From 4a2fdcbb82cf0ffcfe8eeb685d6b452462753edf Mon Sep 17 00:00:00 2001 From: Stian Kristoffersen Date: Mon, 8 Mar 2021 12:32:05 +0100 Subject: [PATCH] Initial commit --- .gitignore | 33 + CODE_OF_CONDUCT.md | 133 + CONTRIBUTING.md | 18 + LICENSE | 202 ++ NOTICE | 150 ++ README.md | 86 + build.gradle | 106 + gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 58694 bytes gradle/wrapper/gradle-wrapper.properties | 5 + gradlew | 183 ++ gradlew.bat | 103 + .../security/artishock/ArtishockCli.java | 87 + .../artifactory/ArtifactoryClient.java | 263 ++ .../artishock/artifactory/DownloadStats.java | 51 + .../artishock/artifactory/Repository.java | 59 + .../security/artishock/artifactory/Stats.java | 84 + .../artishock/artifactory/StatsInfo.java | 17 + .../artishock/artifactory/StatsInfoImpl.java | 68 + .../security/artishock/cli/view/Commands.java | 239 ++ .../artishock/cli/view/OutputFormat.java | 9 + .../security/artishock/cli/view/Renderer.java | 84 + .../artishock/cli/viewmodel/Artishock.java | 147 ++ .../types/ArtifactoryRepository.java | 68 + .../types/ArtifactoryRepositoryStats.java | 68 + .../viewmodel/types/NpmPackageIdentifier.java | 30 + .../viewmodel/types/NpmPackageOrScope.java | 32 + .../types/PyPiPackageIdentifier.java | 22 + .../security/artishock/config/Config.java | 29 + .../security/artishock/config/ConfigRaw.java | 11 + .../artishock/config/ConfigResolver.java | 71 + .../schibsted/security/artishock/npm/Npm.java | 132 + .../artishock/npm/NpmPackageIdentifier.java | 60 + .../artishock/npm/NpmPackageOrScope.java | 74 + .../artishock/npm/client/NpmClient.java | 115 + .../artishock/npm/client/NpmPackageInfo.java | 91 + .../artishock/npm/client/NpmRelease.java | 53 + .../artishock/npm/client/NpmSearchResult.java | 41 + .../artishock/npm/client/NpmVersion.java | 46 + .../artishock/npm/client/SearchRaw.java | 31 + .../artishock/npm/client/ViewRaw.java | 37 + .../artishock/pypi/PyPiPackageIdentifier.java | 37 + .../security/artishock/pypi/Pypi.java | 104 + .../artishock/pypi/client/PyPiClient.java | 80 + .../artishock/pypi/client/SimpleRaw.java | 11 + .../artishock/shared/CacheCategory.java | 22 + .../artishock/shared/ConnectionInfo.java | 40 + .../security/artishock/shared/FileReader.java | 21 + .../security/artishock/shared/HttpClient.java | 94 + .../artishock/shared/Intersection.java | 29 + .../artishock/shared/PackageSystem.java | 42 + .../artishock/shared/SimpleCache.java | 92 + src/main/logo/NOTICE | 1 + src/main/logo/artishock.svg | 2245 +++++++++++++++++ 53 files changed, 5956 insertions(+) create mode 100644 .gitignore create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 NOTICE create mode 100644 README.md create mode 100644 build.gradle create mode 100644 gradle/wrapper/gradle-wrapper.jar create mode 100644 gradle/wrapper/gradle-wrapper.properties create mode 100755 gradlew create mode 100644 gradlew.bat create mode 100644 src/main/java/com/schibsted/security/artishock/ArtishockCli.java create mode 100644 src/main/java/com/schibsted/security/artishock/artifactory/ArtifactoryClient.java create mode 100644 src/main/java/com/schibsted/security/artishock/artifactory/DownloadStats.java create mode 100644 src/main/java/com/schibsted/security/artishock/artifactory/Repository.java create mode 100644 src/main/java/com/schibsted/security/artishock/artifactory/Stats.java create mode 100644 src/main/java/com/schibsted/security/artishock/artifactory/StatsInfo.java create mode 100644 src/main/java/com/schibsted/security/artishock/artifactory/StatsInfoImpl.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/view/Commands.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/view/OutputFormat.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/view/Renderer.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/viewmodel/Artishock.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepository.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepositoryStats.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageIdentifier.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageOrScope.java create mode 100644 src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/PyPiPackageIdentifier.java create mode 100644 src/main/java/com/schibsted/security/artishock/config/Config.java create mode 100644 src/main/java/com/schibsted/security/artishock/config/ConfigRaw.java create mode 100644 src/main/java/com/schibsted/security/artishock/config/ConfigResolver.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/Npm.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/NpmPackageIdentifier.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/NpmPackageOrScope.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/NpmClient.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/NpmPackageInfo.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/NpmRelease.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/NpmSearchResult.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/NpmVersion.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/SearchRaw.java create mode 100644 src/main/java/com/schibsted/security/artishock/npm/client/ViewRaw.java create mode 100644 src/main/java/com/schibsted/security/artishock/pypi/PyPiPackageIdentifier.java create mode 100644 src/main/java/com/schibsted/security/artishock/pypi/Pypi.java create mode 100644 src/main/java/com/schibsted/security/artishock/pypi/client/PyPiClient.java create mode 100644 src/main/java/com/schibsted/security/artishock/pypi/client/SimpleRaw.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/CacheCategory.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/ConnectionInfo.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/FileReader.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/HttpClient.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/Intersection.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/PackageSystem.java create mode 100644 src/main/java/com/schibsted/security/artishock/shared/SimpleCache.java create mode 100644 src/main/logo/NOTICE create mode 100644 src/main/logo/artishock.svg diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c07aa32 --- /dev/null +++ b/.gitignore @@ -0,0 +1,33 @@ +# Compiled class file +*.class + +# Log file +*.log + +# BlueJ files +*.ctxt + +# Mobile Tools for Java (J2ME) +.mtj.tmp/ + +# Package Files # +*.jar +*.war +*.nar +*.ear +*.zip +*.tar.gz +*.rar + +# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml +hs_err_pid* + +# Gradle +build/ +.gradle/ + +# IntelliJ +.idea + +# Vim +*.swp diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..ca47b3a --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,133 @@ + +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual identity +and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the + overall community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or + advances of any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email + address, without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. + +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +application-security@schibsted.com. +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series +of actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or +permanent ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within +the community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.0, available at +[https://www.contributor-covenant.org/version/2/0/code_of_conduct.html][v2.0]. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available +at [https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.0]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..6c3372c --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,18 @@ +# Contributing to Artishock + +Thanks for taking the time to contribute! :+1::tada: + +## Code of Conduct +The project is governed by the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md). + +## License +Artishock is released under the [Apache 2.0 License](LICENSE). Any code you submit will be released under the same license, as per section 5 in the [Apache 2.0 License](LICENSE): +``` + Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. +``` diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..ea55b6a --- /dev/null +++ b/NOTICE @@ -0,0 +1,150 @@ +################################################################################ +# # +# Artishock # +# # +# Copyright 2021 Schibsted # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# # +# See the License for the specific language governing permissions and # +# limitations under the License. # +# # +################################################################################ + +The platform specific distributions are bundled with parts of the AdoptOpenJDk from +https://github.com/AdoptOpenJDK/openjdk15-binaries. + +Futher project dependencies are included as JARs. + +See the `legal` directory as well as the individual JARs in the `lib` directory for more information. + +OpenJDK + LICENSE: GPL 2.0 with Class-path Exception, + https://github.com/openjdk/ + + The Mozilla Elliptic Curve Crypotography library is used + LICENSE: LGPL 2.1 + +Groovy + LICENSE: Apache 2.0 + NOTICE: https://github.com/apache/groovy/blob/master/NOTICE + +Kotlin + LICENSE: Apache 2.0 + NOTICE: https://github.com/JetBrains/kotlin/tree/master/license + +------- + +Airline + LICENSE: Apache 2.0, + https://github.com/airlift/airline/ + +Apache Commons Lang + LICENSE: Apache 2.0 + NOTICE: https://github.com/apache/commons-lang/blob/master/NOTICE.txt + +Apache Log4j + LICENSE: Apache 2.0 + NOTICE: https://github.com/apache/log4j/blob/trunk/NOTICE + +Apache HttpComponents Core + LICENSE: Apache 2.0, + NOTICE: https://github.com/apache/httpcomponents-core/blob/master/NOTICE.txt + +Apache HttpComponents Client + LICENSE: Apache 2.0, + NOTICE: https://github.com/apache/httpcomponents-client/blob/master/NOTICE.txt + +Apache Commons Codec + LICENSE: Apache 2.0, + NOTICE: https://github.com/apache/commons-codec/blob/master/NOTICE.txt + +Apache Commons Lang + LICENSE: Apache 2.0, + NOTICE: https://github.com/apache/commons-lang/blob/master/NOTICE.txt + +Apache Commons IO + LICENSE: Apache 2.0 + NOTICE: https://github.com/apache/commons-io/blob/master/NOTICE.txt + +FasterXML Jackson Core + LICENSE: Apache 2.0, + https://github.com/FasterXML/jackson-core + +FasterXML Jackson Annotations + LICENSE: Apache 2.0, + https://github.com/FasterXML/jackson-annotations + +FasterXML Jackson Databind + LICENSE: Apache 2.0, + https://github.com/FasterXML/jackson-databind + +FasterXML Jackson Datatype JDK8 + LICENSE: Apache 2.0, + https://github.com/FasterXML/jackson-modules-java8 + +FasterXML Jackson Dataformat XML + LICENSE: Apache 2.0, + https://github.com/FasterXML/jackson-dataformat-xml + +FasterXML Jackson BOM + LICSENS: Apache 2.0, + https://github.com/FasterXML/jackson-bom + +FasterXML Jackson JAXB Annotations + LICENSE: Apache 2.0, + https://github.com/FasterXML/jackson-modules-base + +FasterXML Woodstox + LICENSE: Apache 2.0, + https://github.com/FasterXML/woodstox + +Google Guava + LICENSE: Apache 2.0, + https://github.com/google/guava/ + +Google J2ObjC + LICENSE: Apache 2.0, + https://github.com/google/j2objc + +Google Findbugs JSR-305 + LICENSE: 2-Clause BSD, + https://github.com/findbugsproject/findbugs/blob/master/findbugs/licenses/LICENSE-jsr305.txt + +Google Error Prone + LICENES: Apache 2.0, + https://github.com/google/error-prone + +Jakarta XML Binding + LICENSE: EDL 1.0 + NOTICE: https://github.com/eclipse-ee4j/jaxb-api/blob/master/NOTICE.md + +Jakarta Activation + LICENSE: EDL 1.0 + NOTICE: https://github.com/eclipse-ee4j/jaf/blob/master/NOTICE.md + +javax.inject + LICENSE: Apache 2.0, + https://search.maven.org/artifact/javax.inject/javax.inject/1/jar + +Jfrog Artifactory Client + LICENSE: Apache 2.0, + https://github.com/jfrog/artifactory-client-java + +SLF4J + LICENSE: MIT, + https://github.com/qos-ch/slf4j/blob/master/LICENSE.txt + +Square OkHttp + LICENSE: Apache 2.0, + https://github.com/square/okhttp + +Square Okio + LICENSE: Apache 2.0, + https://github.com/square/okio + +Type Tools Checker Equal + LICENSE: MIT, + https://github.com/typetools/checker-framework/blob/master/checker-qual/LICENSE.txt diff --git a/README.md b/README.md new file mode 100644 index 0000000..4673a6c --- /dev/null +++ b/README.md @@ -0,0 +1,86 @@ +![](src/main/logo/artishock.svg) +# Artishock +A tool to investigate Dependency Confusion in Artifactory. + +## Install +Binaries for Linux, Mac and Windows can be found under [releases](https://github.com/schibsted/artishock/releases) (Windows is not tested). + +Unzip `artishock-{linux,mac,win}.zip`, then run `artishock-{linux,mac,win}/bin/artishock`. + +**For macOs**: `bin/artishock` and `bin/java` are not signed so they must be allowed to run. + +## Configure +Create `~/.artishock/artishock.config` with the following +``` +{ + "artifactoryUrl": "https://example.com/artifactory/", + "artifactoryUsername": "email@example.com", + "artifactoryPassword": "" +} +``` + +You can also set these as environment variables: +``` +export ARTISHOCK_ARTIFACTORY_URL= +export ARTISHOCK_ARTIFACTORY_USERNAME= +export ARTISHOCK_ARTIFACTORY_PASSWORD= +``` + +## Run + +**Please note that some Artishock commands will look up your internal package names upstream.** These require the `--query-upstream` flag. If you do not want to disclose your internal names don't use those commands. + +Some requests will be cached to `~/.artishock/cache/`. Each request is cached for 7 days. The cache directory can be deleted to clear the cache. +``` +artishock +artishock repo-ls --help +artishock repo-ls --json +``` + +## Examples + +### NPM +``` +artishock repo-ls --package-system npm +artishock exclude-candidates --package-system npm --local npm-local +artishock not-claimed --package-system npm --local npm-local --query-upstream +artishock cached --package-system npm --local npm-local --remote npm-remote +artishock inferred-exclude --package-system npm --local npm-local --remote npm-remote --query-upstream +artishock package-stats --package-system npm --repo npm-local --package @example/package +``` + +### PyPi +``` +artishock repo-ls --package-system pypi +artishock exclude-candidates --package-system pypi --local pypi-local +artishock not-claimed --package-system pypi --local pypi-local --query-upstream +artishock cached --package-system pypi --local pypi-local --remote pypi-remote +artishock inferred-exclude --package-system pypi --local pypi-local --remote pypi-remote --query-upstream +``` + +### Maven +This is a slow command that iterates over the whole repo to gather download stats +``` +artishock repo-stats --package-system maven --repo small-remote-cache +``` + +## Debugging +Use `--verbose` for verbose output and `--stacktrace` to get the full stack trace rather than just the message. + +## Developer notes +*Prerequisite: [OpenJDK 15](https://adoptopenjdk.net/?variant=openjdk15&jvmVariant=hotspot)* + +Generate runtime images `build/image/artishock-{linux,mac,win}/` +``` +./gradlew runtime +``` + +On Linux run the program with +``` +build/image/artishock-linux/bin/artishock +``` + +Make release files `/build/artishoc-{linux,mac,win}.zip` +``` +./gradlew runtimeZip +``` diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..0930a4d --- /dev/null +++ b/build.gradle @@ -0,0 +1,106 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +plugins { + id('java') + id('application') + id 'org.beryx.runtime' version '1.12.1' +} + +repositories { + mavenCentral() + jcenter() +} + +mainClassName = 'com.schibsted.security.artishock.ArtishockCli' +def version = '0.0.1' + +dependencies { + implementation('org.apache.logging.log4j:log4j-core:2.13.1') + implementation('org.slf4j:slf4j-simple:1.7.30') + + implementation('com.google.guava:guava:30.0-jre') + implementation('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.12.2') + implementation('com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.12.2') + implementation("com.squareup.okhttp3:okhttp:4.9.0") + implementation("io.airlift:airline:0.8") + + implementation("org.jfrog.artifactory.client:artifactory-java-client-services:2.8.6") + implementation("org.codehaus.groovy:groovy:3.0.6") // Force upgrade in artifactory client +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 +} + +runtime { + options = ['--strip-debug', '--compress', '2', '--no-header-files', '--no-man-pages'] + imageZip = file("$buildDir/artishock.zip") + additive = true + modules = ["jdk.crypto.ec"] + + jpackage { + skipInstaller = true + imageName = "artishock" + } + + targetPlatform("linux") { + jdkHome = jdkDownload("https://github.com/AdoptOpenJDK/openjdk15-binaries/releases/download/jdk-15.0.2%2B7/OpenJDK15U-jdk_x64_linux_hotspot_15.0.2_7.tar.gz") + } + + targetPlatform("win") { + jdkHome = jdkDownload("https://github.com/AdoptOpenJDK/openjdk15-binaries/releases/download/jdk-15.0.2%2B7/OpenJDK15U-jdk_x64_windows_hotspot_15.0.2_7.zip") + } + + targetPlatform("mac") { + jdkHome = jdkDownload("https://github.com/AdoptOpenJDK/openjdk15-binaries/releases/download/jdk-15.0.2%2B7/OpenJDK15U-jdk_x64_mac_hotspot_15.0.2_7.tar.gz") + } +} + +jar { + enabled = true + manifest { + attributes( + 'Bundle-License': 'https://www.apache.org/licenses/LICENSE-2.0.txt', + 'Implementation-Version': version, + 'Implementation-URL': 'https://github.com/schibsted/artishock' + ) + } +} + + +// Copy LICENSE and NOTICE into the JAR +tasks.withType(Jar) { + from(project.projectDir) { + include 'LICENSE', 'NOTICE' + into 'META-INF' + } +} + +// Copy LICENSE and NOTICE into the legal directory in each image +def license = "${project.projectDir}/LICENSE" +def notice = "${project.projectDir}/NOTICE" + +task copyToLinuxImage(type: Copy) { + dependsOn("runtime") + from license, notice + into "${project.buildDir}/image/artishock-linux/legal/" +} + +task copyToMacImage(type: Copy) { + dependsOn("runtime") + from license, notice + into "${project.buildDir}/image/artishock-mac/legal/" +} + +task copyToWinImage(type: Copy) { + dependsOn("runtime") + from license, notice + into "${project.buildDir}/image/artishock-win/legal/" +} + +runtimeZip.dependsOn('copyToLinuxImage') +runtimeZip.dependsOn('copyToMacImage') +runtimeZip.dependsOn('copyToWinImage') diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..490fda8577df6c95960ba7077c43220e5bb2c0d9 GIT binary patch literal 58694 zcma&OV~}Oh(k5J8>Mq;1ZQHhO+v>7y+qO>Gc6Hgdjp>5?}0s%q%y~>Cv3(!c&iqe4q$^V<9O+7CU z|6d2bzlQvOI?4#hN{EUmDbvb`-pfo*NK4Vs&cR60P)<+IG%C_BGVL7RP11}?Ovy}9 zNl^cQJPR>SIVjSkXhS0@IVhqGLL)&%E<(L^ymkEXU!M5)A^-c;K>yy`Ihy@nZ}orr zK>gFl%+bKu+T{P~iuCWUZjJ`__9l-1*OFwCg_8CkKtLEEKtOc=d5NH%owJkk-}N#E z7Pd;x29C}qj>HVKM%D&SPSJ`JwhR2oJPU0u3?)GiA|6TndJ+~^eXL<%D)IcZ)QT?t zE7BJP>Ejq;`w$<dd^@|esR(;1Z@9EVR%7cZG`%Xr%6 zLHXY#GmPV!HIO3@j5yf7D{PN5E6tHni4mC;qIq0Fj_fE~F1XBdnzZIRlk<~?V{-Uc zt9ldgjf)@8NoAK$6OR|2is_g&pSrDGlQS);>YwV7C!=#zDSwF}{_1#LA*~RGwALm) zC^N1ir5_}+4!)@;uj92irB5_Ugihk&Uh|VHd924V{MiY7NySDh z|6TZCb1g`c)w{MWlMFM5NK@xF)M33F$ZElj@}kMu$icMyba8UlNQ86~I$sau*1pzZ z4P)NF@3(jN(thO5jwkx(M5HOe)%P1~F!hXMr%Rp$&OY0X{l_froFdbi(jCNHbHj#! z(G`_tuGxu#h@C9HlIQ8BV4>%8eN=MApyiPE0B3dR`bsa1=MM$lp+38RN4~`m>PkE? zARywuzZ#nV|0wt;22|ITkkrt>ahz7`sKXd2!vpFCC4i9VnpNvmqseE%XnxofI*-Mr6tjm7-3$I-v}hr6B($ALZ=#Q4|_2l#i5JyVQCE{hJAnFhZF>vfSZgnw`Vgn zIi{y#1e7`}xydrUAdXQ%e?_V6K(DK89yBJ;6Sf{Viv*GzER9C3Mns=nTFt6`Eu?yu<*Fb}WpP$iO#-y+^H>OQ< zw%DSM@I=@a)183hx!sz(#&cg-6HVfK(UMgo8l2jynx5RWEo8`?+^3x0sEoj9H8%m1 z87?l+w;0=@Dx_J86rA6vesuDQ^nY(n?SUdaY}V)$Tvr%>m9XV>G>6qxKxkH zN6|PyTD(7+fjtb}cgW1rctvZQR!3wX2S|ils!b%(=jj6lLdx#rjQ6XuJE1JhNqzXO zKqFyP8Y1tN91g;ahYsvdGsfyUQz6$HMat!7N1mHzYtN3AcB>par(Q>mP7^`@7@Ox14gD12*4RISSYw-L>xO#HTRgM)eLaOOFuN}_UZymIhu%J?D|k>Y`@ zYxTvA;=QLhu@;%L6;Ir_$g+v3;LSm8e3sB;>pI5QG z{Vl6P-+69G-P$YH-yr^3cFga;`e4NUYzdQy6vd|9${^b#WDUtxoNe;FCcl5J7k*KC z7JS{rQ1%=7o8to#i-`FD3C?X3!60lDq4CqOJ8%iRrg=&2(}Q95QpU_q ziM346!4()C$dHU@LtBmfKr!gZGrZzO{`dm%w_L1DtKvh8UY zTP3-|50~Xjdu9c%Cm!BN^&9r?*Wgd(L@E!}M!#`C&rh&c2fsGJ_f)XcFg~$#3S&Qe z_%R=Gd`59Qicu`W5YXk>vz5!qmn`G>OCg>ZfGGuI5;yQW9Kg*exE+tdArtUQfZ&kO ze{h37fsXuQA2Z(QW|un!G2Xj&Qwsk6FBRWh;mfDsZ-$-!YefG!(+bY#l3gFuj)OHV830Xl*NKp1-L&NPA3a8jx#yEn3>wea~ z9zp8G6apWn$0s)Pa!TJo(?lHBT1U4L>82jifhXlkv^a+p%a{Og8D?k6izWyhv`6prd7Yq5{AqtzA8n{?H|LeQFqn(+fiIbDG zg_E<1t%>753QV!erV^G4^7p1SE7SzIqBwa{%kLHzP{|6_rlM*ae{*y4WO?{%&eQ`| z>&}ZkQ;<)rw;d(Dw*om?J@3<~UrXsvW2*0YOq_-Lfq45PQGUVu?Ws3&6g$q+q{mx4 z$2s@!*|A+74>QNlK!D%R(u22>Jeu}`5dsv9q~VD!>?V86x;Fg4W<^I;;ZEq5z4W5c z#xMX=!iYaaW~O<(q>kvxdjNk15H#p0CSmMaZB$+%v90@w(}o$T7;(B+Zv%msQvjnW z`k7=uf(h=gkivBw?57m%k^SPxZnYu@^F% zKd`b)S#no`JLULZCFuP^y5ViChc;^3Wz#c|ehD+2MHbUuB3IH5+bJ_FChTdARM6Q2 zdyuu9eX{WwRasK!aRXE+0j zbTS8wg@ue{fvJ*=KtlWbrXl8YP88;GXto?_h2t@dY3F?=gX9Frwb8f1n!^xdOFDL7 zbddq6he>%k+5?s}sy?~Ya!=BnwSDWloNT;~UF4|1>rUY!SSl^*F6NRs_DT-rn=t-p z_Ga0p)`@!^cxW_DhPA=0O;88pCT*G9YL29_4fJ(b{| zuR~VCZZCR97e%B(_F5^5Eifes$8!7DCO_4(x)XZDGO%dY9Pkm~-b1-jF#2H4kfl<3 zsBes0sP@Zyon~Q&#<7%gxK{o+vAsIR>gOm$w+{VY8ul7OsSQ>07{|7jB6zyyeu+WU zME>m2s|$xvdsY^K%~nZ^%Y`D7^PCO(&)eV-Qw|2_PnL=Nd=}#4kY)PS=Y62Dzz1e2 z&*)`$OEBuC&M5f`I}A-pEzy^lyEEcd$n1mEgLj}u_b^d!5pg{v+>_FexoDxYj%X_F z5?4eHVXurS%&n2ISv2&Eik?@3ry}0qCwS9}N)`Zc_Q8}^SOViB_AB&o6Eh#bG;NnL zAhP2ZF_la`=dZv6Hs@78DfMjy*KMSExRZfccK=-DPGkqtCK%U1cUXxbTX-I0m~x$3 z&Oc&aIGWtcf|i~=mPvR^u6^&kCj|>axShGlPG}r{DyFp(Fu;SAYJ}9JfF*x0k zA@C(i5ZM*(STcccXkpV$=TznZKQVtec!A24VWu*oS0L(^tkEm2ZIaE4~~?#y9Z4 zlU!AB6?yc(jiB`3+{FC zl|IdP1Fdt#e5DI{W{d8^$EijTU(8FA@8V&_A*tO?!9rI zhoRk`Q*riCozP>F%4pDPmA>R#Zm>_mAHB~Y5$sE4!+|=qK0dhMi4~`<6sFHb=x8Naml}1*8}K_Es3#oh3-7@0W}BJDREnwWmw<{wY9p)3+Mq2CLcX?uAvItguqhk*Po!RoP`kR)!OQy3Ayi zL@ozJ!I_F2!pTC?OBAaOrJmpGX^O(dSR-yu5Wh)f+o5O262f6JOWuXiJS_Jxgl@lS z6A9c*FSHGP4HuwS)6j3~b}t{+B(dqG&)Y}C;wnb!j#S0)CEpARwcF4Q-5J1NVizx7 z(bMG>ipLI1lCq?UH~V#i3HV9|bw%XdZ3Q#c3)GB+{2$zoMAev~Y~(|6Ae z^QU~3v#*S>oV*SKvA0QBA#xmq9=IVdwSO=m=4Krrlw>6t;Szk}sJ+#7=ZtX(gMbrz zNgv}8GoZ&$=ZYiI2d?HnNNGmr)3I);U4ha+6uY%DpeufsPbrea>v!D50Q)k2vM=aF-zUsW*aGLS`^2&YbchmKO=~eX@k9B!r;d{G% zrJU~03(->>utR^5;q!i>dAt)DdR!;<9f{o@y2f}(z(e)jj^*pcd%MN{5{J=K<@T!z zseP#j^E2G31piu$O@3kGQ{9>Qd;$6rr1>t!{2CuT_XWWDRfp7KykI?kXz^{u_T2AZ z-@;kGj8Iy>lOcUyjQqK!1OHkY?0Kz+_`V8$Q-V|8$9jR|%Ng;@c%kF_!rE3w>@FtX zX1w7WkFl%Vg<mE0aAHX==DLjyxlfA}H|LVh;}qcWPd8pSE!_IUJLeGAW#ZJ?W}V7P zpVeo|`)a<#+gd}dH%l)YUA-n_Vq3*FjG1}6mE;@A5ailjH*lJaEJl*51J0)Xecn6X zz zDr~lx5`!ZJ`=>>Xb$}p-!3w;ZHtu zX@xB4PbX!J(Jl((<8K%)inh!-3o2S2sbI4%wu9-4ksI2%e=uS?Wf^Tp%(Xc&wD6lV z*DV()$lAR&##AVg__A=Zlu(o$3KE|N7ZN{X8oJhG+FYyF!(%&R@5lpCP%A|{Q1cdr>x0<+;T`^onat<6tlGfEwRR?ZgMTD-H zjWY?{Fd8=Fa6&d@0+pW9nBt-!muY@I9R>eD5nEDcU~uHUT04gH-zYB>Re+h4EX|IH zp`Ls>YJkwWD3+}DE4rC3kT-xE89^K@HsCt6-d;w*o8xIHua~||4orJ<7@4w_#C6>W z2X$&H38OoW8Y-*i=@j*yn49#_C3?@G2CLiJUDzl(6P&v`lW|=gQ&)DVrrx8Bi8I|$ z7(7`p=^Lvkz`=Cwd<0%_jn&6k_a(+@)G^D04}UylQax*l(bhJ~;SkAR2q*4>ND5nc zq*k9(R}Ijc1J8ab>%Tv{kb-4TouWfA?-r(ns#ghDW^izG3{ts{C7vHc5Mv?G;)|uX zk&Fo*xoN`OG9ZXc>9(`lpHWj~9!hI;2aa_n!Ms1i;BFHx6DS23u^D^e(Esh~H@&f}y z(=+*7I@cUGi`U{tbSUcSLK`S)VzusqEY)E$ZOokTEf2RGchpmTva?Fj! z<7{9Gt=LM|*h&PWv6Q$Td!|H`q-aMIgR&X*;kUHfv^D|AE4OcSZUQ|1imQ!A$W)pJtk z56G;0w?&iaNV@U9;X5?ZW>qP-{h@HJMt;+=PbU7_w`{R_fX>X%vnR&Zy1Q-A=7**t zTve2IO>eEKt(CHjSI7HQ(>L5B5{~lPm91fnR^dEyxsVI-wF@82$~FD@aMT%$`usqNI=ZzH0)u>@_9{U!3CDDC#xA$pYqK4r~9cc_T@$nF1yODjb{=(x^({EuO?djG1Hjb{u zm*mDO(e-o|v2tgXdy87*&xVpO-z_q)f0~-cf!)nb@t_uCict?p-L%v$_mzG`FafIV zPTvXK4l3T8wAde%otZhyiEVVU^5vF zQSR{4him-GCc-(U;tIi;qz1|Az0<4+yh6xFtqB-2%0@ z&=d_5y>5s^NQKAWu@U#IY_*&G73!iPmFkWxxEU7f9<9wnOVvSuOeQ3&&HR<>$!b%J z#8i?CuHx%la$}8}7F5-*m)iU{a7!}-m@#O}ntat&#d4eSrT1%7>Z?A-i^Y!Wi|(we z$PBfV#FtNZG8N-Ot#Y>IW@GtOfzNuAxd1%=it zDRV-dU|LP#v70b5w~fm_gPT6THi zNnEw&|Yc9u5lzTVMAL} zgj|!L&v}W(2*U^u^+-e?Tw#UiCZc2omzhOf{tJX*;i2=i=9!kS&zQN_hKQ|u7_3vo6MU0{U+h~` zckXGO+XK9{1w3Z$U%%Fw`lr7kK8PzU=8%0O8ZkW`aQLFlR4OCb^aQgGCBqu6AymXk zX!p(JDJtR`xB$j48h}&I2FJ*^LFJzJQJ0T>=z{*> zWesZ#%W?fm`?f^B^%o~Jzm|Km5$LP#d7j9a{NCv!j14axHvO<2CpidW=|o4^a|l+- zSQunLj;${`o%xrlcaXzOKp>nU)`m{LuUW!CXzbyvn;MeK#-D{Z4)+>xSC)km=&K%R zsXs3uRkta6-rggb8TyRPnquv1>wDd)C^9iN(5&CEaV9yAt zM+V+%KXhGDc1+N$UNlgofj8+aM*(F7U3=?grj%;Pd+p)U9}P3ZN`}g3`{N`bm;B(n z12q1D7}$``YQC7EOed!n5Dyj4yl~s0lptb+#IEj|!RMbC!khpBx!H-Kul(_&-Z^OS zQTSJA@LK!h^~LG@`D}sMr2VU#6K5Q?wqb7-`ct2(IirhhvXj?(?WhcNjJiPSrwL0} z8LY~0+&7<~&)J!`T>YQgy-rcn_nf+LjKGy+w+`C*L97KMD%0FWRl`y*piJz2=w=pj zxAHHdkk9d1!t#bh8Joi1hTQr#iOmt8v`N--j%JaO`oqV^tdSlzr#3 zw70~p)P8lk<4pH{_x$^i#=~E_ApdX6JpR`h{@<Y;PC#{0uBTe z1Puhl^q=DuaW}Gdak6kV5w);35im0PJ0F)Zur)CI*LXZxZQTh=4dWX}V}7mD#oMAn zbxKB7lai}G8C){LS`hn>?4eZFaEw-JoHI@K3RbP_kR{5eyuwBL_dpWR>#bo!n~DvoXvX`ZK5r|$dBp6%z$H@WZ6Pdp&(zFKGQ z2s6#ReU0WxOLti@WW7auSuyOHvVqjaD?kX;l)J8tj7XM}lmLxLvp5V|CPQrt6ep+t z>7uK|fFYALj>J%ou!I+LR-l9`z3-3+92j2G`ZQPf18rst;qXuDk-J!kLB?0_=O}*XQ5wZMn+?ZaL5MKlZie- z0aZ$*5~FFU*qGs|-}v-t5c_o-ReR@faw^*mjbMK$lzHSheO*VJY)tBVymS^5ol=ea z)W#2z8xCoh1{FGtJA+01Hwg-bx`M$L9Ex-xpy?w-lF8e*xJXS4(I^=k1zFy|V)=ll z#&yez3hRC5?@rPywJo2eOHWezUxZphm#wo`oyA-sP@|^+LV0^nzq|UJEZZM9wqa z5Y}M0Lu@0Qd%+Q=3kCSb6q4J60t_s(V|qRw^LC>UL7I`=EZ zvIO;P2n27=QJ1u;C+X)Si-P#WB#phpY3XOzK(3nEUF7ie$>sBEM3=hq+x<=giJjgS zo;Cr5uINL%4k@)X%+3xvx$Y09(?<6*BFId+399%SC)d# zk;Qp$I}Yiytxm^3rOxjmRZ@ws;VRY?6Bo&oWewe2i9Kqr1zE9AM@6+=Y|L_N^HrlT zAtfnP-P8>AF{f>iYuKV%qL81zOkq3nc!_?K7R3p$fqJ?};QPz6@V8wnGX>3%U%$m2 zdZv|X+%cD<`OLtC<>=ty&o{n-xfXae2~M-euITZY#X@O}bkw#~FMKb5vG?`!j4R_X%$ZSdwW zUA0Gy&Q_mL5zkhAadfCo(yAw1T@}MNo>`3Dwou#CMu#xQKY6Z+9H+P|!nLI;4r9@k zn~I*^*4aA(4y^5tLD+8eX;UJW;>L%RZZUBo(bc{)BDM!>l%t?jm~}eCH?OOF%ak8# z*t$YllfyBeT(9=OcEH(SHw88EOH0L1Ad%-Q`N?nqM)<`&nNrp>iEY_T%M6&U>EAv3 zMsvg1E#a__!V1E|ZuY!oIS2BOo=CCwK1oaCp#1ED_}FGP(~Xp*P5Gu(Pry_U zm{t$qF^G^0JBYrbFzPZkQ;#A63o%iwe;VR?*J^GgWxhdj|tj`^@i@R+vqQWt~^ z-dLl-Ip4D{U<;YiFjr5OUU8X^=i35CYi#j7R! zI*9do!LQrEr^g;nF`us=oR2n9ei?Gf5HRr&(G380EO+L6zJD)+aTh_<9)I^{LjLZ} z{5Jw5vHzucQ*knJ6t}Z6k+!q5a{DB-(bcN*)y?Sfete7Y}R9Lo2M|#nIDsYc({XfB!7_Db0Z99yE8PO6EzLcJGBlHe(7Q{uv zlBy7LR||NEx|QyM9N>>7{Btifb9TAq5pHQpw?LRe+n2FV<(8`=R}8{6YnASBj8x}i zYx*enFXBG6t+tmqHv!u~OC2nNWGK0K3{9zRJ(umqvwQ~VvD;nj;ihior5N$Hf@y0G z$7zrb=CbhyXSy`!vcXK-T}kisTgI$8vjbuCSe7Ev*jOqI&Pt@bOEf>WoQ!A?`UlO5 zSLDKE(-mN4a{PUu$QdGbfiC)pA}phS|A1DE(f<{Dp4kIB_1mKQ5!0fdA-K0h#_ z{qMsj@t^!n0Lq%)h3rJizin0wT_+9K>&u0%?LWm<{e4V8W$zZ1w&-v}y zY<6F2$6Xk>9v{0@K&s(jkU9B=OgZI(LyZSF)*KtvI~a5BKr_FXctaVNLD0NIIokM}S}-mCB^^Sgqo%e{4!Hp)$^S%q@ zU%d&|hkGHUKO2R6V??lfWCWOdWk74WI`xmM5fDh+hy6>+e)rG_w>_P^^G!$hSnRFy z5fMJx^0LAAgO5*2-rsN)qx$MYzi<_A=|xez#rsT9&K*RCblT2FLJvb?Uv3q^@Dg+J zQX_NaZza4dAajS!khuvt_^1dZzOZ@eLg~t02)m2+CSD=}YAaS^Y9S`iR@UcHE%+L0 zOMR~6r?0Xv#X8)cU0tpbe+kQ;ls=ZUIe2NsxqZFJQj87#g@YO%a1*^ zJZ+`ah#*3dVYZdeNNnm8=XOOc<_l-b*uh zJR8{yQJ#-FyZ!7yNxY|?GlLse1ePK!VVPytKmBwlJdG-bgTYW$3T5KinRY#^Cyu@& zd7+|b@-AC67VEHufv=r5(%_#WwEIKjZ<$JD%4!oi1XH65r$LH#nHHab{9}kwrjtf= zD}rEC65~TXt=5bg*UFLw34&*pE_(Cw2EL5Zl2i^!+*Vx+kbkT_&WhOSRB#8RInsh4 z#1MLczJE+GAHR^>8hf#zC{pJfZ>6^uGn6@eIxmZ6g_nHEjMUUfXbTH1ZgT7?La;~e zs3(&$@4FmUVw3n033!1+c9dvs&5g#a;ehO(-Z}aF{HqygqtHf=>raoWK9h7z)|DUJ zlE0#|EkzOcrAqUZF+Wd@4$y>^0eh!m{y@qv6=C zD(){00vE=5FU@Fs_KEpaAU1#$zpPJGyi0!aXI8jWaDeTW=B?*No-vfv=>`L`LDp$C zr4*vgJ5D2Scl{+M;M(#9w_7ep3HY#do?!r0{nHPd3x=;3j^*PQpXv<~Ozd9iWWlY_ zVtFYzhA<4@zzoWV-~in%6$}Hn$N;>o1-pMK+w$LaN1wA95mMI&Q6ayQO9 zTq&j)LJm4xXjRCse?rMnbm%7E#%zk!EQiZwt6gMD=U6A0&qXp%yMa(+C~^(OtJ8dH z%G1mS)K9xV9dlK>%`(o6dKK>DV07o46tBJfVxkIz#%VIv{;|)?#_}Qq(&| zd&;iIJt$|`te=bIHMpF1DJMzXKZp#7Fw5Q0MQe@;_@g$+ELRfh-UWeYy%L*A@SO^J zLlE}MRZt(zOi6yo!);4@-`i~q5OUAsac^;RpULJD(^bTLt9H{0a6nh0<)D6NS7jfB ze{x#X2FLD2deI8!#U@5$i}Wf}MzK&6lSkFy1m2c~J?s=!m}7%3UPXH_+2MnKNY)cI z(bLGQD4ju@^<+%T5O`#77fmRYxbs(7bTrFr=T@hEUIz1t#*ntFLGOz)B`J&3WQa&N zPEYQ;fDRC-nY4KN`8gp*uO@rMqDG6=_hHIX#u{TNpjYRJ9ALCl!f%ew7HeprH_I2L z6;f}G90}1x9QfwY*hxe&*o-^J#qQ6Ry%2rn=9G3*B@86`$Pk1`4Rb~}`P-8^V-x+s zB}Ne8)A3Ex29IIF2G8dGEkK^+^0PK36l3ImaSv1$@e=qklBmy~7>5IxwCD9{RFp%q ziejFT(-C>MdzgQK9#gC?iFYy~bjDcFA^%dwfTyVCk zuralB)EkA)*^8ZQd8T!ofh-tRQ#&mWFo|Y3taDm8(0=KK>xke#KPn8yLCXwq zc*)>?gGKvSK(}m0p4uL8oQ~!xRqzDRo(?wvwk^#Khr&lf9YEPLGwiZjwbu*p+mkWPmhoh0Fb(mhJEKXl+d68b6%U{E994D z3$NC=-avSg7s{si#CmtfGxsijK_oO7^V`s{?x=BsJkUR4=?e@9# z-u?V8GyQp-ANr%JpYO;3gxWS?0}zLmnTgC66NOqtf*p_09~M-|Xk6ss7$w#kdP8`n zH%UdedsMuEeS8Fq0RfN}Wz(IW%D%Tp)9owlGyx#i8YZYsxWimQ>^4ikb-?S+G;HDT zN4q1{0@|^k_h_VFRCBtku@wMa*bIQc%sKe0{X@5LceE`Uqqu7E9i9z-r}N2ypvdX1{P$*-pa$A8*~d0e5AYkh_aF|LHt7qOX>#d3QOp-iEO7Kq;+}w zb)Le}C#pfmSYYGnq$Qi4!R&T{OREvbk_;7 zHP<*B$~Qij1!9Me!@^GJE-icH=set0fF-#u5Z{JmNLny=S*9dbnU@H?OCXAr7nHQH zw?$mVH^W-Y89?MZo5&q{C2*lq}sj&-3@*&EZaAtpxiLU==S@m_PJ6boIC9+8fKz@hUDw==nNm9? z`#!-+AtyCOSDPZA)zYeB|EQ)nBq6!QI66xq*PBI~_;`fHEOor}>5jj^BQ;|-qS5}1 zRezNBpWm1bXrPw3VC_VHd z$B06#uyUhx)%6RkK2r8*_LZ3>-t5tG8Q?LU0Yy+>76dD(m|zCJ>)}9AB>y{*ftDP3 z(u8DDZd(m;TcxW-w$(vq7bL&s#U_bsIm67w{1n|y{k9Ei8Q9*8E^W0Jr@M?kBFJE< zR7Pu}#3rND;*ulO8X%sX>8ei7$^z&ZH45(C#SbEXrr3T~e`uhVobV2-@p5g9Of%!f z6?{|Pt*jW^oV0IV7V76Pd>Pcw5%?;s&<7xelwDKHz(KgGL7GL?IZO%upB+GMgBd3ReR9BS zL_FPE2>LuGcN#%&=eWWe;P=ylS9oIWY)Xu2dhNe6piyHMI#X4BFtk}C9v?B3V+zty zLFqiPB1!E%%mzSFV+n<(Rc*VbvZr)iJHu(HabSA_YxGNzh zN~O(jLq9bX41v{5C8%l%1BRh%NDH7Vx~8nuy;uCeXKo2Do{MzWQyblZsWdk>k0F~t z`~8{PWc86VJ)FDpj!nu))QgHjl7a%ArDrm#3heEHn|;W>xYCocNAqX{J(tD!)~rWu zlRPZ3i5sW;k^^%0SkgV4lypb zqKU2~tqa+!Z<)!?;*50pT&!3xJ7=7^xOO0_FGFw8ZSWlE!BYS2|hqhQT8#x zm2a$OL>CiGV&3;5-sXp>3+g+|p2NdJO>bCRs-qR(EiT&g4v@yhz(N5cU9UibBQ8wM z0gwd4VHEs(Mm@RP(Zi4$LNsH1IhR}R7c9Wd$?_+)r5@aj+!=1-`fU(vr5 z1c+GqAUKulljmu#ig5^SF#{ag10PEzO>6fMjOFM_Le>aUbw>xES_Ow|#~N%FoD{5!xir^;`L1kSb+I^f z?rJ0FZugo~sm)@2rP_8p$_*&{GcA4YyWT=!uriu+ZJ%~_OD4N%!DEtk9SCh+A!w=< z3af%$60rM%vdi%^X2mSb)ae>sk&DI_&+guIC88_Gq|I1_7q#}`9b8X zGj%idjshYiq&AuXp%CXk>zQ3d2Ce9%-?0jr%6-sX3J{*Rgrnj=nJ2`#m`TaW-13kl zS2>w8ehkYEx@ml2JPivxp zIa2l^?)!?Y*=-+jk_t;IMABQ5Uynh&LM^(QB{&VrD7^=pXNowzD9wtMkH_;`H|d0V z*rohM)wDg^EH_&~=1j1*?@~WvMG3lH=m#Btz?6d9$E*V5t~weSf4L%|H?z-^g>Fg` zI_Q+vgHOuz31?mB{v#4(aIP}^+RYU}^%XN}vX_KN=fc{lHc5;0^F2$2A+%}D=gk-) zi1qBh!1%xw*uL=ZzYWm-#W4PV(?-=hNF%1cXpWQ_m=ck1vUdTUs5d@2Jm zV8cXsVsu~*f6=_7@=1 zaV0n2`FeQ{62GMaozYS)v~i10wGoOs+Z8=g$F-6HH1qBbasAkkcZj-}MVz{%xf8`2 z1XJU;&QUY4Hf-I(AG8bX zhu~KqL}TXS6{)DhW=GFkCzMFMSf`Y00e{Gzu2wiS4zB|PczU^tjLhOJUv=i2KuFZHf-&`wi>CU0h_HUxCdaZ`s9J8|7F}9fZXg`UUL}ws7G=*n zImEd-k@tEXU?iKG#2I13*%OX#dXKTUuv1X3{*WEJS41ci+uy=>30LWCv*YfX_A2(M z9lnNAjLIzX=z;g;-=ARa<`z$x)$PYig1|#G;lnOs8-&rB2lT0#e;`EH8qZ_xNvwy7 zo_9>P@SHK(YPu*8r86f==eshYjM3yAPOHDn- zmuW04o02AGMz!S|S32(h560d(IP$;S7LIM(PC7Owwr$&XCbsQNY))+3HYS+ZcHTVq zJm;QsfA`#~_m8fwuI~DFb$@pE-h1t}*HZB7hc-CUM~x6aZ<4v9_Jr-))=El>(rphK z(@wMC$e>^o+cQ(9S+>&JfP;&KM6nff2{RNu;MqE9>L9t^lvzo^*B5>@$TG!gZlh0Z z%us8ys$1~v&&N-gPBvXl5b<#>-@lhAkg_4Ev6#R&r{ObIn=Qki&`wxR_OWj%kU_RW&w#Mxv%x zW|-sJ^jss+;xmxi8?gphNW{^HZ!xF?poe%mgZ>nwlqgvH@TrZ zad5)yJx3T|&$Afl$pkh=7bZAwBdv+tQEP=d3vE#o<&r6h+sTU$64ZZQ0e^Fu9FrnL zN-?**4ta&!+{cP=jt`w)5|dD&CP@-&*BsN#mlbUn!V*(E_gskcQ*%F#Nw#aTkp%x| z8^&g)1d!%Y+`L!Se2s_XzKfonT_BWbn}LQo#YUAx%f7L__h4Xi680GIk)s z8GHm59EYn(@4c&eAO)}0US@((t#0+rNZ680SS<=I^|Y=Yv)b<@n%L20qu7N%V1-k1 z*oxpOj$ZAc>L6T)SZX?Pyr#}Q?B`7ZlBrE1fHHx_Au{q9@ zLxwPOf>*Gtfv6-GYOcT^ZJ7RGEJTVXN=5(;{;{xAV3n`q1Z-USkK626;atcu%dTHU zBewQwrpcZkKoR(iF;fVev&D;m9q)URqvKP*eF9J=A?~0=jn3=_&80vhfBp?6@KUpgyS`kBk(S0@X5Xf%a~?#4Ct5nMB9q~)LP<`G#T-eA z+)6cl1H-2uMP=u<=saDj*;pOggb2(NJO^pW8O<6u^?*eiqn7h)w9{D`TrE1~k?Xuo z(r%NIhw3kcTHS%9nbff>-jK1k^~zr8kypQJ6W+?dkY7YS`Nm z5i;Q23ZpJw(F7|e?)Tm~1bL9IUKx6GC*JpUa_Y00Xs5nyxGmS~b{ zR!(TzwMuC%bB8&O->J82?@C|9V)#i3Aziv7?3Z5}d|0eTTLj*W3?I32?02>Eg=#{> zpAO;KQmA}fx?}j`@@DX-pp6{-YkYY81dkYQ(_B88^-J#rKVh8Wys-;z)LlPu{B)0m zeZr=9{@6=7mrjShh~-=rU}n&B%a7qs1JL_nBa>kJFQ8elV=2!WY1B5t2M5GD5lt|f zSAvTgLUv#8^>CX}cM(i(>(-)dxz;iDvWw5O!)c5)TBoWp3$>3rUI=pH9D1ffeIOUW zDbYx}+)$*+`hT}j226{;=*3(uc*ge(HQpTHM4iD&r<=JVc1(gCy}hK%<(6)^`uY4>Tj6rIHYB zqW5UAzpdS!34#jL;{)Fw{QUgJ~=w`e>PHMsnS1TcIXXHZ&3M~eK5l>Xu zKsoFCd%;X@qk#m-fefH;((&?Y9grF{Al#55A3~L5YF0plJ;G=;Tr^+W-7|6IO;Q+8 z(jAXq$ayf;ZkMZ4(*w?Oh@p8LhC6=8??!%@V(e}%*>fW^Gdn|qZVyvHhcn;7nP7e; z13!D$^-?^#x*6d1)88ft06hVZh%m4w`xR?!cnzuoOj(g9mdE2vbKT@RghJ)XOPj{9 z@)8!#=HRJvG=jDJ77XND;cYsC=CszC!<6GUC=XLuTJ&-QRa~EvJ1rk2+G!*oQJ-rv zDyHVZ{iQN$*5is?dNbqV8|qhc*O15)HGG)f2t9s^Qf|=^iI?0K-Y1iTdr3g=GJp?V z$xZiigo(pndUv;n1xV1r5+5qPf#vQQWw3m&pRT>G&vF( zUfKIQg9%G;R`*OdO#O;nP4o+BElMgmKt<>DmKO1)S$&&!q6#4HnU4||lxfMa-543{ zkyJ+ohEfq{OG3{kZszURE;Rw$%Q;egRKJ%zsVcXx!KIO0*3MFBx83sD=dDVsvc17i zIOZuEaaI~q`@!AR{gEL#Iw}zQpS$K6i&omY2n94@a^sD@tQSO(dA(npgkPs7kGm>;j?$Ia@Q-Xnzz?(tgpkA6VBPNX zE?K%$+e~B{@o>S+P?h6K=XP;caQ=3)I{@ZMNDz)9J2T#5m#h9nXd*33TEH^v7|~i) zeYctF*06eX)*0e{xXaPT!my1$Xq>KPJakJto3xnuT&z zSaL8NwRUFm?&xIMwA~gt4hc3=hAde#vDjQ!I)@;V<9h2YOvi-XzleP!g4blZm|$iV zF%c3G8Cs;FH8|zEczqGSY%F54h`$P_VsmJ6TaXRLc8lSf`Sv%s%6<4+;Wbs-3lya( z=9I>I%97Y~G945O48YaAq6ENPUs%EJvyC! zM4jMgJj}r~@D;cdaQ-j#`5zCRku}42aI<>CgraXuKDr19db~#|@UyM;f-uc!(KDsu z5EA@CsN>^t@oH+0!SALi;ud>`P5mQta+Lh*-#RHJ)Gin%>EaFLSoU`(TG7c|yeFvl zk|Yll%)h-*%WoI6M*j+4xw`OqiDVX{k-^V2{rzCIM9mzNHGP^D={!*P7T)%yDSI5- zkGA4}r3`)#Vl6JFJ3xG)8K;FTtII9o7jNHof_Z_Zc<%@-H4RPpyXudpf)ky zmTH$LFGxaIUGQ;l=>R>?+>ZSCU|@&+Gt@5Bj3w{L{KPpgQ<~)jqx0oNZSv9R&^A42 zzqJr?C#D-n>=9FjM=D=7h_$QO$KQ8*%0%)rI(Npai_JjE9_lBk75BQMI zkk4X5PATWgrub!fb5Hxi8{(Y<(GOO8^HECOA)eanyS{u%leQOkp;1W}_8eH?nPQxW zd#Z+uJfTK>g-TR3WPu~2Ru9A+NkuIICM@PyPmJn(GBZt;xFZNDMbw8`xzl2`(?UC- z#<*=*fo{UOvycb|b&4y0Nm!sHhFMI*Y$Olgh;BG#xBU+yxav82Ejj(ZvQ|64Wwy7I zN=DXx7(V^NTH3YRB4HOu6T5=DW86P`L#Ng!SuT{%&>Cq8>|o8lF^^U%MRU41TT?h& z!uJ$YdbM*2y?#`LJ2)XPoKq`hm$I3R{V5-;@u7!E9tH4sR(`Ab-Qh!|UN-a5fZ?P@2LWRvSv!hOk08;Yy!h&uEI-X}j+&v`X` zkqY%*F@{}DHL*Jgjg2}a54hwEV`63bK4>mL%D^YT|>m1-kX{876BRm&`Y#{$&oz($qWJL}T*tj42k+yu8fa=4b7VUPq()Wb~=L?DU0U-4*Iu^KMZBRByWn-@=_f(4){Or#| zpw}~Ajs6a=z!8_H59lqYlfnS77QY0pHpIz0#)}!EGhypupZeZe@%cv z6Dngnl*SsUy^a`v?>lARi6Yps@%32JpGQvrcd*A8LPLEInBEU2vriGvMqG!jh^=Gj zXvu5zpikqnt*e4&Un_e$2FAB?(yOS0JAzxh@nN?Blqc-)Pv`U}&E5|# z)97-9utpqi*`hR+$;eS)A+KK)CO)V`b?*}z&*+28mDfWI31)sF)tBg6LVlxS z225poL+O|x)5;skkj{rew<}TsDVqFMMLSgd;UK7^clMcObM~IgSq6!eJ($JP!KHPr zBJ&SHi{wLsgMzn1^#kV#_!NO@RG@B5lxBO7WfIAi@o`{_XQg(*{R=@Z(0ij+*i7sK zW5D%_fRN7l6qpytW2K1lUqP&W5jDT!AA9@q<;M!T=CKv*^MP)Er_uLL+Y53>**w7Y zQ!2?^4$wC;Soc!+#~d?Yec;NLdR z{~*hrSQS>UOMBe)1pHe0EsyO@d(IrU4ZiS&jL`wqv6Oqv=HbI^70qu9kn~wGkNL^> z!Pd2)i--+&zp^`#4@*Myg;3r(jt*h@RWgRt70byZr;0Na8n4!bmpuX1&gK=QK!@j< zH2fF7@2s0H0!9%VC-BIp(99@e@<%Ko?BB9uv*xPnZ5dQr z8r7~9cZXv(AZPY^<(X@}GARv&_}mfYA7`vdl=)g2GIyN(<}(b_S_N2--NKp$SgO<3 zRx|EabcjUSB44GaH3Kxmx3SW;E;Eia2Zs5SkbkQ8E%VQqr0J?tQjF~p;nbIXn+D;? zg;t3Jg7A@9U**@aaqs}9;%??Scm{zBIY2ceYAQd*W-hB-!+H&4#yrm*GtT*&#`FXx zGIVm}G<;Pj+h*KQ68S4rcIIGw-mkl039s@O4p9F%TC&&&xRL=N49v2PdBb$MxJoMo zQk8+Sv+F5m{xP1prZvn1=x-Q z&Yox|y&arZrLTm~<%o}VfPV#z+i&{)W5emXhx^g~8>eUe)|Vvwp8-x8d-MOj%@mSk zZ9i{-Hu8m-rfO##y(_Rv;Y@?6%h4Id#6%`7ah+IaQ13o7o>bG&ScMj&KO~QoCmNT6()+oo%B zugV3Da)t>unQq=tbD)FP{JmB~S5QCmb)lq9Fp(*|(UGeXr3kR?k35sKFs{{a*y+h0anA_K@iCi;BR6nFmKHC=@)rMmu=XWS1nVqD*=#${cFJ6<{e=U7!Rbg>Y0b~d#&viX+5m9aNAv=RAMt8=n6a&@t^|2LsKMR7xF z;Cmw>t0<=W2II;doX`p#bcjPV9z&3dhAObzcB9xXMslqr(y!P6+2kG>Eh!rx&ZKmW)Wk~_xh`?neJqVhJk~1eTvRF#ehRwpS>s1{vUx*qf&Jm z$)Wh|lmwYatW@U@*$<14>^|yYwmwFs)C5ke9hG42{gilSU#^ulO`M}`wJ_4*-3 zGb?hfQj_AGQBI?4ghGijqfu>uAYkLK#!^uGUXuctdn8Ae5I7}o+j{9MJiM|sf9Nc{ zuP&Ls@?rMe=IfJo!=iX?9&*4!Yjs5d?0Yx4cIFXrkSHRk17Fc@yM__fyFLLl6O9nT zQqaDXunH;!PpQ7+-&#wJVtJXl8LjIkh)5qmcqhErYrP31w5~#!tS{LYTWGKEtbpE%(hH>qV(!2KMfs#a z?ZzzbDB}(7+NWIiSBQ<_{3>;H;z}uZI;n2PKWJNxM=l;5-^zpu-}+1x|38lS-}6GX z6F=M~bUtHg98X@of>mgCH-&5g6UpXGAla<+g`b&MQANW6D^;zfSzq0mQ)*J%;&tPOYin?J*G7GqmQ=>jvWvOn6E?! z{$(CU7}zChEnl$(>xf`ZdeF2E9Bv=eH&T4HWAOQ!9gBs z{gl^|(78q-ioBS^rR2PEGZLe_4Rl**H(bB?84RHquCEKi8N#29u=Eoh(DV`ZX{+8< z3BIX<`sOFNBziFWS#-X%(e`0C_|Q8;Pw9izjNOF8h|kvmWCmDHM&pANC9MV<wEJ;W{-jXqm!zC+Y@Q1y_lLL zfV^(1{A;L%TWmyI)RPknVUB<4r+d42S(W=%bXd@YB(~d>ABq-E;t)ie6%ouy(Fg`p zuj<=I7^PDs5H+UsG}+GH}zoGt*{yKF&n23C7aW@ z4ydrRtFW-uuAUu@RWe&0c!N4!H;`!n@@t#u zxlGQB4rx(F7#&MKHPy}EI;d+l(G{1KG!ZBE)7)@P!AsUCCCb0IH!P5TW=GoNFcif`NB4en16Cp<7=fhz7^uQAjbJBH>@naf2ueMktmtZ|U|)ICDMN2r`mgMSl=qDwHL;}L-d~El>pf8UJRts_03eTj*hVy6H z5o!>?AcffORZq9!NJNa`-W4wMfe6I{3*rYUhIMA>y|T}KZ56HR5XEs{(|x#SDtP@N z5?12L0W7qfvWl8T-V+u=fkBH8!$}g)7hRs34m7~)^S&Ar zd`Kz7$S2Mz(|5H(Dwn$V7n8K2pqhHQ8!i{G4C~Y6_Ex&Y%EyXdw#Nj}VdG`XCN_1n zFg4;3DGjjUo$%=m@ui%z$JU66QK^qywvLKZpD6ZQ2Ve2VBps8rcvJ6^Cf^#H4?UQ5PW$4;b)55yIY9}@k@48RLtJa>7bofX{EUE7 z?0Cx0PeYbbLAelC-BfqHf_08;{lzC1kwr|a>5{O6*g<~wt6KYPfP5uW0w?VTO!M~Q z6H@n{cONp`{>hVjEIkOV6m^ZP^l;mGz=T&*5&`m84astyZ#XZ6CpH384tt%vSJ zsvYDC5u`D&U_u)1OJ&D2=F*ie-7!%N+V6*qoM6m-zj|}hDZ+@?`mJ10OX3K-`+R0m zNk$^+zBJK7%It=_&sIc}&DT>!LYU{|WPNrp-Nfly8u5&3@(l{!pcPxek3^{L`<9*! zE-0KukkD^^+<&3BNJM$e0=~B$=VQEp@V`L+PsUEL-_%+E_kyR-_mUjr|D1Z2J->y2 zZNHTrzP$=uEKQvy4DG&+4*o5^8Kd?eI>5S#b;NXlSrGVnj3~e^OLe4*Qe7%U#4WiX z)k7h@VHRERR_j{wp8ALHdD6bj&+Dl^?2(MuL9*oTRUI3SQ2jJ4x#!GR~b8F(H6|clt%g_O=v(@*;;5eW{e)CsR{UNDIE{C-1@qe z7NY&S7DeI4?z7tR9LJ$e6za%qLsF(>%M?m1nQQ4htpl?P)yj7_C#Ds5k5F z1h@YlI%a#k9x6}=hs(mkRr-fSrmikEk)Iv6D`S==)-dDVbNK;4F@J7iC(M!K6l<^lm@iXKpYbd7b{_0BDjc9ju~tFH7Qfcgu>A9~3tzmbFnXbS(pWES9955Vbu=iI zX>GH$kbD_?_fRojp{~Mz+%=%RHG!3l(wxQb{zQlW&MTlbr2*9|peUBo#YZ8u!UMPz zJo9lmW3isPrkErmxp&SA4Z4vpe~LLL-w6JUW}f*bf#w6lVyDvUhdK9fX!p#TT3fL+ z7im|;28gcWM)UdfRI;603BWd`d%7#sP0t)qNW*R*WmrD?hg37Zngmu{P;Lm`rlK_> zITGMQH~V(}6l6}TeG5nPEHYI3EHiY}TD%AAQ@%&*Q@w}lLp!VC>E;PCjzgVyNqNmA zYd0t~-pn55?#)1Tc-(xbL07m;Md14bPJOLyoRpLhRx-BtH{Z%<78P>0$olxWy4d9! zncKIDHrWFnBRUUqc`qiz@xrz52u-?2kq~5n$h}&*K?MxJ?xV?vVXvLErROVl7L9s; zedsv`#k1PCWY;`{${N?=R9%uy1P+jKf$&__RLHP zWVH#4;U{}bB4D^B*hm%nhRpQF{4?xW$&|oNp2CUE?Coyj1QI%P|w91%+*lty%ecgZ$I1|mJWq9_c?+4{KElHR%TIU zf+^4^hXY?f0&(|Q5=NG~AhiIVR+(a1gF)Q;L&vH%zPO{yydKt*(f#LehU3CVRIS&* zA1khb+xXe{29|Ggayz;nqv9M8n$JYj?Z!w0Sb}^lq#XQlg~=nkBhYxmlB{huZcL}F zA6sNZgJpJ|laA>P$V#ZhT+&$nvNM2sudEEeUaohc#ab+sC zrj7G)E-#;G-w=I1hTjN@b;lAjX40pR+<>)=n`V_!(JFk*yE zP3nDEs^C9DCSbs8`TV~U17Bmq%9I^$2xWK;N>;W~^^HOu)jQt*LH(-WD@UyR?lk$o z+mZhVgYn<1!ov1;W|rozPKN*0V#Xxdelr-6M$Gf?*Y~BQbHRK-&@B;ni(p_#pe0mg z(1pQKcH#lqe^P^eZVUta>(kWOPSnhH^E-oKtcJzCI^FSuJ zze(PI3_%VP4Fp7k#GyT8c6l?vndL`$$s5Z05+P==upnazJ>&{eIc?MW6fVO34pXfm zmmilQmRYtQ*e*BV>J{aqI%F$j*;=Tdx{msYgM{2Gd`D^TU>~NLKrbqtQDh6KPGcB& zYEY{fj~P1Q zY_vIx8j+W?nOTo{k7|A!vvlK?qYKZnTkm@qV7lWQf#;J@)(qh~m07vHwdQ@701t>}N2> zYt=Q^?p;5oP%enrkvLCarS2rlJ;zjT@1)Ha_28t7T(IMcZi3U?D_dTzMKnR%{b7 zXeWL6f-xfJvhsVNF_?I2^3gmv=2|f7azO~wc+o|=2cR+N_<9sF;vio2z;vtlV7U6o z%q9XNPhjS1Fv)QuRq|0#HVGw&HG!!t0wQo=W>hP)uYZ7o;_qdM=-*`k-Z%4+>VGZ; z{vGL`lv&#q*NFJmy`%{yAIPrAB%*freDk*5cHaNPB~B86YH zIw9gNDz9H+n0&}J-c0V{E(`My-2Nkt0NBY-PjL5r*s48D&j)h7pIpJUb+0ol1F*~` zp1!}vw0*&IA^z*SXZ}pIG9;ySrW01 zpU6d%LB2t@(;)LD!*G(DXK-!R!}Bp1mKS>Uu`^#p z>~WR%dn&;>iuz9Pv3W7EPX~GtnCg$63a-#A$1B7q;ZqH{xws^Pf-V1eO|D zHXE9qC~c)%CS>n>jc?m)ux2hN2UpKIU2hP(X}`Ljjc|CDFH%asVJH&6j5&Rb6aaVeQvSt z6VIX1X(pXAmxL>}wO&QIImzI9LcFhECJ|Mzi1FWhCgS$=^!!D3^vyEEY0HM0>?fsv zz1W(i8*H{v9APY$IW@J9NQ06Y@g$&STTrPC$I1{t0ptDZ=rHjEZnN2BSw{(Pn+6KD zRZ-hjn-KgzRa=ZoUs=W0cAc-}66Rmi)kZgub$G6zPQn>fM&}9X6!J^UsbVFdewj#M zt5erf{g$1$WV`h=0<2Y%iDK|HwH6hSu-8LDPknW`jl$UfmI_z9=GkC(@A$oVsRFl` zMYdksp797E2vzaH-N_%;t@q4}Z;FxZ(y&6&(#;_uzaGV+M%CB= zVNRMN3tj1#%##v%wdYNDfy0)|Q$>JYJ8-6o*K4hcC(;5F=_Mn-l)y@UX$ zt$YU7Q%o3cqwRC6;{vbL1No%d&)=)2$$;SD9a-=PfFh$6P1;*I*d z?C_52JLp$(UF}SCxJXTY+9?uE`@f35}k=i`#4Rk6e@*KDc^(tnQcw(jY^fcG z2hqo(q%7)o0YkX;lCq$o6hgCi3n%i#6vZ7x&_k#aW{QnPk2CWm8yVytzz-Xd_05x& zK3Vo>SFs-R)cf&`{&tL=xJVe`-HvE7&mAL^uj`W z%$d@~HtC6RV)R6}b6PqR$Pa7R8c3d_D4Hqq2NfG(>kTi!rOp%>Lc~n3!5mddW>>pR zt8tmTCxnr(Xk6g2^MqN08AmxcFLP;APA}^V80R_+K#agUx(RR48L2ZQej@XRm?OF3 z&jyIH+L2f<&wdR}X$XB~;2tBIf^AThY(zLA4*i6@9FdbT!Xy~7Ywt-zdi=wCIRuOL z73^T>|0wMU6&500dh%`EqjoMKS;Z+_5iFfnaLNy+B-@vyNWRdcmRaaBUdtQvT_Q17 zTG$aE4SA0iRA}+d@r;k~BwsTn@=r*;LgW8Q~>>Y9oke1Rm(xx!gv){TQFv|25IK_jjLj z_mxH%0-WoyI`)361H|?QVmz7;GfF~EKrTLxMMI`-GF&@Hdq@W!)mBLYniN*qL^iti)BMVHlCJ}6zkOoinJYolUHu!*(WoxKrxmw=1b&YHkFD)8! zM;5~XMl=~kcaLx%$51-XsJ|ZRi6_Vf{D(Kj(u!%R1@wR#`p!%eut#IkZ5eam1QVDF zeNm0!33OmxQ-rjGle>qhyZSvRfes@dC-*e=DD1-j%<$^~4@~AX+5w^Fr{RWL>EbUCcyC%19 z80kOZqZF0@@NNNxjXGN=X>Rfr=1-1OqLD8_LYcQ)$D0 zV4WKz{1eB#jUTU&+IVkxw9Vyx)#iM-{jY_uPY4CEH31MFZZ~+5I%9#6yIyZ(4^4b7 zd{2DvP>-bt9Zlo!MXFM`^@N?@*lM^n=7fmew%Uyz9numNyV{-J;~}``lz9~V9iX8` z1DJAS$ejyK(rPP!r43N(R`R%ay*Te2|MStOXlu&Na7^P-<-+VzRB!bKslVU1OQf;{WQ`}Nd5KDyDEr#7tB zKtpT2-pRh5N~}mdm+@1$<>dYcykdY94tDg4K3xZc?hfwps&VU*3x3>0ejY84MrKTz zQ{<&^lPi{*BCN1_IJ9e@#jCL4n*C;8Tt?+Z>1o$dPh;zywNm4zZ1UtJ&GccwZJcU+H_f@wLdeXfw(8tbE1{K>*X1 ze|9e`K}`)B-$3R$3=j~{{~fvi8H)b}WB$K`vRX}B{oC8@Q;vD8m+>zOv_w97-C}Uj zptN+8q@q-LOlVX|;3^J}OeiCg+1@1BuKe?*R`;8het}DM`|J7FjbK{KPdR!d6w7gD zO|GN!pO4!|Ja2BdXFKwKz}M{Eij2`urapNFP7&kZ!q)E5`811 z_Xf}teCb0lglZkv5g>#=E`*vPgFJd8W}fRPjC0QX=#7PkG2!}>Ei<<9g7{H%jpH%S zJNstSm;lCYoh_D}h>cSujzZYlE0NZj#!l_S$(^EB6S*%@gGHuW z<5$tex}v$HdO|{DmAY=PLn(L+V+MbIN)>nEdB)ISqMDSL{2W?aqO72SCCq${V`~Ze z#PFWr7?X~=08GVa5;MFqMPt$8e*-l$h* zw=_VR1PeIc$LXTeIf3X3_-JoIXLftZMg?JDcnctMTH0aJ`DvU{k}B1JrU(TEqa_F zPLhu~YI`*APCk%*IhBESX!*CLEKTI9vSD9IXLof$a4mLTe?Vowa0cRAGP!J;D)JC( z@n)MB^41Iari`eok4q+2rg;mKqmb)1b@CJ3gf$t{z;o0q4BPVPz_N!Zk0p~iR_&9f ztG4r5U0Fq~2siVlw3h6YEBh_KpiMbas0wAX_B{@z&V@{(7jze4fqf#OP(qSuE|aca zaMu)GD18I+Lq0`_7yC7Vbd44}0`E=pyfUq3poQ-ajw^kZ+BT=gnh{h>him533v+o7 zuI18YU5ZPG>90kTxI(#aFOh~_37&3NK|h?(K7M8_22UIYl$5*-E7X9K++N?J5X3@O z2ym8Yrt5Zekk;S{f3llyqQi)F-ZAq;PkePNF=?`k(ibbbYq)OsFBkC7^H7nb6&bhDx~F#muc#-a(ymv|)2@4)NQw!cgZ|NLJ@N6o#y!T* zi0kdtK#GC8e7m#SA9pSuiE5bOKs^ox%=l6KBL?8Rl;8R~V>7UCaz+Y_hEOZ^fT}$m{$;GJt9$l$m3ax6_ro{OH@r z8LmGIt2C9tM6fNUD<(Y1Q8w(aN2t@VPrjc;dLp9756VNLt9&>pX!L*6kyU=uui9e7 zrQ^&h7Nuk|fa1WH?@{DNg}C&i2BPX$%)+AMi%-ImT2Q_QnRV)3UbO2JW7T-JYoYnU!(}tii1LAN|D(%7cL@IEI0mCT0!t|kd)1KahVC2K z|9L76JA1F#-=|{!eJcN|r2bI={kK#3M*^rokSGIa zWe@gc$gT&!Q!WYqGHNy3PlhBvcjf&X0o_R>a?DGQ`e|uWa)>YuWk(ibM6r_Xpiaq4 zWtcFh6k&ih==f(%+T$`L1EYJ^CeevsviNKGK3iUF&1QI!EZOR4y2d?z{kh!@hfoR4 zR$n!oTq-{w^eSf-ckrX)rp`@DG4(8%e{AtoKlwoHjNIX8hY>P;3y*y_O8XZ8ien=J zQR{%EX3|XA79>Al$+8(rw$Y~9ydiaH!@*{;*H_Weng(B+tJe^@Hh~lm^J?rL_`0$g z%o51AI)M5AP4)R##rWU8U-|zQ>N#rK?x?C*TS+B3tQmUYjh6X32PBq4xJ`|D)tg%M zLwd8z7?Ds5CNhvE8H^bY$XD*~ke$yZo!3P40jio4f0GcqUohXX>C;+gOt>>PizdRd z?{b{G8+tZA!Aj6GmXFD*thAzMDL!h{90}jI=PdjS093DQi3v@l|5~^hKrwR6 zeUbcTjhPDLUg*ao;c>8JN}wB>MOIE^vN22t5147OVW>!BTDvz4xeP$B({i(Po~_BL z9*#5s@;l~%7S3?WkF0}E8>iN+UQZh{-D}3F##`x$+YG@H0vyyD%vY!zsJHcnGrN|& z;j<&E%0i6kwaMT{tjp$m5^V4*+9;13^DDjgaFvvOe3=j2hWU3(PY)kFXvfx#EJF(V zM!l@%;xJuF3pERftbWw~WnR$A&ok4UQ0dISRjNi-j7>!WdGm0^FUmns_uy2DYX1!< zihag3z-a%BI*WE?er9_UTY_Eui-R>cvS1;=N#Bv{mPKKIv5O9iXS- z3|WAAOhFjGB1il&5F9vj6Vm!t99VnZ6v)$mKW$!I)_=41msTtDQ`CAV`azZw#(aSt z5XK052F(2mTOy|hb~KaAM@(Gg9l3=rqXB79Zp!Q>)*)Hhm(8O3s53@BCx_ltYRV=o ztb3!SE4UlbZadeiDcr2NZnT1}MNd0Au}VRHKQ!`nW(2!sPW5ulYI zosR$tFs@ul-q2)^z}}Y;3$Jj4J#kik5ou3xxf)_JL$5C!E%MDFH5fza9unrHXXw5F zHY#AcZSU73&;sy;y;fM_*p0Txd{DmQVYSyT(8Bu@vSLZAPKlVDd&6%bHj%HaV1{=L z91uK99)#H)!*Q6S`Dv))pyUoDkMa0Sllw7Fvb!iKKjbR3>q-@zp>$lcNLt4(&F9yk z!g!~88ulk{z2xgG-3{{il~#8wah-S$PDsv)h$4v?e@iEW{%JRU21>lL%fw8~(DT#^ zywKIPee|O;<3lWQL$hEWAUeA2)~-xA7yV(I(Pe55DMTFD&6fP6bS3JXHE& ze2nS2pMh>pdB%}#XYcS*N|SMQmQ2J&7WZu72OP zj&wXEJHG2^_XZLJUco>yC|q(0L~1fPN+}|}7%$xcp-i$$kXV=D`~$(T`2Y)+8U2yu zvr%Mzd~RzcUfF#X_+uh&RV1fO9P&C;yFTuW5sb%e_xPYEB%AgtaOJ(ztnLEW_Hao2 zZHV-;f-^2epH zxn#@~NOA z11ZBV6tw5T5>Iz^Jb)0%OIlra;qJl^ufG156Ui{A2$qpZ_{^c1^R`+fbi*WT%;He@ zyieltZ{6ivdgz6i=@iEldc;jVS!5E5$rymBrD?v#K?Mr`?ocG-n&lL`@;sMYaM2m6 z)Tt641KSaR_(MIZi0J-0r(53x)8LPvfBwp-{yFxkKiTU)pdB)FGjC~7AfTS_$=v_Y z*Z#MJ`R|V^X!eb+h*>&0yC}OF{rl;vioX)<^+YRtY&IVpwZx%m(G%kbE0AM%G$dMnxO@9U~x`$qY-b?f@fkQ`9pNJeiFRud6ZB~-h_kWX>mCgONAn%y8FDS z1jJ5f3AGpr111cNW(=njoJxN_XIF;t1dO^e0km*ZO?76yVM(*B>Ix?cT=nC+o2XP$ zo!&hK$H9sd8H07(XoY2&7QG(*iL;qrs4U*82`MFg4P0Dzw%rEFXuGLBslk;D|Cf}sL{Bdj9TpChAGEEN*DvCLV(j_N-e zcLNc98=ZJ>3?UluoPSL2QwygpEHOrNp?KEVT77e1i3zzY%Y9lStpis{$m zm(cz{%HDxH)4xj^O$Qy@?AW%`NjkP|cWgVkW81cE+qP}nZ)X0p&N}nVoOeCvGhF+3 z?b@|#SADRMCTILsR4>rrHy4AU0PJ{|)~M^(@q-e3hLdj7_}OdzCb7?6jvhyQy!)3Gv3ELg)6!VjwA<}NC@GK%{NI0 zJT}T#aRk{>TXHs_T?t5eRw>v2ntXC6^p*jkWo`a)WZ0?8&JFWArnx^e@#->FsW0`H zaG;x(iE*;8ugY6Nhw%)c!hpKUyX3jhGA*i6J6@(fUBPL$z{4dz!^d6OL#hN?41I+g z!KjR5!+yZ+z+Y#U0p;s{fV{jmnQyy>%`Eu5GUWo&fsZL97=D~-b_O#00NQ+zO>XS` z6cn1v6jGixMb@=ItgwK*pbiAms3``uBok32wSnIF!(VPSH!Aca2(cTt_k_R zo!iTIMT0nvu%dfM`Tm^UEy_oqiKOy5hANU5*kqB?bbwBoz>e&)X{#5b+bFeY#FB}p zj#JFe|1ix8(itqE%U8Oe9{8p+lmPB#ITX?HhA~WU^`aMeLagZ?{J#$k1(<*Ga=!-# z(r?kozXS&T@4ut}e53yWT>JmB5K8z*I`ZXC(_u$bUyRSI0_sa;;}c3a_~)8{7*#4- z*hR0l-h`v$GUX!Y8S$OAGx`t7Oh5c~5aXowl-+DBh(YT4|& zz2Q~Iz2(b(#FdLc$(X>h-N-=%K&sS{-j3KfIshl~vZ(yd@zZNg`=RANO&IW5GfVZE zs6mU)V!n_RSxggdO;6lhUb4T6hUvzQ$bXz{bZkC4QCxql0E>+~jH^F@J~OC%bQSnw z!dVcM*I_fSE>Yp7Ty9TQ8VjoGh>2rpcziKFwP#ZBOnF7Eb+fb#57*n=S;keHfwc zH49H*3q*cDponQrD`v$M1l5b=n=zY6HiA!3d-3ZhDZ+LzKN9kDW#xrc^yy*`$5>{c zL~=_5`{q}NdlgOp5;!td)>hv&2umQuUJip0G-qJ0O^3tqXGdqmn}Z9DTz4j33Oh6* zRs?8e!2wbIsGfGP{9#WZD|RF{E86KJLEy$vz9KuntCBzNS(>A~j5a$SlK;1USU4_S zB~S;>^=U+8Kqh5?r+Nbfvr>prvVolf25hJ>p9%wx5ew2uyC4l%vXv}jkoT5T@NOml z^@+(g=Fks#f9@XKR3CWI`oEWac$gIO`*&M%ga!iQ{=d%2|J9ZRjEt@AzT>j~_r7Ge zrikzvS+U<-JIh%phK;}dvq;P%#NIq@*-Ro zG795&jLHtK3kt@gsFnVb^geyY&Q#0!O5NK<5l`92U6zg)2z^ixqqM;dD69k{pn5na zjzCXM7%i#qTM&x#D|7;Cs8qI%RB+HS5}ROsznNr@l{c2b$1$=!oSc;%3db4qHN!gG z%>$rEZM~8pIiTEB<|bT*mBLb{tT1uWu6OFJ)KF7(hj^P2rs5QyMx#q_*|BJuoXwJv zyh%!-X{q#YM`heA8Hj!57>5|U9qR_sVak1r z2ZH_d(s!DNqIuDZc5gkw(w^h@n7~LZ82aCz6|aG^n5bXeTCFdW z7m@2Ej5B%8MSD2HAr*BPh~b^9^;NJ~HXJJX7VeGl(#=!DS?r0mNIH^}d}=~&Ui+B^ z_wm)B4@6oIZ9FP|3#qxxW6-_;>b*pN_iexjXi=h}e`(krgGC?N9fbTnyYPYIO6K}B zFA_P-suUrOEb6b`R1i9SkQ*s2Jb7^Y-tOTodB9(}j@~WUg#QJE`jW#~0+;?p-Oyv- zf|?tPS8>)50*6Qh^}EqVu&_nQ+F^C-IvX6tCg-UDYg3UXsv^pjsXxyJD>pVkh$z=?hWh9Cyd8bJRGUUU{A@XK zEFVF%XrUA0yYJ(VcELR{+rh(`Av6SI^lRD?z)AQ$gLvakWpQF`_zp{aqZKUt@U1H2uD*qV*seS(QQ2Dy-oc-O8X zMKUd~h#|T^-6H}`fk?iJx;2kI2$Jj;QIf6%C{vhRVjqTvaHy7Wq*g(r%|c-3w(n|C zr9N;Rs9JfUDeCWJFL}uP;Y0FDf(Wy};!IZ2zFjeU(d+_6MEJlaX*p=3D!D0b>op*k zuYr23N1W0wly8w74c#W1LpXP|?)nWr(3eXs$E(c&PiERe!JWE^z0mm5cg@7F`_!@X za8nQpF$jOM+JDY~nb?BoW=-xIQ22c3TFS?M{R<~rPg$le_1#FXz85*d|IS}UP|x1z z+ey;M%HGW3JB?4_`{vKeW ztvEN4bJui=CcnsQr$FVybke#RDpaIHY{GaczId-A9x@ zD;Gi-lJ9Iau-2o;`eV1*3ztzN3!P`Jxrc)3ocRRAct^jD5E<^lS-Z2}IFL)oUQ<%h z4?B_#BP>07`M}`7ywGkk}UQpFIOvRZx*v_~StXIsHv% zk|F{D@%%dlD`92rZ1oTF`=>D~IOsVT{euA~R8PKHPL!_>)`|SN9}+Q?LbiX7V;y|` zxRlL>%Ik$H(5Pr(Mxx>JnH-I0{je|Ff^ zz-BM|Nl%;W&QA{{-tTu0O+e~5f#GiJBzZraC7MNqDOlr?|LhqN(b;MvwI7GKiU~0K z{eT373oTRU0c$+Rhw4@XlTr&~#ma@bzsx0Wj}{NwfD$q4FH;&|U+$&78LfwdW8CyW z;OP%PLaqA+xw`)8&GY!c(BaeeC9Brzjgx$h5BNTOB+6D5tkg^CsI*KLgPcM%ya0vp zbV@C>a?WQSn!)u=q#cuPB(|i9nbp{($Sdf>!kHiclcaabX4aUu7DhI!LxJ!}0zu6Q zTOuR4jCzAp4HQB~$lx0-I*OxW?+7`C+)yPz2LhTJcEWDtrjrKPGYcx7JOz5>Fq1BbCwdcc~)V(_dWb^W^Cg+d`E znHou4u_BxEZ#{w1)X2Kp1f&31bB$h<4(gDTg@SKrHdbYIH!LCpjoWx$m6H?^Rn_?n zQtIMb-Te>usVOR~oBNm|$%EuM-Al$LI7T(caHlUC_)EwIwb_}nTuQcJOCTkj73b`fRMv9KQcH|un^M#jXkC}A*2{;)>XL4t%9j;TE~jj=;kQxkt|4?2+jG$ zO>MA4Ihwb3fs%0QJ?(xri>|+HFKQwe~VKVDLRp+kcn%p&_N|cAcOg@pMI36hxJ}`pdX&g37 z;cjX3*$bO0ZP)WGjS+*#9BPg-k|%%ld(u(z6#Rs)CdDq3v`;~(3yzuCIThvMSR?)N8k)5*zG&`Z5~4mo5!kDs8X%#wWG=BAOu>f;BBx)i={ZF2%pg&8u9OHu$RwHWi(Zrnb_F!S4}H4Pemup{B?g&x zU#uE<^xzLw!p;7LfV$qJaB~})?F?0goeb3_q^thbL^rZUwm(m}&9u{(G_k#^JTnZ# z?ls#Ol&@v+(`?BLI#?e_JDXMXZ{(A&w5)*9@rU$xbIzoJK{+Kq$9~gGf?d^9H95ge z9~bmk_TQ;pQR=n`mb-!up;6q>rJg5h&~DXGOL10ZCpZElV9+NXAe{ z(U{+>WGl-7n9_cB;esbv`zQd5PGDmtwrS6_?5O|j?f&4!=Swn)P&{DTRm#Q z?lZCaTsQRukADw>9hvymR@=x9j+`A^;gGe7opW<)l3(+nJ@lsz+RXHLf8DN7;}xZk z?qsC(lwIfrLNr`%cX`j&a39Sp*W&E5ABI{ZAa5xsdUx~eii8JeRZF~w%iTbC#CrAF z-f(##d2g%O_TH()d(?*AHm2=rhVJdR;EgIyP9gikuT_JX+bTqZK_f(F?2|1`kjc^R zBzDQ!BZWG%cOfa7HvQaL{Ub@Sf-hnaA$2DxLI5WNxlEM_Y{{$4dSJMYh7u9pnQdxV z4jn2yc%eOWUGmF0IvlC|>3K7RbP86le>*$oQf1o9Hu$U5W?FiyW4x15Ke~2{<~fNTN9&{nZ5ltn)|0&e(%8lU!5}Jn=P4>{Wc_V#@<*& z#iR_5lKis*QVSbHPz*U4gh7_7OW&h{zBrzGiDu1}dlO-OKldzv6xfgM1;iJBv)(xV zL*nOH>}C4e_pM>gMOIgr7fA9zY$T{1XY4SU7$v!*x(F28!b*5-sBQdSve9%p&6M3A zoF)u_&hxDVt(HQi+d30wc#%MI?O*#P7A-(aDiQVoVBc|#+G2bKX3W9;9o8 zD4HbHZV4&TIV&gj0z6v7AXq7b^MENIMn!!BR-tnjn>8c7k|S+hdv8|W%?0CbQ$7B2 z*nZ5BW(Fd9tQJwZVVWzfGE-5!b%f6Gtb7t<-@dIT#=TMz3ERX_;%e*+5i3(E=Fe|ao}{&(4(W{aQ4Aoc)ELdd z5xg&)DFQ19QdauMEM#(&`Aef|XP5yeP7=4gf8P)3_V6z`))+>cj3Zt1W8V+5k z6@?Vs07*I%!{dvD{3k3PvAAMT~6`Iim@M4XaO_%YOCvyx_aZ#OE zEoQCTV=MOnIy3QCDFvy%ko~6YBp3`2U{rdbr*BHVsIz1!_!-at!VxNhO7NC`mw*3v z`Ttu;@xSWcS?XvTO7%Eu&JIN?8S!yGelAjipZZjjL?kL>E`1=KPegVn$cd#Q3 zmrT=BIxi`@g_jH)Xa+_?g2hpyNK%m(2OB8!%k?+{0(O|w)+-aJ*9?afapdUc!Kzrs z{bs76WLj({R!@J8BMHvCo3*s0;2pzhzGX)r8;v!#bHTvh^<3+|+&~E$E|kdCik&Q* zvXm9N43@#(!o=hFvr%fQ&OT-!rqBw$jx?HZJdVPlcdD=K;SDr6uCWgM^>3>bYYyzD zw(m$e)>4rAZ2TKb((Vb1@C$)B zlGwcqUCU-rWbV8uqUIsl`VCcnOj-itFqI_2Vd=!Iq?jNi9x#_YHyx#bWu>p$(+<#3 zm8~w;gB*jg_f08pzm}{qhFqd*D)ma%t4`7=-7rq(#5?lpDE3t^qTn!nJd{~h0E~E- zRQR>Q81&d@rddwej@!YvrbA+RoMKfi;I-d?R$U8^y^k3xwU)Hbm+Y+5OD;`JOia_@ z@eFpvBey;1Twd9l*KHO!*;QK5)5hjZ6$t;DMfiE(0a6m5?s6M|m_vXC)Q4Fs9sn_y zI!or%?trl8Gt;p&}Jf;`yVHP@rsXhgAkueW}cmxLXHXddup{SVk z>^B@F*hxOnbBoJ8BbZ4}yNfh{NlUbMcb;7pL3x^mNLtFPzQXori=YGCNI{)ZAZ2Ki zs3qvR(7N>3nl%-R(nxn9g25ba>ww@!Zk2n&Ba}d16bhv_#ER1_5xYp4v>EZSD=SiN zawHYv%hwEpP%wK16R};MR@m~tu!hMb+v9EDkD&DX5wQI`eh`K1)O`&W>qHzi z!b-DJ&}vPMc~072@*LfJeLTEC`v}F87}68vWOcpLQ|U|l0V(wYixZ*=QHzP%b48F5 zDzkei^(!En6E0%9u}ZGpvth=98Ab7vbAkWtt0*l8ho~bKg&k)N)D{X)Sw;9K%Rymb9ZkXRbICW~F^rHlD@gHfrM)$z@z z$hD#^b4Oa|U>c*}O;;{gCD0tASCj@XM=^K~@*b&A(W9HhBW7}y*>zs`L6&b(Numk+ z?}W2dTTY-k=m`2Mn)4HUL~E6!TYM-44baeHe*R4+@g^O;S2E_999y!?b&i{oCw2p8XKj8~?@*s%WZ!JnBS*(vHBdP{u*jZ;&mPhgW- z$TymUXpLsqmETA3RIEm7PvM~#n2jc{hcz=P?u0)H3}EOmNcTzyZTDabzVJS};Lw~R z^_n%#OhfmE{M47|-{~Pe!$80aEMfivs=~;(cxH+gPUI*ZYK)Fs^CUuPfB%5wwKIf`Er>NFR$wv_^&lqkC2)JPA$tSp%^o25 zAg&XPxP;|y!~aPnY+-Z{-RB5sI)^EdId1W3Ryen*fIbqnZ*#ViWDj((OR4xJM)(;? z@Cf4i$TZxF!ziNG;)MR>mr=gWYsSqO1fHC|%#CXi%S_NF)#i?IVU?g9jGmIR0)3Bq z;tln(pGsuhYpC|QPZ-M*8&b?$?(Qip*nJ?akUU7FF0*UvGnI!R3f3ehEjPhPEH4?iI+hc$O*6CpeI~ z4Sg%6ZtDeiGX3M@Xb0VgXkGxN8nJgs*k=MrN#I7+%!m&e>Y)R!$GXr{Ox1#dMkdI= zlKCh%&BnMT;qlKbqHxO{`^lO_0%GE1Wrg?yydI<3s6he$-Lq$K9S~S3G^v4nX^Z) zB1xZCP}vgY{yApKcg{ysSWd~`b){kFXX{Ue7MRxdIp*Pn%tWiA;G zK}!DfOQSN$&ZWcr5-u-l7x|fv7&wHK*XJt#+uRJnB2FM~@^XCA<8EU7^5gaHgUsjK zVOWSyGNZpfk~vg>rhqFct7@kb;0^O2Xsel9!;mh_$I zaKvjBu*O_)8H>OOS4ydd6g-9Aa_$Ws${Ws6Fz0|USEkulnyRswYM|urnEWUey-5v< zK|YioRQPd{ip*!92N>e3y5>A+Nv3n4toNold<;@)Cpa-}o{A3jKdb?O!_ZABIy-wA ztzaL_l_MAt9Aem+gcuy}HD3IYtK{aB*hzTjXq&0A@uXRXv^;8|0?@Am=!pbiG=C5N zM)McoW~TRnVW3NZq1KJj+xK2C;;K|}6aa~;Hr(bM#K7Rt=}86*!4%lv7!SYq>1?b! zoj=E)44db=!=F?h3B5g#AL`+B*zeH*a^T`<+KZ^BuwjR)kT#^@EDMz<=4WrL{?JQL z(Midu5k`G6nx|MAl2Y&qGSM%%J)+Yw(FWm|z4fu4I z{{3wjNT2C$ql;!i*H5F{3gKU*q?bZrK0;+SlBwYIPElp%gqUQ} zu~PZr#qYvYE(y1#z$@vrcmgY2xRG0o>lUpzY=8Rxlo4QAjRJzT;NnCL<(mUbSdA4= ztVE89jFFMl`L#!Zg%3PXupV$V{iK<4bVwi2|NAg#!f#s}|6Tho-?jh$0}cQ0{CR|dmG3a^sq@LvxXZ)+3$dF}+2P(mIEWS<*7dvo6~{*oVgRl! zQj7D|**X2unoU|<->1K~fm%Nsb}uww1XK5 zPTkQf9B`IX6+xXBtW=vbHP=GNFEGLjjx=4n!T8k>P0Dxgg)8?1odzkeL#&YQ#Ot0b z=PB19V^dl>CF9vFxxuNE`{qHrf083@(u~2?E+QAb|ND4Ak^;V`^p(&%y!)wtA0#DI~1sjPy=Gl=Jk_LKV+s!Y^j?t@%~H!tX2)H zm{hZ!i~RL`v`e690}D)}3FD}V(vmxXyhY%K5Guq{_Mv9?v2lT{bOWg4Zu^7y1ar8n zmAHd)JADf~14}K&Kd>r_R}_x(PBD?%GkD@IDUklYfy|?y1BVdi#9312{)remsr!-H zjW0tu#v*ygyWbLt^s5_5MkpYWOUgiCwk>cCafD`_APTvKBz%WJjzlS-G2A*dS)qkQzz504s~eJE&!(*U_>0mr$HykbwGNoNWwCEjL=c7M*D!Nb`PH zx2NPxryn>XZ%|N7#-LQKLHw1-kG_2=QJ2=JLW=C*nydd_?z&Q5N}%86-u%7SV*Gb- z@Bf(i5)`(qXJx-{k|yJdb?lP{@*FHb*?$CWe>MafB>S6?GqJ~&cUG(*a1pK4j zcf{!2#D*VPQ_jByclkm!s~C_7tTThdil^s=WdwIgp0IA$=lH>9hCTx z5Xr)>@*R|x(DjaQ$DHV74NS`Whn+KWt~fSy84>OBxriMf6kUU4Q-kS1l88`oJ;U37 zBQ0WgFx`l;cSai&{i2YGMjA#*3na}+e^znG8aHDsy4bZf z{#LURLOT3~vp8(Iz0R{4 z(_8XLA)?)amfcWVTsCQ-sSBOwSm)13fLBY`sl!Db%2|ifT=q zA}^pepW;deI;)PQ&|m^3N#3nC$*tDKC&*TfWst8|sxfW&I?b{?nN`JNk9Ca(mhRwR z;e*YDD(uF0O__g-j`;qano_bd|GzAsI+Vubzr}$(&aq;>^uHkxZUTeJ#UKKb;6ZDm zXJ;v)Dg@N3+lUox9T)|rNJr_O>1gvqMG~O-x)ZQ{39k$k* zrcOGGtVyrDyF9^lp_*9wqZg(DHLU6pbt5$?+x}t^@`ZWLSOY9S8qUS0f_DMG--u2U zVVx5|fL}q@Sl3A;632wqbUjvV!&-8wpc7-pG>olAC=&9uR9P+aLa{6Tryv9JHBdyU z`QqpdCu5x$noe5^wes^G-+w6U9@E!NDHQLKi5hO!OIh=Gi{cttNKdQZov`>`$0}qW zwz3-)$gk3`583rGJ_}20tDDcVxc&m|+f<1AbLy?n*OZa;*e5mRaNf1g%?~}~d-9qg z)YnEg7G_l=&u9@fFIBKaalRbC<3=@@*feY>lRsNADQ15TvdRTJZ<)eCYVPqzdL=Ef zN5(>Vd%-(d`|e!KyLWUEG);_E!J-fhAOl=zUcrgVX1&hj`Zz+wvF9Oz%X4gGuONcH z%h?(;os*+5gzz&rd5$4ULvA`P^W&(9fPMjG4QPG?KhaXi@O6O|U0j#gaaIq8)g2TV zw^p{f?V!a@N*#6eiN&o9wm34rAKw#f?N|a+zzc!gN;w?_aaFF$hD3`u9UipKy2=a?eobQF_M*REf$ zj;+{$jx7^GXy!mmwnHMf3B}G*11Dl+ur+U$HV>=|*rWme??d4H)D^+~34-e<&T4fK z9ektGZMEA`+wEVx>}pcQ8=?b3U&4M_&cEw^b7&G~t`IahA*>38X=Dd9PK+d+v5AchxFfgIsaho z3^g-d&4HLt@zfMHx9?onm0BKMiye@&M25!d0|j0nObOP+ni%+TRkv7Sys6+6#71_3 z=3c}|gh*XvU|-!JP`?&KXx|m7=3b=XOQhwATD=v29v@f&3!tGPuaC{Nnek)Hkat;U z8D}L&CC7!O1(_;b_eTUDwOd6z&YPOQpDHX}OEqX&rqBLxbi6Y+6raWRuS~FCMLRMt z&#=5pIeXB!uFvv)dfz7vM;+QgV~i`G1D= z-T1{F=Svc>DCY7thwMnMEmQWBpxlHg7sL~EN*8FEl-J$-QY%K%J<1cYy3$KV zG+EM%8p|KXJPMwGyQmer(9LR9MVP?GkZ=w}PhCJq%Z)LsM&!Gw6`W|6YLt|VXVknn zG+d8xv`&o*XpcrIyO?E>GlQ59W6fo)hgdm&!us+gk&~Z(xzd@ocd|b&VXN{1iqTsr*tppm%|xZev}kgETo?Ip)PrPEKQ`fJY27Z?+iQ zPb+`K9I8RYFXR$~Ml+_RwfhqjPI$G<^2eQukio^mMUAfca=8^`P$}-3av))0#reBX zJO?KRoQN}PfKy6EWE<${E5oA4psTIXI5R3P!`afUEO#@F#cW6?SdJ)pjcBxn{HXms zby#DnxcBA!a)&`0rbZD2SYTN$P0#hKE_J>aS6t>Fk>J=OkHFT(x{~rHi3m`WL<=kn zYqLhsunHC_IFkJ)nD=}RTK!-#DyN3zk?9q}WQ|y1rKvmlPWbjHi7UlXup~E2|PJyPAGVueL7){V%z~!0G zXAH|iVbtT<`S2``Tz}5WNHpQkL-$|7{gJQRQ z{~K-@lS>`6>%9heUPf-y_RL%GwF=+XQ~OK*X5E^AVS9Hz$Yi?j*y$}A5lRJRSrKl( z3QcA!z)W=;sR?}0Mz~&?X z!oKp_GaPNka5j@l=_W8i_Ofa*C=4c}Wn{Tg&f#Kv>KXE-R$KfXiUCcU6VXc% z=8i?pTr4YAqN+|9NHN6(T6PSGByZO+A&`CaMYXfh0S?fVLF)`1*NWI$0?QTU>kd1; zGzWn5_-2B({Gn)x14cpGBq|78lCZr3xPjhMM!`-370O&|EV~3vDVO@igfR9m|9LnF``CmprMnO!UW=7QAFV7bZS z&97u9G63r&&SVh|)l9V;7LLGCY8;X~D^VDNon%jj$@1u7VD2c4OvIF-u>sc%Ihq#3{;M1c1{1p*hfy2MCQDBv0zVR>fl{I|lfOf;-g+=$^M zq0Rs#+yN#^6GhBtw92LZA^WH9cMTdqHT|aKv9`5>skD<(_o8oU-&XLEN{BSkLfhlzuyX9QH{N}qaK6~?EU{Kz zFf*F$WS+nvgybofAOzsSJB2OZAEG_m7vlWn+^D;_jaN7gg(HGtYw~px zw}w`idAI|sf^=i2^*GKT7v~wW-*+2JZJYOB6^uJwuw86RE7aIFD9F(*S)1|L=(x*R zBloIwb9(ht1|YF%8f9femH5?zGAQAwWo zyqo4TV2R=B`U<5m8wAeMHEHpWnOW5wp)I$xr(kkl)R;Oi0isun=y}c-l7LZ7m;lm$ z$q4Iy6Sc&$7dUfcx*n3=`*`*UR zN1JtLOUYS-=7UaFQks;9^B@e^CN+Pz{Jd$gh_F`j>;ZkK-Md1}-@#73aDFjIwBy*d zTlwKK`nqGu3$(>F?Ap8A?q4y9mka`bxGNnAlZNNKWA&(V)8YwF5nmp7j%ul`_QG%4 zaeXBNd7~ytMg3#Xf>6W<>tYbEa%-$6=;P^Sh>aUHZ+e~0RG)Xi3%`rEs8MS8uYqwNdw4SWVkOjZaf` zG5VfUUiPoOG}N6 z<{qp@h!mly6=>7I?*}czyF3Y!CUIt=0}iD^XE&VrDA?Dp@(yuX{qsEJgb&Q}SNvXl zg?HrA?!MH-r4JN!Af3G9!#Qn(6l%OCA`)Ef2g8*M)Z!C4?WMK9NKh2jRTsnTgfut9 zpcZ7xAHd%`iq|80efZ31m3pN9wwBIl#Hqv=X)1r?($L>(#BR+)^)pSgbo+7#q<^S1nr$1&0=q$@M&POX?y?3L&3X z!%^Atu025LgEZ~|-)Cd0=o8K9A{$sT;SHj3M?l{!Er;st5w=T=K2^hJ<$(>&P!j2m zy3~(Qm?r5vh*EGKNLnP31{fhbiIU~c2GX_wqmM}ik7)NF$bEYKH^bK?MD+uJ24Qa=6~Fg-o!gSX*ZYoo{fzTLs$371<;7oLD|PiS3s zz;aIW1HVCV2r*#r`V-0hw_!s4!G4R|L@`u_;)KA?o(p8@$&bkWXV*taO%NC3k? zok=*KA5vswZe|5QOQd*4kD7Db^c|__5C;&|S5MvKdkPtu)vo}DGqDpc097%52V*z( zXp%Esq4?Rzj53SE6hKu;Xc!&LMZPPIj;O-Gnpq&!&u5db7Xi z64ox137#@4w5it68EPn<8RO48KG_2>?+Aa}Qo7fR%&wXJNf2J;Kwm6Opddsyx$gY# zU+b%y*{cBju|sw!wOcY_sMFWX9(C02d(;_YQh1*sH9?j$%`tKJyd(j0PtK#D+KLHI zL;b*n{CZ7IBb}MUGdG3l2vFGJn3TOYJD$Hz2OOy*%!5a{!!0mvok+e+N zaP?Ndm;SO(8-v%yvu#Rr;qFSgZrKJxV^uEnX@L(r4)dZeyh@yRqoi@3M|#Hz`hHN6 zA|8#&oFv8+1F8t(#j1%Ywdn%N2uREt;@bFAF}2zeI2KE&uZr$?-SIwKu<5ThXn_}f z`@RRcJ!3;pKi>mQe)VU5;c)zA@b#dd(J?}$sg0K5L^fIm8%TV4|>Q?qdfMwAh4AM8l8J|tiSF32B4q`!TYj_z!4Lowq99lipY?vlC zJssf0Vy+@In|fg`2sUl$wDGr$XY+4g*%PhDjM^G!Z{H44gwY-ymOqXka)G3ulfWdY ztNvx4oW*}=5^&NGhiS)Vzwb4;K`^*tjj8h$esujKb7&}?V_cU5kQElGgCL<358O^% zcT-EwP>hqb1%_8C_5R4e#7RH zp@tA$bVGG}q@TDR#-_^YT6}Zo5~p_5P%C_pRxwhgkor!;FtNFF#cncoEHm=#?xtY0 z1dHK{(;)5CQJ`0upxdRV?(5PH{JISW%d+@v8FmbTh9n5TXGnM`Cs}{(AbDxaIg&O2 zg<~{fKtj#r91u9PujPqhkFt7tid?IZ={dML<$3sh;A*Hw=VP++12;lVguAyio!na#kaYeX{|8h3_;g*K=UEf zU*{ZR($$Bw*(h;CSO4{alBraU^)52&nxLKUxg=1N5MCBUJ+3a^`9#f?7=4#`&oz?k zoz-#s4C)f8Uk@S*VF!Uc>X}9M`_*gkn0&GI2R*j zUlHUy5b;rLro3?bBLIt%dRd~2lT@kjcfY~OL5ZmTl)ExZyt!)^K#1p>U~rdclk``e z>=zHu6Qp^z%nX2U*RE14f{$U0*Cf)LfBz-c)t%iD%3wxsgHpRPvieqZgEC0IX_Vkd zxh27*KXpXxYD=^PP&EtX{NlX zC%v9)Wz6De((qH}Jqg-g`mwJ!IZ^L?eE2PE9@#9U0T>jD%e^K8-Phz7cZ-bP zU%h91CvGtNYmE{gk=tex+96fK^!I7P7YI3Ma}h)ty%NEN zn}d&kVV1DM4tPht`B!poikUOE396Uy+VE|E*eQuq zoT8M0M&bcREYOX7Q)F5+d!xec;2;H!WO+!r;v#uo402OEt*q%vj)mC@8wg}HO02G( zYG=<5*Vgl3R(5)N@{y+rvBY9CgUHeN`qQLm*3;$@Ez|2z2j3@V_m6j4Kc{5MTf}GG zMS_qp%5n(5$y|Ke#!!7w$4KKAJmhA@sJLcoS}Mv+l^X$2DS9H)ezLP0LfVpNMIPwL2U@Y%%7Q7jPXmGSPlRwa7*y~EkqObIDtyFm)q z-D~m~?At^+db`FvO2uEi2FuK@`RaSN*`T%G!}yA5f-hG1SYtty+Q}}`O^In~cgi>l z=zXVDDNVH?QHtgup3*d46+OEicA^)pIn2`}B}8}{g`msSbzzvq5zHCIjU>OrtmbrG zU26iOxr*A6%_LC(|3nH@ef$16q%glnTl}ob+(w=A9Uk48Pe(F^%ktv(oHC2Ve4|TE zc6J5le1ZqXdLP~+(UY@`Y?r~{B6_Alh8Q{OmhufQSf94*GFtAi(lV<=!6wqxL;jck zOnpR+=HK3Nh}Vv}%LXPzn;0b#^5Afk3y&G)X}NEkE`~TM%tU-P1@^=msCxOyP!IRO zBegW5wZ@10CM!9*_|kF~ZSxrk>r^zyCL|dy9$~*`OX?>1)fL1l(|lW|G!``CEq!N$ zMM)W~G2zDb6wA#)D5OmIMu_&UH_5B%DJ#NKl#R!?QVz>y5jLrK(-JpI6LIGVyD%W9 zg+7;cE40;Rcv9 zkCrUgZ-H}IaC=aY8~7*9+Ny?O=Ep;yso*#-SesEGSa3T&e&DQ`k!p#Zgb<6@KRjgn zG+Z?LoNstww}#+R`Y(?d>>GG^ncorkoKX@REYSTD zQTYHMwNiE~9MM(>u%!3KVR=O=by_thqeFR&Bm;D|lW@>^unOrb^k9yd-=S2LH0S7} z>ae^bwruKEB*7m=)u$5MIo(`)Y+RR5o>9(DDDV623UMVck1##|b`7H%yjK9unoDGkVIKrG*dvN;2S3P_9>ckR6c?7n{s5v!i;dE&<_aDaPA_ zi>Z&SHW^bWYJr-2sb7{WC|0k-a}7>k3)*YgZora(7dVnK7b6?Y7U|>t*u=-aLgC3` zvnz>+QQ_%r^ePEJA5X6^`Ey@^#{dDW(QZr*A_L9Y+QI4?xFXAQ-JDe?&YmeAVN{2b zK0DO+&S-fQWDg`ab0$mQodAEemrA3p{cHbqx{yVqz5Ns6)Rixse^k(i5spvs@22QF zAhsD~>)rC%n(#M+D1!s?DFCBTRfNF~`N7kC8by+1samiHH9dbid%Masz0;p`l^GuF z)taCc0FD9!#^qP3B`G>vZA2db%ma*@6WNWW{*kPq^|f^R%Ee|F-FM69H)u|#Qt{qt zoi{%@b&~<}!vBf99Ef=ih~RNSh2LT6zvdLf+KCi=hu6#d5v7kpppM&Z;F3;`{0FxW z@#nY=LnIjx1?~XD?48~y)>Y&odjWF%6G64~A_3<{rx6>R zqF2ozPyJzzmcF+3AQwJQ@C?KEo|5k3xP%;^ZN*zpQBm5ho(*e)*zn8NzzzG6V?5V0 z2<7tkys|TInay6or7^K(y0ZdwJz|6$blXL}SX7s2es~5{gYwS3d>6k|3V9vz-#G3! zh@|-B?^JP~seJrS$&XAfp`RknZ!pFw@e!a9WgKijDz3K#6@`ifTCWHTa}Tr}n!~;0 zh0~X4_sEKGZZ^}8+X9!T7NazNv{%@nJgpJ8M;Oa zaYo_2Qbk6_j7W15!`+XKC!`+_)IGZ>r6X=buKUkQ*5wXs5}A2D@eYvF0{q(=wm znxEYB{>rdO75{|gy2>`^UB!(y+9acVVRieAMG@Lhf)g>yr+Ccgf8oy1qUO@L$n8@A z;nKV>muW=<*rD@Su=A?nhxTpx>?1>jYOk(ytb|TNwq8q1{;WERaWZi0ov0xFjiIm} z)PkKhn`#2CSuR?p?4)9Vk#`#oL)#q8!B*j3s+x*6kQ~2Pog{K^{k(=xfv{IP9MecW zCB_bMVE;HQS12k5L;tHHjhJ8m%07IN<1N(vQCG+8IilmMo{g$Y5nrPhSx`OH03*55 z;^!ZP!KR|h3~K&8O?uAqKie(}FOYVMt}S-M;FF6%#pX@C<8P!jbk&G&a^_Oj+^2Ys z*1tnnx4eOpd*hgE$xD+(iTw1TaGNs=4*;Pf#P`fd%_%)Jk|eeooma)pR9ka)Ek(PX zq2N$R8sio=D*TQ0BaO+M*8wF-0cR8Bq6vZjr?NAFhjQ!V_)x?Yxmhd9T8#bPWJ^p2 zVbs{=P2C~;GV>Zlkw%u3?OM9&TE|2xMT@t3uSiNEt`MOO*Q>52Wh>pfXJR}YW6XQ{ zJfCN%^ZlJU=RD7Ip3^zMKT-4Q8#0faYOd#r>yK58)sH5XCS>Yj%p1^_p%gSNX4Iai z%;dio52O@`qrWD0>K#6CJvdGFcB%`pA47@W5qIzGe`HRY=O5CK4bZvl6IkJj{#%r? z|A5O4Uo8)Ng;t9f!sRAIsl1a8=TST_Vn(m0i`>XCa0r`>YP-LwxB%^wu8;8+GdQv( zG^usXB?ocI0_)y0MR`T!?Us5ehia8>M~+$sXlUCRovE--QR@;Ys?Ozq9P(Q7ZQ43> zpIo}_{z39UhS{5f8wKSDu+TKfi+#n{O-~4Uk zh*EmSxYYrfwOxCYV}}!zL%2uIc%Oe$XRV@rFeWeka?;Z(XI{}`X?HJGyIgFm@ZX;w zsc2~^A%MTLdqhpoV!jr)}36>dv>Px$jJImpFCzVcs)1b7l%&=qcE;^ zEoSbtk#6sYkpC=iQX(3 z5EUP%LDh0p49U2=$~DIZhi;dDRKwLN8`|PiC-Echa#PXZ|6)S}wWEA@3f!rX>G_!A zphhlmxu@3JVRr3xOWD}*UYv04{*WHt*vT;0@pVLmuu52Mb_Vg9Wg9EUuA2 zl8?Jv5GSU+*{PO$tBpirns`>?!VL-cX@gZO&q)OL%2_8U)8r*4jrGrH`p2zV!T-&| zaf{j)uCI!{A{R9~aJ?$SZ?kk?jfE7FM%1sOCd&S0B(^ckufHtAOetsuspYrqyZ)x8Z8=dG=GG1lcFtKmoxl{>m zAakHGc|f5ZKh>>}F8qu)Y29d2Op+uf?qK|dKPwE!pPkfGl#Sa#?TmJfv}jA5;1`#= zQqplM=!3^!2QZeCx7wu8uWl9!IN85^zrmqGDxsj;TVs=EU)ubiDaD<*@ss- zm%Y-l)9@TN+_0W7Ml5XnEz>_ep>fFIL{5V-n#cCKFhy#0p;!@D!D-=e{(8;*$#2G- z-~F3cHNv>%;D819xg3-F_yHg8bD1W}{1-kQ-da2kMRP?r=@>BD^b5H6=`Lf3y6VPn$`%)-GW}O^kSon7EBP;q9?=n_7O67v9pc>!pQb z)auPuaqG5v3l(E)_GSI_vFY2BtlPgw{(hIMip%d;>9vWnej@q%qMva4iRPI|N7n7w z(!_tL^K*((d428fyiU(eFYzyaICWGnFx_T^a$3(A4p<5kwVtGjOSNa=ey z3;wiIDZDmghb8BsMcSVyT9^W#{YkoGJ9As)0ccff5 zB`U1^TKO@jql!utGX7_6ceT=$mJTWcQ+7_Fk7=jIE7Lu2Ja%~~6K=X$o@5Q7)=`Ao z%Vptz#p~F$l82kO>0*a`LQ8HomkN}$Q0{w8GzfUMX3_$LbiUMT6?eJhshLtmT2m`2 zrK@zuUt8C6$2Zb?u5HM~2xm~H)s1rOJ^3v#{cdG~?xM<+6Lrd(chPMthvmtIcgJoV z-(H!YsUD=t^F)QFU+e|WYBXo`#ht!`&flPI?tga}(nLX13WI~;V?XO(57wx&_pbkw zBgcA$g+wx2w|Xvakrlw=n~x7nWeO7*SwR2(p1`8M*~Ae34SZ&}#$zt|Z%!C%XpOXbpLFv5`sjlu|+#!Pgo9FXG>J~QZn(O%YH zBWQs46dZC)E;!SviJp zefD-koJ?SaKCq_$3t)wALZM_9CQK zGw9iXX^iWLHTQFmME^y==>muB0FYBWAg>aJ#z};63aHSV~ z^&BI1Xx6m%m3k8-P|$7QUIaSpT%uDW?OD?BB+n%~l7+?9t%+Q~hX?=}`?8pcPE~ed z2_t~uEm#W0-QN{N#+ApD+=zZSaBm3ob`3@h+u^Gh4ttNN2s$sX!nzuwp?JOsGoHwj z2@l5>ME8YD3`fUA=$RfY>9hSG4D8@onJ^lTK8T>xz1g7`#v+8NaNr$;IubZHjA0js z2L>_#pi_KLjIjbU(W!eWi-1dyWY}RDad&1C;~9SzVCP+CjBSB%W;hBDGdrDHyErp5 z5X#cSZWs?oRzdJKA&bh!#B=h>1`ELv5fGsjM;8grEB_Ml5nw!Q?T_Fy!`b1Xw-Oi& zJK7`IPZ8{}^QU`YChTvFFb$*GF~83#Ejd(!t%MOOCWZs*(#FDY@nJtyM5ys3r$RH; zGwY5D3&8G^h`_zm90;)SqJ))TM><4FJcR=#j{NChP1sZn(R`H3fhIePF<1&VWkIAq zW^y3K#-asQg8eTLr4LygD9v;SEK4^GSPFI-K%^#fIhF$V7sl;-&O{IvfwyiWBC85G z7MZzT=Na3;D)1g*L}lf9j#XxMO|l*@z#B0U0n~;6Q((CogEzq;QX^ml3_auK-QH(! zYRlFYydetV8<%jvXTLoPZWwqE2_hCzy1W?cwt!a;Ak6maMa=Kjv3M;3Tu%5uArNL? z-SSL!&nS5679sOBE+%t6kqdtVcsdc$>26x21CM6sb)#h-?QyJ literal 0 HcmV?d00001 diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..8cf6eb5 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-6.8.3-all.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..2fe81a7 --- /dev/null +++ b/gradlew @@ -0,0 +1,183 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..9109989 --- /dev/null +++ b/gradlew.bat @@ -0,0 +1,103 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/src/main/java/com/schibsted/security/artishock/ArtishockCli.java b/src/main/java/com/schibsted/security/artishock/ArtishockCli.java new file mode 100644 index 0000000..de18ddf --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/ArtishockCli.java @@ -0,0 +1,87 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock; + +import com.google.common.collect.ListMultimap; +import com.schibsted.security.artishock.cli.view.Commands; +import java.util.Arrays; +import java.util.Collection; +import java.util.Map; +import io.airlift.airline.Cli; +import io.airlift.airline.Help; +import io.airlift.airline.OptionType; +import io.airlift.airline.ParseArgumentsMissingException; +import io.airlift.airline.ParseArgumentsUnexpectedException; +import io.airlift.airline.ParseOptionMissingException; +import io.airlift.airline.Parser; +import io.airlift.airline.model.GlobalMetadata; +import io.airlift.airline.model.OptionMetadata; + +public class ArtishockCli { + public static void main(String[] args) { + java.lang.Object.class.getModule().addOpens(java.lang.Object.class.getPackageName(), org.codehaus.groovy.reflection.CachedClass.class.getModule()); + org.codehaus.groovy.reflection.CachedClass.class.getModule().addReads(java.lang.Object.class.getModule()); + + var builder = Cli.builder("artishock") + .withDefaultCommand(Commands.CustomHelp.class); + + builder.withCommand(Commands.CustomHelp.class); + builder.withCommand(Commands.CustomHelpAlternativeName.class); + builder.withCommand(Commands.Version.class); + builder.withCommand(Commands.VersionAlternativeName.class); + + builder.withCommand(Commands.RepoLs.class); + builder.withCommand(Commands.RepoStats.class); + builder.withCommand(Commands.PackageStats.class); + builder.withCommand(Commands.Cached.class); + builder.withCommand(Commands.InferredExclude.class); + builder.withCommand(Commands.NotClaimed.class); + builder.withCommand(Commands.ExcludeCandidates.class); + + var parser = builder.build(); + try { + parser.parse(args).run(); + } catch (ParseArgumentsUnexpectedException e) { + System.err.println(e.getMessage()); + System.err.println("Try '--help' instead"); + System.exit(1); + } catch (ParseArgumentsMissingException | ParseOptionMissingException e) { + if (flagIsSet("--help", parser.getMetadata(), args)) { + Help.help(parser.getMetadata(), Arrays.asList(args)); + } else { + System.err.println(e.getMessage()); + System.err.println("Try adding '--help'"); + } + System.exit(1); + } catch (Exception e) { + boolean stacktrace = flagIsSet("--stacktrace", parser.getMetadata(), args); + + if (!stacktrace) { + System.err.println(e.getMessage()); + System.exit(1); + } + throw e; + } + } + + private static boolean flagIsSet(String flag, final GlobalMetadata globalMetadata, final String[] args) { + try { + Parser p = new Parser(); + ListMultimap options = p.parse(globalMetadata, args).getParsedOptions(); + + for (Map.Entry> option : options.asMap().entrySet()) { + OptionMetadata metadata = option.getKey(); + + if (metadata.getOptionType() == OptionType.COMMAND && metadata.getOptions().contains(flag)) { + return option.getValue().contains(true); + } + } + } catch (Exception e) { + System.err.println("Failed to determine if the stacktrace should be shown."); + } + + return false; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/artifactory/ArtifactoryClient.java b/src/main/java/com/schibsted/security/artishock/artifactory/ArtifactoryClient.java new file mode 100644 index 0000000..4ca65dc --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/artifactory/ArtifactoryClient.java @@ -0,0 +1,263 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.artifactory; + +import com.schibsted.security.artishock.npm.NpmPackageIdentifier; +import com.schibsted.security.artishock.config.Config; +import com.schibsted.security.artishock.pypi.PyPiPackageIdentifier; +import java.io.IOException; +import java.time.ZonedDateTime; +import java.util.ArrayList; +import java.util.Comparator; +import java.util.HashMap; +import java.util.List; +import java.util.Locale; +import java.util.Optional; +import java.util.Set; +import java.util.stream.Collectors; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.jfrog.artifactory.client.Artifactory; +import org.jfrog.artifactory.client.ArtifactoryClientBuilder; +import org.jfrog.artifactory.client.impl.ArtifactoryImpl; +import org.jfrog.artifactory.client.model.Folder; +import org.jfrog.artifactory.client.model.Item; +import org.jfrog.artifactory.client.model.impl.RemoteRepositoryImpl; +import org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl; +import org.jfrog.artifactory.client.model.impl.VirtualRepositoryImpl; +import org.jfrog.artifactory.client.model.repository.settings.ComposerRepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.GradleRepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.MavenRepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.NpmRepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.NugetRepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.PypiRepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.RepositorySettings; +import org.jfrog.artifactory.client.model.repository.settings.SbtRepositorySettings; + +/** + * Fetch configs from internal Artifactory. + */ +public class ArtifactoryClient { + private static final Logger log = LogManager.getLogger(); + + private final Artifactory artifactory; + + /** + * Resolve credentials and create ArtifactoryFetcher. + */ + public ArtifactoryClient(Config config) { + artifactory = ArtifactoryClientBuilder.create() + .setUrl(config.getArtifactoryUrl()) + .setUsername(config.getArtifactoryUsername()) + .setPassword(config.getArtifactoryPassword()) + .build(); + } + + /** + * This is useful for the remote repo, but for the local repo there is only one file: /.pypi/simple.html + */ + public List getAllPyPiPackageIdentifiersFromPyPiDir(String repositoryName) { + log.info(() -> "Downloading all package identifiers for " + repositoryName); + var topLevelFolders = listSubFolders(repositoryName, "/.pypi/"); + + var result = new ArrayList(); + for (var topLevelFolder : topLevelFolders) { + var candidate = topLevelFolder.substring(1, topLevelFolder.length() - ".html".length()); + + // TODO simple.html is the index, there might be other corner cases + if (candidate.equals("simple")) { + continue; + } + + // TODO consider filtering out names that are not allowed upstream + result.add(new PyPiPackageIdentifier(candidate)); + } + return result; + } + + public List getAllPyPiPackageIdentifiers(String repositoryName) { + log.info(() -> "Downloading all package identifiers for " + repositoryName); + var topLevelFolders = listTopLevelFolders(repositoryName); + + var result = new ArrayList(); + for (var topLevelFolder : topLevelFolders) { + var candidate = topLevelFolder.substring(1); + + // TODO consider filtering out names that are not allowed upstream + result.add(new PyPiPackageIdentifier(topLevelFolder.substring(1))); + } + return result; + } + + public List getAllNpmPackageIdentifiersForCache(String repositoryName) { + return getAllNpmPackageIdentifiers(repositoryName, "/"); + } + + public List getAllNpmPackageIdentifiersForLocal(String repositoryName) { + return getAllNpmPackageIdentifiers(repositoryName, "/.npm/"); + } + + // TODO consider filtering out names that are not allowed upstream + public List getAllNpmPackageIdentifiers(String repositoryName, String path) { + log.info(() -> "Downloading all package identifiers for " + repositoryName); + var topLevelFolders = listSubFolders(repositoryName, path); + + var result = new ArrayList(); + for (var topLevelFolder : topLevelFolders) { + if (topLevelFolder.startsWith("/@")) { + var subFolders = listSubFolders(repositoryName, topLevelFolder); + var scope = topLevelFolder.substring(2); + for (var packageName : subFolders) { + result.add(new NpmPackageIdentifier(scope, packageName.substring(1))); + } + } else { + if (topLevelFolder.startsWith("/.")) { + continue; + } + result.add(new NpmPackageIdentifier(topLevelFolder.substring(1))); + } + } + return result; + } + + public List repoLs() { + log.info("Retrieving repos from Artifactory"); + var virtual = artifactory.repositories().list(RepositoryTypeImpl.VIRTUAL); + var remote = artifactory.repositories().list(RepositoryTypeImpl.REMOTE); + var local = artifactory.repositories().list(RepositoryTypeImpl.LOCAL); + + var repos = new HashMap(); + var reposRaw = new HashMap(); + + for (var v : local) { + var r = artifactory.repository(v.getKey()).get(); + var artifactType = artifactType(r.getRepositorySettings()); + repos.put(v.getKey(), new Repository(r.getKey(), "local", artifactType, null, new ArrayList<>())); + reposRaw.put(v.getKey(), r); + } + + + for (var v : remote) { + var r = (RemoteRepositoryImpl) artifactory.repository(v.getKey()).get(); + var artifactType = artifactType(r.getRepositorySettings()); + repos.put(v.getKey(), new Repository(r.getKey(), "remote", artifactType, r.getUrl(), new ArrayList<>())); + reposRaw.put(v.getKey(), r); + } + + for (var v : virtual) { + var r = (VirtualRepositoryImpl) artifactory.repository(v.getKey()).get(); + var artifactType = artifactType(r.getRepositorySettings()); + + repos.put(v.getKey(), new Repository(r.getKey(), "virtual", artifactType, null, new ArrayList<>())); + reposRaw.put(v.getKey(), r); + } + + for (var v : virtual) { + var r = (VirtualRepositoryImpl) reposRaw.get(v.getKey()); + + var repo = repos.get(v.getKey()); + for (var c : r.getRepositories()) { + repo.addChild(repos.get(c)); + } + } + + return repos.values().stream() + .sorted(Comparator.comparingInt(a -> -a.getChildren().size())) + .sorted(Comparator.comparingInt(a -> a.getParents().size())) + .sorted(Comparator.comparing(Repository::getType).reversed()) + .collect(Collectors.toList()); + } + + // TODO support more + public String artifactType(RepositorySettings repositorySettings) { + if (repositorySettings instanceof PypiRepositorySettings) { + return "pypi"; + } else if (repositorySettings instanceof GradleRepositorySettings) { + return "gradle"; + } else if (repositorySettings instanceof NpmRepositorySettings) { + return "npm"; + } else if (repositorySettings instanceof SbtRepositorySettings) { + return "sbt"; + } else if (repositorySettings instanceof MavenRepositorySettings) { + return "maven"; + } else if (repositorySettings instanceof NugetRepositorySettings) { + return "nuget"; + } else if (repositorySettings instanceof ComposerRepositorySettings) { + return "composer"; + } else { + return "other"; + } + } + + List listTopLevelFolders(String repositoryName) { + return listSubFolders(repositoryName, "/"); + } + + List listSubFolders(String repositoryName, String folderName) { + Folder folder = artifactory.repository(repositoryName).folder(folderName).info(); + + return folder.getChildren().stream() + .map(Item::getUri) + .collect(Collectors.toList()); + } + + public Stats repoStats(String repoName, String packageSystem) { + return recursiveStats(repoName, "/", archiveExtensions(packageSystem)); + } + + public Stats packageStats(String repoName, String packageSystem, NpmPackageIdentifier packageName) { + return recursiveStats(repoName, packageName.toString(), archiveExtensions(packageSystem)); + } + + List archiveExtensions(String packageSystem) { + switch (packageSystem.toLowerCase(Locale.ENGLISH)) { + case "maven": + return List.of(".jar", ".war", ".rar", ".ear", ".sar", ".apk", ".aar", ".par", ".kar"); + case "npm": + return List.of(".tgz"); + case "pypi": + return List.of(".tar.gz"); + default: + throw new RuntimeException("Unknown package system " + packageSystem); + } + } + + public Stats recursiveStats(String repository, String path, List archiveExtensions) { + Folder folder = artifactory.repository(repository).folder(path).info(); + + if (folder.getChildren() == null) { + var extensionMatch = archiveExtensions.stream().filter(path::endsWith).findAny(); + if (extensionMatch.isPresent()) { + //System.out.println(path); + var stats = getDownloadStats(repository, path); + Optional lastDownloaded = stats.getDownloadCount() > 0 ? Optional.of(stats.getLastDownloaded()) : Optional.empty(); + Optional lastDownloadedBy = stats.getDownloadCount() > 0 ? Optional.of(stats.getLastDownloadedBy()) : Optional.empty(); + return new Stats(stats.getDownloadCount(), 1, lastDownloaded, lastDownloadedBy, Set.of(extensionMatch.get())); + } else { + return Stats.empty(); + } + } + + var result = Stats.empty(); + for (var child : folder.getChildren()) { + result = result.merge(recursiveStats(repository, path + child.getUri(), archiveExtensions)); + } + + return result; + } + + /** + * https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-FileStatistics + */ + public DownloadStats getDownloadStats(String repository, String path) { + var artifactoryImpl = (ArtifactoryImpl) artifactory; + var url = "/api/storage/" + repository + "/" + path + "?stats"; + try { + return new DownloadStats(artifactoryImpl.get(url, StatsInfoImpl.class, StatsInfo.class)); + } catch (IOException e) { + throw new RuntimeException(e); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/artifactory/DownloadStats.java b/src/main/java/com/schibsted/security/artishock/artifactory/DownloadStats.java new file mode 100644 index 0000000..ea6b1ed --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/artifactory/DownloadStats.java @@ -0,0 +1,51 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.artifactory; + +import java.time.Instant; +import java.time.ZoneOffset; +import java.time.ZonedDateTime; + +public class DownloadStats { + private final String uri; + private final long downloadCount; + private final ZonedDateTime lastDownloaded; + private final String lastDownloadedBy; + private final long remoteDownloadCount; + private final ZonedDateTime remoteLastDownloaded; + + public DownloadStats(StatsInfo statsInfo) { + this.uri = statsInfo.getUri(); + this.downloadCount = statsInfo.getDownloadCount(); + this.lastDownloaded = ZonedDateTime.ofInstant(Instant.ofEpochMilli(statsInfo.getLastDownloaded()), ZoneOffset.UTC); + this.lastDownloadedBy = statsInfo.getLastDownloadedBy(); + this.remoteDownloadCount = statsInfo.getRemoteDownloadCount(); + this.remoteLastDownloaded = ZonedDateTime.ofInstant(Instant.ofEpochMilli(statsInfo.getRemoteLastDownloaded()), ZoneOffset.UTC); + } + + public String getUri() { + return uri; + } + + public long getDownloadCount() { + return downloadCount; + } + + public ZonedDateTime getLastDownloaded() { + return lastDownloaded; + } + + public String getLastDownloadedBy() { + return lastDownloadedBy; + } + + public long getRemoteDownloadCount() { + return remoteDownloadCount; + } + + public ZonedDateTime getRemoteLastDownloaded() { + return remoteLastDownloaded; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/artifactory/Repository.java b/src/main/java/com/schibsted/security/artishock/artifactory/Repository.java new file mode 100644 index 0000000..b102f28 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/artifactory/Repository.java @@ -0,0 +1,59 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.artifactory; + +import java.util.ArrayList; +import java.util.List; + +public class Repository { + private final String name; + private final String type; + private final String artifactType; + private final List children; + private final List parents; + private final String url; + + public Repository(String name, String type, String artifactType, String url, List children) { + this.name = name; + this.type = type; + this.artifactType = artifactType; + this.children = children; + this.parents = new ArrayList<>(); + this.url = url; + } + + public String getName() { + return name; + } + + public String getType() { + return type; + } + + public String getArtifactType() { + return artifactType; + } + + public String getUrl() { + return url; + } + + public List getChildren() { + return children; + } + + public List getParents() { + return parents; + } + + public void addChild(Repository repository) { + this.children.add(repository); + repository.addParent(this); + } + + public void addParent(Repository repository) { + parents.add(repository); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/artifactory/Stats.java b/src/main/java/com/schibsted/security/artishock/artifactory/Stats.java new file mode 100644 index 0000000..24591b5 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/artifactory/Stats.java @@ -0,0 +1,84 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.artifactory; + +import java.time.ZonedDateTime; +import java.util.Collection; +import java.util.Optional; +import java.util.Set; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +public class Stats { + private final long downloadCount; + private final long archiveCount; + private final Optional lastDownloaded; + private final Optional lastDownloadedBy; + private final Set extensions; + + public Stats(long downloadCount, long archiveCount, + Optional lastDownloaded, + Optional lastDownloadedBy, + Set extensions) { + this.downloadCount = downloadCount; + this.archiveCount = archiveCount; + this.lastDownloaded = lastDownloaded; + this.lastDownloadedBy = lastDownloadedBy; + this.extensions = extensions; + } + + public long getDownloadCount() { + return downloadCount; + } + + public long getArchiveCount() { + return archiveCount; + } + + public Optional getLastDownloaded() { + return lastDownloaded; + } + + public Optional getLastDownloadedBy() { + return lastDownloadedBy; + } + + public Set getExtensions() { + return extensions; + } + + public Stats merge(Stats other) { + var extensions = Stream.of(this.extensions, other.getExtensions()) + .flatMap(Collection::stream) + .distinct() + .collect(Collectors.toSet()); + + return new Stats(this.downloadCount + other.getDownloadCount(), + this.archiveCount + other.getArchiveCount(), + isAfter(this.lastDownloaded, other.getLastDownloaded()) ? this.lastDownloaded : other.getLastDownloaded(), + isAfter(this.lastDownloaded, other.getLastDownloaded()) ? this.getLastDownloadedBy() : other.getLastDownloadedBy(), + extensions); + } + + public static Stats empty() { + return new Stats(0, 0, Optional.empty(), Optional.empty(), Set.of()); + } + + private static boolean isAfter(Optional a, Optional b) { + if (a.isEmpty() && b.isEmpty()) { + return true; + } + + if (a.isPresent() && b.isEmpty()) { + return true; + } + + if (b.isPresent() && a.isEmpty()) { + return false; + } + + return a.get().isAfter(b.get()); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/artifactory/StatsInfo.java b/src/main/java/com/schibsted/security/artishock/artifactory/StatsInfo.java new file mode 100644 index 0000000..44545df --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/artifactory/StatsInfo.java @@ -0,0 +1,17 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.artifactory; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; + +@JsonIgnoreProperties(ignoreUnknown = true) +public interface StatsInfo { + long getDownloadCount(); + long getRemoteDownloadCount(); + long getLastDownloaded(); + long getRemoteLastDownloaded(); + String getLastDownloadedBy(); + String getUri(); +} diff --git a/src/main/java/com/schibsted/security/artishock/artifactory/StatsInfoImpl.java b/src/main/java/com/schibsted/security/artishock/artifactory/StatsInfoImpl.java new file mode 100644 index 0000000..a8dd4c0 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/artifactory/StatsInfoImpl.java @@ -0,0 +1,68 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.artifactory; + +public class StatsInfoImpl implements StatsInfo { + private long downloadCount; + private long remoteDownloadCount; + private long lastDownloaded; + private long remoteLastDownloaded; + private String lastDownloadedBy; + private String uri; + + @Override + public long getDownloadCount() { + return downloadCount; + } + + @Override + public long getRemoteDownloadCount() { + return remoteDownloadCount; + } + + @Override + public long getLastDownloaded() { + return lastDownloaded; + } + + @Override + public long getRemoteLastDownloaded() { + return remoteLastDownloaded; + } + + @Override + public String getLastDownloadedBy() { + return lastDownloadedBy; + } + + @Override + public String getUri() { + return uri; + } + + public void setDownloadCount(long downloadCount) { + this.downloadCount = downloadCount; + } + + public void setRemoteDownloadCount(long remoteDownloadCount) { + this.remoteDownloadCount = remoteDownloadCount; + } + + public void setLastDownloaded(long lastDownloaded) { + this.lastDownloaded = lastDownloaded; + } + + public void setRemoteLastDownloaded(long remoteLastDownloaded) { + this.remoteLastDownloaded = remoteLastDownloaded; + } + + public void setLastDownloadedBy(String lastDownloadedBy) { + this.lastDownloadedBy = lastDownloadedBy; + } + + public void setUri(String uri) { + this.uri = uri; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/view/Commands.java b/src/main/java/com/schibsted/security/artishock/cli/view/Commands.java new file mode 100644 index 0000000..0cea610 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/view/Commands.java @@ -0,0 +1,239 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.view; + +import com.schibsted.security.artishock.cli.viewmodel.Artishock; +import java.util.List; +import javax.inject.Inject; +import io.airlift.airline.Command; +import io.airlift.airline.Help; +import io.airlift.airline.OptionType; +import io.airlift.airline.model.GlobalMetadata; +import org.apache.logging.log4j.Level; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.core.config.Configurator; + +public class Commands { + private static final String PACKAGE_SYSTEM_NAME = "--package-system"; + private static final String LOCAL_NAME = "--local"; + private static final String LOCAL_DESCRIPTION = "Name of an Artifactory repo of type local"; + private static final String REMOTE_NAME = "--remote"; + private static final String REPO_DESCRIPTION = "Name of Artifactory repo"; + private static final String REPO_NAME = "--repo"; + private static final String REMOTE_DESCRIPTION = "Name of an Artifactory repo of type remote"; + private static final String QUERY_UPSTREAM_NAME = "--query-upstream"; + private static final String QUERY_UPSTREAM_DESCRIPTION = "Acknowledge that this command sends internal package names upstream"; + + private static Artishock confused() { + return new Artishock(); + } + + @io.airlift.airline.Command(name = "help", description = "Help") + public static class CustomHelp extends Help { + @Override + public void run() { + super.run(); + System.exit(1); + } + } + + @io.airlift.airline.Command(name = "--help", description = "Help", hidden = true) + public static class CustomHelpAlternativeName extends CustomHelp { + } + + @io.airlift.airline.Command(name = "version", description = "Get version") + public static class Version implements Runnable { + + @Override + public void run() { + Package p = getClass().getPackage(); + String version = p.getImplementationVersion(); + + System.out.println(String.format("artishock %s", version)); + } + } + + @io.airlift.airline.Command(name = "--version", description = "Get version", hidden = true) + public static class VersionAlternativeName extends Version { + } + + public static class BaseCommand implements Runnable { + @Inject + public GlobalMetadata global; + + @io.airlift.airline.Option(type = OptionType.COMMAND, name = "--json", description = "Output as JSON") + public boolean json; + + @io.airlift.airline.Option(type = OptionType.COMMAND, name = "--verbose", description = "Make verbose") + public boolean verbose; + + @io.airlift.airline.Option(type = OptionType.COMMAND, name = "--stacktrace", description = "Enable stacktrace") + public boolean stacktrace; + + @io.airlift.airline.Option(type = OptionType.COMMAND, name = "--help", description = "Show help") + public boolean help; + + protected Renderer renderer() { + return new Renderer(json ? OutputFormat.JSON : OutputFormat.TEXT, System.out); + } + + private void help(List commands) { + if (help) { + Help.help(global, commands); + System.exit(0); + } + } + + private void configureVerbose() { + if (verbose) { + Configurator.setAllLevels(LogManager.getRootLogger().getName(), Level.INFO); + } else { + Configurator.setAllLevels(LogManager.getRootLogger().getName(), Level.OFF); + } + } + + protected void verboseAndHelp(String command) { + configureVerbose(); + help(List.of(command)); + } + + @Override + public void run() { + } + } + + @Command(name = "repo-ls", description = "List Artifactory repositories") + public static class RepoLs extends BaseCommand { + @io.airlift.airline.Option(type = OptionType.COMMAND, name = PACKAGE_SYSTEM_NAME, description = "maven, npm, pypi") + public String packageSystem; + + @Override + public void run() { + verboseAndHelp("repo-ls"); + + renderer().render(confused().repoLs(packageSystem)); + } + } + + + @Command(name = "repo-stats", description = "Stats for a given Artifactory repository by iterating over all files (slow)") + public static class RepoStats extends BaseCommand { + + @io.airlift.airline.Option(name = REPO_NAME, description = REPO_DESCRIPTION, required = true) + public String repoName; + + @io.airlift.airline.Option(name = PACKAGE_SYSTEM_NAME, description = "maven, npm, pypi", required = true) + public String packageSystem; + + @Override + public void run() { + verboseAndHelp("repo-stats"); + + renderer().render(confused().repoStats(repoName, packageSystem)); + } + } + + @Command(name = "package-stats", description = "Stats for a given package in Artifactory by iterating recursively (can be slow)") + public static class PackageStats extends BaseCommand { + + @io.airlift.airline.Option(name = REPO_NAME, description = REPO_DESCRIPTION, required = true) + public String repoName; + + @io.airlift.airline.Option(name = PACKAGE_SYSTEM_NAME, description = "npm", required = true) + public String packageSystem; + + @io.airlift.airline.Option(name = "--package", description = "Name of the package", required = true) + public String packageName; + + @Override + public void run() { + verboseAndHelp("package-stats"); + + renderer().render(confused().packageStats(repoName, packageSystem, packageName)); + } + } + + @Command(name = "exclude-candidates", description = "Packages that are candidates to be excluded") + public static class ExcludeCandidates extends BaseCommand { + @io.airlift.airline.Option(name = PACKAGE_SYSTEM_NAME, description = "npm, pypi", required = true) + public String packageSystem; + + @io.airlift.airline.Option(name = LOCAL_NAME, description = LOCAL_DESCRIPTION, required = true) + public String local; + + @io.airlift.airline.Option(name = "--trusted", description = "File containing trusted packages") + public String trusted; + + @io.airlift.airline.Option(name = "--excluded", description = "File containing excluded packages") + public String excluded; + + @Override + public void run() { + verboseAndHelp("exclude-candidates"); + + renderer().render(confused().excludeCandidates(packageSystem, local, trusted, excluded)); + } + } + + @Command(name = "cached", description = "Local packages that exist upstream and have been cached by Artifactory") + public static class Cached extends BaseCommand { + @io.airlift.airline.Option(name = PACKAGE_SYSTEM_NAME, description = "npm, pypi", required = true) + public String packageSystem; + + @io.airlift.airline.Option(name = LOCAL_NAME, description = LOCAL_DESCRIPTION, required = true) + public String local; + + @io.airlift.airline.Option(name = REMOTE_NAME, description = REMOTE_DESCRIPTION, required = true) + public String remote; + + @Override + public void run() { + verboseAndHelp("cached"); + + renderer().render(confused().cached(packageSystem, local, remote)); + } + } + + @Command(name = "inferred-exclude", description = "Infer excluded packages (best effort)") + public static class InferredExclude extends BaseCommand { + @io.airlift.airline.Option(name = PACKAGE_SYSTEM_NAME, description = "npm, pypi", required = true) + public String packageSystem; + + @io.airlift.airline.Option(name = LOCAL_NAME, description = LOCAL_DESCRIPTION, required = true) + public String local; + + @io.airlift.airline.Option(name = REMOTE_NAME, description = REMOTE_DESCRIPTION, required = true) + public String remote; + + @io.airlift.airline.Option(name = QUERY_UPSTREAM_NAME, description = QUERY_UPSTREAM_DESCRIPTION, required = false) + boolean queryUpstream; + + @Override + public void run() { + verboseAndHelp("inferred-exclude"); + + renderer().render(confused().inferredExclude(packageSystem, local, remote, queryUpstream)); + } + } + + @Command(name = "not-claimed", description = "Local packages not claimed upstream") + public static class NotClaimed extends BaseCommand { + @io.airlift.airline.Option(name = PACKAGE_SYSTEM_NAME, description = "npm, pypi", required = true) + public String packageSystem; + + @io.airlift.airline.Option(name = LOCAL_NAME, description = LOCAL_DESCRIPTION, required = true) + public String local; + + @io.airlift.airline.Option(name = QUERY_UPSTREAM_NAME, description = QUERY_UPSTREAM_DESCRIPTION, required = false) + boolean queryUpstream; + + @Override + public void run() { + verboseAndHelp("not-claimed"); + + renderer().render(confused().notClaimed(packageSystem, local, queryUpstream)); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/view/OutputFormat.java b/src/main/java/com/schibsted/security/artishock/cli/view/OutputFormat.java new file mode 100644 index 0000000..45fa18e --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/view/OutputFormat.java @@ -0,0 +1,9 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.view; + +public enum OutputFormat { + TEXT, JSON; +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/view/Renderer.java b/src/main/java/com/schibsted/security/artishock/cli/view/Renderer.java new file mode 100644 index 0000000..be36e69 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/view/Renderer.java @@ -0,0 +1,84 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.view; + +import com.google.common.base.Joiner; +import java.io.IOException; +import java.io.PrintStream; +import java.nio.charset.StandardCharsets; +import java.util.Collection; +import java.util.stream.Collectors; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import com.fasterxml.jackson.datatype.jdk8.Jdk8Module; + +public class Renderer { + private final OutputFormat outputFormat; + private final PrintStream outputStream; + + public Renderer(OutputFormat outputFormat, PrintStream outputStream) { + this.outputStream = outputStream; + + this.outputFormat = outputFormat; + switch (outputFormat) { + case JSON: + case TEXT: + break; + default: + throw new IllegalArgumentException(String.format("Unexpected output format '%s', reverting to text", outputFormat.toString())); + } + } + + public > void render(T object) { + writeToStream(arrayOutput(object).getBytes(StandardCharsets.UTF_8)); + } + + public void render(T object) { + writeToStream(singleOutput(object).getBytes(StandardCharsets.UTF_8)); + } + + public void writeToStream(byte[] data) { + try { + this.outputStream.write(data); + this.outputStream.flush(); + } catch (IOException e) { + throw new RuntimeException("Failed to write output from CLI", e); + } + } + + private > String arrayOutput(T object) { + switch (outputFormat) { + case JSON: + return serializeToJSON(object) + "\n"; + case TEXT: + return Joiner.on("\n").join(object.stream().map(Object::toString).collect(Collectors.toList())) + "\n"; + default: + throw new RuntimeException("Unexpected output format"); + } + } + + public String singleOutput(T object) { + switch (outputFormat) { + case JSON: + return serializeToJSON(object) + "\n"; + case TEXT: + return object.toString() + "\n"; + default: + throw new RuntimeException("Unexpected output format"); + } + } + + private String serializeToJSON(Object object) { + ObjectMapper m = new ObjectMapper() + .registerModule(new Jdk8Module()); + m.enable(SerializationFeature.INDENT_OUTPUT); + try { + return m.writeValueAsString(object); + } catch (JsonProcessingException e) { + throw new RuntimeException("Failed to serialize output to JSON", e); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/viewmodel/Artishock.java b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/Artishock.java new file mode 100644 index 0000000..a503776 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/Artishock.java @@ -0,0 +1,147 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.viewmodel; + +import com.google.common.base.Joiner; +import com.schibsted.security.artishock.cli.viewmodel.types.PyPiPackageIdentifier; +import com.schibsted.security.artishock.npm.Npm; +import com.schibsted.security.artishock.artifactory.ArtifactoryClient; +import com.schibsted.security.artishock.cli.viewmodel.types.ArtifactoryRepository; +import com.schibsted.security.artishock.cli.viewmodel.types.ArtifactoryRepositoryStats; +import com.schibsted.security.artishock.cli.viewmodel.types.NpmPackageIdentifier; +import com.schibsted.security.artishock.cli.viewmodel.types.NpmPackageOrScope; +import com.schibsted.security.artishock.config.ConfigResolver; +import com.schibsted.security.artishock.pypi.Pypi; +import com.schibsted.security.artishock.shared.PackageSystem; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +public class Artishock { + private final Npm npm; + private final Pypi pypi; + private final ArtifactoryClient artifactoryClient; + + public Artishock() { + var configResolver = new ConfigResolver(); + var config = configResolver.resolveConfig(); + this.artifactoryClient = new ArtifactoryClient(config); + this.npm = new Npm(config, artifactoryClient); + this.pypi = new Pypi(config, artifactoryClient); + } + + public List repoLs(String packageSystem) { + throwIfNotSupportedOptional(packageSystem, List.of(PackageSystem.MAVEN, PackageSystem.NPM, PackageSystem.PYPI)); + + return artifactoryClient.repoLs().stream() + .filter(f -> packageSystem == null || f.getArtifactType().equals(packageSystem)) + .map(ArtifactoryRepository::new) + .collect(Collectors.toList()); + } + + public Object repoStats(String repoName, String packageSystem) { + getPackageSystemOrThrow(packageSystem, List.of(PackageSystem.MAVEN, PackageSystem.NPM, PackageSystem.PYPI)); + + return new ArtifactoryRepositoryStats(repoName, artifactoryClient.repoStats(repoName, packageSystem)); + } + + public Object packageStats(String repoName, String packageSystem, String packageName) { + getPackageSystemOrThrow(packageSystem, List.of(PackageSystem.NPM)); + + var identifier = new com.schibsted.security.artishock.npm.NpmPackageIdentifier(packageName); + return new ArtifactoryRepositoryStats(packageName, artifactoryClient.packageStats(repoName, packageSystem, identifier)); + } + + public List excludeCandidates(String packageSystem, String local, String trusted, String excluded) { + var system = getPackageSystemOrThrow(packageSystem, List.of(PackageSystem.NPM, PackageSystem.PYPI)); + + if (system.equals(PackageSystem.NPM)) { + return npm.excludeCandidates(local, Optional.ofNullable(trusted), Optional.ofNullable(excluded)).stream() + .map(NpmPackageIdentifier::new) + .collect(Collectors.toList()); + } else if (system.equals(PackageSystem.PYPI)) { + return pypi.excludeCandidates(local, Optional.ofNullable(trusted), Optional.ofNullable(excluded)).stream() + .map(PyPiPackageIdentifier::new) + .collect(Collectors.toList()); + } + + throw new RuntimeException("Implementation bug"); + } + + public List cached(String packageSystem, String local, String remote) { + var system = getPackageSystemOrThrow(packageSystem, List.of(PackageSystem.NPM, PackageSystem.PYPI)); + + if (system.equals(PackageSystem.NPM)) { + return npm.cached(local, remote).stream() + .map(NpmPackageIdentifier::new) + .collect(Collectors.toList()); + } else if (system.equals(PackageSystem.PYPI)) { + return pypi.cached(local, remote).stream() + .map(PyPiPackageIdentifier::new) + .collect(Collectors.toList()); + } + + throw new RuntimeException("Implementation bug"); + } + + public List inferredExclude(String packageSystem, String local, String remote, boolean enableUpstream) { + verifyEnableUpstreamOrThrow(enableUpstream); + + var system = getPackageSystemOrThrow(packageSystem, List.of(PackageSystem.NPM, PackageSystem.PYPI)); + + if (system.equals(PackageSystem.NPM)) { + return npm.inferredExclude(local, remote).stream() + .map(NpmPackageIdentifier::new) + .collect(Collectors.toList()); + } else if (system.equals(PackageSystem.PYPI)){ + return pypi.inferredExclude(local, remote).stream() + .map(PyPiPackageIdentifier::new) + .collect(Collectors.toList()); + } + + throw new RuntimeException("Implementation bug"); + } + + public List notClaimed(String packageSystem, String local, boolean enableUpstream) { + verifyEnableUpstreamOrThrow(enableUpstream); + + var system = getPackageSystemOrThrow(packageSystem, List.of(PackageSystem.NPM, PackageSystem.PYPI)); + + if (system.equals(PackageSystem.NPM)) { + return npm.notClaimed(local).stream() + .map(NpmPackageOrScope::new) + .collect(Collectors.toList()); + } else if (system.equals(PackageSystem.PYPI)) { + return pypi.notClaimed(local).stream() + .map(PyPiPackageIdentifier::new) + .collect(Collectors.toList()); + } + + throw new RuntimeException("Implementation bug"); + } + + void throwIfNotSupportedOptional(String packageSystem, List supported) { + if (packageSystem != null) { + getPackageSystemOrThrow(packageSystem, supported); + } + } + + PackageSystem getPackageSystemOrThrow(String packageSystem, List supported) { + var type = PackageSystem.fromString(packageSystem); + if (type.isEmpty() || !supported.contains(type.get())) { + throw new RuntimeException(String.format("Unsupported package system '%s', try one of {%s}", + packageSystem, + Joiner.on(", ").join(supported))); + } + + return type.get(); + } + + void verifyEnableUpstreamOrThrow(boolean enableUpstream) { + if (!enableUpstream) { + throw new RuntimeException("This command only works by querying internal packages upstream, add `--query-upstream` if this is OK or don't use this command"); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepository.java b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepository.java new file mode 100644 index 0000000..0209dfb --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepository.java @@ -0,0 +1,68 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.viewmodel.types; + +import com.schibsted.security.artishock.artifactory.Repository; +import java.util.List; +import java.util.stream.Collectors; + +public class ArtifactoryRepository { + private final String name; + private final String repositoryType; + private final String packageSystem; + private final List repositories; + private final String upstreamUrl; + + public ArtifactoryRepository(Repository repository) { + this.name = repository.getName(); + this.repositoryType = repository.getType(); + this.packageSystem = repository.getArtifactType(); + this.repositories = repository.getChildren().stream().map(ArtifactoryRepository::new).collect(Collectors.toList()); + this.upstreamUrl = repository.getUrl(); + } + + public String getName() { + return name; + } + + public String getRepositoryType() { + return repositoryType; + } + + public String getPackageSystem() { + return packageSystem; + } + + public String getUpstreamUrl() { + return upstreamUrl; + } + + public List getRepositories() { + return repositories; + } + + @Override + public String toString() { + var sb = new StringBuilder(); + print(sb, this, 0); + return sb.toString(); + } + + private void print(StringBuilder sb, ArtifactoryRepository repo, int indent) { + var prefix = "-".repeat(indent); + if (indent > 0) { + prefix = prefix + " "; + } + if (repo.getUpstreamUrl() != null) { + sb.append(String.format("%s%s [%s:%s:%s]", prefix, repo.getName(), repo.getPackageSystem(), repo.getRepositoryType(), repo.getUpstreamUrl())); + } else { + sb.append(String.format("%s%s [%s:%s]", prefix, repo.getName(), repo.getPackageSystem(), repo.getRepositoryType())); + } + for (var c : repo.getRepositories()) { + sb.append("\n"); + print(sb, c, indent + 1); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepositoryStats.java b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepositoryStats.java new file mode 100644 index 0000000..478ecd9 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/ArtifactoryRepositoryStats.java @@ -0,0 +1,68 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.viewmodel.types; + +import com.google.common.base.Joiner; +import com.schibsted.security.artishock.artifactory.Stats; +import java.time.ZonedDateTime; +import java.util.Optional; +import java.util.Set; + +public class ArtifactoryRepositoryStats { + private final String name; + private final long downloadCount; + private final long archiveCount; + private final Optional lastDownloaded; + private final Optional lastDownloadedBy; + private final Set extensions; + + public ArtifactoryRepositoryStats(String name, Stats stats) { + this.name = name; + this.downloadCount = stats.getDownloadCount(); + this.archiveCount = stats.getArchiveCount(); + this.lastDownloaded = stats.getLastDownloaded().map(ZonedDateTime::toString); + this.lastDownloadedBy = stats.getLastDownloadedBy(); + this.extensions = stats.getExtensions(); + } + + public String getName() { + return name; + } + + public long getDownloadCount() { + return downloadCount; + } + + public long getArchiveCount() { + return archiveCount; + } + + public Optional getLastDownloaded() { + return lastDownloaded; + } + + public Optional getLastDownloadedBy() { + return lastDownloadedBy; + } + + public Set getExtensions() { + return extensions; + } + + @Override + public String toString() { + var sb = new StringBuilder(); + + sb.append(String.format("name: %s\n", name)); + sb.append(String.format("archives: %d\n", archiveCount)); + sb.append(String.format("archives types: %s\n", Joiner.on(",").join(extensions))); + sb.append(String.format("downloads: %d\n", downloadCount)); + + lastDownloaded.ifPresent(s -> sb.append(String.format("last downloaded: %s\n", s))); + lastDownloadedBy.ifPresent(s -> sb.append(String.format("last downloaded by: %s\n", s))); + + return sb.toString(); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageIdentifier.java b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageIdentifier.java new file mode 100644 index 0000000..d807fb4 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageIdentifier.java @@ -0,0 +1,30 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.viewmodel.types; + +import java.util.Optional; + +public class NpmPackageIdentifier { + private final String packageName; + private final Optional scope; + + public NpmPackageIdentifier(com.schibsted.security.artishock.npm.NpmPackageIdentifier packageIdentifier) { + this.packageName = packageIdentifier.getPackageName(); + this.scope = packageIdentifier.getScope(); + } + + public String getPackageName() { + return packageName; + } + + public Optional getScope() { + return scope; + } + + @Override + public String toString() { + return scope.map(s -> "@" + s + "/" + packageName).orElse(packageName); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageOrScope.java b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageOrScope.java new file mode 100644 index 0000000..c1be3cd --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/NpmPackageOrScope.java @@ -0,0 +1,32 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.viewmodel.types; + +import java.util.Optional; + +public class NpmPackageOrScope { + private final Optional packageName; + private final Optional scope; + private final String name; + + public NpmPackageOrScope(com.schibsted.security.artishock.npm.NpmPackageOrScope packageOrScope) { + this.packageName = packageOrScope.getPackageName(); + this.scope = packageOrScope.getScope(); + this.name = packageOrScope.toString(); + } + + public Optional getPackageName() { + return packageName; + } + + public Optional getScope() { + return scope; + } + + @Override + public String toString() { + return name; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/PyPiPackageIdentifier.java b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/PyPiPackageIdentifier.java new file mode 100644 index 0000000..7db7b5e --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/cli/viewmodel/types/PyPiPackageIdentifier.java @@ -0,0 +1,22 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.cli.viewmodel.types; + +public class PyPiPackageIdentifier { + private final String packageName; + + public PyPiPackageIdentifier(com.schibsted.security.artishock.pypi.PyPiPackageIdentifier pyPiPackageIdentifier) { + this.packageName = pyPiPackageIdentifier.getPackageName(); + } + + public String getPackageName() { + return packageName; + } + + @Override + public String toString() { + return packageName; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/config/Config.java b/src/main/java/com/schibsted/security/artishock/config/Config.java new file mode 100644 index 0000000..90b29d6 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/config/Config.java @@ -0,0 +1,29 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.config; + +public class Config { + private final String artifactoryUrl; + private final String artifactoryUsername; + private final String artifactoryPassword; + + public Config(String artifactoryUrl, String artifactoryUsername, String artifactoryPassword) { + this.artifactoryUrl = artifactoryUrl; + this.artifactoryUsername = artifactoryUsername; + this.artifactoryPassword = artifactoryPassword; + } + + public String getArtifactoryUrl() { + return artifactoryUrl; + } + + public String getArtifactoryUsername() { + return artifactoryUsername; + } + + public String getArtifactoryPassword() { + return artifactoryPassword; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/config/ConfigRaw.java b/src/main/java/com/schibsted/security/artishock/config/ConfigRaw.java new file mode 100644 index 0000000..39e28e0 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/config/ConfigRaw.java @@ -0,0 +1,11 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.config; + +public class ConfigRaw { + public String artifactoryUrl; + public String artifactoryUsername; + public String artifactoryPassword; +} diff --git a/src/main/java/com/schibsted/security/artishock/config/ConfigResolver.java b/src/main/java/com/schibsted/security/artishock/config/ConfigResolver.java new file mode 100644 index 0000000..87e62bc --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/config/ConfigResolver.java @@ -0,0 +1,71 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.config; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.Optional; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +public class ConfigResolver { + private static final Logger log = LogManager.getLogger(); + + public static Config resolveConfig() { + var file = configDirectory().resolve("artishock.config").toFile(); + + var mapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + + try { + var config = new ConfigRaw(); + + if (file.exists()) { + log.info(() -> String.format("Reading config file %s", file.toPath())); + var content = Files.readString(file.toPath()); + config = mapper.readValue(content, ConfigRaw.class); + } else { + log.info(() -> String.format("Could not read config file %s", file.toPath())); + } + + var artifactoryUrl = getValue(config.artifactoryUrl, "ARTISHOCK_ARTIFACTORY_URL", "artifactory url"); + var artifactoryUser = getValue(config.artifactoryUsername, "ARTISHOCK_ARTIFACTORY_USERNAME", "artifactory user"); + var artifactoryPassword = getValue(config.artifactoryPassword, "ARTISHOCK_ARTIFACTORY_PASSWORD", "artifactory api key"); + + return new Config(artifactoryUrl, artifactoryUser, artifactoryPassword); + } catch (JsonProcessingException e) { + throw new RuntimeException("Could deserialize config"); + } catch (IOException e) { + throw new RuntimeException("Could not read config from"); + } + } + + public static Path configDirectory() { + return Path.of(userHome() + "/.artishock/"); + } + + static String userHome() { + return System.getProperty("user.home"); + } + + static String getValue(String configFileValue, String env, String description) { + Optional envOverride = Optional.ofNullable(System.getenv(env)); + + if (envOverride.isEmpty() && configFileValue == null) { + throw new RuntimeException("Unable to get config " + description); + } + + if (envOverride.isPresent()) { + log.info(() -> String.format("Using %s from environment variable", description)); + return envOverride.get(); + } else { + log.info(() -> String.format("Using %s from config file", description)); + return configFileValue; + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/Npm.java b/src/main/java/com/schibsted/security/artishock/npm/Npm.java new file mode 100644 index 0000000..d9288bf --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/Npm.java @@ -0,0 +1,132 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm; + +import com.schibsted.security.artishock.artifactory.ArtifactoryClient; +import com.schibsted.security.artishock.npm.client.NpmClient; +import com.schibsted.security.artishock.config.Config; +import com.schibsted.security.artishock.shared.ConnectionInfo; +import com.schibsted.security.artishock.shared.FileReader; +import com.schibsted.security.artishock.shared.Intersection; +import java.util.ArrayList; +import java.util.Comparator; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +public class Npm { + private static final Logger log = LogManager.getLogger(); + + private final ArtifactoryClient artifactoryClient; + private final Config config; + + private final NpmClient npmClient; + + public Npm(Config config, ArtifactoryClient artifactoryClient) { + this.config = config; + this.artifactoryClient = artifactoryClient; + this.npmClient = new NpmClient(); + } + + public List excludeCandidates(String local, Optional trusted, Optional excluded) { + var candidates = artifactoryClient.getAllNpmPackageIdentifiersForLocal(local); + + if (trusted.isPresent()) { + candidates = filterOutPackageOrScope(candidates, packageOrScopes(trusted.get())); + } + + if (excluded.isPresent()) { + candidates = filterOutPackageOrScope(candidates, packageOrScopes(excluded.get())); + } + + return candidates; + } + + public List cached(String local, String remote) { + var localPackages = artifactoryClient.getAllNpmPackageIdentifiersForLocal(local); + + var remoteCached = artifactoryClient.getAllNpmPackageIdentifiersForCache(remote + "-cache"); + return Intersection.cacheIntersection(localPackages, remoteCached); + } + + public List inferredExclude(String local, String remote) { + var localPackages = artifactoryClient.getAllNpmPackageIdentifiersForLocal(local); + + // TODO search for scoped packages? This will leak additional names upstream + var localPackagesWithoutScope = packagesWithoutScope(localPackages); + + var upstreamPackages = npmClient.getPackageList(localPackagesWithoutScope, npmClient.upstream()); + + var remotePackages = npmClient.getPackageList(localPackagesWithoutScope, + new ConnectionInfo(npmApi(config.getArtifactoryUrl(), remote), config.getArtifactoryUsername(), config.getArtifactoryPassword())); + + upstreamPackages.removeAll(remotePackages); + upstreamPackages.sort(Comparator.comparing(NpmPackageIdentifier::toString)); + return upstreamPackages; + } + + public List notClaimed(String local) { + var localPackages = new ArrayList<>(artifactoryClient.getAllNpmPackageIdentifiersForLocal(local)); + + var localPackagesWithoutScope = packagesWithoutScope(localPackages); + + var localScopes = localPackages.stream() + .flatMap(f -> f.getScope().stream()) + .distinct() + .collect(Collectors.toList()); + + var upstreamPackages = npmClient.getPackageList(localPackagesWithoutScope, npmClient.upstream()); + + localPackagesWithoutScope.removeAll(upstreamPackages); + + var result = localPackagesWithoutScope.stream() + .map(NpmPackageOrScope::new) + .collect(Collectors.toList()); + + var notClaimedScopes = npmClient.notClaimedOrg(localScopes); + + result.addAll(notClaimedScopes); + + return result; + } + + String npmApi(String artifactoryBase, String repositoryName) { + return artifactoryBase + "/api/npm/" + repositoryName; + } + + List filterOutPackageOrScope(List all, List exclude) { + var excludeScopes = exclude.stream() + .filter(f -> f.getScope().isPresent() && f.getPackageName().isEmpty()) + .flatMap(f -> f.getScope().stream()) + .collect(Collectors.toSet()); + var excludePackages = exclude.stream() + .filter(f -> f.getScope().isEmpty()) + .flatMap(f -> f.getPackageName().stream()) + .collect(Collectors.toSet()); + var excludePackageAndScope = exclude.stream() + .filter(f -> f.getScope().isPresent() && f.getPackageName().isPresent()) + .collect(Collectors.toSet()); + + return all.stream() + .filter(p -> p.getScope().isEmpty() || !excludeScopes.contains(p.getScope().get())) + .filter(p -> p.getScope().isPresent() || !excludePackages.contains(p.getPackageName())) + .filter(p -> p.getScope().isEmpty() || !excludePackageAndScope.contains(new NpmPackageOrScope(p))) + .collect(Collectors.toList()); + } + + List packageOrScopes(String location) { + return FileReader.linesFromFile(location).stream() + .map(NpmPackageOrScope::new) + .collect(Collectors.toList()); + } + + static List packagesWithoutScope(List packages) { + return packages.stream() + .filter(p -> p.getScope().isEmpty()) + .collect(Collectors.toList()); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/NpmPackageIdentifier.java b/src/main/java/com/schibsted/security/artishock/npm/NpmPackageIdentifier.java new file mode 100644 index 0000000..471fb2a --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/NpmPackageIdentifier.java @@ -0,0 +1,60 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm; + +import java.util.Objects; +import java.util.Optional; + +public class NpmPackageIdentifier { + private final Optional scope; + private final String packageName; + + public NpmPackageIdentifier(String scope, String packageName) { + this.scope = Optional.of(scope); + this.packageName = packageName; + } + + public NpmPackageIdentifier(String name) { + var parts = name.split("/"); + if (parts.length == 2) { + if (!parts[0].startsWith("@")) { + throw new RuntimeException(String.format("Scope '%s' must start with '@'", parts[0])); + } + this.scope = Optional.of(parts[0].substring(1)); + this.packageName = parts[1]; + } else if (parts.length == 1){ + this.scope = Optional.empty(); + this.packageName = parts[0]; + } else { + throw new RuntimeException(String.format("Expected at most one '/' to separate scope and package name in '%s'", name)); + } + } + + public Optional getScope() { + return scope; + } + + public String getPackageName() { + return packageName; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + NpmPackageIdentifier that = (NpmPackageIdentifier) o; + return scope.equals(that.scope) && packageName.equals(that.packageName); + } + + @Override + public int hashCode() { + return Objects.hash(scope, packageName); + } + + @Override + public String toString() { + return scope.map(s -> "@" + s + "/" + packageName).orElse(packageName); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/NpmPackageOrScope.java b/src/main/java/com/schibsted/security/artishock/npm/NpmPackageOrScope.java new file mode 100644 index 0000000..062c621 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/NpmPackageOrScope.java @@ -0,0 +1,74 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm; + +import java.util.Objects; +import java.util.Optional; + +public class NpmPackageOrScope { + private final Optional packageName; + private final Optional scope; + + public NpmPackageOrScope(String name) { + var parts = name.split("/"); + if (parts.length > 1) { + if (!parts[0].startsWith("@")) { + throw new RuntimeException(String.format("Scope '%s' must start with '@'", parts[0])); + } + this.scope = Optional.of(parts[0].substring(1)); + this.packageName = Optional.of(parts[1]); + } else { + if (parts[0].startsWith("@")) { + this.scope = Optional.of(parts[0].substring(1)); + this.packageName = Optional.empty(); + } else { + this.packageName = Optional.of(parts[0]); + this.scope = Optional.empty(); + } + } + } + + public NpmPackageOrScope(Optional scope, Optional packageName) { + this.scope = scope; + this.packageName = packageName; + } + + public NpmPackageOrScope(NpmPackageIdentifier npmPackageIdentifier) { + this.scope = npmPackageIdentifier.getScope(); + this.packageName = Optional.of(npmPackageIdentifier.getPackageName()); + } + + public Optional getPackageName() { + return packageName; + } + + public Optional getScope() { + return scope; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + NpmPackageOrScope that = (NpmPackageOrScope) o; + return Objects.equals(packageName, that.packageName) && Objects.equals(scope, that.scope); + } + + @Override + public int hashCode() { + return Objects.hash(packageName, scope); + } + + @Override + public String toString() { + if (packageName.isPresent()) { + return scope.map(s -> "@" + s + "/" + packageName).orElse(packageName.get()); + } else if (scope.isPresent()) { + return "@" + scope.get(); + } else { + throw new IllegalStateException("Neither scope nor package name present"); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/NpmClient.java b/src/main/java/com/schibsted/security/artishock/npm/client/NpmClient.java new file mode 100644 index 0000000..d617e54 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/NpmClient.java @@ -0,0 +1,115 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +import com.schibsted.security.artishock.shared.CacheCategory; +import com.schibsted.security.artishock.shared.ConnectionInfo; +import com.schibsted.security.artishock.npm.NpmPackageIdentifier; +import com.schibsted.security.artishock.npm.NpmPackageOrScope; +import com.schibsted.security.artishock.shared.HttpClient; +import com.schibsted.security.artishock.shared.SimpleCache; +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.function.Supplier; +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +public class NpmClient { + private static final Logger log = LogManager.getLogger(); + + private final ObjectMapper mapper; + + public NpmClient() { + mapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + } + + public List getPackageList(List packages, ConnectionInfo connectionInfo) { + log.info(() -> "Fetching select packages from " + connectionInfo.getPrefix()); + return new ArrayList<>(getNpmPackages(packages, connectionInfo).keySet()); + } + + public List notClaimedOrg(List scopes) { + var result = new ArrayList(); + for (var scope : scopes) { + if (!claimedOrgCached(scope)) { + result.add(new NpmPackageOrScope(Optional.of(scope), Optional.empty())); + } + } + + return result; + } + + boolean claimedOrgCached(String scope) { + var connectionInfo = new ConnectionInfo("https://www.npmjs.com"); + Supplier f = () -> Boolean.toString(fetchOrgIsClaimed(connectionInfo, scope)); + var result = SimpleCache.getFromCacheOrExecute(connectionInfo, scope, CacheCategory.ORG, f); + + if (result.equals("true")) { + return true; + } else if (result.equals("false")) { + return false; + } else { + throw new RuntimeException("Wrong code"); + } + } + + Map getNpmPackages(List packages, ConnectionInfo connectionInfo) { + var result = new HashMap(); + for (var packageName : packages) { + var npmjs = getPackageInfo(packageName, connectionInfo); + var p = convert(npmjs); + p.ifPresent(npmPackageInfo -> result.put(packageName, npmPackageInfo)); + } + + return result; + } + + Optional convert(ViewRaw viewRaw) { + if (viewRaw.error == null && viewRaw.errors == null) { + return Optional.of(new NpmPackageInfo(viewRaw)); + } else { + if (viewRaw.errors != null && viewRaw.errors.get(0).status == 404) { + return Optional.empty(); + } else if (viewRaw.error != null && (viewRaw.error.equals("Not found") || viewRaw.error.equals("not_found"))) { + return Optional.empty(); + } + + if (viewRaw.errors != null) { + throw new RuntimeException(String.format("Got error %s", viewRaw.errors.get(0).message)); + } else { + throw new RuntimeException(String.format("Got error %s", viewRaw.error)); + } + } + } + + ViewRaw getPackageInfo(NpmPackageIdentifier packageName, ConnectionInfo connectionInfo) { + try { + Supplier f = () -> fetchPackageInfo(packageName.toString(), connectionInfo); + var result = SimpleCache.getFromCacheOrExecute(connectionInfo, packageName.toString(), CacheCategory.PACKAGE_INFO, f); + + return mapper.readValue(result, ViewRaw.class); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + boolean fetchOrgIsClaimed(ConnectionInfo connectionInfo, String scope) { + return HttpClient.exists(connectionInfo, "/org/" + scope); + } + + private String fetchPackageInfo(String packageName, ConnectionInfo connectionInfo) { + return HttpClient.fetch(connectionInfo, "/" + packageName); + } + + public ConnectionInfo upstream() { + return new ConnectionInfo("https://registry.npmjs.org"); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/NpmPackageInfo.java b/src/main/java/com/schibsted/security/artishock/npm/client/NpmPackageInfo.java new file mode 100644 index 0000000..5ddc4bb --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/NpmPackageInfo.java @@ -0,0 +1,91 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +import java.time.ZonedDateTime; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +public class NpmPackageInfo { + private final String name; + private final List releases; + private final ZonedDateTime created; + private final ZonedDateTime modified; + private final List maintainers; + + public NpmPackageInfo(ViewRaw viewRaw) { + if (viewRaw.errors != null) { + throw new RuntimeException(String.format("code %d, message %s", viewRaw.errors.get(0).status, viewRaw.errors.get(0).message)); + } + this.name = viewRaw.name; + + var releases = new ArrayList(); + for (var version : viewRaw.versions.keySet()) { + var time = ZonedDateTime.parse(viewRaw.time.get(version)); + releases.add(new NpmRelease(version, time)); + } + Collections.sort(releases); + this.releases = releases; + + this.created = ZonedDateTime.parse(viewRaw.time.get("created")); + this.modified = ZonedDateTime.parse(viewRaw.time.get("modified")); + + if (viewRaw.maintainers != null) { + this.maintainers = viewRaw.maintainers.stream() + .map(m -> m.name + " <" + m.email + ">") + .collect(Collectors.toList()); + } else { + this.maintainers = List.of(); + } + } + + public String getName() { + return name; + } + + public List getReleases() { + return releases; + } + + public ZonedDateTime getCreated() { + return created; + } + + public ZonedDateTime getModified() { + return modified; + } + + public List getMaintainers() { + return maintainers; + } + + public List majorVersions() { + return releases.stream() + .map(r -> r.getNpmVersion().getMajor()) + .distinct() + .sorted() + .collect(Collectors.toList()); + } + + public NpmVersion highestVersion() { + return releases.get(releases.size() - 1).getNpmVersion(); + } + + public Optional highestVersion(int majorVersion) { + var candidates = releases.stream() + .filter(r -> r.getNpmVersion().getMajor() == majorVersion) + .sorted() + .collect(Collectors.toList()); + + if (candidates.isEmpty()) { + return Optional.empty(); + } else { + return Optional.of(candidates.get(candidates.size() - 1).getNpmVersion()); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/NpmRelease.java b/src/main/java/com/schibsted/security/artishock/npm/client/NpmRelease.java new file mode 100644 index 0000000..2a87bcc --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/NpmRelease.java @@ -0,0 +1,53 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +import java.time.ZonedDateTime; + +public class NpmRelease implements Comparable { + private final String version; + private final NpmVersion npmVersion; + + private final ZonedDateTime time; + + public NpmRelease(String version, ZonedDateTime time) { + this.version = version; + + var dash = version.split("[-+]"); + if (dash.length > 1) { + // System.out.println("version has - or +, ignoring"); + } + + var parts = dash[0].split("\\."); + if (parts.length != 3) { + throw new RuntimeException("Unexpected version " + version); + } + + var major = Integer.parseInt(parts[0]); + var minor = Integer.parseInt(parts[1]); + var patch = Integer.parseInt(parts[2]); + this.npmVersion = new NpmVersion(major, minor, patch); + + this.time = time; + } + + public String getVersion() { + return version; + } + + public ZonedDateTime getTime() { + return time; + } + + public NpmVersion getNpmVersion() { + return npmVersion; + } + + @Override + public int compareTo(NpmRelease o) { + return this.npmVersion.compareTo(o.getNpmVersion()); + } +} + diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/NpmSearchResult.java b/src/main/java/com/schibsted/security/artishock/npm/client/NpmSearchResult.java new file mode 100644 index 0000000..d48b6a7 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/NpmSearchResult.java @@ -0,0 +1,41 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +import java.time.ZonedDateTime; + +public class NpmSearchResult { + private final String name; + private final String scope; + private final String description; + private final ZonedDateTime date; + + public NpmSearchResult(SearchRaw.Package packageAlt) { + this.name = packageAlt.name; + this.scope = packageAlt.scope; // can be null + this.description = packageAlt.description; // can be null + if (packageAlt.date != null) { + this.date = ZonedDateTime.parse(packageAlt.date); + } else { + this.date = null; + } + } + + public String getName() { + return name; + } + + public String getScope() { + return scope; + } + + public String getDescription() { + return description; + } + + public ZonedDateTime getDate() { + return date; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/NpmVersion.java b/src/main/java/com/schibsted/security/artishock/npm/client/NpmVersion.java new file mode 100644 index 0000000..db2c0b6 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/NpmVersion.java @@ -0,0 +1,46 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +public class NpmVersion implements Comparable { + private final int major; + private final int minor; + private final int patch; + + public NpmVersion(int major, int minor, int patch) { + this.major = major; + this.minor = minor; + this.patch = patch; + } + + public int getMajor() { + return major; + } + + public int getMinor() { + return minor; + } + + public int getPatch() { + return patch; + } + + @Override + public int compareTo(NpmVersion o) { + if (this.major == o.getMajor()) { + if (this.minor == o.getMinor()) { + return Integer.compare(this.patch, o.getPatch()); + } else { + return Integer.compare(this.minor, o.getMinor()); + } + } else { + return Integer.compare(this.major, o.getMajor()); + } + } + + public String versionAsString() { + return major + "." + minor + "." + patch; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/SearchRaw.java b/src/main/java/com/schibsted/security/artishock/npm/client/SearchRaw.java new file mode 100644 index 0000000..2775061 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/SearchRaw.java @@ -0,0 +1,31 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +import java.util.List; +import com.fasterxml.jackson.annotation.JsonProperty; + +public class SearchRaw { + public List objects; + + public static class Object { + @JsonProperty("package") + public Package aPackage; + } + + public static class Package { + public String name; + public String scope; + public String date; + public String description; + public UsernameEmail publisher; + public List maintainers; + } + + public static class UsernameEmail { + public String username; + public String email; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/npm/client/ViewRaw.java b/src/main/java/com/schibsted/security/artishock/npm/client/ViewRaw.java new file mode 100644 index 0000000..10e7f71 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/npm/client/ViewRaw.java @@ -0,0 +1,37 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.npm.client; + +import java.util.List; +import java.util.Map; + +public class ViewRaw { + public String name; + public Map versions; + public Map time; + public List maintainers; + public String error; + public List errors; + + public static class Version { + public String version; + public String name; + } + + public static class Repository { + public String type; + public String url; + } + + public static class Maintainers { + public String name; + public String email; + } + + public static class Error { + public int status; + public String message; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/pypi/PyPiPackageIdentifier.java b/src/main/java/com/schibsted/security/artishock/pypi/PyPiPackageIdentifier.java new file mode 100644 index 0000000..914f24c --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/pypi/PyPiPackageIdentifier.java @@ -0,0 +1,37 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.pypi; + +import java.util.Objects; + +public class PyPiPackageIdentifier { + private final String packageName; + + public PyPiPackageIdentifier(String packageName) { + this.packageName = packageName; + } + + public String getPackageName() { + return packageName; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + PyPiPackageIdentifier that = (PyPiPackageIdentifier) o; + return Objects.equals(packageName, that.packageName); + } + + @Override + public int hashCode() { + return Objects.hash(packageName); + } + + @Override + public String toString() { + return packageName; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/pypi/Pypi.java b/src/main/java/com/schibsted/security/artishock/pypi/Pypi.java new file mode 100644 index 0000000..341a471 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/pypi/Pypi.java @@ -0,0 +1,104 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.pypi; + +import com.schibsted.security.artishock.artifactory.ArtifactoryClient; +import com.schibsted.security.artishock.config.Config; +import com.schibsted.security.artishock.pypi.client.PyPiClient; +import com.schibsted.security.artishock.shared.ConnectionInfo; +import com.schibsted.security.artishock.shared.FileReader; +import com.schibsted.security.artishock.shared.Intersection; +import java.util.ArrayList; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +public class Pypi { + private final ArtifactoryClient artifactoryClient; + private final PyPiClient pyPiClient; + private final Config config; + + public Pypi(Config config, ArtifactoryClient artifactoryClient) { + this.artifactoryClient = artifactoryClient; + this.pyPiClient = new PyPiClient(config); + this.config = config; + } + + public List excludeCandidates(String local, Optional trusted, Optional excluded) { + var candidates = pyPiClient.getAllPyPiPackageIdentifierFromIndex(local); + + var exclude = new ArrayList(); + trusted.ifPresent(s -> exclude.addAll(fromFile(s))); + excluded.ifPresent(s -> exclude.addAll(fromFile(s))); + + candidates.removeAll(exclude); + + return candidates; + } + + public List cached(String local, String remote) { + var localPackages = pyPiClient.getAllPyPiPackageIdentifierFromIndex(local); + var remoteCached = artifactoryClient.getAllPyPiPackageIdentifiersFromPyPiDir(remote + "-cache"); + + return Intersection.cacheIntersection(localPackages, remoteCached); + } + + public List inferredExclude(String local, String remote) { + var localPackages = pyPiClient.getAllPyPiPackageIdentifierFromIndex(local); + + var upstreamPackages = checkUpstream(localPackages); + var remotePackages = checkLocal(remote, localPackages); + + upstreamPackages.removeAll(remotePackages); + + return upstreamPackages; + } + + public List notClaimed(String local) { + var localPackages = pyPiClient.getAllPyPiPackageIdentifierFromIndex(local); + + var upstreamPackages = checkUpstream(localPackages); + localPackages.removeAll(upstreamPackages); + + return localPackages; + } + + List checkUpstream(List local) { + var result = new ArrayList(); + for (var l : local) { + if (existsUpstream(l)) { + result.add(l); + } + } + return result; + } + + List checkLocal(String repoName, List local) { + var result = new ArrayList(); + for (var l : local) { + if (existsInArtifactory(repoName, l)) { + result.add(l); + } + } + return result; + } + + boolean existsUpstream(PyPiPackageIdentifier packageIdentifier) { + return pyPiClient.packageExistsCached(pyPiClient.upstream(), packageIdentifier); + } + + boolean existsInArtifactory(String repo, PyPiPackageIdentifier packageIdentifier) { + return pyPiClient.packageExistsCached(new ConnectionInfo(config.getArtifactoryUrl() + "/api/pypi/" + repo, + config.getArtifactoryUsername(), + config.getArtifactoryPassword()), + packageIdentifier); + } + + List fromFile(String location) { + return FileReader.linesFromFile(location).stream() + .map(PyPiPackageIdentifier::new) + .collect(Collectors.toList()); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/pypi/client/PyPiClient.java b/src/main/java/com/schibsted/security/artishock/pypi/client/PyPiClient.java new file mode 100644 index 0000000..891756a --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/pypi/client/PyPiClient.java @@ -0,0 +1,80 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.pypi.client; + +import com.schibsted.security.artishock.config.Config; +import com.schibsted.security.artishock.pypi.PyPiPackageIdentifier; +import com.schibsted.security.artishock.shared.CacheCategory; +import com.schibsted.security.artishock.shared.ConnectionInfo; +import com.schibsted.security.artishock.shared.HttpClient; +import com.schibsted.security.artishock.shared.SimpleCache; +import java.util.List; +import java.util.function.Supplier; +import java.util.stream.Collectors; +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.dataformat.xml.XmlMapper; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +public class PyPiClient { + private static final Logger log = LogManager.getLogger(); + + private final Config config; + + public PyPiClient(Config config) { + this.config = config; + } + + public ConnectionInfo upstream() { + return new ConnectionInfo("https://pypi.org"); + } + + public List getAllPyPiPackageIdentifierFromIndex(String repositoryName) { + log.info(() -> "Fetching PyPi package from index in " + repositoryName); + + var raw = getPackagesFromIndex(new ConnectionInfo(config.getArtifactoryUrl() + "/api/pypi/" + repositoryName, + config.getArtifactoryUsername(), config.getArtifactoryPassword()), "/simple/"); + + var preprocessed = raw.replaceAll("\".*\"", "\"\"") + .replace("\n", "") + .replaceAll("
", "") + .replaceAll(".* ", ""); + + var xmlMapper = new XmlMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + + try + { + var r = xmlMapper.readValue(preprocessed, SimpleRaw.class); + + // TODO consider filtering out names that are not allowed upstream + return r.body.stream() + .map(PyPiPackageIdentifier::new) + .collect(Collectors.toList()); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + public boolean packageExistsCached(ConnectionInfo connectionInfo, PyPiPackageIdentifier packageIdentifier) { + Supplier f = () -> Boolean.toString(packageExists(connectionInfo, packageIdentifier)); + var result = SimpleCache.getFromCacheOrExecute(connectionInfo, packageIdentifier.toString(), CacheCategory.PACKAGE_EXISTS, f); + + if (result.equals("true")) { + return true; + } else if (result.equals("false")) { + return false; + } else { + throw new RuntimeException(String.format("Must be 'true' or 'false' got '%s'", result)); + } + } + + public boolean packageExists(ConnectionInfo connectionInfo, PyPiPackageIdentifier packageName) { + return HttpClient.exists(connectionInfo, "/simple/" + packageName.getPackageName() + "/"); + } + + String getPackagesFromIndex(ConnectionInfo connectionInfo, String path) { + return HttpClient.fetch(connectionInfo, path); + } +} diff --git a/src/main/java/com/schibsted/security/artishock/pypi/client/SimpleRaw.java b/src/main/java/com/schibsted/security/artishock/pypi/client/SimpleRaw.java new file mode 100644 index 0000000..a331b34 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/pypi/client/SimpleRaw.java @@ -0,0 +1,11 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.pypi.client; + +import java.util.List; + +public class SimpleRaw { + public List body; +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/CacheCategory.java b/src/main/java/com/schibsted/security/artishock/shared/CacheCategory.java new file mode 100644 index 0000000..ae08b55 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/CacheCategory.java @@ -0,0 +1,22 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +public enum CacheCategory { + PACKAGE_INFO("/package-info/"), + SEARCH("/search/"), + ORG("/org/"), + PACKAGE_EXISTS("/package-exists/"); + + private final String path; + + CacheCategory(String path) { + this.path = path; + } + + public String getPath() { + return path; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/ConnectionInfo.java b/src/main/java/com/schibsted/security/artishock/shared/ConnectionInfo.java new file mode 100644 index 0000000..f85ce71 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/ConnectionInfo.java @@ -0,0 +1,40 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.util.Optional; + +public class ConnectionInfo { + private final String prefix; + private final Optional username; + private final Optional password; + + public ConnectionInfo(String prefix, String username, String password) { + this.prefix = prefix; + this.username = Optional.of(username); + this.password = Optional.of(password); + } + + + public ConnectionInfo(String prefix) { + this.prefix = prefix; + this.username = Optional.empty(); + this.password = Optional.empty(); + } + + public String getPrefix() { + return prefix; + } + + public Optional getUsername() { + return username; + } + + public Optional getPassword() { + return password; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/FileReader.java b/src/main/java/com/schibsted/security/artishock/shared/FileReader.java new file mode 100644 index 0000000..2256722 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/FileReader.java @@ -0,0 +1,21 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.List; + +public class FileReader { + public static List linesFromFile(String location) { + var path = Path.of(location); + try { + return Files.readAllLines(Path.of(location)); + } catch (IOException e) { + throw new RuntimeException(String.format("Failed to read file at '%s'", path.toString()), e); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/HttpClient.java b/src/main/java/com/schibsted/security/artishock/shared/HttpClient.java new file mode 100644 index 0000000..e100a48 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/HttpClient.java @@ -0,0 +1,94 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +import java.io.IOException; +import java.util.concurrent.TimeUnit; +import okhttp3.Credentials; +import okhttp3.OkHttpClient; +import okhttp3.Request; +import okhttp3.Response; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +public class HttpClient { + private static final Logger log = LogManager.getLogger(); + + private static final OkHttpClient client = new OkHttpClient.Builder() + .connectTimeout(50, TimeUnit.SECONDS) + .readTimeout(300, TimeUnit.SECONDS) + .writeTimeout(50, TimeUnit.SECONDS) + .build(); + + public static Request prepareRequest(ConnectionInfo connectionInfo, String path) { + var url = connectionInfo.getPrefix() + path; + var requestBuilder = new Request.Builder() + .url(url); + + if (connectionInfo.getUsername().isPresent() && connectionInfo.getPassword().isPresent()) { + var credentials = Credentials.basic(connectionInfo.getUsername().get(), connectionInfo.getPassword().get()); + requestBuilder.addHeader("Authorization", credentials); + } else { + // External request: be polite + try { + Thread.sleep(1000); + } catch (InterruptedException e) { + // do nothing + } + } + + return requestBuilder.build(); + } + + public static Response execute(Request request) { + log.info(() -> "Fetching " + request.url()); + + try { + var response = client.newCall(request).execute(); + throwIfUnauthorized(response); + + return response; + } catch (IOException e) { + throw new RuntimeException("Failed to fetch " + request.url(), e); + } + } + + public static void throwIfUnauthorized(Response response) { + if (response.code() == 401) { + response.close(); + throw new RuntimeException("401 Unauthorized " + response.request().url()); + } + if (response.code() == 429) { + response.close(); + throw new RuntimeException("429 Too many requests " + response.request().url()); + } + } + + public static String fetch(ConnectionInfo connectionInfo, String path) { + var request = HttpClient.prepareRequest(connectionInfo, path); + + try (var response = HttpClient.execute(request)) { + return response.body().string(); + } catch (IOException e) { + throw new RuntimeException("Failed to get body from " + request.url()); + } + } + + /** + * Returns true if response is 200, false if response is 404, throws otherwise + */ + public static boolean exists(ConnectionInfo connectionInfo, String path) { + var request = HttpClient.prepareRequest(connectionInfo, path); + + try (var response = HttpClient.execute(request)) { + if (response.code() == 200) { + return true; + } else if (response.code() == 404) { + return false; + } + throw new RuntimeException(String.format("Expected code '200' or '404' for '%s', got '%d'", request.url(), response.code())); + } + } +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/Intersection.java b/src/main/java/com/schibsted/security/artishock/shared/Intersection.java new file mode 100644 index 0000000..68071b4 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/Intersection.java @@ -0,0 +1,29 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +import java.util.HashSet; +import java.util.List; +import java.util.stream.Collectors; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +public class Intersection { + private static final Logger log = LogManager.getLogger(); + + public static List cacheIntersection(List local, List cached) { + var localSet = new HashSet<>(local); + var cachedSet = new HashSet<>(cached); + + var intersection = local.stream() + .filter(cachedSet::contains) + .collect(Collectors.toList()); + + log.info("Without cache " + (localSet.size() - intersection.size())); + log.info("With cache " + intersection.size()); + + return intersection; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/PackageSystem.java b/src/main/java/com/schibsted/security/artishock/shared/PackageSystem.java new file mode 100644 index 0000000..1181d49 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/PackageSystem.java @@ -0,0 +1,42 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; + +public enum PackageSystem { + NPM("npm"), + MAVEN("maven"), + GRADLE("gradle"), + PYPI("pypi"); + + private final String alias; + + private static final Map map = new HashMap<>(); + static { + for (var v : values()) { + map.put(v.getAlias(), v); + } + } + + PackageSystem(String alias) { + this.alias = alias; + } + + public String getAlias() { + return alias; + } + + public static Optional fromString(String alias) { + return Optional.ofNullable(map.get(alias)); + } + + @Override + public String toString() { + return alias; + } +} diff --git a/src/main/java/com/schibsted/security/artishock/shared/SimpleCache.java b/src/main/java/com/schibsted/security/artishock/shared/SimpleCache.java new file mode 100644 index 0000000..dbda086 --- /dev/null +++ b/src/main/java/com/schibsted/security/artishock/shared/SimpleCache.java @@ -0,0 +1,92 @@ +/* + * Copyright 2021 Schibsted. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. + */ + +package com.schibsted.security.artishock.shared; + +import com.schibsted.security.artishock.config.ConfigResolver; +import java.io.File; +import java.io.IOException; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.time.Instant; +import java.time.temporal.ChronoUnit; +import java.util.function.Supplier; + +public class SimpleCache { + public static boolean notInCache(String key, String repo, CacheCategory npmCacheCategory) { + var cacheFile = cacheFile(key, repo, npmCacheCategory); + + return !cacheFile.exists() || olderThanOneWeek(cacheFile); + } + + private static boolean olderThanOneWeek(File cacheFile) { + if (cacheFile.exists()) { + try { + var lastModified = Files.getLastModifiedTime(cacheFile.toPath()); + var ageInDays = ChronoUnit.DAYS.between(lastModified.toInstant(), Instant.now()); + + return ageInDays >= 7; + } catch (IOException e) { + throw new RuntimeException("Failed to find age of cache " + cacheFile); + } + } + + return false; + } + + private static File cacheFile(String key, String repo, CacheCategory npmCacheCategory) { + var urlEncodedKey = urlEncode(key); + var urlEncodedRepo = urlEncode(repo); + return ConfigResolver.configDirectory().resolve("cache/" + urlEncodedRepo + npmCacheCategory.getPath() + urlEncodedKey).toFile(); + } + + private static String urlEncode(String s) { + return URLEncoder.encode(s, StandardCharsets.UTF_8); + } + + public static String getFromCache(String key, String repo, CacheCategory npmCacheCategory) { + var path = cacheFile(key, repo, npmCacheCategory).toPath(); + try { + return Files.readString(path); + } catch (IOException e) { + throw new RuntimeException(String.format("Failed read cached data from '%s'", path), e); + } + } + + public static void putInCache(String key, String repo, CacheCategory npmCacheCategory, String content) { + var configDirectory = ConfigResolver.configDirectory(); + var urlEncodedRepo = urlEncode(repo); + createDirectoryIfNonexistent(configDirectory); + createDirectoryIfNonexistent(configDirectory.resolve("cache/")); + createDirectoryIfNonexistent(configDirectory.resolve("cache/" + urlEncodedRepo)); + createDirectoryIfNonexistent(configDirectory.resolve("cache/" + urlEncodedRepo + npmCacheCategory.getPath())); + + var path = cacheFile(key, repo, npmCacheCategory).toPath(); + try { + Files.writeString(path, content); + } catch (IOException e) { + throw new RuntimeException(String.format("Failed to write cache to '%s'", path)); + } + } + + public static void createDirectoryIfNonexistent(Path path) { + var cacheDirectory = path.toFile(); + if (!cacheDirectory.exists()) { + if (!cacheDirectory.mkdir()) { + throw new RuntimeException(String.format("Failed to create '%s'", cacheDirectory.toString())); + } + } + } + + public static String getFromCacheOrExecute(ConnectionInfo connectionInfo, String key, CacheCategory cacheCategory, Supplier f) { + var repo = connectionInfo.getPrefix(); + + if (SimpleCache.notInCache(key, repo, cacheCategory)) { + SimpleCache.putInCache(key, repo, cacheCategory, f.get()); + } + return SimpleCache.getFromCache(key, repo, cacheCategory); + } +} diff --git a/src/main/logo/NOTICE b/src/main/logo/NOTICE new file mode 100644 index 0000000..7401d4f --- /dev/null +++ b/src/main/logo/NOTICE @@ -0,0 +1 @@ +Artishock the Shocked Artichoke logo is based on the public domain work: https://commons.wikimedia.org/wiki/File:Artichoke.svg diff --git a/src/main/logo/artishock.svg b/src/main/logo/artishock.svg new file mode 100644 index 0000000..42abad8 --- /dev/null +++ b/src/main/logo/artishock.svg @@ -0,0 +1,2245 @@ + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +