mTLS auth using OPA python client

awx/main/exceptions.py

@@ -38,5 +38,12 @@ def __init__(self, msg, status='failed', tb=''):
         super(PostRunError, self).__init__(msg)
 
 
+class PreRunError(Exception):
+    def __init__(self, msg, status='failed', tb=''):
+        self.status = status
+        self.tb = tb
+        super(PreRunError, self).__init__(msg)
+
+
 class ReceptorNodeNotFound(RuntimeError):
     pass

awx/main/tasks/jobs.py

@@ -14,6 +14,8 @@
 import traceback
 import time
 import urllib.parse as urlparse
+import requests
+from opa_client.opa import OpaClient
 
 # Django
 from django.conf import settings
@@ -68,7 +70,7 @@
 from awx.main.tasks.signals import with_signal_handling, signal_callback
 from awx.main.tasks.receptor import AWXReceptorJob
 from awx.main.tasks.facts import start_fact_cache, finish_fact_cache
-from awx.main.exceptions import AwxTaskError, PostRunError, ReceptorNodeNotFound
+from awx.main.exceptions import AwxTaskError, PreRunError, PostRunError, ReceptorNodeNotFound
 from awx.main.utils.ansible import read_ansible_config
 from awx.main.utils.safe_yaml import safe_dump, sanitize_jinja
 from awx.main.utils.common import (
@@ -425,7 +427,24 @@ def pre_run_hook(self, instance, private_data_dir):
         """
         instance.log_lifecycle("pre_run")
 
-        # Before task is started, ensure that job_event partitions exist
+        opa_input_data = {
+            'created': instance.created.isoformat(),
+            'created_by': {
+                "username": instance.created_by.username,
+                "is_superuser": instance.created_by.is_superuser,
+            },
+        }
+
+        with OpaClient(host=settings.OPA_HOST, port=settings.OPA_PORT, ssl=settings.OPA_SSL, cert=settings.OPA_AUTH_CERT) as opa_client:
+            try:
+                opa_query_response = opa_client.query_rule(input_data=opa_input_data, package_path='job_template', rule_name='response')
+            except Exception as e:
+                raise PreRunError(_('Call to OPA failed, Exception: {}').format(e))
+
+            opa_query_result = opa_query_response.get('result', {})
+            if opa_query_result.get('allowed', False) == False:
+                raise PreRunError(_('OPA policy denied the request, Violations: {}').format(opa_query_result.get('violations', [])))
+
         create_partition(instance.event_class._meta.db_table, start=instance.created)
 
     def post_run_hook(self, instance, status):
@@ -626,6 +645,8 @@ def run(self, pk, **kwargs):
                 elif cancel_flag_value is False:
                     self.runner_callback.delay_update(skip_if_already_set=True, job_explanation="The running ansible process received a shutdown signal.")
                     status = 'failed'
+        except PreRunError as exc:
+            self.runner_callback.delay_update(job_explanation=str(exc), result_traceback=str(exc))
         except ReceptorNodeNotFound as exc:
             self.runner_callback.delay_update(job_explanation=str(exc))
         except Exception:

awx/settings/defaults.py

@@ -1062,3 +1062,21 @@
 
 # feature flags
 FLAGS = {'FEATURE_INDIRECT_NODE_COUNTING_ENABLED': [{'condition': 'boolean', 'value': False}]}
+
+
+# Policy as code feature configurations
+FEATURE_POLICY_AS_CODE_ENABLED = False
+
+OPA_POLICY_EVALUATION_DEFAULT_RESULT = {'allowed': True}  # Default policy enforcement decision if policy evaluation fail for any reason.
+OPA_HOST = 'opa'  # Host to connect to OPA service, defaults to 'localhost'.
+OPA_PORT = 8181  # Port to connect to OPA service, defaults to 8181.
+OPA_SSL = True  # Use SSL to connect to OPA service, defaults to False.
+OPA_REST_API_VERSION = 'v1'  # REST API version provided by OPA, defaults to 'v1'.
+
+
+OPA_AUTH_TYPE = 'Certificate'  # 'None', 'Token', 'Certificate', 'Custom Header'
+OPA_AUTH_TOKEN = ''  # Token for OPA authentication, defaults to '', required when OPA_AUTH_TYPE = 'Token'.
+OPA_AUTH_CERT = '/tmp/client.pem'  # Path to certificate file for mTLS authentication, defaults to '', required when OPA_AUTH_TYPE = 'Certificate'.
+OPA_AUTH_CUSTOM_HEADER = ''  # Custom header for OPA authentication, defaults to '', required when OPA_AUTH_TYPE = 'Custom Header'.
+OPA_REQUEST_TIMEOUT = 1.5  # Connection timeout in seconds, defaults to 1.5 seconds.
+OPA_REQUEST_RETRY = 2  # Number of retries to connect to OPA service, defaults to 2.

pac_demo/allow-false.rego

@@ -0,0 +1,8 @@
+package job_template
+
+import rego.v1
+
+response := {
+    "allowed": false,
+    "violations": ["No job execution is allowed"]
+}

pac_demo/allow-true.rego

@@ -0,0 +1,8 @@
+package job_template
+
+import rego.v1
+
+response := {
+    "allowed": true,
+    "violations": []
+}

pac_demo/input-is_superuser-false.json

@@ -0,0 +1,6 @@
+{
+    "created_by": {
+        "username": "TheRealHaoLiu",
+        "is_superuser": false
+    }
+}

pac_demo/input-is_superuser-true.json

@@ -0,0 +1,6 @@
+{
+    "created_by": {
+        "username": "admin",
+        "is_superuser": true
+    }
+}

pac_demo/interesting-data.md

@@ -0,0 +1,65 @@
+all user modifiable flat properties
+id:
+created: datetime
+created_by: <scheduled will be created_by None>
+    username:
+    id:
+    email:
+    is_superuser
+<!-- credentials:[{id: ,name, type}, ...] -->
+execution_environments: []
+    id:
+    name:
+    image:
+    pull:
+extra_vars:
+extra_vars_dict:
+forks:
+count(hosts):
+instance_group:
+    id:
+    name:
+    capacity:
+    jobs_running:
+    jobs_total:
+    max_concurrent_jobs:
+    max_forks:
+inventory
+    id:
+    name:
+    description:
+    total_hosts:
+    total_groups:
+    inventory_sources: []
+        id:
+        name:
+        type:
+        kind: ?
+    <TODO figure out what identify a constructed inventory>
+job_template:
+    id:
+    name:
+    type
+job_type:
+job_type_name:
+launch_type:
+name:
+limit:
+launched_by: ?
+organization:
+    name:
+    id:
+playbook:
+project:
+    name:
+    id:
+    scm_*:
+    status:
+scm_branch =
+scm_revision =
+workflow_job_id
+workflow_node_id
+workflow_job_template: ?
+
+
+<only provide info that's serialized to the API>

pac_demo/maintenance.rego

@@ -0,0 +1,27 @@
+package maintenance
+
+import rego.v1
+
+# Default rule to deny if no condition matches
+default allow := false
+
+maintenance_window := {
+    "start_time": "01:00",
+    "end_time": "02:00"
+}
+
+# Main rule to check if the created time is within the maintenance window
+allow if {
+	time_within_window(input.created, maintenance_window.start_time, maintenance_window.end_time)
+}
+
+# Helper rule to check if the time is within the maintenance window
+time_within_window(created_time, start_time, end_time) if {
+	parsed_time := time.parse_rfc3339_ns(created_time)
+	[hour, minute, _]:= time.clock(parsed_time)
+
+	current_time := sprintf("%02d:%02d", [hour, minute])
+
+	current_time >= start_time
+	current_time < end_time
+}

pac_demo/opa-cert/ca.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICmjCCAYICCQDVbOt5/MRHxDANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARN
+eUNBMB4XDTI1MDEyMjAyMDYyMVoXDTI2MDEyMjAyMDYyMVowDzENMAsGA1UEAwwE
+TXlDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfga5AnIpjoKKfZ
+3N1DGW/6vZWh0k6tigAE6Gd00Tci2IL3lQ3TBhsz2yeJnCNLYvBqCw3pSDyyQdYy
+VtQRduHG3jUa29NJW+qmTYnotq7jPYzcQL1e/ylUNg6XMZR2aCuamGfzqA85Km16
+GIPYE7I5y3loXwVe05EFJpyNRPZ3vT8S6OQLulVSLRPNK8eLLgCl7NXMUz8GPi3D
+TTJGYg1Fhsl6nVWgLcJKJT7gcMVLp8aOz64SlvOEqYQpyG33WIL3zkyBa02gNsxs
+FVwzpQt2RuS9ohQ7zrL/YdGo989LVOkYQdibdgZFvfR9kUvOn/ygl9Hv8qoBRpM8
+zkbtQvECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAm5zHvMw8w1Gl8aCBKGsUQa4M
+j2BPLmQFat886ilIi0WUStEh1NZtdLGqywc7nlMFW3wkLpJ3AoYbHK4CaWozEsv5
+AdWtnbMmTlFuBeQZ41EYnDGmJMv7Th0yiap7g22rS2spT1SaQinTa7tZoEw6lOo1
+ff4Qi4qfTs2/QDEHfU72MI6W9fCp9i0uKwzjhPRihJlugMm1PkdVae3MzvhSqxQB
+vUu0e3xGHgRfRs+3+5IRmu3GLzp7dGlj9YSQECA4XA4mKBek7HO7oD2vA40r2uMS
+qYpIxvwGruOpfWemQtuzmfNUvrOvrQxM/OfMzhau4xvtIpEGYZCJ929PkVU/xQ==
+-----END CERTIFICATE-----

pac_demo/opa-cert/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAx+BrkCcimOgop9nc3UMZb/q9laHSTq2KAAToZ3TRNyLYgveV
+DdMGGzPbJ4mcI0ti8GoLDelIPLJB1jJW1BF24cbeNRrb00lb6qZNiei2ruM9jNxA
+vV7/KVQ2DpcxlHZoK5qYZ/OoDzkqbXoYg9gTsjnLeWhfBV7TkQUmnI1E9ne9PxLo
+5Au6VVItE80rx4suAKXs1cxTPwY+LcNNMkZiDUWGyXqdVaAtwkolPuBwxUunxo7P
+rhKW84SphCnIbfdYgvfOTIFrTaA2zGwVXDOlC3ZG5L2iFDvOsv9h0aj3z0tU6RhB
+2Jt2BkW99H2RS86f/KCX0e/yqgFGkzzORu1C8QIDAQABAoIBAEh9y2Uv3Gtqn/wo
+luMkx+AGJ6ZSV20zoX5aSVPkWVDO8Ymmc8fcxjUtfIl9bkSavdqGC1ZTSmDBIgGm
+pjkp0F0YfFT0Vc/upkiXYj3nSgJp5lPlOhG0l4SMx0JJcbDvtN5DpozlIQnMaOfl
+xWhkANi9/18cDIJtHvxUyukyj1V3+Z9QoGT/LK3jmFRWb55AVE6aYuDxfcUKJiZ7
+kY8y19daItMqPLDUvxvVy5XNT+dykWdMIpzbNxMI+XashSxZhWCUrYHTCfQDCKRK
+sCGTmdYbqxNOe+prK3iEQyswCzrxa5P9uFochLFLU1Y8igK/yeWRm0A7Uh+anod1
+Ormb8AECgYEA8R91s3GIfKQx7DKq/lPbtr3sZf9IcPUtCcSUIwKGL3SQBPFcXxub
+sEiuh4ZmoCPrv5zFKxyernDT781qljMFD/PxMbC499t+DLSQyXuxy2xRXVLNk9dO
+x3Y18hjHEnWvDgBnIXtU+qlzy+0H4hGsD+eZBzPV1CYNVlUsP7NFGfECgYEA1DV5
+pfVP7IEkJmKYbOzBWXA2DE+lJVP79WMJk20KVxWUmhiDZkqhpsXiZ6ss80U1NEHP
+eziRLAbqyy/nCY1Xvi4trL9yzsRVL+1dNt86ez6PqnpNNLBqTJdK9rv13tAF8ypK
+cDppxIGDsTJLbgf60DcyyccIrZ8j1So9NXF5uQECgYEAiJM6Nt7K4VablF8Kra3Q
+GI0xFoDnhlvJG+xFwCLQ4JZUcQhJOvHHWK2Cde8xt+lAwjLJF2dJliMAWKbwhYz2
+hBe3eV7RFksz9XxdOlKe3UtINuUM3n2o+J/DZJKWR6Vy9ypRQAy8kJJkrZBf07QQ
+0p1q90JsDpNTIKBzxM0FCfECgYEAhDUkqs5gktoKKZf3mrUN6KjOI3FjVBQ0vzaK
+erzOWl7pi++Fva71cy+J1EiC4rTVZs8xcnVVjHZqxVf8uqjCZ4vhjORhpIwQ/qEF
+F/CPQMVDQFSd0RuvvjPr0jhcAAreChbo9W6PAowl/bl14QE7s4kQLUHBGFozOtTr
++WXPDgECgYAnrlZYb5JwkbmfCxQt4isLwhGb3g/zEvky68AHDhBOIwX/MRcg2Ib0
+G7Oe7U+D7vMqIWk19fvJ3VpuGbHOlV0/6Eh1x4k2B7XtcnFUHbqEUC7L5kXEkTU4
+N1Dt2xl2lZDd2c5xRnA0XmTzdrMJhyuxDSAlXlwWW0Ld9fSlFI6pOg==
+-----END RSA PRIVATE KEY-----

pac_demo/opa-cert/ca.srl

@@ -0,0 +1 @@
+ACFFDC8C2B531521

pac_demo/opa-cert/client.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCs/9yMK1MVITANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARN
+eUNBMB4XDTI1MDEyMjAyMDcyM1oXDTI2MDEyMjAyMDcyM1owETEPMA0GA1UEAwwG
+Y2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzwxIonTNCaSl
+1apXvvBqXyLmH9Ytk4pSUMKzksMWjJumm1vaE08SP++YbR0y11kgf+QtZOd3WLVO
+up0AhXRciob6HfDux8LmaTWq+2vxOCB2bIr3AffoDsIOKOpprRIYQgNRHOsBE/AB
+2i7NXodjmtgKQ4MGdQgUU/gpKaPlMWgEnBI5mRd0KFusDF/v8gADcDNPPBUigIpa
+jiI1GiFZFkd2qcyk+jIII1xBiDV5BbPfKNwTPQ0MiijmLHm7Pah+oLEC6HyRFGLE
+/RnZ6gpJgqc2FzVr15QRRqAbS/monEsmS7IZooD0RZbHPKSEKUKQO3uy66RGfLIm
+1jNbVXgxQwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC6dnaRaHu2JRO/gBehgArb
+GugoGIfTzHkqG3tFtQLGpWShW3zXzkZC48ufPKzqX1ZmIBHfznQdwFgLvCi9P/03
+Ey2855RqjbORxIZfUqbxseC1shUJ+veh80KI7qKr0HqndSXlpx2hKxzodoaVZ1rO
+lYUs3v9nWLyzR8LlxOEwC0YTpt006rErXTT0nJzC9UeSY2dwcuHEqp44CKfD4qcO
+s+ZIW0FBgUGEEkUoe5kBWzGJD4LLnh55B7sItFDiUTBamW1F72kLEHRMUXnqHMCQ
+kdLtB8cqTcvXBvAqPRc49nBc2hmfLJbQRITZFuP+4zaJbV3l9vcKFEqjLss5PzLc
+-----END CERTIFICATE-----

pac_demo/opa-cert/client.csr

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzwxIonTNCaSl1apXvvBqXyLmH9Ytk4pSUMKzksMWjJum
+m1vaE08SP++YbR0y11kgf+QtZOd3WLVOup0AhXRciob6HfDux8LmaTWq+2vxOCB2
+bIr3AffoDsIOKOpprRIYQgNRHOsBE/AB2i7NXodjmtgKQ4MGdQgUU/gpKaPlMWgE
+nBI5mRd0KFusDF/v8gADcDNPPBUigIpajiI1GiFZFkd2qcyk+jIII1xBiDV5BbPf
+KNwTPQ0MiijmLHm7Pah+oLEC6HyRFGLE/RnZ6gpJgqc2FzVr15QRRqAbS/monEsm
+S7IZooD0RZbHPKSEKUKQO3uy66RGfLIm1jNbVXgxQwIDAQABoAAwDQYJKoZIhvcN
+AQELBQADggEBAGnc/7odqjnmyvfMZkS2glEIhTSn9pYEeyGK1WTL/OYdCMw+A+II
+iOf9rrQRmwtlVlI7EgJ4Ca44+L5RvnFXPROdKoq7FqPFwVJ2nr1ZHYM/Je5gcfbJ
+MCNjergp4ypB8V9RJkmvkdsfHFhrZPHwNvYcz+C83gxZ01L3yIk9QpuolMdkdvIU
+iAZRCs+vx8/0D5v19DZERwXsOgJVsGzdnacokG+QNSU3AzJSiq5qhGgGR+qBy7OM
+weqdUWMy01Gj1R7uzv79b6P5A5sbGqWRKHBIxeUgkVZqxHwXM5Q22148kxyZEIzS
+decZoYeaG2Wrrz/tbOEQofpgJEddVOuUQWg=
+-----END CERTIFICATE REQUEST-----

pac_demo/opa-cert/client.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAzwxIonTNCaSl1apXvvBqXyLmH9Ytk4pSUMKzksMWjJumm1va
+E08SP++YbR0y11kgf+QtZOd3WLVOup0AhXRciob6HfDux8LmaTWq+2vxOCB2bIr3
+AffoDsIOKOpprRIYQgNRHOsBE/AB2i7NXodjmtgKQ4MGdQgUU/gpKaPlMWgEnBI5
+mRd0KFusDF/v8gADcDNPPBUigIpajiI1GiFZFkd2qcyk+jIII1xBiDV5BbPfKNwT
+PQ0MiijmLHm7Pah+oLEC6HyRFGLE/RnZ6gpJgqc2FzVr15QRRqAbS/monEsmS7IZ
+ooD0RZbHPKSEKUKQO3uy66RGfLIm1jNbVXgxQwIDAQABAoIBAQCAgKw3/+wd1w2B
+3hZVkFtErqFLEx/4WTobm6veI6zEGfq+o7RmlYXLHsZoul2KoGt2VMUDwlElQmoZ
+kkX3ji+9Xmav3JAmdUWR+Ngk8WqmHifB2EHT++wP9MrbBBoQa5GYrvxRyV1C5YwQ
+wUl/KOJeAUXlftWsHxaWwwexK2KdVUYLhimN8h6oK//fZekwAInjc+YRDURn1DjG
+B2qJf0qPFwE44EZOv5wK1ght6Mit12pAM6Kl/1TxWEdvnkcR2cyjg2+9c+LrztN/
+pxWOfS0Z2T3xuCrnG68a7582dmCTJErQhIrGqnjVtbDODdHI5Gu/7qraSIoAyAmq
+bI4e7s5JAoGBAPl26qEsPf+2B/2G1L11rRLk2dLU5uiPeASeCzUQWcaTCQgL+hWu
+J/ZusjMPa+PvVn69DEY8vPReBKlXFHXiM7KMxLITmseWcMAHd4EHz4yplbJqvceq
+5kY4hMnuQWYv3lnn4TvIblqvHVZvYLSN35y1iy9mNwnL4xgfEUFtjnTnAoGBANR4
+5GvYeBLSXbN/XvK65gnwmWCUGOZsJinkbrtnqkfY1f2ucpQJPmwYJ/S0lVpP3tu2
+cBxkt8W+omxaM+RMxHEpepd0dQcqsVRw2BUQgmbBRpW8tGKUMgsVkQrTIg7RRXGP
+IKUWOic9tBOfsz/3L72tdj7gB5jJI+7It3fk8vlFAoGBAI23970OND6Du/BUW6Ey
+K9uS9Qfn+THe51DANB+2JTpBJ51RqIYOhRdjdYq6VRGNUzb20PVJ5hJxIvbMyIvb
+sIDbpZaAuqpuFamR1FsSA9+mK6vLJfs7ZEw6KX3KA4843Hl42KSszbxoxSLobSjF
+fGY7YFHSIKxJDr8STyw7P/W7AoGBANF3haoUtPvJTPtDHPYr79Ho0yz1lD7GbDFs
+tQYowyUlzoHUU71CB7pFbk6/IWbxywHMsGYtnUdkE3jCzNnMHPZ7MBLUivNP0Zcv
+0LejmQt4i//fE+8DrvpifqWvVKpLAi1cL5DRgu9g04FtNihfpz9WHXcLIjIsSjKE
+yut2WVwJAoGBAN7nlb7XrMULDeyLFWk78CEtPKTrvUyjssZV6TXT3ZKQCYWvWJBn
+NuBKkXjJnezGutv5fby0PYchu9wTouaWL3L5jDwQI8mAkyIB7Gv58POl5cATGqei
+Tc/mcVdX4Zs84LqhTngJ9iKA/u/gsg2Wba8AST1FVHqAgOcHTs97TnjL
+-----END RSA PRIVATE KEY-----

pac_demo/opa-cert/client.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCs/9yMK1MVITANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARN
+eUNBMB4XDTI1MDEyMjAyMDcyM1oXDTI2MDEyMjAyMDcyM1owETEPMA0GA1UEAwwG
+Y2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzwxIonTNCaSl
+1apXvvBqXyLmH9Ytk4pSUMKzksMWjJumm1vaE08SP++YbR0y11kgf+QtZOd3WLVO
+up0AhXRciob6HfDux8LmaTWq+2vxOCB2bIr3AffoDsIOKOpprRIYQgNRHOsBE/AB
+2i7NXodjmtgKQ4MGdQgUU/gpKaPlMWgEnBI5mRd0KFusDF/v8gADcDNPPBUigIpa
+jiI1GiFZFkd2qcyk+jIII1xBiDV5BbPfKNwTPQ0MiijmLHm7Pah+oLEC6HyRFGLE
+/RnZ6gpJgqc2FzVr15QRRqAbS/monEsmS7IZooD0RZbHPKSEKUKQO3uy66RGfLIm
+1jNbVXgxQwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC6dnaRaHu2JRO/gBehgArb
+GugoGIfTzHkqG3tFtQLGpWShW3zXzkZC48ufPKzqX1ZmIBHfznQdwFgLvCi9P/03
+Ey2855RqjbORxIZfUqbxseC1shUJ+veh80KI7qKr0HqndSXlpx2hKxzodoaVZ1rO
+lYUs3v9nWLyzR8LlxOEwC0YTpt006rErXTT0nJzC9UeSY2dwcuHEqp44CKfD4qcO
+s+ZIW0FBgUGEEkUoe5kBWzGJD4LLnh55B7sItFDiUTBamW1F72kLEHRMUXnqHMCQ
+kdLtB8cqTcvXBvAqPRc49nBc2hmfLJbQRITZFuP+4zaJbV3l9vcKFEqjLss5PzLc
+-----END CERTIFICATE-----

pac_demo/opa-cert/client_full.pem

@@ -0,0 +1,59 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCs/9yMK1MVITANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARN
+eUNBMB4XDTI1MDEyMjAyMDcyM1oXDTI2MDEyMjAyMDcyM1owETEPMA0GA1UEAwwG
+Y2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzwxIonTNCaSl
+1apXvvBqXyLmH9Ytk4pSUMKzksMWjJumm1vaE08SP++YbR0y11kgf+QtZOd3WLVO
+up0AhXRciob6HfDux8LmaTWq+2vxOCB2bIr3AffoDsIOKOpprRIYQgNRHOsBE/AB
+2i7NXodjmtgKQ4MGdQgUU/gpKaPlMWgEnBI5mRd0KFusDF/v8gADcDNPPBUigIpa
+jiI1GiFZFkd2qcyk+jIII1xBiDV5BbPfKNwTPQ0MiijmLHm7Pah+oLEC6HyRFGLE
+/RnZ6gpJgqc2FzVr15QRRqAbS/monEsmS7IZooD0RZbHPKSEKUKQO3uy66RGfLIm
+1jNbVXgxQwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC6dnaRaHu2JRO/gBehgArb
+GugoGIfTzHkqG3tFtQLGpWShW3zXzkZC48ufPKzqX1ZmIBHfznQdwFgLvCi9P/03
+Ey2855RqjbORxIZfUqbxseC1shUJ+veh80KI7qKr0HqndSXlpx2hKxzodoaVZ1rO
+lYUs3v9nWLyzR8LlxOEwC0YTpt006rErXTT0nJzC9UeSY2dwcuHEqp44CKfD4qcO
+s+ZIW0FBgUGEEkUoe5kBWzGJD4LLnh55B7sItFDiUTBamW1F72kLEHRMUXnqHMCQ
+kdLtB8cqTcvXBvAqPRc49nBc2hmfLJbQRITZFuP+4zaJbV3l9vcKFEqjLss5PzLc
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAzwxIonTNCaSl1apXvvBqXyLmH9Ytk4pSUMKzksMWjJumm1va
+E08SP++YbR0y11kgf+QtZOd3WLVOup0AhXRciob6HfDux8LmaTWq+2vxOCB2bIr3
+AffoDsIOKOpprRIYQgNRHOsBE/AB2i7NXodjmtgKQ4MGdQgUU/gpKaPlMWgEnBI5
+mRd0KFusDF/v8gADcDNPPBUigIpajiI1GiFZFkd2qcyk+jIII1xBiDV5BbPfKNwT
+PQ0MiijmLHm7Pah+oLEC6HyRFGLE/RnZ6gpJgqc2FzVr15QRRqAbS/monEsmS7IZ
+ooD0RZbHPKSEKUKQO3uy66RGfLIm1jNbVXgxQwIDAQABAoIBAQCAgKw3/+wd1w2B
+3hZVkFtErqFLEx/4WTobm6veI6zEGfq+o7RmlYXLHsZoul2KoGt2VMUDwlElQmoZ
+kkX3ji+9Xmav3JAmdUWR+Ngk8WqmHifB2EHT++wP9MrbBBoQa5GYrvxRyV1C5YwQ
+wUl/KOJeAUXlftWsHxaWwwexK2KdVUYLhimN8h6oK//fZekwAInjc+YRDURn1DjG
+B2qJf0qPFwE44EZOv5wK1ght6Mit12pAM6Kl/1TxWEdvnkcR2cyjg2+9c+LrztN/
+pxWOfS0Z2T3xuCrnG68a7582dmCTJErQhIrGqnjVtbDODdHI5Gu/7qraSIoAyAmq
+bI4e7s5JAoGBAPl26qEsPf+2B/2G1L11rRLk2dLU5uiPeASeCzUQWcaTCQgL+hWu
+J/ZusjMPa+PvVn69DEY8vPReBKlXFHXiM7KMxLITmseWcMAHd4EHz4yplbJqvceq
+5kY4hMnuQWYv3lnn4TvIblqvHVZvYLSN35y1iy9mNwnL4xgfEUFtjnTnAoGBANR4
+5GvYeBLSXbN/XvK65gnwmWCUGOZsJinkbrtnqkfY1f2ucpQJPmwYJ/S0lVpP3tu2
+cBxkt8W+omxaM+RMxHEpepd0dQcqsVRw2BUQgmbBRpW8tGKUMgsVkQrTIg7RRXGP
+IKUWOic9tBOfsz/3L72tdj7gB5jJI+7It3fk8vlFAoGBAI23970OND6Du/BUW6Ey
+K9uS9Qfn+THe51DANB+2JTpBJ51RqIYOhRdjdYq6VRGNUzb20PVJ5hJxIvbMyIvb
+sIDbpZaAuqpuFamR1FsSA9+mK6vLJfs7ZEw6KX3KA4843Hl42KSszbxoxSLobSjF
+fGY7YFHSIKxJDr8STyw7P/W7AoGBANF3haoUtPvJTPtDHPYr79Ho0yz1lD7GbDFs
+tQYowyUlzoHUU71CB7pFbk6/IWbxywHMsGYtnUdkE3jCzNnMHPZ7MBLUivNP0Zcv
+0LejmQt4i//fE+8DrvpifqWvVKpLAi1cL5DRgu9g04FtNihfpz9WHXcLIjIsSjKE
+yut2WVwJAoGBAN7nlb7XrMULDeyLFWk78CEtPKTrvUyjssZV6TXT3ZKQCYWvWJBn
+NuBKkXjJnezGutv5fby0PYchu9wTouaWL3L5jDwQI8mAkyIB7Gv58POl5cATGqei
+Tc/mcVdX4Zs84LqhTngJ9iKA/u/gsg2Wba8AST1FVHqAgOcHTs97TnjL
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICmjCCAYICCQDVbOt5/MRHxDANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARN
+eUNBMB4XDTI1MDEyMjAyMDYyMVoXDTI2MDEyMjAyMDYyMVowDzENMAsGA1UEAwwE
+TXlDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfga5AnIpjoKKfZ
+3N1DGW/6vZWh0k6tigAE6Gd00Tci2IL3lQ3TBhsz2yeJnCNLYvBqCw3pSDyyQdYy
+VtQRduHG3jUa29NJW+qmTYnotq7jPYzcQL1e/ylUNg6XMZR2aCuamGfzqA85Km16
+GIPYE7I5y3loXwVe05EFJpyNRPZ3vT8S6OQLulVSLRPNK8eLLgCl7NXMUz8GPi3D
+TTJGYg1Fhsl6nVWgLcJKJT7gcMVLp8aOz64SlvOEqYQpyG33WIL3zkyBa02gNsxs
+FVwzpQt2RuS9ohQ7zrL/YdGo989LVOkYQdibdgZFvfR9kUvOn/ygl9Hv8qoBRpM8
+zkbtQvECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAm5zHvMw8w1Gl8aCBKGsUQa4M
+j2BPLmQFat886ilIi0WUStEh1NZtdLGqywc7nlMFW3wkLpJ3AoYbHK4CaWozEsv5
+AdWtnbMmTlFuBeQZ41EYnDGmJMv7Th0yiap7g22rS2spT1SaQinTa7tZoEw6lOo1
+ff4Qi4qfTs2/QDEHfU72MI6W9fCp9i0uKwzjhPRihJlugMm1PkdVae3MzvhSqxQB
+vUu0e3xGHgRfRs+3+5IRmu3GLzp7dGlj9YSQECA4XA4mKBek7HO7oD2vA40r2uMS
+qYpIxvwGruOpfWemQtuzmfNUvrOvrQxM/OfMzhau4xvtIpEGYZCJ929PkVU/xQ==
+-----END CERTIFICATE-----