nextcloud/lib/private/Setup/PostgreSQL.php

<?php
/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
 * @author Bart Visscher <bartv@thisnet.nl>
 * @author Christoph Wurst <christoph@winzerhof-wurst.at>
 * @author eduardo <eduardo@vnexu.net>
 * @author Joas Schilling <coding@schilljs.com>
 * @author Lukas Reschke <lukas@statuscode.ch>
 * @author Morris Jobke <hey@morrisjobke.de>
 * @author Robin Appelman <robin@icewind.nl>
 * @author Vitor Mattos <vitor@php.rio>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */
namespace OC\Setup;

use OC\DatabaseException;
use OC\DB\Connection;
use OC\DB\QueryBuilder\Literal;
use OCP\Security\ISecureRandom;

class PostgreSQL extends AbstractDatabase {
	public $dbprettyname = 'PostgreSQL';

	/**
	 * @param string $username
	 * @throws \OC\DatabaseSetupException
	 */
	public function setupDatabase($username) {
		try {
			$connection = $this->connect([
				'dbname' => 'postgres'
			]);
			if ($this->tryCreateDbUser) {
				//check for roles creation rights in postgresql
				$builder = $connection->getQueryBuilder();
				$builder->automaticTablePrefix(false);
				$query = $builder
					->select('rolname')
					->from('pg_roles')
					->where($builder->expr()->eq('rolcreaterole', new Literal('TRUE')))
					->andWhere($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));

				try {
					$result = $query->execute();
					$canCreateRoles = $result->rowCount() > 0;
				} catch (DatabaseException $e) {
					$canCreateRoles = false;
				}

				if ($canCreateRoles) {
					$connectionMainDatabase = $this->connect();
					//use the admin login data for the new database user

					//add prefix to the postgresql user name to prevent collisions
					$this->dbUser = 'oc_' . strtolower($username);
					//create a new password so we don't need to store the admin config in the config file
					$this->dbPassword = \OC::$server->getSecureRandom()->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);

					$this->createDBUser($connection);

					// Go to the main database and grant create on the public schema
					// The code below is implemented to make installing possible with PostgreSQL version 15:
					// https://www.postgresql.org/docs/release/15.0/
					// From the release notes: For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases
					// Therefore we assume that the database is only used by one user/service which is Nextcloud
					// Additional services should get installed in a separate database in order to stay secure
					// Also see https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
					$connectionMainDatabase->executeQuery('GRANT CREATE ON SCHEMA public TO "' . addslashes($this->dbUser) . '"');
					$connectionMainDatabase->close();
				}
			}

			$this->config->setValues([
				'dbuser' => $this->dbUser,
				'dbpassword' => $this->dbPassword,
			]);

			//create the database
			$this->createDatabase($connection);
			// the connection to dbname=postgres is not needed anymore
			$connection->close();
		} catch (\Exception $e) {
			$this->logger->warning('Error trying to connect as "postgres", assuming database is setup and tables need to be created', [
				'exception' => $e,
			]);
			$this->config->setValues([
				'dbuser' => $this->dbUser,
				'dbpassword' => $this->dbPassword,
			]);
		}

		// connect to the database (dbname=$this->dbname) and check if it needs to be filled
		$this->dbUser = $this->config->getValue('dbuser');
		$this->dbPassword = $this->config->getValue('dbpassword');
		$connection = $this->connect();
		try {
			$connection->connect();
		} catch (\Exception $e) {
			$this->logger->error($e->getMessage(), [
				'exception' => $e,
			]);
			throw new \OC\DatabaseSetupException($this->trans->t('PostgreSQL Login and/or password not valid'),
				$this->trans->t('You need to enter details of an existing account.'), 0, $e);
		}
	}

	private function createDatabase(Connection $connection) {
		if (!$this->databaseExists($connection)) {
			//The database does not exists... let's create it
			$query = $connection->prepare("CREATE DATABASE " . addslashes($this->dbName) . " OWNER \"" . addslashes($this->dbUser) . '"');
			try {
				$query->execute();
			} catch (DatabaseException $e) {
				$this->logger->error('Error while trying to create database', [
					'exception' => $e,
				]);
			}
		} else {
			$query = $connection->prepare("REVOKE ALL PRIVILEGES ON DATABASE " . addslashes($this->dbName) . " FROM PUBLIC");
			try {
				$query->execute();
			} catch (DatabaseException $e) {
				$this->logger->error('Error while trying to restrict database permissions', [
					'exception' => $e,
				]);
			}
		}
	}

	private function userExists(Connection $connection) {
		$builder = $connection->getQueryBuilder();
		$builder->automaticTablePrefix(false);
		$query = $builder->select('*')
			->from('pg_roles')
			->where($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));
		$result = $query->execute();
		return $result->rowCount() > 0;
	}

	private function databaseExists(Connection $connection) {
		$builder = $connection->getQueryBuilder();
		$builder->automaticTablePrefix(false);
		$query = $builder->select('datname')
			->from('pg_database')
			->where($builder->expr()->eq('datname', $builder->createNamedParameter($this->dbName)));
		$result = $query->execute();
		return $result->rowCount() > 0;
	}

	private function createDBUser(Connection $connection) {
		$dbUser = $this->dbUser;
		try {
			$i = 1;
			while ($this->userExists($connection)) {
				$i++;
				$this->dbUser = $dbUser . $i;
			}

			// create the user
			$query = $connection->prepare("CREATE USER \"" . addslashes($this->dbUser) . "\" CREATEDB PASSWORD '" . addslashes($this->dbPassword) . "'");
			$query->execute();
			if ($this->databaseExists($connection)) {
				$query = $connection->prepare('GRANT CONNECT ON DATABASE ' . addslashes($this->dbName) . ' TO "' . addslashes($this->dbUser) . '"');
				$query->execute();
			}
		} catch (DatabaseException $e) {
			$this->logger->error('Error while trying to create database user', [
				'exception' => $e,
			]);
		}
	}
}
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`<?php`
Update license headers 2015-03-26 06:44:34 -04:00			`/**`
Fix others 2016-07-21 11:07:57 -04:00			`* @copyright Copyright (c) 2016, ownCloud, Inc.`
			`*`
Update license headers 2015-03-26 06:44:34 -04:00			`* @author Bart Visscher <bartv@thisnet.nl>`
Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> 2021-06-04 15:52:51 -04:00			`* @author Christoph Wurst <christoph@winzerhof-wurst.at>`
Update license headers 2015-03-26 06:44:34 -04:00			`* @author eduardo <eduardo@vnexu.net>`
Fix others 2016-07-21 11:07:57 -04:00			`* @author Joas Schilling <coding@schilljs.com>`
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2017-11-06 09:56:42 -05:00			`* @author Lukas Reschke <lukas@statuscode.ch>`
Happy new year! 2016-01-12 09:02:16 -05:00			`* @author Morris Jobke <hey@morrisjobke.de>`
Update with robin 2016-07-21 12:13:36 -04:00			`* @author Robin Appelman <robin@icewind.nl>`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 13:57:53 -05:00			`* @author Vitor Mattos <vitor@php.rio>`
Update license headers 2015-03-26 06:44:34 -04:00			`*`
			`* @license AGPL-3.0`
			`*`
			`* This code is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, version 3,`
			`* as published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License, version 3,`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 13:57:53 -05:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>`
Update license headers 2015-03-26 06:44:34 -04:00			`*`
			`*/`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`namespace OC\Setup;`

use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`use OC\DatabaseException;`
Bump doctrine/dbal from 2.12.0 to 3.0.0 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-01-03 09:28:31 -05:00			`use OC\DB\Connection;`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`use OC\DB\QueryBuilder\Literal;`
Introduce ISecureRandom::CHAR_ALPHANUMERIC Signed-off-by: J0WI <J0WI@users.noreply.github.com> 2021-07-07 11:52:46 -04:00			`use OCP\Security\ISecureRandom;`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00
Convert database setup code to objects 2013-04-02 16:01:23 -04:00			`class PostgreSQL extends AbstractDatabase {`
Use db setup class for option validation 2013-04-03 11:52:18 -04:00			`public $dbprettyname = 'PostgreSQL';`

Add Phan plugin to check for SQL injections This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues. As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections. The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases. Signed-off-by: Lukas Reschke <lukas@statuscode.ch> 2017-07-20 16:48:13 -04:00			`/**`
			`* @param string $username`
			`* @throws \OC\DatabaseSetupException`
			`*/`
Convert database setup code to objects 2013-04-02 16:01:23 -04:00			`public function setupDatabase($username) {`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`try {`
handle postgres setup when we cant connect as admin 2016-07-21 06:44:02 -04:00			`$connection = $this->connect([`
			`'dbname' => 'postgres'`
			`]);`
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`if ($this->tryCreateDbUser) {`
			`//check for roles creation rights in postgresql`
			`$builder = $connection->getQueryBuilder();`
			`$builder->automaticTablePrefix(false);`
			`$query = $builder`
			`->select('rolname')`
			`->from('pg_roles')`
			`->where($builder->expr()->eq('rolcreaterole', new Literal('TRUE')))`
			`->andWhere($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));`
Fix PostgreSQL port configuration on install 2014-01-04 16:23:25 -05:00
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`try {`
			`$result = $query->execute();`
			`$canCreateRoles = $result->rowCount() > 0;`
			`} catch (DatabaseException $e) {`
			`$canCreateRoles = false;`
			`}`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`if ($canCreateRoles) {`
			`$connectionMainDatabase = $this->connect();`
			`//use the admin login data for the new database user`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`//add prefix to the postgresql user name to prevent collisions`
			`$this->dbUser = 'oc_' . strtolower($username);`
			`//create a new password so we don't need to store the admin config in the config file`
			`$this->dbPassword = \OC::$server->getSecureRandom()->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`$this->createDBUser($connection);`
Bugfix to support postgres15 Signed-off-by: Vitor Mattos <vitor@php.rio> Signed-off-by: Simon L <szaimen@e.mail.de> Co-Authored-By: Joas Schilling <213943+nickvergessen@users.noreply.github.com> 2022-10-17 22:10:00 -04:00
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`// Go to the main database and grant create on the public schema`
			`// The code below is implemented to make installing possible with PostgreSQL version 15:`
			`// https://www.postgresql.org/docs/release/15.0/`
			`// From the release notes: For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases`
			`// Therefore we assume that the database is only used by one user/service which is Nextcloud`
			`// Additional services should get installed in a separate database in order to stay secure`
			`// Also see https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PATTERNS`
postgresql - add quotes around user names fix https://github.com/nextcloud/server/issues/37114 Signed-off-by: Simon L <szaimen@e.mail.de> 2023-03-07 18:37:19 -05:00			`$connectionMainDatabase->executeQuery('GRANT CREATE ON SCHEMA public TO "' . addslashes($this->dbUser) . '"');`
add option to disable db user creation trough environment variable Signed-off-by: Robin Appelman <robin@icewind.nl> 2023-01-29 09:54:39 -05:00			`$connectionMainDatabase->close();`
			`}`
handle postgres setup when we cant connect as admin 2016-07-21 06:44:02 -04:00			`}`
Use setConfigs() instead of calling setConfig() multiple times 2015-01-23 05:13:47 -05:00
Use SystemConfig instead of AllConfig for DB stuff * preparation for followup PRs to clean up the DB bootstrapping Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2017-03-17 18:37:48 -04:00			`$this->config->setValues([`
handle postgres setup when we cant connect as admin 2016-07-21 06:44:02 -04:00			`'dbuser' => $this->dbUser,`
			`'dbpassword' => $this->dbPassword,`
			`]);`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00
handle postgres setup when we cant connect as admin 2016-07-21 06:44:02 -04:00			`//create the database`
			`$this->createDatabase($connection);`
			`// the connection to dbname=postgres is not needed anymore`
			`$connection->close();`
			`} catch (\Exception $e) {`
Fix psalm errors Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-04-22 09:22:50 -04:00			`$this->logger->warning('Error trying to connect as "postgres", assuming database is setup and tables need to be created', [`
			`'exception' => $e,`
			`]);`
Use SystemConfig instead of AllConfig for DB stuff * preparation for followup PRs to clean up the DB bootstrapping Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2017-03-17 18:37:48 -04:00			`$this->config->setValues([`
handle postgres setup when we cant connect as admin 2016-07-21 06:44:02 -04:00			`'dbuser' => $this->dbUser,`
			`'dbpassword' => $this->dbPassword,`
			`]);`
			`}`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00
Cleanup some PHPDoc leftovers and unused variables Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2019-03-06 08:51:17 -05:00			`// connect to the database (dbname=$this->dbname) and check if it needs to be filled`
Use SystemConfig instead of AllConfig for DB stuff * preparation for followup PRs to clean up the DB bootstrapping Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2017-03-17 18:37:48 -04:00			`$this->dbUser = $this->config->getValue('dbuser');`
			`$this->dbPassword = $this->config->getValue('dbpassword');`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`$connection = $this->connect();`
			`try {`
			`$connection->connect();`
			`} catch (\Exception $e) {`
Fix psalm errors Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-04-22 09:22:50 -04:00			`$this->logger->error($e->getMessage(), [`
			`'exception' => $e,`
			`]);`
fix: replace `Account name` by `Login` Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2024-02-13 08:37:09 -05:00			`throw new \OC\DatabaseSetupException($this->trans->t('PostgreSQL Login and/or password not valid'),`
Add more previous exceptions to database setup code Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2021-01-07 15:04:11 -05:00			`$this->trans->t('You need to enter details of an existing account.'), 0, $e);`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`}`
			`}`

Bump doctrine/dbal from 2.12.0 to 3.0.0 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-01-03 09:28:31 -05:00			`private function createDatabase(Connection $connection) {`
handle postgres setup when we cant connect as admin 2016-07-21 06:44:02 -04:00			`if (!$this->databaseExists($connection)) {`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`//The database does not exists... let's create it`
postgresql - add quotes around user names fix https://github.com/nextcloud/server/issues/37114 Signed-off-by: Simon L <szaimen@e.mail.de> 2023-03-07 18:37:19 -05:00			`$query = $connection->prepare("CREATE DATABASE " . addslashes($this->dbName) . " OWNER \"" . addslashes($this->dbUser) . '"');`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`try {`
			`$query->execute();`
			`} catch (DatabaseException $e) {`
Fix psalm errors Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-04-22 09:22:50 -04:00			`$this->logger->error('Error while trying to create database', [`
			`'exception' => $e,`
			`]);`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`}`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`} else {`
Revert "Quote database and role in queries" This reverts commit 9ebd5d5bb20af9178e071c3c6f3b41d9a9bc8be0. 2016-12-09 09:36:14 -05:00			`$query = $connection->prepare("REVOKE ALL PRIVILEGES ON DATABASE " . addslashes($this->dbName) . " FROM PUBLIC");`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`try {`
			`$query->execute();`
			`} catch (DatabaseException $e) {`
Fix psalm errors Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-04-22 09:22:50 -04:00			`$this->logger->error('Error while trying to restrict database permissions', [`
			`'exception' => $e,`
			`]);`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`}`
			`}`
			`}`

Bump doctrine/dbal from 2.12.0 to 3.0.0 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-01-03 09:28:31 -05:00			`private function userExists(Connection $connection) {`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`$builder = $connection->getQueryBuilder();`
			`$builder->automaticTablePrefix(false);`
			`$query = $builder->select('*')`
			`->from('pg_roles')`
			`->where($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));`
			`$result = $query->execute();`
			`return $result->rowCount() > 0;`
			`}`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00
Bump doctrine/dbal from 2.12.0 to 3.0.0 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-01-03 09:28:31 -05:00			`private function databaseExists(Connection $connection) {`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`$builder = $connection->getQueryBuilder();`
			`$builder->automaticTablePrefix(false);`
			`$query = $builder->select('datname')`
			`->from('pg_database')`
			`->where($builder->expr()->eq('datname', $builder->createNamedParameter($this->dbName)));`
			`$result = $query->execute();`
			`return $result->rowCount() > 0;`
			`}`

Bump doctrine/dbal from 2.12.0 to 3.0.0 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2021-01-03 09:28:31 -05:00			`private function createDBUser(Connection $connection) {`
Allow to reuse the same name when installing a new instance Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-12-06 13:04:57 -05:00			`$dbUser = $this->dbUser;`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`try {`
Allow to reuse the same name when installing a new instance Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-12-06 13:04:57 -05:00			`$i = 1;`
			`while ($this->userExists($connection)) {`
			`$i++;`
			`$this->dbUser = $dbUser . $i;`
Remove unneeded semicolon and parentheses Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-01-26 17:46:40 -05:00			`}`
Allow to reuse the same name when installing a new instance Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-12-06 13:04:57 -05:00
			`// create the user`
postgresql - add quotes around user names fix https://github.com/nextcloud/server/issues/37114 Signed-off-by: Simon L <szaimen@e.mail.de> 2023-03-07 18:37:19 -05:00			`$query = $connection->prepare("CREATE USER \"" . addslashes($this->dbUser) . "\" CREATEDB PASSWORD '" . addslashes($this->dbPassword) . "'");`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`$query->execute();`
Check if database exists and grand permission Signed-off-by: Vitor Mattos <vitor@php.rio> 2019-04-21 15:54:40 -04:00			`if ($this->databaseExists($connection)) {`
postgresql - add quotes around user names fix https://github.com/nextcloud/server/issues/37114 Signed-off-by: Simon L <szaimen@e.mail.de> 2023-03-07 18:37:19 -05:00			`$query = $connection->prepare('GRANT CONNECT ON DATABASE ' . addslashes($this->dbName) . ' TO "' . addslashes($this->dbUser) . '"');`
Check if database exists and grand permission Signed-off-by: Vitor Mattos <vitor@php.rio> 2019-04-21 15:54:40 -04:00			`$query->execute();`
			`}`
use pdo for postgres setup 2016-07-12 07:50:54 -04:00			`} catch (DatabaseException $e) {`
Fix psalm errors Signed-off-by: Joas Schilling <coding@schilljs.com> 2021-04-22 09:22:50 -04:00			`$this->logger->error('Error while trying to create database user', [`
			`'exception' => $e,`
			`]);`
Split database specific install/setup code to their own class 2013-03-29 11:28:48 -04:00			`}`
			`}`
			`}`