@sap/cds 8.2.3 → 8.3.0

package/libx/odata/middleware/update.js

@@ -69,9 +69,11 @@ module.exports = adapter => {
       throw Object.assign(new Error(`Method ${req.method} is not allowed for properties`), { statusCode: 405 })
     }
 
+    const model = cds.context.model ?? service.model
+
     // payload & params
     const data = _propertyAccess ? { [_propertyAccess]: req.body.value } : req.body
-    const { keys, params } = getKeysAndParamsFromPath(from, service)
+    const { keys, params } = getKeysAndParamsFromPath(from, { model })
     // add keys from url into payload (overwriting if already present)
     if (!_propertyAccess) Object.assign(data, keys)
 
@@ -111,7 +113,7 @@ module.exports = adapter => {
         if (result == null) return res.sendStatus(204)
 
         const isMinimal = getPreferReturnHeader(req) === 'minimal'
-        postProcess(cdsReq.target, service, result, isMinimal)
+        postProcess(cdsReq.target, model, result, isMinimal)
 
         if (isMinimal && !target._isSingleton) {
           // determine calculation based on result with req.data as fallback
@@ -139,7 +141,7 @@ module.exports = adapter => {
           // PUT / PATCH with if-match header means "only if already exists" -> no insert if it does not
           if (req.headers['if-match']) return next(Object.assign(new Error('412'), { statusCode: 412 }))
 
-          if (!upsertSupported(from, service.model)) return next(Object.assign(new Error('422'), { statusCode: 422 }))
+          if (!upsertSupported(from, model)) return next(Object.assign(new Error('422'), { statusCode: 422 }))
 
           // -> forward to POST
           req.method = 'POST'

package/libx/odata/parse/afterburner.js

@@ -383,6 +383,14 @@ function _processSegments(from, model, namespace, cqn, protocol) {
         ref[i] = { operation: current.name }
         if (params) ref[i].args = _getDataFromParams(params, current)
         if (current.returns && current.returns._type) one = true
+
+        if (current.returns) {
+          if (current.returns._type) {
+            one = true
+          }
+
+          target = current.returns.items ?? current.returns
+        }
       } else if (current.isAssociation) {
         if (!current._target._service) {
           // not exposed target
@@ -589,23 +597,26 @@ const _checkAllKeysProvided = (params, entity) => {
   }
 }
 
-const _doesNotExistError = (isExpand, refName, targetName) => {
+const _doesNotExistError = (isExpand, refName, targetName, targetKind) => {
   const msg = isExpand
     ? `Navigation property "${refName}" is not defined in "${targetName}"`
-    : `Property "${refName}" does not exist in "${targetName}"`
+    : `Property "${refName}" does not exist in ${targetKind === 'type' ? 'type ' : ''}"${targetName}"`
   throw Object.assign(new Error(msg), { statusCode: 400 })
 }
 
-function _validateXpr(xpr, ignoredColumns, target, isOne, model, aliases = []) {
+function _validateXpr(xpr, target, isOne, model, aliases = []) {
   if (!xpr) return []
 
+  const ignoredColumns = Object.values(target.elements ?? {})
+    .filter(element => element['@cds.api.ignore'] && !element.isAssociation)
+    .map(element => element.name)
   const _aliases = []
 
   for (const x of xpr) {
     if (x.as) _aliases.push(x.as)
 
     if (x.xpr) {
-      _validateXpr(x.xpr, ignoredColumns, target, isOne, model)
+      _validateXpr(x.xpr, target, isOne, model)
       continue
     }
 
@@ -614,101 +625,82 @@ function _validateXpr(xpr, ignoredColumns, target, isOne, model, aliases = []) {
 
       if (x.ref[0].where) {
         const element = target.elements[refName]
-
         if (!element) {
           _doesNotExistError(true, refName, target.name)
         }
-        _validateXpr(x.ref[0].where, ignoredColumns, element._target ?? element.items, isOne, model)
+        _validateXpr(x.ref[0].where, element._target ?? element.items, isOne, model)
       }
 
       if (!target?.elements) {
-        _doesNotExistError(false, refName, target.name)
+        _doesNotExistError(false, refName, target.name, target.kind)
       }
 
       if (ignoredColumns.includes(refName) || (!target.elements[refName] && !aliases.includes(refName))) {
         _doesNotExistError(x.expand, refName, target.name)
       } else if (x.ref.length > 1) {
         const element = target.elements[refName]
-
         if (element.isAssociation) {
           // navigation
-          const _target = element._target
-          const _ignoredColumns = Object.values(_target.elements ?? {})
-            .filter(element => element['@cds.api.ignore'])
-            .map(element => element.name)
-          if (element.is2one) {
-            _validateXpr([{ ref: x.ref.slice(1) }], _ignoredColumns, _target, false, model)
-          } else {
-            _validateXpr([{ ref: x.ref.slice(1) }], _ignoredColumns, _target, false, model)
-          }
+          _validateXpr([{ ref: x.ref.slice(1) }], element._target, false, model)
         } else if (element.kind === 'element') {
           // structured
-          _validateXpr([{ ref: x.ref.slice(1) }], ignoredColumns, element, isOne, model)
+          _validateXpr([{ ref: x.ref.slice(1) }], element, isOne, model)
         } else {
           throw new Error('not yet validated')
         }
       }
+
       if (x.expand) {
         let element = target.elements[refName]
         if (element.kind === 'element' && element.elements) {
           // structured
-          _validateXpr([{ ref: x.ref.slice(1) }], ignoredColumns, element, isOne, model)
+          _validateXpr([{ ref: x.ref.slice(1) }], element, isOne, model)
           element = _structProperty(x.ref.slice(1), element)
         }
-
         if (!element._target) {
           _doesNotExistError(true, refName, target.name)
         }
-
-        const _ignoredColumns = Object.values(element._target.elements ?? {})
-          .filter(element => element['@cds.api.ignore'])
-          .map(element => element.name)
-        _validateXpr(x.expand, _ignoredColumns, element._target, false, model)
-
+        _validateXpr(x.expand, element._target, false, model)
         if (x.where) {
-          _validateXpr(x.where, _ignoredColumns, element._target, false, model)
+          _validateXpr(x.where, element._target, false, model)
         }
-
         if (x.orderBy) {
-          _validateXpr(x.orderBy, _ignoredColumns, element._target, false, model)
+          _validateXpr(x.orderBy, element._target, false, model)
         }
       }
     }
 
     if (x.func) {
-      _validateXpr(x.args, ignoredColumns, target, isOne, model)
+      _validateXpr(x.args, target, isOne, model)
       continue
     }
 
     if (x.SELECT) {
       const { target } = targetFromPath(x.SELECT.from, model)
-      const _ignoredColumns = Object.values(target.elements ?? {})
-        .filter(element => element['@cds.api.ignore'])
-        .map(element => element.name)
-      _validateQuery(x.SELECT, _ignoredColumns, target, x.SELECT.one, model)
+      _validateQuery(x.SELECT, target, x.SELECT.one, model)
     }
   }
 
   return _aliases
 }
 
-function _validateQuery(SELECT, ignoredColumns, target, isOne, model) {
+function _validateQuery(SELECT, target, isOne, model) {
   const aliases = []
+
   if (SELECT.from.SELECT) {
     const { target } = targetFromPath(SELECT.from.SELECT.from, model)
-    const _ignoredColumns = Object.values(target.elements ?? {})
-      .filter(element => element['@cds.api.ignore'])
-      .map(element => element.name)
-    const subselectAliases = _validateQuery(SELECT.from.SELECT, _ignoredColumns, target, SELECT.from.SELECT.one, model)
+    const subselectAliases = _validateQuery(SELECT.from.SELECT, target, SELECT.from.SELECT.one, model)
     aliases.push(...subselectAliases)
   }
 
-  const columnAliases = _validateXpr(SELECT.columns, ignoredColumns, target, isOne, model)
+  const columnAliases = _validateXpr(SELECT.columns, target, isOne, model)
   aliases.push(...columnAliases)
-  _validateXpr(SELECT.orderBy, ignoredColumns, target, isOne, model, aliases)
-  _validateXpr(SELECT.where, ignoredColumns, target, isOne, model, aliases)
-  _validateXpr(SELECT.groupBy, ignoredColumns, target, isOne, model, aliases)
-  _validateXpr(SELECT.having, ignoredColumns, target, isOne, model, aliases)
+
+  _validateXpr(SELECT.orderBy, target, isOne, model, aliases)
+  _validateXpr(SELECT.where, target, isOne, model, aliases)
+  _validateXpr(SELECT.groupBy, target, isOne, model, aliases)
+  _validateXpr(SELECT.having, target, isOne, model, aliases)
+
   return aliases
 }
 
@@ -773,12 +765,8 @@ module.exports = (cqn, model, namespace, protocol) => {
   _processColumns(cqn, current, protocol)
 
   if (target) {
-    const ignoredColumns = Object.values(target.elements ?? {})
-      .filter(element => element['@cds.api.ignore'])
-      .map(element => element.name)
-
     // validate whether only known properties are used in query options
-    _validateQuery(cqn.SELECT, ignoredColumns, target, one, model)
+    _validateQuery(cqn.SELECT, target, one, model)
   }
 
   return cqn

package/libx/odata/utils/postProcess.js

@@ -1,5 +1,3 @@
-const cds = require('../../_runtime/cds')
-
 const getTemplate = require('../../_runtime/common/utils/template')
 
 const _addEtags = (row, key) => {
@@ -38,18 +36,15 @@ const _processorFn = elementInfo => {
 const _pick = element => {
   const categories = []
   if (element['@odata.etag']) categories.push('@odata.etag')
-  if (element['@cds.api.ignore']) categories.push('@cds.api.ignore')
+  if (element['@cds.api.ignore'] && !element.isAssociation) categories.push('@cds.api.ignore')
   if (element._type === 'cds.Binary') categories.push('binary')
   if (element.items) categories.push('array')
   if (categories.length) return { categories }
 }
 
-module.exports = function postProcess(target, service, result, isMinimal) {
+module.exports = function postProcess(target, model, result, isMinimal) {
   if (!result) return
 
-  let { model } = service
-  if (service.isExtensible) model = cds.context?.model || model
-
   if (!model.definitions[target.name]) {
     if (model.definitions[target.items?.type]) target = target.items
     else return
@@ -57,7 +52,7 @@ module.exports = function postProcess(target, service, result, isMinimal) {
 
   const cacheKey = isMinimal ? 'postProcessMinimal' : 'postProcess'
   const options = { pick: _pick, ignore: isMinimal ? el => el.isAssociation : undefined }
-  const template = getTemplate(cacheKey, service, target, options)
+  const template = getTemplate(cacheKey, { model }, target, options)
 
   if (template.elements.size === 0) return
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "8.2.3",
+  "version": "8.3.0",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [

package/libx/_runtime/cds-services/services/utils/compareJson.js

@@ -1,2 +0,0 @@
-// REVISIT: remove with cds^8
-module.exports = require('../../../common/utils/compareJson')

package/libx/_runtime/messaging/event-broker.js

@@ -1,317 +0,0 @@
-const cds = require('../cds')
-
-const normalizeIncomingMessage = require('./common-utils/normalizeIncomingMessage')
-const express = require('express')
-const https = require('https')
-const crypto = require('crypto')
-
-const usedWebhookEndpoints = new Set()
-
-async function request(options, data) {
-  return new Promise((resolve, reject) => {
-    const req = https.request(options, res => {
-      const chunks = []
-      res.on('data', chunk => {
-        chunks.push(chunk)
-      })
-      res.on('end', () => {
-        const response = {
-          statusCode: res.statusCode,
-          headers: res.headers,
-          body: Buffer.concat(chunks).toString()
-        }
-        if (res.statusCode > 299) {
-          reject({ message: response.body })
-        } else {
-          resolve(response)
-        }
-      })
-    })
-    req.on('error', error => {
-      reject(error)
-    })
-    if (data) {
-      req.write(JSON.stringify(data))
-    }
-    req.end()
-  })
-}
-
-function _validateCertificate(req, res, next) {
-  this.LOG.debug('event broker trying to authenticate via mTLS')
-
-  if (req.headers['x-ssl-client-verify'] !== '0') {
-    this.LOG.info('cf did not validate client certificate.')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-
-  if (!req.headers['x-forwarded-client-cert']) {
-    this.LOG.info('no certificate in xfcc header.')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-
-  const clientCertObj = new crypto.X509Certificate(
-    `-----BEGIN CERTIFICATE-----\n${req.headers['x-forwarded-client-cert']}\n-----END CERTIFICATE-----`
-  )
-  const clientCert = clientCertObj.toLegacyObject()
-
-  if (!this.isMultitenancy && !clientCertObj.checkPrivateKey(this.auth.privateKey))
-    return res.status(401).josn({ message: 'Authentication Failed' })
-
-  const cfSubject = Buffer.from(req.headers['x-ssl-client-subject-cn'], 'base64').toString()
-  if (
-    this.auth.validationCert.subject.CN !== clientCert.subject.CN ||
-    this.auth.validationCert.subject.CN !== cfSubject
-  ) {
-    this.LOG.info('certificate subject does not match')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-  this.LOG.debug('incoming Subject CN is valid.')
-
-  if (this.auth.validationCert.issuer.CN !== clientCert.issuer.CN) {
-    this.LOG.info('Certificate issuer subject does not match')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-  this.LOG.debug('incoming issuer subject CN is valid.')
-
-  if (this.auth.validationCert.issuer.O !== clientCert.issuer.O) {
-    this.LOG.info('Certificate issuer org does not match')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-  this.LOG.debug('incoming Issuer Org is valid.')
-
-  if (this.auth.validationCert.issuer.OU !== clientCert.issuer.OU) {
-    this.LOG.info('certificate issuer OU does not match')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-  this.LOG.debug('certificate issuer OU is valid.')
-
-  const valid_from = new Date(clientCert.valid_from)
-  const valid_to = new Date(clientCert.valid_to)
-  const now = new Date(Date.now())
-  if (valid_from <= now && valid_to >= now) {
-    this.LOG.debug('certificate validation completed')
-    next()
-  } else {
-    this.LOG.error('Certificate expired')
-    return res.status(401).json({ message: 'Authentication Failed' })
-  }
-}
-
-class EventBroker extends cds.MessagingService {
-  async init() {
-    await super.init()
-    cds.once('listening', () => {
-      this.startListening()
-    })
-    this.isMultitenancy = cds.env.requires.multitenancy || cds.env.profiles.includes('mtx-sidecar')
-
-    this.auth = {} // { kind: 'cert', validationCert?, privateKey? } or { kind: 'ias', ias }
-
-    // determine auth.kind
-    if (this.options.x509) {
-      if (!this.options.x509.cert && !this.options.x509.certPath)
-        throw new Error(`${this.name}: Event Broker with x509 option requires \`x509.cert\` or \`x509.certPath\`.`)
-      if (!this.options.x509.pkey && !this.options.x509.pkeyPath)
-        throw new Error(`${this.name}: Event Broker with x509 option requires \`x509.pkey\` or \`x509.pkeyPath\`.`)
-      this.auth.kind = 'cert' // byo cert, unofficial
-    } else {
-      let ias
-      for (const k in cds.env.requires) {
-        const r = cds.env.requires[k]
-        if (r.vcap?.label === 'identity' || r.kind === 'ias') ias = r
-      }
-      // multitenant receiver-only services don't need x509, check for ias existence
-      if (!this.isMultitenancy || ias) {
-        this.auth.kind = 'ias'
-        this.auth.ias = ias
-      } else this.auth.kind = 'cert'
-    }
-
-    if (!this.auth.kind || (this.auth.kind === 'ias' && !this.auth.ias))
-      throw new Error(`${this.name}: Event Broker requires your app to be bound to an IAS instance.`) // do not mention byo cert
-
-    if (this.auth.kind === 'cert') {
-      if (this.isMultitenancy && !this.options.credentials?.certificate)
-        throw new Error(
-          `${this.name}: \`certificate\` not found in Event Broker binding information. You need to bind your app to an Event Broker instance.`
-        )
-      this.auth.validationCert = new crypto.X509Certificate(
-        this.isMultitenancy ? this.options.credentials.certificate : this.agent.options.cert
-      ).toLegacyObject()
-      this.auth.privateKey = !this.isMultitenancy && crypto.createPrivateKey(this.agent.options.key)
-    }
-
-    this.LOG._debug && this.LOG.debug('using auth: ' + this.auth.kind)
-  }
-
-  get agent() {
-    return (this.__agentCache ??=
-      this.auth.kind === 'ias'
-        ? new https.Agent({ cert: this.auth.ias.credentials.certificate, key: this.auth.ias.credentials.key })
-        : new https.Agent({
-            cert:
-              this.options.x509.cert ??
-              cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
-            key:
-              this.options.x509.pkey ??
-              cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
-          }))
-  }
-
-  async handle(msg) {
-    if (msg.inbound) return super.handle(msg)
-    if (!this.options.credentials) throw new Error(`${this.name}: No credentials found for Event Broker service.`)
-    if (!this.options.credentials.ceSource)
-      throw new Error(`${this.name}: Emitting events is not supported by Event Broker plan \`event-connectivity\`.`)
-    const _msg = this.message4(msg)
-    await this.emitToEventBroker(_msg)
-  }
-
-  startListening() {
-    if (!this._listenToAll.value && !this.subscribedTopics.size) return
-    this.registerWebhookEndpoints()
-  }
-
-  async emitToEventBroker(msg) {
-    // TODO: CSN definition probably not needed, just in case...
-    //   See if there's a CSN entry for that event
-    //   const found = cds?.model.definitions[topicOrEvent]
-    //   if (found) return found  // case for fully-qualified event name
-    //   for (const def in cds.model?.definitions) {
-    //     const definition = cds.model.definitions[def]
-    //     if (definition['@topic'] === topicOrEvent) return definition
-    //   }
-
-    try {
-      const hostname = this.options.credentials.eventing.http.x509.url.replace(/^https?:\/\//, '')
-
-      // take over and cleanse cloudevents headers
-      const headers = { ...(msg.headers ?? {}) }
-
-      const ceId = headers.id
-      delete headers.id
-
-      const ceSource = headers.source
-      delete headers.source
-
-      const ceType = headers.type
-      delete headers.type
-
-      const ceSpecversion = headers.specversion
-      delete headers.specversion
-
-      // const ceDatacontenttype = headers.datacontenttype // not part of the HTTP API
-      delete headers.datacontenttype
-
-      // const ceTime  = headers.time // not part of the HTTP API
-      delete headers.time
-
-      const options = {
-        hostname: hostname,
-        method: 'POST',
-        headers: {
-          'ce-id': ceId,
-          'ce-source': ceSource,
-          'ce-type': ceType,
-          'ce-specversion': ceSpecversion,
-          'Content-Type': 'application/json' // because of { data, ...headers } format
-        },
-        agent: this.agent
-      }
-      if (this.LOG._debug) {
-        this.LOG.debug('HTTP headers:', JSON.stringify(options.headers))
-        this.LOG.debug('HTTP body:', JSON.stringify(msg.data))
-      }
-      // what about headers?
-      // TODO: Clarify if we should send `{ data, ...headers }` vs.  `data` + HTTP headers (`ce-*`)
-      //       Disadvantage with `data` + HTTP headers is that they're case insensitive -> information loss, but they're 'closer' to the cloudevents standard
-      await request(options, { data: msg.data, ...headers }) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
-      if (this.LOG._info) this.LOG.info('Emit', { topic: msg.event })
-    } catch (e) {
-      this.LOG.error('Emit failed:', e.message)
-      throw e
-    }
-  }
-
-  prepareHeaders(headers, event) {
-    if (!('source' in headers)) {
-      if (!this.options.credentials.ceSource)
-        throw new Error(`${this.name}: Cannot emit event: Parameter \`ceSource\` not found in Event Broker binding.`)
-      headers.source = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
-    }
-    super.prepareHeaders(headers, event)
-  }
-
-  registerWebhookEndpoints() {
-    const webhookBasePath = this.options.webhookPath || '/-/cds/event-broker/webhook'
-    if (usedWebhookEndpoints.has(webhookBasePath))
-      throw new Error(
-        `${this.name}: Event Broker: Webhook endpoint already registered. Use a different one with \`options.webhookPath\`.`
-      )
-    usedWebhookEndpoints.add(webhookBasePath)
-    // auth
-    if (this.auth.kind === 'ias') {
-      const ias_auth = require('../../../lib/auth/ias-auth')
-      cds.app.use(webhookBasePath, cds.middlewares.context())
-      cds.app.use(webhookBasePath, ias_auth(this.auth.ias))
-      cds.app.use(webhookBasePath, (err, _req, res, next) => {
-        if (err.code === 401) return res.status(401).json({ message: 'Unauthorized' })
-        return next(err)
-      })
-      cds.app.use(webhookBasePath, (_req, res, next) => {
-        if (
-          cds.context.user.is('system-user') &&
-          cds.context.user.tokenInfo.azp === this.options.credentials.ias.clientId
-        ) {
-          // the token was fetched by event broker -> OK
-          return next()
-        }
-        if (cds.context.user.is('internal-user')) {
-          // the token was fetched by own credentials -> OK (for testing)
-          return next()
-        }
-        res.status(401).json({ message: 'Unauthorized' })
-      })
-    } else {
-      cds.app.post(webhookBasePath, _validateCertificate.bind(this))
-    }
-    cds.app.post(webhookBasePath, express.json())
-    cds.app.post(webhookBasePath, this.onEventReceived.bind(this))
-  }
-
-  async onEventReceived(req, res) {
-    try {
-      const event = req.headers['ce-type'] // TG27: type contains namespace, so there's no collision
-      const tenant = req.headers['ce-sapconsumertenant']
-
-      // take over cloudevents headers (`ce-*`) without the prefix
-      const headers = {}
-      for (const header in req.headers) {
-        if (header.startsWith('ce-')) headers[header.slice(3)] = req.headers[header]
-      }
-
-      const msg = normalizeIncomingMessage(req.body)
-      msg.event = event
-      Object.assign(msg.headers, headers)
-      if (this.isMultitenancy) msg.tenant = tenant
-
-      // for cds.context.http
-      msg._ = {}
-      msg._.req = req
-      msg._.res = res
-
-      const context = { user: cds.User.privileged, _: msg._ }
-      if (msg.tenant) context.tenant = msg.tenant
-
-      await this.tx(context, tx => tx.emit(msg))
-      this.LOG.debug('Event processed successfully.')
-      return res.status(200).json({ message: 'OK' })
-    } catch (e) {
-      this.LOG.error('ERROR during inbound event processing:', e) // TODO: How does Event Broker do error handling?
-      res.status(500).json({ message: 'Internal Server Error!' })
-    }
-  }
-}
-
-module.exports = EventBroker