@opentdf/sdk 0.1.0-beta.1701

package/dist/web/src/errors.js

@@ -0,0 +1,123 @@
+function scrubCause(error, d) {
+    if (!error || (d && d > 4)) {
+        return {};
+    }
+    if (!error.name) {
+        return {};
+    }
+    const cause = new Error(error.name, scrubCause(error.cause, (d || 0) + 1));
+    if (error.message) {
+        cause.message = error.message;
+    }
+    if (error.stack) {
+        cause.stack = error.stack;
+    }
+    return { cause };
+}
+/**
+ * Root class for all errors thrown by this library.
+ * This should not be thrown directly, but rather one of its subclasses.
+ */
+export class TdfError extends Error {
+    constructor(message, cause) {
+        super(message, scrubCause(cause));
+        this.name = 'TdfError';
+        // Error is funny (only on ES5? So  guess just IE11 we have to worry about?)
+        // https://github.com/Microsoft/TypeScript-wiki/blob/main/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work
+        // https://stackoverflow.com/questions/41102060/typescript-extending-error-class#comment70895020_41102306
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+/**
+ * Errors that indicate the client or method does not have valid options.
+ */
+export class ConfigurationError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'ConfigurationError';
+    }
+}
+/**
+ * The assigned data attribute is not in the correct form.
+ */
+export class AttributeValidationError extends ConfigurationError {
+    constructor(message, attribute, cause) {
+        super(message, cause);
+        this.name = 'AttributeValidationError';
+        this.attribute = attribute;
+    }
+}
+/**
+ * Errors that indicate the TDF object is corrupt, invalid, or fails validation or decrypt.
+ */
+export class InvalidFileError extends TdfError {
+}
+/**
+ * Indicates a decrypt failure, either due to an incorrect key, corrupt ciphertext, or inappropriate key parameters.
+ */
+export class DecryptError extends InvalidFileError {
+    constructor() {
+        super(...arguments);
+        this.name = 'DecryptError';
+    }
+}
+export class IntegrityError extends InvalidFileError {
+    constructor() {
+        super(...arguments);
+        this.name = 'IntegrityError';
+    }
+}
+/**
+ * Thrown when a KAS URL found in one or more required key access objects are not in the list of known and allowed KASes in the client.
+ * This may indicate a malicious file - e.g. an attempt to DDoS a server by listing it as the KAS for many files, or to siphon credentials using a lookalike URL.
+ */
+export class UnsafeUrlError extends InvalidFileError {
+    constructor(message, ...url) {
+        super(message);
+        this.name = 'UnsafeUrlError';
+        Object.setPrototypeOf(this, new.target.prototype);
+        this.url = url;
+    }
+}
+/**
+ * A network error (no response) from rewrap or other endpoint, Possibly fixed by retrying or adjusting your network settings; could indicate network failure.
+ */
+export class NetworkError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'NetworkError';
+    }
+}
+/**
+ * The service reports an unexpected error on its behalf, or a subcomponent (5xx).
+ */
+export class ServiceError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'ServiceError';
+    }
+}
+/** Authentication failure (401) */
+export class UnauthenticatedError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'UnauthenticatedError';
+    }
+}
+/** Authorization failure (403) */
+export class PermissionDeniedError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'PermissionDeniedError';
+    }
+}
+/**
+ * Version of file is unsupported, or file uses a feature that is not supported by this version of the library.
+ */
+export class UnsupportedFeatureError extends TdfError {
+    constructor() {
+        super(...arguments);
+        this.name = 'UnsupportedFeatureError';
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXJyb3JzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Vycm9ycy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxTQUFTLFVBQVUsQ0FBQyxLQUFhLEVBQUUsQ0FBVTtJQUMzQyxJQUFJLENBQUMsS0FBSyxJQUFJLENBQUMsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRTtRQUMxQixPQUFPLEVBQUUsQ0FBQztLQUNYO0lBQ0QsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUU7UUFDZixPQUFPLEVBQUUsQ0FBQztLQUNYO0lBQ0QsTUFBTSxLQUFLLEdBQUcsSUFBSSxLQUFLLENBQUMsS0FBSyxDQUFDLElBQUksRUFBRSxVQUFVLENBQUMsS0FBSyxDQUFDLEtBQWMsRUFBRSxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDO0lBQ3BGLElBQUksS0FBSyxDQUFDLE9BQU8sRUFBRTtRQUNqQixLQUFLLENBQUMsT0FBTyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUM7S0FDL0I7SUFDRCxJQUFJLEtBQUssQ0FBQyxLQUFLLEVBQUU7UUFDZixLQUFLLENBQUMsS0FBSyxHQUFHLEtBQUssQ0FBQyxLQUFLLENBQUM7S0FDM0I7SUFDRCxPQUFPLEVBQUUsS0FBSyxFQUFFLENBQUM7QUFDbkIsQ0FBQztBQUVEOzs7R0FHRztBQUNILE1BQU0sT0FBTyxRQUFTLFNBQVEsS0FBSztJQUdqQyxZQUFZLE9BQWdCLEVBQUUsS0FBYTtRQUN6QyxLQUFLLENBQUMsT0FBTyxFQUFFLFVBQVUsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDO1FBSDNCLFNBQUksR0FBRyxVQUFVLENBQUM7UUFJekIsNEVBQTRFO1FBQzVFLDZJQUE2STtRQUM3SSx5R0FBeUc7UUFDekcsTUFBTSxDQUFDLGNBQWMsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUNwRCxDQUFDO0NBQ0Y7QUFFRDs7R0FFRztBQUNILE1BQU0sT0FBTyxrQkFBbUIsU0FBUSxRQUFRO0lBQWhEOztRQUNXLFNBQUksR0FBRyxvQkFBb0IsQ0FBQztJQUN2QyxDQUFDO0NBQUE7QUFFRDs7R0FFRztBQUNILE1BQU0sT0FBTyx3QkFBeUIsU0FBUSxrQkFBa0I7SUFHOUQsWUFBWSxPQUFlLEVBQUUsU0FBa0IsRUFBRSxLQUFhO1FBQzVELEtBQUssQ0FBQyxPQUFPLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFIZixTQUFJLEdBQUcsMEJBQTBCLENBQUM7UUFJekMsSUFBSSxDQUFDLFNBQVMsR0FBRyxTQUFTLENBQUM7SUFDN0IsQ0FBQztDQUNGO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLE9BQU8sZ0JBQWlCLFNBQVEsUUFBUTtDQUFHO0FBRWpEOztHQUVHO0FBQ0gsTUFBTSxPQUFPLFlBQWEsU0FBUSxnQkFBZ0I7SUFBbEQ7O1FBQ1csU0FBSSxHQUFHLGNBQWMsQ0FBQztJQUNqQyxDQUFDO0NBQUE7QUFFRCxNQUFNLE9BQU8sY0FBZSxTQUFRLGdCQUFnQjtJQUFwRDs7UUFDVyxTQUFJLEdBQUcsZ0JBQWdCLENBQUM7SUFDbkMsQ0FBQztDQUFBO0FBRUQ7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLGNBQWUsU0FBUSxnQkFBZ0I7SUFJbEQsWUFBWSxPQUFlLEVBQUUsR0FBRyxHQUFhO1FBQzNDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUpSLFNBQUksR0FBRyxnQkFBZ0IsQ0FBQztRQUsvQixNQUFNLENBQUMsY0FBYyxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQ2xELElBQUksQ0FBQyxHQUFHLEdBQUcsR0FBRyxDQUFDO0lBQ2pCLENBQUM7Q0FDRjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxPQUFPLFlBQWEsU0FBUSxRQUFRO0lBQTFDOztRQUNXLFNBQUksR0FBRyxjQUFjLENBQUM7SUFDakMsQ0FBQztDQUFBO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLE9BQU8sWUFBYSxTQUFRLFFBQVE7SUFBMUM7O1FBQ1csU0FBSSxHQUFHLGNBQWMsQ0FBQztJQUNqQyxDQUFDO0NBQUE7QUFFRCxtQ0FBbUM7QUFDbkMsTUFBTSxPQUFPLG9CQUFxQixTQUFRLFFBQVE7SUFBbEQ7O1FBQ1csU0FBSSxHQUFHLHNCQUFzQixDQUFDO0lBQ3pDLENBQUM7Q0FBQTtBQUVELGtDQUFrQztBQUNsQyxNQUFNLE9BQU8scUJBQXNCLFNBQVEsUUFBUTtJQUFuRDs7UUFDVyxTQUFJLEdBQUcsdUJBQXVCLENBQUM7SUFDMUMsQ0FBQztDQUFBO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLE9BQU8sdUJBQXdCLFNBQVEsUUFBUTtJQUFyRDs7UUFDVyxTQUFJLEdBQUcseUJBQXlCLENBQUM7SUFDNUMsQ0FBQztDQUFBIn0=

package/dist/web/src/index.js

@@ -0,0 +1,313 @@
+import { Client, NanoTDF, encrypt, decrypt, encryptDataset, getHkdfSalt, DefaultParams, } from './nanotdf/index.js';
+import { keyAgreement } from './nanotdf-crypto/index.js';
+import { createAttribute, Policy } from './tdf/index.js';
+import { fetchECKasPubKey } from './access.js';
+import { ConfigurationError } from './errors.js';
+export { attributeFQNsAsValues } from './policy/api.js';
+// Define default options
+const defaultOptions = {
+    ecdsaBinding: false,
+};
+/**
+ * NanoTDF SDK Client
+ *
+ * @example
+ * ```
+ * import { clientSecretAuthProvider, NanoTDFClient } from '@opentdf/sdk';
+ *
+ * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/opentdf-demo';
+ * const KAS_URL = 'http://localhost:65432/api/kas/';
+ *
+ * const ciphertext = '...';
+ * const client = new NanoTDFClient({
+ *   authProvider: await clientSecretAuthProvider({
+ *     clientId: 'tdf-client',
+ *     clientSecret: '123-456',
+ *     oidcOrigin: OIDC_ENDPOINT,
+ *   }),
+ *   kasEndpoint: KAS_URL
+ *  }
+ * );
+ * client.decrypt(ciphertext)
+ *   .then(plaintext => {
+ *     console.log('Plaintext', plaintext);
+ *   })
+ *   .catch(err => {
+ *     console.error('Some error occurred', err);
+ *   })
+ */
+export class NanoTDFClient extends Client {
+    /**
+     * Decrypt ciphertext
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decrypt(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = NanoTDF.from(ciphertext);
+        await this.fetchOIDCToken();
+        // TODO: The version number should be fetched from the API
+        const version = '0.0.1';
+        const kasUrl = nanotdf.header.getKasRewrapUrl();
+        // Rewrap key on every request
+        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), kasUrl, nanotdf.header.magicNumberVersion, version);
+        if (!ukey) {
+            throw new Error('internal: key rewrap failure');
+        }
+        // Return decrypt promise
+        return decrypt(ukey, nanotdf);
+    }
+    /**
+     * Decrypt ciphertext of the legacy TDF, with the older, smaller i.v. calculation.
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decryptLegacyTDF(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = NanoTDF.from(ciphertext, undefined, true);
+        await this.fetchOIDCToken();
+        const legacyVersion = '0.0.0';
+        // Rewrap key on every request
+        const key = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, legacyVersion);
+        if (!key) {
+            throw new Error('internal: failed unwrap');
+        }
+        // Return decrypt promise
+        return decrypt(key, nanotdf);
+    }
+    /**
+     * Encrypts the given data using the NanoTDF encryption scheme.
+     *
+     * @param {string | TypedArray | ArrayBuffer} data - The data to be encrypted.
+     * @param {EncryptOptions} [options=defaultOptions] - The encryption options (currently unused).
+     * @returns {Promise<ArrayBuffer>} A promise that resolves to the encrypted data as an ArrayBuffer.
+     * @throws {Error} If the initialization vector is not a number.
+     */
+    async encrypt(data, options) {
+        // For encrypt always generate the client ephemeralKeyPair
+        const ephemeralKeyPair = await this.ephemeralKeyPair;
+        const initializationVector = this.iv;
+        if (typeof initializationVector !== 'number') {
+            throw new ConfigurationError('NanoTDF clients are single use. Please generate a new client and keypair.');
+        }
+        delete this.iv;
+        if (!this.kasPubKey) {
+            this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+        }
+        // Create a policy for the tdf
+        const policy = new Policy();
+        // Add data attributes.
+        for (const dataAttribute of this.dataAttributes) {
+            const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
+            policy.addAttribute(attribute);
+        }
+        if (this.dissems.length == 0 && this.dataAttributes.length == 0) {
+            console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
+        }
+        // Encrypt the policy.
+        const policyObjectAsStr = policy.toJSON();
+        // IV is always '1', since the new keypair is generated on encrypt
+        // using the same key is fine.
+        const lengthAsUint32 = new Uint32Array(1);
+        lengthAsUint32[0] = initializationVector;
+        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+        // NOTE: We are only interested in only first 3 bytes.
+        const payloadIV = new Uint8Array(12).fill(0);
+        payloadIV[9] = lengthAsUint24[2];
+        payloadIV[10] = lengthAsUint24[1];
+        payloadIV[11] = lengthAsUint24[0];
+        const mergedOptions = { ...defaultOptions, ...options };
+        return encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, payloadIV, data, mergedOptions.ecdsaBinding);
+    }
+}
+/**
+ * NanoTDF Dataset SDK Client
+ *
+ *
+ * @example
+ * ```
+ * import { clientSecretAuthProvider, NanoTDFDatasetClient } from '@opentdf/sdk';
+ *
+ * const OIDC_ENDPOINT = 'http://localhost:65432/auth/realms/tdf';
+ * const KAS_URL = 'http://localhost:65432/api/kas/';
+ *
+ * const ciphertext = '...';
+ * const client = new NanoTDFDatasetClient({
+ *   authProvider: await clientSecretAuthProvider({
+ *     clientId: 'tdf-client',
+ *     clientSecret: '123-456',
+ *     exchange: 'client',
+ *     oidcOrigin: OIDC_ENDPOINT,
+ *   }),
+ *   kasEndpoint: KAS_URL,
+ * });
+ * const plaintext = client.decrypt(ciphertext);
+ * console.log('Plaintext', plaintext);
+ * ```
+ */
+export class NanoTDFDatasetClient extends Client {
+    /**
+     * Create new NanoTDF Dataset Client
+     *
+     * The Ephemeral Key Pair can either be provided or will be generate when fetching the entity object. Once set it
+     * cannot be changed. If a new ephemeral key is desired it a new client should be initialized.
+     * There is no performance impact for creating a new client IFF the ephemeral key pair is provided.
+     *
+     * @param clientConfig OIDC client credentials
+     * @param kasUrl Key access service URL
+     * @param ephemeralKeyPair (optional) ephemeral key pair to use
+     * @param maxKeyIterations Max iteration to performe without a key rotation
+     */
+    constructor(opts) {
+        if (opts.maxKeyIterations &&
+            opts.maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS) {
+            throw new ConfigurationError(`key iteration exceeds max iterations(${NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS})`);
+        }
+        super(opts);
+        this.maxKeyIteration = opts.maxKeyIterations || NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS;
+        this.keyIterationCount = 0;
+    }
+    /**
+     * Encrypt data
+     *
+     * Pass a string, TypedArray, or ArrayBuffer data and get a promise which resolves ciphertext
+     *
+     * @param data to decrypt
+     */
+    async encrypt(data, options) {
+        // Intial encrypt
+        if (this.keyIterationCount == 0) {
+            const mergedOptions = { ...defaultOptions, ...options };
+            this.ecdsaBinding = mergedOptions.ecdsaBinding;
+            // For encrypt always generate the client ephemeralKeyPair
+            const ephemeralKeyPair = await this.ephemeralKeyPair;
+            if (!this.kasPubKey) {
+                this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+            }
+            // Create a policy for the tdf
+            const policy = new Policy();
+            // Add data attributes.
+            for (const dataAttribute of this.dataAttributes) {
+                const attribute = await createAttribute(dataAttribute, this.kasPubKey, this.kasUrl);
+                policy.addAttribute(attribute);
+            }
+            if (this.dissems.length == 0 || this.dataAttributes.length == 0) {
+                console.warn('This policy has an empty attributes list and an empty dissemination list. This will allow any entity with a valid Entity Object to access this TDF.');
+            }
+            // Encrypt the policy.
+            const policyObjectAsStr = policy.toJSON();
+            const ivVector = this.generateIV();
+            // Generate a symmetric key.
+            this.symmetricKey = await keyAgreement(ephemeralKeyPair.privateKey, await this.kasPubKey.key, await getHkdfSalt(DefaultParams.magicNumberVersion));
+            const nanoTDFBuffer = await encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, ivVector, data, this.ecdsaBinding);
+            // Cache the header and increment the key iteration
+            if (!this.cachedHeader) {
+                const nanoTDF = NanoTDF.from(nanoTDFBuffer);
+                this.cachedHeader = nanoTDF.header;
+            }
+            this.keyIterationCount += 1;
+            return nanoTDFBuffer;
+        }
+        this.keyIterationCount += 1;
+        if (!this.cachedHeader) {
+            throw new ConfigurationError('invalid dataset client: empty nanoTDF header');
+        }
+        if (!this.symmetricKey) {
+            throw new ConfigurationError('invalid dataset client: empty dek');
+        }
+        this.keyIterationCount += 1;
+        if (this.keyIterationCount == this.maxKeyIteration) {
+            // reset the key iteration
+            this.keyIterationCount = 0;
+        }
+        const ivVector = this.generateIV();
+        return encryptDataset(this.symmetricKey, this.cachedHeader, ivVector, data);
+    }
+    /**
+     * Decrypt ciphertext
+     *
+     * Pass a base64 string, TypedArray, or ArrayBuffer ciphertext and get a promise which resolves plaintext
+     *
+     * @param ciphertext Ciphertext to decrypt
+     */
+    async decrypt(ciphertext) {
+        // Parse ciphertext
+        const nanotdf = NanoTDF.from(ciphertext);
+        if (!this.cachedEphemeralKey) {
+            // First decrypt
+            return this.rewrapAndDecrypt(nanotdf);
+        }
+        // Other encrypts
+        if (this.cachedEphemeralKey.toString() == nanotdf.header.ephemeralPublicKey.toString()) {
+            const ukey = this.unwrappedKey;
+            if (!ukey) {
+                // These should have thrown already.
+                throw new Error('internal: key rewrap failure');
+            }
+            // Return decrypt promise
+            return decrypt(ukey, nanotdf);
+        }
+        else {
+            return this.rewrapAndDecrypt(nanotdf);
+        }
+    }
+    async rewrapAndDecrypt(nanotdf) {
+        // TODO: The version number should be fetched from the API
+        await this.fetchOIDCToken();
+        const version = '0.0.1';
+        // Rewrap key on every request
+        const ukey = await this.rewrapKey(nanotdf.header.toBuffer(), nanotdf.header.getKasRewrapUrl(), nanotdf.header.magicNumberVersion, version);
+        if (!ukey) {
+            // These should have thrown already.
+            throw new Error('internal: key rewrap failure');
+        }
+        this.cachedEphemeralKey = nanotdf.header.ephemeralPublicKey;
+        this.unwrappedKey = ukey;
+        // Return decrypt promise
+        return decrypt(ukey, nanotdf);
+    }
+    generateIV() {
+        const iv = this.iv;
+        if (iv === undefined) {
+            // iv has passed the maximum iteration count for this dek
+            throw new ConfigurationError('dataset full');
+        }
+        // assert iv ∈ ℤ ∩ (0, 2^24)
+        if (!Number.isInteger(iv) || iv <= 0 || 16777215 < iv) {
+            // Something has fiddled with the iv outside of the expected behavior
+            // could indicate a race condition, e.g. if two workers or handlers are
+            // processing the file at once, for example.
+            throw new Error('internal: invalid state');
+        }
+        const lengthAsUint32 = new Uint32Array(1);
+        lengthAsUint32[0] = iv;
+        const lengthAsUint24 = new Uint8Array(lengthAsUint32.buffer);
+        // NOTE: We are only interested in only first 3 bytes.
+        const ivVector = new Uint8Array(Client.IV_SIZE).fill(0);
+        ivVector[9] = lengthAsUint24[2];
+        ivVector[10] = lengthAsUint24[1];
+        ivVector[11] = lengthAsUint24[0];
+        // Increment the IV
+        if (iv == 16777215) {
+            delete this.iv;
+        }
+        else {
+            this.iv = iv + 1;
+        }
+        return ivVector;
+    }
+}
+// Total unique IVs(2^24 -1) used for encrypting the nano tdf payloads
+// IV starts from 1 since the 0 IV is reserved for policy encryption
+NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS = 8388606;
+/**
+ * Authorization for connecting authZ tokens to
+ * remote requests.
+ */
+export * as AuthProviders from './auth/providers.js';
+export { version, clientType } from './version.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUNMLE1BQU0sRUFDTixPQUFPLEVBRVAsT0FBTyxFQUNQLE9BQU8sRUFDUCxjQUFjLEVBQ2QsV0FBVyxFQUNYLGFBQWEsR0FDZCxNQUFNLG9CQUFvQixDQUFDO0FBQzVCLE9BQU8sRUFBRSxZQUFZLEVBQUUsTUFBTSwyQkFBMkIsQ0FBQztBQUN6RCxPQUFPLEVBQWMsZUFBZSxFQUFFLE1BQU0sRUFBRSxNQUFNLGdCQUFnQixDQUFDO0FBQ3JFLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUUvQyxPQUFPLEVBQUUsa0JBQWtCLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFDakQsT0FBTyxFQUFFLHFCQUFxQixFQUFFLE1BQU0saUJBQWlCLENBQUM7QUFPeEQseUJBQXlCO0FBQ3pCLE1BQU0sY0FBYyxHQUFtQjtJQUNyQyxZQUFZLEVBQUUsS0FBSztDQUNwQixDQUFDO0FBRUY7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQTJCRztBQUNILE1BQU0sT0FBTyxhQUFjLFNBQVEsTUFBTTtJQUN2Qzs7Ozs7O09BTUc7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUFDLFVBQTZDO1FBQ3pELG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBRXpDLE1BQU0sSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1FBRTVCLDBEQUEwRDtRQUMxRCxNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDeEIsTUFBTSxNQUFNLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxlQUFlLEVBQUUsQ0FBQztRQUVoRCw4QkFBOEI7UUFDOUIsTUFBTSxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUMvQixPQUFPLENBQUMsTUFBTSxDQUFDLFFBQVEsRUFBRSxFQUN6QixNQUFNLEVBQ04sT0FBTyxDQUFDLE1BQU0sQ0FBQyxrQkFBa0IsRUFDakMsT0FBTyxDQUNSLENBQUM7UUFFRixJQUFJLENBQUMsSUFBSSxFQUFFO1lBQ1QsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO1NBQ2pEO1FBQ0QseUJBQXlCO1FBQ3pCLE9BQU8sT0FBTyxDQUFDLElBQUksRUFBRSxPQUFPLENBQUMsQ0FBQztJQUNoQyxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLGdCQUFnQixDQUFDLFVBQTZDO1FBQ2xFLG1CQUFtQjtRQUNuQixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFFMUQsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDO1FBQzlCLDhCQUE4QjtRQUM5QixNQUFNLEdBQUcsR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQzlCLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLGFBQWEsQ0FDZCxDQUFDO1FBRUYsSUFBSSxDQUFDLEdBQUcsRUFBRTtZQUNSLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQztTQUM1QztRQUNELHlCQUF5QjtRQUN6QixPQUFPLE9BQU8sQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDL0IsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSCxLQUFLLENBQUMsT0FBTyxDQUNYLElBQXVDLEVBQ3ZDLE9BQXdCO1FBRXhCLDBEQUEwRDtRQUMxRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDO1FBQ3JELE1BQU0sb0JBQW9CLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVyQyxJQUFJLE9BQU8sb0JBQW9CLEtBQUssUUFBUSxFQUFFO1lBQzVDLE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsMkVBQTJFLENBQzVFLENBQUM7U0FDSDtRQUNELE9BQU8sSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUVmLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO1lBQ25CLElBQUksQ0FBQyxTQUFTLEdBQUcsTUFBTSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7U0FDdEQ7UUFFRCw4QkFBOEI7UUFDOUIsTUFBTSxNQUFNLEdBQUcsSUFBSSxNQUFNLEVBQUUsQ0FBQztRQUU1Qix1QkFBdUI7UUFDdkIsS0FBSyxNQUFNLGFBQWEsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFO1lBQy9DLE1BQU0sU0FBUyxHQUFHLE1BQU0sZUFBZSxDQUFDLGFBQWEsRUFBRSxJQUFJLENBQUMsU0FBUyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUNwRixNQUFNLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1NBQ2hDO1FBRUQsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFO1lBQy9ELE9BQU8sQ0FBQyxJQUFJLENBQ1YscUpBQXFKLENBQ3RKLENBQUM7U0FDSDtRQUVELHNCQUFzQjtRQUN0QixNQUFNLGlCQUFpQixHQUFHLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUUxQyxrRUFBa0U7UUFDbEUsOEJBQThCO1FBQzlCLE1BQU0sY0FBYyxHQUFHLElBQUksV0FBVyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsR0FBRyxvQkFBb0IsQ0FBQztRQUV6QyxNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sU0FBUyxHQUFHLElBQUksVUFBVSxDQUFDLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM3QyxTQUFTLENBQUMsQ0FBQyxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pDLFNBQVMsQ0FBQyxFQUFFLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDbEMsU0FBUyxDQUFDLEVBQUUsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUVsQyxNQUFNLGFBQWEsR0FBbUIsRUFBRSxHQUFHLGNBQWMsRUFBRSxHQUFHLE9BQU8sRUFBRSxDQUFDO1FBQ3hFLE9BQU8sT0FBTyxDQUNaLGlCQUFpQixFQUNqQixJQUFJLENBQUMsU0FBUyxFQUNkLGdCQUFnQixFQUNoQixTQUFTLEVBQ1QsSUFBSSxFQUNKLGFBQWEsQ0FBQyxZQUFZLENBQzNCLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFNRDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBd0JHO0FBQ0gsTUFBTSxPQUFPLG9CQUFxQixTQUFRLE1BQU07SUFhOUM7Ozs7Ozs7Ozs7O09BV0c7SUFDSCxZQUFZLElBQW1CO1FBQzdCLElBQ0UsSUFBSSxDQUFDLGdCQUFnQjtZQUNyQixJQUFJLENBQUMsZ0JBQWdCLEdBQUcsb0JBQW9CLENBQUMsdUJBQXVCLEVBQ3BFO1lBQ0EsTUFBTSxJQUFJLGtCQUFrQixDQUMxQix3Q0FBd0Msb0JBQW9CLENBQUMsdUJBQXVCLEdBQUcsQ0FDeEYsQ0FBQztTQUNIO1FBQ0QsS0FBSyxDQUFDLElBQUksQ0FBQyxDQUFDO1FBRVosSUFBSSxDQUFDLGVBQWUsR0FBRyxJQUFJLENBQUMsZ0JBQWdCLElBQUksb0JBQW9CLENBQUMsdUJBQXVCLENBQUM7UUFDN0YsSUFBSSxDQUFDLGlCQUFpQixHQUFHLENBQUMsQ0FBQztJQUM3QixDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FDWCxJQUF1QyxFQUN2QyxPQUF3QjtRQUV4QixpQkFBaUI7UUFDakIsSUFBSSxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxFQUFFO1lBQy9CLE1BQU0sYUFBYSxHQUFtQixFQUFFLEdBQUcsY0FBYyxFQUFFLEdBQUcsT0FBTyxFQUFFLENBQUM7WUFDeEUsSUFBSSxDQUFDLFlBQVksR0FBRyxhQUFhLENBQUMsWUFBWSxDQUFDO1lBQy9DLDBEQUEwRDtZQUMxRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sSUFBSSxDQUFDLGdCQUFnQixDQUFDO1lBRXJELElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFO2dCQUNuQixJQUFJLENBQUMsU0FBUyxHQUFHLE1BQU0sZ0JBQWdCLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2FBQ3REO1lBRUQsOEJBQThCO1lBQzlCLE1BQU0sTUFBTSxHQUFHLElBQUksTUFBTSxFQUFFLENBQUM7WUFFNUIsdUJBQXVCO1lBQ3ZCLEtBQUssTUFBTSxhQUFhLElBQUksSUFBSSxDQUFDLGNBQWMsRUFBRTtnQkFDL0MsTUFBTSxTQUFTLEdBQUcsTUFBTSxlQUFlLENBQUMsYUFBYSxFQUFFLElBQUksQ0FBQyxTQUFTLEVBQUUsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDO2dCQUNwRixNQUFNLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQyxDQUFDO2FBQ2hDO1lBRUQsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLElBQUksQ0FBQyxFQUFFO2dCQUMvRCxPQUFPLENBQUMsSUFBSSxDQUNWLHFKQUFxSixDQUN0SixDQUFDO2FBQ0g7WUFFRCxzQkFBc0I7WUFDdEIsTUFBTSxpQkFBaUIsR0FBRyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUM7WUFFMUMsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBRW5DLDRCQUE0QjtZQUM1QixJQUFJLENBQUMsWUFBWSxHQUFHLE1BQU0sWUFBWSxDQUNwQyxnQkFBZ0IsQ0FBQyxVQUFVLEVBQzNCLE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLEVBQ3hCLE1BQU0sV0FBVyxDQUFDLGFBQWEsQ0FBQyxrQkFBa0IsQ0FBQyxDQUNwRCxDQUFDO1lBRUYsTUFBTSxhQUFhLEdBQUcsTUFBTSxPQUFPLENBQ2pDLGlCQUFpQixFQUNqQixJQUFJLENBQUMsU0FBUyxFQUNkLGdCQUFnQixFQUNoQixRQUFRLEVBQ1IsSUFBSSxFQUNKLElBQUksQ0FBQyxZQUFZLENBQ2xCLENBQUM7WUFFRixtREFBbUQ7WUFDbkQsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUU7Z0JBQ3RCLE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7Z0JBQzVDLElBQUksQ0FBQyxZQUFZLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQzthQUNwQztZQUVELElBQUksQ0FBQyxpQkFBaUIsSUFBSSxDQUFDLENBQUM7WUFFNUIsT0FBTyxhQUFhLENBQUM7U0FDdEI7UUFFRCxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxDQUFDO1FBRTVCLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFO1lBQ3RCLE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyw4Q0FBOEMsQ0FBQyxDQUFDO1NBQzlFO1FBQ0QsSUFBSSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUU7WUFDdEIsTUFBTSxJQUFJLGtCQUFrQixDQUFDLG1DQUFtQyxDQUFDLENBQUM7U0FDbkU7UUFFRCxJQUFJLENBQUMsaUJBQWlCLElBQUksQ0FBQyxDQUFDO1FBQzVCLElBQUksSUFBSSxDQUFDLGlCQUFpQixJQUFJLElBQUksQ0FBQyxlQUFlLEVBQUU7WUFDbEQsMEJBQTBCO1lBQzFCLElBQUksQ0FBQyxpQkFBaUIsR0FBRyxDQUFDLENBQUM7U0FDNUI7UUFFRCxNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7UUFFbkMsT0FBTyxjQUFjLENBQUMsSUFBSSxDQUFDLFlBQVksRUFBRSxJQUFJLENBQUMsWUFBWSxFQUFFLFFBQVEsRUFBRSxJQUFJLENBQUMsQ0FBQztJQUM5RSxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLE9BQU8sQ0FBQyxVQUE2QztRQUN6RCxtQkFBbUI7UUFDbkIsTUFBTSxPQUFPLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQztRQUV6QyxJQUFJLENBQUMsSUFBSSxDQUFDLGtCQUFrQixFQUFFO1lBQzVCLGdCQUFnQjtZQUNoQixPQUFPLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztTQUN2QztRQUVELGlCQUFpQjtRQUNqQixJQUFJLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLEVBQUUsSUFBSSxPQUFPLENBQUMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLFFBQVEsRUFBRSxFQUFFO1lBQ3RGLE1BQU0sSUFBSSxHQUFHLElBQUksQ0FBQyxZQUFZLENBQUM7WUFDL0IsSUFBSSxDQUFDLElBQUksRUFBRTtnQkFDVCxvQ0FBb0M7Z0JBQ3BDLE1BQU0sSUFBSSxLQUFLLENBQUMsOEJBQThCLENBQUMsQ0FBQzthQUNqRDtZQUNELHlCQUF5QjtZQUN6QixPQUFPLE9BQU8sQ0FBQyxJQUFJLEVBQUUsT0FBTyxDQUFDLENBQUM7U0FDL0I7YUFBTTtZQUNMLE9BQU8sSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1NBQ3ZDO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFnQjtRQUNyQywwREFBMEQ7UUFDMUQsTUFBTSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7UUFFNUIsTUFBTSxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3hCLDhCQUE4QjtRQUM5QixNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQy9CLE9BQU8sQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQ3pCLE9BQU8sQ0FBQyxNQUFNLENBQUMsZUFBZSxFQUFFLEVBQ2hDLE9BQU8sQ0FBQyxNQUFNLENBQUMsa0JBQWtCLEVBQ2pDLE9BQU8sQ0FDUixDQUFDO1FBQ0YsSUFBSSxDQUFDLElBQUksRUFBRTtZQUNULG9DQUFvQztZQUNwQyxNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7U0FDakQ7UUFFRCxJQUFJLENBQUMsa0JBQWtCLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQyxrQkFBa0IsQ0FBQztRQUM1RCxJQUFJLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQztRQUV6Qix5QkFBeUI7UUFDekIsT0FBTyxPQUFPLENBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ2hDLENBQUM7SUFFRCxVQUFVO1FBQ1IsTUFBTSxFQUFFLEdBQUcsSUFBSSxDQUFDLEVBQUUsQ0FBQztRQUNuQixJQUFJLEVBQUUsS0FBSyxTQUFTLEVBQUU7WUFDcEIseURBQXlEO1lBQ3pELE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyxjQUFjLENBQUMsQ0FBQztTQUM5QztRQUNELDRCQUE0QjtRQUM1QixJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxFQUFFLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLFFBQVMsR0FBRyxFQUFFLEVBQUU7WUFDdEQscUVBQXFFO1lBQ3JFLHVFQUF1RTtZQUN2RSw0Q0FBNEM7WUFDNUMsTUFBTSxJQUFJLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1NBQzVDO1FBRUQsTUFBTSxjQUFjLEdBQUcsSUFBSSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDMUMsY0FBYyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUV2QixNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLENBQUM7UUFFN0Qsc0RBQXNEO1FBQ3RELE1BQU0sUUFBUSxHQUFHLElBQUksVUFBVSxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDeEQsUUFBUSxDQUFDLENBQUMsQ0FBQyxHQUFHLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNoQyxRQUFRLENBQUMsRUFBRSxDQUFDLEdBQUcsY0FBYyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pDLFFBQVEsQ0FBQyxFQUFFLENBQUMsR0FBRyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFFakMsbUJBQW1CO1FBQ25CLElBQUksRUFBRSxJQUFJLFFBQVMsRUFBRTtZQUNuQixPQUFPLElBQUksQ0FBQyxFQUFFLENBQUM7U0FDaEI7YUFBTTtZQUNMLElBQUksQ0FBQyxFQUFFLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztTQUNsQjtRQUVELE9BQU8sUUFBUSxDQUFDO0lBQ2xCLENBQUM7O0FBdk5ELHNFQUFzRTtBQUN0RSxvRUFBb0U7QUFDcEQsNENBQXVCLEdBQUcsT0FBTyxDQUFDO0FBd05wRDs7O0dBR0c7QUFDSCxPQUFPLEtBQUssYUFBYSxNQUFNLHFCQUFxQixDQUFDO0FBQ3JELE9BQU8sRUFBRSxPQUFPLEVBQUUsVUFBVSxFQUFFLE1BQU0sY0FBYyxDQUFDIn0=