fleet/server/mdm/microsoft/microsoft_mdm.go

package microsoft_mdm

import (
	"crypto/x509"
	"encoding/base64"

	"github.com/fleetdm/fleet/v4/server/mdm/internal/commonmdm"
	"go.mozilla.org/pkcs7"
)

const (
	// MDMPath is Fleet's HTTP path for the core Windows MDM service.
	MDMPath = "/api/mdm/microsoft"

	// DiscoveryPath is the HTTP endpoint path that serves the IDiscoveryService functionality.
	// This is the endpoint that process the Discover and DiscoverResponse messages
	// See the section 3.1 on the MS-MDE2 specification for more details:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/2681fd76-1997-4557-8963-cf656ab8d887
	MDE2DiscoveryPath = MDMPath + "/discovery"

	// AuthPath is the HTTP endpoint path that delivers the Security Token Servicefunctionality.
	// The MS-MDE2 protocol is agnostic to the token format and value returned by this endpoint.
	// See the section 3.2 on the MS-MDE2 specification for more details:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a
	MDE2AuthPath = MDMPath + "/auth"

	// MDE2PolicyPath is the HTTP endpoint path that delivers the X.509 Certificate Enrollment Policy (MS-XCEP) functionality.
	// This is the endpoint that process the GetPolicies and GetPoliciesResponse messages
	// See the section 3.3 on the MS-MDE2 specification for more details on this endpoint requirements:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/8a5efdf8-64a9-44fd-ab63-071a26c9f2dc
	// The MS-XCEP specification is available here:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210
	MDE2PolicyPath = MDMPath + "/policy"

	// MDE2EnrollPath is the HTTP endpoint path that delivers WS-Trust X.509v3 Token Enrollment (MS-WSTEP) functionality.
	// This is the endpoint that process the RequestSecurityToken and RequestSecurityTokenResponseCollection messages
	// See the section 3.4 on the MS-MDE2 specification for more details on this endpoint requirements:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/5b02c625-ced2-4a01-a8e1-da0ae84f5bb7
	// The MS-WSTEP specification is available here:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea
	MDE2EnrollPath = MDMPath + "/enroll"

	// MDE2ManagementPath is the HTTP endpoint path that delivers WS-Trust X.509v3 Token Enrollment (MS-WSTEP) functionality.
	// This is the endpoint that process the RequestSecurityToken and RequestSecurityTokenResponseCollection messages
	// See the section 3.4 on the MS-MDE2 specification for more details:
	// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/5b02c625-ced2-4a01-a8e1-da0ae84f5bb7
	MDE2ManagementPath = MDMPath + "/management"

	// MDE2TOSPath is the HTTP endpoint path that delivers Terms of Service Content
	MDE2TOSPath = MDMPath + "/tos"

	// These are the entry points for the Microsoft Device Enrollment (MS-MDE) and Microsoft Device Enrollment v2 (MS-MDE2) protocols.
	// These are required to be implemented by the MDM server to support user-driven enrollments
	MSEnrollEntryPoint = "/EnrollmentServer/Discovery.svc"
	MSManageEntryPoint = "/ManagementServer/MDM.svc"
)

// Device Enrolled States

const (
	// Device is not yet MDM enrolled
	MDMDeviceStateNotEnrolled = "MDMDeviceEnrolledNotEnrolled"

	// Device is MDM enrolled
	MDMDeviceStateEnrolled = "MDMDeviceEnrolledEnrolled"

	// Device is MDM enrolled and managed
	/* #nosec G101 -- this constant doesn't contain any credentials */
	MDMDeviceStateManaged = "MDMDeviceEnrolledManaged"
)

func ResolveWindowsMDMDiscovery(serverURL string) (string, error) {
	return commonmdm.ResolveURL(serverURL, MDE2DiscoveryPath, false)
}

func ResolveWindowsMDMPolicy(serverURL string) (string, error) {
	return commonmdm.ResolveURL(serverURL, MDE2PolicyPath, false)
}

func ResolveWindowsMDMEnroll(serverURL string) (string, error) {
	return commonmdm.ResolveURL(serverURL, MDE2EnrollPath, false)
}

func ResolveWindowsMDMAuth(serverURL string) (string, error) {
	return commonmdm.ResolveURL(serverURL, MDE2AuthPath, false)
}

func ResolveWindowsMDMManagement(serverURL string) (string, error) {
	return commonmdm.ResolveURL(serverURL, MDE2ManagementPath, false)
}

// Encrypt uses pkcs7 to encrypt a raw value using the provided certificate.
// The returned encrypted value is base64-encoded.
func Encrypt(rawValue string, cert *x509.Certificate) (string, error) {
	encrypted, err := pkcs7.Encrypt([]byte(rawValue), []*x509.Certificate{cert})
	if err != nil {
		return "", err
	}
	b64Enc := base64.StdEncoding.EncodeToString(encrypted)
	return b64Enc, nil
}
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`package microsoft_mdm`

Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`import (`
Merging Bitlocker feature branch (#14350) This relates to #12577 --------- Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> 2023-10-06 22:04:33 +00:00			`"crypto/x509"`
			`"encoding/base64"`

Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`"github.com/fleetdm/fleet/v4/server/mdm/internal/commonmdm"`
Merging Bitlocker feature branch (#14350) This relates to #12577 --------- Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> 2023-10-06 22:04:33 +00:00			`"go.mozilla.org/pkcs7"`
Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`)`
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00
			`const (`
Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`// MDMPath is Fleet's HTTP path for the core Windows MDM service.`
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`MDMPath = "/api/mdm/microsoft"`

			`// DiscoveryPath is the HTTP endpoint path that serves the IDiscoveryService functionality.`
			`// This is the endpoint that process the Discover and DiscoverResponse messages`
			`// See the section 3.1 on the MS-MDE2 specification for more details:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/2681fd76-1997-4557-8963-cf656ab8d887`
			`MDE2DiscoveryPath = MDMPath + "/discovery"`

12613 Azure AD JWT Auth token support (#12817) This PR adds support to parse Azure JWT tokens, and it also adds the STS endpoint ([Section 3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a) on the MS-MDE2 spec) This relates to #12614 and #12613 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-07-19 16:30:24 +00:00			`// AuthPath is the HTTP endpoint path that delivers the Security Token Servicefunctionality.`
			`// The MS-MDE2 protocol is agnostic to the token format and value returned by this endpoint.`
			`// See the section 3.2 on the MS-MDE2 specification for more details:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a`
			`MDE2AuthPath = MDMPath + "/auth"`

Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`// MDE2PolicyPath is the HTTP endpoint path that delivers the X.509 Certificate Enrollment Policy (MS-XCEP) functionality.`
			`// This is the endpoint that process the GetPolicies and GetPoliciesResponse messages`
			`// See the section 3.3 on the MS-MDE2 specification for more details on this endpoint requirements:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/8a5efdf8-64a9-44fd-ab63-071a26c9f2dc`
			`// The MS-XCEP specification is available here:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210`
			`MDE2PolicyPath = MDMPath + "/policy"`

			`// MDE2EnrollPath is the HTTP endpoint path that delivers WS-Trust X.509v3 Token Enrollment (MS-WSTEP) functionality.`
			`// This is the endpoint that process the RequestSecurityToken and RequestSecurityTokenResponseCollection messages`
			`// See the section 3.4 on the MS-MDE2 specification for more details on this endpoint requirements:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/5b02c625-ced2-4a01-a8e1-da0ae84f5bb7`
			`// The MS-WSTEP specification is available here:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea`
			`MDE2EnrollPath = MDMPath + "/enroll"`

			`// MDE2ManagementPath is the HTTP endpoint path that delivers WS-Trust X.509v3 Token Enrollment (MS-WSTEP) functionality.`
			`// This is the endpoint that process the RequestSecurityToken and RequestSecurityTokenResponseCollection messages`
			`// See the section 3.4 on the MS-MDE2 specification for more details:`
			`// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/5b02c625-ced2-4a01-a8e1-da0ae84f5bb7`
			`MDE2ManagementPath = MDMPath + "/management"`

Windows mdm TOS endpoint (#12900) This relates to https://github.com/fleetdm/fleet/issues/12604 and https://github.com/fleetdm/fleet/issues/12600 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-07-21 17:36:26 +00:00			`// MDE2TOSPath is the HTTP endpoint path that delivers Terms of Service Content`
			`MDE2TOSPath = MDMPath + "/tos"`

Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`// These are the entry points for the Microsoft Device Enrollment (MS-MDE) and Microsoft Device Enrollment v2 (MS-MDE2) protocols.`
			`// These are required to be implemented by the MDM server to support user-driven enrollments`
			`MSEnrollEntryPoint = "/EnrollmentServer/Discovery.svc"`
			`MSManageEntryPoint = "/ManagementServer/MDM.svc"`
			`)`

Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555) This relates to #12263 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests --------- Co-authored-by: Roberto Dip <me@roperzh.com> 2023-07-05 13:06:37 +00:00			`// Device Enrolled States`

			`const (`
			`// Device is not yet MDM enrolled`
			`MDMDeviceStateNotEnrolled = "MDMDeviceEnrolledNotEnrolled"`

			`// Device is MDM enrolled`
			`MDMDeviceStateEnrolled = "MDMDeviceEnrolledEnrolled"`

			`// Device is MDM enrolled and managed`
upgrade Go version to 1.21.1 (#13877) For #13715, this: - Upgrades the Go version to `1.21.1`, infrastructure changes are addressed separately at https://github.com/fleetdm/fleet/pull/13878 - Upgrades the linter version, as the current version doesn't work well after the Go upgrade - Fixes new linting errors (we now get errors for memory aliasing in loops! 🎉 ) After this is merged people will need to: 1. Update their Go version. I use `gvm` and I did it like: ``` $ gvm install go1.21.1 $ gvm use go1.21.1 --default ``` 2. Update the local version of `golangci-lint`: ``` $ go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2 ``` 3. (optional) depending on your setup, you might need to re-install some packages, for example: ``` # goimports to automatically import libraries $ go install golang.org/x/tools/cmd/goimports@latest # gopls for the language server $ go install golang.org/x/tools/gopls@latest # etc... ``` 2023-09-13 18:59:35 +00:00			`/* #nosec G101 -- this constant doesn't contain any credentials */`
Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555) This relates to #12263 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests --------- Co-authored-by: Roberto Dip <me@roperzh.com> 2023-07-05 13:06:37 +00:00			`MDMDeviceStateManaged = "MDMDeviceEnrolledManaged"`
			`)`

Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`func ResolveWindowsMDMDiscovery(serverURL string) (string, error) {`
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`return commonmdm.ResolveURL(serverURL, MDE2DiscoveryPath, false)`
			`}`

Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`func ResolveWindowsMDMPolicy(serverURL string) (string, error) {`
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`return commonmdm.ResolveURL(serverURL, MDE2PolicyPath, false)`
			`}`

Adding support for GetPolicies message (#12477) This relates to #12262 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-06-27 15:59:33 +00:00			`func ResolveWindowsMDMEnroll(serverURL string) (string, error) {`
Pushing initial support for MS-MDE2 Discovery message (#12387) This PR requires the Windows MDM configuration changes - This will be updated next week - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [x] Documented any permissions changes - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: 2023-06-22 20:31:17 +00:00			`return commonmdm.ResolveURL(serverURL, MDE2EnrollPath, false)`
			`}`
Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555) This relates to #12263 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests --------- Co-authored-by: Roberto Dip <me@roperzh.com> 2023-07-05 13:06:37 +00:00
12613 Azure AD JWT Auth token support (#12817) This PR adds support to parse Azure JWT tokens, and it also adds the STS endpoint ([Section 3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a) on the MS-MDE2 spec) This relates to #12614 and #12613 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality 2023-07-19 16:30:24 +00:00			`func ResolveWindowsMDMAuth(serverURL string) (string, error) {`
			`return commonmdm.ResolveURL(serverURL, MDE2AuthPath, false)`
			`}`

Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555) This relates to #12263 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests --------- Co-authored-by: Roberto Dip <me@roperzh.com> 2023-07-05 13:06:37 +00:00			`func ResolveWindowsMDMManagement(serverURL string) (string, error) {`
			`return commonmdm.ResolveURL(serverURL, MDE2ManagementPath, false)`
			`}`
Merging Bitlocker feature branch (#14350) This relates to #12577 --------- Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com> Co-authored-by: Roberto Dip <dip.jesusr@gmail.com> 2023-10-06 22:04:33 +00:00
			`// Encrypt uses pkcs7 to encrypt a raw value using the provided certificate.`
			`// The returned encrypted value is base64-encoded.`
			`func Encrypt(rawValue string, cert *x509.Certificate) (string, error) {`
			`encrypted, err := pkcs7.Encrypt([]byte(rawValue), []*x509.Certificate{cert})`
			`if err != nil {`
			`return "", err`
			`}`
			`b64Enc := base64.StdEncoding.EncodeToString(encrypted)`
			`return b64Enc, nil`
			`}`