From ebc32420af574f5bcf1bf1adb79ef4c30de8e972 Mon Sep 17 00:00:00 2001 From: Seth Hollandsworth Date: Fri, 7 Jul 2023 11:42:32 -0400 Subject: [PATCH 1/5] initial commit of katapolicygen --- src/confcom/.gitignore | 4 + src/confcom/HISTORY.rst | 6 +- src/confcom/azext_confcom/README.md | 62 +- src/confcom/azext_confcom/_help.py | 34 +- src/confcom/azext_confcom/_params.py | 38 + src/confcom/azext_confcom/commands.py | 1 + src/confcom/azext_confcom/config.py | 2 + src/confcom/azext_confcom/custom.py | 40 +- .../azext_confcom/data/internal_config.json | 2 +- src/confcom/azext_confcom/data/rules.rego | 1120 +++++++++++++++++ src/confcom/azext_confcom/kata_proxy.py | 148 +++ src/confcom/azext_confcom/os_util.py | 8 + .../tests/latest/test_confcom_kata.py | 82 ++ src/confcom/samples/sample-pod.yaml | 35 + src/confcom/setup.py | 10 +- 15 files changed, 1577 insertions(+), 15 deletions(-) create mode 100644 src/confcom/azext_confcom/data/rules.rego create mode 100644 src/confcom/azext_confcom/kata_proxy.py create mode 100644 src/confcom/azext_confcom/tests/latest/test_confcom_kata.py create mode 100644 src/confcom/samples/sample-pod.yaml diff --git a/src/confcom/.gitignore b/src/confcom/.gitignore index eb7212ecef5..562e4134172 100644 --- a/src/confcom/.gitignore +++ b/src/confcom/.gitignore @@ -12,6 +12,9 @@ **/__pycache__/* **/*.pyc +# genpolicy cache files +**/layers_cache/* + # virtual environments env/* accdevops_env/* @@ -27,6 +30,7 @@ azext_confcom/bin/ azext_confcom/bin/* **/dmverity-vhd.exe **/dmverity-vhd +**/bin/genpolicy* # metadata file for coverage reports **/.coverage diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst index 5b766807cf4..75644fd8514 100644 --- a/src/confcom/HISTORY.rst +++ b/src/confcom/HISTORY.rst @@ -2,6 +2,9 @@ Release History =============== +0.3.0 +++++++ +* adding katapolicygen as a subcommand 0.2.18 ++++++ @@ -52,7 +55,7 @@ Release History * changing startup checks to errors rather than warnings * can specify image name in arm template by its SHA256 hash * disabling stdio in pause container -* adding another README.md with omre descriptive information +* adding another README.md with more descriptive information 0.2.9 ++++++ @@ -86,7 +89,6 @@ Release History * added ability to use tarball as input for layer hashes and container manifests * added initContainers as container source in ARM Template * update dealing with liveness and readiness probes -* update 0.2.2 ++++++ diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md index 1ccc007a92b..929fbe1216d 100644 --- a/src/confcom/azext_confcom/README.md +++ b/src/confcom/azext_confcom/README.md @@ -1,7 +1,7 @@ # Microsoft Azure CLI 'confcom' Extension Examples and Security Policy Rules Documentation -- [Microsoft Azure CLI 'confcom' Extension Examples and Security Policy Rules Documentation](#microsoft-azure-cli-confcom-extension-examples-and-security-policy-rules-documentation) - - [Microsoft Azure CLI 'confcom' Extension Examples](#microsoft-azure-cli-confcom-extension-examples) +- [Microsoft Azure CLI 'confcom acipolicygen' Extension Examples and Security Policy Rules Documentation](#microsoft-azure-cli-confcom-acipolicygen-extension-examples-and-security-policy-rules-documentation) + - [Microsoft Azure CLI 'confcom acipolicygen' Extension Examples](#microsoft-azure-cli-confcom-extension-examples) - [dmverity Layer Hashing](#dmverity-layer-hashing) - [Security Policy Information Sources](#security-policy-information-sources) - [Security Policy Rules Documentation](#security-policy-rules-documentation) @@ -28,13 +28,13 @@ - [allow_environment_variable_dropping](#allow_environment_variable_dropping) - [allow_unencrypted_scratch](#allow_unencrypted_scratch) - [allow_capabilities_dropping](#allow_capabilities_dropping) +- [Microsoft Azure CLI 'confcom katapolicygen' Extension Examples](#microsoft-azure-cli-confcom-katapolicygen-extension-examples) + - [Microsoft Azure CLI 'confcom katapolicygen' Extension Examples] -## Microsoft Azure CLI 'confcom' Extension Examples +## Microsoft Azure CLI 'confcom acipolicygen' Extension Examples Run `az confcom acipolicygen --help` to see a list of supported arguments along with explanations. The following commands demonstrate the usage of different arguments to generate confidential computing security policies. -**Note:** The Azure Confidential Computing CLI extension is in public preview and is subject to change. Some arguments may be added or removed and the way `confcom acipolicygen` command is called to achieve specific functionality may change as well. This documentation will be updated as changes to the tooling are published. - **Prerequisites:** Install the Azure CLI and Confidential Computing extension. @@ -643,3 +643,55 @@ This rule determines whether unencrypted writable storage from the UVM to the co ## allow_capabilities_dropping Whether to allow capabilities to be dropped in the same manner as allow_environment_variable_dropping. + +## Microsoft Azure CLI 'confcom katapolicygen' Extension Examples + +Run `az confcom katapolicygen --help` to see a list of supported arguments along with explanations. The following commands demonstrate the usage of different arguments to generate confidential computing security policies. + +**Prerequisites:** +Install the Azure CLI and Confidential Computing extension. + +See the most recently released version of `confcom` extension. + +```bash +az extension list-available -o table | grep confcom +``` + +To add the most recent confcom extension, run: + +```bash +az extension add --name confcom +``` + +Use the `--version` argument to specify a version to add. + +Run this to update to the latest version if an older version is already installed: + +```bash +az extension update --name confcom +``` + +The `katapolicygen` command generates confidential computing security policies using a kubernetes pod spec. You can control the format of the generated policies using arguments. Note: It is recommended to use images with specific tags instead of the `latest` tag, as the `latest` tag can change at any time and images with different configurations may also have the latest tag. + +**Examples:** + +Example 1: The following command creates a security policy and outputs it to the command line: + +```bash +az confcom katapolicygen -y ./pod.yaml --print-policy +``` + +This command combines the information of images from the pod spec with other information such as mount, environment variables and commands from the pod spec to create a CCE policy. +The `--print-policy` argument is included to display the policy on the command line in addition to injecting it into the input pod spec. + +Example 2: This command injects a security policy into a [pod spec]() based on input from [config map]() so that there is no need to change the pod spec to pass variables into the security policy: + +```bash +az confcom katapolicygen -y .\\pod.yaml -c .\\config-map.yaml +``` + +Example 3: This command caches the layer hashes and stores them locally on your computer to make future computations faster if the same images are used: + +```bash +az confcom katapolicygen -y .\\pod.yaml -u +``` diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py index f1f455134e3..905c24355d0 100644 --- a/src/confcom/azext_confcom/_help.py +++ b/src/confcom/azext_confcom/_help.py @@ -18,7 +18,7 @@ "confcom acipolicygen" ] = """ type: command - short-summary: Create a Confidential Container Security Policy. + short-summary: Create a Confidential Container Security Policy for ACI. parameters: - name: --input -i @@ -91,3 +91,35 @@ - name: Input an ARM Template file and use a tar file as the image source instead of the Docker daemon text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar" """ + +helps[ + "confcom katapolicygen" +] = """ + type: command + short-summary: Create a Confidential Container Security Policy for AKS. + + parameters: + - name: --yaml-path -y + type: string + short-summary: 'Input YAML Kubernetes file' + + - name: --output-policy-file + type: string + short-summary: 'Output policy file in Rego format' + + - name: --config-map-file -c + type: string + short-summary: 'Path to config map file' + + - name: --use-cached-files -u + type: bool + short-summary: 'Use cached files to save on computation time' + + - name: --settings-file-name -j + type: bool + short-summary: 'Path to custom settings file' + + examples: + - name: Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file + text: az confcom katapolicygen --yaml-path "./pod.json" +""" diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py index 41e8babdd61..9ae5d708fa6 100644 --- a/src/confcom/azext_confcom/_params.py +++ b/src/confcom/azext_confcom/_params.py @@ -121,3 +121,41 @@ def load_arguments(self, _): required=False, help="Print the generated policy in the terminal", ) + + with self.argument_context("confcom katapolicygen") as c: + c.argument( + "yaml_path", + options_list=("--yaml", "-y"), + required=True, + help="Input YAML config file", + ) + c.argument( + "outraw", + options_list=("--outraw"), + required=False, + help="Print the generated policy in the terminal in Rego format", + ) + c.argument( + "print_policy", + options_list=("--print-policy"), + required=False, + help="Print the generated policy in the terminal in base64", + ) + c.argument( + "config_map_file", + options_list=("--config-map-file", "-c"), + required=False, + help="Config map file", + ) + c.argument( + "use_cached_files", + options_list=("--use-cached-files", "-u"), + required=False, + help="Use cached files", + ) + c.argument( + "settings_file_name", + options_list=("--settings-file-name", "-j"), + required=False, + help="Path for custom settings file", + ) diff --git a/src/confcom/azext_confcom/commands.py b/src/confcom/azext_confcom/commands.py index a433d61c2f5..1b76746e6ef 100644 --- a/src/confcom/azext_confcom/commands.py +++ b/src/confcom/azext_confcom/commands.py @@ -8,6 +8,7 @@ def load_command_table(self, _): with self.command_group("confcom") as g: g.custom_command("acipolicygen", "acipolicygen_confcom") + g.custom_command("katapolicygen", "katapolicygen_confcom") with self.command_group("confcom"): pass diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py index 0dd9104ff9d..b1aea0cb0f9 100644 --- a/src/confcom/azext_confcom/config.py +++ b/src/confcom/azext_confcom/config.py @@ -156,6 +156,8 @@ SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt" SIDECAR_REGO_FILE_PATH = f"{script_directory}/{SIDECAR_REGO_FILE}" SIDECAR_REGO_POLICY = os_util.load_str_from_file(SIDECAR_REGO_FILE_PATH) +# data folder +DATA_FOLDER = os.path.join(script_directory, "data") # api version API_VERSION = _config["version_api"] diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index 865a29bf0e5..1beb7ef92f4 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -8,13 +8,19 @@ from pkg_resources import parse_version from knack.log import get_logger -from azext_confcom.config import DEFAULT_REGO_FRAGMENTS +from azext_confcom.config import DEFAULT_REGO_FRAGMENTS, DATA_FOLDER from azext_confcom import os_util -from azext_confcom.template_util import pretty_print_func, print_func, str_to_sha256 +from azext_confcom.template_util import ( + pretty_print_func, + print_func, + str_to_sha256, + inject_policy_into_template, + print_existing_policy_from_arm_template, +) from azext_confcom.init_checks import run_initial_docker_checks -from azext_confcom.template_util import inject_policy_into_template, print_existing_policy_from_arm_template from azext_confcom import security_policy from azext_confcom.security_policy import OutputType +from azext_confcom.kata_proxy import KataPolicyGenProxy logger = get_logger(__name__) @@ -150,6 +156,34 @@ def acipolicygen_confcom( sys.exit(exit_code) +def katapolicygen_confcom( + yaml_path: str, + config_map_file: str, + outraw: bool = False, + print_policy: bool = False, + use_cached_files: bool = False, + settings_file_name: str = None, +): + + if settings_file_name: + if settings_file_name == "genpolicy-settings.json": + error_out("Cannot use default settings file names") + os_util.copy_file(settings_file_name, DATA_FOLDER) + + kata_proxy = KataPolicyGenProxy() + + output = kata_proxy.kata_genpolicy( + yaml_path, + config_map_file=config_map_file, + outraw=outraw, + print_policy=print_policy, + use_cached_files=use_cached_files, + settings_file_name=settings_file_name, + ) + print(output) + sys.exit(0) + + def update_confcom(cmd, instance, tags=None): with cmd.update_context(instance) as c: c.set_param("tags", tags) diff --git a/src/confcom/azext_confcom/data/internal_config.json b/src/confcom/azext_confcom/data/internal_config.json index 7835330a9a4..d2b45d4f8fc 100644 --- a/src/confcom/azext_confcom/data/internal_config.json +++ b/src/confcom/azext_confcom/data/internal_config.json @@ -1,5 +1,5 @@ { - "version": "0.2.18", + "version": "0.3.0", "hcsshim_config": { "maxVersion": "1.0.0", "minVersion": "0.0.1" diff --git a/src/confcom/azext_confcom/data/rules.rego b/src/confcom/azext_confcom/data/rules.rego new file mode 100644 index 00000000000..481b70b0d1f --- /dev/null +++ b/src/confcom/azext_confcom/data/rules.rego @@ -0,0 +1,1120 @@ +package agent_policy + +import future.keywords.in +import future.keywords.every + +import input + +# Default values, returned by OPA when rules cannot be evaluated to true. +default CopyFileRequest := false +default CreateContainerRequest := false +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest := false +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default OnlineCPUMemRequest := true +default PullImageRequest := true +default ReadStreamRequest := false +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StatsContainerRequest := true +default TtyWinResizeRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := false + +# AllowRequestsFailingPolicy := true configures the Agent to *allow any +# requests causing a policy failure*. This is an unsecure configuration +# but is useful for allowing unsecure pods to start, then connect to +# them and inspect OPA logs for the root cause of a failure. +default AllowRequestsFailingPolicy := false + +CreateContainerRequest { + i_oci := input.OCI + i_storages := input.storages + + some p_container in policy_data.containers + print("======== CreateContainerRequest: trying next policy container") + + p_oci := p_container.OCI + p_storages := p_container.storages + + print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version) + p_oci.Version == i_oci.Version + + print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly) + p_oci.Root.Readonly == i_oci.Root.Readonly + + allow_anno(p_oci, i_oci) + allow_by_anno(p_oci, i_oci, p_storages, i_storages) + allow_linux(p_oci, i_oci) + + print("CreateContainerRequest: true") +} + +# Reject unexpected annotations. +allow_anno(p_oci, i_oci) { + print("allow_anno 1: start") + + not i_oci.Annotations + + print("allow_anno 1: true") +} +allow_anno(p_oci, i_oci) { + print("allow_anno 2: p Annotations =", p_oci.Annotations) + print("allow_anno 2: i Annotations =", i_oci.Annotations) + + i_keys := object.keys(i_oci.Annotations) + print("allow_anno 2: i keys =", i_keys) + + every i_key in i_keys { + allow_anno_key(i_key, p_oci) + } + + print("allow_anno 2: true") +} + +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 1: i key =", i_key) + + startswith(i_key, "io.kubernetes.cri.") + + print("allow_anno_key 1: true") +} +allow_anno_key(i_key, p_oci) { + print("allow_anno_key 2: i key =", i_key) + + some p_key, _ in p_oci.Annotations + p_key == i_key + + print("allow_anno_key 2: true") +} + +# Get the value of the "io.kubernetes.cri.sandbox-name" annotation and +# correlate it with other annotations and process fields. +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 1: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + not p_oci.Annotations[s_name] + + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 1: i_s_name =", i_s_name) + + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 1: true") +} +allow_by_anno(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_anno 2: start") + + s_name := "io.kubernetes.cri.sandbox-name" + + p_s_name := p_oci.Annotations[s_name] + i_s_name := i_oci.Annotations[s_name] + print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name) + + allow_sandbox_name(p_s_name, i_s_name) + allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name) + + print("allow_by_anno 2: true") +} + +allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) { + print("allow_by_sandbox_name: start") + + s_namespace := "io.kubernetes.cri.sandbox-namespace" + + p_namespace := p_oci.Annotations[s_namespace] + i_namespace := i_oci.Annotations[s_namespace] + print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace) + p_namespace == i_namespace + + allow_by_container_types(p_oci, i_oci, s_name, p_namespace) + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) + allow_process(p_oci, i_oci, s_name) + + print("allow_by_sandbox_name: true") +} + +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 1: start") + + p_s_name == i_s_name + + print("allow_sandbox_name 1: true") +} +allow_sandbox_name(p_s_name, i_s_name) { + print("allow_sandbox_name 2: start") + + # TODO: should generated names be handled differently? + contains(p_s_name, "$(generated-name)") + + print("allow_sandbox_name 2: true") +} + +# Check that the "io.kubernetes.cri.container-type" and +# "io.katacontainers.pkg.oci.container_type" annotations designate the +# expected type - either a "sandbox" or a "container". Then, validate +# other annotations based on the actual "sandbox" or "container" value +# from the input container. +allow_by_container_types(p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_types: checking io.kubernetes.cri.container-type") + + c_type := "io.kubernetes.cri.container-type" + + p_cri_type := p_oci.Annotations[c_type] + i_cri_type := i_oci.Annotations[c_type] + print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type) + p_cri_type == i_cri_type + + allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_types: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 1: i_cri_type =", i_cri_type) + i_cri_type == "sandbox" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 1: i_kata_type =", i_kata_type) + i_kata_type == "pod_sandbox" + + allow_sandbox_container_name(p_oci, i_oci) + allow_sandbox_net_namespace(p_oci, i_oci) + allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) + + print("allow_by_container_type 1: true") +} + +allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) { + print("allow_by_container_type 2: i_cri_type =", i_cri_type) + i_cri_type == "container" + + i_kata_type := i_oci.Annotations["io.katacontainers.pkg.oci.container_type"] + print("allow_by_container_type 2: i_kata_type =", i_kata_type) + i_kata_type == "pod_container" + + allow_container_name(p_oci, i_oci) + allow_net_namespace(p_oci, i_oci) + allow_log_directory(p_oci, i_oci) + + print("allow_by_container_type 2: true") +} + +# "io.kubernetes.cri.container-name" annotation +allow_sandbox_container_name(p_oci, i_oci) { + print("allow_sandbox_container_name: start") + + container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_sandbox_container_name: true") +} + +allow_container_name(p_oci, i_oci) { + print("allow_container_name: start") + + allow_container_annotation(p_oci, i_oci, "io.kubernetes.cri.container-name") + + print("allow_container_name: true") +} + +container_annotation_missing(p_oci, i_oci, key) { + print("container_annotation_missing:", key) + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("container_annotation_missing: true") +} + +allow_container_annotation(p_oci, i_oci, key) { + print("allow_container_annotation: key =", key) + + p_value := p_oci.Annotations[key] + i_value := i_oci.Annotations[key] + print("allow_container_annotation: p_value =", p_value, "i_value =", i_value) + + p_value == i_value + + print("allow_container_annotation: true") +} + +# "nerdctl/network-namespace" annotation +allow_sandbox_net_namespace(p_oci, i_oci) { + print("allow_sandbox_net_namespace: start") + + key := "nerdctl/network-namespace" + + p_namespace := p_oci.Annotations[key] + i_namespace := i_oci.Annotations[key] + print("allow_sandbox_net_namespace: p_namespace =", p_namespace, "i_namespace =", i_namespace) + + regex.match(p_namespace, i_namespace) + + print("allow_sandbox_net_namespace: true") +} + +allow_net_namespace(p_oci, i_oci) { + print("allow_net_namespace: start") + + key := "nerdctl/network-namespace" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_net_namespace: true") +} + +# "io.kubernetes.cri.sandbox-log-directory" annotation +allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) { + print("allow_sandbox_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + p_dir := p_oci.Annotations[key] + regex1 := replace(p_dir, "$(sandbox-name)", s_name) + regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace) + print("allow_sandbox_log_directory: regex2 =", regex2) + + i_dir := i_oci.Annotations[key] + print("allow_sandbox_log_directory: i_dir =", i_dir) + + regex.match(regex2, i_dir) + + print("allow_sandbox_log_directory: true") +} + +allow_log_directory(p_oci, i_oci) { + print("allow_log_directory: start") + + key := "io.kubernetes.cri.sandbox-log-directory" + + not p_oci.Annotations[key] + not i_oci.Annotations[key] + + print("allow_log_directory: true") +} + +allow_linux(p_oci, i_oci) { + p_namespaces := p_oci.Linux.Namespaces + print("allow_linux: p namespaces =", p_namespaces) + + i_namespaces := i_oci.Linux.Namespaces + print("allow_linux: i namespaces =", i_namespaces) + + p_namespaces == i_namespaces + + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + + print("allow_linux: true") +} + +allow_masked_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.MaskedPaths + print("allow_masked_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.MaskedPaths + print("allow_masked_paths 1: i_paths =", i_paths) + + allow_masked_paths_array(p_paths, i_paths) + + print("allow_masked_paths 1: true") +} +allow_masked_paths(p_oci, i_oci) { + print("allow_masked_paths 2: start") + + not p_oci.Linux.MaskedPaths + not i_oci.Linux.MaskedPaths + + print("allow_masked_paths 2: true") +} + +# All the policy masked paths must be masked in the input data too. +# Input is allowed to have more masked paths than the policy. +allow_masked_paths_array(p_array, i_array) { + every p_elem in p_array { + allow_masked_path(p_elem, i_array) + } +} + +allow_masked_path(p_elem, i_array) { + print("allow_masked_path: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_masked_path: true") +} + +allow_readonly_paths(p_oci, i_oci) { + p_paths := p_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: p_paths =", p_paths) + + i_paths := i_oci.Linux.ReadonlyPaths + print("allow_readonly_paths 1: i_paths =", i_paths) + + allow_readonly_paths_array(p_paths, i_paths, i_oci.Linux.MaskedPaths) + + print("allow_readonly_paths 1: true") +} +allow_readonly_paths(p_oci, i_oci) { + print("allow_readonly_paths 2: start") + + not p_oci.Linux.ReadonlyPaths + not i_oci.Linux.ReadonlyPaths + + print("allow_readonly_paths 2: true") +} + +# All the policy readonly paths must be either: +# - Present in the input readonly paths, or +# - Present in the input masked paths. +# Input is allowed to have more readonly paths than the policy. +allow_readonly_paths_array(p_array, i_array, masked_paths) { + every p_elem in p_array { + allow_readonly_path(p_elem, i_array, masked_paths) + } +} + +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 1: p_elem =", p_elem) + + some i_elem in i_array + p_elem == i_elem + + print("allow_readonly_path 1: true") +} +allow_readonly_path(p_elem, i_array, masked_paths) { + print("allow_readonly_path 2: p_elem =", p_elem) + + some i_masked in masked_paths + p_elem == i_masked + + print("allow_readonly_path 2: true") +} + +# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" +# and io.kubernetes.cri.sandbox-id" values with other fields. +allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: start") + + bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"] + bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "") + + key := "io.kubernetes.cri.sandbox-id" + + p_regex := p_oci.Annotations[key] + sandbox_id := i_oci.Annotations[key] + + print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex) + regex.match(p_regex, sandbox_id) + + allow_root_path(p_oci, i_oci, bundle_id) + + every i_mount in input.OCI.Mounts { + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) + } + + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) + + print("allow_by_bundle_or_sandbox_id: true") +} + +allow_process(p_oci, i_oci, s_name) { + p_process := p_oci.Process + i_process := i_oci.Process + + print("allow_process: i terminal =", i_process.Terminal, "p terminal =", p_process.Terminal) + p_process.Terminal == i_process.Terminal + + print("allow_process: i cwd =", i_process.Cwd, "i cwd =", p_process.Cwd) + p_process.Cwd == i_process.Cwd + + print("allow_process: i noNewPrivileges =", i_process.NoNewPrivileges, "p noNewPrivileges =", p_process.NoNewPrivileges) + p_process.NoNewPrivileges == i_process.NoNewPrivileges + + allow_caps(p_process.Capabilities, i_process.Capabilities) + allow_user(p_process, i_process) + allow_args(p_process, i_process, s_name) + allow_env(p_process, i_process, s_name) + + print("allow_process: true") +} + +allow_user(p_process, i_process) { + p_user := p_process.User + i_user := i_process.User + + # TODO: track down the reason for mcr.microsoft.com/oss/bitnami/redis:6.0.8 being + # executed with uid = 0 despite having "User": "1001" in its container image + # config. + #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID) + #p_user.UID == i_user.UID + + # TODO: track down the reason for registry.k8s.io/pause:3.9 being + # executed with gid = 0 despite having "65535:65535" in its container image + # config. + #print("allow_user: input gid =", i_user.GID, "policy gid =", p_user.GID) + #p_user.GID == i_user.GID + + # TODO: compare the additionalGids field too after computing its value + # based on /etc/passwd and /etc/group from the container image. +} + +allow_args(p_process, i_process, s_name) { + print("allow_args 1: no args") + + not p_process.Args + not i_process.Args + + print("allow_args 1: true") +} +allow_args(p_process, i_process, s_name) { + print("allow_args 2: policy args =", p_process.Args) + print("allow_args 2: input args =", i_process.Args) + + count(p_process.Args) == count(i_process.Args) + + every i, i_arg in i_process.Args { + allow_arg(i, i_arg, p_process, s_name) + } + + print("allow_args 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 1: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg2 == i_arg + + print("allow_arg 1: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 2: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + # TODO: can $(node-name) be handled better? + contains(p_arg, "$(node-name)") + + print("allow_arg 2: true") +} +allow_arg(i, i_arg, p_process, s_name) { + p_arg := p_process.Args[i] + print("allow_arg 3: i =", i, "i_arg =", i_arg, "p_arg =", p_arg) + + p_arg2 := replace(p_arg, "$$", "$") + p_arg3 := replace(p_arg2, "$(sandbox-name)", s_name) + print("allow_arg 3: p_arg3 =", p_arg3) + p_arg3 == i_arg + + print("allow_arg 3: true") +} + +# OCI process.Env field +allow_env(p_process, i_process, s_name) { + print("allow_env: p env =", p_process.Env) + print("allow_env: i env =", i_process.Env) + + every i_var in i_process.Env { + allow_var(p_process, i_process, i_var, s_name) + } + + print("allow_env: true") +} + +# Allow input env variables that are present in the policy data too. +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 1: i_var =", i_var) + + some p_var in p_process.Env + p_var == i_var + + print("allow_var 1: true") +} + +# Match input with one of the policy variables, after substituting $(sandbox-name). +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 2: i_var =", i_var) + + some p_var in p_process.Env + p_var2 := replace(p_var, "$(sandbox-name)", s_name) + print("allow_var 2: p_var2 =", p_var2) + + p_var2 == i_var + + print("allow_var 2: true") +} + +# Allow input env variables that match with a request_defaults regex. +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 3: start") + + some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex + print("allow_var 3: p_regex1 =", p_regex1) + + p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a) + print("allow_var 3: p_regex2 =", p_regex2) + + p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p) + print("allow_var 3: p_regex3 =", p_regex3) + + p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name) + print("allow_var 3: p_regex4 =", p_regex4) + + p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label) + print("allow_var 3: p_regex5 =", p_regex5) + + print("allow_var 3: i_var =", i_var) + regex.match(p_regex5, i_var) + + print("allow_var 3: true") +} + +# Allow fieldRef "fieldPath: status.podIP" values. +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 4: i_var =", i_var) + + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_pod_ip_var(name_value[0], p_var) + + print("allow_var 4: true") +} + +# Allow common fieldRef variables. +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 5: i_var =", i_var) + + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed := ["$(host-name)", "$(node-name)", "$(pod-uid)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 5: true") +} + +# Allow fieldRef "fieldPath: status.hostIP" values. +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 6: i_var =", i_var) + + name_value := split(i_var, "=") + count(name_value) == 2 + is_ip(name_value[1]) + + some p_var in p_process.Env + allow_host_ip_var(name_value[0], p_var) + + print("allow_var 6: true") +} + +# Allow resourceFieldRef values (e.g., "limits.cpu"). +allow_var(p_process, i_process, i_var, s_name) { + print("allow_var 7: i_var =", i_var) + + name_value := split(i_var, "=") + count(name_value) == 2 + + some p_var in p_process.Env + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == name_value[0] + + # TODO: should these be handled in a different way? + always_allowed = ["$(resource-field)", "$(todo-annotation)"] + some allowed in always_allowed + contains(p_name_value[1], allowed) + + print("allow_var 7: true") +} + +allow_pod_ip_var(var_name, p_var) { + print("allow_pod_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(pod-ip)" + + print("allow_pod_ip_var: true") +} + +allow_host_ip_var(var_name, p_var) { + print("allow_host_ip_var: var_name =", var_name, "p_var =", p_var) + + p_name_value := split(p_var, "=") + count(p_name_value) == 2 + + p_name_value[0] == var_name + p_name_value[1] == "$(host-ip)" + + print("allow_host_ip_var: true") +} + +is_ip(value) { + bytes = split(value, ".") + count(bytes) == 4 + + is_ip_first_byte(bytes[0]) + is_ip_other_byte(bytes[1]) + is_ip_other_byte(bytes[2]) + is_ip_other_byte(bytes[3]) +} +is_ip_first_byte(component) { + number = to_number(component) + number >= 1 + number <= 255 +} +is_ip_other_byte(component) { + number = to_number(component) + number >= 0 + number <= 255 +} + +# OCI root.Path +allow_root_path(p_oci, i_oci, bundle_id) { + p_path1 := p_oci.Root.Path + print("allow_root_path: p_path1 =", p_path1) + + p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) + print("allow_root_path: p_path2 =", p_path2) + + p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) + print("allow_root_path: p_path3 =", p_path3) + + p_path3 == i_oci.Root.Path + + print("allow_root_path: true") +} + +# device mounts +allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: start") + + some p_mount in p_oci.Mounts + check_mount(p_mount, i_mount, bundle_id, sandbox_id) + + # TODO: are there any other required policy checks for mounts - e.g., + # multiple mounts with same source or destination? + + print("allow_mount: true") +} + +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + print("check_mount 1: p_mount =", p_mount) + print("check_mount 1: i_mount =", i_mount) + + p_mount == i_mount + + print("check_mount 1: true") +} +check_mount(p_mount, i_mount, bundle_id, sandbox_id) { + print("check_mount 2: i destination =", i_mount.destination, "p destination =", p_mount.destination) + p_mount.destination == i_mount.destination + + print("check_mount 2: i type =", i_mount.type_, "p type =", p_mount.type_) + p_mount.type_ == i_mount.type_ + + print("check_mount 2: i options =", i_mount.options) + print("check_mount 2: p options =", p_mount.options) + p_mount.options == i_mount.options + + mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) + + print("check_mount 2: true") +} + +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 1: i_mount.source =", i_mount.source) + + regex1 := p_mount.source + print("mount_source_allows 1: regex1 =", regex1) + + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + print("mount_source_allows 1: regex2 =", regex2) + + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + print("mount_source_allows 1: regex3 =", regex3) + + regex4 := replace(regex3, "$(bundle-id)", bundle_id) + print("mount_source_allows 1: regex4 =", regex4) + + regex.match(regex4, i_mount.source) + + print("mount_source_allows 1: true") +} +mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + print("mount_source_allows 2: i_mount.source=", i_mount.source) + + regex1 := p_mount.source + print("mount_source_allows 2: regex1 =", regex1) + + regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix) + print("mount_source_allows 2: regex2 =", regex2) + + regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath) + print("mount_source_allows 2: regex3 =", regex3) + + regex4 := replace(regex3, "$(sandbox-id)", sandbox_id) + print("mount_source_allows 2: regex4 =", regex4) + + regex.match(regex4, i_mount.source) + + print("mount_source_allows 2: true") +} + +###################################################################### +# Storages + +allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) + i_count := count(i_storages) + print("allow_storages: p_count =", p_count, "i_count =", i_count) + + p_count == i_count + + # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + print("allow_storages: overlay_storage =", overlay_storage) + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + print("allow_storages: layer_ids =", layer_ids) + + root_hashes := split(overlay_storage.options[1], ":") + print("allow_storages: root_hashes =", root_hashes) + + every i_storage in i_storages { + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) + } + + print("allow_storages: true") +} + +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + some p_storage in p_storages + + print("allow_storage: p_storage =", p_storage) + print("allow_storage: i_storage =", i_storage) + + p_storage.driver == i_storage.driver + p_storage.driver_options == i_storage.driver_options + p_storage.fs_group == i_storage.fs_group + + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) + allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) + + # TODO: validate the source field too. + + print("allow_storage: true") +} + +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 1: start") + + p_storage.driver != "blk" + p_storage.driver != "overlayfs" + p_storage.options == i_storage.options + + print("allow_storage_options 1: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 2: start") + + p_storage.driver == "overlayfs" + count(p_storage.options) == 2 + + policy_ids := split(p_storage.options[0], ":") + print("allow_storage_options 2: policy_ids =", policy_ids) + policy_ids == layer_ids + + policy_hashes := split(p_storage.options[1], ":") + print("allow_storage_options 2: policy_hashes =", policy_hashes) + + p_count := count(policy_ids) + print("allow_storage_options 2: p_count =", p_count) + p_count >= 1 + p_count == count(policy_hashes) + + i_count := count(i_storage.options) + print("allow_storage_options 2: i_count =", i_count) + i_count == p_count + 3 + + print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0]) + i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers" + + print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) + i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" + + lowerdir := concat("=", ["lowerdir", p_storage.options[0]]) + print("allow_storage_options 2: lowerdir =", lowerdir) + + i_storage.options[i_count - 1] == lowerdir + print("allow_storage_options 2: i_storage.options[i_count - 1] =", i_storage.options[i_count - 1]) + + every i, policy_id in policy_ids { + allow_overlay_layer(policy_id, policy_hashes[i], i_storage.options[i + 1]) + } + + print("allow_storage_options 2: true") +} +allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { + print("allow_storage_options 3: start") + + p_storage.driver == "blk" + count(p_storage.options) == 1 + + startswith(p_storage.options[0], "$(hash") + hash_suffix := trim_left(p_storage.options[0], "$(hash") + + endswith(hash_suffix, ")") + hash_index := trim_right(hash_suffix, ")") + i := to_number(hash_index) + print("allow_storage_options 3: i =", i) + + hash_option := concat("=", ["io.katacontainers.fs-opt.root-hash", root_hashes[i]]) + print("allow_storage_options 3: hash_option =", hash_option) + + count(i_storage.options) == 4 + i_storage.options[0] == "ro" + i_storage.options[1] == "io.katacontainers.fs-opt.block_device=file" + i_storage.options[2] == "io.katacontainers.fs-opt.is-layer" + i_storage.options[3] == hash_option + + print("allow_storage_options 3: true") +} + +allow_overlay_layer(policy_id, policy_hash, i_option) { + print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash) + print("allow_overlay_layer: i_option =", i_option) + + startswith(i_option, "io.katacontainers.fs-opt.layer=") + i_value := replace(i_option, "io.katacontainers.fs-opt.layer=", "") + i_value_decoded := base64.decode(i_value) + print("allow_overlay_layer: i_value_decoded =", i_value_decoded) + + policy_suffix := concat("=", ["tar,ro,io.katacontainers.fs-opt.block_device=file,io.katacontainers.fs-opt.is-layer,io.katacontainers.fs-opt.root-hash", policy_hash]) + p_value := concat(",", [policy_id, policy_suffix]) + print("allow_overlay_layer: p_value =", p_value) + + p_value == i_value_decoded + + print("allow_overlay_layer: true") +} + +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 1: i_storage.mount_point =", i_storage.mount_point) + p_storage.fstype == "tar" + + startswith(p_storage.mount_point, "$(layer") + mount_suffix := trim_left(p_storage.mount_point, "$(layer") + + endswith(mount_suffix, ")") + layer_index := trim_right(mount_suffix, ")") + i := to_number(layer_index) + print("allow_mount_point 1: i =", i) + + layer_id := layer_ids[i] + print("allow_mount_point 1: layer_id =", layer_id) + + p_mount := concat("/", ["/run/kata-containers/sandbox/layers", layer_id]) + print("allow_mount_point 1: p_mount =", p_mount) + + p_mount == i_storage.mount_point + + print("allow_mount_point 1: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 2: i_storage.mount_point =", i_storage.mount_point) + p_storage.fstype == "fuse3.kata-overlay" + + mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(bundle-id)", bundle_id) + print("allow_mount_point 2: mount2 =", mount2) + + mount2 == i_storage.mount_point + + print("allow_mount_point 2: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 3: i_storage.mount_point =", i_storage.mount_point) + p_storage.fstype == "local" + + mount1 := p_storage.mount_point + print("allow_mount_point 3: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 3: mount2 =", mount2) + + mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) + print("allow_mount_point 3: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 3: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 4: i_storage.mount_point =", i_storage.mount_point) + p_storage.fstype == "bind" + + mount1 := p_storage.mount_point + print("allow_mount_point 4: mount1 =", mount1) + + mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + print("allow_mount_point 4: mount2 =", mount2) + + mount3 := replace(mount2, "$(bundle-id)", bundle_id) + print("allow_mount_point 4: mount3 =", mount3) + + regex.match(mount3, i_storage.mount_point) + + print("allow_mount_point 4: true") +} +allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) { + print("allow_mount_point 5: i_storage.mount_point =", i_storage.mount_point) + p_storage.fstype == "tmpfs" + + mount1 := p_storage.mount_point + print("allow_mount_point 5: mount1 =", mount1) + + regex.match(mount1, i_storage.mount_point) + + print("allow_mount_point 5: true") +} + +# process.Capabilities +allow_caps(p_caps, i_caps) { + print("allow_caps: policy Ambient =", p_caps.Ambient) + print("allow_caps: input Ambient =", i_caps.Ambient) + match_caps(p_caps.Ambient, i_caps.Ambient) + + print("allow_caps: policy Bounding =", p_caps.Bounding) + print("allow_caps: input Bounding =", i_caps.Bounding) + match_caps(p_caps.Bounding, i_caps.Bounding) + + print("allow_caps: policy Effective =", p_caps.Effective) + print("allow_caps: input Effective =", i_caps.Effective) + match_caps(p_caps.Effective, i_caps.Effective) + + print("allow_caps: policy Inheritable =", p_caps.Inheritable) + print("allow_caps: input Inheritable =", i_caps.Inheritable) + match_caps(p_caps.Inheritable, i_caps.Inheritable) + + print("allow_caps: policy Permitted =", p_caps.Permitted) + print("allow_caps: input Permitted =", i_caps.Permitted) + match_caps(p_caps.Permitted, i_caps.Permitted) +} + +match_caps(p_caps, i_caps) { + print("match_caps 1: start") + + p_caps == i_caps + + print("match_caps 1: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 2: start") + + count(p_caps) == 1 + p_caps[0] == "$(default_caps)" + + print("match_caps 2: default_caps =", policy_data.common.default_caps) + policy_data.common.default_caps == i_caps + + print("match_caps 2: true") +} +match_caps(p_caps, i_caps) { + print("match_caps 3: start") + + count(p_caps) == 1 + p_caps[0] == "$(privileged_caps)" + + print("match_caps 3: privileged_caps =", policy_data.common.privileged_caps) + policy_data.common.privileged_caps == i_caps + + print("match_caps 3: true") +} + +###################################################################### +CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + + some regex1 in policy_data.request_defaults.CopyFileRequest + regex2 := replace(regex1, "$(cpath)", policy_data.common.cpath) + regex.match(regex2, input.path) + + print("CopyFileRequest: true") +} + +ExecProcessRequest { + print("ExecProcessRequest 1: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_command in policy_data.request_defaults.ExecProcessRequest.commands + p_command == i_command + + print("ExecProcessRequest 1: true") +} +ExecProcessRequest { + print("ExecProcessRequest 2: input =", input) + + # TODO: match input container ID with its corresponding container.exec_commands. + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some container in policy_data.containers + some p_command in container.exec_commands + print("ExecProcessRequest 2: p_command =", p_command) + + # TODO: should other input data fields be validated as well? + p_command == i_command + + print("ExecProcessRequest 2: true") +} +ExecProcessRequest { + print("ExecProcessRequest 3: input =", input) + + i_command = concat(" ", input.process.Args) + print("ExecProcessRequest 3: i_command =", i_command) + + some p_regex in policy_data.request_defaults.ExecProcessRequest.regex + print("ExecProcessRequest 3: p_regex =", p_regex) + + regex.match(p_regex, i_command) + + print("ExecProcessRequest 3: true") +} + +ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true +} + +WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true +} diff --git a/src/confcom/azext_confcom/kata_proxy.py b/src/confcom/azext_confcom/kata_proxy.py new file mode 100644 index 00000000000..fe9eadf2c0e --- /dev/null +++ b/src/confcom/azext_confcom/kata_proxy.py @@ -0,0 +1,148 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# -------------------------------------------------------------------------------------------- + +import subprocess +from typing import List +import os +import stat +import sys +from pathlib import Path +import platform +import requests +from azext_confcom.config import DATA_FOLDER +from azext_confcom.errors import eprint + + +host_os = platform.system() +machine = platform.machine() + + +class KataPolicyGenProxy: # pylint: disable=too-few-public-methods + # static variable to cache layer hashes between container groups + layer_cache = {} + + # TODO: update this to only take stable releases once the release cycle is more consistent + @staticmethod + def download_binaries(): + dir_path = os.path.dirname(os.path.realpath(__file__)) + + bin_folder = os.path.join(dir_path, "bin") + if not os.path.exists(bin_folder): + os.makedirs(bin_folder) + + data_folder = os.path.join(dir_path, "data") + if not os.path.exists(data_folder): + os.makedirs(data_folder) + + # get the most recent release artifacts from github + r = requests.get("https://api.github.com/repos/microsoft/kata-containers/releases") + bin_flag = False + # search for genpolicy in the assets from kata-container releases + for release in r.json(): + # these should be newest to oldest + for asset in release["assets"]: + # download the file if it contains genpolicy + if "genpolicy" in asset["name"]: + save_name = "" + if ".exe" in asset["name"]: + save_name = "genpolicy-windows.exe" + else: + save_name = "genpolicy-linux" + bin_flag = True + # get the download url for the genpolicy file + exe_url = asset["browser_download_url"] + # download the file + r = requests.get(exe_url) + # save the file to the bin folder + with open(os.path.join(bin_folder, save_name), "wb") as f: + f.write(r.content) + + # download the rules.rego and genpolicy-settings.json files + if asset["name"] == "rules.rego" or asset["name"] == "genpolicy-settings.json": + # download the rules.rego file + exe_url = asset["browser_download_url"] + # download the file + r = requests.get(exe_url) + # save the file to the data folder + with open(os.path.join(data_folder, asset["name"]), "wb") as f: + f.write(r.content) + if bin_flag: + break + + def __init__(self): + script_directory = os.path.dirname(os.path.realpath(__file__)) + DEFAULT_LIB = "./bin/genpolicy" + + if host_os == "Linux": + DEFAULT_LIB += "-linux" + elif host_os == "Windows": + if machine.endswith("64"): + DEFAULT_LIB += "-windows.exe" + else: + eprint( + "32-bit Windows is not supported." + ) + elif host_os == "Darwin": + eprint("The extension for MacOS has not been implemented.") + else: + eprint( + "Unknown target platform. The extension only works with Windows, Linux and MacOS" + ) + + self.policy_bin = Path(os.path.join(f"{script_directory}", f"{DEFAULT_LIB}")) + + # check if the extension binary exists + if not os.path.exists(self.policy_bin): + eprint("The extension binary file cannot be located.") + if not os.access(self.policy_bin, os.X_OK): + # add executable permissions for the current user if they don't exist + st = os.stat(self.policy_bin) + os.chmod(self.policy_bin, st.st_mode | stat.S_IXUSR) + + def kata_genpolicy( + self, yaml_path, + config_map_file=None, + outraw=False, + print_policy=False, + use_cached_files=False, + settings_file_name=None, + ) -> List[str]: + policy_bin_str = str(self.policy_bin) + # get path to data and rules folder + arg_list = [policy_bin_str, "-y", yaml_path, "-i", DATA_FOLDER] + + if config_map_file is not None: + arg_list.append("-c") + arg_list.append(config_map_file) + + if outraw: + arg_list.append("-r") + + if print_policy: + arg_list.append("-b") + + if use_cached_files: + arg_list.append("-u") + + if settings_file_name: + arg_list.append("-j") + # only take the last part of the path for the settings file + settings_file_name = os.path.basename(settings_file_name) + arg_list.append(settings_file_name) + + item = subprocess.run( + arg_list, + stdout=sys.stdout, + stderr=sys.stderr, + check=False, + ) + + # get the exit code from the subprocess + if item.returncode != 0: + sys.exit(item.returncode) + + # decode the output + output = item.stdout.decode("utf8") if item.stdout is not None else "" + return output diff --git a/src/confcom/azext_confcom/os_util.py b/src/confcom/azext_confcom/os_util.py index 8a56172a4be..6cd8156b1d9 100644 --- a/src/confcom/azext_confcom/os_util.py +++ b/src/confcom/azext_confcom/os_util.py @@ -5,6 +5,7 @@ import base64 import binascii +import shutil import json import os from tarfile import TarFile @@ -45,6 +46,13 @@ def load_json_from_file(path: str) -> dict: return load_json_from_str(raw_data) +def copy_file(src: str, dest: str) -> None: + try: + shutil.copy(src, dest) + except (FileNotFoundError, IsADirectoryError, PermissionError, OSError): + eprint(f"File not found at path: {src}") + + def load_str_from_file(path: str) -> str: if path: try: diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py b/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py new file mode 100644 index 00000000000..51a5a1ccf03 --- /dev/null +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py @@ -0,0 +1,82 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# -------------------------------------------------------------------------------------------- + +import os +import unittest +import pytest +import time +from azext_confcom.custom import katapolicygen_confcom + +import pytest + +TEST_DIR = os.path.abspath(os.path.join(os.path.abspath(__file__), "..")) + + +# @unittest.skip("not in use") +@pytest.mark.run(order=1) +class KataPolicyGen(unittest.TestCase): + + pod_string = """ +apiVersion: v1 +kind: Pod +metadata: + name: cm2 +spec: + restartPolicy: Never + runtimeClassName: kata-cc + containers: + - name: busybox + image: "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64" + volumeMounts: + - mountPath: /cm2 + name: cm2-volume + command: + - /bin/sh + args: + - "-c" + - while true; do echo hello; sleep 10; done + +""" + + def test_invalid_input_path(self): + with self.assertRaises(SystemExit) as wrapped_exit: + katapolicygen_confcom( + "fakepath/input.json", + None, + ) + self.assertNotEqual(wrapped_exit.exception.code, 0) + + def test_invalid_config_map_path(self): + filename = "pod.yaml" + with open(filename, "w") as f: + f.write(KataPolicyGen.pod_string) + with self.assertRaises(SystemExit) as wrapped_exit: + katapolicygen_confcom( + filename, "fakepath/configmap.yaml", + ) + os.remove(filename) + self.assertNotEqual(wrapped_exit.exception.code, 0) + + def test_output_settings(self): + filename = "pod2.yaml" + with open(filename, "w") as f: + f.write(KataPolicyGen.pod_string) + with self.assertRaises(SystemExit) as wrapped_exit: + katapolicygen_confcom( + filename, None, outraw=True, print_policy=True + ) + os.remove(filename) + self.assertEqual(wrapped_exit.exception.code, 0) + + def test_normal_run(self): + filename = "pod4.yaml" + with open(filename, "w") as f: + f.write(KataPolicyGen.pod_string) + with self.assertRaises(SystemExit) as wrapped_exit: + katapolicygen_confcom( + filename, None, + ) + os.remove(filename) + self.assertEqual(wrapped_exit.exception.code, 0) diff --git a/src/confcom/samples/sample-pod.yaml b/src/confcom/samples/sample-pod.yaml new file mode 100644 index 00000000000..656a52b1daa --- /dev/null +++ b/src/confcom/samples/sample-pod.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-map2 +data: + file1.json: "{key1: value1, key2: value2, key123: value123, 321key: value321}\n" +--- +apiVersion: v1 +kind: Pod +metadata: + name: cm2 + annotations: + io.katacontainers.config.agent.policy: cGFja2FnZSBhZ2VudF9wb2xpY3kKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuaW4KaW1wb3J0IGZ1dHVyZS5rZXl3b3Jkcy5ldmVyeQoKaW1wb3J0IGlucHV0CgojIERlZmF1bHQgdmFsdWVzLCByZXR1cm5lZCBieSBPUEEgd2hlbiBydWxlcyBjYW5ub3QgYmUgZXZhbHVhdGVkIHRvIHRydWUuCmRlZmF1bHQgQ29weUZpbGVSZXF1ZXN0IDo9IGZhbHNlCmRlZmF1bHQgQ3JlYXRlQ29udGFpbmVyUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IENyZWF0ZVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBEZXN0cm95U2FuZGJveFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEV4ZWNQcm9jZXNzUmVxdWVzdCA6PSBmYWxzZQpkZWZhdWx0IEdldE9PTUV2ZW50UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgR3Vlc3REZXRhaWxzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgT25saW5lQ1BVTWVtUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUHVsbEltYWdlUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVhZFN0cmVhbVJlcXVlc3QgOj0gZmFsc2UKZGVmYXVsdCBSZW1vdmVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZW1vdmVTdGFsZVZpcnRpb2ZzU2hhcmVNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTaWduYWxQcm9jZXNzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhcnRDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTdGF0c0NvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFR0eVdpblJlc2l6ZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUVwaGVtZXJhbE1vdW50c1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUludGVyZmFjZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZVJvdXRlc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdhaXRQcm9jZXNzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgV3JpdGVTdHJlYW1SZXF1ZXN0IDo9IGZhbHNlCgojIEFsbG93UmVxdWVzdHNGYWlsaW5nUG9saWN5IDo9IHRydWUgY29uZmlndXJlcyB0aGUgQWdlbnQgdG8gKmFsbG93IGFueQojIHJlcXVlc3RzIGNhdXNpbmcgYSBwb2xpY3kgZmFpbHVyZSouIFRoaXMgaXMgYW4gdW5zZWN1cmUgY29uZmlndXJhdGlvbgojIGJ1dCBpcyB1c2VmdWwgZm9yIGFsbG93aW5nIHVuc2VjdXJlIHBvZHMgdG8gc3RhcnQsIHRoZW4gY29ubmVjdCB0bwojIHRoZW0gYW5kIGluc3BlY3QgT1BBIGxvZ3MgZm9yIHRoZSByb290IGNhdXNlIG9mIGEgZmFpbHVyZS4KZGVmYXVsdCBBbGxvd1JlcXVlc3RzRmFpbGluZ1BvbGljeSA6PSBmYWxzZQoKQ3JlYXRlQ29udGFpbmVyUmVxdWVzdCB7CiAgICBpX29jaSA6PSBpbnB1dC5PQ0kKICAgIGlfc3RvcmFnZXMgOj0gaW5wdXQuc3RvcmFnZXMKCiAgICBzb21lIHBfY29udGFpbmVyIGluIHBvbGljeV9kYXRhLmNvbnRhaW5lcnMKICAgIHByaW50KCI9PT09PT09PSBDcmVhdGVDb250YWluZXJSZXF1ZXN0OiB0cnlpbmcgbmV4dCBwb2xpY3kgY29udGFpbmVyIikKCiAgICBwX29jaSA6PSBwX2NvbnRhaW5lci5PQ0kKICAgIHBfc3RvcmFnZXMgOj0gcF9jb250YWluZXIuc3RvcmFnZXMKCiAgICBwcmludCgiQ3JlYXRlQ29udGFpbmVyUmVxdWVzdDogcCBWZXJzaW9uID0iLCBwX29jaS5WZXJzaW9uLCAiaSBWZXJzaW9uID0iLCBpX29jaS5WZXJzaW9uKQogICAgcF9vY2kuVmVyc2lvbiA9PSBpX29jaS5WZXJzaW9uCgogICAgcHJpbnQoIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3Q6IHAgUmVhZG9ubHkgPSIsIHBfb2NpLlJvb3QuUmVhZG9ubHksICJpIFJlYWRvbmx5ID0iLCBpX29jaS5Sb290LlJlYWRvbmx5KQogICAgcF9vY2kuUm9vdC5SZWFkb25seSA9PSBpX29jaS5Sb290LlJlYWRvbmx5CgogICAgYWxsb3dfYW5ubyhwX29jaSwgaV9vY2kpCiAgICBhbGxvd19ieV9hbm5vKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcykKICAgIGFsbG93X2xpbnV4KHBfb2NpLCBpX29jaSkKCiAgICBwcmludCgiQ3JlYXRlQ29udGFpbmVyUmVxdWVzdDogdHJ1ZSIpCn0KCiMgUmVqZWN0IHVuZXhwZWN0ZWQgYW5ub3RhdGlvbnMuCmFsbG93X2Fubm8ocF9vY2ksIGlfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfYW5ubyAxOiBzdGFydCIpCgogICAgbm90IGlfb2NpLkFubm90YXRpb25zCgogICAgcHJpbnQoImFsbG93X2Fubm8gMTogdHJ1ZSIpCn0KYWxsb3dfYW5ubyhwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19hbm5vIDI6IHAgQW5ub3RhdGlvbnMgPSIsIHBfb2NpLkFubm90YXRpb25zKQogICAgcHJpbnQoImFsbG93X2Fubm8gMjogaSBBbm5vdGF0aW9ucyA9IiwgaV9vY2kuQW5ub3RhdGlvbnMpCgogICAgaV9rZXlzIDo9IG9iamVjdC5rZXlzKGlfb2NpLkFubm90YXRpb25zKQogICAgcHJpbnQoImFsbG93X2Fubm8gMjogaSBrZXlzID0iLCBpX2tleXMpCgogICAgZXZlcnkgaV9rZXkgaW4gaV9rZXlzIHsKICAgICAgICBhbGxvd19hbm5vX2tleShpX2tleSwgcF9vY2kpCiAgICB9CgogICAgcHJpbnQoImFsbG93X2Fubm8gMjogdHJ1ZSIpCn0KCmFsbG93X2Fubm9fa2V5KGlfa2V5LCBwX29jaSkgewogICAgcHJpbnQoImFsbG93X2Fubm9fa2V5IDE6IGkga2V5ID0iLCBpX2tleSkKCiAgICBzdGFydHN3aXRoKGlfa2V5LCAiaW8ua3ViZXJuZXRlcy5jcmkuIikKCiAgICBwcmludCgiYWxsb3dfYW5ub19rZXkgMTogdHJ1ZSIpCn0KYWxsb3dfYW5ub19rZXkoaV9rZXksIHBfb2NpKSB7CiAgICBwcmludCgiYWxsb3dfYW5ub19rZXkgMjogaSBrZXkgPSIsIGlfa2V5KQoKICAgIHNvbWUgcF9rZXksIF8gaW4gcF9vY2kuQW5ub3RhdGlvbnMKICAgIHBfa2V5ID09IGlfa2V5CgogICAgcHJpbnQoImFsbG93X2Fubm9fa2V5IDI6IHRydWUiKQp9CgojIEdldCB0aGUgdmFsdWUgb2YgdGhlICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LW5hbWUiIGFubm90YXRpb24gYW5kCiMgY29ycmVsYXRlIGl0IHdpdGggb3RoZXIgYW5ub3RhdGlvbnMgYW5kIHByb2Nlc3MgZmllbGRzLgphbGxvd19ieV9hbm5vKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcykgewogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMTogc3RhcnQiKQoKICAgIHNfbmFtZSA6PSAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lIgoKICAgIG5vdCBwX29jaS5Bbm5vdGF0aW9uc1tzX25hbWVdCgogICAgaV9zX25hbWUgOj0gaV9vY2kuQW5ub3RhdGlvbnNbc19uYW1lXQogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMTogaV9zX25hbWUgPSIsIGlfc19uYW1lKQoKICAgIGFsbG93X2J5X3NhbmRib3hfbmFtZShwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMsIGlfc19uYW1lKQoKICAgIHByaW50KCJhbGxvd19ieV9hbm5vIDE6IHRydWUiKQp9CmFsbG93X2J5X2Fubm8ocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzKSB7CiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAyOiBzdGFydCIpCgogICAgc19uYW1lIDo9ICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LW5hbWUiCgogICAgcF9zX25hbWUgOj0gcF9vY2kuQW5ub3RhdGlvbnNbc19uYW1lXQogICAgaV9zX25hbWUgOj0gaV9vY2kuQW5ub3RhdGlvbnNbc19uYW1lXQogICAgcHJpbnQoImFsbG93X2J5X2Fubm8gMjogaV9zX25hbWUgPSIsIGlfc19uYW1lLCAicF9zX25hbWUgPSIsIHBfc19uYW1lKQoKICAgIGFsbG93X3NhbmRib3hfbmFtZShwX3NfbmFtZSwgaV9zX25hbWUpCiAgICBhbGxvd19ieV9zYW5kYm94X25hbWUocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzLCBpX3NfbmFtZSkKCiAgICBwcmludCgiYWxsb3dfYnlfYW5ubyAyOiB0cnVlIikKfQoKYWxsb3dfYnlfc2FuZGJveF9uYW1lKHBfb2NpLCBpX29jaSwgcF9zdG9yYWdlcywgaV9zdG9yYWdlcywgc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfYnlfc2FuZGJveF9uYW1lOiBzdGFydCIpCgogICAgc19uYW1lc3BhY2UgOj0gImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZXNwYWNlIgoKICAgIHBfbmFtZXNwYWNlIDo9IHBfb2NpLkFubm90YXRpb25zW3NfbmFtZXNwYWNlXQogICAgaV9uYW1lc3BhY2UgOj0gaV9vY2kuQW5ub3RhdGlvbnNbc19uYW1lc3BhY2VdCiAgICBwcmludCgiYWxsb3dfYnlfc2FuZGJveF9uYW1lOiBwX25hbWVzcGFjZSA9IiwgcF9uYW1lc3BhY2UsICJpX25hbWVzcGFjZSA9IiwgaV9uYW1lc3BhY2UpCiAgICBwX25hbWVzcGFjZSA9PSBpX25hbWVzcGFjZQoKICAgIGFsbG93X2J5X2NvbnRhaW5lcl90eXBlcyhwX29jaSwgaV9vY2ksIHNfbmFtZSwgcF9uYW1lc3BhY2UpCiAgICBhbGxvd19ieV9idW5kbGVfb3Jfc2FuZGJveF9pZChwX29jaSwgaV9vY2ksIHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMpCiAgICBhbGxvd19wcm9jZXNzKHBfb2NpLCBpX29jaSwgc19uYW1lKQoKICAgIHByaW50KCJhbGxvd19ieV9zYW5kYm94X25hbWU6IHRydWUiKQp9CgphbGxvd19zYW5kYm94X25hbWUocF9zX25hbWUsIGlfc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uYW1lIDE6IHN0YXJ0IikKCiAgICBwX3NfbmFtZSA9PSBpX3NfbmFtZQoKICAgIHByaW50KCJhbGxvd19zYW5kYm94X25hbWUgMTogdHJ1ZSIpCn0KYWxsb3dfc2FuZGJveF9uYW1lKHBfc19uYW1lLCBpX3NfbmFtZSkgewogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmFtZSAyOiBzdGFydCIpCgogICAgIyBUT0RPOiBzaG91bGQgZ2VuZXJhdGVkIG5hbWVzIGJlIGhhbmRsZWQgZGlmZmVyZW50bHk/CiAgICBjb250YWlucyhwX3NfbmFtZSwgIiQoZ2VuZXJhdGVkLW5hbWUpIikKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uYW1lIDI6IHRydWUiKQp9CgojIENoZWNrIHRoYXQgdGhlICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItdHlwZSIgYW5kCiMgImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuY29udGFpbmVyX3R5cGUiIGFubm90YXRpb25zIGRlc2lnbmF0ZSB0aGUKIyBleHBlY3RlZCB0eXBlIC0gZWl0aGVyIGEgInNhbmRib3giIG9yIGEgImNvbnRhaW5lciIuIFRoZW4sIHZhbGlkYXRlCiMgb3RoZXIgYW5ub3RhdGlvbnMgYmFzZWQgb24gdGhlIGFjdHVhbCAic2FuZGJveCIgb3IgImNvbnRhaW5lciIgdmFsdWUKIyBmcm9tIHRoZSBpbnB1dCBjb250YWluZXIuCmFsbG93X2J5X2NvbnRhaW5lcl90eXBlcyhwX29jaSwgaV9vY2ksIHNfbmFtZSwgc19uYW1lc3BhY2UpIHsKICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZXM6IGNoZWNraW5nIGlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci10eXBlIikKCiAgICBjX3R5cGUgOj0gImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci10eXBlIgogICAgCiAgICBwX2NyaV90eXBlIDo9IHBfb2NpLkFubm90YXRpb25zW2NfdHlwZV0KICAgIGlfY3JpX3R5cGUgOj0gaV9vY2kuQW5ub3RhdGlvbnNbY190eXBlXQogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlczogcF9jcmlfdHlwZSA9IiwgcF9jcmlfdHlwZSwgImlfY3JpX3R5cGUgPSIsIGlfY3JpX3R5cGUpCiAgICBwX2NyaV90eXBlID09IGlfY3JpX3R5cGUKCiAgICBhbGxvd19ieV9jb250YWluZXJfdHlwZShpX2NyaV90eXBlLCBwX29jaSwgaV9vY2ksIHNfbmFtZSwgc19uYW1lc3BhY2UpCgogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlczogdHJ1ZSIpCn0KCmFsbG93X2J5X2NvbnRhaW5lcl90eXBlKGlfY3JpX3R5cGUsIHBfb2NpLCBpX29jaSwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlIDE6IGlfY3JpX3R5cGUgPSIsIGlfY3JpX3R5cGUpCiAgICBpX2NyaV90eXBlID09ICJzYW5kYm94IgoKICAgIGlfa2F0YV90eXBlIDo9IGlfb2NpLkFubm90YXRpb25zWyJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmNvbnRhaW5lcl90eXBlIl0KICAgIHByaW50KCJhbGxvd19ieV9jb250YWluZXJfdHlwZSAxOiBpX2thdGFfdHlwZSA9IiwgaV9rYXRhX3R5cGUpCiAgICBpX2thdGFfdHlwZSA9PSAicG9kX3NhbmRib3giCgogICAgYWxsb3dfc2FuZGJveF9jb250YWluZXJfbmFtZShwX29jaSwgaV9vY2kpCiAgICBhbGxvd19zYW5kYm94X25ldF9uYW1lc3BhY2UocF9vY2ksIGlfb2NpKQogICAgYWxsb3dfc2FuZGJveF9sb2dfZGlyZWN0b3J5KHBfb2NpLCBpX29jaSwgc19uYW1lLCBzX25hbWVzcGFjZSkKCiAgICBwcmludCgiYWxsb3dfYnlfY29udGFpbmVyX3R5cGUgMTogdHJ1ZSIpCn0KCmFsbG93X2J5X2NvbnRhaW5lcl90eXBlKGlfY3JpX3R5cGUsIHBfb2NpLCBpX29jaSwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlIDI6IGlfY3JpX3R5cGUgPSIsIGlfY3JpX3R5cGUpCiAgICBpX2NyaV90eXBlID09ICJjb250YWluZXIiCgogICAgaV9rYXRhX3R5cGUgOj0gaV9vY2kuQW5ub3RhdGlvbnNbImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuY29udGFpbmVyX3R5cGUiXQogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlIDI6IGlfa2F0YV90eXBlID0iLCBpX2thdGFfdHlwZSkKICAgIGlfa2F0YV90eXBlID09ICJwb2RfY29udGFpbmVyIgoKICAgIGFsbG93X2NvbnRhaW5lcl9uYW1lKHBfb2NpLCBpX29jaSkKICAgIGFsbG93X25ldF9uYW1lc3BhY2UocF9vY2ksIGlfb2NpKQogICAgYWxsb3dfbG9nX2RpcmVjdG9yeShwX29jaSwgaV9vY2kpCgogICAgcHJpbnQoImFsbG93X2J5X2NvbnRhaW5lcl90eXBlIDI6IHRydWUiKQp9CgojICJpby5rdWJlcm5ldGVzLmNyaS5jb250YWluZXItbmFtZSIgYW5ub3RhdGlvbgphbGxvd19zYW5kYm94X2NvbnRhaW5lcl9uYW1lKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X3NhbmRib3hfY29udGFpbmVyX25hbWU6IHN0YXJ0IikKCiAgICBjb250YWluZXJfYW5ub3RhdGlvbl9taXNzaW5nKHBfb2NpLCBpX29jaSwgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci1uYW1lIikKCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9jb250YWluZXJfbmFtZTogdHJ1ZSIpCn0KCmFsbG93X2NvbnRhaW5lcl9uYW1lKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X2NvbnRhaW5lcl9uYW1lOiBzdGFydCIpCgogICAgYWxsb3dfY29udGFpbmVyX2Fubm90YXRpb24ocF9vY2ksIGlfb2NpLCAiaW8ua3ViZXJuZXRlcy5jcmkuY29udGFpbmVyLW5hbWUiKQoKICAgIHByaW50KCJhbGxvd19jb250YWluZXJfbmFtZTogdHJ1ZSIpCn0KCmNvbnRhaW5lcl9hbm5vdGF0aW9uX21pc3NpbmcocF9vY2ksIGlfb2NpLCBrZXkpIHsKICAgIHByaW50KCJjb250YWluZXJfYW5ub3RhdGlvbl9taXNzaW5nOiIsIGtleSkKCiAgICBub3QgcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgbm90IGlfb2NpLkFubm90YXRpb25zW2tleV0KCiAgICBwcmludCgiY29udGFpbmVyX2Fubm90YXRpb25fbWlzc2luZzogdHJ1ZSIpCn0KCmFsbG93X2NvbnRhaW5lcl9hbm5vdGF0aW9uKHBfb2NpLCBpX29jaSwga2V5KSB7CiAgICBwcmludCgiYWxsb3dfY29udGFpbmVyX2Fubm90YXRpb246IGtleSA9Iiwga2V5KQoKICAgIHBfdmFsdWUgOj0gcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgaV92YWx1ZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBwcmludCgiYWxsb3dfY29udGFpbmVyX2Fubm90YXRpb246IHBfdmFsdWUgPSIsIHBfdmFsdWUsICJpX3ZhbHVlID0iLCBpX3ZhbHVlKQoKICAgIHBfdmFsdWUgPT0gaV92YWx1ZQoKICAgIHByaW50KCJhbGxvd19jb250YWluZXJfYW5ub3RhdGlvbjogdHJ1ZSIpCn0KCiMgIm5lcmRjdGwvbmV0d29yay1uYW1lc3BhY2UiIGFubm90YXRpb24KYWxsb3dfc2FuZGJveF9uZXRfbmFtZXNwYWNlKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbmV0X25hbWVzcGFjZTogc3RhcnQiKQoKICAgIGtleSA6PSAibmVyZGN0bC9uZXR3b3JrLW5hbWVzcGFjZSIKCiAgICBwX25hbWVzcGFjZSA6PSBwX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBpX25hbWVzcGFjZSA6PSBpX29jaS5Bbm5vdGF0aW9uc1trZXldCiAgICBwcmludCgiYWxsb3dfc2FuZGJveF9uZXRfbmFtZXNwYWNlOiBwX25hbWVzcGFjZSA9IiwgcF9uYW1lc3BhY2UsICJpX25hbWVzcGFjZSA9IiwgaV9uYW1lc3BhY2UpCgogICAgcmVnZXgubWF0Y2gocF9uYW1lc3BhY2UsIGlfbmFtZXNwYWNlKQoKICAgIHByaW50KCJhbGxvd19zYW5kYm94X25ldF9uYW1lc3BhY2U6IHRydWUiKQp9CgphbGxvd19uZXRfbmFtZXNwYWNlKHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X25ldF9uYW1lc3BhY2U6IHN0YXJ0IikKCiAgICBrZXkgOj0gIm5lcmRjdGwvbmV0d29yay1uYW1lc3BhY2UiCgogICAgbm90IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIG5vdCBpX29jaS5Bbm5vdGF0aW9uc1trZXldCgogICAgcHJpbnQoImFsbG93X25ldF9uYW1lc3BhY2U6IHRydWUiKQp9CgojICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWxvZy1kaXJlY3RvcnkiIGFubm90YXRpb24KYWxsb3dfc2FuZGJveF9sb2dfZGlyZWN0b3J5KHBfb2NpLCBpX29jaSwgc19uYW1lLCBzX25hbWVzcGFjZSkgewogICAgcHJpbnQoImFsbG93X3NhbmRib3hfbG9nX2RpcmVjdG9yeTogc3RhcnQiKQoKICAgIGtleSA6PSAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1sb2ctZGlyZWN0b3J5IgoKICAgIHBfZGlyIDo9IHBfb2NpLkFubm90YXRpb25zW2tleV0KICAgIHJlZ2V4MSA6PSByZXBsYWNlKHBfZGlyLCAiJChzYW5kYm94LW5hbWUpIiwgc19uYW1lKQogICAgcmVnZXgyIDo9IHJlcGxhY2UocmVnZXgxLCAiJChzYW5kYm94LW5hbWVzcGFjZSkiLCBzX25hbWVzcGFjZSkKICAgIHByaW50KCJhbGxvd19zYW5kYm94X2xvZ19kaXJlY3Rvcnk6IHJlZ2V4MiA9IiwgcmVnZXgyKQoKICAgIGlfZGlyIDo9IGlfb2NpLkFubm90YXRpb25zW2tleV0KICAgIHByaW50KCJhbGxvd19zYW5kYm94X2xvZ19kaXJlY3Rvcnk6IGlfZGlyID0iLCBpX2RpcikKCiAgICByZWdleC5tYXRjaChyZWdleDIsIGlfZGlyKQoKICAgIHByaW50KCJhbGxvd19zYW5kYm94X2xvZ19kaXJlY3Rvcnk6IHRydWUiKQp9CgphbGxvd19sb2dfZGlyZWN0b3J5KHBfb2NpLCBpX29jaSkgewogICAgcHJpbnQoImFsbG93X2xvZ19kaXJlY3Rvcnk6IHN0YXJ0IikKCiAgICBrZXkgOj0gImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbG9nLWRpcmVjdG9yeSIKCiAgICBub3QgcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgbm90IGlfb2NpLkFubm90YXRpb25zW2tleV0KCiAgICBwcmludCgiYWxsb3dfbG9nX2RpcmVjdG9yeTogdHJ1ZSIpCn0KCmFsbG93X2xpbnV4KHBfb2NpLCBpX29jaSkgewogICAgcF9uYW1lc3BhY2VzIDo9IHBfb2NpLkxpbnV4Lk5hbWVzcGFjZXMKICAgIHByaW50KCJhbGxvd19saW51eDogcCBuYW1lc3BhY2VzID0iLCBwX25hbWVzcGFjZXMpCgogICAgaV9uYW1lc3BhY2VzIDo9IGlfb2NpLkxpbnV4Lk5hbWVzcGFjZXMKICAgIHByaW50KCJhbGxvd19saW51eDogaSBuYW1lc3BhY2VzID0iLCBpX25hbWVzcGFjZXMpCgogICAgcF9uYW1lc3BhY2VzID09IGlfbmFtZXNwYWNlcwoKICAgIGFsbG93X21hc2tlZF9wYXRocyhwX29jaSwgaV9vY2kpCiAgICBhbGxvd19yZWFkb25seV9wYXRocyhwX29jaSwgaV9vY2kpCgogICAgcHJpbnQoImFsbG93X2xpbnV4OiB0cnVlIikKfQoKYWxsb3dfbWFza2VkX3BhdGhzKHBfb2NpLCBpX29jaSkgewogICAgcF9wYXRocyA6PSBwX29jaS5MaW51eC5NYXNrZWRQYXRocwogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRocyAxOiBwX3BhdGhzID0iLCBwX3BhdGhzKQoKICAgIGlfcGF0aHMgOj0gaV9vY2kuTGludXguTWFza2VkUGF0aHMKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aHMgMTogaV9wYXRocyA9IiwgaV9wYXRocykKCiAgICBhbGxvd19tYXNrZWRfcGF0aHNfYXJyYXkocF9wYXRocywgaV9wYXRocykKCiAgICBwcmludCgiYWxsb3dfbWFza2VkX3BhdGhzIDE6IHRydWUiKQp9CmFsbG93X21hc2tlZF9wYXRocyhwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aHMgMjogc3RhcnQiKQoKICAgIG5vdCBwX29jaS5MaW51eC5NYXNrZWRQYXRocwogICAgbm90IGlfb2NpLkxpbnV4Lk1hc2tlZFBhdGhzCgogICAgcHJpbnQoImFsbG93X21hc2tlZF9wYXRocyAyOiB0cnVlIikKfQoKIyBBbGwgdGhlIHBvbGljeSBtYXNrZWQgcGF0aHMgbXVzdCBiZSBtYXNrZWQgaW4gdGhlIGlucHV0IGRhdGEgdG9vLgojIElucHV0IGlzIGFsbG93ZWQgdG8gaGF2ZSBtb3JlIG1hc2tlZCBwYXRocyB0aGFuIHRoZSBwb2xpY3kuCmFsbG93X21hc2tlZF9wYXRoc19hcnJheShwX2FycmF5LCBpX2FycmF5KSB7CiAgICBldmVyeSBwX2VsZW0gaW4gcF9hcnJheSB7CiAgICAgICAgYWxsb3dfbWFza2VkX3BhdGgocF9lbGVtLCBpX2FycmF5KQogICAgfQp9CgphbGxvd19tYXNrZWRfcGF0aChwX2VsZW0sIGlfYXJyYXkpIHsKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aDogcF9lbGVtID0iLCBwX2VsZW0pCgogICAgc29tZSBpX2VsZW0gaW4gaV9hcnJheQogICAgcF9lbGVtID09IGlfZWxlbQoKICAgIHByaW50KCJhbGxvd19tYXNrZWRfcGF0aDogdHJ1ZSIpCn0KCmFsbG93X3JlYWRvbmx5X3BhdGhzKHBfb2NpLCBpX29jaSkgewogICAgcF9wYXRocyA6PSBwX29jaS5MaW51eC5SZWFkb25seVBhdGhzCiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aHMgMTogcF9wYXRocyA9IiwgcF9wYXRocykKCiAgICBpX3BhdGhzIDo9IGlfb2NpLkxpbnV4LlJlYWRvbmx5UGF0aHMKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRocyAxOiBpX3BhdGhzID0iLCBpX3BhdGhzKQoKICAgIGFsbG93X3JlYWRvbmx5X3BhdGhzX2FycmF5KHBfcGF0aHMsIGlfcGF0aHMsIGlfb2NpLkxpbnV4Lk1hc2tlZFBhdGhzKQoKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRocyAxOiB0cnVlIikKfQphbGxvd19yZWFkb25seV9wYXRocyhwX29jaSwgaV9vY2kpIHsKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRocyAyOiBzdGFydCIpCgogICAgbm90IHBfb2NpLkxpbnV4LlJlYWRvbmx5UGF0aHMKICAgIG5vdCBpX29jaS5MaW51eC5SZWFkb25seVBhdGhzCgogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGhzIDI6IHRydWUiKQp9CgojIEFsbCB0aGUgcG9saWN5IHJlYWRvbmx5IHBhdGhzIG11c3QgYmUgZWl0aGVyOgojIC0gUHJlc2VudCBpbiB0aGUgaW5wdXQgcmVhZG9ubHkgcGF0aHMsIG9yCiMgLSBQcmVzZW50IGluIHRoZSBpbnB1dCBtYXNrZWQgcGF0aHMuCiMgSW5wdXQgaXMgYWxsb3dlZCB0byBoYXZlIG1vcmUgcmVhZG9ubHkgcGF0aHMgdGhhbiB0aGUgcG9saWN5LgphbGxvd19yZWFkb25seV9wYXRoc19hcnJheShwX2FycmF5LCBpX2FycmF5LCBtYXNrZWRfcGF0aHMpIHsKICAgIGV2ZXJ5IHBfZWxlbSBpbiBwX2FycmF5IHsKICAgICAgICBhbGxvd19yZWFkb25seV9wYXRoKHBfZWxlbSwgaV9hcnJheSwgbWFza2VkX3BhdGhzKQogICAgfQp9CgphbGxvd19yZWFkb25seV9wYXRoKHBfZWxlbSwgaV9hcnJheSwgbWFza2VkX3BhdGhzKSB7CiAgICBwcmludCgiYWxsb3dfcmVhZG9ubHlfcGF0aCAxOiBwX2VsZW0gPSIsIHBfZWxlbSkKCiAgICBzb21lIGlfZWxlbSBpbiBpX2FycmF5CiAgICBwX2VsZW0gPT0gaV9lbGVtCgogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGggMTogdHJ1ZSIpCn0KYWxsb3dfcmVhZG9ubHlfcGF0aChwX2VsZW0sIGlfYXJyYXksIG1hc2tlZF9wYXRocykgewogICAgcHJpbnQoImFsbG93X3JlYWRvbmx5X3BhdGggMjogcF9lbGVtID0iLCBwX2VsZW0pCgogICAgc29tZSBpX21hc2tlZCBpbiBtYXNrZWRfcGF0aHMKICAgIHBfZWxlbSA9PSBpX21hc2tlZAoKICAgIHByaW50KCJhbGxvd19yZWFkb25seV9wYXRoIDI6IHRydWUiKQp9CgojIENoZWNrIHRoZSBjb25zaXN0ZW5jeSBvZiB0aGUgaW5wdXQgImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuYnVuZGxlX3BhdGgiCiMgYW5kIGlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtaWQiIHZhbHVlcyB3aXRoIG90aGVyIGZpZWxkcy4KYWxsb3dfYnlfYnVuZGxlX29yX3NhbmRib3hfaWQocF9vY2ksIGlfb2NpLCBwX3N0b3JhZ2VzLCBpX3N0b3JhZ2VzKSB7CiAgICBwcmludCgiYWxsb3dfYnlfYnVuZGxlX29yX3NhbmRib3hfaWQ6IHN0YXJ0IikKCiAgICBidW5kbGVfcGF0aCA6PSBpX29jaS5Bbm5vdGF0aW9uc1siaW8ua2F0YWNvbnRhaW5lcnMucGtnLm9jaS5idW5kbGVfcGF0aCJdCiAgICBidW5kbGVfaWQgOj0gcmVwbGFjZShidW5kbGVfcGF0aCwgIi9ydW4vY29udGFpbmVyZC9pby5jb250YWluZXJkLnJ1bnRpbWUudjIudGFzay9rOHMuaW8vIiwgIiIpCgogICAga2V5IDo9ICJpby5rdWJlcm5ldGVzLmNyaS5zYW5kYm94LWlkIgoKICAgIHBfcmVnZXggOj0gcF9vY2kuQW5ub3RhdGlvbnNba2V5XQogICAgc2FuZGJveF9pZCA6PSBpX29jaS5Bbm5vdGF0aW9uc1trZXldCgogICAgcHJpbnQoImFsbG93X2J5X2J1bmRsZV9vcl9zYW5kYm94X2lkOiBzYW5kYm94X2lkID0iLCBzYW5kYm94X2lkLCAicmVnZXggPSIsIHBfcmVnZXgpCiAgICByZWdleC5tYXRjaChwX3JlZ2V4LCBzYW5kYm94X2lkKQoKICAgIGFsbG93X3Jvb3RfcGF0aChwX29jaSwgaV9vY2ksIGJ1bmRsZV9pZCkKCiAgICBldmVyeSBpX21vdW50IGluIGlucHV0Lk9DSS5Nb3VudHMgewogICAgICAgIGFsbG93X21vdW50KHBfb2NpLCBpX21vdW50LCBidW5kbGVfaWQsIHNhbmRib3hfaWQpCiAgICB9CgogICAgYWxsb3dfc3RvcmFnZXMocF9zdG9yYWdlcywgaV9zdG9yYWdlcywgYnVuZGxlX2lkLCBzYW5kYm94X2lkKQoKICAgIHByaW50KCJhbGxvd19ieV9idW5kbGVfb3Jfc2FuZGJveF9pZDogdHJ1ZSIpCn0KCmFsbG93X3Byb2Nlc3MocF9vY2ksIGlfb2NpLCBzX25hbWUpIHsKICAgIHBfcHJvY2VzcyA6PSBwX29jaS5Qcm9jZXNzCiAgICBpX3Byb2Nlc3MgOj0gaV9vY2kuUHJvY2VzcwoKICAgIHByaW50KCJhbGxvd19wcm9jZXNzOiBpIHRlcm1pbmFsID0iLCBpX3Byb2Nlc3MuVGVybWluYWwsICJwIHRlcm1pbmFsID0iLCBwX3Byb2Nlc3MuVGVybWluYWwpCiAgICBwX3Byb2Nlc3MuVGVybWluYWwgPT0gaV9wcm9jZXNzLlRlcm1pbmFsCgogICAgcHJpbnQoImFsbG93X3Byb2Nlc3M6IGkgY3dkID0iLCBpX3Byb2Nlc3MuQ3dkLCAiaSBjd2QgPSIsIHBfcHJvY2Vzcy5Dd2QpCiAgICBwX3Byb2Nlc3MuQ3dkID09IGlfcHJvY2Vzcy5Dd2QKCiAgICBwcmludCgiYWxsb3dfcHJvY2VzczogaSBub05ld1ByaXZpbGVnZXMgPSIsIGlfcHJvY2Vzcy5Ob05ld1ByaXZpbGVnZXMsICJwIG5vTmV3UHJpdmlsZWdlcyA9IiwgcF9wcm9jZXNzLk5vTmV3UHJpdmlsZWdlcykKICAgIHBfcHJvY2Vzcy5Ob05ld1ByaXZpbGVnZXMgPT0gaV9wcm9jZXNzLk5vTmV3UHJpdmlsZWdlcwoKICAgIGFsbG93X2NhcHMocF9wcm9jZXNzLkNhcGFiaWxpdGllcywgaV9wcm9jZXNzLkNhcGFiaWxpdGllcykKICAgIGFsbG93X3VzZXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MpCiAgICBhbGxvd19hcmdzKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUpCiAgICBhbGxvd19lbnYocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSkKCiAgICBwcmludCgiYWxsb3dfcHJvY2VzczogdHJ1ZSIpCn0KCmFsbG93X3VzZXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MpIHsKICAgIHBfdXNlciA6PSBwX3Byb2Nlc3MuVXNlcgogICAgaV91c2VyIDo9IGlfcHJvY2Vzcy5Vc2VyCgogICAgIyBUT0RPOiB0cmFjayBkb3duIHRoZSByZWFzb24gZm9yIG1jci5taWNyb3NvZnQuY29tL29zcy9iaXRuYW1pL3JlZGlzOjYuMC44IGJlaW5nCiAgICAjICAgICAgIGV4ZWN1dGVkIHdpdGggdWlkID0gMCBkZXNwaXRlIGhhdmluZyAiVXNlciI6ICIxMDAxIiBpbiBpdHMgY29udGFpbmVyIGltYWdlCiAgICAjICAgICAgIGNvbmZpZy4KICAgICNwcmludCgiYWxsb3dfdXNlcjogaW5wdXQgdWlkID0iLCBpX3VzZXIuVUlELCAicG9saWN5IHVpZCA9IiwgcF91c2VyLlVJRCkKICAgICNwX3VzZXIuVUlEID09IGlfdXNlci5VSUQKCiAgICAjIFRPRE86IHRyYWNrIGRvd24gdGhlIHJlYXNvbiBmb3IgcmVnaXN0cnkuazhzLmlvL3BhdXNlOjMuOSBiZWluZwogICAgIyAgICAgICBleGVjdXRlZCB3aXRoIGdpZCA9IDAgZGVzcGl0ZSBoYXZpbmcgIjY1NTM1OjY1NTM1IiBpbiBpdHMgY29udGFpbmVyIGltYWdlCiAgICAjICAgICAgIGNvbmZpZy4KICAgICNwcmludCgiYWxsb3dfdXNlcjogaW5wdXQgZ2lkID0iLCBpX3VzZXIuR0lELCAicG9saWN5IGdpZCA9IiwgcF91c2VyLkdJRCkKICAgICNwX3VzZXIuR0lEID09IGlfdXNlci5HSUQKCiAgICAjIFRPRE86IGNvbXBhcmUgdGhlIGFkZGl0aW9uYWxHaWRzIGZpZWxkIHRvbyBhZnRlciBjb21wdXRpbmcgaXRzIHZhbHVlCiAgICAjIGJhc2VkIG9uIC9ldGMvcGFzc3dkIGFuZCAvZXRjL2dyb3VwIGZyb20gdGhlIGNvbnRhaW5lciBpbWFnZS4KfQoKYWxsb3dfYXJncyhwX3Byb2Nlc3MsIGlfcHJvY2Vzcywgc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfYXJncyAxOiBubyBhcmdzIikKCiAgICBub3QgcF9wcm9jZXNzLkFyZ3MKICAgIG5vdCBpX3Byb2Nlc3MuQXJncwoKICAgIHByaW50KCJhbGxvd19hcmdzIDE6IHRydWUiKQp9CmFsbG93X2FyZ3MocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIHNfbmFtZSkgewogICAgcHJpbnQoImFsbG93X2FyZ3MgMjogcG9saWN5IGFyZ3MgPSIsIHBfcHJvY2Vzcy5BcmdzKQogICAgcHJpbnQoImFsbG93X2FyZ3MgMjogaW5wdXQgYXJncyA9IiwgaV9wcm9jZXNzLkFyZ3MpCgogICAgY291bnQocF9wcm9jZXNzLkFyZ3MpID09IGNvdW50KGlfcHJvY2Vzcy5BcmdzKQoKICAgIGV2ZXJ5IGksIGlfYXJnIGluIGlfcHJvY2Vzcy5BcmdzIHsKICAgICAgICBhbGxvd19hcmcoaSwgaV9hcmcsIHBfcHJvY2Vzcywgc19uYW1lKQogICAgfQoKICAgIHByaW50KCJhbGxvd19hcmdzIDI6IHRydWUiKQp9CmFsbG93X2FyZyhpLCBpX2FyZywgcF9wcm9jZXNzLCBzX25hbWUpIHsKICAgIHBfYXJnIDo9IHBfcHJvY2Vzcy5BcmdzW2ldCiAgICBwcmludCgiYWxsb3dfYXJnIDE6IGkgPSIsIGksICJpX2FyZyA9IiwgaV9hcmcsICJwX2FyZyA9IiwgcF9hcmcpCgogICAgcF9hcmcyIDo9IHJlcGxhY2UocF9hcmcsICIkJCIsICIkIikKICAgIHBfYXJnMiA9PSBpX2FyZwoKICAgIHByaW50KCJhbGxvd19hcmcgMTogdHJ1ZSIpCn0KYWxsb3dfYXJnKGksIGlfYXJnLCBwX3Byb2Nlc3MsIHNfbmFtZSkgewogICAgcF9hcmcgOj0gcF9wcm9jZXNzLkFyZ3NbaV0KICAgIHByaW50KCJhbGxvd19hcmcgMjogaSA9IiwgaSwgImlfYXJnID0iLCBpX2FyZywgInBfYXJnID0iLCBwX2FyZykKCiAgICAjIFRPRE86IGNhbiAkKG5vZGUtbmFtZSkgYmUgaGFuZGxlZCBiZXR0ZXI/CiAgICBjb250YWlucyhwX2FyZywgIiQobm9kZS1uYW1lKSIpCgogICAgcHJpbnQoImFsbG93X2FyZyAyOiB0cnVlIikKfQphbGxvd19hcmcoaSwgaV9hcmcsIHBfcHJvY2Vzcywgc19uYW1lKSB7CiAgICBwX2FyZyA6PSBwX3Byb2Nlc3MuQXJnc1tpXQogICAgcHJpbnQoImFsbG93X2FyZyAzOiBpID0iLCBpLCAiaV9hcmcgPSIsIGlfYXJnLCAicF9hcmcgPSIsIHBfYXJnKQoKICAgIHBfYXJnMiA6PSByZXBsYWNlKHBfYXJnLCAiJCQiLCAiJCIpCiAgICBwX2FyZzMgOj0gcmVwbGFjZShwX2FyZzIsICIkKHNhbmRib3gtbmFtZSkiLCBzX25hbWUpCiAgICBwcmludCgiYWxsb3dfYXJnIDM6IHBfYXJnMyA9IiwgcF9hcmczKQogICAgcF9hcmczID09IGlfYXJnCgogICAgcHJpbnQoImFsbG93X2FyZyAzOiB0cnVlIikKfQoKIyBPQ0kgcHJvY2Vzcy5FbnYgZmllbGQKYWxsb3dfZW52KHBfcHJvY2VzcywgaV9wcm9jZXNzLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd19lbnY6IHAgZW52ID0iLCBwX3Byb2Nlc3MuRW52KQogICAgcHJpbnQoImFsbG93X2VudjogaSBlbnYgPSIsIGlfcHJvY2Vzcy5FbnYpCgogICAgZXZlcnkgaV92YXIgaW4gaV9wcm9jZXNzLkVudiB7CiAgICAgICAgYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lKQogICAgfQoKICAgIHByaW50KCJhbGxvd19lbnY6IHRydWUiKQp9CgojIEFsbG93IGlucHV0IGVudiB2YXJpYWJsZXMgdGhhdCBhcmUgcHJlc2VudCBpbiB0aGUgcG9saWN5IGRhdGEgdG9vLgphbGxvd192YXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIGlfdmFyLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd192YXIgMTogaV92YXIgPSIsIGlfdmFyKQoKICAgIHNvbWUgcF92YXIgaW4gcF9wcm9jZXNzLkVudgogICAgcF92YXIgPT0gaV92YXIKCiAgICBwcmludCgiYWxsb3dfdmFyIDE6IHRydWUiKQp9CgojIE1hdGNoIGlucHV0IHdpdGggb25lIG9mIHRoZSBwb2xpY3kgdmFyaWFibGVzLCBhZnRlciBzdWJzdGl0dXRpbmcgJChzYW5kYm94LW5hbWUpLgphbGxvd192YXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIGlfdmFyLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd192YXIgMjogaV92YXIgPSIsIGlfdmFyKQoKICAgIHNvbWUgcF92YXIgaW4gcF9wcm9jZXNzLkVudgogICAgcF92YXIyIDo9IHJlcGxhY2UocF92YXIsICIkKHNhbmRib3gtbmFtZSkiLCBzX25hbWUpCiAgICBwcmludCgiYWxsb3dfdmFyIDI6IHBfdmFyMiA9IiwgcF92YXIyKQoKICAgIHBfdmFyMiA9PSBpX3ZhcgoKICAgIHByaW50KCJhbGxvd192YXIgMjogdHJ1ZSIpCn0KCiMgQWxsb3cgaW5wdXQgZW52IHZhcmlhYmxlcyB0aGF0IG1hdGNoIHdpdGggYSByZXF1ZXN0X2RlZmF1bHRzIHJlZ2V4LgphbGxvd192YXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIGlfdmFyLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd192YXIgMzogc3RhcnQiKQoKICAgIHNvbWUgcF9yZWdleDEgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5DcmVhdGVDb250YWluZXJSZXF1ZXN0LmFsbG93X2Vudl9yZWdleAogICAgcHJpbnQoImFsbG93X3ZhciAzOiBwX3JlZ2V4MSA9IiwgcF9yZWdleDEpCgogICAgcF9yZWdleDIgOj0gcmVwbGFjZShwX3JlZ2V4MSwgIiQoaXB2NF9hKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcHY0X2EpCiAgICBwcmludCgiYWxsb3dfdmFyIDM6IHBfcmVnZXgyID0iLCBwX3JlZ2V4MikKCiAgICBwX3JlZ2V4MyA6PSByZXBsYWNlKHBfcmVnZXgyLCAiJChpcF9wKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5pcF9wKQogICAgcHJpbnQoImFsbG93X3ZhciAzOiBwX3JlZ2V4MyA9IiwgcF9yZWdleDMpCgogICAgcF9yZWdleDQgOj0gcmVwbGFjZShwX3JlZ2V4MywgIiQoc3ZjX25hbWUpIiwgcG9saWN5X2RhdGEuY29tbW9uLnN2Y19uYW1lKQogICAgcHJpbnQoImFsbG93X3ZhciAzOiBwX3JlZ2V4NCA9IiwgcF9yZWdleDQpCgogICAgcF9yZWdleDUgOj0gcmVwbGFjZShwX3JlZ2V4NCwgIiQoZG5zX2xhYmVsKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5kbnNfbGFiZWwpCiAgICBwcmludCgiYWxsb3dfdmFyIDM6IHBfcmVnZXg1ID0iLCBwX3JlZ2V4NSkKCiAgICBwcmludCgiYWxsb3dfdmFyIDM6IGlfdmFyID0iLCBpX3ZhcikKICAgIHJlZ2V4Lm1hdGNoKHBfcmVnZXg1LCBpX3ZhcikKCiAgICBwcmludCgiYWxsb3dfdmFyIDM6IHRydWUiKQp9CgojIEFsbG93IGZpZWxkUmVmICJmaWVsZFBhdGg6IHN0YXR1cy5wb2RJUCIgdmFsdWVzLgphbGxvd192YXIocF9wcm9jZXNzLCBpX3Byb2Nlc3MsIGlfdmFyLCBzX25hbWUpIHsKICAgIHByaW50KCJhbGxvd192YXIgNDogaV92YXIgPSIsIGlfdmFyKQoKICAgIG5hbWVfdmFsdWUgOj0gc3BsaXQoaV92YXIsICI9IikKICAgIGNvdW50KG5hbWVfdmFsdWUpID09IDIKICAgIGlzX2lwKG5hbWVfdmFsdWVbMV0pCgogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBhbGxvd19wb2RfaXBfdmFyKG5hbWVfdmFsdWVbMF0sIHBfdmFyKQoKICAgIHByaW50KCJhbGxvd192YXIgNDogdHJ1ZSIpCn0KCiMgQWxsb3cgY29tbW9uIGZpZWxkUmVmIHZhcmlhYmxlcy4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfdmFyIDU6IGlfdmFyID0iLCBpX3ZhcikKCiAgICBuYW1lX3ZhbHVlIDo9IHNwbGl0KGlfdmFyLCAiPSIpCiAgICBjb3VudChuYW1lX3ZhbHVlKSA9PSAyCgogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX25hbWVfdmFsdWUgOj0gc3BsaXQocF92YXIsICI9IikKICAgIGNvdW50KHBfbmFtZV92YWx1ZSkgPT0gMgoKICAgIHBfbmFtZV92YWx1ZVswXSA9PSBuYW1lX3ZhbHVlWzBdCgogICAgIyBUT0RPOiBzaG91bGQgdGhlc2UgYmUgaGFuZGxlZCBpbiBhIGRpZmZlcmVudCB3YXk/CiAgICBhbHdheXNfYWxsb3dlZCA6PSBbIiQoaG9zdC1uYW1lKSIsICIkKG5vZGUtbmFtZSkiLCAiJChwb2QtdWlkKSJdCiAgICBzb21lIGFsbG93ZWQgaW4gYWx3YXlzX2FsbG93ZWQKICAgIGNvbnRhaW5zKHBfbmFtZV92YWx1ZVsxXSwgYWxsb3dlZCkKCiAgICBwcmludCgiYWxsb3dfdmFyIDU6IHRydWUiKQp9CgojIEFsbG93IGZpZWxkUmVmICJmaWVsZFBhdGg6IHN0YXR1cy5ob3N0SVAiIHZhbHVlcy4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfdmFyIDY6IGlfdmFyID0iLCBpX3ZhcikKCiAgICBuYW1lX3ZhbHVlIDo9IHNwbGl0KGlfdmFyLCAiPSIpCiAgICBjb3VudChuYW1lX3ZhbHVlKSA9PSAyCiAgICBpc19pcChuYW1lX3ZhbHVlWzFdKQoKICAgIHNvbWUgcF92YXIgaW4gcF9wcm9jZXNzLkVudgogICAgYWxsb3dfaG9zdF9pcF92YXIobmFtZV92YWx1ZVswXSwgcF92YXIpCgogICAgcHJpbnQoImFsbG93X3ZhciA2OiB0cnVlIikKfQoKIyBBbGxvdyByZXNvdXJjZUZpZWxkUmVmIHZhbHVlcyAoZS5nLiwgImxpbWl0cy5jcHUiKS4KYWxsb3dfdmFyKHBfcHJvY2VzcywgaV9wcm9jZXNzLCBpX3Zhciwgc19uYW1lKSB7CiAgICBwcmludCgiYWxsb3dfdmFyIDc6IGlfdmFyID0iLCBpX3ZhcikKCiAgICBuYW1lX3ZhbHVlIDo9IHNwbGl0KGlfdmFyLCAiPSIpCiAgICBjb3VudChuYW1lX3ZhbHVlKSA9PSAyCgogICAgc29tZSBwX3ZhciBpbiBwX3Byb2Nlc3MuRW52CiAgICBwX25hbWVfdmFsdWUgOj0gc3BsaXQocF92YXIsICI9IikKICAgIGNvdW50KHBfbmFtZV92YWx1ZSkgPT0gMgoKICAgIHBfbmFtZV92YWx1ZVswXSA9PSBuYW1lX3ZhbHVlWzBdCgogICAgIyBUT0RPOiBzaG91bGQgdGhlc2UgYmUgaGFuZGxlZCBpbiBhIGRpZmZlcmVudCB3YXk/CiAgICBhbHdheXNfYWxsb3dlZCA9IFsiJChyZXNvdXJjZS1maWVsZCkiLCAiJCh0b2RvLWFubm90YXRpb24pIl0KICAgIHNvbWUgYWxsb3dlZCBpbiBhbHdheXNfYWxsb3dlZAogICAgY29udGFpbnMocF9uYW1lX3ZhbHVlWzFdLCBhbGxvd2VkKQoKICAgIHByaW50KCJhbGxvd192YXIgNzogdHJ1ZSIpCn0KCmFsbG93X3BvZF9pcF92YXIodmFyX25hbWUsIHBfdmFyKSB7CiAgICBwcmludCgiYWxsb3dfcG9kX2lwX3ZhcjogdmFyX25hbWUgPSIsIHZhcl9uYW1lLCAicF92YXIgPSIsIHBfdmFyKQoKICAgIHBfbmFtZV92YWx1ZSA6PSBzcGxpdChwX3ZhciwgIj0iKQogICAgY291bnQocF9uYW1lX3ZhbHVlKSA9PSAyCgogICAgcF9uYW1lX3ZhbHVlWzBdID09IHZhcl9uYW1lCiAgICBwX25hbWVfdmFsdWVbMV0gPT0gIiQocG9kLWlwKSIKCiAgICBwcmludCgiYWxsb3dfcG9kX2lwX3ZhcjogdHJ1ZSIpCn0KCmFsbG93X2hvc3RfaXBfdmFyKHZhcl9uYW1lLCBwX3ZhcikgewogICAgcHJpbnQoImFsbG93X2hvc3RfaXBfdmFyOiB2YXJfbmFtZSA9IiwgdmFyX25hbWUsICJwX3ZhciA9IiwgcF92YXIpCgogICAgcF9uYW1lX3ZhbHVlIDo9IHNwbGl0KHBfdmFyLCAiPSIpCiAgICBjb3VudChwX25hbWVfdmFsdWUpID09IDIKCiAgICBwX25hbWVfdmFsdWVbMF0gPT0gdmFyX25hbWUKICAgIHBfbmFtZV92YWx1ZVsxXSA9PSAiJChob3N0LWlwKSIKCiAgICBwcmludCgiYWxsb3dfaG9zdF9pcF92YXI6IHRydWUiKQp9Cgppc19pcCh2YWx1ZSkgewogICAgYnl0ZXMgPSBzcGxpdCh2YWx1ZSwgIi4iKQogICAgY291bnQoYnl0ZXMpID09IDQKCiAgICBpc19pcF9maXJzdF9ieXRlKGJ5dGVzWzBdKQogICAgaXNfaXBfb3RoZXJfYnl0ZShieXRlc1sxXSkKICAgIGlzX2lwX290aGVyX2J5dGUoYnl0ZXNbMl0pCiAgICBpc19pcF9vdGhlcl9ieXRlKGJ5dGVzWzNdKQp9CmlzX2lwX2ZpcnN0X2J5dGUoY29tcG9uZW50KSB7CiAgICBudW1iZXIgPSB0b19udW1iZXIoY29tcG9uZW50KQogICAgbnVtYmVyID49IDEKICAgIG51bWJlciA8PSAyNTUKfQppc19pcF9vdGhlcl9ieXRlKGNvbXBvbmVudCkgewogICAgbnVtYmVyID0gdG9fbnVtYmVyKGNvbXBvbmVudCkKICAgIG51bWJlciA+PSAwCiAgICBudW1iZXIgPD0gMjU1Cn0KCiMgT0NJIHJvb3QuUGF0aAphbGxvd19yb290X3BhdGgocF9vY2ksIGlfb2NpLCBidW5kbGVfaWQpIHsKICAgIHBfcGF0aDEgOj0gcF9vY2kuUm9vdC5QYXRoCiAgICBwcmludCgiYWxsb3dfcm9vdF9wYXRoOiBwX3BhdGgxID0iLCBwX3BhdGgxKQoKICAgIHBfcGF0aDIgOj0gcmVwbGFjZShwX3BhdGgxLCAiJChjcGF0aCkiLCBwb2xpY3lfZGF0YS5jb21tb24uY3BhdGgpCiAgICBwcmludCgiYWxsb3dfcm9vdF9wYXRoOiBwX3BhdGgyID0iLCBwX3BhdGgyKQoKICAgIHBfcGF0aDMgOj0gcmVwbGFjZShwX3BhdGgyLCAiJChidW5kbGUtaWQpIiwgYnVuZGxlX2lkKQogICAgcHJpbnQoImFsbG93X3Jvb3RfcGF0aDogcF9wYXRoMyA9IiwgcF9wYXRoMykKCiAgICBwX3BhdGgzID09IGlfb2NpLlJvb3QuUGF0aAoKICAgIHByaW50KCJhbGxvd19yb290X3BhdGg6IHRydWUiKQp9CgojIGRldmljZSBtb3VudHMKYWxsb3dfbW91bnQocF9vY2ksIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkgewogICAgcHJpbnQoImFsbG93X21vdW50OiBzdGFydCIpCgogICAgc29tZSBwX21vdW50IGluIHBfb2NpLk1vdW50cwogICAgY2hlY2tfbW91bnQocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKQoKICAgICMgVE9ETzogYXJlIHRoZXJlIGFueSBvdGhlciByZXF1aXJlZCBwb2xpY3kgY2hlY2tzIGZvciBtb3VudHMgLSBlLmcuLAogICAgIyAgICAgICBtdWx0aXBsZSBtb3VudHMgd2l0aCBzYW1lIHNvdXJjZSBvciBkZXN0aW5hdGlvbj8KCiAgICBwcmludCgiYWxsb3dfbW91bnQ6IHRydWUiKQp9CgpjaGVja19tb3VudChwX21vdW50LCBpX21vdW50LCBidW5kbGVfaWQsIHNhbmRib3hfaWQpIHsKICAgIHByaW50KCJjaGVja19tb3VudCAxOiBwX21vdW50ID0iLCBwX21vdW50KQogICAgcHJpbnQoImNoZWNrX21vdW50IDE6IGlfbW91bnQgPSIsIGlfbW91bnQpCgogICAgcF9tb3VudCA9PSBpX21vdW50CgogICAgcHJpbnQoImNoZWNrX21vdW50IDE6IHRydWUiKQp9CmNoZWNrX21vdW50KHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkgewogICAgcHJpbnQoImNoZWNrX21vdW50IDI6IGkgZGVzdGluYXRpb24gPSIsIGlfbW91bnQuZGVzdGluYXRpb24sICJwIGRlc3RpbmF0aW9uID0iLCBwX21vdW50LmRlc3RpbmF0aW9uKQogICAgcF9tb3VudC5kZXN0aW5hdGlvbiA9PSBpX21vdW50LmRlc3RpbmF0aW9uCgogICAgcHJpbnQoImNoZWNrX21vdW50IDI6IGkgdHlwZSA9IiwgaV9tb3VudC50eXBlXywgInAgdHlwZSA9IiwgcF9tb3VudC50eXBlXykKICAgIHBfbW91bnQudHlwZV8gPT0gaV9tb3VudC50eXBlXwoKICAgIHByaW50KCJjaGVja19tb3VudCAyOiBpIG9wdGlvbnMgPSIsIGlfbW91bnQub3B0aW9ucykKICAgIHByaW50KCJjaGVja19tb3VudCAyOiBwIG9wdGlvbnMgPSIsIHBfbW91bnQub3B0aW9ucykKICAgIHBfbW91bnQub3B0aW9ucyA9PSBpX21vdW50Lm9wdGlvbnMKCiAgICBtb3VudF9zb3VyY2VfYWxsb3dzKHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkKCiAgICBwcmludCgiY2hlY2tfbW91bnQgMjogdHJ1ZSIpCn0KCm1vdW50X3NvdXJjZV9hbGxvd3MocF9tb3VudCwgaV9tb3VudCwgYnVuZGxlX2lkLCBzYW5kYm94X2lkKSB7CiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAxOiBpX21vdW50LnNvdXJjZSA9IiwgaV9tb3VudC5zb3VyY2UpCgogICAgcmVnZXgxIDo9IHBfbW91bnQuc291cmNlCiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAxOiByZWdleDEgPSIsIHJlZ2V4MSkKCiAgICByZWdleDIgOj0gcmVwbGFjZShyZWdleDEsICIkKHNmcHJlZml4KSIsIHBvbGljeV9kYXRhLmNvbW1vbi5zZnByZWZpeCkKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDE6IHJlZ2V4MiA9IiwgcmVnZXgyKQoKICAgIHJlZ2V4MyA6PSByZXBsYWNlKHJlZ2V4MiwgIiQoY3BhdGgpIiwgcG9saWN5X2RhdGEuY29tbW9uLmNwYXRoKQogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMTogcmVnZXgzID0iLCByZWdleDMpCgogICAgcmVnZXg0IDo9IHJlcGxhY2UocmVnZXgzLCAiJChidW5kbGUtaWQpIiwgYnVuZGxlX2lkKQogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMTogcmVnZXg0ID0iLCByZWdleDQpCgogICAgcmVnZXgubWF0Y2gocmVnZXg0LCBpX21vdW50LnNvdXJjZSkKCiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAxOiB0cnVlIikKfQptb3VudF9zb3VyY2VfYWxsb3dzKHBfbW91bnQsIGlfbW91bnQsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkgewogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMjogaV9tb3VudC5zb3VyY2U9IiwgaV9tb3VudC5zb3VyY2UpCgogICAgcmVnZXgxIDo9IHBfbW91bnQuc291cmNlCiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAyOiByZWdleDEgPSIsIHJlZ2V4MSkKCiAgICByZWdleDIgOj0gcmVwbGFjZShyZWdleDEsICIkKHNmcHJlZml4KSIsIHBvbGljeV9kYXRhLmNvbW1vbi5zZnByZWZpeCkKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDI6IHJlZ2V4MiA9IiwgcmVnZXgyKQoKICAgIHJlZ2V4MyA6PSByZXBsYWNlKHJlZ2V4MiwgIiQoY3BhdGgpIiwgcG9saWN5X2RhdGEuY29tbW9uLmNwYXRoKQogICAgcHJpbnQoIm1vdW50X3NvdXJjZV9hbGxvd3MgMjogcmVnZXgzID0iLCByZWdleDMpCgogICAgcmVnZXg0IDo9IHJlcGxhY2UocmVnZXgzLCAiJChzYW5kYm94LWlkKSIsIHNhbmRib3hfaWQpCiAgICBwcmludCgibW91bnRfc291cmNlX2FsbG93cyAyOiByZWdleDQgPSIsIHJlZ2V4NCkKCiAgICByZWdleC5tYXRjaChyZWdleDQsIGlfbW91bnQuc291cmNlKQoKICAgIHByaW50KCJtb3VudF9zb3VyY2VfYWxsb3dzIDI6IHRydWUiKQp9CgojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCiMgU3RvcmFnZXMKCmFsbG93X3N0b3JhZ2VzKHBfc3RvcmFnZXMsIGlfc3RvcmFnZXMsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCkgewogICAgcF9jb3VudCA6PSBjb3VudChwX3N0b3JhZ2VzKQogICAgaV9jb3VudCA6PSBjb3VudChpX3N0b3JhZ2VzKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2VzOiBwX2NvdW50ID0iLCBwX2NvdW50LCAiaV9jb3VudCA9IiwgaV9jb3VudCkKCiAgICBwX2NvdW50ID09IGlfY291bnQKCiAgICAjIEdldCB0aGUgY29udGFpbmVyIGltYWdlIGxheWVyIElEcyBhbmQgdmVyaXR5IHJvb3QgaGFzaGVzLCBmcm9tIHRoZSAib3ZlcmxheWZzIiBzdG9yYWdlLgogICAgc29tZSBvdmVybGF5X3N0b3JhZ2UgaW4gcF9zdG9yYWdlcwogICAgb3ZlcmxheV9zdG9yYWdlLmRyaXZlciA9PSAib3ZlcmxheWZzIgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2VzOiBvdmVybGF5X3N0b3JhZ2UgPSIsIG92ZXJsYXlfc3RvcmFnZSkKICAgIGNvdW50KG92ZXJsYXlfc3RvcmFnZS5vcHRpb25zKSA9PSAyCgogICAgbGF5ZXJfaWRzIDo9IHNwbGl0KG92ZXJsYXlfc3RvcmFnZS5vcHRpb25zWzBdLCAiOiIpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IGxheWVyX2lkcyA9IiwgbGF5ZXJfaWRzKQoKICAgIHJvb3RfaGFzaGVzIDo9IHNwbGl0KG92ZXJsYXlfc3RvcmFnZS5vcHRpb25zWzFdLCAiOiIpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IHJvb3RfaGFzaGVzID0iLCByb290X2hhc2hlcykKCiAgICBldmVyeSBpX3N0b3JhZ2UgaW4gaV9zdG9yYWdlcyB7CiAgICAgICAgYWxsb3dfc3RvcmFnZShwX3N0b3JhZ2VzLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzLCByb290X2hhc2hlcykKICAgIH0KCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZXM6IHRydWUiKQp9CgphbGxvd19zdG9yYWdlKHBfc3RvcmFnZXMsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMsIHJvb3RfaGFzaGVzKSB7CiAgICBzb21lIHBfc3RvcmFnZSBpbiBwX3N0b3JhZ2VzCgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2U6IHBfc3RvcmFnZSA9IiwgcF9zdG9yYWdlKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2U6IGlfc3RvcmFnZSA9IiwgaV9zdG9yYWdlKQoKICAgIHBfc3RvcmFnZS5kcml2ZXIgICAgICAgICAgID09IGlfc3RvcmFnZS5kcml2ZXIKICAgIHBfc3RvcmFnZS5kcml2ZXJfb3B0aW9ucyAgID09IGlfc3RvcmFnZS5kcml2ZXJfb3B0aW9ucwogICAgcF9zdG9yYWdlLmZzX2dyb3VwICAgICAgICAgPT0gaV9zdG9yYWdlLmZzX2dyb3VwCgogICAgYWxsb3dfc3RvcmFnZV9vcHRpb25zKHBfc3RvcmFnZSwgaV9zdG9yYWdlLCBsYXllcl9pZHMsIHJvb3RfaGFzaGVzKQogICAgYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKQoKICAgICMgVE9ETzogdmFsaWRhdGUgdGhlIHNvdXJjZSBmaWVsZCB0b28uCgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2U6IHRydWUiKQp9CgphbGxvd19zdG9yYWdlX29wdGlvbnMocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpIHsKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMTogc3RhcnQiKQoKICAgIHBfc3RvcmFnZS5kcml2ZXIgIT0gImJsayIKICAgIHBfc3RvcmFnZS5kcml2ZXIgIT0gIm92ZXJsYXlmcyIKICAgIHBfc3RvcmFnZS5vcHRpb25zID09IGlfc3RvcmFnZS5vcHRpb25zCgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAxOiB0cnVlIikKfQphbGxvd19zdG9yYWdlX29wdGlvbnMocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGxheWVyX2lkcywgcm9vdF9oYXNoZXMpIHsKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogc3RhcnQiKQoKICAgIHBfc3RvcmFnZS5kcml2ZXIgPT0gIm92ZXJsYXlmcyIKICAgIGNvdW50KHBfc3RvcmFnZS5vcHRpb25zKSA9PSAyCgogICAgcG9saWN5X2lkcyA6PSBzcGxpdChwX3N0b3JhZ2Uub3B0aW9uc1swXSwgIjoiKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBwb2xpY3lfaWRzID0iLCBwb2xpY3lfaWRzKQogICAgcG9saWN5X2lkcyA9PSBsYXllcl9pZHMKCiAgICBwb2xpY3lfaGFzaGVzIDo9IHNwbGl0KHBfc3RvcmFnZS5vcHRpb25zWzFdLCAiOiIpCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IHBvbGljeV9oYXNoZXMgPSIsIHBvbGljeV9oYXNoZXMpCgogICAgcF9jb3VudCA6PSBjb3VudChwb2xpY3lfaWRzKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBwX2NvdW50ID0iLCBwX2NvdW50KQogICAgcF9jb3VudCA+PSAxCiAgICBwX2NvdW50ID09IGNvdW50KHBvbGljeV9oYXNoZXMpCgogICAgaV9jb3VudCA6PSBjb3VudChpX3N0b3JhZ2Uub3B0aW9ucykKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogaV9jb3VudCA9IiwgaV9jb3VudCkKICAgIGlfY291bnQgPT0gcF9jb3VudCArIDMKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGlfc3RvcmFnZS5vcHRpb25zWzBdID0iLCBpX3N0b3JhZ2Uub3B0aW9uc1swXSkKICAgIGlfc3RvcmFnZS5vcHRpb25zWzBdID09ICJpby5rYXRhY29udGFpbmVycy5mcy1vcHQubGF5ZXItc3JjLXByZWZpeD0vdmFyL2xpYi9jb250YWluZXJkL2lvLmNvbnRhaW5lcmQuc25hcHNob3R0ZXIudjEudGFyZGV2L2xheWVycyIKCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGlfc3RvcmFnZS5vcHRpb25zW2lfY291bnQgLSAyXSA9IiwgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDJdKQogICAgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDJdID09ICJpby5rYXRhY29udGFpbmVycy5mcy1vcHQub3ZlcmxheS1ydyIKCiAgICBsb3dlcmRpciA6PSBjb25jYXQoIj0iLCBbImxvd2VyZGlyIiwgcF9zdG9yYWdlLm9wdGlvbnNbMF1dKQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAyOiBsb3dlcmRpciA9IiwgbG93ZXJkaXIpCgogICAgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDFdID09IGxvd2VyZGlyCiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDI6IGlfc3RvcmFnZS5vcHRpb25zW2lfY291bnQgLSAxXSA9IiwgaV9zdG9yYWdlLm9wdGlvbnNbaV9jb3VudCAtIDFdKQoKICAgIGV2ZXJ5IGksIHBvbGljeV9pZCBpbiBwb2xpY3lfaWRzIHsKICAgICAgICBhbGxvd19vdmVybGF5X2xheWVyKHBvbGljeV9pZCwgcG9saWN5X2hhc2hlc1tpXSwgaV9zdG9yYWdlLm9wdGlvbnNbaSArIDFdKQogICAgfQoKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMjogdHJ1ZSIpCn0KYWxsb3dfc3RvcmFnZV9vcHRpb25zKHBfc3RvcmFnZSwgaV9zdG9yYWdlLCBsYXllcl9pZHMsIHJvb3RfaGFzaGVzKSB7CiAgICBwcmludCgiYWxsb3dfc3RvcmFnZV9vcHRpb25zIDM6IHN0YXJ0IikKCiAgICBwX3N0b3JhZ2UuZHJpdmVyID09ICJibGsiCiAgICBjb3VudChwX3N0b3JhZ2Uub3B0aW9ucykgPT0gMQoKICAgIHN0YXJ0c3dpdGgocF9zdG9yYWdlLm9wdGlvbnNbMF0sICIkKGhhc2giKQogICAgaGFzaF9zdWZmaXggOj0gdHJpbV9sZWZ0KHBfc3RvcmFnZS5vcHRpb25zWzBdLCAiJChoYXNoIikKCiAgICBlbmRzd2l0aChoYXNoX3N1ZmZpeCwgIikiKQogICAgaGFzaF9pbmRleCA6PSB0cmltX3JpZ2h0KGhhc2hfc3VmZml4LCAiKSIpCiAgICBpIDo9IHRvX251bWJlcihoYXNoX2luZGV4KQogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAzOiBpID0iLCBpKQoKICAgIGhhc2hfb3B0aW9uIDo9IGNvbmNhdCgiPSIsIFsiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LnJvb3QtaGFzaCIsIHJvb3RfaGFzaGVzW2ldXSkKICAgIHByaW50KCJhbGxvd19zdG9yYWdlX29wdGlvbnMgMzogaGFzaF9vcHRpb24gPSIsIGhhc2hfb3B0aW9uKQoKICAgIGNvdW50KGlfc3RvcmFnZS5vcHRpb25zKSA9PSA0CiAgICBpX3N0b3JhZ2Uub3B0aW9uc1swXSA9PSAicm8iCiAgICBpX3N0b3JhZ2Uub3B0aW9uc1sxXSA9PSAiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlIgogICAgaV9zdG9yYWdlLm9wdGlvbnNbMl0gPT0gImlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllciIKICAgIGlfc3RvcmFnZS5vcHRpb25zWzNdID09IGhhc2hfb3B0aW9uCgogICAgcHJpbnQoImFsbG93X3N0b3JhZ2Vfb3B0aW9ucyAzOiB0cnVlIikKfQoKYWxsb3dfb3ZlcmxheV9sYXllcihwb2xpY3lfaWQsIHBvbGljeV9oYXNoLCBpX29wdGlvbikgewogICAgcHJpbnQoImFsbG93X292ZXJsYXlfbGF5ZXI6IHBvbGljeV9pZCA9IiwgcG9saWN5X2lkLCAicG9saWN5X2hhc2ggPSIsIHBvbGljeV9oYXNoKQogICAgcHJpbnQoImFsbG93X292ZXJsYXlfbGF5ZXI6IGlfb3B0aW9uID0iLCBpX29wdGlvbikKCiAgICBzdGFydHN3aXRoKGlfb3B0aW9uLCAiaW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmxheWVyPSIpCiAgICBpX3ZhbHVlIDo9IHJlcGxhY2UoaV9vcHRpb24sICJpby5rYXRhY29udGFpbmVycy5mcy1vcHQubGF5ZXI9IiwgIiIpCiAgICBpX3ZhbHVlX2RlY29kZWQgOj0gYmFzZTY0LmRlY29kZShpX3ZhbHVlKQogICAgcHJpbnQoImFsbG93X292ZXJsYXlfbGF5ZXI6IGlfdmFsdWVfZGVjb2RlZCA9IiwgaV92YWx1ZV9kZWNvZGVkKQoKICAgIHBvbGljeV9zdWZmaXggOj0gY29uY2F0KCI9IiwgWyJ0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoIiwgcG9saWN5X2hhc2hdKQogICAgcF92YWx1ZSA6PSBjb25jYXQoIiwiLCBbcG9saWN5X2lkLCBwb2xpY3lfc3VmZml4XSkKICAgIHByaW50KCJhbGxvd19vdmVybGF5X2xheWVyOiBwX3ZhbHVlID0iLCBwX3ZhbHVlKQoKICAgIHBfdmFsdWUgPT0gaV92YWx1ZV9kZWNvZGVkCgogICAgcHJpbnQoImFsbG93X292ZXJsYXlfbGF5ZXI6IHRydWUiKQp9CgphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAxOiBpX3N0b3JhZ2UubW91bnRfcG9pbnQgPSIsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKICAgIHBfc3RvcmFnZS5mc3R5cGUgPT0gInRhciIKCiAgICBzdGFydHN3aXRoKHBfc3RvcmFnZS5tb3VudF9wb2ludCwgIiQobGF5ZXIiKQogICAgbW91bnRfc3VmZml4IDo9IHRyaW1fbGVmdChwX3N0b3JhZ2UubW91bnRfcG9pbnQsICIkKGxheWVyIikKCiAgICBlbmRzd2l0aChtb3VudF9zdWZmaXgsICIpIikKICAgIGxheWVyX2luZGV4IDo9IHRyaW1fcmlnaHQobW91bnRfc3VmZml4LCAiKSIpCiAgICBpIDo9IHRvX251bWJlcihsYXllcl9pbmRleCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAxOiBpID0iLCBpKQoKICAgIGxheWVyX2lkIDo9IGxheWVyX2lkc1tpXQogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDE6IGxheWVyX2lkID0iLCBsYXllcl9pZCkKCiAgICBwX21vdW50IDo9IGNvbmNhdCgiLyIsIFsiL3J1bi9rYXRhLWNvbnRhaW5lcnMvc2FuZGJveC9sYXllcnMiLCBsYXllcl9pZF0pCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgMTogcF9tb3VudCA9IiwgcF9tb3VudCkKCiAgICBwX21vdW50ID09IGlfc3RvcmFnZS5tb3VudF9wb2ludAoKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAxOiB0cnVlIikKfQphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAyOiBpX3N0b3JhZ2UubW91bnRfcG9pbnQgPSIsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKICAgIHBfc3RvcmFnZS5mc3R5cGUgPT0gImZ1c2UzLmthdGEtb3ZlcmxheSIKCiAgICBtb3VudDEgOj0gcmVwbGFjZShwX3N0b3JhZ2UubW91bnRfcG9pbnQsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIG1vdW50MiA6PSByZXBsYWNlKG1vdW50MSwgIiQoYnVuZGxlLWlkKSIsIGJ1bmRsZV9pZCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAyOiBtb3VudDIgPSIsIG1vdW50MikKCiAgICBtb3VudDIgPT0gaV9zdG9yYWdlLm1vdW50X3BvaW50CgogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDI6IHRydWUiKQp9CmFsbG93X21vdW50X3BvaW50KHBfc3RvcmFnZSwgaV9zdG9yYWdlLCBidW5kbGVfaWQsIHNhbmRib3hfaWQsIGxheWVyX2lkcykgewogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDM6IGlfc3RvcmFnZS5tb3VudF9wb2ludCA9IiwgaV9zdG9yYWdlLm1vdW50X3BvaW50KQogICAgcF9zdG9yYWdlLmZzdHlwZSA9PSAibG9jYWwiCgogICAgbW91bnQxIDo9IHBfc3RvcmFnZS5tb3VudF9wb2ludAogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDM6IG1vdW50MSA9IiwgbW91bnQxKQoKICAgIG1vdW50MiA6PSByZXBsYWNlKG1vdW50MSwgIiQoY3BhdGgpIiwgcG9saWN5X2RhdGEuY29tbW9uLmNwYXRoKQogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDM6IG1vdW50MiA9IiwgbW91bnQyKQoKICAgIG1vdW50MyA6PSByZXBsYWNlKG1vdW50MiwgIiQoc2FuZGJveC1pZCkiLCBzYW5kYm94X2lkKQogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDM6IG1vdW50MyA9IiwgbW91bnQzKQoKICAgIHJlZ2V4Lm1hdGNoKG1vdW50MywgaV9zdG9yYWdlLm1vdW50X3BvaW50KQoKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCAzOiB0cnVlIikKfQphbGxvd19tb3VudF9wb2ludChwX3N0b3JhZ2UsIGlfc3RvcmFnZSwgYnVuZGxlX2lkLCBzYW5kYm94X2lkLCBsYXllcl9pZHMpIHsKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA0OiBpX3N0b3JhZ2UubW91bnRfcG9pbnQgPSIsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKICAgIHBfc3RvcmFnZS5mc3R5cGUgPT0gImJpbmQiCgogICAgbW91bnQxIDo9IHBfc3RvcmFnZS5tb3VudF9wb2ludAogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDQ6IG1vdW50MSA9IiwgbW91bnQxKQoKICAgIG1vdW50MiA6PSByZXBsYWNlKG1vdW50MSwgIiQoY3BhdGgpIiwgcG9saWN5X2RhdGEuY29tbW9uLmNwYXRoKQogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDQ6IG1vdW50MiA9IiwgbW91bnQyKQoKICAgIG1vdW50MyA6PSByZXBsYWNlKG1vdW50MiwgIiQoYnVuZGxlLWlkKSIsIGJ1bmRsZV9pZCkKICAgIHByaW50KCJhbGxvd19tb3VudF9wb2ludCA0OiBtb3VudDMgPSIsIG1vdW50MykKCiAgICByZWdleC5tYXRjaChtb3VudDMsIGlfc3RvcmFnZS5tb3VudF9wb2ludCkKCiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgNDogdHJ1ZSIpCn0KYWxsb3dfbW91bnRfcG9pbnQocF9zdG9yYWdlLCBpX3N0b3JhZ2UsIGJ1bmRsZV9pZCwgc2FuZGJveF9pZCwgbGF5ZXJfaWRzKSB7CiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgNTogaV9zdG9yYWdlLm1vdW50X3BvaW50ID0iLCBpX3N0b3JhZ2UubW91bnRfcG9pbnQpCiAgICBwX3N0b3JhZ2UuZnN0eXBlID09ICJ0bXBmcyIKCiAgICBtb3VudDEgOj0gcF9zdG9yYWdlLm1vdW50X3BvaW50CiAgICBwcmludCgiYWxsb3dfbW91bnRfcG9pbnQgNTogbW91bnQxID0iLCBtb3VudDEpCgogICAgcmVnZXgubWF0Y2gobW91bnQxLCBpX3N0b3JhZ2UubW91bnRfcG9pbnQpCgogICAgcHJpbnQoImFsbG93X21vdW50X3BvaW50IDU6IHRydWUiKQp9CgojIHByb2Nlc3MuQ2FwYWJpbGl0aWVzCmFsbG93X2NhcHMocF9jYXBzLCBpX2NhcHMpIHsKICAgIHByaW50KCJhbGxvd19jYXBzOiBwb2xpY3kgQW1iaWVudCA9IiwgcF9jYXBzLkFtYmllbnQpCiAgICBwcmludCgiYWxsb3dfY2FwczogaW5wdXQgQW1iaWVudCA9IiwgaV9jYXBzLkFtYmllbnQpCiAgICBtYXRjaF9jYXBzKHBfY2Fwcy5BbWJpZW50LCBpX2NhcHMuQW1iaWVudCkKCiAgICBwcmludCgiYWxsb3dfY2FwczogcG9saWN5IEJvdW5kaW5nID0iLCBwX2NhcHMuQm91bmRpbmcpCiAgICBwcmludCgiYWxsb3dfY2FwczogaW5wdXQgQm91bmRpbmcgPSIsIGlfY2Fwcy5Cb3VuZGluZykKICAgIG1hdGNoX2NhcHMocF9jYXBzLkJvdW5kaW5nLCBpX2NhcHMuQm91bmRpbmcpCgogICAgcHJpbnQoImFsbG93X2NhcHM6IHBvbGljeSBFZmZlY3RpdmUgPSIsIHBfY2Fwcy5FZmZlY3RpdmUpCiAgICBwcmludCgiYWxsb3dfY2FwczogaW5wdXQgRWZmZWN0aXZlID0iLCBpX2NhcHMuRWZmZWN0aXZlKQogICAgbWF0Y2hfY2FwcyhwX2NhcHMuRWZmZWN0aXZlLCBpX2NhcHMuRWZmZWN0aXZlKQoKICAgIHByaW50KCJhbGxvd19jYXBzOiBwb2xpY3kgSW5oZXJpdGFibGUgPSIsIHBfY2Fwcy5Jbmhlcml0YWJsZSkKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBJbmhlcml0YWJsZSA9IiwgaV9jYXBzLkluaGVyaXRhYmxlKQogICAgbWF0Y2hfY2FwcyhwX2NhcHMuSW5oZXJpdGFibGUsIGlfY2Fwcy5Jbmhlcml0YWJsZSkKCiAgICBwcmludCgiYWxsb3dfY2FwczogcG9saWN5IFBlcm1pdHRlZCA9IiwgcF9jYXBzLlBlcm1pdHRlZCkKICAgIHByaW50KCJhbGxvd19jYXBzOiBpbnB1dCBQZXJtaXR0ZWQgPSIsIGlfY2Fwcy5QZXJtaXR0ZWQpCiAgICBtYXRjaF9jYXBzKHBfY2Fwcy5QZXJtaXR0ZWQsIGlfY2Fwcy5QZXJtaXR0ZWQpCn0KCm1hdGNoX2NhcHMocF9jYXBzLCBpX2NhcHMpIHsKICAgIHByaW50KCJtYXRjaF9jYXBzIDE6IHN0YXJ0IikKCiAgICBwX2NhcHMgPT0gaV9jYXBzCgogICAgcHJpbnQoIm1hdGNoX2NhcHMgMTogdHJ1ZSIpCn0KbWF0Y2hfY2FwcyhwX2NhcHMsIGlfY2FwcykgewogICAgcHJpbnQoIm1hdGNoX2NhcHMgMjogc3RhcnQiKQoKICAgIGNvdW50KHBfY2FwcykgPT0gMQogICAgcF9jYXBzWzBdID09ICIkKGRlZmF1bHRfY2FwcykiCgogICAgcHJpbnQoIm1hdGNoX2NhcHMgMjogZGVmYXVsdF9jYXBzID0iLCBwb2xpY3lfZGF0YS5jb21tb24uZGVmYXVsdF9jYXBzKQogICAgcG9saWN5X2RhdGEuY29tbW9uLmRlZmF1bHRfY2FwcyA9PSBpX2NhcHMKCiAgICBwcmludCgibWF0Y2hfY2FwcyAyOiB0cnVlIikKfQptYXRjaF9jYXBzKHBfY2FwcywgaV9jYXBzKSB7CiAgICBwcmludCgibWF0Y2hfY2FwcyAzOiBzdGFydCIpCgogICAgY291bnQocF9jYXBzKSA9PSAxCiAgICBwX2NhcHNbMF0gPT0gIiQocHJpdmlsZWdlZF9jYXBzKSIKCiAgICBwcmludCgibWF0Y2hfY2FwcyAzOiBwcml2aWxlZ2VkX2NhcHMgPSIsIHBvbGljeV9kYXRhLmNvbW1vbi5wcml2aWxlZ2VkX2NhcHMpCiAgICBwb2xpY3lfZGF0YS5jb21tb24ucHJpdmlsZWdlZF9jYXBzID09IGlfY2FwcwoKICAgIHByaW50KCJtYXRjaF9jYXBzIDM6IHRydWUiKQp9CgojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjCkNvcHlGaWxlUmVxdWVzdCB7CiAgICBwcmludCgiQ29weUZpbGVSZXF1ZXN0OiBpbnB1dC5wYXRoID0iLCBpbnB1dC5wYXRoKQoKICAgIHNvbWUgcmVnZXgxIGluIHBvbGljeV9kYXRhLnJlcXVlc3RfZGVmYXVsdHMuQ29weUZpbGVSZXF1ZXN0CiAgICByZWdleDIgOj0gcmVwbGFjZShyZWdleDEsICIkKGNwYXRoKSIsIHBvbGljeV9kYXRhLmNvbW1vbi5jcGF0aCkKICAgIHJlZ2V4Lm1hdGNoKHJlZ2V4MiwgaW5wdXQucGF0aCkKCiAgICBwcmludCgiQ29weUZpbGVSZXF1ZXN0OiB0cnVlIikKfQoKRXhlY1Byb2Nlc3NSZXF1ZXN0IHsKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMTogaW5wdXQgPSIsIGlucHV0KQoKICAgIGlfY29tbWFuZCA9IGNvbmNhdCgiICIsIGlucHV0LnByb2Nlc3MuQXJncykKICAgIHByaW50KCJFeGVjUHJvY2Vzc1JlcXVlc3QgMzogaV9jb21tYW5kID0iLCBpX2NvbW1hbmQpCgogICAgc29tZSBwX2NvbW1hbmQgaW4gcG9saWN5X2RhdGEucmVxdWVzdF9kZWZhdWx0cy5FeGVjUHJvY2Vzc1JlcXVlc3QuY29tbWFuZHMKICAgIHBfY29tbWFuZCA9PSBpX2NvbW1hbmQKCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDE6IHRydWUiKQp9CkV4ZWNQcm9jZXNzUmVxdWVzdCB7CiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDI6IGlucHV0ID0iLCBpbnB1dCkKCiAgICAjIFRPRE86IG1hdGNoIGlucHV0IGNvbnRhaW5lciBJRCB3aXRoIGl0cyBjb3JyZXNwb25kaW5nIGNvbnRhaW5lci5leGVjX2NvbW1hbmRzLgogICAgaV9jb21tYW5kID0gY29uY2F0KCIgIiwgaW5wdXQucHJvY2Vzcy5BcmdzKQogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAzOiBpX2NvbW1hbmQgPSIsIGlfY29tbWFuZCkKCiAgICBzb21lIGNvbnRhaW5lciBpbiBwb2xpY3lfZGF0YS5jb250YWluZXJzCiAgICBzb21lIHBfY29tbWFuZCBpbiBjb250YWluZXIuZXhlY19jb21tYW5kcwogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAyOiBwX2NvbW1hbmQgPSIsIHBfY29tbWFuZCkKCiAgICAjIFRPRE86IHNob3VsZCBvdGhlciBpbnB1dCBkYXRhIGZpZWxkcyBiZSB2YWxpZGF0ZWQgYXMgd2VsbD8KICAgIHBfY29tbWFuZCA9PSBpX2NvbW1hbmQKCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDI6IHRydWUiKQp9CkV4ZWNQcm9jZXNzUmVxdWVzdCB7CiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IGlucHV0ID0iLCBpbnB1dCkKCiAgICBpX2NvbW1hbmQgPSBjb25jYXQoIiAiLCBpbnB1dC5wcm9jZXNzLkFyZ3MpCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IGlfY29tbWFuZCA9IiwgaV9jb21tYW5kKQoKICAgIHNvbWUgcF9yZWdleCBpbiBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLkV4ZWNQcm9jZXNzUmVxdWVzdC5yZWdleAogICAgcHJpbnQoIkV4ZWNQcm9jZXNzUmVxdWVzdCAzOiBwX3JlZ2V4ID0iLCBwX3JlZ2V4KQoKICAgIHJlZ2V4Lm1hdGNoKHBfcmVnZXgsIGlfY29tbWFuZCkKCiAgICBwcmludCgiRXhlY1Byb2Nlc3NSZXF1ZXN0IDM6IHRydWUiKQp9CgpSZWFkU3RyZWFtUmVxdWVzdCB7CiAgICBwb2xpY3lfZGF0YS5yZXF1ZXN0X2RlZmF1bHRzLlJlYWRTdHJlYW1SZXF1ZXN0ID09IHRydWUKfQoKV3JpdGVTdHJlYW1SZXF1ZXN0IHsKICAgIHBvbGljeV9kYXRhLnJlcXVlc3RfZGVmYXVsdHMuV3JpdGVTdHJlYW1SZXF1ZXN0ID09IHRydWUKfQoKcG9saWN5X2RhdGEgOj0gewogICJjb250YWluZXJzIjogWwogICAgewogICAgICAiT0NJIjogewogICAgICAgICJWZXJzaW9uIjogIjEuMS4wLXJjLjEiLAogICAgICAgICJQcm9jZXNzIjogewogICAgICAgICAgIlRlcm1pbmFsIjogZmFsc2UsCiAgICAgICAgICAiVXNlciI6IHsKICAgICAgICAgICAgIlVJRCI6IDY1NTM1LAogICAgICAgICAgICAiR0lEIjogNjU1MzUsCiAgICAgICAgICAgICJBZGRpdGlvbmFsR2lkcyI6IFtdLAogICAgICAgICAgICAiVXNlcm5hbWUiOiAiIgogICAgICAgICAgfSwKICAgICAgICAgICJBcmdzIjogWwogICAgICAgICAgICAiL3BhdXNlIgogICAgICAgICAgXSwKICAgICAgICAgICJFbnYiOiBbCiAgICAgICAgICAgICJQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIKICAgICAgICAgIF0sCiAgICAgICAgICAiQ3dkIjogIi8iLAogICAgICAgICAgIkNhcGFiaWxpdGllcyI6IHsKICAgICAgICAgICAgIkFtYmllbnQiOiBbXSwKICAgICAgICAgICAgIkJvdW5kaW5nIjogWwogICAgICAgICAgICAgICIkKGRlZmF1bHRfY2FwcykiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJFZmZlY3RpdmUiOiBbCiAgICAgICAgICAgICAgIiQoZGVmYXVsdF9jYXBzKSIKICAgICAgICAgICAgXSwKICAgICAgICAgICAgIkluaGVyaXRhYmxlIjogW10sCiAgICAgICAgICAgICJQZXJtaXR0ZWQiOiBbCiAgICAgICAgICAgICAgIiQoZGVmYXVsdF9jYXBzKSIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgICJOb05ld1ByaXZpbGVnZXMiOiB0cnVlCiAgICAgICAgfSwKICAgICAgICAiUm9vdCI6IHsKICAgICAgICAgICJQYXRoIjogIiQoY3BhdGgpLyQoYnVuZGxlLWlkKSIsCiAgICAgICAgICAiUmVhZG9ubHkiOiB0cnVlCiAgICAgICAgfSwKICAgICAgICAiTW91bnRzIjogWwogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3Byb2MiLAogICAgICAgICAgICAic291cmNlIjogInByb2MiLAogICAgICAgICAgICAidHlwZV8iOiAicHJvYyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYiLAogICAgICAgICAgICAic291cmNlIjogInRtcGZzIiwKICAgICAgICAgICAgInR5cGVfIjogInRtcGZzIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgInN0cmljdGF0aW1lIiwKICAgICAgICAgICAgICAibW9kZT03NTUiLAogICAgICAgICAgICAgICJzaXplPTY1NTM2ayIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvcHRzIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJkZXZwdHMiLAogICAgICAgICAgICAidHlwZV8iOiAiZGV2cHRzIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5ld2luc3RhbmNlIiwKICAgICAgICAgICAgICAicHRteG1vZGU9MDY2NiIsCiAgICAgICAgICAgICAgIm1vZGU9MDYyMCIsCiAgICAgICAgICAgICAgImdpZD01IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi9zaG0iLAogICAgICAgICAgICAic291cmNlIjogIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvc2htIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L21xdWV1ZSIsCiAgICAgICAgICAgICJzb3VyY2UiOiAibXF1ZXVlIiwKICAgICAgICAgICAgInR5cGVfIjogIm1xdWV1ZSIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9zeXMiLAogICAgICAgICAgICAic291cmNlIjogInN5c2ZzIiwKICAgICAgICAgICAgInR5cGVfIjogInN5c2ZzIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IiwKICAgICAgICAgICAgICAicm8iCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZXRjL3Jlc29sdi5jb25mIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KXJlc29sdi5jb25mJCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicm8iLAogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2RldiIsCiAgICAgICAgICAgICAgIm5vZXhlYyIKICAgICAgICAgICAgXQogICAgICAgICAgfQogICAgICAgIF0sCiAgICAgICAgIkFubm90YXRpb25zIjogewogICAgICAgICAgImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuYnVuZGxlX3BhdGgiOiAiL3J1bi9jb250YWluZXJkL2lvLmNvbnRhaW5lcmQucnVudGltZS52Mi50YXNrL2s4cy5pby8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgImlvLmthdGFjb250YWluZXJzLnBrZy5vY2kuY29udGFpbmVyX3R5cGUiOiAicG9kX3NhbmRib3giLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci10eXBlIjogInNhbmRib3giLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtaWQiOiAiXlthLXowLTldezY0fSQiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbG9nLWRpcmVjdG9yeSI6ICJeL3Zhci9sb2cvcG9kcy8kKHNhbmRib3gtbmFtZXNwYWNlKV8kKHNhbmRib3gtbmFtZSlfWzAtOWEtZl17OH0tWzAtOWEtZl17NH0tWzAtOWEtZl17NH0tWzAtOWEtZl17NH0tWzAtOWEtZl17MTJ9JCIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lIjogImNtMiIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuc2FuZGJveC1uYW1lc3BhY2UiOiAiZGVmYXVsdCIsCiAgICAgICAgICAibmVyZGN0bC9uZXR3b3JrLW5hbWVzcGFjZSI6ICJeL3Zhci9ydW4vbmV0bnMvY25pLVswLTlhLWZdezh9LVswLTlhLWZdezR9LVswLTlhLWZdezR9LVswLTlhLWZdezR9LVswLTlhLWZdezEyfSQiCiAgICAgICAgfSwKICAgICAgICAiTGludXgiOiB7CiAgICAgICAgICAiTmFtZXNwYWNlcyI6IFsKICAgICAgICAgICAgewogICAgICAgICAgICAgICJUeXBlIjogImlwYyIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgIlR5cGUiOiAidXRzIiwKICAgICAgICAgICAgICAiUGF0aCI6ICIiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAiVHlwZSI6ICJtb3VudCIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9CiAgICAgICAgICBdLAogICAgICAgICAgIk1hc2tlZFBhdGhzIjogWwogICAgICAgICAgICAiL3Byb2MvYWNwaSIsCiAgICAgICAgICAgICIvcHJvYy9hc291bmQiLAogICAgICAgICAgICAiL3Byb2Mva2NvcmUiLAogICAgICAgICAgICAiL3Byb2Mva2V5cyIsCiAgICAgICAgICAgICIvcHJvYy9sYXRlbmN5X3N0YXRzIiwKICAgICAgICAgICAgIi9wcm9jL3RpbWVyX2xpc3QiLAogICAgICAgICAgICAiL3Byb2MvdGltZXJfc3RhdHMiLAogICAgICAgICAgICAiL3Byb2Mvc2NoZWRfZGVidWciLAogICAgICAgICAgICAiL3N5cy9maXJtd2FyZSIsCiAgICAgICAgICAgICIvcHJvYy9zY3NpIgogICAgICAgICAgXSwKICAgICAgICAgICJSZWFkb25seVBhdGhzIjogWwogICAgICAgICAgICAiL3Byb2MvYnVzIiwKICAgICAgICAgICAgIi9wcm9jL2ZzIiwKICAgICAgICAgICAgIi9wcm9jL2lycSIsCiAgICAgICAgICAgICIvcHJvYy9zeXMiLAogICAgICAgICAgICAiL3Byb2Mvc3lzcnEtdHJpZ2dlciIKICAgICAgICAgIF0KICAgICAgICB9CiAgICAgIH0sCiAgICAgICJzdG9yYWdlcyI6IFsKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogImJsayIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAidGFyIiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiJChoYXNoMCkiCiAgICAgICAgICBdLAogICAgICAgICAgIm1vdW50X3BvaW50IjogIiQobGF5ZXIwKSIsCiAgICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogIm92ZXJsYXlmcyIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAiZnVzZTMua2F0YS1vdmVybGF5IiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiNWE1YWFkODAwNTVmZjIwMDEyYTUwZGMyNWY4ZGY3YTI5OTI0NDc0MzI0ZDY1ZjdkNTMwNmVlOGVlMjdmZjcxZCIsCiAgICAgICAgICAgICI4MTcyNTBmMWEzZTMzNmRhNzZmNWJkM2ZhNzg0ZTFiMjZkOTU5YjljMTMxODc2ODE1YmEyNjA0MDQ4YjcwYzE4IgogICAgICAgICAgXSwKICAgICAgICAgICJtb3VudF9wb2ludCI6ICIkKGNwYXRoKS8kKGJ1bmRsZS1pZCkiLAogICAgICAgICAgImZzX2dyb3VwIjogbnVsbAogICAgICAgIH0KICAgICAgXSwKICAgICAgImV4ZWNfY29tbWFuZHMiOiBbXQogICAgfSwKICAgIHsKICAgICAgIk9DSSI6IHsKICAgICAgICAiVmVyc2lvbiI6ICIxLjEuMC1yYy4xIiwKICAgICAgICAiUHJvY2VzcyI6IHsKICAgICAgICAgICJUZXJtaW5hbCI6IGZhbHNlLAogICAgICAgICAgIlVzZXIiOiB7CiAgICAgICAgICAgICJVSUQiOiAwLAogICAgICAgICAgICAiR0lEIjogMCwKICAgICAgICAgICAgIkFkZGl0aW9uYWxHaWRzIjogW10sCiAgICAgICAgICAgICJVc2VybmFtZSI6ICIiCiAgICAgICAgICB9LAogICAgICAgICAgIkFyZ3MiOiBbCiAgICAgICAgICAgICIvYmluL3NoIiwKICAgICAgICAgICAgIi1jIiwKICAgICAgICAgICAgIndoaWxlIHRydWU7IGRvIGVjaG8gaGVsbG87IHNsZWVwIDEwOyBkb25lIgogICAgICAgICAgXSwKICAgICAgICAgICJFbnYiOiBbCiAgICAgICAgICAgICJQQVRIPS91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIsCiAgICAgICAgICAgICJIT1NUTkFNRT0kKGhvc3QtbmFtZSkiCiAgICAgICAgICBdLAogICAgICAgICAgIkN3ZCI6ICIvIiwKICAgICAgICAgICJDYXBhYmlsaXRpZXMiOiB7CiAgICAgICAgICAgICJBbWJpZW50IjogW10sCiAgICAgICAgICAgICJCb3VuZGluZyI6IFsKICAgICAgICAgICAgICAiJChkZWZhdWx0X2NhcHMpIgogICAgICAgICAgICBdLAogICAgICAgICAgICAiRWZmZWN0aXZlIjogWwogICAgICAgICAgICAgICIkKGRlZmF1bHRfY2FwcykiCiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJJbmhlcml0YWJsZSI6IFtdLAogICAgICAgICAgICAiUGVybWl0dGVkIjogWwogICAgICAgICAgICAgICIkKGRlZmF1bHRfY2FwcykiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICAiTm9OZXdQcml2aWxlZ2VzIjogZmFsc2UKICAgICAgICB9LAogICAgICAgICJSb290IjogewogICAgICAgICAgIlBhdGgiOiAiJChjcGF0aCkvJChidW5kbGUtaWQpIiwKICAgICAgICAgICJSZWFkb25seSI6IGZhbHNlCiAgICAgICAgfSwKICAgICAgICAiTW91bnRzIjogWwogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3Byb2MiLAogICAgICAgICAgICAic291cmNlIjogInByb2MiLAogICAgICAgICAgICAidHlwZV8iOiAicHJvYyIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYiLAogICAgICAgICAgICAic291cmNlIjogInRtcGZzIiwKICAgICAgICAgICAgInR5cGVfIjogInRtcGZzIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgInN0cmljdGF0aW1lIiwKICAgICAgICAgICAgICAibW9kZT03NTUiLAogICAgICAgICAgICAgICJzaXplPTY1NTM2ayIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvcHRzIiwKICAgICAgICAgICAgInNvdXJjZSI6ICJkZXZwdHMiLAogICAgICAgICAgICAidHlwZV8iOiAiZGV2cHRzIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5ld2luc3RhbmNlIiwKICAgICAgICAgICAgICAicHRteG1vZGU9MDY2NiIsCiAgICAgICAgICAgICAgIm1vZGU9MDYyMCIsCiAgICAgICAgICAgICAgImdpZD01IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL2Rldi9zaG0iLAogICAgICAgICAgICAic291cmNlIjogIi9ydW4va2F0YS1jb250YWluZXJzL3NhbmRib3gvc2htIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZGV2L21xdWV1ZSIsCiAgICAgICAgICAgICJzb3VyY2UiOiAibXF1ZXVlIiwKICAgICAgICAgICAgInR5cGVfIjogIm1xdWV1ZSIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9zeXMiLAogICAgICAgICAgICAic291cmNlIjogInN5c2ZzIiwKICAgICAgICAgICAgInR5cGVfIjogInN5c2ZzIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgIm5vc3VpZCIsCiAgICAgICAgICAgICAgIm5vZXhlYyIsCiAgICAgICAgICAgICAgIm5vZGV2IiwKICAgICAgICAgICAgICAicm8iCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvc3lzL2ZzL2Nncm91cCIsCiAgICAgICAgICAgICJzb3VyY2UiOiAiY2dyb3VwIiwKICAgICAgICAgICAgInR5cGVfIjogImNncm91cCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJub3N1aWQiLAogICAgICAgICAgICAgICJub2V4ZWMiLAogICAgICAgICAgICAgICJub2RldiIsCiAgICAgICAgICAgICAgInJlbGF0aW1lIiwKICAgICAgICAgICAgICAicm8iCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZXRjL2hvc3RzIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KWhvc3RzJCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicnByaXZhdGUiLAogICAgICAgICAgICAgICJydyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9kZXYvdGVybWluYXRpb24tbG9nIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KXRlcm1pbmF0aW9uLWxvZyQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicnciCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvZXRjL2hvc3RuYW1lIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KWhvc3RuYW1lJCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicnByaXZhdGUiLAogICAgICAgICAgICAgICJydyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi9ldGMvcmVzb2x2LmNvbmYiLAogICAgICAgICAgICAic291cmNlIjogIiQoc2ZwcmVmaXgpcmVzb2x2LmNvbmYkIiwKICAgICAgICAgICAgInR5cGVfIjogImJpbmQiLAogICAgICAgICAgICAib3B0aW9ucyI6IFsKICAgICAgICAgICAgICAicmJpbmQiLAogICAgICAgICAgICAgICJycHJpdmF0ZSIsCiAgICAgICAgICAgICAgInJ3IgogICAgICAgICAgICBdCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZGVzdGluYXRpb24iOiAiL3Zhci9ydW4vc2VjcmV0cy9rdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50IiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KXNlcnZpY2VhY2NvdW50JCIsCiAgICAgICAgICAgICJ0eXBlXyI6ICJiaW5kIiwKICAgICAgICAgICAgIm9wdGlvbnMiOiBbCiAgICAgICAgICAgICAgInJiaW5kIiwKICAgICAgICAgICAgICAicnByaXZhdGUiLAogICAgICAgICAgICAgICJybyIKICAgICAgICAgICAgXQogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImRlc3RpbmF0aW9uIjogIi92YXIvcnVuL3NlY3JldHMvYXp1cmUvdG9rZW5zIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KXRva2VucyQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicm8iCiAgICAgICAgICAgIF0KICAgICAgICAgIH0sCiAgICAgICAgICB7CiAgICAgICAgICAgICJkZXN0aW5hdGlvbiI6ICIvY20yIiwKICAgICAgICAgICAgInNvdXJjZSI6ICIkKHNmcHJlZml4KWNtMiQiLAogICAgICAgICAgICAidHlwZV8iOiAiYmluZCIsCiAgICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAgICJyYmluZCIsCiAgICAgICAgICAgICAgInJwcml2YXRlIiwKICAgICAgICAgICAgICAicm8iCiAgICAgICAgICAgIF0KICAgICAgICAgIH0KICAgICAgICBdLAogICAgICAgICJBbm5vdGF0aW9ucyI6IHsKICAgICAgICAgICJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmJ1bmRsZV9wYXRoIjogIi9ydW4vY29udGFpbmVyZC9pby5jb250YWluZXJkLnJ1bnRpbWUudjIudGFzay9rOHMuaW8vJChidW5kbGUtaWQpIiwKICAgICAgICAgICJpby5rYXRhY29udGFpbmVycy5wa2cub2NpLmNvbnRhaW5lcl90eXBlIjogInBvZF9jb250YWluZXIiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci1uYW1lIjogImJ1c3lib3giLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLmNvbnRhaW5lci10eXBlIjogImNvbnRhaW5lciIsCiAgICAgICAgICAiaW8ua3ViZXJuZXRlcy5jcmkuaW1hZ2UtbmFtZSI6ICJtY3IubWljcm9zb2Z0LmNvbS9ha3MvZTJlL2xpYnJhcnktYnVzeWJveDptYXN0ZXIuMjIwMzE0LjEtbGludXgtYW1kNjQiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtaWQiOiAiXlthLXowLTldezY0fSQiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZSI6ICJjbTIiLAogICAgICAgICAgImlvLmt1YmVybmV0ZXMuY3JpLnNhbmRib3gtbmFtZXNwYWNlIjogImRlZmF1bHQiCiAgICAgICAgfSwKICAgICAgICAiTGludXgiOiB7CiAgICAgICAgICAiTmFtZXNwYWNlcyI6IFsKICAgICAgICAgICAgewogICAgICAgICAgICAgICJUeXBlIjogImlwYyIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgIlR5cGUiOiAidXRzIiwKICAgICAgICAgICAgICAiUGF0aCI6ICIiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAiVHlwZSI6ICJtb3VudCIsCiAgICAgICAgICAgICAgIlBhdGgiOiAiIgogICAgICAgICAgICB9CiAgICAgICAgICBdLAogICAgICAgICAgIk1hc2tlZFBhdGhzIjogWwogICAgICAgICAgICAiL3Byb2MvYWNwaSIsCiAgICAgICAgICAgICIvcHJvYy9rY29yZSIsCiAgICAgICAgICAgICIvcHJvYy9rZXlzIiwKICAgICAgICAgICAgIi9wcm9jL2xhdGVuY3lfc3RhdHMiLAogICAgICAgICAgICAiL3Byb2MvdGltZXJfbGlzdCIsCiAgICAgICAgICAgICIvcHJvYy90aW1lcl9zdGF0cyIsCiAgICAgICAgICAgICIvcHJvYy9zY2hlZF9kZWJ1ZyIsCiAgICAgICAgICAgICIvcHJvYy9zY3NpIiwKICAgICAgICAgICAgIi9zeXMvZmlybXdhcmUiCiAgICAgICAgICBdLAogICAgICAgICAgIlJlYWRvbmx5UGF0aHMiOiBbCiAgICAgICAgICAgICIvcHJvYy9hc291bmQiLAogICAgICAgICAgICAiL3Byb2MvYnVzIiwKICAgICAgICAgICAgIi9wcm9jL2ZzIiwKICAgICAgICAgICAgIi9wcm9jL2lycSIsCiAgICAgICAgICAgICIvcHJvYy9zeXMiLAogICAgICAgICAgICAiL3Byb2Mvc3lzcnEtdHJpZ2dlciIKICAgICAgICAgIF0KICAgICAgICB9CiAgICAgIH0sCiAgICAgICJzdG9yYWdlcyI6IFsKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogImJsayIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAidGFyIiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiJChoYXNoMCkiCiAgICAgICAgICBdLAogICAgICAgICAgIm1vdW50X3BvaW50IjogIiQobGF5ZXIwKSIsCiAgICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogImJsayIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAidGFyIiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiJChoYXNoMSkiCiAgICAgICAgICBdLAogICAgICAgICAgIm1vdW50X3BvaW50IjogIiQobGF5ZXIxKSIsCiAgICAgICAgICAiZnNfZ3JvdXAiOiBudWxsCiAgICAgICAgfSwKICAgICAgICB7CiAgICAgICAgICAiZHJpdmVyIjogIm92ZXJsYXlmcyIsCiAgICAgICAgICAiZHJpdmVyX29wdGlvbnMiOiBbXSwKICAgICAgICAgICJzb3VyY2UiOiAiIiwKICAgICAgICAgICJmc3R5cGUiOiAiZnVzZTMua2F0YS1vdmVybGF5IiwKICAgICAgICAgICJvcHRpb25zIjogWwogICAgICAgICAgICAiMmMzNDJhMTM3ZTY5M2M3ODk4YWVjMzZkYTEwNDdmMTkxZGM3YzE2ODdlNjYxOThhZGFjYzQzOWNmNGFkZjM3OToyNTcwZTNhMTllMWJmMjBkZGRhNDU0OThhOTYyN2Y2MTU1NWQyZDZjMDE0NzliOWI3NjQ2MGI2NzliMjdkNTUyIiwKICAgICAgICAgICAgIjg1NjhjNzBjMGNjZmUwMDUxMDkyZTgxOGRhNzY5MTExYTU5ODgyY2QxOWRkNzk5ZDNiY2E1ZmZhODI3OTEwODA6YjY0M2I2MjE3NzQ4OTgzODMwYjI2YWMxNGEzNWEzMzIyZGQ1MjhjMDA5NjNlYWFkZDkxZWY1NWY1MTNkYzczZiIKICAgICAgICAgIF0sCiAgICAgICAgICAibW91bnRfcG9pbnQiOiAiJChjcGF0aCkvJChidW5kbGUtaWQpIiwKICAgICAgICAgICJmc19ncm91cCI6IG51bGwKICAgICAgICB9CiAgICAgIF0sCiAgICAgICJleGVjX2NvbW1hbmRzIjogW10KICAgIH0KICBdLAogICJjb21tb24iOiB7CiAgICAiY3BhdGgiOiAiL3J1bi9rYXRhLWNvbnRhaW5lcnMvc2hhcmVkL2NvbnRhaW5lcnMiLAogICAgInNmcHJlZml4IjogIl4kKGNwYXRoKS8kKGJ1bmRsZS1pZCktW2EtejAtOV17MTZ9LSIsCiAgICAiaXB2NF9hIjogIigoMjVbMC01XXwoMlswLTRdfDFcXGR8WzEtOV18KVxcZClcXC4/XFxiKXs0fSIsCiAgICAiaXBfcCI6ICJbMC05XXsxLDV9IiwKICAgICJzdmNfbmFtZSI6ICJbQS1aMC05X1xcLlxcLV0rIiwKICAgICJkbnNfbGFiZWwiOiAiW2EtekEtWjAtOV9cXC5cXC1dKyIsCiAgICAiZGVmYXVsdF9jYXBzIjogWwogICAgICAiQ0FQX0NIT1dOIiwKICAgICAgIkNBUF9EQUNfT1ZFUlJJREUiLAogICAgICAiQ0FQX0ZTRVRJRCIsCiAgICAgICJDQVBfRk9XTkVSIiwKICAgICAgIkNBUF9NS05PRCIsCiAgICAgICJDQVBfTkVUX1JBVyIsCiAgICAgICJDQVBfU0VUR0lEIiwKICAgICAgIkNBUF9TRVRVSUQiLAogICAgICAiQ0FQX1NFVEZDQVAiLAogICAgICAiQ0FQX1NFVFBDQVAiLAogICAgICAiQ0FQX05FVF9CSU5EX1NFUlZJQ0UiLAogICAgICAiQ0FQX1NZU19DSFJPT1QiLAogICAgICAiQ0FQX0tJTEwiLAogICAgICAiQ0FQX0FVRElUX1dSSVRFIgogICAgXSwKICAgICJwcml2aWxlZ2VkX2NhcHMiOiBbCiAgICAgICJDQVBfQ0hPV04iLAogICAgICAiQ0FQX0RBQ19PVkVSUklERSIsCiAgICAgICJDQVBfREFDX1JFQURfU0VBUkNIIiwKICAgICAgIkNBUF9GT1dORVIiLAogICAgICAiQ0FQX0ZTRVRJRCIsCiAgICAgICJDQVBfS0lMTCIsCiAgICAgICJDQVBfU0VUR0lEIiwKICAgICAgIkNBUF9TRVRVSUQiLAogICAgICAiQ0FQX1NFVFBDQVAiLAogICAgICAiQ0FQX0xJTlVYX0lNTVVUQUJMRSIsCiAgICAgICJDQVBfTkVUX0JJTkRfU0VSVklDRSIsCiAgICAgICJDQVBfTkVUX0JST0FEQ0FTVCIsCiAgICAgICJDQVBfTkVUX0FETUlOIiwKICAgICAgIkNBUF9ORVRfUkFXIiwKICAgICAgIkNBUF9JUENfTE9DSyIsCiAgICAgICJDQVBfSVBDX09XTkVSIiwKICAgICAgIkNBUF9TWVNfTU9EVUxFIiwKICAgICAgIkNBUF9TWVNfUkFXSU8iLAogICAgICAiQ0FQX1NZU19DSFJPT1QiLAogICAgICAiQ0FQX1NZU19QVFJBQ0UiLAogICAgICAiQ0FQX1NZU19QQUNDVCIsCiAgICAgICJDQVBfU1lTX0FETUlOIiwKICAgICAgIkNBUF9TWVNfQk9PVCIsCiAgICAgICJDQVBfU1lTX05JQ0UiLAogICAgICAiQ0FQX1NZU19SRVNPVVJDRSIsCiAgICAgICJDQVBfU1lTX1RJTUUiLAogICAgICAiQ0FQX1NZU19UVFlfQ09ORklHIiwKICAgICAgIkNBUF9NS05PRCIsCiAgICAgICJDQVBfTEVBU0UiLAogICAgICAiQ0FQX0FVRElUX1dSSVRFIiwKICAgICAgIkNBUF9BVURJVF9DT05UUk9MIiwKICAgICAgIkNBUF9TRVRGQ0FQIiwKICAgICAgIkNBUF9NQUNfT1ZFUlJJREUiLAogICAgICAiQ0FQX01BQ19BRE1JTiIsCiAgICAgICJDQVBfU1lTTE9HIiwKICAgICAgIkNBUF9XQUtFX0FMQVJNIiwKICAgICAgIkNBUF9CTE9DS19TVVNQRU5EIiwKICAgICAgIkNBUF9BVURJVF9SRUFEIiwKICAgICAgIkNBUF9QRVJGTU9OIiwKICAgICAgIkNBUF9CUEYiLAogICAgICAiQ0FQX0NIRUNLUE9JTlRfUkVTVE9SRSIKICAgIF0KICB9LAogICJyZXF1ZXN0X2RlZmF1bHRzIjogewogICAgIkNyZWF0ZUNvbnRhaW5lclJlcXVlc3QiOiB7CiAgICAgICJhbGxvd19lbnZfcmVnZXgiOiBbCiAgICAgICAgIl5IT1NUTkFNRT0kKGRuc19sYWJlbCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1BPUlRfJChpcF9wKV9UQ1A9dGNwOi8vJChpcHY0X2EpOiQoaXBfcCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1BPUlRfJChpcF9wKV9UQ1BfUFJPVE89dGNwJCIsCiAgICAgICAgIl4kKHN2Y19uYW1lKV9QT1JUXyQoaXBfcClfVENQX1BPUlQ9JChpcF9wKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfUE9SVF8kKGlwX3ApX1RDUF9BRERSPSQoaXB2NF9hKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfU0VSVklDRV9IT1NUPSQoaXB2NF9hKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfU0VSVklDRV9QT1JUPSQoaXBfcCkkIiwKICAgICAgICAiXiQoc3ZjX25hbWUpX1NFUlZJQ0VfUE9SVF8kKGRuc19sYWJlbCk9JChpcF9wKSQiLAogICAgICAgICJeJChzdmNfbmFtZSlfUE9SVD10Y3A6Ly8kKGlwdjRfYSk6JChpcF9wKSQiLAogICAgICAgICJeQVpVUkVfQ0xJRU5UX0lEPVtBLUZhLWYwLTktXSskIiwKICAgICAgICAiXkFaVVJFX1RFTkFOVF9JRD1bQS1GYS1mMC05LV0rJCIsCiAgICAgICAgIl5BWlVSRV9GRURFUkFURURfVE9LRU5fRklMRT0vdmFyL3J1bi9zZWNyZXRzL2F6dXJlL3Rva2Vucy9henVyZS1pZGVudGl0eS10b2tlbiQiLAogICAgICAgICJeQVpVUkVfQVVUSE9SSVRZX0hPU1Q9aHR0cHM6Ly9sb2dpblxcLm1pY3Jvc29mdG9ubGluZVxcLmNvbS8kIgogICAgICBdCiAgICB9LAogICAgIkNvcHlGaWxlUmVxdWVzdCI6IFsKICAgICAgIl4kKGNwYXRoKS8iCiAgICBdLAogICAgIkV4ZWNQcm9jZXNzUmVxdWVzdCI6IHsKICAgICAgImNvbW1hbmRzIjogW10sCiAgICAgICJyZWdleCI6IFtdCiAgICB9LAogICAgIlJlYWRTdHJlYW1SZXF1ZXN0IjogdHJ1ZSwKICAgICJXcml0ZVN0cmVhbVJlcXVlc3QiOiB0cnVlCiAgfQp9 +spec: + restartPolicy: Never + runtimeClassName: kata-cc + containers: + - name: busybox + image: "mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64" + volumeMounts: + - mountPath: /cm2 + name: cm2-volume + command: + - /bin/sh + args: + - "-c" + - while true; do echo hello; sleep 10; done + volumes: + - name: cm2-volume + configMap: + name: config-map2 + items: + - key: file1.json + path: my-keys diff --git a/src/confcom/setup.py b/src/confcom/setup.py index 33e1b57d0a0..221af94a101 100644 --- a/src/confcom/setup.py +++ b/src/confcom/setup.py @@ -9,6 +9,7 @@ from codecs import open from setuptools import setup, find_packages from azext_confcom.rootfs_proxy import SecurityPolicyProxy +from azext_confcom.kata_proxy import KataPolicyGenProxy try: from azure_bdist_wheel import cmdclass @@ -17,7 +18,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook") -VERSION = "0.2.18" +VERSION = "0.3.0" # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers @@ -42,6 +43,7 @@ ] SecurityPolicyProxy.download_binaries() +KataPolicyGenProxy.download_binaries() with open("README.md", "r", encoding="utf-8") as f: README = f.read() @@ -63,8 +65,10 @@ package_data={ "azext_confcom": [ "azext_metadata.json", - "bin/dmverity-vhd.exe", # windows - "bin/dmverity-vhd", # linux + "bin/dmverity-vhd.exe", # windows for ACI + "bin/dmverity-vhd", # linux for ACI + "bin/genpolicy-windows.exe", # windows for AKS + "bin/genpolicy-linux", # linux for AKS "data/*", ] }, From 3137dd285f7a2a8e2e72f789e2f7c4cafd6806ff Mon Sep 17 00:00:00 2001 From: Seth Hollandsworth Date: Thu, 9 Nov 2023 18:01:12 -0500 Subject: [PATCH 2/5] only grab genpolicy from genpolicy tagged releases --- src/confcom/azext_confcom/kata_proxy.py | 55 +++++++++++++------------ 1 file changed, 28 insertions(+), 27 deletions(-) diff --git a/src/confcom/azext_confcom/kata_proxy.py b/src/confcom/azext_confcom/kata_proxy.py index fe9eadf2c0e..ba0103cfd62 100644 --- a/src/confcom/azext_confcom/kata_proxy.py +++ b/src/confcom/azext_confcom/kata_proxy.py @@ -41,33 +41,34 @@ def download_binaries(): bin_flag = False # search for genpolicy in the assets from kata-container releases for release in r.json(): - # these should be newest to oldest - for asset in release["assets"]: - # download the file if it contains genpolicy - if "genpolicy" in asset["name"]: - save_name = "" - if ".exe" in asset["name"]: - save_name = "genpolicy-windows.exe" - else: - save_name = "genpolicy-linux" - bin_flag = True - # get the download url for the genpolicy file - exe_url = asset["browser_download_url"] - # download the file - r = requests.get(exe_url) - # save the file to the bin folder - with open(os.path.join(bin_folder, save_name), "wb") as f: - f.write(r.content) - - # download the rules.rego and genpolicy-settings.json files - if asset["name"] == "rules.rego" or asset["name"] == "genpolicy-settings.json": - # download the rules.rego file - exe_url = asset["browser_download_url"] - # download the file - r = requests.get(exe_url) - # save the file to the data folder - with open(os.path.join(data_folder, asset["name"]), "wb") as f: - f.write(r.content) + if release.get("tag_name").startswith("genpolicy"): + # these should be newest to oldest + for asset in release["assets"]: + # download the file if it contains genpolicy + if "genpolicy" in asset["name"]: + save_name = "" + if ".exe" in asset["name"]: + save_name = "genpolicy-windows.exe" + else: + save_name = "genpolicy-linux" + bin_flag = True + # get the download url for the genpolicy file + exe_url = asset["browser_download_url"] + # download the file + r = requests.get(exe_url) + # save the file to the bin folder + with open(os.path.join(bin_folder, save_name), "wb") as f: + f.write(r.content) + + # download the rules.rego and genpolicy-settings.json files + if asset["name"] == "rules.rego" or asset["name"] == "genpolicy-settings.json": + # download the rules.rego file + exe_url = asset["browser_download_url"] + # download the file + r = requests.get(exe_url) + # save the file to the data folder + with open(os.path.join(data_folder, asset["name"]), "wb") as f: + f.write(r.content) if bin_flag: break From 78d8b4efe10d1e50a86d13d8f69e5eb55f491eb4 Mon Sep 17 00:00:00 2001 From: Seth Hollandsworth Date: Fri, 10 Nov 2023 10:36:46 -0500 Subject: [PATCH 3/5] fixing tests for pipeline --- src/confcom/azext_confcom/_help.py | 4 ++-- src/confcom/azext_confcom/custom.py | 2 +- src/confcom/azext_confcom/kata_proxy.py | 8 +++++--- .../tests/latest/test_confcom_kata.py | 18 +++--------------- 4 files changed, 11 insertions(+), 21 deletions(-) diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py index 905c24355d0..321490248ed 100644 --- a/src/confcom/azext_confcom/_help.py +++ b/src/confcom/azext_confcom/_help.py @@ -99,7 +99,7 @@ short-summary: Create a Confidential Container Security Policy for AKS. parameters: - - name: --yaml-path -y + - name: --yaml -y type: string short-summary: 'Input YAML Kubernetes file' @@ -121,5 +121,5 @@ examples: - name: Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file - text: az confcom katapolicygen --yaml-path "./pod.json" + text: az confcom katapolicygen --yaml "./pod.json" """ diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index 1beb7ef92f4..8a94458a797 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -166,7 +166,7 @@ def katapolicygen_confcom( ): if settings_file_name: - if settings_file_name == "genpolicy-settings.json": + if "genpolicy-settings.json" in settings_file_name: error_out("Cannot use default settings file names") os_util.copy_file(settings_file_name, DATA_FOLDER) diff --git a/src/confcom/azext_confcom/kata_proxy.py b/src/confcom/azext_confcom/kata_proxy.py index ba0103cfd62..fc6eb38d75e 100644 --- a/src/confcom/azext_confcom/kata_proxy.py +++ b/src/confcom/azext_confcom/kata_proxy.py @@ -39,13 +39,14 @@ def download_binaries(): # get the most recent release artifacts from github r = requests.get("https://api.github.com/repos/microsoft/kata-containers/releases") bin_flag = False + needed_assets = ["genpolicy", "genpolicy.exe"] # search for genpolicy in the assets from kata-container releases for release in r.json(): if release.get("tag_name").startswith("genpolicy"): # these should be newest to oldest for asset in release["assets"]: # download the file if it contains genpolicy - if "genpolicy" in asset["name"]: + if asset["name"] in needed_assets: save_name = "" if ".exe" in asset["name"]: save_name = "genpolicy-windows.exe" @@ -132,11 +133,12 @@ def kata_genpolicy( # only take the last part of the path for the settings file settings_file_name = os.path.basename(settings_file_name) arg_list.append(settings_file_name) + print("arg_list: ", arg_list) item = subprocess.run( arg_list, - stdout=sys.stdout, - stderr=sys.stderr, + # stdout=sys.stdout, + # stderr=sys.stderr, check=False, ) diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py b/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py index 51a5a1ccf03..3b0d08f324f 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_kata.py @@ -6,7 +6,6 @@ import os import unittest import pytest -import time from azext_confcom.custom import katapolicygen_confcom import pytest @@ -59,24 +58,13 @@ def test_invalid_config_map_path(self): os.remove(filename) self.assertNotEqual(wrapped_exit.exception.code, 0) - def test_output_settings(self): + def test_invalid_settings(self): filename = "pod2.yaml" with open(filename, "w") as f: f.write(KataPolicyGen.pod_string) with self.assertRaises(SystemExit) as wrapped_exit: katapolicygen_confcom( - filename, None, outraw=True, print_policy=True + filename, None, settings_file_name="genpolicy-settings.json" ) os.remove(filename) - self.assertEqual(wrapped_exit.exception.code, 0) - - def test_normal_run(self): - filename = "pod4.yaml" - with open(filename, "w") as f: - f.write(KataPolicyGen.pod_string) - with self.assertRaises(SystemExit) as wrapped_exit: - katapolicygen_confcom( - filename, None, - ) - os.remove(filename) - self.assertEqual(wrapped_exit.exception.code, 0) + self.assertEqual(wrapped_exit.exception.code, 1) From ffbb80977325c2c6ef08d04e8c74db3256ec0641 Mon Sep 17 00:00:00 2001 From: Seth Hollandsworth Date: Fri, 10 Nov 2023 11:00:15 -0500 Subject: [PATCH 4/5] updating docs with more samples --- src/confcom/azext_confcom/README.md | 2 +- src/confcom/azext_confcom/_help.py | 16 +++++++++++++--- src/confcom/azext_confcom/tests/latest/README.md | 12 +++++++++++- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md index 929fbe1216d..d088b2ddfa3 100644 --- a/src/confcom/azext_confcom/README.md +++ b/src/confcom/azext_confcom/README.md @@ -681,7 +681,7 @@ Example 1: The following command creates a security policy and outputs it to the az confcom katapolicygen -y ./pod.yaml --print-policy ``` -This command combines the information of images from the pod spec with other information such as mount, environment variables and commands from the pod spec to create a CCE policy. +This command combines the information of images from the pod spec with other information such as mount, environment variables and commands from the pod spec to create a security policy. The `--print-policy` argument is included to display the policy on the command line in addition to injecting it into the input pod spec. Example 2: This command injects a security policy into a [pod spec]() based on input from [config map]() so that there is no need to change the pod spec to pass variables into the security policy: diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py index 321490248ed..3a81e6c642b 100644 --- a/src/confcom/azext_confcom/_help.py +++ b/src/confcom/azext_confcom/_help.py @@ -103,9 +103,13 @@ type: string short-summary: 'Input YAML Kubernetes file' - - name: --output-policy-file - type: string - short-summary: 'Output policy file in Rego format' + - name: --outraw + type: boolean + short-summary: 'Output policy in clear text compact JSON instead of default base64 format' + + - name: --print-policy + type: boolean + short-summary: 'Print the base64 encoded generated policy in the terminal' - name: --config-map-file -c type: string @@ -122,4 +126,10 @@ examples: - name: Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file text: az confcom katapolicygen --yaml "./pod.json" + - name: Input a Kubernetes YAML file to print a base64 encoded Confidential Container Security Policy to stdout + text: az confcom katapolicygen --yaml "./pod.json" --print-policy + - name: Input a Kubernetes YAML file and custom settings file to inject a base64 encoded Confidential Container Security Policy into the YAML file + text: az confcom katapolicygen --yaml "./pod.json" -j "./settings.json" + - name: Input a Kubernetes YAML file and external config map file + text: az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json" """ diff --git a/src/confcom/azext_confcom/tests/latest/README.md b/src/confcom/azext_confcom/tests/latest/README.md index a659bf3381d..b8c6b215f73 100644 --- a/src/confcom/azext_confcom/tests/latest/README.md +++ b/src/confcom/azext_confcom/tests/latest/README.md @@ -114,7 +114,7 @@ test_invalid_many_input_types | Makes sure we're only getting input from one sou test_diff_wrong_input_type | Makes sure we're only doing the diff command if we're using a ARM Template as the input type test_parameters_without_template | Makes sure we error out if a parameter file is getting passed in without an ARM Template -## Tar File (test_confcom_tar.py) +## Tar File [test file](test_confcom_tar.py) This is a way to generate a CCE policy without the use of the docker daemon. The tar file that gets passed in is either from the `docker save` command or doing `image.save(named=True)` with the Docker python SDK. It accepts either a path to a tar file or the path to a JSON file with keys being the name of the image and value being the path to that file relative to the JSON file. @@ -124,3 +124,13 @@ test_arm_template_with_parameter_file_clean_room_tar | nginx:1.23 | Create a pol test_arm_template_mixed_mode_tar | python:3.9 & nginx:1.22 | Create a policy with one image from a tar file and one image that must be downloaded or used locally from the daemon test_arm_template_with_parameter_file_clean_room_tar_invalid | N/A | Fail out if searching for an image in a tar file that does not include it test_clean_room_fake_tar_invalid | N/A | Fail out if the path to the tar file doesn't exist + +## Tar File [test file](test_confcom_kata.py) + +This is how to generate security policies for Confidential Containers on AKS + +Test Name | Image Used | Purpose +---|---|--- +test_invalid_input_path | mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64 | Input a path that does not exist for the pod.yaml file +test_invalid_config_map_path | mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64 | Input a path that does not exist for the config-map.yaml file +test_invalid_settings | mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64 | Input an invalid name for a custom settings file From f79a70a8242abdcee23c095a80c928c4a00d484a Mon Sep 17 00:00:00 2001 From: Seth Hollandsworth Date: Fri, 10 Nov 2023 15:29:33 -0500 Subject: [PATCH 5/5] getting rid of unused links in readme --- src/confcom/azext_confcom/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md index d088b2ddfa3..14d6f0a5456 100644 --- a/src/confcom/azext_confcom/README.md +++ b/src/confcom/azext_confcom/README.md @@ -684,7 +684,7 @@ az confcom katapolicygen -y ./pod.yaml --print-policy This command combines the information of images from the pod spec with other information such as mount, environment variables and commands from the pod spec to create a security policy. The `--print-policy` argument is included to display the policy on the command line in addition to injecting it into the input pod spec. -Example 2: This command injects a security policy into a [pod spec]() based on input from [config map]() so that there is no need to change the pod spec to pass variables into the security policy: +Example 2: This command injects a security policy into the pod spec based on input from a config map so that there is no need to change the pod spec to pass variables into the security policy: ```bash az confcom katapolicygen -y .\\pod.yaml -c .\\config-map.yaml