@backstage-community/plugin-rbac-backend 6.2.5 → 6.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/CHANGELOG.md +20 -0
  2. package/README.md +41 -3
  3. package/dist/auditor/auditor.cjs.js +5 -0
  4. package/dist/auditor/auditor.cjs.js.map +1 -1
  5. package/dist/auditor/rest-interceptor.cjs.js +5 -0
  6. package/dist/auditor/rest-interceptor.cjs.js.map +1 -1
  7. package/dist/database/extra-permission-enabled-plugins-storage.cjs.js +21 -0
  8. package/dist/database/extra-permission-enabled-plugins-storage.cjs.js.map +1 -0
  9. package/dist/index.d.ts +5 -1
  10. package/dist/permissions/conditions.cjs.js +6 -5
  11. package/dist/permissions/conditions.cjs.js.map +1 -1
  12. package/dist/permissions/resource.cjs.js +12 -0
  13. package/dist/permissions/resource.cjs.js.map +1 -0
  14. package/dist/permissions/rules.cjs.js +3 -4
  15. package/dist/permissions/rules.cjs.js.map +1 -1
  16. package/dist/plugin.cjs.js +6 -3
  17. package/dist/plugin.cjs.js.map +1 -1
  18. package/dist/service/extendable-id-provider.cjs.js +32 -0
  19. package/dist/service/extendable-id-provider.cjs.js.map +1 -0
  20. package/dist/service/permission-definition-routes.cjs.js +104 -0
  21. package/dist/service/permission-definition-routes.cjs.js.map +1 -0
  22. package/dist/service/plugin-endpoints.cjs.js +5 -4
  23. package/dist/service/plugin-endpoints.cjs.js.map +1 -1
  24. package/dist/service/policies-rest-api.cjs.js +131 -125
  25. package/dist/service/policies-rest-api.cjs.js.map +1 -1
  26. package/dist/service/policy-builder.cjs.js +31 -15
  27. package/dist/service/policy-builder.cjs.js.map +1 -1
  28. package/dist/validation/plugin-validation.cjs.js +15 -0
  29. package/dist/validation/plugin-validation.cjs.js.map +1 -0
  30. package/migrations/20250509110032_migrations.js +29 -0
  31. package/package.json +4 -4
package/dist/service/policies-rest-api.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"policies-rest-api.cjs.js","sources":["../../src/service/policies-rest-api.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type {\n AuditorService,\n BackstageCredentials,\n BackstageServicePrincipal,\n BackstageUserPrincipal,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport {\n ConflictError,\n InputError,\n NotAllowedError,\n NotFoundError,\n} from '@backstage/errors';\nimport { createRouter } from '@backstage/plugin-permission-backend';\nimport {\n AuthorizeResult,\n BasicPermission,\n PolicyDecision,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\nimport { createPermissionIntegrationRouter } from '@backstage/plugin-permission-node';\n\nimport express from 'express';\nimport type { Request } from 'express-serve-static-core';\nimport { isEmpty, isEqual } from 'lodash';\nimport type { ParsedQs } from 'qs';\n\nimport {\n PermissionAction,\n policyEntityCreatePermission,\n policyEntityDeletePermission,\n policyEntityPermissions,\n policyEntityReadPermission,\n policyEntityUpdatePermission,\n RESOURCE_TYPE_POLICY_ENTITY,\n Role,\n RoleBasedPolicy,\n RoleConditionalPolicyDecision,\n} from '@backstage-community/plugin-rbac-common';\nimport type { RBACProvider } from '@backstage-community/plugin-rbac-node';\n\nimport { setAuditorError, logAuditorEvent } from '../auditor/rest-interceptor';\nimport { ConditionalStorage } from '../database/conditional-storage';\nimport {\n daoToMetadata,\n RoleMetadataDao,\n RoleMetadataStorage,\n} from '../database/role-metadata';\nimport {\n buildRoleSourceMap,\n deepSortedEqual,\n isPermissionAction,\n policyToString,\n processConditionMapping,\n matches,\n} from '../helper';\nimport { validateRoleCondition } from '../validation/condition-validation';\nimport {\n validateEntityReference,\n validatePolicy,\n validateRole,\n validateSource,\n} from '../validation/policies-validation';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { RBACRouterOptions } from './policy-builder';\nimport { RBACFilters, rules, transformConditions } from '../permissions';\n\nexport class PoliciesServer {\n constructor(\n private readonly permissions: PermissionsService,\n private readonly options: RBACRouterOptions,\n private readonly enforcer: EnforcerDelegate,\n private readonly conditionalStorage: ConditionalStorage,\n private readonly pluginPermMetaData: PluginPermissionMetadataCollector,\n private readonly roleMetadata: RoleMetadataStorage,\n private readonly auditor: AuditorService,\n private readonly rbacProviders?: RBACProvider[],\n ) {}\n\n private async authorizeConditional(\n request: Request,\n permission: ResourcePermission<'policy-entity'> | BasicPermission,\n ): Promise<{\n decision: PolicyDecision;\n credentials: BackstageCredentials<\n BackstageUserPrincipal | BackstageServicePrincipal\n >;\n }> {\n const credentials = await this.options.httpAuth.credentials(request, {\n allow: ['user', 'service'],\n });\n\n // allow service to service communication, but only with read permission\n if (\n this.options.auth.isPrincipal(credentials, 'service') &&\n permission !== policyEntityReadPermission\n ) {\n throw new NotAllowedError(\n `Only credential principal with type 'user' permitted to modify permissions`,\n );\n }\n\n let decision: PolicyDecision;\n if (permission.type === 'resource') {\n decision = (\n await this.permissions.authorizeConditional([{ permission }], {\n credentials,\n })\n )[0];\n } else {\n decision = (\n await this.permissions.authorize([{ permission }], {\n credentials,\n })\n )[0];\n }\n\n if (decision.result === AuthorizeResult.DENY) {\n throw new NotAllowedError(); // 403\n }\n\n return { decision, credentials };\n }\n\n async serve(): Promise<express.Router> {\n const router = await createRouter(this.options);\n\n const { logger } = this.options;\n\n const policyPermissionsIntegrationRouter =\n createPermissionIntegrationRouter({\n resourceType: RESOURCE_TYPE_POLICY_ENTITY,\n getResources: resourceRefs =>\n Promise.all(\n resourceRefs.map(ref => {\n return this.roleMetadata.findRoleMetadata(ref);\n }),\n ),\n permissions: policyEntityPermissions,\n rules: Object.values(rules),\n });\n\n router.use(policyPermissionsIntegrationRouter);\n\n const isPluginEnabled =\n this.options.config.getOptionalBoolean('permission.enabled');\n if (!isPluginEnabled) {\n return router;\n }\n\n router.get('/', async (request, response) => {\n await this.authorizeConditional(request, policyEntityReadPermission);\n\n response.send({ status: 'Authorized' });\n });\n\n // Policy CRUD\n\n router.get(\n '/policies',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityReadPermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n let policies: string[][] = [];\n if (this.isPolicyFilterEnabled(request)) {\n const entityRef = this.getFirstQuery(request.query.entityRef);\n const permission = this.getFirstQuery(request.query.permission);\n const policy = this.getFirstQuery(request.query.policy);\n const effect = this.getFirstQuery(request.query.effect);\n\n const matchedRoleName = roleMetadata.flatMap(\n role => role.roleEntityRef,\n );\n\n const filter: string[] = [entityRef, permission, policy, effect];\n policies = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, ...filter)\n : [];\n } else {\n for (const role of roleMetadata) {\n policies.push(\n ...(await this.enforcer.getFilteredPolicy(\n 0,\n ...[role.roleEntityRef],\n )),\n );\n }\n }\n\n const body = await this.transformPolicyArray(...policies);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(policy => {\n if (\n policy.permission === 'policy-entity' &&\n policy.policy === 'create'\n ) {\n policy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[policy.entityReference, 'policy-entity', policy.policy, policy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${policy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n },\n );\n\n router.get(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityReadPermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const entityRef = this.getEntityReference(request);\n\n const policy = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, entityRef)\n : [];\n if (policy.length !== 0) {\n const body = await this.transformPolicyArray(...policy);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(bodyPolicy => {\n if (\n bodyPolicy.permission === 'policy-entity' &&\n bodyPolicy.policy === 'create'\n ) {\n bodyPolicy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[bodyPolicy.entityReference, 'policy-entity', bodyPolicy.policy, bodyPolicy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${bodyPolicy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.delete(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityDeletePermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n policyRaw.forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n true,\n undefined,\n conditionsFilter,\n );\n\n await this.enforcer.removePolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.post(\n '/policies',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n await this.authorizeConditional(request, policyEntityCreatePermission);\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n false,\n undefined,\n );\n\n const entityRef = processedPolicies[0][0];\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.addPolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityUpdatePermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const oldPolicyRaw: RoleBasedPolicy[] = request.body.oldPolicy;\n if (isEmpty(oldPolicyRaw)) {\n throw new InputError(`'oldPolicy' object must be present`); // 400\n }\n const newPolicyRaw: RoleBasedPolicy[] = request.body.newPolicy;\n if (isEmpty(newPolicyRaw)) {\n throw new InputError(`'newPolicy' object must be present`); // 400\n }\n\n [...oldPolicyRaw, ...newPolicyRaw].forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedOldPolicy = await this.processPolicies(\n oldPolicyRaw,\n true,\n 'old policy',\n conditionsFilter,\n );\n\n oldPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n newPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n if (\n isEqual(oldPolicyRaw, newPolicyRaw) &&\n !oldPolicyRaw.some(isEmpty)\n ) {\n response.status(204).end();\n } else if (oldPolicyRaw.length > newPolicyRaw.length) {\n throw new InputError(\n `'oldPolicy' object has more permission policies compared to 'newPolicy' object`,\n );\n }\n\n const processedNewPolicy = await this.processPolicies(\n newPolicyRaw,\n false,\n 'new policy',\n conditionsFilter,\n );\n\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.updatePolicies(\n processedOldPolicy,\n processedNewPolicy,\n );\n\n response.locals.meta = { policies: processedNewPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n // Role CRUD\n\n router.get(\n '/roles',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityReadPermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roles = await this.enforcer.getGroupingPolicy();\n const body = await this.transformRoleArray(conditionsFilter, ...roles);\n\n response.json(body);\n },\n );\n\n router.get(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityReadPermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const role = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n\n const body = await this.transformRoleArray(conditionsFilter, ...role);\n if (body.length !== 0) {\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.post(\n '/roles',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n const { credentials } = await this.authorizeConditional(\n request,\n policyEntityCreatePermission,\n );\n\n const roleRaw: Role = request.body;\n let err = validateRole(roleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid role definition. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(roleRaw);\n\n const rMetadata = await this.roleMetadata.findRoleMetadata(\n roleRaw.name,\n );\n\n err = await validateSource('rest', rMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to add role: ${err.message}`);\n }\n\n const roles = this.transformRoleToArray(roleRaw);\n\n for (const role of roles) {\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n throw new ConflictError(); // 409\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef: roleRaw.name,\n source: 'rest',\n description: roleRaw.metadata?.description ?? '',\n author: modifiedBy,\n modifiedBy,\n owner: roleRaw.metadata?.owner ?? modifiedBy,\n };\n\n await this.enforcer.addGroupingPolicies(roles, metadata);\n\n response.locals.meta = { ...metadata, members: roles.map(gp => gp[0]) }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await this.authorizeConditional(\n request,\n policyEntityUpdatePermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const oldRoleRaw: Role = request.body.oldRole;\n\n if (!oldRoleRaw) {\n throw new InputError(`'oldRole' object must be present`); // 400\n }\n const newRoleRaw: Role = request.body.newRole;\n if (!newRoleRaw) {\n throw new InputError(`'newRole' object must be present`); // 400\n }\n\n oldRoleRaw.name = roleEntityRef;\n let err = validateRole(oldRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid old role object. Cause: ${err.message}`,\n );\n }\n err = validateRole(newRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid new role object. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(oldRoleRaw);\n this.transformMemberReferencesToLowercase(newRoleRaw);\n\n const oldRole = this.transformRoleToArray(oldRoleRaw);\n const newRole = this.transformRoleToArray(newRoleRaw);\n // todo shell we allow newRole with an empty array?...\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const newMetadata: RoleMetadataDao = {\n ...newRoleRaw.metadata,\n source: newRoleRaw.metadata?.source ?? 'rest',\n roleEntityRef: newRoleRaw.name,\n modifiedBy,\n owner: newRoleRaw.metadata?.owner ?? '',\n };\n\n const oldMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n if (!oldMetadata) {\n throw new NotFoundError(\n `Unable to find metadata for ${roleEntityRef}`,\n );\n }\n\n err = await validateSource('rest', oldMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to edit role: ${err.message}`);\n }\n\n if (!matches(oldMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n if (\n isEqual(oldRole, newRole) &&\n deepSortedEqual(oldMetadata, newMetadata, [\n 'author',\n 'modifiedBy',\n 'createdAt',\n 'lastModified',\n 'owner',\n ])\n ) {\n // no content: old role and new role are equal and their metadata too\n response.status(204).end();\n return;\n }\n\n for (const role of newRole) {\n const hasRole = oldRole.some(element => {\n return isEqual(element, role);\n });\n // if the role is already part of old role and is a grouping policy we want to skip returning a conflict error\n // to allow for other roles to be checked and added\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n if (!hasRole) {\n throw new ConflictError(); // 409\n }\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n uniqueItems.clear();\n for (const role of oldRole) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(\n `Member reference: ${role[0]} was not found for role ${roleEntityRef}`,\n ); // 404\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n await this.enforcer.updateGroupingPolicies(\n oldRole,\n newRole,\n newMetadata,\n );\n\n let message = `Updated ${oldMetadata.roleEntityRef}.`;\n if (newMetadata.roleEntityRef !== oldMetadata.roleEntityRef) {\n message = `${message}. Role entity reference renamed to ${newMetadata.roleEntityRef}`;\n }\n response.locals.meta = {\n ...newMetadata,\n members: newRole.map(gp => gp[0]),\n }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.delete(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await this.authorizeConditional(\n request,\n policyEntityDeletePermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const currentMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n\n if (!matches(currentMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n const err = await validateSource('rest', currentMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to delete role: ${err.message}`);\n }\n\n let roleMembers = [];\n if (request.query.memberReferences) {\n const memberReference = this.getFirstQuery(\n request.query.memberReferences!,\n ).toLocaleLowerCase('en-US');\n const gp = await this.enforcer.getFilteredGroupingPolicy(\n 0,\n memberReference,\n roleEntityRef,\n );\n if (gp.length > 0) {\n roleMembers.push(gp[0]);\n } else {\n throw new NotFoundError(\n `role member '${memberReference}' was not found`,\n ); // 404\n }\n } else {\n roleMembers = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n }\n\n for (const role of roleMembers) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(`role member '${role[0]}' was not found`);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef,\n source: 'rest',\n modifiedBy,\n };\n\n await this.enforcer.removeGroupingPolicies(\n roleMembers,\n metadata,\n false,\n );\n\n response.locals.meta = {\n ...metadata,\n members: roleMembers.map(gp => gp[0]),\n }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.get(\n '/plugins/policies',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n await this.authorizeConditional(request, policyEntityReadPermission);\n\n const body = await this.pluginPermMetaData.getPluginPolicies(\n this.options.auth,\n );\n\n response.json(body);\n },\n );\n\n router.get(\n '/plugins/condition-rules',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n await this.authorizeConditional(request, policyEntityReadPermission);\n\n const body = await this.pluginPermMetaData.getPluginConditionRules(\n this.options.auth,\n );\n\n response.json(body);\n },\n );\n\n router.get(\n '/roles/conditions',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityReadPermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const conditions = await this.conditionalStorage.filterConditions(\n this.getFirstQuery(request.query.roleEntityRef),\n this.getFirstQuery(request.query.pluginId),\n this.getFirstQuery(request.query.resourceType),\n this.getActionQueries(request.query.actions),\n );\n\n const body: RoleConditionalPolicyDecision<PermissionAction>[] =\n conditions\n .map(condition => {\n return {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n };\n })\n .filter(condition => {\n return matchedRoleName.includes(condition.roleEntityRef);\n });\n\n response.json(body);\n },\n );\n\n router.post(\n '/roles/conditions',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n await this.authorizeConditional(request, policyEntityCreatePermission);\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToCreate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n this.options.auth,\n );\n\n const id =\n await this.conditionalStorage.createCondition(conditionToCreate);\n\n const body = { id: id };\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(201).json(body);\n },\n );\n\n router.get(\n '/roles/conditions/:id',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityReadPermission,\n );\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError();\n }\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const body: RoleConditionalPolicyDecision<PermissionAction> | [] =\n matchedRoleName.includes(condition.roleEntityRef)\n ? {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n }\n : [];\n\n response.json(body);\n },\n );\n\n router.delete(\n '/roles/conditions/:id',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityDeletePermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n const conditionToDelete: RoleConditionalPolicyDecision<PermissionAction> =\n {\n ...condition,\n permissionMapping: condition.permissionMapping.map(pm => pm.action),\n };\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n conditionToDelete.roleEntityRef,\n );\n\n if (!matches(roleMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n await this.conditionalStorage.deleteCondition(id);\n response.locals.meta = { condition: conditionToDelete }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.put(\n '/roles/conditions/:id',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await this.authorizeConditional(\n request,\n policyEntityUpdatePermission,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n condition.roleEntityRef,\n );\n\n if (!matches(roleMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToUpdate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n this.options.auth,\n );\n\n await this.conditionalStorage.updateCondition(id, conditionToUpdate);\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.post(\n '/refresh/:id',\n logAuditorEvent(this.auditor),\n async (request, response) => {\n await this.authorizeConditional(request, policyEntityCreatePermission);\n\n if (!this.rbacProviders) {\n throw new NotFoundError(`No RBAC providers were found`);\n }\n\n const idProvider = this.rbacProviders.find(provider => {\n const id = provider.getProviderName();\n return id === request.params.id;\n });\n\n if (!idProvider) {\n throw new NotFoundError(\n `The RBAC provider ${request.params.id} was not found`,\n );\n }\n\n await idProvider.refresh();\n response.status(200).end();\n },\n );\n\n router.use(setAuditorError());\n\n return router;\n }\n\n getEntityReference(request: Request, role?: boolean): string {\n const kind = request.params.kind;\n const namespace = request.params.namespace;\n const name = request.params.name;\n const entityRef = `${kind}:${namespace}/${name}`;\n\n const err = validateEntityReference(entityRef, role);\n if (err) {\n throw new InputError(err.message);\n }\n\n return entityRef;\n }\n\n async transformPolicyArray(\n ...policies: string[][]\n ): Promise<RoleBasedPolicy[]> {\n const roleToSourceMap = await buildRoleSourceMap(\n policies,\n this.roleMetadata,\n );\n\n const roleBasedPolices: RoleBasedPolicy[] = [];\n for (const p of policies) {\n const [entityReference, permission, policy, effect] = p;\n roleBasedPolices.push({\n entityReference,\n permission,\n policy,\n effect,\n metadata: { source: roleToSourceMap.get(entityReference)! },\n });\n }\n\n return roleBasedPolices;\n }\n\n async transformRoleArray(\n filter?: RBACFilters,\n ...roles: string[][]\n ): Promise<Role[]> {\n const combinedRoles: { [key: string]: string[] } = {};\n\n roles.forEach(([value, role]) => {\n if (combinedRoles.hasOwnProperty(role)) {\n combinedRoles[role].push(value);\n } else {\n combinedRoles[role] = [value];\n }\n });\n\n const result: Role[] = await Promise.all(\n Object.entries(combinedRoles).flatMap(async ([role, value]) => {\n const metadataDao = await this.roleMetadata.findRoleMetadata(role);\n const metadata = metadataDao ? daoToMetadata(metadataDao) : undefined;\n return Promise.resolve({\n memberReferences: value,\n name: role,\n metadata,\n });\n }),\n );\n\n const filteredResult = result.filter(role => {\n return role.metadata && matches(role.metadata, filter);\n });\n\n return filteredResult;\n }\n\n transformPolicyToArray(policy: RoleBasedPolicy): string[] {\n return [\n policy.entityReference!,\n policy.permission!,\n policy.policy!,\n policy.effect!,\n ];\n }\n\n transformRoleToArray(role: Role): string[][] {\n const roles: string[][] = [];\n for (const entity of role.memberReferences) {\n roles.push([entity, role.name]);\n }\n return roles;\n }\n\n transformMemberReferencesToLowercase(role: Role) {\n role.memberReferences = role.memberReferences.map(member =>\n member.toLocaleLowerCase('en-US'),\n );\n }\n\n getActionQueries(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): PermissionAction[] | undefined {\n if (!queryValue) {\n return undefined;\n }\n if (Array.isArray(queryValue)) {\n const permissionNames: PermissionAction[] = [];\n for (const permissionQuery of queryValue) {\n if (\n typeof permissionQuery === 'string' &&\n isPermissionAction(permissionQuery)\n ) {\n permissionNames.push(permissionQuery);\n } else {\n throw new InputError(\n `Invalid permission action query value: ${permissionQuery}. Permission name should be string.`,\n );\n }\n }\n return permissionNames;\n }\n\n if (typeof queryValue === 'string' && isPermissionAction(queryValue)) {\n return [queryValue];\n }\n throw new InputError(\n `Invalid permission action query value: ${queryValue}. Permission name should be string.`,\n );\n }\n\n getFirstQuery(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): string {\n if (!queryValue) {\n return '';\n }\n if (Array.isArray(queryValue)) {\n if (typeof queryValue[0] === 'string') {\n return queryValue[0].toString();\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n if (typeof queryValue === 'string') {\n return queryValue;\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n isPolicyFilterEnabled(request: Request): boolean {\n return (\n !!request.query.entityRef ||\n !!request.query.permission ||\n !!request.query.policy ||\n !!request.query.effect\n );\n }\n\n async processPolicies(\n policyArray: RoleBasedPolicy[],\n isOld?: boolean,\n errorMessage?: string,\n filter?: RBACFilters,\n ): Promise<string[][]> {\n const policies: string[][] = [];\n const uniqueItems = new Set<string>();\n for (const policy of policyArray) {\n let err = validatePolicy(policy);\n if (err) {\n throw new InputError(\n `Invalid ${errorMessage ?? 'policy'} definition. Cause: ${\n err.message\n }`,\n ); // 400\n }\n\n const metadata = await this.roleMetadata.findRoleMetadata(\n policy.entityReference!,\n );\n\n if (!matches(metadata, filter)) {\n throw new NotAllowedError(); // 403\n }\n\n let action = errorMessage ? 'edit' : 'delete';\n action = isOld ? action : 'add';\n\n err = await validateSource('rest', metadata);\n if (err) {\n throw new NotAllowedError(\n `Unable to ${action} policy ${policy.entityReference},${policy.permission},${policy.policy},${policy.effect}: ${err.message}`,\n );\n }\n\n const transformedPolicy = this.transformPolicyToArray(policy);\n if (isOld && !(await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new NotFoundError(\n `Policy '${policyToString(transformedPolicy)}' not found`,\n ); // 404\n }\n\n if (!isOld && (await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new ConflictError(\n `Policy '${policyToString(\n transformedPolicy,\n )}' has been already stored`,\n ); // 409\n }\n\n // We want to ensure that there are not duplicate permission policies\n const rowString = JSON.stringify(transformedPolicy);\n if (uniqueItems.has(rowString)) {\n throw new ConflictError(\n `Duplicate polices found; ${policy.entityReference}, ${policy.permission}, ${policy.policy}, ${policy.effect} is a duplicate`,\n );\n } else {\n uniqueItems.add(rowString);\n policies.push(transformedPolicy);\n }\n }\n return policies;\n }\n\n nameSort(nameA: string, nameB: string): number {\n if (nameA.toLocaleUpperCase('en-US') < nameB.toLocaleUpperCase('en-US')) {\n return -1;\n }\n if (nameA.toLocaleUpperCase('en-US') > nameB.toLocaleUpperCase('en-US')) {\n return 1;\n }\n return 0;\n }\n}\n"],"names":["policyEntityReadPermission","NotAllowedError","AuthorizeResult","createRouter","createPermissionIntegrationRouter","RESOURCE_TYPE_POLICY_ENTITY","policyEntityPermissions","rules","logAuditorEvent","transformConditions","NotFoundError","policyEntityDeletePermission","isEmpty","InputError","policyEntityCreatePermission","policyEntityUpdatePermission","isEqual","validateRole","validateSource","ConflictError","matches","deepSortedEqual","conditions","validateRoleCondition","processConditionMapping","setAuditorError","validateEntityReference","buildRoleSourceMap","daoToMetadata","isPermissionAction","validatePolicy","policyToString"],"mappings":";;;;;;;;;;;;;;;;AAmFO,MAAM,cAAe,CAAA;AAAA,EAC1B,WAAA,CACmB,aACA,OACA,EAAA,QAAA,EACA,oBACA,kBACA,EAAA,YAAA,EACA,SACA,aACjB,EAAA;AARiB,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA;AAChB,EAEH,MAAc,oBACZ,CAAA,OAAA,EACA,UAMC,EAAA;AACD,IAAA,MAAM,cAAc,MAAM,IAAA,CAAK,OAAQ,CAAA,QAAA,CAAS,YAAY,OAAS,EAAA;AAAA,MACnE,KAAA,EAAO,CAAC,MAAA,EAAQ,SAAS;AAAA,KAC1B,CAAA;AAGD,IACE,IAAA,IAAA,CAAK,QAAQ,IAAK,CAAA,WAAA,CAAY,aAAa,SAAS,CAAA,IACpD,eAAeA,2CACf,EAAA;AACA,MAAA,MAAM,IAAIC,sBAAA;AAAA,QACR,CAAA,0EAAA;AAAA,OACF;AAAA;AAGF,IAAI,IAAA,QAAA;AACJ,IAAI,IAAA,UAAA,CAAW,SAAS,UAAY,EAAA;AAClC,MACE,QAAA,GAAA,CAAA,MAAM,KAAK,WAAY,CAAA,oBAAA,CAAqB,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,QAC5D;AAAA,OACD,GACD,CAAC,CAAA;AAAA,KACE,MAAA;AACL,MACE,QAAA,GAAA,CAAA,MAAM,KAAK,WAAY,CAAA,SAAA,CAAU,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,QACjD;AAAA,OACD,GACD,CAAC,CAAA;AAAA;AAGL,IAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,IAAM,EAAA;AAC5C,MAAA,MAAM,IAAID,sBAAgB,EAAA;AAAA;AAG5B,IAAO,OAAA,EAAE,UAAU,WAAY,EAAA;AAAA;AACjC,EAEA,MAAM,KAAiC,GAAA;AACrC,IAAA,MAAM,MAAS,GAAA,MAAME,oCAAa,CAAA,IAAA,CAAK,OAAO,CAAA;AAE9C,IAAM,MAAA,EAAE,MAAO,EAAA,GAAI,IAAK,CAAA,OAAA;AAExB,IAAA,MAAM,qCACJC,sDAAkC,CAAA;AAAA,MAChC,YAAc,EAAAC,4CAAA;AAAA,MACd,YAAA,EAAc,kBACZ,OAAQ,CAAA,GAAA;AAAA,QACN,YAAA,CAAa,IAAI,CAAO,GAAA,KAAA;AACtB,UAAO,OAAA,IAAA,CAAK,YAAa,CAAA,gBAAA,CAAiB,GAAG,CAAA;AAAA,SAC9C;AAAA,OACH;AAAA,MACF,WAAa,EAAAC,wCAAA;AAAA,MACb,KAAA,EAAO,MAAO,CAAA,MAAA,CAAOC,WAAK;AAAA,KAC3B,CAAA;AAEH,IAAA,MAAA,CAAO,IAAI,kCAAkC,CAAA;AAE7C,IAAA,MAAM,eACJ,GAAA,IAAA,CAAK,OAAQ,CAAA,MAAA,CAAO,mBAAmB,oBAAoB,CAAA;AAC7D,IAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,MAAO,OAAA,MAAA;AAAA;AAGT,IAAA,MAAA,CAAO,GAAI,CAAA,GAAA,EAAK,OAAO,OAAA,EAAS,QAAa,KAAA;AAC3C,MAAM,MAAA,IAAA,CAAK,oBAAqB,CAAA,OAAA,EAASP,2CAA0B,CAAA;AAEnE,MAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,YAAA,EAAc,CAAA;AAAA,KACvC,CAAA;AAID,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,WAAA;AAAA,MACAQ,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAR;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAA,IAAI,WAAuB,EAAC;AAC5B,QAAI,IAAA,IAAA,CAAK,qBAAsB,CAAA,OAAO,CAAG,EAAA;AACvC,UAAA,MAAM,SAAY,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,SAAS,CAAA;AAC5D,UAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,UAAU,CAAA;AAC9D,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AACtD,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AAEtD,UAAA,MAAM,kBAAkB,YAAa,CAAA,OAAA;AAAA,YACnC,UAAQ,IAAK,CAAA;AAAA,WACf;AAEA,UAAA,MAAM,MAAmB,GAAA,CAAC,SAAW,EAAA,UAAA,EAAY,QAAQ,MAAM,CAAA;AAC/D,UAAA,QAAA,GAAW,eAAgB,CAAA,QAAA,CAAS,SAAS,CAAA,GACzC,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,CAAG,EAAA,GAAG,MAAM,CAAA,GAClD,EAAC;AAAA,SACA,MAAA;AACL,UAAA,KAAA,MAAW,QAAQ,YAAc,EAAA;AAC/B,YAAS,QAAA,CAAA,IAAA;AAAA,cACP,GAAI,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA;AAAA,gBACtB,CAAA;AAAA,gBACA,GAAG,CAAC,IAAA,CAAK,aAAa;AAAA;AACxB,aACF;AAAA;AACF;AAGF,QAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,QAAQ,CAAA;AAExD,QAAA,IAAA,CAAK,IAAI,CAAU,MAAA,KAAA;AACjB,UAAA,IACE,MAAO,CAAA,UAAA,KAAe,eACtB,IAAA,MAAA,CAAO,WAAW,QAClB,EAAA;AACA,YAAA,MAAA,CAAO,UAAa,GAAA,sBAAA;AACpB,YAAO,MAAA,CAAA,IAAA;AAAA,cACL,CAA8H,2HAAA,EAAA,CAAC,MAAO,CAAA,eAAA,EAAiB,eAAiB,EAAA,MAAA,CAAO,MAAQ,EAAA,MAAA,CAAO,MAAM,CAAC,CAAyE,sEAAA,EAAA,MAAA,CAAO,UAAU,MAAM,CAAA;AAAA,aACvS;AAAA;AACF,SACD,CAAA;AAED,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAD,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAR;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,MAAS,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAS,CAC7C,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,CAAA,EAAG,SAAS,CAAA,GAClD,EAAC;AACL,QAAI,IAAA,MAAA,CAAO,WAAW,CAAG,EAAA;AACvB,UAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA;AAEtD,UAAA,IAAA,CAAK,IAAI,CAAc,UAAA,KAAA;AACrB,YAAA,IACE,UAAW,CAAA,UAAA,KAAe,eAC1B,IAAA,UAAA,CAAW,WAAW,QACtB,EAAA;AACA,cAAA,UAAA,CAAW,UAAa,GAAA,sBAAA;AACxB,cAAO,MAAA,CAAA,IAAA;AAAA,gBACL,CAA8H,2HAAA,EAAA,CAAC,UAAW,CAAA,eAAA,EAAiB,eAAiB,EAAA,UAAA,CAAW,MAAQ,EAAA,UAAA,CAAW,MAAM,CAAC,CAAyE,sEAAA,EAAA,UAAA,CAAW,UAAU,MAAM,CAAA;AAAA,eACvT;AAAA;AACF,WACD,CAAA;AAED,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAIC,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAO,MAAA,CAAA,MAAA;AAAA,MACL,kCAAA;AAAA,MACAF,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAG;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAT,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAC7C,QAAI,IAAAG,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAA,SAAA,CAAU,QAAQ,CAAW,OAAA,KAAA;AAC3B,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,IAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,cAAA,CAAe,iBAAiB,CAAA;AAEpD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,WAAA;AAAA,MACAL,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,IAAA,CAAK,oBAAqB,CAAA,OAAA,EAASM,6CAA4B,CAAA;AAErE,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAE7C,QAAI,IAAAF,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,KAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,SAAY,GAAA,iBAAA,CAAkB,CAAC,CAAA,CAAE,CAAC,CAAA;AACxC,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,WAAA,CAAY,iBAAiB,CAAA;AAEjD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAL,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAO;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAb,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAG,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAE3D,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAD,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAG3D,QAAA,CAAC,GAAG,YAAc,EAAA,GAAG,YAAY,CAAA,CAAE,QAAQ,CAAW,OAAA,KAAA;AACpD,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,IAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QACE,IAAAG,cAAA,CAAQ,cAAc,YAAY,CAAA,IAClC,CAAC,YAAa,CAAA,IAAA,CAAKJ,cAAO,CAC1B,EAAA;AACA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA,SAChB,MAAA,IAAA,YAAA,CAAa,MAAS,GAAA,YAAA,CAAa,MAAQ,EAAA;AACpD,UAAA,MAAM,IAAIC,iBAAA;AAAA,YACR,CAAA,8EAAA;AAAA,WACF;AAAA;AAGF,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAA,MAAM,KAAK,QAAS,CAAA,cAAA;AAAA,UAClB,kBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,kBAAmB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAIA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,QAAA;AAAA,MACAL,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAR;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,EAAA;AACpD,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,KAAK,CAAA;AAErE,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAD,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAR;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,UAC/B,CAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,IAAI,CAAA;AACpE,QAAI,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrB,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAIC,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,QAAA;AAAA,MACAF,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAA,MAAM,EAAE,WAAA,EAAgB,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UACjC,OAAA;AAAA,UACAM;AAAA,SACF;AAEA,QAAA,MAAM,UAAgB,OAAQ,CAAA,IAAA;AAC9B,QAAI,IAAA,GAAA,GAAMG,gCAAa,OAAO,CAAA;AAC9B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,OAAO,CAAA;AAEjD,QAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UACxC,OAAQ,CAAA;AAAA,SACV;AAEA,QAAM,GAAA,GAAA,MAAMK,iCAAe,CAAA,MAAA,EAAQ,SAAS,CAAA;AAC5C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIjB,sBAAA,CAAgB,CAAuB,oBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGhE,QAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,oBAAA,CAAqB,OAAO,CAAA;AAE/C,QAAA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,MAAM,IAAIkB,oBAAc,EAAA;AAAA;AAE1B,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,eAAe,OAAQ,CAAA,IAAA;AAAA,UACvB,MAAQ,EAAA,MAAA;AAAA,UACR,WAAA,EAAa,OAAQ,CAAA,QAAA,EAAU,WAAe,IAAA,EAAA;AAAA,UAC9C,MAAQ,EAAA,UAAA;AAAA,UACR,UAAA;AAAA,UACA,KAAA,EAAO,OAAQ,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACpC;AAEA,QAAA,MAAM,IAAK,CAAA,QAAA,CAAS,mBAAoB,CAAA,KAAA,EAAO,QAAQ,CAAA;AAEvD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,GAAG,QAAU,EAAA,OAAA,EAAS,KAAM,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC,CAAE,EAAA;AAEtE,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAX,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC3C,OAAA;AAAA,UACAO;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAb,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AAEtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAII,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAEzD,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AACtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIA,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAGzD,QAAA,UAAA,CAAW,IAAO,GAAA,aAAA;AAClB,QAAI,IAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AACjC,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AAC7B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AACpD,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AAEpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AACpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AAGpD,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,WAA+B,GAAA;AAAA,UACnC,GAAG,UAAW,CAAA,QAAA;AAAA,UACd,MAAA,EAAQ,UAAW,CAAA,QAAA,EAAU,MAAU,IAAA,MAAA;AAAA,UACvC,eAAe,UAAW,CAAA,IAAA;AAAA,UAC1B,UAAA;AAAA,UACA,KAAA,EAAO,UAAW,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACvC;AAEA,QAAA,MAAM,WACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AACxD,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAA,MAAM,IAAIH,oBAAA;AAAA,YACR,+BAA+B,aAAa,CAAA;AAAA,WAC9C;AAAA;AAGF,QAAM,GAAA,GAAA,MAAMQ,iCAAe,CAAA,MAAA,EAAQ,WAAW,CAAA;AAC9C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIjB,sBAAA,CAAgB,CAAwB,qBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGjE,QAAA,IAAI,CAACmB,cAAA,CAAQ,WAAa,EAAA,gBAAgB,CAAG,EAAA;AAC3C,UAAA,MAAM,IAAInB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,IACEe,eAAQ,OAAS,EAAA,OAAO,CACxB,IAAAK,sBAAA,CAAgB,aAAa,WAAa,EAAA;AAAA,UACxC,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACD,CACD,EAAA;AAEA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AACzB,UAAA;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAM,MAAA,OAAA,GAAU,OAAQ,CAAA,IAAA,CAAK,CAAW,OAAA,KAAA;AACtC,YAAO,OAAAL,cAAA,CAAQ,SAAS,IAAI,CAAA;AAAA,WAC7B,CAAA;AAGD,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,IAAI,CAAC,OAAS,EAAA;AACZ,cAAA,MAAM,IAAIG,oBAAc,EAAA;AAAA;AAC1B;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,WAAA,CAAY,KAAM,EAAA;AAClB,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIT,oBAAA;AAAA,cACR,CAAqB,kBAAA,EAAA,IAAA,CAAK,CAAC,CAAC,2BAA2B,aAAa,CAAA;AAAA,aACtE;AAAA;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIS,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,OAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAI,IAAA,OAAA,GAAU,CAAW,QAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA,CAAA;AAClD,QAAI,IAAA,WAAA,CAAY,aAAkB,KAAA,WAAA,CAAY,aAAe,EAAA;AAC3D,UAAA,OAAA,GAAU,CAAG,EAAA,OAAO,CAAsC,mCAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA;AAAA;AAErF,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,WAAA;AAAA,UACH,SAAS,OAAQ,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SAClC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,MAAA;AAAA,MACL,+BAAA;AAAA,MACAX,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC3C,OAAA;AAAA,UACAG;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAT,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAA,MAAM,eACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AAExD,QAAA,IAAI,CAACW,cAAA,CAAQ,eAAiB,EAAA,gBAAgB,CAAG,EAAA;AAC/C,UAAA,MAAM,IAAInB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,GAAM,GAAA,MAAMiB,iCAAe,CAAA,MAAA,EAAQ,eAAe,CAAA;AACxD,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIjB,sBAAA,CAAgB,CAA0B,uBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGnE,QAAA,IAAI,cAAc,EAAC;AACnB,QAAI,IAAA,OAAA,CAAQ,MAAM,gBAAkB,EAAA;AAClC,UAAA,MAAM,kBAAkB,IAAK,CAAA,aAAA;AAAA,YAC3B,QAAQ,KAAM,CAAA;AAAA,WAChB,CAAE,kBAAkB,OAAO,CAAA;AAC3B,UAAM,MAAA,EAAA,GAAK,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,YAC7B,CAAA;AAAA,YACA,eAAA;AAAA,YACA;AAAA,WACF;AACA,UAAI,IAAA,EAAA,CAAG,SAAS,CAAG,EAAA;AACjB,YAAY,WAAA,CAAA,IAAA,CAAK,EAAG,CAAA,CAAC,CAAC,CAAA;AAAA,WACjB,MAAA;AACL,YAAA,MAAM,IAAIS,oBAAA;AAAA,cACR,gBAAgB,eAAe,CAAA,eAAA;AAAA,aACjC;AAAA;AACF,SACK,MAAA;AACL,UAAc,WAAA,GAAA,MAAM,KAAK,QAAS,CAAA,yBAAA;AAAA,YAChC,CAAA;AAAA,YACA;AAAA,WACF;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,WAAa,EAAA;AAC9B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIA,oBAAc,CAAA,CAAA,aAAA,EAAgB,IAAK,CAAA,CAAC,CAAC,CAAiB,eAAA,CAAA,CAAA;AAAA;AAClE;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,aAAA;AAAA,UACA,MAAQ,EAAA,MAAA;AAAA,UACR;AAAA,SACF;AAEA,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,WAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,QAAA;AAAA,UACH,SAAS,WAAY,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SACtC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,mBAAA;AAAA,MACAF,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,IAAA,CAAK,oBAAqB,CAAA,OAAA,EAASR,2CAA0B,CAAA;AAEnE,QAAM,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,iBAAA;AAAA,UACzC,KAAK,OAAQ,CAAA;AAAA,SACf;AAEA,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,0BAAA;AAAA,MACAQ,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,IAAA,CAAK,oBAAqB,CAAA,OAAA,EAASR,2CAA0B,CAAA;AAEnE,QAAM,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,uBAAA;AAAA,UACzC,KAAK,OAAQ,CAAA;AAAA,SACf;AAEA,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,mBAAA;AAAA,MACAQ,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAR;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAAa,YAAA,GAAa,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA;AAAA,UAC/C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,aAAa,CAAA;AAAA,UAC9C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,QAAQ,CAAA;AAAA,UACzC,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,YAAY,CAAA;AAAA,UAC7C,IAAK,CAAA,gBAAA,CAAiB,OAAQ,CAAA,KAAA,CAAM,OAAO;AAAA,SAC7C;AAEA,QAAM,MAAA,IAAA,GACJA,YACG,CAAA,GAAA,CAAI,CAAa,SAAA,KAAA;AAChB,UAAO,OAAA;AAAA,YACL,GAAG,SAAA;AAAA,YACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,cAC7C,QAAM,EAAG,CAAA;AAAA;AACX,WACF;AAAA,SACD,CACA,CAAA,MAAA,CAAO,CAAa,SAAA,KAAA;AACnB,UAAO,OAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAAA;AAAA,SACxD,CAAA;AAEL,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,mBAAA;AAAA,MACAd,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,IAAA,CAAK,oBAAqB,CAAA,OAAA,EAASM,6CAA4B,CAAA;AAErE,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AACV,QAAAS,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL,KAAK,OAAQ,CAAA;AAAA,SACf;AAEA,QAAA,MAAM,EACJ,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,gBAAgB,iBAAiB,CAAA;AAEjE,QAAM,MAAA,IAAA,GAAO,EAAE,EAAO,EAAA;AAEtB,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAA,QAAA,CAAS,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,IAAI,CAAA;AAAA;AAChC,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAhB,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAR;AAAA,SACF;AAEA,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIa,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAc,EAAA;AAAA;AAG1B,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAR,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAA,MAAM,IACJ,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAC5C,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,YAC7C,QAAM,EAAG,CAAA;AAAA;AACX,YAEF,EAAC;AAEP,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,MAAA;AAAA,MACL,uBAAA;AAAA,MACAD,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAG;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAT,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAII,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAEjE,QAAA,MAAM,iBACJ,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,mBAAmB,SAAU,CAAA,iBAAA,CAAkB,GAAI,CAAA,CAAA,EAAA,KAAM,GAAG,MAAM;AAAA,SACpE;AAEF,QAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,iBAAkB,CAAA;AAAA,SACpB;AAEA,QAAA,IAAI,CAACU,cAAA,CAAQ,YAAc,EAAA,gBAAgB,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAInB,sBAAgB,EAAA;AAAA;AAG5B,QAAM,MAAA,IAAA,CAAK,kBAAmB,CAAA,eAAA,CAAgB,EAAE,CAAA;AAChD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,iBAAkB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAO,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAa,GAAA,MAAM,IAAK,CAAA,oBAAA;AAAA,UAC9B,OAAA;AAAA,UACAO;AAAA,SACF;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAb,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAAO,8BAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAII,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAE/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,SAAU,CAAA;AAAA,SACZ;AAEA,QAAA,IAAI,CAACU,cAAA,CAAQ,YAAc,EAAA,gBAAgB,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAInB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AAEV,QAAAsB,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL,KAAK,OAAQ,CAAA;AAAA,SACf;AAEA,QAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,eAAgB,CAAA,EAAA,EAAI,iBAAiB,CAAA;AAEnE,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,cAAA;AAAA,MACAhB,+BAAA,CAAgB,KAAK,OAAO,CAAA;AAAA,MAC5B,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,IAAA,CAAK,oBAAqB,CAAA,OAAA,EAASM,6CAA4B,CAAA;AAErE,QAAI,IAAA,CAAC,KAAK,aAAe,EAAA;AACvB,UAAM,MAAA,IAAIJ,qBAAc,CAA8B,4BAAA,CAAA,CAAA;AAAA;AAGxD,QAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA;AACrD,UAAM,MAAA,EAAA,GAAK,SAAS,eAAgB,EAAA;AACpC,UAAO,OAAA,EAAA,KAAO,QAAQ,MAAO,CAAA,EAAA;AAAA,SAC9B,CAAA;AAED,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAA,MAAM,IAAIA,oBAAA;AAAA,YACR,CAAA,kBAAA,EAAqB,OAAQ,CAAA,MAAA,CAAO,EAAE,CAAA,cAAA;AAAA,WACxC;AAAA;AAGF,QAAA,MAAM,WAAW,OAAQ,EAAA;AACzB,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA,CAAIe,iCAAiB,CAAA;AAE5B,IAAO,OAAA,MAAA;AAAA;AACT,EAEA,kBAAA,CAAmB,SAAkB,IAAwB,EAAA;AAC3D,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAM,MAAA,SAAA,GAAY,QAAQ,MAAO,CAAA,SAAA;AACjC,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAA,MAAM,YAAY,CAAG,EAAA,IAAI,CAAI,CAAA,EAAA,SAAS,IAAI,IAAI,CAAA,CAAA;AAE9C,IAAM,MAAA,GAAA,GAAMC,0CAAwB,CAAA,SAAA,EAAW,IAAI,CAAA;AACnD,IAAA,IAAI,GAAK,EAAA;AACP,MAAM,MAAA,IAAIb,iBAAW,CAAA,GAAA,CAAI,OAAO,CAAA;AAAA;AAGlC,IAAO,OAAA,SAAA;AAAA;AACT,EAEA,MAAM,wBACD,QACyB,EAAA;AAC5B,IAAA,MAAM,kBAAkB,MAAMc,yBAAA;AAAA,MAC5B,QAAA;AAAA,MACA,IAAK,CAAA;AAAA,KACP;AAEA,IAAA,MAAM,mBAAsC,EAAC;AAC7C,IAAA,KAAA,MAAW,KAAK,QAAU,EAAA;AACxB,MAAA,MAAM,CAAC,eAAA,EAAiB,UAAY,EAAA,MAAA,EAAQ,MAAM,CAAI,GAAA,CAAA;AACtD,MAAA,gBAAA,CAAiB,IAAK,CAAA;AAAA,QACpB,eAAA;AAAA,QACA,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAU,EAAE,MAAA,EAAQ,eAAgB,CAAA,GAAA,CAAI,eAAe,CAAG;AAAA,OAC3D,CAAA;AAAA;AAGH,IAAO,OAAA,gBAAA;AAAA;AACT,EAEA,MAAM,kBACJ,CAAA,MAAA,EAAA,GACG,KACc,EAAA;AACjB,IAAA,MAAM,gBAA6C,EAAC;AAEpD,IAAA,KAAA,CAAM,OAAQ,CAAA,CAAC,CAAC,KAAA,EAAO,IAAI,CAAM,KAAA;AAC/B,MAAI,IAAA,aAAA,CAAc,cAAe,CAAA,IAAI,CAAG,EAAA;AACtC,QAAc,aAAA,CAAA,IAAI,CAAE,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA,OACzB,MAAA;AACL,QAAc,aAAA,CAAA,IAAI,CAAI,GAAA,CAAC,KAAK,CAAA;AAAA;AAC9B,KACD,CAAA;AAED,IAAM,MAAA,MAAA,GAAiB,MAAM,OAAQ,CAAA,GAAA;AAAA,MACnC,MAAA,CAAO,QAAQ,aAAa,CAAA,CAAE,QAAQ,OAAO,CAAC,IAAM,EAAA,KAAK,CAAM,KAAA;AAC7D,QAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,IAAI,CAAA;AACjE,QAAA,MAAM,QAAW,GAAA,WAAA,GAAcC,0BAAc,CAAA,WAAW,CAAI,GAAA,SAAA;AAC5D,QAAA,OAAO,QAAQ,OAAQ,CAAA;AAAA,UACrB,gBAAkB,EAAA,KAAA;AAAA,UAClB,IAAM,EAAA,IAAA;AAAA,UACN;AAAA,SACD,CAAA;AAAA,OACF;AAAA,KACH;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAO,CAAA,MAAA,CAAO,CAAQ,IAAA,KAAA;AAC3C,MAAA,OAAO,IAAK,CAAA,QAAA,IAAYR,cAAQ,CAAA,IAAA,CAAK,UAAU,MAAM,CAAA;AAAA,KACtD,CAAA;AAED,IAAO,OAAA,cAAA;AAAA;AACT,EAEA,uBAAuB,MAAmC,EAAA;AACxD,IAAO,OAAA;AAAA,MACL,MAAO,CAAA,eAAA;AAAA,MACP,MAAO,CAAA,UAAA;AAAA,MACP,MAAO,CAAA,MAAA;AAAA,MACP,MAAO,CAAA;AAAA,KACT;AAAA;AACF,EAEA,qBAAqB,IAAwB,EAAA;AAC3C,IAAA,MAAM,QAAoB,EAAC;AAC3B,IAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,MAAA,KAAA,CAAM,IAAK,CAAA,CAAC,MAAQ,EAAA,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAEhC,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,qCAAqC,IAAY,EAAA;AAC/C,IAAK,IAAA,CAAA,gBAAA,GAAmB,KAAK,gBAAiB,CAAA,GAAA;AAAA,MAAI,CAAA,MAAA,KAChD,MAAO,CAAA,iBAAA,CAAkB,OAAO;AAAA,KAClC;AAAA;AACF,EAEA,iBACE,UACgC,EAAA;AAChC,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,SAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,MAAM,kBAAsC,EAAC;AAC7C,MAAA,KAAA,MAAW,mBAAmB,UAAY,EAAA;AACxC,QAAA,IACE,OAAO,eAAA,KAAoB,QAC3B,IAAAS,yBAAA,CAAmB,eAAe,CAClC,EAAA;AACA,UAAA,eAAA,CAAgB,KAAK,eAAe,CAAA;AAAA,SAC/B,MAAA;AACL,UAAA,MAAM,IAAIhB,iBAAA;AAAA,YACR,0CAA0C,eAAe,CAAA,mCAAA;AAAA,WAC3D;AAAA;AACF;AAEF,MAAO,OAAA,eAAA;AAAA;AAGT,IAAA,IAAI,OAAO,UAAA,KAAe,QAAY,IAAAgB,yBAAA,CAAmB,UAAU,CAAG,EAAA;AACpE,MAAA,OAAO,CAAC,UAAU,CAAA;AAAA;AAEpB,IAAA,MAAM,IAAIhB,iBAAA;AAAA,MACR,0CAA0C,UAAU,CAAA,mCAAA;AAAA,KACtD;AAAA;AACF,EAEA,cACE,UACQ,EAAA;AACR,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,EAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,IAAI,OAAO,UAAA,CAAW,CAAC,CAAA,KAAM,QAAU,EAAA;AACrC,QAAO,OAAA,UAAA,CAAW,CAAC,CAAA,CAAE,QAAS,EAAA;AAAA;AAEhC,MAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAG9D,IAAI,IAAA,OAAO,eAAe,QAAU,EAAA;AAClC,MAAO,OAAA,UAAA;AAAA;AAET,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAC9D,EAEA,sBAAsB,OAA2B,EAAA;AAC/C,IAAA,OACE,CAAC,CAAC,OAAA,CAAQ,MAAM,SAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,CAAC,CAAC,QAAQ,KAAM,CAAA,MAAA;AAAA;AAEpB,EAEA,MAAM,eAAA,CACJ,WACA,EAAA,KAAA,EACA,cACA,MACqB,EAAA;AACrB,IAAA,MAAM,WAAuB,EAAC;AAC9B,IAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,IAAA,KAAA,MAAW,UAAU,WAAa,EAAA;AAChC,MAAI,IAAA,GAAA,GAAMiB,kCAAe,MAAM,CAAA;AAC/B,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIjB,iBAAA;AAAA,UACR,CAAW,QAAA,EAAA,YAAA,IAAgB,QAAQ,CAAA,oBAAA,EACjC,IAAI,OACN,CAAA;AAAA,SACF;AAAA;AAGF,MAAM,MAAA,QAAA,GAAW,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,QACvC,MAAO,CAAA;AAAA,OACT;AAEA,MAAA,IAAI,CAACO,cAAA,CAAQ,QAAU,EAAA,MAAM,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAInB,sBAAgB,EAAA;AAAA;AAG5B,MAAI,IAAA,MAAA,GAAS,eAAe,MAAS,GAAA,QAAA;AACrC,MAAA,MAAA,GAAS,QAAQ,MAAS,GAAA,KAAA;AAE1B,MAAM,GAAA,GAAA,MAAMiB,iCAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA;AAC3C,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIjB,sBAAA;AAAA,UACR,aAAa,MAAM,CAAA,QAAA,EAAW,MAAO,CAAA,eAAe,IAAI,MAAO,CAAA,UAAU,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAA,EAAA,EAAK,IAAI,OAAO,CAAA;AAAA,SAC7H;AAAA;AAGF,MAAM,MAAA,iBAAA,GAAoB,IAAK,CAAA,sBAAA,CAAuB,MAAM,CAAA;AAC5D,MAAI,IAAA,KAAA,IAAS,CAAE,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIS,oBAAA;AAAA,UACR,CAAA,QAAA,EAAWqB,qBAAe,CAAA,iBAAiB,CAAC,CAAA,WAAA;AAAA,SAC9C;AAAA;AAGF,MAAI,IAAA,CAAC,SAAU,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAW,QAAA,EAAAY,qBAAA;AAAA,YACT;AAAA,WACD,CAAA,yBAAA;AAAA,SACH;AAAA;AAIF,MAAM,MAAA,SAAA,GAAY,IAAK,CAAA,SAAA,CAAU,iBAAiB,CAAA;AAClD,MAAI,IAAA,WAAA,CAAY,GAAI,CAAA,SAAS,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAA,yBAAA,EAA4B,MAAO,CAAA,eAAe,CAAK,EAAA,EAAA,MAAA,CAAO,UAAU,CAAA,EAAA,EAAK,MAAO,CAAA,MAAM,CAAK,EAAA,EAAA,MAAA,CAAO,MAAM,CAAA,eAAA;AAAA,SAC9G;AAAA,OACK,MAAA;AACL,QAAA,WAAA,CAAY,IAAI,SAAS,CAAA;AACzB,QAAA,QAAA,CAAS,KAAK,iBAAiB,CAAA;AAAA;AACjC;AAEF,IAAO,OAAA,QAAA;AAAA;AACT,EAEA,QAAA,CAAS,OAAe,KAAuB,EAAA;AAC7C,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,EAAA;AAAA;AAET,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,CAAA;AAAA;AAET,IAAO,OAAA,CAAA;AAAA;AAEX;;;;"}
1
+ {"version":3,"file":"policies-rest-api.cjs.js","sources":["../../src/service/policies-rest-api.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type {\n AuthService,\n BackstageCredentials,\n BackstageServicePrincipal,\n BackstageUserPrincipal,\n HttpAuthService,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport {\n ConflictError,\n InputError,\n NotAllowedError,\n NotFoundError,\n} from '@backstage/errors';\nimport { createRouter } from '@backstage/plugin-permission-backend';\nimport {\n AuthorizeResult,\n BasicPermission,\n PolicyDecision,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\n\nimport express from 'express';\nimport type { Request } from 'express-serve-static-core';\nimport { isEmpty, isEqual } from 'lodash';\nimport type { ParsedQs } from 'qs';\n\nimport {\n policyEntityCreatePermission,\n policyEntityDeletePermission,\n policyEntityReadPermission,\n policyEntityUpdatePermission,\n type PermissionAction,\n type Role,\n type RoleBasedPolicy,\n type RoleConditionalPolicyDecision,\n} from '@backstage-community/plugin-rbac-common';\nimport type { RBACProvider } from '@backstage-community/plugin-rbac-node';\n\nimport { setAuditorError, logAuditorEvent } from '../auditor/rest-interceptor';\nimport { ConditionalStorage } from '../database/conditional-storage';\nimport {\n daoToMetadata,\n RoleMetadataDao,\n RoleMetadataStorage,\n} from '../database/role-metadata';\nimport {\n buildRoleSourceMap,\n deepSortedEqual,\n isPermissionAction,\n policyToString,\n processConditionMapping,\n matches,\n} from '../helper';\nimport { validateRoleCondition } from '../validation/condition-validation';\nimport {\n validateEntityReference,\n validatePolicy,\n validateRole,\n validateSource,\n} from '../validation/policies-validation';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { RBACRouterOptions } from './policy-builder';\nimport { conditionTransformerFunc, RBACFilters } from '../permissions';\nimport { registerPermissionDefinitionRoutes } from './permission-definition-routes';\nimport { PermissionDependentPluginStore } from '../database/extra-permission-enabled-plugins-storage';\nimport { ExtendablePluginIdProvider } from './extendable-id-provider';\n\nexport async function authorizeConditional(\n request: Request,\n permission: ResourcePermission<'policy-entity'> | BasicPermission,\n deps: {\n auth: AuthService;\n httpAuth: HttpAuthService;\n permissions: PermissionsService;\n },\n): Promise<{\n decision: PolicyDecision;\n credentials: BackstageCredentials<\n BackstageUserPrincipal | BackstageServicePrincipal\n >;\n}> {\n const { auth, httpAuth, permissions } = deps;\n\n const credentials = await httpAuth.credentials(request, {\n allow: ['user', 'service'],\n });\n\n // allow service to service communication, but only with read permission\n if (\n auth.isPrincipal(credentials, 'service') &&\n permission !== policyEntityReadPermission\n ) {\n throw new NotAllowedError(\n `Only credential principal with type 'user' permitted to modify permissions`,\n );\n }\n\n let decision: PolicyDecision;\n if (permission.type === 'resource') {\n decision = (\n await permissions.authorizeConditional([{ permission }], {\n credentials,\n })\n )[0];\n } else {\n decision = (\n await permissions.authorize([{ permission }], {\n credentials,\n })\n )[0];\n }\n\n if (decision.result === AuthorizeResult.DENY) {\n throw new NotAllowedError(); // 403\n }\n\n return { decision, credentials };\n}\n\nexport class PoliciesServer {\n constructor(\n private readonly options: RBACRouterOptions,\n private readonly enforcer: EnforcerDelegate,\n private readonly conditionalStorage: ConditionalStorage,\n private readonly pluginPermMetaData: PluginPermissionMetadataCollector,\n private readonly roleMetadata: RoleMetadataStorage,\n private readonly extraPluginsIdStorage: PermissionDependentPluginStore,\n private readonly pluginIdProvider: ExtendablePluginIdProvider,\n private readonly rbacProviders?: RBACProvider[],\n ) {}\n\n async serve(): Promise<express.Router> {\n const router = await createRouter(this.options);\n\n const { logger, auditor, auth, permissionsRegistry } = this.options;\n\n const isPluginEnabled =\n this.options.config.getOptionalBoolean('permission.enabled');\n if (!isPluginEnabled) {\n return router;\n }\n\n const transformConditions = conditionTransformerFunc(permissionsRegistry);\n\n router.get('/', async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n response.send({ status: 'Authorized' });\n });\n\n // Policy CRUD\n\n router.get(\n '/policies',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n let policies: string[][] = [];\n if (this.isPolicyFilterEnabled(request)) {\n const entityRef = this.getFirstQuery(request.query.entityRef);\n const permission = this.getFirstQuery(request.query.permission);\n const policy = this.getFirstQuery(request.query.policy);\n const effect = this.getFirstQuery(request.query.effect);\n\n const matchedRoleName = roleMetadata.flatMap(\n role => role.roleEntityRef,\n );\n\n const filter: string[] = [entityRef, permission, policy, effect];\n policies = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, ...filter)\n : [];\n } else {\n for (const role of roleMetadata) {\n policies.push(\n ...(await this.enforcer.getFilteredPolicy(\n 0,\n ...[role.roleEntityRef],\n )),\n );\n }\n }\n\n const body = await this.transformPolicyArray(...policies);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(policy => {\n if (\n policy.permission === 'policy-entity' &&\n policy.policy === 'create'\n ) {\n policy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[policy.entityReference, 'policy-entity', policy.policy, policy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${policy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n },\n );\n\n router.get(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const entityRef = this.getEntityReference(request);\n\n const policy = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, entityRef)\n : [];\n if (policy.length !== 0) {\n const body = await this.transformPolicyArray(...policy);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(bodyPolicy => {\n if (\n bodyPolicy.permission === 'policy-entity' &&\n bodyPolicy.policy === 'create'\n ) {\n bodyPolicy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[bodyPolicy.entityReference, 'policy-entity', bodyPolicy.policy, bodyPolicy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${bodyPolicy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.delete(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n policyRaw.forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n true,\n undefined,\n conditionsFilter,\n );\n\n await this.enforcer.removePolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.post(\n '/policies',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n false,\n undefined,\n );\n\n const entityRef = processedPolicies[0][0];\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.addPolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const oldPolicyRaw: RoleBasedPolicy[] = request.body.oldPolicy;\n if (isEmpty(oldPolicyRaw)) {\n throw new InputError(`'oldPolicy' object must be present`); // 400\n }\n const newPolicyRaw: RoleBasedPolicy[] = request.body.newPolicy;\n if (isEmpty(newPolicyRaw)) {\n throw new InputError(`'newPolicy' object must be present`); // 400\n }\n\n [...oldPolicyRaw, ...newPolicyRaw].forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedOldPolicy = await this.processPolicies(\n oldPolicyRaw,\n true,\n 'old policy',\n conditionsFilter,\n );\n\n oldPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n newPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n if (\n isEqual(oldPolicyRaw, newPolicyRaw) &&\n !oldPolicyRaw.some(isEmpty)\n ) {\n response.status(204).end();\n } else if (oldPolicyRaw.length > newPolicyRaw.length) {\n throw new InputError(\n `'oldPolicy' object has more permission policies compared to 'newPolicy' object`,\n );\n }\n\n const processedNewPolicy = await this.processPolicies(\n newPolicyRaw,\n false,\n 'new policy',\n conditionsFilter,\n );\n\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.updatePolicies(\n processedOldPolicy,\n processedNewPolicy,\n );\n\n response.locals.meta = { policies: processedNewPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n // Role CRUD\n\n router.get(\n '/roles',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roles = await this.enforcer.getGroupingPolicy();\n const body = await this.transformRoleArray(conditionsFilter, ...roles);\n\n response.json(body);\n },\n );\n\n router.get(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const role = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n\n const body = await this.transformRoleArray(conditionsFilter, ...role);\n if (body.length !== 0) {\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.post(\n '/roles',\n logAuditorEvent(auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n const { credentials } = await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const roleRaw: Role = request.body;\n let err = validateRole(roleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid role definition. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(roleRaw);\n\n const rMetadata = await this.roleMetadata.findRoleMetadata(\n roleRaw.name,\n );\n\n err = await validateSource('rest', rMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to add role: ${err.message}`);\n }\n\n const roles = this.transformRoleToArray(roleRaw);\n\n for (const role of roles) {\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n throw new ConflictError(); // 409\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef: roleRaw.name,\n source: 'rest',\n description: roleRaw.metadata?.description ?? '',\n author: modifiedBy,\n modifiedBy,\n owner: roleRaw.metadata?.owner ?? modifiedBy,\n };\n\n await this.enforcer.addGroupingPolicies(roles, metadata);\n\n response.locals.meta = { ...metadata, members: roles.map(gp => gp[0]) }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const oldRoleRaw: Role = request.body.oldRole;\n\n if (!oldRoleRaw) {\n throw new InputError(`'oldRole' object must be present`); // 400\n }\n const newRoleRaw: Role = request.body.newRole;\n if (!newRoleRaw) {\n throw new InputError(`'newRole' object must be present`); // 400\n }\n\n oldRoleRaw.name = roleEntityRef;\n let err = validateRole(oldRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid old role object. Cause: ${err.message}`,\n );\n }\n err = validateRole(newRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid new role object. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(oldRoleRaw);\n this.transformMemberReferencesToLowercase(newRoleRaw);\n\n const oldRole = this.transformRoleToArray(oldRoleRaw);\n const newRole = this.transformRoleToArray(newRoleRaw);\n // todo shell we allow newRole with an empty array?...\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const newMetadata: RoleMetadataDao = {\n ...newRoleRaw.metadata,\n source: newRoleRaw.metadata?.source ?? 'rest',\n roleEntityRef: newRoleRaw.name,\n modifiedBy,\n owner: newRoleRaw.metadata?.owner ?? '',\n };\n\n const oldMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n if (!oldMetadata) {\n throw new NotFoundError(\n `Unable to find metadata for ${roleEntityRef}`,\n );\n }\n\n err = await validateSource('rest', oldMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to edit role: ${err.message}`);\n }\n\n if (!matches(oldMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n if (\n isEqual(oldRole, newRole) &&\n deepSortedEqual(oldMetadata, newMetadata, [\n 'author',\n 'modifiedBy',\n 'createdAt',\n 'lastModified',\n 'owner',\n ])\n ) {\n // no content: old role and new role are equal and their metadata too\n response.status(204).end();\n return;\n }\n\n for (const role of newRole) {\n const hasRole = oldRole.some(element => {\n return isEqual(element, role);\n });\n // if the role is already part of old role and is a grouping policy we want to skip returning a conflict error\n // to allow for other roles to be checked and added\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n if (!hasRole) {\n throw new ConflictError(); // 409\n }\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n uniqueItems.clear();\n for (const role of oldRole) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(\n `Member reference: ${role[0]} was not found for role ${roleEntityRef}`,\n ); // 404\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n await this.enforcer.updateGroupingPolicies(\n oldRole,\n newRole,\n newMetadata,\n );\n\n let message = `Updated ${oldMetadata.roleEntityRef}.`;\n if (newMetadata.roleEntityRef !== oldMetadata.roleEntityRef) {\n message = `${message}. Role entity reference renamed to ${newMetadata.roleEntityRef}`;\n }\n response.locals.meta = {\n ...newMetadata,\n members: newRole.map(gp => gp[0]),\n }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.delete(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const currentMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n\n if (!matches(currentMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n const err = await validateSource('rest', currentMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to delete role: ${err.message}`);\n }\n\n let roleMembers = [];\n if (request.query.memberReferences) {\n const memberReference = this.getFirstQuery(\n request.query.memberReferences!,\n ).toLocaleLowerCase('en-US');\n const gp = await this.enforcer.getFilteredGroupingPolicy(\n 0,\n memberReference,\n roleEntityRef,\n );\n if (gp.length > 0) {\n roleMembers.push(gp[0]);\n } else {\n throw new NotFoundError(\n `role member '${memberReference}' was not found`,\n ); // 404\n }\n } else {\n roleMembers = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n }\n\n for (const role of roleMembers) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(`role member '${role[0]}' was not found`);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef,\n source: 'rest',\n modifiedBy,\n };\n\n await this.enforcer.removeGroupingPolicies(\n roleMembers,\n metadata,\n false,\n );\n\n response.locals.meta = {\n ...metadata,\n members: roleMembers.map(gp => gp[0]),\n }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.get(\n '/roles/conditions',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const conditions = await this.conditionalStorage.filterConditions(\n this.getFirstQuery(request.query.roleEntityRef),\n this.getFirstQuery(request.query.pluginId),\n this.getFirstQuery(request.query.resourceType),\n this.getActionQueries(request.query.actions),\n );\n\n const body: RoleConditionalPolicyDecision<PermissionAction>[] =\n conditions\n .map(condition => {\n return {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n };\n })\n .filter(condition => {\n return matchedRoleName.includes(condition.roleEntityRef);\n });\n\n response.json(body);\n },\n );\n\n router.post(\n '/roles/conditions',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToCreate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n auth,\n );\n\n const id =\n await this.conditionalStorage.createCondition(conditionToCreate);\n\n const body = { id: id };\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(201).json(body);\n },\n );\n\n router.get(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError();\n }\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const body: RoleConditionalPolicyDecision<PermissionAction> | [] =\n matchedRoleName.includes(condition.roleEntityRef)\n ? {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n }\n : [];\n\n response.json(body);\n },\n );\n\n router.delete(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n const conditionToDelete: RoleConditionalPolicyDecision<PermissionAction> =\n {\n ...condition,\n permissionMapping: condition.permissionMapping.map(pm => pm.action),\n };\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n conditionToDelete.roleEntityRef,\n );\n\n if (!matches(roleMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n await this.conditionalStorage.deleteCondition(id);\n response.locals.meta = { condition: conditionToDelete }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.put(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n condition.roleEntityRef,\n );\n\n if (!matches(roleMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToUpdate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n auth,\n );\n\n await this.conditionalStorage.updateCondition(id, conditionToUpdate);\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.post(\n '/refresh/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n if (!this.rbacProviders) {\n throw new NotFoundError(`No RBAC providers were found`);\n }\n\n const idProvider = this.rbacProviders.find(provider => {\n const id = provider.getProviderName();\n return id === request.params.id;\n });\n\n if (!idProvider) {\n throw new NotFoundError(\n `The RBAC provider ${request.params.id} was not found`,\n );\n }\n\n await idProvider.refresh();\n response.status(200).end();\n },\n );\n\n registerPermissionDefinitionRoutes(\n router,\n this.pluginPermMetaData,\n this.pluginIdProvider,\n this.extraPluginsIdStorage,\n this.options,\n );\n\n router.use(setAuditorError());\n\n return router;\n }\n\n getEntityReference(request: Request, role?: boolean): string {\n const kind = request.params.kind;\n const namespace = request.params.namespace;\n const name = request.params.name;\n const entityRef = `${kind}:${namespace}/${name}`;\n\n const err = validateEntityReference(entityRef, role);\n if (err) {\n throw new InputError(err.message);\n }\n\n return entityRef;\n }\n\n async transformPolicyArray(\n ...policies: string[][]\n ): Promise<RoleBasedPolicy[]> {\n const roleToSourceMap = await buildRoleSourceMap(\n policies,\n this.roleMetadata,\n );\n\n const roleBasedPolices: RoleBasedPolicy[] = [];\n for (const p of policies) {\n const [entityReference, permission, policy, effect] = p;\n roleBasedPolices.push({\n entityReference,\n permission,\n policy,\n effect,\n metadata: { source: roleToSourceMap.get(entityReference)! },\n });\n }\n\n return roleBasedPolices;\n }\n\n async transformRoleArray(\n filter?: RBACFilters,\n ...roles: string[][]\n ): Promise<Role[]> {\n const combinedRoles: { [key: string]: string[] } = {};\n\n roles.forEach(([value, role]) => {\n if (combinedRoles.hasOwnProperty(role)) {\n combinedRoles[role].push(value);\n } else {\n combinedRoles[role] = [value];\n }\n });\n\n const result: Role[] = await Promise.all(\n Object.entries(combinedRoles).flatMap(async ([role, value]) => {\n const metadataDao = await this.roleMetadata.findRoleMetadata(role);\n const metadata = metadataDao ? daoToMetadata(metadataDao) : undefined;\n return Promise.resolve({\n memberReferences: value,\n name: role,\n metadata,\n });\n }),\n );\n\n const filteredResult = result.filter(role => {\n return role.metadata && matches(role.metadata, filter);\n });\n\n return filteredResult;\n }\n\n transformPolicyToArray(policy: RoleBasedPolicy): string[] {\n return [\n policy.entityReference!,\n policy.permission!,\n policy.policy!,\n policy.effect!,\n ];\n }\n\n transformRoleToArray(role: Role): string[][] {\n const roles: string[][] = [];\n for (const entity of role.memberReferences) {\n roles.push([entity, role.name]);\n }\n return roles;\n }\n\n transformMemberReferencesToLowercase(role: Role) {\n role.memberReferences = role.memberReferences.map(member =>\n member.toLocaleLowerCase('en-US'),\n );\n }\n\n getActionQueries(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): PermissionAction[] | undefined {\n if (!queryValue) {\n return undefined;\n }\n if (Array.isArray(queryValue)) {\n const permissionNames: PermissionAction[] = [];\n for (const permissionQuery of queryValue) {\n if (\n typeof permissionQuery === 'string' &&\n isPermissionAction(permissionQuery)\n ) {\n permissionNames.push(permissionQuery);\n } else {\n throw new InputError(\n `Invalid permission action query value: ${permissionQuery}. Permission name should be string.`,\n );\n }\n }\n return permissionNames;\n }\n\n if (typeof queryValue === 'string' && isPermissionAction(queryValue)) {\n return [queryValue];\n }\n throw new InputError(\n `Invalid permission action query value: ${queryValue}. Permission name should be string.`,\n );\n }\n\n getFirstQuery(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): string {\n if (!queryValue) {\n return '';\n }\n if (Array.isArray(queryValue)) {\n if (typeof queryValue[0] === 'string') {\n return queryValue[0].toString();\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n if (typeof queryValue === 'string') {\n return queryValue;\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n isPolicyFilterEnabled(request: Request): boolean {\n return (\n !!request.query.entityRef ||\n !!request.query.permission ||\n !!request.query.policy ||\n !!request.query.effect\n );\n }\n\n async processPolicies(\n policyArray: RoleBasedPolicy[],\n isOld?: boolean,\n errorMessage?: string,\n filter?: RBACFilters,\n ): Promise<string[][]> {\n const policies: string[][] = [];\n const uniqueItems = new Set<string>();\n for (const policy of policyArray) {\n let err = validatePolicy(policy);\n if (err) {\n throw new InputError(\n `Invalid ${errorMessage ?? 'policy'} definition. Cause: ${\n err.message\n }`,\n ); // 400\n }\n\n const metadata = await this.roleMetadata.findRoleMetadata(\n policy.entityReference!,\n );\n\n if (!matches(metadata, filter)) {\n throw new NotAllowedError(); // 403\n }\n\n let action = errorMessage ? 'edit' : 'delete';\n action = isOld ? action : 'add';\n\n err = await validateSource('rest', metadata);\n if (err) {\n throw new NotAllowedError(\n `Unable to ${action} policy ${policy.entityReference},${policy.permission},${policy.policy},${policy.effect}: ${err.message}`,\n );\n }\n\n const transformedPolicy = this.transformPolicyToArray(policy);\n if (isOld && !(await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new NotFoundError(\n `Policy '${policyToString(transformedPolicy)}' not found`,\n ); // 404\n }\n\n if (!isOld && (await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new ConflictError(\n `Policy '${policyToString(\n transformedPolicy,\n )}' has been already stored`,\n ); // 409\n }\n\n // We want to ensure that there are not duplicate permission policies\n const rowString = JSON.stringify(transformedPolicy);\n if (uniqueItems.has(rowString)) {\n throw new ConflictError(\n `Duplicate polices found; ${policy.entityReference}, ${policy.permission}, ${policy.policy}, ${policy.effect} is a duplicate`,\n );\n } else {\n uniqueItems.add(rowString);\n policies.push(transformedPolicy);\n }\n }\n return policies;\n }\n\n nameSort(nameA: string, nameB: string): number {\n if (nameA.toLocaleUpperCase('en-US') < nameB.toLocaleUpperCase('en-US')) {\n return -1;\n }\n if (nameA.toLocaleUpperCase('en-US') > nameB.toLocaleUpperCase('en-US')) {\n return 1;\n }\n return 0;\n }\n}\n"],"names":["policyEntityReadPermission","NotAllowedError","AuthorizeResult","createRouter","conditionTransformerFunc","logAuditorEvent","NotFoundError","policyEntityDeletePermission","isEmpty","InputError","policyEntityCreatePermission","policyEntityUpdatePermission","isEqual","validateRole","validateSource","ConflictError","matches","deepSortedEqual","validateRoleCondition","processConditionMapping","registerPermissionDefinitionRoutes","setAuditorError","validateEntityReference","buildRoleSourceMap","daoToMetadata","isPermissionAction","validatePolicy","policyToString"],"mappings":";;;;;;;;;;;;;;;;AAoFsB,eAAA,oBAAA,CACpB,OACA,EAAA,UAAA,EACA,IAUC,EAAA;AACD,EAAA,MAAM,EAAE,IAAA,EAAM,QAAU,EAAA,WAAA,EAAgB,GAAA,IAAA;AAExC,EAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,OAAS,EAAA;AAAA,IACtD,KAAA,EAAO,CAAC,MAAA,EAAQ,SAAS;AAAA,GAC1B,CAAA;AAGD,EAAA,IACE,KAAK,WAAY,CAAA,WAAA,EAAa,SAAS,CAAA,IACvC,eAAeA,2CACf,EAAA;AACA,IAAA,MAAM,IAAIC,sBAAA;AAAA,MACR,CAAA,0EAAA;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,QAAA;AACJ,EAAI,IAAA,UAAA,CAAW,SAAS,UAAY,EAAA;AAClC,IAAA,QAAA,GAAA,CACE,MAAM,WAAY,CAAA,oBAAA,CAAqB,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,MACvD;AAAA,KACD,GACD,CAAC,CAAA;AAAA,GACE,MAAA;AACL,IAAA,QAAA,GAAA,CACE,MAAM,WAAY,CAAA,SAAA,CAAU,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,MAC5C;AAAA,KACD,GACD,CAAC,CAAA;AAAA;AAGL,EAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,IAAM,EAAA;AAC5C,IAAA,MAAM,IAAID,sBAAgB,EAAA;AAAA;AAG5B,EAAO,OAAA,EAAE,UAAU,WAAY,EAAA;AACjC;AAEO,MAAM,cAAe,CAAA;AAAA,EAC1B,WAAA,CACmB,SACA,QACA,EAAA,kBAAA,EACA,oBACA,YACA,EAAA,qBAAA,EACA,kBACA,aACjB,EAAA;AARiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACA,IAAA,IAAA,CAAA,gBAAA,GAAA,gBAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA;AAChB,EAEH,MAAM,KAAiC,GAAA;AACrC,IAAA,MAAM,MAAS,GAAA,MAAME,oCAAa,CAAA,IAAA,CAAK,OAAO,CAAA;AAE9C,IAAA,MAAM,EAAE,MAAQ,EAAA,OAAA,EAAS,IAAM,EAAA,mBAAA,KAAwB,IAAK,CAAA,OAAA;AAE5D,IAAA,MAAM,eACJ,GAAA,IAAA,CAAK,OAAQ,CAAA,MAAA,CAAO,mBAAmB,oBAAoB,CAAA;AAC7D,IAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,MAAO,OAAA,MAAA;AAAA;AAGT,IAAM,MAAA,mBAAA,GAAsBC,oCAAyB,mBAAmB,CAAA;AAExE,IAAA,MAAA,CAAO,GAAI,CAAA,GAAA,EAAK,OAAO,OAAA,EAAS,QAAa,KAAA;AAC3C,MAAM,MAAA,oBAAA;AAAA,QACJ,OAAA;AAAA,QACAJ,2CAAA;AAAA,QACA,IAAK,CAAA;AAAA,OACP;AAEA,MAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,YAAA,EAAc,CAAA;AAAA,KACvC,CAAA;AAID,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,WAAA;AAAA,MACAK,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAL,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAA,IAAI,WAAuB,EAAC;AAC5B,QAAI,IAAA,IAAA,CAAK,qBAAsB,CAAA,OAAO,CAAG,EAAA;AACvC,UAAA,MAAM,SAAY,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,SAAS,CAAA;AAC5D,UAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,UAAU,CAAA;AAC9D,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AACtD,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AAEtD,UAAA,MAAM,kBAAkB,YAAa,CAAA,OAAA;AAAA,YACnC,UAAQ,IAAK,CAAA;AAAA,WACf;AAEA,UAAA,MAAM,MAAmB,GAAA,CAAC,SAAW,EAAA,UAAA,EAAY,QAAQ,MAAM,CAAA;AAC/D,UAAA,QAAA,GAAW,eAAgB,CAAA,QAAA,CAAS,SAAS,CAAA,GACzC,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,CAAG,EAAA,GAAG,MAAM,CAAA,GAClD,EAAC;AAAA,SACA,MAAA;AACL,UAAA,KAAA,MAAW,QAAQ,YAAc,EAAA;AAC/B,YAAS,QAAA,CAAA,IAAA;AAAA,cACP,GAAI,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA;AAAA,gBACtB,CAAA;AAAA,gBACA,GAAG,CAAC,IAAA,CAAK,aAAa;AAAA;AACxB,aACF;AAAA;AACF;AAGF,QAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,QAAQ,CAAA;AAExD,QAAA,IAAA,CAAK,IAAI,CAAU,MAAA,KAAA;AACjB,UAAA,IACE,MAAO,CAAA,UAAA,KAAe,eACtB,IAAA,MAAA,CAAO,WAAW,QAClB,EAAA;AACA,YAAA,MAAA,CAAO,UAAa,GAAA,sBAAA;AACpB,YAAO,MAAA,CAAA,IAAA;AAAA,cACL,CAA8H,2HAAA,EAAA,CAAC,MAAO,CAAA,eAAA,EAAiB,eAAiB,EAAA,MAAA,CAAO,MAAQ,EAAA,MAAA,CAAO,MAAM,CAAC,CAAyE,sEAAA,EAAA,MAAA,CAAO,UAAU,MAAM,CAAA;AAAA,aACvS;AAAA;AACF,SACD,CAAA;AAED,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAL,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,MAAS,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAS,CAC7C,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,CAAA,EAAG,SAAS,CAAA,GAClD,EAAC;AACL,QAAI,IAAA,MAAA,CAAO,WAAW,CAAG,EAAA;AACvB,UAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA;AAEtD,UAAA,IAAA,CAAK,IAAI,CAAc,UAAA,KAAA;AACrB,YAAA,IACE,UAAW,CAAA,UAAA,KAAe,eAC1B,IAAA,UAAA,CAAW,WAAW,QACtB,EAAA;AACA,cAAA,UAAA,CAAW,UAAa,GAAA,sBAAA;AACxB,cAAO,MAAA,CAAA,IAAA;AAAA,gBACL,CAA8H,2HAAA,EAAA,CAAC,UAAW,CAAA,eAAA,EAAiB,eAAiB,EAAA,UAAA,CAAW,MAAQ,EAAA,UAAA,CAAW,MAAM,CAAC,CAAyE,sEAAA,EAAA,UAAA,CAAW,UAAU,MAAM,CAAA;AAAA,eACvT;AAAA;AACF,WACD,CAAA;AAED,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAII,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAO,MAAA,CAAA,MAAA;AAAA,MACL,kCAAA;AAAA,MACAD,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAL,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAC7C,QAAI,IAAAM,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAA,SAAA,CAAU,QAAQ,CAAW,OAAA,KAAA;AAC3B,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,IAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,cAAA,CAAe,iBAAiB,CAAA;AAEpD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,WAAA;AAAA,MACAJ,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAE7C,QAAI,IAAAF,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,KAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,SAAY,GAAA,iBAAA,CAAkB,CAAC,CAAA,CAAE,CAAC,CAAA;AACxC,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,WAAA,CAAY,iBAAiB,CAAA;AAEjD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAJ,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAT,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAM,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAE3D,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAD,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAG3D,QAAA,CAAC,GAAG,YAAc,EAAA,GAAG,YAAY,CAAA,CAAE,QAAQ,CAAW,OAAA,KAAA;AACpD,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,IAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QACE,IAAAG,cAAA,CAAQ,cAAc,YAAY,CAAA,IAClC,CAAC,YAAa,CAAA,IAAA,CAAKJ,cAAO,CAC1B,EAAA;AACA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA,SAChB,MAAA,IAAA,YAAA,CAAa,MAAS,GAAA,YAAA,CAAa,MAAQ,EAAA;AACpD,UAAA,MAAM,IAAIC,iBAAA;AAAA,YACR,CAAA,8EAAA;AAAA,WACF;AAAA;AAGF,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAA,MAAM,KAAK,QAAS,CAAA,cAAA;AAAA,UAClB,kBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,kBAAmB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAIA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,QAAA;AAAA,MACAJ,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAL,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,EAAA;AACpD,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,KAAK,CAAA;AAErE,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAL,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,UAC/B,CAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,IAAI,CAAA;AACpE,QAAI,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrB,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAII,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,QAAA;AAAA,MACAD,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAM,MAAA,EAAE,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UAC5B,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,UAAgB,OAAQ,CAAA,IAAA;AAC9B,QAAI,IAAA,GAAA,GAAMG,gCAAa,OAAO,CAAA;AAC9B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,OAAO,CAAA;AAEjD,QAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UACxC,OAAQ,CAAA;AAAA,SACV;AAEA,QAAM,GAAA,GAAA,MAAMK,iCAAe,CAAA,MAAA,EAAQ,SAAS,CAAA;AAC5C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIb,sBAAA,CAAgB,CAAuB,oBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGhE,QAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,oBAAA,CAAqB,OAAO,CAAA;AAE/C,QAAA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,MAAM,IAAIc,oBAAc,EAAA;AAAA;AAE1B,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,eAAe,OAAQ,CAAA,IAAA;AAAA,UACvB,MAAQ,EAAA,MAAA;AAAA,UACR,WAAA,EAAa,OAAQ,CAAA,QAAA,EAAU,WAAe,IAAA,EAAA;AAAA,UAC9C,MAAQ,EAAA,UAAA;AAAA,UACR,UAAA;AAAA,UACA,KAAA,EAAO,OAAQ,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACpC;AAEA,QAAA,MAAM,IAAK,CAAA,QAAA,CAAS,mBAAoB,CAAA,KAAA,EAAO,QAAQ,CAAA;AAEvD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,GAAG,QAAU,EAAA,OAAA,EAAS,KAAM,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC,CAAE,EAAA;AAEtE,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAV,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UACtC,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAT,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AAEtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIO,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAEzD,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AACtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIA,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAGzD,QAAA,UAAA,CAAW,IAAO,GAAA,aAAA;AAClB,QAAI,IAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AACjC,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AAC7B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AACpD,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AAEpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AACpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AAGpD,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,WAA+B,GAAA;AAAA,UACnC,GAAG,UAAW,CAAA,QAAA;AAAA,UACd,MAAA,EAAQ,UAAW,CAAA,QAAA,EAAU,MAAU,IAAA,MAAA;AAAA,UACvC,eAAe,UAAW,CAAA,IAAA;AAAA,UAC1B,UAAA;AAAA,UACA,KAAA,EAAO,UAAW,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACvC;AAEA,QAAA,MAAM,WACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AACxD,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAA,MAAM,IAAIH,oBAAA;AAAA,YACR,+BAA+B,aAAa,CAAA;AAAA,WAC9C;AAAA;AAGF,QAAM,GAAA,GAAA,MAAMQ,iCAAe,CAAA,MAAA,EAAQ,WAAW,CAAA;AAC9C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIb,sBAAA,CAAgB,CAAwB,qBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGjE,QAAA,IAAI,CAACe,cAAA,CAAQ,WAAa,EAAA,gBAAgB,CAAG,EAAA;AAC3C,UAAA,MAAM,IAAIf,sBAAgB,EAAA;AAAA;AAG5B,QAAA,IACEW,eAAQ,OAAS,EAAA,OAAO,CACxB,IAAAK,sBAAA,CAAgB,aAAa,WAAa,EAAA;AAAA,UACxC,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACD,CACD,EAAA;AAEA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AACzB,UAAA;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAM,MAAA,OAAA,GAAU,OAAQ,CAAA,IAAA,CAAK,CAAW,OAAA,KAAA;AACtC,YAAO,OAAAL,cAAA,CAAQ,SAAS,IAAI,CAAA;AAAA,WAC7B,CAAA;AAGD,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,IAAI,CAAC,OAAS,EAAA;AACZ,cAAA,MAAM,IAAIG,oBAAc,EAAA;AAAA;AAC1B;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,WAAA,CAAY,KAAM,EAAA;AAClB,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIT,oBAAA;AAAA,cACR,CAAqB,kBAAA,EAAA,IAAA,CAAK,CAAC,CAAC,2BAA2B,aAAa,CAAA;AAAA,aACtE;AAAA;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIS,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,OAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAI,IAAA,OAAA,GAAU,CAAW,QAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA,CAAA;AAClD,QAAI,IAAA,WAAA,CAAY,aAAkB,KAAA,WAAA,CAAY,aAAe,EAAA;AAC3D,UAAA,OAAA,GAAU,CAAG,EAAA,OAAO,CAAsC,mCAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA;AAAA;AAErF,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,WAAA;AAAA,UACH,SAAS,OAAQ,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SAClC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,MAAA;AAAA,MACL,+BAAA;AAAA,MACAV,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UACtC,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAL,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAA,MAAM,eACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AAExD,QAAA,IAAI,CAACc,cAAA,CAAQ,eAAiB,EAAA,gBAAgB,CAAG,EAAA;AAC/C,UAAA,MAAM,IAAIf,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,GAAM,GAAA,MAAMa,iCAAe,CAAA,MAAA,EAAQ,eAAe,CAAA;AACxD,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIb,sBAAA,CAAgB,CAA0B,uBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGnE,QAAA,IAAI,cAAc,EAAC;AACnB,QAAI,IAAA,OAAA,CAAQ,MAAM,gBAAkB,EAAA;AAClC,UAAA,MAAM,kBAAkB,IAAK,CAAA,aAAA;AAAA,YAC3B,QAAQ,KAAM,CAAA;AAAA,WAChB,CAAE,kBAAkB,OAAO,CAAA;AAC3B,UAAM,MAAA,EAAA,GAAK,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,YAC7B,CAAA;AAAA,YACA,eAAA;AAAA,YACA;AAAA,WACF;AACA,UAAI,IAAA,EAAA,CAAG,SAAS,CAAG,EAAA;AACjB,YAAY,WAAA,CAAA,IAAA,CAAK,EAAG,CAAA,CAAC,CAAC,CAAA;AAAA,WACjB,MAAA;AACL,YAAA,MAAM,IAAIK,oBAAA;AAAA,cACR,gBAAgB,eAAe,CAAA,eAAA;AAAA,aACjC;AAAA;AACF,SACK,MAAA;AACL,UAAc,WAAA,GAAA,MAAM,KAAK,QAAS,CAAA,yBAAA;AAAA,YAChC,CAAA;AAAA,YACA;AAAA,WACF;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,WAAa,EAAA;AAC9B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIA,oBAAc,CAAA,CAAA,aAAA,EAAgB,IAAK,CAAA,CAAC,CAAC,CAAiB,eAAA,CAAA,CAAA;AAAA;AAClE;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,aAAA;AAAA,UACA,MAAQ,EAAA,MAAA;AAAA,UACR;AAAA,SACF;AAEA,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,WAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,QAAA;AAAA,UACH,SAAS,WAAY,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SACtC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,mBAAA;AAAA,MACAD,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAL,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA;AAAA,UAC/C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,aAAa,CAAA;AAAA,UAC9C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,QAAQ,CAAA;AAAA,UACzC,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,YAAY,CAAA;AAAA,UAC7C,IAAK,CAAA,gBAAA,CAAiB,OAAQ,CAAA,KAAA,CAAM,OAAO;AAAA,SAC7C;AAEA,QAAM,MAAA,IAAA,GACJ,UACG,CAAA,GAAA,CAAI,CAAa,SAAA,KAAA;AAChB,UAAO,OAAA;AAAA,YACL,GAAG,SAAA;AAAA,YACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,cAC7C,QAAM,EAAG,CAAA;AAAA;AACX,WACF;AAAA,SACD,CACA,CAAA,MAAA,CAAO,CAAa,SAAA,KAAA;AACnB,UAAO,OAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAAA;AAAA,SACxD,CAAA;AAEL,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,mBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AACV,QAAAQ,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL;AAAA,SACF;AAEA,QAAA,MAAM,EACJ,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,gBAAgB,iBAAiB,CAAA;AAEjE,QAAM,MAAA,IAAA,GAAO,EAAE,EAAO,EAAA;AAEtB,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAA,QAAA,CAAS,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,IAAI,CAAA;AAAA;AAChC,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAd,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAL,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIS,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAc,EAAA;AAAA;AAG1B,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAJ,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAA,MAAM,IACJ,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAC5C,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,YAC7C,QAAM,EAAG,CAAA;AAAA;AACX,YAEF,EAAC;AAEP,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAO,MAAA,CAAA,MAAA;AAAA,MACL,uBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAL,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIO,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAEjE,QAAA,MAAM,iBACJ,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,mBAAmB,SAAU,CAAA,iBAAA,CAAkB,GAAI,CAAA,CAAA,EAAA,KAAM,GAAG,MAAM;AAAA,SACpE;AAEF,QAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,iBAAkB,CAAA;AAAA,SACpB;AAEA,QAAA,IAAI,CAACU,cAAA,CAAQ,YAAc,EAAA,gBAAgB,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAIf,sBAAgB,EAAA;AAAA;AAG5B,QAAM,MAAA,IAAA,CAAK,kBAAmB,CAAA,eAAA,CAAgB,EAAE,CAAA;AAChD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,iBAAkB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAT,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIO,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAE/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,SAAU,CAAA;AAAA,SACZ;AAEA,QAAA,IAAI,CAACU,cAAA,CAAQ,YAAc,EAAA,gBAAgB,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAIf,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AAEV,QAAAiB,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL;AAAA,SACF;AAEA,QAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,eAAgB,CAAA,EAAA,EAAI,iBAAiB,CAAA;AAEnE,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAO,MAAA,CAAA,IAAA;AAAA,MACL,cAAA;AAAA,MACAd,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,CAAC,KAAK,aAAe,EAAA;AACvB,UAAM,MAAA,IAAIJ,qBAAc,CAA8B,4BAAA,CAAA,CAAA;AAAA;AAGxD,QAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA;AACrD,UAAM,MAAA,EAAA,GAAK,SAAS,eAAgB,EAAA;AACpC,UAAO,OAAA,EAAA,KAAO,QAAQ,MAAO,CAAA,EAAA;AAAA,SAC9B,CAAA;AAED,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAA,MAAM,IAAIA,oBAAA;AAAA,YACR,CAAA,kBAAA,EAAqB,OAAQ,CAAA,MAAA,CAAO,EAAE,CAAA,cAAA;AAAA,WACxC;AAAA;AAGF,QAAA,MAAM,WAAW,OAAQ,EAAA;AACzB,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAAc,6DAAA;AAAA,MACE,MAAA;AAAA,MACA,IAAK,CAAA,kBAAA;AAAA,MACL,IAAK,CAAA,gBAAA;AAAA,MACL,IAAK,CAAA,qBAAA;AAAA,MACL,IAAK,CAAA;AAAA,KACP;AAEA,IAAO,MAAA,CAAA,GAAA,CAAIC,iCAAiB,CAAA;AAE5B,IAAO,OAAA,MAAA;AAAA;AACT,EAEA,kBAAA,CAAmB,SAAkB,IAAwB,EAAA;AAC3D,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAM,MAAA,SAAA,GAAY,QAAQ,MAAO,CAAA,SAAA;AACjC,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAA,MAAM,YAAY,CAAG,EAAA,IAAI,CAAI,CAAA,EAAA,SAAS,IAAI,IAAI,CAAA,CAAA;AAE9C,IAAM,MAAA,GAAA,GAAMC,0CAAwB,CAAA,SAAA,EAAW,IAAI,CAAA;AACnD,IAAA,IAAI,GAAK,EAAA;AACP,MAAM,MAAA,IAAIb,iBAAW,CAAA,GAAA,CAAI,OAAO,CAAA;AAAA;AAGlC,IAAO,OAAA,SAAA;AAAA;AACT,EAEA,MAAM,wBACD,QACyB,EAAA;AAC5B,IAAA,MAAM,kBAAkB,MAAMc,yBAAA;AAAA,MAC5B,QAAA;AAAA,MACA,IAAK,CAAA;AAAA,KACP;AAEA,IAAA,MAAM,mBAAsC,EAAC;AAC7C,IAAA,KAAA,MAAW,KAAK,QAAU,EAAA;AACxB,MAAA,MAAM,CAAC,eAAA,EAAiB,UAAY,EAAA,MAAA,EAAQ,MAAM,CAAI,GAAA,CAAA;AACtD,MAAA,gBAAA,CAAiB,IAAK,CAAA;AAAA,QACpB,eAAA;AAAA,QACA,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAU,EAAE,MAAA,EAAQ,eAAgB,CAAA,GAAA,CAAI,eAAe,CAAG;AAAA,OAC3D,CAAA;AAAA;AAGH,IAAO,OAAA,gBAAA;AAAA;AACT,EAEA,MAAM,kBACJ,CAAA,MAAA,EAAA,GACG,KACc,EAAA;AACjB,IAAA,MAAM,gBAA6C,EAAC;AAEpD,IAAA,KAAA,CAAM,OAAQ,CAAA,CAAC,CAAC,KAAA,EAAO,IAAI,CAAM,KAAA;AAC/B,MAAI,IAAA,aAAA,CAAc,cAAe,CAAA,IAAI,CAAG,EAAA;AACtC,QAAc,aAAA,CAAA,IAAI,CAAE,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA,OACzB,MAAA;AACL,QAAc,aAAA,CAAA,IAAI,CAAI,GAAA,CAAC,KAAK,CAAA;AAAA;AAC9B,KACD,CAAA;AAED,IAAM,MAAA,MAAA,GAAiB,MAAM,OAAQ,CAAA,GAAA;AAAA,MACnC,MAAA,CAAO,QAAQ,aAAa,CAAA,CAAE,QAAQ,OAAO,CAAC,IAAM,EAAA,KAAK,CAAM,KAAA;AAC7D,QAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,IAAI,CAAA;AACjE,QAAA,MAAM,QAAW,GAAA,WAAA,GAAcC,0BAAc,CAAA,WAAW,CAAI,GAAA,SAAA;AAC5D,QAAA,OAAO,QAAQ,OAAQ,CAAA;AAAA,UACrB,gBAAkB,EAAA,KAAA;AAAA,UAClB,IAAM,EAAA,IAAA;AAAA,UACN;AAAA,SACD,CAAA;AAAA,OACF;AAAA,KACH;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAO,CAAA,MAAA,CAAO,CAAQ,IAAA,KAAA;AAC3C,MAAA,OAAO,IAAK,CAAA,QAAA,IAAYR,cAAQ,CAAA,IAAA,CAAK,UAAU,MAAM,CAAA;AAAA,KACtD,CAAA;AAED,IAAO,OAAA,cAAA;AAAA;AACT,EAEA,uBAAuB,MAAmC,EAAA;AACxD,IAAO,OAAA;AAAA,MACL,MAAO,CAAA,eAAA;AAAA,MACP,MAAO,CAAA,UAAA;AAAA,MACP,MAAO,CAAA,MAAA;AAAA,MACP,MAAO,CAAA;AAAA,KACT;AAAA;AACF,EAEA,qBAAqB,IAAwB,EAAA;AAC3C,IAAA,MAAM,QAAoB,EAAC;AAC3B,IAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,MAAA,KAAA,CAAM,IAAK,CAAA,CAAC,MAAQ,EAAA,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAEhC,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,qCAAqC,IAAY,EAAA;AAC/C,IAAK,IAAA,CAAA,gBAAA,GAAmB,KAAK,gBAAiB,CAAA,GAAA;AAAA,MAAI,CAAA,MAAA,KAChD,MAAO,CAAA,iBAAA,CAAkB,OAAO;AAAA,KAClC;AAAA;AACF,EAEA,iBACE,UACgC,EAAA;AAChC,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,SAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,MAAM,kBAAsC,EAAC;AAC7C,MAAA,KAAA,MAAW,mBAAmB,UAAY,EAAA;AACxC,QAAA,IACE,OAAO,eAAA,KAAoB,QAC3B,IAAAS,yBAAA,CAAmB,eAAe,CAClC,EAAA;AACA,UAAA,eAAA,CAAgB,KAAK,eAAe,CAAA;AAAA,SAC/B,MAAA;AACL,UAAA,MAAM,IAAIhB,iBAAA;AAAA,YACR,0CAA0C,eAAe,CAAA,mCAAA;AAAA,WAC3D;AAAA;AACF;AAEF,MAAO,OAAA,eAAA;AAAA;AAGT,IAAA,IAAI,OAAO,UAAA,KAAe,QAAY,IAAAgB,yBAAA,CAAmB,UAAU,CAAG,EAAA;AACpE,MAAA,OAAO,CAAC,UAAU,CAAA;AAAA;AAEpB,IAAA,MAAM,IAAIhB,iBAAA;AAAA,MACR,0CAA0C,UAAU,CAAA,mCAAA;AAAA,KACtD;AAAA;AACF,EAEA,cACE,UACQ,EAAA;AACR,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,EAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,IAAI,OAAO,UAAA,CAAW,CAAC,CAAA,KAAM,QAAU,EAAA;AACrC,QAAO,OAAA,UAAA,CAAW,CAAC,CAAA,CAAE,QAAS,EAAA;AAAA;AAEhC,MAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAG9D,IAAI,IAAA,OAAO,eAAe,QAAU,EAAA;AAClC,MAAO,OAAA,UAAA;AAAA;AAET,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAC9D,EAEA,sBAAsB,OAA2B,EAAA;AAC/C,IAAA,OACE,CAAC,CAAC,OAAA,CAAQ,MAAM,SAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,CAAC,CAAC,QAAQ,KAAM,CAAA,MAAA;AAAA;AAEpB,EAEA,MAAM,eAAA,CACJ,WACA,EAAA,KAAA,EACA,cACA,MACqB,EAAA;AACrB,IAAA,MAAM,WAAuB,EAAC;AAC9B,IAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,IAAA,KAAA,MAAW,UAAU,WAAa,EAAA;AAChC,MAAI,IAAA,GAAA,GAAMiB,kCAAe,MAAM,CAAA;AAC/B,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIjB,iBAAA;AAAA,UACR,CAAW,QAAA,EAAA,YAAA,IAAgB,QAAQ,CAAA,oBAAA,EACjC,IAAI,OACN,CAAA;AAAA,SACF;AAAA;AAGF,MAAM,MAAA,QAAA,GAAW,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,QACvC,MAAO,CAAA;AAAA,OACT;AAEA,MAAA,IAAI,CAACO,cAAA,CAAQ,QAAU,EAAA,MAAM,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAIf,sBAAgB,EAAA;AAAA;AAG5B,MAAI,IAAA,MAAA,GAAS,eAAe,MAAS,GAAA,QAAA;AACrC,MAAA,MAAA,GAAS,QAAQ,MAAS,GAAA,KAAA;AAE1B,MAAM,GAAA,GAAA,MAAMa,iCAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA;AAC3C,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIb,sBAAA;AAAA,UACR,aAAa,MAAM,CAAA,QAAA,EAAW,MAAO,CAAA,eAAe,IAAI,MAAO,CAAA,UAAU,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAA,EAAA,EAAK,IAAI,OAAO,CAAA;AAAA,SAC7H;AAAA;AAGF,MAAM,MAAA,iBAAA,GAAoB,IAAK,CAAA,sBAAA,CAAuB,MAAM,CAAA;AAC5D,MAAI,IAAA,KAAA,IAAS,CAAE,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIK,oBAAA;AAAA,UACR,CAAA,QAAA,EAAWqB,qBAAe,CAAA,iBAAiB,CAAC,CAAA,WAAA;AAAA,SAC9C;AAAA;AAGF,MAAI,IAAA,CAAC,SAAU,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAW,QAAA,EAAAY,qBAAA;AAAA,YACT;AAAA,WACD,CAAA,yBAAA;AAAA,SACH;AAAA;AAIF,MAAM,MAAA,SAAA,GAAY,IAAK,CAAA,SAAA,CAAU,iBAAiB,CAAA;AAClD,MAAI,IAAA,WAAA,CAAY,GAAI,CAAA,SAAS,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAA,yBAAA,EAA4B,MAAO,CAAA,eAAe,CAAK,EAAA,EAAA,MAAA,CAAO,UAAU,CAAA,EAAA,EAAK,MAAO,CAAA,MAAM,CAAK,EAAA,EAAA,MAAA,CAAO,MAAM,CAAA,eAAA;AAAA,SAC9G;AAAA,OACK,MAAA;AACL,QAAA,WAAA,CAAY,IAAI,SAAS,CAAA;AACzB,QAAA,QAAA,CAAS,KAAK,iBAAiB,CAAA;AAAA;AACjC;AAEF,IAAO,OAAA,QAAA;AAAA;AACT,EAEA,QAAA,CAAS,OAAe,KAAuB,EAAA;AAC7C,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,EAAA;AAAA;AAET,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,CAAA;AAAA;AAET,IAAO,OAAA,CAAA;AAAA;AAEX;;;;;"}
package/dist/service/policy-builder.cjs.js CHANGED
@@ -15,6 +15,12 @@ var enforcerDelegate = require('./enforcer-delegate.cjs.js');
15
15
  var permissionModel = require('./permission-model.cjs.js');
16
16
  var pluginEndpoints = require('./plugin-endpoints.cjs.js');
17
17
  var policiesRestApi = require('./policies-rest-api.cjs.js');
18
+ var pluginRbacCommon = require('@backstage-community/plugin-rbac-common');
19
+ require('../permissions/conditions.cjs.js');
20
+ var rules = require('../permissions/rules.cjs.js');
21
+ var resource = require('../permissions/resource.cjs.js');
22
+ var extraPermissionEnabledPluginsStorage = require('../database/extra-permission-enabled-plugins-storage.cjs.js');
23
+ var extendableIdProvider = require('./extendable-id-provider.cjs.js');
18
24
 
19
25
  class PolicyBuilder {
20
26
  static async build(env, pluginIdProvider = { getPluginIds: () => [] }, rbacProviders) {
@@ -54,6 +60,16 @@ class PolicyBuilder {
54
60
  roleMetadataStorage,
55
61
  databaseClient
56
62
  );
63
+ env.permissionsRegistry.addResourceType({
64
+ resourceRef: resource.permissionMetadataResourceRef,
65
+ getResources: (resourceRefs) => Promise.all(
66
+ resourceRefs.map((ref) => {
67
+ return roleMetadataStorage.findRoleMetadata(ref);
68
+ })
69
+ ),
70
+ permissions: pluginRbacCommon.policyEntityPermissions,
71
+ rules: Object.values(rules.rules)
72
+ });
57
73
  if (rbacProviders) {
58
74
  await connectProviders.connectRBACProviders(
59
75
  rbacProviders,
@@ -63,22 +79,19 @@ class PolicyBuilder {
63
79
  env.auditor
64
80
  );
65
81
  }
66
- const pluginIdsConfig = env.config.getOptionalStringArray(
67
- "permission.rbac.pluginsWithPermission"
82
+ const extraPluginsIdStorage = new extraPermissionEnabledPluginsStorage.PermissionDependentPluginDatabaseStore(
83
+ databaseClient
68
84
  );
69
- if (pluginIdsConfig) {
70
- const pluginIds = /* @__PURE__ */ new Set([
71
- ...pluginIdsConfig,
72
- ...pluginIdProvider.getPluginIds()
73
- ]);
74
- pluginIdProvider.getPluginIds = () => {
75
- return [...pluginIds];
76
- };
77
- }
85
+ const extendablePluginIdProvider = new extendableIdProvider.ExtendablePluginIdProvider(
86
+ extraPluginsIdStorage,
87
+ pluginIdProvider,
88
+ env.config
89
+ );
90
+ await extendablePluginIdProvider.handleConflictedPluginIds();
78
91
  const pluginPermMetaData = new pluginEndpoints.PluginPermissionMetadataCollector({
79
92
  deps: {
80
93
  discovery: env.discovery,
81
- pluginIdProvider,
94
+ pluginIdProvider: extendablePluginIdProvider,
82
95
  logger: env.logger,
83
96
  config: env.config
84
97
  }
@@ -110,16 +123,19 @@ class PolicyBuilder {
110
123
  policy,
111
124
  auth: env.auth,
112
125
  httpAuth: env.httpAuth,
113
- userInfo: env.userInfo
126
+ userInfo: env.userInfo,
127
+ permissions: env.permissions,
128
+ permissionsRegistry: env.permissionsRegistry,
129
+ auditor: env.auditor
114
130
  };
115
131
  const server = new policiesRestApi.PoliciesServer(
116
- env.permissions,
117
132
  options,
118
133
  enforcerDelegate$1,
119
134
  conditionStorage,
120
135
  pluginPermMetaData,
121
136
  roleMetadataStorage,
122
- env.auditor,
137
+ extraPluginsIdStorage,
138
+ extendablePluginIdProvider,
123
139
  rbacProviders
124
140
  );
125
141
  return server.serve();
package/dist/service/policy-builder.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"policy-builder.cjs.js","sources":["../../src/service/policy-builder.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { DatabaseManager } from '@backstage/backend-defaults/database';\nimport type {\n AuditorService,\n AuthService,\n DiscoveryService,\n HttpAuthService,\n LifecycleService,\n LoggerService,\n UserInfoService,\n} from '@backstage/backend-plugin-api';\nimport { CatalogClient } from '@backstage/catalog-client';\nimport type { Config } from '@backstage/config';\nimport type { PermissionEvaluator } from '@backstage/plugin-permission-common';\nimport { PermissionPolicy } from '@backstage/plugin-permission-node';\n\nimport { newEnforcer, newModelFromString } from 'casbin';\nimport type { Router } from 'express';\n\nimport type {\n PluginIdProvider,\n RBACProvider,\n} from '@backstage-community/plugin-rbac-node';\n\nimport { CasbinDBAdapterFactory } from '../database/casbin-adapter-factory';\nimport { DataBaseConditionalStorage } from '../database/conditional-storage';\nimport { migrate } from '../database/migration';\nimport { DataBaseRoleMetadataStorage } from '../database/role-metadata';\nimport { AllowAllPolicy } from '../policies/allow-all-policy';\nimport { RBACPermissionPolicy } from '../policies/permission-policy';\nimport { connectRBACProviders } from '../providers/connect-providers';\nimport { BackstageRoleManager } from '../role-manager/role-manager';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { MODEL } from './permission-model';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { PoliciesServer } from './policies-rest-api';\n\n/**\n * @public\n */\nexport type EnvOptions = {\n config: Config;\n logger: LoggerService;\n discovery: DiscoveryService;\n permissions: PermissionEvaluator;\n auth: AuthService;\n httpAuth: HttpAuthService;\n auditor: AuditorService;\n userInfo: UserInfoService;\n lifecycle: LifecycleService;\n};\n\n/**\n * @public\n */\nexport type RBACRouterOptions = {\n config: Config;\n logger: LoggerService;\n discovery: DiscoveryService;\n policy: PermissionPolicy;\n auth: AuthService;\n httpAuth: HttpAuthService;\n userInfo: UserInfoService;\n};\n\n/**\n * @public\n */\nexport class PolicyBuilder {\n public static async build(\n env: EnvOptions,\n pluginIdProvider: PluginIdProvider = { getPluginIds: () => [] },\n rbacProviders?: Array<RBACProvider>,\n ): Promise<Router> {\n let policy: PermissionPolicy;\n\n const databaseManager = DatabaseManager.fromConfig(env.config).forPlugin(\n 'permission',\n { logger: env.logger, lifecycle: env.lifecycle },\n );\n\n const databaseClient = await databaseManager.getClient();\n\n const adapter = await new CasbinDBAdapterFactory(\n env.config,\n databaseClient,\n ).createAdapter();\n\n const enf = await newEnforcer(newModelFromString(MODEL), adapter);\n await enf.loadPolicy();\n enf.enableAutoSave(true);\n\n const catalogClient = new CatalogClient({ discoveryApi: env.discovery });\n const catalogDBClient = await DatabaseManager.fromConfig(env.config)\n .forPlugin('catalog', { logger: env.logger, lifecycle: env.lifecycle })\n .getClient();\n\n const rm = new BackstageRoleManager(\n catalogClient,\n env.logger,\n catalogDBClient,\n databaseClient,\n env.config,\n env.auth,\n );\n enf.setRoleManager(rm);\n enf.enableAutoBuildRoleLinks(false);\n await enf.buildRoleLinks();\n\n await migrate(databaseManager);\n\n const conditionStorage = new DataBaseConditionalStorage(databaseClient);\n\n const roleMetadataStorage = new DataBaseRoleMetadataStorage(databaseClient);\n const enforcerDelegate = new EnforcerDelegate(\n enf,\n env.auditor,\n conditionStorage,\n roleMetadataStorage,\n databaseClient,\n );\n\n if (rbacProviders) {\n await connectRBACProviders(\n rbacProviders,\n enforcerDelegate,\n roleMetadataStorage,\n env.logger,\n env.auditor,\n );\n }\n\n const pluginIdsConfig = env.config.getOptionalStringArray(\n 'permission.rbac.pluginsWithPermission',\n );\n if (pluginIdsConfig) {\n const pluginIds = new Set([\n ...pluginIdsConfig,\n ...pluginIdProvider.getPluginIds(),\n ]);\n pluginIdProvider.getPluginIds = () => {\n return [...pluginIds];\n };\n }\n\n const pluginPermMetaData = new PluginPermissionMetadataCollector({\n deps: {\n discovery: env.discovery,\n pluginIdProvider: pluginIdProvider,\n logger: env.logger,\n config: env.config,\n },\n });\n\n const isPluginEnabled = env.config.getOptionalBoolean('permission.enabled');\n if (isPluginEnabled) {\n env.logger.info('RBAC backend plugin was enabled');\n\n policy = await RBACPermissionPolicy.build(\n env.logger,\n env.auditor,\n env.config,\n conditionStorage,\n enforcerDelegate,\n roleMetadataStorage,\n databaseClient,\n pluginPermMetaData,\n env.auth,\n );\n } else {\n env.logger.warn(\n 'RBAC backend plugin was disabled by application config permission.enabled: false',\n );\n\n policy = new AllowAllPolicy();\n }\n\n const options: RBACRouterOptions = {\n config: env.config,\n logger: env.logger,\n discovery: env.discovery,\n policy,\n auth: env.auth,\n httpAuth: env.httpAuth,\n userInfo: env.userInfo,\n };\n\n const server = new PoliciesServer(\n env.permissions,\n options,\n enforcerDelegate,\n conditionStorage,\n pluginPermMetaData,\n roleMetadataStorage,\n env.auditor,\n rbacProviders,\n );\n return server.serve();\n }\n}\n"],"names":["DatabaseManager","CasbinDBAdapterFactory","newEnforcer","newModelFromString","MODEL","catalogClient","CatalogClient","BackstageRoleManager","migrate","DataBaseConditionalStorage","DataBaseRoleMetadataStorage","enforcerDelegate","EnforcerDelegate","connectRBACProviders","PluginPermissionMetadataCollector","RBACPermissionPolicy","AllowAllPolicy","PoliciesServer"],"mappings":";;;;;;;;;;;;;;;;;;AAkFO,MAAM,aAAc,CAAA;AAAA,EACzB,aAAoB,KAClB,CAAA,GAAA,EACA,gBAAqC,GAAA,EAAE,cAAc,MAAM,EAAG,EAAA,EAC9D,aACiB,EAAA;AACjB,IAAI,IAAA,MAAA;AAEJ,IAAA,MAAM,eAAkB,GAAAA,wBAAA,CAAgB,UAAW,CAAA,GAAA,CAAI,MAAM,CAAE,CAAA,SAAA;AAAA,MAC7D,YAAA;AAAA,MACA,EAAE,MAAQ,EAAA,GAAA,CAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU;AAAA,KACjD;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAM,eAAA,CAAgB,SAAU,EAAA;AAEvD,IAAM,MAAA,OAAA,GAAU,MAAM,IAAIC,2CAAA;AAAA,MACxB,GAAI,CAAA,MAAA;AAAA,MACJ;AAAA,MACA,aAAc,EAAA;AAEhB,IAAA,MAAM,MAAM,MAAMC,kBAAA,CAAYC,yBAAmB,CAAAC,qBAAK,GAAG,OAAO,CAAA;AAChE,IAAA,MAAM,IAAI,UAAW,EAAA;AACrB,IAAA,GAAA,CAAI,eAAe,IAAI,CAAA;AAEvB,IAAA,MAAMC,kBAAgB,IAAIC,2BAAA,CAAc,EAAE,YAAc,EAAA,GAAA,CAAI,WAAW,CAAA;AACvE,IAAA,MAAM,kBAAkB,MAAMN,wBAAA,CAAgB,WAAW,GAAI,CAAA,MAAM,EAChE,SAAU,CAAA,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU,EAAC,EACrE,SAAU,EAAA;AAEb,IAAA,MAAM,KAAK,IAAIO,gCAAA;AAAA,MACbF,eAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,eAAA;AAAA,MACA,cAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,GAAI,CAAA;AAAA,KACN;AACA,IAAA,GAAA,CAAI,eAAe,EAAE,CAAA;AACrB,IAAA,GAAA,CAAI,yBAAyB,KAAK,CAAA;AAClC,IAAA,MAAM,IAAI,cAAe,EAAA;AAEzB,IAAA,MAAMG,kBAAQ,eAAe,CAAA;AAE7B,IAAM,MAAA,gBAAA,GAAmB,IAAIC,6CAAA,CAA2B,cAAc,CAAA;AAEtE,IAAM,MAAA,mBAAA,GAAsB,IAAIC,wCAAA,CAA4B,cAAc,CAAA;AAC1E,IAAA,MAAMC,qBAAmB,IAAIC,iCAAA;AAAA,MAC3B,GAAA;AAAA,MACA,GAAI,CAAA,OAAA;AAAA,MACJ,gBAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,IAAI,aAAe,EAAA;AACjB,MAAM,MAAAC,qCAAA;AAAA,QACJ,aAAA;AAAA,QACAF,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,GAAI,CAAA,MAAA;AAAA,QACJ,GAAI,CAAA;AAAA,OACN;AAAA;AAGF,IAAM,MAAA,eAAA,GAAkB,IAAI,MAAO,CAAA,sBAAA;AAAA,MACjC;AAAA,KACF;AACA,IAAA,IAAI,eAAiB,EAAA;AACnB,MAAM,MAAA,SAAA,uBAAgB,GAAI,CAAA;AAAA,QACxB,GAAG,eAAA;AAAA,QACH,GAAG,iBAAiB,YAAa;AAAA,OAClC,CAAA;AACD,MAAA,gBAAA,CAAiB,eAAe,MAAM;AACpC,QAAO,OAAA,CAAC,GAAG,SAAS,CAAA;AAAA,OACtB;AAAA;AAGF,IAAM,MAAA,kBAAA,GAAqB,IAAIG,iDAAkC,CAAA;AAAA,MAC/D,IAAM,EAAA;AAAA,QACJ,WAAW,GAAI,CAAA,SAAA;AAAA,QACf,gBAAA;AAAA,QACA,QAAQ,GAAI,CAAA,MAAA;AAAA,QACZ,QAAQ,GAAI,CAAA;AAAA;AACd,KACD,CAAA;AAED,IAAA,MAAM,eAAkB,GAAA,GAAA,CAAI,MAAO,CAAA,kBAAA,CAAmB,oBAAoB,CAAA;AAC1E,IAAA,IAAI,eAAiB,EAAA;AACnB,MAAI,GAAA,CAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAEjD,MAAA,MAAA,GAAS,MAAMC,qCAAqB,CAAA,KAAA;AAAA,QAClC,GAAI,CAAA,MAAA;AAAA,QACJ,GAAI,CAAA,OAAA;AAAA,QACJ,GAAI,CAAA,MAAA;AAAA,QACJ,gBAAA;AAAA,QACAJ,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,cAAA;AAAA,QACA,kBAAA;AAAA,QACA,GAAI,CAAA;AAAA,OACN;AAAA,KACK,MAAA;AACL,MAAA,GAAA,CAAI,MAAO,CAAA,IAAA;AAAA,QACT;AAAA,OACF;AAEA,MAAA,MAAA,GAAS,IAAIK,6BAAe,EAAA;AAAA;AAG9B,IAAA,MAAM,OAA6B,GAAA;AAAA,MACjC,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,WAAW,GAAI,CAAA,SAAA;AAAA,MACf,MAAA;AAAA,MACA,MAAM,GAAI,CAAA,IAAA;AAAA,MACV,UAAU,GAAI,CAAA,QAAA;AAAA,MACd,UAAU,GAAI,CAAA;AAAA,KAChB;AAEA,IAAA,MAAM,SAAS,IAAIC,8BAAA;AAAA,MACjB,GAAI,CAAA,WAAA;AAAA,MACJ,OAAA;AAAA,MACAN,kBAAA;AAAA,MACA,gBAAA;AAAA,MACA,kBAAA;AAAA,MACA,mBAAA;AAAA,MACA,GAAI,CAAA,OAAA;AAAA,MACJ;AAAA,KACF;AACA,IAAA,OAAO,OAAO,KAAM,EAAA;AAAA;AAExB;;;;"}
1
+ {"version":3,"file":"policy-builder.cjs.js","sources":["../../src/service/policy-builder.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { DatabaseManager } from '@backstage/backend-defaults/database';\nimport type {\n AuditorService,\n AuthService,\n DiscoveryService,\n HttpAuthService,\n LifecycleService,\n LoggerService,\n PermissionsRegistryService,\n PermissionsService,\n UserInfoService,\n} from '@backstage/backend-plugin-api';\nimport { CatalogClient } from '@backstage/catalog-client';\nimport type { Config } from '@backstage/config';\nimport type { PermissionEvaluator } from '@backstage/plugin-permission-common';\nimport { PermissionPolicy } from '@backstage/plugin-permission-node';\n\nimport { newEnforcer, newModelFromString } from 'casbin';\nimport type { Router } from 'express';\n\nimport type {\n PluginIdProvider,\n RBACProvider,\n} from '@backstage-community/plugin-rbac-node';\n\nimport { CasbinDBAdapterFactory } from '../database/casbin-adapter-factory';\nimport { DataBaseConditionalStorage } from '../database/conditional-storage';\nimport { migrate } from '../database/migration';\nimport { DataBaseRoleMetadataStorage } from '../database/role-metadata';\nimport { AllowAllPolicy } from '../policies/allow-all-policy';\nimport { RBACPermissionPolicy } from '../policies/permission-policy';\nimport { connectRBACProviders } from '../providers/connect-providers';\nimport { BackstageRoleManager } from '../role-manager/role-manager';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { MODEL } from './permission-model';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { PoliciesServer } from './policies-rest-api';\nimport { policyEntityPermissions } from '@backstage-community/plugin-rbac-common';\nimport { rules } from '../permissions';\nimport { permissionMetadataResourceRef } from '../permissions/resource';\nimport { PermissionDependentPluginDatabaseStore } from '../database/extra-permission-enabled-plugins-storage';\nimport { ExtendablePluginIdProvider } from './extendable-id-provider';\n\n/**\n * @public\n */\nexport type EnvOptions = {\n config: Config;\n logger: LoggerService;\n discovery: DiscoveryService;\n permissions: PermissionEvaluator;\n auth: AuthService;\n httpAuth: HttpAuthService;\n auditor: AuditorService;\n userInfo: UserInfoService;\n lifecycle: LifecycleService;\n permissionsRegistry: PermissionsRegistryService;\n};\n\n/**\n * @public\n */\nexport type RBACRouterOptions = {\n config: Config;\n logger: LoggerService;\n discovery: DiscoveryService;\n policy: PermissionPolicy;\n auth: AuthService;\n httpAuth: HttpAuthService;\n userInfo: UserInfoService;\n permissions: PermissionsService;\n permissionsRegistry: PermissionsRegistryService;\n auditor: AuditorService;\n};\n\n/**\n * @public\n */\nexport class PolicyBuilder {\n public static async build(\n env: EnvOptions,\n pluginIdProvider: PluginIdProvider = { getPluginIds: () => [] },\n rbacProviders?: Array<RBACProvider>,\n ): Promise<Router> {\n let policy: PermissionPolicy;\n\n const databaseManager = DatabaseManager.fromConfig(env.config).forPlugin(\n 'permission',\n { logger: env.logger, lifecycle: env.lifecycle },\n );\n\n const databaseClient = await databaseManager.getClient();\n\n const adapter = await new CasbinDBAdapterFactory(\n env.config,\n databaseClient,\n ).createAdapter();\n\n const enf = await newEnforcer(newModelFromString(MODEL), adapter);\n await enf.loadPolicy();\n enf.enableAutoSave(true);\n\n const catalogClient = new CatalogClient({ discoveryApi: env.discovery });\n const catalogDBClient = await DatabaseManager.fromConfig(env.config)\n .forPlugin('catalog', { logger: env.logger, lifecycle: env.lifecycle })\n .getClient();\n\n const rm = new BackstageRoleManager(\n catalogClient,\n env.logger,\n catalogDBClient,\n databaseClient,\n env.config,\n env.auth,\n );\n enf.setRoleManager(rm);\n enf.enableAutoBuildRoleLinks(false);\n await enf.buildRoleLinks();\n\n await migrate(databaseManager);\n\n const conditionStorage = new DataBaseConditionalStorage(databaseClient);\n\n const roleMetadataStorage = new DataBaseRoleMetadataStorage(databaseClient);\n const enforcerDelegate = new EnforcerDelegate(\n enf,\n env.auditor,\n conditionStorage,\n roleMetadataStorage,\n databaseClient,\n );\n\n env.permissionsRegistry.addResourceType({\n resourceRef: permissionMetadataResourceRef,\n getResources: resourceRefs =>\n Promise.all(\n resourceRefs.map(ref => {\n return roleMetadataStorage.findRoleMetadata(ref);\n }),\n ),\n permissions: policyEntityPermissions,\n rules: Object.values(rules),\n });\n\n if (rbacProviders) {\n await connectRBACProviders(\n rbacProviders,\n enforcerDelegate,\n roleMetadataStorage,\n env.logger,\n env.auditor,\n );\n }\n\n const extraPluginsIdStorage = new PermissionDependentPluginDatabaseStore(\n databaseClient,\n );\n const extendablePluginIdProvider = new ExtendablePluginIdProvider(\n extraPluginsIdStorage,\n pluginIdProvider,\n env.config,\n );\n await extendablePluginIdProvider.handleConflictedPluginIds();\n const pluginPermMetaData = new PluginPermissionMetadataCollector({\n deps: {\n discovery: env.discovery,\n pluginIdProvider: extendablePluginIdProvider,\n logger: env.logger,\n config: env.config,\n },\n });\n\n const isPluginEnabled = env.config.getOptionalBoolean('permission.enabled');\n if (isPluginEnabled) {\n env.logger.info('RBAC backend plugin was enabled');\n\n policy = await RBACPermissionPolicy.build(\n env.logger,\n env.auditor,\n env.config,\n conditionStorage,\n enforcerDelegate,\n roleMetadataStorage,\n databaseClient,\n pluginPermMetaData,\n env.auth,\n );\n } else {\n env.logger.warn(\n 'RBAC backend plugin was disabled by application config permission.enabled: false',\n );\n\n policy = new AllowAllPolicy();\n }\n\n const options: RBACRouterOptions = {\n config: env.config,\n logger: env.logger,\n discovery: env.discovery,\n policy,\n auth: env.auth,\n httpAuth: env.httpAuth,\n userInfo: env.userInfo,\n permissions: env.permissions,\n permissionsRegistry: env.permissionsRegistry,\n auditor: env.auditor,\n };\n\n const server = new PoliciesServer(\n options,\n enforcerDelegate,\n conditionStorage,\n pluginPermMetaData,\n roleMetadataStorage,\n extraPluginsIdStorage,\n extendablePluginIdProvider,\n rbacProviders,\n );\n return server.serve();\n }\n}\n"],"names":["DatabaseManager","CasbinDBAdapterFactory","newEnforcer","newModelFromString","MODEL","catalogClient","CatalogClient","BackstageRoleManager","migrate","DataBaseConditionalStorage","DataBaseRoleMetadataStorage","enforcerDelegate","EnforcerDelegate","permissionMetadataResourceRef","policyEntityPermissions","rules","connectRBACProviders","PermissionDependentPluginDatabaseStore","ExtendablePluginIdProvider","PluginPermissionMetadataCollector","RBACPermissionPolicy","AllowAllPolicy","PoliciesServer"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AA6FO,MAAM,aAAc,CAAA;AAAA,EACzB,aAAoB,KAClB,CAAA,GAAA,EACA,gBAAqC,GAAA,EAAE,cAAc,MAAM,EAAG,EAAA,EAC9D,aACiB,EAAA;AACjB,IAAI,IAAA,MAAA;AAEJ,IAAA,MAAM,eAAkB,GAAAA,wBAAA,CAAgB,UAAW,CAAA,GAAA,CAAI,MAAM,CAAE,CAAA,SAAA;AAAA,MAC7D,YAAA;AAAA,MACA,EAAE,MAAQ,EAAA,GAAA,CAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU;AAAA,KACjD;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAM,eAAA,CAAgB,SAAU,EAAA;AAEvD,IAAM,MAAA,OAAA,GAAU,MAAM,IAAIC,2CAAA;AAAA,MACxB,GAAI,CAAA,MAAA;AAAA,MACJ;AAAA,MACA,aAAc,EAAA;AAEhB,IAAA,MAAM,MAAM,MAAMC,kBAAA,CAAYC,yBAAmB,CAAAC,qBAAK,GAAG,OAAO,CAAA;AAChE,IAAA,MAAM,IAAI,UAAW,EAAA;AACrB,IAAA,GAAA,CAAI,eAAe,IAAI,CAAA;AAEvB,IAAA,MAAMC,kBAAgB,IAAIC,2BAAA,CAAc,EAAE,YAAc,EAAA,GAAA,CAAI,WAAW,CAAA;AACvE,IAAA,MAAM,kBAAkB,MAAMN,wBAAA,CAAgB,WAAW,GAAI,CAAA,MAAM,EAChE,SAAU,CAAA,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAI,MAAQ,EAAA,SAAA,EAAW,IAAI,SAAU,EAAC,EACrE,SAAU,EAAA;AAEb,IAAA,MAAM,KAAK,IAAIO,gCAAA;AAAA,MACbF,eAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,eAAA;AAAA,MACA,cAAA;AAAA,MACA,GAAI,CAAA,MAAA;AAAA,MACJ,GAAI,CAAA;AAAA,KACN;AACA,IAAA,GAAA,CAAI,eAAe,EAAE,CAAA;AACrB,IAAA,GAAA,CAAI,yBAAyB,KAAK,CAAA;AAClC,IAAA,MAAM,IAAI,cAAe,EAAA;AAEzB,IAAA,MAAMG,kBAAQ,eAAe,CAAA;AAE7B,IAAM,MAAA,gBAAA,GAAmB,IAAIC,6CAAA,CAA2B,cAAc,CAAA;AAEtE,IAAM,MAAA,mBAAA,GAAsB,IAAIC,wCAAA,CAA4B,cAAc,CAAA;AAC1E,IAAA,MAAMC,qBAAmB,IAAIC,iCAAA;AAAA,MAC3B,GAAA;AAAA,MACA,GAAI,CAAA,OAAA;AAAA,MACJ,gBAAA;AAAA,MACA,mBAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,GAAA,CAAI,oBAAoB,eAAgB,CAAA;AAAA,MACtC,WAAa,EAAAC,sCAAA;AAAA,MACb,YAAA,EAAc,kBACZ,OAAQ,CAAA,GAAA;AAAA,QACN,YAAA,CAAa,IAAI,CAAO,GAAA,KAAA;AACtB,UAAO,OAAA,mBAAA,CAAoB,iBAAiB,GAAG,CAAA;AAAA,SAChD;AAAA,OACH;AAAA,MACF,WAAa,EAAAC,wCAAA;AAAA,MACb,KAAA,EAAO,MAAO,CAAA,MAAA,CAAOC,WAAK;AAAA,KAC3B,CAAA;AAED,IAAA,IAAI,aAAe,EAAA;AACjB,MAAM,MAAAC,qCAAA;AAAA,QACJ,aAAA;AAAA,QACAL,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,GAAI,CAAA,MAAA;AAAA,QACJ,GAAI,CAAA;AAAA,OACN;AAAA;AAGF,IAAA,MAAM,wBAAwB,IAAIM,2EAAA;AAAA,MAChC;AAAA,KACF;AACA,IAAA,MAAM,6BAA6B,IAAIC,+CAAA;AAAA,MACrC,qBAAA;AAAA,MACA,gBAAA;AAAA,MACA,GAAI,CAAA;AAAA,KACN;AACA,IAAA,MAAM,2BAA2B,yBAA0B,EAAA;AAC3D,IAAM,MAAA,kBAAA,GAAqB,IAAIC,iDAAkC,CAAA;AAAA,MAC/D,IAAM,EAAA;AAAA,QACJ,WAAW,GAAI,CAAA,SAAA;AAAA,QACf,gBAAkB,EAAA,0BAAA;AAAA,QAClB,QAAQ,GAAI,CAAA,MAAA;AAAA,QACZ,QAAQ,GAAI,CAAA;AAAA;AACd,KACD,CAAA;AAED,IAAA,MAAM,eAAkB,GAAA,GAAA,CAAI,MAAO,CAAA,kBAAA,CAAmB,oBAAoB,CAAA;AAC1E,IAAA,IAAI,eAAiB,EAAA;AACnB,MAAI,GAAA,CAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAEjD,MAAA,MAAA,GAAS,MAAMC,qCAAqB,CAAA,KAAA;AAAA,QAClC,GAAI,CAAA,MAAA;AAAA,QACJ,GAAI,CAAA,OAAA;AAAA,QACJ,GAAI,CAAA,MAAA;AAAA,QACJ,gBAAA;AAAA,QACAT,kBAAA;AAAA,QACA,mBAAA;AAAA,QACA,cAAA;AAAA,QACA,kBAAA;AAAA,QACA,GAAI,CAAA;AAAA,OACN;AAAA,KACK,MAAA;AACL,MAAA,GAAA,CAAI,MAAO,CAAA,IAAA;AAAA,QACT;AAAA,OACF;AAEA,MAAA,MAAA,GAAS,IAAIU,6BAAe,EAAA;AAAA;AAG9B,IAAA,MAAM,OAA6B,GAAA;AAAA,MACjC,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,WAAW,GAAI,CAAA,SAAA;AAAA,MACf,MAAA;AAAA,MACA,MAAM,GAAI,CAAA,IAAA;AAAA,MACV,UAAU,GAAI,CAAA,QAAA;AAAA,MACd,UAAU,GAAI,CAAA,QAAA;AAAA,MACd,aAAa,GAAI,CAAA,WAAA;AAAA,MACjB,qBAAqB,GAAI,CAAA,mBAAA;AAAA,MACzB,SAAS,GAAI,CAAA;AAAA,KACf;AAEA,IAAA,MAAM,SAAS,IAAIC,8BAAA;AAAA,MACjB,OAAA;AAAA,MACAX,kBAAA;AAAA,MACA,gBAAA;AAAA,MACA,kBAAA;AAAA,MACA,mBAAA;AAAA,MACA,qBAAA;AAAA,MACA,0BAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,OAAO,OAAO,KAAM,EAAA;AAAA;AAExB;;;;"}
package/dist/validation/plugin-validation.cjs.js ADDED
@@ -0,0 +1,15 @@
1
+ 'use strict';
2
+
3
+ function validatePermissionDependentPlugin(plugin) {
4
+ if (!plugin.ids) {
5
+ throw new Error(
6
+ `'ids' must be specified in the permission dependent plugin`
7
+ );
8
+ }
9
+ if (!Array.isArray(plugin.ids) || !plugin.ids.every((id) => typeof id === "string")) {
10
+ throw new Error(`'ids' must be an array of string plugin ID values`);
11
+ }
12
+ }
13
+
14
+ exports.validatePermissionDependentPlugin = validatePermissionDependentPlugin;
15
+ //# sourceMappingURL=plugin-validation.cjs.js.map
package/dist/validation/plugin-validation.cjs.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"plugin-validation.cjs.js","sources":["../../src/validation/plugin-validation.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { PermissionDependentPluginList } from '@backstage-community/plugin-rbac-common';\n\nexport function validatePermissionDependentPlugin(\n plugin: PermissionDependentPluginList,\n) {\n if (!plugin.ids) {\n throw new Error(\n `'ids' must be specified in the permission dependent plugin`,\n );\n }\n if (\n !Array.isArray(plugin.ids) ||\n !plugin.ids.every(id => typeof id === 'string')\n ) {\n throw new Error(`'ids' must be an array of string plugin ID values`);\n }\n}\n"],"names":[],"mappings":";;AAiBO,SAAS,kCACd,MACA,EAAA;AACA,EAAI,IAAA,CAAC,OAAO,GAAK,EAAA;AACf,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,0DAAA;AAAA,KACF;AAAA;AAEF,EAAA,IACE,CAAC,KAAA,CAAM,OAAQ,CAAA,MAAA,CAAO,GAAG,CACzB,IAAA,CAAC,MAAO,CAAA,GAAA,CAAI,KAAM,CAAA,CAAA,EAAA,KAAM,OAAO,EAAA,KAAO,QAAQ,CAC9C,EAAA;AACA,IAAM,MAAA,IAAI,MAAM,CAAmD,iDAAA,CAAA,CAAA;AAAA;AAEvE;;;;"}
package/migrations/20250509110032_migrations.js ADDED
@@ -0,0 +1,29 @@
1
+ /*
2
+ * Copyright 2025 The Backstage Authors
3
+ *
4
+ * Licensed under the Apache License, Version 2.0 (the "License");
5
+ * you may not use this file except in compliance with the License.
6
+ * You may obtain a copy of the License at
7
+ *
8
+ * http://www.apache.org/licenses/LICENSE-2.0
9
+ *
10
+ * Unless required by applicable law or agreed to in writing, software
11
+ * distributed under the License is distributed on an "AS IS" BASIS,
12
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
+ * See the License for the specific language governing permissions and
14
+ * limitations under the License.
15
+ */
16
+
17
+ exports.up = async function up(knex) {
18
+ await knex.schema.createTable('extra_permission_enabled_plugins', table => {
19
+ table.string('pluginId').primary();
20
+ });
21
+ };
22
+
23
+ /**
24
+ * @param { import("knex").Knex } knex
25
+ * @returns { Promise<void> }
26
+ */
27
+ exports.down = async function down(knex) {
28
+ await knex.schema.dropTable('extra_permission_enabled_plugins');
29
+ };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@backstage-community/plugin-rbac-backend",
3
- "version": "6.2.5",
3
+ "version": "6.3.0",
4
4
  "main": "dist/index.cjs.js",
5
5
  "types": "dist/index.d.ts",
6
6
  "license": "Apache-2.0",
@@ -37,7 +37,7 @@
37
37
  "postpack": "backstage-cli package postpack"
38
38
  },
39
39
  "dependencies": {
40
- "@backstage-community/plugin-rbac-common": "^1.16.1",
40
+ "@backstage-community/plugin-rbac-common": "^1.17.0",
41
41
  "@backstage-community/plugin-rbac-node": "^1.11.1",
42
42
  "@backstage/backend-defaults": "^0.9.0",
43
43
  "@backstage/backend-plugin-api": "^1.3.0",
@@ -66,10 +66,10 @@
66
66
  "@backstage/config": "^1.3.2",
67
67
  "@backstage/core-plugin-api": "^1.10.6",
68
68
  "@backstage/types": "^1.2.1",
69
- "@types/express": "4.17.21",
69
+ "@types/express": "4.17.22",
70
70
  "@types/knex": "^0.16.1",
71
71
  "@types/lodash": "^4.14.151",
72
- "@types/node": "18.19.68",
72
+ "@types/node": "22.15.29",
73
73
  "@types/supertest": "2.0.16",
74
74
  "knex-mock-client": "2.0.1",
75
75
  "msw": "1.3.5",