@sap/cds 9.6.4 → 9.7.1

package/lib/srv/protocols/http.js

@@ -51,7 +51,7 @@ class HttpAdapter {
       const user = cds.context.user
       if (required.some(role => user.has(role))) return next()
       else if (user._is_anonymous) return next(401) // request login
-      else throw Object.assign(new Error, { code: 403, reason: `User '${user.id}' is lacking required roles: [${required}]`, user, required })
+      else throw Object.assign(new Error, { code: 403, reason: `User '${user.id}' is lacking required roles: [${required}]` })
     }
   }
 

package/lib/srv/protocols/index.js

@@ -98,6 +98,7 @@ class Protocols {
    */
   endpoints4 (srv, o = srv.options) {
     const def = srv.definition || {}
+    if (def.kind !== 'service') return [] //> no endpoints, e.g. for cds.db
 
     // get @protocol annotations from service definition
     let annos = o?.to || def['@protocol']

package/lib/utils/cds-utils.js

@@ -332,13 +332,40 @@ exports.redacted = function _redacted(cred) {
   if (Array.isArray(cred)) return cred.map(c => typeof c === 'string' ? '...' : _redacted(c))
   if (typeof cred === 'object') {
     const newCred = Object.assign({}, cred)
-    Object.keys(newCred).forEach(k => (typeof newCred[k] === 'string' && SECRETS.test(k)) ? (newCred[k] = '...') : (newCred[k] = _redacted(newCred[k])))
+    Object.keys(newCred).forEach(k => {
+      if (typeof newCred[k] === 'string' && SECRETS.test(k)) {
+        newCred[k] = '...'
+      } else if (k === 'uri' && typeof newCred[k] === 'string') {
+        // redact secrets in URIs, e.g., s3://access_key_id:secret_access_key@...
+        newCred[k] = newCred[k].replace(/\/\/(.*?):(.*?)@/g, '//...:...@')
+      } else {
+        newCred[k] = _redacted(newCred[k])
+      }
+    })
     return newCred
   }
   return cred
 }
 
 
+/**
+ * A variant of child_process.exec that returns a promise, 
+ * which resolves with the command's stdout split into lines.
+ * @example
+ * await cds.utils.sh `npm ls -lp --depth=0`
+ * @param {string|TemplateStringsArray} cmd - the command to execute, may be a tagged template
+ * @returns {string[]} array of stdout lines
+ */
+exports.sh = function shell (cmd,..._) {
+  if (cmd.raw) cmd = String.raw (cmd,..._) // the cmd may be a tagged template
+  let debug = shell.debug ??= cds.debug('shell'); debug?.(cmd)
+  let exec = shell.exec ??= require('node:child_process').exec
+  return new Promise ((resolve, reject) => exec (cmd, (e, stdout, stderr) => {
+    if (e) reject (Object.assign (e, { stdout, stderr }))
+    else resolve (stdout?.trim().split('\n'))
+  }))
+}
+
 /**
  * Converts a time span with a unit into milliseconds. @example
  * ms4(5,'s') //> 5000

package/lib/utils/colors.js

@@ -3,7 +3,7 @@ module.exports = Object.assign (_colors4 (process.stdout), {
 })
 
 function _colors4 (stdout_or_stderr = process.stdout) {
-  const enabled = stdout_or_stderr.isTTY && !process.env.NO_COLOR || process.env.FORCE_COLOR
+  const enabled = (process.env.GITHUB_ACTIONS || stdout_or_stderr.isTTY) && !process.env.NO_COLOR || process.env.FORCE_COLOR
   const color = enabled ? ttl => ttl[0] : ()=>''
   return {
     enabled,

package/libx/_runtime/common/generic/assert.js

@@ -127,13 +127,7 @@ module.exports = cds.service.impl(async function () {
             if (failedColumns.length === 0) continue
 
             const failedAsserts = failedColumns.map(([element, message]) => {
-              const error = {
-                status: 400,
-                code: 'ASSERT',
-                target: element,
-                numericSeverity: 4,
-                '@Common.numericSeverity': 4
-              }
+              const error = { status: 400, code: 'ASSERT', target: element }
 
               // if error function was used in @assert expression -> use its output
               try {

package/libx/_runtime/common/generic/flows.js

@@ -1,7 +1,5 @@
 const cds = require('../../cds')
 
-const { getFrom } = require('../../../../lib/compile/for/flows')
-
 const FLOW_STATUS = '@flow.status'
 const FROM = '@from'
 const TO = '@to'
@@ -9,6 +7,11 @@ const FLOW_PREVIOUS = '$flow.previous'
 
 const $transitions_ = Symbol.for('transitions_')
 
+const getFrom = action => {
+  let from = action[FROM]
+  return Array.isArray(from) ? from : [from]
+}
+
 function isCurrentStatusInFrom(result, action, statusElementName, statusEnum) {
   const fromList = getFrom(action)
   const allowed = fromList.filter(from => {
@@ -162,10 +165,17 @@ module.exports = cds.service.impl(function () {
       entity[$transitions_] = base.compositions.transitions_
       // track changes on db level
       cds.connect.to('db').then(db => {
+        db.before('UPSERT', entity, async req => {
+          const status = req.data[statusInfo.statusElementName]
+          if (status === undefined) req._upsert_exists = await SELECT.one.from(req.subject).columns([1])
+        })
         db.after(['CREATE', 'UPDATE', 'UPSERT'], entity, async (res, req) => {
           if ((res.affectedRows ?? res) !== 1) return
-          if (!(statusInfo.statusElementName in req.data)) return
-          const status = req.data[statusInfo.statusElementName]
+          let status = req.data[statusInfo.statusElementName]
+          if (status === undefined && (req.event === 'CREATE' || (req.event === 'UPSERT' && !req._upsert_exists))) {
+            status = entity.elements[statusInfo.statusElementName]?.default?.val
+          }
+          if (!status) return
           const upKeys = await buildUpKeys(entity, req.data, req.subject)
           const last = await SELECT.one.from(entity[$transitions_].target).orderBy('timestamp desc').where(upKeys)
           if (last?.status !== status) await UPSERT.into(entity[$transitions_].target).entries({ ...upKeys, status })

package/libx/_runtime/common/utils/resolveView.js

@@ -639,6 +639,10 @@ const _entityTransitionsForTarget = (from, model, service, options) => {
     )
   }
 
+  if (typeof from === 'object' && from.SELECT) {
+    return _entityTransitionsForTarget(from.SELECT.from, model, service, options)
+  }
+
   return from.ref.map((f, i) => {
     const element = f.id || f
     if (element === options.alias) return

package/libx/_runtime/fiori/lean-draft.js

@@ -463,12 +463,13 @@ const compileUpdatedDraftMessages = (newMessages, persistedMessages, requestData
     if (!message.target) return acc //> silently ignore messages without target
 
     message.numericSeverity ??= message['@Common.numericSeverity'] ?? 4
+    delete message['@Common.numericSeverity']
     if (message['@Common.additionalTargets']) message.additionalTargets ??= message['@Common.additionalTargets']
-    message.additionalTargets = message.additionalTargets?.map(t => (t.startsWith('in/') ? t.slice(3) : t))
+    message.additionalTargets = message.additionalTargets?.map(t => t.replace(/^in\//, ''))
     delete message['@Common.additionalTargets']
 
     // Remove prefix 'in/' in favor of fully qualified path to the target
-    const messageTarget = message.target.startsWith('in/') ? message.target.slice(3) : message.target
+    const messageTarget = message.target.replace(/^in\//, '')
     if (message.code) delete message.code // > Expect _only_ message to be set and contain the code
 
     // Process the message target produced by validation
@@ -966,8 +967,12 @@ const draftHandle = async function (req) {
 
     if (IS_PERSISTED_DRAFT_MESSAGES_ENABLED) {
       _req.on('failed', async error => {
+        if (!error && !_req.errors?.length) {
+          LOG.debug('Draft activation failed without error information: Skip update of DraftMessages.')
+          return
+        }
         const errors = []
-        if (_req.errors) {
+        if (_req.errors?.length) {
           // REVISIT: e._message hack for draft validation messages
           // Errors procesed during 'failed' will have undergone error._normalize at this point
           // > We need to revert the code - message swap _normalize includes

package/libx/_runtime/messaging/common-utils/authorizedRequest.js

@@ -4,6 +4,10 @@ const cds = require('../../cds')
 const LOG = cds.log('http-messaging') // not public
 
 const authorizedRequest = ({ method, uri, path, oa2, tenant, dataObj, headers, tokenStore }) => {
+  if (tenant) {
+    if (!tokenStore[tenant]) tokenStore[tenant] = {}
+    tokenStore = tokenStore[tenant]
+  }
   return new Promise((resolve, reject) => {
     if (LOG._debug) LOG.debug({ method, uri, path, oa2, tenant, dataObj, headers, tokenStore })
     ;((tokenStore.token && Promise.resolve(tokenStore.token)) || requestToken(oa2, tenant, tokenStore))

package/libx/_runtime/messaging/enterprise-messaging-utils/EMManagement.js

@@ -46,7 +46,7 @@ class EMManagement {
         uri: this.options.uri,
         path: `/hub/rest/api/v1/management/messaging/queues/${encodeURIComponent(queueName)}`,
         oa2: this.options.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body
     } catch (e) {
@@ -67,7 +67,7 @@ class EMManagement {
         uri: this.options.uri,
         path: `/hub/rest/api/v1/management/messaging/queues`,
         oa2: this.options.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body
     } catch (e) {
@@ -96,7 +96,7 @@ class EMManagement {
         path: `/hub/rest/api/v1/management/messaging/queues/${encodeURIComponent(queueName)}`,
         oa2: this.options.oa2,
         dataObj: queueConfig,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       if (res.statusCode === 201) return true
     } catch (e) {
@@ -121,7 +121,7 @@ class EMManagement {
         uri: this.options.uri,
         path: `/hub/rest/api/v1/management/messaging/queues/${encodeURIComponent(queueName)}`,
         oa2: this.options.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(`Queue "${queueName}" could not be deleted ${this.subdomainInfo}`)
@@ -146,7 +146,7 @@ class EMManagement {
         path: `/hub/rest/api/v1/management/messaging/queues/${encodeURIComponent(queueName)}/subscriptions`,
         oa2: this.options.oa2,
         target: { kind: 'SUBSCRIPTION', queue: queueName },
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body
     } catch (e) {
@@ -175,7 +175,7 @@ class EMManagement {
           queueName
         )}/subscriptions/${encodeURIComponent(topicPattern)}`,
         oa2: this.options.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       if (res.statusCode === 201) return true
     } catch (e) {
@@ -206,7 +206,7 @@ class EMManagement {
           queueName
         )}/subscriptions/${encodeURIComponent(topicPattern)}`,
         oa2: this.options.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(
@@ -235,7 +235,7 @@ class EMManagement {
         uri: this.optionsMessagingREST.uri,
         path: `/messagingrest/v1/subscriptions/${encodeURIComponent(webhookName)}`,
         oa2: this.optionsMessagingREST.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body
     } catch (e) {
@@ -263,7 +263,7 @@ class EMManagement {
         uri: this.optionsMessagingREST.uri,
         path: `/messagingrest/v1/subscriptions/${encodeURIComponent(webhookName)}`,
         oa2: this.optionsMessagingREST.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(`Webhook "${webhookName}" could not be deleted ${this.subdomainInfo}`)
@@ -331,7 +331,7 @@ class EMManagement {
         path: '/messagingrest/v1/subscriptions',
         oa2: this.optionsMessagingREST.oa2,
         dataObj,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       if (res.statusCode === 201) return true
     } catch (e) {
@@ -360,7 +360,7 @@ class EMManagement {
         uri: this.optionsMessagingREST.uri,
         path: `/messagingrest/v1/subscriptions/${encodeURIComponent(webhookName)}`,
         oa2: this.optionsMessagingREST.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(`Webhook "${webhookName}" could not be deleted ${this.subdomainInfo}`)
@@ -420,7 +420,7 @@ class EMManagement {
         uri: this.options.uri,
         path: `/hub/rest/api/v1/management/messaging/readinessCheck`,
         oa2: this.options.oa2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(`Readiness Check failed ${this.subdomainInfo}`)

package/libx/_runtime/messaging/enterprise-messaging.js

@@ -182,7 +182,7 @@ class EnterpriseMessaging extends AMQPWebhookMessaging {
           'Content-Type': contentType,
           'x-qos': 1
         },
-        tokenStore: {}
+        tokenStore: (this._tokenStore ??= {})
       }
       if (tenant) params.tenant = tenant
       await authorizedRequest(params)

package/libx/_runtime/messaging/http-utils/token.js

@@ -7,8 +7,8 @@ const _errorObj = result => {
   return errorObj
 }
 
-const requestToken = ({ client, secret, endpoint, mTLS }, tenant, tokenStore) =>
-  new Promise((resolve, reject) => {
+const requestToken = ({ client, secret, endpoint, mTLS }, tenant, tokenStore) => {
+  const promise = new Promise((resolve, reject) => {
     const options = {
       host: endpoint.replace('/oauth/token', '').replace('https://', ''),
       headers: {}
@@ -44,7 +44,18 @@ const requestToken = ({ client, secret, endpoint, mTLS }, tenant, tokenStore) =>
             reject(_errorObj(result))
             return
           }
-          // store token on tokenStore
+          // set timeout to delete token from cache 5 minutes (300 seconds) before it expires
+          const expiresIn = json.expires_in || 3600
+          const timeout = Math.max(0, (expiresIn - 300) * 1000)
+          if (tokenStore.expirationTimeout) clearTimeout(tokenStore.expirationTimeout)
+          tokenStore.expires_in = json.expires_in
+          tokenStore.expirationTimeout = setTimeout(() => {
+            delete tokenStore.token
+            delete tokenStore.expires_in
+            delete tokenStore.expirationTimeout
+          }, timeout)
+
+          // store token value on tokenStore
           tokenStore.token = json.access_token
           resolve(json.access_token)
         } catch {
@@ -56,4 +67,8 @@ const requestToken = ({ client, secret, endpoint, mTLS }, tenant, tokenStore) =>
     req.end()
   })
 
+  tokenStore.token = promise
+  return promise
+}
+
 module.exports = requestToken

package/libx/_runtime/messaging/message-queuing.js

@@ -23,7 +23,7 @@ class MQManagement {
         path: `/v1/management/queues/${encodeURIComponent(queueName)}`,
         oa2: this.options.auth.oauth2,
         target: { kind: 'QUEUE', queue: queueName },
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body
     } catch (e) {
@@ -45,7 +45,7 @@ class MQManagement {
         path: `/v1/management/queues`,
         oa2: this.options.auth.oauth2,
         target: { kind: 'QUEUE' },
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body && res.body.results
     } catch (e) {
@@ -70,7 +70,7 @@ class MQManagement {
         path: `/v1/management/queues/${encodeURIComponent(queueName)}`,
         oa2: this.options.auth.oauth2,
         dataObj: queueConfig,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       if (res.statusCode === 201) return true
     } catch (e) {
@@ -91,7 +91,7 @@ class MQManagement {
         uri: this.options.url,
         path: `/v1/management/queues/${encodeURIComponent(queueName)}`,
         oa2: this.options.auth.oauth2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(`Queue "${queueName}" could not be deleted`)
@@ -111,7 +111,7 @@ class MQManagement {
         uri: this.options.url,
         path: `/v1/management/queues/${encodeURIComponent(queueName)}/subscriptions/topics`,
         oa2: this.options.auth.oauth2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       return res.body
     } catch (e) {
@@ -134,7 +134,7 @@ class MQManagement {
           topicPattern
         )}`,
         oa2: this.options.auth.oauth2,
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
       if (res.statusCode === 201) return true
     } catch (e) {
@@ -159,7 +159,7 @@ class MQManagement {
         oa2: this.options.auth.oauth2,
 
         target: { kind: 'SUBSCRIPTION', queue: queueName, topic: topicPattern },
-        tokenStore: this
+        tokenStore: (this._tokenStore ??= {})
       })
     } catch (e) {
       const error = new Error(`Subscription "${topicPattern}" could not be deleted from queue "${queueName}"`)

package/libx/_runtime/remote/Service.js

@@ -45,7 +45,7 @@ const _buildPartialUrlFunctions = (url, data, params, kind = 'odata-v4') => {
     : `${url}(${funcParams.join(',')})?${queryOptions.join('&')}`
 }
 
-const _extractParamsFromData = (data, params = {}) => {
+const _extractParamsFromData = (data = {}, params = {}) => {
   return Object.keys(data).reduce((res, el) => {
     if (params[el]) Object.assign(res, { [el]: data[el] })
     return res
@@ -142,7 +142,16 @@ const _addHandlerActionFunction = (srv, def, target) => {
     srv.on(event, target, async function (req) {
       const shortEntityName = req.target.name.replace(`${this.definition.name}.`, '')
       if (this.kind === 'odata-v2') return _handleV2BoundActionFunction(srv, def, req, event, this.kind)
-      const url = `/${shortEntityName}(${_buildKeys(req, this.kind).join(',')})/${this.definition.name}.${event}`
+
+      const action = req.target.actions[req.event]
+      const onCollection = !!(
+        action['@cds.odata.bindingparameter.collection'] ||
+        (action?.params && [...action.params].some(p => p?.items?.type === '$self'))
+      )
+
+      const url = onCollection
+        ? `/${shortEntityName}/${this.definition.name}.${event}`
+        : `/${shortEntityName}(${_buildKeys(req, this.kind).join(',')})/${this.definition.name}.${event}`
       return _handleBoundActionFunction(srv, def, req, url)
     })
   } else {
@@ -260,8 +269,10 @@ class RemoteService extends cds.Service {
         returnType: req._returnType
       }
 
+      // REVISIT: use xssec's getIdToken() for full list of audiences?
+      let jwt = cds.context?.user?.authInfo?.token?.jwt
       // REVISIT: i don't believe req.context.headers is an official API
-      let jwt = req?.context?.headers?.authorization?.split(/^bearer /i)[1]
+      if (!jwt) jwt = req?.context?.headers?.authorization?.split(/^bearer /i)[1]
       if (!jwt) jwt = req?.context?.http?.req?.headers?.authorization?.split(/^bearer /i)[1]
       if (jwt) additionalOptions.jwt = jwt
 

package/libx/_runtime/remote/utils/client.js

@@ -250,6 +250,7 @@ module.exports.run = async (requestConfig, options) => {
   }
 
   const { kind, resolvedTarget, returnType } = options
+  if (kind === 'hcql') return response.data.data
   if (kind === 'odata-v4') return _purgeODataV4(response.data)
   if (kind === 'odata-v2') return _purgeODataV2(response.data, resolvedTarget, returnType)
   if (kind === 'odata') {

package/libx/_runtime/remote/utils/query.js

@@ -103,7 +103,6 @@ const KINDS_SUPPORTING_BATCH = { odata: true, 'odata-v2': true, 'odata-v4': true
 
 const _extractRequestConfig = (req, query, service) => {
   if (service.kind === 'hcql' && typeof query === 'object') return _cqnToHcqlRequestConfig(query)
-  if (service.kind === 'hcql') throw new Error('The request has no query and cannot be served by HCQL remote services!')
   if (typeof query === 'object') return _cqnToRequestConfig(query, service, req)
   if (typeof query === 'string') return _stringToRequestConfig(query, req.data, req.target)
   //> no model, no service.definition