@p0security/cli 0.19.9 → 0.19.11
- package/build/dist/common/fetch.d.ts +1 -3
- package/build/dist/common/fetch.js +1 -3
- package/build/dist/common/fetch.js.map +1 -1
- package/build/dist/plugins/okta/aws.js +4 -3
- package/build/dist/plugins/okta/aws.js.map +1 -1
- package/build/dist/plugins/okta/login.d.ts +20 -2
- package/build/dist/plugins/okta/login.js +42 -6
- package/build/dist/plugins/okta/login.js.map +1 -1
- package/build/tsconfig.build.tsbuildinfo +1 -1
- package/p0 +1 -1
- package/package.json +1 -1
|
@@ -10,7 +10,5 @@ You should have received a copy of the GNU General Public License along with @p0
|
|
|
10
10
|
**/
|
|
11
11
|
/** Converts object data to a URL encoded form */
|
|
12
12
|
export declare const urlEncode: (data: Record<string, string>) => string;
|
|
13
|
-
/** Validates an HTTP response, throwing a friendly
|
|
14
|
-
* error message if invalid
|
|
15
|
-
*/
|
|
13
|
+
/** Validates an HTTP response, throwing a friendly error message if invalid */
|
|
16
14
|
export declare const validateResponse: (response: Response) => Promise<Response>;
|
|
@@ -25,9 +25,7 @@ const urlEncode = (data) => Object.entries(data)
|
|
|
25
25
|
.map((kv) => kv.map(encodeURIComponent).join("="))
|
|
26
26
|
.join("&");
|
|
27
27
|
exports.urlEncode = urlEncode;
|
|
28
|
-
/** Validates an HTTP response, throwing a friendly
|
|
29
|
-
* error message if invalid
|
|
30
|
-
*/
|
|
28
|
+
/** Validates an HTTP response, throwing a friendly error message if invalid */
|
|
31
29
|
const validateResponse = (response) => __awaiter(void 0, void 0, void 0, function* () {
|
|
32
30
|
if (response.ok)
|
|
33
31
|
return response;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../../src/common/fetch.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAiD;AAC1C,MAAM,SAAS,GAAG,CAAC,IAA4B,EAAE,EAAE,CACxD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;KACjB,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;KACjD,IAAI,CAAC,GAAG,CAAC,CAAC;AAHF,QAAA,SAAS,aAGP;AAEf
|
|
1
|
+
{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../../src/common/fetch.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAiD;AAC1C,MAAM,SAAS,GAAG,CAAC,IAA4B,EAAE,EAAE,CACxD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;KACjB,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;KACjD,IAAI,CAAC,GAAG,CAAC,CAAC;AAHF,QAAA,SAAS,aAGP;AAEf,+EAA+E;AACxE,MAAM,gBAAgB,GAAG,CAAO,QAAkB,EAAE,EAAE;IAC3D,IAAI,QAAQ,CAAC,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;EACvE,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU;;EAEtC,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC,CAAA,CAAC;AANW,QAAA,gBAAgB,oBAM3B"}
|
|
@@ -28,11 +28,12 @@ const config_1 = require("../aws/config");
|
|
|
28
28
|
const login_1 = require("./login");
|
|
29
29
|
const lodash_1 = require("lodash");
|
|
30
30
|
// Retry configuration for handling Okta eventual consistency
|
|
31
|
+
// With exponential backoff: 1s, 2s, 4s, 8s, 16s, 30s, 30s, 30s... ≈ 5 minutes total
|
|
31
32
|
const ROLE_NOT_AVAILABLE_PATTERN = /^Role .+ not available\./;
|
|
32
|
-
const RETRY_ATTEMPTS =
|
|
33
|
+
const RETRY_ATTEMPTS = 14;
|
|
33
34
|
const INITIAL_RETRY_DELAY_MS = 1000;
|
|
34
35
|
const RETRY_MULTIPLIER = 2.0;
|
|
35
|
-
const MAX_RETRY_DELAY_MS =
|
|
36
|
+
const MAX_RETRY_DELAY_MS = 30000;
|
|
36
37
|
/** Extracts all roles from a SAML assertion */
|
|
37
38
|
const rolesFromSaml = (account, saml) => {
|
|
38
39
|
var _a;
|
|
@@ -59,7 +60,7 @@ const initOktaSaml = (authn, account, debug) => __awaiter(void 0, void 0, void 0
|
|
|
59
60
|
const { identity, config } = yield (0, config_1.getAwsConfig)(authn, account, debug);
|
|
60
61
|
if (!isFederatedLogin(config))
|
|
61
62
|
throw `Account ${(_a = config.label) !== null && _a !== void 0 ? _a : config.id} is not configured for Okta SAML login.`;
|
|
62
|
-
const samlResponse = yield (0, login_1.
|
|
63
|
+
const samlResponse = yield (0, login_1.fetchSamlAssertionForAws)(identity, config.login);
|
|
63
64
|
return {
|
|
64
65
|
samlResponse,
|
|
65
66
|
config,
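Review bot: The schedule comment added at new line 31 hard-codes delays derived from three constants and sits directly above `ROLE_NOT_AVAILABLE_PATTERN`, which it does not describe, so it will go stale as soon as one of the values changes. I would move it directly above `RETRY_ATTEMPTS` and tie it to the names, for example `// Delays double from INITIAL_RETRY_DELAY_MS up to MAX_RETRY_DELAY_MS (30s); RETRY_ATTEMPTS = 14 keeps the total wait near 5 minutes`. The retry loop is outside this section, so it cannot be confirmed here whether 14 counts the first try (13 waits, about 4.5 minutes) or only the retries (14 waits, about 5 minutes); the comment should say which. This file is build output, so the edit belongs in `src/plugins/okta/aws.ts`.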
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../../../src/plugins/okta/aws.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,8CAAoD;AACpD,0CAA4C;AAC5C,6CAA4C;AAE5C,kDAAuD;AACvD,0CAA6C;AAE7C,
|
|
1
|
+
{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../../../src/plugins/okta/aws.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,8CAAoD;AACpD,0CAA4C;AAC5C,6CAA4C;AAE5C,kDAAuD;AACvD,0CAA6C;AAE7C,mCAAmD;AACnD,mCAAiC;AAEjC,6DAA6D;AAC7D,oFAAoF;AACpF,MAAM,0BAA0B,GAAG,0BAA0B,CAAC;AAC9D,MAAM,cAAc,GAAG,EAAE,CAAC;AAC1B,MAAM,sBAAsB,GAAG,IAAI,CAAC;AACpC,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAC7B,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAEjC,+CAA+C;AAC/C,MAAM,aAAa,GAAG,CAAC,OAAe,EAAE,IAAY,EAAE,EAAE;;IACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC/D,MAAM,UAAU,GAAG,IAAA,cAAQ,EAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,cAAc,GAClB,UAAU,CAAC,iBAAiB,CAAC,CAAC,iBAAiB,CAAC,CAC9C,0BAA0B,CAC3B,CAAC,iBAAiB,CAAC,CAAC;IACvB,MAAM,aAAa,GAAG,cAAc,CAAC,IAAI,CACvC,CAAC,CAAM,EAAE,EAAE,CACT,CAAC,CAAC,WAAW,CAAC,IAAI,KAAK,6CAA6C,CACvE,CAAC;IACF,UAAU;IACV,mIAAmI;IACnI,MAAM,IAAI,GAAG,MACX,IAAA,gBAAO,EAAC,CAAC,aAAa,aAAb,aAAa,uBAAb,aAAa,CAAG,sBAAsB,CAAC,CAAC,CAClD,0CAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI;SACf,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,gBAAgB,OAAO,QAAQ,CAAC,CAAC;SAC5D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/C,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AACzB,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,CACvB,MAAe,EACmC,EAAE,WACpD,OAAA,CAAA,MAAA,MAAM,CAAC,KAAK,0CAAE,IAAI,MAAK,WAAW,CAAA,EAAA,CAAC;AAErC;;;;GAIG;AACH,MAAM,YAAY,GAAG,CACnB,KAAY,EACZ,OAA2B,EAC3B,KAAe,EACf,EAAE;;IACF,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,IAAA,qBAAY,EAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IACvE,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC;QAC3B,MAAM,WAAW,MAAA,MAAM,CAAC,KAAK,mCAAI,MAAM,CAAC,EAAE,yCAAyC,CAAC;IACtF,MAAM,YAAY,GAAG,MAAM,IAAA,gCAAwB,EAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5E,OAAO;QACL,YAAY;QACZ,MAAM;QACN,OAAO,EAAE,MAAM,CAAC,EAAE;KACnB,CAAC;AACJ,CAAC,CAAA,CAAC;AAEK,MAAM,sBAAsB,GAAG,CACpC,KAAY,EACZ,IAA0C,EAC1C,KAAe,EACf,
EAAE;IACF,OAAA,MAAM,IAAA,aAAM,EACV,YAAY,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,IAAI,EAAE,EACzC,GAAS,EAAE;QACT,+FAA+F;QAC/F,2FAA2F;QAC3F,iDAAiD;QACjD,OAAO,MAAM,IAAA,sBAAc,EACzB,GAAS,EAAE;YACT,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,YAAY,CAC1D,KAAK,EACL,IAAI,CAAC,SAAS,EACd,KAAK,CACN,CAAC;YACF,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YACvD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9B,MAAM,QAAQ,IAAI,CAAC,IAAI,qCAAqC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;aACrG;YACD,OAAO,MAAM,IAAA,+BAAkB,EAAC;gBAC9B,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE;oBACJ,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,gBAAgB;oBACpD,QAAQ,EAAE,YAAY;iBACvB;aACF,CAAC,CAAC;QACL,CAAC,CAAA,EACD;YACE,WAAW,EAAE,CAAC,KAAc,EAAE,EAAE;gBAC9B,0EAA0E;gBAC1E,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;oBACzB,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,CACvC,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,cAAc;YACvB,OAAO,EAAE,sBAAsB;YAC/B,UAAU,EAAE,gBAAgB;YAC5B,UAAU,EAAE,kBAAkB;YAC9B,KAAK;SACN,CACF,CAAC;IACJ,CAAC,CAAA,EACD,EAAE,QAAQ,EAAE,MAAM,EAAE,CACrB,CAAA;EAAA,CAAC;AAhDS,QAAA,sBAAsB,0BAgD/B"}
|
|
@@ -4,5 +4,23 @@ import { OrgData } from "../../types/org";
|
|
|
4
4
|
import { AwsFederatedLogin } from "../aws/types";
|
|
5
5
|
/** Logs in to Okta via OIDC */
|
|
6
6
|
export declare const oktaLogin: (org: OrgData) => Promise<TokenResponse>;
|
|
7
|
-
/**
|
|
8
|
-
|
|
7
|
+
/**
|
|
8
|
+
* Converts OIDC tokens into a SAML assertion for AWS federated authentication.
|
|
9
|
+
*
|
|
10
|
+
* This function bridges the gap between modern OIDC authentication (used by P0 CLI)
|
|
11
|
+
* and legacy SAML federation (required by AWS IAM). It performs a two-step process:
|
|
12
|
+
*
|
|
13
|
+
* 1. **Token Exchange (OIDC → Web SSO Token)**:
|
|
14
|
+
* Exchanges the user's general-purpose OIDC tokens (access_token, id_token) for
|
|
15
|
+
* an app-specific Web SSO token scoped to the Okta AWS integration app.
|
|
16
|
+
*
|
|
17
|
+
* 2. **SAML Extraction (Web SSO Token → SAML Assertion)**:
|
|
18
|
+
* Uses the Web SSO token to initiate Okta's SSO flow and extracts the base64-encoded
|
|
19
|
+
* SAML assertion from the resulting HTML response.
|
|
20
|
+
*
|
|
21
|
+
* @param identity - The user's P0 identity containing OIDC tokens from login
|
|
22
|
+
* @param config - AWS federated login configuration with Okta app details
|
|
23
|
+
* @returns Base64-encoded SAML assertion for AWS authentication
|
|
24
|
+
* @throws Error if Okta session has expired or been terminated
|
|
25
|
+
*/
|
|
26
|
+
export declare const fetchSamlAssertionForAws: (identity: Identity, config: AwsFederatedLogin) => Promise<string>;
|
|
@@ -32,7 +32,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
|
|
32
32
|
});
|
|
33
33
|
};
|
|
34
34
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
35
|
-
exports.
|
|
35
|
+
exports.fetchSamlAssertionForAws = exports.oktaLogin = void 0;
|
|
36
36
|
/** Copyright © 2024-present P0 Security
|
|
37
37
|
|
|
38
38
|
This file is part of @p0security/cli
|
|
@@ -45,6 +45,7 @@ You should have received a copy of the GNU General Public License along with @p0
|
|
|
45
45
|
**/
|
|
46
46
|
const oidc_1 = require("../../common/auth/oidc");
|
|
47
47
|
const fetch_1 = require("../../common/fetch");
|
|
48
|
+
const auth_1 = require("../../drivers/auth");
|
|
48
49
|
const login_1 = require("../oidc/login");
|
|
49
50
|
const cheerio = __importStar(require("cheerio"));
|
|
50
51
|
const lodash_1 = require("lodash");
|
|
@@ -52,7 +53,14 @@ const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";
|
|
|
52
53
|
const ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token";
|
|
53
54
|
const TOKEN_EXCHANGE_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
|
|
54
55
|
const WEB_SSO_TOKEN_TYPE = "urn:okta:oauth:token-type:web_sso_token";
|
|
55
|
-
/**
|
|
56
|
+
/**
|
|
57
|
+
* Exchanges an Okta OIDC SSO token for an Okta app SSO token.
|
|
58
|
+
*
|
|
59
|
+
* Performs OAuth 2.0 Token Exchange (RFC 8693) to convert general-purpose
|
|
60
|
+
* OIDC tokens into an app-specific Web SSO token.
|
|
61
|
+
*
|
|
62
|
+
* @throws Error if Okta session has expired or been terminated
|
|
63
|
+
*/
|
|
56
64
|
const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void 0, void 0, function* () {
|
|
57
65
|
const init = {
|
|
58
66
|
method: "POST",
|
|
@@ -70,7 +78,17 @@ const fetchSsoWebToken = (appId, { org, credential }) => __awaiter(void 0, void
|
|
|
70
78
|
};
|
|
71
79
|
(0, login_1.validateProviderDomain)(org);
|
|
72
80
|
const response = yield fetch(`https:${org.providerDomain}/oauth2/v1/token`, init);
|
|
73
|
-
|
|
81
|
+
if (!response.ok) {
|
|
82
|
+
if (response.status === 400) {
|
|
83
|
+
const data = yield response.json();
|
|
84
|
+
if (data.error === "invalid_grant") {
|
|
85
|
+
yield (0, auth_1.deleteIdentity)();
|
|
86
|
+
throw new Error("Your Okta session has expired. Please login again.");
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
// Throw a friendly error message if response is invalid
|
|
90
|
+
yield (0, fetch_1.validateResponse)(response);
|
|
91
|
+
}
|
|
74
92
|
return (yield response.json());
|
|
75
93
|
});
|
|
76
94
|
/** Retrieves an Okta app's SAML response */
|
|
@@ -101,9 +119,27 @@ const oktaLogin = (org) => __awaiter(void 0, void 0, void 0, function* () {
|
|
|
101
119
|
}));
|
|
102
120
|
});
|
|
103
121
|
exports.oktaLogin = oktaLogin;
|
|
104
|
-
/**
|
|
122
|
+
/**
|
|
123
|
+
* Converts OIDC tokens into a SAML assertion for AWS federated authentication.
|
|
124
|
+
*
|
|
125
|
+
* This function bridges the gap between modern OIDC authentication (used by P0 CLI)
|
|
126
|
+
* and legacy SAML federation (required by AWS IAM). It performs a two-step process:
|
|
127
|
+
*
|
|
128
|
+
* 1. **Token Exchange (OIDC → Web SSO Token)**:
|
|
129
|
+
* Exchanges the user's general-purpose OIDC tokens (access_token, id_token) for
|
|
130
|
+
* an app-specific Web SSO token scoped to the Okta AWS integration app.
|
|
131
|
+
*
|
|
132
|
+
* 2. **SAML Extraction (Web SSO Token → SAML Assertion)**:
|
|
133
|
+
* Uses the Web SSO token to initiate Okta's SSO flow and extracts the base64-encoded
|
|
134
|
+
* SAML assertion from the resulting HTML response.
|
|
135
|
+
*
|
|
136
|
+
* @param identity - The user's P0 identity containing OIDC tokens from login
|
|
137
|
+
* @param config - AWS federated login configuration with Okta app details
|
|
138
|
+
* @returns Base64-encoded SAML assertion for AWS authentication
|
|
139
|
+
* @throws Error if Okta session has expired or been terminated
|
|
140
|
+
*/
|
|
105
141
|
// TODO: Inject Okta app
|
|
106
|
-
const
|
|
142
|
+
const fetchSamlAssertionForAws = (identity, config) => __awaiter(void 0, void 0, void 0, function* () {
|
|
107
143
|
const webTokenResponse = yield fetchSsoWebToken(config.provider.appId, identity);
|
|
108
144
|
const samlResponse = yield fetchSamlResponse(identity.org, webTokenResponse);
|
|
109
145
|
if (!samlResponse) {
|
|
@@ -111,5 +147,5 @@ const getSamlResponse = (identity, config) => __awaiter(void 0, void 0, void 0,
|
|
|
111
147
|
}
|
|
112
148
|
return samlResponse;
|
|
113
149
|
});
|
|
114
|
-
exports.
|
|
150
|
+
exports.fetchSamlAssertionForAws = fetchSamlAssertionForAws;
|
|
115
151
|
//# sourceMappingURL=login.js.map
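Review bot: In the new `if (!response.ok)` branch of `fetchSsoWebToken` (new lines 81–91), a 400 response has its body read by `response.json()` before `validateResponse(response)` is called on the same object. A fetch body can be read only once, so if `validateResponse` puts the body text into its message (its body is outside this section, so confirm), every 400 other than `invalid_grant` would surface a body-already-read error instead of the friendly one, and a 400 with a non-JSON body would throw a parse error at `response.json()`. Parsing a copy avoids both: `const data = yield response.clone().json().catch(() => undefined);` followed by `if (data && data.error === "invalid_grant") {`. Because this branch also calls `deleteIdentity()`, a test that only an `invalid_grant` reply clears the stored identity would be worth adding; the file is build output, so the source change belongs in `src/plugins/okta/login.ts`.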
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/plugins/okta/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAAiE;
|
|
1
|
+
{"version":3,"file":"login.js","sourceRoot":"","sources":["../../../../src/plugins/okta/login.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;GASG;AACH,iDAAsD;AACtD,8CAAiE;AACjE,6CAAoD;AAKpD,yCAIuB;AACvB,iDAAmC;AACnC,mCAA8B;AAE9B,MAAM,iBAAiB,GAAG,+CAA+C,CAAC;AAC1E,MAAM,aAAa,GAAG,2CAA2C,CAAC;AAClE,MAAM,mBAAmB,GAAG,iDAAiD,CAAC;AAC9E,MAAM,kBAAkB,GAAG,yCAAyC,CAAC;AAErE;;;;;;;GAOG;AACH,MAAM,gBAAgB,GAAG,CACvB,KAAa,EACb,EAAE,GAAG,EAAE,UAAU,EAAY,EAC7B,EAAE;IACF,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,mBAAY;QACrB,IAAI,EAAE,IAAA,iBAAS,EAAC;YACd,QAAQ,EAAE,iBAAiB,KAAK,EAAE;YAClC,SAAS,EAAE,GAAG,CAAC,QAAQ;YACvB,WAAW,EAAE,UAAU,CAAC,YAAY;YACpC,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,UAAU,CAAC,QAAQ;YAClC,kBAAkB,EAAE,aAAa;YACjC,UAAU,EAAE,mBAAmB;YAC/B,oBAAoB,EAAE,kBAAkB;SACzC,CAAC;KACH,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,SAAS,GAAG,CAAC,cAAc,kBAAkB,EAC7C,IAAI,CACL,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,KAAK,eAAe,EAAE;gBAClC,MAAM,IAAA,qBAAc,GAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;aACvE;SACF;QAED,wDAAwD;QACxD,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;KAClC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC,CAAA,CAAC;AAEF,4CAA4C;AAC5C,MAAM,iBAAiB,GAAG,CACxB,GAAY,EACZ,EAAE,YAAY,EAAiB,EAC/B,EAAE;IACF,MAAM,IAAI,GAAG;QACX,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAA,aAAI,EAAC,mBAAY,EAAE,cAAc,CAAC;KAC5C,CAAC;IACF,IAAA,8BAAsB,EAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,WACV,GAAG,CAAC,cACN,0BAA0B,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;IAC7D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,IAAA,wBAAgB,EAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,cAAc,GAAG,CAAC,CAAC,4BAA4B,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7D,OAAO,OAAO,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC,CAAA,CAAC;AAEF,
+BAA+B;AACxB,MAAM,SAAS,GAAG,CAAO,GAAY,EAAE,EAAE;IAC9C,OAAA,IAAA,iBAAS,EACP,IAAA,sBAAc,EAAC,GAAG,EAAE,oCAAoC,EAAE,GAAG,EAAE;QAC7D,IAAI,GAAG,CAAC,YAAY,KAAK,MAAM,EAAE;YAC/B,MAAM,yBAAyB,GAAG,CAAC,YAAY,oBAAoB,CAAC;SACrE;QACD,OAAO;YACL,sBAAsB,EAAE,WAAW,GAAG,CAAC,cAAc,6BAA6B;YAClF,QAAQ,EAAE,WAAW,GAAG,CAAC,cAAc,kBAAkB;SAC1D,CAAC;IACJ,CAAC,CAAC,CACH,CAAA;EAAA,CAAC;AAXS,QAAA,SAAS,aAWlB;AAEJ;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAwB;AACjB,MAAM,wBAAwB,GAAG,CACtC,QAAkB,EAClB,MAAyB,EACR,EAAE;IACnB,MAAM,gBAAgB,GAAG,MAAM,gBAAgB,CAC7C,MAAM,CAAC,QAAQ,CAAC,KAAK,EACrB,QAAQ,CACT,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAC7E,IAAI,CAAC,YAAY,EAAE;QACjB,MAAM,uCAAuC,CAAC;KAC/C;IACD,OAAO,YAAY,CAAC;AACtB,CAAC,CAAA,CAAC;AAbW,QAAA,wBAAwB,4BAanC"}
|