copyparty 1.10.2__py3-none-any.whl → 1.11.1__py3-none-any.whl

copyparty/authsrv.py

@@ -18,7 +18,6 @@ from .cfg import flagdescs, permdescs, vf_bmap, vf_cmap, vf_vmap
 from .pwhash import PWHash
 from .util import (
     IMPLICATIONS,
-    META_NOBOTS,
     SQLITE_VER,
     UNPLICATIONS,
     UTC,
@@ -34,6 +33,7 @@ from .util import (
     uncyg,
     undot,
     unhumanize,
+    vsplit,
 )
 
 if TYPE_CHECKING:
@@ -54,6 +54,10 @@ BAD_CFG = "invalid config; {}".format(SEE_LOG)
 SBADCFG = " ({})".format(BAD_CFG)
 
 
+class CfgEx(Exception):
+    pass
+
+
 class AXS(object):
     def __init__(
         self,
@@ -773,6 +777,20 @@ class AuthSrv(object):
         self.line_ctr = 0
         self.indent = ""
 
+        # fwd-decl
+        self.vfs = VFS(log_func, "", "", AXS(), {})
+        self.acct   = {}
+        self.iacct   = {}
+        self.grps   = {}
+        self.re_pwd  = None
+
+        # all volumes observed since last restart
+        self.idp_vols   = {}  # vpath->abspath
+
+        # all users/groups observed since last restart
+        self.idp_accs   = {}  # username->groupnames
+        self.idp_usr_gh   = {}  # username->group-header-value (cache)
+
         self.mutex = threading.Lock()
         self.reload()
 
@@ -790,6 +808,86 @@ class AuthSrv(object):
 
         yield prev, True
 
+    def idp_checkin(
+        self, broker , uname , gname 
+    )  :
+        if uname in self.acct:
+            return False
+
+        if self.idp_usr_gh.get(uname) == gname:
+            return False
+
+        gnames = [x.strip() for x in self.args.idp_gsep.split(gname)]
+        gnames.sort()
+
+        with self.mutex:
+            self.idp_usr_gh[uname] = gname
+            if self.idp_accs.get(uname) == gnames:
+                return False
+
+            self.idp_accs[uname] = gnames
+
+            t = "reinitializing due to new user from IdP: [%s:%s]"
+            self.log(t % (uname, gnames), 3)
+
+            if not broker:
+                # only true for tests
+                self._reload()
+                return True
+
+        broker.ask("_reload_blocking", False).get()
+        return True
+
+    def _map_volume_idp(
+        self,
+        src ,
+        dst ,
+        mount  ,
+        daxs  ,
+        mflags   ,
+        un_gns  ,
+    )     :
+        ret     = []
+        visited = set()
+        src0 = src  # abspath
+        dst0 = dst  # vpath
+
+        un_gn = [(un, gn) for un, gns in un_gns.items() for gn in gns]
+        if not un_gn:
+            # ensure volume creation if there's no users
+            un_gn = [("", "")]
+
+        for un, gn in un_gn:
+            # if ap/vp has a user/group placeholder, make sure to keep
+            # track so the same user/gruop is mapped when setting perms;
+            # otherwise clear un/gn to indicate it's a regular volume
+
+            src1 = src0.replace("${u}", un or "\n")
+            dst1 = dst0.replace("${u}", un or "\n")
+            if src0 == src1 and dst0 == dst1:
+                un = ""
+
+            src = src1.replace("${g}", gn or "\n")
+            dst = dst1.replace("${g}", gn or "\n")
+            if src == src1 and dst == dst1:
+                gn = ""
+
+            if "\n" in (src + dst):
+                continue
+
+            label = "%s\n%s" % (src, dst)
+            if label in visited:
+                continue
+            visited.add(label)
+
+            src, dst = self._map_volume(src, dst, mount, daxs, mflags)
+            if src:
+                ret.append((src, dst, un, gn))
+                if un or gn:
+                    self.idp_vols[dst] = src
+
+        return ret
+
     def _map_volume(
         self,
         src ,
@@ -797,7 +895,11 @@ class AuthSrv(object):
         mount  ,
         daxs  ,
         mflags   ,
-    )  :
+    )   :
+        src = os.path.expandvars(os.path.expanduser(src))
+        src = absreal(src)
+        dst = dst.strip("/")
+
         if dst in mount:
             t = "multiple filesystem-paths mounted at [/{}]:\n  [{}]\n  [{}]"
             self.log(t.format(dst, mount[dst], src), c=1)
@@ -818,6 +920,7 @@ class AuthSrv(object):
         mount[dst] = src
         daxs[dst] = AXS()
         mflags[dst] = {}
+        return (src, dst)
 
     def _e(self, desc  = None)  :
         if not self.args.vc or not self.line_ctr:
@@ -845,31 +948,76 @@ class AuthSrv(object):
 
         self.log(t.format(self.line_ctr, c, self.indent, ln, desc))
 
+    def _all_un_gn(
+        self,
+        acct  ,
+        grps  ,
+    )   :
+        """
+        generate list of all confirmed pairs of username/groupname seen since last restart;
+        in case of conflicting group memberships then it is selected as follows:
+         * any non-zero value from IdP group header
+         * otherwise take --grps / [groups]
+        """
+        ret = {un: gns[:] for un, gns in self.idp_accs.items()}
+        ret.update({zs: [""] for zs in acct if zs not in ret})
+        for gn, uns in grps.items():
+            for un in uns:
+                try:
+                    ret[un].append(gn)
+                except:
+                    ret[un] = [gn]
+
+        return ret
+
     def _parse_config_file(
         self,
         fp ,
         cfg_lines ,
         acct  ,
+        grps  ,
         daxs  ,
         mflags   ,
         mount  ,
     )  :
         self.line_ctr = 0
 
-        expand_config_file(cfg_lines, fp, "")
+        expand_config_file(self.log, cfg_lines, fp, "")
         if self.args.vc:
             lns = ["{:4}: {}".format(n, s) for n, s in enumerate(cfg_lines, 1)]
             self.log("expanded config file (unprocessed):\n" + "\n".join(lns))
 
         cfg_lines = upgrade_cfg_fmt(self.log, self.args, cfg_lines, fp)
 
+        # due to IdP, volumes must be parsed after users and groups;
+        # do volumes in a 2nd pass to allow arbitrary order in config files
+        for npass in range(1, 3):
+            if self.args.vc:
+                self.log("parsing config files; pass %d/%d" % (npass, 2))
+            self._parse_config_file_2(cfg_lines, acct, grps, daxs, mflags, mount, npass)
+
+    def _parse_config_file_2(
+        self,
+        cfg_lines ,
+        acct  ,
+        grps  ,
+        daxs  ,
+        mflags   ,
+        mount  ,
+        npass ,
+    )  :
+        self.line_ctr = 0
+        all_un_gn = self._all_un_gn(acct, grps)
+
         cat = ""
         catg = "[global]"
         cata = "[accounts]"
+        catgrp = "[groups]"
         catx = "accs:"
         catf = "flags:"
         ap  = None
         vp  = None
+        vols     = []
         for ln in cfg_lines:
             self.line_ctr += 1
             ln = ln.split("  #")[0].strip()
@@ -882,7 +1030,7 @@ class AuthSrv(object):
             subsection = ln in (catx, catf)
             if ln.startswith("[") or subsection:
                 self._e()
-                if ap is None and vp is not None:
+                if npass > 1 and ap is None and vp is not None:
                     t = "the first line after [/{}] must be a filesystem path to share on that volume"
                     raise Exception(t.format(vp))
 
@@ -898,6 +1046,8 @@ class AuthSrv(object):
                     self._l(ln, 6, t)
                 elif ln == cata:
                     self._l(ln, 5, "begin user-accounts section")
+                elif ln == catgrp:
+                    self._l(ln, 5, "begin user-groups section")
                 elif ln.startswith("[/"):
                     vp = ln[1:-1].strip("/")
                     self._l(ln, 2, "define volume at URL [/{}]".format(vp))
@@ -934,15 +1084,39 @@ class AuthSrv(object):
                     raise Exception(t + SBADCFG)
                 continue
 
+            if cat == catgrp:
+                try:
+                    gn, zs1 = [zs.strip() for zs in ln.split(":", 1)]
+                    uns = [zs.strip() for zs in zs1.split(",")]
+                    t = "group [%s] = " % (gn,)
+                    t += ", ".join("user [%s]" % (x,) for x in uns)
+                    self._l(ln, 5, t)
+                    grps[gn] = uns
+                except:
+                    t = 'lines inside the [groups] section must be "groupname: user1, user2, user..."'
+                    raise Exception(t + SBADCFG)
+                continue
+
             if vp is not None and ap is None:
+                if npass != 2:
+                    continue
+
                 ap = ln
-                ap = os.path.expandvars(os.path.expanduser(ap))
-                ap = absreal(ap)
                 self._l(ln, 2, "bound to filesystem-path [{}]".format(ap))
-                self._map_volume(ap, vp, mount, daxs, mflags)
+                vols = self._map_volume_idp(ap, vp, mount, daxs, mflags, all_un_gn)
+                if not vols:
+                    ap = vp = None
+                    self._l(ln, 2, "└─no users/groups known; was not mapped")
+                elif len(vols) > 1:
+                    for vol in vols:
+                        self._l(ln, 2, "└─mapping: [%s] => [%s]" % (vol[1], vol[0]))
                 continue
 
             if cat == catx:
+                if npass != 2 or not ap:
+                    # not stage2, or unmapped ${u}/${g}
+                    continue
+
                 err = ""
                 try:
                     self._l(ln, 5, "volume access config:")
@@ -953,14 +1127,20 @@ class AuthSrv(object):
                     if " " in re.sub(", *", "", sv).strip():
                         err = "list of users is not comma-separated; "
                         raise Exception(err)
-                    assert vp is not None
-                    self._read_vol_str(sk, sv.replace(" ", ""), daxs[vp], mflags[vp])
+                    sv = sv.replace(" ", "")
+                    self._read_vol_str_idp(sk, sv, vols, all_un_gn, daxs, mflags)
                     continue
+                except CfgEx:
+                    raise
                 except:
                     err += "accs entries must be 'rwmdgGhaA.: user1, user2, ...'"
-                    raise Exception(err + SBADCFG)
+                    raise CfgEx(err + SBADCFG)
 
             if cat == catf:
+                if npass != 2 or not ap:
+                    # not stage2, or unmapped ${u}/${g}
+                    continue
+
                 err = ""
                 try:
                     self._l(ln, 6, "volume-specific config:")
@@ -977,11 +1157,14 @@ class AuthSrv(object):
                         else:
                             fstr += ",{}={}".format(sk, sv)
                             assert vp is not None
-                            self._read_vol_str("c", fstr[1:], daxs[vp], mflags[vp])
+                            self._read_vol_str_idp(
+                                "c", fstr[1:], vols, all_un_gn, daxs, mflags
+                            )
                             fstr = ""
                     if fstr:
-                        assert vp is not None
-                        self._read_vol_str("c", fstr[1:], daxs[vp], mflags[vp])
+                        self._read_vol_str_idp(
+                            "c", fstr[1:], vols, all_un_gn, daxs, mflags
+                        )
                     continue
                 except:
                     err += "flags entries (volflags) must be one of the following:\n  'flag1, flag2, ...'\n  'key: value'\n  'flag1, flag2, key: value'"
@@ -992,12 +1175,18 @@ class AuthSrv(object):
         self._e()
         self.line_ctr = 0
 
-    def _read_vol_str(
-        self, lvl , uname , axs , flags  
+    def _read_vol_str_idp(
+        self,
+        lvl ,
+        uname ,
+        vols    ,
+        un_gns  ,
+        axs  ,
+        flags   ,
     )  :
         if lvl.strip("crwmdgGhaA."):
             t = "%s,%s" % (lvl, uname) if uname else lvl
-            raise Exception("invalid config value (volume or volflag): %s" % (t,))
+            raise CfgEx("invalid config value (volume or volflag): %s" % (t,))
 
         if lvl == "c":
             # here, 'uname' is not a username; it is a volflag name... sorry
@@ -1012,16 +1201,63 @@ class AuthSrv(object):
             while "," in uname:
                 # one or more bools before the final flag; eat them
                 n1, uname = uname.split(",", 1)
-                self._read_volflag(flags, n1, True, False)
+                for _, vp, _, _ in vols:
+                    self._read_volflag(flags[vp], n1, True, False)
+
+            for _, vp, _, _ in vols:
+                self._read_volflag(flags[vp], uname, cval, False)
 
-            self._read_volflag(flags, uname, cval, False)
             return
 
         if uname == "":
             uname = "*"
 
-        junkset = set()
+        unames = []
         for un in uname.replace(",", " ").strip().split():
+            if un.startswith("@"):
+                grp = un[1:]
+                uns = [x[0] for x in un_gns.items() if grp in x[1]]
+                if not uns and grp != "${g}" and not self.args.idp_h_grp:
+                    t = "group [%s] must be defined with --grp argument (or in a [groups] config section)"
+                    raise CfgEx(t % (grp,))
+
+                unames.extend(uns)
+            else:
+                unames.append(un)
+
+        # unames may still contain ${u} and ${g} so now expand those;
+        un_gn = [(un, gn) for un, gns in un_gns.items() for gn in gns]
+        if "*" not in un_gns:
+            # need ("*","") to match "*" in unames
+            un_gn.append(("*", ""))
+
+        for _, dst, vu, vg in vols:
+            unames2 = set()
+            for un, gn in un_gn:
+                # if vu/vg (volume user/group) is non-null,
+                # then each non-null value corresponds to
+                # ${u}/${g}; consider this a filter to
+                # apply to unames, as well as un_gn
+                if (vu and vu != un) or (vg and vg != gn):
+                    continue
+
+                for uname in unames + ([un] if vu or vg else []):
+                    if uname == "${u}":
+                        uname = vu or un
+                    elif uname in ("${g}", "@${g}"):
+                        uname = vg or gn
+
+                    if vu and vu != uname:
+                        continue
+
+                    if uname:
+                        unames2.add(uname)
+
+            self._read_vol_str(lvl, list(unames2), axs[dst])
+
+    def _read_vol_str(self, lvl , unames , axs )  :
+        junkset = set()
+        for un in unames:
             for alias, mapping in [
                 ("h", "gh"),
                 ("G", "gG"),
@@ -1098,12 +1334,18 @@ class AuthSrv(object):
         then supplementing with config files
         before finally building the VFS
         """
+        with self.mutex:
+            self._reload()
 
+    def _reload(self)  :
         acct   = {}  # username:password
+        grps   = {}  # groupname:usernames
         daxs   = {}
         mflags    = {}  # moutpoint:flags
         mount   = {}  # dst:src (mountpoint:realpath)
 
+        self.idp_vols = {}  # yolo
+
         if self.args.a:
             # list of username:password
             for x in self.args.a:
@@ -1114,9 +1356,22 @@ class AuthSrv(object):
                     t = '\n  invalid value "{}" for argument -a, must be username:password'
                     raise Exception(t.format(x))
 
+        if self.args.grp:
+            # list of groupname:username,username,...
+            for x in self.args.grp:
+                try:
+                    # accept both = and : as separator between groupname and usernames,
+                    # accept both , and : as separators between usernames
+                    zs1, zs2 = x.replace("=", ":").split(":", 1)
+                    grps[zs1] = zs2.replace(":", ",").split(",")
+                except:
+                    t = '\n  invalid value "{}" for argument --grp, must be groupname:username1,username2,...'
+                    raise Exception(t.format(x))
+
         if self.args.v:
             # list of src:dst:permset:permset:...
             # permset is <rwmdgGhaA.>[,username][,username] or <c>,<flag>[=args]
+            all_un_gn = self._all_un_gn(acct, grps)
             for v_str in self.args.v:
                 m = re_vol.match(v_str)
                 if not m:
@@ -1126,20 +1381,19 @@ class AuthSrv(object):
                 if WINDOWS:
                     src = uncyg(src)
 
-                # print("\n".join([src, dst, perms]))
-                src = absreal(src)
-                dst = dst.strip("/")
-                self._map_volume(src, dst, mount, daxs, mflags)
+                vols = self._map_volume_idp(src, dst, mount, daxs, mflags, all_un_gn)
 
                 for x in perms.split(":"):
                     lvl, uname = x.split(",", 1) if "," in x else [x, ""]
-                    self._read_vol_str(lvl, uname, daxs[dst], mflags[dst])
+                    self._read_vol_str_idp(lvl, uname, vols, all_un_gn, daxs, mflags)
 
         if self.args.c:
             for cfg_fn in self.args.c:
                 lns  = []
                 try:
-                    self._parse_config_file(cfg_fn, lns, acct, daxs, mflags, mount)
+                    self._parse_config_file(
+                        cfg_fn, lns, acct, grps, daxs, mflags, mount
+                    )
 
                     zs = "#\033[36m cfg files in "
                     zst = [x[len(zs) :] for x in lns if x.startswith(zs)]
@@ -1170,7 +1424,7 @@ class AuthSrv(object):
 
             mount = cased
 
-        if not mount:
+        if not mount and not self.args.idp_h_usr:
             # -h says our defaults are CWD at root and read/write for everyone
             axs = AXS(["*"], ["*"], None, None)
             vfs = VFS(self.log_func, absreal("."), "", axs, {})
@@ -1206,9 +1460,13 @@ class AuthSrv(object):
             vol.all_vps.sort(key=lambda x: len(x[0]), reverse=True)
             vol.root = vfs
 
+        zss = set(acct)
+        zss.update(self.idp_accs)
+        zss.discard("*")
+        unames = ["*"] + list(sorted(zss))
+
         for perm in "read write move del get pget html admin dot".split():
             axs_key = "u" + perm
-            unames = ["*"] + list(acct.keys())
             for vp, vol in vfs.all_vols.items():
                 zx = getattr(vol.axs, axs_key)
                 if "*" in zx:
@@ -1242,18 +1500,20 @@ class AuthSrv(object):
             ]:
                 for usr in d:
                     all_users[usr] = 1
-                    if usr != "*" and usr not in acct:
+                    if usr != "*" and usr not in acct and usr not in self.idp_accs:
                         missing_users[usr] = 1
                     if "*" not in d:
                         associated_users[usr] = 1
 
         if missing_users:
-            self.log(
-                "you must -a the following users: "
-                + ", ".join(k for k in sorted(missing_users)),
-                c=1,
-            )
-            raise Exception(BAD_CFG)
+            zs = ", ".join(k for k in sorted(missing_users))
+            if self.args.idp_h_usr:
+                t = "the following users are unknown, and assumed to come from IdP: "
+                self.log(t + zs, c=6)
+            else:
+                t = "you must -a the following users: "
+                self.log(t + zs, c=1)
+                raise Exception(BAD_CFG)
 
         if LEELOO_DALLAS in all_users:
             raise Exception("sorry, reserved username: " + LEELOO_DALLAS)
@@ -1394,13 +1654,6 @@ class AuthSrv(object):
                 if not vol.flags.get("robots"):
                     vol.flags["norobots"] = True
 
-        for vol in vfs.all_vols.values():
-            h = [vol.flags.get("html_head", self.args.html_head)]
-            if vol.flags.get("norobots"):
-                h.insert(0, META_NOBOTS)
-
-            vol.flags["html_head"] = "\n".join([x for x in h if x])
-
         for vol in vfs.all_vols.values():
             if self.args.no_vthumb:
                 vol.flags["dvthumb"] = True
@@ -1478,7 +1731,7 @@ class AuthSrv(object):
                 if k not in vol.flags:
                     vol.flags[k] = getattr(self.args, k)
 
-            for k in ("nrand",):
+            for k in ("nrand", "u2abort"):
                 if k in vol.flags:
                     vol.flags[k] = int(vol.flags[k])
 
@@ -1742,20 +1995,37 @@ class AuthSrv(object):
         except Pebkac:
             self.warn_anonwrite = True
 
-        with self.mutex:
-            self.vfs = vfs
-            self.acct = acct
-            self.iacct = {v: k for k, v in acct.items()}
-
-            self.re_pwd = None
-            pwds = [re.escape(x) for x in self.iacct.keys()]
-            if pwds:
-                if self.ah.on:
-                    zs = r"(\[H\] pw:.*|[?&]pw=)([^&]+)"
-                else:
-                    zs = r"(\[H\] pw:.*|=)(" + "|".join(pwds) + r")([]&; ]|$)"
+        idp_err = "WARNING! The following IdP volumes are mounted directly below another volume where anonymous users can read and/or write files. This is a SECURITY HAZARD!! When copyparty is restarted, it will not know about these IdP volumes yet. These volumes will then be accessible by anonymous users UNTIL one of the users associated with their volume sends a request to the server. RECOMMENDATION: You should create a restricted volume where nobody can read/write files, and make sure that all IdP volumes are configured to appear somewhere below that volume."
+        for idp_vp in self.idp_vols:
+            parent_vp = vsplit(idp_vp)[0]
+            vn, _ = vfs.get(parent_vp, "*", False, False)
+            zs = (
+                "READABLE"
+                if "*" in vn.axs.uread
+                else "WRITABLE"
+                if "*" in vn.axs.uwrite
+                else ""
+            )
+            if zs:
+                t = '\nWARNING: Volume "/%s" appears below "/%s" and would be WORLD-%s'
+                idp_err += t % (idp_vp, vn.vpath, zs)
+        if "\n" in idp_err:
+            self.log(idp_err, 1)
+
+        self.vfs = vfs
+        self.acct = acct
+        self.grps = grps
+        self.iacct = {v: k for k, v in acct.items()}
+
+        self.re_pwd = None
+        pwds = [re.escape(x) for x in self.iacct.keys()]
+        if pwds:
+            if self.ah.on:
+                zs = r"(\[H\] pw:.*|[?&]pw=)([^&]+)"
+            else:
+                zs = r"(\[H\] pw:.*|=)(" + "|".join(pwds) + r")([]&; ]|$)"
 
-                self.re_pwd = re.compile(zs)
+            self.re_pwd = re.compile(zs)
 
     def setup_pwhash(self, acct  )  :
         self.ah = PWHash(self.args)
@@ -1997,6 +2267,12 @@ class AuthSrv(object):
                 ret.append("  {}: {}".format(u, p))
             ret.append("")
 
+        if self.grps:
+            ret.append("[groups]")
+            for gn, uns in self.grps.items():
+                ret.append("  %s: %s" % (gn, ", ".join(uns)))
+            ret.append("")
+
         for vol in self.vfs.all_vols.values():
             ret.append("[/{}]".format(vol.vpath))
             ret.append("  " + vol.realpath)
@@ -2094,27 +2370,50 @@ def split_cfg_ln(ln )   :
     return ret
 
 
-def expand_config_file(ret , fp , ipath )  :
+def expand_config_file(
+    log , ret , fp , ipath 
+)  :
     """expand all % file includes"""
     fp = absreal(fp)
     if len(ipath.split(" -> ")) > 64:
         raise Exception("hit max depth of 64 includes")
 
     if os.path.isdir(fp):
-        names = os.listdir(fp)
-        crumb = "#\033[36m cfg files in {} => {}\033[0m".format(fp, names)
-        ret.append(crumb)
-        for fn in sorted(names):
+        names = list(sorted(os.listdir(fp)))
+        cnames = [x for x in names if x.lower().endswith(".conf")]
+        if not cnames:
+            t = "warning: tried to read config-files from folder '%s' but it does not contain any "
+            if names:
+                t += ".conf files; the following files were ignored: %s"
+                t = t % (fp, ", ".join(names[:8]))
+            else:
+                t += "files at all"
+                t = t % (fp,)
+
+            if log:
+                log(t, 3)
+
+            ret.append("#\033[33m %s\033[0m" % (t,))
+        else:
+            zs = "#\033[36m cfg files in %s => %s\033[0m" % (fp, cnames)
+            ret.append(zs)
+
+        for fn in cnames:
             fp2 = os.path.join(fp, fn)
-            if not fp2.endswith(".conf") or fp2 in ipath:
+            if fp2 in ipath:
                 continue
 
-            expand_config_file(ret, fp2, ipath)
+            expand_config_file(log, ret, fp2, ipath)
+
+        return
 
-        if ret[-1] == crumb:
-            # no config files below; remove breadcrumb
-            ret.pop()
+    if not os.path.exists(fp):
+        t = "warning: tried to read config from '%s' but the file/folder does not exist"
+        t = t % (fp,)
+        if log:
+            log(t, 3)
 
+        ret.append("#\033[31m %s\033[0m" % (t,))
         return
 
     ipath += " -> " + fp
@@ -2128,7 +2427,7 @@ def expand_config_file(ret , fp , ipath )  :
                 fp2 = ln[1:].strip()
                 fp2 = os.path.join(os.path.dirname(fp), fp2)
                 ofs = len(ret)
-                expand_config_file(ret, fp2, ipath)
+                expand_config_file(log, ret, fp2, ipath)
                 for n in range(ofs, len(ret)):
                     ret[n] = pad + ret[n]
                 continue