requests-gssapi


Namerequests-gssapi JSON
Version 1.3.0 PyPI version JSON
download
home_page
SummaryA GSSAPI authentication handler for python-requests
upload_time2024-02-16 02:38:07
maintainer
docs_urlNone
authorIan Cordasco, Cory Benfield, Michael Komitee
requires_python>=3.8
licenseISC License Copyright (c) 2012-2017 Kenneth Reitz Copyright (c) 2017 the python-requests-gssapi contributors Copyright (c) 2017 Red Hat, Inc. Permission to use, copy, modify and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS-IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
keywords ansible debug lsp dap
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            requests GSSAPI authentication library
===============================================

Requests is an HTTP library, written in Python, for human beings. This library
adds optional GSSAPI authentication support and supports mutual
authentication.

It provides a fully backward-compatible shim for the old
python-requests-kerberos library: simply replace ``import requests_kerberos``
with ``import requests_gssapi``.  A more powerful interface is provided by the
HTTPSPNEGOAuth component, but this is of course not guaranteed to be
compatible.  Documentation below is written toward the new interface.

Basic GET usage:


.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> r = requests.get("http://example.org", auth=HTTPSPNEGOAuth())
    ...

The entire ``requests.api`` should be supported.

Setup
-----

In order to use this library, there must already be a Kerberos Ticket-Granting
Ticket (TGT) in a credential cache (ccache).  Whether a TGT is available can
be easily determined by running the ``klist`` command.  If no TGT is
available, then it first must be obtained (for instance, by running the
``kinit`` command, or pointing the $KRB5CCNAME to a credential cache with a
valid TGT).

In short, the library will handle the "negotiations" of Kerberos
authentication, but ensuring that a credentials are available and valid is the
responsibility of the user.

Authentication Failures
-----------------------

Client authentication failures will be communicated to the caller by returning
a 401 response.  A 401 response may also be the result of expired credentials
(including the TGT).

Mutual Authentication
---------------------

Mutual authentication is a poorly-named feature of the GSSAPI which doesn't
provide any additional security benefit to most possible uses of
requests_gssapi.  Practically speaking, in most mechanism implementations
(including krb5), it requires another round-trip between the client and server
during the authentication handshake.  Many clients and servers do not properly
handle the authentication handshake taking more than one round-trip.  If you
encounter a MutualAuthenticationError, this is probably why.

So long as you're running over a TLS link whose security guarantees you trust,
there's no benefit to mutual authentication.  If you don't trust the link at
all, mutual authentication won't help (since it's not tamper-proof, and GSSAPI
isn't being used post-authentication.  There's some middle ground between the
two where it helps a small amount (e.g., passive adversary over
encrypted-but-unverified channel), but for Negotiate (what we're doing here),
it's not generally helpful.

For a more technical explanation of what mutual authentication actually
guarantees, I refer you to rfc2743 (GSSAPIv2), rfc4120 (krb5 in GSSAPI),
rfc4178 (SPNEGO), and rfc4559 (HTTP Negotiate).


DISABLED
^^^^^^^^

By default, there's no need to explicitly disable mutual authentication.
However, for compatability with older versions of request_gssapi or
requests_kerberos, you can explicitly request it not be attempted:

.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth, DISABLED
    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=DISABLED)
    >>> r = requests.get("https://example.org", auth=gssapi_auth)
    ...

REQUIRED
^^^^^^^^

This was historically the default, but no longer is.  If requested,
``HTTPSPNEGOAuth`` will require mutual authentication from the server, and if
a server emits a non-error response which cannot be authenticated, a
``requests_gssapi.errors.MutualAuthenticationError`` will be raised.  (See
above for what this means.)  If a server emits an error which cannot be
authenticated, it will be returned to the user but with its contents and
headers stripped.  If the response content is more important than the need for
mutual auth on errors, (eg, for certain WinRM calls) the stripping behavior
can be suppressed by setting ``sanitize_mutual_error_response=False``:

.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth, REQUIRED
    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False)
    >>> r = requests.get("https://windows.example.org/wsman", auth=gssapi_auth)
    ...

OPTIONAL
^^^^^^^^

This will cause ``requests_gssapi`` to attempt mutual authentication if the
server advertises that it supports it, and cause a failure if authentication
fails, but not if the server does not support it at all.  This is probably not
what you want: link tampering will either cause hard failures, or silently
cause it to not happen at all.  It is retained for compatability.

.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth, OPTIONAL
    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=OPTIONAL)
    >>> r = requests.get("https://example.org", auth=gssapi_auth)
    ...

Opportunistic Authentication
----------------------------

``HTTPSPNEGOAuth`` can be forced to preemptively initiate the GSSAPI
exchange and present a token on the initial request (and all
subsequent). By default, authentication only occurs after a
``401 Unauthorized`` response containing a Negotiate challenge
is received from the origin server. This can cause mutual authentication
failures for hosts that use a persistent connection (eg, Windows/WinRM), as
no GSSAPI challenges are sent after the initial auth handshake. This
behavior can be altered by setting  ``opportunistic_auth=True``:

.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> gssapi_auth = HTTPSPNEGOAuth(opportunistic_auth=True)
    >>> r = requests.get("https://windows.example.org/wsman", auth=gssapi_auth)
    ...

`Expect-Continue`
^^^^^^^^^^^^^^^^^

Since `httplib <https://bugs.python.org/issue1346874>`_ does not support the
`Expect-Continue` header, a request with a body will fail with
``401 Unauthorized`` and must be repeated with a GSSAPI exchange. This causes
several issues:

* Additional overhead for request retransmission
* Requests with non-repeatable bodies will fail
* Some servers will already send the approriate error response while your
  client is still streaming the request. Not all reverse proxies can handle that
  properly and will rather fail.

Therefore, in such cases you must enable opportunistic authentication.

Hostname Override
-----------------

If communicating with a host whose DNS name doesn't match its
hostname (eg, behind a content switch or load balancer),
the hostname used for the GSSAPI exchange can be overridden by
passing in a custom name (string or ``gssapi.Name``):

.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> gssapi_auth = HTTPSPNEGOAuth(target_name="internalhost.local")
    >>> r = requests.get("https://externalhost.example.org/", auth=gssapi_auth)
    ...

Explicit Principal
------------------

``HTTPSPNEGOAuth`` normally uses the default principal (ie, the user for whom
you last ran ``kinit`` or ``kswitch``, or an SSO credential if
applicable). However, an explicit credential can be in instead, if desired.

.. code-block:: python

    >>> import gssapi
    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> name = gssapi.Name("user@REALM", gssapi.NameType.user)
    >>> creds = gssapi.Credentials(name=name, usage="initiate")
    >>> gssapi_auth = HTTPSPNEGOAuth(creds=creds)
    >>> r = requests.get("http://example.org", auth=gssapi_auth)
    ...

Explicit Mechanism
------------------

``HTTPSPNEGOAuth`` normally lets SPNEGO decide which negotiation mechanism to use.
However, an explicit mechanism can be used instead if desired. The ``mech``
parameter will be passed straight through to ``gssapi`` without interference.
It is expected to be an instance of ``gssapi.mechs.Mechanism``.

.. code-block:: python

    >>> import gssapi
    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> try:
    ...   krb5 = gssapi.mechs.Mechanism.from_sasl_name("GS2-KRB5")
    ... except AttributeError:
    ...   krb5 = gssapi.OID.from_int_seq("1.2.840.113554.1.2.2")
    >>> gssapi_auth = HTTPSPNEGOAuth(mech=krb5)
    >>> r = requests.get("http://example.org", auth=gssapi_auth)
    ...

Delegation
----------

``requests_gssapi`` supports credential delegation (``GSS_C_DELEG_FLAG``).
To enable delegation of credentials to a server that requests delegation, pass
``delegate=True`` to ``HTTPSPNEGOAuth``:

.. code-block:: python

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> r = requests.get("http://example.org", auth=HTTPSPNEGOAuth(delegate=True))
    ...

Be careful to only allow delegation to servers you trust as they will be able
to impersonate you using the delegated credentials.

Logging
-------

This library makes extensive use of Python's logging facilities.

Log messages are logged to the ``requests_gssapi`` and
``requests_gssapi.gssapi`` named loggers.

If you are having difficulty we suggest you configure logging. Issues with the
underlying GSSAPI libraries will be made apparent. Additionally, copious debug
information is made available which may assist in troubleshooting if you
increase your log level all the way up to debug.

            

Raw data

            {
    "_id": null,
    "home_page": "",
    "name": "requests-gssapi",
    "maintainer": "",
    "docs_url": null,
    "requires_python": ">=3.8",
    "maintainer_email": "",
    "keywords": "ansible,debug,lsp,dap",
    "author": "Ian Cordasco, Cory Benfield, Michael Komitee",
    "author_email": "Robbie Harwood <rharwood@redhat.com>",
    "download_url": "https://files.pythonhosted.org/packages/cf/65/3fcdb60ef9130ea857422651dd4a90e44a6991f7cb832d45872e492649bd/requests-gssapi-1.3.0.tar.gz",
    "platform": null,
    "description": "requests GSSAPI authentication library\n===============================================\n\nRequests is an HTTP library, written in Python, for human beings. This library\nadds optional GSSAPI authentication support and supports mutual\nauthentication.\n\nIt provides a fully backward-compatible shim for the old\npython-requests-kerberos library: simply replace ``import requests_kerberos``\nwith ``import requests_gssapi``.  A more powerful interface is provided by the\nHTTPSPNEGOAuth component, but this is of course not guaranteed to be\ncompatible.  Documentation below is written toward the new interface.\n\nBasic GET usage:\n\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth\n    >>> r = requests.get(\"http://example.org\", auth=HTTPSPNEGOAuth())\n    ...\n\nThe entire ``requests.api`` should be supported.\n\nSetup\n-----\n\nIn order to use this library, there must already be a Kerberos Ticket-Granting\nTicket (TGT) in a credential cache (ccache).  Whether a TGT is available can\nbe easily determined by running the ``klist`` command.  If no TGT is\navailable, then it first must be obtained (for instance, by running the\n``kinit`` command, or pointing the $KRB5CCNAME to a credential cache with a\nvalid TGT).\n\nIn short, the library will handle the \"negotiations\" of Kerberos\nauthentication, but ensuring that a credentials are available and valid is the\nresponsibility of the user.\n\nAuthentication Failures\n-----------------------\n\nClient authentication failures will be communicated to the caller by returning\na 401 response.  A 401 response may also be the result of expired credentials\n(including the TGT).\n\nMutual Authentication\n---------------------\n\nMutual authentication is a poorly-named feature of the GSSAPI which doesn't\nprovide any additional security benefit to most possible uses of\nrequests_gssapi.  Practically speaking, in most mechanism implementations\n(including krb5), it requires another round-trip between the client and server\nduring the authentication handshake.  Many clients and servers do not properly\nhandle the authentication handshake taking more than one round-trip.  If you\nencounter a MutualAuthenticationError, this is probably why.\n\nSo long as you're running over a TLS link whose security guarantees you trust,\nthere's no benefit to mutual authentication.  If you don't trust the link at\nall, mutual authentication won't help (since it's not tamper-proof, and GSSAPI\nisn't being used post-authentication.  There's some middle ground between the\ntwo where it helps a small amount (e.g., passive adversary over\nencrypted-but-unverified channel), but for Negotiate (what we're doing here),\nit's not generally helpful.\n\nFor a more technical explanation of what mutual authentication actually\nguarantees, I refer you to rfc2743 (GSSAPIv2), rfc4120 (krb5 in GSSAPI),\nrfc4178 (SPNEGO), and rfc4559 (HTTP Negotiate).\n\n\nDISABLED\n^^^^^^^^\n\nBy default, there's no need to explicitly disable mutual authentication.\nHowever, for compatability with older versions of request_gssapi or\nrequests_kerberos, you can explicitly request it not be attempted:\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth, DISABLED\n    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=DISABLED)\n    >>> r = requests.get(\"https://example.org\", auth=gssapi_auth)\n    ...\n\nREQUIRED\n^^^^^^^^\n\nThis was historically the default, but no longer is.  If requested,\n``HTTPSPNEGOAuth`` will require mutual authentication from the server, and if\na server emits a non-error response which cannot be authenticated, a\n``requests_gssapi.errors.MutualAuthenticationError`` will be raised.  (See\nabove for what this means.)  If a server emits an error which cannot be\nauthenticated, it will be returned to the user but with its contents and\nheaders stripped.  If the response content is more important than the need for\nmutual auth on errors, (eg, for certain WinRM calls) the stripping behavior\ncan be suppressed by setting ``sanitize_mutual_error_response=False``:\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth, REQUIRED\n    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False)\n    >>> r = requests.get(\"https://windows.example.org/wsman\", auth=gssapi_auth)\n    ...\n\nOPTIONAL\n^^^^^^^^\n\nThis will cause ``requests_gssapi`` to attempt mutual authentication if the\nserver advertises that it supports it, and cause a failure if authentication\nfails, but not if the server does not support it at all.  This is probably not\nwhat you want: link tampering will either cause hard failures, or silently\ncause it to not happen at all.  It is retained for compatability.\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth, OPTIONAL\n    >>> gssapi_auth = HTTPSPNEGOAuth(mutual_authentication=OPTIONAL)\n    >>> r = requests.get(\"https://example.org\", auth=gssapi_auth)\n    ...\n\nOpportunistic Authentication\n----------------------------\n\n``HTTPSPNEGOAuth`` can be forced to preemptively initiate the GSSAPI\nexchange and present a token on the initial request (and all\nsubsequent). By default, authentication only occurs after a\n``401 Unauthorized`` response containing a Negotiate challenge\nis received from the origin server. This can cause mutual authentication\nfailures for hosts that use a persistent connection (eg, Windows/WinRM), as\nno GSSAPI challenges are sent after the initial auth handshake. This\nbehavior can be altered by setting  ``opportunistic_auth=True``:\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth\n    >>> gssapi_auth = HTTPSPNEGOAuth(opportunistic_auth=True)\n    >>> r = requests.get(\"https://windows.example.org/wsman\", auth=gssapi_auth)\n    ...\n\n`Expect-Continue`\n^^^^^^^^^^^^^^^^^\n\nSince `httplib <https://bugs.python.org/issue1346874>`_ does not support the\n`Expect-Continue` header, a request with a body will fail with\n``401 Unauthorized`` and must be repeated with a GSSAPI exchange. This causes\nseveral issues:\n\n* Additional overhead for request retransmission\n* Requests with non-repeatable bodies will fail\n* Some servers will already send the approriate error response while your\n  client is still streaming the request. Not all reverse proxies can handle that\n  properly and will rather fail.\n\nTherefore, in such cases you must enable opportunistic authentication.\n\nHostname Override\n-----------------\n\nIf communicating with a host whose DNS name doesn't match its\nhostname (eg, behind a content switch or load balancer),\nthe hostname used for the GSSAPI exchange can be overridden by\npassing in a custom name (string or ``gssapi.Name``):\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth\n    >>> gssapi_auth = HTTPSPNEGOAuth(target_name=\"internalhost.local\")\n    >>> r = requests.get(\"https://externalhost.example.org/\", auth=gssapi_auth)\n    ...\n\nExplicit Principal\n------------------\n\n``HTTPSPNEGOAuth`` normally uses the default principal (ie, the user for whom\nyou last ran ``kinit`` or ``kswitch``, or an SSO credential if\napplicable). However, an explicit credential can be in instead, if desired.\n\n.. code-block:: python\n\n    >>> import gssapi\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth\n    >>> name = gssapi.Name(\"user@REALM\", gssapi.NameType.user)\n    >>> creds = gssapi.Credentials(name=name, usage=\"initiate\")\n    >>> gssapi_auth = HTTPSPNEGOAuth(creds=creds)\n    >>> r = requests.get(\"http://example.org\", auth=gssapi_auth)\n    ...\n\nExplicit Mechanism\n------------------\n\n``HTTPSPNEGOAuth`` normally lets SPNEGO decide which negotiation mechanism to use.\nHowever, an explicit mechanism can be used instead if desired. The ``mech``\nparameter will be passed straight through to ``gssapi`` without interference.\nIt is expected to be an instance of ``gssapi.mechs.Mechanism``.\n\n.. code-block:: python\n\n    >>> import gssapi\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth\n    >>> try:\n    ...   krb5 = gssapi.mechs.Mechanism.from_sasl_name(\"GS2-KRB5\")\n    ... except AttributeError:\n    ...   krb5 = gssapi.OID.from_int_seq(\"1.2.840.113554.1.2.2\")\n    >>> gssapi_auth = HTTPSPNEGOAuth(mech=krb5)\n    >>> r = requests.get(\"http://example.org\", auth=gssapi_auth)\n    ...\n\nDelegation\n----------\n\n``requests_gssapi`` supports credential delegation (``GSS_C_DELEG_FLAG``).\nTo enable delegation of credentials to a server that requests delegation, pass\n``delegate=True`` to ``HTTPSPNEGOAuth``:\n\n.. code-block:: python\n\n    >>> import requests\n    >>> from requests_gssapi import HTTPSPNEGOAuth\n    >>> r = requests.get(\"http://example.org\", auth=HTTPSPNEGOAuth(delegate=True))\n    ...\n\nBe careful to only allow delegation to servers you trust as they will be able\nto impersonate you using the delegated credentials.\n\nLogging\n-------\n\nThis library makes extensive use of Python's logging facilities.\n\nLog messages are logged to the ``requests_gssapi`` and\n``requests_gssapi.gssapi`` named loggers.\n\nIf you are having difficulty we suggest you configure logging. Issues with the\nunderlying GSSAPI libraries will be made apparent. Additionally, copious debug\ninformation is made available which may assist in troubleshooting if you\nincrease your log level all the way up to debug.\n",
    "bugtrack_url": null,
    "license": "ISC License  Copyright (c) 2012-2017 Kenneth Reitz Copyright (c) 2017 the python-requests-gssapi contributors Copyright (c) 2017 Red Hat, Inc.  Permission to use, copy, modify and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.  THE SOFTWARE IS PROVIDED \"AS-IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ",
    "summary": "A GSSAPI authentication handler for python-requests",
    "version": "1.3.0",
    "project_urls": {
        "homepage": "https://github.com/pythongssapi/requests-gssapi"
    },
    "split_keywords": [
        "ansible",
        "debug",
        "lsp",
        "dap"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "dde686bf684d56220efd3c1d937b6646230abd17d3b482dcd94a63addccf4650",
                "md5": "412c051fc254c81c446f12d6500f8fec",
                "sha256": "f36303cd989c54d54630c30f1ef73d7e23acdede2285c941631192e51b4da418"
            },
            "downloads": -1,
            "filename": "requests_gssapi-1.3.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "412c051fc254c81c446f12d6500f8fec",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.8",
            "size": 12319,
            "upload_time": "2024-02-16T02:38:05",
            "upload_time_iso_8601": "2024-02-16T02:38:05.951052Z",
            "url": "https://files.pythonhosted.org/packages/dd/e6/86bf684d56220efd3c1d937b6646230abd17d3b482dcd94a63addccf4650/requests_gssapi-1.3.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "cf653fcdb60ef9130ea857422651dd4a90e44a6991f7cb832d45872e492649bd",
                "md5": "883703b1d07182ffc2fa8b2b1a2984cf",
                "sha256": "4d52bf8c2aa2a829130efcca85c14943fdd0aa75455aab985b2b8726159c20ca"
            },
            "downloads": -1,
            "filename": "requests-gssapi-1.3.0.tar.gz",
            "has_sig": false,
            "md5_digest": "883703b1d07182ffc2fa8b2b1a2984cf",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.8",
            "size": 18681,
            "upload_time": "2024-02-16T02:38:07",
            "upload_time_iso_8601": "2024-02-16T02:38:07.760408Z",
            "url": "https://files.pythonhosted.org/packages/cf/65/3fcdb60ef9130ea857422651dd4a90e44a6991f7cb832d45872e492649bd/requests-gssapi-1.3.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-02-16 02:38:07",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "pythongssapi",
    "github_project": "requests-gssapi",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "requests-gssapi"
}
        
Elapsed time: 0.35430s