Framework/BugLog/BugMetaInfoProvider.ps1
|
Set-StrictMode -Version Latest class BugMetaInfoProvider { hidden [PSObject] $ControlSettingsBugLog hidden [string] $ServiceId hidden static [PSObject] $ServiceTreeInfo hidden [PSObject] $InvocationContext hidden [bool] $BugLogUsingCSV = $false; hidden [string] $STMappingFilePath = $null hidden static $OrgMappingObj = @{} hidden static [PSObject] $emailRegEx hidden static $AssigneeForUnmappedResources = @{} hidden static [string] $GetAssigneeUsingFallbackMethod = $false BugMetaInfoProvider() { if ($null -eq [BugMetaInfoProvider]::emailRegEx) { $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); [BugMetaInfoProvider]::emailRegEx = $ControlSettings.Patterns | where {$_.RegexCode -eq "Email"} | Select-Object -Property RegexList; [BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod = $ControlSettings.BugLogging.GetAssigneeUsingFallbackMethod } } BugMetaInfoProvider($bugLogUsingCSV, $stMappingFilePath) { $this.BugLogUsingCSV = $bugLogUsingCSV; $this.STMappingFilePath = $stMappingFilePath; } hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $controlSettingsBugLog, $isBugLogCustomFlow, $serviceIdPassedInCMD, $invocationContext) { $this.ControlSettingsBugLog = $controlSettingsBugLog; #flag to check if pluggable bug logging interface (service tree) if ($isBugLogCustomFlow) { $this.InvocationContext = $invocationContext; return $this.BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD) } else { return $this.GetAssigneeFallback($ControlResult); } } hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $invocationContext) { $this.InvocationContext = $invocationContext; return $this.BugLogCustomFlow($ControlResult, "") } hidden [string] BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD) { $resourceType = $ControlResult.ResourceContext.ResourceTypeName $projectName = $ControlResult[0].ResourceContext.ResourceGroupName; $assignee = ""; try { #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA #PA members can fix the control if($ResourceType -eq 'Organization' -or $ResourceType -eq 'Project') { $assignee = [ContextHelper]::GetCurrentSessionUser(); } else { $rscId = ($ControlResult.ResourceContext.ResourceId -split "$resourceType/")[-1]; $assignee = $this.CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD); if (!$assignee -and (!$this.BugLogUsingCSV)) { $assignee = $this.GetAssigneeFallback($ControlResult) } } } catch { return ""; } return $assignee; } hidden [string] CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD) { $metaInfo = [MetaInfoProvider]::Instance; $assignee = ""; try { #If serviceid based scan then get servicetreeinfo details only once. #First condition if not serviceid based scan then go inside every time. #Second condition if serviceid based scan and [BugMetaInfoProvider]::ServiceTreeInfo not null then only go inside. if (!$serviceIdPassedInCMD -or ($serviceIdPassedInCMD -and ![BugMetaInfoProvider]::ServiceTreeInfo)) { [BugMetaInfoProvider]::ServiceTreeInfo = $metaInfo.FetchResourceMappingWithServiceData($rscId, $projectName, $resourceType, $this.STMappingFilePath); } if([BugMetaInfoProvider]::ServiceTreeInfo) { #Filter based on area path match project name and take first items (if duplicate service tree entry found). #Split areapath to match with projectname if (!$this.BugLogUsingCSV) { [BugMetaInfoProvider]::ServiceTreeInfo = ([BugMetaInfoProvider]::ServiceTreeInfo | Where {($_.areaPath).Split('\')[0] -eq $projectName})[0] } $this.ServiceId = [BugMetaInfoProvider]::ServiceTreeInfo.serviceId; #Check if area path is not supplied in command parameter then only set from service tree. if (!$this.InvocationContext.BoundParameters["AreaPath"]) { [BugLogPathManager]::AreaPath = [BugMetaInfoProvider]::ServiceTreeInfo.areaPath.Replace("\", "\\"); } $domainNameForAssignee = "" if([Helpers]::CheckMember($this.ControlSettingsBugLog, "DomainName")) { $domainNameForAssignee = $this.ControlSettingsBugLog.DomainName; } elseif ($this.BugLogUsingCSV) { $domainNameForAssignee = "microsoft.com"; } $assignee = [BugMetaInfoProvider]::ServiceTreeInfo.devOwner.Split(";")[0] + "@"+ $domainNameForAssignee } } catch { Write-Host "Could not find service tree data file." -ForegroundColor Yellow } return $assignee; } hidden [string] GetAssigneeFallback([SVTEventContext[]] $ControlResult) { if ($ControlResult.ResourceContext.ResourceId -in [BugMetaInfoProvider]::AssigneeForUnmappedResources.Keys ) { return [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] } $ResourceType = $ControlResult.ResourceContext.ResourceTypeName $ResourceName = $ControlResult.ResourceContext.ResourceName $organizationName = $ControlResult.OrganizationContext.OrganizationName; $eventBaseObj = [EventBase]::new() switch -regex ($ResourceType) { #assign to the creator of service connection 'ServiceConnection' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $apiURL = "https://dev.azure.com/{0}/{1}/_apis/serviceendpoint/{2}/executionhistory?top=1&api-version=6.0-preview.1" -f $organizationName, $($ControlResult.ResourceContext.ResourceGroupName), $($ControlResult.ResourceContext.ResourceDetails.id); $executionHistory = [WebRequestHelper]::InvokeGetWebRequest($apiURL); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($executionHistory, "data") ) -and (($executionHistory.data | Measure-Object).Count -gt 0) ) { $pipelineType = $executionHistory.data[0].planType $pipelineId = $executionHistory.data[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with service connection, then fecth assignee from permissions else { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.serviceendpointrole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the creator of agent pool 'AgentPool' { $apiurl = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $organizationName, $ResourceName try { $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2 " -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($agentPool[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider", "jobs")) ) { $pipelineType = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].planType $pipelineId = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with agentpool, then fecth assignee from permissions else { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the creator of variable group 'VariableGroup' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName } } if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/{1}%24{2}?api-version=6.1-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person who recently triggered the build pipeline, or if the pipeline is empty assign it to the creator 'Build' { $definitionId = $ControlResult.ResourceContext.ResourceDetails.id; try { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId) } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person who recently triggered the release pipeline, or if the pipeline is empty assign it to the creator 'Release' { $definitionId = ($ControlResult.ResourceContext.ResourceId -split "release/")[-1]; try { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId) } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Repository' { try { $assignee = "" $url = 'https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/commits?searchCriteria.$top=1&api-version=6.0' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id; $repoLatestCommit = @([WebRequestHelper]::InvokeGetWebRequest($url)); if ($repoLatestCommit.count -gt 0 -and [Helpers]::CheckMember($repoLatestCommit[0],"author")) { $assignee = $repoLatestCommit[0].author.email; } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { #getting assignee from the repository permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { try{ $accessList = @() $url = 'https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1' -f $organizationName; $refererUrl = "https://dev.azure.com/{0}/{1}/_settings/repositories?repo={2}&_a=permissionsMid" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id $inputbody = '{"contributionIds":["ms.vss-admin-web.security-view-members-data-provider"],"dataProviderContext":{"properties":{"permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $inputbody.dataProviderContext.properties.sourcePage.url = $refererUrl $inputbody.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName; $inputbody.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)" $responseObj = [WebRequestHelper]::InvokePostWebRequest($url, $inputbody); # Iterate through each user/group to fetch detailed permissions list if([Helpers]::CheckMember($responseObj[0],"dataProviders") -and ($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider') -and ([Helpers]::CheckMember($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider',"identities"))) { $body = '{"contributionIds":["ms.vss-admin-web.security-view-permissions-data-provider"],"dataProviderContext":{"properties":{"subjectDescriptor":"","permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","accountName":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $body.dataProviderContext.properties.sourcePage.url = $refererUrl $body.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName; $body.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)" $accessList += $responseObj.dataProviders."ms.vss-admin-web.security-view-members-data-provider".identities | Where-Object { ($_.subjectKind -eq "user") -and (-not [string]::IsNullOrEmpty($_.mailAddress))} | ForEach-Object { $identity = $_ $body.dataProviderContext.properties.subjectDescriptor = $_.descriptor $identityPermissions = [WebRequestHelper]::InvokePostWebRequest($url, $body); $configuredPermissions = @($identityPermissions.dataproviders."ms.vss-admin-web.security-view-permissions-data-provider".subjectPermissions | Where-Object {$_.permissionDisplayString -ne 'Not set'}) if ($configuredPermissions.Count -ge 12) { return $identity } } if ($accessList.Count -gt 0) { $assignee = $accessList[0].mailAddress } } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'SecureFile' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName } } # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.securefile/roleassignments/resources/{1}%24{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Feed' { try { $assignee = "" if ("Project" -notin $ControlResult.ResourceContext.ResourceDetails.PSobject.Properties.name){ $url = 'https://{0}.feeds.visualstudio.com/_apis/Packaging/Feeds/{1}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceDetails.Id; } else { $url = 'https://{0}.feeds.visualstudio.com/{1}/_apis/Packaging/Feeds/{2}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id; } $feedPermissionList = @([WebRequestHelper]::InvokeGetWebRequest($url)); if ($feedPermissionList.count -gt 0 -and [Helpers]::CheckMember($feedPermissionList[0],"identityDescriptor")) { $roles = $feedPermissionList | Where {$_.role -eq 'Administrator'} if ($roles.count -ge 1) { $resourceOwners = @($roles.identityDescriptor.Split('\') | Where {$_ -match [BugMetaInfoProvider]::emailRegEx.RegexList[0]}) if ($resourceOwners.count -ge 1) { $allAssignee = $resourceOwners | Select-Object @{l="mailaddress";e={$_}}, @{l="subjectKind";e={"User"}} $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Environment' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "lastModifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.lastModifiedBy.uniqueName } } # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://dev.azure.com/{0}/{1}/_environments/{2}?view=resources&__rt=fps&__ver=2" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $envDetails = [WebRequestHelper]::InvokeGetWebRequest($url); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($envDetails[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider", "deploymentExecutionRecords")) ) { $pipelineType = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].planType $pipelineId = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with agentpool, then fecth assignee from permissions else { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/{1}_{2}?api-version=5.0-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA #PA members can fix the control 'Organization' { return [ContextHelper]::GetCurrentSessionUser(); } 'Project' { return [ContextHelper]::GetCurrentSessionUser(); } } return ""; } hidden [string] GetAssigneeFromOrgMapping($organizationName){ $assignee = $null; if([BugMetaInfoProvider]::OrgMappingObj.ContainsKey($organizationName)){ return [BugMetaInfoProvider]::OrgMappingObj[$organizationName] } $orgMapping = Get-Content "$($this.STMappingFilePath)\OrgSTData.csv" | ConvertFrom-Csv $orgOwnerDetails = @($orgMapping | where {$_."ADO Org Name" -eq $organizationName}) if($orgOwnerDetails.Count -gt 0){ $assignee = $orgOwnerDetails[0]."OwnerAlias" [BugMetaInfoProvider]::OrgMappingObj[$organizationName] = $assignee } return $assignee; } hidden [string] FetchAssigneeFromBuild($organizationName, $projectName, $definitionId) { $assignee = ""; try { $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/builds?definitions={2}&api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) #check for recent trigger if ([Helpers]::CheckMember($response, "requestedBy")) { $assignee = $response[0].requestedBy.uniqueName if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $assignee = $response[0].lastChangedBy.uniqueName } } #if no triggers found assign to the creator else { $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}?api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.authoredBy.uniqueName } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, get assignee from the the build update history if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($url) if ([Helpers]::CheckMember($response, "changedBy")) { $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending) if ($response.count -gt 0) { $allAssignee = @() $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } } catch { } return $assignee; } hidden [string] FetchAssigneeFromRelease($organizationName, $projectName, $definitionId) { $assignee = ""; try { $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/releases?definitionId={2}&api-version=6.0" -f $organizationName, $projectName , $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) #check for recent trigger if ([Helpers]::CheckMember($response, "modifiedBy")) { $assignee = $response[0].modifiedBy.uniqueName } #if no triggers found assign to the creator else { $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions/{2}?&api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.createdBy.uniqueName } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, get assignee from the the release update history if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://{0}.vsrm.visualstudio.com/{1}/_apis/Release/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($url) if ([Helpers]::CheckMember($response, "changedBy")) { $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending) if ($response.count -gt 0) { $allAssignee = @() $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } } catch { } return $assignee; } hidden [string] getUserFromUserId($organizationName, $userId) { try { # User descriptor is base 64 encoding of user id # $url = "https://vssps.dev.azure.com/{0}/_apis/graph/descriptors/{1}?api-version=6.0-preview.1" -f $organizationName, $userId # $userDescriptor = [WebRequestHelper]::InvokeGetWebRequest($url); $userDescriptor = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($userId)) $userProfileURL = "https://vssps.dev.azure.com/{0}/_apis/graph/users/aad.{1}?api-version=6.0-preview.1" -f $organizationName, $userDescriptor $userProfile = [WebRequestHelper]::InvokeGetWebRequest($userProfileURL) return $userProfile[0].mailAddress } catch { return "" } } #method to obtain sign in ID of TF scoped identities hidden [string] GetAssigneeFromTFScopedIdentity($identity,$organizationName){ $assignee = $null; #TF scoped identities with alternate email address will be in the format: a.b@microsoft.com if($identity -like "*.*@microsoft.com"){ #check for the correct identitity corresponding to this email $url="https://dev.azure.com/{0}/_apis/IdentityPicker/Identities?api-version=7.1-preview.1" -f $organizationName $body = "{'query':'{0}','identityTypes':['user'],'operationScopes':['ims','source'],'properties':['DisplayName','Active','SignInAddress'],'filterByEntityIds':[],'options':{'MinResults':40,'MaxResults':40}}" | ConvertFrom-Json $body.query = $identity try{ $responseObj = [WebRequestHelper]::InvokePostWebRequest($url,$body) #if any user has been found, assign this bug to the sign in address of the user if($responseObj.results[0].identities.count -gt 0){ $assignee = $responseObj.results[0].identities[0].signInAddress } } catch{ return $assignee; } } else{ return $assignee; } return $assignee; } } # SIG # Begin signature block # MIInnwYJKoZIhvcNAQcCoIInkDCCJ4wCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBWAUGlHXZBQcgZ # Ut2uN6pVQxEeJhoERPCR2O1o1KPJfKCCDYEwggX/MIID56ADAgECAhMzAAACUosz # qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I # sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O # L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA # v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o # RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8 # q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3 # uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp # kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7 # l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u # TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1 # o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti # yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z # 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf # 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK # WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW # esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F # 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIZdDCCGXACAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN # BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgWjJYBTM5 # T9xUseMVzivQzFlsQalx6W53k1GrNVANrI4wRAYKKwYBBAGCNwIBDDE2MDSgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g # MA0GCSqGSIb3DQEBAQUABIIBAIa9YvlnK2IcNNRMXk+76oVYhMMvvdOyono8w8Fm # MeWKtsS5OZW1yxzy9EMK/6Uq7jG4YJoXjftCMAQLbYtPcEXkNJfmMe8CsWwTSlNI # QfKbyMB1N/9XWMndrykoNhkksjZuNDw0cmCbf7WH3eDjLlE04s2AJ8rKkioPpYzB # RQvjrbfYRFSazhK9RZcy3DnuiJN3MRckIw0/j6HLD+tLbuzsWoIfQc+MmTYZe2FB # i0tRMuhKDRwPMGvCGS4sGiNqZPdqPr1NuI5bY6h0Fu7iXatkittHTlMZRyI53RYW # /OwkdmDR9dqs8bqzRCJpTg5kjVaC5qHoSy2InvVSIj8vYdOhghb8MIIW+AYKKwYB # BAGCNwMDATGCFugwghbkBgkqhkiG9w0BBwKgghbVMIIW0QIBAzEPMA0GCWCGSAFl # AwQCAQUAMIIBUAYLKoZIhvcNAQkQAQSgggE/BIIBOzCCATcCAQEGCisGAQQBhFkK # AwEwMTANBglghkgBZQMEAgEFAAQgJD4scsy6BtTpX88jtazN4l0iWaFUvyTPt/cc # 4kqNoHgCBmH66+n4mxgSMjAyMjAyMTEwNjIyMTEuMDVaMASAAgH0oIHQpIHNMIHK # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxN # aWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNT # IEVTTjo3QkYxLUUzRUEtQjgwODElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgU2VydmljZaCCEVQwggcMMIIE9KADAgECAhMzAAABnytFNRUILktdAAEAAAGf # MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4X # DTIxMTIwMjE5MDUyMloXDTIzMDIyODE5MDUyMlowgcoxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh # IE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjdCRjEtRTNFQS1C # ODA4MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjAN # BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApPV5fE1RsomQL85vLQeHyz9M5y/P # N2AyBtN47Nf1swmiAlw7NJF5Sd/TlGcHgRWv1fJdu5pQY8i2Q7U4N1vHUDkQ7p35 # +0s2RKBZpV2kmHEIcgzFeYIcYupYfMtzVdUzRxmC82qEJrQXrhUpRB/cKeqwv7ES # uxj6zp9e1wBs6Pv8hcuw31oCEON19+brdtE0oVHmA67ORjlaR6e6LqkGEU6bvpQG # gh36vLa/ixaiMo6ZL8cW9x3MelY7XtDTx+hpyAk/OD8VmCu3qGuQMW7E1KlkMolr # axqMkMlz+MiCn01GD7bExQoteIriTa98kRo6OFNTh2VNshplngq3XHCYJG8upNje # QIUWLyh63jz4eaFh2NNYPE3JMVeIeIpaKr2mmBodxwz1j8OCqCshMu0BxrmStagJ # IXloil9qhNHjUVrppgij4XXBd3XFYlSPWil4bcuMzO+rbFI3HQrZxuVSCOnlOnc3 # C+mBadLzJeyTyN8vSK8fbARIlZkooDNkw2VOEVCGxSLQ+tAyWMzR9Kxrtg79/T/9 # DsKMd+z92X7weYwHoOgfkgUg9GsIvn+tSRa1XP1GfN1vubYCP9MXCxlhwTXRIm0h # dTRX61dCjwin4vYg9gZEIDGItNgmPBN7rPlMmAODRWHFiaY2nASgAXgwXZGNQT3x # oM7JGioSBoXaMfUCAwEAAaOCATYwggEyMB0GA1UdDgQWBBRiNPLVHhMWK0gOLujf # 2WrH1h3IYTAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8E # WDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N # aWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYB # BQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20v # cGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEw # KDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqG # SIb3DQEBCwUAA4ICAQAdiigpPDvpGfPpvWz10CAJqPusWyg2ipDEd//NgPF1QDGv # UaSLWCZHZLWvgumSFQbGRAESZCp1qWCYoshgVdz5j6CDD+cxW69AWCzKJQyWTLR9 # zIn1QQ/TZJ2DSoPhm1smgD7PFWelA9wkc46FWdj2x0R/lDpdmHP3JtSEdwZb45XD # cMpKcwRlJ3QEXn7s430UnwfnQc5pRWPnTBPPidzr73jK2iHM50q5a+OhlzKFhibd # IQSTX+BuSWasl3vJ/M9skeaaC9rojEc6iF19a8AiF4XCzxYEijf7yca8R4hfQclY # qLn+IwnA/DtpjveLaAkqixEbqHUnvXUO6qylQaJw6GFgMfltFxgF9qmqGZqhLp+0 # G/IZ8jclaydgtn2cAGNsol92TICxlK6Q0aCVnT/rXOUkuimdX8MoS/ygII4jT71A # YruzxeCx8eU0RVOx2V74KWQ5+cZLZF2YnQOEtujWbDEsoMdEdZ11d8m2NyXZTX0R # E7ekiH0HQsUV+WFGyOTXb7lTIsuaAd25X4T4DScqNKnZpByhNqTeHPIsPUq2o51n # DNG1BMaw5DanMGqtdQ88HNJQxl9eIJ4xkW4IZehy7A+48cdPm7syRymT8xnUyzBS # qEnSXleKVP7d3T23VNtR0utBMdiKdk3Rn4LUvTzs1WkwOFLnLpJW42ZEIoX4NjCC # B3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAw # gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMT # KU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIx # MDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57Ry # IQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VT # cVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhx # XFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQ # HJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1 # KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s # 4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUg # fX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3 # Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je # 1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUY # hEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUY # P3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGC # NxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4w # HQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYB # BAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNv # bS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcD # CDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0T # AQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNV # HR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9w # cm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEE # TjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl # cnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOC # AgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/a # ZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp # 4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq # 95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qB # woEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG # +jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3B # FARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77 # IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJ # fn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K # 6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDx # yKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIBATCB # +KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO # BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEl # MCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMd # VGhhbGVzIFRTUyBFU046N0JGMS1FM0VBLUI4MDgxJTAjBgNVBAMTHE1pY3Jvc29m # dCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAHRdrpgf8ssMRSxU # wvKyfRb/XPa3oIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAw # DQYJKoZIhvcNAQEFBQACBQDlr/YrMCIYDzIwMjIwMjExMDQzODAzWhgPMjAyMjAy # MTIwNDM4MDNaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOWv9isCAQAwBwIBAAIC # Gd4wBwIBAAICE0IwCgIFAOWxR6sCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYB # BAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOB # gQBGYCV4GoAiU0ZnVHWkVpxxv44XYM7GShUgeRhaZZufIbfohbGFBJC7fElwL7MI # 9q7q0Gn+X3FMN+rlju/Zq8ASZvInDK4Eg2/fq11WpgNHn5LcZrHCFZnki4ovltPq # 0lWkD6ijYWb4tD1OLHgS1TH5DXcd45iLEOByfoIFgo8vzDGCBA0wggQJAgEBMIGT # MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT # HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABnytFNRUILktdAAEA # AAGfMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQ # AQQwLwYJKoZIhvcNAQkEMSIEIItd1NNveKjwoTZtZ+WI0Q+cSYyhztE+OXjulFhH # gcVTMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQghvFeKaIniZ6l51c8DVHo # 3ioCyXxB+z/o7KcsN0t8XNowgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UE # CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z # b2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQ # Q0EgMjAxMAITMwAAAZ8rRTUVCC5LXQABAAABnzAiBCD6d8oWQUUP+zwg6IG47MFc # jVTJ4Mm6vOm1DF0wq6U1LjANBgkqhkiG9w0BAQsFAASCAgBcP80fHg+oPsD+S0e5 # OmQ2WfyTPzpCtgxh97+6gVjoCJ1ldlgGyEhpwUkdrXwbOO7x9rkj4m7IxdRElPSS # 8WBaunZ4mp0KpohRcaDYMsg/TEEarTrxKtQYSSCR8M1tBz8Tf3lfC7Bk77p6CaDc # /9vZAkREzkBuSdow6qeuGOzv7FtktHg3ap2TaPlb3cpMUu8jjkUMsnOyh4UuAmjI # e2IeVk8UJX+N/AclCAqnzXQRJqJ8mBZ0Knhg+jakOhtYMrKBKQJx/obujYIBWl3L # C6Dserq0uLrYUvkV9fNQyLV5qAWiwzLSTDpqH1Je8fpYOem4eTCXLqVlow9n2ryt # gZvgpD711/l9wHp4CCOCr3KbxEhLc3MIELWRiWyWCMTDGmzdeH5iEjsv098MFR1v # 9eRAYmZSqza72Nzg0QFl2RpN8nr1qOsYb3wM0bJCSgcUHZrk3qHOf+DOQW+SOc9V # P1RCOfHIQwBZBtJsqEMH3znQErdAb4Bcz2ip7bq3ZDIJp+00HCMUHwgl7rTrpcNf # sHKjKiMhQZ2+iTMSO9Vah9jDM1up2pU9CLl2G42X1rTWLBIhkkIpDIdBI4Ogfnf+ # nDDzDZ0dHK0Hz8PdbgJn9K37NiPuN9h3dyaNNpMilxLD/QwboEtDcrM3/QEeI9q9 # zoASzSd3a1QLaY6pSN4wyQuFNg== # SIG # End signature block |