@sap/cds 9.2.1 → 9.3.1

package/libx/_runtime/ucl/Service.js

@@ -4,11 +4,163 @@ const LOG = cds.log('ucl')
 const fs = require('fs').promises
 const https = require('https')
 
-class UCLService extends cds.Service {
+const { READ_QUERY, CREATE_MUTATION, UPDATE_MUTATION, DELETE_MUTATION } = require('./queries')
+const TRUSTED_CERT = {
+  CANARY: {
+    ISSUER: 'CN=SAP PKI Certificate Service Client CA,OU=SAP BTP Clients,O=SAP SE,L=cf-eu10-canary,C=DE',
+    SUBJECT: 'CN=cmp-stage,OU=SAP Cloud Platform Clients,OU=Canary,OU=cmp-cf-eu10-canary,O=SAP SE,L=Stage,C=DE'
+  },
+  LIVE: {
+    ISSUER: 'CN=SAP PKI Certificate Service Client CA,OU=SAP BTP Clients,O=SAP SE,L=cf-eu10,C=DE',
+    SUBJECT: 'CN=cmp-prod,OU=SAP Cloud Platform Clients,OU=cmp-cf-eu10,O=SAP SE,L=Prod,C=DE'
+  }
+}
+
+module.exports = class UCLService extends cds.Service {
+  constructor(...args) {
+    super(...args)
+
+    // REVISIT: cds.connect.to('ucl') should return this, but no cds.requires.kinds.ucl config achieved this
+    cds.services.ucl = this
+  }
+
   async init() {
+    this.on('*', 'tenantMappings', async req => {
+      if (req.method !== 'PATCH') req.reject(405, `Method ${req.method} not allowed for tenant mapping notifications`)
+
+      await this._validateCertificate(req)
+
+      return await this._dispatchNotification(req)
+    })
+
     await super.init()
 
-    this._applicationTemplate = _getApplicationTemplate(this.options)
+    if (cds.env.requires.ucl?.applicationTemplate) await this._upsertApplicationTemplate(cds.env.requires.ucl)
+  }
+
+  async _validateCertificate(req) {
+    // Allow bypassing certificate validation in development
+    if (process.env.NODE_ENV !== 'production' && cds.env.requires.ucl?.skipCertValidation) return
+
+    // Check if the request uses a 'cert' or 'mesh.cf' domain
+    if (!req.http?.req.hostname.match(/\.cert\.|\.mesh\.cf\./)) req.reject(403)
+
+    // Verify presence of required .cert domain headers
+    const reqClientVerificationStatus = req.headers['x-ssl-client-verify']
+    if (reqClientVerificationStatus !== '0') throw new cds.error(401, 'Client certificate not verified')
+    const reqClientCertSubjectB64 = req.headers['x-ssl-client-subject-dn']
+    if (!reqClientCertSubjectB64) throw new cds.error(401, 'No client certificate subject provided')
+    const reqClientCertIssuerB64 = req.headers['x-ssl-client-issuer-dn']
+    if (!reqClientCertIssuerB64) throw new cds.error(401, 'No client certificate issuer provided')
+
+    // Extract tokens from base64 encoded subject and issuer .cert domain headers
+    const reqClientCertSubject = Buffer.from(reqClientCertSubjectB64, 'base64').toString('ascii')
+    const reqClientCertSubjectTokens = reqClientCertSubject
+      .replace('\n', '')
+      .split('/')
+      .filter(token => token)
+    const reqClientCertIssuer = Buffer.from(reqClientCertIssuerB64, 'base64').toString('ascii')
+    const reqClientCertIssuerTokens = reqClientCertIssuer
+      .replace('\n', '')
+      .split('/')
+      .filter(token => token)
+
+    // Determine trusted certificate subject and issuer information
+    let trustedCertSubject = process.env.CDS_UCL_X509_CERTSUBJECT || cds.env.requires.ucl.x509?.certSubject
+    let trustedCertIssuer = process.env.CDS_UCL_X509_CERTISSUER || cds.env.requires.ucl.x509?.certIssuer
+    if (!trustedCertIssuer?.length || !trustedCertSubject?.length) {
+      let stage = 'CANARY'
+      const VCAP_APPLICATION = JSON.parse(process.env.VCAP_APPLICATION || '{}')
+      if (VCAP_APPLICATION.cf_api && !VCAP_APPLICATION.cf_api.endsWith('.cf.sap.hana.ondemand.com')) stage = 'LIVE'
+      trustedCertIssuer = TRUSTED_CERT[stage].ISSUER
+      trustedCertSubject = TRUSTED_CERT[stage].SUBJECT
+    }
+
+    // Match received with trusted info - As done in UCL reference implementation
+    const matchesUclInfoSubject = trustedCertSubject
+      .split(',')
+      .map(token => token.trim())
+      .every(token => reqClientCertSubjectTokens.includes(token))
+    if (!matchesUclInfoSubject) {
+      LOG.debug('Received Request Subject Info: ', reqClientCertSubject)
+      LOG.debug('Expected UCL Subject Info: ', trustedCertSubject)
+      throw new cds.error(401, 'Received .cert subject does not match trusted UCL info subject')
+    }
+    const matchesUclInfoIssuer = trustedCertIssuer
+      .split(',')
+      .map(token => token.trim())
+      .every(token => reqClientCertIssuerTokens.includes(token))
+    if (!matchesUclInfoIssuer) {
+      LOG.debug('Received Request Issuer Info: ', reqClientCertIssuer)
+      LOG.debug('Expected UCL Issuer Info: ', trustedCertIssuer)
+      throw new cds.error(401, 'Received .cert issuer does not match trusted UCL info issuer')
+    }
+  }
+
+  async _dispatchNotification(req) {
+    // Call User defined handlers for tenant mapping notifications
+
+    // REVISIT: Java unpacks the location header and enables the async flow aswell
+    if (req.headers.location)
+      throw new cds.error(400, 'Location header found in tenant mapping notification: Async flow not supported!')
+
+    LOG.debug('Tenant mapping notification: ', req.data)
+
+    const { operation } = req.data?.context ?? {}
+    if (operation !== 'assign' && operation !== 'unassign')
+      throw new cds.error(
+        400,
+        `Invalid operation "${operation}" in tenant mapping notification. Expected "assign" or "unassign".`
+      )
+
+    const response = (await this.send(operation, req.data)) ?? {}
+
+    if (response.error) req.http.res.status(400)
+    else response.state ??= operation === 'assign' ? 'CONFIG_PENDING' : 'READY'
+
+    return response
+  }
+
+  /*
+   * the rest is for upserting the application template
+   */
+
+  async _upsertApplicationTemplate() {
+    const _getApplicationTemplate = options => {
+      let applicationTemplate = {
+        applicationInput: {
+          providerName: 'SAP',
+          localTenantID: '{{tenant-id}}',
+          labels: {
+            displayName: '{{subdomain}}'
+          }
+        },
+        labels: {
+          managed_app_provisioning: true,
+          xsappname: '${xsappname}'
+        },
+        placeholders: [
+          { name: 'subdomain', description: 'The subdomain of the consumer tenant' },
+          {
+            name: 'tenant-id',
+            description: "The tenant id as it's known in the product's domain",
+            jsonPath: '$.subscribedTenantId'
+          }
+        ],
+        accessLevel: 'GLOBAL'
+      }
+      applicationTemplate = cds.utils.merge(applicationTemplate, options.applicationTemplate)
+
+      const pkg = require(cds.root + '/package')
+      if (!applicationTemplate.name) applicationTemplate.name = pkg.name
+      if (!applicationTemplate.applicationInput.name) applicationTemplate.applicationInput.name = pkg.name
+      if (applicationTemplate.labels.xsappname === '${xsappname}')
+        applicationTemplate.labels.xsappname = options.credentials.xsappname
+
+      return applicationTemplate
+    }
+
+    this._applicationTemplate = _getApplicationTemplate(cds.env.requires.ucl)
     if (!this._applicationTemplate.applicationNamespace) {
       throw new Error(
         'The UCL service requires a valid `applicationTemplate`, please provide it as described in the documentation.'
@@ -19,22 +171,25 @@ class UCLService extends cds.Service {
       throw new Error(
         'The UCL service requires multitenancy, please enable it in your cds configuration with `cds.requires.multitenancy` or by using the mtx sidecar.'
       )
-    if (!this.options.credentials)
+    if (!cds.env.requires.ucl.credentials)
       throw new Error('No credentials found for the UCL service, please bind the service to your app.')
 
-    if (!this.options.x509.cert && !this.options.x509.certPath)
+    if (!cds.env.requires.ucl.x509?.cert && !cds.env.requires.ucl.x509?.certPath)
       throw new Error('UCL requires `x509.cert` or `x509.certPath`.')
-    if (!this.options.x509.pkey && !this.options.x509.pkeyPath)
+    if (!cds.env.requires.ucl.x509?.pkey && !cds.env.requires.ucl.x509?.pkeyPath)
       throw new Error('UCL requires `x509.pkey` or `x509.pkeyPath`.')
 
     const [cert, key] = await Promise.all([
-      this.options.x509.cert ?? fs.readFile(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
-      this.options.x509.pkey ?? fs.readFile(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
+      cds.env.requires.ucl.x509?.cert ??
+        fs.readFile(cds.utils.path.resolve(cds.root, cds.env.requires.ucl.x509?.certPath)),
+      cds.env.requires.ucl.x509?.pkey ??
+        fs.readFile(cds.utils.path.resolve(cds.root, cds.env.requires.ucl.x509?.pkeyPath))
     ])
+
     this.agent = new https.Agent({ cert, key })
 
-    const existingTemplate = await this.readTemplate()
-    const template = existingTemplate ? await this.updateTemplate(existingTemplate) : await this.createTemplate() // TODO: Make sure return value is correct
+    const existingTemplate = await this._readTemplate()
+    const template = existingTemplate ? await this._updateTemplate(existingTemplate) : await this._createTemplate() // TODO: Make sure return value is correct
 
     if (!template) throw new Error('The UCL service could not create an application template.')
 
@@ -50,15 +205,18 @@ class UCLService extends cds.Service {
     })
   }
 
-  // Replace with fetch
+  // REVISIT: Replace with fetch (?)
   async _request(query, variables) {
+    // Query GraphQL API
+
     const opts = {
-      host: this.options.host,
-      path: this.options.path,
+      host: cds.env.requires.ucl.host || 'compass-gateway-sap-mtls.mps.kyma.cloud.sap',
+      path: cds.env.requires.ucl.path || '/director/graphql',
       agent: this.agent,
       method: 'POST',
       headers: { 'Content-Type': 'application/json' }
     }
+
     return new Promise((resolve, reject) => {
       const req = https.request(opts, res => {
         const chunks = []
@@ -73,9 +231,12 @@ class UCLService extends cds.Service {
             headers: res.headers,
             body: Buffer.concat(chunks).toString()
           }
+
           const body = JSON.parse(response.body)
+
           if (body.errors)
             throw new Error('Request to UCL service failed with:\n' + JSON.stringify(body.errors, null, 2))
+
           resolve(body.data)
         })
       })
@@ -87,6 +248,7 @@ class UCLService extends cds.Service {
       if (query) {
         req.write(JSON.stringify({ query, variables }))
       }
+
       req.end()
     })
   }
@@ -100,14 +262,14 @@ class UCLService extends cds.Service {
     }
   }
 
-  async readTemplate() {
-    const xsappname = this.options.credentials.xsappname
+  async _readTemplate() {
+    const xsappname = cds.env.requires.ucl.credentials.xsappname
     const variables = { key: 'xsappname', value: `"${xsappname}"` }
     const res = await this._request(READ_QUERY, variables)
     if (res) return res.applicationTemplates.data[0]
   }
 
-  async createTemplate() {
+  async _createTemplate() {
     try {
       return this._handleResponse(await this._request(CREATE_MUTATION, { input: this._applicationTemplate }))
     } catch (e) {
@@ -115,7 +277,7 @@ class UCLService extends cds.Service {
     }
   }
 
-  async updateTemplate(template) {
+  async _updateTemplate(template) {
     try {
       const input = { ...this._applicationTemplate }
       delete input.labels
@@ -127,103 +289,9 @@ class UCLService extends cds.Service {
     }
   }
 
-  async deleteTemplate() {
-    const template = await this.readTemplate()
+  async _deleteTemplate() {
+    const template = await this._readTemplate()
     if (!template) return
     return this._handleResponse(await this._request(DELETE_MUTATION, { id: template.id }))
   }
 }
-
-const READ_QUERY = `
-  query ($key: String!, $value: String!) {
-    applicationTemplates(filter: { key: $key, query: $value }) {
-      data {
-        id
-        name
-        description
-        placeholders {
-          name
-          description
-        }
-        applicationInput
-        labels
-        webhooks {
-          type
-        }
-      }
-    }
-  }`
-
-const CREATE_MUTATION = `
-  mutation ($input: ApplicationTemplateInput!) {
-    result: createApplicationTemplate (
-      in: $input
-    ) {
-      id
-      name
-      labels
-      applicationInput
-      applicationNamespace
-    }
-  }`
-
-const UPDATE_MUTATION = `
-  mutation ($id: ID!, $input: ApplicationTemplateUpdateInput!) {
-    result: updateApplicationTemplate(
-      id: $id
-      in: $input
-    ) {
-      id
-      name
-      labels
-      description
-      applicationInput
-    }
-  }`
-
-const DELETE_MUTATION = `
-  mutation ($id: ID!) {
-    result: deleteApplicationTemplate(
-      id: $id
-    ) {
-      id
-      name
-      description
-    }
-  }`
-
-const _getApplicationTemplate = options => {
-  let applicationTemplate = {
-    applicationInput: {
-      providerName: 'SAP',
-      localTenantID: '{{tenant-id}}',
-      labels: {
-        displayName: '{{subdomain}}'
-      }
-    },
-    labels: {
-      managed_app_provisioning: true,
-      xsappname: '${xsappname}'
-    },
-    placeholders: [
-      { name: 'subdomain', description: 'The subdomain of the consumer tenant' },
-      {
-        name: 'tenant-id',
-        description: "The tenant id as it's known in the product's domain",
-        jsonPath: '$.subscribedTenantId'
-      }
-    ],
-    accessLevel: 'GLOBAL'
-  }
-  applicationTemplate = cds.utils.merge(applicationTemplate, options.applicationTemplate)
-
-  const pkg = require(cds.root + '/package')
-  if (!applicationTemplate.name) applicationTemplate.name = pkg.name
-  if (!applicationTemplate.applicationInput.name) applicationTemplate.applicationInput.name = pkg.name
-  if (applicationTemplate.labels.xsappname === '${xsappname}')
-    applicationTemplate.labels.xsappname = options.credentials.xsappname
-
-  return applicationTemplate
-}
-
-module.exports = UCLService

package/libx/_runtime/ucl/queries.js

@@ -0,0 +1,61 @@
+const READ_QUERY = /* GraphQL */ `
+  query ($key: String!, $value: String!) {
+    applicationTemplates(filter: { key: $key, query: $value }) {
+      data {
+        id
+        name
+        description
+        placeholders {
+          name
+          description
+        }
+        applicationInput
+        labels
+        webhooks {
+          type
+        }
+      }
+    }
+  }
+`
+
+const CREATE_MUTATION = /* GraphQL */ `
+  mutation ($input: ApplicationTemplateInput!) {
+    result: createApplicationTemplate(in: $input) {
+      id
+      name
+      labels
+      applicationInput
+      applicationNamespace
+    }
+  }
+`
+
+const UPDATE_MUTATION = /* GraphQL */ `
+  mutation ($id: ID!, $input: ApplicationTemplateUpdateInput!) {
+    result: updateApplicationTemplate(id: $id, in: $input) {
+      id
+      name
+      labels
+      description
+      applicationInput
+    }
+  }
+`
+
+const DELETE_MUTATION = /* GraphQL */ `
+  mutation ($id: ID!) {
+    result: deleteApplicationTemplate(id: $id) {
+      id
+      name
+      description
+    }
+  }
+`
+
+module.exports = {
+  READ_QUERY,
+  CREATE_MUTATION,
+  UPDATE_MUTATION,
+  DELETE_MUTATION
+}

package/libx/odata/ODataAdapter.js

@@ -21,9 +21,6 @@ const error4 = require('./middleware/error')
 
 const { isStream } = require('./utils')
 
-// REVISIT: copied from lib/req/request.js
-const Http2Crud = { POST: 'CREATE', GET: 'READ', PUT: 'UPDATE', PATCH: 'UPDATE', DELETE: 'DELETE' }
-
 module.exports = class ODataAdapter extends HttpAdapter {
   request4(args) {
     return new ODataRequest(args)
@@ -105,7 +102,7 @@ module.exports = class ODataAdapter extends HttpAdapter {
 
     if (req._subrequest) {
       //> req._subrequest is set for batch subrequests
-      LOG._info && LOG.info('>', Http2Crud[req.method], req.path, Object.keys(req.query).length ? { ...req.query } : '')
+      LOG._info && LOG.info('>', req.method, req.path, Object.keys(req.query).length ? { ...req.query } : '')
     } else {
       super.log(req)
     }

package/libx/odata/index.js

@@ -3,8 +3,8 @@
 const cds = require('../..')
 const { decodeURIComponent } = cds.utils
 
-const odata2cqn = require('./parse/parser').parse
-const cqn2odata = require('./parse/cqn2odata')
+const { parse: odata2cqn } = require('./parse/parser')
+const { cqn2odata } = require('./parse/cqn2odata')
 
 const afterburner = require('./parse/afterburner')
 const { getSafeNumber: safeNumber, skipToken } = require('./utils')
@@ -95,14 +95,6 @@ module.exports = {
 
     url = decodeURIComponent(url)
 
-    // REVISIT: compat for bad url in mtxs tests (cf. #957)
-    if (url.match(/\?\?/)) {
-      const split = url.split('?')
-      url = split.shift() + '?'
-      while (split[0] === '') split.shift()
-      url += split.join('?')
-    }
-
     options = options === 'strict' ? { strict } : options.strict ? { ...options, strict } : options
     if (options.service?.model) Object.assign(options, { minimal: true, afterburner })
     options.safeNumber = safeNumber

package/libx/odata/middleware/error.js

@@ -36,7 +36,13 @@ exports.getSapMessages = (messages, req) => {
 
 const { i18n } = require('../../../lib')
 const ODATA_PROPERTIES = { code: 1, message: 1, target: 1, details: 1, innererror: 1 }
-const SAP_MSG_PROPERTIES = { ...ODATA_PROPERTIES, longtextUrl: 2, transition: 2, numericSeverity: 2 }
+const SAP_MSG_PROPERTIES = {
+  ...ODATA_PROPERTIES,
+  longtextUrl: 2,
+  transition: 2,
+  numericSeverity: 2,
+  additionalTargets: 2
+}
 const BAD_REQUESTS = { ENTITY_ALREADY_EXISTS: 1, FK_CONSTRAINT_VIOLATION: 2, UNIQUE_CONSTRAINT_VIOLATION: 3 }
 
 // prettier-ignore
@@ -64,6 +70,7 @@ const _normalize = (err, req, keep,
     if (keep) for (let k in this) if (k in keep || k[0] === '@') that[k] = this[k]
     if (req._is_odata && keep !== SAP_MSG_PROPERTIES) {
       that['@Common.numericSeverity'] ??= err.numericSeverity || 4
+      if (this.additionalTargets) that['@Common.additionalTargets'] ??= this.additionalTargets
       if (content_id) that['@Core.ContentID'] = content_id
     }
     if (locale) that.message = _message4 (err, key, locale)

package/libx/odata/middleware/stream.js

@@ -19,7 +19,7 @@ const _resolveContentProperty = (target, annotName, resolvedProp) => {
       `"${annotName}" in entity "${target.name}" points to property "${resolvedProp}" which was renamed or is not part of the projection. You must update the annotation value.`
     )
   // REVISIT: do not allow renaming of content type property. always rely on compiler resolving.
-  const mapping = cds.ql.resolve.transitions({ _target: target }, cds.db).mapping
+  const mapping = cds.db.resolve.transitions({ _target: target }).mapping
   const key = [...mapping.entries()].find(({ 1: val }) => val.ref[0] === resolvedProp)
   return key?.length && key[0]
 }

package/libx/odata/middleware/update.js

@@ -53,13 +53,23 @@ module.exports = adapter => {
 
     // REVISIT: patch on collection is allowed in odata 4.01
     if (!one) {
-      throw Object.assign(new Error(`Method ${req.method} is not allowed for entity collections`), { statusCode: 405 })
+      if (req.method === 'PATCH')
+        throw cds.error(`Method ${req.method} is not allowed for entity collections`, { status: 405 })
+      const entity = service.model?.definitions[req._query._subject.ref[0]]
+      const keys = {},
+        data = req.body || {}
+      for (let k in entity.keys)
+        keys[k] =
+          data[k] ||
+          (entity.keys[k]['@cds.on.insert']?.['='] === '$user' && cds.context?.user?.id) ||
+          cds.error(`All keys must be provided for ${req.method} on entity collections`, { status: 405 })
+      from.ref[0] = { id: from.ref[0], where: cds.ql.predicate(keys) }
     }
 
     const _isStream = isStream(req._query)
 
     if (_propertyAccess && req.method === 'PATCH' && !_isStream) {
-      throw Object.assign(new Error(`Method ${req.method} is not allowed for properties`), { statusCode: 405 })
+      throw new cds.error(`Method ${req.method} is not allowed for properties`, { status: 405 })
     }
 
     const model = cds.context.model ?? service.model