diff --git a/.github/infrastructure/docker-compose-solace.yml b/.github/infrastructure/docker-compose-solace.yml new file mode 100644 index 000000000..96cb46abb --- /dev/null +++ b/.github/infrastructure/docker-compose-solace.yml @@ -0,0 +1,61 @@ +version: '3.3' + +services: + primary: + container_name: pubSubStandardSingleNode + image: solace/solace-pubsub-standard:latest + volumes: + - "storage-group:/var/lib/solace" + shm_size: 1g + ulimits: + core: -1 + nofile: + soft: 2448 + hard: 6592 + deploy: + restart_policy: + condition: on-failure + max_attempts: 1 + ports: + #Port Mappings: With the exception of SMF, ports are mapped straight + #through from host to container. This may result in port collisions on + #commonly used ports that will cause failure of the container to start. + #Web transport + - '8008:8008' + #Web transport over TLS + - '1443:1443' + #SEMP over TLS + - '1943:1943' + #MQTT Default VPN + - '1883:1883' + #AMQP Default VPN over TLS + - '5671:5671' + #AMQP Default VPN + - '5672:5672' + #MQTT Default VPN over WebSockets + - '8000:8000' + #MQTT Default VPN over WebSockets / TLS + - '8443:8443' + #MQTT Default VPN over TLS + - '8883:8883' + #SEMP / PubSub+ Manager + - '8080:8080' + #REST Default VPN + - '9000:9000' + #REST Default VPN over TLS + - '9443:9443' + #SMF + - '55554:55555' + #SMF Compressed + - '55003:55003' + #SMF over TLS + - '55443:55443' + #SSH connection to CLI + - '2222:2222' + environment: + - username_admin_globalaccesslevel=admin + - username_admin_password=admin + - system_scaling_maxconnectioncount=100 + +volumes: + storage-group: \ No newline at end of file diff --git a/.github/infrastructure/terraform/conformance/pubsub/aws/snssqs/snssqs.tf b/.github/infrastructure/terraform/conformance/pubsub/aws/snssqs/snssqs.tf new file mode 100644 index 000000000..dbf787b09 --- /dev/null +++ b/.github/infrastructure/terraform/conformance/pubsub/aws/snssqs/snssqs.tf @@ -0,0 +1,105 @@ +terraform { + required_version = ">=0.13" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} + +variable "TIMESTAMP" { + type = string + description = "Timestamp of the github worklow run." +} + +variable "UNIQUE_ID" { + type = string + description = "Unique Id of the github worklow run." +} + +provider "aws" { + region = "us-east-1" + default_tags { + tags = { + Purpose = "AutomatedTesting" + Timestamp = "${var.TIMESTAMP}" + } + } +} + +resource "aws_sns_topic" "testTopic" { + name = "testTopic-${var.UNIQUE_ID}" + tags = { + dapr-topic-name = "testTopic-${var.UNIQUE_ID}" + } +} + +resource "aws_sns_topic" "multiTopic1" { + name = "multiTopic1-${var.UNIQUE_ID}" + tags = { + dapr-topic-name = "multiTopic1-${var.UNIQUE_ID}" + } +} + +resource "aws_sns_topic" "multiTopic2" { + name = "multiTopic2-${var.UNIQUE_ID}" + tags = { + dapr-topic-name = "multiTopic2-${var.UNIQUE_ID}" + } +} + +resource "aws_sqs_queue" "testQueue" { + name = "testQueue-${var.UNIQUE_ID}" + tags = { + dapr-queue-name = "testQueue-${var.UNIQUE_ID}" + } +} + +resource "aws_sns_topic_subscription" "multiTopic1_testQueue" { + topic_arn = aws_sns_topic.multiTopic1.arn + protocol = "sqs" + endpoint = aws_sqs_queue.testQueue.arn +} + +resource "aws_sns_topic_subscription" "multiTopic2_testQueue" { + topic_arn = aws_sns_topic.multiTopic2.arn + protocol = "sqs" + endpoint = aws_sqs_queue.testQueue.arn +} + +resource "aws_sns_topic_subscription" "testTopic_testQueue" { + topic_arn = aws_sns_topic.testTopic.arn + protocol = "sqs" + endpoint = aws_sqs_queue.testQueue.arn +} + +resource "aws_sqs_queue_policy" "testQueue_policy" { + queue_url = "${aws_sqs_queue.testQueue.id}" + + policy = < { async function handleIssueCommentCreate({ github, context }) { const payload = context.payload; const issue = context.issue; - const username = context.actor; + const username = (context.actor || "").toLowerCase(); const isFromPulls = !!payload.issue.pull_request; const commentBody = payload.comment.body; @@ -70,15 +70,12 @@ async function handleIssueCommentCreate({ github, context }) { } // Commands that can only be executed by owners. - if (owners.indexOf(username) < 0) { + if (owners.map((v) => v.toLowerCase()).indexOf(username) < 0) { console.log(`[handleIssueCommentCreate] user ${username} is not an owner, exiting.`); return; } switch (command) { - case "/make-me-laugh": - await cmdMakeMeLaugh(github, issue); - break; case "/ok-to-test": await cmdOkToTest(github, issue, isFromPulls); break; @@ -108,7 +105,7 @@ async function handleIssueOrPrLabeled({ github, context }) { // Only authorized users can add labels to issues. if (label == "documentation required") { // Open a new docs issue - await github.issues.create({ + await github.rest.issues.create({ owner: "dapr", repo: "docs", title: `New content needed for dapr/components-contrib#${issueNumber}`, @@ -117,7 +114,7 @@ async function handleIssueOrPrLabeled({ github, context }) { }); } else if (label == "new component") { // Open a new dapr issue - await github.issues.create({ + await github.rest.issues.create({ owner: "dapr", repo: "dapr", title: `Component registration for dapr/components-contrib#${issueNumber}`, @@ -145,7 +142,7 @@ async function cmdAssign(github, issue, username, isFromPulls) { return; } - await github.issues.addAssignees({ + await github.rest.issues.addAssignees({ owner: issue.owner, repo: issue.repo, issue_number: issue.number, @@ -153,27 +150,6 @@ async function cmdAssign(github, issue, username, isFromPulls) { }); } -/** - * Comment a funny joke. - * @param {*} github GitHub object reference - * @param {*} issue GitHub issue object - */ -async function cmdMakeMeLaugh(github, issue) { - const result = await github.request("https://official-joke-api.appspot.com/random_joke"); - jokedata = result.data; - joke = "I have a bad feeling about this."; - if (jokedata && jokedata.setup && jokedata.punchline) { - joke = `${jokedata.setup} - ${jokedata.punchline}`; - } - - await github.issues.createComment({ - owner: issue.owner, - repo: issue.repo, - issue_number: issue.number, - body: joke, - }); -} - /** * Trigger e2e test for the pull request. @@ -188,7 +164,7 @@ async function cmdOkToTest(github, issue, isFromPulls) { } // Get pull request - const pull = await github.pulls.get({ + const pull = await github.rest.pulls.get({ owner: issue.owner, repo: issue.repo, pull_number: issue.number @@ -204,7 +180,7 @@ async function cmdOkToTest(github, issue, isFromPulls) { }; // Fire repository_dispatch event to trigger certification test - await github.repos.createDispatchEvent({ + await github.rest.repos.createDispatchEvent({ owner: issue.owner, repo: issue.repo, event_type: "certification-test", @@ -212,7 +188,7 @@ async function cmdOkToTest(github, issue, isFromPulls) { }); // Fire repository_dispatch event to trigger conformance test - await github.repos.createDispatchEvent({ + await github.rest.repos.createDispatchEvent({ owner: issue.owner, repo: issue.repo, event_type: "conformance-test", diff --git a/.github/workflows/certification.yml b/.github/workflows/certification.yml index c9e5e6c3a..9f7bf7c9b 100644 --- a/.github/workflows/certification.yml +++ b/.github/workflows/certification.yml @@ -151,6 +151,8 @@ jobs: run: shell: bash needs: generate-matrix + env: + UNIQUE_ID: ${{github.run_id}}-${{github.run_attempt}} strategy: fail-fast: false # Keep running even if one component fails @@ -199,15 +201,26 @@ jobs: creds: ${{ secrets.AZURE_CREDENTIALS }} if: matrix.required-secrets != '' + # Set this GitHub secret to your KeyVault, and grant the KeyVault policy to your Service Principal: + # az keyvault set-policy -n $AZURE_KEYVAULT --secret-permissions get list --spn $SPN_CLIENT_ID + # Using az cli to query keyvault as Azure/get-keyvault-secrets@v1 is deprecated - name: Setup secrets - uses: Azure/get-keyvault-secrets@v1 - with: - # Set this GitHub secret to your KeyVault, and grant the KeyVault policy to your Service Principal: - # az keyvault set-policy -n $AZURE_KEYVAULT --secret-permissions get list --spn $SPN_CLIENT_ID - keyvault: ${{ secrets.AZURE_KEYVAULT }} - secrets: ${{ matrix.required-secrets }} id: get-azure-secrets if: matrix.required-secrets != '' + env: + VAULT_NAME: ${{ secrets.AZURE_KEYVAULT }} + run: | + secrets="${{ matrix.required-secrets }}" + for secretName in $(echo -n $secrets | tr ',' ' '); do + value=$(az keyvault secret show \ + --name $secretName \ + --vault-name $VAULT_NAME \ + --query value \ + --output tsv) + echo "::add-mask::$value" + echo "$secretName=$value" >> $GITHUB_OUTPUT + echo "$secretName=$value" >> $GITHUB_ENV + done # Download the required certificates into files, and set env var pointing to their names - name: Setup certs @@ -223,6 +236,46 @@ jobs: echo "$CERT_NAME=$CERT_FILE" >> $GITHUB_ENV done + - name: Get current time + run: | + echo "CURRENT_TIME=$(date --rfc-3339=date)" >> ${GITHUB_ENV} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + if: matrix.terraform-dir != '' + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + aws-region: us-west-1 + if: matrix.terraform-dir != '' + + - name: Terraform Init + id: init + run: terraform init + working-directory: "./.github/infrastructure/terraform/certification/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + + - name: Terraform Validate + id: validate + run: terraform validate -no-color + working-directory: "./.github/infrastructure/terraform/certification/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + + - name: Terraform Plan + id: plan + run: terraform plan -no-color -var="UNIQUE_ID=${{env.UNIQUE_ID}}" -var="TIMESTAMP=${{env.CURRENT_TIME}}" + working-directory: "./.github/infrastructure/terraform/certification/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + + - name: Terraform Apply + run: terraform apply -auto-approve -var="UNIQUE_ID=${{env.UNIQUE_ID}}" -var="TIMESTAMP=${{env.CURRENT_TIME}}" + working-directory: "./.github/infrastructure/terraform/certification/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + continue-on-error: true + - name: Set up Go uses: actions/setup-go@v3 with: @@ -245,6 +298,9 @@ jobs: - name: Run tests continue-on-error: false working-directory: ${{ env.TEST_PATH }} + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }} run: | echo "Running certification tests for ${{ matrix.component }} ... " export GOLANG_PROTOBUF_REGISTRATION_CONFLICT=ignore @@ -336,6 +392,12 @@ jobs: name: ${{ matrix.component }}_certification_test path: ${{ env.TEST_OUTPUT_FILE_PREFIX }}_certification.* + - name: Terraform Destroy + continue-on-error: true + run: terraform destroy -auto-approve -var="UNIQUE_ID=${{env.UNIQUE_ID}}" -var="TIMESTAMP=${{env.CURRENT_TIME}}" + working-directory: "./.github/infrastructure/terraform/certification/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + post_job: name: Post-completion runs-on: ubuntu-latest diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 47e0afe46..1fecad380 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -61,7 +61,7 @@ jobs: - bindings.redis.v7 - bindings.kubemq - bindings.rabbitmq - - pubsub.aws.snssqs + - pubsub.aws.snssqs.docker - pubsub.hazelcast - pubsub.in-memory - pubsub.mqtt-emqx @@ -74,6 +74,7 @@ jobs: - pubsub.kafka-wurstmeister - pubsub.kafka-confluent - pubsub.kubemq + - pubsub.solace - secretstores.kubernetes - secretstores.localenv - secretstores.localfile @@ -149,6 +150,8 @@ jobs: required-secrets: AzureKeyVaultName,AzureKeyVaultSecretStoreTenantId,AzureKeyVaultSecretStoreServicePrincipalClientId,AzureKeyVaultSecretStoreServicePrincipalClientSecret - component: bindings.azure.cosmosdb required-secrets: AzureCosmosDBMasterKey,AzureCosmosDBUrl,AzureCosmosDB,AzureCosmosDBCollection + - component: pubsub.aws.snssqs.terraform + terraform-dir: pubsub/aws/snssqs - component: state.cloudflare.workerskv EOF ) @@ -179,6 +182,7 @@ jobs: # Version of Node.js to use # Currently used by the Cloudflare components NODE_VERSION: 18.x + UNIQUE_ID: ${{github.run_id}}-${{github.run_attempt}} defaults: run: shell: bash @@ -223,15 +227,26 @@ jobs: creds: ${{ secrets.AZURE_CREDENTIALS }} if: matrix.required-secrets != '' + # Set this GitHub secret to your KeyVault, and grant the KeyVault policy to your Service Principal: + # az keyvault set-policy -n $AZURE_KEYVAULT --secret-permissions get list --spn $SPN_CLIENT_ID + # Using az cli to query keyvault as Azure/get-keyvault-secrets@v1 is deprecated - name: Setup secrets - uses: Azure/get-keyvault-secrets@v1 - with: - # Set this GitHub secret to your KeyVault, and grant the KeyVault policy to your Service Principal: - # az keyvault set-policy -n $AZURE_KEYVAULT --secret-permissions get list --spn $SPN_CLIENT_ID - keyvault: ${{ secrets.AZURE_KEYVAULT }} - secrets: ${{ matrix.required-secrets }} id: get-azure-secrets if: matrix.required-secrets != '' + env: + VAULT_NAME: ${{ secrets.AZURE_KEYVAULT }} + run: | + secrets="${{ matrix.required-secrets }}" + for secretName in $(echo -n $secrets | tr ',' ' '); do + value=$(az keyvault secret show \ + --name $secretName \ + --vault-name $VAULT_NAME \ + --query value \ + --output tsv) + echo "::add-mask::$value" + echo "$secretName=$value" >> $GITHUB_OUTPUT + echo "$secretName=$value" >> $GITHUB_ENV + done - name: Start ngrok if: contains(matrix.component, 'azure.eventgrid') @@ -261,6 +276,58 @@ jobs: echo "$CERT_NAME=$CERT_FILE" >> $GITHUB_ENV done + - name: Get current time + run: | + echo "CURRENT_TIME=$(date --rfc-3339=date)" >> ${GITHUB_ENV} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + if: matrix.terraform-dir != '' + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }} + aws-region: us-west-1 + if: matrix.terraform-dir != '' + + - name: Terraform Init + id: init + run: terraform init + working-directory: "./.github/infrastructure/terraform/conformance/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + + - name: Terraform Validate + id: validate + run: terraform validate -no-color + working-directory: "./.github/infrastructure/terraform/conformance/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + + - name: Terraform Plan + id: plan + run: terraform plan -no-color -var="UNIQUE_ID=${{env.UNIQUE_ID}}" -var="TIMESTAMP=${{env.CURRENT_TIME}}" + working-directory: "./.github/infrastructure/terraform/conformance/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + + - name: Terraform Apply + run: terraform apply -auto-approve -var="UNIQUE_ID=${{env.UNIQUE_ID}}" -var="TIMESTAMP=${{env.CURRENT_TIME}}" + working-directory: "./.github/infrastructure/terraform/conformance/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + continue-on-error: true + + - name: Create aws.snssqs variables + run: | + PUBSUB_AWS_SNSSQS_QUEUE="testQueue-${{ env.UNIQUE_ID }}" + echo "PUBSUB_AWS_SNSSQS_QUEUE=$PUBSUB_AWS_SNSSQS_QUEUE" >> $GITHUB_ENV + PUBSUB_AWS_SNSSQS_TOPIC="testTopic-${{ env.UNIQUE_ID }}" + echo "PUBSUB_AWS_SNSSQS_TOPIC=$PUBSUB_AWS_SNSSQS_TOPIC" >> $GITHUB_ENV + PUBSUB_AWS_SNSSQS_TOPIC_MULTI_1="multiTopic1-${{ env.UNIQUE_ID }}" + echo "PUBSUB_AWS_SNSSQS_TOPIC_MULTI_1=$PUBSUB_AWS_SNSSQS_TOPIC_MULTI_1" >> $GITHUB_ENV + PUBSUB_AWS_SNSSQS_TOPIC_MULTI_2="multiTopic2-${{ env.UNIQUE_ID }}" + echo "PUBSUB_AWS_SNSSQS_TOPIC_MULTI_2=$PUBSUB_AWS_SNSSQS_TOPIC_MULTI_2" >> $GITHUB_ENV + if: contains(matrix.component, 'snssqs') + - name: Start Redis 6 with Redis JSON run: docker-compose -f ./.github/infrastructure/docker-compose-redisjson.yml -p redis up -d if: contains(matrix.component, 'redis.v6') @@ -363,7 +430,7 @@ jobs: - name: Start aws snssqs run: docker-compose -f ./.github/infrastructure/docker-compose-snssqs.yml -p snssqs up -d - if: contains(matrix.component, 'aws.snssqs') + if: contains(matrix.component, 'aws.snssqs.docker') - name: Start influxdb run: | @@ -414,6 +481,10 @@ jobs: - name: Start kubemq run: docker-compose -f ./.github/infrastructure/docker-compose-kubemq.yml -p kubemq up -d if: contains(matrix.component, 'kubemq') + + - name: Start solace + run: docker-compose -f ./.github/infrastructure/docker-compose-solace.yml -p solace up -d + if: contains(matrix.component, 'solace') - name: Start nats with JetStream run: | @@ -445,6 +516,9 @@ jobs: - name: Run tests continue-on-error: true + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }} run: | set -e KIND=$(echo ${{ matrix.component }} | cut -d. -f1) @@ -524,6 +598,12 @@ jobs: rm $CERT_FILE done + - name: Terraform Destroy + continue-on-error: true + run: terraform destroy -auto-approve -var="UNIQUE_ID=${{env.UNIQUE_ID}}" -var="TIMESTAMP=${{env.CURRENT_TIME}}" + working-directory: "./.github/infrastructure/terraform/conformance/${{ matrix.terraform-dir }}" + if: matrix.terraform-dir != '' + - name: Check conformance test passed continue-on-error: false run: | diff --git a/.github/workflows/dapr-bot-schedule.yml b/.github/workflows/dapr-bot-schedule.yml index f43e3dc00..b42283362 100644 --- a/.github/workflows/dapr-bot-schedule.yml +++ b/.github/workflows/dapr-bot-schedule.yml @@ -35,13 +35,14 @@ jobs: prune_stale: name: Prune Stale runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - name: Prune Stale - uses: actions/stale@v3.0.14 + uses: actions/stale@v7.0.0 with: - repo-token: ${{ secrets.DAPR_BOT_TOKEN }} - # Different amounts of days for issues/PRs are not currently supported but there is a PR - # open for it: https://github.com/actions/stale/issues/214 + repo-token: ${{ github.token }} days-before-stale: 30 days-before-close: 7 stale-issue-message: > diff --git a/.github/workflows/dapr-bot.yml b/.github/workflows/dapr-bot.yml index feead1f9c..bfb9fc290 100644 --- a/.github/workflows/dapr-bot.yml +++ b/.github/workflows/dapr-bot.yml @@ -27,9 +27,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 # required to make the script available for next step + uses: actions/checkout@v3 # required to make the script available for next step - name: Issue analyzer - uses: actions/github-script@v4 + uses: actions/github-script@v6 with: github-token: ${{secrets.DAPR_BOT_TOKEN}} script: | diff --git a/internal/component/cloudflare/worker-src/package-lock.json b/internal/component/cloudflare/worker-src/package-lock.json index 7ab2097a9..c0976903a 100644 --- a/internal/component/cloudflare/worker-src/package-lock.json +++ b/internal/component/cloudflare/worker-src/package-lock.json @@ -1,12 +1,12 @@ { "name": "dapr-cfworkers-client", - "version": "20221219", + "version": "20221228", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "dapr-cfworkers-client", - "version": "20221219", + "version": "20221228", "license": "Apache2", "dependencies": { "itty-router": "^2.6.6", diff --git a/internal/component/cloudflare/worker-src/package.json b/internal/component/cloudflare/worker-src/package.json index b963622fd..835e12650 100644 --- a/internal/component/cloudflare/worker-src/package.json +++ b/internal/component/cloudflare/worker-src/package.json @@ -2,7 +2,7 @@ "private": true, "name": "dapr-cfworkers-client", "description": "Client code for Dapr to interact with Cloudflare Workers", - "version": "20221219", + "version": "20221228", "main": "worker.ts", "scripts": { "build": "esbuild --bundle --minify --outfile=../workers/code/worker.js --format=esm --platform=browser --sourcemap worker.ts", diff --git a/internal/component/cloudflare/worker-src/worker.ts b/internal/component/cloudflare/worker-src/worker.ts index e46cdbbc9..d2fcac7d3 100644 --- a/internal/component/cloudflare/worker-src/worker.ts +++ b/internal/component/cloudflare/worker-src/worker.ts @@ -40,24 +40,20 @@ const router = Router() continue } const obj = env[all[i]] - if (!obj || typeof obj != 'object') { + if (!obj || typeof obj != 'object' || !obj.constructor) { continue } - if ( - (obj as Queue) && - typeof (obj as Queue).send == 'function' - ) { - queues.push(all[i]) - } else if ( - (obj as KVNamespace) && - typeof (obj as KVNamespace).getWithMetadata == 'function' - ) { - kv.push(all[i]) - } else if ( - (obj as R2Bucket) && - typeof (obj as R2Bucket).createMultipartUpload == 'function' - ) { - r2.push(all[i]) + switch (obj.constructor.name) { + case 'KVNamespace': + kv.push(all[i]) + break + case 'Queue': + queues.push(all[i]) + break + case 'R2Bucket': + // Note that we currently don't support R2 yet + r2.push(all[i]) + break } } @@ -174,7 +170,7 @@ async function setupKVRequest( return { errorRes: new Response('Bad request', { status: 400 }) } } const namespace = env[req.params.namespace] as KVNamespace - if (!namespace || typeof namespace.getWithMetadata != 'function') { + if (typeof namespace != 'object' || namespace?.constructor?.name != 'KVNamespace') { return { errorRes: new Response( `Worker is not bound to KV '${req.params.kv}'`, @@ -200,7 +196,7 @@ async function setupQueueRequest( return { errorRes: new Response('Bad request', { status: 400 }) } } const queue = env[req.params.queue] as Queue - if (!queue || typeof queue.send != 'function') { + if (typeof queue != 'object' || queue?.constructor?.name != 'Queue') { return { errorRes: new Response( `Worker is not bound to queue '${req.params.queue}'`, diff --git a/internal/component/cloudflare/workers/code/worker.js b/internal/component/cloudflare/workers/code/worker.js index 4510eae39..0390f6553 100644 --- a/internal/component/cloudflare/workers/code/worker.js +++ b/internal/component/cloudflare/workers/code/worker.js @@ -1,2 +1,2 @@ -function ce({base:e="",routes:t=[]}={}){return{__proto__:new Proxy({},{get:(r,n,o)=>(i,...a)=>t.push([n.toUpperCase(),RegExp(`^${(e+i).replace(/(\/?)\*/g,"($1.*)?").replace(/(\/$)|((?<=\/)\/)/,"").replace(/:(\w+)(\?)?(\.)?/g,"$2(?<$1>[^/]+)$2$3").replace(/\.(?=[\w(])/,"\\.").replace(/\)\.\?\(([^\[]+)\[\^/g,"?)\\.?($1(?<=\\.)[^\\.")}/*$`),a])&&o}),routes:t,async handle(r,...n){let o,i,a=new URL(r.url);r.query=Object.fromEntries(a.searchParams);for(var[s,c,d]of t)if((s===r.method||s==="ALL")&&(i=a.pathname.match(c))){r.params=i.groups;for(var m of d)if((o=await m(r.proxy||r,...n))!==void 0)return o}}}}var f=crypto,g=e=>e instanceof CryptoKey;var w=new TextEncoder,y=new TextDecoder,gt=2**32;function C(...e){let t=e.reduce((o,{length:i})=>o+i,0),r=new Uint8Array(t),n=0;return e.forEach(o=>{r.set(o,n),n+=o.length}),r}var de=e=>{let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n{let t=e;t instanceof Uint8Array&&(t=y.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return de(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};var b=class extends Error{constructor(t){var r;super(t),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,(r=Error.captureStackTrace)===null||r===void 0||r.call(Error,this,this.constructor)}static get code(){return"ERR_JOSE_GENERIC"}},E=class extends b{constructor(t,r="unspecified",n="unspecified"){super(t),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}},I=class extends b{constructor(t,r="unspecified",n="unspecified"){super(t),this.code="ERR_JWT_EXPIRED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_EXPIRED"}},T=class extends b{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}},p=class extends b{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}};var u=class extends b{constructor(){super(...arguments),this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}},_=class extends b{constructor(){super(...arguments),this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}};var D=class extends b{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var $=f.getRandomValues.bind(f);function K(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}function v(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function O(e,t){return e.name===t}function Y(e){return parseInt(e.name.slice(4),10)}function Ke(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function xe(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function ue(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!O(e.algorithm,"HMAC"))throw v("HMAC");let n=parseInt(t.slice(2),10);if(Y(e.algorithm.hash)!==n)throw v(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!O(e.algorithm,"RSASSA-PKCS1-v1_5"))throw v("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(Y(e.algorithm.hash)!==n)throw v(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!O(e.algorithm,"RSA-PSS"))throw v("RSA-PSS");let n=parseInt(t.slice(2),10);if(Y(e.algorithm.hash)!==n)throw v(`SHA-${n}`,"algorithm.hash");break}case(K()&&"EdDSA"):{if(!O(e.algorithm,"NODE-ED25519"))throw v("NODE-ED25519");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw v("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!O(e.algorithm,"ECDSA"))throw v("ECDSA");let n=Ke(t);if(e.algorithm.namedCurve!==n)throw v(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}xe(e,r)}function fe(e,t,...r){if(r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor&&t.constructor.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var S=(e,...t)=>fe("Key must be ",e,...t);function Q(e,t,...r){return fe(`Key for the ${e} algorithm must be `,t,...r)}var Z=e=>g(e),l=["CryptoKey"];var Je=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let i of o){if(r.has(i))return!1;r.add(i)}}return!0},W=Je;function Re(e){return typeof e=="object"&&e!==null}function h(e){if(!Re(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var B=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var P=(e,t,r=0)=>{r===0&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(n===-1)return!1;let o=e.subarray(n,n+t.length);return o.length!==t.length?!1:o.every((i,a)=>i===t[a])||P(e,t,n+1)},j=e=>{switch(!0){case P(e,[42,134,72,206,61,3,1,7]):return"P-256";case P(e,[43,129,4,0,34]):return"P-384";case P(e,[43,129,4,0,35]):return"P-521";case P(e,[43,101,110]):return"X25519";case P(e,[43,101,111]):return"X448";case P(e,[43,101,112]):return"Ed25519";case P(e,[43,101,113]):return"Ed448";default:throw new p("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},Me=async(e,t,r,n,o)=>{var i;let a,s,c=new Uint8Array(atob(r.replace(e,"")).split("").map(m=>m.charCodeAt(0))),d=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},s=d?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},s=d?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},s=d?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},s=d?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},s=d?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},s=d?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let m=j(c);a=m.startsWith("P-")?{name:"ECDH",namedCurve:m}:{name:m},s=d?[]:["deriveBits"];break}case(K()&&"EdDSA"):{let m=j(c).toUpperCase();a={name:`NODE-${m}`,namedCurve:`NODE-${m}`},s=d?["verify"]:["sign"];break}case"EdDSA":a={name:j(c)},s=d?["verify"]:["sign"];break;default:throw new p('Invalid or unsupported "alg" (Algorithm) value')}return f.subtle.importKey(t,c,a,(i=o?.extractable)!==null&&i!==void 0?i:!1,s)};var me=(e,t,r)=>Me(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);async function ee(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return me(e,t,r)}var ke=(e,t)=>{if(!(t instanceof Uint8Array)){if(!Z(t))throw new TypeError(Q(e,t,...l,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${l.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},Ne=(e,t,r)=>{if(!Z(t))throw new TypeError(Q(e,t,...l));if(t.type==="secret")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},$e=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?ke(e,t):Ne(e,t,r)},M=$e;function qe(e,t,r,n,o){if(o.crit!==void 0&&n.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(a=>typeof a!="string"||a.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...t.entries()]):i=t;for(let a of n.crit){if(!i.has(a))throw new p(`Extension Header Parameter "${a}" is not recognized`);if(o[a]===void 0)throw new e(`Extension Header Parameter "${a}" is missing`);if(i.get(a)&&n[a]===void 0)throw new e(`Extension Header Parameter "${a}" MUST be integrity protected`)}return new Set(n.crit)}var J=qe;var Xe=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(!!t)return new Set(t)},re=Xe;var Ze=Symbol();function L(e,t){let r=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:e.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:t.namedCurve};case(K()&&"EdDSA"):let{namedCurve:n}=t;return{name:n,namedCurve:n};case"EdDSA":return{name:t.name};default:throw new p(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function G(e,t,r){if(g(t))return ue(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(S(t,...l));return f.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(S(t,...l,"Uint8Array"))}var je=async(e,t,r,n)=>{let o=await G(e,t,"verify");B(e,o);let i=L(e,o.algorithm);try{return await f.subtle.verify(i,o,r,n)}catch{return!1}},Ee=je;async function V(e,t,r){var n;if(!h(e))throw new u("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new u('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new u("JWS Protected Header incorrect type");if(e.payload===void 0)throw new u("JWS Payload missing");if(typeof e.signature!="string")throw new u("JWS Signature missing or incorrect type");if(e.header!==void 0&&!h(e.header))throw new u("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{let se=A(e.protected);o=JSON.parse(y.decode(se))}catch{throw new u("JWS Protected Header is invalid")}if(!W(o,e.header))throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let i={...o,...e.header},a=J(u,new Map([["b64",!0]]),r?.crit,o,i),s=!0;if(a.has("b64")&&(s=o.b64,typeof s!="boolean"))throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:c}=i;if(typeof c!="string"||!c)throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');let d=r&&re("algorithms",r.algorithms);if(d&&!d.has(c))throw new T('"alg" (Algorithm) Header Parameter not allowed');if(s){if(typeof e.payload!="string")throw new u("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new u("JWS Payload must be a string or an Uint8Array instance");let m=!1;typeof t=="function"&&(t=await t(o,e),m=!0),M(c,t,"verify");let R=C(w.encode((n=e.protected)!==null&&n!==void 0?n:""),w.encode("."),typeof e.payload=="string"?w.encode(e.payload):e.payload),X=A(e.signature);if(!await Ee(c,t,X,R))throw new D;let k;s?k=A(e.payload):typeof e.payload=="string"?k=w.encode(e.payload):k=e.payload;let N={payload:k};return e.protected!==void 0&&(N.protectedHeader=o),e.header!==void 0&&(N.unprotectedHeader=e.header),m?{...N,key:t}:N}async function ne(e,t,r){if(e instanceof Uint8Array&&(e=y.decode(e)),typeof e!="string")throw new u("Compact JWS must be a string or Uint8Array");let{0:n,1:o,2:i,length:a}=e.split(".");if(a!==3)throw new u("Invalid Compact JWS");let s=await V({payload:o,protected:n,signature:i},t,r),c={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...c,key:s.key}:c}var oe=e=>Math.floor(e.getTime()/1e3);var et=/^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i,F=e=>{let t=et.exec(e);if(!t)throw new TypeError("Invalid time period format");let r=parseFloat(t[1]);switch(t[2].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":return Math.round(r);case"minute":case"minutes":case"min":case"mins":case"m":return Math.round(r*60);case"hour":case"hours":case"hr":case"hrs":case"h":return Math.round(r*3600);case"day":case"days":case"d":return Math.round(r*86400);case"week":case"weeks":case"w":return Math.round(r*604800);default:return Math.round(r*31557600)}};var ge=e=>e.toLowerCase().replace(/^application\//,""),tt=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,z=(e,t,r={})=>{let{typ:n}=r;if(n&&(typeof e.typ!="string"||ge(e.typ)!==ge(n)))throw new E('unexpected "typ" JWT header value',"typ","check_failed");let o;try{o=JSON.parse(y.decode(t))}catch{}if(!h(o))throw new _("JWT Claims Set must be a top-level JSON object");let{issuer:i}=r;if(i&&!(Array.isArray(i)?i:[i]).includes(o.iss))throw new E('unexpected "iss" claim value',"iss","check_failed");let{subject:a}=r;if(a&&o.sub!==a)throw new E('unexpected "sub" claim value',"sub","check_failed");let{audience:s}=r;if(s&&!tt(o.aud,typeof s=="string"?[s]:s))throw new E('unexpected "aud" claim value',"aud","check_failed");let c;switch(typeof r.clockTolerance){case"string":c=F(r.clockTolerance);break;case"number":c=r.clockTolerance;break;case"undefined":c=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:d}=r,m=oe(d||new Date);if((o.iat!==void 0||r.maxTokenAge)&&typeof o.iat!="number")throw new E('"iat" claim must be a number',"iat","invalid");if(o.nbf!==void 0){if(typeof o.nbf!="number")throw new E('"nbf" claim must be a number',"nbf","invalid");if(o.nbf>m+c)throw new E('"nbf" claim timestamp check failed',"nbf","check_failed")}if(o.exp!==void 0){if(typeof o.exp!="number")throw new E('"exp" claim must be a number',"exp","invalid");if(o.exp<=m-c)throw new I('"exp" claim timestamp check failed',"exp","check_failed")}if(r.maxTokenAge){let R=m-o.iat,X=typeof r.maxTokenAge=="number"?r.maxTokenAge:F(r.maxTokenAge);if(R-c>X)throw new I('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed");if(R<0-c)throw new E('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}return o};async function ae(e,t,r){var n;let o=await ne(e,t,r);if(((n=o.protectedHeader.crit)===null||n===void 0?void 0:n.includes("b64"))&&o.protectedHeader.b64===!1)throw new _("JWTs MUST NOT use unencoded payload");let a={payload:z(o.protectedHeader,o.payload,r),protectedHeader:o.protectedHeader};return typeof t=="function"?{...a,key:o.key}:a}var dt=/^(?:Bearer )?([A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)/i;async function q(e,t){if(t.SKIP_AUTH==="true")return!0;let r=dt.exec(e.headers.get("authorization")||"");if(!r||!r[1])return!1;let n=await ee(t.PUBLIC_KEY,"EdDSA");try{await ae(r[1],n,{issuer:"dapr.io/cloudflare",audience:t.TOKEN_AUDIENCE,algorithms:["EdDSA"],clockTolerance:300})}catch(o){return console.error("Failed to validate JWT: "+o),!1}return!0}var be="20221219";var ut=ce().get("/.well-known/dapr/info",async(e,t)=>{if(!await q(e,t))return new Response("Unauthorized",{status:401});let n=[],o=[],i=[],a=Object.keys(t);for(let c=0;c{let{namespace:r,key:n,errorRes:o}=await ie(e,t);if(o)return o;let i=await r.get(n,"stream");return i?new Response(i,{status:200}):new Response("",{status:404})}).post("/kv/:namespace/:key",async(e,t)=>{let{namespace:r,key:n,errorRes:o}=await ie(e,t);if(o)return o;let i,a=new URL(e.url),s=parseInt(a.searchParams.get("ttl")||"",10);return s>0&&(i=s),await r.put(n,e.body,{expirationTtl:i}),new Response("",{status:201})}).delete("/kv/:namespace/:key",async(e,t)=>{let{namespace:r,key:n,errorRes:o}=await ie(e,t);return o||(await r.delete(n),new Response("",{status:204}))}).post("/queues/:queue",async(e,t)=>{let{queue:r,errorRes:n}=await ft(e,t);if(n)return n;let o=await e.text();return await r.send(o),new Response("",{status:201})}).all("*",()=>new Response("Not found",{status:404}));async function ie(e,t){if(!e?.text||!e.params?.namespace||!e.params?.key)return{errorRes:new Response("Bad request",{status:400})};let r=t[e.params.namespace];return!r||typeof r.getWithMetadata!="function"?{errorRes:new Response(`Worker is not bound to KV '${e.params.kv}'`,{status:412})}:await q(e,t)?{namespace:r,key:e.params.key}:{errorRes:new Response("Unauthorized",{status:401})}}async function ft(e,t){if(!e?.text||!e.params?.queue)return{errorRes:new Response("Bad request",{status:400})};let r=t[e.params.queue];return!r||typeof r.send!="function"?{errorRes:new Response(`Worker is not bound to queue '${e.params.queue}'`,{status:412})}:await q(e,t)?{queue:r}:{errorRes:new Response("Unauthorized",{status:401})}}var Oc={fetch:ut.handle};export{Oc as default}; +function ce({base:e="",routes:t=[]}={}){return{__proto__:new Proxy({},{get:(r,n,o)=>(i,...a)=>t.push([n.toUpperCase(),RegExp(`^${(e+i).replace(/(\/?)\*/g,"($1.*)?").replace(/(\/$)|((?<=\/)\/)/,"").replace(/:(\w+)(\?)?(\.)?/g,"$2(?<$1>[^/]+)$2$3").replace(/\.(?=[\w(])/,"\\.").replace(/\)\.\?\(([^\[]+)\[\^/g,"?)\\.?($1(?<=\\.)[^\\.")}/*$`),a])&&o}),routes:t,async handle(r,...n){let o,i,a=new URL(r.url);r.query=Object.fromEntries(a.searchParams);for(var[s,c,u]of t)if((s===r.method||s==="ALL")&&(i=a.pathname.match(c))){r.params=i.groups;for(var l of u)if((o=await l(r.proxy||r,...n))!==void 0)return o}}}}var f=crypto,g=e=>e instanceof CryptoKey;var w=new TextEncoder,y=new TextDecoder,gt=2**32;function C(...e){let t=e.reduce((o,{length:i})=>o+i,0),r=new Uint8Array(t),n=0;return e.forEach(o=>{r.set(o,n),n+=o.length}),r}var de=e=>{let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n{let t=e;t instanceof Uint8Array&&(t=y.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return de(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};var b=class extends Error{constructor(t){var r;super(t),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,(r=Error.captureStackTrace)===null||r===void 0||r.call(Error,this,this.constructor)}static get code(){return"ERR_JOSE_GENERIC"}},E=class extends b{constructor(t,r="unspecified",n="unspecified"){super(t),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}},I=class extends b{constructor(t,r="unspecified",n="unspecified"){super(t),this.code="ERR_JWT_EXPIRED",this.claim=r,this.reason=n}static get code(){return"ERR_JWT_EXPIRED"}},T=class extends b{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}},d=class extends b{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}};var p=class extends b{constructor(){super(...arguments),this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}},_=class extends b{constructor(){super(...arguments),this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}};var D=class extends b{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var $=f.getRandomValues.bind(f);function K(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}function v(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function O(e,t){return e.name===t}function Y(e){return parseInt(e.name.slice(4),10)}function Ke(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function xe(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function ue(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!O(e.algorithm,"HMAC"))throw v("HMAC");let n=parseInt(t.slice(2),10);if(Y(e.algorithm.hash)!==n)throw v(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!O(e.algorithm,"RSASSA-PKCS1-v1_5"))throw v("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(Y(e.algorithm.hash)!==n)throw v(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!O(e.algorithm,"RSA-PSS"))throw v("RSA-PSS");let n=parseInt(t.slice(2),10);if(Y(e.algorithm.hash)!==n)throw v(`SHA-${n}`,"algorithm.hash");break}case(K()&&"EdDSA"):{if(!O(e.algorithm,"NODE-ED25519"))throw v("NODE-ED25519");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw v("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!O(e.algorithm,"ECDSA"))throw v("ECDSA");let n=Ke(t);if(e.algorithm.namedCurve!==n)throw v(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}xe(e,r)}function fe(e,t,...r){if(r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor&&t.constructor.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var S=(e,...t)=>fe("Key must be ",e,...t);function Q(e,t,...r){return fe(`Key for the ${e} algorithm must be `,t,...r)}var Z=e=>g(e),m=["CryptoKey"];var Je=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let i of o){if(r.has(i))return!1;r.add(i)}}return!0},W=Je;function Re(e){return typeof e=="object"&&e!==null}function h(e){if(!Re(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var B=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var P=(e,t,r=0)=>{r===0&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(n===-1)return!1;let o=e.subarray(n,n+t.length);return o.length!==t.length?!1:o.every((i,a)=>i===t[a])||P(e,t,n+1)},j=e=>{switch(!0){case P(e,[42,134,72,206,61,3,1,7]):return"P-256";case P(e,[43,129,4,0,34]):return"P-384";case P(e,[43,129,4,0,35]):return"P-521";case P(e,[43,101,110]):return"X25519";case P(e,[43,101,111]):return"X448";case P(e,[43,101,112]):return"Ed25519";case P(e,[43,101,113]):return"Ed448";default:throw new d("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},ke=async(e,t,r,n,o)=>{var i;let a,s,c=new Uint8Array(atob(r.replace(e,"")).split("").map(l=>l.charCodeAt(0))),u=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},s=u?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},s=u?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},s=u?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},s=u?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},s=u?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},s=u?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let l=j(c);a=l.startsWith("P-")?{name:"ECDH",namedCurve:l}:{name:l},s=u?[]:["deriveBits"];break}case(K()&&"EdDSA"):{let l=j(c).toUpperCase();a={name:`NODE-${l}`,namedCurve:`NODE-${l}`},s=u?["verify"]:["sign"];break}case"EdDSA":a={name:j(c)},s=u?["verify"]:["sign"];break;default:throw new d('Invalid or unsupported "alg" (Algorithm) value')}return f.subtle.importKey(t,c,a,(i=o?.extractable)!==null&&i!==void 0?i:!1,s)};var le=(e,t,r)=>ke(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);async function ee(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return le(e,t,r)}var Me=(e,t)=>{if(!(t instanceof Uint8Array)){if(!Z(t))throw new TypeError(Q(e,t,...m,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${m.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},Ne=(e,t,r)=>{if(!Z(t))throw new TypeError(Q(e,t,...m));if(t.type==="secret")throw new TypeError(`${m.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${m.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${m.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${m.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${m.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},$e=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?Me(e,t):Ne(e,t,r)},k=$e;function qe(e,t,r,n,o){if(o.crit!==void 0&&n.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(a=>typeof a!="string"||a.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...t.entries()]):i=t;for(let a of n.crit){if(!i.has(a))throw new d(`Extension Header Parameter "${a}" is not recognized`);if(o[a]===void 0)throw new e(`Extension Header Parameter "${a}" is missing`);if(i.get(a)&&n[a]===void 0)throw new e(`Extension Header Parameter "${a}" MUST be integrity protected`)}return new Set(n.crit)}var J=qe;var Xe=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(!!t)return new Set(t)},re=Xe;var Ze=Symbol();function L(e,t){let r=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:e.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:t.namedCurve};case(K()&&"EdDSA"):let{namedCurve:n}=t;return{name:n,namedCurve:n};case"EdDSA":return{name:t.name};default:throw new d(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function G(e,t,r){if(g(t))return ue(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(S(t,...m));return f.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(S(t,...m,"Uint8Array"))}var je=async(e,t,r,n)=>{let o=await G(e,t,"verify");B(e,o);let i=L(e,o.algorithm);try{return await f.subtle.verify(i,o,r,n)}catch{return!1}},Ee=je;async function V(e,t,r){var n;if(!h(e))throw new p("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new p('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new p("JWS Protected Header incorrect type");if(e.payload===void 0)throw new p("JWS Payload missing");if(typeof e.signature!="string")throw new p("JWS Signature missing or incorrect type");if(e.header!==void 0&&!h(e.header))throw new p("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{let se=A(e.protected);o=JSON.parse(y.decode(se))}catch{throw new p("JWS Protected Header is invalid")}if(!W(o,e.header))throw new p("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let i={...o,...e.header},a=J(p,new Map([["b64",!0]]),r?.crit,o,i),s=!0;if(a.has("b64")&&(s=o.b64,typeof s!="boolean"))throw new p('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:c}=i;if(typeof c!="string"||!c)throw new p('JWS "alg" (Algorithm) Header Parameter missing or invalid');let u=r&&re("algorithms",r.algorithms);if(u&&!u.has(c))throw new T('"alg" (Algorithm) Header Parameter not allowed');if(s){if(typeof e.payload!="string")throw new p("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new p("JWS Payload must be a string or an Uint8Array instance");let l=!1;typeof t=="function"&&(t=await t(o,e),l=!0),k(c,t,"verify");let R=C(w.encode((n=e.protected)!==null&&n!==void 0?n:""),w.encode("."),typeof e.payload=="string"?w.encode(e.payload):e.payload),X=A(e.signature);if(!await Ee(c,t,X,R))throw new D;let M;s?M=A(e.payload):typeof e.payload=="string"?M=w.encode(e.payload):M=e.payload;let N={payload:M};return e.protected!==void 0&&(N.protectedHeader=o),e.header!==void 0&&(N.unprotectedHeader=e.header),l?{...N,key:t}:N}async function ne(e,t,r){if(e instanceof Uint8Array&&(e=y.decode(e)),typeof e!="string")throw new p("Compact JWS must be a string or Uint8Array");let{0:n,1:o,2:i,length:a}=e.split(".");if(a!==3)throw new p("Invalid Compact JWS");let s=await V({payload:o,protected:n,signature:i},t,r),c={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...c,key:s.key}:c}var oe=e=>Math.floor(e.getTime()/1e3);var et=/^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i,F=e=>{let t=et.exec(e);if(!t)throw new TypeError("Invalid time period format");let r=parseFloat(t[1]);switch(t[2].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":return Math.round(r);case"minute":case"minutes":case"min":case"mins":case"m":return Math.round(r*60);case"hour":case"hours":case"hr":case"hrs":case"h":return Math.round(r*3600);case"day":case"days":case"d":return Math.round(r*86400);case"week":case"weeks":case"w":return Math.round(r*604800);default:return Math.round(r*31557600)}};var ge=e=>e.toLowerCase().replace(/^application\//,""),tt=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,z=(e,t,r={})=>{let{typ:n}=r;if(n&&(typeof e.typ!="string"||ge(e.typ)!==ge(n)))throw new E('unexpected "typ" JWT header value',"typ","check_failed");let o;try{o=JSON.parse(y.decode(t))}catch{}if(!h(o))throw new _("JWT Claims Set must be a top-level JSON object");let{issuer:i}=r;if(i&&!(Array.isArray(i)?i:[i]).includes(o.iss))throw new E('unexpected "iss" claim value',"iss","check_failed");let{subject:a}=r;if(a&&o.sub!==a)throw new E('unexpected "sub" claim value',"sub","check_failed");let{audience:s}=r;if(s&&!tt(o.aud,typeof s=="string"?[s]:s))throw new E('unexpected "aud" claim value',"aud","check_failed");let c;switch(typeof r.clockTolerance){case"string":c=F(r.clockTolerance);break;case"number":c=r.clockTolerance;break;case"undefined":c=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:u}=r,l=oe(u||new Date);if((o.iat!==void 0||r.maxTokenAge)&&typeof o.iat!="number")throw new E('"iat" claim must be a number',"iat","invalid");if(o.nbf!==void 0){if(typeof o.nbf!="number")throw new E('"nbf" claim must be a number',"nbf","invalid");if(o.nbf>l+c)throw new E('"nbf" claim timestamp check failed',"nbf","check_failed")}if(o.exp!==void 0){if(typeof o.exp!="number")throw new E('"exp" claim must be a number',"exp","invalid");if(o.exp<=l-c)throw new I('"exp" claim timestamp check failed',"exp","check_failed")}if(r.maxTokenAge){let R=l-o.iat,X=typeof r.maxTokenAge=="number"?r.maxTokenAge:F(r.maxTokenAge);if(R-c>X)throw new I('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed");if(R<0-c)throw new E('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}return o};async function ae(e,t,r){var n;let o=await ne(e,t,r);if(((n=o.protectedHeader.crit)===null||n===void 0?void 0:n.includes("b64"))&&o.protectedHeader.b64===!1)throw new _("JWTs MUST NOT use unencoded payload");let a={payload:z(o.protectedHeader,o.payload,r),protectedHeader:o.protectedHeader};return typeof t=="function"?{...a,key:o.key}:a}var dt=/^(?:Bearer )?([A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+)/i;async function q(e,t){if(t.SKIP_AUTH==="true")return!0;let r=dt.exec(e.headers.get("authorization")||"");if(!r||!r[1])return!1;let n=await ee(t.PUBLIC_KEY,"EdDSA");try{await ae(r[1],n,{issuer:"dapr.io/cloudflare",audience:t.TOKEN_AUDIENCE,algorithms:["EdDSA"],clockTolerance:300})}catch(o){return console.error("Failed to validate JWT: "+o),!1}return!0}var be="20221228";var ut=ce().get("/.well-known/dapr/info",async(e,t)=>{if(!await q(e,t))return new Response("Unauthorized",{status:401});let n=[],o=[],i=[],a=Object.keys(t);for(let c=0;c{let{namespace:r,key:n,errorRes:o}=await ie(e,t);if(o)return o;let i=await r.get(n,"stream");return i?new Response(i,{status:200}):new Response("",{status:404})}).post("/kv/:namespace/:key",async(e,t)=>{let{namespace:r,key:n,errorRes:o}=await ie(e,t);if(o)return o;let i,a=new URL(e.url),s=parseInt(a.searchParams.get("ttl")||"",10);return s>0&&(i=s),await r.put(n,e.body,{expirationTtl:i}),new Response("",{status:201})}).delete("/kv/:namespace/:key",async(e,t)=>{let{namespace:r,key:n,errorRes:o}=await ie(e,t);return o||(await r.delete(n),new Response("",{status:204}))}).post("/queues/:queue",async(e,t)=>{let{queue:r,errorRes:n}=await ft(e,t);if(n)return n;let o=await e.text();return await r.send(o),new Response("",{status:201})}).all("*",()=>new Response("Not found",{status:404}));async function ie(e,t){if(!e?.text||!e.params?.namespace||!e.params?.key)return{errorRes:new Response("Bad request",{status:400})};let r=t[e.params.namespace];return typeof r!="object"||r?.constructor?.name!="KVNamespace"?{errorRes:new Response(`Worker is not bound to KV '${e.params.kv}'`,{status:412})}:await q(e,t)?{namespace:r,key:e.params.key}:{errorRes:new Response("Unauthorized",{status:401})}}async function ft(e,t){if(!e?.text||!e.params?.queue)return{errorRes:new Response("Bad request",{status:400})};let r=t[e.params.queue];return typeof r!="object"||r?.constructor?.name!="Queue"?{errorRes:new Response(`Worker is not bound to queue '${e.params.queue}'`,{status:412})}:await q(e,t)?{queue:r}:{errorRes:new Response("Unauthorized",{status:401})}}var Oc={fetch:ut.handle};export{Oc as default}; //# sourceMappingURL=worker.js.map diff --git a/internal/component/cloudflare/workers/code/worker.js.map b/internal/component/cloudflare/workers/code/worker.js.map index ddea9c08f..cee8a0185 100644 --- a/internal/component/cloudflare/workers/code/worker.js.map +++ b/internal/component/cloudflare/workers/code/worker.js.map @@ -1,7 +1,7 @@ { "version": 3, "sources": ["../../worker-src/node_modules/itty-router/dist/itty-router.min.mjs", "../../worker-src/node_modules/jose/dist/browser/runtime/webcrypto.js", "../../worker-src/node_modules/jose/dist/browser/lib/buffer_utils.js", "../../worker-src/node_modules/jose/dist/browser/runtime/base64url.js", "../../worker-src/node_modules/jose/dist/browser/util/errors.js", "../../worker-src/node_modules/jose/dist/browser/runtime/random.js", "../../worker-src/node_modules/jose/dist/browser/runtime/env.js", "../../worker-src/node_modules/jose/dist/browser/lib/crypto_key.js", "../../worker-src/node_modules/jose/dist/browser/lib/invalid_key_input.js", "../../worker-src/node_modules/jose/dist/browser/runtime/is_key_like.js", "../../worker-src/node_modules/jose/dist/browser/lib/is_disjoint.js", "../../worker-src/node_modules/jose/dist/browser/lib/is_object.js", "../../worker-src/node_modules/jose/dist/browser/runtime/check_key_length.js", "../../worker-src/node_modules/jose/dist/browser/runtime/asn1.js", "../../worker-src/node_modules/jose/dist/browser/key/import.js", "../../worker-src/node_modules/jose/dist/browser/lib/check_key_type.js", "../../worker-src/node_modules/jose/dist/browser/lib/validate_crit.js", "../../worker-src/node_modules/jose/dist/browser/lib/validate_algorithms.js", "../../worker-src/node_modules/jose/dist/browser/jwe/flattened/encrypt.js", "../../worker-src/node_modules/jose/dist/browser/runtime/subtle_dsa.js", "../../worker-src/node_modules/jose/dist/browser/runtime/get_sign_verify_key.js", "../../worker-src/node_modules/jose/dist/browser/runtime/verify.js", "../../worker-src/node_modules/jose/dist/browser/jws/flattened/verify.js", "../../worker-src/node_modules/jose/dist/browser/jws/compact/verify.js", "../../worker-src/node_modules/jose/dist/browser/lib/epoch.js", "../../worker-src/node_modules/jose/dist/browser/lib/secs.js", "../../worker-src/node_modules/jose/dist/browser/lib/jwt_claims_set.js", "../../worker-src/node_modules/jose/dist/browser/jwt/verify.js", "../../worker-src/lib/jwt-auth.ts", "../../worker-src/worker.ts"], - "sourcesContent": ["function e({base:t=\"\",routes:n=[]}={}){return{__proto__:new Proxy({},{get:(e,a,o)=>(e,...r)=>n.push([a.toUpperCase(),RegExp(`^${(t+e).replace(/(\\/?)\\*/g,\"($1.*)?\").replace(/(\\/$)|((?<=\\/)\\/)/,\"\").replace(/:(\\w+)(\\?)?(\\.)?/g,\"$2(?<$1>[^/]+)$2$3\").replace(/\\.(?=[\\w(])/,\"\\\\.\").replace(/\\)\\.\\?\\(([^\\[]+)\\[\\^/g,\"?)\\\\.?($1(?<=\\\\.)[^\\\\.\")}/*$`),r])&&o}),routes:n,async handle(e,...r){let a,o,t=new URL(e.url);e.query=Object.fromEntries(t.searchParams);for(var[p,s,u]of n)if((p===e.method||\"ALL\"===p)&&(o=t.pathname.match(s))){e.params=o.groups;for(var c of u)if(void 0!==(a=await c(e.proxy||e,...r)))return a}}}}export default{Router:e};export{e as Router};\n", "export default crypto;\nexport const isCryptoKey = (key) => key instanceof CryptoKey;\n", "import digest from '../runtime/digest.js';\nexport const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n buffers.forEach((buffer) => {\n buf.set(buffer, i);\n i += buffer.length;\n });\n return buf;\n}\nexport function p2s(alg, p2sInput) {\n return concat(encoder.encode(alg), new Uint8Array([0]), p2sInput);\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function lengthAndInput(input) {\n return concat(uint32be(input.length), input);\n}\nexport async function concatKdf(secret, bits, value) {\n const iterations = Math.ceil((bits >> 3) / 32);\n const res = new Uint8Array(iterations * 32);\n for (let iter = 0; iter < iterations; iter++) {\n const buf = new Uint8Array(4 + secret.length + value.length);\n buf.set(uint32be(iter + 1));\n buf.set(secret, 4);\n buf.set(value, 4 + secret.length);\n res.set(await digest('sha256', buf), iter * 32);\n }\n return res.slice(0, bits >> 3);\n}\n", "import { encoder, decoder } from '../lib/buffer_utils.js';\nexport const encodeBase64 = (input) => {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < unencoded.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, unencoded.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n};\nexport const encode = (input) => {\n return encodeBase64(input).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n};\nexport const decodeBase64 = (encoded) => {\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n};\nexport const decode = (input) => {\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, '');\n try {\n return decodeBase64(encoded);\n }\n catch (_a) {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n};\n", "export class JOSEError extends Error {\n constructor(message) {\n var _a;\n super(message);\n this.code = 'ERR_JOSE_GENERIC';\n this.name = this.constructor.name;\n (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);\n }\n static get code() {\n return 'ERR_JOSE_GENERIC';\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n constructor(message, claim = 'unspecified', reason = 'unspecified') {\n super(message);\n this.code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n this.claim = claim;\n this.reason = reason;\n }\n static get code() {\n return 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n }\n}\nexport class JWTExpired extends JOSEError {\n constructor(message, claim = 'unspecified', reason = 'unspecified') {\n super(message);\n this.code = 'ERR_JWT_EXPIRED';\n this.claim = claim;\n this.reason = reason;\n }\n static get code() {\n return 'ERR_JWT_EXPIRED';\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n }\n static get code() {\n return 'ERR_JOSE_ALG_NOT_ALLOWED';\n }\n}\nexport class JOSENotSupported extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JOSE_NOT_SUPPORTED';\n }\n static get code() {\n return 'ERR_JOSE_NOT_SUPPORTED';\n }\n}\nexport class JWEDecryptionFailed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWE_DECRYPTION_FAILED';\n this.message = 'decryption operation failed';\n }\n static get code() {\n return 'ERR_JWE_DECRYPTION_FAILED';\n }\n}\nexport class JWEInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWE_INVALID';\n }\n static get code() {\n return 'ERR_JWE_INVALID';\n }\n}\nexport class JWSInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWS_INVALID';\n }\n static get code() {\n return 'ERR_JWS_INVALID';\n }\n}\nexport class JWTInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWT_INVALID';\n }\n static get code() {\n return 'ERR_JWT_INVALID';\n }\n}\nexport class JWKInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWK_INVALID';\n }\n static get code() {\n return 'ERR_JWK_INVALID';\n }\n}\nexport class JWKSInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_INVALID';\n }\n static get code() {\n return 'ERR_JWKS_INVALID';\n }\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_NO_MATCHING_KEY';\n this.message = 'no applicable key found in the JSON Web Key Set';\n }\n static get code() {\n return 'ERR_JWKS_NO_MATCHING_KEY';\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n this.message = 'multiple matching keys found in the JSON Web Key Set';\n }\n static get code() {\n return 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n }\n}\nexport class JWKSTimeout extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_TIMEOUT';\n this.message = 'request timed out';\n }\n static get code() {\n return 'ERR_JWKS_TIMEOUT';\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n this.message = 'signature verification failed';\n }\n static get code() {\n return 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n }\n}\n", "import crypto from './webcrypto.js';\nexport default crypto.getRandomValues.bind(crypto);\n", "export function isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\n", "import { isCloudflareWorkers } from '../runtime/env.js';\nfunction unusable(name, prop = 'algorithm.name') {\n return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\n}\nfunction isAlgorithm(algorithm, name) {\n return algorithm.name === name;\n}\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usages) {\n if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {\n let msg = 'CryptoKey does not support this operation, its usages must include ';\n if (usages.length > 2) {\n const last = usages.pop();\n msg += `one of ${usages.join(', ')}, or ${last}.`;\n }\n else if (usages.length === 2) {\n msg += `one of ${usages[0]} or ${usages[1]}.`;\n }\n else {\n msg += `${usages[0]}.`;\n }\n throw new TypeError(msg);\n }\n}\nexport function checkSigCryptoKey(key, alg, ...usages) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case isCloudflareWorkers() && 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'NODE-ED25519'))\n throw unusable('NODE-ED25519');\n break;\n }\n case 'EdDSA': {\n if (key.algorithm.name !== 'Ed25519' && key.algorithm.name !== 'Ed448') {\n throw unusable('Ed25519 or Ed448');\n }\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usages);\n}\nexport function checkEncCryptoKey(key, alg, ...usages) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n case 'X448':\n break;\n default:\n throw unusable('ECDH, X25519, or X448');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usages);\n}\n", "function message(msg, actual, ...types) {\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor && actual.constructor.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport default (actual, ...types) => {\n return message('Key must be ', actual, ...types);\n};\nexport function withAlg(alg, actual, ...types) {\n return message(`Key for the ${alg} algorithm must be `, actual, ...types);\n}\n", "import { isCryptoKey } from './webcrypto.js';\nexport default (key) => {\n return isCryptoKey(key);\n};\nexport const types = ['CryptoKey'];\n", "const isDisjoint = (...headers) => {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n};\nexport default isDisjoint;\n", "function isObjectLike(value) {\n return typeof value === 'object' && value !== null;\n}\nexport default function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n", "export default (alg, key) => {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n};\n", "import { isCloudflareWorkers } from './env.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { encodeBase64 } from './base64url.js';\nimport formatPEM from '../lib/format_pem.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { types } from './is_key_like.js';\nconst genericExport = async (keyType, keyFormat, key) => {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n if (!key.extractable) {\n throw new TypeError('CryptoKey is not extractable');\n }\n if (key.type !== keyType) {\n throw new TypeError(`key is not a ${keyType} key`);\n }\n return formatPEM(encodeBase64(new Uint8Array(await crypto.subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);\n};\nexport const toSPKI = (key) => {\n return genericExport('public', 'spki', key);\n};\nexport const toPKCS8 = (key) => {\n return genericExport('private', 'pkcs8', key);\n};\nconst findOid = (keyData, oid, from = 0) => {\n if (from === 0) {\n oid.unshift(oid.length);\n oid.unshift(0x06);\n }\n let i = keyData.indexOf(oid[0], from);\n if (i === -1)\n return false;\n const sub = keyData.subarray(i, i + oid.length);\n if (sub.length !== oid.length)\n return false;\n return sub.every((value, index) => value === oid[index]) || findOid(keyData, oid, i + 1);\n};\nconst getNamedCurve = (keyData) => {\n switch (true) {\n case findOid(keyData, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]):\n return 'P-256';\n case findOid(keyData, [0x2b, 0x81, 0x04, 0x00, 0x22]):\n return 'P-384';\n case findOid(keyData, [0x2b, 0x81, 0x04, 0x00, 0x23]):\n return 'P-521';\n case findOid(keyData, [0x2b, 0x65, 0x6e]):\n return 'X25519';\n case findOid(keyData, [0x2b, 0x65, 0x6f]):\n return 'X448';\n case findOid(keyData, [0x2b, 0x65, 0x70]):\n return 'Ed25519';\n case findOid(keyData, [0x2b, 0x65, 0x71]):\n return 'Ed448';\n default:\n throw new JOSENotSupported('Invalid or unsupported EC Key Curve or OKP Key Sub Type');\n }\n};\nconst genericImport = async (replace, keyFormat, pem, alg, options) => {\n var _a;\n let algorithm;\n let keyUsages;\n const keyData = new Uint8Array(atob(pem.replace(replace, ''))\n .split('')\n .map((c) => c.charCodeAt(0)));\n const isPublic = keyFormat === 'spki';\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,\n };\n keyUsages = isPublic ? ['encrypt', 'wrapKey'] : ['decrypt', 'unwrapKey'];\n break;\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n const namedCurve = getNamedCurve(keyData);\n algorithm = namedCurve.startsWith('P-') ? { name: 'ECDH', namedCurve } : { name: namedCurve };\n keyUsages = isPublic ? [] : ['deriveBits'];\n break;\n }\n case isCloudflareWorkers() && 'EdDSA': {\n const namedCurve = getNamedCurve(keyData).toUpperCase();\n algorithm = { name: `NODE-${namedCurve}`, namedCurve: `NODE-${namedCurve}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n }\n case 'EdDSA':\n algorithm = { name: getNamedCurve(keyData) };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported \"alg\" (Algorithm) value');\n }\n return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, keyUsages);\n};\nexport const fromPKCS8 = (pem, alg, options) => {\n return genericImport(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\\s)/g, 'pkcs8', pem, alg, options);\n};\nexport const fromSPKI = (pem, alg, options) => {\n return genericImport(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\\s)/g, 'spki', pem, alg, options);\n};\n", "import { decode as decodeBase64URL, encodeBase64, decodeBase64 } from '../runtime/base64url.js';\nimport { fromSPKI as importPublic } from '../runtime/asn1.js';\nimport { fromPKCS8 as importPrivate } from '../runtime/asn1.js';\nimport asKeyObject from '../runtime/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport formatPEM from '../lib/format_pem.js';\nimport isObject from '../lib/is_object.js';\nfunction getElement(seq) {\n let result = [];\n let next = 0;\n while (next < seq.length) {\n let nextPart = parseElement(seq.subarray(next));\n result.push(nextPart);\n next += nextPart.byteLength;\n }\n return result;\n}\nfunction parseElement(bytes) {\n let position = 0;\n let tag = bytes[0] & 0x1f;\n position++;\n if (tag === 0x1f) {\n tag = 0;\n while (bytes[position] >= 0x80) {\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n let length = 0;\n if (bytes[position] < 0x80) {\n length = bytes[position];\n position++;\n }\n else if (length === 0x80) {\n length = 0;\n while (bytes[position + length] !== 0 || bytes[position + length + 1] !== 0) {\n if (length > bytes.byteLength) {\n throw new TypeError('invalid indefinite form length');\n }\n length++;\n }\n const byteLength = position + length + 2;\n return {\n byteLength,\n contents: bytes.subarray(position, position + length),\n raw: bytes.subarray(0, byteLength),\n };\n }\n else {\n let numberOfDigits = bytes[position] & 0x7f;\n position++;\n length = 0;\n for (let i = 0; i < numberOfDigits; i++) {\n length = length * 256 + bytes[position];\n position++;\n }\n }\n const byteLength = position + length;\n return {\n byteLength,\n contents: bytes.subarray(position, byteLength),\n raw: bytes.subarray(0, byteLength),\n };\n}\nfunction spkiFromX509(buf) {\n const tbsCertificate = getElement(getElement(parseElement(buf).contents)[0].contents);\n return encodeBase64(tbsCertificate[tbsCertificate[0].raw[0] === 0xa0 ? 6 : 5].raw);\n}\nfunction getSPKI(x509) {\n const pem = x509.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\\s)/g, '');\n const raw = decodeBase64(pem);\n return formatPEM(spkiFromX509(raw), 'PUBLIC KEY');\n}\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return importPublic(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n let spki;\n try {\n spki = getSPKI(x509);\n }\n catch (cause) {\n throw new TypeError('failed to parse the X.509 certificate', { cause });\n }\n return importPublic(spki, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return importPrivate(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, octAsKeyObject) {\n var _a;\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n alg || (alg = jwk.alg);\n if (typeof alg !== 'string' || !alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : (octAsKeyObject = jwk.ext !== true);\n if (octAsKeyObject) {\n return asKeyObject({ ...jwk, alg, ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false });\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if (jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n case 'EC':\n case 'OKP':\n return asKeyObject({ ...jwk, alg });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n", "import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport isKeyLike, { types } from '../runtime/is_key_like.js';\nconst symmetricTypeCheck = (alg, key) => {\n if (key instanceof Uint8Array)\n return;\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, ...types, 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${types.join(' or ')} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, ...types));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (usage === 'sign' && key.type === 'public') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm signing must be of type \"private\"`);\n }\n if (usage === 'decrypt' && key.type === 'public') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n if (key.algorithm && usage === 'verify' && key.type === 'private') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm verifying must be of type \"public\"`);\n }\n if (key.algorithm && usage === 'encrypt' && key.type === 'private') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n};\nconst checkKeyType = (alg, key, usage) => {\n const symmetric = alg.startsWith('HS') ||\n alg === 'dir' ||\n alg.startsWith('PBES2') ||\n /^A\\d{3}(?:GCM)?KW$/.test(alg);\n if (symmetric) {\n symmetricTypeCheck(alg, key);\n }\n else {\n asymmetricTypeCheck(alg, key, usage);\n }\n};\nexport default checkKeyType;\n", "import { JOSENotSupported } from '../util/errors.js';\nfunction validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n else if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\nexport default validateCrit;\n", "const validateAlgorithms = (option, algorithms) => {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n};\nexport default validateAlgorithms;\n", "import { encode as base64url } from '../../runtime/base64url.js';\nimport encrypt from '../../runtime/encrypt.js';\nimport { deflate } from '../../runtime/zlib.js';\nimport generateIv from '../../lib/iv.js';\nimport encryptKeyManagement from '../../lib/encrypt_key_management.js';\nimport { JOSENotSupported, JWEInvalid } from '../../util/errors.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport { encoder, decoder, concat } from '../../lib/buffer_utils.js';\nimport validateCrit from '../../lib/validate_crit.js';\nexport const unprotected = Symbol();\nexport class FlattenedEncrypt {\n constructor(plaintext) {\n if (!(plaintext instanceof Uint8Array)) {\n throw new TypeError('plaintext must be an instance of Uint8Array');\n }\n this._plaintext = plaintext;\n }\n setKeyManagementParameters(parameters) {\n if (this._keyManagementParameters) {\n throw new TypeError('setKeyManagementParameters can only be called once');\n }\n this._keyManagementParameters = parameters;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this._protectedHeader = protectedHeader;\n return this;\n }\n setSharedUnprotectedHeader(sharedUnprotectedHeader) {\n if (this._sharedUnprotectedHeader) {\n throw new TypeError('setSharedUnprotectedHeader can only be called once');\n }\n this._sharedUnprotectedHeader = sharedUnprotectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this._unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this._unprotectedHeader = unprotectedHeader;\n return this;\n }\n setAdditionalAuthenticatedData(aad) {\n this._aad = aad;\n return this;\n }\n setContentEncryptionKey(cek) {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey can only be called once');\n }\n this._cek = cek;\n return this;\n }\n setInitializationVector(iv) {\n if (this._iv) {\n throw new TypeError('setInitializationVector can only be called once');\n }\n this._iv = iv;\n return this;\n }\n async encrypt(key, options) {\n if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) {\n throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');\n }\n if (!isDisjoint(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) {\n throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...this._sharedUnprotectedHeader,\n };\n validateCrit(JWEInvalid, new Map(), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!this._protectedHeader || !this._protectedHeader.zip) {\n throw new JWEInvalid('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n }\n if (joseHeader.zip !== 'DEF') {\n throw new JOSENotSupported('Unsupported JWE \"zip\" (Compression Algorithm) Header Parameter value');\n }\n }\n const { alg, enc } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWEInvalid('JWE \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n if (typeof enc !== 'string' || !enc) {\n throw new JWEInvalid('JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid');\n }\n let encryptedKey;\n if (alg === 'dir') {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey cannot be called when using Direct Encryption');\n }\n }\n else if (alg === 'ECDH-ES') {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey cannot be called when using Direct Key Agreement');\n }\n }\n let cek;\n {\n let parameters;\n ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, key, this._cek, this._keyManagementParameters));\n if (parameters) {\n if (options && unprotected in options) {\n if (!this._unprotectedHeader) {\n this.setUnprotectedHeader(parameters);\n }\n else {\n this._unprotectedHeader = { ...this._unprotectedHeader, ...parameters };\n }\n }\n else {\n if (!this._protectedHeader) {\n this.setProtectedHeader(parameters);\n }\n else {\n this._protectedHeader = { ...this._protectedHeader, ...parameters };\n }\n }\n }\n }\n this._iv || (this._iv = generateIv(enc));\n let additionalData;\n let protectedHeader;\n let aadMember;\n if (this._protectedHeader) {\n protectedHeader = encoder.encode(base64url(JSON.stringify(this._protectedHeader)));\n }\n else {\n protectedHeader = encoder.encode('');\n }\n if (this._aad) {\n aadMember = base64url(this._aad);\n additionalData = concat(protectedHeader, encoder.encode('.'), encoder.encode(aadMember));\n }\n else {\n additionalData = protectedHeader;\n }\n let ciphertext;\n let tag;\n if (joseHeader.zip === 'DEF') {\n const deflated = await ((options === null || options === void 0 ? void 0 : options.deflateRaw) || deflate)(this._plaintext);\n ({ ciphertext, tag } = await encrypt(enc, deflated, cek, this._iv, additionalData));\n }\n else {\n ;\n ({ ciphertext, tag } = await encrypt(enc, this._plaintext, cek, this._iv, additionalData));\n }\n const jwe = {\n ciphertext: base64url(ciphertext),\n iv: base64url(this._iv),\n tag: base64url(tag),\n };\n if (encryptedKey) {\n jwe.encrypted_key = base64url(encryptedKey);\n }\n if (aadMember) {\n jwe.aad = aadMember;\n }\n if (this._protectedHeader) {\n jwe.protected = decoder.decode(protectedHeader);\n }\n if (this._sharedUnprotectedHeader) {\n jwe.unprotected = this._sharedUnprotectedHeader;\n }\n if (this._unprotectedHeader) {\n jwe.header = this._unprotectedHeader;\n }\n return jwe;\n }\n}\n", "import { isCloudflareWorkers } from './env.js';\nimport { JOSENotSupported } from '../util/errors.js';\nexport default function subtleDsa(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: alg.slice(-3) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case isCloudflareWorkers() && 'EdDSA':\n const { namedCurve } = algorithm;\n return { name: namedCurve, namedCurve };\n case 'EdDSA':\n return { name: algorithm.name };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n", "import crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkSigCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nexport default function getCryptoKey(alg, key, usage) {\n if (isCryptoKey(key)) {\n checkSigCryptoKey(key, alg, usage);\n return key;\n }\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));\n}\n", "import subtleAlgorithm from './subtle_dsa.js';\nimport crypto from './webcrypto.js';\nimport checkKeyLength from './check_key_length.js';\nimport getVerifyKey from './get_sign_verify_key.js';\nconst verify = async (alg, key, signature, data) => {\n const cryptoKey = await getVerifyKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch (_a) {\n return false;\n }\n};\nexport default verify;\n", "import { decode as base64url } from '../../runtime/base64url.js';\nimport verify from '../../runtime/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder } from '../../lib/buffer_utils.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport isObject from '../../lib/is_object.js';\nimport checkKeyType from '../../lib/check_key_type.js';\nimport validateCrit from '../../lib/validate_crit.js';\nimport validateAlgorithms from '../../lib/validate_algorithms.js';\nexport async function flattenedVerify(jws, key, options) {\n var _a;\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = base64url(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch (_b) {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(encoder.encode((_a = jws.protected) !== null && _a !== void 0 ? _a : ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);\n const signature = base64url(jws.signature);\n const verified = await verify(alg, key, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = base64url(jws.payload);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key };\n }\n return result;\n}\n", "import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n", "export default (date) => Math.floor(date.getTime() / 1000);\n", "const minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;\nexport default (str) => {\n const matched = REGEX.exec(str);\n if (!matched) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[1]);\n const unit = matched[2].toLowerCase();\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n return Math.round(value);\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n return Math.round(value * minute);\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n return Math.round(value * hour);\n case 'day':\n case 'days':\n case 'd':\n return Math.round(value * day);\n case 'week':\n case 'weeks':\n case 'w':\n return Math.round(value * week);\n default:\n return Math.round(value * year);\n }\n};\n", "import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { decoder } from './buffer_utils.js';\nimport epoch from './epoch.js';\nimport secs from './secs.js';\nimport isObject from './is_object.js';\nconst normalizeTyp = (value) => value.toLowerCase().replace(/^application\\//, '');\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport default (protectedHeader, encodedPayload, options = {}) => {\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', 'typ', 'check_failed');\n }\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch (_a) {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { issuer } = options;\n if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', 'iss', 'check_failed');\n }\n const { subject } = options;\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', 'sub', 'check_failed');\n }\n const { audience } = options;\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || options.maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', 'exp', 'check_failed');\n }\n }\n if (options.maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof options.maxTokenAge === 'number' ? options.maxTokenAge : secs(options.maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', 'iat', 'check_failed');\n }\n }\n return payload;\n};\n", "import { compactVerify } from '../jws/compact/verify.js';\nimport jwtPayload from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n var _a;\n const verified = await compactVerify(jwt, key, options);\n if (((_a = verified.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes('b64')) && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = jwtPayload(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n", "/*\nCopyright 2022 The Dapr Authors\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n http://www.apache.org/licenses/LICENSE-2.0\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { importSPKI, jwtVerify } from 'jose'\n\nimport type { Environment } from '$lib/environment'\n\nconst tokenHeaderMatch =\n /^(?:Bearer )?([A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+)/i\n\nexport async function AuthorizeRequest(\n req: Request,\n env: Environment\n): Promise {\n // If \"SKIP_AUTH\" is set, we can allow skipping authorization\n if (env.SKIP_AUTH === 'true') {\n return true\n }\n\n // Ensure we have an Authorization header with a bearer JWT token\n const match = tokenHeaderMatch.exec(req.headers.get('authorization') || '')\n if (!match || !match[1]) {\n return false\n }\n\n // Validate the JWT\n const pk = await importSPKI(env.PUBLIC_KEY, 'EdDSA')\n try {\n await jwtVerify(match[1], pk, {\n issuer: 'dapr.io/cloudflare',\n audience: env.TOKEN_AUDIENCE,\n algorithms: ['EdDSA'],\n // Allow 5 mins of clock skew\n clockTolerance: 300,\n })\n } catch (err) {\n console.error('Failed to validate JWT: ' + err)\n return false\n }\n\n return true\n}\n", "/*\nCopyright 2022 The Dapr Authors\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n http://www.apache.org/licenses/LICENSE-2.0\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { Router, type Request as RequestI } from 'itty-router'\n\nimport type { Environment } from '$lib/environment'\nimport { AuthorizeRequest } from '$lib/jwt-auth'\nimport { version } from './package.json'\n\nconst router = Router()\n // Handle the info endpoint\n .get(\n '/.well-known/dapr/info',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const auth = await AuthorizeRequest(req, env)\n if (!auth) {\n return new Response('Unauthorized', { status: 401 })\n }\n\n // Filter all bindings by type\n const queues: string[] = []\n const kv: string[] = []\n const r2: string[] = []\n const all = Object.keys(env)\n for (let i = 0; i < all.length; i++) {\n if (!all[i]) {\n continue\n }\n const obj = env[all[i]]\n if (!obj || typeof obj != 'object') {\n continue\n }\n if (\n (obj as Queue) &&\n typeof (obj as Queue).send == 'function'\n ) {\n queues.push(all[i])\n } else if (\n (obj as KVNamespace) &&\n typeof (obj as KVNamespace).getWithMetadata == 'function'\n ) {\n kv.push(all[i])\n } else if (\n (obj as R2Bucket) &&\n typeof (obj as R2Bucket).createMultipartUpload == 'function'\n ) {\n r2.push(all[i])\n }\n }\n\n const res = JSON.stringify({\n version,\n queues: queues && queues.length ? queues : undefined,\n kv: kv && kv.length ? kv : undefined,\n r2: r2 && r2.length ? r2 : undefined,\n })\n return new Response(res, {\n headers: {\n 'content-type': 'application/json',\n },\n })\n }\n )\n\n // Retrieve a value from KV\n .get(\n '/kv/:namespace/:key',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { namespace, key, errorRes } = await setupKVRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n const val = await namespace!.get(key!, 'stream')\n if (!val) {\n return new Response('', { status: 404 })\n }\n\n return new Response(val, { status: 200 })\n }\n )\n\n // Store a value in KV\n .post(\n '/kv/:namespace/:key',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { namespace, key, errorRes } = await setupKVRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n let expirationTtl: number|undefined = undefined\n const reqUrl = new URL(req.url)\n const ttlParam = parseInt(reqUrl.searchParams.get('ttl') ||'', 10)\n if (ttlParam > 0) {\n expirationTtl = ttlParam\n }\n await namespace!.put(key!, req.body!, {expirationTtl})\n\n return new Response('', { status: 201 })\n }\n )\n\n // Delete a value from KV\n .delete(\n '/kv/:namespace/:key',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { namespace, key, errorRes } = await setupKVRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n await namespace!.delete(key!)\n\n return new Response('', { status: 204 })\n }\n )\n\n // Publish a message in a queue\n .post(\n '/queues/:queue',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { queue, errorRes } = await setupQueueRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n let message = await req.text()\n await queue!.send(message)\n return new Response('', { status: 201 })\n }\n )\n\n // Catch-all route to handle 404s\n .all('*', (): Response => {\n return new Response('Not found', { status: 404 })\n })\n\n// Performs the init setps for a KV request. Returns a Response object in case of error.\nasync function setupKVRequest(\n req: Request & RequestI,\n env: Environment\n): Promise<{\n namespace?: KVNamespace\n key?: string\n errorRes?: Response\n}> {\n if (!req?.text || !req.params?.namespace || !req.params?.key) {\n return { errorRes: new Response('Bad request', { status: 400 }) }\n }\n const namespace = env[req.params.namespace] as KVNamespace\n if (!namespace || typeof namespace.getWithMetadata != 'function') {\n return {\n errorRes: new Response(\n `Worker is not bound to KV '${req.params.kv}'`,\n { status: 412 }\n ),\n }\n }\n\n const auth = await AuthorizeRequest(req, env)\n if (!auth) {\n return { errorRes: new Response('Unauthorized', { status: 401 }) }\n }\n\n return { namespace, key: req.params.key }\n}\n\n// Performs the init setps for a Queue request. Returns a Response object in case of error.\nasync function setupQueueRequest(\n req: Request & RequestI,\n env: Environment\n): Promise<{ queue?: Queue; errorRes?: Response }> {\n if (!req?.text || !req.params?.queue) {\n return { errorRes: new Response('Bad request', { status: 400 }) }\n }\n const queue = env[req.params.queue] as Queue\n if (!queue || typeof queue.send != 'function') {\n return {\n errorRes: new Response(\n `Worker is not bound to queue '${req.params.queue}'`,\n { status: 412 }\n ),\n }\n }\n\n const auth = await AuthorizeRequest(req, env)\n if (!auth) {\n return { errorRes: new Response('Unauthorized', { status: 401 }) }\n }\n\n return { queue }\n}\n\nexport default {\n fetch: router.handle,\n}\n"], - "mappings": "AAAA,SAASA,GAAE,CAAC,KAAKC,EAAE,GAAG,OAAOC,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,EAAE,CAAC,IAAI,CAACF,EAAEG,EAAE,IAAI,CAACH,KAAKI,IAAIF,EAAE,KAAK,CAACC,EAAE,YAAY,EAAE,OAAO,KAAKF,EAAED,GAAG,QAAQ,WAAW,SAAS,EAAE,QAAQ,oBAAoB,EAAE,EAAE,QAAQ,oBAAoB,oBAAoB,EAAE,QAAQ,cAAc,KAAK,EAAE,QAAQ,wBAAwB,wBAAwB,MAAM,EAAEI,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,OAAOF,EAAE,MAAM,OAAOF,KAAKI,EAAE,CAAC,IAAID,EAAEE,EAAEJ,EAAE,IAAI,IAAID,EAAE,GAAG,EAAEA,EAAE,MAAM,OAAO,YAAYC,EAAE,YAAY,EAAE,OAAO,CAACK,EAAEC,EAAEC,CAAC,IAAIN,EAAE,IAAII,IAAIN,EAAE,QAAgBM,IAAR,SAAaD,EAAEJ,EAAE,SAAS,MAAMM,CAAC,GAAG,CAACP,EAAE,OAAOK,EAAE,OAAO,QAAQI,KAAKD,EAAE,IAAaL,EAAE,MAAMM,EAAET,EAAE,OAAOA,EAAE,GAAGI,CAAC,KAAnC,OAAsC,OAAOD,CAAC,CAAC,CAAC,CAAC,CCA7lB,IAAOO,EAAQ,OACFC,EAAeC,GAAQA,aAAe,UCA5C,IAAMC,EAAU,IAAI,YACdC,EAAU,IAAI,YACrBC,GAAY,GAAK,GAChB,SAASC,KAAUC,EAAS,CAC/B,IAAMC,EAAOD,EAAQ,OAAO,CAACE,EAAK,CAAE,OAAAC,CAAO,IAAMD,EAAMC,EAAQ,CAAC,EAC1DC,EAAM,IAAI,WAAWH,CAAI,EAC3BI,EAAI,EACR,OAAAL,EAAQ,QAASM,GAAW,CACxBF,EAAI,IAAIE,EAAQD,CAAC,EACjBA,GAAKC,EAAO,MAChB,CAAC,EACMF,CACX,CCGO,IAAMG,GAAgBC,GAAY,CACrC,IAAMC,EAAS,KAAKD,CAAO,EACrBE,EAAQ,IAAI,WAAWD,EAAO,MAAM,EAC1C,QAASE,EAAI,EAAGA,EAAIF,EAAO,OAAQE,IAC/BD,EAAMC,GAAKF,EAAO,WAAWE,CAAC,EAElC,OAAOD,CACX,EACaE,EAAUC,GAAU,CAC7B,IAAIL,EAAUK,EACVL,aAAmB,aACnBA,EAAUM,EAAQ,OAAON,CAAO,GAEpCA,EAAUA,EAAQ,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EAAE,QAAQ,MAAO,EAAE,EACzE,GAAI,CACA,OAAOD,GAAaC,CAAO,CAC/B,MACA,CACI,MAAM,IAAI,UAAU,mDAAmD,CAC3E,CACJ,ECpCO,IAAMO,EAAN,cAAwB,KAAM,CACjC,YAAYC,EAAS,CACjB,IAAIC,EACJ,MAAMD,CAAO,EACb,KAAK,KAAO,mBACZ,KAAK,KAAO,KAAK,YAAY,MAC5BC,EAAK,MAAM,qBAAuB,MAAQA,IAAO,QAAkBA,EAAG,KAAK,MAAO,KAAM,KAAK,WAAW,CAC7G,CACA,WAAW,MAAO,CACd,MAAO,kBACX,CACJ,EACaC,EAAN,cAAuCH,CAAU,CACpD,YAAYC,EAASG,EAAQ,cAAeC,EAAS,cAAe,CAChE,MAAMJ,CAAO,EACb,KAAK,KAAO,kCACZ,KAAK,MAAQG,EACb,KAAK,OAASC,CAClB,CACA,WAAW,MAAO,CACd,MAAO,iCACX,CACJ,EACaC,EAAN,cAAyBN,CAAU,CACtC,YAAYC,EAASG,EAAQ,cAAeC,EAAS,cAAe,CAChE,MAAMJ,CAAO,EACb,KAAK,KAAO,kBACZ,KAAK,MAAQG,EACb,KAAK,OAASC,CAClB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,EACaE,EAAN,cAAgCP,CAAU,CAC7C,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,0BAChB,CACA,WAAW,MAAO,CACd,MAAO,0BACX,CACJ,EACaQ,EAAN,cAA+BR,CAAU,CAC5C,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,wBAChB,CACA,WAAW,MAAO,CACd,MAAO,wBACX,CACJ,EAoBO,IAAMS,EAAN,cAAyBC,CAAU,CACtC,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,iBAChB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,EACaC,EAAN,cAAyBD,CAAU,CACtC,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,iBAChB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,EAiDO,IAAME,EAAN,cAA6CC,CAAU,CAC1D,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,wCACZ,KAAK,QAAU,+BACnB,CACA,WAAW,MAAO,CACd,MAAO,uCACX,CACJ,ECjJA,IAAOC,EAAQC,EAAO,gBAAgB,KAAKA,CAAM,ECD1C,SAASC,GAAsB,CAClC,OAAQ,OAAO,cAAkB,KAC5B,OAAO,UAAc,KAAe,UAAU,YAAc,sBAC5D,OAAO,YAAgB,KAAe,cAAgB,QAC/D,CCHA,SAASC,EAASC,EAAMC,EAAO,iBAAkB,CAC7C,OAAO,IAAI,UAAU,kDAAkDA,aAAgBD,GAAM,CACjG,CACA,SAASE,EAAYC,EAAWH,EAAM,CAClC,OAAOG,EAAU,OAASH,CAC9B,CACA,SAASI,EAAcC,EAAM,CACzB,OAAO,SAASA,EAAK,KAAK,MAAM,CAAC,EAAG,EAAE,CAC1C,CACA,SAASC,GAAcC,EAAK,CACxB,OAAQA,EAAK,CACT,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,QACI,MAAM,IAAI,MAAM,aAAa,CACrC,CACJ,CACA,SAASC,GAAWC,EAAKC,EAAQ,CAC7B,GAAIA,EAAO,QAAU,CAACA,EAAO,KAAMC,GAAaF,EAAI,OAAO,SAASE,CAAQ,CAAC,EAAG,CAC5E,IAAIC,EAAM,sEACV,GAAIF,EAAO,OAAS,EAAG,CACnB,IAAMG,EAAOH,EAAO,IAAI,EACxBE,GAAO,UAAUF,EAAO,KAAK,IAAI,SAASG,IAC9C,MACSH,EAAO,SAAW,EACvBE,GAAO,UAAUF,EAAO,SAASA,EAAO,MAGxCE,GAAO,GAAGF,EAAO,MAErB,MAAM,IAAI,UAAUE,CAAG,CAC3B,CACJ,CACO,SAASE,GAAkBL,EAAKF,KAAQG,EAAQ,CACnD,OAAQH,EAAK,CACT,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACL,EAAYO,EAAI,UAAW,MAAM,EAClC,MAAMV,EAAS,MAAM,EACzB,IAAMY,EAAW,SAASJ,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeH,EAAcK,EAAI,UAAU,IAAI,IAChCE,EACX,MAAMZ,EAAS,OAAOY,IAAY,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYO,EAAI,UAAW,mBAAmB,EAC/C,MAAMV,EAAS,mBAAmB,EACtC,IAAMY,EAAW,SAASJ,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeH,EAAcK,EAAI,UAAU,IAAI,IAChCE,EACX,MAAMZ,EAAS,OAAOY,IAAY,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYO,EAAI,UAAW,SAAS,EACrC,MAAMV,EAAS,SAAS,EAC5B,IAAMY,EAAW,SAASJ,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeH,EAAcK,EAAI,UAAU,IAAI,IAChCE,EACX,MAAMZ,EAAS,OAAOY,IAAY,gBAAgB,EACtD,KACJ,CACA,KAAKI,EAAoB,GAAK,SAAS,CACnC,GAAI,CAACb,EAAYO,EAAI,UAAW,cAAc,EAC1C,MAAMV,EAAS,cAAc,EACjC,KACJ,CACA,IAAK,QAAS,CACV,GAAIU,EAAI,UAAU,OAAS,WAAaA,EAAI,UAAU,OAAS,QAC3D,MAAMV,EAAS,kBAAkB,EAErC,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACG,EAAYO,EAAI,UAAW,OAAO,EACnC,MAAMV,EAAS,OAAO,EAC1B,IAAMY,EAAWL,GAAcC,CAAG,EAElC,GADeE,EAAI,UAAU,aACdE,EACX,MAAMZ,EAASY,EAAU,sBAAsB,EACnD,KACJ,CACA,QACI,MAAM,IAAI,UAAU,2CAA2C,CACvE,CACAH,GAAWC,EAAKC,CAAM,CAC1B,CCnGA,SAASM,GAAQC,EAAKC,KAAWC,EAAO,CACpC,GAAIA,EAAM,OAAS,EAAG,CAClB,IAAMC,EAAOD,EAAM,IAAI,EACvBF,GAAO,eAAeE,EAAM,KAAK,IAAI,SAASC,IAClD,MACSD,EAAM,SAAW,EACtBF,GAAO,eAAeE,EAAM,SAASA,EAAM,MAG3CF,GAAO,WAAWE,EAAM,MAE5B,OAAID,GAAU,KACVD,GAAO,aAAaC,IAEf,OAAOA,GAAW,YAAcA,EAAO,KAC5CD,GAAO,sBAAsBC,EAAO,OAE/B,OAAOA,GAAW,UAAYA,GAAU,MACzCA,EAAO,aAAeA,EAAO,YAAY,OACzCD,GAAO,4BAA4BC,EAAO,YAAY,QAGvDD,CACX,CACA,IAAOI,EAAQ,CAACH,KAAWC,IAChBH,GAAQ,eAAgBE,EAAQ,GAAGC,CAAK,EAE5C,SAASG,EAAQC,EAAKL,KAAWC,EAAO,CAC3C,OAAOH,GAAQ,eAAeO,uBAA0BL,EAAQ,GAAGC,CAAK,CAC5E,CC5BA,IAAOK,EAASC,GACLC,EAAYD,CAAG,EAEbE,EAAQ,CAAC,WAAW,ECJjC,IAAMC,GAAa,IAAIC,IAAY,CAC/B,IAAMC,EAAUD,EAAQ,OAAO,OAAO,EACtC,GAAIC,EAAQ,SAAW,GAAKA,EAAQ,SAAW,EAC3C,MAAO,GAEX,IAAIC,EACJ,QAAWC,KAAUF,EAAS,CAC1B,IAAMG,EAAa,OAAO,KAAKD,CAAM,EACrC,GAAI,CAACD,GAAOA,EAAI,OAAS,EAAG,CACxBA,EAAM,IAAI,IAAIE,CAAU,EACxB,QACJ,CACA,QAAWC,KAAaD,EAAY,CAChC,GAAIF,EAAI,IAAIG,CAAS,EACjB,MAAO,GAEXH,EAAI,IAAIG,CAAS,CACrB,CACJ,CACA,MAAO,EACX,EACOC,EAAQP,GCrBf,SAASQ,GAAaC,EAAO,CACzB,OAAO,OAAOA,GAAU,UAAYA,IAAU,IAClD,CACe,SAARC,EAA0BC,EAAO,CACpC,GAAI,CAACH,GAAaG,CAAK,GAAK,OAAO,UAAU,SAAS,KAAKA,CAAK,IAAM,kBAClE,MAAO,GAEX,GAAI,OAAO,eAAeA,CAAK,IAAM,KACjC,MAAO,GAEX,IAAIC,EAAQD,EACZ,KAAO,OAAO,eAAeC,CAAK,IAAM,MACpCA,EAAQ,OAAO,eAAeA,CAAK,EAEvC,OAAO,OAAO,eAAeD,CAAK,IAAMC,CAC5C,CCfA,IAAOC,EAAQ,CAACC,EAAKC,IAAQ,CACzB,GAAID,EAAI,WAAW,IAAI,GAAKA,EAAI,WAAW,IAAI,EAAG,CAC9C,GAAM,CAAE,cAAAE,CAAc,EAAID,EAAI,UAC9B,GAAI,OAAOC,GAAkB,UAAYA,EAAgB,KACrD,MAAM,IAAI,UAAU,GAAGF,wDAA0D,CAEzF,CACJ,ECkBA,IAAMG,EAAU,CAACC,EAASC,EAAKC,EAAO,IAAM,CACpCA,IAAS,IACTD,EAAI,QAAQA,EAAI,MAAM,EACtBA,EAAI,QAAQ,CAAI,GAEpB,IAAIE,EAAIH,EAAQ,QAAQC,EAAI,GAAIC,CAAI,EACpC,GAAIC,IAAM,GACN,MAAO,GACX,IAAMC,EAAMJ,EAAQ,SAASG,EAAGA,EAAIF,EAAI,MAAM,EAC9C,OAAIG,EAAI,SAAWH,EAAI,OACZ,GACJG,EAAI,MAAM,CAACC,EAAOC,IAAUD,IAAUJ,EAAIK,EAAM,GAAKP,EAAQC,EAASC,EAAKE,EAAI,CAAC,CAC3F,EACMI,EAAiBP,GAAY,CAC/B,OAAQ,GAAM,CACV,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAM,IAAM,GAAM,EAAM,EAAM,CAAI,CAAC,EAClE,MAAO,QACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,EAAM,EAAM,EAAI,CAAC,EAChD,MAAO,QACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,EAAM,EAAM,EAAI,CAAC,EAChD,MAAO,QACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,SACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,OACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,UACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,QACX,QACI,MAAM,IAAIQ,EAAiB,yDAAyD,CAC5F,CACJ,EACMC,GAAgB,MAAOC,EAASC,EAAWC,EAAKC,EAAKC,IAAY,CACnE,IAAIC,EACJ,IAAIC,EACAC,EACEjB,EAAU,IAAI,WAAW,KAAKY,EAAI,QAAQF,EAAS,EAAE,CAAC,EACvD,MAAM,EAAE,EACR,IAAKQ,GAAMA,EAAE,WAAW,CAAC,CAAC,CAAC,EAC1BC,EAAWR,IAAc,OAC/B,OAAQE,EAAK,CACT,IAAK,QACL,IAAK,QACL,IAAK,QACDG,EAAY,CAAE,KAAM,UAAW,KAAM,OAAOH,EAAI,MAAM,EAAE,GAAI,EAC5DI,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,QACL,IAAK,QACL,IAAK,QACDH,EAAY,CAAE,KAAM,oBAAqB,KAAM,OAAOH,EAAI,MAAM,EAAE,GAAI,EACtEI,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,WACL,IAAK,eACL,IAAK,eACL,IAAK,eACDH,EAAY,CACR,KAAM,WACN,KAAM,OAAO,SAASH,EAAI,MAAM,EAAE,EAAG,EAAE,GAAK,GAChD,EACAI,EAAYE,EAAW,CAAC,UAAW,SAAS,EAAI,CAAC,UAAW,WAAW,EACvE,MACJ,IAAK,QACDH,EAAY,CAAE,KAAM,QAAS,WAAY,OAAQ,EACjDC,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,QACDH,EAAY,CAAE,KAAM,QAAS,WAAY,OAAQ,EACjDC,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,QACDH,EAAY,CAAE,KAAM,QAAS,WAAY,OAAQ,EACjDC,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBAAkB,CACnB,IAAMC,EAAab,EAAcP,CAAO,EACxCgB,EAAYI,EAAW,WAAW,IAAI,EAAI,CAAE,KAAM,OAAQ,WAAAA,CAAW,EAAI,CAAE,KAAMA,CAAW,EAC5FH,EAAYE,EAAW,CAAC,EAAI,CAAC,YAAY,EACzC,KACJ,CACA,KAAKE,EAAoB,GAAK,SAAS,CACnC,IAAMD,EAAab,EAAcP,CAAO,EAAE,YAAY,EACtDgB,EAAY,CAAE,KAAM,QAAQI,IAAc,WAAY,QAAQA,GAAa,EAC3EH,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,KACJ,CACA,IAAK,QACDH,EAAY,CAAE,KAAMT,EAAcP,CAAO,CAAE,EAC3CiB,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,QACI,MAAM,IAAIX,EAAiB,gDAAgD,CACnF,CACA,OAAOc,EAAO,OAAO,UAAUX,EAAWX,EAASgB,GAAYD,EAAuDD,GAAQ,eAAiB,MAAQC,IAAO,OAASA,EAAK,GAAOE,CAAS,CAChM,EAIO,IAAMM,GAAW,CAACC,EAAKC,EAAKC,IACxBC,GAAc,6CAA8C,OAAQH,EAAKC,EAAKC,CAAO,ECtDhG,eAAsBE,GAAWC,EAAMC,EAAKC,EAAS,CACjD,GAAI,OAAOF,GAAS,UAAYA,EAAK,QAAQ,4BAA4B,IAAM,EAC3E,MAAM,IAAI,UAAU,sCAAsC,EAE9D,OAAOG,GAAaH,EAAMC,EAAKC,CAAO,CAC1C,CC9EA,IAAME,GAAqB,CAACC,EAAKC,IAAQ,CACrC,GAAI,EAAAA,aAAe,YAEnB,IAAI,CAACC,EAAUD,CAAG,EACd,MAAM,IAAI,UAAUE,EAAgBH,EAAKC,EAAK,GAAGG,EAAO,YAAY,CAAC,EAEzE,GAAIH,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,+DAA+D,EAE/G,EACMC,GAAsB,CAACL,EAAKC,EAAKK,IAAU,CAC7C,GAAI,CAACJ,EAAUD,CAAG,EACd,MAAM,IAAI,UAAUE,EAAgBH,EAAKC,EAAK,GAAGG,CAAK,CAAC,EAE3D,GAAIH,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,oEAAoE,EAEhH,GAAIE,IAAU,QAAUL,EAAI,OAAS,SACjC,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,wEAAwE,EAEpH,GAAIE,IAAU,WAAaL,EAAI,OAAS,SACpC,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,2EAA2E,EAEvH,GAAIH,EAAI,WAAaK,IAAU,UAAYL,EAAI,OAAS,UACpD,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,yEAAyE,EAErH,GAAIH,EAAI,WAAaK,IAAU,WAAaL,EAAI,OAAS,UACrD,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,0EAA0E,CAE1H,EACMG,GAAe,CAACP,EAAKC,EAAKK,IAAU,CACpBN,EAAI,WAAW,IAAI,GACjCA,IAAQ,OACRA,EAAI,WAAW,OAAO,GACtB,qBAAqB,KAAKA,CAAG,EAE7BD,GAAmBC,EAAKC,CAAG,EAG3BI,GAAoBL,EAAKC,EAAKK,CAAK,CAE3C,EACOE,EAAQD,GC3Cf,SAASE,GAAaC,EAAKC,EAAmBC,EAAkBC,EAAiBC,EAAY,CACzF,GAAIA,EAAW,OAAS,QAAaD,EAAgB,OAAS,OAC1D,MAAM,IAAIH,EAAI,gEAAgE,EAElF,GAAI,CAACG,GAAmBA,EAAgB,OAAS,OAC7C,OAAO,IAAI,IAEf,GAAI,CAAC,MAAM,QAAQA,EAAgB,IAAI,GACnCA,EAAgB,KAAK,SAAW,GAChCA,EAAgB,KAAK,KAAME,GAAU,OAAOA,GAAU,UAAYA,EAAM,SAAW,CAAC,EACpF,MAAM,IAAIL,EAAI,uFAAuF,EAEzG,IAAIM,EACAJ,IAAqB,OACrBI,EAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQJ,CAAgB,EAAG,GAAGD,EAAkB,QAAQ,CAAC,CAAC,EAG1FK,EAAaL,EAEjB,QAAWM,KAAaJ,EAAgB,KAAM,CAC1C,GAAI,CAACG,EAAW,IAAIC,CAAS,EACzB,MAAM,IAAIC,EAAiB,+BAA+BD,sBAA8B,EAE5F,GAAIH,EAAWG,KAAe,OAC1B,MAAM,IAAIP,EAAI,+BAA+BO,eAAuB,EAEnE,GAAID,EAAW,IAAIC,CAAS,GAAKJ,EAAgBI,KAAe,OACjE,MAAM,IAAIP,EAAI,+BAA+BO,gCAAwC,CAE7F,CACA,OAAO,IAAI,IAAIJ,EAAgB,IAAI,CACvC,CACA,IAAOM,EAAQV,GCjCf,IAAMW,GAAqB,CAACC,EAAQC,IAAe,CAC/C,GAAIA,IAAe,SACd,CAAC,MAAM,QAAQA,CAAU,GAAKA,EAAW,KAAMC,GAAM,OAAOA,GAAM,QAAQ,GAC3E,MAAM,IAAI,UAAU,IAAIF,uCAA4C,EAExE,GAAI,EAACC,EAGL,OAAO,IAAI,IAAIA,CAAU,CAC7B,EACOE,GAAQJ,GCDR,IAAMK,GAAc,OAAO,ECPnB,SAARC,EAA2BC,EAAKC,EAAW,CAC9C,IAAMC,EAAO,OAAOF,EAAI,MAAM,EAAE,IAChC,OAAQA,EAAK,CACT,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAE,EAAM,KAAM,MAAO,EAChC,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,UAAW,WAAYF,EAAI,MAAM,EAAE,GAAK,CAAE,EACnE,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAE,EAAM,KAAM,mBAAoB,EAC7C,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,QAAS,WAAYD,EAAU,UAAW,EACnE,KAAKE,EAAoB,GAAK,SAC1B,GAAM,CAAE,WAAAC,CAAW,EAAIH,EACvB,MAAO,CAAE,KAAMG,EAAY,WAAAA,CAAW,EAC1C,IAAK,QACD,MAAO,CAAE,KAAMH,EAAU,IAAK,EAClC,QACI,MAAM,IAAII,EAAiB,OAAOL,8DAAgE,CAC1G,CACJ,CCzBe,SAARM,EAA8BC,EAAKC,EAAKC,EAAO,CAClD,GAAIC,EAAYF,CAAG,EACf,OAAAG,GAAkBH,EAAKD,EAAKE,CAAK,EAC1BD,EAEX,GAAIA,aAAe,WAAY,CAC3B,GAAI,CAACD,EAAI,WAAW,IAAI,EACpB,MAAM,IAAI,UAAUK,EAAgBJ,EAAK,GAAGK,CAAK,CAAC,EAEtD,OAAOC,EAAO,OAAO,UAAU,MAAON,EAAK,CAAE,KAAM,OAAOD,EAAI,MAAM,EAAE,IAAK,KAAM,MAAO,EAAG,GAAO,CAACE,CAAK,CAAC,CAC7G,CACA,MAAM,IAAI,UAAUG,EAAgBJ,EAAK,GAAGK,EAAO,YAAY,CAAC,CACpE,CCZA,IAAME,GAAS,MAAOC,EAAKC,EAAKC,EAAWC,IAAS,CAChD,IAAMC,EAAY,MAAMC,EAAaL,EAAKC,EAAK,QAAQ,EACvDK,EAAeN,EAAKI,CAAS,EAC7B,IAAMG,EAAYC,EAAgBR,EAAKI,EAAU,SAAS,EAC1D,GAAI,CACA,OAAO,MAAMK,EAAO,OAAO,OAAOF,EAAWH,EAAWF,EAAWC,CAAI,CAC3E,MACA,CACI,MAAO,EACX,CACJ,EACOO,GAAQX,GCNf,eAAsBY,EAAgBC,EAAKC,EAAKC,EAAS,CACrD,IAAIC,EACJ,GAAI,CAACC,EAASJ,CAAG,EACb,MAAM,IAAIK,EAAW,iCAAiC,EAE1D,GAAIL,EAAI,YAAc,QAAaA,EAAI,SAAW,OAC9C,MAAM,IAAIK,EAAW,uEAAuE,EAEhG,GAAIL,EAAI,YAAc,QAAa,OAAOA,EAAI,WAAc,SACxD,MAAM,IAAIK,EAAW,qCAAqC,EAE9D,GAAIL,EAAI,UAAY,OAChB,MAAM,IAAIK,EAAW,qBAAqB,EAE9C,GAAI,OAAOL,EAAI,WAAc,SACzB,MAAM,IAAIK,EAAW,yCAAyC,EAElE,GAAIL,EAAI,SAAW,QAAa,CAACI,EAASJ,EAAI,MAAM,EAChD,MAAM,IAAIK,EAAW,uCAAuC,EAEhE,IAAIC,EAAa,CAAC,EAClB,GAAIN,EAAI,UACJ,GAAI,CACA,IAAMO,GAAkBC,EAAUR,EAAI,SAAS,EAC/CM,EAAa,KAAK,MAAMG,EAAQ,OAAOF,EAAe,CAAC,CAC3D,MACA,CACI,MAAM,IAAIF,EAAW,iCAAiC,CAC1D,CAEJ,GAAI,CAACK,EAAWJ,EAAYN,EAAI,MAAM,EAClC,MAAM,IAAIK,EAAW,2EAA2E,EAEpG,IAAMM,EAAa,CACf,GAAGL,EACH,GAAGN,EAAI,MACX,EACMY,EAAaC,EAAaR,EAAY,IAAI,IAAI,CAAC,CAAC,MAAO,EAAI,CAAC,CAAC,EAAqDH,GAAQ,KAAMI,EAAYK,CAAU,EACxJG,EAAM,GACV,GAAIF,EAAW,IAAI,KAAK,IACpBE,EAAMR,EAAW,IACb,OAAOQ,GAAQ,WACf,MAAM,IAAIT,EAAW,yEAAyE,EAGtG,GAAM,CAAE,IAAAU,CAAI,EAAIJ,EAChB,GAAI,OAAOI,GAAQ,UAAY,CAACA,EAC5B,MAAM,IAAIV,EAAW,2DAA2D,EAEpF,IAAMW,EAAad,GAAWe,GAAmB,aAAcf,EAAQ,UAAU,EACjF,GAAIc,GAAc,CAACA,EAAW,IAAID,CAAG,EACjC,MAAM,IAAIG,EAAkB,gDAAgD,EAEhF,GAAIJ,GACA,GAAI,OAAOd,EAAI,SAAY,SACvB,MAAM,IAAIK,EAAW,8BAA8B,UAGlD,OAAOL,EAAI,SAAY,UAAY,EAAEA,EAAI,mBAAmB,YACjE,MAAM,IAAIK,EAAW,wDAAwD,EAEjF,IAAIc,EAAc,GACd,OAAOlB,GAAQ,aACfA,EAAM,MAAMA,EAAIK,EAAYN,CAAG,EAC/BmB,EAAc,IAElBC,EAAaL,EAAKd,EAAK,QAAQ,EAC/B,IAAMoB,EAAOC,EAAOC,EAAQ,QAAQpB,EAAKH,EAAI,aAAe,MAAQG,IAAO,OAASA,EAAK,EAAE,EAAGoB,EAAQ,OAAO,GAAG,EAAG,OAAOvB,EAAI,SAAY,SAAWuB,EAAQ,OAAOvB,EAAI,OAAO,EAAIA,EAAI,OAAO,EACxLwB,EAAYhB,EAAUR,EAAI,SAAS,EAEzC,GAAI,CADa,MAAMyB,GAAOV,EAAKd,EAAKuB,EAAWH,CAAI,EAEnD,MAAM,IAAIK,EAEd,IAAIC,EACAb,EACAa,EAAUnB,EAAUR,EAAI,OAAO,EAE1B,OAAOA,EAAI,SAAY,SAC5B2B,EAAUJ,EAAQ,OAAOvB,EAAI,OAAO,EAGpC2B,EAAU3B,EAAI,QAElB,IAAM4B,EAAS,CAAE,QAAAD,CAAQ,EAOzB,OANI3B,EAAI,YAAc,SAClB4B,EAAO,gBAAkBtB,GAEzBN,EAAI,SAAW,SACf4B,EAAO,kBAAoB5B,EAAI,QAE/BmB,EACO,CAAE,GAAGS,EAAQ,IAAA3B,CAAI,EAErB2B,CACX,CCpGA,eAAsBC,GAAcC,EAAKC,EAAKC,EAAS,CAInD,GAHIF,aAAe,aACfA,EAAMG,EAAQ,OAAOH,CAAG,GAExB,OAAOA,GAAQ,SACf,MAAM,IAAII,EAAW,4CAA4C,EAErE,GAAM,CAAE,EAAGC,EAAiB,EAAGC,EAAS,EAAGC,EAAW,OAAAC,CAAO,EAAIR,EAAI,MAAM,GAAG,EAC9E,GAAIQ,IAAW,EACX,MAAM,IAAIJ,EAAW,qBAAqB,EAE9C,IAAMK,EAAW,MAAMC,EAAgB,CAAE,QAAAJ,EAAS,UAAWD,EAAiB,UAAAE,CAAU,EAAGN,EAAKC,CAAO,EACjGS,EAAS,CAAE,QAASF,EAAS,QAAS,gBAAiBA,EAAS,eAAgB,EACtF,OAAI,OAAOR,GAAQ,WACR,CAAE,GAAGU,EAAQ,IAAKF,EAAS,GAAI,EAEnCE,CACX,CCpBA,IAAOC,GAASC,GAAS,KAAK,MAAMA,EAAK,QAAQ,EAAI,GAAI,ECKzD,IAAMC,GAAQ,sGACPC,EAASC,GAAQ,CACpB,IAAMC,EAAUH,GAAM,KAAKE,CAAG,EAC9B,GAAI,CAACC,EACD,MAAM,IAAI,UAAU,4BAA4B,EAEpD,IAAMC,EAAQ,WAAWD,EAAQ,EAAE,EAEnC,OADaA,EAAQ,GAAG,YAAY,EACtB,CACV,IAAK,MACL,IAAK,OACL,IAAK,SACL,IAAK,UACL,IAAK,IACD,OAAO,KAAK,MAAMC,CAAK,EAC3B,IAAK,SACL,IAAK,UACL,IAAK,MACL,IAAK,OACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,EAAM,EACpC,IAAK,OACL,IAAK,QACL,IAAK,KACL,IAAK,MACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,IAAI,EAClC,IAAK,MACL,IAAK,OACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,KAAG,EACjC,IAAK,OACL,IAAK,QACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,MAAI,EAClC,QACI,OAAO,KAAK,MAAMA,EAAQ,QAAI,CACtC,CACJ,ECtCA,IAAMC,GAAgBC,GAAUA,EAAM,YAAY,EAAE,QAAQ,iBAAkB,EAAE,EAC1EC,GAAwB,CAACC,EAAYC,IACnC,OAAOD,GAAe,SACfC,EAAU,SAASD,CAAU,EAEpC,MAAM,QAAQA,CAAU,EACjBC,EAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAID,CAAU,CAAC,CAAC,EAE9D,GAEJE,EAAQ,CAACC,EAAiBC,EAAgBC,EAAU,CAAC,IAAM,CAC9D,GAAM,CAAE,IAAAC,CAAI,EAAID,EAChB,GAAIC,IACC,OAAOH,EAAgB,KAAQ,UAC5BN,GAAaM,EAAgB,GAAG,IAAMN,GAAaS,CAAG,GAC1D,MAAM,IAAIC,EAAyB,oCAAqC,MAAO,cAAc,EAEjG,IAAIC,EACJ,GAAI,CACAA,EAAU,KAAK,MAAMC,EAAQ,OAAOL,CAAc,CAAC,CACvD,MACA,CACA,CACA,GAAI,CAACM,EAASF,CAAO,EACjB,MAAM,IAAIG,EAAW,gDAAgD,EAEzE,GAAM,CAAE,OAAAC,CAAO,EAAIP,EACnB,GAAIO,GAAU,EAAE,MAAM,QAAQA,CAAM,EAAIA,EAAS,CAACA,CAAM,GAAG,SAASJ,EAAQ,GAAG,EAC3E,MAAM,IAAID,EAAyB,+BAAgC,MAAO,cAAc,EAE5F,GAAM,CAAE,QAAAM,CAAQ,EAAIR,EACpB,GAAIQ,GAAWL,EAAQ,MAAQK,EAC3B,MAAM,IAAIN,EAAyB,+BAAgC,MAAO,cAAc,EAE5F,GAAM,CAAE,SAAAO,CAAS,EAAIT,EACrB,GAAIS,GACA,CAACf,GAAsBS,EAAQ,IAAK,OAAOM,GAAa,SAAW,CAACA,CAAQ,EAAIA,CAAQ,EACxF,MAAM,IAAIP,EAAyB,+BAAgC,MAAO,cAAc,EAE5F,IAAIQ,EACJ,OAAQ,OAAOV,EAAQ,eAAgB,CACnC,IAAK,SACDU,EAAYC,EAAKX,EAAQ,cAAc,EACvC,MACJ,IAAK,SACDU,EAAYV,EAAQ,eACpB,MACJ,IAAK,YACDU,EAAY,EACZ,MACJ,QACI,MAAM,IAAI,UAAU,oCAAoC,CAChE,CACA,GAAM,CAAE,YAAAE,CAAY,EAAIZ,EAClBa,EAAMC,GAAMF,GAAe,IAAI,IAAM,EAC3C,IAAKT,EAAQ,MAAQ,QAAaH,EAAQ,cAAgB,OAAOG,EAAQ,KAAQ,SAC7E,MAAM,IAAID,EAAyB,+BAAgC,MAAO,SAAS,EAEvF,GAAIC,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgC,MAAO,SAAS,EAEvF,GAAIC,EAAQ,IAAMU,EAAMH,EACpB,MAAM,IAAIR,EAAyB,qCAAsC,MAAO,cAAc,CAEtG,CACA,GAAIC,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgC,MAAO,SAAS,EAEvF,GAAIC,EAAQ,KAAOU,EAAMH,EACrB,MAAM,IAAIK,EAAW,qCAAsC,MAAO,cAAc,CAExF,CACA,GAAIf,EAAQ,YAAa,CACrB,IAAMgB,EAAMH,EAAMV,EAAQ,IACpBc,EAAM,OAAOjB,EAAQ,aAAgB,SAAWA,EAAQ,YAAcW,EAAKX,EAAQ,WAAW,EACpG,GAAIgB,EAAMN,EAAYO,EAClB,MAAM,IAAIF,EAAW,2DAA4D,MAAO,cAAc,EAE1G,GAAIC,EAAM,EAAIN,EACV,MAAM,IAAIR,EAAyB,gEAAiE,MAAO,cAAc,CAEjI,CACA,OAAOC,CACX,ECvFA,eAAsBe,GAAUC,EAAKC,EAAKC,EAAS,CAC/C,IAAIC,EACJ,IAAMC,EAAW,MAAMC,GAAcL,EAAKC,EAAKC,CAAO,EACtD,KAAMC,EAAKC,EAAS,gBAAgB,QAAU,MAAQD,IAAO,OAAS,OAASA,EAAG,SAAS,KAAK,IAAMC,EAAS,gBAAgB,MAAQ,GACnI,MAAM,IAAIE,EAAW,qCAAqC,EAG9D,IAAMC,EAAS,CAAE,QADDC,EAAWJ,EAAS,gBAAiBA,EAAS,QAASF,CAAO,EACpD,gBAAiBE,EAAS,eAAgB,EACpE,OAAI,OAAOH,GAAQ,WACR,CAAE,GAAGM,EAAQ,IAAKH,EAAS,GAAI,EAEnCG,CACX,CCEA,IAAME,GACF,oEAEJ,eAAsBC,EAClBC,EACAC,EACgB,CAEhB,GAAIA,EAAI,YAAc,OAClB,MAAO,GAIX,IAAMC,EAAQJ,GAAiB,KAAKE,EAAI,QAAQ,IAAI,eAAe,GAAK,EAAE,EAC1E,GAAI,CAACE,GAAS,CAACA,EAAM,GACjB,MAAO,GAIX,IAAMC,EAAK,MAAMC,GAAWH,EAAI,WAAY,OAAO,EACnD,GAAI,CACA,MAAMI,GAAUH,EAAM,GAAIC,EAAI,CAC1B,OAAQ,qBACR,SAAUF,EAAI,eACd,WAAY,CAAC,OAAO,EAEpB,eAAgB,GACpB,CAAC,CACL,OAASK,EAAP,CACE,eAAQ,MAAM,2BAA6BA,CAAG,EACvC,EACX,CAEA,MAAO,EACX,mBChCA,IAAMC,GAASC,GAAO,EAEjB,IACG,yBACA,MACIC,EACAC,IACoB,CAEpB,GAAI,CADS,MAAMC,EAAiBF,EAAKC,CAAG,EAExC,OAAO,IAAI,SAAS,eAAgB,CAAE,OAAQ,GAAI,CAAC,EAIvD,IAAME,EAAmB,CAAC,EACpBC,EAAe,CAAC,EAChBC,EAAe,CAAC,EAChBC,EAAM,OAAO,KAAKL,CAAG,EAC3B,QAASM,EAAI,EAAGA,EAAID,EAAI,OAAQC,IAAK,CACjC,GAAI,CAACD,EAAIC,GACL,SAEJ,IAAMC,EAAMP,EAAIK,EAAIC,IAChB,CAACC,GAAO,OAAOA,GAAO,WAIrBA,GACD,OAAQA,EAAsB,MAAQ,WAEtCL,EAAO,KAAKG,EAAIC,EAAE,EAEjBC,GACD,OAAQA,EAAoB,iBAAmB,WAE/CJ,EAAG,KAAKE,EAAIC,EAAE,EAEbC,GACD,OAAQA,EAAiB,uBAAyB,YAElDH,EAAG,KAAKC,EAAIC,EAAE,EAEtB,CAEA,IAAME,EAAM,KAAK,UAAU,CACvB,QAAAC,GACA,OAAQP,GAAUA,EAAO,OAASA,EAAS,OAC3C,GAAIC,GAAMA,EAAG,OAASA,EAAK,OAC3B,GAAIC,GAAMA,EAAG,OAASA,EAAK,MAC/B,CAAC,EACD,OAAO,IAAI,SAASI,EAAK,CACrB,QAAS,CACL,eAAgB,kBACpB,CACJ,CAAC,CACL,CACJ,EAGC,IACG,sBACA,MACIT,EACAC,IACoB,CACpB,GAAM,CAAE,UAAAU,EAAW,IAAAC,EAAK,SAAAC,CAAS,EAAI,MAAMC,GAAed,EAAKC,CAAG,EAClE,GAAIY,EACA,OAAOA,EAGX,IAAME,EAAM,MAAMJ,EAAW,IAAIC,EAAM,QAAQ,EAC/C,OAAKG,EAIE,IAAI,SAASA,EAAK,CAAE,OAAQ,GAAI,CAAC,EAH7B,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,CAI/C,CACJ,EAGC,KACG,sBACA,MACIf,EACAC,IACoB,CACpB,GAAM,CAAE,UAAAU,EAAW,IAAAC,EAAK,SAAAC,CAAS,EAAI,MAAMC,GAAed,EAAKC,CAAG,EAClE,GAAIY,EACA,OAAOA,EAGX,IAAIG,EACEC,EAAS,IAAI,IAAIjB,EAAI,GAAG,EACxBkB,EAAW,SAASD,EAAO,aAAa,IAAI,KAAK,GAAI,GAAI,EAAE,EACjE,OAAIC,EAAW,IACXF,EAAgBE,GAEpB,MAAMP,EAAW,IAAIC,EAAMZ,EAAI,KAAO,CAAC,cAAAgB,CAAa,CAAC,EAE9C,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,CAC3C,CACJ,EAGC,OACG,sBACA,MACIhB,EACAC,IACoB,CACpB,GAAM,CAAE,UAAAU,EAAW,IAAAC,EAAK,SAAAC,CAAS,EAAI,MAAMC,GAAed,EAAKC,CAAG,EAClE,OAAIY,IAIJ,MAAMF,EAAW,OAAOC,CAAI,EAErB,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,EAC3C,CACJ,EAGC,KACG,iBACA,MACIZ,EACAC,IACoB,CACpB,GAAM,CAAE,MAAAkB,EAAO,SAAAN,CAAS,EAAI,MAAMO,GAAkBpB,EAAKC,CAAG,EAC5D,GAAIY,EACA,OAAOA,EAGX,IAAIQ,EAAU,MAAMrB,EAAI,KAAK,EAC7B,aAAMmB,EAAO,KAAKE,CAAO,EAClB,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,CAC3C,CACJ,EAGC,IAAI,IAAK,IACC,IAAI,SAAS,YAAa,CAAE,OAAQ,GAAI,CAAC,CACnD,EAGL,eAAeP,GACXd,EACAC,EAKD,CACC,GAAI,CAACD,GAAK,MAAQ,CAACA,EAAI,QAAQ,WAAa,CAACA,EAAI,QAAQ,IACrD,MAAO,CAAE,SAAU,IAAI,SAAS,cAAe,CAAE,OAAQ,GAAI,CAAC,CAAE,EAEpE,IAAMW,EAAYV,EAAID,EAAI,OAAO,WACjC,MAAI,CAACW,GAAa,OAAOA,EAAU,iBAAmB,WAC3C,CACH,SAAU,IAAI,SACV,8BAA8BX,EAAI,OAAO,MACzC,CAAE,OAAQ,GAAI,CAClB,CACJ,EAGS,MAAME,EAAiBF,EAAKC,CAAG,EAKrC,CAAE,UAAAU,EAAW,IAAKX,EAAI,OAAO,GAAI,EAH7B,CAAE,SAAU,IAAI,SAAS,eAAgB,CAAE,OAAQ,GAAI,CAAC,CAAE,CAIzE,CAGA,eAAeoB,GACXpB,EACAC,EACuD,CACvD,GAAI,CAACD,GAAK,MAAQ,CAACA,EAAI,QAAQ,MAC3B,MAAO,CAAE,SAAU,IAAI,SAAS,cAAe,CAAE,OAAQ,GAAI,CAAC,CAAE,EAEpE,IAAMmB,EAAQlB,EAAID,EAAI,OAAO,OAC7B,MAAI,CAACmB,GAAS,OAAOA,EAAM,MAAQ,WACxB,CACH,SAAU,IAAI,SACV,iCAAiCnB,EAAI,OAAO,SAC5C,CAAE,OAAQ,GAAI,CAClB,CACJ,EAGS,MAAME,EAAiBF,EAAKC,CAAG,EAKrC,CAAE,MAAAkB,CAAM,EAHJ,CAAE,SAAU,IAAI,SAAS,eAAgB,CAAE,OAAQ,GAAI,CAAC,CAAE,CAIzE,CAEA,IAAOG,GAAQ,CACX,MAAOxB,GAAO,MAClB", - "names": ["e", "t", "n", "a", "r", "o", "p", "s", "u", "c", "webcrypto_default", "isCryptoKey", "key", "encoder", "decoder", "MAX_INT32", "concat", "buffers", "size", "acc", "length", "buf", "i", "buffer", "decodeBase64", "encoded", "binary", "bytes", "i", "decode", "input", "decoder", "JOSEError", "message", "_a", "JWTClaimValidationFailed", "claim", "reason", "JWTExpired", "JOSEAlgNotAllowed", "JOSENotSupported", "JWSInvalid", "JOSEError", "JWTInvalid", "JWSSignatureVerificationFailed", "JOSEError", "random_default", "webcrypto_default", "isCloudflareWorkers", "unusable", "name", "prop", "isAlgorithm", "algorithm", "getHashLength", "hash", "getNamedCurve", "alg", "checkUsage", "key", "usages", "expected", "msg", "last", "checkSigCryptoKey", "isCloudflareWorkers", "message", "msg", "actual", "types", "last", "invalid_key_input_default", "withAlg", "alg", "is_key_like_default", "key", "isCryptoKey", "types", "isDisjoint", "headers", "sources", "acc", "header", "parameters", "parameter", "is_disjoint_default", "isObjectLike", "value", "isObject", "input", "proto", "check_key_length_default", "alg", "key", "modulusLength", "findOid", "keyData", "oid", "from", "i", "sub", "value", "index", "getNamedCurve", "JOSENotSupported", "genericImport", "replace", "keyFormat", "pem", "alg", "options", "_a", "algorithm", "keyUsages", "c", "isPublic", "namedCurve", "isCloudflareWorkers", "webcrypto_default", "fromSPKI", "pem", "alg", "options", "genericImport", "importSPKI", "spki", "alg", "options", "fromSPKI", "symmetricTypeCheck", "alg", "key", "is_key_like_default", "withAlg", "types", "asymmetricTypeCheck", "usage", "checkKeyType", "check_key_type_default", "validateCrit", "Err", "recognizedDefault", "recognizedOption", "protectedHeader", "joseHeader", "input", "recognized", "parameter", "JOSENotSupported", "validate_crit_default", "validateAlgorithms", "option", "algorithms", "s", "validate_algorithms_default", "unprotected", "subtleDsa", "alg", "algorithm", "hash", "isCloudflareWorkers", "namedCurve", "JOSENotSupported", "getCryptoKey", "alg", "key", "usage", "isCryptoKey", "checkSigCryptoKey", "invalid_key_input_default", "types", "webcrypto_default", "verify", "alg", "key", "signature", "data", "cryptoKey", "getCryptoKey", "check_key_length_default", "algorithm", "subtleDsa", "webcrypto_default", "verify_default", "flattenedVerify", "jws", "key", "options", "_a", "isObject", "JWSInvalid", "parsedProt", "protectedHeader", "decode", "decoder", "is_disjoint_default", "joseHeader", "extensions", "validate_crit_default", "b64", "alg", "algorithms", "validate_algorithms_default", "JOSEAlgNotAllowed", "resolvedKey", "check_key_type_default", "data", "concat", "encoder", "signature", "verify_default", "JWSSignatureVerificationFailed", "payload", "result", "compactVerify", "jws", "key", "options", "decoder", "JWSInvalid", "protectedHeader", "payload", "signature", "length", "verified", "flattenedVerify", "result", "epoch_default", "date", "REGEX", "secs_default", "str", "matched", "value", "normalizeTyp", "value", "checkAudiencePresence", "audPayload", "audOption", "jwt_claims_set_default", "protectedHeader", "encodedPayload", "options", "typ", "JWTClaimValidationFailed", "payload", "decoder", "isObject", "JWTInvalid", "issuer", "subject", "audience", "tolerance", "secs_default", "currentDate", "now", "epoch_default", "JWTExpired", "age", "max", "jwtVerify", "jwt", "key", "options", "_a", "verified", "compactVerify", "JWTInvalid", "result", "jwt_claims_set_default", "tokenHeaderMatch", "AuthorizeRequest", "req", "env", "match", "pk", "importSPKI", "jwtVerify", "err", "router", "e", "req", "env", "AuthorizeRequest", "queues", "kv", "r2", "all", "i", "obj", "res", "version", "namespace", "key", "errorRes", "setupKVRequest", "val", "expirationTtl", "reqUrl", "ttlParam", "queue", "setupQueueRequest", "message", "worker_default"] + "sourcesContent": ["function e({base:t=\"\",routes:n=[]}={}){return{__proto__:new Proxy({},{get:(e,a,o)=>(e,...r)=>n.push([a.toUpperCase(),RegExp(`^${(t+e).replace(/(\\/?)\\*/g,\"($1.*)?\").replace(/(\\/$)|((?<=\\/)\\/)/,\"\").replace(/:(\\w+)(\\?)?(\\.)?/g,\"$2(?<$1>[^/]+)$2$3\").replace(/\\.(?=[\\w(])/,\"\\\\.\").replace(/\\)\\.\\?\\(([^\\[]+)\\[\\^/g,\"?)\\\\.?($1(?<=\\\\.)[^\\\\.\")}/*$`),r])&&o}),routes:n,async handle(e,...r){let a,o,t=new URL(e.url);e.query=Object.fromEntries(t.searchParams);for(var[p,s,u]of n)if((p===e.method||\"ALL\"===p)&&(o=t.pathname.match(s))){e.params=o.groups;for(var c of u)if(void 0!==(a=await c(e.proxy||e,...r)))return a}}}}export default{Router:e};export{e as Router};\n", "export default crypto;\nexport const isCryptoKey = (key) => key instanceof CryptoKey;\n", "import digest from '../runtime/digest.js';\nexport const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n buffers.forEach((buffer) => {\n buf.set(buffer, i);\n i += buffer.length;\n });\n return buf;\n}\nexport function p2s(alg, p2sInput) {\n return concat(encoder.encode(alg), new Uint8Array([0]), p2sInput);\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function lengthAndInput(input) {\n return concat(uint32be(input.length), input);\n}\nexport async function concatKdf(secret, bits, value) {\n const iterations = Math.ceil((bits >> 3) / 32);\n const res = new Uint8Array(iterations * 32);\n for (let iter = 0; iter < iterations; iter++) {\n const buf = new Uint8Array(4 + secret.length + value.length);\n buf.set(uint32be(iter + 1));\n buf.set(secret, 4);\n buf.set(value, 4 + secret.length);\n res.set(await digest('sha256', buf), iter * 32);\n }\n return res.slice(0, bits >> 3);\n}\n", "import { encoder, decoder } from '../lib/buffer_utils.js';\nexport const encodeBase64 = (input) => {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < unencoded.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, unencoded.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n};\nexport const encode = (input) => {\n return encodeBase64(input).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n};\nexport const decodeBase64 = (encoded) => {\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n};\nexport const decode = (input) => {\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/').replace(/\\s/g, '');\n try {\n return decodeBase64(encoded);\n }\n catch (_a) {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n};\n", "export class JOSEError extends Error {\n constructor(message) {\n var _a;\n super(message);\n this.code = 'ERR_JOSE_GENERIC';\n this.name = this.constructor.name;\n (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);\n }\n static get code() {\n return 'ERR_JOSE_GENERIC';\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n constructor(message, claim = 'unspecified', reason = 'unspecified') {\n super(message);\n this.code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n this.claim = claim;\n this.reason = reason;\n }\n static get code() {\n return 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n }\n}\nexport class JWTExpired extends JOSEError {\n constructor(message, claim = 'unspecified', reason = 'unspecified') {\n super(message);\n this.code = 'ERR_JWT_EXPIRED';\n this.claim = claim;\n this.reason = reason;\n }\n static get code() {\n return 'ERR_JWT_EXPIRED';\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n }\n static get code() {\n return 'ERR_JOSE_ALG_NOT_ALLOWED';\n }\n}\nexport class JOSENotSupported extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JOSE_NOT_SUPPORTED';\n }\n static get code() {\n return 'ERR_JOSE_NOT_SUPPORTED';\n }\n}\nexport class JWEDecryptionFailed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWE_DECRYPTION_FAILED';\n this.message = 'decryption operation failed';\n }\n static get code() {\n return 'ERR_JWE_DECRYPTION_FAILED';\n }\n}\nexport class JWEInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWE_INVALID';\n }\n static get code() {\n return 'ERR_JWE_INVALID';\n }\n}\nexport class JWSInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWS_INVALID';\n }\n static get code() {\n return 'ERR_JWS_INVALID';\n }\n}\nexport class JWTInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWT_INVALID';\n }\n static get code() {\n return 'ERR_JWT_INVALID';\n }\n}\nexport class JWKInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWK_INVALID';\n }\n static get code() {\n return 'ERR_JWK_INVALID';\n }\n}\nexport class JWKSInvalid extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_INVALID';\n }\n static get code() {\n return 'ERR_JWKS_INVALID';\n }\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_NO_MATCHING_KEY';\n this.message = 'no applicable key found in the JSON Web Key Set';\n }\n static get code() {\n return 'ERR_JWKS_NO_MATCHING_KEY';\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n this.message = 'multiple matching keys found in the JSON Web Key Set';\n }\n static get code() {\n return 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n }\n}\nexport class JWKSTimeout extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWKS_TIMEOUT';\n this.message = 'request timed out';\n }\n static get code() {\n return 'ERR_JWKS_TIMEOUT';\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n constructor() {\n super(...arguments);\n this.code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n this.message = 'signature verification failed';\n }\n static get code() {\n return 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n }\n}\n", "import crypto from './webcrypto.js';\nexport default crypto.getRandomValues.bind(crypto);\n", "export function isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\n", "import { isCloudflareWorkers } from '../runtime/env.js';\nfunction unusable(name, prop = 'algorithm.name') {\n return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\n}\nfunction isAlgorithm(algorithm, name) {\n return algorithm.name === name;\n}\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usages) {\n if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {\n let msg = 'CryptoKey does not support this operation, its usages must include ';\n if (usages.length > 2) {\n const last = usages.pop();\n msg += `one of ${usages.join(', ')}, or ${last}.`;\n }\n else if (usages.length === 2) {\n msg += `one of ${usages[0]} or ${usages[1]}.`;\n }\n else {\n msg += `${usages[0]}.`;\n }\n throw new TypeError(msg);\n }\n}\nexport function checkSigCryptoKey(key, alg, ...usages) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case isCloudflareWorkers() && 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'NODE-ED25519'))\n throw unusable('NODE-ED25519');\n break;\n }\n case 'EdDSA': {\n if (key.algorithm.name !== 'Ed25519' && key.algorithm.name !== 'Ed448') {\n throw unusable('Ed25519 or Ed448');\n }\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usages);\n}\nexport function checkEncCryptoKey(key, alg, ...usages) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n case 'X448':\n break;\n default:\n throw unusable('ECDH, X25519, or X448');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usages);\n}\n", "function message(msg, actual, ...types) {\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor && actual.constructor.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport default (actual, ...types) => {\n return message('Key must be ', actual, ...types);\n};\nexport function withAlg(alg, actual, ...types) {\n return message(`Key for the ${alg} algorithm must be `, actual, ...types);\n}\n", "import { isCryptoKey } from './webcrypto.js';\nexport default (key) => {\n return isCryptoKey(key);\n};\nexport const types = ['CryptoKey'];\n", "const isDisjoint = (...headers) => {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n};\nexport default isDisjoint;\n", "function isObjectLike(value) {\n return typeof value === 'object' && value !== null;\n}\nexport default function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n", "export default (alg, key) => {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n};\n", "import { isCloudflareWorkers } from './env.js';\nimport crypto, { isCryptoKey } from './webcrypto.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { encodeBase64 } from './base64url.js';\nimport formatPEM from '../lib/format_pem.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { types } from './is_key_like.js';\nconst genericExport = async (keyType, keyFormat, key) => {\n if (!isCryptoKey(key)) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n if (!key.extractable) {\n throw new TypeError('CryptoKey is not extractable');\n }\n if (key.type !== keyType) {\n throw new TypeError(`key is not a ${keyType} key`);\n }\n return formatPEM(encodeBase64(new Uint8Array(await crypto.subtle.exportKey(keyFormat, key))), `${keyType.toUpperCase()} KEY`);\n};\nexport const toSPKI = (key) => {\n return genericExport('public', 'spki', key);\n};\nexport const toPKCS8 = (key) => {\n return genericExport('private', 'pkcs8', key);\n};\nconst findOid = (keyData, oid, from = 0) => {\n if (from === 0) {\n oid.unshift(oid.length);\n oid.unshift(0x06);\n }\n let i = keyData.indexOf(oid[0], from);\n if (i === -1)\n return false;\n const sub = keyData.subarray(i, i + oid.length);\n if (sub.length !== oid.length)\n return false;\n return sub.every((value, index) => value === oid[index]) || findOid(keyData, oid, i + 1);\n};\nconst getNamedCurve = (keyData) => {\n switch (true) {\n case findOid(keyData, [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]):\n return 'P-256';\n case findOid(keyData, [0x2b, 0x81, 0x04, 0x00, 0x22]):\n return 'P-384';\n case findOid(keyData, [0x2b, 0x81, 0x04, 0x00, 0x23]):\n return 'P-521';\n case findOid(keyData, [0x2b, 0x65, 0x6e]):\n return 'X25519';\n case findOid(keyData, [0x2b, 0x65, 0x6f]):\n return 'X448';\n case findOid(keyData, [0x2b, 0x65, 0x70]):\n return 'Ed25519';\n case findOid(keyData, [0x2b, 0x65, 0x71]):\n return 'Ed448';\n default:\n throw new JOSENotSupported('Invalid or unsupported EC Key Curve or OKP Key Sub Type');\n }\n};\nconst genericImport = async (replace, keyFormat, pem, alg, options) => {\n var _a;\n let algorithm;\n let keyUsages;\n const keyData = new Uint8Array(atob(pem.replace(replace, ''))\n .split('')\n .map((c) => c.charCodeAt(0)));\n const isPublic = keyFormat === 'spki';\n switch (alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,\n };\n keyUsages = isPublic ? ['encrypt', 'wrapKey'] : ['decrypt', 'unwrapKey'];\n break;\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW': {\n const namedCurve = getNamedCurve(keyData);\n algorithm = namedCurve.startsWith('P-') ? { name: 'ECDH', namedCurve } : { name: namedCurve };\n keyUsages = isPublic ? [] : ['deriveBits'];\n break;\n }\n case isCloudflareWorkers() && 'EdDSA': {\n const namedCurve = getNamedCurve(keyData).toUpperCase();\n algorithm = { name: `NODE-${namedCurve}`, namedCurve: `NODE-${namedCurve}` };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n }\n case 'EdDSA':\n algorithm = { name: getNamedCurve(keyData) };\n keyUsages = isPublic ? ['verify'] : ['sign'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported \"alg\" (Algorithm) value');\n }\n return crypto.subtle.importKey(keyFormat, keyData, algorithm, (_a = options === null || options === void 0 ? void 0 : options.extractable) !== null && _a !== void 0 ? _a : false, keyUsages);\n};\nexport const fromPKCS8 = (pem, alg, options) => {\n return genericImport(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\\s)/g, 'pkcs8', pem, alg, options);\n};\nexport const fromSPKI = (pem, alg, options) => {\n return genericImport(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\\s)/g, 'spki', pem, alg, options);\n};\n", "import { decode as decodeBase64URL, encodeBase64, decodeBase64 } from '../runtime/base64url.js';\nimport { fromSPKI as importPublic } from '../runtime/asn1.js';\nimport { fromPKCS8 as importPrivate } from '../runtime/asn1.js';\nimport asKeyObject from '../runtime/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport formatPEM from '../lib/format_pem.js';\nimport isObject from '../lib/is_object.js';\nfunction getElement(seq) {\n let result = [];\n let next = 0;\n while (next < seq.length) {\n let nextPart = parseElement(seq.subarray(next));\n result.push(nextPart);\n next += nextPart.byteLength;\n }\n return result;\n}\nfunction parseElement(bytes) {\n let position = 0;\n let tag = bytes[0] & 0x1f;\n position++;\n if (tag === 0x1f) {\n tag = 0;\n while (bytes[position] >= 0x80) {\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n tag = tag * 128 + bytes[position] - 0x80;\n position++;\n }\n let length = 0;\n if (bytes[position] < 0x80) {\n length = bytes[position];\n position++;\n }\n else if (length === 0x80) {\n length = 0;\n while (bytes[position + length] !== 0 || bytes[position + length + 1] !== 0) {\n if (length > bytes.byteLength) {\n throw new TypeError('invalid indefinite form length');\n }\n length++;\n }\n const byteLength = position + length + 2;\n return {\n byteLength,\n contents: bytes.subarray(position, position + length),\n raw: bytes.subarray(0, byteLength),\n };\n }\n else {\n let numberOfDigits = bytes[position] & 0x7f;\n position++;\n length = 0;\n for (let i = 0; i < numberOfDigits; i++) {\n length = length * 256 + bytes[position];\n position++;\n }\n }\n const byteLength = position + length;\n return {\n byteLength,\n contents: bytes.subarray(position, byteLength),\n raw: bytes.subarray(0, byteLength),\n };\n}\nfunction spkiFromX509(buf) {\n const tbsCertificate = getElement(getElement(parseElement(buf).contents)[0].contents);\n return encodeBase64(tbsCertificate[tbsCertificate[0].raw[0] === 0xa0 ? 6 : 5].raw);\n}\nfunction getSPKI(x509) {\n const pem = x509.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\\s)/g, '');\n const raw = decodeBase64(pem);\n return formatPEM(spkiFromX509(raw), 'PUBLIC KEY');\n}\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return importPublic(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n let spki;\n try {\n spki = getSPKI(x509);\n }\n catch (cause) {\n throw new TypeError('failed to parse the X.509 certificate', { cause });\n }\n return importPublic(spki, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return importPrivate(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, octAsKeyObject) {\n var _a;\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n alg || (alg = jwk.alg);\n if (typeof alg !== 'string' || !alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : (octAsKeyObject = jwk.ext !== true);\n if (octAsKeyObject) {\n return asKeyObject({ ...jwk, alg, ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false });\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if (jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n case 'EC':\n case 'OKP':\n return asKeyObject({ ...jwk, alg });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n", "import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport isKeyLike, { types } from '../runtime/is_key_like.js';\nconst symmetricTypeCheck = (alg, key) => {\n if (key instanceof Uint8Array)\n return;\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, ...types, 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${types.join(' or ')} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, ...types));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (usage === 'sign' && key.type === 'public') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm signing must be of type \"private\"`);\n }\n if (usage === 'decrypt' && key.type === 'public') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n if (key.algorithm && usage === 'verify' && key.type === 'private') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm verifying must be of type \"public\"`);\n }\n if (key.algorithm && usage === 'encrypt' && key.type === 'private') {\n throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n};\nconst checkKeyType = (alg, key, usage) => {\n const symmetric = alg.startsWith('HS') ||\n alg === 'dir' ||\n alg.startsWith('PBES2') ||\n /^A\\d{3}(?:GCM)?KW$/.test(alg);\n if (symmetric) {\n symmetricTypeCheck(alg, key);\n }\n else {\n asymmetricTypeCheck(alg, key, usage);\n }\n};\nexport default checkKeyType;\n", "import { JOSENotSupported } from '../util/errors.js';\nfunction validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n else if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\nexport default validateCrit;\n", "const validateAlgorithms = (option, algorithms) => {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n};\nexport default validateAlgorithms;\n", "import { encode as base64url } from '../../runtime/base64url.js';\nimport encrypt from '../../runtime/encrypt.js';\nimport { deflate } from '../../runtime/zlib.js';\nimport generateIv from '../../lib/iv.js';\nimport encryptKeyManagement from '../../lib/encrypt_key_management.js';\nimport { JOSENotSupported, JWEInvalid } from '../../util/errors.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport { encoder, decoder, concat } from '../../lib/buffer_utils.js';\nimport validateCrit from '../../lib/validate_crit.js';\nexport const unprotected = Symbol();\nexport class FlattenedEncrypt {\n constructor(plaintext) {\n if (!(plaintext instanceof Uint8Array)) {\n throw new TypeError('plaintext must be an instance of Uint8Array');\n }\n this._plaintext = plaintext;\n }\n setKeyManagementParameters(parameters) {\n if (this._keyManagementParameters) {\n throw new TypeError('setKeyManagementParameters can only be called once');\n }\n this._keyManagementParameters = parameters;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n if (this._protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this._protectedHeader = protectedHeader;\n return this;\n }\n setSharedUnprotectedHeader(sharedUnprotectedHeader) {\n if (this._sharedUnprotectedHeader) {\n throw new TypeError('setSharedUnprotectedHeader can only be called once');\n }\n this._sharedUnprotectedHeader = sharedUnprotectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this._unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this._unprotectedHeader = unprotectedHeader;\n return this;\n }\n setAdditionalAuthenticatedData(aad) {\n this._aad = aad;\n return this;\n }\n setContentEncryptionKey(cek) {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey can only be called once');\n }\n this._cek = cek;\n return this;\n }\n setInitializationVector(iv) {\n if (this._iv) {\n throw new TypeError('setInitializationVector can only be called once');\n }\n this._iv = iv;\n return this;\n }\n async encrypt(key, options) {\n if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) {\n throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');\n }\n if (!isDisjoint(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) {\n throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this._protectedHeader,\n ...this._unprotectedHeader,\n ...this._sharedUnprotectedHeader,\n };\n validateCrit(JWEInvalid, new Map(), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);\n if (joseHeader.zip !== undefined) {\n if (!this._protectedHeader || !this._protectedHeader.zip) {\n throw new JWEInvalid('JWE \"zip\" (Compression Algorithm) Header MUST be integrity protected');\n }\n if (joseHeader.zip !== 'DEF') {\n throw new JOSENotSupported('Unsupported JWE \"zip\" (Compression Algorithm) Header Parameter value');\n }\n }\n const { alg, enc } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWEInvalid('JWE \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n if (typeof enc !== 'string' || !enc) {\n throw new JWEInvalid('JWE \"enc\" (Encryption Algorithm) Header Parameter missing or invalid');\n }\n let encryptedKey;\n if (alg === 'dir') {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey cannot be called when using Direct Encryption');\n }\n }\n else if (alg === 'ECDH-ES') {\n if (this._cek) {\n throw new TypeError('setContentEncryptionKey cannot be called when using Direct Key Agreement');\n }\n }\n let cek;\n {\n let parameters;\n ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, key, this._cek, this._keyManagementParameters));\n if (parameters) {\n if (options && unprotected in options) {\n if (!this._unprotectedHeader) {\n this.setUnprotectedHeader(parameters);\n }\n else {\n this._unprotectedHeader = { ...this._unprotectedHeader, ...parameters };\n }\n }\n else {\n if (!this._protectedHeader) {\n this.setProtectedHeader(parameters);\n }\n else {\n this._protectedHeader = { ...this._protectedHeader, ...parameters };\n }\n }\n }\n }\n this._iv || (this._iv = generateIv(enc));\n let additionalData;\n let protectedHeader;\n let aadMember;\n if (this._protectedHeader) {\n protectedHeader = encoder.encode(base64url(JSON.stringify(this._protectedHeader)));\n }\n else {\n protectedHeader = encoder.encode('');\n }\n if (this._aad) {\n aadMember = base64url(this._aad);\n additionalData = concat(protectedHeader, encoder.encode('.'), encoder.encode(aadMember));\n }\n else {\n additionalData = protectedHeader;\n }\n let ciphertext;\n let tag;\n if (joseHeader.zip === 'DEF') {\n const deflated = await ((options === null || options === void 0 ? void 0 : options.deflateRaw) || deflate)(this._plaintext);\n ({ ciphertext, tag } = await encrypt(enc, deflated, cek, this._iv, additionalData));\n }\n else {\n ;\n ({ ciphertext, tag } = await encrypt(enc, this._plaintext, cek, this._iv, additionalData));\n }\n const jwe = {\n ciphertext: base64url(ciphertext),\n iv: base64url(this._iv),\n tag: base64url(tag),\n };\n if (encryptedKey) {\n jwe.encrypted_key = base64url(encryptedKey);\n }\n if (aadMember) {\n jwe.aad = aadMember;\n }\n if (this._protectedHeader) {\n jwe.protected = decoder.decode(protectedHeader);\n }\n if (this._sharedUnprotectedHeader) {\n jwe.unprotected = this._sharedUnprotectedHeader;\n }\n if (this._unprotectedHeader) {\n jwe.header = this._unprotectedHeader;\n }\n return jwe;\n }\n}\n", "import { isCloudflareWorkers } from './env.js';\nimport { JOSENotSupported } from '../util/errors.js';\nexport default function subtleDsa(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: alg.slice(-3) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case isCloudflareWorkers() && 'EdDSA':\n const { namedCurve } = algorithm;\n return { name: namedCurve, namedCurve };\n case 'EdDSA':\n return { name: algorithm.name };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n", "import crypto, { isCryptoKey } from './webcrypto.js';\nimport { checkSigCryptoKey } from '../lib/crypto_key.js';\nimport invalidKeyInput from '../lib/invalid_key_input.js';\nimport { types } from './is_key_like.js';\nexport default function getCryptoKey(alg, key, usage) {\n if (isCryptoKey(key)) {\n checkSigCryptoKey(key, alg, usage);\n return key;\n }\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, ...types));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));\n}\n", "import subtleAlgorithm from './subtle_dsa.js';\nimport crypto from './webcrypto.js';\nimport checkKeyLength from './check_key_length.js';\nimport getVerifyKey from './get_sign_verify_key.js';\nconst verify = async (alg, key, signature, data) => {\n const cryptoKey = await getVerifyKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch (_a) {\n return false;\n }\n};\nexport default verify;\n", "import { decode as base64url } from '../../runtime/base64url.js';\nimport verify from '../../runtime/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder } from '../../lib/buffer_utils.js';\nimport isDisjoint from '../../lib/is_disjoint.js';\nimport isObject from '../../lib/is_object.js';\nimport checkKeyType from '../../lib/check_key_type.js';\nimport validateCrit from '../../lib/validate_crit.js';\nimport validateAlgorithms from '../../lib/validate_algorithms.js';\nexport async function flattenedVerify(jws, key, options) {\n var _a;\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = base64url(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch (_b) {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(encoder.encode((_a = jws.protected) !== null && _a !== void 0 ? _a : ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);\n const signature = base64url(jws.signature);\n const verified = await verify(alg, key, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = base64url(jws.payload);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key };\n }\n return result;\n}\n", "import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n", "export default (date) => Math.floor(date.getTime() / 1000);\n", "const minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;\nexport default (str) => {\n const matched = REGEX.exec(str);\n if (!matched) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[1]);\n const unit = matched[2].toLowerCase();\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n return Math.round(value);\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n return Math.round(value * minute);\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n return Math.round(value * hour);\n case 'day':\n case 'days':\n case 'd':\n return Math.round(value * day);\n case 'week':\n case 'weeks':\n case 'w':\n return Math.round(value * week);\n default:\n return Math.round(value * year);\n }\n};\n", "import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { decoder } from './buffer_utils.js';\nimport epoch from './epoch.js';\nimport secs from './secs.js';\nimport isObject from './is_object.js';\nconst normalizeTyp = (value) => value.toLowerCase().replace(/^application\\//, '');\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport default (protectedHeader, encodedPayload, options = {}) => {\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', 'typ', 'check_failed');\n }\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch (_a) {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { issuer } = options;\n if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', 'iss', 'check_failed');\n }\n const { subject } = options;\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', 'sub', 'check_failed');\n }\n const { audience } = options;\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || options.maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', 'exp', 'check_failed');\n }\n }\n if (options.maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof options.maxTokenAge === 'number' ? options.maxTokenAge : secs(options.maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', 'iat', 'check_failed');\n }\n }\n return payload;\n};\n", "import { compactVerify } from '../jws/compact/verify.js';\nimport jwtPayload from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n var _a;\n const verified = await compactVerify(jwt, key, options);\n if (((_a = verified.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes('b64')) && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = jwtPayload(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n", "/*\nCopyright 2022 The Dapr Authors\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n http://www.apache.org/licenses/LICENSE-2.0\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { importSPKI, jwtVerify } from 'jose'\n\nimport type { Environment } from '$lib/environment'\n\nconst tokenHeaderMatch =\n /^(?:Bearer )?([A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+)/i\n\nexport async function AuthorizeRequest(\n req: Request,\n env: Environment\n): Promise {\n // If \"SKIP_AUTH\" is set, we can allow skipping authorization\n if (env.SKIP_AUTH === 'true') {\n return true\n }\n\n // Ensure we have an Authorization header with a bearer JWT token\n const match = tokenHeaderMatch.exec(req.headers.get('authorization') || '')\n if (!match || !match[1]) {\n return false\n }\n\n // Validate the JWT\n const pk = await importSPKI(env.PUBLIC_KEY, 'EdDSA')\n try {\n await jwtVerify(match[1], pk, {\n issuer: 'dapr.io/cloudflare',\n audience: env.TOKEN_AUDIENCE,\n algorithms: ['EdDSA'],\n // Allow 5 mins of clock skew\n clockTolerance: 300,\n })\n } catch (err) {\n console.error('Failed to validate JWT: ' + err)\n return false\n }\n\n return true\n}\n", "/*\nCopyright 2022 The Dapr Authors\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n http://www.apache.org/licenses/LICENSE-2.0\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n*/\n\nimport { Router, type Request as RequestI } from 'itty-router'\n\nimport type { Environment } from '$lib/environment'\nimport { AuthorizeRequest } from '$lib/jwt-auth'\nimport { version } from './package.json'\n\nconst router = Router()\n // Handle the info endpoint\n .get(\n '/.well-known/dapr/info',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const auth = await AuthorizeRequest(req, env)\n if (!auth) {\n return new Response('Unauthorized', { status: 401 })\n }\n\n // Filter all bindings by type\n const queues: string[] = []\n const kv: string[] = []\n const r2: string[] = []\n const all = Object.keys(env)\n for (let i = 0; i < all.length; i++) {\n if (!all[i]) {\n continue\n }\n const obj = env[all[i]]\n if (!obj || typeof obj != 'object' || !obj.constructor) {\n continue\n }\n switch (obj.constructor.name) {\n case 'KVNamespace':\n kv.push(all[i])\n break\n case 'Queue':\n queues.push(all[i])\n break\n case 'R2Bucket':\n // Note that we currently don't support R2 yet\n r2.push(all[i])\n break\n }\n }\n\n const res = JSON.stringify({\n version,\n queues: queues && queues.length ? queues : undefined,\n kv: kv && kv.length ? kv : undefined,\n r2: r2 && r2.length ? r2 : undefined,\n })\n return new Response(res, {\n headers: {\n 'content-type': 'application/json',\n },\n })\n }\n )\n\n // Retrieve a value from KV\n .get(\n '/kv/:namespace/:key',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { namespace, key, errorRes } = await setupKVRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n const val = await namespace!.get(key!, 'stream')\n if (!val) {\n return new Response('', { status: 404 })\n }\n\n return new Response(val, { status: 200 })\n }\n )\n\n // Store a value in KV\n .post(\n '/kv/:namespace/:key',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { namespace, key, errorRes } = await setupKVRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n let expirationTtl: number|undefined = undefined\n const reqUrl = new URL(req.url)\n const ttlParam = parseInt(reqUrl.searchParams.get('ttl') ||'', 10)\n if (ttlParam > 0) {\n expirationTtl = ttlParam\n }\n await namespace!.put(key!, req.body!, {expirationTtl})\n\n return new Response('', { status: 201 })\n }\n )\n\n // Delete a value from KV\n .delete(\n '/kv/:namespace/:key',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { namespace, key, errorRes } = await setupKVRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n await namespace!.delete(key!)\n\n return new Response('', { status: 204 })\n }\n )\n\n // Publish a message in a queue\n .post(\n '/queues/:queue',\n async (\n req: Request & RequestI,\n env: Environment\n ): Promise => {\n const { queue, errorRes } = await setupQueueRequest(req, env)\n if (errorRes) {\n return errorRes\n }\n\n let message = await req.text()\n await queue!.send(message)\n return new Response('', { status: 201 })\n }\n )\n\n // Catch-all route to handle 404s\n .all('*', (): Response => {\n return new Response('Not found', { status: 404 })\n })\n\n// Performs the init setps for a KV request. Returns a Response object in case of error.\nasync function setupKVRequest(\n req: Request & RequestI,\n env: Environment\n): Promise<{\n namespace?: KVNamespace\n key?: string\n errorRes?: Response\n}> {\n if (!req?.text || !req.params?.namespace || !req.params?.key) {\n return { errorRes: new Response('Bad request', { status: 400 }) }\n }\n const namespace = env[req.params.namespace] as KVNamespace\n if (typeof namespace != 'object' || namespace?.constructor?.name != 'KVNamespace') {\n return {\n errorRes: new Response(\n `Worker is not bound to KV '${req.params.kv}'`,\n { status: 412 }\n ),\n }\n }\n\n const auth = await AuthorizeRequest(req, env)\n if (!auth) {\n return { errorRes: new Response('Unauthorized', { status: 401 }) }\n }\n\n return { namespace, key: req.params.key }\n}\n\n// Performs the init setps for a Queue request. Returns a Response object in case of error.\nasync function setupQueueRequest(\n req: Request & RequestI,\n env: Environment\n): Promise<{ queue?: Queue; errorRes?: Response }> {\n if (!req?.text || !req.params?.queue) {\n return { errorRes: new Response('Bad request', { status: 400 }) }\n }\n const queue = env[req.params.queue] as Queue\n if (typeof queue != 'object' || queue?.constructor?.name != 'Queue') {\n return {\n errorRes: new Response(\n `Worker is not bound to queue '${req.params.queue}'`,\n { status: 412 }\n ),\n }\n }\n\n const auth = await AuthorizeRequest(req, env)\n if (!auth) {\n return { errorRes: new Response('Unauthorized', { status: 401 }) }\n }\n\n return { queue }\n}\n\nexport default {\n fetch: router.handle,\n}\n"], + "mappings": "AAAA,SAASA,GAAE,CAAC,KAAKC,EAAE,GAAG,OAAOC,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,EAAE,CAAC,IAAI,CAACF,EAAEG,EAAE,IAAI,CAACH,KAAKI,IAAIF,EAAE,KAAK,CAACC,EAAE,YAAY,EAAE,OAAO,KAAKF,EAAED,GAAG,QAAQ,WAAW,SAAS,EAAE,QAAQ,oBAAoB,EAAE,EAAE,QAAQ,oBAAoB,oBAAoB,EAAE,QAAQ,cAAc,KAAK,EAAE,QAAQ,wBAAwB,wBAAwB,MAAM,EAAEI,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,OAAOF,EAAE,MAAM,OAAOF,KAAKI,EAAE,CAAC,IAAID,EAAEE,EAAEJ,EAAE,IAAI,IAAID,EAAE,GAAG,EAAEA,EAAE,MAAM,OAAO,YAAYC,EAAE,YAAY,EAAE,OAAO,CAACK,EAAEC,EAAE,CAAC,IAAIL,EAAE,IAAII,IAAIN,EAAE,QAAgBM,IAAR,SAAaD,EAAEJ,EAAE,SAAS,MAAMM,CAAC,GAAG,CAACP,EAAE,OAAOK,EAAE,OAAO,QAAQG,KAAK,EAAE,IAAaL,EAAE,MAAMK,EAAER,EAAE,OAAOA,EAAE,GAAGI,CAAC,KAAnC,OAAsC,OAAOD,CAAC,CAAC,CAAC,CAAC,CCA7lB,IAAOM,EAAQ,OACFC,EAAeC,GAAQA,aAAe,UCA5C,IAAMC,EAAU,IAAI,YACdC,EAAU,IAAI,YACrBC,GAAY,GAAK,GAChB,SAASC,KAAUC,EAAS,CAC/B,IAAMC,EAAOD,EAAQ,OAAO,CAACE,EAAK,CAAE,OAAAC,CAAO,IAAMD,EAAMC,EAAQ,CAAC,EAC1DC,EAAM,IAAI,WAAWH,CAAI,EAC3BI,EAAI,EACR,OAAAL,EAAQ,QAASM,GAAW,CACxBF,EAAI,IAAIE,EAAQD,CAAC,EACjBA,GAAKC,EAAO,MAChB,CAAC,EACMF,CACX,CCGO,IAAMG,GAAgBC,GAAY,CACrC,IAAMC,EAAS,KAAKD,CAAO,EACrBE,EAAQ,IAAI,WAAWD,EAAO,MAAM,EAC1C,QAASE,EAAI,EAAGA,EAAIF,EAAO,OAAQE,IAC/BD,EAAMC,GAAKF,EAAO,WAAWE,CAAC,EAElC,OAAOD,CACX,EACaE,EAAUC,GAAU,CAC7B,IAAIL,EAAUK,EACVL,aAAmB,aACnBA,EAAUM,EAAQ,OAAON,CAAO,GAEpCA,EAAUA,EAAQ,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EAAE,QAAQ,MAAO,EAAE,EACzE,GAAI,CACA,OAAOD,GAAaC,CAAO,CAC/B,MACA,CACI,MAAM,IAAI,UAAU,mDAAmD,CAC3E,CACJ,ECpCO,IAAMO,EAAN,cAAwB,KAAM,CACjC,YAAYC,EAAS,CACjB,IAAIC,EACJ,MAAMD,CAAO,EACb,KAAK,KAAO,mBACZ,KAAK,KAAO,KAAK,YAAY,MAC5BC,EAAK,MAAM,qBAAuB,MAAQA,IAAO,QAAkBA,EAAG,KAAK,MAAO,KAAM,KAAK,WAAW,CAC7G,CACA,WAAW,MAAO,CACd,MAAO,kBACX,CACJ,EACaC,EAAN,cAAuCH,CAAU,CACpD,YAAYC,EAASG,EAAQ,cAAeC,EAAS,cAAe,CAChE,MAAMJ,CAAO,EACb,KAAK,KAAO,kCACZ,KAAK,MAAQG,EACb,KAAK,OAASC,CAClB,CACA,WAAW,MAAO,CACd,MAAO,iCACX,CACJ,EACaC,EAAN,cAAyBN,CAAU,CACtC,YAAYC,EAASG,EAAQ,cAAeC,EAAS,cAAe,CAChE,MAAMJ,CAAO,EACb,KAAK,KAAO,kBACZ,KAAK,MAAQG,EACb,KAAK,OAASC,CAClB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,EACaE,EAAN,cAAgCP,CAAU,CAC7C,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,0BAChB,CACA,WAAW,MAAO,CACd,MAAO,0BACX,CACJ,EACaQ,EAAN,cAA+BR,CAAU,CAC5C,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,wBAChB,CACA,WAAW,MAAO,CACd,MAAO,wBACX,CACJ,EAoBO,IAAMS,EAAN,cAAyBC,CAAU,CACtC,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,iBAChB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,EACaC,EAAN,cAAyBD,CAAU,CACtC,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,iBAChB,CACA,WAAW,MAAO,CACd,MAAO,iBACX,CACJ,EAiDO,IAAME,EAAN,cAA6CC,CAAU,CAC1D,aAAc,CACV,MAAM,GAAG,SAAS,EAClB,KAAK,KAAO,wCACZ,KAAK,QAAU,+BACnB,CACA,WAAW,MAAO,CACd,MAAO,uCACX,CACJ,ECjJA,IAAOC,EAAQC,EAAO,gBAAgB,KAAKA,CAAM,ECD1C,SAASC,GAAsB,CAClC,OAAQ,OAAO,cAAkB,KAC5B,OAAO,UAAc,KAAe,UAAU,YAAc,sBAC5D,OAAO,YAAgB,KAAe,cAAgB,QAC/D,CCHA,SAASC,EAASC,EAAMC,EAAO,iBAAkB,CAC7C,OAAO,IAAI,UAAU,kDAAkDA,aAAgBD,GAAM,CACjG,CACA,SAASE,EAAYC,EAAWH,EAAM,CAClC,OAAOG,EAAU,OAASH,CAC9B,CACA,SAASI,EAAcC,EAAM,CACzB,OAAO,SAASA,EAAK,KAAK,MAAM,CAAC,EAAG,EAAE,CAC1C,CACA,SAASC,GAAcC,EAAK,CACxB,OAAQA,EAAK,CACT,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,QACI,MAAM,IAAI,MAAM,aAAa,CACrC,CACJ,CACA,SAASC,GAAWC,EAAKC,EAAQ,CAC7B,GAAIA,EAAO,QAAU,CAACA,EAAO,KAAMC,GAAaF,EAAI,OAAO,SAASE,CAAQ,CAAC,EAAG,CAC5E,IAAIC,EAAM,sEACV,GAAIF,EAAO,OAAS,EAAG,CACnB,IAAMG,EAAOH,EAAO,IAAI,EACxBE,GAAO,UAAUF,EAAO,KAAK,IAAI,SAASG,IAC9C,MACSH,EAAO,SAAW,EACvBE,GAAO,UAAUF,EAAO,SAASA,EAAO,MAGxCE,GAAO,GAAGF,EAAO,MAErB,MAAM,IAAI,UAAUE,CAAG,CAC3B,CACJ,CACO,SAASE,GAAkBL,EAAKF,KAAQG,EAAQ,CACnD,OAAQH,EAAK,CACT,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACL,EAAYO,EAAI,UAAW,MAAM,EAClC,MAAMV,EAAS,MAAM,EACzB,IAAMY,EAAW,SAASJ,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeH,EAAcK,EAAI,UAAU,IAAI,IAChCE,EACX,MAAMZ,EAAS,OAAOY,IAAY,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYO,EAAI,UAAW,mBAAmB,EAC/C,MAAMV,EAAS,mBAAmB,EACtC,IAAMY,EAAW,SAASJ,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeH,EAAcK,EAAI,UAAU,IAAI,IAChCE,EACX,MAAMZ,EAAS,OAAOY,IAAY,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYO,EAAI,UAAW,SAAS,EACrC,MAAMV,EAAS,SAAS,EAC5B,IAAMY,EAAW,SAASJ,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeH,EAAcK,EAAI,UAAU,IAAI,IAChCE,EACX,MAAMZ,EAAS,OAAOY,IAAY,gBAAgB,EACtD,KACJ,CACA,KAAKI,EAAoB,GAAK,SAAS,CACnC,GAAI,CAACb,EAAYO,EAAI,UAAW,cAAc,EAC1C,MAAMV,EAAS,cAAc,EACjC,KACJ,CACA,IAAK,QAAS,CACV,GAAIU,EAAI,UAAU,OAAS,WAAaA,EAAI,UAAU,OAAS,QAC3D,MAAMV,EAAS,kBAAkB,EAErC,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACG,EAAYO,EAAI,UAAW,OAAO,EACnC,MAAMV,EAAS,OAAO,EAC1B,IAAMY,EAAWL,GAAcC,CAAG,EAElC,GADeE,EAAI,UAAU,aACdE,EACX,MAAMZ,EAASY,EAAU,sBAAsB,EACnD,KACJ,CACA,QACI,MAAM,IAAI,UAAU,2CAA2C,CACvE,CACAH,GAAWC,EAAKC,CAAM,CAC1B,CCnGA,SAASM,GAAQC,EAAKC,KAAWC,EAAO,CACpC,GAAIA,EAAM,OAAS,EAAG,CAClB,IAAMC,EAAOD,EAAM,IAAI,EACvBF,GAAO,eAAeE,EAAM,KAAK,IAAI,SAASC,IAClD,MACSD,EAAM,SAAW,EACtBF,GAAO,eAAeE,EAAM,SAASA,EAAM,MAG3CF,GAAO,WAAWE,EAAM,MAE5B,OAAID,GAAU,KACVD,GAAO,aAAaC,IAEf,OAAOA,GAAW,YAAcA,EAAO,KAC5CD,GAAO,sBAAsBC,EAAO,OAE/B,OAAOA,GAAW,UAAYA,GAAU,MACzCA,EAAO,aAAeA,EAAO,YAAY,OACzCD,GAAO,4BAA4BC,EAAO,YAAY,QAGvDD,CACX,CACA,IAAOI,EAAQ,CAACH,KAAWC,IAChBH,GAAQ,eAAgBE,EAAQ,GAAGC,CAAK,EAE5C,SAASG,EAAQC,EAAKL,KAAWC,EAAO,CAC3C,OAAOH,GAAQ,eAAeO,uBAA0BL,EAAQ,GAAGC,CAAK,CAC5E,CC5BA,IAAOK,EAASC,GACLC,EAAYD,CAAG,EAEbE,EAAQ,CAAC,WAAW,ECJjC,IAAMC,GAAa,IAAIC,IAAY,CAC/B,IAAMC,EAAUD,EAAQ,OAAO,OAAO,EACtC,GAAIC,EAAQ,SAAW,GAAKA,EAAQ,SAAW,EAC3C,MAAO,GAEX,IAAIC,EACJ,QAAWC,KAAUF,EAAS,CAC1B,IAAMG,EAAa,OAAO,KAAKD,CAAM,EACrC,GAAI,CAACD,GAAOA,EAAI,OAAS,EAAG,CACxBA,EAAM,IAAI,IAAIE,CAAU,EACxB,QACJ,CACA,QAAWC,KAAaD,EAAY,CAChC,GAAIF,EAAI,IAAIG,CAAS,EACjB,MAAO,GAEXH,EAAI,IAAIG,CAAS,CACrB,CACJ,CACA,MAAO,EACX,EACOC,EAAQP,GCrBf,SAASQ,GAAaC,EAAO,CACzB,OAAO,OAAOA,GAAU,UAAYA,IAAU,IAClD,CACe,SAARC,EAA0BC,EAAO,CACpC,GAAI,CAACH,GAAaG,CAAK,GAAK,OAAO,UAAU,SAAS,KAAKA,CAAK,IAAM,kBAClE,MAAO,GAEX,GAAI,OAAO,eAAeA,CAAK,IAAM,KACjC,MAAO,GAEX,IAAIC,EAAQD,EACZ,KAAO,OAAO,eAAeC,CAAK,IAAM,MACpCA,EAAQ,OAAO,eAAeA,CAAK,EAEvC,OAAO,OAAO,eAAeD,CAAK,IAAMC,CAC5C,CCfA,IAAOC,EAAQ,CAACC,EAAKC,IAAQ,CACzB,GAAID,EAAI,WAAW,IAAI,GAAKA,EAAI,WAAW,IAAI,EAAG,CAC9C,GAAM,CAAE,cAAAE,CAAc,EAAID,EAAI,UAC9B,GAAI,OAAOC,GAAkB,UAAYA,EAAgB,KACrD,MAAM,IAAI,UAAU,GAAGF,wDAA0D,CAEzF,CACJ,ECkBA,IAAMG,EAAU,CAACC,EAASC,EAAKC,EAAO,IAAM,CACpCA,IAAS,IACTD,EAAI,QAAQA,EAAI,MAAM,EACtBA,EAAI,QAAQ,CAAI,GAEpB,IAAIE,EAAIH,EAAQ,QAAQC,EAAI,GAAIC,CAAI,EACpC,GAAIC,IAAM,GACN,MAAO,GACX,IAAMC,EAAMJ,EAAQ,SAASG,EAAGA,EAAIF,EAAI,MAAM,EAC9C,OAAIG,EAAI,SAAWH,EAAI,OACZ,GACJG,EAAI,MAAM,CAACC,EAAOC,IAAUD,IAAUJ,EAAIK,EAAM,GAAKP,EAAQC,EAASC,EAAKE,EAAI,CAAC,CAC3F,EACMI,EAAiBP,GAAY,CAC/B,OAAQ,GAAM,CACV,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAM,IAAM,GAAM,EAAM,EAAM,CAAI,CAAC,EAClE,MAAO,QACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,EAAM,EAAM,EAAI,CAAC,EAChD,MAAO,QACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,EAAM,EAAM,EAAI,CAAC,EAChD,MAAO,QACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,SACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,OACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,UACX,KAAKD,EAAQC,EAAS,CAAC,GAAM,IAAM,GAAI,CAAC,EACpC,MAAO,QACX,QACI,MAAM,IAAIQ,EAAiB,yDAAyD,CAC5F,CACJ,EACMC,GAAgB,MAAOC,EAASC,EAAWC,EAAKC,EAAKC,IAAY,CACnE,IAAIC,EACJ,IAAIC,EACAC,EACEjB,EAAU,IAAI,WAAW,KAAKY,EAAI,QAAQF,EAAS,EAAE,CAAC,EACvD,MAAM,EAAE,EACR,IAAKQ,GAAMA,EAAE,WAAW,CAAC,CAAC,CAAC,EAC1BC,EAAWR,IAAc,OAC/B,OAAQE,EAAK,CACT,IAAK,QACL,IAAK,QACL,IAAK,QACDG,EAAY,CAAE,KAAM,UAAW,KAAM,OAAOH,EAAI,MAAM,EAAE,GAAI,EAC5DI,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,QACL,IAAK,QACL,IAAK,QACDH,EAAY,CAAE,KAAM,oBAAqB,KAAM,OAAOH,EAAI,MAAM,EAAE,GAAI,EACtEI,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,WACL,IAAK,eACL,IAAK,eACL,IAAK,eACDH,EAAY,CACR,KAAM,WACN,KAAM,OAAO,SAASH,EAAI,MAAM,EAAE,EAAG,EAAE,GAAK,GAChD,EACAI,EAAYE,EAAW,CAAC,UAAW,SAAS,EAAI,CAAC,UAAW,WAAW,EACvE,MACJ,IAAK,QACDH,EAAY,CAAE,KAAM,QAAS,WAAY,OAAQ,EACjDC,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,QACDH,EAAY,CAAE,KAAM,QAAS,WAAY,OAAQ,EACjDC,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,QACDH,EAAY,CAAE,KAAM,QAAS,WAAY,OAAQ,EACjDC,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBAAkB,CACnB,IAAMC,EAAab,EAAcP,CAAO,EACxCgB,EAAYI,EAAW,WAAW,IAAI,EAAI,CAAE,KAAM,OAAQ,WAAAA,CAAW,EAAI,CAAE,KAAMA,CAAW,EAC5FH,EAAYE,EAAW,CAAC,EAAI,CAAC,YAAY,EACzC,KACJ,CACA,KAAKE,EAAoB,GAAK,SAAS,CACnC,IAAMD,EAAab,EAAcP,CAAO,EAAE,YAAY,EACtDgB,EAAY,CAAE,KAAM,QAAQI,IAAc,WAAY,QAAQA,GAAa,EAC3EH,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,KACJ,CACA,IAAK,QACDH,EAAY,CAAE,KAAMT,EAAcP,CAAO,CAAE,EAC3CiB,EAAYE,EAAW,CAAC,QAAQ,EAAI,CAAC,MAAM,EAC3C,MACJ,QACI,MAAM,IAAIX,EAAiB,gDAAgD,CACnF,CACA,OAAOc,EAAO,OAAO,UAAUX,EAAWX,EAASgB,GAAYD,EAAuDD,GAAQ,eAAiB,MAAQC,IAAO,OAASA,EAAK,GAAOE,CAAS,CAChM,EAIO,IAAMM,GAAW,CAACC,EAAKC,EAAKC,IACxBC,GAAc,6CAA8C,OAAQH,EAAKC,EAAKC,CAAO,ECtDhG,eAAsBE,GAAWC,EAAMC,EAAKC,EAAS,CACjD,GAAI,OAAOF,GAAS,UAAYA,EAAK,QAAQ,4BAA4B,IAAM,EAC3E,MAAM,IAAI,UAAU,sCAAsC,EAE9D,OAAOG,GAAaH,EAAMC,EAAKC,CAAO,CAC1C,CC9EA,IAAME,GAAqB,CAACC,EAAKC,IAAQ,CACrC,GAAI,EAAAA,aAAe,YAEnB,IAAI,CAACC,EAAUD,CAAG,EACd,MAAM,IAAI,UAAUE,EAAgBH,EAAKC,EAAK,GAAGG,EAAO,YAAY,CAAC,EAEzE,GAAIH,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,+DAA+D,EAE/G,EACMC,GAAsB,CAACL,EAAKC,EAAKK,IAAU,CAC7C,GAAI,CAACJ,EAAUD,CAAG,EACd,MAAM,IAAI,UAAUE,EAAgBH,EAAKC,EAAK,GAAGG,CAAK,CAAC,EAE3D,GAAIH,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,oEAAoE,EAEhH,GAAIE,IAAU,QAAUL,EAAI,OAAS,SACjC,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,wEAAwE,EAEpH,GAAIE,IAAU,WAAaL,EAAI,OAAS,SACpC,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,2EAA2E,EAEvH,GAAIH,EAAI,WAAaK,IAAU,UAAYL,EAAI,OAAS,UACpD,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,yEAAyE,EAErH,GAAIH,EAAI,WAAaK,IAAU,WAAaL,EAAI,OAAS,UACrD,MAAM,IAAI,UAAU,GAAGG,EAAM,KAAK,MAAM,0EAA0E,CAE1H,EACMG,GAAe,CAACP,EAAKC,EAAKK,IAAU,CACpBN,EAAI,WAAW,IAAI,GACjCA,IAAQ,OACRA,EAAI,WAAW,OAAO,GACtB,qBAAqB,KAAKA,CAAG,EAE7BD,GAAmBC,EAAKC,CAAG,EAG3BI,GAAoBL,EAAKC,EAAKK,CAAK,CAE3C,EACOE,EAAQD,GC3Cf,SAASE,GAAaC,EAAKC,EAAmBC,EAAkBC,EAAiBC,EAAY,CACzF,GAAIA,EAAW,OAAS,QAAaD,EAAgB,OAAS,OAC1D,MAAM,IAAIH,EAAI,gEAAgE,EAElF,GAAI,CAACG,GAAmBA,EAAgB,OAAS,OAC7C,OAAO,IAAI,IAEf,GAAI,CAAC,MAAM,QAAQA,EAAgB,IAAI,GACnCA,EAAgB,KAAK,SAAW,GAChCA,EAAgB,KAAK,KAAME,GAAU,OAAOA,GAAU,UAAYA,EAAM,SAAW,CAAC,EACpF,MAAM,IAAIL,EAAI,uFAAuF,EAEzG,IAAIM,EACAJ,IAAqB,OACrBI,EAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQJ,CAAgB,EAAG,GAAGD,EAAkB,QAAQ,CAAC,CAAC,EAG1FK,EAAaL,EAEjB,QAAWM,KAAaJ,EAAgB,KAAM,CAC1C,GAAI,CAACG,EAAW,IAAIC,CAAS,EACzB,MAAM,IAAIC,EAAiB,+BAA+BD,sBAA8B,EAE5F,GAAIH,EAAWG,KAAe,OAC1B,MAAM,IAAIP,EAAI,+BAA+BO,eAAuB,EAEnE,GAAID,EAAW,IAAIC,CAAS,GAAKJ,EAAgBI,KAAe,OACjE,MAAM,IAAIP,EAAI,+BAA+BO,gCAAwC,CAE7F,CACA,OAAO,IAAI,IAAIJ,EAAgB,IAAI,CACvC,CACA,IAAOM,EAAQV,GCjCf,IAAMW,GAAqB,CAACC,EAAQC,IAAe,CAC/C,GAAIA,IAAe,SACd,CAAC,MAAM,QAAQA,CAAU,GAAKA,EAAW,KAAMC,GAAM,OAAOA,GAAM,QAAQ,GAC3E,MAAM,IAAI,UAAU,IAAIF,uCAA4C,EAExE,GAAI,EAACC,EAGL,OAAO,IAAI,IAAIA,CAAU,CAC7B,EACOE,GAAQJ,GCDR,IAAMK,GAAc,OAAO,ECPnB,SAARC,EAA2BC,EAAKC,EAAW,CAC9C,IAAMC,EAAO,OAAOF,EAAI,MAAM,EAAE,IAChC,OAAQA,EAAK,CACT,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAE,EAAM,KAAM,MAAO,EAChC,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,UAAW,WAAYF,EAAI,MAAM,EAAE,GAAK,CAAE,EACnE,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAE,EAAM,KAAM,mBAAoB,EAC7C,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,QAAS,WAAYD,EAAU,UAAW,EACnE,KAAKE,EAAoB,GAAK,SAC1B,GAAM,CAAE,WAAAC,CAAW,EAAIH,EACvB,MAAO,CAAE,KAAMG,EAAY,WAAAA,CAAW,EAC1C,IAAK,QACD,MAAO,CAAE,KAAMH,EAAU,IAAK,EAClC,QACI,MAAM,IAAII,EAAiB,OAAOL,8DAAgE,CAC1G,CACJ,CCzBe,SAARM,EAA8BC,EAAKC,EAAKC,EAAO,CAClD,GAAIC,EAAYF,CAAG,EACf,OAAAG,GAAkBH,EAAKD,EAAKE,CAAK,EAC1BD,EAEX,GAAIA,aAAe,WAAY,CAC3B,GAAI,CAACD,EAAI,WAAW,IAAI,EACpB,MAAM,IAAI,UAAUK,EAAgBJ,EAAK,GAAGK,CAAK,CAAC,EAEtD,OAAOC,EAAO,OAAO,UAAU,MAAON,EAAK,CAAE,KAAM,OAAOD,EAAI,MAAM,EAAE,IAAK,KAAM,MAAO,EAAG,GAAO,CAACE,CAAK,CAAC,CAC7G,CACA,MAAM,IAAI,UAAUG,EAAgBJ,EAAK,GAAGK,EAAO,YAAY,CAAC,CACpE,CCZA,IAAME,GAAS,MAAOC,EAAKC,EAAKC,EAAWC,IAAS,CAChD,IAAMC,EAAY,MAAMC,EAAaL,EAAKC,EAAK,QAAQ,EACvDK,EAAeN,EAAKI,CAAS,EAC7B,IAAMG,EAAYC,EAAgBR,EAAKI,EAAU,SAAS,EAC1D,GAAI,CACA,OAAO,MAAMK,EAAO,OAAO,OAAOF,EAAWH,EAAWF,EAAWC,CAAI,CAC3E,MACA,CACI,MAAO,EACX,CACJ,EACOO,GAAQX,GCNf,eAAsBY,EAAgBC,EAAKC,EAAKC,EAAS,CACrD,IAAIC,EACJ,GAAI,CAACC,EAASJ,CAAG,EACb,MAAM,IAAIK,EAAW,iCAAiC,EAE1D,GAAIL,EAAI,YAAc,QAAaA,EAAI,SAAW,OAC9C,MAAM,IAAIK,EAAW,uEAAuE,EAEhG,GAAIL,EAAI,YAAc,QAAa,OAAOA,EAAI,WAAc,SACxD,MAAM,IAAIK,EAAW,qCAAqC,EAE9D,GAAIL,EAAI,UAAY,OAChB,MAAM,IAAIK,EAAW,qBAAqB,EAE9C,GAAI,OAAOL,EAAI,WAAc,SACzB,MAAM,IAAIK,EAAW,yCAAyC,EAElE,GAAIL,EAAI,SAAW,QAAa,CAACI,EAASJ,EAAI,MAAM,EAChD,MAAM,IAAIK,EAAW,uCAAuC,EAEhE,IAAIC,EAAa,CAAC,EAClB,GAAIN,EAAI,UACJ,GAAI,CACA,IAAMO,GAAkBC,EAAUR,EAAI,SAAS,EAC/CM,EAAa,KAAK,MAAMG,EAAQ,OAAOF,EAAe,CAAC,CAC3D,MACA,CACI,MAAM,IAAIF,EAAW,iCAAiC,CAC1D,CAEJ,GAAI,CAACK,EAAWJ,EAAYN,EAAI,MAAM,EAClC,MAAM,IAAIK,EAAW,2EAA2E,EAEpG,IAAMM,EAAa,CACf,GAAGL,EACH,GAAGN,EAAI,MACX,EACMY,EAAaC,EAAaR,EAAY,IAAI,IAAI,CAAC,CAAC,MAAO,EAAI,CAAC,CAAC,EAAqDH,GAAQ,KAAMI,EAAYK,CAAU,EACxJG,EAAM,GACV,GAAIF,EAAW,IAAI,KAAK,IACpBE,EAAMR,EAAW,IACb,OAAOQ,GAAQ,WACf,MAAM,IAAIT,EAAW,yEAAyE,EAGtG,GAAM,CAAE,IAAAU,CAAI,EAAIJ,EAChB,GAAI,OAAOI,GAAQ,UAAY,CAACA,EAC5B,MAAM,IAAIV,EAAW,2DAA2D,EAEpF,IAAMW,EAAad,GAAWe,GAAmB,aAAcf,EAAQ,UAAU,EACjF,GAAIc,GAAc,CAACA,EAAW,IAAID,CAAG,EACjC,MAAM,IAAIG,EAAkB,gDAAgD,EAEhF,GAAIJ,GACA,GAAI,OAAOd,EAAI,SAAY,SACvB,MAAM,IAAIK,EAAW,8BAA8B,UAGlD,OAAOL,EAAI,SAAY,UAAY,EAAEA,EAAI,mBAAmB,YACjE,MAAM,IAAIK,EAAW,wDAAwD,EAEjF,IAAIc,EAAc,GACd,OAAOlB,GAAQ,aACfA,EAAM,MAAMA,EAAIK,EAAYN,CAAG,EAC/BmB,EAAc,IAElBC,EAAaL,EAAKd,EAAK,QAAQ,EAC/B,IAAMoB,EAAOC,EAAOC,EAAQ,QAAQpB,EAAKH,EAAI,aAAe,MAAQG,IAAO,OAASA,EAAK,EAAE,EAAGoB,EAAQ,OAAO,GAAG,EAAG,OAAOvB,EAAI,SAAY,SAAWuB,EAAQ,OAAOvB,EAAI,OAAO,EAAIA,EAAI,OAAO,EACxLwB,EAAYhB,EAAUR,EAAI,SAAS,EAEzC,GAAI,CADa,MAAMyB,GAAOV,EAAKd,EAAKuB,EAAWH,CAAI,EAEnD,MAAM,IAAIK,EAEd,IAAIC,EACAb,EACAa,EAAUnB,EAAUR,EAAI,OAAO,EAE1B,OAAOA,EAAI,SAAY,SAC5B2B,EAAUJ,EAAQ,OAAOvB,EAAI,OAAO,EAGpC2B,EAAU3B,EAAI,QAElB,IAAM4B,EAAS,CAAE,QAAAD,CAAQ,EAOzB,OANI3B,EAAI,YAAc,SAClB4B,EAAO,gBAAkBtB,GAEzBN,EAAI,SAAW,SACf4B,EAAO,kBAAoB5B,EAAI,QAE/BmB,EACO,CAAE,GAAGS,EAAQ,IAAA3B,CAAI,EAErB2B,CACX,CCpGA,eAAsBC,GAAcC,EAAKC,EAAKC,EAAS,CAInD,GAHIF,aAAe,aACfA,EAAMG,EAAQ,OAAOH,CAAG,GAExB,OAAOA,GAAQ,SACf,MAAM,IAAII,EAAW,4CAA4C,EAErE,GAAM,CAAE,EAAGC,EAAiB,EAAGC,EAAS,EAAGC,EAAW,OAAAC,CAAO,EAAIR,EAAI,MAAM,GAAG,EAC9E,GAAIQ,IAAW,EACX,MAAM,IAAIJ,EAAW,qBAAqB,EAE9C,IAAMK,EAAW,MAAMC,EAAgB,CAAE,QAAAJ,EAAS,UAAWD,EAAiB,UAAAE,CAAU,EAAGN,EAAKC,CAAO,EACjGS,EAAS,CAAE,QAASF,EAAS,QAAS,gBAAiBA,EAAS,eAAgB,EACtF,OAAI,OAAOR,GAAQ,WACR,CAAE,GAAGU,EAAQ,IAAKF,EAAS,GAAI,EAEnCE,CACX,CCpBA,IAAOC,GAASC,GAAS,KAAK,MAAMA,EAAK,QAAQ,EAAI,GAAI,ECKzD,IAAMC,GAAQ,sGACPC,EAASC,GAAQ,CACpB,IAAMC,EAAUH,GAAM,KAAKE,CAAG,EAC9B,GAAI,CAACC,EACD,MAAM,IAAI,UAAU,4BAA4B,EAEpD,IAAMC,EAAQ,WAAWD,EAAQ,EAAE,EAEnC,OADaA,EAAQ,GAAG,YAAY,EACtB,CACV,IAAK,MACL,IAAK,OACL,IAAK,SACL,IAAK,UACL,IAAK,IACD,OAAO,KAAK,MAAMC,CAAK,EAC3B,IAAK,SACL,IAAK,UACL,IAAK,MACL,IAAK,OACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,EAAM,EACpC,IAAK,OACL,IAAK,QACL,IAAK,KACL,IAAK,MACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,IAAI,EAClC,IAAK,MACL,IAAK,OACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,KAAG,EACjC,IAAK,OACL,IAAK,QACL,IAAK,IACD,OAAO,KAAK,MAAMA,EAAQ,MAAI,EAClC,QACI,OAAO,KAAK,MAAMA,EAAQ,QAAI,CACtC,CACJ,ECtCA,IAAMC,GAAgBC,GAAUA,EAAM,YAAY,EAAE,QAAQ,iBAAkB,EAAE,EAC1EC,GAAwB,CAACC,EAAYC,IACnC,OAAOD,GAAe,SACfC,EAAU,SAASD,CAAU,EAEpC,MAAM,QAAQA,CAAU,EACjBC,EAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAID,CAAU,CAAC,CAAC,EAE9D,GAEJE,EAAQ,CAACC,EAAiBC,EAAgBC,EAAU,CAAC,IAAM,CAC9D,GAAM,CAAE,IAAAC,CAAI,EAAID,EAChB,GAAIC,IACC,OAAOH,EAAgB,KAAQ,UAC5BN,GAAaM,EAAgB,GAAG,IAAMN,GAAaS,CAAG,GAC1D,MAAM,IAAIC,EAAyB,oCAAqC,MAAO,cAAc,EAEjG,IAAIC,EACJ,GAAI,CACAA,EAAU,KAAK,MAAMC,EAAQ,OAAOL,CAAc,CAAC,CACvD,MACA,CACA,CACA,GAAI,CAACM,EAASF,CAAO,EACjB,MAAM,IAAIG,EAAW,gDAAgD,EAEzE,GAAM,CAAE,OAAAC,CAAO,EAAIP,EACnB,GAAIO,GAAU,EAAE,MAAM,QAAQA,CAAM,EAAIA,EAAS,CAACA,CAAM,GAAG,SAASJ,EAAQ,GAAG,EAC3E,MAAM,IAAID,EAAyB,+BAAgC,MAAO,cAAc,EAE5F,GAAM,CAAE,QAAAM,CAAQ,EAAIR,EACpB,GAAIQ,GAAWL,EAAQ,MAAQK,EAC3B,MAAM,IAAIN,EAAyB,+BAAgC,MAAO,cAAc,EAE5F,GAAM,CAAE,SAAAO,CAAS,EAAIT,EACrB,GAAIS,GACA,CAACf,GAAsBS,EAAQ,IAAK,OAAOM,GAAa,SAAW,CAACA,CAAQ,EAAIA,CAAQ,EACxF,MAAM,IAAIP,EAAyB,+BAAgC,MAAO,cAAc,EAE5F,IAAIQ,EACJ,OAAQ,OAAOV,EAAQ,eAAgB,CACnC,IAAK,SACDU,EAAYC,EAAKX,EAAQ,cAAc,EACvC,MACJ,IAAK,SACDU,EAAYV,EAAQ,eACpB,MACJ,IAAK,YACDU,EAAY,EACZ,MACJ,QACI,MAAM,IAAI,UAAU,oCAAoC,CAChE,CACA,GAAM,CAAE,YAAAE,CAAY,EAAIZ,EAClBa,EAAMC,GAAMF,GAAe,IAAI,IAAM,EAC3C,IAAKT,EAAQ,MAAQ,QAAaH,EAAQ,cAAgB,OAAOG,EAAQ,KAAQ,SAC7E,MAAM,IAAID,EAAyB,+BAAgC,MAAO,SAAS,EAEvF,GAAIC,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgC,MAAO,SAAS,EAEvF,GAAIC,EAAQ,IAAMU,EAAMH,EACpB,MAAM,IAAIR,EAAyB,qCAAsC,MAAO,cAAc,CAEtG,CACA,GAAIC,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgC,MAAO,SAAS,EAEvF,GAAIC,EAAQ,KAAOU,EAAMH,EACrB,MAAM,IAAIK,EAAW,qCAAsC,MAAO,cAAc,CAExF,CACA,GAAIf,EAAQ,YAAa,CACrB,IAAMgB,EAAMH,EAAMV,EAAQ,IACpBc,EAAM,OAAOjB,EAAQ,aAAgB,SAAWA,EAAQ,YAAcW,EAAKX,EAAQ,WAAW,EACpG,GAAIgB,EAAMN,EAAYO,EAClB,MAAM,IAAIF,EAAW,2DAA4D,MAAO,cAAc,EAE1G,GAAIC,EAAM,EAAIN,EACV,MAAM,IAAIR,EAAyB,gEAAiE,MAAO,cAAc,CAEjI,CACA,OAAOC,CACX,ECvFA,eAAsBe,GAAUC,EAAKC,EAAKC,EAAS,CAC/C,IAAIC,EACJ,IAAMC,EAAW,MAAMC,GAAcL,EAAKC,EAAKC,CAAO,EACtD,KAAMC,EAAKC,EAAS,gBAAgB,QAAU,MAAQD,IAAO,OAAS,OAASA,EAAG,SAAS,KAAK,IAAMC,EAAS,gBAAgB,MAAQ,GACnI,MAAM,IAAIE,EAAW,qCAAqC,EAG9D,IAAMC,EAAS,CAAE,QADDC,EAAWJ,EAAS,gBAAiBA,EAAS,QAASF,CAAO,EACpD,gBAAiBE,EAAS,eAAgB,EACpE,OAAI,OAAOH,GAAQ,WACR,CAAE,GAAGM,EAAQ,IAAKH,EAAS,GAAI,EAEnCG,CACX,CCEA,IAAME,GACF,oEAEJ,eAAsBC,EAClBC,EACAC,EACgB,CAEhB,GAAIA,EAAI,YAAc,OAClB,MAAO,GAIX,IAAMC,EAAQJ,GAAiB,KAAKE,EAAI,QAAQ,IAAI,eAAe,GAAK,EAAE,EAC1E,GAAI,CAACE,GAAS,CAACA,EAAM,GACjB,MAAO,GAIX,IAAMC,EAAK,MAAMC,GAAWH,EAAI,WAAY,OAAO,EACnD,GAAI,CACA,MAAMI,GAAUH,EAAM,GAAIC,EAAI,CAC1B,OAAQ,qBACR,SAAUF,EAAI,eACd,WAAY,CAAC,OAAO,EAEpB,eAAgB,GACpB,CAAC,CACL,OAASK,EAAP,CACE,eAAQ,MAAM,2BAA6BA,CAAG,EACvC,EACX,CAEA,MAAO,EACX,mBChCA,IAAMC,GAASC,GAAO,EAEjB,IACG,yBACA,MACIC,EACAC,IACoB,CAEpB,GAAI,CADS,MAAMC,EAAiBF,EAAKC,CAAG,EAExC,OAAO,IAAI,SAAS,eAAgB,CAAE,OAAQ,GAAI,CAAC,EAIvD,IAAME,EAAmB,CAAC,EACpBC,EAAe,CAAC,EAChBC,EAAe,CAAC,EAChBC,EAAM,OAAO,KAAKL,CAAG,EAC3B,QAASM,EAAI,EAAGA,EAAID,EAAI,OAAQC,IAAK,CACjC,GAAI,CAACD,EAAIC,GACL,SAEJ,IAAMC,EAAMP,EAAIK,EAAIC,IACpB,GAAI,GAACC,GAAO,OAAOA,GAAO,UAAY,CAACA,EAAI,aAG3C,OAAQA,EAAI,YAAY,KAAM,CAC1B,IAAK,cACDJ,EAAG,KAAKE,EAAIC,EAAE,EACd,MACJ,IAAK,QACDJ,EAAO,KAAKG,EAAIC,EAAE,EAClB,MACJ,IAAK,WAEDF,EAAG,KAAKC,EAAIC,EAAE,EACd,KACR,CACJ,CAEA,IAAME,EAAM,KAAK,UAAU,CACvB,QAAAC,GACA,OAAQP,GAAUA,EAAO,OAASA,EAAS,OAC3C,GAAIC,GAAMA,EAAG,OAASA,EAAK,OAC3B,GAAIC,GAAMA,EAAG,OAASA,EAAK,MAC/B,CAAC,EACD,OAAO,IAAI,SAASI,EAAK,CACrB,QAAS,CACL,eAAgB,kBACpB,CACJ,CAAC,CACL,CACJ,EAGC,IACG,sBACA,MACIT,EACAC,IACoB,CACpB,GAAM,CAAE,UAAAU,EAAW,IAAAC,EAAK,SAAAC,CAAS,EAAI,MAAMC,GAAed,EAAKC,CAAG,EAClE,GAAIY,EACA,OAAOA,EAGX,IAAME,EAAM,MAAMJ,EAAW,IAAIC,EAAM,QAAQ,EAC/C,OAAKG,EAIE,IAAI,SAASA,EAAK,CAAE,OAAQ,GAAI,CAAC,EAH7B,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,CAI/C,CACJ,EAGC,KACG,sBACA,MACIf,EACAC,IACoB,CACpB,GAAM,CAAE,UAAAU,EAAW,IAAAC,EAAK,SAAAC,CAAS,EAAI,MAAMC,GAAed,EAAKC,CAAG,EAClE,GAAIY,EACA,OAAOA,EAGX,IAAIG,EACEC,EAAS,IAAI,IAAIjB,EAAI,GAAG,EACxBkB,EAAW,SAASD,EAAO,aAAa,IAAI,KAAK,GAAI,GAAI,EAAE,EACjE,OAAIC,EAAW,IACXF,EAAgBE,GAEpB,MAAMP,EAAW,IAAIC,EAAMZ,EAAI,KAAO,CAAC,cAAAgB,CAAa,CAAC,EAE9C,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,CAC3C,CACJ,EAGC,OACG,sBACA,MACIhB,EACAC,IACoB,CACpB,GAAM,CAAE,UAAAU,EAAW,IAAAC,EAAK,SAAAC,CAAS,EAAI,MAAMC,GAAed,EAAKC,CAAG,EAClE,OAAIY,IAIJ,MAAMF,EAAW,OAAOC,CAAI,EAErB,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,EAC3C,CACJ,EAGC,KACG,iBACA,MACIZ,EACAC,IACoB,CACpB,GAAM,CAAE,MAAAkB,EAAO,SAAAN,CAAS,EAAI,MAAMO,GAAkBpB,EAAKC,CAAG,EAC5D,GAAIY,EACA,OAAOA,EAGX,IAAIQ,EAAU,MAAMrB,EAAI,KAAK,EAC7B,aAAMmB,EAAO,KAAKE,CAAO,EAClB,IAAI,SAAS,GAAI,CAAE,OAAQ,GAAI,CAAC,CAC3C,CACJ,EAGC,IAAI,IAAK,IACC,IAAI,SAAS,YAAa,CAAE,OAAQ,GAAI,CAAC,CACnD,EAGL,eAAeP,GACXd,EACAC,EAKD,CACC,GAAI,CAACD,GAAK,MAAQ,CAACA,EAAI,QAAQ,WAAa,CAACA,EAAI,QAAQ,IACrD,MAAO,CAAE,SAAU,IAAI,SAAS,cAAe,CAAE,OAAQ,GAAI,CAAC,CAAE,EAEpE,IAAMW,EAAYV,EAAID,EAAI,OAAO,WACjC,OAAI,OAAOW,GAAa,UAAYA,GAAW,aAAa,MAAQ,cACzD,CACH,SAAU,IAAI,SACV,8BAA8BX,EAAI,OAAO,MACzC,CAAE,OAAQ,GAAI,CAClB,CACJ,EAGS,MAAME,EAAiBF,EAAKC,CAAG,EAKrC,CAAE,UAAAU,EAAW,IAAKX,EAAI,OAAO,GAAI,EAH7B,CAAE,SAAU,IAAI,SAAS,eAAgB,CAAE,OAAQ,GAAI,CAAC,CAAE,CAIzE,CAGA,eAAeoB,GACXpB,EACAC,EACuD,CACvD,GAAI,CAACD,GAAK,MAAQ,CAACA,EAAI,QAAQ,MAC3B,MAAO,CAAE,SAAU,IAAI,SAAS,cAAe,CAAE,OAAQ,GAAI,CAAC,CAAE,EAEpE,IAAMmB,EAAQlB,EAAID,EAAI,OAAO,OAC7B,OAAI,OAAOmB,GAAS,UAAYA,GAAO,aAAa,MAAQ,QACjD,CACH,SAAU,IAAI,SACV,iCAAiCnB,EAAI,OAAO,SAC5C,CAAE,OAAQ,GAAI,CAClB,CACJ,EAGS,MAAME,EAAiBF,EAAKC,CAAG,EAKrC,CAAE,MAAAkB,CAAM,EAHJ,CAAE,SAAU,IAAI,SAAS,eAAgB,CAAE,OAAQ,GAAI,CAAC,CAAE,CAIzE,CAEA,IAAOG,GAAQ,CACX,MAAOxB,GAAO,MAClB", + "names": ["e", "t", "n", "a", "r", "o", "p", "s", "c", "webcrypto_default", "isCryptoKey", "key", "encoder", "decoder", "MAX_INT32", "concat", "buffers", "size", "acc", "length", "buf", "i", "buffer", "decodeBase64", "encoded", "binary", "bytes", "i", "decode", "input", "decoder", "JOSEError", "message", "_a", "JWTClaimValidationFailed", "claim", "reason", "JWTExpired", "JOSEAlgNotAllowed", "JOSENotSupported", "JWSInvalid", "JOSEError", "JWTInvalid", "JWSSignatureVerificationFailed", "JOSEError", "random_default", "webcrypto_default", "isCloudflareWorkers", "unusable", "name", "prop", "isAlgorithm", "algorithm", "getHashLength", "hash", "getNamedCurve", "alg", "checkUsage", "key", "usages", "expected", "msg", "last", "checkSigCryptoKey", "isCloudflareWorkers", "message", "msg", "actual", "types", "last", "invalid_key_input_default", "withAlg", "alg", "is_key_like_default", "key", "isCryptoKey", "types", "isDisjoint", "headers", "sources", "acc", "header", "parameters", "parameter", "is_disjoint_default", "isObjectLike", "value", "isObject", "input", "proto", "check_key_length_default", "alg", "key", "modulusLength", "findOid", "keyData", "oid", "from", "i", "sub", "value", "index", "getNamedCurve", "JOSENotSupported", "genericImport", "replace", "keyFormat", "pem", "alg", "options", "_a", "algorithm", "keyUsages", "c", "isPublic", "namedCurve", "isCloudflareWorkers", "webcrypto_default", "fromSPKI", "pem", "alg", "options", "genericImport", "importSPKI", "spki", "alg", "options", "fromSPKI", "symmetricTypeCheck", "alg", "key", "is_key_like_default", "withAlg", "types", "asymmetricTypeCheck", "usage", "checkKeyType", "check_key_type_default", "validateCrit", "Err", "recognizedDefault", "recognizedOption", "protectedHeader", "joseHeader", "input", "recognized", "parameter", "JOSENotSupported", "validate_crit_default", "validateAlgorithms", "option", "algorithms", "s", "validate_algorithms_default", "unprotected", "subtleDsa", "alg", "algorithm", "hash", "isCloudflareWorkers", "namedCurve", "JOSENotSupported", "getCryptoKey", "alg", "key", "usage", "isCryptoKey", "checkSigCryptoKey", "invalid_key_input_default", "types", "webcrypto_default", "verify", "alg", "key", "signature", "data", "cryptoKey", "getCryptoKey", "check_key_length_default", "algorithm", "subtleDsa", "webcrypto_default", "verify_default", "flattenedVerify", "jws", "key", "options", "_a", "isObject", "JWSInvalid", "parsedProt", "protectedHeader", "decode", "decoder", "is_disjoint_default", "joseHeader", "extensions", "validate_crit_default", "b64", "alg", "algorithms", "validate_algorithms_default", "JOSEAlgNotAllowed", "resolvedKey", "check_key_type_default", "data", "concat", "encoder", "signature", "verify_default", "JWSSignatureVerificationFailed", "payload", "result", "compactVerify", "jws", "key", "options", "decoder", "JWSInvalid", "protectedHeader", "payload", "signature", "length", "verified", "flattenedVerify", "result", "epoch_default", "date", "REGEX", "secs_default", "str", "matched", "value", "normalizeTyp", "value", "checkAudiencePresence", "audPayload", "audOption", "jwt_claims_set_default", "protectedHeader", "encodedPayload", "options", "typ", "JWTClaimValidationFailed", "payload", "decoder", "isObject", "JWTInvalid", "issuer", "subject", "audience", "tolerance", "secs_default", "currentDate", "now", "epoch_default", "JWTExpired", "age", "max", "jwtVerify", "jwt", "key", "options", "_a", "verified", "compactVerify", "JWTInvalid", "result", "jwt_claims_set_default", "tokenHeaderMatch", "AuthorizeRequest", "req", "env", "match", "pk", "importSPKI", "jwtVerify", "err", "router", "e", "req", "env", "AuthorizeRequest", "queues", "kv", "r2", "all", "i", "obj", "res", "version", "namespace", "key", "errorRes", "setupKVRequest", "val", "expirationTtl", "reqUrl", "ttlParam", "queue", "setupQueueRequest", "message", "worker_default"] } diff --git a/pubsub/solace/amqp/amqp.go b/pubsub/solace/amqp/amqp.go new file mode 100644 index 000000000..137a77c18 --- /dev/null +++ b/pubsub/solace/amqp/amqp.go @@ -0,0 +1,292 @@ +/* +Copyright 2021 The Dapr Authors +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package amqp + +import ( + "context" + "crypto/tls" + "crypto/x509" + "errors" + "fmt" + "net/url" + "strconv" + "strings" + "sync" + time "time" + + amqp "github.com/Azure/go-amqp" + + "github.com/dapr/components-contrib/pubsub" + "github.com/dapr/kit/logger" +) + +const ( + publishRetryWaitSeconds = 2 + publishMaxRetries = 3 +) + +// amqpPubSub type allows sending and receiving data to/from an AMQP 1.0 broker +type amqpPubSub struct { + session *amqp.Session + metadata *metadata + logger logger.Logger + publishLock sync.RWMutex + publishRetryCount int + ctx context.Context + cancel context.CancelFunc +} + +// NewAMQPPubsub returns a new AMQPPubSub instance +func NewAMQPPubsub(logger logger.Logger) pubsub.PubSub { + return &amqpPubSub{ + logger: logger, + publishLock: sync.RWMutex{}, + } +} + +// Init parses the metadata and creates a new Pub Sub Client. +func (a *amqpPubSub) Init(metadata pubsub.Metadata) error { + amqpMeta, err := parseAMQPMetaData(metadata, a.logger) + if err != nil { + return err + } + + a.metadata = amqpMeta + + a.ctx, a.cancel = context.WithCancel(context.Background()) + + s, err := a.connect() + if err != nil { + return err + } + + a.session = s + + return err +} + +func AddPrefixToAddress(t string) string { + dest := t + + // Unless the request comes in to publish on a queue, publish directly on a topic + if !strings.HasPrefix(dest, "queue:") && !strings.HasPrefix(dest, "topic:") { + dest = "topic://" + dest + } else if strings.HasPrefix(dest, "queue:") { + dest = strings.Replace(dest, "queue:", "queue://", 1) + } else if strings.HasPrefix(dest, "topic:") { + dest = strings.Replace(dest, "topic:", "topic://", 1) + } + + return dest +} + +// Publish the topic to amqp pubsub +func (a *amqpPubSub) Publish(ctx context.Context, req *pubsub.PublishRequest) error { + a.publishLock.Lock() + defer a.publishLock.Unlock() + + a.publishRetryCount = 0 + + if req.Topic == "" { + return errors.New("topic name is empty") + } + + m := amqp.NewMessage(req.Data) + + // If the request has ttl specified, put it on the message header + ttlProp := req.Metadata["ttlInSeconds"] + if ttlProp != "" { + ttlInSeconds, err := strconv.Atoi(ttlProp) + if err != nil { + a.logger.Warnf("Invalid ttl received from message %s", ttlInSeconds) + } else { + m.Header.TTL = time.Second * time.Duration(ttlInSeconds) + } + } + + sender, err := a.session.NewSender(ctx, + AddPrefixToAddress(req.Topic), + nil, + ) + + if err != nil { + a.logger.Errorf("Unable to create link to %s", req.Topic, err) + } else { + err = sender.Send(ctx, m) + + // If the publish operation has failed, attempt to republish a maximum number of times + // before giving up + if err != nil { + for a.publishRetryCount <= publishMaxRetries { + a.publishRetryCount++ + + // Send message + err = sender.Send(ctx, m) + + if err != nil { + a.logger.Warnf("Failed to publish a message to the broker", err) + } + time.Sleep(publishRetryWaitSeconds * time.Second) + } + } + } + + return err +} + +func (a *amqpPubSub) Subscribe(ctx context.Context, req pubsub.SubscribeRequest, handler pubsub.Handler) error { + prefixedTopic := AddPrefixToAddress(req.Topic) + + receiver, err := a.session.NewReceiver(a.ctx, + prefixedTopic, + nil, + ) + + if err == nil { + a.logger.Infof("Attempting to subscribe to %s", prefixedTopic) + go a.subscribeForever(ctx, receiver, handler, prefixedTopic) + } else { + a.logger.Error("Unable to create a receiver:", err) + } + + return err +} + +// function that subscribes to a queue in a tight loop +func (a *amqpPubSub) subscribeForever(ctx context.Context, receiver *amqp.Receiver, handler pubsub.Handler, t string) { + for { + // Receive next message + msg, err := receiver.Receive(ctx) + + if msg != nil { + data := msg.GetData() + + // if data is empty, then check the value field for data + if data == nil || len(data) == 0 { + data = []byte(fmt.Sprint(msg.Value)) + } + + pubsubMsg := &pubsub.NewMessage{ + Data: data, + Topic: msg.LinkName(), + } + + if err != nil { + a.logger.Errorf("failed to establish receiver") + } + + err = handler(ctx, pubsubMsg) + + if err == nil { + err := receiver.AcceptMessage(ctx, msg) + a.logger.Debugf("ACKed a message") + if err != nil { + a.logger.Errorf("failed to acknowledge a message") + } + } else { + a.logger.Errorf("Error processing message from %s", msg.LinkName()) + a.logger.Debugf("NAKd a message") + err := receiver.RejectMessage(ctx, msg, nil) + if err != nil { + a.logger.Errorf("failed to NAK a message") + } + } + } + } +} + +// Connect to the AMQP broker +func (a *amqpPubSub) connect() (*amqp.Session, error) { + uri, err := url.Parse(a.metadata.url) + if err != nil { + return nil, err + } + + clientOpts := a.createClientOptions(uri) + + a.logger.Infof("Attempting to connect to %s", a.metadata.url) + client, err := amqp.Dial(a.metadata.url, &clientOpts) + if err != nil { + a.logger.Fatal("Dialing AMQP server:", err) + } + + // Open a session + session, err := client.NewSession(a.ctx, nil) + if err != nil { + a.logger.Fatal("Creating AMQP session:", err) + } + + return session, nil +} + +func (a *amqpPubSub) newTLSConfig() *tls.Config { + tlsConfig := new(tls.Config) + + if a.metadata.clientCert != "" && a.metadata.clientKey != "" { + cert, err := tls.X509KeyPair([]byte(a.metadata.clientCert), []byte(a.metadata.clientKey)) + if err != nil { + a.logger.Warnf("unable to load client certificate and key pair. Err: %v", err) + + return tlsConfig + } + tlsConfig.Certificates = []tls.Certificate{cert} + } + + if a.metadata.caCert != "" { + tlsConfig.RootCAs = x509.NewCertPool() + if ok := tlsConfig.RootCAs.AppendCertsFromPEM([]byte(a.metadata.caCert)); !ok { + a.logger.Warnf("unable to load ca certificate.") + } + } + + return tlsConfig +} + +func (a *amqpPubSub) createClientOptions(uri *url.URL) amqp.ConnOptions { + var opts amqp.ConnOptions + + scheme := uri.Scheme + + switch scheme { + case "amqp": + if a.metadata.anonymous == true { + opts.SASLType = amqp.SASLTypeAnonymous() + } else { + opts.SASLType = amqp.SASLTypePlain(a.metadata.username, a.metadata.password) + } + case "amqps": + opts.SASLType = amqp.SASLTypePlain(a.metadata.username, a.metadata.password) + opts.TLSConfig = a.newTLSConfig() + } + + return opts +} + +// Close the session +func (a *amqpPubSub) Close() error { + a.publishLock.Lock() + + defer a.publishLock.Unlock() + + err := a.session.Close(a.ctx) + if err != nil { + a.logger.Warnf("failed to close the connection.", err) + } + return err +} + +// Feature list for AMQP PubSub +func (a *amqpPubSub) Features() []pubsub.Feature { + return []pubsub.Feature{pubsub.FeatureSubscribeWildcards, pubsub.FeatureMessageTTL} +} diff --git a/pubsub/solace/amqp/amqp_test.go b/pubsub/solace/amqp/amqp_test.go new file mode 100644 index 000000000..d2b26175b --- /dev/null +++ b/pubsub/solace/amqp/amqp_test.go @@ -0,0 +1,141 @@ +/* +Copyright 2021 The Dapr Authors +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package amqp + +import ( + "crypto/x509" + "encoding/pem" + "errors" + "testing" + + mdata "github.com/dapr/components-contrib/metadata" + + "github.com/dapr/components-contrib/pubsub" + "github.com/dapr/kit/logger" + + "github.com/stretchr/testify/assert" +) + +func getFakeProperties() map[string]string { + return map[string]string{ + "consumerID": "client", + amqpURL: "tcp://fakeUser:fakePassword@fake.mqtt.host:1883", + anonymous: "false", + username: "default", + password: "default", + } +} + +func TestParseMetadata(t *testing.T) { + log := logger.NewLogger("test") + t.Run("metadata is correct", func(t *testing.T) { + fakeProperties := getFakeProperties() + + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + + m, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.NoError(t, err) + assert.Equal(t, fakeProperties[amqpURL], m.url) + }) + + t.Run("url is not given", func(t *testing.T) { + fakeProperties := getFakeProperties() + + fakeMetaData := pubsub.Metadata{ + Base: mdata.Base{Properties: fakeProperties}, + } + fakeMetaData.Properties[amqpURL] = "" + + m, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.EqualError(t, err, errors.New(errorMsgPrefix+" missing url").Error()) + assert.Equal(t, fakeProperties[amqpURL], m.url) + }) + + t.Run("invalid ca certificate", func(t *testing.T) { + fakeProperties := getFakeProperties() + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + fakeMetaData.Properties[amqpCACert] = "randomNonPEMBlockCA" + _, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.Contains(t, err.Error(), "invalid caCert") + }) + + t.Run("valid ca certificate", func(t *testing.T) { + fakeProperties := getFakeProperties() + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + fakeMetaData.Properties[amqpCACert] = "-----BEGIN CERTIFICATE-----\nMIICyDCCAbACCQDb8BtgvbqW5jANBgkqhkiG9w0BAQsFADAmMQswCQYDVQQGEwJJ\nTjEXMBUGA1UEAwwOZGFwck1xdHRUZXN0Q0EwHhcNMjAwODEyMDY1MzU4WhcNMjUw\nODEyMDY1MzU4WjAmMQswCQYDVQQGEwJJTjEXMBUGA1UEAwwOZGFwck1xdHRUZXN0\nQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEXte1GBxFJaygsEnK\nHV2AxazZW6Vppv+i50AuURHcaGo0i8G5CTfHzSKrYtTFfBskUspl+2N8GPV5c8Eb\ng+PP6YFn1wiHVz+wRSk3BD35DcGOT2o4XsJw5tiAzJkbpAOYCYl7KAM+BtOf41uC\nd6TdqmawhRGtv1ND2WtyJOT6A3KcUfjhL4TFEhWoljPJVay4TQoJcZMAImD/Xcxw\n6urv6wmUJby3/RJ3I46ZNH3zxEw5vSq1TuzuXxQmfPJG0ZPKJtQZ2nkZ3PNZe4bd\nNUa83YgQap7nBhYdYMMsQyLES2qy3mPcemBVoBWRGODel4PMEcsQiOhAyloAF2d3\nhd+LAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAK13X5JYBy78vHYoP0Oq9fe5XBbL\nuRM8YLnet9b/bXTGG4SnCCOGqWz99swYK7SVyR5l2h8SAoLzeNV61PtaZ6fHrbar\noxSL7BoRXOhMH6LQATadyvwlJ71uqlagqya7soaPK09TtfzeebLT0QkRCWT9b9lQ\nDBvBVCaFidynJL1ts21m5yUdIY4JSu4sGZGb4FRGFdBv/hD3wH8LAkOppsSv3C/Q\nkfkDDSQzYbdMoBuXmafvi3He7Rv+e6Tj9or1rrWdx0MIKlZPzz4DOe5Rh112uRB9\n7xPHJt16c+Ya3DKpchwwdNcki0vFchlpV96HK8sMCoY9kBzPhkEQLdiBGv4=\n-----END CERTIFICATE-----\n" + m, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.NoError(t, err) + block, _ := pem.Decode([]byte(m.tlsCfg.caCert)) + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + t.Errorf("failed to parse ca certificate from metadata. %v", err) + } + assert.Equal(t, "daprMqttTestCA", cert.Subject.CommonName) + }) + + t.Run("invalid client certificate", func(t *testing.T) { + fakeProperties := getFakeProperties() + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + fakeMetaData.Properties[amqpClientCert] = "randomNonPEMBlockClientCert" + _, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.Contains(t, err.Error(), "invalid clientCert") + }) + + t.Run("valid client certificate", func(t *testing.T) { + fakeProperties := getFakeProperties() + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + fakeMetaData.Properties[amqpClientCert] = "-----BEGIN CERTIFICATE-----\nMIICzDCCAbQCCQDBKDMS3SHsDzANBgkqhkiG9w0BAQUFADAmMQswCQYDVQQGEwJJ\nTjEXMBUGA1UEAwwOZGFwck1xdHRUZXN0Q0EwHhcNMjAwODEyMDY1NTE1WhcNMjEw\nODA3MDY1NTE1WjAqMQswCQYDVQQGEwJJTjEbMBkGA1UEAwwSZGFwck1xdHRUZXN0\nQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5IDfsGI2pb4W\nt3CjckrKuNeTrgmla3sXxSI5wfDgLGd/XkNu++M6yi9ABaBiYChpxbylqIeAn/HT\n3r/nhcb+bldMtEkU9tODHy/QDhvN2UGFjRsMfzO9p1oMpTnRdJCHYinE+oqVced5\nHI+UEofAU+1eiIXqJGKrdfn4gvaHst4QfVPvui8WzJq9TMkEhEME+5hs3VKyKZr2\nqjIxzr7nLVod3DBf482VjxRI06Ip3fPvNuMWwzj2G+Rj8PMcBjoKeCLQL9uQh7f1\nTWHuACqNIrmFEUQWdGETnRjHWIvw0NEL40+Ur2b5+7/hoqnTzReJ3XUe1jM3l44f\nl0rOf4hu2QIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAT9yoIeX0LTsvx7/b+8V3a\nkP+j8u97QCc8n5xnMpivcMEk5cfqXX5Llv2EUJ9kBsynrJwT7ujhTJXSA/zb2UdC\nKH8PaSrgIlLwQNZMDofbz6+zPbjStkgne/ZQkTDIxY73sGpJL8LsQVO9p2KjOpdj\nSf9KuJhLzcHolh7ry3ZrkOg+QlMSvseeDRAxNhpkJrGQ6piXoUiEeKKNa0rWTMHx\nIP1Hqj+hh7jgqoQR48NL2jNng7I64HqTl6Mv2fiNfINiw+5xmXTB0QYkGU5NvPBO\naKcCRcGlU7ND89BogQPZsl/P04tAuQqpQWffzT4sEEOyWSVGda4N2Ys3GSQGBv8e\n-----END CERTIFICATE-----\n" + m, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.NoError(t, err) + block, _ := pem.Decode([]byte(m.tlsCfg.clientCert)) + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + t.Errorf("failed to parse client certificate from metadata. %v", err) + } + assert.Equal(t, "daprMqttTestClient", cert.Subject.CommonName) + }) + + t.Run("invalid client certificate key", func(t *testing.T) { + fakeProperties := getFakeProperties() + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + fakeMetaData.Properties[amqpClientKey] = "randomNonPEMBlockClientKey" + _, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.Contains(t, err.Error(), "invalid clientKey") + }) + + t.Run("valid client certificate key", func(t *testing.T) { + fakeProperties := getFakeProperties() + fakeMetaData := pubsub.Metadata{Base: mdata.Base{Properties: fakeProperties}} + fakeMetaData.Properties[amqpClientKey] = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA5IDfsGI2pb4Wt3CjckrKuNeTrgmla3sXxSI5wfDgLGd/XkNu\n++M6yi9ABaBiYChpxbylqIeAn/HT3r/nhcb+bldMtEkU9tODHy/QDhvN2UGFjRsM\nfzO9p1oMpTnRdJCHYinE+oqVced5HI+UEofAU+1eiIXqJGKrdfn4gvaHst4QfVPv\nui8WzJq9TMkEhEME+5hs3VKyKZr2qjIxzr7nLVod3DBf482VjxRI06Ip3fPvNuMW\nwzj2G+Rj8PMcBjoKeCLQL9uQh7f1TWHuACqNIrmFEUQWdGETnRjHWIvw0NEL40+U\nr2b5+7/hoqnTzReJ3XUe1jM3l44fl0rOf4hu2QIDAQABAoIBAQCVMINb4TP20P55\n9IPyqlxjhPT563hijXK+lhMJyiBDPavOOs7qjLikq2bshYPVbm1o2jt6pkXXqAeB\n5t/d20fheQQurYyPfxecNBZuL78duwbcUy28m2aXLlcVRYO4zGhoMgdW4UajoNLV\nT/UIiDONWGyhTHXMHdP+6h9UOmvs3o4b225AuLrw9n6QO5I1Se8lcfOTIqR1fy4O\nGsUWEQPdW0X3Dhgpx7kDIuBTAQzbjD31PCR1U8h2wsCeEe6hPCrsMbo/D019weol\ndi40tbWR1/oNz0+vro2d9YDPJkXN0gmpT51Z4YJoexZBdyzO5z4DMSdn5yczzt6p\nQq8LsXAFAoGBAPYXRbC4OxhtuC+xr8KRkaCCMjtjUWFbFWf6OFgUS9b5uPz9xvdY\nXo7wBP1zp2dS8yFsdIYH5Six4Z5iOuDR4sVixzjabhwedL6bmS1zV5qcCWeASKX1\nURgSkfMmC4Tg3LBgZ9YxySFcVRjikxljkS3eK7Mp7Xmj5afe7qV73TJfAoGBAO20\nTtw2RGe02xnydZmmwf+NpQHOA9S0JsehZA6NRbtPEN/C8bPJIq4VABC5zcH+tfYf\nzndbDlGhuk+qpPA590rG5RSOUjYnQFq7njdSfFyok9dXSZQTjJwFnG2oy0LmgjCe\nROYnbCzD+a+gBKV4xlo2M80OLakQ3zOwPT0xNRnHAoGATLEj/tbrU8mdxP9TDwfe\nom7wyKFDE1wXZ7gLJyfsGqrog69y+lKH5XPXmkUYvpKTQq9SARMkz3HgJkPmpXnD\nelA2Vfl8pza2m1BShF+VxZErPR41hcLV6vKemXAZ1udc33qr4YzSaZskygSSYy8s\nZ2b9p3BBmc8CGzbWmKvpW3ECgYEAn7sFLxdMWj/+5221Nr4HKPn+wrq0ek9gq884\n1Ep8bETSOvrdvolPQ5mbBKJGsLC/h5eR/0Rx18sMzpIF6eOZ2GbU8z474mX36cCf\nrd9A8Gbbid3+9IE6gHGIz2uYwujw3UjNVbdyCpbahvjJhoQlDePUZVu8tRpAUpSA\nYklZvGsCgYBuIlOFTNGMVUnwfzrcS9a/31LSvWTZa8w2QFjsRPMYFezo2l4yWs4D\nPEpeuoJm+Gp6F6ayjoeyOw9mvMBH5hAZr4WjbiU6UodzEHREAsLAzCzcRyIpnDE6\nPW1c3j60r8AHVufkWTA+8B9WoLC5MqcYTV3beMGnNGGqS2PeBom63Q==\n-----END RSA PRIVATE KEY-----\n" + m, err := parseAMQPMetaData(fakeMetaData, log) + + // assert + assert.NoError(t, err) + assert.NotNil(t, m.tlsCfg.clientKey, "failed to parse valid client certificate key") + }) +} diff --git a/pubsub/solace/amqp/metadata.go b/pubsub/solace/amqp/metadata.go new file mode 100644 index 000000000..bfbfc5261 --- /dev/null +++ b/pubsub/solace/amqp/metadata.go @@ -0,0 +1,117 @@ +/* +Copyright 2021 The Dapr Authors +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package amqp + +import ( + "encoding/pem" + "fmt" + "strconv" + "time" + + "github.com/dapr/components-contrib/pubsub" + "github.com/dapr/kit/logger" +) + +const ( + // errors. + errorMsgPrefix = "amqp pub sub error:" +) + +type metadata struct { + tlsCfg + url string + username string + password string + anonymous bool +} + +type tlsCfg struct { + caCert string + clientCert string + clientKey string +} + +const ( + // Keys + amqpURL = "url" + anonymous = "anonymous" + username = "username" + password = "password" + amqpCACert = "caCert" + amqpClientCert = "clientCert" + amqpClientKey = "clientKey" + defaultWait = 30 * time.Second +) + +// isValidPEM validates the provided input has PEM formatted block. +func isValidPEM(val string) bool { + block, _ := pem.Decode([]byte(val)) + + return block != nil +} + +func parseAMQPMetaData(md pubsub.Metadata, log logger.Logger) (*metadata, error) { + m := metadata{anonymous: false} + + // required configuration settings + if val, ok := md.Properties[amqpURL]; ok && val != "" { + m.url = val + } else { + return &m, fmt.Errorf("%s missing url", errorMsgPrefix) + } + + // optional configuration settings + if val, ok := md.Properties[anonymous]; ok && val != "" { + var err error + m.anonymous, err = strconv.ParseBool(val) + if err != nil { + return &m, fmt.Errorf("%s invalid anonymous %s, %s", errorMsgPrefix, val, err) + } + } + + if !m.anonymous { + if val, ok := md.Properties[username]; ok && val != "" { + m.username = val + } else { + return &m, fmt.Errorf("%s missing username", errorMsgPrefix) + } + + if val, ok := md.Properties[password]; ok && val != "" { + m.password = val + } else { + return &m, fmt.Errorf("%s missing username", errorMsgPrefix) + } + } + + if val, ok := md.Properties[amqpCACert]; ok && val != "" { + if !isValidPEM(val) { + return &m, fmt.Errorf("%s invalid caCert", errorMsgPrefix) + } + m.tlsCfg.caCert = val + } + if val, ok := md.Properties[amqpClientCert]; ok && val != "" { + if !isValidPEM(val) { + return &m, fmt.Errorf("%s invalid clientCert", errorMsgPrefix) + } + m.tlsCfg.clientCert = val + } + if val, ok := md.Properties[amqpClientKey]; ok && val != "" { + if !isValidPEM(val) { + return &m, fmt.Errorf("%s invalid clientKey", errorMsgPrefix) + } + m.tlsCfg.clientKey = val + } + + return &m, nil +} diff --git a/state/query/filter.go b/state/query/filter.go index 6726db92e..4961f7483 100644 --- a/state/query/filter.go +++ b/state/query/filter.go @@ -21,7 +21,8 @@ type Filter interface { Parse(interface{}) error } -func parseFilter(obj interface{}) (Filter, error) { +// ParseFilter parses a filter struct using the visitor pattern returning a built Filter interface. +func ParseFilter(obj interface{}) (Filter, error) { m, ok := obj.(map[string]interface{}) if !ok { return nil, fmt.Errorf("filter unit must be a map") @@ -134,7 +135,7 @@ func parseFilters(t string, obj interface{}) ([]Filter, error) { filters := make([]Filter, len(arr)) for i, entry := range arr { var err error - if filters[i], err = parseFilter(entry); err != nil { + if filters[i], err = ParseFilter(entry); err != nil { return nil, err } } diff --git a/state/query/query.go b/state/query/query.go index 111aec131..ea3d874af 100644 --- a/state/query/query.go +++ b/state/query/query.go @@ -109,7 +109,7 @@ func (q *Query) UnmarshalJSON(data []byte) error { return nil } - filter, err := parseFilter(q.QueryFields.Filters) + filter, err := ParseFilter(q.QueryFields.Filters) if err != nil { return err } diff --git a/tests/config/pubsub/aws/snssqs/pubsub.yml b/tests/config/pubsub/aws/snssqs/docker/pubsub.yml similarity index 100% rename from tests/config/pubsub/aws/snssqs/pubsub.yml rename to tests/config/pubsub/aws/snssqs/docker/pubsub.yml diff --git a/tests/config/pubsub/aws/snssqs/terraform/pubsub.yml b/tests/config/pubsub/aws/snssqs/terraform/pubsub.yml new file mode 100644 index 000000000..5c70cd24b --- /dev/null +++ b/tests/config/pubsub/aws/snssqs/terraform/pubsub.yml @@ -0,0 +1,29 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: aws-snssqs + namespace: default +spec: + type: pubsub.aws.snssqs + version: v1 + metadata: + - name: accessKey + value: ${{AWS_ACCESS_KEY_ID}} + - name: secretKey + value: ${{AWS_SECRET_ACCESS_KEY}} + - name: region + value: "us-east-1" + - name: consumerID + value: ${{PUBSUB_AWS_SNSSQS_QUEUE}} + - name: messageVisibilityTimeout + value: 10 + - name: messageRetryLimit + value: 10 + - name: messageWaitTimeSeconds + value: 1 + - name: messageMaxNumber + value: 10 + - name: concurrencyMode + value: "single" + - name: disableEntityManagement + value: "true" \ No newline at end of file diff --git a/tests/config/pubsub/solace/amqp/pubsub.yml b/tests/config/pubsub/solace/amqp/pubsub.yml new file mode 100644 index 000000000..16a07593e --- /dev/null +++ b/tests/config/pubsub/solace/amqp/pubsub.yml @@ -0,0 +1,10 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +spec: + type: pubsub.solace.amqp + version: v1 + metadata: + - name: url + value: 'amqp://localhost:5672' + - name: anonymous + value: true diff --git a/tests/config/pubsub/tests.yml b/tests/config/pubsub/tests.yml index 3d19bbb5f..18acc9e82 100644 --- a/tests/config/pubsub/tests.yml +++ b/tests/config/pubsub/tests.yml @@ -12,7 +12,7 @@ componentType: pubsub components: - component: azure.eventhubs - operations: ["publish", "subscribe", "multiplehandlers", "bulkpublish"] + operations: ['publish', 'subscribe', 'multiplehandlers', 'bulkpublish'] config: pubsubName: azure-eventhubs testTopicName: eventhubs-pubsub-topic @@ -50,9 +50,9 @@ components: config: checkInOrderProcessing: false - component: natsstreaming - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] - component: jetstream - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] - component: kafka allOperations: true - component: kafka @@ -62,27 +62,38 @@ components: profile: confluent allOperations: true - component: pulsar - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] - component: mqtt profile: mosquitto - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] + - component: solace.amqp + operations: ['publish', 'subscribe'] - component: mqtt profile: emqx - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] - component: mqtt profile: vernemq - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] - component: hazelcast - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] - component: rabbitmq - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] config: checkInOrderProcessing: false - component: in-memory operations: ["publish", "subscribe", "multiplehandlers"] - - component: aws.snssqs + - component: aws.snssqs.terraform operations: ["publish", "subscribe", "multiplehandlers"] config: + pubsubName: aws-snssqs + testTopicName: ${{PUBSUB_AWS_SNSSQS_TOPIC}} + testMultiTopic1Name: ${{PUBSUB_AWS_SNSSQS_TOPIC_MULTI_1}} + testMultiTopic2Name: ${{PUBSUB_AWS_SNSSQS_TOPIC_MULTI_2}} + checkInOrderProcessing: false + - component: aws.snssqs.docker + operations: ["publish", "subscribe", "multiplehandlers"] + config: + pubsubName: aws-snssqs checkInOrderProcessing: false - component: kubemq - operations: ["publish", "subscribe", "multiplehandlers"] + operations: ['publish', 'subscribe', 'multiplehandlers'] diff --git a/tests/config/state/cloudflare/kv/statestore.yml b/tests/config/state/cloudflare/workerskv/statestore.yml similarity index 100% rename from tests/config/state/cloudflare/kv/statestore.yml rename to tests/config/state/cloudflare/workerskv/statestore.yml diff --git a/tests/conformance/README.md b/tests/conformance/README.md index 51df29236..ffed4f0bc 100644 --- a/tests/conformance/README.md +++ b/tests/conformance/README.md @@ -119,4 +119,76 @@ If you want to combine VS Code & dlv for debugging so you can set breakpoints in }, ] } -``` \ No newline at end of file +``` + +## Using terraform for conformance tests + +If you are writing new conformance tests and they require cloud resources, you should use the +terraform framework we have in place. To enable your component test to use terraform there are a few changes in the normal steps you must do. + +1. In the `conformance.yml` you should create a new step in a workflow for your component that creates new env variables. You will need a variable for each specific resource your tests will use. If you require 3 different topics and 2 different tables for your tests you should have 5 different env variables set. The only convention you must follow for the variables is the value must use `env.UNIQUE_ID` to ensure there are no conflicts with the resource names. + + ```bash + PUBSUB_AWS_SNSSQS_QUEUE="testQueue-${{ env.UNIQUE_ID }}" + echo "PUBSUB_AWS_SNSSQS_QUEUE=$PUBSUB_AWS_SNSSQS_QUEUE" >> $GITHUB_ENV + ``` + +2. When updating the `tests.yml` defined inside `tests/config//` folder you should overwrite the default names of any resources the conformance tests use. These values should reference env variables which should be defined in the conformance.yml. + + ```yaml + - component: aws.snssqs.terraform + operations: ["publish", "subscribe", "multiplehandlers"] + config: + pubsubName: aws-snssqs + testTopicName: ${{PUBSUB_AWS_SNSSQS_TOPIC}} + testMultiTopic1Name: ${{PUBSUB_AWS_SNSSQS_TOPIC_MULTI_1}} + testMultiTopic2Name: ${{PUBSUB_AWS_SNSSQS_TOPIC_MULTI_2}} + ``` + +3. When writing your `component.yml` you should reference your credentials using env variables and any resources specified in the yaml should use env variables as well just as you did in the `test.yml`. Also if your component has an option that controls resource creation such as `disableEntityManagement` you will need to set it so it prohibits new resource creation. We want to use only terraform to provision resources and not dapr itself for these tests. + + ```yaml + metadata: + - name: accessKey + value: ${{AWS_ACCESS_KEY_ID}} + - name: secretKey + value: ${{AWS_SECRET_ACCESS_KEY}} + - name: region + value: "us-east-1" + - name: consumerID + value: ${{PUBSUB_AWS_SNSSQS_QUEUE}} + - name: disableEntityManagement + value: "true" + ``` + + +4. You will need to create a new terrafrorm file `component.tf` to provision your resources. The file should be placed in its own folder in the `.github/infrastructure/terraform/conformance` directory such as +`.github/infrastructure/terraform/conformance/pubsub/aws/snsqsq`. The terraform file should use a UNIQUE_ID variables and use this variables when naming its resources so they matched the names defined earlier. Make sure any resources your tests will use are defined in terraform. + + ``` + variable "UNIQUE_ID" { + type = string + description = "Unique Id of the github worklow run." + } + ``` + +5. The component should be added to the `cron-components` step in conformance test workflow `.github/conformance.yml`. The component should have a variable named `terraform-dir` and the value should be the relative path from `.github/infrastructure/terraform/conformance` to the folder which the tests personal terraform files are located such as `pubsub/aws/snsqsq`. + + ``` + - component: pubsub.aws.snssqs.terraform + terraform-dir: pubsub/aws/snssqs + ``` + +## Adding new AWS component in github actions + +1. For tests involving aws components we use a service account to provision the resources needed. If you are contributing a brand new component you will need to make sure our account has sufficient permissions to provision resources and use handle component. A Dapr STC member will have to update the service account so contact them for assistance. + +2. In your component yaml for your tests you should set the component metadata properties `accesskey` and `secretkey` to the values of `${{AWS_ACCESS_KEY_ID}}` and `${{AWS_SECRET_ACCESS_KEY}}`. These env values will contain the credentials for the testing service account. + + ```yaml + metadata: + - name: accessKey + value: ${{AWS_ACCESS_KEY_ID}} + - name: secretKey + value: ${{AWS_SECRET_ACCESS_KEY}} + ``` \ No newline at end of file diff --git a/tests/conformance/common.go b/tests/conformance/common.go index d0b7e10a6..5d08462f8 100644 --- a/tests/conformance/common.go +++ b/tests/conformance/common.go @@ -31,6 +31,7 @@ import ( "github.com/google/uuid" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "gopkg.in/yaml.v3" "github.com/dapr/components-contrib/bindings" @@ -69,6 +70,7 @@ import ( p_pulsar "github.com/dapr/components-contrib/pubsub/pulsar" p_rabbitmq "github.com/dapr/components-contrib/pubsub/rabbitmq" p_redis "github.com/dapr/components-contrib/pubsub/redis" + p_solaceamqp "github.com/dapr/components-contrib/pubsub/solace/amqp" ss_azure "github.com/dapr/components-contrib/secretstores/azure/keyvault" ss_hashicorp_vault "github.com/dapr/components-contrib/secretstores/hashicorp/vault" ss_kubernetes "github.com/dapr/components-contrib/secretstores/kubernetes" @@ -149,6 +151,7 @@ func LoadComponents(componentPath string) ([]Component, error) { return components, nil } +// LookUpEnv returns the value of the specified environment variable or the empty string. func LookUpEnv(key string) string { if val, ok := os.LookupEnv(key); ok { return val @@ -166,6 +169,10 @@ func ParseConfigurationMap(t *testing.T, configMap map[string]interface{}) { val = uuid.New().String() t.Logf("Generated UUID %s", val) configMap[k] = val + } else if strings.Contains(val, "${{") { + s := strings.TrimSpace(strings.TrimSuffix(strings.TrimPrefix(val, "${{"), "}}")) + v := LookUpEnv(s) + configMap[k] = v } else { jsonMap := make(map[string]interface{}) err := json.Unmarshal([]byte(val), &jsonMap) @@ -194,6 +201,10 @@ func parseConfigurationInterfaceMap(t *testing.T, configMap map[interface{}]inte val = uuid.New().String() t.Logf("Generated UUID %s", val) configMap[k] = val + } else if strings.Contains(val, "${{") { + s := strings.TrimSpace(strings.TrimSuffix(strings.TrimPrefix(val, "${{"), "}}")) + v := LookUpEnv(s) + configMap[k] = v } else { jsonMap := make(map[string]interface{}) err := json.Unmarshal([]byte(val), &jsonMap) @@ -293,8 +304,8 @@ func decodeYaml(b []byte) (TestConfiguration, error) { func (tc *TestConfiguration) loadComponentsAndProperties(t *testing.T, filepath string) (map[string]string, error) { comps, err := LoadComponents(filepath) - assert.Nil(t, err) - assert.Equal(t, 1, len(comps)) // We only expect a single component per file + require.NoError(t, err) + require.Equal(t, 1, len(comps)) // We only expect a single component per file c := comps[0] props, err := ConvertMetadataToProperties(c.Spec.Metadata) @@ -436,10 +447,14 @@ func loadPubSub(tc TestComponent) pubsub.PubSub { pubsub = p_rabbitmq.NewRabbitMQ(testLogger) case "in-memory": pubsub = p_inmemory.New(testLogger) - case "aws.snssqs": + case "aws.snssqs.terraform": + pubsub = p_snssqs.NewSnsSqs(testLogger) + case "aws.snssqs.docker": pubsub = p_snssqs.NewSnsSqs(testLogger) case "kubemq": pubsub = p_kubemq.NewKubeMQ(testLogger) + case "solace.amqp": + pubsub = p_solaceamqp.NewAMQPPubsub(testLogger) default: return nil }