Hugging Face's logo

Darochin
/
openskynet

English
Spanish
agent
autonomy
research
typescript
nodejs
llm
Model card Files
xet
 Community
openskynet / src /security /windows-acl.test.ts
Darochin's picture
Darochin
Mirror OpenSkyNet workspace snapshot from Git HEAD
fc93158 verified
raw
history blame contribute delete
23.3 kB
import { describe, expect, it, vi } from "vitest";
import type { WindowsAclEntry, WindowsAclSummary } from "./windows-acl.js";
const MOCK_USERNAME = "MockUser";
vi.mock("node:os", () => ({
 default: { userInfo: () => ({ username: MOCK_USERNAME }) },
 userInfo: () => ({ username: MOCK_USERNAME }),
}));
const {
 createIcaclsResetCommand,
 formatIcaclsResetCommand,
 formatWindowsAclSummary,
 inspectWindowsAcl,
 parseIcaclsOutput,
 resolveWindowsUserPrincipal,
 summarizeWindowsAcl,
} = await import("./windows-acl.js");
function aclEntry(params: {
 principal: string;
 rights?: string[];
 rawRights?: string;
 canRead?: boolean;
 canWrite?: boolean;
}): WindowsAclEntry {
 return {
 principal: params.principal,
 rights: params.rights ?? ["F"],
 rawRights: params.rawRights ?? "(F)",
 canRead: params.canRead ?? true,
 canWrite: params.canWrite ?? true,
 };
}
function expectSinglePrincipal(entries: WindowsAclEntry[], principal: string): void {
 expect(entries).toHaveLength(1);
 expect(entries[0].principal).toBe(principal);
}
function expectTrustedOnly(
 entries: WindowsAclEntry[],
 options?: { env?: NodeJS.ProcessEnv; expectedTrusted?: number },
): void {
 const summary = summarizeWindowsAcl(entries, options?.env);
 expect(summary.trusted).toHaveLength(options?.expectedTrusted ?? 1);
 expect(summary.untrustedWorld).toHaveLength(0);
 expect(summary.untrustedGroup).toHaveLength(0);
}
function expectInspectSuccess(
 result: Awaited<ReturnType<typeof inspectWindowsAcl>>,
 expectedEntries: number,
): void {
 expect(result.ok).toBe(true);
 expect(result.entries).toHaveLength(expectedEntries);
}
describe("windows-acl", () => {
 describe("resolveWindowsUserPrincipal", () => {
 it("returns DOMAIN\\USERNAME when both are present", () => {
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 expect(resolveWindowsUserPrincipal(env)).toBe("WORKGROUP\\TestUser");
 });
it("returns just USERNAME when USERDOMAIN is not present", () => {
 const env = { USERNAME: "TestUser" };
 expect(resolveWindowsUserPrincipal(env)).toBe("TestUser");
 });
it("trims whitespace from values", () => {
 const env = { USERNAME: " TestUser ", USERDOMAIN: " WORKGROUP " };
 expect(resolveWindowsUserPrincipal(env)).toBe("WORKGROUP\\TestUser");
 });
it("falls back to os.userInfo when USERNAME is empty", () => {
 // When USERNAME env is empty, falls back to os.userInfo().username
 const env = { USERNAME: "", USERDOMAIN: "WORKGROUP" };
 const result = resolveWindowsUserPrincipal(env);
 // Should return a username (from os.userInfo fallback) with WORKGROUP domain
 expect(result).toBe(`WORKGROUP\\${MOCK_USERNAME}`);
 });
 });
describe("parseIcaclsOutput", () => {
 it("parses standard icacls output", () => {
 const output = `C:\\test\\file.txt BUILTIN\\Administrators:(F)
 NT AUTHORITY\\SYSTEM:(F)
 WORKGROUP\\TestUser:(R)
Successfully processed 1 files`;
 const entries = parseIcaclsOutput(output, "C:\\test\\file.txt");
 expect(entries).toHaveLength(3);
 expect(entries[0]).toEqual({
 principal: "BUILTIN\\Administrators",
 rights: ["F"],
 rawRights: "(F)",
 canRead: true,
 canWrite: true,
 });
 });
it("parses entries with inheritance flags", () => {
 const output = `C:\\test\\dir BUILTIN\\Users:(OI)(CI)(R)`;
 const entries = parseIcaclsOutput(output, "C:\\test\\dir");
 expect(entries).toHaveLength(1);
 expect(entries[0].rights).toEqual(["R"]);
 expect(entries[0].canRead).toBe(true);
 expect(entries[0].canWrite).toBe(false);
 });
it("filters out DENY entries", () => {
 const output = `C:\\test\\file.txt BUILTIN\\Users:(DENY)(W)
 BUILTIN\\Administrators:(F)`;
 const entries = parseIcaclsOutput(output, "C:\\test\\file.txt");
 expectSinglePrincipal(entries, "BUILTIN\\Administrators");
 });
it("skips status messages", () => {
 const output = `Successfully processed 1 files
 Processed file: C:\\test\\file.txt
 Failed processing 0 files
 No mapping between account names`;
 const entries = parseIcaclsOutput(output, "C:\\test\\file.txt");
 expect(entries).toHaveLength(0);
 });
it("skips localized (non-English) status lines that have no parenthesised token", () => {
 const output =
 "C:\\Users\\karte\\.openclaw NT AUTHORITY\\\u0421\u0418\u0421\u0422\u0415\u041c\u0410:(OI)(CI)(F)\n" +
 "\u0423\u0441\u043f\u0435\u0448\u043d\u043e \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0430\u043d\u043e 1 \u0444\u0430\u0439\u043b\u043e\u0432; " +
 "\u043d\u0435 \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c 0 \u0444\u0430\u0439\u043b\u043e\u0432";
 const entries = parseIcaclsOutput(output, "C:\\Users\\karte\\.openclaw");
 expect(entries).toHaveLength(1);
 expect(entries[0].principal).toBe("NT AUTHORITY\\\u0421\u0418\u0421\u0422\u0415\u041c\u0410");
 });
it("parses SID-format principals", () => {
 const output =
 "C:\\test\\file.txt S-1-5-18:(F)\n" +
 " S-1-5-21-1824257776-4070701511-781240313-1001:(F)";
 const entries = parseIcaclsOutput(output, "C:\\test\\file.txt");
 expect(entries).toHaveLength(2);
 expect(entries[0].principal).toBe("S-1-5-18");
 expect(entries[1].principal).toBe("S-1-5-21-1824257776-4070701511-781240313-1001");
 });
it("ignores malformed ACL lines that contain ':' but no rights tokens", () => {
 const output = `C:\\test\\file.txt random:message
 C:\\test\\file.txt BUILTIN\\Administrators:(F)`;
 const entries = parseIcaclsOutput(output, "C:\\test\\file.txt");
 expectSinglePrincipal(entries, "BUILTIN\\Administrators");
 });
it("handles quoted target paths", () => {
 const output = `"C:\\path with spaces\\file.txt" BUILTIN\\Administrators:(F)`;
 const entries = parseIcaclsOutput(output, "C:\\path with spaces\\file.txt");
 expect(entries).toHaveLength(1);
 });
it("detects write permissions correctly", () => {
 // F = Full control (read + write)
 // M = Modify (read + write)
 // W = Write
 // D = Delete (considered write)
 // R = Read only
 const testCases = [
 { rights: "(F)", canWrite: true, canRead: true },
 { rights: "(M)", canWrite: true, canRead: true },
 { rights: "(W)", canWrite: true, canRead: false },
 { rights: "(D)", canWrite: true, canRead: false },
 { rights: "(R)", canWrite: false, canRead: true },
 { rights: "(RX)", canWrite: false, canRead: true },
 ];
for (const tc of testCases) {
 const output = `C:\\test\\file.txt BUILTIN\\Users:${tc.rights}`;
 const entries = parseIcaclsOutput(output, "C:\\test\\file.txt");
 expect(entries[0].canWrite).toBe(tc.canWrite);
 expect(entries[0].canRead).toBe(tc.canRead);
 }
 });
 });
describe("summarizeWindowsAcl", () => {
 it("classifies trusted principals", () => {
 const entries: WindowsAclEntry[] = [
 aclEntry({ principal: "NT AUTHORITY\\SYSTEM" }),
 aclEntry({ principal: "BUILTIN\\Administrators" }),
 ];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.trusted).toHaveLength(2);
 expect(summary.untrustedWorld).toHaveLength(0);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("classifies world principals", () => {
 const entries: WindowsAclEntry[] = [
 aclEntry({
 principal: "Everyone",
 rights: ["R"],
 rawRights: "(R)",
 canWrite: false,
 }),
 aclEntry({
 principal: "BUILTIN\\Users",
 rights: ["R"],
 rawRights: "(R)",
 canWrite: false,
 }),
 ];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.trusted).toHaveLength(0);
 expect(summary.untrustedWorld).toHaveLength(2);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("classifies current user as trusted", () => {
 const entries: WindowsAclEntry[] = [aclEntry({ principal: "WORKGROUP\\TestUser" })];
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 const summary = summarizeWindowsAcl(entries, env);
 expect(summary.trusted).toHaveLength(1);
 });
it("classifies unknown principals as group", () => {
 const entries: WindowsAclEntry[] = [
 {
 principal: "DOMAIN\\SomeOtherUser",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ];
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 const summary = summarizeWindowsAcl(entries, env);
 expect(summary.untrustedGroup).toHaveLength(1);
 });
 });
describe("summarizeWindowsAcl — SID-based classification", () => {
 it("classifies SYSTEM SID (S-1-5-18) as trusted", () => {
 expectTrustedOnly([aclEntry({ principal: "S-1-5-18" })]);
 });
it("classifies *S-1-5-18 (icacls /sid prefix form of SYSTEM) as trusted (refs #35834)", () => {
 // icacls /sid output prefixes SIDs with *, e.g. *S-1-5-18 instead of
 // S-1-5-18. Without this fix the asterisk caused SID_RE to not match
 // and the SYSTEM entry was misclassified as "group" (untrusted).
 expectTrustedOnly([aclEntry({ principal: "*S-1-5-18" })]);
 });
it("classifies *S-1-5-32-544 (icacls /sid Administrators) as trusted", () => {
 const entries: WindowsAclEntry[] = [aclEntry({ principal: "*S-1-5-32-544" })];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.trusted).toHaveLength(1);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("classifies BUILTIN\\Administrators SID (S-1-5-32-544) as trusted", () => {
 const entries: WindowsAclEntry[] = [aclEntry({ principal: "S-1-5-32-544" })];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.trusted).toHaveLength(1);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("classifies caller SID from USERSID env var as trusted", () => {
 const callerSid = "S-1-5-21-1824257776-4070701511-781240313-1001";
 expectTrustedOnly([aclEntry({ principal: callerSid })], {
 env: { USERSID: callerSid },
 });
 });
it("matches SIDs case-insensitively and trims USERSID", () => {
 expectTrustedOnly(
 [aclEntry({ principal: "s-1-5-21-1824257776-4070701511-781240313-1001" })],
 { env: { USERSID: " S-1-5-21-1824257776-4070701511-781240313-1001 " } },
 );
 });
it("does not trust *-prefixed Everyone via USERSID", () => {
 const entries: WindowsAclEntry[] = [
 {
 principal: "*S-1-1-0",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ];
 const summary = summarizeWindowsAcl(entries, { USERSID: "*S-1-1-0" });
 expect(summary.untrustedWorld).toHaveLength(1);
 expect(summary.trusted).toHaveLength(0);
 });
it("classifies unknown SID as group (not world)", () => {
 const entries: WindowsAclEntry[] = [
 {
 principal: "S-1-5-21-9999-9999-9999-500",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.untrustedGroup).toHaveLength(1);
 expect(summary.untrustedWorld).toHaveLength(0);
 expect(summary.trusted).toHaveLength(0);
 });
it("classifies Everyone SID (S-1-1-0) as world, not group", () => {
 // When icacls is run with /sid, "Everyone" becomes *S-1-1-0.
 // It must be classified as "world" to preserve security-audit severity.
 const entries: WindowsAclEntry[] = [
 {
 principal: "*S-1-1-0",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.untrustedWorld).toHaveLength(1);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("classifies Authenticated Users SID (S-1-5-11) as world, not group", () => {
 const entries: WindowsAclEntry[] = [
 {
 principal: "*S-1-5-11",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.untrustedWorld).toHaveLength(1);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("classifies BUILTIN\\Users SID (S-1-5-32-545) as world, not group", () => {
 const entries: WindowsAclEntry[] = [
 {
 principal: "*S-1-5-32-545",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ];
 const summary = summarizeWindowsAcl(entries);
 expect(summary.untrustedWorld).toHaveLength(1);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
it("full scenario: SYSTEM SID + owner SID only → no findings", () => {
 const ownerSid = "S-1-5-21-1824257776-4070701511-781240313-1001";
 const entries: WindowsAclEntry[] = [
 {
 principal: "S-1-5-18",
 rights: ["F"],
 rawRights: "(OI)(CI)(F)",
 canRead: true,
 canWrite: true,
 },
 {
 principal: ownerSid,
 rights: ["F"],
 rawRights: "(OI)(CI)(F)",
 canRead: true,
 canWrite: true,
 },
 ];
 const env = { USERSID: ownerSid };
 const summary = summarizeWindowsAcl(entries, env);
 expect(summary.trusted).toHaveLength(2);
 expect(summary.untrustedWorld).toHaveLength(0);
 expect(summary.untrustedGroup).toHaveLength(0);
 });
 });
describe("inspectWindowsAcl", () => {
 it("returns parsed ACL entries on success", async () => {
 const mockExec = vi.fn().mockResolvedValue({
 stdout: `C:\\test\\file.txt BUILTIN\\Administrators:(F)
 NT AUTHORITY\\SYSTEM:(F)`,
 stderr: "",
 });
const result = await inspectWindowsAcl("C:\\test\\file.txt", {
 exec: mockExec,
 });
 expectInspectSuccess(result, 2);
 // /sid is passed so that account names are printed as SIDs, making the
 // audit locale-independent (fixes #35834).
 expect(mockExec).toHaveBeenCalledWith("icacls", ["C:\\test\\file.txt", "/sid"]);
 });
it("classifies *S-1-5-18 (SID form of SYSTEM from /sid) as trusted", async () => {
 // When icacls is called with /sid it outputs *S-X-X-X instead of
 // locale-dependent names like "NT AUTHORITY\\SYSTEM" or the Russian
 // garbled equivalent.
 const mockExec = vi.fn().mockResolvedValue({
 stdout:
 "C:\\test\\file.txt *S-1-5-21-111-222-333-1001:(F)\n *S-1-5-18:(F)\n *S-1-5-32-544:(F)",
 stderr: "",
 });
const result = await inspectWindowsAcl("C:\\test\\file.txt", {
 exec: mockExec,
 env: { USERSID: "S-1-5-21-111-222-333-1001" },
 });
 expectInspectSuccess(result, 3);
 // All three entries (current user, SYSTEM, Administrators) must be trusted.
 expect(result.trusted).toHaveLength(3);
 expect(result.untrustedGroup).toHaveLength(0);
 expect(result.untrustedWorld).toHaveLength(0);
 });
it("resolves current user SID via whoami when USERSID is missing", async () => {
 const mockExec = vi
 .fn()
 .mockResolvedValueOnce({
 stdout:
 "C:\\test\\file.txt *S-1-5-21-111-222-333-1001:(F)\n *S-1-5-18:(F)",
 stderr: "",
 })
 .mockResolvedValueOnce({
 stdout: '"mock-host\\\\MockUser","S-1-5-21-111-222-333-1001"\r\n',
 stderr: "",
 });
const result = await inspectWindowsAcl("C:\\test\\file.txt", {
 exec: mockExec,
 env: { USERNAME: "MockUser", USERDOMAIN: "mock-host" },
 });
expectInspectSuccess(result, 2);
 expect(result.trusted).toHaveLength(2);
 expect(result.untrustedGroup).toHaveLength(0);
 expect(mockExec).toHaveBeenNthCalledWith(1, "icacls", ["C:\\test\\file.txt", "/sid"]);
 expect(mockExec).toHaveBeenNthCalledWith(2, "whoami", ["/user", "/fo", "csv", "/nh"]);
 });
it("returns error state on exec failure", async () => {
 const mockExec = vi.fn().mockRejectedValue(new Error("icacls not found"));
const result = await inspectWindowsAcl("C:\\test\\file.txt", {
 exec: mockExec,
 });
 expect(result.ok).toBe(false);
 expect(result.error).toContain("icacls not found");
 expect(result.entries).toHaveLength(0);
 });
it("combines stdout and stderr for parsing", async () => {
 const mockExec = vi.fn().mockResolvedValue({
 stdout: "C:\\test\\file.txt BUILTIN\\Administrators:(F)",
 stderr: "C:\\test\\file.txt NT AUTHORITY\\SYSTEM:(F)",
 });
const result = await inspectWindowsAcl("C:\\test\\file.txt", {
 exec: mockExec,
 });
 expectInspectSuccess(result, 2);
 });
 });
describe("formatWindowsAclSummary", () => {
 it("returns 'unknown' for failed summary", () => {
 const summary: WindowsAclSummary = {
 ok: false,
 entries: [],
 trusted: [],
 untrustedWorld: [],
 untrustedGroup: [],
 error: "icacls failed",
 };
 expect(formatWindowsAclSummary(summary)).toBe("unknown");
 });
it("returns 'trusted-only' when no untrusted entries", () => {
 const summary: WindowsAclSummary = {
 ok: true,
 entries: [],
 trusted: [
 {
 principal: "BUILTIN\\Administrators",
 rights: ["F"],
 rawRights: "(F)",
 canRead: true,
 canWrite: true,
 },
 ],
 untrustedWorld: [],
 untrustedGroup: [],
 };
 expect(formatWindowsAclSummary(summary)).toBe("trusted-only");
 });
it("formats untrusted entries", () => {
 const summary: WindowsAclSummary = {
 ok: true,
 entries: [],
 trusted: [],
 untrustedWorld: [
 {
 principal: "Everyone",
 rights: ["R"],
 rawRights: "(R)",
 canRead: true,
 canWrite: false,
 },
 ],
 untrustedGroup: [
 {
 principal: "DOMAIN\\OtherUser",
 rights: ["M"],
 rawRights: "(M)",
 canRead: true,
 canWrite: true,
 },
 ],
 };
 const result = formatWindowsAclSummary(summary);
 expect(result).toBe("Everyone:(R), DOMAIN\\OtherUser:(M)");
 });
 });
describe("formatIcaclsResetCommand", () => {
 it("generates command for files", () => {
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 const result = formatIcaclsResetCommand("C:\\test\\file.txt", {
 isDir: false,
 env,
 });
 expect(result).toBe(
 'icacls "C:\\test\\file.txt" /inheritance:r /grant:r "WORKGROUP\\TestUser:F" /grant:r "*S-1-5-18:F"',
 );
 });
it("generates command for directories with inheritance flags", () => {
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 const result = formatIcaclsResetCommand("C:\\test\\dir", {
 isDir: true,
 env,
 });
 expect(result).toContain("(OI)(CI)F");
 });
it("uses system username when env is empty (falls back to os.userInfo)", () => {
 // When env is empty, resolveWindowsUserPrincipal falls back to os.userInfo().username
 const result = formatIcaclsResetCommand("C:\\test\\file.txt", {
 isDir: false,
 env: {},
 });
 // Should contain the actual system username from os.userInfo
 expect(result).toContain(`"${MOCK_USERNAME}:F"`);
 expect(result).not.toContain("%USERNAME%");
 });
 });
describe("createIcaclsResetCommand", () => {
 it("returns structured command object", () => {
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 const result = createIcaclsResetCommand("C:\\test\\file.txt", {
 isDir: false,
 env,
 });
 expect(result).not.toBeNull();
 expect(result?.command).toBe("icacls");
 expect(result?.args).toContain("C:\\test\\file.txt");
 expect(result?.args).toContain("/inheritance:r");
 });
it("returns command with system username when env is empty (falls back to os.userInfo)", () => {
 // When env is empty, resolveWindowsUserPrincipal falls back to os.userInfo().username
 const result = createIcaclsResetCommand("C:\\test\\file.txt", {
 isDir: false,
 env: {},
 });
 // Should return a valid command using the system username
 expect(result).not.toBeNull();
 expect(result?.command).toBe("icacls");
 expect(result?.args).toContain(`${MOCK_USERNAME}:F`);
 });
it("includes display string matching formatIcaclsResetCommand", () => {
 const env = { USERNAME: "TestUser", USERDOMAIN: "WORKGROUP" };
 const result = createIcaclsResetCommand("C:\\test\\file.txt", {
 isDir: false,
 env,
 });
 const expected = formatIcaclsResetCommand("C:\\test\\file.txt", {
 isDir: false,
 env,
 });
 expect(result?.display).toBe(expected);
 });
 });
describe("summarizeWindowsAcl — localized SYSTEM account names", () => {
 it("classifies French SYSTEM (AUTORITE NT\\Système) as trusted", () => {
 expectTrustedOnly([aclEntry({ principal: "AUTORITE NT\\Système" })]);
 });
it("classifies German SYSTEM (NT-AUTORITÄT\\SYSTEM) as trusted", () => {
 expectTrustedOnly([aclEntry({ principal: "NT-AUTORITÄT\\SYSTEM" })]);
 });
it("classifies Spanish SYSTEM (AUTORIDAD NT\\SYSTEM) as trusted", () => {
 expectTrustedOnly([aclEntry({ principal: "AUTORIDAD NT\\SYSTEM" })]);
 });
it("French Windows full scenario: user + Système only → no untrusted", () => {
 const entries: WindowsAclEntry[] = [
 aclEntry({ principal: "MYPC\\Pierre" }),
 aclEntry({ principal: "AUTORITE NT\\Système" }),
 ];
 const env = { USERNAME: "Pierre", USERDOMAIN: "MYPC" };
 const { trusted, untrustedWorld, untrustedGroup } = summarizeWindowsAcl(entries, env);
 expect(trusted).toHaveLength(2);
 expect(untrustedWorld).toHaveLength(0);
 expect(untrustedGroup).toHaveLength(0);
 });
 });
describe("formatIcaclsResetCommand — uses SID for SYSTEM", () => {
 it("uses *S-1-5-18 instead of SYSTEM in reset command", () => {
 const cmd = formatIcaclsResetCommand("C:\\test.json", {
 isDir: false,
 env: { USERNAME: "TestUser", USERDOMAIN: "PC" },
 });
 expect(cmd).toContain("*S-1-5-18:F");
 expect(cmd).not.toContain("SYSTEM:F");
 });
 });
});