1
0

OauthApiControllerTest.php 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
  4. *
  5. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  6. * @author Lukas Reschke <lukas@statuscode.ch>
  7. * @author Morris Jobke <hey@morrisjobke.de>
  8. * @author Roeland Jago Douma <roeland@famdouma.nl>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OCA\OAuth2\Tests\Controller;
  27. use OC\Authentication\Exceptions\ExpiredTokenException;
  28. use OC\Authentication\Exceptions\InvalidTokenException;
  29. use OC\Authentication\Token\IProvider as TokenProvider;
  30. use OC\Authentication\Token\PublicKeyToken;
  31. use OCA\OAuth2\Controller\OauthApiController;
  32. use OCA\OAuth2\Db\AccessToken;
  33. use OCA\OAuth2\Db\AccessTokenMapper;
  34. use OCA\OAuth2\Db\Client;
  35. use OCA\OAuth2\Db\ClientMapper;
  36. use OCA\OAuth2\Exceptions\AccessTokenNotFoundException;
  37. use OCA\OAuth2\Exceptions\ClientNotFoundException;
  38. use OCP\AppFramework\Http;
  39. use OCP\AppFramework\Http\JSONResponse;
  40. use OCP\AppFramework\Utility\ITimeFactory;
  41. use OCP\IRequest;
  42. use OCP\Security\Bruteforce\IThrottler;
  43. use OCP\Security\ICrypto;
  44. use OCP\Security\ISecureRandom;
  45. use Psr\Log\LoggerInterface;
  46. use Test\TestCase;
  47. /* We have to use this to add a property to the mocked request and avoid warnings about dynamic properties on PHP>=8.2 */
  48. abstract class RequestMock implements IRequest {
  49. public array $server = [];
  50. }
  51. class OauthApiControllerTest extends TestCase {
  52. /** @var IRequest|\PHPUnit\Framework\MockObject\MockObject */
  53. private $request;
  54. /** @var ICrypto|\PHPUnit\Framework\MockObject\MockObject */
  55. private $crypto;
  56. /** @var AccessTokenMapper|\PHPUnit\Framework\MockObject\MockObject */
  57. private $accessTokenMapper;
  58. /** @var ClientMapper|\PHPUnit\Framework\MockObject\MockObject */
  59. private $clientMapper;
  60. /** @var TokenProvider|\PHPUnit\Framework\MockObject\MockObject */
  61. private $tokenProvider;
  62. /** @var ISecureRandom|\PHPUnit\Framework\MockObject\MockObject */
  63. private $secureRandom;
  64. /** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
  65. private $time;
  66. /** @var IThrottler|\PHPUnit\Framework\MockObject\MockObject */
  67. private $throttler;
  68. /** @var LoggerInterface|\PHPUnit\Framework\MockObject\MockObject */
  69. private $logger;
  70. /** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
  71. private $timeFactory;
  72. /** @var OauthApiController */
  73. private $oauthApiController;
  74. protected function setUp(): void {
  75. parent::setUp();
  76. $this->request = $this->createMock(RequestMock::class);
  77. $this->crypto = $this->createMock(ICrypto::class);
  78. $this->accessTokenMapper = $this->createMock(AccessTokenMapper::class);
  79. $this->clientMapper = $this->createMock(ClientMapper::class);
  80. $this->tokenProvider = $this->createMock(TokenProvider::class);
  81. $this->secureRandom = $this->createMock(ISecureRandom::class);
  82. $this->time = $this->createMock(ITimeFactory::class);
  83. $this->throttler = $this->createMock(IThrottler::class);
  84. $this->logger = $this->createMock(LoggerInterface::class);
  85. $this->timeFactory = $this->createMock(ITimeFactory::class);
  86. $this->oauthApiController = new OauthApiController(
  87. 'oauth2',
  88. $this->request,
  89. $this->crypto,
  90. $this->accessTokenMapper,
  91. $this->clientMapper,
  92. $this->tokenProvider,
  93. $this->secureRandom,
  94. $this->time,
  95. $this->logger,
  96. $this->throttler,
  97. $this->timeFactory
  98. );
  99. }
  100. public function testGetTokenInvalidGrantType() {
  101. $expected = new JSONResponse([
  102. 'error' => 'invalid_grant',
  103. ], Http::STATUS_BAD_REQUEST);
  104. $expected->throttle(['invalid_grant' => 'foo']);
  105. $this->assertEquals($expected, $this->oauthApiController->getToken('foo', null, null, null, null));
  106. }
  107. public function testGetTokenInvalidCode() {
  108. $expected = new JSONResponse([
  109. 'error' => 'invalid_request',
  110. ], Http::STATUS_BAD_REQUEST);
  111. $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidcode']);
  112. $this->accessTokenMapper->method('getByCode')
  113. ->with('invalidcode')
  114. ->willThrowException(new AccessTokenNotFoundException());
  115. $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'invalidcode', null, null, null));
  116. }
  117. public function testGetTokenExpiredCode() {
  118. $codeCreatedAt = 100;
  119. $expiredSince = 123;
  120. $expected = new JSONResponse([
  121. 'error' => 'invalid_request',
  122. ], Http::STATUS_BAD_REQUEST);
  123. $expected->throttle(['invalid_request' => 'authorization_code_expired', 'expired_since' => $expiredSince]);
  124. $accessToken = new AccessToken();
  125. $accessToken->setClientId(42);
  126. $accessToken->setCodeCreatedAt($codeCreatedAt);
  127. $this->accessTokenMapper->method('getByCode')
  128. ->with('validcode')
  129. ->willReturn($accessToken);
  130. $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER + $expiredSince;
  131. $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
  132. $this->timeFactory->method('now')
  133. ->willReturn($dateNow);
  134. $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
  135. }
  136. public function testGetTokenWithCodeForActiveToken() {
  137. // if a token has already delivered oauth tokens,
  138. // it should not be possible to get a new oauth token from a valid authorization code
  139. $codeCreatedAt = 100;
  140. $expected = new JSONResponse([
  141. 'error' => 'invalid_request',
  142. ], Http::STATUS_BAD_REQUEST);
  143. $expected->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
  144. $accessToken = new AccessToken();
  145. $accessToken->setClientId(42);
  146. $accessToken->setCodeCreatedAt($codeCreatedAt);
  147. $accessToken->setTokenCount(1);
  148. $this->accessTokenMapper->method('getByCode')
  149. ->with('validcode')
  150. ->willReturn($accessToken);
  151. $tsNow = $codeCreatedAt + 1;
  152. $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
  153. $this->timeFactory->method('now')
  154. ->willReturn($dateNow);
  155. $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
  156. }
  157. public function testGetTokenClientDoesNotExist() {
  158. // In this test, the token's authorization code is valid and has not expired
  159. // and we check what happens when the associated Oauth client does not exist
  160. $codeCreatedAt = 100;
  161. $expected = new JSONResponse([
  162. 'error' => 'invalid_request',
  163. ], Http::STATUS_BAD_REQUEST);
  164. $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]);
  165. $accessToken = new AccessToken();
  166. $accessToken->setClientId(42);
  167. $accessToken->setCodeCreatedAt($codeCreatedAt);
  168. $this->accessTokenMapper->method('getByCode')
  169. ->with('validcode')
  170. ->willReturn($accessToken);
  171. // 'now' is before the token's authorization code expiration
  172. $tsNow = $codeCreatedAt + OauthApiController::AUTHORIZATION_CODE_EXPIRES_AFTER - 1;
  173. $dateNow = (new \DateTimeImmutable())->setTimestamp($tsNow);
  174. $this->timeFactory->method('now')
  175. ->willReturn($dateNow);
  176. $this->clientMapper->method('getByUid')
  177. ->with(42)
  178. ->willThrowException(new ClientNotFoundException());
  179. $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'validcode', null, null, null));
  180. }
  181. public function testRefreshTokenInvalidRefreshToken() {
  182. $expected = new JSONResponse([
  183. 'error' => 'invalid_request',
  184. ], Http::STATUS_BAD_REQUEST);
  185. $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidrefresh']);
  186. $this->accessTokenMapper->method('getByCode')
  187. ->with('invalidrefresh')
  188. ->willThrowException(new AccessTokenNotFoundException());
  189. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'invalidrefresh', null, null));
  190. }
  191. public function testRefreshTokenClientDoesNotExist() {
  192. $expected = new JSONResponse([
  193. 'error' => 'invalid_request',
  194. ], Http::STATUS_BAD_REQUEST);
  195. $expected->throttle(['invalid_request' => 'client not found', 'client_id' => 42]);
  196. $accessToken = new AccessToken();
  197. $accessToken->setClientId(42);
  198. $this->accessTokenMapper->method('getByCode')
  199. ->with('validrefresh')
  200. ->willReturn($accessToken);
  201. $this->clientMapper->method('getByUid')
  202. ->with(42)
  203. ->willThrowException(new ClientNotFoundException());
  204. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
  205. }
  206. public function invalidClientProvider() {
  207. return [
  208. ['invalidClientId', 'invalidClientSecret'],
  209. ['clientId', 'invalidClientSecret'],
  210. ['invalidClientId', 'clientSecret'],
  211. ];
  212. }
  213. /**
  214. * @dataProvider invalidClientProvider
  215. *
  216. * @param string $clientId
  217. * @param string $clientSecret
  218. */
  219. public function testRefreshTokenInvalidClient($clientId, $clientSecret) {
  220. $expected = new JSONResponse([
  221. 'error' => 'invalid_client',
  222. ], Http::STATUS_BAD_REQUEST);
  223. $expected->throttle(['invalid_client' => 'client ID or secret does not match']);
  224. $accessToken = new AccessToken();
  225. $accessToken->setClientId(42);
  226. $this->accessTokenMapper->method('getByCode')
  227. ->with('validrefresh')
  228. ->willReturn($accessToken);
  229. $this->crypto
  230. ->method('calculateHMAC')
  231. ->with($this->callback(function (string $text) {
  232. return $text === 'clientSecret' || $text === 'invalidClientSecret';
  233. }))
  234. ->willReturnCallback(function (string $text) {
  235. return $text === 'clientSecret'
  236. ? 'hashedClientSecret'
  237. : 'hashedInvalidClientSecret';
  238. });
  239. $client = new Client();
  240. $client->setClientIdentifier('clientId');
  241. $client->setSecret(bin2hex('hashedClientSecret'));
  242. $this->clientMapper->method('getByUid')
  243. ->with(42)
  244. ->willReturn($client);
  245. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', $clientId, $clientSecret));
  246. }
  247. public function testRefreshTokenInvalidAppToken() {
  248. $expected = new JSONResponse([
  249. 'error' => 'invalid_request',
  250. ], Http::STATUS_BAD_REQUEST);
  251. $expected->throttle(['invalid_request' => 'token is invalid']);
  252. $accessToken = new AccessToken();
  253. $accessToken->setClientId(42);
  254. $accessToken->setTokenId(1337);
  255. $accessToken->setEncryptedToken('encryptedToken');
  256. $this->accessTokenMapper->method('getByCode')
  257. ->with('validrefresh')
  258. ->willReturn($accessToken);
  259. $client = new Client();
  260. $client->setClientIdentifier('clientId');
  261. $client->setSecret(bin2hex('hashedClientSecret'));
  262. $this->clientMapper->method('getByUid')
  263. ->with(42)
  264. ->willReturn($client);
  265. $this->crypto
  266. ->method('decrypt')
  267. ->with('encryptedToken')
  268. ->willReturn('decryptedToken');
  269. $this->crypto
  270. ->method('calculateHMAC')
  271. ->with('clientSecret')
  272. ->willReturn('hashedClientSecret');
  273. $this->tokenProvider->method('getTokenById')
  274. ->with(1337)
  275. ->willThrowException(new InvalidTokenException());
  276. $this->accessTokenMapper->expects($this->once())
  277. ->method('delete')
  278. ->with($accessToken);
  279. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
  280. }
  281. public function testRefreshTokenValidAppToken() {
  282. $accessToken = new AccessToken();
  283. $accessToken->setClientId(42);
  284. $accessToken->setTokenId(1337);
  285. $accessToken->setEncryptedToken('encryptedToken');
  286. $this->accessTokenMapper->method('getByCode')
  287. ->with('validrefresh')
  288. ->willReturn($accessToken);
  289. $client = new Client();
  290. $client->setClientIdentifier('clientId');
  291. $client->setSecret(bin2hex('hashedClientSecret'));
  292. $this->clientMapper->method('getByUid')
  293. ->with(42)
  294. ->willReturn($client);
  295. $this->crypto
  296. ->method('decrypt')
  297. ->with('encryptedToken')
  298. ->willReturn('decryptedToken');
  299. $this->crypto
  300. ->method('calculateHMAC')
  301. ->with('clientSecret')
  302. ->willReturn('hashedClientSecret');
  303. $appToken = new PublicKeyToken();
  304. $appToken->setUid('userId');
  305. $this->tokenProvider->method('getTokenById')
  306. ->with(1337)
  307. ->willThrowException(new ExpiredTokenException($appToken));
  308. $this->accessTokenMapper->expects($this->never())
  309. ->method('delete')
  310. ->with($accessToken);
  311. $this->secureRandom->method('generate')
  312. ->willReturnCallback(function ($len) {
  313. return 'random'.$len;
  314. });
  315. $this->tokenProvider->expects($this->once())
  316. ->method('rotate')
  317. ->with(
  318. $appToken,
  319. 'decryptedToken',
  320. 'random72'
  321. )->willReturn($appToken);
  322. $this->time->method('getTime')
  323. ->willReturn(1000);
  324. $this->tokenProvider->expects($this->once())
  325. ->method('updateToken')
  326. ->with(
  327. $this->callback(function (PublicKeyToken $token) {
  328. return $token->getExpires() === 4600;
  329. })
  330. );
  331. $this->crypto->method('encrypt')
  332. ->with('random72', 'random128')
  333. ->willReturn('newEncryptedToken');
  334. $this->accessTokenMapper->expects($this->once())
  335. ->method('update')
  336. ->with(
  337. $this->callback(function (AccessToken $token) {
  338. return $token->getHashedCode() === hash('sha512', 'random128') &&
  339. $token->getEncryptedToken() === 'newEncryptedToken';
  340. })
  341. );
  342. $expected = new JSONResponse([
  343. 'access_token' => 'random72',
  344. 'token_type' => 'Bearer',
  345. 'expires_in' => 3600,
  346. 'refresh_token' => 'random128',
  347. 'user_id' => 'userId',
  348. ]);
  349. $this->request->method('getRemoteAddress')
  350. ->willReturn('1.2.3.4');
  351. $this->throttler->expects($this->once())
  352. ->method('resetDelay')
  353. ->with(
  354. '1.2.3.4',
  355. 'login',
  356. ['user' => 'userId']
  357. );
  358. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
  359. }
  360. public function testRefreshTokenValidAppTokenBasicAuth() {
  361. $accessToken = new AccessToken();
  362. $accessToken->setClientId(42);
  363. $accessToken->setTokenId(1337);
  364. $accessToken->setEncryptedToken('encryptedToken');
  365. $this->accessTokenMapper->method('getByCode')
  366. ->with('validrefresh')
  367. ->willReturn($accessToken);
  368. $client = new Client();
  369. $client->setClientIdentifier('clientId');
  370. $client->setSecret(bin2hex('hashedClientSecret'));
  371. $this->clientMapper->method('getByUid')
  372. ->with(42)
  373. ->willReturn($client);
  374. $this->crypto
  375. ->method('decrypt')
  376. ->with('encryptedToken')
  377. ->willReturn('decryptedToken');
  378. $this->crypto
  379. ->method('calculateHMAC')
  380. ->with('clientSecret')
  381. ->willReturn('hashedClientSecret');
  382. $appToken = new PublicKeyToken();
  383. $appToken->setUid('userId');
  384. $this->tokenProvider->method('getTokenById')
  385. ->with(1337)
  386. ->willThrowException(new ExpiredTokenException($appToken));
  387. $this->accessTokenMapper->expects($this->never())
  388. ->method('delete')
  389. ->with($accessToken);
  390. $this->secureRandom->method('generate')
  391. ->willReturnCallback(function ($len) {
  392. return 'random'.$len;
  393. });
  394. $this->tokenProvider->expects($this->once())
  395. ->method('rotate')
  396. ->with(
  397. $appToken,
  398. 'decryptedToken',
  399. 'random72'
  400. )->willReturn($appToken);
  401. $this->time->method('getTime')
  402. ->willReturn(1000);
  403. $this->tokenProvider->expects($this->once())
  404. ->method('updateToken')
  405. ->with(
  406. $this->callback(function (PublicKeyToken $token) {
  407. return $token->getExpires() === 4600;
  408. })
  409. );
  410. $this->crypto->method('encrypt')
  411. ->with('random72', 'random128')
  412. ->willReturn('newEncryptedToken');
  413. $this->accessTokenMapper->expects($this->once())
  414. ->method('update')
  415. ->with(
  416. $this->callback(function (AccessToken $token) {
  417. return $token->getHashedCode() === hash('sha512', 'random128') &&
  418. $token->getEncryptedToken() === 'newEncryptedToken';
  419. })
  420. );
  421. $expected = new JSONResponse([
  422. 'access_token' => 'random72',
  423. 'token_type' => 'Bearer',
  424. 'expires_in' => 3600,
  425. 'refresh_token' => 'random128',
  426. 'user_id' => 'userId',
  427. ]);
  428. $this->request->server['PHP_AUTH_USER'] = 'clientId';
  429. $this->request->server['PHP_AUTH_PW'] = 'clientSecret';
  430. $this->request->method('getRemoteAddress')
  431. ->willReturn('1.2.3.4');
  432. $this->throttler->expects($this->once())
  433. ->method('resetDelay')
  434. ->with(
  435. '1.2.3.4',
  436. 'login',
  437. ['user' => 'userId']
  438. );
  439. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null));
  440. }
  441. public function testRefreshTokenExpiredAppToken() {
  442. $accessToken = new AccessToken();
  443. $accessToken->setClientId(42);
  444. $accessToken->setTokenId(1337);
  445. $accessToken->setEncryptedToken('encryptedToken');
  446. $this->accessTokenMapper->method('getByCode')
  447. ->with('validrefresh')
  448. ->willReturn($accessToken);
  449. $client = new Client();
  450. $client->setClientIdentifier('clientId');
  451. $client->setSecret(bin2hex('hashedClientSecret'));
  452. $this->clientMapper->method('getByUid')
  453. ->with(42)
  454. ->willReturn($client);
  455. $this->crypto
  456. ->method('decrypt')
  457. ->with('encryptedToken')
  458. ->willReturn('decryptedToken');
  459. $this->crypto
  460. ->method('calculateHMAC')
  461. ->with('clientSecret')
  462. ->willReturn('hashedClientSecret');
  463. $appToken = new PublicKeyToken();
  464. $appToken->setUid('userId');
  465. $this->tokenProvider->method('getTokenById')
  466. ->with(1337)
  467. ->willReturn($appToken);
  468. $this->accessTokenMapper->expects($this->never())
  469. ->method('delete')
  470. ->with($accessToken);
  471. $this->secureRandom->method('generate')
  472. ->willReturnCallback(function ($len) {
  473. return 'random'.$len;
  474. });
  475. $this->tokenProvider->expects($this->once())
  476. ->method('rotate')
  477. ->with(
  478. $appToken,
  479. 'decryptedToken',
  480. 'random72'
  481. )->willReturn($appToken);
  482. $this->time->method('getTime')
  483. ->willReturn(1000);
  484. $this->tokenProvider->expects($this->once())
  485. ->method('updateToken')
  486. ->with(
  487. $this->callback(function (PublicKeyToken $token) {
  488. return $token->getExpires() === 4600;
  489. })
  490. );
  491. $this->crypto->method('encrypt')
  492. ->with('random72', 'random128')
  493. ->willReturn('newEncryptedToken');
  494. $this->accessTokenMapper->expects($this->once())
  495. ->method('update')
  496. ->with(
  497. $this->callback(function (AccessToken $token) {
  498. return $token->getHashedCode() === hash('sha512', 'random128') &&
  499. $token->getEncryptedToken() === 'newEncryptedToken';
  500. })
  501. );
  502. $expected = new JSONResponse([
  503. 'access_token' => 'random72',
  504. 'token_type' => 'Bearer',
  505. 'expires_in' => 3600,
  506. 'refresh_token' => 'random128',
  507. 'user_id' => 'userId',
  508. ]);
  509. $this->request->method('getRemoteAddress')
  510. ->willReturn('1.2.3.4');
  511. $this->throttler->expects($this->once())
  512. ->method('resetDelay')
  513. ->with(
  514. '1.2.3.4',
  515. 'login',
  516. ['user' => 'userId']
  517. );
  518. $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret'));
  519. }
  520. }