Class DefaultAssertionValidationContextBuilder
- java.lang.Object
-
- org.opensaml.saml.saml2.profile.impl.DefaultAssertionValidationContextBuilder
-
- All Implemented Interfaces:
Function<ValidateAssertions.AssertionValidationInput,ValidationContext>
public class DefaultAssertionValidationContextBuilder extends Object implements Function<ValidateAssertions.AssertionValidationInput,ValidationContext>
Function which implements default behavior for building an instance ofValidationContextfrom an instance ofValidateAssertions.AssertionValidationInput.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classDefaultAssertionValidationContextBuilder.DefaultValidInResponseToLookupFunctionDefault strategy for resolving the valid InResponseTo value.static classDefaultAssertionValidationContextBuilder.DefaultValidIssuersLookupFunctionDefault strategy for resolving the valid Issuers.
-
Field Summary
Fields Modifier and Type Field Description private Function<ProfileRequestContext,Set<String>>additionalAudiencesFunction for determining additional valid audience values.private Predicate<ProfileRequestContext>addressRequiredPredicate for determining whether an Assertion SubjectConfirmationData Address is required.private Predicate<ProfileRequestContext>checkAddressPredicate for determining whether an Assertion's network address(es) should be checked.private Predicate<ProfileRequestContext>includeSelfEntityIDAsRecipientPredicate for determining whether to include the self entityID as a valid Recipient.private Function<ProfileRequestContext,String>inResponseToFunction for determining the valid InResponseTo value.private Predicate<ProfileRequestContext>inResponseToRequiredPredicate for determining whether an Assertion SubjectConfirmationData InResponseTo is required.private org.slf4j.LoggerlogLogger.private Function<ProfileRequestContext,Duration>maximumTimeSinceAuthnFunction for determining the max allowed time since authentication.private Predicate<ProfileRequestContext>notBeforeRequiredPredicate for determining whether an Assertion SubjectConfirmationData NotBefore is required.private Predicate<ProfileRequestContext>notOnOrAfterRequiredPredicate for determining whether an Assertion SubjectConfirmationData NotOnOrAfter is required.private Predicate<ProfileRequestContext>recipientRequiredPredicate for determining whether an Assertion SubjectConfirmationData Recipient is required.private Set<QName>requiredConditionsThe set of required Conditions.private Function<ProfileRequestContext,SecurityParametersContext>securityParametersLookupStrategyResolver for security parameters context.private Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet>signatureCriteriaSetFunctionA function for resolving the signature validation CriteriaSet for a particular function.private Predicate<ProfileRequestContext>signatureRequiredPredicate for determining whether an Assertion signature is required.private Function<ProfileRequestContext,Set<String>>validIssuersFunction for determining additional valid Issuer values.
-
Constructor Summary
Constructors Constructor Description DefaultAssertionValidationContextBuilder()Constructor.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description ValidationContextapply(ValidateAssertions.AssertionValidationInput input)protected Map<String,Object>buildStaticParameters(ValidateAssertions.AssertionValidationInput input)Build the static parameters map for input to theValidationContext.Function<ProfileRequestContext,Set<String>>getAdditionalAudiences()Get the function for determining additional audience values.Predicate<ProfileRequestContext>getAddressRequired()Get the predicate which determines whether an Assertion SubjectConfirmationData Address is required.protected X509CertificategetAttesterCertificate(ValidateAssertions.AssertionValidationInput input)Get the attesting entity'sX509Certificate.protected StringgetAttesterIPAddress(ValidateAssertions.AssertionValidationInput input)Get the attester's IP address.protected PublicKeygetAttesterPublicKey(ValidateAssertions.AssertionValidationInput input)Get the attesting entity'sPublicKey.Predicate<ProfileRequestContext>getCheckAddress()Get the predicate which determines whether an Assertion's network address(es) should be checked.Predicate<ProfileRequestContext>getIncludeSelfEntityIDAsRecipient()Get the predicate which determines whether to include the self entityID as a valid Recipient.Function<ProfileRequestContext,String>getInResponseTo()Get the function for determining the valid InResponseTo.Predicate<ProfileRequestContext>getInResponseToRequired()Get the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.Function<ProfileRequestContext,Duration>getMaximumTimeSinceAuthn()Get the function for determining the max allowed time since authentication.Predicate<ProfileRequestContext>getNotBeforeRequired()Get the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.Predicate<ProfileRequestContext>getNotOnOrAfterRequired()Get the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.Predicate<ProfileRequestContext>getRecipientRequired()Get the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.Set<QName>getRequiredConditions()Get the set of required Conditions.protected Set<QName>getRequiredConditions(ValidateAssertions.AssertionValidationInput input)Get the set of required Conditions.Function<ProfileRequestContext,SecurityParametersContext>getSecurityParametersLookupStrategy()Get the strategy by which to resolve aSecurityParametersContext.protected StringgetSelfEntityID(ValidateAssertions.AssertionValidationInput input)Get the self entityID.protected CriteriaSetgetSignatureCriteriaSet(ValidateAssertions.AssertionValidationInput input)Get the signature validation criteria set.Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet>getSignatureCriteriaSetFunction()Get the function for resolving the signature validation CriteriaSet for a particular function.Predicate<ProfileRequestContext>getSignatureRequired()Get the predicate which determines whether an Assertion signature is required.protected Set<InetAddress>getValidAddresses(ValidateAssertions.AssertionValidationInput input)Get the set of addresses which are valid for subject confirmation.protected Set<String>getValidAudiences(ValidateAssertions.AssertionValidationInput input)Get the valid audiences for attestation.Function<ProfileRequestContext,Set<String>>getValidIssuers()Get the function for determining the valid Issuer valuesprotected Set<String>getValidRecipients(ValidateAssertions.AssertionValidationInput input)Get the valid recipient endpoints for attestation.private voidpopulateConditionsParameters(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input)Populate the static Conditions parameters.protected voidpopulateSignatureCriteriaFromInboundContext(CriteriaSet criteriaSet, MessageContext inboundContext)Populate signature criteria from the specifiedMessageContext.private voidpopulateSignatureParameters(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input)Populate the static signature parameters.private voidpopulateStatementParams(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input, Set<InetAddress> validAddresses, Boolean checkAddressEnabled)Populate the static Statement params.private voidpopulateSubjectConfirmationParameters(Map<String,Object> staticParams, ValidateAssertions.AssertionValidationInput input, Set<InetAddress> validAddresses, Boolean checkAddressEnabled)Populate the static SubjectConfirmation parameters.voidsetAdditionalAudiences(Function<ProfileRequestContext,Set<String>> function)Set the function for determining additional audience values.voidsetAddressRequired(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData Address is required.voidsetCheckAddress(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion's network address(es) should be checked.voidsetIncludeSelfEntityIDAsRecipient(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether to include the self entityID as a valid Recipient.voidsetInResponseTo(Function<ProfileRequestContext,String> function)Set the function for determining the valid InResponseTo.voidsetInResponseToRequired(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.voidsetMaximumTimeSinceAuthn(Function<ProfileRequestContext,Duration> function)Set the function for determining the max allowed time since authentication.voidsetNotBeforeRequired(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.voidsetNotOnOrAfterRequired(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.voidsetRecipientRequired(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.voidsetRequiredConditions(Set<QName> conditions)Set the set of required Conditions.voidsetSecurityParametersLookupStrategy(Function<ProfileRequestContext,SecurityParametersContext> strategy)Set the strategy by which to resolve aSecurityParametersContext.voidsetSignatureCriteriaSetFunction(Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> function)Set the function for resolving the signature validation CriteriaSet for a particular function.voidsetSignatureRequired(Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion signature is required.voidsetValidIssuers(Function<ProfileRequestContext,Set<String>> function)Set the function for determining the valid Issuer values
-
-
-
Field Detail
-
log
@Nullable private org.slf4j.Logger log
Logger.
-
signatureCriteriaSetFunction
private Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> signatureCriteriaSetFunction
A function for resolving the signature validation CriteriaSet for a particular function.
-
signatureRequired
private Predicate<ProfileRequestContext> signatureRequired
Predicate for determining whether an Assertion signature is required.
-
checkAddress
private Predicate<ProfileRequestContext> checkAddress
Predicate for determining whether an Assertion's network address(es) should be checked.
-
maximumTimeSinceAuthn
private Function<ProfileRequestContext,Duration> maximumTimeSinceAuthn
Function for determining the max allowed time since authentication.
-
includeSelfEntityIDAsRecipient
private Predicate<ProfileRequestContext> includeSelfEntityIDAsRecipient
Predicate for determining whether to include the self entityID as a valid Recipient.
-
additionalAudiences
private Function<ProfileRequestContext,Set<String>> additionalAudiences
Function for determining additional valid audience values.
-
validIssuers
private Function<ProfileRequestContext,Set<String>> validIssuers
Function for determining additional valid Issuer values.
-
inResponseTo
private Function<ProfileRequestContext,String> inResponseTo
Function for determining the valid InResponseTo value.
-
inResponseToRequired
private Predicate<ProfileRequestContext> inResponseToRequired
Predicate for determining whether an Assertion SubjectConfirmationData InResponseTo is required.
-
recipientRequired
private Predicate<ProfileRequestContext> recipientRequired
Predicate for determining whether an Assertion SubjectConfirmationData Recipient is required.
-
notBeforeRequired
private Predicate<ProfileRequestContext> notBeforeRequired
Predicate for determining whether an Assertion SubjectConfirmationData NotBefore is required.
-
notOnOrAfterRequired
private Predicate<ProfileRequestContext> notOnOrAfterRequired
Predicate for determining whether an Assertion SubjectConfirmationData NotOnOrAfter is required.
-
addressRequired
private Predicate<ProfileRequestContext> addressRequired
Predicate for determining whether an Assertion SubjectConfirmationData Address is required.
-
securityParametersLookupStrategy
private Function<ProfileRequestContext,SecurityParametersContext> securityParametersLookupStrategy
Resolver for security parameters context.
-
-
Method Detail
-
getSecurityParametersLookupStrategy
@Nonnull public Function<ProfileRequestContext,SecurityParametersContext> getSecurityParametersLookupStrategy()
Get the strategy by which to resolve aSecurityParametersContext.- Returns:
- the lookup strategy
-
setSecurityParametersLookupStrategy
public void setSecurityParametersLookupStrategy(@Nonnull Function<ProfileRequestContext,SecurityParametersContext> strategy)Set the strategy by which to resolve aSecurityParametersContext.- Parameters:
strategy- the strategy function
-
getRequiredConditions
@Nonnull public Set<QName> getRequiredConditions()
Get the set of required Conditions.- Returns:
- the required conditions, may be null
-
setRequiredConditions
public void setRequiredConditions(@Nullable Set<QName> conditions)Set the set of required Conditions.- Parameters:
conditions- the required conditions
-
getIncludeSelfEntityIDAsRecipient
public Predicate<ProfileRequestContext> getIncludeSelfEntityIDAsRecipient()
Get the predicate which determines whether to include the self entityID as a valid Recipient.Defaults to an always false predicate;
- Returns:
- the predicate
-
setIncludeSelfEntityIDAsRecipient
public void setIncludeSelfEntityIDAsRecipient(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether to include the self entityID as a valid Recipient.Defaults to an always false predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getSignatureRequired
public Predicate<ProfileRequestContext> getSignatureRequired()
Get the predicate which determines whether an Assertion signature is required.Defaults to an always true predicate;
- Returns:
- the predicate
-
setSignatureRequired
public void setSignatureRequired(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion signature is required.Defaults to an always true predicate.
- Parameters:
predicate- the predicate, must be non-null
-
setInResponseTo
public void setInResponseTo(@Nonnull Function<ProfileRequestContext,String> function)Set the function for determining the valid InResponseTo.Defaults to null.
- Parameters:
function- the function, may be null
-
getInResponseTo
public Function<ProfileRequestContext,String> getInResponseTo()
Get the function for determining the valid InResponseTo.Defaults to null.
- Returns:
- the function
-
getInResponseToRequired
public Predicate<ProfileRequestContext> getInResponseToRequired()
Get the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.Defaults to an always false predicate;
- Returns:
- the predicate
-
setInResponseToRequired
public void setInResponseToRequired(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData InResponseTo is required.Defaults to an always false predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getRecipientRequired
public Predicate<ProfileRequestContext> getRecipientRequired()
Get the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.Defaults to an always false predicate;
- Returns:
- the predicate
-
setRecipientRequired
public void setRecipientRequired(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData Recipient is required.Defaults to an always false predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getNotBeforeRequired
public Predicate<ProfileRequestContext> getNotBeforeRequired()
Get the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.Defaults to an always false predicate;
- Returns:
- the predicate
-
setNotBeforeRequired
public void setNotBeforeRequired(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData NotBefore is required.Defaults to an always false predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getNotOnOrAfterRequired
public Predicate<ProfileRequestContext> getNotOnOrAfterRequired()
Get the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.Defaults to an always false predicate;
- Returns:
- the predicate
-
setNotOnOrAfterRequired
public void setNotOnOrAfterRequired(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData NotOnOrAfter is required.Defaults to an always false predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getAddressRequired
public Predicate<ProfileRequestContext> getAddressRequired()
Get the predicate which determines whether an Assertion SubjectConfirmationData Address is required.Defaults to an always false predicate;
- Returns:
- the predicate
-
setAddressRequired
public void setAddressRequired(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion SubjectConfirmationData Address is required.Defaults to an always false predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getCheckAddress
public Predicate<ProfileRequestContext> getCheckAddress()
Get the predicate which determines whether an Assertion's network address(es) should be checked.Defaults to an always true predicate;
- Returns:
- the predicate
-
setCheckAddress
public void setCheckAddress(@Nonnull Predicate<ProfileRequestContext> predicate)Set the predicate which determines whether an Assertion's network address(es) should be checked.Defaults to an always true predicate.
- Parameters:
predicate- the predicate, must be non-null
-
getAdditionalAudiences
public Function<ProfileRequestContext,Set<String>> getAdditionalAudiences()
Get the function for determining additional audience values.Defaults to null.
- Returns:
- the function
-
setAdditionalAudiences
public void setAdditionalAudiences(@Nonnull Function<ProfileRequestContext,Set<String>> function)Set the function for determining additional audience values.Defaults to null.
- Parameters:
function- the function, may be null
-
getValidIssuers
public Function<ProfileRequestContext,Set<String>> getValidIssuers()
Get the function for determining the valid Issuer valuesDefaults to an implementation which resolves the outbound SAML peer entityID.
- Returns:
- the function
-
setValidIssuers
public void setValidIssuers(@Nonnull Function<ProfileRequestContext,Set<String>> function)Set the function for determining the valid Issuer valuesDefaults to an implementation which resolves the outbound SAML peer entityID.
- Parameters:
function- the function, may be null
-
getMaximumTimeSinceAuthn
public Function<ProfileRequestContext,Duration> getMaximumTimeSinceAuthn()
Get the function for determining the max allowed time since authentication.Defaults to null.
- Returns:
- the function
-
setMaximumTimeSinceAuthn
public void setMaximumTimeSinceAuthn(@Nonnull Function<ProfileRequestContext,Duration> function)Set the function for determining the max allowed time since authentication.Defaults to null.
- Parameters:
function- the function, may be null
-
getSignatureCriteriaSetFunction
@Nullable public Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> getSignatureCriteriaSetFunction()
Get the function for resolving the signature validation CriteriaSet for a particular function.Defaults to:
null.- Returns:
- a criteria set instance, or null
-
setSignatureCriteriaSetFunction
public void setSignatureCriteriaSetFunction(@Nullable Function<Pair<ProfileRequestContext,Assertion>,CriteriaSet> function)Set the function for resolving the signature validation CriteriaSet for a particular function.Defaults to:
null.- Parameters:
function- the resolving function, may be null
-
apply
@Nullable public ValidationContext apply(@Nullable ValidateAssertions.AssertionValidationInput input)
- Specified by:
applyin interfaceFunction<ValidateAssertions.AssertionValidationInput,ValidationContext>
-
buildStaticParameters
@Nonnull protected Map<String,Object> buildStaticParameters(@Nonnull ValidateAssertions.AssertionValidationInput input)
Build the static parameters map for input to theValidationContext.- Parameters:
input- the assertion validation input- Returns:
- the static parameters map
-
populateSignatureParameters
private void populateSignatureParameters(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input)Populate the static signature parameters.- Parameters:
staticParams- the parameters being populatedinput- validation input
-
populateConditionsParameters
private void populateConditionsParameters(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input)Populate the static Conditions parameters.- Parameters:
staticParams- the parameters being populatedinput- validation input
-
populateSubjectConfirmationParameters
private void populateSubjectConfirmationParameters(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input, @Nonnull Set<InetAddress> validAddresses, @Nonnull Boolean checkAddressEnabled)Populate the static SubjectConfirmation parameters.- Parameters:
staticParams- the parameters being populatedinput- validation inputvalidAddresses- the valid addressescheckAddressEnabled- whether address checking is enabled
-
populateStatementParams
private void populateStatementParams(@Nonnull Map<String,Object> staticParams, @Nonnull ValidateAssertions.AssertionValidationInput input, @Nonnull Set<InetAddress> validAddresses, @Nonnull Boolean checkAddressEnabled)Populate the static Statement params.- Parameters:
staticParams- the parameters being populatedinput- validation inputvalidAddresses- the valid addressescheckAddressEnabled- whether address checking is enabled
-
getRequiredConditions
@Nonnull protected Set<QName> getRequiredConditions(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the set of required Conditions.The default behavior is to return the locally-configured data via
getRequiredConditions().- Parameters:
input- the assertion validation input- Returns:
- the set of required Condition names, may be null
-
getSignatureCriteriaSet
@Nonnull protected CriteriaSet getSignatureCriteriaSet(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the signature validation criteria set.This implementation first evaluates the result of applying the function
getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce anEntityIdCriterion, one is added based on the issuer of theAssertion. If that evaluation did not produce an instance ofUsageCriterion, one is added with the value ofUsageType.SIGNING.Finally the following criteria are added if not already present and if the corresponding data is available in the inbound
MessageContext:- Parameters:
input- the assertion validation input- Returns:
- the criteria set based on the message context data
-
populateSignatureCriteriaFromInboundContext
protected void populateSignatureCriteriaFromInboundContext(@Nonnull CriteriaSet criteriaSet, @Nonnull MessageContext inboundContext)Populate signature criteria from the specifiedMessageContext.- Parameters:
criteriaSet- the criteria set to populateinboundContext- the inbound message context
-
getAttesterCertificate
@Nullable protected X509Certificate getAttesterCertificate(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the attesting entity'sX509Certificate.This implementation returns the client TLS certificate present in the
HttpServletRequest, or null if one is not present.- Parameters:
input- the assertion validation input- Returns:
- the entity certificate, or null
-
getAttesterPublicKey
@Nullable protected PublicKey getAttesterPublicKey(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the attesting entity'sPublicKey.This implementation returns null. Subclasses should override to implement specific logic.
- Parameters:
input- the assertion validation input- Returns:
- the entity public key, or null
-
getValidRecipients
@Nonnull protected Set<String> getValidRecipients(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the valid recipient endpoints for attestation.This implementation returns a set containing the 2 values;
-
the result of evaluating
SAMLBindingSupport.getActualReceiverEndpointURI(MessageContext, javax.servlet.http.HttpServletRequest) -
if enabled via the eval of
getIncludeSelfEntityIDAsRecipient(), the value from evaluatinggetSelfEntityID(AssertionValidationInput)if non-null
- Parameters:
input- the assertion validation input- Returns:
- set of recipient endpoint URI's
-
the result of evaluating
-
getValidAddresses
@Nonnull protected Set<InetAddress> getValidAddresses(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the set of addresses which are valid for subject confirmation.This implementation simply returns the set based on
getAttesterIPAddress(AssertionValidationInput), if that produces a value. Otherwise an empty set is returned.- Parameters:
input- the assertion validation input- Returns:
- the set of valid addresses
-
getAttesterIPAddress
@Nonnull protected String getAttesterIPAddress(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the attester's IP address.This implementation returns the value of
ServletRequest.getRemoteAddr().- Parameters:
input- the assertion validation input- Returns:
- the IP address of the attester
-
getValidAudiences
@Nonnull protected Set<String> getValidAudiences(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the valid audiences for attestation.This implementation returns a set containing the union of:
- the result of
getSelfEntityID(AssertionValidationInput), if non-null - the result of evaluating
getAdditionalAudiences(), if non-null
- Parameters:
input- the assertion validation input- Returns:
- set of audience URI's
- the result of
-
getSelfEntityID
@Nullable protected String getSelfEntityID(@Nonnull ValidateAssertions.AssertionValidationInput input)
Get the self entityID.- Parameters:
input- the assertion validation input- Returns:
- the self entityID, or null if could not be resolved
-
-