googleauth 1.8.1 → 1.14.0

data/lib/googleauth/external_account/base_credentials.rb

@@ -42,6 +42,7 @@ module Google
 
         attr_reader :expires_at
         attr_accessor :access_token
+        attr_accessor :universe_domain
 
         def expires_within? seconds
           # This method is needed for BaseClient
@@ -75,7 +76,7 @@ module Google
         #     The retrieved subject token.
         #
         def retrieve_subject_token!
-          raise NotImplementedError
+          raise NoMethodError, "retrieve_subject_token! not implemented"
         end
 
         # Returns whether the credentials represent a workforce pool (True) or
@@ -85,8 +86,7 @@ module Google
         #     true if the credentials represent a workforce pool.
         #     false if they represent a workload.
         def is_workforce_pool?
-          pattern = "//iam\.googleapis\.com/locations/[^/]+/workforcePools/"
-          /#{pattern}/.match?(@audience || "")
+          %r{/iam\.googleapis\.com/locations/[^/]+/workforcePools/}.match?(@audience || "")
         end
 
         private
@@ -111,6 +111,7 @@ module Google
           @quota_project_id = options[:quota_project_id]
           @project_id = nil
           @workforce_pool_user_project = options[:workforce_pool_user_project]
+          @universe_domain = options[:universe_domain] || "googleapis.com"
 
           @expires_at = nil
           @access_token = nil
@@ -128,7 +129,7 @@ module Google
           if @client_id.nil? && @workforce_pool_user_project
             additional_options = { userProject: @workforce_pool_user_project }
           end
-          @sts_client.exchange_token(
+          token_request = {
             audience: @audience,
             grant_type: STS_GRANT_TYPE,
             subject_token: retrieve_subject_token!,
@@ -136,10 +137,31 @@ module Google
             scopes: @service_account_impersonation_url ? IAM_SCOPE : @scope,
             requested_token_type: STS_REQUESTED_TOKEN_TYPE,
             additional_options: additional_options
-          )
+          }
+          log_token_request token_request
+          @sts_client.exchange_token token_request
+        end
+
+        def log_token_request token_request
+          logger&.info do
+            Google::Logging::Message.from(
+              message: "Requesting access token from #{token_request[:grant_type]}",
+              "credentialsId" => object_id
+            )
+          end
+          logger&.debug do
+            digest = Digest::SHA256.hexdigest token_request[:subject_token].to_s
+            loggable_request = token_request.merge subject_token: "(sha256:#{digest})"
+            Google::Logging::Message.from(
+              message: "Request data",
+              "request" => loggable_request,
+              "credentialsId" => object_id
+            )
+          end
         end
 
         def get_impersonated_access_token token, _options = {}
+          log_impersonated_token_request token
           response = connection.post @service_account_impersonation_url do |req|
             req.headers["Authorization"] = "Bearer #{token}"
             req.headers["Content-Type"] = "application/json"
@@ -152,6 +174,16 @@ module Google
 
           MultiJson.load response.body
         end
+
+        def log_impersonated_token_request original_token
+          logger&.info do
+            digest = Digest::SHA256.hexdigest original_token
+            Google::Logging::Message.from(
+              message: "Requesting impersonated access token with original token (sha256:#{digest})",
+              "credentialsId" => object_id
+            )
+          end
+        end
       end
     end
   end

data/lib/googleauth/external_account.rb

@@ -73,7 +73,8 @@ module Google
               subject_token_type: user_creds[:subject_token_type],
               token_url: user_creds[:token_url],
               credential_source: user_creds[:credential_source],
-              service_account_impersonation_url: user_creds[:service_account_impersonation_url]
+              service_account_impersonation_url: user_creds[:service_account_impersonation_url],
+              universe_domain: user_creds[:universe_domain]
             )
           end
 

data/lib/googleauth/helpers/connection.rb

@@ -24,7 +24,13 @@ module Google
       module Connection
         module_function
 
-        attr_accessor :default_connection
+        def default_connection
+          @default_connection
+        end
+
+        def default_connection= conn
+          @default_connection = conn
+        end
 
         def connection
           @default_connection || Faraday.default_connection

data/lib/googleauth/id_tokens.rb

@@ -168,7 +168,6 @@ module Google
                         aud: nil,
                         azp: nil,
                         iss: OIDC_ISSUERS
-
           verifier = Verifier.new key_source: oidc_key_source,
                                   aud:        aud,
                                   azp:        azp,
@@ -206,7 +205,6 @@ module Google
                        aud: nil,
                        azp: nil,
                        iss: IAP_ISSUERS
-
           verifier = Verifier.new key_source: iap_key_source,
                                   aud:        aud,
                                   azp:        azp,

data/lib/googleauth/impersonated_service_account.rb

@@ -0,0 +1,282 @@
+# Copyright 2024 Google, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "googleauth/signet"
+require "googleauth/base_client"
+require "googleauth/helpers/connection"
+
+module Google
+  module Auth
+    # Authenticates requests using impersonation from base credentials.
+    # This is a two-step process: first authentication claim from the base credentials is created
+    # and then that claim is exchanged for a short-lived token at an IAMCredentials endpoint.
+    # The short-lived token and its expiration time are cached.
+    class ImpersonatedServiceAccountCredentials
+      # @private
+      ERROR_SUFFIX = <<~ERROR.freeze
+        when trying to get security access token
+        from IAM Credentials endpoint using the credentials provided.
+      ERROR
+
+      # @private
+      IAM_SCOPE = ["https://www.googleapis.com/auth/iam".freeze].freeze
+
+      # BaseClient most importantly implements the `:updater_proc` getter,
+      # that returns a reference to an `apply!` method that updates
+      # a hash argument provided with the authorization header containing
+      # the access token (impersonation token in this case).
+      include Google::Auth::BaseClient
+
+      include Helpers::Connection
+
+      # @return [Object] The original authenticated credentials used to fetch short-lived impersonation access tokens
+      attr_reader :base_credentials
+
+      # @return [Object] The modified version of base credentials, tailored for impersonation purposes
+      #   with necessary scope adjustments
+      attr_reader :source_credentials
+
+      # @return [String] The URL endpoint used to generate an impersonation token. This URL should follow a specific
+      #   format to specify the impersonated service account.
+      attr_reader :impersonation_url
+
+      # @return [Array<String>, String] The scope(s) required for the impersonated access token,
+      #   indicating the permissions needed for the short-lived token
+      attr_reader :scope
+
+      # @return [String, nil] The short-lived impersonation access token, retrieved and cached
+      #   after making the impersonation request
+      attr_reader :access_token
+
+      # @return [Time, nil] The expiration time of the current access token, used to determine
+      #   if the token is still valid
+      attr_reader :expires_at
+
+      # Create a ImpersonatedServiceAccountCredentials
+      # When you use service account impersonation, you start with an authenticated principal
+      # (e.g. your user account or a service account)
+      # and request short-lived credentials for a service account
+      # that has the authorization that your use case requires.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def self.make_creds options = {}
+        new options
+      end
+
+      # Initializes a new instance of ImpersonatedServiceAccountCredentials.
+      #
+      # @param options [Hash] A hash of options to configure the credentials.
+      # @option options [Object] :base_credentials (required) The authenticated principal.
+      #   It will be used as following:
+      #   * will be duplicated (with IAM scope) to create the source credentials if it supports duplication
+      #   * as source credentials otherwise.
+      # @option options [String] :impersonation_url (required) The URL to impersonate the service account.
+      #   This URL should follow the format:
+      #   `https://iamcredentials.{universe_domain}/v1/projects/-/serviceAccounts/{source_sa_email}:generateAccessToken`,
+      #   where:
+      #     - `{universe_domain}` is the domain of the IAMCredentials API endpoint (e.g., `googleapis.com`).
+      #     - `{source_sa_email}` is the email address of the service account to impersonate.
+      # @option options [Array<String>, String] :scope (required) The scope(s) for the short-lived impersonation token,
+      #   defining the permissions required for the token.
+      # @option options [Object] :source_credentials The authenticated principal that will be used
+      #   to fetch the short-lived impersonation access token. It is an alternative to providing the base credentials.
+      #   It is redundant to provide both source and base credentials as only source will be used,
+      #   but it can be done, e.g. when duplicating existing credentials.
+      #
+      # @raise [ArgumentError] If any of the required options are missing.
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def initialize options = {}
+        @base_credentials, @impersonation_url, @scope =
+          options.values_at :base_credentials,
+                            :impersonation_url,
+                            :scope
+
+        # Fail-fast checks for required parameters
+        if @base_credentials.nil? && !options.key?(:source_credentials)
+          raise ArgumentError, "Missing required option: either :base_credentials or :source_credentials"
+        end
+        raise ArgumentError, "Missing required option: :impersonation_url" if @impersonation_url.nil?
+        raise ArgumentError, "Missing required option: :scope" if @scope.nil?
+
+        # Some credentials (all Signet-based ones and this one) include scope and a bunch of transient state
+        # (e.g. refresh status) as part of themselves
+        # so a copy needs to be created with the scope overriden and transient state dropped.
+        #
+        # If a credentials does not support `duplicate` we'll try to use it as is assuming it has a broad enough scope.
+        # This might result in an "access denied" error downstream when the token from that credentials is being used
+        # for the token exchange.
+        @source_credentials = if options.key? :source_credentials
+                                options[:source_credentials]
+                              elsif @base_credentials.respond_to? :duplicate
+                                @base_credentials.duplicate({
+                                                              scope: IAM_SCOPE
+                                                            })
+                              else
+                                @base_credentials
+                              end
+      end
+
+      # Determines whether the current access token expires within the specified number of seconds.
+      #
+      # @param seconds [Integer] The number of seconds to check against the token's expiration time.
+      #
+      # @return [Boolean] Whether the access token expires within the given time frame
+      def expires_within? seconds
+        # This method is needed for BaseClient
+        @expires_at && @expires_at - Time.now.utc < seconds
+      end
+
+      # The universe domain of the impersonated credentials.
+      # Effectively this retrieves the universe domain of the source credentials.
+      #
+      # @return [String] The universe domain of the credentials.
+      def universe_domain
+        @source_credentials.universe_domain
+      end
+
+      # @return [Logger, nil] The logger of the credentials.
+      def logger
+        @source_credentials.logger if source_credentials.respond_to? :logger
+      end
+
+      # Creates a duplicate of these credentials without transient token state
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized
+      #   * `base_credentials` the base credentials used to initialize the impersonation
+      #   * `source_credentials` the authenticated credentials which usually would be
+      #     base credentials with scope overridden to IAM_SCOPE
+      #   * `impersonation_url` the URL to use to make an impersonation token exchange
+      #   * `scope` the scope(s) to access
+      #
+      # @return [Google::Auth::ImpersonatedServiceAccountCredentials]
+      def duplicate options = {}
+        options = deep_hash_normalize options
+
+        options = {
+          base_credentials: @base_credentials,
+          source_credentials: @source_credentials,
+          impersonation_url: @impersonation_url,
+          scope: @scope
+        }.merge(options)
+
+        self.class.new options
+      end
+
+      private
+
+      # Generates a new impersonation access token by exchanging the source credentials' token
+      # at the impersonation URL.
+      #
+      # This method first fetches an access token from the source credentials and then exchanges it
+      # for an impersonation token using the specified impersonation URL. The generated token and
+      # its expiration time are cached for subsequent use.
+      #
+      # @param _options [Hash] (optional) Additional options for token retrieval (currently unused).
+      #
+      # @raise [Signet::UnexpectedStatusError] If the response status is 403 or 500.
+      # @raise [Signet::AuthorizationError] For other unexpected response statuses.
+      #
+      # @return [String] The newly generated impersonation access token.
+      def fetch_access_token! _options = {}
+        auth_header = {}
+        auth_header = @source_credentials.updater_proc.call auth_header
+
+        resp = connection.post @impersonation_url do |req|
+          req.headers.merge! auth_header
+          req.headers["Content-Type"] = "application/json"
+          req.body = MultiJson.dump({ scope: @scope })
+        end
+
+        case resp.status
+        when 200
+          response = MultiJson.load resp.body
+          self.expires_at = response["expireTime"]
+          @access_token = response["accessToken"]
+          access_token
+        when 403, 500
+          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+          raise Signet::UnexpectedStatusError, msg
+        else
+          msg = "Unexpected error code #{resp.status}.\n #{resp.env.response_body} #{ERROR_SUFFIX}"
+          raise Signet::AuthorizationError, msg
+        end
+      end
+
+      # Setter for the expires_at value that makes sure it is converted
+      # to Time object.
+      def expires_at= new_expires_at
+        @expires_at = normalize_timestamp new_expires_at
+      end
+
+      # Returns the type of token (access_token).
+      # This method is needed for BaseClient.
+      def token_type
+        :access_token
+      end
+
+      # Normalizes a timestamp to a Time object.
+      #
+      # @param time [Time, String, nil] The timestamp to normalize.
+      #
+      # @return [Time, nil] The normalized Time object, or nil if the input is nil.
+      #
+      # @raise [RuntimeError] If the input is not a Time, String, or nil.
+      def normalize_timestamp time
+        case time
+        when NilClass
+          nil
+        when Time
+          time
+        when String
+          Time.parse time
+        else
+          raise "Invalid time value #{time}"
+        end
+      end
+
+      # Convert all keys in this hash (nested) to symbols for uniform retrieval
+      def recursive_hash_normalize_keys val
+        if val.is_a? Hash
+          deep_hash_normalize val
+        else
+          val
+        end
+      end
+
+      def deep_hash_normalize old_hash
+        sym_hash = {}
+        old_hash&.each { |k, v| sym_hash[k.to_sym] = recursive_hash_normalize_keys v }
+        sym_hash
+      end
+    end
+  end
+end

data/lib/googleauth/json_key_reader.rb

@@ -27,7 +27,8 @@ module Google
           json_key["private_key"],
           json_key["client_email"],
           json_key["project_id"],
-          json_key["quota_project_id"]
+          json_key["quota_project_id"],
+          json_key["universe_domain"]
         ]
       end
     end

data/lib/googleauth/service_account.rb

@@ -12,13 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "googleauth/signet"
-require "googleauth/credentials_loader"
-require "googleauth/json_key_reader"
 require "jwt"
 require "multi_json"
 require "stringio"
 
+require "google/logging/message"
+require "googleauth/signet"
+require "googleauth/credentials_loader"
+require "googleauth/json_key_reader"
+require "googleauth/service_account_jwt_header"
+
 module Google
   # Module Auth provides classes that provide Google-specific authorization
   # used to access Google APIs.
@@ -39,7 +42,11 @@ module Google
       attr_reader :quota_project_id
 
       def enable_self_signed_jwt?
-        @enable_self_signed_jwt
+        # Use a self-singed JWT if there's no information that can be used to
+        # obtain an OAuth token, OR if there are scopes but also an assertion
+        # that they are default scopes that shouldn't be used to fetch a token,
+        # OR we are not in the default universe and thus OAuth isn't supported.
+        target_audience.nil? && (scope.nil? || @enable_self_signed_jwt || universe_domain != "googleapis.com")
       end
 
       # Creates a ServiceAccountCredentials.
@@ -53,12 +60,13 @@ module Google
         raise ArgumentError, "Cannot specify both scope and target_audience" if scope && target_audience
 
         if json_key_io
-          private_key, client_email, project_id, quota_project_id = read_json_key json_key_io
+          private_key, client_email, project_id, quota_project_id, universe_domain = read_json_key json_key_io
         else
           private_key = unescape ENV[CredentialsLoader::PRIVATE_KEY_VAR]
           client_email = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
           project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
           quota_project_id = nil
+          universe_domain = nil
         end
         project_id ||= CredentialsLoader.load_gcloud_project_id
 
@@ -70,10 +78,35 @@ module Google
             issuer:                 client_email,
             signing_key:            OpenSSL::PKey::RSA.new(private_key),
             project_id:             project_id,
-            quota_project_id:       quota_project_id)
+            quota_project_id:       quota_project_id,
+            universe_domain:        universe_domain || "googleapis.com")
           .configure_connection(options)
       end
 
+      # Creates a duplicate of these credentials
+      # without the Signet::OAuth2::Client-specific
+      # transient state (e.g. cached tokens)
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      def duplicate options = {}
+        options = deep_hash_normalize options
+        super(
+          {
+            enable_self_signed_jwt: @enable_self_signed_jwt,
+            project_id: project_id,
+            quota_project_id: quota_project_id,
+            logger: logger
+          }.merge(options)
+        )
+      end
+
       # Handles certain escape sequences that sometimes appear in input.
       # Specifically, interprets the "\n" sequence for newline, and removes
       # enclosing quotes.
@@ -93,16 +126,44 @@ module Google
       # Extends the base class to use a transient
       # ServiceAccountJwtHeaderCredentials for certain cases.
       def apply! a_hash, opts = {}
-        # Use a self-singed JWT if there's no information that can be used to
-        # obtain an OAuth token, OR if there are scopes but also an assertion
-        # that they are default scopes that shouldn't be used to fetch a token.
-        if target_audience.nil? && (scope.nil? || enable_self_signed_jwt?)
+        if enable_self_signed_jwt?
           apply_self_signed_jwt! a_hash
         else
           super
         end
       end
 
+      # Modifies this logic so it also requires self-signed-jwt to be disabled
+      def needs_access_token?
+        super && !enable_self_signed_jwt?
+      end
+
+      # Destructively updates these credentials
+      #
+      # This method is called by `Signet::OAuth2::Client`'s constructor
+      #
+      # @param options [Hash] Overrides for the credentials parameters.
+      #   The following keys are recognized in addition to keys in the
+      #   Signet::OAuth2::Client
+      #   * `:enable_self_signed_jwt` Whether the self-signed JWT should
+      #     be used for the authentication
+      #   * `project_id` the project id to use during the authentication
+      #   * `quota_project_id` the quota project id to use
+      #     during the authentication
+      # @return [Google::Auth::ServiceAccountCredentials]
+      def update! options = {}
+        # Normalize all keys to symbols to allow indifferent access.
+        options = deep_hash_normalize options
+
+        @enable_self_signed_jwt = options[:enable_self_signed_jwt] ? true : false
+        @project_id = options[:project_id] if options.key? :project_id
+        @quota_project_id = options[:quota_project_id] if options.key? :quota_project_id
+
+        super(options)
+
+        self
+      end
+
       private
 
       def apply_self_signed_jwt! a_hash
@@ -115,101 +176,9 @@ module Google
         }
         key_io = StringIO.new MultiJson.dump(cred_json)
         alt = ServiceAccountJwtHeaderCredentials.make_creds json_key_io: key_io, scope: scope
+        alt.logger = logger
         alt.apply! a_hash
       end
     end
-
-    # Authenticates requests using Google's Service Account credentials via
-    # JWT Header.
-    #
-    # This class allows authorizing requests for service accounts directly
-    # from credentials from a json key file downloaded from the developer
-    # console (via 'Generate new Json Key').  It is not part of any OAuth2
-    # flow, rather it creates a JWT and sends that as a credential.
-    #
-    # cf [Application Default Credentials](https://cloud.google.com/docs/authentication/production)
-    class ServiceAccountJwtHeaderCredentials
-      JWT_AUD_URI_KEY = :jwt_aud_uri
-      AUTH_METADATA_KEY = Google::Auth::BaseClient::AUTH_METADATA_KEY
-      TOKEN_CRED_URI = "https://www.googleapis.com/oauth2/v4/token".freeze
-      SIGNING_ALGORITHM = "RS256".freeze
-      EXPIRY = 60
-      extend CredentialsLoader
-      extend JsonKeyReader
-      attr_reader :project_id
-      attr_reader :quota_project_id
-
-      # Create a ServiceAccountJwtHeaderCredentials.
-      #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
-      # @param scope [string|array|nil] the scope(s) to access
-      def self.make_creds options = {}
-        json_key_io, scope = options.values_at :json_key_io, :scope
-        new json_key_io: json_key_io, scope: scope
-      end
-
-      # Initializes a ServiceAccountJwtHeaderCredentials.
-      #
-      # @param json_key_io [IO] an IO from which the JSON key can be read
-      def initialize options = {}
-        json_key_io = options[:json_key_io]
-        if json_key_io
-          @private_key, @issuer, @project_id, @quota_project_id =
-            self.class.read_json_key json_key_io
-        else
-          @private_key = ENV[CredentialsLoader::PRIVATE_KEY_VAR]
-          @issuer = ENV[CredentialsLoader::CLIENT_EMAIL_VAR]
-          @project_id = ENV[CredentialsLoader::PROJECT_ID_VAR]
-          @quota_project_id = nil
-        end
-        @project_id ||= CredentialsLoader.load_gcloud_project_id
-        @signing_key = OpenSSL::PKey::RSA.new @private_key
-        @scope = options[:scope]
-      end
-
-      # Construct a jwt token if the JWT_AUD_URI key is present in the input
-      # hash.
-      #
-      # The jwt token is used as the value of a 'Bearer '.
-      def apply! a_hash, opts = {}
-        jwt_aud_uri = a_hash.delete JWT_AUD_URI_KEY
-        return a_hash if jwt_aud_uri.nil? && @scope.nil?
-        jwt_token = new_jwt_token jwt_aud_uri, opts
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{jwt_token}"
-        a_hash
-      end
-
-      # Returns a clone of a_hash updated with the authoriation header
-      def apply a_hash, opts = {}
-        a_copy = a_hash.clone
-        apply! a_copy, opts
-        a_copy
-      end
-
-      # Returns a reference to the #apply method, suitable for passing as
-      # a closure
-      def updater_proc
-        proc { |a_hash, opts = {}| apply a_hash, opts }
-      end
-
-      # Creates a jwt uri token.
-      def new_jwt_token jwt_aud_uri = nil, options = {}
-        now = Time.new
-        skew = options[:skew] || 60
-        assertion = {
-          "iss" => @issuer,
-          "sub" => @issuer,
-          "exp" => (now + EXPIRY).to_i,
-          "iat" => (now - skew).to_i
-        }
-
-        jwt_aud_uri = nil if @scope
-
-        assertion["scope"] = Array(@scope).join " " if @scope
-        assertion["aud"] = jwt_aud_uri if jwt_aud_uri
-
-        JWT.encode assertion, @signing_key, SIGNING_ALGORITHM
-      end
-    end
   end
 end