@sap/cds 7.8.2 → 7.9.0

package/libx/odata/middleware/update.js

@@ -1,13 +1,12 @@
 const cds = require('../../../')
-const { INSERT, UPDATE } = cds.ql
+const { UPDATE } = cds.ql
 
 const { toODataResult, postProcess } = require('../utils/result')
-const { getKeysAndParamsFromPath, handleSapMessages } = require('../utils')
+const { getKeysAndParamsFromPath, handleSapMessages, getPreferReturnHeader } = require('../utils')
 const { deepCopy } = require('../../_runtime/common/utils/copy')
 
-// REVISIT: move to or rewrite in libx/odata
-const { readAfterWrite } = require('../../_runtime/cds-services/adapter/odata-v4/utils/readAfterWrite')
-const metaInfo = require('../../_runtime/cds-services/adapter/odata-v4/utils/metaInfo')
+const readAfterWrite = require('../utils/readAfterWrite')
+const metaInfo = require('../utils/metaInfo')
 
 const _isUpsertAllowed = ({ target, data, event }) => {
   return (
@@ -42,7 +41,7 @@ const _isNavigationWithKeyInParent = (keys, data, pathExpression, model) => {
   return parent && navElement && where
 }
 
-module.exports = srv =>
+module.exports = (srv, router) =>
   function update(req, res, next) {
     // REVISIT: better solution for _propertyAccess
     const {
@@ -53,16 +52,11 @@ module.exports = srv =>
 
     // REVISIT: patch on collection is allowed in odata 4.01
     if (!one) {
-      // REVISIT: don't use "ENTITY.COLLECTION" as that's an okra term
-      throw Object.assign(new Error(`Method ${req.method} not allowed for ENTITY.COLLECTION`), {
-        statusCode: 405
-      })
+      throw Object.assign(new Error(`Method ${req.method} is not allowed for entity collections`), { statusCode: 405 })
     }
 
     if (_propertyAccess && req.method === 'PATCH') {
-      throw Object.assign(new Error(`Method ${req.method} not allowed for PRIMITIVE.PROPERTY`), {
-        statusCode: 405
-      })
+      throw Object.assign(new Error(`Method ${req.method} is not allowed for properties`), { statusCode: 405 })
     }
 
     // payload & params
@@ -87,11 +81,16 @@ module.exports = srv =>
     // query
     let query = UPDATE.entity(from).with(data)
 
+    // cdsReq.headers should contain merged headers of envelope and subreq
+    const headers = { ...cds.context.http.req.headers, ...req.headers }
+
     // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
-    let cdsReq = new cds.Request({ query, params, req, res })
+    let cdsReq = new cds.Request({ query, params, headers, req, res })
     Object.defineProperty(cdsReq, 'protocol', { value: 'odata-v4' })
 
-    let crudEvent = 'UPDATE'
+    // API for subrequests of $batch (or incoming request)
+    cdsReq.req = req
+    cdsReq.res = res
 
     // REVISIT: adjust in getter?
     if (req.method === 'PUT') cdsReq.method = 'PUT'
@@ -104,98 +103,60 @@ module.exports = srv =>
     //          or the auto-managed tx opened for the respective atomicity group, if exists
     return srv
       .run(() => {
-        return srv
-          .dispatch(cdsReq)
-          .catch(async e => {
-            // if no UPSERT is allowed, continue with error
-            const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
-
-            const isForcedInsert =
-              (e.code === 412 || e.status === 412 || e.statusCode === 412) && req.headers['if-none-match'] === '*'
-
-            if (
-              _propertyAccess ||
-              !((is404 || isForcedInsert) && _isUpsertAllowed({ target, data, event: req.method }))
-            ) {
-              throw e
-            }
-
-            // PUT / PATCH with if-match header means "only if already exists" -> no insert if it does not
-            if (req.headers['if-match']) throw Object.assign(new Error('412'), { statusCode: 412 })
-
-            // check only works with req.body and not with updateDate
-            if (_isNavigationWithKeyInParent(target.keys, req.body, from, srv.model)) {
-              // REVISIT: better error message
-              throw Object.assign(new Error('Unprocessable Content'), { statusCode: 422 })
-            }
-
-            // REVISIT:
-            //   can we somehow "replay" the request with POST?
-            //   or should we call the create handler directly?
-
-            // payload & params
-            data = deepCopy(req.body)
-            // add keys from url into payload (overwriting if already present)
-            Object.assign(data, keys)
-
-            // assert payload
-            const assertOptions = { filter: true, http: { req }, mandatories: true }
-            const errs = cds.assert(data, target, assertOptions)
-            if (errs) {
-              if (errs.length === 1) throw errs[0]
-              throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
-            }
-
-            crudEvent = 'CREATE'
-
-            // query
-            // REVISIT: up_XX needs to be looked up -> composition of aspect
-            query = INSERT.into(from).entries(data)
-
-            // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
-            cdsReq = new cds.Request({ query: query, params, req, res })
-
-            return srv.dispatch(cdsReq)
-          })
-          .then(result => {
-            // REVISIT: not great, but avoids try catch in catch callback above
-            if (result.constructor.name === 'ServerResponse') return
-            handleSapMessages(cdsReq, req, res)
-
-            // TODO: any other checks needed?
-            if (cdsReq._.readAfterWrite && !(_propertyAccess && !target._etag))
-              return readAfterWrite(cdsReq, srv, { operation: { result } })
-
-            return result
-          })
+        return srv.dispatch(cdsReq).then(result => {
+          handleSapMessages(cdsReq, req, res)
+
+          // TODO: any other checks needed?
+          if (cdsReq._.readAfterWrite && !(_propertyAccess && !target._etag)) {
+            return readAfterWrite(cdsReq, srv, SELECT.one(cdsReq.subject))
+          }
+
+          return result
+        })
       })
       .then(result => {
         // we use an extra then block, after getting the result, so the transaction is commited, before sending the response
 
+        if (result == null) return res.sendStatus(204)
+
         // REVISIT: metaInfo needs original query in case of property access, but why?
-        const info = metaInfo(_propertyAccess ? req._query : query, crudEvent, srv, result, req)
+        const info = metaInfo(_propertyAccess ? req._query : query, 'UPDATE', srv, result, req)
 
-        if (result == null) return res.sendStatus(204)
+        const isMinimal = getPreferReturnHeader(req) === 'minimal'
 
-        const isMinimal = req._preferReturn === 'minimal'
         postProcess(cdsReq.target, srv, result, isMinimal)
-        if (result['$etag']) res.set('etag', result['$etag'])
 
-        if (crudEvent === 'CREATE') {
-          // UPSERT
-          return res
-            .set('Content-Type', 'application/json;IEEE754Compatible=true')
-            .status(201)
-            .send(toODataResult(result, info))
-        }
+        if (result['$etag']) res.set('etag', result['$etag'])
 
         if (isMinimal || (query._propertyAccess && result[query._propertyAccess] == null) || info.metadata.isStream) {
           return res.sendStatus(204)
         }
 
         result = toODataResult(result, info)
+        res.set('content-type', 'application/json;IEEE754Compatible=true')
+        res.send(result)
+      })
+      .catch(e => {
+        // if UPSERT is allowed, redirect to POST
+        const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
+        const isForcedInsert =
+          (e.code === 412 || e.status === 412 || e.statusCode === 412) && req.headers['if-none-match'] === '*'
+        if (!_propertyAccess && (is404 || isForcedInsert) && _isUpsertAllowed({ target, data, event: req.method })) {
+          // PUT / PATCH with if-match header means "only if already exists" -> no insert if it does not
+          if (req.headers['if-match']) {
+            return next(Object.assign(new Error('412'), { statusCode: 412 }))
+          }
+          // (check only works with req.body and not with data)
+          if (_isNavigationWithKeyInParent(target.keys, req.body, from, srv.model)) {
+            return next(Object.assign(new Error('422'), { statusCode: 422 }))
+          }
+          // -> redirect to POST
+          return router.handle(Object.assign(Object.create(req), { method: 'POST' }), res)
+        }
+
+        handleSapMessages(cdsReq, req, res)
 
-        return res.set('Content-Type', 'application/json;IEEE754Compatible=true').send(result)
+        // continue with caught error
+        next(e)
       })
-      .catch(next)
   }

package/libx/odata/parse/afterburner.js

@@ -178,14 +178,20 @@ function _convertVal(value, element) {
     case 'cds.Integer':
     case 'cds.Int16':
     case 'cds.Int32':
-      if (!/^-?\+?\d+$/.test(value))
-        throw Object.assign(new Error(`${element.name} does not contain a valid Integer`), { statusCode: 400 })
+      if (!/^-?\+?\d+$/.test(value)) {
+        const msg = `Element "${element.name}" does not contain a valid Integer`
+        throw Object.assign(new Error(msg), { statusCode: 400 })
+      }
       // eslint-disable-next-line no-case-declarations
       const n = Number(value)
-      if (!Number.isSafeInteger(n))
-        throw Object.assign(new Error(`${element.name} does not contain a valid Integer`), { statusCode: 400 })
-      if (element._type === 'cds.UInt8' && n < 0)
-        throw Object.assign(new Error(`${element.name} does not contain a valid positive Integer`), { statusCode: 400 })
+      if (!Number.isSafeInteger(n)) {
+        const msg = `Element "${element.name}" does not contain a valid Integer`
+        throw Object.assign(new Error(msg), { statusCode: 400 })
+      }
+      if (element._type === 'cds.UInt8' && n < 0) {
+        const msg = `Element "${element.name}" does not contain a valid positive Integer`
+        throw Object.assign(new Error(msg), { statusCode: 400 })
+      }
       return n
     case 'cds.Double':
       return parseFloat(value)
@@ -260,7 +266,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
       ) {
         incompleteKeys = false
       } else {
-        const msg = `"${action.name}" must be called on a single instance of "${current.name}".`
+        const msg = `${action.kind[0].toUpperCase() + action.kind.slice(1)} "${action.name}" must be called on a single instance of ${current.name}`
         throw Object.assign(new Error(msg), { statusCode: 400 })
       }
     }
@@ -332,10 +338,8 @@ function _processSegments(from, model, namespace, cqn, protocol) {
         ref[i].where = undefined
         if (ref[i + 1] !== 'Set') {
           // /Set is missing
-          throw cds.error(`Invalid call to "${current.name}". You need to navigate to Set`, {
-            code: '400',
-            statusCode: 400
-          })
+          const msg = `Invalid call to "${current.name}". You need to navigate to Set`
+          throw cds.error(msg, { code: '400', statusCode: 400 })
         }
         ref[++i] = null
       } else if (current.kind === 'entity') {
@@ -356,18 +360,25 @@ function _processSegments(from, model, namespace, cqn, protocol) {
       } else if ({ action: 1, function: 1 }[current.kind]) {
         // > action or function
         if (current.kind === 'action' && ref && ref[ref.length - 1]?.where?.length === 0) {
-          const msg = `Round brackets (parentheses) are not allowed for action calls.`
+          const msg = `Parentheses are not allowed for action calls.`
           throw Object.assign(new Error(msg), { statusCode: 400 })
         }
 
         if (i !== ref.length - 1) {
-          const msg = `${i ? 'Unbound' : 'Bound'} ${current.kind} are only supported as the last path segment.`
+          const msg = `${i ? 'Unbound' : 'Bound'} ${current.kind}s are only supported as the last path segment`
           throw Object.assign(new Error(msg), { statusCode: 501 })
         }
         ref[i] = { operation: current.name }
         if (params) ref[i].args = params
         if (current.returns && current.returns._type) one = true
       } else if (current.isAssociation) {
+        if (!current._target._service) {
+          // not exposed target
+          cds.error(`Property '${current.name}' does not exist in type '${target.name.replace(namespace + '.', '')}'`, {
+            statusCode: 404
+          })
+        }
+
         // > navigation
         one = !!(current.is2one || ref[i].where)
         incompleteKeys = one || i === ref.length - 1 ? false : true
@@ -425,14 +436,8 @@ function _processSegments(from, model, namespace, cqn, protocol) {
 
   if (incompleteKeys) {
     // > last segment not fully qualified
-    throw Object.assign(
-      new Error(
-        `Entity "${current.name}" has ${_keysOf(current).length} keys. Only ${keyCount} ${
-          keyCount === 1 ? 'was' : 'were'
-        } provided.`
-      ),
-      { statusCode: 400 }
-    )
+    const msg = `Entity "${current.name}" has ${_keysOf(current).length} keys. Only ${keyCount} ${keyCount === 1 ? 'was' : 'were'} provided.`
+    throw Object.assign(new Error(msg), { statusCode: 400 })
   }
 
   // remove all nulled refs
@@ -441,7 +446,8 @@ function _processSegments(from, model, namespace, cqn, protocol) {
   return { one, current, target }
 }
 
-const AGGREGATION_DEFAULT = '@Aggregation.default'
+const AGGR_DFLT = '@Aggregation.default'
+const CSTM_AGGR = '@Aggregation.CustomAggregate'
 
 function _addKeys(columns, target) {
   let hasAggregatedColumn = false,
@@ -506,7 +512,7 @@ function _processColumns(cqn, target, protocol) {
 
   if (!Array.isArray(columns)) return
 
-  let aggrProp, aggrElem
+  let aggrProp, aggrElem, defaultAggregation
   for (let i = 0; i < columns.length; i++) {
     if (
       columns[i].func === null &&
@@ -518,15 +524,14 @@ function _processColumns(cqn, target, protocol) {
       // REVISIT: also support aggregate(Sales/Amount)?
       aggrProp = columns[i].args[0].ref[0]
       aggrElem = target.elements[aggrProp]
-      if (
-        aggrElem &&
-        target[`@Aggregation.CustomAggregate#${aggrProp}`] &&
-        aggrElem[AGGREGATION_DEFAULT] &&
-        aggrElem[AGGREGATION_DEFAULT]['#']
-      ) {
-        columns[i].func = aggrElem[AGGREGATION_DEFAULT]['#'].toLowerCase()
+      if (aggrElem && target[`${CSTM_AGGR}#${aggrProp}`] && aggrElem[AGGR_DFLT] && aggrElem[AGGR_DFLT]['#']) {
+        defaultAggregation = aggrElem[AGGR_DFLT]['#'].toLowerCase()
+        if (defaultAggregation === 'count_distinct') defaultAggregation = 'countdistinct'
+        columns[i].func = defaultAggregation
         columns[i].as = columns[i].as || aggrProp
-      } else throw new Error(`Default aggregation for property '${aggrProp}' not found.`)
+      } else {
+        throw new Error(`Default aggregation for property "${aggrProp}" not found`)
+      }
     }
   }
 }
@@ -555,26 +560,18 @@ const _checkAllKeysProvided = (params, entity) => {
         continue
       }
 
-      throw Object.assign(
-        new Error(
-          `${isView ? 'Parameter' : 'Key'} "${keyOfEntity}" is missing for ${isView ? 'view' : 'entity'} "${
-            entity.name
-          }"`
-        ),
-        { statusCode: 400 }
-      )
+      // prettier-ignore
+      const msg = `${isView ? 'Parameter' : 'Key'} "${keyOfEntity}" is missing for ${isView ? 'view' : 'entity'} "${entity.name}"`
+      throw Object.assign(new Error(msg), { statusCode: 400 })
     }
   }
 }
 
 const _doesNotExistError = (isExpand, refName, targetName) => {
-  if (isExpand) {
-    throw Object.assign(new Error(`Navigation property '${refName}' is not defined in '${targetName}'`), {
-      statusCode: 400
-    })
-  } else {
-    throw Object.assign(new Error(`Property '${refName}' does not exist in '${targetName}'`), { statusCode: 400 })
-  }
+  const msg = isExpand
+    ? `Navigation property "${refName}" is not defined in ${targetName}`
+    : `Property "${refName}" does not exist in ${targetName}`
+  throw Object.assign(new Error(msg), { statusCode: 400 })
 }
 
 function _validateXpr(xpr, ignoredColumns, target, isOne, model, aliases = []) {
@@ -706,8 +703,9 @@ function _4service(service) {
         namespace
       )
     // REVISIT: 404 or 400?
-    if (!root)
+    if (!root) {
       cds.error(`Invalid resource path "${namespace}.${ref[0].id || ref[0]}"`, { code: '404', statusCode: 404 })
+    }
     if (ref[0].id) ref[0].id = root.name
     else ref[0] = root.name
 

package/libx/odata/parse/grammar.peggy

@@ -714,7 +714,7 @@
   function 
     = func:functionName OPEN args:functionArgs CLOSE {
       if (strict && !(func.toLowerCase() in strict.functions)) {
-        throw Object.assign(new Error(`Function '${func}' is not supported`), { statusCode: 400 })
+        throw Object.assign(new Error(`Function "${func}" is not supported`), { statusCode: 501 })
       }
       return { func: func.toLowerCase(), args }
     }
@@ -723,7 +723,7 @@
     = args:(a:operand more:( COMMA o:operand { return o } )* { return [ a, ...more ] })* { return args.length ? args[0] : args }
 
   boolish
-    = func:("contains"i/"endswith"i/"startswith"i) OPEN a:operand COMMA b:operand CLOSE
+    = func:("contains"i/"endswith"i/"startswith"i/"matchespattern"i) OPEN a:operand COMMA b:operand CLOSE
     { return { func: func.toLowerCase(), args:[a,b] }}
 
   NOT = o "NOT"i _ {return 'not'}
@@ -871,7 +871,7 @@
       ( "Z" / (("+" / "-")[0-9][0-9]":"[0-9][0-9]) )? // timezone (Z or +-hh:mm)
     )?) {
       if (s.split('-')[0].length > 4)
-        throw Object.assign(new Error(`The type 'Edm.DateTimeOffset' is not compatible with '${s}'`), { statusCode: 400 })
+        throw Object.assign(new Error(`The type Edm.DateTimeOffset is not compatible with "${s}"`), { statusCode: 400 })
       return s
     }
 

package/libx/odata/parse/multipartToJson.js

@@ -10,6 +10,7 @@ const parseStream = async function* (body, boundary) {
 
   try {
     const boundaries = [boundary]
+    let content_id
     let yielded = 0
     const requests = []
     let idCount = 0
@@ -26,6 +27,7 @@ const parseStream = async function* (body, boundary) {
         }
         const newBoundary = req.headers['content-type']?.match(/boundary=(.*)/i)?.[1]
         if (newBoundary) boundaries.push(newBoundary)
+        content_id = req.headers['content-id']
         return
       }
 
@@ -54,6 +56,7 @@ const parseStream = async function* (body, boundary) {
       }
 
       if (boundaries.length > 1) request.atomicityGroup = boundaries.at(-1)
+      if (content_id) request.content_id = content_id
 
       requests.push(request)
     }
@@ -69,28 +72,13 @@ const parseStream = async function* (body, boundary) {
         .replace(/ \$/g, ' /$')
 
       // HACKS!!!
-      // eslint-disable-next-line no-constant-condition
-      while (true) {
-        // ensure URLs start with slashes
-        const m = changed.match(/(GET|PUT|POST|PATCH|DELETE) (\w)/)
-        if (!m) break
-        changed = changed.replace(m[0], `${m[1]} /${m[2]}`)
-        // add content-length header
-        try {
-          let x = changed.substr(m.index)
-          let y = x.indexOf(`${CRLF}HEAD`)
-          let z = changed.substr(m.index, y)
-          const lines = z.split(CRLF)
-          if (lines.some(l => l.match(/^content-length/i))) continue
-          const cl = lines.slice(-1)[0].length
-          if (cl) {
-            lines.splice(-2, 0, `content-length:${cl}`)
-            changed = changed.substr(0, m.index) + lines.join(CRLF) + x.substr(y)
-          }
-        } catch (e) {
-          console.error(e)
-        }
-      }
+      // ensure URLs start with slashes
+      changed = changed.replaceAll(/\r\n(GET|PUT|POST|PATCH|DELETE) (\w)/g, `\r\n$1 /$2`)
+      // add content-length headers
+      changed = changed.replaceAll(
+        /\r\n(.+)\r\nHEAD/g,
+        (match, p1) => `content-length: ${Buffer.byteLength(p1)}${CRLF}${match}`
+      )
       // remove strange "Group ID" appendix
       changed = changed.split(`${CRLF}Group ID`)[0] + CRLF