feat(tfstated): implement HTTP basic auth

author: Julien Dessaux 2024-11-14 01:34:29 +0100
committer: Julien Dessaux 2024-11-14 01:34:29 +0100
commit: 3d8812fbd0091d2ef636949628c52bf9f48617a6 (patch)
tree: 00755c8903497ad7abaaffffbbaa4a37fdf41a03 /cmd
parent: chore(tfstated): rename state "name" to "path" for consistency (diff)
download: tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.gz
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.bz2
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.zip
10 files changed, 83 insertions, 54 deletions
diff --git a/cmd/tfstated/delete_test.go b/cmd/tfstated/delete_test.go
index 970fbcf..cbc0d55 100644
--- a/cmd/tfstated/delete_test.go
+++ b/cmd/tfstated/delete_test.go
@@ -11,20 +11,22 @@ import (
 func TestDelete(t *testing.T) {
 	tests := []struct {
 		method string
+		auth   bool
 		uri    url.URL
 		body   io.Reader
 		expect string
 		status int
 		msg    string
 	}{
-		{"DELETE", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
-		{"DELETE", url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"},
-		{"POST", url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"},
-		{"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"},
-		{"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"},
+		{"DELETE", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+		{"DELETE", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+		{"DELETE", true, url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"},
+		{"POST", true, url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"},
+		{"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"},
+		{"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"},
 	}
 	for _, tt := range tests {
-		runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+		runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
 			if err != nil {
 				t.Fatalf("failed %s with error: %+v", tt.method, err)
 			} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/get_test.go b/cmd/tfstated/get_test.go
index 5ffcfd0..274522b 100644
--- a/cmd/tfstated/get_test.go
+++ b/cmd/tfstated/get_test.go
@@ -11,19 +11,21 @@ import (
 func TestGet(t *testing.T) {
 	tests := []struct {
 		method string
+		auth   bool
 		uri    url.URL
 		body   io.Reader
 		expect string
 		status int
 		msg    string
 	}{
-		{"GET", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
-		{"GET", url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"},
-		{"POST", url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"},
-		{"GET", url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"},
+		{"GET", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+		{"GET", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+		{"GET", true, url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"},
+		{"POST", true, url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"},
+		{"GET", true, url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"},
 	}
 	for _, tt := range tests {
-		runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+		runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
 			if err != nil {
 				t.Fatalf("failed %s with error: %+v", tt.method, err)
 			} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/healthz_test.go b/cmd/tfstated/healthz_test.go
index c4860c4..10d237b 100644
--- a/cmd/tfstated/healthz_test.go
+++ b/cmd/tfstated/healthz_test.go
@@ -7,7 +7,7 @@ import (
 )
 
 func TestHealthz(t *testing.T) {
-	runHTTPRequest("GET", &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) {
+	runHTTPRequest("GET", false, &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) {
 		if err != nil {
 			t.Fatalf("failed healthcheck with error: %+v", err)
 		} else if r.StatusCode != http.StatusOK {
diff --git a/cmd/tfstated/lock_test.go b/cmd/tfstated/lock_test.go
index fa454be..22f5890 100644
--- a/cmd/tfstated/lock_test.go
+++ b/cmd/tfstated/lock_test.go
@@ -11,24 +11,26 @@ import (
 func TestLock(t *testing.T) {
 	tests := []struct {
 		method string
+		auth   bool
 		uri    url.URL
 		body   io.Reader
 		expect string
 		status int
 		msg    string
 	}{
-		{"LOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
-		{"LOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
-		{"LOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"},
-		{"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
-		{"GET", url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"},
-		{"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"},
-		{"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"},
-		{"POST", url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"},
-		{"GET", url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"},
+		{"LOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+		{"LOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+		{"LOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
+		{"LOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"},
+		{"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
+		{"GET", true, url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"},
+		{"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"},
+		{"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"},
+		{"POST", true, url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"},
+		{"GET", true, url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"},
 	}
 	for _, tt := range tests {
-		runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+		runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
 			if err != nil {
 				t.Fatalf("failed %s with error: %+v", tt.method, err)
 			} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/main.go b/cmd/tfstated/main.go
index 722ec82..e6c6272 100644
--- a/cmd/tfstated/main.go
+++ b/cmd/tfstated/main.go
@@ -52,6 +52,10 @@ func run(
 		db.SetVersionsHistoryLimit(n)
 	}
 
+	if err := db.InitAdminAccount(); err != nil {
+		return err
+	}
+
 	mux := http.NewServeMux()
 	addRoutes(
 		mux,
diff --git a/cmd/tfstated/main_test.go b/cmd/tfstated/main_test.go
index c52b924..3ad1d7e 100644
--- a/cmd/tfstated/main_test.go
+++ b/cmd/tfstated/main_test.go
@@ -19,6 +19,7 @@ var baseURI = url.URL{
 	Scheme: "http",
 }
 var db *database.DB
+var password string
 
 func TestMain(m *testing.M) {
 	ctx := context.Background()
@@ -58,6 +59,13 @@ func TestMain(m *testing.M) {
 		os.Exit(1)
 	}
 
+	admin, err := db.LoadAccountByUsername("admin")
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%+v\n", err)
+		os.Exit(1)
+	}
+	password = admin.Password
+
 	ret := m.Run()
 
 	cancel()
@@ -71,7 +79,7 @@ func TestMain(m *testing.M) {
 	os.Exit(ret)
 }
 
-func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) {
+func runHTTPRequest(method string, auth bool, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) {
 	uri := baseURI.ResolveReference(uriRef)
 	client := http.Client{}
 	req, err := http.NewRequest(method, uri.String(), body)
@@ -79,6 +87,9 @@ func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc fun
 		testFunc(nil, fmt.Errorf("failed to create request: %w", err))
 		return
 	}
+	if auth {
+		req.SetBasicAuth("admin", password)
+	}
 	resp, err := client.Do(req)
 	if err != nil {
 		testFunc(nil, fmt.Errorf("failed to do request: %w\n", err))
diff --git a/cmd/tfstated/post.go b/cmd/tfstated/post.go
index cf788d4..718fed7 100644
--- a/cmd/tfstated/post.go
+++ b/cmd/tfstated/post.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	"git.adyxax.org/adyxax/tfstated/pkg/database"
+	"git.adyxax.org/adyxax/tfstated/pkg/model"
 )
 
 func handlePost(db *database.DB) http.Handler {
@@ -24,7 +25,8 @@ func handlePost(db *database.DB) http.Handler {
 			_ = errorResponse(w, http.StatusBadRequest, err)
 			return
 		}
-		if idMismatch, err := db.SetState(r.URL.Path, data, id); err != nil {
+		account := r.Context().Value("account").(*model.Account)
+		if idMismatch, err := db.SetState(r.URL.Path, account.Id, data, id); err != nil {
 			if idMismatch {
 				_ = errorResponse(w, http.StatusConflict, err)
 			} else {
diff --git a/cmd/tfstated/post_test.go b/cmd/tfstated/post_test.go
index fd66dc4..71e5143 100644
--- a/cmd/tfstated/post_test.go
+++ b/cmd/tfstated/post_test.go
@@ -11,31 +11,33 @@ import (
 func TestPost(t *testing.T) {
 	tests := []struct {
 		method string
+		auth   bool
 		uri    url.URL
 		body   io.Reader
 		expect string
 		status int
 		msg    string
 	}{
-		{"POST", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
-		{"POST", url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"},
-		{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"},
-		{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
-		{"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"},
-		{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
-		{"LOCK", url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"},
-		{"POST", url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"},
-		{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
-		{"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"},
-		{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"},
-		{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"},
-		{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"},
-		{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"},
-		{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"},
-		{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"},
+		{"POST", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+		{"POST", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+		{"POST", true, url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"},
+		{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"},
+		{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
+		{"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"},
+		{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
+		{"LOCK", true, url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"},
+		{"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"},
+		{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
+		{"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"},
+		{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"},
+		{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"},
+		{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"},
+		{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"},
+		{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"},
+		{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"},
 	}
 	for _, tt := range tests {
-		runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+		runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
 			if err != nil {
 				t.Fatalf("failed %s with error: %+v", tt.method, err)
 			} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/routes.go b/cmd/tfstated/routes.go
index e2700d2..019bb76 100644
--- a/cmd/tfstated/routes.go
+++ b/cmd/tfstated/routes.go
@@ -3,6 +3,7 @@ package main
 import (
 	"net/http"
 
+	"git.adyxax.org/adyxax/tfstated/pkg/basic_auth"
 	"git.adyxax.org/adyxax/tfstated/pkg/database"
 )
 
@@ -12,9 +13,10 @@ func addRoutes(
 ) {
 	mux.Handle("GET /healthz", handleHealthz())
 
-	mux.Handle("DELETE /", handleDelete(db))
-	mux.Handle("GET /", handleGet(db))
-	mux.Handle("LOCK /", handleLock(db))
-	mux.Handle("POST /", handlePost(db))
-	mux.Handle("UNLOCK /", handleUnlock(db))
+	basicAuth := basic_auth.Middleware(db)
+	mux.Handle("DELETE /", basicAuth(handleDelete(db)))
+	mux.Handle("GET /", basicAuth(handleGet(db)))
+	mux.Handle("LOCK /", basicAuth(handleLock(db)))
+	mux.Handle("POST /", basicAuth(handlePost(db)))
+	mux.Handle("UNLOCK /", basicAuth(handleUnlock(db)))
 }
diff --git a/cmd/tfstated/unlock_test.go b/cmd/tfstated/unlock_test.go
index f5af5f7..e8c14cc 100644
--- a/cmd/tfstated/unlock_test.go
+++ b/cmd/tfstated/unlock_test.go
@@ -11,22 +11,24 @@ import (
 func TestUnlock(t *testing.T) {
 	tests := []struct {
 		method string
+		auth   bool
 		uri    url.URL
 		body   io.Reader
 		expect string
 		status int
 		msg    string
 	}{
-		{"UNLOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
-		{"UNLOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
-		{"UNLOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"},
-		{"LOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
-		{"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"},
-		{"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"},
-		{"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"},
+		{"UNLOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+		{"UNLOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+		{"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
+		{"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"},
+		{"LOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
+		{"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"},
+		{"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"},
+		{"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"},
 	}
 	for _, tt := range tests {
-		runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+		runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
 			if err != nil {
 				t.Fatalf("failed %s with error: %+v", tt.method, err)
 			} else if r.StatusCode != tt.status {
author	Julien Dessaux	2024-11-14 01:34:29 +0100
committer	Julien Dessaux	2024-11-14 01:34:29 +0100
commit	3d8812fbd0091d2ef636949628c52bf9f48617a6 (patch)
tree	00755c8903497ad7abaaffffbbaa4a37fdf41a03 /cmd
parent	chore(tfstated): rename state "name" to "path" for consistency (diff)
download	tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.gz tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.bz2 tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.zip