raindancers-cloudfront 0.0.0

package/lib/cloudfront/logging/auditLogArchive.js

@@ -0,0 +1,205 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogArchive = void 0;
+const core = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+class AuditLogArchive extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const archiveRetentionDays = props.archiveRetentionDays ?? 365;
+        const databaseName = props.databaseName ?? 'audit_logs';
+        const tableName = 'logs';
+        // Create S3 bucket for audit log archive
+        this.bucket = new aws_cdk_lib_1.aws_s3.Bucket(this, 'Bucket', {
+            bucketName: props.bucketName ?? `audit-logs-${core.Stack.of(this).account}-${core.Stack.of(this).region}`,
+            encryption: aws_cdk_lib_1.aws_s3.BucketEncryption.S3_MANAGED,
+            blockPublicAccess: aws_cdk_lib_1.aws_s3.BlockPublicAccess.BLOCK_ALL,
+            intelligentTieringConfigurations: [{
+                    name: 'archive-tiering',
+                    archiveAccessTierTime: core.Duration.days(90),
+                    deepArchiveAccessTierTime: core.Duration.days(180),
+                }],
+            lifecycleRules: [{
+                    id: 'delete-old-logs',
+                    enabled: true,
+                    expiration: core.Duration.days(archiveRetentionDays),
+                }],
+            removalPolicy: props.removalPolicy ?? aws_cdk_lib_1.RemovalPolicy.RETAIN,
+            autoDeleteObjects: props.removalPolicy === aws_cdk_lib_1.RemovalPolicy.DESTROY,
+        });
+        // Create Glue database
+        this.database = new aws_cdk_lib_1.aws_glue.CfnDatabase(this, 'Database', {
+            catalogId: core.Stack.of(this).account,
+            databaseInput: {
+                name: databaseName,
+                description: 'Audit logs database for Athena queries',
+            },
+        });
+        // Create Glue table for Parquet schema
+        this.table = new aws_cdk_lib_1.aws_glue.CfnTable(this, 'Table', {
+            catalogId: core.Stack.of(this).account,
+            databaseName: this.database.ref,
+            tableInput: {
+                name: tableName,
+                description: 'Audit logs in Parquet format',
+                storageDescriptor: {
+                    columns: [
+                        { name: 'timestamp', type: 'bigint', comment: 'Log timestamp in milliseconds' },
+                        { name: 'message', type: 'string', comment: 'Log message' },
+                        { name: 'log_group', type: 'string', comment: 'CloudWatch log group name' },
+                        { name: 'log_stream', type: 'string', comment: 'CloudWatch log stream name' },
+                        { name: 'event_type', type: 'string', comment: 'Event type (extracted from message)' },
+                        { name: 'user_id', type: 'string', comment: 'User identifier (if available)' },
+                        { name: 'ip_address', type: 'string', comment: 'Client IP address (if available)' },
+                    ],
+                    location: `s3://${this.bucket.bucketName}/logs/`,
+                    inputFormat: 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat',
+                    outputFormat: 'org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat',
+                    serdeInfo: {
+                        serializationLibrary: 'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe',
+                        parameters: {
+                            'serialization.format': '1',
+                        },
+                    },
+                },
+                partitionKeys: [
+                    { name: 'year', type: 'string' },
+                    { name: 'month', type: 'string' },
+                    { name: 'day', type: 'string' },
+                ],
+                tableType: 'EXTERNAL_TABLE',
+            },
+        });
+        // Create IAM role for Firehose
+        const firehoseRole = new aws_cdk_lib_1.aws_iam.Role(this, 'FirehoseRole', {
+            assumedBy: new aws_cdk_lib_1.aws_iam.ServicePrincipal('firehose.amazonaws.com'),
+        });
+        this.bucket.grantWrite(firehoseRole);
+        props.kmsKey.grantEncryptDecrypt(firehoseRole);
+        firehoseRole.addToPolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+            actions: ['glue:GetTable', 'glue:GetTableVersion', 'glue:GetTableVersions'],
+            resources: [
+                `arn:aws:glue:${core.Stack.of(this).region}:${core.Stack.of(this).account}:catalog`,
+                `arn:aws:glue:${core.Stack.of(this).region}:${core.Stack.of(this).account}:database/${databaseName}`,
+                `arn:aws:glue:${core.Stack.of(this).region}:${core.Stack.of(this).account}:table/${databaseName}/${tableName}`,
+            ],
+        }));
+        // Create Kinesis Firehose delivery stream with Parquet conversion
+        this.deliveryStream = new aws_cdk_lib_1.aws_kinesisfirehose.CfnDeliveryStream(this, 'DeliveryStream', {
+            deliveryStreamType: 'DirectPut',
+            extendedS3DestinationConfiguration: {
+                bucketArn: this.bucket.bucketArn,
+                roleArn: firehoseRole.roleArn,
+                prefix: 'logs/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/',
+                errorOutputPrefix: 'errors/!{firehose:error-output-type}/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/',
+                bufferingHints: {
+                    intervalInSeconds: 300,
+                    sizeInMBs: 128,
+                },
+                compressionFormat: 'UNCOMPRESSED',
+                dataFormatConversionConfiguration: {
+                    enabled: true,
+                    schemaConfiguration: {
+                        roleArn: firehoseRole.roleArn,
+                        databaseName: this.database.ref,
+                        tableName: this.table.ref,
+                        region: core.Stack.of(this).region,
+                        versionId: 'LATEST',
+                    },
+                    inputFormatConfiguration: {
+                        deserializer: {
+                            openXJsonSerDe: {},
+                        },
+                    },
+                    outputFormatConfiguration: {
+                        serializer: {
+                            parquetSerDe: {
+                                compression: 'SNAPPY',
+                            },
+                        },
+                    },
+                },
+            },
+        });
+        this.deliveryStream.addDependency(this.database);
+        this.deliveryStream.addDependency(this.table);
+        this.deliveryStream.node.addDependency(firehoseRole);
+        // Create IAM role for CloudWatch Logs subscription
+        const logsRole = new aws_cdk_lib_1.aws_iam.Role(this, 'LogsRole', {
+            assumedBy: new aws_cdk_lib_1.aws_iam.ServicePrincipal('logs.amazonaws.com'),
+            inlinePolicies: {
+                FirehosePermissions: new aws_cdk_lib_1.aws_iam.PolicyDocument({
+                    statements: [
+                        new aws_cdk_lib_1.aws_iam.PolicyStatement({
+                            effect: aws_cdk_lib_1.aws_iam.Effect.ALLOW,
+                            actions: ['firehose:PutRecord'],
+                            resources: [this.deliveryStream.attrArn],
+                        }),
+                    ],
+                }),
+            },
+        });
+        // Create subscription filters for each log group
+        props.logGroupNames.forEach((logGroupName, index) => {
+            new aws_cdk_lib_1.aws_logs.CfnSubscriptionFilter(this, `Subscription${index}`, {
+                logGroupName: logGroupName,
+                filterPattern: '',
+                destinationArn: this.deliveryStream.attrArn,
+                roleArn: logsRole.roleArn,
+            });
+        });
+        // Outputs
+        new core.CfnOutput(this, 'BucketName', {
+            value: this.bucket.bucketName,
+            description: 'S3 Bucket for Audit Log Archive',
+        });
+        new core.CfnOutput(this, 'DatabaseName', {
+            value: this.database.ref,
+            description: 'Glue Database Name for Athena Queries',
+        });
+        new core.CfnOutput(this, 'TableName', {
+            value: this.table.ref,
+            description: 'Glue Table Name for Athena Queries',
+        });
+        new core.CfnOutput(this, 'DeliveryStreamArn', {
+            value: this.deliveryStream.attrArn,
+            description: 'Kinesis Firehose Delivery Stream ARN',
+        });
+    }
+}
+exports.AuditLogArchive = AuditLogArchive;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXVkaXRMb2dBcmNoaXZlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Nsb3VkZnJvbnQvbG9nZ2luZy9hdWRpdExvZ0FyY2hpdmUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsa0RBQW9DO0FBQ3BDLDZDQVFxQjtBQUNyQix1REFBeUM7QUFZekMsTUFBYSxlQUFnQixTQUFRLFVBQVUsQ0FBQyxTQUFTO0lBTXZELFlBQVksS0FBMkIsRUFBRSxFQUFVLEVBQUUsS0FBMkI7UUFDOUUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixNQUFNLG9CQUFvQixHQUFHLEtBQUssQ0FBQyxvQkFBb0IsSUFBSSxHQUFHLENBQUM7UUFDL0QsTUFBTSxZQUFZLEdBQUcsS0FBSyxDQUFDLFlBQVksSUFBSSxZQUFZLENBQUM7UUFDeEQsTUFBTSxTQUFTLEdBQUcsTUFBTSxDQUFDO1FBRXpCLHlDQUF5QztRQUN6QyxJQUFJLENBQUMsTUFBTSxHQUFHLElBQUksb0JBQUUsQ0FBQyxNQUFNLENBQUMsSUFBSSxFQUFFLFFBQVEsRUFBRTtZQUMxQyxVQUFVLEVBQUUsS0FBSyxDQUFDLFVBQVUsSUFBSSxjQUFjLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLEVBQUU7WUFDekcsVUFBVSxFQUFFLG9CQUFFLENBQUMsZ0JBQWdCLENBQUMsVUFBVTtZQUMxQyxpQkFBaUIsRUFBRSxvQkFBRSxDQUFDLGlCQUFpQixDQUFDLFNBQVM7WUFDakQsZ0NBQWdDLEVBQUUsQ0FBQztvQkFDakMsSUFBSSxFQUFFLGlCQUFpQjtvQkFDdkIscUJBQXFCLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO29CQUM3Qyx5QkFBeUIsRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUM7aUJBQ25ELENBQUM7WUFDRixjQUFjLEVBQUUsQ0FBQztvQkFDZixFQUFFLEVBQUUsaUJBQWlCO29CQUNyQixPQUFPLEVBQUUsSUFBSTtvQkFDYixVQUFVLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsb0JBQW9CLENBQUM7aUJBQ3JELENBQUM7WUFDRixhQUFhLEVBQUUsS0FBSyxDQUFDLGFBQWEsSUFBSSwyQkFBYSxDQUFDLE1BQU07WUFDMUQsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLGFBQWEsS0FBSywyQkFBYSxDQUFDLE9BQU87U0FDakUsQ0FBQyxDQUFDO1FBRUgsdUJBQXVCO1FBQ3ZCLElBQUksQ0FBQyxRQUFRLEdBQUcsSUFBSSxzQkFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO1lBQ3JELFNBQVMsRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxPQUFPO1lBQ3RDLGFBQWEsRUFBRTtnQkFDYixJQUFJLEVBQUUsWUFBWTtnQkFDbEIsV0FBVyxFQUFFLHdDQUF3QzthQUN0RDtTQUNGLENBQUMsQ0FBQztRQUVILHVDQUF1QztRQUN2QyxJQUFJLENBQUMsS0FBSyxHQUFHLElBQUksc0JBQUksQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLE9BQU8sRUFBRTtZQUM1QyxTQUFTLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsT0FBTztZQUN0QyxZQUFZLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHO1lBQy9CLFVBQVUsRUFBRTtnQkFDVixJQUFJLEVBQUUsU0FBUztnQkFDZixXQUFXLEVBQUUsOEJBQThCO2dCQUMzQyxpQkFBaUIsRUFBRTtvQkFDakIsT0FBTyxFQUFFO3dCQUNQLEVBQUUsSUFBSSxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsUUFBUSxFQUFFLE9BQU8sRUFBRSwrQkFBK0IsRUFBRTt3QkFDL0UsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUUsT0FBTyxFQUFFLGFBQWEsRUFBRTt3QkFDM0QsRUFBRSxJQUFJLEVBQUUsV0FBVyxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUUsT0FBTyxFQUFFLDJCQUEyQixFQUFFO3dCQUMzRSxFQUFFLElBQUksRUFBRSxZQUFZLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRSxPQUFPLEVBQUUsNEJBQTRCLEVBQUU7d0JBQzdFLEVBQUUsSUFBSSxFQUFFLFlBQVksRUFBRSxJQUFJLEVBQUUsUUFBUSxFQUFFLE9BQU8sRUFBRSxxQ0FBcUMsRUFBRTt3QkFDdEYsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUUsT0FBTyxFQUFFLGdDQUFnQyxFQUFFO3dCQUM5RSxFQUFFLElBQUksRUFBRSxZQUFZLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRSxPQUFPLEVBQUUsa0NBQWtDLEVBQUU7cUJBQ3BGO29CQUNELFFBQVEsRUFBRSxRQUFRLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxRQUFRO29CQUNoRCxXQUFXLEVBQUUsK0RBQStEO29CQUM1RSxZQUFZLEVBQUUsZ0VBQWdFO29CQUM5RSxTQUFTLEVBQUU7d0JBQ1Qsb0JBQW9CLEVBQUUsNkRBQTZEO3dCQUNuRixVQUFVLEVBQUU7NEJBQ1Ysc0JBQXNCLEVBQUUsR0FBRzt5QkFDNUI7cUJBQ0Y7aUJBQ0Y7Z0JBQ0QsYUFBYSxFQUFFO29CQUNiLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsUUFBUSxFQUFFO29CQUNoQyxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRTtvQkFDakMsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLElBQUksRUFBRSxRQUFRLEVBQUU7aUJBQ2hDO2dCQUNELFNBQVMsRUFBRSxnQkFBZ0I7YUFDNUI7U0FDRixDQUFDLENBQUM7UUFFSCwrQkFBK0I7UUFDL0IsTUFBTSxZQUFZLEdBQUcsSUFBSSxxQkFBRyxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsY0FBYyxFQUFFO1lBQ3RELFNBQVMsRUFBRSxJQUFJLHFCQUFHLENBQUMsZ0JBQWdCLENBQUMsd0JBQXdCLENBQUM7U0FDOUQsQ0FBQyxDQUFDO1FBRUgsSUFBSSxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsWUFBWSxDQUFDLENBQUM7UUFDckMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxtQkFBbUIsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUUvQyxZQUFZLENBQUMsV0FBVyxDQUFDLElBQUkscUJBQUcsQ0FBQyxlQUFlLENBQUM7WUFDL0MsT0FBTyxFQUFFLENBQUMsZUFBZSxFQUFFLHNCQUFzQixFQUFFLHVCQUF1QixDQUFDO1lBQzNFLFNBQVMsRUFBRTtnQkFDVCxnQkFBZ0IsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxJQUFJLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sVUFBVTtnQkFDbkYsZ0JBQWdCLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxPQUFPLGFBQWEsWUFBWSxFQUFFO2dCQUNwRyxnQkFBZ0IsSUFBSSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxJQUFJLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sVUFBVSxZQUFZLElBQUksU0FBUyxFQUFFO2FBQy9HO1NBQ0YsQ0FBQyxDQUFDLENBQUM7UUFFSixrRUFBa0U7UUFDbEUsSUFBSSxDQUFDLGNBQWMsR0FBRyxJQUFJLGlDQUFRLENBQUMsaUJBQWlCLENBQUMsSUFBSSxFQUFFLGdCQUFnQixFQUFFO1lBQzNFLGtCQUFrQixFQUFFLFdBQVc7WUFDL0Isa0NBQWtDLEVBQUU7Z0JBQ2xDLFNBQVMsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVM7Z0JBQ2hDLE9BQU8sRUFBRSxZQUFZLENBQUMsT0FBTztnQkFDN0IsTUFBTSxFQUFFLHdFQUF3RTtnQkFDaEYsaUJBQWlCLEVBQUUsd0dBQXdHO2dCQUMzSCxjQUFjLEVBQUU7b0JBQ2QsaUJBQWlCLEVBQUUsR0FBRztvQkFDdEIsU0FBUyxFQUFFLEdBQUc7aUJBQ2Y7Z0JBQ0QsaUJBQWlCLEVBQUUsY0FBYztnQkFDakMsaUNBQWlDLEVBQUU7b0JBQ2pDLE9BQU8sRUFBRSxJQUFJO29CQUNiLG1CQUFtQixFQUFFO3dCQUNuQixPQUFPLEVBQUUsWUFBWSxDQUFDLE9BQU87d0JBQzdCLFlBQVksRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUc7d0JBQy9CLFNBQVMsRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUc7d0JBQ3pCLE1BQU0sRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNO3dCQUNsQyxTQUFTLEVBQUUsUUFBUTtxQkFDcEI7b0JBQ0Qsd0JBQXdCLEVBQUU7d0JBQ3hCLFlBQVksRUFBRTs0QkFDWixjQUFjLEVBQUUsRUFBRTt5QkFDbkI7cUJBQ0Y7b0JBQ0QseUJBQXlCLEVBQUU7d0JBQ3pCLFVBQVUsRUFBRTs0QkFDVixZQUFZLEVBQUU7Z0NBQ1osV0FBVyxFQUFFLFFBQVE7NkJBQ3RCO3lCQUNGO3FCQUNGO2lCQUNGO2FBQ0Y7U0FDRixDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsY0FBYyxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDakQsSUFBSSxDQUFDLGNBQWMsQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQzlDLElBQUksQ0FBQyxjQUFjLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUVyRCxtREFBbUQ7UUFDbkQsTUFBTSxRQUFRLEdBQUcsSUFBSSxxQkFBRyxDQUFDLElBQUksQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO1lBQzlDLFNBQVMsRUFBRSxJQUFJLHFCQUFHLENBQUMsZ0JBQWdCLENBQUMsb0JBQW9CLENBQUM7WUFDekQsY0FBYyxFQUFFO2dCQUNkLG1CQUFtQixFQUFFLElBQUkscUJBQUcsQ0FBQyxjQUFjLENBQUM7b0JBQzFDLFVBQVUsRUFBRTt3QkFDVixJQUFJLHFCQUFHLENBQUMsZUFBZSxDQUFDOzRCQUN0QixNQUFNLEVBQUUscUJBQUcsQ0FBQyxNQUFNLENBQUMsS0FBSzs0QkFDeEIsT0FBTyxFQUFFLENBQUMsb0JBQW9CLENBQUM7NEJBQy9CLFNBQVMsRUFBRSxDQUFDLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFDO3lCQUN6QyxDQUFDO3FCQUNIO2lCQUNGLENBQUM7YUFDSDtTQUNGLENBQUMsQ0FBQztRQUVILGlEQUFpRDtRQUNqRCxLQUFLLENBQUMsYUFBYSxDQUFDLE9BQU8sQ0FBQyxDQUFDLFlBQVksRUFBRSxLQUFLLEVBQUUsRUFBRTtZQUNsRCxJQUFJLHNCQUFJLENBQUMscUJBQXFCLENBQUMsSUFBSSxFQUFFLGVBQWUsS0FBSyxFQUFFLEVBQUU7Z0JBQzNELFlBQVksRUFBRSxZQUFZO2dCQUMxQixhQUFhLEVBQUUsRUFBRTtnQkFDakIsY0FBYyxFQUFFLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTztnQkFDM0MsT0FBTyxFQUFFLFFBQVEsQ0FBQyxPQUFPO2FBQzFCLENBQUMsQ0FBQztRQUNMLENBQUMsQ0FBQyxDQUFDO1FBRUgsVUFBVTtRQUNWLElBQUksSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsWUFBWSxFQUFFO1lBQ3JDLEtBQUssRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVU7WUFDN0IsV0FBVyxFQUFFLGlDQUFpQztTQUMvQyxDQUFDLENBQUM7UUFFSCxJQUFJLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxFQUFFLGNBQWMsRUFBRTtZQUN2QyxLQUFLLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHO1lBQ3hCLFdBQVcsRUFBRSx1Q0FBdUM7U0FDckQsQ0FBQyxDQUFDO1FBRUgsSUFBSSxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksRUFBRSxXQUFXLEVBQUU7WUFDcEMsS0FBSyxFQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRztZQUNyQixXQUFXLEVBQUUsb0NBQW9DO1NBQ2xELENBQUMsQ0FBQztRQUVILElBQUksSUFBSSxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsbUJBQW1CLEVBQUU7WUFDNUMsS0FBSyxFQUFFLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTztZQUNsQyxXQUFXLEVBQUUsc0NBQXNDO1NBQ3BELENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRjtBQXZMRCwwQ0F1TEMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBjb3JlIGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7XG4gIGF3c19zMyBhcyBzMyxcbiAgYXdzX2ttcyBhcyBrbXMsXG4gIGF3c19sb2dzIGFzIGxvZ3MsXG4gIGF3c19raW5lc2lzZmlyZWhvc2UgYXMgZmlyZWhvc2UsXG4gIGF3c19nbHVlIGFzIGdsdWUsXG4gIGF3c19pYW0gYXMgaWFtLFxuICBSZW1vdmFsUG9saWN5LFxufSBmcm9tICdhd3MtY2RrLWxpYic7XG5pbXBvcnQgKiBhcyBjb25zdHJ1Y3RzIGZyb20gJ2NvbnN0cnVjdHMnO1xuXG5leHBvcnQgaW50ZXJmYWNlIEF1ZGl0TG9nQXJjaGl2ZVByb3BzIHtcbiAgcmVhZG9ubHkgbG9nR3JvdXBOYW1lczogc3RyaW5nW107XG4gIHJlYWRvbmx5IGttc0tleToga21zLklLZXk7XG4gIHJlYWRvbmx5IHJldGVudGlvbkRheXM/OiBudW1iZXI7XG4gIHJlYWRvbmx5IGFyY2hpdmVSZXRlbnRpb25EYXlzPzogbnVtYmVyO1xuICByZWFkb25seSBidWNrZXROYW1lPzogc3RyaW5nO1xuICByZWFkb25seSBkYXRhYmFzZU5hbWU/OiBzdHJpbmc7XG4gIHJlYWRvbmx5IHJlbW92YWxQb2xpY3k/OiBSZW1vdmFsUG9saWN5O1xufVxuXG5leHBvcnQgY2xhc3MgQXVkaXRMb2dBcmNoaXZlIGV4dGVuZHMgY29uc3RydWN0cy5Db25zdHJ1Y3Qge1xuICBwdWJsaWMgcmVhZG9ubHkgYnVja2V0OiBzMy5CdWNrZXQ7XG4gIHB1YmxpYyByZWFkb25seSBkYXRhYmFzZTogZ2x1ZS5DZm5EYXRhYmFzZTtcbiAgcHVibGljIHJlYWRvbmx5IHRhYmxlOiBnbHVlLkNmblRhYmxlO1xuICBwdWJsaWMgcmVhZG9ubHkgZGVsaXZlcnlTdHJlYW06IGZpcmVob3NlLkNmbkRlbGl2ZXJ5U3RyZWFtO1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IEF1ZGl0TG9nQXJjaGl2ZVByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIGNvbnN0IGFyY2hpdmVSZXRlbnRpb25EYXlzID0gcHJvcHMuYXJjaGl2ZVJldGVudGlvbkRheXMgPz8gMzY1O1xuICAgIGNvbnN0IGRhdGFiYXNlTmFtZSA9IHByb3BzLmRhdGFiYXNlTmFtZSA/PyAnYXVkaXRfbG9ncyc7XG4gICAgY29uc3QgdGFibGVOYW1lID0gJ2xvZ3MnO1xuXG4gICAgLy8gQ3JlYXRlIFMzIGJ1Y2tldCBmb3IgYXVkaXQgbG9nIGFyY2hpdmVcbiAgICB0aGlzLmJ1Y2tldCA9IG5ldyBzMy5CdWNrZXQodGhpcywgJ0J1Y2tldCcsIHtcbiAgICAgIGJ1Y2tldE5hbWU6IHByb3BzLmJ1Y2tldE5hbWUgPz8gYGF1ZGl0LWxvZ3MtJHtjb3JlLlN0YWNrLm9mKHRoaXMpLmFjY291bnR9LSR7Y29yZS5TdGFjay5vZih0aGlzKS5yZWdpb259YCxcbiAgICAgIGVuY3J5cHRpb246IHMzLkJ1Y2tldEVuY3J5cHRpb24uUzNfTUFOQUdFRCxcbiAgICAgIGJsb2NrUHVibGljQWNjZXNzOiBzMy5CbG9ja1B1YmxpY0FjY2Vzcy5CTE9DS19BTEwsXG4gICAgICBpbnRlbGxpZ2VudFRpZXJpbmdDb25maWd1cmF0aW9uczogW3tcbiAgICAgICAgbmFtZTogJ2FyY2hpdmUtdGllcmluZycsXG4gICAgICAgIGFyY2hpdmVBY2Nlc3NUaWVyVGltZTogY29yZS5EdXJhdGlvbi5kYXlzKDkwKSxcbiAgICAgICAgZGVlcEFyY2hpdmVBY2Nlc3NUaWVyVGltZTogY29yZS5EdXJhdGlvbi5kYXlzKDE4MCksXG4gICAgICB9XSxcbiAgICAgIGxpZmVjeWNsZVJ1bGVzOiBbe1xuICAgICAgICBpZDogJ2RlbGV0ZS1vbGQtbG9ncycsXG4gICAgICAgIGVuYWJsZWQ6IHRydWUsXG4gICAgICAgIGV4cGlyYXRpb246IGNvcmUuRHVyYXRpb24uZGF5cyhhcmNoaXZlUmV0ZW50aW9uRGF5cyksXG4gICAgICB9XSxcbiAgICAgIHJlbW92YWxQb2xpY3k6IHByb3BzLnJlbW92YWxQb2xpY3kgPz8gUmVtb3ZhbFBvbGljeS5SRVRBSU4sXG4gICAgICBhdXRvRGVsZXRlT2JqZWN0czogcHJvcHMucmVtb3ZhbFBvbGljeSA9PT0gUmVtb3ZhbFBvbGljeS5ERVNUUk9ZLFxuICAgIH0pO1xuXG4gICAgLy8gQ3JlYXRlIEdsdWUgZGF0YWJhc2VcbiAgICB0aGlzLmRhdGFiYXNlID0gbmV3IGdsdWUuQ2ZuRGF0YWJhc2UodGhpcywgJ0RhdGFiYXNlJywge1xuICAgICAgY2F0YWxvZ0lkOiBjb3JlLlN0YWNrLm9mKHRoaXMpLmFjY291bnQsXG4gICAgICBkYXRhYmFzZUlucHV0OiB7XG4gICAgICAgIG5hbWU6IGRhdGFiYXNlTmFtZSxcbiAgICAgICAgZGVzY3JpcHRpb246ICdBdWRpdCBsb2dzIGRhdGFiYXNlIGZvciBBdGhlbmEgcXVlcmllcycsXG4gICAgICB9LFxuICAgIH0pO1xuXG4gICAgLy8gQ3JlYXRlIEdsdWUgdGFibGUgZm9yIFBhcnF1ZXQgc2NoZW1hXG4gICAgdGhpcy50YWJsZSA9IG5ldyBnbHVlLkNmblRhYmxlKHRoaXMsICdUYWJsZScsIHtcbiAgICAgIGNhdGFsb2dJZDogY29yZS5TdGFjay5vZih0aGlzKS5hY2NvdW50LFxuICAgICAgZGF0YWJhc2VOYW1lOiB0aGlzLmRhdGFiYXNlLnJlZixcbiAgICAgIHRhYmxlSW5wdXQ6IHtcbiAgICAgICAgbmFtZTogdGFibGVOYW1lLFxuICAgICAgICBkZXNjcmlwdGlvbjogJ0F1ZGl0IGxvZ3MgaW4gUGFycXVldCBmb3JtYXQnLFxuICAgICAgICBzdG9yYWdlRGVzY3JpcHRvcjoge1xuICAgICAgICAgIGNvbHVtbnM6IFtcbiAgICAgICAgICAgIHsgbmFtZTogJ3RpbWVzdGFtcCcsIHR5cGU6ICdiaWdpbnQnLCBjb21tZW50OiAnTG9nIHRpbWVzdGFtcCBpbiBtaWxsaXNlY29uZHMnIH0sXG4gICAgICAgICAgICB7IG5hbWU6ICdtZXNzYWdlJywgdHlwZTogJ3N0cmluZycsIGNvbW1lbnQ6ICdMb2cgbWVzc2FnZScgfSxcbiAgICAgICAgICAgIHsgbmFtZTogJ2xvZ19ncm91cCcsIHR5cGU6ICdzdHJpbmcnLCBjb21tZW50OiAnQ2xvdWRXYXRjaCBsb2cgZ3JvdXAgbmFtZScgfSxcbiAgICAgICAgICAgIHsgbmFtZTogJ2xvZ19zdHJlYW0nLCB0eXBlOiAnc3RyaW5nJywgY29tbWVudDogJ0Nsb3VkV2F0Y2ggbG9nIHN0cmVhbSBuYW1lJyB9LFxuICAgICAgICAgICAgeyBuYW1lOiAnZXZlbnRfdHlwZScsIHR5cGU6ICdzdHJpbmcnLCBjb21tZW50OiAnRXZlbnQgdHlwZSAoZXh0cmFjdGVkIGZyb20gbWVzc2FnZSknIH0sXG4gICAgICAgICAgICB7IG5hbWU6ICd1c2VyX2lkJywgdHlwZTogJ3N0cmluZycsIGNvbW1lbnQ6ICdVc2VyIGlkZW50aWZpZXIgKGlmIGF2YWlsYWJsZSknIH0sXG4gICAgICAgICAgICB7IG5hbWU6ICdpcF9hZGRyZXNzJywgdHlwZTogJ3N0cmluZycsIGNvbW1lbnQ6ICdDbGllbnQgSVAgYWRkcmVzcyAoaWYgYXZhaWxhYmxlKScgfSxcbiAgICAgICAgICBdLFxuICAgICAgICAgIGxvY2F0aW9uOiBgczM6Ly8ke3RoaXMuYnVja2V0LmJ1Y2tldE5hbWV9L2xvZ3MvYCxcbiAgICAgICAgICBpbnB1dEZvcm1hdDogJ29yZy5hcGFjaGUuaGFkb29wLmhpdmUucWwuaW8ucGFycXVldC5NYXByZWRQYXJxdWV0SW5wdXRGb3JtYXQnLFxuICAgICAgICAgIG91dHB1dEZvcm1hdDogJ29yZy5hcGFjaGUuaGFkb29wLmhpdmUucWwuaW8ucGFycXVldC5NYXByZWRQYXJxdWV0T3V0cHV0Rm9ybWF0JyxcbiAgICAgICAgICBzZXJkZUluZm86IHtcbiAgICAgICAgICAgIHNlcmlhbGl6YXRpb25MaWJyYXJ5OiAnb3JnLmFwYWNoZS5oYWRvb3AuaGl2ZS5xbC5pby5wYXJxdWV0LnNlcmRlLlBhcnF1ZXRIaXZlU2VyRGUnLFxuICAgICAgICAgICAgcGFyYW1ldGVyczoge1xuICAgICAgICAgICAgICAnc2VyaWFsaXphdGlvbi5mb3JtYXQnOiAnMScsXG4gICAgICAgICAgICB9LFxuICAgICAgICAgIH0sXG4gICAgICAgIH0sXG4gICAgICAgIHBhcnRpdGlvbktleXM6IFtcbiAgICAgICAgICB7IG5hbWU6ICd5ZWFyJywgdHlwZTogJ3N0cmluZycgfSxcbiAgICAgICAgICB7IG5hbWU6ICdtb250aCcsIHR5cGU6ICdzdHJpbmcnIH0sXG4gICAgICAgICAgeyBuYW1lOiAnZGF5JywgdHlwZTogJ3N0cmluZycgfSxcbiAgICAgICAgXSxcbiAgICAgICAgdGFibGVUeXBlOiAnRVhURVJOQUxfVEFCTEUnLFxuICAgICAgfSxcbiAgICB9KTtcblxuICAgIC8vIENyZWF0ZSBJQU0gcm9sZSBmb3IgRmlyZWhvc2VcbiAgICBjb25zdCBmaXJlaG9zZVJvbGUgPSBuZXcgaWFtLlJvbGUodGhpcywgJ0ZpcmVob3NlUm9sZScsIHtcbiAgICAgIGFzc3VtZWRCeTogbmV3IGlhbS5TZXJ2aWNlUHJpbmNpcGFsKCdmaXJlaG9zZS5hbWF6b25hd3MuY29tJyksXG4gICAgfSk7XG5cbiAgICB0aGlzLmJ1Y2tldC5ncmFudFdyaXRlKGZpcmVob3NlUm9sZSk7XG4gICAgcHJvcHMua21zS2V5LmdyYW50RW5jcnlwdERlY3J5cHQoZmlyZWhvc2VSb2xlKTtcblxuICAgIGZpcmVob3NlUm9sZS5hZGRUb1BvbGljeShuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICBhY3Rpb25zOiBbJ2dsdWU6R2V0VGFibGUnLCAnZ2x1ZTpHZXRUYWJsZVZlcnNpb24nLCAnZ2x1ZTpHZXRUYWJsZVZlcnNpb25zJ10sXG4gICAgICByZXNvdXJjZXM6IFtcbiAgICAgICAgYGFybjphd3M6Z2x1ZToke2NvcmUuU3RhY2sub2YodGhpcykucmVnaW9ufToke2NvcmUuU3RhY2sub2YodGhpcykuYWNjb3VudH06Y2F0YWxvZ2AsXG4gICAgICAgIGBhcm46YXdzOmdsdWU6JHtjb3JlLlN0YWNrLm9mKHRoaXMpLnJlZ2lvbn06JHtjb3JlLlN0YWNrLm9mKHRoaXMpLmFjY291bnR9OmRhdGFiYXNlLyR7ZGF0YWJhc2VOYW1lfWAsXG4gICAgICAgIGBhcm46YXdzOmdsdWU6JHtjb3JlLlN0YWNrLm9mKHRoaXMpLnJlZ2lvbn06JHtjb3JlLlN0YWNrLm9mKHRoaXMpLmFjY291bnR9OnRhYmxlLyR7ZGF0YWJhc2VOYW1lfS8ke3RhYmxlTmFtZX1gLFxuICAgICAgXSxcbiAgICB9KSk7XG5cbiAgICAvLyBDcmVhdGUgS2luZXNpcyBGaXJlaG9zZSBkZWxpdmVyeSBzdHJlYW0gd2l0aCBQYXJxdWV0IGNvbnZlcnNpb25cbiAgICB0aGlzLmRlbGl2ZXJ5U3RyZWFtID0gbmV3IGZpcmVob3NlLkNmbkRlbGl2ZXJ5U3RyZWFtKHRoaXMsICdEZWxpdmVyeVN0cmVhbScsIHtcbiAgICAgIGRlbGl2ZXJ5U3RyZWFtVHlwZTogJ0RpcmVjdFB1dCcsXG4gICAgICBleHRlbmRlZFMzRGVzdGluYXRpb25Db25maWd1cmF0aW9uOiB7XG4gICAgICAgIGJ1Y2tldEFybjogdGhpcy5idWNrZXQuYnVja2V0QXJuLFxuICAgICAgICByb2xlQXJuOiBmaXJlaG9zZVJvbGUucm9sZUFybixcbiAgICAgICAgcHJlZml4OiAnbG9ncy95ZWFyPSF7dGltZXN0YW1wOnl5eXl9L21vbnRoPSF7dGltZXN0YW1wOk1NfS9kYXk9IXt0aW1lc3RhbXA6ZGR9LycsXG4gICAgICAgIGVycm9yT3V0cHV0UHJlZml4OiAnZXJyb3JzLyF7ZmlyZWhvc2U6ZXJyb3Itb3V0cHV0LXR5cGV9L3llYXI9IXt0aW1lc3RhbXA6eXl5eX0vbW9udGg9IXt0aW1lc3RhbXA6TU19L2RheT0he3RpbWVzdGFtcDpkZH0vJyxcbiAgICAgICAgYnVmZmVyaW5nSGludHM6IHtcbiAgICAgICAgICBpbnRlcnZhbEluU2Vjb25kczogMzAwLFxuICAgICAgICAgIHNpemVJbk1CczogMTI4LFxuICAgICAgICB9LFxuICAgICAgICBjb21wcmVzc2lvbkZvcm1hdDogJ1VOQ09NUFJFU1NFRCcsXG4gICAgICAgIGRhdGFGb3JtYXRDb252ZXJzaW9uQ29uZmlndXJhdGlvbjoge1xuICAgICAgICAgIGVuYWJsZWQ6IHRydWUsXG4gICAgICAgICAgc2NoZW1hQ29uZmlndXJhdGlvbjoge1xuICAgICAgICAgICAgcm9sZUFybjogZmlyZWhvc2VSb2xlLnJvbGVBcm4sXG4gICAgICAgICAgICBkYXRhYmFzZU5hbWU6IHRoaXMuZGF0YWJhc2UucmVmLFxuICAgICAgICAgICAgdGFibGVOYW1lOiB0aGlzLnRhYmxlLnJlZixcbiAgICAgICAgICAgIHJlZ2lvbjogY29yZS5TdGFjay5vZih0aGlzKS5yZWdpb24sXG4gICAgICAgICAgICB2ZXJzaW9uSWQ6ICdMQVRFU1QnLFxuICAgICAgICAgIH0sXG4gICAgICAgICAgaW5wdXRGb3JtYXRDb25maWd1cmF0aW9uOiB7XG4gICAgICAgICAgICBkZXNlcmlhbGl6ZXI6IHtcbiAgICAgICAgICAgICAgb3BlblhKc29uU2VyRGU6IHt9LFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICB9LFxuICAgICAgICAgIG91dHB1dEZvcm1hdENvbmZpZ3VyYXRpb246IHtcbiAgICAgICAgICAgIHNlcmlhbGl6ZXI6IHtcbiAgICAgICAgICAgICAgcGFycXVldFNlckRlOiB7XG4gICAgICAgICAgICAgICAgY29tcHJlc3Npb246ICdTTkFQUFknLFxuICAgICAgICAgICAgICB9LFxuICAgICAgICAgICAgfSxcbiAgICAgICAgICB9LFxuICAgICAgICB9LFxuICAgICAgfSxcbiAgICB9KTtcblxuICAgIHRoaXMuZGVsaXZlcnlTdHJlYW0uYWRkRGVwZW5kZW5jeSh0aGlzLmRhdGFiYXNlKTtcbiAgICB0aGlzLmRlbGl2ZXJ5U3RyZWFtLmFkZERlcGVuZGVuY3kodGhpcy50YWJsZSk7XG4gICAgdGhpcy5kZWxpdmVyeVN0cmVhbS5ub2RlLmFkZERlcGVuZGVuY3koZmlyZWhvc2VSb2xlKTtcblxuICAgIC8vIENyZWF0ZSBJQU0gcm9sZSBmb3IgQ2xvdWRXYXRjaCBMb2dzIHN1YnNjcmlwdGlvblxuICAgIGNvbnN0IGxvZ3NSb2xlID0gbmV3IGlhbS5Sb2xlKHRoaXMsICdMb2dzUm9sZScsIHtcbiAgICAgIGFzc3VtZWRCeTogbmV3IGlhbS5TZXJ2aWNlUHJpbmNpcGFsKCdsb2dzLmFtYXpvbmF3cy5jb20nKSxcbiAgICAgIGlubGluZVBvbGljaWVzOiB7XG4gICAgICAgIEZpcmVob3NlUGVybWlzc2lvbnM6IG5ldyBpYW0uUG9saWN5RG9jdW1lbnQoe1xuICAgICAgICAgIHN0YXRlbWVudHM6IFtcbiAgICAgICAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICAgICAgZWZmZWN0OiBpYW0uRWZmZWN0LkFMTE9XLFxuICAgICAgICAgICAgICBhY3Rpb25zOiBbJ2ZpcmVob3NlOlB1dFJlY29yZCddLFxuICAgICAgICAgICAgICByZXNvdXJjZXM6IFt0aGlzLmRlbGl2ZXJ5U3RyZWFtLmF0dHJBcm5dLFxuICAgICAgICAgICAgfSksXG4gICAgICAgICAgXSxcbiAgICAgICAgfSksXG4gICAgICB9LFxuICAgIH0pO1xuXG4gICAgLy8gQ3JlYXRlIHN1YnNjcmlwdGlvbiBmaWx0ZXJzIGZvciBlYWNoIGxvZyBncm91cFxuICAgIHByb3BzLmxvZ0dyb3VwTmFtZXMuZm9yRWFjaCgobG9nR3JvdXBOYW1lLCBpbmRleCkgPT4ge1xuICAgICAgbmV3IGxvZ3MuQ2ZuU3Vic2NyaXB0aW9uRmlsdGVyKHRoaXMsIGBTdWJzY3JpcHRpb24ke2luZGV4fWAsIHtcbiAgICAgICAgbG9nR3JvdXBOYW1lOiBsb2dHcm91cE5hbWUsXG4gICAgICAgIGZpbHRlclBhdHRlcm46ICcnLFxuICAgICAgICBkZXN0aW5hdGlvbkFybjogdGhpcy5kZWxpdmVyeVN0cmVhbS5hdHRyQXJuLFxuICAgICAgICByb2xlQXJuOiBsb2dzUm9sZS5yb2xlQXJuLFxuICAgICAgfSk7XG4gICAgfSk7XG5cbiAgICAvLyBPdXRwdXRzXG4gICAgbmV3IGNvcmUuQ2ZuT3V0cHV0KHRoaXMsICdCdWNrZXROYW1lJywge1xuICAgICAgdmFsdWU6IHRoaXMuYnVja2V0LmJ1Y2tldE5hbWUsXG4gICAgICBkZXNjcmlwdGlvbjogJ1MzIEJ1Y2tldCBmb3IgQXVkaXQgTG9nIEFyY2hpdmUnLFxuICAgIH0pO1xuXG4gICAgbmV3IGNvcmUuQ2ZuT3V0cHV0KHRoaXMsICdEYXRhYmFzZU5hbWUnLCB7XG4gICAgICB2YWx1ZTogdGhpcy5kYXRhYmFzZS5yZWYsXG4gICAgICBkZXNjcmlwdGlvbjogJ0dsdWUgRGF0YWJhc2UgTmFtZSBmb3IgQXRoZW5hIFF1ZXJpZXMnLFxuICAgIH0pO1xuXG4gICAgbmV3IGNvcmUuQ2ZuT3V0cHV0KHRoaXMsICdUYWJsZU5hbWUnLCB7XG4gICAgICB2YWx1ZTogdGhpcy50YWJsZS5yZWYsXG4gICAgICBkZXNjcmlwdGlvbjogJ0dsdWUgVGFibGUgTmFtZSBmb3IgQXRoZW5hIFF1ZXJpZXMnLFxuICAgIH0pO1xuXG4gICAgbmV3IGNvcmUuQ2ZuT3V0cHV0KHRoaXMsICdEZWxpdmVyeVN0cmVhbUFybicsIHtcbiAgICAgIHZhbHVlOiB0aGlzLmRlbGl2ZXJ5U3RyZWFtLmF0dHJBcm4sXG4gICAgICBkZXNjcmlwdGlvbjogJ0tpbmVzaXMgRmlyZWhvc2UgRGVsaXZlcnkgU3RyZWFtIEFSTicsXG4gICAgfSk7XG4gIH1cbn1cbiJdfQ==

package/lib/cloudfront/logging/index.d.ts

@@ -0,0 +1 @@
+export * from './auditLogArchive';

package/lib/cloudfront/logging/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auditLogArchive"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY2xvdWRmcm9udC9sb2dnaW5nL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxvREFBa0MiLCJzb3VyY2VzQ29udGVudCI6WyJleHBvcnQgKiBmcm9tICcuL2F1ZGl0TG9nQXJjaGl2ZSc7XG4iXX0=

package/lib/cloudfront/oauthEdgeRole.d.ts

@@ -0,0 +1,9 @@
+import { aws_iam as iam } from 'aws-cdk-lib';
+import * as constructs from 'constructs';
+export interface OAuthEdgeRoleProps {
+    readonly roleName: string;
+}
+export declare class OAuthEdgeRole extends constructs.Construct {
+    readonly role: iam.Role;
+    constructor(scope: constructs.Construct, id: string, props: OAuthEdgeRoleProps);
+}

package/lib/cloudfront/oauthEdgeRole.js

@@ -0,0 +1,56 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthEdgeRole = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+class OAuthEdgeRole extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.role = new aws_cdk_lib_1.aws_iam.Role(this, 'Role', {
+            roleName: props.roleName,
+            assumedBy: new aws_cdk_lib_1.aws_iam.CompositePrincipal(new aws_cdk_lib_1.aws_iam.ServicePrincipal('lambda.amazonaws.com'), new aws_cdk_lib_1.aws_iam.ServicePrincipal('edgelambda.amazonaws.com')),
+            managedPolicies: [
+                aws_cdk_lib_1.aws_iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
+            ],
+        });
+        this.role.addToPolicy(new aws_cdk_lib_1.aws_iam.PolicyStatement({
+            actions: ['sts:GetWebIdentityToken'],
+            resources: ['*'],
+        }));
+    }
+}
+exports.OAuthEdgeRole = OAuthEdgeRole;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2F1dGhFZGdlUm9sZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9jbG91ZGZyb250L29hdXRoRWRnZVJvbGUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsNkNBRXFCO0FBQ3JCLHVEQUF5QztBQU16QyxNQUFhLGFBQWMsU0FBUSxVQUFVLENBQUMsU0FBUztJQUdyRCxZQUFZLEtBQTJCLEVBQUUsRUFBVSxFQUFFLEtBQXlCO1FBQzVFLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFakIsSUFBSSxDQUFDLElBQUksR0FBRyxJQUFJLHFCQUFHLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxNQUFNLEVBQUU7WUFDckMsUUFBUSxFQUFFLEtBQUssQ0FBQyxRQUFRO1lBQ3hCLFNBQVMsRUFBRSxJQUFJLHFCQUFHLENBQUMsa0JBQWtCLENBQ25DLElBQUkscUJBQUcsQ0FBQyxnQkFBZ0IsQ0FBQyxzQkFBc0IsQ0FBQyxFQUNoRCxJQUFJLHFCQUFHLENBQUMsZ0JBQWdCLENBQUMsMEJBQTBCLENBQUMsQ0FDckQ7WUFDRCxlQUFlLEVBQUU7Z0JBQ2YscUJBQUcsQ0FBQyxhQUFhLENBQUMsd0JBQXdCLENBQUMsMENBQTBDLENBQUM7YUFDdkY7U0FDRixDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLHFCQUFHLENBQUMsZUFBZSxDQUFDO1lBQzVDLE9BQU8sRUFBRSxDQUFDLHlCQUF5QixDQUFDO1lBQ3BDLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQUMsQ0FBQztJQUNOLENBQUM7Q0FDRjtBQXRCRCxzQ0FzQkMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQge1xuICBhd3NfaWFtIGFzIGlhbSxcbn0gZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0ICogYXMgY29uc3RydWN0cyBmcm9tICdjb25zdHJ1Y3RzJztcblxuZXhwb3J0IGludGVyZmFjZSBPQXV0aEVkZ2VSb2xlUHJvcHMge1xuICByZWFkb25seSByb2xlTmFtZTogc3RyaW5nO1xufVxuXG5leHBvcnQgY2xhc3MgT0F1dGhFZGdlUm9sZSBleHRlbmRzIGNvbnN0cnVjdHMuQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IHJvbGU6IGlhbS5Sb2xlO1xuXG4gIGNvbnN0cnVjdG9yKHNjb3BlOiBjb25zdHJ1Y3RzLkNvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IE9BdXRoRWRnZVJvbGVQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICB0aGlzLnJvbGUgPSBuZXcgaWFtLlJvbGUodGhpcywgJ1JvbGUnLCB7XG4gICAgICByb2xlTmFtZTogcHJvcHMucm9sZU5hbWUsXG4gICAgICBhc3N1bWVkQnk6IG5ldyBpYW0uQ29tcG9zaXRlUHJpbmNpcGFsKFxuICAgICAgICBuZXcgaWFtLlNlcnZpY2VQcmluY2lwYWwoJ2xhbWJkYS5hbWF6b25hd3MuY29tJyksXG4gICAgICAgIG5ldyBpYW0uU2VydmljZVByaW5jaXBhbCgnZWRnZWxhbWJkYS5hbWF6b25hd3MuY29tJyksXG4gICAgICApLFxuICAgICAgbWFuYWdlZFBvbGljaWVzOiBbXG4gICAgICAgIGlhbS5NYW5hZ2VkUG9saWN5LmZyb21Bd3NNYW5hZ2VkUG9saWN5TmFtZSgnc2VydmljZS1yb2xlL0FXU0xhbWJkYUJhc2ljRXhlY3V0aW9uUm9sZScpLFxuICAgICAgXSxcbiAgICB9KTtcblxuICAgIHRoaXMucm9sZS5hZGRUb1BvbGljeShuZXcgaWFtLlBvbGljeVN0YXRlbWVudCh7XG4gICAgICBhY3Rpb25zOiBbJ3N0czpHZXRXZWJJZGVudGl0eVRva2VuJ10sXG4gICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgIH0pKTtcbiAgfVxufVxuIl19

package/lib/cloudfront/patterns/authInfrastructure.d.ts

@@ -0,0 +1,34 @@
+import * as core from 'aws-cdk-lib';
+import { aws_iam as iam } from 'aws-cdk-lib';
+import * as constructs from 'constructs';
+export interface AppSpec {
+    readonly name: string;
+    readonly groups?: string[];
+}
+export interface AuthInfrastructureProps {
+    readonly ssmParamPrefix?: string;
+    readonly zoneName: string;
+    readonly tenantId: string;
+    readonly clientId: string;
+    readonly oauth2CallbackRoleName: string;
+    readonly appSpec: AppSpec;
+    readonly securityAlertsTopicArn?: string;
+    readonly sessionRevocationTopicArn?: string;
+    readonly autoRevokeOnReuse?: boolean;
+    readonly jwtClaimsWhitelist?: string[];
+    readonly hmacSecretRotationSchedule?: core.Duration;
+    readonly auditLogRetentionDays?: number;
+    readonly auditArchiveRetentionDays?: number;
+    readonly removalPolicy?: core.RemovalPolicy;
+}
+export declare class AuthInfrastructure extends constructs.Construct {
+    readonly configSecretArn: string;
+    readonly kmsKeyArn: string;
+    readonly authTableArn: string;
+    readonly kvsArn: string;
+    readonly tenantId: string;
+    readonly clientId: string;
+    readonly oauth2CallbackRoleName: string;
+    readonly oidcProvider: iam.IOpenIdConnectProvider;
+    constructor(scope: constructs.Construct, id: string, props: AuthInfrastructureProps);
+}

package/lib/cloudfront/patterns/authInfrastructure.js

@@ -0,0 +1,140 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthInfrastructure = void 0;
+const core = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const constructs = __importStar(require("constructs"));
+const authLambdaFunctions_1 = require("../auth/authLambdaFunctions");
+const authSecretManager_1 = require("../auth/authSecretManager");
+const authSecurityTable_1 = require("../authSecurityTable");
+const auditLogArchive_1 = require("../logging/auditLogArchive");
+const ssmCrossRegionWriter_1 = require("../ssmCrossRegionWriter");
+const AZURE_RESERVED_WORDS = [
+    'admin', 'administrator', 'root', 'sys', 'system', 'guest', 'public',
+    'user', 'users', 'microsoft', 'windows', 'office', 'azure', 'exchange',
+    'sharepoint', 'teams', 'support', 'help', 'service',
+];
+function validateGroupNames(groups) {
+    const invalidGroups = [];
+    groups.forEach(group => {
+        const reservedWord = AZURE_RESERVED_WORDS.find(word => {
+            if (group.toLowerCase() === word)
+                return true;
+            return new RegExp(`\\b${word}\\b`, 'i').test(group);
+        });
+        if (reservedWord) {
+            invalidGroups.push(`'${group}' (contains reserved word '${reservedWord}')`);
+        }
+    });
+    if (invalidGroups.length > 0) {
+        throw new Error(`Invalid Azure AD group names detected:\n${invalidGroups.join('\n')}\n\n` +
+            'Azure AD blocks group names containing reserved words.');
+    }
+}
+// SHA-1 fingerprint of DigiCert Global Root G2 (Azure AD root CA). Stable 10-20 years.
+const AZURE_AD_THUMBPRINT = '6938fd4d98bab03faadb97b34396831e3780aea1';
+class AuthInfrastructure extends constructs.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        if (props.appSpec.groups && props.appSpec.groups.length > 0) {
+            validateGroupNames(props.appSpec.groups);
+        }
+        this.tenantId = props.tenantId;
+        this.clientId = props.clientId;
+        this.oauth2CallbackRoleName = props.oauth2CallbackRoleName;
+        const authSecurityTable = new authSecurityTable_1.AuthSecurityTable(this, 'AuthSecurityTable', {
+            tableName: `auth-security-${props.zoneName}`,
+            removalPolicy: props.removalPolicy ?? core.RemovalPolicy.RETAIN,
+        });
+        const secretManager = new authSecretManager_1.AuthSecretManager(this, 'SecretManager', {
+            domainName: props.zoneName,
+            tableName: authSecurityTable.table.tableName,
+            tableRegion: core.Stack.of(this).region,
+            azureTenantId: props.tenantId,
+            azureClientId: props.clientId,
+            stsAudience: 'api://AzureADTokenExchange',
+            securityAlertsTopicArn: props.securityAlertsTopicArn,
+            autoRevokeOnReuse: props.autoRevokeOnReuse,
+            jwtClaimsWhitelist: props.jwtClaimsWhitelist,
+        });
+        const auditLogRetentionDays = props.auditLogRetentionDays ?? 30;
+        const auditArchiveRetentionDays = props.auditArchiveRetentionDays ?? 365;
+        const lambdaFunctions = new authLambdaFunctions_1.AuthLambdaFunctions(this, 'LambdaFunctions', {
+            configSecret: secretManager.configSecret,
+            kmsKey: secretManager.kmsKey,
+            kvs: secretManager.kvs,
+            authTable: authSecurityTable.table,
+            rotationSchedule: props.hmacSecretRotationSchedule,
+            sessionRevocationTopicArn: props.sessionRevocationTopicArn,
+            logRetentionDays: auditLogRetentionDays,
+        });
+        new auditLogArchive_1.AuditLogArchive(this, 'AuditLogArchive', {
+            logGroupNames: lambdaFunctions.logGroups.map(lg => lg.logGroupName),
+            kmsKey: secretManager.kmsKey,
+            retentionDays: auditLogRetentionDays,
+            archiveRetentionDays: auditArchiveRetentionDays,
+            bucketName: `auth-audit-logs-${core.Stack.of(this).account}-${core.Stack.of(this).region}`,
+            databaseName: 'auth_audit_logs',
+            removalPolicy: props.removalPolicy ?? core.RemovalPolicy.RETAIN,
+        });
+        const oidcProvider = new aws_cdk_lib_1.aws_iam.OpenIdConnectProvider(this, 'OidcProvider', {
+            url: `https://login.microsoftonline.com/${props.tenantId}/v2.0`,
+            clientIds: [props.clientId],
+            thumbprints: [AZURE_AD_THUMBPRINT],
+        });
+        this.configSecretArn = secretManager.configSecret.secretArn;
+        this.kmsKeyArn = secretManager.kmsKey.keyArn;
+        this.authTableArn = authSecurityTable.table.tableArn;
+        this.kvsArn = secretManager.kvs.keyValueStoreArn;
+        this.oidcProvider = oidcProvider;
+        const prefix = props.ssmParamPrefix ?? `/auth/${props.zoneName}`;
+        new ssmCrossRegionWriter_1.SsmCrossRegionWriter(this, 'SsmWriter', {
+            prefix: prefix,
+            region: 'us-east-1',
+            params: {
+                configSecretArn: secretManager.configSecret.secretArn,
+                kmsKeyArn: secretManager.kmsKey.keyArn,
+                authTableArn: authSecurityTable.table.tableArn,
+                kvsArn: secretManager.kvs.keyValueStoreArn,
+                tenantId: props.tenantId,
+                clientId: props.clientId,
+                oauth2CallbackRoleName: props.oauth2CallbackRoleName,
+            },
+        });
+    }
+}
+exports.AuthInfrastructure = AuthInfrastructure;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXV0aEluZnJhc3RydWN0dXJlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2Nsb3VkZnJvbnQvcGF0dGVybnMvYXV0aEluZnJhc3RydWN0dXJlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGtEQUFvQztBQUNwQyw2Q0FFcUI7QUFDckIsdURBQXlDO0FBQ3pDLHFFQUFrRTtBQUNsRSxpRUFBOEQ7QUFDOUQsNERBQXlEO0FBQ3pELGdFQUE2RDtBQUM3RCxrRUFBK0Q7QUFFL0QsTUFBTSxvQkFBb0IsR0FBRztJQUMzQixPQUFPLEVBQUUsZUFBZSxFQUFFLE1BQU0sRUFBRSxLQUFLLEVBQUUsUUFBUSxFQUFFLE9BQU8sRUFBRSxRQUFRO0lBQ3BFLE1BQU0sRUFBRSxPQUFPLEVBQUUsV0FBVyxFQUFFLFNBQVMsRUFBRSxRQUFRLEVBQUUsT0FBTyxFQUFFLFVBQVU7SUFDdEUsWUFBWSxFQUFFLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLFNBQVM7Q0FDcEQsQ0FBQztBQUVGLFNBQVMsa0JBQWtCLENBQUMsTUFBZ0I7SUFDMUMsTUFBTSxhQUFhLEdBQWEsRUFBRSxDQUFDO0lBQ25DLE1BQU0sQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDLEVBQUU7UUFDckIsTUFBTSxZQUFZLEdBQUcsb0JBQW9CLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxFQUFFO1lBQ3BELElBQUksS0FBSyxDQUFDLFdBQVcsRUFBRSxLQUFLLElBQUk7Z0JBQUUsT0FBTyxJQUFJLENBQUM7WUFDOUMsT0FBTyxJQUFJLE1BQU0sQ0FBQyxNQUFNLElBQUksS0FBSyxFQUFFLEdBQUcsQ0FBQyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUN0RCxDQUFDLENBQUMsQ0FBQztRQUNILElBQUksWUFBWSxFQUFFLENBQUM7WUFDakIsYUFBYSxDQUFDLElBQUksQ0FBQyxJQUFJLEtBQUssOEJBQThCLFlBQVksSUFBSSxDQUFDLENBQUM7UUFDOUUsQ0FBQztJQUNILENBQUMsQ0FBQyxDQUFDO0lBQ0gsSUFBSSxhQUFhLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQzdCLE1BQU0sSUFBSSxLQUFLLENBQ2IsMkNBQTJDLGFBQWEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU07WUFDekUsd0RBQXdELENBQ3pELENBQUM7SUFDSixDQUFDO0FBQ0gsQ0FBQztBQUVELHVGQUF1RjtBQUN2RixNQUFNLG1CQUFtQixHQUFHLDBDQUEwQyxDQUFDO0FBd0J2RSxNQUFhLGtCQUFtQixTQUFRLFVBQVUsQ0FBQyxTQUFTO0lBVTFELFlBQVksS0FBMkIsRUFBRSxFQUFVLEVBQUUsS0FBOEI7UUFDakYsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsTUFBTSxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM1RCxrQkFBa0IsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQzNDLENBQUM7UUFFRCxJQUFJLENBQUMsUUFBUSxHQUFHLEtBQUssQ0FBQyxRQUFRLENBQUM7UUFDL0IsSUFBSSxDQUFDLFFBQVEsR0FBRyxLQUFLLENBQUMsUUFBUSxDQUFDO1FBQy9CLElBQUksQ0FBQyxzQkFBc0IsR0FBRyxLQUFLLENBQUMsc0JBQXNCLENBQUM7UUFFM0QsTUFBTSxpQkFBaUIsR0FBRyxJQUFJLHFDQUFpQixDQUFDLElBQUksRUFBRSxtQkFBbUIsRUFBRTtZQUN6RSxTQUFTLEVBQUUsaUJBQWlCLEtBQUssQ0FBQyxRQUFRLEVBQUU7WUFDNUMsYUFBYSxFQUFFLEtBQUssQ0FBQyxhQUFhLElBQUksSUFBSSxDQUFDLGFBQWEsQ0FBQyxNQUFNO1NBQ2hFLENBQUMsQ0FBQztRQUVILE1BQU0sYUFBYSxHQUFHLElBQUkscUNBQWlCLENBQUMsSUFBSSxFQUFFLGVBQWUsRUFBRTtZQUNqRSxVQUFVLEVBQUUsS0FBSyxDQUFDLFFBQVE7WUFDMUIsU0FBUyxFQUFFLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxTQUFTO1lBQzVDLFdBQVcsRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNO1lBQ3ZDLGFBQWEsRUFBRSxLQUFLLENBQUMsUUFBUTtZQUM3QixhQUFhLEVBQUUsS0FBSyxDQUFDLFFBQVE7WUFDN0IsV0FBVyxFQUFFLDRCQUE0QjtZQUN6QyxzQkFBc0IsRUFBRSxLQUFLLENBQUMsc0JBQXNCO1lBQ3BELGlCQUFpQixFQUFFLEtBQUssQ0FBQyxpQkFBaUI7WUFDMUMsa0JBQWtCLEVBQUUsS0FBSyxDQUFDLGtCQUFrQjtTQUM3QyxDQUFDLENBQUM7UUFFSCxNQUFNLHFCQUFxQixHQUFHLEtBQUssQ0FBQyxxQkFBcUIsSUFBSSxFQUFFLENBQUM7UUFDaEUsTUFBTSx5QkFBeUIsR0FBRyxLQUFLLENBQUMseUJBQXlCLElBQUksR0FBRyxDQUFDO1FBRXpFLE1BQU0sZUFBZSxHQUFHLElBQUkseUNBQW1CLENBQUMsSUFBSSxFQUFFLGlCQUFpQixFQUFFO1lBQ3ZFLFlBQVksRUFBRSxhQUFhLENBQUMsWUFBWTtZQUN4QyxNQUFNLEVBQUUsYUFBYSxDQUFDLE1BQU07WUFDNUIsR0FBRyxFQUFFLGFBQWEsQ0FBQyxHQUFHO1lBQ3RCLFNBQVMsRUFBRSxpQkFBaUIsQ0FBQyxLQUFLO1lBQ2xDLGdCQUFnQixFQUFFLEtBQUssQ0FBQywwQkFBMEI7WUFDbEQseUJBQXlCLEVBQUUsS0FBSyxDQUFDLHlCQUF5QjtZQUMxRCxnQkFBZ0IsRUFBRSxxQkFBcUI7U0FDeEMsQ0FBQyxDQUFDO1FBRUgsSUFBSSxpQ0FBZSxDQUFDLElBQUksRUFBRSxpQkFBaUIsRUFBRTtZQUMzQyxhQUFhLEVBQUUsZUFBZSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEVBQUUsQ0FBQyxFQUFFLENBQUMsWUFBWSxDQUFDO1lBQ25FLE1BQU0sRUFBRSxhQUFhLENBQUMsTUFBTTtZQUM1QixhQUFhLEVBQUUscUJBQXFCO1lBQ3BDLG9CQUFvQixFQUFFLHlCQUF5QjtZQUMvQyxVQUFVLEVBQUUsbUJBQW1CLElBQUksQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLEVBQUU7WUFDMUYsWUFBWSxFQUFFLGlCQUFpQjtZQUMvQixhQUFhLEVBQUUsS0FBSyxDQUFDLGFBQWEsSUFBSSxJQUFJLENBQUMsYUFBYSxDQUFDLE1BQU07U0FDaEUsQ0FBQyxDQUFDO1FBRUgsTUFBTSxZQUFZLEdBQUcsSUFBSSxxQkFBRyxDQUFDLHFCQUFxQixDQUFDLElBQUksRUFBRSxjQUFjLEVBQUU7WUFDdkUsR0FBRyxFQUFFLHFDQUFxQyxLQUFLLENBQUMsUUFBUSxPQUFPO1lBQy9ELFNBQVMsRUFBRSxDQUFDLEtBQUssQ0FBQyxRQUFRLENBQUM7WUFDM0IsV0FBVyxFQUFFLENBQUMsbUJBQW1CLENBQUM7U0FDbkMsQ0FBQyxDQUFDO1FBRUgsSUFBSSxDQUFDLGVBQWUsR0FBRyxhQUFhLENBQUMsWUFBWSxDQUFDLFNBQVMsQ0FBQztRQUM1RCxJQUFJLENBQUMsU0FBUyxHQUFHLGFBQWEsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDO1FBQzdDLElBQUksQ0FBQyxZQUFZLEdBQUcsaUJBQWlCLENBQUMsS0FBSyxDQUFDLFFBQVEsQ0FBQztRQUNyRCxJQUFJLENBQUMsTUFBTSxHQUFHLGFBQWEsQ0FBQyxHQUFHLENBQUMsZ0JBQWdCLENBQUM7UUFDakQsSUFBSSxDQUFDLFlBQVksR0FBRyxZQUFZLENBQUM7UUFFakMsTUFBTSxNQUFNLEdBQUcsS0FBSyxDQUFDLGNBQWMsSUFBSSxTQUFTLEtBQUssQ0FBQyxRQUFRLEVBQUUsQ0FBQztRQUVqRSxJQUFJLDJDQUFvQixDQUFDLElBQUksRUFBRSxXQUFXLEVBQUU7WUFDMUMsTUFBTSxFQUFFLE1BQU07WUFDZCxNQUFNLEVBQUUsV0FBVztZQUNuQixNQUFNLEVBQUU7Z0JBQ04sZUFBZSxFQUFFLGFBQWEsQ0FBQyxZQUFZLENBQUMsU0FBUztnQkFDckQsU0FBUyxFQUFFLGFBQWEsQ0FBQyxNQUFNLENBQUMsTUFBTTtnQkFDdEMsWUFBWSxFQUFFLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxRQUFRO2dCQUM5QyxNQUFNLEVBQUUsYUFBYSxDQUFDLEdBQUcsQ0FBQyxnQkFBZ0I7Z0JBQzFDLFFBQVEsRUFBRSxLQUFLLENBQUMsUUFBUTtnQkFDeEIsUUFBUSxFQUFFLEtBQUssQ0FBQyxRQUFRO2dCQUN4QixzQkFBc0IsRUFBRSxLQUFLLENBQUMsc0JBQXNCO2FBQ3JEO1NBQ0YsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztDQUNGO0FBekZELGdEQXlGQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGNvcmUgZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0IHtcbiAgYXdzX2lhbSBhcyBpYW0sXG59IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCAqIGFzIGNvbnN0cnVjdHMgZnJvbSAnY29uc3RydWN0cyc7XG5pbXBvcnQgeyBBdXRoTGFtYmRhRnVuY3Rpb25zIH0gZnJvbSAnLi4vYXV0aC9hdXRoTGFtYmRhRnVuY3Rpb25zJztcbmltcG9ydCB7IEF1dGhTZWNyZXRNYW5hZ2VyIH0gZnJvbSAnLi4vYXV0aC9hdXRoU2VjcmV0TWFuYWdlcic7XG5pbXBvcnQgeyBBdXRoU2VjdXJpdHlUYWJsZSB9IGZyb20gJy4uL2F1dGhTZWN1cml0eVRhYmxlJztcbmltcG9ydCB7IEF1ZGl0TG9nQXJjaGl2ZSB9IGZyb20gJy4uL2xvZ2dpbmcvYXVkaXRMb2dBcmNoaXZlJztcbmltcG9ydCB7IFNzbUNyb3NzUmVnaW9uV3JpdGVyIH0gZnJvbSAnLi4vc3NtQ3Jvc3NSZWdpb25Xcml0ZXInO1xuXG5jb25zdCBBWlVSRV9SRVNFUlZFRF9XT1JEUyA9IFtcbiAgJ2FkbWluJywgJ2FkbWluaXN0cmF0b3InLCAncm9vdCcsICdzeXMnLCAnc3lzdGVtJywgJ2d1ZXN0JywgJ3B1YmxpYycsXG4gICd1c2VyJywgJ3VzZXJzJywgJ21pY3Jvc29mdCcsICd3aW5kb3dzJywgJ29mZmljZScsICdhenVyZScsICdleGNoYW5nZScsXG4gICdzaGFyZXBvaW50JywgJ3RlYW1zJywgJ3N1cHBvcnQnLCAnaGVscCcsICdzZXJ2aWNlJyxcbl07XG5cbmZ1bmN0aW9uIHZhbGlkYXRlR3JvdXBOYW1lcyhncm91cHM6IHN0cmluZ1tdKTogdm9pZCB7XG4gIGNvbnN0IGludmFsaWRHcm91cHM6IHN0cmluZ1tdID0gW107XG4gIGdyb3Vwcy5mb3JFYWNoKGdyb3VwID0+IHtcbiAgICBjb25zdCByZXNlcnZlZFdvcmQgPSBBWlVSRV9SRVNFUlZFRF9XT1JEUy5maW5kKHdvcmQgPT4ge1xuICAgICAgaWYgKGdyb3VwLnRvTG93ZXJDYXNlKCkgPT09IHdvcmQpIHJldHVybiB0cnVlO1xuICAgICAgcmV0dXJuIG5ldyBSZWdFeHAoYFxcXFxiJHt3b3JkfVxcXFxiYCwgJ2knKS50ZXN0KGdyb3VwKTtcbiAgICB9KTtcbiAgICBpZiAocmVzZXJ2ZWRXb3JkKSB7XG4gICAgICBpbnZhbGlkR3JvdXBzLnB1c2goYCcke2dyb3VwfScgKGNvbnRhaW5zIHJlc2VydmVkIHdvcmQgJyR7cmVzZXJ2ZWRXb3JkfScpYCk7XG4gICAgfVxuICB9KTtcbiAgaWYgKGludmFsaWRHcm91cHMubGVuZ3RoID4gMCkge1xuICAgIHRocm93IG5ldyBFcnJvcihcbiAgICAgIGBJbnZhbGlkIEF6dXJlIEFEIGdyb3VwIG5hbWVzIGRldGVjdGVkOlxcbiR7aW52YWxpZEdyb3Vwcy5qb2luKCdcXG4nKX1cXG5cXG5gICtcbiAgICAgICdBenVyZSBBRCBibG9ja3MgZ3JvdXAgbmFtZXMgY29udGFpbmluZyByZXNlcnZlZCB3b3Jkcy4nLFxuICAgICk7XG4gIH1cbn1cblxuLy8gU0hBLTEgZmluZ2VycHJpbnQgb2YgRGlnaUNlcnQgR2xvYmFsIFJvb3QgRzIgKEF6dXJlIEFEIHJvb3QgQ0EpLiBTdGFibGUgMTAtMjAgeWVhcnMuXG5jb25zdCBBWlVSRV9BRF9USFVNQlBSSU5UID0gJzY5MzhmZDRkOThiYWIwM2ZhYWRiOTdiMzQzOTY4MzFlMzc4MGFlYTEnO1xuXG5leHBvcnQgaW50ZXJmYWNlIEFwcFNwZWMge1xuICByZWFkb25seSBuYW1lOiBzdHJpbmc7XG4gIHJlYWRvbmx5IGdyb3Vwcz86IHN0cmluZ1tdO1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIEF1dGhJbmZyYXN0cnVjdHVyZVByb3BzIHtcbiAgcmVhZG9ubHkgc3NtUGFyYW1QcmVmaXg/OiBzdHJpbmc7XG4gIHJlYWRvbmx5IHpvbmVOYW1lOiBzdHJpbmc7XG4gIHJlYWRvbmx5IHRlbmFudElkOiBzdHJpbmc7XG4gIHJlYWRvbmx5IGNsaWVudElkOiBzdHJpbmc7XG4gIHJlYWRvbmx5IG9hdXRoMkNhbGxiYWNrUm9sZU5hbWU6IHN0cmluZztcbiAgcmVhZG9ubHkgYXBwU3BlYzogQXBwU3BlYztcbiAgcmVhZG9ubHkgc2VjdXJpdHlBbGVydHNUb3BpY0Fybj86IHN0cmluZztcbiAgcmVhZG9ubHkgc2Vzc2lvblJldm9jYXRpb25Ub3BpY0Fybj86IHN0cmluZztcbiAgcmVhZG9ubHkgYXV0b1Jldm9rZU9uUmV1c2U/OiBib29sZWFuO1xuICByZWFkb25seSBqd3RDbGFpbXNXaGl0ZWxpc3Q/OiBzdHJpbmdbXTtcbiAgcmVhZG9ubHkgaG1hY1NlY3JldFJvdGF0aW9uU2NoZWR1bGU/OiBjb3JlLkR1cmF0aW9uO1xuICByZWFkb25seSBhdWRpdExvZ1JldGVudGlvbkRheXM/OiBudW1iZXI7XG4gIHJlYWRvbmx5IGF1ZGl0QXJjaGl2ZVJldGVudGlvbkRheXM/OiBudW1iZXI7XG4gIHJlYWRvbmx5IHJlbW92YWxQb2xpY3k/OiBjb3JlLlJlbW92YWxQb2xpY3k7XG59XG5cbmV4cG9ydCBjbGFzcyBBdXRoSW5mcmFzdHJ1Y3R1cmUgZXh0ZW5kcyBjb25zdHJ1Y3RzLkNvbnN0cnVjdCB7XG4gIHB1YmxpYyByZWFkb25seSBjb25maWdTZWNyZXRBcm46IHN0cmluZztcbiAgcHVibGljIHJlYWRvbmx5IGttc0tleUFybjogc3RyaW5nO1xuICBwdWJsaWMgcmVhZG9ubHkgYXV0aFRhYmxlQXJuOiBzdHJpbmc7XG4gIHB1YmxpYyByZWFkb25seSBrdnNBcm46IHN0cmluZztcbiAgcHVibGljIHJlYWRvbmx5IHRlbmFudElkOiBzdHJpbmc7XG4gIHB1YmxpYyByZWFkb25seSBjbGllbnRJZDogc3RyaW5nO1xuICBwdWJsaWMgcmVhZG9ubHkgb2F1dGgyQ2FsbGJhY2tSb2xlTmFtZTogc3RyaW5nO1xuICBwdWJsaWMgcmVhZG9ubHkgb2lkY1Byb3ZpZGVyOiBpYW0uSU9wZW5JZENvbm5lY3RQcm92aWRlcjtcblxuICBjb25zdHJ1Y3RvcihzY29wZTogY29uc3RydWN0cy5Db25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzOiBBdXRoSW5mcmFzdHJ1Y3R1cmVQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICBpZiAocHJvcHMuYXBwU3BlYy5ncm91cHMgJiYgcHJvcHMuYXBwU3BlYy5ncm91cHMubGVuZ3RoID4gMCkge1xuICAgICAgdmFsaWRhdGVHcm91cE5hbWVzKHByb3BzLmFwcFNwZWMuZ3JvdXBzKTtcbiAgICB9XG5cbiAgICB0aGlzLnRlbmFudElkID0gcHJvcHMudGVuYW50SWQ7XG4gICAgdGhpcy5jbGllbnRJZCA9IHByb3BzLmNsaWVudElkO1xuICAgIHRoaXMub2F1dGgyQ2FsbGJhY2tSb2xlTmFtZSA9IHByb3BzLm9hdXRoMkNhbGxiYWNrUm9sZU5hbWU7XG5cbiAgICBjb25zdCBhdXRoU2VjdXJpdHlUYWJsZSA9IG5ldyBBdXRoU2VjdXJpdHlUYWJsZSh0aGlzLCAnQXV0aFNlY3VyaXR5VGFibGUnLCB7XG4gICAgICB0YWJsZU5hbWU6IGBhdXRoLXNlY3VyaXR5LSR7cHJvcHMuem9uZU5hbWV9YCxcbiAgICAgIHJlbW92YWxQb2xpY3k6IHByb3BzLnJlbW92YWxQb2xpY3kgPz8gY29yZS5SZW1vdmFsUG9saWN5LlJFVEFJTixcbiAgICB9KTtcblxuICAgIGNvbnN0IHNlY3JldE1hbmFnZXIgPSBuZXcgQXV0aFNlY3JldE1hbmFnZXIodGhpcywgJ1NlY3JldE1hbmFnZXInLCB7XG4gICAgICBkb21haW5OYW1lOiBwcm9wcy56b25lTmFtZSxcbiAgICAgIHRhYmxlTmFtZTogYXV0aFNlY3VyaXR5VGFibGUudGFibGUudGFibGVOYW1lLFxuICAgICAgdGFibGVSZWdpb246IGNvcmUuU3RhY2sub2YodGhpcykucmVnaW9uLFxuICAgICAgYXp1cmVUZW5hbnRJZDogcHJvcHMudGVuYW50SWQsXG4gICAgICBhenVyZUNsaWVudElkOiBwcm9wcy5jbGllbnRJZCxcbiAgICAgIHN0c0F1ZGllbmNlOiAnYXBpOi8vQXp1cmVBRFRva2VuRXhjaGFuZ2UnLFxuICAgICAgc2VjdXJpdHlBbGVydHNUb3BpY0FybjogcHJvcHMuc2VjdXJpdHlBbGVydHNUb3BpY0FybixcbiAgICAgIGF1dG9SZXZva2VPblJldXNlOiBwcm9wcy5hdXRvUmV2b2tlT25SZXVzZSxcbiAgICAgIGp3dENsYWltc1doaXRlbGlzdDogcHJvcHMuand0Q2xhaW1zV2hpdGVsaXN0LFxuICAgIH0pO1xuXG4gICAgY29uc3QgYXVkaXRMb2dSZXRlbnRpb25EYXlzID0gcHJvcHMuYXVkaXRMb2dSZXRlbnRpb25EYXlzID8/IDMwO1xuICAgIGNvbnN0IGF1ZGl0QXJjaGl2ZVJldGVudGlvbkRheXMgPSBwcm9wcy5hdWRpdEFyY2hpdmVSZXRlbnRpb25EYXlzID8/IDM2NTtcblxuICAgIGNvbnN0IGxhbWJkYUZ1bmN0aW9ucyA9IG5ldyBBdXRoTGFtYmRhRnVuY3Rpb25zKHRoaXMsICdMYW1iZGFGdW5jdGlvbnMnLCB7XG4gICAgICBjb25maWdTZWNyZXQ6IHNlY3JldE1hbmFnZXIuY29uZmlnU2VjcmV0LFxuICAgICAga21zS2V5OiBzZWNyZXRNYW5hZ2VyLmttc0tleSxcbiAgICAgIGt2czogc2VjcmV0TWFuYWdlci5rdnMsXG4gICAgICBhdXRoVGFibGU6IGF1dGhTZWN1cml0eVRhYmxlLnRhYmxlLFxuICAgICAgcm90YXRpb25TY2hlZHVsZTogcHJvcHMuaG1hY1NlY3JldFJvdGF0aW9uU2NoZWR1bGUsXG4gICAgICBzZXNzaW9uUmV2b2NhdGlvblRvcGljQXJuOiBwcm9wcy5zZXNzaW9uUmV2b2NhdGlvblRvcGljQXJuLFxuICAgICAgbG9nUmV0ZW50aW9uRGF5czogYXVkaXRMb2dSZXRlbnRpb25EYXlzLFxuICAgIH0pO1xuXG4gICAgbmV3IEF1ZGl0TG9nQXJjaGl2ZSh0aGlzLCAnQXVkaXRMb2dBcmNoaXZlJywge1xuICAgICAgbG9nR3JvdXBOYW1lczogbGFtYmRhRnVuY3Rpb25zLmxvZ0dyb3Vwcy5tYXAobGcgPT4gbGcubG9nR3JvdXBOYW1lKSxcbiAgICAgIGttc0tleTogc2VjcmV0TWFuYWdlci5rbXNLZXksXG4gICAgICByZXRlbnRpb25EYXlzOiBhdWRpdExvZ1JldGVudGlvbkRheXMsXG4gICAgICBhcmNoaXZlUmV0ZW50aW9uRGF5czogYXVkaXRBcmNoaXZlUmV0ZW50aW9uRGF5cyxcbiAgICAgIGJ1Y2tldE5hbWU6IGBhdXRoLWF1ZGl0LWxvZ3MtJHtjb3JlLlN0YWNrLm9mKHRoaXMpLmFjY291bnR9LSR7Y29yZS5TdGFjay5vZih0aGlzKS5yZWdpb259YCxcbiAgICAgIGRhdGFiYXNlTmFtZTogJ2F1dGhfYXVkaXRfbG9ncycsXG4gICAgICByZW1vdmFsUG9saWN5OiBwcm9wcy5yZW1vdmFsUG9saWN5ID8/IGNvcmUuUmVtb3ZhbFBvbGljeS5SRVRBSU4sXG4gICAgfSk7XG5cbiAgICBjb25zdCBvaWRjUHJvdmlkZXIgPSBuZXcgaWFtLk9wZW5JZENvbm5lY3RQcm92aWRlcih0aGlzLCAnT2lkY1Byb3ZpZGVyJywge1xuICAgICAgdXJsOiBgaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLyR7cHJvcHMudGVuYW50SWR9L3YyLjBgLFxuICAgICAgY2xpZW50SWRzOiBbcHJvcHMuY2xpZW50SWRdLFxuICAgICAgdGh1bWJwcmludHM6IFtBWlVSRV9BRF9USFVNQlBSSU5UXSxcbiAgICB9KTtcblxuICAgIHRoaXMuY29uZmlnU2VjcmV0QXJuID0gc2VjcmV0TWFuYWdlci5jb25maWdTZWNyZXQuc2VjcmV0QXJuO1xuICAgIHRoaXMua21zS2V5QXJuID0gc2VjcmV0TWFuYWdlci5rbXNLZXkua2V5QXJuO1xuICAgIHRoaXMuYXV0aFRhYmxlQXJuID0gYXV0aFNlY3VyaXR5VGFibGUudGFibGUudGFibGVBcm47XG4gICAgdGhpcy5rdnNBcm4gPSBzZWNyZXRNYW5hZ2VyLmt2cy5rZXlWYWx1ZVN0b3JlQXJuO1xuICAgIHRoaXMub2lkY1Byb3ZpZGVyID0gb2lkY1Byb3ZpZGVyO1xuXG4gICAgY29uc3QgcHJlZml4ID0gcHJvcHMuc3NtUGFyYW1QcmVmaXggPz8gYC9hdXRoLyR7cHJvcHMuem9uZU5hbWV9YDtcblxuICAgIG5ldyBTc21Dcm9zc1JlZ2lvbldyaXRlcih0aGlzLCAnU3NtV3JpdGVyJywge1xuICAgICAgcHJlZml4OiBwcmVmaXgsXG4gICAgICByZWdpb246ICd1cy1lYXN0LTEnLFxuICAgICAgcGFyYW1zOiB7XG4gICAgICAgIGNvbmZpZ1NlY3JldEFybjogc2VjcmV0TWFuYWdlci5jb25maWdTZWNyZXQuc2VjcmV0QXJuLFxuICAgICAgICBrbXNLZXlBcm46IHNlY3JldE1hbmFnZXIua21zS2V5LmtleUFybixcbiAgICAgICAgYXV0aFRhYmxlQXJuOiBhdXRoU2VjdXJpdHlUYWJsZS50YWJsZS50YWJsZUFybixcbiAgICAgICAga3ZzQXJuOiBzZWNyZXRNYW5hZ2VyLmt2cy5rZXlWYWx1ZVN0b3JlQXJuLFxuICAgICAgICB0ZW5hbnRJZDogcHJvcHMudGVuYW50SWQsXG4gICAgICAgIGNsaWVudElkOiBwcm9wcy5jbGllbnRJZCxcbiAgICAgICAgb2F1dGgyQ2FsbGJhY2tSb2xlTmFtZTogcHJvcHMub2F1dGgyQ2FsbGJhY2tSb2xlTmFtZSxcbiAgICAgIH0sXG4gICAgfSk7XG4gIH1cbn1cbiJdfQ==

package/lib/cloudfront/patterns/cognito-secured-cloudfront.d.ts

@@ -0,0 +1,36 @@
+import { aws_cloudfront as cloudfront } from 'aws-cdk-lib';
+import * as constructs from 'constructs';
+import { Extension, ExtensionConfig, AddBehaviorOptions } from './securedCloudFront';
+export interface CognitoCloudFrontProps<TRole extends string = string> {
+    readonly defaultBehavior: Omit<cloudfront.BehaviorOptions, 'functionAssociations'>;
+    readonly domainNames: string[];
+    readonly certificate: any;
+    readonly authSsmParamPrefix: string;
+    readonly authRegion: string;
+    readonly defaultExtensions?: Extension[];
+    readonly defaultExtensionConfig?: ExtensionConfig<TRole>;
+    readonly defaultRootObject?: string;
+    readonly errorResponsePagePath?: string;
+    readonly enableUserInfoInjection?: boolean;
+    readonly userInfoNameFields?: string[];
+}
+export declare class CognitoSecuredCloudFront<TRole extends string = string> extends constructs.Construct {
+    readonly distribution: cloudfront.Distribution;
+    private readonly authCheckFunction;
+    private readonly userInfoFunction?;
+    private readonly functionComposer;
+    private readonly composedFunctions;
+    private lastCreatedFunction;
+    private readonly tlsOriginRequestPolicy;
+    private readonly cognitoDomain;
+    private readonly clientId;
+    private readonly redirectUri;
+    private readonly kvs;
+    constructor(scope: constructs.Construct, id: string, props: CognitoCloudFrontProps<TRole>);
+    addBehavior(pathPattern: string, origin: cloudfront.IOrigin, options?: AddBehaviorOptions<TRole>): void;
+    private buildFunctionAssociations;
+    private generateFunctionCacheKey;
+    private generateFunctionId;
+    private buildAuthCheckCode;
+    private loadAndReplaceUserInfoCode;
+}