@sap/cds 7.9.2 → 8.0.3

package/libx/common/assert/index.js

@@ -1,10 +1,11 @@
 const { cds } = global
 
-const typeCheckers = require('./type')
-const { checkMandatory, checkEnum, checkRange, checkFormat } = require('./validation')
-const { getNested, getNormalizedDecimal, getTarget, resolveCDSType, resolveSegment } = require('./utils')
+const strictTypeCheckers = require('./type-strict')
+const relaxedTypeCheckers = require('./type-relaxed')
+let typeCheckers
 
-const NUMBER_TYPES = new Set(['cds.UInt8', 'cds.Int16', 'cds.Int32', 'cds.Integer', 'cds.Double'])
+const { checkMandatory, checkEnum, checkRange, checkFormat } = require('./validation')
+const { getNested, getTarget, resolveCDSType, resolveSegment } = require('./utils')
 
 const _no_op = () => {}
 
@@ -91,6 +92,10 @@ function _process(obj, def, errs, opts) {
       continue
     }
 
+    if (ele['@cds.api.ignore']) {
+      opts._handle_unknown(obj, k, def, errs)
+      continue
+    }
     if (ele.isAssociation) {
       const keys = ele.keys?.map(k => k.ref[0]) || Object.keys(ele._target.keys)
       opts.path.push(ele.is2many || Object.keys(keys).length ? { assoc: k, keys } : k)
@@ -114,7 +119,13 @@ function _process(obj, def, errs, opts) {
       opts.path.pop()
       continue
     }
-    if (ele instanceof cds.builtin.classes.array) {
+    if (ele instanceof cds.builtin.classes.array && v !== undefined) {
+      if (!Array.isArray(v)) {
+        // REVISIT: allow null if served via REST or OData v4.02
+        const target = getTarget(opts.path, k)
+        errs.push(new cds.error('ASSERT_ARRAY', { target, statusCode: 400, code: '400' }))
+        continue
+      }
       for (let i = 0; i < v.length; i++) {
         opts.path.push({ prop: k, index: i })
         const _def = ele.items?.__proto__.elements ? ele.items.__proto__ : ele.__proto__
@@ -138,26 +149,14 @@ function _process(obj, def, errs, opts) {
     if (typeChecker) {
       if (v == null) continue
 
-      // if used in protocol adapter, adjust val/ checker if necessary
-      if (opts.http) {
-        if (typeof v !== 'boolean') {
-          if (type === 'cds.Decimal') v = getNormalizedDecimal(v)
-          else if (type === 'cds.Int64') v = String(v)
-          else if (NUMBER_TYPES.has(type)) v = Number(v)
-        }
-      }
-
-      // use relaxed uuid check if not in strict mode
-      if (type === 'cds.UUID' && !opts.strict) typeChecker = typeCheckers['relaxed.UUID']
-
       // type check
       // REVISIT: all checkers should add errors themselves!
-      if (type === 'cds.Decimal')
+      if (type === 'cds.Decimal' && opts.strict) {
         typeChecker(v, ele, errs, opts.path, k) //> _checkDecimal adds error itself
-      else if (!typeChecker(v, ele) || (opts.strict && typeChecker.name === '_checkBuffer' && typeof v === 'string')) {
+      } else if (!typeChecker(v, ele)) {
         errs.push(
           new cds.error('ASSERT_DATA_TYPE', {
-            args: [typeof obj[k] === 'string' ? `"${obj[k]}"` : obj[k], ele._type],
+            args: [typeof v === 'string' ? `"${v}"` : v, ele._type],
             target: getTarget(opts.path, k),
             statusCode: 400,
             code: '400'
@@ -169,7 +168,7 @@ function _process(obj, def, errs, opts) {
       if (obj[k] !== v) obj[k] = v
 
       // @assert
-      if (ele['@assert.enum'] || (ele['@assert.range'] && ele.enum)) checkEnum(v, ele, errs, opts.path, k)
+      if (ele['@assert.range'] && ele.enum) checkEnum(v, ele, errs, opts.path, k)
       if (ele['@assert.range']) checkRange(v, ele, errs, opts.path, k)
       if (ele['@assert.format']) checkFormat(v, ele, errs, opts.path, k)
       // REVISIT: @assert.target? -> no because async, but maybe return the necessary query to execute?
@@ -212,6 +211,8 @@ module.exports = (data, definition, options = {}) => {
   options.path ??= []
 
   // materialize what is done ...
+  // ... re type checks
+  typeCheckers = options.strict ? strictTypeCheckers : relaxedTypeCheckers
   // ... in case of unknown elements
   if (options.strict) options._handle_unknown = _reject_unknown
   else if (options.filter) options._handle_unknown = _filter_unknown

package/libx/common/assert/type-relaxed.js

@@ -0,0 +1,39 @@
+const { Readable } = require('stream')
+
+const _isString = v => typeof v === 'string'
+
+const _isBoolean = v => typeof v === 'boolean'
+
+const _isNumber = v => typeof v === 'number'
+
+const _isNumberish = v => !!Number(v) || v === 0 //> string representation of number is ok, e.g., '1e3'
+
+const _isDate = v => !!Date.parse(v)
+
+const _isTime = v => !!Date.parse('2000-01-01T' + v)
+
+const _isBuffer = v => Buffer.isBuffer(v) || v.type === 'Buffer' || _isString(v) //> base64 encoded string is ok as well
+
+const _isStreamOrBuffer = v => v instanceof Readable || _isBuffer(v)
+
+module.exports = {
+  'cds.UUID': _isString,
+  'cds.Boolean': _isBoolean,
+  'cds.Integer': _isNumber,
+  'cds.UInt8': _isNumber,
+  'cds.Int16': _isNumber,
+  'cds.Int32': _isNumber,
+  'cds.Integer64': _isNumberish,
+  'cds.Int64': _isNumberish,
+  'cds.Decimal': _isNumberish,
+  'cds.DecimalFloat': _isNumber,
+  'cds.Double': _isNumber,
+  'cds.Date': _isDate,
+  'cds.Time': _isTime,
+  'cds.DateTime': _isDate,
+  'cds.Timestamp': _isDate,
+  'cds.String': _isString,
+  'cds.Binary': _isBuffer,
+  'cds.LargeString': _isString,
+  'cds.LargeBinary': _isStreamOrBuffer
+}

package/libx/common/assert/utils.js

@@ -102,8 +102,9 @@ function resolveSegment(prev, obj, def) {
           keys.push(`${k}=false`) //> always false if not in obj as it must be a draft activate
         else keys.push(`${k}=null`)
       } else {
-        const type = resolveCDSType(def.elements[k])
-        if (type === 'cds.String') val = `'${val}'`
+        const cdsType = resolveCDSType(def.elements[k])
+        const odataType = def.elements[k]['@odata.Type']
+        if (!odataType && cdsType === 'cds.String' || odataType === 'Edm.String') val = `'${val}'`
         // TODO: more proper val encoding based on type
         keys.push(`${k}=${val}`)
       }

package/libx/common/assert/validation.js

@@ -6,7 +6,7 @@ const {
   'cds.DateTime': checkISODateTime,
   'cds.Timestamp': checkISOTimestamp,
   'cds.String': checkString
-} = require('./type')
+} = require('./type-strict')
 const { getTarget, resolveCDSType } = require('./utils')
 
 const _isNavigationColumn = (col, as) => col.ref?.length > 1 && (col.as === as || col.ref[col.ref.length - 1] === as)
@@ -14,7 +14,7 @@ const _isNavigationColumn = (col, as) => col.ref?.length > 1 && (col.as === as |
 // REVISIT: mandatory is actually not the same as not null or empty string
 const _isNotFilled = val => val === null || val === undefined || (typeof val === 'string' && val.trim() === '')
 
-const _getEnumElement = ele => ((ele['@assert.range'] && ele.enum) || ele['@assert.enum'] ? ele.enum : undefined)
+const _getEnumElement = ele => ((ele['@assert.range'] && ele.enum) ? ele.enum : undefined)
 
 const _enumValues = ele => {
   return Object.keys(ele).map(enumKey => {
@@ -73,12 +73,7 @@ const checkMandatory = (v, ele, errs, path, k) => {
 const checkEnum = (v, ele, errs, path, k) => {
   const enumElements = _getEnumElement(ele)
   const enumValues = enumElements && _enumValues(enumElements)
-  const includes = (enumValues, v) => {
-    if (ele._type in { 'cds.Decimal': 1, 'cds.Int64': 1 }) {
-      return enumValues.map(ev => String(ev)).includes(String(v))
-    } else return enumValues.includes(v)
-  }
-  if (enumElements && !includes(enumValues, v)) {
+  if (enumElements && !enumValues.some(ev => ev == v)) { //> use == for automatic type coercion
     const args =
       typeof v === 'string'
         ? ['"' + v + '"', enumValues.map(ele => '"' + ele + '"').join(', ')]

package/libx/common/utils/index.js

@@ -0,0 +1,5 @@
+const { getKeysAndParamsFromPath } = require('./path')
+
+module.exports = {
+  getKeysAndParamsFromPath
+}

package/libx/common/utils/path.js

@@ -0,0 +1,51 @@
+const cds = require('../../_runtime/cds')
+const { where2obj } = require('../../_runtime/common/utils/cqn')
+const { getKeysForNavigationFromRefPath } = require('../../_runtime/common/utils/keys')
+
+// REVISIT: do we already have something like this _without using okra api_?
+// REVISIT: should we still support process.env.CDS_FEATURES_PARAMS? probably nobody uses it...
+const getKeysAndParamsFromPath = (from, srv) => {
+  if (!from.ref || !from.ref.length) return {}
+
+  const keys = {}
+  const params = []
+
+  const model = cds.context.model ?? srv.model
+
+  let cur = model.definitions
+  let lastElement
+
+  for (let i = 0; i < from.ref.length; i++) {
+    const ref = from.ref[i]
+    const id = ref.id || ref
+    lastElement = cur[id]
+    const target = cur[id]._target ?? lastElement
+    cur = target.elements
+
+    if (i === from.ref.length - 1) {
+      // last element
+      if (ref.where) {
+        const seg_keys = where2obj(ref.where)
+        Object.assign(keys, seg_keys)
+        params[i] = seg_keys.ID && Object.keys(seg_keys).length === 1 ? seg_keys.ID : seg_keys
+      }
+      if (lastElement.isAssociation && from.ref.length > 1) {
+        // add keys for navigation from path
+        const rootRef = from.ref[0]
+        const rootTarget = model.definitions[rootRef.id || rootRef]
+        const seg_keys = getKeysForNavigationFromRefPath(from.ref, rootTarget)
+        // only take if a known property
+        for (const k in seg_keys) if (k in cur) keys[k] = seg_keys[k]
+      }
+    } else if (ref.where) {
+      const seg_keys = where2obj(ref.where)
+      params[i] = seg_keys.ID && Object.keys(seg_keys).length === 1 ? seg_keys.ID : seg_keys
+    }
+  }
+
+  return { keys, params }
+}
+
+module.exports = {
+  getKeysAndParamsFromPath
+}

package/libx/odata/ODataAdapter.js

@@ -0,0 +1,126 @@
+const HttpAdapter = require('../../lib/srv/protocols/http')
+const cds = require('../../lib')
+const LOG = cds.log('odata')
+
+const operation4 = require('./middleware/operation')
+const create4 = require('./middleware/create')
+const stream4 = require('./middleware/stream')
+const read4 = require('./middleware/read')
+const update4 = require('./middleware/update')
+const delete4 = require('./middleware/delete')
+const error4 = require('./middleware/error')
+const bodyParser4 = require('./middleware/body-parser')
+
+// REVISIT: copied from lib/req/request.js
+const Http2Crud = { POST: 'CREATE', GET: 'READ', PUT: 'UPDATE', PATCH: 'UPDATE', DELETE: 'DELETE' }
+
+const { isStream } = require('./utils')
+
+class ODataAdapter extends HttpAdapter {
+  log(req) {
+    // REVISIT: this impl recreates the behavior of the old adapter, but is not very clean
+
+    // req.__proto__.method is set in case of upsert
+    if (req.__proto__.method in { PUT: 1, PATCH: 1 }) return // REVISIT: voodoo magic
+
+    if (req._subrequest)
+      //> req._subrequest is set for batch subrequests
+      LOG._info && LOG.info('>', Http2Crud[req.method], req.path, Object.keys(req.query).length ? { ...req.query } : '')
+    else super.log(req)
+  }
+
+  // early_access_check4(srv) { // REVISIT: let's remove that!
+  //   const super_early_access_check = super.early_access_check4(srv)
+  //   // REVISIT: We should remove the protectMetadata option in cds8, and always just do the right thing -> DOUBLE CHECK: Bad fiori behavior on 403ers
+  //   return function early_access_check(req, res, next) {
+  //     if (cds.env.odata.protectMetadata === false && (req.path === '/' || req.path === '/$metadata')) { // REVISIT: do that statically!
+  //       // > nothing to do
+  //       return next()
+  //     }
+
+  //     // REVISIT: Why exactly was that required?
+  //     // > It was wrong, as it requested a login for any service operation, even though only one action was restricted (submitOrder)
+  //     // we need to challenge in case of $batch requests if the service has restrictions
+  //     // const user = cds.context.user
+  //     // if (user._is_anonymous && req.path === '/$batch' && containsAnyRestrictions(srv)) {
+  //     //   if (!req._login) throw cds.error({ code: '401', statusCode: 401 })
+  //     //   return req._login()
+  //     // }
+
+  //     return super_early_access_check(req, res, next)
+  //   }
+  // }
+
+  get router() {
+    const jsonBodyParser = bodyParser4(this)
+    return (
+      super.router
+        .use(function odata_version(req, res, next) {
+          res.set('OData-Version', '4.0')
+          next()
+        })
+        // REVISIT: add middleware for negative cases?
+        // service root
+        .use(/^\/$/, require('./middleware/service-document')(this))
+        .use('/\\$metadata', require('./middleware/metadata')(this))
+        // parse
+        .use(require('./middleware/parse')(this))
+        .use(function odata_streams(req, res, next) {
+          if (req.method === 'PUT' && isStream(req._query)) {
+            req.body = { value: req }
+            return next()
+          }
+          if (req.method === 'POST' && req.headers['content-type']?.match(/multipart\/mixed/)) {
+            return next()
+          }
+          if (req.method in { POST: 1, PUT: 1, PATCH: 1 } && req.headers['content-type']) {
+            const parts = req.headers['content-type'].split(';')
+            // header ending with semicolon is not allowed
+            if (!parts[0].match(/^application\/json$/) || parts[1] === '') {
+              throw cds.error('415', { statusCode: 415, code: '415' }) // FIXME: use res.status
+            }
+          }
+          // POST with empty body is allowed by actions
+          if (req.method in { PUT: 1, PATCH: 1 }) {
+            if (req.headers['content-length'] === '0') {
+              res.status(400).json({ error: { message: 'Expected non-empty body', statusCode: 400, code: '400' } })
+              return
+            }
+          }
+
+          return jsonBodyParser(req, res, next)
+        })
+        // batch
+        .post('/\\$batch', require('./middleware/batch')(this))
+        // handle
+        // REVISIT: with old adapter, we return 405 for HEAD requests -> check OData spec
+        .head('*', (_, res) => res.sendStatus(405))
+        .post('*', operation4(this), create4(this))
+        .get('*', operation4(this), stream4(this), read4(this))
+        .put('*', update4(this), create4(this, 'upsert'))
+        .patch('*', update4(this), create4(this, 'upsert'))
+        .delete('*', delete4(this))
+        // error
+        .use(error4(this))
+    )
+  }
+
+  request4(args) {
+    return new NoaRequest(args)
+  }
+}
+
+// REVISIT: ugly hack -> eliminate
+class NoaRequest extends cds.Request {
+  // REVISIT: all usages of .protocol are very bad style, violating modularization
+  get protocol() {
+    return 'odata'
+  }
+  // AFC uses unofficial req._queryOptions -> which is bad! -> should eliminate
+  get _queryOptions() {
+    cds.utils.deprecated({ kind: '', old: 'req._queryOptions', new: 'req._.req.query' })
+    return this.req?.query
+  }
+}
+
+module.exports = Object.assign(ODataAdapter, { NoaRequest })

package/libx/odata/index.js

@@ -78,7 +78,12 @@ const _2query = cqn => {
 }
 
 const enhanceCqn = (cqn, options) => {
-  if (options.afterburner) cqn = options.afterburner(cqn)
+  if (options.afterburner) {
+    const { service, protocol } = options
+    let { model, definition: { name: namespace } } = service // prettier-ignore
+    if (service.isExtensible) model = cds.context?.model || model
+    cqn = options.afterburner(cqn, model, namespace, protocol)
+  }
 
   const query = _2query(cqn)
 
@@ -101,8 +106,16 @@ module.exports = {
 
     url = decodeURIComponent(url)
 
+    // REVISIT: compat for bad url in mtxs tests (cf. #957)
+    if (url.match(/\?\?/)) {
+      const split = url.split('?')
+      url = split.shift() + '?'
+      while (split[0] === '') split.shift()
+      url += split.join('?')
+    }
+
     options = options === 'strict' ? { strict } : options.strict ? { ...options, strict } : options
-    if (options.service) Object.assign(options, { minimal: true, afterburner: afterburner.for(options.service) })
+    if (options.service?.model) Object.assign(options, { minimal: true, afterburner })
     options.safeNumber = safeNumber
     options.skipToken = require('./utils').skipToken