{"version":3,"file":"OnBehalfOfClient.js","sources":["../../src/client/OnBehalfOfClient.ts"],"sourcesContent":["/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { ClientConfiguration } from \"../config/ClientConfiguration\";\nimport { BaseClient } from \"./BaseClient\";\nimport { Authority } from \"../authority/Authority\";\nimport { RequestParameterBuilder } from \"../request/RequestParameterBuilder\";\nimport { ScopeSet } from \"../request/ScopeSet\";\nimport { GrantType, AADServerParamKeys , CredentialType, Constants, CacheOutcome, AuthenticationScheme } from \"../utils/Constants\";\nimport { ResponseHandler } from \"../response/ResponseHandler\";\nimport { AuthenticationResult } from \"../response/AuthenticationResult\";\nimport { CommonOnBehalfOfRequest } from \"../request/CommonOnBehalfOfRequest\";\nimport { TimeUtils } from \"../utils/TimeUtils\";\nimport { CredentialFilter, CredentialCache } from \"../cache/utils/CacheTypes\";\nimport { AccessTokenEntity } from \"../cache/entities/AccessTokenEntity\";\nimport { IdTokenEntity } from \"../cache/entities/IdTokenEntity\";\nimport { AccountEntity } from \"../cache/entities/AccountEntity\";\nimport { AuthToken } from \"../account/AuthToken\";\nimport { ClientAuthError } from \"../error/ClientAuthError\";\nimport { RequestThumbprint } from \"../network/RequestThumbprint\";\nimport { AccountInfo } from \"../account/AccountInfo\";\n\n/**\n * On-Behalf-Of client\n */\nexport class OnBehalfOfClient extends BaseClient {\n\n    private scopeSet: ScopeSet;\n    private userAssertionHash: string;\n\n    constructor(configuration: ClientConfiguration) {\n        super(configuration);\n    }\n\n    /**\n     * Public API to acquire tokens with on behalf of flow\n     * @param request\n     */\n    public async acquireToken(request: CommonOnBehalfOfRequest): Promise<AuthenticationResult | null> {\n        this.scopeSet = new ScopeSet(request.scopes || []);\n\n        // generate the user_assertion_hash for OBOAssertion\n        this.userAssertionHash = await this.cryptoUtils.hashString(request.oboAssertion);\n\n        if (request.skipCache) {\n            return await this.executeTokenRequest(request, this.authority, this.userAssertionHash);\n        }\n\n        try {\n            return await this.getCachedAuthenticationResult(request);\n        } catch (e) {\n            // Any failure falls back to interactive request, once we implement distributed cache, we plan to handle `createRefreshRequiredError` to refresh using the RT\n            return await this.executeTokenRequest(request, this.authority, this.userAssertionHash);\n        }\n    }\n\n    /**\n     * look up cache for tokens\n     * Find idtoken in the cache\n     * Find accessToken based on user assertion and account info in the cache\n     * Please note we are not yet supported OBO tokens refreshed with long lived RT. User will have to send a new assertion if the current access token expires\n     * This is to prevent security issues when the assertion changes over time, however, longlived RT helps retaining the session\n     * @param request\n     */\n    private async getCachedAuthenticationResult(request: CommonOnBehalfOfRequest): Promise<AuthenticationResult | null> {\n\n        // look in the cache for the access_token which matches the incoming_assertion\n        const cachedAccessToken = this.readAccessTokenFromCacheForOBO(this.config.authOptions.clientId, request);\n        if (!cachedAccessToken) {\n            // Must refresh due to non-existent access_token.\n            this.serverTelemetryManager?.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN);\n            this.logger.info(\"SilentFlowClient:acquireCachedToken - No access token found in cache for the given properties.\");\n            throw ClientAuthError.createRefreshRequiredError();\n        } else if (TimeUtils.isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {\n            // Access token expired, will need to renewed\n            this.serverTelemetryManager?.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED);\n            this.logger.info(`OnbehalfofFlow:getCachedAuthenticationResult - Cached access token is expired or will expire within ${this.config.systemOptions.tokenRenewalOffsetSeconds} seconds.`);\n            throw ClientAuthError.createRefreshRequiredError();\n        }\n\n        // fetch the idToken from cache\n        const cachedIdToken = this.readIdTokenFromCacheForOBO(request, cachedAccessToken.homeAccountId);\n        let idTokenObject: AuthToken | undefined;\n        let cachedAccount: AccountEntity | null = null;\n        if (cachedIdToken) {\n            idTokenObject = new AuthToken(cachedIdToken.secret, this.config.cryptoInterface);\n            const localAccountId = idTokenObject.claims.oid ? idTokenObject.claims.oid : idTokenObject.claims.sub;\n            const accountInfo: AccountInfo = {\n                homeAccountId: cachedIdToken.homeAccountId,\n                environment: cachedIdToken.environment,\n                tenantId: cachedIdToken.realm,\n                username: Constants.EMPTY_STRING,\n                localAccountId: localAccountId || Constants.EMPTY_STRING\n            };\n\n            cachedAccount = this.cacheManager.readAccountFromCache(accountInfo);\n        }\n\n        // increment telemetry cache hit counter\n        if (this.config.serverTelemetryManager) {\n            this.config.serverTelemetryManager.incrementCacheHits();\n        }\n\n        return await ResponseHandler.generateAuthenticationResult(\n            this.cryptoUtils,\n            this.authority,\n            {\n                account: cachedAccount,\n                accessToken: cachedAccessToken,\n                idToken: cachedIdToken,\n                refreshToken: null,\n                appMetadata: null\n            },\n            true,\n            request,\n            idTokenObject);\n    }\n\n    /**\n     * read idtoken from cache, this is a specific implementation for OBO as the requirements differ from a generic lookup in the cacheManager\n     * Certain use cases of OBO flow do not expect an idToken in the cache/or from the service\n     * @param request\n     */\n    private readIdTokenFromCacheForOBO(request: CommonOnBehalfOfRequest, atHomeAccountId: string): IdTokenEntity | null {\n\n        const idTokenFilter: CredentialFilter = {\n            homeAccountId: atHomeAccountId,\n            environment: this.authority.canonicalAuthorityUrlComponents.HostNameAndPort,\n            credentialType: CredentialType.ID_TOKEN,\n            clientId: this.config.authOptions.clientId,\n            realm: this.authority.tenant\n        };\n\n        const credentialCache: CredentialCache = this.cacheManager.getCredentialsFilteredBy(idTokenFilter);\n        const idTokens = Object.keys(credentialCache.idTokens).map(key => credentialCache.idTokens[key]);\n        // When acquiring a token on behalf of an application, there might not be an id token in the cache\n        if (idTokens.length < 1) {\n            return null;\n        }\n        return idTokens[0] as IdTokenEntity;\n    }\n\n    /**\n     * Fetches the cached access token based on incoming assertion\n     * @param clientId\n     * @param request\n     * @param userAssertionHash\n     */\n    private readAccessTokenFromCacheForOBO(clientId: string, request: CommonOnBehalfOfRequest) {\n        const authScheme = request.authenticationScheme || AuthenticationScheme.BEARER;\n        /*\n         * Distinguish between Bearer and PoP/SSH token cache types\n         * Cast to lowercase to handle \"bearer\" from ADFS\n         */\n        const credentialType = (authScheme && authScheme.toLowerCase() !== AuthenticationScheme.BEARER.toLowerCase()) ? CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME : CredentialType.ACCESS_TOKEN;\n\n        const accessTokenFilter: CredentialFilter = {\n            credentialType: credentialType,\n            clientId,\n            target: this.scopeSet.printScopesLowerCase(),\n            tokenType: authScheme,\n            keyId: request.sshKid,\n            requestedClaimsHash: request.requestedClaimsHash,\n            userAssertionHash: this.userAssertionHash\n        };\n\n        const credentialCache: CredentialCache = this.cacheManager.getCredentialsFilteredBy(accessTokenFilter);\n\n        const accessTokens = Object.keys(credentialCache.accessTokens).map((key) => credentialCache.accessTokens[key]);\n\n        const numAccessTokens = accessTokens.length;\n        if (numAccessTokens < 1) {\n            return null;\n        } else if (numAccessTokens > 1) {\n            throw ClientAuthError.createMultipleMatchingTokensInCacheError();\n        }\n\n        return accessTokens[0] as AccessTokenEntity;\n    }\n\n    /**\n     * Make a network call to the server requesting credentials\n     * @param request\n     * @param authority\n     */\n    private async executeTokenRequest(request: CommonOnBehalfOfRequest, authority: Authority, userAssertionHash: string)\n        : Promise<AuthenticationResult | null> {\n\n        const requestBody = this.createTokenRequestBody(request);\n        const headers: Record<string, string> = this.createTokenRequestHeaders();\n        const thumbprint: RequestThumbprint = {\n            clientId: this.config.authOptions.clientId,\n            authority: request.authority,\n            scopes: request.scopes,\n            claims: request.claims,\n            authenticationScheme: request.authenticationScheme,\n            resourceRequestMethod: request.resourceRequestMethod,\n            resourceRequestUri: request.resourceRequestUri,\n            shrClaims: request.shrClaims,\n            sshKid: request.sshKid\n        };\n\n        const reqTimestamp = TimeUtils.nowSeconds();\n        const response = await this.executePostToTokenEndpoint(authority.tokenEndpoint, requestBody, headers, thumbprint);\n\n        const responseHandler = new ResponseHandler(\n            this.config.authOptions.clientId,\n            this.cacheManager,\n            this.cryptoUtils,\n            this.logger,\n            this.config.serializableCache,\n            this.config.persistencePlugin\n        );\n\n        responseHandler.validateTokenResponse(response.body);\n        const tokenResponse = await responseHandler.handleServerTokenResponse(\n            response.body,\n            this.authority,\n            reqTimestamp,\n            request,\n            undefined,\n            userAssertionHash\n        );\n\n        return tokenResponse;\n    }\n\n    /**\n     * generate a server request in accepable format\n     * @param request\n     */\n    private createTokenRequestBody(request: CommonOnBehalfOfRequest): string {\n        const parameterBuilder = new RequestParameterBuilder();\n\n        parameterBuilder.addClientId(this.config.authOptions.clientId);\n\n        parameterBuilder.addScopes(request.scopes);\n\n        parameterBuilder.addGrantType(GrantType.JWT_BEARER);\n\n        parameterBuilder.addClientInfo();\n\n        parameterBuilder.addLibraryInfo(this.config.libraryInfo);\n        parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);\n        parameterBuilder.addThrottling();\n\n        if (this.serverTelemetryManager) {\n            parameterBuilder.addServerTelemetry(this.serverTelemetryManager);\n        }\n\n        const correlationId = request.correlationId || this.config.cryptoInterface.createNewGuid();\n        parameterBuilder.addCorrelationId(correlationId);\n\n        parameterBuilder.addRequestTokenUse(AADServerParamKeys.ON_BEHALF_OF);\n\n        parameterBuilder.addOboAssertion(request.oboAssertion);\n\n        if (this.config.clientCredentials.clientSecret) {\n            parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);\n        }\n\n        if (this.config.clientCredentials.clientAssertion) {\n            const clientAssertion = this.config.clientCredentials.clientAssertion;\n            parameterBuilder.addClientAssertion(clientAssertion.assertion);\n            parameterBuilder.addClientAssertionType(clientAssertion.assertionType);\n        }\n\n        return parameterBuilder.createQueryString();\n    }\n}\n"],"names":[],"mappings":";;;;;;;;;;;;AAAA;;;AAGG;AAqBH;;AAEG;AACH,IAAA,gBAAA,kBAAA,UAAA,MAAA,EAAA;IAAsC,SAAU,CAAA,gBAAA,EAAA,MAAA,CAAA,CAAA;AAK5C,IAAA,SAAA,gBAAA,CAAY,aAAkC,EAAA;AAC1C,QAAA,OAAA,MAAA,CAAA,IAAA,CAAA,IAAA,EAAM,aAAa,CAAC,IAAA,IAAA,CAAA;KACvB;AAED;;;AAGG;IACU,gBAAY,CAAA,SAAA,CAAA,YAAA,GAAzB,UAA0B,OAAgC,EAAA;;;;;;AACtD,wBAAA,IAAI,CAAC,QAAQ,GAAG,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;;AAGnD,wBAAA,EAAA,GAAA,IAAI,CAAA;wBAAqB,OAAM,CAAA,CAAA,YAAA,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA,CAAA;;;wBAAhF,EAAK,CAAA,iBAAiB,GAAG,EAAA,CAAA,IAAA,EAAuD,CAAC;6BAE7E,OAAO,CAAC,SAAS,EAAjB,OAAiB,CAAA,CAAA,YAAA,CAAA,CAAA,CAAA;AACV,wBAAA,OAAA,CAAA,CAAA,YAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAA,CAAA;AAAtF,oBAAA,KAAA,CAAA,EAAA,OAAA,CAAA,CAAA,aAAO,SAA+E,CAAC,CAAA;;;AAIhF,wBAAA,OAAA,CAAA,CAAA,YAAM,IAAI,CAAC,6BAA6B,CAAC,OAAO,CAAC,CAAA,CAAA;AAAxD,oBAAA,KAAA,CAAA,EAAA,OAAA,CAAA,CAAA,aAAO,SAAiD,CAAC,CAAA;;;AAGlD,wBAAA,OAAA,CAAA,CAAA,YAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAA,CAAA;;;AAAtF,oBAAA,OAAA,CAAA,CAAA,aAAO,SAA+E,CAAC,CAAA;;;;;AAE9F,KAAA,CAAA;AAED;;;;;;;AAOG;IACW,gBAA6B,CAAA,SAAA,CAAA,6BAAA,GAA3C,UAA4C,OAAgC,EAAA;;;;;;;AAGlE,wBAAA,iBAAiB,GAAG,IAAI,CAAC,8BAA8B,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;wBACzG,IAAI,CAAC,iBAAiB,EAAE;;4BAEpB,CAAA,EAAA,GAAA,IAAI,CAAC,sBAAsB,MAAA,IAAA,IAAA,EAAA,KAAA,KAAA,CAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAE,eAAe,CAAC,YAAY,CAAC,sBAAsB,CAAE,CAAA;AAClF,4BAAA,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gGAAgG,CAAC,CAAC;AACnH,4BAAA,MAAM,eAAe,CAAC,0BAA0B,EAAE,CAAC;AACtD,yBAAA;AAAM,6BAAA,IAAI,SAAS,CAAC,cAAc,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,yBAAyB,CAAC,EAAE;;4BAEnH,CAAA,EAAA,GAAA,IAAI,CAAC,sBAAsB,MAAA,IAAA,IAAA,EAAA,KAAA,KAAA,CAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAE,eAAe,CAAC,YAAY,CAAC,2BAA2B,CAAE,CAAA;AACvF,4BAAA,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sGAAuG,GAAA,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,yBAAyB,GAAA,WAAW,CAAC,CAAC;AACxL,4BAAA,MAAM,eAAe,CAAC,0BAA0B,EAAE,CAAC;AACtD,yBAAA;wBAGK,aAAa,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,EAAE,iBAAiB,CAAC,aAAa,CAAC,CAAC;wBAE5F,aAAa,GAAyB,IAAI,CAAC;AAC/C,wBAAA,IAAI,aAAa,EAAE;AACf,4BAAA,aAAa,GAAG,IAAI,SAAS,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;4BAC3E,cAAc,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC;AAChG,4BAAA,WAAW,GAAgB;gCAC7B,aAAa,EAAE,aAAa,CAAC,aAAa;gCAC1C,WAAW,EAAE,aAAa,CAAC,WAAW;gCACtC,QAAQ,EAAE,aAAa,CAAC,KAAK;gCAC7B,QAAQ,EAAE,SAAS,CAAC,YAAY;AAChC,gCAAA,cAAc,EAAE,cAAc,IAAI,SAAS,CAAC,YAAY;6BAC3D,CAAC;4BAEF,aAAa,GAAG,IAAI,CAAC,YAAY,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC;AACvE,yBAAA;;AAGD,wBAAA,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AACpC,4BAAA,IAAI,CAAC,MAAM,CAAC,sBAAsB,CAAC,kBAAkB,EAAE,CAAC;AAC3D,yBAAA;wBAEM,OAAM,CAAA,CAAA,YAAA,eAAe,CAAC,4BAA4B,CACrD,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,SAAS,EACd;AACI,gCAAA,OAAO,EAAE,aAAa;AACtB,gCAAA,WAAW,EAAE,iBAAiB;AAC9B,gCAAA,OAAO,EAAE,aAAa;AACtB,gCAAA,YAAY,EAAE,IAAI;AAClB,gCAAA,WAAW,EAAE,IAAI;AACpB,6BAAA,EACD,IAAI,EACJ,OAAO,EACP,aAAa,CAAC,CAAA,CAAA;AAZlB,oBAAA,KAAA,CAAA,EAAA,OAAA,CAAA,CAAA,aAAO,SAYW,CAAC,CAAA;;;;AACtB,KAAA,CAAA;AAED;;;;AAIG;AACK,IAAA,gBAAA,CAAA,SAAA,CAAA,0BAA0B,GAAlC,UAAmC,OAAgC,EAAE,eAAuB,EAAA;AAExF,QAAA,IAAM,aAAa,GAAqB;AACpC,YAAA,aAAa,EAAE,eAAe;AAC9B,YAAA,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,+BAA+B,CAAC,eAAe;YAC3E,cAAc,EAAE,cAAc,CAAC,QAAQ;AACvC,YAAA,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ;AAC1C,YAAA,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;SAC/B,CAAC;QAEF,IAAM,eAAe,GAAoB,IAAI,CAAC,YAAY,CAAC,wBAAwB,CAAC,aAAa,CAAC,CAAC;QACnG,IAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,UAAA,GAAG,EAAA,EAAI,OAAA,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA,EAAA,CAAC,CAAC;;AAEjG,QAAA,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;AACrB,YAAA,OAAO,IAAI,CAAC;AACf,SAAA;AACD,QAAA,OAAO,QAAQ,CAAC,CAAC,CAAkB,CAAC;KACvC,CAAA;AAED;;;;;AAKG;AACK,IAAA,gBAAA,CAAA,SAAA,CAAA,8BAA8B,GAAtC,UAAuC,QAAgB,EAAE,OAAgC,EAAA;QACrF,IAAM,UAAU,GAAG,OAAO,CAAC,oBAAoB,IAAI,oBAAoB,CAAC,MAAM,CAAC;AAC/E;;;AAGG;AACH,QAAA,IAAM,cAAc,GAAG,CAAC,UAAU,IAAI,UAAU,CAAC,WAAW,EAAE,KAAK,oBAAoB,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,cAAc,CAAC,6BAA6B,GAAG,cAAc,CAAC,YAAY,CAAC;AAE3L,QAAA,IAAM,iBAAiB,GAAqB;AACxC,YAAA,cAAc,EAAE,cAAc;AAC9B,YAAA,QAAQ,EAAA,QAAA;AACR,YAAA,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,oBAAoB,EAAE;AAC5C,YAAA,SAAS,EAAE,UAAU;YACrB,KAAK,EAAE,OAAO,CAAC,MAAM;YACrB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;YAChD,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;SAC5C,CAAC;QAEF,IAAM,eAAe,GAAoB,IAAI,CAAC,YAAY,CAAC,wBAAwB,CAAC,iBAAiB,CAAC,CAAC;QAEvG,IAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,UAAC,GAAG,EAAA,EAAK,OAAA,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,CAAA,EAAA,CAAC,CAAC;AAE/G,QAAA,IAAM,eAAe,GAAG,YAAY,CAAC,MAAM,CAAC;QAC5C,IAAI,eAAe,GAAG,CAAC,EAAE;AACrB,YAAA,OAAO,IAAI,CAAC;AACf,SAAA;aAAM,IAAI,eAAe,GAAG,CAAC,EAAE;AAC5B,YAAA,MAAM,eAAe,CAAC,wCAAwC,EAAE,CAAC;AACpE,SAAA;AAED,QAAA,OAAO,YAAY,CAAC,CAAC,CAAsB,CAAC;KAC/C,CAAA;AAED;;;;AAIG;AACW,IAAA,gBAAA,CAAA,SAAA,CAAA,mBAAmB,GAAjC,UAAkC,OAAgC,EAAE,SAAoB,EAAE,iBAAyB,EAAA;;;;;;AAGzG,wBAAA,WAAW,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;AACnD,wBAAA,OAAO,GAA2B,IAAI,CAAC,yBAAyB,EAAE,CAAC;AACnE,wBAAA,UAAU,GAAsB;AAClC,4BAAA,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ;4BAC1C,SAAS,EAAE,OAAO,CAAC,SAAS;4BAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;4BACtB,MAAM,EAAE,OAAO,CAAC,MAAM;4BACtB,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;4BAClD,qBAAqB,EAAE,OAAO,CAAC,qBAAqB;4BACpD,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;4BAC9C,SAAS,EAAE,OAAO,CAAC,SAAS;4BAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;yBACzB,CAAC;AAEI,wBAAA,YAAY,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC;AAC3B,wBAAA,OAAA,CAAA,CAAA,YAAM,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,aAAa,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,CAAC,CAAA,CAAA;;AAA3G,wBAAA,QAAQ,GAAG,EAAgG,CAAA,IAAA,EAAA,CAAA;AAE3G,wBAAA,eAAe,GAAG,IAAI,eAAe,CACvC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,EAChC,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAC7B,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAChC,CAAC;AAEF,wBAAA,eAAe,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;wBAC/B,OAAM,CAAA,CAAA,YAAA,eAAe,CAAC,yBAAyB,CACjE,QAAQ,CAAC,IAAI,EACb,IAAI,CAAC,SAAS,EACd,YAAY,EACZ,OAAO,EACP,SAAS,EACT,iBAAiB,CACpB,CAAA,CAAA;;AAPK,wBAAA,aAAa,GAAG,EAOrB,CAAA,IAAA,EAAA,CAAA;AAED,wBAAA,OAAA,CAAA,CAAA,aAAO,aAAa,CAAC,CAAA;;;;AACxB,KAAA,CAAA;AAED;;;AAGG;IACK,gBAAsB,CAAA,SAAA,CAAA,sBAAA,GAA9B,UAA+B,OAAgC,EAAA;AAC3D,QAAA,IAAM,gBAAgB,GAAG,IAAI,uBAAuB,EAAE,CAAC;QAEvD,gBAAgB,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;AAE/D,QAAA,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;AAE3C,QAAA,gBAAgB,CAAC,YAAY,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAEpD,gBAAgB,CAAC,aAAa,EAAE,CAAC;QAEjC,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACzD,gBAAgB,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC5E,gBAAgB,CAAC,aAAa,EAAE,CAAC;QAEjC,IAAI,IAAI,CAAC,sBAAsB,EAAE;AAC7B,YAAA,gBAAgB,CAAC,kBAAkB,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;AACpE,SAAA;AAED,QAAA,IAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,aAAa,EAAE,CAAC;AAC3F,QAAA,gBAAgB,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC;AAEjD,QAAA,gBAAgB,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;AAErE,QAAA,gBAAgB,CAAC,eAAe,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;AAEvD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,YAAY,EAAE;YAC5C,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;AAChF,SAAA;AAED,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,eAAe,EAAE;YAC/C,IAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,eAAe,CAAC;AACtE,YAAA,gBAAgB,CAAC,kBAAkB,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;AAC/D,YAAA,gBAAgB,CAAC,sBAAsB,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;AAC1E,SAAA;AAED,QAAA,OAAO,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;KAC/C,CAAA;IACL,OAAC,gBAAA,CAAA;AAAD,CApPA,CAAsC,UAAU,CAoP/C;;;;"}