kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/lib/gitlab/auth.rb

256 lines
8.3 KiB
Ruby
Raw Normal View History

Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
module Gitlab
Refactor Gitlab::Auth rate limiting
2016-06-03 11:07:40 -04:00
module Auth
Consistently use PersonalAccessToken instead of PersonalToken
2017-10-12 05:27:16 -04:00
MissingPersonalAccessTokenError = Class.new(StandardError)
Better authentication handling, syntax fixes and better actor handling for LFS Tokens
2016-09-06 17:32:39 -04:00
Clean up read_registry scope changes Closes #37789
2017-09-15 11:43:49 -04:00
REGISTRY_SCOPES = [:read_registry].freeze
Create read_registry scope with JWT auth This is the first commit doing mainly 3 things: 1. create a new scope and allow users to use it 2. Have the JWTController respond correctly on this 3. Updates documentation to suggest usage of PATs There is one gotcha, there will be no support for impersonation tokens, as this seems not needed. Fixes gitlab-org/gitlab-ce#19219
2017-05-31 09:55:12 -04:00
Only use API scopes for personal access tokens
2017-01-31 05:21:29 -05:00
# Scopes used for GitLab API access
Add sudo API scope
2017-10-12 08:38:39 -04:00
API_SCOPES = [:api, :read_user, :sudo].freeze
Only use API scopes for personal access tokens
2017-01-31 05:21:29 -05:00
Require explicit scopes on personal access tokens Gitlab::Auth and API::APIGuard already check for at least one valid scope on personal access tokens, so if the scopes are empty the token will always fail validation.
2017-02-06 10:39:35 -05:00
# Scopes used for OpenID Connect
Only use API scopes for personal access tokens
2017-01-31 05:21:29 -05:00
OPENID_SCOPES = [:openid].freeze
Require explicit scopes on personal access tokens Gitlab::Auth and API::APIGuard already check for at least one valid scope on personal access tokens, so if the scopes are empty the token will always fail validation.
2017-02-06 10:39:35 -05:00
# Default scopes for OAuth applications that don't define their own
Enable Style/MutableConstant
2017-02-21 18:32:18 -05:00
DEFAULT_SCOPES = [:api].freeze
Require explicit scopes on personal access tokens Gitlab::Auth and API::APIGuard already check for at least one valid scope on personal access tokens, so if the scopes are empty the token will always fail validation.
2017-02-06 10:39:35 -05:00
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
class << self
`current_application_settings` belongs on `Gitlab::CurrentSettings` The initializers including this were doing so at the top level, so every object loaded after them had a `current_application_settings` method. However, if someone had rack-attack enabled (which was loaded before these initializers), it would try to load the API, and fail, because `Gitlab::CurrentSettings` didn't have that method. To fix this: 1. Don't include `Gitlab::CurrentSettings` at the top level. We do not need `Object.new.current_application_settings` to work. 2. Make `Gitlab::CurrentSettings` explicitly `extend self`, as we already use it like that in several places. 3. Change the initializers to use that new form.
2017-08-31 05:47:03 -04:00
include Gitlab::CurrentSettings
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
def find_for_git_client(login, password, project:, ip:)
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
raise "Must provide an IP for rate limiting" if ip.nil?
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
# `user_with_password_for_git` should be the last check
# because it's the most expensive, especially when LDAP
# is enabled.
Refactored authentication code to make it a bit clearer, added test for wrong SSH key.
2016-09-15 12:54:24 -04:00
result =
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb
2016-09-15 15:16:38 -04:00
service_request_check(login, password, project) ||
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 11:28:24 -04:00
build_access_token_check(login, password) ||
Fix Error 500 when pushing LFS objects with a write deploy key
2017-11-08 11:21:39 -05:00
lfs_token_check(login, password, project) ||
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
oauth_access_token_check(login, password) ||
add impersonation token
2016-12-28 11:19:08 -05:00
personal_access_token_check(password) ||
Create read_registry scope with JWT auth This is the first commit doing mainly 3 things: 1. create a new scope and allow users to use it 2. Have the JWTController respond correctly on this 3. Updates documentation to suggest usage of PATs There is one gotcha, there will be no support for impersonation tokens, as this seems not needed. Fixes gitlab-org/gitlab-ce#19219
2017-05-31 09:55:12 -04:00
user_with_password_for_git(login, password) ||
Properly support Gitlab::Auth::Result
2016-09-19 07:50:28 -04:00
Gitlab::Auth::Result.new
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb
2016-09-15 15:16:38 -04:00
rate_limit!(ip, success: result.success?, login: login)
Remove unecessary calls to limit_user!, UniqueIps Middleware, and address MR review - cleanup formating in haml - clarify time window is in seconds - cleanup straneous chunks in db/schema - rename count_uniqe_ips to update_and_return_ips_count - other
2017-02-20 09:09:05 -05:00
Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
Refactored authentication code to make it a bit clearer, added test for wrong SSH key.
2016-09-15 12:54:24 -04:00
Allow password authentication to be disabled entirely
2017-11-23 08:16:14 -05:00
return result if result.success? || authenticate_using_internal_or_ldap_password?
Instruct user to use a personal access token for Git over HTTP If internal auth is disabled and LDAP is not configured on the instance, present the user with a message to create a personal access token if his Git over HTTP auth attempt fails.
2017-06-07 15:49:45 -04:00
# If sign-in is disabled and LDAP is not configured, recommend a
# personal access token on failed auth attempts
Consistently use PersonalAccessToken instead of PersonalToken
2017-10-12 05:27:16 -04:00
raise Gitlab::Auth::MissingPersonalAccessTokenError
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
Improve Gitlab::Auth method names Auth.find was a very generic name for a very specific method. Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 08:51:16 -04:00
def find_with_user_password(login, password)
Avoid resource intensive login checks if password is not provided Fixes #32598
2017-05-19 04:38:31 -04:00
# Avoid resource intensive login checks if password is not provided
return unless password.present?
Allow password authentication to be disabled entirely
2017-11-23 08:16:14 -05:00
# Nothing to do here if internal auth is disabled and LDAP is
# not configured
return unless authenticate_using_internal_or_ldap_password?
Allow limiting logging in users from too many different IPs.
2017-02-06 07:48:46 -05:00
Gitlab::Auth::UniqueIpsLimiter.limit_user! do
user = User.by_login(login)
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
Allow limiting logging in users from too many different IPs.
2017-02-06 07:48:46 -05:00
# If no user is found, or it's an LDAP server, try LDAP.
# LDAP users are only authenticated via LDAP
if user.nil? || user.ldap_user?
# Second chance - try LDAP authentication
Gitlab::LDAP::Authentication.login(login, password)
Allow password authentication to be disabled entirely
2017-11-23 08:16:14 -05:00
elsif current_application_settings.password_authentication_enabled_for_git?
Don't allow blocked users to authenticate through other means Gitlab::Auth.find_with_user_password is currently used in these places: - resource_owner_from_credentials in config/initializers/doorkeeper.rb, which is used for the OAuth Resource Owner Password Credentials flow - the /session API call in lib/api/session.rb, which is used to reveal the user's current authentication_token In both cases users should only be authenticated if they're in the active state.
2017-01-18 05:23:25 -05:00
user if user.active? && user.valid_password?(password)
Allow limiting logging in users from too many different IPs.
2017-02-06 07:48:46 -05:00
end
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
end
Fix tests
2016-06-06 11:40:26 -04:00
def rate_limit!(ip, success:, login:)
rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
return unless rate_limiter.enabled?
if success
# Repeated login 'failures' are normal behavior for some Git clients so
# it is important to reset the ban counter once the client has proven
# they are not a 'bad guy'.
rate_limiter.reset!
else
# Register a login failure so that Rack::Attack can block the next
# request from this IP if needed.
rate_limiter.register_fail!
if rate_limiter.banned?
Rails.logger.info "IP #{ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth"
end
end
end
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
private
Allow password authentication to be disabled entirely
2017-11-23 08:16:14 -05:00
def authenticate_using_internal_or_ldap_password?
current_application_settings.password_authentication_enabled_for_git? || Gitlab::LDAP::Config.enabled?
end
Merge remote-tracking branch 'origin/lfs-support-for-ssh' into per-build-token # Conflicts: # app/controllers/projects/git_http_client_controller.rb # app/helpers/lfs_helper.rb # lib/gitlab/auth.rb # spec/requests/lfs_http_spec.rb
2016-09-15 15:16:38 -04:00
def service_request_check(login, password, project)
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 11:28:24 -04:00
return unless project && matched_login.present?
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
underscored_service = matched_login['service'].underscore
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
2016-08-08 06:01:25 -04:00
if Service.available_services_names.include?(underscored_service)
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
# We treat underscored_service as a trusted input because it is included
# in the Service.available_services_names whitelist.
Whitelist or fix additional `Gitlab/PublicSend` cop violations An upcoming update to rubocop-gitlab-security added additional violations.
2017-08-10 12:39:26 -04:00
service = project.public_send("#{underscored_service}_service") # rubocop:disable GitlabSecurity/PublicSend
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 11:28:24 -04:00
if service && service.activated? && service.valid_token?(password)
Properly support Gitlab::Auth::Result
2016-09-19 07:50:28 -04:00
Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities)
Refactor `find_for_git_client` and its related methods.
2016-08-17 18:59:25 -04:00
end
end
end
def user_with_password_for_git(login, password)
user = find_with_user_password(login, password)
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 11:28:24 -04:00
return unless user
Consistently use PersonalAccessToken instead of PersonalToken
2017-10-12 05:27:16 -04:00
raise Gitlab::Auth::MissingPersonalAccessTokenError if user.two_factor_enabled?
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 11:28:24 -04:00
Fix test failures
2017-06-06 07:18:01 -04:00
Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
Refactor `find_for_git_client` and its related methods.
2016-08-17 18:59:25 -04:00
end
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
def oauth_access_token_check(login, password)
if login == "oauth2" && password.present?
token = Doorkeeper::AccessToken.by_token(password)
Create read_registry scope with JWT auth This is the first commit doing mainly 3 things: 1. create a new scope and allow users to use it 2. Have the JWTController respond correctly on this 3. Updates documentation to suggest usage of PATs There is one gotcha, there will be no support for impersonation tokens, as this seems not needed. Fixes gitlab-org/gitlab-ce#19219
2017-05-31 09:55:12 -04:00
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens.
2016-11-24 04:09:12 -05:00
if valid_oauth_token?(token)
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 18:21:18 -04:00
user = User.find_by(id: token.resource_owner_id)
Fix test failures
2017-06-06 07:18:01 -04:00
Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 18:21:18 -04:00
end
Make CI/Oauth/rate limiting reusable
2016-04-29 12:58:55 -04:00
end
end
Allow Git over HTTP access using Personal Access Tokens
2016-08-10 20:03:32 -04:00
add impersonation token
2016-12-28 11:19:08 -05:00
def personal_access_token_check(password)
return unless password.present?
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
apply codestyle and implementation changes to the respective feature code
2017-03-01 11:59:03 -05:00
token = PersonalAccessTokensFinder.new(state: 'active').find_by(token: password)
add impersonation token
2016-12-28 11:19:08 -05:00
Clean up read_registry scope changes Closes #37789
2017-09-15 11:43:49 -04:00
if token && valid_scoped_token?(token, available_scopes)
Fix pulling and pushing using a personal access token with the sudo scope
2017-11-23 06:41:29 -05:00
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 18:21:18 -04:00
end
end
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related.
2016-08-25 18:26:20 -04:00
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens.
2016-11-24 04:09:12 -05:00
def valid_oauth_token?(token)
Extract a `Gitlab::Scope` class. - To represent an authorization scope, such as `api` or `read_user` - This is a better abstraction than the hash we were previously using.
2017-06-28 03:12:23 -04:00
token && token.accessible? && valid_scoped_token?(token, [:api])
Refactor access token validation in `Gitlab::Auth` - Based on @dbalexandre's review - Extract token validity conditions into two separate methods, for personal access tokens and OAuth tokens.
2016-11-24 04:09:12 -05:00
end
Fix test failures
2017-06-06 07:18:01 -04:00
def valid_scoped_token?(token, scopes)
Create read_registry scope with JWT auth This is the first commit doing mainly 3 things: 1. create a new scope and allow users to use it 2. Have the JWTController respond correctly on this 3. Updates documentation to suggest usage of PATs There is one gotcha, there will be no support for impersonation tokens, as this seems not needed. Fixes gitlab-org/gitlab-ce#19219
2017-05-31 09:55:12 -04:00
AccessTokenValidationService.new(token).include_any_scope?(scopes)
end
Fix pulling and pushing using a personal access token with the sudo scope
2017-11-23 06:41:29 -05:00
def abilities_for_scopes(scopes)
abilities_by_scope = {
api: full_authentication_abilities,
read_registry: [:read_container_image]
}
scopes.flat_map do |scope|
abilities_by_scope.fetch(scope.to_sym, [])
end.uniq
Validate access token scopes in `Gitlab::Auth` - This module is used for git-over-http, as well as JWT. - The only valid scope here is `api`, currently.
2016-11-22 04:13:37 -05:00
end
Fix Error 500 when pushing LFS objects with a write deploy key
2017-11-08 11:21:39 -05:00
def lfs_token_check(login, password, project)
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
deploy_key_matches = login.match(/\Alfs\+deploy-key-(\d+)\z/)
actor =
if deploy_key_matches
DeployKey.find(deploy_key_matches[1])
else
User.by_login(login)
end
Use early return in lfs_token_check
2016-09-20 03:41:21 -04:00
return unless actor
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
Use early return in lfs_token_check
2016-09-20 03:41:21 -04:00
token_handler = Gitlab::LfsToken.new(actor)
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
Use early return in lfs_token_check
2016-09-20 03:41:21 -04:00
authentication_abilities =
if token_handler.user?
Fix test failures
2017-06-06 07:18:01 -04:00
full_authentication_abilities
Fix Error 500 when pushing LFS objects with a write deploy key
2017-11-08 11:21:39 -05:00
elsif token_handler.deploy_key_pushable?(project)
read_write_authentication_abilities
Use early return in lfs_token_check
2016-09-20 03:41:21 -04:00
else
Fix test failures
2017-06-06 07:18:01 -04:00
read_authentication_abilities
Use early return in lfs_token_check
2016-09-20 03:41:21 -04:00
end
Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
2017-01-24 12:12:49 -05:00
if Devise.secure_compare(token_handler.token, password)
Gitlab::Auth::Result.new(actor, nil, token_handler.type, authentication_abilities)
end
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c.
2016-09-19 10:34:32 -04:00
end
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
2016-08-08 06:01:25 -04:00
def build_access_token_check(login, password)
return unless login == 'gitlab-ci-token'
return unless password
Fix existing authorization specs
2016-09-15 07:49:11 -04:00
build = ::Ci::Build.running.find_by_token(password)
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
2016-08-08 06:01:25 -04:00
return unless build
Fix most of specs
2016-09-15 09:40:53 -04:00
return unless build.project.builds_enabled?
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
2016-08-08 06:01:25 -04:00
if build.user
# If user is assigned to build, use restricted credentials of user
Properly support Gitlab::Auth::Result
2016-09-19 07:50:28 -04:00
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
2016-08-08 06:01:25 -04:00
else
# Otherwise use generic CI credentials (backward compatibility)
Properly support Gitlab::Auth::Result
2016-09-19 07:50:28 -04:00
Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities)
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes.
2016-08-17 18:21:18 -04:00
end
end
Make result to return project and capabilities granted
2016-09-13 09:27:05 -04:00
Simplify checking of allowed abilities in git_http_client_controller
2016-09-16 07:34:05 -04:00
public
Rename capabilities to authentication_abilities
2016-09-16 03:59:10 -04:00
def build_authentication_abilities
Make result to return project and capabilities granted
2016-09-13 09:27:05 -04:00
[
:read_project,
Use `build_read_container_image` and use `build_download_code`
2016-09-15 04:34:53 -04:00
:build_download_code,
:build_read_container_image,
:build_create_container_image
Make result to return project and capabilities granted
2016-09-13 09:27:05 -04:00
]
end
Fix test failures
2017-06-06 07:18:01 -04:00
def read_authentication_abilities
Use `build_read_container_image` and use `build_download_code`
2016-09-15 04:34:53 -04:00
[
:read_project,
Make result to return project and capabilities granted
2016-09-13 09:27:05 -04:00
:download_code,
Refactor Gitlab::Auth to simplify the data flow
2016-09-14 11:28:24 -04:00
:read_container_image
]
end
Fix Error 500 when pushing LFS objects with a write deploy key
2017-11-08 11:21:39 -05:00
def read_write_authentication_abilities
Fix test failures
2017-06-06 07:18:01 -04:00
read_authentication_abilities + [
Make result to return project and capabilities granted
2016-09-13 09:27:05 -04:00
:push_code,
Fix Error 500 when pushing LFS objects with a write deploy key
2017-11-08 11:21:39 -05:00
:create_container_image
]
end
def full_authentication_abilities
read_write_authentication_abilities + [
Cleanup tests and add admin_container_image to full_authentication_abilities. This is fine because we're going to check with can?(..) anyway
2017-08-02 05:27:21 -04:00
:admin_container_image
Make result to return project and capabilities granted
2016-09-13 09:27:05 -04:00
]
end
Clean up read_registry scope changes Closes #37789
2017-09-15 11:43:49 -04:00
Add sudo API scope
2017-10-12 08:38:39 -04:00
def available_scopes(current_user = nil)
scopes = API_SCOPES + registry_scopes
scopes.delete(:sudo) if current_user && !current_user.admin?
scopes
Clean up read_registry scope changes Closes #37789
2017-09-15 11:43:49 -04:00
end
# Other available scopes
def optional_scopes
available_scopes + OPENID_SCOPES - DEFAULT_SCOPES
end
def registry_scopes
return [] unless Gitlab.config.registry.enabled
REGISTRY_SCOPES
end
Add LDAP support to /api/session
2013-07-16 04:28:19 -04:00
end
Refactorn oauth & ldap
2012-09-12 02:23:16 -04:00
end
end
Copy permalink