samlesa 2.12.3

package/build/src/flow.js

@@ -0,0 +1,320 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.flow = flow;
+const utility_js_1 = require("./utility.js");
+const validator_js_1 = require("./validator.js");
+const libsaml_js_1 = __importDefault(require("./libsaml.js"));
+const extractor_js_1 = require("./extractor.js");
+const urn_js_1 = require("./urn.js");
+const bindDict = urn_js_1.wording.binding;
+const urlParams = urn_js_1.wording.urlParams;
+// get the default extractor fields based on the parserType
+function getDefaultExtractorFields(parserType, assertion) {
+    switch (parserType) {
+        case urn_js_1.ParserType.SAMLRequest:
+            return extractor_js_1.loginRequestFields;
+        case urn_js_1.ParserType.SAMLResponse:
+            if (!assertion) {
+                // unexpected hit
+                throw new Error('ERR_EMPTY_ASSERTION');
+            }
+            return (0, extractor_js_1.loginResponseFields)(assertion);
+        case urn_js_1.ParserType.LogoutRequest:
+            return extractor_js_1.logoutRequestFields;
+        case urn_js_1.ParserType.LogoutResponse:
+            return extractor_js_1.logoutResponseFields;
+        default:
+            throw new Error('ERR_UNDEFINED_PARSERTYPE');
+    }
+}
+// proceed the redirect binding flow
+async function redirectFlow(options) {
+    const { request, parserType, self, checkSignature = true, from } = options;
+    const { query, octetString } = request;
+    const { SigAlg: sigAlg, Signature: signature } = query;
+    const targetEntityMetadata = from.entityMeta;
+    // ?SAMLRequest= or ?SAMLResponse=
+    const direction = libsaml_js_1.default.getQueryParamByType(parserType);
+    const content = query[direction];
+    // query must contain the saml content
+    if (content === undefined) {
+        return Promise.reject('ERR_REDIRECT_FLOW_BAD_ARGS');
+    }
+    const xmlString = (0, utility_js_1.inflateString)(decodeURIComponent(content));
+    // validate the xml
+    try {
+        await libsaml_js_1.default.isValidXml(xmlString);
+    }
+    catch (e) {
+        return Promise.reject('ERR_INVALID_XML');
+    }
+    // check status based on different scenarios
+    await checkStatus(xmlString, parserType);
+    let assertion = '';
+    if (parserType === urlParams.samlResponse) {
+        // Extract assertion shortcut
+        const verifiedDoc = (0, extractor_js_1.extract)(xmlString, [{
+                key: 'assertion',
+                localPath: ['~Response', 'Assertion'],
+                attributes: [],
+                context: true
+            }]);
+        if (verifiedDoc && verifiedDoc.assertion) {
+            assertion = verifiedDoc.assertion;
+        }
+    }
+    const extractorFields = getDefaultExtractorFields(parserType, assertion.length > 0 ? assertion : null);
+    const parseResult = {
+        samlContent: xmlString,
+        sigAlg: null,
+        extract: (0, extractor_js_1.extract)(xmlString, extractorFields),
+    };
+    // see if signature check is required
+    // only verify message signature is enough
+    if (checkSignature) {
+        if (!signature || !sigAlg) {
+            return Promise.reject('ERR_MISSING_SIG_ALG');
+        }
+        // put the below two assignments into verifyMessageSignature function
+        const base64Signature = Buffer.from(decodeURIComponent(signature), 'base64');
+        const decodeSigAlg = decodeURIComponent(sigAlg);
+        const verified = libsaml_js_1.default.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg);
+        if (!verified) {
+            // Fail to verify message signature
+            return Promise.reject('ERR_FAILED_MESSAGE_SIGNATURE_VERIFICATION');
+        }
+        parseResult.sigAlg = decodeSigAlg;
+    }
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+        && extractedProperties
+        && extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
+    }
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.sessionIndex.sessionNotOnOrAfter
+        && !(0, validator_js_1.verifyTime)(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    // invalid time
+    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.conditions
+        && !(0, validator_js_1.verifyTime)(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+    }
+    return Promise.resolve(parseResult);
+}
+// proceed the post flow
+async function postFlow(options) {
+    const { request, from, self, parserType, checkSignature = true } = options;
+    const { body } = request;
+    const direction = libsaml_js_1.default.getQueryParamByType(parserType);
+    const encodedRequest = body[direction];
+    let samlContent = String((0, utility_js_1.base64Decode)(encodedRequest));
+    const verificationOptions = {
+        metadata: from.entityMeta,
+        signatureAlgorithm: from.entitySetting.requestSignatureAlgorithm,
+    };
+    const decryptRequired = from.entitySetting.isAssertionEncrypted;
+    let extractorFields = [];
+    // validate the xml first
+    await libsaml_js_1.default.isValidXml(samlContent);
+    if (parserType !== urlParams.samlResponse) {
+        extractorFields = getDefaultExtractorFields(parserType, null);
+    }
+    // check status based on different scenarios
+    await checkStatus(samlContent, parserType);
+    // verify the signatures (the response is encrypted then signed, then verify first then decrypt)
+    if (checkSignature &&
+        from.entitySetting.messageSigningOrder === urn_js_1.MessageSignatureOrder.ETS) {
+        const [verified, verifiedAssertionNode] = libsaml_js_1.default.verifySignature(samlContent, verificationOptions);
+        if (!verified) {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_ETS_SIGNATURE');
+        }
+        if (!decryptRequired) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+    }
+    if (parserType === 'SAMLResponse' && decryptRequired) {
+        const result = await libsaml_js_1.default.decryptAssertion(self, samlContent);
+        samlContent = result[0];
+        extractorFields = getDefaultExtractorFields(parserType, result[1]);
+    }
+    // verify the signatures (the response is signed then encrypted, then decrypt first then verify)
+    if (checkSignature &&
+        from.entitySetting.messageSigningOrder === urn_js_1.MessageSignatureOrder.STE) {
+        const [verified, verifiedAssertionNode] = libsaml_js_1.default.verifySignature(samlContent, verificationOptions);
+        if (verified) {
+            extractorFields = getDefaultExtractorFields(parserType, verifiedAssertionNode);
+        }
+        else {
+            return Promise.reject('ERR_FAIL_TO_VERIFY_STE_SIGNATURE');
+        }
+    }
+    const parseResult = {
+        samlContent: samlContent,
+        extract: (0, extractor_js_1.extract)(samlContent, extractorFields),
+    };
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const targetEntityMetadata = from.entityMeta;
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+        && extractedProperties
+        && extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
+    }
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.sessionIndex.sessionNotOnOrAfter
+        && !(0, validator_js_1.verifyTime)(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    // invalid time
+    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.conditions
+        && !(0, validator_js_1.verifyTime)(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+    }
+    return Promise.resolve(parseResult);
+}
+// proceed the post simple sign binding flow
+async function postSimpleSignFlow(options) {
+    const { request, parserType, self, checkSignature = true, from } = options;
+    const { body, octetString } = request;
+    const targetEntityMetadata = from.entityMeta;
+    // ?SAMLRequest= or ?SAMLResponse=
+    const direction = libsaml_js_1.default.getQueryParamByType(parserType);
+    const encodedRequest = body[direction];
+    const sigAlg = body['SigAlg'];
+    const signature = body['Signature'];
+    // query must contain the saml content
+    if (encodedRequest === undefined) {
+        return Promise.reject('ERR_SIMPLESIGN_FLOW_BAD_ARGS');
+    }
+    const xmlString = String((0, utility_js_1.base64Decode)(encodedRequest));
+    // validate the xml
+    try {
+        await libsaml_js_1.default.isValidXml(xmlString);
+    }
+    catch (e) {
+        return Promise.reject('ERR_INVALID_XML');
+    }
+    // check status based on different scenarios
+    await checkStatus(xmlString, parserType);
+    let assertion = '';
+    if (parserType === urlParams.samlResponse) {
+        // Extract assertion shortcut
+        const verifiedDoc = (0, extractor_js_1.extract)(xmlString, [{
+                key: 'assertion',
+                localPath: ['~Response', 'Assertion'],
+                attributes: [],
+                context: true
+            }]);
+        if (verifiedDoc && verifiedDoc.assertion) {
+            assertion = verifiedDoc.assertion;
+        }
+    }
+    const extractorFields = getDefaultExtractorFields(parserType, assertion.length > 0 ? assertion : null);
+    const parseResult = {
+        samlContent: xmlString,
+        sigAlg: null,
+        extract: (0, extractor_js_1.extract)(xmlString, extractorFields),
+    };
+    // see if signature check is required
+    // only verify message signature is enough
+    if (checkSignature) {
+        if (!signature || !sigAlg) {
+            return Promise.reject('ERR_MISSING_SIG_ALG');
+        }
+        // put the below two assignments into verifyMessageSignature function
+        const base64Signature = Buffer.from(signature, 'base64');
+        const verified = libsaml_js_1.default.verifyMessageSignature(targetEntityMetadata, octetString, base64Signature, sigAlg);
+        if (!verified) {
+            // Fail to verify message signature
+            return Promise.reject('ERR_FAILED_MESSAGE_SIGNATURE_VERIFICATION');
+        }
+        parseResult.sigAlg = sigAlg;
+    }
+    /**
+     *  Validation part: validate the context of response after signature is verified and decrypted (optional)
+     */
+    const issuer = targetEntityMetadata.getEntityID();
+    const extractedProperties = parseResult.extract;
+    // unmatched issuer
+    if ((parserType === 'LogoutResponse' || parserType === 'SAMLResponse')
+        && extractedProperties
+        && extractedProperties.issuer !== issuer) {
+        return Promise.reject('ERR_UNMATCH_ISSUER');
+    }
+    // invalid session time
+    // only run the verifyTime when `SessionNotOnOrAfter` exists
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.sessionIndex.sessionNotOnOrAfter
+        && !(0, validator_js_1.verifyTime)(undefined, extractedProperties.sessionIndex.sessionNotOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_EXPIRED_SESSION');
+    }
+    // invalid time
+    // 2.4.1.2 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+    if (parserType === 'SAMLResponse'
+        && extractedProperties.conditions
+        && !(0, validator_js_1.verifyTime)(extractedProperties.conditions.notBefore, extractedProperties.conditions.notOnOrAfter, self.entitySetting.clockDrifts)) {
+        return Promise.reject('ERR_SUBJECT_UNCONFIRMED');
+    }
+    return Promise.resolve(parseResult);
+}
+function checkStatus(content, parserType) {
+    // only check response parser
+    if (parserType !== urlParams.samlResponse && parserType !== urlParams.logoutResponse) {
+        return Promise.resolve('SKIPPED');
+    }
+    const fields = parserType === urlParams.samlResponse
+        ? extractor_js_1.loginResponseStatusFields
+        : extractor_js_1.logoutResponseStatusFields;
+    const { top, second } = (0, extractor_js_1.extract)(content, fields);
+    // only resolve when top-tier status code is success
+    if (top === urn_js_1.StatusCode.Success) {
+        return Promise.resolve('OK');
+    }
+    if (!top) {
+        throw new Error('ERR_UNDEFINED_STATUS');
+    }
+    // returns a detailed error for two-tier error code
+    throw new Error(`ERR_FAILED_STATUS with top tier code: ${top}, second tier code: ${second}`);
+}
+function flow(options) {
+    const binding = options.binding;
+    const parserType = options.parserType;
+    options.supportBindings = [urn_js_1.BindingNamespace.Redirect, urn_js_1.BindingNamespace.Post, urn_js_1.BindingNamespace.SimpleSign];
+    // saml response  allows POST, REDIRECT
+    if (parserType === urn_js_1.ParserType.SAMLResponse) {
+        options.supportBindings = [urn_js_1.BindingNamespace.Post, urn_js_1.BindingNamespace.Redirect, urn_js_1.BindingNamespace.SimpleSign];
+    }
+    if (binding === bindDict.post) {
+        return postFlow(options);
+    }
+    if (binding === bindDict.redirect) {
+        return redirectFlow(options);
+    }
+    if (binding === bindDict.simpleSign) {
+        return postSimpleSignFlow(options);
+    }
+    return Promise.reject('ERR_UNEXPECTED_FLOW');
+}
+//# sourceMappingURL=flow.js.map

package/build/src/flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flow.js","sourceRoot":"","sources":["../../src/flow.ts"],"names":[],"mappings":";;;;;AAybA,oBAyBC;AAldD,6CAA2D;AAC3D,iDAA4C;AAC5C,8DAAmC;AACnC,iDASwB;AAExB,qCAMkB;AAElB,MAAM,QAAQ,GAAG,gBAAO,CAAC,OAAO,CAAC;AACjC,MAAM,SAAS,GAAG,gBAAO,CAAC,SAAS,CAAC;AAQpC,2DAA2D;AAC3D,SAAS,yBAAyB,CAAC,UAAsB,EAAE,SAAe;IACxE,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,mBAAU,CAAC,WAAW;YACzB,OAAO,iCAAkB,CAAC;QAC5B,KAAK,mBAAU,CAAC,YAAY;YAC1B,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,iBAAiB;gBACjB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC;YACD,OAAO,IAAA,kCAAmB,EAAC,SAAS,CAAC,CAAC;QACxC,KAAK,mBAAU,CAAC,aAAa;YAC3B,OAAO,kCAAmB,CAAC;QAC7B,KAAK,mBAAU,CAAC,cAAc;YAC5B,OAAO,mCAAoB,CAAC;QAC9B;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED,oCAAoC;AACpC,KAAK,UAAU,YAAY,CAAC,OAAO;IAEjC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IAC3E,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC;IAEvD,MAAM,oBAAoB,GAAG,IAAI,CAAC,UAAU,CAAC;IAE7C,kCAAkC;IAClC,MAAM,SAAS,GAAG,oBAAO,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;IAEjC,sCAAsC;IACtC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,MAAM,CAAC,4BAA4B,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,0BAAa,EAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IAE7D,mBAAmB;IACnB,IAAI,CAAC;QACH,MAAM,oBAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC3C,CAAC;IAED,4CAA4C;IAC5C,MAAM,WAAW,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEzC,IAAI,SAAS,GAAW,EAAE,CAAC;IAE3B,IAAI,UAAU,KAAK,SAAS,CAAC,YAAY,EAAC,CAAC;QACzC,6BAA6B;QAC7B,MAAM,WAAW,GAAG,IAAA,sBAAO,EAAC,SAAS,EAAE,CAAC;gBACtC,GAAG,EAAE,WAAW;gBAChB,SAAS,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC;gBACrC,UAAU,EAAE,EAAE;gBACd,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,CAAC;QACJ,IAAI,WAAW,IAAI,WAAW,CAAC,SAAS,EAAC,CAAC;YACxC,SAAS,GAAG,WAAW,CAAC,SAAmB,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,yBAAyB,CAAC,UAAU,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAEvG,MAAM,WAAW,GAAmE;QAClF,WAAW,EAAE,SAAS;QACtB,MAAM,EAAE,IAAI;QACZ,OAAO,EAAE,IAAA,sBAAO,EAAC,SAAS,EAAE,eAAe,CAAC;KAC7C,CAAC;IAEF,qCAAqC;IACrC,0CAA0C;IAC1C,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1B,OAAO,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;QAC/C,CAAC;QAED,qEAAqE;QACrE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC7E,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,oBAAO,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;QAE5G,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,mCAAmC;YACnC,OAAO,OAAO,CAAC,MAAM,CAAC,2CAA2C,CAAC,CAAC;QACrE,CAAC;QAED,WAAW,CAAC,MAAM,GAAG,YAAY,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,MAAM,MAAM,GAAG,oBAAoB,CAAC,WAAW,EAAE,CAAC;IAClD,MAAM,mBAAmB,GAAG,WAAW,CAAC,OAAO,CAAC;IAEhD,mBAAmB;IACnB,IACE,CAAC,UAAU,KAAK,gBAAgB,IAAI,UAAU,KAAK,cAAc,CAAC;WAC/D,mBAAmB;WACnB,mBAAmB,CAAC,MAAM,KAAK,MAAM,EACxC,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAuB;IACvB,4DAA4D;IAC5D,IACE,UAAU,KAAK,cAAc;WAC1B,mBAAmB,CAAC,YAAY,CAAC,mBAAmB;WACpD,CAAC,IAAA,yBAAU,EACZ,SAAS,EACT,mBAAmB,CAAC,YAAY,CAAC,mBAAmB,EACpD,IAAI,CAAC,aAAa,CAAC,WAAW,CAC/B,EACD,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC/C,CAAC;IAED,eAAe;IACf,8EAA8E;IAC9E,IACE,UAAU,KAAK,cAAc;WAC1B,mBAAmB,CAAC,UAAU;WAC9B,CAAC,IAAA,yBAAU,EACZ,mBAAmB,CAAC,UAAU,CAAC,SAAS,EACxC,mBAAmB,CAAC,UAAU,CAAC,YAAY,EAC3C,IAAI,CAAC,aAAa,CAAC,WAAW,CAC/B,EACD,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;AACtC,CAAC;AAED,wBAAwB;AACxB,KAAK,UAAU,QAAQ,CAAC,OAAO;IAE7B,MAAM,EACJ,OAAO,EACP,IAAI,EACJ,IAAI,EACJ,UAAU,EACV,cAAc,GAAG,IAAI,EACtB,GAAG,OAAO,CAAC;IAEZ,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IAEzB,MAAM,SAAS,GAAG,oBAAO,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;IAEvC,IAAI,WAAW,GAAG,MAAM,CAAC,IAAA,yBAAY,EAAC,cAAc,CAAC,CAAC,CAAC;IAEvD,MAAM,mBAAmB,GAAG;QAC1B,QAAQ,EAAE,IAAI,CAAC,UAAU;QACzB,kBAAkB,EAAE,IAAI,CAAC,aAAa,CAAC,yBAAyB;KACjE,CAAC;IAEF,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,CAAC,oBAAoB,CAAC;IAChE,IAAI,eAAe,GAAoB,EAAE,CAAC;IAE1C,yBAAyB;IACzB,MAAM,oBAAO,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;IAEtC,IAAI,UAAU,KAAK,SAAS,CAAC,YAAY,EAAE,CAAC;QAC1C,eAAe,GAAG,yBAAyB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAChE,CAAC;IAED,4CAA4C;IAC5C,MAAM,WAAW,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAE3C,gGAAgG;IAChG,IACE,cAAc;QACd,IAAI,CAAC,aAAa,CAAC,mBAAmB,KAAK,8BAAqB,CAAC,GAAG,EACpE,CAAC;QACD,MAAM,CAAC,QAAQ,EAAE,qBAAqB,CAAC,GAAG,oBAAO,CAAC,eAAe,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;QACpG,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,OAAO,CAAC,MAAM,CAAC,kCAAkC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,eAAe,GAAG,yBAAyB,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IAED,IAAI,UAAU,KAAK,cAAc,IAAI,eAAe,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,MAAM,oBAAO,CAAC,gBAAgB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjE,WAAW,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACxB,eAAe,GAAG,yBAAyB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,gGAAgG;IAChG,IACE,cAAc;QACd,IAAI,CAAC,aAAa,CAAC,mBAAmB,KAAK,8BAAqB,CAAC,GAAG,EACpE,CAAC;QACD,MAAM,CAAC,QAAQ,EAAE,qBAAqB,CAAC,GAAG,oBAAO,CAAC,eAAe,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;QACpG,IAAI,QAAQ,EAAE,CAAC;YACb,eAAe,GAAG,yBAAyB,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;QACjF,CAAC;aAAM,CAAC;YACN,OAAO,OAAO,CAAC,MAAM,CAAC,kCAAkC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG;QAClB,WAAW,EAAE,WAAW;QACxB,OAAO,EAAE,IAAA,sBAAO,EAAC,WAAW,EAAE,eAAe,CAAC;KAC/C,CAAC;IAEF;;OAEG;IACH,MAAM,oBAAoB,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7C,MAAM,MAAM,GAAG,oBAAoB,CAAC,WAAW,EAAE,CAAC;IAClD,MAAM,mBAAmB,GAAG,WAAW,CAAC,OAAO,CAAC;IAEhD,mBAAmB;IACnB,IACE,CAAC,UAAU,KAAK,gBAAgB,IAAI,UAAU,KAAK,cAAc,CAAC;WAC/D,mBAAmB;WACnB,mBAAmB,CAAC,MAAM,KAAK,MAAM,EACxC,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAuB;IACvB,4DAA4D;IAC5D,IACE,UAAU,KAAK,cAAc;WAC1B,mBAAmB,CAAC,YAAY,CAAC,mBAAmB;WACpD,CAAC,IAAA,yBAAU,EACZ,SAAS,EACT,mBAAmB,CAAC,YAAY,CAAC,mBAAmB,EACpD,IAAI,CAAC,aAAa,CAAC,WAAW,CAC/B,EACD,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC/C,CAAC;IAED,eAAe;IACf,8EAA8E;IAC9E,IACE,UAAU,KAAK,cAAc;WAC1B,mBAAmB,CAAC,UAAU;WAC9B,CAAC,IAAA,yBAAU,EACZ,mBAAmB,CAAC,UAAU,CAAC,SAAS,EACxC,mBAAmB,CAAC,UAAU,CAAC,YAAY,EAC3C,IAAI,CAAC,aAAa,CAAC,WAAW,CAC/B,EACD,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;AACtC,CAAC;AAGD,4CAA4C;AAC5C,KAAK,UAAU,kBAAkB,CAAC,OAAO;IAEvC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,GAAG,IAAI,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IAE3E,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAEtC,MAAM,oBAAoB,GAAG,IAAI,CAAC,UAAU,CAAC;IAE7C,kCAAkC;IAClC,MAAM,SAAS,GAAG,oBAAO,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,MAAM,cAAc,GAAW,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAW,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,SAAS,GAAW,IAAI,CAAC,WAAW,CAAC,CAAC;IAE5C,sCAAsC;IACtC,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,OAAO,CAAC,MAAM,CAAC,8BAA8B,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAA,yBAAY,EAAC,cAAc,CAAC,CAAC,CAAC;IAEvD,mBAAmB;IACnB,IAAI,CAAC;QACH,MAAM,oBAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC3C,CAAC;IAED,4CAA4C;IAC5C,MAAM,WAAW,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEzC,IAAI,SAAS,GAAW,EAAE,CAAC;IAE3B,IAAI,UAAU,KAAK,SAAS,CAAC,YAAY,EAAC,CAAC;QACzC,6BAA6B;QAC7B,MAAM,WAAW,GAAG,IAAA,sBAAO,EAAC,SAAS,EAAE,CAAC;gBACtC,GAAG,EAAE,WAAW;gBAChB,SAAS,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC;gBACrC,UAAU,EAAE,EAAE;gBACd,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,CAAC;QACJ,IAAI,WAAW,IAAI,WAAW,CAAC,SAAS,EAAC,CAAC;YACxC,SAAS,GAAG,WAAW,CAAC,SAAmB,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,yBAAyB,CAAC,UAAU,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAEvG,MAAM,WAAW,GAAmE;QAClF,WAAW,EAAE,SAAS;QACtB,MAAM,EAAE,IAAI;QACZ,OAAO,EAAE,IAAA,sBAAO,EAAC,SAAS,EAAE,eAAe,CAAC;KAC7C,CAAC;IAEF,qCAAqC;IACrC,0CAA0C;IAC1C,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC,SAAS,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1B,OAAO,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;QAC/C,CAAC;QAED,qEAAqE;QACrE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAEzD,MAAM,QAAQ,GAAG,oBAAO,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;QAE5G,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,mCAAmC;YACnC,OAAO,OAAO,CAAC,MAAM,CAAC,2CAA2C,CAAC,CAAC;QACrE,CAAC;QAED,WAAW,CAAC,MAAM,GAAG,MAAM,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,MAAM,MAAM,GAAG,oBAAoB,CAAC,WAAW,EAAE,CAAC;IAClD,MAAM,mBAAmB,GAAG,WAAW,CAAC,OAAO,CAAC;IAEhD,mBAAmB;IACnB,IACE,CAAC,UAAU,KAAK,gBAAgB,IAAI,UAAU,KAAK,cAAc,CAAC;WAC/D,mBAAmB;WACnB,mBAAmB,CAAC,MAAM,KAAK,MAAM,EACxC,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAuB;IACvB,4DAA4D;IAC5D,IACE,UAAU,KAAK,cAAc;WAC1B,mBAAmB,CAAC,YAAY,CAAC,mBAAmB;WACpD,CAAC,IAAA,yBAAU,EACZ,SAAS,EACT,mBAAmB,CAAC,YAAY,CAAC,mBAAmB,EACpD,IAAI,CAAC,aAAa,CAAC,WAAW,CAC/B,EACD,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC/C,CAAC;IAED,eAAe;IACf,8EAA8E;IAC9E,IACE,UAAU,KAAK,cAAc;WAC1B,mBAAmB,CAAC,UAAU;WAC9B,CAAC,IAAA,yBAAU,EACZ,mBAAmB,CAAC,UAAU,CAAC,SAAS,EACxC,mBAAmB,CAAC,UAAU,CAAC,YAAY,EAC3C,IAAI,CAAC,aAAa,CAAC,WAAW,CAC/B,EACD,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;AACtC,CAAC;AAGD,SAAS,WAAW,CAAC,OAAe,EAAE,UAAkB;IAEtD,6BAA6B;IAC7B,IAAI,UAAU,KAAK,SAAS,CAAC,YAAY,IAAI,UAAU,KAAK,SAAS,CAAC,cAAc,EAAE,CAAC;QACrF,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,KAAK,SAAS,CAAC,YAAY;QAClD,CAAC,CAAC,wCAAyB;QAC3B,CAAC,CAAC,yCAA0B,CAAC;IAE/B,MAAM,EAAC,GAAG,EAAE,MAAM,EAAC,GAAG,IAAA,sBAAO,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE/C,oDAAoD;IACpD,IAAI,GAAG,KAAK,mBAAU,CAAC,OAAO,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,mDAAmD;IACnD,MAAM,IAAI,KAAK,CAAC,yCAAyC,GAAG,uBAAuB,MAAM,EAAE,CAAC,CAAC;AAC/F,CAAC;AAED,SAAgB,IAAI,CAAC,OAAO;IAE1B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAEtC,OAAO,CAAC,eAAe,GAAG,CAAC,yBAAgB,CAAC,QAAQ,EAAE,yBAAgB,CAAC,IAAI,EAAE,yBAAgB,CAAC,UAAU,CAAC,CAAC;IAC1G,uCAAuC;IACvC,IAAI,UAAU,KAAK,mBAAU,CAAC,YAAY,EAAE,CAAC;QAC3C,OAAO,CAAC,eAAe,GAAG,CAAC,yBAAgB,CAAC,IAAI,EAAE,yBAAgB,CAAC,QAAQ,EAAE,yBAAgB,CAAC,UAAU,CAAC,CAAC;IAC5G,CAAC;IAED,IAAI,OAAO,KAAK,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,IAAI,OAAO,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAClC,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,OAAO,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;AAE/C,CAAC"}