@sap/cds 7.8.2 → 7.9.0

package/libx/_runtime/fiori/utils/handler.js

@@ -1,7 +1,7 @@
 const cds = require('../../cds')
 const { Object_keys } = cds.utils
 const { UPDATE, SELECT } = cds.ql
-const { getColumns } = require('../../cds-services/services/utils/columns')
+const { getColumns } = require('../../common/utils/columns')
 const { ensureNoDraftsSuffix, ensureDraftsSuffix, ensureUnlocalized } = require('../../common/utils/draft')
 const getTemplate = require('../../common/utils/template')
 

package/libx/_runtime/hana/execute.js

@@ -404,10 +404,14 @@ async function executeSelectStreamCQN({ model, query, dbc, user, locale, txTimes
   if (result.length === 0) return
 
   if (cds.env.features.stream_compat) {
-    const val = Object.values(result[0])[0]
+    const res = _convertNames(result[0], query.SELECT?.columns)
+    let [key, val] = Object.entries(res)[0]
     if (val === null) return null
 
-    return { value: val }
+    res.value = val
+    delete res[key]
+
+    return res
   } else {
     return dbc.name === 'hdb' ? result[0] : _convertNames(result[0], query.SELECT?.columns)
   }

package/libx/_runtime/hana/search2cqn4sql.js

@@ -1,5 +1,5 @@
 const cds = require('../cds')
-const { computeColumnsToBeSearched } = require('../cds-services/services/utils/columns')
+const { computeColumnsToBeSearched } = require('../common/utils/columns')
 const searchToLike = require('../common/utils/searchToLike')
 const { isContainsPredicateSupported, search2Contains } = require('./search2Contains')
 const { addAliasToExpression } = require('../db/utils/generateAliases')

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -11,7 +11,6 @@ const _isAll = a => a && a.includes('all')
 class EndpointRegistry {
   constructor(basePath, LOG) {
     const deployPath = basePath + '/deploy'
-    const paths = [basePath, deployPath]
     this.webhookCallbacks = new Map()
     this.deployCallbacks = new Map()
     if (isSecured()) {
@@ -60,7 +59,7 @@ class EndpointRegistry {
     cds.app.options(basePath, (req, res) => {
       try {
         if (isSecured() && !req.user.is('emcallback')) return res.sendStatus(403)
-        res.set('WebHook-Allowed-Origin', req.headers['webhook-request-origin'])
+        res.set('webhook-allowed-origin', req.headers['webhook-request-origin'])
         res.sendStatus(200)
       } catch (error) {
         res.sendStatus(500)

package/libx/_runtime/messaging/event-broker.js

@@ -0,0 +1,212 @@
+const cds = require('../cds')
+
+// eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
+const express = require('express')
+const https = require('https')
+const crypto = require('crypto')
+
+async function request(options, data) {
+  return new Promise((resolve, reject) => {
+    const req = https.request(options, res => {
+      const chunks = []
+      res.on('data', chunk => {
+        chunks.push(chunk)
+      })
+      res.on('end', () => {
+        const response = {
+          statusCode: res.statusCode,
+          headers: res.headers,
+          body: Buffer.concat(chunks).toString()
+        }
+        if (res.statusCode > 299) {
+          reject({ message: response.body })
+        } else {
+          resolve(response)
+        }
+      })
+    })
+    req.on('error', error => {
+      reject(error)
+    })
+    if (data) {
+      req.write(JSON.stringify(data))
+    }
+    req.end()
+  })
+}
+
+function _validateCertificate(req, res, next) {
+  this.LOG.debug('event broker trying to authenticate via mTLS')
+
+  if (req.headers['x-ssl-client-verify'] !== '0') {
+    this.LOG.info('cf did not validate client certificate.')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+
+  if (!req.headers['x-forwarded-client-cert']) {
+    this.LOG.info('no certificate in xfcc header.')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+
+  const bindingCert = new crypto.X509Certificate(this.options.credentials.certificate).toLegacyObject()
+  const clientCert = new crypto.X509Certificate(
+    `-----BEGIN CERTIFICATE-----\n${req.headers['x-forwarded-client-cert']}\n-----END CERTIFICATE-----`
+  ).toLegacyObject()
+
+  const cfSubject = Buffer.from(req.headers['x-ssl-client-subject-cn'], 'base64').toString()
+  if (bindingCert.subject.CN !== clientCert.subject.CN || bindingCert.subject.CN !== cfSubject) {
+    this.LOG.info('certificate subject does not match')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+  this.LOG.debug('incoming Subject CN is valid.')
+
+  if (bindingCert.issuer.CN !== clientCert.issuer.CN) {
+    this.LOG.info('Certificate issuer subject does not match')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+  this.LOG.debug('incoming issuer subject CN is valid.')
+
+  if (bindingCert.issuer.O !== clientCert.issuer.O) {
+    this.LOG.info('Certificate issuer org does not match')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+  this.LOG.debug('incoming Issuer Org is valid.')
+
+  if (bindingCert.issuer.OU !== clientCert.issuer.OU) {
+    this.LOG.info('certificate issuer OU does not match')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+  this.LOG.debug('certificate issuer OU is valid.')
+
+  const valid_from = new Date(clientCert.valid_from)
+  const valid_to = new Date(clientCert.valid_to)
+  const now = new Date(Date.now())
+  if (valid_from <= now && valid_to >= now) {
+    this.LOG.debug('certificate validation completed')
+    next()
+  } else {
+    this.LOG.error('Certificate expired')
+    return res.status(401).json({ message: 'Authentication Failed' })
+  }
+}
+
+// TODO: seems unused
+function _checkAppDomains() {
+  const pattern = /.*\.cert\.cfapps\..*\.hana\.ondemand\.com/
+  const uris = JSON.parse(process.env.VCAP_APPLICATION).application_uris
+  const matchFound = uris.some(uri => pattern.test(uri))
+  if (matchFound)
+    this.LOG.warn(
+      `*.cert.cfapps.*.hana.ondemand.com domain is in use, this is not recommended in production! Please use 'mesh.cf.<region>.hana.ondemand.com' instead!`
+    )
+}
+
+let instantiated = false
+
+class EventBroker extends cds.MessagingService {
+  async init() {
+    // TODO: Only needed if there are subscriptions
+    if (instantiated)
+      throw new Error('Event Broker service must be a singleton service, you cannot have more than one instance.')
+    instantiated = true
+    await super.init()
+    cds.once('listening', () => {
+      this.startListening()
+    })
+    this.agent = this.getAgent()
+  }
+
+  getAgent() {
+    try {
+      if (this.options.x509.certPath && this.options.x509.pkeyPath) {
+        return new https.Agent({
+          cert: cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
+          key: cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
+        })
+      }
+    } catch (error) {
+      if (this.LOG) this.LOG.error('GetCredentials', { error: error.message })
+      throw error
+    }
+  }
+
+  async handle(msg) {
+    if (msg.inbound) return super.handle(msg)
+    const _msg = this.message4(msg)
+    await this.emitToEventBroker(_msg)
+  }
+
+  async startListening() {
+    if (!this._listenToAll.value && !this.subscribedTopics.size) return
+    await this.registerWebhookEndpoints()
+  }
+
+  async emitToEventBroker(msg) {
+    // TODO: CSN definition probably not needed, just in case...
+    //   See if there's a CSN entry for that event
+    //   const found = cds?.model.definitions[topicOrEvent]
+    //   if (found) return found  // case for fully-qualified event name
+    //   for (const def in cds.model?.definitions) {
+    //     const definition = cds.model.definitions[def]
+    //     if (definition['@topic'] === topicOrEvent) return definition
+    //   }
+
+    // TODO: What if we're in single tenant variant?
+    try {
+      const ceSource = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
+      const hostname = this.options.credentials.eventing.http.x509.url.replace(/^https?:\/\//, '')
+      // TODO Cloud Events Handler CAP
+      const options = {
+        hostname: hostname,
+        method: 'POST',
+        headers: {
+          'ce-id': cds.utils.uuid(),
+          'ce-source': ceSource,
+          'ce-type': msg.event,
+          'ce-specversion': '1.0',
+          'Content-Type': 'application/json'
+        },
+        agent: this.agent
+      }
+      this.LOG.debug('HTTP headers:', JSON.stringify(options.headers))
+      this.LOG.debug('HTTP body:', JSON.stringify(msg.data))
+      await request(options, msg.data) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
+      if (this.LOG._info) this.LOG.info('Emit', { topic: msg.event })
+    } catch (e) {
+      this.LOG.error('Emit failed:', e.message)
+    }
+  }
+
+  async registerWebhookEndpoints() {
+    const webhookBasePath = this.options.webhookPath || '/-/cds/event-broker/webhook'
+    cds.app.post(webhookBasePath, _validateCertificate.bind(this))
+    cds.app.post(webhookBasePath, express.json())
+    cds.app.post(webhookBasePath, this.onEventReceived.bind(this))
+  }
+
+  async onEventReceived(req, res) {
+    try {
+      const event = req.headers['ce-type'] // TG27: type contains namespace, so there's no collision
+      const tenant = req.headers['ce-sapconsumertenant']
+      const msg = {
+        inbound: true,
+        event,
+        tenant,
+        data: req.body ? req.body : undefined,
+        headers: req.headers
+      }
+      cds.context = { user: cds.User.privileged }
+      if (tenant) cds.context.tenant = tenant // TODO: In single tenant case, we don't need a tenant
+      const tx = await this.tx()
+      await tx.emit(msg)
+      this.LOG.debug('Event processed successfully.')
+      return res.status(200).json({ message: 'OK' })
+    } catch (e) {
+      this.LOG.error('ERROR during inbound event processing:', e) // TODO: How does Event Broker do error handling?
+      res.status(500).json({ message: 'Internal Server Error!' })
+      throw e
+    }
+  }
+}
+
+module.exports = EventBroker

package/libx/_runtime/remote/Service.js

@@ -3,8 +3,8 @@ const cds = require('../cds')
 const { run, getReqOptions } = require('./utils/client')
 const { getCloudSdk, getCloudSdkConnectivity, getCloudSdkResilience } = require('./utils/cloudSdkProvider')
 const { hasAliasedColumns } = require('./utils/data')
-const { resolveView, getTransition, restoreLink, findQueryTarget } = require('../common/utils/resolveView')
-const { postProcess } = require('../common/utils/postProcessing')
+const { resolveView, getTransition, findQueryTarget } = require('../common/utils/resolveView')
+const postProcess = require('../common/utils/postProcess')
 const { formatVal } = require('../../odata/utils')
 
 const _isSimpleCqnQuery = q => typeof q === 'object' && q !== null && !Array.isArray(q) && Object.keys(q).length > 0
@@ -268,51 +268,28 @@ class RemoteService extends cds.Service {
     })
   }
 
-  // FIXME: This is a dirty hack for this situation:
-  // - This PR has cds.Service.model setter to always consistently apply cds.compile.for.odata, also for RemoteServices, which wasn't the case before
-  // - because of that tests/_runtime/remote/__tests__/integration/odata.test.js fails, which relies on the former behavior of RemoteServices
-  // NOTE: that test would never have worked for RemoteServices bootstrapped from single cds.model, which is always cds.compiled.for.odata
-  // REVISIT: should become obsolete with Universal CSN
-  // set model(m) {
-  //   const fn = cds.compile.for.odata
-  //   try {
-  //     cds.compile.for.odata = m => m
-  //     super.model = m
-  //   } finally {
-  //     cds.compile.for.odata = fn
-  //   }
-  // }
-
   // Overload .handle in order to resolve projections up to a definition that is known by the remote service instance.
   // Result is post processed according to the inverse projection in order to reflect the correct result of the original query.
   async handle(req) {
-    // compat mode
-    if (req._resolved || cds.env.features.resolve_views === false) return super.handle(req)
-
-    if (req.target && req.target.name && this.definition && req.target.name.startsWith(this.definition.name + '.')) {
-      const result = await super.handle(req)
+    if (req._resolved) return super.handle(req)
 
+    if (req.target?.name?.startsWith(this.definition?.name + '.')) {
+      let result = await super.handle(req)
       // only post process if alias was explicitly set in query
-      if (_selectOnlyWithAlias(req.query)) {
-        return postProcess(req.query, result, this, true)
-      }
-
+      if (_selectOnlyWithAlias(req.query)) result = postProcess(req.query, result, this, true)
       return result
     }
 
     // req.query can be:
     // - empty object in case of unbound action/function
     // - undefined/null in case of plain string queries
-    if (_isSimpleCqnQuery(req.query) && this.model) {
+    if (this.model && _isSimpleCqnQuery(req.query)) {
       const q = resolveView(req.query, this.model, this)
       const t = findQueryTarget(q) || req.target
 
-      // compat
-      restoreLink(req)
-
       // REVISIT: We need to provide target explicitly because it's cached already within ensure_target
-      const newReq = new cds.Request({ query: q, target: t, headers: req.headers, _resolved: true, method: req.method })
-      const result = await super.dispatch(newReq)
+      const _req = new cds.Request({ query: q, target: t, _resolved: true, headers: req.headers, method: req.method })
+      const result = await super.dispatch(_req)
       return postProcess(q, result, this, true)
     }
 

package/libx/_runtime/remote/utils/client.js

@@ -166,27 +166,17 @@ const TYPES_TO_REMOVE = { function: 1, object: 1 }
 const PROPS_TO_IGNORE = { cause: 1, name: 1 }
 
 const _getSanitizedError = (e, reqOptions, options = { suppressRemoteResponseBody: false, batchRequest: false }) => {
-  e.request = {
+  const request = {
     method: reqOptions.method,
     url: e.config ? e.config.baseURL + e.config.url : reqOptions.url,
     headers: e.config ? e.config.headers : reqOptions.headers
   }
-
-  if (options.batchRequest) {
-    e.request.body = reqOptions.data
-  }
+  if (options.batchRequest) request.body = reqOptions.data
+  e.request = request
 
   if (e.response) {
-    const response = {
-      status: e.response.status,
-      statusText: e.response.statusText,
-      headers: e.response.headers
-    }
-
-    if (e.response.data && !options.suppressRemoteResponseBody) {
-      response.body = e.response.data
-    }
-
+    const response = { status: e.response.status, statusText: e.response.statusText, headers: e.response.headers }
+    if (e.response.data && !options.suppressRemoteResponseBody) response.body = e.response.data
     e.response = response
   }
 
@@ -214,6 +204,11 @@ const _getSanitizedError = (e, reqOptions, options = { suppressRemoteResponseBod
     e = _e
   }
 
+  // AxiosError's toJSON() method doesn't include the request and response objects
+  e.toJSON = function () {
+    return { ...this.__proto__.toJSON(), request: this.request, response: this.response }
+  }
+
   return e
 }
 
@@ -232,7 +227,7 @@ const run = async (requestConfig, options) => {
   } catch (e) {
     // > axios received status >= 400 -> gateway error
     const msg = e?.response?.data?.error?.message?.value ?? e?.response?.data?.error?.message ?? e.message
-    e.message = msg ? 'Error during request to remote service: \n' + msg : 'Request to remote service failed.'
+    e.message = msg ? 'Error during request to remote service: ' + msg : 'Request to remote service failed.'
     const sanitizedError = _getSanitizedError(e, requestConfig, { suppressRemoteResponseBody })
     const err = Object.assign(new Error(e.message), { statusCode: 502, reason: sanitizedError })
     LOG._warn && LOG.warn(err)
@@ -251,11 +246,8 @@ const run = async (requestConfig, options) => {
     const e = new Error("Received content-type 'text/html' which is not part of accepted content types")
     e.response = response
     const sanitizedError = _getSanitizedError(e, requestConfig, { suppressRemoteResponseBody })
-    const err = Object.assign(new Error(`Error during request to remote service: ${e.message}`), {
-      statusCode: 502,
-      reason: sanitizedError
-    })
-
+    const message = 'Error during request to remote service: ' + e.message
+    const err = Object.assign(new Error(message), { statusCode: 502, reason: sanitizedError })
     LOG._warn && LOG.warn(err)
     throw err
   }

package/libx/_runtime/sqlite/convertAssocToOneManaged.js

@@ -28,8 +28,14 @@ const _convert = (refEntries, req) => {
       // only check refs in format {ref: ['assoc', 'id']}
       continue
     }
+    let element
+    if (req.target.elements[refEntry.ref[0]]) {
+      element = req.target.elements[refEntry.ref[0]]
+    } else if (req.target.elements[refEntry.ref[1]]?.isAssociation) {
+      // fallback: if first ref is not an element and second is an association, we assume first is an alias
+      element = req.target.elements[refEntry.ref[1]]
+    }
 
-    const element = req.target.elements[refEntry.ref[0]]
     if (!element || !element.is2one) return
 
     _convertRefForAssocToOneManaged(element, refEntry)

package/libx/_runtime/sqlite/execute.js

@@ -302,7 +302,7 @@ function executeGenericCQN(model, dbc, cqn, user, locale, txTimestamp) {
 
 // REVISIT: consider deleting this function after removing stream_compat
 async function executeSelectStreamCQN({ model, dbc, query, user, locale, txTimestamp }) {
-  const result = await executeSelectCQN(model, dbc, query, user, locale, txTimestamp)
+  let result = await executeSelectCQN(model, dbc, query, user, locale, txTimestamp)
 
   if (result == null || result.length === 0) {
     return
@@ -313,7 +313,9 @@ async function executeSelectStreamCQN({ model, dbc, query, user, locale, txTimes
     return result
   }
 
-  let val = Array.isArray(result) ? Object.values(result[0])[0] : Object.values(result)[0]
+  // REVISIT: following code to be deleted after cds.env.features.stream_compat is removed
+  if (Array.isArray(result)) result = result[0]
+  let [key, val] = Object.entries(result)[0]
   if (val === null) {
     return null
   }
@@ -325,7 +327,10 @@ async function executeSelectStreamCQN({ model, dbc, query, user, locale, txTimes
   stream_.push(val)
   stream_.push(null)
 
-  return { value: stream_ }
+  result.value = stream_
+  delete result[key]
+
+  return result
 }
 
 module.exports = {