@backstage-community/plugin-rbac-backend 5.2.3

package/dist/service/enforcer-delegate.cjs.js

@@ -0,0 +1,353 @@
+'use strict';
+
+var casbin = require('casbin');
+var EventEmitter = require('events');
+var adminCreation = require('../admin-permissions/admin-creation.cjs.js');
+var helper = require('../helper.cjs.js');
+var permissionModel = require('./permission-model.cjs.js');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+var EventEmitter__default = /*#__PURE__*/_interopDefaultCompat(EventEmitter);
+
+class EnforcerDelegate {
+  constructor(enforcer, roleMetadataStorage, knex) {
+    this.enforcer = enforcer;
+    this.roleMetadataStorage = roleMetadataStorage;
+    this.knex = knex;
+  }
+  roleEventEmitter = new EventEmitter__default.default();
+  on(event, listener) {
+    this.roleEventEmitter.on(event, listener);
+    return this;
+  }
+  async hasPolicy(...policy) {
+    return await this.enforcer.hasPolicy(...policy);
+  }
+  async hasGroupingPolicy(...policy) {
+    return await this.enforcer.hasGroupingPolicy(...policy);
+  }
+  async getPolicy() {
+    return await this.enforcer.getPolicy();
+  }
+  async getGroupingPolicy() {
+    return await this.enforcer.getGroupingPolicy();
+  }
+  async getRolesForUser(userEntityRef) {
+    return await this.enforcer.getRolesForUser(userEntityRef);
+  }
+  async getFilteredPolicy(fieldIndex, ...filter) {
+    return await this.enforcer.getFilteredPolicy(fieldIndex, ...filter);
+  }
+  async getFilteredGroupingPolicy(fieldIndex, ...filter) {
+    return await this.enforcer.getFilteredGroupingPolicy(fieldIndex, ...filter);
+  }
+  async addPolicy(policy, externalTrx) {
+    const trx = externalTrx ?? await this.knex.transaction();
+    if (await this.enforcer.hasPolicy(...policy)) {
+      return;
+    }
+    try {
+      const ok = await this.enforcer.addPolicy(...policy);
+      if (!ok) {
+        throw new Error(`failed to create policy ${helper.policyToString(policy)}`);
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async addPolicies(policies, externalTrx) {
+    if (policies.length === 0) {
+      return;
+    }
+    const trx = externalTrx || await this.knex.transaction();
+    try {
+      const ok = await this.enforcer.addPolicies(policies);
+      if (!ok) {
+        throw new Error(
+          `Failed to store policies ${helper.policiesToString(policies)}`
+        );
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async addGroupingPolicy(policy, roleMetadata, externalTrx) {
+    const trx = externalTrx ?? await this.knex.transaction();
+    const entityRef = roleMetadata.roleEntityRef;
+    if (await this.enforcer.hasGroupingPolicy(...policy)) {
+      return;
+    }
+    try {
+      let currentMetadata;
+      if (entityRef.startsWith(`role:`)) {
+        currentMetadata = await this.roleMetadataStorage.findRoleMetadata(
+          entityRef,
+          trx
+        );
+      }
+      if (currentMetadata) {
+        await this.roleMetadataStorage.updateRoleMetadata(
+          helper.mergeRoleMetadata(currentMetadata, roleMetadata),
+          entityRef,
+          trx
+        );
+      } else {
+        const currentDate = /* @__PURE__ */ new Date();
+        roleMetadata.createdAt = currentDate.toUTCString();
+        roleMetadata.lastModified = currentDate.toUTCString();
+        await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);
+      }
+      const ok = await this.enforcer.addGroupingPolicy(...policy);
+      if (!ok) {
+        throw new Error(`failed to create policy ${helper.policyToString(policy)}`);
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+      if (!currentMetadata) {
+        this.roleEventEmitter.emit("roleAdded", roleMetadata.roleEntityRef);
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async addGroupingPolicies(policies, roleMetadata, externalTrx) {
+    if (policies.length === 0) {
+      return;
+    }
+    const trx = externalTrx ?? await this.knex.transaction();
+    try {
+      const currentRoleMetadata = await this.roleMetadataStorage.findRoleMetadata(
+        roleMetadata.roleEntityRef,
+        trx
+      );
+      if (currentRoleMetadata) {
+        await this.roleMetadataStorage.updateRoleMetadata(
+          helper.mergeRoleMetadata(currentRoleMetadata, roleMetadata),
+          roleMetadata.roleEntityRef,
+          trx
+        );
+      } else {
+        const currentDate = /* @__PURE__ */ new Date();
+        roleMetadata.createdAt = currentDate.toUTCString();
+        roleMetadata.lastModified = currentDate.toUTCString();
+        await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);
+      }
+      const ok = await this.enforcer.addGroupingPolicies(policies);
+      if (!ok) {
+        throw new Error(
+          `Failed to store policies ${helper.policiesToString(policies)}`
+        );
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+      if (!currentRoleMetadata) {
+        this.roleEventEmitter.emit("roleAdded", roleMetadata.roleEntityRef);
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async updateGroupingPolicies(oldRole, newRole, newRoleMetadata) {
+    const oldRoleName = oldRole.at(0)?.at(1);
+    const trx = await this.knex.transaction();
+    try {
+      const currentMetadata = await this.roleMetadataStorage.findRoleMetadata(
+        oldRoleName,
+        trx
+      );
+      if (!currentMetadata) {
+        throw new Error(`Role metadata ${oldRoleName} was not found`);
+      }
+      await this.removeGroupingPolicies(oldRole, currentMetadata, true, trx);
+      await this.addGroupingPolicies(newRole, newRoleMetadata, trx);
+      await trx.commit();
+    } catch (err) {
+      await trx.rollback(err);
+      throw err;
+    }
+  }
+  async updatePolicies(oldPolicies, newPolicies) {
+    const trx = await this.knex.transaction();
+    try {
+      await this.removePolicies(oldPolicies, trx);
+      await this.addPolicies(newPolicies, trx);
+      await trx.commit();
+    } catch (err) {
+      await trx.rollback(err);
+      throw err;
+    }
+  }
+  async removePolicy(policy, externalTrx) {
+    const trx = externalTrx ?? await this.knex.transaction();
+    try {
+      const ok = await this.enforcer.removePolicy(...policy);
+      if (!ok) {
+        throw new Error(`fail to delete policy ${policy}`);
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async removePolicies(policies, externalTrx) {
+    const trx = externalTrx ?? await this.knex.transaction();
+    try {
+      const ok = await this.enforcer.removePolicies(policies);
+      if (!ok) {
+        throw new Error(
+          `Failed to delete policies ${helper.policiesToString(policies)}`
+        );
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async removeGroupingPolicy(policy, roleMetadata, isUpdate, externalTrx) {
+    const trx = externalTrx ?? await this.knex.transaction();
+    const roleEntity = policy[1];
+    try {
+      const ok = await this.enforcer.removeGroupingPolicy(...policy);
+      if (!ok) {
+        throw new Error(`Failed to delete policy ${helper.policyToString(policy)}`);
+      }
+      if (!isUpdate) {
+        const currentRoleMetadata = await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);
+        const remainingGroupPolicies = await this.enforcer.getFilteredGroupingPolicy(1, roleEntity);
+        if (currentRoleMetadata && remainingGroupPolicies.length === 0 && roleEntity !== adminCreation.ADMIN_ROLE_NAME) {
+          await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);
+        } else if (currentRoleMetadata) {
+          await this.roleMetadataStorage.updateRoleMetadata(
+            helper.mergeRoleMetadata(currentRoleMetadata, roleMetadata),
+            roleEntity,
+            trx
+          );
+        }
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  async removeGroupingPolicies(policies, roleMetadata, isUpdate, externalTrx) {
+    const trx = externalTrx ?? await this.knex.transaction();
+    const roleEntity = roleMetadata.roleEntityRef;
+    try {
+      const ok = await this.enforcer.removeGroupingPolicies(policies);
+      if (!ok) {
+        throw new Error(
+          `Failed to delete grouping policies: ${helper.policiesToString(policies)}`
+        );
+      }
+      if (!isUpdate) {
+        const currentRoleMetadata = await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);
+        const remainingGroupPolicies = await this.enforcer.getFilteredGroupingPolicy(1, roleEntity);
+        if (currentRoleMetadata && remainingGroupPolicies.length === 0 && roleEntity !== adminCreation.ADMIN_ROLE_NAME) {
+          await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);
+        } else if (currentRoleMetadata) {
+          await this.roleMetadataStorage.updateRoleMetadata(
+            helper.mergeRoleMetadata(currentRoleMetadata, roleMetadata),
+            roleEntity,
+            trx
+          );
+        }
+      }
+      if (!externalTrx) {
+        await trx.commit();
+      }
+    } catch (err) {
+      if (!externalTrx) {
+        await trx.rollback(err);
+      }
+      throw err;
+    }
+  }
+  /**
+   * enforce aims to enforce a particular permission policy based on the user that it receives.
+   * Under the hood, enforce uses the `enforce` method from the enforcer`.
+   *
+   * Before enforcement, a filter is set up to reduce the number of permission policies that will
+   * be loaded in.
+   * This will reduce the amount of checks that need to be made to determine if a user is authorize
+   * to perform an action
+   *
+   * A temporary enforcer will also be used while enforcing.
+   * This is to ensure that the filter does not interact with the base enforcer.
+   * The temporary enforcer has lazy loading of the permission policies enabled to reduce the amount
+   * of time it takes to initialize the temporary enforcer.
+   * The justification for lazy loading is because permission policies are already present in the
+   * role manager / database and it will be filtered and loaded whenever `loadFilteredPolicy` is called.
+   * @param entityRef The user to enforce
+   * @param resourceType The resource type / name of the permission policy
+   * @param action The action of the permission policy
+   * @param roles Any roles that the user is directly or indirectly attached to.
+   * Used for filtering permission policies.
+   * @returns True if the user is allowed based on the particular permission
+   */
+  async enforce(entityRef, resourceType, action, roles) {
+    const filter = [];
+    if (roles.length > 0) {
+      roles.forEach((role) => {
+        filter.push({ ptype: "p", v0: role, v1: resourceType, v2: action });
+      });
+    } else {
+      filter.push({ ptype: "p", v1: resourceType, v2: action });
+    }
+    const adapt = this.enforcer.getAdapter();
+    const roleManager = this.enforcer.getRoleManager();
+    const tempEnforcer = new casbin.Enforcer();
+    await tempEnforcer.initWithModelAndAdapter(
+      casbin.newModelFromString(permissionModel.MODEL),
+      adapt,
+      true
+    );
+    tempEnforcer.setRoleManager(roleManager);
+    await tempEnforcer.loadFilteredPolicy(filter);
+    return await tempEnforcer.enforce(entityRef, resourceType, action);
+  }
+  async getImplicitPermissionsForUser(user) {
+    return this.enforcer.getImplicitPermissionsForUser(user);
+  }
+  async getAllRoles() {
+    return this.enforcer.getAllRoles();
+  }
+}
+
+exports.EnforcerDelegate = EnforcerDelegate;
+//# sourceMappingURL=enforcer-delegate.cjs.js.map

package/dist/service/enforcer-delegate.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforcer-delegate.cjs.js","sources":["../../src/service/enforcer-delegate.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { Enforcer, newModelFromString } from 'casbin';\nimport { Knex } from 'knex';\n\nimport EventEmitter from 'events';\n\nimport { ADMIN_ROLE_NAME } from '../admin-permissions/admin-creation';\nimport {\n  RoleMetadataDao,\n  RoleMetadataStorage,\n} from '../database/role-metadata';\nimport { mergeRoleMetadata, policiesToString, policyToString } from '../helper';\nimport { MODEL } from './permission-model';\n\nexport type RoleEvents = 'roleAdded';\nexport interface RoleEventEmitter<T extends RoleEvents> {\n  on(event: T, listener: (roleEntityRef: string | string[]) => void): this;\n}\n\ntype EventMap = {\n  [event in RoleEvents]: any[];\n};\n\nexport class EnforcerDelegate implements RoleEventEmitter<RoleEvents> {\n  private readonly roleEventEmitter = new EventEmitter<EventMap>();\n\n  constructor(\n    private readonly enforcer: Enforcer,\n    private readonly roleMetadataStorage: RoleMetadataStorage,\n    private readonly knex: Knex,\n  ) {}\n\n  on(event: RoleEvents, listener: (role: string) => void): this {\n    this.roleEventEmitter.on(event, listener);\n    return this;\n  }\n\n  async hasPolicy(...policy: string[]): Promise<boolean> {\n    return await this.enforcer.hasPolicy(...policy);\n  }\n\n  async hasGroupingPolicy(...policy: string[]): Promise<boolean> {\n    return await this.enforcer.hasGroupingPolicy(...policy);\n  }\n\n  async getPolicy(): Promise<string[][]> {\n    return await this.enforcer.getPolicy();\n  }\n\n  async getGroupingPolicy(): Promise<string[][]> {\n    return await this.enforcer.getGroupingPolicy();\n  }\n\n  async getRolesForUser(userEntityRef: string): Promise<string[]> {\n    return await this.enforcer.getRolesForUser(userEntityRef);\n  }\n\n  async getFilteredPolicy(\n    fieldIndex: number,\n    ...filter: string[]\n  ): Promise<string[][]> {\n    return await this.enforcer.getFilteredPolicy(fieldIndex, ...filter);\n  }\n\n  async getFilteredGroupingPolicy(\n    fieldIndex: number,\n    ...filter: string[]\n  ): Promise<string[][]> {\n    return await this.enforcer.getFilteredGroupingPolicy(fieldIndex, ...filter);\n  }\n\n  async addPolicy(\n    policy: string[],\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    const trx = externalTrx ?? (await this.knex.transaction());\n\n    if (await this.enforcer.hasPolicy(...policy)) {\n      return;\n    }\n    try {\n      const ok = await this.enforcer.addPolicy(...policy);\n      if (!ok) {\n        throw new Error(`failed to create policy ${policyToString(policy)}`);\n      }\n      if (!externalTrx) {\n        await trx.commit();\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async addPolicies(\n    policies: string[][],\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    if (policies.length === 0) {\n      return;\n    }\n\n    const trx = externalTrx || (await this.knex.transaction());\n\n    try {\n      const ok = await this.enforcer.addPolicies(policies);\n      if (!ok) {\n        throw new Error(\n          `Failed to store policies ${policiesToString(policies)}`,\n        );\n      }\n      if (!externalTrx) {\n        await trx.commit();\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async addGroupingPolicy(\n    policy: string[],\n    roleMetadata: RoleMetadataDao,\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    const trx = externalTrx ?? (await this.knex.transaction());\n    const entityRef = roleMetadata.roleEntityRef;\n\n    if (await this.enforcer.hasGroupingPolicy(...policy)) {\n      return;\n    }\n    try {\n      let currentMetadata;\n      if (entityRef.startsWith(`role:`)) {\n        currentMetadata = await this.roleMetadataStorage.findRoleMetadata(\n          entityRef,\n          trx,\n        );\n      }\n\n      if (currentMetadata) {\n        await this.roleMetadataStorage.updateRoleMetadata(\n          mergeRoleMetadata(currentMetadata, roleMetadata),\n          entityRef,\n          trx,\n        );\n      } else {\n        const currentDate: Date = new Date();\n        roleMetadata.createdAt = currentDate.toUTCString();\n        roleMetadata.lastModified = currentDate.toUTCString();\n        await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);\n      }\n\n      const ok = await this.enforcer.addGroupingPolicy(...policy);\n      if (!ok) {\n        throw new Error(`failed to create policy ${policyToString(policy)}`);\n      }\n      if (!externalTrx) {\n        await trx.commit();\n      }\n      if (!currentMetadata) {\n        this.roleEventEmitter.emit('roleAdded', roleMetadata.roleEntityRef);\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async addGroupingPolicies(\n    policies: string[][],\n    roleMetadata: RoleMetadataDao,\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    if (policies.length === 0) {\n      return;\n    }\n\n    const trx = externalTrx ?? (await this.knex.transaction());\n\n    try {\n      const currentRoleMetadata =\n        await this.roleMetadataStorage.findRoleMetadata(\n          roleMetadata.roleEntityRef,\n          trx,\n        );\n      if (currentRoleMetadata) {\n        await this.roleMetadataStorage.updateRoleMetadata(\n          mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n          roleMetadata.roleEntityRef,\n          trx,\n        );\n      } else {\n        const currentDate: Date = new Date();\n        roleMetadata.createdAt = currentDate.toUTCString();\n        roleMetadata.lastModified = currentDate.toUTCString();\n        await this.roleMetadataStorage.createRoleMetadata(roleMetadata, trx);\n      }\n\n      const ok = await this.enforcer.addGroupingPolicies(policies);\n      if (!ok) {\n        throw new Error(\n          `Failed to store policies ${policiesToString(policies)}`,\n        );\n      }\n\n      if (!externalTrx) {\n        await trx.commit();\n      }\n      if (!currentRoleMetadata) {\n        this.roleEventEmitter.emit('roleAdded', roleMetadata.roleEntityRef);\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async updateGroupingPolicies(\n    oldRole: string[][],\n    newRole: string[][],\n    newRoleMetadata: RoleMetadataDao,\n  ): Promise<void> {\n    const oldRoleName = oldRole.at(0)?.at(1)!;\n\n    const trx = await this.knex.transaction();\n    try {\n      const currentMetadata = await this.roleMetadataStorage.findRoleMetadata(\n        oldRoleName,\n        trx,\n      );\n      if (!currentMetadata) {\n        throw new Error(`Role metadata ${oldRoleName} was not found`);\n      }\n\n      await this.removeGroupingPolicies(oldRole, currentMetadata, true, trx);\n      await this.addGroupingPolicies(newRole, newRoleMetadata, trx);\n      await trx.commit();\n    } catch (err) {\n      await trx.rollback(err);\n      throw err;\n    }\n  }\n\n  async updatePolicies(\n    oldPolicies: string[][],\n    newPolicies: string[][],\n  ): Promise<void> {\n    const trx = await this.knex.transaction();\n\n    try {\n      await this.removePolicies(oldPolicies, trx);\n      await this.addPolicies(newPolicies, trx);\n      await trx.commit();\n    } catch (err) {\n      await trx.rollback(err);\n      throw err;\n    }\n  }\n\n  async removePolicy(policy: string[], externalTrx?: Knex.Transaction) {\n    const trx = externalTrx ?? (await this.knex.transaction());\n\n    try {\n      const ok = await this.enforcer.removePolicy(...policy);\n      if (!ok) {\n        throw new Error(`fail to delete policy ${policy}`);\n      }\n      if (!externalTrx) {\n        await trx.commit();\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async removePolicies(\n    policies: string[][],\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    const trx = externalTrx ?? (await this.knex.transaction());\n\n    try {\n      const ok = await this.enforcer.removePolicies(policies);\n      if (!ok) {\n        throw new Error(\n          `Failed to delete policies ${policiesToString(policies)}`,\n        );\n      }\n\n      if (!externalTrx) {\n        await trx.commit();\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async removeGroupingPolicy(\n    policy: string[],\n    roleMetadata: RoleMetadataDao,\n    isUpdate?: boolean,\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    const trx = externalTrx ?? (await this.knex.transaction());\n    const roleEntity = policy[1];\n\n    try {\n      const ok = await this.enforcer.removeGroupingPolicy(...policy);\n      if (!ok) {\n        throw new Error(`Failed to delete policy ${policyToString(policy)}`);\n      }\n\n      if (!isUpdate) {\n        const currentRoleMetadata =\n          await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);\n        const remainingGroupPolicies =\n          await this.enforcer.getFilteredGroupingPolicy(1, roleEntity);\n        if (\n          currentRoleMetadata &&\n          remainingGroupPolicies.length === 0 &&\n          roleEntity !== ADMIN_ROLE_NAME\n        ) {\n          await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);\n        } else if (currentRoleMetadata) {\n          await this.roleMetadataStorage.updateRoleMetadata(\n            mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n            roleEntity,\n            trx,\n          );\n        }\n      }\n\n      if (!externalTrx) {\n        await trx.commit();\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  async removeGroupingPolicies(\n    policies: string[][],\n    roleMetadata: RoleMetadataDao,\n    isUpdate?: boolean,\n    externalTrx?: Knex.Transaction,\n  ): Promise<void> {\n    const trx = externalTrx ?? (await this.knex.transaction());\n\n    const roleEntity = roleMetadata.roleEntityRef;\n    try {\n      const ok = await this.enforcer.removeGroupingPolicies(policies);\n      if (!ok) {\n        throw new Error(\n          `Failed to delete grouping policies: ${policiesToString(policies)}`,\n        );\n      }\n\n      if (!isUpdate) {\n        const currentRoleMetadata =\n          await this.roleMetadataStorage.findRoleMetadata(roleEntity, trx);\n        const remainingGroupPolicies =\n          await this.enforcer.getFilteredGroupingPolicy(1, roleEntity);\n        if (\n          currentRoleMetadata &&\n          remainingGroupPolicies.length === 0 &&\n          roleEntity !== ADMIN_ROLE_NAME\n        ) {\n          await this.roleMetadataStorage.removeRoleMetadata(roleEntity, trx);\n        } else if (currentRoleMetadata) {\n          await this.roleMetadataStorage.updateRoleMetadata(\n            mergeRoleMetadata(currentRoleMetadata, roleMetadata),\n            roleEntity,\n            trx,\n          );\n        }\n      }\n\n      if (!externalTrx) {\n        await trx.commit();\n      }\n    } catch (err) {\n      if (!externalTrx) {\n        await trx.rollback(err);\n      }\n      throw err;\n    }\n  }\n\n  /**\n   * enforce aims to enforce a particular permission policy based on the user that it receives.\n   * Under the hood, enforce uses the `enforce` method from the enforcer`.\n   *\n   * Before enforcement, a filter is set up to reduce the number of permission policies that will\n   * be loaded in.\n   * This will reduce the amount of checks that need to be made to determine if a user is authorize\n   * to perform an action\n   *\n   * A temporary enforcer will also be used while enforcing.\n   * This is to ensure that the filter does not interact with the base enforcer.\n   * The temporary enforcer has lazy loading of the permission policies enabled to reduce the amount\n   * of time it takes to initialize the temporary enforcer.\n   * The justification for lazy loading is because permission policies are already present in the\n   * role manager / database and it will be filtered and loaded whenever `loadFilteredPolicy` is called.\n   * @param entityRef The user to enforce\n   * @param resourceType The resource type / name of the permission policy\n   * @param action The action of the permission policy\n   * @param roles Any roles that the user is directly or indirectly attached to.\n   * Used for filtering permission policies.\n   * @returns True if the user is allowed based on the particular permission\n   */\n  async enforce(\n    entityRef: string,\n    resourceType: string,\n    action: string,\n    roles: string[],\n  ): Promise<boolean> {\n    const filter = [];\n    if (roles.length > 0) {\n      roles.forEach(role => {\n        filter.push({ ptype: 'p', v0: role, v1: resourceType, v2: action });\n      });\n    } else {\n      filter.push({ ptype: 'p', v1: resourceType, v2: action });\n    }\n\n    const adapt = this.enforcer.getAdapter();\n    const roleManager = this.enforcer.getRoleManager();\n    const tempEnforcer = new Enforcer();\n    await tempEnforcer.initWithModelAndAdapter(\n      newModelFromString(MODEL),\n      adapt,\n      true,\n    );\n    tempEnforcer.setRoleManager(roleManager);\n\n    await tempEnforcer.loadFilteredPolicy(filter);\n\n    return await tempEnforcer.enforce(entityRef, resourceType, action);\n  }\n\n  async getImplicitPermissionsForUser(user: string): Promise<string[][]> {\n    return this.enforcer.getImplicitPermissionsForUser(user);\n  }\n\n  async getAllRoles(): Promise<string[]> {\n    return this.enforcer.getAllRoles();\n  }\n}\n"],"names":["EventEmitter","policyToString","policiesToString","mergeRoleMetadata","ADMIN_ROLE_NAME","Enforcer","newModelFromString","MODEL"],"mappings":";;;;;;;;;;;;AAqCO,MAAM,gBAAyD,CAAA;AAAA,EAGpE,WAAA,CACmB,QACA,EAAA,mBAAA,EACA,IACjB,EAAA;AAHiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AACA,IAAA,IAAA,CAAA,mBAAA,GAAA,mBAAA,CAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA,CAAA;AAAA,GAChB;AAAA,EANc,gBAAA,GAAmB,IAAIA,6BAAuB,EAAA,CAAA;AAAA,EAQ/D,EAAA,CAAG,OAAmB,QAAwC,EAAA;AAC5D,IAAK,IAAA,CAAA,gBAAA,CAAiB,EAAG,CAAA,KAAA,EAAO,QAAQ,CAAA,CAAA;AACxC,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,aAAa,MAAoC,EAAA;AACrD,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,SAAA,CAAU,GAAG,MAAM,CAAA,CAAA;AAAA,GAChD;AAAA,EAEA,MAAM,qBAAqB,MAAoC,EAAA;AAC7D,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,GAAG,MAAM,CAAA,CAAA;AAAA,GACxD;AAAA,EAEA,MAAM,SAAiC,GAAA;AACrC,IAAO,OAAA,MAAM,IAAK,CAAA,QAAA,CAAS,SAAU,EAAA,CAAA;AAAA,GACvC;AAAA,EAEA,MAAM,iBAAyC,GAAA;AAC7C,IAAO,OAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,EAAA,CAAA;AAAA,GAC/C;AAAA,EAEA,MAAM,gBAAgB,aAA0C,EAAA;AAC9D,IAAA,OAAO,MAAM,IAAA,CAAK,QAAS,CAAA,eAAA,CAAgB,aAAa,CAAA,CAAA;AAAA,GAC1D;AAAA,EAEA,MAAM,iBACJ,CAAA,UAAA,EAAA,GACG,MACkB,EAAA;AACrB,IAAA,OAAO,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,UAAA,EAAY,GAAG,MAAM,CAAA,CAAA;AAAA,GACpE;AAAA,EAEA,MAAM,yBACJ,CAAA,UAAA,EAAA,GACG,MACkB,EAAA;AACrB,IAAA,OAAO,MAAM,IAAK,CAAA,QAAA,CAAS,yBAA0B,CAAA,UAAA,EAAY,GAAG,MAAM,CAAA,CAAA;AAAA,GAC5E;AAAA,EAEA,MAAM,SACJ,CAAA,MAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,SAAU,CAAA,GAAG,MAAM,CAAG,EAAA;AAC5C,MAAA,OAAA;AAAA,KACF;AACA,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,SAAA,CAAU,GAAG,MAAM,CAAA,CAAA;AAClD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BC,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,OACrE;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,WACJ,CAAA,QAAA,EACA,WACe,EAAA;AACf,IAAI,IAAA,QAAA,CAAS,WAAW,CAAG,EAAA;AACzB,MAAA,OAAA;AAAA,KACF;AAEA,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,YAAY,QAAQ,CAAA,CAAA;AACnD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,yBAAA,EAA4BC,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACxD,CAAA;AAAA,OACF;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,iBAAA,CACJ,MACA,EAAA,YAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AACxD,IAAA,MAAM,YAAY,YAAa,CAAA,aAAA,CAAA;AAE/B,IAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,MAAM,CAAG,EAAA;AACpD,MAAA,OAAA;AAAA,KACF;AACA,IAAI,IAAA;AACF,MAAI,IAAA,eAAA,CAAA;AACJ,MAAI,IAAA,SAAA,CAAU,UAAW,CAAA,CAAA,KAAA,CAAO,CAAG,EAAA;AACjC,QAAkB,eAAA,GAAA,MAAM,KAAK,mBAAoB,CAAA,gBAAA;AAAA,UAC/C,SAAA;AAAA,UACA,GAAA;AAAA,SACF,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,eAAiB,EAAA;AACnB,QAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,UAC7BC,wBAAA,CAAkB,iBAAiB,YAAY,CAAA;AAAA,UAC/C,SAAA;AAAA,UACA,GAAA;AAAA,SACF,CAAA;AAAA,OACK,MAAA;AACL,QAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA,CAAA;AACnC,QAAa,YAAA,CAAA,SAAA,GAAY,YAAY,WAAY,EAAA,CAAA;AACjD,QAAa,YAAA,CAAA,YAAA,GAAe,YAAY,WAAY,EAAA,CAAA;AACpD,QAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,YAAA,EAAc,GAAG,CAAA,CAAA;AAAA,OACrE;AAEA,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,GAAG,MAAM,CAAA,CAAA;AAC1D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BF,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,OACrE;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AACA,MAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,QAAA,IAAA,CAAK,gBAAiB,CAAA,IAAA,CAAK,WAAa,EAAA,YAAA,CAAa,aAAa,CAAA,CAAA;AAAA,OACpE;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,mBAAA,CACJ,QACA,EAAA,YAAA,EACA,WACe,EAAA;AACf,IAAI,IAAA,QAAA,CAAS,WAAW,CAAG,EAAA;AACzB,MAAA,OAAA;AAAA,KACF;AAEA,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAM,MAAA,mBAAA,GACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,QAC7B,YAAa,CAAA,aAAA;AAAA,QACb,GAAA;AAAA,OACF,CAAA;AACF,MAAA,IAAI,mBAAqB,EAAA;AACvB,QAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,UAC7BE,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,UACnD,YAAa,CAAA,aAAA;AAAA,UACb,GAAA;AAAA,SACF,CAAA;AAAA,OACK,MAAA;AACL,QAAM,MAAA,WAAA,uBAAwB,IAAK,EAAA,CAAA;AACnC,QAAa,YAAA,CAAA,SAAA,GAAY,YAAY,WAAY,EAAA,CAAA;AACjD,QAAa,YAAA,CAAA,YAAA,GAAe,YAAY,WAAY,EAAA,CAAA;AACpD,QAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,YAAA,EAAc,GAAG,CAAA,CAAA;AAAA,OACrE;AAEA,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,oBAAoB,QAAQ,CAAA,CAAA;AAC3D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,yBAAA,EAA4BD,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACxD,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AACA,MAAA,IAAI,CAAC,mBAAqB,EAAA;AACxB,QAAA,IAAA,CAAK,gBAAiB,CAAA,IAAA,CAAK,WAAa,EAAA,YAAA,CAAa,aAAa,CAAA,CAAA;AAAA,OACpE;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,sBAAA,CACJ,OACA,EAAA,OAAA,EACA,eACe,EAAA;AACf,IAAA,MAAM,cAAc,OAAQ,CAAA,EAAA,CAAG,CAAC,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEvC,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,IAAA,CAAK,WAAY,EAAA,CAAA;AACxC,IAAI,IAAA;AACF,MAAM,MAAA,eAAA,GAAkB,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA;AAAA,QACrD,WAAA;AAAA,QACA,GAAA;AAAA,OACF,CAAA;AACA,MAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAiB,cAAA,EAAA,WAAW,CAAgB,cAAA,CAAA,CAAA,CAAA;AAAA,OAC9D;AAEA,MAAA,MAAM,IAAK,CAAA,sBAAA,CAAuB,OAAS,EAAA,eAAA,EAAiB,MAAM,GAAG,CAAA,CAAA;AACrE,MAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,OAAS,EAAA,eAAA,EAAiB,GAAG,CAAA,CAAA;AAC5D,MAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,aACV,GAAK,EAAA;AACZ,MAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AACtB,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,cACJ,CAAA,WAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,IAAA,CAAK,WAAY,EAAA,CAAA;AAExC,IAAI,IAAA;AACF,MAAM,MAAA,IAAA,CAAK,cAAe,CAAA,WAAA,EAAa,GAAG,CAAA,CAAA;AAC1C,MAAM,MAAA,IAAA,CAAK,WAAY,CAAA,WAAA,EAAa,GAAG,CAAA,CAAA;AACvC,MAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,aACV,GAAK,EAAA;AACZ,MAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AACtB,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,YAAa,CAAA,MAAA,EAAkB,WAAgC,EAAA;AACnE,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,YAAA,CAAa,GAAG,MAAM,CAAA,CAAA;AACrD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA,CAAM,CAAyB,sBAAA,EAAA,MAAM,CAAE,CAAA,CAAA,CAAA;AAAA,OACnD;AACA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,cACJ,CAAA,QAAA,EACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,eAAe,QAAQ,CAAA,CAAA;AACtD,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,0BAAA,EAA6BA,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACzD,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,oBAAA,CACJ,MACA,EAAA,YAAA,EACA,UACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AACxD,IAAM,MAAA,UAAA,GAAa,OAAO,CAAC,CAAA,CAAA;AAE3B,IAAI,IAAA;AACF,MAAA,MAAM,KAAK,MAAM,IAAA,CAAK,QAAS,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA,CAAA;AAC7D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAM,CAAA,CAAA,wBAAA,EAA2BD,qBAAe,CAAA,MAAM,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,OACrE;AAEA,MAAA,IAAI,CAAC,QAAU,EAAA;AACb,QAAA,MAAM,sBACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA,CAAiB,YAAY,GAAG,CAAA,CAAA;AACjE,QAAA,MAAM,yBACJ,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA,CAA0B,GAAG,UAAU,CAAA,CAAA;AAC7D,QAAA,IACE,mBACA,IAAA,sBAAA,CAAuB,MAAW,KAAA,CAAA,IAClC,eAAeG,6BACf,EAAA;AACA,UAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,UAAA,EAAY,GAAG,CAAA,CAAA;AAAA,mBACxD,mBAAqB,EAAA;AAC9B,UAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,YAC7BD,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,YACnD,UAAA;AAAA,YACA,GAAA;AAAA,WACF,CAAA;AAAA,SACF;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA,EAEA,MAAM,sBAAA,CACJ,QACA,EAAA,YAAA,EACA,UACA,WACe,EAAA;AACf,IAAA,MAAM,GAAM,GAAA,WAAA,IAAgB,MAAM,IAAA,CAAK,KAAK,WAAY,EAAA,CAAA;AAExD,IAAA,MAAM,aAAa,YAAa,CAAA,aAAA,CAAA;AAChC,IAAI,IAAA;AACF,MAAA,MAAM,EAAK,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,uBAAuB,QAAQ,CAAA,CAAA;AAC9D,MAAA,IAAI,CAAC,EAAI,EAAA;AACP,QAAA,MAAM,IAAI,KAAA;AAAA,UACR,CAAA,oCAAA,EAAuCD,uBAAiB,CAAA,QAAQ,CAAC,CAAA,CAAA;AAAA,SACnE,CAAA;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,QAAU,EAAA;AACb,QAAA,MAAM,sBACJ,MAAM,IAAA,CAAK,mBAAoB,CAAA,gBAAA,CAAiB,YAAY,GAAG,CAAA,CAAA;AACjE,QAAA,MAAM,yBACJ,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA,CAA0B,GAAG,UAAU,CAAA,CAAA;AAC7D,QAAA,IACE,mBACA,IAAA,sBAAA,CAAuB,MAAW,KAAA,CAAA,IAClC,eAAeE,6BACf,EAAA;AACA,UAAA,MAAM,IAAK,CAAA,mBAAA,CAAoB,kBAAmB,CAAA,UAAA,EAAY,GAAG,CAAA,CAAA;AAAA,mBACxD,mBAAqB,EAAA;AAC9B,UAAA,MAAM,KAAK,mBAAoB,CAAA,kBAAA;AAAA,YAC7BD,wBAAA,CAAkB,qBAAqB,YAAY,CAAA;AAAA,YACnD,UAAA;AAAA,YACA,GAAA;AAAA,WACF,CAAA;AAAA,SACF;AAAA,OACF;AAEA,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAA,MAAM,IAAI,MAAO,EAAA,CAAA;AAAA,OACnB;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAI,CAAC,WAAa,EAAA;AAChB,QAAM,MAAA,GAAA,CAAI,SAAS,GAAG,CAAA,CAAA;AAAA,OACxB;AACA,MAAM,MAAA,GAAA,CAAA;AAAA,KACR;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,OAAA,CACJ,SACA,EAAA,YAAA,EACA,QACA,KACkB,EAAA;AAClB,IAAA,MAAM,SAAS,EAAC,CAAA;AAChB,IAAI,IAAA,KAAA,CAAM,SAAS,CAAG,EAAA;AACpB,MAAA,KAAA,CAAM,QAAQ,CAAQ,IAAA,KAAA;AACpB,QAAO,MAAA,CAAA,IAAA,CAAK,EAAE,KAAA,EAAO,GAAK,EAAA,EAAA,EAAI,MAAM,EAAI,EAAA,YAAA,EAAc,EAAI,EAAA,MAAA,EAAQ,CAAA,CAAA;AAAA,OACnE,CAAA,CAAA;AAAA,KACI,MAAA;AACL,MAAO,MAAA,CAAA,IAAA,CAAK,EAAE,KAAO,EAAA,GAAA,EAAK,IAAI,YAAc,EAAA,EAAA,EAAI,QAAQ,CAAA,CAAA;AAAA,KAC1D;AAEA,IAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,QAAA,CAAS,UAAW,EAAA,CAAA;AACvC,IAAM,MAAA,WAAA,GAAc,IAAK,CAAA,QAAA,CAAS,cAAe,EAAA,CAAA;AACjD,IAAM,MAAA,YAAA,GAAe,IAAIE,eAAS,EAAA,CAAA;AAClC,IAAA,MAAM,YAAa,CAAA,uBAAA;AAAA,MACjBC,0BAAmBC,qBAAK,CAAA;AAAA,MACxB,KAAA;AAAA,MACA,IAAA;AAAA,KACF,CAAA;AACA,IAAA,YAAA,CAAa,eAAe,WAAW,CAAA,CAAA;AAEvC,IAAM,MAAA,YAAA,CAAa,mBAAmB,MAAM,CAAA,CAAA;AAE5C,IAAA,OAAO,MAAM,YAAA,CAAa,OAAQ,CAAA,SAAA,EAAW,cAAc,MAAM,CAAA,CAAA;AAAA,GACnE;AAAA,EAEA,MAAM,8BAA8B,IAAmC,EAAA;AACrE,IAAO,OAAA,IAAA,CAAK,QAAS,CAAA,6BAAA,CAA8B,IAAI,CAAA,CAAA;AAAA,GACzD;AAAA,EAEA,MAAM,WAAiC,GAAA;AACrC,IAAO,OAAA,IAAA,CAAK,SAAS,WAAY,EAAA,CAAA;AAAA,GACnC;AACF;;;;"}

package/dist/service/permission-model.cjs.js

@@ -0,0 +1,21 @@
+'use strict';
+
+const MODEL = `
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[role_definition]
+g = _, _
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+`;
+
+exports.MODEL = MODEL;
+//# sourceMappingURL=permission-model.cjs.js.map

package/dist/service/permission-model.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-model.cjs.js","sources":["../../src/service/permission-model.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nexport const MODEL = `\n[request_definition]\nr = sub, obj, act\n\n[policy_definition]\np = sub, obj, act, eft\n\n[policy_effect]\ne = some(where (p.eft == allow)) && !some(where (p.eft == deny))\n\n[role_definition]\ng = _, _\n\n[matchers]\nm = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act\n`;\n"],"names":[],"mappings":";;AAeO,MAAM,KAAQ,GAAA,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;;"}

package/dist/service/plugin-endpoints.cjs.js

@@ -0,0 +1,121 @@
+'use strict';
+
+var urlReader = require('@backstage/backend-defaults/urlReader');
+var errors = require('@backstage/errors');
+var pluginPermissionCommon = require('@backstage/plugin-permission-common');
+
+class PluginPermissionMetadataCollector {
+  pluginIds;
+  discovery;
+  logger;
+  urlReader;
+  constructor({
+    deps,
+    optional
+  }) {
+    const { discovery, pluginIdProvider, logger, config } = deps;
+    this.pluginIds = pluginIdProvider.getPluginIds();
+    this.discovery = discovery;
+    this.logger = logger;
+    this.urlReader = optional?.urlReader ?? urlReader.UrlReaders.default({
+      config,
+      logger,
+      factories: [PluginPermissionMetadataCollector.permissionFactory]
+    });
+  }
+  async getPluginConditionRules(auth) {
+    const pluginMetadata = await this.getPluginMetaData(auth);
+    return pluginMetadata.filter((metadata) => metadata.metaDataResponse.rules.length > 0).map((metadata) => {
+      return {
+        pluginId: metadata.pluginId,
+        rules: metadata.metaDataResponse.rules
+      };
+    });
+  }
+  async getPluginPolicies(auth) {
+    const pluginMetadata = await this.getPluginMetaData(auth);
+    return pluginMetadata.filter((metadata) => metadata.metaDataResponse.permissions !== void 0).map((metadata) => {
+      return {
+        pluginId: metadata.pluginId,
+        policies: permissionsToCasbinPolicies(
+          metadata.metaDataResponse.permissions
+        )
+      };
+    });
+  }
+  static permissionFactory = () => {
+    return [{ reader: new urlReader.FetchUrlReader(), predicate: (_url) => true }];
+  };
+  async getPluginMetaData(auth) {
+    let pluginResponses = [];
+    for (const pluginId of this.pluginIds) {
+      try {
+        const { token } = await auth.getPluginRequestToken({
+          onBehalfOf: await auth.getOwnServiceCredentials(),
+          targetPluginId: pluginId
+        });
+        const permMetaData = await this.getMetadataByPluginId(pluginId, token);
+        if (permMetaData) {
+          pluginResponses = [
+            ...pluginResponses,
+            {
+              metaDataResponse: permMetaData,
+              pluginId
+            }
+          ];
+        }
+      } catch (error) {
+        this.logger.error(
+          `Failed to retrieve permission metadata for ${pluginId}. ${error}`
+        );
+      }
+    }
+    return pluginResponses;
+  }
+  async getMetadataByPluginId(pluginId, token) {
+    let permMetaData;
+    try {
+      const baseEndpoint = await this.discovery.getBaseUrl(pluginId);
+      const wellKnownURL = `${baseEndpoint}/.well-known/backstage/permissions/metadata`;
+      const permResp = await this.urlReader.readUrl(wellKnownURL, { token });
+      const permMetaDataRaw = (await permResp.buffer()).toString();
+      try {
+        permMetaData = JSON.parse(permMetaDataRaw);
+      } catch (err) {
+        return void 0;
+      }
+    } catch (err) {
+      if (errors.isError(err) && err.name === "NotFoundError") {
+        this.logger.warn(
+          `No permission metadata found for ${pluginId}. ${err}`
+        );
+        return void 0;
+      }
+      this.logger.error(
+        `Failed to retrieve permission metadata for ${pluginId}. ${err}`
+      );
+    }
+    return permMetaData;
+  }
+}
+function permissionsToCasbinPolicies(permissions) {
+  const policies = [];
+  for (const permission of permissions) {
+    if (pluginPermissionCommon.isResourcePermission(permission)) {
+      policies.push({
+        resourceType: permission.resourceType,
+        name: permission.name,
+        policy: permission.attributes.action || "use"
+      });
+    } else {
+      policies.push({
+        name: permission.name,
+        policy: permission.attributes.action || "use"
+      });
+    }
+  }
+  return policies;
+}
+
+exports.PluginPermissionMetadataCollector = PluginPermissionMetadataCollector;
+//# sourceMappingURL=plugin-endpoints.cjs.js.map

package/dist/service/plugin-endpoints.cjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-endpoints.cjs.js","sources":["../../src/service/plugin-endpoints.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  FetchUrlReader,\n  ReaderFactory,\n  UrlReaders,\n} from '@backstage/backend-defaults/urlReader';\nimport type {\n  AuthService,\n  DiscoveryService,\n  LoggerService,\n  UrlReaderService,\n} from '@backstage/backend-plugin-api';\nimport type { Config } from '@backstage/config';\nimport { isError } from '@backstage/errors';\nimport {\n  isResourcePermission,\n  Permission,\n} from '@backstage/plugin-permission-common';\nimport type {\n  MetadataResponse,\n  MetadataResponseSerializedRule,\n} from '@backstage/plugin-permission-node';\n\nimport type {\n  PluginPermissionMetaData,\n  PolicyDetails,\n} from '@backstage-community/plugin-rbac-common';\nimport type { PluginIdProvider } from '@backstage-community/plugin-rbac-node';\n\ntype PluginMetadataResponse = {\n  pluginId: string;\n  metaDataResponse: MetadataResponse;\n};\n\nexport type PluginMetadataResponseSerializedRule = {\n  pluginId: string;\n  rules: MetadataResponseSerializedRule[];\n};\n\nexport class PluginPermissionMetadataCollector {\n  private readonly pluginIds: string[];\n  private readonly discovery: DiscoveryService;\n  private readonly logger: LoggerService;\n  private readonly urlReader: UrlReaderService;\n\n  constructor({\n    deps,\n    optional,\n  }: {\n    deps: {\n      discovery: DiscoveryService;\n      pluginIdProvider: PluginIdProvider;\n      logger: LoggerService;\n      config: Config;\n    };\n    optional?: {\n      urlReader?: UrlReaderService;\n    };\n  }) {\n    const { discovery, pluginIdProvider, logger, config } = deps;\n    this.pluginIds = pluginIdProvider.getPluginIds();\n    this.discovery = discovery;\n    this.logger = logger;\n    this.urlReader =\n      optional?.urlReader ??\n      UrlReaders.default({\n        config,\n        logger,\n        factories: [PluginPermissionMetadataCollector.permissionFactory],\n      });\n  }\n\n  async getPluginConditionRules(\n    auth: AuthService,\n  ): Promise<PluginMetadataResponseSerializedRule[]> {\n    const pluginMetadata = await this.getPluginMetaData(auth);\n\n    return pluginMetadata\n      .filter(metadata => metadata.metaDataResponse.rules.length > 0)\n      .map(metadata => {\n        return {\n          pluginId: metadata.pluginId,\n          rules: metadata.metaDataResponse.rules,\n        };\n      });\n  }\n\n  async getPluginPolicies(\n    auth: AuthService,\n  ): Promise<PluginPermissionMetaData[]> {\n    const pluginMetadata = await this.getPluginMetaData(auth);\n\n    return pluginMetadata\n      .filter(metadata => metadata.metaDataResponse.permissions !== undefined)\n      .map(metadata => {\n        return {\n          pluginId: metadata.pluginId,\n          policies: permissionsToCasbinPolicies(\n            metadata.metaDataResponse.permissions!,\n          ),\n        };\n      });\n  }\n\n  private static permissionFactory: ReaderFactory = () => {\n    return [{ reader: new FetchUrlReader(), predicate: (_url: URL) => true }];\n  };\n\n  private async getPluginMetaData(\n    auth: AuthService,\n  ): Promise<PluginMetadataResponse[]> {\n    let pluginResponses: PluginMetadataResponse[] = [];\n\n    for (const pluginId of this.pluginIds) {\n      try {\n        const { token } = await auth.getPluginRequestToken({\n          onBehalfOf: await auth.getOwnServiceCredentials(),\n          targetPluginId: pluginId,\n        });\n\n        const permMetaData = await this.getMetadataByPluginId(pluginId, token);\n        if (permMetaData) {\n          pluginResponses = [\n            ...pluginResponses,\n            {\n              metaDataResponse: permMetaData,\n              pluginId,\n            },\n          ];\n        }\n      } catch (error) {\n        this.logger.error(\n          `Failed to retrieve permission metadata for ${pluginId}. ${error}`,\n        );\n      }\n    }\n\n    return pluginResponses;\n  }\n\n  async getMetadataByPluginId(\n    pluginId: string,\n    token: string | undefined,\n  ): Promise<MetadataResponse | undefined> {\n    let permMetaData: MetadataResponse | undefined;\n    try {\n      const baseEndpoint = await this.discovery.getBaseUrl(pluginId);\n      const wellKnownURL = `${baseEndpoint}/.well-known/backstage/permissions/metadata`;\n\n      const permResp = await this.urlReader.readUrl(wellKnownURL, { token });\n      const permMetaDataRaw = (await permResp.buffer()).toString();\n\n      try {\n        permMetaData = JSON.parse(permMetaDataRaw);\n      } catch (err) {\n        // workaround for https://issues.redhat.com/browse/RHIDP-1456\n        return undefined;\n      }\n    } catch (err) {\n      if (isError(err) && err.name === 'NotFoundError') {\n        this.logger.warn(\n          `No permission metadata found for ${pluginId}. ${err}`,\n        );\n        return undefined;\n      }\n      this.logger.error(\n        `Failed to retrieve permission metadata for ${pluginId}. ${err}`,\n      );\n    }\n    return permMetaData;\n  }\n}\n\nfunction permissionsToCasbinPolicies(\n  permissions: Permission[],\n): PolicyDetails[] {\n  const policies: PolicyDetails[] = [];\n  for (const permission of permissions) {\n    if (isResourcePermission(permission)) {\n      policies.push({\n        resourceType: permission.resourceType,\n        name: permission.name,\n        policy: permission.attributes.action || 'use',\n      });\n    } else {\n      policies.push({\n        name: permission.name,\n        policy: permission.attributes.action || 'use',\n      });\n    }\n  }\n\n  return policies;\n}\n"],"names":["UrlReaders","FetchUrlReader","isError","isResourcePermission"],"mappings":";;;;;;AAqDO,MAAM,iCAAkC,CAAA;AAAA,EAC5B,SAAA,CAAA;AAAA,EACA,SAAA,CAAA;AAAA,EACA,MAAA,CAAA;AAAA,EACA,SAAA,CAAA;AAAA,EAEjB,WAAY,CAAA;AAAA,IACV,IAAA;AAAA,IACA,QAAA;AAAA,GAWC,EAAA;AACD,IAAA,MAAM,EAAE,SAAA,EAAW,gBAAkB,EAAA,MAAA,EAAQ,QAAW,GAAA,IAAA,CAAA;AACxD,IAAK,IAAA,CAAA,SAAA,GAAY,iBAAiB,YAAa,EAAA,CAAA;AAC/C,IAAA,IAAA,CAAK,SAAY,GAAA,SAAA,CAAA;AACjB,IAAA,IAAA,CAAK,MAAS,GAAA,MAAA,CAAA;AACd,IAAA,IAAA,CAAK,SACH,GAAA,QAAA,EAAU,SACV,IAAAA,oBAAA,CAAW,OAAQ,CAAA;AAAA,MACjB,MAAA;AAAA,MACA,MAAA;AAAA,MACA,SAAA,EAAW,CAAC,iCAAA,CAAkC,iBAAiB,CAAA;AAAA,KAChE,CAAA,CAAA;AAAA,GACL;AAAA,EAEA,MAAM,wBACJ,IACiD,EAAA;AACjD,IAAA,MAAM,cAAiB,GAAA,MAAM,IAAK,CAAA,iBAAA,CAAkB,IAAI,CAAA,CAAA;AAExD,IAAO,OAAA,cAAA,CACJ,MAAO,CAAA,CAAA,QAAA,KAAY,QAAS,CAAA,gBAAA,CAAiB,MAAM,MAAS,GAAA,CAAC,CAC7D,CAAA,GAAA,CAAI,CAAY,QAAA,KAAA;AACf,MAAO,OAAA;AAAA,QACL,UAAU,QAAS,CAAA,QAAA;AAAA,QACnB,KAAA,EAAO,SAAS,gBAAiB,CAAA,KAAA;AAAA,OACnC,CAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACL;AAAA,EAEA,MAAM,kBACJ,IACqC,EAAA;AACrC,IAAA,MAAM,cAAiB,GAAA,MAAM,IAAK,CAAA,iBAAA,CAAkB,IAAI,CAAA,CAAA;AAExD,IAAO,OAAA,cAAA,CACJ,OAAO,CAAY,QAAA,KAAA,QAAA,CAAS,iBAAiB,WAAgB,KAAA,KAAA,CAAS,CACtE,CAAA,GAAA,CAAI,CAAY,QAAA,KAAA;AACf,MAAO,OAAA;AAAA,QACL,UAAU,QAAS,CAAA,QAAA;AAAA,QACnB,QAAU,EAAA,2BAAA;AAAA,UACR,SAAS,gBAAiB,CAAA,WAAA;AAAA,SAC5B;AAAA,OACF,CAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACL;AAAA,EAEA,OAAe,oBAAmC,MAAM;AACtD,IAAO,OAAA,CAAC,EAAE,MAAA,EAAQ,IAAIC,wBAAA,IAAkB,SAAW,EAAA,CAAC,IAAc,KAAA,IAAA,EAAM,CAAA,CAAA;AAAA,GAC1E,CAAA;AAAA,EAEA,MAAc,kBACZ,IACmC,EAAA;AACnC,IAAA,IAAI,kBAA4C,EAAC,CAAA;AAEjD,IAAW,KAAA,MAAA,QAAA,IAAY,KAAK,SAAW,EAAA;AACrC,MAAI,IAAA;AACF,QAAA,MAAM,EAAE,KAAA,EAAU,GAAA,MAAM,KAAK,qBAAsB,CAAA;AAAA,UACjD,UAAA,EAAY,MAAM,IAAA,CAAK,wBAAyB,EAAA;AAAA,UAChD,cAAgB,EAAA,QAAA;AAAA,SACjB,CAAA,CAAA;AAED,QAAA,MAAM,YAAe,GAAA,MAAM,IAAK,CAAA,qBAAA,CAAsB,UAAU,KAAK,CAAA,CAAA;AACrE,QAAA,IAAI,YAAc,EAAA;AAChB,UAAkB,eAAA,GAAA;AAAA,YAChB,GAAG,eAAA;AAAA,YACH;AAAA,cACE,gBAAkB,EAAA,YAAA;AAAA,cAClB,QAAA;AAAA,aACF;AAAA,WACF,CAAA;AAAA,SACF;AAAA,eACO,KAAO,EAAA;AACd,QAAA,IAAA,CAAK,MAAO,CAAA,KAAA;AAAA,UACV,CAAA,2CAAA,EAA8C,QAAQ,CAAA,EAAA,EAAK,KAAK,CAAA,CAAA;AAAA,SAClE,CAAA;AAAA,OACF;AAAA,KACF;AAEA,IAAO,OAAA,eAAA,CAAA;AAAA,GACT;AAAA,EAEA,MAAM,qBACJ,CAAA,QAAA,EACA,KACuC,EAAA;AACvC,IAAI,IAAA,YAAA,CAAA;AACJ,IAAI,IAAA;AACF,MAAA,MAAM,YAAe,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,QAAQ,CAAA,CAAA;AAC7D,MAAM,MAAA,YAAA,GAAe,GAAG,YAAY,CAAA,2CAAA,CAAA,CAAA;AAEpC,MAAM,MAAA,QAAA,GAAW,MAAM,IAAK,CAAA,SAAA,CAAU,QAAQ,YAAc,EAAA,EAAE,OAAO,CAAA,CAAA;AACrE,MAAA,MAAM,eAAmB,GAAA,CAAA,MAAM,QAAS,CAAA,MAAA,IAAU,QAAS,EAAA,CAAA;AAE3D,MAAI,IAAA;AACF,QAAe,YAAA,GAAA,IAAA,CAAK,MAAM,eAAe,CAAA,CAAA;AAAA,eAClC,GAAK,EAAA;AAEZ,QAAO,OAAA,KAAA,CAAA,CAAA;AAAA,OACT;AAAA,aACO,GAAK,EAAA;AACZ,MAAA,IAAIC,cAAQ,CAAA,GAAG,CAAK,IAAA,GAAA,CAAI,SAAS,eAAiB,EAAA;AAChD,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,CAAA,iCAAA,EAAoC,QAAQ,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA;AAAA,SACtD,CAAA;AACA,QAAO,OAAA,KAAA,CAAA,CAAA;AAAA,OACT;AACA,MAAA,IAAA,CAAK,MAAO,CAAA,KAAA;AAAA,QACV,CAAA,2CAAA,EAA8C,QAAQ,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA;AAAA,OAChE,CAAA;AAAA,KACF;AACA,IAAO,OAAA,YAAA,CAAA;AAAA,GACT;AACF,CAAA;AAEA,SAAS,4BACP,WACiB,EAAA;AACjB,EAAA,MAAM,WAA4B,EAAC,CAAA;AACnC,EAAA,KAAA,MAAW,cAAc,WAAa,EAAA;AACpC,IAAI,IAAAC,2CAAA,CAAqB,UAAU,CAAG,EAAA;AACpC,MAAA,QAAA,CAAS,IAAK,CAAA;AAAA,QACZ,cAAc,UAAW,CAAA,YAAA;AAAA,QACzB,MAAM,UAAW,CAAA,IAAA;AAAA,QACjB,MAAA,EAAQ,UAAW,CAAA,UAAA,CAAW,MAAU,IAAA,KAAA;AAAA,OACzC,CAAA,CAAA;AAAA,KACI,MAAA;AACL,MAAA,QAAA,CAAS,IAAK,CAAA;AAAA,QACZ,MAAM,UAAW,CAAA,IAAA;AAAA,QACjB,MAAA,EAAQ,UAAW,CAAA,UAAA,CAAW,MAAU,IAAA,KAAA;AAAA,OACzC,CAAA,CAAA;AAAA,KACH;AAAA,GACF;AAEA,EAAO,OAAA,QAAA,CAAA;AACT;;;;"}