@sap/eslint-plugin-cds/lib/rules/auth-restrict-grant-service.js

ESLint plugin including recommended SAP Cloud Application Programming model and environment rules

'use strict'

module.exports = {
  meta: {
    schema: [{/* to avoid deprecation warning for ESLint 9 */ }],
    docs: {
      description: '`@restrict.grant` on service level and for bound/unbound actions and functions is limited to grant: \'*\'',
      category: 'Model Validation',
      recommended: true,
      url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/auth-restrict-grant-service',
    },
    messages: {
      limitedGrant: `The grant value provided in @restrict is limited to '*' for {{kind}} '{{name}}'`,
    },
    type: 'problem',
    model: 'inferred'
  },
  create (context) {
    return {
      action: checkRestrictGrant,
      function: checkRestrictGrant,
      service: checkRestrictGrant
    }

    function checkRestrictGrant(def) {
      if (!Array.isArray(def['@restrict']))
        return

      const node = context.getNode(def)
      const file = def.$location.file
      const data = { kind: def.kind, name: def.name }

      for (const entry of def['@restrict']) {
        if (entry?.grant !== undefined) {

          if (typeof entry.grant === 'string') {
            if (entry.grant !== '*')
              context.report({ messageId: 'limitedGrant', data, node, file })

          } else if (Array.isArray(entry.grant)) {
            if (entry.grant.length === 0 || !entry.grant.some(val => val === '*'))
              context.report({ messageId: 'limitedGrant', data, node, file })

          } else {
            // invalid grant value; ignored by this rule
          }
        }

      }
    }
  }
}