Framework/Helpers/ContextHelper.ps1
|
<#
.Description # Context class for indenity details. # Provides functionality to login, create context, get token for api calls #> using namespace Microsoft.IdentityModel.Clients.ActiveDirectory class ContextHelper { static hidden [Context] $currentContext; #This will be used to carry current org under current context. static hidden [string] $orgName; hidden static [PSObject] GetCurrentContext() { return [ContextHelper]::GetCurrentContext($false); } hidden static [PSObject] GetCurrentContext([bool]$authNRefresh) { if( (-not [ContextHelper]::currentContext) -or $authNRefresh) { $clientId = [Constants]::DefaultClientId ; $replyUri = [Constants]::DefaultReplyUri; $adoResourceId = [Constants]::DefaultADOResourceId; [AuthenticationContext] $ctx = $null; $ctx = [AuthenticationContext]::new("https://login.windows.net/common"); [AuthenticationResult] $result = $null; $azSKUI = $null; if(-not [string]::IsNullOrWhiteSpace($env:RefreshToken) -and -not [string]::IsNullOrWhiteSpace($env:ClientSecret)) { # this if block will be executed for OAuth based scan $tokenInfo = [ContextHelper]::GetOAuthAccessToken() [ContextHelper]::ConvertToContextObject($tokenInfo) } else { if ( !$authNRefresh -and ($azSKUI = Get-Variable 'AzSKADOLoginUI' -Scope Global -ErrorAction 'Ignore')) { if ($azSKUI.Value -eq 1) { $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result; } else { $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result; } } else { $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result; } [ContextHelper]::ConvertToContextObject($result) } } return [ContextHelper]::currentContext } hidden static [PSObject] GetCurrentContext([System.Security.SecureString] $PATToken) { if(-not [ContextHelper]::currentContext) { [ContextHelper]::ConvertToContextObject($PATToken) } return [ContextHelper]::currentContext } hidden static [PSObject] GetOAuthAccessToken() { $tokenInfo = @{}; try{ $url = "https://app.vssps.visualstudio.com/oauth2/token" # exchange refresh token with new access token $body = "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=$($env:ClientSecret)&grant_type=refresh_token&assertion=$($env:RefreshToken)&redirect_uri=https://localhost/" $res = Invoke-WebRequest -Uri $url -ContentType "application/x-www-form-urlencoded" -Method POST -Body $body $response = $res.Content | ConvertFrom-Json $tokenInfo['AccessToken'] = $response.access_token $expiry = $response.expires_in $request_time = get-date $tokenInfo['ExpiresOn'] = $request_time.AddSeconds($expiry) $refreshToken = ConvertTo-SecureString $response.refresh_token -AsPlainText -Force #Update refresh token if it is expiring in next 1 day $updateTokenInKV = $false $secretName = "RefreshTokenForADOScan" $tokenSecret = Get-AzKeyVaultSecret -VaultName $env:KeyVaultName -Name $secretName if (-not [string]::IsNullOrEmpty($tokenSecret) -and [Helpers]::CheckMember($tokenSecret,"Expires")) { if ($tokenSecret.Expires -le [DateTime]::Now.AddDays(1)) { $updateTokenInKV = $true } } else { $updateTokenInKV = $true } if ($updateTokenInKV -eq $true) { $RefreshTokenExpiresInDays = [Constants]::RefreshTokenExpiresInDays; $ExpiryDate = [DateTime]::Now.AddDays($RefreshTokenExpiresInDays) Set-AzKeyVaultSecret -VaultName $env:KeyVaultName -Name $secretName -SecretValue $refreshToken -Expires $ExpiryDate | out-null } } catch{ write-Host "Error fetching OAuth access token" Write-Host $_ return $null } return $tokenInfo } static [string] GetAccessToken([string] $resourceAppIdUri) { return [ContextHelper]::GetAccessToken() } static [string] GetAccessToken() { if([ContextHelper]::currentContext) { # Validate if token is PAT using lenght (PAT has lengh of 52), if PAT dont go to refresh login session. #TODO: Change code to find token type supplied PAT or login session token #if token expiry is within 2 min, refresh. if (([ContextHelper]::currentContext.AccessToken.length -ne 52) -and ([ContextHelper]::currentContext.TokenExpireTimeLocal -le [DateTime]::Now.AddMinutes(2))) { [ContextHelper]::GetCurrentContext($true); } return [ContextHelper]::currentContext.AccessToken } else { return $null } } static [string] GetAccessToken([string] $Uri, [string] $tenantId) { $rmContext = Get-AzContext if (-not $rmContext) { throw ([SuppressedException]::new(("No Azure login found"), [SuppressedExceptionType]::InvalidOperation)) } if ([string]::IsNullOrEmpty($tenantId) -and [Helpers]::CheckMember($rmContext,"Tenant")) { $tenantId = $rmContext.Tenant.Id } $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate( $rmContext.Account, $rmContext.Environment, $tenantId, [System.Security.SecureString] $null, "Never", $null, $Uri); if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken)))) { throw ([SuppressedException]::new(("Unable to get access token. Authentication Failed."), [SuppressedExceptionType]::Generic)) } return $authResult.AccessToken; } static [string] GetGraphAccessToken() { $accessToken = '' try { #getting azure context because graph access token requires azure environment details. $Context = @(Get-AzContext -ErrorAction SilentlyContinue ) if ($Context.count -eq 0) { Write-Host "Graph access is required to evaluate some controls. Attempting to acquire Graph token." -ForegroundColor Cyan Connect-AzAccount -ErrorAction Stop $Context = @(Get-AzContext -ErrorAction SilentlyContinue) } if ($null -eq $Context) { throw "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate." } else { $graphUri = "https://graph.microsoft.com" $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate( $Context.Account, $Context.Environment, $Context.Tenant.Id, [System.Security.SecureString] $null, "Never", $null, $graphUri); if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken)))) { throw ([SuppressedException]::new(("Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."), [SuppressedExceptionType]::Generic)) } $accessToken = $authResult.AccessToken; } } catch { Write-Host "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate." -ForegroundColor Red Write-Host "Continuing without graph access." -ForegroundColor Yellow return $null } return $accessToken; } hidden [OrganizationContext] SetContext([string] $organizationName) { if((-not [string]::IsNullOrEmpty($organizationName))) { $OrganizationContext = [OrganizationContext]@{ OrganizationId = $organizationName; Scope = "/Organization/$organizationName"; OrganizationName = $organizationName; }; # $organizationId contains the organization name (due to framework). [ContextHelper]::orgName = $organizationName; [ContextHelper]::GetCurrentContext() } else { throw [SuppressedException] ("OrganizationName name [$organizationName] is either malformed or incorrect.") } return $OrganizationContext; } hidden [OrganizationContext] SetContext([string] $organizationName, [System.Security.SecureString] $PATToken) { if((-not [string]::IsNullOrEmpty($organizationName))) { $OrganizationContext = [OrganizationContext]@{ OrganizationId = $organizationName; Scope = "/Organization/$organizationName"; OrganizationName = $organizationName; }; # $organizationId contains the organization name (due to framework). [ContextHelper]::orgName = $organizationName; [ContextHelper]::GetCurrentContext($PATToken) } else { throw [SuppressedException] ("OrganizationName name [$organizationName] is either malformed or incorrect.") } return $OrganizationContext; } static [void] ResetCurrentContext() { } hidden static ConvertToContextObject([PSObject] $context) { $contextObj = [Context]::new() # We do not get ADO organization id as part of current context. Hence appending org name to both id and name param. $contextObj.Organization = [Organization]::new() $contextObj.Organization.Id = [ContextHelper]::orgName $contextObj.Organization.Name = [ContextHelper]::orgName if(-not [string]::IsNullOrWhiteSpace($env:RefreshToken) -and -not [string]::IsNullOrWhiteSpace($env:ClientSecret)) { # this if block will be executed for OAuth based scan $contextObj.Account.Id = [ContextHelper]::GetOAuthUserIdentity($context.AccessToken, $contextObj.Organization.Name) $contextObj.AccessToken = $context.AccessToken $contextObj.TokenExpireTimeLocal = $context.ExpiresOn } else { $contextObj.Account.Id = $context.UserInfo.DisplayableId $contextObj.Tenant.Id = $context.TenantId $contextObj.AccessToken = $context.AccessToken $contextObj.TokenExpireTimeLocal = $context.ExpiresOn.LocalDateTime #$contextObj.AccessToken = ConvertTo-SecureString -String $context.AccessToken -asplaintext -Force } [ContextHelper]::currentContext = $contextObj } hidden static [string] GetOAuthUserIdentity($accessToken, $orgName) { $apiURL = "https://dev.azure.com/{0}/_apis/connectionData" -f $orgName $headers =@{ Authorization = "Bearer $accesstoken"; "Content-Type"="application/json" }; try{ $responseObj = Invoke-RestMethod -Method Get -Uri $apiURL -Headers $headers -UseBasicParsing $descriptor = $responseObj.authenticatedUser.descriptor $userId = ($descriptor -split '\\')[-1] return $userId } catch{ return "" } } hidden static ConvertToContextObject([System.Security.SecureString] $patToken) { $contextObj = [Context]::new() $contextObj.Account.Id = [string]::Empty $contextObj.Tenant.Id = [string]::Empty $contextObj.AccessToken = [System.Net.NetworkCredential]::new("", $patToken).Password # We do not get ADO organization Id as part of current context. Hence appending org name to both Id and Name param. $contextObj.Organization = [Organization]::new() $contextObj.Organization.Id = [ContextHelper]::orgName $contextObj.Organization.Name = [ContextHelper]::orgName #$contextObj.AccessToken = $patToken #$contextObj.AccessToken = ConvertTo-SecureString -String $context.AccessToken -asplaintext -Force [ContextHelper]::currentContext = $contextObj $apiURL = "https://dev.azure.com/{0}/_apis/connectionData" -f [ContextHelper]::orgName #Note: cannot use this WRH method below due to ordering constraints during load in Framework.ps1 #$header = [WebRequestHelper]::GetAuthHeaderFromUri($apiURL); $user = "" $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $contextObj.AccessToken))) $headers = @{ "Authorization"= ("Basic " + $base64AuthInfo); "Content-Type"="application/json" }; $responseObj = Invoke-RestMethod -Method Get -Uri $apiURL -Headers $headers -UseBasicParsing #If the token is valid, we get: "descriptor"="Microsoft.IdentityModel.Claims.ClaimsIdentity;72f988bf-86f1-41af-91ab-2d7cd011db47\xyz@microsoft.com" #Note that even for guest users, we get the host tenant (and not their native tenantId). E.g., "descriptor...;72f...47\pqr@live.com" #If the token is invalid, we get a diff object: "descriptor":"System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" $authNUserInfo = @(($responseObj.authenticatedUser.descriptor -split ';') -split '\\') #Check if the above split resulted in 3 elements (valid token case) if ($authNUserInfo.Count -eq 3) { $contextObj.Tenant.Id = $authNUserInfo[1] $contextObj.Account.Id = $authNUserInfo[2] } } static [string] GetCurrentSessionUser() { $context = [ContextHelper]::GetCurrentContext() if ($null -ne $context) { return $context.Account.Id } else { return "NO_ACTIVE_SESSION" } } } # SIG # Begin signature block # MIIjlAYJKoZIhvcNAQcCoIIjhTCCI4ECAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDRriUpD+Q9212p # 0NDdzHq3QTEGD7ND9cykUSNTwJvkpKCCDYEwggX/MIID56ADAgECAhMzAAAB32vw # LpKnSrTQAAAAAAHfMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjAxMjE1MjEzMTQ1WhcNMjExMjAyMjEzMTQ1WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQC2uxlZEACjqfHkuFyoCwfL25ofI9DZWKt4wEj3JBQ48GPt1UsDv834CcoUUPMn # s/6CtPoaQ4Thy/kbOOg/zJAnrJeiMQqRe2Lsdb/NSI2gXXX9lad1/yPUDOXo4GNw # PjXq1JZi+HZV91bUr6ZjzePj1g+bepsqd/HC1XScj0fT3aAxLRykJSzExEBmU9eS # yuOwUuq+CriudQtWGMdJU650v/KmzfM46Y6lo/MCnnpvz3zEL7PMdUdwqj/nYhGG # 3UVILxX7tAdMbz7LN+6WOIpT1A41rwaoOVnv+8Ua94HwhjZmu1S73yeV7RZZNxoh # EegJi9YYssXa7UZUUkCCA+KnAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUOPbML8IdkNGtCfMmVPtvI6VZ8+Mw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDYzMDA5MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAnnqH # tDyYUFaVAkvAK0eqq6nhoL95SZQu3RnpZ7tdQ89QR3++7A+4hrr7V4xxmkB5BObS # 0YK+MALE02atjwWgPdpYQ68WdLGroJZHkbZdgERG+7tETFl3aKF4KpoSaGOskZXp # TPnCaMo2PXoAMVMGpsQEQswimZq3IQ3nRQfBlJ0PoMMcN/+Pks8ZTL1BoPYsJpok # t6cql59q6CypZYIwgyJ892HpttybHKg1ZtQLUlSXccRMlugPgEcNZJagPEgPYni4 # b11snjRAgf0dyQ0zI9aLXqTxWUU5pCIFiPT0b2wsxzRqCtyGqpkGM8P9GazO8eao # mVItCYBcJSByBx/pS0cSYwBBHAZxJODUqxSXoSGDvmTfqUJXntnWkL4okok1FiCD # Z4jpyXOQunb6egIXvkgQ7jb2uO26Ow0m8RwleDvhOMrnHsupiOPbozKroSa6paFt # VSh89abUSooR8QdZciemmoFhcWkEwFg4spzvYNP4nIs193261WyTaRMZoceGun7G # CT2Rl653uUj+F+g94c63AhzSq4khdL4HlFIP2ePv29smfUnHtGq6yYFDLnT0q/Y+ # Di3jwloF8EWkkHRtSuXlFUbTmwr/lDDgbpZiKhLS7CBTDj32I0L5i532+uHczw82 # oZDmYmYmIUSMbZOgS65h797rj5JJ6OkeEUJoAVwwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVaTCCFWUCAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAd9r8C6Sp0q00AAAAAAB3zAN # BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgS8eiwK73 # 9tO4r7FNim3spwNuDL7pc8A0Tv1e1p8KO5owRAYKKwYBBAGCNwIBDDE2MDSgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g # MA0GCSqGSIb3DQEBAQUABIIBAHFX3dS8fTm/R+W7oJDpY8ffNtcweIxzV2+v3Kv5 # qPFSpGITog+zuZ3K+uo+21FT3CUq5K+vZ7Y3wc++bdIm+AXanoxklC8CpHpju+Rz # SqOG/E54av7yu2RORAl2smk0LWMay9PBnkeNxi4vinNm8MFtnF4vP8ReI2BYp9DZ # q3v+mPD/mRw+bn/4GKYQtHkSldUUPB1On4HOGEILn76YVnwo7b4stjMQurr0pJ7i # yIeLyi2SG4oKzbWkXEiNnqJX/OnVXJy87O8gaKgfZu13zp7IGXWI6Ii7SjyL5vWh # JQyIMYVe9MyYpzwChfbth7RBcTS2y9zDU2WKniD5vAaLnoGhghLxMIIS7QYKKwYB # BAGCNwMDATGCEt0wghLZBgkqhkiG9w0BBwKgghLKMIISxgIBAzEPMA0GCWCGSAFl # AwQCAQUAMIIBVQYLKoZIhvcNAQkQAQSgggFEBIIBQDCCATwCAQEGCisGAQQBhFkK # AwEwMTANBglghkgBZQMEAgEFAAQglyXQ36Je7ZEBY/EoPf+rqYjmDkQMYWAj9k0u # JHZ3lGUCBmCJ5fvbHRgTMjAyMTA1MTcwNjM2NTguMjQzWjAEgAIB9KCB1KSB0TCB # zjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMg # TWljcm9zb2Z0IE9wZXJhdGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxl # cyBUU1MgRVNOOjg5N0EtRTM1Ni0xNzAxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGlt # ZS1TdGFtcCBTZXJ2aWNloIIORDCCBPUwggPdoAMCAQICEzMAAAFgByDwkkjavusA # AAAAAWAwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw # MTAwHhcNMjEwMTE0MTkwMjIwWhcNMjIwNDExMTkwMjIwWjCBzjELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0IE9w # ZXJhdGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjg5 # N0EtRTM1Ni0xNzAxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2 # aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtDGAHNDyxszxUjM+ # CY31NaRazaTxLUJlTI3nxIvMtbfXnytln87iXrwZvhKQT+IFRKTjJV6wEo5Widss # vecDAheaxiGfkFHRFc8j1cuLPNWqyVSAc/NM9G0y1m76O3KAKmHkx+q4GJr9KnQe # OPuUQOs0dH8L/X/EJpnJCmAhHuUBEkhpFWHnL5apuqZtSwUigXlQfDDMkUmk5fFi # 0DS5a6toql0JTMDOHrCQpmAyRGtc/cT/DlyzhTtxiJiNlEaWbcav68mCTJOwpbc4 # GJO2Rpb96O2lb5Lqm7817NcWoDPC5ION4giY454Rq+UD071WkJ7GjXPpUKmnQRvf # 3Ti6EwIDAQABo4IBGzCCARcwHQYDVR0OBBYEFKebHvi3qBfgmuF1Mgl1fNDrvh9j # MB8GA1UdIwQYMBaAFNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYGA1UdHwRPME0wS6BJ # oEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01p # Y1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYB # BQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljVGlt # U3RhUENBXzIwMTAtMDctMDEuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYI # KwYBBQUHAwgwDQYJKoZIhvcNAQELBQADggEBABU0mAibOgWmiVB1Tydh1xfvJKUo # Q/fn2qDlD9IWnt7iPl0DVX6Sy+Yp1kHWOGOwGzYiY04i3I1ja7Y3CNrgk3EV/7bL # 8pNw/wYT3sfyiCv1z5VvW4cXuC2d7cXy+e/QJvv0riZuGLpLRAiGo9wjxzfpSp4/ # AowubfYn6873C4pbY0ry/1sDmBC73YCPq5/sAYC41gciHSJmiT5ty4mlg8opjWe9 # LYRrWDOYXwn+Ks9jgxby/j+Bp6Qmix+RzqBuiZrjDWAUMYqAqG/u2VPX7ne4cZHZ # NLWoxh43AZ8a2OJPFDUGVARmJuTs8V8J74pGFNFMJG3NadKDc0QTTLaoudQwggZx # MIIEWaADAgECAgphCYEqAAAAAAACMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQg # Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0xMDA3MDEyMTM2NTVa # Fw0yNTA3MDEyMTQ2NTVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIIB # IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0NvHcRijog7PwTl/X6f2mU # a3RUENWlCgCChfvtfGhLLF/Fw+Vhwna3PmYrW/AVUycEMR9BGxqVHc4JE458YTBZ # sTBED/FgiIRUQwzXTbg4CLNC3ZOs1nMwVyaCo0UN0Or1R4HNvyRgMlhgRvJYR4Yy # hB50YWeRX4FUsc+TTJLBxKZd0WETbijGGvmGgLvfYfxGwScdJGcSchohiq9LZIlQ # YrFd/XcfPfBXday9ikJNQFHRD5wGPmd/9WbAA5ZEfu/QS/1u5ZrKsajyeioKMfDa # TgaRtogINeh4HLDpmc085y9Euqf03GS9pAHBIAmTeM38vMDJRF1eFpwBBU8iTQID # AQABo4IB5jCCAeIwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFNVjOlyKMZDz # Q3t8RhvFM2hahW1VMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQE # AwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQ # W9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNv # bS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBa # BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MIGgBgNV # HSABAf8EgZUwgZIwgY8GCSsGAQQBgjcuAzCBgTA9BggrBgEFBQcCARYxaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL1BLSS9kb2NzL0NQUy9kZWZhdWx0Lmh0bTBABggr # BgEFBQcCAjA0HjIgHQBMAGUAZwBhAGwAXwBQAG8AbABpAGMAeQBfAFMAdABhAHQA # ZQBtAGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEAB+aIUQ3ixuCYP4FxAz2d # o6Ehb7Prpsz1Mb7PBeKp/vpXbRkws8LFZslq3/Xn8Hi9x6ieJeP5vO1rVFcIK1GC # RBL7uVOMzPRgEop2zEBAQZvcXBf/XPleFzWYJFZLdO9CEMivv3/Gf/I3fVo/HPKZ # eUqRUgCvOA8X9S95gWXZqbVr5MfO9sp6AG9LMEQkIjzP7QOllo9ZKby2/QThcJ8y # Sif9Va8v/rbljjO7Yl+a21dA6fHOmWaQjP9qYn/dxUoLkSbiOewZSnFjnXshbcOc # o6I8+n99lmqQeKZt0uGc+R38ONiU9MalCpaGpL2eGq4EQoO4tYCbIjggtSXlZOz3 # 9L9+Y1klD3ouOVd2onGqBooPiRa6YacRy5rYDkeagMXQzafQ732D8OE7cQnfXXSY # Ighh2rBQHm+98eEA3+cxB6STOvdlR3jo+KhIq/fecn5ha293qYHLpwmsObvsxsvY # grRyzR30uIUBHoD7G4kqVDmyW9rIDVWZeodzOwjmmC3qjeAzLhIp9cAvVCch98is # TtoouLGp25ayp0Kiyc8ZQU3ghvkqmqMRZjDTu3QyS99je/WZii8bxyGvWbWu3EQ8 # l1Bx16HSxVXjad5XwdHeMMD9zOZN+w2/XU/pnR4ZOC+8z1gFLu8NoFA12u8JJxzV # s341Hgi62jbb01+P3nSISRKhggLSMIICOwIBATCB/KGB1KSB0TCBzjELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEpMCcGA1UECxMgTWljcm9zb2Z0 # IE9wZXJhdGlvbnMgUHVlcnRvIFJpY28xJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNO # Ojg5N0EtRTM1Ni0xNzAxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQD7MpJ0dYtE3MiXKodXFdmAqdnQoqCBgzCB # gKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUA # AgUA5Ewe7jAiGA8yMDIxMDUxNzAyNDUwMloYDzIwMjEwNTE4MDI0NTAyWjB3MD0G # CisGAQQBhFkKBAExLzAtMAoCBQDkTB7uAgEAMAoCAQACAgq+AgH/MAcCAQACAhEx # MAoCBQDkTXBuAgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAI # AgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQADgYEAjwxKuNtR2Phg # mjSkDbD5j09hRCnKC4sjBQ3GJIV/xNgHwgAwygLHjivSmMrtddcIQzl8kZa0M+Dj # UvS2p+C5A9UsstcCb7fvwZmndVuYMAvRoL2yFbMoY6Lo0z1u7vFaNg7ismrPZ/Ur # QL5NxYNzy1O6IdhPa9YaNL4kptrVfuMxggMNMIIDCQIBATCBkzB8MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg # VGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAWAHIPCSSNq+6wAAAAABYDANBglghkgB # ZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3 # DQEJBDEiBCBGu8votLoB5az0ikx7U2pcuWbzAF1h7xLcitbQRQW9iDCB+gYLKoZI # hvcNAQkQAi8xgeowgecwgeQwgb0EIAISo72jcy6XW0Wnrx7qK8p+ldL/j1wXCeJe # SPeosGW5MIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 # b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMA # AAFgByDwkkjavusAAAAAAWAwIgQgfvxo+v34p5Becbw1tJh3R6pEfvbbiFkXnyee # NfsACLQwDQYJKoZIhvcNAQELBQAEggEACUPnkYeF89vjqqTkD4Jd2w9OleqbSf0M # g9Swlwee/PzuWii8rCmHkp3xSB6ubuwUza3G/+YHwn+dz5QgNxePQAZ+I0erE3ZV # W12NSaI20kv1Ta8Wx9AyHhtZFuDxxygQvtKfZO5ctqZ0HJNYNAkeaYDlZUDZL5So # 2BhHyd15LsIWalGuOU+l9U0yXtZfR70f1JrHtIlKccfR/nuTTY7RQcbSasERlQS9 # H1PPtfv+gs+1CGJWT+2hYaSHnb0DzaypGA/e7auKO4G7Sv1Ve//P+D0NQr0T6iQM # iWwaLxgr7FB9lTNGd50X280nrl0jvTWVYBQL1CuleBpOGxSZy1RLOw== # SIG # End signature block |