r/g,'')): undefined)
+        })
+        x.on('error', reject)
       }
     }
   },
@@ -205,11 +202,13 @@ exports.extract = (archive, ...args) => ({
 exports.list = (archive, ...more) => {
   const input = typeof archive !== 'string' ? '-' : archive === '-' ? archive : _resolve(archive)
   const x = spawn(`tar tf`, [ input, ...more ], { shell:true })
-  let list = ''; x.stdout.on ('data', d => list+=d)
+  let stdout='', stderr=''
+  x.stdout.on ('data', d => stdout += d)
+  x.stderr.on ('data', d => stderr += d)
   return {__proto__:x,
-    then(r,e) {
-      x.on('close',()=>r(list.split('\n').slice(0,-1)))
-      x.on('error',e)
+    then (resolve, reject) {
+      x.on('close', code => code ? reject(new Error(stderr)) : resolve(stdout.split('\n').slice(0,-1)))
+      x.on('error', reject)
     }
   }
 }

package/libx/_runtime/audit/Service.js

@@ -1,28 +1,73 @@
 const cds = require('../cds')
 const OutboxService = require('../messaging/Outbox')
-const v2utils = require('./utils/v2')
+const {
+  connect,
+  buildDataAccessLogs,
+  sendDataAccessLog,
+  buildDataModificationLogs,
+  sendDataModificationLog,
+  buildSecurityLog,
+  sendSecurityLog,
+  buildConfigChangeLogs,
+  sendConfigChangeLog
+} = require('./utils/v2')
 const ANONYMOUS = 'anonymous'
+const PLAN = {
+  standard: 'standard',
+  OAuth2: 'OAuth2'
+}
+
+const _getTenantAndUser = options => {
+  // REVISIT: the standard plan is deprecated/insecure
+  if (options.plan === PLAN.standard) {
+    return {
+      user: cds.context?.user?.id ?? ANONYMOUS,
+      tenant: cds.context?.tenant
+    }
+  }
+
+  return {
+    user: '$USER',
+    tenant: '$PROVIDER'
+  }
+}
 
-const _getTenantAndUser = () => ({
-  user: cds.context?.user?.id ?? ANONYMOUS,
-  tenant: cds.context?.tenant
-})
+const _getSecurityContext = () => {
+  const securityContext = cds?.context?.http?.req?.authInfo
+
+  if (!securityContext) {
+    const errorMsg =
+      '[Audit Logging]: The Programmatic API of the Audit Logging service for the OAuth2 plan (API - V2) can only be ' +
+      'called within the context of a request event handler. The authInfo property of the request interface (req.authInfo) ' +
+      "is used to get the security context required for the implementation's proper functioning."
+    throw new Error(errorMsg)
+  }
+
+  return securityContext
+}
 
 module.exports = class AuditLogService extends OutboxService {
   async init() {
     // call OutboxService's init, which handles outboxing
     await super.init()
 
-    // connect to audit log service
-    this.alc = await v2utils.connect(this.options.credentials)
+    const credentials = this.options.credentials
+    this.options.plan = !credentials || !credentials.uaa ? PLAN.standard : PLAN.OAuth2
+
+    // REVISIT: the standard plan is deprecated/insecure
+    if (this.options.plan === PLAN.standard) {
+      const auditLogClient = await connect(credentials)
+      if (auditLogClient) this.#registerOnHandlers(auditLogClient)
+      return
+    }
 
-    // register handlers, if connected
-    if (this.alc) {
-      this.on('dataAccessLog', this._dataAccessLog)
-      this.on('dataModificationLog', this._dataModificationLog)
-      this.on('securityLog', this._securityLog)
-      this.on('configChangeLog', this._configChangeLog)
+    // OAuth2 plan
+    const outbox = cds.requires['audit-log'].outbox
+    if (outbox?.kind === 'persistent-outbox' || (outbox && cds.requires.outbox?.kind === 'persistent-outbox')) {
+      throw new Error('The OAuth2 plan is not currently supported with persistent outbox')
     }
+
+    if (credentials?.uaa) this.#registerOnHandlers()
   }
 
   async emit(first, second) {
@@ -70,17 +115,36 @@ module.exports = class AuditLogService extends OutboxService {
    * impl
    */
 
-  async _dataAccessLog({ data: { accesses } }) {
-    const { tenant, user } = _getTenantAndUser()
+  #registerOnHandlers(auditLogClient) {
+    this.on('dataAccessLog', function (req) {
+      return this._dataAccessLog(req, auditLogClient)
+    })
+
+    this.on('dataModificationLog', function (req) {
+      return this._dataModificationLog(req, auditLogClient)
+    })
+
+    this.on('securityLog', function (req) {
+      return this._securityLog(req, auditLogClient)
+    })
+
+    this.on('configChangeLog', function (req) {
+      return this._configChangeLog(req, auditLogClient)
+    })
+  }
+
+  async _dataAccessLog({ data: { accesses } }, auditLogClient) {
+    const { tenant, user } = _getTenantAndUser(this.options)
 
     // build the logs
-    const { entries, errors } = v2utils.buildDataAccessLogs(this.alc, accesses, tenant, user)
+    auditLogClient = auditLogClient ?? (await connect(this.options.credentials, _getSecurityContext()))
+    const { entries, errors } = buildDataAccessLogs(auditLogClient, accesses, tenant, user)
     if (errors.length) {
       throw errors.length === 1 ? errors[0] : Object.assign(new Error('MULTIPLE_ERRORS'), { details: errors })
     }
 
     // write the logs
-    await Promise.all(entries.map(entry => v2utils.sendDataAccessLog(entry).catch(err => errors.push(err))))
+    await Promise.all(entries.map(entry => sendDataAccessLog(entry).catch(err => errors.push(err))))
 
     if (errors.length) {
       throw errors.length === 1 ? errors[0] : Object.assign(new Error('MULTIPLE_ERRORS'), { details: errors })
@@ -88,29 +152,26 @@ module.exports = class AuditLogService extends OutboxService {
   }
 
   // REVISIT: modification.action not used in auditlog v2
-  async _dataModificationLog({ data: { modifications } }) {
-    const { tenant, user } = _getTenantAndUser()
+  async _dataModificationLog({ data: { modifications } }, auditLogClient) {
+    const { tenant, user } = _getTenantAndUser(this.options)
 
     // build the logs
-    const { entries, errors } = v2utils.buildDataModificationLogs(this.alc, modifications, tenant, user)
+    auditLogClient = auditLogClient ?? (await connect(this.options.credentials, _getSecurityContext()))
+    const { entries, errors } = buildDataModificationLogs(auditLogClient, modifications, tenant, user)
     if (errors.length) {
       throw errors.length === 1 ? errors[0] : Object.assign(new Error('MULTIPLE_ERRORS'), { details: errors })
     }
 
     // write the logs
-    await Promise.all(
-      entries.map(entry => {
-        v2utils.sendDataModificationLog(entry).catch(err => errors.push(err))
-      })
-    )
+    await Promise.all(entries.map(entry => sendDataModificationLog(entry).catch(err => errors.push(err))))
 
     if (errors.length) {
       throw errors.length === 1 ? errors[0] : Object.assign(new Error('MULTIPLE_ERRORS'), { details: errors })
     }
   }
 
-  async _securityLog({ data: { action, data } }) {
-    let { tenant, user } = _getTenantAndUser()
+  async _securityLog({ data: { action, data } }, auditLogClient) {
+    let { tenant, user } = _getTenantAndUser(this.options)
 
     // cds.context may not be proper on auth-related errors -> try to extract from data
     if (!tenant && user === ANONYMOUS) {
@@ -133,28 +194,26 @@ module.exports = class AuditLogService extends OutboxService {
     }
 
     // build the log
-    const entry = v2utils.buildSecurityLog(this.alc, action, data, tenant, user)
+    auditLogClient = auditLogClient ?? (await connect(this.options.credentials, _getSecurityContext()))
+    const entry = buildSecurityLog(auditLogClient, action, data, tenant, user)
 
     // write the log
-    await v2utils.sendSecurityLog(entry)
+    await sendSecurityLog(entry)
   }
 
   // REVISIT: action and success not used in auditlog v2
-  async _configChangeLog({ data: { configurations } }) {
-    const { tenant, user } = _getTenantAndUser()
+  async _configChangeLog({ data: { configurations } }, auditLogClient) {
+    const { tenant, user } = _getTenantAndUser(this.options)
 
     // build the logs
-    const { entries, errors } = v2utils.buildConfigChangeLogs(this.alc, configurations, tenant, user)
+    auditLogClient = auditLogClient ?? (await connect(this.options.credentials, _getSecurityContext()))
+    const { entries, errors } = buildConfigChangeLogs(auditLogClient, configurations, tenant, user)
     if (errors.length) {
       throw errors.length === 1 ? errors[0] : Object.assign(new Error('MULTIPLE_ERRORS'), { details: errors })
     }
 
     // write the logs
-    await Promise.all(
-      entries.map(entry => {
-        v2utils.sendConfigChangeLog(entry).catch(err => errors.push(err))
-      })
-    )
+    await Promise.all(entries.map(entry => sendConfigChangeLog(entry).catch(err => errors.push(err))))
 
     if (errors.length) {
       throw errors.length === 1 ? errors[0] : Object.assign(new Error('MULTIPLE_ERRORS'), { details: errors })

package/libx/_runtime/audit/generic/personal/utils.js

@@ -84,37 +84,50 @@ const addDataSubject = (log, row, key, entity) => {
   }
 }
 
-const _addKeysToWhere = (entity, row) =>
-  Object.values(entity.keys)
+const _addKeysToWhere = (keys, row, alias) =>
+  keys
     .filter(key => !key.isAssociation && key.name !== 'IsActiveEntity')
     .reduce((keys, key) => {
       if (keys.length) keys.push('and')
-      keys.push({ ref: [entity.name, key.name] }, '=', { val: row[key.name] })
+      keys.push({ ref: [alias, key.name] }, '=', { val: row[key.name] })
       return keys
     }, [])
 
-const _keyColumns = entity =>
-  Object.values(entity.keys)
-    .filter(key => !key.isAssociation && key.name !== 'IsActiveEntity')
-    .map(key => key.name)
+const _keyColumns = (keys, alias) =>
+  keys.filter(key => !key.isAssociation && key.name !== 'IsActiveEntity').map(key => ({ ref: [alias, key.name] }))
+
+const _alias = entity => entity.name.replace(`${entity._service.name}.`, '').replace('.', '_')
 
 const _buildSubSelect = (model, { entity, relative, element, next }, row, previousCqn) => {
   // relative is a parent or an entity itself
-  const childCqn = SELECT.from(entity.name)
-    .columns(_keyColumns(entity))
-    .where(relative._relations[element.name].join(element._target.name, relative.name))
+
+  const keys = Object.values(entity.keys)
+
+  const entityName = entity.name
+  const as = _alias(entity)
+
+  const childCqn = SELECT.from({ ref: [entityName], as }).columns(_keyColumns(keys, as))
+
+  const targetAlias = _alias(element._target)
+  const relativeAlias = _alias(relative)
+
+  childCqn.where(relative._relations[element.name].join(targetAlias, relativeAlias))
+
   if (previousCqn) {
     childCqn.where('exists', previousCqn)
   } else {
-    childCqn.where(_addKeysToWhere(entity, row))
+    childCqn.where(_addKeysToWhere(keys, row, as))
   }
   if (next) return _buildSubSelect(model, next, {}, childCqn)
   return childCqn
 }
 
 const _getDataSubjectIdPromise = ({ dataSubjectEntity, subs }, row, req, model) => {
-  const cqn = SELECT.from(dataSubjectEntity.name)
-    .columns(_keyColumns(dataSubjectEntity))
+  const keys = Object.values(dataSubjectEntity.keys)
+  const as = _alias(dataSubjectEntity)
+
+  const cqn = SELECT.from({ ref: [dataSubjectEntity.name], as })
+    .columns(_keyColumns(keys, as))
     .where(['exists', _buildSubSelect(model, subs[0], row)])
   // entity reused in different branches => must check all
   for (let i = 1; i < subs.length; i++) {

package/libx/_runtime/audit/utils/v2.js

@@ -1,9 +1,8 @@
 const cds = require('../../cds')
 const LOG = cds.log('audit-log')
-
 const { getObjectAndDataSubject, getAttributeToLog } = require('./log')
 
-async function connect(credentials) {
+async function connect(credentials, securityContext) {
   let auditLogging
 
   try {
@@ -15,7 +14,7 @@ async function connect(credentials) {
   }
 
   try {
-    return await auditLogging.v2(credentials)
+    return await auditLogging.v2(credentials, securityContext)
   } catch (error) {
     LOG._warn && LOG.warn('Unable to initialize audit-logging client with error:', error)
     return Promise.resolve()
@@ -26,7 +25,7 @@ function sendDataAccessLog(entry) {
   return new Promise((resolve, reject) => {
     entry.log(function (err) {
       if (err && LOG._warn) {
-        err.message = 'Writing data access log failed with error: ' + err.message
+        err.message = `Writing data access log failed with error: ${err.message}`
         return reject(err)
       }
 
@@ -39,13 +38,13 @@ function sendDataModificationLog(entry) {
   return new Promise((resolve, reject) => {
     entry.logPrepare(function (err) {
       if (err) {
-        err.message = 'Preparing data modification log failed with error: ' + err.message
+        err.message = `Preparing data modification log failed with error: ${err.message}`
         return reject(err)
       }
 
       entry.logSuccess(function (err) {
         if (err) {
-          err.message = 'Writing data modification log failed with error: ' + err.message
+          err.message = `Writing data modification log failed with error: ${err.message}`
           return reject(err)
         }
 
@@ -59,7 +58,7 @@ function sendSecurityLog(entry) {
   return new Promise((resolve, reject) => {
     entry.log(function (err) {
       if (err) {
-        err.message = 'Writing security log failed with error: ' + err.message
+        err.message = `Writing security log failed with error: ${err.message}`
         return reject(err)
       }
 
@@ -72,13 +71,13 @@ function sendConfigChangeLog(entry) {
   return new Promise((resolve, reject) => {
     entry.logPrepare(function (err) {
       if (err) {
-        err.message = 'Preparing configuration change log failed with error: ' + err.message
+        err.message = `Preparing configuration change log failed with error: ${err.message}`
         return reject(err)
       }
 
       entry.logSuccess(function (err) {
         if (err) {
-          err.message = 'Writing configuration change log failed with error: ' + err.message
+          err.message = `Writing configuration change log failed with error: ${err.message}`
           return reject(err)
         }
 
@@ -88,20 +87,20 @@ function sendConfigChangeLog(entry) {
   })
 }
 
-function buildDataAccessLogs(alc, accesses, tenant, user) {
+function buildDataAccessLogs(auditLogClient, accesses, tenant, user) {
   const entries = []
   const errors = []
 
   for (const access of accesses) {
     try {
       const { dataObject, dataSubject } = getObjectAndDataSubject(access)
-      const entry = alc.read(dataObject).dataSubject(dataSubject).by(user)
+      const entry = auditLogClient.read(dataObject).dataSubject(dataSubject).by(user)
       if (tenant) entry.tenant(tenant)
       for (const each of access.attributes) entry.attribute(each)
-      for (const each of access.attachments) entry.attachment(each)
+      if (access.attachments) for (const each of access.attachments) entry.attachment(each)
       entries.push(entry)
     } catch (err) {
-      err.message = 'Building data access log failed with error: ' + err.message
+      err.message = `Building data access log failed with error: ${err.message}`
       errors.push(err)
     }
   }
@@ -109,19 +108,19 @@ function buildDataAccessLogs(alc, accesses, tenant, user) {
   return { entries, errors }
 }
 
-function buildDataModificationLogs(alc, modifications, tenant, user) {
+function buildDataModificationLogs(auditLogClient, modifications, tenant, user) {
   const entries = []
   const errors = []
 
   for (const modification of modifications) {
     try {
       const { dataObject, dataSubject } = getObjectAndDataSubject(modification)
-      const entry = alc.update(dataObject).dataSubject(dataSubject).by(user)
+      const entry = auditLogClient.update(dataObject).dataSubject(dataSubject).by(user)
       if (tenant) entry.tenant(tenant)
       for (const each of modification.attributes) entry.attribute(getAttributeToLog(each))
       entries.push(entry)
     } catch (err) {
-      err.message = 'Building data modification log failed with error: ' + err.message
+      err.message = `Building data modification log failed with error: ${err.message}`
       errors.push(err)
     }
   }
@@ -129,34 +128,34 @@ function buildDataModificationLogs(alc, modifications, tenant, user) {
   return { entries, errors }
 }
 
-function buildSecurityLog(alc, action, data, tenant, user) {
+function buildSecurityLog(auditLogClient, action, data, tenant, user) {
   let entry
 
   try {
-    entry = alc.securityMessage('action: %s, data: %s', action, data)
+    entry = auditLogClient.securityMessage('action: %s, data: %s', action, data)
     if (tenant) entry.tenant(tenant)
     if (user) entry.by(user)
   } catch (err) {
-    err.message = 'Building security log failed with error: ' + err.message
+    err.message = `Building security log failed with error: ${err.message}`
     throw err
   }
 
   return entry
 }
 
-function buildConfigChangeLogs(alc, configurations, tenant, user) {
+function buildConfigChangeLogs(auditLogClient, configurations, tenant, user) {
   const entries = []
   const errors = []
 
   for (const configuration of configurations) {
     try {
       const { dataObject } = getObjectAndDataSubject(configuration)
-      const entry = alc.configurationChange(dataObject).by(user)
+      const entry = auditLogClient.configurationChange(dataObject).by(user)
       if (tenant) entry.tenant(tenant)
       for (const each of configuration.attributes) entry.attribute(getAttributeToLog(each))
       entries.push(entry)
     } catch (err) {
-      err.message = 'Building configuration change log failed with error: ' + err.message
+      err.message = `Building configuration change log failed with error: ${err.message}`
       errors.push(err)
     }
   }

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/action.js

@@ -60,7 +60,7 @@ const action = service => {
         await tx.commit(result)
       }
 
-      if (isReturnMinimal(req) || result === null) odataRes.setStatusCode(204, { overwrite: true })
+      if (result == null || isReturnMinimal(req)) odataRes.setStatusCode(204, { overwrite: true })
       else if (req.event === 'draftActivate' || req.event === 'EDIT') {
         const keys = Object.keys(req.target.keys).filter(k => {
           return k !== 'IsActiveEntity' && !req.target.keys[k]._isAssociationStrict

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/create.js

@@ -57,7 +57,7 @@ const create = service => {
         await tx.commit(result)
       }
 
-      if (isReturnMinimal(req) || result === null) {
+      if (result == null || isReturnMinimal(req)) {
         odataRes.setStatusCode(204)
       }
     } catch (e) {

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/metadata.js

@@ -22,6 +22,8 @@ const metadata = service => {
       const { 'cds.xt.ModelProviderService': mps } = cds.services
       let edmx = mps
         ? await mps.getEdmx({ tenant, model: service.model, service: service.definition.name, locale })
+        : cds.mtx && cds.mtx.isExtended(tenant)
+        ? await cds.mtx.getEdmx(tenant, service.definition.name, locale)
         : cds.localize(
             service.model,
             locale,

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/read.js

@@ -390,8 +390,7 @@ const _readStream = async (tx, req) => {
 
 const _readSingleton = async (tx, req, lastSegment) => {
   let result = await tx.dispatch(req)
-
-  if (result === null && !req.target['@odata.singleton.nullable']) throw getError(404)
+  if (result == null && !req.target['@odata.singleton.nullable']) throw getError(404)
 
   if (lastSegment.getKind() === PRIMITIVE_PROPERTY) {
     result = result[lastSegment.getProperty().getName()]
@@ -504,7 +503,7 @@ const read = service => {
       // REVISIT: refactor _readAndTransform
       result = await _readAndTransform(tx, req, odataReq)
 
-      if (result === null) {
+      if (result == null) {
         result = { value: null }
       } else {
         _postProcess(odataReq, req, odataRes, service, result)

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/update.js

@@ -168,7 +168,7 @@ const update = service => {
         await tx.commit(result)
       }
 
-      if (isReturnMinimal(req) || result === null) {
+      if (result == null || isReturnMinimal(req)) {
         odataRes.setStatusCode(204)
       }
     } catch (e) {

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-server/batch/BatchProcessor.js

@@ -9,6 +9,7 @@ const PlainHttpResponse = require('../core/PlainHttpResponse')
 const BatchExitHandler = require('./BatchExitHandler')
 const BatchedRequestExecutor = require('./BatchedRequestExecutor')
 const BatchContext = require('./BatchContext')
+const cds = require('../../../../../../cds')
 
 /**
  * The BatchProcessor executes the batched requests and handles possible errors.
@@ -35,6 +36,7 @@ class BatchProcessor {
    * @returns {Promise} the overall result
    */
   process () {
+    if(cds.odata.batch_limit < this._batchContext.getRequestList().length) return Promise.reject({statusCode: 429, message: 'Batch request contains too many requests'})
     const request = this._batchContext.getRequest()
     const componentManager = request.getService().getComponentManager()
 

package/libx/_runtime/cds-services/adapter/odata-v4/utils/handlerUtils.js

@@ -11,12 +11,13 @@ const { DRAFT_COLUMNS_MAP } = require('../../../../common/constants/draft')
 const { SELECT } = cds.ql
 
 const _keysOf = (row, target) => {
-  const keyElements = Object.values(target.keys || {})
+  const keyElements = Object.values(target.keys || {}).filter(v => !v.virtual)
   // > singleton
   if (!keyElements.length) return
   const keys = {}
   for (const key of keyElements) {
     if (key._isAssociationStrict) continue
+    if (row[key.name] === undefined) continue // key is not in data, so ignore it
     keys[key.name] = key.elements ? { val: JSON.stringify(row[key.name]) } : row[key.name]
   }
   return keys