@icure/api 8.6.5 → 8.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (76) hide show
  1. package/icc-api/api/IccFormApi.d.ts +81 -0
  2. package/icc-api/api/IccFormApi.js +213 -0
  3. package/icc-api/api/IccFormApi.js.map +1 -1
  4. package/icc-api/model/CryptoActorStub.d.ts +0 -2
  5. package/icc-api/model/CryptoActorStub.js.map +1 -1
  6. package/icc-api/model/Device.d.ts +0 -1
  7. package/icc-api/model/Device.js.map +1 -1
  8. package/icc-api/model/HealthcareParty.d.ts +0 -1
  9. package/icc-api/model/HealthcareParty.js.map +1 -1
  10. package/icc-api/model/Patient.d.ts +0 -1
  11. package/icc-api/model/Patient.js.map +1 -1
  12. package/icc-x-api/crypto/CryptoStrategies.d.ts +1 -2
  13. package/icc-x-api/crypto/CryptoStrategies.js.map +1 -1
  14. package/icc-x-api/crypto/UserEncryptionKeysManager.js +2 -2
  15. package/icc-x-api/crypto/UserEncryptionKeysManager.js.map +1 -1
  16. package/icc-x-api/icc-accesslog-x-api.d.ts +93 -0
  17. package/icc-x-api/icc-accesslog-x-api.js +93 -0
  18. package/icc-x-api/icc-accesslog-x-api.js.map +1 -1
  19. package/icc-x-api/icc-calendar-item-x-api.d.ts +122 -0
  20. package/icc-x-api/icc-calendar-item-x-api.js +122 -0
  21. package/icc-x-api/icc-calendar-item-x-api.js.map +1 -1
  22. package/icc-x-api/icc-classification-x-api.d.ts +20 -0
  23. package/icc-x-api/icc-classification-x-api.js +20 -0
  24. package/icc-x-api/icc-classification-x-api.js.map +1 -1
  25. package/icc-x-api/icc-code-x-api.d.ts +23 -0
  26. package/icc-x-api/icc-code-x-api.js +23 -0
  27. package/icc-x-api/icc-code-x-api.js.map +1 -1
  28. package/icc-x-api/icc-contact-x-api.d.ts +219 -1
  29. package/icc-x-api/icc-contact-x-api.js +219 -2
  30. package/icc-x-api/icc-contact-x-api.js.map +1 -1
  31. package/icc-x-api/icc-data-owner-x-api.d.ts +14 -3
  32. package/icc-x-api/icc-data-owner-x-api.js +14 -3
  33. package/icc-x-api/icc-data-owner-x-api.js.map +1 -1
  34. package/icc-x-api/icc-device-x-api.d.ts +8 -0
  35. package/icc-x-api/icc-device-x-api.js +8 -0
  36. package/icc-x-api/icc-device-x-api.js.map +1 -1
  37. package/icc-x-api/icc-doctemplate-x-api.d.ts +26 -0
  38. package/icc-x-api/icc-doctemplate-x-api.js +26 -0
  39. package/icc-x-api/icc-doctemplate-x-api.js.map +1 -1
  40. package/icc-x-api/icc-document-x-api.d.ts +114 -1
  41. package/icc-x-api/icc-document-x-api.js +127 -1
  42. package/icc-x-api/icc-document-x-api.js.map +1 -1
  43. package/icc-x-api/icc-form-x-api.d.ts +34 -4
  44. package/icc-x-api/icc-form-x-api.js +34 -4
  45. package/icc-x-api/icc-form-x-api.js.map +1 -1
  46. package/icc-x-api/icc-hcparty-x-api.d.ts +67 -0
  47. package/icc-x-api/icc-hcparty-x-api.js +67 -0
  48. package/icc-x-api/icc-hcparty-x-api.js.map +1 -1
  49. package/icc-x-api/icc-helement-x-api.d.ts +141 -0
  50. package/icc-x-api/icc-helement-x-api.js +141 -0
  51. package/icc-x-api/icc-helement-x-api.js.map +1 -1
  52. package/icc-x-api/icc-invoice-x-api.d.ts +54 -0
  53. package/icc-x-api/icc-invoice-x-api.js +54 -0
  54. package/icc-x-api/icc-invoice-x-api.js.map +1 -1
  55. package/icc-x-api/icc-message-x-api.d.ts +162 -0
  56. package/icc-x-api/icc-message-x-api.js +162 -0
  57. package/icc-x-api/icc-message-x-api.js.map +1 -1
  58. package/icc-x-api/icc-patient-x-api.d.ts +245 -0
  59. package/icc-x-api/icc-patient-x-api.js +245 -1
  60. package/icc-x-api/icc-patient-x-api.js.map +1 -1
  61. package/icc-x-api/icc-receipt-x-api.d.ts +25 -0
  62. package/icc-x-api/icc-receipt-x-api.js +25 -0
  63. package/icc-x-api/icc-receipt-x-api.js.map +1 -1
  64. package/icc-x-api/icc-user-x-api.d.ts +25 -0
  65. package/icc-x-api/icc-user-x-api.js +25 -0
  66. package/icc-x-api/icc-user-x-api.js.map +1 -1
  67. package/package.json +1 -1
  68. package/test/icc-x-api/icc-form-x-api.js +265 -1
  69. package/test/icc-x-api/icc-form-x-api.js.map +1 -1
  70. package/test/utils/roles.js +5 -0
  71. package/test/utils/roles.js.map +1 -1
  72. package/test/utils/test_utils.js +1 -21
  73. package/test/utils/test_utils.js.map +1 -1
  74. package/test/support/CSM-729.d.ts +0 -1
  75. package/test/support/CSM-729.js +0 -225
  76. package/test/support/CSM-729.js.map +0 -1
@@ -1,225 +0,0 @@
1
- "use strict";
2
- var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
3
- function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
4
- return new (P || (P = Promise))(function (resolve, reject) {
5
- function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
6
- function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
7
- function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
8
- step((generator = generator.apply(thisArg, _arguments || [])).next());
9
- });
10
- };
11
- Object.defineProperty(exports, "__esModule", { value: true });
12
- const test_utils_1 = require("../utils/test_utils");
13
- const icc_x_api_1 = require("../../icc-x-api");
14
- const chai_1 = require("chai");
15
- require("isomorphic-fetch");
16
- const types_1 = require("@icure/test-setup/types");
17
- const chaiAsPromised = require("chai-as-promised");
18
- const utils_1 = require("../../icc-x-api/crypto/utils");
19
- const DataOwnerTypeEnum_1 = require("../../icc-api/model/DataOwnerTypeEnum");
20
- const crypto_1 = require("crypto");
21
- const TestStorage_1 = require("../utils/TestStorage");
22
- const SecureDelegation_1 = require("../../icc-api/model/SecureDelegation");
23
- var AccessLevelEnum = SecureDelegation_1.SecureDelegation.AccessLevelEnum;
24
- var initMasterApi = test_utils_1.TestUtils.initMasterApi;
25
- (0, test_utils_1.setLocalStorage)(fetch);
26
- (0, chai_1.use)(chaiAsPromised);
27
- let env;
28
- const untrustedKeyPropId = 'untrustedKey';
29
- class TrustedKeysStrategy {
30
- constructor(parentKeys, selfKeys, options = {}) {
31
- this.parentKeys = parentKeys;
32
- this.selfKeys = selfKeys;
33
- this.options = options;
34
- }
35
- dataOwnerRequiresAnonymousDelegation(dataOwner) {
36
- return dataOwner.type != DataOwnerTypeEnum_1.DataOwnerTypeEnum.Hcp;
37
- }
38
- recoverAndVerifySelfHierarchyKeys(keysData, cryptoPrimitives, keyPairRecoverer) {
39
- return __awaiter(this, void 0, void 0, function* () {
40
- if (this.options.failRecoverAndVerifySelfHierarchyKeys) {
41
- throw new Error("Shouldn't call this method now");
42
- }
43
- (0, chai_1.expect)(keysData).to.have.length(2);
44
- const parentKeysWithFp = yield Promise.all(this.parentKeys.map((k) => __awaiter(this, void 0, void 0, function* () {
45
- return ({
46
- trusted: k.trusted,
47
- fp: (0, utils_1.fingerprintV1)(k.pub),
48
- keypair: yield cryptoPrimitives.RSA.importKeyPair('pkcs8', (0, icc_x_api_1.ua2ab)((0, icc_x_api_1.hex2ua)(k.priv)), 'spki', (0, icc_x_api_1.ua2ab)((0, icc_x_api_1.hex2ua)(k.pub)), k.shaVersion),
49
- });
50
- })));
51
- const selfKeysWithFp = yield Promise.all(this.selfKeys.map((k) => __awaiter(this, void 0, void 0, function* () {
52
- return ({
53
- trusted: k.trusted,
54
- fp: (0, utils_1.fingerprintV1)(k.pub),
55
- keypair: yield cryptoPrimitives.RSA.importKeyPair('pkcs8', (0, icc_x_api_1.ua2ab)((0, icc_x_api_1.hex2ua)(k.priv)), 'spki', (0, icc_x_api_1.ua2ab)((0, icc_x_api_1.hex2ua)(k.pub)), k.shaVersion),
56
- });
57
- })));
58
- return {
59
- [keysData[0].dataOwner.dataOwner.id]: {
60
- recoveredKeys: Object.fromEntries(parentKeysWithFp.map((k) => [k.fp, k.keypair])),
61
- keyAuthenticity: Object.fromEntries(parentKeysWithFp.map((k) => [k.fp, k.trusted])),
62
- },
63
- [keysData[1].dataOwner.dataOwner.id]: {
64
- recoveredKeys: Object.fromEntries(selfKeysWithFp.map((k) => [k.fp, k.keypair])),
65
- keyAuthenticity: Object.fromEntries(selfKeysWithFp.map((k) => [k.fp, k.trusted])),
66
- },
67
- };
68
- });
69
- }
70
- verifyDelegatePublicKeys(delegate, publicKeys, cryptoPrimitives) {
71
- var _a;
72
- const untrusted = new Set((_a = delegate.stub.cryptoActorProperties) === null || _a === void 0 ? void 0 : _a.flatMap((p) => {
73
- var _a;
74
- if (p.id == untrustedKeyPropId && ((_a = p.typedValue) === null || _a === void 0 ? void 0 : _a.stringValue) != undefined) {
75
- return [p.typedValue.stringValue];
76
- }
77
- else {
78
- return [];
79
- }
80
- }));
81
- return Promise.resolve(publicKeys.filter((k) => !untrusted.has((0, utils_1.fingerprintV2)(k))));
82
- }
83
- generateNewKeyForDataOwner(self, cryptoPrimitives) {
84
- if (this.options.overrideGenerateNewKeyForDataOwner) {
85
- return this.options.overrideGenerateNewKeyForDataOwner();
86
- }
87
- return Promise.reject(new Error('Should not be called now'));
88
- }
89
- }
90
- describe('CSM-729', function () {
91
- return __awaiter(this, void 0, void 0, function* () {
92
- before(function () {
93
- return __awaiter(this, void 0, void 0, function* () {
94
- this.timeout(600000);
95
- const initializer = yield (0, test_utils_1.getEnvironmentInitializer)();
96
- env = yield initializer.execute((0, types_1.getEnvVariables)());
97
- });
98
- });
99
- it('User with untrusted key', function () {
100
- return __awaiter(this, void 0, void 0, function* () {
101
- const { grandCredentials: parent, parentCredentials: hcp } = yield (0, test_utils_1.createHcpHierarchyApis)(env);
102
- // Create some data to use the original keys
103
- const initialApi = yield icc_x_api_1.IcureApi.initialise(env.iCureUrl, { username: hcp.user, password: hcp.password }, new TrustedKeysStrategy([{ priv: parent.privateKey, pub: parent.publicKey, trusted: true, shaVersion: icc_x_api_1.ShaVersion.Sha1 }], [{ priv: hcp.privateKey, pub: hcp.publicKey, trusted: true, shaVersion: icc_x_api_1.ShaVersion.Sha1 }]), crypto_1.webcrypto, fetch, {
104
- storage: new TestStorage_1.TestStorage(),
105
- keyStorage: new TestStorage_1.TestKeyStorage(),
106
- });
107
- const user = yield initialApi.userApi.getCurrentUser();
108
- const pat1 = yield initialApi.patientApi.createPatientWithUser(user, yield initialApi.patientApi.newInstance(user, {
109
- firstName: 'John',
110
- lastName: 'Doe',
111
- note: 'Secret note',
112
- }, {
113
- additionalDelegates: { [parent.dataOwnerId]: AccessLevelEnum.WRITE },
114
- }));
115
- // Check exchange data was created as expected
116
- const selfSelfXdata = yield initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, hcp.dataOwnerId);
117
- const selfParentXdata = yield initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, parent.dataOwnerId);
118
- (0, chai_1.expect)(selfSelfXdata).to.not.be.undefined;
119
- (0, chai_1.expect)(selfParentXdata).to.not.be.undefined;
120
- (0, chai_1.expect)(selfSelfXdata).to.have.length(1);
121
- (0, chai_1.expect)(selfParentXdata).to.have.length(1);
122
- // Prepare for new api with untrusted key
123
- //// Mark self hcp keys as untrusted
124
- let selfHcp = yield initialApi.healthcarePartyApi.getCurrentHealthcareParty();
125
- selfHcp = yield initialApi.healthcarePartyApi.modifyHealthcareParty(Object.assign(Object.assign({}, selfHcp), { cryptoActorProperties: [
126
- ...(selfHcp.cryptoActorProperties || []),
127
- {
128
- id: untrustedKeyPropId,
129
- typedValue: { stringValue: (0, utils_1.fingerprintV2)(hcp.publicKey) },
130
- },
131
- ] }));
132
- //// Mark parent hcp keys as untrusted and add new key (currently can't be done through crypto strategies)
133
- const newParentKey = yield initialApi.cryptoApi.primitives.RSA.generateKeyPair(icc_x_api_1.ShaVersion.Sha256);
134
- const newParentKeySpki = (0, icc_x_api_1.ua2hex)(yield initialApi.cryptoApi.primitives.RSA.exportKey(newParentKey.publicKey, 'spki'));
135
- const newParentKeyPkcs8 = (0, icc_x_api_1.ua2hex)(yield initialApi.cryptoApi.primitives.RSA.exportKey(newParentKey.privateKey, 'pkcs8'));
136
- const adminApi = yield initMasterApi(env);
137
- let parentHcp = yield adminApi.healthcarePartyApi.getHealthcareParty(parent.dataOwnerId);
138
- parentHcp = yield adminApi.healthcarePartyApi.modifyHealthcareParty(Object.assign(Object.assign({}, parentHcp), { cryptoActorProperties: [
139
- ...(parentHcp.cryptoActorProperties || []),
140
- {
141
- id: untrustedKeyPropId,
142
- typedValue: { stringValue: (0, utils_1.fingerprintV2)(parent.publicKey) },
143
- },
144
- ], publicKeysForOaepWithSha256: [...(parentHcp.publicKeysForOaepWithSha256 || []), newParentKeySpki] }));
145
- //// No need to invalidate exchange data, as untrusted keys are not used to validate it
146
- // Setup new api
147
- let didCreateNewKey = false;
148
- const newHcpKey = yield initialApi.cryptoApi.primitives.RSA.generateKeyPair(icc_x_api_1.ShaVersion.Sha256);
149
- const newHcpKeySpki = (0, icc_x_api_1.ua2hex)(yield initialApi.cryptoApi.primitives.RSA.exportKey(newHcpKey.publicKey, 'spki'));
150
- const newHcpKeyPkcs8 = (0, icc_x_api_1.ua2hex)(yield initialApi.cryptoApi.primitives.RSA.exportKey(newHcpKey.privateKey, 'pkcs8'));
151
- const apiWithUntrustedKeysStorages = {
152
- // Using a new storage, simulates wiping the local storage
153
- storage: new TestStorage_1.TestStorage(),
154
- keyStorage: new TestStorage_1.TestKeyStorage(),
155
- };
156
- const apiWithUntrustedKey = yield icc_x_api_1.IcureApi.initialise(env.iCureUrl, { username: hcp.user, password: hcp.password }, new TrustedKeysStrategy([
157
- { priv: parent.privateKey, pub: parent.publicKey, trusted: false, shaVersion: icc_x_api_1.ShaVersion.Sha1 },
158
- { priv: newParentKeyPkcs8, pub: newParentKeySpki, trusted: true, shaVersion: icc_x_api_1.ShaVersion.Sha256 },
159
- ], [{ priv: hcp.privateKey, pub: hcp.publicKey, trusted: false, shaVersion: icc_x_api_1.ShaVersion.Sha1 }], {
160
- overrideGenerateNewKeyForDataOwner: () => {
161
- didCreateNewKey = true;
162
- return Promise.resolve(newHcpKey);
163
- },
164
- }), crypto_1.webcrypto, fetch, apiWithUntrustedKeysStorages);
165
- (0, chai_1.expect)(didCreateNewKey).to.eq(true);
166
- // Check all keys are available but only new keys are trusted
167
- (0, chai_1.expect)(yield apiWithUntrustedKey.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(yield apiWithUntrustedKey.healthcarePartyApi.getHealthcareParty(hcp.dataOwnerId))).to.have.members([newHcpKeySpki]);
168
- (0, chai_1.expect)(yield apiWithUntrustedKey.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(yield apiWithUntrustedKey.healthcarePartyApi.getHealthcareParty(parent.dataOwnerId))).to.have.members([newParentKeySpki]);
169
- (0, chai_1.expect)(yield apiWithUntrustedKey.cryptoApi.userKeysManager.getCurrentUserHierarchyAvailablePublicKeysHex()).to.have.members([
170
- newHcpKeySpki,
171
- hcp.publicKey,
172
- parent.publicKey,
173
- newParentKeySpki,
174
- ]);
175
- (0, chai_1.expect)(yield apiWithUntrustedKey.cryptoApi.userKeysManager.getCurrentUserAvailablePublicKeysHex(false)).to.have.members([
176
- newHcpKeySpki,
177
- hcp.publicKey,
178
- ]);
179
- // Check can still read old data
180
- const pat1Recovered = yield apiWithUntrustedKey.patientApi.getPatientWithUser(user, pat1.id);
181
- (0, chai_1.expect)(pat1Recovered.note).to.eq('Secret note');
182
- // Check can create new data
183
- const pat2 = yield initialApi.patientApi.createPatientWithUser(user, yield initialApi.patientApi.newInstance(user, {
184
- firstName: 'Joe',
185
- lastName: 'Doe',
186
- note: 'Secret note',
187
- }, {
188
- additionalDelegates: { [parent.dataOwnerId]: AccessLevelEnum.WRITE },
189
- }));
190
- // Check created new exchange data and only used the new trusted keys for it
191
- const selfSelfXdata2 = yield initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, hcp.dataOwnerId);
192
- const selfParentXdata2 = yield initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, parent.dataOwnerId);
193
- (0, chai_1.expect)(selfSelfXdata2).to.not.be.undefined;
194
- (0, chai_1.expect)(selfParentXdata2).to.not.be.undefined;
195
- (0, chai_1.expect)(selfSelfXdata2).to.have.length(2);
196
- (0, chai_1.expect)(selfParentXdata2).to.have.length(2);
197
- const newSelfSelfXdata = selfSelfXdata2.filter((xd) => xd.id !== selfSelfXdata[0].id);
198
- (0, chai_1.expect)(newSelfSelfXdata).to.have.length(1);
199
- const newSelfSelfXDataUsedFps = Object.keys(newSelfSelfXdata[0].exchangeKey);
200
- (0, chai_1.expect)(newSelfSelfXDataUsedFps).to.have.length(1);
201
- (0, chai_1.expect)(newSelfSelfXDataUsedFps[0]).to.eq((0, utils_1.fingerprintV2)(newHcpKeySpki));
202
- const newSelfParentXdata = selfParentXdata2.filter((xd) => xd.id !== selfParentXdata[0].id);
203
- (0, chai_1.expect)(newSelfParentXdata).to.have.length(1);
204
- const newSelfParentXDataUsedFps = Object.keys(newSelfParentXdata[0].exchangeKey);
205
- (0, chai_1.expect)(newSelfParentXDataUsedFps).to.have.length(2);
206
- (0, chai_1.expect)(newSelfParentXDataUsedFps).to.have.members([(0, utils_1.fingerprintV2)(newHcpKeySpki), (0, utils_1.fingerprintV2)(newParentKeySpki)]);
207
- // Check after reinitialization with keys already in storage the "verified" situation is unchanged.
208
- const apiWithUntrustedKey2 = yield icc_x_api_1.IcureApi.initialise(env.iCureUrl, { username: hcp.user, password: hcp.password }, new TrustedKeysStrategy([], [], { failRecoverAndVerifySelfHierarchyKeys: true }), crypto_1.webcrypto, fetch, apiWithUntrustedKeysStorages);
209
- (0, chai_1.expect)(yield apiWithUntrustedKey2.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(yield apiWithUntrustedKey2.healthcarePartyApi.getHealthcareParty(hcp.dataOwnerId))).to.have.members([newHcpKeySpki]);
210
- (0, chai_1.expect)(yield apiWithUntrustedKey2.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(yield apiWithUntrustedKey2.healthcarePartyApi.getHealthcareParty(parent.dataOwnerId))).to.have.members([newParentKeySpki]);
211
- (0, chai_1.expect)(yield apiWithUntrustedKey2.cryptoApi.userKeysManager.getCurrentUserHierarchyAvailablePublicKeysHex()).to.have.members([
212
- newHcpKeySpki,
213
- hcp.publicKey,
214
- parent.publicKey,
215
- newParentKeySpki,
216
- ]);
217
- (0, chai_1.expect)(yield apiWithUntrustedKey2.cryptoApi.userKeysManager.getCurrentUserAvailablePublicKeysHex(false)).to.have.members([
218
- newHcpKeySpki,
219
- hcp.publicKey,
220
- ]);
221
- });
222
- });
223
- });
224
- });
225
- //# sourceMappingURL=CSM-729.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"CSM-729.js","sourceRoot":"","sources":["../../../test/support/CSM-729.ts"],"names":[],"mappings":";;;;;;;;;;;AAAA,oDAAmH;AACnH,+CAA0H;AAC1H,+BAA6C;AAC7C,4BAAyB;AACzB,mDAAmE;AACnE,mDAAkD;AAClD,wDAA2E;AAI3E,6EAAyE;AACzE,mCAAkC;AAClC,sDAAkE;AAClE,2EAAuE;AACvE,IAAO,eAAe,GAAG,mCAAgB,CAAC,eAAe,CAAA;AACzD,IAAO,aAAa,GAAG,sBAAS,CAAC,aAAa,CAAA;AAE9C,IAAA,4BAAe,EAAC,KAAK,CAAC,CAAA;AAEtB,IAAA,UAAO,EAAC,cAAc,CAAC,CAAA;AAEvB,IAAI,GAAa,CAAA;AAEjB,MAAM,kBAAkB,GAAG,cAAc,CAAA;AAEzC,MAAM,mBAAmB;IACvB,YACmB,UAAqF,EACrF,QAAmF,EACnF,UAGb,EAAE;QALW,eAAU,GAAV,UAAU,CAA2E;QACrF,aAAQ,GAAR,QAAQ,CAA2E;QACnF,YAAO,GAAP,OAAO,CAGlB;IACL,CAAC;IAEJ,oCAAoC,CAAC,SAAkC;QACrE,OAAO,SAAS,CAAC,IAAI,IAAI,qCAAiB,CAAC,GAAG,CAAA;IAChD,CAAC;IAEK,iCAAiC,CACrC,QAIG,EACH,gBAAkC,EAClC,gBAAkC;;YAIlC,IAAI,IAAI,CAAC,OAAO,CAAC,qCAAqC,EAAE,CAAC;gBACvD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;YACnD,CAAC;YACD,IAAA,aAAM,EAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;YAClC,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,GAAG,CACxC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAO,CAAC,EAAE,EAAE;gBAAC,OAAA,CAAC;oBAChC,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,EAAE,EAAE,IAAA,qBAAa,EAAC,CAAC,CAAC,GAAG,CAAC;oBACxB,OAAO,EAAE,MAAM,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,OAAO,EAAE,IAAA,iBAAK,EAAC,IAAA,kBAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,IAAA,iBAAK,EAAC,IAAA,kBAAM,EAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC;iBAC9H,CAAC,CAAA;cAAA,CAAC,CACJ,CAAA;YACD,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,CACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAO,CAAC,EAAE,EAAE;gBAAC,OAAA,CAAC;oBAC9B,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,EAAE,EAAE,IAAA,qBAAa,EAAC,CAAC,CAAC,GAAG,CAAC;oBACxB,OAAO,EAAE,MAAM,gBAAgB,CAAC,GAAG,CAAC,aAAa,CAAC,OAAO,EAAE,IAAA,iBAAK,EAAC,IAAA,kBAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,IAAA,iBAAK,EAAC,IAAA,kBAAM,EAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC;iBAC9H,CAAC,CAAA;cAAA,CAAC,CACJ,CAAA;YACD,OAAO;gBACL,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,EAAG,CAAC,EAAE;oBACrC,aAAa,EAAE,MAAM,CAAC,WAAW,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;oBACjF,eAAe,EAAE,MAAM,CAAC,WAAW,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;iBACpF;gBACD,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,EAAG,CAAC,EAAE;oBACrC,aAAa,EAAE,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;oBAC/E,eAAe,EAAE,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;iBAClF;aACF,CAAA;QACH,CAAC;KAAA;IAED,wBAAwB,CAAC,QAAiC,EAAE,UAAoB,EAAE,gBAAkC;;QAClH,MAAM,SAAS,GAAG,IAAI,GAAG,CACvB,MAAA,QAAQ,CAAC,IAAI,CAAC,qBAAqB,0CAAE,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;;YACjD,IAAI,CAAC,CAAC,EAAE,IAAI,kBAAkB,IAAI,CAAA,MAAA,CAAC,CAAC,UAAU,0CAAE,WAAW,KAAI,SAAS,EAAE,CAAC;gBACzE,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;YACnC,CAAC;iBAAM,CAAC;gBACN,OAAO,EAAE,CAAA;YACX,CAAC;QACH,CAAC,CAAC,CACH,CAAA;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,IAAA,qBAAa,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IACpF,CAAC;IAED,0BAA0B,CAAC,IAAuB,EAAE,gBAAkC;QACpF,IAAI,IAAI,CAAC,OAAO,CAAC,kCAAkC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC,OAAO,CAAC,kCAAkC,EAAE,CAAA;QAC1D,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAA;IAC9D,CAAC;CACF;AAED,QAAQ,CAAC,SAAS,EAAE;;QAClB,MAAM,CAAC;;gBACL,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;gBACpB,MAAM,WAAW,GAAG,MAAM,IAAA,sCAAyB,GAAE,CAAA;gBACrD,GAAG,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,IAAA,uBAAe,GAAE,CAAC,CAAA;YACpD,CAAC;SAAA,CAAC,CAAA;QAEF,EAAE,CAAC,yBAAyB,EAAE;;gBAC5B,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,iBAAiB,EAAE,GAAG,EAAE,GAAG,MAAM,IAAA,mCAAsB,EAAC,GAAG,CAAC,CAAA;gBAC9F,4CAA4C;gBAC5C,MAAM,UAAU,GAAG,MAAM,oBAAQ,CAAC,UAAU,CAC1C,GAAG,CAAC,QAAQ,EACZ,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAC9C,IAAI,mBAAmB,CACrB,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,EAAE,GAAG,EAAE,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,sBAAU,CAAC,IAAI,EAAE,CAAC,EAChG,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,sBAAU,CAAC,IAAI,EAAE,CAAC,CAC3F,EACD,kBAAgB,EAChB,KAAK,EACL;oBACE,OAAO,EAAE,IAAI,yBAAW,EAAE;oBAC1B,UAAU,EAAE,IAAI,4BAAc,EAAE;iBACjC,CACF,CAAA;gBACD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,cAAc,EAAE,CAAA;gBACtD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,qBAAqB,CAC5D,IAAI,EACJ,MAAM,UAAU,CAAC,UAAU,CAAC,WAAW,CACrC,IAAI,EACJ;oBACE,SAAS,EAAE,MAAM;oBACjB,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,aAAa;iBACpB,EACD;oBACE,mBAAmB,EAAE,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,eAAe,CAAC,KAAK,EAAE;iBACrE,CACF,CACF,CAAA;gBACD,8CAA8C;gBAC9C,MAAM,aAAa,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC3I,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAA;gBAChJ,IAAA,aAAM,EAAC,aAAa,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAA;gBACzC,IAAA,aAAM,EAAC,eAAe,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAA;gBAC3C,IAAA,aAAM,EAAC,aAAa,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBACvC,IAAA,aAAM,EAAC,eAAe,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBACzC,yCAAyC;gBACzC,oCAAoC;gBACpC,IAAI,OAAO,GAAG,MAAM,UAAU,CAAC,kBAAkB,CAAC,yBAAyB,EAAE,CAAA;gBAC7E,OAAO,GAAG,MAAM,UAAU,CAAC,kBAAkB,CAAC,qBAAqB,iCAC9D,OAAO,KACV,qBAAqB,EAAE;wBACrB,GAAG,CAAC,OAAO,CAAC,qBAAqB,IAAI,EAAE,CAAC;wBACxC;4BACE,EAAE,EAAE,kBAAkB;4BACtB,UAAU,EAAE,EAAE,WAAW,EAAE,IAAA,qBAAa,EAAC,GAAG,CAAC,SAAS,CAAC,EAAE;yBAC1D;qBACF,IACD,CAAA;gBACF,0GAA0G;gBAC1G,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,sBAAU,CAAC,MAAM,CAAC,CAAA;gBACjG,MAAM,gBAAgB,GAAG,IAAA,kBAAM,EAAC,MAAM,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAA;gBACpH,MAAM,iBAAiB,GAAG,IAAA,kBAAM,EAAC,MAAM,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAA;gBACvH,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAA;gBACzC,IAAI,SAAS,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;gBACxF,SAAS,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,qBAAqB,iCAE9D,SAAS,KACZ,qBAAqB,EAAE;wBACrB,GAAG,CAAC,SAAS,CAAC,qBAAqB,IAAI,EAAE,CAAC;wBAC1C;4BACE,EAAE,EAAE,kBAAkB;4BACtB,UAAU,EAAE,EAAE,WAAW,EAAE,IAAA,qBAAa,EAAC,MAAM,CAAC,SAAS,CAAC,EAAE;yBAC7D;qBACF,EACD,2BAA2B,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,2BAA2B,IAAI,EAAE,CAAC,EAAE,gBAAgB,CAAC,IACjG,CAAA;gBACF,uFAAuF;gBACvF,gBAAgB;gBAChB,IAAI,eAAe,GAAG,KAAK,CAAA;gBAC3B,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,eAAe,CAAC,sBAAU,CAAC,MAAM,CAAC,CAAA;gBAC9F,MAAM,aAAa,GAAG,IAAA,kBAAM,EAAC,MAAM,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAA;gBAC9G,MAAM,cAAc,GAAG,IAAA,kBAAM,EAAC,MAAM,UAAU,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAA;gBACjH,MAAM,4BAA4B,GAAG;oBACnC,0DAA0D;oBAC1D,OAAO,EAAE,IAAI,yBAAW,EAAE;oBAC1B,UAAU,EAAE,IAAI,4BAAc,EAAE;iBACjC,CAAA;gBACD,MAAM,mBAAmB,GAAG,MAAM,oBAAQ,CAAC,UAAU,CACnD,GAAG,CAAC,QAAQ,EACZ,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAC9C,IAAI,mBAAmB,CACrB;oBACE,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,EAAE,GAAG,EAAE,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,sBAAU,CAAC,IAAI,EAAE;oBAC/F,EAAE,IAAI,EAAE,iBAAiB,EAAE,GAAG,EAAE,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,sBAAU,CAAC,MAAM,EAAE;iBACjG,EACD,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,sBAAU,CAAC,IAAI,EAAE,CAAC,EAC3F;oBACE,kCAAkC,EAAE,GAAG,EAAE;wBACvC,eAAe,GAAG,IAAI,CAAA;wBACtB,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;oBACnC,CAAC;iBACF,CACF,EACD,kBAAgB,EAChB,KAAK,EACL,4BAA4B,CAC7B,CAAA;gBACD,IAAA,aAAM,EAAC,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAA;gBACnC,6DAA6D;gBAC7D,IAAA,aAAM,EACJ,MAAM,mBAAmB,CAAC,SAAS,CAAC,eAAe,CAAC,wBAAwB,CAC1E,MAAM,mBAAmB,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,GAAG,CAAC,WAAW,CAAC,CACjF,CACF,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAA;gBAClC,IAAA,aAAM,EACJ,MAAM,mBAAmB,CAAC,SAAS,CAAC,eAAe,CAAC,wBAAwB,CAC1E,MAAM,mBAAmB,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CACpF,CACF,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAA;gBACrC,IAAA,aAAM,EAAC,MAAM,mBAAmB,CAAC,SAAS,CAAC,eAAe,CAAC,6CAA6C,EAAE,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC1H,aAAa;oBACb,GAAG,CAAC,SAAS;oBACb,MAAM,CAAC,SAAS;oBAChB,gBAAgB;iBACjB,CAAC,CAAA;gBACF,IAAA,aAAM,EAAC,MAAM,mBAAmB,CAAC,SAAS,CAAC,eAAe,CAAC,oCAAoC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;oBACtH,aAAa;oBACb,GAAG,CAAC,SAAS;iBACd,CAAC,CAAA;gBACF,gCAAgC;gBAChC,MAAM,aAAa,GAAG,MAAM,mBAAmB,CAAC,UAAU,CAAC,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,EAAG,CAAC,CAAA;gBAC7F,IAAA,aAAM,EAAC,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,aAAa,CAAC,CAAA;gBAC/C,4BAA4B;gBAC5B,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,qBAAqB,CAC5D,IAAI,EACJ,MAAM,UAAU,CAAC,UAAU,CAAC,WAAW,CACrC,IAAI,EACJ;oBACE,SAAS,EAAE,KAAK;oBAChB,QAAQ,EAAE,KAAK;oBACf,IAAI,EAAE,aAAa;iBACpB,EACD;oBACE,mBAAmB,EAAE,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,eAAe,CAAC,KAAK,EAAE;iBACrE,CACF,CACF,CAAA;gBACD,4EAA4E;gBAC5E,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC5I,MAAM,gBAAgB,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,sCAAsC,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAA;gBACjJ,IAAA,aAAM,EAAC,cAAc,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAA;gBAC1C,IAAA,aAAM,EAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,SAAS,CAAA;gBAC5C,IAAA,aAAM,EAAC,cAAc,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBACxC,IAAA,aAAM,EAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBAC1C,MAAM,gBAAgB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,CAAE,CAAA;gBACtF,IAAA,aAAM,EAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBAC1C,MAAM,uBAAuB,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;gBAC5E,IAAA,aAAM,EAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBACjD,IAAA,aAAM,EAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,IAAA,qBAAa,EAAC,aAAa,CAAC,CAAC,CAAA;gBACtE,MAAM,kBAAkB,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC,CAAC,CAAC,EAAE,CAAE,CAAA;gBAC5F,IAAA,aAAM,EAAC,kBAAkB,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBAC5C,MAAM,yBAAyB,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;gBAChF,IAAA,aAAM,EAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;gBACnD,IAAA,aAAM,EAAC,yBAAyB,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAA,qBAAa,EAAC,aAAa,CAAC,EAAE,IAAA,qBAAa,EAAC,gBAAgB,CAAC,CAAC,CAAC,CAAA;gBAClH,mGAAmG;gBACnG,MAAM,oBAAoB,GAAG,MAAM,oBAAQ,CAAC,UAAU,CACpD,GAAG,CAAC,QAAQ,EACZ,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAC9C,IAAI,mBAAmB,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,qCAAqC,EAAE,IAAI,EAAE,CAAC,EAChF,kBAAgB,EAChB,KAAK,EACL,4BAA4B,CAC7B,CAAA;gBACD,IAAA,aAAM,EACJ,MAAM,oBAAoB,CAAC,SAAS,CAAC,eAAe,CAAC,wBAAwB,CAC3E,MAAM,oBAAoB,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,GAAG,CAAC,WAAW,CAAC,CAClF,CACF,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAA;gBAClC,IAAA,aAAM,EACJ,MAAM,oBAAoB,CAAC,SAAS,CAAC,eAAe,CAAC,wBAAwB,CAC3E,MAAM,oBAAoB,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAAC,CACrF,CACF,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAA;gBACrC,IAAA,aAAM,EAAC,MAAM,oBAAoB,CAAC,SAAS,CAAC,eAAe,CAAC,6CAA6C,EAAE,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;oBAC3H,aAAa;oBACb,GAAG,CAAC,SAAS;oBACb,MAAM,CAAC,SAAS;oBAChB,gBAAgB;iBACjB,CAAC,CAAA;gBACF,IAAA,aAAM,EAAC,MAAM,oBAAoB,CAAC,SAAS,CAAC,eAAe,CAAC,oCAAoC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;oBACvH,aAAa;oBACb,GAAG,CAAC,SAAS;iBACd,CAAC,CAAA;YACJ,CAAC;SAAA,CAAC,CAAA;IACJ,CAAC;CAAA,CAAC,CAAA","sourcesContent":["import { createHcpHierarchyApis, getEnvironmentInitializer, setLocalStorage, TestUtils } from '../utils/test_utils'\nimport { CryptoPrimitives, CryptoStrategies, hex2ua, IcureApi, KeyPair, ShaVersion, ua2ab, ua2hex } from '../../icc-x-api'\nimport { expect, use as chaiUse } from 'chai'\nimport 'isomorphic-fetch'\nimport { getEnvVariables, TestVars } from '@icure/test-setup/types'\nimport * as chaiAsPromised from 'chai-as-promised'\nimport { fingerprintV1, fingerprintV2 } from '../../icc-x-api/crypto/utils'\nimport { KeyPairRecoverer } from '../../icc-x-api/crypto/KeyPairRecoverer'\nimport { CryptoActorStubWithType } from '../../icc-api/model/CryptoActorStub'\nimport { DataOwnerWithType } from '../../icc-api/model/DataOwnerWithType'\nimport { DataOwnerTypeEnum } from '../../icc-api/model/DataOwnerTypeEnum'\nimport { webcrypto } from 'crypto'\nimport { TestKeyStorage, TestStorage } from '../utils/TestStorage'\nimport { SecureDelegation } from '../../icc-api/model/SecureDelegation'\nimport AccessLevelEnum = SecureDelegation.AccessLevelEnum\nimport initMasterApi = TestUtils.initMasterApi\n\nsetLocalStorage(fetch)\n\nchaiUse(chaiAsPromised)\n\nlet env: TestVars\n\nconst untrustedKeyPropId = 'untrustedKey'\n\nclass TrustedKeysStrategy implements CryptoStrategies {\n constructor(\n private readonly parentKeys: { pub: string; priv: string; trusted: boolean; shaVersion: ShaVersion }[],\n private readonly selfKeys: { pub: string; priv: string; trusted: boolean; shaVersion: ShaVersion }[],\n private readonly options: {\n failRecoverAndVerifySelfHierarchyKeys?: boolean\n overrideGenerateNewKeyForDataOwner?: () => Promise<KeyPair<CryptoKey> | boolean | 'keyless'>\n } = {}\n ) {}\n\n dataOwnerRequiresAnonymousDelegation(dataOwner: CryptoActorStubWithType): boolean {\n return dataOwner.type != DataOwnerTypeEnum.Hcp\n }\n\n async recoverAndVerifySelfHierarchyKeys(\n keysData: {\n dataOwner: DataOwnerWithType\n unknownKeys: string[]\n unavailableKeys: string[]\n }[],\n cryptoPrimitives: CryptoPrimitives,\n keyPairRecoverer: KeyPairRecoverer\n ): Promise<{\n [p: string]: { recoveredKeys: { [p: string]: KeyPair<CryptoKey> }; keyAuthenticity: { [p: string]: boolean } }\n }> {\n if (this.options.failRecoverAndVerifySelfHierarchyKeys) {\n throw new Error(\"Shouldn't call this method now\")\n }\n expect(keysData).to.have.length(2)\n const parentKeysWithFp = await Promise.all(\n this.parentKeys.map(async (k) => ({\n trusted: k.trusted,\n fp: fingerprintV1(k.pub),\n keypair: await cryptoPrimitives.RSA.importKeyPair('pkcs8', ua2ab(hex2ua(k.priv)), 'spki', ua2ab(hex2ua(k.pub)), k.shaVersion),\n }))\n )\n const selfKeysWithFp = await Promise.all(\n this.selfKeys.map(async (k) => ({\n trusted: k.trusted,\n fp: fingerprintV1(k.pub),\n keypair: await cryptoPrimitives.RSA.importKeyPair('pkcs8', ua2ab(hex2ua(k.priv)), 'spki', ua2ab(hex2ua(k.pub)), k.shaVersion),\n }))\n )\n return {\n [keysData[0].dataOwner.dataOwner.id!]: {\n recoveredKeys: Object.fromEntries(parentKeysWithFp.map((k) => [k.fp, k.keypair])),\n keyAuthenticity: Object.fromEntries(parentKeysWithFp.map((k) => [k.fp, k.trusted])),\n },\n [keysData[1].dataOwner.dataOwner.id!]: {\n recoveredKeys: Object.fromEntries(selfKeysWithFp.map((k) => [k.fp, k.keypair])),\n keyAuthenticity: Object.fromEntries(selfKeysWithFp.map((k) => [k.fp, k.trusted])),\n },\n }\n }\n\n verifyDelegatePublicKeys(delegate: CryptoActorStubWithType, publicKeys: string[], cryptoPrimitives: CryptoPrimitives): Promise<string[]> {\n const untrusted = new Set(\n delegate.stub.cryptoActorProperties?.flatMap((p) => {\n if (p.id == untrustedKeyPropId && p.typedValue?.stringValue != undefined) {\n return [p.typedValue.stringValue]\n } else {\n return []\n }\n })\n )\n return Promise.resolve(publicKeys.filter((k) => !untrusted.has(fingerprintV2(k))))\n }\n\n generateNewKeyForDataOwner(self: DataOwnerWithType, cryptoPrimitives: CryptoPrimitives): Promise<KeyPair<CryptoKey> | boolean | 'keyless'> {\n if (this.options.overrideGenerateNewKeyForDataOwner) {\n return this.options.overrideGenerateNewKeyForDataOwner()\n }\n return Promise.reject(new Error('Should not be called now'))\n }\n}\n\ndescribe('CSM-729', async function () {\n before(async function () {\n this.timeout(600000)\n const initializer = await getEnvironmentInitializer()\n env = await initializer.execute(getEnvVariables())\n })\n\n it('User with untrusted key', async function () {\n const { grandCredentials: parent, parentCredentials: hcp } = await createHcpHierarchyApis(env)\n // Create some data to use the original keys\n const initialApi = await IcureApi.initialise(\n env.iCureUrl,\n { username: hcp.user, password: hcp.password },\n new TrustedKeysStrategy(\n [{ priv: parent.privateKey, pub: parent.publicKey, trusted: true, shaVersion: ShaVersion.Sha1 }],\n [{ priv: hcp.privateKey, pub: hcp.publicKey, trusted: true, shaVersion: ShaVersion.Sha1 }]\n ),\n webcrypto as any,\n fetch,\n {\n storage: new TestStorage(),\n keyStorage: new TestKeyStorage(),\n }\n )\n const user = await initialApi.userApi.getCurrentUser()\n const pat1 = await initialApi.patientApi.createPatientWithUser(\n user,\n await initialApi.patientApi.newInstance(\n user,\n {\n firstName: 'John',\n lastName: 'Doe',\n note: 'Secret note',\n },\n {\n additionalDelegates: { [parent.dataOwnerId]: AccessLevelEnum.WRITE },\n }\n )\n )\n // Check exchange data was created as expected\n const selfSelfXdata = await initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, hcp.dataOwnerId)\n const selfParentXdata = await initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, parent.dataOwnerId)\n expect(selfSelfXdata).to.not.be.undefined\n expect(selfParentXdata).to.not.be.undefined\n expect(selfSelfXdata).to.have.length(1)\n expect(selfParentXdata).to.have.length(1)\n // Prepare for new api with untrusted key\n //// Mark self hcp keys as untrusted\n let selfHcp = await initialApi.healthcarePartyApi.getCurrentHealthcareParty()\n selfHcp = await initialApi.healthcarePartyApi.modifyHealthcareParty({\n ...selfHcp,\n cryptoActorProperties: [\n ...(selfHcp.cryptoActorProperties || []),\n {\n id: untrustedKeyPropId,\n typedValue: { stringValue: fingerprintV2(hcp.publicKey) },\n },\n ],\n })\n //// Mark parent hcp keys as untrusted and add new key (currently can't be done through crypto strategies)\n const newParentKey = await initialApi.cryptoApi.primitives.RSA.generateKeyPair(ShaVersion.Sha256)\n const newParentKeySpki = ua2hex(await initialApi.cryptoApi.primitives.RSA.exportKey(newParentKey.publicKey, 'spki'))\n const newParentKeyPkcs8 = ua2hex(await initialApi.cryptoApi.primitives.RSA.exportKey(newParentKey.privateKey, 'pkcs8'))\n const adminApi = await initMasterApi(env)\n let parentHcp = await adminApi.healthcarePartyApi.getHealthcareParty(parent.dataOwnerId)\n parentHcp = await adminApi.healthcarePartyApi.modifyHealthcareParty({\n // Hcp normally doesn't have right to modify parent, depends on permissions\n ...parentHcp,\n cryptoActorProperties: [\n ...(parentHcp.cryptoActorProperties || []),\n {\n id: untrustedKeyPropId,\n typedValue: { stringValue: fingerprintV2(parent.publicKey) },\n },\n ],\n publicKeysForOaepWithSha256: [...(parentHcp.publicKeysForOaepWithSha256 || []), newParentKeySpki],\n })\n //// No need to invalidate exchange data, as untrusted keys are not used to validate it\n // Setup new api\n let didCreateNewKey = false\n const newHcpKey = await initialApi.cryptoApi.primitives.RSA.generateKeyPair(ShaVersion.Sha256)\n const newHcpKeySpki = ua2hex(await initialApi.cryptoApi.primitives.RSA.exportKey(newHcpKey.publicKey, 'spki'))\n const newHcpKeyPkcs8 = ua2hex(await initialApi.cryptoApi.primitives.RSA.exportKey(newHcpKey.privateKey, 'pkcs8'))\n const apiWithUntrustedKeysStorages = {\n // Using a new storage, simulates wiping the local storage\n storage: new TestStorage(),\n keyStorage: new TestKeyStorage(),\n }\n const apiWithUntrustedKey = await IcureApi.initialise(\n env.iCureUrl,\n { username: hcp.user, password: hcp.password },\n new TrustedKeysStrategy(\n [\n { priv: parent.privateKey, pub: parent.publicKey, trusted: false, shaVersion: ShaVersion.Sha1 },\n { priv: newParentKeyPkcs8, pub: newParentKeySpki, trusted: true, shaVersion: ShaVersion.Sha256 },\n ],\n [{ priv: hcp.privateKey, pub: hcp.publicKey, trusted: false, shaVersion: ShaVersion.Sha1 }],\n {\n overrideGenerateNewKeyForDataOwner: () => {\n didCreateNewKey = true\n return Promise.resolve(newHcpKey)\n },\n }\n ),\n webcrypto as any,\n fetch,\n apiWithUntrustedKeysStorages\n )\n expect(didCreateNewKey).to.eq(true)\n // Check all keys are available but only new keys are trusted\n expect(\n await apiWithUntrustedKey.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(\n await apiWithUntrustedKey.healthcarePartyApi.getHealthcareParty(hcp.dataOwnerId)\n )\n ).to.have.members([newHcpKeySpki])\n expect(\n await apiWithUntrustedKey.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(\n await apiWithUntrustedKey.healthcarePartyApi.getHealthcareParty(parent.dataOwnerId)\n )\n ).to.have.members([newParentKeySpki])\n expect(await apiWithUntrustedKey.cryptoApi.userKeysManager.getCurrentUserHierarchyAvailablePublicKeysHex()).to.have.members([\n newHcpKeySpki,\n hcp.publicKey,\n parent.publicKey,\n newParentKeySpki,\n ])\n expect(await apiWithUntrustedKey.cryptoApi.userKeysManager.getCurrentUserAvailablePublicKeysHex(false)).to.have.members([\n newHcpKeySpki,\n hcp.publicKey,\n ])\n // Check can still read old data\n const pat1Recovered = await apiWithUntrustedKey.patientApi.getPatientWithUser(user, pat1.id!)\n expect(pat1Recovered.note).to.eq('Secret note')\n // Check can create new data\n const pat2 = await initialApi.patientApi.createPatientWithUser(\n user,\n await initialApi.patientApi.newInstance(\n user,\n {\n firstName: 'Joe',\n lastName: 'Doe',\n note: 'Secret note',\n },\n {\n additionalDelegates: { [parent.dataOwnerId]: AccessLevelEnum.WRITE },\n }\n )\n )\n // Check created new exchange data and only used the new trusted keys for it\n const selfSelfXdata2 = await initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, hcp.dataOwnerId)\n const selfParentXdata2 = await initialApi.cryptoApi.exchangeData.base.getExchangeDataByDelegatorDelegatePair(hcp.dataOwnerId, parent.dataOwnerId)\n expect(selfSelfXdata2).to.not.be.undefined\n expect(selfParentXdata2).to.not.be.undefined\n expect(selfSelfXdata2).to.have.length(2)\n expect(selfParentXdata2).to.have.length(2)\n const newSelfSelfXdata = selfSelfXdata2.filter((xd) => xd.id !== selfSelfXdata[0].id)!\n expect(newSelfSelfXdata).to.have.length(1)\n const newSelfSelfXDataUsedFps = Object.keys(newSelfSelfXdata[0].exchangeKey)\n expect(newSelfSelfXDataUsedFps).to.have.length(1)\n expect(newSelfSelfXDataUsedFps[0]).to.eq(fingerprintV2(newHcpKeySpki))\n const newSelfParentXdata = selfParentXdata2.filter((xd) => xd.id !== selfParentXdata[0].id)!\n expect(newSelfParentXdata).to.have.length(1)\n const newSelfParentXDataUsedFps = Object.keys(newSelfParentXdata[0].exchangeKey)\n expect(newSelfParentXDataUsedFps).to.have.length(2)\n expect(newSelfParentXDataUsedFps).to.have.members([fingerprintV2(newHcpKeySpki), fingerprintV2(newParentKeySpki)])\n // Check after reinitialization with keys already in storage the \"verified\" situation is unchanged.\n const apiWithUntrustedKey2 = await IcureApi.initialise(\n env.iCureUrl,\n { username: hcp.user, password: hcp.password },\n new TrustedKeysStrategy([], [], { failRecoverAndVerifySelfHierarchyKeys: true }),\n webcrypto as any,\n fetch,\n apiWithUntrustedKeysStorages\n )\n expect(\n await apiWithUntrustedKey2.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(\n await apiWithUntrustedKey2.healthcarePartyApi.getHealthcareParty(hcp.dataOwnerId)\n )\n ).to.have.members([newHcpKeySpki])\n expect(\n await apiWithUntrustedKey2.cryptoApi.userKeysManager.getVerifiedPublicKeysFor(\n await apiWithUntrustedKey2.healthcarePartyApi.getHealthcareParty(parent.dataOwnerId)\n )\n ).to.have.members([newParentKeySpki])\n expect(await apiWithUntrustedKey2.cryptoApi.userKeysManager.getCurrentUserHierarchyAvailablePublicKeysHex()).to.have.members([\n newHcpKeySpki,\n hcp.publicKey,\n parent.publicKey,\n newParentKeySpki,\n ])\n expect(await apiWithUntrustedKey2.cryptoApi.userKeysManager.getCurrentUserAvailablePublicKeysHex(false)).to.have.members([\n newHcpKeySpki,\n hcp.publicKey,\n ])\n })\n})\n"]}