doorkeeper-openid_connect 1.7.5 → 1.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8faf5bba278059c030aab079426353b543baa68bc374991f6ba243454cd09aac
-  data.tar.gz: 06f56eb8b593086cc03fee056efb4d82447fd40cdd341b354ed371fde47dec63
+  metadata.gz: 580964e8b1538ed3a9eb35826fe502698ab43c7a7343909d5371d2e177592737
+  data.tar.gz: 3593a4e8975761cff3aa38840a88f8e21da5e65109fb90b7296dccb7442c6382
 SHA512:
-  metadata.gz: d40202cdca7cddf5606674a4c08a4894ba9be7f8ec072520c73e81e1da48c87ba3e1c95573e0baa1ddcccaa20201eeb76d9af947e3f772223f2a4c658c730e92
-  data.tar.gz: a36e15a4cdc316a82a67cc842731149ec5522e27dc21569d2c33bdbe292afc5bc81d6c4f93679c0b7ada133dcfb5e43ae4250470709a58371664f83d983e38bb
+  metadata.gz: 80e1ca10f0d89071970458b2ac237164cba4c8e143abcd2ea3f45b727f35f59e3f106d4435d2066b759eec8cc599e904255b57ff560743e29c5eb3a78ef8efca
+  data.tar.gz: 741c3d256765a8bd6ca5d838ac2ced86dadf98635b5d39c64a2a589231c9ba2151be4822ec7b9c11aac48d819261823319d4161a5702d00cab492acb00aa04d3

data/CHANGELOG.md

@@ -1,5 +1,35 @@
 ## Unreleased
 
+- [#] Add here
+
+## v1.8.2 (2022-07-13)
+
+- [#168] Allow to use custom doorkeeper access grant model (thanks @nov).
+- [#170] Controllers inherit `Doorkeeper::AppliactionMetalController` (thanks @sato11).
+- [#171] Correctly override `AuthorizationsController` params (thanks to @nbulaj).
+
+## v1.8.1 (2022-02-09)
+
+- [#153] Fix ArgumentError caused by client credential validation introduced in Doorkeeper 5.5.1 (thanks to @CircumnavigatingFlatEarther)
+- [#161] Fix .well-known/openid-connect issuer (respond to block if provided) (thanks to @fkowal).
+- [#152] Expose oauth-authorization-server in routes (thanks to @mitar)
+
+## v1.8.0 (2021-05-11)
+
+No changes from v1.8.0-rc1.
+
+## v1.8.0-rc1 (2021-04-20)
+
+### Upgrading
+
+This gem now requires Doorkeeper 5.5 and Ruby 2.5.
+
+### Changes
+
+- [#138] Support form_post response mode (thanks to @linhdangduy)
+- [#144] Support block syntax for `issuer` configuration (thanks to @maxxsnake)
+- [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)
+
 ## v1.7.5 (2020-12-15)
 
 ### Changes

data/README.md

@@ -1,6 +1,6 @@
 # Doorkeeper::OpenidConnect
 
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper-openid_connect)
+[![Build Status](https://app.travis-ci.com/doorkeeper-gem/doorkeeper-openid_connect.svg?branch=master)](https://app.travis-ci.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 
@@ -34,6 +34,7 @@ The following parts of [OpenID Connect Core 1.0](http://openid.net/specs/openid-
 - [Requesting Claims using Scope Values](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
 - [UserInfo Endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
 - [Normal Claims](http://openid.net/specs/openid-connect-core-1_0.html#NormalClaims)
+- [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
 
 In addition we also support most of [OpenID Connect Discovery 1.0](http://openid.net/specs/openid-connect-discovery-1_0.html) for automatic configuration discovery.
 
@@ -103,6 +104,7 @@ The following settings are required in `config/initializers/doorkeeper_openid_co
 
 - `issuer`
   - Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the `https` scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
+  - You can either pass a string value, or a block to generate the issuer dynamically based on the `resource_owner` and `application` or [request](app/controllers/doorkeeper/openid_connect/discovery_controller.rb#L123) passed to the block.
 - `subject`
   - Identifier for the resource owner (i.e. the authenticated user). A locally unique and never reassigned identifier within the issuer for the end-user, which is intended to be consumed by the client. The value is a case-sensitive string and must not exceed 255 ASCII characters in length.
   - The database ID of the user is an acceptable choice if you don't mind leaking that information.

data/app/controllers/concerns/doorkeeper/openid_connect/authorizations_extension.rb

@@ -0,0 +1,12 @@
+module Doorkeeper
+  module OpenidConnect
+    module AuthorizationsExtension
+      private
+
+      def pre_auth_param_fields
+        super.append(:nonce)
+      end
+    end
+  end
+end
+

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

@@ -2,7 +2,7 @@
 
 module Doorkeeper
   module OpenidConnect
-    class DiscoveryController < ::Doorkeeper::ApplicationController
+    class DiscoveryController < ::Doorkeeper::ApplicationMetalController
       include Doorkeeper::Helpers::Controller
 
       WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
@@ -24,12 +24,13 @@ module Doorkeeper
       def provider_response
         doorkeeper = ::Doorkeeper.configuration
         openid_connect = ::Doorkeeper::OpenidConnect.configuration
+
         {
-          issuer: openid_connect.issuer,
+          issuer: issuer,
           authorization_endpoint: oauth_authorization_url(authorization_url_options),
           token_endpoint: oauth_token_url(token_url_options),
           revocation_endpoint: oauth_revoke_url(revocation_url_options),
-          introspection_endpoint: oauth_introspect_url(introspection_url_options),
+          introspection_endpoint: respond_to?(:oauth_introspect_url) ? oauth_introspect_url(introspection_url_options) : nil,
           userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
           jwks_uri: oauth_discovery_keys_url(jwks_url_options),
           end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
@@ -38,7 +39,7 @@ module Doorkeeper
 
           # TODO: support id_token response type
           response_types_supported: doorkeeper.authorization_response_types,
-          response_modes_supported: %w[query fragment],
+          response_modes_supported: response_modes_supported(doorkeeper),
           grant_types_supported: grant_types_supported(doorkeeper),
 
           # TODO: look into doorkeeper-jwt_assertion for these
@@ -76,6 +77,10 @@ module Doorkeeper
         grant_types_supported
       end
 
+      def response_modes_supported(doorkeeper)
+        doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
+      end
+
       def webfinger_response
         {
           subject: params.require(:resource),
@@ -115,6 +120,14 @@ module Doorkeeper
         }
       end
 
+      def issuer
+        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
+          Doorkeeper::OpenidConnect.configuration.issuer.call(request).to_s
+        else
+          Doorkeeper::OpenidConnect.configuration.issuer
+        end
+      end
+
       %i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
         define_method :"#{endpoint}_url_options" do
           discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})

data/app/controllers/doorkeeper/openid_connect/userinfo_controller.rb

@@ -2,10 +2,7 @@
 
 module Doorkeeper
   module OpenidConnect
-    class UserinfoController < ::Doorkeeper::ApplicationController
-      unless Doorkeeper.configuration.api_only
-        skip_before_action :verify_authenticity_token
-      end
+    class UserinfoController < ::Doorkeeper::ApplicationMetalController
       before_action -> { doorkeeper_authorize! :openid }
 
       def show

data/lib/doorkeeper/oauth/id_token_response.rb

@@ -17,19 +17,17 @@ module Doorkeeper
         true
       end
 
-      def redirect_uri
-        Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, redirect_uri_params)
-      end
-
-      private
-
-      def redirect_uri_params
+      def body
         {
           expires_in: auth.token.expires_in_seconds,
           state: pre_auth.state,
           id_token: id_token.as_jws_token
         }
       end
+
+      def redirect_uri
+        Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/id_token_token_response.rb

@@ -3,9 +3,7 @@
 module Doorkeeper
   module OAuth
     class IdTokenTokenResponse < IdTokenResponse
-      private
-
-      def redirect_uri_params
+      def body
         super.merge({
           access_token: auth.token.token,
           token_type: auth.token.token_type

data/lib/doorkeeper/openid_connect/engine.rb

@@ -6,6 +6,10 @@ module Doorkeeper
       initializer 'doorkeeper.openid_connect.routes' do
         Doorkeeper::OpenidConnect::Rails::Routes.install!
       end
+
+      config.to_prepare do
+        Doorkeeper::AuthorizationsController.prepend Doorkeeper::OpenidConnect::AuthorizationsExtension
+      end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb

@@ -52,15 +52,16 @@ module Doorkeeper
                                redirect_uri: params[:redirect_uri],
                                response_on_fragment: pre_auth.response_on_fragment?,
                              )
-          end
+                           end
 
           response.headers.merge!(error_response.headers)
 
-          if error_response.redirectable?
-            render json: error_response.body, status: :found, location: error_response.redirect_uri
-          else
-            render json: error_response.body, status: error_response.status
-          end
+          # NOTE: Assign error_response to @authorize_response then use redirect_or_render method that are defined at
+          #   doorkeeper's authorizations_controller.
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L110
+          # - https://github.com/doorkeeper-gem/doorkeeper/blob/v5.5.0/app/controllers/doorkeeper/authorizations_controller.rb#L52
+          @authorize_response = error_response
+          redirect_or_render(@authorize_response)
         end
 
         def handle_oidc_prompt_param!(owner)

data/lib/doorkeeper/openid_connect/id_token.rb

@@ -40,7 +40,11 @@ module Doorkeeper
       private
 
       def issuer
-        Doorkeeper::OpenidConnect.configuration.issuer
+        if Doorkeeper::OpenidConnect.configuration.issuer.respond_to?(:call)
+          Doorkeeper::OpenidConnect.configuration.issuer.call(@resource_owner, @access_token.application).to_s
+        else
+          Doorkeeper::OpenidConnect.configuration.issuer
+        end
       end
 
       def subject

data/lib/doorkeeper/openid_connect/oauth/password_access_token_request.rb

@@ -6,9 +6,16 @@ module Doorkeeper
       module PasswordAccessTokenRequest
         attr_reader :nonce
 
-        def initialize(server, client, resource_owner, parameters = {})
-          super
-          @nonce = parameters[:nonce]
+        if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.1')
+          def initialize(server, client, credentials, resource_owner, parameters = {})
+            super
+            @nonce = parameters[:nonce]
+          end
+        else
+          def initialize(server, client, resource_owner, parameters = {})
+            super
+            @nonce = parameters[:nonce]
+          end
         end
 
         private

data/lib/doorkeeper/openid_connect/oauth/pre_authorization.rb

@@ -7,27 +7,20 @@ module Doorkeeper
         attr_reader :nonce
 
         def initialize(server, attrs = {}, resource_owner = nil)
-          if (Doorkeeper::VERSION::MAJOR >= 5 && Doorkeeper::VERSION::MINOR >= 4) ||
-             Doorkeeper::VERSION::MAJOR >= 6
-            super
-          else
-            super(server, attrs)
-          end
+          super
           @nonce = attrs[:nonce]
         end
 
-        # This method will be updated when doorkeeper move to version > 5.2.2
-        # TODO: delete this method and refactor response_on_fragment? method (below) when doorkeeper gem version constrains is > 5.2.2
-        def error_response
-          if error == :invalid_request
-            Doorkeeper::OAuth::InvalidRequestResponse.from_request(self, response_on_fragment: response_on_fragment?)
-          else
-            Doorkeeper::OAuth::ErrorResponse.from_request(self, response_on_fragment: response_on_fragment?)
+        # NOTE: Auto get default response_mode of specified response_type if response_mode is not
+        #   yet present. We can delete this method after Doorkeeper's minimize version support it.
+        def response_on_fragment?
+          return response_mode == 'fragment' if response_mode.present?
+
+          grant_flow = server.authorization_response_flows.detect do |flow|
+            flow.matches_response_type?(response_type)
           end
-        end
 
-        def response_on_fragment?
-          Doorkeeper::OpenidConnect::ResponseMode.new(response_type).fragment?
+          grant_flow&.default_response_mode == 'fragment'
         end
       end
     end

data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb

@@ -7,12 +7,11 @@ module Doorkeeper
         base.class_eval do
           has_one :openid_request,
             class_name: 'Doorkeeper::OpenidConnect::Request',
+            foreign_key: 'access_grant_id',
             inverse_of: :access_grant,
             dependent: :delete
         end
       end
     end
   end
-
-  AccessGrant.prepend OpenidConnect::AccessGrant
 end

data/lib/doorkeeper/openid_connect/orm/active_record/request.rb

@@ -6,9 +6,16 @@ module Doorkeeper
       self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
 
       validates :access_grant_id, :nonce, presence: true
-      belongs_to :access_grant,
-                 class_name: 'Doorkeeper::AccessGrant',
-                 inverse_of: :openid_request
+
+      if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.0')
+        belongs_to :access_grant,
+                   class_name: Doorkeeper.config.access_grant_class.to_s,
+                   inverse_of: :openid_request
+      else
+        belongs_to :access_grant,
+                   class_name: 'Doorkeeper::AccessGrant',
+                   inverse_of: :openid_request
+      end
     end
   end
 end

data/lib/doorkeeper/openid_connect/orm/active_record.rb

@@ -4,14 +4,39 @@ require 'active_support/lazy_load_hooks'
 
 module Doorkeeper
   module OpenidConnect
+    autoload :AccessGrant, "doorkeeper/openid_connect/orm/active_record/access_grant"
+    autoload :Request, "doorkeeper/openid_connect/orm/active_record/request"
+
     module Orm
       module ActiveRecord
+        def run_hooks
+          super
+
+          if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.0')
+            Doorkeeper.config.access_grant_model.prepend Doorkeeper::OpenidConnect::AccessGrant
+          else
+            Doorkeeper::AccessGrant.prepend Doorkeeper::OpenidConnect::AccessGrant
+          end
+
+          if Doorkeeper.configuration.active_record_options[:establish_connection]
+            [Doorkeeper::OpenidConnect::Request].each do |c|
+              c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+            end
+          end
+        end
+
         def initialize_models!
           super
           ActiveSupport.on_load(:active_record) do
             require 'doorkeeper/openid_connect/orm/active_record/access_grant'
             require 'doorkeeper/openid_connect/orm/active_record/request'
 
+            if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.0')
+              Doorkeeper.config.access_grant_model.prepend Doorkeeper::OpenidConnect::AccessGrant
+            else
+              Doorkeeper::AccessGrant.prepend Doorkeeper::OpenidConnect::AccessGrant
+            end
+
             if Doorkeeper.configuration.active_record_options[:establish_connection]
               [Doorkeeper::OpenidConnect::Request].each do |c|
                 c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]

data/lib/doorkeeper/openid_connect/rails/routes.rb

@@ -62,6 +62,7 @@ module Doorkeeper
         def discovery_well_known_routes
           routes.scope path: '.well-known' do
             routes.get :provider, path: 'openid-configuration'
+            routes.get :provider, path: 'oauth-authorization-server'
             routes.get :webfinger
           end
         end

data/lib/doorkeeper/openid_connect/version.rb

@@ -2,6 +2,6 @@
 
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.7.5'
+    VERSION = '1.8.2'
   end
 end

data/lib/doorkeeper/openid_connect.rb

@@ -16,13 +16,11 @@ require 'doorkeeper/openid_connect/claims_builder'
 require 'doorkeeper/openid_connect/claims/claim'
 require 'doorkeeper/openid_connect/claims/normal_claim'
 require 'doorkeeper/openid_connect/config'
-require 'doorkeeper/openid_connect/response_types_config'
 require 'doorkeeper/openid_connect/engine'
 require 'doorkeeper/openid_connect/errors'
 require 'doorkeeper/openid_connect/id_token'
 require 'doorkeeper/openid_connect/id_token_token'
 require 'doorkeeper/openid_connect/user_info'
-require 'doorkeeper/openid_connect/response_mode'
 require 'doorkeeper/openid_connect/version'
 
 require 'doorkeeper/openid_connect/helpers/controller'
@@ -65,26 +63,22 @@ module Doorkeeper
       end
     end
 
-    if defined?(::Doorkeeper::GrantFlow)
-      Doorkeeper::GrantFlow.register(
-        :id_token,
-        response_type_matches: 'id_token',
-        response_type_strategy: Doorkeeper::OpenidConnect::IdToken,
-      )
+    Doorkeeper::GrantFlow.register(
+      :id_token,
+      response_type_matches: 'id_token',
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::IdToken,
+    )
 
-      Doorkeeper::GrantFlow.register(
-        'id_token token',
-        response_type_matches: 'id_token token',
-        response_type_strategy: Doorkeeper::OpenidConnect::IdTokenToken,
-      )
+    Doorkeeper::GrantFlow.register(
+      'id_token token',
+      response_type_matches: 'id_token token',
+      response_mode_matches: %w[fragment form_post],
+      response_type_strategy: Doorkeeper::Request::IdTokenToken,
+    )
 
-      Doorkeeper::GrantFlow.register_alias(
-        'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
-      )
-    else
-      # TODO: drop this and corresponding file when we will set minimal
-      # required Doorkeeper version to 5.5.
-      Doorkeeper::Config.prepend OpenidConnect::ResponseTypeConfig
-    end
+    Doorkeeper::GrantFlow.register_alias(
+      'implicit_oidc', as: ['implicit', 'id_token', 'id_token token']
+    )
   end
 end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 Doorkeeper::OpenidConnect.configure do
-  issuer 'issuer string'
+  issuer do |resource_owner, application|
+    'issuer string'
+  end
 
   signing_key <<~KEY
     -----BEGIN RSA PRIVATE KEY-----

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.7.5
+  version: 1.8.2
 platform: ruby
 authors:
 - Sam Dengler
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-16 00:00:00.000000000 Z
+date: 2022-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -17,20 +17,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.5'
+        version: '5.7'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
@@ -126,7 +126,7 @@ files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
-- app/controllers/doorkeeper/authorizations_controller.rb
+- app/controllers/concerns/doorkeeper/openid_connect/authorizations_extension.rb
 - app/controllers/doorkeeper/openid_connect/discovery_controller.rb
 - app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
 - config/locales/en.yml
@@ -157,8 +157,6 @@ files:
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapping.rb
-- lib/doorkeeper/openid_connect/response_mode.rb
-- lib/doorkeeper/openid_connect/response_types_config.rb
 - lib/doorkeeper/openid_connect/user_info.rb
 - lib/doorkeeper/openid_connect/version.rb
 - lib/doorkeeper/request/id_token.rb
@@ -179,7 +177,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-require_dependency "#{Doorkeeper::Engine.root}/app/controllers/doorkeeper/authorizations_controller.rb"
-
-module Doorkeeper
-  class AuthorizationsController
-    module AuthorizationsExtension
-      private
-
-      def pre_auth_param_fields
-        super.append(:nonce)
-      end
-    end
-
-    Doorkeeper::AuthorizationsController.prepend AuthorizationsExtension
-  end
-end

data/lib/doorkeeper/openid_connect/response_mode.rb

@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  module OpenidConnect
-    class ResponseMode
-      attr_reader :type
-
-      def initialize(response_type)
-        @type = response_type
-      end
-
-      def fragment?
-        mode == 'fragment'
-      end
-
-      def query?
-        mode == 'query'
-      end
-
-      def mode
-        case type
-        when 'token', 'id_token', 'id_token token'
-          'fragment'
-        else
-          'query'
-        end
-      end
-    end
-  end
-end

data/lib/doorkeeper/openid_connect/response_types_config.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module Doorkeeper
-  module OpenidConnect
-    module ResponseTypeConfig
-      private def calculate_authorization_response_types
-        types = super
-        if grant_flows.include? 'implicit_oidc'
-          types << 'token'
-          types << 'id_token'
-          types << 'id_token token'
-        end
-        types
-      end
-    end
-  end
-end