From a3cb656afec67cfc88c00cf53238b9c2974a2415 Mon Sep 17 00:00:00 2001 
From: Christian Roggia Date: Thu, 9 Sep 2021 01:37:11 +0200 Subject: [PATCH] feat: initial commit --- .dockerignore | 8 + .github/workflows/release-please.yml | 14 + .github/workflows/release.yml | 45 ++ .gitignore | 2 + .gitmodules | 6 + Dockerfile | 24 + LICENSE | 201 +++++ README.md | 121 +++ assets/docs/examples/examples-rbac-graph.png | Bin 0 -> 106433 bytes assets/logo-128x-128-transparent.png | Bin 0 -> 3642 bytes assets/logo.svg | 1 + cmd/accesscontrol_service.go | 107 +++ cmd/add-group-member.go | 76 ++ cmd/completion.go | 28 + cmd/create-group.go | 78 ++ cmd/create-permission.go | 74 ++ cmd/create-resource.go | 80 ++ cmd/create-role.go | 80 ++ cmd/create-subject.go | 74 ++ cmd/delete-group.go | 65 ++ cmd/delete-permission.go | 65 ++ cmd/delete-resource.go | 65 ++ cmd/delete-role.go | 65 ++ cmd/delete-subject.go | 65 ++ cmd/get-group.go | 72 ++ cmd/get-iam-policy.go | 76 ++ cmd/get-resource.go | 72 ++ cmd/get-role.go | 72 ++ cmd/grbac.go | 61 ++ cmd/init.go | 37 + cmd/remove-group-member.go | 76 ++ cmd/run.go | 76 ++ cmd/set-iam-policy.go | 93 +++ cmd/test-iam-policy.go | 75 ++ cmd/transfer-resource.go | 95 +++ cmd/update-group.go | 84 +++ cmd/update-role.go | 86 +++ examples/grpc/docker-compose.yaml | 12 + go.mod | 27 + go.sum | 700 ++++++++++++++++++ pkg/bootstrap/data/schema.rdf | 59 ++ .../data/system.all-users.condition.rdf | 1 + .../data/system.all-users.mutation.rdf | 2 + pkg/bootstrap/data/system.all-users.query.rdf | 3 + .../data/system.animeshon.condition.rdf | 1 + .../data/system.animeshon.mutation.rdf | 2 + pkg/bootstrap/data/system.animeshon.query.rdf | 3 + pkg/bootstrap/schema.go | 76 ++ pkg/fieldmask/fieldmask.go | 33 + pkg/graceful/grpc_listener.go | 60 ++ pkg/graph/data/groups.exists.query.dql | 5 + pkg/graph/data/groups.get.query.dql | 10 + pkg/graph/data/permissions.exists.query.dql | 5 + pkg/graph/data/resources.exists.query.dql | 5 + pkg/graph/data/resources.get.query.dql | 22 + .../data/resources.has_children.query.dql | 7 + 
pkg/graph/data/roles.exists.query.dql | 5 + pkg/graph/data/roles.get.query.dql | 9 + pkg/graph/data/subjects.exists.query.dql | 5 + pkg/graph/groups.go | 56 ++ pkg/graph/permissions.go | 31 + pkg/graph/resources.go | 77 ++ pkg/graph/roles.go | 56 ++ pkg/graph/subjects.go | 31 + pkg/graph/types.go | 44 ++ pkg/interrupt/interrupt.go | 104 +++ pkg/services/authorize.go | 119 +++ pkg/services/authorize_integration_test.go | 350 +++++++++ pkg/services/authorizer_service.go | 118 +++ pkg/services/data/authorize.query.dql | 17 + .../groups/groups.create.mutation.go.tmpl | 7 + .../data/groups/groups.create.query.go.tmpl | 15 + .../groups/groups.delete.mutation.go.tmpl | 1 + .../data/groups/groups.delete.query.go.tmpl | 3 + .../data/groups/groups.update.delete.go.tmpl | 5 + .../data/groups/groups.update.query.go.tmpl | 17 + .../data/groups/groups.update.set.go.tmpl | 7 + .../permissions.create.mutation.go.tmpl | 2 + .../permissions.create.query.go.tmpl | 3 + .../permissions.delete.mutation.go.tmpl | 1 + .../permissions.delete.query.go.tmpl | 3 + .../policies/policies.update.delete.go.tmpl | 5 + .../policies/policies.update.query.go.tmpl | 23 + .../data/policies/policies.update.set.go.tmpl | 17 + .../resources.create.mutation.go.tmpl | 7 + .../resources/resources.create.query.go.tmpl | 7 + .../resources.delete.mutation.go.tmpl | 3 + .../resources/resources.delete.query.go.tmpl | 7 + .../data/roles/roles.create.mutation.go.tmpl | 7 + .../data/roles/roles.create.query.go.tmpl | 7 + .../data/roles/roles.delete.mutation.go.tmpl | 1 + .../data/roles/roles.delete.query.go.tmpl | 3 + .../data/roles/roles.update.delete.go.tmpl | 3 + .../data/roles/roles.update.query.go.tmpl | 9 + .../data/roles/roles.update.set.go.tmpl | 8 + .../subjects/subjects.create.mutation.go.tmpl | 2 + .../subjects/subjects.create.query.go.tmpl | 3 + .../subjects/subjects.delete.mutation.go.tmpl | 1 + .../subjects/subjects.delete.query.go.tmpl | 3 + pkg/services/groups.go | 110 +++ 
pkg/services/groups_create.go | 120 +++ pkg/services/groups_delete.go | 77 ++ pkg/services/groups_get.go | 63 ++ pkg/services/groups_integration_test.go | 383 ++++++++++ pkg/services/groups_members_add.go | 15 + pkg/services/groups_members_remove.go | 15 + pkg/services/groups_update.go | 146 ++++ pkg/services/iam_policies_get.go | 80 ++ pkg/services/iam_policies_integration_test.go | 334 +++++++++ pkg/services/iam_policies_set.go | 154 ++++ pkg/services/permissions.go | 21 + pkg/services/permissions_create.go | 81 ++ pkg/services/permissions_delete.go | 77 ++ pkg/services/permissions_integration_test.go | 109 +++ pkg/services/resources.go | 16 + pkg/services/resources_create.go | 114 +++ pkg/services/resources_delete.go | 88 +++ pkg/services/resources_get.go | 64 ++ pkg/services/resources_integration_test.go | 174 +++++ pkg/services/resources_transfer.go | 15 + pkg/services/roles.go | 7 + pkg/services/roles_create.go | 110 +++ pkg/services/roles_delete.go | 77 ++ pkg/services/roles_get.go | 61 ++ pkg/services/roles_integration_test.go | 294 ++++++++ pkg/services/roles_update.go | 128 ++++ pkg/services/subjects.go | 21 + pkg/services/subjects_create.go | 81 ++ pkg/services/subjects_delete.go | 77 ++ pkg/services/subjects_integration_test.go | 115 +++ pkg/services/template.go | 45 ++ schema/animeapis | 1 + schema/api-common-protos | 1 + scripts/docker-compose.sh | 12 + scripts/gapic.sh | 23 + scripts/run-integration.sh | 24 + scripts/update.sh | 22 + 137 files changed, 7909 insertions(+) create mode 100644 .dockerignore create mode 100644 .github/workflows/release-please.yml create mode 100644 .github/workflows/release.yml create mode 100644 .gitignore create mode 100644 .gitmodules create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 README.md create mode 100644 assets/docs/examples/examples-rbac-graph.png create mode 100644 assets/logo-128x-128-transparent.png create mode 100644 assets/logo.svg create mode 100644 cmd/accesscontrol_service.go 
create mode 100644 cmd/add-group-member.go create mode 100644 cmd/completion.go create mode 100644 cmd/create-group.go create mode 100644 cmd/create-permission.go create mode 100644 cmd/create-resource.go create mode 100644 cmd/create-role.go create mode 100644 cmd/create-subject.go create mode 100644 cmd/delete-group.go create mode 100644 cmd/delete-permission.go create mode 100644 cmd/delete-resource.go create mode 100644 cmd/delete-role.go create mode 100644 cmd/delete-subject.go create mode 100644 cmd/get-group.go create mode 100644 cmd/get-iam-policy.go create mode 100644 cmd/get-resource.go create mode 100644 cmd/get-role.go create mode 100644 cmd/grbac.go create mode 100644 cmd/init.go create mode 100644 cmd/remove-group-member.go create mode 100644 cmd/run.go create mode 100644 cmd/set-iam-policy.go create mode 100644 cmd/test-iam-policy.go create mode 100644 cmd/transfer-resource.go create mode 100644 cmd/update-group.go create mode 100644 cmd/update-role.go create mode 100644 examples/grpc/docker-compose.yaml create mode 100644 go.mod create mode 100644 go.sum create mode 100644 pkg/bootstrap/data/schema.rdf create mode 100644 pkg/bootstrap/data/system.all-users.condition.rdf create mode 100644 pkg/bootstrap/data/system.all-users.mutation.rdf create mode 100644 pkg/bootstrap/data/system.all-users.query.rdf create mode 100644 pkg/bootstrap/data/system.animeshon.condition.rdf create mode 100644 pkg/bootstrap/data/system.animeshon.mutation.rdf create mode 100644 pkg/bootstrap/data/system.animeshon.query.rdf create mode 100644 pkg/bootstrap/schema.go create mode 100644 pkg/fieldmask/fieldmask.go create mode 100644 pkg/graceful/grpc_listener.go create mode 100644 pkg/graph/data/groups.exists.query.dql create mode 100644 pkg/graph/data/groups.get.query.dql create mode 100644 pkg/graph/data/permissions.exists.query.dql create mode 100644 pkg/graph/data/resources.exists.query.dql create mode 100644 pkg/graph/data/resources.get.query.dql create mode 100644 
pkg/graph/data/resources.has_children.query.dql create mode 100644 pkg/graph/data/roles.exists.query.dql create mode 100644 pkg/graph/data/roles.get.query.dql create mode 100644 pkg/graph/data/subjects.exists.query.dql create mode 100644 pkg/graph/groups.go create mode 100644 pkg/graph/permissions.go create mode 100644 pkg/graph/resources.go create mode 100644 pkg/graph/roles.go create mode 100644 pkg/graph/subjects.go create mode 100644 pkg/graph/types.go create mode 100644 pkg/interrupt/interrupt.go create mode 100644 pkg/services/authorize.go create mode 100644 pkg/services/authorize_integration_test.go create mode 100644 pkg/services/authorizer_service.go create mode 100644 pkg/services/data/authorize.query.dql create mode 100644 pkg/services/data/groups/groups.create.mutation.go.tmpl create mode 100644 pkg/services/data/groups/groups.create.query.go.tmpl create mode 100644 pkg/services/data/groups/groups.delete.mutation.go.tmpl create mode 100644 pkg/services/data/groups/groups.delete.query.go.tmpl create mode 100644 pkg/services/data/groups/groups.update.delete.go.tmpl create mode 100644 pkg/services/data/groups/groups.update.query.go.tmpl create mode 100644 pkg/services/data/groups/groups.update.set.go.tmpl create mode 100644 pkg/services/data/permissions/permissions.create.mutation.go.tmpl create mode 100644 pkg/services/data/permissions/permissions.create.query.go.tmpl create mode 100644 pkg/services/data/permissions/permissions.delete.mutation.go.tmpl create mode 100644 pkg/services/data/permissions/permissions.delete.query.go.tmpl create mode 100644 pkg/services/data/policies/policies.update.delete.go.tmpl create mode 100644 pkg/services/data/policies/policies.update.query.go.tmpl create mode 100644 pkg/services/data/policies/policies.update.set.go.tmpl create mode 100644 pkg/services/data/resources/resources.create.mutation.go.tmpl create mode 100644 pkg/services/data/resources/resources.create.query.go.tmpl create mode 100644 
pkg/services/data/resources/resources.delete.mutation.go.tmpl create mode 100644 pkg/services/data/resources/resources.delete.query.go.tmpl create mode 100644 pkg/services/data/roles/roles.create.mutation.go.tmpl create mode 100644 pkg/services/data/roles/roles.create.query.go.tmpl create mode 100644 pkg/services/data/roles/roles.delete.mutation.go.tmpl create mode 100644 pkg/services/data/roles/roles.delete.query.go.tmpl create mode 100644 pkg/services/data/roles/roles.update.delete.go.tmpl create mode 100644 pkg/services/data/roles/roles.update.query.go.tmpl create mode 100644 pkg/services/data/roles/roles.update.set.go.tmpl create mode 100644 pkg/services/data/subjects/subjects.create.mutation.go.tmpl create mode 100644 pkg/services/data/subjects/subjects.create.query.go.tmpl create mode 100644 pkg/services/data/subjects/subjects.delete.mutation.go.tmpl create mode 100644 pkg/services/data/subjects/subjects.delete.query.go.tmpl create mode 100644 pkg/services/groups.go create mode 100644 pkg/services/groups_create.go create mode 100644 pkg/services/groups_delete.go create mode 100644 pkg/services/groups_get.go create mode 100644 pkg/services/groups_integration_test.go create mode 100644 pkg/services/groups_members_add.go create mode 100644 pkg/services/groups_members_remove.go create mode 100644 pkg/services/groups_update.go create mode 100644 pkg/services/iam_policies_get.go create mode 100644 pkg/services/iam_policies_integration_test.go create mode 100644 pkg/services/iam_policies_set.go create mode 100644 pkg/services/permissions.go create mode 100644 pkg/services/permissions_create.go create mode 100644 pkg/services/permissions_delete.go create mode 100644 pkg/services/permissions_integration_test.go create mode 100644 pkg/services/resources.go create mode 100644 pkg/services/resources_create.go create mode 100644 pkg/services/resources_delete.go create mode 100644 pkg/services/resources_get.go create mode 100644 pkg/services/resources_integration_test.go 
create mode 100644 pkg/services/resources_transfer.go create mode 100644 pkg/services/roles.go create mode 100644 pkg/services/roles_create.go create mode 100644 pkg/services/roles_delete.go create mode 100644 pkg/services/roles_get.go create mode 100644 pkg/services/roles_integration_test.go create mode 100644 pkg/services/roles_update.go create mode 100644 pkg/services/subjects.go create mode 100644 pkg/services/subjects_create.go create mode 100644 pkg/services/subjects_delete.go create mode 100644 pkg/services/subjects_integration_test.go create mode 100644 pkg/services/template.go create mode 160000 schema/animeapis create mode 160000 schema/api-common-protos create mode 100755 scripts/docker-compose.sh create mode 100755 scripts/gapic.sh create mode 100755 scripts/run-integration.sh create mode 100755 scripts/update.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..89ffc85
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+.cache
+.dockerignore
+.git
+.github
+.gitignore
+*.md
+/Dockerfile
+/LICENSE
\ No newline at end of file
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..2f061d7
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,14 @@
+name: Animeshon gRBAC [release-please]
+
+on:
+ push:
+ branches: [master]
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GoogleCloudPlatform/release-please-action@v2
+ with:
+ token: ${{ secrets.WORKFLOW_GITHUB_TOKEN }}
+ release-type: simple
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..98e3de0
--- /dev/null
+++ b/.github/workflows/release.yml
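Review bot: In .github/workflows/release-please.yml the step `uses: GoogleCloudPlatform/release-please-action@v2` references the action by a movable tag while passing it `secrets.WORKFLOW_GITHUB_TOKEN`, so whatever commit that tag points to at run time executes with the token. Pin the action to a full commit SHA and keep the version as a trailing comment, for example `uses: GoogleCloudPlatform/release-please-action@<full-commit-sha> # v2`. The same applies to `actions/checkout@v2` and the `docker/*` actions in .github/workflows/release.yml, where `docker/login-action@v1` receives `secrets.DOCKER_TOKEN`. A short comment above the `token:` line stating which scopes that token needs would also help whoever has to rotate it.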
@@ -0,0 +1,45 @@
+name: Animeshon gRBAC
+
+on:
+ push:
+ branches: [master]
+ release:
+ types: [published]
+
+jobs:
+ docker:
+ environment: release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone the repository code
+ uses: actions/checkout@v2
+
+ - name: Set up Docker versioning labels and tags
+ id: docker-metadata
+ uses: docker/metadata-action@v3
+ with:
+ images: grbac/grbac
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ tags: ${{ steps.docker-metadata.outputs.tags }}
+ labels: ${{ steps.docker-metadata.outputs.labels }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..419ae98
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode
+bin/*
\ No newline at end of file
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..0ca213d
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "schema/api-common-protos"]
+ path = schema/api-common-protos
+ url = https://github.com/googleapis/api-common-protos.git
+[submodule "schema/animeapis"]
+ path = schema/animeapis
+ url = https://github.com/animeapis/animeapis.git
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..65263fa
--- /dev/null
+++ b/Dockerfile
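Review bot: .github/workflows/release.yml declares no `permissions:` block, so the automatically provided `GITHUB_TOKEN` keeps the repository's default scope for every step of the `docker` job, including the third-party Docker actions. As far as the hunk shows, the job only checks out the code and pushes to Docker Hub with separate credentials, so a top-level `permissions:` with `contents: read` should be sufficient. Because `push: true` is unconditional, every push to master publishes an image as well as every published release. A comment on the `on:` block saying so would make that intent explicit.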
@@ -0,0 +1,24 @@
+FROM golang:1.16-alpine AS builder
+
+WORKDIR /build
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY . .
+
+RUN go build -o grbac ./cmd
+
+FROM alpine
+
+WORKDIR /usr/local/grbac
+
+COPY --from=builder /build/grbac bin/grbac
+COPY scripts/docker-compose.sh docker-compose.sh
+
+ENV PATH=/usr/local/grbac/bin:$PATH
+
+ENTRYPOINT [ "grbac" ]
+CMD [ "version" ]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f49a4e1
--- /dev/null
+++ b/LICENSE
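Review bot: The runtime stage of the Dockerfile starts from `FROM alpine` with no tag or digest and never sets a `USER`, so the published authorization service runs as root on whatever `alpine:latest` resolves to at build time. Pin the base image, for example `FROM alpine:<version>@sha256:<digest>`, and drop privileges before the entrypoint with `RUN adduser -D -H grbac` followed by `USER grbac`. The README example in this commit uses port 9070, so a privileged port does not appear to be needed. Pinning the builder image `golang:1.16-alpine` by digest as well would make the release build reproducible.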
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..aba20fa --- /dev/null +++ b/README.md 
@@ -0,0 +1,121 @@
+# gRBAC - Graph Role-Based Access Control
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/grbac/grbac.svg)](https://pkg.go.dev/github.com/grbac/grbac)
+
+
+ gRBAC logo
+
+
+---
+
+A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered by [dgraph](https://dgraph.io/).
+
+**NOTE: This project is developed and maintained by [Animeshon](https://animeshon.com) where it is running in production.**
+
+
+## Build with Golang
+
+```
+go build -o bin/grbac ./cmd
+```
+
+## Build with Docker
+
+```
+docker build -t grbac/grbac:latest .
+```
+
+## Run examples (gRPC only)
+
+Run gRPC docker-compose:
+
+```
+docker-compose -f examples/grpc/docker-compose.yaml up
+```
+
+Run integration tests:
+
+```
+export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9060
+go test -tag=integration ./...
+```
+
+Visit `https://play.dgraph.io/?latest` and connect to the endpoint `http://127.0.0.1:8060`.
+
+Run the following generic DQL query:
+```
+{
+ query(func:type(Resource)){
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_)
+ }
+ }
+ }
+ }
+ }
+ }
+}
+```
+
+The following image is an example of the expected output:
+
+![gRBAC Example Graph](./assets/docs/examples/examples-rbac-graph.png)
+
+## Play with gRBAC
+
+After succesfully running the gRPC `docker-compose` as described in the **previous paragraph**, build gRBAC locally and execute a random CLI command:
+
+```
+go build -o bin/grbac ./cmd
+```
+
+```
+./bin/grbac accesscontrol create-permission \
+ --address "127.0.0.1:9070" --insecure \
+ --permission.name="permissions/grbac.test.permission"
+```
+
+_Keep experimenting with other commands or through a gRPC client!_
+
+## Resources
+
+- [Animeshon APIs](https://github.com/animeapis/animeapis/tree/master/animeshon/grbac)
+- [Animeshon APIs Client Library for Go](https://github.com/animeapis/api-go-client/tree/master/grbac)
+- [Animeshon Protocol Buffers for Go](https://github.com/animeapis/go-genproto/tree/master/grbac)
+- [Animeshon Compiled Protocol Buffers](https://github.com/animeapis/proto-binary/tree/master/grbac)
+
+## Known Issues
+
+- etags are not implemented
+- atomic group changes (AddGroupMember and RemoveGroupMemeber) are not implemented
+- resource parent transfer (TransferResource) is not implemented
+- [limits and quotas](https://cloud.google.com/iam/quotas) are not implemented
+- there is no maximum distance set for `shortest` queries
+- groups can currently include other groups - this behavior should be discussed
+- partial updates will return partial resources - complete resources should be returned instead
+
+## Roadmap
+
+- [ ] resolve known issues
+- [ ] remove Animeshon internal business logic
+- [ ] move protobuf definitions to this organization
+- [ ] generate missing grpc clients (e.g. Java, Python, C#, ...)
+- [ ] publish docker image to Docker Hub
+- [ ] build the project through Bazel instead of the Go toolchain
+- [ ] add unit tests on top of integration tests
+- [ ] add monitoring and tracing
+
+## Off-topic: gRBAC meaning
+
+The name gRBAC comes from `g` + `RBAC` where `g` stands for:
+
+- `graph` as it is implemented on top of a graph database and leverages graph's properties
+- `gRPC` as its implementation is completely gRPC native
+- `google` as this implementation aims at mirroring the Google Cloud IAM architecture
+
+and RBAC stands for [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control).
diff --git a/assets/docs/examples/examples-rbac-graph.png b/assets/docs/examples/examples-rbac-graph.png new file mode 100644 index 0000000000000000000000000000000000000000..66bdff3fb14a81178d81ae4930a35d71a0a6d798 GIT binary patch literal 106433 zcmdRVglZQTUl5bSlS~9+ZyQD8|c4uGO;&)DJCu@tNaZe9|7Sdg1E?g1?Rb)MWgSpVIHsx zD?^v1;<>BT>TyJE1k@Ge??2yRy?iW(MH!4k(9)=+{Tc&mTRNY4=G;f2#tr$iKhR<^TPP!z23t{OA9x?=WK4e0oVi5ijAX<2|v8Dp5eU zZl{Xc@tPQYTxIENNj0vFsJbW?CT3k5VVnUstxsT}`lq_B&rp|b2mf&nD_1pf-_><~ za!Cl4%EyuK8q25GTsQC{`yJk|HRVd8*qE4~f8$_cx>&K5@OM;*89C=4Ix0~N!Wylv z#@-9WI{P({of8U?Tq*DY1N%v1Vn$Z*Ube5f>$PoO_+JfQv8-J4q^Y_GM=ZH~m7N}> z%?J$aLHmG$92D3?S?0P=Nt(u_DZBjW;}zY7YX{_FRDvl=D?yeV9LYcDBCVv7xRzZ5 zUD>*P0-av7gFam0|{wR zuhoaUz$yIai`xHN<5xO@>_utysOp6cES)pMB#OU3?_HChTD?l)ucu|NR@E#1=fw|2 zh5zhW#DrCnHpK5y$w1cpyV_DFVyrAzSrqrb15uV(l5&50!@+oU!-OzV>Y1#T`P_K- z^Z#}Y-6*hJhpL?&EnipcZ6CA=MadNNLz?Gzm014U#L#o%D=UMS)jb+)g0(*(qPAvy zJXcbEZszE&N-6_PE6cxrf`xKE1@Yri5fa#Q6<5YOu(_GoH&FUTJ<~0}b6+GbH(#LD zwsIpm0zN!aF;Yp?O@p(-4{_o(+yIToX(EpwP_U&U^-+zQ$6 zTpiFiQXOE3bb7Xf?DV-j#90!<;r0uznuy3cPtIbEsK~lUkSm3LBjF1~G~!RFpVtc7 z^lDkqu)XX!$&7b%TsAEpzLFWS*hyC}WtNJzHt@Zych$^k{W3CKk74@F{~iDMtZIEb z39(GXD9Nnwf^v~i$iJS}W2vwG{6vI1h9HA;YEZ%TN6tssDO|Ln2UF(RU90Dd0;^ZM z1>9Q)u>~ANU5_ARdfM-bn52b&rWVHPSye`?OkkSl7AAra`6o_h!)!N*g@Z78ge;s< zIklh9+uUp%OmOMQBz)z4H`M2|7sK>&T)3zu?q~n7vnv*&4_KMR1*OpLbDy#Y{@AZ# zQdq;jA>pduZ##R^3~bvQ7f#X9`|9oE7kNk1SVx`4C@l@fBkGo<{WRFtkAEF2e5ZpA z?LXFkex@8<%QJ@hGYx$wh?d2bb3RY#=;jN#!v4vOGE3_h zo0On|m|&*A-p*OSvW}Ut`?M&1lMPC08&F&I2alMT&p+uGwKsewcdT$)4k4Vzuz(v!frRa@jbat#E2qHmCBF zWEx~rTH>Brh4OeY^vVSn#`2rFS&k2Cn}7AzSpWDZLGvj{Puqc~TR50??+bA)Qq|ua zL|0)Ih`!-P*Qsf{ea4w)yg%~7UPIwZOde83k_0tAI~~65NJn)Lz`v`X_nNyAix#U9 z-f&CokzC>8AXzy*Yuq#b^QPKjoNRkTtwOY!MS0x{-IpB!EVlUbmnJ2Vb)^04PeCm| z-t5a31$ZstXAK$Yz9{`{>ui(V>BSebHa+LzUORQvJVz!GAzvx~j3s^ZThRk-tvzQFBwIWq5WsR}4XSx-e7o-)yBm)mo>%x;_5* z)|&Za(cO9h6)hhU*id;(``})4bUNKm27|MXvXZ1>PLGP}Y4@c}L(wby&FaIAhX%Ql zBP3iUu&1@x3eI};cyYhZrkh|lXCgd=!;-9NYLD{SpZ;flTNQ@6>n-PRg2bq@+ng>A 
zgR2G6E^#R6Hfe2pJIMPDd-~`7^BsI+%Nx9QqPH;qq}+BqivU3~ru{X=kSqiFHFlS* zwvOB+4*X;8AB;y<(4qY#IJc&Xg%iYkep>Z>rg}WA1q>G~iK8XuU)7-J^ ztJ{~ujIqu-T@(hhe9zDJ=TnkAtiO6CGw!eJ2A$~gvqW@J6FqaU?+q|9hu)saKTiEZ zTc%kVR4=ugXLGa-_XL6VXi;KDIuaIFalIHbXxo-fsl9LI>TPfNc(rn4A0PWM^h?c0 zHT19tKEu`Lbp@_Rbo+N)$=Q^@+utt7vWM9B=J2krE;&94bVWsD1+Em5<>w2|Sx<&B zrnX^D%5J1fMv37zEtA``fv$CWFLb}5>A~&ZD6vhNc-Zjz=_gJxxv5jV79Q1gh#6js zAi;9lZs_5Bis!9+V{6iO(wQn#@q>NGjG(1?qE#jgUzaRshZlbwwX(oX%$MmYlQJ2G zxO1(Bsq>ao0~XYCr#<~&M?}|K7UZ5@%$<66qW)0^2+jOz>p^~4cj-($Eep6CY=iyo zcEznVuxAL3rE;tD;6&uTzI!#(_3dFGIlE;Ja2j!1mFz2gXKFaVz2>=dXt;8ls;wK(>o=Sj9_mZJrsiL^fnemOJm8ix+b2FLetkBEMa)X4WH2vKq!^ zZ~f~djy3qopTHR{BY1J7!a^(rkTR1{kgAY0?ETeu7B9VK&}K<^#=)IV=!=q-`jtGsK!HA zZr?s{nK|4&rM)O`i|1V&&_~zfp%GBu)-m0Fms?=~g_fSnHKg&h1VMbCnDHNrs`FK; z%vokqYTL>TZthrgT9k7B(PdSeLI9|!?vcG~QDBdQdD-#^0dr#i>;TMSH($Ud{pXf? zVw%MQsym(NuQ{7~U(gOBBD|IZ z*B{>kLy~A0+)KNK^;#DW+^IBHcrr-w1EOE4IAT0@J376%HWW-kq&`dM)@ChxrI6~% zP&oayvgm;F-;7)y5}Pu(k8ev@h|AeAIi&H~^T!*u*s84{bI*yEYQwUY)y0ULC89p8 zBZBKT?XREq41Zr1aYhy5C~bwDmTEqGV1mlHQ{OE~BQW%FD7;jT5 zBG8lV6?oucpr{>=o)rT7_8Ghz&?{9aH902oT|^o#QQ>NxC&F7wq+4c3<3l3;6ysu2 z)k$4#$j=tnAu_c&O10#;oZO$SI>0+|p8xAusd3LUy9o8O%sT%bj1A4yoeCnID0kdo znmELOC|gdh=4gyoe{LTgAvlA-`pQAGnayi+o1vgF7F5wPl7Q^?XHsfx8S-_}Muxc+ z9D@(yks|-5+vI*wFPMsA_8U-dHMG834db1kOpjk1=XJL1qVJcvV%%+6$9W|%?z_49 zh*TF3qSkW?|CuLBB6pxoTEh?<@4We5=8iv^TNz8W8lF7uA-MQ^;|fJoQ>*3;FLN}* zkrz5IU&}(PoQ~g}C*QD_K#T!-i%UKHQ=1{He9ji}H+JN;JGhCJg0Vp0=H}Fs7^|5wN>qdMOPivi?<;4G%u9Z zS@aCS1yPrmP9L53Ij53cbBR~gw3bx9SnqpqYv0&<=k|7(nrKPuO}~n&F7&s{;@Kz_ z(?xj)8Od;kQfZKj6ltKFbL|jB$TF45N$DuI>|x85bew)K)g}wK?8YW15A+oQ5iW z`jF8of?XY}Rbl)ER4C|b%~D{=)m65_JVZE1C*MP{@=+3FJyV|C54|mxQ)Q?b=)5_Xf&KkIIl-kG#bIVF)qw#}~T)5OAw(aBl! 
zlsnpoNLYkVXHK{%K8viP&gD=ky!a!G(%3A#FgBBS%;7UUW(P|+=rctsbIOV%8s1+t zSBK?~o$0Kh34mjK<=_i1b{nlh(HaA8JV8~LFy4HOWfrDg)93SLgwo-wY)w0LJf8ZAK}#Dg`W90c_uxsh{PZ$|Kf%9OR`=19l;5xZ;;;A# z5yL2RZV9a{SX504eKwQnXc}9PbNjg@Q$bgi#FU|oK89y}8nA#$b@qGm|E_Acck~a_ z^}aP`^4C%KA4z=uCrtg&aU0QLzzCnwBng-yBlT$jRtF9|11aD?FcNxk{ZQh<;4;&r zcCf!f)UG^+V)dEUq2pTfi}DR(LOM6`c?*mxxwV4TSd@C1PSNZRcGd#pl*c+*^|KYj|% ziH(rdnh!@;G7i(jkR5KhLi{NEq%Wds772`hGEDTXtUo2{@TA`#qy$nwMzAcWl^KX?4URi&G zSf)waSk`~%9&hb6RPm(a3!be+e9?`m74FTb=7%UT6`DfR=O7&aIl4ssLV5uFPknjw z4wW=dVRqIZW98!A8)D=Yo%O(>eOWmi6j8dM1*Z;kc1`xXjzWt5yVRW+CVT?v@G(5o z^eM6yis8gJR6(^J3EdlapYkv!G^^#!WddC?cEV0sViOG+K`H#3=qXC;ymvm@#<+Sh zpnbcfJ8h)dKGYnplLv6wH})G90W{%<$%C7O= z)E>w6*wqJ_o}`Xq*g#trR$@?A>OPxBw|vM3g1f48$k|oSNAllO)IWP69g1ZeV2o0w zc>t3J+w*W(NcrO)e}^-V-N?vvMT_)NjW9eH!anjhC>_&A*FW>+1PobU;d<>>#)6*h z;0KiMH2J;LR}c|h-nsqOECk!R#`uI%q~l-z@)EQB00&!J{|>j;h=s|-7B8G6^G-hb zqXI&p4914)1AKOwIhlB}_3zKu9fajl_r@O`i@FtmA&XMhE{I_RhoH-CfYr5*>j8xt zb83!vq=%9BNvrzE{=1j;?zbr^$hMpEZ$8G!i7Z4G94-J~q;m|0OKYr1gYE~o zf6Pu4Qs!T~g&8n%4$FD^-KsD#b~sF4Ml#`-rm((uTF&S50yf`ReJ0xA+?CewYT*O0 zEeN>vJ{Po4|K^fNq7Gfppu` zF{8_XnYs7Fy5=GrrF*FUeEZe%q1MUmYl%F%YC+iS#D!U6i#N)%lzf_*k9MU&!a?Lw z*;z<=f0ub;QdBx*{D%NIY5VR7`)IB{i+HD{tHH(>Aak9~C_D^oLv9%?eKmN>5&ZQlh-)BjjxMEj9+D4Ys4_5>-GOTG@6E8tt z{>LyJvBV*f>u=D$x&FCvm{z}w%3fETPdf@tA6M?z^(5@4(K=}s;ln&tL}gA&(WBxm zXrrf~c$Px@EwHDmt6PVQMX0JKIOp9O`z$0TmTEIhlkMi9zH!32pk(fpCihvr4{A4( z%1{Y&V#?G{@XUJxtj-aY`a@uCN2ULl;=xwcPoVdQEKUjH1{>V z4i@ho!+tRXI4HBf)Lc)M&TE%PH7kZPSx0|7SO~hgt{4XXy(82wg&v!&72~Gw5`;2 z#S=(`Auijw)V1si{O}1=kxqo+Yw5DG`F(pofxXe@e--4CaczI|Tr5iLLUKO$!JApi z+xg#VhiZ#0A7;zW3)Z|K{09xr1{)5|BNq|~d`Q#YL%zXHdT$*YIU>kJp$EObYtzYUa%wbSH#Jh z@)BDn1TV)OtJ*r-?={oV73f^U?}(GsDyph)Tuc0?H*hn(3Z*zxElM&g*Fa8XufC6m zPqDYel~A_%WW7qDum6_ryA~V zQG0%HSm17T`sCX7iYd7QgRw(uwu}bYNO9Oon*izV?S<42A1U|z4eZyS#G83e&j3y{ zc{*`Wv;}b~z4Zis`!O!+dhuKk^K4pntw1181JP%8hwp3(DhdcQU>hy|TL+%@qDPD5 z&AeByF*pT8jIvTL79QR)AE5EPBJo{#zu+G-yF=Vk4MS186L6D~lr)F5nYrejK(>N* 
zR<@(>1^`1hpKql@&o8Z2X~g?q2I_gN##qQ4nX0SRrFqSG$G$jSGv(FCOBC>+G#Tr? z)At)iPOD*raH@zglC6w(BE+9`V{O1ptkEfy>&TH+wjj8F2iuR4T4wSuAhniF5Io7Z z0w;dbCl%{+t-rx;yRqPMQXn`LqC>FW$8A_{$2WG(f}orFM(g)EJs}-L!4WB~zoE(0 zd;&Y0ZDGiG^$mN~WNsDV$p_=76Ns`KMOkCYZR(ESnpH4b7H`aIYor4#o=&WBEWQp# z7TSG@;6{-$53w!&k^Hp5sT<=vJtg6%(B}stAHSG1vHXQlj01^E-xl9cCG-#4$!{z> zYS$@U5ub?Ea(Z&sC@qC?>zxzu~-bOFKwfp~#yAadP? zn4{zs1Mddh3-OUtV_cnWc+fG9JjAftOQ~F9y^#1^nlC=S`yC=_hJ3qiA$;B(lFmElXGTZwDArId zY&AoY!8<3~TfLtMh4Ta~yf?j`L{-||*bHtv;(;zGwJzMY#CGgGV~$H*j*aC!SHCg} zbjjoj2R+h7UoQrsUv^B z;%VijRln?b5PRm2sYyvYJfndkT-hsCOmn)%|=@+8H(>YK(UM?S6m2j!S3v_8(Bx7r^#+g+I zm@rR7tcffe{gd3eBj7UtdYamt6yBU9kODw|RQDJ(K{$Pn(JfI&@weN``swxYO;D<3 zSHg67IZBF~rNw@w)W2f@KL-xES{9|WZWzGTsBmi{lsZwYuGfR=AKLOyi-HoHK)wk6KoYEc_>Wrjc?PE2W# zT`g>+@iVS$f@_$eIdCK9;$sIQD1ok-i=k8z2l$X%ytMxQZ-3MP_+NW+G`w$DBxXyP0#Qqdm6Tw(fm*F3s3&lUo@=#o3%_CyN!F`{K2w{N_;@WH@|qs%>SB2?X{k#E zn8E~Nf?1cdle~4EIa;#+aa?#lWOycgP{cJDVwASbW|5X7AnT-f7xP)el&du9D z()|XMTleZ4m`weRifO13Ug}y+y%*YYC4&Gc)1R~|pL|X4d|Fb}90WHX5`Zdspm18G z@LUdclS99_J%QNlCy?$IHH83wF!OV`b=@($wz_GlxJlMZI;XZQsP_X18x*#Zy6itx zQ1u%cCy3y?QN~r)g~qy5jyMZY4fZ21G0K#_Qj|$-z?=-z!jTc(W#I0RYNuu3mNfW4> zc6Bb6B~UL#h(a4<`FFL~e}c^S*j=jywDv3~*03-mqfK(;MT$$_nI_nOn9Dm>ERWGj z7myX3>)YR1MJZfYW?}w~T4N^zPXVC?IxAqzTy6X}yc{IyN&*x6?R&sq^Ch7uUQbwQ2Tf})GE&2p!zxknbp zQvOEYPrt+%BQS0)@0Zl45?3<;jVCBOpQ`gz&pG&oU0G(D@3aiWzzpz)~ zJ<@*Rg|?J>%Lr2T;Rc^zf}20@Y7Mqyz^{X;{XcWtz}(Iz7r4N{_xJSlJe& z?$zxB`uVxr$4ktp0J`GzC$;75#Bg3Eq^?S6q`|Cp6Jpz6K;-o9-6!u<@!x^FWTBW zjP%DCCE1#rJ6$KsJ5ZEgE9f?;Pw108su;x3dqEX3=pNz3fo>ynEp1s$tY1~yEk;Dj zm*;hN)06hOTw>mfnVI>io6y_GL?xF5OX}LcQYTkmfN35sbcWE#sf07LHxs1YYGpGe z(0l#UVNhA@Vsa0C(FyY}QXQg(d49~!_11!46C32-m(*_F?SNX~>!}*0#t;!@? 
zE6VUSYp+HALVWC)KG7UDw)qD`7PW+hGyQER`q6c2O;<6?eF@N$rUzY( z0@ODM8R_klq=W&-COQjjhyzl4Qk|5m zPn4qHP;wI4av&N^^`$oA=dbM>A9c)^RQYrOYdc#Wh@L9$ERw1z!~19LvCk$;W3<|6 zc;?wsmHUIfI<}W)Gx*h_@c0pk;FB9tIF0 zpq{Lg8Fj%w$paUWc!6LwE5PQ+0zECG zQeA|lsZZ6G<5Kl8E5i{tXz1vo4ZbMR0GZS%ElN6Ng-lOFS1+>TIZANfO1fq&#+ZlX zyrV>j(~EpV2?!hz`1wtW2!-oQO-kby^&E&~+PbOs-qs+&&SRpg`=iX$$U}Lu&&a4+ z$};gzxrIB2a9x}H<4?wr5Vrl$JR7fRgXFL}n0vl((>9L6FOk&0!662H++*1|_ss}E zWYr9(<{Ed%Nhqu-0OeO(v|M?i0ymhZ2|&7ygUEA6#!Ha z#3(hZPq|m)00V(J?#J@|zKs%xnSDs@pE&F81^_&~kduU{_;0rq!0GRz2e&YXP%VR; zSbz2F1R~>x)+~61qd6{|lT4{+Kr@d=R@{=-t&Lb(*E-o2)-e_C>qGV`uH zX1yf*j^wO!ZxuNFg%FGh(>`G6OY}BOTTm#ApU*!#Iv>-t5=PslMO&>>9vCiKy%~C2o zE2s?k^59$@V)S(PsUIw=%C@sHi7m9w){@uP(`%Oobj*AU*UyoVN=lj?#w20VI!=KJ zoZTgkp1U3q>EG!@Mj0`!Q(U};*am;L)F1NL)jbwiI=Gi=3^O+NjH3)62IWK?bpKHU zkj&F#7~h&WU|MNOpO3u_5F_qhy8)oXzt2j2(un}`49Uc4tu@y-4Bz;<_n}^HI(z+? z(q?n}Bk-|4dF3FHIuB(+uAJdM#SS}NQvl=KLm0P9oBKQ0D2WMh%SL2VpX*LDt+9FB zGYQnNv`vYWG$VnURv9JDwds0Kzwf*~1$0*X9ezd^x-h0S)`b|7q$rJ5t&?jcf1Ulc z4dvl4*oe_v$6$c6G~`j`RFSN;VupR!IjDH$oOO{&OeoNut0v$wc3S}G9Nq-LAF0di z7Bz$b9FDEV#-Jl(%=`3aGnMHu$*s93zM-WPpGOeIJax*&=^7m%6IIXbqj-?6ZLM#f zgC2B;=8AH&?*dN9G0r^8eWOgD=7ACd61Jh(M>V=az(D7Y5q0bxj$@j@fb78pnFCO* zT(Tb9rvnQl>^0H!l-!jpkKV<$L?y@S@$rlIR+o|_;m3Qmw}p}8*@b`(b{2apgKa^& zbpv8xehV)JQKn)Vr9cw~IWGMyslB$}Hs^N!?!+R&U);xwO|l4Yswd9Qh(8q|D^T8n zkb)OYzYfa7qLQ+raQlrtEAB&nZcy!eHZ z!)W6d#)OXc_cxS)!sXx2FD^hpW(Dwe6Waz}K5t*POm=Y~YWf$vno4cP^se-p z=5r@g3#br2Tj{$YRds8H!Dq502tBNW0(WeGY~e(1e;UDE9{PdESFz8hwR1@qo}O*AF&zYE48#H>l#8 z9FQbXk89Wgz@;%V2Ve#h2BfWqk5f)jJZk+wTIn2Jw*fs)crF#VF+;s8k1^^*MS|8G z`ja?4mdL~m{)u3p4p$qW2D80ozpi+fpSuF(N^t>6f_?oGCEv@(RI0n6!2<26&sk(1 zF`v(M3Ig~!6W;N})G`xvM+4X!L+5aJy-OBiNE=XXg_6yrsxBy(#X}66#Xx6TvXwrk z>>!6QPdKIvC2)f5EfdK{=y2mHHq-7x>y?f(!^l=_&QB&oTMNri<47eZ0)Y5QGPD}sz(eN0K zIZvL9=6HYZ7t(t|?|iiVh^saABgB!5FCKKERz){4f`Ye-0@JsI!D?<{?R7>YI(B$B z7hUlH-NwSxTqH46>G}s_eE>Q)E3i6ToTWCws5yMM=&{~^Q6wnR$cw$h>7ie=;1af% z!uFfm@Ia=~A3$c%Rnxk7TySXH9Kat9VvADWs^CzWhrSM{alD{z>AhwMm#(f-V=IKN))AtL`6y 
zp|I3_X5{tGWZQl$P8<7*_K6J;D*QN6fYidp7jzr1)M`qr1)0fG?<2LIqtyUB3=M>qJWz9}ZZ|u?ee#%sLlY`SiJml8#D&l#P zm-9?=tib$903ber4((kp;{ot6zJ~LMz<)5zQblMkw^W&2HZ42@p$ zu;X;`eI_mR`da^vxMl@9s_X-5T2b5PxZqbQPNykit}P?daiFuisk}nccmSFeKFZ^r z#oMzyxU&=n82cLSctL335P;K)bR{J%=SCUdrK`W*3~DZ!-jl4zQx563)*+XU+JHaK_P08Tolh;@3*7&`Cdyc zBB!EK;*jLn4vShQV=d8nXno0=I$N8aorB)AY6%OU1JVsBV>tbyfP!`)CVp5vh^za+ zvY^@Tp4R|4kA?Zye)svu8$<;6!h=_Q73X|jF4tBp%wTS5`*V{6!7^_S;$)PzzDIqV z2q+-6Uw)I9X_q*teIZu15w_pMRLdca2J8B`0C|$mqRnhZN#m*5z=1;j=q;F#uwCitpJKl5%fH4PMOYAppnXm zdAVCK+pKh?ATx0Ly_C8Wj4m|fJ)DSP-nZX@0AQMF&_1|_9p-u=YTs1b1_)TU%o}G$ zYpQ)oQq%K&cBgBiuFlgFU(VoCUXi&^@>@lXyAhPD$e_~>xu7(?IjGo8%(tcnQ=sT- zNuVMpi^|5y%*zBlJzz@~Y9XqUSO+4Og(F+Y(ToPgdD~Jr(GawWvO=p{E_843U>nUfjbxi$@hQ(vyX19$VJ=o=oSCLfV!}&06<<(|5 zOCyUAD4nKOC#M$Fh9fe>E#OA6IY4?Fi6UDW0(2BW^jfd;uzxmL1%CWNVWUW&gV#xz zM7|R{hqpdpEf0CqcCHx&^u6A+m=|>Nvbw%JUdjINZqU3Md*%N4CvNa50;fgwIa$37 z!{uAl0Xo$I16X43;Fc5+cHED@rlSE*1_(ni25DGzj?R9K>9p?8-|Xr|f^xAzv|H=F z`w}EPm0mDAOdKOp{`;`_Rzd)&FsgQc=t--Z0J#ksF^}2o8_VxZFsoX%csZIzcQqUq#OXwjku*e%bAd(xrLK#JQ$??ob4qNMku8cV zgR}DQB@$Gu^7=(!G!4~o+UeDe`ioQ0GxgeL!dyRJ~iYpMP-}mx8 zvDFD$_l53VA%4l$Vl4Z|xUmMqxFg@ocO)U4zrBTWO;M__&Ze!cJpv13CzCY)8a@Uv z#cPSkfR}ir{!K$IK%Yi@qM<>^=zdy%4W{*#bm2AJBOmojzX9EmoYEI7&%b+H0A1_7 zN8xXgm-ic9NMoeXP!#VM^BC4_Kduc!79Q8K4F*dFKa~bc_doFH{E{Ifw|FLLcoA&#=sq|NksJ`iHFMDexT>WGp(`%9ze;p_l0)T>HA zwZJP=h379-CE>w9SYXIG_Tb+Y?#26bfPkUZq8$A80ass4 z<6fgJW3N1&E>PNlhcidBgI-pm`?YHUOFogXiRSO{J$nu(kSE>mEja?H#fTy4)b(OrTs|T!q7x*a$!EUE8po&V zx_S3A6NaM6R!R_ylZ^j-{?AZ9(hl?vQ8mv1NL3820CF855yO25q&Br^@u$U)kgB0< z9YLSbQ2#wz?&!Q7)LvcFt9T=Bjk&&MmIY_2lHjsz0oh!*aP_gs=`ssHAd}{*rt5($ z;@)Wq2RAoWdrN?RWAOxKJ(<`3kL!^9*iWOEQz4M!UoT;xqYrYm=Z7VF!*o4W{bt56O*27X2P!_Gg>e5(X8LDe7zfcy07pUj$?!tb!D%riVEJnzHbC*?$G=)Ph31j5S8W4|HF-_Mu{ zwvDn&`}7UJ{P&nI)Ijvk=O#Y^suE_7cg4v-R#W?5O7H-Z4^R++ zK@~znkdw1<9w;NkugI|s$%mB$yVrq6UXBIoqeHM0b|UX+4s>kyz6Ufek=q^mhCeD} zbzV;8>Z)gD#Zu*q`ZB6`{0x80@Wvi`nXw2o4*?whWh81~KmX9=j)Uu)Ds;tc&$qi; 
zW#2P$*n=Z-FopXCNP97aTo};L-#-;FoIiP6(>qK5P*Iel)G0p1tRo$O;R8h@&;vm% zerIk+`AXA?=H_bn)xHDhxTwY7uN{lM7i+2;D@Y$}z8V?H=TU~Da{-Y}fFA7>I`FWZ z@^LU{mh>vbXz9-dFQ5IB+KA#%=p+qt2t!ZSoGui(B2jy**F&$uQcvxG8NEDyjf1VN?+}a7f7~|+4$K5 zg;1+Yb#K1fJy0yl>adM>_vM(=yRLa1ftDViV7OH&ISs=7*M_bf!9>K;;mptB*<)&X z-s(c&EftU!-kxtOh91ReC9gwd_`9bwoY<5dJarb$He8%n2nA;4Wp0Wveg*OZ0+X;` z64a^m_5%4xQ4vf1FCRaO6pNeC4SxLdrYVy2@lgLu@J^P4ng5o1tlW0v)CMAq zgzG`DrQnjOXTlyyBDKdl8m?^sc&qEaG+_yY(sb{B_fA1atvqyJF+imK)Z)oj-asQ>V?Ocg~B5jmL)}IGmM}ebSRqTBHmQP(wk*{|rL< z9(6IcWN7Gv00o*g9xwIBb*T5kSP75|&JxrUH{iW4;nRCwOBUe8#b%<};hi2C#SwXh z3tEu4nd3-}$XkAS|2=Aff6!YDSa0{&V)jOLx$MeQSR;bOnwT^Bh}$S!vik|Qr~cE1 z1m({%U>r^WZV;Vfz`>jQ-wjBC*cS|)8QQ3D*H}N{M2py)!d;S5Z|-K@_TJQ$H$cxS zWC~{{xt~2;fwmX$r2pV3|msiS8+e;D6Ds@~DDeD(DV&*__#H9{yN zx;9YW#)zY(XR3+F<9VUzA8>CYzTCUEn zJiKl~Cm8E?Y#t6Smri^~jP&_QEUs|pdzgy$v>n}*s=NxXMS2>Uw*@ie8&i+yNv>(s? zgwka*!%pvg1^jgLSK341~2!(BlmAdh4FX(Q6Fl7&)>j)a)E~ZrhXb4~8YM zpP0%qMH%F2hHqZo-@1yupw!+0o$i18!u!y#hl&$XAy9#&Rx{~K|5oSY%6@<2;hbeS ztPgcYN-~(>p}5EQ%qI7Tv$o#sX4BEXRSPz^9|k&===2ZayRdNfIM*LVLF$|~4W<^F z6s3MsjwSuk`N`F@yTxDFTS(RX6-nlw&6Gb~I?Min1op%INE&nN%Gf{15HfsOi)<7H zj~y`qQY-$qn6}PMV?j4ZzJ3YSG<+;Nf`Y9!7Ng80 zmXdcz_GI%RPinJix_&UsTbr8B@HYj-viF;mD)7$>t%aT*ojWym30CuW+OMu=#1+Yl zop+6)n0p;Hu#7pFvJMMd?j5<`L6{Cc-lT-;$0Z+?#c6GZkHVbgyLCD=FfypwOdsNZ zw=wd*H@tL77E}pV41(;W>V%``HoPUunN#b$Ut5OT{>)#94Mi-{MOyb?wueQ*MDBXt5zAbAB= z`n{W^JKb<&QDNkvhQa#r|Fi&fADa{*^#d3#k4V(IHq&ynSpke0|gN zOzPID`c%*!&M(l9@Myv1-5PeiECqg;(BT}Ee`mlPbR9UvLZvZfiEUk*FJqVGf+{k@aG@DdYUEU)(9_*II)X9 zzo1W7Ln0s16)&7Kd@I4dLi;y@SAW>9$KqcoT{_wxNJwZUeX2f$C$b;!dPY*tdkRVY zez*dwK$VhasjGySLtYfCbsv07DU=;|MG`~tIA_gb8yz}WMaKG&JoC7E`?*Pobzxv? 
z^}AnnjdEFoI7Ft?Wln}<>8M+h_6lCqh-vMS%Ck*p?EX1NsH$O-W-M4+lpCQ|Cwm|At!HNYV(8e6R3yk8nJmpY}1vX49vfXpikC7N5sf782hw63){86 zOJ92#M#VCg&tb{f)JuxsD7l-#Iot7VfqZrDaj^9KyH2Tg!Y2%wmt&gZV40w@?4)pi zWkQU5-C*M%QNA`yeIBXS-(NM~b2_y2;g_AR;MvV`z(QGJG^N@ux6wBBef3c1%O4R* zmrcet%8I~;Lmv~G85QC?Wob$Md5FnFnbXyt{TMHl>zlk1HZR6a*L%4SQ7`Dw9u|fe zCsLTwC)kiHGxsEaynAJ z@lJ{G4Ef1iM0H=X{;2@UA#Lg8{!wrgRwb>%*vLq7_B<5dkw>N0LLYp|g? zc2E-yr^HbIXv*)#!Zj>^eQv+K6JqMhwS~C z-B)~d6Ws%@YGw8BW#%Qm76ns}Q2ael`oU?R~^_=x;PA5YMRYhtLi=a z(WVzPIdHtEjGZt02IrGKElx0r7>T`+od`g+dQxT~aTw)uF z7SF#~WGPsdb2Yin__C}zdttOLoH zq%?A4%*jQHqD}MI-hS+Z0NHjK!K5|pZR|qnZ9d+WBbgfmB#Edm^44Z4ZA^@1W$bCq zLV_3C3|<~w!$IYpW7-}cV9Igb1dI{_r(a^auf~Tron_*?8hD1ygIE>NFLokX-RvGn zBWT#PJsFE)$V1TCcGnwO$+L;5shPj-|JhNA;XrlW9sH75_FdfcAQH-;8iqS7(vD{P^&UhZ%CgHT&B zOti30ZSd$}#ZI-Ga|HXx;Tbdhn}smp;RD&sESt4$yc@oqghLgzOziPjPoNza-{lat zO;Mra7Dw74UG(JW8UY&`Y;6ml>wxdT^_+g(=gnWhH$WYe8da#(c4q z8I@>`1E28IE`7}{_w-_Y6Gv;|M@HM!`Eg_vPZ`s<5gJxs-{JiTN|36fHV|1P2wso5(Y0}uXZQHhO+fEwW zwynla8XG&dZ5!Y2x%b>LzJD3{k^Sb`3vCB7r;wRR<{9`1URw5C!nVp&3K6qqKEv9MUR}#+$9BqR zFs>Gk9h)u`bjMmvh0Ru&Mwz~hg{6vPi%SV2OTHrURgqQSP(pJb;wP$kXV5)@sJ2Yi ze=8|1@(K7zK`6C*9#msc_+kdg-n#^x)Rp@WzPEWI^Wog>;21BuGtEy(QYrPX6evFfZEwMJvSXR2)Yz;kBNIkMK_&&d!9kebZg8!Py4mZ zaB$br0mVIUdbgwd);Y|)6Xb2}7T?mW@xGbCoNWu+y*UB24Vr#RyN99 zKj0HnimG4r`VPr>0*+3LfSxxf9c1&n+P?;I@W1Scfr`0{9x+1%u1J_zy0HYbuf26M zvyWcGYisTKI%Zg-ZLh+-YzQf}>s?)t1C}{I<syUlnas0It_S50Yvk-B9J7 zb(vF4?X@AaER%hD*D8tp4)SIOo4{ZN0SRdmhFd8ROJeu@)a^vMy^+00LFjCIhWtB? zHqD-dDQ94D2M33>=SDHd4w{pD-qwNKFY5}%jef_{+Y*YK_4KB#(1f>{wYMTkmLsa5 zl!gID=eG_6^(kEl^J+j4?XzN!keT*gH)-Nwnkolt?h;GJc{-%K`-lh{{bf)XCsYyA z0!&WeuqaQ+7{S#=Owgsj_ur>b9^QGY#2GLTz1tTfSUc+`^?Yo*Hj@ug+pU{lv7}q} zqecT8*tJeEamU?s?e{C-%Xy_h+XfmT4lwcK=DsVANfImn)ap5w;rVYPriL{ZF+bF? 
z4QkNBWMbw1ca4Bq;6R`4}`|oXuhBv+F#a{qIdkGO*u%7){q- z#Bc$onhlIBA?5^&2oWeh;Mc!tz{YX>6ogMvMX2;77FEG*0y52TgzhV<7LZ^=2Bllb zU$jZy!V~<&lj7zTU{f-KMO-4A(?%Ao8f=mLg;O=fE4IpsPT$YdH|2&T=Me0APHS;u zPz$bXW)<-UKz3xawok6S1O2M}c#K%kmP$@y@=HDBtVSX_wmdQLDuh#fijb5Qoqqgr zZcM`{-di2&EV21Nl4%=f(nHA_oS$Dz9hM29Lt|*`>T32hgK0-_CY#8Z*f^v)Uz8OJ z>6Xy_{!Q!Du8no;C_#)}Mbu8N63*y51su*n+i*`m-&%`(l}En^p4|(HF5fM)on?c% z$FvaCJAsrj$2T^7YBk|9gm5{8x!zfXkO)PfzVJ`<8Eit$u>CeDnO#CUlYlw^6I6~$ z8393Nzs&K#xQ5kIG1?08AH2UH)TQD!8AE_hlSe`=Jf@5{0!g1)caEO3BR0wc zy+lhgBTK^}o?LpI&iVJp%Z7E25f_V9i%zyxJJN3^ESO}$yuqll$IaP=CY}FfvNedl z``lQl+z>=Z8u84@5`%;XN}*%l7Ep2IVm!P({vOO}p$;7%xm$!4=oyQ6re~Z(8UJz4 z>eSMAF+E`6fz^0~B$GVGp@J$%#T-#7EqK8+8YJim zcxW_;1{32^G4Rt)pkBCiLn0&NFX#XhY&sfCm_foPnJcLoHZ(wTrF%62eoxGNT5Zl} zF%QY13%#t2z^aF3|GYx$)f@8#%zhS&?3A?C9?mN>rh^8~>O|%OxR(C~#>elq8zQbI zKF;62Jo^sL)@H@G&wjveVcn!TlF%?j=bE#+i-ks$@`LD|xVbye8;!w8oF-^7>R8tV z`e8UfkNp-R-zm+Vya|7RR4tv3%IgM#Y{Oh3KL%m6Kb+Nf@x=_Qdw`>tpS36_lE>yC zIl1?vUIbLLoIP!Xve9j=LexsODHwFa6&WZ?vAFfl!t4A%#vfJP%^aaL4W}dQ^6u~h z2a7o9fSgG55Zhi*5T~&fLqvcECW#{+SWaZ+)rf+3EumzF$+9Sspbz7iWE*F!WeQlx z5G3yEXNz5BU)DA4a>#lSHE_(5b<_^QSdto^IX5a71yMI(!YVKzK8)%${Ccr9G;u z0pTYBe7d=LMEQ3OI;?tIs3N-EKI;b^{kT0HoV`HE{Bn`((CyQ=w?f08#rL>g1Ul)-HuD@`| zRq%|=uaCpVE0TsvTZmuQw3M(Zg1p}bc4PA%QNYy`PTM|h$5>c*q5`1>ABq*S#DYaZ zl*X6MCnXwdm^Fp4p`-J*x8V*TV~!xmBu6^27NY*qB^E&uPLzmB0_HA_BMr!72`E4U ze;Sk-1aUZ_T2BKdub4CVx~AFfsq^1qU8-*i`)52ls8^?rC%{twXrA81^gRWfN|Cc? z-fAv8Eaps{VBbkh5}Psz6wwnA6HgP-$R>KKBWH3aC}GR5dZa`%n@>HHeJ^cY{@;P- zWM8M>2w~Dhw=}1B77|75Vo&_^c2@J}+eq8Ti%Cg$CV_DGYnl9*WRs;SpxaqE`JJ1I zWU|SD@~8OnJayYH$NnWWXYO|eJ@Mu=ZJ^et2R^Ibn&eySP%Ji@B8hT)ZZHbh@1T2{}&flfD6vOg_D zAaTR~11Af^gnJ|_vMjnhvUGRXxy+bygGgzGje<+{!(rJ`X*TC#b>_ zf1NcEKCz^~U!IDW`L=BxJh`SmuiHofnS|M!)OrHorHciU`FkvM+dE*B5Xg;ouWY4m z@96e{)MG$n(yn{?==Qv58m~5X4s~uN`QfFXN5m76Q|lDk8G$0x4wmzMryZ0+=$bAN zHkVu3)GJWn9sGo=-HenU?N2?TgR{`671MXT(`-HEB#_Y{q+2#%x1Zd(El0bMw7dwc zCgrNJ)ToT*Y~-|ID15Iio#iNEu~)QP;hw3L@x;zpKPOR`_BH|V9GyE!%SOBEb;_D zi3^yY|Ky6+?qE~$NF_? 
zsxf);wGJG1^wUnuJ+IFhGoFMHLlKG(=*=AQmx07Yi^)4X_Vr`g=FP&xautz|Qh zwmP58#yof%b&XU$U};{!dhcflMG&heb}*v$1r`A73YLny_fuzn!O+e9_kdmFq#HNY z!L}BQ&oDbdw0A%|=*Qr1Kc3CucyFXH7qgtNI?5@X=%ZLfKAj; z|DM{4UiQVqNR-d2{Xk!W@j?Qq8cksIa4EzHYV>q-59wi3-wmV<(_jQ@ojEtNX}hnU zHIluQ`i6eI#5v+4fRJXxUp0zrH1K%EnVR_Tt@F!9ag}i6T4ve=I@EXHSxa$fAu+FF zhTal9u}*%zC1D{hfidW82X9MAM8_XphHz(|rQVJTnSA<;bm0TqyoSsq1ov_{VtL{^ z>dqj{I?z{T$HCrLBc8GI z_wN33oDv5Aj%l4Tvz5ttU~pr}SXVW>zIFZ^Ly_CVt9_U`tn=wCbQ=(Jw&xXLEZzIn zz$>dWsPNQtNuA|E&1T=wM!~jkPGIb`u@2+^+s!R!H4=cBfK(jUNhfg};MS<+UB0!G zqM1F}1TIwk`>U&VfTjr?PXlwW7A_To9K5rGN=mFV-hr&B7Jeo>ig1lVhki%WlsmjS z5UuYhmZP(7!B9l95P%4sOd@m;XR5XLMnwDOs4$-5AU2EJ^JjWr>H{|0A^MFnzT*D~ z$*CIL{*P|H^P7C#%mEhJ)Jr<(nZ#33v?V{B%$cT&^0-BNBT=p+%Mq;YSzgD{N>?tbM<^kxNAoa^B#Cq@9M1Ko{iy>fj)8 zw(t*g6CDsjLd4Sdi}Nfk#eN)E@>UkkDyJ`w-TVBs+bwE2K6R@YXi-T&Ou0QI-y-uB z#kEYbs>sS&z})7s))nlo8+1_d+zF<;wfT=cge7`Yv8h7dKUalS?5ErlfOp^=jJ+tb z<}u~ZSzDn9pfSorFKc_93SLy(pyqO&{;_KROU6dx?iDJ+5%<2Z!l zuzxkScNO&OE*YffLDHYE?QeAO@Gv*4NmRwLw+W}d9Bo;|)ZSp+6?8{u?OJiY6Y7$!+((9b769rYb=Y(=cSWG^KYoP3}^Cpe>3XZ^^cDGoCYO!b)HU*gSya zT{eZQOl`RFChn=F4!isI?U@r4VfXPwgZFga56S#oq&yTZFq9?k!nd4Oyv4`*out5d zDS=>FSzP>|vgtqpm7BStj2{Oog0>T)Fy|^YY%Qgyl20)`N9_xg4#u;Pn{+gC7t>rL z%A<5Nm>s1C7f<2)ouUf;lSb2f^jBj zJNaY;zH|k3;RZb7dzVCX5`k>EBMG#?82tIzt93OSI#sCmt$cb)+EA<04$$*24m^=k z;q&bY^R3!aWXrXis#RGVnnE^s$ z+Ak}asLPsV4vCt&O&St&Ljk7C zAl?1)JKz;GmrLoZ(<8Ke1eB_53{F*RH3@=H5@f@ z8rQ|$dtz^zl~gX=5ptVNZRq73z!=M$S;$2DoNVIo`s;fx$LTfN&+&KT4wua*U(cc{ z>=7kGS9{aO3sZwCZeJhZ-4dE_0)yC0Vy+EO+rC4;Ook>ku?-AEX`?TZY0{ak)M|_i zic>TzQ#7d>o@;t6s7}{39t*{1Vfuiz|E>uoV?11O#0iPluYp9Ri+5wr{I(w<_6i7g zR&UW0ZNth1WQt*CQZxf=?Ru_R1%arh`wxqV4+&EtSAIkBqW)DB+yw5DPPAxK^?XI6 zY<4j~4|+w}E72Fh#a}!_A@?Ma>zC|rXOKQ?jCJ~m->OVN zSx7ROT^vcdcu}_G4H3u)Ofze9=#!&^AEGA2%p4S~G&lyj-dz#S-dQ+81I;dkUHGqW zk2T|~Con<_4^blA+c08#1zt*sB`5 zG*R+ktL-_HF;3a6XQz|#i2ZY1K=){Mj@`X}WzUXx{g(XMT`T?5+t4n))>eur%rf8a zGnm`2o?sOCJwqibbQHfVD_dOynG?7q0p6Ap@sR|pae?NsSH?sI(_<-Y@-)VYv*73w 
zxOPtNH97e2-&tfQvgYqEGyo^x!!~RnTDm*r(165ycgSIDNqe8r0Bs<=<%hSOXF_Hp zp68FuGy!s2O*(WTe5qbF`PM3y~Axg~H z6jX=bH5O!}zqMGS7>Nuu6~rY`o!&+Pc62Nycir_7$i4oWxNqcQ=Cdwc5RZoB=9Jf( zvD+Ybb7<(_{@_O2{zRonI*}Al0*BDUzL<;+R;vC_>>hUmem;}AW)o?&<; z{Wqp+x(Cj~yKQR+7^)|&zdxID`3|qogQl;lC6pV;KVR+BgPKj@WWfrpkg8%yf5>VKgS{n^Nqm^T0h(WZt%r~Wu|Q? zcxuyY^j(b`+SwAJ)4)feA!OiFzb$8KLYiT}8)+0_{Vq44trn6J>zL^^_um$V#Sjn5 z&u=Q8VPYjTB|2oEZvRPI&`3ZR1sx=a5v}BK4;6CvEX2W&@9YoA7O3QD%BjYDs1oK3 z+~NKV#|}b_XRb?OgWt#L3``uby()`P@*|d`Pa58wub5&O?2JktwusvBE^k^{$~n+` zg1ftz%I(}fk|xV|mVA=ix%`CNG|?zh-E2PIY|+IcOQS6Wj^CVk3mfLver3ywkraQ) z^BP-yRN-S#gfg#SW`s?QTkHI37BvI%xVLs|--lulxhM}6qe`bbuhpX((FRI(5_|lk zLdYhoR`|ZVB!()sc7#` zfA$K;|2bC8zUb_=Fy0*8T#o2!gQ3Q`x>mmL*kgha>ff9VX(~pk9wJSP$N+f#BqJy> zva{&loCmS}%|`F@-K-9Og2S9VQi5G)2rq3&b1kZ?4W*DQu)`1g zy`i)>WDfRo8+!58v`T9YzS-Z+9kGixW(KTx-}+RYUAH}7@dOzv63tWEV~$yqE%lfh z4)1`^t-G)Pg3kdk4HG=nqJ_6zXO=sRfu-$j$BS@*FkaAe%r^`S^g}Bu=A|;~E2-68 z%r#8t&z&@&0)n5UAUCb&RsPp0kr(m#cpQw^sc0gKEdDRRP<%1lWiMw?CGZ5?Q+>L-vd|V zr_;UMJ~~ zm<4~iQnEk1^i($n{xj7@Yuw)86L@*)J)Um(0XpoIR*4BnK;e1_SDY6usyC-!odZP@ zi9?)Zg}B4rQN|$XJ+A6Cm+;3!oMK0}L2;8In8{3BFh6Mvt`$DkWI13`0T?suX|vP?dr}(C?E|juudYxn2kfAz2-Yb1^8JMM$8m|^0ZtBvjovfT$y$4 z)N7s&-TnA>E{H}csac0;cDSX@sa`cV>M1PO=;$m8y4UF&=l>*x!2Xo?Y}xr$&!6u z-orXC&&MORk{>zfPj+EfMJe@RHdhs&b!<(9#I2#Ev{u^rD#GU6i20f_&R0o{j$<(O zCdQl9n~564y?j;{Jf>#g!Mmoy#Y>d5m`*A}D%&2Rqy!LvGqbs(BD8Is@!hBCaK%%Q zlaP3Hlx@6R0`BdCr6C4St4gj^L)+?@e1A0UWf)7@jF@|nAXqH z>$fL4gJ}h2?JAu-wel0aokg-@YtlYAY#=`0A{w4>FJ+Ity*F00#wV6U&271IYl3uH zpfko(uf)~9J|ApOn0&wBS|(#w%&kfrNdxX$P}<|+Q(_jg2KX3NK3eG2DBNyHAm}+~ zkCSB<^c#QsaicX6{kU&N7S&=NHls2C_M@j{216~bIDcYi?@l$cnM_1;7|2c@BXb&x zzIbj?Iq)t5e>Z9=c9j^`p0mBQE*JbMA8V(06Fjpccu_l=9b=3WaB~*a!`WAIs#EL( zfl_O4oOEGzPE$FX`z#`jz5*8g7}Jm> zvykvNW#!E&&5%RCf)Y*co0B-(knbXE|K_77ng2Ppt9Z)ByF3D`G!qzFHF&x%0r-oM zaefz$7GXcgBa?YBk=OQfC+M~BKJ~%>fVaD1AFAiP4*{LManQpRkkSlG^LH~x^pe6N zG{xWec6CkMSVYLcP9NP=hhlIRG-tBzvo~OCliLum01pnx5Lhbk>aOvJAF)=(3@qP! 
zFae&amlTz_y<6-q+ySt3nDI3aSZviMLdEeLR$B$g@1A3lqSNKEk=($_5-O5Do{GjH zx?Qnv{$)N)Xm|qr`z<5uW5$rUdN+4eO5@C_A}{) z$#P$V*;%Nxph~IflcirI|G_blQn-awybel~%uJ%gKM^)-Bm+}DRC8`A8bA#kv8WK1 z_01C95qyK(5mx>gftUUcuUZgW60?~hs5|9V+gtU#5wr$)i zORo_DdMcsAj&orS0%{~8+y{&cQKS0yHIG}K-B9!NhAVxsX$lb*3dP+AlbfS?*W*cv zfF17o{d^!sYb#Dmb#O}n@Axe7+UhqdlrBacQnz9T^vxWP>~>lV%LJ7ZIMuu|lGkt; zY-ZE6c-Y3>#vm!2NSY9FWV!yGsd!>GzzSXZNV7FEze zVESWcBPOMB49txiLlzVEEb@Goau$EXn?l0uh;hE~)mcy?kM~}Ts7q*3GZ} zX9kwWQJ}JTMcu&Nrq!Dk=QVk) zKnvMO2@?w?v&#h;@PMin&?9Hp{-i^_PeC#Z^q#FqD^Mn*UTB9kim)pP%4wZK<+nCx z;!{9b86`2`kMmB|7~H4qSFKf{DQmAEB{c@sYbF@knfGF4gxJZytmtv=? zgnOPUG^$9gg(acz@IgRI@j4C(aDJbPr5YxcHcY zZv%`cI+d7M15t=D0*yfcR@PnGe?&nx;yNzQqqbj2ZSzwvE82=scSXrzLE%l^9-onI zHp091-COCLLlLj!2dWUjDB)y`SC`gMs6JlDl8uh`8Glzm=;H8DHCvw3N`g=t*5>sC zddxF8_gv(W)QJs90<~0Xr5g3qw3!NIdMk=gM{aJw>X3#t~xg9~pv-Kj9 z9BbVsISHAkR_dIyP&19k?$_UBgyxscR~Uy*L&&Wt;~;c?=Zh4`FHPAu#c~rB6gwSH zKR$*yCH>4ckx{~_-IXB7{$>z1f?h`A9B>b#Mqa~0*`@06p;+z#?F1_@ zC4fJZK&r`E0mjkA|20PKSi8CQ@YAdyBPl6DmwK5{9D-S)<~klOQ9!J>f$C< zx+Ki&1&o7k*EUDk(4n+4923fPU1V>yyp@B#gE7b?_RsE6jhUf1U0JgzQIdNo8RQ*p z{qfEvZZ#&Pr2|qvWKq%)wE;p2uE`G-N!vb*QcXrCJRs}PXU9th1R>ge2^%k~VG-Sf z7_W#)tsS$le%kY5F2O*E{(2^J3=*mJ#P%)b7JnsR)Do?Y&Tip0_XTKpOl?c6*mHJ- zKvG>v*hz@m7!F0CPg)XbIvC{vGw$xJrVkH!}n~9)<&OD6SR_VcIbF+B%$%Fhs2vaw>ka>4d zzOk;@@>xG@VPRe1`USCfGBu7@$u7MXks{*53ne8+3f*_&IKL{9--8fWlBI>uo4pg@-cjeG@W`O0? 
zPU(zB;87@hM+m=YHfWmJYXM6AlG__O~tq*<;}+69TYHss13}q+8E=+)TbTIQ(?^xw#h4|DZ(l!XZ9R~2>_D(YI~F=-Q|?`vO$T_P@rhu zSTQ++5+T+77g8a*DjPZb%jTh0Ka4zk6wXICYk5>EvG#hLickIH$?B1ZpKwZX<}8R7 z=^(svmGVG)*ok2O14NJKkE8-;()}aioNj1`*)d|1-5^+h=o1;&yVqu~nHhBI zobA#0QU}4GGUmXYft|&W$#34Tf4A;ZV%TPr&%bSl$K&k;beThxc{aIqb@r%XJ@XU8Xavf5T4FBitu` zJ@m*H$Bg*Qxc!q1chB7dBD|=#=BT&%O#%~Acl^@iYl1*}68}v0?z5P0Sl%LyOf;ti zI|&dxWdoC`k*ERocMI>6Q0vroM?F8+5uQV|r)e*GAevo|>rv*HZ#*6L%P+e#?{Slb zg4Ic#Dhu&hPM4sacB!j{6^^=Cm5a$pU3*`49Alr>tt-olzG7N@ZJ}*uF@KQU2OvX=b=Ke zOscp*yZZHoznHt!aNvE3C;78TxA(mj^YR0=M0Q6@5rH#stLBzTYExiUoI##@Dsqp@ zUGAzw;uI1W%Oe2~mT#*1A=BOT9Sn1#-6Pf}=Kw*d*kE(zfi(#JefZ|;=Kk1;d)b$d zi&U5JOy(|fd^3`ixtr%2Vmh{GWmhQm7Mnc)-uL2MP7VaS!^bd1YcU>1f)C z0eq5NiwKrkbGE#EfFAb#g^ryF{&P$3*Y-iV+P{(j*Ss<926XEGOzAcg;H_VKZ-~kNHJIEPyA`Css$ub+teCqY zW)&WSs2vxQ0y6uXHr|Ppy-$z@zKlQp!wB;+H`du^PMxI{T6uV-sv>Z20Z`uhUG-Drkl&3z_%Ql!Xhjg-K&C{&WitGZVDo5Gde=a{sxTg zSy5wD2m4oeDJ3a!jQIZBE*dwb>tDuQ)Pcc!ofd;whdj+M!0n=f_VI4+uBg)CoFDpD zd)3zEJz!l4vg^sm+v)~+^<@ERrfOSKeh%p;6q zsVVyx341L>b4*k9UVt}AP<6iqnwEu{4`sj!W2?ZvvYtcUP=-rSHSNR_bH$75za129 zdVgWmuH#rVd_>d&+7MKw(yZOp+xTR>K6p+70zK|qm3E|T=H+-3zg{|!>n5YEET=iR z@DqUHXYb>ihl3$mEG&=cCfy&_hKP=gtD<8x3G~wT{GogFxy=bMoVoQQ)Ida+Me9sl z9pRcLvQ%6%u4a!Vi42}2_jAkFv!uj>l{&PvM^kt~`Fp8(&4v;*2ct!ox^1*kFArX~ zW2gqbs~O-98tdS~tZ6iD5WJdmzH)~x7vF)$z|#j89NVS{uj}W1gS10b=upn?WJ?us z*XbkHW!9plbsv(4c)A(2KF}J)A}nlU5azFoq(debA+K>8w}M{*6`dKc-sIdwQ2Q^5 z+36GoDe$RVp=Zpboel4SUs|~EHW1R}4_EG@ z6(DcN-;(o;UOM5fc_Rm|I7IlSyNl%c9t{*aldgJ59R)&w^5wXPcME=X8WlwmV^HH~7t_bJ^#{!vj+58{TA!l0Xv~Va>35w#KMhtWV(2 zHN3o0Tl{jeFf2&ogdAlwK6KwKqZeM_Dgf|QV)kQifxSYsZ&I4!pWg}~KtT>r!`7D& z5zd*4m~h0!eW%rM%ZSqG-|LrSI55@7)bLp}(o*XP$w~z-@)cNK|M+9~`mK_wawd4_ zbNzdJqJpNyC>;RPP5>VmG|PNW_PR`jzb}n}QJBo0aaG8+5Qz8sue$-)X#j|PEf{jh z#Sf6i@-hcH((GzjCU}w>}-t60!s@xE}ln358u6rATdoHDX>w( z=^R_zv?gBxV@wyF<@!?6`A@zrPsogi){&OGPKL-xm!O= zz#hZ^`z5s;P2{@yQ9c!*_pzkf+i8328YEV;BjqjQ3WWWv?mKWV^m%%ROb#I%C)~Ar z^GPN`cYX_K8pipyzR;OnDw=!HR)=Qs=gcGTLHE;T+rXFoo*gIIh&Q}g<6U`4%foQr 
z0vF2{5t3T&X%^Xv`)ZwaI8z*pg4gT%4rt-kI#%CyrSs$#*;wUjb-KWLZliebgC6c~gUr*q}4`uQi|_Vu|XqVs<_Y(+bqe+@pk`)lp<91te}&rl~kra_c&dgut&$3NG+ zqc$VOYooKYa>0l;DQNi4T<0Y7Gz(64AO68Xg|AkAedMgJ9#2GQT;SeMCyP=rIT3iX zyzoXc@=^Dn7XsvuGFhf1a|x(wiu_+2KzkEEfG(bX7mbGf=vQYZsti7ifcm2y<@b_> zE#D%7V1FGaBltxD_7dch}uZBFzl4Zzq3j3eqt(kRl-vN94^{OIsU&8Tn*5_E{U z>O$ezIxSB;6c*Tz(|U{t8eKKQgD~~2D8cj`Y^Icwbt}s@=jEE&DPF^Z6o6J6G*Te) z+YZL1lf5(s?lPrfpLCwoT9Cxr4++>w=%gHTQ*eJEal9L?C}o8KSQ>#2_eR{BM8zK` z;NoojQW{J94;z6<|CpR2*2l&ygO??pls)CYt^h6oVJohF8z=kC7d;&@TY9(&Ca7d0 z99a#unB3N}ui$6#2r`70m{giMjKe`xiM+PaP&OoHl_v>1-46sN{YLaAC(S&ojFkF6 ztj$@3*Y8A1Kw0w7BC`(O)!Ho49s*tKp$}Je@x!UGGLV6_gF95O_Q{4Yo}!%w(eDv% zAkIb!mxW>ITL7H?!&_4WodYbDk$CD)7A=kPsPchNC|A%x1n4G@^%;Zl_=58IH}C60 zq0#=YS;m5~w%`>}|4aeMO2;~DfOg$O;?MZ<)1F|CpI_>zCsOeG&P9OC0^C2n=HI{E zX%YK=Z>IE_M^3~5b(BweSa=8>eP^>7OQVs5(7RdsInQo#gI0x}cp5 zBJ=@+CnHdV4v6PAXvT&-cx5-W!wHKJ=go*_#f~?3xgr1Mv3j7F;**svgx=K@lz2ey zsA&Y8^u!K1ystO}@fXolZMHLA5?#iRS{5mB@_xos8vwuvX1He2X(-m!L}xIO&@TYo z;uH>U!nM^vX=ji>U;X$jg%sWaY4@9}i4A)A4F1t?tN_#pWF88^+6V9y;8b{!WLqW{ z3E64nuMj$^Ct;w5lZjhkF&cg(Z~eCaw|M$wf;d5kY{g$=$bpCtsv8B|pV=$FbAnV+ zvI=EKZVdmHtRAP_HGL1wy{Jb!e*juT)Dssi!n50$^s3J~1q+bqh|#AC7nD(LeZyMZ zu#GfuJcU3`o?Gc+^GIku{T?^D+iT9cuRhM1HeU>LAg2=9!{({SGpMz24OblY*{3CN zhFw=1WfB*XWvy6nR5QDqN4;w8NTy~ur<^c{9d-vSw1?x#R_cwV76&}QCE`FKe-r

gG}KOlS{cX1dyR74}*x~p!x{SoGBZdbyrlb+ge6DcdyPEF*%eR znh~$bN{>{XKNWh$d)Cv6co^;kPibPewBb`M*=uvMGmQ7XPHZfqHof0pgP=lKFY=X| z{Vk=p^{9t&MU?vSXbqf=hWiE)CU;WsPqd0u;7|@riM$$@EdIwO8Xf+t< z;Zipc3!LidIg`9flSFrKikrr%y&Y5kTZA`jXz?ywIx5y~w6mu6>$%ix?EUbOS?|~l zy>if?F88>}qvB)CkURCrSu`fL!wkKP$ETbw2aV0aZ40~8IFVk^F5<$#&T5#8OX6ZX zm`YIkCZLish>8d`qCucz;tYNvKz$+|Q$Ysd<@;C+Pvy6!kE7aF{iU-LH;*}w$(eBM zSbIxs6CKyAf5RT2!#8!4?c<~IWO^ne;rU2PJ)N|#j`C5bnh^n_&k!*`1U!Vb3ljCk zV4Y|lCTs{NK+|1A_E1$ zL0`nNHYc*~8|-E|L53<%psmhYpan73$Rjs@eSOR*UQd8t27b#$d?ntx2^>p*jhpfV zFfPhuRdObm%UIhw1LW}GB*d9E&0xtuzCe?3Ib2(W`* zc#iHz>3-%9;cKUx-14d(@LNwX)bc&FucbppsZH|!oNGqThRo*K zx6(NugpH(a5<&wsumYe9Xm0yj2`}egL=>FMgQe_?(YrcZE9>tq;!CXq?Po=VWV{qE zE^r!Z8nHaSOXjwx_s-@b%nq{Wg+i3qo%l| zd~vLsGrWtsm)Ss#Dvis6uP)roEe)fY%!ui;Ptw4cqM@DLWWuX-+Q^Bdzusk|d8ndU zwYpn#<~1WooVYu|%Yl_gNW!}O@@2Ag1D!}lLB*H~gN3f!g69O^fSZ=HySf#kQl9Pl zaPXm^ZwA<=R;LbS7A(zT>?cDad^P@?NyO;1gBB6|X_TAN zDIUik0g(q(L$}kZyG!qJ=Ia7>;(5|AG-h%rJP|!c_W9VM&$>#^vN%jA0a$I{FLMm~ z%CCwXQICJs_Wa%?Y|9Fe_lpn&Duh^w#}^p)C>o6+ppt6BCb9Nq!t~07*p)-&db;eT zcvmr5M)#R|z2pbx>My`s7OcdeR$#iA?|Fk2Yz}vw^m;LPX_oB1!<#V5u?G&9WAjSi zox*MQJ;sZ6pJhjNzrswE$eyRz_5}#-zaB?RlzBcAnIx6un@}r@y|(Wt1mMrZp=B$u z9xg6jyj)Q}bI)6A-#lG-WLvRAacD)ST@&&?_gCJ1|C#Nsa9eqX`0kq94@c{{p3TCC|@KLkmb6u`i?e_@rw`Zg<(p%kzPX*YwXsD@63buAZN$Wkm{ z64KNL_BGG$`^7Ho&|RF;92Pcn%i7e{KLDBhtBVWmNf>-$(;M5BOQmaZeV&o01*;2Y zJ|=2FH?T20MN0dvcQdj7PH3G+2;P4&j(>bjSRtsb8?wg_+igkS+tvcg=_2WC&J4}sFof|dX^Y@_oxJ+kZ-(E^Kys#vKe z8$modhR41o3!klNeO7Vxp0FuSW5*{d;|$mJ*O2&h;<-QBxBhJOY;62A-)J^JR4I_U zSZI>_K@G|$v2+n+=0-9eH1_i_g|R8X-xD8FxpnPOy>l#?YFlXYxytX_ylQEfH&+ZD z^$L48!+*0u@%H%j?bJ>$JWtv*Ad!95O%vet0$=&Z9f!k%R4-%?X?8- z=>C0WMoONF>E#g4-1oH5G5!$2A$Ib|)HOw)Aq>}+lhz)w7Tb0fd+-_`|8eL|O}q_1 z{2&yB0DKBE(It7c>qp4qB@UeVA7)kJJuxXjEW0Z7@{0Y%$7D{?ZYL7`iOz`vb~|;I z%X*~vam3F|=+B!~(A$q=6Ts$!0~uYjU;HwbLrLsVf~W{d zh-=3(nu*!t)@RTcc`f*?cclG!bIC|#JMstV_O2G?<xdT(@8E-t<)KjbWd>G4$YO2BEVzEjz*25`gjoG8)0{vG2|taO4)FQU-csmh>LB z#i6>Rexqo6kegL;`vKJ?^4b{7Mk8c)W263RMr!{AUD#9#xNVjO4fvxCKp}={95U{_ 
zyqGF*RMqCMRwv@-l2E>pZQ#xz6oIvRNdoenn8nw}DdJK1 z{ncw#=JU_iL2x8)PZQ5%cld9i!QZ(TO$vW&ZNzVZe`gC9QX?MrIn*jKi}t5?&DKH7 z8+Oh~yKnJ4Jv0XSPi{8ty(86C;-rF8G2qWeUV&5X&fd6m+Skhf_#5|e!t7cZ5qfRW zCbKYGWs%wWKe(r)#1T^P)1|nVqlOR0r8YDW0pIeNQCi-m0>;+n;(ZMU1IY*Qs18xu{_hc9~u3%1X_yIRywuiww{O>`qv#lt@QAho=2*v7IoGBrcCXX`D*5P zszOsiNTqe}LMnPjTq>8M8|6Su$qsQOj<;TGGG8JF@3>G+{sM*+X9aJsIheFh1zeqM zwX^>X9=F)uDcr=U7_zKiW{6wY&yFUsa~?SHsKa-24_jV`Lrtn62oi9VAd+cwn<&%{ z3225~CZ|47HuX)>5skaq8h&_C1Km28`y6afFU)F=@G%YHj8M~w4e*Q_k}z&HYnp-v z-vrIKWIx_^0pT`=%lEYgPq?j!*t53!2 zCbk38_tYoJe9k&^1Ws^`8C4`i=b2G8#0Q?~2&I55V`q4irHA{4+3!V!hP z6J4Uyqy#NaaVfQBDcGb((tvsL3b0cc7z0}&ooRQl_(E6!M;Rt=FsJ}Rr2y-15$DCk zW9u^!yNPXN*{wzPWT;Sy8tusV#KAIrYL#79ifHr<2PH=a3cMBeDad&qo zxO|i6J>NO|2hQ$HPjz+Gy|=1+@`z`y{-~u!pBu}IXywm|#>(_aH>g+X@l0Et?i~A! zVc|y7!0cwb2a>?JhOM^;4y1EpKySA0v&tU2nLM~99O*Jb0oKbgz4U_d-j#(b=?*tw z9Jfc+CMb41&@pw}P%vLdV$COEFp{(>;8<0lv5IPRJi;4gQ=Va?(1+NwrHN=!LkWJS z?73wHvxy%K>F4&f-S0CJ*d=@NCdL*6v5!8yNsqJis6Rijzwct#jx)t8oU*D-Xhu%V zcxGPjK3WI92E`_vEt7Li+b!$yPSt8H|F${ceifX;7_I&gSYhe(y(U0N znflH}N7*J1Ods|89!^L~cfiHLAD4CR3X_P#4T@Sg4xx9Eaoq+S74gFv5*NBeCBobp zcN~8og8ordNvQ0@d?|^_WG+?w3$iwA_;jQ2UI?RbHAI4YtovJKxwiv5117#K%}G&@ zwe=vX4xRJ41zdsHerR}q}xzXXupTAC<1Z3CB$Z^;M{(c^iExSkA@YA?oefwac zyU59fC?=GNVKb7IC5n)%;>>hS^lvGk>B&M$O;(YQZ5^GR17C_CC zL+@deQKn_%I$_Zcp3vc+Lbqa#B4Hp0X@It&m~0wslB13|xH*7Mm6AjRh!DDsI+e;Q zJ9wt6>Y93zOqZz}_|@3+@6+MMVb-5VXB-^jFhL5bjvjeYvO1-W9{hlBI;_Qs&`~3A zX9|g^-%dqy7{ScTrin|EPj@8Wt#s6`YJ}Bcp_EPgQ%7Zw8WnzD3Y9|fI)Ys`LJi&@ zl5kI)KTeW+fTx?vh=-6#C{+)Nf<*NwfeYSMWYAWlI#?-g^)Dt?J;kRie?}SnYChqr zKqE)}-S_qVx^*jBwX`y%sU6it;`|7P&dT`y;4{on`6KWqGj}&MT^jT#b>)A_>5Pyt zIDzTC%!!QqOB&wLiezIYA+dK}l(1GXjVRE{QXYys`2Bo|<_K;-M7-$-O%%%_$Iw&U zz;^k&GO99-p3&XGG#(l|{1mN{1&eNkFn^S?6}pWcyU57kDL%QA|3f49oUj2I4xQ2E zQR?bgQWFe3QhS&pFi`{@Mex9f$b;Lj?#q#elMQK!Qm@$M5i0mPY2mLa!T}CW0fUHd zFn!+(_EN6Ja-isYTzX7_j?<7@)ktqqu#IKdd{snmZ|HlFVy#Ojx>FqIB4RPE*Q zKzj)|qXjxf`L&I&$*-w8;6EGFNKKy{42`jrcqFu3rdMX`q~S$7$;ol(Z&P)2fWJMY 
zBuRkn{(7D7U<<`qXIWWCddp>t=2&woy}i1d!A)I+1>`~QK2bElmk3@1U@JRTYTexo zE63IN`M?&_PWxf8Kh7u?7PujR5Ta@a`c&gF4@WRqx zK>CFtUk#g|k!Y@f)|^BQMcbmycjkRZaS0LUhVQ#E86Yg;th@7a_L7ov(ig=4co_ZE z+eUUUgw^Q6z*jJBoylD~Y|mdnFUO)CKqK0K*ay5K-BB48kdUJ85gq{{C~`V2Lsbf{ zi&5~Lv8($kTDhHz@CF})066%@2h8lm@*6%N-zi5J76xu)ic;=;BI%;V^(LVLdjXOC@z( zVTO^rOdI9HPHvqT-S$_`L2=cCwq%xH2ucJevZaM17keuUZ&=tlEk#vRyom*?0PfW} zA$ZvO2vH_#9#LG4NYqTPS<2dSYr_7fQ^11lX6Kjory_b$;Y_TUM^ceIS&y_oQGqbk z^V$+U>TgoG*En&+f!Ol!i*hv;r(S$X#QA6`Ax-6SyZGn0YwKcwa~n3ItuAKfycwI} z8xC)PS~_Qe&@CtBV$Gu{%~ux5D(=F>zIzHci5yO*JX5TMk_=@eef(&DPqZ{#26v}Z zr8~za{>7PRlD!VOl$z!vZva#-b}L1`~gwQ5ljI8X5(w)9md zH^4HhPq7yZq(X>jsZyZxDJqa5NVqVm$&2+PlgWz_T?8s$wqipq-R=@!fm07x4^h)J z>n%T=LR{hfa-&{yHYC2}yQ94D9!95VUtkb4NyU4PAkg>!%)j|LUDQSvEt7e8LrDQO zh98KN2Pcx&!&1`?ZVY^`kg(vRM5A*+?f?RY^H=a-)ZP%bl|<;T-@J5vV0OwI3+8RI z<2OVHqJ|nja&9`)}l3*|y&C4aEY=Xm=M1r0FKt*V)}IsML%d6x%Mw zXknJmBEcI1Jt2pQMFsIt)24_?E&Ec8FnwrfS$JQi`fUE0#D!3Rd4OYJo*CwEl=B6T z@bksy&3^GP?uoYd`a|-$K#iN==*Y-tsvQ3qY9jCWxzUc~4e(-iImhl`e>b!O?%3&s zetyB24htSE9zYQu;pq78K@I94}$+iq(|s4=oxQ1o&_#&Z+`@TAr+ zpaOZqc|)s%*EOhzkplmd`cppM0`w3 z>y*h(3uq0qO?@t7DRX6iIr4GE;JkbUXBphOa?A zVkYhaC)%ZokALuU^AXO#(l@_u&5Gbd2jpC#I7bJ=5hwl^s-aleVC^HFUPT8VFH%6E=0PA8Z(%4o zq^YG^`5Qgx+!oED1c(lX6L!|YM!}a-II40I;)nGepP**ABv4LL(T8KMcJGQ;i7edx z;GvN(5ByNG;9m&CVBo*r4V+c<;o0D0AH1Bx-Dby>-R_O5cEbMv)+n@`IPPu40y_|R z{*LN&@inN*nf1n9t?)-#S$bp#GsBAN!C`HhJlYEPN4FUGx-ra-Tpi(vc&Z|F{GgHh zNfOU8gR2RnwgEC$uq6e&8a0bAh8{H(Q1D4Z^C&tsP);y<)D6WaQ6^Mmrj06aYj~(a z^(?ooPPb(Lj704*^hHP=$qq^Z={d(#wBN}r0l;!>0~{FH)cI;CCvmk0%F~C{4#p~S zD4x|gZg~fFF5EROd|^;i_SV&?pq| zLk=&%64F|EOuVq!pe}%+9sp?a!^MI2+6DMQ_K`LPZ&sjkP0yxjXs1DD!?ku0nKl_C zFhmuz6B>2hL5OpvB7*XE@`6G40Z|;%6tx}7r=4~MJ6j|92IjH4TFV3+) zrp0nVj%e(gbfI17eQGy+H4ZsZuzu3&n6b40B4^;ULoA{C&osOFUp04*F@pKb-&R~* zVhKCWoxCJtXF9wHM_C3--9^gT8rt^SlLx(pEbxl7nsbuu!Sg%I{!K4DsXiOx@963OUpf9^ph9`Sm#!S|P@5qUkYOy-(LU8Vo@(>VhPFAEL0Qq%x;PA#sw+yb|QdO+;*nH{z#@C(Wr$2#slRAJrA 
z@*|;=A35zrl>z67E@f!@_Y7r6iTYW9U(grl$>^7m%<}}-61pxKZ;-E%?J_Opu%w<_%{kl86CQ%4Oj%$Ub0pgzL^SO zAikvbTDCr~xa~3Bpo7Kt2;yZM-fW#Qt>V*&2hPOFhVMHNu_?&6zu%B&TK^IncMb+t zp+|?OwxiM+<$mK+sS6z)H4g{;U!qR~AvWv?Fcbo-0-^!eBBYVbuXPV$rF;8>ynq6N zOX1&IAMT~%c(Sx;j~pB=b@r=xGxS0saaJfnj8v>eHo5d<++jMUFpF)|jD6E||AUxLai)SyEFibkBah*FAo0;h3rXa{_G5?8H%Db zQ6+E}D!!t?D!{+OjA*O@=Y$Yxy%m*JGqes?9dvWMAJrBg#FLKrHym+bIJ#*qSn8Jy zBR>tZAT2Fs`DCqJ-8VkPd4L1S-q;eB{oajAfpsW4yQMfLxefrijYGjW;sA9-0ZK3B z9()omprR`uJBPSK10t!Mn`7(rd{&36qc>izO2u`@%o<@~S*oJjy?#WWwQ<%+FyI${iydN9b&`-Y;6e=&;+Mqo?zWwZZdB^E_4QIM1 zq-}U`OjGhHQ~=7jFntrhros!6_s>SYi66>}e}gxZ{**)l6G^TQk~yd z)eA?F)~HQEBKUCsdZvvj&+Gi*6e#Q0SnnBQ0wcU6mRzhaIH)mSNlga7+J&T@7ui^P zW?1$~aE>`kp#%>q^=Sa+p62bb#Iw~;+4<`$@eEC%ogq&ZDYW^%%|i}}T!cZ-2Pn+a zv`*wzIx*RViEp8{Yp+eyHQ0Gdf+?_XSTLzWan3 zJehKr4J7gZeu+u+v~vL7d@-|bf2(%cG|lnYXMm*S&G)e-C$`ojDE9F~&b7Q`N-Eo) zDr35ght&V&l?EGL=(up``D=`ClcQ%fHLBAygnH zdvv${jL?+@5B2jq`@DIZyuRfe=aO1ny^cXXD-OcDuFiNokR#r?$$0wY2`vL<*~kj! zH$}JTm$g|G%|t<6ge$S7VG5}F6r`jJF+IGz$(K3)j8|6E5~;Cj`ty5^yO-V z?$Wn1Jm8ffuYQ4t+*(4q;r+51#CfkYu6LcN%+YH{u3f^kiok+c5{)_!vTW93y4NZ za3-v}cYF6Mkv9qVF3*GASbic|*21xM3lIBIy=(uxkzd9lMM=NcYB~a3!Zm2T%$X@x z_?Hwdi_2hhbjrZq>bG^1gvQ+vHJyf$3hzz4ej~lhqQ#5lbhC#%EiLm|z9j2E0R@x` zHHvl3+#@Ucuvus)33`w@3g5CCQ9n`@HAShcNdbBIYll^(%e-R(29&yOtt*Yqnh?^-&t7bxBHs3HJW|J}{$h8m2g zN4Ut?d)@QvHNXQ0XPGSMNZSK}n;B>)N3@$ngZU)4NH$yH&IBzCnkPK!0M4V zN?duN@7&p?y3H?g_W=7GCEKj9Oe|2BKdZ4C@a_$qFn!o!ihR!1GA>)tohrr9lAvAi*k645O-hAyQrpKvpZ@svme9@HQ0OX*bTiqCfJ2l z=RL;bA~50wlR75!52i&k4xu@-n~7T?;^SsqXL1fmPjm#xF50Zg3we|Ao02$AOoLWt zv4uGn3)-k7JUBNbpAnU_S||bqiM?TuRPrUa(G;PZ4>>%@4zsSCuP#q(Rsb6iGLh5 zvHfpkvU?)h1}BA^(BW5)Ns3Fq!nhID-yaVt{XVa08hqM}%?`4+yUfV!J}SG*4@0D_ zhoFwR&Z7t}8gJl4o3j9cuhe^Mj?vV_pv}3q2e)N{ql#K9JGjZ%CHK99TSjj_Tm22r z5fkKKt>U567ungGb6$1hBje}?p_Slb5xIgr9C5z??*#}K?}q>TCvW7FUT>&vr;Iv0 zIg%ojkJsOENMoQCpcMZGnwsE!YapqLJ*sSKrG#I8gW%z59G~)H^aMDj*rReV6DhiD zdxyZIYwLExC^iuLqkfHqEb4bGS!G#tR&$G;7cxteQUChek=th9ER)63@k5E0K;=@BF%l@T7u81wl*j 
zE2{?WA2S!B5A1&R^ZfHQcq_e0#bZM!^ZAP*Tq9i?W_}NB0nd6 zJ;QVtwt71n&iGX&X$KEnX%&&%U*A)prqw&i@ABNaBU98$`Q0#m+&FMLT@NpEV5E<0 z`2-uj_>7G`0_{wmovsJXvb1{F_&TbYWe}a;t~~9=563KY-v@^%E^XVK=!-Qaef=I< z`-L}C_olJXAv-yCt_@<{eBeV3XxXk;9$=W{f7!2v&M){)JhY=9rusZdse3C< zUH$HumWS=n+E5`V&{8mUs8*>((B+F9$g?Q1eYfw(-`_p4 z87uOqo2kX$_givKHme|)@7pP<4&jDjkrZ$D*r4l4zq-TnWL8aLY*dMz7Yr=np8Adf zXnw|xRaE#O;WPKtQi<2w=oBumjqKT{kwrOy1>>8v`4rLb@J+u8tEG?Nm?4-Wr1h|b zK9+ZpEGjl)*LDBL^E3MOU@ECJ$*2wv?8NvUC8~c;xpA(;>GV``y zeep&Q9$%DXOYBY_cy>Y&)WO`ibiXm2QS&hhZC=(} zxMJd6jdlYBxt!Cc>Z?(>6dFQb@FDOS`sVeS>$GZbn#^~mBsFN6s+Ib)b6iXtKnomQ z4&FsNf}>0as$YXtfe0bRA`_7V%k`famakU4Os+cRaA>{wPUxAX`)vLdECcoyah@wC zr&LV zI~Ods^^9YcFjb*~Pe?(731iJ9J3Fn0TN&yWrJJx81*ly-BjRgZ65{_91ZPs0E6PJz zV2(w~5D^V24~q|r&6?CYJQT$bb^6#H(2wCRm4(rV4f+VrhwIa)q6K8XiL3lT&o*6a z1BwWuUSo<@BIGcAeG!T}1$12in`5Gu7u)tE1Eek#EVLRHSvpQ`&s53s@RcP`))O=J zP-In}E4`U$9m{WTMu|esVO9K2$s;KSc{6^&q0rglO8WyIfh6Pn;lW&b@@lCDgR%zTXhv2Jsq4sa{s@~>o0(=LetnqYFrc%;z-3;Q(c+u?*nTvGR7 z<>GxWcr}ydZZa#j{c{raX{J#RCHRRlZOV}V^`B;e8d?oA(7_B7SX=AtP#uuVCq!-X z1cLCYHdE3!jS%pqh3bj$q}t=@6R1wHo!%EJh01NHC*U@$4pH5E{j?pTwhg1>{Ufj4iJle zb76j!5)cN)k#LpR31FgNNUSV+rwZ^ELB*qvxizD+=A^Ne>;Sdm?`I^(F{|{TLXIGH zbH@1w-|q=E2={RW@ttQly0%Xalv%UIe z3p-O3`gz#WRid%czdM;1DH%Xv#q*yf^!~F%!qFUNH?tcG!1H0s75@a7U^4ApnAd-g z*S=opv(4(G_38R@Q4O8krSP_c)1IA^ffyhUzp*6IrUEIFs#*9?VKDn?^*@0@>k|l} zy|cYVoU6cj^KHGc=M-EXp+~yP!`YW>{hA#^%7FSK<{?+!dwG@9rQFioSaC>Imb$V{ zTwlRn3$Tomi!7uLYStK{m=xU-Fu&vEA+R~z$cd>m&j6#H7_HW#p=w{4xvNHIb9t5+ z?T0q!)Hq&ak}dM(=s7HrZmdGt9g>Y}s|+jQfJ|rj3L%mzHEjh5gG|97RCER+W2KUT zM0nt`oJKIzARb+usychK_}u$CBSv*|6{Pg>S3QQ3t|TJ zP6#7KUf~_5ohUK6f?hHH`lIK0341`L9-ib`YpIHqw}!mX6C?0=LdgQ5&MooeUFM}> znTw%^cWA_)dqJ>ok`4L3p#%k4p&MyG}Ge7U6sv)NST z34W1eeAo#`9GnDBm;W9S7L$5!4;OkEak-I8L~WzfrH zD)YgFVaxpwL_aeG@_82>6W;w<(-t`=DiM@z-jBu>Er`#l=DuYhFVsxn;;VyGNgn?K z!od&rAWlUjp2}}=hNn=c?U#a1L!?$VE=>kr21b1)WxW_;8(_y(56a8VzjRNgb%+YM zc%@BWC^T&`g5X56ZZ#*P9ba8A?PMp@iX|;72GwFYrdC{bJ?|g7dH%c*Ihfix#BaXr 
zkPv&+htCVPXx7?p#<6uECqM2roL}?e!ZC-jC=7~EA3l7zg!%uKqqpZPdWEiuVgCl_ zaZqO7{r*bR76sZx=K7;RlJ8s>u6R643lr$bk3l7%h%{F#KM20cUKqb0n4Pu`7jXy}f6h{WK~f>)m8>`GpFl*zONvOY>dSjD{|`0y5H^7a)-8AhFqlg_q%7Pl*fIQLjq z9*^s~uL}nGE|KE9f{G^kq=!t?tWl>dSO~^Aa+;g) zPh38;gkXOl_3$YIs1Px>4D)ANXKSR|z3hedQ!b7QN-~QI#z)Diva9I(Nn51P(fUNC zPFkTl>=PiQP0yItH@hE92oEDZop4J%mOXGa)bj({31;{68q7aA(nW0Ay}WOTllBu5 zaZSCQ$#XetC{sHSr}_aO-WkCC+4I^Fxz@$&T*NX@0+XkU__(Chxb=kk@g^5^mlHk9 z{eJ&qverdA0RYf6hUeF7&B+F@!TG$Nbf}+78c%mhEeVaB`l~v7gNsyJ^9fsj!r`P| z2!(FzkkFEcTJ#CXVaPZTpC|bUgwL;#g*L*gd&AkkA`vq$79AxXXht5B+R^!xEiu3Z zve47b{|NHM1Y)zTc7}0(`9NjJ&Q=KCS8Buc(F$y6C!vzFkqsudRXFX94=44X#(R&8 zG|1<}?o`#f9#BN~+Z+kt!nwLDV!H*gbr<38PPH|nMRXapfwdS;HmIBaW|_%U3B{cw zfEqRu3~EoR`#oOBu}~%Z{Z;*Mx=AMA=`Y3O%CnfmD+QZ`*O^H-W1I*(d{uxeLFMWq z;^KT?s^7MrPLn;c)yIaP%|?pU9WpeW%DTR7u8xi6MwBqwFs(mQql1o$^0Zw>iH#e> zt32*nlqhdv zoAR+!CZ+j77uLdG|CF^#K=GOp-l{JjHXnPQQy|o-hPcc6-fAJ|HMBT9BnZf_;ca8!Xa)?^Gfz41lU^U@_3j9L9!tc5knmaY@x=4gX0d_kfaTNz?o=dHieM zBp}lh*IY2(Ja-#2tjR}XW^oC>y<>4iA73qv$*kaojM#V^%O)9W{}v$tthn2@b1{MY zKAiHCCJ8(yv$D3B+jIW0u63Sy;%jIh8|GK{gUQCqF=6;Vm~u5j>iGL2Cso+!8&0lq zTRA;eNsJ+z_j2^<6&IQK{f3nHwH4Ewvlnd-6aVnbE;b!VZmx6(>?L6%DYnZMiw#g)^h8#BV zdGaQ`u@3HrmlabQXL$AIV_4Jv(`$lxv5|=d4#ae4Ptv@!fz8zr?Lk-zjEEFswQ^lr z6e&2OXkK7dizxk^=y#T*VqG^~6V zb$+e_ptf74H;b%e)`KmV}oL_`cLXEE%JSXa!Q(Mq6wy_C4t19(D-hNzHCezc>SCtnnU~+T0v<_gCN2VaEDX=$f4c zw+Ok^$TiqvKv!$#Yu!#cme&o3KKNr^4b#NC!}j^P!skJ17vgj0Z8rg|PCv3a^=YE2 z&y}8nz=LSO;sd6Y9mjG#sYIKXGo*I2y}Yye)V8w$5m^f7zbpxqCsbtXJoO@GgP3|g zibOat{V$QbI@&HeGe3={Q1nUk_IASo8tN^!P34J9?Spj4@Wo`l98)Cl+==Drmp=UV zf6_6z6k4_e5cZ%4pGtGmg)JV7He_0zGJ!oFly;>jPbvZ6x8BAlEITe zRZ%BaRm?7r48CxS1QKX*nN!`?^o(WL76ydTG8>Ef?tB+zy;asrvzfh|qiE*vaw0dd z(`J~;hmBSb;*d;i5mSe&5Qry^Msw&v0Mrok>$HgX(a34q3T{oEvhB)r9$7X@*?ih{ z#waOYzTi{N?;7mP+p6RSnycfcez8kab4F0+z-Tp)kxHThw`3JMcK-f*kY(##hXLcx z4HWAkpB!j|mEZwyl~nH`L&?!xsZ{siXjX0(pi3>Hb+!hJoVgq7^Ue%PP&@{nx;TUH zXBbaTqh~-4`1(24gZ}$_^b-o z0HdlEfDz;2-TH@26l#3c1_`RA<`F%e{nM)Obm)>}KAHY(PC 
z{cFka1wzz{npXB4o{qz7_hx6O?ttuRPeVb-Jx~=w#)HjUr9j2WyrXQ8l;vJz=B$Ad z%u5~zu$Jq=@FU%P4|H-}f!3eSFAwZHoUFPNsFtvx*K^PGO272Kw~ekX^*0+?{~=CT zpkJ(%kCYl(7s!IqHu26xD_-WcPy?874*vp#j40P>ATaOg*iKg-A%rvifFi&vs%DrD z*MeoFQ=bQ*4_K9x)rq`IpIG0d2@E!3QVxaIN{yjEb06#_llAXw^tMZmiI}kh;n`>{ zJwVZU;A*?Dz08*BEZZc(_u&gu&nVKrq)3wTCn! z4Fe;7*x?OS4X8c%QEXDkhV!H`?h}b~L=_GX$(tHFl)eFRy!Wae;R}F6%q&h!puS=(>bC8U8q^&53lWh0$6R=_PW{Cdn zY+=(`Z8+N0{i+}!2xrni0g?C_H<3yLSRCC~a=VGK-HO*&$gJu=iY30lsE7v#9ENBy z(*Lpd4cr@@Fs{W%2}K2rAIiL-)xySW!|Fi~&wQQ!O}jryq5ro~YT{AGd%x|r>RN(%i#mx=4L+(>a z6ay6*=0Atogx>*dF;8#);2By?5*P^?JJbmjQki^9O#5@Qt*kh-I@o#xy5Z~O_IJW!3Vv8{>e(G^m%ZwuD zfsU;kj%=HF<}@Xe0d;LH{VEX!kRn`T)T+^roEu7ElL9W)!@))jP=ii7Hf>(<3|&(v?X9L%?D%x^3e zt0pastLOGjlse56^vV>J5i%&?5MGEI6NqAXypzek3!aG~^k83p6QYtEV|xykAD77mxg(_%gwisl=*sG7 zt(@*vA!mOf+-Y}uR{s9;CAfIc+j~&m=JU@OY)?mno%UtRO#zMElG*%Is^qUVsg&Lq zJhRlpBZs4jUjx&r%aTV6n+Q-F5^`#g*dM)PIbaUG2mD`8II2rp*;G+=Oll{0!l5(5 zmbh~shCzuQr>1c=KHWhk7P16_dOMpRUN7G5IRKCMf7)idF5NqhZRrG3Qz zp%!Qza1>KQoAXFIqi7f_a2G%XZE-+xG0tlI@V@YJ^S)8>w=5u|-_>_C39mTM1P3oP zuORb;a6iz`K4vZU1Klehx4;>p%k`6yWND@c7OKp~J>HE5RcWSI_5is*2555`eE`Yl zIOaitthmnGrcyD{kn_~(z&K5Cm7*@JSrVeblbANIqyINY^?9q{>W)!N)fqjm(1ZFIV@sVK$LP^-Z)6EnG6w&x zXQMTT9lPX5ey1!`-NVVAnRSv(M2;)cKs(rE4g7Dl_=UIN2o+ti_ohFR#+2DNbWop! 
zeB&3kp~YrOaV^V0oM=S?KTp!I9ZO=-mT$jZ>5=gZ2f$&#LCTV<|G3dbVIonc`|(=} zasx`Ve2tFmO2r=1`_3rXo(t-`-WjAHE5x<+PFbR{wO2^UAi;h_5EbNfsf3a{JK=d* zNA;po?4)5jUw;tcWsDXj`D1qMu7|n}QHXJpbzLax8gEr`RAH?YF<42M^D$?m3%4|4 zgFmt8ENnR>3fp)*eWS7w1?3J_YRz&JWP$HvO782AWU4H2dGeHpa0w19P2J)HYlzR% zuuu6Q!N1HHpfWX8!RT1KE;4&igQ%>mxUCEFW|Y|i6cCpwobP|H2yZlJXv z+cPJ_S9ZG_gbUI`GJ#=KyV(=7;&Rn-|BI9sX0z7AJ<^h+gOo(wy%Q3&+%BQ_OVQHj zb((6%p&=}XPjkaC;Pok-%z=o0%PS%VD@aLbqc211w$c=+L84dL9QqzgjfvYumk@0{ z`eD*^KaH~u#>d*p2wiKTcV#Vvp89-HSBNvnbnof8pZVX-I-Zdyn{LKDwi_25Rej@= zGt2q7v}y3!sWVs1srkk1)yReKb3cL={Nsu8Cvj(L-T{P5BOV8(>kVb>q|ox{S$@BB zjcMrun2!N#=g5IcEC=@=TX4izI_VPHQVsmV1`$5tEu3x#W^6x?cxQpvYGC7s`O&4a z_zRbTf!3TtRCQHitS_<^wP^3jRS(+oJqBBRzQ@qI{rM@ht9%a&;Utp(DGX2%ub0U>d$$T8nzf+iGNg&4=kh>I5f+P8+cw)Io~_l zXhq-@3-m?r*$Uj3>!hCEqt$4BPYCBbqee^gd3NU9PCUA+X&vbBC_z6pY}uOB!Ef2U z6XUx{-=)j)sCA|?_-a?U^V0Cy9kcn^#mdypOj{Gw*)Xy-*(E^PIpi>4?R*({@TYWv z)fkT=U$&raa*|Xb{J!M&nG~Y@;Zs2q%^gm7JOR<5sH5ac%;FG|L+mqv=2Vo0X2O&S zKV({|xXz1w9u21Xn^E@6RrDDt5`!MdDtSho9hrJ$ltHBO_*GWuG!n{;TTGe#Iyltr zm$$9(7S~uHGITqLCy797q5=!-h2QUvz7yH`Zr7Z@@Vr)8M2t|od@&l_4@13?${}}# zKVqz(MMi-$YGo@(MWFbwCQTSIv~&f3yRgVRkLGH2d^x`%%{0qda|xcSjs=4))GWN( z?IFYT|Kw>NXv{bk0k~+`&=2ltgHaZ}6*1dIq8S-Pw!hw)kG$QxEEt5pr?TO!M5}`R zpCOy~Ql=DT++1QwS_FRUl#FsPcKyH&XKVGsrS(!VL7qcrqZipYv>y(6Ji=B z>e+Xq7l-00D8b>mA&C7@L{|{g@z}KtNZI_uI%VU0Aewe9_x1fMGHa=LZ#hNt+BYQ8 z(W-s)DV)y#Mn}&QjY(dE$G6*MF#+VL5UAlEE%bORAXmZUe^;dFqHr~u!P|ZN3TN>2 z8jUH9&d!NM1iF36xg^0#5_phJChqPWmAX{AUffJAQHKqapvbP_@oyWw^to7R1|rkb zgi`aiS47z|-ln%vlJHvh?HI{O?smgx^)En<;^2zEkKC7+Akg zMG=$O!t)WQwC^`I4Z7*oY;zX3>)0C0ZIq*L-ti1o?LO!Hkq8cO4===B=|-2$I2|oR z*FJ;D2HIvu%Xt-Dc}I4+0S0`>jg<4D-gZGQep9HMow0ShCEqdyl$iLwuO7nhH>e4Z z|LIrSc%;0XcQjWtY;@=b$*CYSrpuys9m3OW7CfG8hKf2hW&tUAYE_DrPx5+<*V@7_ zD)~gzl24Q!MG}H>IJv{@BJV>)-=kU}-C zAg0tvx?7cd{FsKjgZv>Roi&4RFnqKgvfKa;7JE}hyo;SY6~724)Re>Ied^9G$cC%gzg4xL$1B+Wn_=Lh=myy3Y8+jW=>}veP~(9h-PlvOuF?IS)V5 zu^m++TF9jG{s7;8bsMHb=5aN;MU*dWxMnV`=n4s$0)i48)~rj!@mKpvVA#xzj+cVu 
z;}aI&w8qiGQxnIKst;#p*Tt0;3Ihtu=W2pS^U#Bo)+i{~U}lFzt&3RNEljwZzFUZSy+l8C&LNg_oHPak=k$ z3e7fDJU;z!nI?6DUTD=BH*rJClTh`L!#<6`3jZ!f8Oma7T8Ud2Q*IhY^k`fP!Tap+ z7-DvIuR>>`|K$kl`o$j_Eam3fLNufOGVl@r*gdULFZs^&8<6N&KKs#%z2fgP7g~#qb4hTRg8y=2a z>!BWb8pBkD&5BvD+4Y8gw)NtZkDw%8L|Np5@4dl_*ItU>o=a=?i`fHX?DJR!Q^$}fy_HUbh{0leAS>!3k9(V}PJ@hQ$4H6r z$_z>>p5>M%#OyDKfWF&#{?G`HDUz&96BtP%@4(TP_q0V>D2a{_E)c>JVdtN0DR>_@oK0|}Iso)R6hhQ2Xei1c(Nzy2AP;Bv{ zL;dmC+LceC=bwOBG~Griz%?HdRea6Ho@)iO-gmU5>%bnqz!%Ie93wb`hn999*M!4i zM17UQv^A_Vtx72F?(^FIrYG>?%qILs6;~?hrM8GTOnD_hN1apf{T?x$=nV~*T7(UC z{R>ac@A{~U#=Ah>?(yb2BJFgs6BjR^P}4Q@;btMQA|5~E_^|}Jmc8Wku_RnPOX{>J zRVMyU&qo191z20}f-lq%3^iChwGKE62?Rpl!>=0}&Q|%usQND><#+*nkeaGXl~Yse ze~FS##p`dB-Eerg)ZK)QV(M)6{Gz=)XTi!^HxRC-X1hKkX3+r}U!%jOPR3c9i@1E* zyTxp_KPSbiOU;^Ol2ir&cS)4wJA?iH2tFSQj|`O<|v7oBoR!p$E@9JWLrbD ztK%pdLDOE7s?6*^!jX`iwak{%*c6ZTA*|qoo}QYoGyFRX=OGCv^5dI3bn-NndR3Sz z@UqSVm_)Tz*z(Uwzx!;7`^G@IO$b|6ibiV>tUU0=X1QK&JL3dWjWGczM-yEhemoig z%jDm+3>nMxefkPILhe4jrq{_LFgVVC*drA`^et^)buB8lw9)rBD@HrbSxrY2`f#ED zN65D=c+=JRlmrrsTW&8JT>Ng+_Wz2DqDD`EqZ0X(+&R)F`Q*pBnn?}7#WHBxpABi0 zLo^mHJ`gHY>nOTM4+7yN8&FSpUAxCYjCH5<-ls(_JFL-I+ypH*uDXW|YPL(O)lt4p z#g;M#uA6Zg)O+j-ZFyN=M2h^n=qCw4q%uW{t-^mj;A^^)4xyQ=RT*B+*3kCrUNWZe zE}8(oNFVUEX8x(-&*%n87UCK&qO2S?ztAmjBk}tWvB+;4XdRo^nU;3h=PRW5g6#=& zF*cBNjPrHbI8u-v6>5nak5F~s23q9C_tF2JD-Qb^f7D=ZSEI(K zfosS^hMl6z14TU&L;oqGA~iSGl6d)x)?#q%IdOm69o0OLZssD6^j5=c|Btb+3aX^A*l?%GNERpIO+!gscXiJbq|{MnCB#pvW~xg0NZ zW|0VF#fm+;69hGfJgj!6QdoXNnuEJDGA)n7~M<_To3tnJXz17E@` zVa$aPMV=pjqrzHiIPpAm{;ZU^6<#MhZf{`2g&m@xszl+;`!d7xJQd0Hc`pD(==Urw zuYR6nEC}kjzgQoEHaD{IRObiepd|Tl|X` z?X#D#^s9DB`0E(U*lWnfN!JNVfNqw=;aR9yBO=tz*RAli!2SV}ctejjJg_oaIRAu2 zRwb!owl7=Xu62~OvMT@m@SO-^Radcz#a;KBXOrcaPPh7RrKfwN&QqYYvXY+7$j_6g#iI z%9cbHmzd3%7Y*gj5n7*PCO#|om;b7@J7HG-k1sg9q*_P4D zY^t#PxRt}sfh6#;Ws!X^e{k?VSTgwLVQY|nH;m#9{ewY;|HP45wv(E1AJ{uGV3Zim zCtg>6*0diICxHTXu^j4_^%+X}z23OtYO@ij6mD2HTE=qH8aq)ATe%YmQEO1e;Ghe( z*ST0M_NU*t*X_HjVlbB^w$~*TfW3qaLW*Tj5iZY1)vMO{v)#gvsyrqmS3O^nC^$z3 
zyf`PGSZyE@y(v%4(%ciA;HrhE)FlPi-j3tesuryFs+g0fiVBPoV`;1I7oXod&;5(f z7H_My6KgVZbSyr$-%3npO`Y@UrceQ5TK%MrlSOQ7&bO)f6LPKT?LBhGUIdsji-Rm) ztrV)2S-`4jr3=$QLm>uT*QzAF+q7CxA`l~fBi^cBp~gI%Qt@}1B^)>n;~bH^Goj9$ zVrC(d>6+?*K1p&gw_KHyMSFm(LteU^cnu;Q7OZLE15IkOsS0?HY(I+xK2S)*C$5pb zbt2C@BY#IN`9u22XbO{yyJ~6PW^Tb&f$9m3;*WEBe6#qNh`aNQb3s^q6LG>*pmX)ln4DBArqbd?8Lv zhzwpAI3?X^Zz`bm{;n@%5OhYwVrNQw34vYiqWqFhrubo#<} z_@Yk)3s;y-UT%80CD@ON>#y8#XM`eyD@baz4XKL*vH%T#Gb#{g?&X$l$%jI|pp)l* zPlk_~ST8|lZRo#?g}Sw}Vnc>*BM06~J%KP2wp9WhOFz|yj-(u-z%!l-|{ zAG){kPoi*A{i8HyFX!mW@5T8D9$)AJCt%>xrK$Y-{p*a9?qkp%;~?h@MpfU>&hM|Q zc%x3!+RtF4V^N7Jd%SS4g_CoS>HaIy^J#siOB1r4ZGOQ>9``#*;}R(qoel>e0dNWbsqHvH*X0L&^g7*R zd6rku7!vIzv|!m1Vm5Q%RPe9acJ9IHX4m)jBUrys5H!1FL?~vr?tJn~5td{{KyGh7 z#-4IRcraszXJ~O%-45OKLG5*%bs*=Rk2${QbR&kx3#CjO_D3{}H$;IKuG)+Fq1=zV z>7?n0-cbUQZ88ls{H|pHwH0{fpo#zByA$)!2uR9`AnDZiPe8|tO z)@c!_5oD-fHzO8=C}*0%+fy1qae(qOv?Z3dl9u>QHkQ(b7g8 zpENVKkt8bm$);><(l~r*e_-<BQrTN-3>+|W$H<>8qw>s`6jBviTY zxHSu*4Qj8pAXNx&j@B_8+qd0j!kwFERI0>+=?Zl^esRCK>F3^fTJMlblWGd&bN^Jp zE%qMNt&zYSg#Gt$)t~Lx$63_Np@@ncuk=>Yhd-lHD&NW#17TYwyD@82=MyrGH~{O` z4NV5d`QA~mTux>R3lN$!0orhMf4!OpkWg&Ng0+i{&0mOY=L!(yUtv{mOJyW0{2(J; zDHR)0f}CpX#5?qG_QR(MzLcS=pbZpFfBnG=AK1^LZLaSVeeHG~A# zpdc#K)M1mo4Qti%wJ(GYF&2b5y9c3d6!`ymC*DU?vvfOuW_T*&sbk<_2KCxMe(%O? 
zE44!5f162W8;bcMy4FNiO#FD75Y^A{u|jyiuCqDakEr_-sBxCqFxvN7dfxFJ?k`&S zKT8j?ku(`QGuE*ad>nktH{ZXQ*)r3AKbK}+GE=5{{N1xhJL&@TLJTb2UeJmbf4&Ch)i{5YSs_hVu#n6P%R^c0*r>Ye<+>i zL|asJO8`>#0UI9Yy10VgZ|>Ug)w$w&2c7A&~95EEY z>J^)*|7-RlqWz9SMS~s^k%C#Kf`{a9+*@2<0H@&Y)6;K!cyE1(Q>GF)Fu?or@U5;T z)69oon%6dAA_)#+pr=@kn@6~LKqQ1=b|x;rx+Lhzsop%@*qDmU3?LbQVx6$D{wL9C za*IIXQx&ziTg2@xK$ON}#UQxF%ZT>ANB5AyJ&7;I!SX1mz(kG%>fcecZD z^6>{$S*g&-rFN<%SYw}&C{k|Tz#AA63&6%I)s-~|O-8du?>JoE)$?9&E@>eg&pKw0 zp-MjrNf6DJQDum?DaxgtPUV#Rx@SXBHYl3KO@xu6UKJ)N(GkOjn|<(3UfPU)*kV?} zUEPU*`S`JTNQz}6l1TG;AYPu928>eqTBleAEwiAD(1>dc>#QR-p-5(UVXfr3!|*{W zpr+qK`jAYMvjZl)J@VY7{#1Nm^}kDkznI*T{cL)Ci3g`e%)XaFliFC&jeq%G`=FkF z(2^a!gabK}uz2}jQkZq!3Bw`PaR#mi)+3H6x=z%`k_(2p<-)5Om<+09@AvZzc-}XO zIUIv7Z2#P?eK6n%kVzZ`d>ctEc5b9qZGaY5Q8uE7yD6kHQ(#+WNpjqFQ_p5K}95d`tRMs;6)-LSTrHNU}iLl`Q;5Z>Nw_1 zLg8THyhM@;S?U3vuVFXvT&4#srz?E+;Oe2}QQD+2N@{)n=oDSS`4_oE43L+=)y$hH zdld2Ag8^MErhM}GB*8&$L0Uqh6VYkrL2lPLq-_`_eT9e^!Q=*E{VZh3)MF=EK z9rV=j5LC&K`Avf0ffY>X(K4hK0J5>S)Ht8dE-w8)PTa3MQ+`-b{NPo-97(_42HK0xvvltJWAOK9a-)}Z_d#`%H!W=DsyI}e7DPG(t*b}u|&eQGD&FEEt4;g+^>FZN1!p?T^^U!~? 
z$!bL2$Ky*SV^G--BpjN55#=Sdv|&|izX-W}TZNsLbGa&=j&;JiY$HTZF)`yD`0}{b zFPU6w5D9-_s(y%X21$+-eoGIVMhrByf1;eaep9wVvn@bdh^m=*f|GwAd=uSJ%RZLl z*N40yq^0%JNv)`H(>^T@i^4I_^=pTzCKz?PIPcd=K7wAy#bL_2;HdB_^2z;zWwiNe zu*c7>y_j+K4<-`a?4XH zb%ZwCq6KZ7D+oq414;g(t|?-m?IK;WXXk5w{iDdGNqo*c{hu<}wg2OnZGsA(6Iw4q+HEWyYd(qJaoURSLSk6UP zO)p?HI>>JGIZb7G!T_>#WTg^)>ToA$&$a|Qkr*OT3B8DFpGLi@oBQGTW@e#ZuO5!1 z9|UgqXy>PJ`47Jw&K}&IScKZJi*l9V8J&gZ!mq1*|A(KoF;&1I`nY}&4$&ddq%^LFMPzIJfTQYT5bcLgpit`J4I0ft8x zJn;7X6EgtUJ|+a85Lu^tUSN=ajQ_O4iPFkKoPEk8&x%UH7dE^<&-L8@0*JE{HPl`A zY$Pkdf|;WdK$J7IUJmJY^r&nQH3pZ&x39Ss5JGpG%|^&|q1TW|O88b%TeL;T0ncXQuYH)IH@KK;#8 zJomXT+lo*TJHo|4zdi+)6S~5CBdyAm?XvoFo!tWvxJZoTrG%9nhZMt^|`837N(pu1`Vu zkIwk^rE!PzJu@!czzCW56TXWm@E7%Mbe)qI+A57rqTqYLdRuV_8H8=0d_Y<~e)hMF zTYkzhwEMu)A`5DECSYKRTAvqDnDjTDucYHFZ2nd+3f>W_eOvrm|< zq^dpttl|^h6Ta2XzYspw8xE=}-D%@*(;>o`np;^DE#!@wnGeE{4Y=5z2*M5s!WJw0 zq^co$u^c>2_d1T2D_n>8_)pW{(R8BnDZqbjhb4926Qw|ZIbF3vQ;dE}#bYlD&-eAB zEfhrduVbiJG9hEc!a)5S51N%)7Z~0nRm0; zr3Whsp1;RRetx|G1FR{Q&J-D4gEl5LXkvDQh9+0H{KVx5jJaD+7ub`K7lKls^~J25(mbg5WSm2Te>CiFW&(H-+wk)4>442Q%9+sGd7N;ltL`__%(8u00y<=M`^0+uflzJ zEim;~KRy+K-*Nl2wNl^yNoUIZx?h9CKL6@9i)pcP)gI;jNZ)VYJyCXJGO1I+$c|>= zECGqQI$%D3Yz?>*xlVSgnw2|%{)C`2me(h+02{)7b3PDVnTwuoJ3o`tQ9a@^SC#S|Fg@3-d^Gr4cDcvzY?^? 
zfDns9BMNhTzvWqRgX4bmZJ0LgPZvaFS@x~{5=K%CTUiH3Vxr{vrOtvJiT*-PmvB}2 zo!dt|BVBGLx@c_|IEWxCS7LRiLx-?ygu)sB1Gt7BNP~P!O=GSI;3j6*+%B%m+m+TW zt*yH@uj>0e*ug<_SMcZ{c5L$jE~y9)gpGi41Xa=@^!Bi8OQ;*lk+gt9zoZKBdNgz9 zjwS>1hET42FaEyS3iuS?-+bN(T$e=mvnQ!=S%==fp$hza%|JoOU1W3!foU#zG7f`c zw?+HD&rp{-hZPaMBikLE^~#o?G^T1y({s3ar?ws*N4D&#SZz*w!rlqJ-vQtSd4H$JDsBGlE(37s5XHKIRE%5Ic8-$ z%2XCaDuU~^aYp)N=Q0J+J|Txqlr!zX)m@@{^Eat$D}alw;hN-rnm-a>e)C|Ts`Cml zvWa+Fb`%i0y-rZE@G}4*U8>p_kq@9>^ks*_MVC6eV|r^j(i*<6uEWnT)T;9gFP3Br z$CTh+6tttQfb#$IZ_cVj{pBy8AqFhA&GB;5r0Tag_%lRVgr>6|5BxsYq`qI3zSr|5 zvn0m&VD2S?EAVj5E>vyZgaaukdmj}HD%uAmZw8kwukP7@()}oIdFCaKjZ-l%3b#cA z1z3JI(D+ScKT3Qx&zj#^prX!T#L?VU!e53yM&`EO&d-!+Xxi$J2IDD+%5Yg8W0;-{j%v{!4NoT^z(=plaTSjrT zTwpN^U#AQb6)3o!)5`|~pqBA~JuS*i+_RE29yT_uEM{giY?2dKr7HMPzykMy-FfE5 zbih90YI`A4PU!UB%Uh&`4%NU)iG>4uBDpTd^Qr2@>9(J2PYGQYyu`cQ=<2I3RR&D| zMaYWV`i61^y8txig-o)rPEYpFqrluFCX6JfRuIBZgXe_Z)DN?NJ^u>IAxQtOFY!OB zUQ~u=Psb(1+TITB)K@ZoVJQ-}5G8W?t#M*#WxCyixkK4CT5ZBSLi^R9fFv#a(fecsNd`d%J7BAlk8kJwQrF zbN_(~ltyBYqyqzV!|Vbudn2w^nzpCS52kQBLApB!jh z32TipnGN!a+RNm!3bp8oD{EX0D(oWDo^a%53{}2B9o2|NN3!Qxl1q_)A3_XGQ;eLX zv-(PiExTi4Dmd3W{ue(3oCwl7L7IH!yqEYv1tbiI8|{!&FBtn_n5{@2Smf(Zs+g4% zwc@@}-tv5+4Zc=8y3Wn0Q!}uD55fq`e_gH~IDQp>HM9E0DmTG2M1u83ha(u{#nGUH zU&B8&{f`~{X8!?4Qfs#C+;Y~Vag)w);_!^reGIc&p4(1>tg?|){&%ig+uI2)hI?ak z+}P_~%)+gU($~iUlWE!bc0z-zwC-M8pNF^2Bxx!>xdvZcD&MnHuO!wTQ zrF1|2TEJy&M88L!nPIY`!9X|Rz&mC3tF2d~T2}i538-HWDic0>wF0r!KBG-XPn~m3JDdJNml=w z$;mbF_7F{Cl1eo69fF|E7v4|lze~MgK%q+%jp<{p@Hfs4Av^6ZWR9|F0k2`|BVAXz zP5&U;%h4TV-+~Dsz+IMNulBW_JBa()Md~g+W7KW>b#%FLdBw=t8M}o%XH=+# z@ub!zkj*YQsY2RGl%ygm9KizA%XTKDK&RxsXIGW}z@P8E`^TuyDMaA?q;Oe3?`ELd zX>>)Fz71Pn&#JL*&7|$E-r9DgZttq3)(eD#YY&OlW;|q`2;`Be!MU9S=FX#QwCNt- zif+WIGTp;+Gljt9!jHLvaEM?;Ablcp<(IQI<`8COCi2BXswGR(`rjV)5LdH;IEhkv z_i{%J-y;aml`}X$EoFxDSM12i396003_gz)F!(?E+XV2eXyqfC9h*xWA745-QBAd4 zG%1!_g+4|PQAK_1>ZZt1Ps+?(-{ue_qV83|U-;xQy2RvW0zL(mYt3)+hoMI%Xw%k` zO{`|0!>X(b{mK1tjK6*rL1kS?*h(#yb3#+Yz_7504nQ&wj+R4Q13F|8i6P>{VB4x@ 
zW;1iksO6BLut4EqBPM^?Fh#&u0l$f06=)hbDYoOLxv8O=Y)F7fE@=LrR@ecmlNT83 zeY&3=+wfIL-7LNJiI#7TSldo&XpuJU|47uGk&_~(M@<={t7yQbMCoAODn<=xuZ@9JxXNx zY(ff)y7Kt#2X=~ts7Q5^pb*8yOagQnTrvwm8%2wvc?+X;qBq76EdXkAs?JPu#2rA)f;TWYt zFcldHzZ!iH8)~@s|DQ~-&78yjWbU6JH(H0dt^*@lnVfu94(W=MMI-VgCA5Qmrfs+i z6`byxz*1B?^hd0=9%S}E@dKKzk->%^O}2nz>)#VXk#K6~;+O~4A(2cWcAoI?(k5}Izy(3qw{O}+15?G)+{NGI5T|wt1V7trh#@=2D4W%zF4$tAPV-HQ znwKG0?M`C??K9`ETP4oZz(F5feM*+)l~?|~l`ehV+3jN`hG1kLS6xEzjix4D{798{ zr?)_l!&{?R9*b3G8OP)xhsNJ)(vYq zPLZjfXzAM{b;$9gkr%7Ps8N_>7!5gDC;<&i5*Nbv9P3kAGFk~{e*d32(R3{ZSNJZf zK!>d3tj2rK7pmH)i@37WtqCK3xXymTCl`9nm`}uM+FCBDIwt0XFJF3}GtXF87pLqcM45-5Mf5jX>Mx=J~%m8Lof55~Jfb*fp zqtPv}aWbf2YFob2@YY)FM6O^U-n;VK+>WDaJY|m9c!6KeekVPx$^%jQ^cZOSrx(;zLLdEC9pE3SxS8B* z(ap$Rmwnt750Mc(6*Nv=h4|R*6f?f|ESnh&hMvDfMfF?GtzUj*p8@iNh|(-q@C;Ye zR!jNC-_wndf8D-kUKUrY={!cpr&lhHH%+eNRh3q7p@H+}AGbNR&vU*-oZkKt$`BK6 z9@x+&u?1T8p%-s#v+V?MW0H>syntwhyQgX)C!Utgz>H=yAmQpC3kx(&O&5xqbAujS zok?R#D=XrR=2-2My8LLp{CecrjBJksTkD652?A{^k?Rp3_A9i#bipgY44_~n2;yVW z$xqZ@+N$DYM2`>5Q;R`$1a_@PRt#-b3zbEAYD@{#+imc}j#`-oHswg17oRdTNH(H)o&cYSZ9;$#b)r$a9 zE0yWgx7865gu8#7N<%kL?IDnV%&e$}3dFPvi*%6_BVa!VKr#iciYSaIbKUW-sX z5{!;vnp;H8Ev6LSEerz>4$48j<^j!p6R|OU%+Bt%Q3B!}-hl(?$egArR0DRT> zQB>!qji74>o8ty)8IeHyad;uwKrvG=qs>1h#X)=rF*fzVcb4hN~Z0b_^GTlx+*gGl~9mT-JyCh7T zkIJcO^FF3ifBxdf)Vf#ah(nQCb~h@2C$*g)gu-QTE@g&s!YKv0i?roGY{|+v zQ?~Yc%=VYl$$@utuSU!pUY;LOrg!FrX>n<3=gC@1xNW9$2}FYK$~8gP^xiE__arEq zs)C7OIhNY z4^j$0DX32kmXmkO4lDcOtUJ_%Nm{H#W9jmp9KDN>BrsQ{3Kc3|sTEYFGt`7QICvmQ zZX=^yQqMP5#=?PxXFlX0qXRye-GjSF*ueI#Qo+^fV4d`PgG>#MHp%#bvfBFnJzMnt zuQm;=?vUJJqFjgE5XXn=$wxxW8^)imX_WqSIe|gz5_x^8l5>jKc3<=%SVpnmU%khL z8617k_|k@!UQh!0C(jR%+rFgxO(Wh43z%*g`u^+pQ`dG$Y@TfrtEV(MKHAV z>3pW?TyuLma0+}&?R?R$bp1qer#p_(?DUh<56Pbe^JKRUr?)AE%bAsO&QrHKnDZZ= z>rLZ=8&dhj<{G|AD}j>y`(*gV+Ii%xk_{Q*$C=3oWp(mS+Y^=*$Tubmv!^V=CHho$ z5cL|pXSMw!%Xm@`b<4Uk>Ifm4XQEf!SAMA67fpVjBG?EXNAENx=nI>v$;o#|B|W16`!1`CFeQnhSfGRkJ|;GOC16V)b_jcjp)eF 
zo6OU#ijzb71ddhq@{m+SrV1HypoA@A_GB@MHm^gz>VK7KPQ~8%?%Am?{qwDeM$6}S+xm93=^X4tKzh7>io?AjWbv0E5g3>{~b;Tsr&u*yUS*SM5p4Ho;b8}AAeUVz6^fd6!e3Et z%gfX;QPV9BpAV8zxd!)1v!dll&lg(hk%W-?Z@ozkiv4Ik%tijW(;Kb|aTETD)rB7J zi3l|Z9?ExNLSpCXs8a7pTM|}OgH*R$aXu$ov=!zhriLe_AQBg?AcVc`?jq5VQ0HK! zCKWdqxE>_R)Ile}8aF`_17*H@QvbMShh-ju=cPZWsAS)N1sHF*2Bry`L(|*} z!ID9%s`n*8|EmxoF$r*Y_g}>Fi22F-2L?S1Z*o0lX3j?ckgbe^Y|e?lQy1eIQvzad z7{ZvY;a)UT4|m7U{?$6kS;_1m7gc@`V_4pt10)5!cNPLQ)w^#vi|#B5#$=ykD5;Y6^ZZ=@??& z&ZJ6rDvonFhr+N3x-|{hCJNa_{61fNe+A~U2E-Hh${92u{&YbwbVk^QA!betoZwcb zM!$hqEuPBGFNxL45nEy|%kqYoen1+5AW0IJcd@U}G~8_)5{wy`7BpU!`cfM5(4w`H z)4%+_>&Q&e%_(n-M8nUeY3fcDwmE5jb0EbH`A+cnF?GM}D8umE+bqH!s-05%BXKcYn~lLg zb|Qr&>esS4R=K0YG&#qZHxkz=`di$zllHUn6As-u&&~9kV9cBkujLOn600OR;4lvA#p;VxAJpT^=3LG!@PKGgT;; zeie)#>o;966<0_X;Q-sMp?k8L(o!{ON|u0tlZu@%NjFMk7#D%1kGIvaA!k9Z-Mo|i zrbttEjZ4)XeQOz*q?xE6(Qh6os6ic=B&Z=7m?T;spKF&{eB5Ydmg>F3P&*N;^C1N- z2*H9{)bx^sQeXXnZ3{-emiNgBG>RJo9Vkh2&D6KqI??qwx9~z6C4A$7Zk|~&u$5G- z%|Io%3pV~pQANd!XdKXhA;Zst?4yp(sxmx;lR}q7`jhHx`&nYcgwMM)y_mQY#9Nzz z)>MQXj1+ua#aC?9U+9#;9I-?cURz5n17pA)OH14B0*QH~hU^1*qy{UU5Soj8)U+fE zVM$)lCdOl#brpm%IYyc0eZnBwY{H20K*?*$9gsGuki{$XSk~|1pvbf!feyRI#Co$e zMSQD+v+Mq$k@jnGbA*(d*2zk$Ufqfqvx=3|b8`&UKrv6aKUgHv1sE3NWY0O0Chc;6 zE@AIlI9O%lkabYJvBT=8HI(SG5pQEtjWEX<1?PNf*bi!A%Q$d zhPxT(D6)ijkYcqI5x4W-hH`sUBuz7hnCKc!9dFRJrQ%avlIT*|Uf``$sh2~EE#u9g ze(c$J0gn~SSLG~x6_9+5eMQ3ROv>k)cGu19*57GT0( zY-^)LiI#2cP-yL!;ZjEHO?Jp1m$7fe)W2bb489dKLtWpDCpQIvt;}3;Q#l zSL^UpulR=`vr%Q5{km{ld&Co}z~3Xn!E>yh^EIKpz@K~#r#OwV;@SVA;?|ePuJ&;0 z+vu?lYr9t=!|EjsD^O=8vrYgS%`!Akq>&~q9g(UKy{Mkh;i%6@W}Z2+-KND8Iw+X< z1nq9_7E2({?E$G%oUqUKB7)Kh^6#h%QBiO_N*-UP5QX>mxM3rg^H0PIU;SHgbJODb z79<0bgzM*WBKp_{pNY22=XcsBfn&)vNsTTXqiGgd-Fs{#X6ZA+`>8oz4G41`IFBxc z+G483aI2Q{^n*GTm{FGE%3~as-O&O*7rHedE=Ht*Eb0>XyvFhqg>p~xD@zRT z^sWa)pdqC5S1Q-{zXj-bBM#vq*?%Ptnr@5elSG_l?SFFK?cMOfwUreZZns_&pf$&8 zvH=@HbSOrCQExt{4oyg=9F3)1ZG5CECvbr()nUicR+EDSV00j^DW@DRdpGPK_soV* zy_vJ85g`mx$z1UUJD;fKR{9zTEXOC}*FQ)WFK+_t)#GlA4$nkjDPi=`kJMssIN;X4 
z!d8lj1|>z0DvWdLdWpo!X-A-21CN^A?X|^3Dzf@9*p4mC_`QjBjof&?ocPC_qA^+! zV@9u-D@vym<{#!L-#eqo`?Glv|3Cv_*S9|ECKirs>gywYF()PCn6BP&fj1^K3eiI= zLV;4S17Fsw-$C>3U80hM$-D{p9x52Q(xwRfVKdK=TuS(-Mk&=BrZ$A6uif>Ua3&LB zvZ}h$;Vm)I=h`>H=Uo4@g2&57!rT5wSI2?1Qxtkep!29FHFu2Nt6i>lm$s`6Cn3U9 zg%H2hbmiLaPRx5;4taJ-=925i#RTQUW!36rue{GBY7!29OgEPNKD3bMl(LNeb6`l` zFDa>2=v_C0FM2=21B)CIwZ*2#Umcj^5*Fl$ zD>#R4B7$w;_oW;PSpeXOc19`j82}bhGUGf0A>sN&F}+GXLaT#yl-0CKf#;3=-`_h) zeHI&3J6F6CH%hq&SLT>s3D+eb5>3@+vQsvPttzHtX!@`8rnXk_k~%H3L-pZO5>(Zl_VZ#2b z(s$GFn*7iGF*rk^{z=9Q`|T~~vhj4N&`khCejh}HjSoroz%OmHs~ey7J(*lNBc1$Z ziNO$^TU(BvFHVGz)BhURjk7B->C=zTNB4U#8Tv8HDIRPp-rvxnVaGm``Z3};^L#cX z=`ug5m0BOT+F$Yy#^u>FoW)-G!escXair9iB;KRIj8auG zum3D7^AS=ah5c8q-nFS3`z=VNAXX5w%LY@&EJR}vbP%Rb$Zpe{_H}w@r%FlpP`*|I zZ6ahgZ+z>^9V!GLI3U}WvSPyMQ)7K~BT3esvVd^vw>m}Jg%55o{a&hX5aEOWI4&s} zNMvBjKQ2j{D^j%MUPCqFAE+N?Nh=)4I?dIu25CcHMD))hf-U0x%D07H) zq9nod;`LsuV)5&}Z_mFMlE1rOj9tDtZBhvfGCHAaX7u5B;*?(qic(<=nrC{UqO%Gf zYOD|r9sjf3`DpncF93|--kHF_semx28@^_i*qE!q9YIg~J9Qm@j2;$I?FDYc!^9zV zhgD84#PT@A|y*5uD)lkGu7wwtbHEy;UtP zwo}My1LYgp@UdGZB$#J;4dcIiT4l8d{H!wdWuaxHO@@P|!Zvw_A_yd?>-tS2?`JFa zR&ZD9#@^Ow!OYFhyagq(#9f7%@Ly%>YHdm4W+hbKRk!C}eLjI(Y_!XZ&CJbTg~JUSIpEml~S zx9ZE$~LelzX^7XxPs{XWnY^W`Xv(}k6eaAvEL-8|&%~LulK~?eULxG-Y zQyG)iJy!#VcgR+O8BfajZQxD8@H4OJP&7J*Sk%vL-m(&3LIZAhb%DQ~kKYCp0v>k` zu1e_ReD1#^1h`m>g|0|J^bOTw?iU?;7uY3Mk<(da$bQPiR9vWtz)>+`eFXsPE3_ zc1SZ8fAJ0qGDcF!$R0T56WnUu(79rH_`z@qlHc0kl{^mf^#R{iEVNlW5Q{w#G#Y)N z7Z|~S9B>=uyF>VHjdycdWCCr)@_jNQLz8{)Dar1=Q473ZQpA(fi-^0b87Gz`Vk8gL zt{NoJy^0O{-H9Oo{yoLAorG`1l?hNkNFt6=zj%kD312vWHh$9mHDzjn0QSsS4w5Wi=-P`MOg$UK=tDkhLAt^<>> zQTSdIm_?;ANKjm3T$WB((c=zOkQ1#t7nQ^cwLcfZnpP7d;MQBY-RhAvKt>*J#huxx2M^=9vw6yMFur`- zit)jSlSAuuW=x0DTB1%=?`!vfu6LpYz1%Y_#IDe!b~;B(uTSzo1uXK)9e?8Bf6;Es z`9&PAG4OaDwX2eRul^BwZ6;v!zT?|d_jhuiF@EfXCO`|lS*3U;7OHRK=K*~6y3?vx z5~c>97bA~bl?#k$s;j6(C97vu#%;YXlGsII;54aoInpES+NZv7iBj99uI7PCD+2a> zr*d_(RvPNv@fH-oeyP3Fic}k`0Ay=Fu4tP7JYBsZZP25fx?{7cia>u(H>l{_vG`f+ zba=$hn-9GWupQYaAS?QQ#Rg-}jp**drO#+kx 
ztX7gjQQ42{f=`dm9v6jnOju(7^<7@VS(ivgs0>4?Mkc;(A#wmjd3x&grE{7vPQN;u zj5+*{Y)Jd#KXW-Z48Te)d zgWnaCxxJqjs7Md&L`&2%w0U)j6>O7!?jK*DT(rmeX{L)FLXTRBcB`jaupq2lm z@U|(?9Icz%Q$xCU&?CZvU#KqrDLreD>oNk0L!giE1H<#r@5UR=$X|B1vgC>eOQ)tA zk*V-A&Qzh~(V_16TH!}y;8M;hzSn0GXH$Rn)uRkD&*1H_HL92J;yAu*mw29Uirucs z%fn1GU=VT}h>ARqLGs>~^y!ep9Cvl>mxz&TlW?v32W>{uD11k)Q>8?SfGf1`DS}op zB=8y8rBb~^YMaFyyWc02TSzbbre`7o#GfaAWK4L-cSgZ>v8ZDhr&GqO||B0QZOL#-mi&B1r15)rH! ziN$o)A)px_&WHd9A&C?`tRO}$4e}SIiCS(VwA<#C+uHi#)nWN%tw|`N^mn$!P)^5h zfp<9gHwGhhka* zoH$yNG38-USpU2FB_%ykc|BD%XnVR@%i_-r=$VNs%#^(5p(8N+Ovee41oqg>M~c%M z`^(ZwP7e+z1T0O-#{Qs}9kYOPaj{aM8bKecq|#tse@~uwssUW{iIqwP|8nt$=*_`! zK9Q>6xo>0AaYZP}T;;qOWdN6b;&RCbY20ugE9682@HnPr6K(U0@)udtwZA}lwjmmn zD8k+rUk=hK6_;QHao$=}jz&n7B%g!0ZVp=~hvzPgwaK){oLOH+{M%d+D#$=9j$f3H z)bgY1rz56iRSNLlKvnR0*uz@Xo&s~xj$?;mcq5cPW+T^KSbm_n{Pp@~C_zz`oJd>x zD^c^(V(a9utB2l#fdp9W!ZFbt4u{%tHN&%^t?ChYkW%@pjz8KexhyL1<&7kR1YE+F z!@5ZU@FbljV1<=ZUJVZh4mxYD?Mns*vCSKu+G97lZ-iIZR8|hSVgEtR=i?hnNAF91 zT35^M$3mS^x6P`_M&}C?-CLD2t_mi`<=vg+PEKi2+(MAM!A2;wQ?bN;PrdOs-iWWf z!p(A6K z6?z+&m*l(RIs7N*e>664o7r>7=gwngn}kUg^Uh6!KytlACBFBi#5ZuJp0NCa=x;C7 zU4lUW@B_-^nz@+h%*1eO%V^yv1M+iiJtUc^Sf73U-?mCX1W*>ZGy0Fw6y_-Pxy-qw zm^8Q(^D^ReVw2)nM6?|065r{alEiaQ8XSfh4$3IZey11aD9iB*7);BF=X@P=OT;W? 
z%=I}QD$IEyoJQeNDUbo~wAS-GD0-ruC~dlx{Wxyoa2_}QNom;6fX|1>aJCg)g0j}r zCQ`LP$;N)~80`k0t(UQ%6)`-Bm8Z$gP*eNn>YIopQXo_w83I{eB35v4-bp5}ch*)G zUqiDA>>kAI-Ha=~$^CJkEYvA*0gn;-HBBS+cdCuyPh=Z9ljX?>r+<(Dw zv4?c{8g1*;<+k{9DUJz1Fr@OmAXPRPA_fLq78k-zgf6G8GV3^_)_cQ5)mNj^M>Zl5 z013awTgY_1E^-(XJ}b`xi9@eUE?3&V8qxHr@retk6QU8g9>_)nIKt~+zT5)aI2@3C zJ)z7VpUkVOeIglAHN0V_%UJ>e;0wz{U5}cAl}4pQCMgnrotc_;;sf6QN}D9)CUPQ)Jm9ckIIYh4>e7`ne$?<$`B+7*`?QFpvrZGGDfhqmunQs_@_#w8b$^Pd3zF9MdA^P5)cWC)3nX2dIJ*>8 zwUkC0@jo|M19C>5VA$}0xB><+q90)rdyA_7GVkywzB#`?69ES6jkH7+GHcBpf(+l9 zGOe}#AQe5cgB9rF#Mx*fhSuA=?=6A7 z!n5KVkQbysyo;ER@QxI8yKY#mE!a9b%@%0E!$F8qR5n}k{>MAQ$4PFk-pF|u` zX{`GywxP3DMl+(e+|(~UZ9@`9Xx|{9hX|ySbM25<{e~$7S7@a#Y zyM_U94*mk}xi_f1{ii4;(X(C4RB!K`uj`cG{?leHsS`y>AH>nQB+@9jyVw6gwzJK& z1%~ws`p?d;+jyD^T84LwjSo%J5JC`!a@k&#%_OMRJWAy{+030DiR9s5Y1LCJw@Uro z8`MtxkmTWSuSjs0KX*hK41VJ_F(DB5Xq|E^lcP0`l&vffmW(5uOfyjt^niDl=Udh(y+j(kAvgc8ai_e zHFB8*yN7$YIX1_Qn=_z5*L8LbbyCQusMTCP`1lepKEK$?ml-~aF;y*&ly7i!dMF6p#QPgjA_u{r8>mwYb8?%^H)N~IbX zMTsK9@v>lCu}a=<3K)sk+qaE}67LPgjA@R9SIxc2JEdc$nvGxJ+;<~5!=WTIX9kl@7M zVYY3@-t%HBoi_E@Z{KsA6=0ciFvpdmES-4+q^! zVQUdtl;Yt{s-j&(zeltx#s)N`bqzlVmyu3@LLtT2*c_>(jdl+Qu&`5DeTSNkxV3oQ z>=yZInUGDgwQ2{?Eh5@X*$0q~@@<50xrvHyMZ}XRdZ?w^BBy8Q1B$RZ521%%VE+0g+_`Cj zdJUoLxXPqt=GgbtQ)IXIFgIW2^3_QmKe_|kHkqHV^4aO@JpIJ*s(!mvu5tL_AVLUE zpS{7zl}YyQ?!9v}6VYc6?(Zj*ig(^Sho)&9Ixs*GNZxt>9Nk@cgeEv~>N*2`Me_L+ zGE|&8dxLx~NuiKN*97&3$DsoQE06QuIR^UMNF*X+H9KG7(IZ1pndIcfSuS6lWY6#b z{{C+>b?kez_Z2V_$yLvFZE^}N*Gr}AQL43oP--|@fUALRX{BZlv4^!X zXMX%6j@iG0Ypy*yeA0N4)af7c)OWr~_ULvRXJ5xX_d1Cqzw%{2I4e5!YRCQ?TB;3a z_X|-P+0-SRy)VZLO^g*bX;38>DgmnGK|Lg&?IblhO4-@=(8ITDlURk$c%C;AOw%9? zB;3Y9Y|9{*OENoGp{p~0_gm^g%M0>-G^%ri3*+dyZv63cEitoIlg>4i7uW(yZg zC&~m$x1ndd@va?l$r|| zoxAWyKf~A{{wq_|&%QzO$gf1D4aq_z2&eAdf773zqLS79!8@tkp;N0WB-?gv}OgvLqt5!&B*heQ8t7@RCrrZ&X-$_nb>&hD?%IP()KKl_s?<*NVC1GFrN zv1PaAiVqbZRq{|}ACWR3VS&V+Ytu7e~i;S9O=x|uh6-x4?UHOCw(&+(uPJ5 zge$&R$fvkIIzzSQl1eV_uj^4>pe3?6dtah<;_ncE-o68)IM7mNT^;NEe98-iX}8J? 
zqUdW>USM?XLIpuHJ=i6f8*OIsxKW+CUymZ9OUD9?wr!EdfLB9Lx8dx1CL;DjPtXWF zD)0SyWbarBoINX-f{0W*MxmeT`+w1#KplJglXoq7kZz5MPu}6uC#N`H-$B_qLZi6o zjMS@jQYXjgKl3r$+TLOJ3(w>9562HgOgcBy?xr9PbjG;vCa0qbL2Y)LsW)F^vZSaF ze;Z|3cWfxi$r3tQ<{73mf1Skf*U1h)0=xT`jpzFTcerX-B2P7o2_i^iKu8B7Ez2C(i`xNKgS+W@mJC#7QY=kC|zE4oE5d?xjPf;0qg>ica;&RA9 zUeOsGBhXEZY}akQFIQn8B=b1CpQrxm_YkIo-mw!c)7c{0-q=}GQ%&%`8@i@P{n!#Y ztV9lh!oB=q5C@i$u>3oF!?pN~!yLmp>nGjYNs){#u4a9_P{DT5fPi880+n)or*Q zAj&?nm>+%tiD4C-9*+GNImskFifm%kFBs7>NvY!fZZ?L zd0lQVFAxHI=QG$lpSkZf^=8L8|D%84lbc1xQojW&WW0x3f>L4!r`f@k=`m)%{~AYM zm?n4dnfRfIN#|zS?TFQDW89x~0L7Hx`s@FdYO;^8Z*{31GCx2q-HE#THl;IpviqI_ zzz;$!%V-fGrBv(RLAc!bj>u_qVfF$nQ(sY0Hf$0>+crrh^@wEJRx84K3$|^NNLW1i z*!o14fK-xe~ImbopiKkfT!^nrfG~{#htiBX=0p8rAk--Hk_dW z?5-h1+cpxV1_{SN$$;Z0uTeO1kW@1ooO$7YTDyU;?a^f$XLa&IOTZzqBpvAXajc$w zt^Q`W|0aOhdjPZdz@3wkZjXLn2FSoe7y;>L{s7r1A*(Y8p_6**_XunAnC;s!yN0RX z9AVNqh}5iyz7{w11Gq&&+heb6jO8_yD@HnFe8u5~sFIH=d#I9!&;%-DA&L%STLw&R z+1k4jhM#|qneY9C57oCGsJ64S{4v9i_u};Jim%5egKp^fRrjv%CzBSny2JS z;g0`HFE6-NUb58ZErY1#Q|KezGE}`t^29I^h8<-A>1Io{c0J*jW;pZr-{;-w-7KV5 z7rCt2J$#^k3HPlxcp75j8I#UU0!f@(8)H>SPo3n3(?!^|wps#Z*wnT^&y^3~U^v%K zJ<)~lhvf4qG!d!4R%W)D`p6#uk?)b8MDkA%(7MltPC&vyWXbJcgVqF*7XYD=soW5Zmduaym_18JB zy@(X6H-_7*CwOLOiT-DQGrl;R(U3MYf-t<#K9}bD=nTokosQQp8}{%E)KC9}@>_q5 z&<(8qLl_-9zMO27mUky=Z?eqM6Z%N6jtX34y@c}XC>chgLZ*#oCJ?4`hobLVarw=k z^8VD&stIRnT@gCRwHLA9`XNu{+eyT!wlV44_@qhbb9R@hXRU)G{;U{!Se#r zDVyzsQN6}Me;c8cd~|Fis)w~qb`32T?5H;+p0CJeY}(s1e0K6GN-Bh=v2CEE73F-e zJ=DP2|0<31Z^4H~f zqqZg%!{+Y$oS;}pF*94aYwyl4Z68P$NIt$?QT$6KoOgp}Ae;=4Sx!XV3d*e# z*2a*H3WOfQP9f}cq?m4|qJGG$So^CZCpdpKU@o=)!L}Ho^I7m1#h<;+;opr(=NL>^3FS4yV>BXw~dX8l)D4D`W9)wZ8M6DH zj4#+`UpKE$)7w+PFzy{Czd1ffCgnU(7Eg>-KKo&S@~SAeigGIv5%p`4Qm>stv(sRu zB4Vm7zh0mHmp|k6$s^RQj)yvi{od<*^E;1|h*fQu;VU2M6dTOzEgU@(DcC@VwN;Jl z%?fXRit_Xfa_F =$_XZ-9bGRZ!4T@Xr%3?;guV_61C!&=tDN45Ug8VEwg{6av( zlN56%$;6#1UYe$na4hN#uO$TWr3vAD0kBg^jIg#YV;Nx$E1B8?Ha6%003ZNKL_t(A zbETw;Bb{5-(5(4T4i@V&9X(Q*?M_By^9!uywY!Jd_Zvg(7`x2ul}pUtIEGtZKuLv} 
zNs{U4pmWDwoW5U1carhN+XB!Hogk3+C7s25nu)0eQYq)5OEzNM#g5huL?Q=?+!8xh zE|O5U8ntrqs$eG2tQ4A)CaBk$o~}JK;RLu5Ze!xY1-8eeGbWuInsnwP70nH`na8Aa zW0B6e2^v;$UB;5xZpv5RK-=3u(*%xfB9)Fwlnx|>Sa$uz79w1eGd^RJ9_(j6TX_0!C)!&nJ_icDw6#yL5q;+9lfg=D&6t1eS6c%TbJ)>qtaI zl~<*4{Uj4^ab1{E)$U<_^mIJ&G3mTJ+&@1Hfs8!inm{CUwA}@aBkchAZ;c|72FBxS z6#kG3_y0SC_0OXGZtt%yVE@Z~Uz&>Spw48<3Hvl&`S5mrmM`ue2iD8oTl zKK-33Fl;<8AP7P{FCdvP?;v4MKE89)J0i-}kW1GZ0PGmB$)=4}oln9snVzlC)0N-S z_n6h*N00s^F0I2@J=zW0hmLHVlanCg(uK_lUq&^Vr6`g~sL*m2WGu9vR212a5#!4u zop)&;wi1ek6xVOeP)ph*6IMKVUnUu~Q!QNuIX+HVmDb13))Kgt3et1YEIXd)m~`G{ z;do^btv?+Zp;HaKf4YiRu+auHn9n@Czfz=3tl!g@J#^;cE#q0lDP&s~G7M2- z9Stl^N68Rf6F82^{XDgs8JDlS+!%M+G3e0OwYJSZn@LbEH>g(KhY}Rp@S8$9Pv5>> z6po)^F17E0$FYMs1~YRw{TrtRL?j9ouZ^2yp;J+x%w{wbSGMXgwax@2V)G@&23j`_ zokqi7ogF9y#bTPdxhlzo729iTux-~JzC`&F0!cVqM~U@YS5%Z67GJ!WbgphupfiD1 zaF8Vr4e;L`YehQ!pWQ^*IH(?|Vm#fA)|&za!TaNcS4s$5N8ejmya}uRVx+Sk z;{NpojIZ?|FP9>L3&%k3O@jb6(;#^JCdvyDZ3#riL{)vv7yFmr*cBh|Z!Tgy-bwK3 z6xOfpgoHux!8mfX3Iash!g#hPs%^P#WA{ItK;4KGCPl%)e75I-B;#XzG0<%r5xVPl zugd_<*xKIK>A8TBYYj3fjVF(!v8@M7y(<(_QIqe~*7jWX9({sC=l&D#gxd)82dg<7 zR>#=${IeVC-V!RV>DNTFqmAq1F=S zlQRwc?~N=5C3Jz7v(X=EM;naNLcgjRcdI6yQbi=vmxxeBq%w$JD=%#Qn?NA~i82Hj z8p6^sLk(S4*YBP%b%Ys5vSZS@Iu`|UqJ}ED7=tTxnbSaCDPetQ2iQ8{$r*xACb4>l z2rn-nua&WXV;5K&!ABD-|Af|jKpFw&tAi*n#QW=u$eR_kzBK-uqiDl9%tP&{xd#3Z zuObHSR1Fonh{g#d)_3sNPxso}pr zPVmkc#>@TjJ+M(9+H`@0tWsVNBfPPIQ|Le#ThpNPe8r_}4N8@eodY)Q#fLl3WWu6s z8Z4A*Q!3#4{EvawD~5(%|!0(>Q+AHD=v zqUt_0B*GMkw1sF-pe%h=w_U6`5Mxy&r%}aUm_hjsPzudSVrJXX?DZ*CF$|4hmFcy& zP{^maJ~~4>xCQ{MT+^|L$(E_0K)yZe7gh_0G7H3RMrH^`c26 zxkV&>iSolH$t0@VZxTsN4b9Y}`ff`{q)gC3v!ee~(gnASY|JAYWrQ~#~%3F^~e)06-b4Cr2Ve)>Y_IVb`%j5MF&pKM9;^~Dxxn1&1j0g zw@7$m=B~e~?~H21grOmlMkMuK4^ZUqx9nTHo5*8OhNK!OzFA{@HL8eKY~l_jzXA$!79tBO;T*@oCgpq?#@=Cfb1_!qg*MT!5UaA(}+;R%DW-iDqgj9Wa~! 
zceg!RhR8+<)hOf7l~Ii{XgZpeK*|up05jJ?r#R2)b+E0n?sd9$ZHphkm~`G}5qNn3 ztv}kdRXrehZyfLS>sT)jtnguN+2WvN)4StI$Sy`y?k8{{ZjE!Rak*5Bl?)O~^v#tA=}Tyj@vs9F%GGi^|4PLks8L(EQ`C+ytw za0_GYI_bfux77TUD~m!wNA@Pkrq?%B+_ntTX@~iR>Xz$QdI!Ni{2b4wbL4;UkDRLS zVkWs4Utb~HLP_$qbL_LvviI48bUgO;jhV)()TWlMy;lUp`qdpRN9O}Op?2h2Bz9e< zJCsd=86vze+9MquVH;>!EAB@f<8y;QKgq(+Uq@XplTbtC5-SUuH7;Id;qs5E?m9v4 znU^tAxd%6>jYv$$G*`dpvxrF(h zA%tTPoSY&2WD2b})y%l7VEy_|gsl^PJhhTn3vSD}BUJauxO4G-cm;ihHA0AJ9N{Uf z-`oXK5qvm-nr>izy$=P*vvc@Az7|DmD**%wRq>G*7oyL-G60rNczgJ@wBjn_yGXx=^6KE%QK6486KGZfVLFIJhOj!1ax3VmHnc(!kt)(R<5T?LB(v#5 z4|V_Tb}o?~{N4CLj7jI}Arc1qo&x@ludQvPHN`S=sOqavxwvJg39A`F^%Yp6B zyJhAj5(@IzF<{fz{rS~WJL7tszBQKQw?USzz~ z7p0dqLj1QzQS&Z12HN1F6CoT~Xhk~1iwnq03y7kPnrWaaKHA;_#=*Aevlr$GKb-~* zv~3yGjEmToLEoN878MnB$JVfs{5DcqBjDGuyl;C^(@}=OM?3fh1Q>L1st?C2fvwd zr^ae%18GDv;Gpfz!||!*x;9J1D~)ExUDSHWgld2)`%%W-wk)a^MCq#S4tNq~-N=a) zMp=Q%TiA~Nl$z(ZDM2N)Z_hd=u>eje_?*HaI4AN18eV&^jlvGSeq!x)p!HIT@=N_y*X(u!`LbKJ|6{;~%lm|Ft!LUz@){ zr<$bWk>B4E^AQOJ)ybrdrclu5Yn1A`MzN4$e!fO$$JTb(sL=}MP!DanZL}SI4tHh@ zSzSN{KIl4nB8{2v+8na*N}-yXf}0vr5!{M^6rB|waNuSY^P2-8Ao$63!ZWi`O5Vp4 zpb4zs9*%_MesmY7ss{3A1@n=1v?sbyGYz~ST*la21TQ4``55N6x1;4O!n1RPV^xec z2dV*B8d}~4OG7pS>T?3A~9mD1b=>#nZN(9WZgs9>D4>HQrQD&bC;R@r|;A8Yrl)0T>H9i7#cw! z*ZjRi!XlZpm?_uD0rv0h0X^!Gtrk3j*KVLULS%jtS!sYLk(aNa$_|?2fb0ZKhcJM^ zkJdRiMC2A7udPhDTST$x)S(#^2}Z9Xl38>sgQ_=>(-pKP(G$J`DWe|8DJya&C5=c4 zT#s4|YRxP<(UXc&U19MUn!yfXL{24DU#{}2>OR2-6R;#2D=ZyV^AYJ4oX3HO4BRHs zbU{jlVMQd<&S0e5L1@&D{{VqN%SQ8~r`j+(htU#uzqV$+gM+WWMCnIA=M!FC^R>*? 
zE^xGWj*g?R#1CUkI#;n^{rFld+$d}v(VfJ2ac!P^eP<3iQN{h+iwH|cKirPg=A(!G z9v)hy6ylaSB*1vCm*Cwo!c((|b_Z=&F7hw|a;8r3?$}*Pr*Wi%z#Yf?@0UP$6vAFP&lFmES~9eYu3m z9ls1h$L<<@pzlXQL3I|&A-lFEXfJ$mOIj`)MLTPCZ_D;tQ)9JAL3D}nVz>1`+a_&y zf2)LHlj8OWi2k*nyQT|^q3q&&1v^rPZC+FT(T?anU7+pC5gwabd5nyO))l3-iJ}vw z;Vrnx@oE$`^(At_L))H3oS1=}g=ll`m~t#Fa%=)LLgYjZ>(;)i3H050f={PmDd}`W z4`1$LkYCG3NI9uc|HAFa7Vd4EZDZcb8YyQ4z8msQr zc{|#Q8Lm!`;Lj`l1fZ=-L^Ag`4n51N%k6ml3todh>Wk&Su6*_-_T?7erK zTxWgn|9+lR=1ia2o$W=t>eaGj%e@zh!KSxRLJ5#uE(8*8E-&Dhn|29=+=L6^hwp^| zi3!9&2pwE-6~?w~EL)bWzS6F?mzkYDbINo7IIES`>cv;H_KtSWbK28B-}3ot ziFR-WLi)NOLV(KGQ4v>~h@SXS_Ql>zK4uZzI?AabG{YyDx`nh7 zh#7@+r94z=3TLVxw={*S6~Rhkwy&D4#d$J_FTIEj<(jL!-;#Mwc*~gNb zZ$k@3g25P&&f_EW&gI9SP_8*Ni5XYU4M~)3QQtZ>Ll})K+u<+=l(zIxl6dI7D`yAf z!QcJE1lr{-$Y#H@%JwMc>le>%9GpjnQ8S)OZ9xLbOT1@F$SKvmuzAQZsyoE5k)mmcyb4sh)dhc-$E$!yAP|KeB>ug zKXo6ap+4N)C@6o?6S|4f*g>>wF%6f!n)u2i^GqvMkG=ynmiAicnqX+O&Yu1%?JXvk zUHIZm@C~Ubxm@YIB%P|}qJ~O{Rp-wJU%ARx`<}0B)L|YF@;3Ip{ZMhxRvhIW9Yb?~ znmZ@r<+z(iL;B?h>aHIy3wYCYKSwjHBikZ}jI{A%8@*)MIBer-AKH-4-k5fT-oU{P zYW-(@hyKk|h)}R?32<~&26o`}=T8_?dpyLFYna@AFSV8X3ALP>5R9%#Dt7&}&MT!L z9Sf6-zIU8q~G| z-cp64jJvlEXmgB0c5xf3E&vl@xS%V4%-4!|brUU;0!v|UJpgSLRL(^W3A6=?nYo~h zvwJ@@Rgg0RP4$7NF&D1$@2Mw_yEBLEN#IQNp?0{4Mu9!C4V4uLFN`y~6B_E+n+Gu3 zmVhDf`g3@D$6;|51;}s$8EZtCNvb;^Lg*%{R>Cdk5Gc&3+O+rhrC$wNa zmC7_iXjHb|g;$&eJw$lrO=u~9?_&>brMB-$P#)3@6IymXTA~@Rl1HC-ic8iu5!?9B zJgZ+%HoEed_0hxiQ5Le5<;%nLT=PcscwiI@NauXm5IwJkoPBpcq)d!UT2U1Tx4(dX zMO*No0?f6_t+-_3i!(~KUZ4KL_*18bWxULJbt>tXBs;DaTyfW_M`D zEU6UHncu7KQS}A@Umz){8y(;zP=01J5f+|tJ7Kqn@{X-@NT-_cQ=GIljmO?l>+6F3hFgsG#iY{nU!M0qX(-`J}+Edea*?8K`T z(P%zmo)N2D)b=v$F_2AhypB9xz2cM3fnn5EMd)4YQKcF#d*;lq+65V?jZy#4J>WSg z%f`H62_kM`4{gJ1%H|&tyZXHdO#|f;?&xL1AKpmU(@!w)$d{OmUcgv2g`-&r z<&o5jH0k3sw?ygPu#QOY>R=ECr1K<*-nnuuj$d!+;5Eq&&3L~V^%JV4KwF+hcEtjj z_y9*Bl`#oL?r^ZgwUZ)Xk^ zsA>P5<9NQ;QS(a^$kro6%VcvHCtJmvsv;XK-0fMEduUzq#>!xOM=jqXEDhNj#o0FH z=Wx0TZ)fhv`!FT4J&Lns0)0aZN-4Z&r@+ze(`0QTR0^9p#fu0qDZ_BF>ck5W4gY 
zEg`@3hbLWz+!Co9yUFEBgfxk0NnwT#iy){tsKq&4nZxVvhjtekZ9s(mG%L|!A+DII z;4KAm6&PKIBKTaZ4-ozKa+GQ)ps$172woVTAGO74&2qZeuq>Gtkq1B%%zbP}Sn0OK9ju zMt!j$vwan{-M@x<343IRpWhkr=MtlN5w)EU;7lDri~0K#vuy=3oTU5OSCVx5ARI+^pAz~hVmhHP}@albzqU(3ejUt-1JSLvSk1v@|YZo2;GM)vHl5w--H zrgOov2)1+XJo9ka#0nW?b0yNL=y}nP)Nt9aLwufzgeupY*R@q^cWj?wZhm;G>`kDr zKQ)C!9nX-61`Cm^9h_~)w{M~Br_1x5lZ3p7k#6Q2!Wnz!)WZlY-~ffOzgoe7@bEU+fqB)rWfTp zAfLDWm&XW?f6BnglrXMnL{%KTAscPYOuMc#_Z<2mL$LB(pHM3Q|H`c+r0z$XXa;B| zLemlE47n8oP$<`rn6QVo`rlImX6Kq<;02^}{z4#7 zGI$OF&L8af?7IPYXvJ5km?xh%{9MQT$wiiNLH`%n@|C|Px9%gDW{AnG%XFbaETYkv z(#{zIkxoT8Fq9=8v(WYV9SW!>X3A4!tn;r!&Ql>F*=QY^xBontZ(eff_czSV?bcQ| zqSZaW^hwo0+t7?|X}&l}NJG2a7mw3cG|YzTY73KS3+D>e9exeksz$Wchdkl+AMBZ} z2W?z-C=KLj?TDCxepA=cN%3LY2_mAS-_RLMqybI{uUT`RoYHlMTfvEHCoH9Pv=SheWzgBt!1zR-!GSSG`k%x)@Hm>V(KOIPA%v88qhnP1 zAE)4IXo(i03szvX*$7QT#xe*g5qbz2NzFNrjAf9zju(m`?AV;YiBJq-S_mP~q74Wm zgb)I`HiFvX%tYLQTpUF%nE6{g;}b_AK)DE|&>{_BS7z#oY6#5)AyJVu2#GvM{H&P& z_k%S@Lor_J0qLBlq*EzW zP<|}Hd4dCXexCYxKLd>~KPAF>5X0$fXqo;EEeGzR`^sx+SavP3h=#78dxOLQ#`yewX-fIxK|S&FvQHi~?49@1tmD_oR8<%1u3wupB>f!9bjUAtaE9&I@7#rc zO$V|ohBs0|73;{RFaZL*D25rSF}Dci86qT+m$snAGJfd!bR9KTL3YL9I0iYx&~R+` zlt^b`+*~Mw{Pu+!GDv-MP<#^>B%JclXl+`@> z`@c-|Qol4>W!v3oSG*gfiB}lMi)RpK6jjQiN|UHi3>8v%l{_MnMj2r|y@-BeH*zL~ z*Ub(2LPK^PJO^iL06py+hV1MR0uR~P?a#HPNr1gFnXp3VMY;}ei(U<&Z^mpP!z8+?JM5u zA-vKQTB-wKSjbc-&e$%LT|*claOyZy`_VHCK}er?&#V+)ah%Hb2Z*e_)jxKI5C@Tm z0qLCQraI=eoPU4-vwPA)mWcxU`!o|P3wmuOeF<7^s*-wcB;F|O;Jt4JFl!0&3kQ7%Iwk0eL(Yz-+YXjTNm zIwGtiS|h#~&S#aNpM9BBB19;4V&O<57RQLiDev3F zL}{AjqJv?l$`5O`{V;iH#V|Y8_{7!-p*M74kL&~#GSVztXo*(bsebIyU4A}hq6u$$2q7fObFjyDqj#)9hV)sbdcS=a+!~%!h3o*r zun;IP!iZQCdN_$Yv5$KHQ~vdZVrZG(Q+|g6(4q}E<9ktd6(KeB=0&s5LvQTH9@!4c zLrCeX+Dgq23qHJ^Xa+sqN$IhFo3U_cgnBMPi#G*>FCd-sd3VH1zyu%QrGUzTod6tY zJhKAHeT)P35f0Qw8LE%bEgHB~jh~hFJ-3Ro&aB9uI}H6+r~LTPjd)731I;cW=r!t6RA`Cc0U03ZNKL_t)P=joQR)b>3=Xz`VJ z)dHnWcM@KCGxd?}sKKqsSO%+Q8On9g;>}c^{t3#hBcly|%}cwCwesc2%)&Wd+UlN1 zF}p9s9@&9coIscnL^w@-U^8AhhgUCSEx!T1p$lhXKgHkN;S)ejC$wNaTFX)plJe6( 
z#q7S2^8TlMk7S|+qkYwEJ9_qj-%h3%q3O7VQL4Kh2D^fcH4=_CB0^EL#vW?Be@*qd z`}}n|mcd$n1Huer4{f8i?H-UiUO7kPvUi|{wqcL&_22J-XR(%DhnDWZTzIH#n-GG~ zqRR;_x;z+s0qH!CIH%_Yq%**If#Tk004Rkz&bX~YcmbKhZ>bDyC(^U(oWAcwJWQcb zp8GPQ_KvlUH9rWXHz>Yn{rkuy`$tCsf@ zUcdCTjx`L8;&I9c9S^z9_ap05gj!lp>-cC(E4ke}iCy?#i7c2=Y6Wnrh{L>hz9-Vf ztCa{}@G5X@N{@XDXJk7@V>gv;_hNRe!suR)SI$!2^gZ%AK0lev9liY zHQ2*jsXTWd&e%>O>t2gjEl}L}b@YaAgr-y3dKcERYcbka;Z^dK9{o3Dssk;SK}ZcZ zH%w&RYr(CPf8hThbc4vc*P@&ng$HiO>|Q^sHtSCACwj?S5K^bS`N!1uJc70IX6*e> z;ARJjT>5(m&7ijPA*#>aOL*-1I30tA@vs2LkMqQ-uL(w>WGEse$J{Y+CIT7_@zul%$OmWQRI0P{(Qbd1gSEog=x3Q zSbdT)dy-LmiZOeV7BfS$p624%DsC~aA)y^zB|NfbE&09oU~y)ov!w5%aoHPB>sU=n z9Ou+M{)NZCOMcgO8dsi~B5I_$h2pati7Z%!-nyJx-{XFbOx-uMd9~7PNf8-uLeH|-qg_8&~f{Zo!xt~fQ%`ggq za%_ZQ%?kI(Z~~)cG4{v~w8a?|3cYzo08KLyW(2L#kE9TK2pNjvRSQ1pRG_!6m=zE* z+E!58^9TU;$WF|jixHZi2Wxa)Nb%QSC#*a_V%P|w&xGoVP!z9L#vXnSqiGR(rUyOK zGj|>i@-_p~c|McQz+4^Re1KD!@)rQ@%t=g5pAj%9Waq`bMiA=6Urv*b(( z>E~VAGbKZeLt;t7isRYUqjYeI&`f0G0zbdesrtE@y5ZNl)J>F-2u;T;XYr~<3J-tn zunyoJBAN=nl*(aaM;!K9!E9crLd`9OVubyiQ^2d2sP24->On6re!Hqx0@SQ}E`S!x z5M6g0_5RJ&c0PoRrm>b@>*scIf)s}U0qLCoq*Dc?Gr)O)P-_pRy<3RXhbdTRW_6C% z24~vroj3QNN=6tNohBZ$&iRd}8n60pnV4)Vokwy^pa=zdz!~f2w_kR&n9NI+3wJ297F5)x2 zAEm`OaUS*B-@cxISomk$n7Ztozu#|<{fuvo|Ae2fx_!>SSG<}}GMyQs=@v<7F%nvo zCZmBx;cmh*bj;&VYVN(_2FAy}gUs$F99?)y$CmQX;dIr>Tzt)G-@B$sKX+WIQ=0p0 zqx&#oXQ$4yuDMkEw-V`EI!n4_*f#*nXlhO^$|HEBKC=$Eb(s0xs}|-ELQtrB1ywJj zTnAMzA+$C`xEX|oG-GpWc7k6LMMjduuK4}4W3V{v9+X`{7~$FTm^~W~tK)fs_m%D< zobCb?^?_$7KmB83*L*NA7zL#Br9e6f)N2FG-|ky=eNmH=gQfW)v60%@Af3a0TfM91 z&9exF3?h*b*<6{1boAW4P*33v6_JaQ=T%?yY86U5pQ7-@CiH3q!%3lu2$DGN{X-PY z?bPKY(Y5P|ty+&BPrvXN<#oYg; z%7&{?Z&Mpf(Rj=2nEb^LamPx;k|!6gS}Z<|(^aG4=G&0QnHk_TO<>zDrg`#PY&$xdaVH|gA06o)-S1sZe$MAAP=*>$J zW*DLA$Vhs&q{=bhOG7uRehA9|)2A`1}$;wCDokK9hmLQ0f{}b9j&3; zKTq>w?7=MaX4={&DUrxL-2 zBfvcAu0Np$Jn#qAa&Er&wjqJ z0&lv8DB8YaZq=`xO4m$ zEDiUtrL>cQ+9?0H@W1nusR!6q*~geY#pineluomS?@!*%PbVMXi;F(RKy8?R9Q;>G zUIp88xH)w>pY8n@t^U

N?TKOFTBTi?R_THnAAChnc}bXL6@|6~7`xo`SW zq>yxn+W36$$LR@m@ZE`D^4*EMSRGl+)1@68sEzRM=GXC|_P3FF-P`#7FaDO!{ZFz+ zzXmJXjS$Zh!trWUOZzG7`>@t8qjAG^XG}N&bVJ8+Jfw8d^^+53bEXCn?U}REw}hrq z+3_IJ>)(MrybUd!1aXo^10e{ndKuO2_fhYE3N6;?lSHQqP8C%vQy+Mm(Bi93@u8SR z*1eYMjt8l3zaLO&O^Z*f?1%vL#s!ofzZ0)sMvFCKE%udVL%kcQI(3SV-T_J>%rMrn z>yO%w(Yg#LJ3wLM*L}~XZV_H{OW@@UNassr6YqHlJqW1^a1O%ud~#W=L&-1Gph6ll zZXi=3=!oJuIo$jZsx*n2NutNnESUHi0}VG*Gfq!br=hrobZHyWWgF(-isib(|7~@wP9}9@*Y-4m#{LjXwEq#5)Y4xTjM`h ze37zO@JD<8iX~Pz-&pcLsj3=pcsJzJ60b$&&?n6=e|&M_VEiSf`E*C$Uz(3_K5EhNOYwMT}!qR zz2vP&z2;MCCpPoDx!|IsF>b7-*TB+ijzTh*W3(jydTozJqi{~vjL z(O;j|b*$A}z1P z2%S8U*3C2x?o~|v>R~i1M!4&Fr4lA<5YZrf%?9E> z0cP-2@i}@o`E`pO<)VPMHQmCeyFLiOL(@;tpr^PweFXq5Mk6mzU&US7jdMunL-{93 z>TzDvcmn|4p*CKTx{CjtxR;gPi;jBkH#EHrfQYoXF?A`AOmF7q)D=85{RIEC=+g)x z2n&mMHQ&a+j{TVTx4sDhTpGK84zrnxS0m>ZXg8awdUYO{-b7rB(iv*u;>2naT8zEb z1Kc_BOS(d>gyo@J>2|Z3pJyLpWn>W-#+LI>i$4wcA-hdRntvJn5$|ldjfGYx-&y|m zM_l_)ryk^^?eD~rz6bI>t*_(rgI{OT&duKcC2>E5c2#sSj&d2PPta;MF>Yu1k$jF< zUUMz0ufG+0dJ?Z*ogrS~BkFLTjXhj;x5J-&4kL% zcrwc_O3sAJ#tdkQAPx%!RCWb-dK9-X27s1m#^|^JVa`=*&0PIDN;{u`C-0>t_Zvo2 zr&d^b^}s)2*%NfW^V5VH+vn}$O{ZgQy<>2sZ5J(^%p?;h6FZsMwr677oY=N)+qT`Y zHL;D3Z988-@2T_ad{yaG|LE$v`@-I9ueD)RDs_Z*qTGg4VMT(OEkLGt8_WB9Lnlx_ zyZuPjLLX%+c>l5|bw;bh6f#8F7nwm%>~Zj;yzOvmX(Ke|@*uau@vF z^*Y1)3tb84-F}_NU2WXjF@~^_;)pl3>2g|QFQ(RnK%mNNtgll^t*t7Ic3*3pf8-1Q zg}`^~OO6)M{&EIMcsO?m_g??;jWSWRkmxoT_8~)R)80-e7@fNf8miI|d(ql88-4Di z{aa)G1B7s6K!w`%=>hglE+cWupJVc+h|Ds6SB9a`o*#k+E;W5-x@hqK2fF+$Th7rE z^}Aa*tFoXk*xyD!D=UbmUj5e!qwu|&D7WOM7wYob7@Oo>rB zXt2~a3l%bEmR)~WBB%DlrB^=L?*1MTKTgkPe~7H)P5PT@l&i73t*Ijw5<@x_^6 zWJ8$z!y`S2^&12yUUNKu2qN!5?~1BqG1WC*&{)G-S_zg$+3=cOu9r?G0v7%iv!C~Dd^H6qLn)x_}aZfa*I#i8t$ zRhKT7k@!EQ-dY$>l|Y0lIIIXp@4m#narj4?05l5pG!^^rpSqriC~`y)51*x!8*h-X zJ+COiZ=d12fh|hzrvf*UN{v7&n|ITV^3T<2inl%42c?bYX=oylE~4PG+flkPeB(pO zRaOtXwZ(fmk6L!2(OFL2zc7PA%E;bSP;K`6EQVx`$Vi;WsY+*vMrQZmhk^?NwnV`WF=xQO3FxuMPO{!P32V?fw4 zkX6^7M(T6_5fupJ{Y{Ndlu46~J3pZgSqvwh3$g^%>i~oDOBNdnEBd1QUh)lKRKcyY 
zaNi$e%b!c20LILc{GcPkErkaZ@!ZHZ{+-2F9bg-K-1Aa4Z&)ptbd&ywsAb+f`Rt*ow*}k3%54Y zF{d&SlSSXOjp8i~_|!#Bxc%b*X7Q{yan%Z9A*jQqby%|2PwFH!kY?W0Eq(e@*FWV8=l=M(+vcu2L!N2%on(P~vBben3E(ivv>Om#6m8mh7g zDl|Kb-h(Ye@F-jYGw7tGs-Dk@PL6 zz9aa~ei{4t9#PmQjjydRZ*AVTH$G~E{6T#T@aTKTCzSE@ba5xQJ@S=}J6#E5D|dYk zE}(PdtA_Pi{jEbC9Tdw9;Wt`)HSJ{^Jsq`~jCWiojWmcev@m=UQt&>VF>^F9eUYB! zdVJ5A5kIx>ZhvObvlB9Qw!_r?l8xG&X6l+Ow8A;Q`7x0q613(KTiKt}dQC3s(~4fG z&0o#9e!Bwgai`dS@&gp+mT4k`RQgB`BF$7Hqra4J*Smt8F{tt{ju2Zp=0<_ey6(RY zAGSFs5>?l~v_OG!V-ad^`i9&KsCQZGr_kr{-cBtth!^+R`xb%Q6EoXI;Oam)_K3ND z4OuIwX`iH%e|yew6Y(Flx78H(x{a}`_67dXSG^)Mjk0--L9KNqiiM%uyp5?}lUkpm z7rQlsKv}^A-c|O#C>^WAc|nLF-Wi;0}9BH&3kF0_EheI)V8Ad z+Tm(h4_Z1-5B|wR)FzA&cwxADU=;~Rn$)Rog)#P*S@`!4+y15NK{U0()TN4?ZAK(| zH{D5YOzTS3cd5F)GPHwZ-U{NG4gDs_hihk?^zIm|wAL1W+lzQ^KmegGlP&DQ@C#r@ zC+aScFM?b5#$ia`21_z8bg6bM`VEikV26GxTIE7t3;!%`>Xbk)8ZlQW=ZV^+4T^AK7>F{@Mr# zMR}H-1pkJ&r3d&3SsYkK<06UHt)OG06rR}~d&z{8Dz3G~~V36Em`Rfy0RiD)NF#JHZL z)cEU<+l80Aifr`jb|coLRBRtVsV*QFM1+F{jLi#_@L#hoB~+GO`alGUo>x5iJ5YT* zhK^VbU~fv?H@Nm!u3A* ztIoE5E94G)3=rx!(GFGaQ}I383N!eiGN>WSKoZYBt%-&nAa+^wRFG5v zw!nCHA~iZra;dT3zoCYXuHQG+njeDspJAiOyaO>|&qD+lqW5ME!a0def478EjOZ&s8#e1j z$~V!Ler8g{bj2f5#546kH#QlF(}bwe5lJHQLiwlV{vI?3GFYJfUo9a$LAA?Vq7Gi>){|JzIl@wbeB_;3z! zZIYbXW9%wXlIdjsUzy+WX<#zX!fxbIN;h2tFhKB+8M#@}&Ao zHY+s}=h3t9+E!LKZ18V$*xSnD6#k`mcp)iPTxhzLyjkVolCeMur-4ipn9Yq@=QLxD zFb(FC^HaQLPA(-2;bg0S{u9M^IXS;$hJL~K$A#5kRTKxko&Rj$i5WXU-VrJ$DoW

@n zHm%$)+G1vSQUl4M5|vfX>M(}Z0J^%N9U@RIgkcHT;@;452pI?05Hw!Z=oeBj zP7YC>FH00NUME57sa(q+SF93kR^qgH_(PekIcH-nJ zw|9{)${Hk}sG>Y8N-tN)Cic^Q{wcyH2MosH4<4I_(Bt52$|S;`l1S$3lWU>gMpUCa z-d%H~ydNkzO}FO9H(@D=y*X9JoaI>F;4X7C=e*;mr>0gV4f1nZ%0G>(zlX)=i%K;JE{jLS6K4#fn!UbLWQuUio3caEK!KF`l8gW@`d<5+ zjqXtQU$~NLtp7I`fN3hdW~BoMQqHO)_sWWp1WhJ!357QeC|tTKX<8PXnUFe*Z6Si` z4?WQqw6+2kZ0aLYad$tVqqrPSN(Y)Ll(w|&4PVO|%maXQf3!_4By!qH?r4`@fWZGcuX7k+*gQj%&`y7I(3&<>x0 zKmCxy-(cHYjNl~U`5AH$+N{Z>Eh8qXNRjh11Je-6rq4_hA|r;SjnLGKVd?fv&ilI_ z-LCYx(DeQGq1eqBSCbQkB8$ROSvU#i_1IF!tfDpl$pU;( zaxabS#P|(9cG=8ndQ=GMLB3DO(?vntRpHXIBpZgmHgZtlfeQ2kLgMEr3XX02k2WDc zv@~1I-Ng2ex7hkbaNDvld;K46`H*ZHL!T0awPWI(6FguRiwA<3lCzl;~aCeY~snf&&MEFd(eL3K&i z>EixV7k3+C7$!D9-uj+_m&bAygC>-pO_a}QCXehGv3a(rRN}hHv$@itjtw5O$<(F=8r;l$RSL}46k%XHaXs2yqr;bkw zz_+xo4HBvdBI)SkWNX$#c9yOW@WK=S{cLMUgv2_ z$bJCIli0>JI|uCVw?BhE(rONbkShLSd;G3iq6XkumXy%itP_F1DYv&Z!W}=iMeWn zTvJl&6&j~Fw6Hupdq1tS8$*}4-tcqhj9L_3mOTyZSBcpg)wAKSQjyzwG;>NOO zK(h;?%lSncg==po@rHaK{sp!+ORDNVgnoC~$1X&}EJ#f|R;@D6f-LFi8ECHU$Jjqe z@4I|%FM8$>H85ogsP47WvOjhlsn8hG2nuPw$5Ho~j5i`jBeTC7K}5Ev;eT@EWO`dY zSC3w;f90HRj6No_ll`3iEVD5leyWg;k~ zwH^Nb-g5DCwY=5rx5X6U+U<|6&iCISz^=7J+c`bC5@H~DF?GzEGO#r#rLW_r^%oio z)0S3YoZ0py#zazQA~JuwQ!f9QzELtTsuMx_88-#S@H0q}VKhi~7Hzn*dHL(F=SmOu zu)7)b9{U$?VjUxZYWf(Df&}0&SI5`$xAWr9W+6YDw96TTT_hCrkYEu8zWIl8jg-ul z;d#8y;P`U9wkzr!XSB$;^j`crbmWK~H;=Renoi2u#dM8A;xnQFB z$sMj`R=|f(h+=}nG8N@DZ1h|L4L0vJ#PHtJjMM039w@oWG(2BgizNj7B2GPS50q0n zsUJj7WJ7E)edd_LFGYLA?7gGc!CBUAMVvXn$(EU=Yp_PgY#tk@!zt@yK&Vu%py&}W z>;V_PB#PlwL%caB92n0nsDP@A#WuMz_pq|Jx1YNzOx(GX6hnuWBTC0Eq2r~)==Lqk zjgN_z_;NMVP;pG~^bf+y%eNNo-;{4wbgJ8Jtq(XJtk`BA|BDlV$lo3`8A;a)K(j@l zOuouL_qw`ES&S9la;_fkUvJA20>#s@mYoB@YzqQ9?6HhJLA>Rx(B_+6J^I@Yk+Apx z&1zUgU`6|JYBTYAVP3Dh7lf@Ixc-TmB~Be74)J{iB&E=+uo9?(Wd|{ZQs9kNNl1Wr z4w-yz%L{KSPv1DBj#+-~<>$lB2Wd5K9ONW$+jV4inIk_5u52}d42ma2jpmI&rZj@J z5R?nRXhBA;<+Ia5D2t-|5%Cv3Tc`+ChnQ!tF{H@h%O%A1qNH>Cb>5<8!JTQKgW%WN zM!0bck*2AjS>ca@QSSS_*8ClkBa%~sncHxqOvS4H7KG9Q&pDbHT 
zozcf(-P^Ie-Us99OP6FFFGL0o=pn0a?~{c}MP{~tYQ*R5E@)tkHoj%S7oij3n-gmS zB~EBLJ5#vKo6MNq>h6py4>?U$e1)KajQGDmlFj$`OLAs8q5~<<`NC8BsTkUZCvkgJ zvKt|dO2pyu_P(1kZ(EKndE`~(0nll;Hixx#F0Ac-+3Wf@RT#7{dHs06q}TXU5a+Tn zk+TPX!0KvflO=jtt+%xvu9$bjl)O*L%`fZ}S}C*IQGK1I-w5~=&S2Xgmg9A7+f*EU zyTb2~*pv6bNBF00dt))S(HVaBNg%rVZE54Upgs8;JKt* znS5f|?A(pIBumwtx*kAkI8MGA#^-9!xPCo(x*j^GXj^LkcU23;!A^uwO%l_>5jzJ# zjNTtD8BrnJmQ$KEuINDB>AYO}EWf_q%Gwl^wk|G=G;hES4sx#>Ys0DJCghIMOQ!It0Z3J&kWi-8j({DOwICEv6V zj=!6RpP$o@XMDkl&m%HXRtoBc%au#tIzC})r=Yomof(YDvbs~0bVdacToo7jHXMg| zTRIG;z2l&}?M9neL2;o)ZRr21i)@R6S{P!jqJOIkrTut)B|rUu1SS8WhLj}{KW$8h z(@SQf?C^$(JJKA?GC5>kQ8ZtQ3fBg=(1dmuAsj4#NDolDD~J)BZDWs<6cF-I za>fRWad=U=RM=`fQ=)}o*e+P9z%=0%b83S7*r+=F#~)GB8=1R0JSWwpIAL9S7=x_2 zd68R66tuJ*dKj)8_O|4k=*9*SB9Lx|X;S9NZe04COCukzR`HQKX#>`!O<0*M%-y~} zozr}Ef{#wGkSwXs%y;YdFIbmYZoy$t4cyNQWMR*J5l>)zj>@??`)b#nPfd1}JdQhj zi!vxb8gJ;_YDlvw#OY`*Z&=6gYkA8%bVMQBoA7ID;;{x$q1t$0qixss7nc$LTN=)< z-@l4@;9##1*l`9cR+3z z(AI8Hceq=fb+ z8?1xWInGr3n)1)h?D6T(k5ZyCBBFJISY^cg7D z`?gg_yl3v;9lnH?cx|+tcv3+#xe2UaNwiQW-B>An@m>t^GO|(CbcZ&FmYM(H4mnQN z-jo7TXJzowgQaLG91rU581WIidmb>Y5SI;{Xq4N=+{$i!N9%v2HNAc#sOStteV;Fr z1K4Rjd{{*-7J!YslwN<#o!MK;)&LzCRxt#kM^!VF@SDhao+XCpCLZx+#M(1$tvE_~aF8)7614-+o%h$y|z2OOpd1Yy~dTQrhq*?>p7%e&93mp z6jSkt_`>I0kjEhr=2(=c{)?I7kB{4w1QglSA;VDYbC6=1$9SivMFE=UeeQV?hPoE>on5xRHqbw7#S>UBOee^R|U^!z?12i(MN-^J(4&H>q z`Ro;|pL~BRD^=&b(TH)0-K)gy=@_rS3RS(n$Ov__Scp~UJkh9O=*${l0!lh?h>)?0 z>;bdC4(gFz9UAX=;ng1fHhc%NW$ah_I9lHQctUl?8ALZkOe;cj+23=9@)wH`vN@@g zMfUtdD4y5TLe=>WAV1kY)vD$yZa6C6%`Y7HNqK1rK4_&%-?I(764hruK4lq%vGvxU zbwu07G+0ljJ6Ueb0mGTCJv%U9RT06yPPE(Ix0&wt6NO$(Zu9~xuTo$Hwy!L!7=)1& zAHl_m0$ZPb%PFS?RI5{NFj>35xGip9HWpao`)5AUhh8<6U`i)D5i9j777@uKhC(_l zaBgA%-)(5H<@Rb4PCf($OF8%R=aXj417@-Mj>8J~FF%?%hK&E*XiC&x_MV3o+Mf2A zK^vZuuPjK{qh*F9?DaNL=23OvtEk@TU^(YY_x(b>XUqNoUN47;+f<7oHS62syXm84 z3jA*9KrLQHs-{y|q z$Gfs4va!fKoCe&fqv#5WRdnd_Ot&y>pP!?aI~kSu=En2kW*QuHZ5?!k2n}otf5E?J zq#Dr%m^;HyC=H&HO0}?T=|HBrv2hgYB(I?3vP9RfpwSG)cv0gI?Q1r;l^o<+g)b{v 
z!QGbHKkeZwiA&gHOEpK+GN%6I*xgX~B2$9^m9}7iI~I4n`(p;FH`>GKSVOH!Kh6`W z*1oms!k38ZJwFOCDrt&!jLxH9h5sE-7dy1W*17cYNq<2IOGA8?wogDu(al*_<^QWR z#|;%|jV0y&v;`$6hSRN~^$$}_JG#^&!fF54K7luUcv^V8?3F8Sc#Uk+IWwNfK(WwJ z+^>1d*rHw-AqS7@RSc4w!L{z#KWMcG;}h14MgkIRz0$^jAVw0ZsA1?eg|_2LZgK0= zKcg;rs*t}@rXXakuU=JfcSg)&;-1&Zm1EJJy%2|o@%u=+s-lBx(I=T1V-tsVid=ON z+IfOLo?+{(G6}5ek)BgfgjP{Wt}e9Z-9HXJPZkHV;`utRj;hNMZ>x9$d_WU2|5ea! zF4krPoG5Ia81}1khP+cnqA0D)r#820^zN)YHEDQq_MpU>5V9~R2C5*HxyHfjXaLgj z)#~k6g~I5`sUu$jp{KdK8?oK~GR+P`JLuZ!zKD8b0)&wTH+FmT+KoFrSy*XPNaMBz zcBLn^)uR(vNgYZ(Mp|AUuY;8r>MiBe)a~i%=5-twgwo?AXRWtCL$sNkxFRY!&zg8{ zI-jI+5E*ta{#wPNTaN%TyoxPJ?@Dw+P48JxdjE{2pp!D*dG$-_4l31Mkt}-f%CaVr zy1l2*rT=#W7Dg@2e#nkL{d*4r%8N2>y(U&aVr_9!dYq?=&g9HK3EXF z@ClNygw0bihW)7#d)5*vs!j>l~q4Qzs0nRw=B_USY2kVOBRlxQx^SQZEFL? zsSrOiTO*JfvHdDZcf9EU^G@^WEekIV=65$+C}1ImvDrI_1-SOLG0}2p=QBmMq36D? zySenpexWO1A&2D+CR&#)oEB!tQHw6|ooqT}wP~-w!IKFIq363F$mVF*J&Klij4&;+ zWzhs4IT&AS_lqX+R1j|aS`zGs$3H#d<2IR;d~Ydjr))3=e7BHuy_%!Q-Jf3*P+t<} zKyETY-57tP8uV{CO0^$5x-^+L8A;SPB8xTHru&A#%Ttf`e=)o~LfOQxO)kk;erxI(IRyU$?cw z#1^TjCww7Oz-sotbE4zAynSwYxQ#Nd7- zJ!qXPC9|+_^#w$ zbYt#8{NPns8kCiQ4dn&w3dd;wZu4p_p1{hu`5}OXeTFw>1w=cnX~zM}v^Xd!pus-E z>2nrIb+CMpYXiAOWo2r7vJJiZv*U}sfva6WMlQ4U%TQUwnD!UE4Q=Ev*y17E0g>)F0fdSBF!_P4un!TJoriV$+`F#r9SJRi4fb2#85{c zf1p@9W8M6Ws3>rEsDqNKhYZ!XeR|&(f2bKBMpX z58kwUcS<=!H&FG#X8TM0Ozzd8ttNVWP(w zUb~`^LEB{2yA@Q~YMpE&K&Ne;>bfA^p8JJw-Th74^e<44!a!$Vls(>cVUdS^L1sc8 zmhD*B2o_o=!861u=;v---2s}xIMpDFMTJwyPZaLh-kEgkkutc#w7;4vXt~zcArs=T z{pMjsjQv!M6BF%HvFOEvfxGoS9D&kI}hTr-}d7Q z>~8fpvw8@8_**;D@SfTj7!M?Fe5x|c%XT6TabF+3<%rH2h-MM+N!xNu*COY0;FpLY z8D{+OnT(v?9WM2N)@;1d>hvZ_eRII&$=TqkF}*obGPkL zw^ENa_m^B(d(%GHjIOs&iGG*|j7zF#oWj_y`@D^wOQ$e^GR4J-&6;9%Q*pbQoNGZr zyy+}=uE{!m0L1D4Ul91jL#{>O4B% zoUEFfA=z4Bfk9k>k577yyO0DomwMX}ZjGdq)#K48hpp<3fZlpf!+{_xf=a?v`^a$J*GrkOPHMEZI`N!=QQH`v$+i7>LT$YOb< zgD+;4KnR}>{U`X=rH-_Ctb^(j-UmAlYncO*#h!b)s>wOt|rXT*%dwX;3tMcH2d$eLhVRRdf;v6g+%B-zz?_L 
zHyuTj2$&k`VJ@+sr{*Orwtq2D*;jV8OH_W^M;DDi7gAwpX9Ut##@iw|F@NKGhF*X>bW~0$91~ch0^v$x>~mMQGi;>Em?C1_Bz%neg3ue`B$~oHNHin-1;FFVi;^Kjyo~ zx6X8?beaVU#gOu;aMbp*2bLpUsukC=td3$bpww~K10u#w{58Bf?kzi_EEY*|(g5do z8(Kc!8C*Y7ON?+w+$rt~BfdgKW*=9koHH+p#&`Fsw?rnc@rEYJ)R>%CMK;uYP#Ijh z`$E*|zLc)reH@5Cxv&V*$SRLh}dRtj>RZwu*{Sg4?;#iViB!j=Xz@o<_o_W%J)$&z) zb>G-jZus~7_U=L;o=VaR42&RMLimsJyiE2tOT_AOS=}>@f77SAMka2k-`M~e3)^T< z%94>&;CcMBfniZKTroo?f_xlp^$K9Z|2}g6^Sl4Vov$`6d2mML~PlBx1Rg z*F?3l`6f_3XYjCdPDj*k57{lz$b?IhR?XC;PavHcv5K;e%#1G23y}Ud;cT>ILLf|6 zj+kTSos-@j4(3$s`O^QY^|BatWiPo@-&DlSX@8&+<)U)VT>Q8;`6ZTIm;_Y&@M}%q z4ru1MeM>odmh2Pxs3|Ql`1^An_1$oSL^ztWQBAwg5x>^K{_@1rYNTe(t?kVElk3tx z!upS<5v!*ofzGuD0uEK+h;d)z>t<*!$7eWgWG-3a zSA=;6@5VD)txMN*uzRW9z#-x7XOStE2?J4Bd;GR}`5Jmy6#o*D*>EOxBmVo~1C@Qb^#5Q>zGGNqwQisijli~xcFm3x!wXmo6OIU!Hjbza^n7`~ zhgF#dBGw`JdLKTd28ON_h)4nhF{|Wu=3D6-T<4ZxotuqmR#JXS4Ka|vfEfek8jWtn zXW2gajWnC%>wJ;!PS4qt5dli}cE;CupxDknb*60-(!JEcz(B1k>o|9chfgZ~AhRFz z(HDi6$)IS;A3rb;bH*Akz6^AyMnPd@B5$FB->Wc7bvZrQa7V=o+ImEV8EDn1O{px2 zGiR90WC4w=@5s&JqM#sLBwwXy)}5j$Nem~~q{#{Me(;vl z-pV#gS2Sd%-J~_R(dHk|w$mu|2sxuxU&=8^(n5bkRM5~+OFU!x142sRt?Ekw%9w;f zYIUUV$YP$ux6xJOlud^>sFLM1p_@)rlA&$dKW9%IwK>a zG-_mlVxpOmV<#ehc8C$&=oTqhY0amD9uXe?_t;Y-1vB&zbA!KszfG32gQ<$J*Dmp;GmRyc?w2VeY`NIvv5}knj_wlTzuJ!WfpCu^#YH%TZpQvKbSMaZSVDbN!>f z(nY%>Fpn?LDco_^ zYrD5146bre8aN%Rcgd%gd2RT2msZH9B?Z*W_5IJ<=5zX zk*?qYBV-yCEf|snSpP2+!N2S)aD%Gi8#*X8R>X5aDcU8P3n%r^g59kCo3@m_bWkh+ zsF4Gj>*&220!?cg@3_0Om!A<_5e?J2exe7r3$q~ejaB^np^SzmVhq}_4TU?fScEUc zih{pN)=gwQCo-W5Xz1v{vR$dXmh7rS0pB>4d6Hu$OrHL;X&~gkU`^thUQ0a&_)vd6$mNRkJMBBIfh@RYqPxa;NKp({E8~iS*huyib;8py(doZ}06xVb-^sKS- z29{N{bx9E1N73TXD45N@EN0&di}BaHyN6V$J>)l<26~t4^3IIVfI6xoiy^c#3Q;Xs zb#&%k8o3+sC2lkvs{Ic@P%+L+EP!igrm*h>ZWRymPO2*-Ocv|g+iI1juDEaN9{P3| zoM{a#`|9YK(B+n>^XqTweX;qh3yqu}i>8>{n7Fwr&*JY@8Liz$Y7l6QC-*sGn=owq z4-3erS{?59N`scPbG|E~1igc8_qM^NaTKDQ!@}Sc>(bc{1$-PR|iPgJf9uY_$$;er?=J|f`I{C!B z$P)wN5_c7JKo&*=e{(S7nEbNLJ&r=`GmbVgc4tcQJOkm*urT&$f8sz2_p*p+RkEJ$ 
z-`OVIiTD%aI7e_&`s?8O=K3R2av|T|^E6YBN%|wMD#up}I^>(c&?B6Vv2?a0Js3$= zF@&Nn`>-X9rXyA(o%~2NDW6AJj#FBRFfJ2`KX7*wL)iP74QWg_Wq>bfXq>Z_G?8mlRo=rcyTnw0*Z7AHLo4k~qJDmT=D1i_er^l)Y$Vi3fC~WB2 zf{)d z%i7jxW>4fsZ>6-3QwuPwisa0Q8lx;r2+()E#pHsV4E{j(M6jjpU~g}&`^#P#VWRQP zLv;7$l={)NoYj{dj=%x0O;%5oZE(um{^rxRyF+$zVMNSM=Vk89;%uZ${q1BwgPrc> zs8dn9EBBE#Yw0dt%P!piK%;Y)jA28v#3hqg@wQ<92_?vh*JgZ4$`lY(8f+Rq>|%Ep zK0B`WV4cvKsu+ED4#yy<>db!0wryZi71FAR)Kl?}4Zl?QsK8`^soi-zg*u)UB8_G( zg)ni@8=5SO=y$d78Sd%W0`Il7ceGuN26?N6tLOh;2~>ANZ|!SRZ%t3X6ZF%G&&uUk z9aXmRY94gLuqAG?k89nH?>ZkKk_X=mk3p-u&$E*g#^^hP7ppsI!U%v<|HIg zELP0SXV*R;W*R}<^P(PdU)zfxkR{X-BcYJg9X~Z-Y*`RKI!>QwKCGp_xflay=c4N1_?YG3C1mZy7=I75DZMl-OSyiS%rI^y-sH@!5%#b=43 zH`NnIxbTti^+v0XHC^ z{E$iD`FdLG;C^jIkCY>`A#OLGl4}Qo-cF?+ZPkZ9TiMTIRuRdNn}pYr%RKL`yD2^+ zK&>a5Eu`x0+CswK{I#~)OODR1#yGX%&w!)MuSo>9r<)cS0n>KZZy;5g(|nQ5iv9(P z@YJ%c>q37E`;8PawNmdbboWL8g%1>QmYPnM^efOZfPtLG;ICgK*-+_+c822&zgE{m zCUabWTVsoUo6i|e$rdR3juDZi7CJvtiHStR*xJC9yDU`gr4BJnK#==)&`7jvH2OeI zQJ@{obv`sJlLgaH(UYhY%H$^YaT!ai{jIqIb3Yr_Ps-U&@h@n2AMH_6Z+$1QBTG-# zJ;y-nr{AzJoLuwN(MDFA(=i`NIf5=8V9k$XOh{Ufd=rhR%raKyj3{?VdGPLGZE#6l zr*D9C2Vv>q_7Ij)mJBhm4Vd1wV~jOLo%iAkAV|2%O#C)--oW;=SAYk&J6u3xSLULq zL#Mr_9cFEh*?jdGggnaFBOYb6Qqpolxg{u~g3irNSI-Wc&DE62_fFU8$6}Sc@hM+V zrW;#8iNYBS0;Vw82BuRthT%Q8v*4jq>TaktCwsrSK(QL)lla)bILjON0d8ob*SEX$ z!b+~0-g^Ju4L~&sXnd@bWyrgr96M-q1HntlaX|T~Y0YPDckanC1g$OzbpC5Gf>nQ^ zC1{@~0+46^8Ldiwup~$jt_8ek^j>OK>tM~<_vJ~ zvY-vg8P-$O?($l!D!F>$z zvMbJc308FlmtE_)z5G=2jU+d}wq))4NLBsFIpAY}@8Ux~5*G$UCOBGdtGnOAfR-jO zEJ=tLE!)a*TR@+l$Px0~bZB;KQ1P8&q7MUFGBko@jE+oA3Db7B9DrHh>OGNVhup(p zRbX|AKEZwF;!!GlFuBV*qMW^Y)w=pw-c;J|)_leX1|pI(0q#n-M9fML%k1L>?L)?%9;$gHilycnuXIqF#vO~iv zt!Piuvz@x0=)u?F(VVX$ckYKV^s#eeT_@mA#O()P+#YuMR8A01;=A{}GBQoYK9c@( z*C1!i#Q3bebR%sS3$cBLU#pmEb_nVp(QSyR`d|PV%xn1{(L81)^2~~497BApA>A+C zK-rYx=y2$;7-AdGs0i{`ctGWvv0Sk^=^NQAloHwwFqzqFtfP-&y4jV- zY!YB@wI&_=s&2bpeuavLtCP%jR-h}pAu_$Xu9@8xVgEZpQBh6= z23t%lbw2`vFuUZc?BM`LKP&l=CU-^u{8=t6Lb)KN{r}p!@^GlvFP=hCxnk7Kl6?zV 
zvy70jGi1wJWEYZUgeEt#hK6Pk25FeFXSsG`sfd1z-B>f0WT$M|((gOty6$tIJAcgc z%=bIr^Pcy-=lz_|dCz&CuUNdpJO2(kc|ELa1mox_;$*(fQdIy@P`KCSVGbf@ZDgy# zaPVBjVCcy|2&0$Ol~T_JcVk)tDoRhoMjyFc=&2NIUXYs-&0|Hz)q@zBfOX@8MF&j? z6*hSr(0orS;$tm%eq9#Hu!%_)NNo+}SK+k%M9r>|*lRh}MhB1FWbpXq^Cfnn=C+_G z8pR{ESeW%V)>BE{AFS?I7?PdROhR)Ni$n~h1WgpPJ-*PR&*lY+``u^OwijB;QyaoY zFaAm}i*f{Dvebue+c#$4!Ae-}LbNBwP)ybb7i{Z?^1xpC4D>~T6K%0!#Qp|^SR&0S z!yg~Nw&mp5eTpv}$4ixk7$JP{sn!|s6u09Wa1Upk;sW}tBCz-&7E*9|j^$YPW4Ofm zptjAKwKlN8r+%wL^kRfW9YB@N|F5aO<0_6$O%z5Hw2HdyouB6910nBXCNK~NHsB$C zH4?GSP1F`9S`~_hqLthOks=u5o7#t@KaA17s<6T1oO{5{5nX=8p{eK+2|O~%anGfe zw*QlWoSL0 zYUU%QYpVxw#1x!ChgECxy7Yrw<1U1sGZE?VcB+^hG?Le92$ao0=W3 zEkE7iRUo1aD}J7R_U4;ZxdZ+8TS}A6#eE4LSpq%Ues}~>S_mY1TwQ7b;(4yuIW-g7 zF1P5B0NyUYhKOg7$`-9RVr{}9DLy_&hPHRrMT28_3oJoaFGy2PsV+Ah(h`GIek-I*L%z$68e&tr(t(`4X1lI07PGXj+AZsqr#FXyJ^ zS8aRWh=2 zrmk}OYyVMy?Ic5aKW`+5{dxBZ`b^WT=4(b{w{lCivRtV`DkFIaFmZyw$ zOGZdLlcEaj@oB+;qlSeUaEEPsSY5GfjhwuF0{R1b4+-C(s=CjI;Zsc2j;!m>k}Pqx z_^d1%!c|!~VfQl#jRaD82wSc}KXdul4gD4|AP$)uVPFphAL6%|S4tZRBlvpKE}sak zzfA1Jdh5Q*SR(TmM-T|9x5AO*rDGg1T6h?kvf+{2d!zSFufr@ZX0 zb(Ef|(>0;&Ps;Q?=w+|XtD=tTU_|09@x6|^M zpvi+nZU_X0>WZ9NOLiN=R2!>6b$;@~6|GVwTd*@a?h^k(k6OZT%r0)K)>IH^M{I7I z05VWI3%t5)@k9oeG*jjDU@xf7VFdceLUqEtV367s>LW}#rwp7UUW^qgGy zjwwLF&cSIw0Xa}XaI?-s(M0GEv<|>MCps2bppRulc_LfaU+Dv{SRL} zLgURqKR-HUg`-PM!+e^U*1H-R-@fu8;|frN0b4A4&YK<$x@3u|Nj;Aq$JKgD>O24T znFvbFL!!%&t7oJtpU8%@^p!fTlFax;ve+y@RvNw9k_5#Jy|vDG0~P500ngO}r9uIp zrUx^c(6W=j8wdVYtKKvh6_=#k%0?(&_kSpc2Hv>JiGDn<<7w~sx$e$^5sPoDEu^Q} z#Hj!7tV;us@YNh#RveM-6J;p2GYVj#BD8xq2m|F8?Ho?$$}|Y##n*KnYli9~qk7qo zh;-rftH6fWo&!Om?($nL222-eRg<=^w2Oe0^GcvYw0be1Bs4nN{O6fLn8(E2^jlTn z1yg1_k5=tvTNmYtiqETGI(j<-$v^?X0Pops=>SJU*bi}xW>2q8)8nKt4$^3!t;Xbd zxA%B$noi6lWn#@-S-O{ihLTECf3~yZ0r7P~tEG6a)n}1!ntb`|_qq1vlInjbN=RGN zH}=&f#9`11<8p~l{p&wC5V|taw6=uCsC8e1q^3aXRGAfzw@djqGGz@s%DtD8*Gsm` zuxdveuZPsz()Epb5K`&5yr(?~*Pv}&3=IF8cy^ns{F!+jsTJc2bb-m%5Jf$O514Xj 
z5WKCd@d#yz0=+t@SAR$?bGP37w#x3z=|{gFU9vb=k^hWna8t{l`d|vE64mKz)A4-y>{_P-aHkx8z&wHblR( z8%rywcF?&pO;l;;^r>9({-UTz>r(0D9Rin?HmIj}=Mv%&I$F-S@D?vQ>ybf2Ib(&1 zN?AuWJD1dHJPPY@y3|hVb;~RIR*AsPvxVd3vHlzc(@`Ei(ae;1RCjWUkRuWsJIpNp z&g8lVSpO&p-Hg-fX7`*QQ|&M^{nUX$%hwhpwu8}gb8iKc z=2|e8bh~<`w9n+}{|A8oUks$wMe~MkJu7R;7FbO999{bB%aw%yfOB~Y=(+&IFut}k z*494b-JP6#x-7xhJbEJ!ccF@a%al38I;IejvHPh~`*>fJ{=-dVeLVI%_!S*iGL;V?!;BM>6x zKx4&~L(k5Y6gsg=6yWO^`Kd+8Db4f=*a4Rj z_jN;imP{88_ia6MkxdKIPuye_V7;AZmUYk32=#uBjjG8LRf&+~z4g(^f;*j`Y%lIN zCP4GgEpV?Mxc_-dY$zsk=KFkhd^}|az}F!plYf!zLXqi?;i`I0Q}))3U~gupyPr5Q_w#KB2$Hb3;Iuu{~_oPeg>bg3sMOb3>-eM7=ld#%uh#tfe zCCU=L*H|q)_kDPu-tjS>(j(7u34t6 z!fG4Sz&AwV@EAP58e2W=KNL7ee3(vtqf_GlWg9-!`c|tWgjH$Nv5Mqwyk)aEs}etR z%na4~ZO{{gGY!S`z=C_3L8GJ+u?Aw}N$;TTl>uBSVa1&8A=pp@ zv(rg>Zjzuls5e(a!T^Be52jOXvc2WS7CvvX>=LccP!Ui5<&T~K;W{SrO}->=j>72@ zSr}X?j7c<&-xor8*|OmPrXYQQKj`LAS@`+s1(Rw7o-1J(jyD8W$N5;TMA5%LO|Uj% zAWc}O-y5rXK>XOA_iEmXR3<;9y6kWO%MN67M{PF03%Z{^I7i6RbCU+Ormut?Z;iuW zPESB)NeeLVbfx)rV{D}esxm*bhU{0Vnws=)+VVgAEXTNh7wh~3#DojHIS%qAIZ@5E zJfQ+v#-4@jq8t~@VKktin)^4w=ahW!pOscE{OSs$nx{;5bI-pk-x%j}YzkyA&6s4h zv`nPD{$?tcLLFVr_nm(|Ls8`_H4g4Rz41dl3wRfa$(P$b(UU!=h2>K)lrQ2*An7t~ ze~xp5wrY*;v9&5V=)ZjF@{wYm$!Cs+C*OtqGPNB$O1f9-c%p&iDf@G-qP6}K*jP^m zpFY(*+n9VMt7+-53SIG1xq-R$Kmx7n8H3!9RCjiG$LL zsgDa9e6_68aeJ>7Y0eYhAY3ql)vydF$Blhdez_Bk#2_ zHP?lRCwpT>Mo$zUoude1eD^ke5!`86T=%$f}98plHzt#YEF) z!P5u}h*2&7z_tTm>bi*em2$2XKC%or1cHmLnpGqfg)i_CIWVETxW93p{21sgz!upk z^-+-?Q?5lFMN`M0w(?qr!=({UpZKXavT2!XrV|sAa$ZPs8}os|97XMf8k#4a@nQhQ z5tXU9lS}HGTe?<-=;RFpnc|0FJdou~y@5F7^HHNViPP!*m6z(gr|4!bHS{-<+v1Et z9VkJyGUH$o_NIoP67-YJ=f-{pz_KpH(4}hS;W+*G@LLEcNGH$Xg4*1z${bX`y^4)8 zuBBk!X_&MI(ZwXQ1l4gs#ywwK_+Hpn>pCgVfXt2Z@Z(0;$L>gK;*7vd8x_4-*FzBz z5Gmoilc6UY_?qq{j%0{MqN<(#yFDs&dh0yFgykiJ7@tC$t*ObNVMX& zrVZ3$2cc_Vx#$2K@$5qL%BSi@OFSPfeMNaotLcX=Z7@vg1H(d;mx%Uu8!eqS*-Hin z*V zf%I!)kRp|(nFI?9J;S(*QZ{FEg`AYKlGC{$ynJDbxpn~%WJi_SAmEp2+|jKbp`YeW zpwe|<>kcr2-3~jYd<3zKXi(EgD>j-GvQktp)HPU@l0F2{$$B*Pi_Kfv5fd+1bI&Eh 
zdN$b`sp>G@4q=FVim9zG)Q-^GO7khE45D#~TC9v0r(6TsQ|{3c9hCp(xC_s|wjv{@(6B^Ys8JYd#-zOp zWs1RyPMq}n7L=vfkJytWAjpKWXvLO%L+PzZ5UwL^lbooJ<@e{`_6$QA#K00h+GOV7 zI=^v`HeUC*qoWIlVh7#E#(Y69h2Dg;Sp8UKf;~y}z`QF2F^dWSZGD_C#%dqTIg3V+ zKX5NeUZJ;VpWCcP-x6VUf zf!W^y*0tU#`2}SIk<{|@e4(>LxmU{d9sjub_&nB5?$I=<3@H2M{dI8yLYa0$;cs+W ze{gdR?Y5i%Vj(&_I&)ibvg*Q9e3)*4VtqpqiJ373OeXx-ttOl5MmBwyzLB$LzWz~% zSo|)IQSRj;9+*8QmM_2)y{LqNtFe^6pwbav(s+5$9qZ50*xd6NN1=w;*;)SdG^c&* z^r@y=QB<0d(%)#?$u)CNb!q_w?p}`#2;PQB7~@9J7dncXq}DwVNk2D)M{W;G z@do|vrdwabHmj66ojd+_hso=(r^Y}A^Fv(~Qv+JoikT7jfali>WxC7mTuD)Rt@qxe z{vF8aqPBpyZrP_`isoj4NN>z`R47-%*=2>-FrE#W%SavNCaCbS=EHAefDm`qPN4Kz z)@4m-5#nhT!m@md1F92y~Wa>=d2frY5 zA;uRJUhN1X(Z3emm0=K;s?SHtA=pm=!@DzUzfRL1q4(9 z2)I_yEDsh~KTv-}Z|6HkYylwK{u5MwPjQ+29LMug`+R^n3!UW~#%cU0&V<^5348zG z!12j&2?-~sV02El8zNOC%tAF%xsi{@EJ&R8$*`qI%FB{iphy%==Bvu}Ny$HRPoJ~$Mp_W&jmSA~( z+>`fHTjHY&9tG-;(miVQjYIA@Px9OHc2m41{W6apJo`e}q(T2>%&C6e^y02Be#_C9 zNMje4d?&%>@-O$f z{oZQ%o#-PWv=*p>;}<(C@uG(&u{WLK*ZwF-wRSRwWP7__5AeY!X2Q$|7(FEm#!uwegkt({To`7)pz5jhPAoEeZz8n;@IuK)ax#%}LB z&RNuFKwgO{=3C`FsYPc{__tx$97@WBC32rDLcF2U>=O;{3SgIJp#IzI?cVdMndIdA zP-U~p_=}KE6TUy-ZV9QN{S)r#&e1&Lu<-D+pNDB?+jq$P5i%Y&{fEtvhnDhv=lvb* z=e#ccMXCU0c)F@R>Pc%PaFk?jxUDMq|Gq`+8W&uFO~RR{89g@FUmgI{(1%v3TZR7z D(uLMp literal 0 HcmV?d00001 diff --git a/assets/logo.svg b/assets/logo.svg new file mode 100644 index 0000000..ccaa3b3 --- /dev/null +++ b/assets/logo.svg @@ -0,0 +1 @@ +gRBAC \ No newline at end of file diff --git a/cmd/accesscontrol_service.go b/cmd/accesscontrol_service.go new file mode 100644 index 0000000..49c4433 --- /dev/null +++ b/cmd/accesscontrol_service.go 
@@ -0,0 +1,107 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "fmt" + + "github.com/spf13/cobra" + "github.com/spf13/viper" + "golang.org/x/oauth2" + "google.golang.org/api/option" + "google.golang.org/grpc" + + gapic "github.com/animeapis/api-go-client/grbac/v1alpha1" +) + +var AccessControlConfig *viper.Viper +var AccessControlClient *gapic.AccessControlClient +var AccessControlSubCommands []string = []string{ + "test-iam-policy", + "get-iam-policy", + "set-iam-policy", + "get-resource", + "create-resource", + "transfer-resource", + "delete-resource", + "create-subject", + "delete-subject", + "get-group", + "create-group", + "update-group", + "add-group-member", + "remove-group-member", + "delete-group", + "create-permission", + "delete-permission", + "get-role", + "create-role", + "update-role", + "delete-role", +} + +func init() { + rootCmd.AddCommand(AccessControlServiceCmd) + + AccessControlConfig = viper.New() + AccessControlConfig.SetEnvPrefix("GRBAC_ACCESSCONTROL") + AccessControlConfig.AutomaticEnv() + + AccessControlServiceCmd.PersistentFlags().Bool("insecure", false, "Make insecure client connection. Or use GRBAC_ACCESSCONTROL_INSECURE. Must be used with \"address\" option") + AccessControlConfig.BindPFlag("insecure", AccessControlServiceCmd.PersistentFlags().Lookup("insecure")) + AccessControlConfig.BindEnv("insecure") + + AccessControlServiceCmd.PersistentFlags().String("address", "", "Set API address used by client. Or use GRBAC_ACCESSCONTROL_ADDRESS.") + AccessControlConfig.BindPFlag("address", AccessControlServiceCmd.PersistentFlags().Lookup("address")) + AccessControlConfig.BindEnv("address") + + AccessControlServiceCmd.PersistentFlags().String("token", "", "Set Bearer token used by the client. 
Or use GRBAC_ACCESSCONTROL_TOKEN.") + AccessControlConfig.BindPFlag("token", AccessControlServiceCmd.PersistentFlags().Lookup("token")) + AccessControlConfig.BindEnv("token") + + AccessControlServiceCmd.PersistentFlags().String("api_key", "", "Set API Key used by the client. Or use GRBAC_ACCESSCONTROL_API_KEY.") + AccessControlConfig.BindPFlag("api_key", AccessControlServiceCmd.PersistentFlags().Lookup("api_key")) + AccessControlConfig.BindEnv("api_key") +} + +var AccessControlServiceCmd = &cobra.Command{ + Use: "accesscontrol", + Short: "AccessControl is the internal service used by...", + Long: "AccessControl is the internal service used by Animeshon to enforce RBAC rules.", + ValidArgs: AccessControlSubCommands, + PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) { + var opts []option.ClientOption + + address := AccessControlConfig.GetString("address") + if address != "" { + opts = append(opts, option.WithEndpoint(address)) + } + + if AccessControlConfig.GetBool("insecure") { + if address == "" { + return fmt.Errorf("Missing address to use with insecure connection") + } + + conn, err := grpc.Dial(address, grpc.WithInsecure()) + if err != nil { + return err + } + opts = append(opts, option.WithGRPCConn(conn)) + } + + if token := AccessControlConfig.GetString("token"); token != "" { + opts = append(opts, option.WithTokenSource(oauth2.StaticTokenSource( + &oauth2.Token{ + AccessToken: token, + TokenType: "Bearer", + }))) + } + + if key := AccessControlConfig.GetString("api_key"); key != "" { + opts = append(opts, option.WithAPIKey(key)) + } + + AccessControlClient, err = gapic.NewAccessControlClient(ctx, opts...) + return + }, +} diff --git a/cmd/add-group-member.go b/cmd/add-group-member.go new file mode 100644 index 0000000..4535152 --- /dev/null +++ b/cmd/add-group-member.go 
@@ -0,0 +1,76 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var AddGroupMemberInput grbacpb.AddGroupMemberRequest + +var AddGroupMemberFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(AddGroupMemberCmd) + + AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberInput.Group, "group", "", "Required. The name of the group to add a member to.") + + AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberInput.Member, "member", "", "Required. The member to be added.") + + AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var AddGroupMemberCmd = &cobra.Command{ + Use: "add-group-member", + Short: "AddGroupMember adds a member to a group.", + Long: "AddGroupMember adds a member to a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if AddGroupMemberFromFile == "" { + + cmd.MarkFlagRequired("group") + + cmd.MarkFlagRequired("member") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if AddGroupMemberFromFile != "" { + in, err = os.Open(AddGroupMemberFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &AddGroupMemberInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "AddGroupMember", &AddGroupMemberInput) + } + resp, err := AccessControlClient.AddGroupMember(ctx, &AddGroupMemberInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/completion.go b/cmd/completion.go new file mode 100644 index 0000000..123a5e5 --- /dev/null +++ b/cmd/completion.go 
@@ -0,0 +1,28 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "os" + + "github.com/spf13/cobra" +) + +func init() { + rootCmd.AddCommand(completionCmd) +} + +// completionCmd represents the completion command +var completionCmd = &cobra.Command{ + Use: "completion", + Short: "Emits bash a completion for grbac", + Long: `Enable bash completion like so: + Linux: + source <(grbac completion) + Mac: + brew install bash-completion + grbac completion > $(brew --prefix)/etc/bash_completion.d/grbac`, + Run: func(cmd *cobra.Command, args []string) { + rootCmd.GenBashCompletion(os.Stdout) + }, +} diff --git a/cmd/create-group.go b/cmd/create-group.go new file mode 100644 index 0000000..fc7a003 --- /dev/null +++ b/cmd/create-group.go 
@@ -0,0 +1,78 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateGroupInput grbacpb.CreateGroupRequest + +var CreateGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateGroupCmd) + + CreateGroupInput.Group = new(grbacpb.Group) + + CreateGroupCmd.Flags().StringVar(&CreateGroupInput.Group.Name, "group.name", "", "Required. The resource name of the group.") + + CreateGroupCmd.Flags().StringSliceVar(&CreateGroupInput.Group.Members, "group.members", []string{}, "The list of members of the group. Groups might...") + + CreateGroupCmd.Flags().BytesHexVar(&CreateGroupInput.Group.Etag, "group.etag", []byte{}, "An etag for concurrency control, ignored during...") + + CreateGroupCmd.Flags().StringVar(&CreateGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateGroupCmd = &cobra.Command{ + Use: "create-group", + Short: "CreateGroup creates a new group.", + Long: "CreateGroup creates a new group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateGroupFromFile == "" { + + cmd.MarkFlagRequired("group.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateGroupFromFile != "" { + in, err = os.Open(CreateGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateGroup", &CreateGroupInput) + } + resp, err := AccessControlClient.CreateGroup(ctx, &CreateGroupInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/create-permission.go b/cmd/create-permission.go new file mode 100644 index 0000000..4c9c639 --- /dev/null 
+++ b/cmd/create-permission.go @@ -0,0 +1,74 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreatePermissionInput grbacpb.CreatePermissionRequest + +var CreatePermissionFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreatePermissionCmd) + + CreatePermissionInput.Permission = new(grbacpb.Permission) + + CreatePermissionCmd.Flags().StringVar(&CreatePermissionInput.Permission.Name, "permission.name", "", "Required. The resource name of the permission.") + + CreatePermissionCmd.Flags().StringVar(&CreatePermissionFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreatePermissionCmd = &cobra.Command{ + Use: "create-permission", + Short: "CreatePermission creates a new permission.", + Long: "CreatePermission creates a new permission.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreatePermissionFromFile == "" { + + cmd.MarkFlagRequired("permission.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreatePermissionFromFile != "" { + in, err = os.Open(CreatePermissionFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreatePermissionInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreatePermission", &CreatePermissionInput) + } + resp, err := AccessControlClient.CreatePermission(ctx, &CreatePermissionInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/create-resource.go b/cmd/create-resource.go new file mode 100644 index 0000000..00ce1a8 --- /dev/null +++ b/cmd/create-resource.go 
@@ -0,0 +1,80 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateResourceInput grbacpb.CreateResourceRequest + +var CreateResourceFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateResourceCmd) + + CreateResourceInput.Resource = new(grbacpb.Resource) + + CreateResourceCmd.Flags().StringVar(&CreateResourceInput.Resource.Name, "resource.name", "", "Required. The full resource name that identifies the...") + + CreateResourceCmd.Flags().StringVar(&CreateResourceInput.Resource.Parent, "resource.parent", "", "Required. The full resource name that identifies the parent...") + + CreateResourceCmd.Flags().BytesHexVar(&CreateResourceInput.Resource.Etag, "resource.etag", []byte{}, "An etag for concurrency control, ignored during...") + + CreateResourceCmd.Flags().StringVar(&CreateResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateResourceCmd = &cobra.Command{ + Use: "create-resource", + Short: "CreateResource creates a new resource.", + Long: "CreateResource creates a new resource.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateResourceFromFile == "" { + + cmd.MarkFlagRequired("resource.name") + + cmd.MarkFlagRequired("resource.parent") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateResourceFromFile != "" { + in, err = os.Open(CreateResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateResourceInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateResource", &CreateResourceInput) + } + resp, err := AccessControlClient.CreateResource(ctx, &CreateResourceInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return 
err + }, +} diff --git a/cmd/create-role.go b/cmd/create-role.go new file mode 100644 index 0000000..f628ac3 --- /dev/null +++ b/cmd/create-role.go 
@@ -0,0 +1,80 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateRoleInput grbacpb.CreateRoleRequest + +var CreateRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateRoleCmd) + + CreateRoleInput.Role = new(grbacpb.Role) + + CreateRoleCmd.Flags().StringVar(&CreateRoleInput.Role.Name, "role.name", "", "Required. The resource name of the role.") + + CreateRoleCmd.Flags().StringSliceVar(&CreateRoleInput.Role.Permissions, "role.permissions", []string{}, "Required. The list of permissions granted by the role.") + + CreateRoleCmd.Flags().BytesHexVar(&CreateRoleInput.Role.Etag, "role.etag", []byte{}, "An etag for concurrency control, ignored during...") + + CreateRoleCmd.Flags().StringVar(&CreateRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateRoleCmd = &cobra.Command{ + Use: "create-role", + Short: "CreateRole creates a new role.", + Long: "CreateRole creates a new role.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateRoleFromFile == "" { + + cmd.MarkFlagRequired("role.name") + + cmd.MarkFlagRequired("role.permissions") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateRoleFromFile != "" { + in, err = os.Open(CreateRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateRole", &CreateRoleInput) + } + resp, err := AccessControlClient.CreateRole(ctx, &CreateRoleInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/create-subject.go b/cmd/create-subject.go new file mode 100644 index 0000000..5b4aeee --- /dev/null 
+++ b/cmd/create-subject.go @@ -0,0 +1,74 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateSubjectInput grbacpb.CreateSubjectRequest + +var CreateSubjectFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateSubjectCmd) + + CreateSubjectInput.Subject = new(grbacpb.Subject) + + CreateSubjectCmd.Flags().StringVar(&CreateSubjectInput.Subject.Name, "subject.name", "", "Required. The resource name of the subject.") + + CreateSubjectCmd.Flags().StringVar(&CreateSubjectFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateSubjectCmd = &cobra.Command{ + Use: "create-subject", + Short: "CreateSubject creates a new subject.", + Long: "CreateSubject creates a new subject.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateSubjectFromFile == "" { + + cmd.MarkFlagRequired("subject.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateSubjectFromFile != "" { + in, err = os.Open(CreateSubjectFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateSubjectInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateSubject", &CreateSubjectInput) + } + resp, err := AccessControlClient.CreateSubject(ctx, &CreateSubjectInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/delete-group.go b/cmd/delete-group.go new file mode 100644 index 0000000..f70b2ea --- /dev/null +++ b/cmd/delete-group.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteGroupInput grbacpb.DeleteGroupRequest + +var DeleteGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteGroupCmd) + + DeleteGroupCmd.Flags().StringVar(&DeleteGroupInput.Name, "name", "", "Required. The resource name of the group to delete.") + + DeleteGroupCmd.Flags().StringVar(&DeleteGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteGroupCmd = &cobra.Command{ + Use: "delete-group", + Short: "DeleteGroup deletes a group.", + Long: "DeleteGroup deletes a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteGroupFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteGroupFromFile != "" { + in, err = os.Open(DeleteGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteGroup", &DeleteGroupInput) + } + err = AccessControlClient.DeleteGroup(ctx, &DeleteGroupInput) + + return err + }, +} diff --git a/cmd/delete-permission.go b/cmd/delete-permission.go new file mode 100644 index 0000000..943731d --- /dev/null +++ b/cmd/delete-permission.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeletePermissionInput grbacpb.DeletePermissionRequest + +var DeletePermissionFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeletePermissionCmd) + + DeletePermissionCmd.Flags().StringVar(&DeletePermissionInput.Name, "name", "", "Required. The resource name of the permission to delete.") + + DeletePermissionCmd.Flags().StringVar(&DeletePermissionFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeletePermissionCmd = &cobra.Command{ + Use: "delete-permission", + Short: "DeletePermission deletes a permission.", + Long: "DeletePermission deletes a permission.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeletePermissionFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeletePermissionFromFile != "" { + in, err = os.Open(DeletePermissionFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeletePermissionInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeletePermission", &DeletePermissionInput) + } + err = AccessControlClient.DeletePermission(ctx, &DeletePermissionInput) + + return err + }, +} diff --git a/cmd/delete-resource.go b/cmd/delete-resource.go new file mode 100644 index 0000000..9c78cc0 --- /dev/null +++ b/cmd/delete-resource.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteResourceInput grbacpb.DeleteResourceRequest + +var DeleteResourceFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteResourceCmd) + + DeleteResourceCmd.Flags().StringVar(&DeleteResourceInput.Name, "name", "", "Required. The full resource name that identifies the...") + + DeleteResourceCmd.Flags().StringVar(&DeleteResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteResourceCmd = &cobra.Command{ + Use: "delete-resource", + Short: "DeleteResource deletes a resource.", + Long: "DeleteResource deletes a resource.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteResourceFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteResourceFromFile != "" { + in, err = os.Open(DeleteResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteResourceInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteResource", &DeleteResourceInput) + } + err = AccessControlClient.DeleteResource(ctx, &DeleteResourceInput) + + return err + }, +} diff --git a/cmd/delete-role.go b/cmd/delete-role.go new file mode 100644 index 0000000..21759e0 --- /dev/null +++ b/cmd/delete-role.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteRoleInput grbacpb.DeleteRoleRequest + +var DeleteRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteRoleCmd) + + DeleteRoleCmd.Flags().StringVar(&DeleteRoleInput.Name, "name", "", "Required. The resource name of the role to delete.") + + DeleteRoleCmd.Flags().StringVar(&DeleteRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteRoleCmd = &cobra.Command{ + Use: "delete-role", + Short: "DeleteRole deletes a role.", + Long: "DeleteRole deletes a role.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteRoleFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteRoleFromFile != "" { + in, err = os.Open(DeleteRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteRole", &DeleteRoleInput) + } + err = AccessControlClient.DeleteRole(ctx, &DeleteRoleInput) + + return err + }, +} diff --git a/cmd/delete-subject.go b/cmd/delete-subject.go new file mode 100644 index 0000000..d126084 --- /dev/null +++ b/cmd/delete-subject.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteSubjectInput grbacpb.DeleteSubjectRequest + +var DeleteSubjectFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteSubjectCmd) + + DeleteSubjectCmd.Flags().StringVar(&DeleteSubjectInput.Name, "name", "", "Required. The subject to delete.") + + DeleteSubjectCmd.Flags().StringVar(&DeleteSubjectFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteSubjectCmd = &cobra.Command{ + Use: "delete-subject", + Short: "DeleteSubject deletes a subject.", + Long: "DeleteSubject deletes a subject.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteSubjectFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteSubjectFromFile != "" { + in, err = os.Open(DeleteSubjectFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteSubjectInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteSubject", &DeleteSubjectInput) + } + err = AccessControlClient.DeleteSubject(ctx, &DeleteSubjectInput) + + return err + }, +} diff --git a/cmd/get-group.go b/cmd/get-group.go new file mode 100644 index 0000000..58d03b5 --- /dev/null +++ b/cmd/get-group.go 
@@ -0,0 +1,72 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var GetGroupInput grbacpb.GetGroupRequest + +var GetGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetGroupCmd) + + GetGroupCmd.Flags().StringVar(&GetGroupInput.Name, "name", "", "Required. The name of the group to retrieve.") + + GetGroupCmd.Flags().StringVar(&GetGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetGroupCmd = &cobra.Command{ + Use: "get-group", + Short: "GetGroup returns a group.", + Long: "GetGroup returns a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetGroupFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetGroupFromFile != "" { + in, err = os.Open(GetGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetGroup", &GetGroupInput) + } + resp, err := AccessControlClient.GetGroup(ctx, &GetGroupInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/get-iam-policy.go b/cmd/get-iam-policy.go new file mode 100644 index 0000000..65ceedd --- /dev/null +++ b/cmd/get-iam-policy.go 
@@ -0,0 +1,76 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + iampb "google.golang.org/genproto/googleapis/iam/v1" + + "os" +) + +var GetIamPolicyInput iampb.GetIamPolicyRequest + +var GetIamPolicyFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetIamPolicyCmd) + + GetIamPolicyInput.Options = new(iampb.GetPolicyOptions) + + GetIamPolicyCmd.Flags().StringVar(&GetIamPolicyInput.Resource, "resource", "", "Required. REQUIRED: The resource for which the policy is...") + + GetIamPolicyCmd.Flags().Int32Var(&GetIamPolicyInput.Options.RequestedPolicyVersion, "options.requested_policy_version", 0, "Optional. The policy format version to be...") + + GetIamPolicyCmd.Flags().StringVar(&GetIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetIamPolicyCmd = &cobra.Command{ + Use: "get-iam-policy", + Short: "Gets the IAM policy that is attached to a generic...", + Long: "Gets the IAM policy that is attached to a generic resource. Note: the full resource name that identifies the resource must be provided.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetIamPolicyFromFile == "" { + + cmd.MarkFlagRequired("resource") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetIamPolicyFromFile != "" { + in, err = os.Open(GetIamPolicyFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetIamPolicyInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetIamPolicy", &GetIamPolicyInput) + } + resp, err := AccessControlClient.GetIamPolicy(ctx, &GetIamPolicyInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/get-resource.go b/cmd/get-resource.go new file mode 100644 index 0000000..e0d9f2c --- /dev/null 
+++ b/cmd/get-resource.go @@ -0,0 +1,72 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var GetResourceInput grbacpb.GetResourceRequest + +var GetResourceFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetResourceCmd) + + GetResourceCmd.Flags().StringVar(&GetResourceInput.Name, "name", "", "Required. The full resource name of the resource to...") + + GetResourceCmd.Flags().StringVar(&GetResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetResourceCmd = &cobra.Command{ + Use: "get-resource", + Short: "GetResource returns a resource.", + Long: "GetResource returns a resource.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetResourceFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetResourceFromFile != "" { + in, err = os.Open(GetResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetResourceInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetResource", &GetResourceInput) + } + resp, err := AccessControlClient.GetResource(ctx, &GetResourceInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/get-role.go b/cmd/get-role.go new file mode 100644 index 0000000..7d4cbbe --- /dev/null +++ b/cmd/get-role.go 
@@ -0,0 +1,72 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var GetRoleInput grbacpb.GetRoleRequest + +var GetRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetRoleCmd) + + GetRoleCmd.Flags().StringVar(&GetRoleInput.Name, "name", "", "Required. The name of the role to retrieve.") + + GetRoleCmd.Flags().StringVar(&GetRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetRoleCmd = &cobra.Command{ + Use: "get-role", + Short: "GetRole returns a role.", + Long: "GetRole returns a role.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetRoleFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetRoleFromFile != "" { + in, err = os.Open(GetRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetRole", &GetRoleInput) + } + resp, err := AccessControlClient.GetRole(ctx, &GetRoleInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/grbac.go b/cmd/grbac.go new file mode 100644 index 0000000..6882645 --- /dev/null +++ b/cmd/grbac.go 
@@ -0,0 +1,61 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "bytes" + "context" + "fmt" + "os" + + "github.com/golang/protobuf/jsonpb" + "github.com/golang/protobuf/proto" + "github.com/spf13/cobra" +) + +var Verbose, OutputJSON bool +var ctx = context.Background() +var marshaler = &jsonpb.Marshaler{Indent: " "} + +func init() { + rootCmd.PersistentFlags().BoolVarP(&Verbose, "verbose", "v", false, "Print verbose output") + rootCmd.PersistentFlags().BoolVarP(&OutputJSON, "json", "j", false, "Print JSON output") +} + +var rootCmd = &cobra.Command{ + Use: "grbac", + Short: "Root command of grbac", +} + +func Execute() { + if err := rootCmd.Execute(); err != nil { + fmt.Println(err) + os.Exit(1) + } +} + +func main() { + Execute() +} + +func printVerboseInput(srv, mthd string, data interface{}) { + fmt.Println("Service:", srv) + fmt.Println("Method:", mthd) + fmt.Print("Input: ") + printMessage(data) +} + +func printMessage(data interface{}) { + var s string + + if msg, ok := data.(proto.Message); ok { + s = msg.String() + if OutputJSON { + var b bytes.Buffer + marshaler.Marshal(&b, msg) + s = b.String() + } + } + + fmt.Println(s) +} diff --git a/cmd/init.go b/cmd/init.go new file mode 100644 index 0000000..14d71e7 --- /dev/null +++ b/cmd/init.go 
@@ -0,0 +1,37 @@
+package main
+
+import (
+ "context"
+
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ type RuntimeConfig struct {
+ dgraphEndpoint string
+ }
+
+ config := RuntimeConfig{}
+ initCmd := &cobra.Command{
+ Use: "init",
+ Short: "Runs the API server initializer",
+ Run: func(cmd *cobra.Command, args []string) {
+ ctx := context.Background()
+ if err := bootstrap.Schema(ctx, config.dgraphEndpoint); err != nil {
+ logrus.Fatalf("failed to migrate the schema: %v", err)
+ }
+
+ logrus.Info("finished migrating the schema")
+ },
+ }
+
+ rootCmd.AddCommand(initCmd)
+
+ initCmd.Flags().StringVar(
+ &config.dgraphEndpoint,
+ "dgraph-endpoint",
+ "127.0.0.1:9080",
+ "The endpoint of the dgraph database.")
+}
diff --git a/cmd/remove-group-member.go b/cmd/remove-group-member.go
new file mode 100644
index 0000000..3908c0d
--- /dev/null
+++ b/cmd/remove-group-member.go
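Review bot: In cmd/init.go the schema migration runs on a bare `context.Background()` with no deadline or signal handling. Assuming `bootstrap.Schema` honours its context, an unreachable `--dgraph-endpoint` would leave `grbac init` waiting indefinitely. I would bound it with `ctx, cancel := context.WithTimeout(context.Background(), time.Minute)` followed by `defer cancel()`, with the duration chosen to suit the deployment. The function-local `type RuntimeConfig` and the local `ctx` also shadow the package-level `RuntimeConfig` in cmd/run.go and the `ctx` in cmd/grbac.go. Renaming the local type (for example `initConfig`) would avoid two different structs sharing one name in package main.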
@@ -0,0 +1,76 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var RemoveGroupMemberInput grbacpb.RemoveGroupMemberRequest + +var RemoveGroupMemberFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(RemoveGroupMemberCmd) + + RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberInput.Group, "group", "", "Required. The name of the group to remove an member from.") + + RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberInput.Member, "member", "", "Required. The member to be removed.") + + RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var RemoveGroupMemberCmd = &cobra.Command{ + Use: "remove-group-member", + Short: "RemoveGroupMember removes a member from a group.", + Long: "RemoveGroupMember removes a member from a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if RemoveGroupMemberFromFile == "" { + + cmd.MarkFlagRequired("group") + + cmd.MarkFlagRequired("member") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if RemoveGroupMemberFromFile != "" { + in, err = os.Open(RemoveGroupMemberFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &RemoveGroupMemberInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "RemoveGroupMember", &RemoveGroupMemberInput) + } + resp, err := AccessControlClient.RemoveGroupMember(ctx, &RemoveGroupMemberInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/run.go b/cmd/run.go new file mode 100644 index 0000000..0baec83 --- /dev/null +++ b/cmd/run.go 
@@ -0,0 +1,76 @@
+package main
+
+import (
+ "context"
+ "os"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/grbac/grbac/pkg/graceful"
+ "github.com/grbac/grbac/pkg/interrupt"
+ "github.com/grbac/grbac/pkg/services"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/reflection"
+)
+
+type RuntimeConfig struct {
+ port string
+ dgraphEndpoint string
+}
+
+// TODO: Investigate whether mTLS could be useful.
+// TODO: Investigate whether fallback server for HTTP/1.1 could be useful.
+
+// See https://github.com/googleapis/gapic-showcase/blob/master/cmd/gapic-showcase/endpoint.go
+
+func init() {
+ config := RuntimeConfig{}
+ runCmd := &cobra.Command{
+ Use: "run",
+ Short: "Runs the API server",
+ Run: func(cmd *cobra.Command, args []string) {
+ ctx, cancel := context.WithCancel(ctx)
+ intr := interrupt.New(func(os.Signal) {}, cancel)
+
+ opts := []grpc.ServerOption{}
+ server := grpc.NewServer(opts...)
+
+ cfg := &services.AccessControlServerConfig{
+ DgraphHostname: config.dgraphEndpoint,
+ }
+
+ accessControlServer, err := services.NewAccessControlServer(cfg)
+ if err != nil {
+ logrus.WithError(err).Fatalf("failed to start the [authorizer] server")
+ }
+ defer accessControlServer.(*services.AccessControlServerImpl).Close()
+
+ // Register Services to the server.
+ grbac.RegisterAccessControlServer(server, accessControlServer)
+
+ // Register reflection service on gRPC server.
+ reflection.Register(server)
+
+ if err := intr.Run(func() error { return graceful.NewGrpcListener(ctx, config.port, server) }); err != nil {
+ logrus.WithError(err).Fatalf("http server exited with error")
+ }
+ },
+ }
+
+ rootCmd.AddCommand(runCmd)
+
+ runCmd.Flags().StringVarP(
+ &config.port,
+ "port",
+ "p",
+ ":9080",
+ "The port that this serice will be served on.")
+
+ runCmd.Flags().StringVar(
+ &config.dgraphEndpoint,
+ "dgraph-endpoint",
+ "127.0.0.1:9080",
+ "The endpoint of the dgraph database.")
+}
diff --git a/cmd/set-iam-policy.go b/cmd/set-iam-policy.go
new file mode 100644
index 0000000..9252875
--- /dev/null
+++ b/cmd/set-iam-policy.go
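Review bot: In cmd/run.go the server is created from an empty `opts` slice, so the access-control API is registered with no transport credentials and no auth interceptor. The `--port` default `":9080"` has no host part, which presumably makes `graceful.NewGrpcListener` bind every interface. Until the mTLS TODO is settled I would default the listener to loopback, e.g. `"127.0.0.1:9090",` (port chosen only for illustration), and let deployments that need remote access pass `--port` explicitly. I would also put `reflection.Register(server)` behind an opt-in flag, since it advertises the full service schema to anyone who can reach the port. Separately, `--port` and `--dgraph-endpoint` both default to port 9080, so a local run with defaults would likely fail to bind or point the server at its own listener. Both `logrus` `Fatalf` calls exit the process, so the deferred `Close()` on the access-control server is skipped on the listener-error path.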
@@ -0,0 +1,93 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + iampb "google.golang.org/genproto/googleapis/iam/v1" + + "os" +) + +var SetIamPolicyInput iampb.SetIamPolicyRequest + +var SetIamPolicyFromFile string + +var SetIamPolicyInputPolicyBindings []string + +func init() { + AccessControlServiceCmd.AddCommand(SetIamPolicyCmd) + + SetIamPolicyInput.Policy = new(iampb.Policy) + + SetIamPolicyCmd.Flags().StringVar(&SetIamPolicyInput.Resource, "resource", "", "Required. REQUIRED: The resource for which the policy is...") + + SetIamPolicyCmd.Flags().Int32Var(&SetIamPolicyInput.Policy.Version, "policy.version", 0, "Specifies the format of the policy. Valid...") + + SetIamPolicyCmd.Flags().StringArrayVar(&SetIamPolicyInputPolicyBindings, "policy.bindings", []string{}, "Associates a list of `members` to a `role`....") + + SetIamPolicyCmd.Flags().BytesHexVar(&SetIamPolicyInput.Policy.Etag, "policy.etag", []byte{}, "`etag` is used for optimistic concurrency control...") + + SetIamPolicyCmd.Flags().StringVar(&SetIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var SetIamPolicyCmd = &cobra.Command{ + Use: "set-iam-policy", + Short: "Sets the IAM policy that is attached to a generic...", + Long: "Sets the IAM policy that is attached to a generic resource. 
Note: the full resource name that identifies the resource must be provided.", + PreRun: func(cmd *cobra.Command, args []string) { + + if SetIamPolicyFromFile == "" { + + cmd.MarkFlagRequired("resource") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if SetIamPolicyFromFile != "" { + in, err = os.Open(SetIamPolicyFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &SetIamPolicyInput) + if err != nil { + return err + } + + } + + // unmarshal JSON strings into slice of structs + for _, item := range SetIamPolicyInputPolicyBindings { + tmp := iampb.Binding{} + err = jsonpb.UnmarshalString(item, &tmp) + if err != nil { + return + } + + SetIamPolicyInput.Policy.Bindings = append(SetIamPolicyInput.Policy.Bindings, &tmp) + } + + if Verbose { + printVerboseInput("AccessControl", "SetIamPolicy", &SetIamPolicyInput) + } + resp, err := AccessControlClient.SetIamPolicy(ctx, &SetIamPolicyInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/test-iam-policy.go b/cmd/test-iam-policy.go new file mode 100644 index 0000000..59fbdcc --- /dev/null +++ b/cmd/test-iam-policy.go 
@@ -0,0 +1,75 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var TestIamPolicyInput grbacpb.TestIamPolicyRequest + +var TestIamPolicyFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(TestIamPolicyCmd) + + TestIamPolicyInput.AccessTuple = new(grbacpb.AccessTuple) + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.Principal, "access_tuple.principal", "", "Required. The member, or principal, whose access you want...") + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.FullResourceName, "access_tuple.full_resource_name", "", "Required. The full resource name that identifies the...") + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.Permission, "access_tuple.permission", "", "Required. The IAM permission to check for the specified...") + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var TestIamPolicyCmd = &cobra.Command{ + Use: "test-iam-policy", + Short: "Checks whether a member has a specific permission...", + Long: "Checks whether a member has a specific permission for a specific resource. 
If not allowed an Unauthorized (403) error will be returned.", + PreRun: func(cmd *cobra.Command, args []string) { + + if TestIamPolicyFromFile == "" { + + cmd.MarkFlagRequired("access_tuple.principal") + + cmd.MarkFlagRequired("access_tuple.full_resource_name") + + cmd.MarkFlagRequired("access_tuple.permission") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if TestIamPolicyFromFile != "" { + in, err = os.Open(TestIamPolicyFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &TestIamPolicyInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "TestIamPolicy", &TestIamPolicyInput) + } + err = AccessControlClient.TestIamPolicy(ctx, &TestIamPolicyInput) + + return err + }, +} diff --git a/cmd/transfer-resource.go b/cmd/transfer-resource.go new file mode 100644 index 0000000..293757a --- /dev/null +++ b/cmd/transfer-resource.go 
@@ -0,0 +1,95 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" + + "strings" +) + +var TransferResourceInput grbacpb.TransferResourceRequest + +var TransferResourceFromFile string + +var TransferResourceInputSubstitutions []string + +func init() { + AccessControlServiceCmd.AddCommand(TransferResourceCmd) + + TransferResourceCmd.Flags().StringVar(&TransferResourceInput.Name, "name", "", "Required. The full resource name that identifies the...") + + TransferResourceCmd.Flags().StringVar(&TransferResourceInput.TargetParent, "target_parent", "", "Required. The full resource name that identifies the new...") + + TransferResourceCmd.Flags().StringArrayVar(&TransferResourceInputSubstitutions, "substitutions", []string{}, "key=value pairs. The map of substitutions to apply to the full...") + + TransferResourceCmd.Flags().StringVar(&TransferResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var TransferResourceCmd = &cobra.Command{ + Use: "transfer-resource", + Short: "TransferResource transfers a resource to a new...", + Long: "TransferResource transfers a resource to a new parent.", + PreRun: func(cmd *cobra.Command, args []string) { + + if TransferResourceFromFile == "" { + + cmd.MarkFlagRequired("name") + + cmd.MarkFlagRequired("target_parent") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if TransferResourceFromFile != "" { + in, err = os.Open(TransferResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &TransferResourceInput) + if err != nil { + return err + } + + } + + if len(TransferResourceInputSubstitutions) > 0 { + TransferResourceInput.Substitutions = make(map[string]string) + } + for _, item := range TransferResourceInputSubstitutions { + split := 
strings.Split(item, "=") + if len(split) < 2 { + err = fmt.Errorf("Invalid map item: %q", item) + return + } + + TransferResourceInput.Substitutions[split[0]] = split[1] + } + + if Verbose { + printVerboseInput("AccessControl", "TransferResource", &TransferResourceInput) + } + resp, err := AccessControlClient.TransferResource(ctx, &TransferResourceInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/update-group.go b/cmd/update-group.go new file mode 100644 index 0000000..15cbadc --- /dev/null +++ b/cmd/update-group.go 
@@ -0,0 +1,84 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var UpdateGroupInput grbacpb.UpdateGroupRequest + +var UpdateGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(UpdateGroupCmd) + + UpdateGroupInput.Group = new(grbacpb.Group) + + UpdateGroupInput.UpdateMask = new(fieldmaskpb.FieldMask) + + UpdateGroupCmd.Flags().StringVar(&UpdateGroupInput.Group.Name, "group.name", "", "Required. The resource name of the group.") + + UpdateGroupCmd.Flags().StringSliceVar(&UpdateGroupInput.Group.Members, "group.members", []string{}, "The list of members of the group. Groups might...") + + UpdateGroupCmd.Flags().BytesHexVar(&UpdateGroupInput.Group.Etag, "group.etag", []byte{}, "An etag for concurrency control, ignored during...") + + UpdateGroupCmd.Flags().StringSliceVar(&UpdateGroupInput.UpdateMask.Paths, "update_mask.paths", []string{}, "The set of field mask paths.") + + UpdateGroupCmd.Flags().StringVar(&UpdateGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var UpdateGroupCmd = &cobra.Command{ + Use: "update-group", + Short: "UpdateGroup updates a group with a field mask.", + Long: "UpdateGroup updates a group with a field mask.", + PreRun: func(cmd *cobra.Command, args []string) { + + if UpdateGroupFromFile == "" { + + cmd.MarkFlagRequired("group.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if UpdateGroupFromFile != "" { + in, err = os.Open(UpdateGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &UpdateGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "UpdateGroup", &UpdateGroupInput) + } + resp, err 
:= AccessControlClient.UpdateGroup(ctx, &UpdateGroupInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/update-role.go b/cmd/update-role.go new file mode 100644 index 0000000..62ad084 --- /dev/null +++ b/cmd/update-role.go 
@@ -0,0 +1,86 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var UpdateRoleInput grbacpb.UpdateRoleRequest + +var UpdateRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(UpdateRoleCmd) + + UpdateRoleInput.Role = new(grbacpb.Role) + + UpdateRoleInput.UpdateMask = new(fieldmaskpb.FieldMask) + + UpdateRoleCmd.Flags().StringVar(&UpdateRoleInput.Role.Name, "role.name", "", "Required. The resource name of the role.") + + UpdateRoleCmd.Flags().StringSliceVar(&UpdateRoleInput.Role.Permissions, "role.permissions", []string{}, "Required. The list of permissions granted by the role.") + + UpdateRoleCmd.Flags().BytesHexVar(&UpdateRoleInput.Role.Etag, "role.etag", []byte{}, "An etag for concurrency control, ignored during...") + + UpdateRoleCmd.Flags().StringSliceVar(&UpdateRoleInput.UpdateMask.Paths, "update_mask.paths", []string{}, "The set of field mask paths.") + + UpdateRoleCmd.Flags().StringVar(&UpdateRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var UpdateRoleCmd = &cobra.Command{ + Use: "update-role", + Short: "UpdateRole updates a role with a field mask.", + Long: "UpdateRole updates a role with a field mask.", + PreRun: func(cmd *cobra.Command, args []string) { + + if UpdateRoleFromFile == "" { + + cmd.MarkFlagRequired("role.name") + + cmd.MarkFlagRequired("role.permissions") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if UpdateRoleFromFile != "" { + in, err = os.Open(UpdateRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &UpdateRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "UpdateRole", 
&UpdateRoleInput) + } + resp, err := AccessControlClient.UpdateRole(ctx, &UpdateRoleInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/examples/grpc/docker-compose.yaml b/examples/grpc/docker-compose.yaml new file mode 100644 index 0000000..a2f0eb9 --- /dev/null +++ b/examples/grpc/docker-compose.yaml @@ -0,0 +1,12 @@ +version: '3' +services: + dgraph: + image: dgraph/standalone:v21.03.0 + ports: + - "8060:8080" + - "9060:9080" + grbac: + build: ../../ + entrypoint: /usr/local/grbac/docker-compose.sh + ports: + - "9070:9080" diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..fbdad60 --- /dev/null +++ b/go.mod @@ -0,0 +1,27 @@ +module github.com/grbac/grbac + +go 1.16 + +require ( + github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e + github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660 + github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd + github.com/fsnotify/fsnotify v1.4.9 // indirect + github.com/golang/protobuf v1.5.2 + github.com/google/go-cmp v0.5.6 // indirect + github.com/google/uuid v1.1.2 + github.com/kr/text v0.2.0 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/sirupsen/logrus v1.8.1 + github.com/spf13/cobra v1.1.3 + github.com/spf13/viper v1.7.1 + github.com/stretchr/testify v1.7.0 + golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c + golang.org/x/sync v0.0.0-20210220032951-036812b2e83c + google.golang.org/api v0.47.0 + google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced + google.golang.org/grpc v1.38.0 + google.golang.org/protobuf v1.26.0 + gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..d012cb1 --- /dev/null +++ b/go.sum 
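Review bot: The `ports` entries in examples/grpc/docker-compose.yaml (`"8060:8080"`, `"9060:9080"`, `"9070:9080"`) publish on all host interfaces, so anyone who can reach the host can talk to the Dgraph HTTP and gRPC endpoints and to grbac directly; nothing in this file configures authentication for either. For a local example, bind them to loopback: `- "127.0.0.1:8060:8080"`, `- "127.0.0.1:9060:9080"`, `- "127.0.0.1:9070:9080"`. If the Dgraph ports are only needed by the grbac container, they could be dropped altogether, since services on the same Compose network reach each other by service name.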
@@ -0,0 +1,700 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0 h1:at8Tk2zUz63cLPR0JPWm5vp77pEZmzxEQBEfRKn1VV8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery 
v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/template 
v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/animeapis/api-go-client v0.0.0-20210702020008-910be5621ed0 h1:lny9qbtbsTRkBTw7Xa2IqobVH+icoUna3Z5st5RSs30= +github.com/animeapis/api-go-client v0.0.0-20210702020008-910be5621ed0/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210706005357-61f55569ce4f h1:gACgGhge+bvE9h0y+dk9EDSCLxPMRwbMIUpBieopoJM= +github.com/animeapis/api-go-client v0.0.0-20210706005357-61f55569ce4f/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210706012355-5c7d0a25dc1f h1:qsbZJro93Yi4B0optb+HPGkoSPSnaGSRoAHlp+lRoMg= +github.com/animeapis/api-go-client v0.0.0-20210706012355-5c7d0a25dc1f/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210706130016-f43925eaefe0 h1:9WPMGKnlSFMlvuJTKmv+EkEaFG2elatH80igIyHN+Bo= +github.com/animeapis/api-go-client v0.0.0-20210706130016-f43925eaefe0/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e h1:enf+AfSGCjGnyrmbotM1VClz46mI45ZbRaDh7lFbTd0= +github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/go-genproto v0.0.0-20210521234542-490e9b696088/go.mod h1:uKRvemxPZyVEy2+4cCWJ6WXDeBXyR4YjBFnHgV5cGcg= +github.com/animeapis/go-genproto v0.0.0-20210705160300-2b8f84d86720 h1:n+ozc7P73xOjhvoFjB86vaZF0RA5wSwIcuxFVXiFtsQ= +github.com/animeapis/go-genproto v0.0.0-20210705160300-2b8f84d86720/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210705231000-2747288cb6e8 h1:3zOJPt/mL2KSDYOT7MewwGRIcNxSKvY5hn4oDKHP4N0= +github.com/animeapis/go-genproto v0.0.0-20210705231000-2747288cb6e8/go.mod 
h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706005359-67393cbcd97d h1:UEzSoNDmUTqtuB9lGuUtAUzo44vgxHpnz5HDuLoBFEM= +github.com/animeapis/go-genproto v0.0.0-20210706005359-67393cbcd97d/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706012357-9e992faa07a7 h1:1myeoc83fA4rpu1QeT0LtZZKKK0rCs3H1qIsLAlEv4c= +github.com/animeapis/go-genproto v0.0.0-20210706012357-9e992faa07a7/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706130018-a53e1fd61c52 h1:FSzleLHwQCE2k+FsxSNPPR3d28Bdo249SlrGPlxeHTI= +github.com/animeapis/go-genproto v0.0.0-20210706130018-a53e1fd61c52/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706183531-6bde4cfe3722 h1:wH+1TPwGpMJtN+v7BzVT7b53A4fhcLXT9PLDe1uWqMk= +github.com/animeapis/go-genproto v0.0.0-20210706183531-6bde4cfe3722/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660 h1:19vlhXVKZsLRuw4VhJjpzneK8WkURErvGmjKHUpLW/U= +github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod 
h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgraph-io/dgo/v210 
v210.0.0-20210421093152-78a2fece3ebd h1:bKck5FnruuJxL1oCmrDSYWRl634IxBwL/IwwWx4UgEM= +github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd/go.mod h1:dCzdThGGTPYOAuNtrM6BiXj/86voHn7ZzkPL6noXR3s= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod 
h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock 
v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod 
h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/consul/api v1.1.0/go.mod 
h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod 
h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 
h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= 
+github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod 
h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.1.3 
h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M= +github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk= +github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/xiang90/probing 
v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto 
v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net 
v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= 
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 h1:a8jGStKg0XqKDlKqjLrXn0ioF5MH36pT7Z0BRTqLhbk= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync 
v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 
h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod 
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0 h1:sQLWZQvP6jPGIP4JGPkJu4zHswrv81iobiyszr3b/0I= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod 
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210521181308-5ccab8a35a9a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced h1:c5geK1iMU3cDKtFrCVQIcjR3W+JOZMuhIyICMCTbtus= +google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod 
h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 
h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/pkg/bootstrap/data/schema.rdf b/pkg/bootstrap/data/schema.rdf new file mode 100644 index 0000000..4b56e2e --- /dev/null +++ b/pkg/bootstrap/data/schema.rdf 
@@ -0,0 +1,59 @@
+type Resource {
+ Resource.etag
+ Resource.name
+ Resource.parent
+ Resource.policy
+}
+
+type Policy {
+ Policy.bindings
+ Policy.version
+ Policy.etag
+}
+
+type Binding {
+ Binding.role
+ Binding.members
+}
+
+type Role {
+ Role.description
+ Role.displayName
+ Role.etag
+ Role.name
+ Role.permissions
+}
+
+type Permission {
+ Permission.name
+}
+
+type Group {
+ Group.etag
+ Group.members
+ Group.name
+}
+
+type Subject {
+ Subject.name
+}
+
+: [uid] .
+: uid .
+: string @index(hash) @upsert .
+: [uid] .
+: string @index(hash) @upsert .
+: string @index(hash) @upsert .
+: [uid] .
+: string @index(hash) @upsert .
+: int .
+: string @index(hash) @upsert .
+: string @index(hash) @upsert .
+: uid @reverse .
+: uid .
+: string .
+: string .
+: string @index(hash) @upsert .
+: string @index(hash) @upsert .
+: [uid] @reverse .
+: string @index(hash) @upsert .
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.all-users.condition.rdf b/pkg/bootstrap/data/system.all-users.condition.rdf
new file mode 100644
index 0000000..09e363c
--- /dev/null
+++ b/pkg/bootstrap/data/system.all-users.condition.rdf
@@ -0,0 +1 @@
+@if(eq(len(allUsers), 0))
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.all-users.mutation.rdf b/pkg/bootstrap/data/system.all-users.mutation.rdf
new file mode 100644
index 0000000..f17db9d
--- /dev/null
+++ b/pkg/bootstrap/data/system.all-users.mutation.rdf
@@ -0,0 +1,2 @@
+uid(allUsers) "Subject" .
+uid(allUsers) "system/allUsers" .
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.all-users.query.rdf b/pkg/bootstrap/data/system.all-users.query.rdf
new file mode 100644
index 0000000..9f7e3e9
--- /dev/null
+++ b/pkg/bootstrap/data/system.all-users.query.rdf
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "system/allUsers")) { allUsers as uid }
+}
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.animeshon.condition.rdf b/pkg/bootstrap/data/system.animeshon.condition.rdf
new file mode 100644
index 0000000..8f6f919
--- /dev/null
+++ b/pkg/bootstrap/data/system.animeshon.condition.rdf
@@ -0,0 +1 @@
+@if(eq(len(animeshon), 0))
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.animeshon.mutation.rdf b/pkg/bootstrap/data/system.animeshon.mutation.rdf
new file mode 100644
index 0000000..25a44f5
--- /dev/null
+++ b/pkg/bootstrap/data/system.animeshon.mutation.rdf
@@ -0,0 +1,2 @@
+uid(animeshon) "Resource" .
+uid(animeshon) "@animeshon" .
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.animeshon.query.rdf b/pkg/bootstrap/data/system.animeshon.query.rdf
new file mode 100644
index 0000000..1a35324
--- /dev/null
+++ b/pkg/bootstrap/data/system.animeshon.query.rdf
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Resource.name, "@animeshon")) { animeshon as uid }
+}
\ No newline at end of file
diff --git a/pkg/bootstrap/schema.go b/pkg/bootstrap/schema.go
new file mode 100644
index 0000000..b0d561b
--- /dev/null
+++ b/pkg/bootstrap/schema.go
@@ -0,0 +1,76 @@
+package bootstrap
+
+import (
+ "context"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "google.golang.org/grpc"
+)
+
+//go:embed data/schema.rdf
+var schema string
+
+//go:embed data/system.all-users.query.rdf
+var allUsersQuery string
+
+//go:embed data/system.all-users.mutation.rdf
+var allUsersMutation []byte
+
+//go:embed data/system.all-users.condition.rdf
+var allUsersCondition string
+
+//go:embed data/system.animeshon.query.rdf
+var animeshonQuery string
+
+//go:embed data/system.animeshon.mutation.rdf
+var animeshonMutation []byte
+
+//go:embed data/system.animeshon.condition.rdf
+var animeshonCondition string
+
+func Schema(ctx context.Context, endpoint string) error {
+ connection, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ if err != nil {
+ return err
+ }
+ defer connection.Close()
+
+ op := &api.Operation{
+ Schema: schema,
+ }
+
+ cli := dgo.NewDgraphClient(api.NewDgraphClient(connection))
+ if err := cli.Alter(context.Background(), op); err != nil {
+ return err
+ }
+
+ allUsers := &api.Request{
+ Query: allUsersQuery,
+ Mutations: []*api.Mutation{{
+ Cond: allUsersCondition,
+ SetNquads: allUsersMutation,
+ }},
+ CommitNow: true,
+ }
+
+ if _, err := cli.NewTxn().Do(ctx, allUsers); err != nil {
+ return err
+ }
+
+ animeshon := &api.Request{
+ Query: animeshonQuery,
+ Mutations: []*api.Mutation{{
+ Cond: animeshonCondition,
+ SetNquads: animeshonMutation,
+ }},
+ CommitNow: true,
+ }
+
+ if _, err := cli.NewTxn().Do(ctx, animeshon); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/pkg/fieldmask/fieldmask.go b/pkg/fieldmask/fieldmask.go
new file mode 100644
index 0000000..b746ddd
--- /dev/null
+++ b/pkg/fieldmask/fieldmask.go
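Review bot: The Dgraph connection in `Schema` is opened with `grpc.WithInsecure()`, so the schema alter and the bootstrap mutations for `system/allUsers` and `@animeshon` are sent without TLS or peer authentication. For the backing store of an access-control service the transport credentials should come from configuration, for example `grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))` with `tlsConfig` supplied by the caller, leaving the plaintext dial as an explicit opt-in for local development. Separately, `cli.Alter(context.Background(), op)` drops the caller's `ctx`, so cancellation and deadlines never reach the schema step; `cli.Alter(ctx, op)` would match the two `Do(ctx, …)` calls below it.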
@@ -0,0 +1,33 @@
+package fieldmask
+
+import (
+ "strings"
+
+ "google.golang.org/protobuf/types/known/fieldmaskpb"
+)
+
+type FieldMask struct {
+ paths []string
+}
+
+func (mask *FieldMask) Contains(field string) bool {
+ if mask == nil {
+ return true
+ }
+
+ for _, mask := range mask.paths {
+ if strings.HasPrefix(field, mask) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func NewFieldMask(mask *fieldmaskpb.FieldMask) *FieldMask {
+ if len(mask.GetPaths()) == 0 {
+ return nil
+ }
+
+ return &FieldMask{paths: mask.GetPaths()}
+}
diff --git a/pkg/graceful/grpc_listener.go b/pkg/graceful/grpc_listener.go
new file mode 100644
index 0000000..139367c
--- /dev/null
+++ b/pkg/graceful/grpc_listener.go
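Review bot: `Contains` compares with a bare `strings.HasPrefix(field, mask)`, so a mask path also selects any unrelated field that merely starts with the same characters (a constructed example: path `name` would match a field `names`). The match should stop at a path-segment boundary, `if field == p || strings.HasPrefix(field, p+".") { return true }`, with the loop variable renamed to `p` because it currently shadows the receiver `mask`. It is also worth a doc comment on both functions stating that an empty mask becomes a nil `*FieldMask` and that a nil receiver reports every field as contained, since callers deciding which fields an update may touch rely on that default.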
@@ -0,0 +1,60 @@
+package graceful
+
+import (
+ "context"
+ "net"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc"
+)
+
+// NewGrpcListener listens for incoming gRPC requests.
+func NewGrpcListener(ctx context.Context, address string, server *grpc.Server) error {
+ listener, err := net.Listen("tcp", address)
+ if err != nil {
+ return err
+ }
+
+ logrus.Infof("gRPC server listening to [%s]", address)
+ return ServeWithContext(ctx, server, listener)
+}
+
+// ServeWithContext is a wrapper around the Serve function which also implements
+// context cancellation and graceful shutdown.
+func ServeWithContext(ctx context.Context, server *grpc.Server, listener net.Listener) error {
+ serverCtx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ gr := new(errgroup.Group)
+ gr.Go(func() error {
+ defer cancel()
+
+ if err := server.Serve(listener); err != nil {
+ return err
+ }
+
+ return nil
+ })
+
+ gr.Go(func() error {
+ for {
+ select {
+ case <-serverCtx.Done():
+ // ListenAndServe exited already - nothing to do.
+ return nil
+ case <-ctx.Done():
+ // SIGTERM or SIGINT received - initiate graceful shutdown.
+ goto shutdown
+ }
+ }
+
+ shutdown:
+ logrus.Info("gracefully shutting down the server - waiting for active connections to close")
+ server.GracefulStop()
+
+ return nil
+ })
+
+ return gr.Wait()
+}
diff --git a/pkg/graph/data/groups.exists.query.dql b/pkg/graph/data/groups.exists.query.dql
new file mode 100644
index 0000000..d9190d9
--- /dev/null
+++ b/pkg/graph/data/groups.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsGroup($name: string) {
+ groups(func: eq(Group.name, $name)) {
+ Group.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/groups.get.query.dql b/pkg/graph/data/groups.get.query.dql
new file mode 100644
index 0000000..b302d14
--- /dev/null
+++ b/pkg/graph/data/groups.get.query.dql
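Review bot: `server.GracefulStop()` in the second goroutine of `ServeWithContext` has no upper bound: it blocks until every in-flight RPC has finished, so a single long-lived or stalled client keeps the process from exiting after `ctx` is cancelled. Bound the wait and fall back to `server.Stop()`; the sketch below assumes a new package-level `shutdownTimeout` duration and the `time` import, neither of which is part of this hunk. The `for`/`goto shutdown` wrapper around the `select` can go at the same time, and the comment `ListenAndServe exited already` names a function this code does not call (it is `server.Serve`).

```go
	// … unchanged: serverCtx setup and the goroutine running server.Serve …
	gr.Go(func() error {
		select {
		case <-serverCtx.Done():
			// Serve exited already - nothing to do.
			return nil
		case <-ctx.Done():
			// SIGTERM or SIGINT received - initiate graceful shutdown.
		}

		logrus.Info("gracefully shutting down the server - waiting for active connections to close")
		drained := make(chan struct{})
		go func() {
			server.GracefulStop()
			close(drained)
		}()

		select {
		case <-drained:
		case <-time.After(shutdownTimeout):
			// In-flight RPCs did not drain in time - close the remaining connections.
			server.Stop()
		}

		return nil
	})
	// … unchanged: return gr.Wait() …
```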
@@ -0,0 +1,10 @@
+query queryGetGroup($name: string) {
+ groups(func: eq(Group.name, $name)) {
+ Group.name
+ Group.etag
+ Group.members {
+ Group.name
+ Subject.name
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/permissions.exists.query.dql b/pkg/graph/data/permissions.exists.query.dql
new file mode 100644
index 0000000..549e6b8
--- /dev/null
+++ b/pkg/graph/data/permissions.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsPermission($name: string) {
+ permissions(func: eq(Permission.name, $name)) {
+ Permission.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/resources.exists.query.dql b/pkg/graph/data/resources.exists.query.dql
new file mode 100644
index 0000000..a158fa4
--- /dev/null
+++ b/pkg/graph/data/resources.exists.query.dql
@@ -0,0 +1,5 @@
+query queryGetResource($name: string) {
+ resources(func: eq(Resource.name, $name)) {
+ Resource.name
+ }
+}
diff --git a/pkg/graph/data/resources.get.query.dql b/pkg/graph/data/resources.get.query.dql
new file mode 100644
index 0000000..1b41d5f
--- /dev/null
+++ b/pkg/graph/data/resources.get.query.dql
@@ -0,0 +1,22 @@
+query queryGetResource($name: string) {
+ resources(func: eq(Resource.name, $name)) {
+ Resource.name
+ Resource.etag
+ Resource.policy {
+ Policy.etag
+ Policy.version
+ Policy.bindings {
+ Binding.role {
+ Role.name
+ }
+ Binding.members {
+ Group.name
+ Subject.name
+ }
+ }
+ }
+ Resource.parent {
+ Resource.name
+ }
+ }
+}
diff --git a/pkg/graph/data/resources.has_children.query.dql b/pkg/graph/data/resources.has_children.query.dql
new file mode 100644
index 0000000..6b2f534
--- /dev/null
+++ b/pkg/graph/data/resources.has_children.query.dql
@@ -0,0 +1,7 @@
+query queryHasChildren($name: string) {
+ children(func: eq(Resource.name, $name)) {
+ ~Resource.parent {
+ Resource.name
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/roles.exists.query.dql b/pkg/graph/data/roles.exists.query.dql
new file mode 100644
index 0000000..7ea6959
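Review bot: The operation in `resources.exists.query.dql` is named `queryGetResource`, the same name used in `resources.get.query.dql`, while every other exists-query in this commit follows the `queryExists…` pattern. Renaming its first line to `query queryExistsResource($name: string) {` would match the Go variable `queryExistsResource` that embeds the file and keep the two queries distinguishable by name.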
--- /dev/null
+++ b/pkg/graph/data/roles.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsRole($name: string) {
+ roles(func: eq(Role.name, $name)) {
+ Role.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/roles.get.query.dql b/pkg/graph/data/roles.get.query.dql
new file mode 100644
index 0000000..3d21453
--- /dev/null
+++ b/pkg/graph/data/roles.get.query.dql
@@ -0,0 +1,9 @@
+query queryGetRole($name: string) {
+ roles(func: eq(Role.name, $name)) {
+ Role.name
+ Role.etag
+ Role.permissions {
+ Permission.name
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/subjects.exists.query.dql b/pkg/graph/data/subjects.exists.query.dql
new file mode 100644
index 0000000..f4a7464
--- /dev/null
+++ b/pkg/graph/data/subjects.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsSubject($name: string) {
+ subjects(func: eq(Subject.name, $name)) {
+ Subject.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/groups.go b/pkg/graph/groups.go
new file mode 100644
index 0000000..b9fef89
--- /dev/null
+++ b/pkg/graph/groups.go
@@ -0,0 +1,56 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/groups.get.query.dql
+var queryGetGroup string
+
+//go:embed data/groups.exists.query.dql
+var queryExistsGroup string
+
+func GetGroup(ctx context.Context, txn *dgo.Txn, name string) (*Group, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetGroup, m)
+ if err != nil {
+ return nil, err
+ }
+
+ groups := new(struct {
+ Groups []*Group `json:"groups"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &groups); err != nil {
+ return nil, err
+ }
+
+ if len(groups.Groups) == 0 {
+ return nil, nil
+ }
+
+ return groups.Groups[0], nil
+}
+
+func ExistsGroup(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsGroup, m)
+ if err != nil {
+ return false, err
+ }
+
+ groups := new(struct {
+ Groups []*Group `json:"groups"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &groups); err != nil {
+ return false, err
+ }
+
+ return len(groups.Groups) != 0, nil
+}
diff --git a/pkg/graph/permissions.go b/pkg/graph/permissions.go
new file mode 100644
index 0000000..e690014
--- /dev/null
+++ b/pkg/graph/permissions.go
@@ -0,0 +1,31 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/permissions.exists.query.dql
+var queryExistsPermission string
+
+func ExistsPermission(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsPermission, m)
+ if err != nil {
+ return false, err
+ }
+
+ permissions := new(struct {
+ Permissions []*Permission `json:"permissions"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &permissions); err != nil {
+ return false, err
+ }
+
+ return len(permissions.Permissions) != 0, nil
+}
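Review bot: `GetGroup` returns `(nil, nil)` when the query matches nothing and no comment says so, which means a caller that checks only `err` will dereference a nil `*Group`. Add a doc comment such as `// GetGroup returns the group called name, or nil with a nil error when no such group exists.`, or return a sentinel not-found error so the missing case cannot be overlooked in an authorization path. The same applies to `GetResource` in pkg/graph/resources.go and `GetRole` in pkg/graph/roles.go. In all of these helpers the result variable already holds a pointer from `new(...)`, so `json.Unmarshal(resp.Json, groups)` is sufficient; `&groups` passes a pointer to a pointer.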
diff --git a/pkg/graph/resources.go b/pkg/graph/resources.go
new file mode 100644
index 0000000..6f6a4af
--- /dev/null
+++ b/pkg/graph/resources.go
@@ -0,0 +1,77 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/resources.get.query.dql
+var queryGetResource string
+
+//go:embed data/resources.exists.query.dql
+var queryExistsResource string
+
+//go:embed data/resources.has_children.query.dql
+var queryHasChildren string
+
+func GetResource(ctx context.Context, txn *dgo.Txn, name string) (*Resource, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetResource, m)
+ if err != nil {
+ return nil, err
+ }
+
+ resources := new(struct {
+ Resources []*Resource `json:"resources"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &resources); err != nil {
+ return nil, err
+ }
+
+ if len(resources.Resources) == 0 {
+ return nil, nil
+ }
+
+ return resources.Resources[0], nil
+}
+
+func ExistsResource(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsResource, m)
+ if err != nil {
+ return false, err
+ }
+
+ resources := new(struct {
+ Resources []*Resource `json:"resources"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &resources); err != nil {
+ return false, err
+ }
+
+ return len(resources.Resources) != 0, nil
+}
+
+func HasChildren(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryHasChildren, m)
+ if err != nil {
+ return false, err
+ }
+
+ children := new(struct {
+ Resources []*Resource `json:"children"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &children); err != nil {
+ return false, err
+ }
+
+ return len(children.Resources) != 0, nil
+}
diff --git a/pkg/graph/roles.go b/pkg/graph/roles.go
new file mode 100644
index 0000000..969e6f4
--- /dev/null
+++ b/pkg/graph/roles.go
@@ -0,0 +1,56 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/roles.get.query.dql
+var queryGetRole string
+
+//go:embed data/roles.exists.query.dql
+var queryExistsRole string
+
+func GetRole(ctx context.Context, txn *dgo.Txn, name string) (*Role, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetRole, m)
+ if err != nil {
+ return nil, err
+ }
+
+ roles := new(struct {
+ Roles []*Role `json:"roles"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &roles); err != nil {
+ return nil, err
+ }
+
+ if len(roles.Roles) == 0 {
+ return nil, nil
+ }
+
+ return roles.Roles[0], nil
+}
+
+func ExistsRole(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsRole, m)
+ if err != nil {
+ return false, err
+ }
+
+ roles := new(struct {
+ Roles []*Role `json:"roles"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &roles); err != nil {
+ return false, err
+ }
+
+ return len(roles.Roles) != 0, nil
+}
diff --git a/pkg/graph/subjects.go b/pkg/graph/subjects.go
new file mode 100644
index 0000000..a73ef4b
--- /dev/null
+++ b/pkg/graph/subjects.go
@@ -0,0 +1,31 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/subjects.exists.query.dql
+var queryExistsSubject string
+
+func ExistsSubject(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsSubject, m)
+ if err != nil {
+ return false, err
+ }
+
+ subjects := new(struct {
+ Subjects []*Subject `json:"subjects"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &subjects); err != nil {
+ return false, err
+ }
+
+ return len(subjects.Subjects) != 0, nil
+}
diff --git a/pkg/graph/types.go b/pkg/graph/types.go
new file mode 100644
index 0000000..8b7d5fa
--- /dev/null
+++ b/pkg/graph/types.go
@@ -0,0 +1,44 @@
+package graph
+
+type Permission struct {
+ Name string `json:"Permission.name"`
+}
+
+type Role struct {
+ Name string `json:"Role.name"`
+ Permissions []*Permission `json:"Role.permissions"`
+ ETag string `json:"Role.etag"`
+}
+
+type Resource struct {
+ Name string `json:"Resource.name"`
+ Policy *Policy `json:"Resource.policy"`
+ Parent *Resource `json:"Resource.parent"`
+ ETag string `json:"Resource.etag"`
+}
+
+type Policy struct {
+ Bindings []*Binding `json:"Policy.bindings"`
+ Version int32 `json:"Policy.version"`
+ ETag string `json:"Policy.etag"`
+}
+
+type Binding struct {
+ Role *Role `json:"Binding.role"`
+ Members []Member `json:"Binding.members"`
+}
+
+type Member struct {
+ Group string `json:"Group.name"`
+ Subject string `json:"Subject.name"`
+}
+
+type Group struct {
+ Name string `json:"Group.name"`
+ Members []Member `json:"Group.members"`
+ ETag string `json:"Group.etag"`
+}
+
+type Subject struct {
+ Name string `json:"Subject.name"`
+}
diff --git a/pkg/interrupt/interrupt.go b/pkg/interrupt/interrupt.go
new file mode 100644
index 0000000..0265b9f
--- /dev/null
+++ b/pkg/interrupt/interrupt.go
@@ -0,0 +1,104 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package interrupt
+
+import (
+ "os"
+ "os/signal"
+ "sync"
+ "syscall"
+)
+
+// terminationSignals are signals that cause the program to exit in the
+// supported platforms (linux, darwin, windows).
+var terminationSignals = []os.Signal{syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT}
+
+// Handler guarantees execution of notifications after a critical section (the function passed
+// to a Run method), even in the presence of process termination. It guarantees exactly once
+// invocation of the provided notify functions.
+type Handler struct {
+ notify []func()
+ final func(os.Signal)
+ once sync.Once
+}
+
+// Chain creates a new handler that invokes all notify functions when the critical section exits
+// and then invokes the optional handler's notifications. This allows critical sections to be
+// nested without losing exactly once invocations. Notify functions can invoke any cleanup needed
+// but should not exit (which is the responsibility of the parent handler).
+func Chain(handler *Handler, notify ...func()) *Handler {
+ if handler == nil {
+ return New(nil, notify...)
+ }
+ return New(handler.Signal, append(notify, handler.Close)...)
+}
+
+// New creates a new handler that guarantees all notify functions are run after the critical
+// section exits (or is interrupted by the OS), then invokes the final handler. If no final
+// handler is specified, the default final is `os.Exit(1)`. A handler can only be used for
+// one critical section.
+func New(final func(os.Signal), notify ...func()) *Handler {
+ return &Handler{
+ final: final,
+ notify: notify,
+ }
+}
+
+// Close executes all the notification handlers if they have not yet been executed.
+func (h *Handler) Close() {
+ h.once.Do(func() {
+ for _, fn := range h.notify {
+ fn()
+ }
+ })
+}
+
+// Signal is called when an os.Signal is received, and guarantees that all notifications
+// are executed, then the final handler is executed. This function should only be called once
+// per Handler instance.
+func (h *Handler) Signal(s os.Signal) {
+ h.once.Do(func() {
+ for _, fn := range h.notify {
+ fn()
+ }
+ if h.final == nil {
+ os.Exit(1)
+ }
+ h.final(s)
+ })
+}
+
+// Run ensures that any notifications are invoked after the provided fn exits (even if the
+// process is interrupted by an OS termination signal). Notifications are only invoked once
+// per Handler instance, so calling Run more than once will not behave as the user expects.
+func (h *Handler) Run(fn func() error) error {
+ ch := make(chan os.Signal, 1)
+ signal.Notify(ch, terminationSignals...)
+ defer func() {
+ signal.Stop(ch)
+ close(ch)
+ }()
+ go func() {
+ sig, ok := <-ch
+ if !ok {
+ return
+ }
+ h.Signal(sig)
+ }()
+ defer h.Close()
+ return fn()
+}
diff --git a/pkg/services/authorize.go b/pkg/services/authorize.go
new file mode 100644
index 0000000..f522c14
--- /dev/null
+++ b/pkg/services/authorize.go
@@ -0,0 +1,119 @@
+package services
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// TODO(christia-roggia): collapse into a single query as soon as dgraph
+// allows `shortest` to be performed with multiple exit nodes.
+
+//go:embed data/authorize.query.dql
+var queryAuthorize string
+
+func (s *AccessControlServerImpl) validateTestIamPolicy(ctx context.Context, req *grbac.TestIamPolicyRequest) error {
+ if req.AccessTuple == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {access tuple not defined}").Err()
+ }
+
+ if len(req.AccessTuple.FullResourceName) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {full resource name not defined}").Err()
+ }
+ if len(req.AccessTuple.Permission) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission not defined}").Err()
+ }
+ if len(req.AccessTuple.Principal) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {principal not defined}").Err()
+ }
+
+ if !isUserMember(req.AccessTuple.Principal) && !isServiceAccountMember(req.AccessTuple.Principal) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid principal name format}").Err()
+ }
+
+ return nil
+}
+
+// Checks whether a member has a specific permission for a specific resource.
+// If not allowed an Unauthorized (403) error will be returned.
+func (s *AccessControlServerImpl) TestIamPolicy(ctx context.Context, req *grbac.TestIamPolicyRequest) (*empty.Empty, error) {
+ if err := s.validateTestIamPolicy(ctx, req); err != nil {
+ return nil, err
+ }
+
+ m := map[string]string{
+ "$resource": req.AccessTuple.FullResourceName,
+ "$permission": toPermissionName(req.AccessTuple.Permission),
+ }
+
+ if isUserMember(req.AccessTuple.Principal) {
+ m["$principal"] = toUserName(req.AccessTuple.Principal)
+ } else if isServiceAccountMember(req.AccessTuple.Principal) {
+ m["$principal"] = toServiceAccountName(req.AccessTuple.Principal)
+ }
+
+ allUsers := map[string]string{
+ "$principal": allUsers,
+ "$resource": req.AccessTuple.FullResourceName,
+ "$permission": toPermissionName(req.AccessTuple.Permission),
+ }
+
+ // Ask in parallel whether the user is allowed or allUsers is allowed.
+ var isAllowed, isAllUsersAllowed bool
+ group, ctx := errgroup.WithContext(ctx)
+
+ group.Go(func() error {
+ allowed, err := s.testIamPolicy(ctx, m)
+
+ isAllowed = allowed
+ return err
+ })
+
+ group.Go(func() error {
+ allowed, err := s.testIamPolicy(ctx, allUsers)
+
+ isAllUsersAllowed = allowed
+ return err
+ })
+
+ if err := group.Wait(); err != nil {
+ logrus.WithError(err).Errorf("failed to execute authorize query")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if isAllowed || isAllUsersAllowed {
+ return &empty.Empty{}, nil
+ }
+
+ return nil, status.New(codes.PermissionDenied, "permission denied").Err()
+}
+
+func (s *AccessControlServerImpl) testIamPolicy(ctx context.Context, m map[string]string) (bool, error) {
+ resp, err := s.cli.NewReadOnlyTxn().QueryWithVars(ctx, queryAuthorize, m)
+ if err != nil {
+ return false, err
+ }
+
+ payload := new(struct {
+ Ok []json.RawMessage `json:"ok"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &payload); err != nil {
+ return false, err
+ }
+
+ if len(payload.Ok) == 0 {
+ return false, nil
+ }
+
+ return true, nil
+}
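Review bot: In `TestIamPolicy` the local `allUsers := map[string]string{` shadows the identifier it reads on its own right-hand side (`"$principal": allUsers`, presumably a package-level constant declared outside this hunk), which compiles but makes the allow/deny path harder to audit. Rename the map, e.g. `allUsersVars := map[string]string{` and `s.testIamPolicy(ctx, allUsersVars)`. The doc comment also promises an "Unauthorized (403)" error while the code returns `codes.PermissionDenied`, and it should start with the method name: `// TestIamPolicy reports whether the principal holds the permission on the resource and returns PermissionDenied when it does not.` It would help to state there that a backend failure is reported as `codes.Internal`, so callers must treat every non-nil error as a denial.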
diff --git a/pkg/services/authorize_integration_test.go b/pkg/services/authorize_integration_test.go
new file mode 100644
index 0000000..37f475a
--- /dev/null
+++ b/pkg/services/authorize_integration_test.go
@@ -0,0 +1,350 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationAuthorize(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Anonymous = "user:anonymous" + + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + User1 = &grbac.Subject{ + Name: "users/user-1." + uuid.New().String(), + } + User2 = &grbac.Subject{ + Name: "users/user-2." + uuid.New().String(), + } + UserNotFound = &grbac.Subject{ + Name: "users/user-?." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + ServiceAccount1 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-1." + uuid.New().String(), + } + ServiceAccount2 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-2." + uuid.New().String(), + } + ServiceAccountNotFound = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-?." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." 
+ uuid.New().String(), + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + Group1 = &grbac.Group{ + Name: "groups/group-1." + uuid.New().String(), + Members: []string{ + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount1.Name), + }, + } + + PermissionGet = &grbac.Permission{ + Name: "permissions/grbac.test.get", + } + PermissionCreate = &grbac.Permission{ + Name: "permissions/grbac.test.create", + } + PermissionDelete = &grbac.Permission{ + Name: "permissions/grbac.test.delete", + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + RoleAdmin = &grbac.Role{ + Name: "roles/grbac.admin", + Permissions: []string{ + toPermissionId(PermissionGet.Name), + toPermissionId(PermissionCreate.Name), + toPermissionId(PermissionDelete.Name), + }, + } + RoleEditor = &grbac.Role{ + Name: "roles/grbac.editor", + Permissions: []string{ + toPermissionId(PermissionGet.Name), + toPermissionId(PermissionCreate.Name), + }, + } + RoleViewer = &grbac.Role{ + Name: "roles/grbac.viewer", + Permissions: []string{ + toPermissionId(PermissionGet.Name), + }, + } + + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(), + Parent: Resource0.Name, + } + Resource2 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-2." + uuid.New().String(), + Parent: "@animeshon", + } + ResourceNotFound = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-?." 
+ uuid.New().String(), + Parent: "@animeshon", + } + + Policy0 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: RoleEditor.Name, + Members: []string{ + toGroupMember(Group0.Name), + }, + }, + }, + } + Policy1 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: RoleAdmin.Name, + Members: []string{ + toGroupMember(Group0.Name), + }, + }, + { + Role: RoleEditor.Name, + Members: []string{ + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount1.Name), + }, + }, + { + Role: RoleViewer.Name, + Members: []string{ + "allUsers", + }, + }, + }, + } + Policy2 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: RoleViewer.Name, + Members: []string{ + toGroupMember(Group0.Name), + toGroupMember(Group1.Name), + }, + }, + }, + } + ) + + // Create new random resources. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1}) + require.NoError(t, err) + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource2}) + require.NoError(t, err) + + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionGet}) + require.NoError(t, err) + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionCreate}) + require.NoError(t, err) + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionDelete}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleAdmin}) + require.NoError(t, err) + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleEditor}) + require.NoError(t, err) + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleViewer}) + require.NoError(t, err) + + _, err = 
server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User1}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User2}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount1}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount2}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1}) + require.NoError(t, err) + + // Set IAM polices to resources. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource0.Name, Policy: Policy0}) + require.NoError(t, err) + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource1.Name, Policy: Policy1}) + require.NoError(t, err) + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource2.Name, Policy: Policy2}) + require.NoError(t, err) + + type T struct { + object string + subject string + relation string + allowed bool + } + + for _, i := range []*T{ + // Test: authorization rule on non-existing resource should return permission denied. + {ResourceNotFound.Name, User0.Name, PermissionGet.Name, false}, + {ResourceNotFound.Name, Anonymous, PermissionGet.Name, false}, + + // Test: authorization rule on non-existing permission should return permission denied. 
+ {Resource0.Name, User0.Name, PermissionNotFound.Name, false}, + {Resource0.Name, Anonymous, PermissionNotFound.Name, false}, + + // Test: only members of group-0 should be granted "grbac.test.create" permission on resource-0. + {Resource0.Name, User0.Name, PermissionCreate.Name, true}, + {Resource0.Name, ServiceAccount0.Name, PermissionCreate.Name, true}, + + {Resource0.Name, User1.Name, PermissionCreate.Name, false}, + {Resource0.Name, User2.Name, PermissionCreate.Name, false}, + {Resource0.Name, UserNotFound.Name, PermissionCreate.Name, false}, + {Resource0.Name, ServiceAccount1.Name, PermissionCreate.Name, false}, + {Resource0.Name, ServiceAccount2.Name, PermissionCreate.Name, false}, + {Resource0.Name, ServiceAccountNotFound.Name, PermissionCreate.Name, false}, + {Resource0.Name, Anonymous, PermissionCreate.Name, false}, + + // Test: only members of group-0 should be granted "grbac.test.get" permission on resource-0. + {Resource0.Name, User0.Name, PermissionGet.Name, true}, + {Resource0.Name, ServiceAccount0.Name, PermissionGet.Name, true}, + + {Resource0.Name, User1.Name, PermissionGet.Name, false}, + {Resource0.Name, User2.Name, PermissionGet.Name, false}, + {Resource0.Name, UserNotFound.Name, PermissionGet.Name, false}, + {Resource0.Name, ServiceAccount1.Name, PermissionGet.Name, false}, + {Resource0.Name, ServiceAccount2.Name, PermissionGet.Name, false}, + {Resource0.Name, ServiceAccountNotFound.Name, PermissionGet.Name, false}, + {Resource0.Name, Anonymous, PermissionGet.Name, false}, + + // Test: nobody should be granted "grbac.test.delete" permission on resource-0. 
+ {Resource0.Name, User0.Name, PermissionDelete.Name, false}, + {Resource0.Name, User1.Name, PermissionDelete.Name, false}, + {Resource0.Name, User2.Name, PermissionDelete.Name, false}, + {Resource0.Name, UserNotFound.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccount0.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccount1.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccount2.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccountNotFound.Name, PermissionDelete.Name, false}, + {Resource0.Name, Anonymous, PermissionDelete.Name, false}, + + // Test: all users should be granted "grbac.test.get" permission on resource-1. + {Resource1.Name, User0.Name, PermissionGet.Name, true}, + {Resource1.Name, User1.Name, PermissionGet.Name, true}, + {Resource1.Name, User2.Name, PermissionGet.Name, true}, + {Resource1.Name, UserNotFound.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccount0.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccount1.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccount2.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccountNotFound.Name, PermissionGet.Name, true}, + {Resource1.Name, Anonymous, PermissionGet.Name, true}, + + // Test: only members of group-0 should be granted "grbac.test.delete" permission on resource-1. 
+ {Resource1.Name, User0.Name, PermissionDelete.Name, true}, + {Resource1.Name, ServiceAccount0.Name, PermissionDelete.Name, true}, + + {Resource1.Name, User1.Name, PermissionDelete.Name, false}, + {Resource1.Name, User2.Name, PermissionDelete.Name, false}, + {Resource1.Name, UserNotFound.Name, PermissionDelete.Name, false}, + {Resource1.Name, ServiceAccount1.Name, PermissionDelete.Name, false}, + {Resource1.Name, ServiceAccount2.Name, PermissionDelete.Name, false}, + {Resource1.Name, ServiceAccountNotFound.Name, PermissionDelete.Name, false}, + {Resource1.Name, Anonymous, PermissionDelete.Name, false}, + + // Test: only members of group-0 (inherited) and group-1 should be granted "grbac.test.create" permission on resource-1. + {Resource1.Name, User0.Name, PermissionCreate.Name, true}, + {Resource1.Name, User1.Name, PermissionCreate.Name, true}, + {Resource1.Name, ServiceAccount0.Name, PermissionCreate.Name, true}, + {Resource1.Name, ServiceAccount1.Name, PermissionCreate.Name, true}, + + {Resource1.Name, User2.Name, PermissionCreate.Name, false}, + {Resource1.Name, ServiceAccount2.Name, PermissionCreate.Name, false}, + {Resource1.Name, Anonymous, PermissionCreate.Name, false}, + + // Test: only members of group-0 and group-1 should be granted "grbac.test.get" permission on resource-2. 
+ {Resource2.Name, User0.Name, PermissionGet.Name, true}, + {Resource2.Name, User1.Name, PermissionGet.Name, true}, + {Resource2.Name, ServiceAccount0.Name, PermissionGet.Name, true}, + {Resource2.Name, ServiceAccount1.Name, PermissionGet.Name, true}, + + {Resource2.Name, User2.Name, PermissionGet.Name, false}, + {Resource2.Name, ServiceAccount2.Name, PermissionGet.Name, false}, + {Resource2.Name, Anonymous, PermissionGet.Name, false}, + } { + subject := i.subject + if isUser(i.subject) { + subject = toUserMember(i.subject) + } else if isServiceAccount(i.subject) { + subject = toServiceAccountMember(i.subject) + } + _, err = server.TestIamPolicy(context.TODO(), &grbac.TestIamPolicyRequest{ + AccessTuple: &grbac.AccessTuple{ + FullResourceName: i.object, + Principal: subject, + Permission: toPermissionId(i.relation), + }, + }) + + if i.allowed { + assert.NoError(t, err, "[%s:%s:%s]", i.object, i.relation, i.subject) + } else { + assert.Error(t, err, "[%s:%s:%s]", i.object, i.relation, i.subject) + if err != nil { + assert.Equal(t, codes.PermissionDenied, status.Code(err), "[%s:%s:%s]", i.object, i.relation, i.subject) + } + } + } +} diff --git a/pkg/services/authorizer_service.go b/pkg/services/authorizer_service.go new file mode 100644 index 0000000..4b337cc --- /dev/null +++ b/pkg/services/authorizer_service.go 
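Review bot: The fixture in `TestIntegrationAuthorize` gives resources, subjects and groups a UUID suffix but creates `roles/grbac.admin`, `roles/grbac.editor`, `roles/grbac.viewer` and the three fixed `permissions/grbac.test.*` entries under constant names. A second run against the same Dgraph instance will therefore likely stop at `require.NoError` if the create handlers reject existing names (their implementation is outside this hunk). Suffix those names the same way or remove the fixtures in a `t.Cleanup`. The table also never exercises the `InvalidArgument` branch of `validateTestIamPolicy`; a few rows with a principal that is neither a user nor a service-account member, asserting `codes.InvalidArgument`, would pin that only those two principal kinds can be tested.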
@@ -0,0 +1,118 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "google.golang.org/grpc"
+)
+
+type AccessControlServerConfig struct {
+ DgraphHostname string
+}
+
+// NewAccessControlServer returns a new instance of AccessControl server.
+func NewAccessControlServer(cfg *AccessControlServerConfig) (grbac.AccessControlServer, error) {
+ connection, err := grpc.Dial(cfg.DgraphHostname, grpc.WithInsecure())
+ if err != nil {
+ return nil, err
+ }
+
+ return &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(connection)),
+ conn: connection,
+ }, nil
+}
+
+type AccessControlServerImpl struct {
+ cli *dgo.Dgraph
+ conn *grpc.ClientConn
+}
+
+func (s *AccessControlServerImpl) Close() error {
+ return s.conn.Close()
+}
+
+func (s *AccessControlServerImpl) delete(ctx context.Context, txn *dgo.Txn, queryTmpl, mutationTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ mutation, err := ExecuteTemplate(mutationTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{DelNquads: mutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (s *AccessControlServerImpl) create(ctx context.Context, txn *dgo.Txn, queryTmpl, mutationTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ mutation, err := ExecuteTemplate(mutationTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{SetNquads: mutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (s *AccessControlServerImpl) update(ctx context.Context, txn *dgo.Txn, queryTmpl, setTmpl, deleteTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ setMutation, err := ExecuteTemplate(setTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ deleteMutation, err := ExecuteTemplate(deleteTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{DelNquads: deleteMutation}, {SetNquads: setMutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/pkg/services/data/authorize.query.dql b/pkg/services/data/authorize.query.dql
new file mode 100644
index 0000000..57c5a6f
--- /dev/null
+++ b/pkg/services/data/authorize.query.dql
@@ -0,0 +1,17 @@
+query queryAuthorize($principal: string, $resource: string, $permission: string) {
+ var(func: eq(Subject.name, $principal)) { subject as uid }
+ var(func: eq(Resource.name, $resource)) { object as uid }
+ var(func: eq(Permission.name, $permission)) { ~Role.permissions { roles as uid } }
+
+ path as shortest(from: uid(object), to: uid(subject)) {
+ Resource.parent
+ Resource.policy
+ Policy.bindings @filter(uid_in(Binding.role, uid(roles)))
+ Group.members
+ Binding.members
+ }
+
+ ok(func: uid(path), first:1) {
+ uid
+ }
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.create.mutation.go.tmpl b/pkg/services/data/groups/groups.create.mutation.go.tmpl
new file mode 100644
index 0000000..22ba4bd
--- /dev/null
+++ b/pkg/services/data/groups/groups.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(group) "Group" .
+uid(group) "{{ .Group.Name }}" .
+uid(group) "{{ .ETag }}" .
+
+{{- range .Group.Members }}
+uid(group) uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
\ No newline at end of file
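Review bot: `NewAccessControlServer` in pkg/services/authorizer_service.go dials Dgraph with `grpc.WithInsecure()` unconditionally, so every policy read and write between this service and its store travels in plaintext with no server authentication. For an authorization backend that should be an explicit opt-out: add transport settings to `AccessControlServerConfig` (it currently holds only `DgraphHostname`) and pass `grpc.WithTransportCredentials(...)` built from them, keeping the insecure dial for local development. `cfg` is also dereferenced without a nil check.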
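Review bot: In pkg/services/data/groups/groups.create.mutation.go.tmpl, `"{{ .Group.Name }}"` is rendered by `text/template` (imported in pkg/services/authorizer_service.go), which does no escaping, so a name containing `"` or a newline would end the literal and add its own N-Quads or query clauses to the upsert. The same pattern recurs in the other query, mutation and set templates of this commit (`.Resource.Name`, `.Role.Name`, `.Subject.Name`, `.Permission.Name`, `.Resource`, `.Role` and the `To*Name` helpers). Unless the request validators, which are outside this part of the diff, already restrict names to a safe character set, reject such characters before rendering or pass each value through a quoting helper registered in the template FuncMap, e.g. `"{{ Escape .Group.Name }}"`, where `Escape` is a helper that would have to be added. The read paths in pkg/graph already avoid this by binding `$name` through `QueryWithVars`.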
diff --git a/pkg/services/data/groups/groups.create.query.go.tmpl b/pkg/services/data/groups/groups.create.query.go.tmpl
new file mode 100644
index 0000000..6bafe05
--- /dev/null
+++ b/pkg/services/data/groups/groups.create.query.go.tmpl
@@ -0,0 +1,15 @@
+query {
+ var(func: eq(Group.name, "{{ .Group.Name }}")) { group as uid }
+
+ {{- range .Group.Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.delete.mutation.go.tmpl b/pkg/services/data/groups/groups.delete.mutation.go.tmpl
new file mode 100644
index 0000000..a2a14ae
--- /dev/null
+++ b/pkg/services/data/groups/groups.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(group) * * .
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.delete.query.go.tmpl b/pkg/services/data/groups/groups.delete.query.go.tmpl
new file mode 100644
index 0000000..88708c7
--- /dev/null
+++ b/pkg/services/data/groups/groups.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Group.name, "{{ .Name }}")) { group as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.delete.go.tmpl b/pkg/services/data/groups/groups.update.delete.go.tmpl
new file mode 100644
index 0000000..24539e9
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.delete.go.tmpl
@@ -0,0 +1,5 @@
+uid(group) * .
+
+{{- if call .FieldMask "group.members" }}
+uid(group) * .
+{{- end }} {{/* if FieldMask "group.members" */}}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.query.go.tmpl b/pkg/services/data/groups/groups.update.query.go.tmpl
new file mode 100644
index 0000000..fb25ddd
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.query.go.tmpl
@@ -0,0 +1,17 @@
+query {
+ var(func: eq(Group.name, "{{ .Group.Name }}")) { group as uid }
+
+ {{- if call .FieldMask "group.members" }}
+ {{- range .Group.Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+ {{- end }} {{/* if FieldMask "group.members" */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.set.go.tmpl b/pkg/services/data/groups/groups.update.set.go.tmpl
new file mode 100644
index 0000000..15fba4a
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.set.go.tmpl
@@ -0,0 +1,7 @@
+uid(group) "{{ .ETag }}" .
+
+{{- if call .FieldMask "group.members" }}
+{{- range .Group.Members }}
+uid(group) uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
+{{- end }} {{/* if FieldMask "group.members" */}}
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.create.mutation.go.tmpl b/pkg/services/data/permissions/permissions.create.mutation.go.tmpl
new file mode 100644
index 0000000..a18fbf8
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.create.mutation.go.tmpl
@@ -0,0 +1,2 @@
+uid(permission) "Permission" .
+uid(permission) "{{ .Permission.Name }}" .
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.create.query.go.tmpl b/pkg/services/data/permissions/permissions.create.query.go.tmpl
new file mode 100644
index 0000000..1b857ed
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.create.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Permission.name, "{{ .Permission.Name }}")) { permission as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl b/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl
new file mode 100644
index 0000000..e74de71
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(permission) * * .
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.delete.query.go.tmpl b/pkg/services/data/permissions/permissions.delete.query.go.tmpl
new file mode 100644
index 0000000..d32fefc
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Permission.name, "{{ .Name }}")) { permission as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.delete.go.tmpl b/pkg/services/data/policies/policies.update.delete.go.tmpl
new file mode 100644
index 0000000..b84ecf6
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.delete.go.tmpl
@@ -0,0 +1,5 @@
+uid(policy) * .
+uid(policy) * .
+uid(policy) * .
+
+uid(bindings) * * .
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.query.go.tmpl b/pkg/services/data/policies/policies.update.query.go.tmpl
new file mode 100644
index 0000000..6ab198c
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.query.go.tmpl
@@ -0,0 +1,23 @@
+query {
+ resource as var(func: eq(Resource.name, "{{ .Resource }}")) {
+ policy as Resource.policy {
+ bindings as Policy.bindings
+ }
+ }
+
+ {{- range .Policy.Bindings }}
+ var(func: eq(Role.name, "{{ .Role }}")) { role_{{ AlphaNumVar .Role }} as uid }
+
+ {{- range .Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+ {{- end }} {{/* range .Bindings */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.set.go.tmpl b/pkg/services/data/policies/policies.update.set.go.tmpl
new file mode 100644
index 0000000..f675e25
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.set.go.tmpl
@@ -0,0 +1,17 @@
+uid(resource) uid(policy) .
+
+uid(policy) "Policy" .
+uid(policy) "{{ .ETag }}" .
+uid(policy) "{{ .Policy.Version }}" .
+
+{{- range .Policy.Bindings }}
+uid(policy) _:binding_{{ AlphaNumVar .Role }} .
+
+_:binding_{{ AlphaNumVar .Role }} "Binding" ..
+_:binding_{{ AlphaNumVar .Role }} uid(role_{{ AlphaNumVar .Role }}) .
+
+{{- $binding := . }}
+{{- range .Members }}
+_:binding_{{ AlphaNumVar $binding.Role }} uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
+{{- end }} {{/* range .Bindings */}}
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.create.mutation.go.tmpl b/pkg/services/data/resources/resources.create.mutation.go.tmpl
new file mode 100644
index 0000000..ebc5a09
--- /dev/null
+++ b/pkg/services/data/resources/resources.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(resource) "Resource" .
+uid(resource) "{{ .Resource.Name }}" .
+uid(resource) "{{ .ETag }}" .
+
+{{- with .Resource.Parent }}
+uid(resource) uid(parent) .
+{{- end }} {{/* with .Resource.Parent */}}
diff --git a/pkg/services/data/resources/resources.create.query.go.tmpl b/pkg/services/data/resources/resources.create.query.go.tmpl
new file mode 100644
index 0000000..292fa30
--- /dev/null
+++ b/pkg/services/data/resources/resources.create.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ var(func: eq(Resource.name, "{{ .Resource.Name }}")) { resource as uid }
+
+ {{- with .Resource.Parent }}
+ var(func: eq(Resource.name, "{{ . }}")) { parent as uid }
+ {{- end }} {{/* with .Resource.Parent */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.delete.mutation.go.tmpl b/pkg/services/data/resources/resources.delete.mutation.go.tmpl
new file mode 100644
index 0000000..780e9ea
--- /dev/null
+++ b/pkg/services/data/resources/resources.delete.mutation.go.tmpl
@@ -0,0 +1,3 @@
+uid(resource) * * .
+uid(policy) * * .
+uid(bindings) * * .
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.delete.query.go.tmpl b/pkg/services/data/resources/resources.delete.query.go.tmpl
new file mode 100644
index 0000000..5a6b0ed
--- /dev/null
+++ b/pkg/services/data/resources/resources.delete.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ resource as var(func: eq(Resource.name, "{{ .Name }}")) {
+ policy as Resource.policy {
+ bindings as Policy.bindings
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.create.mutation.go.tmpl b/pkg/services/data/roles/roles.create.mutation.go.tmpl
new file mode 100644
index 0000000..fab2cff
--- /dev/null
+++ b/pkg/services/data/roles/roles.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(role) "Role" .
+uid(role) "{{ .Role.Name }}" .
+uid(role) "{{ .ETag }}" .
+
+{{- range .Role.Permissions }}
+uid(role) uid(permission_{{ AlphaNumVar . }}) .
+{{- end }}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.create.query.go.tmpl b/pkg/services/data/roles/roles.create.query.go.tmpl
new file mode 100644
index 0000000..16e1b7a
--- /dev/null
+++ b/pkg/services/data/roles/roles.create.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ var(func: eq(Role.name, "{{ .Role.Name }}")) { role as uid }
+
+ {{- range .Role.Permissions }}
+ var(func: eq(Permission.name, "{{ ToPermissionName . }}")) { permission_{{ AlphaNumVar . }} as uid }
+ {{- end }}
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.delete.mutation.go.tmpl b/pkg/services/data/roles/roles.delete.mutation.go.tmpl
new file mode 100644
index 0000000..763512c
--- /dev/null
+++ b/pkg/services/data/roles/roles.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(role) * * .
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.delete.query.go.tmpl b/pkg/services/data/roles/roles.delete.query.go.tmpl
new file mode 100644
index 0000000..6f043e3
--- /dev/null
+++ b/pkg/services/data/roles/roles.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Role.name, "{{ .Name }}")) { role as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.delete.go.tmpl b/pkg/services/data/roles/roles.update.delete.go.tmpl
new file mode 100644
index 0000000..ef3cda7
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.delete.go.tmpl
@@ -0,0 +1,3 @@
+{{- if call .FieldMask "role.permissions" }}
+uid(role) * .
+{{- end }} {{/* if FieldMask "role.permissions" */}}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.query.go.tmpl b/pkg/services/data/roles/roles.update.query.go.tmpl
new file mode 100644
index 0000000..e759354
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.query.go.tmpl
@@ -0,0 +1,9 @@
+query {
+ var(func: eq(Role.name, "{{ .Role.Name }}")) { role as uid }
+
+ {{- if call .FieldMask "role.permissions" }}
+ {{- range .Role.Permissions }}
+ var(func: eq(Permission.name, "{{ ToPermissionName . }}")) { permission_{{ AlphaNumVar . }} as uid }
+ {{- end }}
+ {{- end }} {{/* if FieldMask "role.permissions" */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.set.go.tmpl b/pkg/services/data/roles/roles.update.set.go.tmpl
new file mode 100644
index 0000000..1dda6af
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.set.go.tmpl
@@ -0,0 +1,8 @@
+
+uid(role) "{{ .ETag }}" .
+
+{{- if call .FieldMask "role.permissions" }}
+{{- range .Role.Permissions }}
+uid(role) uid(permission_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Permissions */}}
+{{- end }} {{/* if FieldMask "role.permissions" */}}
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.create.mutation.go.tmpl b/pkg/services/data/subjects/subjects.create.mutation.go.tmpl
new file mode 100644
index 0000000..998a98c
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.create.mutation.go.tmpl
@@ -0,0 +1,2 @@
+uid(subject) "Subject" .
+uid(subject) "{{ .Subject.Name }}" .
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.create.query.go.tmpl b/pkg/services/data/subjects/subjects.create.query.go.tmpl
new file mode 100644
index 0000000..b958a94
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.create.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "{{ .Subject.Name }}")) { subject as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl b/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl
new file mode 100644
index 0000000..26c75d9
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(subject) * * .
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.delete.query.go.tmpl b/pkg/services/data/subjects/subjects.delete.query.go.tmpl
new file mode 100644
index 0000000..0bcad12
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "{{ .Name }}")) { subject as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/groups.go b/pkg/services/groups.go
new file mode 100644
index 0000000..ea56383
--- /dev/null
+++ b/pkg/services/groups.go
@@ -0,0 +1,110 @@ +package services + +import ( + "strings" + + "github.com/grbac/grbac/pkg/graph" +) + +type MemberError struct { + member string + field string + err string +} + +func (e *MemberError) Error() string { + return e.member + ": " + e.field + ": " + e.err +} + +func members(members []graph.Member) ([]string, error) { + var list []string + for _, member := range members { + if len(member.Group) != 0 { + if isGroup(member.Group) { + list = append(list, toGroupMember(member.Group)) + continue + } + + return nil, &MemberError{ + member: member.Group, + field: "Group", + err: "invalid member type", + } + } + + if len(member.Subject) != 0 { + if isAllUsers(member.Subject) { + list = append(list, "allUsers") + continue + } + + if isServiceAccount(member.Subject) { + list = append(list, toServiceAccountMember(member.Subject)) + continue + } + + if isUser(member.Subject) { + list = append(list, toUserMember(member.Subject)) + continue + } + + return nil, &MemberError{ + member: member.Subject, + field: "Subject", + err: "invalid member type", + } + } + + return nil, &MemberError{ + member: "", + field: "", + err: "member is not set", + } + } + + return list, nil +} + +func isUserMember(name string) bool { + return strings.HasPrefix(name, "user:") +} + +func isServiceAccountMember(name string) bool { + return strings.HasPrefix(name, "serviceAccount:") +} + +func isGroupMember(name string) bool { + return strings.HasPrefix(name, "group:") +} + +func isAllUsersMember(name string) bool { + return name == "allUsers" +} + +func isGroup(name string) bool { + return strings.HasPrefix(name, "groups/") +} + +func toUserName(name string) string { + return "users/" + strings.TrimPrefix(name, "user:") +} + +func toServiceAccountName(name string) string { + return "serviceAccounts/" + strings.TrimPrefix(name, "serviceAccount:") +} + +func toGroupName(name string) string { + return "groups/" + strings.TrimPrefix(name, "group:") +} + +func toUserMember(name string) string { + 
return "user:" + strings.TrimPrefix(name, "users/") +} + +func toServiceAccountMember(name string) string { + return "serviceAccount:" + strings.TrimPrefix(name, "serviceAccounts/") +} + +func toGroupMember(name string) string { + return "group:" + strings.TrimPrefix(name, "groups/") +} diff --git a/pkg/services/groups_create.go b/pkg/services/groups_create.go new file mode 100644 index 0000000..b5917df --- /dev/null +++ b/pkg/services/groups_create.go 
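Review bot: `isGroup` accepts any string that starts with `groups/`, including the bare prefix with an empty identifier and names containing quotes, whitespace or control characters, and it is the only format check the group validators in this patch apply to a name. Tighten it at least to `return len(name) > len("groups/") && strings.HasPrefix(name, "groups/")`, and add an allow-list for the identifier part if the project defines which characters a resource name may contain. The `to*Name` and `to*Member` helpers rely on `strings.TrimPrefix`, which returns its input unchanged when the prefix is absent, so each deserves a doc comment stating the precondition, e.g. `// toGroupName converts a "group:<id>" member to "groups/<id>"; the caller must have checked isGroupMember.`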
@@ -0,0 +1,120 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/groups/groups.create.query.go.tmpl +var queryCreateGroup string + +//go:embed data/groups/groups.create.mutation.go.tmpl +var mutationCreateGroup string + +var templateQueryCreateGroup = template.Must( + template.New("QueryCreateGroup").Funcs(defaultFuncMap).Parse(queryCreateGroup), +) + +var templateMutationCreateGroup = template.Must( + template.New("MutationCreateGroup").Funcs(defaultFuncMap).Parse(mutationCreateGroup), +) + +func (s *AccessControlServerImpl) validateCreateGroup(ctx context.Context, txn *dgo.Txn, req *grbac.CreateGroupRequest) error { + // A group must be defined. + if req.Group == nil { + return status.New(codes.InvalidArgument, "invalid argument {group not defined}").Err() + } + + // The group name must be defined. + if len(req.Group.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Group.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + // The members must all exist and must have a valid type. + for _, m := range req.Group.Members { + memberFound, err := false, error(nil) + if isGroupMember(m) { + // TODO: should groups be allowed to include other groups? + // TODO: if yes, a maximum path distance should be set to avoid too heavy queries. 
+ memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m)) + } else if isUserMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m)) + } else if isServiceAccountMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m)) + } else if isAllUsersMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, allUsers) + } else { + return status.New(codes.InvalidArgument, "invalid argument {invalid member type}").Err() + } + + if err != nil { + logrus.WithError(err).Errorf("CreateGroup: failed to query group members") + return status.New(codes.Internal, "internal error").Err() + } + + if !memberFound { + return status.New(codes.FailedPrecondition, "failed precondition {member does not exist}").Err() + } + } + + // The group must be new to avoid race conditions. + groupFound, err := graph.ExistsGroup(ctx, txn, req.Group.Name) + if err != nil { + logrus.WithError(err).Errorf("CreateGroup: failed to query group") + return status.New(codes.Internal, "internal error").Err() + } + + if groupFound { + return status.New(codes.AlreadyExists, "conflict").Err() + } + + return nil +} + +// CreateGroup creates a new group. +func (s *AccessControlServerImpl) CreateGroup(ctx context.Context, req *grbac.CreateGroupRequest) (*grbac.Group, error) { + txn := s.cli.NewTxn() + if err := s.validateCreateGroup(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. 
+ etag := []byte("TODO") + + data := struct { + Group *grbac.Group + ETag string + }{ + Group: req.GetGroup(), + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.create(ctx, txn, templateQueryCreateGroup, templateMutationCreateGroup, data); err != nil { + logrus.WithError(err).Errorf("CreateGroup: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + group := &grbac.Group{ + Name: req.Group.Name, + Members: req.Group.Members, + Etag: etag, + } + + return group, nil +} diff --git a/pkg/services/groups_delete.go b/pkg/services/groups_delete.go new file mode 100644 index 0000000..f11d6cf --- /dev/null +++ b/pkg/services/groups_delete.go 
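Review bot: `CreateGroup` opens a transaction with `s.cli.NewTxn()` and returns on a validation error without releasing it; add `defer txn.Discard(ctx)` directly after `NewTxn()` (dgo documents Discard as a no-op once the transaction has been committed). Whether `s.create` commits or discards on its own paths is not visible in this hunk, so the defer is the safe default either way. `DeleteGroup`, `UpdateGroup`, `GetGroup` and `GetIamPolicy` in this patch have the same shape.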
@@ -0,0 +1,77 @@ +package services + +import ( + "context" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + empty "google.golang.org/protobuf/types/known/emptypb" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/groups/groups.delete.query.go.tmpl +var queryDeleteGroup string + +//go:embed data/groups/groups.delete.mutation.go.tmpl +var mutationDeleteGroup string + +var templateQueryDeleteGroup = template.Must( + template.New("QueryDeleteGroup").Funcs(defaultFuncMap).Parse(queryDeleteGroup), +) + +var templateMutationDeleteGroup = template.Must( + template.New("MutationDeleteGroup").Funcs(defaultFuncMap).Parse(mutationDeleteGroup), +) + +func (s *AccessControlServerImpl) validateDeleteGroup(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteGroupRequest) error { + // The group name must be defined. + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + // The group must exist. + groupFound, err := graph.ExistsGroup(ctx, txn, req.Name) + if err != nil { + logrus.WithError(err).Errorf("DeleteGroup: failed to query group") + return status.New(codes.Internal, "internal error").Err() + } + + if !groupFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// DeleteGroup deletes a group. 
+func (s *AccessControlServerImpl) DeleteGroup(ctx context.Context, req *grbac.DeleteGroupRequest) (*empty.Empty, error) { + txn := s.cli.NewTxn() + if err := s.validateDeleteGroup(ctx, txn, req); err != nil { + return nil, err + } + + data := struct { + Name string + }{ + Name: req.GetName(), + } + + if err := s.delete(ctx, txn, templateQueryDeleteGroup, templateMutationDeleteGroup, data); err != nil { + logrus.WithError(err).Errorf("DeleteGroup: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + return &empty.Empty{}, nil +} diff --git a/pkg/services/groups_get.go b/pkg/services/groups_get.go new file mode 100644 index 0000000..672b38f --- /dev/null +++ b/pkg/services/groups_get.go 
@@ -0,0 +1,63 @@ +package services + +import ( + "context" + "encoding/base64" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func (s *AccessControlServerImpl) validateGetGroup(ctx context.Context, txn *dgo.Txn, req *grbac.GetGroupRequest) error { + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + return nil +} + +// GetGroup returns a group. +func (s *AccessControlServerImpl) GetGroup(ctx context.Context, req *grbac.GetGroupRequest) (*grbac.Group, error) { + txn := s.cli.NewReadOnlyTxn() + if err := s.validateGetGroup(ctx, txn, req); err != nil { + return nil, err + } + + resp, err := graph.GetGroup(ctx, txn, req.GetName()) + if err != nil { + logrus.WithError(err).Errorf("failed to get group [%s]", req.GetName()) + return nil, status.New(codes.Internal, "internal error").Err() + } + + if resp == nil { + return nil, status.New(codes.NotFound, "not found").Err() + } + + group := &grbac.Group{ + Name: resp.Name, + } + + group.Etag, err = base64.StdEncoding.DecodeString(resp.ETag) + if err != nil { + logrus.WithError(err).Errorf("failed to decode resource etag [%s]", req.Name) + return nil, status.New(codes.Internal, "internal error").Err() + } + + group.Members, err = members(resp.Members) + if err != nil { + logrus.WithError(err).Errorf("failed to get group members [%s]", req.Name) + return nil, status.New(codes.Internal, "internal error").Err() + } + + return group, nil +} diff --git a/pkg/services/groups_integration_test.go b/pkg/services/groups_integration_test.go new file mode 100644 index 0000000..319ae16 --- /dev/null 
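Review bot: The etag-decoding failure in `GetGroup` is logged as `failed to decode resource etag` although the object is a group, which will mislead whoever reads the log. The log calls also format the caller-supplied name into the message with `%s`; a structured field keeps it apart from the message text: `logrus.WithError(err).WithField("group", req.GetName()).Error("failed to decode group etag")`. `validateGetGroup` accepts `txn` but never uses it.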
+++ b/pkg/services/groups_integration_test.go 
@@ -0,0 +1,383 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/fieldmaskpb" +) + +func TestIntegrationGroupCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + User1 = &grbac.Subject{ + Name: "users/user-1." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + ServiceAccount1 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-1." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." + uuid.New().String(), + Members: []string{ + "allUsers", + toUserMember(User0.Name), + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount0.Name), + toServiceAccountMember(ServiceAccount1.Name), + }, + } + Group1 = &grbac.Group{ + Name: "groups/group-1." + uuid.New().String(), + Members: []string{ + toGroupMember(Group0.Name), + }, + } + Group2 = &grbac.Group{ + Name: "groups/group-2." 
+ uuid.New().String(), + Members: []string{ + "allUsers", + toUserMember(User0.Name), + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount0.Name), + toServiceAccountMember(ServiceAccount1.Name), + toGroupMember(Group0.Name), + }, + } + Group3 = &grbac.Group{ + Name: "groups/group-3." + uuid.New().String(), + Members: []string{}, + } + ) + + // Test: creation with non-existing subjects should fail. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: creation with non-existing groups should fail. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: creation with non-existing mixed members should fail. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group2}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Create new random subjects. + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User1}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount1}) + require.NoError(t, err) + + // Test: creation (subjects only) should not fail. + group0, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + require.NotNil(t, group0) + + assert.Equal(t, Group0.Name, group0.Name) + assert.ElementsMatch(t, Group0.Members, group0.Members) + assert.NotEmpty(t, group0.Etag) + + // Test: creation (groups only) should not fail. 
+ group1, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1}) + require.NoError(t, err) + require.NotNil(t, group1) + + assert.Equal(t, Group1.Name, group1.Name) + assert.ElementsMatch(t, Group1.Members, group1.Members) + assert.NotEmpty(t, group1.Etag) + + // Test: creation (mixed members) should not fail. + group2, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group2}) + require.NoError(t, err) + require.NotNil(t, group2) + + assert.Equal(t, Group2.Name, group2.Name) + assert.ElementsMatch(t, Group2.Members, group2.Members) + assert.NotEmpty(t, group2.Etag) + + // Test: creation (no members) should not fail. + group3, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group3}) + require.NoError(t, err) + require.NotNil(t, group3) + + assert.Equal(t, Group3.Name, group3.Name) + assert.Empty(t, group3.Members) + assert.NotEmpty(t, group3.Etag) + + // Test: creation of duplicate group should fail with already exists. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) + + // Test: get group (mixed members) should return the same group created. + group, err := server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group2.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group2.Name, group.Name) + assert.ElementsMatch(t, Group2.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + // Test: get group (no members) should return the same group created. 
+ group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group3.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group3.Name, group.Name) + assert.Empty(t, group.Members) + assert.NotEmpty(t, group.Etag) +} + +func TestIntegrationGroupDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." + uuid.New().String(), + Members: []string{ + "allUsers", + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + GroupNotFound = &grbac.Group{ + Name: "groups/group-?." + uuid.New().String(), + } + ) + + // Create new random group and subjects. + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + + // Test: deletion of existing resource with no children should not fail. + empty, err := server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: Group0.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + // Test: get resource should return 'not found' after deletion. 
+ _, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of already deleted resource should fail. + _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: Group0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing resource should fail. + _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: GroupNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} + +func TestIntegrationGroupUpdate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + UserNotFound = &grbac.Subject{ + Name: "users/user-?." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + ServiceAccountNotFound = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-?." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." + uuid.New().String(), + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + GroupNotFound = &grbac.Group{ + Name: "groups/group-?." + uuid.New().String(), + } + ) + + // Create new random group and subjects. 
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + + // Test: update (add existing subjects) should not fail. + Group0.Members = append(Group0.Members, + "allUsers", + ) + + group, err := server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + // Test: update (add non-existing subjects) should fail. + Group0.Members = append(Group0.Members, + toUserMember(UserNotFound.Name), + toServiceAccountMember(ServiceAccountNotFound.Name), + ) + + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update (remove subjects) should not fail. 
+ Group0.Members = nil + group, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + // Test: update with mutable field mask should not fail. + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{ + Group: Group0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"group", "group.members"}, + }}) + require.NoError(t, err) + + // Test: update with immutable field mask should fail. + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{ + Group: Group0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"group.name"}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update with invalid field mask should fail. + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{ + Group: Group0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{""}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update of a self-referencing group should fail. + Group0.Members = []string{Group0.Name} + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update of non-existing resource should fail. + _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: GroupNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} 
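Review bot: The self-reference case sets `Group0.Members = []string{Group0.Name}`, which is a `groups/...` resource name rather than a `group:...` member string, so `validateUpdateGroup` rejects it as an invalid member type and the self-containing check is never reached; both paths return InvalidArgument, so the test passes without covering the guard. Use `Group0.Members = []string{toGroupMember(Group0.Name)}`. The final case is labelled as an update of a non-existing resource but calls `DeleteGroup`; it should be `server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: GroupNotFound})`.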
diff --git a/pkg/services/groups_members_add.go b/pkg/services/groups_members_add.go new file mode 100644 index 0000000..2f9f923 --- /dev/null +++ b/pkg/services/groups_members_add.go @@ -0,0 +1,15 @@ +package services + +import ( + "context" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +// AddGroupMember adds a member to a group. +func (s *AccessControlServerImpl) AddGroupMember(ctx context.Context, req *grbac.AddGroupMemberRequest) (*grbac.Group, error) { + return nil, status.New(codes.Unimplemented, "unimplemented").Err() +} diff --git a/pkg/services/groups_members_remove.go b/pkg/services/groups_members_remove.go new file mode 100644 index 0000000..10c8480 --- /dev/null +++ b/pkg/services/groups_members_remove.go @@ -0,0 +1,15 @@ +package services + +import ( + "context" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +// RemoveGroupMember removes a member from a group. +func (s *AccessControlServerImpl) RemoveGroupMember(ctx context.Context, req *grbac.RemoveGroupMemberRequest) (*grbac.Group, error) { + return nil, status.New(codes.Unimplemented, "unimplemented").Err() +} diff --git a/pkg/services/groups_update.go b/pkg/services/groups_update.go new file mode 100644 index 0000000..d3352ae --- /dev/null +++ b/pkg/services/groups_update.go 
@@ -0,0 +1,146 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/fieldmask" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/groups/groups.update.query.go.tmpl +var queryUpdateGroup string + +//go:embed data/groups/groups.update.set.go.tmpl +var setUpdateGroup string + +//go:embed data/groups/groups.update.delete.go.tmpl +var deleteUpdateGroup string + +var templateQueryUpdateGroup = template.Must( + template.New("QueryUpdateGroup").Funcs(defaultFuncMap).Parse(queryUpdateGroup), +) + +var templateSetUpdateGroup = template.Must( + template.New("SetUpdateGroup").Funcs(defaultFuncMap).Parse(setUpdateGroup), +) + +var templateDeleteUpdateGroup = template.Must( + template.New("DeleteUpdateGroup").Funcs(defaultFuncMap).Parse(deleteUpdateGroup), +) + +func (s *AccessControlServerImpl) validateUpdateGroup(ctx context.Context, txn *dgo.Txn, req *grbac.UpdateGroupRequest) error { + // A group must be defined. + if req.Group == nil { + return status.New(codes.InvalidArgument, "invalid argument {group not defined}").Err() + } + + // The group name must be defined. + if len(req.Group.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Group.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + // The update field mask must contain valid paths. + for _, path := range req.GetUpdateMask().GetPaths() { + switch path { + case "group", "group.members": + default: + return status.New(codes.InvalidArgument, "invalid argument {invalid field mask}").Err() + } + } + + // The members must all exist and must have a valid type. 
+ for _, m := range req.Group.Members { + memberFound, err := false, error(nil) + if isGroupMember(m) { + if toGroupName(m) == req.Group.Name { + return status.New(codes.InvalidArgument, "invalid argument {self-containing groups are forbidden}").Err() + } + + // TODO: should groups be allowed to include other groups? + // TODO: if yes, a maximum path distance should be set to avoid too heavy queries. + memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m)) + } else if isUserMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m)) + } else if isServiceAccountMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m)) + } else if isAllUsersMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, allUsers) + } else { + return status.New(codes.InvalidArgument, "invalid argument {invalid member type}").Err() + } + + if err != nil { + logrus.WithError(err).Errorf("UpdateGroup: failed to query group members") + return status.New(codes.Internal, "internal error").Err() + } + + if !memberFound { + return status.New(codes.InvalidArgument, "invalid argument {member does not exist}").Err() + } + } + + // The group must exist. + groupFound, err := graph.ExistsGroup(ctx, txn, req.Group.Name) + if err != nil { + logrus.WithError(err).Errorf("UpdateGroup: failed to query group") + return status.New(codes.Internal, "internal error").Err() + } + + if !groupFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// UpdateGroup updates a group with a field mask. +func (s *AccessControlServerImpl) UpdateGroup(ctx context.Context, req *grbac.UpdateGroupRequest) (*grbac.Group, error) { + txn := s.cli.NewTxn() + if err := s.validateUpdateGroup(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. 
+ etag := []byte("TODO") + + fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask()) + + data := struct { + Group *grbac.Group + FieldMask func(string) bool + ETag string + }{ + Group: req.GetGroup(), + FieldMask: fieldmask.Contains, + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.update(ctx, txn, templateQueryUpdateGroup, templateSetUpdateGroup, templateDeleteUpdateGroup, data); err != nil { + logrus.WithError(err).Errorf("UpdateGroup: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + // TODO: merge missing fields (not included in the update mask) with the group in dgraph. + group := &grbac.Group{ + Name: req.Group.Name, + Members: req.Group.Members, + Etag: etag, + } + + return group, nil +} diff --git a/pkg/services/iam_policies_get.go b/pkg/services/iam_policies_get.go new file mode 100644 index 0000000..0cc83ea --- /dev/null +++ b/pkg/services/iam_policies_get.go 
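Review bot: `UpdateGroup` never reads `req.Group.Etag`, and the stored etag is the constant `TODO`, so a client that read the group earlier and writes back a modified member list silently overwrites any membership change made in between. For access-control data that lost update is worth closing; next to the existing etag TODO add `// TODO: reject with codes.Aborted when req.Group.Etag is set and differs from the stored etag.` Separately, `fieldmask := fieldmask.NewFieldMask(...)` shadows the imported package for the rest of the function; `mask := fieldmask.NewFieldMask(req.GetUpdateMask())` with `FieldMask: mask.Contains` avoids that.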
@@ -0,0 +1,80 @@ +package services + +import ( + "context" + "encoding/base64" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func (s *AccessControlServerImpl) validateGetIamPolicy(ctx context.Context, txn *dgo.Txn, req *iam.GetIamPolicyRequest) error { + if len(req.Resource) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err() + } + + // The full resource name must be well formatted. + if !isFullResourceName(req.Resource) { + return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err() + } + + return nil +} + +// Gets the IAM policy that is attached to a generic resource. +func (s *AccessControlServerImpl) GetIamPolicy(ctx context.Context, req *iam.GetIamPolicyRequest) (*iam.Policy, error) { + txn := s.cli.NewReadOnlyTxn() + if err := s.validateGetIamPolicy(ctx, txn, req); err != nil { + return nil, err + } + + // TODO(performance): a new query should be used to query only the resource and its policy. 
+ resp, err := graph.GetResource(ctx, txn, req.GetResource()) + if err != nil { + logrus.WithError(err).Errorf("failed to get resource [%s]", req.GetResource()) + return nil, status.New(codes.Internal, "internal error").Err() + } + + if resp == nil { + return nil, status.New(codes.NotFound, "not found").Err() + } + + if resp.Policy == nil { + return &iam.Policy{}, nil + } + + policy := &iam.Policy{ + Version: resp.Policy.Version, + } + + policy.Etag, err = base64.StdEncoding.DecodeString(resp.Policy.ETag) + if err != nil { + logrus.WithError(err).Errorf("failed to decode policy etag [%s]", req.Resource) + return nil, status.New(codes.Internal, "internal error").Err() + } + + for _, i := range resp.Policy.Bindings { + if i.Role == nil { + logrus.Warningf("found binding with no role in resource [%s]", resp.Name) + continue + } + + binding := &iam.Binding{ + Role: i.Role.Name, + } + + binding.Members, err = members(i.Members) + if err != nil { + logrus.WithError(err).Errorf("failed to get binding members [%s:%s]", req.Resource, i.Role.Name) + return nil, status.New(codes.Internal, "internal error").Err() + } + + policy.Bindings = append(policy.Bindings, binding) + } + + return policy, nil +} diff --git a/pkg/services/iam_policies_integration_test.go b/pkg/services/iam_policies_integration_test.go new file mode 100644 index 0000000..5f51d3e --- /dev/null +++ b/pkg/services/iam_policies_integration_test.go 
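Review bot: GetIamPolicy returns `&iam.Policy{}` (Version 0, empty etag) from the `resp.Policy == nil` branch, but validateSetIamPolicy in this same commit rejects any policy whose Version is not 1. A client that follows the usual get-modify-set sequence on a fresh resource will therefore have its write refused. Returning `return &iam.Policy{Version: 1}, nil` would keep the two calls consistent; the integration test's `require.Empty(t, policy.Version)` would need to change with it. Separately, the doc comment should start with the function name, `// GetIamPolicy gets the IAM policy that is attached to a generic resource.`, as the other handlers do.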
@@ -0,0 +1,334 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationSetIamPolicy(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/" + uuid.New().String(), + } + User1 = &grbac.Subject{ + Name: "users/" + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/" + uuid.New().String(), + } + ServiceAccount1 = &grbac.Subject{ + Name: "serviceAccounts/" + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/" + uuid.New().String(), + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + Group1 = &grbac.Group{ + Name: "groups/" + uuid.New().String(), + } + + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." 
+ uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/" + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + Role1 = &grbac.Role{ + Name: "roles/" + uuid.New().String(), + } + + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/" + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/" + uuid.New().String(), + Parent: "@animeshon", + } + + Policy0 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + } + ) + + // Create new random resources. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + + // Test: newly created resource should have an empty policy. + policy, err := server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource0.Name}) + require.NoError(t, err) + require.NotNil(t, policy) + require.Empty(t, policy.Bindings) + require.Empty(t, policy.Etag) + require.Empty(t, policy.Version) + + // Test: get policy should return 'not found' if the resource doesn't exist. 
+ _, err = server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource1.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: setting a valid resource policy should not fail. + policy, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: Policy0, + }) + require.NoError(t, err) + require.NotNil(t, policy) + require.Equal(t, Policy0.Bindings, policy.Bindings) + require.Equal(t, Policy0.Version, policy.Version) + require.NotEmpty(t, policy.Etag) + + // Test: get resource should return the same resource created. + policy, err = server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource0.Name}) + require.NoError(t, err) + require.NotNil(t, policy) + require.Equal(t, Policy0.Bindings, policy.Bindings) + require.Equal(t, Policy0.Version, policy.Version) + require.NotEmpty(t, policy.Etag) + + // Test: setting an invalid (no policy) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (no resource name) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing resource) resource policy should fail. 
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource1.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: setting an invalid (unsupported version) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 5, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (no role) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing role) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role1.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing user) resource policy should fail. 
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing service account) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount1.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing group) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount1.Name), + toGroupMember(Group1.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (no members) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) +} diff --git a/pkg/services/iam_policies_set.go b/pkg/services/iam_policies_set.go new file mode 100644 index 0000000..fd94977 --- /dev/null +++ b/pkg/services/iam_policies_set.go 
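Review bot: The "non-existing group" case does not isolate the group check, because its Members list still carries `toServiceAccountMember(ServiceAccount1.Name)` and ServiceAccount1 is never created. validateSetIamPolicy walks the members in order, so it returns InvalidArgument at the service account before it reaches `toGroupMember(Group1.Name)`. The test would keep passing even if the group existence check were removed. Change that entry to `toServiceAccountMember(ServiceAccount0.Name),` so that Group1 is the only missing member.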
@@ -0,0 +1,154 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/policies/policies.update.query.go.tmpl +var queryUpdatePolicy string + +//go:embed data/policies/policies.update.set.go.tmpl +var setUpdatePolicy string + +//go:embed data/policies/policies.update.delete.go.tmpl +var deleteUpdatePolicy string + +var templateQueryUpdatePolicy = template.Must( + template.New("QueryUpdatePolicy").Funcs(defaultFuncMap).Parse(queryUpdatePolicy), +) + +var templateSetUpdatePolicy = template.Must( + template.New("SetUpdatePolicy").Funcs(defaultFuncMap).Parse(setUpdatePolicy), +) + +var templateDeleteUpdatePolicy = template.Must( + template.New("DeleteUpdatePolicy").Funcs(defaultFuncMap).Parse(deleteUpdatePolicy), +) + +func (s *AccessControlServerImpl) validateSetIamPolicy(ctx context.Context, txn *dgo.Txn, req *iam.SetIamPolicyRequest) error { + // The resource name must be defined. + if len(req.Resource) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err() + } + + // The full resource name must be well formatted. + if !isFullResourceName(req.Resource) { + return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err() + } + + // The resource policy is optional. + if req.Policy == nil { + return status.New(codes.InvalidArgument, "invalid argument {policy not defined}").Err() + } + + // The policy version must be defined and valid. + if req.Policy.Version != 1 { + return status.New(codes.InvalidArgument, "invalid argument {invalid policy version}").Err() + } + + for _, i := range req.Policy.Bindings { + // The binding role must be defined. 
+ if len(i.Role) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err() + } + + // The role must exist. + roleFound, err := graph.ExistsRole(ctx, txn, i.Role) + if err != nil { + logrus.WithError(err).Errorf("SetIamPolicy: failed to query role") + return status.New(codes.Internal, "internal error").Err() + } + + if !roleFound { + return status.New(codes.InvalidArgument, "invalid argument {role does not exist}").Err() + } + + // There must be at least one member in the binding. + if len(i.Members) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {binding has no members}").Err() + } + + // The members must all exist and must have a known type. + for _, m := range i.Members { + memberFound := false + if isGroupMember(m) { + memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m)) + } else if isUserMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m)) + } else if isServiceAccountMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m)) + } else if isAllUsersMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, allUsers) + } else { + return status.New(codes.InvalidArgument, "invalid argument {unknown member type}").Err() + } + + if err != nil { + logrus.WithError(err).Errorf("SetIamPolicy: failed to query binding members") + return status.New(codes.Internal, "internal error").Err() + } + + if !memberFound { + return status.New(codes.InvalidArgument, "invalid argument {member does not exist}").Err() + } + } + } + + // The resource must exist. + resourceFound, err := graph.ExistsResource(ctx, txn, req.Resource) + if err != nil { + logrus.WithError(err).Errorf("SetIamPolicy: failed to query resource") + return status.New(codes.Internal, "internal error").Err() + } + + if !resourceFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// Sets the IAM policy that is attached to a generic resource. 
+func (s *AccessControlServerImpl) SetIamPolicy(ctx context.Context, req *iam.SetIamPolicyRequest) (*iam.Policy, error) { + txn := s.cli.NewTxn() + if err := s.validateSetIamPolicy(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. + etag := []byte("TODO") + + data := struct { + Resource string + Policy *iam.Policy + ETag string + }{ + Resource: req.GetResource(), + Policy: req.GetPolicy(), + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.update(ctx, txn, templateQueryUpdatePolicy, templateSetUpdatePolicy, templateDeleteUpdatePolicy, data); err != nil { + logrus.WithError(err).Errorf("SetIamPolicy: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + policy := &iam.Policy{ + Version: req.Policy.Version, + Bindings: req.Policy.Bindings, + Etag: etag, + } + + return policy, nil +} diff --git a/pkg/services/permissions.go b/pkg/services/permissions.go new file mode 100644 index 0000000..beb7f55 --- /dev/null +++ b/pkg/services/permissions.go @@ -0,0 +1,21 @@ +package services + +import "strings" + +func isPermission(name string) bool { + return strings.HasPrefix(name, "permissions/") +} + +func toPermissionId(name string) string { + return strings.TrimPrefix(name, "permissions/") +} + +func toPermissionName(name string) string { + return "permissions/" + name +} + +// isValidPermissionId enforces the Google Cloud IAM permission format +// [service].[resource].[verb]. +func isValidPermissionId(name string) bool { + return len(strings.Split(toPermissionId(name), ".")) == 3 +} diff --git a/pkg/services/permissions_create.go b/pkg/services/permissions_create.go new file mode 100644 index 0000000..a3339ec --- /dev/null +++ b/pkg/services/permissions_create.go 
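Review bot: SetIamPolicy never looks at `req.Policy.Etag`: the stored etag is the constant `[]byte("TODO")` and nothing compares the caller's value with what is in the graph. Two concurrent read-modify-write callers can therefore overwrite each other's bindings silently, and for an IAM policy that lost update can drop or restore a grant unnoticed. Until real etags exist I would document this on the handler, e.g. `// NOTE: etag is a placeholder; concurrent SetIamPolicy calls are last-writer-wins.`, and once they do, reject a mismatch with `codes.Aborted`. The comment `// The resource policy is optional.` in validateSetIamPolicy also contradicts the check below it, which rejects a nil policy. CreateResource and UpdateGroup write the same placeholder etag.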
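Review bot: isValidPermissionId in permissions.go only counts the pieces produced by splitting on `.`, so names with empty segments (constructed examples: `permissions/..`, `permissions/a..`) pass as a valid [service].[resource].[verb] id. Each of the three segments should also be required to be non-empty. A per-segment character allow-list would be stricter still, since this string is later rendered into a dgraph mutation template.

```go
func isValidPermissionId(name string) bool {
	parts := strings.Split(toPermissionId(name), ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts {
		if p == "" {
			return false
		}
	}
	return true
}
```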
@@ -0,0 +1,81 @@ +package services + +import ( + "context" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/permissions/permissions.create.query.go.tmpl +var queryCreatePermission string + +//go:embed data/permissions/permissions.create.mutation.go.tmpl +var mutationCreatePermission string + +var templateQueryCreatePermission = template.Must( + template.New("QueryCreatePermission").Funcs(defaultFuncMap).Parse(queryCreatePermission), +) + +var templateMutationCreatePermission = template.Must( + template.New("MutationCreatePermission").Funcs(defaultFuncMap).Parse(mutationCreatePermission), +) + +func (s *AccessControlServerImpl) validateCreatePermission(ctx context.Context, txn *dgo.Txn, req *grbac.CreatePermissionRequest) error { + // A permission must be defined. + if req.Permission == nil { + return status.New(codes.InvalidArgument, "invalid argument {permission not defined}").Err() + } + + // The permission name must be defined. + if len(req.Permission.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {permission name not defined}").Err() + } + + // The permission name must be well formatted. + if !isPermission(req.Permission.Name) || !isValidPermissionId(req.Permission.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid permission name format}").Err() + } + + // The permission must be new to avoid race conditions. 
+ permissionFound, err := graph.ExistsPermission(ctx, txn, req.Permission.Name) + if err != nil { + logrus.WithError(err).Errorf("failed to validate 'CreatePermission' request") + return status.New(codes.Internal, "internal error").Err() + } + + if permissionFound { + return status.New(codes.AlreadyExists, "conflict").Err() + } + + return nil +} + +// CreatePermission creates a new permission. +func (s *AccessControlServerImpl) CreatePermission(ctx context.Context, req *grbac.CreatePermissionRequest) (*grbac.Permission, error) { + txn := s.cli.NewTxn() + if err := s.validateCreatePermission(ctx, txn, req); err != nil { + return nil, err + } + + data := struct { + Permission *grbac.Permission + }{ + Permission: req.GetPermission(), + } + + if err := s.create(ctx, txn, templateQueryCreatePermission, templateMutationCreatePermission, data); err != nil { + logrus.WithError(err).Errorf("CreatePermission: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + return &grbac.Permission{Name: req.Permission.Name}, nil +} diff --git a/pkg/services/permissions_delete.go b/pkg/services/permissions_delete.go new file mode 100644 index 0000000..57cc2cc --- /dev/null +++ b/pkg/services/permissions_delete.go 
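Review bot: `req.Permission.Name` is passed into `templateMutationCreatePermission`, a `text/template` that does no contextual escaping, after only a prefix check and a dot count. The templates and `defaultFuncMap` are not in this hunk, so escaping may happen there; if it does not, a name containing quotes or angle brackets could change the shape of the generated mutation. I would validate names against an explicit character allow-list in validateCreatePermission rather than rely on the template. The same question applies to resource names in resources_create.go (isFullResourceName accepts whatever `url.Parse` accepts) and to the role and member strings in iam_policies_set.go.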
@@ -0,0 +1,77 @@ +package services + +import ( + "context" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + empty "google.golang.org/protobuf/types/known/emptypb" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/permissions/permissions.delete.query.go.tmpl +var queryDeletePermission string + +//go:embed data/permissions/permissions.delete.mutation.go.tmpl +var mutationDeletePermission string + +var templateQueryDeletePermission = template.Must( + template.New("QueryDeletePermission").Funcs(defaultFuncMap).Parse(queryDeletePermission), +) + +var templateMutationDeletePermission = template.Must( + template.New("MutationDeletePermission").Funcs(defaultFuncMap).Parse(mutationDeletePermission), +) + +func (s *AccessControlServerImpl) validateDeletePermission(ctx context.Context, txn *dgo.Txn, req *grbac.DeletePermissionRequest) error { + // The permission name must be defined. + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {permission name not defined}").Err() + } + + // The permission name must be well formatted. + if !isPermission(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid permission name format}").Err() + } + + // The permission must exist. + permissionFound, err := graph.ExistsPermission(ctx, txn, req.Name) + if err != nil { + logrus.WithError(err).Errorf("DeletePermission: failed to query permission") + return status.New(codes.Internal, "internal error").Err() + } + + if !permissionFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// DeletePermission deletes a permission. 
+func (s *AccessControlServerImpl) DeletePermission(ctx context.Context, req *grbac.DeletePermissionRequest) (*empty.Empty, error) { + txn := s.cli.NewTxn() + if err := s.validateDeletePermission(ctx, txn, req); err != nil { + return nil, err + } + + data := struct { + Name string + }{ + Name: req.GetName(), + } + + if err := s.delete(ctx, txn, templateQueryDeletePermission, templateMutationDeletePermission, data); err != nil { + logrus.WithError(err).Errorf("DeletePermission: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + return &empty.Empty{}, nil +} diff --git a/pkg/services/permissions_integration_test.go b/pkg/services/permissions_integration_test.go new file mode 100644 index 0000000..ecfaf36 --- /dev/null +++ b/pkg/services/permissions_integration_test.go 
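Review bot: DeletePermission logs only on failure, so a successful deletion of a permission leaves no trace in the service log. For an access-control service the successful mutations are what an investigation needs; after the `s.delete` call succeeds I would add something like `logrus.WithField("permission", req.GetName()).Info("DeletePermission: permission deleted")`. Caller identity is not available in this handler as written, so it would have to come from an interceptor or the context. DeleteResource, CreatePermission, CreateResource and SetIamPolicy have the same gap.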
@@ -0,0 +1,109 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationPermissionCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionInvalid = &grbac.Permission{ + Name: "permissions/" + uuid.New().String(), + } + ) + + // Test: creation should not fail. + user0, err := server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + require.NotNil(t, user0) + + assert.Equal(t, Permission0.Name, user0.Name) + + // Test: creation with invalid format should fail. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionInvalid}) + assert.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: creation of duplicate permission should fail with already exists. 
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) +} + +func TestIntegrationPermissionDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + ) + + // Create a new random permission. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + // Test: deletion of existing permission should not fail. + empty, err := server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: Permission0.Name}) + require.NoError(t, err) + assert.NotNil(t, empty) + + // Test: deletion of deleted permission should fail. + _, err = server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: Permission0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing permission should fail. + _, err = server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: PermissionNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} diff --git a/pkg/services/resources.go b/pkg/services/resources.go new file mode 100644 index 0000000..d56c5ba --- /dev/null +++ b/pkg/services/resources.go 
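Review bot: The invalid-format case covers only a name with no dots (`"permissions/" + uuid.New().String()`). Names that lack the `permissions/` prefix, have more than three segments or have an empty segment are not exercised, and neither are a nil Permission or an empty Name, which validateCreatePermission handles in separate branches. A small table of invalid requests asserting `codes.InvalidArgument` would pin all of those. As a matter of naming, `user0` holds a `*grbac.Permission` and would read better as `permission0`.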
@@ -0,0 +1,16 @@
+package services
+
+import "net/url"
+
+func isFullResourceName(name string) bool {
+ if name == "@animeshon" {
+ return true
+ }
+
+ if len(name) == 0 || name[:2] != "//" {
+ return false
+ }
+
+ _, err := url.Parse("https:" + name)
+ return err == nil
+}
diff --git a/pkg/services/resources_create.go b/pkg/services/resources_create.go
new file mode 100644
index 0000000..7e1081a
--- /dev/null
+++ b/pkg/services/resources_create.go
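Review bot: isFullResourceName in resources.go panics on a one-character name: `len(name) == 0 || name[:2] != "//"` guards only the empty string, so `name[:2]` is out of range when `len(name) == 1`. The handlers in this commit call it on request fields after checking only for empty input, so a single malformed request reaches the slice expression. Unless a recovery interceptor is installed, a panic in a gRPC handler takes the process down. Replace the condition with `if !strings.HasPrefix(name, "//") {` and add `"strings"` to the imports. Note also that `url.Parse` is lenient (it accepts an empty host, for example), so this remains a loose format check.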
@@ -0,0 +1,114 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/resources/resources.create.query.go.tmpl +var queryCreateResource string + +//go:embed data/resources/resources.create.mutation.go.tmpl +var mutationCreateResource string + +var templateQueryCreateResource = template.Must( + template.New("QueryCreateResource").Funcs(defaultFuncMap).Parse(queryCreateResource), +) + +var templateMutationCreateResource = template.Must( + template.New("MutationCreateResource").Funcs(defaultFuncMap).Parse(mutationCreateResource), +) + +func (s *AccessControlServerImpl) validateCreateResource(ctx context.Context, txn *dgo.Txn, req *grbac.CreateResourceRequest) error { + // A resource must be defined. + if req.Resource == nil { + return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err() + } + + // The resource name must be defined. + if len(req.Resource.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err() + } + + // The resource name must be well formatted. + if !isFullResourceName(req.Resource.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err() + } + + // The parent name must be defined. + if len(req.Resource.Parent) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {parent name not defined}").Err() + } + + // The parent name must be well formatted. + if !isFullResourceName(req.Resource.Parent) { + return status.New(codes.InvalidArgument, "invalid argument {invalid parent name format}").Err() + } + + // The parent must exist. 
+ parentFound, err := graph.ExistsResource(ctx, txn, req.Resource.Parent) + if err != nil { + logrus.WithError(err).Errorf("CreateResource: failed to query resource parent") + return status.New(codes.Internal, "internal error").Err() + } + + if !parentFound { + return status.New(codes.InvalidArgument, "invalid argument {parent does not exist}").Err() + } + + // The resource must be new to avoid race conditions. + resourceFound, err := graph.ExistsResource(ctx, txn, req.Resource.Name) + if err != nil { + logrus.WithError(err).Errorf("CreateResource: failed to query resource") + return status.New(codes.Internal, "internal error").Err() + } + + if resourceFound { + return status.New(codes.AlreadyExists, "conflict").Err() + } + + return nil +} + +// CreateResource creates a new resource. +func (s *AccessControlServerImpl) CreateResource(ctx context.Context, req *grbac.CreateResourceRequest) (*grbac.Resource, error) { + txn := s.cli.NewTxn() + if err := s.validateCreateResource(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. + etag := []byte("TODO") + + data := struct { + Resource *grbac.Resource + ETag string + }{ + Resource: req.GetResource(), + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.create(ctx, txn, templateQueryCreateResource, templateMutationCreateResource, data); err != nil { + logrus.WithError(err).Errorf("CreateResource: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + resource := &grbac.Resource{ + Name: req.Resource.Name, + Parent: req.Resource.Parent, + Etag: etag, + } + + return resource, nil +} diff --git a/pkg/services/resources_delete.go b/pkg/services/resources_delete.go new file mode 100644 index 0000000..fdd59fa --- /dev/null +++ b/pkg/services/resources_delete.go 
@@ -0,0 +1,88 @@ +package services + +import ( + "context" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + empty "google.golang.org/protobuf/types/known/emptypb" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/resources/resources.delete.query.go.tmpl +var queryDeleteResource string + +//go:embed data/resources/resources.delete.mutation.go.tmpl +var mutationDeleteResource string + +var templateQueryDeleteResource = template.Must( + template.New("QueryDeleteResource").Funcs(defaultFuncMap).Parse(queryDeleteResource), +) + +var templateMutationDeleteResource = template.Must( + template.New("MutationDeleteResource").Funcs(defaultFuncMap).Parse(mutationDeleteResource), +) + +func (s *AccessControlServerImpl) validateDeleteResource(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteResourceRequest) error { + // The resource name must be defined. + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err() + } + + // The resource name must be well formatted. + if !isFullResourceName(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err() + } + + // The resource must exist. + resourceFound, err := graph.ExistsResource(ctx, txn, req.Name) + if err != nil { + logrus.WithError(err).Errorf("DeleteResource: failed to query resource") + return status.New(codes.Internal, "internal error").Err() + } + + if !resourceFound { + return status.New(codes.NotFound, "not found").Err() + } + + // The resource must not have children before deletion. 
+ childrenFound, err := graph.HasChildren(ctx, txn, req.Name) + if err != nil { + logrus.WithError(err).Errorf("DeleteResource: failed to check if resource has children") + return status.New(codes.Internal, "internal error").Err() + } + + if childrenFound { + return status.New(codes.FailedPrecondition, "failed precondition {resource has children}").Err() + } + + return nil +} + +// DeleteResource deletes a resource. +func (s *AccessControlServerImpl) DeleteResource(ctx context.Context, req *grbac.DeleteResourceRequest) (*empty.Empty, error) { + txn := s.cli.NewTxn() + if err := s.validateDeleteResource(ctx, txn, req); err != nil { + return nil, err + } + + data := struct { + Name string + }{ + Name: req.Name, + } + + if err := s.delete(ctx, txn, templateQueryDeleteResource, templateMutationDeleteResource, data); err != nil { + logrus.WithError(err).Errorf("DeleteResource: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + return &empty.Empty{}, nil +} diff --git a/pkg/services/resources_get.go b/pkg/services/resources_get.go new file mode 100644 index 0000000..bb0a007 --- /dev/null +++ b/pkg/services/resources_get.go 
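Review bot: The no-children precondition in validateDeleteResource is established only by the `graph.HasChildren` read, and the delete itself is issued later through `s.delete`. Whether a child attached by a concurrent CreateResource makes the commit abort depends on the embedded delete template and the schema, neither of which is shown here; if it does not, a resource could be removed while a new child still points at it, leaving that child without the parent its policy inheritance relies on. If the mutation template does not already condition on the absence of children, that is the place to enforce it. Either way a comment such as `// HasChildren here is a fast-fail only; the delete mutation must enforce the precondition atomically.` above the check would record the contract.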
@@ -0,0 +1,64 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetResource(ctx context.Context, txn *dgo.Txn, req *grbac.GetResourceRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ return nil
+}
+
+// GetResource returns a resource.
+func (s *AccessControlServerImpl) GetResource(ctx context.Context, req *grbac.GetResourceRequest) (*grbac.Resource, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO(performance): GetResource should return only the resource name and parent (no policy).
+ resp, err := graph.GetResource(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get resource [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ resource := &grbac.Resource{
+ Name: resp.Name,
+ }
+
+ resource.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode resource etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp.Parent != nil {
+ resource.Parent = resp.Parent.Name
+ }
+
+ return resource, nil
+}
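Review bot: Both error branches of GetResource interpolate the caller-supplied `req.Name` into the log message with `%s`, which makes the message text vary per request and mixes request data into it. A constant message with the name as a structured field keeps the data separate and matches the `Handler: ...` prefix used by the other handlers, e.g. `logrus.WithError(err).WithField("resource", req.Name).Error("GetResource: failed to get resource")`. The same applies to the two log calls in GetRole in roles_get.go. Separately, validateGetResource accepts `ctx` and `txn` but uses neither; a short doc comment stating that it performs format checks only would make that explicit.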
diff --git a/pkg/services/resources_integration_test.go b/pkg/services/resources_integration_test.go
new file mode 100644
index 0000000..3d94ba6
--- /dev/null
+++ b/pkg/services/resources_integration_test.go
@@ -0,0 +1,174 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationResourceCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + ResourceNotFound = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(), + Parent: "@animeshon", + } + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(), + Parent: Resource0.Name, + } + Resource2 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-2." + uuid.New().String(), + Parent: ResourceNotFound.Name, + } + Resource3 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-3." + uuid.New().String(), + } + ) + + // Test: creation should not fail. 
+ resource0, err := server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + require.NotNil(t, resource0) + + assert.Equal(t, Resource0.Name, resource0.Name) + assert.Equal(t, Resource0.Parent, resource0.Parent) + assert.NotEmpty(t, resource0.Etag) + + // Test: creation with existing parent should not fail. + resource1, err := server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1}) + require.NoError(t, err) + require.NotNil(t, resource1) + + assert.Equal(t, Resource1.Name, resource1.Name) + assert.Equal(t, Resource1.Parent, resource1.Parent) + assert.NotEmpty(t, resource1.Etag) + + // Test: creation with non-existing parent should fail. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource2}) + require.Error(t, err) + require.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: creation without parent should fail. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource3}) + require.Error(t, err) + require.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: creation of duplicate resource should fail with already exists. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) + + // Test: get resource should return the same resource created. 
+ resource, err := server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource1.Name}) + require.NoError(t, err) + require.NotNil(t, resource) + + assert.Equal(t, Resource1.Name, resource.Name) + assert.Equal(t, Resource1.Parent, resource.Parent) + assert.NotEmpty(t, resource.Etag) +} + +func TestIntegrationResourceDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(), + Parent: Resource0.Name, + } + ResourceNotFound = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(), + Parent: "@animeshon", + } + ) + + // Create new random resources. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1}) + require.NoError(t, err) + + // Test: deletion of existing resource with children should fail. + _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: deletion of existing resource with no children should not fail. 
+ empty, err := server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource1.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + empty, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + // Test: get resource should return 'not found' after deletion. + _, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + _, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource1.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of already deleted resource should fail. + _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing resource should fail. + _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: ResourceNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} diff --git a/pkg/services/resources_transfer.go b/pkg/services/resources_transfer.go new file mode 100644 index 0000000..39fc507 --- /dev/null +++ b/pkg/services/resources_transfer.go @@ -0,0 +1,15 @@ +package services + +import ( + "context" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +// TransferResource transfers a resource to a new parent. +func (s *AccessControlServerImpl) TransferResource(ctx context.Context, req *grbac.TransferResourceRequest) (*grbac.Resource, error) { + return nil, status.New(codes.Unimplemented, "unimplemented").Err() +} diff --git a/pkg/services/roles.go b/pkg/services/roles.go new file mode 100644 index 0000000..a2fba0f --- /dev/null +++ b/pkg/services/roles.go 
@@ -0,0 +1,7 @@
+package services
+
+import "strings"
+
+func isRole(name string) bool {
+ return strings.HasPrefix(name, "roles/")
+}
diff --git a/pkg/services/roles_create.go b/pkg/services/roles_create.go
new file mode 100644
index 0000000..47f28c3
--- /dev/null
+++ b/pkg/services/roles_create.go
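Review bot: `isRole` accepts any string that starts with `roles/`, including the bare prefix and names containing quotes, whitespace or newlines, yet it is the only format gate before the name is handed to `text/template` templates that build the Dgraph query and mutation in roles_create.go, roles_delete.go and roles_update.go. `text/template` does no escaping of its own, and whether `defaultFuncMap` or the embedded templates escape values is not visible in this diff, so the validator should not rely on them. Consider requiring a non-empty id restricted to an allow-list of characters, for example a package-level `regexp.MustCompile("^roles/[A-Za-z0-9._-]+$")`; the exact character set needs to be agreed first, since the integration tests use names such as `roles/role-?.<uuid>`. `isUser` and `isServiceAccount` in subjects.go have the same prefix-only shape.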
@@ -0,0 +1,110 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/roles/roles.create.query.go.tmpl +var queryCreateRole string + +//go:embed data/roles/roles.create.mutation.go.tmpl +var mutationCreateRole string + +var templateQueryCreateRole = template.Must( + template.New("QueryCreateRole").Funcs(defaultFuncMap).Parse(queryCreateRole), +) + +var templateMutationCreateRole = template.Must( + template.New("MutationCreateRole").Funcs(defaultFuncMap).Parse(mutationCreateRole), +) + +func (s *AccessControlServerImpl) validateCreateRole(ctx context.Context, txn *dgo.Txn, req *grbac.CreateRoleRequest) error { + // A role must be defined. + if req.Role == nil { + return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err() + } + + // The role name must be defined. + if len(req.Role.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err() + } + + // The role must include at least one permission. + if len(req.Role.Permissions) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {role has no permissions}").Err() + } + + // The permissions included in the role must exist. + for _, permission := range req.Role.Permissions { + permissionFound, err := graph.ExistsPermission(ctx, txn, toPermissionName(permission)) + if err != nil { + logrus.WithError(err).Errorf("CreateRole: failed to query role permissions") + return status.New(codes.Internal, "internal error").Err() + } + + if !permissionFound { + return status.New(codes.FailedPrecondition, "failed precondition {permission does not exist}").Err() + } + } + + // The role name must be well formatted. 
+ if !isRole(req.Role.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err() + } + + roleFound, err := graph.ExistsRole(ctx, txn, req.Role.Name) + if err != nil { + logrus.WithError(err).Errorf("failed to validate 'CreateRole' request") + return status.New(codes.Internal, "internal error").Err() + } + + if roleFound { + return status.New(codes.AlreadyExists, "conflict").Err() + } + + return nil +} + +// CreateRole creates a new role. +func (s *AccessControlServerImpl) CreateRole(ctx context.Context, req *grbac.CreateRoleRequest) (*grbac.Role, error) { + txn := s.cli.NewTxn() + if err := s.validateCreateRole(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. + etag := []byte("TODO") + + data := struct { + Role *grbac.Role + ETag string + }{ + Role: req.GetRole(), + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.create(ctx, txn, templateQueryCreateRole, templateMutationCreateRole, data); err != nil { + logrus.WithError(err).Errorf("CreateRole: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + role := &grbac.Role{ + Name: req.Role.Name, + Permissions: req.Role.Permissions, + Etag: etag, + } + + return role, nil +} diff --git a/pkg/services/roles_delete.go b/pkg/services/roles_delete.go new file mode 100644 index 0000000..12331b2 --- /dev/null +++ b/pkg/services/roles_delete.go 
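Review bot: validateCreateRole issues one `graph.ExistsPermission` query per entry of `req.Role.Permissions` before it runs the cheap `isRole` format check, and the length of the list is not bounded, so a request that is going to be rejected for its name can still cost an arbitrary number of database round trips. Moving the `isRole` block above the permissions loop, the order validateUpdateRole in roles_update.go already uses, and rejecting lists above a fixed maximum before the loop would keep the expensive work behind the cheap checks. The `ExistsRole` error branch also logs `failed to validate 'CreateRole' request` where the rest of the file uses the `CreateRole: ...` prefix; `"CreateRole: failed to query role"` would be consistent.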
@@ -0,0 +1,77 @@ +package services + +import ( + "context" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + empty "google.golang.org/protobuf/types/known/emptypb" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/roles/roles.delete.query.go.tmpl +var queryDeleteRole string + +//go:embed data/roles/roles.delete.mutation.go.tmpl +var mutationDeleteRole string + +var templateQueryDeleteRole = template.Must( + template.New("QueryDeleteRole").Funcs(defaultFuncMap).Parse(queryDeleteRole), +) + +var templateMutationDeleteRole = template.Must( + template.New("MutationDeleteRole").Funcs(defaultFuncMap).Parse(mutationDeleteRole), +) + +func (s *AccessControlServerImpl) validateDeleteRole(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteRoleRequest) error { + // The role name must be defined. + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err() + } + + // The role name must be well formatted. + if !isRole(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err() + } + + // The role must exist. + roleFound, err := graph.ExistsRole(ctx, txn, req.Name) + if err != nil { + logrus.WithError(err).Errorf("DeleteRole: failed to query role") + return status.New(codes.Internal, "internal error").Err() + } + + if !roleFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// DeleteRole deletes a role. 
+func (s *AccessControlServerImpl) DeleteRole(ctx context.Context, req *grbac.DeleteRoleRequest) (*empty.Empty, error) { + txn := s.cli.NewTxn() + if err := s.validateDeleteRole(ctx, txn, req); err != nil { + return nil, err + } + + data := struct { + Name string + }{ + Name: req.GetName(), + } + + if err := s.delete(ctx, txn, templateQueryDeleteRole, templateMutationDeleteRole, data); err != nil { + logrus.WithError(err).Errorf("DeleteRole: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + return &empty.Empty{}, nil +} diff --git a/pkg/services/roles_get.go b/pkg/services/roles_get.go new file mode 100644 index 0000000..a1b41ff --- /dev/null +++ b/pkg/services/roles_get.go 
@@ -0,0 +1,61 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetRole(ctx context.Context, txn *dgo.Txn, req *grbac.GetRoleRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ return nil
+}
+
+// GetRole returns a role.
+func (s *AccessControlServerImpl) GetRole(ctx context.Context, req *grbac.GetRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ resp, err := graph.GetRole(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get role [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ role := &grbac.Role{
+ Name: resp.Name,
+ }
+
+ role.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode role etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ for _, permission := range resp.Permissions {
+ role.Permissions = append(role.Permissions, toPermissionId(permission.Name))
+ }
+
+ return role, nil
+}
diff --git a/pkg/services/roles_integration_test.go b/pkg/services/roles_integration_test.go
new file mode 100644
index 0000000..5a55b70
--- /dev/null
+++ b/pkg/services/roles_integration_test.go
@@ -0,0 +1,294 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/fieldmaskpb" +) + +func TestIntegrationRoleCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/role-0." + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + Role1 = &grbac.Role{ + Name: "roles/role-1." + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + toPermissionId(PermissionNotFound.Name), + }, + } + ) + + // Create a new permission. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + // Test: creation should not fail. 
+ role, err := server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: creation with non-existing permission should fail. + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role1}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: creation of duplicate role should fail with already exists. + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) + + // Test: get role should return the same role created. + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) +} + +func TestIntegrationRoleDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/role-0." + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + RoleNotFound = &grbac.Role{ + Name: "roles/role-?." + uuid.New().String(), + } + ) + + // Create a new random role and permission. 
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + + // Test: deletion of existing role should not fail. + empty, err := server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: Role0.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + // Test: get role should return 'not found' after deletion. + _, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of already deleted role should fail. + _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: Role0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing role should fail. + _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: RoleNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} + +func TestIntegrationRoleUpdate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + Permission1 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/role-0." 
+ uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + RoleNotFound = &grbac.Role{ + Name: "roles/role-?." + uuid.New().String(), + } + ) + + // Create new random roles. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission1}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + + // Test: update (replace permissions) should not fail. + Role0.Permissions = []string{toPermissionId(Permission1.Name)} + role, err := server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: update (add permissions) should not fail. 
+ Role0.Permissions = append(Role0.Permissions, toPermissionId(Permission0.Name)) + role, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: update (remove all permissions) should not fail. + Role0.Permissions = nil + role, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: update (add non-existing permission) should fail. + Role0.Permissions = []string{toPermissionId(PermissionNotFound.Name)} + _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: update with mutable field mask should not fail. + Role0.Permissions = []string{toPermissionId(Permission0.Name)} + _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{ + Role: Role0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"role", "role.permissions"}, + }}) + require.NoError(t, err) + + // Test: update with immutable field mask should fail. 
+ _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{ + Role: Role0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"role.name"}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update with invalid field mask should fail. + _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{ + Role: Role0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{""}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update of non-existing role should fail. + _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: RoleNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} diff --git a/pkg/services/roles_update.go b/pkg/services/roles_update.go new file mode 100644 index 0000000..cb0a95f --- /dev/null +++ b/pkg/services/roles_update.go 
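Review bot: The final case in TestIntegrationRoleUpdate, commented `update of non-existing role should fail`, calls `server.DeleteRole` instead of `server.UpdateRole`, so the NotFound path of UpdateRole is never exercised and the assertion only repeats what TestIntegrationRoleDelete already covers. The call should read `_, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: RoleNotFound})`. RoleNotFound carries no permissions and no update mask, so validateUpdateRole in roles_update.go should reach its `ExistsRole` check and return NotFound as the assertion expects.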
@@ -0,0 +1,128 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/fieldmask" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/roles/roles.update.query.go.tmpl +var queryUpdateRole string + +//go:embed data/roles/roles.update.set.go.tmpl +var setUpdateRole string + +//go:embed data/roles/roles.update.delete.go.tmpl +var deleteUpdateRole string + +var templateQueryUpdateRole = template.Must( + template.New("QueryUpdateRole").Funcs(defaultFuncMap).Parse(queryUpdateRole), +) + +var templateSetUpdateRole = template.Must( + template.New("SetUpdateRole").Funcs(defaultFuncMap).Parse(setUpdateRole), +) + +var templateDeleteUpdateRole = template.Must( + template.New("DeleteUpdateRole").Funcs(defaultFuncMap).Parse(deleteUpdateRole), +) + +func (s *AccessControlServerImpl) validateUpdateRole(ctx context.Context, txn *dgo.Txn, req *grbac.UpdateRoleRequest) error { + // A role must be defined. + if req.Role == nil { + return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err() + } + + // The role name must be defined. + if len(req.Role.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err() + } + + // The role name must be well formatted. + if !isRole(req.Role.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err() + } + + // The update field mask must contain valid paths. + for _, path := range req.GetUpdateMask().GetPaths() { + switch path { + case "role", "role.permissions": + default: + return status.New(codes.InvalidArgument, "invalid argument {invalid field mask}").Err() + } + } + + // The permissions included in the role must exist. 
+ for _, permission := range req.Role.Permissions { + permissionFound, err := graph.ExistsPermission(ctx, txn, toPermissionName(permission)) + if err != nil { + logrus.WithError(err).Errorf("CreateRole: failed to query role permissions") + return status.New(codes.Internal, "internal error").Err() + } + + if !permissionFound { + return status.New(codes.FailedPrecondition, "failed precondition {permission does not exist}").Err() + } + } + + // The role must exist. + roleFound, err := graph.ExistsRole(ctx, txn, req.Role.Name) + if err != nil { + logrus.WithError(err).Errorf("UpdateRole: failed to query role") + return status.New(codes.Internal, "internal error").Err() + } + + if !roleFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// UpdateRole updates a role with a field mask. +func (s *AccessControlServerImpl) UpdateRole(ctx context.Context, req *grbac.UpdateRoleRequest) (*grbac.Role, error) { + txn := s.cli.NewTxn() + if err := s.validateUpdateRole(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. + etag := []byte("TODO") + + fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask()) + + data := struct { + Role *grbac.Role + FieldMask func(string) bool + ETag string + }{ + Role: req.GetRole(), + FieldMask: fieldmask.Contains, + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.update(ctx, txn, templateQueryUpdateRole, templateSetUpdateRole, templateDeleteUpdateRole, data); err != nil { + logrus.WithError(err).Errorf("UpdateRole: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + // TODO: merge missing fields (not included in the update mask) with the role in dgraph. + role := &grbac.Role{ + Name: req.Role.Name, + Permissions: req.Role.Permissions, + Etag: etag, + } + + return role, nil +} 
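Review bot: The permissions loop in validateUpdateRole logs its failure as `CreateRole: failed to query role permissions`, a leftover from roles_create.go that will point anyone reading the logs at the wrong handler; it should be `logrus.WithError(err).Errorf("UpdateRole: failed to query role permissions")`. In UpdateRole the local `fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask())` shadows the imported `fieldmask` package for the rest of the function; a name such as `mask` avoids that. The loop also checks every entry of `req.Role.Permissions` regardless of the update mask, which is worth a comment stating whether that is intended.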
diff --git a/pkg/services/subjects.go b/pkg/services/subjects.go
new file mode 100644
index 0000000..bad567c
--- /dev/null
+++ b/pkg/services/subjects.go
@@ -0,0 +1,21 @@
+package services
+
+import "strings"
+
+func isSubject(name string) bool {
+ return isUser(name) || isServiceAccount(name)
+}
+
+func isUser(name string) bool {
+ return strings.HasPrefix(name, "users/")
+}
+
+func isServiceAccount(name string) bool {
+ return strings.HasPrefix(name, "serviceAccounts/")
+}
+
+const allUsers = "system/allUsers"
+
+func isAllUsers(name string) bool {
+ return name == allUsers
+}
diff --git a/pkg/services/subjects_create.go b/pkg/services/subjects_create.go
new file mode 100644
index 0000000..55561fb
--- /dev/null
+++ b/pkg/services/subjects_create.go
@@ -0,0 +1,81 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/subjects/subjects.create.query.go.tmpl
+var queryCreateSubject string
+
+//go:embed data/subjects/subjects.create.mutation.go.tmpl
+var mutationCreateSubject string
+
+var templateQueryCreateSubject = template.Must(
+ template.New("QueryCreateSubject").Funcs(defaultFuncMap).Parse(queryCreateSubject),
+)
+
+var templateMutationCreateSubject = template.Must(
+ template.New("MutationCreateSubject").Funcs(defaultFuncMap).Parse(mutationCreateSubject),
+)
+
+func (s *AccessControlServerImpl) validateCreateSubject(ctx context.Context, txn *dgo.Txn, req *grbac.CreateSubjectRequest) error {
+ // A subject must be defined.
+ if req.Subject == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {subject not defined}").Err()
+ }
+
+ // The subject name must be defined.
+ if len(req.Subject.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {subject name not defined}").Err()
+ }
+
+ // The subject name must be well formatted.
+ if !isSubject(req.Subject.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid subject name format}").Err()
+ }
+
+ // The subject must be new to avoid race conditions.
+ subjectFound, err := graph.ExistsSubject(ctx, txn, req.Subject.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreateSubject' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if subjectFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateSubject creates a new subject.
+func (s *AccessControlServerImpl) CreateSubject(ctx context.Context, req *grbac.CreateSubjectRequest) (*grbac.Subject, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateSubject(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Subject *grbac.Subject
+ }{
+ Subject: req.GetSubject(),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateSubject, templateMutationCreateSubject, data); err != nil {
+ logrus.WithError(err).Errorf("CreateSubject: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &grbac.Subject{Name: req.Subject.Name}, nil
+}
diff --git a/pkg/services/subjects_delete.go b/pkg/services/subjects_delete.go
new file mode 100644
index 0000000..aa38408
--- /dev/null
+++ b/pkg/services/subjects_delete.go
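Review bot: `CreateSubject` opens a transaction with `s.cli.NewTxn()` and returns immediately when `validateCreateSubject` fails, so on every rejected request this function never discards the transaction. `s.create` is not part of this hunk and may finish the transaction on the success path, but the validation-error path never reaches it. Adding `defer txn.Discard(ctx)` directly after `txn := s.cli.NewTxn()` covers both paths; as far as I know dgo treats Discard after a commit as a no-op. `DeleteSubject` in subjects_delete.go and `UpdateRole` at the end of the preceding hunk follow the same pattern.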
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/subjects/subjects.delete.query.go.tmpl
+var queryDeleteSubject string
+
+//go:embed data/subjects/subjects.delete.mutation.go.tmpl
+var mutationDeleteSubject string
+
+var templateQueryDeleteSubject = template.Must(
+ template.New("QueryDeleteSubject").Funcs(defaultFuncMap).Parse(queryDeleteSubject),
+)
+
+var templateMutationDeleteSubject = template.Must(
+ template.New("MutationDeleteSubject").Funcs(defaultFuncMap).Parse(mutationDeleteSubject),
+)
+
+func (s *AccessControlServerImpl) validateDeleteSubject(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteSubjectRequest) error {
+ // The subject name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {subject name not defined}").Err()
+ }
+
+ // The subject name must be well formatted.
+ if !isSubject(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid subject name format}").Err()
+ }
+
+ // The subject must exist.
+ subjectFound, err := graph.ExistsSubject(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteSubject: failed to query subject")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !subjectFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeleteSubject deletes a subject.
+func (s *AccessControlServerImpl) DeleteSubject(ctx context.Context, req *grbac.DeleteSubjectRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteSubject(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteSubject, templateMutationDeleteSubject, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteSubject: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
diff --git a/pkg/services/subjects_integration_test.go b/pkg/services/subjects_integration_test.go
new file mode 100644
index 0000000..caada3e
--- /dev/null
+++ b/pkg/services/subjects_integration_test.go
@@ -0,0 +1,115 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationSubjectCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+ )
+
+ // Test: creation (user) should not fail.
+ user0, err := server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+ require.NotNil(t, user0)
+
+ assert.Equal(t, User0.Name, user0.Name)
+
+ // Test: creation (serviceAccount) should not fail.
+ serviceAccount, err := server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+ require.NotNil(t, serviceAccount)
+
+ assert.Equal(t, ServiceAccount0.Name, serviceAccount.Name)
+
+ // Test: creation of duplicate subject should fail with already exists.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+}
+
+func TestIntegrationSubjectDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Subject0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ SubjectNotFound = &grbac.Subject{
+ Name: "users/user-?." + uuid.New().String(),
+ }
+ )
+
+ // Create a new random subject.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: Subject0})
+ require.NoError(t, err)
+
+ // Test: deletion of existing subject should not fail.
+ empty, err := server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: Subject0.Name})
+ require.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: deletion of deleted subject should fail.
+ _, err = server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: Subject0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing subject should fail.
+ _, err = server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: SubjectNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
diff --git a/pkg/services/template.go b/pkg/services/template.go
new file mode 100644
index 0000000..b4d4407
--- /dev/null
+++ b/pkg/services/template.go
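Review bot: Neither `TestIntegrationSubjectCreate` nor `TestIntegrationSubjectDelete` exercises the InvalidArgument branches of `validateCreateSubject` and `validateDeleteSubject`, which are the input checks in front of the datastore calls. A nil subject, an empty name and a name outside the `users/` and `serviceAccounts/` prefixes should each be asserted, for example `_, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: &grbac.Subject{Name: "groups/group-0"}})` followed by `assert.Equal(t, codes.InvalidArgument, status.Code(err))`. The endpoint, schema and connection setup repeated at the top of both tests could move into one helper at the same time.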
@@ -0,0 +1,45 @@
+package services
+
+import (
+ "bufio"
+ "bytes"
+ "regexp"
+ "text/template"
+)
+
+var (
+ regexAlphaNumeric = regexp.MustCompile("[^A-Za-z0-9]+")
+
+ defaultFuncMap = template.FuncMap{
+ "AlphaNumVar": replaceAlphaNumeric,
+
+ "IsUser": isUserMember,
+ "IsServiceAccount": isServiceAccountMember,
+ "IsGroup": isGroupMember,
+ "IsAllUsers": isAllUsersMember,
+
+ "ToUserName": toUserName,
+ "ToServiceAccountName": toServiceAccountName,
+ "ToGroupName": toGroupName,
+ "ToPermissionName": toPermissionName,
+ }
+)
+
+func replaceAlphaNumeric(name string) string {
+ return regexAlphaNumeric.ReplaceAllString(name, "_")
+}
+
+func ExecuteTemplate(t *template.Template, data interface{}) ([]byte, error) {
+ var buffer bytes.Buffer
+ writer := bufio.NewWriter(&buffer)
+
+ if err := t.Execute(writer, data); err != nil {
+ return nil, err
+ }
+
+ if err := writer.Flush(); err != nil {
+ return nil, err
+ }
+
+ return buffer.Bytes(), nil
+}
diff --git a/schema/animeapis b/schema/animeapis
new file mode 160000
index 0000000..e1dfc76
--- /dev/null
+++ b/schema/animeapis
@@ -0,0 +1 @@
+Subproject commit e1dfc764c23e00eb837c43e9f53286a2751af2e9
diff --git a/schema/api-common-protos b/schema/api-common-protos
new file mode 160000
index 0000000..37d5125
--- /dev/null
+++ b/schema/api-common-protos
@@ -0,0 +1 @@
+Subproject commit 37d5125da5c90f2124d15908a54a32ed3f470bc2
diff --git a/scripts/docker-compose.sh b/scripts/docker-compose.sh
new file mode 100755
index 0000000..947ca77
--- /dev/null
+++ b/scripts/docker-compose.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+sleep 10
+
+grbac init --dgraph-endpoint=dgraph:9080
+grbac run --dgraph-endpoint=dgraph:9080
+
+exit 0
\ No newline at end of file
diff --git a/scripts/gapic.sh b/scripts/gapic.sh
new file mode 100755
index 0000000..98d5395
--- /dev/null
+++ b/scripts/gapic.sh
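Review bot: `defaultFuncMap` in template.go is attached to `text/template`, which writes values into its output verbatim, and the map offers `AlphaNumVar` for variable names but no helper that escapes a value placed inside a string literal. The query and mutation templates are not in this hunk, so whether request fields such as subject or role names are quoted safely cannot be checked from here; if they are rendered between quotes, a name containing `"` would alter the structure of the generated query or mutation. I would pass request values through Dgraph query variables (the `Vars` map of `api.Request`) where the call allows it, or register an escaping function in this map and apply it to every interpolated field. `ExecuteTemplate` is exported without a doc comment; `// ExecuteTemplate renders t with data and returns the rendered bytes.` would do.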
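Review bot: scripts/docker-compose.sh runs under `#!/usr/bin/env sh` but calls `set -o pipefail`, which is not a POSIX option, so on an image whose `sh` lacks it the script aborts before `grbac init` runs. The Dockerfile is not visible here, so which shell the image provides is an open question. The script contains no pipelines, so the line can simply be dropped, or the shebang changed to `#!/usr/bin/env bash` if bash is installed in the image. The fixed `sleep 10` is also only a guess at Dgraph readiness; retrying `grbac init` until it succeeds would be more reliable.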
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+API_NAME="grbac"
+API_VERSION="v1alpha1"
+
+# TODO: Everything should be moved to Bazel for protobuf compilation.
+
+# Generate CLI via GAPIC.
+protoc \
+ --experimental_allow_proto3_optional \
+ --proto_path="schema/api-common-protos" \
+ --proto_path="schema/animeapis" \
+ --go_cli_out="cmd" \
+ --go_cli_opt="root=grbac" \
+ --go_cli_opt="gapic=github.com/animeapis/api-go-client/${API_NAME}/${API_VERSION}" \
+ --go_cli_opt="fmt=true" \
+ "schema/animeapis/animeshon/${API_NAME}/${API_VERSION}/${API_NAME}.proto"
+
+exit 0
\ No newline at end of file
diff --git a/scripts/run-integration.sh b/scripts/run-integration.sh
new file mode 100755
index 0000000..ae0093c
--- /dev/null
+++ b/scripts/run-integration.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9080
+
+# Launch the dgraph docker container and open its ports.
+echo "integration: starting the dgraph docker container..."
+container_id=$(docker run --detach --rm -p 9080:9080 dgraph/standalone:v21.03.0)
+
+# Wait for the container to be up and running.
+echo "integration: waiting (10s) for the container to be ready..."
+sleep 10s
+
+# Run the integration tests and store the return code of the 'go test' command.
+go test -cover -tags=integration ./... && return_code=$? || return_code=$?
+
+# Stop the dgraph docker container.
+echo "integration: stopping the container..."
+docker stop $container_id
+
+exit $return_code
\ No newline at end of file
diff --git a/scripts/update.sh b/scripts/update.sh
new file mode 100755
index 0000000..cb7f179
--- /dev/null
+++ b/scripts/update.sh
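Review bot: In scripts/run-integration.sh, `-p 9080:9080` publishes the Dgraph port on every host interface, while the integration tests connect to it with `grpc.WithInsecure()` and no credentials, so during a run the database is reachable from whatever network the host is on. Binding to loopback matches the `127.0.0.1:9080` endpoint the script exports: `docker run --detach --rm -p 127.0.0.1:9080:9080 dgraph/standalone:v21.03.0`. A `trap 'docker stop "$container_id"' EXIT` set right after the container starts would also stop it when the script is interrupted before the final `docker stop`, and it quotes the variable.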
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+WORKDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+echo "updating go modules..."
+
+GOPROXY=direct go get -u github.com/animeapis/api-go-client@master
+GOPROXY=direct go get -u github.com/animeapis/go-genproto@master
+
+echo "updating git submodules..."
+
+git submodule foreach git pull origin master
+
+echo "regenerating gapics..."
+
+source "${WORKDIR}/gapic.sh"
+
+exit 0
\ No newline at end of file
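Review bot: The two `go get -u ...@master` lines and `git submodule foreach git pull origin master` move the dependencies to whatever the remote branch heads are when the script runs, so the resulting go.mod, go.sum and submodule pointer changes need review as a diff before they are committed. A header comment should say so, e.g. `# Moves Go modules and submodules to the current master heads; review the resulting diff before committing.` Separately, gapic.sh uses paths relative to the repository root and ends in `exit 0`, so `source "${WORKDIR}/gapic.sh"` only works when invoked from the root and terminates this script inside the sourced file. Running `cd "${WORKDIR}/.."` followed by `"${WORKDIR}/gapic.sh"` as a child process avoids both.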