Framework/Helpers/IncrementalScanHelper.ps1
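Set-StrictMode -Version Latest

# Keeps a "last scanned" record per resource type (Build, Release, ...) so that a scan can be
# limited to resources changed since the previous run. Depending on the scan source the record lives in:
#   - a JSON file under AzSKTempStatePath\{org}\{project}\ (any source other than CA / CICD),
#   - a blob in the CA snapshot container of the storage account named by $env:StorageName (CA),
#   - a document fetched from / PUT to an HTTP URI (CICD).
# Fail-safe rule used throughout: when the previous record cannot be read, the scan is treated as a
# first scan, so callers get every resource back instead of a silently shortened list.
class IncrementalScanHelper
{
    hidden [string] $OrganizationName = $null;
    hidden [string] $ProjectName = $null;
    hidden [string] $ProjectId = $null;
    hidden $OrganizationContext = $null;
    [PSObject] $ControlSettings;
    hidden [string] $AzSKTempStatePath = (Join-Path $([Constants]::AzSKAppFolderPath) "IncrementalScan");
    hidden [string] $CAScanProgressSnapshotsContainerName = [Constants]::CAScanProgressSnapshotsContainerName;
    hidden [string] $ScanSource = $null;
    $StorageContext = $null;
    $ControlStateBlob = $null;
    $ContainerObject = $null;
    hidden [string] $IncrementalScanTimestampFile=$null;
    hidden [string] $CATempFile = $null;
    hidden [string] $MasterFilePath;
    hidden [PSObject] $ResourceTimestamps = $null;
    # Only ever set to $true in this class; it is not reset when a later lookup finds a timestamp.
    hidden [bool] $FirstScan = $false;
    hidden [datetime] $IncrementalDate = 0;
    hidden [datetime] $LastFullScan = 0;
    hidden [bool] $ShouldDiscardOldScan = $false;
    [bool] $UpdateTime = $true;
    hidden [datetime] $Timestamp = 0;
    [bool] $isPartialScanActive = $false;
    [bool] $IsFullScanInProgress = $false;
    # Shared across instances; loaded once from IncrementalScanAudits.json.
    static [PSObject] $auditSchema = $null
    [bool] $isIncFileAlreadyAvailable = $false;

    # Constructor used when the caller supplies the timestamp to record and whether to record it at all.
    IncrementalScanHelper([string] $organizationName, [string] $projectName, [datetime] $incrementalDate, [bool] $updateTimestamp, [datetime] $timestamp)
    {
        $this.OrganizationName = $organizationName
        $this.ProjectName = $projectName
        $this.IncrementalScanTimestampFile = $([Constants]::IncrementalScanTimeStampFile)
        $this.ScanSource = [AzSKSettings]::GetInstance().GetScanSource()
        $this.CATempFile = "CATempLocal.json" # temporary file to store Json Data to upload to container (in CA)
        $this.IncrementalDate = $incrementalDate
        $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.projectName) $this.IncrementalScanTimestampFile)
        $this.UpdateTime = $updateTimestamp
        $this.Timestamp = $timestamp
        $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json");
        $this.InitializeScanState()
    }

    # Constructor used when an organization context and project id are already known.
    # UpdateTime and Timestamp keep their field defaults ($true and 0).
    IncrementalScanHelper($organizationContext, [string] $projectId,[string] $projectName, [datetime] $incrementalDate)
    {
        $this.OrganizationName = $organizationContext.OrganizationName
        $this.OrganizationContext = $organizationContext
        $this.ProjectId = $projectId
        $this.IncrementalScanTimestampFile = $([Constants]::IncrementalScanTimeStampFile)
        $this.ScanSource = [AzSKSettings]::GetInstance().GetScanSource()
        $this.CATempFile = "CATempLocal.json" # temporary file to store Json Data to upload to container (in CA)
        $this.IncrementalDate = $incrementalDate
        $this.ProjectName = $projectName
        $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.projectName) $this.IncrementalScanTimestampFile)
        $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json");
        $this.InitializeScanState()
    }

    # Shared tail of both constructors: detects an active partial scan (only when -UsePartialCommits was
    # passed) and makes sure the static audit schema is loaded. The second constructor previously skipped
    # the schema load, which left the audit-based filters reading a null schema when it ran first.
    hidden [void] InitializeScanState()
    {
        if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey("UsePartialCommits")){
            [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance();
            if(($partialScanMngr.IsPartialScanInProgress($this.OrganizationName, $false) -eq [ActiveStatus]::Yes)){
                $this.isPartialScanActive = $true
            }
        }
        if($null -eq [IncrementalScanHelper]::auditSchema){
            [IncrementalScanHelper]::auditSchema = [ConfigurationManager]::LoadServerConfigFile("IncrementalScanAudits.json")
        }
    }

    # True when the loaded timestamp data has no entry, a null entry, or a zero LastScanTime for $resourceType.
    hidden [bool] HasNoPreviousScan([string] $resourceType)
    {
        return (-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0)
    }

    # Builds the entry written for a resource type on its first scan: scan and full-scan time are both
    # the current Timestamp, the partial time is the zero date, and no full scan is marked in progress.
    hidden [object] NewResourceScanTimes()
    {
        return [IncrementalTimeStampsResources]@{
            LastScanTime = $this.Timestamp;
            LastFullScanTime = $this.Timestamp;
            LastPartialTime = "0001-01-01T00:00:00.0000000";
            IsFullScanInProgress = $false
        }
    }

    # Advances an existing entry: the previous LastScanTime becomes LastPartialTime and LastScanTime
    # becomes the current Timestamp. When the old scan is being discarded, the entry is restarted as a
    # full scan (new LastFullScanTime, zero partial time, IsFullScanInProgress set).
    hidden [void] RollTimestampsForward([string] $resourceType)
    {
        $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime;
        $this.ResourceTimestamps.$resourceType.LastPartialTime = $previousScanTime
        if($this.IsFullScanInProgress -eq $false){
            $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false
        }
        #if old scan, we trigger full scan, store full scan value, also reset upc scan time
        if($this.ShouldDiscardOldScan){
            $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp
            $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000";
            $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true
        }
        $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp
    }

    # Loads the stored timestamps for the current scan source and returns the threshold time for
    # $resourceType. Side effects: sets ResourceTimestamps, FirstScan, IsFullScanInProgress and
    # LastFullScan (and, for CA, StorageContext / ContainerObject / ControlStateBlob).
    # Returns 0 (the zero date) when there is no previous scan and no user-supplied IncrementalDate.
    hidden [datetime] GetThresholdTime([string] $resourceType)
    {
        $latestScan = 0
        if($this.ScanSource -ne "CA" -and $this.ScanSource -ne "CICD")
        {
            if(![string]::isnullorwhitespace($this.OrganizationName))
            {
                if(Test-Path $this.MasterFilePath)
                {
                    # File exists. Retrieve last timestamp.
                    $this.ResourceTimestamps = Get-Content $this.MasterFilePath | ConvertFrom-Json
                    if($this.HasNoPreviousScan($resourceType))
                    {
                        # Previous timestamp does not exist for this resource in the existing file.
                        $this.FirstScan = $true
                    }
                }
                else
                {
                    #file does not exist
                    $this.FirstScan = $true
                }
            }
        }
        elseif ($this.ScanSource -eq 'CA')
        {
            $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile)
            # Fixed file name under the app folder: two CA scans on the same host would share it.
            $tempPath = Join-Path $([Constants]::AzSKAppFolderPath) $this.CATempFile
            $blobPath = Join-Path (Join-Path (Join-Path "IncrementalScan" $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile
            try
            {
                #Validate if Storage is found
                # The context is built from the first storage account key, i.e. an account-wide credential.
                # NOTE(review): a credential scoped to the snapshot container would be enough for what this class does.
                $keys = Get-AzStorageAccountKey -ResourceGroupName $env:StorageRG -Name $env:StorageName
                $this.StorageContext = New-AzStorageContext -StorageAccountName $env:StorageName -StorageAccountKey $keys[0].Value -Protocol Https
                $this.ContainerObject = Get-AzStorageContainer -Context $this.StorageContext -Name $this.CAScanProgressSnapshotsContainerName -ErrorAction SilentlyContinue
                if($null -ne $this.ContainerObject)
                {
                    #container exists
                    $this.ControlStateBlob = Get-AzStorageBlob -Container $this.CAScanProgressSnapshotsContainerName -Context $this.StorageContext -Blob $blobPath -ErrorAction SilentlyContinue
                    if($null -ne $this.ControlStateBlob)
                    {
                        # File exists. Copy existing timestamp file locally
                        Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force
                        $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json
                        #Delete the local file
                        Remove-Item -Path $tempPath
                        if($this.HasNoPreviousScan($resourceType))
                        {
                            # Previous timestamp does not exist for current resource in existing file.
                            $this.FirstScan = $true
                        }
                    }
                    else
                    {
                        # File does not exist.
                        $this.FirstScan = $true
                    }
                }
                else
                {
                    # Container does not exist
                    $this.FirstScan = $true
                }
            }
            catch
            {
                write-host "Exception when trying to find/create incremental scan container: $_."
                # Without this the code below dereferences timestamps that were never loaded (or reuses
                # stale ones). Treat an unreadable store as "no previous scan", as the CICD branch does.
                $this.FirstScan = $true
            }
        }
        elseif($this.ScanSource -eq 'CICD'){
            if (Test-Path env:incrementalScanURI)
            {
                #Uri is created in cicd task based on jobid
                $uri = $env:incrementalScanURI
            }
            else {
                # Was $this.OrgName, a property this class does not declare (an error under StrictMode).
                $uri = [Constants]::StorageUri -f $this.OrganizationName, $this.OrganizationName, "IncrementalScanFile"
            }
            try {
                #check if file already in extension storage
                $webRequestResult = [WebRequestHelper]::InvokeGetWebRequest($uri)
                if($null -ne $webRequestResult){
                    $this.ResourceTimestamps = $webRequestResult | ConvertFrom-Json
                    if($this.HasNoPreviousScan($resourceType))
                    {
                        # Previous timestamp does not exist for this resource in the existing file.
                        $this.FirstScan = $true
                        $this.isIncFileAlreadyAvailable = $true;
                    }
                }
                else{
                    $this.FirstScan = $true
                    $this.isIncFileAlreadyAvailable = $false;
                }
            }
            catch {
                $this.FirstScan = $true
                $this.isIncFileAlreadyAvailable = $false;
            }
        }

        if(-not $this.FirstScan)
        {
            if($this.isPartialScanActive){
                $latestScan = [datetime]$this.ResourceTimestamps.$resourceType.LastPartialTime
                #to check if full scan is currently in progress, if we dont check this and give -dt switch full scan wont work
                if($this.ResourceTimestamps.$resourceType.IsFullScanInProgress){
                    $this.IsFullScanInProgress = $true
                }
                else{
                    $this.IsFullScanInProgress = $false
                }
            }
            else
            {
                $latestScan = [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime
                $this.IsFullScanInProgress = $false
            }
            $this.LastFullScan = [datetime]$this.ResourceTimestamps.$resourceType.LastFullScanTime
        }

        if($this.IncrementalDate -ne 0)
        {
            # user input of incremental date to be used for scanning incrementally.
            $latestScan = $this.IncrementalDate
            if($this.ScanSource -eq 'CA'){
                # In CA the supplied date is interpreted as Asia/Kolkata local time and converted to UTC.
                # NOTE(review): the zone is hard-coded; a date entered in any other zone shifts the threshold.
                $FromTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById("Asia/Kolkata")
                $latestScan = [DateTime]::SpecifyKind((Get-Date $latestScan), [DateTimeKind]::Unspecified)
                $latestScan = [System.TimeZoneInfo]::ConvertTimeToUtc($latestScan, $FromTimeZone)
            }
        }
        return $latestScan
    }

    # Persists the timestamp of the current scan for $resourceType to the store of the current scan
    # source. Does nothing when UpdateTime is off or a partial scan is active.
    UpdateTimeStamp([string] $resourceType)
    {
        if($this.UpdateTime -ne $true)
        {
            return;
        }
        if($this.isPartialScanActive){
            return;
        }
        if($this.ScanSource -ne "CA" -and $this.ScanSource -ne "CICD")
        {
            if($this.FirstScan -eq $true)
            {
                # Check if file exists
                if((-not (Test-Path ($this.AzSKTempStatePath))) -or (-not (Test-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName))) -or (-not (Test-Path $this.MasterFilePath)))
                {
                    # Incremental Scan happening first time locally OR Incremental Scan happening first time for Org OR first time for current Project
                    # -Force: the project folder may already exist while only the file is missing.
                    New-Item -Type Directory -Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.ProjectName) -Force -ErrorAction Stop | Out-Null
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                else
                {
                    # File exists for Organization and Project but first time scan for current resource type
                    $this.ResourceTimestamps = Get-ChildItem -Path $this.MasterFilePath -Force | Get-Content | ConvertFrom-Json
                }
                $this.ResourceTimestamps.$resourceType = $this.NewResourceScanTimes()
            }
            else
            {
                # Not a first time scan for the current resource
                $this.ResourceTimestamps = Get-ChildItem -Path $this.MasterFilePath -Force | Get-Content | ConvertFrom-Json
                $this.RollTimestampsForward($resourceType)
            }
            [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force
        }
        elseif ($this.ScanSource -eq 'CA')
        {
            if($null -eq $this.StorageContext)
            {
                # GetThresholdTime could not reach storage; there is nowhere to persist to.
                Write-Host "Incremental scan timestamp not updated: storage context is not available."
                return;
            }
            $tempPath = Join-Path $([Constants]::AzSKAppFolderPath) $this.CATempFile
            $blobPath = Join-Path (Join-Path (Join-Path "IncrementalScan" $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile
            if ($this.FirstScan -eq $true)
            {
                # Check if container object does not exist
                if($null -eq $this.ContainerObject)
                {
                    # Container does not exist, create container.
                    $this.ContainerObject = New-AzStorageContainer -Name $this.CAScanProgressSnapshotsContainerName -Context $this.StorageContext -ErrorAction SilentlyContinue
                    if ($null -eq $this.ContainerObject )
                    {
                        # The original called $this.PublishCustomMessage, which this class neither declares
                        # nor inherits, and then went on to read ContainerObject.Name from the null object.
                        Write-Host "Could not find/create partial scan container in storage."
                        return;
                    }
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                if($null -eq $this.ControlStateBlob)
                {
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                else
                {
                    Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force
                    $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json
                    #Delete the local file
                    Remove-Item -Path $tempPath
                }
                $this.ResourceTimestamps.$resourceType = $this.NewResourceScanTimes()
            }
            else
            {
                Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force
                $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json
                # Delete the local file
                Remove-Item -Path $tempPath
                $this.RollTimestampsForward($resourceType)
            }
            # Stage the JSON locally, upload it over the existing blob, then remove the staged copy.
            [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $tempPath -Force
            Set-AzStorageBlobContent -File $tempPath -Container $this.ContainerObject.Name -Blob $blobPath -Context $this.StorageContext -Force
            Remove-Item -Path $tempPath
        }
        elseif($this.ScanSource -eq 'CICD'){
            if($this.FirstScan -eq $true){
                #first scan for the pipeline for all resources
                if($this.isIncFileAlreadyAvailable -eq $false){
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                #will be called for both scenarios: first scan for the resource as well as for the entire pipeline
                $this.ResourceTimestamps.$resourceType = $this.NewResourceScanTimes()
            }
            else{
                #not a first scan
                $this.RollTimestampsForward($resourceType)
            }
            $incrementalScanPayload = [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps)
            try{
                $rmContext = [ContextHelper]::GetCurrentContext();
                $user = "";
                # The access token travels in a Basic Authorization header to whatever $uri resolves to.
                $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken)))
                if (Test-Path env:incrementalScanURI)
                {
                    # NOTE(review): nothing here checks the scheme or host of this variable before the token
                    # is sent to it - confirm the pipeline task is its only writer, or validate it here.
                    $uri = $env:incrementalScanURI
                    # Document id = second-to-last segment of the URI once '?' is treated as a separator
                    # (the original reached index -2 through the length of an empty string).
                    $documentId = $uri.Replace('?','/').Split('/')[-2]
                }
                else {
                    # Was $this.OrgName, which does not exist on this class, so this fallback always failed.
                    $uri = [Constants]::StorageUri -f $this.OrganizationName, $this.OrganizationName, "IncrementalScanFile"
                    $documentId = "IncrementalScanFile"
                }
                $document = @{"id" = $documentId; "value"= $incrementalScanPayload;}
                #if the incremental scan is already present need to update the existing file
                if ($this.FirstScan -eq $false -or $this.isIncFileAlreadyAvailable -eq $true){
                    $document["__etag"] = -1
                }
                $body = $document | ConvertTo-Json
                $webRequestResult = Invoke-WebRequest -Uri $uri -Method Put -ContentType "application/json" -Headers @{Authorization = ("Basic {0}" -f $base64AuthInfo) } -Body $body
            }
            catch{
                Write-Host "Error updating Incremental Scan file: $($_)"
            }
        }
    }

    # True when the last full scan for $resourceType is older than
    # ControlSettings.IncrementalScan.IncrementalScanValidForDays. A first scan is never "old".
    [bool] IsIncScanOld($resourceType){
        # Called for its side effects (FirstScan, LastFullScan); the returned threshold is not needed here.
        $this.GetThresholdTime($resourceType)
        if($this.FirstScan){
            return $false;
        }
        $validUntil = $this.LastFullScan.AddDays($this.ControlSettings.IncrementalScan.IncrementalScanValidForDays)
        return ($validUntil -lt [DateTime]::UtcNow)
    }

    # Decides whether an outdated incremental record should be thrown away in favour of a full scan.
    # It is discarded when it is old and the -Force parameter was not passed. Result is also kept in
    # ShouldDiscardOldScan for UpdateTimeStamp.
    [bool] ShouldDiscardOldIncScan($resourceType){
        $this.ShouldDiscardOldScan = ($this.IsIncScanOld($resourceType) -and -not $PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Force'))
        return $this.ShouldDiscardOldScan;
    }

    # Returns the build definitions whose createdDate is at or after the threshold time.
    # The search assumes $buildDefnsObj is ordered newest first (see the comment on the first-element check).
    [System.Object[]] GetModifiedBuilds($buildDefnsObj)
    {
        $latestBuildScan = $this.GetThresholdTime("Build")
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0)
        {
            $this.UpdateTimeStamp("Build")
            return $buildDefnsObj
        }
        #if inc scan last time is 0 or if this is a full scan partial checkpoint, return all builds
        if($this.isPartialScanActive -and ($latestBuildScan -eq 0 -or $this.IsFullScanInProgress)){
            return $buildDefnsObj
        }
        #if scan is old and no upc file found, simply return all builds, update scan time for full scans and last scan
        if($this.ShouldDiscardOldIncScan('Build') -and -not($this.isPartialScanActive)){
            $this.UpdateTimeStamp("Build")
            return $buildDefnsObj
        }
        $newBuildDefns = @()
        if($null -eq $buildDefnsObj -or @($buildDefnsObj).Count -eq 0)
        {
            # Nothing was fetched; indexing element 0 below would fail under StrictMode.
            $this.UpdateTimeStamp("Build")
            return $newBuildDefns
        }
        if ([datetime] $buildDefnsObj[0].createdDate -lt $latestBuildScan)
        {
            # first resource is modified before the threshold time => all consequent are also modified before threshold
            # return empty list
            $this.UpdateTimeStamp("Build")
            return $newBuildDefns
        }
        #Binary search for the last index that is still at/after the threshold
        [int] $low = 0 # start index of array
        [int] $high = $buildDefnsObj.length - 1 # last index of array
        [int] $size = $buildDefnsObj.length # total length of array
        [int] $breakIndex = 0
        while($low -le $high)
        {
            # [int] conversion rounds the quotient to the nearest integer; the result stays within low..high
            [int] $mid = ($low + $high)/2
            [datetime] $modifiedDate = [datetime]($buildDefnsObj[$mid].createdDate)
            if($modifiedDate -ge $latestBuildScan)
            {
                # modified date is after the threshold time
                if(($mid + 1) -eq $size)
                {
                    # all fetched build defs are modified after threshold time
                    # return unmodified
                    $this.UpdateTimeStamp("Build")
                    return $buildDefnsObj
                }
                else
                {
                    # mid point is not the last build defn
                    if([datetime]($buildDefnsObj[$mid+1].createdDate) -lt $latestBuildScan)
                    {
                        # changing point found
                        $breakIndex = $mid
                        break
                    }
                    else
                    {
                        # search on right half
                        $low = $mid + 1
                    }
                }
            }
            elseif ($modifiedDate -lt $latestBuildScan)
            {
                if($mid -eq 0)
                {
                    # All fetched builds have been modified before the threshold
                    # (element 0 was already checked above, so this is a safety net)
                    return $newBuildDefns
                }
                else
                {
                    if([datetime]($buildDefnsObj[$mid - 1].createdDate) -ge $latestBuildScan)
                    {
                        # changing point found
                        $breakIndex = $mid - 1
                        break
                    }
                    else
                    {
                        # search on left half
                        $high = $mid - 1
                    }
                }
            }
        }
        $newBuildDefns = @($buildDefnsObj[0..$breakIndex])
        $this.UpdateTimeStamp("Build")
        return $newBuildDefns
    }

    # Returns the release definitions whose modifiedOn is at or after the threshold time (linear scan).
    [System.Object[]] GetModifiedReleases($releaseDefnsObj)
    {
        $latestReleaseScan = $this.GetThresholdTime("Release")
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0)
        {
            $this.UpdateTimeStamp("Release")
            return $releaseDefnsObj
        }
        if($this.isPartialScanActive -and ($latestReleaseScan -eq 0 -or $this.IsFullScanInProgress)){
            return $releaseDefnsObj
        }
        if($this.ShouldDiscardOldIncScan('Release')){
            $this.UpdateTimeStamp("Release")
            return $releaseDefnsObj
        }
        # Searching Linearly
        $newReleaseDefns = @($releaseDefnsObj | Where-Object { [datetime]($_.modifiedOn) -ge $latestReleaseScan })
        $this.UpdateTimeStamp("Release")
        return $newReleaseDefns
    }

    #Get all resources attested after the latest scan
    # Only active when -ScanAttestedResources was passed; otherwise returns an empty list.
    [System.Object[]] GetAttestationAfterInc($projectName, $resourceType){
        $resourceIds = @();
        #if parameter not specified, wont be fetching these resources
        if(-not($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanAttestedResources'))){
            return $resourceIds
        }
        $latestResourceScan = $this.GetThresholdTime($resourceType)
        if($this.ScanSource -ne 'CA'){
            $latestResourceScan=$latestResourceScan.ToUniversalTime();
        }
        # Sortable string form (yyyy-MM-ddTHH:mm:ss) used for the comparison below
        $latestResourceScan =Get-Date $latestResourceScan -Format s
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            return $resourceIds;
        }
        [ControlStateExtension] $ControlStateExt = [ControlStateExtension]::new($this.OrganizationContext, $PSCmdlet.MyInvocation);
        $output = $ControlStateExt.RescanComputeControlStateIndexer($projectName, 'ADO.'+$resourceType);
        $output | ForEach-Object {
            if($_.AttestedDate -gt $latestResourceScan){
                try {
                    # Resource id = the part of ResourceId after "{resourcetype}/"
                    $resourceIds += ($_.ResourceId -split ($resourceType.ToLower() + "/"))[1]
                }
                catch {
                    # Deliberately skipped: this ResourceId does not contain the expected "{resourcetype}/" marker.
                }
            }
        }
        return $resourceIds
    }

    # Shared implementation for GetAuditTrailsForBuilds / GetAuditTrailsForReleases.
    # Reads the organization audit log from the threshold time onwards and returns the ids of
    # definitions in this project where a restricted broader group was given a restricted permission.
    #   $resourceType   - "Build" or "Release" (threshold lookup and control-settings section)
    #   $auditNamespace - value expected in the audit entry's data.NamespaceName
    hidden [System.Object[]] GetPermissionChangeIds([string] $resourceType, [string] $auditNamespace)
    {
        $latestScan = $this.GetThresholdTime($resourceType)
        if($this.ScanSource -ne 'CA'){
            $latestScan = $latestScan.ToUniversalTime();
        }
        $latestScan = Get-Date $latestScan -Format s
        $definitionIds = @();
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            return $definitionIds;
        }
        $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestScan
        try {
            $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl);
            # NOTE(review): only the entries of this single response are examined. If the audit API pages
            # its results, later pages are not fetched here and their permission changes are missed - confirm.
            $auditTrails = $response.decoratedAuditLogEntries;
            # ProjectId is used as a regex pattern. NOTE(review): with an empty ProjectId the pattern is "/",
            # which matches tokens of every project.
            $modifiedDefinitions = $auditTrails | Where-Object {$_.actionId -eq 'Security.ModifyPermission' -and $_.data.NamespaceName -eq $auditNamespace -and $_.data.Token -match $this.ProjectId+"/" }
            if($resourceType -eq "Build"){
                $broaderGroups = $this.ControlSettings.Build.RestrictedBroaderGroupsForBuild
            }
            else{
                $broaderGroups = $this.ControlSettings.Release.RestrictedBroaderGroupsForRelease
            }
            # group name -> list of permissions that are restricted for that group
            $restrictedBroaderGroups = @{}
            $broaderGroups.psobject.properties | ForEach-Object { $restrictedBroaderGroups[$_.Name] = $_.Value }
            $modifiedDefinitions | ForEach-Object {
                # SubjectDisplayName is split on the backslash; the second part is taken as the group name
                $group = ($_.data.SubjectDisplayName -split("\\"))[1]
                if($group -in $restrictedBroaderGroups.keys ){
                    if($_.data.ChangedPermission -in $restrictedBroaderGroups[$group]){
                        # definition id = last segment of the security token
                        $definitionIds += (($_.data.Token -split("/"))[-1])
                    }
                }
            }
            $definitionIds = $definitionIds | Select-Object -Unique
        }
        catch {
            # Previously swallowed without a trace. A failed or denied audit query means permission
            # changes since the last scan go undetected, so make that visible.
            Write-Host "Could not evaluate audit log for $resourceType permission changes: $($_)"
        }
        return $definitionIds;
    }

    # Ids of build definitions with restricted-group permission changes since the last Build scan.
    [System.Object[]] GetAuditTrailsForBuilds(){
        return $this.GetPermissionChangeIds("Build", 'Build');
    }

    # Shared implementation for GetModifiedBuildsFromAudit / GetModifiedReleasesFromAudit.
    # Fetches definitions by id in batches of at most 100 ids per request.
    #   $urlTemplate - format string taking organization {0}, project {1}, comma-joined ids {2}
    hidden [System.Object[]] FetchDefinitionsInBatches($ids, [string] $urlTemplate, $projectName)
    {
        # A caller may hand over $null when no ids were found; treat that as an empty list.
        $ids = @($ids | Where-Object { $null -ne $_ })
        $remaining = $ids.Count
        $definitions = @()
        $batchCount = 0;
        $batchIds = ""
        $ids | ForEach-Object {
            $batchCount++;
            $batchIds = $batchIds + $_ + ","
            $isFullBatch = ($remaining -ge 100 -and $batchCount -eq 100)
            $isFinalBatch = ($remaining -lt 100 -and $batchCount -eq $remaining)
            if($isFullBatch -or $isFinalBatch){
                $definitionUrl = $urlTemplate -f $($this.OrganizationName), $projectName, $batchIds;
                try {
                    $definitions += ([WebRequestHelper]::InvokeGetWebRequest($definitionUrl));
                }
                catch {
                    Write-Host "Could not fetch a batch of definitions changed per audit log: $($_)"
                }
                if($isFullBatch){
                    # Reset even when the request failed; the original reset inside the try block, so one
                    # failed batch stopped every later batch from being requested.
                    $batchCount = 0;
                    $batchIds = "";
                    $remaining -= 100;
                }
            }
        }
        return $definitions
    }

    # Fetches the build definitions named by $buildIds and returns those created before the Build
    # threshold. Presumably newer ones are already returned by GetModifiedBuilds - verify against caller.
    [System.Object[]] GetModifiedBuildsFromAudit($buildIds, $projectName){
        $newBuildDefns = @();
        $buildDefnObj = $this.FetchDefinitionsInBatches($buildIds, "https://{0}.visualstudio.com/{1}/_apis/build/definitions?definitionIds={2}&api-version=6.0", $projectName)
        $latestBuildScan = $this.GetThresholdTime("Build");
        foreach ($buildDefn in $buildDefnObj) {
            if ([Helpers]::CheckMember($buildDefn,'CreatedDate') -and [datetime]($buildDefn.CreatedDate) -lt $latestBuildScan) {
                $newBuildDefns += @($buildDefn)
            }
        }
        return $newBuildDefns;
    }

    # Ids of release definitions with restricted-group permission changes since the last Release scan.
    [System.Object[]] GetAuditTrailsForReleases(){
        return $this.GetPermissionChangeIds("Release", 'ReleaseManagement');
    }

    # Fetches the release definitions named by $releaseIds and returns those last modified before the
    # Release threshold. Presumably newer ones are already returned by GetModifiedReleases - verify against caller.
    [System.Object[]] GetModifiedReleasesFromAudit($releaseIds, $projectName){
        $newReleaseDefns = @();
        $releaseDefnObj = $this.FetchDefinitionsInBatches($releaseIds, "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions?definitionIdFilter={2}&api-version=6.0", $projectName)
        $latestReleaseScan = $this.GetThresholdTime("Release");
        foreach ($releaseDefn in $releaseDefnObj) {
            if ([Helpers]::CheckMember($releaseDefn,'modifiedOn') -and [datetime]($releaseDefn.modifiedOn) -lt $latestReleaseScan) {
                $newReleaseDefns += @($releaseDefn)
            }
        }
        return $newReleaseDefns;
    }

    #common function to get modified resource ids from audits for common svts and variable group
    # For each matching audit entry, the schema names (at index 1 of the event's entry) the data field
    # that carries the resource reference; the id is taken from that field.
    [System.Object[]] GetModifiedCommonSvtAuditTrails($resourceType){
        $resourceIds = @()
        #get last scan of the resources
        $latestScan = $this.GetThresholdTime($resourceType)
        if($this.ScanSource -ne 'CA'){
            $latestScan=$latestScan.ToUniversalTime();
        }
        $latestScan = Get-Date $latestScan -Format s
        $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestScan
        try {
            $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl);
            # NOTE(review): single response only; later pages of the audit log, if any, are not read here - confirm.
            $auditTrails = $response.decoratedAuditLogEntries;
            #get modified resources from filter
            $modifiedResources = $this.GetModifiedResourcesFilter($resourceType,$auditTrails)
            $modifiedResources | ForEach-Object {
                #extract resource ids from modified resources
                $idField = [IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]
                $resourceReference = $_.data.$idField
                $resourceIds += ($resourceReference -split("/"))[-1]
                if($resourceType -eq "GitRepositories"){
                    #to handle events of permission changes on branches: the id is the segment just before "/refs".
                    # The original lacked parentheses here, so [-1] applied to the "/" pattern and every
                    # path segment was added instead of only the last one.
                    $resourceIds += ((($resourceReference -split("/refs"))[0]) -split("/"))[-1]
                    #to handle events of new repository creation
                    $resourceIds += ($resourceReference -split("\."))[-1]
                }
            }
            $resourceIds = $resourceIds | Select-Object -Unique
        }
        catch {
            # Previously swallowed without a trace; an empty result here means audit-only changes are missed.
            Write-Host "Could not evaluate audit log for $resourceType changes: $($_)"
        }
        return $resourceIds
    }

    #function to filter audits according to resource type
    # Keeps an audit entry when its actionId is listed in the schema for $resourceType and either the
    # schema entry's first element is $true, or the data field it names equals the resource type name
    # used in audits.
    [System.Object[]] GetModifiedResourcesFilter($resourceType,$auditTrails){
        $resourceTypeInFilter = $resourceType
        #in case of secure file and variable group the resource type in audits is library, for other resources the name is same
        if($resourceType -eq "SecureFile" -or $resourceType -eq "VariableGroup"){
            $resourceTypeInFilter = "Library"
        }
        if($resourceType -eq "GitRepositories"){
            $resourceTypeInFilter = "Git Repositories"
        }
        $auditEvents = [IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents
        $modifiedResources = $auditTrails | Where-Object {
            # Check membership first: looking up an unlisted actionId would fail under StrictMode.
            if($_.actionId -notin $auditEvents.PSObject.Properties.Name){
                return $false
            }
            $typeSelector = $auditEvents.($_.actionId)[0]
            return ($typeSelector -eq $true -or ($_.Data.$typeSelector -eq $resourceTypeInFilter -or $_.Data.$typeSelector -eq "repository" -or $_.Data.$typeSelector -eq $resourceType))
        }
        return $modifiedResources
    }

    #function to get modified resources
    # $response is the full list of resources from the API; the result is the subset that changed since
    # the last scan according to the audit log, attestation data and (when the schema defines one) the
    # ApiResponseFilter date field.
    [System.Object[]] GetModifiedCommonSvtFromAudit($resourceType,$response){
        $thresholdTime = $this.GetThresholdTime($resourceType)
        $latestScan =Get-Date $thresholdTime -Format s
        #if this a first scan return all resources
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            $this.UpdateTimeStamp($resourceType)
            return $response
        }
        #if partial scan is active and last scan is 0 or this is a full scan in progress return all resources
        # Compare the datetime, not the formatted string: the original compared the string with 0, which is never equal.
        if($this.isPartialScanActive -and ($thresholdTime -eq 0 -or $this.IsFullScanInProgress)){
            return $response
        }
        #if this is a old scan return all resources
        if($this.ShouldDiscardOldIncScan($resourceType)){
            $this.UpdateTimeStamp($resourceType)
            return $response
        }
        #get ids from above functions
        $modifiedResourceIds = @($this.GetModifiedCommonSvtAuditTrails($resourceType));
        if($resourceType -eq "GitRepositories"){
            $modifiedResourceIdsFromAttestation = @($this.GetAttestationAfterInc($this.ProjectName,"Repository"))
        }
        else{
            $modifiedResourceIdsFromAttestation = @($this.GetAttestationAfterInc($this.ProjectName,$resourceType))
        }
        $modifiedResourceIds = @($modifiedResourceIds + $modifiedResourceIdsFromAttestation | Select-Object -Unique)
        $modifiedResources = @()
        $hasApiResponseFilter = [Helpers]::CheckMember([IncrementalScanHelper]::auditSchema.$resourceType, "ApiResponseFilter")
        #if we get some ids from audit trails add them to modified resource obj
        if($modifiedResourceIds.Count -gt 0 -and $null -ne $modifiedResourceIds[0]){
            #filter all ids from audit trails in the api response
            $modifiedResources = @($response | Where-Object{$modifiedResourceIds -contains $_.id})
            #to capture events that dont come in audits but is reflected in api responses such as new resource created, properties of resources edited etc.
            if($hasApiResponseFilter){
                $modifiedResources +=$response | Where-Object{$modifiedResourceIds -notcontains $_.id -and [datetime]($_.([IncrementalScanHelper]::auditSchema.$resourceType.ApiResponseFilter)) -gt $latestScan}
            }
        }
        #in case no ids were obtained from audits check from response for corresponding api response filter if present
        else{
            if($hasApiResponseFilter){
                $modifiedResources += $response | Where-Object{[datetime]($_.([IncrementalScanHelper]::auditSchema.$resourceType.ApiResponseFilter)) -gt $latestScan}
            }
        }
        # NOTE(review): the timestamp advances even when the audit lookup returned nothing because it failed.
        # For a resource type without an ApiResponseFilter that window is then never rescanned - consider
        # skipping the update (or returning $response) when the audit query could not be completed.
        $this.UpdateTimeStamp($resourceType)
        return $modifiedResources
    }

    # Sets the project id and organization context after construction.
    [void] SetContext($projectId,$organizationContext){
        $this.ProjectId = $projectId
        $this.OrganizationContext = $organizationContext
    }
}

# NOTE: the Authenticode block below covers the bytes of the file as it was originally signed. Any edit
# above it makes Get-AuthenticodeSignature report HashMismatch; re-sign the file before using it where
# an execution policy requires valid signatures (for example AllSigned).
# SIG # Begin signature block # MIIn0AYJKoZIhvcNAQcCoIInwTCCJ70CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDu0RnMQpTI+qM0 # h0LTH/dgIIVOYsJ8iDSKXQeNVLNl26CCDYUwggYDMIID66ADAgECAhMzAAADri01 # UchTj1UdAAAAAAOuMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwODU5WhcNMjQxMTE0MTkwODU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQD0IPymNjfDEKg+YyE6SjDvJwKW1+pieqTjAY0CnOHZ1Nj5irGjNZPMlQ4HfxXG # yAVCZcEWE4x2sZgam872R1s0+TAelOtbqFmoW4suJHAYoTHhkznNVKpscm5fZ899 # QnReZv5WtWwbD8HAFXbPPStW2JKCqPcZ54Y6wbuWV9bKtKPImqbkMcTejTgEAj82 # 6GQc6/Th66Koka8cUIvz59e/IP04DGrh9wkq2jIFvQ8EDegw1B4KyJTIs76+hmpV # M5SwBZjRs3liOQrierkNVo11WuujB3kBf2CbPoP9MlOyyezqkMIbTRj4OHeKlamd # 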
WaSFhwHLJRIQpfc8sLwOSIBBAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUhx/vdKmXhwc4WiWXbsf0I53h8T8w # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzUwMTgzNjAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AGrJYDUS7s8o0yNprGXRXuAnRcHKxSjFmW4wclcUTYsQZkhnbMwthWM6cAYb/h2W # 5GNKtlmj/y/CThe3y/o0EH2h+jwfU/9eJ0fK1ZO/2WD0xi777qU+a7l8KjMPdwjY # 0tk9bYEGEZfYPRHy1AGPQVuZlG4i5ymJDsMrcIcqV8pxzsw/yk/O4y/nlOjHz4oV # APU0br5t9tgD8E08GSDi3I6H57Ftod9w26h0MlQiOr10Xqhr5iPLS7SlQwj8HW37 # ybqsmjQpKhmWul6xiXSNGGm36GarHy4Q1egYlxhlUnk3ZKSr3QtWIo1GGL03hT57 # xzjL25fKiZQX/q+II8nuG5M0Qmjvl6Egltr4hZ3e3FQRzRHfLoNPq3ELpxbWdH8t # Nuj0j/x9Crnfwbki8n57mJKI5JVWRWTSLmbTcDDLkTZlJLg9V1BIJwXGY3i2kR9i # 5HsADL8YlW0gMWVSlKB1eiSlK6LmFi0rVH16dde+j5T/EaQtFz6qngN7d1lvO7uk # 6rtX+MLKG4LDRsQgBTi6sIYiKntMjoYFHMPvI/OMUip5ljtLitVbkFGfagSqmbxK # 7rJMhC8wiTzHanBg1Rrbff1niBbnFbbV4UDmYumjs1FIpFCazk6AADXxoKCo5TsO # zSHqr9gHgGYQC2hMyX9MGLIpowYCURx3L7kUiGbOiMwaMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 
6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # 
gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGaEwghmdAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAAOuLTVRyFOPVR0AAAAA # A64wDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIHEb # GJPGGbxp2qp+hW8ueI8/dclQYL2yXz7hbt1hdP5CMEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEArRpe6h7VdJvza/HxWLVD+LxLCmzY7813BRBU # wCJUPw+NYLuu5lM6MYXBBHjraSG/gXpW5Ti8qL4z838WK2qIgyCy4lMxpXqaaQ9U # 1ZcwS/AO01oqDG1qodCN8M/IzdmFTLrVG0t1XSxJusMvVYXXreAwBbHJWENj7XuU # z0QvQtPKkMwUSAOCb4Db1awoSCfB12jK1S302eYQFkpeDBu5HlQFFEy1T61TwevY # jNo+grApqR+yPrRQ4ej+fiBtkDBJGuqxwqmjULk8pX4qs0ADnwsJruadKiILW7Ud # 3Xqa4dW4zJO+rew2Vkt2BDdgSjesn4JQjpqNbs2IvO/cvIEtRqGCFyswghcnBgor # BgEEAYI3AwMBMYIXFzCCFxMGCSqGSIb3DQEHAqCCFwQwghcAAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFZBgsqhkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCDvV1/R47tO8KAcdsRtnsxfXvssXMY/lJHq # zfWL1TS/3gIGZdX9o0QZGBMyMDI0MDMwNTA1Mzg1NS40NDZaMASAAgH0oIHYpIHV # MIHSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQL # EyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsT # HVRoYWxlcyBUU1MgRVNOOjNCRDQtNEI4MC02OUMzMSUwIwYDVQQDExxNaWNyb3Nv # ZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIRejCCBycwggUPoAMCAQICEzMAAAHlj2rA # 8z20C6MAAQAAAeUwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTAwHhcNMjMxMDEyMTkwNzM1WhcNMjUwMTEwMTkwNzM1WjCB0jELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # 
HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9z # b2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMg # VFNTIEVTTjozQkQ0LTRCODAtNjlDMzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt # U3RhbXAgU2VydmljZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKl7 # 4Drau2O6LLrJO3HyTvO9aXai//eNyP5MLWZrmUGNOJMPwMI08V9zBfRPNcucreIY # SyJHjkMIUGmuh0rPV5/2+UCLGrN1P77n9fq/mdzXMN1FzqaPHdKElKneJQ8R6cP4 # dru2Gymmt1rrGcNe800CcD6d/Ndoommkd196VqOtjZFA1XWu+GsFBeWHiez/Pllq # cM/eWntkQMs0lK0zmCfH+Bu7i1h+FDRR8F7WzUr/7M3jhVdPpAfq2zYCA8ZVLNgE # izY+vFmgx+zDuuU/GChDK7klDcCw+/gVoEuSOl5clQsydWQjJJX7Z2yV+1KC6G1J # VqpP3dpKPAP/4udNqpR5HIeb8Ta1JfjRUzSv3qSje5y9RYT/AjWNYQ7gsezuDWM/ # 8cZ11kco1JvUyOQ8x/JDkMFqSRwj1v+mc6LKKlj//dWCG/Hw9ppdlWJX6psDesQu # QR7FV7eCqV/lfajoLpPNx/9zF1dv8yXBdzmWJPeCie2XaQnrAKDqlG3zXux9tNQm # z2L96TdxnIO2OGmYxBAAZAWoKbmtYI+Ciz4CYyO0Fm5Z3T40a5d7KJuftF6CTocc # c/Up/jpFfQitLfjd71cS+cLCeoQ+q0n0IALvV+acbENouSOrjv/QtY4FIjHlI5zd # JzJnGskVJ5ozhji0YRscv1WwJFAuyyCMQvLdmPddAgMBAAGjggFJMIIBRTAdBgNV # HQ4EFgQU3/+fh7tNczEifEXlCQgFOXgMh6owHwYDVR0jBBgwFoAUn6cVXQBeYl2D # 9OXSZacbUzUZ6XIwXwYDVR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3Nv # ZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUy # MDIwMTAoMSkuY3JsMGwGCCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1l # LVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUB # Af8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQAD # ggIBADP6whOFjD1ad8GkEJ9oLBuvfjndMyGQ9R4HgBKSlPt3pa0XVLcimrJlDnKG # gFBiWwI6XOgw82hdolDiMDBLLWRMTJHWVeUY1gU4XB8OOIxBc9/Q83zb1c0RWEup # gC48I+b+2x2VNgGJUsQIyPR2PiXQhT5PyerMgag9OSodQjFwpNdGirna2rpV23EU # wFeO5+3oSX4JeCNZvgyUOzKpyMvqVaubo+Glf/psfW5tIcMjZVt0elswfq0qJNQg # oYipbaTvv7xmixUJGTbixYifTwAivPcKNdeisZmtts7OHbAM795ZvKLSEqXiRUjD # YZyeHyAysMEALbIhdXgHEh60KoZyzlBXz3VxEirE7nhucNwM2tViOlwI7EkeU5hu # dctnXCG55JuMw/wb7c71RKimZA/KXlWpmBvkJkB0BZES8OCGDd+zY/T9BnTp8si3 # 
6Tql84VfpYe9iHmy7PqqxqMF2Cn4q2a0mEMnpBruDGE/gR9c8SVJ2ntkARy5Sflu # uJ/MB61yRvT1mUx3lyppO22ePjBjnwoEvVxbDjT1jhdMNdevOuDeJGzRLK9HNmTD # C+TdZQlj+VMgIm8ZeEIRNF0oaviF+QZcUZLWzWbYq6yDok8EZKFiRR5otBoGLvaY # FpxBZUE8mnLKuDlYobjrxh7lnwrxV/fMy0F9fSo2JxFmtLgtMIIHcTCCBVmgAwIB # AgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0 # IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1 # WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCC # AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O # 1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZn # hUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t # 1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxq # D89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmP # frVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSW # rAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv # 231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zb # r17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYcten # IPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQc # xWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17a # j54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQAB # MCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQU # n6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEw # QTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9E # b2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQB # gjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/ # MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJ # 
oEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01p # Y1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYB # BQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9v # Q2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3h # LB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x # 5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74p # y27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1A # oL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbC # HcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB # 9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNt # yo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3 # rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcV # v7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A24 # 5oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lw # Y1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCAtYwggI/AgEBMIIBAKGB2KSB1TCB # 0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMk # TWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1U # aGFsZXMgVFNTIEVTTjozQkQ0LTRCODAtNjlDMzElMCMGA1UEAxMcTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUA942iGuYFrsE4wzWD # d85EpM6RiwqggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAN # BgkqhkiG9w0BAQUFAAIFAOmQ9L8wIhgPMjAyNDAzMDUwOTMyNDdaGA8yMDI0MDMw # NjA5MzI0N1owdjA8BgorBgEEAYRZCgQBMS4wLDAKAgUA6ZD0vwIBADAJAgEAAgFX # AgH/MAcCAQACAhICMAoCBQDpkkY/AgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisG # AQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJKoZIhvcNAQEFBQAD # gYEARv+Zat8RQ/Q/CTZBPsTkeYHbFA87yNcmJhXzljlE+C+kcWR4BZ5w3odi929O # 8oCW330YPXNfVDdy1SzXyzWzbL19fhb+Hi6yrvUbdWjCJUC4eQpydnrfvQMNXnE3 # 
/p+yxUXFSzoLFf8floSIIVXjj+47NMdnYVPe7oMEFSh1e54xggQNMIIECQIBATCB # kzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAeWPasDzPbQLowAB # AAAB5TANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJ # EAEEMC8GCSqGSIb3DQEJBDEiBCB0NuNTnLhAsVwfDh/3tCpTyGj6tJkm79dq/e/T # Y0/8ljCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIBWp0//+qPEYWF7ZhugR # d5vwj+kCh/TULCFvFQf1Tr3tMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg # UENBIDIwMTACEzMAAAHlj2rA8z20C6MAAQAAAeUwIgQg7TUurqmLnW4nNux8BZIc # gn96REHCAGz9RAgs6q4WI6swDQYJKoZIhvcNAQELBQAEggIAqSfB59udJRCrBr3x # pu5IhXyJgc77oMz23m7JglhtLlopiG3JpYf2FNRj3lCKDn82+aeNTNehbKd2vdkn # tKwfS+XvF299ZKIgufCRQIBCDApqpbDLNNfiD3KqTanvngv/AzQrONCiRtqWQ95E # Tq4M+xuwf/RwNh7nOat0eMge76tq+73L9pszLyUjCKLBd1T+mZd2Yd++fpUJsChI # 7v44+aEdVIw2bE39PyQsDpzugfGe+62DQ/5lNAt/mY8fSdQ4ZkrNr/WsXz1Dc/+m # OBKUaOvvdAQBiTPPNs8vYf+IQQD1F32vYq11Oz6XxultbZQFvlnUzAHge8oDt9pG # ht4TdUM1SDGXfY8oK2nIaMiolLqA0QeP5cgPb9qc1gVVsGWhF/ziNRgl+zavNEFG # n3OLGLbfrZv4haOX00BhnHpWtuiBxIW5tb10Gc+kMmqzFPLbyMvOErnvbihR49Dz # 5M2Wo49uJpR4NxitX0PVAWpSHszpVUpIoUyhV0bfR/IK/ap3mHRqS8ntO3NkMvGC # +91bdWD7BGRQkjsjIZ7OOanFKr0v5yqSI2wVdN0lYxZDRR1CdqK+rbxrMConoSFx # cMKA0SS3QBCLzsHap3MiybAXIjkGGLLsqn+pF2ZmbYdu0TCqR/6RrRh76Xuu2sRM # KwL8DeuI01FsljOHZBDztd65WzA= # SIG # End signature block |