@sap/eslint-plugin-cds 2.3.5 → 2.4.1

package/CHANGELOG.md

@@ -6,6 +6,25 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## [2.4.1] - 2022-06-17
+
+- Added authorization rules 'auth-*'.
+
+### Changed
+
+- Node.js 14 is now the minimum required Node.js version.  Version 12 is no longer supported.
+
+
+## [2.4.0] - 2022-04-14
+
+### Added
+
+- Rule report recycling ensures that rules are created/run only once for the root model
+### Changed
+
+- Rule `no-dollar-prefixed-names` no longer acts on compiler warning messages
+
+### Changed
 ## [2.3.5] - 2022-04-05
 
 ### Changed

package/lib/processor.js

@@ -31,7 +31,7 @@ module.exports = {
     messages.forEach(fileMessages => {
       const fileMessagesSanitized = [];
       fileMessages.forEach(r => {
-        if (r.message.startsWith(`CompilationError:`)) {
+        if (r && r.message && r.message.startsWith(`CompilationError:`)) {
           r.message = r.message.replace(`CompilationError: `,
             'CDS model could not be compiled!\n');
           r.ruleId = `❗${r.ruleId}`;
@@ -41,6 +41,9 @@ module.exports = {
       })
       messagesSanitized.push(fileMessagesSanitized);
     })
+    if (Cache.has("test")) {
+      Cache.clear();
+    }
     return [].concat(...messagesSanitized);
   },
   supportsAutofix: true,

package/lib/rules/auth-no-empty-restrictions.js

@@ -0,0 +1,45 @@
+const { splitEntityName } = require("../utils/ruleHelpers");
+
+const SEVERITY = "warn";
+const LABELS = ["@restrict", "@requires"];
+
+module.exports = {
+  meta: {
+    docs: {
+      description: "`@restrict` and `@requires` must not be empty",
+      category: "Model Validation",
+      recommended: true,
+      version: "2.4.1",
+    },
+    severity: SEVERITY,
+    hasSuggestions: true,
+    messages: {
+      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
+      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`,
+    },
+  },
+  create(context) {
+    return {
+      entity: check_restrictions,
+      service: check_restrictions,
+    };
+
+    function check_restrictions(e) {
+      const reports = [];
+
+      LABELS.forEach((l) => {
+        const invalid = (e[l] && typeof e[l] === "object" && e[l].length === 0) || (typeof e[l] === "string" && !e[l]);
+        if (invalid) {
+          const entityName = splitEntityName(e).entity;
+          const loc = context.cds.getLocation(entityName, e);
+          reports.push({
+            message: `No explicit restrictions provided on ${e.kind} \`${e.name}\` at \`${l}\`.`,
+            loc,
+          });
+        }
+      });
+
+      return reports.length > 0 ? reports : undefined;
+    }
+  },
+};

package/lib/rules/auth-use-requires.js

@@ -0,0 +1,38 @@
+const SEVERITY = "warn";
+
+module.exports = {
+  meta: {
+    docs: {
+      description: "Use `@requires` instead of `@restrict.to` in actions and services with unrestricted events",
+      category: "Model Validation",
+      recommended: true,
+      version: "2.4.1",
+    },
+    severity: SEVERITY,
+    hasSuggestions: true,
+    messages: {
+      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
+      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`,
+    },
+  },
+  create() {
+    return {
+      service: check_restrict,
+      action: check_restrict,
+    };
+
+    function check_restrict(e) {
+      const reports = [];
+
+      if (e && e["@restrict"] && typeof e["@restrict"] === "object") {
+        e["@restrict"].forEach((entry) => {
+          const keys = Object.keys(entry);
+          if (keys.includes("to") && keys.includes("grant") && entry.grant === "*") {
+            reports.push(`Use \`@requires\` instead of \`@restrict.to\` at ${e.kind} \`${e.name}\`.`);
+          }
+        });
+      }
+      return reports.length > 0 ? reports : undefined;
+    }
+  },
+};

package/lib/rules/auth-valid-restrict-grant.js

@@ -0,0 +1,68 @@
+const { validateObject, validateString } = require("../utils/ruleHelpers");
+
+const DEFAULT_SEVERITY = "error";
+const REPLACE_AS_WRITE_EVENTS = ["READ", "CREATE", "UPDATE", "DELETE"];
+const VALID_EVENTS = REPLACE_AS_WRITE_EVENTS.concat(["INSERT", "UPSERT", "WRITE", "*"]);
+
+module.exports = {
+  meta: {
+    docs: {
+      description: '`@restrict.grant` must have valid values',
+      category: "Model Validation",
+      recommended: true,
+      version: "2.4.1",
+    },
+    severity: DEFAULT_SEVERITY,
+    hasSuggestions: true,
+    messages: {
+      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
+      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`,
+    },
+  },
+  create(context) {
+    return {
+      entity: check_restrict_grant,
+      //service: check_hierarchy_action
+    };
+
+    function check_restrict_grant(e) {
+      const reports = [];
+
+      if (e["@restrict"]) {
+        const actions = e.actions;
+        const actionNames = actions ? Object.keys(actions).map((s) => actions[s].name) : [];
+        const validEventsAndActions = VALID_EVENTS.concat(actionNames);
+        for (const entry of e["@restrict"]) {
+          const grantValues = entry.grant;
+          if (Object.keys(entry).includes('grant')) {
+            switch (typeof grantValues) {
+              case "string": {
+                validateString(
+                  reports,
+                  context,
+                  e,
+                  { key: "grant", name: "event/action" },
+                  grantValues,
+                  validEventsAndActions
+                );
+                break;
+              }
+              case "object":
+                validateObject(
+                  reports,
+                  context,
+                  e,
+                  { key: "grant", name: "events/actions" },
+                  grantValues,
+                  validEventsAndActions
+                );
+                break;
+            }
+          }
+        }
+      }
+
+      return reports.length > 0 ? reports : undefined;
+    }
+  },
+};

package/lib/rules/auth-valid-restrict-keys.js

@@ -0,0 +1,37 @@
+const { suggestItems } = require("../utils/ruleHelpers");
+
+const DEFAULT_SEVERITY = "error";
+
+module.exports = {
+  meta: {
+    docs: {
+      description: '`@restrict` must have properly spelled `to`, `grant`, and `where` keys',
+      category: "Model Validation",
+      recommended: true,
+      version: "2.4.1",
+    },
+    severity: DEFAULT_SEVERITY,
+    hasSuggestions: true,
+    messages: {
+      InvalidItem: `Misspelled key '{{invalid}}'. Did you mean '{{candidates}}'?`,
+      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`,
+    },
+  },
+  create(context) {
+    return {
+      entity: check_restrict_keys,
+    };
+
+    function check_restrict_keys(e) {
+      const reports = [];
+
+      const validRestrictKeys = ["grant", "to", "where"];
+      if (e["@restrict"]) {
+        for (const entry of e["@restrict"]) {
+          suggestItems(reports, context, Object.keys(entry), validRestrictKeys, DEFAULT_SEVERITY);
+        }
+      }
+      return reports.length > 0 ? reports : undefined;
+    }
+  },
+};

package/lib/rules/auth-valid-restrict-to.js

@@ -0,0 +1,86 @@
+const { splitEntityName, validateObject, validateString } = require("../utils/ruleHelpers");
+
+const VALID_PSEUDO_ROLES = ["authenticated-user", "system-user", "any"];
+
+module.exports = {
+  meta: {
+    docs: {
+      description: '`@restrict.to` must have valid values',
+      category: "Model Validation",
+      recommended: true,
+      version: "2.4.1",
+    },
+    severity: "warn",
+    hasSuggestions: true,
+    messages: {
+      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
+      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`,
+    },
+  },
+  create(context) {
+    const { model } = context.cds;
+
+    return {
+      entity: check_restrict_to,
+    };
+
+    function check_restrict_to(e) {
+      const reports = [];
+
+      const USER_ROLES = [];
+      model.foreach('entity', e => {
+        if (e["@restrict"]) {
+          e["@restrict"].forEach(p => {
+            if (p.to) {
+              switch (typeof p.to) {
+                case "string":
+                  if (p.to !== p.to.toLowerCase() && !USER_ROLES.includes(p.to)) {
+                    USER_ROLES.push(p.to);
+                  }
+                  break;
+                case "object":
+                  for (const r in p.to) {
+                    if (r !== r.toLowerCase() && !USER_ROLES.includes(r)) {
+                      USER_ROLES.push(r);
+                    } 
+                  }
+              }
+            }
+          })
+        }
+      });  
+      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES);
+
+      if (e["@restrict"]) {
+        const { prefix } = splitEntityName(e);
+        const prefixSplit = prefix.split(".");
+        const serviceName = prefixSplit[prefixSplit.length - 1];
+        let services = model.services;
+
+        // For hierachies, check whether service restriction exists
+        let grantAllTo;
+        Object.values(services).map((s) => {
+          if (s.name === serviceName && s['@requires']) {
+            grantAllTo = s['@requires'];
+          }
+        });
+
+        for (const entry of e["@restrict"]) {
+          if (Object.keys(entry).includes('to')) {
+            switch (typeof entry.to) {
+              case "string": {
+                const isPseudoRole = entry.to && (entry.to === entry.to.toLowerCase());
+                validateString(reports, context, e, {key: 'to', name: 'role'}, entry.to, ROLES, isPseudoRole);
+                break;
+              }
+              case "object":
+                validateObject(reports, context, e, {key: 'to', name: 'roles'}, entry.to, ROLES);
+                break;
+            }
+          }
+        }
+      }
+      return reports.length > 0 ? reports : undefined;
+    }
+  },
+};

package/lib/rules/auth-valid-restrict-where.js

@@ -0,0 +1,80 @@
+const { splitEntityName, validateObject, validateString } = require("../utils/ruleHelpers");
+
+const VALID_PSEUDO_ROLES = ["authenticated-user", "system-user", "any"];
+
+module.exports = {
+  meta: {
+    docs: {
+      description: '`@restrict.where` must have valid values',
+      category: "Model Validation",
+      recommended: true,
+      version: "2.4.1",
+    },
+    severity: "error",
+    hasSuggestions: true,
+    messages: {
+      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
+      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`,
+    },
+  },
+  create(context) {
+    const { model } = context.cds;
+
+    return {
+      entity: check_restrict_grant,
+    };
+
+    function check_restrict_grant(e) {
+      const reports = [];
+
+      const USER_ROLES = [];
+      model.foreach("entity", (e) => {
+        if (e["@restrict"]) {
+          e["@restrict"].forEach((p) => {
+            if (p.to) {
+              switch (typeof p.to) {
+                case "string":
+                  if (p.to !== p.to.toLowerCase() && !USER_ROLES.includes(p.to)) {
+                    USER_ROLES.push(p.to);
+                  }
+                  break;
+                case "object":
+                  for (const r in p.to) {
+                    if (r !== r.toLowerCase() && !USER_ROLES.includes(r)) {
+                      USER_ROLES.push(r);
+                    }
+                  }
+              }
+            }
+          });
+        }
+      });
+      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES);
+
+      if (e["@restrict"]) {
+        for (const entry of e["@restrict"]) {
+          const whereValues = entry.where;
+          if (whereValues && typeof whereValues === "string") {
+            let cxn;
+            try {
+              cxn = context.cds.parse.expr(entry.where);
+            } catch (err) {
+              reports.push(`Invalid \`where\` expression, CDS compilation failed.`);
+            }
+            if (cxn && cxn.xpr) {
+              const operator = cxn.xpr[1];
+              const role = cxn.xpr[2].ref;
+              if (operator === "=") {
+                const isValidRole = (role == '$user') || ROLES.includes(role);
+                if (!isValidRole) {
+                  reports.push(`Invalid \`where\` expression, role \`${role}\` not found.`);
+                }
+              }
+            }
+          }
+        }
+      }
+      return reports.length > 0 ? reports : undefined;
+    }
+  },
+};

package/lib/rules/no-db-keywords.js

@@ -1,5 +1,3 @@
-// TODO: TEST API
-//module.exports = require("../../api").createRule({ // TODO: eliminate that and allow std eslint style module.export = { ...
 module.exports = {
   meta: {
     docs: {

package/lib/rules/no-dollar-prefixed-names.js

@@ -1,5 +1,3 @@
-const { isVSCodeEditor } = require("../utils/helpers");
-
 module.exports = {
   meta: {
     docs: {
@@ -14,36 +12,10 @@ module.exports = {
     return { element: _check };
 
     function _check(d) {
-
       // Do not blame in case of external services
       let srv = d._service || (d.parent && d.parent._service);
       if (srv && srv["@cds.external"]) return;
-
-      const results = [];
-      for (const m in context.cds.model.messages) {
-        const msg = context.cds.model.messages[m];
-        if (msg.messageId === "syntax-dollar-ident" && !isVSCodeEditor()) {
-          results.push({
-            message: msg.message,
-            loc: {
-              start: { line: msg.location.line, column: msg.location.col - 1 },
-              end: {
-                line: msg.location.endLine,
-                column: !msg.location.endCol
-                          ? context.sourcecode.lines[msg.location.line - 1].length 
-                          : msg.location.endCol - 1,
-              },
-            },
-            file: msg.location.file,
-          });
-        }
-      }
-
-      if (d.name.startsWith("$")) {
-        // Do blame
-        results.push(`“${d.name}” is prefixed with a dollar sign ($)`);
-      }
-      return results.length > 0 ? results : undefined;
+      return d.name.startsWith("$") ? [`“${d.name}” is prefixed with a dollar sign ($)`] : undefined;
     }
   },
 };

package/lib/rules/start-elements-lowercase.js

@@ -29,9 +29,9 @@ module.exports = {
             if (e.$location && e.$location.file) {
               const file = e.$location.file;
               const loc = cds.getLocation(elementName, e);
-              const fix = (fixer) => {
+              const fix = (fixer, source = sourcecode) => {
                 const elementNameSanitized = elementName.charAt(0).toLowerCase() + elementName.slice(1);
-                const rangeEnd = sourcecode.getIndexFromLoc({
+                const rangeEnd = source.getIndexFromLoc({
                   line: loc.end.line,
                   column: loc.end.column,
                 });

package/lib/rules/start-entities-uppercase.js

@@ -27,9 +27,9 @@ module.exports = {
         if (e.$location && e.$location.file) {
           const file = e.$location.file;
           const loc = cds.getLocation(entityName, e);
-          const fix = (fixer) => {
+          const fix = (fixer, source = sourcecode) => {
             const entityNameSanitized = entityName.charAt(0).toUpperCase() + entityName.slice(1);
-            const rangeEnd = sourcecode.getIndexFromLoc({
+            const rangeEnd = source.getIndexFromLoc({
               line: loc.end.line,
               column: loc.end.column,
             });

package/lib/utils/fuzzySearch.js

@@ -11,7 +11,7 @@
 const cache = {};
 
 
-module.exports = (input, list, log) => {
+module.exports = (input, list, log, keepCase=false) => {
   let minDistWords = [];
 
   if (input.length > 50 || list.length > 50) {
@@ -25,8 +25,15 @@ module.exports = (input, list, log) => {
   let runtime = 0;
 
   for (const word of list) {
+
+
     const start = log && Date.now();
-    const levDist = levDistance(input, word);
+    let levDist;
+    if (word === word.toUpperCase() && !keepCase) {
+      levDist = levDistance(input.toUpperCase(), word);
+    } else {
+      levDist = levDistance(input, word);
+    }
 
     if (log) {
       const duration = Date.now() - start;

package/lib/utils/helpers.js

@@ -44,4 +44,51 @@ module.exports = {
     return FILES;
   },
 
+  /**
+* Attempts to extract JSON from a text by looking for the longst substring
+* enclosed by braces or brackets. Input string can therefore either contain
+* a JSON object enclosed by braces, or a JSON array enclosed by brackets.
+* No semantic parsing is done whatsoever (aside from the final JSON.parse)
+* so if the input string is not sane, you will only notice from the
+* final parse step failing.
+* @param text text from which to extract JSON.
+* @param index the start index of the first opening "{" or "[" within text.
+* @returns a parsed JSON object or an empty object if not called with proper parameters.
+* @throws Errors when JSON contained within string is not valid.
+*/
+extractJSON: function(text, index) {
+  const [opening, closing] = {
+    "{": ["{", "}"],
+    "[": ["[", "]"],
+  }[text[index]] || [undefined, undefined];
+
+  // neither "[" nor "{" at beginning -> fail fast
+  if (opening === undefined) return {};
+
+  // we expect caller to call with an index of the first opening brace.
+  // So add that brace and increment index at start.
+  index++;
+  let result = opening;
+  let open = 1;
+  while (open > 0 && index < text.length) {
+    const char = text[index];
+    if (char === closing) {
+      open--;
+    } else if (char === opening) {
+      open++;
+    }
+
+    result += char;
+    index++;
+  }
+
+  if (open !== 0) {
+    throw new Error(
+      "text does not contain proper JSON (unmatched opening or closing brace)"
+    );
+  }
+
+  return JSON.parse(result);
+}
+
 };

package/lib/utils/model.js

@@ -2,6 +2,7 @@
  * @typedef { import("eslint").AST.SourceLocation } SourceLocation
  */
 
+
 const fs = require("fs");
 const path = require("path");
 const cds = require("@sap/cds");
@@ -353,8 +354,6 @@ module.exports = {
     if (isFileInModel) {
       // Only update on detected changes
       if (dictFiles[filePath] !== code) {
-        dictFiles[filePath] = code;
-        module.exports.Cache.set(`dictfiles:${configPath}`, dictFiles);
         result = true
       }
     } else if (dictFiles[filePath] !== code) {