AzureValidation/Microsoft.AzureStack.AzureValidation.Internal.psm1
|
<#############################################################
# # # Copyright (C) Microsoft Corporation. All rights reserved. # # # #############################################################> Import-LocalizedData LocalizedData -BaseDirectory $PSScriptRoot -Filename Microsoft.AzureStack.AzureValidation.Strings.psd1 # Call install code to check Service Administrator Function Test-AzsServiceAdministrator { [OutputType([Hashtable])] [CmdletBinding()] Param( [Parameter(Mandatory = $true)] [pscredential] $AADServiceAdministrator, [Parameter(Mandatory = $true)] [string] $AzureEnvironment, [Parameter(Mandatory = $true)] [string] $AADDirectoryTenantName ) $thisFunction = $MyInvocation.MyCommand.Name $null = Import-Module $PSScriptRoot\AzureADConfiguration.psm1 -force $ErrorDetails = @() $err = $null Write-AzsReadinessLog -message "Starting: Get-AzureADTenantDetails with credential" -function $thisFunction try { $tenantDetails = Get-AzureADTenantDetails -AzureEnvironment $AzureEnvironment -AADAdminCredential $AADServiceAdministrator -AADDirectoryTenantName $AADDirectoryTenantName } catch { $err = $_ } # MFA should rerun Get-AzureADTenantDetails with no creds so the user is prompted if ($err.exception.innerexception.errorcode -eq 'interaction_required') { try { Write-AzsReadinessLog -message "Starting: Get-AzureADTenantDetails with no credential, Multi-Factor Authentication required." -function $thisFunction Clear-Variable err $tenantDetails = Get-AzureADTenantDetails -AzureEnvironment $AzureEnvironment -AADDirectoryTenantName $AADDirectoryTenantName } catch { $err = $_ } } if ($err) { if ($err.Exception.Message -match 'is not an administrator of the Azure Active Directory tenant') { $ErrorDetails += ($LocalizedData.NotAdminOfTenant -f $AADServiceAdministrator.UserName, $AADDirectoryTenantName ) Write-AzsReadinessLog -message ("Get-AzureADTenantDetails failed with: {0}" -f $LocalizedData.NotAdminOfTenant) -function $thisFunction -type Error $result = 'Fail' } elseif ($err.exception.innerexception.errorcode -eq 'unknown_user_type') { $errorDetails += ($LocalizedData.UnknownUserType -f $credential.UserName, $AzureEnvironment) Write-AzsReadinessLog -message ($LocalizedData.UnknownUserType -f $credential.UserName, $AzureEnvironment) -function $thisFunction -type Error $result = 'Fail' } elseif ($err.exception.innerexception.errorcode -eq 'user_password_expired') { $errorDetails += ($LocalizedData.ForceResetPassword -f $credential.UserName) Write-AzsReadinessLog -message ($LocalizedData.ForceResetPassword -f $credential.UserName) -function $thisFunction -type Error $result = 'Fail' } elseif ($err.exception.InnerException.ErrorCode -eq 'invalid_grant') { $errorDetails += ($LocalizedData.AccountDisabled -f $credential.UserName) Write-AzsReadinessLog -message $errorDetails -function $thisFunction -type Error $result = 'Fail' } elseif ($err.exception.InnerException.ErrorCode -eq 'authentication_canceled') { $errorDetails += $LocalizedData.UserCancelledLogon Write-AzsReadinessLog -message $errorDetails -function $thisFunction -type Error $result = 'Fail' } else { $errorDetails += ($LocalizedData.testfailed -f $thisFunction, $err.exception) Write-AzsReadinessLog -message $errorDetails -function $thisFunction -type Error $result = 'Fail' } } if ($tenantDetails) { $result = 'OK' Write-AzsReadinessLog -message "Get-AzureADTenantDetails completed" -function $thisFunction } @{'Test' = 'ServiceAdministrator'; 'Result' = $result; 'errorDetails' = $errorDetails; 'Assets' = @{'AADServiceAdmin' = $AADServiceAdministrator.UserName; 'AzureEnvironment' = $AzureEnvironment; 'AADDirectoryTenantName' = $AADDirectoryTenantName}} } Function Test-AzsRegistrationAccount { [OutputType([Hashtable])] [CmdletBinding()] Param( [Parameter(Mandatory = $true)] [psobject] $subscription, [Parameter(Mandatory = $true)] [string] $subscriptionId ) $thisFunction = $MyInvocation.MyCommand.Name $errorDetail = @() $supportedSubscriptionTypes = 'EnterpriseAgreement_', 'CSP_', 'Sponsored_', 'Internal_' Write-AzsReadinessLog -message ("Testing if subscription {0} is one of type {1}" -f $subscription.subscriptionid, ($supportedSubscriptionTypes -join ',')) -function $thisFunction foreach ($supportedSubscriptionType in $supportedSubscriptionTypes) { if ($subscription.subscriptionPolicies.quotaId -match $supportedSubscriptionType) { $supported = $true Write-AzsReadinessLog -message ("Success subscription {0} is of type {1}" -f $subscription.subscriptionid, $subscription.subscriptionPolicies.quotaId) -function $thisFunction break } else { $supported = $false Write-AzsReadinessLog -message ("Subscription {0} is of type {1}" -f $subscription.subscriptionid, $subscription.subscriptionPolicies.quotaId) -function $thisFunction -type Error } } # If both subscription types don't match, give one failure reason. if ($supported -ne $true) { $errorDetail += ($LocalizedData.SubscriptionNotSupported -f $subscription.subscriptionid, $subscription.subscriptionPolicies.quotaId) Write-AzsReadinessLog -message ($LocalizedData.SubscriptionNotSupported -f $subscription.subscriptionid, $subscription.subscriptionPolicies.quotaId) -function $thisFunction -type Error } # Check subscription is enabled if ($subscription.state -eq 'Enabled') { $enabled = $true Write-AzsReadinessLog -message ("Subscription {0} is enabled" -f $subscription.subscriptionid) -function $thisFunction } else { $enabled = $false $errorDetail += ($LocalizedData.SubscriptionNotEnabled -f $subscription.subscriptionid) Write-AzsReadinessLog -message ($LocalizedData.SubscriptionNotEnabled -f $subscription.subscriptionid) -function $thisFunction } # Check subscriptions match Write-AzsReadinessLog -message ("Checking subscription {0} matches given subscription {1}" -f $subscription.subscriptionid, $subscriptionid) -function $thisFunction if ($subscription.subscriptionid -eq $subscriptionid) { $subscriptionMatch = $true Write-AzsReadinessLog -message ("Subscription {0} matches given subscription {1}" -f $subscription.subscriptionid, $subscriptionid) -function $thisFunction } Else { $subscriptionMatch = $false $errorDetail += ($LocalizedData.SubscriptionNotMatch -f $subscription.subscriptionid, $subscriptionid) Write-AzsReadinessLog -message ($LocalizedData.SubscriptionNotMatch -f $subscription.subscriptionid, $subscriptionid) -function $thisFunction -type Error } if ($supported -AND $enabled -AND $subscriptionMatch) { $result = 'OK' Write-AzsReadinessLog -message ("Overall check for subscription {0} is success" -f $subscription.subscriptionid) -function $thisFunction } else { $result = 'Fail' Write-AzsReadinessLog -message ("Overall check for subscription {0} is error with detail {1}: " -f $subscription.subscriptionid, ($errorDetail -join ',')) -function $thisFunction -Type Error } @{'Test' = 'RegistrationAccount'; 'Result' = $result; 'errorDetails' = $errorDetail; 'Assets' = @{'SubscriptionId' = $subscription.subscriptionid; 'SubscriptionType' = $subscription.subscriptionPolicies.quotaId; 'Enabled' = $enabled}} } # Get subscription detail via REST so we can see the subscription type (CSP, EA, PAYG etc.) function Get-AzureSubscriptionDetail { [OutputType([Hashtable])] [CmdletBinding()] param ([string]$tenantid, [string]$subscriptionid, [pscredential]$credential, [string]$AzureEnvironment ) $thisFunction = $MyInvocation.MyCommand.Name try { Write-AzsReadinessLog -message ("TenantID: {0}" -f $tenantid) -function $thisFunction Write-AzsReadinessLog -message ("SubscriptionId: {0}" -f $subscriptionid) -function $thisFunction $errorDetails = @() # Set well-known client ID for AzurePowerShell $clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # Set redirect URI for Azure PowerShell $redirectUri = "urn:ietf:wg:oauth:2.0:oob" # Set Resource App URI as ARM Write-AzsReadinessLog -message ("Retrieving ARMURI for {0}" -f $AzureEnvironment) -function $thisFunction $resourceAppIdURI = (Get-AzureURIs -AzureEnvironment $AzureEnvironment).ARMUri Write-AzsReadinessLog -message ("Retrieved ARMURI {0}" -f $resourceAppIdURI) -function $thisFunction # Set Authority to Azure AD Tenant $authority = "{0}{1}" -f (Get-AzureURIs -AzureEnvironment $AzureEnvironment).LoginUri, $tenantid Write-AzsReadinessLog -message ("Authority {0}" -f $authority) -function $thisFunction # Create Authentication Context tied to Azure AD Tenant $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority # Acquire token $userCreds = new-object Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential($credential.userName, $credential.Password) try { $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $userCreds) } catch [Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException] { if ($_.Exception.ErrorCode -eq "interaction_required") { $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $redirectUri, 'Always') } else { throw } } $ApiVersion = '2017-08-01' # Output bearer token $authHeader = $authResult.CreateAuthorizationHeader() $header = @{ 'Content-Type' = 'application/json' 'Authorization' = $authHeader } # Make Subscription call $URI = $resourceAppIdURI + "subscriptions/${subscriptionId}?api-version=$ApiVersion" Write-AzsReadinessLog -message ("Making REST call to uri {0} for subscription details" -f $uri, $header) -function $thisFunction $subscription = Invoke-RestMethod -Uri $URI -Method GET -Headers $header # Make role assignment call for user $principalId = $authResult.UserInfo.UniqueId $roleAssignmentURI = $resourceAppIdURI + "subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2017-09-01&`$filter=PrincipalId eq '$principalId'" Write-AzsReadinessLog -message ("Making call to uri {0} for role assignments of user" -f $uri) -function $thisFunction $roleAssignment = Invoke-RestMethod -Uri $roleAssignmentURI -Method GET -Headers $header $roleDefinitionIds = $roleAssignment.value.properties.roleDefinitionId Write-AzsReadinessLog -message ("RoleAssignment IDs {0} for user" -f ($roleDefinitionIds -join ',')) -function $thisFunction # Make role assignment definition call $roleDefURI = $resourceAppIdURI + "subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01" Write-AzsReadinessLog -message ("Get all RoleAssignment defintions from uri {0}" -f $roleDefURI) -function $thisFunction $allRoleDefs = Invoke-RestMethod -Uri $roleDefURI -Method GET -Headers $header # filter definitions on users role assignment(s) $roledef = $allRoleDefs.value | ? id -in $roleDefinitionIds Write-AzsReadinessLog ("Resolving {0} role definition(s) from user in role definition list." -f ($roleDef.properties.roleName -join ',')) -function $thisFunction # check is role definition on user is owner if ($roleDef.properties.roleName -match 'Owner') { Write-AzsReadinessLog ("Success. Owner present. User: {0} role(s): {1}" -f $authResult.UserInfo.DisplayableId, ($roleDef.properties.roleName -join ',')) -function $thisFunction } else { $allClassicAdmins = Get-AzureClassicAdmins -resourceAppIdURI $resourceAppIdURI -header $header -subscriptionId $subscriptionId $classicAdmin = $allClassicAdmins | Where-Object {$_.properties.emailaddress -eq $authResult.UserInfo.DisplayableId} if ($classicAdmin) { Write-Log ("Success. Classic Admin present. User: {0} role(s): {1}" -f $authResult.UserInfo.DisplayableId, $classicAdmin.properties.role) -function $thisFunction } else { Write-Log ("Error. Owner and classic admin not present. User: {0} role(s): {1}" -f $authResult.UserInfo.DisplayableId, ($roleDef.properties.roleName -join ',')) -function $thisFunction throw "NonOwner" } } } catch { if ($_.exception.Message -match 'Forbidden|Unauthorized') { $errorDetails += ($LocalizedData.UserNotAuthorizedForSubscription -f $credential.username, $tenantid, $subscriptionid) Write-AzsReadinessLog -message ($LocalizedData.UserNotAuthorizedForSubscription -f $credential.username, $tenantid, $subscriptionid) -function $thisFunction -type Error } elseif ($_.exception.Message -match 'NonOwner') { $errorDetails += ($LocalizedData.UserNotOwnerForSubscription -f $credential.username, ($roleDef.properties.roleName -join ','), $subscriptionid) Write-AzsReadinessLog -message ($LocalizedData.UserNotOwnerForSubscription -f $credential.username, $tenantid, $subscriptionid) -function $thisFunction -type Error } else { $errorDetails += ("{0} threw an error: {1}" -f $MyInvocation.MyCommand.Name, $_) Write-AzsReadinessLog -message ("error: {0}" -f $_) -function $thisFunction -type Error } } @{'Test' = 'GetSubscription'; 'subscription' = $subscription; 'errorDetails' = $errorDetails; 'AADDirectoryTenantName' = $tenantid; 'subscriptionid' = $subscriptionid; 'credential' = $credential.UserName; 'AzureEnvironment' = $AzureEnvironment; 'UserRole' = ($roleDef.properties.roleName -join ',')} } function Get-RegistrationTenantId { [CmdletBinding()] param ( [string]$subscriptionid, [pscredential]$credential, [string]$AzureEnvironment ) $thisFunction = $MyInvocation.MyCommand.Name try { Write-AzsReadinessLog -message ("Getting TenantId for subscription {0}" -f $subscriptionid) -function $thisFunction $tenantId = (Login-AzureRmAccount -Credential $credential -Subscription $subscriptionid -Environment $AzureEnvironment -errorAction Stop).Context.Tenant.TenantId Write-AzsReadinessLog -message ("Resolved TenantId {0} for subscription {1}" -f $tenantId, $subscriptionid) -function $thisFunction } catch { if ($_.Exception.InnerException.ErrorCode -eq "interaction_required") { Write-AzsReadinessLog -message ("Account is MFA enabled, prompting user for MFA." -f $credential.username) -function $thisFunction try { $tenantId = (Login-AzureRmAccount -Subscription $subscriptionid -Environment $AzureEnvironment -errorAction Stop).Context.Tenant.TenantId } catch { if ($_.Exception.InnerException.ErrorCode -eq 'authentication_canceled') { $errorDetails += $LocalizedData.UserCancelledLogon Write-AzsReadinessLog -message $LocalizedData.UserCancelledLogon -function $thisFunction -type Error } elseif ($_.Exception.InnerException.ErrorCode -eq 'unknown_user_type') { $errorDetails += ($LocalizedData.UnknownUserType -f $credential.UserName, $AzureEnvironment) Write-AzsReadinessLog -message ($LocalizedData.UnknownUserType -f $credential.UserName, $AzureEnvironment) -function $thisFunction -type Error } elseif ($_.Exception.InnerException.ErrorCode -eq 'user_password_expired') { $errorDetails += ($LocalizedData.ForceResetPassword -f $credential.UserName) Write-AzsReadinessLog -message ($LocalizedData.ForceResetPassword -f $credential.UserName) -function $thisFunction -type Error } elseif ($_.Exception.InnerException.ErrorCode -eq 'invalid_grant') { $errorDetails += ($LocalizedData.AccountDisabled -f $credential.UserName) Write-AzsReadinessLog -message $errorDetails -function $thisFunction -type Error } else { $errorDetails = ("Retrieving TenantId for subscription {0} using account {1} failed with: {2}" -f $subscriptionid, $credential.username, $_.exception.message) Write-AzsReadinessLog -message $errorDetails -function $thisFunction -Type Error } } } elseif ($_.Exception.InnerException.ErrorCode -eq 'unknown_user_type') { $errorDetails += ($LocalizedData.UnknownUserType -f $credential.UserName, $AzureEnvironment) Write-AzsReadinessLog -message ($LocalizedData.UnknownUserType -f $credential.UserName, $AzureEnvironment) -function $thisFunction -type Error } elseif ($_.Exception.InnerException.ErrorCode -eq 'user_password_expired') { $errorDetails += ($LocalizedData.ForceResetPassword -f $credential.UserName) Write-AzsReadinessLog -message ($LocalizedData.ForceResetPassword -f $credential.UserName) -function $thisFunction -type Error } elseif ($_.Exception.InnerException.ErrorCode -eq 'invalid_grant') { $errorDetails += ($LocalizedData.AccountDisabled -f $credential.UserName) Write-AzsReadinessLog -message $errorDetails -function $thisFunction -type Error } else { $errorDetails = ("Retrieving TenantId for subscription {0} using account {1} failed with: {2}" -f $subscriptionid, $credential.username, $_.exception.message) Write-AzsReadinessLog -message $errorDetails -function $thisFunction -Type Error } } @{'Test' = 'GetTenantId'; 'errorDetails' = $errorDetails; 'tenantId' = $tenantid} } function Get-AzureClassicAdmins { param ($resourceAppIdURI, $header, $subscriptionId) $thisFunction = $MyInvocation.MyCommand.Name $classicAdminURI = $resourceAppIdURI + "subscriptions/${subscriptionId}/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-06-01" Write-AzsReadinessLog -message ("Get Classic Administrators from uri {0}" -f $classicAdminURI) -function $thisFunction try { $classicAdmins = Invoke-RestMethod -Uri $classicAdminURI -Method GET -Headers $header | Select-Object -ExpandProperty Value } catch { Write-AzsReadinessLog -message ("Unable to retrieve Classic Administrators from uri {0}. Exception {1}" -f $classicAdminURI, $_.exception) -function $thisFunction -Type Error } return $classicAdmins } # SIG # Begin signature block # MIIkiAYJKoZIhvcNAQcCoIIkeTCCJHUCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB/tSVQRovOZwk3 # /RfXSmmLBFjKgs4pKW0cKds9Z7t0GqCCDYEwggX/MIID56ADAgECAhMzAAABA14l # HJkfox64AAAAAAEDMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMTgwNzEyMjAwODQ4WhcNMTkwNzI2MjAwODQ4WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDRlHY25oarNv5p+UZ8i4hQy5Bwf7BVqSQdfjnnBZ8PrHuXss5zCvvUmyRcFrU5 # 3Rt+M2wR/Dsm85iqXVNrqsPsE7jS789Xf8xly69NLjKxVitONAeJ/mkhvT5E+94S # nYW/fHaGfXKxdpth5opkTEbOttU6jHeTd2chnLZaBl5HhvU80QnKDT3NsumhUHjR # hIjiATwi/K+WCMxdmcDt66VamJL1yEBOanOv3uN0etNfRpe84mcod5mswQ4xFo8A # DwH+S15UD8rEZT8K46NG2/YsAzoZvmgFFpzmfzS/p4eNZTkmyWPU78XdvSX+/Sj0 # NIZ5rCrVXzCRO+QUauuxygQjAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUR77Ay+GmP/1l1jjyA123r3f3QP8w # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDM3OTY1MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAn/XJ # Uw0/DSbsokTYDdGfY5YGSz8eXMUzo6TDbK8fwAG662XsnjMQD6esW9S9kGEX5zHn # wya0rPUn00iThoj+EjWRZCLRay07qCwVlCnSN5bmNf8MzsgGFhaeJLHiOfluDnjY # DBu2KWAndjQkm925l3XLATutghIWIoCJFYS7mFAgsBcmhkmvzn1FFUM0ls+BXBgs # 1JPyZ6vic8g9o838Mh5gHOmwGzD7LLsHLpaEk0UoVFzNlv2g24HYtjDKQ7HzSMCy # RhxdXnYqWJ/U7vL0+khMtWGLsIxB6aq4nZD0/2pCD7k+6Q7slPyNgLt44yOneFuy # bR/5WcF9ttE5yXnggxxgCto9sNHtNr9FB+kbNm7lPTsFA6fUpyUSj+Z2oxOzRVpD # MYLa2ISuubAfdfX2HX1RETcn6LU1hHH3V6qu+olxyZjSnlpkdr6Mw30VapHxFPTy # 2TUxuNty+rR1yIibar+YRcdmstf/zpKQdeTr5obSyBvbJ8BblW9Jb1hdaSreU0v4 # 6Mp79mwV+QMZDxGFqk+av6pX3WDG9XEg9FGomsrp0es0Rz11+iLsVT9qGTlrEOla # P470I3gwsvKmOMs1jaqYWSRAuDpnpAdfoP7YO0kT+wzh7Qttg1DO8H8+4NkI6Iwh # SkHC3uuOW+4Dwx1ubuZUNWZncnwa6lL2IsRyP64wggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIWXTCCFlkCAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAQNeJRyZH6MeuAAAAAABAzAN # BglghkgBZQMEAgEFAKCB3jAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgKrDt6dKV # tLA4P73sE/v+Gyi/vItUrnle4kRI6JFEVNgwcgYKKwYBBAGCNwIBDDFkMGKgSIBG # AE0AaQBjAHIAbwBzAG8AZgB0ACAAQQB6AHUAcgBlAFMAdABhAGMAawAgAFAAYQBy # AHQAbgBlAHIAVABvAG8AbABrAGkAdKEWgBRodHRwOi8vQ29kZVNpZ25JbmZvIDAN # BgkqhkiG9w0BAQEFAASCAQCY9vBqUorj+laGItc2Gu+aKM7WkkmTNlmM6/+Q5Ijw # bwu+MEbKdvDhS5xkiFL8M6n0plVtBeKrMoKpvdhFx/TtWs34cAbzBrtUc5hkhAsu # x5dAn6dHUk68v4/tEQqBFJxQUGQ7ZnMrPt+iNkzUaSmsiwk5ZLMNWG/WTEjuN9Fs # pVKB/aMFKpsxg2c8WmyLubgqq0P2MVPVJCprP/kJlpgjQvhUvV65RaRw5zJJOsTs # 3YlnRSH6UCCdmYJ1dpEJtByMkdvo0+4ZfkKJK/yi4J3oCvdbCbBFafojBMxLIQ6T # Lk75M4nVIStvcV1licDRYnzCVk6D+59/pbOEbXSLkwDwoYITtzCCE7MGCisGAQQB # gjcDAwExghOjMIITnwYJKoZIhvcNAQcCoIITkDCCE4wCAQMxDzANBglghkgBZQME # AgEFADCCAVgGCyqGSIb3DQEJEAEEoIIBRwSCAUMwggE/AgEBBgorBgEEAYRZCgMB # MDEwDQYJYIZIAWUDBAIBBQAEIB0rWvZDV3ekouxp8xa0WPGmbRaN65v3U9nSWVdn # GoqfAgZb2dKztccYEzIwMTgxMTAxMjE1MzQxLjA0OFowBwIBAYACAfSggdSkgdEw # gc4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsT # IE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFs # ZXMgVFNTIEVTTjpDMEY0LTMwODYtREVGODElMCMGA1UEAxMcTWljcm9zb2Z0IFRp # bWUtU3RhbXAgU2VydmljZaCCDx8wggT1MIID3aADAgECAhMzAAAA0BxqYGHC5+Gt # AAAAAADQMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAy # MDEwMB4XDTE4MDgyMzIwMjYyOFoXDTE5MTEyMzIwMjYyOFowgc4xCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBP # cGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpD # MEY0LTMwODYtREVGODElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy # dmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJs+hjbXWs77xn3M # KjwgBhWamzkgPLrX6kM0xhOnSbyG5WitejlIoyYoBicTQLWyDqyuZflDSzhrrgdh # GKcO/aXLYczZxTfqG9rcTLVle02RqzqNK51fUh2p7c24gIaQ5Ma3J2EF5ItZDnu1 # bHhzT94U/JFvnoH3c5V7fmAyKuc01TEbXf5nQ9XnZJGMZNn7NQ9nLtysrVQ/xE1s # p8dZ3Y9hkrpZJG/ftV3uhyoLv0ds/XElvylkvFNUKpaV8+iQTWhl8rGYdO0EOU/J # PWsaSoKBX3sf8pZoB5ezL9ZF5dpa5o9XElUKelwSxGuC18WadKI2gTO75+DsUggE # 9c6SRisCAwEAAaOCARswggEXMB0GA1UdDgQWBBQDgyiXqGsl8sRTMh+ZrTq8dxjF # cTAfBgNVHSMEGDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBNMEug # SaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9N # aWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsG # AQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Rp # bVN0YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoG # CCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQClvCSWZAnfWvS/lFN/NhmRbjwg # 9eBgXXyyl0YJWgwYPuorUZHkhc3R5PNNY0lNGk6RHjvbp0n22u6UR/BMN72jC2eB # WdRNNlyjiPUFrWEudzStxPXBl9tBz1tdaaEQjcouhsBOMrtK1/Pj1VX1C9GCveV2 # eoYZtjmaIeDkIo4gY6v1cMW1Pe972NOolmXyrElWgp8dxSJ1h0bB8AqPzNwwiu3T # 5oT1XsbTTBM1X124MgDm9rNkBSQmHq+z4fYeayXRKt7O1ycs65IYvkfBImt6cY+U # FPiYR5mpGF0la6dB01Z8QaY3Wi9BmzsprJG72Xk6JryszvCRcNUX1wT5wIEsMIIG # cTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0 # IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1 # WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCC # ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9p # lGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEw # WbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeG # MoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJ # UGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw # 2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0C # AwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ # 80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8E # BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2U # kFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5j # b20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmww # WgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29m # dC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYD # VR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6 # Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYI # KwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0 # AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9 # naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtR # gkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzy # mXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCf # Mkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3D # nKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs # 9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110 # mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL # 2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffI # rE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxE # PJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc # 1bN+NR4Iuto229Nfj950iEkSoYIDrTCCApUCAQEwgf6hgdSkgdEwgc4xCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29m # dCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVT # TjpDMEY0LTMwODYtREVGODElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg # U2VydmljZaIlCgEBMAkGBSsOAwIaBQADFQApKR+LcXEyVzc2v72d4dOjMT6OlaCB # 3jCB26SB2DCB1TELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO # BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEp # MCcGA1UECxMgTWljcm9zb2Z0IE9wZXJhdGlvbnMgUHVlcnRvIFJpY28xJzAlBgNV # BAsTHm5DaXBoZXIgTlRTIEVTTjo1N0Y2LUMxRTAtNTU0QzErMCkGA1UEAxMiTWlj # cm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG9w0BAQUFAAIF # AN+FY3kwIhgPMjAxODExMDExOTM1MjFaGA8yMDE4MTEwMjE5MzUyMVowdDA6Bgor # BgEEAYRZCgQBMSwwKjAKAgUA34VjeQIBADAHAgEAAgIciTAHAgEAAgIbsTAKAgUA # 34a0+QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMBoAowCAIBAAID # FuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQB1PgRQMBfYZpbjQ+xP # UIqi/zxcL/H8yVU71XY6xejb85doJuyW8eCNdTEUQVXKXE1T1/Gcp9H+XFZLuVey # EUDjO8vsCndgcW3ZRQUH32JAP2l2t+ibgv2wx3fIc48wJ4iMKT++MzBhe82Dl04x # 8sjEv6HQ3iDBleI0RS210nDnPYakNl0jujielh5oJqJTeWu56/LkO1BkIhuQemdc # qZF81SgSnKU6Ao0FaBR42AR2mg6N7EYsqxjChe996Gdc8Fe5vS8vYPT87wEiKgDT # oSSroOY2UVKRLLWccNlJlBKGv4vg0ZIOQT8TubcNoL9GrJyXw8mLQFIzI6aO++P1 # ZEKgMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAC # EzMAAADQHGpgYcLn4a0AAAAAANAwDQYJYIZIAWUDBAIBBQCgggEyMBoGCSqGSIb3 # DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgcsKNtoLchrEpW5j7 # FLq88qPogBZcbyga68n/UlPfHYIwgeIGCyqGSIb3DQEJEAIMMYHSMIHPMIHMMIGx # BBQpKR+LcXEyVzc2v72d4dOjMT6OlTCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFBDQSAyMDEwAhMzAAAA0BxqYGHC5+GtAAAAAADQMBYEFG8/trCD4uFRLd0e # OmOcBD/p1lRdMA0GCSqGSIb3DQEBCwUABIIBAD5sQb6temECk54egM33REb2rljF # mBkeMeMEbq/zwlva3+H3xjpppwDt6DwoRrVt/duiOrH34v3rkzT3zhl6PkezyJDu # uxjxYvfogSbsUqsP8mSzKVKfK0h+ebsvzzxxWt+P4rKrKF8neOL9YmMFJ9hHCIpq # f8hZiXK85mefkMGWRfihtgCvajzzPZkX3qY8JsLQJ21lzRPcoh3B4k8gXImID0m1 # Mj9OJZlylcLty4ROhAWbGZxyN+9kDVFGtlSWtzCnbx3SN92m3hmRPV2KxaIvwy8L # z7vQ4TQRfidTqJ2LW0ChE5Tpwg72OcOMOTcGaEkywnuS79waROQ7Napf0Ys= # SIG # End signature block |