@sap/cds 8.0.3 → 8.1.0

package/lib/srv/protocols/http.js

@@ -17,38 +17,50 @@ class HttpAdapter {
 
   /** The actual Router factory. Subclasses override this to add specific handlers. */
   get router() {
-    let router = super.router = (new express.Router) .use (this.http_log.bind(this))
-    let assert_roles = this.requires_check()
-    if (assert_roles) router.use (assert_roles)
+    let router = super.router = (new express.Router)
+    this.use (this.http_log)
+    this.use (this.requires_check)
     return router
   }
 
-  /** Handler to log all incoming requests */
-  http_log (r,_,next) {
-    this.logger = cds.log(this.kind)
-    this.log(r)
-    next()
+  use (middleware) {
+    if (middleware) this.router.use (middleware)
+    return this
   }
 
   /** Subclasses may override this method to log incoming requests. */
-  log (req, LOG = this.logger) { LOG._info && LOG.info (
+  log (req, LOG = this.logger) { LOG.info (
     req.method,
     decodeURI (req.baseUrl + req.path),
     Object.keys (req.query).length ? { ...req.query } : ''
   )}
 
+  /** Returns a handler to log all incoming requests */
+  get http_log() {
+    const LOG = this.logger = cds.log(this.kind); if (!LOG._info) return undefined
+    const log = this.log.bind(this)
+    return function http_log (req,_,next) { log(req,LOG); next() }
+  }
+
   /** Returns a handler to check required roles, or null if no check required. */
-  requires_check() {
+  get requires_check() {
     const d = this.service.definition
     const roles = d['@requires'] || d['@restrict']?.map(r => r.to).flat().filter(r => r)
     const required = !roles?.length ? restricted_by_default : Array.isArray(roles) ? roles : [roles]
-    if (required) return function requires_check (req, res, next) {
+    return required && function requires_check (req, res, next) {
       const user = cds.context.user
       if (required.some(role => user.has(role))) return next()
       else if (user._is_anonymous) return next(401) // request login
       else throw Object.assign(new Error, { code: 403, reason: `User '${user.id}' is lacking required roles: [${required}]`, user, required })
     }
   }
+
+  get body_parser_options() {
+    let options = cds.env.server.body_parser
+    let limit = this.service.definition['@cds.server.body_parser.limit']
+    if (limit) options = { ...options, limit }
+    return super.body_parser_options = options
+  }
 }
 
 

package/lib/test/expect.js

@@ -112,7 +112,7 @@ class Core {
       if (is.string(a)) return a.includes(x)
       if (is.array(a)) return a.includes(x) || this._deep && a.some(o => compare(o, x, true))
       if (is.set(a)) return a.has(x)
-      if (this._deep && is.object(a)) return compare(a, x, true)
+      if (is.object(a)) return compare(a, x, this._deep)
     }, _fail)
   }
 

package/lib/utils/cds-test.js

@@ -160,7 +160,7 @@ class Test extends require('./axios') {
     `)}}
   }
   set expect(x) { super.expect = x }
-  get expect() { return this.chai.expect }
+  get expect() { return _expect || this.chai.expect }
   get assert() { return this.chai.assert }
   get should() { return this.chai.should() }
 }
@@ -174,6 +174,7 @@ Object.setPrototypeOf (exports, Test.prototype)
 
 
 // Provide same global functions for jest and mocha
+let _expect = undefined
 ;(function _support_jest_and_mocha() {
   const _global = p => Object.getOwnPropertyDescriptor(global,p)?.value
   const is_jest = _global('beforeAll')
@@ -185,7 +186,7 @@ Object.setPrototypeOf (exports, Test.prototype)
     global.afterAll   = global.after     = (msg,fn) => repl.on?.('exit',fn||msg)
     global.beforeEach = global.afterEach = ()=>{}
     global.describe   = ()=>{}
-    exports.expect = global.expect = require('../test/expect')
+    global.expect = _expect = require('../test/expect')
 
   } else if (is_mocha) { // it's mocha
 
@@ -219,8 +220,7 @@ Object.setPrototypeOf (exports, Test.prototype)
     global.afterAll = global.after = (msg,fn) => after(fn||msg)
     global.beforeEach = beforeEach
     global.afterEach = afterEach
-    global.expect = require('../test/expect')
-    exports.expect = global.expect
+    global.expect = _expect = require('../test/expect')
     suite ('<next>', ()=>{}) //> to signal the start of a test file
 
   }

package/libx/_runtime/common/composition/insert.js

@@ -82,7 +82,7 @@ const hasDeepInsert = (model, cqn) => {
 const getDeepInsertCQNs = (model, cqn) => {
   const into = (cqn.INSERT.into.ref && cqn.INSERT.into.ref[0]) || cqn.INSERT.into.name || cqn.INSERT.into
   const entityName = ensureNoDraftsSuffix(into)
-  const draft = entityName !== into
+  const draft = entityName !== into || into.endsWith('.drafts') //lean draft
   const dataEntries = cqn.INSERT.entries ? deepCopy(cqn.INSERT.entries) : []
   const entity = model.definitions[entityName]
   const compositionTree = getCompositionTree({

package/libx/_runtime/common/error/utils.js

@@ -12,7 +12,8 @@ const i18n = (...args) => {
  * @returns localized error message
  */
 function getErrorMessage(error, locale) {
-  const txt = i18n(error.message || error.code || error.status || error.statusCode, locale, error.args)
+  const key = error.message || error.code || error.status || error.statusCode || '500'
+  const txt = i18n(key, locale, error.args)
   return txt || error.message || String(error.code || error.status || error.statusCode)
 }
 

package/libx/_runtime/common/generic/input.js

@@ -349,15 +349,12 @@ const _getOperation = (req, service) => {
 
 function _actionFunctionHandler(req) {
   const operation = _getOperation(req, this)
-  if (!operation || !operation.params) return
+  if (!operation) return
 
   const data = req.data || {}
 
-  // REVISIT: skip for mtxs as their models contain invalidities (e.g., properties modeled as strings but provided as objects)
-  const is_mtxs = operation.name.match(/^cds\.xt\./)
-
   // validate data
-  if (cds.env.features.cds_validate && !is_mtxs) {
+  if (cds.env.features.cds_validate) {
     const assertOptions = { mandatories: true }
     let errs = cds.validate(data, operation, assertOptions)
     if (errs) {

package/libx/_runtime/common/generic/stream.js

@@ -1,4 +1,14 @@
 const cds = require('../../cds')
+// REVISIT: Remove after removing okra
+const { isStreaming } = require('../../cds-services/adapter/odata-v4/utils/stream')
+
+const _isStream = query => {
+  const { _propertyAccess, target } = query
+  if (!_propertyAccess) return
+
+  const element = target.elements[_propertyAccess]
+  return element._type === 'cds.LargeBinary' && element['@Core.MediaType']
+}
 
 const _getStreamingProperties = elements => {
   const result = []
@@ -14,9 +24,7 @@ const _getStreamingProperties = elements => {
 
 const _getMediaTypeValue = () => {
   const ctx = cds.context
-  return (
-    !ctx?.http?.req?.headers?.['content-type']?.match(/json|multipart/i) && ctx?.http?.req?.headers?.['content-type']
-  )
+  return !ctx?.http?.req?.headers?.['content-type']?.match(/multipart/i) && ctx?.http?.req?.headers?.['content-type']
 }
 
 function _addContentType(req, mtValue) {
@@ -27,12 +35,19 @@ function _addContentType(req, mtValue) {
 
 async function addContentType(req) {
   if (!req.query || !req.target) return
+  if (req._.odataReq) {
+    if (!isStreaming(req._.odataReq.getUriInfo().getPathSegments())) return
+  } else if (req.req?._query) {
+    if (!_isStream(req.req._query)) return
+  }
+
   const mtValue = _getMediaTypeValue()
   if (!mtValue) return
 
   _addContentType(req, mtValue)
 }
 
+// register after input.js in order to write content-type also for @Core.Computed fields
 module.exports = cds.service.impl(function () {
   this.before(['PATCH', 'UPDATE'], '*', addContentType)
 })

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -758,13 +758,16 @@ const _convertSelect = (query, model, _options) => {
     //          old db expects it as cqn xpr
     if (query.SELECT.search.length === 1) {
       query.SELECT.search = query.SELECT.search[0].val
-        .replace(/"/g, '')
-        .split(' ')
+        .match(/("")|("(?:[^"]|\\")*(?:[^\\]|\\\\)")|(\S*)/g)
+        .filter(el => el.length)
+        .map(el => (el.match(/^["](.*)["]$/) ? JSON.parse(el) : el))
         .reduce((arr, val, i) => {
           if (i > 0) arr.push('and')
           arr.push({ val })
           return arr
         }, [])
+
+      if (!query.SELECT.search.length) query.SELECT.search = [{ val: '' }]
     }
 
     search2cqn4sql(query, model, { ...query._searchOptions, ...{ entityName, alias } })

package/libx/_runtime/db/query/read.js

@@ -60,17 +60,26 @@ const read = (executeSelectCQN, executeStreamCQN, convertStreams) => (model, dbc
 
   if (query.SELECT.count) {
     if (query.SELECT.limit) {
+      // IMPORTANT: do not change order!
+      // 1. create the count query synchronously, because it works on a copy
+      // 2. run the result query, duplicate names ( SELECT ID, ID ...) throw an error synchronously
+      // 3. run the count query
+      // reason is that executeSelectCQN modifies the query
       const countQuery = _createCountQuery(query)
-      const countResultPromise = executeSelectCQN(model, dbc, countQuery, user, locale, isoTs)
-      if (query.SELECT.limit?.rows?.val === 0) {
-        // We don't need to perform our result query
-        return countResultPromise.then(countResults => _arrayWithCount([], countValue(countResults)))
-      }
+      const resultPromise =
+        query.SELECT.limit?.rows?.val === 0
+          ? Promise.resolve([])
+          : executeSelectCQN(model, dbc, query, user, locale, isoTs)
+      const countPromise = executeSelectCQN(model, dbc, countQuery, user, locale, isoTs)
 
-      const resultPromise = executeSelectCQN(model, dbc, query, user, locale, isoTs)
-      return Promise.all([countResultPromise, resultPromise]).then(([countResults, result]) =>
-        _arrayWithCount(result, countValue(countResults))
-      )
+      // use allSettled here, so all executions are awaited before we rollback
+      return Promise.allSettled([countPromise, resultPromise]).then(results => {
+        const rejection = results.find(p => p.status === 'rejected')
+        if (rejection) throw rejection.reason
+
+        const [{ value: countResult }, { value: result }] = results
+        return _arrayWithCount(result, countValue(countResult))
+      })
     }
 
     return executeSelectCQN(model, dbc, query, user, locale, isoTs).then(result =>

package/libx/_runtime/fiori/lean-draft.js

@@ -207,7 +207,7 @@ const _redirectRefToActives = (ref, model) => {
 }
 
 const lastCheckMap = new Map()
-const _cleanUpOldDrafts = async (service, tenant) => {
+const _cleanUpOldDrafts = (service, tenant) => {
   if (!DEL_TIMEOUT.value) return
 
   const expiryDate = new Date(Date.now() - DEL_TIMEOUT.value).toISOString()
@@ -824,7 +824,7 @@ const Read = {
       else ownNewDrafts.push(draft)
     }
 
-    const $count = ownDrafts.length + (isCount ? actives[0]?.$count : actives.$count ?? 0)
+    const $count = ownDrafts.length + (isCount ? actives[0]?.$count : (actives.$count ?? 0))
     if (isCount) return { $count }
 
     Read.merge(query._target, ownDrafts, [], row => {

package/libx/_runtime/hana/customBuilder/CustomReferenceBuilder.js

@@ -15,7 +15,7 @@ class CustomReferenceBuilder extends ReferenceBuilder {
       const args = Object.keys(ref[0].args)
         .map(argKey => {
           this._outputObj.values.push(ref[0].args[argKey].val)
-          return `${argKey} => ${this._options.placeholder}`
+          return `${this._quoteElement(argKey)} => ${this._options.placeholder}`
         })
         .join(', ')
 

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -22,7 +22,7 @@ class EndpointRegistry {
       // unsuccessful auth doesn't automatically reject!
       cds.app.use(basePath, (req, res, next) => {
         // REVISIT: we should probably pass an error into next so that a (custom) error middleware can handle it
-        if (!cds.context.user._is_anonymous) res.status(401).json({ error: ODATA_UNAUTHORIZED })
+        if (cds.context.user._is_anonymous) return res.status(401).json({ error: ODATA_UNAUTHORIZED })
         next()
       })
     } else if (process.env.NODE_ENV === 'production') {
@@ -32,7 +32,7 @@ class EndpointRegistry {
       cds.app.use(basePath, cds.middlewares.context())
     }
     cds.app.use(basePath, express.json({ type: 'application/*+json' }))
-    cds.app.use(basePath, express.json()) // REVISIT: Do we need both?
+    cds.app.use(basePath, express.json())
     cds.app.use(basePath, express.urlencoded({ extended: true }))
     LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'OPTIONS' })
 

package/libx/_runtime/messaging/event-broker.js

@@ -1,5 +1,6 @@
 const cds = require('../cds')
 
+const normalizeIncomingMessage = require('./common-utils/normalizeIncomingMessage')
 const express = require('express')
 const https = require('https')
 const crypto = require('crypto')
@@ -47,31 +48,34 @@ function _validateCertificate(req, res, next) {
     return res.status(401).json({ message: 'Authentication Failed' })
   }
 
-  const bindingCert = new crypto.X509Certificate(this.options.credentials.certificate).toLegacyObject()
-  const clientCert = new crypto.X509Certificate(
+  const clientCertObj = new crypto.X509Certificate(
     `-----BEGIN CERTIFICATE-----\n${req.headers['x-forwarded-client-cert']}\n-----END CERTIFICATE-----`
-  ).toLegacyObject()
+  )
+  const clientCert = clientCertObj.toLegacyObject()
+
+  if (!this.isMultitenancy && !clientCertObj.checkPrivateKey(this.privateKey))
+    return res.status(401).josn({ message: 'Authentication Failed' })
 
   const cfSubject = Buffer.from(req.headers['x-ssl-client-subject-cn'], 'base64').toString()
-  if (bindingCert.subject.CN !== clientCert.subject.CN || bindingCert.subject.CN !== cfSubject) {
+  if (this.validationCert.subject.CN !== clientCert.subject.CN || this.validationCert.subject.CN !== cfSubject) {
     this.LOG.info('certificate subject does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming Subject CN is valid.')
 
-  if (bindingCert.issuer.CN !== clientCert.issuer.CN) {
+  if (this.validationCert.issuer.CN !== clientCert.issuer.CN) {
     this.LOG.info('Certificate issuer subject does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming issuer subject CN is valid.')
 
-  if (bindingCert.issuer.O !== clientCert.issuer.O) {
+  if (this.validationCert.issuer.O !== clientCert.issuer.O) {
     this.LOG.info('Certificate issuer org does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming Issuer Org is valid.')
 
-  if (bindingCert.issuer.OU !== clientCert.issuer.OU) {
+  if (this.validationCert.issuer.OU !== clientCert.issuer.OU) {
     this.LOG.info('certificate issuer OU does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
@@ -102,6 +106,11 @@ class EventBroker extends cds.MessagingService {
       this.startListening()
     })
     this.agent = this.getAgent()
+    this.isMultitenancy = cds.requires.multitenancy || cds.env.profiles.includes('mtx-sidecar')
+    this.validationCert = new crypto.X509Certificate(
+      this.isMultitenancy ? this.options.credentials.certificate : this.agent.options.cert
+    ).toLegacyObject()
+    this.privateKey = !this.isMultitenancy && crypto.createPrivateKey(this.agent.options.key)
   }
 
   getAgent() {
@@ -141,30 +150,63 @@ class EventBroker extends cds.MessagingService {
 
     // TODO: What if we're in single tenant variant?
     try {
-      const ceSource = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
       const hostname = this.options.credentials.eventing.http.x509.url.replace(/^https?:\/\//, '')
-      // TODO Cloud Events Handler CAP
+
+      // take over and cleanse cloudevents headers
+      const headers = { ...(msg.headers ?? {}) }
+
+      const ceId = headers.id
+      delete headers.id
+
+      const ceSource = headers.source
+      delete headers.source
+
+      const ceType = headers.type
+      delete headers.type
+
+      const ceSpecversion = headers.specversion
+      delete headers.specversion
+
+      // const ceDatacontenttype = headers.datacontenttype // not part of the HTTP API
+      delete headers.datacontenttype
+
+      // const ceTime  = headers.time // not part of the HTTP API
+      delete headers.time
+
       const options = {
         hostname: hostname,
         method: 'POST',
         headers: {
-          'ce-id': cds.utils.uuid(),
+          'ce-id': ceId,
           'ce-source': ceSource,
-          'ce-type': msg.event,
-          'ce-specversion': '1.0',
-          'Content-Type': 'application/json'
+          'ce-type': ceType,
+          'ce-specversion': ceSpecversion,
+          'Content-Type': 'application/json' // because of { data, ...headers } format
         },
         agent: this.agent
       }
       this.LOG.debug('HTTP headers:', JSON.stringify(options.headers))
       this.LOG.debug('HTTP body:', JSON.stringify(msg.data))
-      await request(options, msg.data) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
+      // what about headers?
+      // TODO: Clarify if we should send `{ data, ...headers }` vs.  `data` + HTTP headers (`ce-*`)
+      await request(options, { data: msg.data, ...headers }) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
       if (this.LOG._info) this.LOG.info('Emit', { topic: msg.event })
     } catch (e) {
       this.LOG.error('Emit failed:', e.message)
     }
   }
 
+  prepareHeaders(headers, event) {
+    if (!('source' in headers)) {
+      if (!this.options.credentials.ceSource)
+        throw new Error(
+          'Cannot publish event because of missing source information, currently not part of binding information.'
+        )
+      headers.source = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
+    }
+    super.prepareHeaders(headers, event)
+  }
+
   async registerWebhookEndpoints() {
     const webhookBasePath = this.options.webhookPath || '/-/cds/event-broker/webhook'
     cds.app.post(webhookBasePath, _validateCertificate.bind(this))
@@ -176,17 +218,27 @@ class EventBroker extends cds.MessagingService {
     try {
       const event = req.headers['ce-type'] // TG27: type contains namespace, so there's no collision
       const tenant = req.headers['ce-sapconsumertenant']
-      const msg = {
-        inbound: true,
-        event,
-        tenant,
-        data: req.body ? req.body : undefined,
-        headers: req.headers
+
+      // take over cloudevents headers (`ce-*`) without the prefix
+      const headers = {}
+      for (const header in req.headers) {
+        if (header.startsWith('ce-')) headers[header.slice(3)] = req.headers[header]
       }
-      cds.context = { user: cds.User.privileged }
-      if (tenant) cds.context.tenant = tenant // TODO: In single tenant case, we don't need a tenant
-      const tx = await this.tx()
-      await tx.emit(msg)
+
+      const msg = normalizeIncomingMessage(req.body)
+      msg.event = event
+      Object.assign(msg.headers, headers)
+      if (this.isMultitenancy) msg.tenant = tenant
+
+      // for cds.context.http
+      msg._ = {}
+      msg._.req = req
+      msg._.res = res
+
+      const context = { user: cds.User.privileged, _: msg._ }
+      if (msg.tenant) context.tenant = msg.tenant
+
+      await this.tx(context, tx => tx.emit(msg))
       this.LOG.debug('Event processed successfully.')
       return res.status(200).json({ message: 'OK' })
     } catch (e) {

package/libx/common/assert/utils.js

@@ -1,30 +1,3 @@
-function getNested(k, obj) {
-  let cur = obj
-  let p = ''
-  const parts = k.split('_')
-  while (parts.length) {
-    const q = parts.shift()
-    if (q in cur) {
-      cur = cur[q]
-      p = ''
-    } else {
-      p = p ? p + '_' + q : q
-      if (p in cur) {
-        cur = cur[p]
-        p = ''
-      } else {
-        if (Object.keys(cur).some(k => k.startsWith(p + '_'))) {
-          // continue for now as there's still a chance
-        } else {
-          // abort
-          return undefined
-        }
-      }
-    }
-  }
-  return cur[p] || cur !== obj ? cur : undefined
-}
-
 const getNormalizedDecimal = val => {
   let v = `${val}`
   const cgs = v.match(/^(\d*\.*\d*)e([+|-]*)(\d*)$/)
@@ -88,39 +61,10 @@ const resolveCDSType = ele => {
   return ele
 }
 
-function resolveSegment(prev, obj, def) {
-  if (prev.keys) {
-    let keys = []
-    for (const k of prev.keys) {
-      let val
-      if (k in obj) val = obj[k]
-      else val = getNested(k, obj)
-      if (val == null) {
-        // in some cases, k is not given, e.g., POST into collection via navigation
-        // TODO: what to put in target? "null", "transient", ...?
-        if (k === 'IsActiveEntity')
-          keys.push(`${k}=false`) //> always false if not in obj as it must be a draft activate
-        else keys.push(`${k}=null`)
-      } else {
-        const cdsType = resolveCDSType(def.elements[k])
-        const odataType = def.elements[k]['@odata.Type']
-        if (!odataType && cdsType === 'cds.String' || odataType === 'Edm.String') val = `'${val}'`
-        // TODO: more proper val encoding based on type
-        keys.push(`${k}=${val}`)
-      }
-    }
-    return `${prev.assoc}(${keys.join(',')})`
-  }
-  if (prev.index) {
-    return `${prev.prop}[${prev.index}]`
-  }
-}
 
 module.exports = {
-  getNested,
   getNormalizedDecimal,
   getTarget,
   isBase64String,
-  resolveCDSType,
-  resolveSegment
+  resolveCDSType
 }