@rockcarver/frodo-lib 0.17.0 → 0.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/CHANGELOG.md +7 -2
  2. package/cjs/ops/AuthenticateOps.js +2 -1
  3. package/cjs/ops/AuthenticateOps.js.map +1 -1
  4. package/esm/ops/AuthenticateOps.mjs +2 -1
  5. package/package.json +1 -1
  6. package/types/ops/AuthenticateOps.d.ts.map +1 -1
package/CHANGELOG.md CHANGED
@@ -7,7 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
- ## [0.17.0] - 2022-12-18
10
+ ## [0.17.1] - 2022-12-18
11
11
 
12
12
  ### Added
13
13
 
@@ -171,8 +171,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
171
171
 
172
172
  ### Fixed
173
173
 
174
+ - \#194: Default realm is not properly detected and leading to errors
174
175
  - \#137: Error fetching logs with txId
175
176
 
177
+ ## [0.17.0] - 2022-12-18 [YANKED]
178
+
176
179
  ## [0.16.2-20] - 2022-12-17
177
180
 
178
181
  ## [0.16.2-19] - 2022-12-14
@@ -892,7 +895,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
892
895
  - Fixed problem with adding connection profiles
893
896
  - Miscellaneous bug fixes
894
897
 
895
- [Unreleased]: https://github.com/rockcarver/frodo-lib/compare/v0.17.0...HEAD
898
+ [Unreleased]: https://github.com/rockcarver/frodo-lib/compare/v0.17.1...HEAD
899
+
900
+ [0.17.1]: https://github.com/rockcarver/frodo-lib/compare/v0.17.0...v0.17.1
896
901
 
897
902
  [0.17.0]: https://github.com/rockcarver/frodo-lib/compare/v0.16.2-20...v0.17.0
898
903
 
package/cjs/ops/AuthenticateOps.js CHANGED
@@ -104,7 +104,7 @@ function checkAndHandle2FA(payload) {
104
104
  * @param {string} deploymentType deployment type
105
105
  */
106
106
  function determineDefaultRealm(deploymentType) {
107
- if (state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {
107
+ if (!state.getRealm() || state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {
108
108
  state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);
109
109
  }
110
110
  }
@@ -381,6 +381,7 @@ function _determineDeploymentTypeAndDefaultRealmAndVersion() {
381
381
  state.setDeploymentType(yield determineDeploymentType());
382
382
  }
383
383
  determineDefaultRealm(state.getDeploymentType());
384
+ (0, _Console.debugMessage)("AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: realm=".concat(state.getRealm(), ", type=").concat(state.getDeploymentType()));
384
385
  var versionInfo = (yield (0, _ServerInfoApi.getServerVersionInfo)()).data;
385
386
 
386
387
  // https://github.com/rockcarver/frodo-cli/issues/109
package/cjs/ops/AuthenticateOps.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticateOps.js","names":["adminClientPassword","redirectUrlTemplate","idmAdminScopes","serviceAccountScopes","adminClientId","determineCookieName","data","getServerInfo","debugMessage","cookieName","error","printMessage","stack","checkAndHandle2FA","payload","element","callbacks","type","input","value","includes","need2fa","output","code","readlineSync","question","determineDefaultRealm","deploymentType","state","getRealm","globalConfig","DEFAULT_REALM_KEY","setRealm","DEPLOYMENT_TYPE_REALM_MAP","determineDeploymentType","cookieValue","getCookieValue","getUseBearerTokenForAmApis","CLOUD_DEPLOYMENT_TYPE_KEY","fidcClientId","forgeopsClientId","verifier","encodeBase64Url","randomBytes","challenge","createHash","update","digest","challengeMethod","redirectURL","url","resolve","getHost","config","maxRedirects","headers","getCookieName","bodyFormData","CLASSIC_DEPLOYMENT_TYPE_KEY","authorize","e","response","status","location","indexOf","verboseMessage","ex","FORGEOPS_DEPLOYMENT_TYPE_KEY","getSemanticVersion","versionInfo","versionString","version","rx","match","Error","authenticate","username","password","response1","step","skip2FA","response2","getAuthCode","codeChallenge","codeChallengeMethod","undefined","redirectLocationURL","queryObject","parse","query","message","getAccessTokenForUser","authCode","getDeploymentType","auth","accessToken","access_token","createPayload","serviceAccountId","u","parseUrl","aud","origin","port","protocol","pathname","exp","Math","floor","Date","getTime","jti","v4","iss","sub","getAccessTokenForServiceAccount","jwk","jwt","createSignedJwtToken","determineDeploymentTypeAndDefaultRealmAndVersion","setDeploymentType","getServerVersionInfo","fullVersion","setAmVersion","getLoggedInSubject","subjectString","getUsername","name","getManagedObject","getServiceAccountId","getTokens","getPassword","getServiceAccountJwk","conn","getConnectionProfile","setHost","tenant","setUsername","setPassword","setAuthenticationService","authenticationService","setAuthenticationHeaderOverrides","authenticationHeaderOverrides","setServiceAccountId","svcacctId","setServiceAccountJwk","svcacctJwk","setCookieName","token","setBearerToken","setUseBearerTokenForAmApis","saErr","error_description","setCookieValue","getBearerToken"],"sources":["ops/AuthenticateOps.ts"],"sourcesContent":["import url from 'url';\nimport { createHash, randomBytes } from 'crypto';\nimport readlineSync from 'readline-sync';\nimport { encodeBase64Url } from '../api/utils/Base64';\nimport * as state from '../shared/State';\nimport * as globalConfig from '../storage/StaticStorage';\nimport { debugMessage, printMessage, verboseMessage } from './utils/Console';\nimport { getServerInfo, getServerVersionInfo } from '../api/ServerInfoApi';\nimport { step } from '../api/AuthenticateApi';\nimport { accessToken, authorize } from '../api/OAuth2OIDCApi';\nimport { getConnectionProfile } from './ConnectionProfileOps';\nimport { v4 } from 'uuid';\nimport { parseUrl } from '../api/utils/ApiUtils';\nimport { JwkRsa, createSignedJwtToken } from './JoseOps';\nimport { getManagedObject } from '../api/ManagedObjectApi';\n\nconst adminClientPassword = 'doesnotmatter';\nconst redirectUrlTemplate = '/platform/appAuthHelperRedirect.html';\n\nconst idmAdminScopes = 'fr:idm:* openid';\nconst serviceAccountScopes = 'fr:am:* fr:idm:* fr:idc:esv:*';\n\nlet adminClientId = 'idmAdminClient';\n\n/**\n * Helper function to get cookie name\n * @returns {String} cookie name\n */\nasync function determineCookieName() {\n try {\n const { data } = await getServerInfo();\n debugMessage(\n `AuthenticateOps.getCookieName: cookieName=${data.cookieName}`\n );\n return data.cookieName;\n } catch (error) {\n printMessage(`Error getting cookie name: ${error}`, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to determine if this is a setup mfa prompt in the ID Cloud tenant admin login journey\n * @param {Object} payload response from the previous authentication journey step\n * @returns {Object} an object indicating if 2fa is required and the original payload\n */\nfunction checkAndHandle2FA(payload) {\n // let skippable = false;\n if ('callbacks' in payload) {\n for (const element of payload.callbacks) {\n if (element.type === 'HiddenValueCallback') {\n if (element.input[0].value.includes('skip')) {\n // skippable = true;\n element.input[0].value = 'Skip';\n return {\n need2fa: true,\n payload,\n };\n }\n }\n if (element.type === 'NameCallback') {\n if (element.output[0].value.includes('code')) {\n // skippable = false;\n printMessage('2FA is enabled and required for this user...');\n const code = readlineSync.question(`${element.output[0].value}: `);\n element.input[0].value = code;\n return {\n need2fa: true,\n payload,\n };\n }\n }\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n}\n\n/**\n * Helper function to set the default realm by deployment type\n * @param {string} deploymentType deployment type\n */\nfunction determineDefaultRealm(deploymentType: string) {\n if (state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {\n state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);\n }\n}\n\n/**\n * Helper function to determine the deployment type\n * @returns {Promise<string>} deployment type\n */\nasync function determineDeploymentType(): Promise<string> {\n const cookieValue = state.getCookieValue();\n // https://bugster.forgerock.org/jira/browse/FRAAS-13018\n // There is a chance that this will be blocked due to security concerns and thus is probably best not to keep active\n // if (!cookieValue && getUseBearerTokenForAmApis()) {\n // const token = await getTokenInfo();\n // cookieValue = token.sessionToken;\n // setCookieValue(cookieValue);\n // }\n\n // if we are using a service account, we know it's cloud\n if (state.getUseBearerTokenForAmApis())\n return globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n\n const fidcClientId = 'idmAdminClient';\n const forgeopsClientId = 'idm-admin-ui';\n\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n\n const config = {\n maxRedirects: 0,\n headers: {\n [state.getCookieName()]: state.getCookieValue(),\n },\n };\n let bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${fidcClientId}&csrf=${cookieValue}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n\n let deploymentType = globalConfig.CLASSIC_DEPLOYMENT_TYPE_KEY;\n try {\n await authorize(bodyFormData, config);\n } catch (e) {\n // debugMessage(e.response);\n if (\n e.response?.status === 302 &&\n e.response.headers?.location?.indexOf('code=') > -1\n ) {\n verboseMessage(`ForgeRock Identity Cloud`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n } else {\n try {\n bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${forgeopsClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n await authorize(bodyFormData, config);\n } catch (ex) {\n if (\n ex.response?.status === 302 &&\n ex.response.headers?.location?.indexOf('code=') > -1\n ) {\n adminClientId = forgeopsClientId;\n verboseMessage(`ForgeOps deployment`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY;\n } else {\n verboseMessage(`Classic deployment`['brightCyan'] + ` detected.`);\n }\n }\n }\n }\n return deploymentType;\n}\n\n/**\n * Helper function to extract the semantic version string from a version info object\n * @param {Object} versionInfo version info object\n * @returns {String} semantic version\n */\nasync function getSemanticVersion(versionInfo) {\n if ('version' in versionInfo) {\n const versionString = versionInfo.version;\n const rx = /([\\d]\\.[\\d]\\.[\\d](\\.[\\d])*)/g;\n const version = versionString.match(rx);\n return version[0];\n }\n throw new Error('Cannot extract semantic version from version info object.');\n}\n\n/**\n * Helper function to authenticate and obtain and store session cookie\n * @returns {string} Session token or null\n */\nasync function authenticate(\n username: string,\n password: string\n): Promise<string> {\n const config = {\n headers: {\n 'X-OpenAM-Username': username,\n 'X-OpenAM-Password': password,\n },\n };\n const response1 = await step({}, config);\n const skip2FA = checkAndHandle2FA(response1);\n let response2 = {};\n if (skip2FA.need2fa) {\n response2 = await step(skip2FA.payload);\n } else {\n response2 = skip2FA.payload;\n }\n if ('tokenId' in response2) {\n return response2['tokenId'] as string;\n }\n return null;\n}\n\n/**\n * Helper function to obtain an oauth2 authorization code\n * @param {string} redirectURL oauth2 redirect uri\n * @param {string} codeChallenge PKCE code challenge\n * @param {string} codeChallengeMethod PKCE code challenge method\n * @returns {string} oauth2 authorization code or null\n */\nasync function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {\n try {\n const bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${adminClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${codeChallenge}&code_challenge_method=${codeChallengeMethod}`;\n const config = {\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n maxRedirects: 0,\n };\n let response = undefined;\n try {\n response = await authorize(bodyFormData, config);\n } catch (error) {\n response = error.response;\n }\n if (response.status < 200 || response.status > 399) {\n printMessage('error getting auth code', 'error');\n printMessage(\n 'likely cause: mismatched parameters with OAuth client config',\n 'error'\n );\n return null;\n }\n const redirectLocationURL = response.headers?.location;\n const queryObject = url.parse(redirectLocationURL, true).query;\n if ('code' in queryObject) {\n return queryObject.code;\n }\n printMessage('auth code not found', 'error');\n return null;\n } catch (error) {\n printMessage(`error getting auth code - ${error.message}`, 'error');\n printMessage(error.response?.data, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to obtain oauth2 access token\n * @returns {Promise<string | null>} access token or null\n */\nasync function getAccessTokenForUser(): Promise<string | null> {\n try {\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n const authCode = await getAuthCode(redirectURL, challenge, challengeMethod);\n if (authCode == null) {\n printMessage('error getting auth code', 'error');\n return null;\n }\n let response = null;\n if (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY) {\n const config = {\n auth: {\n username: adminClientId,\n password: adminClientPassword,\n },\n };\n const bodyFormData = `redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData, config);\n } else {\n const bodyFormData = `client_id=${adminClientId}&redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData);\n }\n if ('access_token' in response.data) {\n return response.data.access_token;\n }\n printMessage('No access token in response.', 'error');\n } catch (error) {\n debugMessage(`Error getting access token for user: ${error}`);\n debugMessage(error.response?.data);\n }\n return null;\n}\n\nfunction createPayload(serviceAccountId: string) {\n const u = parseUrl(state.getHost());\n const aud = `${u.origin}:${\n u.port ? u.port : u.protocol === 'https' ? '443' : '80'\n }${u.pathname}/oauth2/access_token`;\n\n // Cross platform way of setting JWT expiry time 3 minutes in the future, expressed as number of seconds since EPOCH\n const exp = Math.floor(new Date().getTime() / 1000 + 180);\n\n // A unique ID for the JWT which is required when requesting the openid scope\n const jti = v4();\n\n const iss = serviceAccountId;\n const sub = serviceAccountId;\n\n // Create the payload for our bearer token\n const payload = { iss, sub, aud, exp, jti };\n\n return payload;\n}\n\n/**\n * Get access token for service account\n * @param {string} serviceAccountId UUID of service account\n * @param {JwkRsa} jwk Java Wek Key\n * @returns {string | null} Access token or null\n */\nexport async function getAccessTokenForServiceAccount(\n serviceAccountId: string,\n jwk: JwkRsa\n): Promise<string | null> {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: start`);\n const payload = createPayload(serviceAccountId);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: payload:`);\n debugMessage(payload);\n const jwt = await createSignedJwtToken(payload, jwk);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: jwt:`);\n debugMessage(jwt);\n const bodyFormData = `assertion=${jwt}&client_id=service-account&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=${serviceAccountScopes}`;\n const response = await accessToken(bodyFormData);\n if ('access_token' in response.data) {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: token:`);\n debugMessage(response.data.access_token);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return response.data.access_token;\n }\n debugMessage(\n `AuthenticateOps.getAccessTokenForServiceAccount: No access token in response.`\n );\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return null;\n}\n\nasync function determineDeploymentTypeAndDefaultRealmAndVersion() {\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: start`\n );\n if (!state.getDeploymentType()) {\n state.setDeploymentType(await determineDeploymentType());\n }\n determineDefaultRealm(state.getDeploymentType());\n\n const versionInfo = (await getServerVersionInfo()).data;\n\n // https://github.com/rockcarver/frodo-cli/issues/109\n debugMessage(`Full version: ${versionInfo.fullVersion}`);\n\n const version = await getSemanticVersion(versionInfo);\n state.setAmVersion(version);\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: end`\n );\n}\n\nasync function getLoggedInSubject(): Promise<string> {\n let subjectString = `user ${state.getUsername()}`;\n if (state.getUseBearerTokenForAmApis()) {\n const name = (\n await getManagedObject('svcacct', state.getServiceAccountId(), ['name'])\n ).data.name;\n subjectString = `service account ${name} [${state.getServiceAccountId()}]`;\n }\n return subjectString;\n}\n\n/**\n * Get tokens\n * @param {boolean} save true to save a connection profile upon successful authentication, false otherwise\n * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise\n */\nexport async function getTokens(): Promise<boolean> {\n if (!state.getHost()) {\n printMessage(\n `No host specified and FRODO_HOST env variable not set!`,\n 'error'\n );\n return false;\n }\n try {\n // if username/password on cli are empty, try to read from connections.json\n if (\n state.getUsername() == null &&\n state.getPassword() == null &&\n !state.getServiceAccountId() &&\n !state.getServiceAccountJwk()\n ) {\n const conn = await getConnectionProfile();\n if (conn) {\n state.setHost(conn.tenant);\n state.setUsername(conn.username);\n state.setPassword(conn.password);\n state.setAuthenticationService(conn.authenticationService);\n state.setAuthenticationHeaderOverrides(\n conn.authenticationHeaderOverrides\n );\n state.setServiceAccountId(conn.svcacctId);\n state.setServiceAccountJwk(conn.svcacctJwk);\n } else {\n return false;\n }\n }\n // now that we have the full tenant URL we can lookup the cookie name\n state.setCookieName(await determineCookieName());\n\n // use service account to login?\n if (state.getServiceAccountId() && state.getServiceAccountJwk()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with service account ${state.getServiceAccountId()}`\n );\n try {\n const token = await getAccessTokenForServiceAccount(\n state.getServiceAccountId(),\n state.getServiceAccountJwk()\n );\n state.setBearerToken(token);\n state.setUseBearerTokenForAmApis(true);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n } catch (saErr) {\n throw new Error(\n `Service account login error: ${\n saErr.response?.data?.error_description ||\n saErr.response?.data?.message\n }`\n );\n }\n }\n // use user account to login\n else if (state.getUsername() && state.getPassword()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with user account ${state.getUsername()}`\n );\n const token = await authenticate(\n state.getUsername(),\n state.getPassword()\n );\n if (token) state.setCookieValue(token);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n if (\n state.getCookieValue() &&\n !state.getBearerToken() &&\n (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n state.getDeploymentType() ===\n globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n ) {\n const accessToken = await getAccessTokenForUser();\n if (accessToken) state.setBearerToken(accessToken);\n }\n }\n // incomplete or no credentials\n else {\n printMessage(`Incomplete or no credentials!`, 'error');\n return false;\n }\n if (\n state.getCookieValue() ||\n (state.getUseBearerTokenForAmApis() && state.getBearerToken())\n ) {\n // https://github.com/rockcarver/frodo-cli/issues/102\n printMessage(\n `Connected to ${state.getHost()} [${\n state.getRealm() ? state.getRealm() : 'root'\n }] as ${await getLoggedInSubject()}`,\n 'info'\n );\n return true;\n }\n } catch (error) {\n // regular error\n printMessage(error.message, 'error');\n // axios error am api\n printMessage(error.response?.data?.message, 'error');\n // axios error am oauth2 api\n printMessage(error.response?.data?.error_description, 'error');\n // axios error data\n debugMessage(error.response?.data);\n // stack trace\n debugMessage(error.stack || new Error().stack);\n }\n return false;\n}\n"],"mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAA2D;AAAA;AAAA;AAAA;AAAA;AAE3D,IAAMA,mBAAmB,GAAG,eAAe;AAC3C,IAAMC,mBAAmB,GAAG,sCAAsC;AAElE,IAAMC,cAAc,GAAG,iBAAiB;AACxC,IAAMC,oBAAoB,GAAG,+BAA+B;AAE5D,IAAIC,aAAa,GAAG,gBAAgB;;AAEpC;AACA;AACA;AACA;AAHA,SAIeC,mBAAmB;EAAA;AAAA;AAclC;AACA;AACA;AACA;AACA;AAJA;EAAA,yCAdA,aAAqC;IACnC,IAAI;MACF,IAAM;QAAEC;MAAK,CAAC,SAAS,IAAAC,4BAAa,GAAE;MACtC,IAAAC,qBAAY,sDACmCF,IAAI,CAACG,UAAU,EAC7D;MACD,OAAOH,IAAI,CAACG,UAAU;IACxB,CAAC,CAAC,OAAOC,KAAK,EAAE;MACd,IAAAC,qBAAY,uCAA+BD,KAAK,GAAI,OAAO,CAAC;MAC5D,IAAAF,qBAAY,EAACE,KAAK,CAACE,KAAK,CAAC;MACzB,OAAO,IAAI;IACb;EACF,CAAC;EAAA;AAAA;AAOD,SAASC,iBAAiB,CAACC,OAAO,EAAE;EAClC;EACA,IAAI,WAAW,IAAIA,OAAO,EAAE;IAC1B,KAAK,IAAMC,OAAO,IAAID,OAAO,CAACE,SAAS,EAAE;MACvC,IAAID,OAAO,CAACE,IAAI,KAAK,qBAAqB,EAAE;QAC1C,IAAIF,OAAO,CAACG,KAAK,CAAC,CAAC,CAAC,CAACC,KAAK,CAACC,QAAQ,CAAC,MAAM,CAAC,EAAE;UAC3C;UACAL,OAAO,CAACG,KAAK,CAAC,CAAC,CAAC,CAACC,KAAK,GAAG,MAAM;UAC/B,OAAO;YACLE,OAAO,EAAE,IAAI;YACbP;UACF,CAAC;QACH;MACF;MACA,IAAIC,OAAO,CAACE,IAAI,KAAK,cAAc,EAAE;QACnC,IAAIF,OAAO,CAACO,MAAM,CAAC,CAAC,CAAC,CAACH,KAAK,CAACC,QAAQ,CAAC,MAAM,CAAC,EAAE;UAC5C;UACA,IAAAT,qBAAY,EAAC,8CAA8C,CAAC;UAC5D,IAAMY,IAAI,GAAGC,qBAAY,CAACC,QAAQ,WAAIV,OAAO,CAACO,MAAM,CAAC,CAAC,CAAC,CAACH,KAAK,QAAK;UAClEJ,OAAO,CAACG,KAAK,CAAC,CAAC,CAAC,CAACC,KAAK,GAAGI,IAAI;UAC7B,OAAO;YACLF,OAAO,EAAE,IAAI;YACbP;UACF,CAAC;QACH;MACF;IACF;IACA;IACA,OAAO;MACLO,OAAO,EAAE,KAAK;MACdP;IACF,CAAC;EACH;EACA;EACA,OAAO;IACLO,OAAO,EAAE,KAAK;IACdP;EACF,CAAC;AACH;;AAEA;AACA;AACA;AACA;AACA,SAASY,qBAAqB,CAACC,cAAsB,EAAE;EACrD,IAAIC,KAAK,CAACC,QAAQ,EAAE,KAAKC,YAAY,CAACC,iBAAiB,EAAE;IACvDH,KAAK,CAACI,QAAQ,CAACF,YAAY,CAACG,yBAAyB,CAACN,cAAc,CAAC,CAAC;EACxE;AACF;;AAEA;AACA;AACA;AACA;AAHA,SAIeO,uBAAuB;EAAA;AAAA;AAgEtC;AACA;AACA;AACA;AACA;AAJA;EAAA,6CAhEA,aAA0D;IACxD,IAAMC,WAAW,GAAGP,KAAK,CAACQ,cAAc,EAAE;IAC1C;IACA;IACA;IACA;IACA;IACA;IACA;;IAEA;IACA,IAAIR,KAAK,CAACS,0BAA0B,EAAE,EACpC,OAAOP,YAAY,CAACQ,yBAAyB;IAE/C,IAAMC,YAAY,GAAG,gBAAgB;IACrC,IAAMC,gBAAgB,GAAG,cAAc;IAEvC,IAAMC,QAAQ,GAAG,IAAAC,qBAAe,EAAC,IAAAC,mBAAW,EAAC,EAAE,CAAC,CAAC;IACjD,IAAMC,SAAS,GAAG,IAAAF,qBAAe,EAC/B,IAAAG,kBAAU,EAAC,QAAQ,CAAC,CAACC,MAAM,CAACL,QAAQ,CAAC,CAACM,MAAM,EAAE,CAC/C;IACD,IAAMC,eAAe,GAAG,MAAM;IAC9B,IAAMC,WAAW,GAAGC,YAAG,CAACC,OAAO,CAACvB,KAAK,CAACwB,OAAO,EAAE,EAAEnD,mBAAmB,CAAC;IAErE,IAAMoD,MAAM,GAAG;MACbC,YAAY,EAAE,CAAC;MACfC,OAAO,EAAE;QACP,CAAC3B,KAAK,CAAC4B,aAAa,EAAE,GAAG5B,KAAK,CAACQ,cAAc;MAC/C;IACF,CAAC;IACD,IAAIqB,YAAY,0BAAmBR,WAAW,oBAAU/C,cAAc,2CAAiCqC,YAAY,mBAASJ,WAAW,4CAAkCS,SAAS,oCAA0BI,eAAe,CAAE;IAE7N,IAAIrB,cAAc,GAAGG,YAAY,CAAC4B,2BAA2B;IAC7D,IAAI;MACF,MAAM,IAAAC,wBAAS,EAACF,YAAY,EAAEJ,MAAM,CAAC;IACvC,CAAC,CAAC,OAAOO,CAAC,EAAE;MAAA;MACV;MACA,IACE,gBAAAA,CAAC,CAACC,QAAQ,gDAAV,YAAYC,MAAM,MAAK,GAAG,IAC1B,wBAAAF,CAAC,CAACC,QAAQ,CAACN,OAAO,iFAAlB,oBAAoBQ,QAAQ,0DAA5B,sBAA8BC,OAAO,CAAC,OAAO,CAAC,IAAG,CAAC,CAAC,EACnD;QACA,IAAAC,uBAAc,EAAC,2BAA2B,YAAY,CAAC,eAAe,CAAC;QACvEtC,cAAc,GAAGG,YAAY,CAACQ,yBAAyB;MACzD,CAAC,MAAM;QACL,IAAI;UACFmB,YAAY,0BAAmBR,WAAW,oBAAU/C,cAAc,2CAAiCsC,gBAAgB,mBAASZ,KAAK,CAACQ,cAAc,EAAE,4CAAkCQ,SAAS,oCAA0BI,eAAe,CAAE;UACxO,MAAM,IAAAW,wBAAS,EAACF,YAAY,EAAEJ,MAAM,CAAC;QACvC,CAAC,CAAC,OAAOa,EAAE,EAAE;UAAA;UACX,IACE,iBAAAA,EAAE,CAACL,QAAQ,iDAAX,aAAaC,MAAM,MAAK,GAAG,IAC3B,yBAAAI,EAAE,CAACL,QAAQ,CAACN,OAAO,kFAAnB,qBAAqBQ,QAAQ,0DAA7B,sBAA+BC,OAAO,CAAC,OAAO,CAAC,IAAG,CAAC,CAAC,EACpD;YACA5D,aAAa,GAAGoC,gBAAgB;YAChC,IAAAyB,uBAAc,EAAC,sBAAsB,YAAY,CAAC,eAAe,CAAC;YAClEtC,cAAc,GAAGG,YAAY,CAACqC,4BAA4B;UAC5D,CAAC,MAAM;YACL,IAAAF,uBAAc,EAAC,qBAAqB,YAAY,CAAC,eAAe,CAAC;UACnE;QACF;MACF;IACF;IACA,OAAOtC,cAAc;EACvB,CAAC;EAAA;AAAA;AAAA,SAOcyC,kBAAkB;EAAA;AAAA;AAUjC;AACA;AACA;AACA;AAHA;EAAA,wCAVA,WAAkCC,WAAW,EAAE;IAC7C,IAAI,SAAS,IAAIA,WAAW,EAAE;MAC5B,IAAMC,aAAa,GAAGD,WAAW,CAACE,OAAO;MACzC,IAAMC,EAAE,GAAG,8BAA8B;MACzC,IAAMD,OAAO,GAAGD,aAAa,CAACG,KAAK,CAACD,EAAE,CAAC;MACvC,OAAOD,OAAO,CAAC,CAAC,CAAC;IACnB;IACA,MAAM,IAAIG,KAAK,CAAC,2DAA2D,CAAC;EAC9E,CAAC;EAAA;AAAA;AAAA,SAMcC,YAAY;EAAA;AAAA;AAwB3B;AACA;AACA;AACA;AACA;AACA;AACA;AANA;EAAA,kCAxBA,WACEC,QAAgB,EAChBC,QAAgB,EACC;IACjB,IAAMxB,MAAM,GAAG;MACbE,OAAO,EAAE;QACP,mBAAmB,EAAEqB,QAAQ;QAC7B,mBAAmB,EAAEC;MACvB;IACF,CAAC;IACD,IAAMC,SAAS,SAAS,IAAAC,qBAAI,EAAC,CAAC,CAAC,EAAE1B,MAAM,CAAC;IACxC,IAAM2B,OAAO,GAAGnE,iBAAiB,CAACiE,SAAS,CAAC;IAC5C,IAAIG,SAAS,GAAG,CAAC,CAAC;IAClB,IAAID,OAAO,CAAC3D,OAAO,EAAE;MACnB4D,SAAS,SAAS,IAAAF,qBAAI,EAACC,OAAO,CAAClE,OAAO,CAAC;IACzC,CAAC,MAAM;MACLmE,SAAS,GAAGD,OAAO,CAAClE,OAAO;IAC7B;IACA,IAAI,SAAS,IAAImE,SAAS,EAAE;MAC1B,OAAOA,SAAS,CAAC,SAAS,CAAC;IAC7B;IACA,OAAO,IAAI;EACb,CAAC;EAAA;AAAA;AAAA,SAScC,WAAW;EAAA;AAAA;AAsC1B;AACA;AACA;AACA;AAHA;EAAA,iCAtCA,WAA2BjC,WAAW,EAAEkC,aAAa,EAAEC,mBAAmB,EAAE;IAC1E,IAAI;MAAA;MACF,IAAM3B,YAAY,0BAAmBR,WAAW,oBAAU/C,cAAc,2CAAiCE,aAAa,mBAASwB,KAAK,CAACQ,cAAc,EAAE,4CAAkC+C,aAAa,oCAA0BC,mBAAmB,CAAE;MACnP,IAAM/B,MAAM,GAAG;QACbE,OAAO,EAAE;UACP,cAAc,EAAE;QAClB,CAAC;QACDD,YAAY,EAAE;MAChB,CAAC;MACD,IAAIO,QAAQ,GAAGwB,SAAS;MACxB,IAAI;QACFxB,QAAQ,SAAS,IAAAF,wBAAS,EAACF,YAAY,EAAEJ,MAAM,CAAC;MAClD,CAAC,CAAC,OAAO3C,KAAK,EAAE;QACdmD,QAAQ,GAAGnD,KAAK,CAACmD,QAAQ;MAC3B;MACA,IAAIA,QAAQ,CAACC,MAAM,GAAG,GAAG,IAAID,QAAQ,CAACC,MAAM,GAAG,GAAG,EAAE;QAClD,IAAAnD,qBAAY,EAAC,yBAAyB,EAAE,OAAO,CAAC;QAChD,IAAAA,qBAAY,EACV,8DAA8D,EAC9D,OAAO,CACR;QACD,OAAO,IAAI;MACb;MACA,IAAM2E,mBAAmB,wBAAGzB,QAAQ,CAACN,OAAO,sDAAhB,kBAAkBQ,QAAQ;MACtD,IAAMwB,WAAW,GAAGrC,YAAG,CAACsC,KAAK,CAACF,mBAAmB,EAAE,IAAI,CAAC,CAACG,KAAK;MAC9D,IAAI,MAAM,IAAIF,WAAW,EAAE;QACzB,OAAOA,WAAW,CAAChE,IAAI;MACzB;MACA,IAAAZ,qBAAY,EAAC,qBAAqB,EAAE,OAAO,CAAC;MAC5C,OAAO,IAAI;IACb,CAAC,CAAC,OAAOD,KAAK,EAAE;MAAA;MACd,IAAAC,qBAAY,sCAA8BD,KAAK,CAACgF,OAAO,GAAI,OAAO,CAAC;MACnE,IAAA/E,qBAAY,qBAACD,KAAK,CAACmD,QAAQ,oDAAd,gBAAgBvD,IAAI,EAAE,OAAO,CAAC;MAC3C,IAAAE,qBAAY,EAACE,KAAK,CAACE,KAAK,CAAC;MACzB,OAAO,IAAI;IACb;EACF,CAAC;EAAA;AAAA;AAAA,SAMc+E,qBAAqB;EAAA;AAAA;AAAA;EAAA,2CAApC,aAA+D;IAC7D,IAAI;MACF,IAAMlD,QAAQ,GAAG,IAAAC,qBAAe,EAAC,IAAAC,mBAAW,EAAC,EAAE,CAAC,CAAC;MACjD,IAAMC,SAAS,GAAG,IAAAF,qBAAe,EAC/B,IAAAG,kBAAU,EAAC,QAAQ,CAAC,CAACC,MAAM,CAACL,QAAQ,CAAC,CAACM,MAAM,EAAE,CAC/C;MACD,IAAMC,eAAe,GAAG,MAAM;MAC9B,IAAMC,WAAW,GAAGC,YAAG,CAACC,OAAO,CAACvB,KAAK,CAACwB,OAAO,EAAE,EAAEnD,mBAAmB,CAAC;MACrE,IAAM2F,QAAQ,SAASV,WAAW,CAACjC,WAAW,EAAEL,SAAS,EAAEI,eAAe,CAAC;MAC3E,IAAI4C,QAAQ,IAAI,IAAI,EAAE;QACpB,IAAAjF,qBAAY,EAAC,yBAAyB,EAAE,OAAO,CAAC;QAChD,OAAO,IAAI;MACb;MACA,IAAIkD,QAAQ,GAAG,IAAI;MACnB,IAAIjC,KAAK,CAACiE,iBAAiB,EAAE,KAAK/D,YAAY,CAACQ,yBAAyB,EAAE;QACxE,IAAMe,MAAM,GAAG;UACbyC,IAAI,EAAE;YACJlB,QAAQ,EAAExE,aAAa;YACvByE,QAAQ,EAAE7E;UACZ;QACF,CAAC;QACD,IAAMyD,YAAY,0BAAmBR,WAAW,iDAAuC2C,QAAQ,4BAAkBnD,QAAQ,CAAE;QAC3HoB,QAAQ,SAAS,IAAAkC,0BAAW,EAACtC,YAAY,EAAEJ,MAAM,CAAC;MACpD,CAAC,MAAM;QACL,IAAMI,aAAY,uBAAgBrD,aAAa,2BAAiB6C,WAAW,iDAAuC2C,QAAQ,4BAAkBnD,QAAQ,CAAE;QACtJoB,QAAQ,SAAS,IAAAkC,0BAAW,EAACtC,aAAY,CAAC;MAC5C;MACA,IAAI,cAAc,IAAII,QAAQ,CAACvD,IAAI,EAAE;QACnC,OAAOuD,QAAQ,CAACvD,IAAI,CAAC0F,YAAY;MACnC;MACA,IAAArF,qBAAY,EAAC,8BAA8B,EAAE,OAAO,CAAC;IACvD,CAAC,CAAC,OAAOD,KAAK,EAAE;MAAA;MACd,IAAAF,qBAAY,iDAAyCE,KAAK,EAAG;MAC7D,IAAAF,qBAAY,sBAACE,KAAK,CAACmD,QAAQ,qDAAd,iBAAgBvD,IAAI,CAAC;IACpC;IACA,OAAO,IAAI;EACb,CAAC;EAAA;AAAA;AAED,SAAS2F,aAAa,CAACC,gBAAwB,EAAE;EAC/C,IAAMC,CAAC,GAAG,IAAAC,kBAAQ,EAACxE,KAAK,CAACwB,OAAO,EAAE,CAAC;EACnC,IAAMiD,GAAG,aAAMF,CAAC,CAACG,MAAM,cACrBH,CAAC,CAACI,IAAI,GAAGJ,CAAC,CAACI,IAAI,GAAGJ,CAAC,CAACK,QAAQ,KAAK,OAAO,GAAG,KAAK,GAAG,IAAI,SACtDL,CAAC,CAACM,QAAQ,yBAAsB;;EAEnC;EACA,IAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAAC,IAAIC,IAAI,EAAE,CAACC,OAAO,EAAE,GAAG,IAAI,GAAG,GAAG,CAAC;;EAEzD;EACA,IAAMC,GAAG,GAAG,IAAAC,QAAE,GAAE;EAEhB,IAAMC,GAAG,GAAGf,gBAAgB;EAC5B,IAAMgB,GAAG,GAAGhB,gBAAgB;;EAE5B;EACA,IAAMpF,OAAO,GAAG;IAAEmG,GAAG;IAAEC,GAAG;IAAEb,GAAG;IAAEK,GAAG;IAAEK;EAAI,CAAC;EAE3C,OAAOjG,OAAO;AAChB;;AAEA;AACA;AACA;AACA;AACA;AACA;AALA,SAMsBqG,+BAA+B;EAAA;AAAA;AAAA;EAAA,qDAA9C,WACLjB,gBAAwB,EACxBkB,GAAW,EACa;IACxB,IAAA5G,qBAAY,2DAA0D;IACtE,IAAMM,OAAO,GAAGmF,aAAa,CAACC,gBAAgB,CAAC;IAC/C,IAAA1F,qBAAY,8DAA6D;IACzE,IAAAA,qBAAY,EAACM,OAAO,CAAC;IACrB,IAAMuG,GAAG,SAAS,IAAAC,6BAAoB,EAACxG,OAAO,EAAEsG,GAAG,CAAC;IACpD,IAAA5G,qBAAY,0DAAyD;IACrE,IAAAA,qBAAY,EAAC6G,GAAG,CAAC;IACjB,IAAM5D,YAAY,uBAAgB4D,GAAG,qGAA2FlH,oBAAoB,CAAE;IACtJ,IAAM0D,QAAQ,SAAS,IAAAkC,0BAAW,EAACtC,YAAY,CAAC;IAChD,IAAI,cAAc,IAAII,QAAQ,CAACvD,IAAI,EAAE;MACnC,IAAAE,qBAAY,4DAA2D;MACvE,IAAAA,qBAAY,EAACqD,QAAQ,CAACvD,IAAI,CAAC0F,YAAY,CAAC;MACxC,IAAAxF,qBAAY,yDAAwD;MACpE,OAAOqD,QAAQ,CAACvD,IAAI,CAAC0F,YAAY;IACnC;IACA,IAAAxF,qBAAY,kFAEX;IACD,IAAAA,qBAAY,yDAAwD;IACpE,OAAO,IAAI;EACb,CAAC;EAAA;AAAA;AAAA,SAEc+G,gDAAgD;EAAA;AAAA;AAAA;EAAA,sEAA/D,aAAkE;IAChE,IAAA/G,qBAAY,4EAEX;IACD,IAAI,CAACoB,KAAK,CAACiE,iBAAiB,EAAE,EAAE;MAC9BjE,KAAK,CAAC4F,iBAAiB,OAAOtF,uBAAuB,EAAE,CAAC;IAC1D;IACAR,qBAAqB,CAACE,KAAK,CAACiE,iBAAiB,EAAE,CAAC;IAEhD,IAAMxB,WAAW,GAAG,OAAO,IAAAoD,mCAAoB,GAAE,EAAEnH,IAAI;;IAEvD;IACA,IAAAE,qBAAY,0BAAkB6D,WAAW,CAACqD,WAAW,EAAG;IAExD,IAAMnD,OAAO,SAASH,kBAAkB,CAACC,WAAW,CAAC;IACrDzC,KAAK,CAAC+F,YAAY,CAACpD,OAAO,CAAC;IAC3B,IAAA/D,qBAAY,0EAEX;EACH,CAAC;EAAA;AAAA;AAAA,SAEcoH,kBAAkB;EAAA;AAAA;AAWjC;AACA;AACA;AACA;AACA;AAJA;EAAA,wCAXA,aAAqD;IACnD,IAAIC,aAAa,kBAAWjG,KAAK,CAACkG,WAAW,EAAE,CAAE;IACjD,IAAIlG,KAAK,CAACS,0BAA0B,EAAE,EAAE;MACtC,IAAM0F,IAAI,GAAG,OACL,IAAAC,kCAAgB,EAAC,SAAS,EAAEpG,KAAK,CAACqG,mBAAmB,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,EACxE3H,IAAI,CAACyH,IAAI;MACXF,aAAa,6BAAsBE,IAAI,eAAKnG,KAAK,CAACqG,mBAAmB,EAAE,MAAG;IAC5E;IACA,OAAOJ,aAAa;EACtB,CAAC;EAAA;AAAA;AAAA,SAOqBK,SAAS;EAAA;AAAA;AAAA;EAAA,+BAAxB,aAA6C;IAClD,IAAI,CAACtG,KAAK,CAACwB,OAAO,EAAE,EAAE;MACpB,IAAAzC,qBAAY,4DAEV,OAAO,CACR;MACD,OAAO,KAAK;IACd;IACA,IAAI;MACF;MACA,IACEiB,KAAK,CAACkG,WAAW,EAAE,IAAI,IAAI,IAC3BlG,KAAK,CAACuG,WAAW,EAAE,IAAI,IAAI,IAC3B,CAACvG,KAAK,CAACqG,mBAAmB,EAAE,IAC5B,CAACrG,KAAK,CAACwG,oBAAoB,EAAE,EAC7B;QACA,IAAMC,IAAI,SAAS,IAAAC,0CAAoB,GAAE;QACzC,IAAID,IAAI,EAAE;UACRzG,KAAK,CAAC2G,OAAO,CAACF,IAAI,CAACG,MAAM,CAAC;UAC1B5G,KAAK,CAAC6G,WAAW,CAACJ,IAAI,CAACzD,QAAQ,CAAC;UAChChD,KAAK,CAAC8G,WAAW,CAACL,IAAI,CAACxD,QAAQ,CAAC;UAChCjD,KAAK,CAAC+G,wBAAwB,CAACN,IAAI,CAACO,qBAAqB,CAAC;UAC1DhH,KAAK,CAACiH,gCAAgC,CACpCR,IAAI,CAACS,6BAA6B,CACnC;UACDlH,KAAK,CAACmH,mBAAmB,CAACV,IAAI,CAACW,SAAS,CAAC;UACzCpH,KAAK,CAACqH,oBAAoB,CAACZ,IAAI,CAACa,UAAU,CAAC;QAC7C,CAAC,MAAM;UACL,OAAO,KAAK;QACd;MACF;MACA;MACAtH,KAAK,CAACuH,aAAa,OAAO9I,mBAAmB,EAAE,CAAC;;MAEhD;MACA,IAAIuB,KAAK,CAACqG,mBAAmB,EAAE,IAAIrG,KAAK,CAACwG,oBAAoB,EAAE,EAAE;QAC/D,IAAA5H,qBAAY,2EACwDoB,KAAK,CAACqG,mBAAmB,EAAE,EAC9F;QACD,IAAI;UACF,IAAMmB,KAAK,SAASjC,+BAA+B,CACjDvF,KAAK,CAACqG,mBAAmB,EAAE,EAC3BrG,KAAK,CAACwG,oBAAoB,EAAE,CAC7B;UACDxG,KAAK,CAACyH,cAAc,CAACD,KAAK,CAAC;UAC3BxH,KAAK,CAAC0H,0BAA0B,CAAC,IAAI,CAAC;UACtC,MAAM/B,gDAAgD,EAAE;QAC1D,CAAC,CAAC,OAAOgC,KAAK,EAAE;UAAA;UACd,MAAM,IAAI7E,KAAK,wCAEX,oBAAA6E,KAAK,CAAC1F,QAAQ,4EAAd,gBAAgBvD,IAAI,yDAApB,qBAAsBkJ,iBAAiB,0BACvCD,KAAK,CAAC1F,QAAQ,8EAAd,iBAAgBvD,IAAI,0DAApB,sBAAsBoF,OAAO,GAEhC;QACH;MACF;MACA;MAAA,KACK,IAAI9D,KAAK,CAACkG,WAAW,EAAE,IAAIlG,KAAK,CAACuG,WAAW,EAAE,EAAE;QACnD,IAAA3H,qBAAY,wEACqDoB,KAAK,CAACkG,WAAW,EAAE,EACnF;QACD,IAAMsB,MAAK,SAASzE,YAAY,CAC9B/C,KAAK,CAACkG,WAAW,EAAE,EACnBlG,KAAK,CAACuG,WAAW,EAAE,CACpB;QACD,IAAIiB,MAAK,EAAExH,KAAK,CAAC6H,cAAc,CAACL,MAAK,CAAC;QACtC,MAAM7B,gDAAgD,EAAE;QACxD,IACE3F,KAAK,CAACQ,cAAc,EAAE,IACtB,CAACR,KAAK,CAAC8H,cAAc,EAAE,KACtB9H,KAAK,CAACiE,iBAAiB,EAAE,KAAK/D,YAAY,CAACQ,yBAAyB,IACnEV,KAAK,CAACiE,iBAAiB,EAAE,KACvB/D,YAAY,CAACqC,4BAA4B,CAAC,EAC9C;UACA,IAAM4B,YAAW,SAASJ,qBAAqB,EAAE;UACjD,IAAII,YAAW,EAAEnE,KAAK,CAACyH,cAAc,CAACtD,YAAW,CAAC;QACpD;MACF;MACA;MAAA,KACK;QACH,IAAApF,qBAAY,mCAAkC,OAAO,CAAC;QACtD,OAAO,KAAK;MACd;MACA,IACEiB,KAAK,CAACQ,cAAc,EAAE,IACrBR,KAAK,CAACS,0BAA0B,EAAE,IAAIT,KAAK,CAAC8H,cAAc,EAAG,EAC9D;QACA;QACA,IAAA/I,qBAAY,yBACMiB,KAAK,CAACwB,OAAO,EAAE,eAC7BxB,KAAK,CAACC,QAAQ,EAAE,GAAGD,KAAK,CAACC,QAAQ,EAAE,GAAG,MAAM,wBAChC+F,kBAAkB,EAAE,GAClC,MAAM,CACP;QACD,OAAO,IAAI;MACb;IACF,CAAC,CAAC,OAAOlH,KAAK,EAAE;MAAA;MACd;MACA,IAAAC,qBAAY,EAACD,KAAK,CAACgF,OAAO,EAAE,OAAO,CAAC;MACpC;MACA,IAAA/E,qBAAY,sBAACD,KAAK,CAACmD,QAAQ,8EAAd,iBAAgBvD,IAAI,0DAApB,sBAAsBoF,OAAO,EAAE,OAAO,CAAC;MACpD;MACA,IAAA/E,qBAAY,sBAACD,KAAK,CAACmD,QAAQ,8EAAd,iBAAgBvD,IAAI,0DAApB,sBAAsBkJ,iBAAiB,EAAE,OAAO,CAAC;MAC9D;MACA,IAAAhJ,qBAAY,sBAACE,KAAK,CAACmD,QAAQ,qDAAd,iBAAgBvD,IAAI,CAAC;MAClC;MACA,IAAAE,qBAAY,EAACE,KAAK,CAACE,KAAK,IAAI,IAAI8D,KAAK,EAAE,CAAC9D,KAAK,CAAC;IAChD;IACA,OAAO,KAAK;EACd,CAAC;EAAA;AAAA"}
1
+ {"version":3,"file":"AuthenticateOps.js","names":["adminClientPassword","redirectUrlTemplate","idmAdminScopes","serviceAccountScopes","adminClientId","determineCookieName","data","getServerInfo","debugMessage","cookieName","error","printMessage","stack","checkAndHandle2FA","payload","element","callbacks","type","input","value","includes","need2fa","output","code","readlineSync","question","determineDefaultRealm","deploymentType","state","getRealm","globalConfig","DEFAULT_REALM_KEY","setRealm","DEPLOYMENT_TYPE_REALM_MAP","determineDeploymentType","cookieValue","getCookieValue","getUseBearerTokenForAmApis","CLOUD_DEPLOYMENT_TYPE_KEY","fidcClientId","forgeopsClientId","verifier","encodeBase64Url","randomBytes","challenge","createHash","update","digest","challengeMethod","redirectURL","url","resolve","getHost","config","maxRedirects","headers","getCookieName","bodyFormData","CLASSIC_DEPLOYMENT_TYPE_KEY","authorize","e","response","status","location","indexOf","verboseMessage","ex","FORGEOPS_DEPLOYMENT_TYPE_KEY","getSemanticVersion","versionInfo","versionString","version","rx","match","Error","authenticate","username","password","response1","step","skip2FA","response2","getAuthCode","codeChallenge","codeChallengeMethod","undefined","redirectLocationURL","queryObject","parse","query","message","getAccessTokenForUser","authCode","getDeploymentType","auth","accessToken","access_token","createPayload","serviceAccountId","u","parseUrl","aud","origin","port","protocol","pathname","exp","Math","floor","Date","getTime","jti","v4","iss","sub","getAccessTokenForServiceAccount","jwk","jwt","createSignedJwtToken","determineDeploymentTypeAndDefaultRealmAndVersion","setDeploymentType","getServerVersionInfo","fullVersion","setAmVersion","getLoggedInSubject","subjectString","getUsername","name","getManagedObject","getServiceAccountId","getTokens","getPassword","getServiceAccountJwk","conn","getConnectionProfile","setHost","tenant","setUsername","setPassword","setAuthenticationService","authenticationService","setAuthenticationHeaderOverrides","authenticationHeaderOverrides","setServiceAccountId","svcacctId","setServiceAccountJwk","svcacctJwk","setCookieName","token","setBearerToken","setUseBearerTokenForAmApis","saErr","error_description","setCookieValue","getBearerToken"],"sources":["ops/AuthenticateOps.ts"],"sourcesContent":["import url from 'url';\nimport { createHash, randomBytes } from 'crypto';\nimport readlineSync from 'readline-sync';\nimport { encodeBase64Url } from '../api/utils/Base64';\nimport * as state from '../shared/State';\nimport * as globalConfig from '../storage/StaticStorage';\nimport { debugMessage, printMessage, verboseMessage } from './utils/Console';\nimport { getServerInfo, getServerVersionInfo } from '../api/ServerInfoApi';\nimport { step } from '../api/AuthenticateApi';\nimport { accessToken, authorize } from '../api/OAuth2OIDCApi';\nimport { getConnectionProfile } from './ConnectionProfileOps';\nimport { v4 } from 'uuid';\nimport { parseUrl } from '../api/utils/ApiUtils';\nimport { JwkRsa, createSignedJwtToken } from './JoseOps';\nimport { getManagedObject } from '../api/ManagedObjectApi';\n\nconst adminClientPassword = 'doesnotmatter';\nconst redirectUrlTemplate = '/platform/appAuthHelperRedirect.html';\n\nconst idmAdminScopes = 'fr:idm:* openid';\nconst serviceAccountScopes = 'fr:am:* fr:idm:* fr:idc:esv:*';\n\nlet adminClientId = 'idmAdminClient';\n\n/**\n * Helper function to get cookie name\n * @returns {String} cookie name\n */\nasync function determineCookieName() {\n try {\n const { data } = await getServerInfo();\n debugMessage(\n `AuthenticateOps.getCookieName: cookieName=${data.cookieName}`\n );\n return data.cookieName;\n } catch (error) {\n printMessage(`Error getting cookie name: ${error}`, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to determine if this is a setup mfa prompt in the ID Cloud tenant admin login journey\n * @param {Object} payload response from the previous authentication journey step\n * @returns {Object} an object indicating if 2fa is required and the original payload\n */\nfunction checkAndHandle2FA(payload) {\n // let skippable = false;\n if ('callbacks' in payload) {\n for (const element of payload.callbacks) {\n if (element.type === 'HiddenValueCallback') {\n if (element.input[0].value.includes('skip')) {\n // skippable = true;\n element.input[0].value = 'Skip';\n return {\n need2fa: true,\n payload,\n };\n }\n }\n if (element.type === 'NameCallback') {\n if (element.output[0].value.includes('code')) {\n // skippable = false;\n printMessage('2FA is enabled and required for this user...');\n const code = readlineSync.question(`${element.output[0].value}: `);\n element.input[0].value = code;\n return {\n need2fa: true,\n payload,\n };\n }\n }\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n}\n\n/**\n * Helper function to set the default realm by deployment type\n * @param {string} deploymentType deployment type\n */\nfunction determineDefaultRealm(deploymentType: string) {\n if (\n !state.getRealm() ||\n state.getRealm() === globalConfig.DEFAULT_REALM_KEY\n ) {\n state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);\n }\n}\n\n/**\n * Helper function to determine the deployment type\n * @returns {Promise<string>} deployment type\n */\nasync function determineDeploymentType(): Promise<string> {\n const cookieValue = state.getCookieValue();\n // https://bugster.forgerock.org/jira/browse/FRAAS-13018\n // There is a chance that this will be blocked due to security concerns and thus is probably best not to keep active\n // if (!cookieValue && getUseBearerTokenForAmApis()) {\n // const token = await getTokenInfo();\n // cookieValue = token.sessionToken;\n // setCookieValue(cookieValue);\n // }\n\n // if we are using a service account, we know it's cloud\n if (state.getUseBearerTokenForAmApis())\n return globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n\n const fidcClientId = 'idmAdminClient';\n const forgeopsClientId = 'idm-admin-ui';\n\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n\n const config = {\n maxRedirects: 0,\n headers: {\n [state.getCookieName()]: state.getCookieValue(),\n },\n };\n let bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${fidcClientId}&csrf=${cookieValue}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n\n let deploymentType = globalConfig.CLASSIC_DEPLOYMENT_TYPE_KEY;\n try {\n await authorize(bodyFormData, config);\n } catch (e) {\n // debugMessage(e.response);\n if (\n e.response?.status === 302 &&\n e.response.headers?.location?.indexOf('code=') > -1\n ) {\n verboseMessage(`ForgeRock Identity Cloud`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n } else {\n try {\n bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${forgeopsClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n await authorize(bodyFormData, config);\n } catch (ex) {\n if (\n ex.response?.status === 302 &&\n ex.response.headers?.location?.indexOf('code=') > -1\n ) {\n adminClientId = forgeopsClientId;\n verboseMessage(`ForgeOps deployment`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY;\n } else {\n verboseMessage(`Classic deployment`['brightCyan'] + ` detected.`);\n }\n }\n }\n }\n return deploymentType;\n}\n\n/**\n * Helper function to extract the semantic version string from a version info object\n * @param {Object} versionInfo version info object\n * @returns {String} semantic version\n */\nasync function getSemanticVersion(versionInfo) {\n if ('version' in versionInfo) {\n const versionString = versionInfo.version;\n const rx = /([\\d]\\.[\\d]\\.[\\d](\\.[\\d])*)/g;\n const version = versionString.match(rx);\n return version[0];\n }\n throw new Error('Cannot extract semantic version from version info object.');\n}\n\n/**\n * Helper function to authenticate and obtain and store session cookie\n * @returns {string} Session token or null\n */\nasync function authenticate(\n username: string,\n password: string\n): Promise<string> {\n const config = {\n headers: {\n 'X-OpenAM-Username': username,\n 'X-OpenAM-Password': password,\n },\n };\n const response1 = await step({}, config);\n const skip2FA = checkAndHandle2FA(response1);\n let response2 = {};\n if (skip2FA.need2fa) {\n response2 = await step(skip2FA.payload);\n } else {\n response2 = skip2FA.payload;\n }\n if ('tokenId' in response2) {\n return response2['tokenId'] as string;\n }\n return null;\n}\n\n/**\n * Helper function to obtain an oauth2 authorization code\n * @param {string} redirectURL oauth2 redirect uri\n * @param {string} codeChallenge PKCE code challenge\n * @param {string} codeChallengeMethod PKCE code challenge method\n * @returns {string} oauth2 authorization code or null\n */\nasync function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {\n try {\n const bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${adminClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${codeChallenge}&code_challenge_method=${codeChallengeMethod}`;\n const config = {\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n maxRedirects: 0,\n };\n let response = undefined;\n try {\n response = await authorize(bodyFormData, config);\n } catch (error) {\n response = error.response;\n }\n if (response.status < 200 || response.status > 399) {\n printMessage('error getting auth code', 'error');\n printMessage(\n 'likely cause: mismatched parameters with OAuth client config',\n 'error'\n );\n return null;\n }\n const redirectLocationURL = response.headers?.location;\n const queryObject = url.parse(redirectLocationURL, true).query;\n if ('code' in queryObject) {\n return queryObject.code;\n }\n printMessage('auth code not found', 'error');\n return null;\n } catch (error) {\n printMessage(`error getting auth code - ${error.message}`, 'error');\n printMessage(error.response?.data, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to obtain oauth2 access token\n * @returns {Promise<string | null>} access token or null\n */\nasync function getAccessTokenForUser(): Promise<string | null> {\n try {\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n const authCode = await getAuthCode(redirectURL, challenge, challengeMethod);\n if (authCode == null) {\n printMessage('error getting auth code', 'error');\n return null;\n }\n let response = null;\n if (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY) {\n const config = {\n auth: {\n username: adminClientId,\n password: adminClientPassword,\n },\n };\n const bodyFormData = `redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData, config);\n } else {\n const bodyFormData = `client_id=${adminClientId}&redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData);\n }\n if ('access_token' in response.data) {\n return response.data.access_token;\n }\n printMessage('No access token in response.', 'error');\n } catch (error) {\n debugMessage(`Error getting access token for user: ${error}`);\n debugMessage(error.response?.data);\n }\n return null;\n}\n\nfunction createPayload(serviceAccountId: string) {\n const u = parseUrl(state.getHost());\n const aud = `${u.origin}:${\n u.port ? u.port : u.protocol === 'https' ? '443' : '80'\n }${u.pathname}/oauth2/access_token`;\n\n // Cross platform way of setting JWT expiry time 3 minutes in the future, expressed as number of seconds since EPOCH\n const exp = Math.floor(new Date().getTime() / 1000 + 180);\n\n // A unique ID for the JWT which is required when requesting the openid scope\n const jti = v4();\n\n const iss = serviceAccountId;\n const sub = serviceAccountId;\n\n // Create the payload for our bearer token\n const payload = { iss, sub, aud, exp, jti };\n\n return payload;\n}\n\n/**\n * Get access token for service account\n * @param {string} serviceAccountId UUID of service account\n * @param {JwkRsa} jwk Java Wek Key\n * @returns {string | null} Access token or null\n */\nexport async function getAccessTokenForServiceAccount(\n serviceAccountId: string,\n jwk: JwkRsa\n): Promise<string | null> {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: start`);\n const payload = createPayload(serviceAccountId);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: payload:`);\n debugMessage(payload);\n const jwt = await createSignedJwtToken(payload, jwk);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: jwt:`);\n debugMessage(jwt);\n const bodyFormData = `assertion=${jwt}&client_id=service-account&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=${serviceAccountScopes}`;\n const response = await accessToken(bodyFormData);\n if ('access_token' in response.data) {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: token:`);\n debugMessage(response.data.access_token);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return response.data.access_token;\n }\n debugMessage(\n `AuthenticateOps.getAccessTokenForServiceAccount: No access token in response.`\n );\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return null;\n}\n\nasync function determineDeploymentTypeAndDefaultRealmAndVersion() {\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: start`\n );\n if (!state.getDeploymentType()) {\n state.setDeploymentType(await determineDeploymentType());\n }\n determineDefaultRealm(state.getDeploymentType());\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: realm=${state.getRealm()}, type=${state.getDeploymentType()}`\n );\n\n const versionInfo = (await getServerVersionInfo()).data;\n\n // https://github.com/rockcarver/frodo-cli/issues/109\n debugMessage(`Full version: ${versionInfo.fullVersion}`);\n\n const version = await getSemanticVersion(versionInfo);\n state.setAmVersion(version);\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: end`\n );\n}\n\nasync function getLoggedInSubject(): Promise<string> {\n let subjectString = `user ${state.getUsername()}`;\n if (state.getUseBearerTokenForAmApis()) {\n const name = (\n await getManagedObject('svcacct', state.getServiceAccountId(), ['name'])\n ).data.name;\n subjectString = `service account ${name} [${state.getServiceAccountId()}]`;\n }\n return subjectString;\n}\n\n/**\n * Get tokens\n * @param {boolean} save true to save a connection profile upon successful authentication, false otherwise\n * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise\n */\nexport async function getTokens(): Promise<boolean> {\n if (!state.getHost()) {\n printMessage(\n `No host specified and FRODO_HOST env variable not set!`,\n 'error'\n );\n return false;\n }\n try {\n // if username/password on cli are empty, try to read from connections.json\n if (\n state.getUsername() == null &&\n state.getPassword() == null &&\n !state.getServiceAccountId() &&\n !state.getServiceAccountJwk()\n ) {\n const conn = await getConnectionProfile();\n if (conn) {\n state.setHost(conn.tenant);\n state.setUsername(conn.username);\n state.setPassword(conn.password);\n state.setAuthenticationService(conn.authenticationService);\n state.setAuthenticationHeaderOverrides(\n conn.authenticationHeaderOverrides\n );\n state.setServiceAccountId(conn.svcacctId);\n state.setServiceAccountJwk(conn.svcacctJwk);\n } else {\n return false;\n }\n }\n // now that we have the full tenant URL we can lookup the cookie name\n state.setCookieName(await determineCookieName());\n\n // use service account to login?\n if (state.getServiceAccountId() && state.getServiceAccountJwk()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with service account ${state.getServiceAccountId()}`\n );\n try {\n const token = await getAccessTokenForServiceAccount(\n state.getServiceAccountId(),\n state.getServiceAccountJwk()\n );\n state.setBearerToken(token);\n state.setUseBearerTokenForAmApis(true);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n } catch (saErr) {\n throw new Error(\n `Service account login error: ${\n saErr.response?.data?.error_description ||\n saErr.response?.data?.message\n }`\n );\n }\n }\n // use user account to login\n else if (state.getUsername() && state.getPassword()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with user account ${state.getUsername()}`\n );\n const token = await authenticate(\n state.getUsername(),\n state.getPassword()\n );\n if (token) state.setCookieValue(token);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n if (\n state.getCookieValue() &&\n !state.getBearerToken() &&\n (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n state.getDeploymentType() ===\n globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n ) {\n const accessToken = await getAccessTokenForUser();\n if (accessToken) state.setBearerToken(accessToken);\n }\n }\n // incomplete or no credentials\n else {\n printMessage(`Incomplete or no credentials!`, 'error');\n return false;\n }\n if (\n state.getCookieValue() ||\n (state.getUseBearerTokenForAmApis() && state.getBearerToken())\n ) {\n // https://github.com/rockcarver/frodo-cli/issues/102\n printMessage(\n `Connected to ${state.getHost()} [${\n state.getRealm() ? state.getRealm() : 'root'\n }] as ${await getLoggedInSubject()}`,\n 'info'\n );\n return true;\n }\n } catch (error) {\n // regular error\n printMessage(error.message, 'error');\n // axios error am api\n printMessage(error.response?.data?.message, 'error');\n // axios error am oauth2 api\n printMessage(error.response?.data?.error_description, 'error');\n // axios error data\n debugMessage(error.response?.data);\n // stack trace\n debugMessage(error.stack || new Error().stack);\n }\n return false;\n}\n"],"mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAA2D;AAAA;AAAA;AAAA;AAAA;AAE3D,IAAMA,mBAAmB,GAAG,eAAe;AAC3C,IAAMC,mBAAmB,GAAG,sCAAsC;AAElE,IAAMC,cAAc,GAAG,iBAAiB;AACxC,IAAMC,oBAAoB,GAAG,+BAA+B;AAE5D,IAAIC,aAAa,GAAG,gBAAgB;;AAEpC;AACA;AACA;AACA;AAHA,SAIeC,mBAAmB;EAAA;AAAA;AAclC;AACA;AACA;AACA;AACA;AAJA;EAAA,yCAdA,aAAqC;IACnC,IAAI;MACF,IAAM;QAAEC;MAAK,CAAC,SAAS,IAAAC,4BAAa,GAAE;MACtC,IAAAC,qBAAY,sDACmCF,IAAI,CAACG,UAAU,EAC7D;MACD,OAAOH,IAAI,CAACG,UAAU;IACxB,CAAC,CAAC,OAAOC,KAAK,EAAE;MACd,IAAAC,qBAAY,uCAA+BD,KAAK,GAAI,OAAO,CAAC;MAC5D,IAAAF,qBAAY,EAACE,KAAK,CAACE,KAAK,CAAC;MACzB,OAAO,IAAI;IACb;EACF,CAAC;EAAA;AAAA;AAOD,SAASC,iBAAiB,CAACC,OAAO,EAAE;EAClC;EACA,IAAI,WAAW,IAAIA,OAAO,EAAE;IAC1B,KAAK,IAAMC,OAAO,IAAID,OAAO,CAACE,SAAS,EAAE;MACvC,IAAID,OAAO,CAACE,IAAI,KAAK,qBAAqB,EAAE;QAC1C,IAAIF,OAAO,CAACG,KAAK,CAAC,CAAC,CAAC,CAACC,KAAK,CAACC,QAAQ,CAAC,MAAM,CAAC,EAAE;UAC3C;UACAL,OAAO,CAACG,KAAK,CAAC,CAAC,CAAC,CAACC,KAAK,GAAG,MAAM;UAC/B,OAAO;YACLE,OAAO,EAAE,IAAI;YACbP;UACF,CAAC;QACH;MACF;MACA,IAAIC,OAAO,CAACE,IAAI,KAAK,cAAc,EAAE;QACnC,IAAIF,OAAO,CAACO,MAAM,CAAC,CAAC,CAAC,CAACH,KAAK,CAACC,QAAQ,CAAC,MAAM,CAAC,EAAE;UAC5C;UACA,IAAAT,qBAAY,EAAC,8CAA8C,CAAC;UAC5D,IAAMY,IAAI,GAAGC,qBAAY,CAACC,QAAQ,WAAIV,OAAO,CAACO,MAAM,CAAC,CAAC,CAAC,CAACH,KAAK,QAAK;UAClEJ,OAAO,CAACG,KAAK,CAAC,CAAC,CAAC,CAACC,KAAK,GAAGI,IAAI;UAC7B,OAAO;YACLF,OAAO,EAAE,IAAI;YACbP;UACF,CAAC;QACH;MACF;IACF;IACA;IACA,OAAO;MACLO,OAAO,EAAE,KAAK;MACdP;IACF,CAAC;EACH;EACA;EACA,OAAO;IACLO,OAAO,EAAE,KAAK;IACdP;EACF,CAAC;AACH;;AAEA;AACA;AACA;AACA;AACA,SAASY,qBAAqB,CAACC,cAAsB,EAAE;EACrD,IACE,CAACC,KAAK,CAACC,QAAQ,EAAE,IACjBD,KAAK,CAACC,QAAQ,EAAE,KAAKC,YAAY,CAACC,iBAAiB,EACnD;IACAH,KAAK,CAACI,QAAQ,CAACF,YAAY,CAACG,yBAAyB,CAACN,cAAc,CAAC,CAAC;EACxE;AACF;;AAEA;AACA;AACA;AACA;AAHA,SAIeO,uBAAuB;EAAA;AAAA;AAgEtC;AACA;AACA;AACA;AACA;AAJA;EAAA,6CAhEA,aAA0D;IACxD,IAAMC,WAAW,GAAGP,KAAK,CAACQ,cAAc,EAAE;IAC1C;IACA;IACA;IACA;IACA;IACA;IACA;;IAEA;IACA,IAAIR,KAAK,CAACS,0BAA0B,EAAE,EACpC,OAAOP,YAAY,CAACQ,yBAAyB;IAE/C,IAAMC,YAAY,GAAG,gBAAgB;IACrC,IAAMC,gBAAgB,GAAG,cAAc;IAEvC,IAAMC,QAAQ,GAAG,IAAAC,qBAAe,EAAC,IAAAC,mBAAW,EAAC,EAAE,CAAC,CAAC;IACjD,IAAMC,SAAS,GAAG,IAAAF,qBAAe,EAC/B,IAAAG,kBAAU,EAAC,QAAQ,CAAC,CAACC,MAAM,CAACL,QAAQ,CAAC,CAACM,MAAM,EAAE,CAC/C;IACD,IAAMC,eAAe,GAAG,MAAM;IAC9B,IAAMC,WAAW,GAAGC,YAAG,CAACC,OAAO,CAACvB,KAAK,CAACwB,OAAO,EAAE,EAAEnD,mBAAmB,CAAC;IAErE,IAAMoD,MAAM,GAAG;MACbC,YAAY,EAAE,CAAC;MACfC,OAAO,EAAE;QACP,CAAC3B,KAAK,CAAC4B,aAAa,EAAE,GAAG5B,KAAK,CAACQ,cAAc;MAC/C;IACF,CAAC;IACD,IAAIqB,YAAY,0BAAmBR,WAAW,oBAAU/C,cAAc,2CAAiCqC,YAAY,mBAASJ,WAAW,4CAAkCS,SAAS,oCAA0BI,eAAe,CAAE;IAE7N,IAAIrB,cAAc,GAAGG,YAAY,CAAC4B,2BAA2B;IAC7D,IAAI;MACF,MAAM,IAAAC,wBAAS,EAACF,YAAY,EAAEJ,MAAM,CAAC;IACvC,CAAC,CAAC,OAAOO,CAAC,EAAE;MAAA;MACV;MACA,IACE,gBAAAA,CAAC,CAACC,QAAQ,gDAAV,YAAYC,MAAM,MAAK,GAAG,IAC1B,wBAAAF,CAAC,CAACC,QAAQ,CAACN,OAAO,iFAAlB,oBAAoBQ,QAAQ,0DAA5B,sBAA8BC,OAAO,CAAC,OAAO,CAAC,IAAG,CAAC,CAAC,EACnD;QACA,IAAAC,uBAAc,EAAC,2BAA2B,YAAY,CAAC,eAAe,CAAC;QACvEtC,cAAc,GAAGG,YAAY,CAACQ,yBAAyB;MACzD,CAAC,MAAM;QACL,IAAI;UACFmB,YAAY,0BAAmBR,WAAW,oBAAU/C,cAAc,2CAAiCsC,gBAAgB,mBAASZ,KAAK,CAACQ,cAAc,EAAE,4CAAkCQ,SAAS,oCAA0BI,eAAe,CAAE;UACxO,MAAM,IAAAW,wBAAS,EAACF,YAAY,EAAEJ,MAAM,CAAC;QACvC,CAAC,CAAC,OAAOa,EAAE,EAAE;UAAA;UACX,IACE,iBAAAA,EAAE,CAACL,QAAQ,iDAAX,aAAaC,MAAM,MAAK,GAAG,IAC3B,yBAAAI,EAAE,CAACL,QAAQ,CAACN,OAAO,kFAAnB,qBAAqBQ,QAAQ,0DAA7B,sBAA+BC,OAAO,CAAC,OAAO,CAAC,IAAG,CAAC,CAAC,EACpD;YACA5D,aAAa,GAAGoC,gBAAgB;YAChC,IAAAyB,uBAAc,EAAC,sBAAsB,YAAY,CAAC,eAAe,CAAC;YAClEtC,cAAc,GAAGG,YAAY,CAACqC,4BAA4B;UAC5D,CAAC,MAAM;YACL,IAAAF,uBAAc,EAAC,qBAAqB,YAAY,CAAC,eAAe,CAAC;UACnE;QACF;MACF;IACF;IACA,OAAOtC,cAAc;EACvB,CAAC;EAAA;AAAA;AAAA,SAOcyC,kBAAkB;EAAA;AAAA;AAUjC;AACA;AACA;AACA;AAHA;EAAA,wCAVA,WAAkCC,WAAW,EAAE;IAC7C,IAAI,SAAS,IAAIA,WAAW,EAAE;MAC5B,IAAMC,aAAa,GAAGD,WAAW,CAACE,OAAO;MACzC,IAAMC,EAAE,GAAG,8BAA8B;MACzC,IAAMD,OAAO,GAAGD,aAAa,CAACG,KAAK,CAACD,EAAE,CAAC;MACvC,OAAOD,OAAO,CAAC,CAAC,CAAC;IACnB;IACA,MAAM,IAAIG,KAAK,CAAC,2DAA2D,CAAC;EAC9E,CAAC;EAAA;AAAA;AAAA,SAMcC,YAAY;EAAA;AAAA;AAwB3B;AACA;AACA;AACA;AACA;AACA;AACA;AANA;EAAA,kCAxBA,WACEC,QAAgB,EAChBC,QAAgB,EACC;IACjB,IAAMxB,MAAM,GAAG;MACbE,OAAO,EAAE;QACP,mBAAmB,EAAEqB,QAAQ;QAC7B,mBAAmB,EAAEC;MACvB;IACF,CAAC;IACD,IAAMC,SAAS,SAAS,IAAAC,qBAAI,EAAC,CAAC,CAAC,EAAE1B,MAAM,CAAC;IACxC,IAAM2B,OAAO,GAAGnE,iBAAiB,CAACiE,SAAS,CAAC;IAC5C,IAAIG,SAAS,GAAG,CAAC,CAAC;IAClB,IAAID,OAAO,CAAC3D,OAAO,EAAE;MACnB4D,SAAS,SAAS,IAAAF,qBAAI,EAACC,OAAO,CAAClE,OAAO,CAAC;IACzC,CAAC,MAAM;MACLmE,SAAS,GAAGD,OAAO,CAAClE,OAAO;IAC7B;IACA,IAAI,SAAS,IAAImE,SAAS,EAAE;MAC1B,OAAOA,SAAS,CAAC,SAAS,CAAC;IAC7B;IACA,OAAO,IAAI;EACb,CAAC;EAAA;AAAA;AAAA,SAScC,WAAW;EAAA;AAAA;AAsC1B;AACA;AACA;AACA;AAHA;EAAA,iCAtCA,WAA2BjC,WAAW,EAAEkC,aAAa,EAAEC,mBAAmB,EAAE;IAC1E,IAAI;MAAA;MACF,IAAM3B,YAAY,0BAAmBR,WAAW,oBAAU/C,cAAc,2CAAiCE,aAAa,mBAASwB,KAAK,CAACQ,cAAc,EAAE,4CAAkC+C,aAAa,oCAA0BC,mBAAmB,CAAE;MACnP,IAAM/B,MAAM,GAAG;QACbE,OAAO,EAAE;UACP,cAAc,EAAE;QAClB,CAAC;QACDD,YAAY,EAAE;MAChB,CAAC;MACD,IAAIO,QAAQ,GAAGwB,SAAS;MACxB,IAAI;QACFxB,QAAQ,SAAS,IAAAF,wBAAS,EAACF,YAAY,EAAEJ,MAAM,CAAC;MAClD,CAAC,CAAC,OAAO3C,KAAK,EAAE;QACdmD,QAAQ,GAAGnD,KAAK,CAACmD,QAAQ;MAC3B;MACA,IAAIA,QAAQ,CAACC,MAAM,GAAG,GAAG,IAAID,QAAQ,CAACC,MAAM,GAAG,GAAG,EAAE;QAClD,IAAAnD,qBAAY,EAAC,yBAAyB,EAAE,OAAO,CAAC;QAChD,IAAAA,qBAAY,EACV,8DAA8D,EAC9D,OAAO,CACR;QACD,OAAO,IAAI;MACb;MACA,IAAM2E,mBAAmB,wBAAGzB,QAAQ,CAACN,OAAO,sDAAhB,kBAAkBQ,QAAQ;MACtD,IAAMwB,WAAW,GAAGrC,YAAG,CAACsC,KAAK,CAACF,mBAAmB,EAAE,IAAI,CAAC,CAACG,KAAK;MAC9D,IAAI,MAAM,IAAIF,WAAW,EAAE;QACzB,OAAOA,WAAW,CAAChE,IAAI;MACzB;MACA,IAAAZ,qBAAY,EAAC,qBAAqB,EAAE,OAAO,CAAC;MAC5C,OAAO,IAAI;IACb,CAAC,CAAC,OAAOD,KAAK,EAAE;MAAA;MACd,IAAAC,qBAAY,sCAA8BD,KAAK,CAACgF,OAAO,GAAI,OAAO,CAAC;MACnE,IAAA/E,qBAAY,qBAACD,KAAK,CAACmD,QAAQ,oDAAd,gBAAgBvD,IAAI,EAAE,OAAO,CAAC;MAC3C,IAAAE,qBAAY,EAACE,KAAK,CAACE,KAAK,CAAC;MACzB,OAAO,IAAI;IACb;EACF,CAAC;EAAA;AAAA;AAAA,SAMc+E,qBAAqB;EAAA;AAAA;AAAA;EAAA,2CAApC,aAA+D;IAC7D,IAAI;MACF,IAAMlD,QAAQ,GAAG,IAAAC,qBAAe,EAAC,IAAAC,mBAAW,EAAC,EAAE,CAAC,CAAC;MACjD,IAAMC,SAAS,GAAG,IAAAF,qBAAe,EAC/B,IAAAG,kBAAU,EAAC,QAAQ,CAAC,CAACC,MAAM,CAACL,QAAQ,CAAC,CAACM,MAAM,EAAE,CAC/C;MACD,IAAMC,eAAe,GAAG,MAAM;MAC9B,IAAMC,WAAW,GAAGC,YAAG,CAACC,OAAO,CAACvB,KAAK,CAACwB,OAAO,EAAE,EAAEnD,mBAAmB,CAAC;MACrE,IAAM2F,QAAQ,SAASV,WAAW,CAACjC,WAAW,EAAEL,SAAS,EAAEI,eAAe,CAAC;MAC3E,IAAI4C,QAAQ,IAAI,IAAI,EAAE;QACpB,IAAAjF,qBAAY,EAAC,yBAAyB,EAAE,OAAO,CAAC;QAChD,OAAO,IAAI;MACb;MACA,IAAIkD,QAAQ,GAAG,IAAI;MACnB,IAAIjC,KAAK,CAACiE,iBAAiB,EAAE,KAAK/D,YAAY,CAACQ,yBAAyB,EAAE;QACxE,IAAMe,MAAM,GAAG;UACbyC,IAAI,EAAE;YACJlB,QAAQ,EAAExE,aAAa;YACvByE,QAAQ,EAAE7E;UACZ;QACF,CAAC;QACD,IAAMyD,YAAY,0BAAmBR,WAAW,iDAAuC2C,QAAQ,4BAAkBnD,QAAQ,CAAE;QAC3HoB,QAAQ,SAAS,IAAAkC,0BAAW,EAACtC,YAAY,EAAEJ,MAAM,CAAC;MACpD,CAAC,MAAM;QACL,IAAMI,aAAY,uBAAgBrD,aAAa,2BAAiB6C,WAAW,iDAAuC2C,QAAQ,4BAAkBnD,QAAQ,CAAE;QACtJoB,QAAQ,SAAS,IAAAkC,0BAAW,EAACtC,aAAY,CAAC;MAC5C;MACA,IAAI,cAAc,IAAII,QAAQ,CAACvD,IAAI,EAAE;QACnC,OAAOuD,QAAQ,CAACvD,IAAI,CAAC0F,YAAY;MACnC;MACA,IAAArF,qBAAY,EAAC,8BAA8B,EAAE,OAAO,CAAC;IACvD,CAAC,CAAC,OAAOD,KAAK,EAAE;MAAA;MACd,IAAAF,qBAAY,iDAAyCE,KAAK,EAAG;MAC7D,IAAAF,qBAAY,sBAACE,KAAK,CAACmD,QAAQ,qDAAd,iBAAgBvD,IAAI,CAAC;IACpC;IACA,OAAO,IAAI;EACb,CAAC;EAAA;AAAA;AAED,SAAS2F,aAAa,CAACC,gBAAwB,EAAE;EAC/C,IAAMC,CAAC,GAAG,IAAAC,kBAAQ,EAACxE,KAAK,CAACwB,OAAO,EAAE,CAAC;EACnC,IAAMiD,GAAG,aAAMF,CAAC,CAACG,MAAM,cACrBH,CAAC,CAACI,IAAI,GAAGJ,CAAC,CAACI,IAAI,GAAGJ,CAAC,CAACK,QAAQ,KAAK,OAAO,GAAG,KAAK,GAAG,IAAI,SACtDL,CAAC,CAACM,QAAQ,yBAAsB;;EAEnC;EACA,IAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAAC,IAAIC,IAAI,EAAE,CAACC,OAAO,EAAE,GAAG,IAAI,GAAG,GAAG,CAAC;;EAEzD;EACA,IAAMC,GAAG,GAAG,IAAAC,QAAE,GAAE;EAEhB,IAAMC,GAAG,GAAGf,gBAAgB;EAC5B,IAAMgB,GAAG,GAAGhB,gBAAgB;;EAE5B;EACA,IAAMpF,OAAO,GAAG;IAAEmG,GAAG;IAAEC,GAAG;IAAEb,GAAG;IAAEK,GAAG;IAAEK;EAAI,CAAC;EAE3C,OAAOjG,OAAO;AAChB;;AAEA;AACA;AACA;AACA;AACA;AACA;AALA,SAMsBqG,+BAA+B;EAAA;AAAA;AAAA;EAAA,qDAA9C,WACLjB,gBAAwB,EACxBkB,GAAW,EACa;IACxB,IAAA5G,qBAAY,2DAA0D;IACtE,IAAMM,OAAO,GAAGmF,aAAa,CAACC,gBAAgB,CAAC;IAC/C,IAAA1F,qBAAY,8DAA6D;IACzE,IAAAA,qBAAY,EAACM,OAAO,CAAC;IACrB,IAAMuG,GAAG,SAAS,IAAAC,6BAAoB,EAACxG,OAAO,EAAEsG,GAAG,CAAC;IACpD,IAAA5G,qBAAY,0DAAyD;IACrE,IAAAA,qBAAY,EAAC6G,GAAG,CAAC;IACjB,IAAM5D,YAAY,uBAAgB4D,GAAG,qGAA2FlH,oBAAoB,CAAE;IACtJ,IAAM0D,QAAQ,SAAS,IAAAkC,0BAAW,EAACtC,YAAY,CAAC;IAChD,IAAI,cAAc,IAAII,QAAQ,CAACvD,IAAI,EAAE;MACnC,IAAAE,qBAAY,4DAA2D;MACvE,IAAAA,qBAAY,EAACqD,QAAQ,CAACvD,IAAI,CAAC0F,YAAY,CAAC;MACxC,IAAAxF,qBAAY,yDAAwD;MACpE,OAAOqD,QAAQ,CAACvD,IAAI,CAAC0F,YAAY;IACnC;IACA,IAAAxF,qBAAY,kFAEX;IACD,IAAAA,qBAAY,yDAAwD;IACpE,OAAO,IAAI;EACb,CAAC;EAAA;AAAA;AAAA,SAEc+G,gDAAgD;EAAA;AAAA;AAAA;EAAA,sEAA/D,aAAkE;IAChE,IAAA/G,qBAAY,4EAEX;IACD,IAAI,CAACoB,KAAK,CAACiE,iBAAiB,EAAE,EAAE;MAC9BjE,KAAK,CAAC4F,iBAAiB,OAAOtF,uBAAuB,EAAE,CAAC;IAC1D;IACAR,qBAAqB,CAACE,KAAK,CAACiE,iBAAiB,EAAE,CAAC;IAChD,IAAArF,qBAAY,oFACiEoB,KAAK,CAACC,QAAQ,EAAE,oBAAUD,KAAK,CAACiE,iBAAiB,EAAE,EAC/H;IAED,IAAMxB,WAAW,GAAG,OAAO,IAAAoD,mCAAoB,GAAE,EAAEnH,IAAI;;IAEvD;IACA,IAAAE,qBAAY,0BAAkB6D,WAAW,CAACqD,WAAW,EAAG;IAExD,IAAMnD,OAAO,SAASH,kBAAkB,CAACC,WAAW,CAAC;IACrDzC,KAAK,CAAC+F,YAAY,CAACpD,OAAO,CAAC;IAC3B,IAAA/D,qBAAY,0EAEX;EACH,CAAC;EAAA;AAAA;AAAA,SAEcoH,kBAAkB;EAAA;AAAA;AAWjC;AACA;AACA;AACA;AACA;AAJA;EAAA,wCAXA,aAAqD;IACnD,IAAIC,aAAa,kBAAWjG,KAAK,CAACkG,WAAW,EAAE,CAAE;IACjD,IAAIlG,KAAK,CAACS,0BAA0B,EAAE,EAAE;MACtC,IAAM0F,IAAI,GAAG,OACL,IAAAC,kCAAgB,EAAC,SAAS,EAAEpG,KAAK,CAACqG,mBAAmB,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,EACxE3H,IAAI,CAACyH,IAAI;MACXF,aAAa,6BAAsBE,IAAI,eAAKnG,KAAK,CAACqG,mBAAmB,EAAE,MAAG;IAC5E;IACA,OAAOJ,aAAa;EACtB,CAAC;EAAA;AAAA;AAAA,SAOqBK,SAAS;EAAA;AAAA;AAAA;EAAA,+BAAxB,aAA6C;IAClD,IAAI,CAACtG,KAAK,CAACwB,OAAO,EAAE,EAAE;MACpB,IAAAzC,qBAAY,4DAEV,OAAO,CACR;MACD,OAAO,KAAK;IACd;IACA,IAAI;MACF;MACA,IACEiB,KAAK,CAACkG,WAAW,EAAE,IAAI,IAAI,IAC3BlG,KAAK,CAACuG,WAAW,EAAE,IAAI,IAAI,IAC3B,CAACvG,KAAK,CAACqG,mBAAmB,EAAE,IAC5B,CAACrG,KAAK,CAACwG,oBAAoB,EAAE,EAC7B;QACA,IAAMC,IAAI,SAAS,IAAAC,0CAAoB,GAAE;QACzC,IAAID,IAAI,EAAE;UACRzG,KAAK,CAAC2G,OAAO,CAACF,IAAI,CAACG,MAAM,CAAC;UAC1B5G,KAAK,CAAC6G,WAAW,CAACJ,IAAI,CAACzD,QAAQ,CAAC;UAChChD,KAAK,CAAC8G,WAAW,CAACL,IAAI,CAACxD,QAAQ,CAAC;UAChCjD,KAAK,CAAC+G,wBAAwB,CAACN,IAAI,CAACO,qBAAqB,CAAC;UAC1DhH,KAAK,CAACiH,gCAAgC,CACpCR,IAAI,CAACS,6BAA6B,CACnC;UACDlH,KAAK,CAACmH,mBAAmB,CAACV,IAAI,CAACW,SAAS,CAAC;UACzCpH,KAAK,CAACqH,oBAAoB,CAACZ,IAAI,CAACa,UAAU,CAAC;QAC7C,CAAC,MAAM;UACL,OAAO,KAAK;QACd;MACF;MACA;MACAtH,KAAK,CAACuH,aAAa,OAAO9I,mBAAmB,EAAE,CAAC;;MAEhD;MACA,IAAIuB,KAAK,CAACqG,mBAAmB,EAAE,IAAIrG,KAAK,CAACwG,oBAAoB,EAAE,EAAE;QAC/D,IAAA5H,qBAAY,2EACwDoB,KAAK,CAACqG,mBAAmB,EAAE,EAC9F;QACD,IAAI;UACF,IAAMmB,KAAK,SAASjC,+BAA+B,CACjDvF,KAAK,CAACqG,mBAAmB,EAAE,EAC3BrG,KAAK,CAACwG,oBAAoB,EAAE,CAC7B;UACDxG,KAAK,CAACyH,cAAc,CAACD,KAAK,CAAC;UAC3BxH,KAAK,CAAC0H,0BAA0B,CAAC,IAAI,CAAC;UACtC,MAAM/B,gDAAgD,EAAE;QAC1D,CAAC,CAAC,OAAOgC,KAAK,EAAE;UAAA;UACd,MAAM,IAAI7E,KAAK,wCAEX,oBAAA6E,KAAK,CAAC1F,QAAQ,4EAAd,gBAAgBvD,IAAI,yDAApB,qBAAsBkJ,iBAAiB,0BACvCD,KAAK,CAAC1F,QAAQ,8EAAd,iBAAgBvD,IAAI,0DAApB,sBAAsBoF,OAAO,GAEhC;QACH;MACF;MACA;MAAA,KACK,IAAI9D,KAAK,CAACkG,WAAW,EAAE,IAAIlG,KAAK,CAACuG,WAAW,EAAE,EAAE;QACnD,IAAA3H,qBAAY,wEACqDoB,KAAK,CAACkG,WAAW,EAAE,EACnF;QACD,IAAMsB,MAAK,SAASzE,YAAY,CAC9B/C,KAAK,CAACkG,WAAW,EAAE,EACnBlG,KAAK,CAACuG,WAAW,EAAE,CACpB;QACD,IAAIiB,MAAK,EAAExH,KAAK,CAAC6H,cAAc,CAACL,MAAK,CAAC;QACtC,MAAM7B,gDAAgD,EAAE;QACxD,IACE3F,KAAK,CAACQ,cAAc,EAAE,IACtB,CAACR,KAAK,CAAC8H,cAAc,EAAE,KACtB9H,KAAK,CAACiE,iBAAiB,EAAE,KAAK/D,YAAY,CAACQ,yBAAyB,IACnEV,KAAK,CAACiE,iBAAiB,EAAE,KACvB/D,YAAY,CAACqC,4BAA4B,CAAC,EAC9C;UACA,IAAM4B,YAAW,SAASJ,qBAAqB,EAAE;UACjD,IAAII,YAAW,EAAEnE,KAAK,CAACyH,cAAc,CAACtD,YAAW,CAAC;QACpD;MACF;MACA;MAAA,KACK;QACH,IAAApF,qBAAY,mCAAkC,OAAO,CAAC;QACtD,OAAO,KAAK;MACd;MACA,IACEiB,KAAK,CAACQ,cAAc,EAAE,IACrBR,KAAK,CAACS,0BAA0B,EAAE,IAAIT,KAAK,CAAC8H,cAAc,EAAG,EAC9D;QACA;QACA,IAAA/I,qBAAY,yBACMiB,KAAK,CAACwB,OAAO,EAAE,eAC7BxB,KAAK,CAACC,QAAQ,EAAE,GAAGD,KAAK,CAACC,QAAQ,EAAE,GAAG,MAAM,wBAChC+F,kBAAkB,EAAE,GAClC,MAAM,CACP;QACD,OAAO,IAAI;MACb;IACF,CAAC,CAAC,OAAOlH,KAAK,EAAE;MAAA;MACd;MACA,IAAAC,qBAAY,EAACD,KAAK,CAACgF,OAAO,EAAE,OAAO,CAAC;MACpC;MACA,IAAA/E,qBAAY,sBAACD,KAAK,CAACmD,QAAQ,8EAAd,iBAAgBvD,IAAI,0DAApB,sBAAsBoF,OAAO,EAAE,OAAO,CAAC;MACpD;MACA,IAAA/E,qBAAY,sBAACD,KAAK,CAACmD,QAAQ,8EAAd,iBAAgBvD,IAAI,0DAApB,sBAAsBkJ,iBAAiB,EAAE,OAAO,CAAC;MAC9D;MACA,IAAAhJ,qBAAY,sBAACE,KAAK,CAACmD,QAAQ,qDAAd,iBAAgBvD,IAAI,CAAC;MAClC;MACA,IAAAE,qBAAY,EAACE,KAAK,CAACE,KAAK,IAAI,IAAI8D,KAAK,EAAE,CAAC9D,KAAK,CAAC;IAChD;IACA,OAAO,KAAK;EACd,CAAC;EAAA;AAAA"}
package/esm/ops/AuthenticateOps.mjs CHANGED
@@ -87,7 +87,7 @@ function checkAndHandle2FA(payload) {
87
87
  * @param {string} deploymentType deployment type
88
88
  */
89
89
  function determineDefaultRealm(deploymentType) {
90
- if (state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {
90
+ if (!state.getRealm() || state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {
91
91
  state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);
92
92
  }
93
93
  }
@@ -328,6 +328,7 @@ async function determineDeploymentTypeAndDefaultRealmAndVersion() {
328
328
  state.setDeploymentType(await determineDeploymentType());
329
329
  }
330
330
  determineDefaultRealm(state.getDeploymentType());
331
+ debugMessage(`AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: realm=${state.getRealm()}, type=${state.getDeploymentType()}`);
331
332
  const versionInfo = (await getServerVersionInfo()).data;
332
333
 
333
334
  // https://github.com/rockcarver/frodo-cli/issues/109
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@rockcarver/frodo-lib",
3
- "version": "0.17.0",
3
+ "version": "0.17.1",
4
4
  "type": "commonjs",
5
5
  "main": "./cjs/index.js",
6
6
  "module": "./esm/index.mjs",
package/types/ops/AuthenticateOps.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/ops/AuthenticateOps.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,MAAM,EAAwB,MAAM,WAAW,CAAC;AA+SzD;;;;;GAKG;AACH,wBAAsB,+BAA+B,CACnD,gBAAgB,EAAE,MAAM,EACxB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqBxB;AAkCD;;;;GAIG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,CA6GlD","file":"AuthenticateOps.d.ts","sourcesContent":["import url from 'url';\nimport { createHash, randomBytes } from 'crypto';\nimport readlineSync from 'readline-sync';\nimport { encodeBase64Url } from '../api/utils/Base64';\nimport * as state from '../shared/State';\nimport * as globalConfig from '../storage/StaticStorage';\nimport { debugMessage, printMessage, verboseMessage } from './utils/Console';\nimport { getServerInfo, getServerVersionInfo } from '../api/ServerInfoApi';\nimport { step } from '../api/AuthenticateApi';\nimport { accessToken, authorize } from '../api/OAuth2OIDCApi';\nimport { getConnectionProfile } from './ConnectionProfileOps';\nimport { v4 } from 'uuid';\nimport { parseUrl } from '../api/utils/ApiUtils';\nimport { JwkRsa, createSignedJwtToken } from './JoseOps';\nimport { getManagedObject } from '../api/ManagedObjectApi';\n\nconst adminClientPassword = 'doesnotmatter';\nconst redirectUrlTemplate = '/platform/appAuthHelperRedirect.html';\n\nconst idmAdminScopes = 'fr:idm:* openid';\nconst serviceAccountScopes = 'fr:am:* fr:idm:* fr:idc:esv:*';\n\nlet adminClientId = 'idmAdminClient';\n\n/**\n * Helper function to get cookie name\n * @returns {String} cookie name\n */\nasync function determineCookieName() {\n try {\n const { data } = await getServerInfo();\n debugMessage(\n `AuthenticateOps.getCookieName: cookieName=${data.cookieName}`\n );\n return data.cookieName;\n } catch (error) {\n printMessage(`Error getting cookie name: ${error}`, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to determine if this is a setup mfa prompt in the ID Cloud tenant admin login journey\n * @param {Object} payload response from the previous authentication journey step\n * @returns {Object} an object indicating if 2fa is required and the original payload\n */\nfunction checkAndHandle2FA(payload) {\n // let skippable = false;\n if ('callbacks' in payload) {\n for (const element of payload.callbacks) {\n if (element.type === 'HiddenValueCallback') {\n if (element.input[0].value.includes('skip')) {\n // skippable = true;\n element.input[0].value = 'Skip';\n return {\n need2fa: true,\n payload,\n };\n }\n }\n if (element.type === 'NameCallback') {\n if (element.output[0].value.includes('code')) {\n // skippable = false;\n printMessage('2FA is enabled and required for this user...');\n const code = readlineSync.question(`${element.output[0].value}: `);\n element.input[0].value = code;\n return {\n need2fa: true,\n payload,\n };\n }\n }\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n}\n\n/**\n * Helper function to set the default realm by deployment type\n * @param {string} deploymentType deployment type\n */\nfunction determineDefaultRealm(deploymentType: string) {\n if (state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {\n state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);\n }\n}\n\n/**\n * Helper function to determine the deployment type\n * @returns {Promise<string>} deployment type\n */\nasync function determineDeploymentType(): Promise<string> {\n const cookieValue = state.getCookieValue();\n // https://bugster.forgerock.org/jira/browse/FRAAS-13018\n // There is a chance that this will be blocked due to security concerns and thus is probably best not to keep active\n // if (!cookieValue && getUseBearerTokenForAmApis()) {\n // const token = await getTokenInfo();\n // cookieValue = token.sessionToken;\n // setCookieValue(cookieValue);\n // }\n\n // if we are using a service account, we know it's cloud\n if (state.getUseBearerTokenForAmApis())\n return globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n\n const fidcClientId = 'idmAdminClient';\n const forgeopsClientId = 'idm-admin-ui';\n\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n\n const config = {\n maxRedirects: 0,\n headers: {\n [state.getCookieName()]: state.getCookieValue(),\n },\n };\n let bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${fidcClientId}&csrf=${cookieValue}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n\n let deploymentType = globalConfig.CLASSIC_DEPLOYMENT_TYPE_KEY;\n try {\n await authorize(bodyFormData, config);\n } catch (e) {\n // debugMessage(e.response);\n if (\n e.response?.status === 302 &&\n e.response.headers?.location?.indexOf('code=') > -1\n ) {\n verboseMessage(`ForgeRock Identity Cloud`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n } else {\n try {\n bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${forgeopsClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n await authorize(bodyFormData, config);\n } catch (ex) {\n if (\n ex.response?.status === 302 &&\n ex.response.headers?.location?.indexOf('code=') > -1\n ) {\n adminClientId = forgeopsClientId;\n verboseMessage(`ForgeOps deployment`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY;\n } else {\n verboseMessage(`Classic deployment`['brightCyan'] + ` detected.`);\n }\n }\n }\n }\n return deploymentType;\n}\n\n/**\n * Helper function to extract the semantic version string from a version info object\n * @param {Object} versionInfo version info object\n * @returns {String} semantic version\n */\nasync function getSemanticVersion(versionInfo) {\n if ('version' in versionInfo) {\n const versionString = versionInfo.version;\n const rx = /([\\d]\\.[\\d]\\.[\\d](\\.[\\d])*)/g;\n const version = versionString.match(rx);\n return version[0];\n }\n throw new Error('Cannot extract semantic version from version info object.');\n}\n\n/**\n * Helper function to authenticate and obtain and store session cookie\n * @returns {string} Session token or null\n */\nasync function authenticate(\n username: string,\n password: string\n): Promise<string> {\n const config = {\n headers: {\n 'X-OpenAM-Username': username,\n 'X-OpenAM-Password': password,\n },\n };\n const response1 = await step({}, config);\n const skip2FA = checkAndHandle2FA(response1);\n let response2 = {};\n if (skip2FA.need2fa) {\n response2 = await step(skip2FA.payload);\n } else {\n response2 = skip2FA.payload;\n }\n if ('tokenId' in response2) {\n return response2['tokenId'] as string;\n }\n return null;\n}\n\n/**\n * Helper function to obtain an oauth2 authorization code\n * @param {string} redirectURL oauth2 redirect uri\n * @param {string} codeChallenge PKCE code challenge\n * @param {string} codeChallengeMethod PKCE code challenge method\n * @returns {string} oauth2 authorization code or null\n */\nasync function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {\n try {\n const bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${adminClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${codeChallenge}&code_challenge_method=${codeChallengeMethod}`;\n const config = {\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n maxRedirects: 0,\n };\n let response = undefined;\n try {\n response = await authorize(bodyFormData, config);\n } catch (error) {\n response = error.response;\n }\n if (response.status < 200 || response.status > 399) {\n printMessage('error getting auth code', 'error');\n printMessage(\n 'likely cause: mismatched parameters with OAuth client config',\n 'error'\n );\n return null;\n }\n const redirectLocationURL = response.headers?.location;\n const queryObject = url.parse(redirectLocationURL, true).query;\n if ('code' in queryObject) {\n return queryObject.code;\n }\n printMessage('auth code not found', 'error');\n return null;\n } catch (error) {\n printMessage(`error getting auth code - ${error.message}`, 'error');\n printMessage(error.response?.data, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to obtain oauth2 access token\n * @returns {Promise<string | null>} access token or null\n */\nasync function getAccessTokenForUser(): Promise<string | null> {\n try {\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n const authCode = await getAuthCode(redirectURL, challenge, challengeMethod);\n if (authCode == null) {\n printMessage('error getting auth code', 'error');\n return null;\n }\n let response = null;\n if (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY) {\n const config = {\n auth: {\n username: adminClientId,\n password: adminClientPassword,\n },\n };\n const bodyFormData = `redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData, config);\n } else {\n const bodyFormData = `client_id=${adminClientId}&redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData);\n }\n if ('access_token' in response.data) {\n return response.data.access_token;\n }\n printMessage('No access token in response.', 'error');\n } catch (error) {\n debugMessage(`Error getting access token for user: ${error}`);\n debugMessage(error.response?.data);\n }\n return null;\n}\n\nfunction createPayload(serviceAccountId: string) {\n const u = parseUrl(state.getHost());\n const aud = `${u.origin}:${\n u.port ? u.port : u.protocol === 'https' ? '443' : '80'\n }${u.pathname}/oauth2/access_token`;\n\n // Cross platform way of setting JWT expiry time 3 minutes in the future, expressed as number of seconds since EPOCH\n const exp = Math.floor(new Date().getTime() / 1000 + 180);\n\n // A unique ID for the JWT which is required when requesting the openid scope\n const jti = v4();\n\n const iss = serviceAccountId;\n const sub = serviceAccountId;\n\n // Create the payload for our bearer token\n const payload = { iss, sub, aud, exp, jti };\n\n return payload;\n}\n\n/**\n * Get access token for service account\n * @param {string} serviceAccountId UUID of service account\n * @param {JwkRsa} jwk Java Wek Key\n * @returns {string | null} Access token or null\n */\nexport async function getAccessTokenForServiceAccount(\n serviceAccountId: string,\n jwk: JwkRsa\n): Promise<string | null> {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: start`);\n const payload = createPayload(serviceAccountId);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: payload:`);\n debugMessage(payload);\n const jwt = await createSignedJwtToken(payload, jwk);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: jwt:`);\n debugMessage(jwt);\n const bodyFormData = `assertion=${jwt}&client_id=service-account&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=${serviceAccountScopes}`;\n const response = await accessToken(bodyFormData);\n if ('access_token' in response.data) {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: token:`);\n debugMessage(response.data.access_token);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return response.data.access_token;\n }\n debugMessage(\n `AuthenticateOps.getAccessTokenForServiceAccount: No access token in response.`\n );\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return null;\n}\n\nasync function determineDeploymentTypeAndDefaultRealmAndVersion() {\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: start`\n );\n if (!state.getDeploymentType()) {\n state.setDeploymentType(await determineDeploymentType());\n }\n determineDefaultRealm(state.getDeploymentType());\n\n const versionInfo = (await getServerVersionInfo()).data;\n\n // https://github.com/rockcarver/frodo-cli/issues/109\n debugMessage(`Full version: ${versionInfo.fullVersion}`);\n\n const version = await getSemanticVersion(versionInfo);\n state.setAmVersion(version);\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: end`\n );\n}\n\nasync function getLoggedInSubject(): Promise<string> {\n let subjectString = `user ${state.getUsername()}`;\n if (state.getUseBearerTokenForAmApis()) {\n const name = (\n await getManagedObject('svcacct', state.getServiceAccountId(), ['name'])\n ).data.name;\n subjectString = `service account ${name} [${state.getServiceAccountId()}]`;\n }\n return subjectString;\n}\n\n/**\n * Get tokens\n * @param {boolean} save true to save a connection profile upon successful authentication, false otherwise\n * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise\n */\nexport async function getTokens(): Promise<boolean> {\n if (!state.getHost()) {\n printMessage(\n `No host specified and FRODO_HOST env variable not set!`,\n 'error'\n );\n return false;\n }\n try {\n // if username/password on cli are empty, try to read from connections.json\n if (\n state.getUsername() == null &&\n state.getPassword() == null &&\n !state.getServiceAccountId() &&\n !state.getServiceAccountJwk()\n ) {\n const conn = await getConnectionProfile();\n if (conn) {\n state.setHost(conn.tenant);\n state.setUsername(conn.username);\n state.setPassword(conn.password);\n state.setAuthenticationService(conn.authenticationService);\n state.setAuthenticationHeaderOverrides(\n conn.authenticationHeaderOverrides\n );\n state.setServiceAccountId(conn.svcacctId);\n state.setServiceAccountJwk(conn.svcacctJwk);\n } else {\n return false;\n }\n }\n // now that we have the full tenant URL we can lookup the cookie name\n state.setCookieName(await determineCookieName());\n\n // use service account to login?\n if (state.getServiceAccountId() && state.getServiceAccountJwk()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with service account ${state.getServiceAccountId()}`\n );\n try {\n const token = await getAccessTokenForServiceAccount(\n state.getServiceAccountId(),\n state.getServiceAccountJwk()\n );\n state.setBearerToken(token);\n state.setUseBearerTokenForAmApis(true);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n } catch (saErr) {\n throw new Error(\n `Service account login error: ${\n saErr.response?.data?.error_description ||\n saErr.response?.data?.message\n }`\n );\n }\n }\n // use user account to login\n else if (state.getUsername() && state.getPassword()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with user account ${state.getUsername()}`\n );\n const token = await authenticate(\n state.getUsername(),\n state.getPassword()\n );\n if (token) state.setCookieValue(token);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n if (\n state.getCookieValue() &&\n !state.getBearerToken() &&\n (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n state.getDeploymentType() ===\n globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n ) {\n const accessToken = await getAccessTokenForUser();\n if (accessToken) state.setBearerToken(accessToken);\n }\n }\n // incomplete or no credentials\n else {\n printMessage(`Incomplete or no credentials!`, 'error');\n return false;\n }\n if (\n state.getCookieValue() ||\n (state.getUseBearerTokenForAmApis() && state.getBearerToken())\n ) {\n // https://github.com/rockcarver/frodo-cli/issues/102\n printMessage(\n `Connected to ${state.getHost()} [${\n state.getRealm() ? state.getRealm() : 'root'\n }] as ${await getLoggedInSubject()}`,\n 'info'\n );\n return true;\n }\n } catch (error) {\n // regular error\n printMessage(error.message, 'error');\n // axios error am api\n printMessage(error.response?.data?.message, 'error');\n // axios error am oauth2 api\n printMessage(error.response?.data?.error_description, 'error');\n // axios error data\n debugMessage(error.response?.data);\n // stack trace\n debugMessage(error.stack || new Error().stack);\n }\n return false;\n}\n"]}
1
+ {"version":3,"sources":["../src/ops/AuthenticateOps.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,MAAM,EAAwB,MAAM,WAAW,CAAC;AAkTzD;;;;;GAKG;AACH,wBAAsB,+BAA+B,CACnD,gBAAgB,EAAE,MAAM,EACxB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqBxB;AAqCD;;;;GAIG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,CA6GlD","file":"AuthenticateOps.d.ts","sourcesContent":["import url from 'url';\nimport { createHash, randomBytes } from 'crypto';\nimport readlineSync from 'readline-sync';\nimport { encodeBase64Url } from '../api/utils/Base64';\nimport * as state from '../shared/State';\nimport * as globalConfig from '../storage/StaticStorage';\nimport { debugMessage, printMessage, verboseMessage } from './utils/Console';\nimport { getServerInfo, getServerVersionInfo } from '../api/ServerInfoApi';\nimport { step } from '../api/AuthenticateApi';\nimport { accessToken, authorize } from '../api/OAuth2OIDCApi';\nimport { getConnectionProfile } from './ConnectionProfileOps';\nimport { v4 } from 'uuid';\nimport { parseUrl } from '../api/utils/ApiUtils';\nimport { JwkRsa, createSignedJwtToken } from './JoseOps';\nimport { getManagedObject } from '../api/ManagedObjectApi';\n\nconst adminClientPassword = 'doesnotmatter';\nconst redirectUrlTemplate = '/platform/appAuthHelperRedirect.html';\n\nconst idmAdminScopes = 'fr:idm:* openid';\nconst serviceAccountScopes = 'fr:am:* fr:idm:* fr:idc:esv:*';\n\nlet adminClientId = 'idmAdminClient';\n\n/**\n * Helper function to get cookie name\n * @returns {String} cookie name\n */\nasync function determineCookieName() {\n try {\n const { data } = await getServerInfo();\n debugMessage(\n `AuthenticateOps.getCookieName: cookieName=${data.cookieName}`\n );\n return data.cookieName;\n } catch (error) {\n printMessage(`Error getting cookie name: ${error}`, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to determine if this is a setup mfa prompt in the ID Cloud tenant admin login journey\n * @param {Object} payload response from the previous authentication journey step\n * @returns {Object} an object indicating if 2fa is required and the original payload\n */\nfunction checkAndHandle2FA(payload) {\n // let skippable = false;\n if ('callbacks' in payload) {\n for (const element of payload.callbacks) {\n if (element.type === 'HiddenValueCallback') {\n if (element.input[0].value.includes('skip')) {\n // skippable = true;\n element.input[0].value = 'Skip';\n return {\n need2fa: true,\n payload,\n };\n }\n }\n if (element.type === 'NameCallback') {\n if (element.output[0].value.includes('code')) {\n // skippable = false;\n printMessage('2FA is enabled and required for this user...');\n const code = readlineSync.question(`${element.output[0].value}: `);\n element.input[0].value = code;\n return {\n need2fa: true,\n payload,\n };\n }\n }\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n }\n // console.info(\"NO2FA\");\n return {\n need2fa: false,\n payload,\n };\n}\n\n/**\n * Helper function to set the default realm by deployment type\n * @param {string} deploymentType deployment type\n */\nfunction determineDefaultRealm(deploymentType: string) {\n if (\n !state.getRealm() ||\n state.getRealm() === globalConfig.DEFAULT_REALM_KEY\n ) {\n state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);\n }\n}\n\n/**\n * Helper function to determine the deployment type\n * @returns {Promise<string>} deployment type\n */\nasync function determineDeploymentType(): Promise<string> {\n const cookieValue = state.getCookieValue();\n // https://bugster.forgerock.org/jira/browse/FRAAS-13018\n // There is a chance that this will be blocked due to security concerns and thus is probably best not to keep active\n // if (!cookieValue && getUseBearerTokenForAmApis()) {\n // const token = await getTokenInfo();\n // cookieValue = token.sessionToken;\n // setCookieValue(cookieValue);\n // }\n\n // if we are using a service account, we know it's cloud\n if (state.getUseBearerTokenForAmApis())\n return globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n\n const fidcClientId = 'idmAdminClient';\n const forgeopsClientId = 'idm-admin-ui';\n\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n\n const config = {\n maxRedirects: 0,\n headers: {\n [state.getCookieName()]: state.getCookieValue(),\n },\n };\n let bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${fidcClientId}&csrf=${cookieValue}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n\n let deploymentType = globalConfig.CLASSIC_DEPLOYMENT_TYPE_KEY;\n try {\n await authorize(bodyFormData, config);\n } catch (e) {\n // debugMessage(e.response);\n if (\n e.response?.status === 302 &&\n e.response.headers?.location?.indexOf('code=') > -1\n ) {\n verboseMessage(`ForgeRock Identity Cloud`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n } else {\n try {\n bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${forgeopsClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n await authorize(bodyFormData, config);\n } catch (ex) {\n if (\n ex.response?.status === 302 &&\n ex.response.headers?.location?.indexOf('code=') > -1\n ) {\n adminClientId = forgeopsClientId;\n verboseMessage(`ForgeOps deployment`['brightCyan'] + ` detected.`);\n deploymentType = globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY;\n } else {\n verboseMessage(`Classic deployment`['brightCyan'] + ` detected.`);\n }\n }\n }\n }\n return deploymentType;\n}\n\n/**\n * Helper function to extract the semantic version string from a version info object\n * @param {Object} versionInfo version info object\n * @returns {String} semantic version\n */\nasync function getSemanticVersion(versionInfo) {\n if ('version' in versionInfo) {\n const versionString = versionInfo.version;\n const rx = /([\\d]\\.[\\d]\\.[\\d](\\.[\\d])*)/g;\n const version = versionString.match(rx);\n return version[0];\n }\n throw new Error('Cannot extract semantic version from version info object.');\n}\n\n/**\n * Helper function to authenticate and obtain and store session cookie\n * @returns {string} Session token or null\n */\nasync function authenticate(\n username: string,\n password: string\n): Promise<string> {\n const config = {\n headers: {\n 'X-OpenAM-Username': username,\n 'X-OpenAM-Password': password,\n },\n };\n const response1 = await step({}, config);\n const skip2FA = checkAndHandle2FA(response1);\n let response2 = {};\n if (skip2FA.need2fa) {\n response2 = await step(skip2FA.payload);\n } else {\n response2 = skip2FA.payload;\n }\n if ('tokenId' in response2) {\n return response2['tokenId'] as string;\n }\n return null;\n}\n\n/**\n * Helper function to obtain an oauth2 authorization code\n * @param {string} redirectURL oauth2 redirect uri\n * @param {string} codeChallenge PKCE code challenge\n * @param {string} codeChallengeMethod PKCE code challenge method\n * @returns {string} oauth2 authorization code or null\n */\nasync function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {\n try {\n const bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${adminClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${codeChallenge}&code_challenge_method=${codeChallengeMethod}`;\n const config = {\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n },\n maxRedirects: 0,\n };\n let response = undefined;\n try {\n response = await authorize(bodyFormData, config);\n } catch (error) {\n response = error.response;\n }\n if (response.status < 200 || response.status > 399) {\n printMessage('error getting auth code', 'error');\n printMessage(\n 'likely cause: mismatched parameters with OAuth client config',\n 'error'\n );\n return null;\n }\n const redirectLocationURL = response.headers?.location;\n const queryObject = url.parse(redirectLocationURL, true).query;\n if ('code' in queryObject) {\n return queryObject.code;\n }\n printMessage('auth code not found', 'error');\n return null;\n } catch (error) {\n printMessage(`error getting auth code - ${error.message}`, 'error');\n printMessage(error.response?.data, 'error');\n debugMessage(error.stack);\n return null;\n }\n}\n\n/**\n * Helper function to obtain oauth2 access token\n * @returns {Promise<string | null>} access token or null\n */\nasync function getAccessTokenForUser(): Promise<string | null> {\n try {\n const verifier = encodeBase64Url(randomBytes(32));\n const challenge = encodeBase64Url(\n createHash('sha256').update(verifier).digest()\n );\n const challengeMethod = 'S256';\n const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n const authCode = await getAuthCode(redirectURL, challenge, challengeMethod);\n if (authCode == null) {\n printMessage('error getting auth code', 'error');\n return null;\n }\n let response = null;\n if (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY) {\n const config = {\n auth: {\n username: adminClientId,\n password: adminClientPassword,\n },\n };\n const bodyFormData = `redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData, config);\n } else {\n const bodyFormData = `client_id=${adminClientId}&redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n response = await accessToken(bodyFormData);\n }\n if ('access_token' in response.data) {\n return response.data.access_token;\n }\n printMessage('No access token in response.', 'error');\n } catch (error) {\n debugMessage(`Error getting access token for user: ${error}`);\n debugMessage(error.response?.data);\n }\n return null;\n}\n\nfunction createPayload(serviceAccountId: string) {\n const u = parseUrl(state.getHost());\n const aud = `${u.origin}:${\n u.port ? u.port : u.protocol === 'https' ? '443' : '80'\n }${u.pathname}/oauth2/access_token`;\n\n // Cross platform way of setting JWT expiry time 3 minutes in the future, expressed as number of seconds since EPOCH\n const exp = Math.floor(new Date().getTime() / 1000 + 180);\n\n // A unique ID for the JWT which is required when requesting the openid scope\n const jti = v4();\n\n const iss = serviceAccountId;\n const sub = serviceAccountId;\n\n // Create the payload for our bearer token\n const payload = { iss, sub, aud, exp, jti };\n\n return payload;\n}\n\n/**\n * Get access token for service account\n * @param {string} serviceAccountId UUID of service account\n * @param {JwkRsa} jwk Java Wek Key\n * @returns {string | null} Access token or null\n */\nexport async function getAccessTokenForServiceAccount(\n serviceAccountId: string,\n jwk: JwkRsa\n): Promise<string | null> {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: start`);\n const payload = createPayload(serviceAccountId);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: payload:`);\n debugMessage(payload);\n const jwt = await createSignedJwtToken(payload, jwk);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: jwt:`);\n debugMessage(jwt);\n const bodyFormData = `assertion=${jwt}&client_id=service-account&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=${serviceAccountScopes}`;\n const response = await accessToken(bodyFormData);\n if ('access_token' in response.data) {\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: token:`);\n debugMessage(response.data.access_token);\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return response.data.access_token;\n }\n debugMessage(\n `AuthenticateOps.getAccessTokenForServiceAccount: No access token in response.`\n );\n debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n return null;\n}\n\nasync function determineDeploymentTypeAndDefaultRealmAndVersion() {\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: start`\n );\n if (!state.getDeploymentType()) {\n state.setDeploymentType(await determineDeploymentType());\n }\n determineDefaultRealm(state.getDeploymentType());\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: realm=${state.getRealm()}, type=${state.getDeploymentType()}`\n );\n\n const versionInfo = (await getServerVersionInfo()).data;\n\n // https://github.com/rockcarver/frodo-cli/issues/109\n debugMessage(`Full version: ${versionInfo.fullVersion}`);\n\n const version = await getSemanticVersion(versionInfo);\n state.setAmVersion(version);\n debugMessage(\n `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: end`\n );\n}\n\nasync function getLoggedInSubject(): Promise<string> {\n let subjectString = `user ${state.getUsername()}`;\n if (state.getUseBearerTokenForAmApis()) {\n const name = (\n await getManagedObject('svcacct', state.getServiceAccountId(), ['name'])\n ).data.name;\n subjectString = `service account ${name} [${state.getServiceAccountId()}]`;\n }\n return subjectString;\n}\n\n/**\n * Get tokens\n * @param {boolean} save true to save a connection profile upon successful authentication, false otherwise\n * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise\n */\nexport async function getTokens(): Promise<boolean> {\n if (!state.getHost()) {\n printMessage(\n `No host specified and FRODO_HOST env variable not set!`,\n 'error'\n );\n return false;\n }\n try {\n // if username/password on cli are empty, try to read from connections.json\n if (\n state.getUsername() == null &&\n state.getPassword() == null &&\n !state.getServiceAccountId() &&\n !state.getServiceAccountJwk()\n ) {\n const conn = await getConnectionProfile();\n if (conn) {\n state.setHost(conn.tenant);\n state.setUsername(conn.username);\n state.setPassword(conn.password);\n state.setAuthenticationService(conn.authenticationService);\n state.setAuthenticationHeaderOverrides(\n conn.authenticationHeaderOverrides\n );\n state.setServiceAccountId(conn.svcacctId);\n state.setServiceAccountJwk(conn.svcacctJwk);\n } else {\n return false;\n }\n }\n // now that we have the full tenant URL we can lookup the cookie name\n state.setCookieName(await determineCookieName());\n\n // use service account to login?\n if (state.getServiceAccountId() && state.getServiceAccountJwk()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with service account ${state.getServiceAccountId()}`\n );\n try {\n const token = await getAccessTokenForServiceAccount(\n state.getServiceAccountId(),\n state.getServiceAccountJwk()\n );\n state.setBearerToken(token);\n state.setUseBearerTokenForAmApis(true);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n } catch (saErr) {\n throw new Error(\n `Service account login error: ${\n saErr.response?.data?.error_description ||\n saErr.response?.data?.message\n }`\n );\n }\n }\n // use user account to login\n else if (state.getUsername() && state.getPassword()) {\n debugMessage(\n `AuthenticateOps.getTokens: Authenticating with user account ${state.getUsername()}`\n );\n const token = await authenticate(\n state.getUsername(),\n state.getPassword()\n );\n if (token) state.setCookieValue(token);\n await determineDeploymentTypeAndDefaultRealmAndVersion();\n if (\n state.getCookieValue() &&\n !state.getBearerToken() &&\n (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n state.getDeploymentType() ===\n globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n ) {\n const accessToken = await getAccessTokenForUser();\n if (accessToken) state.setBearerToken(accessToken);\n }\n }\n // incomplete or no credentials\n else {\n printMessage(`Incomplete or no credentials!`, 'error');\n return false;\n }\n if (\n state.getCookieValue() ||\n (state.getUseBearerTokenForAmApis() && state.getBearerToken())\n ) {\n // https://github.com/rockcarver/frodo-cli/issues/102\n printMessage(\n `Connected to ${state.getHost()} [${\n state.getRealm() ? state.getRealm() : 'root'\n }] as ${await getLoggedInSubject()}`,\n 'info'\n );\n return true;\n }\n } catch (error) {\n // regular error\n printMessage(error.message, 'error');\n // axios error am api\n printMessage(error.response?.data?.message, 'error');\n // axios error am oauth2 api\n printMessage(error.response?.data?.error_description, 'error');\n // axios error data\n debugMessage(error.response?.data);\n // stack trace\n debugMessage(error.stack || new Error().stack);\n }\n return false;\n}\n"]}