src/modules/rlm_preprocess/rlm_preprocess.c

   1 /*
   2  * rlm_preprocess.c
   3  *              Contains the functions for the "huntgroups" and "hints"
   4  *              files.
   5  *
   6  * Version:     $Id$
   7  *
   8  *   This program is free software; you can redistribute it and/or modify
   9  *   it under the terms of the GNU General Public License as published by
  10  *   the Free Software Foundation; either version 2 of the License, or
  11  *   (at your option) any later version.
  12  *
  13  *   This program is distributed in the hope that it will be useful,
  14  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *   GNU General Public License for more details.
  17  *
  18  *   You should have received a copy of the GNU General Public License
  19  *   along with this program; if not, write to the Free Software
  20  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  21  *
  22  * Copyright 2000,2006  The FreeRADIUS server project
  23  * Copyright 2000  Alan DeKok <aland@ox.org>
  24  */
  25
  26 #include        <freeradius-devel/ident.h>
  27 RCSID("$Id$")
  28
  29 #include        <freeradius-devel/radiusd.h>
  30 #include        <freeradius-devel/modules.h>
  31 #include        <freeradius-devel/rad_assert.h>
  32
  33 #include        <ctype.h>
  34
  35 typedef struct rlm_preprocess_t {
  36         char            *huntgroup_file;
  37         char            *hints_file;
  38         PAIR_LIST       *huntgroups;
  39         PAIR_LIST       *hints;
  40         int             with_ascend_hack;
  41         int             ascend_channels_per_line;
  42         int             with_ntdomain_hack;
  43         int             with_specialix_jetstream_hack;
  44         int             with_cisco_vsa_hack;
  45         int             with_alvarion_vsa_hack;
  46 } rlm_preprocess_t;
  47
  48 static const CONF_PARSER module_config[] = {
  49         { "huntgroups",                 PW_TYPE_FILENAME,
  50           offsetof(rlm_preprocess_t,huntgroup_file), NULL,
  51           "${raddbdir}/huntgroups" },
  52         { "hints",                      PW_TYPE_FILENAME,
  53           offsetof(rlm_preprocess_t,hints_file), NULL,
  54           "${raddbdir}/hints" },
  55         { "with_ascend_hack",           PW_TYPE_BOOLEAN,
  56           offsetof(rlm_preprocess_t,with_ascend_hack), NULL, "no" },
  57         { "ascend_channels_per_line",   PW_TYPE_INTEGER,
  58           offsetof(rlm_preprocess_t,ascend_channels_per_line), NULL, "23" },
  59
  60         { "with_ntdomain_hack",         PW_TYPE_BOOLEAN,
  61           offsetof(rlm_preprocess_t,with_ntdomain_hack), NULL, "no" },
  62         { "with_specialix_jetstream_hack",  PW_TYPE_BOOLEAN,
  63           offsetof(rlm_preprocess_t,with_specialix_jetstream_hack), NULL,
  64           "no" },
  65         { "with_cisco_vsa_hack",        PW_TYPE_BOOLEAN,
  66           offsetof(rlm_preprocess_t,with_cisco_vsa_hack), NULL, "no" },
  67         { "with_alvarion_vsa_hack",        PW_TYPE_BOOLEAN,
  68           offsetof(rlm_preprocess_t,with_alvarion_vsa_hack), NULL, "no" },
  69
  70         { NULL, -1, 0, NULL, NULL }
  71 };
  72
  73 /*
  74  *     See if a VALUE_PAIR list contains Fall-Through = Yes
  75  */
  76 static int fallthrough(VALUE_PAIR *vp)
  77 {
  78         VALUE_PAIR *tmp;
  79         tmp = pairfind(vp, PW_FALL_THROUGH);
  80
  81         return tmp ? tmp->lvalue : 0;
  82 }
  83
  84 /*
  85  *      dgreer --
  86  *      This hack changes Ascend's wierd port numberings
  87  *      to standard 0-??? port numbers so that the "+" works
  88  *      for IP address assignments.
  89  */
  90 static void ascend_nasport_hack(VALUE_PAIR *nas_port, int channels_per_line)
  91 {
  92         int service;
  93         int line;
  94         int channel;
  95
  96         if (!nas_port) {
  97                 return;
  98         }
  99
 100         if (nas_port->vp_integer > 9999) {
 101                 service = nas_port->vp_integer/10000; /* 1=digital 2=analog */
 102                 line = (nas_port->vp_integer - (10000 * service)) / 100;
 103                 channel = nas_port->vp_integer-((10000 * service)+(100 * line));
 104                 nas_port->vp_integer =
 105                         (channel - 1) + (line - 1) * channels_per_line;
 106         }
 107 }
 108
 109 /*
 110  *      ThomasJ --
 111  *      This hack strips out Cisco's VSA duplicities in lines
 112  *      (Cisco not implemented VSA's in standard way.
 113  *
 114  *      Cisco sends it's VSA attributes with the attribute name *again*
 115  *      in the string, like:  H323-Attribute = "h323-attribute=value".
 116  *      This sort of behaviour is nonsense.
 117  */
 118 static void cisco_vsa_hack(VALUE_PAIR *vp)
 119 {
 120         int             vendorcode;
 121         char            *ptr;
 122         char            newattr[MAX_STRING_LEN];
 123
 124         for ( ; vp != NULL; vp = vp->next) {
 125                 vendorcode = VENDOR(vp->attribute);
 126                 if (!((vendorcode == 9) || (vendorcode == 6618))) continue; /* not a Cisco or Quintum VSA, continue */
 127
 128                 if (vp->type != PW_TYPE_STRING) continue;
 129
 130                 /*
 131                  *  No weird packing.  Ignore it.
 132                  */
 133                 ptr = strchr(vp->vp_strvalue, '='); /* find an '=' */
 134                 if (!ptr) continue;
 135
 136                 /*
 137                  *      Cisco-AVPair's get packed as:
 138                  *
 139                  *      Cisco-AVPair = "h323-foo-bar = baz"
 140                  *      Cisco-AVPair = "h323-foo-bar=baz"
 141                  *
 142                  *      which makes sense only if you're a lunatic.
 143                  *      This code looks for the attribute named inside
 144                  *      of the string, and if it exists, adds it as a new
 145                  *      attribute.
 146                  */
 147                 if ((vp->attribute & 0xffff) == 1) {
 148                         const char *p;
 149                         DICT_ATTR       *dattr;
 150
 151                         p = vp->vp_strvalue;
 152                         gettoken(&p, newattr, sizeof(newattr));
 153
 154                         if (((dattr = dict_attrbyname(newattr)) != NULL) &&
 155                             (dattr->type == PW_TYPE_STRING)) {
 156                                 VALUE_PAIR *newvp;
 157
 158                                 /*
 159                                  *  Make a new attribute.
 160                                  */
 161                                 newvp = pairmake(newattr, ptr + 1, T_OP_EQ);
 162                                 if (newvp) {
 163                                         pairadd(&vp, newvp);
 164                                 }
 165                         }
 166                 } else {        /* h322-foo-bar = "h323-foo-bar = baz" */
 167                         /*
 168                          *      We strip out the duplicity from the
 169                          *      value field, we use only the value on
 170                          *      the right side of the '=' character.
 171                          */
 172                         strlcpy(newattr, ptr + 1, sizeof(newattr));
 173                         strlcpy((char *)vp->vp_strvalue, newattr,
 174                                 sizeof(vp->vp_strvalue));
 175                         vp->length = strlen((char *)vp->vp_strvalue);
 176                 }
 177         }
 178 }
 179
 180
 181 /*
 182  *      Don't even ask what this is doing...
 183  */
 184 static void alvarion_vsa_hack(VALUE_PAIR *vp)
 185 {
 186         int             vendorcode;
 187         int             number = 1;
 188
 189         for ( ; vp != NULL; vp = vp->next) {
 190                 DICT_ATTR *da;
 191
 192                 vendorcode = VENDOR(vp->attribute);
 193                 if (vendorcode != 12394) continue;
 194                 if (vp->type != PW_TYPE_STRING) continue;
 195
 196                 da = dict_attrbyvalue(number | (12394 << 16));
 197                 if (!da) continue;
 198
 199                 vp->attribute = da->attr;
 200                 vp->name = da->name;
 201
 202                 number++;
 203         }
 204 }
 205
 206 /*
 207  *      Mangle username if needed, IN PLACE.
 208  */
 209 static void rad_mangle(rlm_preprocess_t *data, REQUEST *request)
 210 {
 211         VALUE_PAIR      *namepair;
 212         VALUE_PAIR      *request_pairs;
 213         VALUE_PAIR      *tmp;
 214
 215         /*
 216          *      Get the username from the request
 217          *      If it isn't there, then we can't mangle the request.
 218          */
 219         request_pairs = request->packet->vps;
 220         namepair = pairfind(request_pairs, PW_USER_NAME);
 221         if ((namepair == NULL) ||
 222             (namepair->length <= 0)) {
 223           return;
 224         }
 225
 226         if (data->with_ntdomain_hack) {
 227                 char            *ptr;
 228                 char            newname[MAX_STRING_LEN];
 229
 230                 /*
 231                  *      Windows NT machines often authenticate themselves as
 232                  *      NT_DOMAIN\username. Try to be smart about this.
 233                  *
 234                  *      FIXME: should we handle this as a REALM ?
 235                  */
 236                 if ((ptr = strchr(namepair->vp_strvalue, '\\')) != NULL) {
 237                         strlcpy(newname, ptr + 1, sizeof(newname));
 238                         /* Same size */
 239                         strcpy(namepair->vp_strvalue, newname);
 240                         namepair->length = strlen(newname);
 241                 }
 242         }
 243
 244         if (data->with_specialix_jetstream_hack) {
 245                 char            *ptr;
 246
 247                 /*
 248                  *      Specialix Jetstream 8500 24 port access server.
 249                  *      If the user name is 10 characters or longer, a "/"
 250                  *      and the excess characters after the 10th are
 251                  *      appended to the user name.
 252                  *
 253                  *      Reported by Lucas Heise <root@laonet.net>
 254                  */
 255                 if ((strlen((char *)namepair->vp_strvalue) > 10) &&
 256                     (namepair->vp_strvalue[10] == '/')) {
 257                         for (ptr = (char *)namepair->vp_strvalue + 11; *ptr; ptr++)
 258                                 *(ptr - 1) = *ptr;
 259                         *(ptr - 1) = 0;
 260                         namepair->length = strlen((char *)namepair->vp_strvalue);
 261                 }
 262         }
 263
 264         /*
 265          *      Small check: if Framed-Protocol present but Service-Type
 266          *      is missing, add Service-Type = Framed-User.
 267          */
 268         if (pairfind(request_pairs, PW_FRAMED_PROTOCOL) != NULL &&
 269             pairfind(request_pairs, PW_SERVICE_TYPE) == NULL) {
 270                 tmp = radius_paircreate(request, &request->packet->vps,
 271                                         PW_SERVICE_TYPE, PW_TYPE_INTEGER);
 272                 tmp->vp_integer = PW_FRAMED_USER;
 273         }
 274 }
 275
 276 /*
 277  *      Compare the request with the "reply" part in the
 278  *      huntgroup, which normally only contains username or group.
 279  *      At least one of the "reply" items has to match.
 280  */
 281 static int hunt_paircmp(REQUEST *req, VALUE_PAIR *request, VALUE_PAIR *check)
 282 {
 283         VALUE_PAIR      *check_item = check;
 284         VALUE_PAIR      *tmp;
 285         int             result = -1;
 286
 287         if (check == NULL) return 0;
 288
 289         while (result != 0 && check_item != NULL) {
 290
 291                 tmp = check_item->next;
 292                 check_item->next = NULL;
 293
 294                 result = paircompare(req, request, check_item, NULL);
 295
 296                 check_item->next = tmp;
 297                 check_item = check_item->next;
 298         }
 299
 300         return result;
 301 }
 302
 303
 304 /*
 305  *      Add hints to the info sent by the terminal server
 306  *      based on the pattern of the username, and other attributes.
 307  */
 308 static int hints_setup(PAIR_LIST *hints, REQUEST *request)
 309 {
 310         char            *name;
 311         VALUE_PAIR      *add;
 312         VALUE_PAIR      *tmp;
 313         PAIR_LIST       *i;
 314         VALUE_PAIR *request_pairs;
 315         int             updated = 0, ft;
 316
 317
 318         request_pairs = request->packet->vps;
 319
 320         if (hints == NULL || request_pairs == NULL)
 321                 return RLM_MODULE_NOOP;
 322
 323         /*
 324          *      Check for valid input, zero length names not permitted
 325          */
 326         if ((tmp = pairfind(request_pairs, PW_USER_NAME)) == NULL)
 327                 name = NULL;
 328         else
 329                 name = (char *)tmp->vp_strvalue;
 330
 331         if (name == NULL || name[0] == 0)
 332                 /*
 333                  *      No name, nothing to do.
 334                  */
 335                 return RLM_MODULE_NOOP;
 336
 337         for (i = hints; i; i = i->next) {
 338                 /*
 339                  *      Use "paircompare", which is a little more general...
 340                  */
 341                 if (((strcmp(i->name, "DEFAULT") == 0) ||
 342                      (strcmp(i->name, name) == 0)) &&
 343                     (paircompare(request, request_pairs, i->check, NULL) == 0)) {
 344                         RDEBUG2("  hints: Matched %s at %d",
 345                                i->name, i->lineno);
 346                         /*
 347                          *      Now add all attributes to the request list,
 348                          *      except PW_STRIP_USER_NAME and PW_FALL_THROUGH
 349                          *      and xlat them.
 350                          */
 351                         add = paircopy(i->reply);
 352                         ft = fallthrough(add);
 353                         pairdelete(&add, PW_STRIP_USER_NAME);
 354                         pairdelete(&add, PW_FALL_THROUGH);
 355                         pairxlatmove(request, &request->packet->vps, &add);
 356                         pairfree(&add);
 357                         updated = 1;
 358                         if (!ft) break;
 359                 }
 360         }
 361
 362         if (updated == 0) return RLM_MODULE_NOOP;
 363
 364         return RLM_MODULE_UPDATED;
 365 }
 366
 367 /*
 368  *      See if we have access to the huntgroup.
 369  */
 370 static int huntgroup_access(REQUEST *request, PAIR_LIST *huntgroups)
 371 {
 372         PAIR_LIST       *i;
 373         int             r = RLM_MODULE_OK;
 374         VALUE_PAIR      *request_pairs = request->packet->vps;
 375
 376         /*
 377          *      We're not controlling access by huntgroups:
 378          *      Allow them in.
 379          */
 380         if (huntgroups == NULL)
 381                 return RLM_MODULE_OK;
 382
 383         for(i = huntgroups; i; i = i->next) {
 384                 /*
 385                  *      See if this entry matches.
 386                  */
 387                 if (paircompare(request, request_pairs, i->check, NULL) != 0)
 388                         continue;
 389
 390                 /*
 391                  *      Now check for access.
 392                  */
 393                 r = RLM_MODULE_REJECT;
 394                 if (hunt_paircmp(request, request_pairs, i->reply) == 0) {
 395                         VALUE_PAIR *vp;
 396
 397                         /*
 398                          *  We've matched the huntgroup, so add it in
 399                          *  to the list of request pairs.
 400                          */
 401                         vp = pairfind(request_pairs, PW_HUNTGROUP_NAME);
 402                         if (!vp) {
 403                                 vp = radius_paircreate(request,
 404                                                        &request->packet->vps,
 405                                                        PW_HUNTGROUP_NAME,
 406                                                        PW_TYPE_STRING);
 407                                 strlcpy(vp->vp_strvalue, i->name,
 408                                         sizeof(vp->vp_strvalue));
 409                                 vp->length = strlen(vp->vp_strvalue);
 410                         }
 411                         r = RLM_MODULE_OK;
 412                 }
 413                 break;
 414         }
 415
 416         return r;
 417 }
 418
 419 /*
 420  *      If the NAS wasn't smart enought to add a NAS-IP-Address
 421  *      to the request, then add it ourselves.
 422  */
 423 static int add_nas_attr(REQUEST *request)
 424 {
 425         VALUE_PAIR *nas;
 426
 427         switch (request->packet->src_ipaddr.af) {
 428         case AF_INET:
 429                 nas = pairfind(request->packet->vps, PW_NAS_IP_ADDRESS);
 430                 if (!nas) {
 431                         nas = radius_paircreate(request, &request->packet->vps,
 432                                                 PW_NAS_IP_ADDRESS,
 433                                                 PW_TYPE_IPADDR);
 434                         nas->vp_ipaddr = request->packet->src_ipaddr.ipaddr.ip4addr.s_addr;
 435                 }
 436                 break;
 437
 438         case AF_INET6:
 439                 nas = pairfind(request->packet->vps, PW_NAS_IPV6_ADDRESS);
 440                 if (!nas) {
 441                         nas = radius_paircreate(request, &request->packet->vps,
 442                                                 PW_NAS_IPV6_ADDRESS,
 443                                                 PW_TYPE_IPV6ADDR);
 444                         memcpy(nas->vp_strvalue,
 445                                &request->packet->src_ipaddr.ipaddr,
 446                                sizeof(request->packet->src_ipaddr.ipaddr));
 447                 }
 448                 break;
 449
 450         default:
 451                 radlog(L_ERR, "Unknown address family for packet");
 452                 return -1;
 453         }
 454
 455         return 0;
 456 }
 457
 458
 459 /*
 460  *      Initialize.
 461  */
 462 static int preprocess_instantiate(CONF_SECTION *conf, void **instance)
 463 {
 464         int     rcode;
 465         rlm_preprocess_t *data;
 466
 467         /*
 468          *      Allocate room to put the module's instantiation data.
 469          */
 470         data = (rlm_preprocess_t *) rad_malloc(sizeof(*data));
 471         memset(data, 0, sizeof(*data));
 472
 473         /*
 474          *      Read this modules configuration data.
 475          */
 476         if (cf_section_parse(conf, data, module_config) < 0) {
 477                 free(data);
 478                 return -1;
 479         }
 480
 481         data->huntgroups = NULL;
 482         data->hints = NULL;
 483
 484         /*
 485          *      Read the huntgroups file.
 486          */
 487         rcode = pairlist_read(data->huntgroup_file, &(data->huntgroups), 0);
 488         if (rcode < 0) {
 489                 radlog(L_ERR|L_CONS, "rlm_preprocess: Error reading %s",
 490                        data->huntgroup_file);
 491                 return -1;
 492         }
 493
 494         /*
 495          *      Read the hints file.
 496          */
 497         rcode = pairlist_read(data->hints_file, &(data->hints), 0);
 498         if (rcode < 0) {
 499                 radlog(L_ERR|L_CONS, "rlm_preprocess: Error reading %s",
 500                        data->hints_file);
 501                 return -1;
 502         }
 503
 504         /*
 505          *      Save the instantiation data for later.
 506          */
 507         *instance = data;
 508
 509         return 0;
 510 }
 511
 512 /*
 513  *      Preprocess a request.
 514  */
 515 static int preprocess_authorize(void *instance, REQUEST *request)
 516 {
 517         int r;
 518         rlm_preprocess_t *data = (rlm_preprocess_t *) instance;
 519
 520         /*
 521          *      Mangle the username, to get rid of stupid implementation
 522          *      bugs.
 523          */
 524         rad_mangle(data, request);
 525
 526         if (data->with_ascend_hack) {
 527                 /*
 528                  *      If we're using Ascend systems, hack the NAS-Port-Id
 529                  *      in place, to go from Ascend's weird values to something
 530                  *      approaching rationality.
 531                  */
 532                 ascend_nasport_hack(pairfind(request->packet->vps,
 533                                              PW_NAS_PORT),
 534                                     data->ascend_channels_per_line);
 535         }
 536
 537         if (data->with_cisco_vsa_hack) {
 538                 /*
 539                  *      We need to run this hack because the h323-conf-id
 540                  *      attribute should be used.
 541                  */
 542                 cisco_vsa_hack(request->packet->vps);
 543         }
 544
 545         if (data->with_alvarion_vsa_hack) {
 546                 /*
 547                  *      We need to run this hack because the Alvarion
 548                  *      people are crazy.
 549                  */
 550                 alvarion_vsa_hack(request->packet->vps);
 551         }
 552
 553         /*
 554          *      Note that we add the Request-Src-IP-Address to the request
 555          *      structure BEFORE checking huntgroup access.  This allows
 556          *      the Request-Src-IP-Address to be used for huntgroup
 557          *      comparisons.
 558          */
 559         if (add_nas_attr(request) < 0) {
 560                 return RLM_MODULE_FAIL;
 561         }
 562
 563         hints_setup(data->hints, request);
 564
 565         /*
 566          *      If there is a PW_CHAP_PASSWORD attribute but there
 567          *      is PW_CHAP_CHALLENGE we need to add it so that other
 568          *      modules can use it as a normal attribute.
 569          */
 570         if (pairfind(request->packet->vps, PW_CHAP_PASSWORD) &&
 571             pairfind(request->packet->vps, PW_CHAP_CHALLENGE) == NULL) {
 572                 VALUE_PAIR *vp;
 573
 574                 vp = radius_paircreate(request, &request->packet->vps,
 575                                        PW_CHAP_CHALLENGE, PW_TYPE_OCTETS);
 576                 vp->length = AUTH_VECTOR_LEN;
 577                 memcpy(vp->vp_strvalue, request->packet->vector, AUTH_VECTOR_LEN);
 578         }
 579
 580         if ((r = huntgroup_access(request,
 581                                   data->huntgroups)) != RLM_MODULE_OK) {
 582                 char buf[1024];
 583                 radlog_request(L_AUTH, 0, request, "No huntgroup access: [%s] (%s)",
 584                        request->username ? request->username->vp_strvalue : "<NO User-Name>",
 585                        auth_name(buf, sizeof(buf), request, 1));
 586                 return r;
 587         }
 588
 589         return RLM_MODULE_OK; /* Meaning: try next authorization module */
 590 }
 591
 592 /*
 593  *      Preprocess a request before accounting
 594  */
 595 static int preprocess_preaccounting(void *instance, REQUEST *request)
 596 {
 597         int r;
 598         rlm_preprocess_t *data = (rlm_preprocess_t *) instance;
 599
 600         /*
 601          *  Ensure that we have the SAME user name for both
 602          *  authentication && accounting.
 603          */
 604         rad_mangle(data, request);
 605
 606         if (data->with_cisco_vsa_hack) {
 607                 /*
 608                  *      We need to run this hack because the h323-conf-id
 609                  *      attribute should be used.
 610                  */
 611                 cisco_vsa_hack(request->packet->vps);
 612         }
 613
 614         if (data->with_alvarion_vsa_hack) {
 615                 /*
 616                  *      We need to run this hack because the Alvarion
 617                  *      people are crazy.
 618                  */
 619                 alvarion_vsa_hack(request->packet->vps);
 620         }
 621
 622         /*
 623          *  Ensure that we log the NAS IP Address in the packet.
 624          */
 625         if (add_nas_attr(request) < 0) {
 626                 return RLM_MODULE_FAIL;
 627         }
 628
 629         hints_setup(data->hints, request);
 630
 631         if ((r = huntgroup_access(request,
 632                                   data->huntgroups)) != RLM_MODULE_OK) {
 633                 char buf[1024];
 634                 radlog_request(L_INFO, 0, request, "No huntgroup access: [%s] (%s)",
 635                        request->username ? request->username->vp_strvalue : "<NO User-Name>",
 636                        auth_name(buf, sizeof(buf), request, 1));
 637                 return r;
 638         }
 639
 640         return r;
 641 }
 642
 643 /*
 644  *      Clean up the module's instance.
 645  */
 646 static int preprocess_detach(void *instance)
 647 {
 648         rlm_preprocess_t *data = (rlm_preprocess_t *) instance;
 649
 650         pairlist_free(&(data->huntgroups));
 651         pairlist_free(&(data->hints));
 652
 653         free(data);
 654
 655         return 0;
 656 }
 657
 658 /* globally exported name */
 659 module_t rlm_preprocess = {
 660         RLM_MODULE_INIT,
 661         "preprocess",
 662         RLM_TYPE_CHECK_CONFIG_SAFE,     /* type */
 663         preprocess_instantiate, /* instantiation */
 664         preprocess_detach,      /* detach */
 665         {
 666                 NULL,                   /* authentication */
 667                 preprocess_authorize,   /* authorization */
 668                 preprocess_preaccounting, /* pre-accounting */
 669                 NULL,                   /* accounting */
 670                 NULL,                   /* checksimul */
 671                 NULL,                   /* pre-proxy */
 672                 NULL,                   /* post-proxy */
 673                 NULL                    /* post-auth */
 674         },
 675 };
 676