@backstage-community/plugin-rbac-backend 7.10.0 → 7.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/CHANGELOG.md +26 -0
  2. package/README.md +24 -0
  3. package/config.d.ts +23 -0
  4. package/dist/database/role-metadata.cjs.js +49 -3
  5. package/dist/database/role-metadata.cjs.js.map +1 -1
  6. package/dist/default-permissions/default-permissions.cjs.js +133 -0
  7. package/dist/default-permissions/default-permissions.cjs.js.map +1 -0
  8. package/dist/helper.cjs.js +19 -0
  9. package/dist/helper.cjs.js.map +1 -1
  10. package/dist/permissions/resource.cjs.js.map +1 -1
  11. package/dist/permissions/rules.cjs.js +3 -0
  12. package/dist/permissions/rules.cjs.js.map +1 -1
  13. package/dist/role-manager/role-manager.cjs.js +7 -2
  14. package/dist/role-manager/role-manager.cjs.js.map +1 -1
  15. package/dist/service/policies-rest-api.cjs.js +29 -12
  16. package/dist/service/policies-rest-api.cjs.js.map +1 -1
  17. package/dist/service/policy-builder.cjs.js +13 -1
  18. package/dist/service/policy-builder.cjs.js.map +1 -1
  19. package/migrations/20260216100000_add_is_default_to_role_metadata.js +43 -0
  20. package/package.json +4 -8
package/dist/role-manager/role-manager.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo, ASMGroup } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\nimport { AncestorSearchFactory } from './ancestor-search-factory';\n\nexport class BackstageRoleManager implements RoleManager {\n private allRoles: Map<string, RoleMemberList>;\n private maxDepth?: number;\n constructor(\n private readonly catalogApi: CatalogApi,\n private readonly logger: LoggerService,\n private readonly catalogDBClient: Knex,\n private readonly rbacDBClient: Knex,\n private readonly config: Config,\n private readonly auth: AuthService,\n ) {\n this.allRoles = new Map<string, RoleMemberList>();\n const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n throw new Error(\n 'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n );\n }\n }\n\n /**\n * clear clears all stored data and resets the role manager to the initial state.\n */\n async clear(): Promise<void> {\n // do nothing\n }\n\n /**\n * addLink adds the inheritance link between name1 and role: name2.\n * aka name1 inherits role: name2.\n * The link that is established is based on the defined grouping policies that are added by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be assigned to a role.\n * @param name2 The role that will be created or updated.\n * @param _domain Unimplemented prefix to the role.\n */\n async addLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.addMember(name1);\n }\n }\n\n /**\n * deleteLink deletes the inheritance link between name1 and role: name2.\n * aka name1 does not inherit role: name2 any more.\n * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be removed from assignment of a role.\n * @param name2 The role that will be deleted or updated.\n * @param _domain Unimplemented.\n */\n async deleteLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.deleteMember(name1);\n\n // Clean up in the event that there are no more members in the role\n if (role1.getMembers().length === 0) {\n this.allRoles.delete(name2);\n }\n }\n }\n\n /**\n * hasLink determines whether name1 inherits role: name2.\n * Before this check is called in the background by the enforcer,\n * we filter out all roles that the user is not connected to\n * directly or indirectly through the use of retrieving roles through\n * enforcer.getRolesForUser and apply those roles to a tempEnforcer.\n *\n * This means that hasLink will almost always be true in the event that a user\n * is assigned to a role (either directly or indirectly)\n *\n * In the event that a user or group is not assigned to a role and instead\n * are assigned directly to permissions, then name2 will become either that\n * user or group through the filtering. In this case we will build the graph\n * if necessary for name2 group presence or evaulate based on the names matching.\n * @param name1 The user that we are authorizing.\n * @param name2 The name of the role that we are checking against.\n * @param domain Unimplemented.\n * @returns True if the user is directly or indirectly attached to the role.\n */\n async hasLink(\n name1: string,\n name2: string,\n ...domain: string[]\n ): Promise<boolean> {\n if (domain.length > 0) {\n throw new Error('domain argument is not supported.');\n }\n\n // Name2 can be an empty string in the event that there is not a role associated with the user\n // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n if (name2.length === 0) {\n return false;\n }\n\n if (name1 === name2) {\n return true;\n }\n\n // name1 is always user in our case.\n // name2 is user or group.\n // user(name1) couldn't inherit user(name2).\n // We can use this fact for optimization.\n const { kind } = parseEntityRef(name2);\n if (kind.toLocaleLowerCase() === 'user') {\n return false;\n }\n\n // if it is a group, then we will have to build the graph,\n if (kind.toLocaleLowerCase() === 'group') {\n const memo = await AncestorSearchFactory.createAncestorSearchMemo(\n name1,\n this.config,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n\n await memo.buildUserGraph();\n memo.debugNodesAndEdges(this.logger, name1);\n\n if (!memo.isAcyclic()) {\n const cycles = memo.findCycles();\n\n this.logger.warn(\n `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n cycles,\n )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n cycles,\n )}`,\n );\n return false;\n }\n\n return memo.hasEntityRef(name2);\n }\n\n return true;\n }\n\n /**\n * syncedHasLink determines whether role: name1 inherits role: name2.\n * domain is a prefix to the roles.\n */\n syncedHasLink?(\n _name1: string,\n _name2: string,\n ..._domain: string[]\n ): boolean {\n throw new Error('Method \"syncedHasLink\" not implemented.');\n }\n\n /**\n * getRoles gets the roles that a subject inherits.\n *\n * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n * so format is <kind>:<namespace>/<entity-name>.\n * GetRoles method supports only two kind values: 'user' and 'role'.\n *\n * domain - is a prefix to the roles, unused parameter.\n *\n * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n * Case kind === 'group' - should not happen, because:\n * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n * method again to ask about name with kind \"group\".\n * 2) We implemented getRoles method only to use:\n * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * so name argument can be only with kind 'user' or 'role'.\n *\n * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * then casbin engine executes 'getRoles' method few times.\n * Firstly casbin asks about roles for 'userEntityRef'.\n * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n * Then casbin calls 'getRoles' two more times to\n * find parent roles. But we return empty array for each such call,\n * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n */\n async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n const { kind } = parseEntityRef(name);\n if (kind === 'user') {\n const memo = await AncestorSearchFactory.createAncestorSearchMemo(\n name,\n this.config,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n await memo.buildUserGraph();\n memo.debugNodesAndEdges(this.logger, name);\n\n // Account for the user not being in the graph (this can happen during direct assignment to roles)\n memo.setNode(name);\n\n if (!memo.isAcyclic()) {\n const cycles = memo.findCycles();\n\n this.logger.warn(\n `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n cycles,\n )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n cycles,\n )}`,\n );\n return Promise.resolve([]);\n }\n\n if (this.isPGClient()) {\n const currentRole = new RoleMemberList(name);\n await currentRole.buildRoles(\n currentRole,\n memo.getNodes(),\n this.rbacDBClient,\n );\n return Promise.resolve(currentRole.getRoles());\n }\n\n const allRoles: string[] = [];\n for (const value of this.allRoles.values()) {\n if (this.hasMember(value, memo)) {\n allRoles.push(value.name);\n }\n }\n\n return Promise.resolve(allRoles);\n }\n\n return [];\n }\n\n /**\n * getUsers gets the users that inherits a subject.\n * domain is an unreferenced parameter here, may be used in other implementations.\n */\n async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n throw new Error('Method \"getUsers\" not implemented.');\n }\n\n /**\n * printRoles prints all the roles to log.\n */\n async printRoles(): Promise<void> {\n // do nothing\n }\n\n /**\n * getOrCreateRole will get a role if it has already been cached\n * or it will create a new role to be cached.\n * This cache is a simple tree that is used to quickly compare\n * users and groups to roles.\n * @param name The user or group whose cache we will be getting / creating.\n * @returns The cached role as a RoleList.\n */\n private getOrCreateRole(name: string): RoleMemberList {\n const role = this.allRoles.get(name);\n if (role) {\n return role;\n }\n const newRole = new RoleMemberList(name);\n this.allRoles.set(name, newRole);\n\n return newRole;\n }\n\n /**\n * isPGClient checks what the current database client is at them time.\n * This is to ensure that we are querying the database in the event of postgres\n * or using in memory cache for better sqlite3.\n * @returns True if the database client is pg.\n */\n isPGClient(): boolean {\n const client = this.rbacDBClient.client.config.client;\n return client === 'pg';\n }\n\n /**\n * hasMember checks if the members from a particular role is associated with the user\n * that the AncestorSearchMemo graph is built for.\n * @param role The role that we are getting the members from.\n * @param memo The user graph that we are comparing members with.\n * @returns True if a member from the role is also associated with the user.\n */\n private hasMember(\n role: RoleMemberList | undefined,\n memo: AncestorSearchMemo<ASMGroup>,\n ): boolean {\n if (role === undefined) {\n return false;\n }\n\n for (const member of role.getMembers()) {\n if (memo.hasEntityRef(member)) {\n return true;\n }\n }\n return false;\n }\n}\n"],"names":["parseEntityRef","AncestorSearchFactory","RoleMemberList"],"mappings":";;;;;;AA2BO,MAAM,oBAA4C,CAAA;AAAA,EAGvD,YACmB,UACA,EAAA,MAAA,EACA,eACA,EAAA,YAAA,EACA,QACA,IACjB,EAAA;AANiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAEjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA;AACxD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,SAAa,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AACF;AACF,EAlBQ,QAAA;AAAA,EACA,QAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,KAAuB,GAAA;AAAA;AAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA;AACvB;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA;AAC5B;AACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA;AAAA;AAKrD,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA;AAAA;AAOT,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAA,2BAAA,CAAe,KAAK,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA;AAAA;AAIT,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,OAAS,EAAA;AACxC,MAAM,MAAA,IAAA,GAAO,MAAMC,2CAAsB,CAAA,wBAAA;AAAA,QACvC,KAAA;AAAA,QACA,IAAK,CAAA,MAAA;AAAA,QACL,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AAEA,MAAA,MAAM,KAAK,cAAe,EAAA;AAC1B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA;AAE1C,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,KAAA;AAAA;AAGT,MAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA;AAAA;AAGhC,IAAO,OAAA,IAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA;AAAA;AAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAM,MAAA,IAAA,GAAO,MAAMC,2CAAsB,CAAA,wBAAA;AAAA,QACvC,IAAA;AAAA,QACA,IAAK,CAAA,MAAA;AAAA,QACL,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AACA,MAAA,MAAM,KAAK,cAAe,EAAA;AAC1B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA;AAGzC,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA;AAEjB,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,OAAA,CAAQ,OAAQ,CAAA,EAAE,CAAA;AAAA;AAG3B,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIC,yBAAA,CAAe,IAAI,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA;AAAA,SACP;AACA,QAAA,OAAO,OAAQ,CAAA,OAAA,CAAQ,WAAY,CAAA,QAAA,EAAU,CAAA;AAAA;AAG/C,MAAA,MAAM,WAAqB,EAAC;AAC5B,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA;AAC1B;AAGF,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAAA;AAGjC,IAAA,OAAO,EAAC;AAAA;AACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA;AAAA;AACtD;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA;AAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA;AAAA;AAET,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA;AAE/B,IAAO,OAAA,OAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA;AAAA;AACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,SAAW,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA;AAAA;AACT;AAEF,IAAO,OAAA,KAAA;AAAA;AAEX;;;;"}
1
+ {"version":3,"file":"role-manager.cjs.js","sources":["../../src/role-manager/role-manager.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { AuthService, LoggerService } from '@backstage/backend-plugin-api';\nimport type { CatalogApi } from '@backstage/catalog-client';\nimport { parseEntityRef } from '@backstage/catalog-model';\nimport type { Config } from '@backstage/config';\n\nimport { RoleManager } from 'casbin';\nimport { Knex } from 'knex';\n\nimport { AncestorSearchMemo, ASMGroup } from './ancestor-search-memo';\nimport { RoleMemberList } from './member-list';\nimport { AncestorSearchFactory } from './ancestor-search-factory';\nimport { DefaultPermissionsReader } from '../default-permissions/default-permissions';\n\nexport class BackstageRoleManager implements RoleManager {\n private allRoles: Map<string, RoleMemberList>;\n private maxDepth?: number;\n private defaultRoleRef?: string;\n constructor(\n private readonly catalogApi: CatalogApi,\n private readonly logger: LoggerService,\n private readonly catalogDBClient: Knex,\n private readonly rbacDBClient: Knex,\n private readonly config: Config,\n private readonly auth: AuthService,\n defaultPermissionReader: DefaultPermissionsReader,\n ) {\n this.allRoles = new Map<string, RoleMemberList>();\n const rbacConfig = this.config.getOptionalConfig('permission.rbac');\n this.maxDepth = rbacConfig?.getOptionalNumber('maxDepth');\n this.defaultRoleRef = defaultPermissionReader.readRole();\n if (this.maxDepth !== undefined && this.maxDepth! < 0) {\n throw new Error(\n 'Max Depth for RBAC group hierarchy must be greater than or equal to zero',\n );\n }\n }\n\n /**\n * clear clears all stored data and resets the role manager to the initial state.\n */\n async clear(): Promise<void> {\n // do nothing\n }\n\n /**\n * addLink adds the inheritance link between name1 and role: name2.\n * aka name1 inherits role: name2.\n * The link that is established is based on the defined grouping policies that are added by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be assigned to a role.\n * @param name2 The role that will be created or updated.\n * @param _domain Unimplemented prefix to the role.\n */\n async addLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.addMember(name1);\n }\n }\n\n /**\n * deleteLink deletes the inheritance link between name1 and role: name2.\n * aka name1 does not inherit role: name2 any more.\n * The link that is deleted is based on the defined grouping policies that are removed by the enforcer.\n *\n * ex. `g, name1, name2`.\n * @param name1 User or group that will be removed from assignment of a role.\n * @param name2 The role that will be deleted or updated.\n * @param _domain Unimplemented.\n */\n async deleteLink(\n name1: string,\n name2: string,\n ..._domain: string[]\n ): Promise<void> {\n if (!this.isPGClient()) {\n const role1 = this.getOrCreateRole(name2);\n role1.deleteMember(name1);\n\n // Clean up in the event that there are no more members in the role\n if (role1.getMembers().length === 0) {\n this.allRoles.delete(name2);\n }\n }\n }\n\n /**\n * hasLink determines whether name1 inherits role: name2.\n * Before this check is called in the background by the enforcer,\n * we filter out all roles that the user is not connected to\n * directly or indirectly through the use of retrieving roles through\n * enforcer.getRolesForUser and apply those roles to a tempEnforcer.\n *\n * This means that hasLink will almost always be true in the event that a user\n * is assigned to a role (either directly or indirectly)\n *\n * In the event that a user or group is not assigned to a role and instead\n * are assigned directly to permissions, then name2 will become either that\n * user or group through the filtering. In this case we will build the graph\n * if necessary for name2 group presence or evaulate based on the names matching.\n * @param name1 The user that we are authorizing.\n * @param name2 The name of the role that we are checking against.\n * @param domain Unimplemented.\n * @returns True if the user is directly or indirectly attached to the role.\n */\n async hasLink(\n name1: string,\n name2: string,\n ...domain: string[]\n ): Promise<boolean> {\n if (domain.length > 0) {\n throw new Error('domain argument is not supported.');\n }\n\n // Name2 can be an empty string in the event that there is not a role associated with the user\n // This happens because of the filtering of the roles reduces the number of roles that we iterate through.\n if (name2.length === 0) {\n return false;\n }\n\n if (name1 === name2) {\n return true;\n }\n\n // name1 is always user in our case.\n // name2 is user or group.\n // user(name1) couldn't inherit user(name2).\n // We can use this fact for optimization.\n const { kind } = parseEntityRef(name2);\n if (kind.toLocaleLowerCase() === 'user') {\n return false;\n }\n\n // if it is a group, then we will have to build the graph,\n if (kind.toLocaleLowerCase() === 'group') {\n const memo = await AncestorSearchFactory.createAncestorSearchMemo(\n name1,\n this.config,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n\n await memo.buildUserGraph();\n memo.debugNodesAndEdges(this.logger, name1);\n\n if (!memo.isAcyclic()) {\n const cycles = memo.findCycles();\n\n this.logger.warn(\n `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n cycles,\n )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n cycles,\n )}`,\n );\n return false;\n }\n\n return memo.hasEntityRef(name2);\n }\n\n return true;\n }\n\n /**\n * syncedHasLink determines whether role: name1 inherits role: name2.\n * domain is a prefix to the roles.\n */\n syncedHasLink?(\n _name1: string,\n _name2: string,\n ..._domain: string[]\n ): boolean {\n throw new Error('Method \"syncedHasLink\" not implemented.');\n }\n\n /**\n * getRoles gets the roles that a subject inherits.\n *\n * name - is a string entity reference, for example: user:default/tom, role:default/dev,\n * so format is <kind>:<namespace>/<entity-name>.\n * GetRoles method supports only two kind values: 'user' and 'role'.\n *\n * domain - is a prefix to the roles, unused parameter.\n *\n * If name's kind === 'user' we return all inherited roles from groups and roles directly assigned to the user.\n * if name's kind === 'role' we return empty array, because we don't support role inheritance.\n * Case kind === 'group' - should not happen, because:\n * 1) Method getRoles returns only role entity references, so casbin engine doesn't call this\n * method again to ask about name with kind \"group\".\n * 2) We implemented getRoles method only to use:\n * 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * so name argument can be only with kind 'user' or 'role'.\n *\n * Info: when we call 'await enforcer.getImplicitPermissionsForUser(userEntityRef)',\n * then casbin engine executes 'getRoles' method few times.\n * Firstly casbin asks about roles for 'userEntityRef'.\n * Let's imagine, that 'getRoles' returned two roles for userEntityRef.\n * Then casbin calls 'getRoles' two more times to\n * find parent roles. But we return empty array for each such call,\n * because we don't support role inheritance and we notify casbin about end of the role sub-tree.\n */\n async getRoles(name: string, ..._domain: string[]): Promise<string[]> {\n const { kind } = parseEntityRef(name);\n if (kind === 'user') {\n const memo = await AncestorSearchFactory.createAncestorSearchMemo(\n name,\n this.config,\n this.catalogApi,\n this.catalogDBClient,\n this.auth,\n this.maxDepth,\n );\n await memo.buildUserGraph();\n memo.debugNodesAndEdges(this.logger, name);\n\n // Account for the user not being in the graph (this can happen during direct assignment to roles)\n memo.setNode(name);\n\n if (!memo.isAcyclic()) {\n const cycles = memo.findCycles();\n\n this.logger.warn(\n `Detected cycle dependencies in the Group graph: ${JSON.stringify(\n cycles,\n )}. Admin/(catalog owner) have to fix it to make RBAC permission evaluation correct for groups: ${JSON.stringify(\n cycles,\n )}`,\n );\n return Promise.resolve([]);\n }\n\n if (this.isPGClient()) {\n const currentRole = new RoleMemberList(name);\n await currentRole.buildRoles(\n currentRole,\n memo.getNodes(),\n this.rbacDBClient,\n );\n const roles = currentRole.getRoles();\n if (this.defaultRoleRef) roles.push(this.defaultRoleRef);\n return Promise.resolve(roles);\n }\n\n const allRoles: string[] = [];\n for (const value of this.allRoles.values()) {\n if (this.hasMember(value, memo)) {\n allRoles.push(value.name);\n }\n }\n\n if (this.defaultRoleRef) allRoles.push(this.defaultRoleRef);\n return Promise.resolve(allRoles);\n }\n\n return [];\n }\n\n /**\n * getUsers gets the users that inherits a subject.\n * domain is an unreferenced parameter here, may be used in other implementations.\n */\n async getUsers(_name: string, ..._domain: string[]): Promise<string[]> {\n throw new Error('Method \"getUsers\" not implemented.');\n }\n\n /**\n * printRoles prints all the roles to log.\n */\n async printRoles(): Promise<void> {\n // do nothing\n }\n\n /**\n * getOrCreateRole will get a role if it has already been cached\n * or it will create a new role to be cached.\n * This cache is a simple tree that is used to quickly compare\n * users and groups to roles.\n * @param name The user or group whose cache we will be getting / creating.\n * @returns The cached role as a RoleList.\n */\n private getOrCreateRole(name: string): RoleMemberList {\n const role = this.allRoles.get(name);\n if (role) {\n return role;\n }\n const newRole = new RoleMemberList(name);\n this.allRoles.set(name, newRole);\n\n return newRole;\n }\n\n /**\n * isPGClient checks what the current database client is at them time.\n * This is to ensure that we are querying the database in the event of postgres\n * or using in memory cache for better sqlite3.\n * @returns True if the database client is pg.\n */\n isPGClient(): boolean {\n const client = this.rbacDBClient.client.config.client;\n return client === 'pg';\n }\n\n /**\n * hasMember checks if the members from a particular role is associated with the user\n * that the AncestorSearchMemo graph is built for.\n * @param role The role that we are getting the members from.\n * @param memo The user graph that we are comparing members with.\n * @returns True if a member from the role is also associated with the user.\n */\n private hasMember(\n role: RoleMemberList | undefined,\n memo: AncestorSearchMemo<ASMGroup>,\n ): boolean {\n if (role === undefined) {\n return false;\n }\n\n for (const member of role.getMembers()) {\n if (memo.hasEntityRef(member)) {\n return true;\n }\n }\n return false;\n }\n}\n"],"names":["parseEntityRef","AncestorSearchFactory","RoleMemberList"],"mappings":";;;;;;AA4BO,MAAM,oBAA4C,CAAA;AAAA,EAIvD,YACmB,UACA,EAAA,MAAA,EACA,iBACA,YACA,EAAA,MAAA,EACA,MACjB,uBACA,EAAA;AAPiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,eAAA,GAAA,eAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAGjB,IAAK,IAAA,CAAA,QAAA,uBAAe,GAA4B,EAAA;AAChD,IAAA,MAAM,UAAa,GAAA,IAAA,CAAK,MAAO,CAAA,iBAAA,CAAkB,iBAAiB,CAAA;AAClE,IAAK,IAAA,CAAA,QAAA,GAAW,UAAY,EAAA,iBAAA,CAAkB,UAAU,CAAA;AACxD,IAAK,IAAA,CAAA,cAAA,GAAiB,wBAAwB,QAAS,EAAA;AACvD,IAAA,IAAI,IAAK,CAAA,QAAA,KAAa,SAAa,IAAA,IAAA,CAAK,WAAY,CAAG,EAAA;AACrD,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AACF;AACF,EArBQ,QAAA;AAAA,EACA,QAAA;AAAA,EACA,cAAA;AAAA;AAAA;AAAA;AAAA,EAwBR,MAAM,KAAuB,GAAA;AAAA;AAE7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA;AACvB;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,UAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,OACY,EAAA;AACf,IAAI,IAAA,CAAC,IAAK,CAAA,UAAA,EAAc,EAAA;AACtB,MAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,eAAA,CAAgB,KAAK,CAAA;AACxC,MAAA,KAAA,CAAM,aAAa,KAAK,CAAA;AAGxB,MAAA,IAAI,KAAM,CAAA,UAAA,EAAa,CAAA,MAAA,KAAW,CAAG,EAAA;AACnC,QAAK,IAAA,CAAA,QAAA,CAAS,OAAO,KAAK,CAAA;AAAA;AAC5B;AACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqBA,MAAM,OAAA,CACJ,KACA,EAAA,KAAA,EAAA,GACG,MACe,EAAA;AAClB,IAAI,IAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,mCAAmC,CAAA;AAAA;AAKrD,IAAI,IAAA,KAAA,CAAM,WAAW,CAAG,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAA,IAAI,UAAU,KAAO,EAAA;AACnB,MAAO,OAAA,IAAA;AAAA;AAOT,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAA,2BAAA,CAAe,KAAK,CAAA;AACrC,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,MAAQ,EAAA;AACvC,MAAO,OAAA,KAAA;AAAA;AAIT,IAAI,IAAA,IAAA,CAAK,iBAAkB,EAAA,KAAM,OAAS,EAAA;AACxC,MAAM,MAAA,IAAA,GAAO,MAAMC,2CAAsB,CAAA,wBAAA;AAAA,QACvC,KAAA;AAAA,QACA,IAAK,CAAA,MAAA;AAAA,QACL,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AAEA,MAAA,MAAM,KAAK,cAAe,EAAA;AAC1B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,KAAK,CAAA;AAE1C,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,KAAA;AAAA;AAGT,MAAO,OAAA,IAAA,CAAK,aAAa,KAAK,CAAA;AAAA;AAGhC,IAAO,OAAA,IAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA,EAMA,aAAA,CACE,MACA,EAAA,MAAA,EAAA,GACG,OACM,EAAA;AACT,IAAM,MAAA,IAAI,MAAM,yCAAyC,CAAA;AAAA;AAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,QAAS,CAAA,IAAA,EAAA,GAAiB,OAAsC,EAAA;AACpE,IAAA,MAAM,EAAE,IAAA,EAAS,GAAAD,2BAAA,CAAe,IAAI,CAAA;AACpC,IAAA,IAAI,SAAS,MAAQ,EAAA;AACnB,MAAM,MAAA,IAAA,GAAO,MAAMC,2CAAsB,CAAA,wBAAA;AAAA,QACvC,IAAA;AAAA,QACA,IAAK,CAAA,MAAA;AAAA,QACL,IAAK,CAAA,UAAA;AAAA,QACL,IAAK,CAAA,eAAA;AAAA,QACL,IAAK,CAAA,IAAA;AAAA,QACL,IAAK,CAAA;AAAA,OACP;AACA,MAAA,MAAM,KAAK,cAAe,EAAA;AAC1B,MAAK,IAAA,CAAA,kBAAA,CAAmB,IAAK,CAAA,MAAA,EAAQ,IAAI,CAAA;AAGzC,MAAA,IAAA,CAAK,QAAQ,IAAI,CAAA;AAEjB,MAAI,IAAA,CAAC,IAAK,CAAA,SAAA,EAAa,EAAA;AACrB,QAAM,MAAA,MAAA,GAAS,KAAK,UAAW,EAAA;AAE/B,QAAA,IAAA,CAAK,MAAO,CAAA,IAAA;AAAA,UACV,mDAAmD,IAAK,CAAA,SAAA;AAAA,YACtD;AAAA,WACD,iGAAiG,IAAK,CAAA,SAAA;AAAA,YACrG;AAAA,WACD,CAAA;AAAA,SACH;AACA,QAAO,OAAA,OAAA,CAAQ,OAAQ,CAAA,EAAE,CAAA;AAAA;AAG3B,MAAI,IAAA,IAAA,CAAK,YAAc,EAAA;AACrB,QAAM,MAAA,WAAA,GAAc,IAAIC,yBAAA,CAAe,IAAI,CAAA;AAC3C,QAAA,MAAM,WAAY,CAAA,UAAA;AAAA,UAChB,WAAA;AAAA,UACA,KAAK,QAAS,EAAA;AAAA,UACd,IAAK,CAAA;AAAA,SACP;AACA,QAAM,MAAA,KAAA,GAAQ,YAAY,QAAS,EAAA;AACnC,QAAA,IAAI,IAAK,CAAA,cAAA,EAAsB,KAAA,CAAA,IAAA,CAAK,KAAK,cAAc,CAAA;AACvD,QAAO,OAAA,OAAA,CAAQ,QAAQ,KAAK,CAAA;AAAA;AAG9B,MAAA,MAAM,WAAqB,EAAC;AAC5B,MAAA,KAAA,MAAW,KAAS,IAAA,IAAA,CAAK,QAAS,CAAA,MAAA,EAAU,EAAA;AAC1C,QAAA,IAAI,IAAK,CAAA,SAAA,CAAU,KAAO,EAAA,IAAI,CAAG,EAAA;AAC/B,UAAS,QAAA,CAAA,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA;AAC1B;AAGF,MAAA,IAAI,IAAK,CAAA,cAAA,EAAyB,QAAA,CAAA,IAAA,CAAK,KAAK,cAAc,CAAA;AAC1D,MAAO,OAAA,OAAA,CAAQ,QAAQ,QAAQ,CAAA;AAAA;AAGjC,IAAA,OAAO,EAAC;AAAA;AACV;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,QAAS,CAAA,KAAA,EAAA,GAAkB,OAAsC,EAAA;AACrE,IAAM,MAAA,IAAI,MAAM,oCAAoC,CAAA;AAAA;AACtD;AAAA;AAAA;AAAA,EAKA,MAAM,UAA4B,GAAA;AAAA;AAElC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,gBAAgB,IAA8B,EAAA;AACpD,IAAA,MAAM,IAAO,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,IAAI,CAAA;AACnC,IAAA,IAAI,IAAM,EAAA;AACR,MAAO,OAAA,IAAA;AAAA;AAET,IAAM,MAAA,OAAA,GAAU,IAAIA,yBAAA,CAAe,IAAI,CAAA;AACvC,IAAK,IAAA,CAAA,QAAA,CAAS,GAAI,CAAA,IAAA,EAAM,OAAO,CAAA;AAE/B,IAAO,OAAA,OAAA;AAAA;AACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,UAAsB,GAAA;AACpB,IAAA,MAAM,MAAS,GAAA,IAAA,CAAK,YAAa,CAAA,MAAA,CAAO,MAAO,CAAA,MAAA;AAC/C,IAAA,OAAO,MAAW,KAAA,IAAA;AAAA;AACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,SAAA,CACN,MACA,IACS,EAAA;AACT,IAAA,IAAI,SAAS,SAAW,EAAA;AACtB,MAAO,OAAA,KAAA;AAAA;AAGT,IAAW,KAAA,MAAA,MAAA,IAAU,IAAK,CAAA,UAAA,EAAc,EAAA;AACtC,MAAI,IAAA,IAAA,CAAK,YAAa,CAAA,MAAM,CAAG,EAAA;AAC7B,QAAO,OAAA,IAAA;AAAA;AACT;AAEF,IAAO,OAAA,KAAA;AAAA;AAEX;;;;"}
package/dist/service/policies-rest-api.cjs.js CHANGED
@@ -53,6 +53,15 @@ class PoliciesServer {
53
53
  async serve() {
54
54
  const router$1 = await router.createRouter(this.options);
55
55
  const { logger, auditor, auth, permissionsRegistry } = this.options;
56
+ const defRoleMeta = this.roleMetadata.getCachedDefaultRoleMetadata();
57
+ let defRole;
58
+ if (defRoleMeta) {
59
+ defRole = {
60
+ name: defRoleMeta.roleEntityRef,
61
+ memberReferences: [],
62
+ metadata: roleMetadata.daoToMetadata(defRoleMeta)
63
+ };
64
+ }
56
65
  const isPluginEnabled = this.options.config.getOptionalBoolean("permission.enabled");
57
66
  if (!isPluginEnabled) {
58
67
  return router$1;
@@ -285,6 +294,9 @@ class PoliciesServer {
285
294
  }
286
295
  const roles = await this.enforcer.getGroupingPolicy();
287
296
  const body = await this.transformRoleArray(conditionsFilter, ...roles);
297
+ if (defRole) {
298
+ body.push(defRole);
299
+ }
288
300
  response.json(body);
289
301
  }
290
302
  );
@@ -302,11 +314,16 @@ class PoliciesServer {
302
314
  conditionsFilter = transformConditions(decision.conditions);
303
315
  }
304
316
  const roleEntityRef = this.getEntityReference(request, true);
305
- const role = await this.enforcer.getFilteredGroupingPolicy(
306
- 1,
307
- roleEntityRef
308
- );
309
- const body = await this.transformRoleArray(conditionsFilter, ...role);
317
+ let body;
318
+ if (defRole && roleEntityRef === defRole.name) {
319
+ body = [defRole];
320
+ } else {
321
+ const role = await this.enforcer.getFilteredGroupingPolicy(
322
+ 1,
323
+ roleEntityRef
324
+ );
325
+ body = await this.transformRoleArray(conditionsFilter, ...role);
326
+ }
310
327
  if (body.length !== 0) {
311
328
  response.json(body);
312
329
  } else {
@@ -430,7 +447,7 @@ class PoliciesServer {
430
447
  if (err) {
431
448
  throw new errors.NotAllowedError(`Unable to edit role: ${err.message}`);
432
449
  }
433
- if (!helper.matches(oldMetadata, conditionsFilter)) {
450
+ if (!helper.matches(roleMetadata.daoToMetadata(oldMetadata), conditionsFilter)) {
434
451
  throw new errors.NotAllowedError();
435
452
  }
436
453
  if (lodash.isEqual(oldRole, newRole) && helper.deepSortedEqual(oldMetadata, newMetadata, [
@@ -512,7 +529,7 @@ class PoliciesServer {
512
529
  }
513
530
  const roleEntityRef = this.getEntityReference(request, true);
514
531
  const currentMetadata = await this.roleMetadata.findRoleMetadata(roleEntityRef);
515
- if (!helper.matches(currentMetadata, conditionsFilter)) {
532
+ if (!currentMetadata || !helper.matches(roleMetadata.daoToMetadata(currentMetadata), conditionsFilter)) {
516
533
  throw new errors.NotAllowedError();
517
534
  }
518
535
  const err = await policiesValidation.validateSource("rest", currentMetadata);
@@ -682,10 +699,10 @@ class PoliciesServer {
682
699
  ...condition,
683
700
  permissionMapping: condition.permissionMapping.map((pm) => pm.action)
684
701
  };
685
- const roleMetadata = await this.roleMetadata.findRoleMetadata(
702
+ const roleMetadata$1 = await this.roleMetadata.findRoleMetadata(
686
703
  conditionToDelete.roleEntityRef
687
704
  );
688
- if (!helper.matches(roleMetadata, conditionsFilter)) {
705
+ if (!roleMetadata$1 || !helper.matches(roleMetadata.daoToMetadata(roleMetadata$1), conditionsFilter)) {
689
706
  throw new errors.NotAllowedError();
690
707
  }
691
708
  await this.conditionalStorage.deleteCondition(id);
@@ -714,10 +731,10 @@ class PoliciesServer {
714
731
  if (!condition) {
715
732
  throw new errors.NotFoundError(`Condition with id ${id} was not found`);
716
733
  }
717
- const roleMetadata = await this.roleMetadata.findRoleMetadata(
734
+ const roleMetadata$1 = await this.roleMetadata.findRoleMetadata(
718
735
  condition.roleEntityRef
719
736
  );
720
- if (!helper.matches(roleMetadata, conditionsFilter)) {
737
+ if (!roleMetadata$1 || !helper.matches(roleMetadata.daoToMetadata(roleMetadata$1), conditionsFilter)) {
721
738
  throw new errors.NotAllowedError();
722
739
  }
723
740
  const roleConditionPolicy = request.body;
@@ -896,7 +913,7 @@ class PoliciesServer {
896
913
  const metadata = await this.roleMetadata.findRoleMetadata(
897
914
  policy.entityReference
898
915
  );
899
- if (!helper.matches(metadata, filter)) {
916
+ if (!metadata || !helper.matches(roleMetadata.daoToMetadata(metadata), filter)) {
900
917
  throw new errors.NotAllowedError();
901
918
  }
902
919
  let action = errorMessage ? "edit" : "delete";
package/dist/service/policies-rest-api.cjs.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"policies-rest-api.cjs.js","sources":["../../src/service/policies-rest-api.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type {\n AuthService,\n BackstageCredentials,\n BackstageServicePrincipal,\n BackstageUserPrincipal,\n HttpAuthService,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport {\n ConflictError,\n InputError,\n NotAllowedError,\n NotFoundError,\n} from '@backstage/errors';\nimport {\n AuthorizeResult,\n BasicPermission,\n PolicyDecision,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\n\nimport express from 'express';\nimport type { Request } from 'express-serve-static-core';\nimport { isEmpty, isEqual } from 'lodash';\nimport type { ParsedQs } from 'qs';\n\nimport {\n policyEntityCreatePermission,\n policyEntityDeletePermission,\n policyEntityReadPermission,\n policyEntityUpdatePermission,\n type PermissionAction,\n type Role,\n type RoleBasedPolicy,\n type RoleConditionalPolicyDecision,\n} from '@backstage-community/plugin-rbac-common';\nimport type { RBACProvider } from '@backstage-community/plugin-rbac-node';\n\nimport { setAuditorError, logAuditorEvent } from '../auditor/rest-interceptor';\nimport { ConditionalStorage } from '../database/conditional-storage';\nimport {\n daoToMetadata,\n RoleMetadataDao,\n RoleMetadataStorage,\n} from '../database/role-metadata';\nimport {\n buildRoleSourceMap,\n deepSortedEqual,\n isPermissionAction,\n policyToString,\n processConditionMapping,\n matches,\n} from '../helper';\nimport { validateRoleCondition } from '../validation/condition-validation';\nimport {\n validateEntityReference,\n validatePolicy,\n validateRole,\n validateSource,\n} from '../validation/policies-validation';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { RBACRouterOptions } from './policy-builder';\nimport { conditionTransformerFunc, RBACFilters } from '../permissions';\nimport { registerPermissionDefinitionRoutes } from './permission-definition-routes';\nimport { PermissionDependentPluginStore } from '../database/extra-permission-enabled-plugins-storage';\nimport { ExtendablePluginIdProvider } from './extendable-id-provider';\nimport { createRouter } from './router';\n\nexport async function authorizeConditional(\n request: Request,\n permission: ResourcePermission<'policy-entity'> | BasicPermission,\n deps: {\n auth: AuthService;\n httpAuth: HttpAuthService;\n permissions: PermissionsService;\n },\n): Promise<{\n decision: PolicyDecision;\n credentials: BackstageCredentials<\n BackstageUserPrincipal | BackstageServicePrincipal\n >;\n}> {\n const { auth, httpAuth, permissions } = deps;\n\n const credentials = await httpAuth.credentials(request, {\n allow: ['user', 'service'],\n });\n\n // allow service to service communication, but only with read permission\n if (\n auth.isPrincipal(credentials, 'service') &&\n permission !== policyEntityReadPermission\n ) {\n throw new NotAllowedError(\n `Only credential principal with type 'user' permitted to modify permissions`,\n );\n }\n\n let decision: PolicyDecision;\n if (permission.type === 'resource') {\n decision = (\n await permissions.authorizeConditional([{ permission }], {\n credentials,\n })\n )[0];\n } else {\n decision = (\n await permissions.authorize([{ permission }], {\n credentials,\n })\n )[0];\n }\n\n if (decision.result === AuthorizeResult.DENY) {\n throw new NotAllowedError(); // 403\n }\n\n return { decision, credentials };\n}\n\nexport class PoliciesServer {\n constructor(\n private readonly options: RBACRouterOptions,\n private readonly enforcer: EnforcerDelegate,\n private readonly conditionalStorage: ConditionalStorage,\n private readonly pluginPermMetaData: PluginPermissionMetadataCollector,\n private readonly roleMetadata: RoleMetadataStorage,\n private readonly extraPluginsIdStorage: PermissionDependentPluginStore,\n private readonly pluginIdProvider: ExtendablePluginIdProvider,\n private readonly rbacProviders?: RBACProvider[],\n ) {}\n\n async serve(): Promise<express.Router> {\n const router = await createRouter(this.options);\n\n const { logger, auditor, auth, permissionsRegistry } = this.options;\n\n const isPluginEnabled =\n this.options.config.getOptionalBoolean('permission.enabled');\n if (!isPluginEnabled) {\n return router;\n }\n\n const transformConditions = conditionTransformerFunc(permissionsRegistry);\n\n router.get('/', async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n response.send({ status: 'Authorized' });\n });\n\n // Policy CRUD\n\n router.get(\n '/policies',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n let policies: string[][] = [];\n if (this.isPolicyFilterEnabled(request)) {\n const entityRef = this.getFirstQuery(request.query.entityRef);\n const permission = this.getFirstQuery(request.query.permission);\n const policy = this.getFirstQuery(request.query.policy);\n const effect = this.getFirstQuery(request.query.effect);\n\n const matchedRoleName = roleMetadata.flatMap(\n role => role.roleEntityRef,\n );\n\n const filter: string[] = [entityRef, permission, policy, effect];\n policies = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, ...filter)\n : [];\n } else {\n for (const role of roleMetadata) {\n policies.push(\n ...(await this.enforcer.getFilteredPolicy(\n 0,\n ...[role.roleEntityRef],\n )),\n );\n }\n }\n\n const body = await this.transformPolicyArray(...policies);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(policy => {\n if (\n policy.permission === 'policy-entity' &&\n policy.policy === 'create'\n ) {\n policy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[policy.entityReference, 'policy-entity', policy.policy, policy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${policy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n },\n );\n\n router.get(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const entityRef = this.getEntityReference(request);\n\n const policy = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, entityRef)\n : [];\n if (policy.length !== 0) {\n const body = await this.transformPolicyArray(...policy);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(bodyPolicy => {\n if (\n bodyPolicy.permission === 'policy-entity' &&\n bodyPolicy.policy === 'create'\n ) {\n bodyPolicy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[bodyPolicy.entityReference, 'policy-entity', bodyPolicy.policy, bodyPolicy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${bodyPolicy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.delete(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n policyRaw.forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n true,\n undefined,\n conditionsFilter,\n );\n\n await this.enforcer.removePolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.post(\n '/policies',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n false,\n undefined,\n );\n\n const entityRef = processedPolicies[0][0];\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.addPolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const oldPolicyRaw: RoleBasedPolicy[] = request.body.oldPolicy;\n if (isEmpty(oldPolicyRaw)) {\n throw new InputError(`'oldPolicy' object must be present`); // 400\n }\n const newPolicyRaw: RoleBasedPolicy[] = request.body.newPolicy;\n if (isEmpty(newPolicyRaw)) {\n throw new InputError(`'newPolicy' object must be present`); // 400\n }\n\n [...oldPolicyRaw, ...newPolicyRaw].forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedOldPolicy = await this.processPolicies(\n oldPolicyRaw,\n true,\n 'old policy',\n conditionsFilter,\n );\n\n oldPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n newPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n if (\n isEqual(oldPolicyRaw, newPolicyRaw) &&\n !oldPolicyRaw.some(isEmpty)\n ) {\n response.status(204).end();\n } else if (oldPolicyRaw.length > newPolicyRaw.length) {\n throw new InputError(\n `'oldPolicy' object has more permission policies compared to 'newPolicy' object`,\n );\n }\n\n const processedNewPolicy = await this.processPolicies(\n newPolicyRaw,\n false,\n 'new policy',\n conditionsFilter,\n );\n\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.updatePolicies(\n processedOldPolicy,\n processedNewPolicy,\n );\n\n response.locals.meta = { policies: processedNewPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n // Role CRUD\n\n router.get(\n '/roles',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roles = await this.enforcer.getGroupingPolicy();\n const body = await this.transformRoleArray(conditionsFilter, ...roles);\n\n response.json(body);\n },\n );\n\n router.get(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const role = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n\n const body = await this.transformRoleArray(conditionsFilter, ...role);\n if (body.length !== 0) {\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.post(\n '/roles',\n logAuditorEvent(auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n const { credentials } = await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const roleRaw: Role = request.body;\n let err = validateRole(roleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid role definition. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(roleRaw);\n\n const rMetadata = await this.roleMetadata.findRoleMetadata(\n roleRaw.name,\n );\n\n err = await validateSource('rest', rMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to add role: ${err.message}`);\n }\n\n const roles = this.transformRoleToArray(roleRaw);\n\n for (const role of roles) {\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n throw new ConflictError(); // 409\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef: roleRaw.name,\n source: 'rest',\n description: roleRaw.metadata?.description ?? '',\n author: modifiedBy,\n modifiedBy,\n owner: roleRaw.metadata?.owner ?? modifiedBy,\n };\n\n await this.enforcer.addGroupingPolicies(roles, metadata);\n\n response.locals.meta = { ...metadata, members: roles.map(gp => gp[0]) }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const oldRoleRaw: Role = request.body.oldRole;\n\n if (!oldRoleRaw) {\n throw new InputError(`'oldRole' object must be present`); // 400\n }\n const newRoleRaw: Role = request.body.newRole;\n if (!newRoleRaw) {\n throw new InputError(`'newRole' object must be present`); // 400\n }\n\n oldRoleRaw.name = roleEntityRef;\n let err = validateRole(oldRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid old role object. Cause: ${err.message}`,\n );\n }\n err = validateRole(newRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid new role object. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(oldRoleRaw);\n this.transformMemberReferencesToLowercase(newRoleRaw);\n\n const oldRole = this.transformRoleToArray(oldRoleRaw);\n const newRole = this.transformRoleToArray(newRoleRaw);\n // todo shell we allow newRole with an empty array?...\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const newMetadata: RoleMetadataDao = {\n ...newRoleRaw.metadata,\n source: newRoleRaw.metadata?.source ?? 'rest',\n roleEntityRef: newRoleRaw.name,\n modifiedBy,\n owner: newRoleRaw.metadata?.owner ?? '',\n };\n\n const oldMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n if (!oldMetadata) {\n throw new NotFoundError(\n `Unable to find metadata for ${roleEntityRef}`,\n );\n }\n\n err = await validateSource('rest', oldMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to edit role: ${err.message}`);\n }\n\n if (!matches(oldMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n if (\n isEqual(oldRole, newRole) &&\n deepSortedEqual(oldMetadata, newMetadata, [\n 'author',\n 'modifiedBy',\n 'createdAt',\n 'lastModified',\n 'owner',\n ])\n ) {\n // no content: old role and new role are equal and their metadata too\n response.status(204).end();\n return;\n }\n\n for (const role of newRole) {\n const hasRole = oldRole.some(element => {\n return isEqual(element, role);\n });\n // if the role is already part of old role and is a grouping policy we want to skip returning a conflict error\n // to allow for other roles to be checked and added\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n if (!hasRole) {\n throw new ConflictError(); // 409\n }\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n uniqueItems.clear();\n for (const role of oldRole) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(\n `Member reference: ${role[0]} was not found for role ${roleEntityRef}`,\n ); // 404\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n await this.enforcer.updateGroupingPolicies(\n oldRole,\n newRole,\n newMetadata,\n );\n\n let message = `Updated ${oldMetadata.roleEntityRef}.`;\n if (newMetadata.roleEntityRef !== oldMetadata.roleEntityRef) {\n message = `${message}. Role entity reference renamed to ${newMetadata.roleEntityRef}`;\n }\n response.locals.meta = {\n ...newMetadata,\n members: newRole.map(gp => gp[0]),\n }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.delete(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const currentMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n\n if (!matches(currentMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n const err = await validateSource('rest', currentMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to delete role: ${err.message}`);\n }\n\n let roleMembers = [];\n if (request.query.memberReferences) {\n const memberReference = this.getFirstQuery(\n request.query.memberReferences!,\n ).toLocaleLowerCase('en-US');\n const gp = await this.enforcer.getFilteredGroupingPolicy(\n 0,\n memberReference,\n roleEntityRef,\n );\n if (gp.length > 0) {\n roleMembers.push(gp[0]);\n } else {\n throw new NotFoundError(\n `role member '${memberReference}' was not found`,\n ); // 404\n }\n } else {\n roleMembers = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n }\n\n for (const role of roleMembers) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(`role member '${role[0]}' was not found`);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef,\n source: 'rest',\n modifiedBy,\n };\n\n await this.enforcer.removeGroupingPolicies(\n roleMembers,\n metadata,\n false,\n );\n\n response.locals.meta = {\n ...metadata,\n members: roleMembers.map(gp => gp[0]),\n }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.get(\n '/roles/conditions',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const conditions = await this.conditionalStorage.filterConditions(\n this.getFirstQuery(request.query.roleEntityRef),\n this.getFirstQuery(request.query.pluginId),\n this.getFirstQuery(request.query.resourceType),\n this.getActionQueries(request.query.actions),\n );\n\n const body: RoleConditionalPolicyDecision<PermissionAction>[] =\n conditions\n .map(condition => {\n return {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n };\n })\n .filter(condition => {\n return matchedRoleName.includes(condition.roleEntityRef);\n });\n\n response.json(body);\n },\n );\n\n router.post(\n '/roles/conditions',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToCreate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n auth,\n );\n\n const id =\n await this.conditionalStorage.createCondition(conditionToCreate);\n\n const body = { id: id };\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(201).json(body);\n },\n );\n\n router.get(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError();\n }\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const body: RoleConditionalPolicyDecision<PermissionAction> | [] =\n matchedRoleName.includes(condition.roleEntityRef)\n ? {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n }\n : [];\n\n response.json(body);\n },\n );\n\n router.delete(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n const conditionToDelete: RoleConditionalPolicyDecision<PermissionAction> =\n {\n ...condition,\n permissionMapping: condition.permissionMapping.map(pm => pm.action),\n };\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n conditionToDelete.roleEntityRef,\n );\n\n if (!matches(roleMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n await this.conditionalStorage.deleteCondition(id);\n response.locals.meta = { condition: conditionToDelete }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.put(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n condition.roleEntityRef,\n );\n\n if (!matches(roleMetadata, conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToUpdate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n auth,\n );\n\n await this.conditionalStorage.updateCondition(id, conditionToUpdate);\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.post(\n '/refresh/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n if (!this.rbacProviders) {\n throw new NotFoundError(`No RBAC providers were found`);\n }\n\n const idProvider = this.rbacProviders.find(provider => {\n const id = provider.getProviderName();\n return id === request.params.id;\n });\n\n if (!idProvider) {\n throw new NotFoundError(\n `The RBAC provider ${request.params.id} was not found`,\n );\n }\n\n await idProvider.refresh();\n response.status(200).end();\n },\n );\n\n registerPermissionDefinitionRoutes(\n router,\n this.pluginPermMetaData,\n this.pluginIdProvider,\n this.extraPluginsIdStorage,\n this.options,\n );\n\n router.use(setAuditorError());\n\n return router;\n }\n\n getEntityReference(request: Request, role?: boolean): string {\n const kind = request.params.kind;\n const namespace = request.params.namespace;\n const name = request.params.name;\n const entityRef = `${kind}:${namespace}/${name}`;\n\n const err = validateEntityReference(entityRef, role);\n if (err) {\n throw new InputError(err.message);\n }\n\n return entityRef;\n }\n\n async transformPolicyArray(\n ...policies: string[][]\n ): Promise<RoleBasedPolicy[]> {\n const roleToSourceMap = await buildRoleSourceMap(\n policies,\n this.roleMetadata,\n );\n\n const roleBasedPolices: RoleBasedPolicy[] = [];\n for (const p of policies) {\n const [entityReference, permission, policy, effect] = p;\n roleBasedPolices.push({\n entityReference,\n permission,\n policy,\n effect,\n metadata: { source: roleToSourceMap.get(entityReference)! },\n });\n }\n\n return roleBasedPolices;\n }\n\n async transformRoleArray(\n filter?: RBACFilters,\n ...roles: string[][]\n ): Promise<Role[]> {\n const combinedRoles: { [key: string]: string[] } = {};\n\n roles.forEach(([value, role]) => {\n if (combinedRoles.hasOwnProperty(role)) {\n combinedRoles[role].push(value);\n } else {\n combinedRoles[role] = [value];\n }\n });\n\n const result: Role[] = await Promise.all(\n Object.entries(combinedRoles).flatMap(async ([role, value]) => {\n const metadataDao = await this.roleMetadata.findRoleMetadata(role);\n const metadata = metadataDao ? daoToMetadata(metadataDao) : undefined;\n return Promise.resolve({\n memberReferences: value,\n name: role,\n metadata,\n });\n }),\n );\n\n const filteredResult = result.filter(role => {\n return role.metadata && matches(role.metadata, filter);\n });\n\n return filteredResult;\n }\n\n transformPolicyToArray(policy: RoleBasedPolicy): string[] {\n return [\n policy.entityReference!,\n policy.permission!,\n policy.policy!,\n policy.effect!,\n ];\n }\n\n transformRoleToArray(role: Role): string[][] {\n const roles: string[][] = [];\n for (const entity of role.memberReferences) {\n roles.push([entity, role.name]);\n }\n return roles;\n }\n\n transformMemberReferencesToLowercase(role: Role) {\n role.memberReferences = role.memberReferences.map(member =>\n member.toLocaleLowerCase('en-US'),\n );\n }\n\n getActionQueries(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): PermissionAction[] | undefined {\n if (!queryValue) {\n return undefined;\n }\n if (Array.isArray(queryValue)) {\n const permissionNames: PermissionAction[] = [];\n for (const permissionQuery of queryValue) {\n if (\n typeof permissionQuery === 'string' &&\n isPermissionAction(permissionQuery)\n ) {\n permissionNames.push(permissionQuery);\n } else {\n throw new InputError(\n `Invalid permission action query value: ${permissionQuery}. Permission name should be string.`,\n );\n }\n }\n return permissionNames;\n }\n\n if (typeof queryValue === 'string' && isPermissionAction(queryValue)) {\n return [queryValue];\n }\n throw new InputError(\n `Invalid permission action query value: ${queryValue}. Permission name should be string.`,\n );\n }\n\n getFirstQuery(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): string {\n if (!queryValue) {\n return '';\n }\n if (Array.isArray(queryValue)) {\n if (typeof queryValue[0] === 'string') {\n return queryValue[0].toString();\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n if (typeof queryValue === 'string') {\n return queryValue;\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n isPolicyFilterEnabled(request: Request): boolean {\n return (\n !!request.query.entityRef ||\n !!request.query.permission ||\n !!request.query.policy ||\n !!request.query.effect\n );\n }\n\n async processPolicies(\n policyArray: RoleBasedPolicy[],\n isOld?: boolean,\n errorMessage?: string,\n filter?: RBACFilters,\n ): Promise<string[][]> {\n const policies: string[][] = [];\n const uniqueItems = new Set<string>();\n for (const policy of policyArray) {\n let err = validatePolicy(policy);\n if (err) {\n throw new InputError(\n `Invalid ${errorMessage ?? 'policy'} definition. Cause: ${\n err.message\n }`,\n ); // 400\n }\n\n const metadata = await this.roleMetadata.findRoleMetadata(\n policy.entityReference!,\n );\n\n if (!matches(metadata, filter)) {\n throw new NotAllowedError(); // 403\n }\n\n let action = errorMessage ? 'edit' : 'delete';\n action = isOld ? action : 'add';\n\n err = await validateSource('rest', metadata);\n if (err) {\n throw new NotAllowedError(\n `Unable to ${action} policy ${policy.entityReference},${policy.permission},${policy.policy},${policy.effect}: ${err.message}`,\n );\n }\n\n const transformedPolicy = this.transformPolicyToArray(policy);\n if (isOld && !(await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new NotFoundError(\n `Policy '${policyToString(transformedPolicy)}' not found`,\n ); // 404\n }\n\n if (!isOld && (await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new ConflictError(\n `Policy '${policyToString(\n transformedPolicy,\n )}' has been already stored`,\n ); // 409\n }\n\n // We want to ensure that there are not duplicate permission policies\n const rowString = JSON.stringify(transformedPolicy);\n if (uniqueItems.has(rowString)) {\n throw new ConflictError(\n `Duplicate polices found; ${policy.entityReference}, ${policy.permission}, ${policy.policy}, ${policy.effect} is a duplicate`,\n );\n } else {\n uniqueItems.add(rowString);\n policies.push(transformedPolicy);\n }\n }\n return policies;\n }\n\n nameSort(nameA: string, nameB: string): number {\n if (nameA.toLocaleUpperCase('en-US') < nameB.toLocaleUpperCase('en-US')) {\n return -1;\n }\n if (nameA.toLocaleUpperCase('en-US') > nameB.toLocaleUpperCase('en-US')) {\n return 1;\n }\n return 0;\n }\n}\n"],"names":["policyEntityReadPermission","NotAllowedError","AuthorizeResult","router","createRouter","conditionTransformerFunc","logAuditorEvent","NotFoundError","policyEntityDeletePermission","isEmpty","InputError","policyEntityCreatePermission","policyEntityUpdatePermission","isEqual","validateRole","validateSource","ConflictError","matches","deepSortedEqual","validateRoleCondition","processConditionMapping","registerPermissionDefinitionRoutes","setAuditorError","validateEntityReference","buildRoleSourceMap","daoToMetadata","isPermissionAction","validatePolicy","policyToString"],"mappings":";;;;;;;;;;;;;;;;AAoFsB,eAAA,oBAAA,CACpB,OACA,EAAA,UAAA,EACA,IAUC,EAAA;AACD,EAAA,MAAM,EAAE,IAAA,EAAM,QAAU,EAAA,WAAA,EAAgB,GAAA,IAAA;AAExC,EAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,OAAS,EAAA;AAAA,IACtD,KAAA,EAAO,CAAC,MAAA,EAAQ,SAAS;AAAA,GAC1B,CAAA;AAGD,EAAA,IACE,KAAK,WAAY,CAAA,WAAA,EAAa,SAAS,CAAA,IACvC,eAAeA,2CACf,EAAA;AACA,IAAA,MAAM,IAAIC,sBAAA;AAAA,MACR,CAAA,0EAAA;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,QAAA;AACJ,EAAI,IAAA,UAAA,CAAW,SAAS,UAAY,EAAA;AAClC,IAAA,QAAA,GAAA,CACE,MAAM,WAAY,CAAA,oBAAA,CAAqB,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,MACvD;AAAA,KACD,GACD,CAAC,CAAA;AAAA,GACE,MAAA;AACL,IAAA,QAAA,GAAA,CACE,MAAM,WAAY,CAAA,SAAA,CAAU,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,MAC5C;AAAA,KACD,GACD,CAAC,CAAA;AAAA;AAGL,EAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,IAAM,EAAA;AAC5C,IAAA,MAAM,IAAID,sBAAgB,EAAA;AAAA;AAG5B,EAAO,OAAA,EAAE,UAAU,WAAY,EAAA;AACjC;AAEO,MAAM,cAAe,CAAA;AAAA,EAC1B,WAAA,CACmB,SACA,QACA,EAAA,kBAAA,EACA,oBACA,YACA,EAAA,qBAAA,EACA,kBACA,aACjB,EAAA;AARiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACA,IAAA,IAAA,CAAA,gBAAA,GAAA,gBAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA;AAChB,EAEH,MAAM,KAAiC,GAAA;AACrC,IAAA,MAAME,QAAS,GAAA,MAAMC,mBAAa,CAAA,IAAA,CAAK,OAAO,CAAA;AAE9C,IAAA,MAAM,EAAE,MAAQ,EAAA,OAAA,EAAS,IAAM,EAAA,mBAAA,KAAwB,IAAK,CAAA,OAAA;AAE5D,IAAA,MAAM,eACJ,GAAA,IAAA,CAAK,OAAQ,CAAA,MAAA,CAAO,mBAAmB,oBAAoB,CAAA;AAC7D,IAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,MAAO,OAAAD,QAAA;AAAA;AAGT,IAAM,MAAA,mBAAA,GAAsBE,oCAAyB,mBAAmB,CAAA;AAExE,IAAAF,QAAA,CAAO,GAAI,CAAA,GAAA,EAAK,OAAO,OAAA,EAAS,QAAa,KAAA;AAC3C,MAAM,MAAA,oBAAA;AAAA,QACJ,OAAA;AAAA,QACAH,2CAAA;AAAA,QACA,IAAK,CAAA;AAAA,OACP;AAEA,MAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,YAAA,EAAc,CAAA;AAAA,KACvC,CAAA;AAID,IAAOG,QAAA,CAAA,GAAA;AAAA,MACL,WAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAN,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAA,IAAI,WAAuB,EAAC;AAC5B,QAAI,IAAA,IAAA,CAAK,qBAAsB,CAAA,OAAO,CAAG,EAAA;AACvC,UAAA,MAAM,SAAY,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,SAAS,CAAA;AAC5D,UAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,UAAU,CAAA;AAC9D,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AACtD,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AAEtD,UAAA,MAAM,kBAAkB,YAAa,CAAA,OAAA;AAAA,YACnC,UAAQ,IAAK,CAAA;AAAA,WACf;AAEA,UAAA,MAAM,MAAmB,GAAA,CAAC,SAAW,EAAA,UAAA,EAAY,QAAQ,MAAM,CAAA;AAC/D,UAAA,QAAA,GAAW,eAAgB,CAAA,QAAA,CAAS,SAAS,CAAA,GACzC,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,CAAG,EAAA,GAAG,MAAM,CAAA,GAClD,EAAC;AAAA,SACA,MAAA;AACL,UAAA,KAAA,MAAW,QAAQ,YAAc,EAAA;AAC/B,YAAS,QAAA,CAAA,IAAA;AAAA,cACP,GAAI,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA;AAAA,gBACtB,CAAA;AAAA,gBACA,GAAG,CAAC,IAAA,CAAK,aAAa;AAAA;AACxB,aACF;AAAA;AACF;AAGF,QAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,QAAQ,CAAA;AAExD,QAAA,IAAA,CAAK,IAAI,CAAU,MAAA,KAAA;AACjB,UAAA,IACE,MAAO,CAAA,UAAA,KAAe,eACtB,IAAA,MAAA,CAAO,WAAW,QAClB,EAAA;AACA,YAAA,MAAA,CAAO,UAAa,GAAA,sBAAA;AACpB,YAAO,MAAA,CAAA,IAAA;AAAA,cACL,CAA8H,2HAAA,EAAA,CAAC,MAAO,CAAA,eAAA,EAAiB,eAAiB,EAAA,MAAA,CAAO,MAAQ,EAAA,MAAA,CAAO,MAAM,CAAC,CAAyE,sEAAA,EAAA,MAAA,CAAO,UAAU,MAAM,CAAA;AAAA,aACvS;AAAA;AACF,SACD,CAAA;AAED,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAN,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,MAAS,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAS,CAC7C,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,CAAA,EAAG,SAAS,CAAA,GAClD,EAAC;AACL,QAAI,IAAA,MAAA,CAAO,WAAW,CAAG,EAAA;AACvB,UAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA;AAEtD,UAAA,IAAA,CAAK,IAAI,CAAc,UAAA,KAAA;AACrB,YAAA,IACE,UAAW,CAAA,UAAA,KAAe,eAC1B,IAAA,UAAA,CAAW,WAAW,QACtB,EAAA;AACA,cAAA,UAAA,CAAW,UAAa,GAAA,sBAAA;AACxB,cAAO,MAAA,CAAA,IAAA;AAAA,gBACL,CAA8H,2HAAA,EAAA,CAAC,UAAW,CAAA,eAAA,EAAiB,eAAiB,EAAA,UAAA,CAAW,MAAQ,EAAA,UAAA,CAAW,MAAM,CAAC,CAAyE,sEAAA,EAAA,UAAA,CAAW,UAAU,MAAM,CAAA;AAAA,eACvT;AAAA;AACF,WACD,CAAA;AAED,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAIK,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAOJ,QAAA,CAAA,MAAA;AAAA,MACL,kCAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAN,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAC7C,QAAI,IAAAO,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAA,SAAA,CAAU,QAAQ,CAAW,OAAA,KAAA;AAC3B,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,IAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,cAAA,CAAe,iBAAiB,CAAA;AAEpD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOP,QAAA,CAAA,IAAA;AAAA,MACL,WAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAE7C,QAAI,IAAAF,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,KAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,SAAY,GAAA,iBAAA,CAAkB,CAAC,CAAA,CAAE,CAAC,CAAA;AACxC,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,WAAA,CAAY,iBAAiB,CAAA;AAEjD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOP,QAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAV,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAO,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAE3D,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAD,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAG3D,QAAA,CAAC,GAAG,YAAc,EAAA,GAAG,YAAY,CAAA,CAAE,QAAQ,CAAW,OAAA,KAAA;AACpD,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,IAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QACE,IAAAG,cAAA,CAAQ,cAAc,YAAY,CAAA,IAClC,CAAC,YAAa,CAAA,IAAA,CAAKJ,cAAO,CAC1B,EAAA;AACA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA,SAChB,MAAA,IAAA,YAAA,CAAa,MAAS,GAAA,YAAA,CAAa,MAAQ,EAAA;AACpD,UAAA,MAAM,IAAIC,iBAAA;AAAA,YACR,CAAA,8EAAA;AAAA,WACF;AAAA;AAGF,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAA,MAAM,KAAK,QAAS,CAAA,cAAA;AAAA,UAClB,kBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,kBAAmB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAIA,IAAOP,QAAA,CAAA,GAAA;AAAA,MACL,QAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAN,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,EAAA;AACpD,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,KAAK,CAAA;AAErE,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAN,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,UAC/B,CAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,IAAI,CAAA;AACpE,QAAI,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrB,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAIK,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAOJ,QAAA,CAAA,IAAA;AAAA,MACL,QAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAM,MAAA,EAAE,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UAC5B,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,UAAgB,OAAQ,CAAA,IAAA;AAC9B,QAAI,IAAA,GAAA,GAAMG,gCAAa,OAAO,CAAA;AAC9B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,OAAO,CAAA;AAEjD,QAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UACxC,OAAQ,CAAA;AAAA,SACV;AAEA,QAAM,GAAA,GAAA,MAAMK,iCAAe,CAAA,MAAA,EAAQ,SAAS,CAAA;AAC5C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAId,sBAAA,CAAgB,CAAuB,oBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGhE,QAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,oBAAA,CAAqB,OAAO,CAAA;AAE/C,QAAA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,MAAM,IAAIe,oBAAc,EAAA;AAAA;AAE1B,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,eAAe,OAAQ,CAAA,IAAA;AAAA,UACvB,MAAQ,EAAA,MAAA;AAAA,UACR,WAAA,EAAa,OAAQ,CAAA,QAAA,EAAU,WAAe,IAAA,EAAA;AAAA,UAC9C,MAAQ,EAAA,UAAA;AAAA,UACR,UAAA;AAAA,UACA,KAAA,EAAO,OAAQ,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACpC;AAEA,QAAA,MAAM,IAAK,CAAA,QAAA,CAAS,mBAAoB,CAAA,KAAA,EAAO,QAAQ,CAAA;AAEvD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,GAAG,QAAU,EAAA,OAAA,EAAS,KAAM,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC,CAAE,EAAA;AAEtE,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOb,QAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UACtC,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAV,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AAEtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIQ,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAEzD,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AACtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIA,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAGzD,QAAA,UAAA,CAAW,IAAO,GAAA,aAAA;AAClB,QAAI,IAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AACjC,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AAC7B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AACpD,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AAEpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AACpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AAGpD,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,WAA+B,GAAA;AAAA,UACnC,GAAG,UAAW,CAAA,QAAA;AAAA,UACd,MAAA,EAAQ,UAAW,CAAA,QAAA,EAAU,MAAU,IAAA,MAAA;AAAA,UACvC,eAAe,UAAW,CAAA,IAAA;AAAA,UAC1B,UAAA;AAAA,UACA,KAAA,EAAO,UAAW,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACvC;AAEA,QAAA,MAAM,WACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AACxD,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAA,MAAM,IAAIH,oBAAA;AAAA,YACR,+BAA+B,aAAa,CAAA;AAAA,WAC9C;AAAA;AAGF,QAAM,GAAA,GAAA,MAAMQ,iCAAe,CAAA,MAAA,EAAQ,WAAW,CAAA;AAC9C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAId,sBAAA,CAAgB,CAAwB,qBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGjE,QAAA,IAAI,CAACgB,cAAA,CAAQ,WAAa,EAAA,gBAAgB,CAAG,EAAA;AAC3C,UAAA,MAAM,IAAIhB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,IACEY,eAAQ,OAAS,EAAA,OAAO,CACxB,IAAAK,sBAAA,CAAgB,aAAa,WAAa,EAAA;AAAA,UACxC,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACD,CACD,EAAA;AAEA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AACzB,UAAA;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAM,MAAA,OAAA,GAAU,OAAQ,CAAA,IAAA,CAAK,CAAW,OAAA,KAAA;AACtC,YAAO,OAAAL,cAAA,CAAQ,SAAS,IAAI,CAAA;AAAA,WAC7B,CAAA;AAGD,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,IAAI,CAAC,OAAS,EAAA;AACZ,cAAA,MAAM,IAAIG,oBAAc,EAAA;AAAA;AAC1B;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,WAAA,CAAY,KAAM,EAAA;AAClB,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIT,oBAAA;AAAA,cACR,CAAqB,kBAAA,EAAA,IAAA,CAAK,CAAC,CAAC,2BAA2B,aAAa,CAAA;AAAA,aACtE;AAAA;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIS,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,OAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAI,IAAA,OAAA,GAAU,CAAW,QAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA,CAAA;AAClD,QAAI,IAAA,WAAA,CAAY,aAAkB,KAAA,WAAA,CAAY,aAAe,EAAA;AAC3D,UAAA,OAAA,GAAU,CAAG,EAAA,OAAO,CAAsC,mCAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA;AAAA;AAErF,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,WAAA;AAAA,UACH,SAAS,OAAQ,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SAClC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOb,QAAA,CAAA,MAAA;AAAA,MACL,+BAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UACtC,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAN,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAA,MAAM,eACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AAExD,QAAA,IAAI,CAACe,cAAA,CAAQ,eAAiB,EAAA,gBAAgB,CAAG,EAAA;AAC/C,UAAA,MAAM,IAAIhB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,GAAM,GAAA,MAAMc,iCAAe,CAAA,MAAA,EAAQ,eAAe,CAAA;AACxD,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAId,sBAAA,CAAgB,CAA0B,uBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGnE,QAAA,IAAI,cAAc,EAAC;AACnB,QAAI,IAAA,OAAA,CAAQ,MAAM,gBAAkB,EAAA;AAClC,UAAA,MAAM,kBAAkB,IAAK,CAAA,aAAA;AAAA,YAC3B,QAAQ,KAAM,CAAA;AAAA,WAChB,CAAE,kBAAkB,OAAO,CAAA;AAC3B,UAAM,MAAA,EAAA,GAAK,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,YAC7B,CAAA;AAAA,YACA,eAAA;AAAA,YACA;AAAA,WACF;AACA,UAAI,IAAA,EAAA,CAAG,SAAS,CAAG,EAAA;AACjB,YAAY,WAAA,CAAA,IAAA,CAAK,EAAG,CAAA,CAAC,CAAC,CAAA;AAAA,WACjB,MAAA;AACL,YAAA,MAAM,IAAIM,oBAAA;AAAA,cACR,gBAAgB,eAAe,CAAA,eAAA;AAAA,aACjC;AAAA;AACF,SACK,MAAA;AACL,UAAc,WAAA,GAAA,MAAM,KAAK,QAAS,CAAA,yBAAA;AAAA,YAChC,CAAA;AAAA,YACA;AAAA,WACF;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,WAAa,EAAA;AAC9B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIA,oBAAc,CAAA,CAAA,aAAA,EAAgB,IAAK,CAAA,CAAC,CAAC,CAAiB,eAAA,CAAA,CAAA;AAAA;AAClE;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,aAAA;AAAA,UACA,MAAQ,EAAA,MAAA;AAAA,UACR;AAAA,SACF;AAEA,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,WAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,QAAA;AAAA,UACH,SAAS,WAAY,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SACtC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOJ,QAAA,CAAA,GAAA;AAAA,MACL,mBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAN,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA;AAAA,UAC/C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,aAAa,CAAA;AAAA,UAC9C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,QAAQ,CAAA;AAAA,UACzC,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,YAAY,CAAA;AAAA,UAC7C,IAAK,CAAA,gBAAA,CAAiB,OAAQ,CAAA,KAAA,CAAM,OAAO;AAAA,SAC7C;AAEA,QAAM,MAAA,IAAA,GACJ,UACG,CAAA,GAAA,CAAI,CAAa,SAAA,KAAA;AAChB,UAAO,OAAA;AAAA,YACL,GAAG,SAAA;AAAA,YACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,cAC7C,QAAM,EAAG,CAAA;AAAA;AACX,WACF;AAAA,SACD,CACA,CAAA,MAAA,CAAO,CAAa,SAAA,KAAA;AACnB,UAAO,OAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAAA;AAAA,SACxD,CAAA;AAEL,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,IAAA;AAAA,MACL,mBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AACV,QAAAQ,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL;AAAA,SACF;AAEA,QAAA,MAAM,EACJ,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,gBAAgB,iBAAiB,CAAA;AAEjE,QAAM,MAAA,IAAA,GAAO,EAAE,EAAO,EAAA;AAEtB,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAA,QAAA,CAAS,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,IAAI,CAAA;AAAA;AAChC,KACF;AAEA,IAAOjB,QAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAN,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIU,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAc,EAAA;AAAA;AAG1B,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAL,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAA,MAAM,IACJ,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAC5C,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,YAC7C,QAAM,EAAG,CAAA;AAAA;AACX,YAEF,EAAC;AAEP,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,MAAA;AAAA,MACL,uBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAN,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIQ,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAEjE,QAAA,MAAM,iBACJ,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,mBAAmB,SAAU,CAAA,iBAAA,CAAkB,GAAI,CAAA,CAAA,EAAA,KAAM,GAAG,MAAM;AAAA,SACpE;AAEF,QAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,iBAAkB,CAAA;AAAA,SACpB;AAEA,QAAA,IAAI,CAACU,cAAA,CAAQ,YAAc,EAAA,gBAAgB,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAIhB,sBAAgB,EAAA;AAAA;AAG5B,QAAM,MAAA,IAAA,CAAK,kBAAmB,CAAA,eAAA,CAAgB,EAAE,CAAA;AAChD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,iBAAkB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOE,QAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAV,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIQ,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAE/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,YAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,SAAU,CAAA;AAAA,SACZ;AAEA,QAAA,IAAI,CAACU,cAAA,CAAQ,YAAc,EAAA,gBAAgB,CAAG,EAAA;AAC5C,UAAA,MAAM,IAAIhB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AAEV,QAAAkB,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL;AAAA,SACF;AAEA,QAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,eAAgB,CAAA,EAAA,EAAI,iBAAiB,CAAA;AAEnE,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOjB,QAAA,CAAA,IAAA;AAAA,MACL,cAAA;AAAA,MACAG,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,CAAC,KAAK,aAAe,EAAA;AACvB,UAAM,MAAA,IAAIJ,qBAAc,CAA8B,4BAAA,CAAA,CAAA;AAAA;AAGxD,QAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA;AACrD,UAAM,MAAA,EAAA,GAAK,SAAS,eAAgB,EAAA;AACpC,UAAO,OAAA,EAAA,KAAO,QAAQ,MAAO,CAAA,EAAA;AAAA,SAC9B,CAAA;AAED,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAA,MAAM,IAAIA,oBAAA;AAAA,YACR,CAAA,kBAAA,EAAqB,OAAQ,CAAA,MAAA,CAAO,EAAE,CAAA,cAAA;AAAA,WACxC;AAAA;AAGF,QAAA,MAAM,WAAW,OAAQ,EAAA;AACzB,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAAc,6DAAA;AAAA,MACElB,QAAA;AAAA,MACA,IAAK,CAAA,kBAAA;AAAA,MACL,IAAK,CAAA,gBAAA;AAAA,MACL,IAAK,CAAA,qBAAA;AAAA,MACL,IAAK,CAAA;AAAA,KACP;AAEA,IAAOA,QAAA,CAAA,GAAA,CAAImB,iCAAiB,CAAA;AAE5B,IAAO,OAAAnB,QAAA;AAAA;AACT,EAEA,kBAAA,CAAmB,SAAkB,IAAwB,EAAA;AAC3D,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAM,MAAA,SAAA,GAAY,QAAQ,MAAO,CAAA,SAAA;AACjC,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAA,MAAM,YAAY,CAAG,EAAA,IAAI,CAAI,CAAA,EAAA,SAAS,IAAI,IAAI,CAAA,CAAA;AAE9C,IAAM,MAAA,GAAA,GAAMoB,0CAAwB,CAAA,SAAA,EAAW,IAAI,CAAA;AACnD,IAAA,IAAI,GAAK,EAAA;AACP,MAAM,MAAA,IAAIb,iBAAW,CAAA,GAAA,CAAI,OAAO,CAAA;AAAA;AAGlC,IAAO,OAAA,SAAA;AAAA;AACT,EAEA,MAAM,wBACD,QACyB,EAAA;AAC5B,IAAA,MAAM,kBAAkB,MAAMc,yBAAA;AAAA,MAC5B,QAAA;AAAA,MACA,IAAK,CAAA;AAAA,KACP;AAEA,IAAA,MAAM,mBAAsC,EAAC;AAC7C,IAAA,KAAA,MAAW,KAAK,QAAU,EAAA;AACxB,MAAA,MAAM,CAAC,eAAA,EAAiB,UAAY,EAAA,MAAA,EAAQ,MAAM,CAAI,GAAA,CAAA;AACtD,MAAA,gBAAA,CAAiB,IAAK,CAAA;AAAA,QACpB,eAAA;AAAA,QACA,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAU,EAAE,MAAA,EAAQ,eAAgB,CAAA,GAAA,CAAI,eAAe,CAAG;AAAA,OAC3D,CAAA;AAAA;AAGH,IAAO,OAAA,gBAAA;AAAA;AACT,EAEA,MAAM,kBACJ,CAAA,MAAA,EAAA,GACG,KACc,EAAA;AACjB,IAAA,MAAM,gBAA6C,EAAC;AAEpD,IAAA,KAAA,CAAM,OAAQ,CAAA,CAAC,CAAC,KAAA,EAAO,IAAI,CAAM,KAAA;AAC/B,MAAI,IAAA,aAAA,CAAc,cAAe,CAAA,IAAI,CAAG,EAAA;AACtC,QAAc,aAAA,CAAA,IAAI,CAAE,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA,OACzB,MAAA;AACL,QAAc,aAAA,CAAA,IAAI,CAAI,GAAA,CAAC,KAAK,CAAA;AAAA;AAC9B,KACD,CAAA;AAED,IAAM,MAAA,MAAA,GAAiB,MAAM,OAAQ,CAAA,GAAA;AAAA,MACnC,MAAA,CAAO,QAAQ,aAAa,CAAA,CAAE,QAAQ,OAAO,CAAC,IAAM,EAAA,KAAK,CAAM,KAAA;AAC7D,QAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,IAAI,CAAA;AACjE,QAAA,MAAM,QAAW,GAAA,WAAA,GAAcC,0BAAc,CAAA,WAAW,CAAI,GAAA,SAAA;AAC5D,QAAA,OAAO,QAAQ,OAAQ,CAAA;AAAA,UACrB,gBAAkB,EAAA,KAAA;AAAA,UAClB,IAAM,EAAA,IAAA;AAAA,UACN;AAAA,SACD,CAAA;AAAA,OACF;AAAA,KACH;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAO,CAAA,MAAA,CAAO,CAAQ,IAAA,KAAA;AAC3C,MAAA,OAAO,IAAK,CAAA,QAAA,IAAYR,cAAQ,CAAA,IAAA,CAAK,UAAU,MAAM,CAAA;AAAA,KACtD,CAAA;AAED,IAAO,OAAA,cAAA;AAAA;AACT,EAEA,uBAAuB,MAAmC,EAAA;AACxD,IAAO,OAAA;AAAA,MACL,MAAO,CAAA,eAAA;AAAA,MACP,MAAO,CAAA,UAAA;AAAA,MACP,MAAO,CAAA,MAAA;AAAA,MACP,MAAO,CAAA;AAAA,KACT;AAAA;AACF,EAEA,qBAAqB,IAAwB,EAAA;AAC3C,IAAA,MAAM,QAAoB,EAAC;AAC3B,IAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,MAAA,KAAA,CAAM,IAAK,CAAA,CAAC,MAAQ,EAAA,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAEhC,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,qCAAqC,IAAY,EAAA;AAC/C,IAAK,IAAA,CAAA,gBAAA,GAAmB,KAAK,gBAAiB,CAAA,GAAA;AAAA,MAAI,CAAA,MAAA,KAChD,MAAO,CAAA,iBAAA,CAAkB,OAAO;AAAA,KAClC;AAAA;AACF,EAEA,iBACE,UACgC,EAAA;AAChC,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,SAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,MAAM,kBAAsC,EAAC;AAC7C,MAAA,KAAA,MAAW,mBAAmB,UAAY,EAAA;AACxC,QAAA,IACE,OAAO,eAAA,KAAoB,QAC3B,IAAAS,yBAAA,CAAmB,eAAe,CAClC,EAAA;AACA,UAAA,eAAA,CAAgB,KAAK,eAAe,CAAA;AAAA,SAC/B,MAAA;AACL,UAAA,MAAM,IAAIhB,iBAAA;AAAA,YACR,0CAA0C,eAAe,CAAA,mCAAA;AAAA,WAC3D;AAAA;AACF;AAEF,MAAO,OAAA,eAAA;AAAA;AAGT,IAAA,IAAI,OAAO,UAAA,KAAe,QAAY,IAAAgB,yBAAA,CAAmB,UAAU,CAAG,EAAA;AACpE,MAAA,OAAO,CAAC,UAAU,CAAA;AAAA;AAEpB,IAAA,MAAM,IAAIhB,iBAAA;AAAA,MACR,0CAA0C,UAAU,CAAA,mCAAA;AAAA,KACtD;AAAA;AACF,EAEA,cACE,UACQ,EAAA;AACR,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,EAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,IAAI,OAAO,UAAA,CAAW,CAAC,CAAA,KAAM,QAAU,EAAA;AACrC,QAAO,OAAA,UAAA,CAAW,CAAC,CAAA,CAAE,QAAS,EAAA;AAAA;AAEhC,MAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAG9D,IAAI,IAAA,OAAO,eAAe,QAAU,EAAA;AAClC,MAAO,OAAA,UAAA;AAAA;AAET,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAC9D,EAEA,sBAAsB,OAA2B,EAAA;AAC/C,IAAA,OACE,CAAC,CAAC,OAAA,CAAQ,MAAM,SAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,CAAC,CAAC,QAAQ,KAAM,CAAA,MAAA;AAAA;AAEpB,EAEA,MAAM,eAAA,CACJ,WACA,EAAA,KAAA,EACA,cACA,MACqB,EAAA;AACrB,IAAA,MAAM,WAAuB,EAAC;AAC9B,IAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,IAAA,KAAA,MAAW,UAAU,WAAa,EAAA;AAChC,MAAI,IAAA,GAAA,GAAMiB,kCAAe,MAAM,CAAA;AAC/B,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIjB,iBAAA;AAAA,UACR,CAAW,QAAA,EAAA,YAAA,IAAgB,QAAQ,CAAA,oBAAA,EACjC,IAAI,OACN,CAAA;AAAA,SACF;AAAA;AAGF,MAAM,MAAA,QAAA,GAAW,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,QACvC,MAAO,CAAA;AAAA,OACT;AAEA,MAAA,IAAI,CAACO,cAAA,CAAQ,QAAU,EAAA,MAAM,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAIhB,sBAAgB,EAAA;AAAA;AAG5B,MAAI,IAAA,MAAA,GAAS,eAAe,MAAS,GAAA,QAAA;AACrC,MAAA,MAAA,GAAS,QAAQ,MAAS,GAAA,KAAA;AAE1B,MAAM,GAAA,GAAA,MAAMc,iCAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA;AAC3C,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAId,sBAAA;AAAA,UACR,aAAa,MAAM,CAAA,QAAA,EAAW,MAAO,CAAA,eAAe,IAAI,MAAO,CAAA,UAAU,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAA,EAAA,EAAK,IAAI,OAAO,CAAA;AAAA,SAC7H;AAAA;AAGF,MAAM,MAAA,iBAAA,GAAoB,IAAK,CAAA,sBAAA,CAAuB,MAAM,CAAA;AAC5D,MAAI,IAAA,KAAA,IAAS,CAAE,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIM,oBAAA;AAAA,UACR,CAAA,QAAA,EAAWqB,qBAAe,CAAA,iBAAiB,CAAC,CAAA,WAAA;AAAA,SAC9C;AAAA;AAGF,MAAI,IAAA,CAAC,SAAU,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAW,QAAA,EAAAY,qBAAA;AAAA,YACT;AAAA,WACD,CAAA,yBAAA;AAAA,SACH;AAAA;AAIF,MAAM,MAAA,SAAA,GAAY,IAAK,CAAA,SAAA,CAAU,iBAAiB,CAAA;AAClD,MAAI,IAAA,WAAA,CAAY,GAAI,CAAA,SAAS,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAA,yBAAA,EAA4B,MAAO,CAAA,eAAe,CAAK,EAAA,EAAA,MAAA,CAAO,UAAU,CAAA,EAAA,EAAK,MAAO,CAAA,MAAM,CAAK,EAAA,EAAA,MAAA,CAAO,MAAM,CAAA,eAAA;AAAA,SAC9G;AAAA,OACK,MAAA;AACL,QAAA,WAAA,CAAY,IAAI,SAAS,CAAA;AACzB,QAAA,QAAA,CAAS,KAAK,iBAAiB,CAAA;AAAA;AACjC;AAEF,IAAO,OAAA,QAAA;AAAA;AACT,EAEA,QAAA,CAAS,OAAe,KAAuB,EAAA;AAC7C,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,EAAA;AAAA;AAET,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,CAAA;AAAA;AAET,IAAO,OAAA,CAAA;AAAA;AAEX;;;;;"}
1
+ {"version":3,"file":"policies-rest-api.cjs.js","sources":["../../src/service/policies-rest-api.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type {\n AuthService,\n BackstageCredentials,\n BackstageServicePrincipal,\n BackstageUserPrincipal,\n HttpAuthService,\n PermissionsService,\n} from '@backstage/backend-plugin-api';\nimport {\n ConflictError,\n InputError,\n NotAllowedError,\n NotFoundError,\n} from '@backstage/errors';\nimport {\n AuthorizeResult,\n BasicPermission,\n PolicyDecision,\n ResourcePermission,\n} from '@backstage/plugin-permission-common';\n\nimport express, { Request } from 'express';\nimport { isEmpty, isEqual } from 'lodash';\nimport type { ParsedQs } from 'qs';\n\nimport {\n policyEntityCreatePermission,\n policyEntityDeletePermission,\n policyEntityReadPermission,\n policyEntityUpdatePermission,\n type PermissionAction,\n type Role,\n type RoleBasedPolicy,\n type RoleConditionalPolicyDecision,\n} from '@backstage-community/plugin-rbac-common';\nimport type { RBACProvider } from '@backstage-community/plugin-rbac-node';\n\nimport { setAuditorError, logAuditorEvent } from '../auditor/rest-interceptor';\nimport { ConditionalStorage } from '../database/conditional-storage';\nimport {\n daoToMetadata,\n RoleMetadataDao,\n RoleMetadataStorage,\n} from '../database/role-metadata';\nimport {\n buildRoleSourceMap,\n deepSortedEqual,\n isPermissionAction,\n policyToString,\n processConditionMapping,\n matches,\n} from '../helper';\nimport { validateRoleCondition } from '../validation/condition-validation';\nimport {\n validateEntityReference,\n validatePolicy,\n validateRole,\n validateSource,\n} from '../validation/policies-validation';\nimport { EnforcerDelegate } from './enforcer-delegate';\nimport { PluginPermissionMetadataCollector } from './plugin-endpoints';\nimport { RBACRouterOptions } from './policy-builder';\nimport { conditionTransformerFunc, RBACFilters } from '../permissions';\nimport { registerPermissionDefinitionRoutes } from './permission-definition-routes';\nimport { PermissionDependentPluginStore } from '../database/extra-permission-enabled-plugins-storage';\nimport { ExtendablePluginIdProvider } from './extendable-id-provider';\nimport { createRouter } from './router';\n\nexport async function authorizeConditional(\n request: Request,\n permission: ResourcePermission<'policy-entity'> | BasicPermission,\n deps: {\n auth: AuthService;\n httpAuth: HttpAuthService;\n permissions: PermissionsService;\n },\n): Promise<{\n decision: PolicyDecision;\n credentials: BackstageCredentials<\n BackstageUserPrincipal | BackstageServicePrincipal\n >;\n}> {\n const { auth, httpAuth, permissions } = deps;\n\n const credentials = await httpAuth.credentials(request, {\n allow: ['user', 'service'],\n });\n\n // allow service to service communication, but only with read permission\n if (\n auth.isPrincipal(credentials, 'service') &&\n permission !== policyEntityReadPermission\n ) {\n throw new NotAllowedError(\n `Only credential principal with type 'user' permitted to modify permissions`,\n );\n }\n\n let decision: PolicyDecision;\n if (permission.type === 'resource') {\n decision = (\n await permissions.authorizeConditional([{ permission }], {\n credentials,\n })\n )[0];\n } else {\n decision = (\n await permissions.authorize([{ permission }], {\n credentials,\n })\n )[0];\n }\n\n if (decision.result === AuthorizeResult.DENY) {\n throw new NotAllowedError(); // 403\n }\n\n return { decision, credentials };\n}\n\nexport class PoliciesServer {\n constructor(\n private readonly options: RBACRouterOptions,\n private readonly enforcer: EnforcerDelegate,\n private readonly conditionalStorage: ConditionalStorage,\n private readonly pluginPermMetaData: PluginPermissionMetadataCollector,\n private readonly roleMetadata: RoleMetadataStorage,\n private readonly extraPluginsIdStorage: PermissionDependentPluginStore,\n private readonly pluginIdProvider: ExtendablePluginIdProvider,\n private readonly rbacProviders?: RBACProvider[],\n ) {}\n\n async serve(): Promise<express.Router> {\n const router = await createRouter(this.options);\n\n const { logger, auditor, auth, permissionsRegistry } = this.options;\n\n const defRoleMeta = this.roleMetadata.getCachedDefaultRoleMetadata();\n let defRole: Role | undefined;\n if (defRoleMeta) {\n defRole = {\n name: defRoleMeta.roleEntityRef,\n memberReferences: [],\n metadata: daoToMetadata(defRoleMeta),\n };\n }\n\n const isPluginEnabled =\n this.options.config.getOptionalBoolean('permission.enabled');\n if (!isPluginEnabled) {\n return router;\n }\n\n const transformConditions = conditionTransformerFunc(permissionsRegistry);\n\n router.get('/', async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n response.send({ status: 'Authorized' });\n });\n\n // Policy CRUD\n\n router.get(\n '/policies',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n let policies: string[][] = [];\n if (this.isPolicyFilterEnabled(request)) {\n const entityRef = this.getFirstQuery(request.query.entityRef);\n const permission = this.getFirstQuery(request.query.permission);\n const policy = this.getFirstQuery(request.query.policy);\n const effect = this.getFirstQuery(request.query.effect);\n\n const matchedRoleName = roleMetadata.flatMap(\n role => role.roleEntityRef,\n );\n\n const filter: string[] = [entityRef, permission, policy, effect];\n policies = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, ...filter)\n : [];\n } else {\n for (const role of roleMetadata) {\n policies.push(\n ...(await this.enforcer.getFilteredPolicy(\n 0,\n ...[role.roleEntityRef],\n )),\n );\n }\n }\n\n const body = await this.transformPolicyArray(...policies);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(policy => {\n if (\n policy.permission === 'policy-entity' &&\n policy.policy === 'create'\n ) {\n policy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[policy.entityReference, 'policy-entity', policy.policy, policy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${policy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n },\n );\n\n router.get(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const entityRef = this.getEntityReference(request);\n\n const policy = matchedRoleName.includes(entityRef)\n ? await this.enforcer.getFilteredPolicy(0, entityRef)\n : [];\n if (policy.length !== 0) {\n const body = await this.transformPolicyArray(...policy);\n // TODO: Temporary workaround to prevent breakages after the removal of the resource type `policy-entity` from the permission `policy.entity.create`\n body.map(bodyPolicy => {\n if (\n bodyPolicy.permission === 'policy-entity' &&\n bodyPolicy.policy === 'create'\n ) {\n bodyPolicy.permission = 'policy.entity.create';\n logger.warn(\n `Permission policy with resource type 'policy-entity' and action 'create' has been removed. Please consider updating policy ${[bodyPolicy.entityReference, 'policy-entity', bodyPolicy.policy, bodyPolicy.effect]} to use 'policy.entity.create' instead of 'policy-entity' from source ${bodyPolicy.metadata?.source}`,\n );\n }\n });\n\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.delete(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n policyRaw.forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n true,\n undefined,\n conditionsFilter,\n );\n\n await this.enforcer.removePolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.post(\n '/policies',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const policyRaw: RoleBasedPolicy[] = request.body;\n\n if (isEmpty(policyRaw)) {\n throw new InputError(`permission policy must be present`); // 400\n }\n\n const processedPolicies = await this.processPolicies(\n policyRaw,\n false,\n undefined,\n );\n\n const entityRef = processedPolicies[0][0];\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.addPolicies(processedPolicies);\n\n response.locals.meta = { policies: processedPolicies }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/policies/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const entityRef = this.getEntityReference(request);\n\n const oldPolicyRaw: RoleBasedPolicy[] = request.body.oldPolicy;\n if (isEmpty(oldPolicyRaw)) {\n throw new InputError(`'oldPolicy' object must be present`); // 400\n }\n const newPolicyRaw: RoleBasedPolicy[] = request.body.newPolicy;\n if (isEmpty(newPolicyRaw)) {\n throw new InputError(`'newPolicy' object must be present`); // 400\n }\n\n [...oldPolicyRaw, ...newPolicyRaw].forEach(element => {\n element.entityReference = entityRef;\n });\n\n const processedOldPolicy = await this.processPolicies(\n oldPolicyRaw,\n true,\n 'old policy',\n conditionsFilter,\n );\n\n oldPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n newPolicyRaw.sort((a, b) =>\n a.permission === b.permission\n ? this.nameSort(a.policy!, b.policy!)\n : this.nameSort(a.permission!, b.permission!),\n );\n\n if (\n isEqual(oldPolicyRaw, newPolicyRaw) &&\n !oldPolicyRaw.some(isEmpty)\n ) {\n response.status(204).end();\n } else if (oldPolicyRaw.length > newPolicyRaw.length) {\n throw new InputError(\n `'oldPolicy' object has more permission policies compared to 'newPolicy' object`,\n );\n }\n\n const processedNewPolicy = await this.processPolicies(\n newPolicyRaw,\n false,\n 'new policy',\n conditionsFilter,\n );\n\n const roleMetadata =\n await this.roleMetadata.findRoleMetadata(entityRef);\n if (entityRef.startsWith('role:default') && !roleMetadata) {\n throw new Error(`Corresponding role ${entityRef} was not found`);\n }\n\n await this.enforcer.updatePolicies(\n processedOldPolicy,\n processedNewPolicy,\n );\n\n response.locals.meta = { policies: processedNewPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n // Role CRUD\n\n router.get(\n '/roles',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roles = await this.enforcer.getGroupingPolicy();\n const body = await this.transformRoleArray(conditionsFilter, ...roles);\n\n if (defRole) {\n body.push(defRole);\n }\n\n response.json(body);\n },\n );\n\n router.get(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n let body: Role[];\n if (defRole && roleEntityRef === defRole.name) {\n body = [defRole];\n } else {\n const role = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n body = await this.transformRoleArray(conditionsFilter, ...role);\n }\n if (body.length !== 0) {\n response.json(body);\n } else {\n throw new NotFoundError(); // 404\n }\n },\n );\n\n router.post(\n '/roles',\n logAuditorEvent(auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n const { credentials } = await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const roleRaw: Role = request.body;\n let err = validateRole(roleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid role definition. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(roleRaw);\n\n const rMetadata = await this.roleMetadata.findRoleMetadata(\n roleRaw.name,\n );\n\n err = await validateSource('rest', rMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to add role: ${err.message}`);\n }\n\n const roles = this.transformRoleToArray(roleRaw);\n\n for (const role of roles) {\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n throw new ConflictError(); // 409\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef: roleRaw.name,\n source: 'rest',\n description: roleRaw.metadata?.description ?? '',\n author: modifiedBy,\n modifiedBy,\n owner: roleRaw.metadata?.owner ?? modifiedBy,\n };\n\n await this.enforcer.addGroupingPolicies(roles, metadata);\n\n response.locals.meta = { ...metadata, members: roles.map(gp => gp[0]) }; // auditor\n\n response.status(201).end();\n },\n );\n\n router.put(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n const uniqueItems = new Set<string>();\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const oldRoleRaw: Role = request.body.oldRole;\n\n if (!oldRoleRaw) {\n throw new InputError(`'oldRole' object must be present`); // 400\n }\n const newRoleRaw: Role = request.body.newRole;\n if (!newRoleRaw) {\n throw new InputError(`'newRole' object must be present`); // 400\n }\n\n oldRoleRaw.name = roleEntityRef;\n let err = validateRole(oldRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid old role object. Cause: ${err.message}`,\n );\n }\n err = validateRole(newRoleRaw);\n if (err) {\n throw new InputError( // 400\n `Invalid new role object. Cause: ${err.message}`,\n );\n }\n this.transformMemberReferencesToLowercase(oldRoleRaw);\n this.transformMemberReferencesToLowercase(newRoleRaw);\n\n const oldRole = this.transformRoleToArray(oldRoleRaw);\n const newRole = this.transformRoleToArray(newRoleRaw);\n // todo shell we allow newRole with an empty array?...\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const newMetadata: RoleMetadataDao = {\n ...newRoleRaw.metadata,\n source: newRoleRaw.metadata?.source ?? 'rest',\n roleEntityRef: newRoleRaw.name,\n modifiedBy,\n owner: newRoleRaw.metadata?.owner ?? '',\n };\n\n const oldMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n if (!oldMetadata) {\n throw new NotFoundError(\n `Unable to find metadata for ${roleEntityRef}`,\n );\n }\n\n err = await validateSource('rest', oldMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to edit role: ${err.message}`);\n }\n\n if (!matches(daoToMetadata(oldMetadata), conditionsFilter)) {\n throw new NotAllowedError(); // 403\n }\n\n if (\n isEqual(oldRole, newRole) &&\n deepSortedEqual(oldMetadata, newMetadata, [\n 'author',\n 'modifiedBy',\n 'createdAt',\n 'lastModified',\n 'owner',\n ])\n ) {\n // no content: old role and new role are equal and their metadata too\n response.status(204).end();\n return;\n }\n\n for (const role of newRole) {\n const hasRole = oldRole.some(element => {\n return isEqual(element, role);\n });\n // if the role is already part of old role and is a grouping policy we want to skip returning a conflict error\n // to allow for other roles to be checked and added\n if (await this.enforcer.hasGroupingPolicy(...role)) {\n if (!hasRole) {\n throw new ConflictError(); // 409\n }\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n uniqueItems.clear();\n for (const role of oldRole) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(\n `Member reference: ${role[0]} was not found for role ${roleEntityRef}`,\n ); // 404\n }\n const roleString = JSON.stringify(role);\n\n if (uniqueItems.has(roleString)) {\n throw new ConflictError(\n `Duplicate role members found; ${role.at(0)}, ${role.at(\n 1,\n )} is a duplicate`,\n );\n } else {\n uniqueItems.add(roleString);\n }\n }\n\n await this.enforcer.updateGroupingPolicies(\n oldRole,\n newRole,\n newMetadata,\n );\n\n let message = `Updated ${oldMetadata.roleEntityRef}.`;\n if (newMetadata.roleEntityRef !== oldMetadata.roleEntityRef) {\n message = `${message}. Role entity reference renamed to ${newMetadata.roleEntityRef}`;\n }\n response.locals.meta = {\n ...newMetadata,\n members: newRole.map(gp => gp[0]),\n }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.delete(\n '/roles/:kind/:namespace/:name',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision, credentials } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleEntityRef = this.getEntityReference(request, true);\n\n const currentMetadata =\n await this.roleMetadata.findRoleMetadata(roleEntityRef);\n\n if (\n !currentMetadata ||\n !matches(daoToMetadata(currentMetadata), conditionsFilter)\n ) {\n throw new NotAllowedError(); // 403\n }\n\n const err = await validateSource('rest', currentMetadata);\n if (err) {\n throw new NotAllowedError(`Unable to delete role: ${err.message}`);\n }\n\n let roleMembers = [];\n if (request.query.memberReferences) {\n const memberReference = this.getFirstQuery(\n request.query.memberReferences!,\n ).toLocaleLowerCase('en-US');\n const gp = await this.enforcer.getFilteredGroupingPolicy(\n 0,\n memberReference,\n roleEntityRef,\n );\n if (gp.length > 0) {\n roleMembers.push(gp[0]);\n } else {\n throw new NotFoundError(\n `role member '${memberReference}' was not found`,\n ); // 404\n }\n } else {\n roleMembers = await this.enforcer.getFilteredGroupingPolicy(\n 1,\n roleEntityRef,\n );\n }\n\n for (const role of roleMembers) {\n if (!(await this.enforcer.hasGroupingPolicy(...role))) {\n throw new NotFoundError(`role member '${role[0]}' was not found`);\n }\n }\n\n const modifiedBy = (\n credentials as BackstageCredentials<BackstageUserPrincipal>\n ).principal.userEntityRef;\n const metadata: RoleMetadataDao = {\n roleEntityRef,\n source: 'rest',\n modifiedBy,\n };\n\n await this.enforcer.removeGroupingPolicies(\n roleMembers,\n metadata,\n false,\n );\n\n response.locals.meta = {\n ...metadata,\n members: roleMembers.map(gp => gp[0]),\n }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.get(\n '/roles/conditions',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const conditions = await this.conditionalStorage.filterConditions(\n this.getFirstQuery(request.query.roleEntityRef),\n this.getFirstQuery(request.query.pluginId),\n this.getFirstQuery(request.query.resourceType),\n this.getActionQueries(request.query.actions),\n );\n\n const body: RoleConditionalPolicyDecision<PermissionAction>[] =\n conditions\n .map(condition => {\n return {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n };\n })\n .filter(condition => {\n return matchedRoleName.includes(condition.roleEntityRef);\n });\n\n response.json(body);\n },\n );\n\n router.post(\n '/roles/conditions',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToCreate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n auth,\n );\n\n const id =\n await this.conditionalStorage.createCondition(conditionToCreate);\n\n const body = { id: id };\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(201).json(body);\n },\n );\n\n router.get(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityReadPermission,\n this.options,\n );\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError();\n }\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const roleMetadata =\n await this.roleMetadata.filterForOwnerRoleMetadata(conditionsFilter);\n\n const matchedRoleName = roleMetadata.flatMap(role => {\n return role.roleEntityRef;\n });\n\n const body: RoleConditionalPolicyDecision<PermissionAction> | [] =\n matchedRoleName.includes(condition.roleEntityRef)\n ? {\n ...condition,\n permissionMapping: condition.permissionMapping.map(\n pm => pm.action,\n ),\n }\n : [];\n\n response.json(body);\n },\n );\n\n router.delete(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityDeletePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n const conditionToDelete: RoleConditionalPolicyDecision<PermissionAction> =\n {\n ...condition,\n permissionMapping: condition.permissionMapping.map(pm => pm.action),\n };\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n conditionToDelete.roleEntityRef,\n );\n\n if (\n !roleMetadata ||\n !matches(daoToMetadata(roleMetadata), conditionsFilter)\n ) {\n throw new NotAllowedError(); // 403\n }\n\n await this.conditionalStorage.deleteCondition(id);\n response.locals.meta = { condition: conditionToDelete }; // auditor\n\n response.status(204).end();\n },\n );\n\n router.put(\n '/roles/conditions/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n let conditionsFilter: RBACFilters | undefined;\n const { decision } = await authorizeConditional(\n request,\n policyEntityUpdatePermission,\n this.options,\n );\n\n if (decision.result === AuthorizeResult.CONDITIONAL) {\n conditionsFilter = transformConditions(decision.conditions);\n }\n\n const id: number = parseInt(request.params.id, 10);\n if (isNaN(id)) {\n throw new InputError('Id is not a valid number.');\n }\n\n const condition = await this.conditionalStorage.getCondition(id);\n\n if (!condition) {\n throw new NotFoundError(`Condition with id ${id} was not found`);\n }\n\n const roleMetadata = await this.roleMetadata.findRoleMetadata(\n condition.roleEntityRef,\n );\n\n if (\n !roleMetadata ||\n !matches(daoToMetadata(roleMetadata), conditionsFilter)\n ) {\n throw new NotAllowedError(); // 403\n }\n\n const roleConditionPolicy: RoleConditionalPolicyDecision<PermissionAction> =\n request.body;\n\n validateRoleCondition(roleConditionPolicy);\n\n const conditionToUpdate = await processConditionMapping(\n roleConditionPolicy,\n this.pluginPermMetaData,\n auth,\n );\n\n await this.conditionalStorage.updateCondition(id, conditionToUpdate);\n\n response.locals.meta = { condition: roleConditionPolicy }; // auditor\n\n response.status(200).end();\n },\n );\n\n router.post(\n '/refresh/:id',\n logAuditorEvent(auditor),\n async (request, response) => {\n await authorizeConditional(\n request,\n policyEntityCreatePermission,\n this.options,\n );\n\n if (!this.rbacProviders) {\n throw new NotFoundError(`No RBAC providers were found`);\n }\n\n const idProvider = this.rbacProviders.find(provider => {\n const id = provider.getProviderName();\n return id === request.params.id;\n });\n\n if (!idProvider) {\n throw new NotFoundError(\n `The RBAC provider ${request.params.id} was not found`,\n );\n }\n\n await idProvider.refresh();\n response.status(200).end();\n },\n );\n\n registerPermissionDefinitionRoutes(\n router,\n this.pluginPermMetaData,\n this.pluginIdProvider,\n this.extraPluginsIdStorage,\n this.options,\n );\n\n router.use(setAuditorError());\n\n return router;\n }\n\n getEntityReference(request: Request, role?: boolean): string {\n const kind = request.params.kind;\n const namespace = request.params.namespace;\n const name = request.params.name;\n const entityRef = `${kind}:${namespace}/${name}`;\n\n const err = validateEntityReference(entityRef, role);\n if (err) {\n throw new InputError(err.message);\n }\n\n return entityRef;\n }\n\n async transformPolicyArray(\n ...policies: string[][]\n ): Promise<RoleBasedPolicy[]> {\n const roleToSourceMap = await buildRoleSourceMap(\n policies,\n this.roleMetadata,\n );\n\n const roleBasedPolices: RoleBasedPolicy[] = [];\n for (const p of policies) {\n const [entityReference, permission, policy, effect] = p;\n roleBasedPolices.push({\n entityReference,\n permission,\n policy,\n effect,\n metadata: { source: roleToSourceMap.get(entityReference)! },\n });\n }\n\n return roleBasedPolices;\n }\n\n async transformRoleArray(\n filter?: RBACFilters,\n ...roles: string[][]\n ): Promise<Role[]> {\n const combinedRoles: { [key: string]: string[] } = {};\n\n roles.forEach(([value, role]) => {\n if (combinedRoles.hasOwnProperty(role)) {\n combinedRoles[role].push(value);\n } else {\n combinedRoles[role] = [value];\n }\n });\n\n const result: Role[] = await Promise.all(\n Object.entries(combinedRoles).flatMap(async ([role, value]) => {\n const metadataDao = await this.roleMetadata.findRoleMetadata(role);\n const metadata = metadataDao ? daoToMetadata(metadataDao) : undefined;\n return Promise.resolve({\n memberReferences: value,\n name: role,\n metadata,\n });\n }),\n );\n\n const filteredResult = result.filter(role => {\n return role.metadata && matches(role.metadata, filter);\n });\n\n return filteredResult;\n }\n\n transformPolicyToArray(policy: RoleBasedPolicy): string[] {\n return [\n policy.entityReference!,\n policy.permission!,\n policy.policy!,\n policy.effect!,\n ];\n }\n\n transformRoleToArray(role: Role): string[][] {\n const roles: string[][] = [];\n for (const entity of role.memberReferences) {\n roles.push([entity, role.name]);\n }\n return roles;\n }\n\n transformMemberReferencesToLowercase(role: Role) {\n role.memberReferences = role.memberReferences.map(member =>\n member.toLocaleLowerCase('en-US'),\n );\n }\n\n getActionQueries(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): PermissionAction[] | undefined {\n if (!queryValue) {\n return undefined;\n }\n if (Array.isArray(queryValue)) {\n const permissionNames: PermissionAction[] = [];\n for (const permissionQuery of queryValue) {\n if (\n typeof permissionQuery === 'string' &&\n isPermissionAction(permissionQuery)\n ) {\n permissionNames.push(permissionQuery);\n } else {\n throw new InputError(\n `Invalid permission action query value: ${permissionQuery}. Permission name should be string.`,\n );\n }\n }\n return permissionNames;\n }\n\n if (typeof queryValue === 'string' && isPermissionAction(queryValue)) {\n return [queryValue];\n }\n throw new InputError(\n `Invalid permission action query value: ${queryValue}. Permission name should be string.`,\n );\n }\n\n getFirstQuery(\n queryValue: string | string[] | ParsedQs | ParsedQs[] | undefined,\n ): string {\n if (!queryValue) {\n return '';\n }\n if (Array.isArray(queryValue)) {\n if (typeof queryValue[0] === 'string') {\n return queryValue[0].toString();\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n if (typeof queryValue === 'string') {\n return queryValue;\n }\n throw new InputError(`This api doesn't support nested query`);\n }\n\n isPolicyFilterEnabled(request: Request): boolean {\n return (\n !!request.query.entityRef ||\n !!request.query.permission ||\n !!request.query.policy ||\n !!request.query.effect\n );\n }\n\n async processPolicies(\n policyArray: RoleBasedPolicy[],\n isOld?: boolean,\n errorMessage?: string,\n filter?: RBACFilters,\n ): Promise<string[][]> {\n const policies: string[][] = [];\n const uniqueItems = new Set<string>();\n for (const policy of policyArray) {\n let err = validatePolicy(policy);\n if (err) {\n throw new InputError(\n `Invalid ${errorMessage ?? 'policy'} definition. Cause: ${\n err.message\n }`,\n ); // 400\n }\n\n const metadata = await this.roleMetadata.findRoleMetadata(\n policy.entityReference!,\n );\n\n if (!metadata || !matches(daoToMetadata(metadata), filter)) {\n throw new NotAllowedError(); // 403\n }\n\n let action = errorMessage ? 'edit' : 'delete';\n action = isOld ? action : 'add';\n\n err = await validateSource('rest', metadata);\n if (err) {\n throw new NotAllowedError(\n `Unable to ${action} policy ${policy.entityReference},${policy.permission},${policy.policy},${policy.effect}: ${err.message}`,\n );\n }\n\n const transformedPolicy = this.transformPolicyToArray(policy);\n if (isOld && !(await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new NotFoundError(\n `Policy '${policyToString(transformedPolicy)}' not found`,\n ); // 404\n }\n\n if (!isOld && (await this.enforcer.hasPolicy(...transformedPolicy))) {\n throw new ConflictError(\n `Policy '${policyToString(\n transformedPolicy,\n )}' has been already stored`,\n ); // 409\n }\n\n // We want to ensure that there are not duplicate permission policies\n const rowString = JSON.stringify(transformedPolicy);\n if (uniqueItems.has(rowString)) {\n throw new ConflictError(\n `Duplicate polices found; ${policy.entityReference}, ${policy.permission}, ${policy.policy}, ${policy.effect} is a duplicate`,\n );\n } else {\n uniqueItems.add(rowString);\n policies.push(transformedPolicy);\n }\n }\n return policies;\n }\n\n nameSort(nameA: string, nameB: string): number {\n if (nameA.toLocaleUpperCase('en-US') < nameB.toLocaleUpperCase('en-US')) {\n return -1;\n }\n if (nameA.toLocaleUpperCase('en-US') > nameB.toLocaleUpperCase('en-US')) {\n return 1;\n }\n return 0;\n }\n}\n"],"names":["policyEntityReadPermission","NotAllowedError","AuthorizeResult","router","createRouter","daoToMetadata","conditionTransformerFunc","logAuditorEvent","NotFoundError","policyEntityDeletePermission","isEmpty","InputError","policyEntityCreatePermission","policyEntityUpdatePermission","isEqual","validateRole","validateSource","ConflictError","matches","deepSortedEqual","validateRoleCondition","processConditionMapping","roleMetadata","registerPermissionDefinitionRoutes","setAuditorError","validateEntityReference","buildRoleSourceMap","isPermissionAction","validatePolicy","policyToString"],"mappings":";;;;;;;;;;;;;;;;AAmFsB,eAAA,oBAAA,CACpB,OACA,EAAA,UAAA,EACA,IAUC,EAAA;AACD,EAAA,MAAM,EAAE,IAAA,EAAM,QAAU,EAAA,WAAA,EAAgB,GAAA,IAAA;AAExC,EAAA,MAAM,WAAc,GAAA,MAAM,QAAS,CAAA,WAAA,CAAY,OAAS,EAAA;AAAA,IACtD,KAAA,EAAO,CAAC,MAAA,EAAQ,SAAS;AAAA,GAC1B,CAAA;AAGD,EAAA,IACE,KAAK,WAAY,CAAA,WAAA,EAAa,SAAS,CAAA,IACvC,eAAeA,2CACf,EAAA;AACA,IAAA,MAAM,IAAIC,sBAAA;AAAA,MACR,CAAA,0EAAA;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,QAAA;AACJ,EAAI,IAAA,UAAA,CAAW,SAAS,UAAY,EAAA;AAClC,IAAA,QAAA,GAAA,CACE,MAAM,WAAY,CAAA,oBAAA,CAAqB,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,MACvD;AAAA,KACD,GACD,CAAC,CAAA;AAAA,GACE,MAAA;AACL,IAAA,QAAA,GAAA,CACE,MAAM,WAAY,CAAA,SAAA,CAAU,CAAC,EAAE,UAAA,EAAY,CAAG,EAAA;AAAA,MAC5C;AAAA,KACD,GACD,CAAC,CAAA;AAAA;AAGL,EAAI,IAAA,QAAA,CAAS,MAAW,KAAAC,sCAAA,CAAgB,IAAM,EAAA;AAC5C,IAAA,MAAM,IAAID,sBAAgB,EAAA;AAAA;AAG5B,EAAO,OAAA,EAAE,UAAU,WAAY,EAAA;AACjC;AAEO,MAAM,cAAe,CAAA;AAAA,EAC1B,WAAA,CACmB,SACA,QACA,EAAA,kBAAA,EACA,oBACA,YACA,EAAA,qBAAA,EACA,kBACA,aACjB,EAAA;AARiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,kBAAA,GAAA,kBAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,qBAAA,GAAA,qBAAA;AACA,IAAA,IAAA,CAAA,gBAAA,GAAA,gBAAA;AACA,IAAA,IAAA,CAAA,aAAA,GAAA,aAAA;AAAA;AAChB,EAEH,MAAM,KAAiC,GAAA;AACrC,IAAA,MAAME,QAAS,GAAA,MAAMC,mBAAa,CAAA,IAAA,CAAK,OAAO,CAAA;AAE9C,IAAA,MAAM,EAAE,MAAQ,EAAA,OAAA,EAAS,IAAM,EAAA,mBAAA,KAAwB,IAAK,CAAA,OAAA;AAE5D,IAAM,MAAA,WAAA,GAAc,IAAK,CAAA,YAAA,CAAa,4BAA6B,EAAA;AACnE,IAAI,IAAA,OAAA;AACJ,IAAA,IAAI,WAAa,EAAA;AACf,MAAU,OAAA,GAAA;AAAA,QACR,MAAM,WAAY,CAAA,aAAA;AAAA,QAClB,kBAAkB,EAAC;AAAA,QACnB,QAAA,EAAUC,2BAAc,WAAW;AAAA,OACrC;AAAA;AAGF,IAAA,MAAM,eACJ,GAAA,IAAA,CAAK,OAAQ,CAAA,MAAA,CAAO,mBAAmB,oBAAoB,CAAA;AAC7D,IAAA,IAAI,CAAC,eAAiB,EAAA;AACpB,MAAO,OAAAF,QAAA;AAAA;AAGT,IAAM,MAAA,mBAAA,GAAsBG,oCAAyB,mBAAmB,CAAA;AAExE,IAAAH,QAAA,CAAO,GAAI,CAAA,GAAA,EAAK,OAAO,OAAA,EAAS,QAAa,KAAA;AAC3C,MAAM,MAAA,oBAAA;AAAA,QACJ,OAAA;AAAA,QACAH,2CAAA;AAAA,QACA,IAAK,CAAA;AAAA,OACP;AAEA,MAAA,QAAA,CAAS,IAAK,CAAA,EAAE,MAAQ,EAAA,YAAA,EAAc,CAAA;AAAA,KACvC,CAAA;AAID,IAAOG,QAAA,CAAA,GAAA;AAAA,MACL,WAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAP,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAA,IAAI,WAAuB,EAAC;AAC5B,QAAI,IAAA,IAAA,CAAK,qBAAsB,CAAA,OAAO,CAAG,EAAA;AACvC,UAAA,MAAM,SAAY,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,SAAS,CAAA;AAC5D,UAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,UAAU,CAAA;AAC9D,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AACtD,UAAA,MAAM,MAAS,GAAA,IAAA,CAAK,aAAc,CAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AAEtD,UAAA,MAAM,kBAAkB,YAAa,CAAA,OAAA;AAAA,YACnC,UAAQ,IAAK,CAAA;AAAA,WACf;AAEA,UAAA,MAAM,MAAmB,GAAA,CAAC,SAAW,EAAA,UAAA,EAAY,QAAQ,MAAM,CAAA;AAC/D,UAAA,QAAA,GAAW,eAAgB,CAAA,QAAA,CAAS,SAAS,CAAA,GACzC,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA,CAAkB,CAAG,EAAA,GAAG,MAAM,CAAA,GAClD,EAAC;AAAA,SACA,MAAA;AACL,UAAA,KAAA,MAAW,QAAQ,YAAc,EAAA;AAC/B,YAAS,QAAA,CAAA,IAAA;AAAA,cACP,GAAI,MAAM,IAAA,CAAK,QAAS,CAAA,iBAAA;AAAA,gBACtB,CAAA;AAAA,gBACA,GAAG,CAAC,IAAA,CAAK,aAAa;AAAA;AACxB,aACF;AAAA;AACF;AAGF,QAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,QAAQ,CAAA;AAExD,QAAA,IAAA,CAAK,IAAI,CAAU,MAAA,KAAA;AACjB,UAAA,IACE,MAAO,CAAA,UAAA,KAAe,eACtB,IAAA,MAAA,CAAO,WAAW,QAClB,EAAA;AACA,YAAA,MAAA,CAAO,UAAa,GAAA,sBAAA;AACpB,YAAO,MAAA,CAAA,IAAA;AAAA,cACL,CAA8H,2HAAA,EAAA,CAAC,MAAO,CAAA,eAAA,EAAiB,eAAiB,EAAA,MAAA,CAAO,MAAQ,EAAA,MAAA,CAAO,MAAM,CAAC,CAAyE,sEAAA,EAAA,MAAA,CAAO,UAAU,MAAM,CAAA;AAAA,aACvS;AAAA;AACF,SACD,CAAA;AAED,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAP,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,MAAS,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAS,CAC7C,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,CAAA,EAAG,SAAS,CAAA,GAClD,EAAC;AACL,QAAI,IAAA,MAAA,CAAO,WAAW,CAAG,EAAA;AACvB,UAAA,MAAM,IAAO,GAAA,MAAM,IAAK,CAAA,oBAAA,CAAqB,GAAG,MAAM,CAAA;AAEtD,UAAA,IAAA,CAAK,IAAI,CAAc,UAAA,KAAA;AACrB,YAAA,IACE,UAAW,CAAA,UAAA,KAAe,eAC1B,IAAA,UAAA,CAAW,WAAW,QACtB,EAAA;AACA,cAAA,UAAA,CAAW,UAAa,GAAA,sBAAA;AACxB,cAAO,MAAA,CAAA,IAAA;AAAA,gBACL,CAA8H,2HAAA,EAAA,CAAC,UAAW,CAAA,eAAA,EAAiB,eAAiB,EAAA,UAAA,CAAW,MAAQ,EAAA,UAAA,CAAW,MAAM,CAAC,CAAyE,sEAAA,EAAA,UAAA,CAAW,UAAU,MAAM,CAAA;AAAA,eACvT;AAAA;AACF,WACD,CAAA;AAED,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAIM,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAOL,QAAA,CAAA,MAAA;AAAA,MACL,kCAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAP,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAC7C,QAAI,IAAAQ,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAA,SAAA,CAAU,QAAQ,CAAW,OAAA,KAAA;AAC3B,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,IAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,cAAA,CAAe,iBAAiB,CAAA;AAEpD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOR,QAAA,CAAA,IAAA;AAAA,MACL,WAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,YAA+B,OAAQ,CAAA,IAAA;AAE7C,QAAI,IAAAF,cAAA,CAAQ,SAAS,CAAG,EAAA;AACtB,UAAM,MAAA,IAAIC,kBAAW,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAG1D,QAAM,MAAA,iBAAA,GAAoB,MAAM,IAAK,CAAA,eAAA;AAAA,UACnC,SAAA;AAAA,UACA,KAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,SAAY,GAAA,iBAAA,CAAkB,CAAC,CAAA,CAAE,CAAC,CAAA;AACxC,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAA,IAAA,CAAK,QAAS,CAAA,WAAA,CAAY,iBAAiB,CAAA;AAEjD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,iBAAkB,EAAA;AAErD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOR,QAAA,CAAA,GAAA;AAAA,MACL,kCAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAX,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAM,MAAA,SAAA,GAAY,IAAK,CAAA,kBAAA,CAAmB,OAAO,CAAA;AAEjD,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAQ,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAE3D,QAAM,MAAA,YAAA,GAAkC,QAAQ,IAAK,CAAA,SAAA;AACrD,QAAI,IAAAD,cAAA,CAAQ,YAAY,CAAG,EAAA;AACzB,UAAM,MAAA,IAAIC,kBAAW,CAAoC,kCAAA,CAAA,CAAA;AAAA;AAG3D,QAAA,CAAC,GAAG,YAAc,EAAA,GAAG,YAAY,CAAA,CAAE,QAAQ,CAAW,OAAA,KAAA;AACpD,UAAA,OAAA,CAAQ,eAAkB,GAAA,SAAA;AAAA,SAC3B,CAAA;AAED,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,IAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QAAa,YAAA,CAAA,IAAA;AAAA,UAAK,CAAC,CAAG,EAAA,CAAA,KACpB,EAAE,UAAe,KAAA,CAAA,CAAE,aACf,IAAK,CAAA,QAAA,CAAS,EAAE,MAAS,EAAA,CAAA,CAAE,MAAO,CAClC,GAAA,IAAA,CAAK,SAAS,CAAE,CAAA,UAAA,EAAa,EAAE,UAAW;AAAA,SAChD;AAEA,QACE,IAAAG,cAAA,CAAQ,cAAc,YAAY,CAAA,IAClC,CAAC,YAAa,CAAA,IAAA,CAAKJ,cAAO,CAC1B,EAAA;AACA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA,SAChB,MAAA,IAAA,YAAA,CAAa,MAAS,GAAA,YAAA,CAAa,MAAQ,EAAA;AACpD,UAAA,MAAM,IAAIC,iBAAA;AAAA,YACR,CAAA,8EAAA;AAAA,WACF;AAAA;AAGF,QAAM,MAAA,kBAAA,GAAqB,MAAM,IAAK,CAAA,eAAA;AAAA,UACpC,YAAA;AAAA,UACA,KAAA;AAAA,UACA,YAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,SAAS,CAAA;AACpD,QAAA,IAAI,SAAU,CAAA,UAAA,CAAW,cAAc,CAAA,IAAK,CAAC,YAAc,EAAA;AACzD,UAAA,MAAM,IAAI,KAAA,CAAM,CAAsB,mBAAA,EAAA,SAAS,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAA,MAAM,KAAK,QAAS,CAAA,cAAA;AAAA,UAClB,kBAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,QAAA,EAAU,kBAAmB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAIA,IAAOR,QAAA,CAAA,GAAA;AAAA,MACL,QAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAP,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,KAAQ,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,EAAA;AACpD,QAAA,MAAM,OAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,KAAK,CAAA;AAErE,QAAA,IAAI,OAAS,EAAA;AACX,UAAA,IAAA,CAAK,KAAK,OAAO,CAAA;AAAA;AAGnB,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAP,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAI,IAAA,IAAA;AACJ,QAAI,IAAA,OAAA,IAAW,aAAkB,KAAA,OAAA,CAAQ,IAAM,EAAA;AAC7C,UAAA,IAAA,GAAO,CAAC,OAAO,CAAA;AAAA,SACV,MAAA;AACL,UAAM,MAAA,IAAA,GAAO,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,YAC/B,CAAA;AAAA,YACA;AAAA,WACF;AACA,UAAA,IAAA,GAAO,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA,EAAkB,GAAG,IAAI,CAAA;AAAA;AAEhE,QAAI,IAAA,IAAA,CAAK,WAAW,CAAG,EAAA;AACrB,UAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,SACb,MAAA;AACL,UAAA,MAAM,IAAIM,oBAAc,EAAA;AAAA;AAC1B;AACF,KACF;AAEA,IAAOL,QAAA,CAAA,IAAA;AAAA,MACL,QAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAM,MAAA,EAAE,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UAC5B,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,UAAgB,OAAQ,CAAA,IAAA;AAC9B,QAAI,IAAA,GAAA,GAAMG,gCAAa,OAAO,CAAA;AAC9B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,OAAO,CAAA;AAEjD,QAAM,MAAA,SAAA,GAAY,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UACxC,OAAQ,CAAA;AAAA,SACV;AAEA,QAAM,GAAA,GAAA,MAAMK,iCAAe,CAAA,MAAA,EAAQ,SAAS,CAAA;AAC5C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIf,sBAAA,CAAgB,CAAuB,oBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGhE,QAAM,MAAA,KAAA,GAAQ,IAAK,CAAA,oBAAA,CAAqB,OAAO,CAAA;AAE/C,QAAA,KAAA,MAAW,QAAQ,KAAO,EAAA;AACxB,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,MAAM,IAAIgB,oBAAc,EAAA;AAAA;AAE1B,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,eAAe,OAAQ,CAAA,IAAA;AAAA,UACvB,MAAQ,EAAA,MAAA;AAAA,UACR,WAAA,EAAa,OAAQ,CAAA,QAAA,EAAU,WAAe,IAAA,EAAA;AAAA,UAC9C,MAAQ,EAAA,UAAA;AAAA,UACR,UAAA;AAAA,UACA,KAAA,EAAO,OAAQ,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACpC;AAEA,QAAA,MAAM,IAAK,CAAA,QAAA,CAAS,mBAAoB,CAAA,KAAA,EAAO,QAAQ,CAAA;AAEvD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,GAAG,QAAU,EAAA,OAAA,EAAS,KAAM,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC,CAAE,EAAA;AAEtE,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOd,QAAA,CAAA,GAAA;AAAA,MACL,+BAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UACtC,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAX,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AAEtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIS,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAEzD,QAAM,MAAA,UAAA,GAAmB,QAAQ,IAAK,CAAA,OAAA;AACtC,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAM,MAAA,IAAIA,kBAAW,CAAkC,gCAAA,CAAA,CAAA;AAAA;AAGzD,QAAA,UAAA,CAAW,IAAO,GAAA,aAAA;AAClB,QAAI,IAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AACjC,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,GAAA,GAAMI,gCAAa,UAAU,CAAA;AAC7B,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIJ,iBAAA;AAAA;AAAA,YACR,CAAA,gCAAA,EAAmC,IAAI,OAAO,CAAA;AAAA,WAChD;AAAA;AAEF,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AACpD,QAAA,IAAA,CAAK,qCAAqC,UAAU,CAAA;AAEpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AACpD,QAAM,MAAA,OAAA,GAAU,IAAK,CAAA,oBAAA,CAAqB,UAAU,CAAA;AAGpD,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,WAA+B,GAAA;AAAA,UACnC,GAAG,UAAW,CAAA,QAAA;AAAA,UACd,MAAA,EAAQ,UAAW,CAAA,QAAA,EAAU,MAAU,IAAA,MAAA;AAAA,UACvC,eAAe,UAAW,CAAA,IAAA;AAAA,UAC1B,UAAA;AAAA,UACA,KAAA,EAAO,UAAW,CAAA,QAAA,EAAU,KAAS,IAAA;AAAA,SACvC;AAEA,QAAA,MAAM,WACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AACxD,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAA,MAAM,IAAIH,oBAAA;AAAA,YACR,+BAA+B,aAAa,CAAA;AAAA,WAC9C;AAAA;AAGF,QAAM,GAAA,GAAA,MAAMQ,iCAAe,CAAA,MAAA,EAAQ,WAAW,CAAA;AAC9C,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIf,sBAAA,CAAgB,CAAwB,qBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGjE,QAAA,IAAI,CAACiB,cAAQ,CAAAb,0BAAA,CAAc,WAAW,CAAA,EAAG,gBAAgB,CAAG,EAAA;AAC1D,UAAA,MAAM,IAAIJ,sBAAgB,EAAA;AAAA;AAG5B,QAAA,IACEa,eAAQ,OAAS,EAAA,OAAO,CACxB,IAAAK,sBAAA,CAAgB,aAAa,WAAa,EAAA;AAAA,UACxC,QAAA;AAAA,UACA,YAAA;AAAA,UACA,WAAA;AAAA,UACA,cAAA;AAAA,UACA;AAAA,SACD,CACD,EAAA;AAEA,UAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AACzB,UAAA;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAM,MAAA,OAAA,GAAU,OAAQ,CAAA,IAAA,CAAK,CAAW,OAAA,KAAA;AACtC,YAAO,OAAAL,cAAA,CAAQ,SAAS,IAAI,CAAA;AAAA,WAC7B,CAAA;AAGD,UAAA,IAAI,MAAM,IAAK,CAAA,QAAA,CAAS,iBAAkB,CAAA,GAAG,IAAI,CAAG,EAAA;AAClD,YAAA,IAAI,CAAC,OAAS,EAAA;AACZ,cAAA,MAAM,IAAIG,oBAAc,EAAA;AAAA;AAC1B;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,WAAA,CAAY,KAAM,EAAA;AAClB,QAAA,KAAA,MAAW,QAAQ,OAAS,EAAA;AAC1B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIT,oBAAA;AAAA,cACR,CAAqB,kBAAA,EAAA,IAAA,CAAK,CAAC,CAAC,2BAA2B,aAAa,CAAA;AAAA,aACtE;AAAA;AAEF,UAAM,MAAA,UAAA,GAAa,IAAK,CAAA,SAAA,CAAU,IAAI,CAAA;AAEtC,UAAI,IAAA,WAAA,CAAY,GAAI,CAAA,UAAU,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIS,oBAAA;AAAA,cACR,iCAAiC,IAAK,CAAA,EAAA,CAAG,CAAC,CAAC,KAAK,IAAK,CAAA,EAAA;AAAA,gBACnD;AAAA,eACD,CAAA,eAAA;AAAA,aACH;AAAA,WACK,MAAA;AACL,YAAA,WAAA,CAAY,IAAI,UAAU,CAAA;AAAA;AAC5B;AAGF,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,OAAA;AAAA,UACA,OAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAI,IAAA,OAAA,GAAU,CAAW,QAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA,CAAA;AAClD,QAAI,IAAA,WAAA,CAAY,aAAkB,KAAA,WAAA,CAAY,aAAe,EAAA;AAC3D,UAAA,OAAA,GAAU,CAAG,EAAA,OAAO,CAAsC,mCAAA,EAAA,WAAA,CAAY,aAAa,CAAA,CAAA;AAAA;AAErF,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,WAAA;AAAA,UACH,SAAS,OAAQ,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SAClC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOd,QAAA,CAAA,MAAA;AAAA,MACL,+BAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAA,MAAM,EAAE,QAAA,EAAU,WAAY,EAAA,GAAI,MAAM,oBAAA;AAAA,UACtC,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAP,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,aAAgB,GAAA,IAAA,CAAK,kBAAmB,CAAA,OAAA,EAAS,IAAI,CAAA;AAE3D,QAAA,MAAM,eACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,aAAa,CAAA;AAExD,QACE,IAAA,CAAC,mBACD,CAACgB,cAAA,CAAQb,2BAAc,eAAe,CAAA,EAAG,gBAAgB,CACzD,EAAA;AACA,UAAA,MAAM,IAAIJ,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,GAAM,GAAA,MAAMe,iCAAe,CAAA,MAAA,EAAQ,eAAe,CAAA;AACxD,QAAA,IAAI,GAAK,EAAA;AACP,UAAA,MAAM,IAAIf,sBAAA,CAAgB,CAA0B,uBAAA,EAAA,GAAA,CAAI,OAAO,CAAE,CAAA,CAAA;AAAA;AAGnE,QAAA,IAAI,cAAc,EAAC;AACnB,QAAI,IAAA,OAAA,CAAQ,MAAM,gBAAkB,EAAA;AAClC,UAAA,MAAM,kBAAkB,IAAK,CAAA,aAAA;AAAA,YAC3B,QAAQ,KAAM,CAAA;AAAA,WAChB,CAAE,kBAAkB,OAAO,CAAA;AAC3B,UAAM,MAAA,EAAA,GAAK,MAAM,IAAA,CAAK,QAAS,CAAA,yBAAA;AAAA,YAC7B,CAAA;AAAA,YACA,eAAA;AAAA,YACA;AAAA,WACF;AACA,UAAI,IAAA,EAAA,CAAG,SAAS,CAAG,EAAA;AACjB,YAAY,WAAA,CAAA,IAAA,CAAK,EAAG,CAAA,CAAC,CAAC,CAAA;AAAA,WACjB,MAAA;AACL,YAAA,MAAM,IAAIO,oBAAA;AAAA,cACR,gBAAgB,eAAe,CAAA,eAAA;AAAA,aACjC;AAAA;AACF,SACK,MAAA;AACL,UAAc,WAAA,GAAA,MAAM,KAAK,QAAS,CAAA,yBAAA;AAAA,YAChC,CAAA;AAAA,YACA;AAAA,WACF;AAAA;AAGF,QAAA,KAAA,MAAW,QAAQ,WAAa,EAAA;AAC9B,UAAA,IAAI,CAAE,MAAM,IAAA,CAAK,SAAS,iBAAkB,CAAA,GAAG,IAAI,CAAI,EAAA;AACrD,YAAA,MAAM,IAAIA,oBAAc,CAAA,CAAA,aAAA,EAAgB,IAAK,CAAA,CAAC,CAAC,CAAiB,eAAA,CAAA,CAAA;AAAA;AAClE;AAGF,QAAM,MAAA,UAAA,GACJ,YACA,SAAU,CAAA,aAAA;AACZ,QAAA,MAAM,QAA4B,GAAA;AAAA,UAChC,aAAA;AAAA,UACA,MAAQ,EAAA,MAAA;AAAA,UACR;AAAA,SACF;AAEA,QAAA,MAAM,KAAK,QAAS,CAAA,sBAAA;AAAA,UAClB,WAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACF;AAEA,QAAA,QAAA,CAAS,OAAO,IAAO,GAAA;AAAA,UACrB,GAAG,QAAA;AAAA,UACH,SAAS,WAAY,CAAA,GAAA,CAAI,CAAM,EAAA,KAAA,EAAA,CAAG,CAAC,CAAC;AAAA,SACtC;AAEA,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOL,QAAA,CAAA,GAAA;AAAA,MACL,mBAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAP,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAE,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAM,MAAA,UAAA,GAAa,MAAM,IAAA,CAAK,kBAAmB,CAAA,gBAAA;AAAA,UAC/C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,aAAa,CAAA;AAAA,UAC9C,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,QAAQ,CAAA;AAAA,UACzC,IAAK,CAAA,aAAA,CAAc,OAAQ,CAAA,KAAA,CAAM,YAAY,CAAA;AAAA,UAC7C,IAAK,CAAA,gBAAA,CAAiB,OAAQ,CAAA,KAAA,CAAM,OAAO;AAAA,SAC7C;AAEA,QAAM,MAAA,IAAA,GACJ,UACG,CAAA,GAAA,CAAI,CAAa,SAAA,KAAA;AAChB,UAAO,OAAA;AAAA,YACL,GAAG,SAAA;AAAA,YACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,cAC7C,QAAM,EAAG,CAAA;AAAA;AACX,WACF;AAAA,SACD,CACA,CAAA,MAAA,CAAO,CAAa,SAAA,KAAA;AACnB,UAAO,OAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAAA;AAAA,SACxD,CAAA;AAEL,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,IAAA;AAAA,MACL,mBAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AACV,QAAAQ,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL;AAAA,SACF;AAEA,QAAA,MAAM,EACJ,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,gBAAgB,iBAAiB,CAAA;AAEjE,QAAM,MAAA,IAAA,GAAO,EAAE,EAAO,EAAA;AAEtB,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAA,QAAA,CAAS,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,IAAI,CAAA;AAAA;AAChC,KACF;AAEA,IAAOlB,QAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAP,2CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIW,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAc,EAAA;AAAA;AAG1B,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAN,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,YACJ,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,2BAA2B,gBAAgB,CAAA;AAErE,QAAM,MAAA,eAAA,GAAkB,YAAa,CAAA,OAAA,CAAQ,CAAQ,IAAA,KAAA;AACnD,UAAA,OAAO,IAAK,CAAA,aAAA;AAAA,SACb,CAAA;AAED,QAAA,MAAM,IACJ,GAAA,eAAA,CAAgB,QAAS,CAAA,SAAA,CAAU,aAAa,CAC5C,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,iBAAA,EAAmB,UAAU,iBAAkB,CAAA,GAAA;AAAA,YAC7C,QAAM,EAAG,CAAA;AAAA;AACX,YAEF,EAAC;AAEP,QAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA;AACpB,KACF;AAEA,IAAOC,QAAA,CAAA,MAAA;AAAA,MACL,uBAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAE,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAP,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIS,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAC/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAEjE,QAAA,MAAM,iBACJ,GAAA;AAAA,UACE,GAAG,SAAA;AAAA,UACH,mBAAmB,SAAU,CAAA,iBAAA,CAAkB,GAAI,CAAA,CAAA,EAAA,KAAM,GAAG,MAAM;AAAA,SACpE;AAEF,QAAM,MAAAc,cAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,iBAAkB,CAAA;AAAA,SACpB;AAEA,QACE,IAAA,CAACA,kBACD,CAACJ,cAAA,CAAQb,2BAAciB,cAAY,CAAA,EAAG,gBAAgB,CACtD,EAAA;AACA,UAAA,MAAM,IAAIrB,sBAAgB,EAAA;AAAA;AAG5B,QAAM,MAAA,IAAA,CAAK,kBAAmB,CAAA,eAAA,CAAgB,EAAE,CAAA;AAChD,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,iBAAkB,EAAA;AAEtD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOE,QAAA,CAAA,GAAA;AAAA,MACL,uBAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAI,IAAA,gBAAA;AACJ,QAAM,MAAA,EAAE,QAAS,EAAA,GAAI,MAAM,oBAAA;AAAA,UACzB,OAAA;AAAA,UACAM,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,QAAA,CAAS,MAAW,KAAAX,sCAAA,CAAgB,WAAa,EAAA;AACnD,UAAmB,gBAAA,GAAA,mBAAA,CAAoB,SAAS,UAAU,CAAA;AAAA;AAG5D,QAAA,MAAM,EAAa,GAAA,QAAA,CAAS,OAAQ,CAAA,MAAA,CAAO,IAAI,EAAE,CAAA;AACjD,QAAI,IAAA,KAAA,CAAM,EAAE,CAAG,EAAA;AACb,UAAM,MAAA,IAAIS,kBAAW,2BAA2B,CAAA;AAAA;AAGlD,QAAA,MAAM,SAAY,GAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,aAAa,EAAE,CAAA;AAE/D,QAAA,IAAI,CAAC,SAAW,EAAA;AACd,UAAA,MAAM,IAAIH,oBAAA,CAAc,CAAqB,kBAAA,EAAA,EAAE,CAAgB,cAAA,CAAA,CAAA;AAAA;AAGjE,QAAM,MAAAc,cAAA,GAAe,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,UAC3C,SAAU,CAAA;AAAA,SACZ;AAEA,QACE,IAAA,CAACA,kBACD,CAACJ,cAAA,CAAQb,2BAAciB,cAAY,CAAA,EAAG,gBAAgB,CACtD,EAAA;AACA,UAAA,MAAM,IAAIrB,sBAAgB,EAAA;AAAA;AAG5B,QAAA,MAAM,sBACJ,OAAQ,CAAA,IAAA;AAEV,QAAAmB,yCAAA,CAAsB,mBAAmB,CAAA;AAEzC,QAAA,MAAM,oBAAoB,MAAMC,8BAAA;AAAA,UAC9B,mBAAA;AAAA,UACA,IAAK,CAAA,kBAAA;AAAA,UACL;AAAA,SACF;AAEA,QAAA,MAAM,IAAK,CAAA,kBAAA,CAAmB,eAAgB,CAAA,EAAA,EAAI,iBAAiB,CAAA;AAEnE,QAAA,QAAA,CAAS,MAAO,CAAA,IAAA,GAAO,EAAE,SAAA,EAAW,mBAAoB,EAAA;AAExD,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAOlB,QAAA,CAAA,IAAA;AAAA,MACL,cAAA;AAAA,MACAI,gCAAgB,OAAO,CAAA;AAAA,MACvB,OAAO,SAAS,QAAa,KAAA;AAC3B,QAAM,MAAA,oBAAA;AAAA,UACJ,OAAA;AAAA,UACAK,6CAAA;AAAA,UACA,IAAK,CAAA;AAAA,SACP;AAEA,QAAI,IAAA,CAAC,KAAK,aAAe,EAAA;AACvB,UAAM,MAAA,IAAIJ,qBAAc,CAA8B,4BAAA,CAAA,CAAA;AAAA;AAGxD,QAAA,MAAM,UAAa,GAAA,IAAA,CAAK,aAAc,CAAA,IAAA,CAAK,CAAY,QAAA,KAAA;AACrD,UAAM,MAAA,EAAA,GAAK,SAAS,eAAgB,EAAA;AACpC,UAAO,OAAA,EAAA,KAAO,QAAQ,MAAO,CAAA,EAAA;AAAA,SAC9B,CAAA;AAED,QAAA,IAAI,CAAC,UAAY,EAAA;AACf,UAAA,MAAM,IAAIA,oBAAA;AAAA,YACR,CAAA,kBAAA,EAAqB,OAAQ,CAAA,MAAA,CAAO,EAAE,CAAA,cAAA;AAAA,WACxC;AAAA;AAGF,QAAA,MAAM,WAAW,OAAQ,EAAA;AACzB,QAAS,QAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA;AAAA;AAC3B,KACF;AAEA,IAAAe,6DAAA;AAAA,MACEpB,QAAA;AAAA,MACA,IAAK,CAAA,kBAAA;AAAA,MACL,IAAK,CAAA,gBAAA;AAAA,MACL,IAAK,CAAA,qBAAA;AAAA,MACL,IAAK,CAAA;AAAA,KACP;AAEA,IAAOA,QAAA,CAAA,GAAA,CAAIqB,iCAAiB,CAAA;AAE5B,IAAO,OAAArB,QAAA;AAAA;AACT,EAEA,kBAAA,CAAmB,SAAkB,IAAwB,EAAA;AAC3D,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAM,MAAA,SAAA,GAAY,QAAQ,MAAO,CAAA,SAAA;AACjC,IAAM,MAAA,IAAA,GAAO,QAAQ,MAAO,CAAA,IAAA;AAC5B,IAAA,MAAM,YAAY,CAAG,EAAA,IAAI,CAAI,CAAA,EAAA,SAAS,IAAI,IAAI,CAAA,CAAA;AAE9C,IAAM,MAAA,GAAA,GAAMsB,0CAAwB,CAAA,SAAA,EAAW,IAAI,CAAA;AACnD,IAAA,IAAI,GAAK,EAAA;AACP,MAAM,MAAA,IAAId,iBAAW,CAAA,GAAA,CAAI,OAAO,CAAA;AAAA;AAGlC,IAAO,OAAA,SAAA;AAAA;AACT,EAEA,MAAM,wBACD,QACyB,EAAA;AAC5B,IAAA,MAAM,kBAAkB,MAAMe,yBAAA;AAAA,MAC5B,QAAA;AAAA,MACA,IAAK,CAAA;AAAA,KACP;AAEA,IAAA,MAAM,mBAAsC,EAAC;AAC7C,IAAA,KAAA,MAAW,KAAK,QAAU,EAAA;AACxB,MAAA,MAAM,CAAC,eAAA,EAAiB,UAAY,EAAA,MAAA,EAAQ,MAAM,CAAI,GAAA,CAAA;AACtD,MAAA,gBAAA,CAAiB,IAAK,CAAA;AAAA,QACpB,eAAA;AAAA,QACA,UAAA;AAAA,QACA,MAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAU,EAAE,MAAA,EAAQ,eAAgB,CAAA,GAAA,CAAI,eAAe,CAAG;AAAA,OAC3D,CAAA;AAAA;AAGH,IAAO,OAAA,gBAAA;AAAA;AACT,EAEA,MAAM,kBACJ,CAAA,MAAA,EAAA,GACG,KACc,EAAA;AACjB,IAAA,MAAM,gBAA6C,EAAC;AAEpD,IAAA,KAAA,CAAM,OAAQ,CAAA,CAAC,CAAC,KAAA,EAAO,IAAI,CAAM,KAAA;AAC/B,MAAI,IAAA,aAAA,CAAc,cAAe,CAAA,IAAI,CAAG,EAAA;AACtC,QAAc,aAAA,CAAA,IAAI,CAAE,CAAA,IAAA,CAAK,KAAK,CAAA;AAAA,OACzB,MAAA;AACL,QAAc,aAAA,CAAA,IAAI,CAAI,GAAA,CAAC,KAAK,CAAA;AAAA;AAC9B,KACD,CAAA;AAED,IAAM,MAAA,MAAA,GAAiB,MAAM,OAAQ,CAAA,GAAA;AAAA,MACnC,MAAA,CAAO,QAAQ,aAAa,CAAA,CAAE,QAAQ,OAAO,CAAC,IAAM,EAAA,KAAK,CAAM,KAAA;AAC7D,QAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,iBAAiB,IAAI,CAAA;AACjE,QAAA,MAAM,QAAW,GAAA,WAAA,GAAcrB,0BAAc,CAAA,WAAW,CAAI,GAAA,SAAA;AAC5D,QAAA,OAAO,QAAQ,OAAQ,CAAA;AAAA,UACrB,gBAAkB,EAAA,KAAA;AAAA,UAClB,IAAM,EAAA,IAAA;AAAA,UACN;AAAA,SACD,CAAA;AAAA,OACF;AAAA,KACH;AAEA,IAAM,MAAA,cAAA,GAAiB,MAAO,CAAA,MAAA,CAAO,CAAQ,IAAA,KAAA;AAC3C,MAAA,OAAO,IAAK,CAAA,QAAA,IAAYa,cAAQ,CAAA,IAAA,CAAK,UAAU,MAAM,CAAA;AAAA,KACtD,CAAA;AAED,IAAO,OAAA,cAAA;AAAA;AACT,EAEA,uBAAuB,MAAmC,EAAA;AACxD,IAAO,OAAA;AAAA,MACL,MAAO,CAAA,eAAA;AAAA,MACP,MAAO,CAAA,UAAA;AAAA,MACP,MAAO,CAAA,MAAA;AAAA,MACP,MAAO,CAAA;AAAA,KACT;AAAA;AACF,EAEA,qBAAqB,IAAwB,EAAA;AAC3C,IAAA,MAAM,QAAoB,EAAC;AAC3B,IAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,MAAA,KAAA,CAAM,IAAK,CAAA,CAAC,MAAQ,EAAA,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA;AAEhC,IAAO,OAAA,KAAA;AAAA;AACT,EAEA,qCAAqC,IAAY,EAAA;AAC/C,IAAK,IAAA,CAAA,gBAAA,GAAmB,KAAK,gBAAiB,CAAA,GAAA;AAAA,MAAI,CAAA,MAAA,KAChD,MAAO,CAAA,iBAAA,CAAkB,OAAO;AAAA,KAClC;AAAA;AACF,EAEA,iBACE,UACgC,EAAA;AAChC,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,SAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,MAAM,kBAAsC,EAAC;AAC7C,MAAA,KAAA,MAAW,mBAAmB,UAAY,EAAA;AACxC,QAAA,IACE,OAAO,eAAA,KAAoB,QAC3B,IAAAS,yBAAA,CAAmB,eAAe,CAClC,EAAA;AACA,UAAA,eAAA,CAAgB,KAAK,eAAe,CAAA;AAAA,SAC/B,MAAA;AACL,UAAA,MAAM,IAAIhB,iBAAA;AAAA,YACR,0CAA0C,eAAe,CAAA,mCAAA;AAAA,WAC3D;AAAA;AACF;AAEF,MAAO,OAAA,eAAA;AAAA;AAGT,IAAA,IAAI,OAAO,UAAA,KAAe,QAAY,IAAAgB,yBAAA,CAAmB,UAAU,CAAG,EAAA;AACpE,MAAA,OAAO,CAAC,UAAU,CAAA;AAAA;AAEpB,IAAA,MAAM,IAAIhB,iBAAA;AAAA,MACR,0CAA0C,UAAU,CAAA,mCAAA;AAAA,KACtD;AAAA;AACF,EAEA,cACE,UACQ,EAAA;AACR,IAAA,IAAI,CAAC,UAAY,EAAA;AACf,MAAO,OAAA,EAAA;AAAA;AAET,IAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,UAAU,CAAG,EAAA;AAC7B,MAAA,IAAI,OAAO,UAAA,CAAW,CAAC,CAAA,KAAM,QAAU,EAAA;AACrC,QAAO,OAAA,UAAA,CAAW,CAAC,CAAA,CAAE,QAAS,EAAA;AAAA;AAEhC,MAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAG9D,IAAI,IAAA,OAAO,eAAe,QAAU,EAAA;AAClC,MAAO,OAAA,UAAA;AAAA;AAET,IAAM,MAAA,IAAIA,kBAAW,CAAuC,qCAAA,CAAA,CAAA;AAAA;AAC9D,EAEA,sBAAsB,OAA2B,EAAA;AAC/C,IAAA,OACE,CAAC,CAAC,OAAA,CAAQ,MAAM,SAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,IAAA,CAAC,CAAC,OAAQ,CAAA,KAAA,CAAM,UAChB,CAAC,CAAC,QAAQ,KAAM,CAAA,MAAA;AAAA;AAEpB,EAEA,MAAM,eAAA,CACJ,WACA,EAAA,KAAA,EACA,cACA,MACqB,EAAA;AACrB,IAAA,MAAM,WAAuB,EAAC;AAC9B,IAAM,MAAA,WAAA,uBAAkB,GAAY,EAAA;AACpC,IAAA,KAAA,MAAW,UAAU,WAAa,EAAA;AAChC,MAAI,IAAA,GAAA,GAAMiB,kCAAe,MAAM,CAAA;AAC/B,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIjB,iBAAA;AAAA,UACR,CAAW,QAAA,EAAA,YAAA,IAAgB,QAAQ,CAAA,oBAAA,EACjC,IAAI,OACN,CAAA;AAAA,SACF;AAAA;AAGF,MAAM,MAAA,QAAA,GAAW,MAAM,IAAA,CAAK,YAAa,CAAA,gBAAA;AAAA,QACvC,MAAO,CAAA;AAAA,OACT;AAEA,MAAI,IAAA,CAAC,YAAY,CAACO,cAAA,CAAQb,2BAAc,QAAQ,CAAA,EAAG,MAAM,CAAG,EAAA;AAC1D,QAAA,MAAM,IAAIJ,sBAAgB,EAAA;AAAA;AAG5B,MAAI,IAAA,MAAA,GAAS,eAAe,MAAS,GAAA,QAAA;AACrC,MAAA,MAAA,GAAS,QAAQ,MAAS,GAAA,KAAA;AAE1B,MAAM,GAAA,GAAA,MAAMe,iCAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA;AAC3C,MAAA,IAAI,GAAK,EAAA;AACP,QAAA,MAAM,IAAIf,sBAAA;AAAA,UACR,aAAa,MAAM,CAAA,QAAA,EAAW,MAAO,CAAA,eAAe,IAAI,MAAO,CAAA,UAAU,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAI,CAAA,EAAA,MAAA,CAAO,MAAM,CAAA,EAAA,EAAK,IAAI,OAAO,CAAA;AAAA,SAC7H;AAAA;AAGF,MAAM,MAAA,iBAAA,GAAoB,IAAK,CAAA,sBAAA,CAAuB,MAAM,CAAA;AAC5D,MAAI,IAAA,KAAA,IAAS,CAAE,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIO,oBAAA;AAAA,UACR,CAAA,QAAA,EAAWqB,qBAAe,CAAA,iBAAiB,CAAC,CAAA,WAAA;AAAA,SAC9C;AAAA;AAGF,MAAI,IAAA,CAAC,SAAU,MAAM,IAAA,CAAK,SAAS,SAAU,CAAA,GAAG,iBAAiB,CAAI,EAAA;AACnE,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAW,QAAA,EAAAY,qBAAA;AAAA,YACT;AAAA,WACD,CAAA,yBAAA;AAAA,SACH;AAAA;AAIF,MAAM,MAAA,SAAA,GAAY,IAAK,CAAA,SAAA,CAAU,iBAAiB,CAAA;AAClD,MAAI,IAAA,WAAA,CAAY,GAAI,CAAA,SAAS,CAAG,EAAA;AAC9B,QAAA,MAAM,IAAIZ,oBAAA;AAAA,UACR,CAAA,yBAAA,EAA4B,MAAO,CAAA,eAAe,CAAK,EAAA,EAAA,MAAA,CAAO,UAAU,CAAA,EAAA,EAAK,MAAO,CAAA,MAAM,CAAK,EAAA,EAAA,MAAA,CAAO,MAAM,CAAA,eAAA;AAAA,SAC9G;AAAA,OACK,MAAA;AACL,QAAA,WAAA,CAAY,IAAI,SAAS,CAAA;AACzB,QAAA,QAAA,CAAS,KAAK,iBAAiB,CAAA;AAAA;AACjC;AAEF,IAAO,OAAA,QAAA;AAAA;AACT,EAEA,QAAA,CAAS,OAAe,KAAuB,EAAA;AAC7C,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,EAAA;AAAA;AAET,IAAA,IAAI,MAAM,iBAAkB,CAAA,OAAO,IAAI,KAAM,CAAA,iBAAA,CAAkB,OAAO,CAAG,EAAA;AACvE,MAAO,OAAA,CAAA;AAAA;AAET,IAAO,OAAA,CAAA;AAAA;AAEX;;;;;"}
package/dist/service/policy-builder.cjs.js CHANGED
@@ -21,6 +21,7 @@ var rules = require('../permissions/rules.cjs.js');
21
21
  var resource = require('../permissions/resource.cjs.js');
22
22
  var extraPermissionEnabledPluginsStorage = require('../database/extra-permission-enabled-plugins-storage.cjs.js');
23
23
  var extendableIdProvider = require('./extendable-id-provider.cjs.js');
24
+ var defaultPermissions = require('../default-permissions/default-permissions.cjs.js');
24
25
 
25
26
  class PolicyBuilder {
26
27
  static async build(env, pluginIdProvider = { getPluginIds: () => [] }, rbacProviders) {
@@ -38,13 +39,15 @@ class PolicyBuilder {
38
39
  enf.enableAutoSave(true);
39
40
  const catalogClient$1 = new catalogClient.CatalogClient({ discoveryApi: env.discovery });
40
41
  const catalogDBClient = await database.DatabaseManager.fromConfig(env.config).forPlugin("catalog", { logger: env.logger, lifecycle: env.lifecycle }).getClient();
42
+ const defPermReader = new defaultPermissions.DefaultPermissionsReader(env.config);
41
43
  const rm = new roleManager.BackstageRoleManager(
42
44
  catalogClient$1,
43
45
  env.logger,
44
46
  catalogDBClient,
45
47
  databaseClient,
46
48
  env.config,
47
- env.auth
49
+ env.auth,
50
+ defPermReader
48
51
  );
49
52
  enf.setRoleManager(rm);
50
53
  enf.enableAutoBuildRoleLinks(false);
@@ -59,10 +62,19 @@ class PolicyBuilder {
59
62
  roleMetadataStorage,
60
63
  databaseClient
61
64
  );
65
+ const defPermSyncher = new defaultPermissions.DefaultPermissionsSyncher(
66
+ roleMetadataStorage,
67
+ enforcerDelegate$1,
68
+ defPermReader
69
+ );
70
+ await defPermSyncher.sync();
62
71
  env.permissionsRegistry.addResourceType({
63
72
  resourceRef: resource.permissionMetadataResourceRef,
64
73
  getResources: (resourceRefs) => Promise.all(
65
74
  resourceRefs.map((ref) => {
75
+ if (ref === roleMetadataStorage.getCachedDefaultRoleMetadata()?.roleEntityRef) {
76
+ return roleMetadataStorage.getCachedDefaultRoleMetadata();
77
+ }
66
78
  return roleMetadataStorage.findRoleMetadata(ref);
67
79
  })
68
80
  ),