cloulu 0.0.0 → 0.1.1

data/lib/uaa/http.rb

@@ -0,0 +1,168 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'base64'
+require 'net/http'
+require 'uaa/util'
+
+module CF::UAA
+
+# Indicates URL for the target is bad or not accessible.
+class BadTarget < UAAError; end
+
+# Indicates the resource within the target server was not found.
+class NotFound < UAAError; end
+
+# Indicates a syntax error in a response from the UAA, e.g. missing required response field.
+class BadResponse < UAAError; end
+
+# Indicates an error from the http client stack.
+class HTTPException < UAAError; end
+
+# An application level error from the UAA which includes error info in the reply.
+class TargetError < UAAError
+  attr_reader :info
+  def initialize(error_info = {})
+    @info = error_info
+  end
+end
+
+# Indicates a token is malformed or expired.
+class InvalidToken < TargetError; end
+
+# Utility accessors and methods for objects that want to access JSON web APIs.
+module Http
+
+  # Sets the current logger instance to recieve error messages.
+  # @param [Logger] logr
+  # @return [Logger]
+  def logger=(logr); @logger = logr end
+
+  # The current logger or {Util.default_logger} if none has been set.
+  # @return [Logger]
+  def logger ; @logger || Util.default_logger end
+
+  # Indicates if the current logger is set to +:trace+ level.
+  # @return [Boolean]
+  def trace? ; (lgr = logger).respond_to?(:trace?) && lgr.trace? end
+
+  # Sets a handler for outgoing http requests. If no handler is set, an
+  # internal cache of net/http connections is used. Arguments to the handler
+  # are url, method, body, headers.
+  # @param [Proc] blk handler block
+  # @return [nil]
+  def set_request_handler(&blk) @req_handler = blk; nil end
+
+  # Constructs an http basic authentication header.
+  # @return [String]
+  def self.basic_auth(name, password)
+    str = "#{name}:#{password}"
+    "Basic " + (Base64.respond_to?(:strict_encode64)?
+        Base64.strict_encode64(str): [str].pack("m").gsub(/\n/, ''))
+  end
+
+  JSON_UTF8 = "application/json;charset=utf-8"
+  FORM_UTF8 = "application/x-www-form-urlencoded;charset=utf-8"
+
+  private
+
+  def json_get(target, path = nil, style = nil, headers = {})
+    raise ArgumentError unless style.nil? || style.is_a?(Symbol)
+    json_parse_reply(style, *http_get(target, path, headers.merge("accept" => JSON_UTF8)))
+  end
+
+  def json_post(target, path, body, headers = {})
+    http_post(target, path, Util.json(body), headers.merge("content-type" => JSON_UTF8))
+  end
+
+  def json_put(target, path, body, headers = {})
+    http_put(target, path, Util.json(body), headers.merge("content-type" => JSON_UTF8))
+  end
+
+  def json_parse_reply(style, status, body, headers)
+    raise ArgumentError unless style.nil? || style.is_a?(Symbol)
+    unless [200, 201, 204, 400, 401, 403, 409].include? status
+      raise (status == 404 ? NotFound : BadResponse), "invalid status response: #{status}"
+    end
+    if body && !body.empty? && (status == 204 || headers.nil? ||
+          headers["content-type"] !~ /application\/json/i)
+      raise BadResponse, "received invalid response content or type"
+    end
+    parsed_reply = Util.json_parse(body, style)
+    if status >= 400
+      raise parsed_reply && parsed_reply["error"] == "invalid_token" ?
+          InvalidToken.new(parsed_reply) : TargetError.new(parsed_reply), "error response"
+    end
+    parsed_reply
+  rescue DecodeError
+    raise BadResponse, "invalid JSON response"
+  end
+
+  def http_get(target, path = nil, headers = {}) request(target, :get, path, nil, headers) end
+  def http_post(target, path, body, headers = {}) request(target, :post, path, body, headers) end
+  def http_put(target, path, body, headers = {}) request(target, :put, path, body, headers) end
+
+  def http_delete(target, path, authorization)
+    status = request(target, :delete, path, nil, "authorization" => authorization)[0]
+    unless [200, 204].include?(status)
+      raise (status == 404 ? NotFound : BadResponse), "invalid response from #{path}: #{status}"
+    end
+  end
+
+  def request(target, method, path, body = nil, headers = {})
+    headers["accept"] = headers["content-type"] if headers["content-type"] && !headers["accept"]
+    url = "#{target}#{path}"
+
+    logger.debug { "--->\nrequest: #{method} #{url}\n" +
+        "headers: #{headers}\n#{'body: ' + Util.truncate(body.to_s, trace? ? 50000 : 50) if body}" }
+    status, body, headers = @req_handler ? @req_handler.call(url, method, body, headers) :
+        net_http_request(url, method, body, headers)
+    logger.debug { "<---\nresponse: #{status}\nheaders: #{headers}\n" +
+        "#{'body: ' + Util.truncate(body.to_s, trace? ? 50000: 50) if body}" }
+
+    [status, body, headers]
+
+  rescue Exception => e
+    logger.debug { "<---- no response due to exception: #{e.inspect}" }
+    raise e
+  end
+
+  def net_http_request(url, method, body, headers)
+    raise ArgumentError unless reqtype = {:delete => Net::HTTP::Delete,
+        :get => Net::HTTP::Get, :post => Net::HTTP::Post, :put => Net::HTTP::Put}[method]
+    headers["content-length"] = body.length if body
+    uri = URI.parse(url)
+    req = reqtype.new(uri.request_uri)
+    headers.each { |k, v| req[k] = v }
+    http_key = "#{uri.scheme}://#{uri.host}:#{uri.port}"
+    @http_cache ||= {}
+    unless http = @http_cache[http_key]
+      @http_cache[http_key] = http = Net::HTTP.new(uri.host, uri.port)
+      if uri.is_a?(URI::HTTPS)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+    end
+    reply, outhdrs = http.request(req, body), {}
+    reply.each_header { |k, v| outhdrs[k] = v }
+    [reply.code.to_i, reply.body, outhdrs]
+
+  rescue URI::Error, SocketError, SystemCallError => e
+    raise BadTarget, "error: #{e.message}"
+  rescue Net::HTTPBadResponse => e
+    raise HTTPException, "HTTP exception: #{e.class}: #{e}"
+  end
+
+end
+
+end

data/lib/uaa/misc.rb

@@ -0,0 +1,121 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'uaa/http'
+
+module CF::UAA
+
+# Provides interfaces to various UAA endpoints that are not in the context
+# of an overall class of operations like SCIM resources or OAuth2 tokens.
+class Misc
+
+  class << self
+    include Http
+  end
+
+  # sets whether the keys in returned hashes should be symbols.
+  # @return [Boolean] the new state
+  def self.symbolize_keys=(bool) !!(@key_style = bool ? :sym : nil) end
+
+  # Gets information about the user authenticated by the token in the
+  # +auth_header+. It GETs from the +target+'s +/userinfo+ endpoint and
+  # returns user information as specified by OpenID Connect.
+  # @see http://openid.net/connect/
+  # @see http://openid.net/specs/openid-connect-standard-1_0.html#userinfo_ep
+  # @see http://openid.net/specs/openid-connect-messages-1_0.html#anchor9
+  # @param (see Misc.server)
+  # @param [String] auth_header see {TokenInfo#auth_header}
+  # @return [Hash]
+  def self.whoami(target, auth_header)
+    json_get(target, "/userinfo?schema=openid", @key_style, "authorization" => auth_header)
+  end
+
+  # Gets various monitoring and status variables from the server.
+  # Authenticates using +name+ and +pwd+ for basic authentication.
+  # @param (see Misc.server)
+  # @return [Hash]
+  def self.varz(target, name, pwd)
+    json_get(target, "/varz", @key_style, "authorization" => Http.basic_auth(name, pwd))
+  end
+
+  # Gets basic information about the target server, including version number,
+  # commit ID, and links to API endpoints.
+  # @param [String] target The base URL of the server. For example the target could
+  #   be {https://login.cloudfoundry.com}, {https://uaa.cloudfoundry.com}, or
+  #   {http://localhost:8080/uaa}.
+  # @return [Hash]
+  def self.server(target)
+    reply = json_get(target, '/login', @key_style)
+    return reply if reply && (reply[:prompts] || reply['prompts'])
+    raise BadResponse, "Invalid response from target #{target}"
+  end
+
+  # Gets a base url for the associated UAA from the target server by inspecting the
+  # links returned from its info endpoint.
+  # @param [String] target The base URL of the server. For example the target could
+  #   be {https://login.cloudfoundry.com}, {https://uaa.cloudfoundry.com}, or
+  #   {http://localhost:8080/uaa}.
+  # @return [String] url of UAA (or the target itself if it didn't provide a response)
+  def self.discover_uaa(target)
+    info = server(target)
+    links = info['links'] || info[:links]
+    uaa = links && (links['uaa'] || links[:uaa])
+
+    uaa || target
+  end
+
+  # Gets the key from the server that is used to validate token signatures. If
+  # the server is configured to use a symetric key, the caller must authenticate
+  # by providing a a +client_id+ and +client_secret+. If the server
+  # is configured to sign with a private key, this call will retrieve the
+  # public key and +client_id+ must be nil.
+  # @param (see Misc.server)
+  # @return [Hash]
+  def self.validation_key(target, client_id = nil, client_secret = nil)
+    hdrs = client_id && client_secret ?
+        { "authorization" => Http.basic_auth(client_id, client_secret)} : {}
+    json_get(target, "/token_key", @key_style, hdrs)
+  end
+
+  # Sends +token+ to the server to validate and decode. Authenticates with
+  # +client_id+ and +client_secret+. If +audience_ids+ are specified and the
+  # token's "aud" attribute does not contain one or more of the audience_ids,
+  # raises AuthError -- meaning the token is not for this audience.
+  # @param (see Misc.server)
+  # @param [String] token an access token as retrieved by {TokenIssuer}. See
+  #   also {TokenInfo}.
+  # @param [String] token_type as retrieved by {TokenIssuer}. See {TokenInfo}.
+  # @return [Hash] contents of the token
+  def self.decode_token(target, client_id, client_secret, token, token_type = "bearer", audience_ids = nil)
+    reply = json_get(target, "/check_token?token_type=#{token_type}&token=#{token}",
+        @key_style, "authorization" => Http.basic_auth(client_id, client_secret))
+    auds = Util.arglist(reply[:aud] || reply['aud'])
+    if audience_ids && (!auds || (auds & audience_ids).empty?)
+      raise AuthError, "invalid audience: #{auds.join(' ')}"
+    end
+    reply
+  end
+
+  # Gets information about the given password, including a strength score and
+  # an indication of what strength is required.
+  # @param (see Misc.server)
+  # @return [Hash]
+  def self.password_strength(target, password)
+    json_parse_reply(@key_style, *request(target, :post, '/password/score',
+        Util.encode_form(:password => password), "content-type" => Http::FORM_UTF8,
+        "accept" => Http::JSON_UTF8))
+  end
+
+end
+
+end

data/lib/uaa/scim.rb

@@ -0,0 +1,292 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'uaa/http'
+
+module CF::UAA
+
+# This class is for apps that need to manage User Accounts, Groups, or OAuth
+# Client Registrations. It provides access to the SCIM endpoints on the UAA.
+# For more information about SCIM -- the IETF's System for Cross-domain
+# Identity Management (formerly known as Simple Cloud Identity Management) --
+# see {http://www.simplecloud.info}.
+#
+# The types of objects and links to their schema are as follows:
+# * +:user+ -- {http://www.simplecloud.info/specs/draft-scim-core-schema-01.html#user-resource}
+#   or {http://www.simplecloud.info/specs/draft-scim-core-schema-01.html#anchor8}
+# * +:group+ -- {http://www.simplecloud.info/specs/draft-scim-core-schema-01.html#group-resource}
+#   or {http://www.simplecloud.info/specs/draft-scim-core-schema-01.html#anchor10}
+# * +:client+
+# * +:user_id+ -- {https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#converting-userids-to-names}
+#
+# Naming attributes by type of object:
+# * +:user+ is "username"
+# * +:group+ is "displayname"
+# * +:client+ is "client_id"
+class Scim
+
+  include Http
+
+  private
+
+  def force_attr(k)
+    kd = k.to_s.downcase
+    kc = {"username" => "userName", "familyname" => "familyName",
+      "givenname" => "givenName", "middlename" => "middleName",
+      "honorificprefix" => "honorificPrefix",
+      "honorificsuffix" => "honorificSuffix", "displayname" => "displayName",
+      "nickname" => "nickName", "profileurl" => "profileUrl",
+      "streetaddress" => "streetAddress", "postalcode" => "postalCode",
+      "usertype" => "userType", "preferredlanguage" => "preferredLanguage",
+      "x509certificates" => "x509Certificates", "lastmodified" => "lastModified",
+      "externalid" => "externalId", "phonenumbers" => "phoneNumbers",
+      "startindex" => "startIndex"}[kd]
+    kc || kd
+  end
+
+  # This is very inefficient and should be unnecessary. SCIM (1.1 and early
+  # 2.0 drafts) specify that attribute names are case insensitive. However
+  # in the UAA attribute names are currently case sensitive. This hack takes
+  # a hash with keys as symbols or strings and with any case, and forces
+  # the attribute name to the case that the uaa expects.
+  def force_case(obj)
+    return obj.collect {|o| force_case(o)} if obj.is_a? Array
+    return obj unless obj.is_a? Hash
+    new_obj = {}
+    obj.each {|(k, v)| new_obj[force_attr(k)] = force_case(v) }
+    new_obj
+  end
+
+  # an attempt to hide some scim and uaa oddities
+  def type_info(type, elem)
+    scimfo = {:user => ["/Users", "userName"], :group => ["/Groups", "displayName"],
+      :client => ["/oauth/clients", 'client_id'], :user_id => ["/ids/Users", 'userName']}
+    unless elem == :path || elem == :name_attr
+      raise ArgumentError, "scim schema element must be :path or :name_attr"
+    end
+    unless ary = scimfo[type]
+      raise ArgumentError, "scim resource type must be one of #{scimfo.keys.inspect}"
+    end
+    ary[elem == :path ? 0 : 1]
+  end
+
+  def jkey(k) @key_style == :down ? k.to_s : k end
+
+  def fake_client_id(info)
+    idk, ck = jkey(:id), jkey(:client_id)
+    info[idk] = info[ck] if info[ck] && !info[idk]
+  end
+
+  public
+
+  # @param (see Misc.server)
+  # @param [String] auth_header a string that can be used in an
+  #   authorization header. For OAuth2 with JWT tokens this would be something
+  #   like "bearer xxxx.xxxx.xxxx". The {TokenInfo} class provides
+  #   {TokenInfo#auth_header} for this purpose.
+  # @param [Hash] options can be
+  #   * +:symbolize_keys+, if true, returned hash keys are symbols.
+  def initialize(target, auth_header, options = {})
+    @target, @auth_header = target, auth_header
+    @key_style = options[:symbolize_keys] ? :downsym : :down
+  end
+
+  # Convenience method to get the naming attribute, e.g. userName for user,
+  # displayName for group, client_id for client.
+  # @param type (see #add)
+  # @return [String] naming attribute
+  def name_attr(type) type_info(type, :name_attr) end
+
+  # Creates a SCIM resource.
+  # @param [Symbol] type can be :user, :group, :client, :user_id.
+  # @param [Hash] info converted to json and sent to the scim endpoint. For schema of
+  #   each type of object see {Scim}.
+  # @return [Hash] contents of the object, including its +id+ and meta-data.
+  def add(type, info)
+    path, info = type_info(type, :path), force_case(info)
+    reply = json_parse_reply(@key_style, *json_post(@target, path, info,
+        "authorization" => @auth_header))
+    fake_client_id(reply) if type == :client # hide client reply, not quite scim
+    reply
+  end
+
+  # Deletes a SCIM resource
+  # @param type (see #add)
+  # @param [String] id the id attribute of the SCIM object
+  # @return [nil]
+  def delete(type, id)
+    http_delete @target, "#{type_info(type, :path)}/#{URI.encode(id)}", @auth_header
+  end
+
+  # Replaces the contents of a SCIM object.
+  # @param (see #add)
+  # @return (see #add)
+  def put(type, info)
+    path, info = type_info(type, :path), force_case(info)
+    ida = type == :client ? 'client_id' : 'id'
+    raise ArgumentError, "info must include #{ida}" unless id = info[ida]
+    hdrs = {'authorization' => @auth_header}
+    if info && info['meta'] && (etag = info['meta']['version'])
+      hdrs.merge!('if-match' => etag)
+    end
+    reply = json_parse_reply(@key_style,
+        *json_put(@target, "#{path}/#{URI.encode(id)}", info, hdrs))
+
+    # hide client endpoints that are not quite scim compatible
+    type == :client && !reply ? get(type, info['client_id']): reply
+  end
+
+  # Gets a set of attributes for each object that matches a given filter.
+  # @param (see #add)
+  # @param [Hash] query may contain the following keys:
+  #   * +attributes+: a comma or space separated list of attribute names to be
+  #     returned for each object that matches the filter. If no attribute
+  #     list is given, all attributes are returned.
+  #   * +filter+: a filter to select which objects are returned. See
+  #     {http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources}
+  #   * +startIndex+: for paged output, start index of requested result set.
+  #   * +count+: maximum number of results per reply
+  # @return [Hash] including a +resources+ array of results and
+  #   pagination data.
+  def query(type, query = {})
+    query = force_case(query).reject {|k, v| v.nil? }
+    if attrs = query['attributes']
+      attrs = Util.arglist(attrs).map {|a| force_attr(a)}
+      query['attributes'] = Util.strlist(attrs, ",")
+    end
+    qstr = query.empty?? '': "?#{Util.encode_form(query)}"
+    info = json_get(@target, "#{type_info(type, :path)}#{qstr}",
+        @key_style,  'authorization' => @auth_header)
+    unless info.is_a?(Hash) && info[rk = jkey(:resources)].is_a?(Array)
+
+      # hide client endpoints that are not yet scim compatible
+      if type == :client && info.is_a?(Hash)
+        info = info.each{ |k, v| fake_client_id(v) }.values
+        if m = /^client_id\s+eq\s+"([^"]+)"$/i.match(query['filter'])
+          idk = jkey(:client_id)
+          info = info.select { |c| c[idk].casecmp(m[1]) == 0 }
+        end
+        return {rk => info}
+      end
+
+      raise BadResponse, "invalid reply to #{type} query of #{@target}"
+    end
+    info
+  end
+
+  # Get information about a specific object.
+  # @param (see #delete)
+  # @return (see #add)
+  def get(type, id)
+    info = json_get(@target, "#{type_info(type, :path)}/#{URI.encode(id)}",
+        @key_style, 'authorization' => @auth_header)
+
+    fake_client_id(info) if type == :client # hide client reply, not quite scim
+    info
+  end
+
+  # Collects all pages of entries from a query
+  # @param type (see #query)
+  # @param [Hash] query may contain the following keys:
+  #   * +attributes+: a comma or space separated list of attribute names to be
+  #     returned for each object that matches the filter. If no attribute
+  #     list is given, all attributes are returned.
+  #   * +filter+: a filter to select which objects are returned. See
+  #     {http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources}
+  # @return [Array] results
+  def all_pages(type, query = {})
+    query = force_case(query).reject {|k, v| v.nil? }
+    query["startindex"], info, rk = 1, [], jkey(:resources)
+    while true
+      qinfo = query(type, query)
+      raise BadResponse unless qinfo[rk]
+      return info if qinfo[rk].empty?
+      info.concat(qinfo[rk])
+      total = qinfo[jkey :totalresults]
+      return info unless total && total > info.length
+      unless qinfo[jkey :startindex] && qinfo[jkey :itemsperpage]
+        raise BadResponse, "incomplete #{type} pagination data from #{@target}"
+      end
+      query["startindex"] = info.length + 1
+    end
+  end
+
+  # Gets id/name pairs for given names. For naming attribute of each object type see {Scim}
+  # @param type (see #add)
+  # @return [Array] array of name/id hashes for each object found
+  def ids(type, *names)
+    na = type_info(type, :name_attr)
+    filter = names.map { |n| "#{na} eq \"#{n}\""}
+    all_pages(type, :attributes => "id,#{na}", :filter => filter.join(" or "))
+  end
+
+  # Convenience method to query for single object by name.
+  # @param type (see #add)
+  # @param [String] name Value of the Scim object's name attribue. For naming
+  #   attribute of each type of object see {Scim}.
+  # @return [String] the +id+ attribute of the object
+  def id(type, name)
+    res = ids(type, name)
+
+    # hide client endpoints that are not scim compatible
+    ik, ck = jkey(:id), jkey(:client_id)
+    if type == :client && res && res.length > 0 && (res.length > 1 || res[0][ik].nil?)
+      cr = res.find { |o| o[ck] && name.casecmp(o[ck]) == 0 }
+      return cr[ik] || cr[ck] if cr
+    end
+
+    unless res && res.is_a?(Array) && res.length == 1 &&
+        res[0].is_a?(Hash) && (id = res[0][jkey :id])
+      raise NotFound, "#{name} not found in #{@target}#{type_info(type, :path)}"
+    end
+    id
+  end
+
+  # Change password.
+  # * For a user to change their own password, the token in @auth_header must
+  #   contain "password.write" scope and the correct +old_password+ must be given.
+  # * For an admin to set a user's password, the token in @auth_header must
+  #   contain "uaa.admin" scope.
+  # @see https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#change-password-put-useridpassword
+  # @see https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-Security.md#password-change
+  # @param [String] user_id the {Scim} +id+ attribute of the user
+  # @return [Hash] success message from server
+  def change_password(user_id, new_password, old_password = nil)
+    req = {"password" => new_password}
+    req["oldPassword"] = old_password if old_password
+    json_parse_reply(@key_style, *json_put(@target,
+        "#{type_info(:user, :path)}/#{URI.encode(user_id)}/password", req,
+        'authorization' => @auth_header))
+  end
+
+  # Change client secret.
+  # * For a client to change its own secret, the token in @auth_header must contain
+  #   "client.secret" scope and the correct +old_secret+ must be given.
+  # * For an admin to set a client secret, the token in @auth_header must contain
+  #   "uaa.admin" scope.
+  # @see https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#change-client-secret-put-oauthclientsclient_idsecret
+  # @see https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-Security.md#client-secret-mangagement
+  # @param [String] client_id the {Scim} +id+ attribute of the client
+  # @return [Hash] success message from server
+  def change_secret(client_id, new_secret, old_secret = nil)
+    req = {"secret" => new_secret }
+    req["oldSecret"] = old_secret if old_secret
+    json_parse_reply(@key_style, *json_put(@target,
+        "#{type_info(:client, :path)}/#{URI.encode(client_id)}/secret", req,
+        'authorization' => @auth_header))
+  end
+
+end
+
+end
+