Framework/Helpers/LogAnalyticsHelper.ps1
|
Set-StrictMode -Version Latest Class LogAnalyticsHelper{ static [string] $DefaultLAType = "AzSK" hidden static [int] $IsLAWSSettingValid = 0 #-1:Fail (Log Analytics workspace Empty, Log Analytics workspace Return Error) | 1:CA | 0:Local hidden static [int] $IsAltLAWSSettingValid = 0 # Create the function to create and post the request static PostLAWSData([string] $workspaceId, [string] $sharedKey, $body, $logType, $laType) { try { if(($laType | Measure-Object).Count -gt 0 -and [LogAnalyticsHelper]::$("is"+$laType+"SettingValid") -ne -1) { if([string]::IsNullOrWhiteSpace($logType)) { $logType = [LogAnalyticsHelper]::DefaultLAType } [string] $method = "POST" [string] $contentType = "application/json" [string] $resource = "/api/logs" $rfc1123date = [System.DateTime]::UtcNow.ToString("r") [int] $contentLength = $body.Length [string] $signature = [LogAnalyticsHelper]::GetLAWSSignature($workspaceId , $sharedKey , $rfc1123date ,$contentLength ,$method ,$contentType ,$resource) $LADataCollectorAPI = [WebRequestHelper]::GetLADataCollectorAPI() [string] $uri = "https://" + $workspaceId + $LADataCollectorAPI + $resource + "?api-version=2016-04-01" [DateTime] $TimeStampField = [System.DateTime]::UtcNow $headers = @{ "Authorization" = $signature; "Log-Type" = $logType; "x-ms-date" = $rfc1123date; "time-generated-field" = $TimeStampField; } $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing } } catch { $warningMsg="" if($laType -eq 'LAWS') { switch([LogAnalyticsHelper]::$("is"+$laType+"SettingValid")) { 0 { $warningMsg += "The Log Analytics workspace ID or key is invalid in the local settings file. Use Set-AzSKADOMonitoringSettings to update either/both with corrected values.";} 1 { $warningMsg += "The Log Analytics workspace ID or key is invalid in the ContinuousAssurance configuration. Use Update-AzSKADOContinuousAssurance to update either/both with corrected values."; } } [EventBase]::PublishGenericCustomMessage(" `r`nWARNING: $($warningMsg)", [MessageType]::Warning); #Flag to disable Log Analytics scan [LogAnalyticsHelper]::$("is"+$laType+"SettingValid") = -1 } elseif($laType -eq 'AltLAWS') { switch([LogAnalyticsHelper]::$("is"+$laType+"SettingValid")) { 0 { $warningMsg += "The alternate Log Analytics workspace ID or key is invalid in the local settings file. Use Set-AzSKADOMonitoringSettings to update either/both with corrected values.";} 1 { $warningMsg += "The alternate Log Analytics workspace ID or key is invalid in the ContinuousAssurance configuration. Use Update-AzSKADOContinuousAssurance to update either/both with corrected values."; } } [EventBase]::PublishGenericCustomMessage(" `r`nWARNING: $($warningMsg)", [MessageType]::Warning); #Flag to disable Log Analytics scan [LogAnalyticsHelper]::$("is"+$laType+"SettingValid") = -1 } } } static [string] GetLAWSSignature ($workspaceId, $sharedKey, $Date, $ContentLength, $Method, $ContentType, $Resource) { [string] $xHeaders = "x-ms-date:" + $Date [string] $stringToHash = $Method + "`n" + $ContentLength + "`n" + $ContentType + "`n" + $xHeaders + "`n" + $Resource [byte[]]$bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash) [byte[]]$keyBytes = [Convert]::FromBase64String($sharedKey) [System.Security.Cryptography.HMACSHA256] $sha256 = New-Object System.Security.Cryptography.HMACSHA256 $sha256.Key = $keyBytes [byte[]]$calculatedHash = $sha256.ComputeHash($bytesToHash) $encodedHash = [Convert]::ToBase64String($calculatedHash) $authorization = 'SharedKey {0}:{1}' -f $workspaceId,$encodedHash return $authorization } static [PSObject[]] GetLAWSBodyObjects([SVTEventContext] $eventContext,[AzSKContextDetails] $AzSKContext) { [PSObject[]] $output = @(); [array] $eventContext.ControlResults | ForEach-Object{ Set-Variable -Name ControlResult -Value $_ -Scope Local $out = [LAWSModel]::new() if($eventContext.IsResource()) { $out.ResourceType=$eventContext.ResourceContext.ResourceType $out.ResourceGroup=$eventContext.ResourceContext.ResourceGroupName $out.ResourceName=$eventContext.ResourceContext.ResourceName $out.ResourceId = $eventContext.ResourceContext.ResourceId $out.ChildResourceName=$ControlResult.ChildResourceName $out.PartialScanIdentifier=$eventContext.PartialScanIdentifier } $out.Env = $this.GetModuleName(); $out.Reference=$eventContext.Metadata.Reference $out.ControlStatus=$ControlResult.VerificationResult.ToString() $out.ActualVerificationResult=$ControlResult.ActualVerificationResult.ToString() $out.ControlId=$eventContext.ControlItem.ControlID $out.SubscriptionName=$eventContext.SubscriptionContext.SubscriptionName $out.SubscriptionId=$eventContext.SubscriptionContext.SubscriptionId $out.FeatureName=$eventContext.FeatureName $out.Recommendation=$eventContext.ControlItem.Recommendation $out.ControlSeverity=$eventContext.ControlItem.ControlSeverity.ToString() $out.Source=$AzSKContext.Source $out.Tags=$eventContext.ControlItem.Tags $out.RunIdentifier = $AzSKContext.RunIdentifier $out.HasRequiredAccess = $ControlResult.CurrentSessionContext.Permissions.HasRequiredAccess $out.ScannerVersion = $AzSKContext.Version $out.IsBaselineControl = $eventContext.ControlItem.IsBaselineControl #addPreviewBaselineControl Flag $out.IsPreviewBaselineControl = $eventContext.ControlItem.IsPreviewBaselineControl $out.HasAttestationWritePermissions = $ControlResult.CurrentSessionContext.Permissions.HasAttestationWritePermissions $out.HasAttestationReadPermissions = $ControlResult.CurrentSessionContext.Permissions.HasAttestationReadPermissions $out.IsLatestPSModule = $ControlResult.CurrentSessionContext.IsLatestPSModule $out.PolicyOrgName = $AzSKContext.PolicyOrgName $out.IsControlInGrace = $ControlResult.IsControlInGrace $out.ScannedBy=[ContextHelper]::GetCurrentSessionUser() #mapping the attestation properties if($null -ne $ControlResult -and $null -ne $ControlResult.StateManagement -and $null -ne $ControlResult.StateManagement.AttestedStateData) { $attestedData = $ControlResult.StateManagement.AttestedStateData; $out.AttestationStatus = $ControlResult.AttestationStatus.ToString(); $out.AttestedBy = $attestedData.AttestedBy; $out.Justification = $attestedData.Justification; $out.AttestedDate = $attestedData.AttestedDate $out.ExpiryDate = $attestedData.ExpiryDate } $output += $out } return $output } static [void] PostApplicableControlSet([SVTEventContext[]] $contexts,[AzSKContextDetails] $AzSKContext) { if (($contexts | Measure-Object).Count -lt 1) { return; } $set = [LogAnalyticsHelper]::ConvertToSimpleSet($contexts,$AzSKContext); [LogAnalyticsHelper]::WriteControlResult($set,"AzSK_Inventory") } static [void] WriteControlResult([PSObject[]] $lawsDataObject, [string] $laEventType) { try { $settings = [ConfigurationManager]::GetAzSKSettings() if([string]::IsNullOrWhiteSpace($laEventType)) { $laEventType = $settings.LAType } if((-not [string]::IsNullOrWhiteSpace($settings.LAWSId)) -or (-not [string]::IsNullOrWhiteSpace($settings.AltLAWSId))) { $lawsDataObject | ForEach-Object{ Set-Variable -Name tempBody -Value $_ -Scope Local $body = $tempBody | ConvertTo-Json $lawsBodyByteArray = ([System.Text.Encoding]::UTF8.GetBytes($body)) #publish to primary workspace if(-not [string]::IsNullOrWhiteSpace($settings.LAWSId) -and [LogAnalyticsHelper]::IsLAWSSettingValid -ne -1) { [LogAnalyticsHelper]::PostLAWSData($settings.LAWSId, $settings.LAWSSharedKey, $lawsBodyByteArray, $laEventType, 'LAWS') } #publish to secondary workspace if(-not [string]::IsNullOrWhiteSpace($settings.AltLAWSId) -and [LogAnalyticsHelper]::IsAltLAWSSettingValid -ne -1) { [LogAnalyticsHelper]::PostLAWSData($settings.AltLAWSId, $settings.AltLAWSSharedKey, $lawsBodyByteArray, $laEventType, 'AltLAWS') } } } } catch { throw ([SuppressedException]::new("Error sending events to Log Analytics. The following exception occurred: `r`n$($_.Exception.Message) `r`nFor more on AzSK Log Analytics workspace setup, refer: https://aka.ms/devopskit/ca")); } } static [PSObject[]] ConvertToSimpleSet($contexts,[AzSKContextDetails] $AzSKContext) { $ControlSet = [System.Collections.ArrayList]::new() foreach ($item in $contexts) { $set = [LAWSResourceInvModel]::new() $set.RunIdentifier = $AzSKContext.RunIdentifier $set.SubscriptionId = $item.SubscriptionContext.SubscriptionId $set.SubscriptionName = $item.SubscriptionContext.SubscriptionName $set.Source = $AzSKContext.Source $set.ScannerVersion = $AzSKContext.Version $set.FeatureName = $item.FeatureName if([Helpers]::CheckMember($item,"ResourceContext")) { $set.ResourceGroupName = $item.ResourceContext.ResourceGroupName $set.ResourceName = $item.ResourceContext.ResourceName $set.ResourceId = $item.ResourceContext.ResourceId } $set.ControlIntId = $item.ControlItem.Id $set.ControlId = $item.ControlItem.ControlID $set.ControlSeverity = $item.ControlItem.ControlSeverity $set.Tags = $item.ControlItem.Tags $set.IsBaselineControl = $item.ControlItem.IsBaselineControl #add PreviewBaselineFlag $set.IsPreviewBaselineControl = $item.ControlItem.IsPreviewBaselineControl $ControlSet.Add($set) } return $ControlSet; } static [void] SetLAWSDetails() { #Check if Settings already contain details of Log Analytics workspace $settings = [ConfigurationManager]::GetAzSKSettings() #Can we add one flag in 'AzSKSettings' or 'ControlSettings.json' to control this #Step 1: if Log Analytics workspace details are not present on machine if([string]::IsNullOrWhiteSpace($settings.LAWSId) -or [string]::IsNullOrWhiteSpace($settings.AltLAWSId)) { $rgName = [ConfigurationManager]::GetAzSKConfigData().AzSKRGName #Step 2: Validate if CA is enabled on subscription $automationAccDetails = $null #$automationAccDetails= Get-AzAutomationAccount -ResourceGroupName $rgName -ErrorAction SilentlyContinue if($automationAccDetails) { if([string]::IsNullOrWhiteSpace($settings.LAWSId)) { #Step 3: Get workspace id from automation account variables #Try getting the values from the LAWS variables, if they don't exist, read value from OMS variables $laWSId = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "LAWSId" -ErrorAction SilentlyContinue if(($laWSId | Measure-Object).Count -eq 0) { $laWSId = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "OMSWorkspaceId" -ErrorAction SilentlyContinue } #Step 4: set workspace id and shared key in setting file if($laWSId) { $laWSSharedKey = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "LAWSSharedKey" -ErrorAction SilentlyContinue if(($laWSSharedKey | Measure-Object).Count -eq 0) { $laWSSharedKey = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "OMSSharedKey" } if([Helpers]::CheckMember($laWSSharedKey,"Value") -and (-not [string]::IsNullOrWhiteSpace($laWSSharedKey.Value))) { #Step 6: Assign it to AzSKSettings Object $settings.LAWSId = $laWSId.Value $settings.LAWSSharedKey = $laWSSharedKey.Value [LogAnalyticsHelper]::IsLAWSSettingValid = 1 } } } if([string]::IsNullOrWhiteSpace($settings.LAWSId) -or [string]::IsNullOrWhiteSpace($settings.LAWSSharedKey)) { [LogAnalyticsHelper]::IsLAWSSettingValid = -1 } if([string]::IsNullOrWhiteSpace($settings.AltLAWSId)) { #Step 3: Get alternate workspace id from automation account variables #Try getting the values from the LAWS variables, if they don't exist, read value from OMS variables $altLAWSId = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "AltLAWSId" -ErrorAction SilentlyContinue if(($altLAWSId | Measure-Object).Count -eq 0) { $altLAWSId = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "AltOMSWorkspaceId" -ErrorAction SilentlyContinue } #Step 4: set alternate workspace id and shared key in setting file if($altLAWSId) { $altLAWSSharedKey = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "AltLAWSSharedKey" -ErrorAction SilentlyContinue if(($altLAWSSharedKey | Measure-Object).Count -eq 0) { $altLAWSSharedKey = Get-AzAutomationVariable -ResourceGroupName $automationAccDetails.ResourceGroupName -AutomationAccountName $automationAccDetails.AutomationAccountName -Name "AltOMSSharedKey" } if([Helpers]::CheckMember($altLAWSSharedKey,"Value") -and (-not [string]::IsNullOrWhiteSpace($altLAWSSharedKey.Value))) { #Step 6: Assign it to AzSKSettings Object $settings.AltLAWSId = $altLAWSId.Value $settings.AltLAWSSharedKey = $altLAWSSharedKey.Value [LogAnalyticsHelper]::IsAltLAWSSettingValid = 1 } } } if([string]::IsNullOrWhiteSpace($settings.AltLAWSId) -or [string]::IsNullOrWhiteSpace($settings.AltLAWSSharedKey)) { [LogAnalyticsHelper]::IsAltLAWSSettingValid = -1 } } } } static PostResourceInventory([AzSKContextDetails] $AzSKContext) { if($AzSKContext.Source.Equals("CA", [System.StringComparison]::OrdinalIgnoreCase)){ $resourceSet = [System.Collections.ArrayList]::new() [ResourceInventory]::FetchResources(); foreach($resource in [ResourceInventory]::FilteredResources){ $set = [LAWSResourceModel]::new() $set.RunIdentifier = $AzSKContext.RunIdentifier $set.SubscriptionId = $resource.SubscriptionId #$set.SubscriptionName = $item.SubscriptionContext.SubscriptionName $set.Source = $AzSKContext.Source $set.ScannerVersion = $AzSKContext.Version $set.ResourceType = $resource.ResourceType $set.ResourceGroupName = $resource.ResourceGroupName $set.ResourceName = $resource.Name $set.ResourceId = $resource.ResourceId $resourceSet.Add($set) } [LogAnalyticsHelper]::WriteControlResult($resourceSet,"AzSK_Inventory") $laMetadata = [ConfigurationManager]::LoadServerConfigFile("LogAnalyticsSettings.json") [LogAnalyticsHelper]::WriteControlResult($laMetadata,"AzSK_MetaData") } } hidden static [PSObject] QueryStatusfromWorkspace([string] $workspaceId,[string] $query) { $result=$null; try { $body = @{query=$query}; $url="https://api.loganalytics.io/v1/workspaces/" +$workspaceId+"/query" $response=[WebRequestHelper]::InvokePostWebRequest($url , $body); # Formating the response obtained from querying workspace. if(($response | Measure-Object).Count -gt 0) { $data = $response; #Out of four tables obtained, the first table contains result of query if(($data | Measure-Object).Count -gt 0) { $table= $data.Tables[0]; $Columns=$table.Columns; $objectView = @{}; $j = 0; if($null -ne $table) { foreach ($valuetable in $table) { foreach ($row in $table.Rows) { #If timestamp/first column value is null means row is empty if($row[0]) { $i = 0; $count=$valuetable.Columns.Count; $properties = @{} foreach($col in $Columns) { if($i -lt $count) { $properties[$col.Name] = $row[$i]; } $i++; } $objectView[$j] = (New-Object PSObject -Property $properties) $j++; } } } $result=$objectView; } } } } catch { [EventBase]::PublishGenericCustomMessage($_) } return $result; } } Class LAWSModel { [string] $RunIdentifier [string] $ResourceType [string] $ResourceGroup [string] $Reference [string] $ResourceName [string] $ChildResourceName [string] $ResourceId [string] $ControlStatus [string] $ActualVerificationResult [string] $ControlId [string] $SubscriptionName [string] $SubscriptionId [string] $FeatureName [string] $Source [string] $Recommendation [string] $ControlSeverity [string] $TimeTakenInMs [string] $AttestationStatus [string] $AttestedBy [string] $Justification [string] $AttestedDate [bool] $HasRequiredAccess [bool] $HasAttestationWritePermissions [bool] $HasAttestationReadPermissions [bool] $IsLatestPSModule [bool] $IsControlInGrace [string[]] $Tags [string] $ScannerVersion [bool] $IsBaselineControl #add PreviewBaselineFlag [bool] $IsPreviewBaselineControl [string] $ExpiryDate [string] $PartialScanIdentifier [string] $PolicyOrgName [string] $ScannedBy [string] $Env [string] $ComponentId } Class LAWSResourceInvModel{ [string] $RunIdentifier [string] $SubscriptionId [string] $SubscriptionName [string] $Source [string] $ScannerVersion [string] $FeatureName [string] $ResourceGroupName [string] $ResourceName [string] $ResourceId [string] $ControlId [string] $ControlIntId [string] $ControlSeverity [string[]] $Tags [bool] $IsBaselineControl #add PreviewBaselineFlag [bool] $IsPreviewBaselineControl } Class LAWSResourceModel{ [string] $RunIdentifier [string] $SubscriptionId [string] $Source [string] $ScannerVersion [string] $ResourceType [string] $ResourceGroupName [string] $ResourceName [string] $ResourceId } Class AzSKContextDetails { [string] $RunIdentifier [string] $Version [string] $Source [string] $PolicyOrgName } Class CommandModel{ [string] $EventName [string] $RunIdentifier [string] $PartialScanIdentifier [string] $ModuleVersion [string] $MethodName [string] $ModuleName [string] $Parameters [string] $SubscriptionId [string] $SubscriptionName } class CredHygieneAlert{ [int] $ExpiryDueInDays [bool] $IsExpired [string] $CredentialName [string] $CredentialGroup [string] $LastUpdatedBy [string] $SubscriptionId [string] $SubscriptionName } # SIG # Begin signature block # MIIhewYJKoZIhvcNAQcCoIIhbDCCIWgCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCZY7CXyO5tQTJ2 # 9L8QSuacaxOteXEBN+hXvB20j2Cfh6CCC28wggTrMIID06ADAgECAhMzAAAD53EW # vSG3L5ZCAAAAAAPnMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29mdCBUZXN0aW5nIFBD # QSAyMDEwMB4XDTIwMDMwNDE5NTgzOVoXDTIxMDMwMzE5NTgzOVowfDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdQ29kZSBTaWdu # IFRlc3QgKERPIE5PVCBUUlVTVCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK # AoIBAQC0dFU8yYFFisft2syLgnrgoEcOrrzraGs5owrAJ8YWyYuxhhk7UUJP0YAC # wuDAlPQMHrhnEhZsqmD7DfWGzz33gxe7hvcNpHdhItPpgXiVkh3thZrWz4jfHFGc # RMW1zyebGUJ16gN5cYWsI18Pax9tBZW1YZIef2hIQNU5Vr5QhVKZVAbaqZFqJRo+ # 51czrP44ZnofEMr3Z3HBmIS7C97kkFYS/G8JpkufIuDsTchX7dWduHhMbFIem+Zx # nT7mrsps0D5hXV3L9JPe8TFm1T0iwaFy6RWFaWPelibrTryIbWk6Qrv4Lz89WMM6 # XFxlrqQVphAmhns1+rNrr6yacRCtAgMBAAGjggFnMIIBYzATBgNVHSUEDDAKBggr # BgEFBQcDAzAdBgNVHQ4EFgQUseZoPiUpJDttlBAhnIzqzbcXsK4wUAYDVR0RBEkw # R6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNv # MRYwFAYDVQQFEw0yMzAwNzIrNDU4Mzk0MB8GA1UdIwQYMBaAFN3WR4sjFC/YOGhC # oz5tw/CQ9yzQMFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Rlc1BDQV8yMDEwLTA3LTAxLmNybDBX # BggrBgEFBQcBAQRLMEkwRwYIKwYBBQUHMAKGO2h0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2kvY2VydHMvTWljVGVzUENBXzIwMTAtMDctMDEuY3J0MAwGA1UdEwEB # /wQCMAAwDQYJKoZIhvcNAQELBQADggEBAJYdTCu6GLf0F8qu4JuKidCt6hweTHFz # 012VGqDoVNN8REwov3VMjK71y8oL6wgvx29RYYqD2sKn6a/NcKUlHJjttvbXW/Az # NK4FetsfpyURFCRTS8C5hRcGZTIZfiSsJXn0N/yV/pbf/M6N4c0Q//I5f+e5lMch # 0jf6TGVLEHcXgOOH1PcS4Rd9LjAaggJG7VAOrIQaoSfgtsMn/a0CoYXeigizHb4k # sZW2nEC5JSAZ49b3Y1Pjvtr1H6xfMewXwtGCEvTq2btl8in/TV8du5cimL7VmZAa # aggJr0eFOmLCNUgGhH+Ic+sLH7G7vpkdggW9PRQ0wtQm8ofUIYhIn2swggZ8MIIE # ZKADAgECAgphEYRvAAAAAAADMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTowOAYDVQQDEzFNaWNyb3NvZnQgVGVz # dGluZyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwMTIx # MjMwMVoXDTI1MDcwMTIxMzMwMVoweTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEjMCEGA1UEAxMaTWljcm9zb2Z0IFRlc3RpbmcgUENBIDIwMTAw # ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBvSHVS2YGAJIwORjKy3NC # WbHvmyeo4OhVvSmw+SQfOtHow1mJ7ZG2wegzY/ZaZBniLnwMkIAFOL8cproNai/v # J5er3vbvUPOD59fDRTciPxi1wpYRto0Sg1mLJ1EGVnW5YGoTDtUmPy2WqgXMoYc/ # vk807wxMb8wE1KHmZ80KJzOf46+bb2h8vLQMczSMWoH5h/tUHMVHbOqfV7RZ/c4Z # qXd8h0KftXmUvMt2ktuWl6FfBCQ5/qGV4Z+G417ZXFbfQ5CfyRTq0fWgW6vzCATd # KK8b4qouE6AK7dKZRCr1mUT7K6RP8bthwh0t9SUnAqh475M59F51ge7S4HYMWyPv # AgMBAAGjggHsMIIB6DAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU3dZHiyMU # L9g4aEKjPm3D8JD3LNAwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0P # BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUowEEfjCIM+u5MZzK # 64V2Z/xltNEwWQYDVR0fBFIwUDBOoEygSoZIaHR0cDovL2NybC5taWNyb3NvZnQu # Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGVzUm9vQ2VyQXV0XzIwMTAtMDYtMTcu # Y3JsMF0GCCsGAQUFBwEBBFEwTzBNBggrBgEFBQcwAoZBaHR0cDovL3d3dy5taWNy # b3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUZXNSb29DZXJBdXRfMjAxMC0wNi0xNy5j # cnQwgaAGA1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIB # FjFodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQu # aHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8A # UwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBAYQU+N90z # e1LCSGuA92ADFrbJLol+vdlYHGPT9ZLS9loEDQjuh7/rmDQ6ZXxQ5MgbKVB5VXsY # OZG1QSbzF3+YlWd8TN1y5B21BM3DSPb6r+3brl50kW2t1JqACtiLbZnmhmh5hkdJ # i8HYUfLQ7xKcP0g1CIJP9CyKil7UJv/HnMXKigTGiBaHjfVtVwG5k8roymrEirpB # DcOMVB0OZiTXxYIHDbM4v7LItZYIISdPs6+LwxwzwdroMdpj42+3dWQBumpRGQAg # qJ9i5UiBQtUM+9vLpKIRnujnWfQxbaIuIt2HRLFpHUYKGOXRlf148o+71dX3YWap # 88+ocaxkM8rkavgDNkcWSe9Dpoq8a3tS2P9BpxewDV+iSzF0JRo9UOZeciaSQDZv # rkQskxJjtdO725L6E5Fu1Ti+lGl6exRCnhPbooxCqHEGLRdiwXkrmLp+huTGAK8z # mfEt0d1JFrrDdu5kqoG3OVT2dN4JVFNpOFvCU/LNiVDCyCIcG0cSRVtDjyNckMhu # 1PcPtberjr1mcL8RkTzvonoH4pIvQk1k4IOLpdxslOj2oigApZjqCBJA3mIEZHln # wRuglg4Er74nSmL6953C0r1Vwl7T0vXnQO8izb+incAb1r6Y+45N5aVXww+PqHJB # RjvhjyBKG+1aDLVM3ixjV9P6OZkOvp4uozGCFWIwghVeAgEBMIGQMHkxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29m # dCBUZXN0aW5nIFBDQSAyMDEwAhMzAAAD53EWvSG3L5ZCAAAAAAPnMA0GCWCGSAFl # AwQCAQUAoIGuMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcC # AQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCBLzZL/na1e2pG+sydy # sOIP1ymV3T4pIZvhk0+oAo1uqjBCBgorBgEEAYI3AgEMMTQwMqAUgBIATQBpAGMA # cgBvAHMAbwBmAHShGoAYaHR0cDovL3d3dy5taWNyb3NvZnQuY29tMA0GCSqGSIb3 # DQEBAQUABIIBAGAk2seKvsrorDd8j6+7JA/4tjhpezp4+lXSUPZVcnJIUPQde8Pu # AvLzVOmMYT4ts5I978HTMwDUBie9wOeXTRSGT7jnkEN2I85d9CMjt0mr9+zNgVCg # Fd4YnxfZ+zUR/oqYJVXWRvqXY7g4LZWKUiOlC00/vOFdIDd/rq3doHgKzEIzJKHi # e3nh4xSCyvumc+fOI88bc1JVD28vCAD2y7yussn7JCk/rYQ6nm5j5DYe78ZqEVCr # BCeouaTmxKgHxoNtwWAhW0n1kiszl8wFNmZGu9sXUOSOXcScgCock3JuTaLz7deB # zUtggmOcPRM9qIyZOD9bOSlaxboZs+alr0OhghLxMIIS7QYKKwYBBAGCNwMDATGC # Et0wghLZBgkqhkiG9w0BBwKgghLKMIISxgIBAzEPMA0GCWCGSAFlAwQCAQUAMIIB # VQYLKoZIhvcNAQkQAQSgggFEBIIBQDCCATwCAQEGCisGAQQBhFkKAwEwMTANBglg # hkgBZQMEAgEFAAQgxxVDvm2AaSOcuSh/rFJqaLau6uIOO8pqB0R405AjmZACBl+7 # zTNbxBgTMjAyMDExMjcxMTQ3NTIuNzU1WjAEgAIB9KCB1KSB0TCBzjELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0 # IE9wZXJhdGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNO # OjBBNTYtRTMyOS00RDREMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNloIIORDCCBPUwggPdoAMCAQICEzMAAAEnL26j75GoGagAAAAAAScwDQYJ # KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMTkx # MjE5MDExNDU5WhcNMjEwMzE3MDExNDU5WjCBzjELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0IE9wZXJhdGlvbnMg # UHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjBBNTYtRTMyOS00 # RDREMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIBIjAN # BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+AHecRGeTp9LjS+9Z4PccKAz0Snj # FMhCI+clcT0T4eRlW1Ow96ag7KF80DIX3kT+tS9c5VNRwkUvtdvXqNMo9c42wJZj # wMKLFIMiKJ3rFrfROIRZVwhlHCIOVzHb0Pjrs5Nq/msDUbpPAARjmtCOFQcus6gm # B8l9qRmrogeN36yUjT+qXKztAgZqQWTY4HqaH+Wf+dLwbiQ1EroOjiDEO2cFIUs1 # +GxJmVFIwMnAW+tnYUKRqh7F3usqVQ04ABJxjjXUgSpB4jU/B9GbdpZtLwi8B8k8 # LYCHYuu0/ywqfl9ppTx6l7GN7u9l9xmJ/9xvGBQpK0nOpt29ME1z3ef9nwIDAQAB # o4IBGzCCARcwHQYDVR0OBBYEFOX0llWAXzkxJFtiU4lduFjTbZXyMB8GA1UdIwQY # MBaAFNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6 # Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1RpbVN0YVBD # QV8yMDEwLTA3LTAxLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0 # dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljVGltU3RhUENBXzIw # MTAtMDctMDEuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwgw # DQYJKoZIhvcNAQELBQADggEBAArKjXzRVccGpWeNnBDLs2XNdujb5bmp8fFHsA1X # lEGRGR0ZqaTBRwM0v4Okc5sU8kdrShN5goTRluXUy+99LxG0YZ2EZgYIl/4E93+A # EKzj52Rl2O87M3K5W4M8aWpDl/sdLuK5D9wLIYdwdgnSddV7AXYuT4mWtbKQelOU # vA9eYKk1H6CJ4i0+L9QwXZFhMbCiNb7IhXA3IxieMUZTERfn8O0mNFmaDs8EcysQ # 03YOA7rAF6Wnim3IfYorYSxZP7yMUK6gq/54lvLRAPnks3l/xKtQ9Gcrzp+HtpU5 # 8KCVCh+jkAFkgaIMiuDgmxXiTqnSgFIgU4BypECGIf7WykIwggZxMIIEWaADAgEC # AgphCYEqAAAAAAACMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0 # aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0xMDA3MDEyMTM2NTVaFw0yNTA3MDEy # MTQ2NTVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAk # BgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIIBIjANBgkqhkiG # 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0NvHcRijog7PwTl/X6f2mUa3RUENWlCgCC # hfvtfGhLLF/Fw+Vhwna3PmYrW/AVUycEMR9BGxqVHc4JE458YTBZsTBED/FgiIRU # QwzXTbg4CLNC3ZOs1nMwVyaCo0UN0Or1R4HNvyRgMlhgRvJYR4YyhB50YWeRX4FU # sc+TTJLBxKZd0WETbijGGvmGgLvfYfxGwScdJGcSchohiq9LZIlQYrFd/XcfPfBX # day9ikJNQFHRD5wGPmd/9WbAA5ZEfu/QS/1u5ZrKsajyeioKMfDaTgaRtogINeh4 # HLDpmc085y9Euqf03GS9pAHBIAmTeM38vMDJRF1eFpwBBU8iTQIDAQABo4IB5jCC # AeIwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFNVjOlyKMZDzQ3t8RhvFM2ha # hW1VMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNV # HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYG # A1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3Js # L3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcB # AQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv # Y2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MIGgBgNVHSABAf8EgZUw # gZIwgY8GCSsGAQQBgjcuAzCBgTA9BggrBgEFBQcCARYxaHR0cDovL3d3dy5taWNy # b3NvZnQuY29tL1BLSS9kb2NzL0NQUy9kZWZhdWx0Lmh0bTBABggrBgEFBQcCAjA0 # HjIgHQBMAGUAZwBhAGwAXwBQAG8AbABpAGMAeQBfAFMAdABhAHQAZQBtAGUAbgB0 # AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEAB+aIUQ3ixuCYP4FxAz2do6Ehb7Prpsz1 # Mb7PBeKp/vpXbRkws8LFZslq3/Xn8Hi9x6ieJeP5vO1rVFcIK1GCRBL7uVOMzPRg # Eop2zEBAQZvcXBf/XPleFzWYJFZLdO9CEMivv3/Gf/I3fVo/HPKZeUqRUgCvOA8X # 9S95gWXZqbVr5MfO9sp6AG9LMEQkIjzP7QOllo9ZKby2/QThcJ8ySif9Va8v/rbl # jjO7Yl+a21dA6fHOmWaQjP9qYn/dxUoLkSbiOewZSnFjnXshbcOco6I8+n99lmqQ # eKZt0uGc+R38ONiU9MalCpaGpL2eGq4EQoO4tYCbIjggtSXlZOz39L9+Y1klD3ou # OVd2onGqBooPiRa6YacRy5rYDkeagMXQzafQ732D8OE7cQnfXXSYIghh2rBQHm+9 # 8eEA3+cxB6STOvdlR3jo+KhIq/fecn5ha293qYHLpwmsObvsxsvYgrRyzR30uIUB # HoD7G4kqVDmyW9rIDVWZeodzOwjmmC3qjeAzLhIp9cAvVCch98isTtoouLGp25ay # p0Kiyc8ZQU3ghvkqmqMRZjDTu3QyS99je/WZii8bxyGvWbWu3EQ8l1Bx16HSxVXj # ad5XwdHeMMD9zOZN+w2/XU/pnR4ZOC+8z1gFLu8NoFA12u8JJxzVs341Hgi62jbb # 01+P3nSISRKhggLSMIICOwIBATCB/KGB1KSB0TCBzjELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0IE9wZXJhdGlv # bnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjBBNTYtRTMy # OS00RDREMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMK # AQEwBwYFKw4DAhoDFQCzlbhObIMcxEzuLPqaAaiOq9cfM6CBgzCBgKR+MHwxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv # c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUAAgUA42rowjAi # GA8yMDIwMTEyNzA2NTM1NFoYDzIwMjAxMTI4MDY1MzU0WjB3MD0GCisGAQQBhFkK # BAExLzAtMAoCBQDjaujCAgEAMAoCAQACAhxaAgH/MAcCAQACAhIUMAoCBQDjbDpC # AgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSCh # CjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQADgYEAXugpZM3HiA6aHmf3setucMpD # J/9XDU7kYPnpBHdTdA+cAu8FO5lgU0tLW7N/7jhQLPWX/jJyjfn0OIYXwKvNx9E2 # TjRXQ/GMjuYftAm8nQr498bSwKM0ZSFl2w4d45kuO6DifQO41qh7iicWPvHJEOMA # Lpz27+TaSMk2Cvj8ofMxggMNMIIDCQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt # cCBQQ0EgMjAxMAITMwAAAScvbqPvkagZqAAAAAABJzANBglghkgBZQMEAgEFAKCC # AUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCCl # kmtTQuNqTZkZp0wLnpA6++PR0k8G4dfa0sIzuZ9JNDCB+gYLKoZIhvcNAQkQAi8x # geowgecwgeQwgb0EIBuS6EsShh1qFv8FTJWzM7ZUOLqQHcxJqh//7y7tIz4iMIGY # MIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV # BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG # A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAEnL26j75Go # GagAAAAAAScwIgQgmnsMS+AxoguyQRyBitWEElaEPYEhEzX2RVuhsFwIU2EwDQYJ # KoZIhvcNAQELBQAEggEAse5q9/0+VzI6CFG7V/DtAAVDUL+4/sH9qKpOIpCbf3bl # 3tUawWJ+ELLvScXuvXHaxyuKwXqTpVjVOfe4MBBhANPk+A6nNHYZvBWTvDNck8Ci # pLKaYxMC5O7riNPq20AQkBTyaLm27O4Oc19p2S0QKH2CLZVr7qvb8/ZzmC/SxvJM # 766w1Vn75kH5JAxohbXPJ0hCpNzqSRzyGUJXrgAujINyzN8kJUUW5C3GHOQfoKgD # 3ospaiO3I8ODKswanGFTrD+W16+MvBLoc3O1EElVR9ZFVYr5PFlIf9hfkcchReg5 # wZJixlz01oqLRBTmC+A4gKq4qB9jZV3grrn/rd3uIQ== # SIG # End signature block |