2017-07-06 16:28:13 +02:00
package integration
2016-12-12 18:30:31 +01:00
import (
"crypto/tls"
2018-05-16 11:44:03 +02:00
"crypto/x509"
2017-06-27 14:42:12 +02:00
"fmt"
2018-07-03 12:44:04 +02:00
"io/ioutil"
2016-12-12 18:30:31 +01:00
"net/http"
2017-09-13 10:34:04 +02:00
"os"
2018-07-03 12:44:04 +02:00
"path/filepath"
2016-12-12 18:30:31 +01:00
"time"
2017-05-17 15:22:44 +02:00
"github.com/containous/traefik/integration/try"
2018-06-27 15:08:05 +02:00
"github.com/containous/traefik/provider/acme"
2017-06-27 14:42:12 +02:00
"github.com/containous/traefik/testhelpers"
2018-06-27 15:08:05 +02:00
"github.com/containous/traefik/types"
2016-12-12 18:30:31 +01:00
"github.com/go-check/check"
2018-07-03 12:44:04 +02:00
"github.com/miekg/dns"
2016-12-12 18:30:31 +01:00
checker "github.com/vdemeester/shakers"
)
// ACME test suites (using libcompose)
type AcmeSuite struct {
BaseSuite
2018-07-03 12:44:04 +02:00
pebbleIP string
fakeDNSServer * dns . Server
2016-12-12 18:30:31 +01:00
}
2018-07-03 12:44:04 +02:00
type acmeTestCase struct {
template templateModel
2017-06-19 13:22:41 +02:00
traefikConfFilePath string
2018-07-03 12:44:04 +02:00
expectedCommonName string
2018-06-27 15:08:05 +02:00
expectedAlgorithm x509 . PublicKeyAlgorithm
2016-12-12 18:30:31 +01:00
}
2018-07-03 12:44:04 +02:00
type templateModel struct {
PortHTTP string
PortHTTPS string
Acme acme . Configuration
}
2017-06-27 14:42:12 +02:00
const (
// Domain to check
acmeDomain = "traefik.acme.wtf"
2017-06-19 13:22:41 +02:00
2017-06-27 14:42:12 +02:00
// Wildcard domain to check
wildcardDomain = "*.acme.wtf"
)
2017-06-19 13:22:41 +02:00
2018-06-27 15:08:05 +02:00
func ( s * AcmeSuite ) getAcmeURL ( ) string {
2018-07-03 12:44:04 +02:00
return fmt . Sprintf ( "https://%s:14000/dir" , s . pebbleIP )
}
func setupPebbleRootCA ( ) ( * http . Transport , error ) {
path , err := filepath . Abs ( "fixtures/acme/ssl/pebble.minica.pem" )
if err != nil {
return nil , err
}
os . Setenv ( "LEGO_CA_CERTIFICATES" , path )
os . Setenv ( "LEGO_CA_SERVER_NAME" , "pebble" )
customCAs , err := ioutil . ReadFile ( path )
if err != nil {
return nil , err
}
certPool := x509 . NewCertPool ( )
if ok := certPool . AppendCertsFromPEM ( customCAs ) ; ! ok {
return nil , fmt . Errorf ( "error creating x509 cert pool from %q: %v" , path , err )
}
return & http . Transport {
TLSClientConfig : & tls . Config {
ServerName : "pebble" ,
RootCAs : certPool ,
} ,
} , nil
2018-06-27 15:08:05 +02:00
}
2016-12-12 18:30:31 +01:00
func ( s * AcmeSuite ) SetUpSuite ( c * check . C ) {
2018-08-01 16:56:04 +02:00
s . createComposeProject ( c , "pebble" )
2016-12-12 18:30:31 +01:00
s . composeProject . Start ( c )
2018-07-03 12:44:04 +02:00
s . fakeDNSServer = startFakeDNSServer ( )
s . pebbleIP = s . composeProject . Container ( c , "pebble" ) . NetworkSettings . IPAddress
pebbleTransport , err := setupPebbleRootCA ( )
if err != nil {
c . Fatal ( err )
}
2018-08-01 16:56:04 +02:00
// wait for pebble
2018-07-03 12:44:04 +02:00
req := testhelpers . MustNewRequest ( http . MethodGet , s . getAcmeURL ( ) , nil )
client := & http . Client {
Transport : pebbleTransport ,
}
2016-12-12 18:30:31 +01:00
2018-07-03 12:44:04 +02:00
err = try . Do ( 5 * time . Second , func ( ) error {
resp , errGet := client . Do ( req )
if errGet != nil {
return errGet
}
return try . StatusCodeIs ( http . StatusOK ) ( resp )
} )
2016-12-12 18:30:31 +01:00
c . Assert ( err , checker . IsNil )
}
func ( s * AcmeSuite ) TearDownSuite ( c * check . C ) {
2018-07-03 12:44:04 +02:00
err := s . fakeDNSServer . Shutdown ( )
if err != nil {
c . Log ( err )
}
2016-12-12 18:30:31 +01:00
// shutdown and delete compose project
if s . composeProject != nil {
s . composeProject . Stop ( c )
}
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01DomainsAtStart ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
Domains : types . Domains { types . Domain {
Main : "traefik.acme.wtf" ,
} } ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2017-06-27 14:42:12 +02:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01DomainsInSANAtStart ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
Domains : types . Domains { types . Domain {
Main : "acme.wtf" ,
SANs : [ ] string { "traefik.acme.wtf" } ,
} } ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : "acme.wtf" ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2018-03-05 20:54:04 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRule ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2018-05-16 11:44:03 +02:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleECDSA ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
KeyType : "EC384" ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . ECDSA ,
2018-06-27 15:08:05 +02:00
}
2018-05-16 11:44:03 +02:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleInvalidAlgo ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
KeyType : "INVALID" ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2017-06-27 14:42:12 +02:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleWithPath ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_http01_web_path.toml" ,
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2018-03-06 14:50:03 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleStaticCertificatesWithWildcard ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls.toml" ,
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : wildcardDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2018-01-15 16:04:05 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnHostRuleDynamicCertificatesWithWildcard ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls_dynamic.toml" ,
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : wildcardDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2018-01-15 16:04:05 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnDemand ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnDemand : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2018-01-17 18:46:03 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnDemandStaticCertificatesWithWildcard ( c * check . C ) {
testCase := acmeTestCase {
2018-06-27 15:08:05 +02:00
traefikConfFilePath : "fixtures/acme/acme_tls.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnDemand : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : wildcardDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2017-06-27 14:42:12 +02:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2018-09-18 01:22:03 -05:00
func ( s * AcmeSuite ) TestHTTP01OnDemandStaticCertificatesWithWildcardMultipleEntrypoints ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls_multiple_entrypoints.toml" ,
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnDemand : true ,
} ,
} ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestHTTP01OnDemandDynamicCertificatesWithWildcard ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls_dynamic.toml" ,
template : templateModel {
Acme : acme . Configuration {
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnDemand : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : wildcardDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2017-05-17 15:22:44 +02:00
2017-06-27 14:42:12 +02:00
s . retrieveAcmeCertificate ( c , testCase )
2017-11-09 12:16:03 +01:00
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestTLSALPN01OnHostRule ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
OnHostRule : true ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2017-11-09 12:16:03 +01:00
s . retrieveAcmeCertificate ( c , testCase )
}
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) TestTLSALPN01OnDemand ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
OnDemand : true ,
} ,
} ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
func ( s * AcmeSuite ) TestTLSALPN01DomainsAtStart ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
Domains : types . Domains { types . Domain {
Main : "traefik.acme.wtf" ,
} } ,
} ,
} ,
expectedCommonName : acmeDomain ,
expectedAlgorithm : x509 . RSA ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
func ( s * AcmeSuite ) TestTLSALPN01DomainsInSANAtStart ( c * check . C ) {
testCase := acmeTestCase {
2018-07-12 19:10:03 +02:00
traefikConfFilePath : "fixtures/acme/acme_base.toml" ,
2018-07-03 12:44:04 +02:00
template : templateModel {
Acme : acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
Domains : types . Domains { types . Domain {
Main : "acme.wtf" ,
SANs : [ ] string { "traefik.acme.wtf" } ,
} } ,
} ,
2018-06-27 15:08:05 +02:00
} ,
2018-07-03 12:44:04 +02:00
expectedCommonName : "acme.wtf" ,
expectedAlgorithm : x509 . RSA ,
2018-06-27 15:08:05 +02:00
}
2017-11-09 12:16:03 +01:00
s . retrieveAcmeCertificate ( c , testCase )
2017-06-19 13:22:41 +02:00
}
2018-07-12 19:10:03 +02:00
func ( s * AcmeSuite ) TestTLSALPN01DomainsWithProvidedWildcardDomainAtStart ( c * check . C ) {
testCase := acmeTestCase {
traefikConfFilePath : "fixtures/acme/acme_tls.toml" ,
template : templateModel {
Acme : acme . Configuration {
TLSChallenge : & acme . TLSChallenge { } ,
Domains : types . Domains { types . Domain {
2018-09-18 01:22:03 -05:00
Main : acmeDomain ,
2018-07-12 19:10:03 +02:00
} } ,
} ,
} ,
2018-09-18 01:22:03 -05:00
expectedCommonName : wildcardDomain ,
2018-07-12 19:10:03 +02:00
expectedAlgorithm : x509 . RSA ,
}
s . retrieveAcmeCertificate ( c , testCase )
}
2018-02-05 18:20:04 +01:00
// Test Let's encrypt down
func ( s * AcmeSuite ) TestNoValidLetsEncryptServer ( c * check . C ) {
2018-07-12 19:10:03 +02:00
file := s . adaptFile ( c , "fixtures/acme/acme_base.toml" , templateModel {
2018-07-03 12:44:04 +02:00
Acme : acme . Configuration {
CAServer : "http://wrongurl:4001/directory" ,
HTTPChallenge : & acme . HTTPChallenge { EntryPoint : "http" } ,
OnHostRule : true ,
} ,
2018-06-27 15:08:05 +02:00
} )
defer os . Remove ( file )
cmd , display := s . traefikCmd ( withConfigFile ( file ) )
2018-02-05 18:20:04 +01:00
defer display ( c )
err := cmd . Start ( )
c . Assert ( err , checker . IsNil )
defer cmd . Process . Kill ( )
// Expected traefik works
err = try . GetRequest ( "http://127.0.0.1:8080/api/providers" , 10 * time . Second , try . StatusCodeIs ( http . StatusOK ) )
c . Assert ( err , checker . IsNil )
}
2017-06-19 13:22:41 +02:00
// Doing an HTTPS request and test the response certificate
2018-07-03 12:44:04 +02:00
func ( s * AcmeSuite ) retrieveAcmeCertificate ( c * check . C , testCase acmeTestCase ) {
if len ( testCase . template . PortHTTP ) == 0 {
testCase . template . PortHTTP = ":5002"
}
if len ( testCase . template . PortHTTPS ) == 0 {
testCase . template . PortHTTPS = ":5001"
}
if len ( testCase . template . Acme . CAServer ) == 0 {
testCase . template . Acme . CAServer = s . getAcmeURL ( )
}
file := s . adaptFile ( c , testCase . traefikConfFilePath , testCase . template )
2017-09-13 10:34:04 +02:00
defer os . Remove ( file )
2017-06-27 14:42:12 +02:00
2017-09-13 10:34:04 +02:00
cmd , display := s . traefikCmd ( withConfigFile ( file ) )
defer display ( c )
2016-12-12 18:30:31 +01:00
err := cmd . Start ( )
c . Assert ( err , checker . IsNil )
defer cmd . Process . Kill ( )
2018-04-10 10:52:04 +02:00
// A real file is needed to have the right mode on acme.json file
defer os . Remove ( "/tmp/acme.json" )
2016-12-12 18:30:31 +01:00
2017-05-17 15:22:44 +02:00
backend := startTestServer ( "9010" , http . StatusOK )
2016-12-12 18:30:31 +01:00
defer backend . Close ( )
2018-06-27 15:08:05 +02:00
client := & http . Client {
Transport : & http . Transport {
TLSClientConfig : & tls . Config { InsecureSkipVerify : true } ,
} ,
2016-12-12 18:30:31 +01:00
}
// wait for traefik (generating acme account take some seconds)
2017-05-17 15:22:44 +02:00
err = try . Do ( 90 * time . Second , func ( ) error {
2017-12-04 20:04:08 +01:00
_ , errGet := client . Get ( "https://127.0.0.1:5001" )
return errGet
2016-12-12 18:30:31 +01:00
} )
c . Assert ( err , checker . IsNil )
2018-06-27 15:08:05 +02:00
client = & http . Client {
Transport : & http . Transport {
TLSClientConfig : & tls . Config {
InsecureSkipVerify : true ,
ServerName : acmeDomain ,
} ,
2016-12-12 18:30:31 +01:00
} ,
}
2017-06-27 14:42:12 +02:00
req := testhelpers . MustNewRequest ( http . MethodGet , "https://127.0.0.1:5001/" , nil )
2017-06-19 13:22:41 +02:00
req . Host = acmeDomain
req . Header . Set ( "Host" , acmeDomain )
2016-12-12 18:30:31 +01:00
req . Header . Set ( "Accept" , "*/*" )
2017-06-19 13:22:41 +02:00
var resp * http . Response
2017-06-27 14:42:12 +02:00
2017-06-19 13:22:41 +02:00
// Retry to send a Request which uses the LE generated certificate
2017-06-27 14:42:12 +02:00
err = try . Do ( 60 * time . Second , func ( ) error {
2017-06-19 13:22:41 +02:00
resp , err = client . Do ( req )
2017-06-27 14:42:12 +02:00
2017-06-19 13:22:41 +02:00
// /!\ If connection is not closed, SSLHandshake will only be done during the first trial /!\
req . Close = true
2017-06-27 14:42:12 +02:00
2017-06-19 13:22:41 +02:00
if err != nil {
return err
}
2017-06-27 14:42:12 +02:00
cn := resp . TLS . PeerCertificates [ 0 ] . Subject . CommonName
2018-07-03 12:44:04 +02:00
if cn != testCase . expectedCommonName {
return fmt . Errorf ( "domain %s found instead of %s" , cn , testCase . expectedCommonName )
2017-06-27 14:42:12 +02:00
}
2017-06-19 13:22:41 +02:00
return nil
} )
2017-06-27 14:42:12 +02:00
2016-12-12 18:30:31 +01:00
c . Assert ( err , checker . IsNil )
2017-05-17 15:22:44 +02:00
c . Assert ( resp . StatusCode , checker . Equals , http . StatusOK )
2017-06-19 13:22:41 +02:00
// Check Domain into response certificate
2018-07-03 12:44:04 +02:00
c . Assert ( resp . TLS . PeerCertificates [ 0 ] . Subject . CommonName , checker . Equals , testCase . expectedCommonName )
2018-06-27 15:08:05 +02:00
c . Assert ( resp . TLS . PeerCertificates [ 0 ] . PublicKeyAlgorithm , checker . Equals , testCase . expectedAlgorithm )
2016-12-12 18:30:31 +01:00
}