Framework/Helpers/IdentityHelpers.ps1
|
Set-StrictMode -Version Latest class IdentityHelpers { static hidden [bool] $hasGraphAccess = $false static hidden [string] $graphAccessToken = $null static hidden [string] $ALTControlEvaluationMethod static hidden [bool] $hasSIPAccess = $false static hidden [string] $dataExplorerAccessToken = $null hidden static [bool] IsAltAccount($SignInName, $graphToken) { $isAltAccount = $false $headers = @{"Authorization"= ("Bearer " + $graphToken); "Content-Type"="application/json"} $uri="" $graphURI = [WebRequestHelper]::GetGraphUrl() if (-not [string]::IsNullOrWhiteSpace($SignInName)) { $uri = [string]::Format('{0}/v1.0/users/{1}?$select=onPremisesExtensionAttributes', $graphURI, $SignInName) } else { return $false } try { $responseObj = [WebRequestHelper]::InvokeGetWebRequest($uri, $headers); if ($null -ne $responseObj -and ($responseObj | Measure-Object).Count -gt 0) { # extensionAttribute contains 15 different values which define unique properties for users. $extensionAttributes = $responseObj.onPremisesExtensionAttributes #"extensionAttribute2" contains the integer values which represents the different types of users. #"extensionAttribute2: -10" => SC-ALT Accounts if($extensionAttributes.extensionAttribute2 -eq "-10") { $isAltAccount = $true } } } catch { return $false; } return $isAltAccount } hidden static [bool] IsServiceAccount($SignInName, $subjectKind, $graphToken) { $isServiceAccount = $false $headers = @{"Authorization"= ("Bearer " + $graphToken); "Content-Type"="application/json"} $uri="" $graphURI = [WebRequestHelper]::GetGraphUrl() if($subjectKind -eq "User") { if (-not [string]::IsNullOrWhiteSpace($SignInName)) { $uri = [string]::Format('{0}/v1.0/users/{1}?$select=onPremisesImmutableId,onPremisesExtensionAttributes', $graphURI, $SignInName) } else { return $false } } else { return $false } try { $responseObj = [WebRequestHelper]::InvokeGetWebRequest($uri, $headers); if ($null -ne $responseObj -and ($responseObj | Measure-Object).Count -gt 0) { # extensionAttribute contains 15 different values which define unique properties for users. $extensionAttributes = $responseObj.onPremisesExtensionAttributes #"extensionAttribute2" contains the integer values which represents the different types of users. #"extensionAttribute2: -9" => Service Accounts if($extensionAttributes.extensionAttribute2 -eq "-9") { $isServiceAccount = $true } } } catch { return $false; } return $isServiceAccount } hidden static [bool] IsADObjectGUID($immutableId){ try { $decodedII = [system.convert]::frombase64string($immutableId) $guid = [GUID]$decodedII } catch { return $false } return $true } static CheckGraphAccess() { # In CA mode, we use azure context to fetch the graph access token, because VSTS authentication is not supported in CA. $useAzContext = $false $scanSource = [AzSKSettings]::GetInstance().GetScanSource(); if ($scanSource -eq 'CICD') { [IdentityHelpers]::hasGraphAccess = $false } else { if ($scanSource -eq "CA") { $useAzContext = $true } $graphUri = [WebRequestHelper]::GetGraphUrl() $uri = $GraphUri + "/v1.0/users?`$top=1" [IdentityHelpers]::graphAccessToken = [ContextHelper]::GetGraphAccessToken($useAzContext) if (-not [string]::IsNullOrWhiteSpace([IdentityHelpers]::graphAccessToken)) { $header = @{ "Authorization"= ("Bearer " + [IdentityHelpers]::graphAccessToken); "Content-Type"="application/json" }; try { $webResponse = [WebRequestHelper]::InvokeGetWebRequest($uri, $header); [IdentityHelpers]::hasGraphAccess = $true; } catch { [IdentityHelpers]::hasGraphAccess = $false; } } } } static CheckSIPAccess() { # In CA mode, we use azure context to fetch the data explorer access token, because VSTS authentication is not supported in CA. $useAzContext = $false $scanSource = [AzSKSettings]::GetInstance().GetScanSource(); if ($scanSource -eq 'CICD') { [IdentityHelpers]::hasSIPAccess = $false } else { if ($scanSource -eq "CA") { $useAzContext = $true } [IdentityHelpers]::dataExplorerAccessToken = [ContextHelper]::GetDataExplorerAccessToken($useAzContext) if (-not [string]::IsNullOrWhiteSpace([IdentityHelpers]::dataExplorerAccessToken)) { $header = @{ "Authorization" = "Bearer " + [IdentityHelpers]::dataExplorerAccessToken } $apiURL = "https://dsresip.kusto.windows.net/v2/rest/query" # making a samlple api call, just to check if user has access to required SIP database. $inputbody = "{`"db`": `"AADUsersData`",`"csl`": `"UsersInfo | take 1`"}" try { $kustoResponse = Invoke-RestMethod -Uri $apiURL -Method Post -ContentType "application/json; charset=utf-8" -Headers $header -Body $inputbody; [IdentityHelpers]::hasSIPAccess = $true; } catch { [IdentityHelpers]::hasSIPAccess = $false; } } } } #This method differentiate human accounts and service account from the list. hidden static [PSObject] DistinguishHumanAndServiceAccount([PSObject] $allMembers, $orgName) { $humanAccount = @(); $serviceAccount = @(); $defaultSvcAcc = @(); #"Account Service ($orgName)" # This is default service account automatically added by ADO. $allMembers | ForEach-Object{ if (-not [string]::IsNullOrEmpty($_.mailAddress)) { $isServiceAccount = [IdentityHelpers]::IsServiceAccount($_.mailAddress, $_.subjectKind, [IdentityHelpers]::graphAccessToken) if ($isServiceAccount) { $serviceAccount += $_ } else { $humanAccount += $_ } } else { $defaultSvcAcc += $_ } } if ($null -ne $defaultSvcAcc -and $defaultSvcAcc.Count -gt 0) { $serviceAccount += $defaultSvcAcc } $adminMembers = @{serviceAccount = $serviceAccount; humanAccount = $humanAccount;}; return $adminMembers } #This method differentiate alt accounts and non-alt account from the list. hidden static [PSObject] DistinguishAltAndNonAltAccount([PSObject] $allMembers) { $altAccount = @(); $nonAltAccount = @(); $allMembers | ForEach-Object{ $isAltAccount = [IdentityHelpers]::IsAltAccount($_.mailAddress, [IdentityHelpers]::graphAccessToken) if ($isAltAccount) { $altAccount += $_ } else { $nonAltAccount += $_ } } $adminMembers = @{altAccount = $altAccount; nonAltAccount = $nonAltAccount;}; return $adminMembers } } # SIG # Begin signature block # MIInvAYJKoZIhvcNAQcCoIInrTCCJ6kCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB+NUGMm2P8+7Hi # yV5tzl2NP9ASTF5pZAJjOfgM4C/fa6CCDYEwggX/MIID56ADAgECAhMzAAACUosz # qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I # sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O # L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA # v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o # RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8 # q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3 # uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp # kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7 # l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u # TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1 # o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti # yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z # 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf # 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK # WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW # esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F # 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIZkTCCGY0CAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN # BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgQhj/mVgR # Zq4R89NW5r2NcMFJ4ITWQqqgKxpr1qWu/NYwRAYKKwYBBAGCNwIBDDE2MDSgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g # MA0GCSqGSIb3DQEBAQUABIIBAE6f8vt13OvZfOc2Be/lXR8z1/vhuKRk4DZVcmp6 # oOuz4FqMlu4HLTqc80Zavbd5cu0d+o40eTY54FqOihAyRdvcCmd/1kbdQ4uzXSli # w014bFPdQiUHV3BteXeeWF2J1s6DYVT6NenqMP5S22XBFR+YaGzniwEwu/YonfzP # vni6htHuZvZ/wZvwh71jpOrM8ckMYLb+lo9KGrhono+HF5VRsRVTSaXxaoMUsTr4 # RlXTATAunBh4PZzKmN4TH0pZksYx+rFXnX5B9zPDPB4cSNAur3S/686WdWl+/AHU # hosYtaibWiTHJ0XHtBPwtsfBo1KvE3m4MX8suTMddbdpgbuhghcZMIIXFQYKKwYB # BAGCNwMDATGCFwUwghcBBgkqhkiG9w0BBwKgghbyMIIW7gIBAzEPMA0GCWCGSAFl # AwQCAQUAMIIBWQYLKoZIhvcNAQkQAQSgggFIBIIBRDCCAUACAQEGCisGAQQBhFkK # AwEwMTANBglghkgBZQMEAgEFAAQgaWLsh5kQNMl4rKOBEf3YsakqDcBLfi/0WotN # MANZUGECBmH9VmaVkBgTMjAyMjAyMTUwNjQzNTYuOTEzWjAEgAIB9KCB2KSB1TCB # 0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMk # TWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1U # aGFsZXMgVFNTIEVTTjpEMDgyLTRCRkQtRUVCQTElMCMGA1UEAxMcTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgU2VydmljZaCCEWgwggcUMIIE/KADAgECAhMzAAABj/NRqOta # ct3MAAEAAAGPMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv # ZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBD # QSAyMDEwMB4XDTIxMTAyODE5Mjc0NloXDTIzMDEyNjE5Mjc0NlowgdIxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29m # dCBJcmVsYW5kIE9wZXJhdGlvbnMgTGltaXRlZDEmMCQGA1UECxMdVGhhbGVzIFRT # UyBFU046RDA4Mi00QkZELUVFQkExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZVz7+ # tc8XHoWTj4Kkuu5sOstNrdC4AdFVe7L7OzFfCSiCRPRr5da4FpvAfKqPxFGJlBC9 # 29s6rk1ETE54eJoK2RSxDTYRIB70LP6WgE22x8Krzjq7ei1YcImWqS8OtKvuYwGr # BxFjtx+EAZ8u+WkxKiOgCeTtF6P6NwmdjEh43fgXeH0nAA1jfrSgZgIhLuks6ixZ # X5vG6D26JNlgT9dyXJg0Xpd3Nn/MP/hTmnFPgxlCbMEa8Oz7xwN0D+y1l+P+vL6L # RdRg0U+G6pz5QqTCb9c0cH4IOwZCX5lLQZxtRS6fhU9OEcmbqZEDAvnLzOm1YQih # xtN5FJOZmdRraJgfYQ4FXt4KPHRJ1vqQtzXF0VFyQN5AZHgnXIXLJu5mxQ/zHR06 # wQSgtC46G4qUMtASDsPpnGZkmdLwHTd7CT9KlUuqxvrpTarIXgHAO3W5mSMRnt+K # cihSBLPgHt9Ytgh47Y4JjEgTRe/CxWin0+9NdNm0Y/POYdTvncZqsrK4zqhr+ppP # Ni+sB9RvspiG9VArEZQ+Qv354qIzsbSp6ckIWtfNk/BFahxwBHfc+E0S67PMpkUn # gN5pMIuD/y4rRDhCMVF5/mfgf7YpAgSJtnvMh4FfeOCysgJvPNKbRBfdJFWZkf/8 # CqnxjGTBygjVYIGLO/zjP16rBEF1Dgdhw1tAwwIDAQABo4IBNjCCATIwHQYDVR0O # BBYEFPMG5nRrrknO4qHOhZvbl/s3I3G8MB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl # 0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy # MDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93 # d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1T # dGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAww # CgYIKwYBBQUHAwgwDQYJKoZIhvcNAQELBQADggIBAM1/06j3PKELmfWMLyJTs0lj # f0WLOOHFnAlslj9i3CfremUyVNJoGl6tqfnrp+5GiMYlK/cTBmz5Gu45TZP9lEPH # hUd6wse1yUTwaYwzWpMxpk8vwjYWtGZ/k6ingapzE100QIEKVVmafQrMV08ypFrn # /RHoKaComHSa68iaKSAe5u+iGxq88TLIdBr3gcPj8s0p39ghoIoo/P1IDl8BrimF # DgS/PZq5j1JSW4h3kwr0flyNZXAHEK9gAP7UJb3PsayEmU2OoG9a0o7onQB6Z+Dr # PbyDupzsb+0K2uUfj/LbvL6y27BZc2/B2xJ3WW8HgzrcC4yX1inpq79cWScbMk8X # qf+5ZHomFC/OHjQguB5OEuZiF/zP5oNvivY4EsbU/YHpoJNbZhCS3tOlSfMjRwoa # vbXcJsq0aT844gdKwM7FqyZ4Yn4WJQkKJXXnCHdplP9VP8+Qv0TiEMEDAa3j0bzy # BII7TH2N90NlZ1YZsQteVKYDcQ/h5NirtGuiVjTgbx8a0XSnO5m7jcDb3Noj2Uiv # m6UpHPwShAdTpy7Q/FTDQH0fxwCS9DFoy6ZFn/h8Juo1vhNw+Q9xY4jbhBiW+lu1 # P2nfV+VgSWZznCMamUCTL+eQlxPQdkQ1d6fFa0++3iByiqml4k8DdL/UPnsovfrr # t6kivTJXb3QTai1lsBbwMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAAAAAA # FTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0 # aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNy # b3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQADggIP # ADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9s # SuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3 # po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2rrPY2 # vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k45GP # sjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSueik3 # rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09/SDP # c31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR6L8F # A6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q # 6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaDIV1f # MHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMURHXLv # jflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMBAAGj # ggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ # ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIw # XAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMG # A1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsG # A1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJc # YmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9z # b2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIz # LmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0 # MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5H # ZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2 # HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVtI1TkeFN1 # JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kpicO8 # F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKpW99J # o3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrYUP4K # WN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QBjloZ # kWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkBRH58 # oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w # /ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+ # 7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1VM1iz # oXBm8qGCAtcwggJAAgEBMIIBAKGB2KSB1TCB0jELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxhbmQgT3Bl # cmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpEMDgyLTRC # RkQtRUVCQTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaIj # CgEBMAcGBSsOAwIaAxUAPk0vggR250gHB0agJpXRYFtBmmqggYMwgYCkfjB8MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNy # b3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIFAOW1rBAw # IhgPMjAyMjAyMTUxMjM1MjhaGA8yMDIyMDIxNjEyMzUyOFowdzA9BgorBgEEAYRZ # CgQBMS8wLTAKAgUA5bWsEAIBADAKAgEAAgIKHwIB/zAHAgEAAgIRSTAKAgUA5bb9 # kAIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6Eg # oQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBABbsRXkKYNwDUD0MdQZeol6T # hqQmBDzlXhQnNYUds/DT2BNiDmeaMs0xcEdPyQCvtytrmXnngKhJI4o+vANJXS/a # 7rSHBaSQ6rROfBoRDBv6V8YMwMEZ5vYXZVHH9VJBQYqmZBoz3hE0sbR7UphNdzZV # NseZvrwVpZV5MgxdiEdiMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgUENBIDIwMTACEzMAAAGP81Go61py3cwAAQAAAY8wDQYJYIZIAWUDBAIBBQCg # ggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg # iWbak0ksU+Rd19Mka72VXvKrdzCzbZHgVA3dHF9ABJMwgfoGCyqGSIb3DQEJEAIv # MYHqMIHnMIHkMIG9BCCXcgVP4sbGC5WOIqbbYi2Y7p0UNZbydKG7o7qDzIXHHzCB # mDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAk # BgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABj/NRqOta # ct3MAAEAAAGPMCIEIEVovGoO3hMtwk/Fq4VXrEIc5RMn1YsNS4nhJVGg/PXSMA0G # CSqGSIb3DQEBCwUABIICAFWkY4nTwWF5Oq3pnhtk+Vuwch53BBWxERO6nH0zYhMR # awlqJP7KuhKmg4kQusUsMcWRT2bZnkpr/Tf0eh7JQ3671k5Hrz/7H3zgXYmG++Zg # F4dMHFREcu0i2uDJLnXikBznFHBhJ6mqF193Ze10bkorEyPqZh7gSzeE3z/GjFkc # 5zMKwixtSAGfvsQ0WlnvP5Jmxrt/PKKqZNH7RzJQQqLP4nIdkATqpfuEzs6sVRbh # +WVvLjYg5L70/szaLoYJtUr5clGkgC/bm/HQINLZ9MmXWajj+7pejuXGE06jeb+1 # zJfEV+9YGTlKoO4Rsq3tBrExI2HwfrCQLO4aa+v5TjyEoLW1p/7XFO2DlfsNllaC # RHpcosDQMzh3IMlAhEIECQ4NxSzvKeVsG9gQOfyj1UYTK57dNpPzLePTAbdZ6P7e # 1+PQjikWDn/8vYKsIh/8GFqQj7sPa9Cda80P1N/FY1poCTQ4GXLCwrza4cP7s+gK # 5THDzSlns1e1DfCjk6SQmwLmvLMB3ylE11R+8umQLgJ6z/9gk3HL14aT6pXaWopQ # V754zwrHMvnQRjJM+vhiCrVwAwnXRGtJmW5bLK+/H1eqEDTQUqysGt24BW0j5aBO # hpkq3PICa2F7vTwxYodaJtyOiLjtHa4asqQSAeUH0plNSzw1/BkA+/tRyZ0TSAB1 # SIG # End signature block |