aws-sdk-core 3.131.1 → 3.168.1

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+module Aws
+  class SSOTokenProvider
+
+    include TokenProvider
+    include RefreshingToken
+
+    # @api private
+    SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
+
+    # @api private
+    SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
+    'expired or is otherwise invalid. To refresh this SSO session run '\
+    'aws sso login with the corresponding profile.'.freeze
+
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [required, String] :sso_session The SSO Session used to
+    #   for fetching this token.
+    #
+    # @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`.  If not
+    #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+
+      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
+      unless missing_keys.empty?
+        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      end
+
+      @sso_session = options.delete(:sso_session)
+      @sso_region = options.delete(:sso_region)
+
+      options[:region] = @sso_region
+      options[:credentials] = nil
+      options[:token_provider] = nil
+      @client = options[:client] || Aws::SSOOIDC::Client.new(options)
+
+      super
+    end
+
+    # @return [SSOOIDC::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # token is valid and not in refresh window - do not refresh it.
+      return if @token && @token.expiration && !near_expiration?
+
+      # token may not exist or is out of the expiration window
+      # attempt to refresh from disk first (another process/application may have refreshed already)
+      token_json = read_cached_token
+      @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+      return if @token && @token.expiration && !near_expiration?
+
+      # The token is expired and needs to be refreshed
+      if can_refresh_token?(token_json)
+        begin
+          current_time = Time.now
+          resp = @client.create_token(
+            grant_type: 'refresh_token',
+            client_id: token_json['clientId'],
+            client_secret: token_json['clientSecret'],
+            refresh_token: token_json['refreshToken']
+          )
+          token_json['accessToken'] = resp.access_token
+          token_json['expiresAt'] = current_time + resp.expires_in
+          @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+
+          if resp.refresh_token
+            token_json['refreshToken'] = resp.refresh_token
+          else
+            token_json.delete('refreshToken')
+          end
+
+          update_token_cache(token_json)
+        rescue
+          # refresh has failed, continue attempting to use the token if its not hard expired
+        end
+      end
+
+      if !@token.expiration || @token.expiration < Time.now
+        # Token is hard expired, raise an exception
+        raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
+      end
+    end
+
+    def read_cached_token
+      cached_token = Json.load(File.read(sso_cache_file))
+      # validation
+      unless cached_token['accessToken'] && cached_token['expiresAt']
+        raise ArgumentError, 'Missing required field(s)'
+      end
+      cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
+      raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
+      File.write(sso_cache_file, Json.dump(cached_token))
+    end
+
+    def sso_cache_file
+      sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
+      File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
+    rescue ArgumentError
+      # Dir.home raises ArgumentError when ENV['home'] is not set
+      raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
+    end
+
+    # return true if all required fields are present
+    # return false if registrationExpiresAt exists and is later than now
+    def can_refresh_token?(token_json)
+      if token_json['clientId'] &&
+        token_json['clientSecret'] &&
+        token_json['refreshToken']
+
+        return !token_json['registrationExpiresAt'] ||
+          Time.parse(token_json['registrationExpiresAt']) > Time.now
+      else
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/static_token_provider.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Aws
+  class StaticTokenProvider
+
+    include TokenProvider
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = Token.new(token, expiration)
+    end
+  end
+end

data/lib/aws-sdk-core/structure.rb

@@ -28,18 +28,20 @@ module Aws
     # in stdlib Struct.
     #
     # @return [Hash]
-    def to_h(obj = self)
+    def to_h(obj = self, options = {})
       case obj
       when Struct
         obj.each_pair.with_object({}) do |(member, value), hash|
-          hash[member] = to_hash(value) unless value.nil?
+          member = member.to_s if options[:as_json]
+          hash[member] = to_hash(value, options) unless value.nil?
         end
       when Hash
         obj.each.with_object({}) do |(key, value), hash|
-          hash[key] = to_hash(value)
+          key = key.to_s if options[:as_json]
+          hash[key] = to_hash(value, options)
         end
       when Array
-        obj.collect { |value| to_hash(value) }
+        obj.collect { |value| to_hash(value, options) }
       else
         obj
       end

data/lib/aws-sdk-core/token.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aws
+  class Token
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = token
+      @expiration = expiration
+    end
+
+    # @return [String, nil]
+    attr_reader :token
+
+    # @return [Time, nil]
+    attr_reader :expiration
+
+    # @return [Boolean] Returns `true` if token is set
+    def set?
+      !token.nil? && !token.empty?
+    end
+
+    # Removing the token from the default inspect string.
+    # @api private
+    def inspect
+      "#<#{self.class.name} token=[FILTERED]> expiration=#{expiration}>"
+    end
+
+  end
+end

data/lib/aws-sdk-core/token_provider.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Aws
+  module TokenProvider
+
+    # @return [Token]
+    attr_reader :token
+
+    # @return [Boolean]
+    def set?
+      !!token && token.set?
+    end
+
+  end
+end

data/lib/aws-sdk-core/token_provider_chain.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  class TokenProviderChain
+    def initialize(config = nil)
+      @config = config
+    end
+
+    # @return [TokenProvider, nil]
+    def resolve
+      providers.each do |method_name, options|
+        provider = send(method_name, options.merge(config: @config))
+        return provider if provider && provider.set?
+      end
+      nil
+    end
+
+    private
+
+    def providers
+      [
+        [:static_profile_sso_token, {}],
+        [:sso_token, {}]
+      ]
+    end
+
+    def static_profile_sso_token(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.sso_token_from_config(
+          profile: options[:config].profile
+        )
+      end
+    end
+
+
+    def sso_token(options)
+      profile_name = determine_profile_name(options)
+      if Aws.shared_config.config_enabled?
+        Aws.shared_config.sso_token_from_config(profile: profile_name)
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def determine_profile_name(options)
+      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+    end
+
+  end
+end

data/lib/aws-sdk-core/xml/error_handler.rb

@@ -24,6 +24,7 @@ module Aws
         else
           code, message, data = extract_error(body, context)
         end
+        context[:request_id] = request_id(body)
         errors_module = context.client.class.errors_module
         error_class = errors_module.error_class(code).new(context, message, data)
         error_class
@@ -94,6 +95,12 @@ module Aws
         end
       end
 
+      def request_id(body)
+        if matches = body.match(/<RequestId>(.+?)<\/RequestId>/m)
+          matches[1]
+        end
+      end
+
       def unescape(str)
         CGI.unescapeHTML(str)
       end

data/lib/aws-sdk-core.rb

@@ -20,6 +20,15 @@ require_relative 'aws-sdk-core/shared_credentials'
 require_relative 'aws-sdk-core/process_credentials'
 require_relative 'aws-sdk-core/sso_credentials'
 
+# tokens and token providers
+require_relative 'aws-sdk-core/token'
+require_relative 'aws-sdk-core/token_provider'
+require_relative 'aws-sdk-core/static_token_provider'
+require_relative 'aws-sdk-core/refreshing_token'
+require_relative 'aws-sdk-core/sso_token_provider'
+require_relative 'aws-sdk-core/token_provider_chain'
+require_relative 'aws-sdk-core/plugins/bearer_authorization'
+
 # client modules
 
 require_relative 'aws-sdk-core/client_stubs'
@@ -88,6 +97,10 @@ require_relative 'aws-sdk-core/arn'
 require_relative 'aws-sdk-core/arn_parser'
 require_relative 'aws-sdk-core/ec2_metadata'
 
+# dynamic endpoints
+require_relative 'aws-sdk-core/endpoints'
+require_relative 'aws-sdk-core/plugins/signature_v4'
+
 # defaults
 require_relative 'aws-defaults'
 
@@ -99,6 +112,7 @@ require_relative 'aws-sdk-sts'
 
 # aws-sdk-sso is included to support Aws::SSOCredentials
 require_relative 'aws-sdk-sso'
+require_relative 'aws-sdk-ssooidc'
 
 module Aws
 

data/lib/aws-sdk-sso/client.rb

@@ -30,7 +30,7 @@ require 'aws-sdk-core/plugins/http_checksum.rb'
 require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
-require 'aws-sdk-core/plugins/signature_v4.rb'
+require 'aws-sdk-core/plugins/sign.rb'
 require 'aws-sdk-core/plugins/protocols/rest_json.rb'
 
 Aws::Plugins::GlobalConfiguration.add_identifier(:sso)
@@ -79,8 +79,9 @@ module Aws::SSO
     add_plugin(Aws::Plugins::ChecksumAlgorithm)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
-    add_plugin(Aws::Plugins::SignatureV4)
+    add_plugin(Aws::Plugins::Sign)
     add_plugin(Aws::Plugins::Protocols::RestJson)
+    add_plugin(Aws::SSO::Plugins::Endpoints)
 
     # @overload initialize(options)
     #   @param [Hash] options
@@ -287,6 +288,19 @@ module Aws::SSO
     #     ** Please note ** When response stubbing is enabled, no HTTP
     #     requests are made, and retries are disabled.
     #
+    #   @option options [Aws::TokenProvider] :token_provider
+    #     A Bearer Token Provider. This can be an instance of any one of the
+    #     following classes:
+    #
+    #     * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+    #       tokens.
+    #
+    #     * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+    #       access token generated from `aws login`.
+    #
+    #     When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+    #     will be used to search for tokens configured for your profile in shared configuration files.
+    #
     #   @option options [Boolean] :use_dualstack_endpoint
     #     When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
     #     will be used if available.
@@ -300,6 +314,9 @@ module Aws::SSO
     #     When `true`, request parameters are validated before
     #     sending the request.
     #
+    #   @option options [Aws::SSO::EndpointProvider] :endpoint_provider
+    #     The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::SSO::EndpointParameters`
+    #
     #   @option options [URI::HTTP,String] :http_proxy A proxy to send
     #     requests through.  Formatted like 'http://proxy.com:123'.
     #
@@ -362,7 +379,8 @@ module Aws::SSO
     #
     # @option params [required, String] :access_token
     #   The token issued by the `CreateToken` API call. For more information,
-    #   see [CreateToken][1] in the *AWS SSO OIDC API Reference Guide*.
+    #   see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
+    #   Guide*.
     #
     #
     #
@@ -407,7 +425,8 @@ module Aws::SSO
     #
     # @option params [required, String] :access_token
     #   The token issued by the `CreateToken` API call. For more information,
-    #   see [CreateToken][1] in the *AWS SSO OIDC API Reference Guide*.
+    #   see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
+    #   Guide*.
     #
     #
     #
@@ -450,8 +469,8 @@ module Aws::SSO
 
     # Lists all AWS accounts assigned to the user. These AWS accounts are
     # assigned by the administrator of the account. For more information,
-    # see [Assign User Access][1] in the *AWS SSO User Guide*. This
-    # operation returns a paginated response.
+    # see [Assign User Access][1] in the *IAM Identity Center User Guide*.
+    # This operation returns a paginated response.
     #
     #
     #
@@ -466,7 +485,8 @@ module Aws::SSO
     #
     # @option params [required, String] :access_token
     #   The token issued by the `CreateToken` API call. For more information,
-    #   see [CreateToken][1] in the *AWS SSO OIDC API Reference Guide*.
+    #   see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
+    #   Guide*.
     #
     #
     #
@@ -504,12 +524,32 @@ module Aws::SSO
       req.send_request(options)
     end
 
-    # Removes the client- and server-side session that is associated with
-    # the user.
+    # Removes the locally stored SSO tokens from the client-side cache and
+    # sends an API call to the IAM Identity Center service to invalidate the
+    # corresponding server-side IAM Identity Center sign in session.
+    #
+    # <note markdown="1"> If a user uses IAM Identity Center to access the AWS CLI, the user’s
+    # IAM Identity Center sign in session is used to obtain an IAM session,
+    # as specified in the corresponding IAM Identity Center permission set.
+    # More specifically, IAM Identity Center assumes an IAM role in the
+    # target account on behalf of the user, and the corresponding temporary
+    # AWS credentials are returned to the client.
+    #
+    #  After user logout, any existing IAM role sessions that were created by
+    # using IAM Identity Center permission sets continue based on the
+    # duration configured in the permission set. For more information, see
+    # [User authentications][1] in the *IAM Identity Center User Guide*.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html
     #
     # @option params [required, String] :access_token
     #   The token issued by the `CreateToken` API call. For more information,
-    #   see [CreateToken][1] in the *AWS SSO OIDC API Reference Guide*.
+    #   see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
+    #   Guide*.
     #
     #
     #
@@ -545,7 +585,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.131.1'
+      context[:gem_version] = '3.168.1'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso/endpoint_parameters.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing guide for more information:
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws::SSO
+  # Endpoint parameters used to influence endpoints per request.
+  #
+  # @!attribute region
+  #   The AWS region used to dispatch the request.
+  #
+  #   @return [String]
+  #
+  # @!attribute use_dual_stack
+  #   When true, use the dual-stack endpoint. If the configured endpoint does not support dual-stack, dispatching the request MAY return an error.
+  #
+  #   @return [Boolean]
+  #
+  # @!attribute use_fips
+  #   When true, send this request to the FIPS-compliant regional endpoint. If the configured endpoint does not have a FIPS compliant endpoint, dispatching the request will return an error.
+  #
+  #   @return [Boolean]
+  #
+  # @!attribute endpoint
+  #   Override the endpoint used to send this request
+  #
+  #   @return [String]
+  #
+  EndpointParameters = Struct.new(
+    :region,
+    :use_dual_stack,
+    :use_fips,
+    :endpoint,
+  ) do
+    include Aws::Structure
+
+    # @api private
+    class << self
+      PARAM_MAP = {
+        'Region' => :region,
+        'UseDualStack' => :use_dual_stack,
+        'UseFIPS' => :use_fips,
+        'Endpoint' => :endpoint,
+      }.freeze
+    end
+
+    def initialize(options = {})
+      self[:region] = options[:region]
+      self[:use_dual_stack] = options[:use_dual_stack]
+      self[:use_dual_stack] = false if self[:use_dual_stack].nil?
+      if self[:use_dual_stack].nil?
+        raise ArgumentError, "Missing required EndpointParameter: :use_dual_stack"
+      end
+      self[:use_fips] = options[:use_fips]
+      self[:use_fips] = false if self[:use_fips].nil?
+      if self[:use_fips].nil?
+        raise ArgumentError, "Missing required EndpointParameter: :use_fips"
+      end
+      self[:endpoint] = options[:endpoint]
+    end
+  end
+end

data/lib/aws-sdk-sso/endpoint_provider.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing guide for more information:
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws::SSO
+  class EndpointProvider
+    def initialize(rule_set = nil)
+      @@rule_set ||= begin
+        endpoint_rules = Aws::Json.load(Base64.decode64(RULES))
+        Aws::Endpoints::RuleSet.new(
+          version: endpoint_rules['version'],
+          service_id: endpoint_rules['serviceId'],
+          parameters: endpoint_rules['parameters'],
+          rules: endpoint_rules['rules']
+        )
+      end
+      @provider = Aws::Endpoints::RulesProvider.new(rule_set || @@rule_set)
+    end
+
+    def resolve_endpoint(parameters)
+      @provider.resolve_endpoint(parameters)
+    end
+
+    # @api private
+    RULES = <<-JSON
+eyJ2ZXJzaW9uIjoiMS4wIiwicGFyYW1ldGVycyI6eyJSZWdpb24iOnsiYnVp
+bHRJbiI6IkFXUzo6UmVnaW9uIiwicmVxdWlyZWQiOmZhbHNlLCJkb2N1bWVu
+dGF0aW9uIjoiVGhlIEFXUyByZWdpb24gdXNlZCB0byBkaXNwYXRjaCB0aGUg
+cmVxdWVzdC4iLCJ0eXBlIjoiU3RyaW5nIn0sIlVzZUR1YWxTdGFjayI6eyJi
+dWlsdEluIjoiQVdTOjpVc2VEdWFsU3RhY2siLCJyZXF1aXJlZCI6dHJ1ZSwi
+ZGVmYXVsdCI6ZmFsc2UsImRvY3VtZW50YXRpb24iOiJXaGVuIHRydWUsIHVz
+ZSB0aGUgZHVhbC1zdGFjayBlbmRwb2ludC4gSWYgdGhlIGNvbmZpZ3VyZWQg
+ZW5kcG9pbnQgZG9lcyBub3Qgc3VwcG9ydCBkdWFsLXN0YWNrLCBkaXNwYXRj
+aGluZyB0aGUgcmVxdWVzdCBNQVkgcmV0dXJuIGFuIGVycm9yLiIsInR5cGUi
+OiJCb29sZWFuIn0sIlVzZUZJUFMiOnsiYnVpbHRJbiI6IkFXUzo6VXNlRklQ
+UyIsInJlcXVpcmVkIjp0cnVlLCJkZWZhdWx0IjpmYWxzZSwiZG9jdW1lbnRh
+dGlvbiI6IldoZW4gdHJ1ZSwgc2VuZCB0aGlzIHJlcXVlc3QgdG8gdGhlIEZJ
+UFMtY29tcGxpYW50IHJlZ2lvbmFsIGVuZHBvaW50LiBJZiB0aGUgY29uZmln
+dXJlZCBlbmRwb2ludCBkb2VzIG5vdCBoYXZlIGEgRklQUyBjb21wbGlhbnQg
+ZW5kcG9pbnQsIGRpc3BhdGNoaW5nIHRoZSByZXF1ZXN0IHdpbGwgcmV0dXJu
+IGFuIGVycm9yLiIsInR5cGUiOiJCb29sZWFuIn0sIkVuZHBvaW50Ijp7ImJ1
+aWx0SW4iOiJTREs6OkVuZHBvaW50IiwicmVxdWlyZWQiOmZhbHNlLCJkb2N1
+bWVudGF0aW9uIjoiT3ZlcnJpZGUgdGhlIGVuZHBvaW50IHVzZWQgdG8gc2Vu
+ZCB0aGlzIHJlcXVlc3QiLCJ0eXBlIjoiU3RyaW5nIn19LCJydWxlcyI6W3si
+Y29uZGl0aW9ucyI6W3siZm4iOiJhd3MucGFydGl0aW9uIiwiYXJndiI6W3si
+cmVmIjoiUmVnaW9uIn1dLCJhc3NpZ24iOiJQYXJ0aXRpb25SZXN1bHQifV0s
+InR5cGUiOiJ0cmVlIiwicnVsZXMiOlt7ImNvbmRpdGlvbnMiOlt7ImZuIjoi
+aXNTZXQiLCJhcmd2IjpbeyJyZWYiOiJFbmRwb2ludCJ9XX0seyJmbiI6InBh
+cnNlVVJMIiwiYXJndiI6W3sicmVmIjoiRW5kcG9pbnQifV0sImFzc2lnbiI6
+InVybCJ9XSwidHlwZSI6InRyZWUiLCJydWxlcyI6W3siY29uZGl0aW9ucyI6
+W3siZm4iOiJib29sZWFuRXF1YWxzIiwiYXJndiI6W3sicmVmIjoiVXNlRklQ
+UyJ9LHRydWVdfV0sImVycm9yIjoiSW52YWxpZCBDb25maWd1cmF0aW9uOiBG
+SVBTIGFuZCBjdXN0b20gZW5kcG9pbnQgYXJlIG5vdCBzdXBwb3J0ZWQiLCJ0
+eXBlIjoiZXJyb3IifSx7ImNvbmRpdGlvbnMiOltdLCJ0eXBlIjoidHJlZSIs
+InJ1bGVzIjpbeyJjb25kaXRpb25zIjpbeyJmbiI6ImJvb2xlYW5FcXVhbHMi
+LCJhcmd2IjpbeyJyZWYiOiJVc2VEdWFsU3RhY2sifSx0cnVlXX1dLCJlcnJv
+ciI6IkludmFsaWQgQ29uZmlndXJhdGlvbjogRHVhbHN0YWNrIGFuZCBjdXN0
+b20gZW5kcG9pbnQgYXJlIG5vdCBzdXBwb3J0ZWQiLCJ0eXBlIjoiZXJyb3Ii
+fSx7ImNvbmRpdGlvbnMiOltdLCJlbmRwb2ludCI6eyJ1cmwiOnsicmVmIjoi
+RW5kcG9pbnQifSwicHJvcGVydGllcyI6e30sImhlYWRlcnMiOnt9fSwidHlw
+ZSI6ImVuZHBvaW50In1dfV19LHsiY29uZGl0aW9ucyI6W3siZm4iOiJib29s
+ZWFuRXF1YWxzIiwiYXJndiI6W3sicmVmIjoiVXNlRklQUyJ9LHRydWVdfSx7
+ImZuIjoiYm9vbGVhbkVxdWFscyIsImFyZ3YiOlt7InJlZiI6IlVzZUR1YWxT
+dGFjayJ9LHRydWVdfV0sInR5cGUiOiJ0cmVlIiwicnVsZXMiOlt7ImNvbmRp
+dGlvbnMiOlt7ImZuIjoiYm9vbGVhbkVxdWFscyIsImFyZ3YiOlt0cnVlLHsi
+Zm4iOiJnZXRBdHRyIiwiYXJndiI6W3sicmVmIjoiUGFydGl0aW9uUmVzdWx0
+In0sInN1cHBvcnRzRklQUyJdfV19LHsiZm4iOiJib29sZWFuRXF1YWxzIiwi
+YXJndiI6W3RydWUseyJmbiI6ImdldEF0dHIiLCJhcmd2IjpbeyJyZWYiOiJQ
+YXJ0aXRpb25SZXN1bHQifSwic3VwcG9ydHNEdWFsU3RhY2siXX1dfV0sInR5
+cGUiOiJ0cmVlIiwicnVsZXMiOlt7ImNvbmRpdGlvbnMiOltdLCJlbmRwb2lu
+dCI6eyJ1cmwiOiJodHRwczovL3BvcnRhbC5zc28tZmlwcy57UmVnaW9ufS57
+UGFydGl0aW9uUmVzdWx0I2R1YWxTdGFja0Ruc1N1ZmZpeH0iLCJwcm9wZXJ0
+aWVzIjp7fSwiaGVhZGVycyI6e319LCJ0eXBlIjoiZW5kcG9pbnQifV19LHsi
+Y29uZGl0aW9ucyI6W10sImVycm9yIjoiRklQUyBhbmQgRHVhbFN0YWNrIGFy
+ZSBlbmFibGVkLCBidXQgdGhpcyBwYXJ0aXRpb24gZG9lcyBub3Qgc3VwcG9y
+dCBvbmUgb3IgYm90aCIsInR5cGUiOiJlcnJvciJ9XX0seyJjb25kaXRpb25z
+IjpbeyJmbiI6ImJvb2xlYW5FcXVhbHMiLCJhcmd2IjpbeyJyZWYiOiJVc2VG
+SVBTIn0sdHJ1ZV19XSwidHlwZSI6InRyZWUiLCJydWxlcyI6W3siY29uZGl0
+aW9ucyI6W3siZm4iOiJib29sZWFuRXF1YWxzIiwiYXJndiI6W3RydWUseyJm
+biI6ImdldEF0dHIiLCJhcmd2IjpbeyJyZWYiOiJQYXJ0aXRpb25SZXN1bHQi
+fSwic3VwcG9ydHNGSVBTIl19XX1dLCJ0eXBlIjoidHJlZSIsInJ1bGVzIjpb
+eyJjb25kaXRpb25zIjpbXSwidHlwZSI6InRyZWUiLCJydWxlcyI6W3siY29u
+ZGl0aW9ucyI6W10sImVuZHBvaW50Ijp7InVybCI6Imh0dHBzOi8vcG9ydGFs
+LnNzby1maXBzLntSZWdpb259LntQYXJ0aXRpb25SZXN1bHQjZG5zU3VmZml4
+fSIsInByb3BlcnRpZXMiOnt9LCJoZWFkZXJzIjp7fX0sInR5cGUiOiJlbmRw
+b2ludCJ9XX1dfSx7ImNvbmRpdGlvbnMiOltdLCJlcnJvciI6IkZJUFMgaXMg
+ZW5hYmxlZCBidXQgdGhpcyBwYXJ0aXRpb24gZG9lcyBub3Qgc3VwcG9ydCBG
+SVBTIiwidHlwZSI6ImVycm9yIn1dfSx7ImNvbmRpdGlvbnMiOlt7ImZuIjoi
+Ym9vbGVhbkVxdWFscyIsImFyZ3YiOlt7InJlZiI6IlVzZUR1YWxTdGFjayJ9
+LHRydWVdfV0sInR5cGUiOiJ0cmVlIiwicnVsZXMiOlt7ImNvbmRpdGlvbnMi
+Olt7ImZuIjoiYm9vbGVhbkVxdWFscyIsImFyZ3YiOlt0cnVlLHsiZm4iOiJn
+ZXRBdHRyIiwiYXJndiI6W3sicmVmIjoiUGFydGl0aW9uUmVzdWx0In0sInN1
+cHBvcnRzRHVhbFN0YWNrIl19XX1dLCJ0eXBlIjoidHJlZSIsInJ1bGVzIjpb
+eyJjb25kaXRpb25zIjpbXSwiZW5kcG9pbnQiOnsidXJsIjoiaHR0cHM6Ly9w
+b3J0YWwuc3NvLntSZWdpb259LntQYXJ0aXRpb25SZXN1bHQjZHVhbFN0YWNr
+RG5zU3VmZml4fSIsInByb3BlcnRpZXMiOnt9LCJoZWFkZXJzIjp7fX0sInR5
+cGUiOiJlbmRwb2ludCJ9XX0seyJjb25kaXRpb25zIjpbXSwiZXJyb3IiOiJE
+dWFsU3RhY2sgaXMgZW5hYmxlZCBidXQgdGhpcyBwYXJ0aXRpb24gZG9lcyBu
+b3Qgc3VwcG9ydCBEdWFsU3RhY2siLCJ0eXBlIjoiZXJyb3IifV19LHsiY29u
+ZGl0aW9ucyI6W10sImVuZHBvaW50Ijp7InVybCI6Imh0dHBzOi8vcG9ydGFs
+LnNzby57UmVnaW9ufS57UGFydGl0aW9uUmVzdWx0I2Ruc1N1ZmZpeH0iLCJw
+cm9wZXJ0aWVzIjp7fSwiaGVhZGVycyI6e319LCJ0eXBlIjoiZW5kcG9pbnQi
+fV19XX0=
+
+    JSON
+  end
+end