@certd/plugin-cert 1.22.5 → 1.22.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +10 -0
- package/dist/access/eab-access.js +46 -46
- package/dist/dns-provider/api.js +1 -1
- package/dist/dns-provider/decorator.js +26 -26
- package/dist/dns-provider/registry.js +2 -2
- package/dist/plugin/cert-plugin/acme.js +213 -213
- package/dist/plugin/cert-plugin/base.js +260 -259
- package/dist/plugin/cert-plugin/index.js +186 -186
- package/dist/plugin/cert-plugin/lego/dns.d.ts +1 -1
- package/dist/plugin/cert-plugin/lego/dns.js +1 -1
- package/dist/plugin/cert-plugin/lego/index.js +171 -171
- package/package.json +4 -4
- package/tsconfig.tsbuildinfo +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -3,6 +3,16 @@
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
|
|
5
5
|
|
|
6
|
+
## [1.22.7](https://github.com/certd/certd/compare/v1.22.6...v1.22.7) (2024-08-04)
|
|
7
|
+
|
|
8
|
+
**Note:** Version bump only for package @certd/plugin-cert
|
|
9
|
+
|
|
10
|
+
## [1.22.6](https://github.com/certd/certd/compare/v1.22.5...v1.22.6) (2024-08-03)
|
|
11
|
+
|
|
12
|
+
### Performance Improvements
|
|
13
|
+
|
|
14
|
+
* 流水线支持名称模糊查询 ([59897c4](https://github.com/certd/certd/commit/59897c4ceae992ebe2972ca9e8f9196616ffdfd7))
|
|
15
|
+
|
|
6
16
|
## [1.22.5](https://github.com/certd/certd/compare/v1.22.4...v1.22.5) (2024-07-26)
|
|
7
17
|
|
|
8
18
|
**Note:** Version bump only for package @certd/plugin-cert
|
|
@@ -1,46 +1,46 @@
|
|
|
1
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
-
};
|
|
7
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
-
};
|
|
10
|
-
import { IsAccess, AccessInput } from "@certd/pipeline";
|
|
11
|
-
let EabAccess = class EabAccess {
|
|
12
|
-
kid = "";
|
|
13
|
-
hmacKey = "";
|
|
14
|
-
};
|
|
15
|
-
__decorate([
|
|
16
|
-
AccessInput({
|
|
17
|
-
title: "KID",
|
|
18
|
-
component: {
|
|
19
|
-
placeholder: "kid",
|
|
20
|
-
},
|
|
21
|
-
helper: "EAB KID",
|
|
22
|
-
required: true,
|
|
23
|
-
}),
|
|
24
|
-
__metadata("design:type", Object)
|
|
25
|
-
], EabAccess.prototype, "kid", void 0);
|
|
26
|
-
__decorate([
|
|
27
|
-
AccessInput({
|
|
28
|
-
title: "HMACKey",
|
|
29
|
-
component: {
|
|
30
|
-
placeholder: "HMAC Key",
|
|
31
|
-
},
|
|
32
|
-
helper: "EAB HMAC Key",
|
|
33
|
-
required: true,
|
|
34
|
-
}),
|
|
35
|
-
__metadata("design:type", Object)
|
|
36
|
-
], EabAccess.prototype, "hmacKey", void 0);
|
|
37
|
-
EabAccess = __decorate([
|
|
38
|
-
IsAccess({
|
|
39
|
-
name: "eab",
|
|
40
|
-
title: "EAB授权",
|
|
41
|
-
desc: "ZeroSSL证书申请需要EAB授权",
|
|
42
|
-
})
|
|
43
|
-
], EabAccess);
|
|
44
|
-
export { EabAccess };
|
|
45
|
-
new EabAccess();
|
|
46
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
1
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
2
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
3
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
4
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
5
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
6
|
+
};
|
|
7
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
8
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
9
|
+
};
|
|
10
|
+
import { IsAccess, AccessInput } from "@certd/pipeline";
|
|
11
|
+
let EabAccess = class EabAccess {
|
|
12
|
+
kid = "";
|
|
13
|
+
hmacKey = "";
|
|
14
|
+
};
|
|
15
|
+
__decorate([
|
|
16
|
+
AccessInput({
|
|
17
|
+
title: "KID",
|
|
18
|
+
component: {
|
|
19
|
+
placeholder: "kid",
|
|
20
|
+
},
|
|
21
|
+
helper: "EAB KID",
|
|
22
|
+
required: true,
|
|
23
|
+
}),
|
|
24
|
+
__metadata("design:type", Object)
|
|
25
|
+
], EabAccess.prototype, "kid", void 0);
|
|
26
|
+
__decorate([
|
|
27
|
+
AccessInput({
|
|
28
|
+
title: "HMACKey",
|
|
29
|
+
component: {
|
|
30
|
+
placeholder: "HMAC Key",
|
|
31
|
+
},
|
|
32
|
+
helper: "EAB HMAC Key",
|
|
33
|
+
required: true,
|
|
34
|
+
}),
|
|
35
|
+
__metadata("design:type", Object)
|
|
36
|
+
], EabAccess.prototype, "hmacKey", void 0);
|
|
37
|
+
EabAccess = __decorate([
|
|
38
|
+
IsAccess({
|
|
39
|
+
name: "eab",
|
|
40
|
+
title: "EAB授权",
|
|
41
|
+
desc: "ZeroSSL证书申请需要EAB授权",
|
|
42
|
+
})
|
|
43
|
+
], EabAccess);
|
|
44
|
+
export { EabAccess };
|
|
45
|
+
new EabAccess();
|
|
46
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWFiLWFjY2Vzcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9hY2Nlc3MvZWFiLWFjY2Vzcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7QUFBQSxPQUFPLEVBQUUsUUFBUSxFQUFFLFdBQVcsRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBT2pELElBQU0sU0FBUyxHQUFmLE1BQU0sU0FBUztJQVNwQixHQUFHLEdBQUcsRUFBRSxDQUFDO0lBU1QsT0FBTyxHQUFHLEVBQUUsQ0FBQztDQUNkLENBQUE7QUFsQkM7SUFBQyxXQUFXLENBQUM7UUFDWCxLQUFLLEVBQUUsS0FBSztRQUNaLFNBQVMsRUFBRTtZQUNULFdBQVcsRUFBRSxLQUFLO1NBQ25CO1FBQ0QsTUFBTSxFQUFFLFNBQVM7UUFDakIsUUFBUSxFQUFFLElBQUk7S0FDZixDQUFDOztzQ0FDTztBQUNUO0lBQUMsV0FBVyxDQUFDO1FBQ1gsS0FBSyxFQUFFLFNBQVM7UUFDaEIsU0FBUyxFQUFFO1lBQ1QsV0FBVyxFQUFFLFVBQVU7U0FDeEI7UUFDRCxNQUFNLEVBQUUsY0FBYztRQUN0QixRQUFRLEVBQUUsSUFBSTtLQUNmLENBQUM7OzBDQUNXO0FBbEJGLFNBQVM7SUFMckIsUUFBUSxDQUFDO1FBQ1IsSUFBSSxFQUFFLEtBQUs7UUFDWCxLQUFLLEVBQUUsT0FBTztRQUNkLElBQUksRUFBRSxvQkFBb0I7S0FDM0IsQ0FBQztHQUNXLFNBQVMsQ0FtQnJCO1NBbkJZLFNBQVM7QUFxQnRCLElBQUksU0FBUyxFQUFFLENBQUMifQ==
|
package/dist/dns-provider/api.js
CHANGED
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
export {};
|
|
1
|
+
export {};
|
|
2
2
|
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBpLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2Rucy1wcm92aWRlci9hcGkudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9
|
|
@@ -1,26 +1,26 @@
|
|
|
1
|
-
import { dnsProviderRegistry } from "./registry.js";
|
|
2
|
-
import { Decorator, AUTOWIRE_KEY } from "@certd/pipeline";
|
|
3
|
-
import _ from "lodash-es";
|
|
4
|
-
// 提供一个唯一 key
|
|
5
|
-
export const DNS_PROVIDER_CLASS_KEY = "pipeline:dns-provider";
|
|
6
|
-
export function IsDnsProvider(define) {
|
|
7
|
-
return (target) => {
|
|
8
|
-
target = Decorator.target(target);
|
|
9
|
-
const autowires = {};
|
|
10
|
-
const properties = Decorator.getClassProperties(target);
|
|
11
|
-
for (const property in properties) {
|
|
12
|
-
const autowire = Reflect.getMetadata(AUTOWIRE_KEY, target, property);
|
|
13
|
-
if (autowire) {
|
|
14
|
-
autowires[property] = autowire;
|
|
15
|
-
}
|
|
16
|
-
}
|
|
17
|
-
_.merge(define, { autowire: autowires });
|
|
18
|
-
Reflect.defineMetadata(DNS_PROVIDER_CLASS_KEY, define, target);
|
|
19
|
-
target.define = define;
|
|
20
|
-
dnsProviderRegistry.register(define.name, {
|
|
21
|
-
define,
|
|
22
|
-
target,
|
|
23
|
-
});
|
|
24
|
-
};
|
|
25
|
-
}
|
|
26
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
1
|
+
import { dnsProviderRegistry } from "./registry.js";
|
|
2
|
+
import { Decorator, AUTOWIRE_KEY } from "@certd/pipeline";
|
|
3
|
+
import _ from "lodash-es";
|
|
4
|
+
// 提供一个唯一 key
|
|
5
|
+
export const DNS_PROVIDER_CLASS_KEY = "pipeline:dns-provider";
|
|
6
|
+
export function IsDnsProvider(define) {
|
|
7
|
+
return (target) => {
|
|
8
|
+
target = Decorator.target(target);
|
|
9
|
+
const autowires = {};
|
|
10
|
+
const properties = Decorator.getClassProperties(target);
|
|
11
|
+
for (const property in properties) {
|
|
12
|
+
const autowire = Reflect.getMetadata(AUTOWIRE_KEY, target, property);
|
|
13
|
+
if (autowire) {
|
|
14
|
+
autowires[property] = autowire;
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
_.merge(define, { autowire: autowires });
|
|
18
|
+
Reflect.defineMetadata(DNS_PROVIDER_CLASS_KEY, define, target);
|
|
19
|
+
target.define = define;
|
|
20
|
+
dnsProviderRegistry.register(define.name, {
|
|
21
|
+
define,
|
|
22
|
+
target,
|
|
23
|
+
});
|
|
24
|
+
};
|
|
25
|
+
}
|
|
26
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZGVjb3JhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2Rucy1wcm92aWRlci9kZWNvcmF0b3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLG1CQUFtQixFQUFFLE1BQU0sZUFBZSxDQUFDO0FBRXBELE9BQU8sRUFBRSxTQUFTLEVBQUUsWUFBWSxFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFDMUQsT0FBTyxDQUFDLE1BQU0sV0FBVyxDQUFDO0FBRTFCLGFBQWE7QUFDYixNQUFNLENBQUMsTUFBTSxzQkFBc0IsR0FBRyx1QkFBdUIsQ0FBQztBQUU5RCxNQUFNLFVBQVUsYUFBYSxDQUFDLE1BQXlCO0lBQ3JELE9BQU8sQ0FBQyxNQUFXLEVBQUUsRUFBRTtRQUNyQixNQUFNLEdBQUcsU0FBUyxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNsQyxNQUFNLFNBQVMsR0FBUSxFQUFFLENBQUM7UUFDMUIsTUFBTSxVQUFVLEdBQUcsU0FBUyxDQUFDLGtCQUFrQixDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3hELEtBQUssTUFBTSxRQUFRLElBQUksVUFBVSxFQUFFO1lBQ2pDLE1BQU0sUUFBUSxHQUFHLE9BQU8sQ0FBQyxXQUFXLENBQUMsWUFBWSxFQUFFLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztZQUNyRSxJQUFJLFFBQVEsRUFBRTtnQkFDWixTQUFTLENBQUMsUUFBUSxDQUFDLEdBQUcsUUFBUSxDQUFDO2FBQ2hDO1NBQ0Y7UUFDRCxDQUFDLENBQUMsS0FBSyxDQUFDLE1BQU0sRUFBRSxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsQ0FBQyxDQUFDO1FBRXpDLE9BQU8sQ0FBQyxjQUFjLENBQUMsc0JBQXNCLEVBQUUsTUFBTSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRS9ELE1BQU0sQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDO1FBQ3ZCLG1CQUFtQixDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsSUFBSSxFQUFFO1lBQ3hDLE1BQU07WUFDTixNQUFNO1NBQ1AsQ0FBQyxDQUFDO0lBQ0wsQ0FBQyxDQUFDO0FBQ0osQ0FBQyJ9
|
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
import { Registry } from "@certd/pipeline";
|
|
2
|
-
export const dnsProviderRegistry = new Registry("dnsProvider");
|
|
1
|
+
import { Registry } from "@certd/pipeline";
|
|
2
|
+
export const dnsProviderRegistry = new Registry("dnsProvider");
|
|
3
3
|
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicmVnaXN0cnkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvZG5zLXByb3ZpZGVyL3JlZ2lzdHJ5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxRQUFRLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQztBQUUzQyxNQUFNLENBQUMsTUFBTSxtQkFBbUIsR0FBRyxJQUFJLFFBQVEsQ0FBQyxhQUFhLENBQUMsQ0FBQyJ9
|
|
@@ -1,213 +1,213 @@
|
|
|
1
|
-
// @ts-ignore
|
|
2
|
-
import * as acme from "@certd/acme-client";
|
|
3
|
-
import _ from "lodash-es";
|
|
4
|
-
import psl from "psl";
|
|
5
|
-
export class AcmeService {
|
|
6
|
-
options;
|
|
7
|
-
userContext;
|
|
8
|
-
logger;
|
|
9
|
-
sslProvider;
|
|
10
|
-
skipLocalVerify = true;
|
|
11
|
-
eab;
|
|
12
|
-
constructor(options) {
|
|
13
|
-
this.options = options;
|
|
14
|
-
this.userContext = options.userContext;
|
|
15
|
-
this.logger = options.logger;
|
|
16
|
-
this.sslProvider = options.sslProvider || "letsencrypt";
|
|
17
|
-
this.eab = options.eab;
|
|
18
|
-
this.skipLocalVerify = options.skipLocalVerify ?? false;
|
|
19
|
-
acme.setLogger((text) => {
|
|
20
|
-
this.logger.info(text);
|
|
21
|
-
});
|
|
22
|
-
}
|
|
23
|
-
async getAccountConfig(email) {
|
|
24
|
-
return (await this.userContext.getObj(this.buildAccountKey(email))) || {};
|
|
25
|
-
}
|
|
26
|
-
buildAccountKey(email) {
|
|
27
|
-
return `acme.config.${this.sslProvider}.${email}`;
|
|
28
|
-
}
|
|
29
|
-
async saveAccountConfig(email, conf) {
|
|
30
|
-
await this.userContext.setObj(this.buildAccountKey(email), conf);
|
|
31
|
-
}
|
|
32
|
-
async getAcmeClient(email, isTest = false) {
|
|
33
|
-
const conf = await this.getAccountConfig(email);
|
|
34
|
-
if (conf.key == null) {
|
|
35
|
-
conf.key = await this.createNewKey();
|
|
36
|
-
await this.saveAccountConfig(email, conf);
|
|
37
|
-
}
|
|
38
|
-
let directoryUrl = "";
|
|
39
|
-
if (isTest) {
|
|
40
|
-
directoryUrl = acme.directory[this.sslProvider].staging;
|
|
41
|
-
}
|
|
42
|
-
else {
|
|
43
|
-
directoryUrl = acme.directory[this.sslProvider].production;
|
|
44
|
-
}
|
|
45
|
-
const urlMapping = { enabled: false, mappings: {} };
|
|
46
|
-
if (this.options.useMappingProxy) {
|
|
47
|
-
urlMapping.enabled = true;
|
|
48
|
-
urlMapping.mappings = {
|
|
49
|
-
"acme-v02.api.letsencrypt.org": "letsencrypt.proxy.handsfree.work",
|
|
50
|
-
};
|
|
51
|
-
}
|
|
52
|
-
const client = new acme.Client({
|
|
53
|
-
directoryUrl: directoryUrl,
|
|
54
|
-
accountKey: conf.key,
|
|
55
|
-
accountUrl: conf.accountUrl,
|
|
56
|
-
externalAccountBinding: this.eab,
|
|
57
|
-
backoffAttempts: 30,
|
|
58
|
-
backoffMin: 5000,
|
|
59
|
-
backoffMax: 10000,
|
|
60
|
-
urlMapping,
|
|
61
|
-
});
|
|
62
|
-
if (conf.accountUrl == null) {
|
|
63
|
-
const accountPayload = {
|
|
64
|
-
termsOfServiceAgreed: true,
|
|
65
|
-
contact: [`mailto:${email}`],
|
|
66
|
-
externalAccountBinding: this.eab,
|
|
67
|
-
};
|
|
68
|
-
await client.createAccount(accountPayload);
|
|
69
|
-
conf.accountUrl = client.getAccountUrl();
|
|
70
|
-
await this.saveAccountConfig(email, conf);
|
|
71
|
-
}
|
|
72
|
-
return client;
|
|
73
|
-
}
|
|
74
|
-
async createNewKey() {
|
|
75
|
-
const key = await acme.forge.createPrivateKey();
|
|
76
|
-
return key.toString();
|
|
77
|
-
}
|
|
78
|
-
parseDomain(fullDomain) {
|
|
79
|
-
const parsed = psl.parse(fullDomain);
|
|
80
|
-
if (parsed.error) {
|
|
81
|
-
throw new Error(`解析${fullDomain}域名失败:` + JSON.stringify(parsed.error));
|
|
82
|
-
}
|
|
83
|
-
return parsed.domain;
|
|
84
|
-
}
|
|
85
|
-
async challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider) {
|
|
86
|
-
this.logger.info("Triggered challengeCreateFn()");
|
|
87
|
-
/* http-01 */
|
|
88
|
-
const fullDomain = authz.identifier.value;
|
|
89
|
-
if (challenge.type === "http-01") {
|
|
90
|
-
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
|
|
91
|
-
const fileContents = keyAuthorization;
|
|
92
|
-
this.logger.info(`Creating challenge response for ${fullDomain} at path: ${filePath}`);
|
|
93
|
-
/* Replace this */
|
|
94
|
-
this.logger.info(`Would write "${fileContents}" to path "${filePath}"`);
|
|
95
|
-
// await fs.writeFileAsync(filePath, fileContents);
|
|
96
|
-
}
|
|
97
|
-
else if (challenge.type === "dns-01") {
|
|
98
|
-
/* dns-01 */
|
|
99
|
-
const dnsRecord = `_acme-challenge.${fullDomain}`;
|
|
100
|
-
const recordValue = keyAuthorization;
|
|
101
|
-
this.logger.info(`Creating TXT record for ${fullDomain}: ${dnsRecord}`);
|
|
102
|
-
/* Replace this */
|
|
103
|
-
this.logger.info(`Would create TXT record "${dnsRecord}" with value "${recordValue}"`);
|
|
104
|
-
const domain = this.parseDomain(fullDomain);
|
|
105
|
-
this.logger.info("解析到域名domain=", domain);
|
|
106
|
-
return await dnsProvider.createRecord({
|
|
107
|
-
fullRecord: dnsRecord,
|
|
108
|
-
type: "TXT",
|
|
109
|
-
value: recordValue,
|
|
110
|
-
domain,
|
|
111
|
-
});
|
|
112
|
-
}
|
|
113
|
-
}
|
|
114
|
-
/**
|
|
115
|
-
* Function used to remove an ACME challenge response
|
|
116
|
-
*
|
|
117
|
-
* @param {object} authz Authorization object
|
|
118
|
-
* @param {object} challenge Selected challenge
|
|
119
|
-
* @param {string} keyAuthorization Authorization key
|
|
120
|
-
* @param recordItem challengeCreateFn create record item
|
|
121
|
-
* @param dnsProvider dnsProvider
|
|
122
|
-
* @returns {Promise}
|
|
123
|
-
*/
|
|
124
|
-
async challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider) {
|
|
125
|
-
this.logger.info("Triggered challengeRemoveFn()");
|
|
126
|
-
/* http-01 */
|
|
127
|
-
const fullDomain = authz.identifier.value;
|
|
128
|
-
if (challenge.type === "http-01") {
|
|
129
|
-
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
|
|
130
|
-
this.logger.info(`Removing challenge response for ${fullDomain} at path: ${filePath}`);
|
|
131
|
-
/* Replace this */
|
|
132
|
-
this.logger.info(`Would remove file on path "${filePath}"`);
|
|
133
|
-
// await fs.unlinkAsync(filePath);
|
|
134
|
-
}
|
|
135
|
-
else if (challenge.type === "dns-01") {
|
|
136
|
-
const dnsRecord = `_acme-challenge.${fullDomain}`;
|
|
137
|
-
const recordValue = keyAuthorization;
|
|
138
|
-
this.logger.info(`Removing TXT record for ${fullDomain}: ${dnsRecord}`);
|
|
139
|
-
/* Replace this */
|
|
140
|
-
this.logger.info(`Would remove TXT record "${dnsRecord}" with value "${recordValue}"`);
|
|
141
|
-
const domain = this.parseDomain(fullDomain);
|
|
142
|
-
try {
|
|
143
|
-
await dnsProvider.removeRecord({
|
|
144
|
-
fullRecord: dnsRecord,
|
|
145
|
-
type: "TXT",
|
|
146
|
-
value: keyAuthorization,
|
|
147
|
-
record: recordItem,
|
|
148
|
-
domain,
|
|
149
|
-
});
|
|
150
|
-
}
|
|
151
|
-
catch (e) {
|
|
152
|
-
this.logger.error("删除解析记录出错:", e);
|
|
153
|
-
throw e;
|
|
154
|
-
}
|
|
155
|
-
}
|
|
156
|
-
}
|
|
157
|
-
async order(options) {
|
|
158
|
-
const { email, isTest, domains, csrInfo, dnsProvider } = options;
|
|
159
|
-
const client = await this.getAcmeClient(email, isTest);
|
|
160
|
-
/* Create CSR */
|
|
161
|
-
const { commonName, altNames } = this.buildCommonNameByDomains(domains);
|
|
162
|
-
const [key, csr] = await acme.forge.createCsr({
|
|
163
|
-
commonName,
|
|
164
|
-
...csrInfo,
|
|
165
|
-
altNames,
|
|
166
|
-
});
|
|
167
|
-
if (dnsProvider == null) {
|
|
168
|
-
throw new Error("dnsProvider 不能为空");
|
|
169
|
-
}
|
|
170
|
-
/* 自动申请证书 */
|
|
171
|
-
const crt = await client.auto({
|
|
172
|
-
csr,
|
|
173
|
-
email: email,
|
|
174
|
-
termsOfServiceAgreed: true,
|
|
175
|
-
skipChallengeVerification: this.skipLocalVerify,
|
|
176
|
-
challengePriority: ["dns-01"],
|
|
177
|
-
challengeCreateFn: async (authz, challenge, keyAuthorization) => {
|
|
178
|
-
return await this.challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider);
|
|
179
|
-
},
|
|
180
|
-
challengeRemoveFn: async (authz, challenge, keyAuthorization, recordItem) => {
|
|
181
|
-
return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider);
|
|
182
|
-
},
|
|
183
|
-
});
|
|
184
|
-
const cert = {
|
|
185
|
-
crt: crt.toString(),
|
|
186
|
-
key: key.toString(),
|
|
187
|
-
csr: csr.toString(),
|
|
188
|
-
};
|
|
189
|
-
/* Done */
|
|
190
|
-
this.logger.debug(`CSR:\n${cert.csr}`);
|
|
191
|
-
this.logger.debug(`Certificate:\n${cert.crt}`);
|
|
192
|
-
this.logger.info("证书申请成功");
|
|
193
|
-
return cert;
|
|
194
|
-
}
|
|
195
|
-
buildCommonNameByDomains(domains) {
|
|
196
|
-
if (typeof domains === "string") {
|
|
197
|
-
domains = domains.split(",");
|
|
198
|
-
}
|
|
199
|
-
if (domains.length === 0) {
|
|
200
|
-
throw new Error("domain can not be empty");
|
|
201
|
-
}
|
|
202
|
-
const commonName = domains[0];
|
|
203
|
-
let altNames = undefined;
|
|
204
|
-
if (domains.length > 1) {
|
|
205
|
-
altNames = _.slice(domains, 1);
|
|
206
|
-
}
|
|
207
|
-
return {
|
|
208
|
-
commonName,
|
|
209
|
-
altNames,
|
|
210
|
-
};
|
|
211
|
-
}
|
|
212
|
-
}
|
|
213
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
1
|
+
// @ts-ignore
|
|
2
|
+
import * as acme from "@certd/acme-client";
|
|
3
|
+
import _ from "lodash-es";
|
|
4
|
+
import psl from "psl";
|
|
5
|
+
export class AcmeService {
|
|
6
|
+
options;
|
|
7
|
+
userContext;
|
|
8
|
+
logger;
|
|
9
|
+
sslProvider;
|
|
10
|
+
skipLocalVerify = true;
|
|
11
|
+
eab;
|
|
12
|
+
constructor(options) {
|
|
13
|
+
this.options = options;
|
|
14
|
+
this.userContext = options.userContext;
|
|
15
|
+
this.logger = options.logger;
|
|
16
|
+
this.sslProvider = options.sslProvider || "letsencrypt";
|
|
17
|
+
this.eab = options.eab;
|
|
18
|
+
this.skipLocalVerify = options.skipLocalVerify ?? false;
|
|
19
|
+
acme.setLogger((text) => {
|
|
20
|
+
this.logger.info(text);
|
|
21
|
+
});
|
|
22
|
+
}
|
|
23
|
+
async getAccountConfig(email) {
|
|
24
|
+
return (await this.userContext.getObj(this.buildAccountKey(email))) || {};
|
|
25
|
+
}
|
|
26
|
+
buildAccountKey(email) {
|
|
27
|
+
return `acme.config.${this.sslProvider}.${email}`;
|
|
28
|
+
}
|
|
29
|
+
async saveAccountConfig(email, conf) {
|
|
30
|
+
await this.userContext.setObj(this.buildAccountKey(email), conf);
|
|
31
|
+
}
|
|
32
|
+
async getAcmeClient(email, isTest = false) {
|
|
33
|
+
const conf = await this.getAccountConfig(email);
|
|
34
|
+
if (conf.key == null) {
|
|
35
|
+
conf.key = await this.createNewKey();
|
|
36
|
+
await this.saveAccountConfig(email, conf);
|
|
37
|
+
}
|
|
38
|
+
let directoryUrl = "";
|
|
39
|
+
if (isTest) {
|
|
40
|
+
directoryUrl = acme.directory[this.sslProvider].staging;
|
|
41
|
+
}
|
|
42
|
+
else {
|
|
43
|
+
directoryUrl = acme.directory[this.sslProvider].production;
|
|
44
|
+
}
|
|
45
|
+
const urlMapping = { enabled: false, mappings: {} };
|
|
46
|
+
if (this.options.useMappingProxy) {
|
|
47
|
+
urlMapping.enabled = true;
|
|
48
|
+
urlMapping.mappings = {
|
|
49
|
+
"acme-v02.api.letsencrypt.org": "letsencrypt.proxy.handsfree.work",
|
|
50
|
+
};
|
|
51
|
+
}
|
|
52
|
+
const client = new acme.Client({
|
|
53
|
+
directoryUrl: directoryUrl,
|
|
54
|
+
accountKey: conf.key,
|
|
55
|
+
accountUrl: conf.accountUrl,
|
|
56
|
+
externalAccountBinding: this.eab,
|
|
57
|
+
backoffAttempts: 30,
|
|
58
|
+
backoffMin: 5000,
|
|
59
|
+
backoffMax: 10000,
|
|
60
|
+
urlMapping,
|
|
61
|
+
});
|
|
62
|
+
if (conf.accountUrl == null) {
|
|
63
|
+
const accountPayload = {
|
|
64
|
+
termsOfServiceAgreed: true,
|
|
65
|
+
contact: [`mailto:${email}`],
|
|
66
|
+
externalAccountBinding: this.eab,
|
|
67
|
+
};
|
|
68
|
+
await client.createAccount(accountPayload);
|
|
69
|
+
conf.accountUrl = client.getAccountUrl();
|
|
70
|
+
await this.saveAccountConfig(email, conf);
|
|
71
|
+
}
|
|
72
|
+
return client;
|
|
73
|
+
}
|
|
74
|
+
async createNewKey() {
|
|
75
|
+
const key = await acme.forge.createPrivateKey();
|
|
76
|
+
return key.toString();
|
|
77
|
+
}
|
|
78
|
+
parseDomain(fullDomain) {
|
|
79
|
+
const parsed = psl.parse(fullDomain);
|
|
80
|
+
if (parsed.error) {
|
|
81
|
+
throw new Error(`解析${fullDomain}域名失败:` + JSON.stringify(parsed.error));
|
|
82
|
+
}
|
|
83
|
+
return parsed.domain;
|
|
84
|
+
}
|
|
85
|
+
async challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider) {
|
|
86
|
+
this.logger.info("Triggered challengeCreateFn()");
|
|
87
|
+
/* http-01 */
|
|
88
|
+
const fullDomain = authz.identifier.value;
|
|
89
|
+
if (challenge.type === "http-01") {
|
|
90
|
+
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
|
|
91
|
+
const fileContents = keyAuthorization;
|
|
92
|
+
this.logger.info(`Creating challenge response for ${fullDomain} at path: ${filePath}`);
|
|
93
|
+
/* Replace this */
|
|
94
|
+
this.logger.info(`Would write "${fileContents}" to path "${filePath}"`);
|
|
95
|
+
// await fs.writeFileAsync(filePath, fileContents);
|
|
96
|
+
}
|
|
97
|
+
else if (challenge.type === "dns-01") {
|
|
98
|
+
/* dns-01 */
|
|
99
|
+
const dnsRecord = `_acme-challenge.${fullDomain}`;
|
|
100
|
+
const recordValue = keyAuthorization;
|
|
101
|
+
this.logger.info(`Creating TXT record for ${fullDomain}: ${dnsRecord}`);
|
|
102
|
+
/* Replace this */
|
|
103
|
+
this.logger.info(`Would create TXT record "${dnsRecord}" with value "${recordValue}"`);
|
|
104
|
+
const domain = this.parseDomain(fullDomain);
|
|
105
|
+
this.logger.info("解析到域名domain=", domain);
|
|
106
|
+
return await dnsProvider.createRecord({
|
|
107
|
+
fullRecord: dnsRecord,
|
|
108
|
+
type: "TXT",
|
|
109
|
+
value: recordValue,
|
|
110
|
+
domain,
|
|
111
|
+
});
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
/**
|
|
115
|
+
* Function used to remove an ACME challenge response
|
|
116
|
+
*
|
|
117
|
+
* @param {object} authz Authorization object
|
|
118
|
+
* @param {object} challenge Selected challenge
|
|
119
|
+
* @param {string} keyAuthorization Authorization key
|
|
120
|
+
* @param recordItem challengeCreateFn create record item
|
|
121
|
+
* @param dnsProvider dnsProvider
|
|
122
|
+
* @returns {Promise}
|
|
123
|
+
*/
|
|
124
|
+
async challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider) {
|
|
125
|
+
this.logger.info("Triggered challengeRemoveFn()");
|
|
126
|
+
/* http-01 */
|
|
127
|
+
const fullDomain = authz.identifier.value;
|
|
128
|
+
if (challenge.type === "http-01") {
|
|
129
|
+
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
|
|
130
|
+
this.logger.info(`Removing challenge response for ${fullDomain} at path: ${filePath}`);
|
|
131
|
+
/* Replace this */
|
|
132
|
+
this.logger.info(`Would remove file on path "${filePath}"`);
|
|
133
|
+
// await fs.unlinkAsync(filePath);
|
|
134
|
+
}
|
|
135
|
+
else if (challenge.type === "dns-01") {
|
|
136
|
+
const dnsRecord = `_acme-challenge.${fullDomain}`;
|
|
137
|
+
const recordValue = keyAuthorization;
|
|
138
|
+
this.logger.info(`Removing TXT record for ${fullDomain}: ${dnsRecord}`);
|
|
139
|
+
/* Replace this */
|
|
140
|
+
this.logger.info(`Would remove TXT record "${dnsRecord}" with value "${recordValue}"`);
|
|
141
|
+
const domain = this.parseDomain(fullDomain);
|
|
142
|
+
try {
|
|
143
|
+
await dnsProvider.removeRecord({
|
|
144
|
+
fullRecord: dnsRecord,
|
|
145
|
+
type: "TXT",
|
|
146
|
+
value: keyAuthorization,
|
|
147
|
+
record: recordItem,
|
|
148
|
+
domain,
|
|
149
|
+
});
|
|
150
|
+
}
|
|
151
|
+
catch (e) {
|
|
152
|
+
this.logger.error("删除解析记录出错:", e);
|
|
153
|
+
throw e;
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
async order(options) {
|
|
158
|
+
const { email, isTest, domains, csrInfo, dnsProvider } = options;
|
|
159
|
+
const client = await this.getAcmeClient(email, isTest);
|
|
160
|
+
/* Create CSR */
|
|
161
|
+
const { commonName, altNames } = this.buildCommonNameByDomains(domains);
|
|
162
|
+
const [key, csr] = await acme.forge.createCsr({
|
|
163
|
+
commonName,
|
|
164
|
+
...csrInfo,
|
|
165
|
+
altNames,
|
|
166
|
+
});
|
|
167
|
+
if (dnsProvider == null) {
|
|
168
|
+
throw new Error("dnsProvider 不能为空");
|
|
169
|
+
}
|
|
170
|
+
/* 自动申请证书 */
|
|
171
|
+
const crt = await client.auto({
|
|
172
|
+
csr,
|
|
173
|
+
email: email,
|
|
174
|
+
termsOfServiceAgreed: true,
|
|
175
|
+
skipChallengeVerification: this.skipLocalVerify,
|
|
176
|
+
challengePriority: ["dns-01"],
|
|
177
|
+
challengeCreateFn: async (authz, challenge, keyAuthorization) => {
|
|
178
|
+
return await this.challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider);
|
|
179
|
+
},
|
|
180
|
+
challengeRemoveFn: async (authz, challenge, keyAuthorization, recordItem) => {
|
|
181
|
+
return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordItem, dnsProvider);
|
|
182
|
+
},
|
|
183
|
+
});
|
|
184
|
+
const cert = {
|
|
185
|
+
crt: crt.toString(),
|
|
186
|
+
key: key.toString(),
|
|
187
|
+
csr: csr.toString(),
|
|
188
|
+
};
|
|
189
|
+
/* Done */
|
|
190
|
+
this.logger.debug(`CSR:\n${cert.csr}`);
|
|
191
|
+
this.logger.debug(`Certificate:\n${cert.crt}`);
|
|
192
|
+
this.logger.info("证书申请成功");
|
|
193
|
+
return cert;
|
|
194
|
+
}
|
|
195
|
+
buildCommonNameByDomains(domains) {
|
|
196
|
+
if (typeof domains === "string") {
|
|
197
|
+
domains = domains.split(",");
|
|
198
|
+
}
|
|
199
|
+
if (domains.length === 0) {
|
|
200
|
+
throw new Error("domain can not be empty");
|
|
201
|
+
}
|
|
202
|
+
const commonName = domains[0];
|
|
203
|
+
let altNames = undefined;
|
|
204
|
+
if (domains.length > 1) {
|
|
205
|
+
altNames = _.slice(domains, 1);
|
|
206
|
+
}
|
|
207
|
+
return {
|
|
208
|
+
commonName,
|
|
209
|
+
altNames,
|
|
210
|
+
};
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNtZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9wbHVnaW4vY2VydC1wbHVnaW4vYWNtZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxhQUFhO0FBQ2IsT0FBTyxLQUFLLElBQUksTUFBTSxvQkFBb0IsQ0FBQztBQUMzQyxPQUFPLENBQUMsTUFBTSxXQUFXLENBQUM7QUFLMUIsT0FBTyxHQUFHLE1BQU0sS0FBSyxDQUFDO0FBa0J0QixNQUFNLE9BQU8sV0FBVztJQUN0QixPQUFPLENBQXFCO0lBQzVCLFdBQVcsQ0FBVztJQUN0QixNQUFNLENBQVM7SUFDZixXQUFXLENBQWM7SUFDekIsZUFBZSxHQUFHLElBQUksQ0FBQztJQUN2QixHQUFHLENBQXVDO0lBQzFDLFlBQVksT0FBMkI7UUFDckMsSUFBSSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDdkIsSUFBSSxDQUFDLFdBQVcsR0FBRyxPQUFPLENBQUMsV0FBVyxDQUFDO1FBQ3ZDLElBQUksQ0FBQyxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQztRQUM3QixJQUFJLENBQUMsV0FBVyxHQUFHLE9BQU8sQ0FBQyxXQUFXLElBQUksYUFBYSxDQUFDO1FBQ3hELElBQUksQ0FBQyxHQUFHLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQztRQUN2QixJQUFJLENBQUMsZUFBZSxHQUFHLE9BQU8sQ0FBQyxlQUFlLElBQUksS0FBSyxDQUFDO1FBQ3hELElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQyxJQUFZLEVBQUUsRUFBRTtZQUM5QixJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN6QixDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxLQUFLLENBQUMsZ0JBQWdCLENBQUMsS0FBYTtRQUNsQyxPQUFPLENBQUMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUM7SUFDNUUsQ0FBQztJQUVELGVBQWUsQ0FBQyxLQUFhO1FBQzNCLE9BQU8sZUFBZSxJQUFJLENBQUMsV0FBVyxJQUFJLEtBQUssRUFBRSxDQUFDO0lBQ3BELENBQUM7SUFFRCxLQUFLLENBQUMsaUJBQWlCLENBQUMsS0FBYSxFQUFFLElBQVM7UUFDOUMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxFQUFFLElBQUksQ0FBQyxDQUFDO0lBQ25FLENBQUM7SUFFRCxLQUFLLENBQUMsYUFBYSxDQUFDLEtBQWEsRUFBRSxNQUFNLEdBQUcsS0FBSztRQUMvQyxNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUNoRCxJQUFJLElBQUksQ0FBQyxHQUFHLElBQUksSUFBSSxFQUFFO1lBQ3BCLElBQUksQ0FBQyxHQUFHLEdBQUcsTUFBTSxJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDckMsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxDQUFDO1NBQzNDO1FBQ0QsSUFBSSxZQUFZLEdBQUcsRUFBRSxDQUFDO1FBQ3RCLElBQUksTUFBTSxFQUFFO1lBQ1YsWUFBWSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLE9BQU8sQ0FBQztTQUN6RDthQUFNO1lBQ0wsWUFBWSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLFVBQVUsQ0FBQztTQUM1RDtRQUNELE1BQU0sVUFBVSxHQUFlLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRSxRQUFRLEVBQUUsRUFBRSxFQUFFLENBQUM7UUFDaEUsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLGVBQWUsRUFBRTtZQUNoQyxVQUFVLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQztZQUMxQixVQUFVLENBQUMsUUFBUSxHQUFHO2dCQUNwQiw4QkFBOEIsRUFBRSxrQ0FBa0M7YUFDbkUsQ0FBQztTQUNIO1FBQ0QsTUFBTSxNQUFNLEdBQUcsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDO1lBQzdCLFlBQVksRUFBRSxZQUFZO1lBQzFCLFVBQVUsRUFBRSxJQUFJLENBQUMsR0FBRztZQUNwQixVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVU7WUFDM0Isc0JBQXNCLEVBQUUsSUFBSSxDQUFDLEdBQUc7WUFDaEMsZUFBZSxFQUFFLEVBQUU7WUFDbkIsVUFBVSxFQUFFLElBQUk7WUFDaEIsVUFBVSxFQUFFLEtBQUs7WUFDakIsVUFBVTtTQUNYLENBQUMsQ0FBQztRQUVILElBQUksSUFBSSxDQUFDLFVBQVUsSUFBSSxJQUFJLEVBQUU7WUFDM0IsTUFBTSxjQUFjLEdBQUc7Z0JBQ3JCLG9CQUFvQixFQUFFLElBQUk7Z0JBQzFCLE9BQU8sRUFBRSxDQUFDLFVBQVUsS0FBSyxFQUFFLENBQUM7Z0JBQzVCLHNCQUFzQixFQUFFLElBQUksQ0FBQyxHQUFHO2FBQ2pDLENBQUM7WUFDRixNQUFNLE1BQU0sQ0FBQyxhQUFhLENBQUMsY0FBYyxDQUFDLENBQUM7WUFDM0MsSUFBSSxDQUFDLFVBQVUsR0FBRyxNQUFNLENBQUMsYUFBYSxFQUFFLENBQUM7WUFDekMsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLElBQUksQ0FBQyxDQUFDO1NBQzNDO1FBQ0QsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUVELEtBQUssQ0FBQyxZQUFZO1FBQ2hCLE1BQU0sR0FBRyxHQUFHLE1BQU0sSUFBSSxDQUFDLEtBQUssQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1FBQ2hELE9BQU8sR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO0lBQ3hCLENBQUM7SUFFRCxXQUFXLENBQUMsVUFBa0I7UUFDNUIsTUFBTSxNQUFNLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQXFCLENBQUM7UUFDekQsSUFBSSxNQUFNLENBQUMsS0FBSyxFQUFFO1lBQ2hCLE1BQU0sSUFBSSxLQUFLLENBQUMsS0FBSyxVQUFVLE9BQU8sR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDO1NBQ3hFO1FBQ0QsT0FBTyxNQUFNLENBQUMsTUFBZ0IsQ0FBQztJQUNqQyxDQUFDO0lBQ0QsS0FBSyxDQUFDLGlCQUFpQixDQUFDLEtBQVUsRUFBRSxTQUFjLEVBQUUsZ0JBQXdCLEVBQUUsV0FBeUI7UUFDckcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsK0JBQStCLENBQUMsQ0FBQztRQUVsRCxhQUFhO1FBQ2IsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUM7UUFDMUMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRTtZQUNoQyxNQUFNLFFBQVEsR0FBRyw0Q0FBNEMsU0FBUyxDQUFDLEtBQUssRUFBRSxDQUFDO1lBQy9FLE1BQU0sWUFBWSxHQUFHLGdCQUFnQixDQUFDO1lBRXRDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLG1DQUFtQyxVQUFVLGFBQWEsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUV2RixrQkFBa0I7WUFDbEIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLFlBQVksY0FBYyxRQUFRLEdBQUcsQ0FBQyxDQUFDO1lBQ3hFLG1EQUFtRDtTQUNwRDthQUFNLElBQUksU0FBUyxDQUFDLElBQUksS0FBSyxRQUFRLEVBQUU7WUFDdEMsWUFBWTtZQUNaLE1BQU0sU0FBUyxHQUFHLG1CQUFtQixVQUFVLEVBQUUsQ0FBQztZQUNsRCxNQUFNLFdBQVcsR0FBRyxnQkFBZ0IsQ0FBQztZQUVyQyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQywyQkFBMkIsVUFBVSxLQUFLLFNBQVMsRUFBRSxDQUFDLENBQUM7WUFDeEUsa0JBQWtCO1lBQ2xCLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLDRCQUE0QixTQUFTLGlCQUFpQixXQUFXLEdBQUcsQ0FBQyxDQUFDO1lBRXZGLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsVUFBVSxDQUFDLENBQUM7WUFDNUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsY0FBYyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1lBQ3pDLE9BQU8sTUFBTSxXQUFXLENBQUMsWUFBWSxDQUFDO2dCQUNwQyxVQUFVLEVBQUUsU0FBUztnQkFDckIsSUFBSSxFQUFFLEtBQUs7Z0JBQ1gsS0FBSyxFQUFFLFdBQVc7Z0JBQ2xCLE1BQU07YUFDUCxDQUFDLENBQUM7U0FDSjtJQUNILENBQUM7SUFFRDs7Ozs7Ozs7O09BU0c7SUFFSCxLQUFLLENBQUMsaUJBQWlCLENBQUMsS0FBVSxFQUFFLFNBQWMsRUFBRSxnQkFBd0IsRUFBRSxVQUFlLEVBQUUsV0FBeUI7UUFDdEgsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsK0JBQStCLENBQUMsQ0FBQztRQUVsRCxhQUFhO1FBQ2IsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxLQUFLLENBQUM7UUFDMUMsSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRTtZQUNoQyxNQUFNLFFBQVEsR0FBRyw0Q0FBNEMsU0FBUyxDQUFDLEtBQUssRUFBRSxDQUFDO1lBRS9FLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLG1DQUFtQyxVQUFVLGFBQWEsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUV2RixrQkFBa0I7WUFDbEIsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsOEJBQThCLFFBQVEsR0FBRyxDQUFDLENBQUM7WUFDNUQsa0NBQWtDO1NBQ25DO2FBQU0sSUFBSSxTQUFTLENBQUMsSUFBSSxLQUFLLFFBQVEsRUFBRTtZQUN0QyxNQUFNLFNBQVMsR0FBRyxtQkFBbUIsVUFBVSxFQUFFLENBQUM7WUFDbEQsTUFBTSxXQUFXLEdBQUcsZ0JBQWdCLENBQUM7WUFFckMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsMkJBQTJCLFVBQVUsS0FBSyxTQUFTLEVBQUUsQ0FBQyxDQUFDO1lBRXhFLGtCQUFrQjtZQUNsQixJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyw0QkFBNEIsU0FBUyxpQkFBaUIsV0FBVyxHQUFHLENBQUMsQ0FBQztZQUV2RixNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLFVBQVUsQ0FBQyxDQUFDO1lBRTVDLElBQUk7Z0JBQ0YsTUFBTSxXQUFXLENBQUMsWUFBWSxDQUFDO29CQUM3QixVQUFVLEVBQUUsU0FBUztvQkFDckIsSUFBSSxFQUFFLEtBQUs7b0JBQ1gsS0FBSyxFQUFFLGdCQUFnQjtvQkFDdkIsTUFBTSxFQUFFLFVBQVU7b0JBQ2xCLE1BQU07aUJBQ1AsQ0FBQyxDQUFDO2FBQ0o7WUFBQyxPQUFPLENBQUMsRUFBRTtnQkFDVixJQUFJLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUM7Z0JBQ2xDLE1BQU0sQ0FBQyxDQUFDO2FBQ1Q7U0FDRjtJQUNILENBQUM7SUFFRCxLQUFLLENBQUMsS0FBSyxDQUFDLE9BQXdHO1FBQ2xILE1BQU0sRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxPQUFPLEVBQUUsV0FBVyxFQUFFLEdBQUcsT0FBTyxDQUFDO1FBQ2pFLE1BQU0sTUFBTSxHQUFnQixNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsS0FBSyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRXBFLGdCQUFnQjtRQUNoQixNQUFNLEVBQUUsVUFBVSxFQUFFLFFBQVEsRUFBRSxHQUFHLElBQUksQ0FBQyx3QkFBd0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUV4RSxNQUFNLENBQUMsR0FBRyxFQUFFLEdBQUcsQ0FBQyxHQUFHLE1BQU0sSUFBSSxDQUFDLEtBQUssQ0FBQyxTQUFTLENBQUM7WUFDNUMsVUFBVTtZQUNWLEdBQUcsT0FBTztZQUNWLFFBQVE7U0FDVCxDQUFDLENBQUM7UUFDSCxJQUFJLFdBQVcsSUFBSSxJQUFJLEVBQUU7WUFDdkIsTUFBTSxJQUFJLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO1NBQ3JDO1FBQ0QsWUFBWTtRQUNaLE1BQU0sR0FBRyxHQUFHLE1BQU0sTUFBTSxDQUFDLElBQUksQ0FBQztZQUM1QixHQUFHO1lBQ0gsS0FBSyxFQUFFLEtBQUs7WUFDWixvQkFBb0IsRUFBRSxJQUFJO1lBQzFCLHlCQUF5QixFQUFFLElBQUksQ0FBQyxlQUFlO1lBQy9DLGlCQUFpQixFQUFFLENBQUMsUUFBUSxDQUFDO1lBQzdCLGlCQUFpQixFQUFFLEtBQUssRUFBRSxLQUF5QixFQUFFLFNBQW9CLEVBQUUsZ0JBQXdCLEVBQWdCLEVBQUU7Z0JBQ25ILE9BQU8sTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxXQUFXLENBQUMsQ0FBQztZQUN2RixDQUFDO1lBQ0QsaUJBQWlCLEVBQUUsS0FBSyxFQUFFLEtBQXlCLEVBQUUsU0FBb0IsRUFBRSxnQkFBd0IsRUFBRSxVQUFlLEVBQWdCLEVBQUU7Z0JBQ3BJLE9BQU8sTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsS0FBSyxFQUFFLFNBQVMsRUFBRSxnQkFBZ0IsRUFBRSxVQUFVLEVBQUUsV0FBVyxDQUFDLENBQUM7WUFDbkcsQ0FBQztTQUNGLENBQUMsQ0FBQztRQUVILE1BQU0sSUFBSSxHQUFhO1lBQ3JCLEdBQUcsRUFBRSxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ25CLEdBQUcsRUFBRSxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ25CLEdBQUcsRUFBRSxHQUFHLENBQUMsUUFBUSxFQUFFO1NBQ3BCLENBQUM7UUFDRixVQUFVO1FBQ1YsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsU0FBUyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUN2QyxJQUFJLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDL0MsSUFBSSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDM0IsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsd0JBQXdCLENBQUMsT0FBMEI7UUFJakQsSUFBSSxPQUFPLE9BQU8sS0FBSyxRQUFRLEVBQUU7WUFDL0IsT0FBTyxHQUFHLE9BQU8sQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7U0FDOUI7UUFDRCxJQUFJLE9BQU8sQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFO1lBQ3hCLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztTQUM1QztRQUNELE1BQU0sVUFBVSxHQUFHLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM5QixJQUFJLFFBQVEsR0FBeUIsU0FBUyxDQUFDO1FBQy9DLElBQUksT0FBTyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUU7WUFDdEIsUUFBUSxHQUFHLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQyxDQUFDO1NBQ2hDO1FBQ0QsT0FBTztZQUNMLFVBQVU7WUFDVixRQUFRO1NBQ1QsQ0FBQztJQUNKLENBQUM7Q0FDRiJ9
|