custom-adal 1.0.1

data/lib/adal/token_request.rb

@@ -0,0 +1,231 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './cache_driver'
+require_relative './logging'
+require_relative './noop_cache'
+require_relative './oauth_request'
+require_relative './request_parameters'
+
+require 'openssl'
+
+module ADAL
+  # A request for a token that may be fulfilled by a cache or an OAuthRequest
+  # to a token endpoint.
+  class TokenRequest
+    include Logging
+    include RequestParameters
+
+    # An error that signifies an attempt to perform OAuth with a UserIdentifier.
+    # UserIdentifiers can only be used to retrieve access tokens from the cache,
+    # so if no matching cache token is found, this error is thrown.
+    class UserCredentialError < StandardError; end
+
+    # All accepted grant types. This module can be mixed-in to other classes
+    # that require them.
+    module GrantType
+      AUTHORIZATION_CODE = 'authorization_code'
+      CLIENT_CREDENTIALS = 'client_credentials'
+      JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
+      PASSWORD = 'password'
+      REFRESH_TOKEN = 'refresh_token'
+      SAML1 = 'urn:ietf:params:oauth:grant-type:saml1_1-bearer'
+      SAML2 = 'urn:ietf:params:oauth:grant-type:saml2-bearer'
+    end
+
+    ##
+    # Constructs a TokenRequest.
+    #
+    # @param [Authority] authority
+    #   The Authority providing authorization and token endpoints.
+    # @param ClientCredential|ClientAssertion|ClientAssertionCertificate
+    #   Used to identify the client. Provides a request_parameters method
+    #   that yields the relevant client credential parameters.
+    # @option [TokenCache] token_cache
+    #   The cache implementation to store tokens. A NoopCache that stores no
+    #   tokens will be used by default.
+    def initialize(authority, client, token_cache = NoopCache.new)
+      @authority = authority
+      @cache_driver = CacheDriver.new(authority, client, token_cache)
+      @client = client
+      @token_cache = token_cache
+    end
+
+    public
+
+    ##
+    # Gets a token based solely on the clients credentials that were used to
+    # initialize the token request.
+    #
+    # @param String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_for_client(resource)
+      logger.verbose("TokenRequest getting token for client for #{resource}.")
+      request(GRANT_TYPE => GrantType::CLIENT_CREDENTIALS,
+              RESOURCE => resource)
+    end
+
+    ##
+    # Gets a token based on a previously acquired authentication code.
+    #
+    # @param String auth_code
+    #   An authentication code that was previously acquired from an
+    #   authentication endpoint.
+    # @param String redirect_uri
+    #   The redirect uri that was passed to the authentication endpoint when the
+    #   auth code was acquired.
+    # @optional String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_with_authorization_code(auth_code, redirect_uri, resource = nil)
+      logger.verbose('TokenRequest getting token with authorization code ' \
+                     "#{auth_code}, redirect_uri #{redirect_uri} and " \
+                     "resource #{resource}.")
+      request(CODE => auth_code,
+              GRANT_TYPE => GrantType::AUTHORIZATION_CODE,
+              REDIRECT_URI => URI.parse(redirect_uri.to_s),
+              RESOURCE => resource)
+    end
+
+    ##
+    # Gets a token based on a previously acquired refresh token.
+    #
+    # @param String refresh_token
+    #   The refresh token that was previously acquired from a token response.
+    # @optional String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_with_refresh_token(refresh_token, resource = nil)
+      logger.verbose('TokenRequest getting token with refresh token digest ' \
+                     "#{Digest::SHA256.hexdigest refresh_token} and resource " \
+                     "#{resource}.")
+      request_no_cache(GRANT_TYPE => GrantType::REFRESH_TOKEN,
+                       REFRESH_TOKEN => refresh_token,
+                       RESOURCE => resource)
+    end
+
+    ##
+    # Gets a token based on possessing the users credentials.
+    #
+    # @param UserCredential|UserIdentifier user_cred
+    #   Something that can be used to verify the user. Typically a username
+    #   and password. If it is a UserIdentifier, only the cache will be checked.
+    #   If a matching token is not there, it will fail.
+    # @optional String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_with_user_credential(user_cred, resource = nil)
+      logger.verbose('TokenRequest getting token with user credential ' \
+                     "#{user_cred} and resource #{resource}.")
+      oauth = if user_cred.is_a? UserIdentifier
+                lambda do
+                  fail UserCredentialError,
+                       'UserIdentifier can only be used once there is a ' \
+                       'matching token in the cache.'
+                end
+              end || -> {}
+      request(user_cred.request_params.merge(RESOURCE => resource), &oauth)
+    end
+
+    private
+
+    ##
+    # The OAuth parameters that are specific to the client for which tokens will
+    # be requested.
+    #
+    # @return Hash
+    def client_params
+      @client.request_params
+    end
+
+    ##
+    # Attempts to fulfill a token request, first via the token cache and then
+    # through OAuth.
+    #
+    # @param Hash params
+    #   Any additional request parameters that should be used.
+    # @return TokenResponse
+    def request(params, &block)
+      cached_token = check_cache(request_params(params))
+      return cached_token if cached_token
+      cache_response(request_no_cache(request_params(params), &block))
+    end
+
+    ##
+    # Executes an OAuth request based on the params and returns it.
+    #
+    # @param Hash params
+    #   Any additional request parameters that should be used.
+    # @return TokenResponse
+    def request_no_cache(params)
+      yield if block_given?
+      oauth_request(request_params(params)).execute
+    end
+
+    ##
+    # Adds client params to additional params. If there is a conflict, the value
+    # from additional_params is used. It can be called multiple times, because
+    # request_params(request_params(x)) == request_params(x).
+    #
+    # @param Hash
+    # @return Hash
+    def request_params(additional_params)
+      client_params.merge(additional_params).select { |_, v| !v.nil? }
+    end
+
+    ##
+    # Helper method to chain OAuthRequest and cache operation.
+    #
+    # @param TokenResponse
+    #   The token response to cache.
+    # @return TokenResponse
+    def cache_response(token_response)
+      @cache_driver.add(token_response)
+      token_response
+    end
+
+    ##
+    # Attempts to fulfill the request from @token_cache.
+    #
+    # @return TokenResponse
+    #   If the cache contains a valid response it wil be returned as a
+    #   SuccessResponse. Otherwise returns nil.
+    def check_cache(params)
+      logger.verbose("TokenRequest checking cache #{@token_cache} for token.")
+      result = @cache_driver.find(params)
+      logger.info("#{result ? 'Found' : 'Did not find'} token in cache.")
+      result
+    end
+
+    ##
+    # Constructs an OAuthRequest from the TokenRequest instance.
+    #
+    # @param Hash params
+    #   The OAuth parameters specific to the TokenRequest instance.
+    # @return OAuthRequest
+    def oauth_request(params)
+      logger.verbose('Resorting to OAuth to fulfill token request.')
+      OAuthRequest.new(@authority.token_endpoint, params)
+    end
+  end
+end

data/lib/adal/token_response.rb

@@ -0,0 +1,144 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './logging'
+
+require 'digest'
+require 'json'
+require 'jwt'
+require 'securerandom'
+
+module ADAL
+  # The return type of all of the instance methods that return tokens.
+  class TokenResponse
+    extend Logging
+
+    ##
+    # Constructs a TokenResponse from a raw hash. It will return either a
+    # SuccessResponse or an ErrorResponse depending on the fields of the hash.
+    #
+    # @param Hash raw_response
+    #   The body of the HTTP response expressed as a raw hash.
+    # @return TokenResponse
+    def self.parse(raw_response)
+      logger.verbose('Attempting to create a TokenResponse from raw response.')
+      if raw_response.nil?
+        ErrorResponse.new
+      elsif raw_response['error']
+        ErrorResponse.new(JSON.parse(raw_response))
+      else
+        SuccessResponse.new(JSON.parse(raw_response))
+      end
+    end
+
+    public
+
+    ##
+    # Shorthand for checking if a token response is successful or failed.
+    #
+    # @return Boolean
+    def error?
+      self.respond_to? :error
+    end
+  end
+
+  # A token response that contains an access token. All fields are read only
+  # and may be nil. Some fields are only populated in certain flows.
+  class SuccessResponse < TokenResponse
+    include Logging
+
+    # These fields may or may not be included in the response from the token
+    # endpoint.
+    OAUTH_FIELDS = [:access_token, :expires_in, :expires_on, :id_token,
+                    :not_before, :refresh_token, :resource, :scope, :token_type]
+    OAUTH_FIELDS.each { |field| attr_reader field }
+    attr_reader :user_info
+    attr_reader :fields
+
+    ##
+    # Constructs a SuccessResponse from a collection of fields returned from a
+    # token endpoint.
+    #
+    # @param Hash
+    def initialize(fields = {})
+      @fields = fields
+      fields.each { |k, v| instance_variable_set("@#{k}", v) }
+      parse_id_token(id_token)
+      @expires_on = @expires_in.to_i + Time.now.to_i
+      logger.info('Parsed a SuccessResponse with access token digest ' \
+                  "#{Digest::SHA256.hexdigest @access_token.to_s} and " \
+                  'refresh token digest ' \
+                  "#{Digest::SHA256.hexdigest @refresh_token.to_s}.")
+    end
+
+    ##
+    # Converts the fields that were used to create this token response into
+    # a JSON string. This is helpful for storing then in a database.
+    #
+    # @param JSON::Ext::Generator::State
+    #   We don't care about this, because the JSON representation of this
+    #   object does not depend on the fields before it.
+    # @return String
+    def to_json(_ = nil)
+      JSON.unparse(fields)
+    end
+
+    ##
+    # Parses the raw id token into an ADAL::UserInformation.
+    # If the id token is missing, an ADAL::UserInformation will still be
+    # generated, it just won't contain any displayable information.
+    #
+    # @param String id_token
+    #   The id token to parse
+    #   Adds an id token to the token response if one is not present
+    def parse_id_token(id_token)
+      if id_token.nil?
+        logger.warn('No id token found.')
+        @user_info ||= ADAL::UserInformation.new(unique_id: SecureRandom.uuid)
+        return
+      end
+      logger.verbose('Attempting to decode id token in token response.')
+      claims = JWT.decode(id_token.to_s, nil, false).first
+      @id_token = id_token
+      @user_info = ADAL::UserInformation.new(claims)
+    end
+  end
+
+  # A token response that contains an error code.
+  class ErrorResponse < TokenResponse
+    include Logging
+
+    OAUTH_FIELDS = [:error, :error_description, :error_codes, :timestamp,
+                    :trace_id, :correlation_id, :submit_url, :context]
+    OAUTH_FIELDS.each { |field| attr_reader field }
+
+    # Constructs a Error from a collection of fields returned from a
+    # token endpoint.
+    #
+    # @param Hash
+    def initialize(fields = {})
+      fields.each { |k, v| instance_variable_set("@#{k}", v) }
+      logger.error("Parsed an ErrorResponse with error: #{@error} and error " \
+                   "description: #{@error_description}.")
+    end
+  end
+end

data/lib/adal/user_assertion.rb

@@ -0,0 +1,57 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './token_request'
+
+module ADAL
+  # An assertion and its representation type, stored as a JWT for
+  # the on-behalf-of flow.
+  class UserAssertion
+    attr_reader :assertion
+    attr_reader :assertion_type
+
+    ##
+    # Creates a new UserAssertion.
+    #
+    # @param String assertion
+    #   An OAuth assertion representing the user.
+    # @optional AssertionType assertion_type
+    #   The type of the assertion being made. Currently only JWT_BEARER is
+    #   supported.
+    def initialize(
+      assertion, assertion_type = ADAL::TokenRequest::GrantType::JWT_BEARER)
+      @assertion = assertion
+      @assertion_type = assertion_type
+    end
+
+    ##
+    # The relevant OAuth access token request parameters for this object.
+    #
+    # @return Hash
+    def request_params
+      { grant_type: assertion_type,
+        assertion: assertion,
+        requested_token_use: :on_behalf_of,
+        scope: :openid }
+    end
+  end
+end

data/lib/adal/user_credential.rb

@@ -0,0 +1,152 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './authority'
+require_relative './logger'
+require_relative './mex_request'
+require_relative './token_request'
+require_relative './wstrust_request'
+
+require 'base64'
+require 'json'
+require 'net/http'
+require 'uri'
+
+module ADAL
+  # A convenience class for username and password credentials.
+  class UserCredential
+    include Logging
+
+    # Federation response type from the userrealm endpoint.
+    module AccountType
+      FEDERATED = 'Federated'
+      MANAGED = 'Managed'
+      UNKNOWN = 'Unknown'
+    end
+
+    # ADAL only supports flows for managed and federated users.
+    class UnsupportedAccountTypeError < StandardError
+      def initialize(account_type)
+        super("Unsupported account type for authentication: #{account_type}.")
+      end
+    end
+
+    attr_reader :username
+    attr_reader :password
+
+    ##
+    # Constructs a new UserCredential.
+    #
+    # @param String username
+    # @param String password
+    # @optional String authority_host
+    #   The host name of the authority to verify the user against.
+    def initialize(
+      username, password, authority_host = Authority::WORLD_WIDE_AUTHORITY)
+      @username = username
+      @password = password
+      @authority_host = authority_host
+      @discovery_path = "/common/userrealm/#{URI.escape @username}"
+    end
+
+    ##
+    # Determines the account type based on a Home Realm Discovery request.
+    #
+    # @return UserCredential::AccountType
+    def account_type
+      realm_discovery_response['account_type']
+    end
+
+    ##
+    # The OAuth parameters that respresent this UserCredential.
+    #
+    # @return Hash
+    def request_params
+      case account_type
+      when AccountType::MANAGED
+        managed_request_params
+      when AccountType::FEDERATED
+        federated_request_params
+      else
+        fail UnsupportedAccountTypeError, account_type
+      end
+    end
+
+    # :nocov:
+    def to_s
+      "UserCredential[Username: #{@username}, AccountType: #{account_type}]"
+    end
+    # :nocov:
+
+    private
+
+    # Memoized response from the discovery endpoint. Since a UserCredential is
+    # read only, this should only ever need to be called once.
+    # @return Hash
+    def realm_discovery_response
+      @realm_discovery_response ||=
+        JSON.parse(Net::HTTP.get(realm_discovery_uri))
+    end
+
+    # @return URI
+    def realm_discovery_uri
+      URI::HTTPS.build(
+        host: @authority_host,
+        path: @discovery_path,
+        query: URI.encode_www_form('api-version' => '1.0'))
+    end
+
+    # @return Hash
+    def federated_request_params
+      logger.verbose("Getting OAuth parameters for Federated #{@username}.")
+      wstrust_response = wstrust_request.execute(@username, @password)
+      { assertion: Base64.encode64(wstrust_response.token).strip,
+        grant_type: wstrust_response.grant_type,
+        scope: :openid }
+    end
+
+    # @return URI
+    def federation_metadata_url
+      URI.parse(realm_discovery_response['federation_metadata_url'])
+    end
+
+    # @return Hash
+    def managed_request_params
+      logger.verbose("Getting OAuth parameters for Managed #{@username}.")
+      { username: @username,
+        password: @password,
+        grant_type: TokenRequest::GrantType::PASSWORD,
+        scope: :openid }
+    end
+
+    # @return MexResponse
+    def mex_response
+      @mex_response ||= MexRequest.new(federation_metadata_url).execute
+    end
+
+    # @return WSTrustRequest
+    def wstrust_request
+      @wstrust_request ||=
+        WSTrustRequest.new(mex_response.wstrust_url, mex_response.action)
+    end
+  end
+end

data/lib/adal/user_identifier.rb

@@ -0,0 +1,83 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # Identifier for users in the cache.
+  #
+  # Ideally, the application will first use a different OAuth flow, such as the
+  # Authorization Code flow, to acquire an ADAL::SuccessResponse. Then, it can
+  # create ADAL::UserIdentifier to query the cache which will refresh tokens as
+  # necessary.
+  class UserIdentifier
+    attr_reader :id
+    attr_reader :type
+
+    # Displayable IDs are human readable (eg email addresses) while Unique Ids
+    # are generally random UUIDs.
+    module Type
+      UNIQUE_ID = :UNIQUE_ID
+      DISPLAYABLE_ID = :DISPLAYABLE_ID
+    end
+    include Type
+
+    ##
+    # Creates a UserIdentifier with a specific type. Used for cache lookups.
+    # Matches .NET ADAL implementation.
+    #
+    # @param String id
+    # @param UserIdentifier::Type
+    # @return ADAL::UserIdentifier
+    def initialize(id, type)
+      unless [UNIQUE_ID, DISPLAYABLE_ID].include? type
+        fail ArgumentError, 'type must be an ADAL::UserIdentifier::Type.'
+      end
+      @id = id
+      @type = type
+    end
+
+    ##
+    # These parameters should only be used for cache lookup. This is enforced
+    # by ADAL::TokenRequest.
+    #
+    # @return Hash
+    def request_params
+      { user_info: self }
+    end
+
+    ##
+    # Overrides comparison operator for cache lookups
+    #
+    # @param UserIdentifier other
+    # @return Boolean
+    def ==(other)
+      case other
+      when UserIdentifier
+        self.equal? other
+      when UserInformation
+        (type == UNIQUE_ID && id == other.unique_id) ||
+          (type == DISPLAYABLE_ID && id == other.displayable_id)
+      when String
+        @id == other
+      end
+    end
+  end
+end