@sap/eslint-plugin-cds 2.5.0 → 2.6.1

package/lib/rules/auth-valid-restrict-to.js

@@ -1,130 +1,134 @@
-const { isEmptyString, isStringInArray, findFuzzy, splitEntityName, isEmptyObject } = require("../utils/rules");
+const { isEmptyString, isStringInArray, findFuzzy, isEmptyObject } = require('../utils/rules')
 
-const VALID_PSEUDO_ROLES = ["authenticated-user", "system-user", "any"];
+const VALID_PSEUDO_ROLES = ['authenticated-user', 'system-user', 'any']
 
 module.exports = {
   meta: {
+    schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
-      description: "`@restrict.to` must have valid values.",
-      category: "Model Validation",
+      description: '`@restrict.to` must have valid values.',
+      category: 'Model Validation',
       recommended: true
     },
     hasSuggestions: true,
     messages: {
-      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
-      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`
+      InvalidItem: "Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?",
+      ReplaceItemWith: "Replace '{{invalid}}' with '{{candidates}}'"
     },
-    type: "problem",
-    model: "inferred"
+    type: 'problem',
+    model: 'inferred'
   },
-  create(context) {
+  create (context) {
     return {
-      entity: check_restrict_to
-    };
+      entity: checkRestrictTo
+    }
 
-    function check_restrict_to(e) {
-      const USER_ROLES = [];
-      const model = context.getModel();
+    function checkRestrictTo (e) {
+      const USER_ROLES = []
+      const model = context.getModel()
 
-      model.foreach("entity", (e) => {
-        if (e["@restrict"]) {
-          e["@restrict"].forEach((p) => {
+      model.foreach('entity', (e) => {
+        if (e['@restrict']) {
+          e['@restrict'].forEach((p) => {
             if (p.to) {
               switch (typeof p.to) {
-                case "string":
+                case 'string':
                   if (p.to !== p.to.toLowerCase() && !USER_ROLES.includes(p.to)) {
-                    USER_ROLES.push(p.to);
+                    USER_ROLES.push(p.to)
                   }
-                  break;
-                case "object":
+                  break
+                case 'object':
                   for (const r in p.to) {
                     if (r !== r.toLowerCase() && !USER_ROLES.includes(r)) {
-                      USER_ROLES.push(r);
+                      USER_ROLES.push(r)
                     }
                   }
               }
             }
-          });
+          })
         }
-      });
-      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES);
+      })
+      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES)
 
-      if (e["@restrict"]) {
-        let node = context.getNode(e);
-        let file = e.$location.file;
-        const { prefix } = splitEntityName(e);
-        const prefixSplit = prefix.split(".");
-        const serviceName = prefixSplit[prefixSplit.length - 1];
-        let services = model.services;
+      if (e['@restrict']) {
+        const node = context.getNode(e)
+        const file = e.$location.file
 
         // TODO: For hierachies, check whether service restriction exists
-        //let grantAllTo;
-        Object.values(services).map((s) => {
-          if (s.name === serviceName && s["@requires"]) {
-            //grantAllTo = s['@requires'];
-          }
-        });
+        // const { prefix } = splitDefName(e)
+        // const prefixSplit = prefix.split('.')
+        // const serviceName = prefixSplit[prefixSplit.length - 1]
+        // const services = model.services
+        // let grantAllTo;
+        // Object.values(services).map((s) => {
+        //   if (s.name === serviceName && s['@requires']) {
+        //     grantAllTo = s['@requires'];
+        //   }
+        // })
 
-        for (const entry of e["@restrict"]) {
-          if (Object.keys(entry).includes("to")) {
-            const toValue = entry.to;
+        for (const entry of e['@restrict']) {
+          if (Object.keys(entry).includes('to')) {
+            const toValue = entry.to
 
             switch (typeof toValue) {
-              case "string": {
+              case 'string': {
                 if (isEmptyString(toValue)) {
                   context.report({
                     message: `Missing role on ${e.name} for \`@restrict.to\`.`,
                     node,
                     file
-                  });
+                  })
                 } else {
-                  const isPseudoRole = entry.to && entry.to === entry.to.toLowerCase();
+                  const isPseudoRole = entry.to && entry.to === entry.to.toLowerCase()
                   if (!isStringInArray(toValue, ROLES, isPseudoRole)) {
-                    const candidates = findFuzzy(toValue, ROLES.sort());
+                    const candidates = findFuzzy(toValue, ROLES.sort())
                     context.report({
-                      messageId: "InvalidItem",
+                      messageId: 'InvalidItem',
                       data: { invalid: toValue, candidates },
                       node,
                       file
-                    });
+                    })
                   }
                 }
-                break;
+                break
               }
 
-              case "object":
+              case 'object':
                 if (isEmptyObject(toValue)) {
                   context.report({
                     message: `Missing roles on ${e.name} for \`@restrict.to\`.`,
                     node,
                     file
-                  });
+                  })
                 } else {
-                  if (toValue.includes("any")) {
+                  // If values contain 'any', 'any' only is enough
+                  if (toValue.length > 1 && toValue.includes('any')) {
                     context.report({
-                      messageId: "InvalidItem",
-                      data: { invalid: `[${toValue}]`, candidates: [`["any"]`] },
+                      messageId: 'InvalidItem',
+                      data: { invalid: `[${toValue}]`, candidates: ['["any"]'] },
                       node,
                       file
-                    });
+                    })
                   }
                   toValue.forEach((value) => {
                     if (!ROLES.includes(value)) {
-                      const candidates = findFuzzy(value, ROLES.sort());
-                      context.report({
-                        messageId: "InvalidItem",
-                        data: { invalid: value, candidates },
-                        node,
-                        file
-                      });
+                      const candidates = findFuzzy(value, ROLES.sort(), undefined, false, 2)
+                      if (candidates.length > 0) {
+                        context.report({
+                          messageId: 'InvalidItem',
+                          data: { invalid: value, candidates },
+                          node,
+                          file
+                        })
+                      }
                     }
-                  });
+                  })
                 }
-                break;
+                break
             }
           }
         }
       }
     }
   }
-};
+}

package/lib/rules/auth-valid-restrict-where.js

@@ -1,83 +1,84 @@
-const cds = require("@sap/cds");
+const cds = require('@sap/cds')
 
-const VALID_PSEUDO_ROLES = ["authenticated-user", "system-user", "any"];
+const VALID_PSEUDO_ROLES = ['authenticated-user', 'system-user', 'any']
 
 module.exports = {
   meta: {
+    schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
-      description: "`@restrict.where` must have valid values.",
-      category: "Model Validation",
+      description: '`@restrict.where` must have valid values.',
+      category: 'Model Validation',
       recommended: true
     },
-    severity: "error",
+    severity: 'error',
     hasSuggestions: true,
     messages: {
-      InvalidItem: `Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?`,
-      ReplaceItemWith: `Replace '{{invalid}}' with '{{candidates}}'`
+      InvalidItem: "Invalid item '{{invalid}}'. Did you mean '{{candidates}}'?",
+      ReplaceItemWith: "Replace '{{invalid}}' with '{{candidates}}'"
     },
-    type: "problem",
-    model: "inferred"
+    type: 'problem',
+    model: 'inferred'
   },
-  create(context) {
-    const model = context.getModel();
+  create (context) {
+    const model = context.getModel()
 
     return {
-      entity: check_restrict_grant
-    };
+      entity: checkRestrictGrant
+    }
 
-    function check_restrict_grant(e) {
-      const USER_ROLES = [];
+    function checkRestrictGrant (e) {
+      const USER_ROLES = []
 
-      model.foreach("entity", (e) => {
-        if (e["@restrict"]) {
-          e["@restrict"].forEach((p) => {
+      model.foreach('entity', (e) => {
+        if (e['@restrict']) {
+          e['@restrict'].forEach((p) => {
             if (p.to) {
               switch (typeof p.to) {
-                case "string":
+                case 'string':
                   if (p.to !== p.to.toLowerCase() && !USER_ROLES.includes(p.to)) {
-                    USER_ROLES.push(p.to);
+                    USER_ROLES.push(p.to)
                   }
-                  break;
-                case "object":
+                  break
+                case 'object':
                   for (const r in p.to) {
                     if (r !== r.toLowerCase() && !USER_ROLES.includes(r)) {
-                      USER_ROLES.push(r);
+                      USER_ROLES.push(r)
                     }
                   }
               }
             }
-          });
+          })
         }
-      });
-      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES);
+      })
+      const ROLES = USER_ROLES.concat(VALID_PSEUDO_ROLES)
 
-      if (e["@restrict"]) {
-        const node = context.getNode(e);
-        const file = e.$location.file;
-        for (const entry of e["@restrict"]) {
-          const whereValues = entry.where;
-          if (whereValues && typeof whereValues === "string") {
-            let cxn;
+      if (e['@restrict']) {
+        const node = context.getNode(e)
+        const file = e.$location.file
+        for (const entry of e['@restrict']) {
+          const whereValues = entry.where
+          if (whereValues && typeof whereValues === 'string') {
+            let cxn
             try {
-              cxn = cds.parse.expr(entry.where);
+              cxn = cds.parse.expr(entry.where)
             } catch (err) {
               context.report({
-                message: `Invalid \`where\` expression, CDS compilation failed.`,
+                message: 'Invalid `where` expression, CDS compilation failed.',
                 node,
                 file
-              });
+              })
             }
             if (cxn && cxn.xpr) {
-              const operator = cxn.xpr[1];
-              const role = cxn.xpr[2].ref;
-              if (operator === "=") {
-                const isValidRole = role == "$user" || ROLES.includes(role);
+              const operator = cxn.xpr[1]
+              const role = cxn.xpr[2].ref
+              if (operator === '=') {
+                const isValidRole = role === '$user' || ROLES.includes(role)
                 if (!isValidRole) {
                   context.report({
-                    message: `Invalid \`where\` expression, role \`${role}\` not found.`,
+                    message: `Invalid \`where\` expression, role ${role} not found.`,
                     node,
                     file
-                  });
+                  })
                 }
               }
             }
@@ -86,4 +87,4 @@ module.exports = {
       }
     }
   }
-};
+}

package/lib/rules/extension-restrictions.js

@@ -0,0 +1,69 @@
+const cds = requireMtx()
+
+const { dirname } = require('path')
+
+const rule = module.exports = {
+  meta: {
+    docs: {
+      description: 'Extensions must not violate restrictions set by the extended SaaS app.',
+      category: 'Model Validation',
+      recommended: true
+    },
+    hasSuggestions: false,
+    type: 'problem',
+    model: 'parsed'
+  },
+  mtxApi: () => {
+    if (!cds) return // no mtxs lib installed
+    if (!cds.xt?.linter) return // too old mtxs
+    return cds.xt.linter
+  },
+  create (context) {
+    if (!rule.mtxApi()) return // no mtxs lib installed
+
+    return () => {
+      const extModel = context.getModel()
+      if (!extModel) return
+
+      const base = baseModel(context)
+      if (!base) return
+
+      const file = context.getFilename()
+      const findings = rule.mtxApi().lint(extModel, base.model, base.env)
+      for (const finding of findings) {
+        context.report({
+          message: finding.message,
+          node: context.getNode(finding.element),
+          file
+        })
+      }
+    }
+  }
+}
+
+function baseModel (context) {
+  let dir = context.getFilename()
+  do {
+    dir = dirname(dir)
+    const projEnv = cds.env.for('cds', dir)
+    if (!projEnv.extends) continue
+    const files = cds.resolve(projEnv.extends, { root: dir }) // resolve local base model
+    if (files?.length) {
+      const model = cds.load(files, { sync: true })
+      // env of SaaS app is needed for extension rules
+      const env = cds.env.for('cds', dirname(files[0]))
+      return { env, model }
+    }
+  } while (dir && dir !== cds.root && dir.length > 1)
+}
+
+/** @returns { import('@sap/cds/apis/cds') } */
+function requireMtx () {
+  const cds = require('@sap/cds')
+  try {
+    const pkg = require.resolve('@sap/cds-mtxs', { paths: [cds.root, __dirname] })
+    return require(pkg)
+  } catch (e) {
+    if (e.code !== 'MODULE_NOT_FOUND') throw e
+  }
+}

package/lib/rules/index.js

@@ -1,26 +1,27 @@
-const Cache = require("../utils/Cache");
-const createRule = require("../utils/createRule");
+const Cache = require('../utils/Cache')
+const { createRule } = require('../api')
 
 const rules = {
-  "assoc2many-ambiguous-key": () => createRule(require("./assoc2many-ambiguous-key")),
-  "auth-no-empty-restrictions": () => createRule(require("./auth-no-empty-restrictions")),
-  "auth-use-requires": () => createRule(require("./auth-use-requires")),
-  "auth-valid-restrict-grant": () => createRule(require("./auth-valid-restrict-grant")),
-  "auth-valid-restrict-keys": () => createRule(require("./auth-valid-restrict-keys")),
-  "auth-valid-restrict-to": () => createRule(require("./auth-valid-restrict-to")),
-  "auth-valid-restrict-where": () => createRule(require("./auth-valid-restrict-where")),
-  "latest-cds-version": () => createRule(require("./latest-cds-version")),
-  "min-node-version": () => createRule(require("./min-node-version")),
-  "no-db-keywords": () => createRule(require("./no-db-keywords")),
-  "no-dollar-prefixed-names": () => createRule(require("./no-dollar-prefixed-names")),
-  "no-join-on-draft-enabled-entities": () => createRule(require("./no-join-on-draft-enabled-entities")),
-  "require-2many-oncond": () => createRule(require("./require-2many-oncond")),
-  "sql-cast-suggestion": () => createRule(require("./sql-cast-suggestion")),
-  "start-elements-lowercase": () => createRule(require("./start-elements-lowercase")),
-  "start-entities-uppercase": () => createRule(require("./start-entities-uppercase")),
-  "valid-csv-header": () => createRule(require("./valid-csv-header"))
-};
+  'assoc2many-ambiguous-key': () => createRule(require('./assoc2many-ambiguous-key')),
+  'auth-no-empty-restrictions': () => createRule(require('./auth-no-empty-restrictions')),
+  'auth-use-requires': () => createRule(require('./auth-use-requires')),
+  'auth-valid-restrict-grant': () => createRule(require('./auth-valid-restrict-grant')),
+  'auth-valid-restrict-keys': () => createRule(require('./auth-valid-restrict-keys')),
+  'auth-valid-restrict-to': () => createRule(require('./auth-valid-restrict-to')),
+  'auth-valid-restrict-where': () => createRule(require('./auth-valid-restrict-where')),
+  'latest-cds-version': () => createRule(require('./latest-cds-version')),
+  'min-node-version': () => createRule(require('./min-node-version')),
+  'no-db-keywords': () => createRule(require('./no-db-keywords')),
+  'no-dollar-prefixed-names': () => createRule(require('./no-dollar-prefixed-names')),
+  'no-join-on-draft': () => createRule(require('./no-join-on-draft')),
+  'require-2many-oncond': () => createRule(require('./require-2many-oncond')),
+  'sql-cast-suggestion': () => createRule(require('./sql-cast-suggestion')),
+  'start-elements-lowercase': () => createRule(require('./start-elements-lowercase')),
+  'start-entities-uppercase': () => createRule(require('./start-entities-uppercase')),
+  'valid-csv-header': () => createRule(require('./valid-csv-header')),
+  'extension-restrictions': () => createRule(require('./extension-restrictions'))
+}
 
-Cache.set("rules", rules);
+Cache.set('rules', rules)
 
-module.exports = rules;
+module.exports = rules

package/lib/rules/latest-cds-version.js

@@ -1,43 +1,44 @@
-const cp = require("child_process");
-const semver = require("semver");
+const cp = require('child_process')
+const semver = require('semver')
 
 module.exports = {
   meta: {
+    schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
-      description: "Checks whether the latest `@sap/cds` version is being used."
+      description: 'Checks whether the latest `@sap/cds` version is being used.'
     },
-    type: "suggestion",
+    type: 'suggestion',
     hasSuggestions: true,
     messages: {
-      latestCDSVersion: `A newer CDS version is available!`,
+      latestCDSVersion: 'A newer CDS version is available!'
     },
-    severity: "off",
-    model: "none"
+    severity: 'off',
+    model: 'none'
   },
   create: function (context) {
-    return check_latest_cds_version;
+    return checkLatestCdsVersion
 
-    function check_latest_cds_version() {
-      let cdsVersions;
-      let e = context.getEnvironment();
+    function checkLatestCdsVersion () {
+      let cdsVersions
+      let e = context.getEnvironment()
       if (!e) {
         e = cp
-          .execSync(`npm outdated @sap/cds --json`, {
+          .execSync('npm outdated @sap/cds --json', {
             cwd: process.cwd(),
-            stdio: "pipe",
+            stdio: 'pipe'
           })
-          .toString();
+          .toString()
       }
-      if (e && e["@sap/cds"]) {
-        cdsVersions = e["@sap/cds"];
+      if (e && e['@sap/cds']) {
+        cdsVersions = e['@sap/cds']
         // If current cds version is not the latest
         if (Object.keys(cdsVersions).length !== 0 && !semver.satisfies(cdsVersions.latest, cdsVersions.current)) {
           context.report({
-            messageId: "latestCDSVersion",
+            messageId: 'latestCDSVersion',
             node: context.getNode()
-          });
+          })
         }
       }
     }
-  },
-};
+  }
+}

package/lib/rules/min-node-version.js

@@ -1,36 +1,37 @@
-const path = require("path");
-const semver = require("semver");
+const path = require('path')
+const semver = require('semver')
 
 module.exports = {
   meta: {
+    schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
-      description: `Checks whether the minimum Node.js version required by \`@sap/cds\` is achieved.`
+      description: 'Checks whether the minimum Node.js version required by `@sap/cds` is achieved.'
     },
-    severity: "off",
-    type: "problem",
-    model: "none"
+    severity: 'off',
+    type: 'problem',
+    model: 'none'
   },
   create: function (context) {
-    return check_min_node_version;
+    return checkMinNodeVersion
 
-    function check_min_node_version() {
-      const e = context.getEnvironment();
-      let nodeVersion, nodeVersionCDS;
+    function checkMinNodeVersion () {
+      const e = context.getEnvironment()
+      let nodeVersion, nodeVersionCDS
       if (!e) {
         // Get current and required node versions
         try {
-          const CDSPath = require.resolve("@sap/cds/package.json", {
-            paths: [path.dirname(".")],
-          });
-          const jsonCDS = require(CDSPath);
-          nodeVersion = process.version;
-          nodeVersionCDS = jsonCDS.engines.node;
+          const CDSPath = require.resolve('@sap/cds/package.json', {
+            paths: [path.dirname('.')]
+          })
+          const jsonCDS = require(CDSPath)
+          nodeVersion = process.version
+          nodeVersionCDS = jsonCDS.engines.node
         } catch (err) {
           // Do not throw
         }
       } else {
-        nodeVersion = e.nodeVersion;
-        nodeVersionCDS = e.nodeVersionCDS;
+        nodeVersion = e.nodeVersion
+        nodeVersionCDS = e.nodeVersionCDS
       }
       if (
         nodeVersion &&
@@ -40,9 +41,8 @@ module.exports = {
         context.report({
           message: `CDS minimum node version of ${nodeVersionCDS} required, found ${nodeVersion}!`,
           node: context.getNode()
-        });
+        })
       }
     }
-
-  },
-};
+  }
+}

package/lib/rules/no-db-keywords.js

@@ -1,45 +1,39 @@
-const cds = require("@sap/cds");
+const cds = require('@sap/cds')
 
 module.exports = {
   meta: {
+    schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
-      description: `Avoid using reserved SQL keywords.`,
+      description: 'Avoid using reserved SQL keywords.',
       recommended: true
     },
-    type: "problem"
+    type: 'problem',
+    model: 'inferred'
   },
-  create(context) {
-    const { db = { kind: "sql" } } = cds.env.requires;
+  create (context) {
+    const { db = { kind: 'sql' } } = cds.env.requires
 
     return {
-      //> return standard eslint visitor callbacks registered to CSN kinds, types, ...
-      entity: check_name_is_not_reserved,
-      element: check_name_is_not_reserved
-    };
+      // > return standard eslint visitor callbacks registered to CSN kinds, types, ...
+      entity: checkNameIsNotReserved,
+      element: checkNameIsNotReserved
+    }
 
-    function check_name_is_not_reserved(d) {
-      if (d.name in RESERVED) {
+    function checkNameIsNotReserved (d) {
+      if (RESERVED.includes(d.name.toUpperCase())) {
         // Do not blame in case of external services
-        let srv = d._service || (d.parent && d.parent._service);
-        if (srv && srv["@cds.external"]) return;
+        const srv = d._service || (d.parent && d.parent._service)
+        if (srv && srv['@cds.external']) return
+        if (d.kind === 'entity' && d['@cds.persistence.skip'] === true) return
         context.report({
           message: `'${d.name}' is a reserved keyword in ${db.kind.toUpperCase()}`,
-          node: context.getNode(d)
-        });
+          node: context.getNode(d),
+          file: d.$location.file
+        })
       }
     }
   }
-};
+}
 
 // REVISIT: Replace by compiler-provided check
-const RESERVED = {
-  ORDER: 1,
-  Order: 1,
-  order: 1,
-  GROUP: 1,
-  Group: 1,
-  group: 1,
-  LIMIT: 1,
-  Limit: 1,
-  limit: 1
-};
+const RESERVED = cds.compile.to.sql.sqlite ? cds.compile.to.sql.sqlite.keywords : ['ORDER', 'GROUP', 'LIMIT']