Private/AzStackHci.Connectivity.Helpers.ps1

# ////////////////////////////////////////////////////////////////////////////
# Strict Mode v1 (PS 5.1 safe) - surfaces reads of uninitialised variables at runtime.
Set-StrictMode -Version 1.0

# Function to test version of PowerShell
# This function checks the version of PowerShell and returns an error if the version is greater than 5.1.x
Function Test-PowerShellVersion5 {
    param
    (
        [Parameter(Mandatory = $false)]
        [bool]$NoVerboseOutput = $false
    )

    begin {
        # Check if the PowerShell version is 5.1.x
        $versionMaximum = [version]'5.1.99999.999'
        # Get the PowerShell version from the PSVersionTable
        $PowerShellVersion = [version]$PSVersionTable.PSVersion
    }

    process {
        # Compare the PowerShell version with the maximum version
        if($PowerShellVersion -gt $versionMaximum) {
            # PowerShell version is greater than 5.1.x, return an error
            if(-not($NoVerboseOutput)){
                Write-Verbose "PowerShell version $($PSVersionTable.PSVersion.ToString()) detected."
            }
            # $PowerShell5 = $false
            $PowerShell5 = $false
        } else {
            # PowerShell version is 5.1.x or lower, continue
            if(-not($NoVerboseOutput)){
                Write-Verbose "PowerShell version $($PSVersionTable.PSVersion.ToString()) detected."
            }
            # $PowerShell5 = $true
            $PowerShell5 = $true
        }
    } # End of process block

    end {
        # Write-Debug "Completed Test-PowerShellVersion5 function"
        return $PowerShell5
    }
}



# ////////////////////////////////////////////////////////////////////////////
# Classify a single connectivity result row into a stable, machine-readable
# category (v0.6.7). Lets integrators branch on $row.ResultCategory instead of
# brittle free-text matching on $row.Note (e.g. the old config-gap heuristic
# -match 'WAS NOT USED|REQUIRED TO SPECIFY').
#
# Categories (mutually exclusive, evaluated in priority order):
# ConfigGap - a required parameter placeholder (e.g. -KeyVaultURL) was left
# unsubstituted, so the row carries the 'WAS NOT USED' /
# 'REQUIRED TO SPECIFY' Note marker. This is a setup/input gap,
# NOT a real network fault.
# PrivateLink - the endpoint resolved to an RFC1918 private IP (Private Link).
# SSLInspected - an untrusted certificate chain was seen (possible SSL inspection).
# Skipped - the endpoint was never tested. Covers (a) Arc-Gateway skip rows and
# skip-list rows (Layer7Status/TCPStatus literally 'Skipped'), and
# (b) untested wildcard-parent placeholder rows whose Layer7Status is
# still the initial EMPTY string because they never entered the
# DNS/TCP/Layer7 test loop. (A genuinely tested row ALWAYS ends with a
# non-empty Layer7Status - Success / Failed / N/A / 'Invalid port:' -
# so an empty/whitespace value unambiguously means "not tested".)
# Success - Layer7Status reported Success.
# ConnectivityFailure - any other terminal state where a test ran and did not pass
# (Failed, or N/A from a DNS-resolution failure, or 'Invalid port:').
#
# Precedence rationale: the three "diagnostic" categories (ConfigGap, PrivateLink,
# SSLInspected) describe WHY a row is special and are evaluated ahead of the generic
# Success / ConnectivityFailure split, because such rows usually ALSO carry
# Layer7Status='Failed' which would otherwise mask the real cause.
#
# NOTE on CRL/OCSP revocation-offline rows: these keep Layer7Status='Failed' + a
# '- CRL/OCSP unreachable' Layer7Response marker and are DELIBERATELY left as
# ConnectivityFailure here (NOT given their own category) to keep the ResultCategory
# enum stable for consumers. The run-level signal for them is the CRLOfflineDetected /
# CRLOfflineURLs container NoteProperties on the returned ArrayList (and JSON summary),
# mirroring how SSL inspection is ALSO surfaced as a container array - integrators that
# want to treat revocation-offline as a softer WARNING branch on those fields.
Function Get-ConnectivityResultCategory {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory = $true)]
        [psobject]$Row,

        # Run-level detection lists. Publish-Results passes a snapshot of the module-scope
        # state ($script:SSLInspectedURLs / $script:PrivateLinkDetectedArray); unit tests
        # pass synthetic lists. Default to empty so the helper is fully self-contained.
        [AllowNull()]
        [string[]]$SSLInspectedURLs = @(),

        [AllowNull()]
        [string[]]$PrivateLinkURLs = @()
    )

    # Bare property reads are safe under StrictMode v1.0 (it throws only on uninitialised
    # VARIABLES, not absent object properties); cast to [string] to coalesce $null to ''.
    $note = [string]$Row.Note
    $url  = [string]$Row.URL
    $l7   = [string]$Row.Layer7Status
    $tcp  = [string]$Row.TCPStatus

    # URL normalisation for the detection-list lookups (steps 2 & 3). The two run-level arrays
    # store the URL in DIFFERENT shapes:
    # * $script:PrivateLinkDetectedArray stores the bare result-row .URL (host[/path]) - it is
    # populated by matching $_.URL in Test-AzureLocalConnectivity, so it already aligns.
    # * $script:SSLInspectedURLs stores the SCHEME-PREFIXED request URL ('https://host/path')
    # because Test-Layer7Connectivity adds the value it actually requested.
    # The result-row .URL is the bare host+path with no scheme, so a raw -contains against the
    # SSL list silently MISSES (an SSL-inspected row then falls through to ConnectivityFailure).
    # Strip a leading http(s):// and any trailing '/' from BOTH the row URL and every list entry
    # so the comparison is scheme- and trailing-slash-insensitive. (-contains is already
    # case-insensitive for strings.)
    $normalizeUrl = { param($u) (([string]$u) -replace '^\s*https?://', '').TrimEnd('/') }
    $urlNorm = & $normalizeUrl $url
    $sslNorm = @(@($SSLInspectedURLs) | ForEach-Object { & $normalizeUrl $_ })
    $plNorm  = @(@($PrivateLinkURLs)  | ForEach-Object { & $normalizeUrl $_ })

    # 1. Config gap — required parameter placeholder was never substituted.
    if ($note -match 'WAS NOT USED|REQUIRED TO SPECIFY') { return 'ConfigGap' }

    # 2. Private Link — endpoint resolved to an RFC1918 address.
    if ($plNorm -and ($plNorm -contains $urlNorm)) { return 'PrivateLink' }

    # 3. SSL inspection — untrusted certificate chain observed (possible TLS interception).
    # Two signals, set in lockstep upstream (AzStackHci.Layer7.Helpers.ps1); either is authoritative:
    # (a) the bare row URL appears in the run-level $script:SSLInspectedURLs snapshot, OR
    # (b) the row's own Layer7Response carries the '- SSL Inspection detected' marker.
    # (b) is read straight off the row, so it survives any URL-shape drift between the snapshot
    # (which stores the scheme-prefixed REQUEST url, possibly a redirect target) and the row's
    # .URL field. A CRL/OCSP-offline row is reclassified away from this marker upstream, so it
    # correctly does NOT match here and stays a ConnectivityFailure.
    $l7Response = [string]$Row.Layer7Response
    if (($sslNorm -and ($sslNorm -contains $urlNorm)) -or ($l7Response -match 'SSL Inspection detected')) { return 'SSLInspected' }

    # 4. Skipped / not-tested. Three cases:
    # (a) Arc-Gateway / skip-list rows -> TCPStatus or Layer7Status literally 'Skipped'.
    # (b) Untested wildcard-parent / placeholder rows that never entered the test loop
    # -> Layer7Status is still the initial EMPTY string. A tested row always has a
    # non-empty Layer7Status, so empty/whitespace here means "never tested", NOT a
    # failure. Guard with -not IsNullOrWhiteSpace($note) is unnecessary because the
    # ConfigGap Note marker is already handled at step 1 above.
    if (($tcp -like 'Skipped*') -or ($l7 -eq 'Skipped') -or [string]::IsNullOrWhiteSpace($l7)) { return 'Skipped' }

    # 5. Success.
    if ($l7 -eq 'Success') { return 'Success' }

    # 6. Everything else is a terminal connectivity failure (Failed / N/A / 'Invalid port:').
    return 'ConnectivityFailure'
}



# ////////////////////////////////////////////////////////////////////////////
# This function converts a hashtable to a string representation
Function Convert-HashTableToString {

    param
    (
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $HashTable
    )

    begin {
        # Write-Verbose "Starting Convert-HashTableToString function"
    }

    process {
        $HashString = "@{"
        $Keys = $HashTable.keys
        foreach ($Key in $Keys)
        {
            $v = $HashTable[$key]
            if ($key -match "\s")
            {
                $HashString += "`"$key`"" + "=" + "`"$v`"" + ";"
            }
            else
            {
                $HashString += $key + "=" + "`"$v`"" + ";"
            }
        }
        $HashString += "}"

    } # End of process block

    end {
        # Write-Debug "Completed Convert-HashTableToString function"
        return $HashString
    }
}



# ////////////////////////////////////////////////////////////////////////////
# Function to extract domains from URLs
Function Get-DomainFromURL {
    param (
        [string]$url
    )

    begin {
        # Write-Verbose "Starting Get-DomainFromURL function"
    }

    process {
        # Remove the protocol (http:// or https://) and extract the domain and port
        $url = $url -replace "^https?://", ""
        # Check if the URL contains a port number
        # If the URL contains a port number, extract it
        if ($url -match ":(\d+)$") {
            $port = [int]($url -replace ".*:(\d+)$", '$1')
            $url = $url -replace ":(\d+)$", ""
        } else {
            $port = $null
        }
        $domain = $url -split '/' | Select-Object -First 1
        return @{ Domain = $domain; Port = $port }
    }

    end {
        # Write-Debug "Completed Get-DomainFromURL function"
    }
}


# ////////////////////////////////////////////////////////////////////////////
# Helper function to normalize URL with protocol based on port
# This is a private helper function for Test-Layer7Connectivity
Function Initialize-WebRequestUrl {
    param (
        [Parameter(Mandatory=$true)]
        [string]$url,
        [Parameter(Mandatory=$true)]
        [int]$port
    )

    # Check if the port is 80 for HTTP or port 443, 8084 or 8443 for HTTPS and update the URL accordingly
    if ($port -eq $script:PORT_HTTPS -or $port -eq $script:PORT_HTTPS_ALT1 -or $port -eq $script:PORT_HTTPS_ALT2) {
        if($url -notmatch "^https://") {
            # If the URL does not start with https://, add it
            $url = "https://$url"
        }
    } elseif($port -eq $script:PORT_HTTP) {
        if($url -notmatch "^http://") {
            # If the URL does not start with http://, add it
            $url = "http://$url"
        }
    } else {
        # For custom ports, use http as the default
        if($url -notmatch "^http") {
            Write-Verbose "Custom port $port detected, using http as the default"
            $url = "http://$url"
        }
    }

    return $url
}


# ////////////////////////////////////////////////////////////////////////////
# Helper function to register a redirected URL into the RedirectedResults array
# Prevents duplicates by checking both RedirectedResults and Results arrays.
# Called from the redirect-handling section of Test-Layer7Connectivity.
Function Add-RedirectedUrlToResults {
    param (
        [Parameter(Mandatory=$true)]
        [string]$RedirectedURL,

        [Parameter(Mandatory=$true)]
        [string]$FullRedirectUrl,

        [Parameter(Mandatory=$true)]
        [int]$DestinationPort,

        [Parameter(Mandatory=$true)]
        [string]$OriginalURL,

        [Parameter(Mandatory=$true)]
        [int]$OriginalPort
    )

    Write-HostAzS "Redirected to '$FullRedirectUrl'" -ForegroundColor Yellow

    # Update the Note on the original result to show the redirect target (only if not already set)
    $ResultsToUpdate = $script:Results | Where-Object { $_.url -eq $OriginalURL -and ($_.Port -eq $OriginalPort) }
    ForEach ($ResultToUpdate in $ResultsToUpdate) {
        if (-not($ResultToUpdate.Note -like "Redirects to *")) {
            if ($ResultToUpdate.Note) {
                $ResultToUpdate.Note = "Redirects to '$($RedirectedURL)' - $($ResultToUpdate.Note)"
            } else {
                $ResultToUpdate.Note = "Redirects to '$($RedirectedURL)'"
            }
        }
    }

    if ([string]::IsNullOrWhiteSpace($RedirectedURL)) {
        Write-Warning "Redirected URL is null for $FullRedirectUrl, skipping"
        return
    }

    # Check if the URL already exists in the Results array
    [bool]$RedirectExistsInResults = $false
    ForEach ($result in $script:Results) {
        if ((Get-DomainFromURL -url $result.url).Domain -eq $RedirectedURL -and ($result.Port -eq $DestinationPort)) {
            Write-Debug "Redirected URL already exists in Results array, skipping"
            $RedirectExistsInResults = $true
            break
        }
    }

    # Add to RedirectedResults if it doesn't already exist in either array
    # Note: -notcontains works correctly on an empty @() array, no special first-entry handling needed
    if (($script:RedirectedResults.url -notcontains $RedirectedURL) -and (-not($RedirectExistsInResults))) {
        $OriginalResult = $script:Results | Where-Object { ((Get-DomainFromURL -url $_.URL).Domain -eq (Get-DomainFromURL -url $OriginalURL).Domain) -and ($_.Port -eq $OriginalPort) } | Select-Object -First 1
        $script:RedirectedResults.Add([PSCustomObject]@{
            RowID = 0
            MachineName = $env:COMPUTERNAME
            url = $RedirectedURL
            redirect = $FullRedirectUrl
            Port = $DestinationPort
            ArcGateway = $false
            IsWildcard = $false
            Source = "Redirect for $($OriginalResult.Source)"
            Note = "Redirected URL from $($OriginalURL) - $($OriginalResult.Note)"
            TCPStatus = ""
            IPAddress = ""
            Layer7Status = ""
            Layer7Response = ""
            Layer7ResponseTime = ""
            CertificateSubject = ""
            CertificateIssuer = ""
            CertificateThumbprint = ""
            IntermediateCertificateIssuer = ""
            IntermediateCertificateSubject = ""
            IntermediateCertificateThumbprint = ""
            RootCertificateIssuer = ""
            RootCertificateSubject = ""
            RootCertificateThumbprint = ""
        }) | Out-Null
        Write-Debug "Added $($script:RedirectedResults[-1]) to RedirectedResults array"
    } else {
        Write-Debug "Redirected URL $RedirectedURL already exists in RedirectedResults or Results array, skipping"
    }
}


# ////////////////////////////////////////////////////////////////////////////
# Helper function to register a CRL / OCSP dependency URL as its own row in
# $script:Results. Called when Get-Layer7CertificateDetails classifies an HTTPS
# endpoint as "CRL/OCSP unreachable" (trusted chain, revocation offline).
#
# Dedupe strategy (two tiers):
# - OCSP: skip if ANY existing row already covers the same host+port=80
# (the OCSP protocol uses a single host, so host match = full coverage)
# - CRL: fall through to exact-URL match — different .crl files on the same
# host can be blocked independently by path-based proxy filtering
# When an identical URL was already added by a previous parent, the existing
# row's Source is extended to list both parents.
#
# Rows are appended directly to $script:Results with Layer7Status = "" so the
# existing remainingUrls loop in Test-AzureLocalConnectivity picks them up and
# tests them as first-class endpoints.
Function Add-CrlDependencyRowToResults {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][ValidateSet('CRL','OCSP')][string]$Kind,
        [Parameter(Mandatory=$true)][string]$DependencyURL,
        [Parameter(Mandatory=$true)][string]$ParentURL
    )

    if ([string]::IsNullOrWhiteSpace($DependencyURL)) { return }
    $parentDomain = (Get-DomainFromURL -url $ParentURL).Domain
    $depDomain    = (Get-DomainFromURL -url $DependencyURL).Domain
    if ([string]::IsNullOrWhiteSpace($depDomain)) {
        Write-Debug "Add-CrlDependencyRowToResults: cannot parse domain from '$DependencyURL', skipping"
        return
    }

    # Tier 1 — dedupe against existing rows
    if ($Kind -eq 'OCSP') {
        # Host-level dedupe is sufficient for OCSP (single-host protocol)
        $existing = $script:Results | Where-Object {
            ((Get-DomainFromURL -url $_.URL).Domain -eq $depDomain) -and ($_.Port -eq $script:PORT_HTTP)
        } | Select-Object -First 1
        if ($existing) {
            Write-Debug "Add-CrlDependencyRowToResults: OCSP host '$depDomain' already in Results (row URL '$($existing.URL)'), skipping duplicate"
            return
        }
    } else {
        # CRL — exact URL dedupe (different .crl paths on same host can be independently blocked)
        $existingSame = $script:Results | Where-Object {
            ($_.URL -eq $DependencyURL) -and ($_.Port -eq $script:PORT_HTTP)
        } | Select-Object -First 1
        if ($existingSame) {
            # Same CRL URL already added — extend Source to reflect shared parent
            if ($existingSame.Source -notmatch [regex]::Escape($parentDomain)) {
                $existingSame.Source = "$($existingSame.Source); $parentDomain"
            }
            Write-Debug "Add-CrlDependencyRowToResults: CRL URL '$DependencyURL' already present — appended parent '$parentDomain' to Source"
            return
        }
    }

    # Tier 2 — append new row (Layer7Status="" so the remaining-URLs loop tests it)
    $sourcePrefix = if ($Kind -eq 'CRL') { 'CRL dependency for' } else { 'OCSP dependency for' }
    $script:Results.Add([PSCustomObject]@{
        RowID = 0
        MachineName = $env:COMPUTERNAME
        URL = $DependencyURL
        Port = $script:PORT_HTTP
        ArcGateway = $false
        IsWildcard = $false
        Source = "$sourcePrefix $parentDomain"
        Note = "Required for certificate revocation check of https://$parentDomain (HTTP port 80 must be reachable)"
        TCPStatus = ""
        IPAddress = ""
        Layer7Status = ""
        Layer7Response = ""
        Layer7ResponseTime = ""
        CertificateIssuer = ""
        CertificateSubject = ""
        CertificateThumbprint = ""
        IntermediateCertificateIssuer = ""
        IntermediateCertificateSubject = ""
        IntermediateCertificateThumbprint = ""
        RootCertificateIssuer = ""
        RootCertificateSubject = ""
        RootCertificateThumbprint = ""
    }) | Out-Null
    Write-Debug "Add-CrlDependencyRowToResults: appended $Kind dependency row '$DependencyURL' for parent '$parentDomain'"
}


# ////////////////////////////////////////////////////////////////////////////
# Helper function to initialize ServerCertificateValidationCallback for SSL bypass
# This is a private helper function for Test-Layer7Connectivity
Function Initialize-CertificateCallback {
    # IMPORTANT: This sets a PROCESS-WIDE callback on ServicePointManager.ServerCertificateValidationCallback
    # that accepts all certificates. This is intentional — the module needs to connect to endpoints even when
    # SSL inspection replaces certificates, so it can detect and report SSL inspection to the user.
    # The callback is reset to $null in the end block of Test-Layer7Connectivity and Test-AzureLocalConnectivity.

    # Check if ServerCertificateValidationCallback class is already defined
    if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type) {
        # Define the ServerCertificateValidationCallback class
        # This class is used to bypass SSL certificate validation, to allow for SSL inspection detection
        $CertCallback = @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class ServerCertificateValidationCallback
{
    public static void Ignore()
    {
        if(ServicePointManager.ServerCertificateValidationCallback == null)
        {
            ServicePointManager.ServerCertificateValidationCallback +=
                delegate
                (
                    Object obj,
                    X509Certificate certificate,
                    X509Chain chain,
                    SslPolicyErrors errors
                )
                {
                    return true;
                };
        }
    }
}
"@

        Add-Type $CertCallback
    }
    # Call the Ignore method to bypass SSL certificate validation.
    # PRECONDITION: the C# Ignore() only installs the accept-all delegate when
    # ServicePointManager.ServerCertificateValidationCallback is currently $null. If the
    # caller (or another loaded module) already set a callback, the bypass is NOT installed,
    # so SSL-inspection detection can be inconsistent in shared sessions. The caller
    # (Test-Layer7Connectivity / Test-AzureLocalConnectivity) captures and restores the
    # original callback in its finally block, so this never leaks across function calls.
    [ServerCertificateValidationCallback]::Ignore()
}


# ////////////////////////////////////////////////////////////////////////////
# Helper to set all connectivity result fields on a URL object to skip/N/A values.
# Used when a URL is skipped, wildcarded, or DNS resolution fails.
Function Set-UrlObjectSkipFields {
    param(
        [Parameter(Mandatory)][PSCustomObject]$UrlObject,
        [Parameter(Mandatory)][string]$TCPStatus,
        [Parameter(Mandatory)][string]$Layer7Status,
        [string]$IPAddress = "N/A",
        [string]$Layer7Response = "N/A",
        [string]$Layer7ResponseTime = "N/A"
    )
    $UrlObject.TCPStatus = $TCPStatus
    $UrlObject.IPAddress = $IPAddress
    $UrlObject.Layer7Status = $Layer7Status
    $UrlObject.Layer7Response = $Layer7Response
    $UrlObject.Layer7ResponseTime = $Layer7ResponseTime
    $UrlObject.CertificateIssuer = "N/A"
    $UrlObject.CertificateSubject = "N/A"
    $UrlObject.CertificateThumbprint = "N/A"
    $UrlObject.IntermediateCertificateIssuer = "N/A"
    $UrlObject.IntermediateCertificateSubject = "N/A"
    $UrlObject.IntermediateCertificateThumbprint = "N/A"
    $UrlObject.RootCertificateIssuer = "N/A"
    $UrlObject.RootCertificateSubject = "N/A"
    $UrlObject.RootCertificateThumbprint = "N/A"
}


# ////////////////////////////////////////////////////////////////////////////
# Helper to copy connectivity test results from an Invoke-EndpointConnectivityTest
# result hashtable to a URL result object.
Function Copy-ConnectivityResultsToUrlObject {
    param(
        [Parameter(Mandatory)][PSCustomObject]$UrlObject,
        [Parameter(Mandatory)][hashtable]$TestResult
    )
    $UrlObject.TCPStatus = $TestResult.TCPStatus
    $UrlObject.IPAddress = $TestResult.IPAddress
    $UrlObject.Layer7Status = $TestResult.Layer7Status
    $UrlObject.Layer7Response = $TestResult.Layer7Response
    $UrlObject.Layer7ResponseTime = $TestResult.Layer7ResponseTime
    $UrlObject.CertificateIssuer = $TestResult.CertificateIssuer
    $UrlObject.CertificateSubject = $TestResult.CertificateSubject
    $UrlObject.CertificateThumbprint = $TestResult.CertificateThumbprint
    $UrlObject.IntermediateCertificateIssuer = $TestResult.CertificateIntermediateIssuer
    $UrlObject.IntermediateCertificateSubject = $TestResult.CertificateIntermediateSubject
    $UrlObject.IntermediateCertificateThumbprint = $TestResult.CertificateIntermediateThumbprint
    $UrlObject.RootCertificateIssuer = $TestResult.CertificateRootIssuer
    $UrlObject.RootCertificateSubject = $TestResult.CertificateRootSubject
    $UrlObject.RootCertificateThumbprint = $TestResult.CertificateRootThumbprint
}

# SIG # Begin signature block
# MIInSQYJKoZIhvcNAQcCoIInOjCCJzYCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCybchw9R9jtISC
# zEOgNrqloiACmuuhyEiZ/LXInUvN66CCDLowggX1MIID3aADAgECAhMzAAACHU0Z
# yE7XD1dIAAAAAAIdMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBD
# b2RlIFNpZ25pbmcgUENBIDIwMjQwHhcNMjYwNDE2MTg1OTQzWhcNMjcwNDE1MTg1
# OTQzWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYD
# VQQDExVNaWNyb3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB
# DwAwggEKAoIBAQDQvewXxx9gZZFC6Ys1WBay8BJ8kGA4JQnH5CMafqOASlTpK9H8
# o5ZXTXt0caVQTNMUPt445wXYD+dFtaKWTwDn1I52oUSrC9vJin1Gsqt+zyKJL5Dg
# 3eQXbQNR61DmMy20GLTIO3SFed9Rfi/ophgCLGFLDR3r0KvHjwMb/jYWS0celV/4
# Lz27LfAekm8v9E5IXaeiXbAUYZKK090n4CVl3JBtbN+9DtI9SNu/yjvozW52/u7R
# X/Ttpa/KDlpuokZ+Zcbvmtd9ur9gFLvZzh41o9MsE/clQtdaFWGvuo6Jua/ntpgk
# ey3E5/vBFe+MJPG6phdnuo6r57ZudCudiI1bAgMBAAGjggGbMIIBlzAOBgNVHQ8B
# Af8EBAMCB4AwHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0O
# BBYEFH6QuMwqcPG0hQlQ6c5jCtTTLrVeMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQL
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAxMis1MDc1NTkw
# HwYDVR0jBBgwFoAUf1k/VCHarU/vBeXmo9ctBpQSCDEwYAYDVR0fBFkwVzBVoFOg
# UYZPaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0
# JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNybDBtBggrBgEFBQcBAQRh
# MF8wXQYIKwYBBQUHMAKGUWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv
# Y2VydHMvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNy
# dDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQBKTbYOjzwTG/DXGaz9
# s6+fQeaTtDcFmMY+5UyVFCyj7Pv+5i37qfX8lSL/tBIfYQfWsMuBQlfZurJD6r4H
# VJ2CeH+1fgiq8dcHdVKoZ3Sa2qXoX3cq9iS8cVb06B7+5/XJ7I0OxHH9fDsvJ3T3
# w5V/ZtAIFmLrl+P0CtG+92uzRsn0nTbdFjOkLMLWPLAU3THohKRlSEMgFJpPkm5n
# 5UAZ35xX6FWCrDLsSKb555bTifwa8mJBwdlof0bmfYidH+dxZ1FdDxvLnNl9zeKs
# A4kejaaIqqIPguhwAti5Ql7BlTNoJNwxCvBmqW2MQLnCkYN/VVUsR3V2x/rcTNzo
# Bf/Z/SpROvdaA2ZOOd1uioXJt3tdLQ7vHpqpib0KfWr/FWXW10q38VxfCnRQBqzb
# SuztR7nEMuzX7Ck+B/XaPDXd1qh72+QYyB0Z2VzWmO9zsnb9Uq/dwu8LGeQqnyu6
# 7SDGACvnXii2fb9+US492VTnXSnFKyqwgzUyFMtZK1/sHYTv6bG4TtQUygQxTN+Z
# V+aJIlKO2MqZ7bKrAnOzS9m6NgoTdWOq11bTOZwKlIEV/EhV9SWkDmdpR/hPPT2v
# 6TEj4F8PT/zHjRezIU5c/DGlt/VhY/pK0XkJtEyMmmS1BMtjU/rqBZVMIm3dnxQs
# /TBByr+Cf8Z1r7aifQVQ+WSqzjCCBr0wggSloAMCAQICEzMAAAA5O7Y3Gb8GHWcA
# AAAAADkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX
# YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg
# Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl
# IEF1dGhvcml0eSAyMDExMB4XDTI0MDgwODIwNTQxOFoXDTM2MDMyMjIyMTMwNFow
# VzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEo
# MCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAyNDCCAiIwDQYJ
# KoZIhvcNAQEBBQADggIPADCCAgoCggIBANgBnB7jOMeqlRYHNa265v4IY9fH8TKh
# emHfPINe1gpLaV3dhg324WwH06LcHbpnsBukCDNitryo0dtS/EW6I/yEL/bLSY8h
# KpbfQuWusBPr9qazYcDxCW/qnjb5JsI1s8bNOg3bVATvQVL4tcf03aTycsz8QeCd
# M0l/yHRObJ9QqazM1r6VPEOJ7LL+uEEb73w6QCuhs89a1uv1zerOYMnsneRRwCbp
# yW11IcggU0cRKDDq1pjVJzIbIF6+oiXXbReOsgeI8zu1FyQfK0fVkaya8SmVHQ/t
# Of23mZ4W9k0Ri22QW9p3UgSC5OUDktKxxcCmGL6tXLfOGSWHIIV4YrTJTT6PNty5
# REojHJuZHArkF9VnHTERWoTjAzfI3kP+5b4alUdhgAZ7ttOu1bVnXfHaqPYl2rPs
# 20ji03LOVWsh/radgE17es5hL+t6lV0eVHrVhsssROWJuz2MXMCt7iw7lFPG9LXK
# Gjsmonn2gotGdHIuEg5JnJMJVmixd5LRlkmgYRZKzhxSCwyoGIq0PhaA7Y+VPct5
# pCHkijcIIDm0nlkK+0KyepolcqGm0T/GYQRMhHJlGOOmVQop36wUVUYklUy++vDW
# eEgEo4s7hxN6mIbf2MSIQ/iIfMZgJxC69oukMUXCrOC3SkE/xIkgpfl22MM1itkZ
# 35nNXkMolU1lAgMBAAGjggFOMIIBSjAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGC
# NxUBBAMCAQAwHQYDVR0OBBYEFH9ZP1Qh2q1P7wXl5qPXLQaUEggxMBkGCSsGAQQB
# gjcUAgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU
# ci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2Ny
# bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0MjAx
# MV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRSMFAwTgYIKwYBBQUHMAKGQmh0
# dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx
# MV8yMDExXzAzXzIyLmNydDANBgkqhkiG9w0BAQwFAAOCAgEAFJQfOChP7onn6fLI
# MKrSlN1WYKwDFgAddymOUO3FrM8d7B/W/iQ6DxXsDn7D5W4wMwYeLystcEqfkjz4
# NURRgazyMu5yRzQh4LqjA4tStTcJh1opExo7nn5PuPBYnbu0+THSuVHTe0VTTPVh
# ily/piFrDo3axQ9P4C+Ol5yet+2gTfekICS5xS+cYfSIvgn0JksVBVMYVI5QFu/q
# hnLhsEFEUzG8fvv0hjgkO+lkpV9ty6GkN4vdnd7ya6Q6aR9y34aiM1qmxaxBi6OU
# nyNl6fkuun/diTFnYDLTppOkr/mg5WSfCiDVMNCxtj4wPKC5OmHm1DQIt/MNokbb
# H3UGsFP1QbzsLocuSqLCvH09Io3fDPTmscR9Y75G4qX7RTX8AdBPo0I6OEojf39z
# uFZt0qOHm65YWQE69cZM2ueE1MB05dNNgHK9gTE7zKvK/fg8B2qjW88MT/WF5V5u
# vZGtqa9FSL2RazArA+rDPuf6JGYz4HpgMZHB4S6szWSKYBv0VisCzfxgeU+dquXW
# 9bd0auYlOB58DPcOYKdc3Se94g+xL4pcEhbB54JOgAkwYTu/9dLeH2pDqeJZAABV
# DWRQCaXfO5LgyKwKCLYXpigrZYCjUSBcr+Ve8PFWMhVTQl0v4q8J/AUmQN5W4n10
# 1cY2L4A7GTQG1h32HHAvfQESWP0xghnlMIIZ4QIBATBuMFcxCzAJBgNVBAYTAlVT
# MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jv
# c29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMjQCEzMAAAIdTRnITtcPV0gAAAAAAh0w
# DQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYK
# KwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEINBh7+aR
# cSUOTcS396NkbuSZRFiQQ8b3/H8HyTcMZsEPMEIGCisGAQQBgjcCAQwxNDAyoBSA
# EgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20w
# DQYJKoZIhvcNAQEBBQAEggEAa3imjexmztTUVcF0nIMBiiR4x4+NkF9t+RKG1/9H
# F6MCqzYP1ZCHDpGWa7u5PhsnYEuZkMjkveYbNIvAl2RAptxumonjZig8U0t8nCIR
# oTIKWDu8oMv7mOnzr2hNZJXLTbyT+UbAAuEAn6d22NZftqldz8wLB+fMdJUw1avv
# mDXD8uyu1e1pLF9by5X6tQuIK0u+ycm0uH7dJs8I2Gs/UwLziHskX5edYZ7LVJSX
# bWmQg1YXLVVOaWnLTr+pe2gHzTvXqDd41MeZkMcR1ki1SpaHSaMdCpHpz+h9yZ+2
# 6VMeGjA/G8yV9FaIVcsmQPTgNA+bxzFfdf7uVKeHPUQzCaGCF5cwgheTBgorBgEE
# AYI3AwMBMYIXgzCCF38GCSqGSIb3DQEHAqCCF3AwghdsAgEDMQ8wDQYJYIZIAWUD
# BAIBBQAwggFSBgsqhkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoD
# ATAxMA0GCWCGSAFlAwQCAQUABCB4w0jI5qXfr8A7d2gvvLe8NHug3jCnytL4qypL
# zfCTtQIGajE3aNXVGBMyMDI2MDcwNzE2NTYzMi45NDFaMASAAgH0oIHRpIHOMIHL
# MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk
# bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxN
# aWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRT
# UyBFU046QTQwMC0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0
# YW1wIFNlcnZpY2WgghHtMIIHIDCCBQigAwIBAgITMwAAAijwpYfX88geQAABAAAC
# KDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
# Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
# cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAe
# Fw0yNjAyMTkxOTQwMDZaFw0yNzA1MTcxOTQwMDZaMIHLMQswCQYDVQQGEwJVUzET
# MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
# TWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmlj
# YSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046QTQwMC0wNUUw
# LUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIi
# MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCujvbk/sqcCSReZaJfCuf1NwRc
# c7XknhE6wkLofkNj1mxEAg35qy2xcFjgjartVvA09W8QHcpyMqVSXOTxNHJsmk0q
# P2CDLvUAulWg7aS5oBORpEX1oz3n0R2nPqeH0IHK1zJxjxaHW21AbuZ0Z+wM3WYN
# zkBlcHmVe03ZG7rlk28h72r5P5ME8FGpFmYW5Hl7psKbgLEfrYAitpttsb+sZsBU
# I+hMKl4uLJYotKyZv1ewOIinBfRU8QosivjofaBezUf9NdV+iGrWh321WnSsK3A/
# Jl6GLtbSWXcJWULgbxuqnobPK+YlB3174TMWTgX4YWjG7o0Otz/pjHNCKBbB788d
# ynhLdGY6B08E9+4SGrRpsty4iJHOydHCA5M4i5yYRwsdut+gmvxIpT8yNXJcjJCg
# 0vO8mv/nFY9Wytv2qmCtCFFivGUWqU20/sUeRooQZGiQOJQn095Cj3isIsvRP8KU
# 7hN/EDI8HVsb/NPzMFLvRznrRnj0TOnDiOTUcnYwmk+XfoS1owskcCCCwHnbC00D
# 58z83y7K5ZJB745hcn4CE2nR3e6RGsr42y5qtt6Mdz/s7MTnDS2UmVHWX1X/HZe3
# UlX8gj/t63L50xIPqkRCBEdM1ADNUaSfo9OQiKb/bj1diZCGTfEDUBBLop1mhkwI
# F82faplV2busZ+U4kQIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFKrJpYz48tzouvVk
# BVthASFpQ93DMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1Ud
# HwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3Js
# L01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggr
# BgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNv
# bS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIw
# MTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgw
# DgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQCQ6NfLmrRahgVtgWg3
# 83GaS07fHyod6bhcUONt2tet+6BaNuH0r7ABkVHheOpxBdrUrOEYVEaIii9dK3cu
# ZLNmp1iUAx/VbmOZYl7xz+tNrjCWqrg1jQmq0oRB8iE4QJpwNhGP67oY5huYIU0D
# 4lhDoahqfgKJn/0Bk+9UKDPw5XlUYmreFmJlj9YQzcPPep8MxBXxh/Y5I7vQeRaW
# 5SjtiLQOLRk3ggvraDs5Sf49MJV6/BwxXC2rvUfEFX6SUDooqKIE9NgVIRq0RZu7
# Ot0i0Is+HvPP0hB6KwOxMg1SWKOfTtFpWpdo8MJvgKCHkPpXEzgprP+pyIHuO7gV
# RlSTsbYBFLh2yId/itM4uYL0R+2SSBBTpSSRthrGuEmElI5BCHMxzMg/oqHSPwZA
# IAkM2C4xxi0St7qMuA+m+ZzFYkfoF41QoSJn+HjqhqWYQ0m/SO9/KnJRJJUwMd5T
# iMnjZ+E/DJiUry5udiWyQpvfj2hQFI0djhahoAXDazeEciLF2uEnTur9UfjcwOun
# /oMY+ULftnOi2jKLMrreV097akzz/JxpnDgYJU/tgU7fQflg7IqiL9+0276+joQH
# o21mVeY5YD8Kh/kUaY6Jm/OTM88G7evTz/qnRumxovTjMStvpbAHNRhmSTdIPTV3
# 2CyuxDKS/V5a5iwA+f9ViBo+wjCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkA
# AAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX
# YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg
# Q29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRl
# IEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVow
# fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
# ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMd
# TWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUA
# A4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX
# 9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1q
# UoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8d
# q6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byN
# pOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2k
# rnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4d
# Pf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgS
# Uei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8
# QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6Cm
# gyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzF
# ER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQID
# AQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQU
# KqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1
# GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0
# dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0
# bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA
# QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbL
# j+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1p
# Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0w
# Ni0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIz
# LmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwU
# tj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN
# 3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU
# 5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5
# KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGy
# qVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB6
# 2FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltE
# AY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFp
# AUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcd
# FYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRb
# atGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQd
# VTNYs6FwZvKhggNQMIICOAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzAR
# BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
# Y3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2Eg
# T3BlcmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOkE0MDAtMDVFMC1E
# OTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEw
# BwYFKw4DAhoDFQB1rbmFkzS7qAK1Oav08AUnhbNIUqCBgzCBgKR+MHwxCzAJBgNV
# BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
# HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m
# dCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA7fdigzAiGA8y
# MDI2MDcwNzExMzMyM1oYDzIwMjYwNzA4MTEzMzIzWjB3MD0GCisGAQQBhFkKBAEx
# LzAtMAoCBQDt92KDAgEAMAoCAQACAgC0AgH/MAcCAQACAhDvMAoCBQDt+LQDAgEA
# MDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAI
# AgEAAgMBhqAwDQYJKoZIhvcNAQELBQADggEBAGui7iTWi09Rvf8n4lcSGF+VnjhB
# 3TsmEZbYNwkw0HzoBpdlmIPjwDS5Sj3Z0TgkKC3HG1mTLnvdto5nLNsSs+COf88v
# jJym37piX2rtfwfhI90imoXCYxy8i9SYMVZkKeRu9jC5aVu9REYXp4z9ap+Rwjpi
# ol+1omd5sQe0WyOZvpMXLdm9NYxflNiBsCSyZmrpf1DhEPy7/T4KTa1ugYgqmBdE
# FM7fR5G4w4XKKYM27cY3vl9OrRx7DDIKu38aGh3+shPDZjmVVcup//L64UNDFtN4
# md/P0cbz1RtftkllqzcJWV/qc8j1KqJJHBN4REovwTFxBx5NXqNJ+gl8r9cxggQN
# MIIECQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQ
# MA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
# MSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAijw
# pYfX88geQAABAAACKDANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0G
# CyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCAwvZxq+i8U2wbGWaC8arPJ7myW
# LwaxQ9z2iuTg7AyTtjCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIFWxikZR
# YGNf4oEVZK1eT45H+3GQ3/qxV75VwuBt+iLXMIGYMIGApH4wfDELMAkGA1UEBhMC
# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp
# bWUtU3RhbXAgUENBIDIwMTACEzMAAAIo8KWH1/PIHkAAAQAAAigwIgQgVvwUmgwX
# joRC4cvB6Izw6KhGNE/dBMQZ9bAuZjmqlMYwDQYJKoZIhvcNAQELBQAEggIAhLpp
# HGcnZuWlltS5o+vsfI61Jl1MX6BeoC50Wn4628jraL5oyshIUwMj5Q28OVIZBrWg
# /wxZoiR8QWLe29npsDZyNMCBQtYoOvDtfoCTNFgvkMNUAfpa9QescQy0UC0wc2A6
# wphkchMtP3LpMkm1lY7VdFyXtg7N2bxTm1SEZL2mMC0d8c49OH64lBYUSQUbdRSe
# QhbhlA7r0/sEuUNIcMNq+1Xgo79M6VcTtDwuhuFfVQsVKwYErJol15V2BBCYTf1B
# ugd1rFvqTXrtsFNXXLN9z3L4ucrbUDrPt3UHWe2TYep4jM31qKAKC8ZTFbefqIxU
# pKdQ73mnjY2o8qTS2nNT9/pC0d5n7pXBgozb2EmtjkE2cYJ0ZdisGaTVIBZvYLey
# Mz1Gc3qTD9Izckw27fbvinfXmSudsDl6YR9NLgRDdFH/CAr52FVZXDiZYwEcQDC0
# e7kj5h3RRw5VfDPf75d0lEpubLUHnLrV/0q4Bbg25/OKUAHMKfoQzEKiWFTWB8bo
# Qy0wEhHRSI2zR6ilQ2LJ2YRtBZS372JKCmcL0jBSWQVxkuzDU/o2DJkIRhB0gLWp
# Lt5I1JYy2yfU/1dqyE0syxo8pkwOTTQFsbWF9wAut4LFSGnXhPkELO/cjI80bGKJ
# xrwJnm22kjRhLdkje+HulQLGDr9Wc3PHwCtLm0g=
# SIG # End signature block