The WS-Trust flow does not adhere to the Use user store domain in local subject identifier option of the SP

[deshankoswatte]

Describe the issue:

The WS-Trust flow does not adhere to the Use user store domain in local subject identifier option of the SP. Even if it is enabled or not the user store domain is appended to the name identifier of the security token.

How to reproduce:

• Setup a secondary user store in the WSO2 Identity Server.
• Create a user in the secondary user store.
• Setup the WS-Trust flow by following the official documentation at [1] (disable the option Use user store domain in local subject identifier in the service provider) and try out the flow with the user that was created.
• Even if the relevant configuration is disabled the user store domain is appended to the token as follows.

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope
    xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
    <soapenv:Header
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
            <wsu:Timestamp
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1">
                <wsu:Created>2023-07-14T13:25:34.299Z</wsu:Created>
                <wsu:Expires>2023-07-14T13:30:34.299Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
        <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
        <wsa:MessageID>urn:uuid:a52c91b1-2689-4276-bc5c-8c8f7f71ff04</wsa:MessageID>
        <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTRC/IssueFinal</wsa:Action>
        <wsa:RelatesTo>urn:uuid:2e7c4171-415c-49c6-bb8a-3bee3f76b48d</wsa:RelatesTo>
    </soapenv:Header>
    <soapenv:Body>
        <wst:RequestSecurityTokenResponse
            xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
            <wst:RequestedAttachedReference>
                <wsse:SecurityTokenReference
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:Reference URI="#urn:uuid:A63CD1CE7FA80F87321689341134087" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
                </wsse:SecurityTokenReference>
            </wst:RequestedAttachedReference>
            <wst:RequestedUnattachedReference>
                <wsse:SecurityTokenReference
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:Reference URI="urn:uuid:A63CD1CE7FA80F87321689341134087" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
                </wsse:SecurityTokenReference>
            </wst:RequestedUnattachedReference>
            <wsp:AppliesTo
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference
                    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                    <wsa:Address>https://localhost:10443/services/echo</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:Lifetime>
                <wsu:Created
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-07-14T13:25:34.091Z
                </wsu:Created>
                <wsu:Expires
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-07-14T13:30:34.091Z
                </wsu:Expires>
            </wst:Lifetime>
            <wst:RequestedSecurityToken>
                <saml2:Assertion
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="urn:uuid:A63CD1CE7FA80F87321689341134087" IssueInstant="2023-07-14T13:25:34.124Z" Version="2.0">
                    <saml2:Issuer>https://localhost</saml2:Issuer>
                    <ds:Signature
                        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                            <ds:Reference URI="#urn:uuid:A63CD1CE7FA80F87321689341134087">
                                <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                        <ec:InclusiveNamespaces
                                            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                                        </ds:Transform>
                                    </ds:Transforms>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <ds:DigestValue>wsYTJ01zCRzdDEjzcpaqdqbOuCg=</ds:DigestValue>
                                </ds:Reference>
                            </ds:SignedInfo>
                            <ds:SignatureValue>PktuMxhSWgBI5rodhdim8osSvsndiK5eHR4t7VTJ0vceB8P41+z78RacDCYwb/z1MvgTTZWMmlG8ljjmCuj0EClUqUu1nvPEJFWToqLx/TBPTCCTOxwOqX1YMxYwMsIeI+DBYIxqHbBZoQRshMJK21yEoVihifdywKrDuYvL8Gg4jYto+BSHYwBmWdgAjdMSGfimHvRSKZ+tVzUDa9GOOljG+pWzpH6jVnQRH4F7iVacl0LtQwpQfU0HFbGBVAG5xBkZCt85vDcj8spVgow5dHNCKEOOJ8geSZOMqWUbuNJFhzOMXnLbrZpRm95ka4bwpeog4v2avwdmlYLsUYTY4w==</ds:SignatureValue>
                            <ds:KeyInfo>
                                <ds:X509Data>
                                    <ds:X509Certificate>MIIDqTCCApGgAwIBAgIEXbABozANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxDTALBgNVBAsMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xOTEwMjMwNzMwNDNaFw0yMjAxMjUwNzMwNDNaMGQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjENMAsGA1UECwwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxeqoZYbQ/Sr8DOFQ+/qbEbCp6Vzb5hzH7oa3hf2FZxRKF0H6b8COMzz8+0mvEdYVvb/31jMEL2CIQhkQRol1IruD6nBOmkjuXJSBficklMaJZORhuCrB4roHxzoG19aWmscA0gnfBKo2oGXSjJmnZxIh+2X6syHCfyMZZ00LzDyrgoXWQXyFvCA2ax54s7sKiHOM3P4A9W4QUwmoEi4HQmPgJjIM4eGVPh0GtIANN+BOQ1KkUI7OzteHCTLu3VjxM0sw8QRayZdhniPF+U9n3fa1mO4KLBsW4mDLjg8R/JuAGTX/SEEGj0B5HWQAP6myxKFz2xwDaCGvT+rdvkktOwIDAQABo2MwYTAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFEDpLB4PDgzsdxD2FV3rVnOr/A0DMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjALBgNVHQ8EBAMCBPAwDQYJKoZIhvcNAQELBQADggEBAE8H/axAgXjt93HGCYGumULW2lKkgqEvXryP2QkRpbyQSsTYcL7ZLSVB7MVVHtIsHh8f1C4Xq6Qu8NUrqu5ZLC1pUByaqR2ZIzcj/OWLGYRjSTHSVmVIq9QqBq1j7r6f3BWqaOIiknmTzEuqIVlOTY0gO+SHdS62vr2FCz4yOrBEulGAvomsU8sqg4PhFnkhxI4M912Ly+2RgN9L7AkhzK+EzXY1/QtlI/VysNfS6zrHasKz6CrKKCGqQnBnSvSTyF9OR5KFHnkAwE995IZrcSQicMxsLhTMUHDLQ/gRyy7V/ZpDMfAWR+5OeQiNAp/bG4fjJoTdoqkul51+2bHHVrU=</ds:X509Certificate>
                                </ds:X509Data>
                            </ds:KeyInfo>
                        </ds:Signature>
                        <saml2:Subject>
                            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">SECONDARY/wstrusttest</saml2:NameID>
                            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
                        </saml2:Subject>
                        <saml2:Conditions NotBefore="2023-07-14T13:25:34.091Z" NotOnOrAfter="2023-07-14T13:30:34.091Z">
                            <saml2:AudienceRestriction>
                                <saml2:Audience>https://localhost:10443/services/echo</saml2:Audience>
                            </saml2:AudienceRestriction>
                        </saml2:Conditions>
                        <saml2:AttributeStatement>
                            <saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="http://wso2.org/claims/emailaddress">
                                <saml2:AttributeValue
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">wstrusttest@wso2.com
                                </saml2:AttributeValue>
                            </saml2:Attribute>
                            <saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso2.org/claims/givenname">
                                <saml2:AttributeValue
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default
                                </saml2:AttributeValue>
                            </saml2:Attribute>
                        </saml2:AttributeStatement>
                        <saml2:AuthnStatement AuthnInstant="2023-07-14T13:25:34.142Z">
                            <saml2:AuthnContext>
                                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                            </saml2:AuthnContext>
                        </saml2:AuthnStatement>
                    </saml2:Assertion>
                </wst:RequestedSecurityToken>
            </wst:RequestSecurityTokenResponse>
        </soapenv:Body>
    </soapenv:Envelope>

This seems to be occurring since we have not considered this option in the source code. I debugged the issue at a high level and managed to fix the issue by manually setting the name identifier value that was existing in the subject object at [2] (Note: we will also have to have a proper way to extract the SP details so that we can check whether the option is enabled or not). However, please note that the fix should be applied to SAML1 and also the attributes statement values [3] should be checked for this. The fix mentioned here might not be the ideal solution hence feasibility should be checked.

[1] - https://is.docs.wso2.com/en/5.11.0/learn/configuring-ws-trust-security-token-service/ [2] - https://github.com/wso2/wso2-rampart/blob/v1.6.1-wso2v45/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAML2TokenIssuer.java#L268 [3] - https://github.com/wso2/wso2-rampart/blob/v1.6.1-wso2v45/modules/rampart-trust/src/main/java/org/apache/rahas/impl/SAML2TokenIssuer.java#L271

Expected behavior:

The user store domain should not be appended when the option is disabled in the service provider. Sample response after the manual fix is as follows.

<?xml version='1.0' encoding='utf-8'?>
<soapenv:Envelope
    xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
    <soapenv:Header
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
            <wsu:Timestamp
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-28">
                <wsu:Created>2023-07-14T14:04:49.040Z</wsu:Created>
                <wsu:Expires>2023-07-14T14:09:49.040Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
        <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
        <wsa:MessageID>urn:uuid:e311c907-5a70-40ad-bdf2-5656f3737258</wsa:MessageID>
        <wsa:Action>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTRC/IssueFinal</wsa:Action>
        <wsa:RelatesTo>urn:uuid:2e7c4171-415c-49c6-bb8a-3bee3f76b48d</wsa:RelatesTo>
    </soapenv:Header>
    <soapenv:Body>
        <wst:RequestSecurityTokenResponse
            xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
            <wst:RequestedAttachedReference>
                <wsse:SecurityTokenReference
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:Reference URI="#urn:uuid:DC4EE8EAC7F50327CC1689343434322" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
                </wsse:SecurityTokenReference>
            </wst:RequestedAttachedReference>
            <wst:RequestedUnattachedReference>
                <wsse:SecurityTokenReference
                    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:Reference URI="urn:uuid:DC4EE8EAC7F50327CC1689343434322" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
                </wsse:SecurityTokenReference>
            </wst:RequestedUnattachedReference>
            <wsp:AppliesTo
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference
                    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                    <wsa:Address>https://localhost:10443/services/echo</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:Lifetime>
                <wsu:Created
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-07-14T14:03:54.312Z
                </wsu:Created>
                <wsu:Expires
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-07-14T14:08:54.312Z
                </wsu:Expires>
            </wst:Lifetime>
            <wst:RequestedSecurityToken>
                <saml2:Assertion
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="urn:uuid:DC4EE8EAC7F50327CC1689343434322" IssueInstant="2023-07-14T14:03:54.312Z" Version="2.0">
                    <saml2:Issuer>https://localhost</saml2:Issuer>
                    <ds:Signature
                        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                            <ds:Reference URI="#urn:uuid:DC4EE8EAC7F50327CC1689343434322">
                                <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                        <ec:InclusiveNamespaces
                                            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                                        </ds:Transform>
                                    </ds:Transforms>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <ds:DigestValue>bTijqj32ZEcUw+gZuE4xq1yHpi8=</ds:DigestValue>
                                </ds:Reference>
                            </ds:SignedInfo>
                            <ds:SignatureValue>wIDBGZRbNQgSDiiFf2YukTt0yEqvKaJIe7Sy98A95gO3ocxcqXzVzPNpravkcLjPpHcileO7LM4anoERXzfJvbrHlXRm1yTUB13CMiyYpKrKAGsec35VCktUpIDSk5dMvQDZuUISscc6vJ0ZMtTKU8cfyG8c+P06RMcE9DKx8b8uqjmvJIHAtjhaxtwZDxjWLVTo9mBSnppPumQkuJhAG0xn/AHZT2nAv2e2doBcKGDmGV10OMC7lhXKrAhMCDMzrvnxGouPZb/gKrjo7Cxj/GTrGZkTh2vqxDJ4cUI+nnoVrD63Hw7mjyFYXFurA/gec8j4a+sKSytHRSpLkv1r1A==</ds:SignatureValue>
                            <ds:KeyInfo>
                                <ds:X509Data>
                                    <ds:X509Certificate>MIIDqTCCApGgAwIBAgIEXbABozANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxDTALBgNVBAsMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xOTEwMjMwNzMwNDNaFw0yMjAxMjUwNzMwNDNaMGQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjENMAsGA1UECwwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxeqoZYbQ/Sr8DOFQ+/qbEbCp6Vzb5hzH7oa3hf2FZxRKF0H6b8COMzz8+0mvEdYVvb/31jMEL2CIQhkQRol1IruD6nBOmkjuXJSBficklMaJZORhuCrB4roHxzoG19aWmscA0gnfBKo2oGXSjJmnZxIh+2X6syHCfyMZZ00LzDyrgoXWQXyFvCA2ax54s7sKiHOM3P4A9W4QUwmoEi4HQmPgJjIM4eGVPh0GtIANN+BOQ1KkUI7OzteHCTLu3VjxM0sw8QRayZdhniPF+U9n3fa1mO4KLBsW4mDLjg8R/JuAGTX/SEEGj0B5HWQAP6myxKFz2xwDaCGvT+rdvkktOwIDAQABo2MwYTAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFEDpLB4PDgzsdxD2FV3rVnOr/A0DMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjALBgNVHQ8EBAMCBPAwDQYJKoZIhvcNAQELBQADggEBAE8H/axAgXjt93HGCYGumULW2lKkgqEvXryP2QkRpbyQSsTYcL7ZLSVB7MVVHtIsHh8f1C4Xq6Qu8NUrqu5ZLC1pUByaqR2ZIzcj/OWLGYRjSTHSVmVIq9QqBq1j7r6f3BWqaOIiknmTzEuqIVlOTY0gO+SHdS62vr2FCz4yOrBEulGAvomsU8sqg4PhFnkhxI4M912Ly+2RgN9L7AkhzK+EzXY1/QtlI/VysNfS6zrHasKz6CrKKCGqQnBnSvSTyF9OR5KFHnkAwE995IZrcSQicMxsLhTMUHDLQ/gRyy7V/ZpDMfAWR+5OeQiNAp/bG4fjJoTdoqkul51+2bHHVrU=</ds:X509Certificate>
                                </ds:X509Data>
                            </ds:KeyInfo>
                        </ds:Signature>
                        <saml2:Subject>
                            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">wstrusttest</saml2:NameID>
                            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
                        </saml2:Subject>
                        <saml2:Conditions NotBefore="2023-07-14T14:03:54.312Z" NotOnOrAfter="2023-07-14T14:08:54.312Z">
                            <saml2:AudienceRestriction>
                                <saml2:Audience>https://localhost:10443/services/echo</saml2:Audience>
                            </saml2:AudienceRestriction>
                        </saml2:Conditions>
                        <saml2:AttributeStatement>
                            <saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="http://wso2.org/claims/emailaddress">
                                <saml2:AttributeValue
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">wstrusttest@wso2.com
                                </saml2:AttributeValue>
                            </saml2:Attribute>
                            <saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso2.org/claims/givenname">
                                <saml2:AttributeValue
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default
                                </saml2:AttributeValue>
                            </saml2:Attribute>
                        </saml2:AttributeStatement>
                        <saml2:AuthnStatement AuthnInstant="2023-07-14T14:04:49.019Z">
                            <saml2:AuthnContext>
                                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
                            </saml2:AuthnContext>
                        </saml2:AuthnStatement>
                    </saml2:Assertion>
                </wst:RequestedSecurityToken>
            </wst:RequestSecurityTokenResponse>
        </soapenv:Body>
    </soapenv:Envelope>

Environment information (Please complete the following information; remove any unnecessary fields) :

• Product Version: IS 5.11.0.252
• OS: Ubuntu 20.04.3 LTS
• Database: H2
• Userstore: LDAP

---

[aaujayasena]

@nipunsampath any reason even though moved to done status, issue is still open ?