package net.shibboleth.idp.saml.saml2.profile.impl;

import com.google.common.base.Strings;
import com.google.common.collect.HashMultimap;
import com.google.common.collect.Multimap;
import java.security.Principal;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.attribute.AttributeDecodingException;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.attribute.filter.AttributeFilter;
import net.shibboleth.idp.attribute.filter.AttributeFilterException;
import net.shibboleth.idp.attribute.filter.context.AttributeFilterContext;
import net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry;
import net.shibboleth.idp.attribute.transcoding.TranscoderSupport;
import net.shibboleth.idp.attribute.transcoding.TranscodingRule;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.profile.IdPEventIds;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.NameIDPrincipal;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.saml.profile.context.navigate.SAMLMetadataContextLookupFunction;
import net.shibboleth.shared.annotation.constraint.Live;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.service.ReloadableService;
import net.shibboleth.shared.service.ServiceException;
import net.shibboleth.shared.service.ServiceableComponent;
import org.opensaml.messaging.context.BaseContext;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.RecursiveTypedParentContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.ProxyRestriction;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-5.1.3.jar:net/shibboleth/idp/saml/saml2/profile/impl/ValidateSAMLAuthentication.class */
public class ValidateSAMLAuthentication extends AbstractValidationAction {

    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.saml";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) ValidateSAMLAuthentication.class);

    @Nullable
    private ReloadableService<AttributeTranscoderRegistry> transcoderRegistry;

    @Nullable
    private ReloadableService<AttributeFilter> attributeFilterService;

    @Nullable
    private MetadataResolver metadataResolver;

    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy;

    @Nullable
    private Function<ProfileRequestContext, Collection<IdPAttribute>> attributeExtractionStrategy;

    @NotEmpty
    @Nullable
    private String loggedAttributeId;

    @NonnullBeforeExec
    private SAMLAuthnContext samlAuthnContext;

    @NonnullBeforeExec
    private BrowserSSOProfileConfiguration profileConfiguration;

    @Nullable
    private Function<AuthnContext, Collection<Principal>> authnContextTranslator;

    @Nullable
    private Function<ProfileRequestContext, Collection<Principal>> authnContextTranslatorEx;

    @Nullable
    private AttributeContext attributeContext;
    static final /* synthetic */ boolean $assertionsDisabled;

    public ValidateSAMLAuthentication() {
        setMetricName(DEFAULT_METRIC_NAME);
        this.relyingPartyContextLookupStrategy = new ChildContextLookup(RelyingPartyContext.class);
    }

    public void setTranscoderRegistry(@Nullable ReloadableService<AttributeTranscoderRegistry> reloadableService) {
        checkSetterPreconditions();
        this.transcoderRegistry = reloadableService;
    }

    public void setAttributeFilter(@Nullable ReloadableService<AttributeFilter> reloadableService) {
        checkSetterPreconditions();
        this.attributeFilterService = reloadableService;
    }

    public void setMetadataResolver(@Nullable MetadataResolver metadataResolver) {
        checkSetterPreconditions();
        this.metadataResolver = metadataResolver;
    }

    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        checkSetterPreconditions();
        this.relyingPartyContextLookupStrategy = (Function) Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    public void setAttributeExtractionStrategy(@Nullable Function<ProfileRequestContext, Collection<IdPAttribute>> function) {
        checkSetterPreconditions();
        this.attributeExtractionStrategy = function;
    }

    public void setLoggedAttributeId(@NotEmpty @Nullable String str) {
        checkSetterPreconditions();
        this.loggedAttributeId = StringSupport.trimOrNull(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction, net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        if (authenticationContext.getAttemptedFlow() == null) {
            this.log.debug("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        this.samlAuthnContext = (SAMLAuthnContext) authenticationContext.getSubcontext(SAMLAuthnContext.class);
        if (this.samlAuthnContext == null) {
            this.log.debug("{} No SAMLAuthnContext available within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_CREDENTIALS);
            return false;
        }
        RelyingPartyContext apply = this.relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (apply == null) {
            this.log.error("{} Unable to locate RelyingPartyContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, IdPEventIds.INVALID_RELYING_PARTY_CTX);
            return false;
        }
        if (apply.getProfileConfig() == null) {
            this.log.error("{} Unable to locate profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, IdPEventIds.INVALID_PROFILE_CONFIG);
            return false;
        }
        if (apply.getProfileConfig() instanceof BrowserSSOProfileConfiguration) {
            this.profileConfiguration = (BrowserSSOProfileConfiguration) apply.getProfileConfig();
            return true;
        }
        this.log.error("{} Not a SAML 2 profile configuration", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, IdPEventIds.INVALID_PROFILE_CONFIG);
        return false;
    }

    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        recordSuccess(profileRequestContext);
        if (this.transcoderRegistry != null) {
            processAttributes(profileRequestContext);
        }
        Function<ProfileRequestContext, Collection<IdPAttribute>> function = this.attributeExtractionStrategy;
        AttributeContext attributeContext = this.attributeContext;
        if (function != null) {
            this.log.debug("{} Applying custom extraction strategy function", getLogPrefix());
            if (attributeContext == null) {
                RelyingPartyContext relyingPartyContext = (RelyingPartyContext) profileRequestContext.getSubcontext(RelyingPartyContext.class);
                if (!$assertionsDisabled && relyingPartyContext == null) {
                    throw new AssertionError();
                }
                AttributeContext attributeContext2 = (AttributeContext) relyingPartyContext.ensureSubcontext(AttributeContext.class);
                this.attributeContext = attributeContext2;
                attributeContext = attributeContext2;
            }
            ArrayList arrayList = new ArrayList(attributeContext.getIdPAttributes().values());
            Collection<IdPAttribute> apply = function.apply(profileRequestContext);
            if (apply != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("{} Extracted attributes with custom strategy: {}", getLogPrefix(), apply.stream().map((v0) -> {
                        return v0.getId();
                    }).collect(Collectors.toUnmodifiableList()));
                }
                arrayList.addAll(apply);
                attributeContext.setIdPAttributes(arrayList);
            }
        }
        logSuccess();
        this.authnContextTranslator = this.profileConfiguration.getAuthnContextTranslationStrategy(profileRequestContext);
        this.authnContextTranslatorEx = this.profileConfiguration.getAuthnContextTranslationStrategyEx(profileRequestContext);
        buildAuthenticationResult(profileRequestContext, authenticationContext);
        AuthenticationResult authenticationResult = authenticationContext.getAuthenticationResult();
        if (authenticationResult == null || !this.profileConfiguration.isProxiedAuthnInstant(profileRequestContext)) {
            return;
        }
        AuthnStatement authnStatement = this.samlAuthnContext.getAuthnStatement();
        if (!$assertionsDisabled && authnStatement == null) {
            throw new AssertionError();
        }
        Instant authnInstant = authnStatement.getAuthnInstant();
        if (!$assertionsDisabled && authnInstant == null) {
            throw new AssertionError();
        }
        this.log.debug("{} Resetting authentication time to proxied value: {}", getLogPrefix(), authnInstant);
        if (authnStatement.getAuthnInstant() != null) {
            authenticationResult.setAuthenticationInstant(authnInstant);
        }
    }

    protected void logSuccess() {
        IdPAttribute idPAttribute;
        String str = null;
        if (this.loggedAttributeId != null && this.attributeContext != null && (idPAttribute = this.attributeContext.getIdPAttributes().get(this.loggedAttributeId)) != null && !idPAttribute.getValues().isEmpty()) {
            str = idPAttribute.getValues().get(0).getDisplayValue();
        }
        if (!$assertionsDisabled && this.samlAuthnContext == null) {
            throw new AssertionError();
        }
        Subject subject = this.samlAuthnContext.getSubject();
        if (str == null && subject != null) {
            NameID nameID = subject.getNameID();
            str = nameID != null ? nameID.getValue() : null;
        }
        this.log.info("{} SAML authentication succeeded for '{}'", getLogPrefix(), str);
    }

    @Override // net.shibboleth.idp.authn.AbstractValidationAction
    @Nonnull
    protected javax.security.auth.Subject populateSubject(@Nonnull javax.security.auth.Subject subject) {
        Collection<Principal> apply;
        Collection<Principal> apply2;
        SAMLAuthnContext sAMLAuthnContext = this.samlAuthnContext;
        AttributeContext attributeContext = this.attributeContext;
        if (!$assertionsDisabled && (sAMLAuthnContext == null || attributeContext == null)) {
            throw new AssertionError();
        }
        BaseContext parent = sAMLAuthnContext.getParent();
        if (!$assertionsDisabled && parent == null) {
            throw new AssertionError();
        }
        Subject subject2 = sAMLAuthnContext.getSubject();
        NameID nameID = subject2 == null ? null : subject2.getNameID();
        if (nameID != null) {
            subject.getPrincipals().add(new NameIDPrincipal(nameID));
        }
        AuthnStatement authnStatement = sAMLAuthnContext.getAuthnStatement();
        if (!$assertionsDisabled && authnStatement == null) {
            throw new AssertionError();
        }
        AuthnContext authnContext = (AuthnContext) Constraint.isNotNull(authnStatement.getAuthnContext(), "No Authn Context");
        boolean z = false;
        if (this.authnContextTranslatorEx != null && (apply2 = this.authnContextTranslatorEx.apply((ProfileRequestContext) parent.getSubcontext(ProfileRequestContext.class))) != null && !apply2.isEmpty()) {
            subject.getPrincipals().addAll(apply2);
            if (this.log.isDebugEnabled()) {
                this.log.debug("{} Added translated Principals: {}", getLogPrefix(), apply2.stream().map((v0) -> {
                    return v0.getName();
                }).collect(Collectors.toUnmodifiableList()));
            }
            z = true;
        }
        if (!z && this.authnContextTranslator != null && (apply = this.authnContextTranslator.apply(authnContext)) != null && !apply.isEmpty()) {
            subject.getPrincipals().addAll(apply);
            if (this.log.isDebugEnabled()) {
                this.log.debug("{} Added translated AuthnContext Principals: {}", getLogPrefix(), apply.stream().map((v0) -> {
                    return v0.getName();
                }).collect(Collectors.toUnmodifiableList()));
            }
            z = true;
        }
        if (!z) {
            AuthnContextClassRef authnContextClassRef = authnContext.getAuthnContextClassRef();
            if (authnContextClassRef != null) {
                String uri = authnContextClassRef.getURI();
                if (uri != null) {
                    subject.getPrincipals().add(new AuthnContextClassRefPrincipal(uri));
                    this.log.debug("{} Added AuthnContextClassRef from assertion: {}", getLogPrefix(), uri);
                }
                z = true;
            }
            AuthnContextDeclRef authnContextDeclRef = authnContext.getAuthnContextDeclRef();
            if (authnContextDeclRef != null) {
                String uri2 = authnContextDeclRef.getURI();
                if (uri2 != null) {
                    subject.getPrincipals().add(new AuthnContextDeclRefPrincipal(uri2));
                    this.log.debug("{} Added AuthnContextDeclRef from assertion: {}", getLogPrefix(), uri2);
                }
                z = true;
            }
        }
        if (!z) {
            this.log.warn("{} No AuthnContext information usable from assertion", getLogPrefix());
        }
        subject.getPrincipals().add(buildProxyPrincipal(authnContext));
        if (attributeContext != null && !attributeContext.getIdPAttributes().isEmpty()) {
            this.log.debug("{} Adding filtered inbound attributes to Subject", getLogPrefix());
            subject.getPrincipals().addAll((Collection) attributeContext.getIdPAttributes().values().stream().map(idPAttribute -> {
                if ($assertionsDisabled || idPAttribute != null) {
                    return new IdPAttributePrincipal(idPAttribute);
                }
                throw new AssertionError();
            }).collect(Collectors.toUnmodifiableList()));
        }
        return subject;
    }

    @Nonnull
    private ProxyAuthenticationPrincipal buildProxyPrincipal(@Nonnull AuthnContext authnContext) {
        ProxyAuthenticationPrincipal proxyAuthenticationPrincipal = new ProxyAuthenticationPrincipal();
        if (!$assertionsDisabled && this.samlAuthnContext == null) {
            throw new AssertionError();
        }
        AuthnStatement authnStatement = this.samlAuthnContext.getAuthnStatement();
        if (!$assertionsDisabled && authnStatement == null) {
            throw new AssertionError();
        }
        Assertion assertion = (Assertion) authnStatement.getParent();
        if (!$assertionsDisabled && assertion == null) {
            throw new AssertionError();
        }
        if (!authnContext.getAuthenticatingAuthorities().isEmpty()) {
            proxyAuthenticationPrincipal.getAuthorities().addAll((Collection) authnContext.getAuthenticatingAuthorities().stream().map((v0) -> {
                return v0.getURI();
            }).filter(str -> {
                return !Strings.isNullOrEmpty(str);
            }).collect(Collectors.toUnmodifiableList()));
        }
        Issuer issuer = assertion.getIssuer();
        if (issuer != null) {
            proxyAuthenticationPrincipal.getAuthorities().add(issuer.getValue());
        }
        Conditions conditions = assertion.getConditions();
        ProxyRestriction proxyRestriction = conditions != null ? conditions.getProxyRestriction() : null;
        if (proxyRestriction != null) {
            proxyAuthenticationPrincipal.setProxyCount(proxyRestriction.getProxyCount());
            List<Audience> audiences = proxyRestriction.getAudiences();
            if (audiences != null) {
                proxyAuthenticationPrincipal.getAudiences().addAll((Collection) audiences.stream().map((v0) -> {
                    return v0.getURI();
                }).filter(str2 -> {
                    return !Strings.isNullOrEmpty(str2);
                }).collect(Collectors.toUnmodifiableList()));
            }
        }
        return proxyAuthenticationPrincipal;
    }

    private void processAttributes(@Nonnull ProfileRequestContext profileRequestContext) {
        this.log.debug("{} Decoding incoming SAML Attributes", getLogPrefix());
        HashMultimap create = HashMultimap.create();
        if (!$assertionsDisabled && create == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && this.transcoderRegistry == null) {
            throw new AssertionError();
        }
        try {
            ServiceableComponent<AttributeTranscoderRegistry> serviceableComponent = this.transcoderRegistry.getServiceableComponent();
            try {
                MessageContext inboundMessageContext = profileRequestContext.getInboundMessageContext();
                if (!$assertionsDisabled && inboundMessageContext == null) {
                    throw new AssertionError();
                }
                Response response = (Response) inboundMessageContext.getMessage();
                if (!$assertionsDisabled && response == null) {
                    throw new AssertionError();
                }
                Iterator<Assertion> it = response.getAssertions().iterator();
                while (it.hasNext()) {
                    Iterator<AttributeStatement> it2 = it.next().getAttributeStatements().iterator();
                    while (it2.hasNext()) {
                        for (Attribute attribute : it2.next().getAttributes()) {
                            if (!$assertionsDisabled && attribute == null) {
                                throw new AssertionError();
                            }
                            try {
                                decodeAttribute(serviceableComponent.getComponent(), profileRequestContext, attribute, create);
                            } catch (AttributeDecodingException e) {
                                this.log.error("{} Error decoding inbound Attribute", getLogPrefix(), e);
                            }
                        }
                    }
                }
                if (serviceableComponent != null) {
                    serviceableComponent.close();
                }
                this.log.debug("{} Incoming SAML Attributes mapped to attribute IDs: {}", getLogPrefix(), create.keySet());
                if (create.isEmpty()) {
                    return;
                }
                RelyingPartyContext relyingPartyContext = (RelyingPartyContext) profileRequestContext.getSubcontext(RelyingPartyContext.class);
                if (!$assertionsDisabled && relyingPartyContext == null) {
                    throw new AssertionError();
                }
                AttributeContext attributeContext = (AttributeContext) relyingPartyContext.ensureSubcontext(AttributeContext.class);
                this.attributeContext = attributeContext;
                attributeContext.setUnfilteredIdPAttributes(create.values());
                attributeContext.setIdPAttributes(null);
                filterAttributes(profileRequestContext);
            } finally {
            }
        } catch (ServiceException e2) {
            this.log.error("Attribute transcoder service unavailable", (Throwable) e2);
        }
    }

    private void decodeAttribute(@Nonnull AttributeTranscoderRegistry attributeTranscoderRegistry, @Nonnull ProfileRequestContext profileRequestContext, @Nonnull Attribute attribute, @Nonnull @Live Multimap<String, IdPAttribute> multimap) throws AttributeDecodingException {
        Collection<TranscodingRule> transcodingRules = attributeTranscoderRegistry.getTranscodingRules(attribute);
        if (transcodingRules.isEmpty()) {
            Logger logger = this.log;
            Object[] objArr = new Object[3];
            objArr[0] = getLogPrefix();
            objArr[1] = attribute.getName();
            objArr[2] = attribute.getNameFormat() != null ? attribute.getNameFormat() : Attribute.UNSPECIFIED;
            logger.info("{} No transcoding rule for Attribute (Name '{}', NameFormat: '{}')", objArr);
            return;
        }
        for (TranscodingRule transcodingRule : transcodingRules) {
            if (!$assertionsDisabled && transcodingRule == null) {
                throw new AssertionError();
            }
            IdPAttribute decode = TranscoderSupport.getTranscoder(transcodingRule).decode(profileRequestContext, attribute, transcodingRule);
            if (decode != null) {
                multimap.put(decode.getId(), decode);
            }
        }
    }

    private void filterAttributes(@Nonnull ProfileRequestContext profileRequestContext) {
        ReloadableService<AttributeFilter> reloadableService = this.attributeFilterService;
        if (reloadableService == null) {
            this.log.warn("{} No AttributeFilter service provided", getLogPrefix());
            return;
        }
        AttributeFilterContext attributeFilterContext = (AttributeFilterContext) profileRequestContext.ensureSubcontext(AttributeFilterContext.class);
        populateFilterContext(profileRequestContext, attributeFilterContext);
        try {
            ServiceableComponent<AttributeFilter> serviceableComponent = reloadableService.getServiceableComponent();
            try {
                serviceableComponent.getComponent().filterAttributes(attributeFilterContext);
                attributeFilterContext.removeFromParent();
                if (!$assertionsDisabled && this.attributeContext == null) {
                    throw new AssertionError();
                }
                this.attributeContext.setIdPAttributes(attributeFilterContext.getFilteredIdPAttributes().values());
                if (serviceableComponent != null) {
                    serviceableComponent.close();
                }
            } catch (Throwable th) {
                if (serviceableComponent != null) {
                    try {
                        serviceableComponent.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (AttributeFilterException e) {
            this.log.error("{} Error while filtering inbound attributes", getLogPrefix(), e);
        } catch (ServiceException e2) {
            this.log.error("{} Invalid AttributeFilter configuration", getLogPrefix(), e2);
        }
    }

    private void populateFilterContext(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AttributeFilterContext attributeFilterContext) {
        AttributeContext attributeContext = this.attributeContext;
        if (!$assertionsDisabled && attributeContext == null) {
            throw new AssertionError();
        }
        attributeFilterContext.setDirection(AttributeFilterContext.Direction.INBOUND).setPrefilteredIdPAttributes(attributeContext.getUnfilteredIdPAttributes().values()).setMetadataResolver(this.metadataResolver).setRequesterMetadataContextLookupStrategy(null).setIssuerMetadataContextLookupStrategy(new SAMLMetadataContextLookupFunction().compose(new RecursiveTypedParentContextLookup(ProfileRequestContext.class))).setProxiedRequesterContextLookupStrategy(null).setAttributeIssuerID((String) ((Function) Constraint.isNotNull(getResponderLookupStrategy(), "No responder Strategy")).apply(profileRequestContext)).setAttributeRecipientID((String) ((Function) Constraint.isNotNull(getRequesterLookupStrategy(), "No requester strategy")).apply(profileRequestContext));
    }

    static {
        $assertionsDisabled = !ValidateSAMLAuthentication.class.desiredAssertionStatus();
    }
}
