kalai-attach 1.0.0

package/srv/malwareScanner.cds

@@ -0,0 +1,23 @@
+@protocol : 'none'
+service malwareScanner {
+
+  event ScanAttachmentsFile {
+    target: String; //CSN name of Attachments entity to scan
+    keys: Map; //Key value pairs of attachments entity to scan
+  };
+
+  action scan(file: LargeBinary) returns {
+    isMalware: Boolean;
+    encryptedContentDetected: Boolean;
+    scanSize: Integer;
+    finding: String;
+    /**
+     * Returns "empty" if no type could be detected
+     */
+    mimeType: String;
+    /**
+     * SHA256 hash of file
+     */
+    hash: String;
+  }
+}

package/srv/malwareScanner.js

@@ -0,0 +1,151 @@
+const cds = require('@sap/cds')
+const crypto = require("crypto")
+const https = require('https')
+const { URL } = require('url')
+const LOG = cds.log('attachments')
+
+class MalwareScanner extends require('./malwareScanner-mocked') {
+
+  get credentials() {
+    return getCredentials()
+  }
+
+  init() {
+    return super.init()
+  }
+
+  /**
+   * Scans the passed over file
+   * @param {*} req - The request object 
+   * @param {string} fileName - The name of the file being scanned
+   */
+  async scanFile(req) {
+    const { file } = req.data;
+    let response
+    const scanStartTime = Date.now()
+
+    try {
+      // Prepare request options
+      const url = new URL(`https://${this.credentials.uri}/scan`)
+      const requestOptions = {
+        method: 'POST',
+        hostname: url.hostname,
+        port: url.port || 443,
+        path: url.pathname,
+        headers: {}
+      }
+
+      if (this.credentials?.certificate && this.credentials?.key) {
+        LOG.debug('Using mTLS authentication for malware scanning')
+
+        const cert = new crypto.X509Certificate(this.credentials.certificate)
+        const expiryDate = new Date(cert.validTo)
+        const now = Date.now()
+
+        // Show warning if certificate is expired or expiring within 30 days
+        const msIn30Days = 30 * 24 * 60 * 60 * 1000
+
+        if (expiryDate.getTime() < now) {
+          LOG.error('Malware scanner certificate expired', { validTo: cert.validTo })
+          throw new Error('Malware scanner certificate expired')
+        } else if (expiryDate.getTime() - now < msIn30Days) {
+          LOG.warn('Malware scanner certificate expiring soon', { validTo: cert.validTo })
+        }
+
+        requestOptions.cert = this.credentials.certificate
+        requestOptions.key = this.credentials.key
+        requestOptions.rejectUnauthorized = false
+
+        LOG.debug('Using mTLS authorization')
+      } else if (this.credentials?.username && this.credentials?.password) {
+        // Basic Auth: set Authorization header
+        LOG.warn(
+          'Deprecated: Basic Authentication for malware scanning is deprecated and will be removed in future releases.',
+        )
+        requestOptions.headers.Authorization =
+          "Basic " + Buffer.from(`${this.credentials.username}:${this.credentials.password}`, "binary").toString("base64")
+        LOG.debug('Using basic authorization')
+      } else {
+        throw new Error("Could not find any credentials to authenticate against malware scanning service, please make sure binding and service key exists.")
+      }
+
+      response = await new Promise((resolve, reject) => {
+        const req = https.request(requestOptions, (res) => {
+          let data = ''
+          res.on('data', chunk => data += chunk)
+          res.on('end', () => {
+            resolve({
+              status: res.statusCode,
+              ok: res.statusCode >= 200 && res.statusCode < 300,
+              data
+            })
+          })
+        })
+        req.on('error', reject)
+
+        file.pipe(req)
+      })
+
+
+      if (!response.ok) {
+        const json = JSON.parse(response.data || '{}')
+        const errorMsg = JSON.stringify(json) || response.statusText || 'Unknown error from malware scanner'
+        return req.reject(response.status, `Scanning failed: ${errorMsg}`)
+      }
+    } catch (error) {
+      const scanDuration = Date.now() - scanStartTime
+      LOG.error(`Request to malware scanner failed`, error,
+        'Check malware scanner service binding and network connectivity',
+        { scanDuration, scannerUri: this.credentials?.uri }
+      )
+      file?.destroy()
+      return req.reject(500, 'Scanning failed')
+    } finally {
+      file?.destroy()
+    }
+
+    /**
+     * @typedef {Object} MalwareScanResponse
+     * @property {boolean} malwareDetected - Indicates whether the scan engine detected a threat.
+     * @property {boolean} encryptedContentDetected - Indicates whether the file has encrypted parts, which could not be scanned.
+     * @property {number} scanSize - Size in bytes of the scanned file. Use the file size to validate the success of data transmission.
+     * @property {string} finding - This field may contain information about detected malware.
+     * @property {string} mimeType - Indicates the detected MIME type for the scanned file. This data may not be reliable and results may vary on different service providers.
+     * @property {string} SHA256 - SHA-256 hash of the scanned file. Use the hash to validate the success of data transmission.
+     */
+    /** @type {MalwareScanResponse} */
+    const responseJson = JSON.parse(response.data)
+    const scanDuration = Date.now() - scanStartTime
+    LOG.debug(`Malware scan response`, { scanDuration, response: responseJson })
+
+    return {
+      isMalware: responseJson.malwareDetected,
+      encryptedContentDetected: responseJson.encryptedContentDetected,
+      scanSize: responseJson.scanSize,
+      finding: responseJson.finding,
+      mimeType: responseJson.mimeType,
+      hash: responseJson.SHA256,
+    };
+  }
+}
+
+module.exports = MalwareScanner
+
+function getCredentials() {
+  const credentials = cds.env.requires?.malwareScanner?.credentials
+  if (!credentials) {
+    throw new Error(`cds.env.requires.malwareScanner.credentials is empty! Please bind the SAP Malware Scanning service against your app!`)
+  }
+  const requiredFields = {
+    mTLS: ['uri', 'certificate', 'key'],
+    basic: ['uri', 'username', 'password']
+  }
+  const missingMTLS = requiredFields.mTLS.filter(field => !credentials[field])
+  const missingBasic = requiredFields.basic.filter(field => !credentials[field])
+
+  if (missingMTLS.length > 0 && missingBasic.length > 0) {
+    throw new Error(`Missing Malware Scanner credentials: mTLS [${missingMTLS.join(', ')}], Basic Auth [${missingBasic.join(', ')}]`)
+  }
+  LOG.debug(`Malware scanning credentials successfully retrieved.`)
+  return credentials
+}

package/srv/object-store.js

@@ -0,0 +1,44 @@
+const cds = require("@sap/cds")
+const LOG = cds.log('attachments')
+
+module.exports = class RemoteAttachmentsService extends require("./basic") {
+
+  clientsCache = new Map()
+  isMultiTenancyEnabled = !!cds.env.requires.multitenancy
+  objectStoreKind = cds.env.requires?.attachments?.objectStore?.kind
+  separateObjectStore = this.isMultiTenancyEnabled && this.objectStoreKind === "separate"
+
+  init() {
+    LOG.debug(`${this.constructor.name} initialization`, {
+      multiTenancy: this.isMultiTenancyEnabled,
+      objectStoreKind: this.objectStoreKind,
+      separateObjectStore: this.separateObjectStore,
+      attachmentsConfig: {
+        kind: cds.env.requires?.attachments?.kind,
+        scan: cds.env.requires?.attachments?.scan
+      }
+    })
+
+    return super.init()
+  }
+
+  /**
+   * @inheritdoc
+   */
+  registerHandlers(srv) {
+    srv.before(
+      "DELETE",
+      (req) => {
+        if (!req.target.isDraft || !req.target._attachments.isAttachmentsEntity) return;
+        return this.attachDraftDeletionData.bind(this)(req)
+      }
+    )
+    srv.after(
+      "DELETE",
+      (res, req) => {
+        if (!req.target.isDraft || !req.target._attachments.isAttachmentsEntity) return;
+        return this.deleteAttachmentsWithKeys.bind(this)(res, req)
+      }
+    )
+  }
+}

package/srv/standard.js

@@ -0,0 +1,3 @@
+const cds = require("@sap/cds")
+
+module.exports =  require('./azure-blob-storage')