@sap/cds 7.7.3 → 7.8.0

package/libx/odata/middleware/update.js

@@ -1,9 +1,8 @@
 const cds = require('../../../')
 const { INSERT, UPDATE } = cds.ql
 
-const { toODataResult } = require('../utils/result')
-const { odataError, getKeysFromPath } = require('../utils')
-
+const { toODataResult, postProcess } = require('../utils/result')
+const { getKeysAndParamsFromPath, handleSapMessages } = require('../utils')
 const { deepCopy } = require('../../_runtime/common/utils/copy')
 
 // REVISIT: move to or rewrite in libx/odata
@@ -43,33 +42,40 @@ const _isNavigationWithKeyInParent = (keys, data, pathExpression, model) => {
   return parent && navElement && where
 }
 
-const _hasEtag = target => target._etag
-
 module.exports = srv =>
   function update(req, res, next) {
-    const { _query: query } = req
-
+    // REVISIT: better solution for _propertyAccess
     const {
-      SELECT: { one, from }
-    } = query
+      SELECT: { one, from },
+      target,
+      _propertyAccess
+    } = req._query
 
     // REVISIT: patch on collection is allowed in odata 4.01
     if (!one) {
-      return res.status(405).json(odataError('405', `Method ${req.method} not allowed for ENTITY.COLLECTION`))
+      // REVISIT: don't use "ENTITY.COLLECTION" as that's an okra term
+      throw Object.assign(new Error(`Method ${req.method} not allowed for ENTITY.COLLECTION`), {
+        statusCode: 405
+      })
     }
 
-    // REVISIT: better
-    const isPropertyAccess = !!query._propertyAccess
-
-    const updateData = isPropertyAccess ? { [query._propertyAccess]: req.body.value } : deepCopy(req.body)
+    if (_propertyAccess && req.method === 'PATCH') {
+      throw Object.assign(new Error(`Method ${req.method} not allowed for PRIMITIVE.PROPERTY`), {
+        statusCode: 405
+      })
+    }
 
-    if (!isPropertyAccess) {
-      // add keys from url into payload (overwriting if already present)
-      Object.assign(updateData, getKeysFromPath(from, srv))
+    // payload & params
+    let data = _propertyAccess ? { [_propertyAccess]: req.body.value } : deepCopy(req.body)
+    const { keys, params } = getKeysAndParamsFromPath(from, srv)
+    // add keys from url into payload (overwriting if already present)
+    if (!_propertyAccess) Object.assign(data, keys)
 
+    // assert payload
+    if (!_propertyAccess) {
       // assert complex
       const assertOptions = { filter: true, http: { req }, mandatories: req.method === 'PUT' || undefined }
-      const errs = cds.assert(updateData, query.target, assertOptions)
+      const errs = cds.assert(data, target, assertOptions)
       if (errs) {
         if (errs.length === 1) throw errs[0]
         throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
@@ -78,88 +84,118 @@ module.exports = srv =>
       // TODO: assert primitive
     }
 
-    const updateQuery = UPDATE.entity(from).with(updateData)
+    // query
+    let query = UPDATE.entity(from).with(data)
+
+    // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
+    let cdsReq = new cds.Request({ query, params, req, res })
+    Object.defineProperty(cdsReq, 'protocol', { value: 'odata-v4' })
 
-    // we need the cds request, so we can access req._.readAfterWrite
-    const cdsReq = new cds.Request({ query: updateQuery })
+    let crudEvent = 'UPDATE'
 
     // REVISIT: adjust in getter?
     if (req.method === 'PUT') cdsReq.method = 'PUT'
 
     // rewrite event for draft-enabled entities
-    if (query.target._isDraftEnabled) cdsReq.event = 'PATCH'
+    if (target._isDraftEnabled) cdsReq.event = 'PATCH'
 
+    // REVISIT: only via srv.run in combination with srv.dispatch inside
+    //          we automatically either use a single auto-managed tx for the req (i.e., insert and read after write in same tx)
+    //          or the auto-managed tx opened for the respective atomicity group, if exists
     return srv
-      .dispatch(cdsReq)
-      .then(async result => {
-        if (!(isPropertyAccess && !_hasEtag(query.target)) && cdsReq._.readAfterWrite) {
-          // TODO see if in old odata impl for other checks that should happen
-          result = await readAfterWrite(cdsReq, srv, { operation: { result } })
-        }
+      .run(() => {
+        return srv
+          .dispatch(cdsReq)
+          .catch(async e => {
+            // if no UPSERT is allowed, continue with error
+            const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
+
+            const isForcedInsert =
+              (e.code === 412 || e.status === 412 || e.statusCode === 412) && req.headers['if-none-match'] === '*'
+
+            if (
+              _propertyAccess ||
+              !((is404 || isForcedInsert) && _isUpsertAllowed({ target, data, event: req.method }))
+            ) {
+              throw e
+            }
+
+            // PUT / PATCH with if-match header means "only if already exists" -> no insert if it does not
+            if (req.headers['if-match']) throw Object.assign(new Error('412'), { statusCode: 412 })
+
+            // check only works with req.body and not with updateDate
+            if (_isNavigationWithKeyInParent(target.keys, req.body, from, srv.model)) {
+              // REVISIT: better error message
+              throw Object.assign(new Error('Unprocessable Content'), { statusCode: 422 })
+            }
+
+            // REVISIT:
+            //   can we somehow "replay" the request with POST?
+            //   or should we call the create handler directly?
+
+            // payload & params
+            data = deepCopy(req.body)
+            // add keys from url into payload (overwriting if already present)
+            Object.assign(data, keys)
+
+            // assert payload
+            const assertOptions = { filter: true, http: { req }, mandatories: true }
+            const errs = cds.assert(data, target, assertOptions)
+            if (errs) {
+              if (errs.length === 1) throw errs[0]
+              throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
+            }
+
+            crudEvent = 'CREATE'
+
+            // query
+            // REVISIT: up_XX needs to be looked up -> composition of aspect
+            query = INSERT.into(from).entries(data)
+
+            // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
+            cdsReq = new cds.Request({ query: query, params, req, res })
+
+            return srv.dispatch(cdsReq)
+          })
+          .then(result => {
+            // REVISIT: not great, but avoids try catch in catch callback above
+            if (result.constructor.name === 'ServerResponse') return
+            handleSapMessages(cdsReq, req, res)
+
+            // TODO: any other checks needed?
+            if (cdsReq._.readAfterWrite && !(_propertyAccess && !target._etag))
+              return readAfterWrite(cdsReq, srv, { operation: { result } })
+
+            return result
+          })
+      })
+      .then(result => {
+        // we use an extra then block, after getting the result, so the transaction is commited, before sending the response
 
         // REVISIT: metaInfo needs original query in case of property access, but why?
-        const info = metaInfo(isPropertyAccess ? query : updateQuery, 'UPDATE', srv, result, req)
-
-        if (
-          result == null ||
-          req._preferReturn === 'minimal' ||
-          (isPropertyAccess && result[query._propertyAccess] == null) ||
-          info.metadata.isStream
-        )
+        const info = metaInfo(_propertyAccess ? req._query : query, crudEvent, srv, result, req)
+
+        if (result == null) return res.sendStatus(204)
+
+        const isMinimal = req._preferReturn === 'minimal'
+        postProcess(cdsReq.target, srv, result, isMinimal)
+        if (result['$etag']) res.set('etag', result['$etag'])
+
+        if (crudEvent === 'CREATE') {
+          // UPSERT
+          return res
+            .set('Content-Type', 'application/json;IEEE754Compatible=true')
+            .status(201)
+            .send(toODataResult(result, info))
+        }
+
+        if (isMinimal || (query._propertyAccess && result[query._propertyAccess] == null) || info.metadata.isStream) {
           return res.sendStatus(204)
+        }
 
         result = toODataResult(result, info)
-        return res.send(result)
-      })
-      .catch(async e => {
-        // UPSERT
-        const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
-        if (
-          is404 &&
-          !isPropertyAccess &&
-          _isUpsertAllowed({ target: query.target, data: updateData, event: req.method })
-        ) {
-          // PUT / PATCH with if-match header means "only if already exists" -> no insert if it does not
-          if (req.headers['if-match']) throw Object.assign(new Error('412'), { statusCode: 412 })
-
-          // check only works with req.body and not with updateDate
-          if (_isNavigationWithKeyInParent(query.target.keys, req.body, from, srv.model)) {
-            // REVISIT: better error message
-            return res.status(422).json(odataError('422', `Unprocessable Entity`))
-          }
-
-          // REVISIT:
-          //   can we somehow "replay" the request with POST?
-          //   or should we call the create handler directly?
-
-          const insertData = deepCopy(req.body)
-
-          // add keys from url into payload (overwriting if already present)
-          Object.assign(insertData, getKeysFromPath(from, srv))
-
-          // assert payload
-          const assertOptions = { filter: true, http: { req }, mandatories: true }
-          const errs = cds.assert(insertData, query.target, assertOptions)
-          if (errs) {
-            if (errs.length === 1) throw errs[0]
-            throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
-          }
-
-          // REVISIT: up_XX needs to be looked up -> composition of aspect
-          const insertQuery = INSERT.into(from).entries(insertData)
-          const cdsReq = new cds.Request({ query: insertQuery })
-          let result = await srv.dispatch(cdsReq)
-
-          if (cdsReq._.readAfterWrite) {
-            // TODO see if in old odata impl for other checks that should happen
-            result = await readAfterWrite(cdsReq, srv, { operation: { result } })
-          }
-
-          const info = metaInfo(insertQuery, 'CREATE', srv, result, req)
-          result = toODataResult(result, info)
-          return res.status(201).send(result)
-        }
-        throw e
+
+        return res.set('Content-Type', 'application/json;IEEE754Compatible=true').send(result)
       })
       .catch(next)
   }

package/libx/odata/parse/afterburner.js

@@ -1,6 +1,6 @@
 const cds = require('../../../')
 
-const { where2obj, resolveFromSelect } = require('../../_runtime/common/utils/cqn')
+const { where2obj, resolveFromSelect, targetFromPath } = require('../../_runtime/common/utils/cqn')
 const { findCsnTargetFor } = require('../../_runtime/common/utils/csn')
 const normalizeTimestamp = require('../../_runtime/common/utils/normalizeTimestamp')
 const { rewriteExpandAsterisk } = require('../../_runtime/common/utils/rewriteAsterisks')
@@ -304,7 +304,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
       // REVISIT: replace use case: <namespace>.<entity>_history is at <namespace>.<entity>.history
       current = _getDefinition(current, seg, namespace) || _getDefinition(current, seg.replace(/_/g, '.'), namespace)
       // REVISIT: 404 or 400?
-      if (!current) cds.error(`Invalid resource path "${path}"`, { code: 404 })
+      if (!current) cds.error(`Invalid resource path "${path}"`, { code: '404', statusCode: 404 })
 
       if (current.params && current.kind === 'entity') {
         // > View with params
@@ -333,8 +333,8 @@ function _processSegments(from, model, namespace, cqn, protocol) {
         if (ref[i + 1] !== 'Set') {
           // /Set is missing
           throw cds.error(`Invalid call to "${current.name}". You need to navigate to Set`, {
-            statusCode: 400,
-            code: 400
+            code: '400',
+            statusCode: 400
           })
         }
         ref[++i] = null
@@ -479,6 +479,13 @@ function _removeDuplicateAsterisk(columns) {
   }
 }
 
+const _structProperty = (ref, target) => {
+  if (target.elements && target.kind === 'element') {
+    return _structProperty(ref.slice(1), target.elements[ref[0]])
+  }
+  return target
+}
+
 function _processColumns(cqn, target, protocol) {
   if (cqn.SELECT.from.SELECT) _processColumns(cqn.SELECT.from, target)
 
@@ -530,7 +537,7 @@ const _checkAllKeysProvided = (params, entity) => {
   if (isView) {
     // view with params
     if (params === undefined) {
-      throw cds.error(`Invalid call to "${entity.name}". You need to navigate to Set`, { statusCode: 400, code: 400 })
+      throw cds.error(`Invalid call to "${entity.name}". You need to navigate to Set`, { code: '400', statusCode: 400 })
     } else if (Object.keys(params).length === 0) {
       throw new Error('KEY_EXPECTED')
     }
@@ -560,39 +567,120 @@ const _checkAllKeysProvided = (params, entity) => {
   }
 }
 
-function _cleanupIgnoredXpr(xpr, ignoredColumns, target, isOne) {
-  if (!xpr) return
+const _doesNotExistError = (isExpand, refName, targetName) => {
+  if (isExpand) {
+    throw Object.assign(new Error(`Navigation property '${refName}' is not defined in '${targetName}'`), {
+      statusCode: 400
+    })
+  } else {
+    throw Object.assign(new Error(`Property '${refName}' does not exist in '${targetName}'`), { statusCode: 400 })
+  }
+}
+
+function _validateXpr(xpr, ignoredColumns, target, isOne, model, aliases = []) {
+  if (!xpr) return []
+
+  const _aliases = []
 
   for (const x of xpr) {
+    if (x.as) _aliases.push(x.as)
+
     if (x.xpr) {
-      _cleanupIgnoredXpr(x.xpr, ignoredColumns, target, isOne)
+      _validateXpr(x.xpr, ignoredColumns, target, isOne, model)
       continue
     }
 
-    if (x.ref && ignoredColumns.includes(x.ref[0])) {
-      cds.error(
-        `Property '${x.ref}' does not exist in type '${
-          isOne ? target.name.replace(`${target._service.name}.`, '') : target.name
-        }'`,
-        {
-          code: 400
+    if (x.ref) {
+      const refName = x.ref[0].id ?? x.ref[0]
+
+      if (x.ref[0].where) {
+        const element = target.elements[refName]
+
+        if (!element) {
+          _doesNotExistError(true, refName, target.name)
         }
-      )
+        _validateXpr(x.ref[0].where, ignoredColumns, element._target ?? element.items, isOne, model)
+      }
+
+      if (ignoredColumns.includes(refName) || (!target.elements[refName] && !aliases.includes(refName))) {
+        _doesNotExistError(x.expand, refName, target.name)
+      } else if (x.ref.length > 1) {
+        const element = target.elements[refName]
+
+        if (element.isAssociation) {
+          // navigation
+          const _target = element._target
+          const _ignoredColumns = Object.values(_target.elements ?? {})
+            .filter(element => element['@cds.api.ignore'])
+            .map(element => element.name)
+          if (element.is2one) {
+            _validateXpr([{ ref: x.ref.slice(1) }], _ignoredColumns, _target, false, model)
+          } else {
+            _validateXpr([{ ref: x.ref.slice(1) }], _ignoredColumns, _target, false, model)
+          }
+        } else if (element.kind === 'element') {
+          // structured
+          _validateXpr([{ ref: x.ref.slice(1) }], ignoredColumns, element, isOne, model)
+        } else {
+          throw new Error('not yet validated')
+        }
+      }
+      if (x.expand) {
+        let element = target.elements[refName]
+        if (element.kind === 'element' && element.elements) {
+          // structured
+          _validateXpr([{ ref: x.ref.slice(1) }], ignoredColumns, element, isOne, model)
+          element = _structProperty(x.ref.slice(1), element)
+        }
+
+        const _ignoredColumns = Object.values(element._target.elements ?? {})
+          .filter(element => element['@cds.api.ignore'])
+          .map(element => element.name)
+        _validateXpr(x.expand, _ignoredColumns, element._target, false, model)
+
+        if (x.where) {
+          _validateXpr(x.where, _ignoredColumns, element._target, false, model)
+        }
+        if (x.orderBy) {
+          _validateXpr(x.orderBy, _ignoredColumns, element._target, false, model)
+        }
+      }
     }
 
     if (x.func) {
-      _cleanupIgnoredXpr(x.args, ignoredColumns, target, isOne)
+      _validateXpr(x.args, ignoredColumns, target, isOne, model)
       continue
     }
+
+    if (x.SELECT) {
+      const { target } = targetFromPath(x.SELECT.from, model)
+      const _ignoredColumns = Object.values(target.elements ?? {})
+        .filter(element => element['@cds.api.ignore'])
+        .map(element => element.name)
+      _validateQuery(x.SELECT, _ignoredColumns, target, x.SELECT.one, model)
+    }
   }
+  return _aliases
 }
 
-function _cleanupIgnored(SELECT, ignoredColumns, target, isOne) {
-  _cleanupIgnoredXpr(SELECT.columns, ignoredColumns, target, isOne)
-  _cleanupIgnoredXpr(SELECT.orderBy, ignoredColumns, target, isOne)
-  _cleanupIgnoredXpr(SELECT.where, ignoredColumns, target, isOne)
-  _cleanupIgnoredXpr(SELECT.groupBy, ignoredColumns, target, isOne)
-  _cleanupIgnoredXpr(SELECT.having, ignoredColumns, target, isOne)
+function _validateQuery(SELECT, ignoredColumns, target, isOne, model) {
+  const aliases = []
+  if (SELECT.from.SELECT) {
+    const { target } = targetFromPath(SELECT.from.SELECT.from, model)
+    const _ignoredColumns = Object.values(target.elements ?? {})
+      .filter(element => element['@cds.api.ignore'])
+      .map(element => element.name)
+    const subselectAliases = _validateQuery(SELECT.from.SELECT, _ignoredColumns, target, SELECT.from.SELECT.one, model)
+    aliases.push(...subselectAliases)
+  }
+
+  const columnAliases = _validateXpr(SELECT.columns, ignoredColumns, target, isOne, model)
+  aliases.push(...columnAliases)
+  _validateXpr(SELECT.orderBy, ignoredColumns, target, isOne, model, aliases)
+  _validateXpr(SELECT.where, ignoredColumns, target, isOne, model, aliases)
+  _validateXpr(SELECT.groupBy, ignoredColumns, target, isOne, model, aliases)
+  _validateXpr(SELECT.having, ignoredColumns, target, isOne, model, aliases)
+  return aliases
 }
 
 function _4service(service) {
@@ -618,7 +706,8 @@ function _4service(service) {
         namespace
       )
     // REVISIT: 404 or 400?
-    if (!root) cds.error(`Invalid resource path "${namespace}.${ref[0].id || ref[0]}"`, { code: 404 })
+    if (!root)
+      cds.error(`Invalid resource path "${namespace}.${ref[0].id || ref[0]}"`, { code: '404', statusCode: 404 })
     if (ref[0].id) ref[0].id = root.name
     else ref[0] = root.name
 
@@ -627,6 +716,18 @@ function _4service(service) {
      */
     const { one, current, target } = _processSegments(from, model, namespace, cqn, protocol)
 
+    if (cds.env.effective.odata.proxies && cds.env.effective.odata.xrefs && target) {
+      if (!target._service) {
+        // proxy navigation, add keys as columns only
+        const columns = []
+        for (const key in target.keys) {
+          if (target.keys[key].isAssociation) continue
+          columns.push({ ref: [key] })
+        }
+        cqn.SELECT.columns = columns
+      }
+    }
+
     if (cqn.SELECT.where) {
       _processWhere(cqn.SELECT.where, root)
     }
@@ -646,11 +747,13 @@ function _4service(service) {
      */
     _processColumns(cqn, current, protocol)
 
-    const ignoredColumns = Object.values(root.elements ?? {})
-      .filter(element => element['@cds.api.ignore'])
-      .map(element => element.name)
+    if (target && cds.env.features.odata_new_parser) {
+      const ignoredColumns = Object.values(target.elements ?? {})
+        .filter(element => element['@cds.api.ignore'])
+        .map(element => element.name)
 
-    _cleanupIgnored(cqn.SELECT, ignoredColumns, root, one)
+      _validateQuery(cqn.SELECT, ignoredColumns, target, one, model)
+    }
 
     return cqn
   }

package/libx/odata/parse/cqn2odata.js

@@ -254,7 +254,7 @@ function _getQueryTarget(entity, propOrEntity, model) {
 
 const _params = (args, kind, target) => {
   if (!args) {
-    throw cds.error(`Invalid call to "${target.name}". You need to navigate to Set`, { status: 400, code: 400 })
+    throw cds.error(`Invalid call to "${target.name}". You need to navigate to Set`, { code: '400', statusCode: 400 })
   }
   const params = Object.keys(args)
   if (params.length !== Object.keys(target.params).length) {

package/libx/odata/parse/grammar.peggy

@@ -485,10 +485,9 @@
   search_clause
     = p:( n:NOT? {return n?[n]:[]} )(
       OPEN xpr:search_clause CLOSE {p.push({xpr})}
-      / (
+      / ( 
           val:doubleQuotedString {p.push({val})} /
-          val:string {p.push({val})} /
-          val:word {p.push({val})}
+          !"'" val:word {p.push({val})}
         )
     )( ao:(AND/OR/AND_SPACE) more:search_clause {p.push(ao,...more)} )*
     { return p }
@@ -715,7 +714,7 @@
   function 
     = func:functionName OPEN args:functionArgs CLOSE {
       if (strict && !(func.toLowerCase() in strict.functions)) {
-        throw Object.assign(new Error(`"${func}" is an unknown function in OData URL spec (strict mode)`), { statusCode: 400 })
+        throw Object.assign(new Error(`Function '${func}' is not supported`), { statusCode: 400 })
       }
       return { func: func.toLowerCase(), args }
     }
@@ -857,7 +856,7 @@
     {return s.replace(/''/g,"'")}
 
   doubleQuotedString "a doubled quoted string"
-    = '"' s:$('\\"'/[^"])* '"'
+    = '"' s:$('\\"' / '\\\\' / [^"])* '"'
     {return s.replace(/\\\\/g,"\\").replace(/\\"/g,'"')}
 
   word "a string"