ruby-saml 0.8.9 → 0.8.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 646f99f7f6a7590eb22b51fad5f183cfed8038be
-  data.tar.gz: 008e10e85a4aea26fdf2c067cc8f6112d18f55a7
+SHA256:
+  metadata.gz: 1a564ad5fdd002f4648b22638bf51dd7ad029ea633484289c7ce2e8759a3c5d6
+  data.tar.gz: 15d0f1c459006f4c65fc9cb916b29b55098e68d9e3c5123080737b41b4e5e449
 SHA512:
-  metadata.gz: 7d239d7038cf7041e4dab1dd27dd92e5bb1f53d777ace0aa0c4ed9f08b4a9b077555e7d1eeed2ed8a8e21767039267747b9194172148e74bac7703205b862a16
-  data.tar.gz: 151df4d9fc610fbef47e5c93c73b8f25f9297b0bd457106e6fcd427933eebbe164c415d807ca9f70749937d5df66a4e49fb5423a7be2de6b1cd24641a077f94e
+  metadata.gz: 943d65750b9895285e60b24d612c1cce77bef3a262387121ccf9b7f8536ebfea27874d3a68ff095dc1a36e2bc3c53f509de07d2e4e31c02a20437e18015af561
+  data.tar.gz: ccf1223639a43235641ba2533e61473e4ff248624571cd05177ccd1dd0611f7d8df16f405fd74af2987112a988f5fcb0f2f6c54fe3830f89d3688964780ea333

data/Gemfile

@@ -5,9 +5,16 @@ source 'http://rubygems.org'
 
 gemspec
 
+if RUBY_VERSION < '1.9'
+  gem 'nokogiri',   '~> 1.5.0'
+elsif RUBY_VERSION < '2.1'
+  gem 'nokogiri',   '>= 1.5.0', '<= 1.6.8.1'
+else
+  gem 'nokogiri',   '>= 1.5.0'
+end
+
 group :test do
   if RUBY_VERSION < '1.9'
-    gem 'nokogiri',   '~> 1.5.0'
     gem 'ruby-debug', '~> 0.10.4'
   elsif RUBY_VERSION < '2.0'
     gem 'debugger-linecache', '~> 1.2.0'
@@ -23,5 +30,6 @@ group :test do
   gem 'shoulda',   '~> 2.11'
   gem 'systemu',   '~> 2'
   gem 'test-unit', '~> 3.0.9'
+  gem 'minitest',  '~> 5.5'
   gem 'timecop',   '<= 0.6.0'
 end

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -1,16 +1,49 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
-require "rexml/document"
-require "rexml/xpath"
+require "onelogin/ruby-saml/utils"
 
 module OneLogin
   module RubySaml
-  include REXML
+
     class Authrequest
+      # AuthNRequest ID
+      attr_reader :uuid
+
+      # Initializes the AuthNRequest. An Authrequest Object.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
       def create(settings, params = {})
-        params = {} if params.nil?
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil?
+        @login_url = settings.idp_sso_target_url + request_params
+      end
+
+      # Creates the Get parameters for the request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
 
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -20,28 +53,49 @@ module OneLogin
 
         Logging.debug "Created AuthnRequest: #{request}"
 
-        request           = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
+        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
         if Base64.respond_to?('strict_encode64')
-            base64_request    = Base64.strict_encode64(request)
+          base64_request = Base64.strict_encode64(request)
         else
-            base64_request    = Base64.encode64(request).gsub(/\n/, "")
+          base64_request = Base64.encode64(request).gsub(/\n/, "")
+        end
+
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
         end
-        encoded_request   = CGI.escape(base64_request)
-        params_prefix     = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
-        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
 
         params.each_pair do |key, value|
-          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          request_params[key] = value.to_s
         end
 
-        settings.idp_sso_target_url + request_params
+        request_params
       end
 
       def create_authentication_xml_doc(settings)
-        uuid = "_" + UUID.new.generate
-        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-        # Create AuthnRequest root element using REXML
-        request_doc = REXML::Document.new
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
 
         root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
@@ -97,6 +151,17 @@ module OneLogin
         request_doc
       end
 
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,49 +1,106 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
+require 'rexml/document'
+require "onelogin/ruby-saml/utils"
 
 module OneLogin
   module RubySaml
-    include REXML
+
     class Logoutrequest
 
       attr_reader :uuid # Can be obtained if neccessary
 
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       def create(settings, params={})
-        request_doc = create_unauth_xml_doc(settings, params)
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        @logout_url = settings.idp_slo_target_url + request_params
+      end
+
+      # Creates the Get parameters for the logout request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        request_doc = create_logout_request_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
         request = ""
         request_doc.write(request)
 
-        deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+        Logging.debug "Created SLO Logout Request: #{request}"
+
+        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
         if Base64.respond_to?('strict_encode64')
-            base64_request    = Base64.strict_encode64(deflated_request)
+          base64_request = Base64.strict_encode64(request)
         else
-            base64_request    = Base64.encode64(deflated_request).gsub(/\n/, "")
+          base64_request = Base64.encode64(request).gsub(/\n/, "")
         end
-        encoded_request   = CGI.escape(base64_request)
+        request_params = {"SAMLRequest" => base64_request}
 
-        params_prefix     = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
-        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
+        if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
 
         params.each_pair do |key, value|
-          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+          request_params[key] = value.to_s
         end
 
-        @logout_url = settings.idp_slo_target_url + request_params
+        request_params
       end
 
-      def create_unauth_xml_doc(settings, params)
+      # Creates the SAMLRequest String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @return [String] The SAMLRequest String.
+      #
+      def create_logout_request_xml_doc(settings)
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings, request_doc=nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
 
-        time = Time.new().strftime("%Y-%m-%dT%H:%M:%S")
+        if request_doc.nil?
+          request_doc = XMLSecurity::Document.new
+          request_doc.uuid = uuid
+        end
 
-        request_doc = REXML::Document.new
         root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
-        root.attributes['ID'] = @uuid
+        root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
 
@@ -57,8 +114,6 @@ module OneLogin
           name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           name_id.text = settings.name_identifier_value
-        else
-          raise ValidationError.new("Missing required name identifier")
         end
 
         if settings.sessionindex
@@ -81,6 +136,23 @@ module OneLogin
         end
         request_doc
       end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+      # Leave due compatibility
+      def create_unauth_xml_doc(settings, params)
+        request_doc = ReXML::Document.new
+        create_xml_document(settings, request_doc)
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,27 +1,52 @@
+require "xml_security"
+require "onelogin/ruby-saml/utils"
+
 module OneLogin
   module RubySaml
     class Settings
-      def initialize(overrides = {})
-        config = DEFAULTS.merge(overrides)
-        config.each do |k,v|
-          acc = "#{k.to_s}=".to_sym
-          self.send(acc, v) if self.respond_to? acc
-        end
+      def initialize(overrides = {}, keep_security_attributes = false)
+        if keep_security_attributes
+           security_attributes = overrides.delete(:security) || {}
+           config = DEFAULTS.merge(overrides)
+           config[:security] = DEFAULTS[:security].merge(security_attributes)
+         else
+           config = DEFAULTS.merge(overrides)
+         end
+
+         config.each do |k,v|
+           acc = "#{k.to_s}=".to_sym
+           if respond_to? acc
+             value = v.is_a?(Hash) ? v.dup : v
+             send(acc, value)
+           end
+         end
       end
-      attr_accessor :assertion_consumer_service_url, :sp_entity_id, :sp_name_qualifier
-      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
-      attr_accessor :authn_context
+
+      #idp data
+      attr_accessor :idp_sso_target_url
+      attr_accessor :idp_cert_fingerprint
+      attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
+      #sp data
+      attr_accessor :sp_entity_id
+      attr_accessor :assertion_consumer_service_url
+      attr_accessor :authn_context
+      attr_accessor :sp_name_qualifier
+      attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
       attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :compress_request
+      attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
       attr_accessor :force_authn
       attr_accessor :passive
       attr_accessor :protocol_binding
-
+      attr_accessor :certificate
+      attr_accessor :private_key
+      # Work-flow
+      attr_accessor :security
       # Compability
       attr_accessor :issuer
       attr_accessor :assertion_consumer_logout_service_url
@@ -92,14 +117,50 @@ module OneLogin
         @single_logout_service_binding = url
       end
 
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert
+        return nil if certificate.nil? || certificate.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert_new
+        return nil if certificate_new.nil? || certificate_new.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
+      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
+      #
+      def get_sp_key
+        return nil if private_key.nil? || private_key.empty?
+
+        formatted_private_key = OneLogin::RubySaml::Utils.format_private_key(private_key)
+        OpenSSL::PKey::RSA.new(formatted_private_key)
+      end
+
       private
 
       DEFAULTS = {
         :compress_request => true,
+        :compress_response => true,
         :double_quote_xml_attribute_values => false,
         :assertion_consumer_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
-        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze
-      }
+        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :security                                  => {
+          :authn_requests_signed      => false,
+          :logout_requests_signed     => false,
+          :logout_responses_signed    => false,
+          :embed_sign                 => false,
+          :digest_method              => XMLSecurity::Document::SHA1,
+          :signature_method           => XMLSecurity::Document::RSA_SHA1
+        }.freeze
+      }.freeze
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -0,0 +1,157 @@
+require "base64"
+require "zlib"
+require "cgi"
+require "onelogin/ruby-saml/utils"
+
+module OneLogin
+  module RubySaml
+
+    # SAML2 Logout Response (SLO SP initiated)
+    #
+    class SloLogoutresponse
+
+      # Logout Response ID
+      attr_reader :uuid
+
+      # Initializes the Logout Response. A SloLogoutresponse Object.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
+      # Creates the Logout Response string.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [String] Logout Request string that includes the SAMLRequest
+      #
+      def create(settings, request_id = nil, logout_message = nil, params = {})
+        params = create_params(settings, request_id, logout_message, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_response = CGI.escape(params.delete("SAMLResponse"))
+        response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
+        params.each_pair do |key, value|
+          response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+
+        @logout_url = settings.idp_slo_target_url + response_params
+      end
+
+      # Creates the Get parameters for the logout response.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        response = ""
+        response_doc.write(response)
+
+        Logging.debug "Created SLO Logout Response: #{response}"
+
+        response = Zlib::Deflate.deflate(response, 9)[2..-5] if settings.compress_response
+        if Base64.respond_to?('strict_encode64')
+          base64_response = Base64.strict_encode64(response)
+        else
+          base64_response = Base64.encode64(response).gsub(/\n/, "")
+        end
+        response_params = {"SAMLResponse" => base64_response}
+
+        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLResponse',
+            :data => base64_response,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
+
+        params.each_pair do |key, value|
+          response_params[key] = value.to_s
+        end
+
+        response_params
+      end
+
+      # Creates the SAMLResponse String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @return [String] The SAMLResponse String.
+      #
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
+        document = create_xml_document(settings, request_id, logout_message)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings, request_id = nil, logout_message = nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        response_doc = XMLSecurity::Document.new
+        response_doc.uuid = uuid
+
+        root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = '2.0'
+        root.attributes['InResponseTo'] = request_id unless request_id.nil?
+        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
+
+        if settings.sp_entity_id != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.sp_entity_id
+        end
+
+        # add success message
+        status = root.add_element 'samlp:Status'
+
+        # success status code
+        status_code = status.add_element 'samlp:StatusCode'
+        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+
+        # success status message
+        logout_message ||= 'Successfully Signed Out'
+        status_message = status.add_element 'samlp:StatusMessage'
+        status_message.text = logout_message
+
+        response_doc
+      end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+    end
+  end
+end