@sap/cds 8.5.0 → 8.6.0

package/libx/odata/parse/afterburner.js

@@ -19,7 +19,7 @@ function _getDefinition(definition, name, namespace) {
 
 function _resolveAliasesInRef(ref, target) {
   if (ref.length === 1) {
-    if (target.keys[ref[0]]) return ref
+    if (target.keys?.[ref[0]]) return ref
 
     // resolve multi-part refs for innermost ref in url
     if (target._flattenedKeys === undefined) {
@@ -266,6 +266,23 @@ function _handleCollectionBoundActions(current, ref, i, namespace, one) {
   return incompleteKeys
 }
 
+function _resolveImplicitFunctionParameters(args) {
+  Object.entries(args).forEach(([key, value]) => {
+    if (typeof value !== 'boolean' && !!Number(value)) {
+      args[key] = Number(value)
+    } else if (typeof value === 'string') {
+      let result
+      result = value.match(/^'(\w*)'$/)?.[1]
+      if (result) {
+        args[key] = result
+      } else {
+        result = value.match(/^binary'([^']+)'$/)?.[1]
+        if (result) args[key] = Buffer.from(result, 'base64')
+      }
+    }
+  })
+}
+
 function _processSegments(from, model, namespace, cqn, protocol) {
   const { ref } = from
 
@@ -386,16 +403,19 @@ function _processSegments(from, model, namespace, cqn, protocol) {
 
         ref[i] = { operation: current.name }
 
-        if (params) ref[i].args = _getDataFromParams(params, current)
-        // REVISIT: SELECT.from._params is a temporary hack
-        else if (from._params && current.kind === 'function') {
-          // only take known params to allow additional instructions like sap-language, etc.
-          ref[i].args = current['@open']
-            ? Object.assign({}, from._params)
-            : Object.keys(from._params).reduce((acc, cur) => {
-                if (current.params && cur in current.params) acc[cur] = from._params[cur]
-                return acc
-              }, {})
+        if (current.kind === 'function') {
+          if (params) ref[i].args = _getDataFromParams(params, current)
+          // REVISIT: SELECT.from._params is a temporary hack
+          else if (from._params) {
+            // only take known params to allow additional instructions like sap-language, etc.
+            ref[i].args = current['@open']
+              ? Object.assign({}, from._params)
+              : Object.keys(from._params).reduce((acc, cur) => {
+                  if (current.params && cur in current.params) acc[cur] = from._params[cur]
+                  return acc
+                }, {})
+            _resolveImplicitFunctionParameters(ref[i].args)
+          }
         }
         if (current.returns && current.returns._type) one = true
 
@@ -494,12 +514,11 @@ function _addKeys(columns, target) {
   let hasAggregatedColumn = false,
     hasStarColumn = false
 
-  for (let k = 0; k < columns.length; k++) {
-    if (columns[k] === '*') hasStarColumn = true
-    else if (columns[k].func || columns[k].func === null) hasAggregatedColumn = true
+  for (const column of columns) {
+    if (column === '*') hasStarColumn = true
+    else if (column.func || column.func === null) hasAggregatedColumn = true
     // Add keys to (sub-)expands
-    else if (columns[k].expand && columns[k].expand[0] !== '*')
-      _addKeys(columns[k].expand, target.elements[columns[k].ref]._target)
+    else if (column.expand && column.ref) _addKeys(column.expand, target.elements[column.ref]._target)
   }
 
   // Don't add keys to queries with calculated properties, especially aggregations
@@ -515,15 +534,27 @@ function _addKeys(columns, target) {
   }
 }
 
-// remove duplicate * in expand (e.g. expand=*,*)
-function _removeDuplicateAsterisk(columns) {
+/**
+ * Recursively, for each depth, remove all other select columns if a select star is present
+ * (including duplicates) and remove duplicate expand stars.
+ *
+ * @param {*} columns CQN `SELECT` columns array.
+ */
+function _removeUnneededColumnsIfHasAsterisk(columns) {
+  // We need to know if column contains a select * before we can remove other selected columns below
+  const hasSelectStar = columns.some(column => column === '*')
   let hasExpandStar = false
 
   columns.forEach((column, i) => {
+    // Remove other select columns if we have a select star
+    if (hasSelectStar && column.ref && !column.expand) columns.splice(i, 1)
+    // Remove duplicate expand stars
     if (!column.ref && column.expand?.[0] === '*') {
       if (hasExpandStar) columns.splice(i, 1)
       hasExpandStar = true
     }
+    // Recursively remove unneeded columns in expand
+    if (column.expand) _removeUnneededColumnsIfHasAsterisk(column.expand)
   })
 }
 
@@ -548,7 +579,7 @@ function _processColumns(cqn, target, protocol) {
     else if (target.kind === 'action' && target.returns?.kind === 'entity') entity = target.returns
     if (!entity) return
 
-    _removeDuplicateAsterisk(columns)
+    _removeUnneededColumnsIfHasAsterisk(columns)
     rewriteExpandAsterisk(columns, entity)
     if (protocol !== 'rest') _addKeys(columns, entity)
   }
@@ -720,24 +751,27 @@ module.exports = (cqn, model, namespace, protocol) => {
   const from = resolveFromSelect(cqn)
   const { ref } = from
 
+  let edmName = ref[0].id || ref[0]
   // REVISIT: shouldn't be necessary
-  // Second findCsnTargetFor is required for concat query, where the root is already identified with the first query
-  // and subsequent queries already have correct root
+  if (edmName.split('.').length > 1)
+    //required for concat query, where the root is already identified with the first query and subsequent queries already have correct root
+    edmName = edmName.split('.')[edmName.split('.').length - 1]
+
   /*
    * make first path segment fully qualified
    */
-  const root =
-    findCsnTargetFor(ref[0].id || ref[0], model, namespace) ||
-    findCsnTargetFor(
-      ref[0].id?.split('.')[ref[0].id?.split('.').length - 1] || ref[0].split('.')[ref[0].split('.').length - 1],
-      model,
-      namespace
-    )
-
-  // REVISIT: 404 or 400?
+  const root = findCsnTargetFor(edmName, model, namespace)
+
   if (!root) {
+    //404 else we would expose knowledge to potential attackers
     cds.error(`Invalid resource path "${namespace}.${ref[0].id || ref[0]}"`, { code: '404', statusCode: 404 })
   }
+  if (cds.env.effective.odata.containment && model.definitions[namespace]._containedEntities.has(root.name)) {
+    cds.error(`Invalid resource path "${namespace}.${ref[0].id || ref[0]}"! It is not an entity set nor a singleton.`, {
+      code: '404',
+      statusCode: 404
+    })
+  }
   if (ref[0].id) ref[0].id = root.name
   else ref[0] = root.name
 

package/libx/odata/parse/grammar.peggy

@@ -204,6 +204,9 @@
       ) {
         cqn.from = { SELECT: { ...cqn } }
       }
+      if (apply.topLevels) cqn.__topLevels = apply.topLevels
+      if (apply.ancestors) cqn.__ancestors = apply.ancestors
+      if (apply.descendants) cqn.__descendants = apply.descendants
       if (apply.where) cqn.where = apply.where
       if (apply.search) cqn.search = apply.search
       if (apply.groupBy) {
@@ -379,6 +382,19 @@
       return args
     }
 
+  // `path` cannot be used in hierarchy functions, hence use a simpler definition
+  simplePath
+    = i:identifier filter:(OPEN CLOSE/OPEN a:args CLOSE{ return a })? tail:("/" s:simplePath{ return s })*{
+      const ref = [filter ? { id: i, where: filter } : i]
+      if (tail.length) ref.push(...tail.map(t => t.from.ref[0]))
+      return {
+        from: {
+          ref 
+        }
+      }
+    }
+
+
 //
 // ---------- Query Options ------------
 
@@ -778,6 +794,9 @@
       "top" top:topTrafo{return top} /
       "skip" skip:skipTrafo{return skip} /
       "orderby" order:orderbyTrafo{return order} /
+      "com.sap.vocabularies.Hierarchy.v1.TopLevels" toplevels:topLevelsTrafo{return toplevels} /
+      "ancestors" ancestors:ansDescTrafo{return { ancestors: ancestors }} /
+      "descendants" descendants:ansDescTrafo{return { descendants: descendants }} /
       func:("topcount"i/"bottomcount"i/"topsum"i/"bottomsum"i/"toppercent"i/"bottompercent"i) args:commonFuncTrafo {
         func = func.toLowerCase()
         if (!SUPPORTED_APPLY_TRANSFORMATIONS[func]) {
@@ -873,6 +892,82 @@
       return {orderBy: [o,...o2]}
     }
 
+  topLevelsTrafo
+    = OPEN o t:topLevelsArg ts:(o COMMA o t2:topLevelsArg{ return t2 })* o CLOSE {
+      ts.forEach(_t => Object.assign(t, _t))
+      return { 
+        topLevels: t
+      }
+    }
+
+  topLevelsArg
+    = hierarchyNodes /
+      hierarchyQualifier /
+      nodeProperty /
+      levels /
+      expandLevels
+
+  hierarchyNodes
+    = o "HierarchyNodes" o "=" o "$root/" p:simplePath o {
+      return { hierarchyNodes: p }
+    }
+
+  hierarchyQualifier
+    = o "HierarchyQualifier" o "=" o s:string o {
+      return { hierarchyQualifier: s }
+    }
+
+  nodeProperty
+    = o "NodeProperty" o "=" o s:string o {
+      return { nodeProperty: s }
+    }
+
+  levels
+    = o "Levels" o "=" o i:integer o {
+       return { levels: i}
+    }
+
+  expandLevels
+    = o "ExpandLevels" o "=" o "[" o e:expandItem es:(o COMMA o e2:expandItem{ return e2 })* "]" {
+      return { expandLevels: [e, ...es] }
+    }
+
+  expandItem
+    = o "{" o e1:expandItemProp o "," o e2:expandItemProp o "}" {
+      return Object.assign(e1,e2)
+    }
+
+  expandItemProp
+    = "\"NodeID\"" o ":" o s:doubleQuotedString{return { nodeID: s } } /
+      "\"Levels\"" o ":" o i:integer{return { levels: i } }
+
+  ansDescTrafo
+    = OPEN o "$root/" p:simplePath o COMMA o h:identifier o COMMA o e:identifier o COMMA? t:ansDescGetNodes? o COMMA? d:integer? o COMMA? k:ansDescKeepStart? CLOSE {
+        return { 
+            path: p,
+            hierarchy: h,
+            id: e,
+            nodes: t,
+            keepStart: k?.keepStart || false
+        }
+    }
+
+    ansDescGetNodes
+    = g:ansDescGetNode gs:( o "/" o g2:ansDescGetNode{return g2} )*{ return [g, ...gs] }
+
+    ansDescGetNode
+    = ansDescSearchNode /
+      ansDescFilterNode
+
+    ansDescFilterNode
+    = "filter(" f:filter ")"{ return { filter: f } }
+
+    ansDescSearchNode
+    = "search(" s:search_expand ")"{ return { search: s } }
+
+    ansDescKeepStart
+    = "keep start"{ return { keepStart: true } }
+
 //
 // ---------- Literals -----------