lenticular_cloud2/lenticular_cloud/model.py

from flask import current_app
from flask_login import UserMixin
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from collections.abc import MutableSequence
from datetime import datetime
from dateutil import tz
import pyotp
import json
import logging
import crypt
import secrets
import string
from sqlalchemy import null
from sqlalchemy.orm import DeclarativeBase, MappedAsDataclass, Mapped, mapped_column, relationship, declarative_base
from flask_sqlalchemy import SQLAlchemy
from flask_sqlalchemy.model import Model, DefaultMeta
from flask_sqlalchemy.extension import _FSAModel
from flask_migrate import Migrate
from datetime import datetime
import uuid
from typing import Iterator, Optional, List, Dict, Tuple, Any, Type, TYPE_CHECKING
from cryptography.x509 import Certificate as CertificateObj
from sqlalchemy.ext.declarative import DeclarativeMeta

logger = logging.getLogger(__name__)


db = SQLAlchemy()
migrate = Migrate()

class BaseModelIntern(MappedAsDataclass, DeclarativeBase):
    pass

if TYPE_CHECKING:
    class BaseModel (_FSAModel,BaseModelIntern):
        pass
else:
    BaseModel: Type[_FSAModel] = db.Model

class ModelUpdatedMixin:
    created_at: Mapped[datetime] = mapped_column(db.DateTime, default=datetime.now(), nullable=False)
    modified_at: Mapped[datetime] = mapped_column(db.DateTime, default=datetime.now(), onupdate=datetime.now, nullable=False)

class SecurityUser(UserMixin):

    def __init__(self, username):
        self._username = username

    def get_id(self):
        return self._username


class Service(object):

    def __init__(self, name: str):
        self._name = name
        self._app_token = False
        self._client_cert = False
        self._pki_config = {
                    'cn': '{username}',
                    'email': '{username}@{domain}'
                }

    @staticmethod
    def from_config(name, config) -> 'Service':
        """
        """
        service = Service(name)
        if 'app_token' in config:
            service._app_token = bool(config['app_token'])
        if 'client_cert' in config:
            service._client_cert = bool(config['client_cert'])
        if 'pki_config' in config:
            service._pki_config.update(config['pki_config'])

        return service

    @property
    def name(self) -> str:
        return self._name

    @property
    def client_cert(self) -> bool:
        return self._client_cert

    @property
    def app_token(self) -> bool:
        return self._app_token

    @property
    def pki_config(self) -> dict[str,str]:
        if not self._client_cert:
            raise Exception('invalid call')
        return self._pki_config


class Certificate(object):

    def __init__(self, cn: str, ca_name: str, cert_data: CertificateObj, revoked=False):
        self._cn = cn
        self._ca_name = ca_name
        self._cert_data = cert_data
        self._revoked = revoked
        self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc())
        self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc())

    @property
    def cn(self) -> str:
        return self._cn

    @property
    def ca_name(self) -> str:
        return self._ca_name

    @property
    def not_valid_before(self) -> datetime:
        return self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)

    @property
    def not_valid_after(self) -> datetime:
        return self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)

    @property
    def serial_number(self) -> int:
        return self._cert_data.serial_number

    @property
    def serial_number_hex(self) -> str:
        return f'{self._cert_data.serial_number:X}'

    def fingerprint(self, algorithm=hashes.SHA256()) -> bytes:
        return self._cert_data.fingerprint(algorithm)

    @property
    def is_valid(self) -> bool:
        return self.not_valid_after > datetime.now() and not self._revoked

    def pem(self) -> str:
        return self._cert_data.public_bytes(encoding=serialization.Encoding.PEM).decode()

    @property
    def raw(self):
        return self._cert_data

    def __str__(self):
        return f'Certificate(cn={self._cn}, ca_name={self._ca_name}, not_valid_before={self.not_valid_before}, not_valid_after={self.not_valid_after})'


def generate_uuid():
    return str(uuid.uuid4())


class User(BaseModel, ModelUpdatedMixin):
    id: Mapped[uuid.UUID] = mapped_column(db.Uuid, primary_key=True, default=uuid.uuid4)
    username: Mapped[str] = mapped_column(db.String, unique=True, nullable=False)
    password_hashed: Mapped[str] = mapped_column(db.String, nullable=False)
    alternative_email: Mapped[Optional[str]] = mapped_column( db.String, nullable=True)
    last_login: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True)

    enabled: Mapped[bool] = mapped_column(db.Boolean, nullable=False, default=False)

    app_tokens: Mapped[List['AppToken']] = relationship('AppToken', back_populates='user')
    passkey_credentials: Mapped[List['PasskeyCredential']] = relationship('PasskeyCredential', back_populates='user', cascade='delete,delete-orphan', passive_deletes=True)


    def __init__(self, **kwargs) -> None:
        super().__init__(**kwargs)

    @property
    def is_authenticated(self) -> bool:
        return True  # TODO

    def get(self, key) -> None:
        print(f'getitem: {key}') # TODO

    @property
    def groups(self) -> list['Group']:
        admins = current_app.config['ADMINS']
        if self.username in admins:
            return [Group(name='admin')]
        else:
            return []

    @property
    def email(self) -> str:
        domain = current_app.config['DOMAIN']
        return f'{self.username}@{domain}'

    def change_password(self, password_new: str) -> None:
        self.password_hashed = crypt.crypt(password_new)

    def get_token_by_name(self, name: str) -> Optional['AppToken']:
        for token in self.app_tokens:
            if token.name == name:
                return token
        return None
        

    def get_token_by_scope(self, scope: str) -> Iterator['AppToken']:
        for token in self.app_tokens:
            if scope in token.scopes.split():
                yield token # type: ignore


class AppToken(BaseModel, ModelUpdatedMixin):
    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
    scopes: Mapped[str] = mapped_column(nullable=False) # string of a list seperated by `,` 
    user_id: Mapped[uuid.UUID] = mapped_column(
            db.Uuid,
            db.ForeignKey(User.id), nullable=False)
    user: Mapped[User] = relationship(User, back_populates="app_tokens")
    token: Mapped[str] = mapped_column(nullable=False)
    name: Mapped[str] = mapped_column(nullable=False)
    last_used: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True, default=None)

    @staticmethod
    def new(user: User, scopes: str, name: str):
        alphabet = string.ascii_letters + string.digits
        token = ''.join(secrets.choice(alphabet) for i in range(12))
        return AppToken(scopes=scopes, token=token, user=user, name=name)


class PasskeyCredential(BaseModel, ModelUpdatedMixin):  # pylint: disable=too-few-public-methods
    """Passkey credential model"""

    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
    user_id: Mapped[uuid.UUID] = mapped_column(db.Uuid, db.ForeignKey('user.id', ondelete='CASCADE'), nullable=False)
    credential_id: Mapped[bytes] = mapped_column(db.LargeBinary, nullable=False)
    credential_public_key: Mapped[bytes] = mapped_column(db.LargeBinary, nullable=False)
    name: Mapped[str] = mapped_column(db.String(250), nullable=False)
    last_used: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True, default=None)
    sign_count: Mapped[int] = mapped_column(db.Integer, nullable=False, default=0)

    user = db.relationship('User', back_populates='passkey_credentials')


class Group(BaseModel, ModelUpdatedMixin):
    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
    name: Mapped[str] = mapped_column(db.String(), nullable=False, unique=True)
init commit 2020-05-09 18:00:07 +00:00			`from flask import current_app`
			`from flask_login import UserMixin`
			`from cryptography.hazmat.primitives import hashes`
			`from cryptography.hazmat.primitives import serialization`
add 2fa totp 2020-05-10 12:34:28 +00:00			`from collections.abc import MutableSequence`
			`from datetime import datetime`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`from dateutil import tz`
add 2fa totp 2020-05-10 12:34:28 +00:00			`import pyotp`
			`import json`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`import logging`
			`import crypt`
update fixes, ... 2022-07-15 08:53:06 +00:00			`import secrets`
			`import string`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`from sqlalchemy import null`
update packages / nix packaging 2023-09-30 10:58:24 +00:00			`from sqlalchemy.orm import DeclarativeBase, MappedAsDataclass, Mapped, mapped_column, relationship, declarative_base`
more oauth2 fixes 2023-03-18 11:00:40 +00:00			`from flask_sqlalchemy import SQLAlchemy`
update packages / nix packaging 2023-09-30 10:58:24 +00:00			`from flask_sqlalchemy.model import Model, DefaultMeta`
			`from flask_sqlalchemy.extension import _FSAModel`
fix bug for migration 2022-02-20 15:54:35 +00:00			`from flask_migrate import Migrate`
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`from datetime import datetime`
			`import uuid`
change column name from apptoken 2023-10-20 08:05:30 +00:00			`from typing import Iterator, Optional, List, Dict, Tuple, Any, Type, TYPE_CHECKING`
remove ldap 2022-06-17 11:38:49 +00:00			`from cryptography.x509 import Certificate as CertificateObj`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`from sqlalchemy.ext.declarative import DeclarativeMeta`
init commit 2020-05-09 18:00:07 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`logger = logging.getLogger(__name__)`
init commit 2020-05-09 18:00:07 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00
init commit 2020-05-09 18:00:07 +00:00
update fixes, ... 2022-07-15 08:53:06 +00:00			`db = SQLAlchemy()`
remove ldap 2022-06-17 11:38:49 +00:00			`migrate = Migrate()`

update packages / nix packaging 2023-09-30 10:58:24 +00:00			`class BaseModelIntern(MappedAsDataclass, DeclarativeBase):`
			`pass`

			`if TYPE_CHECKING:`
			`class BaseModel (_FSAModel,BaseModelIntern):`
			`pass`
			`else:`
			`BaseModel: Type[_FSAModel] = db.Model`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00
update packages / nix packaging 2023-09-30 10:58:24 +00:00			`class ModelUpdatedMixin:`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`created_at: Mapped[datetime] = mapped_column(db.DateTime, default=datetime.now(), nullable=False)`
			`modified_at: Mapped[datetime] = mapped_column(db.DateTime, default=datetime.now(), onupdate=datetime.now, nullable=False)`
code cleanup, mypy 2022-06-18 11:05:18 +00:00
init commit 2020-05-09 18:00:07 +00:00			`class SecurityUser(UserMixin):`

			`def __init__(self, username):`
			`self._username = username`

			`def get_id(self):`
			`return self._username`


			`class Service(object):`

code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def __init__(self, name: str):`
init commit 2020-05-09 18:00:07 +00:00			`self._name = name`
update fixes, ... 2022-07-15 08:53:06 +00:00			`self._app_token = False`
init commit 2020-05-09 18:00:07 +00:00			`self._client_cert = False`
			`self._pki_config = {`
			`'cn': '{username}',`
			`'email': '{username}@{domain}'`
			`}`

			`@staticmethod`
more ldap migration 2022-06-18 17:35:05 +00:00			`def from_config(name, config) -> 'Service':`
init commit 2020-05-09 18:00:07 +00:00			`"""`
			`"""`
			`service = Service(name)`
update fixes, ... 2022-07-15 08:53:06 +00:00			`if 'app_token' in config:`
			`service._app_token = bool(config['app_token'])`
init commit 2020-05-09 18:00:07 +00:00			`if 'client_cert' in config:`
			`service._client_cert = bool(config['client_cert'])`
			`if 'pki_config' in config:`
flexebel email address in certs 2020-05-10 17:37:57 +00:00			`service._pki_config.update(config['pki_config'])`
init commit 2020-05-09 18:00:07 +00:00
			`return service`

			`@property`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def name(self) -> str:`
init commit 2020-05-09 18:00:07 +00:00			`return self._name`

			`@property`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def client_cert(self) -> bool:`
init commit 2020-05-09 18:00:07 +00:00			`return self._client_cert`

update fixes, ... 2022-07-15 08:53:06 +00:00			`@property`
			`def app_token(self) -> bool:`
			`return self._app_token`

init commit 2020-05-09 18:00:07 +00:00			`@property`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def pki_config(self) -> dict[str,str]:`
init commit 2020-05-09 18:00:07 +00:00			`if not self._client_cert:`
			`raise Exception('invalid call')`
			`return self._pki_config`


			`class Certificate(object):`

code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def __init__(self, cn: str, ca_name: str, cert_data: CertificateObj, revoked=False):`
init commit 2020-05-09 18:00:07 +00:00			`self._cn = cn`
			`self._ca_name = ca_name`
			`self._cert_data = cert_data`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`self._revoked = revoked`
			`self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc())`
			`self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc())`
init commit 2020-05-09 18:00:07 +00:00
			`@property`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def cn(self) -> str:`
init commit 2020-05-09 18:00:07 +00:00			`return self._cn`

			`@property`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def ca_name(self) -> str:`
init commit 2020-05-09 18:00:07 +00:00			`return self._ca_name`

			`@property`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`def not_valid_before(self) -> datetime:`
			`return self._cert_data.not_valid_before.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)`
init commit 2020-05-09 18:00:07 +00:00
			`@property`
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`def not_valid_after(self) -> datetime:`
			`return self._cert_data.not_valid_after.replace(tzinfo=tz.tzutc()).astimezone(tz.tzlocal()).replace(tzinfo=None)`
init commit 2020-05-09 18:00:07 +00:00
add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`@property`
			`def serial_number(self) -> int:`
			`return self._cert_data.serial_number`

			`@property`
			`def serial_number_hex(self) -> str:`
			`return f'{self._cert_data.serial_number:X}'`

			`def fingerprint(self, algorithm=hashes.SHA256()) -> bytes:`
init commit 2020-05-09 18:00:07 +00:00			`return self._cert_data.fingerprint(algorithm)`

add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`@property`
			`def is_valid(self) -> bool:`
			`return self.not_valid_after > datetime.now() and not self._revoked`

			`def pem(self) -> str:`
init commit 2020-05-09 18:00:07 +00:00			`return self._cert_data.public_bytes(encoding=serialization.Encoding.PEM).decode()`

add more pki features, bug fixes, try not to use jquery 2020-05-25 18:23:27 +00:00			`@property`
			`def raw(self):`
			`return self._cert_data`

init commit 2020-05-09 18:00:07 +00:00			`def __str__(self):`
			`return f'Certificate(cn={self._cn}, ca_name={self._ca_name}, not_valid_before={self.not_valid_before}, not_valid_after={self.not_valid_after})'`

add 2fa totp 2020-05-10 12:34:28 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00			`def generate_uuid():`
			`return str(uuid.uuid4())`
add 2fa totp 2020-05-10 12:34:28 +00:00

update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`class User(BaseModel, ModelUpdatedMixin):`
			`id: Mapped[uuid.UUID] = mapped_column(db.Uuid, primary_key=True, default=uuid.uuid4)`
			`username: Mapped[str] = mapped_column(db.String, unique=True, nullable=False)`
			`password_hashed: Mapped[str] = mapped_column(db.String, nullable=False)`
			`alternative_email: Mapped[Optional[str]] = mapped_column( db.String, nullable=True)`
			`last_login: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True)`

			`enabled: Mapped[bool] = mapped_column(db.Boolean, nullable=False, default=False)`

			`app_tokens: Mapped[List['AppToken']] = relationship('AppToken', back_populates='user')`
add basic passkey management 2023-12-25 16:28:09 +00:00			`passkey_credentials: Mapped[List['PasskeyCredential']] = relationship('PasskeyCredential', back_populates='user', cascade='delete,delete-orphan', passive_deletes=True)`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00

			`def __init__(self, **kwargs) -> None:`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`super().__init__(**kwargs)`
add 2fa totp 2020-05-10 12:34:28 +00:00
init commit 2020-05-09 18:00:07 +00:00			`@property`
code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def is_authenticated(self) -> bool:`
init commit 2020-05-09 18:00:07 +00:00			`return True # TODO`

code cleanup, mypy 2022-06-18 11:05:18 +00:00			`def get(self, key) -> None:`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`print(f'getitem: {key}') # TODO`
init commit 2020-05-09 18:00:07 +00:00
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`@property`
update fixes, ... 2022-07-15 08:53:06 +00:00			`def groups(self) -> list['Group']:`
add config for admins 2023-12-24 10:09:41 +00:00			`admins = current_app.config['ADMINS']`
			`if self.username in admins:`
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00			`return [Group(name='admin')]`
			`else:`
			`return []`

init commit 2020-05-09 18:00:07 +00:00			`@property`
bugfixes, cleanup 2022-02-06 22:57:01 +00:00			`def email(self) -> str:`
bugfixes 2020-05-30 21:43:55 +00:00			`domain = current_app.config['DOMAIN']`
			`return f'{self.username}@{domain}'`
init commit 2020-05-09 18:00:07 +00:00
update fixes, ... 2022-07-15 08:53:06 +00:00			`def change_password(self, password_new: str) -> None:`
			`self.password_hashed = crypt.crypt(password_new)`

changes to app_token 2023-10-22 17:45:37 +00:00			`def get_token_by_name(self, name: str) -> Optional['AppToken']:`
			`for token in self.app_tokens:`
			`if token.name == name:`
			`return token`
			`return None`

update fixes, ... 2022-07-15 08:53:06 +00:00
change column name from apptoken 2023-10-20 08:05:30 +00:00			`def get_token_by_scope(self, scope: str) -> Iterator['AppToken']:`
update fixes, ... 2022-07-15 08:53:06 +00:00			`for token in self.app_tokens:`
change column name from apptoken 2023-10-20 08:05:30 +00:00			`if scope in token.scopes.split():`
			`yield token # type: ignore`
update fixes, ... 2022-07-15 08:53:06 +00:00
init commit 2020-05-09 18:00:07 +00:00
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`class AppToken(BaseModel, ModelUpdatedMixin):`
			`id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)`
change column name from apptoken 2023-10-20 08:05:30 +00:00			scopes: Mapped[str] = mapped_column(nullable=False) # string of a list seperated by `,`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`user_id: Mapped[uuid.UUID] = mapped_column(`
			`db.Uuid,`
update fixes, ... 2022-07-15 08:53:06 +00:00			`db.ForeignKey(User.id), nullable=False)`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`user: Mapped[User] = relationship(User, back_populates="app_tokens")`
			`token: Mapped[str] = mapped_column(nullable=False)`
			`name: Mapped[str] = mapped_column(nullable=False)`
			`last_used: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True, default=None)`
init commit 2020-05-09 18:00:07 +00:00
update fixes, ... 2022-07-15 08:53:06 +00:00			`@staticmethod`
change column name from apptoken 2023-10-20 08:05:30 +00:00			`def new(user: User, scopes: str, name: str):`
update fixes, ... 2022-07-15 08:53:06 +00:00			`alphabet = string.ascii_letters + string.digits`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`token = ''.join(secrets.choice(alphabet) for i in range(12))`
change column name from apptoken 2023-10-20 08:05:30 +00:00			`return AppToken(scopes=scopes, token=token, user=user, name=name)`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00
merge ldap user and db user, cleanup, add password change 2020-05-27 15:56:10 +00:00
add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00
add basic passkey management 2023-12-25 16:28:09 +00:00			`class PasskeyCredential(BaseModel, ModelUpdatedMixin): # pylint: disable=too-few-public-methods`
			`"""Passkey credential model"""`
add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)`
			`user_id: Mapped[uuid.UUID] = mapped_column(db.Uuid, db.ForeignKey('user.id', ondelete='CASCADE'), nullable=False)`
fix postfix compatiblity sql is only a standard, ... 2023-12-25 17:57:27 +00:00			`credential_id: Mapped[bytes] = mapped_column(db.LargeBinary, nullable=False)`
			`credential_public_key: Mapped[bytes] = mapped_column(db.LargeBinary, nullable=False)`
update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`name: Mapped[str] = mapped_column(db.String(250), nullable=False)`
add basic passkey management 2023-12-25 16:28:09 +00:00			`last_used: Mapped[Optional[datetime]] = mapped_column(db.DateTime, nullable=True, default=None)`
			`sign_count: Mapped[int] = mapped_column(db.Integer, nullable=False, default=0)`
add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00
add basic passkey management 2023-12-25 16:28:09 +00:00			`user = db.relationship('User', back_populates='passkey_credentials')`
add partial fido2/WebAuthn 2022-04-08 19:28:22 +00:00

update add nix flake make a restart 2023-10-09 19:58:44 +00:00			`class Group(BaseModel, ModelUpdatedMixin):`
			`id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)`
			`name: Mapped[str] = mapped_column(db.String(), nullable=False, unique=True)`
add more registration stuff, admin interface 2020-06-01 21:43:10 +00:00