UNPKG

@sap/cds

Version:

SAP Cloud Application Programming Model - CDS for Node.js

cap.cloud.sap

394 lines (328 loc) 15 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
const cds = require('../cds') const LOG = cds.log('ucl') const fs = require('fs').promises const https = require('https') const { getCloudSdk } = require('../remote/utils/cloudSdkProvider') const { READ_QUERY, CREATE_MUTATION, UPDATE_MUTATION, DELETE_MUTATION } = require('./queries') const TRUSTED_CERT = { CANARY: { ISSUER: 'CN=SAP PKI Certificate Service Client CA,OU=SAP BTP Clients,O=SAP SE,L=cf-eu10-canary,C=DE', SUBJECT: 'CN=cmp-stage,OU=SAP Cloud Platform Clients,OU=Canary,OU=cmp-cf-eu10-canary,O=SAP SE,L=Stage,C=DE' }, LIVE: { ISSUER: 'CN=SAP PKI Certificate Service Client CA,OU=SAP BTP Clients,O=SAP SE,L=cf-eu10,C=DE', SUBJECT: 'CN=cmp-prod,OU=SAP Cloud Platform Clients,OU=cmp-cf-eu10,O=SAP SE,L=Prod,C=DE' } } module.exports = class UCLService extends cds.Service { constructor(...args) { super(...args) // REVISIT: cds.connect.to('ucl') should return this, but no cds.requires.kinds.ucl config achieved this cds.services.ucl = this } async init() { this.on('*', 'tenantMappings', async req => { if (req.method !== 'PATCH') req.reject(405, `Method ${req.method} not allowed for tenant mapping notifications`) await this._validateCertificate(req) return await this._dispatchNotification(req) }) if (cds.env.requires.ucl?.destination) { LOG.debug('Destination for asynchronous UCL callbacks configured.') this.after( [`assign/#succeeded`, `unassign/#succeeded`], async (res, req) => await this.schedule('successfulMapping', { res, req }) ) this.after( [`assign/#failed`, `unassign/#failed`], async (res, req) => await this.schedule('failedMapping', { res, req }) ) this.on('successfulMapping', req => this.handleSuccessfulMapping(req.data.res, req.data.req)) this.on('failedMapping', req => this.handleFailedMapping(req.data.res, req.data.req)) } await super.init() if (cds.env.requires.ucl?.applicationTemplate) await this._upsertApplicationTemplate(cds.env.requires.ucl) } async _validateCertificate(req) { // Allow bypassing certificate validation in development if (process.env.NODE_ENV !== 'production' && cds.env.requires.ucl?.skipCertValidation) return // Check if the request uses a 'cert' or 'mesh.cf' domain if (!req.http?.req.hostname.match(/\.cert\.|\.mesh\.cf\./)) req.reject(403) // Verify presence of required .cert domain headers const reqClientVerificationStatus = req.headers['x-ssl-client-verify'] if (reqClientVerificationStatus !== '0') throw new cds.error(401, 'Client certificate not verified') const reqClientCertSubjectB64 = req.headers['x-ssl-client-subject-dn'] if (!reqClientCertSubjectB64) throw new cds.error(401, 'No client certificate subject provided') const reqClientCertIssuerB64 = req.headers['x-ssl-client-issuer-dn'] if (!reqClientCertIssuerB64) throw new cds.error(401, 'No client certificate issuer provided') // Extract tokens from base64 encoded subject and issuer .cert domain headers const reqClientCertSubject = Buffer.from(reqClientCertSubjectB64, 'base64').toString('ascii') const reqClientCertSubjectTokens = reqClientCertSubject .replace('\n', '') .split('/') .filter(token => token) const reqClientCertIssuer = Buffer.from(reqClientCertIssuerB64, 'base64').toString('ascii') const reqClientCertIssuerTokens = reqClientCertIssuer .replace('\n', '') .split('/') .filter(token => token) // Determine trusted certificate subject and issuer information let trustedCertSubject = process.env.CDS_UCL_X509_CERTSUBJECT || cds.env.requires.ucl.x509?.certSubject let trustedCertIssuer = process.env.CDS_UCL_X509_CERTISSUER || cds.env.requires.ucl.x509?.certIssuer if (!trustedCertIssuer?.length || !trustedCertSubject?.length) { let stage = 'CANARY' const VCAP_APPLICATION = JSON.parse(process.env.VCAP_APPLICATION || '{}') if (VCAP_APPLICATION.cf_api && !VCAP_APPLICATION.cf_api.endsWith('.cf.sap.hana.ondemand.com')) stage = 'LIVE' trustedCertIssuer = TRUSTED_CERT[stage].ISSUER trustedCertSubject = TRUSTED_CERT[stage].SUBJECT } // Match received with trusted info - As done in UCL reference implementation const matchesUclInfoSubject = trustedCertSubject .split(',') .map(token => token.trim()) .every(token => reqClientCertSubjectTokens.includes(token)) if (!matchesUclInfoSubject) { LOG.debug('Received Request Subject Info:', reqClientCertSubject) LOG.debug('Expected UCL Subject Info:', trustedCertSubject) throw new cds.error(401, 'Received .cert subject does not match trusted UCL info subject') } const matchesUclInfoIssuer = trustedCertIssuer .split(',') .map(token => token.trim()) .every(token => reqClientCertIssuerTokens.includes(token)) if (!matchesUclInfoIssuer) { LOG.debug('Received Request Issuer Info:', reqClientCertIssuer) LOG.debug('Expected UCL Issuer Info:', trustedCertIssuer) throw new cds.error(401, 'Received .cert issuer does not match trusted UCL info issuer') } } async _dispatchNotification(req) { // Call User defined handlers for tenant mapping notifications LOG.debug('Tenant mapping notification: ', req.data) const { operation } = req.data?.context ?? {} if (operation !== 'assign' && operation !== 'unassign') throw new cds.error( 400, `Invalid operation "${operation}" in tenant mapping notification. Expected "assign" or "unassign".` ) const locationUrl = req.headers.location if (locationUrl?.length) return this._dispatchAsyncMappingNotification(req, operation, locationUrl) return this._dispatchSyncMappingNotification(req, operation) } async _dispatchAsyncMappingNotification(req, operation, locationUrl) { // Get destination based on configured destination name const destinationName = cds.env.requires.ucl.destination if (typeof destinationName != 'string' || !destinationName?.length) throw new cds.error(500, 'UCL Notification includes location but no callback destination was configured') const destination = await getCloudSdk().getDestination(destinationName) // Make sure the received callback location matches the configured destination let destinationHost, locationHost try { locationHost = new URL(locationUrl).host } catch (e) { throw new cds.error(400, `Failed parsing URL in location header: ${e.message}`) } try { destinationHost = new URL(destination.url).host } catch (e) { throw new cds.error(500, `Failed parsing URL in destination "${destinationName}": ${e.message}`) } if (locationHost !== destinationHost) { throw new cds.error( 400, `Host mismatch: locationUrl host (${locationHost}) does not match destination.url host (${destinationHost})` ) } // Schedule the tenant mapping task await this.schedule(operation, req.data, req.headers) // Respond 202 Accepted to UCL req.http.res.status(202) return } async _dispatchSyncMappingNotification(req, operation) { const response = (await this.send(operation, req.data)) ?? {} if (response.error) req.http.res.status(400) else response.state ??= operation === 'assign' ? 'CONFIG_PENDING' : 'READY' return response } async handleSuccessfulMapping(callbackResult, tenantMapping) { const { operation, operationId } = tenantMapping.data.context LOG.debug(`UCL ${operation} operation succeeded:`, callbackResult, tenantMapping) // SPII v3 (operationId exists) vs v2 const method = operationId ? 'PUT' : 'PATCH' const data = { ...callbackResult, state: callbackResult.state ?? (operation === 'assign' ? 'CONFIG_PENDING' : 'READY') } const response = await getCloudSdk().executeHttpRequest( { destinationName: cds.env.requires.ucl.destination }, { method, url: tenantMapping.headers.location, data } ) if (response.status >= 500) cds.error(`Callback to UCL for successful ${operation} operation failed: ${response.data.error}`) if (response.status >= 400) cds.error(`UCL rejected successful ${operation} operation callback: ${response.data.error}`, { unrecoverable: true }) } async handleFailedMapping(callbackError, tenantMapping) { const { operation, operationId } = tenantMapping.data.context LOG.error(`UCL ${operation} operation failed:`, callbackError, tenantMapping) // SPII v3 (operationId exists) vs v2 const method = operationId ? 'PUT' : 'PATCH' const response = await getCloudSdk().executeHttpRequest( { destinationName: cds.env.requires.ucl.destination }, { method, url: tenantMapping.headers.location, data: { state: 'ERROR' } } ) if (response.status >= 500) cds.error(`Callback to UCL for failed ${operation} operation failed: ${response.data.error}`) if (response.status >= 400) cds.error(`UCL rejected failed ${operation} operation callback: ${response.data.error}`, { unrecoverable: true }) } /* * the rest is for upserting the application template */ async _upsertApplicationTemplate() { const _getApplicationTemplate = options => { let applicationTemplate = { applicationInput: { providerName: 'SAP', localTenantID: '{{tenant-id}}', labels: { displayName: '{{subdomain}}' } }, labels: { managed_app_provisioning: true, xsappname: '${xsappname}' }, placeholders: [ { name: 'subdomain', description: 'The subdomain of the consumer tenant' }, { name: 'tenant-id', description: "The tenant id as it's known in the product's domain", jsonPath: '$.subscribedTenantId' } ], accessLevel: 'GLOBAL' } applicationTemplate = cds.utils.merge(applicationTemplate, options.applicationTemplate) const pkg = require(cds.root + '/package') if (!applicationTemplate.name) applicationTemplate.name = pkg.name if (!applicationTemplate.applicationInput.name) applicationTemplate.applicationInput.name = pkg.name if (applicationTemplate.labels.xsappname === '${xsappname}') applicationTemplate.labels.xsappname = options.credentials.xsappname return applicationTemplate } this._applicationTemplate = _getApplicationTemplate(cds.env.requires.ucl) if (!this._applicationTemplate.applicationNamespace) { cds.error( 'The UCL service requires a valid `applicationTemplate`, please provide it as described in the documentation.' ) } if (!cds.requires.multitenancy && cds.env.profile !== 'mtx-sidecar') cds.error( 'The UCL service requires multitenancy, please enable it in your cds configuration with `cds.requires.multitenancy` or by using the mtx sidecar.' ) if (!cds.env.requires.ucl.credentials) cds.error('No credentials found for the UCL service, please bind the service to your app.') if (!cds.env.requires.ucl.x509?.cert && !cds.env.requires.ucl.x509?.certPath) cds.error('UCL requires `x509.cert` or `x509.certPath`.') if (!cds.env.requires.ucl.x509?.pkey && !cds.env.requires.ucl.x509?.pkeyPath) cds.error('UCL requires `x509.pkey` or `x509.pkeyPath`.') const [cert, key] = await Promise.all([ cds.env.requires.ucl.x509?.cert ?? fs.readFile(cds.utils.path.resolve(cds.root, cds.env.requires.ucl.x509?.certPath)), cds.env.requires.ucl.x509?.pkey ?? fs.readFile(cds.utils.path.resolve(cds.root, cds.env.requires.ucl.x509?.pkeyPath)) ]) this.agent = new https.Agent({ cert, key }) const existingTemplate = await this._readTemplate() const template = existingTemplate ? await this._updateTemplate(existingTemplate) : await this._createTemplate() // TODO: Make sure return value is correct if (!template) cds.error('The UCL service could not create an application template.') cds.once('listening', async () => { const provisioning = await cds.connect.to('cds.xt.SaasProvisioningService') provisioning.prepend(() => { provisioning.on('dependencies', async (_, next) => { const dependencies = await next() dependencies.push({ xsappname: template.labels.xsappnameCMPClone }) return dependencies }) }) }) } // REVISIT: Replace with fetch (?) async _request(query, variables) { // Query GraphQL API const opts = { host: cds.env.requires.ucl.host || 'compass-gateway-sap-mtls.mps.kyma.cloud.sap', path: cds.env.requires.ucl.path || '/director/graphql', agent: this.agent, method: 'POST', headers: { 'Content-Type': 'application/json' } } return new Promise((resolve, reject) => { const req = https.request(opts, res => { const chunks = [] res.on('data', chunk => { chunks.push(chunk) }) res.on('end', () => { const response = { statusCode: res.statusCode, headers: res.headers, body: Buffer.concat(chunks).toString() } const body = JSON.parse(response.body) if (body.errors) cds.error('Request to UCL service failed with:\n' + JSON.stringify(body.errors, null, 2)) resolve(body.data) }) }) req.on('error', error => { reject(error) }) if (query) { req.write(JSON.stringify({ query, variables })) } req.end() }) } _handleResponse(result) { if (result.response && result.response.errors) { let errorMessage = result.response.errors[0].message throw new Error(errorMessage) } else { return result.result } } async _readTemplate() { const xsappname = cds.env.requires.ucl.credentials.xsappname const variables = { key: 'xsappname', value: `"${xsappname}"` } const res = await this._request(READ_QUERY, variables) if (res) return res.applicationTemplates.data[0] } async _createTemplate() { try { return this._handleResponse(await this._request(CREATE_MUTATION, { input: this._applicationTemplate })) } catch (e) { this._handleResponse(e) } } async _updateTemplate(template) { try { const input = { ...this._applicationTemplate } delete input.labels const response = this._handleResponse(await this._request(UPDATE_MUTATION, { id: template.id, input })) LOG.info('Application template updated successfully.') return response } catch (e) { this._handleResponse(e) } } async _deleteTemplate() { const template = await this._readTemplate() if (!template) return return this._handleResponse(await this._request(DELETE_MUTATION, { id: template.id })) } }