Framework/BugLog/BugMetaInfoProvider.ps1
|
Set-StrictMode -Version Latest class BugMetaInfoProvider { hidden [PSObject] $ControlSettingsBugLog hidden [string] $ServiceId hidden static [PSObject] $ServiceTreeInfo hidden [PSObject] $InvocationContext hidden [bool] $BugLogUsingCSV = $false; hidden [string] $STMappingFilePath = $null hidden static $OrgMappingObj = @{} hidden static [PSObject] $emailRegEx hidden static $AssigneeForUnmappedResources = @{} hidden static [string] $GetAssigneeUsingFallbackMethod = $false BugMetaInfoProvider() { if ($null -eq [BugMetaInfoProvider]::emailRegEx) { $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); [BugMetaInfoProvider]::emailRegEx = $ControlSettings.Patterns | where {$_.RegexCode -eq "Email"} | Select-Object -Property RegexList; [BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod = $ControlSettings.BugLogging.GetAssigneeUsingFallbackMethod } } BugMetaInfoProvider($bugLogUsingCSV, $stMappingFilePath) { $this.BugLogUsingCSV = $bugLogUsingCSV; $this.STMappingFilePath = $stMappingFilePath; } hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $controlSettingsBugLog, $isBugLogCustomFlow, $serviceIdPassedInCMD, $invocationContext) { $this.ControlSettingsBugLog = $controlSettingsBugLog; #flag to check if pluggable bug logging interface (service tree) if ($isBugLogCustomFlow) { $this.InvocationContext = $invocationContext; return $this.BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD) } else { return $this.GetAssigneeFallback($ControlResult); } } hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $invocationContext) { $this.InvocationContext = $invocationContext; return $this.BugLogCustomFlow($ControlResult, "") } hidden [string] BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD) { $resourceType = $ControlResult.ResourceContext.ResourceTypeName $projectName = $ControlResult[0].ResourceContext.ResourceGroupName; $assignee = ""; try { #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA #PA members can fix the control if($ResourceType -eq 'Organization' -or $ResourceType -eq 'Project') { $assignee = [ContextHelper]::GetCurrentSessionUser(); } else { $rscId = ($ControlResult.ResourceContext.ResourceId -split "$resourceType/")[-1]; $assignee = $this.CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD); if (!$assignee -and (!$this.BugLogUsingCSV)) { $assignee = $this.GetAssigneeFallback($ControlResult) } } } catch { return ""; } return $assignee; } hidden [string] CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD) { $metaInfo = [MetaInfoProvider]::Instance; $assignee = ""; try { #If serviceid based scan then get servicetreeinfo details only once. #First condition if not serviceid based scan then go inside every time. #Second condition if serviceid based scan and [BugMetaInfoProvider]::ServiceTreeInfo not null then only go inside. if (!$serviceIdPassedInCMD -or ($serviceIdPassedInCMD -and ![BugMetaInfoProvider]::ServiceTreeInfo)) { [BugMetaInfoProvider]::ServiceTreeInfo = $metaInfo.FetchResourceMappingWithServiceData($rscId, $projectName, $resourceType, $this.STMappingFilePath); } if([BugMetaInfoProvider]::ServiceTreeInfo) { #Filter based on area path match project name and take first items (if duplicate service tree entry found). #Split areapath to match with projectname if (!$this.BugLogUsingCSV) { [BugMetaInfoProvider]::ServiceTreeInfo = ([BugMetaInfoProvider]::ServiceTreeInfo | Where {($_.areaPath).Split('\')[0] -eq $projectName})[0] } $this.ServiceId = [BugMetaInfoProvider]::ServiceTreeInfo.serviceId; #Check if area path is not supplied in command parameter then only set from service tree. if (!$this.InvocationContext.BoundParameters["AreaPath"]) { [BugLogPathManager]::AreaPath = [BugMetaInfoProvider]::ServiceTreeInfo.areaPath.Replace("\", "\\"); } $domainNameForAssignee = "" if([Helpers]::CheckMember($this.ControlSettingsBugLog, "DomainName")) { $domainNameForAssignee = $this.ControlSettingsBugLog.DomainName; } elseif ($this.BugLogUsingCSV) { $domainNameForAssignee = "microsoft.com"; } $assignee = [BugMetaInfoProvider]::ServiceTreeInfo.devOwner.Split(";")[0] + "@"+ $domainNameForAssignee } } catch { Write-Host "Could not find service tree data file." -ForegroundColor Yellow } return $assignee; } hidden [string] GetAssigneeFallback([SVTEventContext[]] $ControlResult) { if ($ControlResult.ResourceContext.ResourceId -in [BugMetaInfoProvider]::AssigneeForUnmappedResources.Keys ) { return [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] } $ResourceType = $ControlResult.ResourceContext.ResourceTypeName $ResourceName = $ControlResult.ResourceContext.ResourceName $organizationName = $ControlResult.OrganizationContext.OrganizationName; $eventBaseObj = [EventBase]::new() switch -regex ($ResourceType) { #assign to the creator of service connection 'ServiceConnection' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $apiURL = "https://dev.azure.com/{0}/{1}/_apis/serviceendpoint/{2}/executionhistory?top=1&api-version=6.0-preview.1" -f $organizationName, $($ControlResult.ResourceContext.ResourceGroupName), $($ControlResult.ResourceContext.ResourceDetails.id); $executionHistory = [WebRequestHelper]::InvokeGetWebRequest($apiURL); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($executionHistory, "data") ) -and (($executionHistory.data | Measure-Object).Count -gt 0) ) { $pipelineType = $executionHistory.data[0].planType $pipelineId = $executionHistory.data[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with service connection, then fecth assignee from permissions else { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.serviceendpointrole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the creator of agent pool 'AgentPool' { $apiurl = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $organizationName, $ResourceName try { $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2 " -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($agentPool[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider", "jobs")) ) { $pipelineType = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].planType $pipelineId = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with agentpool, then fecth assignee from permissions else { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the creator of variable group 'VariableGroup' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName } } if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/{1}%24{2}?api-version=6.1-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person who recently triggered the build pipeline, or if the pipeline is empty assign it to the creator 'Build' { $definitionId = $ControlResult.ResourceContext.ResourceDetails.id; try { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId) } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person who recently triggered the release pipeline, or if the pipeline is empty assign it to the creator 'Release' { $definitionId = ($ControlResult.ResourceContext.ResourceId -split "release/")[-1]; try { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId) } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Repository' { try { $assignee = "" $url = 'https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/commits?searchCriteria.$top=1&api-version=6.0' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id; $repoLatestCommit = @([WebRequestHelper]::InvokeGetWebRequest($url)); if ($repoLatestCommit.count -gt 0 -and [Helpers]::CheckMember($repoLatestCommit[0],"author")) { $assignee = $repoLatestCommit[0].author.email; } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { #getting assignee from the repository permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { try{ $accessList = @() $url = 'https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1' -f $organizationName; $refererUrl = "https://dev.azure.com/{0}/{1}/_settings/repositories?repo={2}&_a=permissionsMid" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id $inputbody = '{"contributionIds":["ms.vss-admin-web.security-view-members-data-provider"],"dataProviderContext":{"properties":{"permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $inputbody.dataProviderContext.properties.sourcePage.url = $refererUrl $inputbody.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName; $inputbody.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)" $responseObj = [WebRequestHelper]::InvokePostWebRequest($url, $inputbody); # Iterate through each user/group to fetch detailed permissions list if([Helpers]::CheckMember($responseObj[0],"dataProviders") -and ($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider') -and ([Helpers]::CheckMember($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider',"identities"))) { $body = '{"contributionIds":["ms.vss-admin-web.security-view-permissions-data-provider"],"dataProviderContext":{"properties":{"subjectDescriptor":"","permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","accountName":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $body.dataProviderContext.properties.sourcePage.url = $refererUrl $body.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName; $body.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)" $accessList += $responseObj.dataProviders."ms.vss-admin-web.security-view-members-data-provider".identities | Where-Object { ($_.subjectKind -eq "user") -and (-not [string]::IsNullOrEmpty($_.mailAddress))} | ForEach-Object { $identity = $_ $body.dataProviderContext.properties.subjectDescriptor = $_.descriptor $identityPermissions = [WebRequestHelper]::InvokePostWebRequest($url, $body); $configuredPermissions = @($identityPermissions.dataproviders."ms.vss-admin-web.security-view-permissions-data-provider".subjectPermissions | Where-Object {$_.permissionDisplayString -ne 'Not set'}) if ($configuredPermissions.Count -ge 12) { return $identity } } if ($accessList.Count -gt 0) { $assignee = $accessList[0].mailAddress } } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'SecureFile' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName } } # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.securefile/roleassignments/resources/{1}%24{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Feed' { try { $assignee = "" if ("Project" -notin $ControlResult.ResourceContext.ResourceDetails.PSobject.Properties.name){ $url = 'https://{0}.feeds.visualstudio.com/_apis/Packaging/Feeds/{1}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceDetails.Id; } else { $url = 'https://{0}.feeds.visualstudio.com/{1}/_apis/Packaging/Feeds/{2}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id; } $feedPermissionList = @([WebRequestHelper]::InvokeGetWebRequest($url)); if ($feedPermissionList.count -gt 0 -and [Helpers]::CheckMember($feedPermissionList[0],"identityDescriptor")) { $roles = $feedPermissionList | Where {$_.role -eq 'Administrator'} if ($roles.count -ge 1) { $resourceOwners = @($roles.identityDescriptor.Split('\') | Where {$_ -match [BugMetaInfoProvider]::emailRegEx.RegexList[0]}) if ($resourceOwners.count -ge 1) { $allAssignee = $resourceOwners | Select-Object @{l="mailaddress";e={$_}}, @{l="subjectKind";e={"User"}} $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Environment' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "lastModifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.lastModifiedBy.uniqueName } } # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://dev.azure.com/{0}/{1}/_environments/{2}?view=resources&__rt=fps&__ver=2" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $envDetails = [WebRequestHelper]::InvokeGetWebRequest($url); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($envDetails[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider", "deploymentExecutionRecords")) ) { $pipelineType = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].planType $pipelineId = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with agentpool, then fecth assignee from permissions else { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/{1}_{2}?api-version=5.0-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA #PA members can fix the control 'Organization' { return [ContextHelper]::GetCurrentSessionUser(); } 'Project' { return [ContextHelper]::GetCurrentSessionUser(); } } return ""; } hidden [string] GetAssigneeFromOrgMapping($organizationName){ $assignee = $null; if([BugMetaInfoProvider]::OrgMappingObj.ContainsKey($organizationName)){ return [BugMetaInfoProvider]::OrgMappingObj[$organizationName] } $orgMapping = Get-Content "$($this.STMappingFilePath)\OrgSTData.csv" | ConvertFrom-Csv $orgOwnerDetails = @($orgMapping | where {$_."ADO Org Name" -eq $organizationName}) if($orgOwnerDetails.Count -gt 0){ $assignee = $orgOwnerDetails[0]."OwnerAlias" [BugMetaInfoProvider]::OrgMappingObj[$organizationName] = $assignee } return $assignee; } hidden [string] FetchAssigneeFromBuild($organizationName, $projectName, $definitionId) { $assignee = ""; try { $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/builds?definitions={2}&api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) #check for recent trigger if ([Helpers]::CheckMember($response, "requestedBy")) { $assignee = $response[0].requestedBy.uniqueName if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $assignee = $response[0].lastChangedBy.uniqueName } } #if no triggers found assign to the creator else { $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}?api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.authoredBy.uniqueName } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, get assignee from the the build update history if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($url) if ([Helpers]::CheckMember($response, "changedBy")) { $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending) if ($response.count -gt 0) { $allAssignee = @() $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } } catch { } return $assignee; } hidden [string] FetchAssigneeFromRelease($organizationName, $projectName, $definitionId) { $assignee = ""; try { $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/releases?definitionId={2}&api-version=6.0" -f $organizationName, $projectName , $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) #check for recent trigger if ([Helpers]::CheckMember($response, "modifiedBy")) { $assignee = $response[0].modifiedBy.uniqueName } #if no triggers found assign to the creator else { $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions/{2}?&api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.createdBy.uniqueName } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, get assignee from the the release update history if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://{0}.vsrm.visualstudio.com/{1}/_apis/Release/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($url) if ([Helpers]::CheckMember($response, "changedBy")) { $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending) if ($response.count -gt 0) { $allAssignee = @() $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } } catch { } return $assignee; } hidden [string] getUserFromUserId($organizationName, $userId) { try { # User descriptor is base 64 encoding of user id # $url = "https://vssps.dev.azure.com/{0}/_apis/graph/descriptors/{1}?api-version=6.0-preview.1" -f $organizationName, $userId # $userDescriptor = [WebRequestHelper]::InvokeGetWebRequest($url); $userDescriptor = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($userId)) $userProfileURL = "https://vssps.dev.azure.com/{0}/_apis/graph/users/aad.{1}?api-version=6.0-preview.1" -f $organizationName, $userDescriptor $userProfile = [WebRequestHelper]::InvokeGetWebRequest($userProfileURL) return $userProfile[0].mailAddress } catch { return "" } } #method to obtain sign in ID of TF scoped identities hidden [string] GetAssigneeFromTFScopedIdentity($identity,$organizationName){ $assignee = $null; #TF scoped identities with alternate email address will be in the format: a.b@microsoft.com if($identity -like "*.*@microsoft.com"){ #check for the correct identitity corresponding to this email $url="https://dev.azure.com/{0}/_apis/IdentityPicker/Identities?api-version=7.1-preview.1" -f $organizationName $body = "{'query':'{0}','identityTypes':['user'],'operationScopes':['ims','source'],'properties':['DisplayName','Active','SignInAddress'],'filterByEntityIds':[],'options':{'MinResults':40,'MaxResults':40}}" | ConvertFrom-Json $body.query = $identity try{ $responseObj = [WebRequestHelper]::InvokePostWebRequest($url,$body) #if any user has been found, assign this bug to the sign in address of the user if($responseObj.results[0].identities.count -gt 0){ $assignee = $responseObj.results[0].identities[0].signInAddress } } catch{ return $assignee; } } else{ return $assignee; } return $assignee; } } # SIG # Begin signature block # MIInoAYJKoZIhvcNAQcCoIInkTCCJ40CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBWAUGlHXZBQcgZ # Ut2uN6pVQxEeJhoERPCR2O1o1KPJfKCCDYEwggX/MIID56ADAgECAhMzAAACUosz # qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I # sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O # L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA # v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o # RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8 # q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3 # uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp # kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7 # l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u # TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1 # o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti # yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z # 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf # 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK # WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW # esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F # 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIZdTCCGXECAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN # BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgWjJYBTM5 # T9xUseMVzivQzFlsQalx6W53k1GrNVANrI4wRAYKKwYBBAGCNwIBDDE2MDSgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g # MA0GCSqGSIb3DQEBAQUABIIBAIa9YvlnK2IcNNRMXk+76oVYhMMvvdOyono8w8Fm # MeWKtsS5OZW1yxzy9EMK/6Uq7jG4YJoXjftCMAQLbYtPcEXkNJfmMe8CsWwTSlNI # QfKbyMB1N/9XWMndrykoNhkksjZuNDw0cmCbf7WH3eDjLlE04s2AJ8rKkioPpYzB # RQvjrbfYRFSazhK9RZcy3DnuiJN3MRckIw0/j6HLD+tLbuzsWoIfQc+MmTYZe2FB # i0tRMuhKDRwPMGvCGS4sGiNqZPdqPr1NuI5bY6h0Fu7iXatkittHTlMZRyI53RYW # /OwkdmDR9dqs8bqzRCJpTg5kjVaC5qHoSy2InvVSIj8vYdOhghb9MIIW+QYKKwYB # BAGCNwMDATGCFukwghblBgkqhkiG9w0BBwKgghbWMIIW0gIBAzEPMA0GCWCGSAFl # AwQCAQUAMIIBUQYLKoZIhvcNAQkQAQSgggFABIIBPDCCATgCAQEGCisGAQQBhFkK # AwEwMTANBglghkgBZQMEAgEFAAQgJD4scsy6BtTpX88jtazN4l0iWaFUvyTPt/cc # 4kqNoHgCBmH64OWV+hgTMjAyMjAyMTQwOTU4MDEuNzg3WjAEgAIB9KCB0KSBzTCB # yjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMc # TWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRT # UyBFU046QUUyQy1FMzJCLTFBRkMxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFNlcnZpY2WgghFUMIIHDDCCBPSgAwIBAgITMwAAAZZJW2LhL933TwABAAAB # ljANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAe # Fw0yMTEyMDIxOTA1MTNaFw0yMzAyMjgxOTA1MTNaMIHKMQswCQYDVQQGEwJVUzET # MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV # TWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmlj # YSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpBRTJDLUUzMkIt # MUFGQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCAiIw # DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANIfbBALb63+PMDqMvotkyEM0kbS # e/VxSp74fgwYrISBFlTCnViweXUhMbKLwr2uQ9EoooCLSVPyDRvUYiKmRZzyoK0T # fCJvGg1HiYLKu+ASxe62dvEjWhvHxwx9rZeByEb9cEZlwW0Z3RRC9eTFRi+iR8bV # PIEyqchm9DYu1yYaPzqVo9E25Gh2QQztVVQ7agxIcltpM2PVvaQALyyqXK0fXOZ+ # tClMDetk7ISbLBPjcNF+w2VeaQ0oyJbsFp82cdksYcZpymKYTh2gMy6vfKIf+oIL # HY87ikiqQDpYsZI3zKFhq9xBlEVW2yX/H8iK4vR/E8alCZFzzibjXJq6dy942H/n # /Xgyqxnu6BjWLHx+Q5iAkGUuyzybI+FowDqpwQH9FZapwJ+HIBE2MJyYE0Y1d4yA # rJn/57dsI6VeZZ4O1UkMuY63MQMEuaSDb962ndP2E5f4uh1jB0GRjaegIMTM9ZVr # zfgCaQm9HrKcR4EaPqi5aJ+lfFqhsF1qxvT6v/15iv5PTTKssWfXqutNQudXORbu # UvJdYSi6y/Nie6Xcc8JCihBLgtjUcEpPJNJ+0ZfnpmA7PtGT56y9tyv42Mu8EHLt # d6iaCS7DUX9Su7uVn0BH4RBumDam8IdJqsxBAdt/UZc+GUNMfCR6yRGLPmM+NOvV # bP9/70JnHmi+1MXRAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0t8I2SwuZa0gYSyJ # i4QqmtHNdLIwHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYDVR0f # BFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwv # TWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwGCCsG # AQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAx # MCgxKS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDANBgkq # hkiG9w0BAQsFAAOCAgEAr2ALELghVtgpVAEc/nO0lz+R+BK5twvmFNF5UTW7BJUq # n3ZJ938gi8WAZBzBWUBlzwO5s6FOyGVHZ9IV8rr6xTOgw65/0i0oXubfjz5Klnjn # mIhMPJOASOpeFOZNO8F/IQcDqDEcbNWjnvyTZCxzupK5eY+vxmR65E0c07EVFCad # RaZ1M4sYmVsmr3NMf4phuclna0rnHBPZ3aKu0G7tT8Wu7MLFJuczTTLp2lhlwxQJ # 0u7PEcSdfz96k7WdCWulROknqB6XY+/4T7iiS11fzPPRjRZ/B1A5lVufmCv/A8u8 # ihx4oknfroADfqVtzwOjmHpNK8ltUCs261uD/UlwJPlOX2l4wSaIrVvfPmREVl9/ # O1R72k1ieGKOQZpCdFNuwGpdoIIuY9T2Lg8Qdw7KHzPu3m3OM4CdBheLug0FtFeK # 3Pxds8rZdqw0H1BpT7TVMplGVW1iWxasOuI3vELAJzHhtSfKIcY2JXmt4iwMxsIp # nuHWzEshB6Dm1b8yDdHfQSfOMVXlyrxE9e+hoWPz0ukUyWYluTz4oWYfPBdyXnBL # 4ZXLfxW6UD7fpoQzgUAMqoyNbXQUJQRVV/OcVndSUZ1JLsarIV6hcHMSq/BohbG/ # QFe8u0099H5jE7N4Jp6IxULdzHQ+UNzP4AX9U3ZYcojzV04CYT+osmR38SmYtnMw # ggdxMIIFWaADAgECAhMzAAAAFcXna54Cm0mZAAAAAAAVMA0GCSqGSIb3DQEBCwUA # MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQD # EylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0y # MTA5MzAxODIyMjVaFw0zMDA5MzAxODMyMjVaMHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5OGmTOe0 # ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1V/YBf2xK4OK9uT4XYDP/XE/HZveV # U3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY6GB9alKDRLemjkZrBxTzxXb1hlDcwUTI # cVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmvHaus9ja+NSZk2pg7uhp7M62AW36M # EBydUv626GIl3GoPz130/o5Tz9bshVZN7928jaTjkY+yOSxRnOlwaQ3KNi1wjjHI # NSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3tpK56KTesy+uDRedGbsoy1cCGMFxP # LOJiss254o2I5JasAUq7vnGpF1tnYN74kpEeHT39IM9zfUGaRnXNxF803RKJ1v2l # IH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2K26oElHovwUDo9Fzpk03dJQcNIIP8BDy # t0cY7afomXw/TNuvXsLz1dhzPUNOwTM5TI4CvEJoLhDqhFFG4tG9ahhaYQFzymei # XtcodgLiMxhy16cg8ML6EgrXY28MyTZki1ugpoMhXV8wdJGUlNi5UPkLiWHzNgY1 # GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9QBXpsxREdcu+N+VLEhReTwDwV2xo3xwgV # GD94q0W29R6HXtqPnhZyacaue7e3PmriLq0CAwEAAaOCAd0wggHZMBIGCSsGAQQB # gjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFCqnUv5kxJq+gpE8RjUpzxD/LwTu # MB0GA1UdDgQWBBSfpxVdAF5iXYP05dJlpxtTNRnpcjBcBgNVHSAEVTBTMFEGDCsG # AQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wEwYDVR0lBAwwCgYIKwYBBQUH # AwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud # EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYD # VR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwv # cHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEB # BE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9j # ZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwDQYJKoZIhvcNAQELBQAD # ggIBAJ1VffwqreEsH2cBMSRb4Z5yS/ypb+pcFLY+TkdkeLEGk5c9MTO1OdfCcTY/ # 2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpTTd2YurYeeNg2LpypglYAA7AFvono # aeC6Ce5732pvvinLbtg/SHUB2RjebYIM9W0jVOR4U3UkV7ndn/OOPcbzaN9l9qRW # qveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3+SmJw7wXsFSFQrP8DJ6LGYnn8Atq # gcKBGUIZUnWKNsIdw2FzLixre24/LAl4FOmRsqlb30mjdAy87JGA0j3mSj5mO0+7 # hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSwethQ/gpY3UA8x1RtnWN0SCyxTkct # wRQEcb9k+SS+c23Kjgm9swFXSVRk2XPXfx5bRAGOWhmRaw2fpCjcZxkoJLo4S5pu # +yFUa2pFEUep8beuyOiJXk+d0tBMdrVXVAmxaQFEfnyhYWxz/gq77EFmPWn9y8FB # SX5+k77L+DvktxW/tM4+pTFRhLy/AsGConsXHRWJjXD+57XQKBqJC4822rpM+Zv/ # Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU5nR0W2rRnj7tfqAxM328y+l7vzhwRNGQ # 8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEGahC0HVUzWLOhcGbyoYICyzCCAjQCAQEw # gfihgdCkgc0wgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsT # HVRoYWxlcyBUU1MgRVNOOkFFMkMtRTMyQi0xQUZDMSUwIwYDVQQDExxNaWNyb3Nv # ZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQDQ+iaaVVlp24q0 # MeCHO0FkN+ZW/qCBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # MA0GCSqGSIb3DQEBBQUAAgUA5bSIRTAiGA8yMDIyMDIxNDE1NTAyOVoYDzIwMjIw # MjE1MTU1MDI5WjB0MDoGCisGAQQBhFkKBAExLDAqMAoCBQDltIhFAgEAMAcCAQAC # Ag1KMAcCAQACAhGsMAoCBQDltdnFAgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisG # AQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQAD # gYEAJ1SPUp38INS9DV+J3bzePmZjVkxtUjaDoj9GPCNE9aEBXl9BQrNNRP0gVF2r # Qfez9/Gwbq9ZHlQHSk/7XjMtlQgx6StMF6hlQiu5rKOFQindgRaNVOb5anYkvG4+ # 9bQkC3HsHigYX92R2fzKLVs+9+QPSsK82eycH/sx9pM+2YcxggQNMIIECQIBATCB # kzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAZZJW2LhL933TwAB # AAABljANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJ # EAEEMC8GCSqGSIb3DQEJBDEiBCD8lK+W3Nka2uQ5E221PP2kVlYfG+4j+kB7z0lQ # Buy0mTCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIHYE1gL4HTXTknZHLoJ+ # dnQkDwl+VlBDqwukcjctsr2QMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTACEzMAAAGWSVti4S/d908AAQAAAZYwIgQgFK8xHuKeJUV3LyetCXhm # Lv5RAznE+pppSVvqjvzufFwwDQYJKoZIhvcNAQELBQAEggIADAWseL6dFI3QkJIW # 91LVSXHSxoN/5/ghbGTqAxF9lLqSCNFRgMAt5wYAL0HbWOwRl3mxyxNSu4P/RZtj # Ztp5xvd4ehpZ1MPnTS1ZqhhiT5VF4fLe9N6AL5/Ot0Jp98/mGkF6ZRETd+lnNXXI # pxi6MksYQQBWWgHLCyq17UXhbAMfsetWQt2NERJbw+W3MOgbO6O3r84+R0GrgTxz # JRPwxYwxfQudmt55rU1hhmZpxAyfo5lwvFFaoKZQP3RpiWOI32JjdYnW8y9Yr/uF # YEc+Q2X4tdNKWyt9v+BpLNx8jicSBGYJN3/QRd4AXsWfqL2+2/4c0hMNMI+G85qh # n1M1WhA1NIc3SKkm0Oa03GL5RnMLPeKSHChmZmzXcFf8zfdSOX+2elzfsD0Nqm4l # zDFfaszjCkiNXesqsRji4gP0FUTokZBTAu25aGQqL2KR87/BVrMMQy0gbYkSBP+s # QgPCv/1P8vlNNBQhgCadbVsCsqMa9kpl13Ia44IPTJQPGOGm3J71f5dggBNr7I4W # Exx1ReAWAFz49T8ALv0sBkKhk/Mz5FoQ9W9U75NhqPYVdUyT9nL2rXFPEwHUYJS5 # Z7VvnKF2ibHHly0I7TRH3PaV0ROg3i+r1FhEePNHS5T9ZvLoLrJfVfQ4E6xju5cx # NAwA/eAioZ31sgyzwCbVkIabk8g= # SIG # End signature block |