From afb19629532f75c8a92b66bc7f92a9752c561c14 Mon Sep 17 00:00:00 2001 From: Noah Date: Fri, 17 May 2024 20:37:59 +0000 Subject: [PATCH] Squashed commit of the following MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit a06c8cba Author: Noah Paige Date: Fri May 17 2024 16:37:05 GMT-0400 (Eastern Daylight Time) Merge share logs PR commit aee98cf7 Author: Noah Paige Date: Fri May 17 2024 16:34:24 GMT-0400 (Eastern Daylight Time) Merge share logs PR commit 5ca55303 Author: Sofia Sazonova Date: Wed May 15 2024 11:57:41 GMT-0400 (Eastern Daylight Time) remove unused imports commit 8f8bf3dd Author: Sofia Sazonova Date: Wed May 15 2024 11:56:39 GMT-0400 (Eastern Daylight Time) restrict access to the share logs commit 9137da9b Author: Sofia Sazonova Date: Wed May 15 2024 11:28:32 GMT-0400 (Eastern Daylight Time) share Logs button is available only for dataset Admins and stewards commit fcb16bd9 Author: Sofia Sazonova Date: Wed May 15 2024 10:46:25 GMT-0400 (Eastern Daylight Time) getShareLogs query commit 0503a3bb Author: Sofia Sazonova Date: Wed May 15 2024 10:21:25 GMT-0400 (Eastern Daylight Time) Logs modal in Share View commit bab2f3e6 Author: Sofia Sazonova Date: Mon May 13 2024 09:09:18 GMT-0400 (Eastern Daylight Time) Add confirmation pop-ups for deletion of team roles and groups (#1231) ### Feature or Bugfix - Feature ### Detail Pop ups added for: - deletion team from environment - deletion of the consumption role - deletion of group from Organization ### Relates - #942 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? 
- Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Co-authored-by: Sofia Sazonova commit 93ff7725 Author: Sofia Sazonova Date: Mon May 13 2024 08:00:38 GMT-0400 (Eastern Daylight Time) Update version.json (#1264) Release info update commit e718d861 Author: Sofia Sazonova Date: Mon May 13 2024 07:29:27 GMT-0400 (Eastern Daylight Time) fix permission query (#1263) ### Feature or Bugfix - Bugfix ### Detail - The filter is an array of permission NAMES, so a join is needed to query policies correctly - The filters 'share_type' and 'share_item_status' must be strings - IMPORTANT: the "finally" block used the param session, but session was defined only inside the "try" block, so the lock failed to be released. ### Relates - ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? 
- How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova commit 479b8f3f Author: mourya-33 <134511711+mourya-33@users.noreply.github.com> Date: Wed May 08 2024 10:29:36 GMT-0400 (Eastern Daylight Time) Add encryption and tag immutability to ECR repository (#1224) ### Feature or Bugfix - Bugfix ### Detail - Currently the ecr repository created do not have encryption and tag immutability enabled which is identified by checkov scans. This fix is to enable both. ### Relates [- ](https://github.com/data-dot-all/dataall/issues/1200) ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes N/A - Is the input sanitized? N/A - What precautions are you taking before deserializing the data you consume? N/A - Is injection prevented by parametrizing queries? N/A - Have you ensured no `eval` or similar functions are used? N/A - Does this PR introduce any functionality or component that requires authorization? N/A - How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A - Are you logging failed auth attempts? N/A - Are you using or adding any cryptographic features? N/A - Do you use a standard proven implementations? N/A - Are the used keys controlled by the customer? Where are they stored? No. This is with default encryption - Are you introducing any new policies/roles/users? 
N/A - Have you used the least-privilege principle? How? N/A By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 2f885773 Author: Sofia Sazonova Date: Wed May 08 2024 09:22:40 GMT-0400 (Eastern Daylight Time) Multiple permission roots (#1259) ### Feature or Bugfix - Bugfix ### Detail - GET_DATASET_TABLE (FOLDER) permissions are granted to the group only if they are not granted already - these permissions are removed if group is not admin|steward and there are no other shares of this item. ### Relates - #1174 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
--------- Co-authored-by: Sofia Sazonova commit c4cc07ee Author: Petros Kalos Date: Wed May 08 2024 08:54:02 GMT-0400 (Eastern Daylight Time) explicitly specify dataset_client s3 endpoint_url (#1260) * AWS requires that the endpoint_url should be explicitly specified for some regions * Remove misleading CORS error message, the upload step can fail for many reason ### Feature or Bugfix - Bugfix ### Detail Resolves #778 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit 40defe8e Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Tue May 07 2024 11:52:17 GMT-0400 (Eastern Daylight Time) Generic dataset module and specific s3_datasets module - part 1 (Rename datasets as s3_datasets) (#1250) ### Feature or Bugfix - Refactoring ### Detail - Rename `datasets` module to `s3_datasets` module This PR is the first step to extract a generic datasets_base module that implements the undifferentiated concepts of Dataset in data.all. s3_datasets will use this base module to implement the specific implementation for S3 datatasets. ### Relates - #1123 - #955 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 74a303cb Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue May 07 2024 02:26:09 GMT-0400 (Eastern Daylight Time) Bump werkzeug from 3.0.1 to 3.0.3 in /tests (#1253) Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.1 to 3.0.3.
Release notes

Sourced from werkzeug's releases.

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
  • Make reloader more robust when "" is in sys.path. #2823
  • Better TLS cert format with adhoc dev certs. #2891
  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
  • Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836

3.0.2

This is a fix release for the 3.0.x feature branch.

Changelog

Sourced from werkzeug's changelog.

Version 3.0.3

Released 2024-05-05

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985

  • Make reloader more robust when "" is in sys.path. :pr:2823

  • Better TLS cert format with adhoc dev certs. :pr:2891

  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828

  • Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836

  • Make reloader more robust when "" is in sys.path. :pr:2823

Version 3.0.2

Released 2024-04-01

  • Ensure setting merge_slashes to False results in NotFound for repeated-slash requests against single slash routes. :issue:2834
  • Fix handling of TypeError in TypeConversionDict.get() to match ValueError. :issue:2843
  • Fix response_wrapper type check in test client. :issue:2831
  • Make the return type of MultiPartParser.parse more precise. :issue:2840
  • Raise an error if converter arguments cannot be parsed. :issue:2822
Commits
  • f9995e9 release version 3.0.3
  • 3386395 Merge pull request from GHSA-2g68-c3qc-8985
  • 890b6b6 only require trusted host for evalex
  • 71b69df restrict debugger trusted hosts
  • d2d3869 endpoint type is Any (#2895)
  • 7080b55 endpoint type is Any
  • 7555eff remove iri_to_uri redirect workaround (#2894)
  • 97fb2f7 remove _invalid_iri_to_uri workaround
  • 249527f make cn field a valid single hostname, and use wildcard in SANs field. (#2892)
  • 793be47 update adhoc tls dev cert format
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=werkzeug&package-manager=pip&previous-version=3.0.1&new-version=3.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/data-dot-all/dataall/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 2f33320c Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue May 07 2024 02:25:03 GMT-0400 (Eastern Daylight Time) Bump werkzeug from 3.0.1 to 3.0.3 in /backend/dataall/base/cdkproxy (#1252) Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.1 to 3.0.3.
Release notes

Sourced from werkzeug's releases.

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
  • Make reloader more robust when "" is in sys.path. #2823
  • Better TLS cert format with adhoc dev certs. #2891
  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
  • Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836

3.0.2

This is a fix release for the 3.0.x feature branch.

Changelog

Sourced from werkzeug's changelog.

Version 3.0.3

Released 2024-05-05

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985

  • Make reloader more robust when "" is in sys.path. :pr:2823

  • Better TLS cert format with adhoc dev certs. :pr:2891

  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828

  • Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836

  • Make reloader more robust when "" is in sys.path. :pr:2823

Version 3.0.2

Released 2024-04-01

  • Ensure setting merge_slashes to False results in NotFound for repeated-slash requests against single slash routes. :issue:2834
  • Fix handling of TypeError in TypeConversionDict.get() to match ValueError. :issue:2843
  • Fix response_wrapper type check in test client. :issue:2831
  • Make the return type of MultiPartParser.parse more precise. :issue:2840
  • Raise an error if converter arguments cannot be parsed. :issue:2822
Commits
  • f9995e9 release version 3.0.3
  • 3386395 Merge pull request from GHSA-2g68-c3qc-8985
  • 890b6b6 only require trusted host for evalex
  • 71b69df restrict debugger trusted hosts
  • d2d3869 endpoint type is Any (#2895)
  • 7080b55 endpoint type is Any
  • 7555eff remove iri_to_uri redirect workaround (#2894)
  • 97fb2f7 remove _invalid_iri_to_uri workaround
  • 249527f make cn field a valid single hostname, and use wildcard in SANs field. (#2892)
  • 793be47 update adhoc tls dev cert format
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=werkzeug&package-manager=pip&previous-version=3.0.1&new-version=3.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/data-dot-all/dataall/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 0b49633f Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue May 07 2024 02:24:34 GMT-0400 (Eastern Daylight Time) Bump werkzeug from 3.0.1 to 3.0.3 in /tests_new/integration_tests (#1254) Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.1 to 3.0.3.
Release notes

Sourced from werkzeug's releases.

3.0.3

This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Werkzeug/3.0.3/ Changes: https://werkzeug.palletsprojects.com/en/3.0.x/changes/#version-3-0-3 Milestone: https://github.com/pallets/werkzeug/milestone/35?closed=1

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
  • Make reloader more robust when "" is in sys.path. #2823
  • Better TLS cert format with adhoc dev certs. #2891
  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
  • Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836

3.0.2

This is a fix release for the 3.0.x feature branch.

Changelog

Sourced from werkzeug's changelog.

Version 3.0.3

Released 2024-05-05

  • Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. :ghsa:2g68-c3qc-8985

  • Make reloader more robust when "" is in sys.path. :pr:2823

  • Better TLS cert format with adhoc dev certs. :pr:2891

  • Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. :issue:2828

  • Type annotation for Rule.endpoint and other uses of endpoint is Any. :issue:2836

  • Make reloader more robust when "" is in sys.path. :pr:2823

Version 3.0.2

Released 2024-04-01

  • Ensure setting merge_slashes to False results in NotFound for repeated-slash requests against single slash routes. :issue:2834
  • Fix handling of TypeError in TypeConversionDict.get() to match ValueError. :issue:2843
  • Fix response_wrapper type check in test client. :issue:2831
  • Make the return type of MultiPartParser.parse more precise. :issue:2840
  • Raise an error if converter arguments cannot be parsed. :issue:2822
Commits
  • f9995e9 release version 3.0.3
  • 3386395 Merge pull request from GHSA-2g68-c3qc-8985
  • 890b6b6 only require trusted host for evalex
  • 71b69df restrict debugger trusted hosts
  • d2d3869 endpoint type is Any (#2895)
  • 7080b55 endpoint type is Any
  • 7555eff remove iri_to_uri redirect workaround (#2894)
  • 97fb2f7 remove _invalid_iri_to_uri workaround
  • 249527f make cn field a valid single hostname, and use wildcard in SANs field. (#2892)
  • 793be47 update adhoc tls dev cert format
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=werkzeug&package-manager=pip&previous-version=3.0.1&new-version=3.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/data-dot-all/dataall/network/alerts).
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 08862420 Author: mourya-33 <134511711+mourya-33@users.noreply.github.com> Date: Tue May 07 2024 02:15:15 GMT-0400 (Eastern Daylight Time) Updated lambda_api.py to add encryption for lambda env vars for custo… (#1255) Feature or Bugfix Bugfix Detail The environment variables for the lambda functions are not encrypted in cdk which are identified by checkov scans. This fix is to enable kms encryption for the lambda environment variables. Relates Security Please answer the questions below briefly where applicable, or write N/A. Based on [OWASP 10](https://owasp.org/Top10/en/). Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A Is the input sanitized? N/A What precautions are you taking before deserializing the data you consume? N/A Is injection prevented by parametrizing queries? N/A Have you ensured no eval or similar functions are used? N/A Does this PR introduce any functionality or component that requires authorization? N/A How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A Are you logging failed auth attempts? N/A Are you using or adding any cryptographic features? N/A Do you use a standard proven implementations? N/A Are the used keys controlled by the customer? Where are they stored? the KMS keys are generated by cdk and are used to encrypt the environment variables for all lambda functions in the lambda-api stack Are you introducing any new policies/roles/users? - N/A Have you used the least-privilege principle? How? N/A By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit ed7cc3eb Author: Noah Paige <69586985+noah-paige@users.noreply.github.com> Date: Mon May 06 2024 09:32:30 GMT-0400 (Eastern Daylight Time) Add order_by for paginated queries (#1249) ### Feature or Bugfix - Bugfix ### Detail - This PR aims to solve the following - (1) for particular queries (identified as ones that perform `.outerjoin()` operations and have results paginated with `paginate()` function - sometimes the returned query results is *less than* the limit set by the pageSize of the paginate function even when the total count is greater than the pageSize - Ex 1: 11 envs total, `query_user_environments()` returning 9 envs on 1st page + 2 on 2nd page - Ex 2: 10 envs total, `query_user_environments()` returning 9 envs on 1st page + no 2nd page - Believe this is to be happening due to the way SQLAlchemy is "uniquing" the records resulted from an outerjoin and then returning that result back to the frontend - Adding a `.distinct()` check on the query ensures each distinct record is returned (tested successfully) - (2) Currently we often times do not implement an `.order_by()` condition for the query used in `paginate()` and do not have a stable way of preserving order of the items returned from a query (i.e. when navigating through pages of response) - A generally good practice seems to include an `order_by()` on a column or set of columns - For each query used in `paginate()` this PR adds an `order_by()` condition (full list in comments below) Can read a bit more context from related issue linked below ### Relates - https://github.com/data-dot-all/dataall/issues/1241 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? 
- What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 98e67fa8 Author: Sofia Sazonova Date: Fri May 03 2024 12:21:57 GMT-0400 (Eastern Daylight Time) fix: DATASET_READ_TABLE read permissions (#1237) ### Feature or Bugfix - Bugfix ### Detail - backfill DATASET_READ_TABLE permissions - delete this permissions, when dataset tables are revoked or deteled - ### Relates - #1173 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? 
- Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova commit 18e2f509 Author: Noah Paige <69586985+noah-paige@users.noreply.github.com> Date: Fri May 03 2024 10:14:52 GMT-0400 (Eastern Daylight Time) Fix local test groups listing for listGroups query (#1239) ### Feature or Bugfix - Bugfix ### Detail - Locally when trying to invite a team to Env or Org we call listGroups and the returned `LOCAL_TEST_GROUPS` is not returning the proper data type expected ### Relates N/A ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit a0be03c4 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri May 03 2024 10:12:34 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 2-5 FINAL DELETE DATASETS_BASE (#1242) ### Feature or Bugfix - Refactoring ### Detail After all the previous PRs are merged, there should be no circular dependencies between `datasets` and `datasets_sharing`. We can now proceed to: - move `datasets_base` models, repositories, permissions and enums to `datasets` - adjust the `__init__` files to establish the `datasets_sharing` depends on `datasets` - adjust the Module interfaces to ensure that all necessary dataset models... are imported in the interface for sharing Next steps: - share_notifications paramter to dataset_sharing in config.json ### Relates #955 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit b68b40c1 Author: Sofia Sazonova Date: Fri May 03 2024 10:12:11 GMT-0400 (Eastern Daylight Time) bugfix: EnvironmentGroup can remove other groups (#1234) ### Feature or Bugfix - Bugfix ### Detail - Now, if the group can't update other group, it also can not remove them. - ### Relates - #1212 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova commit 264539b5 Author: Noah Paige <69586985+noah-paige@users.noreply.github.com> Date: Fri May 03 2024 05:23:11 GMT-0400 (Eastern Daylight Time) Fix Alembic Migration: has table checks (#1240) ### Feature or Bugfix - Bugfix ### Detail - Fix `has_table()` check to ensure dropping the tables if the exists as part of alembic migration upgrade - Fix `DatasetLock nullable=True` ### Relates - https://github.com/data-dot-all/dataall/issues/1165 ### Security Please answer the questions below briefly where applicable, or write `N/A`. 
Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? No - Is the input sanitized? N/A - What precautions are you taking before deserializing the data you consume? N/A - Is injection prevented by parametrizing queries? N/A - Have you ensured no `eval` or similar functions are used? N/A - Does this PR introduce any functionality or component that requires authorization? No - How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A - Are you logging failed auth attempts? N/A - Are you using or adding any cryptographic features? No - Do you use a standard proven implementations? N/A - Are the used keys controlled by the customer? Where are they stored? N/A - Are you introducing any new policies/roles/users? No - Have you used the least-privilege principle? How? N/A By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 42a5f6bd Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri May 03 2024 02:24:09 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 2-4 (#1214) ### Feature or Bugfix - Refactoring ⚠️ MERGE AFTER https://github.com/data-dot-all/dataall/pull/1213 ### Detail This is needed as explained in full PR [AFTER 2.4] Refactor: uncouple datasets and dataset_sharing modules #1179 - [X] Use interface to resolve dataset roles related to datasets shared and implement logic in the dataset_sharing module - [X] Extend and clean-up stewards share permissions through interface ### Relates - #1179 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. 
a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 6d3f2d45 Author: Sofia Sazonova Date: Thu May 02 2024 10:55:00 GMT-0400 (Eastern Daylight Time) [After 2.4]Core Refactoring part5 (#1194) ### Feature or Bugfix - Refactoring ### Detail - focus on core/environments - move logic from resolvers to services - create s3_client in base/aws --> TO BE REFACTORED. Needs to be merged with dataset_sharind/aws/s3_client ### Relates - #741 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? 
- Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova commit 2ea24cbb Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Thu May 02 2024 08:22:12 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 2-3 (#1213) ### Feature or Bugfix - Refactoring ⚠️ MERGE AFTER https://github.com/data-dot-all/dataall/pull/1187 ### Detail This is needed as explained in full PR [AFTER 2.4] Refactor: uncouple datasets and dataset_sharing modules #1179 - [X] Creates an interface to execute checks and clean-ups of data sharing objects when dataset objects are deleted (initially it was going to be an db interface, but I think it is better in the service) - [X] Move listDatasetShares query to dataset_sharing module in https://github.com/data-dot-all/dataall/pull/1185 ### Relates - #1179 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? 
- Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 750a5ec8 Author: Anushka Singh Date: Wed May 01 2024 12:28:18 GMT-0400 (Eastern Daylight Time) Feature:1221 - Make visibility of auto-approval toggle configurable based on confidentiality (#1223) ### Feature or Bugfix - Feature ### Detail - Users should be able to disable visibility of auto-approval toggle with code. For example, at our company, we require that shares always go through approval process if their confidentiality classification is Secret. We dont even want to give the option to users to be able to set autoApproval enabled to ensure they dont do so by mistake and end up over sharing. Video demo: https://github.com/data-dot-all/dataall/issues/1221#issuecomment-2077412044 ### Relates - https://github.com/data-dot-all/dataall/issues/1221 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? 
- Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 82044689 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Wed May 01 2024 12:26:42 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 2-2 (#1187) ### Feature or Bugfix - Refactoring ⚠️ MERGE AFTER https://github.com/data-dot-all/dataall/pull/1185 ### Detail This is needed as explained in full PR [AFTER 2.4] Refactor: uncouple datasets and dataset_sharing modules #1179 - Split the getDatasetAssumeRole API into 2 APIs, one for dataset owners role (in datasets module) and another one for share requester roles (in datasets_sharing module) ### Relates - #1179 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit 5173419f Author: Noah Paige <69586985+noah-paige@users.noreply.github.com> Date: Wed May 01 2024 12:24:42 GMT-0400 (Eastern Daylight Time) Fix so listValidEnvironments called only once (#1238) ### Feature or Bugfix - Bugfix ### Detail - When request access to a share on data.all the query to `listValidEnvironments` used to be called twice which (depending on how long for query results to return) could cause the environment initially selected to disappear ### Relates - Continuation of https://github.com/data-dot-all/dataall/issues/916 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 7656ea86 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Tue Apr 30 2024 07:13:01 GMT-0400 (Eastern Daylight Time) Add integration tests on a real API client and integrate the tests in CICD (#1219) ### Feature or Bugfix - Feature ### Detail Add integration tests that use a real Client to execute different validation actions. 
- Define the Client and the way API calls are posted to API Gateway in the conftest - Define the Cognito users and the different fixtures needed for all tests - Write tests for the Organization core module as example - Add feature flag in `cdk.json` called `with_approval_tests` that can be defined at the deployment environment level. If set to True, a CodeBuild stage running the tests is created. ### Relates - https://github.com/data-dot-all/dataall/issues/1220 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit b963fe81 Author: Sofia Sazonova Date: Mon Apr 29 2024 09:26:36 GMT-0400 (Eastern Daylight Time) Notification link routes to a share request page (#1227) ### Feature or Bugfix - Feature ### Detail - in notification object field `target_uri = 'shareUri|DataSetUri'` - this value is parsed and used to redirect user to a relevant Share Request page ### Relates - #1115 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Co-authored-by: Sofia Sazonova commit 6386fe14 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Mon Apr 29 2024 07:32:00 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 2 (#1185) ### Feature or Bugfix - Refactoring ### Detail Remove and move logic from dataset to datasets_sharing module. 
This is needed as explained in full PR [AFTER 2.4] Refactor: uncouple datasets and dataset_sharing modules #1179 - [X] Moves the verify dataset shares mutation to the datasets_sharing module - [X] Move dataset_subscription task to dataset_sharing - [X] Move listDatasetShares query to dataset_sharing module - [X] Remove unused `shares` field from the Dataset graphql type as it was not used in the frontend: listDatasets, listOwnedDatasets, listDatasetsOwnedByEnvGroup, listDatasetsCreatedInEnvironment and getDataset - [x] Move getSharedDatasetTables to data_sharing module and fix reference to DatasetService I am aware that some of the queries and mutations that this PR moves look a bit odd in the dataset_sharing module, but this will be solved once data sharing is divided into dataset_sharing_base and s3_dataset_sharing. ### Relates #1179 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit d7a95180 Author: mourya-33 <134511711+mourya-33@users.noreply.github.com> Date: Mon Apr 29 2024 07:21:54 GMT-0400 (Eastern Daylight Time) Enable encryption for lambda environment variables (#1225) ### Feature or Bugfix - Bugfix ### Detail - The environment variables for the lambda functions are not encrypted in cdk which are identified by checkov scans. This fix is to enable kms encryption for the lambda environment variables. ### Relates - [ ](https://github.com/data-dot-all/dataall/issues/1201) ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A - Is the input sanitized? N/A - What precautions are you taking before deserializing the data you consume? N/A - Is injection prevented by parametrizing queries? N/A - Have you ensured no `eval` or similar functions are used? N/A - Does this PR introduce any functionality or component that requires authorization? N/A - How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A - Are you logging failed auth attempts? N/A - Are you using or adding any cryptographic features? N/A - Do you use a standard proven implementations? N/A - Are the used keys controlled by the customer? Where are they stored? the KMS keys are generated by cdk and are used to encrypt the environment variables for all lambda functions in the lambda-api stack - Are you introducing any new policies/roles/users? - N/A - Have you used the least-privilege principle? How? N/A By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit ca44e49f Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Mon Apr 29 2024 02:10:57 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 3 (#1186) ### Feature or Bugfix - Refactoring ### Detail Remove and move logic from dataset to datasets_sharing module. This is needed as explained in full PR [AFTER 2.4] Refactor: uncouple datasets and dataset_sharing modules https://github.com/data-dot-all/dataall/pull/1179 - [X] Split the KMS client and create one dedicated KMS client for datasets ### Relates https://github.com/data-dot-all/dataall/pull/1179 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). `N/A` - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit e691b0e2 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri Apr 26 2024 07:13:11 GMT-0400 (Eastern Daylight Time) Refactor: uncouple datasets and dataset_sharing modules - part 1 (#1184) ### Feature or Bugfix - Refactoring ### Detail - Split the DatasetAlarm service into the alarms related to datasets and those related to sharing. This is needed as explained in full PR #1179 ### Relates - #1179 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). `N/A` - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit e15df15a Author: Sofia Sazonova Date: Thu Apr 25 2024 11:34:26 GMT-0400 (Eastern Daylight Time) Profiling job fix (#1222) ### Feature or Bugfix - Bugfix ### Detail - ColumnProfilerRunner must be imported from pydeequ.profiles - Workaround about missing SPARK_VERSION ### Relates - #1216 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). 
- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Co-authored-by: Sofia Sazonova commit 5df61006 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Thu Apr 25 2024 08:51:25 GMT-0400 (Eastern Daylight Time) Update version to 2.4 (#1193) ### Feature or Bugfix - Feature ### Detail PR to be merged right before releasing 2.4.0. It updates the version in the repository. ### Relates Release 2.4.0 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? 
- Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 083272cf Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Thu Apr 25 2024 08:14:32 GMT-0400 (Eastern Daylight Time) Documentation in userguide for release 2.4 (#1218) ### Feature or Bugfix Documentation ### Detail Explaining some changes for multiple environments in same account ### Relates #1203 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit 652fe923 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Tue Apr 23 2024 11:29:26 GMT-0400 (Eastern Daylight Time) Fix: sagemaker tagging permissions (#1211) ### Feature or Bugfix - Bugfix ### Detail - Fix value of key-value conditions for tags in SageMaker - Add permissions for tags coming from creation of resources in sagemaker: https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#access-tag-policy ### Relates - #1208 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit c68d2090 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Mon Apr 22 2024 11:20:40 GMT-0400 (Eastern Daylight Time) Fix reference to locationUri (#1209) ### Feature or Bugfix - Bugfix ### Detail This PR corrects the uri used to update the shared folders permissions. 
Instead of using the locationUri which is a field of StorageLocation objects, it uses the itemUri, which is a field of the ShareObjectItem object ### Relates - release 2.4 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit cf6f461c Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Mon Apr 22 2024 07:18:53 GMT-0400 (Eastern Daylight Time) Fix: unnecessary permission check in resolve_stack functions (failure in list datasets when there are shared datasets) (#1205) ### Feature or Bugfix - Bugfix ### Detail The function `get_stack_with_cfn_resources` from `StackService` is used to resolve the CFN stack details of several stacks in data.all. It is a private function that is not used directly as resolver by any GraphQL query/mutation, so the permissions are checked indirectly by applying the permissions in the main API. Better with an example: API Query: `GetNotebook` (what we want) - 1. 
calls the service `get_notebook` decorated to check user `GET_NOTEBOOK` permissions on that Notebook1 - 2. calls `get_stack_with_cfn_resources` to resolve CFN details of the Notebook API Query: `GetNotebook` (what we currently have) - 1. calls the service `get_notebook` decorated to check user `GET_NOTEBOOK` permissions on that Notebook1 - 2. calls `get_stack_with_cfn_resources` - 3. inside `get_stack_with_cfn_resources` we call find_environment, which checks the `GET_ENVIRONMENT` permissions of the user In this PR I revert to pass the environmentUri instead of passing the environment. Instead of using the EnvironmentService, it uses the EnvironmentRepository ### Relates - https://github.com/data-dot-all/dataall/pull/1181/files ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
commit 35f498aa Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Mon Apr 22 2024 04:38:40 GMT-0400 (Eastern Daylight Time) Fix missing $ in CDK custom policy (#1204) ### Feature or Bugfix - Bugfix ### Detail Add missing $ in parameter reference in CDK execution role custom policy CloudFormation template ### Relates - #1202 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 3f788038 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri Apr 19 2024 10:56:41 GMT-0400 (Eastern Daylight Time) Fix missing session in resolve_environment (#1199) ### Feature or Bugfix - Bugfix ### Detail `EnvironmentService.get_environment_by_uri` receives `session` and `environment_uri` as inputs. In one of the calls `session` was missing ### Relates - ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). 
- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 96e8ee54 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri Apr 19 2024 06:12:44 GMT-0400 (Eastern Daylight Time) Fix: Remove creation of log-groups in Lambdas (#1192) ### Feature or Bugfix - Bugfix ### Detail In #1134 log groups are created explicitly for each Lambda in the backend, which results in errors when the log-groups do not exist. (see #1190 ) This PR removes the `log_group` parameter from the definition of the Lambdas. It reverts back to the previous (2.3) settings. Tested: on a fresh deployment, making sure that no log-groups were previously created, the stack creates the log-groups with the Lambda name. For example `/aws/lambda/--esproxy`. Update: we need to explicitly define the log groups to avoid the log retention lambdas and their roles and policies that CDK automatically creates. 
So to cope with existing groups and non-existing groups this PR adds a CfnCondition to the creation of the log-group ### Relates - #1134 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). `n/a` - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 8e157291 Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri Apr 19 2024 05:50:54 GMT-0400 (Eastern Daylight Time) Fix: Update CDK exec role Policy name with region in template (#1197) ### Feature or Bugfix - Feature ### Detail - Adds region as part of the policy name of the CDK exec role - Updates cdk bootstrap command accordingly Backwards compatibility. If not using multi-region, users won't notice any difference because their CDKToolkit will continue working as usual. - If at any moment they want to onboard a second environment in the same account, they can create the second environment using the new template without affecting the first cdkToolkit. 
- If they want to use the new template, they can just update their CDK Toolkit and the cdk exec role will be updated (new policy attached). Since no roles are deleted and re-created, users and existing resources (e.g. KMS keys...) won't be impacted. Testing: - [X] Creation of the stack DataallCustomExecRolePolicy stack + creation of CDKToolkit with this stack + creation of second environment ### Relates - #1196 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit 1f5e641f Author: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Fri Apr 19 2024 05:37:28 GMT-0400 (Eastern Daylight Time) Fix input parameters for get credentials get environment group (#1198) ### Feature or Bugfix - Bugfix ### Detail - fix order of parameters in function ### Relates ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). 
- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit d4819ef5 Author: Sofia Sazonova Date: Tue Apr 16 2024 15:51:46 GMT-0400 (Eastern Daylight Time) Refactoring env stack part4 (#1181) ### Feature or Bugfix - Refactoring ### Detail - detangle StackRepository & StackService & EnvironmentService - Move logic from resolvers and repositories to services - Remove unused params ### Relates - #741 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? 
- Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Sofia Sazonova commit 356a8a7f Author: Petros Kalos Date: Tue Apr 16 2024 07:13:50 GMT-0400 (Eastern Daylight Time) run db migrations in a custom resource (#1177) ### Feature or Bugfix - Bugfix ### Detail Currently the DB is being initialised in the DBMigrations pipeline stage (using CodeBuild) which runs after the BackendStage. The SavePermissions TriggerFunction runs during the deployment of Backend, just after deployment of the DBCluster. As a result on clean deployments the SavePermissions step will fail because the DB is uninitialized. To resolve that in this PR we do the following * remove DBMigrations stage based on CodeBuild * run DBMigrations as part of a TriggerFunction/CustomResource after the DB deployment * run SavePermissions TriggerFunction after the DBMigrations TriggerFunction ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? 
- Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. commit b634b417 Author: Sofia Sazonova Date: Tue Apr 16 2024 06:27:23 GMT-0400 (Eastern Daylight Time) Refactor core/environment&stack module - part 3 (#1178) ### Feature or Bugfix - Refactoring ### Detail - Detangle stack_helper and Environment module ### Relates - #741 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. 
--------- Co-authored-by: Sofia Sazonova --- Makefile | 2 +- UserGuide.pdf | Bin 20272831 -> 20622385 bytes .../modules/dataset_sharing/api/queries.py | 9 ++ .../modules/dataset_sharing/api/resolvers.py | 8 ++ .../modules/dataset_sharing/api/types.py | 16 +++ .../services/share_object_service.py | 65 ++++++++++ .../DeleteObjectWithFrictionModal.js | 1 + .../components/EnvironmentTeams.js | 46 +++++-- .../components/OrganizationTeams.js | 23 +++- .../modules/Shares/components/ShareLogs.js | 119 ++++++++++++++++++ .../modules/Shares/services/getShareObject.js | 1 + .../src/modules/Shares/views/ShareView.js | 29 +++++ .../graphql/ShareObject/getShareLogs.js | 15 +++ .../src/services/graphql/ShareObject/index.js | 1 + 14 files changed, 326 insertions(+), 9 deletions(-) create mode 100644 frontend/src/modules/Shares/components/ShareLogs.js create mode 100644 frontend/src/services/graphql/ShareObject/getShareLogs.js diff --git a/Makefile b/Makefile index 2dc6fd25a..9188d2d12 100644 --- a/Makefile +++ b/Makefile @@ -49,7 +49,7 @@ check-security: upgrade-pip install-backend install-cdkproxy pip install bandit pip install safety bandit -lll -r backend - safety check --ignore=51668 + safety check --ignore=51668,67599 test: export PYTHONPATH=./backend:/./tests && \ 
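Review bot: The new `safety check --ignore=51668,67599` line in the `check-security` recipe suppresses a second advisory ID without recording which package it covers or why it is acceptable, and nothing in the squashed commit message visible here explains it. An unexplained ignore tends to outlive its reason, so the scan would keep passing even after a fixed release of the affected dependency is available. I would add a make comment directly above that line, e.g. `# safety 67599: <package and advisory>, ignored because <reason>; remove once <tracking issue> is resolved`, and document the existing 51668 the same way. The recipe's target line sits above this hunk, so only its last commands are visible here.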
diff --git a/UserGuide.pdf b/UserGuide.pdf index 5c6e6319ec9ab39b728d39f689346021e8b45396..c55a267e0e9c7f58aec394c4f3c1fcc60358e5d0 100644 GIT binary patch delta 40002 zcmb@uWl&t(7A@SkySqbhcMa|kg1bwA;1;AIxCYk{65Jgcch>;H9fG?%e4LznPu2JC zd&Lh<7ptnPd+s^b9BbNIdpE5mlW-L?yKv>4Qc0NtP?%K$Qj(BW+cI%rD6DL(oQzJE zMvi8THg*9!Z^hw-{(h0VvN3TovA_%d{rczQ|3guR zLj?yI2IyD=d`#jGCa5nRJROVVh08#uRp46)uK`Xv*@MIY*|dVcqkp}crCo4L^4F`u zK!ON`{F{X=G>AL&7gIu1^z|c8a{{ysMq60i~NQA zm#2a9-a@z$zlcj@2;q$SdfZBTh!yapwK6CyP^uF|CDV(za+wf^1h2={Zu!IWU$~B~ z5Zq)h;^wbFpkcorckc2(JmVyNnTCb~JzPO_AiW6Q0tHzD^Lp?IBuGN=zZba-1yTv+ zMcfBsNH^Hm<0jBR{@1yR-#{87fR30Uu_6D@MD}+YAm;c>_K!nwaY7Cdyg0`vWk?E? z*UwSR5Yma}^=hVrAs1h*1`{+@28r?~9I-$L<&df`ryr3{NSIfrAIv0iV?N3`wBSypij${YRlko)U@5!+!6j|GC?sNEjL7d(aR1upfO*UHvZsJ9R3FvGwC@?LxO~kpkpv!1RsHbdH=dL{SUY( z3e4X|V}i6$VZvT^lQn#p`q#P1AKWHVn3DhGN_%n`nU}XEb=)x9|AM{kV*l7XBM$TF z<=XI04d(7&SY%s$nBxD~OKJ!+0|5#(hOzvg&0o?VZs1M-nIoAQ%y--ueWA@8rWon< z0T3Df&ziiAgh_b0kDW|~aeG}K`^R3}%zx|+$bz{?0X3DtG(-JQE&L-JTlJUhpAA)E zHB1xCi`D zRM`JArh*1rfCPGj4?Fa~-TEKBNF@KrQjx-9!@bBZA1&v3<@|KS;36PD;@o|%kbvHyjvYi9lr z&z=^rO|T$bTUgxxhu_H9!>0TTkPxo_P)y(k%ky%=RSAZj{}&RjV)Q>0o5#T3yiBov z8f?J7VegOs;NpUaGhsPlUvw#zLfD#rA%xzP{fB2vkZ?IHJmQPE(oL{Q(64so+RlGq zak^mHU#{aav#{m=LLJB7fQ?~%_3S}I=y2OquU9k419$gal@g$^L9={t+b_3{Z8C7I z|ALdFtH8BF{Jk-nRf7|InSBClxS3b64|=W>6n|1CHi*$3?&0NlrVWJ?d3DOf1ck@K zeSP&xVS;4p;Aq%hzu+;uaQ|(a^Y`GmUXJp`Gq?}`LX=xx|APy>fg2%tG0Nrf-~-WK zZ|^A`e5K&))pT3J!$W|cH}cFcZ*Y!*@Y}CCi~75nz6paz`p+2{QY3sD_=}9?eSxVJ18f37+hf=2-Z9Sy^8;=gFruWk4o zvVE+9yV!dpXZxF(Vwk zE~WpmmzoFRzpcFhFM=+@%chDW5WlXDKjUJ6reqQRo6!#B5LOUCPVW)k|L->8kL zvn=R&6Bhh(TV-jCfcLt#>JMb5#Xq#vSt9&~0FhcFxcpze6a!Rh^N%Urwg_)AUZfDp z524_7@%LwrqtOT)EU)o+5L!FJ+<%hQX(s|N0qFNUg2?~&=g(r8Afe@d7*Sn8`0}!& ztnDFKysi-c!L`0X;D86kJ|QeZyhLo$M+ij8zuS{02t;%o5EmX|%>ORhm;@pwXcZsv z+3%l^mGMCL1c+NiFX;xY@glCiu9bPleGc(I_onV85qDlb&i-wQnD@Gyq<>5;@%YQs zKgZc!pAact&Ssl2h~=+4M*riVplrk+&VSbj13V;B&lf57iAP!&eT_pWIdGC;Bz>Mn zdjB`S`xY(%JXS14sz7{mry~3*2w-$uQ#?W1zGiP 
zV+m4`Vc)(8OFoZWK=FFm{YT{YAhsvuc9s_rPnl6bue-tahu;BN6gAK@zY)P8-X;_? z?EmL|k@RttjMv>m{e!1>i=y#|*x<%nl;?r^JkXv8`t!he9+=Mq>v>>551i+L3u?T@ z6I>7WWx)pdvfv2Lf`;I5^D_Ql(+s{^#D5+HpsPhf+1ItYf2M0pK=dD{Zz3RqdU}H!$JdqyhwMaPhU`2ZM_^`Xdwxf7T#as8Z3|XuIS>1^TTt|kr_iR|gO)|L83Z`Z zstk@(VB^y!YAg}9Ozppvfby(eH#P5ewB)WCAnD!mtXb1}2yPoO^PWGiO*X6awwj_7 zLU>!doL1TI2$WV+QG3tDuVa&R)yi*;mJ!I}viQ+9U6ZX&K(DGwqVSux^xurU1i0_KloQFqn z@z`f711GiicsSlZaNty#-a)wSQf104RKG7%8arhG-fZ)aw_0HD#u=p5#EY?;jm<9E z_NS^MPj`M)7&}F*NMIgZYDL4*6YzluXVDw0NUB6&ED#Y-Gf2tYz$0%I7KvY3+#Izi z+4vc-6Q;Os-ujkhNrq;z9e-6|{<-BrY)r&b`C_Q@WFX1BWZOP~mTu(GtCPDm zfO#khy-9O)*G9X?q9<~&@>A**o&PvcdvCHH$Aa-$a(6)^&wPJL$$Lx^Jmq^0l|rP+ z<=rD|)7p$DOqr%Ld5Mm2YR&gfwA}oe=0%P&(La3}vALk~u z==liSuX1x|Qpro82+=<*gcSF1<(he!FZjgem^lYX;4c~TTE7jZkbhUwk?oVta^^mP3n6}}IIN#(KC6h?5^xyC^AYWA=Q6|&Vdqw<*A(oyXRGFZn4 znhDnGU-tB)=xpO$isBKsK;n;+YSYis)Y(PClplX;{?IT9UFmPS@T{70f$gaNZNB9Q z`h-Sa>;J|>u|8CfYe98?6te!3Nx#oA`&)7A+<53|O)IapUNEV=#K-*Q{wW+w;Yg&P zf?ri23t1nmMXhMQOkj9m3Qk|RwT545iXzIDS_U+)SJM-ASi(CJ01uGd*0^CA>)zsv zL7-^K2qw0x)joA^wRXuzPZc>g@`zcBzoi%NNut8k9L zBc%U^uu$4>bBZJ14Cp>uDXEf{c}~&xDXY9X;EhU5q|ukn)KZeXP=jk5$MAiH8cG$X zQ$nQ&vSFtg^8?B^t=}*Pj%s7WKQvvV>GJtRnJ|lOhsY>Lx zJn_2IxM2jL+|{RxrC)vgYnI7{{g8gz+CcP3Lw5ROuylpGmH_7}#^$5s=a>uZls|^> z=zenK=E91Lmps8(62fY5Q6tQVZiciuc_h2lGl} z&<7Q`rEvhl$1-5=gZ22%$f4Ce_(>-yXDM@%)OHn7fUm>o;9_i?pi2F!E@13NIJrst zer~xYeebq7Zj5@eHnImjE8IkDcU&uPGCosg>iaQAL-iDyA;C6NL+BEftucl8mE4sd z$OXVY6ka`Sv|&42FH>gXs2`_4PuK-wGQlnV3p>B{cYg?}Klu@_$ z^cfWw1x^+n7b8G@J`$!%#YOY89E^5OboW+{hdLMVgW2-Hz~#pe_!TaL2Zh$*dz(`q z(RA3N_AeYLbOR~h9Is$9^F$k*WaHScAc>3mQ5Lqu^G67M9|^G?_{=JU?R?VYqL?!J%~iw zWl`f=RWn!ROEhJDp8ckFY)yZgA6Vs62Vxr{Cj%aqdH(0TW>M}e?88L(W6jL?8ygZ?qMsXY;N3v3O(`CmmQfOm+loK`Dv)^$T%Uh!{@uv z)hG1eJJ%<~gI6QPynjGEMDNu2%n@J}DfF`!s<6U|X(0S=dqmZa#4j}E>*@-VnAVr$ z?;H!}&U#1%UVZ^E-YKo*=8Bx%3MZZ-mvDav_Runkg?U>XZGP4)NbBvC;+yG7@AR>V zg)CCi=xsLUtjjeF%6|tp`&J1NEz_6+6G6|4p?jWSeLm&eJ%4wg@Yh3Id7|dIOTO%R zNpc@YDX^l7kkOseq;P|jnx0Ao0YVeuFU0syq}K9xW& 
zU>Emp5omDrZ1tk`$Zz-Y{Nrk<;U4qYQ*z&r@4F8ojoU-qkIdpQ)T5U zn@gYO6%dnFRkJD0lY2=MaoXKag2P z$s&W6A9sp5g|OT0fTi0V*of-$YCzrJz!6avgHQrPM)~qs%h<1nHr=P9*O5=BJQDN= z2Qnaq#PvvZi~|ge)O84Q6^`*agsQ}A&45wnYOsxKb1nuwYHWd)4tj9bcP9Q0&9;Xd zt;6X@N)jhyhO^`fQk(X?2XWgWkI)itE&Z~ZcQ>-Mti2dMC(+go_c&nRtvCJn4HVss z4uC_Wn@n$Ex>x&lyO;4qCnb5=`J}t1XVntq^pmo>|A;))JjpAR(m7FgZftS2IKhX{ z?|_z4Thn)p2PJEOv*}k5tobiVypr?NU(?sePmlK+ylfm?-ivuPka$e;n-K1O@Lu7R zrbu()E_)kV^bgLW-n-Lz#?stNV?f9K4^(_jhSI78Q4C*WFnSrziX#rkJ;PmL-swU$ zT86?VqM}MoC5$-MJ^Vo?JI~9iWV6UoriY6S^-D#f-x1o=_|k57o7I>06p0yS3?})L z#`ZhahzXUtUkq017%4FX%{2>Sf^lvF4SpEzn_vC1`}>3U-NLB@R8h!4>-tQIu|QAF zFNMLhOL0AxB%laBE5@CUf#N_PJ|k^91nK5R^@K##Us;+Z(G!BaSa(tb>5SM@{Q|Xe z%~ERQD}+`Nw&WH7KAO*u`8LA*)+HID(!&KCgw>wY)m;)4c+hH*Ix#=LCO%}fbG6W3 zc<*?@g>L&cbfGKSN9A_`ZNp$itz}XXus6G(e#gPSk55*S+7o*BPPwX(Yp2|6NKzAV zDF#)O2g1ZAVA7BW1ZdG}2s0pC zdx`wnIbyx*BptI_r9-GeH&Gs0b*)$3L*iHONMpQGBTjq=82U2#1u?-3t{v(}OgaYP zJ)Eg^cZ;5J;gmMj?wmK;Z*AjiWW#HAiv5X^4(FaojfQSDfM|iNTy5lvKCA9^E41_j zgVoF{iptI#1!WCaEn4aK5k447si+#cDa_gr-fP%nxEs|PdU@;;>q?jp+a!&VK*lW} z|0yfefc+o-{^lOza7uI)oiGFZ970`X#@{Bl9(Hr?mq6y;FeFOJrIoBTQ&E-QG5H1D55%rgHP9T7zD;8ZuI37T> zTaANdP^?1HcVBnD$s*BG(-e%pL8gA@Q?4qK6!jZMu%xW z%8sBB?q}=K2_PA>>EOlANQ|>ss3F*L_jw`rGn#1&M9;g$HjmWu28CQ=t9kH1C-w$5af_KKx{3wqO^TVQp(rcXl#KXarWDK+VrqN&JaVF&H>GbLDAC zW>;DEw)5I@Q^^nN;`R@;Bphf2d8cFE{Wv)(O2FyUEvcp3;QeN$dd9@ANd`uzP0pzn zdHZ8B*Nj{E3uHy&%a+@f`8W`aA8*{KKLqZgS(DruWswC{LgHdly9hLuKe5D}NeAPX zXj1?59qn_qWn;7SI9EIUkvDJ}kMSJ#W+)|NWJ?u4jSd)|3yZ$wp~;mrf0wOugaF@3 z4N&Sa=|R@!v@aRqvlyFk_mYcl+DK&x&AgfFpryQ4*2pQ9bqT?0pI!R*n|P-l4t=So z#f<(AkDKk`9c>{@qxB4}G1lPl#>B1IAfC?l4)UVC;`E&6ptAD6K!h9+!-OqUc(2_) z6GC<=3Z=)N{0>I$T7|Uu1u>pXZebJ%v=L{`ETmPFOskw=N4Tz4<4jkp_uL5i=HJNo z5ck!@nvw8;uKH<8I2-nI*RIM#u8?(4smfgipIRblBlZJFG(UC&L)rKtIov}?ogBUq zXC_bQjTE&+9NV{KZsLLp`{M#aO!gI0p05m!E8wFRZDo82lMs-DVblbti3f z@fMV^&6#p!md-5Za959oV2s+IM#RrsDxiD4EfV_{2UScNUoN#D(_@*PQ1vr+vWxtJ zxZsQ0cb>%~hmBQbcy=4MTDA%QRN(FRUo`b*mwEDcK(tvByP_CUIvHtEq#704ns;IW 
z+E>CQ33QprXUX3?3ABFeT9a4t}6%cw&ju7Dc^hsA6z;5F=y%9Gsk=dGO(EMH6~Y>!X2u zv+wL9N!7?)FOcI~7Z!D=&X$YkrrF3+x#J+Tjw(T|!@B zUxq$G?Z4eo+&%3~n-$Ohq1;|M3k{ zOY&O`DgL`QX->2z8i~Dwx#q^~kU_+nrbu@Rt+R*(qNl3XXpN^Z=aDcfNW7MZ;T>$I z=%D6Jgs1i`5XRG5Yup}CxOz&iSa0Q)yZEDA)!-rL@O){^jd~|1{+fiBS%XBA(i}#p zJ8NEbs`H5KQk&Gcuj(pkpO61O31+q+L&HNXmnVz#x2Bi}@Flx!lA#~SbQNunJf4*w zZOKm!vmc}Bg}%IbNf zZo+|XN=t=Ha2^|4PjX3`vkaa*TW=A~&PSeZZ{*hARMe>!>Ff-gH zs4XAJmS)>ld79rPsEIp#jMXuDIzixR5AAD55AvJwxe=VvNN#!x4CALYM?tzBeW8xkX^5l_Gzu_@Jm@A8wu%Ys z1F`r|QtysY`}NF@fTVCh`J#dR|U~{ zZH}Iez)3aV8=5rdn$~hsBd(ik!o~YrY7W0gQLzWPPV-Ca8~+$=0nN+u;7PYu z-spz}c??J(85|l-o$py&&7c?(OB7`1Qgz;1bcX%Gkq!&g%u%qxp!vNm*1P0 zjwG&d%866(&+KKokaHDLXq3^r3wV_JPU_J@SPF50>Z&mVHkj}2l0QB0h`;Y;koHta zeXrkwto}g7o9Ed<87R_nO5R*_VqVsA<8R~5`n7dsN)e5`A*9A$t`6J^p>gxF3+aTS zxFb`6u6oY&=c6=|kLmXufd#*r47E@}T$Rw|6poCTW>EfBvwjX5wbVl?Jo(jFQ0pn@pC(I(x>AgGQe#J7=QGvb0QT%XAFoZfY zN(}tEmU=KQN!e=b5}6u_x0x#}f|ivilBQppOo6-nR%Jw)YnePjhqkR0l(51cY z4rncc&}*uNKnT8cd1n$~dgt_pA6L7x(}fuf10xu6>%++kf^HC;nX&5Zh;O>lKGNXQ zo9>_uoDvUwp31&8<@$}RhAH_SThS?958gxDY?8E{QULqJ8{RNS zQRknkatdju^nViJJ=~j*Ee{%asWs4>Cup)*i;9I%gPqjLi?VT2Lq*J)k~X)h4nKDF z4aqo{V)sWQ3XI{Zod-3r%g=W@GWYN$U3##jNl5y##1)N1pNt?`n&$zlnojI&kAcni zlhca>R?Z;_bzDpk+*;p7K3@l0j_K)(^)2|=|7bNUr(G<>P->Ho=7`QrV6 zVts;`&7*ueX}3cdQwnxPtJ+uZmZha}67RB;TY^eg{5_KdtM|Id39G1Yzw)Hm>yaF`8xT zPm~7TT7(}@t_bX!$mnUtz)Cx`l}XVG&^*e0Y5Pp;E)3~KixXuo6lB%jC+;U&fr>w^ zf7;$ZKN{*xp&;AXGA~(OcfSMXrO(Q)hw4*qWqNy*`0N3TmT#>dZwVL}!XklVmZe~L zDrCrA)ZN9kB$jms9Wo)wA%1iwIR-oW#cn|^SYBCspsh9E>gdtnD1(j$z4@j?*Np2~ z93;Zg2UoAFw8Qbn)oJ~l=Q8w5A-6lEm)C)q(}|icC^QAnIKi?*;DhSGo4Gerjhzi2 zZ#NK>v@h2&wnrRck7c?vmivHqz_#5YDf<%WGGr!>LX<}(kbAeF8yd4TBlZxRZXln- z$XCP4*2QoU^deSiS=)%oAlAdk0W#g|I1kGd64dby0b;OUO+Y+3ZQ?QV2;rNW>I?nb zZAMU2+bukos5}EZ4l0VwSFuTP7NhaI4{TU6k~v%jEuJz-202%8S!2NaWXN>(w-^ft zo~G@GBr)r@(6>V*y&1ZfBzi6f&iBWNjpFKIiROJ>2zlysk)Bz&iu3); z{P^u(l#<01d|NK^T25;l-ApwYT!AV~!Wc)790toPJ1&lIgEY?!6`O>u*^0X8y$^XUN=tYbn8F&-FQ4)M6<#np%TEwmG#dP6=TkB>8-4#lb%6Vyh 
z>|+XP%tyNtn)Wryq*#1jse=0pO9u#%5tF^005Pkk{VDT)I)rGAKH+i2KmA!iH6 zTPg})MH(9oOD@jvgBtEb78_9_9le!4#%-X7>gCAYbx=*(xm~~ezz@O99&-X3y;%Mg=ZCTPWd+X=LEx%S5)kUve>O&@kt-s zk4L@~x6=Bfsf8l~9crvTGO=5*h-U3{_0NWwuV>Tdv9?O#1yK<92_XAeNPU)xNueS# z5L_z?N08COjVdY5S%uA!HrgaJygOj$J5lB?iTxn?b%VCx$)|%bZ151+Hvq2?^TE{Z z%WW~XmUoYLJu{Pg-IGAl~=s!gR0B7 z+VndWbrqT+BjY;1&srP$%oQfMmDapS$N+?KX(fW8XH3#PA7uM z4ODTA`t(^{KvJR4Dek<-{jrc^)ry4@+R4lE*&@l@-Yyn2(>f}!?UXopc3M8GA)Iw< z-)>6@)PBW4{tAJxr(0v8GV13D6YoEK*bmtt3S+UmE%r{m6-rtCVIM)UlP?I$sX&BM z%b@$wLn*23n9ah8DQ7-b9ai9R8B#-(Xy`MLawtS|18n9t^3T;P}@l5 zLP-Qk942*{p39grNw<4;!@N=-H}fX@T@3FjK=v@Z!D{Pi3azMowNyMuQCy6M7jMA_ zHypn|8(0{(Ihj&FD0C|q;P{QwwG6mip+HZA@tFo*V&s_mQ#JkgN)WdKe8Got${B8< zzAnRl>0G#?gl3N~!-!5)V|;rZ*a}LU{Q@;{nbE3q+xcJoB50U*ml!o9Ge1Lg3+&R& zBT_P~QC&5j#SS0E!A5$-ZqF%zR%pRJzQ_FFqyQ#tOw73QIc1kr>)qAPWa#M0vZCbuu-+cYD+k zV<59y+eL=m6j#X7Qh9IDSwb;!mICLL>9|V&gjU(V1~);V;_evSdrF#)-ON~+rih{O zNCM=)agO*=In3 z3#1(b5KD~>b?qnhPe}zIR0GiGB_U7Vs7uf`_-Jc!w%46K`2^=|Q;)>;8{;{}uu7$0!%~8Q$`%q@%97vuwMrzoeX3$nM zZ07z2E7p#{8;vv>2QEt8*x7#xd0h@zs)^GozC?v7{`P2Vqdj82k`W+^lxo5Rej{O-(5D*~}v_UKJFe%ApwPUOTuHk+ni z%iyKpF6xGmBXWgU-vam8amzvj*EEoQO^M)!{)34YA4-U4al_U}{YpNqbV_P=teLA$ z*$=z6b|$H#2ccy1Pb&p9-jQqjMV~eMyl9*d7^k_c&gFZgW99oVuYRJjC#C50Snx0l zg&@SmZ3LiM1#8NE{jINFD08X~w3v#mlbsw_v0;(Vk;Tup0UKuflp*CxSGH|W<2(tx zz)DQAm#nv*{y2LPxvQUkF93b;K-bPJcp{+XP);JI{t*kkFEPx%VSVJABZ6E=re_B% zkr>-v2*=3^;gW(Qp%F3PweCXl&^sQLAahde$y)CPnTD$LPhv$R*GWhzz|YKmVFtPt zW1}Hfv3BE`vMQ0ZRH5$$mG}G6jJKo%@#DFd>5pXVQnzrFEVf4EOwg=DA{1n4>c_fM zJg{KUNkdF6gW&dm;L#c`?Z(*JbnVTbjOb%!sJd<2v=@fu-^mcf#tfljs~zfo62(bp zGU5`Ym(!WFzmjYjqu1xz0%|Bx*v9yVhoo?blY_gH8Q%C1BQpL(EOA*^Z2AOhsVMP= z5>WaeCXdfA{Z{YDVoTcmT}hM*14%d;2kO1N5;y)LVP5l9>gZA684lxb!#X`Q&b=^N z@?@#38C1p!!wVL@dX;8iBR*pXxe||`JkL|1&o#3xM3<&QrtOl_e7w+ZWa1qIY0J+9P3M7Wx?$UWTmi zutElf$Fl^__sF23N*NM(LaQ1ba$ZhmYRpMzS^f!k*%Q>@-08m+vKDmqeB%^NHl31H zJd&^Ad0(f}ZM`I6;_N zMS{Le1?QSIOadeF=75B-Id)VsnZCq~YW0@r>i+$2AK{BUI-prX>B7`LZAKJRRwu-Q zI}A=fq1Ibj^{FX=lX`WxFNrH*##8vjDjH-5Ww+ 
zo0#4d|8B_Cs2DJrz8)`|4^$$^OVm%8izr!JZ{0n}KHfiE-1V!QYD6g+`yJFZ ztIAn<>>FZHD1is+Ty^aIVN|Re(@$PO#>jHda%$_v>cAwtNY<)&8ynRcuj3Lt+0&6R z8*NnrjVV4wF-y`qj|qai5B)tgloWXW6*^zdE}+iOrw>N>yHeSD?1!T2V9#=S7!2n@ z#q!B+}{@05Jo8*+!s|%9S>d;JRvyX zHFSwuSBy+lsR!5`X?aNXa&mw1V?NIc@K9a&G|-dsM%{xzs*&S?eE=ogno(v9jw>;; zHMu6S6Ak|?uP#icSHaj=v+}yy>z4bQK%Rbe+7U3vJjsgW={6g#c%%jFp6d6Ou;D_c zELWk8;%Aa+;5<{S9&;;)HBm72FNCuiRk-85(V5{REv+BqZcFJk_yC<2(*$z@DWc%V z8@MytIZ2ZqPHM;1H^}-oswz{U5z$(2k10`Pg}xqci;`87{F+Mb8u=-YH9wp${*A|t zQv|^7OTvS6VQMlV&c^gQCCQHqKUDD|f1h%jmq7V)x3(7n>9L$n=3U>2YI}N5;R^-b zAGT({US*&1Q^1`K#nj|+2$`uL?(-3oCTwA^ia%>qF5<)f-lF%4^ zFrR5Us@=3qUue0c$#j^aLsp2c!Fit0dWAauk&|(hqU3NHq08Y-0cxeS@VAm@|{q>+7X421g;`!$X%)WZs=u8szwki_#R;+h<%sQlUD8?m9!P<)Tz(b6= z>KLgReW_HNgZN2#34;%-fFTA^oe(LEJE5Qd-RiTIZ*8b;L}}BHId_aVNY!vwslf+L zi`foqQt0zCBag@PC(S}zZl!}97xWS>SDW`fTUmRaBM%QFooycJ(;g4Nr^3456Vw3Z z?9+WNt%jNN6Mg0RWGg&Q}q@h+ew>0o(@NF9+Vx>0U{(+qF$y5~Kmm z!3Aa+duS2C)kZyrMh7v)0cM#9p8#kxhA2k2GcjwEBmktzLjWNGGuB{PUHp1@_E~to z{W5Mual?@Dn2_ZPFe0G9L%!Tw6##NWGusLjz!$-+Gw>6@GIO3DTzd`-kkltmF4B}$ zId(=ZG00fK3_3us+)D-$0DevIi%PWVVF3W^E~eA0cb@>|8hsx9KTb^;a>-IO;p`Dv zdy?%MB{gXmfy3yxCGi;}9zD3>`;)Nr1$H-azA^k}ga_elJ-BzJlDZCfKGAC?47Vns zhQFthzhr#qffi}K;!P~*Z0sBHAwD~ zIAOblD31N`$a~dR@M9G<&(pdouF$OyPBne;eF&SUZ;x^J%yr>SAxA*J)_Y*yDb1rH)*lA ztLFGP2MB4`DxWNzgGY+!7O}D7`G_A@mf1?PZ;&LtKUJ{zU?cFfIB=k&u(1e-(&@-5 zm6-a){M4gG-uV|_iapxG4=PgpWrZyQD(_}MxhL5Wy26Xd?3bfnneBdE-0l$0v)DWgqY(ZyeR$i~wH?ZUh z=w9uR_xNEl6V~(+PUTd@tqgG{Dd$l;*hK;&}F6=m2VJnU7!qy#zc?Jq5>1M4lrs-*=&0mF#EdXW6T!W^LQJ zfI9Uz`e1-ze)du31%;DLHv27b-?w2C$(Lq>gR9c|S zYANbr8QXlMpS|a*RkX9N45KXAeAlC>{=NjreEGZ2#^(nWiM$<~Yj(1wt{VpoN%%r3 z?dtmoL3s`r!jbOYnabP%7`#S*^ZJX61+Rz_!e1;;_gp%S-;6aby_3*MO!jXEIU$-p z*j7*g3v3b=jw|7bO>Ay`@+5r~Ec80;@&?L;L75}Hxcn|%~n}IStB%nW-)>XZ)_qo!GnR4svv|vPzlNH7_hG$gi0#sm@7NQ=9jj zRJJ$&IK|DsadiWJ_Grm5gu)Z={$*Ppi0!0iYnC(ou|l&XS0$?-psp(FJ#3m^mr34Y zV@5>?cP;97qs+rY5+#XkVQwx)rY7Q687U4vxSEjDol~!pl`~>oQZ~I<06e zba3EzvNa1E2BL&o##<8^(k++t{)H8r#yanCHET)nkxv32r@MYRlh$Du$#rN+0Ijzy 
zm|H^xB&rk<@|4cM;h&l>Vb0<`rIw~Q)>^mW3SG3{^#)^4J&E~aMPO+hHr6r%S+N46 zp0M$Zi?OaqBgH` z;dmgg;dC~7#vXg%rr6-SsKY1oz~2+h^{G)(dc;w|`P-xQU`Mn9B$trxn?RrW=KAX; z)R9tHYi`>O0baLd3|=NlV$7%_SYH>fG#KIxE#N^-QlK>jfa?V8vbFkfeAi^n33|<-_;`PF+v`jA0gZOs=8nWrwXCBuV$uVanABjFu@ z=<;`FqrfNry{05KZYJcqA3#DgFW=rx_R&WFzrH89_;~`gC-#uC)f=z}4rPx4Xjx1R zCo%iV6s;}{3$gnZz;%j*WPu)8C%y*`>$^z}P;3F)R7#u}RgBC176@iL3?TGESv^+0 zowcIY#t{KHPXWr0OU6_BHDesKtLXrcZNoVL=L20cik+iaDv%{m4FKy~Vc8Hj%Jh6h zy@yr;@5}RjhYiqXrdT>oVRiDEM(Vno>|NW)43YCOBR-LWr&|OQebW1wH!F-Mv#Cc8 z-2v+p1ty_X^56}u$$d=Uey0SpG{wqFwP@M%0PZH(ek|+oA`;7Cqv&Z_^0eKEMCa^q zM%l7l<)FJN_@KW9N^~bJO=l#CK|fW~Ec3-3Q6fC0)uAO*H2%bkyi_34(63;M;97QG zxrU*U${l53ETNr=Vy3BEsFo}SXqvJmrO*v9sznkE-;SStkWxE5&N&aGFUS1K%fDyv zO-C~|BW%OLg^M7OVl(AGk5>YNfF0?KM>5drG%pcCaXAGbe9 zO52;0BlmGYM@Yu?){f{IEaVC;vtJ+blOQqv9`Fz|IccwrPJ`{s*?kzz-}m=8C7`1n zuv^Q4MiAK6aXt{9c3eZc7Z)tA7t}vgJD`?GKt=KTx_(GBbR~w!-PH^Cq--e!7!fu< zYmNqTxTP_x1LG}Rf~vzv`hI&xo0OMvanV#Xv>v+yj+ObA-x4D{oJFwqY%>1 z=UyY9q!1cMuuhfrqnJA64<@bf_t!tHDfZx+Fvq$95TJ{DzsV2^vJG0SYC{3sI1G5H zLM49z!>51q73(w6x&glDe)Z)syb{?zb6KJ~U&jDU0j0Bu0bO9;N4-MJ>ztbQV8;_G zioVe}R{#KZJt(EP4op5OR6Q=9#n1p3kSke-1P$iySUj^D&$3dE16a5xDAg~f3N{ll+|FC3{Mz!!bYP&^+sM0ET7 zXUf||lMe)w3xaoiB&(mw8%}kWw_-1`JrT4SD|T@47ervdfUuAvfbXd|DrW_^zzSZ9 z&u~y^^zvrOPOkatLFL{`EmKm-zLO(mo@G~_Cb}UrUwe{aKZ8M1)`?*$zqJyT2S8d= zM}7AT+Jpdr;i$$ffRR#Y!&PDNb=@=MLSJ2m`)H!Y)O@@j35>(#V`4VpiCn3n43f=8 z^MX`6hChr30E78S?M1Dilfj?|4e^rwp>U1BAPrHY2^W1oic7zNPR4gE5cOo3uVXg2 z?*v!h8(q9ke-Bqw1xpVLfQ*cR{)zi-1sSZ}2u|G(&d<;n1DR(9s}R2QlLIvDpdoKD zlyxV(CISZ_n)Gb|EMFLWl@3pNVE2-@7c7Zs`L2+wKX8JE?dvF76zSlqi93!JBF;)* zh^q*UVdzdkfvsxSIbjDw5QX@6?Vd~Oo-ZQ2K}lnRU&7u5<9;Fi3_XZCUrrlfRSv~2 z5)BXyASmuoO$yhToNXVP@&;0qyeXg4tb6? 
zCPPCgmu&|~QIaE4+*kedDJ781;LVO*oyFN-Z-q2!FN8q>C`9X#vUqv-VlKruK@!9CV zqpu~y)K;9vEZ*xIHvF1t=W7hG?R5u`fJY?&uiL06Z^5DYXLv&&>BeCrU?)PtL!1nY zk!*ji1j$-nxo^`EFM1eOEiN1Gl9Ux zhh~n7LMrbM`O9*Swu6YBK)@L;xDmy5Dc~~}Y*k+(YA${#l5Y^*X9_00j+pS|lutk7mZS{v1)xL>Jh9i2BJO_TYIXT# zp?oqv689looS3;s?n(RJKKDH1@N#fzU;hB`!ZsTODK2}%>+cp#2B>3$fVSY{Ieai< zuv!1~sSDinu7xv8!Otb!W8MTyQoNFLKuK3r2V@p$kwE!l-mfV=x71OkMmrS2T*=U1 zz!{CnQLA?jFBb4yLHtgpqsL2x0o1+3@7dvczytErRRa$M)a>WHtkE z@@P^&lP=$q-jiE!;`#t7A%>VU?K(wMQ zayq)_Cm)BhPqITU+O(sVjCtKHPmnDkZ)D*4_bqQFR3qqp>~!2F@FlAEx2qi+z(|T# z;%<)8d$u0IY#~XD6_^-CFlhJn#UZ3DtR~LLPK%QnnCOIpw{dDIEvG>69`9@1^u`Ro z3qX6|7o!KN^C=@}_8urq7`F+S)Jg=ie7d2G_7i%PPc3eEzg#hRWS4n@97wD}rY=IO zQ3Ml-J1?ycb$$6G%V{x#S@OAw$<49Tl7`yRMBD>MVqo}+ z8Y2%;t9s*c76i&pqIZEt&e+<|F~Ctk4xls@tqH+^g4VDB|WVQ@`FRx98b&b&6>3v_6&J5uevs*T_7UU`22l zflYi7XyaYf8N#n+a=2q7gCtKAdxR}kp!#)ajSBlF@Ur3CoEPxtMDu&`nQs?8Y%CrB zUuSn26-TqL3!Fg)cXtmG2<|Qcg1dVN8XST%5C{@HKyV8L8Qg-qOM*j!ySqELdEb5H z-m~^Td)=({dp^}v|GTTY(+qUA!ZuuAN7HW{0u0*XnuY;pkijud4=qY{tnL;JH8mF+ z<|+CFt`+5R@DUnzu80k$b~|T+R32tc@g+*|Yl^{|9|L1V+iyL=H`Kvialtbi!~MZ- z0SuhvMiX(X5-PX69o)B>Eq%8x(H#VWsL9^v5z4Blf z&ydN9Q+#qCMh#xt`;1+4!;i#JwF%!fIP{CG%^Z21(D~nB`DL8tejRw)7ty7vor2BH zAGxPv2h#Y{@b6BaTeb z?+ldrS)#>L4CP{1n-jkULw|ARQ$nybyiJ$qJv=|4=i(4!=f_cgs+DV-4uHX4Yn{`B zcv_Qb89QQg$ONNlVcwd8br;cRg@3&TSxt{ZNNJAD+`v7#C>qj6!3-7B#qYXgk2h@~ zyDPCyCt%Gy>K|$tsv-&AYZ>iqtba~y(gi;K1XYR3Y>f)iq`e^Lc}bhIP}!l@>@}U` zjWqrCtChp@hs`H+26^B$bRVNW%cl#0Ifz^&Muxy%RUh)gwh>;CuMp3Q=H+ z@$v5QC#({PtW)*#R5-J}Zd+Wr@=GOJ*#}ktG!%E1b_UCpH0?F2y7BY++(E?}+T6;J zntfhoyvJ}xSz}ccaelI_Vast$U)vI+ClI~^BSo@(3>hVm0|$peEyiGz_9yYhT4U}F zSyb9|>cE+gc(+@lH^;BKe9V@vAd!prI{ZFg^rHDc-LqHOWPeN-m8lJiEmo9Ix*YKa zo_5`5A=$z%%bu6q3rY;}FgPyH*xG6%+}_@Qsbm~L4m^8Q7ArwKfpMxAO<5aH_%PrX zhu?L&-?zB+IbOxA{_~}%-O%ZB`_Tlu3b6Xz*!wb#0=>4p3jV_jS$BLu^o<%+AZ z62aR9yW`5vif{{?H&%2XI{oTA(WIU55sQ7u^+}vYoFKFVDGJMlvG1DmGc6f;PYT!L zIvmDtC*PglcgA>&zG`dkc%esK!4xFEhcUYsVo?fWedd{eKzN}@p)#XHQv|W2{)Rz; 
zRt)FsLGKHRu^qnQF#V!(kAsLJd3AcAKi$S0pFwnuZ7znyVbFU}Vx{n7HBar);iXiYC`(*LdhxlzFXc~l_U3rRP5}&WO70*1PO{-Mb_WNSrNZ7(3b%e?p zg<#C~)mCp#Fg%5^7@UpETPzdcTZNV45)H{V{>dO^Ujru~=!;ffVs zp|51D`0w)UW1JlfVnhO!^;AYFZ2jo5XYhpBOKYc;t812SIV(OJC|_uP$GA%E zzH}^m&qXEZX_Ah}26QeB!K(ei@T zd9T>p$YHBe_hc5eGFW`-UJOfPRgZ-=fd#hjf;7H0EAoznLP*D%3HmUCuS zHZat>PsPl~e2pW^x<|iS;icrw>j^X#h_bJksJw@%*3(QXqCgHve;}H?d_)$x3HK4f zjb?kw^znAkTPo?aS_|1vMPQBiP(T%S3jE<$*~JFcW+6T zOa+2V4O)lU%iZv~BWDBzBO0tcFVgrwU`~k9Y#lBvU!gui#Oy9ipm$*L^$6>OToH!- zaLSHl$oYgA8&{u}9eF_S@hiFW5%x5xE#h<^;t^4wm={!%rV|x&-EeJ&qXI1p}X^z4An9pg21L;oD>*iBF_Qfh~20TRZZ~9!H!8Mfc z?)Z7zqI0i;Cup=yT7eD_`ypb+H?Gb1JS?IGzRFrAYh~)6#o!J2w~>vd>R}+K zYAxO!eFF9NJ)jVQ8v;6vS2PCQ=hggApEH5g3LYTSYFuqMWtiS#qkd#;PmE>F!MRHj ze;7P*VRqx%lV=oY2*#H#*=IrE+dqq%U}jLNiz)y}3l_fRhnXWm4}@prhav+u0O zw4W;^gPXmMKSC3E07`zY;(W``+Zs64=IwDrdUP9hMKbQ(d_GfuLlO-^9?I&O)aWM! zx+>DV{l&xx!ggM=SF_p5KOQbGZN1STNm|CR$4(D%6tL-1=(m%2h`E`kY>42CO1_yi zB0Dsen$tNRH(BjP7QLV^@l~D}$?-#~M2C1#W!Hu@uW<(3jBHY#TQ~-1n7r*%&O2&e zrH&OE-s&gdc2b!Z8MsmDv~=4nU-?7XV89n?yTqgO$MgX0!w>9yBF9%Fdjw;jf$#C! 
zI)2vOOk$eeoFzXH35DWYnGuicI){yZd5zpp0QGz_FRKgoT=%%PG%0q>!(zRVN>+zJ z1LU>Ju_x0^`o6dM%s6=H^pf;aDi=fMMl!*cL_#^$-8)^${t2Z`n=(vQT-Uct>zi}J zk8p-J!j@S&ckHKndZ^!$#f$l(zcN^GSs$gb#x8~1Zkh5gLVr94hX^TuA@0KSokPZ8 zGidGKv2s4KI-aL&d07{cd^evFvzi2%9>h(maPK`G)*m7&&2lfmh> zC|FefgvYnEdBWzh;hKEMKPwwMLRFJ9`W~0{4ThEr)i0{0Hd0(V-!_pOxSb0~A!lF< zmQ?@&H$1buirFJ>4O99Jsploz{7nnZY}+nIDC3AfeQDdiS#Lf?-!^M@A0rpUxw&`9 zuKAW(5RvBz%__RxfuWRr#AIp)@|Bd(^B&dkhGN*CEQ7Y+%EmtDauo&oRJu$r*Zt#< zf6-ABwdcC4{{?H?x&5bQGX3|oiBx%_-UVY`C-Ot``UDlmP=~Os}_qDYrj=a5G+a`1HBqXje zuwa|qPm}LpNn>t1i}$!~IpnBffW$aHF;O1%!wS>RX{sckvl;wo|K*%<=W~CZ)zZ}@ zJ-on#`1TG@D)a+Bu_lY%;oC)H3xYg~V*6+h)hJ0V^XBixq_cvhJ9XT55PpJ8(@W7m zk~vRp%Lb0Ft^py9Y}u~Xk_*U3(-4>Xu3~S9(h$YRjKJ{*2hY_|sN)lzx;#8 z(~FB=riTa^Y`c>t9j;Gz8T0heiz1C?9_Q+>!HAR})d8%U#}Q%{P(jRl6+{h99LJkM@#YGe9&|7dVHxtt=s zM995z+oYca|2^XPEppqvlHEu{lBK<;3yjvxt<|U(N*bH%LA3U2n9!YY0DlB`CT~JG ze2yw(+G$BwYmX+Cu1jC)ccv)qbH8P{?tF5as|!oM8O~7QKKIF~)<35`o8&3>D3t2IbL` z*_-(ythq-vG0O5n_SbgnDjri``Jy9I^mLx>V+lQV8;e9qq^Y!qeOEEReC_r%PKEZz zi{@exRtK0cCz>hwub(cJ5)}_It?yh{#*zl>jJ5j%)GA;L4e>V?g@*oEvDXJwi$xVY zogYL|PBo%>jjcEbp9nTFwCvw)f76O#b`;{|j7Q+m!HeCVfG}=qmR8JmTriSYtXGz~-RS^dp?eeNvo|YrMfqHzXk}5(Y+kfAvbiFMYFLoRVs{ZCeBmZ5B$QWf}qCemHw(q1f zW}){tHkSv3D;KQub<5N=GNrxGQDkirK4(g}+eb8W7&wSjFbuyWsxwKC@a#)qt9)w4 zpROwIJv9^;yhwUz%t> z4s1@4FNDA!%O-LXK|Yvw6;=|FTDCv!;kUzRMN~kwL+@hP_Ge@LY2=%(91A0+^QiCnB%QU_mk5`2~teA2jFWld9zL-apbNVNcK4w*3Wnap^~K4{poj={px zqhNhBTsTzv*^;D_`d5PVit7G{%$uY)|CKkMBbxNR%goM}bf5v9v)Wt%5pD<@Ma zrRJle1(1*gnLe<=q@~aEe5eg=ytr9NOy;;vc_V(X3l?UxYN6$6heU_0GXeb6B*Uqfml z1Sz)!Fn_j<@@z7%C&O(P+M$){F!fy$$i{r? 
z#%1bSCk!tI^K{Kp*V4t;k2CNWhs0TOHsR}&YGj_ea|DVjY}!L@9=^9igZi)HWO&+a zitt`~kKbf1pYf3f*9)C2?;*NJM6l%znQV9>K1^8uq$SCi>2~Vs1l!QW+jllKo&T^i z*W)#Ndq7>mGnXySK8{2psZjaz8iM6$PJ!v|KG6J8@}M30BQBPrR*aV{DVy0t*5bZ( zH z!&1BJwo;s*dy2B4#P*qXCoWz@m4<)2j!x9fA#WiibhTvY_JGP~a z(Ew}gJUXFeo%Y1oUF?;B$$GQ4z9^u=dWa9?HrNc~fl&3_>`<>Ilk^XpV45FY^)(j># z)}!m`H%1S;KO+eoPa6$BK~{>LZ}@Z!+B!8|>U&pgHp#t9NshD%kb`I8s zAaqe|G#D2MP&bQrqB#>B6i`#!x%$A(ZC%`&Ob>IE`4Vv5af|IOn7WGLSuV+?l`~}# zkg;3qGzBv@?u^%6&)>0?W1n3OT11wPthS@p-}B^$J?hmEU{RJ%K@e19`A!>N@Y>Tv z*^QH!&Ukw8xd!>1vy`WhM$uss>%TOGDKOho#oPDzBUD~DVrTnFLB(vh(&t?1NHCxG zb}CRM@8?W9JJzcX_{v9~Vo76b*C^8R)+1GHKIgH6Rga#Hrx*5q5lof)&Q3TtXjOXk zUGUQF)QISAjJ)NbNl4otJMJI73A0+&12U?7lnka7VMxbRl8Aq3s<`@JD&z8{YC|LvSPv``H=-fxNnFp z&5FpR=NPYx%K~FcTS@$kVKfkiXk9$HqFw?t8SHFd#laU?0g+wd%)a!Ki8U4Pj~mHx zCwe&Re?>haK$P8m0{WR+=C+_!jF zsEU2$(UU=S@#w^VomO+fdL2f=-x}sivcgE$|1Qq0aB~ew(BkOa389@j2#womwfcQY zzBhfZ^b%N{9l{$u5=*O`!ym9heLj+-`>y!YqxgeThLNllK}0A=3uNwh9ovJv{YcH3Xumea#68D;3GWT}+C&(_D(A8jA?-GLibpN0 z;BI!jucTw>?~e=D8|4WFi97!2A9g7<*>rvC@Ik}zI$q>88=GniIMkDRK`(wB zD8n!iP%*l#7iQb6hLIOOn#s}?^;o<2sqA6^o`~p0S((vM9|d0+=reGbu}(vVgS3F_ zoWbkN9EjNQVaQR5t8FH*x3xzf$jx{ixkd^)Y{qOC5#+FC_+hArrsljIS($e!nDrQ= zDJH_RHnzjQ zqnXLXf7g%3OYQ0}-ot!aJ*XXLwTtOzCuN|+5Ak4P5w`0Qs|F2km^5(h5Sr822t4j(#`eeEf%uBS$$Frg(_= z-8*nc0219a%FH2&BAjiGJuXg2cxbTCFf(r_S+mTJeqS`0OE(xlY@$DDv@z^ZuUm__ z1yUFE(#m&FUDtDb^GX4N3G-gW_NFSyihdv!79&vm4xBzXw`;U~nY3gd9OeNzQdSi{ z5jviR{3?Al&RrE88-y&c8cwI1&`8qqI*M55MX;hN40)vbN7%Sj>tNVq5}qbYZRKRG z5BBJ-o70buC;crSiGR?6+HXH;M774W;*;gR_Z8+?T}Osgj$LxGqRn)d;tU?cfs9AqWa z->}VWVxN59|3OKHd;dYb+~y6TRH+npky-`uWvtUTBfj2B3DFa$gGQzO+t>u+ln5CJ zxDIA0EE1UnA{!){Fn-Hc-QqcuHEl|ra)N19L;E9;2kMbG?3LJf&AX^KE zr*JqvOOOCjA$(hcddwd)%Loe@H8)P4d#JvA+HPX~O^6LnR$(|{S@^a`zkM1cI0wxg z9yLHZJTpML6DcPcEd8DPt4^5f@MT2TkiG(erLg_LN5hNq>Xn5Ti_n z3L9iAz_P}3T449hz-Rr;!8YIpghQ5)zG32Jf(S-gw#V$Pv@Z&k2TXGo2Zo>sGq6I290vPRs3wccbIYc95u-NUtiod7x`8%+SfNIqp=qcqyYenZLRWN@^Iq9zLdtNHN=~Bo za^Xh0e?B?2-gEFB~kkL#;7?s>IYP5L&CTN9a)+lS;A?G*n(5` 
zX9j_F_}4<|2$&56MI+QCY={-sCh%+HS&QlJp)w}DCSejPT;#lvg7OnPBW-d2x3;-2?frEjl8HlP;>MPtKusdEsj^DBQARdsi+H5 z;P=yO`^xH0fZGbmXwMJZe0fnzM^+|%wuo!RD4MqF-qenUQN|O$;~@7WQLLk|d$*yg zDKxABE?SCGAxgTaIp}+gZl?B}476CJLqx$iaurPABxx-<{Bb0kLT>RtU7i89?Y3wt zv2yXRH(5gpu>|gttGZAkcrW~_9=?ekeTr%%u-fno_z7!>S|B4Aj|Dfy%F!rVh1GU9 zX-{?0`t{c%=d0l&A7aSZYbrG=%>g9`B+#pRTKMFb0zsx=!Jr8;0!4{T7U^mjR63Z@ zUU{Jk7|RO9;cg^&<*NL|UMEB@Bsu&Rb!f7@CcXNngyoN;o&ui&<=5_m8J!2sluqO4Q(s@7px#_9$AfAzbl_Agzs_% z`C_7Y^pN?)zevQAfqB0CSqB*xchzQ4Sm)ue#DWM|;0NA?U|B?QMQ}IBg~l)xv-nos zN}9?Sl3{2jGRx98AdSkQGSXBLoZ74dKZ0QiAtAt&`x)ygESwekhbug7l8c7=Aa2rz zP&tm#B-qB6D?38$I46+cHAsql{CrNfm)v*1Vj17ZuT6=qY{{26bRb$Y!h=Jrqi+To zljgBi%R7{VA~v~$5W##3hY~2NA5)l^;rY#EBBIQvuJaV#Pf+3M8&v5NkiX~R!04OC zagD^j>z`#Lh#jG>F++HdlP6FA(u1DeSB(ZWSUf!QRt=+#N6;L8_ zJda*E+0XqOC8jMm^li`zv!e)x=-@)MEwa6sJjVF%7#j&|E_urK%SF3+ntejpg9#?hXU$r+VUneL(h{U; zLqzgCCf~iz>#$#{XK52$6bPM=Ixtj6l1p7T;ITx7=}#l!AZC%ksMdFg2r+eIQ0ia| zf*toCm{ejULi^1io(1NaUh`|eG_Xrg;gY78Tmf&E1ykM zp;xx?rb4~K`Z+C8$=<5i>U_lZemMc<`?iiTq<0;v&9tgN`pjXaT@&+Hgw#h?-TUeS z*2F|9p8Uk>IusZz5^_Ia^Nd~3+FRI0s>i;9??=E@%zjBUZ>xo>T<_%+93VcZ1Wqw{ zXITM50vRw$(zXZXST3m{pk=594ayoxS7YJ9O5ye9qu<6B#rTGs?drRwfZ@Tg_|0E* z_E|bm?0qxV-myIO3grzN!C#;-(zJg@o;mcMVZbuYAG`3LwrAE`!4=~>H<8m(K0cUP z=raXhHLm9IO4ucF!KUWDQLF9#p+AlSRxpk?fymHFxv4}aGb+&FZFj)pp=FB4$JLI$ zpbC;ov`gn^jziyR2sum)TaL#e9@t3q3g@<*sxuFFj@AYqjCeSM zdWP2w!WEEta@is+Ny|7(P04t1A?&GCJa~E=I-hlYO(B<^59wuzS>?BECzA@>#+qTV z*$^X!h}34Z!)XfOf{k=o1ZQt6Z6i&k=p>uB{E92(sBt6R5~N*+!akZ>_9mPJbuAAn zEvk(oO4igx2e0QOGlouGFMTxBCoeLTl+4EAMzpJJ03RMp%ve7EQg8hp_qS+)g4oc8 z-xzBKuad(TTHWM4S@#y9xfZ3<5UI3!{fm9GL|Vx45EkU4Xl?KPAW%f`RU zOOOo7Ccs^%EyJi0l)pBzB&yWW zy5`p>!ox6WkFb5b)mUS!jzx*7S?MCkQLP~=$<=qee8&U_f%lz!PY<5^eb5y65qgWA8W`WZ$?kb<#Bwp*aw&le8-o-wrno6S59d)mUQ_$k9UNnFiunOjq8V z&p2;nIXPiOuq|R2IiT)SO4mk5Dy9b$O&03<43?4#MnKD)z2<$K&I(&^NI#Fm|S~rqYVyGOZEI?%Fpj^3P zI!QwkZY+U6>dbT{aXJVAb-d>47eSCt77}SUVqynJ^y(jQrY0TEDN1P@y^HwDMy0GF zz(Qq_07{(y9{daEjLE(&I%2Eg7*;T5u~(|e{`Y)tt26O%$D4&kX`fc@ff+d)+0R7A 
zcDR?(K?af+3T+58Rk0pN(~Q4h9Ncj`?js;M)d1;OVm=anX7^u-Xtm@ za$#qWEmqj9Zthgo9}c05HEO@t znj2|VrWbmyvz~7EAqtQJ@B53Ihmk2(>d+zd%`Xk4b~=cjjClF}N4>GRt0i0Q|Mi4<{|ynAf(N``zpPT?Y5BkeicIrWi@y<9-)f??*` zLWGqc!q3>uZ+|~{a!(29XXNvjM44tIcYb5CiX(aPg6^ia7qaJk)B)Fbz4dgkdiONb zF{L4Rk`JYGO?@Hot17!U0Gv0ut=B*uF$+JAx5hI5b-b`l!ksI18O%p_Hi)gn#33M} zhY}X3?5)ZkANbujZAyFtY_>+XxMxX;@b!56Ysl9qI5FXKZB4T=t zX-O(DT6UH|r(Vjbu%}7RYVOi#MGesEGAkRcsLfo}C&L{hO4hhK3tDu{$rg~y_5 z5$D&LDoOHB@_TiD>zh@Y=fDlwL~BaCDa7McW-BH!ujskZ8D&;2$*xzhbA7b2zh@0b zVpDUVLMO=>Brg*jEYs9k_BQHd$S%T!h3RfVyhEgZvhcrOA}%%Qz2QPB!j^A}P*`|U z4S=ZWStM)E!UUvx_oM$$_MAvIz)H5Oz_xyXb20Ry{BF&tu~p(HWi-g>+)+-D&Bi7|FVD}-l>tz%9*yXHEhIc!DslBScJ6j%8Q<~M8Qw9U9S4NF7eqGLx zG)IiFJv83?JX#9+OD^3K%B{&1t7jx|z4`W&M(Av~oNcoFl(K_t7V&BH+M>Lwr zxoSSjsejw07lXD?{mdn)AakmxB?(EBCOn9t)%<<)!g5RXetNI%?3yyWDR>$sq=0>& z6Mk4&5|u3d;!q$Ds%)qUrLTTTuax||<(GabPf3lC#k^0&5>}PfSpj5bd)F%+a(hX4 z{U&=y23F#A@3fjvlHp9v@mhnwhhd{?=2B4^8N3zVW)VR%Ci?o@0lTGGIaeJd#Z&!` zGT2-L`LH-kf&oFw$w=k=939%ovfJZtwb2#2mgzYg*;3)q_~5{j+!EUIWcdU?ukK@^ zd}?V=%1f`sWZp#rB51rgfB`lud*l1PQu=0`PX6BoZ{$=raoD? zJ7^lEs_SwfG?qk`@t77>_Aa$y$j=_cS}<4Tl;McASZ7dPn7mhi|4-&Qwj06i2I}$txocLd+kdd8O8hv{@6h-JO3XZSqkBXlUbAxw|cj1;NS;+7G0qnK@E4$Vq6#(NlQGS;0wdR(JMGF7AZ~ z3$L=2*Ds^}JPgkT^WfTs;UJ8&S-=|NF7DH^)fK!_uWC2oti!koGF~C*aH8hZfvwoJ zGtH|^BLj2v5^a8okDF>TtChOe4|x7ML)eTMCQMNpLrLZNgW)n=S{B>2tTcy zfy!H>ug4a#rP}5$Pi9UId0^wsfY$eLi!v_{oe|C{aueDHhVPMfZBCH2&J{ldpOZeB zrF*sJ%QI+i15A_}AOok2$CKX0! 
zP+?hG_Ui7L2gadwe54KuNsOW+j-*qBA*Oj7dP7$2W$8McPpn^3M{AX#Tsy}o8$Sun ze*iNwQeSZBY8;h-?TjJO)YMariN*5JFU%@h>Kn!l1?yS|Sv+2^-Z|fpi(M5SUcXXb zrJ%NJOU``Cc=x9-yxe6HE-(f7gEWwaN;B8vwI~tmqZG@x*f@H-) z4$IL!{5jA^0&BIh>NcOEgvhG-AJY67%BN?iOy!5w*iInOT{J3FG|hk+9%%Y|8VyvZ z5W%-jNxjqk2krX(@l8|a@TqQiywoBvN+(tt-&bHqJt>WjC;7QaTp5|(Xnh%CK&@aX z`pSc%9+L3s``(|#B!AnsbLM*D8vo;?=)3aoE>U56TQ~c!4pb1te_xZos zilsDZO48au;5D;N403GHq#qoqSQX`r*@ma_>?iF9?IcOlW_@8UI-B@TraYvsfahA7 zrzT%3EziExqo?;$dYh#>gDmaU8~aIWrg+%!VJ9@a9Y){e-o{K0{`A9_s73UX{k}2A?-ZwpAzQnvO-3W9mqYxOv~`>U!V@nkm5DpyLz;Jf9i@z`L1*nT9c?V z$4a?Twp^2cTkz)e`U!^t=9 zoSMA#S_tBIUf(^1Y?u$(NYrGF9c-e|r{e=^_oE8GO{#zt+BE0NtRI86Tnb(DB4Kzz zL^&U=N&Jz&3xnPmA8ejh4J^F~5>RWB#zEH4fc!K%X_l3C{Q}{lwqGdC4__}vMw-59 zcK21q$reuwac?G@)wI|GA80%HUP?tDZlVOFBtoK`Op||vOigK%SRAUkkCE;YzzL|y zeo`n((6N9uG`=!}AB4|Eni@9JAV1INZKFP-KAds?@EFk9;g2Ms=Dm&l{bUfJJ0 zrs+Y+{w1Uzylo1Ojf+V(jo+jvbnvk9PFc^^qRB$jJ_Z&!1Vq1h`HSbzja?m1p6L7o zkjF(F(Ina5{VcznQnyZuKv2kpuhQQQrht758?Y$3h{c7L$y)bPTP_2TE-^2 z-}YD=KkTSi2|nh8EbWrzY`9IIuQWufiPd4Mq^U^&wOzWd>Wywu$fDO21#|{o1qN@8 zeW5NTO@1lzKCImXE+}GV7jc%-;LxuwbKFN(J6S0(#&M#330F+Zu+k!Qz$v9 z*r^=NZBa!3{zt{Z$-%?wYHjB7j`h8xm1`34(ysC(9&O5>?0>z{OIY~tcY3jDD4Dt1 zQStDy1D{t%VN-nPVC7~_CBVlefbx&`eI!O>h^#18fPwyU$^E%aqv1xZIW`R zF0GTo059ps3gs}`f8R_}#|#Ap;(zoPxcaaAJDZ^}wNB#lry8oGkf0>OPh$H_#hJyH z#|6p>Mb@DNPywg`Gyqxv9e^J20>A)Z1TX=Z0WSe809L>&02_cEzyaU{Z~?dhJOEw* zAAlbq01yNS0fYe}08xM#KpY?ekOW8pqyeu1G5}eC9N-N=9-shF1SkQN0V)7hfEqv@ zpaIYXXaTeVIsjdO9zY*p05Aj?0gM4A08@Y&z#Q-vU;%gsumo5EtN}IvTYw$lJ-{B| z0B{620h|FY09Sw;z#Z@b-~sRicmcctJ^){UAHW{~0R#X70UrTDfMCEUKnNfd5C#Yb zdZ30Mr5M0S$mgKog)D&;n=$v;o=y z9e_?i7oZ!^1Ly_x0r~+0fI+|zU>NWd@Cz^k7zK<0#sL$6Nx&3f8ZZO+4fq3?1m8-Pu~7GN8&1K0)Z0rmk0fJ49$;23ZMI0c*m&H)#IOTZQ2 z8gK)+1>6Dd0S|yjz*7XW4k!iyYD3n61qqVJ@Vdc*fPi}r_~$@)4)Ajzg4%f9kU$@7 znf`I|qwsO?{V!LlxIz==tkGQrP;QLp5)!D*a|sz#_$F()8y@s6W?l#h1O)PPpgafa zbD%v3`g34B2j+8NJqPx4;5-NJbKpG({&NsK2jO!NJqPh~kUR(JbC5j;`EyV_2jz26 zJqPu3&^!n2bI?5p{d2r{4utk3c4IoO_q{W&(bUgk~x?izZxc^DLJmZqR<# 
zAh4gS|735S|7wmO^;b3jsJ?vhUmW(o+Rw)QS2h0_tJFMh(C4gJAfx{0F8uYOuCM>C zrhmD|e>Im+`|maVs}cBnAC$8HKWgIr{(pbyEhwu67=?d27JpSH2mPzEe>v%%Yr<>u zF8_CD(ckU;YM$Hw8WG%-`|ivR9dv1a0c^j#;d#v{(v-W#j7CYqHR+%(rviVbw%vjZy$8LJ~Ms#Q)xTlnrDyNz? z_kGB?XwBn7hb&szm)uI!crj9{IZ3llASVWBsca-hqnK)DN1DjlNOlgdnp)a}buGi;I5tPLtu|?V$e01j)%lOIUj&iK&$1CF z)dG!E+1b&mEyb(Yi|Q@4RZ96Q2id2wO~+ZC`Zn!uWEpuXb?4YwK4kO_mQ_zJ`;~3# zr8<(YVzmW&TgSsG9lOfy+NRDOhY~(dXC}?HN+nI5c5FDAe_1=TcmJtcKooA&cgB+FaZ zzvIJZb5^|=qLasWAXHZzOcML+Jlr3vAZ3Ejb{j`@3T>3vDmU7c%VaO881 zd7di&Ih?;<@Dl$+vQ!xJ|{GS}>5SkTSJwsohz5C+81(XHPSLLZz=_%mT?;c$fXV3 zPEXZ!`L0$RBttZH97 zu5vzB)fORwALDl3oSp8D=UvakS3UU;d8yO#e!OdozU{Nn{RxM@Nz;^Yt3l0S=$8l%Dw_U*kIdU^osxR{2;ZhB;wgTK zdesYGyHXFF<*hs!+syA%U$y5hxiZPZ%e-J9+wbseb*iiI?me1%Yq*{#m2JGmkFZ|) zUFyf33D&QQQ!UawOn)^>wWZTb`up;^k9tLa-AH=Ap-)g>iHf)N4vqAtSoE%bh#zU) zq;FIkiJ1ty^sd7ew_E?vi#++MexTYeo5?o~`qGX=BRH}BEUM#8i4dx^7KR{wa6lz2qmv)2}`|ItB#x~R1Q#Y*(3<^q-Sgqg3M%Fm2k!FXU_SAUHnY& zlztKEM^|U!UoR~7unp%$BdI?sjAvBq&;CLlBumyD6AFS!{57G%?RUUgKjxmm%R@`_fqO?pbS#A)|1d@f(;$~yV5rmhDzU1ZJaw@krRA;iy zm}1bAiaz2=e^NS9403zfIq%VCyY3+|XAnAe1&oKDU-5xV% z(c;xgYW4eu>*3_cenXkt_pdYc;1MPD+j>J+e-hDT*ya8aLl-Rcj^U$xX;`Q8Jj3P@ zbBkxo;Ev0Z7-h_pl6FQJk9H$#GK|yQK9avHF_~@YlZ>OK%>9#$t45K$D&yk#j^&)0 zeXbfuNtqk28u?UmB*wHYQZ@5Xx+zP_jLa}qB#>JROb6UPBvEsUl$5>B^jaaw>g%<^ z?Yr06@xUCfXPlXZ+jG3Y8+^bQ%-{!|z#jsjGufUKIN_TAgE}|@_3$|yg$DQnj=^y_0Vm;0I0gTP zui!MCfv=$v&cZqP2F}9;xCq}u6Ewqj&;s8>D_nxha0RZyHMkBxzzw(wKf+IN3vR<5 z_!;iPFYqh;2LFM3&<6M60sIbsz{3@T%9tXc!Gi`34J_jrRHkK8LyA_`Y8eC_4IB+T z4SE^`#<8+iWTsBD4J*D7QkE2A)1D6G{n%*orYK%de9I@Lp%*VX-J?Ukp>G5 zNi_7LA(@8WH1wgNFXKoEwldi>9qX1`nQI!4KFRjmJFLuJ`^XhmCeZOpk(IGX9|Vqu zjaFs?V-H+yW!BiT96$LuCckfGTBYA~$Mb8gOfL`V`tlMh(}Q#V8aVGtldt=4ZqGMu zwK6&n`{0l9Uo(d%y4>n3-5@nch3XEs-#|OaW$a;fR;E&F-El-|wLj4{g}G@jYCxmi zhyEwd5qQkXeD53_Yd@Tt!ko9qZL%^ga_i|+u2#-Ld+f#7AD+R)%{GZ7Hb+y-B0zoJ)wAU&PFJ z+7}3P08-M{pWBn9^|#mDr(HDMYj2PjT551SY;U0RO7oCMtI?&%Td6jeY|+)q$r~-- zw#d7^;V;+8*FQx$4)SQ|7Wp_b!`tts8+ekD%Z5g$Fn{RU&x5i%mbes5Z*M{h^Sj(k 
zd+o3|Qt>@0t{SX^?ti(fc bool: role_name = share.principalIAMRoleName @@ -590,3 +603,55 @@ def attach_dataset_folder_read_permission(session, share): log.info( f'Resource permission policy {DATASET_FOLDER_READ} to table {location.itemUri} for group {share.groupUri} already exists. Skip... ' ) + + @staticmethod + def get_share_logs_name_query(shareUri): + log.info(f'Get share Logs stream name for share {shareUri}') + + query = """fields @logStream + |filter @message like 'bmm02skg' + | sort @timestamp desc + | limit 1 + """ + return query + + @staticmethod + def get_share_logs_query(log_stream_name): + query = f"""fields @timestamp, @message, @logStream, @log as @logGroup + | sort @timestamp asc + | filter @logStream like "{log_stream_name}" + """ + return query + + @staticmethod + def get_share_logs(shareUri): + context = get_context() + if not ShareObjectService.check_view_log_permissions(context.username, context.groups, shareUri): + raise exceptions.ResourceUnauthorized( + username=context.username, + action='view logs', + resource_uri=shareUri, + ) + + envname = os.getenv('envname', 'local') + log_group_name = f"/{Parameter().get_parameter(env=envname, path='resourcePrefix')}/{envname}/ecs/share-manager" + + query_for_name = ShareObjectService.get_share_logs_name_query(shareUri=shareUri) + name_query_result = CloudWatch.run_query( + query=query_for_name, + log_group_name=log_group_name, + days=1, + ) + if len(name_query_result) == 0: + return [] + + name = name_query_result[0]['logStream'] + + query = ShareObjectService.get_share_logs_query(log_stream_name=name) + results = CloudWatch.run_query( + query=query, + log_group_name=log_group_name, + days=1, + ) + log.info(f'Running Logs query {query} for log_group_name={log_group_name}') + return results diff --git a/frontend/src/design/components/DeleteObjectWithFrictionModal.js b/frontend/src/design/components/DeleteObjectWithFrictionModal.js index b7a610bdf..06f3c1449 100644 
--- a/frontend/src/design/components/DeleteObjectWithFrictionModal.js +++ b/frontend/src/design/components/DeleteObjectWithFrictionModal.js @@ -29,6 +29,7 @@ export const DeleteObjectWithFrictionModal = (props) => { const handleChange = (event) => { setConfirmValue(event.target.value); }; + return ( diff --git a/frontend/src/modules/Environments/components/EnvironmentTeams.js b/frontend/src/modules/Environments/components/EnvironmentTeams.js index 52b2a3775..228fcbaea 100644 --- a/frontend/src/modules/Environments/components/EnvironmentTeams.js +++ b/frontend/src/modules/Environments/components/EnvironmentTeams.js @@ -34,6 +34,7 @@ import { HiUserRemove } from 'react-icons/hi'; import { VscChecklist } from 'react-icons/vsc'; import { Defaults, + DeleteObjectWithFrictionModal, Label, Pager, RefreshTableMenu, @@ -65,6 +66,16 @@ function TeamRow({ team, environment, fetchItems }) { const [accessingConsole, setAccessingConsole] = useState(false); const [loadingCreds, setLoadingCreds] = useState(false); const [isTeamEditModalOpen, setIsTeamEditModalOpen] = useState(false); + const [isDeleteTeamModalOpen, setIsDeleteTeamModalOpen] = useState(false); + + const handleDeleteTeamModalOpen = () => { + setIsDeleteTeamModalOpen(true); + }; + + const handleDeleteTeamModalClose = () => { + setIsDeleteTeamModalOpen(false); + }; + const handleTeamEditModalClose = () => { setIsTeamEditModalOpen(false); }; @@ -215,7 +226,7 @@ function TeamRow({ team, environment, fetchItems }) { )} {team.groupUri !== environment.SamlGroupName && ( - removeGroup(team.groupUri)}> + handleDeleteTeamModalOpen()}> )} + removeGroup(team.groupUri)} + /> ); 
@@ -252,6 +271,14 @@ export const EnvironmentTeams = ({ environment }) => { const [inputValueRoles, setInputValueRoles] = useState(''); const [isTeamInviteModalOpen, setIsTeamInviteModalOpen] = useState(false); const [isAddRoleModalOpen, setIsAddRoleModalOpen] = useState(false); + const [isDeleteRoleModalOpenId, setIsDeleteRoleModalOpen] = useState(0); + const handleDeleteRoleModalOpen = (id) => { + setIsDeleteRoleModalOpen(id); + }; + const handleDeleteRoleModalClosed = (id) => { + setIsDeleteRoleModalOpen(0); + }; + const handleTeamInviteModalOpen = () => { setIsTeamInviteModalOpen(true); }; @@ -424,10 +451,6 @@ export const EnvironmentTeams = ({ environment }) => { setRowModesModel({ ...rowModesModel, [id]: { mode: GridRowModes.View } }); }; - const handleDeleteClick = (id) => () => { - removeConsumptionRole(id); - }; - const handleCancelClick = (id) => () => { setRowModesModel({ ...rowModesModel, @@ -711,7 +734,8 @@ export const EnvironmentTeams = ({ environment }) => { flex: 0.5, type: 'actions', cellClassName: 'actions', - getActions: ({ id }) => { + getActions: ({ id, ...props }) => { + const name = props.row.consumptionRoleName; const isInEditMode = rowModesModel[id]?.mode === GridRowModes.Edit; @@ -745,8 +769,16 @@ export const EnvironmentTeams = ({ environment }) => { } label="Delete" - onClick={handleDeleteClick(id)} + onClick={() => handleDeleteRoleModalOpen(id)} color="inherit" + />, + handleDeleteRoleModalClosed(id)} + onClose={() => handleDeleteRoleModalClosed(id)} + open={isDeleteRoleModalOpenId === id} + isAWSResource={false} + deleteFunction={() => removeConsumptionRole(id)} /> ]; } diff --git a/frontend/src/modules/Organizations/components/OrganizationTeams.js b/frontend/src/modules/Organizations/components/OrganizationTeams.js index f4288c02f..2b7887ba8 100644 --- a/frontend/src/modules/Organizations/components/OrganizationTeams.js +++ b/frontend/src/modules/Organizations/components/OrganizationTeams.js 
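Review bot: In the `@@ -252,6 +271,14 @@` hunk the state pair is named inconsistently (`isDeleteRoleModalOpenId` / `setIsDeleteRoleModalOpen`), and `handleDeleteRoleModalClosed` takes an `id` it never uses. The value holds the id of the row whose confirmation dialog is open, so `const [deleteRoleModalId, setDeleteRoleModalId] = useState(null);` with a no-argument close handler states that directly. It also stops `0` from doubling as "no dialog open", which would match `isDeleteRoleModalOpenId === id` if a row id were ever `0`. The OrganizationTeams.js hunk has the reverse slip: a boolean whose setter is called `setIsDeleteGroupModalOpenId`.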
@@ -26,6 +26,7 @@ import { HiUserRemove } from 'react-icons/hi'; import { VscChecklist } from 'react-icons/vsc'; import { Defaults, + DeleteObjectWithFrictionModal, Label, Pager, RefreshTableMenu, @@ -49,6 +50,16 @@ function TeamRow({ team, organization, fetchItems }) { const theme = useTheme(); const { enqueueSnackbar } = useSnackbar(); const [isPermissionModalOpen, setIsPermissionsModalOpen] = useState(false); + const [isDeleteGroupModalOpen, setIsDeleteGroupModalOpenId] = useState(false); + + const handleDeleteGroupModalClosed = () => { + setIsDeleteGroupModalOpenId(false); + }; + + const handleDeleteGroupModalOpen = () => { + setIsDeleteGroupModalOpenId(true); + }; + const handlePermissionsModalClose = () => { setIsPermissionsModalOpen(false); }; @@ -125,7 +136,7 @@ function TeamRow({ team, organization, fetchItems }) { {team.groupUri !== organization.SamlGroupName && ( - removeGroup(team.groupUri)}> + handleDeleteGroupModalOpen()}> )} + {team.groupUri !== organization.SamlGroupName && ( + handleDeleteGroupModalClosed()} + onClose={() => handleDeleteGroupModalClosed()} + open={isDeleteGroupModalOpen} + isAWSResource={false} + deleteFunction={() => removeGroup(team.groupUri)} + /> + )} diff --git a/frontend/src/modules/Shares/components/ShareLogs.js b/frontend/src/modules/Shares/components/ShareLogs.js new file mode 100644 index 000000000..05d9b57bc --- /dev/null +++ b/frontend/src/modules/Shares/components/ShareLogs.js 
@@ -0,0 +1,119 @@ +import Editor from '@monaco-editor/react'; +import { RefreshRounded } from '@mui/icons-material'; +import { + Box, + Button, + CircularProgress, + Dialog, + Grid, + Typography +} from '@mui/material'; +import PropTypes from 'prop-types'; +import React, { useCallback, useEffect, useState } from 'react'; +import { THEMES, useSettings } from 'design'; +import { SET_ERROR, useDispatch } from 'globalErrors'; +import { getShareLogs, useClient } from 'services'; + +export const ShareLogs = (props) => { + const { shareUri, onClose, open } = props; + const { settings } = useSettings(); + const client = useClient(); + const dispatch = useDispatch(); + const [logs, setLogs] = useState(null); + const [loading, setLoading] = useState(true); + + const getLogs = useCallback(async () => { + setLoading(true); + try { + const response = await client.query(getShareLogs(shareUri)); + if (response && !response.errors) { + setLogs(response.data.getShareLogs.map((l) => l.message)); + } else { + dispatch({ type: SET_ERROR, error: response.errors[0].message }); + } + } catch (e) { + dispatch({ type: SET_ERROR, error: e.message }); + } + setLoading(false); + }, [client, dispatch, shareUri]); + + useEffect(() => { + if (client) { + getLogs().catch((e) => dispatch({ type: SET_ERROR, error: e.message })); + } + }, [client, dispatch, getLogs]); + + return ( + + + + + + Logs for share {shareUri} + + + + + + + + + {loading ? ( + + ) : ( + + {logs && ( + +
+ 0 + ? logs.join('\n') + : 'No logs available for the last 24 hours. Logs may take few minutes after the share is processed...' + } + options={{ minimap: { enabled: false } }} + theme="vs-dark" + inDiffEditor={false} + height="35rem" + language="text" + showPrintMargin + showGutter + highlightActiveLine + editorProps={{ + $blockScrolling: Infinity + }} + setOptions={{ + enableBasicAutocompletion: true, + enableLiveAutocompletion: true, + enableSnippets: true, + showLineNumbers: true, + tabSize: 2 + }} + /> +
+
+ )} +
+ )} +
+
+
+ ); +}; + +ShareLogs.propTypes = { + shareUri: PropTypes.string.isRequired +}; diff --git a/frontend/src/modules/Shares/services/getShareObject.js b/frontend/src/modules/Shares/services/getShareObject.js index 728ae4b8b..579aeaa37 100644 --- a/frontend/src/modules/Shares/services/getShareObject.js +++ b/frontend/src/modules/Shares/services/getShareObject.js @@ -15,6 +15,7 @@ export const getShareObject = ({ shareUri, filter }) => ({ requestPurpose rejectPurpose userRoleForShareObject + canViewLogs consumptionData { s3AccessPointName sharedGlueDatabase diff --git a/frontend/src/modules/Shares/views/ShareView.js b/frontend/src/modules/Shares/views/ShareView.js index 151d72362..82912f68a 100644 --- a/frontend/src/modules/Shares/views/ShareView.js +++ b/frontend/src/modules/Shares/views/ShareView.js @@ -1,4 +1,5 @@ import { + Article, BlockOutlined, CheckCircleOutlined, CopyAllOutlined, @@ -73,6 +74,7 @@ import { UpdateRequestReason } from '../components'; import { generateShareItemLabel } from 'utils'; +import { ShareLogs } from '../components/ShareLogs'; function ShareViewHeader(props) { const { @@ -89,6 +91,8 @@ function ShareViewHeader(props) { const [rejecting, setRejecting] = useState(false); const [submitting, setSubmitting] = useState(false); const [isRejectShareModalOpen, setIsRejectShareModalOpen] = useState(false); + const [openLogsModal, setOpenLogsModal] = useState(null); + const submit = async () => { setSubmitting(true); const response = await client.mutate( @@ -133,6 +137,13 @@ function ShareViewHeader(props) { } }; + const handleOpenLogsModal = () => { + setOpenLogsModal(true); + }; + const handleCloseOpenLogs = () => { + setOpenLogsModal(false); + }; + const handleRejectShareModalOpen = () => { setIsRejectShareModalOpen(true); }; @@ -246,6 +257,17 @@ function ShareViewHeader(props) { > Refresh + {share.canViewLogs && ( + + )} {(share.userRoleForShareObject === 'Approvers' || share.userRoleForShareObject === 'ApproversAndRequesters') && ( <> 
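Review bot: In the new ShareLogs.js, the `else` branch of `getLogs` reads `response.errors[0].message` even when `response` is falsy, because the condition is `response && !response.errors`. The user then sees a TypeError caught by the surrounding `catch` rather than a useful message; `dispatch({ type: SET_ERROR, error: response?.errors?.[0]?.message ?? 'Could not load share logs' });` covers both cases. `ShareLogs.propTypes` declares only `shareUri` although the component also destructures `onClose` and `open`; add `onClose: PropTypes.func.isRequired, open: PropTypes.bool.isRequired`. The `Editor` imported from `@monaco-editor/react` is given `showPrintMargin`, `showGutter`, `highlightActiveLine`, `editorProps` and `setOptions`, which look like react-ace props that Monaco would ignore, so they are probably safe to drop.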
@@ -319,6 +341,13 @@ function ShareViewHeader(props) { rejectFunction={reject} /> )} + {share.canViewLogs && ( + + )} ); } diff --git a/frontend/src/services/graphql/ShareObject/getShareLogs.js b/frontend/src/services/graphql/ShareObject/getShareLogs.js new file mode 100644 index 000000000..8940f69dd --- /dev/null +++ b/frontend/src/services/graphql/ShareObject/getShareLogs.js @@ -0,0 +1,15 @@ +import { gql } from 'apollo-boost'; + +export const getShareLogs = (shareUri) => ({ + variables: { + shareUri + }, + query: gql` + query getShareLogs($shareUri: String!) { + getShareLogs(shareUri: $shareUri) { + message + timestamp + } + } + ` +}); diff --git a/frontend/src/services/graphql/ShareObject/index.js b/frontend/src/services/graphql/ShareObject/index.js index 033e2b72f..62e364ada 100644 --- a/frontend/src/services/graphql/ShareObject/index.js +++ b/frontend/src/services/graphql/ShareObject/index.js @@ -1,2 +1,3 @@ export * from './createShareObject'; export * from './getShareRequestsToMe'; +export * from './getShareLogs';