@aligent/cdk-header-change-detection 1.6.1 → 1.7.0

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# @aligent/cdk-header-change-detection
+
+## 1.7.0
+
+### Minor Changes
+
+- [#1512](https://github.com/aligent/cdk-constructs/pull/1512) [`a9a6231`](https://github.com/aligent/cdk-constructs/commit/a9a62319e4528ac2d23f3af96e96cb2427f242f8) Thanks [@TheOrangePuff](https://github.com/TheOrangePuff)! - Adds changeset package to handle release management

package/README.md

@@ -0,0 +1,65 @@
+# Aligent Header Change Detection Service
+
+## Overview
+
+Creates a Lambda function that periodically scans security headers and sends the results to SNS.
+
+### Diagram
+
+![diagram](docs/diagram.jpg)
+
+This service aims to comply with PCI DSS to cover the requirements outlined by section 11.6.1.
+
+**11.6.1**: A change- and tamper-detection mechanism is deployed as follows:
+
+> - To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.
+> - The mechanism is configured to evaluate the received HTTP headers and payment pages.
+> - The mechanism functions are performed as follows:
+>   - At least weekly
+>     OR
+>   - Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1)
+
+## Default config
+
+By default, the following headers are monitored:
+
+- Content-Security-Policy
+- Content-Security-Policy-Report-Only
+- Reporting-Endpoints
+- Strict-Transport-Security
+- X-Frame-Options
+- X-Content-Type-Options
+- Cross-Origin-Opener-Policy
+- Cross-Origin-Embedder-Policy
+- Cross-Origin-Resource-Policy
+- Referrer-Policy
+- Permission-Policy
+- Cache-Control
+
+## Usage
+
+To include this in your CDK stack, add the following:
+
+```typescript
+// Import required packages
+import { SnsTopic } from "aws-cdk-lib/aws-events-targets";
+import { Topic } from "aws-cdk-lib/aws-sns";
+import { HeaderChangeDetection } from "@aligent/cdk-header-change-detection";
+
+// Create a new SNS topic
+const topic = new Topic(this, "Topic");
+const snsTopic = new SnsTopic(topic);
+
+// Pass the required props
+new HeaderChangeDetection(this, "HeaderChangeDetection", { snsTopic });
+```
+
+## Local development
+
+[NPM link](https://docs.npmjs.com/cli/v7/commands/npm-link) can be used to develop the module locally.
+
+1. Pull this repository locally
+2. `cd` into this repository
+3. run `npm link`
+4. `cd` into the downstream repo (target project, etc) and run `npm link '@aligent/cdk-header-change-detection'`
+   The downstream repository should now include a symlink to this module. Allowing local changes to be tested before pushing. You may want to update the version notation of the package in the downstream repository's `package.json`.

package/index.ts

@@ -0,0 +1,6 @@
+import {
+  HeaderChangeDetection,
+  HeaderChangeDetectionProps,
+} from "./lib/header-change-detection";
+
+export { HeaderChangeDetection, HeaderChangeDetectionProps };

package/jest.config.ts

@@ -0,0 +1,11 @@
+/* eslint-disable */
+export default {
+  displayName: "header-change-detection",
+  preset: "../../jest.preset.js",
+  testEnvironment: "node",
+  transform: {
+    "^.+\\.[tj]s$": ["ts-jest", { tsconfig: "<rootDir>/tsconfig.spec.json" }],
+  },
+  moduleFileExtensions: ["ts", "js", "html"],
+  coverageDirectory: "../../coverage/packages/header-change-detection",
+};

package/lib/header-change-detection.ts

@@ -0,0 +1,133 @@
+import { DockerImage, Duration } from "aws-cdk-lib";
+import { AttributeType, BillingMode, Table } from "aws-cdk-lib/aws-dynamodb";
+import { Rule, RuleProps, Schedule } from "aws-cdk-lib/aws-events";
+import { LambdaFunction, SnsTopic } from "aws-cdk-lib/aws-events-targets";
+import { Architecture, Code, Function, Runtime } from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import { join } from "path";
+import { Esbuild } from "@aligent/cdk-esbuild";
+
+export interface HeaderChangeDetectionProps {
+  /**
+   * List of URLs to monitor for header changes
+   */
+  urls: string[];
+
+  /**
+   * Optional list of additional headers to monitor
+   *
+   * @default []
+   */
+  additionalHeaders?: string[];
+
+  /**
+   * Optionally disable all the default headers
+   *
+   * @default false
+   */
+  disableDefaults?: boolean;
+
+  /**
+   * SNS Topic to send change detection notifications to
+   */
+  snsTopic: SnsTopic;
+
+  /**
+   * The schedule for performing the header check
+   *
+   * @default Schedule.rate(Duration.hours(1))
+   */
+  schedule?: Schedule;
+
+  /**
+   * Optionally pass any rule properties
+   */
+  ruleProps?: Partial<RuleProps>;
+
+  /**
+   * Optionally accept HTTP status codes other than 200
+   *
+   * @default ["200"]
+   */
+  acceptedHttpStatus?: string[];
+
+  /**
+   * For extended Lambda timeout. Default: 10 seconds
+   */
+  lambdaTimeout?: Duration;
+}
+
+const command = [
+  "sh",
+  "-c",
+  'echo "Docker build not supported. Please install esbuild."',
+];
+
+const defaultHeaders = [
+  "content-security-policy",
+  "content-security-policy-report-only",
+  "reporting-endpoints",
+  "strict-transport-security",
+  "x-frame-options",
+  "x-content-type-options",
+  "cross-origin-opener-policy",
+  "cross-origin-embedder-policy",
+  "cross-origin-resource-policy",
+  "referrer-policy",
+  "permission-policy",
+  "cache-control",
+];
+
+export class HeaderChangeDetection extends Construct {
+  constructor(scope: Construct, id: string, props: HeaderChangeDetectionProps) {
+    super(scope, id);
+
+    const headers = props.disableDefaults ? [] : defaultHeaders;
+
+    headers.push(
+      ...(props.additionalHeaders?.map(header => header.toLowerCase()) || [])
+    );
+
+    const table = new Table(this, "Table", {
+      partitionKey: {
+        name: "Url",
+        type: AttributeType.STRING,
+      },
+      billingMode: BillingMode.PAY_PER_REQUEST,
+    });
+
+    const schedule = new Rule(this, "EventRule", {
+      schedule: props.schedule || Schedule.rate(Duration.hours(1)),
+      ...props.ruleProps,
+    });
+
+    const lambda = new Function(this, "HeaderCheck", {
+      architecture: Architecture.X86_64,
+      runtime: Runtime.NODEJS_22_X,
+      handler: "header-check.handler",
+      timeout: props.lambdaTimeout || Duration.seconds(10),
+      code: Code.fromAsset(join(__dirname, "lambda"), {
+        bundling: {
+          command,
+          image: DockerImage.fromRegistry("busybox"),
+          local: new Esbuild({
+            entryPoints: [join(__dirname, "lambda/header-check.ts")],
+          }),
+        },
+      }),
+      environment: {
+        URLS: props.urls.join(","),
+        HEADERS: headers.join(","),
+        TABLE: table.tableName,
+        TOPIC_ARN: props.snsTopic.topic.topicArn,
+        ACCEPTED_HTTP_STATUS: (props.acceptedHttpStatus || ["200"]).join(","),
+      },
+    });
+
+    schedule.addTarget(new LambdaFunction(lambda));
+
+    table.grantWriteData(lambda);
+    table.grantReadData(lambda);
+    props.snsTopic.topic.grantPublish(lambda);
+  }
+}

package/package.json

@@ -1,35 +1,39 @@
 {
   "name": "@aligent/cdk-header-change-detection",
+  "version": "1.7.0",
   "main": "index.js",
   "license": "MIT",
-  "homepage": "https://github.com/aligent/cdk-constructs/packages/header-change-detection-stack#readme",
+  "homepage": "https://github.com/aligent/aws-cdk-constructs/tree/main/packages/header-change-detection#readme",
   "repository": {
     "type": "git",
-    "url": "https://github.com/aligent/aws-cdk-header-change-detection-stack"
+    "url": "git+https://github.com/aligent/aws-cdk-constructs.git"
+  },
+  "bugs": {
+    "url": "https://github.com/aligent/aws-cdk-constructs/issues"
   },
   "types": "index.d.ts",
   "scripts": {
-    "build": "tsc"
+    "build": "tsc",
+    "test": "npx nx test header-change-detection",
+    "lint": "npx nx lint header-change-detection"
   },
   "devDependencies": {
     "@types/jest": "^29.5.10",
     "@types/node": "^20.6.3",
-    "aws-cdk": "^2.113.0",
+    "aws-cdk": "^2.1019.1",
     "jest": "^29.7.0",
     "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",
     "typescript": "^5.3.2"
   },
   "dependencies": {
-    "@aws-sdk/client-dynamodb": "^3.726.1",
-    "@aws-sdk/client-sns": "3.732.0",
+    "@aws-sdk/client-dynamodb": "^3.830.0",
+    "@aws-sdk/client-sns": "3.830.0",
     "axios": "^1.8.3",
     "source-map-support": "^0.5.21"
   },
   "peerDependencies": {
     "aws-cdk-lib": "^2.168.0",
     "constructs": "^10.4.2"
-  },
-  "type": "commonjs",
-  "version": "1.6.1"
-}
+  }
+}

package/project.json

@@ -0,0 +1,45 @@
+{
+  "name": "header-change-detection",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "packages/header-change-detection/lib",
+  "projectType": "application",
+  "targets": {
+    "build": {
+      "executor": "@nx/js:tsc",
+      "options": {
+        "main": "packages/header-change-detection/index.ts",
+        "outputPath": "dist/header-change-detection",
+        "tsConfig": "packages/header-change-detection/tsconfig.app.json",
+        "assets": [
+          "packages/header-change-detection/lib/lambda/**",
+          "packages/header-change-detection/README.md",
+          "packages/header-change-detection/docs/**"
+        ]
+      },
+      "dependsOn": ["merge-gitignore"]
+    },
+    "lint": {
+      "executor": "@nx/eslint:lint",
+      "outputs": ["{options.outputFile}"]
+    },
+    "test": {
+      "executor": "@nx/jest:jest",
+      "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
+      "options": {
+        "jestConfig": "packages/header-change-detection/jest.config.ts",
+        "passWithNoTests": true
+      }
+    },
+    "publish": {
+      "command": "node tools/scripts/publish.mjs header-change-detection {args.ver} {args.tag}",
+      "dependsOn": ["build"]
+    },
+    "merge-gitignore": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "node tools/scripts/merge-gitignore.mjs header-change-detection"
+      }
+    }
+  },
+  "tags": []
+}

package/tsconfig.app.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../../dist/out-tsc",
+    "module": "commonjs",
+    "types": ["node"]
+  },
+  "exclude": ["./jest.config.ts", "lib/lambda/**/*.ts"],
+  "include": ["lib/**/*.ts", "index.ts"]
+}

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "files": [],
+  "include": [],
+  "references": [
+    {
+      "path": "./tsconfig.app.json"
+    },
+    {
+      "path": "./tsconfig.spec.json"
+    }
+  ],
+  "compilerOptions": {
+    "esModuleInterop": true
+  }
+}

package/tsconfig.spec.json

@@ -0,0 +1,8 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../../dist/out-tsc",
+    "module": "commonjs",
+    "types": ["jest", "node"]
+  }
+}

package/index.d.ts

@@ -1,2 +0,0 @@
-import { HeaderChangeDetection, HeaderChangeDetectionProps } from "./lib/header-change-detection";
-export { HeaderChangeDetection, HeaderChangeDetectionProps };

package/index.js

@@ -1,6 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.HeaderChangeDetection = void 0;
-const header_change_detection_1 = require("./lib/header-change-detection");
-Object.defineProperty(exports, "HeaderChangeDetection", { enumerable: true, get: function () { return header_change_detection_1.HeaderChangeDetection; } });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9wYWNrYWdlcy9oZWFkZXItY2hhbmdlLWRldGVjdGlvbi9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwyRUFHdUM7QUFFOUIsc0dBSlAsK0NBQXFCLE9BSU8iLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQge1xuICBIZWFkZXJDaGFuZ2VEZXRlY3Rpb24sXG4gIEhlYWRlckNoYW5nZURldGVjdGlvblByb3BzLFxufSBmcm9tIFwiLi9saWIvaGVhZGVyLWNoYW5nZS1kZXRlY3Rpb25cIjtcblxuZXhwb3J0IHsgSGVhZGVyQ2hhbmdlRGV0ZWN0aW9uLCBIZWFkZXJDaGFuZ2VEZXRlY3Rpb25Qcm9wcyB9O1xuIl19

package/lib/header-change-detection.d.ts

@@ -1,49 +0,0 @@
-import { Duration } from "aws-cdk-lib";
-import { RuleProps, Schedule } from "aws-cdk-lib/aws-events";
-import { SnsTopic } from "aws-cdk-lib/aws-events-targets";
-import { Construct } from "constructs";
-export interface HeaderChangeDetectionProps {
-    /**
-     * List of URLs to monitor for header changes
-     */
-    urls: string[];
-    /**
-     * Optional list of additional headers to monitor
-     *
-     * @default []
-     */
-    additionalHeaders?: string[];
-    /**
-     * Optionally disable all the default headers
-     *
-     * @default false
-     */
-    disableDefaults?: boolean;
-    /**
-     * SNS Topic to send change detection notifications to
-     */
-    snsTopic: SnsTopic;
-    /**
-     * The schedule for performing the header check
-     *
-     * @default Schedule.rate(Duration.hours(1))
-     */
-    schedule?: Schedule;
-    /**
-     * Optionally pass any rule properties
-     */
-    ruleProps?: Partial<RuleProps>;
-    /**
-     * Optionally accept HTTP status codes other than 200
-     *
-     * @default ["200"]
-     */
-    acceptedHttpStatus?: string[];
-    /**
-     * For extended Lambda timeout. Default: 10 seconds
-     */
-    lambdaTimeout?: Duration;
-}
-export declare class HeaderChangeDetection extends Construct {
-    constructor(scope: Construct, id: string, props: HeaderChangeDetectionProps);
-}

package/lib/header-change-detection.js

@@ -1,77 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.HeaderChangeDetection = void 0;
-const aws_cdk_lib_1 = require("aws-cdk-lib");
-const aws_dynamodb_1 = require("aws-cdk-lib/aws-dynamodb");
-const aws_events_1 = require("aws-cdk-lib/aws-events");
-const aws_events_targets_1 = require("aws-cdk-lib/aws-events-targets");
-const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
-const constructs_1 = require("constructs");
-const path_1 = require("path");
-const cdk_esbuild_1 = require("@aligent/cdk-esbuild");
-const command = [
-    "sh",
-    "-c",
-    'echo "Docker build not supported. Please install esbuild."',
-];
-const defaultHeaders = [
-    "content-security-policy",
-    "content-security-policy-report-only",
-    "reporting-endpoints",
-    "strict-transport-security",
-    "x-frame-options",
-    "x-content-type-options",
-    "cross-origin-opener-policy",
-    "cross-origin-embedder-policy",
-    "cross-origin-resource-policy",
-    "referrer-policy",
-    "permission-policy",
-    "cache-control",
-];
-class HeaderChangeDetection extends constructs_1.Construct {
-    constructor(scope, id, props) {
-        var _a;
-        super(scope, id);
-        const headers = props.disableDefaults ? [] : defaultHeaders;
-        headers.push(...(((_a = props.additionalHeaders) === null || _a === void 0 ? void 0 : _a.map(header => header.toLowerCase())) || []));
-        const table = new aws_dynamodb_1.Table(this, "Table", {
-            partitionKey: {
-                name: "Url",
-                type: aws_dynamodb_1.AttributeType.STRING,
-            },
-            billingMode: aws_dynamodb_1.BillingMode.PAY_PER_REQUEST,
-        });
-        const schedule = new aws_events_1.Rule(this, "EventRule", {
-            schedule: props.schedule || aws_events_1.Schedule.rate(aws_cdk_lib_1.Duration.hours(1)),
-            ...props.ruleProps,
-        });
-        const lambda = new aws_lambda_1.Function(this, "HeaderCheck", {
-            architecture: aws_lambda_1.Architecture.X86_64,
-            runtime: aws_lambda_1.Runtime.NODEJS_22_X,
-            handler: "header-check.handler",
-            timeout: props.lambdaTimeout || aws_cdk_lib_1.Duration.seconds(10),
-            code: aws_lambda_1.Code.fromAsset((0, path_1.join)(__dirname, "lambda"), {
-                bundling: {
-                    command,
-                    image: aws_cdk_lib_1.DockerImage.fromRegistry("busybox"),
-                    local: new cdk_esbuild_1.Esbuild({
-                        entryPoints: [(0, path_1.join)(__dirname, "lambda/header-check.ts")],
-                    }),
-                },
-            }),
-            environment: {
-                URLS: props.urls.join(","),
-                HEADERS: headers.join(","),
-                TABLE: table.tableName,
-                TOPIC_ARN: props.snsTopic.topic.topicArn,
-                ACCEPTED_HTTP_STATUS: (props.acceptedHttpStatus || ["200"]).join(","),
-            },
-        });
-        schedule.addTarget(new aws_events_targets_1.LambdaFunction(lambda));
-        table.grantWriteData(lambda);
-        table.grantReadData(lambda);
-        props.snsTopic.topic.grantPublish(lambda);
-    }
-}
-exports.HeaderChangeDetection = HeaderChangeDetection;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGVhZGVyLWNoYW5nZS1kZXRlY3Rpb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9wYWNrYWdlcy9oZWFkZXItY2hhbmdlLWRldGVjdGlvbi9saWIvaGVhZGVyLWNoYW5nZS1kZXRlY3Rpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsNkNBQW9EO0FBQ3BELDJEQUE2RTtBQUM3RSx1REFBbUU7QUFDbkUsdUVBQTBFO0FBQzFFLHVEQUErRTtBQUMvRSwyQ0FBdUM7QUFDdkMsK0JBQTRCO0FBQzVCLHNEQUErQztBQW9EL0MsTUFBTSxPQUFPLEdBQUc7SUFDZCxJQUFJO0lBQ0osSUFBSTtJQUNKLDREQUE0RDtDQUM3RCxDQUFDO0FBRUYsTUFBTSxjQUFjLEdBQUc7SUFDckIseUJBQXlCO0lBQ3pCLHFDQUFxQztJQUNyQyxxQkFBcUI7SUFDckIsMkJBQTJCO0lBQzNCLGlCQUFpQjtJQUNqQix3QkFBd0I7SUFDeEIsNEJBQTRCO0lBQzVCLDhCQUE4QjtJQUM5Qiw4QkFBOEI7SUFDOUIsaUJBQWlCO0lBQ2pCLG1CQUFtQjtJQUNuQixlQUFlO0NBQ2hCLENBQUM7QUFFRixNQUFhLHFCQUFzQixTQUFRLHNCQUFTO0lBQ2xELFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBaUM7O1FBQ3pFLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFakIsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxjQUFjLENBQUM7UUFFNUQsT0FBTyxDQUFDLElBQUksQ0FDVixHQUFHLENBQUMsQ0FBQSxNQUFBLEtBQUssQ0FBQyxpQkFBaUIsMENBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDLEtBQUksRUFBRSxDQUFDLENBQ3hFLENBQUM7UUFFRixNQUFNLEtBQUssR0FBRyxJQUFJLG9CQUFLLENBQUMsSUFBSSxFQUFFLE9BQU8sRUFBRTtZQUNyQyxZQUFZLEVBQUU7Z0JBQ1osSUFBSSxFQUFFLEtBQUs7Z0JBQ1gsSUFBSSxFQUFFLDRCQUFhLENBQUMsTUFBTTthQUMzQjtZQUNELFdBQVcsRUFBRSwwQkFBVyxDQUFDLGVBQWU7U0FDekMsQ0FBQyxDQUFDO1FBRUgsTUFBTSxRQUFRLEdBQUcsSUFBSSxpQkFBSSxDQUFDLElBQUksRUFBRSxXQUFXLEVBQUU7WUFDM0MsUUFBUSxFQUFFLEtBQUssQ0FBQyxRQUFRLElBQUkscUJBQVEsQ0FBQyxJQUFJLENBQUMsc0JBQVEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDNUQsR0FBRyxLQUFLLENBQUMsU0FBUztTQUNuQixDQUFDLENBQUM7UUFFSCxNQUFNLE1BQU0sR0FBRyxJQUFJLHFCQUFRLENBQUMsSUFBSSxFQUFFLGFBQWEsRUFBRTtZQUMvQyxZQUFZLEVBQUUseUJBQVksQ0FBQyxNQUFNO1lBQ2pDLE9BQU8sRUFBRSxvQkFBTyxDQUFDLFdBQVc7WUFDNUIsT0FBTyxFQUFFLHNCQUFzQjtZQUMvQixPQUFPLEVBQUUsS0FBSyxDQUFDLGFBQWEsSUFBSSxzQkFBUSxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDcEQsSUFBSSxFQUFFLGlCQUFJLENBQUMsU0FBUyxDQUFDLElBQUEsV0FBSSxFQUFDLFNBQVMsRUFBRSxRQUFRLENBQUMsRUFBRTtnQkFDOUMsUUFBUSxFQUFFO29CQUNSLE9BQU87b0JBQ1AsS0FBSyxFQUFFLHlCQUFXLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQztvQkFDMUMsS0FBSyxFQUFFLElBQUkscUJBQU8sQ0FBQzt3QkFDakIsV0FBVyxFQUFFLENBQUMsSUFBQSxXQUFJLEVBQUMsU0FBUyxFQUFFLHdCQUF3QixDQUFDLENBQUM7cUJBQ3pELENBQUM7aUJBQ0g7YUFDRixDQUFDO1lBQ0YsV0FBVyxFQUFFO2dCQUNYLElBQUksRUFBRSxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUM7Z0JBQzFCLE9BQU8sRUFBRSxPQUFPLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQztnQkFDMUIsS0FBSyxFQUFFLEtBQUssQ0FBQyxTQUFTO2dCQUN0QixTQUFTLEVBQUUsS0FBSyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUMsUUFBUTtnQkFDeEMsb0JBQW9CLEVBQUUsQ0FBQyxLQUFLLENBQUMsa0JBQWtCLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUM7YUFDdEU7U0FDRixDQUFDLENBQUM7UUFFSCxRQUFRLENBQUMsU0FBUyxDQUFDLElBQUksbUNBQWMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDO1FBRS9DLEtBQUssQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDN0IsS0FBSyxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUM1QixLQUFLLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxZQUFZLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDNUMsQ0FBQztDQUNGO0FBcERELHNEQW9EQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IERvY2tlckltYWdlLCBEdXJhdGlvbiB9IGZyb20gXCJhd3MtY2RrLWxpYlwiO1xuaW1wb3J0IHsgQXR0cmlidXRlVHlwZSwgQmlsbGluZ01vZGUsIFRhYmxlIH0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1keW5hbW9kYlwiO1xuaW1wb3J0IHsgUnVsZSwgUnVsZVByb3BzLCBTY2hlZHVsZSB9IGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtZXZlbnRzXCI7XG5pbXBvcnQgeyBMYW1iZGFGdW5jdGlvbiwgU25zVG9waWMgfSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWV2ZW50cy10YXJnZXRzXCI7XG5pbXBvcnQgeyBBcmNoaXRlY3R1cmUsIENvZGUsIEZ1bmN0aW9uLCBSdW50aW1lIH0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1sYW1iZGFcIjtcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCI7XG5pbXBvcnQgeyBqb2luIH0gZnJvbSBcInBhdGhcIjtcbmltcG9ydCB7IEVzYnVpbGQgfSBmcm9tIFwiQGFsaWdlbnQvY2RrLWVzYnVpbGRcIjtcblxuZXhwb3J0IGludGVyZmFjZSBIZWFkZXJDaGFuZ2VEZXRlY3Rpb25Qcm9wcyB7XG4gIC8qKlxuICAgKiBMaXN0IG9mIFVSTHMgdG8gbW9uaXRvciBmb3IgaGVhZGVyIGNoYW5nZXNcbiAgICovXG4gIHVybHM6IHN0cmluZ1tdO1xuXG4gIC8qKlxuICAgKiBPcHRpb25hbCBsaXN0IG9mIGFkZGl0aW9uYWwgaGVhZGVycyB0byBtb25pdG9yXG4gICAqXG4gICAqIEBkZWZhdWx0IFtdXG4gICAqL1xuICBhZGRpdGlvbmFsSGVhZGVycz86IHN0cmluZ1tdO1xuXG4gIC8qKlxuICAgKiBPcHRpb25hbGx5IGRpc2FibGUgYWxsIHRoZSBkZWZhdWx0IGhlYWRlcnNcbiAgICpcbiAgICogQGRlZmF1bHQgZmFsc2VcbiAgICovXG4gIGRpc2FibGVEZWZhdWx0cz86IGJvb2xlYW47XG5cbiAgLyoqXG4gICAqIFNOUyBUb3BpYyB0byBzZW5kIGNoYW5nZSBkZXRlY3Rpb24gbm90aWZpY2F0aW9ucyB0b1xuICAgKi9cbiAgc25zVG9waWM6IFNuc1RvcGljO1xuXG4gIC8qKlxuICAgKiBUaGUgc2NoZWR1bGUgZm9yIHBlcmZvcm1pbmcgdGhlIGhlYWRlciBjaGVja1xuICAgKlxuICAgKiBAZGVmYXVsdCBTY2hlZHVsZS5yYXRlKER1cmF0aW9uLmhvdXJzKDEpKVxuICAgKi9cbiAgc2NoZWR1bGU/OiBTY2hlZHVsZTtcblxuICAvKipcbiAgICogT3B0aW9uYWxseSBwYXNzIGFueSBydWxlIHByb3BlcnRpZXNcbiAgICovXG4gIHJ1bGVQcm9wcz86IFBhcnRpYWw8UnVsZVByb3BzPjtcblxuICAvKipcbiAgICogT3B0aW9uYWxseSBhY2NlcHQgSFRUUCBzdGF0dXMgY29kZXMgb3RoZXIgdGhhbiAyMDBcbiAgICpcbiAgICogQGRlZmF1bHQgW1wiMjAwXCJdXG4gICAqL1xuICBhY2NlcHRlZEh0dHBTdGF0dXM/OiBzdHJpbmdbXTtcblxuICAvKipcbiAgICogRm9yIGV4dGVuZGVkIExhbWJkYSB0aW1lb3V0LiBEZWZhdWx0OiAxMCBzZWNvbmRzXG4gICAqL1xuICBsYW1iZGFUaW1lb3V0PzogRHVyYXRpb247XG59XG5cbmNvbnN0IGNvbW1hbmQgPSBbXG4gIFwic2hcIixcbiAgXCItY1wiLFxuICAnZWNobyBcIkRvY2tlciBidWlsZCBub3Qgc3VwcG9ydGVkLiBQbGVhc2UgaW5zdGFsbCBlc2J1aWxkLlwiJyxcbl07XG5cbmNvbnN0IGRlZmF1bHRIZWFkZXJzID0gW1xuICBcImNvbnRlbnQtc2VjdXJpdHktcG9saWN5XCIsXG4gIFwiY29udGVudC1zZWN1cml0eS1wb2xpY3ktcmVwb3J0LW9ubHlcIixcbiAgXCJyZXBvcnRpbmctZW5kcG9pbnRzXCIsXG4gIFwic3RyaWN0LXRyYW5zcG9ydC1zZWN1cml0eVwiLFxuICBcIngtZnJhbWUtb3B0aW9uc1wiLFxuICBcIngtY29udGVudC10eXBlLW9wdGlvbnNcIixcbiAgXCJjcm9zcy1vcmlnaW4tb3BlbmVyLXBvbGljeVwiLFxuICBcImNyb3NzLW9yaWdpbi1lbWJlZGRlci1wb2xpY3lcIixcbiAgXCJjcm9zcy1vcmlnaW4tcmVzb3VyY2UtcG9saWN5XCIsXG4gIFwicmVmZXJyZXItcG9saWN5XCIsXG4gIFwicGVybWlzc2lvbi1wb2xpY3lcIixcbiAgXCJjYWNoZS1jb250cm9sXCIsXG5dO1xuXG5leHBvcnQgY2xhc3MgSGVhZGVyQ2hhbmdlRGV0ZWN0aW9uIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IEhlYWRlckNoYW5nZURldGVjdGlvblByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIGNvbnN0IGhlYWRlcnMgPSBwcm9wcy5kaXNhYmxlRGVmYXVsdHMgPyBbXSA6IGRlZmF1bHRIZWFkZXJzO1xuXG4gICAgaGVhZGVycy5wdXNoKFxuICAgICAgLi4uKHByb3BzLmFkZGl0aW9uYWxIZWFkZXJzPy5tYXAoaGVhZGVyID0+IGhlYWRlci50b0xvd2VyQ2FzZSgpKSB8fCBbXSlcbiAgICApO1xuXG4gICAgY29uc3QgdGFibGUgPSBuZXcgVGFibGUodGhpcywgXCJUYWJsZVwiLCB7XG4gICAgICBwYXJ0aXRpb25LZXk6IHtcbiAgICAgICAgbmFtZTogXCJVcmxcIixcbiAgICAgICAgdHlwZTogQXR0cmlidXRlVHlwZS5TVFJJTkcsXG4gICAgICB9LFxuICAgICAgYmlsbGluZ01vZGU6IEJpbGxpbmdNb2RlLlBBWV9QRVJfUkVRVUVTVCxcbiAgICB9KTtcblxuICAgIGNvbnN0IHNjaGVkdWxlID0gbmV3IFJ1bGUodGhpcywgXCJFdmVudFJ1bGVcIiwge1xuICAgICAgc2NoZWR1bGU6IHByb3BzLnNjaGVkdWxlIHx8IFNjaGVkdWxlLnJhdGUoRHVyYXRpb24uaG91cnMoMSkpLFxuICAgICAgLi4ucHJvcHMucnVsZVByb3BzLFxuICAgIH0pO1xuXG4gICAgY29uc3QgbGFtYmRhID0gbmV3IEZ1bmN0aW9uKHRoaXMsIFwiSGVhZGVyQ2hlY2tcIiwge1xuICAgICAgYXJjaGl0ZWN0dXJlOiBBcmNoaXRlY3R1cmUuWDg2XzY0LFxuICAgICAgcnVudGltZTogUnVudGltZS5OT0RFSlNfMjJfWCxcbiAgICAgIGhhbmRsZXI6IFwiaGVhZGVyLWNoZWNrLmhhbmRsZXJcIixcbiAgICAgIHRpbWVvdXQ6IHByb3BzLmxhbWJkYVRpbWVvdXQgfHwgRHVyYXRpb24uc2Vjb25kcygxMCksXG4gICAgICBjb2RlOiBDb2RlLmZyb21Bc3NldChqb2luKF9fZGlybmFtZSwgXCJsYW1iZGFcIiksIHtcbiAgICAgICAgYnVuZGxpbmc6IHtcbiAgICAgICAgICBjb21tYW5kLFxuICAgICAgICAgIGltYWdlOiBEb2NrZXJJbWFnZS5mcm9tUmVnaXN0cnkoXCJidXN5Ym94XCIpLFxuICAgICAgICAgIGxvY2FsOiBuZXcgRXNidWlsZCh7XG4gICAgICAgICAgICBlbnRyeVBvaW50czogW2pvaW4oX19kaXJuYW1lLCBcImxhbWJkYS9oZWFkZXItY2hlY2sudHNcIildLFxuICAgICAgICAgIH0pLFxuICAgICAgICB9LFxuICAgICAgfSksXG4gICAgICBlbnZpcm9ubWVudDoge1xuICAgICAgICBVUkxTOiBwcm9wcy51cmxzLmpvaW4oXCIsXCIpLFxuICAgICAgICBIRUFERVJTOiBoZWFkZXJzLmpvaW4oXCIsXCIpLFxuICAgICAgICBUQUJMRTogdGFibGUudGFibGVOYW1lLFxuICAgICAgICBUT1BJQ19BUk46IHByb3BzLnNuc1RvcGljLnRvcGljLnRvcGljQXJuLFxuICAgICAgICBBQ0NFUFRFRF9IVFRQX1NUQVRVUzogKHByb3BzLmFjY2VwdGVkSHR0cFN0YXR1cyB8fCBbXCIyMDBcIl0pLmpvaW4oXCIsXCIpLFxuICAgICAgfSxcbiAgICB9KTtcblxuICAgIHNjaGVkdWxlLmFkZFRhcmdldChuZXcgTGFtYmRhRnVuY3Rpb24obGFtYmRhKSk7XG5cbiAgICB0YWJsZS5ncmFudFdyaXRlRGF0YShsYW1iZGEpO1xuICAgIHRhYmxlLmdyYW50UmVhZERhdGEobGFtYmRhKTtcbiAgICBwcm9wcy5zbnNUb3BpYy50b3BpYy5ncmFudFB1Ymxpc2gobGFtYmRhKTtcbiAgfVxufVxuIl19