@sap/cds 8.0.4 → 8.1.0

package/lib/srv/protocols/http.js

@@ -17,38 +17,50 @@ class HttpAdapter {
 
   /** The actual Router factory. Subclasses override this to add specific handlers. */
   get router() {
-    let router = super.router = (new express.Router) .use (this.http_log.bind(this))
-    let assert_roles = this.requires_check()
-    if (assert_roles) router.use (assert_roles)
+    let router = super.router = (new express.Router)
+    this.use (this.http_log)
+    this.use (this.requires_check)
     return router
   }
 
-  /** Handler to log all incoming requests */
-  http_log (r,_,next) {
-    this.logger = cds.log(this.kind)
-    this.log(r)
-    next()
+  use (middleware) {
+    if (middleware) this.router.use (middleware)
+    return this
   }
 
   /** Subclasses may override this method to log incoming requests. */
-  log (req, LOG = this.logger) { LOG._info && LOG.info (
+  log (req, LOG = this.logger) { LOG.info (
     req.method,
     decodeURI (req.baseUrl + req.path),
     Object.keys (req.query).length ? { ...req.query } : ''
   )}
 
+  /** Returns a handler to log all incoming requests */
+  get http_log() {
+    const LOG = this.logger = cds.log(this.kind); if (!LOG._info) return undefined
+    const log = this.log.bind(this)
+    return function http_log (req,_,next) { log(req,LOG); next() }
+  }
+
   /** Returns a handler to check required roles, or null if no check required. */
-  requires_check() {
+  get requires_check() {
     const d = this.service.definition
     const roles = d['@requires'] || d['@restrict']?.map(r => r.to).flat().filter(r => r)
     const required = !roles?.length ? restricted_by_default : Array.isArray(roles) ? roles : [roles]
-    if (required) return function requires_check (req, res, next) {
+    return required && function requires_check (req, res, next) {
       const user = cds.context.user
       if (required.some(role => user.has(role))) return next()
       else if (user._is_anonymous) return next(401) // request login
       else throw Object.assign(new Error, { code: 403, reason: `User '${user.id}' is lacking required roles: [${required}]`, user, required })
     }
   }
+
+  get body_parser_options() {
+    let options = cds.env.server.body_parser
+    let limit = this.service.definition['@cds.server.body_parser.limit']
+    if (limit) options = { ...options, limit }
+    return super.body_parser_options = options
+  }
 }
 
 

package/lib/test/expect.js

@@ -112,7 +112,7 @@ class Core {
       if (is.string(a)) return a.includes(x)
       if (is.array(a)) return a.includes(x) || this._deep && a.some(o => compare(o, x, true))
       if (is.set(a)) return a.has(x)
-      if (this._deep && is.object(a)) return compare(a, x, true)
+      if (is.object(a)) return compare(a, x, this._deep)
     }, _fail)
   }
 

package/lib/utils/cds-test.js

@@ -160,7 +160,7 @@ class Test extends require('./axios') {
     `)}}
   }
   set expect(x) { super.expect = x }
-  get expect() { return this.chai.expect }
+  get expect() { return _expect || this.chai.expect }
   get assert() { return this.chai.assert }
   get should() { return this.chai.should() }
 }
@@ -174,6 +174,7 @@ Object.setPrototypeOf (exports, Test.prototype)
 
 
 // Provide same global functions for jest and mocha
+let _expect = undefined
 ;(function _support_jest_and_mocha() {
   const _global = p => Object.getOwnPropertyDescriptor(global,p)?.value
   const is_jest = _global('beforeAll')
@@ -185,7 +186,7 @@ Object.setPrototypeOf (exports, Test.prototype)
     global.afterAll   = global.after     = (msg,fn) => repl.on?.('exit',fn||msg)
     global.beforeEach = global.afterEach = ()=>{}
     global.describe   = ()=>{}
-    exports.expect = global.expect = require('../test/expect')
+    global.expect = _expect = require('../test/expect')
 
   } else if (is_mocha) { // it's mocha
 
@@ -219,8 +220,7 @@ Object.setPrototypeOf (exports, Test.prototype)
     global.afterAll = global.after = (msg,fn) => after(fn||msg)
     global.beforeEach = beforeEach
     global.afterEach = afterEach
-    global.expect = require('../test/expect')
-    exports.expect = global.expect
+    global.expect = _expect = require('../test/expect')
     suite ('<next>', ()=>{}) //> to signal the start of a test file
 
   }

package/libx/_runtime/common/error/utils.js

@@ -12,7 +12,8 @@ const i18n = (...args) => {
  * @returns localized error message
  */
 function getErrorMessage(error, locale) {
-  const txt = i18n(error.message || error.code || error.status || error.statusCode, locale, error.args)
+  const key = error.message || error.code || error.status || error.statusCode || '500'
+  const txt = i18n(key, locale, error.args)
   return txt || error.message || String(error.code || error.status || error.statusCode)
 }
 

package/libx/_runtime/common/generic/input.js

@@ -349,15 +349,12 @@ const _getOperation = (req, service) => {
 
 function _actionFunctionHandler(req) {
   const operation = _getOperation(req, this)
-  if (!operation || !operation.params) return
+  if (!operation) return
 
   const data = req.data || {}
 
-  // REVISIT: skip for mtxs as their models contain invalidities (e.g., properties modeled as strings but provided as objects)
-  const is_mtxs = operation.name.match(/^cds\.xt\./)
-
   // validate data
-  if (cds.env.features.cds_validate && !is_mtxs) {
+  if (cds.env.features.cds_validate) {
     const assertOptions = { mandatories: true }
     let errs = cds.validate(data, operation, assertOptions)
     if (errs) {

package/libx/_runtime/common/generic/stream.js

@@ -1,4 +1,14 @@
 const cds = require('../../cds')
+// REVISIT: Remove after removing okra
+const { isStreaming } = require('../../cds-services/adapter/odata-v4/utils/stream')
+
+const _isStream = query => {
+  const { _propertyAccess, target } = query
+  if (!_propertyAccess) return
+
+  const element = target.elements[_propertyAccess]
+  return element._type === 'cds.LargeBinary' && element['@Core.MediaType']
+}
 
 const _getStreamingProperties = elements => {
   const result = []
@@ -14,9 +24,7 @@ const _getStreamingProperties = elements => {
 
 const _getMediaTypeValue = () => {
   const ctx = cds.context
-  return (
-    !ctx?.http?.req?.headers?.['content-type']?.match(/json|multipart/i) && ctx?.http?.req?.headers?.['content-type']
-  )
+  return !ctx?.http?.req?.headers?.['content-type']?.match(/multipart/i) && ctx?.http?.req?.headers?.['content-type']
 }
 
 function _addContentType(req, mtValue) {
@@ -27,12 +35,19 @@ function _addContentType(req, mtValue) {
 
 async function addContentType(req) {
   if (!req.query || !req.target) return
+  if (req._.odataReq) {
+    if (!isStreaming(req._.odataReq.getUriInfo().getPathSegments())) return
+  } else if (req.req?._query) {
+    if (!_isStream(req.req._query)) return
+  }
+
   const mtValue = _getMediaTypeValue()
   if (!mtValue) return
 
   _addContentType(req, mtValue)
 }
 
+// register after input.js in order to write content-type also for @Core.Computed fields
 module.exports = cds.service.impl(function () {
   this.before(['PATCH', 'UPDATE'], '*', addContentType)
 })

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -758,13 +758,16 @@ const _convertSelect = (query, model, _options) => {
     //          old db expects it as cqn xpr
     if (query.SELECT.search.length === 1) {
       query.SELECT.search = query.SELECT.search[0].val
-        .replace(/"/g, '')
-        .split(' ')
+        .match(/("")|("(?:[^"]|\\")*(?:[^\\]|\\\\)")|(\S*)/g)
+        .filter(el => el.length)
+        .map(el => (el.match(/^["](.*)["]$/) ? JSON.parse(el) : el))
         .reduce((arr, val, i) => {
           if (i > 0) arr.push('and')
           arr.push({ val })
           return arr
         }, [])
+
+      if (!query.SELECT.search.length) query.SELECT.search = [{ val: '' }]
     }
 
     search2cqn4sql(query, model, { ...query._searchOptions, ...{ entityName, alias } })

package/libx/_runtime/fiori/lean-draft.js

@@ -207,7 +207,7 @@ const _redirectRefToActives = (ref, model) => {
 }
 
 const lastCheckMap = new Map()
-const _cleanUpOldDrafts = async (service, tenant) => {
+const _cleanUpOldDrafts = (service, tenant) => {
   if (!DEL_TIMEOUT.value) return
 
   const expiryDate = new Date(Date.now() - DEL_TIMEOUT.value).toISOString()

package/libx/_runtime/hana/customBuilder/CustomReferenceBuilder.js

@@ -15,7 +15,7 @@ class CustomReferenceBuilder extends ReferenceBuilder {
       const args = Object.keys(ref[0].args)
         .map(argKey => {
           this._outputObj.values.push(ref[0].args[argKey].val)
-          return `${argKey} => ${this._options.placeholder}`
+          return `${this._quoteElement(argKey)} => ${this._options.placeholder}`
         })
         .join(', ')
 

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -22,7 +22,7 @@ class EndpointRegistry {
       // unsuccessful auth doesn't automatically reject!
       cds.app.use(basePath, (req, res, next) => {
         // REVISIT: we should probably pass an error into next so that a (custom) error middleware can handle it
-        if (!cds.context.user._is_anonymous) res.status(401).json({ error: ODATA_UNAUTHORIZED })
+        if (cds.context.user._is_anonymous) return res.status(401).json({ error: ODATA_UNAUTHORIZED })
         next()
       })
     } else if (process.env.NODE_ENV === 'production') {
@@ -32,7 +32,7 @@ class EndpointRegistry {
       cds.app.use(basePath, cds.middlewares.context())
     }
     cds.app.use(basePath, express.json({ type: 'application/*+json' }))
-    cds.app.use(basePath, express.json()) // REVISIT: Do we need both?
+    cds.app.use(basePath, express.json())
     cds.app.use(basePath, express.urlencoded({ extended: true }))
     LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'OPTIONS' })
 

package/libx/_runtime/messaging/event-broker.js

@@ -48,31 +48,34 @@ function _validateCertificate(req, res, next) {
     return res.status(401).json({ message: 'Authentication Failed' })
   }
 
-  const bindingCert = new crypto.X509Certificate(this.options.credentials.certificate).toLegacyObject()
-  const clientCert = new crypto.X509Certificate(
+  const clientCertObj = new crypto.X509Certificate(
     `-----BEGIN CERTIFICATE-----\n${req.headers['x-forwarded-client-cert']}\n-----END CERTIFICATE-----`
-  ).toLegacyObject()
+  )
+  const clientCert = clientCertObj.toLegacyObject()
+
+  if (!this.isMultitenancy && !clientCertObj.checkPrivateKey(this.privateKey))
+    return res.status(401).josn({ message: 'Authentication Failed' })
 
   const cfSubject = Buffer.from(req.headers['x-ssl-client-subject-cn'], 'base64').toString()
-  if (bindingCert.subject.CN !== clientCert.subject.CN || bindingCert.subject.CN !== cfSubject) {
+  if (this.validationCert.subject.CN !== clientCert.subject.CN || this.validationCert.subject.CN !== cfSubject) {
     this.LOG.info('certificate subject does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming Subject CN is valid.')
 
-  if (bindingCert.issuer.CN !== clientCert.issuer.CN) {
+  if (this.validationCert.issuer.CN !== clientCert.issuer.CN) {
     this.LOG.info('Certificate issuer subject does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming issuer subject CN is valid.')
 
-  if (bindingCert.issuer.O !== clientCert.issuer.O) {
+  if (this.validationCert.issuer.O !== clientCert.issuer.O) {
     this.LOG.info('Certificate issuer org does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming Issuer Org is valid.')
 
-  if (bindingCert.issuer.OU !== clientCert.issuer.OU) {
+  if (this.validationCert.issuer.OU !== clientCert.issuer.OU) {
     this.LOG.info('certificate issuer OU does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
@@ -103,6 +106,11 @@ class EventBroker extends cds.MessagingService {
       this.startListening()
     })
     this.agent = this.getAgent()
+    this.isMultitenancy = cds.requires.multitenancy || cds.env.profiles.includes('mtx-sidecar')
+    this.validationCert = new crypto.X509Certificate(
+      this.isMultitenancy ? this.options.credentials.certificate : this.agent.options.cert
+    ).toLegacyObject()
+    this.privateKey = !this.isMultitenancy && crypto.createPrivateKey(this.agent.options.key)
   }
 
   getAgent() {
@@ -189,7 +197,13 @@ class EventBroker extends cds.MessagingService {
   }
 
   prepareHeaders(headers, event) {
-    if (!('source' in headers)) headers.source = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
+    if (!('source' in headers)) {
+      if (!this.options.credentials.ceSource)
+        throw new Error(
+          'Cannot publish event because of missing source information, currently not part of binding information.'
+        )
+      headers.source = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
+    }
     super.prepareHeaders(headers, event)
   }
 
@@ -214,7 +228,7 @@ class EventBroker extends cds.MessagingService {
       const msg = normalizeIncomingMessage(req.body)
       msg.event = event
       Object.assign(msg.headers, headers)
-      if (tenant) msg.tenant = tenant
+      if (this.isMultitenancy) msg.tenant = tenant
 
       // for cds.context.http
       msg._ = {}

package/libx/common/assert/utils.js

@@ -1,30 +1,3 @@
-function getNested(k, obj) {
-  let cur = obj
-  let p = ''
-  const parts = k.split('_')
-  while (parts.length) {
-    const q = parts.shift()
-    if (q in cur) {
-      cur = cur[q]
-      p = ''
-    } else {
-      p = p ? p + '_' + q : q
-      if (p in cur) {
-        cur = cur[p]
-        p = ''
-      } else {
-        if (Object.keys(cur).some(k => k.startsWith(p + '_'))) {
-          // continue for now as there's still a chance
-        } else {
-          // abort
-          return undefined
-        }
-      }
-    }
-  }
-  return cur[p] || cur !== obj ? cur : undefined
-}
-
 const getNormalizedDecimal = val => {
   let v = `${val}`
   const cgs = v.match(/^(\d*\.*\d*)e([+|-]*)(\d*)$/)
@@ -88,39 +61,10 @@ const resolveCDSType = ele => {
   return ele
 }
 
-function resolveSegment(prev, obj, def) {
-  if (prev.keys) {
-    let keys = []
-    for (const k of prev.keys) {
-      let val
-      if (k in obj) val = obj[k]
-      else val = getNested(k, obj)
-      if (val == null) {
-        // in some cases, k is not given, e.g., POST into collection via navigation
-        // TODO: what to put in target? "null", "transient", ...?
-        if (k === 'IsActiveEntity')
-          keys.push(`${k}=false`) //> always false if not in obj as it must be a draft activate
-        else keys.push(`${k}=null`)
-      } else {
-        const cdsType = resolveCDSType(def.elements[k])
-        const odataType = def.elements[k]['@odata.Type']
-        if (!odataType && cdsType === 'cds.String' || odataType === 'Edm.String') val = `'${val}'`
-        // TODO: more proper val encoding based on type
-        keys.push(`${k}=${val}`)
-      }
-    }
-    return `${prev.assoc}(${keys.join(',')})`
-  }
-  if (prev.index) {
-    return `${prev.prop}[${prev.index}]`
-  }
-}
 
 module.exports = {
-  getNested,
   getNormalizedDecimal,
   getTarget,
   isBase64String,
-  resolveCDSType,
-  resolveSegment
+  resolveCDSType
 }

package/libx/odata/middleware/batch.js

@@ -553,12 +553,11 @@ const _formatResponseJson = (request, atomicityGroup) => {
  */
 
 module.exports = adapter => {
-  const { options: config, router, service } = adapter
-  const { max_content_length } = config //> max_content_length is unofficial config
-
-  const options = { type: '*/*' }
-  if (max_content_length) options.limit = max_content_length
-  const textBodyParser = express.text(options)
+  const { router, service } = adapter
+  const textBodyParser = express.text({
+    ...adapter.body_parser_options,
+    type: '*/*' // REVISIT: why do we need to override type here?
+  })
 
   return function odata_batch(req, res, next) {
     if (req.headers['content-type'].includes('application/json')) {

package/libx/odata/middleware/body-parser.js

@@ -3,9 +3,8 @@ const express = require('express')
 // basically express.json() with string representation of body stored in req._raw for recovery
 // REVISIT: why do we need our own body parser? Only because of req._raw?
 module.exports = function bodyParser4(adapter, options = {}) {
-  if (!options.type) options.type = 'json'
-  const { max_content_length } = adapter.options //> max_content_length is unofficial config
-  if (!options.limit && max_content_length) options.limit = max_content_length
+  Object.assign(options, adapter.body_parser_options)
+  options.type ??= 'json' // REVISIT: why do we need to override type here?
   const textParser = express.text(options)
   return function http_body_parser(req, res, next) {
     if (typeof req.body === 'object') {

package/libx/odata/middleware/operation.js

@@ -51,9 +51,6 @@ module.exports = adapter => {
     let { operation, args } = req._query.SELECT?.from.ref?.slice(-1)[0] || {}
     if (!operation) return next() //> create or read
 
-    // REVISIT: should not be necessary
-    const _originalQuery = JSON.parse(JSON.stringify(req._query))
-
     // unbound vs. bound
     let entity, params
     if (service.model.definitions[operation]) {
@@ -102,7 +99,6 @@ module.exports = adapter => {
 
         if (operation.returns._type?.match?.(/^cds\./)) {
           const context = `${'../'.repeat(query?.SELECT?.from?.ref?.length)}$metadata#${cds2edm[operation.returns._type]}`
-
           result = { '@odata.context': context, value: result }
           return res.send(result)
         }
@@ -121,15 +117,19 @@ module.exports = adapter => {
         if (operation.returns.type !== 'sap.esh.SearchResult') {
           const isCollection = !!operation.returns.items
           const _target = operation.returns.items ?? operation.returns
-          // REVISIT: when is edmName needed?
-          const edmName = _opResultName({ service, operation, returnType: _target })
-          const metadata = getODataMetadata(
-            { SELECT: { from: _originalQuery?.SELECT?.from, one: !isCollection }, _target },
-
-            { result, isCollection, edmName }
-          )
+          const options = { result, isCollection }
+          if (!_target.name) {
+            // case: return inline type def
+            options.edmName = _opResultName({ service, operation, returnType: _target })
+          }
+          const SELECT = {
+            from: query ? { ref: [...query.SELECT.from.ref, { operation: operation.name }] } : {},
+            one: !isCollection
+          }
+          const metadata = getODataMetadata({ SELECT, _target }, options)
           result = getODataResult(result, metadata, { isCollection })
         }
+
         res.send(result)
       })
       .catch(err => {

package/libx/odata/parse/grammar.peggy

@@ -402,6 +402,7 @@
     "$skip="        o val:skip { _setLimitOffset(val) } /
     "$search="      o s:search_expand { if (s) SELECT.search = s } /
     "$count="       o count /
+    "$apply="       &{ return cds.env.features.skip_apply_parsing } o [^&]* { return null } /
     "$apply="       o trafos:transformations { return trafos } /
     // Workaround to support empty expand even if not OData compliant old adapter supported it and did not crash
     "$expand=" {return null}
@@ -486,7 +487,11 @@
       / o // Do not add search property for space only
 
   search_clause
-    = val:$( [^&]+ ) { return [{ val }] }
+    = val:$(($[ ]* (
+            [^"&]+
+            / ('"' ("\\\\" / "\\\"" / [^"])+ '"' [ ]*)+
+      ))+)
+      { return [{ val }] }
 
   search_expand
     = val:$( [^;)]+ ) { return [{ val }] }