~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.onap.ccsdk.apps.blueprintsprocessor</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
</dependency>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-security</artifactId>
+ </dependency>
+
<!-- North Bound -->
<dependency>
<groupId>org.onap.ccsdk.apps.blueprintsprocessor</groupId>
import io.grpc.Server;
import io.grpc.ServerBuilder;
+import org.onap.ccsdk.apps.blueprintsprocessor.security.BasicAuthServerInterceptor;
import org.onap.ccsdk.apps.blueprintsprocessor.selfservice.api.BluePrintManagementGRPCHandler;
import org.onap.ccsdk.apps.blueprintsprocessor.selfservice.api.BluePrintProcessingGRPCHandler;
import org.slf4j.Logger;
@Autowired
private BluePrintProcessingGRPCHandler bluePrintProcessingGRPCHandler;
-
@Autowired
private BluePrintManagementGRPCHandler bluePrintManagementGRPCHandler;
+ @Autowired
+ private BasicAuthServerInterceptor authInterceptor;
@Value("${blueprintsprocessor.grpcPort}")
private Integer grpcPort;
try {
log.info("Starting Blueprint Processor GRPC Starting..");
Server server = ServerBuilder
- .forPort(grpcPort)
- .addService(bluePrintProcessingGRPCHandler)
- .addService(bluePrintManagementGRPCHandler)
- .build();
+ .forPort(grpcPort)
+ .intercept(authInterceptor)
+ .addService(bluePrintProcessingGRPCHandler)
+ .addService(bluePrintManagementGRPCHandler)
+ .build();
server.start();
log.info("Blueprint Processor GRPC server started and ready to serve on port({})...", server.getPort());
package org.onap.ccsdk.apps.blueprintsprocessor;
+import javax.annotation.PostConstruct;
+import javax.annotation.PreDestroy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory;
import org.springframework.boot.web.reactive.server.ReactiveWebServerFactory;
import org.springframework.boot.web.server.WebServer;
import org.springframework.http.server.reactive.HttpHandler;
import org.springframework.stereotype.Component;
-import javax.annotation.PostConstruct;
-import javax.annotation.PreDestroy;
-
-@ConditionalOnProperty(name = "blueprintsprocessor.grpcEnable", havingValue = "true")
@Component
public class BlueprintHttpServer {
+
private static Logger log = LoggerFactory.getLogger(BlueprintHttpServer.class);
@Value("${blueprintsprocessor.httpPort}")
import org.springframework.boot.autoconfigure.SpringBootApplication;\r
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;\r
import org.springframework.context.annotation.ComponentScan;\r
-import org.springframework.web.reactive.config.EnableWebFlux;\r
\r
/**\r
* BlueprintProcessorApplication\r
*/\r
@SpringBootApplication\r
@EnableAutoConfiguration(exclude = {DataSourceAutoConfiguration.class})\r
-@EnableWebFlux\r
@ComponentScan(basePackages = {"org.onap.ccsdk.apps.controllerblueprints",\r
- "org.onap.ccsdk.apps.blueprintsprocessor"})\r
+ "org.onap.ccsdk.apps.blueprintsprocessor"})\r
public class BlueprintProcessorApplication {\r
+\r
public static void main(String[] args) {\r
SpringApplication.run(BlueprintProcessorApplication.class, args);\r
}\r
\r
package org.onap.ccsdk.apps.blueprintsprocessor;\r
\r
+import org.onap.ccsdk.apps.blueprintsprocessor.security.AuthenticationManager;\r
+import org.onap.ccsdk.apps.blueprintsprocessor.security.SecurityContextRepository;\r
+import org.springframework.beans.factory.annotation.Autowired;\r
+import org.springframework.context.annotation.Bean;\r
import org.springframework.context.annotation.Configuration;\r
-import org.springframework.web.reactive.config.*;\r
+import org.springframework.http.HttpMethod;\r
+import org.springframework.security.config.web.server.ServerHttpSecurity;\r
+import org.springframework.security.web.server.SecurityWebFilterChain;\r
+import org.springframework.web.reactive.config.CorsRegistry;\r
+import org.springframework.web.reactive.config.ResourceHandlerRegistry;\r
+import org.springframework.web.reactive.config.WebFluxConfigurationSupport;\r
\r
/**\r
* WebConfig\r
*/\r
@Configuration\r
public class WebConfig extends WebFluxConfigurationSupport {\r
- @Override\r
+\r
+ @Autowired\r
+ private AuthenticationManager authenticationManager;\r
+\r
+ @Autowired\r
+ private SecurityContextRepository securityContextRepository;\r
+\r
+ @Override\r
public void addResourceHandlers(ResourceHandlerRegistry registry) {\r
registry.addResourceHandler("swagger-ui.html")\r
- .addResourceLocations("classpath:/META-INF/resources/");\r
+ .addResourceLocations("classpath:/META-INF/resources/");\r
\r
registry.addResourceHandler("/webjars/**")\r
- .addResourceLocations("classpath:/META-INF/resources/webjars/");\r
+ .addResourceLocations("classpath:/META-INF/resources/webjars/");\r
}\r
\r
@Override\r
public void addCorsMappings(CorsRegistry corsRegistry) {\r
corsRegistry.addMapping("/**")\r
- .allowedOrigins("*")\r
- .allowedMethods("*")\r
- .allowedHeaders("DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range")\r
- .maxAge(3600);\r
+ .allowedOrigins("*")\r
+ .allowedMethods("*")\r
+ .allowedHeaders("*")\r
+ .maxAge(3600);\r
+ }\r
+\r
+\r
+ @Bean\r
+ public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {\r
+ return http.csrf().disable()\r
+ .formLogin().disable()\r
+ .httpBasic().disable()\r
+ .authenticationManager(authenticationManager)\r
+ .securityContextRepository(securityContextRepository)\r
+ .authorizeExchange()\r
+ .pathMatchers(HttpMethod.OPTIONS).permitAll()\r
+ .anyExchange().authenticated()\r
+ .and().build();\r
+\r
}\r
}\r
--- /dev/null
+/*
+ * Copyright (C) 2019 Bell Canada.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+* limitations under the License.
+ */
+package org.onap.ccsdk.apps.blueprintsprocessor.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import reactor.core.publisher.Mono;
+
+@Configuration
+public class AuthenticationManager implements ReactiveAuthenticationManager {
+
+ @Autowired
+ private AuthenticationProvider authenticationProvider;
+
+ @Override
+ public Mono<Authentication> authenticate(Authentication authentication) {
+ try {
+ return Mono.just(authenticationProvider.authenticate(authentication));
+ } catch (AuthenticationException e) {
+ return Mono.error(e);
+ }
+ }
+}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) 2019 Bell Canada.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onap.ccsdk.apps.blueprintsprocessor.security;
+
+import com.google.common.base.Strings;
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptor;
+import io.grpc.Status;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class BasicAuthServerInterceptor implements ServerInterceptor {
+
+ private static Logger log = LoggerFactory.getLogger(BasicAuthServerInterceptor.class);
+
+ @Autowired
+ private AuthenticationManager authenticationManager;
+
+
+ @Override
+ public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
+ ServerCall<ReqT, RespT> call,
+ Metadata headers,
+ ServerCallHandler<ReqT, RespT> next) {
+ String authHeader = headers.get(Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER));
+
+ if (Strings.isNullOrEmpty(authHeader)) {
+ throw Status.UNAUTHENTICATED.withDescription("Missing required authentication").asRuntimeException();
+
+ }
+
+ try {
+ String[] tokens = decodeBasicAuth(authHeader);
+ String username = tokens[0];
+
+ log.info("Basic Authentication Authorization header found for user: {}", username);
+
+ Authentication authRequest = new UsernamePasswordAuthenticationToken(username, tokens[1]);
+ Authentication authResult = authenticationManager.authenticate(authRequest).block();
+
+ log.info("Authentication success: {}", authResult);
+
+ SecurityContextHolder.getContext().setAuthentication(authResult);
+
+ } catch (AuthenticationException e) {
+ SecurityContextHolder.clearContext();
+
+ log.info("Authentication request failed: {}", e.getMessage());
+
+ throw Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e).asRuntimeException();
+ }
+
+ return next.startCall(call, headers);
+ }
+
+ private String[] decodeBasicAuth(String authHeader) {
+ String basicAuth;
+ try {
+ basicAuth = new String(Base64.getDecoder().decode(authHeader.substring(6).getBytes(StandardCharsets.UTF_8)),
+ StandardCharsets.UTF_8);
+ } catch (IllegalArgumentException | IndexOutOfBoundsException e) {
+ throw new BadCredentialsException("Failed to decode basic authentication token");
+ }
+
+ int delim = basicAuth.indexOf(':');
+ if (delim == -1) {
+ throw new BadCredentialsException("Failed to decode basic authentication token");
+ }
+
+ return new String[]{basicAuth.substring(0, delim), basicAuth.substring(delim + 1)};
+ }
+}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) 2019 Bell Canada.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onap.ccsdk.apps.blueprintsprocessor.security;
+
+import java.util.Collections;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+
+@Configuration
+public class SecurityConfiguration {
+
+ @Value("${security.user.name}")
+ private String username;
+
+ @Value("${security.user.password}")
+ private String password;
+
+ @Bean
+ public UserDetailsService inMemoryUserService() {
+ UserDetails user = new User(username, password,
+ Collections.singletonList(new SimpleGrantedAuthority("USER")));
+ return new InMemoryUserDetailsManager(user);
+ }
+
+ @Bean
+ public PasswordEncoder passwordEncoder() {
+ return new BCryptPasswordEncoder();
+ }
+
+ @Bean
+ public AuthenticationProvider inMemoryAuthenticationProvider() {
+ DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
+ provider.setUserDetailsService(inMemoryUserService());
+ return provider;
+ }
+}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) 2019 Bell Canada.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onap.ccsdk.apps.blueprintsprocessor.security;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.web.server.context.ServerSecurityContextRepository;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+@Component
+public class SecurityContextRepository implements ServerSecurityContextRepository {
+
+ @Autowired
+ private AuthenticationManager authenticationManager;
+
+ @Override
+ public Mono<Void> save(ServerWebExchange swe, SecurityContext sc) {
+ throw new UnsupportedOperationException("Not supported.");
+ }
+
+ @Override
+ public Mono<SecurityContext> load(ServerWebExchange swe) {
+ ServerHttpRequest request = swe.getRequest();
+ String authHeader = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
+ if (authHeader != null && authHeader.startsWith("Basic")) {
+ String[] tokens = decodeBasicAuth(authHeader);
+ String username = tokens[0];
+ String password = tokens[1];
+ Authentication auth = new UsernamePasswordAuthenticationToken(username, password);
+ return this.authenticationManager.authenticate(auth).map(SecurityContextImpl::new);
+ } else {
+ return Mono.empty();
+ }
+ }
+
+ private String[] decodeBasicAuth(String authHeader) {
+ String basicAuth;
+ try {
+ basicAuth = new String(Base64.getDecoder().decode(authHeader.substring(6).getBytes(StandardCharsets.UTF_8)),
+ StandardCharsets.UTF_8);
+ } catch (IllegalArgumentException | IndexOutOfBoundsException e) {
+ throw new BadCredentialsException("Failed to decode basic authentication token");
+ }
+
+ int delim = basicAuth.indexOf(':');
+ if (delim == -1) {
+ throw new BadCredentialsException("Failed to decode basic authentication token");
+ }
+
+ return new String[]{basicAuth.substring(0, delim), basicAuth.substring(delim + 1)};
+ }
+}
\ No newline at end of file
# Python executor
blueprints.processor.functions.python.executor.executionPath=/opt/app/onap/scripts/jython/ccsdk_blueprints
blueprints.processor.functions.python.executor.modulePaths=/opt/app/onap/scripts/jython/ccsdk_blueprints,/opt/app/onap/scripts/jython/ccsdk_netconf
+
+security.user.password: {bcrypt}$2a$10$duaUzVUVW0YPQCSIbGEkQOXwafZGwQ/b32/Ys4R1iwSSawFgz7QNu
+security.user.name: ccsdkapps
#
# Web server config
server.port=8080
+blueprintsprocessor.grpcEnable=false
+blueprintsprocessor.httpPort=8080
+blueprintsprocessor.grpcPort=9111
# Blueprint Processor File Execution and Handling Properties
blueprintsprocessor.blueprintDeployPath=/opt/app/onap/blueprints/deploy
blueprintsprocessor.blueprintArchivePath=/opt/app/onap/blueprints/archive
# Python executor
blueprints.processor.functions.python.executor.executionPath=/opt/app/onap/scripts/jython
blueprints.processor.functions.python.executor.modulePaths=/opt/app/onap/scripts/jython
+
+security.user.password: {bcrypt}$2a$10$duaUzVUVW0YPQCSIbGEkQOXwafZGwQ/b32/Ys4R1iwSSawFgz7QNu
+security.user.name: ccsdkapps
<description>Blueprints Processor Selfservice API</description>
<dependencies>
+
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-core</artifactId>
+ </dependency>
+
<dependency>
<groupId>org.onap.ccsdk.apps.components</groupId>
<artifactId>proto-definition</artifactId>
import org.onap.ccsdk.apps.controllerblueprints.management.api.BluePrintManagementOutput
import org.onap.ccsdk.apps.controllerblueprints.management.api.BluePrintManagementServiceGrpc
import org.slf4j.LoggerFactory
+import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.stereotype.Service
import java.io.File
@Service
-class BluePrintManagementGRPCHandler(private val bluePrintCoreConfiguration: BluePrintCoreConfiguration,
+open class BluePrintManagementGRPCHandler(private val bluePrintCoreConfiguration: BluePrintCoreConfiguration,
private val bluePrintCatalogService: BluePrintCatalogService)
: BluePrintManagementServiceGrpc.BluePrintManagementServiceImplBase() {
private val log = LoggerFactory.getLogger(BluePrintManagementGRPCHandler::class.java)
+ @PreAuthorize("hasRole('USER')")
override fun uploadBlueprint(request: BluePrintManagementInput, responseObserver: StreamObserver<BluePrintManagementOutput>) {
val blueprintName = request.blueprintName
val blueprintVersion = request.blueprintVersion
}
}
+ @PreAuthorize("hasRole('USER')")
override fun removeBlueprint(request: BluePrintManagementInput, responseObserver: StreamObserver<BluePrintManagementOutput>) {
val blueprintName = request.blueprintName
val blueprintVersion = request.blueprintVersion
import org.onap.ccsdk.apps.controllerblueprints.processing.api.ExecutionServiceInput
import org.onap.ccsdk.apps.controllerblueprints.processing.api.ExecutionServiceOutput
import org.slf4j.LoggerFactory
+import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.stereotype.Service
@Service
-class BluePrintProcessingGRPCHandler(private val bluePrintCoreConfiguration: BluePrintCoreConfiguration,
+open class BluePrintProcessingGRPCHandler(private val bluePrintCoreConfiguration: BluePrintCoreConfiguration,
private val executionServiceHandler: ExecutionServiceHandler)
: BluePrintProcessingServiceGrpc.BluePrintProcessingServiceImplBase() {
private val log = LoggerFactory.getLogger(BluePrintProcessingGRPCHandler::class.java)
+ @PreAuthorize("hasRole('USER')")
override fun process(
responseObserver: StreamObserver<ExecutionServiceOutput>): StreamObserver<ExecutionServiceInput> {
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.http.MediaType
import org.springframework.http.codec.multipart.FilePart
+import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.web.bind.annotation.PostMapping
import org.springframework.web.bind.annotation.RequestBody
import org.springframework.web.bind.annotation.RequestMapping
@RestController
@RequestMapping("/api/v1/execution-service")
-class ExecutionServiceController {
+open class ExecutionServiceController {
@Autowired
lateinit var executionServiceHandler: ExecutionServiceHandler
@PostMapping(path = ["/upload"], consumes = [MediaType.MULTIPART_FORM_DATA_VALUE])
@ApiOperation(value = "Upload CBA", notes = "Takes a File and load it in the runtime database")
@ResponseBody
+ @PreAuthorize("hasRole('USER')")
fun upload(@RequestPart("file") parts: Mono<FilePart>): Mono<String> {
return parts
.filter { it is FilePart }
@ApiOperation(value = "Resolve Resource Mappings",
notes = "Takes the blueprint information and process as per the payload")
@ResponseBody
+ @PreAuthorize("hasRole('USER')")
fun process(@RequestBody executionServiceInput: ExecutionServiceInput): ExecutionServiceOutput {
if (executionServiceInput.actionIdentifiers.mode == ACTION_MODE_ASYNC) {
throw IllegalStateException("Can't process async request through the REST endpoint. Use gRPC for async processing.")
import org.onap.ccsdk.apps.controllerblueprints.core.interfaces.BluePrintCatalogService
import org.onap.ccsdk.apps.controllerblueprints.core.utils.JacksonUtils
import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.autoconfigure.security.SecurityProperties
import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest
import org.springframework.context.annotation.ComponentScan
import org.springframework.core.io.ByteArrayResource
@RunWith(SpringRunner::class)
@WebFluxTest
-@ContextConfiguration(classes = [ExecutionServiceHandler::class, BluePrintCoreConfiguration::class, BluePrintCatalogService::class])
+@ContextConfiguration(classes = [ExecutionServiceHandler::class, BluePrintCoreConfiguration::class, BluePrintCatalogService::class, SecurityProperties::class])
@ComponentScan(basePackages = ["org.onap.ccsdk.apps.blueprintsprocessor", "org.onap.ccsdk.apps.controllerblueprints"])
@TestPropertySource(locations = ["classpath:application-test.properties"])
class ExecutionServiceHandlerTest {
Code Review / ccsdk / apps.git / commitdiff