@certd/plugin-cert 1.22.2 → 1.22.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +10 -0
- package/LICENSE +661 -0
- package/dist/plugin/cert-plugin/acme.d.ts +58 -54
- package/dist/plugin/cert-plugin/acme.js +213 -203
- package/dist/plugin/cert-plugin/base.js +259 -259
- package/dist/plugin/cert-plugin/cert-reader.js +45 -45
- package/dist/plugin/cert-plugin/index.d.ts +17 -16
- package/dist/plugin/cert-plugin/index.js +15 -1
- package/package.json +4 -4
- package/test/user.secret.js +7 -0
- package/tsconfig.tsbuildinfo +1 -0
|
@@ -1,54 +1,58 @@
|
|
|
1
|
-
import * as acme from "@certd/acme-client";
|
|
2
|
-
import { Logger } from "log4js";
|
|
3
|
-
import { IContext } from "@certd/pipeline";
|
|
4
|
-
import { IDnsProvider } from "../../dns-provider/index.js";
|
|
5
|
-
import { ClientExternalAccountBindingOptions } from "@certd/acme-client";
|
|
6
|
-
export type CertInfo = {
|
|
7
|
-
crt: string;
|
|
8
|
-
key: string;
|
|
9
|
-
csr: string;
|
|
10
|
-
};
|
|
11
|
-
export type SSLProvider = "letsencrypt" | "buypass" | "zerossl";
|
|
12
|
-
|
|
13
|
-
userContext: IContext;
|
|
14
|
-
logger: Logger;
|
|
15
|
-
sslProvider: SSLProvider;
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
*
|
|
37
|
-
*
|
|
38
|
-
* @param
|
|
39
|
-
* @param
|
|
40
|
-
* @
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
1
|
+
import * as acme from "@certd/acme-client";
|
|
2
|
+
import { Logger } from "log4js";
|
|
3
|
+
import { IContext } from "@certd/pipeline";
|
|
4
|
+
import { IDnsProvider } from "../../dns-provider/index.js";
|
|
5
|
+
import { ClientExternalAccountBindingOptions } from "@certd/acme-client";
|
|
6
|
+
export type CertInfo = {
|
|
7
|
+
crt: string;
|
|
8
|
+
key: string;
|
|
9
|
+
csr: string;
|
|
10
|
+
};
|
|
11
|
+
export type SSLProvider = "letsencrypt" | "buypass" | "zerossl";
|
|
12
|
+
type AcmeServiceOptions = {
|
|
13
|
+
userContext: IContext;
|
|
14
|
+
logger: Logger;
|
|
15
|
+
sslProvider: SSLProvider;
|
|
16
|
+
eab?: ClientExternalAccountBindingOptions;
|
|
17
|
+
skipLocalVerify?: boolean;
|
|
18
|
+
useMappingProxy?: boolean;
|
|
19
|
+
};
|
|
20
|
+
export declare class AcmeService {
|
|
21
|
+
options: AcmeServiceOptions;
|
|
22
|
+
userContext: IContext;
|
|
23
|
+
logger: Logger;
|
|
24
|
+
sslProvider: SSLProvider;
|
|
25
|
+
skipLocalVerify: boolean;
|
|
26
|
+
eab?: ClientExternalAccountBindingOptions;
|
|
27
|
+
constructor(options: AcmeServiceOptions);
|
|
28
|
+
getAccountConfig(email: string): Promise<any>;
|
|
29
|
+
buildAccountKey(email: string): string;
|
|
30
|
+
saveAccountConfig(email: string, conf: any): Promise<void>;
|
|
31
|
+
getAcmeClient(email: string, isTest?: boolean): Promise<acme.Client>;
|
|
32
|
+
createNewKey(): Promise<string>;
|
|
33
|
+
parseDomain(fullDomain: string): string;
|
|
34
|
+
challengeCreateFn(authz: any, challenge: any, keyAuthorization: string, dnsProvider: IDnsProvider): Promise<any>;
|
|
35
|
+
/**
|
|
36
|
+
* Function used to remove an ACME challenge response
|
|
37
|
+
*
|
|
38
|
+
* @param {object} authz Authorization object
|
|
39
|
+
* @param {object} challenge Selected challenge
|
|
40
|
+
* @param {string} keyAuthorization Authorization key
|
|
41
|
+
* @param recordItem challengeCreateFn create record item
|
|
42
|
+
* @param dnsProvider dnsProvider
|
|
43
|
+
* @returns {Promise}
|
|
44
|
+
*/
|
|
45
|
+
challengeRemoveFn(authz: any, challenge: any, keyAuthorization: string, recordItem: any, dnsProvider: IDnsProvider): Promise<void>;
|
|
46
|
+
order(options: {
|
|
47
|
+
email: string;
|
|
48
|
+
domains: string | string[];
|
|
49
|
+
dnsProvider: any;
|
|
50
|
+
csrInfo: any;
|
|
51
|
+
isTest?: boolean;
|
|
52
|
+
}): Promise<CertInfo>;
|
|
53
|
+
buildCommonNameByDomains(domains: string | string[]): {
|
|
54
|
+
commonName: string;
|
|
55
|
+
altNames: string[] | undefined;
|
|
56
|
+
};
|
|
57
|
+
}
|
|
58
|
+
export {};
|
|
@@ -1,203 +1,213 @@
|
|
|
1
|
-
// @ts-ignore
|
|
2
|
-
import * as acme from "@certd/acme-client";
|
|
3
|
-
import _ from "lodash-es";
|
|
4
|
-
import psl from "psl";
|
|
5
|
-
export class AcmeService {
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
this.
|
|
14
|
-
this.
|
|
15
|
-
this.
|
|
16
|
-
this.
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
}
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
}
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
const
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
});
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
this.logger.info(`
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
}
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
/*
|
|
161
|
-
const
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
}
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
}
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
1
|
+
// @ts-ignore
|
|
2
|
+
import * as acme from "@certd/acme-client";
|
|
3
|
+
import _ from "lodash-es";
|
|
4
|
+
import psl from "psl";
|
|
5
|
+
export class AcmeService {
|
|
6
|
+
options;
|
|
7
|
+
userContext;
|
|
8
|
+
logger;
|
|
9
|
+
sslProvider;
|
|
10
|
+
skipLocalVerify = true;
|
|
11
|
+
eab;
|
|
12
|
+
constructor(options) {
|
|
13
|
+
this.options = options;
|
|
14
|
+
this.userContext = options.userContext;
|
|
15
|
+
this.logger = options.logger;
|
|
16
|
+
this.sslProvider = options.sslProvider || "letsencrypt";
|
|
17
|
+
this.eab = options.eab;
|
|
18
|
+
this.skipLocalVerify = options.skipLocalVerify ?? false;
|
|
19
|
+
acme.setLogger((text) => {
|
|
20
|
+
this.logger.info(text);
|
|
21
|
+
});
|
|
22
|
+
}
|
|
23
|
+
async getAccountConfig(email) {
|
|
24
|
+
return (await this.userContext.getObj(this.buildAccountKey(email))) || {};
|
|
25
|
+
}
|
|
26
|
+
buildAccountKey(email) {
|
|
27
|
+
return `acme.config.${this.sslProvider}.${email}`;
|
|
28
|
+
}
|
|
29
|
+
async saveAccountConfig(email, conf) {
|
|
30
|
+
await this.userContext.setObj(this.buildAccountKey(email), conf);
|
|
31
|
+
}
|
|
32
|
+
async getAcmeClient(email, isTest = false) {
|
|
33
|
+
const conf = await this.getAccountConfig(email);
|
|
34
|
+
if (conf.key == null) {
|
|
35
|
+
conf.key = await this.createNewKey();
|
|
36
|
+
await this.saveAccountConfig(email, conf);
|
|
37
|
+
}
|
|
38
|
+
let directoryUrl = "";
|
|
39
|
+
if (isTest) {
|
|
40
|
+
directoryUrl = acme.directory[this.sslProvider].staging;
|
|
41
|
+
}
|
|
42
|
+
else {
|
|
43
|
+
directoryUrl = acme.directory[this.sslProvider].production;
|
|
44
|
+
}
|
|
45
|
+
const urlMapping = { enabled: false, mappings: {} };
|
|
46
|
+
if (this.options.useMappingProxy) {
|
|
47
|
+
urlMapping.enabled = true;
|
|
48
|
+
urlMapping.mappings = {
|
|
49
|
+
"acme-v02.api.letsencrypt.org": "letsencrypt.proxy.handsfree.work",
|
|
50
|
+
};
|
|
51
|
+
}
|
|
52
|
+
const client = new acme.Client({
|
|
53
|
+
directoryUrl: directoryUrl,
|
|
54
|
+
accountKey: conf.key,
|
|
55
|
+
accountUrl: conf.accountUrl,
|
|
56
|
+
externalAccountBinding: this.eab,
|
|
57
|
+
backoffAttempts: 30,
|
|
58
|
+
backoffMin: 5000,
|
|
59
|
+
backoffMax: 10000,
|
|
60
|
+
urlMapping,
|
|
61
|
+
});
|
|
62
|
+
if (conf.accountUrl == null) {
|
|
63
|
+
const accountPayload = {
|
|
64
|
+
termsOfServiceAgreed: true,
|
|
65
|
+
contact: [`mailto:${email}`],
|
|
66
|
+
externalAccountBinding: this.eab,
|
|
67
|
+
};
|
|
68
|
+
await client.createAccount(accountPayload);
|
|
69
|
+
conf.accountUrl = client.getAccountUrl();
|
|
70
|
+
await this.saveAccountConfig(email, conf);
|
|
71
|
+
}
|
|
72
|
+
return client;
|
|
73
|
+
}
|
|
74
|
+
async createNewKey() {
|
|
75
|
+
const key = await acme.forge.createPrivateKey();
|
|
76
|
+
return key.toString();
|
|
77
|
+
}
|
|
78
|
+
parseDomain(fullDomain) {
|
|
79
|
+
const parsed = psl.parse(fullDomain);
|
|
80
|
+
if (parsed.error) {
|
|
81
|
+
throw new Error(`解析${fullDomain}域名失败:` + JSON.stringify(parsed.error));
|
|
82
|
+
}
|
|
83
|
+
return parsed.domain;
|
|
84
|
+
}
|
|
85
|
+
async challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider) {
|
|
86
|
+
this.logger.info("Triggered challengeCreateFn()");
|
|
87
|
+
/* http-01 */
|
|
88
|
+
const fullDomain = authz.identifier.value;
|
|
89
|
+
if (challenge.type === "http-01") {
|
|
90
|
+
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
|
|
91
|
+
const fileContents = keyAuthorization;
|
|
92
|
+
this.logger.info(`Creating challenge response for ${fullDomain} at path: ${filePath}`);
|
|
93
|
+
/* Replace this */
|
|
94
|
+
this.logger.info(`Would write "${fileContents}" to path "${filePath}"`);
|
|
95
|
+
// await fs.writeFileAsync(filePath, fileContents);
|
|
96
|
+
}
|
|
97
|
+
else if (challenge.type === "dns-01") {
|
|
98
|
+
/* dns-01 */
|
|
99
|
+
const dnsRecord = `_acme-challenge.${fullDomain}`;
|
|
100
|
+
const recordValue = keyAuthorization;
|
|
101
|
+
this.logger.info(`Creating TXT record for ${fullDomain}: ${dnsRecord}`);
|
|
102
|
+
/* Replace this */
|
|
103
|
+
this.logger.info(`Would create TXT record "${dnsRecord}" with value "${recordValue}"`);
|
|
104
|
+
const domain = this.parseDomain(fullDomain);
|
|
105
|
+
this.logger.info("解析到域名domain=", domain);
|
|
106
|
+
return await dnsProvider.createRecord({
|
|
107
|
+
fullRecord: dnsRecord,
|
|
108
|
+
type: "TXT",
|
|
109
|
+
value: recordValue,
|
|
110
|
+
domain,
|
|
111
|
+
});
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
/**
|
|
115
|
+
* Function used to remove an ACME challenge response
|
|
116
|
+
*
|
|
117
|
+
* @param {object} authz Authorization object
|
|
118
|
+
* @param {object} challenge Selected challenge
|
|
119
|
+
* @param {string} keyAuthorization Authorization key
|
|
120
|
+
* @param recordItem challengeCreateFn create record item
|
|
121
|
+
* @param dnsProvider dnsProvider
|
|
122
|
+
* @returns {Promise}
|
|
123
|
+
*/
|
|
124
|
+
async challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider) {
|
|
125
|
+
this.logger.info("Triggered challengeRemoveFn()");
|
|
126
|
+
/* http-01 */
|
|
127
|
+
const fullDomain = authz.identifier.value;
|
|
128
|
+
if (challenge.type === "http-01") {
|
|
129
|
+
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
|
|
130
|
+
this.logger.info(`Removing challenge response for ${fullDomain} at path: ${filePath}`);
|
|
131
|
+
/* Replace this */
|
|
132
|
+
this.logger.info(`Would remove file on path "${filePath}"`);
|
|
133
|
+
// await fs.unlinkAsync(filePath);
|
|
134
|
+
}
|
|
135
|
+
else if (challenge.type === "dns-01") {
|
|
136
|
+
const dnsRecord = `_acme-challenge.${fullDomain}`;
|
|
137
|
+
const recordValue = keyAuthorization;
|
|
138
|
+
this.logger.info(`Removing TXT record for ${fullDomain}: ${dnsRecord}`);
|
|
139
|
+
/* Replace this */
|
|
140
|
+
this.logger.info(`Would remove TXT record "${dnsRecord}" with value "${recordValue}"`);
|
|
141
|
+
const domain = this.parseDomain(fullDomain);
|
|
142
|
+
try {
|
|
143
|
+
await dnsProvider.removeRecord({
|
|
144
|
+
fullRecord: dnsRecord,
|
|
145
|
+
type: "TXT",
|
|
146
|
+
value: keyAuthorization,
|
|
147
|
+
record: recordItem,
|
|
148
|
+
domain,
|
|
149
|
+
});
|
|
150
|
+
}
|
|
151
|
+
catch (e) {
|
|
152
|
+
this.logger.error("删除解析记录出错:", e);
|
|
153
|
+
throw e;
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
async order(options) {
|
|
158
|
+
const { email, isTest, domains, csrInfo, dnsProvider } = options;
|
|
159
|
+
const client = await this.getAcmeClient(email, isTest);
|
|
160
|
+
/* Create CSR */
|
|
161
|
+
const { commonName, altNames } = this.buildCommonNameByDomains(domains);
|
|
162
|
+
const [key, csr] = await acme.forge.createCsr({
|
|
163
|
+
commonName,
|
|
164
|
+
...csrInfo,
|
|
165
|
+
altNames,
|
|
166
|
+
});
|
|
167
|
+
if (dnsProvider == null) {
|
|
168
|
+
throw new Error("dnsProvider 不能为空");
|
|
169
|
+
}
|
|
170
|
+
/* 自动申请证书 */
|
|
171
|
+
const crt = await client.auto({
|
|
172
|
+
csr,
|
|
173
|
+
email: email,
|
|
174
|
+
termsOfServiceAgreed: true,
|
|
175
|
+
skipChallengeVerification: this.skipLocalVerify,
|
|
176
|
+
challengePriority: ["dns-01"],
|
|
177
|
+
challengeCreateFn: async (authz, challenge, keyAuthorization) => {
|
|
178
|
+
return await this.challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider);
|
|
179
|
+
},
|
|
180
|
+
challengeRemoveFn: async (authz, challenge, keyAuthorization, recordItem) => {
|
|
181
|
+
return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider);
|
|
182
|
+
},
|
|
183
|
+
});
|
|
184
|
+
const cert = {
|
|
185
|
+
crt: crt.toString(),
|
|
186
|
+
key: key.toString(),
|
|
187
|
+
csr: csr.toString(),
|
|
188
|
+
};
|
|
189
|
+
/* Done */
|
|
190
|
+
this.logger.debug(`CSR:\n${cert.csr}`);
|
|
191
|
+
this.logger.debug(`Certificate:\n${cert.crt}`);
|
|
192
|
+
this.logger.info("证书申请成功");
|
|
193
|
+
return cert;
|
|
194
|
+
}
|
|
195
|
+
buildCommonNameByDomains(domains) {
|
|
196
|
+
if (typeof domains === "string") {
|
|
197
|
+
domains = domains.split(",");
|
|
198
|
+
}
|
|
199
|
+
if (domains.length === 0) {
|
|
200
|
+
throw new Error("domain can not be empty");
|
|
201
|
+
}
|
|
202
|
+
const commonName = domains[0];
|
|
203
|
+
let altNames = undefined;
|
|
204
|
+
if (domains.length > 1) {
|
|
205
|
+
altNames = _.slice(domains, 1);
|
|
206
|
+
}
|
|
207
|
+
return {
|
|
208
|
+
commonName,
|
|
209
|
+
altNames,
|
|
210
|
+
};
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNtZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9wbHVnaW4vY2VydC1wbHVnaW4vYWNtZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxhQUFhO0FBQ2IsT0FBTyxLQUFLLElBQUksTUFBTSxvQkFBb0IsQ0FBQztBQUMzQyxPQUFPLENBQUMsTUFBTSxXQUFXLENBQUM7QUFLMUIsT0FBTyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBa0J0QixNQUFNLE9BQU8sV0FBVztJQUN0QixPQUFPLENBQXFCO0lBQzVCLFdBQVcsQ0FBVztJQUN0QixNQUFNLENBQVM7SUFDZixXQUFXLENBQWM7SUFDekIsZUFBZSxHQUFHLElBQUksQ0FBQztJQUN2QixHQUFHLENBQXVDO0lBQzFDLFlBQVksT0FBMkI7UUFDckMsSUFBSSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDdkIsSUFBSSxDQUFDLFdBQVcsR0FBRyxPQUFPLENBQUMsV0FBVyxDQUFDO1FBQ3ZDLElBQUksQ0FBQyxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQztRQUM3QixJQUFJLENBQUMsV0FBVyxHQUFHLE9BQU8sQ0FBQyxXQUFXLElBQUksYUFBYSxDQUFDO1FBQ3hELElBQUksQ0FBQyxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQztRQUN2QixJQUFJLENBQUMsZUFBZSxHQUFHLE9BQU8sQ0FBQyxlQUFlLElBQUksS0FBSyxDQUFDO1FBQ3hELElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQyxJQUFZLEVBQUUsRUFBRTtZQUM5QixJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN6QixDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxLQUFLLENBQUMsZ0JBQWdCLENBQUMsS0FBYTtRQUNsQyxPQUFPLENBQUMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7SUFDNUUsQ0FBQztJQUVELGVBQWUsQ0FBQyxLQUFhO1FBQzNCLE9BQU8sZUFBZSxJQUFJLENBQUMsV0FBVyxJQUFJLEtBQUssRUFBRSxDQUFDO0lBQ3BELENBQUM7SUFFRCxLQUFLLENBQUMsaUJBQWlCLENBQUMsS0FBYSxFQUFFLElBQVM7UUFDOUMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxFQUFFLElBQUksQ0FBQyxDQUFDO0lBQ25FLENBQUM7SUFFRCxLQUFLLENBQUMsYUFBYSxDQUFDLEtBQWEsRUFBRSxNQUFNLEdBQUcsS0FBSztRQUMvQyxNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNoRCxJQUFJLElBQUksQ0FBQyxHQUFHLElBQUksSUFBSSxFQUFFO1lBQ3BCLElBQUksQ0FBQyxHQUFHLEdBQUcsTUFBTSxJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDckMsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxDQUFDO1NBQzNDO1FBQ0QsSUFBSSxZQUFZLEdBQUcsRUFBRSxDQUFDO1FBQ3RCLElBQUksTUFBTSxFQUFFO1lBQ1YsWUFBWSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLE9BQU8sQ0FBQztTQUN6RDthQUFNO1lBQ0wsWUFBWSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLFVBQVUsQ0FBQztTQUM1RDtRQUNELE1BQU0sVUFBVSxHQUFlLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxRQUFRLEVBQUUsRUFBRSxFQUFFLENBQUM7UUFDaEUsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRTtZQUNoQyxVQUFVLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQztZQUMxQixVQUFVLENBQUMsUUFBUSxHQUFHO2dCQUNwQiw4QkFBOEIsRUFBRSxrQ0FBa0M7YUFDbkUsQ0FBQztTQUNIO1FBQ0QsTUFBTSxNQUFNLEdBQUcsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDO1lBQzdCLFlBQVksRUFBRSxZQUFZO1lBQzFCLFVBQVUsRUFBRSxJQUFJLENBQUMsR0FBRztZQUNwQixVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVU7WUFDM0Isc0JBQXNCLEVBQUUsSUFBSSxDQUFDLEdBQUc7WUFDaEMsZUFBZSxFQUFFLEVBQUU7WUFDbkIsVUFBVSxFQUFFLElBQUk7WUFDaEIsVUFBVSxFQUFFLEtBQUs7WUFDakIsVUFBVTtTQUNYLENBQUMsQ0FBQztRQUVILElBQUksSUFBSSxDQUFDLFVBQVUsSUFBSSxJQUFJLEVBQUU7WUFDM0IsTUFBTSxjQUFjLEdBQUc7Z0JBQ3JCLG9CQUFvQixFQUFFLElBQUk7Z0JBQzFCLE9BQU8sRUFBRSxDQUFDLFVBQVUsS0FBSyxFQUFFLENBQUM7Z0JBQzVCLHNCQUFzQixFQUFFLElBQUksQ0FBQyxHQUFHO2FBQ2pDLENBQUM7WUFDRixNQUFNLE1BQU0sQ0FBQyxhQUFhLENBQUMsY0FBYyxDQUFDLENBQUM7WUFDM0MsSUFBSSxDQUFDLFVBQVUsR0FBRyxNQUFNLENBQUMsYUFBYSxFQUFFLENBQUM7WUFDekMsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxDQUFDO1NBQzNDO1FBQ0QsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUVELEtBQUssQ0FBQyxZQUFZO1FBQ2hCLE1BQU0sR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLEtBQUssQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1FBQ2hELE9BQU8sR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO0lBQ3hCLENBQUM7SUFFRCxXQUFXLENBQUMsVUFBa0I7UUFDNUIsTUFBTSxNQUFNLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQXFCLENBQUM7UUFDekQsSUFBSSxNQUFNLENBQUMsS0FBSyxFQUFFO1lBQ2hCLE1BQU0sSUFBSSxLQUFLLENBQUMsS0FBSyxVQUFVLE9BQU8sR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDO1NBQ3hFO1FBQ0QsT0FBTyxNQUFNLENBQUMsTUFBZ0IsQ0FBQztJQUNqQyxDQUFDO0lBQ0QsS0FBSyxDQUFDLGlCQUFpQixDQUFDLEtBQVUsRUFBRSxTQUFjLEVBQUUsZ0JBQXdCLEVBQUUsV0FBeUI7UUFDckcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsK0JBQStCLENBQUMsQ0FBQztRQUVsRCxhQUFhO1FBQ2IsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUM7UUFDMUMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRTtZQUNoQyxNQUFNLFFBQVEsR0FBRyw0Q0FBNEMsU0FBUyxDQUFDLEtBQUssRUFBRSxDQUFDO1lBQy9FLE1BQU0sWUFBWSxHQUFHLGdCQUFnQixDQUFDO1lBRXRDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLG1DQUFtQyxVQUFVLGFBQWEsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUV2RixrQkFBa0I7WUFDbEIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLFlBQVksY0FBYyxRQUFRLEdBQUcsQ0FBQyxDQUFDO1lBQ3hFLG1EQUFtRDtTQUNwRDthQUFNLElBQUksU0FBUyxDQUFDLElBQUksS0FBSyxRQUFRLEVBQUU7WUFDdEMsWUFBWTtZQUNaLE1BQU0sU0FBUyxHQUFHLG1CQUFtQixVQUFVLEVBQUUsQ0FBQztZQUNsRCxNQUFNLFdBQVcsR0FBRyxnQkFBZ0IsQ0FBQztZQUVyQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQywyQkFBMkIsVUFBVSxLQUFLLFNBQVMsRUFBRSxDQUFDLENBQUM7WUFDeEUsa0JBQWtCO1lBQ2xCLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLDRCQUE0QixTQUFTLGlCQUFpQixXQUFXLEdBQUcsQ0FBQyxDQUFDO1lBRXZGLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsVUFBVSxDQUFDLENBQUM7WUFDNUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1lBQ3pDLE9BQU8sTUFBTSxXQUFXLENBQUMsWUFBWSxDQUFDO2dCQUNwQyxVQUFVLEVBQUUsU0FBUztnQkFDckIsSUFBSSxFQUFFLEtBQUs7Z0JBQ1gsS0FBSyxFQUFFLFdBQVc7Z0JBQ2xCLE1BQU07YUFDUCxDQUFDLENBQUM7U0FDSjtJQUNILENBQUM7SUFFRDs7Ozs7Ozs7O09BU0c7SUFFSCxLQUFLLENBQUMsaUJBQWlCLENBQUMsS0FBVSxFQUFFLFNBQWMsRUFBRSxnQkFBd0IsRUFBRSxVQUFlLEVBQUUsV0FBeUI7UUFDdEgsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsK0JBQStCLENBQUMsQ0FBQztRQUVsRCxhQUFhO1FBQ2IsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUM7UUFDMUMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRTtZQUNoQyxNQUFNLFFBQVEsR0FBRyw0Q0FBNEMsU0FBUyxDQUFDLEtBQUssRUFBRSxDQUFDO1lBRS9FLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLG1DQUFtQyxVQUFVLGFBQWEsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUV2RixrQkFBa0I7WUFDbEIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsOEJBQThCLFFBQVEsR0FBRyxDQUFDLENBQUM7WUFDNUQsa0NBQWtDO1NBQ25DO2FBQU0sSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFFBQVEsRUFBRTtZQUN0QyxNQUFNLFNBQVMsR0FBRyxtQkFBbUIsVUFBVSxFQUFFLENBQUM7WUFDbEQsTUFBTSxXQUFXLEdBQUcsZ0JBQWdCLENBQUM7WUFFckMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsMkJBQTJCLFVBQVUsS0FBSyxTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBRXhFLGtCQUFrQjtZQUNsQixJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyw0QkFBNEIsU0FBUyxpQkFBaUIsV0FBVyxHQUFHLENBQUMsQ0FBQztZQUV2RixNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLFVBQVUsQ0FBQyxDQUFDO1lBRTVDLElBQUk7Z0JBQ0YsTUFBTSxXQUFXLENBQUMsWUFBWSxDQUFDO29CQUM3QixVQUFVLEVBQUUsU0FBUztvQkFDckIsSUFBSSxFQUFFLEtBQUs7b0JBQ1gsS0FBSyxFQUFFLGdCQUFnQjtvQkFDdkIsTUFBTSxFQUFFLFVBQVU7b0JBQ2xCLE1BQU07aUJBQ1AsQ0FBQyxDQUFDO2FBQ0o7WUFBQyxPQUFPLENBQUMsRUFBRTtnQkFDVixJQUFJLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUM7Z0JBQ2xDLE1BQU0sQ0FBQyxDQUFDO2FBQ1Q7U0FDRjtJQUNILENBQUM7SUFFRCxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQXdHO1FBQ2xILE1BQU0sRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxPQUFPLEVBQUUsV0FBVyxFQUFFLEdBQUcsT0FBTyxDQUFDO1FBQ2pFLE1BQU0sTUFBTSxHQUFnQixNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsS0FBSyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRXBFLGdCQUFnQjtRQUNoQixNQUFNLEVBQUUsVUFBVSxFQUFFLFFBQVEsRUFBRSxHQUFHLElBQUksQ0FBQyx3QkFBd0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUV4RSxNQUFNLENBQUMsR0FBRyxFQUFFLEdBQUcsQ0FBQyxHQUFHLE1BQU0sSUFBSSxDQUFDLEtBQUssQ0FBQyxTQUFTLENBQUM7WUFDNUMsVUFBVTtZQUNWLEdBQUcsT0FBTztZQUNWLFFBQVE7U0FDVCxDQUFDLENBQUM7UUFDSCxJQUFJLFdBQVcsSUFBSSxJQUFJLEVBQUU7WUFDdkIsTUFBTSxJQUFJLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO1NBQ3JDO1FBQ0QsWUFBWTtRQUNaLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLElBQUksQ0FBQztZQUM1QixHQUFHO1lBQ0gsS0FBSyxFQUFFLEtBQUs7WUFDWixvQkFBb0IsRUFBRSxJQUFJO1lBQzFCLHlCQUF5QixFQUFFLElBQUksQ0FBQyxlQUFlO1lBQy9DLGlCQUFpQixFQUFFLENBQUMsUUFBUSxDQUFDO1lBQzdCLGlCQUFpQixFQUFFLEtBQUssRUFBRSxLQUF5QixFQUFFLFNBQW9CLEVBQUUsZ0JBQXdCLEVBQWdCLEVBQUU7Z0JBQ25ILE9BQU8sTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxXQUFXLENBQUMsQ0FBQztZQUN2RixDQUFDO1lBQ0QsaUJBQWlCLEVBQUUsS0FBSyxFQUFFLEtBQXlCLEVBQUUsU0FBb0IsRUFBRSxnQkFBd0IsRUFBRSxVQUFlLEVBQWdCLEVBQUU7Z0JBQ3BJLE9BQU8sTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxVQUFVLEVBQUUsV0FBVyxDQUFDLENBQUM7WUFDbkcsQ0FBQztTQUNGLENBQUMsQ0FBQztRQUVILE1BQU0sSUFBSSxHQUFhO1lBQ3JCLEdBQUcsRUFBRSxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ25CLEdBQUcsRUFBRSxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ25CLEdBQUcsRUFBRSxHQUFHLENBQUMsUUFBUSxFQUFFO1NBQ3BCLENBQUM7UUFDRixVQUFVO1FBQ1YsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsU0FBUyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUN2QyxJQUFJLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDL0MsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDM0IsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsd0JBQXdCLENBQUMsT0FBMEI7UUFJakQsSUFBSSxPQUFPLE9BQU8sS0FBSyxRQUFRLEVBQUU7WUFDL0IsT0FBTyxHQUFHLE9BQU8sQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7U0FDOUI7UUFDRCxJQUFJLE9BQU8sQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFO1lBQ3hCLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztTQUM1QztRQUNELE1BQU0sVUFBVSxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM5QixJQUFJLFFBQVEsR0FBeUIsU0FBUyxDQUFDO1FBQy9DLElBQUksT0FBTyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUU7WUFDdEIsUUFBUSxHQUFHLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQyxDQUFDO1NBQ2hDO1FBQ0QsT0FBTztZQUNMLFVBQVU7WUFDVixRQUFRO1NBQ1QsQ0FBQztJQUNKLENBQUM7Q0FDRiJ9
|