@backstage-community/plugin-rbac-backend 5.2.3

package/dist/role-manager/ancestor-search-memo.cjs.js

@@ -0,0 +1,159 @@
+'use strict';
+
+var graphlib = require('@dagrejs/graphlib');
+
+class AncestorSearchMemo {
+  graph;
+  catalogApi;
+  catalogDBClient;
+  auth;
+  userEntityRef;
+  maxDepth;
+  constructor(userEntityRef, catalogApi, catalogDBClient, auth, maxDepth) {
+    this.graph = new graphlib.Graph({ directed: true });
+    this.userEntityRef = userEntityRef;
+    this.catalogApi = catalogApi;
+    this.catalogDBClient = catalogDBClient;
+    this.auth = auth;
+    this.maxDepth = maxDepth;
+  }
+  isAcyclic() {
+    return graphlib.alg.isAcyclic(this.graph);
+  }
+  findCycles() {
+    return graphlib.alg.findCycles(this.graph);
+  }
+  setEdge(parentEntityRef, childEntityRef) {
+    this.graph.setEdge(parentEntityRef, childEntityRef);
+  }
+  setNode(entityRef) {
+    this.graph.setNode(entityRef);
+  }
+  hasEntityRef(groupRef) {
+    return this.graph.hasNode(groupRef);
+  }
+  debugNodesAndEdges(logger, userEntity) {
+    logger.debug(
+      `SubGraph edges: ${JSON.stringify(this.graph.edges())} for ${userEntity}`
+    );
+    logger.debug(
+      `SubGraph nodes: ${JSON.stringify(this.graph.nodes())} for ${userEntity}`
+    );
+  }
+  getNodes() {
+    return this.graph.nodes();
+  }
+  async doesRelationTableExist() {
+    try {
+      return await this.catalogDBClient.schema.hasTable("relations");
+    } catch (error) {
+      return false;
+    }
+  }
+  async getAllGroups() {
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const { items } = await this.catalogApi.getEntities(
+      {
+        filter: { kind: "Group" },
+        fields: ["metadata.name", "metadata.namespace", "spec.parent"]
+      },
+      { token }
+    );
+    return items;
+  }
+  async getAllRelations() {
+    try {
+      const rows = await this.catalogDBClient("relations").select("source_entity_ref", "target_entity_ref").where("type", "childOf");
+      return rows;
+    } catch (error) {
+      return [];
+    }
+  }
+  async getUserGroups() {
+    const { token } = await this.auth.getPluginRequestToken({
+      onBehalfOf: await this.auth.getOwnServiceCredentials(),
+      targetPluginId: "catalog"
+    });
+    const { items } = await this.catalogApi.getEntities(
+      {
+        filter: { kind: "Group", "relations.hasMember": this.userEntityRef },
+        fields: ["metadata.name", "metadata.namespace", "spec.parent"]
+      },
+      { token }
+    );
+    return items;
+  }
+  async getUserRelations() {
+    try {
+      const rows = await this.catalogDBClient("relations").select("source_entity_ref", "target_entity_ref").where({ type: "memberOf", source_entity_ref: this.userEntityRef });
+      return rows;
+    } catch (error) {
+      return [];
+    }
+  }
+  traverseGroups(memo, group, allGroups, current_depth) {
+    const groupName = `group:${group.metadata.namespace?.toLocaleLowerCase(
+      "en-US"
+    )}/${group.metadata.name.toLocaleLowerCase("en-US")}`;
+    if (!memo.hasEntityRef(groupName)) {
+      memo.setNode(groupName);
+    }
+    if (this.maxDepth !== void 0 && current_depth >= this.maxDepth) {
+      return;
+    }
+    const depth = current_depth + 1;
+    const parent = group.spec?.parent;
+    const parentGroup = allGroups.find((g) => g.metadata.name === parent);
+    if (parentGroup) {
+      const parentName = `group:${group.metadata.namespace?.toLocaleLowerCase(
+        "en-US"
+      )}/${parentGroup.metadata.name.toLocaleLowerCase("en-US")}`;
+      memo.setEdge(parentName, groupName);
+      if (memo.isAcyclic()) {
+        this.traverseGroups(memo, parentGroup, allGroups, depth);
+      }
+    }
+  }
+  traverseRelations(memo, relation, allRelations, current_depth) {
+    if (this.maxDepth !== void 0 && current_depth >= this.maxDepth + 1) {
+      return;
+    }
+    const depth = current_depth + 1;
+    if (!memo.hasEntityRef(relation.source_entity_ref)) {
+      memo.setNode(relation.source_entity_ref);
+    }
+    memo.setEdge(relation.target_entity_ref, relation.source_entity_ref);
+    const parentGroup = allRelations.find(
+      (g) => g.source_entity_ref === relation.target_entity_ref
+    );
+    if (parentGroup && memo.isAcyclic()) {
+      this.traverseRelations(memo, parentGroup, allRelations, depth);
+    }
+  }
+  async buildUserGraph(memo) {
+    if (await this.doesRelationTableExist()) {
+      const userRelations = await this.getUserRelations();
+      const allRelations = await this.getAllRelations();
+      userRelations.forEach(
+        (group) => this.traverseRelations(
+          memo,
+          group,
+          allRelations,
+          0
+        )
+      );
+    } else {
+      const userGroups = await this.getUserGroups();
+      const allGroups = await this.getAllGroups();
+      userGroups.forEach(
+        (group) => this.traverseGroups(memo, group, allGroups, 0)
+      );
+    }
+  }
+}
+
+exports.AncestorSearchMemo = AncestorSearchMemo;
+//# sourceMappingURL=ancestor-search-memo.cjs.js.map

package/dist/role-manager/ancestor-search-memo.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ancestor-search-memo.cjs.js","sources":["../../src/role-manager/ancestor-search-memo.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport type { Entity } from '@backstage/catalog-model';\n\nimport { alg, Graph } from '@dagrejs/graphlib';\nimport { Knex } from 'knex';\n\nexport interface Relation {\n  source_entity_ref: string;\n  target_entity_ref: string;\n}\n\nexport type ASMGroup = Relation | Entity;\n\n// AncestorSearchMemo - should be used to build group hierarchy graph for User entity reference.\n// It supports search group entity reference link in the graph.\n// Also AncestorSearchMemo supports detection cycle dependencies between groups in the graph.\n//\nexport class AncestorSearchMemo {\n  private graph: Graph;\n\n  private catalogApi: CatalogApi;\n  private catalogDBClient: Knex;\n  private auth: AuthService;\n\n  private userEntityRef: string;\n  private maxDepth?: number;\n\n  constructor(\n    userEntityRef: string,\n    catalogApi: CatalogApi,\n    catalogDBClient: Knex,\n    auth: AuthService,\n    maxDepth?: number,\n  ) {\n    this.graph = new Graph({ directed: true });\n    this.userEntityRef = userEntityRef;\n    this.catalogApi = catalogApi;\n    this.catalogDBClient = catalogDBClient;\n    this.auth = auth;\n    this.maxDepth = maxDepth;\n  }\n\n  isAcyclic(): boolean {\n    return alg.isAcyclic(this.graph);\n  }\n\n  findCycles(): string[][] {\n    return alg.findCycles(this.graph);\n  }\n\n  setEdge(parentEntityRef: string, childEntityRef: string) {\n    this.graph.setEdge(parentEntityRef, childEntityRef);\n  }\n\n  setNode(entityRef: string): void {\n    this.graph.setNode(entityRef);\n  }\n\n  hasEntityRef(groupRef: string): boolean {\n    return this.graph.hasNode(groupRef);\n  }\n\n  debugNodesAndEdges(logger: LoggerService, userEntity: string): void {\n    logger.debug(\n      `SubGraph edges: ${JSON.stringify(this.graph.edges())} for ${userEntity}`,\n    );\n    logger.debug(\n      `SubGraph nodes: ${JSON.stringify(this.graph.nodes())} for ${userEntity}`,\n    );\n  }\n\n  getNodes(): string[] {\n    return this.graph.nodes();\n  }\n\n  async doesRelationTableExist(): Promise<boolean> {\n    try {\n      return await this.catalogDBClient.schema.hasTable('relations');\n    } catch (error) {\n      return false;\n    }\n  }\n\n  async getAllGroups(): Promise<ASMGroup[]> {\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n\n    const { items } = await this.catalogApi.getEntities(\n      {\n        filter: { kind: 'Group' },\n        fields: ['metadata.name', 'metadata.namespace', 'spec.parent'],\n      },\n      { token },\n    );\n    return items;\n  }\n\n  async getAllRelations(): Promise<ASMGroup[]> {\n    try {\n      const rows = await this.catalogDBClient('relations')\n        .select('source_entity_ref', 'target_entity_ref')\n        .where('type', 'childOf');\n      return rows;\n    } catch (error) {\n      return [];\n    }\n  }\n\n  async getUserGroups(): Promise<ASMGroup[]> {\n    const { token } = await this.auth.getPluginRequestToken({\n      onBehalfOf: await this.auth.getOwnServiceCredentials(),\n      targetPluginId: 'catalog',\n    });\n    const { items } = await this.catalogApi.getEntities(\n      {\n        filter: { kind: 'Group', 'relations.hasMember': this.userEntityRef },\n        fields: ['metadata.name', 'metadata.namespace', 'spec.parent'],\n      },\n      { token },\n    );\n    return items;\n  }\n\n  async getUserRelations(): Promise<ASMGroup[]> {\n    try {\n      const rows = await this.catalogDBClient('relations')\n        .select('source_entity_ref', 'target_entity_ref')\n        .where({ type: 'memberOf', source_entity_ref: this.userEntityRef });\n      return rows;\n    } catch (error) {\n      return [];\n    }\n  }\n\n  traverseGroups(\n    memo: AncestorSearchMemo,\n    group: Entity,\n    allGroups: Entity[],\n    current_depth: number,\n  ) {\n    const groupName = `group:${group.metadata.namespace?.toLocaleLowerCase(\n      'en-US',\n    )}/${group.metadata.name.toLocaleLowerCase('en-US')}`;\n    if (!memo.hasEntityRef(groupName)) {\n      memo.setNode(groupName);\n    }\n\n    if (this.maxDepth !== undefined && current_depth >= this.maxDepth) {\n      return;\n    }\n    const depth = current_depth + 1;\n\n    const parent = group.spec?.parent as string;\n    const parentGroup = allGroups.find(g => g.metadata.name === parent);\n\n    if (parentGroup) {\n      const parentName = `group:${group.metadata.namespace?.toLocaleLowerCase(\n        'en-US',\n      )}/${parentGroup.metadata.name.toLocaleLowerCase('en-US')}`;\n      memo.setEdge(parentName, groupName);\n\n      if (memo.isAcyclic()) {\n        this.traverseGroups(memo, parentGroup, allGroups, depth);\n      }\n    }\n  }\n\n  traverseRelations(\n    memo: AncestorSearchMemo,\n    relation: Relation,\n    allRelations: Relation[],\n    current_depth: number,\n  ) {\n    // We add one to the maxDepth here because the user is considered the starting node\n    if (this.maxDepth !== undefined && current_depth >= this.maxDepth + 1) {\n      return;\n    }\n    const depth = current_depth + 1;\n\n    if (!memo.hasEntityRef(relation.source_entity_ref)) {\n      memo.setNode(relation.source_entity_ref);\n    }\n\n    memo.setEdge(relation.target_entity_ref, relation.source_entity_ref);\n\n    const parentGroup = allRelations.find(\n      g => g.source_entity_ref === relation.target_entity_ref,\n    );\n\n    if (parentGroup && memo.isAcyclic()) {\n      this.traverseRelations(memo, parentGroup, allRelations, depth);\n    }\n  }\n\n  async buildUserGraph(memo: AncestorSearchMemo) {\n    if (await this.doesRelationTableExist()) {\n      const userRelations = await this.getUserRelations();\n      const allRelations = await this.getAllRelations();\n      userRelations.forEach(group =>\n        this.traverseRelations(\n          memo,\n          group as Relation,\n          allRelations as Relation[],\n          0,\n        ),\n      );\n    } else {\n      const userGroups = await this.getUserGroups();\n      const allGroups = await this.getAllGroups();\n      userGroups.forEach(group =>\n        this.traverseGroups(memo, group as Entity, allGroups as Entity[], 0),\n      );\n    }\n  }\n}\n"],"names":["Graph","alg"],"mappings":";;;;AAiCO,MAAM,kBAAmB,CAAA;AAAA,EACtB,KAAA,CAAA;AAAA,EAEA,UAAA,CAAA;AAAA,EACA,eAAA,CAAA;AAAA,EACA,IAAA,CAAA;AAAA,EAEA,aAAA,CAAA;AAAA,EACA,QAAA,CAAA;AAAA,EAER,WACE,CAAA,aAAA,EACA,UACA,EAAA,eAAA,EACA,MACA,QACA,EAAA;AACA,IAAA,IAAA,CAAK,QAAQ,IAAIA,cAAA,CAAM,EAAE,QAAA,EAAU,MAAM,CAAA,CAAA;AACzC,IAAA,IAAA,CAAK,aAAgB,GAAA,aAAA,CAAA;AACrB,IAAA,IAAA,CAAK,UAAa,GAAA,UAAA,CAAA;AAClB,IAAA,IAAA,CAAK,eAAkB,GAAA,eAAA,CAAA;AACvB,IAAA,IAAA,CAAK,IAAO,GAAA,IAAA,CAAA;AACZ,IAAA,IAAA,CAAK,QAAW,GAAA,QAAA,CAAA;AAAA,GAClB;AAAA,EAEA,SAAqB,GAAA;AACnB,IAAO,OAAAC,YAAA,CAAI,SAAU,CAAA,IAAA,CAAK,KAAK,CAAA,CAAA;AAAA,GACjC;AAAA,EAEA,UAAyB,GAAA;AACvB,IAAO,OAAAA,YAAA,CAAI,UAAW,CAAA,IAAA,CAAK,KAAK,CAAA,CAAA;AAAA,GAClC;AAAA,EAEA,OAAA,CAAQ,iBAAyB,cAAwB,EAAA;AACvD,IAAK,IAAA,CAAA,KAAA,CAAM,OAAQ,CAAA,eAAA,EAAiB,cAAc,CAAA,CAAA;AAAA,GACpD;AAAA,EAEA,QAAQ,SAAyB,EAAA;AAC/B,IAAK,IAAA,CAAA,KAAA,CAAM,QAAQ,SAAS,CAAA,CAAA;AAAA,GAC9B;AAAA,EAEA,aAAa,QAA2B,EAAA;AACtC,IAAO,OAAA,IAAA,CAAK,KAAM,CAAA,OAAA,CAAQ,QAAQ,CAAA,CAAA;AAAA,GACpC;AAAA,EAEA,kBAAA,CAAmB,QAAuB,UAA0B,EAAA;AAClE,IAAO,MAAA,CAAA,KAAA;AAAA,MACL,CAAA,gBAAA,EAAmB,KAAK,SAAU,CAAA,IAAA,CAAK,MAAM,KAAM,EAAC,CAAC,CAAA,KAAA,EAAQ,UAAU,CAAA,CAAA;AAAA,KACzE,CAAA;AACA,IAAO,MAAA,CAAA,KAAA;AAAA,MACL,CAAA,gBAAA,EAAmB,KAAK,SAAU,CAAA,IAAA,CAAK,MAAM,KAAM,EAAC,CAAC,CAAA,KAAA,EAAQ,UAAU,CAAA,CAAA;AAAA,KACzE,CAAA;AAAA,GACF;AAAA,EAEA,QAAqB,GAAA;AACnB,IAAO,OAAA,IAAA,CAAK,MAAM,KAAM,EAAA,CAAA;AAAA,GAC1B;AAAA,EAEA,MAAM,sBAA2C,GAAA;AAC/C,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,eAAgB,CAAA,MAAA,CAAO,SAAS,WAAW,CAAA,CAAA;AAAA,aACtD,KAAO,EAAA;AACd,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAAA,GACF;AAAA,EAEA,MAAM,YAAoC,GAAA;AACxC,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA,SAAA;AAAA,KACjB,CAAA,CAAA;AAED,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,UAAW,CAAA,WAAA;AAAA,MACtC;AAAA,QACE,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAQ,EAAA;AAAA,QACxB,MAAQ,EAAA,CAAC,eAAiB,EAAA,oBAAA,EAAsB,aAAa,CAAA;AAAA,OAC/D;AAAA,MACA,EAAE,KAAM,EAAA;AAAA,KACV,CAAA;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,eAAuC,GAAA;AAC3C,IAAI,IAAA;AACF,MAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,eAAA,CAAgB,WAAW,CAAA,CAChD,MAAO,CAAA,mBAAA,EAAqB,mBAAmB,CAAA,CAC/C,KAAM,CAAA,MAAA,EAAQ,SAAS,CAAA,CAAA;AAC1B,MAAO,OAAA,IAAA,CAAA;AAAA,aACA,KAAO,EAAA;AACd,MAAA,OAAO,EAAC,CAAA;AAAA,KACV;AAAA,GACF;AAAA,EAEA,MAAM,aAAqC,GAAA;AACzC,IAAA,MAAM,EAAE,KAAM,EAAA,GAAI,MAAM,IAAA,CAAK,KAAK,qBAAsB,CAAA;AAAA,MACtD,UAAY,EAAA,MAAM,IAAK,CAAA,IAAA,CAAK,wBAAyB,EAAA;AAAA,MACrD,cAAgB,EAAA,SAAA;AAAA,KACjB,CAAA,CAAA;AACD,IAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,UAAW,CAAA,WAAA;AAAA,MACtC;AAAA,QACE,QAAQ,EAAE,IAAA,EAAM,OAAS,EAAA,qBAAA,EAAuB,KAAK,aAAc,EAAA;AAAA,QACnE,MAAQ,EAAA,CAAC,eAAiB,EAAA,oBAAA,EAAsB,aAAa,CAAA;AAAA,OAC/D;AAAA,MACA,EAAE,KAAM,EAAA;AAAA,KACV,CAAA;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,gBAAwC,GAAA;AAC5C,IAAI,IAAA;AACF,MAAA,MAAM,OAAO,MAAM,IAAA,CAAK,eAAgB,CAAA,WAAW,EAChD,MAAO,CAAA,mBAAA,EAAqB,mBAAmB,CAAA,CAC/C,MAAM,EAAE,IAAA,EAAM,YAAY,iBAAmB,EAAA,IAAA,CAAK,eAAe,CAAA,CAAA;AACpE,MAAO,OAAA,IAAA,CAAA;AAAA,aACA,KAAO,EAAA;AACd,MAAA,OAAO,EAAC,CAAA;AAAA,KACV;AAAA,GACF;AAAA,EAEA,cACE,CAAA,IAAA,EACA,KACA,EAAA,SAAA,EACA,aACA,EAAA;AACA,IAAA,MAAM,SAAY,GAAA,CAAA,MAAA,EAAS,KAAM,CAAA,QAAA,CAAS,SAAW,EAAA,iBAAA;AAAA,MACnD,OAAA;AAAA,KACD,CAAI,CAAA,EAAA,KAAA,CAAM,SAAS,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAC,CAAA,CAAA,CAAA;AACnD,IAAA,IAAI,CAAC,IAAA,CAAK,YAAa,CAAA,SAAS,CAAG,EAAA;AACjC,MAAA,IAAA,CAAK,QAAQ,SAAS,CAAA,CAAA;AAAA,KACxB;AAEA,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,KAAa,CAAA,IAAA,aAAA,IAAiB,KAAK,QAAU,EAAA;AACjE,MAAA,OAAA;AAAA,KACF;AACA,IAAA,MAAM,QAAQ,aAAgB,GAAA,CAAA,CAAA;AAE9B,IAAM,MAAA,MAAA,GAAS,MAAM,IAAM,EAAA,MAAA,CAAA;AAC3B,IAAA,MAAM,cAAc,SAAU,CAAA,IAAA,CAAK,OAAK,CAAE,CAAA,QAAA,CAAS,SAAS,MAAM,CAAA,CAAA;AAElE,IAAA,IAAI,WAAa,EAAA;AACf,MAAA,MAAM,UAAa,GAAA,CAAA,MAAA,EAAS,KAAM,CAAA,QAAA,CAAS,SAAW,EAAA,iBAAA;AAAA,QACpD,OAAA;AAAA,OACD,CAAI,CAAA,EAAA,WAAA,CAAY,SAAS,IAAK,CAAA,iBAAA,CAAkB,OAAO,CAAC,CAAA,CAAA,CAAA;AACzD,MAAK,IAAA,CAAA,OAAA,CAAQ,YAAY,SAAS,CAAA,CAAA;AAElC,MAAI,IAAA,IAAA,CAAK,WAAa,EAAA;AACpB,QAAA,IAAA,CAAK,cAAe,CAAA,IAAA,EAAM,WAAa,EAAA,SAAA,EAAW,KAAK,CAAA,CAAA;AAAA,OACzD;AAAA,KACF;AAAA,GACF;AAAA,EAEA,iBACE,CAAA,IAAA,EACA,QACA,EAAA,YAAA,EACA,aACA,EAAA;AAEA,IAAA,IAAI,KAAK,QAAa,KAAA,KAAA,CAAA,IAAa,aAAiB,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrE,MAAA,OAAA;AAAA,KACF;AACA,IAAA,MAAM,QAAQ,aAAgB,GAAA,CAAA,CAAA;AAE9B,IAAA,IAAI,CAAC,IAAA,CAAK,YAAa,CAAA,QAAA,CAAS,iBAAiB,CAAG,EAAA;AAClD,MAAK,IAAA,CAAA,OAAA,CAAQ,SAAS,iBAAiB,CAAA,CAAA;AAAA,KACzC;AAEA,IAAA,IAAA,CAAK,OAAQ,CAAA,QAAA,CAAS,iBAAmB,EAAA,QAAA,CAAS,iBAAiB,CAAA,CAAA;AAEnE,IAAA,MAAM,cAAc,YAAa,CAAA,IAAA;AAAA,MAC/B,CAAA,CAAA,KAAK,CAAE,CAAA,iBAAA,KAAsB,QAAS,CAAA,iBAAA;AAAA,KACxC,CAAA;AAEA,IAAI,IAAA,WAAA,IAAe,IAAK,CAAA,SAAA,EAAa,EAAA;AACnC,MAAA,IAAA,CAAK,iBAAkB,CAAA,IAAA,EAAM,WAAa,EAAA,YAAA,EAAc,KAAK,CAAA,CAAA;AAAA,KAC/D;AAAA,GACF;AAAA,EAEA,MAAM,eAAe,IAA0B,EAAA;AAC7C,IAAI,IAAA,MAAM,IAAK,CAAA,sBAAA,EAA0B,EAAA;AACvC,MAAM,MAAA,aAAA,GAAgB,MAAM,IAAA,CAAK,gBAAiB,EAAA,CAAA;AAClD,MAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,eAAgB,EAAA,CAAA;AAChD,MAAc,aAAA,CAAA,OAAA;AAAA,QAAQ,WACpB,IAAK,CAAA,iBAAA;AAAA,UACH,IAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA,UACA,CAAA;AAAA,SACF;AAAA,OACF,CAAA;AAAA,KACK,MAAA;AACL,MAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,aAAc,EAAA,CAAA;AAC5C,MAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,YAAa,EAAA,CAAA;AAC1C,MAAW,UAAA,CAAA,OAAA;AAAA,QAAQ,WACjB,IAAK,CAAA,cAAA,CAAe,IAAM,EAAA,KAAA,EAAiB,WAAuB,CAAC,CAAA;AAAA,OACrE,CAAA;AAAA,KACF;AAAA,GACF;AACF;;;;"}

package/dist/role-manager/member-list.cjs.js

@@ -0,0 +1,101 @@
+'use strict';
+
+class RoleMemberList {
+  name;
+  members;
+  roles;
+  constructor(name) {
+    this.name = name;
+    this.members = [];
+    this.roles = [];
+  }
+  /**
+   * addMembers will add members to the RoleMemberList
+   * @param members The members to be added.
+   */
+  addMembers(members) {
+    this.members = members;
+  }
+  /**
+   * addMember will add a single member to the RoleMemberList, skips adding the user in the
+   * event that they already exist in the members array.
+   * @param member The member to be added.
+   */
+  addMember(member) {
+    if (this.members.some((n) => n === member)) {
+      return;
+    }
+    this.members.push(member);
+  }
+  /**
+   * hasMember will check if a particular member exists in the members array.
+   * @param name The member to be checked for.
+   */
+  hasMember(name) {
+    return this.members.includes(name);
+  }
+  /**
+   * deleteMember will remove a user from the members array.
+   * @param member The member to be removed.
+   */
+  deleteMember(member) {
+    this.members = this.members.filter((n) => n !== member);
+  }
+  /**
+   * buildMembers will query the `casbin_rule` database table to ensure that the role
+   * that we have cached is up to date.
+   * This is important in multi node scenarios where the cached roles in role manager can become
+   * out of sync with the database.
+   * @param roleMemberList The RoleMemberList to be updated.
+   * @param client The database client.
+   */
+  async buildMembers(roleMemberList, client) {
+    try {
+      const members = await client.table("casbin_rule").where("v1", this.name).pluck("v0").distinct();
+      roleMemberList.addMembers(members);
+    } catch (error) {
+      throw new Error(
+        `Unable to find members for the role ${this.name}. Cause: ${error}`
+      );
+    }
+  }
+  /**
+   * getMembers will return the members of the RoleMemberList
+   * @returns The members.
+   */
+  getMembers() {
+    return this.members;
+  }
+  /**
+   * addRoles will add roles to the RoleMemberList
+   * @param roles The roles to be added.
+   */
+  addRoles(roles) {
+    this.roles = roles;
+  }
+  /**
+   * buildRoles will query the `casbin_rule` database table to quickly grab all of the
+   * roles that a particular user is attached to.
+   * @param roleMemberList The RoleMemberList to be updated.
+   * @param userAndGroups The user and groups to query with.
+   * @param client The database client.
+   */
+  async buildRoles(roleMemberList, userAndGroups, client) {
+    try {
+      const roles = await client.table("casbin_rule").whereIn("v0", userAndGroups).pluck("v1").distinct();
+      roleMemberList.addRoles(roles);
+    } catch (error) {
+      throw new Error(`Unable to find all roles. Cause: ${error}`);
+    }
+  }
+  /**
+   * getRoles will return the roles of the RoleMemberList.
+   * @returns The roles.
+   */
+  getRoles() {
+    return this.roles;
+  }
+}
+
+exports.RoleMemberList = RoleMemberList;
+//# sourceMappingURL=member-list.cjs.js.map

package/dist/role-manager/member-list.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"member-list.cjs.js","sources":["../../src/role-manager/member-list.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { Knex } from 'knex';\n\nexport class RoleMemberList {\n  public name: string;\n\n  private members: string[];\n  private roles: string[];\n\n  public constructor(name: string) {\n    this.name = name;\n    this.members = [];\n    this.roles = [];\n  }\n\n  /**\n   * addMembers will add members to the RoleMemberList\n   * @param members The members to be added.\n   */\n  public addMembers(members: string[]): void {\n    this.members = members;\n  }\n\n  /**\n   * addMember will add a single member to the RoleMemberList, skips adding the user in the\n   * event that they already exist in the members array.\n   * @param member The member to be added.\n   */\n  public addMember(member: string): void {\n    if (this.members.some(n => n === member)) {\n      return;\n    }\n    this.members.push(member);\n  }\n\n  /**\n   * hasMember will check if a particular member exists in the members array.\n   * @param name The member to be checked for.\n   */\n  public hasMember(name: string): boolean {\n    return this.members.includes(name);\n  }\n\n  /**\n   * deleteMember will remove a user from the members array.\n   * @param member The member to be removed.\n   */\n  public deleteMember(member: string): void {\n    this.members = this.members.filter(n => n !== member);\n  }\n\n  /**\n   * buildMembers will query the `casbin_rule` database table to ensure that the role\n   * that we have cached is up to date.\n   * This is important in multi node scenarios where the cached roles in role manager can become\n   * out of sync with the database.\n   * @param roleMemberList The RoleMemberList to be updated.\n   * @param client The database client.\n   */\n  public async buildMembers(\n    roleMemberList: RoleMemberList,\n    client: Knex,\n  ): Promise<void> {\n    try {\n      const members: string[] = await client\n        .table('casbin_rule')\n        .where('v1', this.name)\n        .pluck('v0')\n        .distinct();\n\n      roleMemberList.addMembers(members);\n    } catch (error) {\n      throw new Error(\n        `Unable to find members for the role ${this.name}. Cause: ${error}`,\n      );\n    }\n  }\n\n  /**\n   * getMembers will return the members of the RoleMemberList\n   * @returns The members.\n   */\n  getMembers(): string[] {\n    return this.members;\n  }\n\n  /**\n   * addRoles will add roles to the RoleMemberList\n   * @param roles The roles to be added.\n   */\n  public addRoles(roles: string[]): void {\n    this.roles = roles;\n  }\n\n  /**\n   * buildRoles will query the `casbin_rule` database table to quickly grab all of the\n   * roles that a particular user is attached to.\n   * @param roleMemberList The RoleMemberList to be updated.\n   * @param userAndGroups The user and groups to query with.\n   * @param client The database client.\n   */\n  public async buildRoles(\n    roleMemberList: RoleMemberList,\n    userAndGroups: string[],\n    client: Knex,\n  ): Promise<void> {\n    try {\n      const roles: string[] = await client\n        .table('casbin_rule')\n        .whereIn('v0', userAndGroups)\n        .pluck('v1')\n        .distinct();\n\n      roleMemberList.addRoles(roles);\n    } catch (error) {\n      throw new Error(`Unable to find all roles. Cause: ${error}`);\n    }\n  }\n\n  /**\n   * getRoles will return the roles of the RoleMemberList.\n   * @returns The roles.\n   */\n  getRoles(): string[] {\n    return this.roles;\n  }\n}\n"],"names":[],"mappings":";;AAiBO,MAAM,cAAe,CAAA;AAAA,EACnB,IAAA,CAAA;AAAA,EAEC,OAAA,CAAA;AAAA,EACA,KAAA,CAAA;AAAA,EAED,YAAY,IAAc,EAAA;AAC/B,IAAA,IAAA,CAAK,IAAO,GAAA,IAAA,CAAA;AACZ,IAAA,IAAA,CAAK,UAAU,EAAC,CAAA;AAChB,IAAA,IAAA,CAAK,QAAQ,EAAC,CAAA;AAAA,GAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMO,WAAW,OAAyB,EAAA;AACzC,IAAA,IAAA,CAAK,OAAU,GAAA,OAAA,CAAA;AAAA,GACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOO,UAAU,MAAsB,EAAA;AACrC,IAAA,IAAI,KAAK,OAAQ,CAAA,IAAA,CAAK,CAAK,CAAA,KAAA,CAAA,KAAM,MAAM,CAAG,EAAA;AACxC,MAAA,OAAA;AAAA,KACF;AACA,IAAK,IAAA,CAAA,OAAA,CAAQ,KAAK,MAAM,CAAA,CAAA;AAAA,GAC1B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMO,UAAU,IAAuB,EAAA;AACtC,IAAO,OAAA,IAAA,CAAK,OAAQ,CAAA,QAAA,CAAS,IAAI,CAAA,CAAA;AAAA,GACnC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMO,aAAa,MAAsB,EAAA;AACxC,IAAA,IAAA,CAAK,UAAU,IAAK,CAAA,OAAA,CAAQ,MAAO,CAAA,CAAA,CAAA,KAAK,MAAM,MAAM,CAAA,CAAA;AAAA,GACtD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAa,YACX,CAAA,cAAA,EACA,MACe,EAAA;AACf,IAAI,IAAA;AACF,MAAA,MAAM,OAAoB,GAAA,MAAM,MAC7B,CAAA,KAAA,CAAM,aAAa,CACnB,CAAA,KAAA,CAAM,IAAM,EAAA,IAAA,CAAK,IAAI,CAAA,CACrB,KAAM,CAAA,IAAI,EACV,QAAS,EAAA,CAAA;AAEZ,MAAA,cAAA,CAAe,WAAW,OAAO,CAAA,CAAA;AAAA,aAC1B,KAAO,EAAA;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAuC,oCAAA,EAAA,IAAA,CAAK,IAAI,CAAA,SAAA,EAAY,KAAK,CAAA,CAAA;AAAA,OACnE,CAAA;AAAA,KACF;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAuB,GAAA;AACrB,IAAA,OAAO,IAAK,CAAA,OAAA,CAAA;AAAA,GACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMO,SAAS,KAAuB,EAAA;AACrC,IAAA,IAAA,CAAK,KAAQ,GAAA,KAAA,CAAA;AAAA,GACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAa,UAAA,CACX,cACA,EAAA,aAAA,EACA,MACe,EAAA;AACf,IAAI,IAAA;AACF,MAAA,MAAM,KAAkB,GAAA,MAAM,MAC3B,CAAA,KAAA,CAAM,aAAa,CAAA,CACnB,OAAQ,CAAA,IAAA,EAAM,aAAa,CAAA,CAC3B,KAAM,CAAA,IAAI,EACV,QAAS,EAAA,CAAA;AAEZ,MAAA,cAAA,CAAe,SAAS,KAAK,CAAA,CAAA;AAAA,aACtB,KAAO,EAAA;AACd,MAAA,MAAM,IAAI,KAAA,CAAM,CAAoC,iCAAA,EAAA,KAAK,CAAE,CAAA,CAAA,CAAA;AAAA,KAC7D;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAqB,GAAA;AACnB,IAAA,OAAO,IAAK,CAAA,KAAA,CAAA;AAAA,GACd;AACF;;;;"}

package/dist/role-manager/role-manager.cjs.js

@@ -0,0 +1,281 @@
+'use strict';
+
+var catalogModel = require('@backstage/catalog-model');
+var ancestorSearchMemo = require('./ancestor-search-memo.cjs.js');
+var memberList = require('./member-list.cjs.js');
+
+class BackstageRoleManager {
+  constructor(catalogApi, logger, catalogDBClient, rbacDBClient, config, auth) {
+    this.catalogApi = catalogApi;
+    this.logger = logger;
+    this.catalogDBClient = catalogDBClient;
+    this.rbacDBClient = rbacDBClient;
+    this.config = config;
+    this.auth = auth;
+    this.allRoles = /* @__PURE__ */ new Map();
+    const rbacConfig = this.config.getOptionalConfig("permission.rbac");
+    this.maxDepth = rbacConfig?.getOptionalNumber("maxDepth");
+    if (this.maxDepth !== void 0 && this.maxDepth < 0) {
+      throw new Error(
+        "Max Depth for RBAC group hierarchy must be greater than or equal to zero"
+      );
+    }
+  }
+  allRoles;
+  maxDepth;
+  /**
+   * clear clears all stored data and resets the role manager to the initial state.
+   */
+  async clear() {
+  }
+  /**
+   * addLink adds the inheritance link between name1 and role: name2.
+   * aka name1 inherits role: name2.
+   * The link that is established is based on the defined grouping policies that are added by the enforcer.
+   *
+   * ex. `g, name1, name2`.
+   * @param name1 User or group that will be assigned to a role.
+   * @param name2 The role that will be created or updated.
+   * @param _domain Unimplemented prefix to the role.
+   */
+  async addLink(name1, name2, ..._domain) {
+    if (!this.isPGClient()) {
+      const role1 = this.getOrCreateRole(name2);
+      role1.addMember(name1);
+    }
+  }
+  /**
+   * deleteLink deletes the inheritance link between name1 and role: name2.
+   * aka name1 does not inherit role: name2 any more.
+   * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.
+   *
+   * ex. `g, name1, name2`.
+   * @param name1 User or group that will be removed from assignment of a role.
+   * @param name2 The role that will be deleted or updated.
+   * @param _domain Unimplemented.
+   */
+  async deleteLink(name1, name2, ..._domain) {
+    if (!this.isPGClient()) {
+      const role1 = this.getOrCreateRole(name2);
+      role1.deleteMember(name1);
+      if (role1.getMembers().length === 0) {
+        this.allRoles.delete(name2);
+      }
+    }
+  }
+  /**
+   * hasLink determines whether name1 inherits role: name2.
+   * During this check we build the group hierarchy graph to determine if the particular user is directly or indirectly
+   * attached to the role that we are receiving.
+   * In the event that there is a postgres database connection, we will attempt to query the roles from the database.
+   * Otherwise we will use the cached allRoles to determine if there is a link.
+   * @param name1 The user that we are authorizing.
+   * @param name2 The name of the role that we are checking against.
+   * @param domain Unimplemented.
+   * @returns True if the user is directly or indirectly attached to the role.
+   */
+  async hasLink(name1, name2, ...domain) {
+    let currentRole;
+    if (domain.length > 0) {
+      throw new Error("domain argument is not supported.");
+    }
+    if (name2.length === 0) {
+      return false;
+    }
+    if (name1 === name2) {
+      return true;
+    }
+    if (this.isPGClient()) {
+      currentRole = new memberList.RoleMemberList(name2);
+      await currentRole.buildMembers(currentRole, this.rbacDBClient);
+    } else {
+      currentRole = this.allRoles.get(name2);
+    }
+    const directDeclaration = await this.checkForUserToRole(
+      name1,
+      name2,
+      currentRole
+    );
+    if (directDeclaration) {
+      return true;
+    }
+    const { kind } = catalogModel.parseEntityRef(name2);
+    if (kind.toLocaleLowerCase() === "user") {
+      return false;
+    }
+    const memo = new ancestorSearchMemo.AncestorSearchMemo(
+      name1,
+      this.catalogApi,
+      this.catalogDBClient,
+      this.auth,
+      this.maxDepth
+    );
+    await memo.buildUserGraph(memo);
+    memo.debugNodesAndEdges(this.logger, name1);
+    if (!memo.isAcyclic()) {
+      const cycles = memo.findCycles();
+      this.logger.warn(
+        `Detected cycle dependencies in the Group graph: ${JSON.stringify(
+          cycles
+        )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(
+          cycles
+        )}`
+      );
+      return false;
+    }
+    if (this.parseEntityKind(name2) === "role" && this.hasMember(currentRole, memo)) {
+      return true;
+    }
+    return memo.hasEntityRef(name2);
+  }
+  /**
+   * syncedHasLink determines whether role: name1 inherits role: name2.
+   * domain is a prefix to the roles.
+   */
+  syncedHasLink(_name1, _name2, ..._domain) {
+    throw new Error('Method "syncedHasLink" not implemented.');
+  }
+  /**
+   * getRoles gets the roles that a subject inherits.
+   *
+   * name - is a string entity reference, for example: user:default/tom, role:default/dev,
+   * so format is <kind>:<namespace>/<entity-name>.
+   * GetRoles method supports only two kind values: 'user' and 'role'.
+   *
+   * domain - is a prefix to the roles, unused parameter.
+   *
+   * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.
+   * if name's kind === 'role' we return empty array, because we don't support role inheritance.
+   * Case kind === 'group' - should not happen, because:
+   * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this
+   * method again to ask about name with kind "group".
+   * 2) We implemented getRoles method only to use:
+   * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',
+   * so name argument can be only with kind 'user' or 'role'.
+   *
+   * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',
+   * then casbin engine executes 'getRoles' method few times.
+   * Firstly casbin asks about roles for 'userEntityRef'.
+   * Let's imagine, that 'getRoles' returned two roles for userEntityRef.
+   * Then casbin calls 'getRoles' two more times to
+   * find parent roles. But we return empty array for each such call,
+   * because we don't support role inheritance and we notify casbin about end of the role sub-tree.
+   */
+  async getRoles(name, ..._domain) {
+    const { kind } = catalogModel.parseEntityRef(name);
+    if (kind === "user") {
+      const memo = new ancestorSearchMemo.AncestorSearchMemo(
+        name,
+        this.catalogApi,
+        this.catalogDBClient,
+        this.auth,
+        this.maxDepth
+      );
+      await memo.buildUserGraph(memo);
+      memo.debugNodesAndEdges(this.logger, name);
+      if (this.isPGClient()) {
+        const currentRole = new memberList.RoleMemberList(name);
+        await currentRole.buildRoles(
+          currentRole,
+          memo.getNodes(),
+          this.rbacDBClient
+        );
+        return Promise.resolve(currentRole.getRoles());
+      }
+      const allRoles = [];
+      memo.setNode(name);
+      for (const value of this.allRoles.values()) {
+        if (this.hasMember(value, memo)) {
+          allRoles.push(value.name);
+        }
+      }
+      return Promise.resolve(allRoles);
+    }
+    return [];
+  }
+  /**
+   * getUsers gets the users that inherits a subject.
+   * domain is an unreferenced parameter here, may be used in other implementations.
+   */
+  async getUsers(_name, ..._domain) {
+    throw new Error('Method "getUsers" not implemented.');
+  }
+  /**
+   * printRoles prints all the roles to log.
+   */
+  async printRoles() {
+  }
+  /**
+   * getOrCreateRole will get a role if it has already been cached
+   * or it will create a new role to be cached.
+   * This cache is a simple tree that is used to quickly compare
+   * users and groups to roles.
+   * @param name The user or group whose cache we will be getting / creating.
+   * @returns The cached role as a RoleList.
+   */
+  getOrCreateRole(name) {
+    const role = this.allRoles.get(name);
+    if (role) {
+      return role;
+    }
+    const newRole = new memberList.RoleMemberList(name);
+    this.allRoles.set(name, newRole);
+    return newRole;
+  }
+  // parse the entity to find out if it is a user / group / or role
+  parseEntityKind(name) {
+    const parsed = name.split(":");
+    return parsed[0];
+  }
+  /**
+   * isPGClient checks what the current database client is at them time.
+   * This is to ensure that we are querying the database in the event of postgres
+   * or using in memory cache for better sqlite3.
+   * @returns True if the database client is pg.
+   */
+  isPGClient() {
+    const client = this.rbacDBClient.client.config.client;
+    return client === "pg";
+  }
+  /**
+   * checkForUserToRole checks if there exists a direct declaration of a user to a role. Used to exit out of
+   * hasLink faster in the event to reduce the time it would take to build the user graph.
+   * @param name1 The user that we are checking for.
+   * @param name2 The role that we are checking for.
+   * @returns True if there is a user that is directly attached to a particular role.
+   */
+  async checkForUserToRole(name1, name2, currentRole) {
+    const tempRole = this.getOrCreateRole(name2);
+    if (this.parseEntityKind(name2) === "role" && tempRole.hasMember(name1)) {
+      return true;
+    }
+    if (tempRole.getMembers().length === 0) {
+      this.allRoles.delete(name2);
+    }
+    if (currentRole && currentRole.hasMember(name1)) {
+      return true;
+    }
+    return void 0;
+  }
+  /**
+   * hasMember checks if the members from a particular role is associated with the user
+   * that the AncestorSearchMemo graph is built for.
+   * @param role The role that we are getting the members from.
+   * @param memo The user graph that we are comparing members with.
+   * @returns True if a member from the role is also associated with the user.
+   */
+  hasMember(role, memo) {
+    if (role === void 0) {
+      return false;
+    }
+    for (const member of role.getMembers()) {
+      if (memo.hasEntityRef(member)) {
+        return true;
+      }
+    }
+    return false;
+  }
+}
+
+exports.BackstageRoleManager = BackstageRoleManager;
+//# sourceMappingURL=role-manager.cjs.js.map

package/dist/role-manager/role-manager.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\n\nexport class BackstageRoleManager implements RoleManager {\n  private allRoles: Map<string, RoleMemberList>;\n  private maxDepth?: number;\n  constructor(\n    private readonly catalogApi: CatalogApi,\n    private readonly logger: LoggerService,\n    private readonly catalogDBClient: Knex,\n    private readonly rbacDBClient: Knex,\n    private readonly config: Config,\n    private readonly auth: AuthService,\n  ) {\n    this.allRoles = new Map<string, RoleMemberList>();\n    const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n    this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n    if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n      throw new Error(\n        'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n      );\n    }\n  }\n\n  /**\n   * clear clears all stored data and resets the role manager to the initial state.\n   */\n  async clear(): Promise<void> {\n    // do nothing\n  }\n\n  /**\n   * addLink adds the inheritance link between name1 and role: name2.\n   * aka name1 inherits role: name2.\n   * The link that is established is based on the defined grouping policies that are added by the enforcer.\n   *\n   * ex. `g, name1, name2`.\n   * @param name1 User or group that will be assigned to a role.\n   * @param name2 The role that will be created or updated.\n   * @param _domain Unimplemented prefix to the role.\n   */\n  async addLink(\n    name1: string,\n    name2: string,\n    ..._domain: string[]\n  ): Promise<void> {\n    if (!this.isPGClient()) {\n      const role1 = this.getOrCreateRole(name2);\n      role1.addMember(name1);\n    }\n  }\n\n  /**\n   * deleteLink deletes the inheritance link between name1 and role: name2.\n   * aka name1 does not inherit role: name2 any more.\n   * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n   *\n   * ex. `g, name1, name2`.\n   * @param name1 User or group that will be removed from assignment of a role.\n   * @param name2 The role that will be deleted or updated.\n   * @param _domain Unimplemented.\n   */\n  async deleteLink(\n    name1: string,\n    name2: string,\n    ..._domain: string[]\n  ): Promise<void> {\n    if (!this.isPGClient()) {\n      const role1 = this.getOrCreateRole(name2);\n      role1.deleteMember(name1);\n\n      // Clean up in the event that there are no more members in the role\n      if (role1.getMembers().length === 0) {\n        this.allRoles.delete(name2);\n      }\n    }\n  }\n\n  /**\n   * hasLink determines whether name1 inherits role: name2.\n   * During this check we build the group hierarchy graph to determine if the particular user is directly or indirectly\n   * attached to the role that we are receiving.\n   * In the event that there is a postgres database connection, we will attempt to query the roles from the database.\n   * Otherwise we will use the cached allRoles to determine if there is a link.\n   * @param name1 The user that we are authorizing.\n   * @param name2 The name of the role that we are checking against.\n   * @param domain Unimplemented.\n   * @returns True if the user is directly or indirectly attached to the role.\n   */\n  async hasLink(\n    name1: string,\n    name2: string,\n    ...domain: string[]\n  ): Promise<boolean> {\n    let currentRole: RoleMemberList;\n    if (domain.length > 0) {\n      throw new Error('domain argument is not supported.');\n    }\n\n    // Name2 can be an empty string in the event that there is not a role associated with the user\n    // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n    if (name2.length === 0) {\n      return false;\n    }\n\n    if (name1 === name2) {\n      return true;\n    }\n\n    if (this.isPGClient()) {\n      currentRole = new RoleMemberList(name2);\n      await currentRole.buildMembers(currentRole, this.rbacDBClient);\n    } else {\n      currentRole = this.allRoles.get(name2)!;\n    }\n\n    // Check for direct declaration of user to role\n    const directDeclaration = await this.checkForUserToRole(\n      name1,\n      name2,\n      currentRole,\n    );\n    if (directDeclaration) {\n      return true;\n    }\n\n    // name1 is always user in our case.\n    // name2 is user or group.\n    // user(name1) couldn't inherit user(name2).\n    // We can use this fact for optimization.\n    const { kind } = parseEntityRef(name2);\n    if (kind.toLocaleLowerCase() === 'user') {\n      return false;\n    }\n\n    const memo = new AncestorSearchMemo(\n      name1,\n      this.catalogApi,\n      this.catalogDBClient,\n      this.auth,\n      this.maxDepth,\n    );\n    await memo.buildUserGraph(memo);\n\n    memo.debugNodesAndEdges(this.logger, name1);\n    if (!memo.isAcyclic()) {\n      const cycles = memo.findCycles();\n\n      this.logger.warn(\n        `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n          cycles,\n        )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n          cycles,\n        )}`,\n      );\n\n      return false;\n    }\n\n    if (\n      this.parseEntityKind(name2) === 'role' &&\n      this.hasMember(currentRole, memo)\n    ) {\n      return true;\n    }\n    return memo.hasEntityRef(name2);\n  }\n\n  /**\n   * syncedHasLink determines whether role: name1 inherits role: name2.\n   * domain is a prefix to the roles.\n   */\n  syncedHasLink?(\n    _name1: string,\n    _name2: string,\n    ..._domain: string[]\n  ): boolean {\n    throw new Error('Method \"syncedHasLink\" not implemented.');\n  }\n\n  /**\n   * getRoles gets the roles that a subject inherits.\n   *\n   * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n   * so format is <kind>:<namespace>/<entity-name>.\n   * GetRoles method supports only two kind values: 'user' and 'role'.\n   *\n   * domain - is a prefix to the roles, unused parameter.\n   *\n   * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n   * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n   * Case kind === 'group' - should not happen, because:\n   * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n   * method again to ask about name with kind \"group\".\n   * 2) We implemented getRoles method only to use:\n   * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n   * so name argument can be only with kind 'user' or 'role'.\n   *\n   * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n   * then casbin engine executes 'getRoles' method few times.\n   * Firstly casbin asks about roles for 'userEntityRef'.\n   * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n   * Then casbin calls 'getRoles' two more times to\n   * find parent roles. But we return empty array for each such call,\n   * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n   */\n  async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n    const { kind } = parseEntityRef(name);\n    if (kind === 'user') {\n      const memo = new AncestorSearchMemo(\n        name,\n        this.catalogApi,\n        this.catalogDBClient,\n        this.auth,\n        this.maxDepth,\n      );\n      await memo.buildUserGraph(memo);\n      memo.debugNodesAndEdges(this.logger, name);\n\n      if (this.isPGClient()) {\n        const currentRole = new RoleMemberList(name);\n        await currentRole.buildRoles(\n          currentRole,\n          memo.getNodes(),\n          this.rbacDBClient,\n        );\n        return Promise.resolve(currentRole.getRoles());\n      }\n\n      const allRoles: string[] = [];\n      // Account for the user not being in the graph\n      memo.setNode(name);\n      for (const value of this.allRoles.values()) {\n        if (this.hasMember(value, memo)) {\n          allRoles.push(value.name);\n        }\n      }\n\n      return Promise.resolve(allRoles);\n    }\n\n    return [];\n  }\n\n  /**\n   * getUsers gets the users that inherits a subject.\n   * domain is an unreferenced parameter here, may be used in other implementations.\n   */\n  async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n    throw new Error('Method \"getUsers\" not implemented.');\n  }\n\n  /**\n   * printRoles prints all the roles to log.\n   */\n  async printRoles(): Promise<void> {\n    // do nothing\n  }\n\n  /**\n   * getOrCreateRole will get a role if it has already been cached\n   * or it will create a new role to be cached.\n   * This cache is a simple tree that is used to quickly compare\n   * users and groups to roles.\n   * @param name The user or group whose cache we will be getting / creating.\n   * @returns The cached role as a RoleList.\n   */\n  private getOrCreateRole(name: string): RoleMemberList {\n    const role = this.allRoles.get(name);\n    if (role) {\n      return role;\n    }\n    const newRole = new RoleMemberList(name);\n    this.allRoles.set(name, newRole);\n\n    return newRole;\n  }\n\n  // parse the entity to find out if it is a user / group / or role\n  private parseEntityKind(name: string): string {\n    const parsed = name.split(':');\n    return parsed[0];\n  }\n\n  /**\n   * isPGClient checks what the current database client is at them time.\n   * This is to ensure that we are querying the database in the event of postgres\n   * or using in memory cache for better sqlite3.\n   * @returns True if the database client is pg.\n   */\n  isPGClient(): boolean {\n    const client = this.rbacDBClient.client.config.client;\n    return client === 'pg';\n  }\n\n  /**\n   * checkForUserToRole checks if there exists a direct declaration of a user to a role. Used to exit out of\n   * hasLink faster in the event to reduce the time it would take to build the user graph.\n   * @param name1 The user that we are checking for.\n   * @param name2 The role that we are checking for.\n   * @returns True if there is a user that is directly attached to a particular role.\n   */\n  private async checkForUserToRole(\n    name1: string,\n    name2: string,\n    currentRole: RoleMemberList | undefined,\n  ): Promise<boolean | undefined> {\n    const tempRole = this.getOrCreateRole(name2);\n\n    // Immediately check if the our temporary role has a link with the role that we are comparing it to\n    if (this.parseEntityKind(name2) === 'role' && tempRole.hasMember(name1)) {\n      return true;\n    }\n\n    // Clean up the temp role\n    if (tempRole.getMembers().length === 0) {\n      this.allRoles.delete(name2);\n    }\n\n    if (currentRole && currentRole.hasMember(name1)) {\n      return true;\n    }\n\n    return undefined;\n  }\n\n  /**\n   * hasMember checks if the members from a particular role is associated with the user\n   * that the AncestorSearchMemo graph is built for.\n   * @param role The role that we are getting the members from.\n   * @param memo The user graph that we are comparing members with.\n   * @returns True if a member from the role is also associated with the user.\n   */\n  private hasMember(\n    role: RoleMemberList | undefined,\n    memo: AncestorSearchMemo,\n  ): boolean {\n    if (role === undefined) {\n      return false;\n    }\n\n    for (const member of role.getMembers()) {\n      if (memo.hasEntityRef(member)) {\n        return true;\n      }\n    }\n    return false;\n  }\n}\n"],"names":["RoleMemberList","parseEntityRef","AncestorSearchMemo"],"mappings":";;;;;;AA0BO,MAAM,oBAA4C,CAAA;AAAA,EAGvD,YACmB,UACA,EAAA,MAAA,EACA,eACA,EAAA,YAAA,EACA,QACA,IACjB,EAAA;AANiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA,CAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA,CAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA,CAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA,CAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA,CAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA,CAAA;AAEjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA,CAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA,CAAA;AACxD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,KAAa,CAAA,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,0EAAA;AAAA,OACF,CAAA;AAAA,KACF;AAAA,GACF;AAAA,EAlBQ,QAAA,CAAA;AAAA,EACA,QAAA,CAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,KAAuB,GAAA;AAAA,GAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA,CAAA;AAAA,KACvB;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA,CAAA;AAAA,OAC5B;AAAA,KACF;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,WAAA,CAAA;AACJ,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA,CAAA;AAAA,KACrD;AAIA,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAEA,IAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,MAAc,WAAA,GAAA,IAAIA,0BAAe,KAAK,CAAA,CAAA;AACtC,MAAA,MAAM,WAAY,CAAA,YAAA,CAAa,WAAa,EAAA,IAAA,CAAK,YAAY,CAAA,CAAA;AAAA,KACxD,MAAA;AACL,MAAc,WAAA,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,KAAK,CAAA,CAAA;AAAA,KACvC;AAGA,IAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,kBAAA;AAAA,MACnC,KAAA;AAAA,MACA,KAAA;AAAA,MACA,WAAA;AAAA,KACF,CAAA;AACA,IAAA,IAAI,iBAAmB,EAAA;AACrB,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAMA,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAC,2BAAA,CAAe,KAAK,CAAA,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,MACf,KAAA;AAAA,MACA,IAAK,CAAA,UAAA;AAAA,MACL,IAAK,CAAA,eAAA;AAAA,MACL,IAAK,CAAA,IAAA;AAAA,MACL,IAAK,CAAA,QAAA;AAAA,KACP,CAAA;AACA,IAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA,CAAA;AAE9B,IAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA,CAAA;AAC1C,IAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,MAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA,CAAA;AAE/B,MAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,QACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,UACtD,MAAA;AAAA,SACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,UACrG,MAAA;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAEA,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IACE,IAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,KAAM,UAChC,IAAK,CAAA,SAAA,CAAU,WAAa,EAAA,IAAI,CAChC,EAAA;AACA,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AACA,IAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA,CAAA;AAAA,GAChC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA,CAAA;AAAA,GAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAA,MAAM,OAAO,IAAIC,qCAAA;AAAA,QACf,IAAA;AAAA,QACA,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA,QAAA;AAAA,OACP,CAAA;AACA,MAAM,MAAA,IAAA,CAAK,eAAe,IAAI,CAAA,CAAA;AAC9B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA,CAAA;AAEzC,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIF,yBAAA,CAAe,IAAI,CAAA,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA,YAAA;AAAA,SACP,CAAA;AACA,QAAA,OAAO,OAAQ,CAAA,OAAA,CAAQ,WAAY,CAAA,QAAA,EAAU,CAAA,CAAA;AAAA,OAC/C;AAEA,MAAA,MAAM,WAAqB,EAAC,CAAA;AAE5B,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA,CAAA;AACjB,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA,CAAA;AAAA,SAC1B;AAAA,OACF;AAEA,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA,CAAA;AAAA,KACjC;AAEA,IAAA,OAAO,EAAC,CAAA;AAAA,GACV;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA,CAAA;AAAA,GACtD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA,GAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AACA,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA,CAAA;AAE/B,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AAAA;AAAA,EAGQ,gBAAgB,IAAsB,EAAA;AAC5C,IAAM,MAAA,MAAA,GAAS,IAAK,CAAA,KAAA,CAAM,GAAG,CAAA,CAAA;AAC7B,IAAA,OAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA,CAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA,CAAA;AAAA,GACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,kBAAA,CACZ,KACA,EAAA,KAAA,EACA,WAC8B,EAAA;AAC9B,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA,CAAA;AAG3C,IAAI,IAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,KAAM,UAAU,QAAS,CAAA,SAAA,CAAU,KAAK,CAAG,EAAA;AACvE,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAGA,IAAA,IAAI,QAAS,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACtC,MAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA,CAAA;AAAA,KAC5B;AAEA,IAAA,IAAI,WAAe,IAAA,WAAA,CAAY,SAAU,CAAA,KAAK,CAAG,EAAA;AAC/C,MAAO,OAAA,IAAA,CAAA;AAAA,KACT;AAEA,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,KAAW,CAAA,EAAA;AACtB,MAAO,OAAA,KAAA,CAAA;AAAA,KACT;AAEA,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA,CAAA;AAAA,OACT;AAAA,KACF;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACT;AACF;;;;"}