@sap/cds 6.8.4 → 7.0.1

package/libx/_runtime/common/generic/auth/restrict.js

@@ -146,20 +146,15 @@ const _addRestrictionsToRead = async (req, model, resolvedApplicables) => {
     req.query._draftRestrictions = resolvedApplicables
     return
   }
+  // in case of $apply take a query from sub SELECT//
+  const query = req.query.SELECT.from.SELECT?.from?.ref ? req.query.SELECT.from : req.query
 
-  if (typeof req.query.SELECT.from === 'object')
-    // in case of $apply take a ref from sub SELECT//
-    req.query.SELECT.from.ref = _addWheresToRef(
-      req.query.SELECT.from.ref || req.query.SELECT.from.SELECT?.from?.ref,
-      model,
-      resolvedApplicables
-    )
+  query.SELECT.from.ref = _addWheresToRef(query.SELECT.from.ref, model, resolvedApplicables)
 
   const restrictionForTarget = _getRestrictionForTarget(resolvedApplicables, req.target)
   if (!restrictionForTarget) return
 
-  // apply restriction
-  req.query.where(restrictionForTarget)
+  query.where(restrictionForTarget)
 }
 
 const _getFromWithIsActiveEntityRemoved = from => {
@@ -229,7 +224,7 @@ async function handler(req) {
     return
   }
 
-  let restrictions = this.getRestrictions(definition, req.event, req.user)
+  let restrictions = this.getRestrictions.call(this, definition, req.event, req.user)
   if (restrictions instanceof Promise) restrictions = await restrictions
   if (!restrictions) {
     // > unrestricted

package/libx/_runtime/common/generic/auth/restrictions.js

@@ -1,3 +1,42 @@
+const WRITE_EVENTS = { CREATE: 1, NEW: 1, UPDATE: 1, PATCH: 1, DELETE: 1, CANCEL: 1, EDIT: 1 }
+const CRUD = Object.assign({ READ: 1 }, WRITE_EVENTS)
+
+/**
+ * Returns the applicable restrictions for the current request as follows:
+ * - null: unrestricted access
+ * - []: no access
+ * - [{ grant: '...', to: ['...'], where: '...' }, ...]: applicable restrictions with grant normalized to strings,
+ *     i.e., grant: ['CREATE', 'UPDATE'] in model becomes [{ grant: 'CREATE' }, { grant: 'UPDATE' }]
+ * - Promise resovling to any of the above (needed for CAS overrides)
+ *
+ * @param {object} definition - then csn definition of an entity or an (un)bound action or function
+ * @param {string} event - the event name
+ * @param {import('../../../../lib/req/user')} user - the current user
+ * @returns {Promise | Array | null}
+ */
+function getRestrictions(definition, event, user) {
+  const { model } = this
+  let restrictions = getNormalizedRestrictions(definition, model.definitions, event)
+  if (!restrictions && (event in CRUD || !definition.parent)) {
+    // > unrestricted entity or unbound
+    return null
+  }
+  if (event in CRUD && restrictions.length && restrictions.every(r => r.grant !== '*' && !(r.grant in CRUD))) {
+    // > only bounds are restricted
+    return null
+  }
+  if (!(event in CRUD) && !restrictions && definition.parent) {
+    // > bound without own restrictions -> get from parent
+    restrictions = getNormalizedRestrictions(definition.parent, model.definitions, event)
+    if (!restrictions) {
+      // > unrestricted bound
+      return null
+    }
+  }
+  // return the applicable restrictions (grant and to fit to request and user)
+  return getApplicableRestrictions(restrictions, event, user)
+}
+
 const _getLocalName = definition => {
   return definition._service ? definition.name.replace(`${definition._service.name}.`, '') : definition.name
 }
@@ -87,6 +126,7 @@ const getNormalizedPlainRestrictions = (restrictions, definition) => {
 }
 
 module.exports = {
+  getRestrictions,
   getNormalizedRestrictions,
   getApplicableRestrictions,
   getNormalizedPlainRestrictions

package/libx/_runtime/common/generic/auth/utils.js

@@ -10,11 +10,10 @@ const reject = (req, reason = null) => {
   if (req.user._is_anonymous) {
     // REVISIT: challenges handling should be done in protocol adapter (i.e., express error middleware)
     // REVISIT: improve `req.http.req` check if this is an HTTP request
-    if (req.http?.req && req.user._challenges && req.user._challenges.length > 0) {
+    if (req.http?.res && req.user._challenges && req.user._challenges.length > 0) {
       req.http.res.set('WWW-Authenticate', req.user._challenges.join(';'))
     }
 
-    // REVISIT: security log in else case?
     return req.reject(401)
   }
 

package/libx/_runtime/common/generic/crud.js

@@ -2,25 +2,12 @@ const cds = require('../../cds')
 const { SELECT } = cds.ql
 
 const { deepCopyArray } = require('../utils/copy')
-
 const { getColumns } = require('../../cds-services/services/utils/columns')
-
+const { enhanceStreamResult } = require('../utils/stream')
 const getError = require('../error')
 
 const _targetEntityDoesNotExist = async req => {
-  const { query } = req
-  const cqn = SELECT.from(query.UPDATE.entity, [1])
-
-  if (query.UPDATE.entity.as) {
-    cqn.SELECT.from.as = query.UPDATE.entity.as
-  }
-
-  // REVISIT: compat mode for service functions .update
-  if (query.UPDATE && query.UPDATE.where) {
-    cqn.where(query.UPDATE.where)
-  }
-
-  const exists = await cds.tx(req).run(cqn)
+  const exists = await cds.tx(req).run(SELECT.from(req.subject, [1]))
   return exists.length === 0
 }
 
@@ -80,22 +67,26 @@ exports.impl = cds.service.impl(function () {
       result = await cds.tx(req).run(req.query, req.data)
     }
 
+    // regarding etag validation: we do not want to execute an additional select to distinguish between 412 and 404
+
     if (req.event === 'READ') {
       if ((result == null || result.length === 0) && pathExistsQuery) {
         const res = await pathExistsQuery
         if (res.length === 0) req.reject(404)
       }
+      if (result == null && req._etagValidationType === 'if-match') req.reject(412)
       return result
     }
 
     if (req.event === 'DELETE') {
-      if (result === 0) req.reject(404)
+      if (result === 0) req.reject(req._etagValidationType ? 412 : 404)
       return result
     }
 
     // case: no authorization check and payload more than just keys but no changes
     // -> affected rows === 0 -> no change or not exists?
     if (req.event === 'UPDATE' && result === 0 && !req._authChecked) {
+      if (req._etagValidationType) req.reject(412)
       if (await _targetEntityDoesNotExist(req)) req.reject(404)
     }
 
@@ -104,4 +95,29 @@ exports.impl = cds.service.impl(function () {
 
     return req.data
   })
+
+  this.after('READ', '*', async function ([result], req) {
+    if (req.query?._streaming) {
+      await enhanceStreamResult(req, req.query, result, this.model)
+    }
+  })
+
+  this.on('STREAM', '*', async function (req) {
+    if (typeof req.query !== 'string' && req.target && req.target._hasPersistenceSkip) {
+      throw getError({
+        code: 501,
+        message: `Entity "${req.target.name}" is annotated with "@cds.persistence.skip" and cannot be served generically.`
+      })
+    }
+
+    if (req.query.STREAM.from) {
+      return { value: await cds.tx(req).run(req.query, req.data) }
+    } else {
+      return await cds.tx(req).run(req.query, req.data)
+    }
+  })
+
+  this.after(['STREAM'], '*', async function ([result], req) {
+    if (req.query.STREAM.from) await enhanceStreamResult(req, req.query, result, this.model)
+  })
 })

package/libx/_runtime/common/generic/etag.js

@@ -1,76 +1,66 @@
 const cds = require('../../cds')
 const { SELECT } = cds.ql
 
-// REVISIT: draft should not be handled here, e.g., target.name should be adjusted before
-const { isActiveEntityRequested } = require('../../fiori/utils/where')
-const { ensureDraftsSuffix } = require('../../fiori/utils/handler')
-const { cqn2cqn4sql } = require('../../common/utils/cqn2cqn4sql')
-const { isAsteriskColumn } = require('../../common/utils/rewriteAsterisks')
-const { resolveView } = require('../utils/resolveView')
-
-const C_U_ = {
-  CREATE: 1,
-  UPDATE: 1
-}
+const { convertPathExpressionToWhere } = require('../utils/cqn2cqn4sql')
+const { addEtagColumns } = require('../utils/etag')
 
-const getRequestedTarget = query => {
-  if (query.SELECT) {
-    return query.SELECT.from
-  } else if (query.UPDATE) {
-    return query.UPDATE.entity
-  } else {
-    return query.DELETE.from
+const _getMatchHeaders = req => {
+  return {
+    ifMatch: req.headers['if-match']?.replace(/^"\*"$/, '*'),
+    ifNoneMatch: req.headers['if-none-match']?.replace(/^"\*"$/, '*')
   }
 }
 
-const getSelectCQN = (query, target, model, isActive, etag) => {
-  const targetName = isActive ? target.name : ensureDraftsSuffix(target.name)
-  const cqn = cqn2cqn4sql(SELECT.from(getRequestedTarget(query)), model)
-  cqn.columns([etag || target._etag.name])
-  cqn.SELECT.from.ref[0] = targetName
-
-  return cqn
+const _parseHeaderEtagValue = value => {
+  return value.split(',').map(str => {
+    let result = str.trim()
+    if (result === '*') return result
+    if (result.startsWith('W/')) result = result.substring(2)
+    return result.startsWith('"') && result.endsWith('"') ? result.substring(1, result.length - 1) : null
+  })
 }
 
-/**
-Recursively adds etag columns if a manual list of columns is specified.
-If asterisk columns or no columns are given, the database layer will
-add the etag columns anyway.
-*/
-const _addEtagColumns = (columns, entity) => {
-  if (!columns || !Array.isArray(columns)) return
-  if (
-    entity._etag &&
-    !columns.some(c => isAsteriskColumn(c)) &&
-    !(columns.length === 1 && columns[0].func === 'count') &&
-    !columns.some(c => c.ref && c.ref[c.ref.length - 1] === entity._etag.name)
-  ) {
-    columns.push({ ref: [entity._etag.name] })
-  }
-  const expands = columns.filter(c => c.expand)
-  for (const expand of expands) {
-    const refName = expand.ref[expand.ref.length - 1]
-    const targetEntity = refName && entity.elements[refName] && entity.elements[refName]._target
-    if (targetEntity) {
-      _addEtagColumns(expand.expand, targetEntity)
+const _getValidationStmt = (ifMatchEtags, ifNoneMatchEtags, req, model) => {
+  const etagElement = req.target.elements[req.target._etag.name]
+
+  const { target, alias, where } = convertPathExpressionToWhere(req.subject, model, { tableAliasPrefix: 'ETAG_' })
+  const select = SELECT.from(target).columns(1).where(where)
+  if (alias) select.SELECT.from.as = alias
+  // tell resolveView to leave this select alone
+  select._doNotResolve = true
+  // tell db layer that this is a subselect for etag validation
+  // hacky solution for gap in @sap/hana-client
+  select._etagValidation = true
+
+  const cond = []
+  if (ifMatchEtags) {
+    if (ifMatchEtags.includes('*')) return true
+    // HANA does not allow malformed time values in prepared statements
+    if (etagElement.type === 'cds.Timestamp' || etagElement.type === 'cds.DateTime') {
+      ifMatchEtags = ifMatchEtags.filter(val => new Date(val).toString() !== 'Invalid Date')
+      if (!ifMatchEtags.length) return false
     }
+
+    cond.push({ ref: alias ? [alias, etagElement.name] : [etagElement.name] })
+    if (ifMatchEtags.length === 1) cond.push('=', { val: ifMatchEtags[0] })
+    else cond.push('in', { list: ifMatchEtags.map(val => ({ val })) })
+  } else {
+    if (ifNoneMatchEtags.includes('*')) return false
+    // if a malformed time value is present, it cannot match -> precondition true
+    if (
+      (etagElement.type === 'cds.Timestamp' || etagElement.type === 'cds.DateTime') &&
+      ifNoneMatchEtags.some(val => new Date(val).toString() === 'Invalid Date')
+    ) {
+      return true
+    }
+
+    cond.push({ ref: alias ? [alias, etagElement.name] : [etagElement.name] })
+    if (ifNoneMatchEtags.length === 1) cond.push('!=', { val: ifNoneMatchEtags[0] })
+    else cond.push('not', 'in', { list: ifNoneMatchEtags.map(val => ({ val })) })
   }
-}
+  if (!cond.length) return
 
-const _isConcurrentODataReq = req => {
-  const isReadAfterDraftAction =
-    req.event === 'READ' && req.target._isDraftEnabled && req.context.event in { draftActivate: 1, EDIT: 1 }
-  // It's allowed to also delete drafts when actives are deleted
-  if (
-    cds.env.fiori?.lean_draft &&
-    req.event === 'READ' &&
-    req.context.event === 'DELETE' &&
-    req.target?.name.endsWith('.drafts') &&
-    !req.context?.target?.name.endsWith('.drafts')
-  )
-    return
-  const _req = isReadAfterDraftAction ? req.context : req
-  return _req._isOData && _req.isConcurrentResource
+  return select.where(cond)
 }
 
 /**
@@ -78,71 +68,110 @@ const _isConcurrentODataReq = req => {
  *
  * @param req
  */
-const commonGenericEtag = async function (req) {
-  // REVISIT: The check for ODataRequest should be removed after etag logic is moved
-  // from okra to commons and etag handling is also allowed for rest.
-
-  if (_isConcurrentODataReq(req)) {
-    const etagElement = req.target.elements[req.target._etag.name]
-
-    // automatically add etag columns if not already there
-    if (req.query.SELECT) _addEtagColumns(req.query.SELECT.columns, req.target)
-
-    // validate
-    if (req.isConditional && !req.query.INSERT) {
-      let cqn
-      const isActive = isActiveEntityRequested(getRequestedTarget(req.query).ref[0].where)
-      if ((req.query.UPDATE || req.query.DELETE) && isActive) {
-        const query_ = resolveView(req.query, this.model, cds.db)
-        const transition = (query_.UPDATE && query_.UPDATE._transitions[0]) || query_.DELETE._transitions[0]
-        const etag = transition.mapping.get(req.target._etag.name).ref[0]
-        cqn = getSelectCQN(query_, transition.target, this.model, isActive, etag).forUpdate()
-      } else {
-        cqn = getSelectCQN(req.query, req.target, this.model, isActive)
-      }
+const commonGenericValidateETag = async function (req) {
+  /*
+   * currently, etag is only supported for OData requests
+   * REST requests should be added later
+   * other protocols, such as graphql, need to be checked
+   */
+  if (req.protocol !== 'odata-v4') return
+
+  // automatically add etag columns if not already there
+  if (req.query.SELECT) addEtagColumns(req.query.SELECT.columns, req.target)
+
+  // querying a collection?
+  if (req.event === 'READ' && !req.query.SELECT.one) return
+
+  // etag provided?
+  const { ifMatch, ifNoneMatch } = _getMatchHeaders(req)
+  if (!ifMatch && !ifNoneMatch) {
+    if (req.event === 'READ') return // > ok and nothing more to do
+    req.reject(428) // > on writes, an etag must be provided
+  }
 
-      const result = await cds.tx(req).run(cqn)
+  // normalize
+  const ifMatchEtags = ifMatch && _parseHeaderEtagValue(ifMatch)
+  const ifNoneMatchEtags = ifNoneMatch && _parseHeaderEtagValue(ifNoneMatch)
 
-      if (result.length === 1) {
-        const etag = Object.values(result[0])[0]
-        req.validateEtag(etag == null ? 'null' : etag)
-      } else {
-        req.validateEtag('*')
-      }
-    }
+  // get select for validation
+  const validationStmt = _getValidationStmt(ifMatchEtags, ifNoneMatchEtags, req, this.model)
 
-    // generate new etag, if UUID
-    if (C_U_[req.event] && etagElement.isUUID) {
-      req.data[etagElement.name] = cds.utils.uuid()
+  // shortcuts
+  if (validationStmt === true) {
+    // wildcard -> nothing to do
+    return
+  } else if (validationStmt === false) {
+    // never true -> reject
+    req.reject(412)
+  }
+
+  // bound action or CRUD?
+  if (req.event === 'EDIT' || (req.target.actions && req.event in req.target.actions)) {
+    // REVISIT: how to not directly access db?
+    if (cds.db) {
+      const result = await cds.tx(req).run(validationStmt)
+      if (!result.length) req.reject(412)
     }
+  } else if (validationStmt) {
+    // add where clause for validation
+    const validationClause = ['exists', validationStmt]
+    req.query.where(validationClause)
+    // HACK for current draft impl
+    req._etagValidationClause = validationClause
+    req._etagValidationType = ifMatchEtags ? 'if-match' : 'if-none-match'
   }
 }
 
 /**
- * handler registration
+ * adds a new uuid for the etag element to the request payload
  *
+ * @param req
+ */
+const commonGenericGenerateETag = function (req) {
+  const etagElement = req.target.elements[req.target._etag.name]
+  req.data[etagElement.name] = cds.utils.uuid()
+}
+
+/**
+ * handler registration
  */
 /* istanbul ignore next */
 module.exports = cds.service.impl(function () {
-  commonGenericEtag._initial = true
+  commonGenericValidateETag._initial = true
+  commonGenericGenerateETag._initial = true
 
   for (const k in this.entities) {
     const entity = this.entities[k]
 
     if (!entity._etag) continue
 
-    // handler for CREATE is registered for backwards compatibility w.r.t. ETag generation
-    let events = ['CREATE', 'READ', 'UPDATE', 'DELETE']
-
-    // if odata and fiori is separated, this will not be needed in the odata version
     if (entity._isDraftEnabled) {
-      events = ['READ', 'NEW', 'DELETE', 'PATCH', 'EDIT', 'CANCEL']
+      if (cds.env.fiori?.lean_draft) {
+        this.before(['READ', 'DELETE'], entity, commonGenericValidateETag)
+        // if draft compat is on, the read handler is automatically registered for <entity> and <entity>.drafts
+        const events = cds.env.fiori.draft_compat ? ['UPDATE', 'CANCEL'] : ['READ', 'UPDATE', 'CANCEL']
+        this.before(events, entity.drafts, commonGenericValidateETag)
+      } else {
+        this.before(['READ', 'PATCH', 'CANCEL', 'DELETE'], entity, commonGenericValidateETag)
+      }
+    } else {
+      this.before(['READ', 'UPDATE', 'DELETE'], entity, commonGenericValidateETag)
     }
 
-    this.before(events, entity, commonGenericEtag)
-
     for (const action in entity.actions) {
-      this.before(action, entity, commonGenericEtag)
+      // etag not applicable to functions and unbound actions
+      if (entity.actions[action].kind !== 'action') continue
+      if (entity._isDraftEnabled) {
+        let _entity = entity
+        if (cds.env.fiori?.lean_draft) _entity = action === 'draftEdit' ? entity : entity.drafts
+        this.before(action === 'draftEdit' ? 'EDIT' : action, _entity, commonGenericValidateETag)
+      } else {
+        this.before(action, entity, commonGenericValidateETag)
+      }
     }
+
+    // for backwards compatibility w.r.t. ETag generation if type UUID
+    const etagElement = entity.elements[entity._etag.name]
+    if (etagElement.isUUID) this.before(['CREATE', 'UPDATE', 'NEW'], entity, commonGenericGenerateETag)
   }
 })

package/libx/_runtime/common/generic/input.js

@@ -42,18 +42,6 @@ const _isDraftCoreComputed = (req, element, event) =>
   req._.event === 'draftActivate' &&
   !((event === 'CREATE' && element['@cds.on.insert']) || element['@cds.on.update'])
 
-const _isStreamingProperty = (elements, row, property) =>
-  Object.values(elements).some(
-    element => element['@Core.MediaType'] && element['@Core.MediaType']['='] === property && row[element.name]
-  )
-
-const _getMediaTypeValue = () => {
-  const ctx = cds.context
-  return (
-    !ctx?.http?.req?.headers?.['content-type']?.match(/json|multipart/i) && ctx?.http?.req?.headers?.['content-type']
-  )
-}
-
 const _preProcessAssertTarget = (assocInfo, assertMap) => {
   const { element: assoc, row } = assocInfo
   const assocTarget = assoc._target
@@ -147,14 +135,6 @@ const _processCategory = (req, category, value, elementInfo, assertMap) => {
   if ((event === 'UPDATE' || event === 'CREATE') && category === '@assert.target') {
     _preProcessAssertTarget(elementInfo, assertMap)
   }
-
-  // set media type from content-type header if streaming
-  if (category === 'stream') {
-    if (_isStreamingProperty(element.parent.elements, row, key)) {
-      const mtValue = _getMediaTypeValue()
-      if (mtValue) row[key] = mtValue
-    }
-  }
 }
 
 const _getProcessorFn = (req, errors, assertMap) => {
@@ -186,7 +166,12 @@ const _pick = element => {
     categories.push({ category: 'propagateForeignKeys' })
   }
 
-  if (element['@assert.range'] || element['@assert.enum'] || element['@assert.format']) {
+  if (
+    element['@assert.range'] ||
+    element['@assert.enum'] ||
+    element['@assert.format'] ||
+    element.type === 'cds.Decimal'
+  ) {
     categories.push('assert')
   }
 

package/libx/_runtime/common/generic/put.js

@@ -24,7 +24,7 @@ const _fillStructure = (row, parts, element, category, args) => {
 }
 
 const _getProcessorFn = req => {
-  const REST = req._isRest
+  const REST = req.protocol === 'rest'
 
   return ({ row, key, element, plain }) => {
     if (!row || row[key] !== undefined) return

package/libx/_runtime/common/generic/stream.js

@@ -0,0 +1,52 @@
+const { isNewStream } = require('../utils/stream')
+
+const cds = require('../../cds')
+
+const _getStreamingProperties = elements => {
+  const result = []
+  for (const key in elements) {
+    const element = elements[key]
+    if (typeof element['@Core.MediaType'] === 'object') {
+      result.push({ stream: key, type: element['@Core.MediaType']['='] })
+    }
+  }
+
+  return result
+}
+
+const _getMediaTypeValue = () => {
+  const ctx = cds.context
+  return (
+    !ctx?.http?.req?.headers?.['content-type']?.match(/json|multipart/i) && ctx?.http?.req?.headers?.['content-type']
+  )
+}
+
+function _addContentType(req, mtValue) {
+  if (!req.data) return
+  const streamProp = _getStreamingProperties(req.target.elements).find(prop => req.data[prop.stream])
+  if (streamProp) req.data[streamProp.type] = mtValue
+}
+
+async function _addContentTypeStream(req, mtValue) {
+  if (req.query.UPDATE || req.query.STREAM?.from) return
+  if (req.target._hasPersistenceSkip) return
+  const streamProp = _getStreamingProperties(req.target.elements).find(prop => req.query.STREAM.column === prop.stream)
+  // REVISIT: move this update to after handler and add etag
+  if (streamProp) await UPDATE.entity(req.query.STREAM.into).data({ [streamProp.type]: mtValue })
+}
+
+async function addContentType(req) {
+  if (!req.query || !req.target) return
+  const mtValue = _getMediaTypeValue()
+  if (!mtValue) return
+
+  if (isNewStream()) {
+    _addContentTypeStream(req, mtValue)
+  } else {
+    _addContentType(req, mtValue)
+  }
+}
+
+module.exports = cds.service.impl(function () {
+  this.before(['PATCH', 'UPDATE', 'STREAM'], '*', addContentType)
+})

package/libx/_runtime/common/generic/temporal.js

@@ -1,10 +1,11 @@
 const cds = require('../../cds')
+const normalizeTimestamp = require('../utils/normalizeTimestamp')
 
 const _getDateFromQueryOptions = str => {
   if (str) {
     const match = str.match(/^date'(.+)'$/)
     // REVISIT: What happens with invalid date values in query parameter? if match.length > 1
-    return new Date(match ? match[1] : str)
+    return normalizeTimestamp(match ? match[1] : str)
   }
 }
 
@@ -51,15 +52,31 @@ const commonGenericTemporal = function (req) {
 
   if (_isAsOfNow(_queryOptions)) {
     const date = new Date()
-    _['VALID-FROM'] = date
-    _['VALID-TO'] = new Date(date.getTime() + _getTimeDelta(req.target))
+    _['VALID-FROM'] = normalizeTimestamp(date)
+    _['VALID-TO'] = normalizeTimestamp(date.getTime() + _getTimeDelta(req.target))
   } else if (_queryOptions['sap-valid-at']) {
-    const date = _getDateFromQueryOptions(_queryOptions['sap-valid-at'])
-    _['VALID-FROM'] = date
-    _['VALID-TO'] = new Date(date.getTime() + _getTimeDelta(req.target, _queryOptions['sap-valid-at']))
+    const dateAsIsoString = _getDateFromQueryOptions(_queryOptions['sap-valid-at'])
+    _['VALID-FROM'] = dateAsIsoString
+
+    if (cds.env.features.precise_timestamps) {
+      const nanos = dateAsIsoString.slice(-5)
+      // we would lose the nano precision here, so we just cut it off before and attach it again here
+      _['VALID-TO'] =
+        normalizeTimestamp(
+          new Date(dateAsIsoString).getTime() + _getTimeDelta(req.target, _queryOptions['sap-valid-at'])
+        ).slice(0, -5) + nanos
+    } else {
+      _['VALID-TO'] = normalizeTimestamp(
+        new Date(dateAsIsoString).getTime() + _getTimeDelta(req.target, _queryOptions['sap-valid-at'])
+      )
+    }
   } else if (_queryOptions['sap-valid-from'] || _queryOptions['sap-valid-to']) {
-    _['VALID-FROM'] = _getDateFromQueryOptions(_queryOptions['sap-valid-from']) || new Date('0001-01-01T00:00:00.000Z')
-    _['VALID-TO'] = _getDateFromQueryOptions(_queryOptions['sap-valid-to']) || new Date('9999-12-31T23:59:59.999Z')
+    _['VALID-FROM'] = normalizeTimestamp(
+      _getDateFromQueryOptions(_queryOptions['sap-valid-from'] ?? normalizeTimestamp('0001-01-01T00:00:00.0000000Z'))
+    )
+    _['VALID-TO'] = normalizeTimestamp(
+      _getDateFromQueryOptions(_queryOptions['sap-valid-to'] ?? normalizeTimestamp('9999-12-31T23:59:59.9999999Z'))
+    )
   }
 }
 

package/libx/_runtime/common/i18n/messages.properties

@@ -45,9 +45,7 @@ ASSERT_FORMAT=Value "{0}" is not in specified format "{1}"
 ASSERT_DATA_TYPE=Value {0} is invalid according to type definition "{1}"
 ASSERT_ENUM=Value {0} is invalid according to enum declaration {{1}}
 ASSERT_NOT_NULL=Value is required
-ASSERT_REFERENCE_INTEGRITY=Reference integrity is violated for association "{0}"
 ASSERT_TARGET="Value doesn't exist"
-ASSERT_DEEP_ASSOCIATION=It is not allowed to modify sub documents in {0} Association "{1}"
 
 # db
 NO_DATABASE_CONNECTION=No database connection

package/libx/_runtime/common/utils/cqn.js

@@ -83,7 +83,7 @@ function isPathToDraft(path, model) {
   for (const r of path) {
     if (r.id) {
       const isaIndex = r.where.findIndex(ele => ele.ref && ele.ref[0] === 'IsActiveEntity')
-      if (isaIndex) draft = !r.where[isaIndex + 2].val
+      if (isaIndex !== -1) draft = !r.where[isaIndex + 2].val
       current = current ? definitions[current.elements[r.id].target] : definitions[r.id]
     } else {
       if (r === 'SiblingEntity') draft = !!draft