From d3514e14df2af95c1c930be2ab037e5a74eeb5ac Mon Sep 17 00:00:00 2001 From: Stephen Yugel Date: Tue, 9 Aug 2022 23:40:03 +0000 Subject: [PATCH] Port most of the OAUTH2 support from Trino to Presto Not a cherry pick directly however the following commits are part of this https://github.com/trinodb/trino/commit/3879f4557b51cb6263ad426096fa05b9d4f2b4a99 https://github.com/trinodb/trino/commit/cd3da24c98c6351f995fabf17c8772e917a9fd26 https://github.com/trinodb/trino/commit/dcb6f0bf8260d631b93c54ab61645a6de5a431f5 https://github.com/trinodb/trino/commit/7cdd133614a65c99208f5845031aa481a0daa77c https://github.com/trinodb/trino/commit/8b8b0bec21307d73b2adc7b36a4c97b84467c733 https://github.com/trinodb/trino/commit/15e53ffd53a571cbcdca90ad3023ef720a919098 Co-authored-by: lukasz-walkiewicz Co-authored-by: Nik Hodgkinson --- .../facebook/presto/server/PrestoServer.java | 9 + .../facebook/presto/server/WebUiResource.java | 35 +- .../server/security/AuthenticationFilter.java | 55 ++- .../DefaultWebUiAuthenticationManager.java | 32 ++ .../server/security/SecurityConfig.java | 3 +- .../server/security/ServerSecurityModule.java | 15 + .../security/WebUiAuthenticationManager.java | 27 ++ .../oauth2/ChallengeFailedException.java | 28 ++ .../server/security/oauth2/ForOAuth2.java | 31 ++ .../security/oauth2/ForRefreshTokens.java | 31 ++ .../security/oauth2/JweTokenSerializer.java | 179 +++++++ .../oauth2/JweTokenSerializerModule.java | 62 +++ .../server/security/oauth2/JwtUtil.java | 46 ++ .../oauth2/NimbusAirliftHttpClient.java | 137 ++++++ .../security/oauth2/NimbusHttpClient.java | 31 ++ .../security/oauth2/NimbusOAuth2Client.java | 439 ++++++++++++++++++ .../server/security/oauth2/NonceCookie.java | 90 ++++ .../OAuth2AuthenticationSupportModule.java | 33 ++ .../security/oauth2/OAuth2Authenticator.java | 146 ++++++ .../oauth2/OAuth2CallbackResource.java | 80 ++++ .../server/security/oauth2/OAuth2Client.java | 95 ++++ .../server/security/oauth2/OAuth2Config.java | 254 ++++++++++ .../security/oauth2/OAuth2ErrorCode.java | 46 ++ .../oauth2/OAuth2ServerConfigProvider.java | 67 +++ .../server/security/oauth2/OAuth2Service.java | 284 +++++++++++ .../security/oauth2/OAuth2ServiceModule.java | 105 +++++ .../security/oauth2/OAuth2TokenExchange.java | 146 ++++++ .../oauth2/OAuth2TokenExchangeResource.java | 141 ++++++ .../security/oauth2/OAuth2TokenHandler.java | 21 + .../server/security/oauth2/OAuth2Utils.java | 79 ++++ .../security/oauth2/OAuthWebUiCookie.java | 61 +++ .../Oauth2WebUiAuthenticationManager.java | 119 +++++ .../server/security/oauth2/OidcDiscovery.java | 159 +++++++ .../security/oauth2/OidcDiscoveryConfig.java | 149 ++++++ .../security/oauth2/RefreshTokensConfig.java | 96 ++++ .../oauth2/StaticConfigurationProvider.java | 44 ++ .../StaticOAuth2ServerConfiguration.java | 105 +++++ .../security/oauth2/TokenPairSerializer.java | 92 ++++ .../security/oauth2/TokenRefresher.java | 68 +++ .../server/security/oauth2/ZstdCodec.java | 53 +++ .../server/testing/TestingPrestoServer.java | 5 + .../src/main/resources/oauth2/failure.html | 60 +++ .../src/main/resources/oauth2/logout.html | 51 ++ .../src/main/resources/oauth2/success.html | 60 +++ .../resources/webapp/dist/embedded_plan.js | 69 +++ .../src/main/resources/webapp/dist/index.js | 61 +++ .../src/main/resources/webapp/dist/plan.js | 69 +++ .../src/main/resources/webapp/dist/query.js | 61 +++ .../src/main/resources/webapp/dist/stage.js | 69 +++ .../src/main/resources/webapp/dist/worker.js | 61 +++ .../presto/server/MockHttpServletRequest.java | 29 +- .../oauth2/TestJweTokenSerializer.java | 171 +++++++ .../security/oauth2/TestOAuth2Config.java | 93 ++++ .../security/oauth2/TestOAuth2Utils.java | 55 +++ .../oauth2/TestOidcDiscoveryConfig.java | 67 +++ .../oauth2/TestRefreshTokensConfig.java | 74 +++ .../oauth2/TestingHydraIdentityProvider.java | 385 +++++++++++++++ .../oauth2/TokenEndpointAuthMethod.java | 33 ++ .../resources/router_ui/assets/presto.css | 5 + .../src/main/resources/router_ui/logout.html | 54 +++ .../src/main/resources/router_ui/src/utils.js | 142 +++--- presto-ui/src/components/PageTitle.jsx | 15 +- 62 files changed, 5307 insertions(+), 75 deletions(-) create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/DefaultWebUiAuthenticationManager.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/WebUiAuthenticationManager.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ChallengeFailedException.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForOAuth2.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForRefreshTokens.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializer.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializerModule.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JwtUtil.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusAirliftHttpClient.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusHttpClient.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusOAuth2Client.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NonceCookie.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2AuthenticationSupportModule.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Authenticator.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2CallbackResource.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Client.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Config.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ErrorCode.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServerConfigProvider.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Service.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServiceModule.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchange.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchangeResource.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenHandler.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Utils.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuthWebUiCookie.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/Oauth2WebUiAuthenticationManager.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscovery.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscoveryConfig.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/RefreshTokensConfig.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticConfigurationProvider.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticOAuth2ServerConfiguration.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenPairSerializer.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenRefresher.java create mode 100644 presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ZstdCodec.java create mode 100644 presto-main/src/main/resources/oauth2/failure.html create mode 100644 presto-main/src/main/resources/oauth2/logout.html create mode 100644 presto-main/src/main/resources/oauth2/success.html create mode 100644 presto-main/src/main/resources/webapp/dist/embedded_plan.js create mode 100644 presto-main/src/main/resources/webapp/dist/index.js create mode 100644 presto-main/src/main/resources/webapp/dist/plan.js create mode 100644 presto-main/src/main/resources/webapp/dist/query.js create mode 100644 presto-main/src/main/resources/webapp/dist/stage.js create mode 100644 presto-main/src/main/resources/webapp/dist/worker.js create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TestJweTokenSerializer.java create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TestOAuth2Config.java create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TestOAuth2Utils.java create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TestOidcDiscoveryConfig.java create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TestRefreshTokensConfig.java create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TestingHydraIdentityProvider.java create mode 100644 presto-main/src/test/java/com/facebook/presto/server/security/oauth2/TokenEndpointAuthMethod.java create mode 100644 presto-router/src/main/resources/router_ui/logout.html mode change 100755 => 100644 presto-router/src/main/resources/router_ui/src/utils.js diff --git a/presto-main/src/main/java/com/facebook/presto/server/PrestoServer.java b/presto-main/src/main/java/com/facebook/presto/server/PrestoServer.java index 9c11607574941..87fc1c387e5dc 100644 --- a/presto-main/src/main/java/com/facebook/presto/server/PrestoServer.java +++ b/presto-main/src/main/java/com/facebook/presto/server/PrestoServer.java @@ -19,6 +19,7 @@ import com.facebook.airlift.discovery.client.ServiceAnnouncement; import com.facebook.airlift.event.client.HttpEventModule; import com.facebook.airlift.event.client.JsonEventModule; +import com.facebook.airlift.http.server.HttpServerModule; import com.facebook.airlift.jaxrs.JaxrsModule; import com.facebook.airlift.jmx.JmxHttpModule; import com.facebook.airlift.jmx.JmxModule; @@ -51,8 +52,10 @@ import com.facebook.presto.security.AccessControlManager; import com.facebook.presto.security.AccessControlModule; import com.facebook.presto.server.security.PasswordAuthenticatorManager; +import com.facebook.presto.server.security.SecurityConfig; import com.facebook.presto.server.security.PrestoAuthenticatorManager; import com.facebook.presto.server.security.ServerSecurityModule; +import com.facebook.presto.server.security.oauth2.OAuth2Client; import com.facebook.presto.sql.analyzer.FeaturesConfig; import com.facebook.presto.sql.parser.SqlParserOptions; import com.facebook.presto.sql.planner.sanity.PlanCheckerProviderManager; @@ -83,6 +86,7 @@ import static com.facebook.airlift.json.JsonBinder.jsonBinder; import static com.facebook.presto.server.PrestoSystemRequirements.verifyJvmRequirements; import static com.facebook.presto.server.PrestoSystemRequirements.verifySystemTimeIsReasonable; +import static com.facebook.presto.server.security.SecurityConfig.AuthenticationType.OAUTH2; import static com.google.common.base.Strings.nullToEmpty; import static java.util.Objects.requireNonNull; @@ -198,6 +202,11 @@ public void run() injector.getInstance(ClientRequestFilterManager.class).loadClientRequestFilters(); startAssociatedProcesses(injector); + SecurityConfig securityConfig = injector.getInstance(SecurityConfig.class); + if (securityConfig.getAuthenticationTypes().contains(OAUTH2)) { + injector.getInstance(OAuth2Client.class).load(); + } + injector.getInstance(Announcer.class).start(); log.info("======== SERVER STARTED ========"); diff --git a/presto-main/src/main/java/com/facebook/presto/server/WebUiResource.java b/presto-main/src/main/java/com/facebook/presto/server/WebUiResource.java index c45774edc31e7..bb0fc7d22929a 100644 --- a/presto-main/src/main/java/com/facebook/presto/server/WebUiResource.java +++ b/presto-main/src/main/java/com/facebook/presto/server/WebUiResource.java @@ -13,6 +13,8 @@ */ package com.facebook.presto.server; +import com.facebook.presto.server.security.oauth2.OAuthWebUiCookie; + import javax.annotation.security.RolesAllowed; import javax.ws.rs.GET; import javax.ws.rs.HeaderParam; @@ -21,15 +23,19 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; +import java.util.Optional; + import static com.facebook.presto.server.security.RoleType.ADMIN; +import static com.facebook.presto.server.security.oauth2.OAuth2Utils.getLastURLParameter; import static com.google.common.base.Strings.isNullOrEmpty; import static com.google.common.net.HttpHeaders.X_FORWARDED_PROTO; -import static javax.ws.rs.core.Response.Status.MOVED_PERMANENTLY; -@Path("/") +@Path(WebUiResource.UI_ENDPOINT) @RolesAllowed(ADMIN) public class WebUiResource { + public static final String UI_ENDPOINT = "/"; + @GET public Response redirectIndexHtml( @HeaderParam(X_FORWARDED_PROTO) String proto, @@ -38,9 +44,30 @@ public Response redirectIndexHtml( if (isNullOrEmpty(proto)) { proto = uriInfo.getRequestUri().getScheme(); } + Optional lastURL = getLastURLParameter(uriInfo.getQueryParameters()); + if (lastURL.isPresent()) { + return Response + .seeOther(uriInfo.getRequestUriBuilder().scheme(proto).uri(lastURL.get()).build()) + .build(); + } + + return Response + .seeOther(uriInfo.getRequestUriBuilder().scheme(proto).path("/ui/").replaceQuery("").build()) + .build(); + } - return Response.status(MOVED_PERMANENTLY) - .location(uriInfo.getRequestUriBuilder().scheme(proto).path("/ui/").build()) + @GET + @Path("/logout") + public Response logout( + @HeaderParam(X_FORWARDED_PROTO) String proto, + @Context UriInfo uriInfo) + { + if (isNullOrEmpty(proto)) { + proto = uriInfo.getRequestUri().getScheme(); + } + return Response + .seeOther(uriInfo.getBaseUriBuilder().scheme(proto).path("/ui/logout.html").build()) + .cookie(OAuthWebUiCookie.delete()) .build(); } } diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/AuthenticationFilter.java b/presto-main/src/main/java/com/facebook/presto/server/security/AuthenticationFilter.java index 6914f8d7b03f5..94b9bd78e140a 100644 --- a/presto-main/src/main/java/com/facebook/presto/server/security/AuthenticationFilter.java +++ b/presto-main/src/main/java/com/facebook/presto/server/security/AuthenticationFilter.java @@ -18,6 +18,7 @@ import com.facebook.presto.ClientRequestFilterManager; import com.facebook.presto.spi.ClientRequestFilter; import com.facebook.presto.spi.PrestoException; +import com.facebook.presto.server.security.oauth2.OAuth2Authenticator; import com.google.common.base.Joiner; import com.google.common.base.Strings; import com.google.common.collect.ImmutableList; @@ -46,8 +47,12 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.util.stream.Collectors; import static com.facebook.presto.spi.StandardErrorCode.HEADER_MODIFICATION_ATTEMPT; +import static com.facebook.presto.server.WebUiResource.UI_ENDPOINT; +import static com.facebook.presto.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT; +import static com.facebook.presto.server.security.oauth2.OAuth2TokenExchangeResource.TOKEN_ENDPOINT; import static com.google.common.io.ByteStreams.copy; import static com.google.common.io.ByteStreams.nullOutputStream; import static com.google.common.net.HttpHeaders.WWW_AUTHENTICATE; @@ -62,16 +67,22 @@ public class AuthenticationFilter { private static final String HTTPS_PROTOCOL = "https"; private final List authenticators; - private final boolean allowForwardedHttps; + private static boolean allowForwardedHttps; private final ClientRequestFilterManager clientRequestFilterManager; private final List headersBlockList = ImmutableList.of("X-Presto-Transaction-Id", "X-Presto-Started-Transaction-Id", "X-Presto-Clear-Transaction-Id", "X-Presto-Trace-Token"); + private final WebUiAuthenticationManager webUiAuthenticationManager; + private final boolean isOauth2Enabled; @Inject - public AuthenticationFilter(List authenticators, SecurityConfig securityConfig, ClientRequestFilterManager clientRequestFilterManager) + public AuthenticationFilter(List authenticators, SecurityConfig securityConfig, WebUiAuthenticationManager webUiAuthenticationManager, ClientRequestFilterManager clientRequestFilterManager) { + allowForwardedHttps = requireNonNull(securityConfig, "securityConfig is null").getAllowForwardedHttps(); + this.authenticators = ImmutableList.copyOf(requireNonNull(authenticators, "authenticators is null")); - this.allowForwardedHttps = requireNonNull(securityConfig, "securityConfig is null").getAllowForwardedHttps(); this.clientRequestFilterManager = requireNonNull(clientRequestFilterManager, "clientRequestFilterManager is null"); + this.webUiAuthenticationManager = requireNonNull(webUiAuthenticationManager, "webUiAuthenticationManager is null"); + this.isOauth2Enabled = this.authenticators.stream() + .anyMatch(a -> a.getClass().equals(OAuth2Authenticator.class)); } @Override @@ -86,7 +97,12 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo { HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletResponse response = (HttpServletResponse) servletResponse; - + // Check if it's a request going to the web UI side. + if (isWebUiRequest(request) && isOauth2Enabled) { + // call web authenticator + this.webUiAuthenticationManager.handleRequest(request, response, nextFilter); + return; + } // skip authentication if non-secure or not configured if (!doesRequestSupportAuthentication(request)) { nextFilter.doFilter(request, response); @@ -118,6 +134,10 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo // authentication failed skipRequestBody(request); + // Browsers have special handling for the BASIC challenge authenticate header so we need to filter them out if the WebUI Oauth Token is present. + if (isOauth2Enabled && OAuth2Authenticator.extractTokenFromCookie(request).isPresent()) { + authenticateHeaders = authenticateHeaders.stream().filter(value -> value.contains("x_token_server")).collect(Collectors.toSet()); + } for (String value : authenticateHeaders) { response.addHeader(WWW_AUTHENTICATE, value); } @@ -195,7 +215,7 @@ private boolean doesRequestSupportAuthentication(HttpServletRequest request) return false; } - private static ServletRequest withPrincipal(HttpServletRequest request, Principal principal) + public static ServletRequest withPrincipal(HttpServletRequest request, Principal principal) { requireNonNull(principal, "principal is null"); return new HttpServletRequestWrapper(request) @@ -208,6 +228,12 @@ public Principal getUserPrincipal() }; } + public static boolean isPublic(HttpServletRequest request) + { + return request.getPathInfo().startsWith(TOKEN_ENDPOINT) + || request.getPathInfo().startsWith(CALLBACK_ENDPOINT); + } + private static void skipRequestBody(HttpServletRequest request) throws IOException { @@ -258,6 +284,25 @@ public Enumeration getHeaders(String name) return enumeration(ImmutableList.of(customHeaders.get(name))); } return super.getHeaders(name); + } + + private boolean doesRequestSupportAuthentication(HttpServletRequest request) + { + if (isPublic(request)) { + return false; + } + if (authenticators.isEmpty()) { + return false; } + if (request.isSecure()) { + return true; + } + return allowForwardedHttps && Strings.nullToEmpty(request.getHeader(HttpHeaders.X_FORWARDED_PROTO)).equalsIgnoreCase(HTTPS_PROTOCOL); + } + + private boolean isWebUiRequest(HttpServletRequest request) + { + String pathInfo = request.getPathInfo(); + return pathInfo == null || pathInfo.equals(UI_ENDPOINT) || pathInfo.startsWith("/ui"); } } diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/DefaultWebUiAuthenticationManager.java b/presto-main/src/main/java/com/facebook/presto/server/security/DefaultWebUiAuthenticationManager.java new file mode 100644 index 0000000000000..dd0691f88e9a1 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/DefaultWebUiAuthenticationManager.java @@ -0,0 +1,32 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import java.io.IOException; + +public class DefaultWebUiAuthenticationManager + implements WebUiAuthenticationManager +{ + @Override + public void handleRequest(HttpServletRequest request, HttpServletResponse response, FilterChain nextFilter) + throws IOException, ServletException + { + nextFilter.doFilter(request, response); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/SecurityConfig.java b/presto-main/src/main/java/com/facebook/presto/server/security/SecurityConfig.java index 9d2e74e939a0a..b56ed00ac979b 100644 --- a/presto-main/src/main/java/com/facebook/presto/server/security/SecurityConfig.java +++ b/presto-main/src/main/java/com/facebook/presto/server/security/SecurityConfig.java @@ -41,6 +41,7 @@ public enum AuthenticationType KERBEROS, PASSWORD, JWT, + OAUTH2, CUSTOM } @@ -57,7 +58,7 @@ public SecurityConfig setAuthenticationTypes(List authentica } @Config("http-server.authentication.type") - @ConfigDescription("Authentication types (supported types: CERTIFICATE, KERBEROS, PASSWORD, JWT, CUSTOM)") + @ConfigDescription("Authentication types (supported types: CERTIFICATE, KERBEROS, PASSWORD, JWT, OAUTH2, CUSTOM)") public SecurityConfig setAuthenticationTypes(String types) { if (types == null) { diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/ServerSecurityModule.java b/presto-main/src/main/java/com/facebook/presto/server/security/ServerSecurityModule.java index cd7943e40b313..064bdb3db8eea 100644 --- a/presto-main/src/main/java/com/facebook/presto/server/security/ServerSecurityModule.java +++ b/presto-main/src/main/java/com/facebook/presto/server/security/ServerSecurityModule.java @@ -19,6 +19,10 @@ import com.facebook.airlift.http.server.KerberosAuthenticator; import com.facebook.airlift.http.server.KerberosConfig; import com.facebook.presto.server.security.SecurityConfig.AuthenticationType; +import com.facebook.presto.server.security.oauth2.OAuth2AuthenticationSupportModule; +import com.facebook.presto.server.security.oauth2.OAuth2Authenticator; +import com.facebook.presto.server.security.oauth2.OAuth2Config; +import com.facebook.presto.server.security.oauth2.Oauth2WebUiAuthenticationManager; import com.google.inject.Binder; import com.google.inject.Scopes; import com.google.inject.multibindings.Multibinder; @@ -39,6 +43,10 @@ public class ServerSecurityModule @Override protected void setup(Binder binder) { + newOptionalBinder(binder, WebUiAuthenticationManager.class).setDefault().to(DefaultWebUiAuthenticationManager.class).in(Scopes.SINGLETON); + newSetBinder(binder, Filter.class, TheServlet.class).addBinding() + .to(AuthenticationFilter.class).in(Scopes.SINGLETON); + binder.bind(PasswordAuthenticatorManager.class).in(Scopes.SINGLETON); binder.bind(PrestoAuthenticatorManager.class).in(Scopes.SINGLETON); @@ -63,6 +71,13 @@ else if (authType == JWT) { else if (authType == CUSTOM) { authBinder.addBinding().to(CustomPrestoAuthenticator.class).in(Scopes.SINGLETON); } + else if (authType == OAUTH2) { + newOptionalBinder(binder, WebUiAuthenticationManager.class).setBinding().to(Oauth2WebUiAuthenticationManager.class).in(Scopes.SINGLETON); + install(new OAuth2AuthenticationSupportModule()); + binder.bind(OAuth2Authenticator.class).in(Scopes.SINGLETON); + configBinder(binder).bindConfig(OAuth2Config.class); + authBinder.addBinding().to(OAuth2Authenticator.class).in(Scopes.SINGLETON); + } else { throw new AssertionError("Unhandled auth type: " + authType); } diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/WebUiAuthenticationManager.java b/presto-main/src/main/java/com/facebook/presto/server/security/WebUiAuthenticationManager.java new file mode 100644 index 0000000000000..e34a495463c37 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/WebUiAuthenticationManager.java @@ -0,0 +1,27 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import java.io.IOException; + +public interface WebUiAuthenticationManager +{ + void handleRequest(HttpServletRequest request, HttpServletResponse response, FilterChain nextFilter) + throws IOException, ServletException; +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ChallengeFailedException.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ChallengeFailedException.java new file mode 100644 index 0000000000000..f72a7c7c537ea --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ChallengeFailedException.java @@ -0,0 +1,28 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +public class ChallengeFailedException + extends Exception +{ + public ChallengeFailedException(String message) + { + super(message); + } + + public ChallengeFailedException(String message, Throwable cause) + { + super(message, cause); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForOAuth2.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForOAuth2.java new file mode 100644 index 0000000000000..ee66543301512 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForOAuth2.java @@ -0,0 +1,31 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.google.inject.BindingAnnotation; + +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +import static java.lang.annotation.ElementType.FIELD; +import static java.lang.annotation.ElementType.METHOD; +import static java.lang.annotation.ElementType.PARAMETER; +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +@Retention(RUNTIME) +@Target({FIELD, PARAMETER, METHOD}) +@BindingAnnotation +public @interface ForOAuth2 +{ +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForRefreshTokens.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForRefreshTokens.java new file mode 100644 index 0000000000000..d4d3939c61320 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ForRefreshTokens.java @@ -0,0 +1,31 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.google.inject.BindingAnnotation; + +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +import static java.lang.annotation.ElementType.FIELD; +import static java.lang.annotation.ElementType.METHOD; +import static java.lang.annotation.ElementType.PARAMETER; +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +@Retention(RUNTIME) +@Target({FIELD, PARAMETER, METHOD}) +@BindingAnnotation +public @interface ForRefreshTokens +{ +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializer.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializer.java new file mode 100644 index 0000000000000..30b8196f6c57f --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializer.java @@ -0,0 +1,179 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.nimbusds.jose.EncryptionMethod; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWEAlgorithm; +import com.nimbusds.jose.JWEHeader; +import com.nimbusds.jose.JWEObject; +import com.nimbusds.jose.KeyLengthException; +import com.nimbusds.jose.Payload; +import com.nimbusds.jose.crypto.AESDecrypter; +import com.nimbusds.jose.crypto.AESEncrypter; +import io.airlift.units.Duration; +import io.jsonwebtoken.Claims; +import io.jsonwebtoken.CompressionCodec; +import io.jsonwebtoken.CompressionException; +import io.jsonwebtoken.Header; +import io.jsonwebtoken.JwtBuilder; +import io.jsonwebtoken.JwtParser; + +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; + +import java.security.NoSuchAlgorithmException; +import java.text.ParseException; +import java.time.Clock; +import java.util.Date; +import java.util.Map; +import java.util.Optional; + +import static com.facebook.presto.server.security.oauth2.JwtUtil.newJwtBuilder; +import static com.facebook.presto.server.security.oauth2.JwtUtil.newJwtParserBuilder; +import static com.google.common.base.Preconditions.checkState; +import static java.lang.String.format; +import static java.util.Objects.requireNonNull; + +public class JweTokenSerializer + implements TokenPairSerializer +{ + private static final JWEAlgorithm ALGORITHM = JWEAlgorithm.A256KW; + private static final EncryptionMethod ENCRYPTION_METHOD = EncryptionMethod.A256CBC_HS512; + private static final CompressionCodec COMPRESSION_CODEC = new ZstdCodec(); + private static final String ACCESS_TOKEN_KEY = "access_token"; + private static final String EXPIRATION_TIME_KEY = "expiration_time"; + private static final String REFRESH_TOKEN_KEY = "refresh_token"; + private final OAuth2Client client; + private final Clock clock; + private final String issuer; + private final String audience; + private final Duration tokenExpiration; + private final JwtParser parser; + private final AESEncrypter jweEncrypter; + private final AESDecrypter jweDecrypter; + private final String principalField; + + public JweTokenSerializer( + RefreshTokensConfig config, + OAuth2Client client, + String issuer, + String audience, + String principalField, + Clock clock, + Duration tokenExpiration) + throws KeyLengthException, NoSuchAlgorithmException + { + SecretKey secretKey = createKey(requireNonNull(config, "config is null")); + this.jweEncrypter = new AESEncrypter(secretKey); + this.jweDecrypter = new AESDecrypter(secretKey); + this.client = requireNonNull(client, "client is null"); + this.issuer = requireNonNull(issuer, "issuer is null"); + this.principalField = requireNonNull(principalField, "principalField is null"); + this.audience = requireNonNull(audience, "issuer is null"); + this.clock = requireNonNull(clock, "clock is null"); + this.tokenExpiration = requireNonNull(tokenExpiration, "tokenExpiration is null"); + + this.parser = newJwtParserBuilder() + .setClock(() -> Date.from(clock.instant())) + .requireIssuer(this.issuer) + .requireAudience(this.audience) + .setCompressionCodecResolver(JweTokenSerializer::resolveCompressionCodec) + .build(); + } + + @Override + public TokenPair deserialize(String token) + { + requireNonNull(token, "token is null"); + + try { + JWEObject jwe = JWEObject.parse(token); + jwe.decrypt(jweDecrypter); + Claims claims = parser.parseClaimsJwt(jwe.getPayload().toString()).getBody(); + return TokenPair.accessAndRefreshTokens( + claims.get(ACCESS_TOKEN_KEY, String.class), + claims.get(EXPIRATION_TIME_KEY, Date.class), + claims.get(REFRESH_TOKEN_KEY, String.class)); + } + catch (ParseException ex) { + throw new IllegalArgumentException("Malformed jwt token", ex); + } + catch (JOSEException ex) { + throw new IllegalArgumentException("Decryption failed", ex); + } + } + + @Override + public String serialize(TokenPair tokenPair) + { + requireNonNull(tokenPair, "tokenPair is null"); + + Optional> accessTokenClaims = client.getClaims(tokenPair.getAccessToken()); + if (!accessTokenClaims.isPresent()) { + throw new IllegalArgumentException("Claims are missing"); + } + Map claims = accessTokenClaims.get(); + if (!claims.containsKey(principalField)) { + throw new IllegalArgumentException(format("%s field is missing", principalField)); + } + JwtBuilder jwt = newJwtBuilder() + .setExpiration(Date.from(clock.instant().plusMillis(tokenExpiration.toMillis()))) + .claim(principalField, claims.get(principalField).toString()) + .setAudience(audience) + .setIssuer(issuer) + .claim(ACCESS_TOKEN_KEY, tokenPair.getAccessToken()) + .claim(EXPIRATION_TIME_KEY, tokenPair.getExpiration()) + .claim(REFRESH_TOKEN_KEY, tokenPair.getRefreshToken().orElseThrow(JweTokenSerializer::throwExceptionForNonExistingRefreshToken)) + .compressWith(COMPRESSION_CODEC); + + try { + JWEObject jwe = new JWEObject( + new JWEHeader(ALGORITHM, ENCRYPTION_METHOD), + new Payload(jwt.compact())); + jwe.encrypt(jweEncrypter); + return jwe.serialize(); + } + catch (JOSEException ex) { + throw new IllegalStateException("Encryption failed", ex); + } + } + + private static SecretKey createKey(RefreshTokensConfig config) + throws NoSuchAlgorithmException + { + SecretKey signingKey = config.getSecretKey(); + if (signingKey == null) { + KeyGenerator generator = KeyGenerator.getInstance("AES"); + generator.init(256); + return generator.generateKey(); + } + return signingKey; + } + + private static RuntimeException throwExceptionForNonExistingRefreshToken() + { + throw new IllegalStateException("Expected refresh token to be present. Please check your identity provider setup, or disable refresh tokens"); + } + + private static CompressionCodec resolveCompressionCodec(Header header) + throws CompressionException + { + if (header.getCompressionAlgorithm() != null) { + checkState(header.getCompressionAlgorithm().equals(ZstdCodec.CODEC_NAME), "Unknown codec '%s' used for token compression", header.getCompressionAlgorithm()); + return COMPRESSION_CODEC; + } + return null; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializerModule.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializerModule.java new file mode 100644 index 0000000000000..1819f79a33137 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JweTokenSerializerModule.java @@ -0,0 +1,62 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.AbstractConfigurationAwareModule; +import com.facebook.presto.client.NodeVersion; +import com.google.inject.Binder; +import com.google.inject.Inject; +import com.google.inject.Key; +import com.google.inject.Provides; +import com.google.inject.Singleton; +import com.nimbusds.jose.KeyLengthException; + +import java.security.NoSuchAlgorithmException; +import java.time.Clock; +import java.time.Duration; + +import static com.facebook.airlift.configuration.ConfigBinder.configBinder; +import static com.google.inject.multibindings.OptionalBinder.newOptionalBinder; + +public class JweTokenSerializerModule + extends AbstractConfigurationAwareModule +{ + @Override + protected void setup(Binder binder) + { + configBinder(binder).bindConfig(RefreshTokensConfig.class); + RefreshTokensConfig config = buildConfigObject(RefreshTokensConfig.class); + newOptionalBinder(binder, Key.get(Duration.class, ForRefreshTokens.class)).setBinding().toInstance(Duration.ofMillis(config.getTokenExpiration().toMillis())); + } + + @Provides + @Singleton + @Inject + public TokenPairSerializer getTokenPairSerializer( + OAuth2Client client, + NodeVersion nodeVersion, + RefreshTokensConfig config, + OAuth2Config oAuth2Config) + throws KeyLengthException, NoSuchAlgorithmException + { + return new JweTokenSerializer( + config, + client, + config.getIssuer() + "_" + nodeVersion.getVersion(), + config.getAudience(), + oAuth2Config.getPrincipalField(), + Clock.systemUTC(), + config.getTokenExpiration()); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JwtUtil.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JwtUtil.java new file mode 100644 index 0000000000000..026ebda5c8fab --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/JwtUtil.java @@ -0,0 +1,46 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import io.jsonwebtoken.JwtBuilder; +import io.jsonwebtoken.JwtParserBuilder; +import io.jsonwebtoken.impl.DefaultJwtBuilder; +import io.jsonwebtoken.impl.DefaultJwtParserBuilder; +import io.jsonwebtoken.io.Deserializer; +import io.jsonwebtoken.io.Serializer; +import io.jsonwebtoken.jackson.io.JacksonDeserializer; +import io.jsonwebtoken.jackson.io.JacksonSerializer; + +import java.util.Map; + +// avoid reflection and services lookup +public final class JwtUtil +{ + private static final Serializer> JWT_SERIALIZER = new JacksonSerializer<>(); + private static final Deserializer> JWT_DESERIALIZER = new JacksonDeserializer<>(); + + private JwtUtil() {} + + public static JwtBuilder newJwtBuilder() + { + return new DefaultJwtBuilder() + .serializeToJsonWith(JWT_SERIALIZER); + } + + public static JwtParserBuilder newJwtParserBuilder() + { + return new DefaultJwtParserBuilder() + .deserializeJsonWith(JWT_DESERIALIZER); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusAirliftHttpClient.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusAirliftHttpClient.java new file mode 100644 index 0000000000000..04d3eb17aad01 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusAirliftHttpClient.java @@ -0,0 +1,137 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.http.client.HttpClient; +import com.facebook.airlift.http.client.Request; +import com.facebook.airlift.http.client.Response; +import com.facebook.airlift.http.client.ResponseHandler; +import com.facebook.airlift.http.client.ResponseHandlerUtils; +import com.facebook.airlift.http.client.StringResponseHandler; +import com.google.common.collect.ImmutableMultimap; +import com.nimbusds.jose.util.Resource; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; + +import javax.inject.Inject; +import javax.ws.rs.core.UriBuilder; + +import java.io.IOException; +import java.net.URISyntaxException; +import java.net.URL; + +import static com.facebook.airlift.http.client.Request.Builder.prepareGet; +import static com.facebook.airlift.http.client.StaticBodyGenerator.createStaticBodyGenerator; +import static com.facebook.airlift.http.client.StringResponseHandler.createStringResponseHandler; +import static com.google.common.net.HttpHeaders.CONTENT_TYPE; +import static com.nimbusds.oauth2.sdk.http.HTTPRequest.Method.DELETE; +import static com.nimbusds.oauth2.sdk.http.HTTPRequest.Method.GET; +import static com.nimbusds.oauth2.sdk.http.HTTPRequest.Method.POST; +import static com.nimbusds.oauth2.sdk.http.HTTPRequest.Method.PUT; +import static java.lang.String.format; +import static java.nio.charset.StandardCharsets.UTF_8; +import static java.util.Objects.requireNonNull; + +public class NimbusAirliftHttpClient + implements NimbusHttpClient +{ + private final HttpClient httpClient; + + @Inject + public NimbusAirliftHttpClient(@ForOAuth2 HttpClient httpClient) + { + this.httpClient = requireNonNull(httpClient, "httpClient is null"); + } + + @Override + public Resource retrieveResource(URL url) + throws IOException + { + try { + StringResponseHandler.StringResponse response = httpClient.execute( + prepareGet().setUri(url.toURI()).build(), + createStringResponseHandler()); + return new Resource(response.getBody(), response.getHeader(CONTENT_TYPE)); + } + catch (URISyntaxException e) { + throw new RuntimeException(e); + } + } + + @Override + public T execute(com.nimbusds.oauth2.sdk.Request nimbusRequest, Parser parser) + { + HTTPRequest httpRequest = nimbusRequest.toHTTPRequest(); + HTTPRequest.Method method = httpRequest.getMethod(); + + Request.Builder request = new Request.Builder() + .setMethod(method.name()) + .setFollowRedirects(httpRequest.getFollowRedirects()); + + UriBuilder url = UriBuilder.fromUri(httpRequest.getURI()); + if (method.equals(GET) || method.equals(DELETE)) { + httpRequest.getQueryParameters().forEach((key, value) -> url.queryParam(key, value.toArray())); + } + + url.fragment(httpRequest.getFragment()); + + request.setUri(url.build()); + + ImmutableMultimap.Builder headers = ImmutableMultimap.builder(); + httpRequest.getHeaderMap().forEach(headers::putAll); + request.addHeaders(headers.build()); + + if (method.equals(POST) || method.equals(PUT)) { + String query = httpRequest.getQuery(); + if (query != null) { + request.setBodyGenerator(createStaticBodyGenerator(httpRequest.getQuery(), UTF_8)); + } + } + return httpClient.execute(request.build(), new NimbusResponseHandler<>(parser)); + } + + public static class NimbusResponseHandler + implements ResponseHandler + { + private final StringResponseHandler handler = createStringResponseHandler(); + private final Parser parser; + + public NimbusResponseHandler(Parser parser) + { + this.parser = requireNonNull(parser, "parser is null"); + } + + @Override + public T handleException(Request request, Exception exception) + { + throw ResponseHandlerUtils.propagate(request, exception); + } + + @Override + public T handle(Request request, Response response) + { + StringResponseHandler.StringResponse stringResponse = handler.handle(request, response); + HTTPResponse nimbusResponse = new HTTPResponse(response.getStatusCode()); + response.getHeaders().asMap().forEach((name, values) -> nimbusResponse.setHeader(name.toString(), values.toArray(new String[0]))); + nimbusResponse.setContent(stringResponse.getBody()); + try { + return parser.parse(nimbusResponse); + } + catch (ParseException e) { + throw new RuntimeException(format("Unable to parse response status=[%d], body=[%s]", stringResponse.getStatusCode(), stringResponse.getBody()), e); + } + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusHttpClient.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusHttpClient.java new file mode 100644 index 0000000000000..b8c0e491dec4b --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusHttpClient.java @@ -0,0 +1,31 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.nimbusds.jose.util.ResourceRetriever; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.Request; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; + +public interface NimbusHttpClient + extends ResourceRetriever +{ + T execute(Request request, Parser parser); + + interface Parser + { + T parse(HTTPResponse response) + throws ParseException; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusOAuth2Client.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusOAuth2Client.java new file mode 100644 index 0000000000000..1130531d94279 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NimbusOAuth2Client.java @@ -0,0 +1,439 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.log.Logger; +import com.facebook.presto.server.security.oauth2.OAuth2ServerConfigProvider.OAuth2ServerConfig; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Ordering; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.JWSHeader; +import com.nimbusds.jose.jwk.source.RemoteJWKSet; +import com.nimbusds.jose.proc.BadJOSEException; +import com.nimbusds.jose.proc.JWSKeySelector; +import com.nimbusds.jose.proc.JWSVerificationKeySelector; +import com.nimbusds.jose.proc.SecurityContext; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier; +import com.nimbusds.jwt.proc.DefaultJWTProcessor; +import com.nimbusds.jwt.proc.JWTProcessor; +import com.nimbusds.oauth2.sdk.AccessTokenResponse; +import com.nimbusds.oauth2.sdk.AuthorizationCode; +import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant; +import com.nimbusds.oauth2.sdk.AuthorizationGrant; +import com.nimbusds.oauth2.sdk.AuthorizationRequest; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.RefreshTokenGrant; +import com.nimbusds.oauth2.sdk.Scope; +import com.nimbusds.oauth2.sdk.TokenRequest; +import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic; +import com.nimbusds.oauth2.sdk.auth.Secret; +import com.nimbusds.oauth2.sdk.id.ClientID; +import com.nimbusds.oauth2.sdk.id.Issuer; +import com.nimbusds.oauth2.sdk.id.State; +import com.nimbusds.oauth2.sdk.token.AccessToken; +import com.nimbusds.oauth2.sdk.token.BearerAccessToken; +import com.nimbusds.oauth2.sdk.token.RefreshToken; +import com.nimbusds.oauth2.sdk.token.Tokens; +import com.nimbusds.openid.connect.sdk.AuthenticationRequest; +import com.nimbusds.openid.connect.sdk.Nonce; +import com.nimbusds.openid.connect.sdk.OIDCTokenResponse; +import com.nimbusds.openid.connect.sdk.UserInfoRequest; +import com.nimbusds.openid.connect.sdk.UserInfoResponse; +import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash; +import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet; +import com.nimbusds.openid.connect.sdk.token.OIDCTokens; +import com.nimbusds.openid.connect.sdk.validators.AccessTokenValidator; +import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator; +import com.nimbusds.openid.connect.sdk.validators.InvalidHashException; +import io.airlift.units.Duration; + +import javax.inject.Inject; + +import java.net.MalformedURLException; +import java.net.URI; +import java.time.Instant; +import java.util.Date; +import java.util.HashSet; +import java.util.Map; +import java.util.Optional; +import java.util.Set; +import java.util.stream.Stream; + +import static com.google.common.base.Preconditions.checkArgument; +import static com.google.common.base.Preconditions.checkState; +import static com.google.common.collect.ImmutableSet.toImmutableSet; +import static com.google.common.hash.Hashing.sha256; +import static com.nimbusds.oauth2.sdk.ResponseType.CODE; +import static com.nimbusds.openid.connect.sdk.OIDCScopeValue.OPENID; +import static java.nio.charset.StandardCharsets.UTF_8; +import static java.util.Objects.requireNonNull; +import static java.util.concurrent.TimeUnit.SECONDS; + +public class NimbusOAuth2Client + implements OAuth2Client +{ + private static final Logger LOG = Logger.get(NimbusAirliftHttpClient.class); + + private final Issuer issuer; + private final ClientID clientId; + private final ClientSecretBasic clientAuth; + private final Scope scope; + private final String principalField; + private final Set accessTokenAudiences; + private final Duration maxClockSkew; + private final NimbusHttpClient httpClient; + private final OAuth2ServerConfigProvider serverConfigurationProvider; + private volatile boolean loaded; + private URI authUrl; + private URI tokenUrl; + private Optional userinfoUrl; + private JWSKeySelector jwsKeySelector; + private JWTProcessor accessTokenProcessor; + private AuthorizationCodeFlow flow; + + @Inject + public NimbusOAuth2Client(OAuth2Config oauthConfig, OAuth2ServerConfigProvider serverConfigurationProvider, NimbusHttpClient httpClient) + { + requireNonNull(oauthConfig, "oauthConfig is null"); + issuer = new Issuer(oauthConfig.getIssuer()); + clientId = new ClientID(oauthConfig.getClientId()); + clientAuth = new ClientSecretBasic(clientId, new Secret(oauthConfig.getClientSecret())); + scope = Scope.parse(oauthConfig.getScopes()); + principalField = oauthConfig.getPrincipalField(); + maxClockSkew = oauthConfig.getMaxClockSkew(); + + accessTokenAudiences = new HashSet<>(oauthConfig.getAdditionalAudiences()); + accessTokenAudiences.add(clientId.getValue()); + accessTokenAudiences.add(null); // A null value in the set allows JWTs with no audience + + this.serverConfigurationProvider = requireNonNull(serverConfigurationProvider, "serverConfigurationProvider is null"); + this.httpClient = requireNonNull(httpClient, "httpClient is null"); + } + + @Override + public void load() + { + OAuth2ServerConfig config = serverConfigurationProvider.get(); + this.authUrl = config.getAuthUrl(); + this.tokenUrl = config.getTokenUrl(); + this.userinfoUrl = config.getUserinfoUrl(); + try { + jwsKeySelector = new JWSVerificationKeySelector<>( + Stream.concat(JWSAlgorithm.Family.RSA.stream(), JWSAlgorithm.Family.EC.stream()).collect(toImmutableSet()), + new RemoteJWKSet<>(config.getJwksUrl().toURL(), httpClient)); + } + catch (MalformedURLException e) { + throw new RuntimeException(e); + } + + DefaultJWTProcessor processor = new DefaultJWTProcessor<>(); + processor.setJWSKeySelector(jwsKeySelector); + DefaultJWTClaimsVerifier accessTokenVerifier = new DefaultJWTClaimsVerifier<>( + accessTokenAudiences, + new JWTClaimsSet.Builder() + .issuer(config.getAccessTokenIssuer().orElse(issuer.getValue())) + .build(), + ImmutableSet.of(principalField), + ImmutableSet.of()); + accessTokenVerifier.setMaxClockSkew((int) maxClockSkew.roundTo(SECONDS)); + processor.setJWTClaimsSetVerifier(accessTokenVerifier); + accessTokenProcessor = processor; + flow = scope.contains(OPENID) ? new OAuth2WithOidcExtensionsCodeFlow() : new OAuth2AuthorizationCodeFlow(); + loaded = true; + } + + @Override + public Request createAuthorizationRequest(String state, URI callbackUri) + { + checkState(loaded, "OAuth2 client not initialized"); + return flow.createAuthorizationRequest(state, callbackUri); + } + + @Override + public Response getOAuth2Response(String code, URI callbackUri, Optional nonce) + throws ChallengeFailedException + { + checkState(loaded, "OAuth2 client not initialized"); + return flow.getOAuth2Response(code, callbackUri, nonce); + } + + @Override + public Optional> getClaims(String accessToken) + { + checkState(loaded, "OAuth2 client not initialized"); + return getJWTClaimsSet(accessToken).map(JWTClaimsSet::getClaims); + } + + @Override + public Response refreshTokens(String refreshToken) + throws ChallengeFailedException + { + checkState(loaded, "OAuth2 client not initialized"); + return flow.refreshTokens(refreshToken); + } + + private interface AuthorizationCodeFlow + { + Request createAuthorizationRequest(String state, URI callbackUri); + + Response getOAuth2Response(String code, URI callbackUri, Optional nonce) + throws ChallengeFailedException; + + Response refreshTokens(String refreshToken) + throws ChallengeFailedException; + } + + private class OAuth2AuthorizationCodeFlow + implements AuthorizationCodeFlow + { + @Override + public Request createAuthorizationRequest(String state, URI callbackUri) + { + return new Request( + new AuthorizationRequest.Builder(CODE, clientId) + .redirectionURI(callbackUri) + .scope(scope) + .endpointURI(authUrl) + .state(new State(state)) + .build() + .toURI(), + Optional.empty()); + } + + @Override + public Response getOAuth2Response(String code, URI callbackUri, Optional nonce) + throws ChallengeFailedException + { + checkArgument(!nonce.isPresent(), "Unexpected nonce provided"); + AccessTokenResponse tokenResponse = getTokenResponse(code, callbackUri, AccessTokenResponse::parse); + Tokens tokens = tokenResponse.toSuccessResponse().getTokens(); + return toResponse(tokens, Optional.empty()); + } + + @Override + public Response refreshTokens(String refreshToken) + throws ChallengeFailedException + { + requireNonNull(refreshToken, "refreshToken is null"); + AccessTokenResponse tokenResponse = getTokenResponse(refreshToken, AccessTokenResponse::parse); + return toResponse(tokenResponse.toSuccessResponse().getTokens(), Optional.of(refreshToken)); + } + + private Response toResponse(Tokens tokens, Optional existingRefreshToken) + throws ChallengeFailedException + { + AccessToken accessToken = tokens.getAccessToken(); + RefreshToken refreshToken = tokens.getRefreshToken(); + JWTClaimsSet claims = getJWTClaimsSet(accessToken.getValue()).orElseThrow(() -> new ChallengeFailedException("invalid access token")); + return new Response( + accessToken.getValue(), + determineExpiration(getExpiration(accessToken), claims.getExpirationTime()), + Optional.empty(), + buildRefreshToken(refreshToken, existingRefreshToken)); + } + } + + private class OAuth2WithOidcExtensionsCodeFlow + implements AuthorizationCodeFlow + { + private final IDTokenValidator idTokenValidator; + + public OAuth2WithOidcExtensionsCodeFlow() + { + idTokenValidator = new IDTokenValidator(issuer, clientId, jwsKeySelector, null); + idTokenValidator.setMaxClockSkew((int) maxClockSkew.roundTo(SECONDS)); + } + + @Override + public Request createAuthorizationRequest(String state, URI callbackUri) + { + String nonce = new Nonce().getValue(); + return new Request( + new AuthenticationRequest.Builder(CODE, scope, clientId, callbackUri) + .endpointURI(authUrl) + .state(new State(state)) + .nonce(new Nonce(hashNonce(nonce))) + .build() + .toURI(), + Optional.of(nonce)); + } + + @Override + public Response getOAuth2Response(String code, URI callbackUri, Optional nonce) + throws ChallengeFailedException + { + if (!nonce.isPresent()) { + throw new ChallengeFailedException("Missing nonce"); + } + + OIDCTokenResponse tokenResponse = getTokenResponse(code, callbackUri, OIDCTokenResponse::parse); + OIDCTokens tokens = tokenResponse.getOIDCTokens(); + validateTokens(tokens, nonce); + return toResponse(tokens, Optional.empty()); + } + + @Override + public Response refreshTokens(String refreshToken) + throws ChallengeFailedException + { + OIDCTokenResponse tokenResponse = getTokenResponse(refreshToken, OIDCTokenResponse::parse); + OIDCTokens tokens = tokenResponse.getOIDCTokens(); + validateTokens(tokens); + return toResponse(tokens, Optional.of(refreshToken)); + } + + private Response toResponse(OIDCTokens tokens, Optional existingRefreshToken) + throws ChallengeFailedException + { + AccessToken accessToken = tokens.getAccessToken(); + RefreshToken refreshToken = tokens.getRefreshToken(); + JWTClaimsSet claims = getJWTClaimsSet(accessToken.getValue()).orElseThrow(() -> new ChallengeFailedException("invalid access token")); + return new Response( + accessToken.getValue(), + determineExpiration(getExpiration(accessToken), claims.getExpirationTime()), + Optional.ofNullable(tokens.getIDTokenString()), + buildRefreshToken(refreshToken, existingRefreshToken)); + } + + private void validateTokens(OIDCTokens tokens, Optional nonce) + throws ChallengeFailedException + { + try { + IDTokenClaimsSet idToken = idTokenValidator.validate( + tokens.getIDToken(), + nonce.map(this::hashNonce) + .map(Nonce::new) + .orElse(null)); + AccessTokenHash accessTokenHash = idToken.getAccessTokenHash(); + if (accessTokenHash != null) { + AccessTokenValidator.validate(tokens.getAccessToken(), ((JWSHeader) tokens.getIDToken().getHeader()).getAlgorithm(), accessTokenHash); + } + } + catch (BadJOSEException | JOSEException | InvalidHashException e) { + throw new ChallengeFailedException("Cannot validate tokens", e); + } + } + + private void validateTokens(OIDCTokens tokens) + throws ChallengeFailedException + { + validateTokens(tokens, Optional.empty()); + } + + private String hashNonce(String nonce) + { + return sha256() + .hashString(nonce, UTF_8) + .toString(); + } + } + + private T getTokenResponse(String code, URI callbackUri, NimbusAirliftHttpClient.Parser parser) + throws ChallengeFailedException + { + return getTokenResponse(new AuthorizationCodeGrant(new AuthorizationCode(code), callbackUri), parser); + } + + private T getTokenResponse(String refreshToken, NimbusAirliftHttpClient.Parser parser) + throws ChallengeFailedException + { + return getTokenResponse(new RefreshTokenGrant(new RefreshToken(refreshToken)), parser); + } + + private T getTokenResponse(AuthorizationGrant authorizationGrant, NimbusAirliftHttpClient.Parser parser) + throws ChallengeFailedException + { + T tokenResponse = httpClient.execute(new TokenRequest(tokenUrl, clientAuth, authorizationGrant, scope), parser); + if (!tokenResponse.indicatesSuccess()) { + throw new ChallengeFailedException("Error while fetching access token: " + tokenResponse.toErrorResponse().toJSONObject()); + } + return tokenResponse; + } + + private Optional getJWTClaimsSet(String accessToken) + { + if (userinfoUrl.isPresent()) { + return queryUserInfo(accessToken); + } + return parseAccessToken(accessToken); + } + + private Optional queryUserInfo(String accessToken) + { + try { + UserInfoResponse response = httpClient.execute(new UserInfoRequest(userinfoUrl.get(), new BearerAccessToken(accessToken)), UserInfoResponse::parse); + if (!response.indicatesSuccess()) { + LOG.error("Received bad response from userinfo endpoint: " + response.toErrorResponse().getErrorObject()); + return Optional.empty(); + } + return Optional.of(response.toSuccessResponse().getUserInfo().toJWTClaimsSet()); + } + catch (ParseException | RuntimeException e) { + LOG.error(e, "Received bad response from userinfo endpoint"); + return Optional.empty(); + } + } + + private Optional parseAccessToken(String accessToken) + { + try { + return Optional.of(accessTokenProcessor.process(accessToken, null)); + } + catch (java.text.ParseException | BadJOSEException | JOSEException e) { + LOG.error(e, "Failed to parse JWT access token"); + return Optional.empty(); + } + } + + private static Instant determineExpiration(Optional validUntil, Date expiration) + throws ChallengeFailedException + { + if (validUntil.isPresent()) { + if (expiration != null) { + return Ordering.natural().min(validUntil.get(), expiration.toInstant()); + } + + return validUntil.get(); + } + + if (expiration != null) { + return expiration.toInstant(); + } + + throw new ChallengeFailedException("no valid expiration date"); + } + + private Optional buildRefreshToken(RefreshToken refreshToken, Optional existingRefreshToken) + { + Optional firstOption = Optional.ofNullable(refreshToken) + .map(RefreshToken::getValue); + + if (firstOption.isPresent()) { + return firstOption; + } + else if (existingRefreshToken.isPresent()) { + return existingRefreshToken; + } + else { + return Optional.empty(); + } + } + + private static Optional getExpiration(AccessToken accessToken) + { + return accessToken.getLifetime() != 0 ? Optional.of(Instant.now().plusSeconds(accessToken.getLifetime())) : Optional.empty(); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NonceCookie.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NonceCookie.java new file mode 100644 index 0000000000000..7475d0c46cd9f --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/NonceCookie.java @@ -0,0 +1,90 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import org.apache.commons.lang3.StringUtils; + +import javax.ws.rs.core.Cookie; +import javax.ws.rs.core.NewCookie; + +import java.time.Instant; +import java.util.Date; +import java.util.Optional; + +import static com.facebook.presto.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT; +import static com.google.common.base.Predicates.not; +import static javax.ws.rs.core.Cookie.DEFAULT_VERSION; +import static javax.ws.rs.core.NewCookie.DEFAULT_MAX_AGE; + +public final class NonceCookie +{ + // prefix according to: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.1 + public static final String NONCE_COOKIE = "__Secure-Presto-Nonce"; + + private NonceCookie() {} + + public static NewCookie create(String nonce, Instant tokenExpiration) + { + return new NewCookie( + NONCE_COOKIE, + nonce, + CALLBACK_ENDPOINT, + null, + DEFAULT_VERSION, + null, + DEFAULT_MAX_AGE, + Date.from(tokenExpiration), + true, + true); + } + + public static javax.servlet.http.Cookie createServletCookie(String nonce, Instant tokenExpiration) + { + return toServletCookie(create(nonce, tokenExpiration)); + } + + public static javax.servlet.http.Cookie toServletCookie(NewCookie cookie) + { + javax.servlet.http.Cookie servletCookie = new javax.servlet.http.Cookie(cookie.getName(), cookie.getValue()); + servletCookie.setPath(cookie.getPath()); + servletCookie.setVersion(cookie.getVersion()); + servletCookie.setMaxAge(cookie.getMaxAge()); + servletCookie.setSecure(cookie.isSecure()); + servletCookie.setHttpOnly(cookie.isHttpOnly()); + + return servletCookie; + } + + public static Optional read(Cookie cookie) + { + return Optional.ofNullable(cookie) + .map(Cookie::getValue) + .filter(not(StringUtils::isBlank)); + } + + public static NewCookie delete() + { + return new NewCookie( + NONCE_COOKIE, + "delete", + CALLBACK_ENDPOINT, + null, + DEFAULT_VERSION, + null, + 0, + null, + true, + true); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2AuthenticationSupportModule.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2AuthenticationSupportModule.java new file mode 100644 index 0000000000000..88cd2b5e0f23d --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2AuthenticationSupportModule.java @@ -0,0 +1,33 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.AbstractConfigurationAwareModule; +import com.google.inject.Binder; +import com.google.inject.Scopes; + +import static com.facebook.airlift.jaxrs.JaxrsBinder.jaxrsBinder; + +public class OAuth2AuthenticationSupportModule + extends AbstractConfigurationAwareModule +{ + @Override + protected void setup(Binder binder) + { + binder.bind(OAuth2TokenExchange.class).in(Scopes.SINGLETON); + binder.bind(OAuth2TokenHandler.class).to(OAuth2TokenExchange.class).in(Scopes.SINGLETON); + jaxrsBinder(binder).bind(OAuth2TokenExchangeResource.class); + install(new OAuth2ServiceModule()); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Authenticator.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Authenticator.java new file mode 100644 index 0000000000000..3fe980f061364 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Authenticator.java @@ -0,0 +1,146 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.http.server.AuthenticationException; +import com.facebook.airlift.http.server.Authenticator; +import com.facebook.airlift.http.server.BasicPrincipal; +import com.facebook.airlift.log.Logger; +import org.apache.commons.lang3.StringUtils; + +import javax.inject.Inject; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; + +import java.net.URI; +import java.security.Principal; +import java.sql.Date; +import java.time.Instant; +import java.util.Arrays; +import java.util.Map; +import java.util.Optional; +import java.util.UUID; + +import static com.facebook.presto.server.security.oauth2.OAuth2TokenExchangeResource.getInitiateUri; +import static com.facebook.presto.server.security.oauth2.OAuth2TokenExchangeResource.getTokenUri; +import static com.facebook.presto.server.security.oauth2.OAuth2Utils.getSchemeUriBuilder; +import static com.facebook.presto.server.security.oauth2.OAuthWebUiCookie.OAUTH2_COOKIE; +import static com.google.common.base.Strings.nullToEmpty; +import static com.google.common.net.HttpHeaders.AUTHORIZATION; +import static java.lang.String.format; +import static java.util.Objects.requireNonNull; + +public class OAuth2Authenticator + implements Authenticator +{ + private static final Logger Log = Logger.get(OAuth2Authenticator.class); + private final String principalField; + private final OAuth2Client client; + private final TokenPairSerializer tokenPairSerializer; + private final TokenRefresher tokenRefresher; + + @Inject + public OAuth2Authenticator(OAuth2Client client, OAuth2Config config, TokenRefresher tokenRefresher, TokenPairSerializer tokenPairSerializer) + { + this.client = requireNonNull(client, "service is null"); + this.principalField = config.getPrincipalField(); + requireNonNull(config, "oauth2Config is null"); + this.tokenRefresher = requireNonNull(tokenRefresher, "tokenRefresher is null"); + this.tokenPairSerializer = requireNonNull(tokenPairSerializer, "tokenPairSerializer is null"); + } + + public Principal authenticate(HttpServletRequest request) throws AuthenticationException + { + String token = extractToken(request); + TokenPairSerializer.TokenPair tokenPair; + try { + tokenPair = tokenPairSerializer.deserialize(token); + } + catch (IllegalArgumentException e) { + Log.error(e, "Failed to deserialize the OAuth token"); + throw needAuthentication(request, Optional.empty(), "Invalid Credentials"); + } + + if (tokenPair.getExpiration().before(Date.from(Instant.now()))) { + throw needAuthentication(request, Optional.of(token), "Invalid Credentials"); + } + Optional> claims = client.getClaims(tokenPair.getAccessToken()); + + if (!claims.isPresent()) { + throw needAuthentication(request, Optional.ofNullable(token), "Invalid Credentials"); + } + String principal = (String) claims.get().get(principalField); + if (StringUtils.isEmpty(principal)) { + Log.warn("The subject is not present we need to authenticate"); + needAuthentication(request, Optional.empty(), "Invalid Credentials"); + } + + return new BasicPrincipal(principal); + } + + public String extractToken(HttpServletRequest request) throws AuthenticationException + { + Optional cookieToken = this.extractTokenFromCookie(request); + Optional headerToken = this.extractTokenFromHeader(request); + + if (!cookieToken.isPresent() && !headerToken.isPresent()) { + throw needAuthentication(request, Optional.empty(), "Invalid Credentials"); + } + + return cookieToken.orElseGet(() -> headerToken.get()); + } + + public Optional extractTokenFromHeader(HttpServletRequest request) + { + String authHeader = nullToEmpty(request.getHeader(AUTHORIZATION)); + int space = authHeader.indexOf(' '); + if ((space < 0) || !authHeader.substring(0, space).equalsIgnoreCase("bearer")) { + return Optional.empty(); + } + + return Optional.ofNullable(authHeader.substring(space + 1).trim()) + .filter(t -> !t.isEmpty()); + } + + public static Optional extractTokenFromCookie(HttpServletRequest request) + { + Cookie[] cookies = Optional.ofNullable(request.getCookies()).orElse(new Cookie[0]); + return Optional.ofNullable(Arrays.stream(cookies) + .filter(cookie -> cookie.getName().equals(OAUTH2_COOKIE)) + .findFirst() + .map(c -> c.getValue()) + .orElse(null)); + } + + private AuthenticationException needAuthentication(HttpServletRequest request, Optional currentToken, String message) + { + URI baseUri = getSchemeUriBuilder(request).build(); + return currentToken + .map(tokenPairSerializer::deserialize) + .flatMap(tokenRefresher::refreshToken) + .map(refreshId -> baseUri.resolve(getTokenUri(refreshId))) + .map(tokenUri -> new AuthenticationException(message, format("Bearer x_token_server=\"%s\"", tokenUri))) + .orElseGet(() -> buildNeedAuthentication(request, message)); + } + + private AuthenticationException buildNeedAuthentication(HttpServletRequest request, String message) + { + UUID authId = UUID.randomUUID(); + URI baseUri = getSchemeUriBuilder(request).build(); + URI initiateUri = baseUri.resolve(getInitiateUri(authId)); + URI tokenUri = baseUri.resolve(getTokenUri(authId)); + + return new AuthenticationException(message, format("Bearer x_redirect_server=\"%s\", x_token_server=\"%s\"", initiateUri, tokenUri)); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2CallbackResource.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2CallbackResource.java new file mode 100644 index 0000000000000..ef5b6d6330d38 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2CallbackResource.java @@ -0,0 +1,80 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.log.Logger; + +import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.CookieParam; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.QueryParam; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.Cookie; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; + +import static com.facebook.presto.server.security.oauth2.NonceCookie.NONCE_COOKIE; +import static com.facebook.presto.server.security.oauth2.OAuth2Utils.getSchemeUriBuilder; +import static java.util.Objects.requireNonNull; +import static javax.ws.rs.core.MediaType.TEXT_HTML; +import static javax.ws.rs.core.Response.Status.BAD_REQUEST; + +@Path(OAuth2CallbackResource.CALLBACK_ENDPOINT) +public class OAuth2CallbackResource +{ + private static final Logger LOG = Logger.get(OAuth2CallbackResource.class); + + public static final String CALLBACK_ENDPOINT = "/oauth2/callback"; + + private final OAuth2Service service; + + @Inject + public OAuth2CallbackResource(OAuth2Service service) + { + this.service = requireNonNull(service, "service is null"); + } + + @GET + @Produces(TEXT_HTML) + public Response callback( + @QueryParam("state") String state, + @QueryParam("code") String code, + @QueryParam("error") String error, + @QueryParam("error_description") String errorDescription, + @QueryParam("error_uri") String errorUri, + @CookieParam(NONCE_COOKIE) Cookie nonce, + @Context HttpServletRequest request) + { + if (error != null) { + return service.handleOAuth2Error(state, error, errorDescription, errorUri); + } + + try { + requireNonNull(state, "state is null"); + requireNonNull(code, "code is null"); + UriBuilder builder = getSchemeUriBuilder(request); + return service.finishOAuth2Challenge(state, code, builder.build().resolve(CALLBACK_ENDPOINT), NonceCookie.read(nonce), request); + } + catch (RuntimeException e) { + LOG.error(e, "Authentication response could not be verified: state=%s", state); + return Response.status(BAD_REQUEST) + .cookie(NonceCookie.delete()) + .entity(service.getInternalFailureHtml("Authentication response could not be verified")) + .build(); + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Client.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Client.java new file mode 100644 index 0000000000000..3d826d0056b60 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Client.java @@ -0,0 +1,95 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import java.net.URI; +import java.time.Instant; +import java.util.Map; +import java.util.Optional; + +import static java.util.Objects.requireNonNull; + +public interface OAuth2Client +{ + void load(); + + Request createAuthorizationRequest(String state, URI callbackUri); + + Response getOAuth2Response(String code, URI callbackUri, Optional nonce) + throws ChallengeFailedException; + + Optional> getClaims(String accessToken); + + Response refreshTokens(String refreshToken) + throws ChallengeFailedException; + + class Request + { + private final URI authorizationUri; + private final Optional nonce; + + public Request(URI authorizationUri, Optional nonce) + { + this.authorizationUri = requireNonNull(authorizationUri, "authorizationUri is null"); + this.nonce = requireNonNull(nonce, "nonce is null"); + } + + public URI getAuthorizationUri() + { + return authorizationUri; + } + + public Optional getNonce() + { + return nonce; + } + } + + class Response + { + private final String accessToken; + private final Instant expiration; + private final Optional idToken; + + private final Optional refreshToken; + + public Response(String accessToken, Instant expiration, Optional idToken, Optional refreshToken) + { + this.accessToken = requireNonNull(accessToken, "accessToken is null"); + this.expiration = requireNonNull(expiration, "expiration is null"); + this.idToken = requireNonNull(idToken, "idToken is null"); + this.refreshToken = requireNonNull(refreshToken, "refreshToken is null"); + } + + public String getAccessToken() + { + return accessToken; + } + + public Instant getExpiration() + { + return expiration; + } + + public Optional getIdToken() + { + return idToken; + } + + public Optional getRefreshToken() + { + return refreshToken; + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Config.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Config.java new file mode 100644 index 0000000000000..8de3e4442138b --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Config.java @@ -0,0 +1,254 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.Config; +import com.facebook.airlift.configuration.ConfigDescription; +import com.facebook.airlift.configuration.ConfigSecuritySensitive; +import com.google.common.base.Splitter; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import io.airlift.units.Duration; +import io.airlift.units.MinDuration; + +import javax.validation.constraints.NotNull; + +import java.io.File; +import java.util.Collections; +import java.util.List; +import java.util.Optional; +import java.util.Set; +import java.util.concurrent.TimeUnit; + +import static com.facebook.presto.server.security.oauth2.OAuth2Service.OPENID_SCOPE; +import static com.google.common.base.Strings.nullToEmpty; + +public class OAuth2Config +{ + private Optional stateKey = Optional.empty(); + private String issuer; + private String clientId; + private String clientSecret; + private Set scopes = ImmutableSet.of(OPENID_SCOPE); + private String principalField = "sub"; + private Optional groupsField = Optional.empty(); + private List additionalAudiences = Collections.emptyList(); + private Duration challengeTimeout = new Duration(15, TimeUnit.MINUTES); + private Duration maxClockSkew = new Duration(1, TimeUnit.MINUTES); + private Optional userMappingPattern = Optional.empty(); + private Optional userMappingFile = Optional.empty(); + private boolean enableRefreshTokens; + private boolean enableDiscovery = true; + + public Optional getStateKey() + { + return stateKey; + } + + @Config("http-server.authentication.oauth2.state-key") + @ConfigDescription("A secret key used by HMAC algorithm to sign the state parameter") + public OAuth2Config setStateKey(String stateKey) + { + this.stateKey = Optional.ofNullable(stateKey); + return this; + } + + @NotNull + public String getIssuer() + { + return issuer; + } + + @Config("http-server.authentication.oauth2.issuer") + @ConfigDescription("The required issuer of a token") + public OAuth2Config setIssuer(String issuer) + { + this.issuer = issuer; + return this; + } + + @NotNull + public String getClientId() + { + return clientId; + } + + @Config("http-server.authentication.oauth2.client-id") + @ConfigDescription("Client ID") + public OAuth2Config setClientId(String clientId) + { + this.clientId = clientId; + return this; + } + + @NotNull + public String getClientSecret() + { + return clientSecret; + } + + @Config("http-server.authentication.oauth2.client-secret") + @ConfigSecuritySensitive + @ConfigDescription("Client secret") + public OAuth2Config setClientSecret(String clientSecret) + { + this.clientSecret = clientSecret; + return this; + } + + @NotNull + public List getAdditionalAudiences() + { + return additionalAudiences; + } + + public OAuth2Config setAdditionalAudiences(List additionalAudiences) + { + this.additionalAudiences = ImmutableList.copyOf(additionalAudiences); + return this; + } + + @Config("http-server.authentication.oauth2.additional-audiences") + @ConfigDescription("Additional audiences to trust in addition to the Client ID") + public OAuth2Config setAdditionalAudiences(String additionalAudiences) + { + Splitter splitter = Splitter.on(',').trimResults().omitEmptyStrings(); + this.additionalAudiences = ImmutableList.copyOf(splitter.split(nullToEmpty(additionalAudiences))); + return this; + } + + @NotNull + public Set getScopes() + { + return scopes; + } + + @Config("http-server.authentication.oauth2.scopes") + @ConfigDescription("Scopes requested by the server during OAuth2 authorization challenge") + public OAuth2Config setScopes(String scopes) + { + Splitter splitter = Splitter.on(',').trimResults().omitEmptyStrings(); + this.scopes = ImmutableSet.copyOf(splitter.split(nullToEmpty(scopes))); + return this; + } + + @NotNull + public String getPrincipalField() + { + return principalField; + } + + @Config("http-server.authentication.oauth2.principal-field") + @ConfigDescription("The claim to use as the principal") + public OAuth2Config setPrincipalField(String principalField) + { + this.principalField = principalField; + return this; + } + + public Optional getGroupsField() + { + return groupsField; + } + + @Config("http-server.authentication.oauth2.groups-field") + @ConfigDescription("Groups field in the claim") + public OAuth2Config setGroupsField(String groupsField) + { + this.groupsField = Optional.ofNullable(groupsField); + return this; + } + + @MinDuration("1ms") + @NotNull + public Duration getChallengeTimeout() + { + return challengeTimeout; + } + + @Config("http-server.authentication.oauth2.challenge-timeout") + @ConfigDescription("Maximum duration of OAuth2 authorization challenge") + public OAuth2Config setChallengeTimeout(Duration challengeTimeout) + { + this.challengeTimeout = challengeTimeout; + return this; + } + + @MinDuration("0s") + @NotNull + public Duration getMaxClockSkew() + { + return maxClockSkew; + } + + @Config("http-server.authentication.oauth2.max-clock-skew") + @ConfigDescription("Max clock skew between the Authorization Server and the coordinator") + public OAuth2Config setMaxClockSkew(Duration maxClockSkew) + { + this.maxClockSkew = maxClockSkew; + return this; + } + + public Optional getUserMappingPattern() + { + return userMappingPattern; + } + + @Config("http-server.authentication.oauth2.user-mapping.pattern") + @ConfigDescription("Regex to match against user name") + public OAuth2Config setUserMappingPattern(String userMappingPattern) + { + this.userMappingPattern = Optional.ofNullable(userMappingPattern); + return this; + } + + public Optional getUserMappingFile() + { + return userMappingFile; + } + + @Config("http-server.authentication.oauth2.user-mapping.file") + @ConfigDescription("File containing rules for mapping user") + public OAuth2Config setUserMappingFile(File userMappingFile) + { + this.userMappingFile = Optional.ofNullable(userMappingFile); + return this; + } + + public boolean isEnableRefreshTokens() + { + return enableRefreshTokens; + } + + @Config("http-server.authentication.oauth2.refresh-tokens") + @ConfigDescription("Enables OpenID refresh tokens usage") + public OAuth2Config setEnableRefreshTokens(boolean enableRefreshTokens) + { + this.enableRefreshTokens = enableRefreshTokens; + return this; + } + + public boolean isEnableDiscovery() + { + return enableDiscovery; + } + + @Config("http-server.authentication.oauth2.oidc.discovery") + @ConfigDescription("Enable OpenID Provider Issuer discovery") + public OAuth2Config setEnableDiscovery(boolean enableDiscovery) + { + this.enableDiscovery = enableDiscovery; + return this; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ErrorCode.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ErrorCode.java new file mode 100644 index 0000000000000..058ce8be92b1e --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ErrorCode.java @@ -0,0 +1,46 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import java.util.Arrays; + +public enum OAuth2ErrorCode +{ + ACCESS_DENIED("access_denied", "OAuth2 server denied the login"), + UNAUTHORIZED_CLIENT("unauthorized_client", "OAuth2 server does not allow request from this Presto server"), + SERVER_ERROR("server_error", "OAuth2 server had a failure"), + TEMPORARILY_UNAVAILABLE("temporarily_unavailable", "OAuth2 server is temporarily unavailable"); + + private final String code; + private final String message; + + OAuth2ErrorCode(String code, String message) + { + this.code = code; + this.message = message; + } + + public static OAuth2ErrorCode fromString(String codeStr) + { + return Arrays.stream(OAuth2ErrorCode.values()) + .filter(value -> codeStr.equalsIgnoreCase(value.code)) + .findFirst() + .orElseThrow(() -> new IllegalArgumentException("No enum constant " + OAuth2ErrorCode.class.getCanonicalName() + "." + codeStr)); + } + + public String getMessage() + { + return this.message; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServerConfigProvider.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServerConfigProvider.java new file mode 100644 index 0000000000000..9455e5622605d --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServerConfigProvider.java @@ -0,0 +1,67 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import java.net.URI; +import java.util.Optional; + +import static java.util.Objects.requireNonNull; + +public interface OAuth2ServerConfigProvider +{ + OAuth2ServerConfig get(); + + class OAuth2ServerConfig + { + private final Optional accessTokenIssuer; + private final URI authUrl; + private final URI tokenUrl; + private final URI jwksUrl; + private final Optional userinfoUrl; + + public OAuth2ServerConfig(Optional accessTokenIssuer, URI authUrl, URI tokenUrl, URI jwksUrl, Optional userinfoUrl) + { + this.accessTokenIssuer = requireNonNull(accessTokenIssuer, "accessTokenIssuer is null"); + this.authUrl = requireNonNull(authUrl, "authUrl is null"); + this.tokenUrl = requireNonNull(tokenUrl, "tokenUrl is null"); + this.jwksUrl = requireNonNull(jwksUrl, "jwksUrl is null"); + this.userinfoUrl = requireNonNull(userinfoUrl, "userinfoUrl is null"); + } + + public Optional getAccessTokenIssuer() + { + return accessTokenIssuer; + } + + public URI getAuthUrl() + { + return authUrl; + } + + public URI getTokenUrl() + { + return tokenUrl; + } + + public URI getJwksUrl() + { + return jwksUrl; + } + + public Optional getUserinfoUrl() + { + return userinfoUrl; + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Service.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Service.java new file mode 100644 index 0000000000000..00735a1d876f1 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Service.java @@ -0,0 +1,284 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.log.Logger; +import com.google.common.io.Resources; +import io.jsonwebtoken.Claims; +import io.jsonwebtoken.JwtParser; + +import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.HttpHeaders; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; + +import java.io.IOException; +import java.net.URI; +import java.security.Key; +import java.security.SecureRandom; +import java.time.Duration; +import java.time.Instant; +import java.time.temporal.TemporalAmount; +import java.util.Date; +import java.util.Optional; +import java.util.Random; + +import static com.facebook.presto.server.security.oauth2.JwtUtil.newJwtBuilder; +import static com.facebook.presto.server.security.oauth2.JwtUtil.newJwtParserBuilder; +import static com.facebook.presto.server.security.oauth2.OAuth2Utils.getSchemeUriBuilder; +import static com.facebook.presto.server.security.oauth2.TokenPairSerializer.TokenPair.fromOAuth2Response; +import static com.google.common.base.Strings.nullToEmpty; +import static com.google.common.base.Verify.verify; +import static com.google.common.hash.Hashing.sha256; +import static io.jsonwebtoken.security.Keys.hmacShaKeyFor; +import static java.lang.String.format; +import static java.nio.charset.StandardCharsets.UTF_8; +import static java.time.Instant.now; +import static java.util.Objects.requireNonNull; +import static javax.ws.rs.core.Response.Status.BAD_REQUEST; + +public class OAuth2Service +{ + private static final Logger logger = Logger.get(OAuth2Service.class); + + public static final String OPENID_SCOPE = "openid"; + + private static final String STATE_AUDIENCE_UI = "presto_oauth_ui"; + private static final String FAILURE_REPLACEMENT_TEXT = ""; + private static final Random SECURE_RANDOM = new SecureRandom(); + public static final String HANDLER_STATE_CLAIM = "handler_state"; + + private final OAuth2Client client; + private final Optional tokenExpiration; + private final TokenPairSerializer tokenPairSerializer; + + private final String successHtml; + private final String failureHtml; + + private final TemporalAmount challengeTimeout; + private final Key stateHmac; + private final JwtParser jwtParser; + + private final OAuth2TokenHandler tokenHandler; + + @Inject + public OAuth2Service( + OAuth2Client client, + OAuth2Config oauth2Config, + OAuth2TokenHandler tokenHandler, + TokenPairSerializer tokenPairSerializer, + @ForRefreshTokens Optional tokenExpiration) + throws IOException + { + this.client = requireNonNull(client, "client is null"); + requireNonNull(oauth2Config, "oauth2Config is null"); + + this.successHtml = Resources.toString(Resources.getResource(getClass(), "/oauth2/success.html"), UTF_8); + this.failureHtml = Resources.toString(Resources.getResource(getClass(), "/oauth2/failure.html"), UTF_8); + verify(failureHtml.contains(FAILURE_REPLACEMENT_TEXT), "login.html does not contain the replacement text"); + + this.challengeTimeout = Duration.ofMillis(oauth2Config.getChallengeTimeout().toMillis()); + this.stateHmac = hmacShaKeyFor(oauth2Config.getStateKey() + .map(key -> sha256().hashString(key, UTF_8).asBytes()) + .orElseGet(() -> secureRandomBytes(32))); + this.jwtParser = newJwtParserBuilder() + .setSigningKey(stateHmac) + .requireAudience(STATE_AUDIENCE_UI) + .build(); + + this.tokenHandler = requireNonNull(tokenHandler, "tokenHandler is null"); + this.tokenPairSerializer = requireNonNull(tokenPairSerializer, "tokenPairSerializer is null"); + + this.tokenExpiration = requireNonNull(tokenExpiration, "tokenExpiration is null"); + } + + public Response startOAuth2Challenge(URI callbackUri, Optional handlerState) + { + Instant challengeExpiration = now().plus(challengeTimeout); + String state = newJwtBuilder() + .signWith(stateHmac) + .setAudience(STATE_AUDIENCE_UI) + .claim(HANDLER_STATE_CLAIM, handlerState.orElse(null)) + .setExpiration(Date.from(challengeExpiration)) + .compact(); + + OAuth2Client.Request request = client.createAuthorizationRequest(state, callbackUri); + Response.ResponseBuilder response = Response.seeOther(request.getAuthorizationUri()); + request.getNonce().ifPresent(nce -> response.cookie(NonceCookie.create(nce, challengeExpiration))); + return response.build(); + } + + public void startOAuth2Challenge(URI callbackUri, Optional handlerState, HttpServletResponse servletResponse) + throws IOException + { + Instant challengeExpiration = now().plus(challengeTimeout); + + OAuth2Client.Request challengeRequest = this.startChallenge(callbackUri, handlerState); + challengeRequest.getNonce().ifPresent(nce -> servletResponse.addCookie(NonceCookie.createServletCookie(nce, challengeExpiration))); + servletResponseSeeOther(challengeRequest.getAuthorizationUri().toString(), servletResponse); + } + + public void servletResponseSeeOther(String location, HttpServletResponse servletResponse) + throws IOException + { + // 303 is preferred over a 302 when this response is received by a POST/PUT/DELETE and the redirect should be done via a GET instead of original method + servletResponse.addHeader(HttpHeaders.LOCATION, location); + servletResponse.sendError(HttpServletResponse.SC_SEE_OTHER); + } + + private OAuth2Client.Request startChallenge(URI callbackUri, Optional handlerState) + { + Instant challengeExpiration = now().plus(challengeTimeout); + String state = newJwtBuilder() + .signWith(stateHmac) + .setAudience(STATE_AUDIENCE_UI) + .claim(HANDLER_STATE_CLAIM, handlerState.orElse(null)) + .setExpiration(Date.from(challengeExpiration)) + .compact(); + + return client.createAuthorizationRequest(state, callbackUri); + } + + public Response handleOAuth2Error(String state, String error, String errorDescription, String errorUri) + { + try { + Claims stateClaims = parseState(state); + Optional.ofNullable(stateClaims.get(HANDLER_STATE_CLAIM, String.class)) + .ifPresent(value -> + tokenHandler.setTokenExchangeError(value, + format("Authentication response could not be verified: error=%s, errorDescription=%s, errorUri=%s", + error, errorDescription, errorDescription))); + } + catch (ChallengeFailedException | RuntimeException e) { + logger.error(e, "Authentication response could not be verified invalid state: state=%s", state); + return Response.status(BAD_REQUEST) + .entity(getInternalFailureHtml("Authentication response could not be verified")) + .cookie(NonceCookie.delete()) + .build(); + } + + logger.error("OAuth server returned an error: error=%s, error_description=%s, error_uri=%s, state=%s", error, errorDescription, errorUri, state); + return Response.ok() + .entity(getCallbackErrorHtml(error)) + .cookie(NonceCookie.delete()) + .build(); + } + + public Response finishOAuth2Challenge(String state, String code, URI callbackUri, Optional nonce, HttpServletRequest request) + { + Optional handlerState; + try { + Claims stateClaims = parseState(state); + handlerState = Optional.ofNullable(stateClaims.get(HANDLER_STATE_CLAIM, String.class)); + } + catch (ChallengeFailedException | RuntimeException e) { + logger.error(e, "Authentication response could not be verified invalid state: state=%s", state); + return Response.status(BAD_REQUEST) + .entity(getInternalFailureHtml("Authentication response could not be verified")) + .cookie(NonceCookie.delete()) + .build(); + } + + // Note: the Web UI may be disabled, so REST requests can not redirect to a success or error page inside the Web UI + try { + // fetch access token + OAuth2Client.Response oauth2Response = client.getOAuth2Response(code, callbackUri, nonce); + + if (!handlerState.isPresent()) { + UriBuilder uriBuilder = getSchemeUriBuilder(request); + return Response + .seeOther(uriBuilder.build().resolve("/ui/")) + .cookie( + OAuthWebUiCookie.create( + tokenPairSerializer.serialize( + fromOAuth2Response(oauth2Response)), + tokenExpiration + .map(expiration -> Instant.now().plus(expiration)) + .orElse(oauth2Response.getExpiration())), + NonceCookie.delete()) + .build(); + } + + tokenHandler.setAccessToken(handlerState.get(), tokenPairSerializer.serialize(fromOAuth2Response(oauth2Response))); + + Response.ResponseBuilder builder = Response.ok(getSuccessHtml()); + builder.cookie( + OAuthWebUiCookie.create( + tokenPairSerializer.serialize(fromOAuth2Response(oauth2Response)), + tokenExpiration.map(expiration -> Instant.now().plus(expiration)) + .orElse(oauth2Response.getExpiration()))); + + return builder.cookie(NonceCookie.delete()).build(); + } + catch (ChallengeFailedException | RuntimeException e) { + logger.error(e, "Authentication response could not be verified: state=%s", state); + + handlerState.ifPresent(value -> + tokenHandler.setTokenExchangeError(value, format("Authentication response could not be verified: state=%s", value))); + return Response.status(BAD_REQUEST) + .cookie(NonceCookie.delete()) + .entity(getInternalFailureHtml("Authentication response could not be verified")) + .build(); + } + } + + private Claims parseState(String state) + throws ChallengeFailedException + { + try { + return jwtParser + .parseClaimsJws(state) + .getBody(); + } + catch (RuntimeException e) { + throw new ChallengeFailedException("State validation failed", e); + } + } + + public String getSuccessHtml() + { + return successHtml; + } + + public String getCallbackErrorHtml(String errorCode) + { + return failureHtml.replace(FAILURE_REPLACEMENT_TEXT, getOAuth2ErrorMessage(errorCode)); + } + + public String getInternalFailureHtml(String errorMessage) + { + return failureHtml.replace(FAILURE_REPLACEMENT_TEXT, nullToEmpty(errorMessage)); + } + + private static byte[] secureRandomBytes(int count) + { + byte[] bytes = new byte[count]; + SECURE_RANDOM.nextBytes(bytes); + return bytes; + } + + private static String getOAuth2ErrorMessage(String errorCode) + { + try { + OAuth2ErrorCode code = OAuth2ErrorCode.fromString(errorCode); + return code.getMessage(); + } + catch (IllegalArgumentException e) { + logger.error(e, "Unknown error code received code=%s", errorCode); + return "OAuth2 unknown error code: " + errorCode; + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServiceModule.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServiceModule.java new file mode 100644 index 0000000000000..31b8740edbaf4 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2ServiceModule.java @@ -0,0 +1,105 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.AbstractConfigurationAwareModule; +import com.google.inject.Binder; +import com.google.inject.Inject; +import com.google.inject.Key; +import com.google.inject.Provides; +import com.google.inject.Scopes; +import com.google.inject.Singleton; + +import java.time.Duration; + +import static com.facebook.airlift.configuration.ConditionalModule.installModuleIf; +import static com.facebook.airlift.configuration.ConfigBinder.configBinder; +import static com.facebook.airlift.http.client.HttpClientBinder.httpClientBinder; +import static com.facebook.airlift.jaxrs.JaxrsBinder.jaxrsBinder; +import static com.facebook.presto.server.security.oauth2.TokenPairSerializer.ACCESS_TOKEN_ONLY_SERIALIZER; +import static com.google.inject.multibindings.OptionalBinder.newOptionalBinder; + +public class OAuth2ServiceModule + extends AbstractConfigurationAwareModule +{ + @Override + protected void setup(Binder binder) + { + jaxrsBinder(binder).bind(OAuth2CallbackResource.class); + configBinder(binder).bindConfig(OAuth2Config.class); + binder.bind(OAuth2Service.class).in(Scopes.SINGLETON); + binder.bind(OAuth2TokenHandler.class).to(OAuth2TokenExchange.class).in(Scopes.SINGLETON); + binder.bind(NimbusHttpClient.class).to(NimbusAirliftHttpClient.class).in(Scopes.SINGLETON); + newOptionalBinder(binder, OAuth2Client.class) + .setDefault() + .to(NimbusOAuth2Client.class) + .in(Scopes.SINGLETON); + install(installModuleIf(OAuth2Config.class, OAuth2Config::isEnableDiscovery, this::bindOidcDiscovery, this::bindStaticConfiguration)); + install(installModuleIf(OAuth2Config.class, OAuth2Config::isEnableRefreshTokens, this::enableRefreshTokens, this::disableRefreshTokens)); + httpClientBinder(binder) + .bindHttpClient("oauth2-jwk", ForOAuth2.class) + // Reset to defaults to override InternalCommunicationModule changes to this client default configuration. + // Setting a keystore and/or a truststore for internal communication changes the default SSL configuration + // for all clients in this guice context. This does not make sense for this client which will very rarely + // use the same SSL configuration, so using the system default truststore makes more sense. + .withConfigDefaults(config -> config + .setKeyStorePath(null) + .setKeyStorePassword(null) + .setTrustStorePath(null) + .setTrustStorePassword(null)); + } + + private void enableRefreshTokens(Binder binder) + { + install(new JweTokenSerializerModule()); + } + + private void disableRefreshTokens(Binder binder) + { + binder.bind(TokenPairSerializer.class).toInstance(ACCESS_TOKEN_ONLY_SERIALIZER); + newOptionalBinder(binder, Key.get(Duration.class, ForRefreshTokens.class)); + } + + @Singleton + @Provides + @Inject + public TokenRefresher getTokenRefresher(TokenPairSerializer tokenAssembler, OAuth2TokenHandler tokenHandler, OAuth2Client oAuth2Client) + { + return new TokenRefresher(tokenAssembler, tokenHandler, oAuth2Client); + } + + private void bindStaticConfiguration(Binder binder) + { + configBinder(binder).bindConfig(StaticOAuth2ServerConfiguration.class); + binder.bind(OAuth2ServerConfigProvider.class).to(StaticConfigurationProvider.class).in(Scopes.SINGLETON); + } + + private void bindOidcDiscovery(Binder binder) + { + configBinder(binder).bindConfig(OidcDiscoveryConfig.class); + binder.bind(OAuth2ServerConfigProvider.class).to(OidcDiscovery.class).in(Scopes.SINGLETON); + } + + @Override + public int hashCode() + { + return OAuth2ServiceModule.class.hashCode(); + } + + @Override + public boolean equals(Object obj) + { + return obj instanceof OAuth2ServiceModule; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchange.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchange.java new file mode 100644 index 0000000000000..ff06a4bfa9c4c --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchange.java @@ -0,0 +1,146 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.google.common.cache.CacheBuilder; +import com.google.common.cache.CacheLoader; +import com.google.common.cache.LoadingCache; +import com.google.common.hash.Hashing; +import com.google.common.util.concurrent.ListenableFuture; +import com.google.common.util.concurrent.SettableFuture; +import io.airlift.units.Duration; + +import javax.annotation.PreDestroy; +import javax.inject.Inject; + +import java.nio.charset.StandardCharsets; +import java.util.Optional; +import java.util.UUID; +import java.util.concurrent.Future; +import java.util.concurrent.ScheduledExecutorService; + +import static com.facebook.airlift.concurrent.Threads.daemonThreadsNamed; +import static com.google.common.util.concurrent.Futures.nonCancellationPropagating; +import static java.util.Objects.requireNonNull; +import static java.util.concurrent.Executors.newSingleThreadScheduledExecutor; +import static java.util.concurrent.TimeUnit.MILLISECONDS; +import static java.util.concurrent.TimeUnit.SECONDS; + +public class OAuth2TokenExchange + implements OAuth2TokenHandler +{ + public static final Duration MAX_POLL_TIME = new Duration(10, SECONDS); + private static final TokenPoll TOKEN_POLL_TIMED_OUT = TokenPoll.error("Authentication has timed out"); + private static final TokenPoll TOKEN_POLL_DROPPED = TokenPoll.error("Authentication has been finished by the client"); + + private final LoadingCache> cache; + private final ScheduledExecutorService executor = newSingleThreadScheduledExecutor(daemonThreadsNamed("oauth2-token-exchange")); + + @Inject + public OAuth2TokenExchange(OAuth2Config config) + { + long challengeTimeoutMillis = config.getChallengeTimeout().toMillis(); + this.cache = buildUnsafeCache( + CacheBuilder.newBuilder() + .expireAfterWrite(challengeTimeoutMillis + (MAX_POLL_TIME.toMillis() * 10), MILLISECONDS) + .removalListener(notification -> notification.getValue().set(TOKEN_POLL_TIMED_OUT)), + new CacheLoader>() + { + @Override + public SettableFuture load(String authIdHash) + { + SettableFuture future = SettableFuture.create(); + Future timeout = executor.schedule(() -> future.set(TOKEN_POLL_TIMED_OUT), challengeTimeoutMillis, MILLISECONDS); + future.addListener(() -> timeout.cancel(true), executor); + return future; + } + }); + } + + private static LoadingCache buildUnsafeCache(CacheBuilder cacheBuilder, CacheLoader cacheLoader) + { + return cacheBuilder.build(cacheLoader); + } + + @PreDestroy + public void stop() + { + executor.shutdownNow(); + } + + @Override + public void setAccessToken(String authIdHash, String accessToken) + { + cache.getUnchecked(authIdHash).set(TokenPoll.token(accessToken)); + } + + @Override + public void setTokenExchangeError(String authIdHash, String message) + { + cache.getUnchecked(authIdHash).set(TokenPoll.error(message)); + } + + public ListenableFuture getTokenPoll(UUID authId) + { + return nonCancellationPropagating(cache.getUnchecked(hashAuthId(authId))); + } + + public void dropToken(UUID authId) + { + cache.getUnchecked(hashAuthId(authId)).set(TOKEN_POLL_DROPPED); + } + + public static String hashAuthId(UUID authId) + { + return Hashing.sha256() + .hashString(authId.toString(), StandardCharsets.UTF_8) + .toString(); + } + + public static class TokenPoll + { + private final Optional token; + private final Optional error; + + private TokenPoll(String token, String error) + { + this.token = Optional.ofNullable(token); + this.error = Optional.ofNullable(error); + } + + static TokenPoll token(String token) + { + requireNonNull(token, "token is null"); + + return new TokenPoll(token, null); + } + + static TokenPoll error(String error) + { + requireNonNull(error, "error is null"); + + return new TokenPoll(null, error); + } + + public Optional getToken() + { + return token; + } + + public Optional getError() + { + return error; + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchangeResource.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchangeResource.java new file mode 100644 index 0000000000000..36d27a0fe1252 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenExchangeResource.java @@ -0,0 +1,141 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.json.JsonCodec; +import com.facebook.airlift.json.JsonCodecFactory; +import com.facebook.presto.dispatcher.DispatchExecutor; +import com.facebook.presto.server.security.oauth2.OAuth2TokenExchange.TokenPoll; +import com.google.common.base.VerifyException; +import com.google.common.collect.ImmutableMap; +import com.google.common.util.concurrent.Futures; +import com.google.common.util.concurrent.ListenableFuture; +import com.google.common.util.concurrent.ListeningExecutorService; + +import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.BadRequestException; +import javax.ws.rs.DELETE; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.container.AsyncResponse; +import javax.ws.rs.container.Suspended; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; + +import java.util.Map; +import java.util.Optional; +import java.util.UUID; + +import static com.facebook.airlift.http.server.AsyncResponseHandler.bindAsyncResponse; +import static com.facebook.presto.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT; +import static com.facebook.presto.server.security.oauth2.OAuth2TokenExchange.MAX_POLL_TIME; +import static com.facebook.presto.server.security.oauth2.OAuth2TokenExchange.hashAuthId; +import static com.facebook.presto.server.security.oauth2.OAuth2Utils.getSchemeUriBuilder; +import static java.util.Objects.requireNonNull; +import static javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE; + +@Path(OAuth2TokenExchangeResource.TOKEN_ENDPOINT) +public class OAuth2TokenExchangeResource +{ + public static final String TOKEN_ENDPOINT = "/oauth2/token/"; + private static final JsonCodec> MAP_CODEC = new JsonCodecFactory().mapJsonCodec(String.class, Object.class); + private final OAuth2TokenExchange tokenExchange; + private final OAuth2Service service; + private final ListeningExecutorService responseExecutor; + + @Inject + public OAuth2TokenExchangeResource(OAuth2TokenExchange tokenExchange, OAuth2Service service, DispatchExecutor executor) + { + this.tokenExchange = requireNonNull(tokenExchange, "tokenExchange is null"); + this.service = requireNonNull(service, "service is null"); + this.responseExecutor = requireNonNull(executor, "executor is null").getExecutor(); + } + + @Path("initiate/{authIdHash}") + @GET + @Produces(MediaType.APPLICATION_JSON) + public Response initiateTokenExchange(@PathParam("authIdHash") String authIdHash, @Context HttpServletRequest request) + { + UriBuilder builder = getSchemeUriBuilder(request); + return service.startOAuth2Challenge(builder.build().resolve(CALLBACK_ENDPOINT), Optional.ofNullable(authIdHash)); + } + + @Path("{authId}") + @GET + @Produces(MediaType.APPLICATION_JSON) + public void getAuthenticationToken(@PathParam("authId") UUID authId, @Suspended AsyncResponse asyncResponse, @Context HttpServletRequest request) + { + if (authId == null) { + throw new BadRequestException(); + } + + // Do not drop the response from the cache on failure, as this would result in a + // hang if the client retries the request. The response will timeout eventually. + ListenableFuture tokenFuture = tokenExchange.getTokenPoll(authId); + ListenableFuture responseFuture = Futures.transform(tokenFuture, OAuth2TokenExchangeResource::toResponse, responseExecutor); + bindAsyncResponse(asyncResponse, responseFuture, responseExecutor) + .withTimeout(MAX_POLL_TIME, pendingResponse(request)); + } + + private static Response toResponse(TokenPoll poll) + { + if (poll.getError().isPresent()) { + return Response.ok(jsonMap("error", poll.getError().get()), APPLICATION_JSON_TYPE).build(); + } + if (poll.getToken().isPresent()) { + return Response.ok(jsonMap("token", poll.getToken().get()), APPLICATION_JSON_TYPE).build(); + } + throw new VerifyException("invalid TokenPoll state"); + } + + private static Response pendingResponse(HttpServletRequest request) + { + UriBuilder builder = getSchemeUriBuilder(request); + return Response.ok(jsonMap("nextUri", builder.build()), APPLICATION_JSON_TYPE).build(); + } + + @DELETE + @Path("{authId}") + public Response deleteAuthenticationToken(@PathParam("authId") UUID authId) + { + if (authId == null) { + throw new BadRequestException(); + } + + tokenExchange.dropToken(authId); + return Response + .ok() + .build(); + } + + public static String getTokenUri(UUID authId) + { + return TOKEN_ENDPOINT + authId; + } + + public static String getInitiateUri(UUID authId) + { + return TOKEN_ENDPOINT + "initiate/" + hashAuthId(authId); + } + + private static String jsonMap(String key, Object value) + { + return MAP_CODEC.toJson(ImmutableMap.of(key, value)); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenHandler.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenHandler.java new file mode 100644 index 0000000000000..027d3c27d90f4 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2TokenHandler.java @@ -0,0 +1,21 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +public interface OAuth2TokenHandler +{ + void setAccessToken(String hashedState, String accessToken); + + void setTokenExchangeError(String hashedState, String errorMessage); +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Utils.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Utils.java new file mode 100644 index 0000000000000..4d9dba90ec2f1 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuth2Utils.java @@ -0,0 +1,79 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.core.MultivaluedMap; +import javax.ws.rs.core.UriBuilder; + +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import static com.google.common.net.HttpHeaders.X_FORWARDED_PROTO; + +public final class OAuth2Utils +{ + private OAuth2Utils() {} + + /** + * Returns a UriBuilder with the scheme set based upon the X_FORWARDED_PROTO header. + * If the header exists on the request we set the scheme to what is in that header. i.e. https. + * If the header is not set then we use the scheme on the request. + * + * Ex: If you are using a load balancer to handle ssl forwarding for Presto. You must set the + * X_FORWARDED_PROTO header in the load balancer to 'https'. For any callback or redirect url's + * for the OAUTH2 Login flow must use the scheme of https. + * + * @param request HttpServletRequest + * @return a new instance of UriBuilder with the scheme set. + */ + public static UriBuilder getSchemeUriBuilder(HttpServletRequest request) + { + Optional forwardedProto = Optional.ofNullable(request.getHeader(X_FORWARDED_PROTO)); + + UriBuilder builder = UriBuilder.fromUri(getFullRequestURL(request)); + if (forwardedProto.isPresent()) { + builder.scheme(forwardedProto.get()); + } + else { + builder.scheme(request.getScheme()); + } + + return builder; + } + + /** + * Finds the lastURL query parameter in the request. + * + * @return Optional the value of the lastURL parameter + */ + public static Optional getLastURLParameter(MultivaluedMap queryParams) + { + Optional>> lastUrl = queryParams.entrySet().stream().filter(qp -> qp.getKey().equals("lastURL")).findFirst(); + if (lastUrl.isPresent() && lastUrl.get().getValue().size() > 0) { + return Optional.ofNullable(lastUrl.get().getValue().get(0)); + } + + return Optional.empty(); + } + + public static String getFullRequestURL(HttpServletRequest request) + { + StringBuilder requestURL = new StringBuilder(request.getRequestURL()); + String queryString = request.getQueryString(); + + return queryString == null ? requestURL.toString() : requestURL.append("?").append(queryString).toString(); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuthWebUiCookie.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuthWebUiCookie.java new file mode 100644 index 0000000000000..477c0d0d3581d --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OAuthWebUiCookie.java @@ -0,0 +1,61 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import javax.ws.rs.core.NewCookie; + +import java.time.Instant; +import java.util.Date; + +import static javax.ws.rs.core.Cookie.DEFAULT_VERSION; +import static javax.ws.rs.core.NewCookie.DEFAULT_MAX_AGE; + +public final class OAuthWebUiCookie +{ + // prefix according to: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.3.1 + public static final String OAUTH2_COOKIE = "__Secure-Presto-OAuth2-Token"; + + public static final String API_PATH = "/"; + + private OAuthWebUiCookie() {} + + public static NewCookie create(String token, Instant tokenExpiration) + { + return new NewCookie( + OAUTH2_COOKIE, + token, + API_PATH, + null, + DEFAULT_VERSION, + null, + DEFAULT_MAX_AGE, + Date.from(tokenExpiration), + true, + true); + } + public static NewCookie delete() + { + return new NewCookie( + OAUTH2_COOKIE, + "delete", + API_PATH, + null, + DEFAULT_VERSION, + null, + 0, + null, + true, + true); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/Oauth2WebUiAuthenticationManager.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/Oauth2WebUiAuthenticationManager.java new file mode 100644 index 0000000000000..d31b993e5b437 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/Oauth2WebUiAuthenticationManager.java @@ -0,0 +1,119 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.http.server.AuthenticationException; +import com.facebook.airlift.log.Logger; +import com.facebook.presto.server.security.WebUiAuthenticationManager; +import com.facebook.presto.server.security.oauth2.TokenPairSerializer.TokenPair; + +import javax.inject.Inject; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.UriBuilder; + +import java.io.IOException; +import java.security.Principal; +import java.time.Duration; +import java.time.Instant; +import java.util.Optional; + +import static com.facebook.presto.server.security.AuthenticationFilter.withPrincipal; +import static com.facebook.presto.server.security.oauth2.OAuth2CallbackResource.CALLBACK_ENDPOINT; +import static com.facebook.presto.server.security.oauth2.OAuth2Utils.getSchemeUriBuilder; +import static java.util.Objects.requireNonNull; + +public class Oauth2WebUiAuthenticationManager + implements WebUiAuthenticationManager +{ + private static final Logger logger = Logger.get(Oauth2WebUiAuthenticationManager.class); + private final OAuth2Service oAuth2Service; + private final OAuth2Authenticator oAuth2Authenticator; + private final TokenPairSerializer tokenPairSerializer; + private final OAuth2Client client; + private final Optional tokenExpiration; + + @Inject + public Oauth2WebUiAuthenticationManager(OAuth2Service oAuth2Service, OAuth2Authenticator oAuth2Authenticator, TokenPairSerializer tokenPairSerializer, OAuth2Client client, @ForRefreshTokens Optional tokenExpiration) + { + this.oAuth2Service = requireNonNull(oAuth2Service, "oauth2Service is null"); + this.oAuth2Authenticator = requireNonNull(oAuth2Authenticator, "oauth2Authenticator is null"); + this.tokenPairSerializer = requireNonNull(tokenPairSerializer, "tokenPairSerializer is null"); + this.client = requireNonNull(client, "oauth2Client is null"); + this.tokenExpiration = requireNonNull(tokenExpiration, "tokenExpiration is null"); + } + + public void handleRequest(HttpServletRequest request, HttpServletResponse response, FilterChain nextFilter) + throws IOException, ServletException + { + try { + Principal principal = this.oAuth2Authenticator.authenticate(request); + nextFilter.doFilter(withPrincipal(request, principal), response); + } + catch (AuthenticationException e) { + needAuthentication(request, response); + } + } + + private Optional getTokenPair(HttpServletRequest request) + { + try { + Optional token = this.oAuth2Authenticator.extractTokenFromCookie(request); + if (token.isPresent()) { + return Optional.ofNullable(tokenPairSerializer.deserialize(token.get())); + } + else { + return Optional.empty(); + } + } + catch (Exception e) { + logger.error(e, "Exception occurred during token pair deserialization"); + return Optional.empty(); + } + } + + private void needAuthentication(HttpServletRequest request, HttpServletResponse response) + throws IOException + { + Optional tokenPair = getTokenPair(request); + Optional refreshToken = tokenPair.flatMap(TokenPair::getRefreshToken); + if (refreshToken.isPresent()) { + try { + OAuth2Client.Response refreshRes = client.refreshTokens(refreshToken.get()); + String serializeToken = tokenPairSerializer.serialize(TokenPair.fromOAuth2Response(refreshRes)); + UriBuilder builder = getSchemeUriBuilder(request); + Cookie newCookie = NonceCookie.toServletCookie(OAuthWebUiCookie.create(serializeToken, tokenExpiration.map(expiration -> Instant.now().plus(expiration)).orElse(refreshRes.getExpiration()))); + response.addCookie(newCookie); + response.sendRedirect(builder.build().toString()); + } + catch (ChallengeFailedException e) { + logger.error(e, "Token refresh challenge has failed"); + this.startOauth2Challenge(request, response); + } + } + else { + this.startOauth2Challenge(request, response); + } + } + + private void startOauth2Challenge(HttpServletRequest request, HttpServletResponse response) + throws IOException + { + UriBuilder builder = getSchemeUriBuilder(request); + this.oAuth2Service.startOAuth2Challenge(builder.build().resolve(CALLBACK_ENDPOINT), Optional.empty(), response); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscovery.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscovery.java new file mode 100644 index 0000000000000..1b6bae30cc8c5 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscovery.java @@ -0,0 +1,159 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.json.JsonObjectMapperProvider; +import com.facebook.airlift.log.Logger; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.nimbusds.oauth2.sdk.ParseException; +import com.nimbusds.oauth2.sdk.http.HTTPResponse; +import com.nimbusds.oauth2.sdk.id.Issuer; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderConfigurationRequest; +import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; +import net.jodah.failsafe.Failsafe; +import net.jodah.failsafe.RetryPolicy; + +import javax.inject.Inject; + +import java.net.URI; +import java.time.Duration; +import java.util.Optional; + +import static com.facebook.airlift.http.client.HttpStatus.OK; +import static com.facebook.airlift.http.client.HttpStatus.REQUEST_TIMEOUT; +import static com.facebook.airlift.http.client.HttpStatus.TOO_MANY_REQUESTS; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.ACCESS_TOKEN_ISSUER; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.AUTH_URL; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.JWKS_URL; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.TOKEN_URL; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.USERINFO_URL; +import static com.google.common.base.Preconditions.checkState; +import static java.lang.String.format; +import static java.util.Objects.requireNonNull; + +public class OidcDiscovery + implements OAuth2ServerConfigProvider +{ + private static final Logger LOG = Logger.get(OidcDiscovery.class); + + private static final ObjectMapper OBJECT_MAPPER = new JsonObjectMapperProvider().get(); + private final Issuer issuer; + private final Duration discoveryTimeout; + private final boolean userinfoEndpointEnabled; + private final Optional accessTokenIssuer; + private final Optional authUrl; + private final Optional tokenUrl; + private final Optional jwksUrl; + private final Optional userinfoUrl; + private final NimbusHttpClient httpClient; + + @Inject + public OidcDiscovery(OAuth2Config oauthConfig, OidcDiscoveryConfig oidcConfig, NimbusHttpClient httpClient) + { + requireNonNull(oauthConfig, "oauthConfig is null"); + issuer = new Issuer(requireNonNull(oauthConfig.getIssuer(), "issuer is null")); + requireNonNull(oidcConfig, "oidcConfig is null"); + userinfoEndpointEnabled = oidcConfig.isUserinfoEndpointEnabled(); + discoveryTimeout = Duration.ofMillis(requireNonNull(oidcConfig.getDiscoveryTimeout(), "discoveryTimeout is null").toMillis()); + accessTokenIssuer = requireNonNull(oidcConfig.getAccessTokenIssuer(), "accessTokenIssuer is null"); + authUrl = requireNonNull(oidcConfig.getAuthUrl(), "authUrl is null"); + tokenUrl = requireNonNull(oidcConfig.getTokenUrl(), "tokenUrl is null"); + jwksUrl = requireNonNull(oidcConfig.getJwksUrl(), "jwksUrl is null"); + userinfoUrl = requireNonNull(oidcConfig.getUserinfoUrl(), "userinfoUrl is null"); + this.httpClient = requireNonNull(httpClient, "httpClient is null"); + } + + @Override + public OAuth2ServerConfig get() + { + return Failsafe.with(new RetryPolicy<>() + .withMaxAttempts(-1) + .withMaxDuration(discoveryTimeout) + .withDelay(Duration.ofSeconds(1)) + .abortOn(IllegalStateException.class) + .onFailedAttempt(attempt -> LOG.debug("OpenID Connect Metadata read failed: %s", attempt.getLastFailure()))) + .get(() -> httpClient.execute(new OIDCProviderConfigurationRequest(issuer), this::parseConfigurationResponse)); + } + + private OAuth2ServerConfig parseConfigurationResponse(HTTPResponse response) + throws ParseException + { + int statusCode = response.getStatusCode(); + if (statusCode != OK.code()) { + // stop on any client errors other than REQUEST_TIMEOUT and TOO_MANY_REQUESTS + if (statusCode < 400 || statusCode >= 500 || statusCode == REQUEST_TIMEOUT.code() || statusCode == TOO_MANY_REQUESTS.code()) { + throw new RuntimeException("Invalid response from OpenID Metadata endpoint: " + statusCode); + } + else { + throw new IllegalStateException(format("Invalid response from OpenID Metadata endpoint. Expected response code to be %s, but was %s", OK.code(), statusCode)); + } + } + return readConfiguration(response.getContent()); + } + + private OAuth2ServerConfig readConfiguration(String body) + throws ParseException + { + OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(body); + checkMetadataState(issuer.equals(metadata.getIssuer()), "The value of the \"issuer\" claim in Metadata document different than the Issuer URL used for the Configuration Request."); + try { + JsonNode metadataJson = OBJECT_MAPPER.readTree(body); + Optional userinfoEndpoint; + if (userinfoEndpointEnabled) { + userinfoEndpoint = getOptionalField("userinfo_endpoint", Optional.ofNullable(metadata.getUserInfoEndpointURI()).map(URI::toString), USERINFO_URL, userinfoUrl); + } + else { + userinfoEndpoint = Optional.empty(); + } + return new OAuth2ServerConfig( + // AD FS server can include "access_token_issuer" field in OpenID Provider Metadata. + // It's not a part of the OIDC standard thus have to be handled separately. + // see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-oidce/f629647a-4825-465b-80bb-32c7e9cec2c8 + getOptionalField("access_token_issuer", Optional.ofNullable(metadataJson.get("access_token_issuer")).map(JsonNode::textValue), ACCESS_TOKEN_ISSUER, accessTokenIssuer), + getRequiredField("authorization_endpoint", metadata.getAuthorizationEndpointURI(), AUTH_URL, authUrl), + getRequiredField("token_endpoint", metadata.getTokenEndpointURI(), TOKEN_URL, tokenUrl), + getRequiredField("jwks_uri", metadata.getJWKSetURI(), JWKS_URL, jwksUrl), + userinfoEndpoint.map(URI::create)); + } + catch (JsonProcessingException e) { + throw new ParseException("Invalid JSON value", e); + } + } + + private static URI getRequiredField(String metadataField, URI metadataValue, String configurationField, Optional configurationValue) + { + Optional uri = getOptionalField(metadataField, Optional.ofNullable(metadataValue).map(URI::toString), configurationField, configurationValue); + checkMetadataState(uri.isPresent(), "Missing required \"%s\" property.", metadataField); + return URI.create(uri.get()); + } + + private static Optional getOptionalField(String metadataField, Optional metadataValue, String configurationField, Optional configurationValue) + { + if (configurationValue.isPresent()) { + if (!configurationValue.equals(metadataValue)) { + LOG.warn("Overriding \"%s=%s\" from OpenID metadata document with value \"%s=%s\" defined in configuration", + metadataField, metadataValue.orElse(""), configurationField, configurationValue.orElse("")); + } + return configurationValue; + } + return metadataValue; + } + + private static void checkMetadataState(boolean expression, String additionalMessage, String... additionalMessageArgs) + { + checkState(expression, "Invalid response from OpenID Metadata endpoint. " + additionalMessage, (Object[]) additionalMessageArgs); + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscoveryConfig.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscoveryConfig.java new file mode 100644 index 0000000000000..126a5308b7f94 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/OidcDiscoveryConfig.java @@ -0,0 +1,149 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.Config; +import com.facebook.airlift.configuration.ConfigDescription; +import io.airlift.units.Duration; + +import javax.validation.constraints.NotNull; + +import java.util.Optional; + +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.ACCESS_TOKEN_ISSUER; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.AUTH_URL; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.JWKS_URL; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.TOKEN_URL; +import static com.facebook.presto.server.security.oauth2.StaticOAuth2ServerConfiguration.USERINFO_URL; +import static java.util.concurrent.TimeUnit.SECONDS; + +public class OidcDiscoveryConfig +{ + private Duration discoveryTimeout = new Duration(30, SECONDS); + private boolean userinfoEndpointEnabled = true; + + //TODO Left for backward compatibility, remove after the next release/a couple of releases + private Optional accessTokenIssuer = Optional.empty(); + private Optional authUrl = Optional.empty(); + private Optional tokenUrl = Optional.empty(); + private Optional jwksUrl = Optional.empty(); + private Optional userinfoUrl = Optional.empty(); + + @NotNull + public Duration getDiscoveryTimeout() + { + return discoveryTimeout; + } + + @Config("http-server.authentication.oauth2.oidc.discovery.timeout") + @ConfigDescription("OpenID Connect discovery timeout") + public OidcDiscoveryConfig setDiscoveryTimeout(Duration discoveryTimeout) + { + this.discoveryTimeout = discoveryTimeout; + return this; + } + + public boolean isUserinfoEndpointEnabled() + { + return userinfoEndpointEnabled; + } + + @Config("http-server.authentication.oauth2.oidc.use-userinfo-endpoint") + @ConfigDescription("Use userinfo endpoint from OpenID connect metadata document") + public OidcDiscoveryConfig setUserinfoEndpointEnabled(boolean userinfoEndpointEnabled) + { + this.userinfoEndpointEnabled = userinfoEndpointEnabled; + return this; + } + + @NotNull + @Deprecated + public Optional getAccessTokenIssuer() + { + return accessTokenIssuer; + } + + @Config(ACCESS_TOKEN_ISSUER) + @ConfigDescription("The required issuer for access tokens") + @Deprecated + public OidcDiscoveryConfig setAccessTokenIssuer(String accessTokenIssuer) + { + this.accessTokenIssuer = Optional.ofNullable(accessTokenIssuer); + return this; + } + + @NotNull + @Deprecated + public Optional getAuthUrl() + { + return authUrl; + } + + @Config(AUTH_URL) + @ConfigDescription("URL of the authorization server's authorization endpoint") + @Deprecated + public OidcDiscoveryConfig setAuthUrl(String authUrl) + { + this.authUrl = Optional.ofNullable(authUrl); + return this; + } + + @NotNull + @Deprecated + public Optional getTokenUrl() + { + return tokenUrl; + } + + @Config(TOKEN_URL) + @ConfigDescription("URL of the authorization server's token endpoint") + @Deprecated + public OidcDiscoveryConfig setTokenUrl(String tokenUrl) + { + this.tokenUrl = Optional.ofNullable(tokenUrl); + return this; + } + + @NotNull + @Deprecated + public Optional getJwksUrl() + { + return jwksUrl; + } + + @Config(JWKS_URL) + @ConfigDescription("URL of the authorization server's JWKS (JSON Web Key Set) endpoint") + @Deprecated + public OidcDiscoveryConfig setJwksUrl(String jwksUrl) + { + this.jwksUrl = Optional.ofNullable(jwksUrl); + return this; + } + + @NotNull + @Deprecated + public Optional getUserinfoUrl() + { + return userinfoUrl; + } + + @Config(USERINFO_URL) + @ConfigDescription("URL of the userinfo endpoint") + @Deprecated + public OidcDiscoveryConfig setUserinfoUrl(String userinfoUrl) + { + this.userinfoUrl = Optional.ofNullable(userinfoUrl); + return this; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/RefreshTokensConfig.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/RefreshTokensConfig.java new file mode 100644 index 0000000000000..69bcd717e7451 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/RefreshTokensConfig.java @@ -0,0 +1,96 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.Config; +import com.facebook.airlift.configuration.ConfigDescription; +import com.facebook.airlift.configuration.ConfigSecuritySensitive; +import io.airlift.units.Duration; +import io.jsonwebtoken.io.Decoders; +import io.jsonwebtoken.security.Keys; + +import javax.crypto.SecretKey; +import javax.validation.constraints.NotEmpty; + +import static com.google.common.base.Strings.isNullOrEmpty; +import static java.util.concurrent.TimeUnit.HOURS; + +public class RefreshTokensConfig +{ + private Duration tokenExpiration = Duration.succinctDuration(1, HOURS); + private static final String coordinator = "Presto_coordinator"; + private String issuer = coordinator; + private String audience = coordinator; + + private SecretKey secretKey; + + public Duration getTokenExpiration() + { + return tokenExpiration; + } + + @Config("http-server.authentication.oauth2.refresh-tokens.issued-token.timeout") + @ConfigDescription("Expiration time for issued token. It needs to be equal or lower than duration of refresh token issued by IdP") + public RefreshTokensConfig setTokenExpiration(Duration tokenExpiration) + { + this.tokenExpiration = tokenExpiration; + return this; + } + + @NotEmpty + public String getIssuer() + { + return issuer; + } + + @Config("http-server.authentication.oauth2.refresh-tokens.issued-token.issuer") + @ConfigDescription("Issuer representing this coordinator instance, that will be used in issued token. In addition current Version will be added to it") + public RefreshTokensConfig setIssuer(String issuer) + { + this.issuer = issuer; + return this; + } + + @NotEmpty + public String getAudience() + { + return audience; + } + + @Config("http-server.authentication.oauth2.refresh-tokens.issued-token.audience") + @ConfigDescription("Audience representing this coordinator instance, that will be used in issued token") + public RefreshTokensConfig setAudience(String audience) + { + this.audience = audience; + return this; + } + + @Config("http-server.authentication.oauth2.refresh-tokens.secret-key") + @ConfigDescription("Base64 encoded secret key used to encrypt generated token") + @ConfigSecuritySensitive + public RefreshTokensConfig setSecretKey(String key) + { + if (isNullOrEmpty(key)) { + return this; + } + + secretKey = Keys.hmacShaKeyFor(Decoders.BASE64.decode(key)); + return this; + } + + public SecretKey getSecretKey() + { + return secretKey; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticConfigurationProvider.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticConfigurationProvider.java new file mode 100644 index 0000000000000..627c42b3a5814 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticConfigurationProvider.java @@ -0,0 +1,44 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import javax.inject.Inject; + +import java.net.URI; + +import static java.util.Objects.requireNonNull; + +public class StaticConfigurationProvider + implements OAuth2ServerConfigProvider +{ + private final OAuth2ServerConfig config; + + @Inject + StaticConfigurationProvider(StaticOAuth2ServerConfiguration config) + { + requireNonNull(config, "config is null"); + this.config = new OAuth2ServerConfig( + config.getAccessTokenIssuer(), + URI.create(config.getAuthUrl()), + URI.create(config.getTokenUrl()), + URI.create(config.getJwksUrl()), + config.getUserinfoUrl().map(URI::create)); + } + + @Override + public OAuth2ServerConfig get() + { + return config; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticOAuth2ServerConfiguration.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticOAuth2ServerConfiguration.java new file mode 100644 index 0000000000000..2c497f05a27cb --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/StaticOAuth2ServerConfiguration.java @@ -0,0 +1,105 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.airlift.configuration.Config; +import com.facebook.airlift.configuration.ConfigDescription; + +import javax.validation.constraints.NotNull; + +import java.util.Optional; + +public class StaticOAuth2ServerConfiguration +{ + public static final String ACCESS_TOKEN_ISSUER = "http-server.authentication.oauth2.access-token-issuer"; + public static final String AUTH_URL = "http-server.authentication.oauth2.auth-url"; + public static final String TOKEN_URL = "http-server.authentication.oauth2.token-url"; + public static final String JWKS_URL = "http-server.authentication.oauth2.jwks-url"; + public static final String USERINFO_URL = "http-server.authentication.oauth2.userinfo-url"; + + private Optional accessTokenIssuer = Optional.empty(); + private String authUrl; + private String tokenUrl; + private String jwksUrl; + private Optional userinfoUrl = Optional.empty(); + + @NotNull + public Optional getAccessTokenIssuer() + { + return accessTokenIssuer; + } + + @Config(ACCESS_TOKEN_ISSUER) + @ConfigDescription("The required issuer for access tokens") + public StaticOAuth2ServerConfiguration setAccessTokenIssuer(String accessTokenIssuer) + { + this.accessTokenIssuer = Optional.ofNullable(accessTokenIssuer); + return this; + } + + @NotNull + public String getAuthUrl() + { + return authUrl; + } + + @Config(AUTH_URL) + @ConfigDescription("URL of the authorization server's authorization endpoint") + public StaticOAuth2ServerConfiguration setAuthUrl(String authUrl) + { + this.authUrl = authUrl; + return this; + } + + @NotNull + public String getTokenUrl() + { + return tokenUrl; + } + + @Config(TOKEN_URL) + @ConfigDescription("URL of the authorization server's token endpoint") + public StaticOAuth2ServerConfiguration setTokenUrl(String tokenUrl) + { + this.tokenUrl = tokenUrl; + return this; + } + + @NotNull + public String getJwksUrl() + { + return jwksUrl; + } + + @Config(JWKS_URL) + @ConfigDescription("URL of the authorization server's JWKS (JSON Web Key Set) endpoint") + public StaticOAuth2ServerConfiguration setJwksUrl(String jwksUrl) + { + this.jwksUrl = jwksUrl; + return this; + } + + public Optional getUserinfoUrl() + { + return userinfoUrl; + } + + @Config(USERINFO_URL) + @ConfigDescription("URL of the userinfo endpoint") + public StaticOAuth2ServerConfiguration setUserinfoUrl(String userinfoUrl) + { + this.userinfoUrl = Optional.ofNullable(userinfoUrl); + return this; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenPairSerializer.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenPairSerializer.java new file mode 100644 index 0000000000000..715374cc8e61d --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenPairSerializer.java @@ -0,0 +1,92 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.facebook.presto.server.security.oauth2; + +import com.facebook.presto.server.security.oauth2.OAuth2Client.Response; + +import javax.annotation.Nullable; + +import java.util.Date; +import java.util.Optional; + +import static java.lang.Long.MAX_VALUE; +import static java.util.Objects.requireNonNull; + +public interface TokenPairSerializer +{ + TokenPairSerializer ACCESS_TOKEN_ONLY_SERIALIZER = new TokenPairSerializer() + { + @Override + public TokenPair deserialize(String token) + { + return TokenPair.accessToken(token); + } + + @Override + public String serialize(TokenPair tokenPair) + { + return tokenPair.getAccessToken(); + } + }; + + TokenPair deserialize(String token); + + String serialize(TokenPair tokenPair); + + class TokenPair + { + private final String accessToken; + private final Date expiration; + private final Optional refreshToken; + + private TokenPair(String accessToken, Date expiration, Optional refreshToken) + { + this.accessToken = requireNonNull(accessToken, "accessToken is nul"); + this.expiration = requireNonNull(expiration, "expiration is null"); + this.refreshToken = requireNonNull(refreshToken, "refreshToken is null"); + } + + public static TokenPair accessToken(String accessToken) + { + return new TokenPair(accessToken, new Date(MAX_VALUE), Optional.empty()); + } + + public static TokenPair fromOAuth2Response(Response tokens) + { + requireNonNull(tokens, "tokens is null"); + return new TokenPair(tokens.getAccessToken(), Date.from(tokens.getExpiration()), tokens.getRefreshToken()); + } + + public static TokenPair accessAndRefreshTokens(String accessToken, Date expiration, @Nullable String refreshToken) + { + return new TokenPair(accessToken, expiration, Optional.ofNullable(refreshToken)); + } + + public String getAccessToken() + { + return accessToken; + } + + public Date getExpiration() + { + return expiration; + } + + public Optional getRefreshToken() + { + return refreshToken; + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenRefresher.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenRefresher.java new file mode 100644 index 0000000000000..411103f6f8724 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/TokenRefresher.java @@ -0,0 +1,68 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import com.facebook.presto.server.security.oauth2.OAuth2Client.Response; +import com.facebook.presto.server.security.oauth2.TokenPairSerializer.TokenPair; + +import java.util.Optional; +import java.util.UUID; + +import static com.facebook.presto.server.security.oauth2.OAuth2TokenExchange.hashAuthId; +import static java.util.Objects.requireNonNull; + +public class TokenRefresher +{ + private final TokenPairSerializer tokenAssembler; + private final OAuth2TokenHandler tokenHandler; + private final OAuth2Client client; + + public TokenRefresher(TokenPairSerializer tokenAssembler, OAuth2TokenHandler tokenHandler, OAuth2Client client) + { + this.tokenAssembler = requireNonNull(tokenAssembler, "tokenAssembler is null"); + this.tokenHandler = requireNonNull(tokenHandler, "tokenHandler is null"); + this.client = requireNonNull(client, "oAuth2Client is null"); + } + + public Optional refreshToken(TokenPair tokenPair) + { + requireNonNull(tokenPair, "tokenPair is null"); + + Optional refreshToken = tokenPair.getRefreshToken(); + if (refreshToken.isPresent()) { + UUID refreshingId = UUID.randomUUID(); + try { + refreshToken(refreshToken.get(), refreshingId); + return Optional.of(refreshingId); + } + // If Refresh token has expired then restart the flow + catch (RuntimeException exception) { + return Optional.empty(); + } + } + return Optional.empty(); + } + + private void refreshToken(String refreshToken, UUID refreshingId) + { + try { + Response response = client.refreshTokens(refreshToken); + String serializedToken = tokenAssembler.serialize(TokenPair.fromOAuth2Response(response)); + tokenHandler.setAccessToken(hashAuthId(refreshingId), serializedToken); + } + catch (ChallengeFailedException e) { + tokenHandler.setTokenExchangeError(hashAuthId(refreshingId), "Token refreshing has failed: " + e.getMessage()); + } + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ZstdCodec.java b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ZstdCodec.java new file mode 100644 index 0000000000000..1065d90416240 --- /dev/null +++ b/presto-main/src/main/java/com/facebook/presto/server/security/oauth2/ZstdCodec.java @@ -0,0 +1,53 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.facebook.presto.server.security.oauth2; + +import io.airlift.compress.zstd.ZstdCompressor; +import io.airlift.compress.zstd.ZstdDecompressor; +import io.jsonwebtoken.CompressionCodec; +import io.jsonwebtoken.CompressionException; + +import static java.lang.Math.toIntExact; +import static java.util.Arrays.copyOfRange; + +public class ZstdCodec + implements CompressionCodec +{ + public static final String CODEC_NAME = "ZSTD"; + + @Override + public String getAlgorithmName() + { + return CODEC_NAME; + } + + @Override + public byte[] compress(byte[] bytes) + throws CompressionException + { + ZstdCompressor compressor = new ZstdCompressor(); + byte[] compressed = new byte[compressor.maxCompressedLength(bytes.length)]; + int outputSize = compressor.compress(bytes, 0, bytes.length, compressed, 0, compressed.length); + return copyOfRange(compressed, 0, outputSize); + } + + @Override + public byte[] decompress(byte[] bytes) + throws CompressionException + { + byte[] output = new byte[toIntExact(ZstdDecompressor.getDecompressedSize(bytes, 0, bytes.length))]; + new ZstdDecompressor().decompress(bytes, 0, bytes.length, output, 0, output.length); + return output; + } +} diff --git a/presto-main/src/main/java/com/facebook/presto/server/testing/TestingPrestoServer.java b/presto-main/src/main/java/com/facebook/presto/server/testing/TestingPrestoServer.java index 4360533f9db9f..39e0832ac3c01 100644 --- a/presto-main/src/main/java/com/facebook/presto/server/testing/TestingPrestoServer.java +++ b/presto-main/src/main/java/com/facebook/presto/server/testing/TestingPrestoServer.java @@ -222,6 +222,11 @@ public TestingPrestoServer(List additionalModules) this(true, ImmutableMap.of(), null, null, new SqlParserOptions(), additionalModules); } + public TestingPrestoServer(Map properties) throws Exception + { + this(true, properties, null, null, new SqlParserOptions(), ImmutableList.of()); + } + public TestingPrestoServer( boolean coordinator, Map properties, diff --git a/presto-main/src/main/resources/oauth2/failure.html b/presto-main/src/main/resources/oauth2/failure.html new file mode 100644 index 0000000000000..f2fd1c24f6bc6 --- /dev/null +++ b/presto-main/src/main/resources/oauth2/failure.html @@ -0,0 +1,60 @@ + + + + + + + + + Cluster Overview - Presto + + + + + + + + + + + + + + + + + + + + + + + + + + + +

OAuth2 authentication failed

+ +

+ + + + + + diff --git a/presto-main/src/main/resources/oauth2/logout.html b/presto-main/src/main/resources/oauth2/logout.html new file mode 100644 index 0000000000000..d410f8a695340 --- /dev/null +++ b/presto-main/src/main/resources/oauth2/logout.html @@ -0,0 +1,51 @@ + + + + + + + + + Cluster Overview - Presto + + + + + + + + + + + + + + + + + + +

OAuth2 logout succeeded

+ +

This browser window can be closed

+ + + + + + diff --git a/presto-main/src/main/resources/oauth2/success.html b/presto-main/src/main/resources/oauth2/success.html new file mode 100644 index 0000000000000..1d8408ab82fbf --- /dev/null +++ b/presto-main/src/main/resources/oauth2/success.html @@ -0,0 +1,60 @@ + + + + + + + + + Cluster Overview - Presto + + + + + + + + + + + + + + + + + + + + + + + + + + + +

OAuth2 authentication succeeded

+ +

This browser window can be closed

+ + + + + + diff --git a/presto-main/src/main/resources/webapp/dist/embedded_plan.js b/presto-main/src/main/resources/webapp/dist/embedded_plan.js new file mode 100644 index 0000000000000..1f8f8da33dbc4 --- /dev/null +++ b/presto-main/src/main/resources/webapp/dist/embedded_plan.js @@ -0,0 +1,69 @@ +!function(t){var n={};function e(r){if(n[r])return n[r].exports;var i=n[r]={i:r,l:!1,exports:{}};return t[r].call(i.exports,i,i.exports,e),i.l=!0,i.exports}e.m=t,e.c=n,e.d=function(t,n,r){e.o(t,n)||Object.defineProperty(t,n,{enumerable:!0,get:r})},e.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},e.t=function(t,n){if(1&n&&(t=e(t)),8&n)return t;if(4&n&&"object"==typeof t&&t&&t.__esModule)return t;var r=Object.create(null);if(e.r(r),Object.defineProperty(r,"default",{enumerable:!0,value:t}),2&n&&"string"!=typeof t)for(var i in t)e.d(r,i,function(n){return t[n]}.bind(null,i));return r},e.n=function(t){var n=t&&t.__esModule?function(){return t.default}:function(){return t};return e.d(n,"a",n),n},e.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},e.p="",e(e.s=132)}([function(t,n,e){var r;try{r=e(29)}catch(t){}r||(r=window._),t.exports=r},function(t,n,e){"use strict";var r=e(0),i=e(5).Graph;function o(t,n,e,i){var o;do{o=r.uniqueId(i)}while(t.hasNode(o));return e.dummy=n,t.setNode(o,e),o}function u(t){return r.max(r.map(t.nodes(),function(n){var e=t.node(n).rank;if(!r.isUndefined(e))return e}))}t.exports={addDummyNode:o,simplify:function(t){var n=(new i).setGraph(t.graph());return r.forEach(t.nodes(),function(e){n.setNode(e,t.node(e))}),r.forEach(t.edges(),function(e){var r=n.edge(e.v,e.w)||{weight:0,minlen:1},i=t.edge(e);n.setEdge(e.v,e.w,{weight:r.weight+i.weight,minlen:Math.max(r.minlen,i.minlen)})}),n},asNonCompoundGraph:function(t){var n=new i({multigraph:t.isMultigraph()}).setGraph(t.graph());return r.forEach(t.nodes(),function(e){t.children(e).length||n.setNode(e,t.node(e))}),r.forEach(t.edges(),function(e){n.setEdge(e,t.edge(e))}),n},successorWeights:function(t){var n=r.map(t.nodes(),function(n){var e={};return r.forEach(t.outEdges(n),function(n){e[n.w]=(e[n.w]||0)+t.edge(n).weight}),e});return r.zipObject(t.nodes(),n)},predecessorWeights:function(t){var n=r.map(t.nodes(),function(n){var e={};return r.forEach(t.inEdges(n),function(n){e[n.v]=(e[n.v]||0)+t.edge(n).weight}),e});return r.zipObject(t.nodes(),n)},intersectRect:function(t,n){var e,r,i=t.x,o=t.y,u=n.x-i,a=n.y-o,c=t.width/2,f=t.height/2;if(!u&&!a)throw new Error("Not possible to find intersection inside of the rectangle");Math.abs(a)*c>Math.abs(u)*f?(a<0&&(f=-f),e=f*u/a,r=f):(u<0&&(c=-c),e=c,r=c*a/u);return{x:i+e,y:o+r}},buildLayerMatrix:function(t){var n=r.map(r.range(u(t)+1),function(){return[]});return r.forEach(t.nodes(),function(e){var i=t.node(e),o=i.rank;r.isUndefined(o)||(n[o][i.order]=e)}),n},normalizeRanks:function(t){var n=r.minBy(r.map(t.nodes(),function(n){return t.node(n).rank}));r.forEach(t.nodes(),function(e){var i=t.node(e);r.has(i,"rank")&&(i.rank-=n)})},removeEmptyRanks:function(t){var n=r.minBy(r.map(t.nodes(),function(n){return t.node(n).rank})),e=[];r.forEach(t.nodes(),function(r){var i=t.node(r).rank-n;e[i]||(e[i]=[]),e[i].push(r)});var i=0,o=t.graph().nodeRankFactor;r.forEach(e,function(n,e){r.isUndefined(n)&&e%o!=0?--i:i&&r.forEach(n,function(n){t.node(n).rank+=i})})},addBorderNode:function(t,n,e,r){var i={width:0,height:0};arguments.length>=4&&(i.rank=e,i.order=r);return o(t,"border",i,n)},maxRank:u,partition:function(t,n){var e={lhs:[],rhs:[]};return r.forEach(t,function(t){n(t)?e.lhs.push(t):e.rhs.push(t)}),e},time:function(t,n){var e=r.now();try{return n()}finally{console.log(t+" time: "+(r.now()-e)+"ms")}},notime:function(t,n){return n()}}},function(t,n,e){"use strict";var r={value:function(){}};function i(){for(var t,n=0,e=arguments.length,r={};n=0&&(e=t.slice(r+1),t=t.slice(0,r)),t&&!n.hasOwnProperty(t))throw new Error("unknown type: "+t);return{type:t,name:e}})}(t+"",r),o=-1,c=i.length;if(!(arguments.length<2)){if(null!=n&&"function"!=typeof n)throw new Error("invalid callback: "+n);for(;++o0)for(var e,r,i=new Array(e),o=0;o=r.length)return null!=t&&e.sort(t),null!=n?n(e):e;for(var f,l,s,h=-1,d=e.length,p=r[i++],v=o(),g=a();++hr.length)return e;var u,a=i[o-1];return null!=n&&o>=r.length?u=e.entries():(u=[],e.each(function(n,e){u.push({key:e,values:t(n,o)})})),null!=a?u.sort(function(t,n){return a(t.key,n.key)}):u}(u(t,0,f,l),0)},key:function(t){return r.push(t),e},sortKeys:function(t){return i[r.length-1]=t,e},sortValues:function(n){return t=n,e},rollup:function(t){return n=t,e}}};function a(){return{}}function c(t,n,e){t[n]=e}function f(){return o()}function l(t,n,e){t.set(n,e)}function s(){}var h=o.prototype;function d(t,n){var e=new s;if(t instanceof s)t.each(function(t){e.add(t)});else if(t){var r=-1,i=t.length;if(null==n)for(;++r=l?d=!0:(c=t.charCodeAt(s++))===u?p=!0:c===a&&(p=!0,t.charCodeAt(s)===u&&++s),t.slice(f+1,n-1).replace(/""/g,'"')}for(;s0&&(a+=" ("+r.join(", ")+")")),"reserved"===i&&(a+=" (RESERVED)"),a}if("FAILED"===t)switch(o){case"USER_ERROR":return"USER_CANCELED"===u?"USER CANCELED":"USER ERROR";case"INTERNAL_ERROR":return"INTERNAL ERROR";case"INSUFFICIENT_RESOURCES":return"INSUFFICIENT RESOURCES";case"EXTERNAL":return"EXTERNAL ERROR"}return t},n.getProgressBarPercentage=a,n.getProgressBarTitle=function(t,n,e){if(t&&"RUNNING"===n)return e+" ("+a(t,n)+"%)";return e},n.isQueryEnded=function(t){return["FINISHED","FAILED","CANCELED"].indexOf(t)>-1},n.addToHistory=function(t,n){if(0===n.length)return n.concat([t]);return n.concat([t]).slice(Math.max(n.length-c,0))},n.addExponentiallyWeightedToHistory=function(t,n){if(0===n.length)return n.concat([t]);var e=t*f+n[n.length-1]*(1-f);t<1&&(e=0);return n.concat([e]).slice(Math.max(n.length-c,0))},n.initializeGraph=function(){return new r.graphlib.Graph({compound:!0}).setGraph({rankdir:"BT"}).setDefaultEdgeLabel(function(){return{}})},n.initializeSvg=function(t){var n=i.select(t);return n.append("g"),n},n.getChildren=function(t){var n=v(t["@type"]);switch(n){case"OutputNode":case"ExplainAnalyzeNode":case"ProjectNode":case"FilterNode":case"AggregationNode":case"SortNode":case"MarkDistinctNode":case"WindowNode":case"RowNumberNode":case"TopNRowNumberNode":case"LimitNode":case"DistinctLimitNode":case"TopNNode":case"SampleNode":case"TableWriterNode":case"DeleteNode":case"MetadataDeleteNode":case"TableFinishNode":case"GroupIdNode":case"UnnestNode":case"EnforceSingleRowNode":return[t.source];case"JoinNode":return[t.left,t.right];case"SemiJoinNode":return[t.source,t.filteringSource];case"SpatialJoinNode":return[t.left,t.right];case"IndexJoinNode":return[t.probeSource,t.indexSource];case"UnionNode":case"ExchangeNode":return t.sources;case"RemoteSourceNode":case"TableScanNode":case"ValuesNode":case"IndexSourceNode":break;default:console.log("NOTE: Unhandled PlanNode: "+n)}return[]},n.truncateString=function(t,n){if(t&&t.length>n)return t.substring(0,n)+"...";return t},n.getStageNumber=function(t){return Number.parseInt(t.slice(t.indexOf(".")+1,t.length))},n.getTaskIdSuffix=l,n.getTaskNumber=function(t){return Number.parseInt(l(l(t)))},n.getFirstParameter=function(t){var n=t.substring(1);if(-1!==n.indexOf("&"))return n.substring(0,n.indexOf("&"));return n},n.getHostname=function(t){var n=new URL(t).hostname;"["===n.charAt(0)&&"]"===n.charAt(n.length-1)&&(n=n.substr(1,n.length-2));return n},n.getPort=function(t){return new URL(t).port},n.getHostAndPort=function(t){var n=new URL(t);return n.hostname+":"+n.port},n.computeRate=function(t,n){if(0===n)return 0;return t/n*1e3},n.precisionRound=s,n.formatDuration=function(t){var n="ms";t>1e3&&(t/=1e3,n="s");"s"===n&&t>60&&(t/=60,n="m");"m"===n&&t>60&&(t/=60,n="h");"h"===n&&t>24&&(t/=24,n="d");"d"===n&&t>7&&(t/=7,n="w");return s(t)+n},n.formatRows=function(t){if(1===t)return"1 row";return h(t)+" rows"},n.formatCount=h,n.formatDataSizeBytes=function(t){return d(t,"")},n.formatDataSize=function(t){return d(t,"B")},n.parseDataSize=function(t){var n=/^\s*(\d+(?:\.\d+)?)\s*([a-zA-Z]+)\s*$/.exec(t);if(null===n)return null;var e=parseFloat(n[1]);switch(n[2]){case"B":return e;case"kB":return e*Math.pow(2,10);case"MB":return e*Math.pow(2,20);case"GB":return e*Math.pow(2,30);case"TB":return e*Math.pow(2,40);case"PB":return e*Math.pow(2,50);default:return null}},n.parseDuration=function(t){var n=/^\s*(\d+(?:\.\d+)?)\s*([a-zA-Z]+)\s*$/.exec(t);if(null===n)return null;var e=parseFloat(n[1]);switch(n[2]){case"ns":return e/1e6;case"us":return e/1e3;case"ms":return e;case"s":return 1e3*e;case"m":return 1e3*e*60;case"h":return 1e3*e*60*60;case"d":return 1e3*e*60*60*24;default:return null}},n.formatShortTime=p,n.formatShortDateTime=function(t){var n=t.getFullYear(),e=""+(t.getMonth()+1),r=""+t.getDate();return n+"-"+(e[1]?e:"0"+e[0])+"-"+(r[1]?r:"0"+r[0])+" "+p(t)},n.removeNodeTypePackage=v,n.getLastUrl=function(){var t=window.location.pathname,n=window.location.search;return t+n};var r=o(e(35)),i=o(e(36));function o(t){if(t&&t.__esModule)return t;var n={};if(null!=t)for(var e in t)Object.prototype.hasOwnProperty.call(t,e)&&(n[e]=t[e]);return n.default=t,n}n.GLYPHICON_DEFAULT={color:"#1edcff"},n.GLYPHICON_HIGHLIGHT={color:"#999999"};var u={QUEUED:"#1b8f72",RUNNING:"#19874e",PLANNING:"#674f98",FINISHED:"#1a4629",BLOCKED:"#61003b",USER_ERROR:"#9a7d66",CANCELED:"#858959",INSUFFICIENT_RESOURCES:"#7f5b72",EXTERNAL_ERROR:"#ca7640",UNKNOWN_ERROR:"#943524"};function a(t,n){return t&&"RUNNING"===n?Math.round(t):100}var c=300,f=.2;function l(t){return t.slice(t.indexOf(".")+1,t.length)}function s(t){return t<10?t.toFixed(2):t<100?t.toFixed(1):Math.round(t).toString()}function h(t){var n="";return t>1e3&&(t/=1e3,n="K"),t>1e3&&(t/=1e3,n="M"),t>1e3&&(t/=1e3,n="B"),t>1e3&&(t/=1e3,n="T"),t>1e3&&(t/=1e3,n="Q"),s(t)+n}function d(t,n){var e=n;return 0===t?"0"+e:(t>=1024&&(t/=1024,e="K"+n),t>=1024&&(t/=1024,e="M"+n),t>=1024&&(t/=1024,e="G"+n),t>=1024&&(t/=1024,e="T"+n),t>=1024&&(t/=1024,e="P"+n),s(t)+e)}function p(t){return(t.getHours()%12||12)+":"+((t.getMinutes()<10?"0":"")+t.getMinutes())+(t.getHours()>=12?"pm":"am")}function v(t){var n=t.lastIndexOf(".");return t.substr(n+1)}},function(t,n,e){"use strict";var r=e(3);t.exports=a;var i="\0",o="\0",u="";function a(t){this._isDirected=!r.has(t,"directed")||t.directed,this._isMultigraph=!!r.has(t,"multigraph")&&t.multigraph,this._isCompound=!!r.has(t,"compound")&&t.compound,this._label=void 0,this._defaultNodeLabelFn=r.constant(void 0),this._defaultEdgeLabelFn=r.constant(void 0),this._nodes={},this._isCompound&&(this._parent={},this._children={},this._children[o]={}),this._in={},this._preds={},this._out={},this._sucs={},this._edgeObjs={},this._edgeLabels={}}function c(t,n){t[n]?t[n]++:t[n]=1}function f(t,n){--t[n]||delete t[n]}function l(t,n,e,o){var a=""+n,c=""+e;if(!t&&a>c){var f=a;a=c,c=f}return a+u+c+u+(r.isUndefined(o)?i:o)}function s(t,n){return l(t,n.v,n.w,n.name)}a.prototype._nodeCount=0,a.prototype._edgeCount=0,a.prototype.isDirected=function(){return this._isDirected},a.prototype.isMultigraph=function(){return this._isMultigraph},a.prototype.isCompound=function(){return this._isCompound},a.prototype.setGraph=function(t){return this._label=t,this},a.prototype.graph=function(){return this._label},a.prototype.setDefaultNodeLabel=function(t){return r.isFunction(t)||(t=r.constant(t)),this._defaultNodeLabelFn=t,this},a.prototype.nodeCount=function(){return this._nodeCount},a.prototype.nodes=function(){return r.keys(this._nodes)},a.prototype.sources=function(){var t=this;return r.filter(this.nodes(),function(n){return r.isEmpty(t._in[n])})},a.prototype.sinks=function(){var t=this;return r.filter(this.nodes(),function(n){return r.isEmpty(t._out[n])})},a.prototype.setNodes=function(t,n){var e=arguments,i=this;return r.each(t,function(t){e.length>1?i.setNode(t,n):i.setNode(t)}),this},a.prototype.setNode=function(t,n){return r.has(this._nodes,t)?(arguments.length>1&&(this._nodes[t]=n),this):(this._nodes[t]=arguments.length>1?n:this._defaultNodeLabelFn(t),this._isCompound&&(this._parent[t]=o,this._children[t]={},this._children[o][t]=!0),this._in[t]={},this._preds[t]={},this._out[t]={},this._sucs[t]={},++this._nodeCount,this)},a.prototype.node=function(t){return this._nodes[t]},a.prototype.hasNode=function(t){return r.has(this._nodes,t)},a.prototype.removeNode=function(t){var n=this;if(r.has(this._nodes,t)){var e=function(t){n.removeEdge(n._edgeObjs[t])};delete this._nodes[t],this._isCompound&&(this._removeFromParentsChildList(t),delete this._parent[t],r.each(this.children(t),function(t){n.setParent(t)}),delete this._children[t]),r.each(r.keys(this._in[t]),e),delete this._in[t],delete this._preds[t],r.each(r.keys(this._out[t]),e),delete this._out[t],delete this._sucs[t],--this._nodeCount}return this},a.prototype.setParent=function(t,n){if(!this._isCompound)throw new Error("Cannot set parent in a non-compound graph");if(r.isUndefined(n))n=o;else{for(var e=n+="";!r.isUndefined(e);e=this.parent(e))if(e===t)throw new Error("Setting "+n+" as parent of "+t+" would create a cycle");this.setNode(n)}return this.setNode(t),this._removeFromParentsChildList(t),this._parent[t]=n,this._children[n][t]=!0,this},a.prototype._removeFromParentsChildList=function(t){delete this._children[this._parent[t]][t]},a.prototype.parent=function(t){if(this._isCompound){var n=this._parent[t];if(n!==o)return n}},a.prototype.children=function(t){if(r.isUndefined(t)&&(t=o),this._isCompound){var n=this._children[t];if(n)return r.keys(n)}else{if(t===o)return this.nodes();if(this.hasNode(t))return[]}},a.prototype.predecessors=function(t){var n=this._preds[t];if(n)return r.keys(n)},a.prototype.successors=function(t){var n=this._sucs[t];if(n)return r.keys(n)},a.prototype.neighbors=function(t){var n=this.predecessors(t);if(n)return r.union(n,this.successors(t))},a.prototype.isLeaf=function(t){return 0===(this.isDirected()?this.successors(t):this.neighbors(t)).length},a.prototype.filterNodes=function(t){var n=new this.constructor({directed:this._isDirected,multigraph:this._isMultigraph,compound:this._isCompound});n.setGraph(this.graph());var e=this;r.each(this._nodes,function(e,r){t(r)&&n.setNode(r,e)}),r.each(this._edgeObjs,function(t){n.hasNode(t.v)&&n.hasNode(t.w)&&n.setEdge(t,e.edge(t))});var i={};return this._isCompound&&r.each(n.nodes(),function(t){n.setParent(t,function t(r){var o=e.parent(r);return void 0===o||n.hasNode(o)?(i[r]=o,o):o in i?i[o]:t(o)}(t))}),n},a.prototype.setDefaultEdgeLabel=function(t){return r.isFunction(t)||(t=r.constant(t)),this._defaultEdgeLabelFn=t,this},a.prototype.edgeCount=function(){return this._edgeCount},a.prototype.edges=function(){return r.values(this._edgeObjs)},a.prototype.setPath=function(t,n){var e=this,i=arguments;return r.reduce(t,function(t,r){return i.length>1?e.setEdge(t,r,n):e.setEdge(t,r),r}),this},a.prototype.setEdge=function(){var t,n,e,i,o=!1,u=arguments[0];"object"==typeof u&&null!==u&&"v"in u?(t=u.v,n=u.w,e=u.name,2===arguments.length&&(i=arguments[1],o=!0)):(t=u,n=arguments[1],e=arguments[3],arguments.length>2&&(i=arguments[2],o=!0)),t=""+t,n=""+n,r.isUndefined(e)||(e=""+e);var a=l(this._isDirected,t,n,e);if(r.has(this._edgeLabels,a))return o&&(this._edgeLabels[a]=i),this;if(!r.isUndefined(e)&&!this._isMultigraph)throw new Error("Cannot set a named edge when isMultigraph = false");this.setNode(t),this.setNode(n),this._edgeLabels[a]=o?i:this._defaultEdgeLabelFn(t,n,e);var f=function(t,n,e,r){var i=""+n,o=""+e;if(!t&&i>o){var u=i;i=o,o=u}var a={v:i,w:o};r&&(a.name=r);return a}(this._isDirected,t,n,e);return t=f.v,n=f.w,Object.freeze(f),this._edgeObjs[a]=f,c(this._preds[n],t),c(this._sucs[t],n),this._in[n][a]=f,this._out[t][a]=f,this._edgeCount++,this},a.prototype.edge=function(t,n,e){var r=1===arguments.length?s(this._isDirected,arguments[0]):l(this._isDirected,t,n,e);return this._edgeLabels[r]},a.prototype.hasEdge=function(t,n,e){var i=1===arguments.length?s(this._isDirected,arguments[0]):l(this._isDirected,t,n,e);return r.has(this._edgeLabels,i)},a.prototype.removeEdge=function(t,n,e){var r=1===arguments.length?s(this._isDirected,arguments[0]):l(this._isDirected,t,n,e),i=this._edgeObjs[r];return i&&(t=i.v,n=i.w,delete this._edgeLabels[r],delete this._edgeObjs[r],f(this._preds[n],t),f(this._sucs[t],n),delete this._in[n][r],delete this._out[t][r],this._edgeCount--),this},a.prototype.inEdges=function(t,n){var e=this._in[t];if(e){var i=r.values(e);return n?r.filter(i,function(t){return t.v===n}):i}},a.prototype.outEdges=function(t,n){var e=this._out[t];if(e){var i=r.values(e);return n?r.filter(i,function(t){return t.w===n}):i}},a.prototype.nodeEdges=function(t,n){var e=this.inEdges(t,n);if(e)return e.concat(this.outEdges(t,n))}},function(t,n){t.exports=function(t,n,e,r){var i=t.x,o=t.y,u=i-r.x,a=o-r.y,c=Math.sqrt(n*n*a*a+e*e*u*u),f=Math.abs(n*e*u/c);r.x0&&(o=c.removeMin(),(u=a[o]).distance!==Number.POSITIVE_INFINITY);)r(o).forEach(f);return a}(t,String(n),e||o,r||function(n){return t.outEdges(n)})};var o=r.constant(1)},function(t,n,e){var r=e(3);function i(){this._arr=[],this._keyIndices={}}t.exports=i,i.prototype.size=function(){return this._arr.length},i.prototype.keys=function(){return this._arr.map(function(t){return t.key})},i.prototype.has=function(t){return r.has(this._keyIndices,t)},i.prototype.priority=function(t){var n=this._keyIndices[t];if(void 0!==n)return this._arr[n].priority},i.prototype.min=function(){if(0===this.size())throw new Error("Queue underflow");return this._arr[0].key},i.prototype.add=function(t,n){var e=this._keyIndices;if(t=String(t),!r.has(e,t)){var i=this._arr,o=i.length;return e[t]=o,i.push({key:t,priority:n}),this._decrease(o),!0}return!1},i.prototype.removeMin=function(){this._swap(0,this._arr.length-1);var t=this._arr.pop();return delete this._keyIndices[t.key],this._heapify(0),t.key},i.prototype.decrease=function(t,n){var e=this._keyIndices[t];if(n>this._arr[e].priority)throw new Error("New priority is greater than current priority. Key: "+t+" Old: "+this._arr[e].priority+" New: "+n);this._arr[e].priority=n,this._decrease(e)},i.prototype._heapify=function(t){var n=this._arr,e=2*t,r=e+1,i=t;e>1].priority + * Copyright JS Foundation and other contributors + * Released under MIT license + * Based on Underscore.js 1.8.3 + * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors + */(function(){var o,u=200,a="Unsupported core-js use. Try https://npms.io/search?q=ponyfill.",c="Expected a function",f="__lodash_hash_undefined__",l=500,s="__lodash_placeholder__",h=1,d=2,p=4,v=1,g=2,y=1,_=2,m=4,b=8,w=16,x=32,M=64,E=128,k=256,N=512,S=30,T="...",C=800,A=16,P=1,R=2,I=1/0,O=9007199254740991,L=1.7976931348623157e308,U=NaN,D=4294967295,z=D-1,F=D>>>1,j=[["ary",E],["bind",y],["bindKey",_],["curry",b],["curryRight",w],["flip",N],["partial",x],["partialRight",M],["rearg",k]],q="[object Arguments]",B="[object Array]",Y="[object AsyncFunction]",H="[object Boolean]",V="[object Date]",$="[object DOMException]",W="[object Error]",X="[object Function]",G="[object GeneratorFunction]",Q="[object Map]",Z="[object Number]",K="[object Null]",J="[object Object]",tt="[object Proxy]",nt="[object RegExp]",et="[object Set]",rt="[object String]",it="[object Symbol]",ot="[object Undefined]",ut="[object WeakMap]",at="[object WeakSet]",ct="[object ArrayBuffer]",ft="[object DataView]",lt="[object Float32Array]",st="[object Float64Array]",ht="[object Int8Array]",dt="[object Int16Array]",pt="[object Int32Array]",vt="[object Uint8Array]",gt="[object Uint8ClampedArray]",yt="[object Uint16Array]",_t="[object Uint32Array]",mt=/\b__p \+= '';/g,bt=/\b(__p \+=) '' \+/g,wt=/(__e\(.*?\)|\b__t\)) \+\n'';/g,xt=/&(?:amp|lt|gt|quot|#39);/g,Mt=/[&<>"']/g,Et=RegExp(xt.source),kt=RegExp(Mt.source),Nt=/<%-([\s\S]+?)%>/g,St=/<%([\s\S]+?)%>/g,Tt=/<%=([\s\S]+?)%>/g,Ct=/\.|\[(?:[^[\]]*|(["'])(?:(?!\1)[^\\]|\\.)*?\1)\]/,At=/^\w*$/,Pt=/[^.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|$))/g,Rt=/[\\^$.*+?()[\]{}|]/g,It=RegExp(Rt.source),Ot=/^\s+|\s+$/g,Lt=/^\s+/,Ut=/\s+$/,Dt=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/,zt=/\{\n\/\* \[wrapped with (.+)\] \*/,Ft=/,? & /,jt=/[^\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]+/g,qt=/\\(\\)?/g,Bt=/\$\{([^\\}]*(?:\\.[^\\}]*)*)\}/g,Yt=/\w*$/,Ht=/^[-+]0x[0-9a-f]+$/i,Vt=/^0b[01]+$/i,$t=/^\[object .+?Constructor\]$/,Wt=/^0o[0-7]+$/i,Xt=/^(?:0|[1-9]\d*)$/,Gt=/[\xc0-\xd6\xd8-\xf6\xf8-\xff\u0100-\u017f]/g,Qt=/($^)/,Zt=/['\n\r\u2028\u2029\\]/g,Kt="\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff",Jt="\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000",tn="[\\ud800-\\udfff]",nn="["+Jt+"]",en="["+Kt+"]",rn="\\d+",on="[\\u2700-\\u27bf]",un="[a-z\\xdf-\\xf6\\xf8-\\xff]",an="[^\\ud800-\\udfff"+Jt+rn+"\\u2700-\\u27bfa-z\\xdf-\\xf6\\xf8-\\xffA-Z\\xc0-\\xd6\\xd8-\\xde]",cn="\\ud83c[\\udffb-\\udfff]",fn="[^\\ud800-\\udfff]",ln="(?:\\ud83c[\\udde6-\\uddff]){2}",sn="[\\ud800-\\udbff][\\udc00-\\udfff]",hn="[A-Z\\xc0-\\xd6\\xd8-\\xde]",dn="(?:"+un+"|"+an+")",pn="(?:"+hn+"|"+an+")",vn="(?:"+en+"|"+cn+")"+"?",gn="[\\ufe0e\\ufe0f]?"+vn+("(?:\\u200d(?:"+[fn,ln,sn].join("|")+")[\\ufe0e\\ufe0f]?"+vn+")*"),yn="(?:"+[on,ln,sn].join("|")+")"+gn,_n="(?:"+[fn+en+"?",en,ln,sn,tn].join("|")+")",mn=RegExp("['’]","g"),bn=RegExp(en,"g"),wn=RegExp(cn+"(?="+cn+")|"+_n+gn,"g"),xn=RegExp([hn+"?"+un+"+(?:['’](?:d|ll|m|re|s|t|ve))?(?="+[nn,hn,"$"].join("|")+")",pn+"+(?:['’](?:D|LL|M|RE|S|T|VE))?(?="+[nn,hn+dn,"$"].join("|")+")",hn+"?"+dn+"+(?:['’](?:d|ll|m|re|s|t|ve))?",hn+"+(?:['’](?:D|LL|M|RE|S|T|VE))?","\\d*(?:1ST|2ND|3RD|(?![123])\\dTH)(?=\\b|[a-z_])","\\d*(?:1st|2nd|3rd|(?![123])\\dth)(?=\\b|[A-Z_])",rn,yn].join("|"),"g"),Mn=RegExp("[\\u200d\\ud800-\\udfff"+Kt+"\\ufe0e\\ufe0f]"),En=/[a-z][A-Z]|[A-Z]{2,}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/,kn=["Array","Buffer","DataView","Date","Error","Float32Array","Float64Array","Function","Int8Array","Int16Array","Int32Array","Map","Math","Object","Promise","RegExp","Set","String","Symbol","TypeError","Uint8Array","Uint8ClampedArray","Uint16Array","Uint32Array","WeakMap","_","clearTimeout","isFinite","parseInt","setTimeout"],Nn=-1,Sn={};Sn[lt]=Sn[st]=Sn[ht]=Sn[dt]=Sn[pt]=Sn[vt]=Sn[gt]=Sn[yt]=Sn[_t]=!0,Sn[q]=Sn[B]=Sn[ct]=Sn[H]=Sn[ft]=Sn[V]=Sn[W]=Sn[X]=Sn[Q]=Sn[Z]=Sn[J]=Sn[nt]=Sn[et]=Sn[rt]=Sn[ut]=!1;var Tn={};Tn[q]=Tn[B]=Tn[ct]=Tn[ft]=Tn[H]=Tn[V]=Tn[lt]=Tn[st]=Tn[ht]=Tn[dt]=Tn[pt]=Tn[Q]=Tn[Z]=Tn[J]=Tn[nt]=Tn[et]=Tn[rt]=Tn[it]=Tn[vt]=Tn[gt]=Tn[yt]=Tn[_t]=!0,Tn[W]=Tn[X]=Tn[ut]=!1;var Cn={"\\":"\\","'":"'","\n":"n","\r":"r","\u2028":"u2028","\u2029":"u2029"},An=parseFloat,Pn=parseInt,Rn="object"==typeof t&&t&&t.Object===Object&&t,In="object"==typeof self&&self&&self.Object===Object&&self,On=Rn||In||Function("return this")(),Ln="object"==typeof n&&n&&!n.nodeType&&n,Un=Ln&&"object"==typeof r&&r&&!r.nodeType&&r,Dn=Un&&Un.exports===Ln,zn=Dn&&Rn.process,Fn=function(){try{var t=Un&&Un.require&&Un.require("util").types;return t||zn&&zn.binding&&zn.binding("util")}catch(t){}}(),jn=Fn&&Fn.isArrayBuffer,qn=Fn&&Fn.isDate,Bn=Fn&&Fn.isMap,Yn=Fn&&Fn.isRegExp,Hn=Fn&&Fn.isSet,Vn=Fn&&Fn.isTypedArray;function $n(t,n,e){switch(e.length){case 0:return t.call(n);case 1:return t.call(n,e[0]);case 2:return t.call(n,e[0],e[1]);case 3:return t.call(n,e[0],e[1],e[2])}return t.apply(n,e)}function Wn(t,n,e,r){for(var i=-1,o=null==t?0:t.length;++i-1}function Jn(t,n,e){for(var r=-1,i=null==t?0:t.length;++r-1;);return e}function we(t,n){for(var e=t.length;e--&&ce(n,t[e],0)>-1;);return e}var xe=de({"À":"A","Á":"A","Â":"A","Ã":"A","Ä":"A","Å":"A","à":"a","á":"a","â":"a","ã":"a","ä":"a","å":"a","Ç":"C","ç":"c","Ð":"D","ð":"d","È":"E","É":"E","Ê":"E","Ë":"E","è":"e","é":"e","ê":"e","ë":"e","Ì":"I","Í":"I","Î":"I","Ï":"I","ì":"i","í":"i","î":"i","ï":"i","Ñ":"N","ñ":"n","Ò":"O","Ó":"O","Ô":"O","Õ":"O","Ö":"O","Ø":"O","ò":"o","ó":"o","ô":"o","õ":"o","ö":"o","ø":"o","Ù":"U","Ú":"U","Û":"U","Ü":"U","ù":"u","ú":"u","û":"u","ü":"u","Ý":"Y","ý":"y","ÿ":"y","Æ":"Ae","æ":"ae","Þ":"Th","þ":"th","ß":"ss","Ā":"A","Ă":"A","Ą":"A","ā":"a","ă":"a","ą":"a","Ć":"C","Ĉ":"C","Ċ":"C","Č":"C","ć":"c","ĉ":"c","ċ":"c","č":"c","Ď":"D","Đ":"D","ď":"d","đ":"d","Ē":"E","Ĕ":"E","Ė":"E","Ę":"E","Ě":"E","ē":"e","ĕ":"e","ė":"e","ę":"e","ě":"e","Ĝ":"G","Ğ":"G","Ġ":"G","Ģ":"G","ĝ":"g","ğ":"g","ġ":"g","ģ":"g","Ĥ":"H","Ħ":"H","ĥ":"h","ħ":"h","Ĩ":"I","Ī":"I","Ĭ":"I","Į":"I","İ":"I","ĩ":"i","ī":"i","ĭ":"i","į":"i","ı":"i","Ĵ":"J","ĵ":"j","Ķ":"K","ķ":"k","ĸ":"k","Ĺ":"L","Ļ":"L","Ľ":"L","Ŀ":"L","Ł":"L","ĺ":"l","ļ":"l","ľ":"l","ŀ":"l","ł":"l","Ń":"N","Ņ":"N","Ň":"N","Ŋ":"N","ń":"n","ņ":"n","ň":"n","ŋ":"n","Ō":"O","Ŏ":"O","Ő":"O","ō":"o","ŏ":"o","ő":"o","Ŕ":"R","Ŗ":"R","Ř":"R","ŕ":"r","ŗ":"r","ř":"r","Ś":"S","Ŝ":"S","Ş":"S","Š":"S","ś":"s","ŝ":"s","ş":"s","š":"s","Ţ":"T","Ť":"T","Ŧ":"T","ţ":"t","ť":"t","ŧ":"t","Ũ":"U","Ū":"U","Ŭ":"U","Ů":"U","Ű":"U","Ų":"U","ũ":"u","ū":"u","ŭ":"u","ů":"u","ű":"u","ų":"u","Ŵ":"W","ŵ":"w","Ŷ":"Y","ŷ":"y","Ÿ":"Y","Ź":"Z","Ż":"Z","Ž":"Z","ź":"z","ż":"z","ž":"z","IJ":"IJ","ij":"ij","Œ":"Oe","œ":"oe","ʼn":"'n","ſ":"s"}),Me=de({"&":"&","<":"<",">":">",'"':""","'":"'"});function Ee(t){return"\\"+Cn[t]}function ke(t){return Mn.test(t)}function Ne(t){var n=-1,e=Array(t.size);return t.forEach(function(t,r){e[++n]=[r,t]}),e}function Se(t,n){return function(e){return t(n(e))}}function Te(t,n){for(var e=-1,r=t.length,i=0,o=[];++e",""":'"',"'":"'"});var Le=function t(n){var e=(n=null==n?On:Le.defaults(On.Object(),n,Le.pick(On,kn))).Array,r=n.Date,i=n.Error,Kt=n.Function,Jt=n.Math,tn=n.Object,nn=n.RegExp,en=n.String,rn=n.TypeError,on=e.prototype,un=Kt.prototype,an=tn.prototype,cn=n["__core-js_shared__"],fn=un.toString,ln=an.hasOwnProperty,sn=0,hn=function(){var t=/[^.]+$/.exec(cn&&cn.keys&&cn.keys.IE_PROTO||"");return t?"Symbol(src)_1."+t:""}(),dn=an.toString,pn=fn.call(tn),vn=On._,gn=nn("^"+fn.call(ln).replace(Rt,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$"),yn=Dn?n.Buffer:o,_n=n.Symbol,wn=n.Uint8Array,Mn=yn?yn.allocUnsafe:o,Cn=Se(tn.getPrototypeOf,tn),Rn=tn.create,In=an.propertyIsEnumerable,Ln=on.splice,Un=_n?_n.isConcatSpreadable:o,zn=_n?_n.iterator:o,Fn=_n?_n.toStringTag:o,oe=function(){try{var t=Fo(tn,"defineProperty");return t({},"",{}),t}catch(t){}}(),de=n.clearTimeout!==On.clearTimeout&&n.clearTimeout,Ue=r&&r.now!==On.Date.now&&r.now,De=n.setTimeout!==On.setTimeout&&n.setTimeout,ze=Jt.ceil,Fe=Jt.floor,je=tn.getOwnPropertySymbols,qe=yn?yn.isBuffer:o,Be=n.isFinite,Ye=on.join,He=Se(tn.keys,tn),Ve=Jt.max,$e=Jt.min,We=r.now,Xe=n.parseInt,Ge=Jt.random,Qe=on.reverse,Ze=Fo(n,"DataView"),Ke=Fo(n,"Map"),Je=Fo(n,"Promise"),tr=Fo(n,"Set"),nr=Fo(n,"WeakMap"),er=Fo(tn,"create"),rr=nr&&new nr,ir={},or=lu(Ze),ur=lu(Ke),ar=lu(Je),cr=lu(tr),fr=lu(nr),lr=_n?_n.prototype:o,sr=lr?lr.valueOf:o,hr=lr?lr.toString:o;function dr(t){if(Sa(t)&&!ga(t)&&!(t instanceof yr)){if(t instanceof gr)return t;if(ln.call(t,"__wrapped__"))return su(t)}return new gr(t)}var pr=function(){function t(){}return function(n){if(!Na(n))return{};if(Rn)return Rn(n);t.prototype=n;var e=new t;return t.prototype=o,e}}();function vr(){}function gr(t,n){this.__wrapped__=t,this.__actions__=[],this.__chain__=!!n,this.__index__=0,this.__values__=o}function yr(t){this.__wrapped__=t,this.__actions__=[],this.__dir__=1,this.__filtered__=!1,this.__iteratees__=[],this.__takeCount__=D,this.__views__=[]}function _r(t){var n=-1,e=null==t?0:t.length;for(this.clear();++n=n?t:n)),t}function Lr(t,n,e,r,i,u){var a,c=n&h,f=n&d,l=n&p;if(e&&(a=i?e(t,r,i,u):e(t)),a!==o)return a;if(!Na(t))return t;var s=ga(t);if(s){if(a=function(t){var n=t.length,e=new t.constructor(n);return n&&"string"==typeof t[0]&&ln.call(t,"index")&&(e.index=t.index,e.input=t.input),e}(t),!c)return eo(t,a)}else{var v=Bo(t),g=v==X||v==G;if(ba(t))return Qi(t,c);if(v==J||v==q||g&&!i){if(a=f||g?{}:Ho(t),!c)return f?function(t,n){return ro(t,qo(t),n)}(t,function(t,n){return t&&ro(n,ic(n),t)}(a,t)):function(t,n){return ro(t,jo(t),n)}(t,Pr(a,t))}else{if(!Tn[v])return i?t:{};a=function(t,n,e){var r=t.constructor;switch(n){case ct:return Zi(t);case H:case V:return new r(+t);case ft:return function(t,n){var e=n?Zi(t.buffer):t.buffer;return new t.constructor(e,t.byteOffset,t.byteLength)}(t,e);case lt:case st:case ht:case dt:case pt:case vt:case gt:case yt:case _t:return Ki(t,e);case Q:return new r;case Z:case rt:return new r(t);case nt:return function(t){var n=new t.constructor(t.source,Yt.exec(t));return n.lastIndex=t.lastIndex,n}(t);case et:return new r;case it:return function(t){return sr?tn(sr.call(t)):{}}(t)}}(t,v,c)}}u||(u=new xr);var y=u.get(t);if(y)return y;if(u.set(t,a),Ra(t))return t.forEach(function(r){a.add(Lr(r,n,e,r,t,u))}),a;if(Ta(t))return t.forEach(function(r,i){a.set(i,Lr(r,n,e,i,t,u))}),a;var _=s?o:(l?f?Ro:Po:f?ic:rc)(t);return Xn(_||t,function(r,i){_&&(r=t[i=r]),Tr(a,i,Lr(r,n,e,i,t,u))}),a}function Ur(t,n,e){var r=e.length;if(null==t)return!r;for(t=tn(t);r--;){var i=e[r],u=n[i],a=t[i];if(a===o&&!(i in t)||!u(a))return!1}return!0}function Dr(t,n,e){if("function"!=typeof t)throw new rn(c);return ru(function(){t.apply(o,e)},n)}function zr(t,n,e,r){var i=-1,o=Kn,a=!0,c=t.length,f=[],l=n.length;if(!c)return f;e&&(n=te(n,ye(e))),r?(o=Jn,a=!1):n.length>=u&&(o=me,a=!1,n=new wr(n));t:for(;++i-1},mr.prototype.set=function(t,n){var e=this.__data__,r=Cr(e,t);return r<0?(++this.size,e.push([t,n])):e[r][1]=n,this},br.prototype.clear=function(){this.size=0,this.__data__={hash:new _r,map:new(Ke||mr),string:new _r}},br.prototype.delete=function(t){var n=Do(this,t).delete(t);return this.size-=n?1:0,n},br.prototype.get=function(t){return Do(this,t).get(t)},br.prototype.has=function(t){return Do(this,t).has(t)},br.prototype.set=function(t,n){var e=Do(this,t),r=e.size;return e.set(t,n),this.size+=e.size==r?0:1,this},wr.prototype.add=wr.prototype.push=function(t){return this.__data__.set(t,f),this},wr.prototype.has=function(t){return this.__data__.has(t)},xr.prototype.clear=function(){this.__data__=new mr,this.size=0},xr.prototype.delete=function(t){var n=this.__data__,e=n.delete(t);return this.size=n.size,e},xr.prototype.get=function(t){return this.__data__.get(t)},xr.prototype.has=function(t){return this.__data__.has(t)},xr.prototype.set=function(t,n){var e=this.__data__;if(e instanceof mr){var r=e.__data__;if(!Ke||r.length0&&e(a)?n>1?Hr(a,n-1,e,r,i):ne(i,a):r||(i[i.length]=a)}return i}var Vr=ao(),$r=ao(!0);function Wr(t,n){return t&&Vr(t,n,rc)}function Xr(t,n){return t&&$r(t,n,rc)}function Gr(t,n){return Zn(n,function(n){return Ma(t[n])})}function Qr(t,n){for(var e=0,r=(n=$i(n,t)).length;null!=t&&en}function ti(t,n){return null!=t&&ln.call(t,n)}function ni(t,n){return null!=t&&n in tn(t)}function ei(t,n,r){for(var i=r?Jn:Kn,u=t[0].length,a=t.length,c=a,f=e(a),l=1/0,s=[];c--;){var h=t[c];c&&n&&(h=te(h,ye(n))),l=$e(h.length,l),f[c]=!r&&(n||u>=120&&h.length>=120)?new wr(c&&h):o}h=t[0];var d=-1,p=f[0];t:for(;++d=a)return c;var f=e[r];return c*("desc"==f?-1:1)}}return t.index-n.index}(t,n,e)})}function _i(t,n,e){for(var r=-1,i=n.length,o={};++r-1;)a!==t&&Ln.call(a,c,1),Ln.call(t,c,1);return t}function bi(t,n){for(var e=t?n.length:0,r=e-1;e--;){var i=n[e];if(e==r||i!==o){var o=i;$o(i)?Ln.call(t,i,1):zi(t,i)}}return t}function wi(t,n){return t+Fe(Ge()*(n-t+1))}function xi(t,n){var e="";if(!t||n<1||n>O)return e;do{n%2&&(e+=t),(n=Fe(n/2))&&(t+=t)}while(n);return e}function Mi(t,n){return iu(tu(t,n,Cc),t+"")}function Ei(t){return Er(hc(t))}function ki(t,n){var e=hc(t);return au(e,Or(n,0,e.length))}function Ni(t,n,e,r){if(!Na(t))return t;for(var i=-1,u=(n=$i(n,t)).length,a=u-1,c=t;null!=c&&++io?0:o+n),(r=r>o?o:r)<0&&(r+=o),o=n>r?0:r-n>>>0,n>>>=0;for(var u=e(o);++i>>1,u=t[o];null!==u&&!Oa(u)&&(e?u<=n:u=u){var l=n?null:Mo(t);if(l)return Ae(l);a=!1,i=me,f=new wr}else f=n?[]:c;t:for(;++r=r?t:Ai(t,n,e)}var Gi=de||function(t){return On.clearTimeout(t)};function Qi(t,n){if(n)return t.slice();var e=t.length,r=Mn?Mn(e):new t.constructor(e);return t.copy(r),r}function Zi(t){var n=new t.constructor(t.byteLength);return new wn(n).set(new wn(t)),n}function Ki(t,n){var e=n?Zi(t.buffer):t.buffer;return new t.constructor(e,t.byteOffset,t.length)}function Ji(t,n){if(t!==n){var e=t!==o,r=null===t,i=t==t,u=Oa(t),a=n!==o,c=null===n,f=n==n,l=Oa(n);if(!c&&!l&&!u&&t>n||u&&a&&f&&!c&&!l||r&&a&&f||!e&&f||!i)return 1;if(!r&&!u&&!l&&t1?e[i-1]:o,a=i>2?e[2]:o;for(u=t.length>3&&"function"==typeof u?(i--,u):o,a&&Wo(e[0],e[1],a)&&(u=i<3?o:u,i=1),n=tn(n);++r-1?i[u?n[a]:a]:o}}function ho(t){return Ao(function(n){var e=n.length,r=e,i=gr.prototype.thru;for(t&&n.reverse();r--;){var u=n[r];if("function"!=typeof u)throw new rn(c);if(i&&!a&&"wrapper"==Oo(u))var a=new gr([],!0)}for(r=a?r:e;++r1&&b.reverse(),h&&l<_&&(b.length=l),this&&this!==On&&this instanceof y&&(N=m||lo(N)),N.apply(k,b)}}function vo(t,n){return function(e,r){return function(t,n,e,r){return Wr(t,function(t,i,o){n(r,e(t),i,o)}),r}(e,t,n(r),{})}}function go(t,n){return function(e,r){var i;if(e===o&&r===o)return n;if(e!==o&&(i=e),r!==o){if(i===o)return r;"string"==typeof e||"string"==typeof r?(e=Ui(e),r=Ui(r)):(e=Li(e),r=Li(r)),i=t(e,r)}return i}}function yo(t){return Ao(function(n){return n=te(n,ye(Uo())),Mi(function(e){var r=this;return t(n,function(t){return $n(t,r,e)})})})}function _o(t,n){var e=(n=n===o?" ":Ui(n)).length;if(e<2)return e?xi(n,t):n;var r=xi(n,ze(t/Re(n)));return ke(n)?Xi(Ie(r),0,t).join(""):r.slice(0,t)}function mo(t){return function(n,r,i){return i&&"number"!=typeof i&&Wo(n,r,i)&&(r=i=o),n=Fa(n),r===o?(r=n,n=0):r=Fa(r),function(t,n,r,i){for(var o=-1,u=Ve(ze((n-t)/(r||1)),0),a=e(u);u--;)a[i?u:++o]=t,t+=r;return a}(n,r,i=i===o?nc))return!1;var l=u.get(t);if(l&&u.get(n))return l==n;var s=-1,h=!0,d=e&g?new wr:o;for(u.set(t,n),u.set(n,t);++s-1&&t%1==0&&t1?"& ":"")+n[r],n=n.join(e>2?", ":" "),t.replace(Dt,"{\n/* [wrapped with "+n+"] */\n")}(r,function(t,n){return Xn(j,function(e){var r="_."+e[0];n&e[1]&&!Kn(t,r)&&t.push(r)}),t.sort()}(function(t){var n=t.match(zt);return n?n[1].split(Ft):[]}(r),e)))}function uu(t){var n=0,e=0;return function(){var r=We(),i=A-(r-e);if(e=r,i>0){if(++n>=C)return arguments[0]}else n=0;return t.apply(o,arguments)}}function au(t,n){var e=-1,r=t.length,i=r-1;for(n=n===o?r:n;++e1?t[n-1]:o;return Pu(t,e="function"==typeof e?(t.pop(),e):o)});function zu(t){var n=dr(t);return n.__chain__=!0,n}function Fu(t,n){return n(t)}var ju=Ao(function(t){var n=t.length,e=n?t[0]:0,r=this.__wrapped__,i=function(n){return Ir(n,t)};return!(n>1||this.__actions__.length)&&r instanceof yr&&$o(e)?((r=r.slice(e,+e+(n?1:0))).__actions__.push({func:Fu,args:[i],thisArg:o}),new gr(r,this.__chain__).thru(function(t){return n&&!t.length&&t.push(o),t})):this.thru(i)});var qu=io(function(t,n,e){ln.call(t,e)?++t[e]:Rr(t,e,1)});var Bu=so(vu),Yu=so(gu);function Hu(t,n){return(ga(t)?Xn:Fr)(t,Uo(n,3))}function Vu(t,n){return(ga(t)?Gn:jr)(t,Uo(n,3))}var $u=io(function(t,n,e){ln.call(t,e)?t[e].push(n):Rr(t,e,[n])});var Wu=Mi(function(t,n,r){var i=-1,o="function"==typeof n,u=_a(t)?e(t.length):[];return Fr(t,function(t){u[++i]=o?$n(n,t,r):ri(t,n,r)}),u}),Xu=io(function(t,n,e){Rr(t,e,n)});function Gu(t,n){return(ga(t)?te:hi)(t,Uo(n,3))}var Qu=io(function(t,n,e){t[e?0:1].push(n)},function(){return[[],[]]});var Zu=Mi(function(t,n){if(null==t)return[];var e=n.length;return e>1&&Wo(t,n[0],n[1])?n=[]:e>2&&Wo(n[0],n[1],n[2])&&(n=[n[0]]),yi(t,Hr(n,1),[])}),Ku=Ue||function(){return On.Date.now()};function Ju(t,n,e){return n=e?o:n,n=t&&null==n?t.length:n,ko(t,E,o,o,o,o,n)}function ta(t,n){var e;if("function"!=typeof n)throw new rn(c);return t=ja(t),function(){return--t>0&&(e=n.apply(this,arguments)),t<=1&&(n=o),e}}var na=Mi(function(t,n,e){var r=y;if(e.length){var i=Te(e,Lo(na));r|=x}return ko(t,r,n,e,i)}),ea=Mi(function(t,n,e){var r=y|_;if(e.length){var i=Te(e,Lo(ea));r|=x}return ko(n,r,t,e,i)});function ra(t,n,e){var r,i,u,a,f,l,s=0,h=!1,d=!1,p=!0;if("function"!=typeof t)throw new rn(c);function v(n){var e=r,u=i;return r=i=o,s=n,a=t.apply(u,e)}function g(t){var e=t-l;return l===o||e>=n||e<0||d&&t-s>=u}function y(){var t=Ku();if(g(t))return _(t);f=ru(y,function(t){var e=n-(t-l);return d?$e(e,u-(t-s)):e}(t))}function _(t){return f=o,p&&r?v(t):(r=i=o,a)}function m(){var t=Ku(),e=g(t);if(r=arguments,i=this,l=t,e){if(f===o)return function(t){return s=t,f=ru(y,n),h?v(t):a}(l);if(d)return f=ru(y,n),v(l)}return f===o&&(f=ru(y,n)),a}return n=Ba(n)||0,Na(e)&&(h=!!e.leading,u=(d="maxWait"in e)?Ve(Ba(e.maxWait)||0,n):u,p="trailing"in e?!!e.trailing:p),m.cancel=function(){f!==o&&Gi(f),s=0,r=l=i=f=o},m.flush=function(){return f===o?a:_(Ku())},m}var ia=Mi(function(t,n){return Dr(t,1,n)}),oa=Mi(function(t,n,e){return Dr(t,Ba(n)||0,e)});function ua(t,n){if("function"!=typeof t||null!=n&&"function"!=typeof n)throw new rn(c);var e=function(){var r=arguments,i=n?n.apply(this,r):r[0],o=e.cache;if(o.has(i))return o.get(i);var u=t.apply(this,r);return e.cache=o.set(i,u)||o,u};return e.cache=new(ua.Cache||br),e}function aa(t){if("function"!=typeof t)throw new rn(c);return function(){var n=arguments;switch(n.length){case 0:return!t.call(this);case 1:return!t.call(this,n[0]);case 2:return!t.call(this,n[0],n[1]);case 3:return!t.call(this,n[0],n[1],n[2])}return!t.apply(this,n)}}ua.Cache=br;var ca=Wi(function(t,n){var e=(n=1==n.length&&ga(n[0])?te(n[0],ye(Uo())):te(Hr(n,1),ye(Uo()))).length;return Mi(function(r){for(var i=-1,o=$e(r.length,e);++i=n}),va=ii(function(){return arguments}())?ii:function(t){return Sa(t)&&ln.call(t,"callee")&&!In.call(t,"callee")},ga=e.isArray,ya=jn?ye(jn):function(t){return Sa(t)&&Kr(t)==ct};function _a(t){return null!=t&&ka(t.length)&&!Ma(t)}function ma(t){return Sa(t)&&_a(t)}var ba=qe||Bc,wa=qn?ye(qn):function(t){return Sa(t)&&Kr(t)==V};function xa(t){if(!Sa(t))return!1;var n=Kr(t);return n==W||n==$||"string"==typeof t.message&&"string"==typeof t.name&&!Aa(t)}function Ma(t){if(!Na(t))return!1;var n=Kr(t);return n==X||n==G||n==Y||n==tt}function Ea(t){return"number"==typeof t&&t==ja(t)}function ka(t){return"number"==typeof t&&t>-1&&t%1==0&&t<=O}function Na(t){var n=typeof t;return null!=t&&("object"==n||"function"==n)}function Sa(t){return null!=t&&"object"==typeof t}var Ta=Bn?ye(Bn):function(t){return Sa(t)&&Bo(t)==Q};function Ca(t){return"number"==typeof t||Sa(t)&&Kr(t)==Z}function Aa(t){if(!Sa(t)||Kr(t)!=J)return!1;var n=Cn(t);if(null===n)return!0;var e=ln.call(n,"constructor")&&n.constructor;return"function"==typeof e&&e instanceof e&&fn.call(e)==pn}var Pa=Yn?ye(Yn):function(t){return Sa(t)&&Kr(t)==nt};var Ra=Hn?ye(Hn):function(t){return Sa(t)&&Bo(t)==et};function Ia(t){return"string"==typeof t||!ga(t)&&Sa(t)&&Kr(t)==rt}function Oa(t){return"symbol"==typeof t||Sa(t)&&Kr(t)==it}var La=Vn?ye(Vn):function(t){return Sa(t)&&ka(t.length)&&!!Sn[Kr(t)]};var Ua=bo(si),Da=bo(function(t,n){return t<=n});function za(t){if(!t)return[];if(_a(t))return Ia(t)?Ie(t):eo(t);if(zn&&t[zn])return function(t){for(var n,e=[];!(n=t.next()).done;)e.push(n.value);return e}(t[zn]());var n=Bo(t);return(n==Q?Ne:n==et?Ae:hc)(t)}function Fa(t){return t?(t=Ba(t))===I||t===-I?(t<0?-1:1)*L:t==t?t:0:0===t?t:0}function ja(t){var n=Fa(t),e=n%1;return n==n?e?n-e:n:0}function qa(t){return t?Or(ja(t),0,D):0}function Ba(t){if("number"==typeof t)return t;if(Oa(t))return U;if(Na(t)){var n="function"==typeof t.valueOf?t.valueOf():t;t=Na(n)?n+"":n}if("string"!=typeof t)return 0===t?t:+t;t=t.replace(Ot,"");var e=Vt.test(t);return e||Wt.test(t)?Pn(t.slice(2),e?2:8):Ht.test(t)?U:+t}function Ya(t){return ro(t,ic(t))}function Ha(t){return null==t?"":Ui(t)}var Va=oo(function(t,n){if(Zo(n)||_a(n))ro(n,rc(n),t);else for(var e in n)ln.call(n,e)&&Tr(t,e,n[e])}),$a=oo(function(t,n){ro(n,ic(n),t)}),Wa=oo(function(t,n,e,r){ro(n,ic(n),t,r)}),Xa=oo(function(t,n,e,r){ro(n,rc(n),t,r)}),Ga=Ao(Ir);var Qa=Mi(function(t,n){t=tn(t);var e=-1,r=n.length,i=r>2?n[2]:o;for(i&&Wo(n[0],n[1],i)&&(r=1);++e1),n}),ro(t,Ro(t),e),r&&(e=Lr(e,h|d|p,To));for(var i=n.length;i--;)zi(e,n[i]);return e});var cc=Ao(function(t,n){return null==t?{}:function(t,n){return _i(t,n,function(n,e){return Ja(t,e)})}(t,n)});function fc(t,n){if(null==t)return{};var e=te(Ro(t),function(t){return[t]});return n=Uo(n),_i(t,e,function(t,e){return n(t,e[0])})}var lc=Eo(rc),sc=Eo(ic);function hc(t){return null==t?[]:_e(t,rc(t))}var dc=fo(function(t,n,e){return n=n.toLowerCase(),t+(e?pc(n):n)});function pc(t){return xc(Ha(t).toLowerCase())}function vc(t){return(t=Ha(t))&&t.replace(Gt,xe).replace(bn,"")}var gc=fo(function(t,n,e){return t+(e?"-":"")+n.toLowerCase()}),yc=fo(function(t,n,e){return t+(e?" ":"")+n.toLowerCase()}),_c=co("toLowerCase");var mc=fo(function(t,n,e){return t+(e?"_":"")+n.toLowerCase()});var bc=fo(function(t,n,e){return t+(e?" ":"")+xc(n)});var wc=fo(function(t,n,e){return t+(e?" ":"")+n.toUpperCase()}),xc=co("toUpperCase");function Mc(t,n,e){return t=Ha(t),(n=e?o:n)===o?function(t){return En.test(t)}(t)?function(t){return t.match(xn)||[]}(t):function(t){return t.match(jt)||[]}(t):t.match(n)||[]}var Ec=Mi(function(t,n){try{return $n(t,o,n)}catch(t){return xa(t)?t:new i(t)}}),kc=Ao(function(t,n){return Xn(n,function(n){n=fu(n),Rr(t,n,na(t[n],t))}),t});function Nc(t){return function(){return t}}var Sc=ho(),Tc=ho(!0);function Cc(t){return t}function Ac(t){return ci("function"==typeof t?t:Lr(t,h))}var Pc=Mi(function(t,n){return function(e){return ri(e,t,n)}}),Rc=Mi(function(t,n){return function(e){return ri(t,e,n)}});function Ic(t,n,e){var r=rc(n),i=Gr(n,r);null!=e||Na(n)&&(i.length||!r.length)||(e=n,n=t,t=this,i=Gr(n,rc(n)));var o=!(Na(e)&&"chain"in e&&!e.chain),u=Ma(t);return Xn(i,function(e){var r=n[e];t[e]=r,u&&(t.prototype[e]=function(){var n=this.__chain__;if(o||n){var e=t(this.__wrapped__);return(e.__actions__=eo(this.__actions__)).push({func:r,args:arguments,thisArg:t}),e.__chain__=n,e}return r.apply(t,ne([this.value()],arguments))})}),t}function Oc(){}var Lc=yo(te),Uc=yo(Qn),Dc=yo(ie);function zc(t){return Xo(t)?he(fu(t)):function(t){return function(n){return Qr(n,t)}}(t)}var Fc=mo(),jc=mo(!0);function qc(){return[]}function Bc(){return!1}var Yc=go(function(t,n){return t+n},0),Hc=xo("ceil"),Vc=go(function(t,n){return t/n},1),$c=xo("floor");var Wc=go(function(t,n){return t*n},1),Xc=xo("round"),Gc=go(function(t,n){return t-n},0);return dr.after=function(t,n){if("function"!=typeof n)throw new rn(c);return t=ja(t),function(){if(--t<1)return n.apply(this,arguments)}},dr.ary=Ju,dr.assign=Va,dr.assignIn=$a,dr.assignInWith=Wa,dr.assignWith=Xa,dr.at=Ga,dr.before=ta,dr.bind=na,dr.bindAll=kc,dr.bindKey=ea,dr.castArray=function(){if(!arguments.length)return[];var t=arguments[0];return ga(t)?t:[t]},dr.chain=zu,dr.chunk=function(t,n,r){n=(r?Wo(t,n,r):n===o)?1:Ve(ja(n),0);var i=null==t?0:t.length;if(!i||n<1)return[];for(var u=0,a=0,c=e(ze(i/n));ui?0:i+e),(r=r===o||r>i?i:ja(r))<0&&(r+=i),r=e>r?0:qa(r);e>>0)?(t=Ha(t))&&("string"==typeof n||null!=n&&!Pa(n))&&!(n=Ui(n))&&ke(t)?Xi(Ie(t),0,e):t.split(n,e):[]},dr.spread=function(t,n){if("function"!=typeof t)throw new rn(c);return n=null==n?0:Ve(ja(n),0),Mi(function(e){var r=e[n],i=Xi(e,0,n);return r&&ne(i,r),$n(t,this,i)})},dr.tail=function(t){var n=null==t?0:t.length;return n?Ai(t,1,n):[]},dr.take=function(t,n,e){return t&&t.length?Ai(t,0,(n=e||n===o?1:ja(n))<0?0:n):[]},dr.takeRight=function(t,n,e){var r=null==t?0:t.length;return r?Ai(t,(n=r-(n=e||n===o?1:ja(n)))<0?0:n,r):[]},dr.takeRightWhile=function(t,n){return t&&t.length?ji(t,Uo(n,3),!1,!0):[]},dr.takeWhile=function(t,n){return t&&t.length?ji(t,Uo(n,3)):[]},dr.tap=function(t,n){return n(t),t},dr.throttle=function(t,n,e){var r=!0,i=!0;if("function"!=typeof t)throw new rn(c);return Na(e)&&(r="leading"in e?!!e.leading:r,i="trailing"in e?!!e.trailing:i),ra(t,n,{leading:r,maxWait:n,trailing:i})},dr.thru=Fu,dr.toArray=za,dr.toPairs=lc,dr.toPairsIn=sc,dr.toPath=function(t){return ga(t)?te(t,fu):Oa(t)?[t]:eo(cu(Ha(t)))},dr.toPlainObject=Ya,dr.transform=function(t,n,e){var r=ga(t),i=r||ba(t)||La(t);if(n=Uo(n,4),null==e){var o=t&&t.constructor;e=i?r?new o:[]:Na(t)&&Ma(o)?pr(Cn(t)):{}}return(i?Xn:Wr)(t,function(t,r,i){return n(e,t,r,i)}),e},dr.unary=function(t){return Ju(t,1)},dr.union=Su,dr.unionBy=Tu,dr.unionWith=Cu,dr.uniq=function(t){return t&&t.length?Di(t):[]},dr.uniqBy=function(t,n){return t&&t.length?Di(t,Uo(n,2)):[]},dr.uniqWith=function(t,n){return n="function"==typeof n?n:o,t&&t.length?Di(t,o,n):[]},dr.unset=function(t,n){return null==t||zi(t,n)},dr.unzip=Au,dr.unzipWith=Pu,dr.update=function(t,n,e){return null==t?t:Fi(t,n,Vi(e))},dr.updateWith=function(t,n,e,r){return r="function"==typeof r?r:o,null==t?t:Fi(t,n,Vi(e),r)},dr.values=hc,dr.valuesIn=function(t){return null==t?[]:_e(t,ic(t))},dr.without=Ru,dr.words=Mc,dr.wrap=function(t,n){return fa(Vi(n),t)},dr.xor=Iu,dr.xorBy=Ou,dr.xorWith=Lu,dr.zip=Uu,dr.zipObject=function(t,n){return Yi(t||[],n||[],Tr)},dr.zipObjectDeep=function(t,n){return Yi(t||[],n||[],Ni)},dr.zipWith=Du,dr.entries=lc,dr.entriesIn=sc,dr.extend=$a,dr.extendWith=Wa,Ic(dr,dr),dr.add=Yc,dr.attempt=Ec,dr.camelCase=dc,dr.capitalize=pc,dr.ceil=Hc,dr.clamp=function(t,n,e){return e===o&&(e=n,n=o),e!==o&&(e=(e=Ba(e))==e?e:0),n!==o&&(n=(n=Ba(n))==n?n:0),Or(Ba(t),n,e)},dr.clone=function(t){return Lr(t,p)},dr.cloneDeep=function(t){return Lr(t,h|p)},dr.cloneDeepWith=function(t,n){return Lr(t,h|p,n="function"==typeof n?n:o)},dr.cloneWith=function(t,n){return Lr(t,p,n="function"==typeof n?n:o)},dr.conformsTo=function(t,n){return null==n||Ur(t,n,rc(n))},dr.deburr=vc,dr.defaultTo=function(t,n){return null==t||t!=t?n:t},dr.divide=Vc,dr.endsWith=function(t,n,e){t=Ha(t),n=Ui(n);var r=t.length,i=e=e===o?r:Or(ja(e),0,r);return(e-=n.length)>=0&&t.slice(e,i)==n},dr.eq=ha,dr.escape=function(t){return(t=Ha(t))&&kt.test(t)?t.replace(Mt,Me):t},dr.escapeRegExp=function(t){return(t=Ha(t))&&It.test(t)?t.replace(Rt,"\\$&"):t},dr.every=function(t,n,e){var r=ga(t)?Qn:qr;return e&&Wo(t,n,e)&&(n=o),r(t,Uo(n,3))},dr.find=Bu,dr.findIndex=vu,dr.findKey=function(t,n){return ue(t,Uo(n,3),Wr)},dr.findLast=Yu,dr.findLastIndex=gu,dr.findLastKey=function(t,n){return ue(t,Uo(n,3),Xr)},dr.floor=$c,dr.forEach=Hu,dr.forEachRight=Vu,dr.forIn=function(t,n){return null==t?t:Vr(t,Uo(n,3),ic)},dr.forInRight=function(t,n){return null==t?t:$r(t,Uo(n,3),ic)},dr.forOwn=function(t,n){return t&&Wr(t,Uo(n,3))},dr.forOwnRight=function(t,n){return t&&Xr(t,Uo(n,3))},dr.get=Ka,dr.gt=da,dr.gte=pa,dr.has=function(t,n){return null!=t&&Yo(t,n,ti)},dr.hasIn=Ja,dr.head=_u,dr.identity=Cc,dr.includes=function(t,n,e,r){t=_a(t)?t:hc(t),e=e&&!r?ja(e):0;var i=t.length;return e<0&&(e=Ve(i+e,0)),Ia(t)?e<=i&&t.indexOf(n,e)>-1:!!i&&ce(t,n,e)>-1},dr.indexOf=function(t,n,e){var r=null==t?0:t.length;if(!r)return-1;var i=null==e?0:ja(e);return i<0&&(i=Ve(r+i,0)),ce(t,n,i)},dr.inRange=function(t,n,e){return n=Fa(n),e===o?(e=n,n=0):e=Fa(e),function(t,n,e){return t>=$e(n,e)&&t=-O&&t<=O},dr.isSet=Ra,dr.isString=Ia,dr.isSymbol=Oa,dr.isTypedArray=La,dr.isUndefined=function(t){return t===o},dr.isWeakMap=function(t){return Sa(t)&&Bo(t)==ut},dr.isWeakSet=function(t){return Sa(t)&&Kr(t)==at},dr.join=function(t,n){return null==t?"":Ye.call(t,n)},dr.kebabCase=gc,dr.last=xu,dr.lastIndexOf=function(t,n,e){var r=null==t?0:t.length;if(!r)return-1;var i=r;return e!==o&&(i=(i=ja(e))<0?Ve(r+i,0):$e(i,r-1)),n==n?function(t,n,e){for(var r=e+1;r--;)if(t[r]===n)return r;return r}(t,n,i):ae(t,le,i,!0)},dr.lowerCase=yc,dr.lowerFirst=_c,dr.lt=Ua,dr.lte=Da,dr.max=function(t){return t&&t.length?Br(t,Cc,Jr):o},dr.maxBy=function(t,n){return t&&t.length?Br(t,Uo(n,2),Jr):o},dr.mean=function(t){return se(t,Cc)},dr.meanBy=function(t,n){return se(t,Uo(n,2))},dr.min=function(t){return t&&t.length?Br(t,Cc,si):o},dr.minBy=function(t,n){return t&&t.length?Br(t,Uo(n,2),si):o},dr.stubArray=qc,dr.stubFalse=Bc,dr.stubObject=function(){return{}},dr.stubString=function(){return""},dr.stubTrue=function(){return!0},dr.multiply=Wc,dr.nth=function(t,n){return t&&t.length?gi(t,ja(n)):o},dr.noConflict=function(){return On._===this&&(On._=vn),this},dr.noop=Oc,dr.now=Ku,dr.pad=function(t,n,e){t=Ha(t);var r=(n=ja(n))?Re(t):0;if(!n||r>=n)return t;var i=(n-r)/2;return _o(Fe(i),e)+t+_o(ze(i),e)},dr.padEnd=function(t,n,e){t=Ha(t);var r=(n=ja(n))?Re(t):0;return n&&rn){var r=t;t=n,n=r}if(e||t%1||n%1){var i=Ge();return $e(t+i*(n-t+An("1e-"+((i+"").length-1))),n)}return wi(t,n)},dr.reduce=function(t,n,e){var r=ga(t)?ee:pe,i=arguments.length<3;return r(t,Uo(n,4),e,i,Fr)},dr.reduceRight=function(t,n,e){var r=ga(t)?re:pe,i=arguments.length<3;return r(t,Uo(n,4),e,i,jr)},dr.repeat=function(t,n,e){return n=(e?Wo(t,n,e):n===o)?1:ja(n),xi(Ha(t),n)},dr.replace=function(){var t=arguments,n=Ha(t[0]);return t.length<3?n:n.replace(t[1],t[2])},dr.result=function(t,n,e){var r=-1,i=(n=$i(n,t)).length;for(i||(i=1,t=o);++rO)return[];var e=D,r=$e(t,D);n=Uo(n),t-=D;for(var i=ge(r,n);++e=u)return t;var c=e-Re(r);if(c<1)return r;var f=a?Xi(a,0,c).join(""):t.slice(0,c);if(i===o)return f+r;if(a&&(c+=f.length-c),Pa(i)){if(t.slice(c).search(i)){var l,s=f;for(i.global||(i=nn(i.source,Ha(Yt.exec(i))+"g")),i.lastIndex=0;l=i.exec(s);)var h=l.index;f=f.slice(0,h===o?c:h)}}else if(t.indexOf(Ui(i),c)!=c){var d=f.lastIndexOf(i);d>-1&&(f=f.slice(0,d))}return f+r},dr.unescape=function(t){return(t=Ha(t))&&Et.test(t)?t.replace(xt,Oe):t},dr.uniqueId=function(t){var n=++sn;return Ha(t)+n},dr.upperCase=wc,dr.upperFirst=xc,dr.each=Hu,dr.eachRight=Vu,dr.first=_u,Ic(dr,function(){var t={};return Wr(dr,function(n,e){ln.call(dr.prototype,e)||(t[e]=n)}),t}(),{chain:!1}),dr.VERSION="4.17.10",Xn(["bind","bindKey","curry","curryRight","partial","partialRight"],function(t){dr[t].placeholder=dr}),Xn(["drop","take"],function(t,n){yr.prototype[t]=function(e){e=e===o?1:Ve(ja(e),0);var r=this.__filtered__&&!n?new yr(this):this.clone();return r.__filtered__?r.__takeCount__=$e(e,r.__takeCount__):r.__views__.push({size:$e(e,D),type:t+(r.__dir__<0?"Right":"")}),r},yr.prototype[t+"Right"]=function(n){return this.reverse()[t](n).reverse()}}),Xn(["filter","map","takeWhile"],function(t,n){var e=n+1,r=e==P||3==e;yr.prototype[t]=function(t){var n=this.clone();return n.__iteratees__.push({iteratee:Uo(t,3),type:e}),n.__filtered__=n.__filtered__||r,n}}),Xn(["head","last"],function(t,n){var e="take"+(n?"Right":"");yr.prototype[t]=function(){return this[e](1).value()[0]}}),Xn(["initial","tail"],function(t,n){var e="drop"+(n?"":"Right");yr.prototype[t]=function(){return this.__filtered__?new yr(this):this[e](1)}}),yr.prototype.compact=function(){return this.filter(Cc)},yr.prototype.find=function(t){return this.filter(t).head()},yr.prototype.findLast=function(t){return this.reverse().find(t)},yr.prototype.invokeMap=Mi(function(t,n){return"function"==typeof t?new yr(this):this.map(function(e){return ri(e,t,n)})}),yr.prototype.reject=function(t){return this.filter(aa(Uo(t)))},yr.prototype.slice=function(t,n){t=ja(t);var e=this;return e.__filtered__&&(t>0||n<0)?new yr(e):(t<0?e=e.takeRight(-t):t&&(e=e.drop(t)),n!==o&&(e=(n=ja(n))<0?e.dropRight(-n):e.take(n-t)),e)},yr.prototype.takeRightWhile=function(t){return this.reverse().takeWhile(t).reverse()},yr.prototype.toArray=function(){return this.take(D)},Wr(yr.prototype,function(t,n){var e=/^(?:filter|find|map|reject)|While$/.test(n),r=/^(?:head|last)$/.test(n),i=dr[r?"take"+("last"==n?"Right":""):n],u=r||/^find/.test(n);i&&(dr.prototype[n]=function(){var n=this.__wrapped__,a=r?[1]:arguments,c=n instanceof yr,f=a[0],l=c||ga(n),s=function(t){var n=i.apply(dr,ne([t],a));return r&&h?n[0]:n};l&&e&&"function"==typeof f&&1!=f.length&&(c=l=!1);var h=this.__chain__,d=!!this.__actions__.length,p=u&&!h,v=c&&!d;if(!u&&l){n=v?n:new yr(this);var g=t.apply(n,a);return g.__actions__.push({func:Fu,args:[s],thisArg:o}),new gr(g,h)}return p&&v?t.apply(this,a):(g=this.thru(s),p?r?g.value()[0]:g.value():g)})}),Xn(["pop","push","shift","sort","splice","unshift"],function(t){var n=on[t],e=/^(?:push|sort|unshift)$/.test(t)?"tap":"thru",r=/^(?:pop|shift)$/.test(t);dr.prototype[t]=function(){var t=arguments;if(r&&!this.__chain__){var i=this.value();return n.apply(ga(i)?i:[],t)}return this[e](function(e){return n.apply(ga(e)?e:[],t)})}}),Wr(yr.prototype,function(t,n){var e=dr[n];if(e){var r=e.name+"";(ir[r]||(ir[r]=[])).push({name:n,func:e})}}),ir[po(o,_).name]=[{name:"wrapper",func:o}],yr.prototype.clone=function(){var t=new yr(this.__wrapped__);return t.__actions__=eo(this.__actions__),t.__dir__=this.__dir__,t.__filtered__=this.__filtered__,t.__iteratees__=eo(this.__iteratees__),t.__takeCount__=this.__takeCount__,t.__views__=eo(this.__views__),t},yr.prototype.reverse=function(){if(this.__filtered__){var t=new yr(this);t.__dir__=-1,t.__filtered__=!0}else(t=this.clone()).__dir__*=-1;return t},yr.prototype.value=function(){var t=this.__wrapped__.value(),n=this.__dir__,e=ga(t),r=n<0,i=e?t.length:0,o=function(t,n,e){for(var r=-1,i=e.length;++r=this.__values__.length;return{done:t,value:t?o:this.__values__[this.__index__++]}},dr.prototype.plant=function(t){for(var n,e=this;e instanceof vr;){var r=su(e);r.__index__=0,r.__values__=o,n?i.__wrapped__=r:n=r;var i=r;e=e.__wrapped__}return i.__wrapped__=t,n},dr.prototype.reverse=function(){var t=this.__wrapped__;if(t instanceof yr){var n=t;return this.__actions__.length&&(n=new yr(this)),(n=n.reverse()).__actions__.push({func:Fu,args:[Nu],thisArg:o}),new gr(n,this.__chain__)}return this.thru(Nu)},dr.prototype.toJSON=dr.prototype.valueOf=dr.prototype.value=function(){return qi(this.__wrapped__,this.__actions__)},dr.prototype.first=dr.prototype.head,zn&&(dr.prototype[zn]=function(){return this}),dr}();On._=Le,(i=function(){return Le}.call(n,e,n,r))===o||(r.exports=i)}).call(this)}).call(this,e(21),e(22)(t))},function(t,n,e){"use strict";var r=e(0),i=e(5).Graph,o=e(11).slack;function u(t,n){return r.forEach(t.nodes(),function e(i){r.forEach(n.nodeEdges(i),function(r){var u=r.v,a=i===u?r.w:u;t.hasNode(a)||o(n,r)||(t.setNode(a,{}),t.setEdge(i,a,{}),e(a))})}),t.nodeCount()}function a(t,n){return r.minBy(n.edges(),function(e){if(t.hasNode(e.v)!==t.hasNode(e.w))return o(n,e)})}function c(t,n,e){r.forEach(t.nodes(),function(t){n.node(t).rank+=e})}t.exports=function(t){var n,e,r=new i({directed:!1}),f=t.nodes()[0],l=t.nodeCount();r.setNode(f,{});for(;u(r,t)1&&u.sort(function(t,n){var r=t.x-e.x,i=t.y-e.y,o=Math.sqrt(r*r+i*i),u=n.x-e.x,a=n.y-e.y,c=Math.sqrt(u*u+a*a);return oMath.abs(u)*f?(a<0&&(f=-f),e=0===a?0:f*u/a,r=f):(u<0&&(c=-c),e=c,r=0===u?0:c*a/u);return{x:i+e,y:o+r}}},function(t,n,e){ +/** + * @license + * Copyright (c) 2012-2013 Chris Pettitt + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ +t.exports={graphlib:e(46),dagre:e(28),intersect:e(85),render:e(87),util:e(4),version:e(100)}},function(t,n,e){"use strict";e.r(n);var r=function(t,n){return tn?1:t>=n?0:NaN},i=function(t){return 1===t.length&&(t=function(t){return function(n,e){return r(t(n),e)}}(t)),{left:function(n,e,r,i){for(null==r&&(r=0),null==i&&(i=n.length);r>>1;t(n[o],e)<0?r=o+1:i=o}return r},right:function(n,e,r,i){for(null==r&&(r=0),null==i&&(i=n.length);r>>1;t(n[o],e)>0?i=o:r=o+1}return r}}};var o=i(r),u=o.right,a=o.left,c=u,f=function(t,n){null==n&&(n=l);for(var e=0,r=t.length-1,i=t[0],o=new Array(r<0?0:r);et?1:n>=t?0:NaN},d=function(t){return null===t?NaN:+t},p=function(t,n){var e,r,i=t.length,o=0,u=-1,a=0,c=0;if(null==n)for(;++u1)return c/(o-1)},v=function(t,n){var e=p(t,n);return e?Math.sqrt(e):e},g=function(t,n){var e,r,i,o=t.length,u=-1;if(null==n){for(;++u=e)for(r=i=e;++ue&&(r=e),i=e)for(r=i=e;++ue&&(r=e),i0)return[t];if((r=n0)for(t=Math.ceil(t/u),n=Math.floor(n/u),o=new Array(i=Math.ceil(n-t+1));++a=0?(o>=M?10:o>=E?5:o>=k?2:1)*Math.pow(10,i):-Math.pow(10,-i)/(o>=M?10:o>=E?5:o>=k?2:1)}function T(t,n,e){var r=Math.abs(n-t)/Math.max(0,e),i=Math.pow(10,Math.floor(Math.log(r)/Math.LN10)),o=r/i;return o>=M?i*=10:o>=E?i*=5:o>=k&&(i*=2),ns;)h.pop(),--d;var p,v=new Array(d+1);for(i=0;i<=d;++i)(p=v[i]=[]).x0=i>0?h[i-1]:l,p.x1=i=1)return+e(t[r-1],r-1,t);var r,i=(r-1)*n,o=Math.floor(i),u=+e(t[o],o,t);return u+(+e(t[o+1],o+1,t)-u)*(i-o)}},R=function(t,n,e){return t=m.call(t,d).sort(r),Math.ceil((e-n)/(2*(P(t,.75)-P(t,.25))*Math.pow(t.length,-1/3)))},I=function(t,n,e){return Math.ceil((e-n)/(3.5*v(t)*Math.pow(t.length,-1/3)))},O=function(t,n){var e,r,i=t.length,o=-1;if(null==n){for(;++o=e)for(r=e;++or&&(r=e)}else for(;++o=e)for(r=e;++or&&(r=e);return r},L=function(t,n){var e,r=t.length,i=r,o=-1,u=0;if(null==n)for(;++o=0;)for(n=(r=t[i]).length;--n>=0;)e[--u]=r[n];return e},z=function(t,n){var e,r,i=t.length,o=-1;if(null==n){for(;++o=e)for(r=e;++oe&&(r=e)}else for(;++o=e)for(r=e;++oe&&(r=e);return r},F=function(t,n){for(var e=n.length,r=new Array(e);e--;)r[e]=t[n[e]];return r},j=function(t,n){if(e=t.length){var e,i,o=0,u=0,a=t[u];for(null==n&&(n=r);++o=0&&"xmlns"!==(n=t.slice(0,e))&&(t=t.slice(e+1)),ft.hasOwnProperty(n)?{space:ft[n],local:t}:t};var st=function(t){var n=lt(t);return(n.local?function(t){return function(){return this.ownerDocument.createElementNS(t.space,t.local)}}:function(t){return function(){var n=this.ownerDocument,e=this.namespaceURI;return e===ct&&n.documentElement.namespaceURI===ct?n.createElement(t):n.createElementNS(e,t)}})(n)};function ht(){}var dt=function(t){return null==t?ht:function(){return this.querySelector(t)}};function pt(){return[]}var vt=function(t){return null==t?pt:function(){return this.querySelectorAll(t)}},gt=function(t){return function(){return this.matches(t)}};if("undefined"!=typeof document){var yt=document.documentElement;if(!yt.matches){var _t=yt.webkitMatchesSelector||yt.msMatchesSelector||yt.mozMatchesSelector||yt.oMatchesSelector;gt=function(t){return function(){return _t.call(this,t)}}}}var mt=gt,bt=function(t){return new Array(t.length)};function wt(t,n){this.ownerDocument=t.ownerDocument,this.namespaceURI=t.namespaceURI,this._next=null,this._parent=t,this.__data__=n}wt.prototype={constructor:wt,appendChild:function(t){return this._parent.insertBefore(t,this._next)},insertBefore:function(t,n){return this._parent.insertBefore(t,n)},querySelector:function(t){return this._parent.querySelector(t)},querySelectorAll:function(t){return this._parent.querySelectorAll(t)}};var xt="$";function Mt(t,n,e,r,i,o){for(var u,a=0,c=n.length,f=o.length;an?1:t>=n?0:NaN}var Nt=function(t){return t.ownerDocument&&t.ownerDocument.defaultView||t.document&&t||t.defaultView};function St(t,n){return t.style.getPropertyValue(n)||Nt(t).getComputedStyle(t,null).getPropertyValue(n)}function Tt(t){return t.trim().split(/^|\s+/)}function Ct(t){return t.classList||new At(t)}function At(t){this._node=t,this._names=Tt(t.getAttribute("class")||"")}function Pt(t,n){for(var e=Ct(t),r=-1,i=n.length;++r=0&&(this._names.splice(n,1),this._node.setAttribute("class",this._names.join(" ")))},contains:function(t){return this._names.indexOf(t)>=0}};function It(){this.textContent=""}function Ot(){this.innerHTML=""}function Lt(){this.nextSibling&&this.parentNode.appendChild(this)}function Ut(){this.previousSibling&&this.parentNode.insertBefore(this,this.parentNode.firstChild)}function Dt(){return null}function zt(){var t=this.parentNode;t&&t.removeChild(this)}function Ft(){return this.parentNode.insertBefore(this.cloneNode(!1),this.nextSibling)}function jt(){return this.parentNode.insertBefore(this.cloneNode(!0),this.nextSibling)}var qt={},Bt=null;"undefined"!=typeof document&&("onmouseenter"in document.documentElement||(qt={mouseenter:"mouseover",mouseleave:"mouseout"}));function Yt(t,n,e){return t=Ht(t,n,e),function(n){var e=n.relatedTarget;e&&(e===this||8&e.compareDocumentPosition(this))||t.call(this,n)}}function Ht(t,n,e){return function(r){var i=Bt;Bt=r;try{t.call(this,this.__data__,n,e)}finally{Bt=i}}}function Vt(t){return function(){var n=this.__on;if(n){for(var e,r=0,i=-1,o=n.length;r=b&&(b=m+1);!(_=g[b])&&++b=0;)(r=i[o])&&(u&&u!==r.nextSibling&&u.parentNode.insertBefore(r,u),u=r);return this},sort:function(t){function n(n,e){return n&&e?t(n.__data__,e.__data__):!n-!e}t||(t=kt);for(var e=this._groups,r=e.length,i=new Array(r),o=0;o1?this.each((null==n?function(t){return function(){this.style.removeProperty(t)}}:"function"==typeof n?function(t,n,e){return function(){var r=n.apply(this,arguments);null==r?this.style.removeProperty(t):this.style.setProperty(t,r,e)}}:function(t,n,e){return function(){this.style.setProperty(t,n,e)}})(t,n,null==e?"":e)):St(this.node(),t)},property:function(t,n){return arguments.length>1?this.each((null==n?function(t){return function(){delete this[t]}}:"function"==typeof n?function(t,n){return function(){var e=n.apply(this,arguments);null==e?delete this[t]:this[t]=e}}:function(t,n){return function(){this[t]=n}})(t,n)):this.node()[t]},classed:function(t,n){var e=Tt(t+"");if(arguments.length<2){for(var r=Ct(this.node()),i=-1,o=e.length;++i=0&&(n=t.slice(e+1),t=t.slice(0,e)),{type:t,name:n}})}(t+""),u=o.length;if(!(arguments.length<2)){for(a=n?$t:Vt,null==e&&(e=!1),r=0;rs}c.mouse("drag")}function v(){Jt(Bt.view).on("mousemove.drag mouseup.drag",null),pn(Bt.view,e),hn(),c.mouse("end")}function g(){if(i.apply(this,arguments)){var t,n,e=Bt.changedTouches,r=o.apply(this,arguments),u=e.length;for(t=0;t>8&15|n>>4&240,n>>4&15|240&n,(15&n)<<4|15&n,1):(n=Cn.exec(t))?zn(parseInt(n[1],16)):(n=An.exec(t))?new Bn(n[1],n[2],n[3],1):(n=Pn.exec(t))?new Bn(255*n[1]/100,255*n[2]/100,255*n[3]/100,1):(n=Rn.exec(t))?Fn(n[1],n[2],n[3],n[4]):(n=In.exec(t))?Fn(255*n[1]/100,255*n[2]/100,255*n[3]/100,n[4]):(n=On.exec(t))?Hn(n[1],n[2]/100,n[3]/100,1):(n=Ln.exec(t))?Hn(n[1],n[2]/100,n[3]/100,n[4]):Un.hasOwnProperty(t)?zn(Un[t]):"transparent"===t?new Bn(NaN,NaN,NaN,0):null}function zn(t){return new Bn(t>>16&255,t>>8&255,255&t,1)}function Fn(t,n,e,r){return r<=0&&(t=n=e=NaN),new Bn(t,n,e,r)}function jn(t){return t instanceof En||(t=Dn(t)),t?new Bn((t=t.rgb()).r,t.g,t.b,t.opacity):new Bn}function qn(t,n,e,r){return 1===arguments.length?jn(t):new Bn(t,n,e,null==r?1:r)}function Bn(t,n,e,r){this.r=+t,this.g=+n,this.b=+e,this.opacity=+r}function Yn(t){return((t=Math.max(0,Math.min(255,Math.round(t)||0)))<16?"0":"")+t.toString(16)}function Hn(t,n,e,r){return r<=0?t=n=e=NaN:e<=0||e>=1?t=n=NaN:n<=0&&(t=NaN),new $n(t,n,e,r)}function Vn(t,n,e,r){return 1===arguments.length?function(t){if(t instanceof $n)return new $n(t.h,t.s,t.l,t.opacity);if(t instanceof En||(t=Dn(t)),!t)return new $n;if(t instanceof $n)return t;var n=(t=t.rgb()).r/255,e=t.g/255,r=t.b/255,i=Math.min(n,e,r),o=Math.max(n,e,r),u=NaN,a=o-i,c=(o+i)/2;return a?(u=n===o?(e-r)/a+6*(e0&&c<1?0:u,new $n(u,a,c,t.opacity)}(t):new $n(t,n,e,null==r?1:r)}function $n(t,n,e,r){this.h=+t,this.s=+n,this.l=+e,this.opacity=+r}function Wn(t,n,e){return 255*(t<60?n+(e-n)*t/60:t<180?e:t<240?n+(e-n)*(240-t)/60:n)}xn(En,Dn,{displayable:function(){return this.rgb().displayable()},hex:function(){return this.rgb().hex()},toString:function(){return this.rgb()+""}}),xn(Bn,qn,Mn(En,{brighter:function(t){return t=null==t?1/.7:Math.pow(1/.7,t),new Bn(this.r*t,this.g*t,this.b*t,this.opacity)},darker:function(t){return t=null==t?.7:Math.pow(.7,t),new Bn(this.r*t,this.g*t,this.b*t,this.opacity)},rgb:function(){return this},displayable:function(){return 0<=this.r&&this.r<=255&&0<=this.g&&this.g<=255&&0<=this.b&&this.b<=255&&0<=this.opacity&&this.opacity<=1},hex:function(){return"#"+Yn(this.r)+Yn(this.g)+Yn(this.b)},toString:function(){var t=this.opacity;return(1===(t=isNaN(t)?1:Math.max(0,Math.min(1,t)))?"rgb(":"rgba(")+Math.max(0,Math.min(255,Math.round(this.r)||0))+", "+Math.max(0,Math.min(255,Math.round(this.g)||0))+", "+Math.max(0,Math.min(255,Math.round(this.b)||0))+(1===t?")":", "+t+")")}})),xn($n,Vn,Mn(En,{brighter:function(t){return t=null==t?1/.7:Math.pow(1/.7,t),new $n(this.h,this.s,this.l*t,this.opacity)},darker:function(t){return t=null==t?.7:Math.pow(.7,t),new $n(this.h,this.s,this.l*t,this.opacity)},rgb:function(){var t=this.h%360+360*(this.h<0),n=isNaN(t)||isNaN(this.s)?0:this.s,e=this.l,r=e+(e<.5?e:1-e)*n,i=2*e-r;return new Bn(Wn(t>=240?t-240:t+120,i,r),Wn(t,i,r),Wn(t<120?t+240:t-120,i,r),this.opacity)},displayable:function(){return(0<=this.s&&this.s<=1||isNaN(this.s))&&0<=this.l&&this.l<=1&&0<=this.opacity&&this.opacity<=1}}));var Xn=Math.PI/180,Gn=180/Math.PI,Qn=.96422,Zn=1,Kn=.82521,Jn=4/29,te=6/29,ne=3*te*te,ee=te*te*te;function re(t){if(t instanceof ue)return new ue(t.l,t.a,t.b,t.opacity);if(t instanceof pe){if(isNaN(t.h))return new ue(t.l,0,0,t.opacity);var n=t.h*Xn;return new ue(t.l,Math.cos(n)*t.c,Math.sin(n)*t.c,t.opacity)}t instanceof Bn||(t=jn(t));var e,r,i=le(t.r),o=le(t.g),u=le(t.b),a=ae((.2225045*i+.7168786*o+.0606169*u)/Zn);return i===o&&o===u?e=r=a:(e=ae((.4360747*i+.3850649*o+.1430804*u)/Qn),r=ae((.0139322*i+.0971045*o+.7141733*u)/Kn)),new ue(116*a-16,500*(e-a),200*(a-r),t.opacity)}function ie(t,n){return new ue(t,0,0,null==n?1:n)}function oe(t,n,e,r){return 1===arguments.length?re(t):new ue(t,n,e,null==r?1:r)}function ue(t,n,e,r){this.l=+t,this.a=+n,this.b=+e,this.opacity=+r}function ae(t){return t>ee?Math.pow(t,1/3):t/ne+Jn}function ce(t){return t>te?t*t*t:ne*(t-Jn)}function fe(t){return 255*(t<=.0031308?12.92*t:1.055*Math.pow(t,1/2.4)-.055)}function le(t){return(t/=255)<=.04045?t/12.92:Math.pow((t+.055)/1.055,2.4)}function se(t){if(t instanceof pe)return new pe(t.h,t.c,t.l,t.opacity);if(t instanceof ue||(t=re(t)),0===t.a&&0===t.b)return new pe(NaN,0,t.l,t.opacity);var n=Math.atan2(t.b,t.a)*Gn;return new pe(n<0?n+360:n,Math.sqrt(t.a*t.a+t.b*t.b),t.l,t.opacity)}function he(t,n,e,r){return 1===arguments.length?se(t):new pe(e,n,t,null==r?1:r)}function de(t,n,e,r){return 1===arguments.length?se(t):new pe(t,n,e,null==r?1:r)}function pe(t,n,e,r){this.h=+t,this.c=+n,this.l=+e,this.opacity=+r}xn(ue,oe,Mn(En,{brighter:function(t){return new ue(this.l+18*(null==t?1:t),this.a,this.b,this.opacity)},darker:function(t){return new ue(this.l-18*(null==t?1:t),this.a,this.b,this.opacity)},rgb:function(){var t=(this.l+16)/116,n=isNaN(this.a)?t:t+this.a/500,e=isNaN(this.b)?t:t-this.b/200;return new Bn(fe(3.1338561*(n=Qn*ce(n))-1.6168667*(t=Zn*ce(t))-.4906146*(e=Kn*ce(e))),fe(-.9787684*n+1.9161415*t+.033454*e),fe(.0719453*n-.2289914*t+1.4052427*e),this.opacity)}})),xn(pe,de,Mn(En,{brighter:function(t){return new pe(this.h,this.c,this.l+18*(null==t?1:t),this.opacity)},darker:function(t){return new pe(this.h,this.c,this.l-18*(null==t?1:t),this.opacity)},rgb:function(){return re(this).rgb()}}));var ve=-.29227,ge=-.90649,ye=1.97294,_e=ye*ge,me=1.78277*ye,be=1.78277*ve- -.14861*ge;function we(t,n,e,r){return 1===arguments.length?function(t){if(t instanceof xe)return new xe(t.h,t.s,t.l,t.opacity);t instanceof Bn||(t=jn(t));var n=t.r/255,e=t.g/255,r=t.b/255,i=(be*r+_e*n-me*e)/(be+_e-me),o=r-i,u=(ye*(e-i)-ve*o)/ge,a=Math.sqrt(u*u+o*o)/(ye*i*(1-i)),c=a?Math.atan2(u,o)*Gn-120:NaN;return new xe(c<0?c+360:c,a,i,t.opacity)}(t):new xe(t,n,e,null==r?1:r)}function xe(t,n,e,r){this.h=+t,this.s=+n,this.l=+e,this.opacity=+r}function Me(t,n,e,r,i){var o=t*t,u=o*t;return((1-3*t+3*o-u)*n+(4-6*o+3*u)*e+(1+3*t+3*o-3*u)*r+u*i)/6}xn(xe,we,Mn(En,{brighter:function(t){return t=null==t?1/.7:Math.pow(1/.7,t),new xe(this.h,this.s,this.l*t,this.opacity)},darker:function(t){return t=null==t?.7:Math.pow(.7,t),new xe(this.h,this.s,this.l*t,this.opacity)},rgb:function(){var t=isNaN(this.h)?0:(this.h+120)*Xn,n=+this.l,e=isNaN(this.s)?0:this.s*n*(1-n),r=Math.cos(t),i=Math.sin(t);return new Bn(255*(n+e*(-.14861*r+1.78277*i)),255*(n+e*(ve*r+ge*i)),255*(n+e*(ye*r)),this.opacity)}}));var Ee=function(t){var n=t.length-1;return function(e){var r=e<=0?e=0:e>=1?(e=1,n-1):Math.floor(e*n),i=t[r],o=t[r+1],u=r>0?t[r-1]:2*i-o,a=r180||e<-180?e-360*Math.round(e/360):e):Ne(isNaN(t)?n:t)}function Ce(t){return 1==(t=+t)?Ae:function(n,e){return e-n?function(t,n,e){return t=Math.pow(t,e),n=Math.pow(n,e)-t,e=1/e,function(r){return Math.pow(t+r*n,e)}}(n,e,t):Ne(isNaN(n)?e:n)}}function Ae(t,n){var e=n-t;return e?Se(t,e):Ne(isNaN(t)?n:t)}var Pe=function t(n){var e=Ce(n);function r(t,n){var r=e((t=qn(t)).r,(n=qn(n)).r),i=e(t.g,n.g),o=e(t.b,n.b),u=Ae(t.opacity,n.opacity);return function(n){return t.r=r(n),t.g=i(n),t.b=o(n),t.opacity=u(n),t+""}}return r.gamma=t,r}(1);function Re(t){return function(n){var e,r,i=n.length,o=new Array(i),u=new Array(i),a=new Array(i);for(e=0;eo&&(i=n.slice(o,i),a[u]?a[u]+=i:a[++u]=i),(e=e[0])===(r=r[0])?a[u]?a[u]+=r:a[++u]=r:(a[++u]=null,c.push({i:u,x:De(e,r)})),o=je.lastIndex;return o180?n+=360:n-t>180&&(t+=360),o.push({i:e.push(i(e)+"rotate(",null,r)-2,x:De(t,n)})):n&&e.push(i(e)+"rotate("+n+r)}(o.rotate,u.rotate,a,c),function(t,n,e,o){t!==n?o.push({i:e.push(i(e)+"skewX(",null,r)-2,x:De(t,n)}):n&&e.push(i(e)+"skewX("+n+r)}(o.skewX,u.skewX,a,c),function(t,n,e,r,o,u){if(t!==e||n!==r){var a=o.push(i(o)+"scale(",null,",",null,")");u.push({i:a-4,x:De(t,e)},{i:a-2,x:De(n,r)})}else 1===e&&1===r||o.push(i(o)+"scale("+e+","+r+")")}(o.scaleX,o.scaleY,u.scaleX,u.scaleY,a,c),o=u=null,function(t){for(var n,e=-1,r=c.length;++e=0&&n._call.call(null,t),n=n._next;--mr}function Ir(){Er=(Mr=Nr.now())+kr,mr=br=0;try{Rr()}finally{mr=0,function(){var t,n,e=gr,r=1/0;for(;e;)e._call?(r>e._time&&(r=e._time),t=e,e=e._next):(n=e._next,e._next=null,e=t?t._next=n:gr=n);yr=t,Lr(r)}(),Er=0}}function Or(){var t=Nr.now(),n=t-Mr;n>xr&&(kr-=n,Mr=t)}function Lr(t){mr||(br&&(br=clearTimeout(br)),t-Er>24?(t<1/0&&(br=setTimeout(Ir,t-Nr.now()-kr)),wr&&(wr=clearInterval(wr))):(wr||(Mr=Nr.now(),wr=setInterval(Or,xr)),mr=1,Sr(Ir)))}Ar.prototype=Pr.prototype={constructor:Ar,restart:function(t,n,e){if("function"!=typeof t)throw new TypeError("callback is not a function");e=(null==e?Tr():+e)+(null==n?0:+n),this._next||yr===this||(yr?yr._next=this:gr=this,yr=this),this._call=t,this._time=e,Lr()},stop:function(){this._call&&(this._call=null,this._time=1/0,Lr())}};var Ur=function(t,n,e){var r=new Ar;return n=null==n?0:+n,r.restart(function(e){r.stop(),t(e+n)},n,e),r},Dr=function(t,n,e){var r=new Ar,i=n;return null==n?(r.restart(t,n,e),r):(n=+n,e=null==e?Tr():+e,r.restart(function o(u){u+=i,r.restart(o,i+=n,e),t(u)},n,e),r)},zr=Object(at.a)("start","end","interrupt"),Fr=[],jr=0,qr=1,Br=2,Yr=3,Hr=4,Vr=5,$r=6,Wr=function(t,n,e,r,i,o){var u=t.__transition;if(u){if(e in u)return}else t.__transition={};!function(t,n,e){var r,i=t.__transition;function o(c){var f,l,s,h;if(e.state!==qr)return a();for(f in i)if((h=i[f]).name===e.name){if(h.state===Yr)return Ur(o);h.state===Hr?(h.state=$r,h.timer.stop(),h.on.call("interrupt",t,t.__data__,h.index,h.group),delete i[f]):+fjr)throw new Error("too late; already scheduled");return e}function Gr(t,n){var e=Qr(t,n);if(e.state>Br)throw new Error("too late; already started");return e}function Qr(t,n){var e=t.__transition;if(!e||!(e=e[n]))throw new Error("transition not found");return e}var Zr=function(t,n){var e,r,i,o=t.__transition,u=!0;if(o){for(i in n=null==n?null:n+"",o)(e=o[i]).name===n?(r=e.state>Br&&e.state=0&&(t=t.slice(0,n)),!t||"start"===t})}(n)?Xr:Gr;return function(){var u=o(this,t),a=u.on;a!==r&&(i=(r=a).copy()).on(n,e),u.on=i}}(e,t,n))},attr:function(t,n){var e=lt(t),r="transform"===e?nr:Jr;return this.attrTween(t,"function"==typeof n?(e.local?function(t,n,e){var r,i,o;return function(){var u,a=e(this);if(null!=a)return(u=this.getAttributeNS(t.space,t.local))===a?null:u===r&&a===i?o:o=n(r=u,i=a);this.removeAttributeNS(t.space,t.local)}}:function(t,n,e){var r,i,o;return function(){var u,a=e(this);if(null!=a)return(u=this.getAttribute(t))===a?null:u===r&&a===i?o:o=n(r=u,i=a);this.removeAttribute(t)}})(e,r,Kr(this,"attr."+t,n)):null==n?(e.local?function(t){return function(){this.removeAttributeNS(t.space,t.local)}}:function(t){return function(){this.removeAttribute(t)}})(e):(e.local?function(t,n,e){var r,i;return function(){var o=this.getAttributeNS(t.space,t.local);return o===e?null:o===r?i:i=n(r=o,e)}}:function(t,n,e){var r,i;return function(){var o=this.getAttribute(t);return o===e?null:o===r?i:i=n(r=o,e)}})(e,r,n+""))},attrTween:function(t,n){var e="attr."+t;if(arguments.length<2)return(e=this.tween(e))&&e._value;if(null==n)return this.tween(e,null);if("function"!=typeof n)throw new Error;var r=lt(t);return this.tween(e,(r.local?function(t,n){function e(){var e=this,r=n.apply(e,arguments);return r&&function(n){e.setAttributeNS(t.space,t.local,r(n))}}return e._value=n,e}:function(t,n){function e(){var e=this,r=n.apply(e,arguments);return r&&function(n){e.setAttribute(t,r(n))}}return e._value=n,e})(r,n))},style:function(t,n,e){var r="transform"==(t+="")?tr:Jr;return null==n?this.styleTween(t,function(t,n){var e,r,i;return function(){var o=St(this,t),u=(this.style.removeProperty(t),St(this,t));return o===u?null:o===e&&u===r?i:i=n(e=o,r=u)}}(t,r)).on("end.style."+t,function(t){return function(){this.style.removeProperty(t)}}(t)):this.styleTween(t,"function"==typeof n?function(t,n,e){var r,i,o;return function(){var u=St(this,t),a=e(this);return null==a&&(this.style.removeProperty(t),a=St(this,t)),u===a?null:u===r&&a===i?o:o=n(r=u,i=a)}}(t,r,Kr(this,"style."+t,n)):function(t,n,e){var r,i;return function(){var o=St(this,t);return o===e?null:o===r?i:i=n(r=o,e)}}(t,r,n+""),e)},styleTween:function(t,n,e){var r="style."+(t+="");if(arguments.length<2)return(r=this.tween(r))&&r._value;if(null==n)return this.tween(r,null);if("function"!=typeof n)throw new Error;return this.tween(r,function(t,n,e){function r(){var r=this,i=n.apply(r,arguments);return i&&function(n){r.style.setProperty(t,i(n),e)}}return r._value=n,r}(t,n,null==e?"":e))},text:function(t){return this.tween("text","function"==typeof t?function(t){return function(){var n=t(this);this.textContent=null==n?"":n}}(Kr(this,"text",t)):function(t){return function(){this.textContent=t}}(null==t?"":t+""))},remove:function(){return this.on("end.remove",function(t){return function(){var n=this.parentNode;for(var e in this.__transition)if(+e!==t)return;n&&n.removeChild(this)}}(this._id))},tween:function(t,n){var e=this._id;if(t+="",arguments.length<2){for(var r,i=Qr(this.node(),e).tween,o=0,u=i.length;oqr&&e.name===n)return new ei([[t]],Gi,n,+r);return null},Zi=function(t){return function(){return t}},Ki=function(t,n,e){this.target=t,this.type=n,this.selection=e};function Ji(){Bt.stopImmediatePropagation()}var to=function(){Bt.preventDefault(),Bt.stopImmediatePropagation()},no={name:"drag"},eo={name:"space"},ro={name:"handle"},io={name:"center"},oo={name:"x",handles:["e","w"].map(po),input:function(t,n){return t&&[[t[0],n[0][1]],[t[1],n[1][1]]]},output:function(t){return t&&[t[0][0],t[1][0]]}},uo={name:"y",handles:["n","s"].map(po),input:function(t,n){return t&&[[n[0][0],t[0]],[n[1][0],t[1]]]},output:function(t){return t&&[t[0][1],t[1][1]]}},ao={name:"xy",handles:["n","e","s","w","nw","ne","se","sw"].map(po),input:function(t){return t},output:function(t){return t}},co={overlay:"crosshair",selection:"move",n:"ns-resize",e:"ew-resize",s:"ns-resize",w:"ew-resize",nw:"nwse-resize",ne:"nesw-resize",se:"nwse-resize",sw:"nesw-resize"},fo={e:"w",w:"e",nw:"ne",ne:"nw",se:"sw",sw:"se"},lo={n:"s",s:"n",nw:"sw",ne:"se",se:"ne",sw:"nw"},so={overlay:1,selection:1,n:null,e:1,s:null,w:-1,nw:-1,ne:1,se:1,sw:-1},ho={overlay:1,selection:1,n:-1,e:null,s:1,w:null,nw:-1,ne:-1,se:1,sw:1};function po(t){return{type:t}}function vo(){return!Bt.button}function go(){var t=this.ownerSVGElement||this;return[[0,0],[t.width.baseVal.value,t.height.baseVal.value]]}function yo(t){for(;!t.__brush;)if(!(t=t.parentNode))return;return t.__brush}function _o(t){return t[0][0]===t[1][0]||t[0][1]===t[1][1]}function mo(t){var n=t.__brush;return n?n.dim.output(n.selection):null}function bo(){return Mo(oo)}function wo(){return Mo(uo)}var xo=function(){return Mo(ao)};function Mo(t){var n,e=go,r=vo,i=Object(at.a)(u,"start","brush","end"),o=6;function u(n){var e=n.property("__brush",s).selectAll(".overlay").data([po("overlay")]);e.enter().append("rect").attr("class","overlay").attr("pointer-events","all").attr("cursor",co.overlay).merge(e).each(function(){var t=yo(this).extent;Jt(this).attr("x",t[0][0]).attr("y",t[0][1]).attr("width",t[1][0]-t[0][0]).attr("height",t[1][1]-t[0][1])}),n.selectAll(".selection").data([po("selection")]).enter().append("rect").attr("class","selection").attr("cursor",co.selection).attr("fill","#777").attr("fill-opacity",.3).attr("stroke","#fff").attr("shape-rendering","crispEdges");var r=n.selectAll(".handle").data(t.handles,function(t){return t.type});r.exit().remove(),r.enter().append("rect").attr("class",function(t){return"handle handle--"+t.type}).attr("cursor",function(t){return co[t.type]}),n.each(a).attr("fill","none").attr("pointer-events","all").style("-webkit-tap-highlight-color","rgba(0,0,0,0)").on("mousedown.brush touchstart.brush",l)}function a(){var t=Jt(this),n=yo(this).selection;n?(t.selectAll(".selection").style("display",null).attr("x",n[0][0]).attr("y",n[0][1]).attr("width",n[1][0]-n[0][0]).attr("height",n[1][1]-n[0][1]),t.selectAll(".handle").style("display",null).attr("x",function(t){return"e"===t.type[t.type.length-1]?n[1][0]-o/2:n[0][0]-o/2}).attr("y",function(t){return"s"===t.type[0]?n[1][1]-o/2:n[0][1]-o/2}).attr("width",function(t){return"n"===t.type||"s"===t.type?n[1][0]-n[0][0]+o:o}).attr("height",function(t){return"e"===t.type||"w"===t.type?n[1][1]-n[0][1]+o:o})):t.selectAll(".selection,.handle").style("display","none").attr("x",null).attr("y",null).attr("width",null).attr("height",null)}function c(t,n){return t.__brush.emitter||new f(t,n)}function f(t,n){this.that=t,this.args=n,this.state=t.__brush,this.active=0}function l(){if(Bt.touches){if(Bt.changedTouches.length0&&(e=i-d),x<0?s=h-p:x>0&&(o=u-p),b=eo,L.attr("cursor",co.selection),z());break;default:return}to()},!0).on("keyup.brush",function(){switch(Bt.keyCode){case 16:A&&(g=y=A=!1,z());break;case 18:b===io&&(w<0?f=l:w>0&&(e=i),x<0?s=h:x>0&&(o=u),b=ro,z());break;case 32:b===eo&&(Bt.altKey?(w&&(f=l-d*w,e=i+d*w),x&&(s=h-p*x,o=u+p*x),b=io):(w<0?f=l:w>0&&(e=i),x<0?s=h:x>0&&(o=u),b=ro),L.attr("cursor",co[m]),z());break;default:return}to()},!0).on("mousemove.brush",D,!0).on("mouseup.brush",F,!0);dn(Bt.view)}Ji(),Zr(_),a.call(_),I.start()}function D(){var t=an(_);!A||g||y||(Math.abs(t[0]-R[0])>Math.abs(t[1]-R[1])?y=!0:g=!0),R=t,v=!0,to(),z()}function z(){var t;switch(d=R[0]-P[0],p=R[1]-P[1],b){case eo:case no:w&&(d=Math.max(N-e,Math.min(T-f,d)),i=e+d,l=f+d),x&&(p=Math.max(S-o,Math.min(C-s,p)),u=o+p,h=s+p);break;case ro:w<0?(d=Math.max(N-e,Math.min(T-e,d)),i=e+d,l=f):w>0&&(d=Math.max(N-f,Math.min(T-f,d)),i=e,l=f+d),x<0?(p=Math.max(S-o,Math.min(C-o,p)),u=o+p,h=s):x>0&&(p=Math.max(S-s,Math.min(C-s,p)),u=o,h=s+p);break;case io:w&&(i=Math.max(N,Math.min(T,e-d*w)),l=Math.max(N,Math.min(T,f+d*w))),x&&(u=Math.max(S,Math.min(C,o-p*x)),h=Math.max(S,Math.min(C,s+p*x)))}l1e-6)if(Math.abs(l*a-c*f)>1e-6&&i){var h=e-o,d=r-u,p=a*a+c*c,v=h*h+d*d,g=Math.sqrt(p),y=Math.sqrt(s),_=i*Math.tan((Io-Math.acos((p+s-v)/(2*g*y)))/2),m=_/y,b=_/g;Math.abs(m-1)>1e-6&&(this._+="L"+(t+m*f)+","+(n+m*l)),this._+="A"+i+","+i+",0,0,"+ +(l*h>f*d)+","+(this._x1=t+b*a)+","+(this._y1=n+b*c)}else this._+="L"+(this._x1=t)+","+(this._y1=n);else;},arc:function(t,n,e,r,i,o){t=+t,n=+n;var u=(e=+e)*Math.cos(r),a=e*Math.sin(r),c=t+u,f=n+a,l=1^o,s=o?r-i:i-r;if(e<0)throw new Error("negative radius: "+e);null===this._x1?this._+="M"+c+","+f:(Math.abs(this._x1-c)>1e-6||Math.abs(this._y1-f)>1e-6)&&(this._+="L"+c+","+f),e&&(s<0&&(s=s%Oo+Oo),s>Lo?this._+="A"+e+","+e+",0,1,"+l+","+(t-u)+","+(n-a)+"A"+e+","+e+",0,1,"+l+","+(this._x1=c)+","+(this._y1=f):s>1e-6&&(this._+="A"+e+","+e+",0,"+ +(s>=Io)+","+l+","+(this._x1=t+e*Math.cos(i))+","+(this._y1=n+e*Math.sin(i))))},rect:function(t,n,e,r){this._+="M"+(this._x0=this._x1=+t)+","+(this._y0=this._y1=+n)+"h"+ +e+"v"+ +r+"h"+-e+"Z"},toString:function(){return this._}};var zo=Do;function Fo(t){return t.source}function jo(t){return t.target}function qo(t){return t.radius}function Bo(t){return t.startAngle}function Yo(t){return t.endAngle}var Ho=function(){var t=Fo,n=jo,e=qo,r=Bo,i=Yo,o=null;function u(){var u,a=Po.call(arguments),c=t.apply(this,a),f=n.apply(this,a),l=+e.apply(this,(a[0]=c,a)),s=r.apply(this,a)-So,h=i.apply(this,a)-So,d=l*Eo(s),p=l*ko(s),v=+e.apply(this,(a[0]=f,a)),g=r.apply(this,a)-So,y=i.apply(this,a)-So;if(o||(o=u=zo()),o.moveTo(d,p),o.arc(0,0,l,s,h),s===g&&h===y||(o.quadraticCurveTo(0,0,v*Eo(g),v*ko(g)),o.arc(0,0,v,g,y)),o.quadraticCurveTo(0,0,d,p),o.closePath(),u)return o=null,u+""||null}return u.radius=function(t){return arguments.length?(e="function"==typeof t?t:Ro(+t),u):e},u.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:Ro(+t),u):r},u.endAngle=function(t){return arguments.length?(i="function"==typeof t?t:Ro(+t),u):i},u.source=function(n){return arguments.length?(t=n,u):t},u.target=function(t){return arguments.length?(n=t,u):n},u.context=function(t){return arguments.length?(o=null==t?null:t,u):o},u},Vo=e(6),$o=Array.prototype.slice,Wo=function(t,n){return t-n},Xo=function(t){for(var n=0,e=t.length,r=t[e-1][1]*t[0][0]-t[e-1][0]*t[0][1];++nr!=d>r&&e<(h-f)*(r-l)/(d-l)+f&&(i=-i)}return i}function Ko(t,n,e){var r;return function(t,n,e){return(n[0]-t[0])*(e[1]-t[1])==(e[0]-t[0])*(n[1]-t[1])}(t,n,e)&&function(t,n,e){return t<=n&&n<=e||e<=n&&n<=t}(t[r=+(t[0]===n[0])],e[r],n[r])}var Jo=function(){},tu=[[],[[[1,1.5],[.5,1]]],[[[1.5,1],[1,1.5]]],[[[1.5,1],[.5,1]]],[[[1,.5],[1.5,1]]],[[[1,1.5],[.5,1]],[[1,.5],[1.5,1]]],[[[1,.5],[1,1.5]]],[[[1,.5],[.5,1]]],[[[.5,1],[1,.5]]],[[[1,1.5],[1,.5]]],[[[.5,1],[1,.5]],[[1.5,1],[1,1.5]]],[[[1.5,1],[1,.5]]],[[[.5,1],[1.5,1]]],[[[1,1.5],[1.5,1]]],[[[.5,1],[1,1.5]]],[]],nu=function(){var t=1,n=1,e=C,r=a;function i(t){var n=e(t);if(Array.isArray(n))n=n.slice().sort(Wo);else{var r=g(t),i=r[0],u=r[1];n=T(i,u,n),n=x(Math.floor(i/n)*n,Math.floor(u/n)*n,n)}return n.map(function(n){return o(t,n)})}function o(e,i){var o=[],a=[];return function(e,r,i){var o,a,c,f,l,s,h=new Array,d=new Array;o=a=-1,f=e[0]>=r,tu[f<<1].forEach(p);for(;++o=r,tu[c|f<<1].forEach(p);tu[f<<0].forEach(p);for(;++a=r,l=e[a*t]>=r,tu[f<<1|l<<2].forEach(p);++o=r,s=l,l=e[a*t+o+1]>=r,tu[c|f<<1|l<<2|s<<3].forEach(p);tu[f|l<<3].forEach(p)}o=-1,l=e[a*t]>=r,tu[l<<2].forEach(p);for(;++o=r,tu[l<<2|s<<3].forEach(p);function p(t){var n,e,r=[t[0][0]+o,t[0][1]+a],c=[t[1][0]+o,t[1][1]+a],f=u(r),l=u(c);(n=d[f])?(e=h[l])?(delete d[n.end],delete h[e.start],n===e?(n.ring.push(c),i(n.ring)):h[n.start]=d[e.end]={start:n.start,end:e.end,ring:n.ring.concat(e.ring)}):(delete d[n.end],n.ring.push(c),d[n.end=l]=n):(n=h[l])?(e=d[f])?(delete h[n.start],delete d[e.end],n===e?(n.ring.push(c),i(n.ring)):h[e.start]=d[n.end]={start:e.start,end:n.end,ring:e.ring.concat(n.ring)}):(delete h[n.start],n.ring.unshift(r),h[n.start=f]=n):h[f]=d[l]={start:f,end:l,ring:[r,c]}}tu[l<<3].forEach(p)}(e,i,function(t){r(t,e,i),Xo(t)>0?o.push([t]):a.push(t)}),a.forEach(function(t){for(var n,e=0,r=o.length;e0&&u0&&a0&&o>0))throw new Error("invalid size");return t=r,n=o,i},i.thresholds=function(t){return arguments.length?(e="function"==typeof t?t:Array.isArray(t)?Go($o.call(t)):Go(t),i):e},i.smooth=function(t){return arguments.length?(r=t?a:Jo,i):r===a},i};function eu(t,n,e){for(var r=t.width,i=t.height,o=1+(e<<1),u=0;u=e&&(a>=o&&(c-=t.data[a-o+u*r]),n.data[a-e+u*r]=c/Math.min(a+1,r-1+o-a,o))}function ru(t,n,e){for(var r=t.width,i=t.height,o=1+(e<<1),u=0;u=e&&(a>=o&&(c-=t.data[u+(a-o)*r]),n.data[u+(a-e)*r]=c/Math.min(a+1,i-1+o-a,o))}function iu(t){return t[0]}function ou(t){return t[1]}function uu(){return 1}var au=function(){var t=iu,n=ou,e=uu,r=960,i=500,o=20,u=2,a=3*o,c=r+2*a>>u,f=i+2*a>>u,l=Go(20);function s(r){var i=new Float32Array(c*f),s=new Float32Array(c*f);r.forEach(function(r,o,l){var s=+t(r,o,l)+a>>u,h=+n(r,o,l)+a>>u,d=+e(r,o,l);s>=0&&s=0&&h>u),ru({width:c,height:f,data:s},{width:c,height:f,data:i},o>>u),eu({width:c,height:f,data:i},{width:c,height:f,data:s},o>>u),ru({width:c,height:f,data:s},{width:c,height:f,data:i},o>>u),eu({width:c,height:f,data:i},{width:c,height:f,data:s},o>>u),ru({width:c,height:f,data:s},{width:c,height:f,data:i},o>>u);var d=l(i);if(!Array.isArray(d)){var p=O(i);d=T(0,p,d),(d=x(0,Math.floor(p/d)*d,d)).shift()}return nu().thresholds(d).size([c,f])(i).map(h)}function h(t){return t.value*=Math.pow(2,-2*u),t.coordinates.forEach(d),t}function d(t){t.forEach(p)}function p(t){t.forEach(v)}function v(t){t[0]=t[0]*Math.pow(2,u)-a,t[1]=t[1]*Math.pow(2,u)-a}function g(){return c=r+2*(a=3*o)>>u,f=i+2*a>>u,s}return s.x=function(n){return arguments.length?(t="function"==typeof n?n:Go(+n),s):t},s.y=function(t){return arguments.length?(n="function"==typeof t?t:Go(+t),s):n},s.weight=function(t){return arguments.length?(e="function"==typeof t?t:Go(+t),s):e},s.size=function(t){if(!arguments.length)return[r,i];var n=Math.ceil(t[0]),e=Math.ceil(t[1]);if(!(n>=0||n>=0))throw new Error("invalid size");return r=n,i=e,g()},s.cellSize=function(t){if(!arguments.length)return 1<=1))throw new Error("invalid cell size");return u=Math.floor(Math.log(t)/Math.LN2),g()},s.thresholds=function(t){return arguments.length?(l="function"==typeof t?t:Array.isArray(t)?Go($o.call(t)):Go(t),s):l},s.bandwidth=function(t){if(!arguments.length)return Math.sqrt(o*(o+1));if(!((t=+t)>=0))throw new Error("invalid bandwidth");return o=Math.round((Math.sqrt(4*t*t+1)-1)/2),g()},s},cu=e(7);function fu(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.blob()}var lu=function(t,n){return fetch(t,n).then(fu)};function su(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.arrayBuffer()}var hu=function(t,n){return fetch(t,n).then(su)};function du(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.text()}var pu=function(t,n){return fetch(t,n).then(du)};function vu(t){return function(n,e,r){return 2===arguments.length&&"function"==typeof e&&(r=e,e=void 0),pu(n,e).then(function(n){return t(n,r)})}}function gu(t,n,e,r){3===arguments.length&&"function"==typeof e&&(r=e,e=void 0);var i=Object(cu.e)(t);return pu(n,e).then(function(t){return i.parse(t,r)})}var yu=vu(cu.c),_u=vu(cu.h),mu=function(t,n){return new Promise(function(e,r){var i=new Image;for(var o in n)i[o]=n[o];i.onerror=r,i.onload=function(){e(i)},i.src=t})};function bu(t){if(!t.ok)throw new Error(t.status+" "+t.statusText);return t.json()}var wu=function(t,n){return fetch(t,n).then(bu)};function xu(t){return function(n,e){return pu(n,e).then(function(n){return(new DOMParser).parseFromString(n,t)})}}var Mu=xu("application/xml"),Eu=xu("text/html"),ku=xu("image/svg+xml"),Nu=function(t,n){var e;function r(){var r,i,o=e.length,u=0,a=0;for(r=0;r=(o=(v+y)/2))?v=o:y=o,(l=e>=(u=(g+_)/2))?g=u:_=u,i=d,!(d=d[s=l<<1|f]))return i[s]=p,t;if(a=+t._x.call(null,d.data),c=+t._y.call(null,d.data),n===a&&e===c)return p.next=d,i?i[s]=p:t._root=p,t;do{i=i?i[s]=new Array(4):t._root=new Array(4),(f=n>=(o=(v+y)/2))?v=o:y=o,(l=e>=(u=(g+_)/2))?g=u:_=u}while((s=l<<1|f)==(h=(c>=u)<<1|a>=o));return i[h]=d,i[s]=p,t}var Au=function(t,n,e,r,i){this.node=t,this.x0=n,this.y0=e,this.x1=r,this.y1=i};function Pu(t){return t[0]}function Ru(t){return t[1]}function Iu(t,n,e){var r=new Ou(null==n?Pu:n,null==e?Ru:e,NaN,NaN,NaN,NaN);return null==t?r:r.addAll(t)}function Ou(t,n,e,r,i,o){this._x=t,this._y=n,this._x0=e,this._y0=r,this._x1=i,this._y1=o,this._root=void 0}function Lu(t){for(var n={data:t.data},e=n;t=t.next;)e=e.next={data:t.data};return n}var Uu=Iu.prototype=Ou.prototype;function Du(t){return t.x+t.vx}function zu(t){return t.y+t.vy}Uu.copy=function(){var t,n,e=new Ou(this._x,this._y,this._x0,this._y0,this._x1,this._y1),r=this._root;if(!r)return e;if(!r.length)return e._root=Lu(r),e;for(t=[{source:r,target:e._root=new Array(4)}];r=t.pop();)for(var i=0;i<4;++i)(n=r.source[i])&&(n.length?t.push({source:n,target:r.target[i]=new Array(4)}):r.target[i]=Lu(n));return e},Uu.add=function(t){var n=+this._x.call(null,t),e=+this._y.call(null,t);return Cu(this.cover(n,e),n,e,t)},Uu.addAll=function(t){var n,e,r,i,o=t.length,u=new Array(o),a=new Array(o),c=1/0,f=1/0,l=-1/0,s=-1/0;for(e=0;el&&(l=r),is&&(s=i));for(lt||t>i||r>n||n>o))return this;var u,a,c=i-e,f=this._root;switch(a=(n<(r+o)/2)<<1|t<(e+i)/2){case 0:do{(u=new Array(4))[a]=f,f=u}while(o=r+(c*=2),t>(i=e+c)||n>o);break;case 1:do{(u=new Array(4))[a]=f,f=u}while(o=r+(c*=2),(e=i-c)>t||n>o);break;case 2:do{(u=new Array(4))[a]=f,f=u}while(r=o-(c*=2),t>(i=e+c)||r>n);break;case 3:do{(u=new Array(4))[a]=f,f=u}while(r=o-(c*=2),(e=i-c)>t||r>n)}this._root&&this._root.length&&(this._root=f)}return this._x0=e,this._y0=r,this._x1=i,this._y1=o,this},Uu.data=function(){var t=[];return this.visit(function(n){if(!n.length)do{t.push(n.data)}while(n=n.next)}),t},Uu.extent=function(t){return arguments.length?this.cover(+t[0][0],+t[0][1]).cover(+t[1][0],+t[1][1]):isNaN(this._x0)?void 0:[[this._x0,this._y0],[this._x1,this._y1]]},Uu.find=function(t,n,e){var r,i,o,u,a,c,f,l=this._x0,s=this._y0,h=this._x1,d=this._y1,p=[],v=this._root;for(v&&p.push(new Au(v,l,s,h,d)),null==e?e=1/0:(l=t-e,s=n-e,h=t+e,d=n+e,e*=e);c=p.pop();)if(!(!(v=c.node)||(i=c.x0)>h||(o=c.y0)>d||(u=c.x1)=y)<<1|t>=g)&&(c=p[p.length-1],p[p.length-1]=p[p.length-1-f],p[p.length-1-f]=c)}else{var _=t-+this._x.call(null,v.data),m=n-+this._y.call(null,v.data),b=_*_+m*m;if(b=(a=(p+g)/2))?p=a:g=a,(l=u>=(c=(v+y)/2))?v=c:y=c,n=d,!(d=d[s=l<<1|f]))return this;if(!d.length)break;(n[s+1&3]||n[s+2&3]||n[s+3&3])&&(e=n,h=s)}for(;d.data!==t;)if(r=d,!(d=d.next))return this;return(i=d.next)&&delete d.next,r?(i?r.next=i:delete r.next,this):n?(i?n[s]=i:delete n[s],(d=n[0]||n[1]||n[2]||n[3])&&d===(n[3]||n[2]||n[1]||n[0])&&!d.length&&(e?e[h]=d:this._root=d),this):(this._root=i,this)},Uu.removeAll=function(t){for(var n=0,e=t.length;nc+d||if+d||oa.index){var p=c-u.x-u.vx,v=f-u.y-u.vy,g=p*p+v*v;gt.r&&(t.r=t[n].r)}function a(){if(n){var r,i,o=n.length;for(e=new Array(o),r=0;r1?(null==e?a.remove(t):a.set(t,d(e)),n):a.get(t)},find:function(n,e,r){var i,o,u,a,c,f=0,l=t.length;for(null==r?r=1/0:r*=r,f=0;f1?(f.on(t,e),n):f.on(t)}}},Xu=function(){var t,n,e,r,i=Su(-30),o=1,u=1/0,a=.81;function c(r){var i,o=t.length,u=Iu(t,Yu,Hu).visitAfter(l);for(e=r,i=0;i=u)){(t.data!==n||t.next)&&(0===l&&(d+=(l=Tu())*l),0===s&&(d+=(s=Tu())*s),d1?r[0]+r.slice(2):r,+t.slice(e+1)]},Ju=function(t){return(t=Ku(Math.abs(t)))?t[1]:NaN},ta=/^(?:(.)?([<>=^]))?([+\-( ])?([$#])?(0)?(\d+)?(,)?(\.\d+)?(~)?([a-z%])?$/i;function na(t){return new ea(t)}function ea(t){if(!(n=ta.exec(t)))throw new Error("invalid format: "+t);var n;this.fill=n[1]||" ",this.align=n[2]||">",this.sign=n[3]||"-",this.symbol=n[4]||"",this.zero=!!n[5],this.width=n[6]&&+n[6],this.comma=!!n[7],this.precision=n[8]&&+n[8].slice(1),this.trim=!!n[9],this.type=n[10]||""}na.prototype=ea.prototype,ea.prototype.toString=function(){return this.fill+this.align+this.sign+this.symbol+(this.zero?"0":"")+(null==this.width?"":Math.max(1,0|this.width))+(this.comma?",":"")+(null==this.precision?"":"."+Math.max(0,0|this.precision))+(this.trim?"~":"")+this.type};var ra,ia,oa,ua,aa=function(t){t:for(var n,e=t.length,r=1,i=-1;r0){if(!+t[r])break t;i=0}}return i>0?t.slice(0,i)+t.slice(n+1):t},ca=function(t,n){var e=Ku(t,n);if(!e)return t+"";var r=e[0],i=e[1];return i<0?"0."+new Array(-i).join("0")+r:r.length>i+1?r.slice(0,i+1)+"."+r.slice(i+1):r+new Array(i-r.length+2).join("0")},fa={"%":function(t,n){return(100*t).toFixed(n)},b:function(t){return Math.round(t).toString(2)},c:function(t){return t+""},d:function(t){return Math.round(t).toString(10)},e:function(t,n){return t.toExponential(n)},f:function(t,n){return t.toFixed(n)},g:function(t,n){return t.toPrecision(n)},o:function(t){return Math.round(t).toString(8)},p:function(t,n){return ca(100*t,n)},r:ca,s:function(t,n){var e=Ku(t,n);if(!e)return t+"";var r=e[0],i=e[1],o=i-(ra=3*Math.max(-8,Math.min(8,Math.floor(i/3))))+1,u=r.length;return o===u?r:o>u?r+new Array(o-u+1).join("0"):o>0?r.slice(0,o)+"."+r.slice(o):"0."+new Array(1-o).join("0")+Ku(t,Math.max(0,n+o-1))[0]},X:function(t){return Math.round(t).toString(16).toUpperCase()},x:function(t){return Math.round(t).toString(16)}},la=function(t){return t},sa=["y","z","a","f","p","n","µ","m","","k","M","G","T","P","E","Z","Y"],ha=function(t){var n=t.grouping&&t.thousands?function(t,n){return function(e,r){for(var i=e.length,o=[],u=0,a=t[0],c=0;i>0&&a>0&&(c+a+1>r&&(a=Math.max(1,r-c)),o.push(e.substring(i-=a,i+a)),!((c+=a+1)>r));)a=t[u=(u+1)%t.length];return o.reverse().join(n)}}(t.grouping,t.thousands):la,e=t.currency,r=t.decimal,i=t.numerals?function(t){return function(n){return n.replace(/[0-9]/g,function(n){return t[+n]})}}(t.numerals):la,o=t.percent||"%";function u(t){var u=(t=na(t)).fill,a=t.align,c=t.sign,f=t.symbol,l=t.zero,s=t.width,h=t.comma,d=t.precision,p=t.trim,v=t.type;"n"===v?(h=!0,v="g"):fa[v]||(null==d&&(d=12),p=!0,v="g"),(l||"0"===u&&"="===a)&&(l=!0,u="0",a="=");var g="$"===f?e[0]:"#"===f&&/[boxX]/.test(v)?"0"+v.toLowerCase():"",y="$"===f?e[1]:/[%p]/.test(v)?o:"",_=fa[v],m=/[defgprs%]/.test(v);function b(t){var e,o,f,b=g,w=y;if("c"===v)w=_(t)+w,t="";else{var x=(t=+t)<0;if(t=_(Math.abs(t),d),p&&(t=aa(t)),x&&0==+t&&(x=!1),b=(x?"("===c?c:"-":"-"===c||"("===c?"":c)+b,w=("s"===v?sa[8+ra/3]:"")+w+(x&&"("===c?")":""),m)for(e=-1,o=t.length;++e(f=t.charCodeAt(e))||f>57){w=(46===f?r+t.slice(e+1):t.slice(e))+w,t=t.slice(0,e);break}}h&&!l&&(t=n(t,1/0));var M=b.length+t.length+w.length,E=M>1)+b+t+w+E.slice(M);break;default:t=E+b+t+w}return i(t)}return d=null==d?6:/[gprs]/.test(v)?Math.max(1,Math.min(21,d)):Math.max(0,Math.min(20,d)),b.toString=function(){return t+""},b}return{format:u,formatPrefix:function(t,n){var e=u(((t=na(t)).type="f",t)),r=3*Math.max(-8,Math.min(8,Math.floor(Ju(n)/3))),i=Math.pow(10,-r),o=sa[8+r/3];return function(t){return e(i*t)+o}}}};function da(t){return ia=ha(t),oa=ia.format,ua=ia.formatPrefix,ia}da({decimal:".",thousands:",",grouping:[3],currency:["$",""]});var pa=function(t){return Math.max(0,-Ju(Math.abs(t)))},va=function(t,n){return Math.max(0,3*Math.max(-8,Math.min(8,Math.floor(Ju(n)/3)))-Ju(Math.abs(t)))},ga=function(t,n){return t=Math.abs(t),n=Math.abs(n)-t,Math.max(0,Ju(n)-Ju(t))+1},ya=function(){return new _a};function _a(){this.reset()}_a.prototype={constructor:_a,reset:function(){this.s=this.t=0},add:function(t){ba(ma,t,this.t),ba(this,ma.s,this.s),this.s?this.t+=ma.t:this.s=ma.t},valueOf:function(){return this.s}};var ma=new _a;function ba(t,n,e){var r=t.s=n+e,i=r-n,o=r-i;t.t=n-o+(e-i)}var wa=1e-6,xa=Math.PI,Ma=xa/2,Ea=xa/4,ka=2*xa,Na=180/xa,Sa=xa/180,Ta=Math.abs,Ca=Math.atan,Aa=Math.atan2,Pa=Math.cos,Ra=Math.ceil,Ia=Math.exp,Oa=(Math.floor,Math.log),La=Math.pow,Ua=Math.sin,Da=Math.sign||function(t){return t>0?1:t<0?-1:0},za=Math.sqrt,Fa=Math.tan;function ja(t){return t>1?0:t<-1?xa:Math.acos(t)}function qa(t){return t>1?Ma:t<-1?-Ma:Math.asin(t)}function Ba(t){return(t=Ua(t/2))*t}function Ya(){}function Ha(t,n){t&&$a.hasOwnProperty(t.type)&&$a[t.type](t,n)}var Va={Feature:function(t,n){Ha(t.geometry,n)},FeatureCollection:function(t,n){for(var e=t.features,r=-1,i=e.length;++r=0?1:-1,i=r*e,o=Pa(n),u=Ua(n),a=Ja*u,c=Ka*o+a*Pa(i),f=a*r*Ua(i);nc.add(Aa(f,c)),Za=t,Ka=o,Ja=u}var cc=function(t){return ec.reset(),tc(t,rc),2*ec};function fc(t){return[Aa(t[1],t[0]),qa(t[2])]}function lc(t){var n=t[0],e=t[1],r=Pa(e);return[r*Pa(n),r*Ua(n),Ua(e)]}function sc(t,n){return t[0]*n[0]+t[1]*n[1]+t[2]*n[2]}function hc(t,n){return[t[1]*n[2]-t[2]*n[1],t[2]*n[0]-t[0]*n[2],t[0]*n[1]-t[1]*n[0]]}function dc(t,n){t[0]+=n[0],t[1]+=n[1],t[2]+=n[2]}function pc(t,n){return[t[0]*n,t[1]*n,t[2]*n]}function vc(t){var n=za(t[0]*t[0]+t[1]*t[1]+t[2]*t[2]);t[0]/=n,t[1]/=n,t[2]/=n}var gc,yc,_c,mc,bc,wc,xc,Mc,Ec,kc,Nc=ya(),Sc={point:Tc,lineStart:Ac,lineEnd:Pc,polygonStart:function(){Sc.point=Rc,Sc.lineStart=Ic,Sc.lineEnd=Oc,Nc.reset(),rc.polygonStart()},polygonEnd:function(){rc.polygonEnd(),Sc.point=Tc,Sc.lineStart=Ac,Sc.lineEnd=Pc,nc<0?(gc=-(_c=180),yc=-(mc=90)):Nc>wa?mc=90:Nc<-wa&&(yc=-90),kc[0]=gc,kc[1]=_c}};function Tc(t,n){Ec.push(kc=[gc=t,_c=t]),nmc&&(mc=n)}function Cc(t,n){var e=lc([t*Sa,n*Sa]);if(Mc){var r=hc(Mc,e),i=hc([r[1],-r[0],0],r);vc(i),i=fc(i);var o,u=t-bc,a=u>0?1:-1,c=i[0]*Na*a,f=Ta(u)>180;f^(a*bcmc&&(mc=o):f^(a*bc<(c=(c+360)%360-180)&&cmc&&(mc=n)),f?tLc(gc,_c)&&(_c=t):Lc(t,_c)>Lc(gc,_c)&&(gc=t):_c>=gc?(t_c&&(_c=t)):t>bc?Lc(gc,t)>Lc(gc,_c)&&(_c=t):Lc(t,_c)>Lc(gc,_c)&&(gc=t)}else Ec.push(kc=[gc=t,_c=t]);nmc&&(mc=n),Mc=e,bc=t}function Ac(){Sc.point=Cc}function Pc(){kc[0]=gc,kc[1]=_c,Sc.point=Tc,Mc=null}function Rc(t,n){if(Mc){var e=t-bc;Nc.add(Ta(e)>180?e+(e>0?360:-360):e)}else wc=t,xc=n;rc.point(t,n),Cc(t,n)}function Ic(){rc.lineStart()}function Oc(){Rc(wc,xc),rc.lineEnd(),Ta(Nc)>wa&&(gc=-(_c=180)),kc[0]=gc,kc[1]=_c,Mc=null}function Lc(t,n){return(n-=t)<0?n+360:n}function Uc(t,n){return t[0]-n[0]}function Dc(t,n){return t[0]<=t[1]?t[0]<=n&&n<=t[1]:nLc(r[0],r[1])&&(r[1]=i[1]),Lc(i[0],r[1])>Lc(r[0],r[1])&&(r[0]=i[0])):o.push(r=i);for(u=-1/0,n=0,r=o[e=o.length-1];n<=e;r=i,++n)i=o[n],(a=Lc(r[1],i[0]))>u&&(u=a,gc=i[0],_c=r[1])}return Ec=kc=null,gc===1/0||yc===1/0?[[NaN,NaN],[NaN,NaN]]:[[gc,yc],[_c,mc]]},nf={sphere:Ya,point:ef,lineStart:of,lineEnd:cf,polygonStart:function(){nf.lineStart=ff,nf.lineEnd=lf},polygonEnd:function(){nf.lineStart=of,nf.lineEnd=cf}};function ef(t,n){t*=Sa;var e=Pa(n*=Sa);rf(e*Pa(t),e*Ua(t),Ua(n))}function rf(t,n,e){jc+=(t-jc)/++zc,qc+=(n-qc)/zc,Bc+=(e-Bc)/zc}function of(){nf.point=uf}function uf(t,n){t*=Sa;var e=Pa(n*=Sa);Zc=e*Pa(t),Kc=e*Ua(t),Jc=Ua(n),nf.point=af,rf(Zc,Kc,Jc)}function af(t,n){t*=Sa;var e=Pa(n*=Sa),r=e*Pa(t),i=e*Ua(t),o=Ua(n),u=Aa(za((u=Kc*o-Jc*i)*u+(u=Jc*r-Zc*o)*u+(u=Zc*i-Kc*r)*u),Zc*r+Kc*i+Jc*o);Fc+=u,Yc+=u*(Zc+(Zc=r)),Hc+=u*(Kc+(Kc=i)),Vc+=u*(Jc+(Jc=o)),rf(Zc,Kc,Jc)}function cf(){nf.point=ef}function ff(){nf.point=sf}function lf(){hf(Gc,Qc),nf.point=ef}function sf(t,n){Gc=t,Qc=n,t*=Sa,n*=Sa,nf.point=hf;var e=Pa(n);Zc=e*Pa(t),Kc=e*Ua(t),Jc=Ua(n),rf(Zc,Kc,Jc)}function hf(t,n){t*=Sa;var e=Pa(n*=Sa),r=e*Pa(t),i=e*Ua(t),o=Ua(n),u=Kc*o-Jc*i,a=Jc*r-Zc*o,c=Zc*i-Kc*r,f=za(u*u+a*a+c*c),l=qa(f),s=f&&-l/f;$c+=s*u,Wc+=s*a,Xc+=s*c,Fc+=l,Yc+=l*(Zc+(Zc=r)),Hc+=l*(Kc+(Kc=i)),Vc+=l*(Jc+(Jc=o)),rf(Zc,Kc,Jc)}var df=function(t){zc=Fc=jc=qc=Bc=Yc=Hc=Vc=$c=Wc=Xc=0,tc(t,nf);var n=$c,e=Wc,r=Xc,i=n*n+e*e+r*r;return i<1e-12&&(n=Yc,e=Hc,r=Vc,Fcxa?t-ka:t<-xa?t+ka:t,n]}function yf(t,n,e){return(t%=ka)?n||e?vf(mf(t),bf(n,e)):mf(t):n||e?bf(n,e):gf}function _f(t){return function(n,e){return[(n+=t)>xa?n-ka:n<-xa?n+ka:n,e]}}function mf(t){var n=_f(t);return n.invert=_f(-t),n}function bf(t,n){var e=Pa(t),r=Ua(t),i=Pa(n),o=Ua(n);function u(t,n){var u=Pa(n),a=Pa(t)*u,c=Ua(t)*u,f=Ua(n),l=f*e+a*r;return[Aa(c*i-l*o,a*e-f*r),qa(l*i+c*o)]}return u.invert=function(t,n){var u=Pa(n),a=Pa(t)*u,c=Ua(t)*u,f=Ua(n),l=f*i-c*o;return[Aa(c*i+f*o,a*e+l*r),qa(l*e-a*r)]},u}gf.invert=gf;var wf=function(t){function n(n){return(n=t(n[0]*Sa,n[1]*Sa))[0]*=Na,n[1]*=Na,n}return t=yf(t[0]*Sa,t[1]*Sa,t.length>2?t[2]*Sa:0),n.invert=function(n){return(n=t.invert(n[0]*Sa,n[1]*Sa))[0]*=Na,n[1]*=Na,n},n};function xf(t,n,e,r,i,o){if(e){var u=Pa(n),a=Ua(n),c=r*e;null==i?(i=n+r*ka,o=n-c/2):(i=Mf(u,i),o=Mf(u,o),(r>0?io)&&(i+=r*ka));for(var f,l=i;r>0?l>o:l1&&n.push(n.pop().concat(n.shift()))},result:function(){var e=n;return n=[],t=null,e}}},Nf=function(t,n){return Ta(t[0]-n[0])=0;--o)i.point((l=f[o])[0],l[1]);else r(h.x,h.p.x,-1,i);h=h.p}f=(h=h.o).z,d=!d}while(!h.v);i.lineEnd()}}};function Cf(t){if(n=t.length){for(var n,e,r=0,i=t[0];++r=0?1:-1,k=E*M,N=k>xa,S=v*w;if(Af.add(Aa(S*E*Ua(k),g*x+S*Pa(k))),u+=N?M+E*ka:M,N^d>=e^m>=e){var T=hc(lc(h),lc(_));vc(T);var C=hc(o,T);vc(C);var A=(N^M>=0?-1:1)*qa(C[2]);(r>A||r===A&&(T[0]||T[1]))&&(a+=N^M>=0?1:-1)}}return(u<-wa||u0){for(s||(i.polygonStart(),s=!0),i.lineStart(),t=0;t1&&2&c&&h.push(h.pop().concat(h.shift())),u.push(h.filter(If))}return h}};function If(t){return t.length>1}function Of(t,n){return((t=t.x)[0]<0?t[1]-Ma-wa:Ma-t[1])-((n=n.x)[0]<0?n[1]-Ma-wa:Ma-n[1])}var Lf=Rf(function(){return!0},function(t){var n,e=NaN,r=NaN,i=NaN;return{lineStart:function(){t.lineStart(),n=1},point:function(o,u){var a=o>0?xa:-xa,c=Ta(o-e);Ta(c-xa)0?Ma:-Ma),t.point(i,r),t.lineEnd(),t.lineStart(),t.point(a,r),t.point(o,r),n=0):i!==a&&c>=xa&&(Ta(e-i)wa?Ca((Ua(n)*(o=Pa(r))*Ua(e)-Ua(r)*(i=Pa(n))*Ua(t))/(i*o*u)):(n+r)/2}(e,r,o,u),t.point(i,r),t.lineEnd(),t.lineStart(),t.point(a,r),n=0),t.point(e=o,r=u),i=a},lineEnd:function(){t.lineEnd(),e=r=NaN},clean:function(){return 2-n}}},function(t,n,e,r){var i;if(null==t)i=e*Ma,r.point(-xa,i),r.point(0,i),r.point(xa,i),r.point(xa,0),r.point(xa,-i),r.point(0,-i),r.point(-xa,-i),r.point(-xa,0),r.point(-xa,i);else if(Ta(t[0]-n[0])>wa){var o=t[0]0,i=Ta(n)>wa;function o(t,e){return Pa(t)*Pa(e)>n}function u(t,e,r){var i=[1,0,0],o=hc(lc(t),lc(e)),u=sc(o,o),a=o[0],c=u-a*a;if(!c)return!r&&t;var f=n*u/c,l=-n*a/c,s=hc(i,o),h=pc(i,f);dc(h,pc(o,l));var d=s,p=sc(h,d),v=sc(d,d),g=p*p-v*(sc(h,h)-1);if(!(g<0)){var y=za(g),_=pc(d,(-p-y)/v);if(dc(_,h),_=fc(_),!r)return _;var m,b=t[0],w=e[0],x=t[1],M=e[1];w0^_[1]<(Ta(_[0]-b)xa^(b<=_[0]&&_[0]<=w)){var N=pc(d,(-p+y)/v);return dc(N,h),[_,fc(N)]}}}function a(n,e){var i=r?t:xa-t,o=0;return n<-i?o|=1:n>i&&(o|=2),e<-i?o|=4:e>i&&(o|=8),o}return Rf(o,function(t){var n,e,c,f,l;return{lineStart:function(){f=c=!1,l=1},point:function(s,h){var d,p=[s,h],v=o(s,h),g=r?v?0:a(s,h):v?a(s+(s<0?xa:-xa),h):0;if(!n&&(f=c=v)&&t.lineStart(),v!==c&&(!(d=u(n,p))||Nf(n,d)||Nf(p,d))&&(p[0]+=wa,p[1]+=wa,v=o(p[0],p[1])),v!==c)l=0,v?(t.lineStart(),d=u(p,n),t.point(d[0],d[1])):(d=u(n,p),t.point(d[0],d[1]),t.lineEnd()),n=d;else if(i&&n&&r^v){var y;g&e||!(y=u(p,n,!0))||(l=0,r?(t.lineStart(),t.point(y[0][0],y[0][1]),t.point(y[1][0],y[1][1]),t.lineEnd()):(t.point(y[1][0],y[1][1]),t.lineEnd(),t.lineStart(),t.point(y[0][0],y[0][1])))}!v||n&&Nf(n,p)||t.point(p[0],p[1]),n=p,c=v,e=g},lineEnd:function(){c&&t.lineEnd(),n=null},clean:function(){return l|(f&&c)<<1}}},function(n,r,i,o){xf(o,t,e,i,n,r)},r?[0,-t]:[-xa,t-xa])},Df=function(t,n,e,r,i,o){var u,a=t[0],c=t[1],f=0,l=1,s=n[0]-a,h=n[1]-c;if(u=e-a,s||!(u>0)){if(u/=s,s<0){if(u0){if(u>l)return;u>f&&(f=u)}if(u=i-a,s||!(u<0)){if(u/=s,s<0){if(u>l)return;u>f&&(f=u)}else if(s>0){if(u0)){if(u/=h,h<0){if(u0){if(u>l)return;u>f&&(f=u)}if(u=o-c,h||!(u<0)){if(u/=h,h<0){if(u>l)return;u>f&&(f=u)}else if(h>0){if(u0&&(t[0]=a+f*s,t[1]=c+f*h),l<1&&(n[0]=a+l*s,n[1]=c+l*h),!0}}}}},zf=1e9,Ff=-zf;function jf(t,n,e,r){function i(i,o){return t<=i&&i<=e&&n<=o&&o<=r}function o(i,o,a,f){var l=0,s=0;if(null==i||(l=u(i,a))!==(s=u(o,a))||c(i,o)<0^a>0)do{f.point(0===l||3===l?t:e,l>1?r:n)}while((l=(l+a+4)%4)!==s);else f.point(o[0],o[1])}function u(r,i){return Ta(r[0]-t)0?0:3:Ta(r[0]-e)0?2:1:Ta(r[1]-n)0?1:0:i>0?3:2}function a(t,n){return c(t.x,n.x)}function c(t,n){var e=u(t,1),r=u(n,1);return e!==r?e-r:0===e?n[1]-t[1]:1===e?t[0]-n[0]:2===e?t[1]-n[1]:n[0]-t[0]}return function(u){var c,f,l,s,h,d,p,v,g,y,_,m=u,b=kf(),w={point:x,lineStart:function(){w.point=M,f&&f.push(l=[]);y=!0,g=!1,p=v=NaN},lineEnd:function(){c&&(M(s,h),d&&g&&b.rejoin(),c.push(b.result()));w.point=x,g&&m.lineEnd()},polygonStart:function(){m=b,c=[],f=[],_=!0},polygonEnd:function(){var n=function(){for(var n=0,e=0,i=f.length;er&&(h-o)*(r-u)>(d-u)*(t-o)&&++n:d<=r&&(h-o)*(r-u)<(d-u)*(t-o)&&--n;return n}(),e=_&&n,i=(c=D(c)).length;(e||i)&&(u.polygonStart(),e&&(u.lineStart(),o(null,null,1,u),u.lineEnd()),i&&Tf(c,a,n,o,u),u.polygonEnd());m=u,c=f=l=null}};function x(t,n){i(t,n)&&m.point(t,n)}function M(o,u){var a=i(o,u);if(f&&l.push([o,u]),y)s=o,h=u,d=a,y=!1,a&&(m.lineStart(),m.point(o,u));else if(a&&g)m.point(o,u);else{var c=[p=Math.max(Ff,Math.min(zf,p)),v=Math.max(Ff,Math.min(zf,v))],b=[o=Math.max(Ff,Math.min(zf,o)),u=Math.max(Ff,Math.min(zf,u))];Df(c,b,t,n,e,r)?(g||(m.lineStart(),m.point(c[0],c[1])),m.point(b[0],b[1]),a||m.lineEnd(),_=!1):a&&(m.lineStart(),m.point(o,u),_=!1)}p=o,v=u,g=a}return w}}var qf,Bf,Yf,Hf=function(){var t,n,e,r=0,i=0,o=960,u=500;return e={stream:function(e){return t&&n===e?t:t=jf(r,i,o,u)(n=e)},extent:function(a){return arguments.length?(r=+a[0][0],i=+a[0][1],o=+a[1][0],u=+a[1][1],t=n=null,e):[[r,i],[o,u]]}}},Vf=ya(),$f={sphere:Ya,point:Ya,lineStart:function(){$f.point=Xf,$f.lineEnd=Wf},lineEnd:Ya,polygonStart:Ya,polygonEnd:Ya};function Wf(){$f.point=$f.lineEnd=Ya}function Xf(t,n){qf=t*=Sa,Bf=Ua(n*=Sa),Yf=Pa(n),$f.point=Gf}function Gf(t,n){t*=Sa;var e=Ua(n*=Sa),r=Pa(n),i=Ta(t-qf),o=Pa(i),u=r*Ua(i),a=Yf*e-Bf*r*o,c=Bf*e+Yf*r*o;Vf.add(Aa(za(u*u+a*a),c)),qf=t,Bf=e,Yf=r}var Qf=function(t){return Vf.reset(),tc(t,$f),+Vf},Zf=[null,null],Kf={type:"LineString",coordinates:Zf},Jf=function(t,n){return Zf[0]=t,Zf[1]=n,Qf(Kf)},tl={Feature:function(t,n){return el(t.geometry,n)},FeatureCollection:function(t,n){for(var e=t.features,r=-1,i=e.length;++rwa}).map(c)).concat(x(Ra(o/d)*d,i,d).filter(function(t){return Ta(t%v)>wa}).map(f))}return y.lines=function(){return _().map(function(t){return{type:"LineString",coordinates:t}})},y.outline=function(){return{type:"Polygon",coordinates:[l(r).concat(s(u).slice(1),l(e).reverse().slice(1),s(a).reverse().slice(1))]}},y.extent=function(t){return arguments.length?y.extentMajor(t).extentMinor(t):y.extentMinor()},y.extentMajor=function(t){return arguments.length?(r=+t[0][0],e=+t[1][0],a=+t[0][1],u=+t[1][1],r>e&&(t=r,r=e,e=t),a>u&&(t=a,a=u,u=t),y.precision(g)):[[r,a],[e,u]]},y.extentMinor=function(e){return arguments.length?(n=+e[0][0],t=+e[1][0],o=+e[0][1],i=+e[1][1],n>t&&(e=n,n=t,t=e),o>i&&(e=o,o=i,i=e),y.precision(g)):[[n,o],[t,i]]},y.step=function(t){return arguments.length?y.stepMajor(t).stepMinor(t):y.stepMinor()},y.stepMajor=function(t){return arguments.length?(p=+t[0],v=+t[1],y):[p,v]},y.stepMinor=function(t){return arguments.length?(h=+t[0],d=+t[1],y):[h,d]},y.precision=function(h){return arguments.length?(g=+h,c=fl(o,i,90),f=ll(n,t,g),l=fl(a,u,90),s=ll(r,e,g),y):g},y.extentMajor([[-180,-90+wa],[180,90-wa]]).extentMinor([[-180,-80-wa],[180,80+wa]])}function hl(){return sl()()}var dl,pl,vl,gl,yl=function(t,n){var e=t[0]*Sa,r=t[1]*Sa,i=n[0]*Sa,o=n[1]*Sa,u=Pa(r),a=Ua(r),c=Pa(o),f=Ua(o),l=u*Pa(e),s=u*Ua(e),h=c*Pa(i),d=c*Ua(i),p=2*qa(za(Ba(o-r)+u*c*Ba(i-e))),v=Ua(p),g=p?function(t){var n=Ua(t*=p)/v,e=Ua(p-t)/v,r=e*l+n*h,i=e*s+n*d,o=e*a+n*f;return[Aa(i,r)*Na,Aa(o,za(r*r+i*i))*Na]}:function(){return[e*Na,r*Na]};return g.distance=p,g},_l=function(t){return t},ml=ya(),bl=ya(),wl={point:Ya,lineStart:Ya,lineEnd:Ya,polygonStart:function(){wl.lineStart=xl,wl.lineEnd=kl},polygonEnd:function(){wl.lineStart=wl.lineEnd=wl.point=Ya,ml.add(Ta(bl)),bl.reset()},result:function(){var t=ml/2;return ml.reset(),t}};function xl(){wl.point=Ml}function Ml(t,n){wl.point=El,dl=vl=t,pl=gl=n}function El(t,n){bl.add(gl*t-vl*n),vl=t,gl=n}function kl(){El(dl,pl)}var Nl=wl,Sl=1/0,Tl=Sl,Cl=-Sl,Al=Cl;var Pl,Rl,Il,Ol,Ll={point:function(t,n){tCl&&(Cl=t);nAl&&(Al=n)},lineStart:Ya,lineEnd:Ya,polygonStart:Ya,polygonEnd:Ya,result:function(){var t=[[Sl,Tl],[Cl,Al]];return Cl=Al=-(Tl=Sl=1/0),t}},Ul=0,Dl=0,zl=0,Fl=0,jl=0,ql=0,Bl=0,Yl=0,Hl=0,Vl={point:$l,lineStart:Wl,lineEnd:Ql,polygonStart:function(){Vl.lineStart=Zl,Vl.lineEnd=Kl},polygonEnd:function(){Vl.point=$l,Vl.lineStart=Wl,Vl.lineEnd=Ql},result:function(){var t=Hl?[Bl/Hl,Yl/Hl]:ql?[Fl/ql,jl/ql]:zl?[Ul/zl,Dl/zl]:[NaN,NaN];return Ul=Dl=zl=Fl=jl=ql=Bl=Yl=Hl=0,t}};function $l(t,n){Ul+=t,Dl+=n,++zl}function Wl(){Vl.point=Xl}function Xl(t,n){Vl.point=Gl,$l(Il=t,Ol=n)}function Gl(t,n){var e=t-Il,r=n-Ol,i=za(e*e+r*r);Fl+=i*(Il+t)/2,jl+=i*(Ol+n)/2,ql+=i,$l(Il=t,Ol=n)}function Ql(){Vl.point=$l}function Zl(){Vl.point=Jl}function Kl(){ts(Pl,Rl)}function Jl(t,n){Vl.point=ts,$l(Pl=Il=t,Rl=Ol=n)}function ts(t,n){var e=t-Il,r=n-Ol,i=za(e*e+r*r);Fl+=i*(Il+t)/2,jl+=i*(Ol+n)/2,ql+=i,Bl+=(i=Ol*t-Il*n)*(Il+t),Yl+=i*(Ol+n),Hl+=3*i,$l(Il=t,Ol=n)}var ns=Vl;function es(t){this._context=t}es.prototype={_radius:4.5,pointRadius:function(t){return this._radius=t,this},polygonStart:function(){this._line=0},polygonEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){0===this._line&&this._context.closePath(),this._point=NaN},point:function(t,n){switch(this._point){case 0:this._context.moveTo(t,n),this._point=1;break;case 1:this._context.lineTo(t,n);break;default:this._context.moveTo(t+this._radius,n),this._context.arc(t,n,this._radius,0,ka)}},result:Ya};var rs,is,os,us,as,cs=ya(),fs={point:Ya,lineStart:function(){fs.point=ls},lineEnd:function(){rs&&ss(is,os),fs.point=Ya},polygonStart:function(){rs=!0},polygonEnd:function(){rs=null},result:function(){var t=+cs;return cs.reset(),t}};function ls(t,n){fs.point=ss,is=us=t,os=as=n}function ss(t,n){us-=t,as-=n,cs.add(za(us*us+as*as)),us=t,as=n}var hs=fs;function ds(){this._string=[]}function ps(t){return"m0,"+t+"a"+t+","+t+" 0 1,1 0,"+-2*t+"a"+t+","+t+" 0 1,1 0,"+2*t+"z"}ds.prototype={_radius:4.5,_circle:ps(4.5),pointRadius:function(t){return(t=+t)!==this._radius&&(this._radius=t,this._circle=null),this},polygonStart:function(){this._line=0},polygonEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){0===this._line&&this._string.push("Z"),this._point=NaN},point:function(t,n){switch(this._point){case 0:this._string.push("M",t,",",n),this._point=1;break;case 1:this._string.push("L",t,",",n);break;default:null==this._circle&&(this._circle=ps(this._radius)),this._string.push("M",t,",",n,this._circle)}},result:function(){if(this._string.length){var t=this._string.join("");return this._string=[],t}return null}};var vs=function(t,n){var e,r,i=4.5;function o(t){return t&&("function"==typeof i&&r.pointRadius(+i.apply(this,arguments)),tc(t,e(r))),r.result()}return o.area=function(t){return tc(t,e(Nl)),Nl.result()},o.measure=function(t){return tc(t,e(hs)),hs.result()},o.bounds=function(t){return tc(t,e(Ll)),Ll.result()},o.centroid=function(t){return tc(t,e(ns)),ns.result()},o.projection=function(n){return arguments.length?(e=null==n?(t=null,_l):(t=n).stream,o):t},o.context=function(t){return arguments.length?(r=null==t?(n=null,new ds):new es(n=t),"function"!=typeof i&&r.pointRadius(i),o):n},o.pointRadius=function(t){return arguments.length?(i="function"==typeof t?t:(r.pointRadius(+t),+t),o):i},o.projection(t).context(n)},gs=function(t){return{stream:ys(t)}};function ys(t){return function(n){var e=new _s;for(var r in t)e[r]=t[r];return e.stream=n,e}}function _s(){}function ms(t,n,e){var r=t.clipExtent&&t.clipExtent();return t.scale(150).translate([0,0]),null!=r&&t.clipExtent(null),tc(e,t.stream(Ll)),n(Ll.result()),null!=r&&t.clipExtent(r),t}function bs(t,n,e){return ms(t,function(e){var r=n[1][0]-n[0][0],i=n[1][1]-n[0][1],o=Math.min(r/(e[1][0]-e[0][0]),i/(e[1][1]-e[0][1])),u=+n[0][0]+(r-o*(e[1][0]+e[0][0]))/2,a=+n[0][1]+(i-o*(e[1][1]+e[0][1]))/2;t.scale(150*o).translate([u,a])},e)}function ws(t,n,e){return bs(t,[[0,0],n],e)}function xs(t,n,e){return ms(t,function(e){var r=+n,i=r/(e[1][0]-e[0][0]),o=(r-i*(e[1][0]+e[0][0]))/2,u=-i*e[0][1];t.scale(150*i).translate([o,u])},e)}function Ms(t,n,e){return ms(t,function(e){var r=+n,i=r/(e[1][1]-e[0][1]),o=-i*e[0][0],u=(r-i*(e[1][1]+e[0][1]))/2;t.scale(150*i).translate([o,u])},e)}_s.prototype={constructor:_s,point:function(t,n){this.stream.point(t,n)},sphere:function(){this.stream.sphere()},lineStart:function(){this.stream.lineStart()},lineEnd:function(){this.stream.lineEnd()},polygonStart:function(){this.stream.polygonStart()},polygonEnd:function(){this.stream.polygonEnd()}};var Es=16,ks=Pa(30*Sa),Ns=function(t,n){return+n?function(t,n){function e(r,i,o,u,a,c,f,l,s,h,d,p,v,g){var y=f-r,_=l-i,m=y*y+_*_;if(m>4*n&&v--){var b=u+h,w=a+d,x=c+p,M=za(b*b+w*w+x*x),E=qa(x/=M),k=Ta(Ta(x)-1)n||Ta((y*C+_*A)/m-.5)>.3||u*h+a*d+c*p2?t[2]%360*Sa:0,S()):[g*Na,y*Na,_*Na]},k.angle=function(t){return arguments.length?(m=t%360*Sa,S()):m*Na},k.precision=function(t){return arguments.length?(u=Ns(a,E=t*t),T()):za(E)},k.fitExtent=function(t,n){return bs(k,t,n)},k.fitSize=function(t,n){return ws(k,t,n)},k.fitWidth=function(t,n){return xs(k,t,n)},k.fitHeight=function(t,n){return Ms(k,t,n)},function(){return n=t.apply(this,arguments),k.invert=n.invert&&N,S()}}function Ps(t){var n=0,e=xa/3,r=As(t),i=r(n,e);return i.parallels=function(t){return arguments.length?r(n=t[0]*Sa,e=t[1]*Sa):[n*Na,e*Na]},i}function Rs(t,n){var e=Ua(t),r=(e+Ua(n))/2;if(Ta(r)=.12&&i<.234&&r>=-.425&&r<-.214?a:i>=.166&&i<.234&&r>=-.214&&r<-.115?c:u).invert(t)},l.stream=function(e){return t&&n===e?t:t=function(t){var n=t.length;return{point:function(e,r){for(var i=-1;++i0?n<-Ma+wa&&(n=-Ma+wa):n>Ma-wa&&(n=Ma-wa);var e=i/La(Vs(n),r);return[e*Ua(r*t),i-e*Pa(r*t)]}return o.invert=function(t,n){var e=i-n,o=Da(r)*za(t*t+e*e);return[Aa(t,Ta(e))/r*Da(e),2*Ca(La(i/o,1/r))-Ma]},o}var Ws=function(){return Ps($s).scale(109.5).parallels([30,30])};function Xs(t,n){return[t,n]}Xs.invert=Xs;var Gs=function(){return Cs(Xs).scale(152.63)};function Qs(t,n){var e=Pa(t),r=t===n?Ua(t):(e-Pa(n))/(n-t),i=e/r+t;if(Ta(r)wa&&--i>0);return[t/(.8707+(o=r*r)*(o*(o*o*o*(.003971-.001529*o)-.013791)-.131979)),r]};var lh=function(){return Cs(fh).scale(175.295)};function sh(t,n){return[Pa(n)*Ua(t),Ua(n)]}sh.invert=Ds(qa);var hh=function(){return Cs(sh).scale(249.5).clipAngle(90+wa)};function dh(t,n){var e=Pa(n),r=1+Pa(t)*e;return[e*Ua(t)/r,Ua(n)/r]}dh.invert=Ds(function(t){return 2*Ca(t)});var ph=function(){return Cs(dh).scale(250).clipAngle(142)};function vh(t,n){return[Oa(Fa((Ma+n)/2)),-t]}vh.invert=function(t,n){return[-n,2*Ca(Ia(t))-Ma]};var gh=function(){var t=Hs(vh),n=t.center,e=t.rotate;return t.center=function(t){return arguments.length?n([-t[1],t[0]]):[(t=n())[1],-t[0]]},t.rotate=function(t){return arguments.length?e([t[0],t[1],t.length>2?t[2]+90:90]):[(t=e())[0],t[1],t[2]-90]},e([0,0,90]).scale(159.155)};function yh(t,n){return t.parent===n.parent?1:2}function _h(t,n){return t+n.x}function mh(t,n){return Math.max(t,n.y)}var bh=function(){var t=yh,n=1,e=1,r=!1;function i(i){var o,u=0;i.eachAfter(function(n){var e=n.children;e?(n.x=function(t){return t.reduce(_h,0)/t.length}(e),n.y=function(t){return 1+t.reduce(mh,0)}(e)):(n.x=o?u+=t(n,o):0,n.y=0,o=n)});var a=function(t){for(var n;n=t.children;)t=n[0];return t}(i),c=function(t){for(var n;n=t.children;)t=n[n.length-1];return t}(i),f=a.x-t(a,c)/2,l=c.x+t(c,a)/2;return i.eachAfter(r?function(t){t.x=(t.x-i.x)*n,t.y=(i.y-t.y)*e}:function(t){t.x=(t.x-f)/(l-f)*n,t.y=(1-(i.y?t.y/i.y:1))*e})}return i.separation=function(n){return arguments.length?(t=n,i):t},i.size=function(t){return arguments.length?(r=!1,n=+t[0],e=+t[1],i):r?null:[n,e]},i.nodeSize=function(t){return arguments.length?(r=!0,n=+t[0],e=+t[1],i):r?[n,e]:null},i};function wh(t){var n=0,e=t.children,r=e&&e.length;if(r)for(;--r>=0;)n+=e[r].value;else n=1;t.value=n}function xh(t,n){var e,r,i,o,u,a=new Nh(t),c=+t.value&&(a.value=t.value),f=[a];for(null==n&&(n=Mh);e=f.pop();)if(c&&(e.value=+e.data.value),(i=n(e.data))&&(u=i.length))for(e.children=new Array(u),o=u-1;o>=0;--o)f.push(r=e.children[o]=new Nh(i[o])),r.parent=e,r.depth=e.depth+1;return a.eachBefore(kh)}function Mh(t){return t.children}function Eh(t){t.data=t.data.data}function kh(t){var n=0;do{t.height=n}while((t=t.parent)&&t.height<++n)}function Nh(t){this.data=t,this.depth=this.height=0,this.parent=null}Nh.prototype=xh.prototype={constructor:Nh,count:function(){return this.eachAfter(wh)},each:function(t){var n,e,r,i,o=this,u=[o];do{for(n=u.reverse(),u=[];o=n.pop();)if(t(o),e=o.children)for(r=0,i=e.length;r=0;--e)i.push(n[e]);return this},sum:function(t){return this.eachAfter(function(n){for(var e=+t(n.data)||0,r=n.children,i=r&&r.length;--i>=0;)e+=r[i].value;n.value=e})},sort:function(t){return this.eachBefore(function(n){n.children&&n.children.sort(t)})},path:function(t){for(var n=this,e=function(t,n){if(t===n)return t;var e=t.ancestors(),r=n.ancestors(),i=null;for(t=e.pop(),n=r.pop();t===n;)i=t,t=e.pop(),n=r.pop();return i}(n,t),r=[n];n!==e;)n=n.parent,r.push(n);for(var i=r.length;t!==e;)r.splice(i,0,t),t=t.parent;return r},ancestors:function(){for(var t=this,n=[t];t=t.parent;)n.push(t);return n},descendants:function(){var t=[];return this.each(function(n){t.push(n)}),t},leaves:function(){var t=[];return this.eachBefore(function(n){n.children||t.push(n)}),t},links:function(){var t=this,n=[];return t.each(function(e){e!==t&&n.push({source:e.parent,target:e})}),n},copy:function(){return xh(this).eachBefore(Eh)}};var Sh=Array.prototype.slice;var Th=function(t){for(var n,e,r=0,i=(t=function(t){for(var n,e,r=t.length;r;)e=Math.random()*r--|0,n=t[r],t[r]=t[e],t[e]=n;return t}(Sh.call(t))).length,o=[];r0&&e*e>r*r+i*i}function Rh(t,n){for(var e=0;e(u*=u)?(r=(f+u-i)/(2*f),o=Math.sqrt(Math.max(0,u/f-r*r)),e.x=t.x-r*a-o*c,e.y=t.y-r*c+o*a):(r=(f+i-u)/(2*f),o=Math.sqrt(Math.max(0,i/f-r*r)),e.x=n.x+r*a-o*c,e.y=n.y+r*c+o*a)):(e.x=n.x+e.r,e.y=n.y)}function Dh(t,n){var e=t.r+n.r-1e-6,r=n.x-t.x,i=n.y-t.y;return e>0&&e*e>r*r+i*i}function zh(t){var n=t._,e=t.next._,r=n.r+e.r,i=(n.x*e.r+e.x*n.r)/r,o=(n.y*e.r+e.y*n.r)/r;return i*i+o*o}function Fh(t){this._=t,this.next=null,this.previous=null}function jh(t){if(!(i=t.length))return 0;var n,e,r,i,o,u,a,c,f,l,s;if((n=t[0]).x=0,n.y=0,!(i>1))return n.r;if(e=t[1],n.x=-e.r,e.x=n.r,e.y=0,!(i>2))return n.r+e.r;Uh(e,n,r=t[2]),n=new Fh(n),e=new Fh(e),r=new Fh(r),n.next=r.previous=e,e.next=n.previous=r,r.next=e.previous=n;t:for(a=3;a0)throw new Error("cycle");return o}return e.id=function(n){return arguments.length?(t=Bh(n),e):t},e.parentId=function(t){return arguments.length?(n=Bh(t),e):n},e};function od(t,n){return t.parent===n.parent?1:2}function ud(t){var n=t.children;return n?n[0]:t.t}function ad(t){var n=t.children;return n?n[n.length-1]:t.t}function cd(t,n,e){var r=e/(n.i-t.i);n.c-=r,n.s+=e,t.c+=r,n.z+=e,n.m+=e}function fd(t,n,e){return t.a.parent===n.parent?t.a:e}function ld(t,n){this._=t,this.parent=null,this.children=null,this.A=null,this.a=this,this.z=0,this.m=0,this.c=0,this.s=0,this.t=null,this.i=n}ld.prototype=Object.create(Nh.prototype);var sd=function(){var t=od,n=1,e=1,r=null;function i(i){var c=function(t){for(var n,e,r,i,o,u=new ld(t,0),a=[u];n=a.pop();)if(r=n._.children)for(n.children=new Array(o=r.length),i=o-1;i>=0;--i)a.push(e=n.children[i]=new ld(r[i],i)),e.parent=n;return(u.parent=new ld(null,0)).children=[u],u}(i);if(c.eachAfter(o),c.parent.m=-c.z,c.eachBefore(u),r)i.eachBefore(a);else{var f=i,l=i,s=i;i.eachBefore(function(t){t.xl.x&&(l=t),t.depth>s.depth&&(s=t)});var h=f===l?1:t(f,l)/2,d=h-f.x,p=n/(l.x+h+d),v=e/(s.depth||1);i.eachBefore(function(t){t.x=(t.x+d)*p,t.y=t.depth*v})}return i}function o(n){var e=n.children,r=n.parent.children,i=n.i?r[n.i-1]:null;if(e){!function(t){for(var n,e=0,r=0,i=t.children,o=i.length;--o>=0;)(n=i[o]).z+=e,n.m+=e,e+=n.s+(r+=n.c)}(n);var o=(e[0].z+e[e.length-1].z)/2;i?(n.z=i.z+t(n._,i._),n.m=n.z-o):n.z=o}else i&&(n.z=i.z+t(n._,i._));n.parent.A=function(n,e,r){if(e){for(var i,o=n,u=n,a=e,c=o.parent.children[0],f=o.m,l=u.m,s=a.m,h=c.m;a=ad(a),o=ud(o),a&&o;)c=ud(c),(u=ad(u)).a=n,(i=a.z+s-o.z-f+t(a._,o._))>0&&(cd(fd(a,n,r),n,i),f+=i,l+=i),s+=a.m,f+=o.m,h+=c.m,l+=u.m;a&&!ad(u)&&(u.t=a,u.m+=s-l),o&&!ud(c)&&(c.t=o,c.m+=f-h,r=n)}return r}(n,i,n.parent.A||r[0])}function u(t){t._.x=t.z+t.parent.m,t.m+=t.parent.m}function a(t){t.x*=n,t.y=t.depth*e}return i.separation=function(n){return arguments.length?(t=n,i):t},i.size=function(t){return arguments.length?(r=!1,n=+t[0],e=+t[1],i):r?null:[n,e]},i.nodeSize=function(t){return arguments.length?(r=!0,n=+t[0],e=+t[1],i):r?[n,e]:null},i},hd=function(t,n,e,r,i){for(var o,u=t.children,a=-1,c=u.length,f=t.value&&(i-e)/t.value;++ah&&(h=a),g=l*l*v,(d=Math.max(h/g,g/s))>p){l-=a;break}p=d}y.push(u={value:l,dice:c1?n:1)},e}(dd),gd=function(){var t=vd,n=!1,e=1,r=1,i=[0],o=Yh,u=Yh,a=Yh,c=Yh,f=Yh;function l(t){return t.x0=t.y0=0,t.x1=e,t.y1=r,t.eachBefore(s),i=[0],n&&t.eachBefore(Qh),t}function s(n){var e=i[n.depth],r=n.x0+e,l=n.y0+e,s=n.x1-e,h=n.y1-e;s=e-1){var l=a[n];return l.x0=i,l.y0=o,l.x1=u,void(l.y1=c)}var s=f[n],h=r/2+s,d=n+1,p=e-1;for(;d>>1;f[v]c-o){var _=(i*y+u*g)/r;t(n,d,g,i,o,_,c),t(d,e,y,_,o,u,c)}else{var m=(o*y+c*g)/r;t(n,d,g,i,o,u,m),t(d,e,y,i,m,u,c)}}(0,c,t.value,n,e,r,i)},_d=function(t,n,e,r,i){(1&t.depth?hd:Zh)(t,n,e,r,i)},md=function t(n){function e(t,e,r,i,o){if((u=t._squarify)&&u.ratio===n)for(var u,a,c,f,l,s=-1,h=u.length,d=t.value;++s1?n:1)},e}(dd),bd=function(t){for(var n,e=-1,r=t.length,i=t[r-1],o=0;++e1&&xd(t[e[r-2]],t[e[r-1]],t[i])<=0;)--r;e[r++]=i}return e.slice(0,r)}var kd=function(t){if((e=t.length)<3)return null;var n,e,r=new Array(e),i=new Array(e);for(n=0;n=0;--n)f.push(t[r[o[n]][2]]);for(n=+a;na!=f>a&&u<(c-e)*(a-r)/(f-r)+e&&(l=!l),c=e,f=r;return l},Sd=function(t){for(var n,e,r=-1,i=t.length,o=t[i-1],u=o[0],a=o[1],c=0;++r1);return t+e*o*Math.sqrt(-2*Math.log(i)/i)}}return e.source=t,e}(Td),Pd=function t(n){function e(){var t=Ad.source(n).apply(this,arguments);return function(){return Math.exp(t())}}return e.source=t,e}(Td),Rd=function t(n){function e(t){return function(){for(var e=0,r=0;r2?Wd:$d,r=i=null,l}function l(n){return(r||(r=e(o,u,c?function(t){return function(n,e){var r=t(n=+n,e=+e);return function(t){return t<=n?0:t>=e?1:r(t)}}}(t):t,a)))(+n)}return l.invert=function(t){return(i||(i=e(u,o,Vd,c?function(t){return function(n,e){var r=t(n=+n,e=+e);return function(t){return t<=0?n:t>=1?e:r(t)}}}(n):n)))(+t)},l.domain=function(t){return arguments.length?(o=Ud.call(t,Yd),f()):o.slice()},l.range=function(t){return arguments.length?(u=Dd.call(t),f()):u.slice()},l.rangeRound=function(t){return u=Dd.call(t),a=Ge,f()},l.clamp=function(t){return arguments.length?(c=!!t,f()):c},l.interpolate=function(t){return arguments.length?(a=t,f()):a},f()}var Qd=function(t,n,e){var r,i=t[0],o=t[t.length-1],u=T(i,o,null==n?10:n);switch((e=na(null==e?",f":e)).type){case"s":var a=Math.max(Math.abs(i),Math.abs(o));return null!=e.precision||isNaN(r=va(u,a))||(e.precision=r),ua(e,a);case"":case"e":case"g":case"p":case"r":null!=e.precision||isNaN(r=ga(u,Math.max(Math.abs(i),Math.abs(o))))||(e.precision=r-("e"===e.type));break;case"f":case"%":null!=e.precision||isNaN(r=pa(u))||(e.precision=r-2*("%"===e.type))}return oa(e)};function Zd(t){var n=t.domain;return t.ticks=function(t){var e=n();return N(e[0],e[e.length-1],null==t?10:t)},t.tickFormat=function(t,e){return Qd(n(),t,e)},t.nice=function(e){null==e&&(e=10);var r,i=n(),o=0,u=i.length-1,a=i[o],c=i[u];return c0?r=S(a=Math.floor(a/r)*r,c=Math.ceil(c/r)*r,e):r<0&&(r=S(a=Math.ceil(a*r)/r,c=Math.floor(c*r)/r,e)),r>0?(i[o]=Math.floor(a/r)*r,i[u]=Math.ceil(c/r)*r,n(i)):r<0&&(i[o]=Math.ceil(a*r)/r,i[u]=Math.floor(c*r)/r,n(i)),t},t}function Kd(){var t=Gd(Vd,De);return t.copy=function(){return Xd(t,Kd())},Zd(t)}function Jd(){var t=[0,1];function n(t){return+t}return n.invert=n,n.domain=n.range=function(e){return arguments.length?(t=Ud.call(e,Yd),n):t.slice()},n.copy=function(){return Jd().domain(t)},Zd(n)}var tp=function(t,n){var e,r=0,i=(t=t.slice()).length-1,o=t[r],u=t[i];return u0){for(;hc)break;v.push(s)}}else for(;h=1;--l)if(!((s=f*l)c)break;v.push(s)}}else v=N(h,d,Math.min(d-h,p)).map(i);return o?v.reverse():v},t.tickFormat=function(n,o){if(null==o&&(o=10===e?".0e":","),"function"!=typeof o&&(o=oa(o)),n===1/0)return o;null==n&&(n=10);var u=Math.max(1,e*n/t.ticks().length);return function(t){var n=t/i(Math.round(r(t)));return n*e0?e[i-1]:t[0],i=e?[r[e-1],n]:[r[u-1],r[u]]},o.copy=function(){return hp().domain([t,n]).range(i)},Zd(o)}function dp(){var t=[.5],n=[0,1],e=1;function r(r){if(r<=r)return n[c(t,r,0,e)]}return r.domain=function(i){return arguments.length?(t=Dd.call(i),e=Math.min(t.length,n.length-1),r):t.slice()},r.range=function(i){return arguments.length?(n=Dd.call(i),e=Math.min(t.length,n.length-1),r):n.slice()},r.invertExtent=function(e){var r=n.indexOf(e);return[t[r-1],t[r]]},r.copy=function(){return dp().domain(t).range(n)},r}var pp=new Date,vp=new Date;function gp(t,n,e,r){function i(n){return t(n=new Date(+n)),n}return i.floor=i,i.ceil=function(e){return t(e=new Date(e-1)),n(e,1),t(e),e},i.round=function(t){var n=i(t),e=i.ceil(t);return t-n0))return a;do{a.push(u=new Date(+e)),n(e,o),t(e)}while(u=n)for(;t(n),!e(n);)n.setTime(n-1)},function(t,r){if(t>=t)if(r<0)for(;++r<=0;)for(;n(t,-1),!e(t););else for(;--r>=0;)for(;n(t,1),!e(t););})},e&&(i.count=function(n,r){return pp.setTime(+n),vp.setTime(+r),t(pp),t(vp),Math.floor(e(pp,vp))},i.every=function(t){return t=Math.floor(t),isFinite(t)&&t>0?t>1?i.filter(r?function(n){return r(n)%t==0}:function(n){return i.count(0,n)%t==0}):i:null}),i}var yp=gp(function(){},function(t,n){t.setTime(+t+n)},function(t,n){return n-t});yp.every=function(t){return t=Math.floor(t),isFinite(t)&&t>0?t>1?gp(function(n){n.setTime(Math.floor(n/t)*t)},function(n,e){n.setTime(+n+e*t)},function(n,e){return(e-n)/t}):yp:null};var _p=yp,mp=yp.range,bp=6e4,wp=6048e5,xp=gp(function(t){t.setTime(1e3*Math.floor(t/1e3))},function(t,n){t.setTime(+t+1e3*n)},function(t,n){return(n-t)/1e3},function(t){return t.getUTCSeconds()}),Mp=xp,Ep=xp.range,kp=gp(function(t){t.setTime(Math.floor(t/bp)*bp)},function(t,n){t.setTime(+t+n*bp)},function(t,n){return(n-t)/bp},function(t){return t.getMinutes()}),Np=kp,Sp=kp.range,Tp=gp(function(t){var n=t.getTimezoneOffset()*bp%36e5;n<0&&(n+=36e5),t.setTime(36e5*Math.floor((+t-n)/36e5)+n)},function(t,n){t.setTime(+t+36e5*n)},function(t,n){return(n-t)/36e5},function(t){return t.getHours()}),Cp=Tp,Ap=Tp.range,Pp=gp(function(t){t.setHours(0,0,0,0)},function(t,n){t.setDate(t.getDate()+n)},function(t,n){return(n-t-(n.getTimezoneOffset()-t.getTimezoneOffset())*bp)/864e5},function(t){return t.getDate()-1}),Rp=Pp,Ip=Pp.range;function Op(t){return gp(function(n){n.setDate(n.getDate()-(n.getDay()+7-t)%7),n.setHours(0,0,0,0)},function(t,n){t.setDate(t.getDate()+7*n)},function(t,n){return(n-t-(n.getTimezoneOffset()-t.getTimezoneOffset())*bp)/wp})}var Lp=Op(0),Up=Op(1),Dp=Op(2),zp=Op(3),Fp=Op(4),jp=Op(5),qp=Op(6),Bp=Lp.range,Yp=Up.range,Hp=Dp.range,Vp=zp.range,$p=Fp.range,Wp=jp.range,Xp=qp.range,Gp=gp(function(t){t.setDate(1),t.setHours(0,0,0,0)},function(t,n){t.setMonth(t.getMonth()+n)},function(t,n){return n.getMonth()-t.getMonth()+12*(n.getFullYear()-t.getFullYear())},function(t){return t.getMonth()}),Qp=Gp,Zp=Gp.range,Kp=gp(function(t){t.setMonth(0,1),t.setHours(0,0,0,0)},function(t,n){t.setFullYear(t.getFullYear()+n)},function(t,n){return n.getFullYear()-t.getFullYear()},function(t){return t.getFullYear()});Kp.every=function(t){return isFinite(t=Math.floor(t))&&t>0?gp(function(n){n.setFullYear(Math.floor(n.getFullYear()/t)*t),n.setMonth(0,1),n.setHours(0,0,0,0)},function(n,e){n.setFullYear(n.getFullYear()+e*t)}):null};var Jp=Kp,tv=Kp.range,nv=gp(function(t){t.setUTCSeconds(0,0)},function(t,n){t.setTime(+t+n*bp)},function(t,n){return(n-t)/bp},function(t){return t.getUTCMinutes()}),ev=nv,rv=nv.range,iv=gp(function(t){t.setUTCMinutes(0,0,0)},function(t,n){t.setTime(+t+36e5*n)},function(t,n){return(n-t)/36e5},function(t){return t.getUTCHours()}),ov=iv,uv=iv.range,av=gp(function(t){t.setUTCHours(0,0,0,0)},function(t,n){t.setUTCDate(t.getUTCDate()+n)},function(t,n){return(n-t)/864e5},function(t){return t.getUTCDate()-1}),cv=av,fv=av.range;function lv(t){return gp(function(n){n.setUTCDate(n.getUTCDate()-(n.getUTCDay()+7-t)%7),n.setUTCHours(0,0,0,0)},function(t,n){t.setUTCDate(t.getUTCDate()+7*n)},function(t,n){return(n-t)/wp})}var sv=lv(0),hv=lv(1),dv=lv(2),pv=lv(3),vv=lv(4),gv=lv(5),yv=lv(6),_v=sv.range,mv=hv.range,bv=dv.range,wv=pv.range,xv=vv.range,Mv=gv.range,Ev=yv.range,kv=gp(function(t){t.setUTCDate(1),t.setUTCHours(0,0,0,0)},function(t,n){t.setUTCMonth(t.getUTCMonth()+n)},function(t,n){return n.getUTCMonth()-t.getUTCMonth()+12*(n.getUTCFullYear()-t.getUTCFullYear())},function(t){return t.getUTCMonth()}),Nv=kv,Sv=kv.range,Tv=gp(function(t){t.setUTCMonth(0,1),t.setUTCHours(0,0,0,0)},function(t,n){t.setUTCFullYear(t.getUTCFullYear()+n)},function(t,n){return n.getUTCFullYear()-t.getUTCFullYear()},function(t){return t.getUTCFullYear()});Tv.every=function(t){return isFinite(t=Math.floor(t))&&t>0?gp(function(n){n.setUTCFullYear(Math.floor(n.getUTCFullYear()/t)*t),n.setUTCMonth(0,1),n.setUTCHours(0,0,0,0)},function(n,e){n.setUTCFullYear(n.getUTCFullYear()+e*t)}):null};var Cv=Tv,Av=Tv.range;function Pv(t){if(0<=t.y&&t.y<100){var n=new Date(-1,t.m,t.d,t.H,t.M,t.S,t.L);return n.setFullYear(t.y),n}return new Date(t.y,t.m,t.d,t.H,t.M,t.S,t.L)}function Rv(t){if(0<=t.y&&t.y<100){var n=new Date(Date.UTC(-1,t.m,t.d,t.H,t.M,t.S,t.L));return n.setUTCFullYear(t.y),n}return new Date(Date.UTC(t.y,t.m,t.d,t.H,t.M,t.S,t.L))}function Iv(t){return{y:t,m:0,d:1,H:0,M:0,S:0,L:0}}function Ov(t){var n=t.dateTime,e=t.date,r=t.time,i=t.periods,o=t.days,u=t.shortDays,a=t.months,c=t.shortMonths,f=$v(i),l=Wv(i),s=$v(o),h=Wv(o),d=$v(u),p=Wv(u),v=$v(a),g=Wv(a),y=$v(c),_=Wv(c),m={a:function(t){return u[t.getDay()]},A:function(t){return o[t.getDay()]},b:function(t){return c[t.getMonth()]},B:function(t){return a[t.getMonth()]},c:null,d:dg,e:dg,f:_g,H:pg,I:vg,j:gg,L:yg,m:mg,M:bg,p:function(t){return i[+(t.getHours()>=12)]},Q:Xg,s:Gg,S:wg,u:xg,U:Mg,V:Eg,w:kg,W:Ng,x:null,X:null,y:Sg,Y:Tg,Z:Cg,"%":Wg},b={a:function(t){return u[t.getUTCDay()]},A:function(t){return o[t.getUTCDay()]},b:function(t){return c[t.getUTCMonth()]},B:function(t){return a[t.getUTCMonth()]},c:null,d:Ag,e:Ag,f:Lg,H:Pg,I:Rg,j:Ig,L:Og,m:Ug,M:Dg,p:function(t){return i[+(t.getUTCHours()>=12)]},Q:Xg,s:Gg,S:zg,u:Fg,U:jg,V:qg,w:Bg,W:Yg,x:null,X:null,y:Hg,Y:Vg,Z:$g,"%":Wg},w={a:function(t,n,e){var r=d.exec(n.slice(e));return r?(t.w=p[r[0].toLowerCase()],e+r[0].length):-1},A:function(t,n,e){var r=s.exec(n.slice(e));return r?(t.w=h[r[0].toLowerCase()],e+r[0].length):-1},b:function(t,n,e){var r=y.exec(n.slice(e));return r?(t.m=_[r[0].toLowerCase()],e+r[0].length):-1},B:function(t,n,e){var r=v.exec(n.slice(e));return r?(t.m=g[r[0].toLowerCase()],e+r[0].length):-1},c:function(t,e,r){return E(t,n,e,r)},d:rg,e:rg,f:fg,H:og,I:og,j:ig,L:cg,m:eg,M:ug,p:function(t,n,e){var r=f.exec(n.slice(e));return r?(t.p=l[r[0].toLowerCase()],e+r[0].length):-1},Q:sg,s:hg,S:ag,u:Gv,U:Qv,V:Zv,w:Xv,W:Kv,x:function(t,n,r){return E(t,e,n,r)},X:function(t,n,e){return E(t,r,n,e)},y:tg,Y:Jv,Z:ng,"%":lg};function x(t,n){return function(e){var r,i,o,u=[],a=-1,c=0,f=t.length;for(e instanceof Date||(e=new Date(+e));++a53)return null;"w"in o||(o.w=1),"Z"in o?(r=(i=(r=Rv(Iv(o.y))).getUTCDay())>4||0===i?hv.ceil(r):hv(r),r=cv.offset(r,7*(o.V-1)),o.y=r.getUTCFullYear(),o.m=r.getUTCMonth(),o.d=r.getUTCDate()+(o.w+6)%7):(r=(i=(r=n(Iv(o.y))).getDay())>4||0===i?Up.ceil(r):Up(r),r=Rp.offset(r,7*(o.V-1)),o.y=r.getFullYear(),o.m=r.getMonth(),o.d=r.getDate()+(o.w+6)%7)}else("W"in o||"U"in o)&&("w"in o||(o.w="u"in o?o.u%7:"W"in o?1:0),i="Z"in o?Rv(Iv(o.y)).getUTCDay():n(Iv(o.y)).getDay(),o.m=0,o.d="W"in o?(o.w+6)%7+7*o.W-(i+5)%7:o.w+7*o.U-(i+6)%7);return"Z"in o?(o.H+=o.Z/100|0,o.M+=o.Z%100,Rv(o)):n(o)}}function E(t,n,e,r){for(var i,o,u=0,a=n.length,c=e.length;u=c)return-1;if(37===(i=n.charCodeAt(u++))){if(i=n.charAt(u++),!(o=w[i in jv?n.charAt(u++):i])||(r=o(t,e,r))<0)return-1}else if(i!=e.charCodeAt(r++))return-1}return r}return m.x=x(e,m),m.X=x(r,m),m.c=x(n,m),b.x=x(e,b),b.X=x(r,b),b.c=x(n,b),{format:function(t){var n=x(t+="",m);return n.toString=function(){return t},n},parse:function(t){var n=M(t+="",Pv);return n.toString=function(){return t},n},utcFormat:function(t){var n=x(t+="",b);return n.toString=function(){return t},n},utcParse:function(t){var n=M(t,Rv);return n.toString=function(){return t},n}}}var Lv,Uv,Dv,zv,Fv,jv={"-":"",_:" ",0:"0"},qv=/^\s*\d+/,Bv=/^%/,Yv=/[\\^$*+?|[\]().{}]/g;function Hv(t,n,e){var r=t<0?"-":"",i=(r?-t:t)+"",o=i.length;return r+(o68?1900:2e3),e+r[0].length):-1}function ng(t,n,e){var r=/^(Z)|([+-]\d\d)(?::?(\d\d))?/.exec(n.slice(e,e+6));return r?(t.Z=r[1]?0:-(r[2]+(r[3]||"00")),e+r[0].length):-1}function eg(t,n,e){var r=qv.exec(n.slice(e,e+2));return r?(t.m=r[0]-1,e+r[0].length):-1}function rg(t,n,e){var r=qv.exec(n.slice(e,e+2));return r?(t.d=+r[0],e+r[0].length):-1}function ig(t,n,e){var r=qv.exec(n.slice(e,e+3));return r?(t.m=0,t.d=+r[0],e+r[0].length):-1}function og(t,n,e){var r=qv.exec(n.slice(e,e+2));return r?(t.H=+r[0],e+r[0].length):-1}function ug(t,n,e){var r=qv.exec(n.slice(e,e+2));return r?(t.M=+r[0],e+r[0].length):-1}function ag(t,n,e){var r=qv.exec(n.slice(e,e+2));return r?(t.S=+r[0],e+r[0].length):-1}function cg(t,n,e){var r=qv.exec(n.slice(e,e+3));return r?(t.L=+r[0],e+r[0].length):-1}function fg(t,n,e){var r=qv.exec(n.slice(e,e+6));return r?(t.L=Math.floor(r[0]/1e3),e+r[0].length):-1}function lg(t,n,e){var r=Bv.exec(n.slice(e,e+1));return r?e+r[0].length:-1}function sg(t,n,e){var r=qv.exec(n.slice(e));return r?(t.Q=+r[0],e+r[0].length):-1}function hg(t,n,e){var r=qv.exec(n.slice(e));return r?(t.Q=1e3*+r[0],e+r[0].length):-1}function dg(t,n){return Hv(t.getDate(),n,2)}function pg(t,n){return Hv(t.getHours(),n,2)}function vg(t,n){return Hv(t.getHours()%12||12,n,2)}function gg(t,n){return Hv(1+Rp.count(Jp(t),t),n,3)}function yg(t,n){return Hv(t.getMilliseconds(),n,3)}function _g(t,n){return yg(t,n)+"000"}function mg(t,n){return Hv(t.getMonth()+1,n,2)}function bg(t,n){return Hv(t.getMinutes(),n,2)}function wg(t,n){return Hv(t.getSeconds(),n,2)}function xg(t){var n=t.getDay();return 0===n?7:n}function Mg(t,n){return Hv(Lp.count(Jp(t),t),n,2)}function Eg(t,n){var e=t.getDay();return t=e>=4||0===e?Fp(t):Fp.ceil(t),Hv(Fp.count(Jp(t),t)+(4===Jp(t).getDay()),n,2)}function kg(t){return t.getDay()}function Ng(t,n){return Hv(Up.count(Jp(t),t),n,2)}function Sg(t,n){return Hv(t.getFullYear()%100,n,2)}function Tg(t,n){return Hv(t.getFullYear()%1e4,n,4)}function Cg(t){var n=t.getTimezoneOffset();return(n>0?"-":(n*=-1,"+"))+Hv(n/60|0,"0",2)+Hv(n%60,"0",2)}function Ag(t,n){return Hv(t.getUTCDate(),n,2)}function Pg(t,n){return Hv(t.getUTCHours(),n,2)}function Rg(t,n){return Hv(t.getUTCHours()%12||12,n,2)}function Ig(t,n){return Hv(1+cv.count(Cv(t),t),n,3)}function Og(t,n){return Hv(t.getUTCMilliseconds(),n,3)}function Lg(t,n){return Og(t,n)+"000"}function Ug(t,n){return Hv(t.getUTCMonth()+1,n,2)}function Dg(t,n){return Hv(t.getUTCMinutes(),n,2)}function zg(t,n){return Hv(t.getUTCSeconds(),n,2)}function Fg(t){var n=t.getUTCDay();return 0===n?7:n}function jg(t,n){return Hv(sv.count(Cv(t),t),n,2)}function qg(t,n){var e=t.getUTCDay();return t=e>=4||0===e?vv(t):vv.ceil(t),Hv(vv.count(Cv(t),t)+(4===Cv(t).getUTCDay()),n,2)}function Bg(t){return t.getUTCDay()}function Yg(t,n){return Hv(hv.count(Cv(t),t),n,2)}function Hg(t,n){return Hv(t.getUTCFullYear()%100,n,2)}function Vg(t,n){return Hv(t.getUTCFullYear()%1e4,n,4)}function $g(){return"+0000"}function Wg(){return"%"}function Xg(t){return+t}function Gg(t){return Math.floor(+t/1e3)}function Qg(t){return Lv=Ov(t),Uv=Lv.format,Dv=Lv.parse,zv=Lv.utcFormat,Fv=Lv.utcParse,Lv}Qg({dateTime:"%x, %X",date:"%-m/%-d/%Y",time:"%-I:%M:%S %p",periods:["AM","PM"],days:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],shortDays:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],months:["January","February","March","April","May","June","July","August","September","October","November","December"],shortMonths:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"]});var Zg=Date.prototype.toISOString?function(t){return t.toISOString()}:zv("%Y-%m-%dT%H:%M:%S.%LZ");var Kg=+new Date("2000-01-01T00:00:00.000Z")?function(t){var n=new Date(t);return isNaN(n)?null:n}:Fv("%Y-%m-%dT%H:%M:%S.%LZ"),Jg=1e3,ty=60*Jg,ny=60*ty,ey=24*ny,ry=7*ey,iy=30*ey,oy=365*ey;function uy(t){return new Date(t)}function ay(t){return t instanceof Date?+t:+new Date(+t)}function cy(t,n,e,r,o,u,a,c,f){var l=Gd(Vd,De),s=l.invert,h=l.domain,d=f(".%L"),p=f(":%S"),v=f("%I:%M"),g=f("%I %p"),y=f("%a %d"),_=f("%b %d"),m=f("%B"),b=f("%Y"),w=[[a,1,Jg],[a,5,5*Jg],[a,15,15*Jg],[a,30,30*Jg],[u,1,ty],[u,5,5*ty],[u,15,15*ty],[u,30,30*ty],[o,1,ny],[o,3,3*ny],[o,6,6*ny],[o,12,12*ny],[r,1,ey],[r,2,2*ey],[e,1,ry],[n,1,iy],[n,3,3*iy],[t,1,oy]];function x(i){return(a(i)1)&&(t-=Math.floor(t));var n=Math.abs(t-.5);return S_.h=360*t-100,S_.s=1.5-1.5*n,S_.l=.8-.9*n,S_+""},C_=qn(),A_=Math.PI/3,P_=2*Math.PI/3,R_=function(t){var n;return t=(.5-t)*Math.PI,C_.r=255*(n=Math.sin(t))*n,C_.g=255*(n=Math.sin(t+A_))*n,C_.b=255*(n=Math.sin(t+P_))*n,C_+""};function I_(t){var n=t.length;return function(e){return t[Math.max(0,Math.min(n-1,Math.floor(e*n)))]}}var O_=I_(dy("44015444025645045745055946075a46085c460a5d460b5e470d60470e6147106347116447136548146748166848176948186a481a6c481b6d481c6e481d6f481f70482071482173482374482475482576482677482878482979472a7a472c7a472d7b472e7c472f7d46307e46327e46337f463480453581453781453882443983443a83443b84433d84433e85423f854240864241864142874144874045884046883f47883f48893e49893e4a893e4c8a3d4d8a3d4e8a3c4f8a3c508b3b518b3b528b3a538b3a548c39558c39568c38588c38598c375a8c375b8d365c8d365d8d355e8d355f8d34608d34618d33628d33638d32648e32658e31668e31678e31688e30698e306a8e2f6b8e2f6c8e2e6d8e2e6e8e2e6f8e2d708e2d718e2c718e2c728e2c738e2b748e2b758e2a768e2a778e2a788e29798e297a8e297b8e287c8e287d8e277e8e277f8e27808e26818e26828e26828e25838e25848e25858e24868e24878e23888e23898e238a8d228b8d228c8d228d8d218e8d218f8d21908d21918c20928c20928c20938c1f948c1f958b1f968b1f978b1f988b1f998a1f9a8a1e9b8a1e9c891e9d891f9e891f9f881fa0881fa1881fa1871fa28720a38620a48621a58521a68522a78522a88423a98324aa8325ab8225ac8226ad8127ad8128ae8029af7f2ab07f2cb17e2db27d2eb37c2fb47c31b57b32b67a34b67935b77937b87838b9773aba763bbb753dbc743fbc7340bd7242be7144bf7046c06f48c16e4ac16d4cc26c4ec36b50c46a52c56954c56856c66758c7655ac8645cc8635ec96260ca6063cb5f65cb5e67cc5c69cd5b6ccd5a6ece5870cf5773d05675d05477d1537ad1517cd2507fd34e81d34d84d44b86d54989d5488bd6468ed64590d74393d74195d84098d83e9bd93c9dd93ba0da39a2da37a5db36a8db34aadc32addc30b0dd2fb2dd2db5de2bb8de29bade28bddf26c0df25c2df23c5e021c8e020cae11fcde11dd0e11cd2e21bd5e21ad8e219dae319dde318dfe318e2e418e5e419e7e419eae51aece51befe51cf1e51df4e61ef6e620f8e621fbe723fde725")),L_=I_(dy("00000401000501010601010802010902020b02020d03030f03031204041405041606051806051a07061c08071e0907200a08220b09240c09260d0a290e0b2b100b2d110c2f120d31130d34140e36150e38160f3b180f3d19103f1a10421c10441d11471e114920114b21114e22115024125325125527125829115a2a115c2c115f2d11612f116331116533106734106936106b38106c390f6e3b0f703d0f713f0f72400f74420f75440f764510774710784910784a10794c117a4e117b4f127b51127c52137c54137d56147d57157e59157e5a167e5c167f5d177f5f187f601880621980641a80651a80671b80681c816a1c816b1d816d1d816e1e81701f81721f817320817521817621817822817922827b23827c23827e24828025828125818326818426818627818827818928818b29818c29818e2a81902a81912b81932b80942c80962c80982d80992d809b2e7f9c2e7f9e2f7fa02f7fa1307ea3307ea5317ea6317da8327daa337dab337cad347cae347bb0357bb2357bb3367ab5367ab73779b83779ba3878bc3978bd3977bf3a77c03a76c23b75c43c75c53c74c73d73c83e73ca3e72cc3f71cd4071cf4070d0416fd2426fd3436ed5446dd6456cd8456cd9466bdb476adc4869de4968df4a68e04c67e24d66e34e65e44f64e55064e75263e85362e95462ea5661eb5760ec5860ed5a5fee5b5eef5d5ef05f5ef1605df2625df2645cf3655cf4675cf4695cf56b5cf66c5cf66e5cf7705cf7725cf8745cf8765cf9785df9795df97b5dfa7d5efa7f5efa815ffb835ffb8560fb8761fc8961fc8a62fc8c63fc8e64fc9065fd9266fd9467fd9668fd9869fd9a6afd9b6bfe9d6cfe9f6dfea16efea36ffea571fea772fea973feaa74feac76feae77feb078feb27afeb47bfeb67cfeb77efeb97ffebb81febd82febf84fec185fec287fec488fec68afec88cfeca8dfecc8ffecd90fecf92fed194fed395fed597fed799fed89afdda9cfddc9efddea0fde0a1fde2a3fde3a5fde5a7fde7a9fde9aafdebacfcecaefceeb0fcf0b2fcf2b4fcf4b6fcf6b8fcf7b9fcf9bbfcfbbdfcfdbf")),U_=I_(dy("00000401000501010601010802010a02020c02020e03021004031204031405041706041907051b08051d09061f0a07220b07240c08260d08290e092b10092d110a30120a32140b34150b37160b39180c3c190c3e1b0c411c0c431e0c451f0c48210c4a230c4c240c4f260c51280b53290b552b0b572d0b592f0a5b310a5c320a5e340a5f3609613809623909633b09643d09653e0966400a67420a68440a68450a69470b6a490b6a4a0c6b4c0c6b4d0d6c4f0d6c510e6c520e6d540f6d550f6d57106e59106e5a116e5c126e5d126e5f136e61136e62146e64156e65156e67166e69166e6a176e6c186e6d186e6f196e71196e721a6e741a6e751b6e771c6d781c6d7a1d6d7c1d6d7d1e6d7f1e6c801f6c82206c84206b85216b87216b88226a8a226a8c23698d23698f24699025689225689326679526679727669827669a28659b29649d29649f2a63a02a63a22b62a32c61a52c60a62d60a82e5fa92e5eab2f5ead305dae305cb0315bb1325ab3325ab43359b63458b73557b93556ba3655bc3754bd3853bf3952c03a51c13a50c33b4fc43c4ec63d4dc73e4cc83f4bca404acb4149cc4248ce4347cf4446d04545d24644d34743d44842d54a41d74b3fd84c3ed94d3dda4e3cdb503bdd513ade5238df5337e05536e15635e25734e35933e45a31e55c30e65d2fe75e2ee8602de9612bea632aeb6429eb6628ec6726ed6925ee6a24ef6c23ef6e21f06f20f1711ff1731df2741cf3761bf37819f47918f57b17f57d15f67e14f68013f78212f78410f8850ff8870ef8890cf98b0bf98c0af98e09fa9008fa9207fa9407fb9606fb9706fb9906fb9b06fb9d07fc9f07fca108fca309fca50afca60cfca80dfcaa0ffcac11fcae12fcb014fcb216fcb418fbb61afbb81dfbba1ffbbc21fbbe23fac026fac228fac42afac62df9c72ff9c932f9cb35f8cd37f8cf3af7d13df7d340f6d543f6d746f5d949f5db4cf4dd4ff4df53f4e156f3e35af3e55df2e661f2e865f2ea69f1ec6df1ed71f1ef75f1f179f2f27df2f482f3f586f3f68af4f88ef5f992f6fa96f8fb9af9fc9dfafda1fcffa4")),D_=I_(dy("0d088710078813078916078a19068c1b068d1d068e20068f2206902406912605912805922a05932c05942e05952f059631059733059735049837049938049a3a049a3c049b3e049c3f049c41049d43039e44039e46039f48039f4903a04b03a14c02a14e02a25002a25102a35302a35502a45601a45801a45901a55b01a55c01a65e01a66001a66100a76300a76400a76600a76700a86900a86a00a86c00a86e00a86f00a87100a87201a87401a87501a87701a87801a87a02a87b02a87d03a87e03a88004a88104a78305a78405a78606a68707a68808a68a09a58b0aa58d0ba58e0ca48f0da4910ea3920fa39410a29511a19613a19814a099159f9a169f9c179e9d189d9e199da01a9ca11b9ba21d9aa31e9aa51f99a62098a72197a82296aa2395ab2494ac2694ad2793ae2892b02991b12a90b22b8fb32c8eb42e8db52f8cb6308bb7318ab83289ba3388bb3488bc3587bd3786be3885bf3984c03a83c13b82c23c81c33d80c43e7fc5407ec6417dc7427cc8437bc9447aca457acb4679cc4778cc4977cd4a76ce4b75cf4c74d04d73d14e72d24f71d35171d45270d5536fd5546ed6556dd7566cd8576bd9586ada5a6ada5b69db5c68dc5d67dd5e66de5f65de6164df6263e06363e16462e26561e26660e3685fe4695ee56a5de56b5de66c5ce76e5be76f5ae87059e97158e97257ea7457eb7556eb7655ec7754ed7953ed7a52ee7b51ef7c51ef7e50f07f4ff0804ef1814df1834cf2844bf3854bf3874af48849f48948f58b47f58c46f68d45f68f44f79044f79143f79342f89441f89540f9973ff9983ef99a3efa9b3dfa9c3cfa9e3bfb9f3afba139fba238fca338fca537fca636fca835fca934fdab33fdac33fdae32fdaf31fdb130fdb22ffdb42ffdb52efeb72dfeb82cfeba2cfebb2bfebd2afebe2afec029fdc229fdc328fdc527fdc627fdc827fdca26fdcb26fccd25fcce25fcd025fcd225fbd324fbd524fbd724fad824fada24f9dc24f9dd25f8df25f8e125f7e225f7e425f6e626f6e826f5e926f5eb27f4ed27f3ee27f3f027f2f227f1f426f1f525f0f724f0f921")),z_=function(t){return function(){return t}},F_=Math.abs,j_=Math.atan2,q_=Math.cos,B_=Math.max,Y_=Math.min,H_=Math.sin,V_=Math.sqrt,$_=1e-12,W_=Math.PI,X_=W_/2,G_=2*W_;function Q_(t){return t>=1?X_:t<=-1?-X_:Math.asin(t)}function Z_(t){return t.innerRadius}function K_(t){return t.outerRadius}function J_(t){return t.startAngle}function tm(t){return t.endAngle}function nm(t){return t&&t.padAngle}function em(t,n,e,r,i,o,u){var a=t-e,c=n-r,f=(u?o:-o)/V_(a*a+c*c),l=f*c,s=-f*a,h=t+l,d=n+s,p=e+l,v=r+s,g=(h+p)/2,y=(d+v)/2,_=p-h,m=v-d,b=_*_+m*m,w=i-o,x=h*v-p*d,M=(m<0?-1:1)*V_(B_(0,w*w*b-x*x)),E=(x*m-_*M)/b,k=(-x*_-m*M)/b,N=(x*m+_*M)/b,S=(-x*_+m*M)/b,T=E-g,C=k-y,A=N-g,P=S-y;return T*T+C*C>A*A+P*P&&(E=N,k=S),{cx:E,cy:k,x01:-l,y01:-s,x11:E*(i/w-1),y11:k*(i/w-1)}}var rm=function(){var t=Z_,n=K_,e=z_(0),r=null,i=J_,o=tm,u=nm,a=null;function c(){var c,f,l=+t.apply(this,arguments),s=+n.apply(this,arguments),h=i.apply(this,arguments)-X_,d=o.apply(this,arguments)-X_,p=F_(d-h),v=d>h;if(a||(a=c=zo()),s$_)if(p>G_-$_)a.moveTo(s*q_(h),s*H_(h)),a.arc(0,0,s,h,d,!v),l>$_&&(a.moveTo(l*q_(d),l*H_(d)),a.arc(0,0,l,d,h,v));else{var g,y,_=h,m=d,b=h,w=d,x=p,M=p,E=u.apply(this,arguments)/2,k=E>$_&&(r?+r.apply(this,arguments):V_(l*l+s*s)),N=Y_(F_(s-l)/2,+e.apply(this,arguments)),S=N,T=N;if(k>$_){var C=Q_(k/l*H_(E)),A=Q_(k/s*H_(E));(x-=2*C)>$_?(b+=C*=v?1:-1,w-=C):(x=0,b=w=(h+d)/2),(M-=2*A)>$_?(_+=A*=v?1:-1,m-=A):(M=0,_=m=(h+d)/2)}var P=s*q_(_),R=s*H_(_),I=l*q_(w),O=l*H_(w);if(N>$_){var L=s*q_(m),U=s*H_(m),D=l*q_(b),z=l*H_(b);if(p$_?function(t,n,e,r,i,o,u,a){var c=e-t,f=r-n,l=u-i,s=a-o,h=(l*(n-o)-s*(t-i))/(s*c-l*f);return[t+h*c,n+h*f]}(P,R,D,z,L,U,I,O):[I,O],j=P-F[0],q=R-F[1],B=L-F[0],Y=U-F[1],H=1/H_(function(t){return t>1?0:t<-1?W_:Math.acos(t)}((j*B+q*Y)/(V_(j*j+q*q)*V_(B*B+Y*Y)))/2),V=V_(F[0]*F[0]+F[1]*F[1]);S=Y_(N,(l-V)/(H-1)),T=Y_(N,(s-V)/(H+1))}}M>$_?T>$_?(g=em(D,z,P,R,s,T,v),y=em(L,U,I,O,s,T,v),a.moveTo(g.cx+g.x01,g.cy+g.y01),T$_&&x>$_?S>$_?(g=em(I,O,L,U,l,-S,v),y=em(P,R,D,z,l,-S,v),a.lineTo(g.cx+g.x01,g.cy+g.y01),S=l;--s)a.point(g[s],y[s]);a.lineEnd(),a.areaEnd()}v&&(g[f]=+t(h,f,c),y[f]=+e(h,f,c),a.point(n?+n(h,f,c):g[f],r?+r(h,f,c):y[f]))}if(d)return a=null,d+""||null}function f(){return cm().defined(i).curve(u).context(o)}return c.x=function(e){return arguments.length?(t="function"==typeof e?e:z_(+e),n=null,c):t},c.x0=function(n){return arguments.length?(t="function"==typeof n?n:z_(+n),c):t},c.x1=function(t){return arguments.length?(n=null==t?null:"function"==typeof t?t:z_(+t),c):n},c.y=function(t){return arguments.length?(e="function"==typeof t?t:z_(+t),r=null,c):e},c.y0=function(t){return arguments.length?(e="function"==typeof t?t:z_(+t),c):e},c.y1=function(t){return arguments.length?(r=null==t?null:"function"==typeof t?t:z_(+t),c):r},c.lineX0=c.lineY0=function(){return f().x(t).y(e)},c.lineY1=function(){return f().x(t).y(r)},c.lineX1=function(){return f().x(n).y(e)},c.defined=function(t){return arguments.length?(i="function"==typeof t?t:z_(!!t),c):i},c.curve=function(t){return arguments.length?(u=t,null!=o&&(a=u(o)),c):u},c.context=function(t){return arguments.length?(null==t?o=a=null:a=u(o=t),c):o},c},lm=function(t,n){return nt?1:n>=t?0:NaN},sm=function(t){return t},hm=function(){var t=sm,n=lm,e=null,r=z_(0),i=z_(G_),o=z_(0);function u(u){var a,c,f,l,s,h=u.length,d=0,p=new Array(h),v=new Array(h),g=+r.apply(this,arguments),y=Math.min(G_,Math.max(-G_,i.apply(this,arguments)-g)),_=Math.min(Math.abs(y)/h,o.apply(this,arguments)),m=_*(y<0?-1:1);for(a=0;a0&&(d+=s);for(null!=n?p.sort(function(t,e){return n(v[t],v[e])}):null!=e&&p.sort(function(t,n){return e(u[t],u[n])}),a=0,f=d?(y-h*m)/d:0;a0?s*f:0)+m,v[c]={data:u[c],index:a,value:s,startAngle:g,endAngle:l,padAngle:_};return v}return u.value=function(n){return arguments.length?(t="function"==typeof n?n:z_(+n),u):t},u.sortValues=function(t){return arguments.length?(n=t,e=null,u):n},u.sort=function(t){return arguments.length?(e=t,n=null,u):e},u.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:z_(+t),u):r},u.endAngle=function(t){return arguments.length?(i="function"==typeof t?t:z_(+t),u):i},u.padAngle=function(t){return arguments.length?(o="function"==typeof t?t:z_(+t),u):o},u},dm=vm(om);function pm(t){this._curve=t}function vm(t){function n(n){return new pm(t(n))}return n._curve=t,n}function gm(t){var n=t.curve;return t.angle=t.x,delete t.x,t.radius=t.y,delete t.y,t.curve=function(t){return arguments.length?n(vm(t)):n()._curve},t}pm.prototype={areaStart:function(){this._curve.areaStart()},areaEnd:function(){this._curve.areaEnd()},lineStart:function(){this._curve.lineStart()},lineEnd:function(){this._curve.lineEnd()},point:function(t,n){this._curve.point(n*Math.sin(t),n*-Math.cos(t))}};var ym=function(){return gm(cm().curve(dm))},_m=function(){var t=fm().curve(dm),n=t.curve,e=t.lineX0,r=t.lineX1,i=t.lineY0,o=t.lineY1;return t.angle=t.x,delete t.x,t.startAngle=t.x0,delete t.x0,t.endAngle=t.x1,delete t.x1,t.radius=t.y,delete t.y,t.innerRadius=t.y0,delete t.y0,t.outerRadius=t.y1,delete t.y1,t.lineStartAngle=function(){return gm(e())},delete t.lineX0,t.lineEndAngle=function(){return gm(r())},delete t.lineX1,t.lineInnerRadius=function(){return gm(i())},delete t.lineY0,t.lineOuterRadius=function(){return gm(o())},delete t.lineY1,t.curve=function(t){return arguments.length?n(vm(t)):n()._curve},t},mm=function(t,n){return[(n=+n)*Math.cos(t-=Math.PI/2),n*Math.sin(t)]},bm=Array.prototype.slice;function wm(t){return t.source}function xm(t){return t.target}function Mm(t){var n=wm,e=xm,r=um,i=am,o=null;function u(){var u,a=bm.call(arguments),c=n.apply(this,a),f=e.apply(this,a);if(o||(o=u=zo()),t(o,+r.apply(this,(a[0]=c,a)),+i.apply(this,a),+r.apply(this,(a[0]=f,a)),+i.apply(this,a)),u)return o=null,u+""||null}return u.source=function(t){return arguments.length?(n=t,u):n},u.target=function(t){return arguments.length?(e=t,u):e},u.x=function(t){return arguments.length?(r="function"==typeof t?t:z_(+t),u):r},u.y=function(t){return arguments.length?(i="function"==typeof t?t:z_(+t),u):i},u.context=function(t){return arguments.length?(o=null==t?null:t,u):o},u}function Em(t,n,e,r,i){t.moveTo(n,e),t.bezierCurveTo(n=(n+r)/2,e,n,i,r,i)}function km(t,n,e,r,i){t.moveTo(n,e),t.bezierCurveTo(n,e=(e+i)/2,r,e,r,i)}function Nm(t,n,e,r,i){var o=mm(n,e),u=mm(n,e=(e+i)/2),a=mm(r,e),c=mm(r,i);t.moveTo(o[0],o[1]),t.bezierCurveTo(u[0],u[1],a[0],a[1],c[0],c[1])}function Sm(){return Mm(Em)}function Tm(){return Mm(km)}function Cm(){var t=Mm(Nm);return t.angle=t.x,delete t.x,t.radius=t.y,delete t.y,t}var Am={draw:function(t,n){var e=Math.sqrt(n/W_);t.moveTo(e,0),t.arc(0,0,e,0,G_)}},Pm={draw:function(t,n){var e=Math.sqrt(n/5)/2;t.moveTo(-3*e,-e),t.lineTo(-e,-e),t.lineTo(-e,-3*e),t.lineTo(e,-3*e),t.lineTo(e,-e),t.lineTo(3*e,-e),t.lineTo(3*e,e),t.lineTo(e,e),t.lineTo(e,3*e),t.lineTo(-e,3*e),t.lineTo(-e,e),t.lineTo(-3*e,e),t.closePath()}},Rm=Math.sqrt(1/3),Im=2*Rm,Om={draw:function(t,n){var e=Math.sqrt(n/Im),r=e*Rm;t.moveTo(0,-e),t.lineTo(r,0),t.lineTo(0,e),t.lineTo(-r,0),t.closePath()}},Lm=Math.sin(W_/10)/Math.sin(7*W_/10),Um=Math.sin(G_/10)*Lm,Dm=-Math.cos(G_/10)*Lm,zm={draw:function(t,n){var e=Math.sqrt(.8908130915292852*n),r=Um*e,i=Dm*e;t.moveTo(0,-e),t.lineTo(r,i);for(var o=1;o<5;++o){var u=G_*o/5,a=Math.cos(u),c=Math.sin(u);t.lineTo(c*e,-a*e),t.lineTo(a*r-c*i,c*r+a*i)}t.closePath()}},Fm={draw:function(t,n){var e=Math.sqrt(n),r=-e/2;t.rect(r,r,e,e)}},jm=Math.sqrt(3),qm={draw:function(t,n){var e=-Math.sqrt(n/(3*jm));t.moveTo(0,2*e),t.lineTo(-jm*e,-e),t.lineTo(jm*e,-e),t.closePath()}},Bm=Math.sqrt(3)/2,Ym=1/Math.sqrt(12),Hm=3*(Ym/2+1),Vm={draw:function(t,n){var e=Math.sqrt(n/Hm),r=e/2,i=e*Ym,o=r,u=e*Ym+e,a=-o,c=u;t.moveTo(r,i),t.lineTo(o,u),t.lineTo(a,c),t.lineTo(-.5*r-Bm*i,Bm*r+-.5*i),t.lineTo(-.5*o-Bm*u,Bm*o+-.5*u),t.lineTo(-.5*a-Bm*c,Bm*a+-.5*c),t.lineTo(-.5*r+Bm*i,-.5*i-Bm*r),t.lineTo(-.5*o+Bm*u,-.5*u-Bm*o),t.lineTo(-.5*a+Bm*c,-.5*c-Bm*a),t.closePath()}},$m=[Am,Pm,Om,Fm,zm,qm,Vm],Wm=function(){var t=z_(Am),n=z_(64),e=null;function r(){var r;if(e||(e=r=zo()),t.apply(this,arguments).draw(e,+n.apply(this,arguments)),r)return e=null,r+""||null}return r.type=function(n){return arguments.length?(t="function"==typeof n?n:z_(n),r):t},r.size=function(t){return arguments.length?(n="function"==typeof t?t:z_(+t),r):n},r.context=function(t){return arguments.length?(e=null==t?null:t,r):e},r},Xm=function(){};function Gm(t,n,e){t._context.bezierCurveTo((2*t._x0+t._x1)/3,(2*t._y0+t._y1)/3,(t._x0+2*t._x1)/3,(t._y0+2*t._y1)/3,(t._x0+4*t._x1+n)/6,(t._y0+4*t._y1+e)/6)}function Qm(t){this._context=t}Qm.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){switch(this._point){case 3:Gm(this,this._x1,this._y1);case 2:this._context.lineTo(this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;break;case 2:this._point=3,this._context.lineTo((5*this._x0+this._x1)/6,(5*this._y0+this._y1)/6);default:Gm(this,t,n)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=n}};var Zm=function(t){return new Qm(t)};function Km(t){this._context=t}Km.prototype={areaStart:Xm,areaEnd:Xm,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._y0=this._y1=this._y2=this._y3=this._y4=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x2,this._y2),this._context.closePath();break;case 2:this._context.moveTo((this._x2+2*this._x3)/3,(this._y2+2*this._y3)/3),this._context.lineTo((this._x3+2*this._x2)/3,(this._y3+2*this._y2)/3),this._context.closePath();break;case 3:this.point(this._x2,this._y2),this.point(this._x3,this._y3),this.point(this._x4,this._y4)}},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._x2=t,this._y2=n;break;case 1:this._point=2,this._x3=t,this._y3=n;break;case 2:this._point=3,this._x4=t,this._y4=n,this._context.moveTo((this._x0+4*this._x1+t)/6,(this._y0+4*this._y1+n)/6);break;default:Gm(this,t,n)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=n}};var Jm=function(t){return new Km(t)};function tb(t){this._context=t}tb.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3;var e=(this._x0+4*this._x1+t)/6,r=(this._y0+4*this._y1+n)/6;this._line?this._context.lineTo(e,r):this._context.moveTo(e,r);break;case 3:this._point=4;default:Gm(this,t,n)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=n}};var nb=function(t){return new tb(t)};function eb(t,n){this._basis=new Qm(t),this._beta=n}eb.prototype={lineStart:function(){this._x=[],this._y=[],this._basis.lineStart()},lineEnd:function(){var t=this._x,n=this._y,e=t.length-1;if(e>0)for(var r,i=t[0],o=n[0],u=t[e]-i,a=n[e]-o,c=-1;++c<=e;)r=c/e,this._basis.point(this._beta*t[c]+(1-this._beta)*(i+r*u),this._beta*n[c]+(1-this._beta)*(o+r*a));this._x=this._y=null,this._basis.lineEnd()},point:function(t,n){this._x.push(+t),this._y.push(+n)}};var rb=function t(n){function e(t){return 1===n?new Qm(t):new eb(t,n)}return e.beta=function(n){return t(+n)},e}(.85);function ib(t,n,e){t._context.bezierCurveTo(t._x1+t._k*(t._x2-t._x0),t._y1+t._k*(t._y2-t._y0),t._x2+t._k*(t._x1-n),t._y2+t._k*(t._y1-e),t._x2,t._y2)}function ob(t,n){this._context=t,this._k=(1-n)/6}ob.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:ib(this,this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2,this._x1=t,this._y1=n;break;case 2:this._point=3;default:ib(this,t,n)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var ub=function t(n){function e(t){return new ob(t,n)}return e.tension=function(n){return t(+n)},e}(0);function ab(t,n){this._context=t,this._k=(1-n)/6}ab.prototype={areaStart:Xm,areaEnd:Xm,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._x3=t,this._y3=n;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=n);break;case 2:this._point=3,this._x5=t,this._y5=n;break;default:ib(this,t,n)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var cb=function t(n){function e(t){return new ab(t,n)}return e.tension=function(n){return t(+n)},e}(0);function fb(t,n){this._context=t,this._k=(1-n)/6}fb.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:ib(this,t,n)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var lb=function t(n){function e(t){return new fb(t,n)}return e.tension=function(n){return t(+n)},e}(0);function sb(t,n,e){var r=t._x1,i=t._y1,o=t._x2,u=t._y2;if(t._l01_a>$_){var a=2*t._l01_2a+3*t._l01_a*t._l12_a+t._l12_2a,c=3*t._l01_a*(t._l01_a+t._l12_a);r=(r*a-t._x0*t._l12_2a+t._x2*t._l01_2a)/c,i=(i*a-t._y0*t._l12_2a+t._y2*t._l01_2a)/c}if(t._l23_a>$_){var f=2*t._l23_2a+3*t._l23_a*t._l12_a+t._l12_2a,l=3*t._l23_a*(t._l23_a+t._l12_a);o=(o*f+t._x1*t._l23_2a-n*t._l12_2a)/l,u=(u*f+t._y1*t._l23_2a-e*t._l12_2a)/l}t._context.bezierCurveTo(r,i,o,u,t._x2,t._y2)}function hb(t,n){this._context=t,this._alpha=n}hb.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:this.point(this._x2,this._y2)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){if(t=+t,n=+n,this._point){var e=this._x2-t,r=this._y2-n;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(e*e+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;break;case 2:this._point=3;default:sb(this,t,n)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var db=function t(n){function e(t){return n?new hb(t,n):new ob(t,0)}return e.alpha=function(n){return t(+n)},e}(.5);function pb(t,n){this._context=t,this._alpha=n}pb.prototype={areaStart:Xm,areaEnd:Xm,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,n){if(t=+t,n=+n,this._point){var e=this._x2-t,r=this._y2-n;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(e*e+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._x3=t,this._y3=n;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=n);break;case 2:this._point=3,this._x5=t,this._y5=n;break;default:sb(this,t,n)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var vb=function t(n){function e(t){return n?new pb(t,n):new ab(t,0)}return e.alpha=function(n){return t(+n)},e}(.5);function gb(t,n){this._context=t,this._alpha=n}gb.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){if(t=+t,n=+n,this._point){var e=this._x2-t,r=this._y2-n;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(e*e+r*r,this._alpha))}switch(this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:sb(this,t,n)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var yb=function t(n){function e(t){return n?new gb(t,n):new fb(t,0)}return e.alpha=function(n){return t(+n)},e}(.5);function _b(t){this._context=t}_b.prototype={areaStart:Xm,areaEnd:Xm,lineStart:function(){this._point=0},lineEnd:function(){this._point&&this._context.closePath()},point:function(t,n){t=+t,n=+n,this._point?this._context.lineTo(t,n):(this._point=1,this._context.moveTo(t,n))}};var mb=function(t){return new _b(t)};function bb(t){return t<0?-1:1}function wb(t,n,e){var r=t._x1-t._x0,i=n-t._x1,o=(t._y1-t._y0)/(r||i<0&&-0),u=(e-t._y1)/(i||r<0&&-0),a=(o*i+u*r)/(r+i);return(bb(o)+bb(u))*Math.min(Math.abs(o),Math.abs(u),.5*Math.abs(a))||0}function xb(t,n){var e=t._x1-t._x0;return e?(3*(t._y1-t._y0)/e-n)/2:n}function Mb(t,n,e){var r=t._x0,i=t._y0,o=t._x1,u=t._y1,a=(o-r)/3;t._context.bezierCurveTo(r+a,i+a*n,o-a,u-a*e,o,u)}function Eb(t){this._context=t}function kb(t){this._context=new Nb(t)}function Nb(t){this._context=t}function Sb(t){return new Eb(t)}function Tb(t){return new kb(t)}function Cb(t){this._context=t}function Ab(t){var n,e,r=t.length-1,i=new Array(r),o=new Array(r),u=new Array(r);for(i[0]=0,o[0]=2,u[0]=t[0]+2*t[1],n=1;n=0;--n)i[n]=(u[n]-i[n+1])/o[n];for(o[r-1]=(t[r]+i[r-1])/2,n=0;n=0&&(this._t=1-this._t,this._line=1-this._line)},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;default:if(this._t<=0)this._context.lineTo(this._x,n),this._context.lineTo(t,n);else{var e=this._x*(1-this._t)+t*this._t;this._context.lineTo(e,this._y),this._context.lineTo(e,n)}}this._x=t,this._y=n}};var Ib=function(t){return new Rb(t,.5)};function Ob(t){return new Rb(t,0)}function Lb(t){return new Rb(t,1)}var Ub=function(t,n){if((i=t.length)>1)for(var e,r,i,o=1,u=t[n[0]],a=u.length;o=0;)e[n]=n;return e};function zb(t,n){return t[n]}var Fb=function(){var t=z_([]),n=Db,e=Ub,r=zb;function i(i){var o,u,a=t.apply(this,arguments),c=i.length,f=a.length,l=new Array(f);for(o=0;o0){for(var e,r,i,o=0,u=t[0].length;o1)for(var e,r,i,o,u,a,c=0,f=t[n[0]].length;c=0?(r[0]=o,r[1]=o+=i):i<0?(r[1]=u,r[0]=u+=i):r[0]=o},Bb=function(t,n){if((e=t.length)>0){for(var e,r=0,i=t[n[0]],o=i.length;r0&&(r=(e=t[n[0]]).length)>0){for(var e,r,i,o=0,u=1;u0)){if(o/=h,h<0){if(o0){if(o>s)return;o>l&&(l=o)}if(o=r-c,h||!(o<0)){if(o/=h,h<0){if(o>s)return;o>l&&(l=o)}else if(h>0){if(o0)){if(o/=d,d<0){if(o0){if(o>s)return;o>l&&(l=o)}if(o=i-f,d||!(o<0)){if(o/=d,d<0){if(o>s)return;o>l&&(l=o)}else if(d>0){if(o0||s<1)||(l>0&&(t[0]=[c+l*h,f+l*d]),s<1&&(t[1]=[c+s*h,f+s*d]),!0)}}}}}function cw(t,n,e,r,i){var o=t[1];if(o)return!0;var u,a,c=t[0],f=t.left,l=t.right,s=f[0],h=f[1],d=l[0],p=l[1],v=(s+d)/2,g=(h+p)/2;if(p===h){if(v=r)return;if(s>d){if(c){if(c[1]>=i)return}else c=[v,e];o=[v,i]}else{if(c){if(c[1]1)if(s>d){if(c){if(c[1]>=i)return}else c=[(e-a)/u,e];o=[(i-a)/u,i]}else{if(c){if(c[1]=r)return}else c=[n,u*n+a];o=[r,u*r+a]}else{if(c){if(c[0]=-Tw)){var d=c*c+f*f,p=l*l+s*s,v=(s*d-f*p)/h,g=(c*p-l*d)/h,y=dw.pop()||new function(){Jb(this),this.x=this.y=this.arc=this.site=this.cy=null};y.arc=t,y.site=i,y.x=v+u,y.y=(y.cy=g+a)+Math.sqrt(v*v+g*g),t.circle=y;for(var _=null,m=kw._;m;)if(y.ySw)a=a.L;else{if(!((i=o-xw(a,u))>Sw)){r>-Sw?(n=a.P,e=a):i>-Sw?(n=a,e=a.N):n=e=a;break}if(!a.R){n=a;break}a=a.R}!function(t){Ew[t.index]={site:t,halfedges:[]}}(t);var c=yw(t);if(Mw.insert(n,c),n||e){if(n===e)return vw(n),e=yw(n.site),Mw.insert(c,e),c.edge=e.edge=iw(n.site,c.site),pw(n),void pw(e);if(e){vw(n),vw(e);var f=n.site,l=f[0],s=f[1],h=t[0]-l,d=t[1]-s,p=e.site,v=p[0]-l,g=p[1]-s,y=2*(h*g-d*v),_=h*h+d*d,m=v*v+g*g,b=[(g*_-d*m)/y+l,(h*m-v*_)/y+s];uw(e.edge,f,p,b),c.edge=iw(f,t,null,b),e.edge=iw(t,p,null,b),pw(n),pw(e)}else c.edge=iw(n.site,c.site)}}function ww(t,n){var e=t.site,r=e[0],i=e[1],o=i-n;if(!o)return r;var u=t.P;if(!u)return-1/0;var a=(e=u.site)[0],c=e[1],f=c-n;if(!f)return a;var l=a-r,s=1/o-1/f,h=l/f;return s?(-h+Math.sqrt(h*h-2*s*(l*l/(-2*f)-c+f/2+i-o/2)))/s+r:(r+a)/2}function xw(t,n){var e=t.N;if(e)return ww(e,n);var r=t.site;return r[1]===n?r[0]:1/0}var Mw,Ew,kw,Nw,Sw=1e-6,Tw=1e-12;function Cw(t,n,e){return(t[0]-e[0])*(n[1]-t[1])-(t[0]-n[0])*(e[1]-t[1])}function Aw(t,n){return n[1]-t[1]||n[0]-t[0]}function Pw(t,n){var e,r,i,o=t.sort(Aw).pop();for(Nw=[],Ew=new Array(t.length),Mw=new rw,kw=new rw;;)if(i=hw,o&&(!i||o[1]Sw||Math.abs(i[0][1]-i[1][1])>Sw)||delete Nw[o]}(u,a,c,f),function(t,n,e,r){var i,o,u,a,c,f,l,s,h,d,p,v,g=Ew.length,y=!0;for(i=0;iSw||Math.abs(v-h)>Sw)&&(c.splice(a,0,Nw.push(ow(u,d,Math.abs(p-t)Sw?[t,Math.abs(s-t)Sw?[Math.abs(h-r)Sw?[e,Math.abs(s-e)Sw?[Math.abs(h-n)=a)return null;var c=t-i.site[0],f=n-i.site[1],l=c*c+f*f;do{i=o.cells[r=u],u=null,i.halfedges.forEach(function(e){var r=o.edges[e],a=r.left;if(a!==i.site&&a||(a=r.right)){var c=t-a[0],f=n-a[1],s=c*c+f*f;sr?(r+i)/2:Math.min(0,r)||Math.max(0,i),u>o?(o+u)/2:Math.min(0,o)||Math.max(0,u))}var Vw=function(){var t,n,e=Fw,r=jw,i=Hw,o=Bw,u=Yw,a=[0,1/0],c=[[-1/0,-1/0],[1/0,1/0]],f=250,l=ir,s=[],h=Object(at.a)("start","zoom","end"),d=500,p=150,v=0;function g(t){t.property("__zoom",qw).on("wheel.zoom",M).on("mousedown.zoom",E).on("dblclick.zoom",k).filter(u).on("touchstart.zoom",N).on("touchmove.zoom",S).on("touchend.zoom touchcancel.zoom",T).style("touch-action","none").style("-webkit-tap-highlight-color","rgba(0,0,0,0)")}function y(t,n){return(n=Math.max(a[0],Math.min(a[1],n)))===t.k?t:new Ow(n,t.x,t.y)}function _(t,n,e){var r=n[0]-e[0]*t.k,i=n[1]-e[1]*t.k;return r===t.x&&i===t.y?t:new Ow(t.k,r,i)}function m(t){return[(+t[0][0]+ +t[1][0])/2,(+t[0][1]+ +t[1][1])/2]}function b(t,n,e){t.on("start.zoom",function(){w(this,arguments).start()}).on("interrupt.zoom end.zoom",function(){w(this,arguments).end()}).tween("zoom",function(){var t=arguments,i=w(this,t),o=r.apply(this,t),u=e||m(o),a=Math.max(o[1][0]-o[0][0],o[1][1]-o[0][1]),c=this.__zoom,f="function"==typeof n?n.apply(this,t):n,s=l(c.invert(u).concat(a/c.k),f.invert(u).concat(a/f.k));return function(t){if(1===t)t=f;else{var n=s(t),e=a/n[2];t=new Ow(e,u[0]-n[0]*e,u[1]-n[1]*e)}i.zoom(null,t)}})}function w(t,n){for(var e,r=0,i=s.length;rv}t.zoom("mouse",i(_(t.that.__zoom,t.mouse[0]=an(t.that),t.mouse[1]),t.extent,c))},!0).on("mouseup.zoom",function(){r.on("mousemove.zoom mouseup.zoom",null),pn(Bt.view,t.moved),zw(),t.end()},!0),o=an(this),u=Bt.clientX,a=Bt.clientY;dn(Bt.view),Dw(),t.mouse=[o,this.__zoom.invert(o)],Zr(this),t.start()}}function k(){if(e.apply(this,arguments)){var t=this.__zoom,n=an(this),o=t.invert(n),u=t.k*(Bt.shiftKey?.5:2),a=i(_(y(t,u),n,o),r.apply(this,arguments),c);zw(),f>0?Jt(this).transition().duration(f).call(b,a,n):Jt(this).call(g.transform,a)}}function N(){if(e.apply(this,arguments)){var n,r,i,o,u=w(this,arguments),a=Bt.changedTouches,c=a.length;for(Dw(),r=0;rA.length&&A.push(t)}function I(t,n,e,r){var i=typeof t;"undefined"!==i&&"boolean"!==i||(t=null);var o=!1;if(null===t)o=!0;else switch(i){case"string":case"number":o=!0;break;case"object":switch(t.$$typeof){case c:case f:o=!0}}if(o)return e(r,t,""===n?"."+O(t,0):n),1;if(o=0,n=""===n?".":n+":",Array.isArray(t))for(var u=0;uthis.eventPool.length&&this.eventPool.push(t)}function Mt(t){t.eventPool=[],t.getPooled=wt,t.release=xt}u(bt.prototype,{preventDefault:function(){this.defaultPrevented=!0;var t=this.nativeEvent;t&&(t.preventDefault?t.preventDefault():"unknown"!=typeof t.returnValue&&(t.returnValue=!1),this.isDefaultPrevented=a.thatReturnsTrue)},stopPropagation:function(){var t=this.nativeEvent;t&&(t.stopPropagation?t.stopPropagation():"unknown"!=typeof t.cancelBubble&&(t.cancelBubble=!0),this.isPropagationStopped=a.thatReturnsTrue)},persist:function(){this.isPersistent=a.thatReturnsTrue},isPersistent:a.thatReturnsFalse,destructor:function(){var t,n=this.constructor.Interface;for(t in n)this[t]=null;for(n=0;n<_t.length;n++)this[_t[n]]=null}}),bt.Interface=mt,bt.extend=function(t){function n(){}function e(){return r.apply(this,arguments)}var r=this;n.prototype=r.prototype;var i=new n;return u(i,e.prototype),e.prototype=i,e.prototype.constructor=e,e.Interface=u({},r.Interface,t),e.extend=r.extend,Mt(e),e},Mt(bt);var Et=bt.extend({data:null}),kt=bt.extend({data:null}),Nt=[9,13,27,32],St=o.canUseDOM&&"CompositionEvent"in window,Tt=null;o.canUseDOM&&"documentMode"in document&&(Tt=document.documentMode);var Ct=o.canUseDOM&&"TextEvent"in window&&!Tt,At=o.canUseDOM&&(!St||Tt&&8=Tt),Pt=String.fromCharCode(32),Rt={beforeInput:{phasedRegistrationNames:{bubbled:"onBeforeInput",captured:"onBeforeInputCapture"},dependencies:["compositionend","keypress","textInput","paste"]},compositionEnd:{phasedRegistrationNames:{bubbled:"onCompositionEnd",captured:"onCompositionEndCapture"},dependencies:"blur compositionend keydown keypress keyup mousedown".split(" ")},compositionStart:{phasedRegistrationNames:{bubbled:"onCompositionStart",captured:"onCompositionStartCapture"},dependencies:"blur compositionstart keydown keypress keyup mousedown".split(" ")},compositionUpdate:{phasedRegistrationNames:{bubbled:"onCompositionUpdate",captured:"onCompositionUpdateCapture"},dependencies:"blur compositionupdate keydown keypress keyup mousedown".split(" ")}},It=!1;function Ot(t,n){switch(t){case"keyup":return-1!==Nt.indexOf(n.keyCode);case"keydown":return 229!==n.keyCode;case"keypress":case"mousedown":case"blur":return!0;default:return!1}}function Lt(t){return"object"==typeof(t=t.detail)&&"data"in t?t.data:null}var Ut=!1;var Dt={eventTypes:Rt,extractEvents:function(t,n,e,r){var i=void 0,o=void 0;if(St)t:{switch(t){case"compositionstart":i=Rt.compositionStart;break t;case"compositionend":i=Rt.compositionEnd;break t;case"compositionupdate":i=Rt.compositionUpdate;break t}i=void 0}else Ut?Ot(t,e)&&(i=Rt.compositionEnd):"keydown"===t&&229===e.keyCode&&(i=Rt.compositionStart);return i?(At&&(Ut||i!==Rt.compositionStart?i===Rt.compositionEnd&&Ut&&(o=gt()):(vt._root=r,vt._startText=yt(),Ut=!0)),i=Et.getPooled(i,n,e,r),o?i.data=o:null!==(o=Lt(e))&&(i.data=o),tt(i),o=i):o=null,(t=Ct?function(t,n){switch(t){case"compositionend":return Lt(n);case"keypress":return 32!==n.which?null:(It=!0,Pt);case"textInput":return(t=n.data)===Pt&&It?null:t;default:return null}}(t,e):function(t,n){if(Ut)return"compositionend"===t||!St&&Ot(t,n)?(t=gt(),vt._root=null,vt._startText=null,vt._fallbackText=null,Ut=!1,t):null;switch(t){case"paste":return null;case"keypress":if(!(n.ctrlKey||n.altKey||n.metaKey)||n.ctrlKey&&n.altKey){if(n.char&&1