avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 1 | package main |
| 2 | |
| 3 | import ( |
| 4 | "context" |
| 5 | "database/sql" |
| 6 | "flag" |
| 7 | "fmt" |
| 8 | "log" |
| 9 | "net" |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 10 | "net/http" |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 11 | "time" |
| 12 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 13 | "github.com/ReneKroon/ttlcache/v2" |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 14 | _ "github.com/go-sql-driver/mysql" |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 15 | "google.golang.org/api/idtoken" |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 16 | "google.golang.org/grpc" |
| 17 | "google.golang.org/grpc/codes" |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 18 | "google.golang.org/grpc/metadata" |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 19 | "google.golang.org/grpc/reflection" |
| 20 | "google.golang.org/grpc/status" |
| 21 | "google.golang.org/protobuf/proto" |
| 22 | |
| 23 | pb "gomodules.avm99963.com/twpt-server/api_proto" |
| 24 | db "gomodules.avm99963.com/twpt-server/internal/db" |
| 25 | ) |
| 26 | |
| 27 | var ( |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 28 | authorizedUsersCacheTime = 15 * time.Minute |
| 29 | ) |
| 30 | |
| 31 | var ( |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 32 | port = flag.Int("port", 10000, "The server port") |
| 33 | dbDsn = flag.String("db", "", "MySQL/MariaDB database data source name (DSN)") // https://github.com/go-sql-driver/mysql#dsn-data-source-name |
| 34 | dbConnMaxLifetime = flag.Int("dbConnMaxLifetime", 3*60, "Maximum amount of time a connection to the database may be reused in seconds.") |
| 35 | dbMaxOpenConns = flag.Int("dbMaxOpenConns", 5, "Maximum number of open connections to the database.") |
| 36 | dbMaxIdleConns = flag.Int("dbMaxIdleConns", *dbMaxOpenConns, "Maximum number of connections to the database in the idle connection pool.") |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 37 | jwtAudience = flag.String("jwtAudience", "", "JWT audience string.") |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 38 | ) |
| 39 | |
| 40 | type killSwitchServiceServer struct { |
| 41 | pb.UnimplementedKillSwitchServiceServer |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 42 | dbPool *sql.DB |
| 43 | jwtValidator *idtoken.Validator |
| 44 | cache ttlcache.SimpleCache |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 45 | } |
| 46 | |
| 47 | func newKillSwitchServiceServer() *killSwitchServiceServer { |
| 48 | s := &killSwitchServiceServer{} |
| 49 | db, err := sql.Open("mysql", *dbDsn) |
| 50 | if err != nil { |
| 51 | log.Fatalf("unable to open database connection: %v", err) |
| 52 | } |
| 53 | db.SetConnMaxLifetime(time.Duration(*dbConnMaxLifetime) * time.Second) |
| 54 | db.SetMaxOpenConns(*dbMaxOpenConns) |
| 55 | db.SetMaxIdleConns(*dbMaxIdleConns) |
| 56 | |
| 57 | ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second) |
| 58 | defer cancel() |
| 59 | |
| 60 | if err := db.PingContext(ctx); err != nil { |
| 61 | log.Fatalf("unable to connect to database: %v", err) |
| 62 | } |
| 63 | |
| 64 | s.dbPool = db |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 65 | |
| 66 | client := &http.Client{} |
| 67 | validator, err := idtoken.NewValidator(context.Background(), idtoken.WithHTTPClient(client)) |
| 68 | if err != nil { |
| 69 | log.Fatalf("unable to start idtoken validator: %v", err) |
| 70 | } |
| 71 | s.jwtValidator = validator |
| 72 | |
| 73 | s.cache = ttlcache.NewCache() |
| 74 | |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 75 | return s |
| 76 | } |
| 77 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 78 | func getAuthenticatedUser(s *killSwitchServiceServer, ctx context.Context) (*pb.KillSwitchAuthorizedUser, error) { |
| 79 | md, ok := metadata.FromIncomingContext(ctx) |
| 80 | if !ok { |
| 81 | return nil, status.Errorf(codes.Internal, "getAuthenticatedUser: can't retrieve metadata from incoming request") |
| 82 | } |
| 83 | |
| 84 | authorization := md.Get("authorization") |
| 85 | if len(authorization) < 1 { |
| 86 | return nil, status.Errorf(codes.Unauthenticated, "Unauthenticated") |
| 87 | } |
| 88 | |
| 89 | token := authorization[0] |
| 90 | payload, err := s.jwtValidator.Validate(ctx, token, *jwtAudience) |
| 91 | if err != nil { |
| 92 | return nil, status.Errorf(codes.Unauthenticated, "getAuthenticatedUser: can't parse idtoken") |
| 93 | } |
| 94 | |
| 95 | var authorizedUsers []*pb.KillSwitchAuthorizedUser |
| 96 | var okAssertion bool |
| 97 | |
| 98 | authorizedUsersInterface, err := s.cache.Get("AuthorizedUsers") |
| 99 | if err == nil { |
| 100 | authorizedUsers, okAssertion = authorizedUsersInterface.([]*pb.KillSwitchAuthorizedUser) |
| 101 | } |
| 102 | if err != nil || !okAssertion { |
| 103 | freshAuthorizedUsers, err := db.ListAuthorizedUsers(s.dbPool, ctx) |
| 104 | if err != nil { |
| 105 | log.Printf("getAuthenticatedUser: error while getting authorized users: %v", err) |
| 106 | return nil, status.Errorf(codes.Internal, "getAuthenticatedUser: can't get list of authorized users") |
| 107 | } |
| 108 | s.cache.SetWithTTL("AuthorizedUsers", freshAuthorizedUsers, authorizedUsersCacheTime) |
| 109 | authorizedUsers = freshAuthorizedUsers |
| 110 | } |
| 111 | |
| 112 | // Check if the current user is one of the authorized users, and if so return it. |
| 113 | for _, u := range authorizedUsers { |
| 114 | if u.GetGoogleUid() != "" && u.GetGoogleUid() == payload.Subject { |
| 115 | return u, nil |
| 116 | } |
| 117 | |
| 118 | email, emailExists := payload.Claims["email"] |
| 119 | emailVerified, emailVerifiedExists := payload.Claims["email_verified"] |
| 120 | |
| 121 | if u.GetEmail() != "" && emailVerifiedExists && emailExists && emailVerified == true && email == u.GetEmail() { |
| 122 | return u, nil |
| 123 | } |
| 124 | } |
| 125 | |
| 126 | return nil, status.Errorf(codes.PermissionDenied, "User is not part of the authorized users list.") |
| 127 | } |
| 128 | |
| 129 | func userHasAccessLevel(requiredLevel pb.KillSwitchAuthorizedUser_AccessLevel, user *pb.KillSwitchAuthorizedUser) bool { |
| 130 | return requiredLevel <= user.GetAccessLevel() |
| 131 | } |
| 132 | |
| 133 | func errorWhenMissingAccess(requiredLevel pb.KillSwitchAuthorizedUser_AccessLevel, user *pb.KillSwitchAuthorizedUser) error { |
| 134 | if userHasAccessLevel(requiredLevel, user) { |
| 135 | return nil |
| 136 | } |
| 137 | |
| 138 | return status.Errorf(codes.PermissionDenied, "User has lower access level than the action that they are trying to perform.") |
| 139 | } |
| 140 | |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 141 | func (s *killSwitchServiceServer) GetKillSwitchStatus(ctx context.Context, req *pb.GetKillSwitchStatusRequest) (*pb.GetKillSwitchStatusResponse, error) { |
| 142 | return nil, status.Errorf(codes.Unimplemented, "Unimplemented method.") |
| 143 | } |
| 144 | |
| 145 | func (s *killSwitchServiceServer) GetKillSwitchOverview(ctx context.Context, req *pb.GetKillSwitchOverviewRequest) (*pb.GetKillSwitchOverviewResponse, error) { |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 146 | killSwitches, err := db.ListKillSwitches(s.dbPool, ctx) |
| 147 | if err != nil { |
| 148 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 149 | } |
| 150 | res := &pb.GetKillSwitchOverviewResponse{ |
| 151 | KillSwitches: killSwitches, |
| 152 | } |
| 153 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 154 | } |
| 155 | |
| 156 | func (s *killSwitchServiceServer) SyncFeatures(ctx context.Context, req *pb.SyncFeaturesRequest) (*pb.SyncFeaturesResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 157 | // This method requires authentication |
| 158 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 159 | if err != nil { |
| 160 | return nil, err |
| 161 | } |
| 162 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser) |
| 163 | if err != nil { |
| 164 | return nil, err |
| 165 | } |
| 166 | |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 167 | log.Println("Syncing features...") |
| 168 | |
| 169 | for _, feature := range req.Features { |
| 170 | existingFeature, err := db.GetFeatureByCodename(s.dbPool, ctx, feature.Codename) |
| 171 | if err != nil { |
| 172 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 173 | } |
| 174 | // If the feature didn't exist in the db, add it. Otherwise, update it if applicable. |
| 175 | if existingFeature == nil { |
| 176 | if err := db.AddFeature(s.dbPool, ctx, feature); err != nil { |
| 177 | return nil, status.Error(codes.Unavailable, err.Error()) |
| 178 | } |
| 179 | } else { |
| 180 | canonicalExistingFeature := *existingFeature |
| 181 | canonicalExistingFeature.Id = 0 |
| 182 | if !proto.Equal(&canonicalExistingFeature, feature) { |
| 183 | if err := db.UpdateFeature(s.dbPool, ctx, existingFeature.Id, feature); err != nil { |
| 184 | return nil, status.Error(codes.Unavailable, err.Error()) |
| 185 | } |
| 186 | } |
| 187 | } |
| 188 | } |
| 189 | |
| 190 | res := &pb.SyncFeaturesResponse{} |
| 191 | return res, nil |
| 192 | } |
| 193 | |
| 194 | func (s *killSwitchServiceServer) ListFeatures(ctx context.Context, req *pb.ListFeaturesRequest) (*pb.ListFeaturesResponse, error) { |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 195 | features, err := db.ListFeatures(s.dbPool, ctx, req.WithDeprecatedFeatures) |
| 196 | if err != nil { |
| 197 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 198 | } |
| 199 | res := &pb.ListFeaturesResponse{ |
| 200 | Features: features, |
| 201 | } |
| 202 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 203 | } |
| 204 | |
| 205 | func (s *killSwitchServiceServer) EnableKillSwitch(ctx context.Context, req *pb.EnableKillSwitchRequest) (*pb.EnableKillSwitchResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 206 | // This method requires authentication |
| 207 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 208 | if err != nil { |
| 209 | return nil, err |
| 210 | } |
| 211 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser) |
| 212 | if err != nil { |
| 213 | return nil, err |
| 214 | } |
| 215 | |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 216 | if req.GetKillSwitch().GetFeature().GetId() == 0 { |
| 217 | return nil, status.Errorf(codes.InvalidArgument, "feature.id must be set.") |
| 218 | } |
| 219 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 220 | err = db.EnableKillSwitch(s.dbPool, ctx, req.KillSwitch, authenticatedUser) |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 221 | if err != nil { |
| 222 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 223 | } |
| 224 | res := &pb.EnableKillSwitchResponse{} |
| 225 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 226 | } |
| 227 | |
| 228 | func (s *killSwitchServiceServer) DisableKillSwitch(ctx context.Context, req *pb.DisableKillSwitchRequest) (*pb.DisableKillSwitchResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 229 | // This method requires authentication |
| 230 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 231 | if err != nil { |
| 232 | return nil, err |
| 233 | } |
| 234 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser) |
| 235 | if err != nil { |
| 236 | return nil, err |
| 237 | } |
| 238 | |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 239 | if req.GetKillSwitchId() == 0 { |
| 240 | return nil, status.Errorf(codes.InvalidArgument, "kill_switch_id must be set.") |
| 241 | } |
| 242 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 243 | err = db.DisableKillSwitch(s.dbPool, ctx, req.KillSwitchId, authenticatedUser) |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 244 | if err != nil { |
| 245 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 246 | } |
| 247 | res := &pb.DisableKillSwitchResponse{} |
| 248 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 249 | } |
| 250 | |
| 251 | func (s *killSwitchServiceServer) ListAuthorizedUsers(ctx context.Context, req *pb.ListAuthorizedUsersRequest) (*pb.ListAuthorizedUsersResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 252 | // This method requires authentication |
| 253 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 254 | if err != nil { |
| 255 | return nil, err |
| 256 | } |
| 257 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ACTIVATOR, authenticatedUser) |
| 258 | if err != nil { |
| 259 | return nil, err |
| 260 | } |
| 261 | |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 262 | users, err := db.ListAuthorizedUsers(s.dbPool, ctx) |
| 263 | if err != nil { |
| 264 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 265 | } |
| 266 | res := &pb.ListAuthorizedUsersResponse{ |
| 267 | Users: users, |
| 268 | } |
| 269 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 270 | } |
| 271 | |
| 272 | func (s *killSwitchServiceServer) AddAuthorizedUser(ctx context.Context, req *pb.AddAuthorizedUserRequest) (*pb.AddAuthorizedUserResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 273 | // This method requires authentication |
| 274 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 275 | if err != nil { |
| 276 | return nil, err |
| 277 | } |
| 278 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser) |
| 279 | if err != nil { |
| 280 | return nil, err |
| 281 | } |
| 282 | |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 283 | if req.GetUser().GetGoogleUid() == "" && req.GetUser().GetEmail() == "" { |
| 284 | return nil, status.Errorf(codes.InvalidArgument, "At least one of google_uid or email must be set.") |
| 285 | } |
| 286 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 287 | err = db.AddAuthorizedUser(s.dbPool, ctx, req.User, authenticatedUser) |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 288 | if err != nil { |
| 289 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 290 | } |
| 291 | res := &pb.AddAuthorizedUserResponse{} |
| 292 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 293 | } |
| 294 | |
| 295 | func (s *killSwitchServiceServer) UpdateAuthorizedUser(ctx context.Context, req *pb.UpdateAuthorizedUserRequest) (*pb.UpdateAuthorizedUserResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 296 | // This method requires authentication |
| 297 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 298 | if err != nil { |
| 299 | return nil, err |
| 300 | } |
| 301 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser) |
| 302 | if err != nil { |
| 303 | return nil, err |
| 304 | } |
| 305 | |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 306 | if req.GetUserId() == 0 { |
| 307 | return nil, status.Errorf(codes.InvalidArgument, "user_id must be greater than 0.") |
| 308 | } |
| 309 | |
| 310 | if req.GetUser().GetGoogleUid() == "" && req.GetUser().GetEmail() == "" { |
| 311 | return nil, status.Errorf(codes.InvalidArgument, "At least one of google_uid or email must be set.") |
| 312 | } |
| 313 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 314 | err = db.UpdateAuthorizedUser(s.dbPool, ctx, req.UserId, req.User, authenticatedUser) |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 315 | if err != nil { |
| 316 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 317 | } |
| 318 | res := &pb.UpdateAuthorizedUserResponse{} |
| 319 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 320 | } |
| 321 | |
| 322 | func (s *killSwitchServiceServer) DeleteAuthorizedUser(ctx context.Context, req *pb.DeleteAuthorizedUserRequest) (*pb.DeleteAuthorizedUserResponse, error) { |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 323 | // This method requires authentication |
| 324 | authenticatedUser, err := getAuthenticatedUser(s, ctx) |
| 325 | if err != nil { |
| 326 | return nil, err |
| 327 | } |
| 328 | err = errorWhenMissingAccess(pb.KillSwitchAuthorizedUser_ACCESS_LEVEL_ADMIN, authenticatedUser) |
| 329 | if err != nil { |
| 330 | return nil, err |
| 331 | } |
| 332 | |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 333 | if req.GetUserId() == 0 { |
| 334 | return nil, status.Errorf(codes.InvalidArgument, "user_id must be greater than 0.") |
| 335 | } |
| 336 | |
Adrià Vilanova Martínez | c147b6a | 2021-09-01 17:25:38 +0200 | [diff] [blame^] | 337 | err = db.DeleteAuthorizedUser(s.dbPool, ctx, req.UserId, authenticatedUser) |
Adrià Vilanova Martínez | 25e1211 | 2021-08-25 13:48:06 +0200 | [diff] [blame] | 338 | if err != nil { |
| 339 | return nil, status.Errorf(codes.Unavailable, err.Error()) |
| 340 | } |
| 341 | res := &pb.DeleteAuthorizedUserResponse{} |
| 342 | return res, nil |
avm99963 | 83f8f29 | 2021-08-24 18:26:52 +0200 | [diff] [blame] | 343 | } |
| 344 | |
| 345 | func main() { |
| 346 | flag.Parse() |
| 347 | |
| 348 | lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", *port)) |
| 349 | if err != nil { |
| 350 | log.Fatalf("Failed to listen: %v", err) |
| 351 | } |
| 352 | |
| 353 | grpcServer := grpc.NewServer() |
| 354 | pb.RegisterKillSwitchServiceServer(grpcServer, newKillSwitchServiceServer()) |
| 355 | // Register reflection service on gRPC server. |
| 356 | reflection.Register(grpcServer) |
| 357 | grpcServer.Serve(lis) |
| 358 | } |