Category Archives: Coding

Further update on SAP Gateway CSRF token farce

So an update on recent rant about CSRF protection that isn’t needed on SAP Gateway.

The folks in the very attentive HCI team have just added functionality into their solution, so if you configure an OData call to an onPrem system via SAP HANA Cloud Connector, it will automatically do the GET with a fetch for the CSRF token for you whenever you configure a data update operation.

That’s kinda cool, but all it does is sweep the offending rubbish under the rug.

https://www.flickr.com/photos/bruce_krasting/7695348682 - Sweep under the rug, credit Bruce Krasting

https://www.flickr.com/photos/bruce_krasting/7695348682 – Sweep under the rug, credit Bruce Krasting

So now we have logic built into an integration platform that is needlessly slowing our integration flow because of a superfluous system requirement. An extra round trip for no reason.

In this case it is truly superfluous, because the original PUT that I was using had the user credentials as part of the header. That alone should make the CSRF token not required.

What this does show, is how SAP Cloud solutions like SAP HCI are able to update and fix stuff far faster than their onPrem partners. Even if it is a work-around to a problem that shouldn’t exist.

Herding cats, or managing GitHub issues – Waffle and HuBoard considered

Today I needed to decide on a tool to use to manage GitHub issues. I’ve got so many of these now-a-days that it has become quite hard to decide which one to work on and also to communicate to others which ones I am working on.

So I turned to some of the simple Kanban board visualisations of GitHub issue tools that I’ve seen. There may well have been others (I’m pretty sure that it’s possible to get Trello to work with GitHub) but I wanted something that was simple.

I ended up comparing waffle.io and huboard.com .

HuBoard

I found that HuBoard had in many areas some cool functionality that could well be something I wanted. In particular it has the ability to mark a task/issue as “ready for next stage” and “blocked”. Blocked issues are particularly important to me – so having this clearly visible is important. Additionally HuBoard claims to have existing integration into Slack – that would be pretty cool, but given I already have GitHub integration into Slack, I’m not sure it’s needed. Would have been nice if the web-site had shown what that integration actually was, as that is something that could really decide me one way or other.

HuBoard has a nicely minimalistic view – more inline with newer design patterns like Android material design, SAP Fiori. Labels on issues are small colour coded lines that appear when you hover over them.

huboard design

It’s quite neat and tidy. It also has a cool “fade away” filter option that just fades out un-selected items rather than removing them (two clicks removes them). However, clicking the same button multiple times to get different affects, I’m not sure that’s really a great idea. I’ve definitely been slapped over the wrist for bad (and not very accessible) UX when I’ve done similar things in the past. But technically and from a usefulness stake (if you understand what you’re doing) that’s a pretty cool feature.

However, I there were some concerns – when I loaded the HuBoard site on my phone it was good to see that it adapted responsively to the space available and listed the items rather than displaying a grid (well, I’m still debating if that was good, but at least it was responsive.) However, when I then clicked on a issue:

mobile huboard issue small

Yuck! that’s not usable.

Edit: NB see note following stuff documented in following section about privacy has been changed.

I then looked at the site to understand what the privacy policy was:

privacy policy from HuBoard missing

The only info on the site was “This Application collects some Personal Data from its Users”.

I’m pretty sure this is because of HuBoard not paying someone for their generated policy:

huboard policy issue

 

However, I tweeted at HuBoard:

And as at time of writing this post, haven’t had a reply. To me, if I’m going to trust a cloud service, I need to be able to understand what it will and won’t do with my data. A non-working privacy policy page on the main site is a BIG #fail. Then not to respond to someone @ mentioning your twitter handle is a mark of the kind of service that I might expect if I was a customer. Not great.

Edit: so none other than the founder of HuBoard reached out to me. Privacy policy is fixed. It looks pretty good too, most of it is in plain English not legalese. Guess timezones for USA meant they were sleeping. The founder reaching out, that’s pretty good customer service. These guys will hopefully do some great things!

 

Waffle

I looked at Waffle.io. Now bizarrely the thing that most scares me about that product is its price – $0. I’ve learnt, if I’m not paying $ for something, then I am the product. I’m not sure if Waffle.io is still in beta/investor funding and is happy running without making any money but perhaps just piling up the company valuation? This whole SaaS valuation model sometime confuses the crap out of me. When you consider that companies the size Workday have profit margins of -24% (I mean WTF ?) It’s quite conceivable that charging money right now doesn’t boost the value of the company as much as having more subscribed users. Still paying nothing for something just makes me want to look for the catch. But I couldn’t really find a catch (I imagine it won’t be free forever and that payment will be required soon, but if it’s in same sort of price point as HuBoard then this shouldn’t be an issue $24 a month to be productive is not that bad!)

Waffle has some feature that I thought were pretty good, but specifically I liked the “size” attribute for an issue. By using this I can ensure that for each stage of the Kanban there aren’t too many issues being dealt with. So it can be fine to have quite a few small issues, but having the same number of large issues could cause a problem.

waffle

 

at the top of each column was a counter showing the number of issues and the total size. Next to my lovely picture was a number showing what I thought the size of this issue was.

This functionality I like, it will help manage all the issues and ensure we’re not going crazy pushing so much to into testing without actually testing it.

It was also nice in Waffle to be able to see the number of comments an issue has – it’s often worth drilling into those issue that have a lot of comments, even if it’s not yet my issue.

However, compared to HuBoard the amount of information shown can result in a quite busy screen – for example from Waffle’s own GitHub repo…

waffle2

 

Personally, I didn’t mind the “noise” but others I spoke to thought perhaps the minimal style of HuBoard better. Since I often have so many labels that colour alone is going to be an issue, I think I prefer this layout.

In contrast to HuBoard the mobile interface is not at all responsive, you see the same site but just zoomed out so you can’t read anything. That said, pinch zooming and scrolling around on the phone isn’t hard, and it does give you a better perspective of how the lanes compare. I’m pretty sure that there is probably a better responsive layout that could be adopted. But compared to the rendering mess that happened in HuBoard when accessing from mobile, it was much easier to use the Waffle site.

Conclusion

You can probably see where I’m heading! I decided to go with Waffle for the moment, but I’ll keep an eye out for HuBoard. As with all these SaaS apps, iteration is the name of the game, and I’m sure that feature parity won’t be far off. Neither tool has an Android mobile app, but neither tool is very usable on a phone – so perhaps when one of them makes that leap it will differentiate itself. We shall see.

After I’ve been using Waffle for a while, I’ll perhaps write another post about “real life” experience.

Cheers!

 

 

Security in depth – or a bug waiting to happen? – CSRF protection on SAP Gateway

What's that - It's the dragon that guards the locked door, we feed people who ask silly security questions to it

What’s that? – It’s the dragon that guards the locked door, we feed people who ask silly security questions to it.

<rant>

So I’ve got my knickers in a twist again. Recently I was playing around with sending some OData to my SAP server when it refused me. Now, I didn’t like that, but at least it was kind enough to tell me why. Apparently I hadn’t fed it a CSRF token. OK, so I looked in the headers of the GET that did work, and lo and behold there was a CSRF token there. I fed that into the POST I was doing, and bingo it worked.

Now it seems to me that many many people have hit the same thing and found the same solution. Indeed, I asked around some people I knew and they told me: “Get over it Chris, it’s in the header of your GET, it lasts all session, just use it!” But me being me, no, I wouldn’t accept that!

Slight aside – they also mentioned “Damnit, I remember when that patch came in, it buggered up my custom Gateway app and I had no warning that it was coming, took me ages to figure out why it wasn’t working.”

 

So I thought – OK? Why? Why do we have CSRF protection in the first place, what on earth is it?

CSRF protection – Cross Site Request Forgery protection, according to the websites I read is supposed to protect against the case where unknown to a user a cookie in the browser used for authentication allows a malicious site to alter data on your system. (And in the case of gateway, your SAP system).

So to send a PUT or POST or DELETE (the verbs that can change data) from a browser without user knowing is going to involve 1 of 2 things.

a) An injection of HTML on the page adds either a form that is going to POST some data (typical type of attack  CSRF protects against) or a link e.g. img tag which GETs data.

b) An injection of some script, e.g. JS on page that is going to do the PUT/POST/DELETE

In the case of (a – POST) the payload will be malformed and Gateway isn’t going to accept that as valid OData – so no security worries anyway. And for (a – GET) CSRF protection isn’t even applied.

In the case of (b) well if I can embed JS, I can just as easily embed a GET pull the header and then do an update with the CSRF token. Indeed the sites that advocate for the CSRF token approach make it clear that it cannot protect you in the case you have malicious Javascript.

In the case that the script is running on a page from a different domain, then CORS will kick in and stop the access – but if somehow the injection is on my own domain, I don’t see how we’re protected.

So I was at a loss. What protection does CSRF actually offer Gateway?

I further researched:

There’s a great explanation, which does better than I have at:

Play Framework

It is recommended that you familiarise yourself with CSRF, what the attack vectors are, and what the attack vectors are not. We recommend starting withthis information from OWASP.

Simply put, an attacker can coerce a victims browser to make the following types of requests:

  • All GET requests
  • POST requests with bodies of type application/x-www-form-urlencoded,multipart/form-data and text/plain

An attacker can not:

  • Coerce the browser to use other request methods such as PUT and DELETE
  • Coerce the browser to post other content types, such asapplication/json
  • Coerce the browser to send new cookies, other than those that the server has already set
  • Coerce the browser to set arbitrary headers, other than the normal headers the browser adds to requests

Since GET requests are not meant to be mutative, there is no danger to an application that follows this best practice. So the only requests that need CSRF protection arePOST requests with the above mentioned content types.

Since Gateway does not support POST requests with bodies of type application/x-www-form-urlencoded,multipart/form-data and text/plain (or if it does there’s your problem right there!) there is no need for CSRF protection.

I then had a fun conversation on Twitter with Ethan

The great thing about chatting with Ethan is you always come out having learnt something.

He makes a good point, and I’ll paraphrase him:

“The best security is deep and many layered and protects not only against the things that you know may happen, but also against those that you’re pretty sure won’t.”

I was wrong –  “to send a PUT or POST or DELETE (the verbs that can change data) from a browser without user knowing is going to involve 1 of 2 3 things. With the third being:

An exploitation of a hitherto unknown browser bug that allows it.

So now I’m confused. Is it worthwhile implementing the hassle that is CSRF protection, including the potential slowdown in speed of response from the solution (a paramount concern in a mobile app) for a situation that might happen.

When I’m writing ABAP code, I’m happy to trade away performance of the code for ease of maintenance. I don’t use pointers (field symbols) to loop over data that I do not intend to change, because some fool could come along later and accidentally do just that. If I instead use a work area, there isn’t that risk.

So in some respects I already do work that makes the solution slower to ensure lower risk, so shouldn’t I just do the CSRF thingy?

However, it is the reason for the risk – I don’t trust that the people maintaining the code after I leave will understand what I have done in my implementation of CSRF protection and won’t make a mistake. Even if I’m using UI5 in my application to update my SAP system, will they remember to call the refreshSecurityToken method every time before a PUT, POST or DELETE? Will they test it? Will they let the session expire in the testing so that they actually need to call the refreshSecurityToken method? I really hope so, but I doubt it. I see applications going into error and data not being updated when it should have been, because of “needless” CSRF protection.

weighing Dodgy Code vs Browser Bug risks

weighing Dodgy Code vs Browser Bug risks

So what I see is this: Security in enterprise is paramount, Gateway is enterprise software, it needs to be secure. So SAP made it so, even if it hasn’t really made a big difference or fixed any known security holes. But, “just in case”. However, custom code (and even standard code 😉 ) will have bugs, ones that rely on sessions timing out are particularly hard to test and will get through. The risk to your Gateway based mobile app is greater by having CSRF protection enabled than it is to your data being maliciously hacked through zero-day exploits. But I guess it depends on what that data is 🙂 .

</rant>

OK, one final bit…

<rant>

Given that I might not actually be using my Gateway for a UI app but for machine to machine transactions, would it PLEASE be possible that if I provide a valid authentication header in the PUT/POST/DELETE that we ignore the CSRF thingy? If I can somehow come up with a valid auth header, then we aren’t protecting anything with a CSRF token, we’re just making transactions slower by requiring multiple round trips that shouldn’t be needed.

</rant>

I feel better now. 🙂

 

Read how this discussion unfolds over at SCN…

http://scn.sap.com/community/gateway/blog/2014/08/26/gateway-protection-against-cross-site-request-forgery-attacks#comment-611490

P.S. my last post from SCN comment thread as I think it’s an important summary:

The thing is, by not implementing CSRF protection, we aren’t making our services insecure. There are no known ways to use CSRF against Gateway currently.

There is the case of protection against unknown attacks, but is that worth the cost, risk, effort?

Not using CSRF protection does not mean you are making your service insecure. It just trading “just in case” against real life complexity, risk and cost.

Depending on the data concerned, that “just in case” might be worth it. It won’t always be.

Architects have a responsibility to their companies to balance these risks and decide. We have the responsibility to inform them clearly and not just pretend that security is the only and overwhelming factor to consider.

Sometimes we put security on a pedestal and everything has to be done to address it. But we should remember that everything should have a risk/reward curve and sometimes NOT coding for a security risk is actually less risk than coding for it.

 

 

Multitenant Spring Data JPA with EclipseLink on SAP HANA Cloud Platform

Just a quick post here today, and hopefully I flesh out a more detailed post on SCN later:

OEM model

There are probably two ways to make money developing apps on the HANA Cloud Platform:

1) be incredibly good at it, such that you can build truly awesome stuff that customers aren’t going to care about platform costs and still pay you bucket-loads

2) use the OEM model and build very efficient apps that solve a little problem for lots of people. Keep costs low, and sell to lots and lots of people.

3) be big consult, wine & dine the people with the money, put loadsa people on simple projects bill lots.

I’m aiming for a mix of 1 and 2 to just get into the sweet spot, of course that’s hard work. But this evening I made a step in the right direction by enabling multi-tenant access to one of my apps that auto-magically put the tenant key in all DB accesses in my app – without me having to do any work to specifically write that into the queries.

for reference the magic happens with a custom implementation/extension of JpaRepositoryFactory, JpaRepositoryFactoryBean and SimpleJpaRepository and one line in my Spring xml:

<jpa:repositories base-package=”com.wombling.blah.blah.dao ”
factory-class=”com.wombling.blah.blah.multitenancy.MultiTenantJpaRepositoryFactoryBean” />

my custom tenancy resolver:

public class CurrentTenantResolverImpl implements CurrentTenantResolver<String> {

	@Override
	public String getCurrentTenantId() {

		InitialContext ctx;
		try {
			ctx = new InitialContext();

			Context envCtx = (Context) ctx.lookup("java:comp/env");
			TenantContext tenantContext = (TenantContext) envCtx.lookup("TenantContext");

			return tenantContext.getTenantId();
		} catch (NamingException e) {
			return "NOT_CURRENTLY_RUNNING_MULTI_-_TENANT"; // 36 chars as per real tenant id
		}
	}

}

is called each time a DB query is made (which is already pretty invisible due to “magic” of Spring data and JPA.)

I have to give a huge shout out to   from Slovakia who posted up most of the code I reused. Thanks dude!

http://codecrafters.blogspot.sk/2013/03/multi-tenant-cloud-applications-with.html

I’ll get back to you with some more HR type stuff later.

 

iOS – not quite the Enterprise developers’ best choice

I was recently at a conference where there was a big cheer from the audience when the vendor announced that they were moving away from a model of updating all the customer’s development/test and production systems 4 times a year, to a model of still doing quarterly updates, but updating the dev/test environment one month earlier. The crowd cheered. Wow! (The conference was SuccessConnect, the product SuccessFactors and the vendor SAP, but that is irrelevant for this particular post).

So why on earth would people want to get their software updated later? And why would such a change cause them to cheer? It’s quite simple really! Risk reduction.

risk reducer

 

Reducing Risk

To quote Donald Rumsfeld “there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know”. Whilst it’s blinking difficult to deal with the third category of “unknown, unknowns”, it’s much easier to deal with the known unknowns. In our case of software upgrades, we know that there are likely to be changes, but we aren’t sure exactly what. So having a early release in a system that isn’t critical for the running of our business, means we have the possibility to make those known unknowns into known knowns and deal with them. (hmm perhaps I shouldn’t have quoted Donald, this is getting a bit confusing! – but hopefully you get the point!)

Basically what was being offered was a risk mitigation strategy, and the enterprise just LOOOOOOVES that.

Back to Mobile apps

OK, so what’s this got to do with mobile applications? We’ll basically for mobile applications in the enterprise space we should be able to offer the same thing. I’m not talking here about applications that companies develop internally and deploy to all their staff, but applications found in application marketplaces (app stores if you will) that are used by enterprises.

Say there is this great app out there that allows you to track the driving speed and location of all your delivery truck drivers. It’s great because the same functionality just a few years ago cost thousands of dollars per truck and had to be downloaded manually each night. Now, you have it instantly and at a subscription cost of $20 per user per year, with awesome real-time reporting and everything! Great! But the reason it is so cheap is the developer is selling this software in a SaaS model. They have a multi-tenant architecture and when they make an update they update all customers at once. Now what happens if they push out an “improvement” in the user interface of the solution? Well 90% of your users will probably adjust, but 10% (or more) are suddenly going to be referring back to that print-out of the training material that you sent them getting very confused, phoning the help desk and generally finding an excuse for not doing work. Bad!

But had you known that a change was coming, what could you have done? Well, you could have updated the training material, sent comms explaining the wonderful new feature, etc.

So how could you have know this change was coming? Well the company that you’re subscribing to could have sent you some details about the change. But what if they thought that the change was so insignificant it didn’t need any comms? And  what if it’s just the particular way that your workforce use the app that means that it might need explaining? Then you are going to need another plan.

Another plan

chrome beta

In the Android application marketplace (Google Play) there is allowed the concept of a Beta version of application. Many popular applications (for example Chrome and Firefox) have beta versions of their software that showcase and test out new versions of UI and functionality.

This allows companies to test out new versions of software before their major install base start using it. And because the software is flagged BETA people know that there might be things different. It is a risk reduction strategy for not only the consumers of the software but also the developers. Win-Win!

Apple however in their app store submission guidelines: https://developer.apple.com/app-store/review/guidelines/#functionality

2.9  Apps that are “demo”, “trial”, or “test” versions will be rejected. Beta Apps may only be submitted through TestFlight and must follow the TestFlight guidelines

and from the TestFlight guidelines: https://developer.apple.com/app-store/Testflight/

External Testers (Coming Soon)

Once you’re ready, you can invite up to 1,000 users who are not part of your development organization to beta test an app that you intend for public release on the App Store.

So instead of making a publicly available Beta version they are going to restrict to a maximum of 1000 Beta testers. Not so good for that SaaS developer with over 1000 customers is it? And even then – that functionality isn’t even release to the market yet! The whole TestFlight thing was only announced a few days ago!

In summary

So back to my title – if you’re a SaaS developer and you want to help your customers by reducing your risk and theirs in the mobile application deployment space, build for Android, not Apple. If you care about enterprise, then be aware that risk mitigation is a big thing. The reality is that as an enterprise developer we need to deliver for both Android and Apple devices, but one of them is clearly more enterprise friendly in one particular respect.

Would be great for Apple to take this on-board and offer a unrestricted “TestFlight” program for enterprise software developers… We can cross our fingers and hope!

Continuous Integration vs Phased Deployment in a SaaS world

I was very interested to read some links that Naomi Bloom posted about how Workday have moved to a continuous integration deployment model rather than a phased release.

As  developer, I love the idea of continuous integration, having a set of tests that can automatically check whether the code I have built will cause an issue in production and then allow me to move it up to prod immediately. It fits with TDD and all the other cool things I want to do. Awesome!

If I were writing code in the internal development teams of Workday or SuccessFactors, I’d want the software to be CI.

However! As a developer of extensions to one of those platforms, I couldn’t think of a worse option! If you look at the “disadvantages” section in the linked Wikipedia article on CI, you’ll notice that one very important thing is to have lots of good automatic test scripts. The problem is, a vendor can only possibly run their own test scripts, they can’t run mine. (Perhaps they could run mine if such an API was built, but could they justify not deploying to prod because a little used partner extension failed a script?) So what if some change that the vendor does breaks a behaviour in my code? Well, that’s bad for me. I’d better hurry up and fix it, because all my customers are now with broken code, and the first I found out about it – when it broke. And likely I’m not going to find out until I have one of my customers complain – unless I have proactively set my test scripts to run every hour and send me a message when something breaks, in which case I’d better be ready to do emergency support 24/7. Yeah, just what I want. NOT!

This would be a huge burden on a extension provider, you wouldn’t have a stable platform to build on.

With SuccessFactors being on a phased release rather than continuously integrated to production, it is much easier for me to join in with the testing of my solution before it hits the market. I know that my customers aren’t going to get a nasty shock because something suddenly breaks/changes behaviour, because I have a window to test that before it impacts them. I also know when that window is going to be, so I can plan around it and allocate my resources. Whilst the solution might be wonderfully cloudy and elastic, my skilled pool of extension developers is definitely less cloudy and more finite and fixed.

Now it might be possible to allow partners to have an early access box, and perhaps delay CI deploys to production by a week or so to allow partners to test their code. But that is one hell of an effort that you’re demanding of your partners to do that. And as one of those potential partners, I can say I’d be thinking very long and hard about the risk you as the vendor are putting me at, and probably would decide not to go there.

I think, that in a world where purchasing 3rd party add-ons for your cloud platform will become the norm (allow me my dreams please). And where the power of the platform is driven by these add-ons/apps, having a phased release makes sense. How cool would an iPhone be without any apps from the AppStore, how good would an S5 be without apps from Google Play? They are both great devices, but they are awesome when enhanced by external developer partners. These mobile solutions have phased releases. It’s not because they couldn’t have constant updates, the tech is easily there for that to happen, but because in order to sustain the applications/application developers that make them so cool they need to provide a stable platform.

I’m really glad that SuccessFactors provides a stable environment for me to build on, as I am convinced that HCM SaaS has a huge potential to be enhanced and extended to the better use and consumption of businesses. It’s a real strength of the solution, and I am very happy to be play a part this story, and that SAP and SuccessFactors are carefully considering the needs of the development partner in this scenario.

All that said, it would be cool to be developing in a continuous integration solution, but just not for the partners building on your solution.

Scaling or cropping profile images into circles when the source isn’t a square

WARNING CODE AHEAD

<geek>

It took me probably too long to figure out how to do this so I thought I’d share.

circles

To do this in a way that most browsers support wasn’t so obvious (to me).

in the end I did it by (approximately):

HTML

<div class="profile-image" style="background-image:url('profile-img1.jpg')">
 <img src="profile-img1.jpg">
</div>

CSS:

div.profile-image {
 width: 47px;
 height: 47px;
 background-repeat: no-repeat;
 background-position: center center;
 background-size: cover;
 overflow: hidden;
 border-radius: 23.5px;
 -webkit-border-radius: 23.5px;
 -moz-border-radius: 23.5px;
 box-shadow: 0 0 4px rgba(0, 0, 0, .8);
 -webkit-box-shadow: 0 0 4px rgba(0, 0, 0, .8);
 -moz-box-shadow: 0 0 4px rgba(0, 0, 0, .8);
 border-radius: 23.5px;
}
div.profile-image img {
min-height: 100%;
min-width: 100%;
 /* IE 8 */
-ms-filter: "progid:DXImageTransform.Microsoft.Alpha(Opacity=0)";
 /* IE 5-7 */
 filter: alpha(opacity = 0);
 /* modern browsers */
 opacity: 0;
}

The image tag is in there so it’s still possible for the user to interact with the image, i.e. save it if they want, but it is made see through.

So the user “sees” the background image which is positioned such that it covers the div, so all of circle will have content, and the middle bit of image will be shown. The circle is made by making the border radius half the width of the div.

The important bits were the “background-size: cover;” and the “background-position:center center;”

Obvious when you know how.

</geek> (as if!)

 

credits to : http://stackoverflow.com/questions/11552380/how-to-automatically-crop-and-center-an-image for the inspiration!

the future is fiori

#SAPPHIRENOW what it meant to a developer

I make no secret that I love developing. My favourite job title is “Chief HR Geek”, I adopt others as the need arises, but as a real in the dirt developer, content is always more important to me than flashy styling.

That’s why I was one of the only attendees at SAPPHIRENow 2014 wearing shorts. It’s fricking HOT in Orlando in June, wearing a suit?! Are you kidding me?

But it’s worth noting that to most businesses in the first instance, flashy styling is worth more than content! BUT – flashy styling with content, that’s awesome.

Fiori

With the announcement of Fiori being available as part of standard maintenance (yar boo sucks to those companies who’ve decided to skip SAP maintenance and have a third party do it) there comes the possibility of a double whammy of flashy styling and good underlying content.

The demo of a CFO drilling down in real-time to underperforming or problematic areas of the business and analysing why was compelling. I think Robbo has written about this as the killer app for HANA. I think he might be right.

But the key thing for a developer here, was the front end that this was achieved with, wasn’t a Business Objects add-on, wasn’t some WDA functionality. It was SAPUI5 over an OData layer exposed by Gateway.

If companies are going to be able to adopt these applications – and more and more of them are coming – there is going to be a clear need to support them.

Using tooling to build UI5 apps using ABAP won’t cut it

Whilst there are some amazing frameworks out there to help migrate stuck-in-the-mud ABAP developers across to building UI5 app, this does not help when there is a need to extend a standard Fiori app. Developers will need to learn JavaScript (or more properly ECMAScript, but that’s just me being pedantic.) If you can’t code JavaScript and refuse to learn, start calculating your redundancy payout because that’s what you’re going to be worth to your company. Alternatively, brush up on your SQL skills – and you can start writing some of the pushdown code for HANA. Either way, ABAP is going to be complementary to either DB manipulation or front-end display, but not a stand-alone skill set.

Fiori extension points

Did you know that many (not all!) Fiori apps have built-in extension points? You can use these to substantially alter the behaviour and appearance of the app. But to do so, there is something you should know – guess what? JavaScript!  Whilst the RDE (fingers cross for R to start meaning Rapid in near future) allows for some pretty amazing WYSIWYG modification to apps, the likelihood is that some form of developer intervention will be required. At the very least someone is going to have to figure out if the business requirement can/can’t be met using this simple customisation. And what skill set is going to be needed to figure out what those extensions can/can’t do? Yep you guessed it, JavaScript.

In Summary

For once I’m going to keep to a simple post without the detail that me as a developer I love so much. Because I want to emphasis this message.the future is fiori

I’m eventually learning to understand, unless you have flashy styling (Fiori), it doesn’t matter how good your content is (HANA) you can’t sell it. Combine the two together, and you have something that will change the marketplace and means developers need to change their game.

Perhaps if I ever attend SAPPHIRENow again, I’ll compromise and wear my jeans.

 

Code for UML sequence diagram extract from ABAP for plantUML

Well after a bit of umming and erring, I’ve decided that the safest way for me to share the code that I developed to extract the UML diagrams from SAP is to share it here. I could have potentially used GitHub, but an entire repository for one file that I doubt I’ll ever change again seemed like overkill.

It’s worth referencing this recent post by Nigel James and the responses to it:

http://scn.sap.com/community/abap/blog/2013/08/16/share-and-share-alike

This code is shared under an Apache Licence version 2.0 http://www.apache.org/licenses/LICENSE-2.0

class ZCL_XU_SEQUENCE_DIAGRAM definition
 public
 inheriting from CL_ATRA_UML
 create public .
public section.
* Copyright 2013 Chris Paine
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
 methods IF_ATRA_UML_TOOL~CREATE_UML_DATA
 redefinition .
 methods IF_ATRA_UML_TOOL~GET_XMI
 redefinition .
protected section.
private section.
data _T_CALL_STACK type TY_CALL_STACK_TAB .
interface IF_ATRA_UML_TOOL load .
 methods ADD_CALL
 importing
 !IV_DIAGRAM type STRING
 !IS_DETAILS type IF_ATRA_UML_TOOL=>TY_SAT_RECORD
 !IV_CALLER type I
 !IV_CALLED type I
 returning
 value(RV_DIAGRAM) type STRING .
 methods ADD_PARTICIPANT
 importing
 !IV_DIAGRAM type STRING
 !IS_OBJECT type TY_OBJECT
 !IT_OBJECTS type TY_OBJECT_TAB
 !IV_FIRST_TIME type BOOLE_D
 returning
 value(RV_DIAGRAM) type STRING .
 methods ADD_RETURN
 importing
 !IV_DIAGRAM type STRING
 !IV_RETURN_TO type I
 returning
 value(RV_DIAGRAM) type STRING .
 methods FILL_GAPS
 importing
 !IT_WITH_GAPS type IF_ATRA_UML_TOOL~TY_SAT_TAB
 returning
 value(RV_FILLED_GAPS) type IF_ATRA_UML_TOOL~TY_SAT_TAB .
 methods GET_SEQUENCE_DIAGRAM
 returning
 value(RV_DIAGRAM) type STRING .
ENDCLASS.

CLASS ZCL_XU_SEQUENCE_DIAGRAM IMPLEMENTATION.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Private Method ZCL_XU_SEQUENCE_DIAGRAM->ADD_CALL
* +-------------------------------------------------------------------------------------------------+
* | [--->] IV_DIAGRAM TYPE STRING
* | [--->] IS_DETAILS TYPE IF_ATRA_UML_TOOL=>TY_SAT_RECORD
* | [--->] IV_CALLER TYPE I
* | [--->] IV_CALLED TYPE I
* | [<-()] RV_DIAGRAM TYPE STRING
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD add_call.
DATA: lv_call TYPE string,
 ls_call_stack TYPE ty_call_stack,
 lv_text TYPE string,
 lv_prefix TYPE string.
IF iv_caller = iv_called AND is_details-caller <> is_details-called.
 lv_text = is_details-called && '->' && is_details-called_mod.
 ELSE.
 lv_text = is_details-called_mod.
 ENDIF.
CASE is_details-id.
 WHEN 'F'.
 lv_prefix = 'Perform'.
 WHEN 'U'.
 lv_prefix = 'Call FM'.
 WHEN 'm'.
 lv_prefix = 'Call method'.
 WHEN 'R'.
 lv_prefix = 'Create instance of class'.
 lv_text = is_details-called.
 WHEN 'X'. "skip over SAP code
 lv_prefix = '<b>Skipping over SAP code until calling'.
 lv_text = is_details-called_mod && '</b>'.
 ENDCASE.
lv_call = iv_caller && ` -> ` &&
 iv_called && `: ` &&
 lv_prefix && ` ` &&
 lv_text && cl_abap_char_utilities=>cr_lf &&
 `activate ` && iv_called && cl_abap_char_utilities=>cr_lf.
IF is_details-id = 'X'.
 lv_call = lv_call && `note over ` && iv_caller && ',' && iv_called && cl_abap_char_utilities=>cr_lf &&
 'Standard SAP code has called some custom code' && cl_abap_char_utilities=>cr_lf &&
 'end note' && cl_abap_char_utilities=>cr_lf.
 ENDIF.
ls_call_stack-code = iv_called.
 ls_call_stack-sap_code = is_details-aus_ebene.
 APPEND ls_call_stack TO _t_call_stack.
rv_diagram = iv_diagram && lv_call.
ENDMETHOD.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Private Method ZCL_XU_SEQUENCE_DIAGRAM->ADD_PARTICIPANT
* +-------------------------------------------------------------------------------------------------+
* | [--->] IV_DIAGRAM TYPE STRING
* | [--->] IS_OBJECT TYPE TY_OBJECT
* | [--->] IT_OBJECTS TYPE TY_OBJECT_TAB
* | [--->] IV_FIRST_TIME TYPE BOOLE_D
* | [<-()] RV_DIAGRAM TYPE STRING
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD add_participant.
DATA: lv_participant TYPE string,
 lv_name TYPE string,
 ls_object TYPE ty_object,
 lv_counter TYPE i,
 lv_create_or_not TYPE string.
CASE is_object-object_type.
 WHEN 'CLAS'.
 IF is_object-instance = 0.
 lv_name = 'Static Methods of Class\n' && is_object-object.
 ELSE.
* check how many other instances of same class exist.
 LOOP AT it_objects INTO ls_object
 WHERE object = is_object-object
 AND object_type = is_object-object_type
 AND instance <> 0.
 lv_counter = lv_counter + 1.
 IF ls_object-instance = is_object-instance.
 EXIT. "leave the loop.
 ENDIF.
 ENDLOOP.
 lv_name = `Instance ` && lv_counter && ` of Class\n` &&
 is_object-object.
 ENDIF.
 WHEN 'FUGR'.
 lv_name = `Function Group\n` && is_object-object+4.
 WHEN OTHERS.
 lv_name = is_object-object_type && '\n' && is_object-object.
 ENDCASE.
IF iv_first_time = abap_true.
 lv_create_or_not = 'participant "'.
 ELSE.
 lv_create_or_not = 'create "'.
 ENDIF.
 lv_participant = lv_create_or_not &&
 lv_name && `" as ` &&
 is_object-code && cl_abap_char_utilities=>cr_lf.
rv_diagram = iv_diagram && lv_participant.
ENDMETHOD.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Private Method ZCL_XU_SEQUENCE_DIAGRAM->ADD_RETURN
* +-------------------------------------------------------------------------------------------------+
* | [--->] IV_DIAGRAM TYPE STRING
* | [--->] IV_RETURN_TO TYPE I
* | [<-()] RV_DIAGRAM TYPE STRING
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD add_return.
DATA: ls_call_stack_from TYPE ty_call_stack,
 ls_call_stack_to TYPE ty_call_stack,
 lv_stack_pointer TYPE i,
 lv_return TYPE string.
 lv_stack_pointer = lines( _t_call_stack ).
 rv_diagram = iv_diagram.
IF lv_stack_pointer > 0.
 READ TABLE _t_call_stack INTO ls_call_stack_from INDEX lv_stack_pointer.
 WHILE ls_call_stack_from-sap_code >= iv_return_to.
 READ TABLE _t_call_stack INTO ls_call_stack_to INDEX ( lv_stack_pointer - 1 ).
lv_return = ls_call_stack_from-code && ` --> ` && ls_call_stack_to-code && cl_abap_char_utilities=>cr_lf &&
 `deactivate ` && ls_call_stack_from-code && cl_abap_char_utilities=>cr_lf.
 rv_diagram = rv_diagram && lv_return.
DELETE _t_call_stack INDEX lv_stack_pointer.
 lv_stack_pointer = lv_stack_pointer - 1.
 IF lv_stack_pointer = 0.
 EXIT.
 ENDIF.
 READ TABLE _t_call_stack INTO ls_call_stack_from INDEX lv_stack_pointer.
 ENDWHILE.
 ENDIF.
ENDMETHOD.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Private Method ZCL_XU_SEQUENCE_DIAGRAM->FILL_GAPS
* +-------------------------------------------------------------------------------------------------+
* | [--->] IT_WITH_GAPS TYPE IF_ATRA_UML_TOOL~TY_SAT_TAB
* | [<-()] RV_FILLED_GAPS TYPE IF_ATRA_UML_TOOL~TY_SAT_TAB
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD fill_gaps.
 DATA: lt_without_gaps TYPE if_atra_uml_tool=>ty_sat_tab,
 ls_previous_line TYPE if_atra_uml_tool=>ty_sat_record,
 ls_gap TYPE if_atra_uml_tool=>ty_sat_record,
 ls_line TYPE if_atra_uml_tool=>ty_sat_record.
LOOP AT it_with_gaps INTO ls_line.
 IF ls_previous_line IS NOT INITIAL.
 IF ( ls_line-caller <> ls_previous_line-called
 OR ls_line-caller_inst <> ls_previous_line-called_inst
 OR ls_line-caller_type <> ls_previous_line-called_type ) AND
 ls_line-aus_ebene > ls_previous_line-aus_ebene.
* need to insert a new line into the table at this point to link the two together.
 ls_gap-caller = ls_previous_line-called.
 ls_gap-caller_inst = ls_previous_line-called_inst.
 ls_gap-caller_type = ls_previous_line-called_type.
 ls_gap-called = ls_line-caller.
 ls_gap-called_inst = ls_line-caller_inst.
 ls_gap-called_type = ls_line-caller_type.
 ls_gap-aus_ebene = ls_previous_line-aus_ebene.
 ls_gap-id = 'X'. "skip
APPEND ls_gap TO lt_without_gaps.
 ELSE.
 ls_previous_line = ls_line.
 ENDIF.
 ELSE.
 ls_previous_line = ls_line.
 ENDIF.
APPEND ls_line TO lt_without_gaps.
 ENDLOOP.
rv_filled_gaps = lt_without_gaps.
ENDMETHOD.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Private Method ZCL_XU_SEQUENCE_DIAGRAM->GET_SEQUENCE_DIAGRAM
* +-------------------------------------------------------------------------------------------------+
* | [<-()] RV_DIAGRAM TYPE STRING
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD get_sequence_diagram.
 DATA: ls_line TYPE if_atra_uml_tool=>ty_sat_record,
 ls_object TYPE ty_object,
 ls_last_call TYPE if_atra_uml_tool=>ty_sat_record,
 lv_next_object TYPE i,
 lv_first_time TYPE boole_d,
 ls_first_call TYPE ty_call_stack,
 lt_objects TYPE ty_object_tab.
FIELD-SYMBOLS: <ls_caller> TYPE ty_object,
 <ls_called> TYPE ty_object.
rv_diagram =
 '@startuml' && cl_abap_char_utilities=>cr_lf &&
 'hide footbox' && cl_abap_char_utilities=>cr_lf &&
 'autonumber' && cl_abap_char_utilities=>cr_lf.
* first of all, lets get all the objects
LOOP AT if_atra_uml_tool~sat_tab INTO ls_line.
IF ( ls_line-caller(1) = 'Z' OR ls_line-called(1) = 'Z' )
 AND ls_line-caller IS NOT INITIAL.
 ls_object-object = ls_line-caller.
 ls_object-object_type = ls_line-caller_type.
 ls_object-instance = ls_line-caller_inst.
IF ls_object-instance <> 0.
 READ TABLE lt_objects TRANSPORTING NO FIELDS
 WITH KEY instance = ls_object-instance.
 ELSE.
 READ TABLE lt_objects TRANSPORTING NO FIELDS
 WITH KEY object = ls_object-object
 instance = ls_object-instance.
 ENDIF.
 IF sy-subrc <> 0.
 APPEND ls_object TO lt_objects.
 ENDIF.
ls_object-object = ls_line-called.
 ls_object-object_type = ls_line-called_type.
 ls_object-instance = ls_line-called_inst.
IF ls_object-instance <> 0.
 READ TABLE lt_objects TRANSPORTING NO FIELDS
 WITH KEY instance = ls_object-instance.
 ELSE.
 READ TABLE lt_objects TRANSPORTING NO FIELDS
 WITH KEY object = ls_object-object
 instance = ls_object-instance.
 ENDIF.
 IF sy-subrc <> 0.
 APPEND ls_object TO lt_objects.
 ENDIF.
*we do special handling for construction - but don't want to show twice in diagram
 IF ls_last_call-id = 'R'. "constructor
 IF ls_line-called_mod = 'CONSTRUCTOR'
 AND ls_line-called = ls_last_call-called
 AND ls_line-called_inst = ls_last_call-called_inst.
* this line is a duplicate of the previous line
 DELETE if_atra_uml_tool~sat_tab.
 ENDIF.
 ENDIF.
ELSE.
* this line does not concern code that we are concerned about documenting
 DELETE if_atra_uml_tool~sat_tab.
 ENDIF.
ls_last_call = ls_line.
 ENDLOOP.
* now there will possibly be some gaps in the sequence if custom code calls standard SAP code
* that calls custom code.
if_atra_uml_tool~sat_tab = fill_gaps( if_atra_uml_tool~sat_tab ).

* ok now have all objects, let's go through and put together the diagram
 ls_last_call-aus_ebene = - 1.
 lv_first_time = abap_true.
 LOOP AT if_atra_uml_tool~sat_tab INTO ls_line.
* is this an implicit return?
 IF ls_line-aus_ebene <= ls_last_call-aus_ebene.
rv_diagram = add_return( iv_diagram = rv_diagram
 iv_return_to = ls_line-aus_ebene ).
 ENDIF.
* does caller object already exist?
 READ TABLE lt_objects ASSIGNING <ls_caller>
 WITH KEY object = ls_line-caller
 instance = ls_line-caller_inst.
IF <ls_caller>-code IS INITIAL.
 lv_next_object = lv_next_object + 1.
 <ls_caller>-code = lv_next_object.
* add participant
 rv_diagram = add_participant( iv_diagram = rv_diagram
 is_object = <ls_caller>
 it_objects = lt_objects
 iv_first_time = lv_first_time ).
 lv_first_time = abap_false.
ENDIF.
* handle the case of very first call
 IF ls_first_call IS INITIAL.
 ls_first_call-code = 1.
 ls_first_call-sap_code = ls_line-aus_ebene.
 APPEND ls_first_call TO _t_call_stack.
 rv_diagram = rv_diagram && 'activate 1' && cl_abap_char_utilities=>cr_lf.
 ENDIF.
* does called object already exist?
 READ TABLE lt_objects ASSIGNING <ls_called>
 WITH KEY object = ls_line-called
 instance = ls_line-called_inst.
IF <ls_called>-code IS INITIAL.
 lv_next_object = lv_next_object + 1.
 <ls_called>-code = lv_next_object.
* add participant
 rv_diagram = add_participant( iv_diagram = rv_diagram
 is_object = <ls_called>
 it_objects = lt_objects
 iv_first_time = abap_false ).
ENDIF.
rv_diagram = add_call( iv_diagram = rv_diagram
 iv_caller = <ls_caller>-code
 iv_called = <ls_called>-code
 is_details = ls_line ).
 ls_last_call = ls_line.
 ENDLOOP.
rv_diagram = add_return( iv_diagram = rv_diagram
 iv_return_to = ls_first_call-sap_code ).
rv_diagram = rv_diagram && '@enduml' && cl_abap_char_utilities=>newline.
ENDMETHOD.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Public Method ZCL_XU_SEQUENCE_DIAGRAM->IF_ATRA_UML_TOOL~CREATE_UML_DATA
* +-------------------------------------------------------------------------------------------------+
* | [--->] IT_SAT_TAB TYPE IF_ATRA_UML_TOOL=>TY_SAT_TAB
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD if_atra_uml_tool~create_uml_data.
* rebuild to export data as UMLet compatible source
 if_atra_uml_tool~sat_tab = it_sat_tab.

DATA: lv_filename TYPE string,
 lv_path TYPE string,
 lv_fullpath TYPE string.
cl_gui_frontend_services=>file_save_dialog(
 EXPORTING
 window_title = 'Save As PlantUML data' " Window Title
 default_extension = '.txt'" Default Extension
* default_file_name = " Default File Name
* with_encoding =
* file_filter = " File Type Filter Table
* initial_directory = " Initial Directory
* prompt_on_overwrite = 'X'
 CHANGING
 filename = lv_filename " File Name to Save
 path = lv_path " Path to File
 fullpath = lv_fullpath " Path + File Name
* user_action = " User Action (C Class Const ACTION_OK, ACTION_OVERWRITE etc)
* file_encoding =
 EXCEPTIONS
 OTHERS = 0 ).
if_atra_uml_tool~fname = lv_fullpath.
if_atra_uml_tool~generate_xmi_file( ) .
ENDMETHOD.
* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Public Method ZCL_XU_SEQUENCE_DIAGRAM->IF_ATRA_UML_TOOL~GET_XMI
* +-------------------------------------------------------------------------------------------------+
* | [<---] C_DATA TYPE REF TO DATA
* +--------------------------------------------------------------------------------------</SIGNATURE>
METHOD if_atra_uml_tool~get_xmi.
DATA lv_ref_xstr TYPE REF TO xstring.
 FIELD-SYMBOLS <lv_xstr> TYPE xstring.
CREATE DATA lv_ref_xstr.
 ASSIGN lv_ref_xstr->* TO <lv_xstr>.
TRY.
 <lv_xstr> = cl_bcs_convert=>string_to_xstring( iv_string = get_sequence_diagram( ) ).
 CATCH cx_bcs. "#EC NO_HANDLER
* if this happens we're buggered. not much to do really
ENDTRY.
 c_data = lv_ref_xstr.
ENDMETHOD.
ENDCLASS.

 

 

run from doco

I hate doco

It’s kinda a mantra that I live a reasonable part of my life to. I think the above image is a not unjustifiable representation of my feelings about documentation:

But there are many good reasons that I should be doing doco. Most of them are supposed to save the customer money in the long run. And occasionally by doing the doco, I even find some small errors in my code that I hadn’t seen before.

 InnoJam Sydney 2011

Before InnoJam had any of that fun fluffy design thinking aspect to it, we ran one in Sydney. It was good fun, and people could build whatever the heck they wanted.

In staying true to my aversion for writing doco, I came up with an idea about auto-generation UML diagrams from SAP code.

Here’s a video of the solution we came up with:

here’s a link to the Prezi that I presented in that video:

http://prezi.com/zri5q-ib4vzp/?utm_campaign=share&utm_medium=copy&rc=ex0share

I wrote a blog post about it:

https://scn.sap.com/blogs/chris.paine2/2011/08/10/programmers-are-lazy–innojam-them

But it was long time ago and the move to a new version of SCN has kinda buggered it up.

Anyway, in short – Rui never managed to get the terms and conditions of CodeExchange changed to a level where I’m happy to support it and put code in there. I’m pretty sure he tried though. So I didn’t do anything with the code.

 

Fast forward 3 years

I have a whiteboard in the office covered in post-it notes. They all represent at least one development that I’ve done for the current project I’m working on. At the beginning of the project, I was very good, and did all my doco as I went along. Then the poo hit the fan, and everyone wanted everything done yesterday, and didn’t care about doco.

So I now have a whiteboard full of post-it notes that represent potentially weeks of doco hell for me. So in my “free time” in the evening I decided to see if I could recreate the solution that we’d built in Sydney, and perhaps make it a little nicer.

 

UML output

The first thing I decided, was that I was NOT going to try to build the graphical output myself. Having had lots of fun in Sydney trying to make Gravity do something it really wasn’t designed for I thought I’d research how else I could get my interaction diagrams created.

If in doubt Wikipedia

http://en.wikipedia.org/wiki/List_of_UML_tools

There were loads there, and I’d pretty much decided on UMLet when I discovered something about interaction diagrams. Basically, interaction diagrams are supposed to show interaction between objects. Bit bloody obvious really. However, the thing is, if I’m documenting my code, I’d really like to show the interaction within my objects too. I.e. if I make a call to a private method of my class, I’d really like that to show up in my diagram. Given that interaction diagrams are only supposed to show external interaction it’s not surprising that most of the tools for creating the diagrams don’t really support this idea of internal object calls.

So a bit of browsing later and I found PlantUML. It has some awesome functionality for creating sequence diagrams, actually, most UML diagrams it seems, but it was the sequence diagrams that I was interested in.

Here’s a simple example:simple_example

 

 

See how it’s quite possible to show “internal” calls of an instance and also show the life time of those calls. This feature I didn’t find on the other free UML tools that I looked at. There are a bunch of other formatting features that can be used too. If you’re interested check out their website: http://plantuml.sourceforge.net/sequence.html

 

Intercepting the SAP standard UML generation

So in transaction SAT there is the possibility to generate your own JNet UML sequence diagram (this exists as standard.)

press the button

 

However, it does not allow you to do things like filter out standard SAP routines (as far as I know! If anyone can tell me how to do this (without needing to list every method I call, please let me know!) When I was looking at one of my examples, where I ran a program to generate a performance review document for an employee, there were over 100,000 different routines called. Only about 400 of those calls involved my code, so you can imagine generating a UML diagram for the whole 100,000 calls would be a bit of overkill (not to mention an impossible to read diagram).

In customer systems there is a function module  ATRA_UML_DECIDER  that has been purposely handicapped. One does have to wonder why this has been done, but nevertheless it has.  It allows the user to chose from a list of potential UML extraction routines. All of these routines implement the IF_ATRA_UML_TOOL interface. There are classes for extracting to JNet, Borland Together and Altova. Now, I’m sure that Borland and Altova have good products, it’s just that I don’t really want to spend money on then when there are perfectly good (for my tasks) free and open source products out there.

There is a factory class/method CL_ATRA_UML_FACTORY  that creates an instance of a class implementing the interface. I overrode this method to use my particular extractor if it was me running the code. In the future, I might enhance this to check for a user role, or perhaps a user parameter, that’s trivial, the main point will be to allow others to access this logic too.

The guts of the code

Simply my implementation of the interface reads the table of data that is passed to the interface, removes all calls that aren’t to or from custom code and then builds a PlantUML representation of that code.

Here’s a very simple output that generates the diagram above.

@startuml
hide footbox
autonumber
participant "Instance 1 of Class\nZCL_HR_EMPLOYEE" as 1
1 -> 1: Call method GET_HELD_QUALIFICATIONS
activate 1
1 -> 1: Call method ZCL_HR_OBJECT->GET_RELATIONSHIPS
activate 1
create "Static Methods of Class\nCL_HRBAS_READ_INFOTYPE" as 2
1 -> 2: Call method GET_INSTANCE
activate 2
2 --> 1
deactivate 2
create "Instance 1 of Class\nCL_HRBAS_READ_INFOTYPE" as 3
1 -> 3: Call method IF_HRBAS_READ_INFOTYPE~READ_PLAIN_1001
activate 3
3 --> 1
deactivate 3
1 --> 1
deactivate 1
create "Instance 1 of Class\nZCL_HR_QUALIFICATION" as 4
1 -> 4: Create instance of class ZCL_HR_QUALIFICATION
activate 4
4 -> 4: Call method ZCL_HR_OBJECT->CONSTRUCTOR
activate 4
create "Function Group\nRHS0" as 5
4 -> 5: Call FM RH_GET_ACTIVE_WF_PLVAR
activate 5
5 --> 4
deactivate 5
4 --> 4
deactivate 4
4 --> 1
deactivate 4
deactivate 1
@enduml

 

 A slightly less trivial example

The following code does some pretty simple stuff, it finds who is my manager, and finds out what required qualifications my position/job has.

DATA: lo_emp TYPE REF TO zcl_hr_employee,
lt_managers TYPE ztthr_employee_objects,
lt_required_quals TYPE ztthr_qualifications.

TRY.
lo_emp = zcl_hr_employee=>get_employee_by_user_id( sy-uname ).

lt_managers = lo_emp->get_position( )->get_managers_recursive( ).
lt_required_quals = lo_emp->get_position( )->get_required_qualifications( ).

CATCH zcx_hr_no_managing_pos_found  ” No managing position found
zcx_hr_no_holders_found  ” no holders for position found.
zcx_hr_no_position_found    ” no position found
zcx_hr_user_id_not_found.  ” cannot find user id for employee
ENDTRY.

So I thought I’d trace it:

it works out at around 200,000 different routines being called. 62 of those are my code, the rest standard.

run through 1

First of all, I need to schedule a trace for myself…

run through 2

 

run through 3

 

Need to know which session I will be recording. If I left it as “Any” it will start recording this session, not very useful!

run through 4

 

Session 2 it is!

run through 5

run through 6

actually run it now!

and the schedule status changes to executed.

run through 7

 

I now need to delete the scheduled measurement. Despite the intimidating words, this does not delete my measurement, just the scheduling of it.

run through 8

 

now swapping to the “Evaluate” tab in SAT I can see my measurement, and I can click to output to UML

run through 9

 

 

Clicking on the button triggers a bit of a pause whilst the system code chugs away and does loads of stuff it doesn’t need to do…

 

Then

run through 10

Save the data and PlantUML starts converting it immediately:

run through 11

 

and the result:

example

Would probably have been a little bigger if my employee had a job assigned to their position, but you can see how incredibly easy this now makes documenting the functionality I’ve built.

I’m still considering how to make the code publicly available. I’m sure someone else would be happy to post it to CodeExchange, so perhaps I’ll let them.