Framework/Helpers/ContextHelper.ps1
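<#
.Description
# Context class for identity details.
# Provides functionality to login, create context, get token for api calls.
#
# All state lives in hidden static fields, so a process has exactly one current context.
# The context is built in one of three ways:
#   - PAT:   SetContext(orgName, PATToken) -> GetCurrentContext([SecureString])
#   - OAuth: $env:RefreshToken and $env:ClientSecret both present -> GetOAuthAccessToken()
#   - Login: silent/interactive user login (MSAL when PowerShell major version > 5, ADAL otherwise)
# The access token (or the PAT) is held as plain text in currentContext.AccessToken.
#>
using namespace Microsoft.IdentityModel.Clients.ActiveDirectory
class ContextHelper {
    # The single active context for this process; populated by ConvertToContextObject.
    static hidden [Context] $currentContext;
    # Set by the constructors when both $env:RefreshToken and $env:ClientSecret are non-empty.
    static hidden [bool] $IsOAuthScan;
    # When true, GetCurrentContext() re-enters the login path and prompts interactively.
    static hidden [bool] $PromptForLogin;
    #This will be used to carry current org under current context.
    static hidden [string] $orgName;
    static hidden [bool] $IsBatchScan;
    # Major PowerShell version; selects the MSAL (> 5) or ADAL (<= 5) code path.
    static hidden [int] $PSVersion = $null;
    # MSAL public client application and the account it resolved (PowerShell > 5 only).
    static hidden $appObj = $null;
    static hidden $Account = $null;
    # True when the current context was built from a PAT rather than from a login session.
    static hidden $IsPATUsed = $false;

    # Detects an OAuth-based scan from the environment and records the PowerShell major version.
    ContextHelper() {
        # this if block will be executed for OAuth based scan
        if (-not [string]::IsNullOrWhiteSpace($env:RefreshToken) -and -not [string]::IsNullOrWhiteSpace($env:ClientSecret)) {
            [ContextHelper]::IsOAuthScan = $true
        }
        if (![ContextHelper]::PSVersion) {
            [ContextHelper]::PSVersion = ($global:PSVersionTable).PSVersion.major
        }
    }

    # Same as the default constructor, additionally marking the scan as a batch scan.
    # NOTE(review): the $IsBatchScan argument is not read; the flag is always set to $true — confirm with callers.
    ContextHelper([bool] $IsBatchScan) {
        # this if block will be executed for OAuth based scan
        if (-not [string]::IsNullOrWhiteSpace($env:RefreshToken) -and -not [string]::IsNullOrWhiteSpace($env:ClientSecret)) {
            [ContextHelper]::IsOAuthScan = $true
        }
        [ContextHelper]::IsBatchScan = $true;
        if (![ContextHelper]::PSVersion) {
            [ContextHelper]::PSVersion = ($global:PSVersionTable).PSVersion.major
        }
    }

    # Returns the current context, creating it through a login only when none exists yet.
    hidden static [PSObject] GetCurrentContext() {
        return [ContextHelper]::GetCurrentContext($false);
    }

    # Returns the current context. A (re)login is performed when there is no context yet,
    # when $authNRefresh is true (token about to expire, see GetAccessToken) or when
    # PromptForLogin is set. The login path depends on the scan type:
    #   OAuth scan      -> refresh-token exchange (GetOAuthAccessToken)
    #   PowerShell > 5  -> MSAL public client (silent first, interactive on failure)
    #   PowerShell <= 5 -> ADAL AuthenticationContext
    # Side effects: resets IsPATUsed, may set appObj/Account, and replaces currentContext.
    hidden static [PSObject] GetCurrentContext([bool]$authNRefresh) {
        if ((-not [ContextHelper]::currentContext) -or $authNRefresh -or [ContextHelper]::PromptForLogin) {
            [ContextHelper]::IsPATUsed = $false
            $clientId = [Constants]::DefaultClientId;
            $replyUri = [Constants]::DefaultReplyUri;
            $adoResourceId = [Constants]::DefaultADOResourceId;
            [AuthenticationContext] $ctx = $null;
            $ctx = [AuthenticationContext]::new("https://login.windows.net/common");
            $result = $null;
            if ([ContextHelper]::IsOAuthScan) {
                # this if block will be executed for OAuth based scan
                $tokenInfo = [ContextHelper]::GetOAuthAccessToken()
                [ContextHelper]::ConvertToContextObject($tokenInfo)
            }
            else {
                if ([ContextHelper]::PSVersion -gt 5) {
                    [string[]] $Scopes = "$adoResourceId/.default";
                    [Microsoft.Identity.Client.IPublicClientApplication] $app = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($clientId).Build();
                    if (![ContextHelper]::appObj) {
                        [ContextHelper]::appObj = $app
                    }
                    if (![ContextHelper]::Account) {
                        [ContextHelper]::Account = $app.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
                    }
                    $tokenSource = New-Object System.Threading.CancellationTokenSource
                    $taskAuthenticationResult = $null
                    try {
                        if (!$authNRefresh -and [ContextHelper]::PromptForLogin) {
                            # Explicit prompt requested: go interactive straight away.
                            $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                            $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                            # The prompt is honoured once, as in the ADAL branch below; otherwise every
                            # later GetCurrentContext() call would re-enter this block and prompt again.
                            [ContextHelper]::PromptForLogin = $false
                        }
                        else {
                            # Silent acquisition from the cached account, falling back to interactive.
                            $AquireTokenParameters = $app.AcquireTokenSilent($Scopes, [ContextHelper]::Account)
                            $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                            # NOTE(review): Exception is read right after the task is started, so a silent
                            # failure may only surface when .Result is read below — confirm.
                            if ($taskAuthenticationResult.exception.message -like "*errors occurred*") {
                                $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                            }
                        }
                    }
                    catch {
                        $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                        $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                    }
                    # Reading .Result blocks until the acquisition completes.
                    if ($taskAuthenticationResult.Result) {
                        $result = $taskAuthenticationResult.Result;
                    }
                    if (![ContextHelper]::Account) {
                        [ContextHelper]::Account = $app.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
                    }
                    [ContextHelper]::appObj = $app;
                }
                else {
                    if (!$authNRefresh -and [ContextHelper]::PromptForLogin) {
                        # Explicit prompt requested: force the ADAL prompt, then clear the flag.
                        $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always
                        $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                        $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri), $PlatformParameters).Result;
                        [ContextHelper]::PromptForLogin = $false
                    }
                    else {
                        $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
                        $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                        $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri), $PlatformParameters).Result;
                    }
                }
                [ContextHelper]::ConvertToContextObject($result)
            }
        }
        return [ContextHelper]::currentContext
    }

    # Returns the current context, building it from the PAT when none exists yet.
    # A PAT context is never refreshed (see GetAccessToken).
    hidden static [PSObject] GetCurrentContext([System.Security.SecureString] $PATToken) {
        if (-not [ContextHelper]::currentContext) {
            [ContextHelper]::IsPATUsed = $true;
            [ContextHelper]::ConvertToContextObject($PATToken)
        }
        return [ContextHelper]::currentContext
    }

    # Exchanges $env:RefreshToken for a new access token using the client secret in $env:ClientSecret.
    # Returns a hashtable with 'AccessToken' and 'ExpiresOn', or $null on any failure (the error is
    # written to the host). As a side effect the returned refresh token is written to Key Vault
    # ($env:KeyVaultName, secret RefreshTokenForADOScan) when the stored secret is missing or
    # expires within a day.
    hidden static [PSObject] GetOAuthAccessToken() {
        $tokenInfo = @{};
        try {
            $url = "https://app.vssps.visualstudio.com/oauth2/token"
            # exchange refresh token with new access token
            # The body is application/x-www-form-urlencoded, so the two dynamic values must be
            # percent-encoded; the fixed parts contain no characters that need escaping.
            $clientAssertion = [Uri]::EscapeDataString($env:ClientSecret)
            $assertion = [Uri]::EscapeDataString($env:RefreshToken)
            $body = "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=$clientAssertion&grant_type=refresh_token&assertion=$assertion&redirect_uri=https://localhost/"
            $res = Invoke-WebRequest -Uri $url -ContentType "application/x-www-form-urlencoded" -Method POST -Body $body
            $response = $res.Content | ConvertFrom-Json
            $tokenInfo['AccessToken'] = $response.access_token
            $expiry = $response.expires_in
            $request_time = Get-Date
            $tokenInfo['ExpiresOn'] = $request_time.AddSeconds($expiry)
            $refreshToken = ConvertTo-SecureString $response.refresh_token -AsPlainText -Force
            #Update refresh token if it is expiring in next 1 day
            $updateTokenInKV = $false
            $secretName = "RefreshTokenForADOScan"
            $tokenSecret = Get-AzKeyVaultSecret -VaultName $env:KeyVaultName -Name $secretName
            if (-not [string]::IsNullOrEmpty($tokenSecret) -and [Helpers]::CheckMember($tokenSecret, "Expires")) {
                if ($tokenSecret.Expires -le [DateTime]::Now.AddDays(1)) {
                    $updateTokenInKV = $true
                }
            }
            else {
                $updateTokenInKV = $true
            }
            if ($updateTokenInKV -eq $true) {
                $RefreshTokenExpiresInDays = [Constants]::RefreshTokenExpiresInDays;
                $ExpiryDate = [DateTime]::Now.AddDays($RefreshTokenExpiresInDays)
                Set-AzKeyVaultSecret -VaultName $env:KeyVaultName -Name $secretName -SecretValue $refreshToken -Expires $ExpiryDate | Out-Null
            }
        }
        catch {
            Write-Host "Error fetching OAuth access token"
            Write-Host $_
            return $null
        }
        return $tokenInfo
    }

    # Returns the access token of the current context. $resourceAppIdUri is accepted for
    # signature compatibility only and is not used.
    static [string] GetAccessToken([string] $resourceAppIdUri) {
        return [ContextHelper]::GetAccessToken()
    }

    # Returns the access token of the current context, refreshing the login session first when
    # the token expires within two minutes. Returns $null when there is no current context.
    static [string] GetAccessToken() {
        if (-not [ContextHelper]::currentContext) {
            return $null
        }
        # A PAT cannot be refreshed through the login session, so never attempt it for one.
        # IsPATUsed records how the context was built; the 52-character length heuristic from the
        # original implementation is kept as a fallback for contexts not created via GetCurrentContext.
        $isPat = [ContextHelper]::IsPATUsed -or ([ContextHelper]::currentContext.AccessToken.length -eq 52)
        #if token expiry is within 2 min, refresh.
        if ((-not $isPat) -and ([ContextHelper]::currentContext.TokenExpireTimeLocal -le [DateTime]::Now.AddMinutes(2))) {
            [ContextHelper]::GetCurrentContext($true);
        }
        return [ContextHelper]::currentContext.AccessToken
    }

    # Acquires a token for $Uri from the signed-in Azure (Az) session rather than from the ADO context.
    # $tenantId defaults to the Az context's tenant when empty.
    # Throws SuppressedException when there is no Az login or no token could be obtained.
    static [string] GetAccessToken([string] $Uri, [string] $tenantId) {
        $rmContext = Get-AzContext
        if (-not $rmContext) {
            throw ([SuppressedException]::new(("No Azure login found"), [SuppressedExceptionType]::InvalidOperation))
        }
        if ([string]::IsNullOrEmpty($tenantId) -and [Helpers]::CheckMember($rmContext, "Tenant")) {
            $tenantId = $rmContext.Tenant.Id
        }
        # "Never" = do not prompt; the token must come from the existing Az session.
        $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($rmContext.Account, $rmContext.Environment, $tenantId, [System.Security.SecureString] $null, "Never", $null, $Uri);
        if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken)))) {
            throw ([SuppressedException]::new(("Unable to get access token. Authentication Failed."), [SuppressedExceptionType]::Generic))
        }
        return $authResult.AccessToken;
    }

    # Acquires a Microsoft Graph access token. With $useAzContext the Az session is used
    # (connecting first if there is none); otherwise the default ADO client is used via
    # GetGraphAccess (PowerShell > 5) or ADAL. Returns $null on failure after writing a
    # warning to the host, so callers must handle a missing token.
    static [string] GetGraphAccessToken($useAzContext) {
        $accessToken = ''
        try {
            Write-Host "Graph access is required to evaluate some controls. Attempting to acquire graph token." -ForegroundColor Cyan
            # In CA mode, we use azure context to fetch the graph access token.
            if ($useAzContext) {
                #getting azure context because graph access token requires azure environment details.
                $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
                if ($Context.count -eq 0) {
                    Connect-AzAccount -ErrorAction Stop
                    $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
                }
                # $Context is always an array here, so this branch cannot be taken; an empty
                # array falls through to Authenticate with null account/environment.
                if ($null -eq $Context) {
                    throw "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."
                }
                else {
                    $graphUri = "https://graph.microsoft.com"
                    $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($Context.Account, $Context.Environment, $Context.Tenant.Id, [System.Security.SecureString] $null, "Never", $null, $graphUri);
                    if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken)))) {
                        throw ([SuppressedException]::new(("Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."), [SuppressedExceptionType]::Generic))
                    }
                    $accessToken = $authResult.AccessToken;
                }
            }
            else {
                # generating graph access token using default VSTS client.
                $clientId = [Constants]::DefaultClientId;
                $replyUri = [Constants]::DefaultReplyUri;
                $adoResourceId = "https://graph.microsoft.com/";
                if ([ContextHelper]::PSVersion -gt 5) {
                    $result = [ContextHelper]::GetGraphAccess()
                }
                else {
                    [AuthenticationContext] $ctx = [AuthenticationContext]::new("https://login.windows.net/common");
                    [AuthenticationResult] $result = $null;
                    $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
                    $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                    $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri), $PlatformParameters).Result;
                }
                $accessToken = $result.AccessToken
            }
            Write-Host "Successfully acquired graph access token." -ForegroundColor Cyan
        }
        catch {
            Write-Host "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate." -ForegroundColor Red
            Write-Host "Continuing without graph access." -ForegroundColor Yellow
            return $null
        }
        return $accessToken;
    }

    # Graph token acquisition for PowerShell > 5. For a PAT-based scan that is not CICD
    # (per AzSKSettings.json LASource) the Az session is used and the Az auth result is
    # returned; otherwise the cached MSAL application (appObj) is used silently, with an
    # interactive fallback, and the MSAL authentication result is returned.
    # Reading .result on a faulted task throws; GetGraphAccessToken catches that.
    hidden static [PSobject] GetGraphAccess() {
        $rootConfigPath = [Constants]::AzSKAppFolderPath;
        $azskSettings = (Get-Content -Raw -Path (Join-Path $rootConfigPath "AzSKSettings.json")) | ConvertFrom-Json
        if ([ContextHelper]::IsPATUsed -and $azskSettings -and $azskSettings.LASource -ne "CICD") {
            $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
            if ($null -eq $Context -or $Context.count -eq 0) {
                Connect-AzAccount -ErrorAction Stop
                $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
            }
            if ($null -eq $Context) {
                throw
            }
            else {
                $graphUri = "https://graph.microsoft.com"
                $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($Context.Account, $Context.Environment, $Context.Tenant.Id, [System.Security.SecureString] $null, "Never", $null, $graphUri);
                return $authResult;
            }
        }
        else {
            $ClientId = [Constants]::DefaultClientId
            [Microsoft.Identity.Client.IPublicClientApplication] $appGrapth = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ClientId).Build();
            if (![ContextHelper]::Account) {
                [ContextHelper]::Account = $appGrapth.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
            }
            $tokenSource = New-Object System.Threading.CancellationTokenSource
            $taskAuthenticationResult = $null
            $AquireTokenParameters = $null;
            [string[]] $Scopes = "https://graph.microsoft.com/.default";
            # NOTE(review): appObj is only populated by GetCurrentContext([bool]); it is null for a
            # PAT-based CICD scan, and this call is outside the try block — confirm.
            $AquireTokenParameters = [ContextHelper]::appObj.AcquireTokenSilent($Scopes, [ContextHelper]::Account)
            try {
                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                if ([Helpers]::CheckMember($taskAuthenticationResult, "exception.message") -and ($taskAuthenticationResult.exception.message -like "*errors occurred*")) {
                    $AquireTokenParameters = $appGrapth.AcquireTokenInteractive($Scopes)
                    $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                }
            }
            catch {
                $AquireTokenParameters = $appGrapth.AcquireTokenInteractive($Scopes)
                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
            }
        }
        return $taskAuthenticationResult.result;
    }

    # Records $organizationName as the current organization and ensures a login-based
    # context exists. Returns the OrganizationContext; throws SuppressedException when the
    # name is empty.
    hidden [OrganizationContext] SetContext([string] $organizationName) {
        if ((-not [string]::IsNullOrEmpty($organizationName))) {
            $OrganizationContext = [OrganizationContext]@{
                OrganizationId = $organizationName;
                Scope = "/Organization/$organizationName";
                OrganizationName = $organizationName;
            };
            # $organizationId contains the organization name (due to framework).
            [ContextHelper]::orgName = $organizationName;
            [ContextHelper]::GetCurrentContext()
        }
        else {
            throw [SuppressedException] ("OrganizationName name [$organizationName] is either malformed or incorrect.")
        }
        return $OrganizationContext;
    }

    # PAT variant of SetContext: records the organization and builds the context from $PATToken.
    # Validation of the PAT happens in ConvertToContextObject([SecureString]); a failed
    # connectionData call propagates from here.
    hidden [OrganizationContext] SetContext([string] $organizationName, [System.Security.SecureString] $PATToken) {
        if ((-not [string]::IsNullOrEmpty($organizationName))) {
            $OrganizationContext = [OrganizationContext]@{
                OrganizationId = $organizationName;
                Scope = "/Organization/$organizationName";
                OrganizationName = $organizationName;
            };
            # $organizationId contains the organization name (due to framework).
            [ContextHelper]::orgName = $organizationName;
            [ContextHelper]::GetCurrentContext($PATToken)
        }
        else {
            throw [SuppressedException] ("OrganizationName name [$organizationName] is either malformed or incorrect.")
        }
        return $OrganizationContext;
    }

    # No-op: currentContext is not cleared here.
    # NOTE(review): confirm whether callers expect the context to be reset.
    static [void] ResetCurrentContext() {
    }

    # Builds currentContext from a login/OAuth result. For an OAuth scan $context is the
    # hashtable from GetOAuthAccessToken; otherwise it is an MSAL (PowerShell > 5) or
    # ADAL authentication result, which differ in where the user name lives.
    hidden static ConvertToContextObject([PSObject] $context) {
        $contextObj = [Context]::new()
        # We do not get ADO organization id as part of current context. Hence appending org name to both id and name param.
        $contextObj.Organization = [Organization]::new()
        $contextObj.Organization.Id = [ContextHelper]::orgName
        $contextObj.Organization.Name = [ContextHelper]::orgName
        if ([ContextHelper]::IsOAuthScan) {
            # this if block will be executed for OAuth based scan
            $contextObj.Account.Id = [ContextHelper]::GetOAuthUserIdentity($context.AccessToken, $contextObj.Organization.Name)
            $contextObj.AccessToken = $context.AccessToken
            $contextObj.TokenExpireTimeLocal = $context.ExpiresOn
        }
        else {
            if ([ContextHelper]::PSVersion -gt 5) {
                $contextObj.Account.Id = $context.Account.username
            }
            else {
                $contextObj.Account.Id = $context.UserInfo.DisplayableId
            }
            $contextObj.Tenant.Id = $context.TenantId
            # The token is stored as plain text; GetAccessToken hands it out as-is.
            $contextObj.AccessToken = $context.AccessToken
            $contextObj.TokenExpireTimeLocal = $context.ExpiresOn.LocalDateTime
        }
        [ContextHelper]::currentContext = $contextObj
    }

    # Resolves the user id behind an OAuth access token via the organization's connectionData
    # API (last segment of authenticatedUser.descriptor). Returns "" on any failure.
    hidden static [string] GetOAuthUserIdentity($accessToken, $orgName) {
        $apiURL = "https://dev.azure.com/{0}/_apis/connectionData" -f $orgName
        $headers = @{ Authorization = "Bearer $accesstoken"; "Content-Type" = "application/json" };
        try {
            $responseObj = Invoke-RestMethod -Method Get -Uri $apiURL -Headers $headers -UseBasicParsing
            $descriptor = $responseObj.authenticatedUser.descriptor
            $userId = ($descriptor -split '\\')[-1]
            return $userId
        }
        catch {
            return ""
        }
    }

    # Builds currentContext from a PAT, then validates the PAT against the organization's
    # connectionData API to fill Tenant.Id and Account.Id. The HTTP call is not wrapped, so an
    # invalid PAT (or an unreachable organization) propagates as an error to the caller.
    hidden static ConvertToContextObject([System.Security.SecureString] $patToken) {
        $contextObj = [Context]::new()
        $contextObj.Account.Id = [string]::Empty
        $contextObj.Tenant.Id = [string]::Empty
        # The PAT is unwrapped to plain text here and kept that way on the context.
        $contextObj.AccessToken = [System.Net.NetworkCredential]::new("", $patToken).Password
        # We do not get ADO organization Id as part of current context. Hence appending org name to both Id and Name param.
        $contextObj.Organization = [Organization]::new()
        $contextObj.Organization.Id = [ContextHelper]::orgName
        $contextObj.Organization.Name = [ContextHelper]::orgName
        [ContextHelper]::currentContext = $contextObj
        $apiURL = "https://dev.azure.com/{0}/_apis/connectionData" -f [ContextHelper]::orgName
        #Note: cannot use this WRH method below due to ordering constraints during load in Framework.ps1
        #$header = [WebRequestHelper]::GetAuthHeaderFromUri($apiURL);
        $user = ""
        $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $contextObj.AccessToken)))
        $headers = @{ "Authorization" = ("Basic " + $base64AuthInfo); "Content-Type" = "application/json" };
        $responseObj = Invoke-RestMethod -Method Get -Uri $apiURL -Headers $headers -UseBasicParsing
        #If the token is valid, we get: "descriptor"="Microsoft.IdentityModel.Claims.ClaimsIdentity;72f988bf-86f1-41af-91ab-2d7cd011db47\xyz@microsoft.com"
        #Note that even for guest users, we get the host tenant (and not their native tenantId). E.g., "descriptor...;72f...47\pqr@live.com"
        #If the token is invalid, we get a diff object: "descriptor":"System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        $authNUserInfo = @(($responseObj.authenticatedUser.descriptor -split ';') -split '\\')
        #Check if the above split resulted in 3 elements (valid token case)
        if ($authNUserInfo.Count -eq 3) {
            $contextObj.Tenant.Id = $authNUserInfo[1]
            $contextObj.Account.Id = $authNUserInfo[2]
        }
    }

    # Returns the account id of the current context, or "NO_ACTIVE_SESSION" when there is none.
    # Note that GetCurrentContext() may trigger a login when no context exists yet.
    static [string] GetCurrentSessionUser() {
        $context = [ContextHelper]::GetCurrentContext()
        if ($null -ne $context) {
            return $context.Account.Id
        }
        else {
            return "NO_ACTIVE_SESSION"
        }
    }
}
# SIG # Begin signature block
# MIIjmAYJKoZIhvcNAQcCoIIjiTCCI4UCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDl2pFxBhthNGHi
# O/UDwX+VUaC2r2/lW4jkQ76ZF7q5mKCCDYUwggYDMIID66ADAgECAhMzAAAB4HFz
# JMpcmPgZAAAAAAHgMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjAxMjE1MjEzMTQ2WhcNMjExMjAyMjEzMTQ2WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDRXpc9eiGRI/2BlmU7OMiQPTKpNlluodjT2rltPO/Gk47bH4gBShPMD4BX/4sg
# NvvBun6ZOG2dxUW30myWoUJJ0iRbTAv2JFzjSpVQvPE+D5vtmdu6WlOR2ahF4leF
# 5Vvk4lPg2ZFrqg5LNwT9gjwuYgmih+G2KwT8NMWusBhO649F4Ku6B6QgA+vZld5S
# G2XWIdvS0pmpmn/HFrV4eYTsl9HYgjn/bPsAlfWolLlEXYTaCljK7q7bQHDBrzlR
# ukyyryFpPOR9Wx1cxFJ6KBqg2jlJpzxjN3udNJPOqarnQIVgB8DUm3I5g2v5xTHK
# Ovz9ucN21467cYcIxjPC4UkDAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUVBWIZHrG4UIX3uX4142l+8GsPXAw
# VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh
# dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzQ2MzAxMDAfBgNVHSMEGDAW
#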
gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AE5msNzmYzYbNgpnhya6YsrM+CIC8CXDu10nwzZtkgQciPOOqAYmFcWJCwD5VZzs # qFwad8XIOrfCylWf4hzn09mD87yuazpuCstLSqfDLNd3740+254vEZqdGxOglAGU # ih2IiF8S0GDwucpLGzt/OLXPFr/d4MWxPuX0L+HB5lA3Y/CJE673dHGQW2DELdqt # ohtkhp+oWFn1hNDDZ3LP++HEZvA7sI/o/981Sh4kaGayOp6oEiQuGeCXyfrIC9KX # eew0UlYX/NHVDqr4ykKkqpHtzbUbuo7qovUHPbYKcRGWrrEtBS5SPLFPumqsRtzb # LgU9HqfRAN36bMsd2qynGyWBVFOM7NMs2lTCGM85Z/Fdzv/8tnYT36Cmbue+IM+6 # kS86j6Ztmx0VIFWbOvNsASPT6yrmYiecJiP6H0TrYXQK5B3jE8s53l+t61ab0Eul # 7DAxNWX3lAiUlzKs3qZYQEK1LFvgbdTXtBRnHgBdABALK3RPrieIYqPln9sAmg3/ # zJZi4C/c2cWGF6WwK/w1Nzw08pj7jaaZZVBpCeDe+y7oM26QIXxracot7zJ21/TL # 70biK36YybSUDkjhQPP/uxT0yebLNBKk7g8V98Wna2MsHWwk0sgqpkjIp02TrkVz # 26tcF2rml2THRSDrwpBa4x9c8rM8Qomiyeh2tEJnsx2LMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # 
A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCFWkwghVlAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # 
Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAAHgcXMkylyY+BkAAAAA # AeAwDQYJYIZIAWUDBAIBBQCggbAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIPjI # sHLrmvzv04I6NFta6NBsIntogCNwono1o2FoL9R1MEQGCisGAQQBgjcCAQwxNjA0 # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEcgBpodHRwczovL3d3dy5taWNyb3NvZnQu # Y29tIDANBgkqhkiG9w0BAQEFAASCAQB1hXuNuhhbl+UNurbnDUUoSjdqq0WGlVEz # 3/By5C1H5g6IaZZRPLRDAVDetZze7b8E/1oHoJK6mW4tODySunstdH35PrUGLIiS # +GyMHAMmZeibv7E2Hhxs+UCpGUS5KhtuEP9kb7rOrW00CJYGlAqEEYx5jigoT1kO # lf/jZ4f0Pst31EDVSdIm7ZrnlLbGRb9CsnZhU/BjmcZIBDd+gAwFyeR48jNgxlK0 # 4nerUr1aBTcSB6+Vz0rAB69xJnIJJrcgVxyrU4ylBiXfE9xnfo3f+p91LszTrRoR # DxV4R5ZRwnPDi5x/1FJddwk8Kn9Z6sysw3AlhyJ279dTm6wQvxQUoYIS8TCCEu0G # CisGAQQBgjcDAwExghLdMIIS2QYJKoZIhvcNAQcCoIISyjCCEsYCAQMxDzANBglg # hkgBZQMEAgEFADCCAVUGCyqGSIb3DQEJEAEEoIIBRASCAUAwggE8AgEBBgorBgEE # AYRZCgMBMDEwDQYJYIZIAWUDBAIBBQAEIPy1ECjmnnpEbEO/7yilFdSJfoCY6MXn # SNJRG/fzCY5RAgZhRNPlXXcYEzIwMjEwOTI0MTM0NjA2LjkxNlowBIACAfSggdSk # gdEwgc4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNV # BAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1U # aGFsZXMgVFNTIEVTTjpDNEJELUUzN0YtNUZGQzElMCMGA1UEAxMcTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgU2VydmljZaCCDkQwggT1MIID3aADAgECAhMzAAABV0QHYtxv # 6L4qAAAAAAFXMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv # ZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBD # QSAyMDEwMB4XDTIxMDExNDE5MDIxM1oXDTIyMDQxMTE5MDIxM1owgc4xCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29m # dCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVT # TjpDNEJELUUzN0YtNUZGQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg # U2VydmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN5tA6dUZvnn # 
wL9qQtXcwPANhB4ez+5CQrePp/Z8TH4NBr5vAfGMo0lV/lidBatKTgHErOuKH11x # VAfBehHJvH9T/OhOc83CJs9bzDhrld0Jdy3eJyC0yBdxVeucS+2a2ZBd50wBg/5/ # 2YjQ2ylfD0dxKK6tQLxdODTuadQMbda05lPGnWGwZ3niSgIKVRgqqCVlhHzwNtRh # 1AH+ZxbfSe7t8z3oEKAdTAy7SsP8ykht3srjdh0BykPFdpaAgqwWCJJJmGk0gArS # vHC8+vXtGo3MJhWQRe5JtzdD5kdaKH9uc9gnShsXyDEhGZjx3+b8cuqEO8bHv0WP # X9MREfrfxvkCAwEAAaOCARswggEXMB0GA1UdDgQWBBRdMXu76DghnU/kPTMKdFkR # 9oCp2TAfBgNVHSMEGDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBN # MEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0 # cy9NaWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoG # CCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01p # Y1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQM # MAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQAld3kAgG6XWiZyvdibLRmW # r7yb6RSycjVDg8tcCitS01sTVp4T8Ad2QeYfJWfK6DMEk7QRBfKgdN7oE8dXtmQV # L+JcxLj0pUuy4NB5RchcteD5dRnTfKlRi8vgKUaxDcoFIzNEUz1EHpopeagDb4/u # I9Uj5tIuwlik/qrv/sHAw7kM4gELLNOgdev9Z/7xo1JIwfe0eoQM3wxcCFLuf8S9 # OncttaFAWHtEER8IvgRAgLJ/WnluFz68+hrDfRyX/qqWSPIE0voE6qFx1z8UvLwK # pm65QNyNDRMp/VmCpqRZrxB1o0RY7P+n4jSNGvbk2bR70kKt/dogFFRBHVVuUxf+ # MIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9z # b2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEz # NjU1WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx # MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1 # +n9plGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROO # fGEwWbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEby # WEeGMoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqv # S2SJUGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noq # 
CjHw2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVP # Ik0CAwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpc # ijGQ80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNV # HQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo # 0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29m # dC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5j # cmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jv # c29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCB # oAYDVR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0 # dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0w # QAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQA # YQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+B # cQM9naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RX # CCtRgkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31a # PxzymXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E # 4XCfMkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517 # IW3DnKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl # 5WTs9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ # 3110mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm7 # 7MbL2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1Qn # IffIrE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1 # rtxEPJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrv # CScc1bN+NR4Iuto229Nfj950iEkSoYIC0jCCAjsCAQEwgfyhgdSkgdEwgc4xCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jv # c29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNT # IEVTTjpDNEJELUUzN0YtNUZGQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAES34SWJ7DfbSG/gbIQwTrzgZ8PKg # gYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # 
A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw # JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0B # AQUFAAIFAOT34/owIhgPMjAyMTA5MjQwOTQzMjJaGA8yMDIxMDkyNTA5NDMyMlow # dzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA5Pfj+gIBADAKAgEAAgIWfAIB/zAHAgEA # AgIRSjAKAgUA5Pk1egIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMC # oAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAE/FERRP # 5JE8hslV7U9Z1y5J9AvJiQ74tj9ALsrcYFQmWPLzwY/B58PqM9Da8tl6f0VzxNLw # xQl+7A4WXsHlxtgS/sA9gU5K8ZPQe6VSWIkqTeQOEvfJvEtSYw7maX0mkAiIWcZs # IpWlMhHnlnKeL8Too8jPFN58lWv5piEFhdzfMYIDDTCCAwkCAQEwgZMwfDELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9z # b2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAFXRAdi3G/ovioAAAAAAVcwDQYJ # YIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkq # hkiG9w0BCQQxIgQg5IrCbqqP95tXm+IufOIvqe0ZBQW74CF0283bs7WCcgUwgfoG # CyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCAsWo0NQ6vzuuupUsZEMSJ4UsRjtQw2 # dFxZWkHtqRygEzCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # AhMzAAABV0QHYtxv6L4qAAAAAAFXMCIEIAOwbdCN+vQ72GGsV8BO0bHP2rPfTY9v # AQ59Trb2uZIdMA0GCSqGSIb3DQEBCwUABIIBALlfIJLxQwyoXfl6j04xdYfxKBJr # ePaTxvv22Vc01XX3eHJ1qpdqKiarIRMzMVMqvKMpBO6CYI2pkNEZJOatGhNuZPEh # XC2pGWl93V4gqdB6hoAxK6m8+aSYXM+lmgM+JnuW2Pt+DqTWtP0P3DuVdMjk8abu # m4Y28BDO9AW1DwsF21odlr7zrZxpZvjNFhfWDzFT5g6iV5hXHngrRP+Gw+ytPKuC # JEgs06aLfMlMOtJeKpN+Gn57LLSw7MSdP98m3kre2m14SSMgF5iUZkCUYEcjQjzn # BRWSGLP42/qWJ2odX0aXbZ8sc2pudID8144/3M2KvF9TWhYGlcx6+toYglk= # SIG # End signature block |