mirrors
/
gitblit
mirror of https://github.com/gitblit/gitblit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1550 Commits
11 Branches
Tree: 04a98505a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '04a98505a4'
${ noResults }
gitblit/src/main/java/com/gitblit/auth/LdapAuthProvider.java

LdapAuthProvider.java 18KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508 
  1. /*

  2.  * Copyright 2012 John Crygier

  3.  * Copyright 2012 gitblit.com

  4.  *

  5.  * Licensed under the Apache License, Version 2.0 (the "License");

  6.  * you may not use this file except in compliance with the License.

  7.  * You may obtain a copy of the License at

  8.  *

  9.  *     http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. package com.gitblit.auth;

  18. 

  19. import java.net.URI;

  20. import java.net.URISyntaxException;

  21. import java.security.GeneralSecurityException;

  22. import java.util.Arrays;

  23. import java.util.HashMap;

  24. import java.util.List;

  25. import java.util.Map;

  26. import java.util.concurrent.TimeUnit;

  27. import java.util.concurrent.atomic.AtomicLong;

  28. 

  29. import com.gitblit.Constants;

  30. import com.gitblit.Constants.AccountType;

  31. import com.gitblit.Keys;

  32. import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider;

  33. import com.gitblit.models.TeamModel;

  34. import com.gitblit.models.UserModel;

  35. import com.gitblit.utils.ArrayUtils;

  36. import com.gitblit.utils.StringUtils;

  37. import com.unboundid.ldap.sdk.Attribute;

  38. import com.unboundid.ldap.sdk.DereferencePolicy;

  39. import com.unboundid.ldap.sdk.ExtendedResult;

  40. import com.unboundid.ldap.sdk.LDAPConnection;

  41. import com.unboundid.ldap.sdk.LDAPException;

  42. import com.unboundid.ldap.sdk.LDAPSearchException;

  43. import com.unboundid.ldap.sdk.ResultCode;

  44. import com.unboundid.ldap.sdk.SearchRequest;

  45. import com.unboundid.ldap.sdk.SearchResult;

  46. import com.unboundid.ldap.sdk.SearchResultEntry;

  47. import com.unboundid.ldap.sdk.SearchScope;

  48. import com.unboundid.ldap.sdk.SimpleBindRequest;

  49. import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;

  50. import com.unboundid.util.ssl.SSLUtil;

  51. import com.unboundid.util.ssl.TrustAllTrustManager;

  52. 

  53. /**

  54.  * Implementation of an LDAP user service.

  55.  *

  56.  * @author John Crygier

  57.  */

  58. public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider {

  59. 

  60.     private AtomicLong lastLdapUserSync = new AtomicLong(0L);

  61. 

  62. 	public LdapAuthProvider() {

  63. 		super("ldap");

  64. 	}

  65. 

  66.  	private long getSynchronizationPeriod() {

  67.         final String cacheDuration = settings.getString(Keys.realm.ldap.ldapCachePeriod, "2 MINUTES");

  68.         try {

  69.             final String[] s = cacheDuration.split(" ", 2);

  70.             long duration = Long.parseLong(s[0]);

  71.             TimeUnit timeUnit = TimeUnit.valueOf(s[1]);

  72.             return timeUnit.toMillis(duration);

  73.         } catch (RuntimeException ex) {

  74.             throw new IllegalArgumentException(Keys.realm.ldap.ldapCachePeriod + " must have format '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'");

  75.         }

  76.     }

  77. 

  78. 	@Override

  79. 	public void setup() {

  80. 		synchronizeLdapUsers();

  81. 	}

  82. 

  83. 	protected synchronized void synchronizeLdapUsers() {

  84.         final boolean enabled = settings.getBoolean(Keys.realm.ldap.synchronizeUsers.enable, false);

  85.         if (enabled) {

  86.             if (System.currentTimeMillis() > (lastLdapUserSync.get() + getSynchronizationPeriod())) {

  87.             	logger.info("Synchronizing with LDAP @ " + settings.getRequiredString(Keys.realm.ldap.server));

  88.                 final boolean deleteRemovedLdapUsers = settings.getBoolean(Keys.realm.ldap.synchronizeUsers.removeDeleted, true);

  89.                 LDAPConnection ldapConnection = getLdapConnection();

  90.                 if (ldapConnection != null) {

  91.                     try {

  92.                         String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");

  93.                         String uidAttribute = settings.getString(Keys.realm.ldap.uid, "uid");

  94.                         String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");

  95.                         accountPattern = StringUtils.replace(accountPattern, "${username}", "*");

  96. 

  97.                         SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);

  98.                         if (result != null && result.getEntryCount() > 0) {

  99.                             final Map<String, UserModel> ldapUsers = new HashMap<String, UserModel>();

  100. 

  101.                             for (SearchResultEntry loggingInUser : result.getSearchEntries()) {

  102. 

  103.                                 final String username = loggingInUser.getAttribute(uidAttribute).getValue();

  104.                                 logger.debug("LDAP synchronizing: " + username);

  105. 

  106.                                 UserModel user = userManager.getUserModel(username);

  107.                                 if (user == null) {

  108.                                     user = new UserModel(username);

  109.                                 }

  110. 

  111.                                 if (!supportsTeamMembershipChanges()) {

  112.                                     getTeamsFromLdap(ldapConnection, username, loggingInUser, user);

  113.                                 }

  114. 

  115.                                 // Get User Attributes

  116.                                 setUserAttributes(user, loggingInUser);

  117. 

  118.                                 // store in map

  119.                                 ldapUsers.put(username.toLowerCase(), user);

  120.                             }

  121. 

  122.                             if (deleteRemovedLdapUsers) {

  123.                                 logger.debug("detecting removed LDAP users...");

  124. 

  125.                                 for (UserModel userModel : userManager.getAllUsers()) {

  126.                                     if (Constants.EXTERNAL_ACCOUNT.equals(userModel.password)) {

  127.                                         if (!ldapUsers.containsKey(userModel.username)) {

  128.                                             logger.info("deleting removed LDAP user " + userModel.username + " from user service");

  129.                                             userManager.deleteUser(userModel.username);

  130.                                         }

  131.                                     }

  132.                                 }

  133.                             }

  134. 

  135.                             userManager.updateUserModels(ldapUsers.values());

  136. 

  137.                             if (!supportsTeamMembershipChanges()) {

  138.                                 final Map<String, TeamModel> userTeams = new HashMap<String, TeamModel>();

  139.                                 for (UserModel user : ldapUsers.values()) {

  140.                                     for (TeamModel userTeam : user.teams) {

  141.                                         userTeams.put(userTeam.name, userTeam);

  142.                                     }

  143.                                 }

  144.                                 userManager.updateTeamModels(userTeams.values());

  145.                             }

  146.                         }

  147.                         lastLdapUserSync.set(System.currentTimeMillis());

  148.                     } finally {

  149.                         ldapConnection.close();

  150.                     }

  151.                 }

  152.             }

  153.         }

  154.     }

  155. 

  156. 	private LDAPConnection getLdapConnection() {

  157. 		try {

  158. 

  159. 			URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));

  160. 			String ldapHost = ldapUrl.getHost();

  161. 			int ldapPort = ldapUrl.getPort();

  162. 			String bindUserName = settings.getString(Keys.realm.ldap.username, "");

  163. 			String bindPassword = settings.getString(Keys.realm.ldap.password, "");

  164. 

  165. 

  166. 			LDAPConnection conn;

  167. 			if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {

  168. 				// SSL

  169. 				SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());

  170. 				conn = new LDAPConnection(sslUtil.createSSLSocketFactory());

  171. 			} else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {

  172. 				// no encryption or StartTLS

  173. 				conn = new LDAPConnection();

  174. 			} else {

  175. 				logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());

  176. 				return null;

  177. 			}

  178. 

  179. 			conn.connect(ldapHost, ldapPort);

  180. 

  181. 			if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {

  182. 				SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());

  183. 				ExtendedResult extendedResult = conn.processExtendedOperation(

  184. 						new StartTLSExtendedRequest(sslUtil.createSSLContext()));

  185. 				if (extendedResult.getResultCode() != ResultCode.SUCCESS) {

  186. 					throw new LDAPException(extendedResult.getResultCode());

  187. 				}

  188. 			}

  189. 

  190. 			if (!StringUtils.isEmpty(bindUserName) || !StringUtils.isEmpty(bindPassword)) {

  191. 				conn.bind(new SimpleBindRequest(bindUserName, bindPassword));

  192. 			}

  193. 

  194. 			return conn;

  195. 

  196. 		} catch (URISyntaxException e) {

  197. 			logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);

  198. 		} catch (GeneralSecurityException e) {

  199. 			logger.error("Unable to create SSL Connection", e);

  200. 		} catch (LDAPException e) {

  201. 			logger.error("Error Connecting to LDAP", e);

  202. 		}

  203. 

  204. 		return null;

  205. 	}

  206. 

  207. 	/**

  208. 	 * Credentials are defined in the LDAP server and can not be manipulated

  209. 	 * from Gitblit.

  210. 	 *

  211. 	 * @return false

  212. 	 * @since 1.0.0

  213. 	 */

  214. 	@Override

  215. 	public boolean supportsCredentialChanges() {

  216. 		return false;

  217. 	}

  218. 

  219. 	/**

  220. 	 * If no displayName pattern is defined then Gitblit can manage the display name.

  221. 	 *

  222. 	 * @return true if Gitblit can manage the user display name

  223. 	 * @since 1.0.0

  224. 	 */

  225. 	@Override

  226. 	public boolean supportsDisplayNameChanges() {

  227. 		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, ""));

  228. 	}

  229. 

  230. 	/**

  231. 	 * If no email pattern is defined then Gitblit can manage the email address.

  232. 	 *

  233. 	 * @return true if Gitblit can manage the user email address

  234. 	 * @since 1.0.0

  235. 	 */

  236. 	@Override

  237. 	public boolean supportsEmailAddressChanges() {

  238. 		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));

  239. 	}

  240. 

  241. 

  242. 	/**

  243. 	 * If the LDAP server will maintain team memberships then LdapUserService

  244. 	 * will not allow team membership changes.  In this scenario all team

  245. 	 * changes must be made on the LDAP server by the LDAP administrator.

  246. 	 *

  247. 	 * @return true or false

  248. 	 * @since 1.0.0

  249. 	 */

  250. 	@Override

  251. 	public boolean supportsTeamMembershipChanges() {

  252. 		return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);

  253. 	}

  254. 

  255. 	@Override

  256. 	public AccountType getAccountType() {

  257. 		 return AccountType.LDAP;

  258. 	}

  259. 

  260. 	@Override

  261. 	public UserModel authenticate(String username, char[] password) {

  262. 		String simpleUsername = getSimpleUsername(username);

  263. 

  264. 		LDAPConnection ldapConnection = getLdapConnection();

  265. 		if (ldapConnection != null) {

  266. 			try {

  267. 				// Find the logging in user's DN

  268. 				String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");

  269. 				String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");

  270. 				accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));

  271. 

  272. 				SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);

  273. 				if (result != null && result.getEntryCount() == 1) {

  274. 					SearchResultEntry loggingInUser = result.getSearchEntries().get(0);

  275. 					String loggingInUserDN = loggingInUser.getDN();

  276. 

  277. 					if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {

  278. 						logger.debug("LDAP authenticated: " + username);

  279. 

  280. 						UserModel user = null;

  281. 						synchronized (this) {

  282. 							user = userManager.getUserModel(simpleUsername);

  283. 							if (user == null)	// create user object for new authenticated user

  284. 								user = new UserModel(simpleUsername);

  285. 

  286. 							// create a user cookie

  287. 							if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {

  288. 								user.cookie = StringUtils.getSHA1(user.username + new String(password));

  289. 							}

  290. 

  291. 							if (!supportsTeamMembershipChanges())

  292. 								getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);

  293. 

  294. 							// Get User Attributes

  295. 							setUserAttributes(user, loggingInUser);

  296. 

  297. 							// Push the ldap looked up values to backing file

  298. 							updateUser(user);

  299. 

  300. 							if (!supportsTeamMembershipChanges()) {

  301. 								for (TeamModel userTeam : user.teams)

  302. 									updateTeam(userTeam);

  303. 							}

  304. 						}

  305. 

  306. 						return user;

  307. 					}

  308. 				}

  309. 			} finally {

  310. 				ldapConnection.close();

  311. 			}

  312. 		}

  313. 		return null;

  314. 	}

  315. 

  316. 	/**

  317. 	 * Set the admin attribute from team memberships retrieved from LDAP.

  318. 	 * If we are not storing teams in LDAP and/or we have not defined any

  319. 	 * administrator teams, then do not change the admin flag.

  320. 	 *

  321. 	 * @param user

  322. 	 */

  323. 	private void setAdminAttribute(UserModel user) {

  324. 		if (!supportsTeamMembershipChanges()) {

  325. 			List<String> admins = settings.getStrings(Keys.realm.ldap.admins);

  326. 			// if we have defined administrative teams, then set admin flag

  327. 			// otherwise leave admin flag unchanged

  328. 			if (!ArrayUtils.isEmpty(admins)) {

  329. 				user.canAdmin = false;

  330. 				for (String admin : admins) {

  331. 					if (admin.startsWith("@")) { // Team

  332. 						if (user.getTeam(admin.substring(1)) != null)

  333. 							user.canAdmin = true;

  334. 					} else

  335. 						if (user.getName().equalsIgnoreCase(admin))

  336. 							user.canAdmin = true;

  337. 				}

  338. 			}

  339. 		}

  340. 	}

  341. 

  342. 	private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {

  343. 		// Is this user an admin?

  344. 		setAdminAttribute(user);

  345. 

  346. 		// Don't want visibility into the real password, make up a dummy

  347. 		user.password = Constants.EXTERNAL_ACCOUNT;

  348. 		user.accountType = getAccountType();

  349. 

  350. 		// Get full name Attribute

  351. 		String displayName = settings.getString(Keys.realm.ldap.displayName, "");

  352. 		if (!StringUtils.isEmpty(displayName)) {

  353. 			// Replace embedded ${} with attributes

  354. 			if (displayName.contains("${")) {

  355. 				for (Attribute userAttribute : userEntry.getAttributes())

  356. 					displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue());

  357. 

  358. 				user.displayName = displayName;

  359. 			} else {

  360. 				Attribute attribute = userEntry.getAttribute(displayName);

  361. 				if (attribute != null && attribute.hasValue()) {

  362. 					user.displayName = attribute.getValue();

  363. 				}

  364. 			}

  365. 		}

  366. 

  367. 		// Get email address Attribute

  368. 		String email = settings.getString(Keys.realm.ldap.email, "");

  369. 		if (!StringUtils.isEmpty(email)) {

  370. 			if (email.contains("${")) {

  371. 				for (Attribute userAttribute : userEntry.getAttributes())

  372. 					email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue());

  373. 

  374. 				user.emailAddress = email;

  375. 			} else {

  376. 				Attribute attribute = userEntry.getAttribute(email);

  377. 				if (attribute != null && attribute.hasValue()) {

  378. 					user.emailAddress = attribute.getValue();

  379. 				}

  380. 			}

  381. 		}

  382. 	}

  383. 

  384. 	private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {

  385. 		String loggingInUserDN = loggingInUser.getDN();

  386. 

  387. 		user.teams.clear();		// Clear the users team memberships - we're going to get them from LDAP

  388. 		String groupBase = settings.getString(Keys.realm.ldap.groupBase, "");

  389. 		String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");

  390. 

  391. 		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN));

  392. 		groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));

  393. 

  394. 		// Fill in attributes into groupMemberPattern

  395. 		for (Attribute userAttribute : loggingInUser.getAttributes()) {

  396. 			groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));

  397. 		}

  398. 

  399. 		SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn"));

  400. 		if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {

  401. 			for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {

  402. 				SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);

  403. 				String teamName = teamEntry.getAttribute("cn").getValue();

  404. 

  405. 				TeamModel teamModel = userManager.getTeamModel(teamName);

  406. 				if (teamModel == null) {

  407. 					teamModel = createTeamFromLdap(teamEntry);

  408. 				}

  409. 

  410. 				user.teams.add(teamModel);

  411. 				teamModel.addUser(user.getName());

  412. 			}

  413. 		}

  414. 	}

  415. 

  416. 	private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {

  417. 		TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));

  418. 		answer.accountType = getAccountType();

  419. 		// potentially retrieve other attributes here in the future

  420. 

  421. 		return answer;

  422. 	}

  423. 

  424. 	private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {

  425. 		try {

  426. 			return ldapConnection.search(base, SearchScope.SUB, filter);

  427. 		} catch (LDAPSearchException e) {

  428. 			logger.error("Problem Searching LDAP", e);

  429. 

  430. 			return null;

  431. 		}

  432. 	}

  433. 

  434. 	private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) {

  435. 		try {

  436. 			SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter);

  437. 			if (dereferenceAliases) {

  438. 				searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);

  439. 			}

  440. 			if (attributes != null) {

  441. 				searchRequest.setAttributes(attributes);

  442. 			}

  443. 			return ldapConnection.search(searchRequest);

  444. 

  445. 		} catch (LDAPSearchException e) {

  446. 			logger.error("Problem Searching LDAP", e);

  447. 

  448. 			return null;

  449. 		} catch (LDAPException e) {

  450. 			logger.error("Problem creating LDAP search", e);

  451. 			return null;

  452. 		}

  453. 	}

  454. 

  455. 	private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {

  456. 		try {

  457. 			// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN

  458. 			ldapConnection.bind(userDn, password);

  459. 			return true;

  460. 		} catch (LDAPException e) {

  461. 			logger.error("Error authenticating user", e);

  462. 			return false;

  463. 		}

  464. 	}

  465. 

  466. 	/**

  467. 	 * Returns a simple username without any domain prefixes.

  468. 	 *

  469. 	 * @param username

  470. 	 * @return a simple username

  471. 	 */

  472. 	protected String getSimpleUsername(String username) {

  473. 		int lastSlash = username.lastIndexOf('\\');

  474. 		if (lastSlash > -1) {

  475. 			username = username.substring(lastSlash + 1);

  476. 		}

  477. 

  478. 		return username;

  479. 	}

  480. 

  481. 	// From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

  482. 	public static final String escapeLDAPSearchFilter(String filter) {

  483. 		StringBuilder sb = new StringBuilder();

  484. 		for (int i = 0; i < filter.length(); i++) {

  485. 			char curChar = filter.charAt(i);

  486. 			switch (curChar) {

  487. 			case '\\':

  488. 				sb.append("\\5c");

  489. 				break;

  490. 			case '*':

  491. 				sb.append("\\2a");

  492. 				break;

  493. 			case '(':

  494. 				sb.append("\\28");

  495. 				break;

  496. 			case ')':

  497. 				sb.append("\\29");

  498. 				break;

  499. 			case '\u0000':

  500. 				sb.append("\\00");

  501. 				break;

  502. 			default:

  503. 				sb.append(curChar);

  504. 			}

  505. 		}

  506. 		return sb.toString();

  507. 	}

  508. }