From 9e16da8974e7ca2f8db57d3fef5b42ad06aed8b0 Mon Sep 17 00:00:00 2001 From: "Chang Liu (cgliu)" Date: Thu, 11 Mar 2021 10:33:38 -0800 Subject: [PATCH] Migrate build system from Maven to Gradle --- .github/workflows/ci.yml | 10 +- build.gradle | 282 +++++++++++++++++- gradle/wrapper/gradle-wrapper.jar | Bin 56177 -> 59203 bytes gradle/wrapper/gradle-wrapper.properties | 2 +- gradlew | 36 +-- gradlew.bat | 26 +- settings.gradle | 1 + .../security/auditlog/sink/WebhookSink.java | 2 +- .../security/auth/AuthenticationBackend.java | 18 +- .../security/auth/AuthorizationBackend.java | 14 +- .../security/auth/BackendRegistry.java | 9 +- .../security/auth/HTTPAuthenticator.java | 12 +- .../ConfigurationChangeListener.java | 2 +- .../dlic/rest/api/NodesDnApiAction.java | 1 - .../filter/OpenDistroSecurityRestFilter.java | 3 +- .../DefaultOpenDistroSecurityKeyStore.java | 2 - .../security/user/AuthCredentials.java | 2 +- .../security/user/User.java | 4 +- .../security/AggregationTests.java | 5 + .../security/ConfigTests.java | 5 + .../EncryptionInTransitMigrationTests.java | 5 + .../security/HealthTests.java | 5 + .../security/HttpIntegrationTests.java | 5 + .../security/IndexIntegrationTests.java | 5 + .../InitializationIntegrationTests.java | 5 + .../security/IntegrationTests.java | 14 +- ...istroSecurityAdminInvalidConfigsTests.java | 5 + .../OpendistroSecurityRolesTests.java | 5 + .../security/SecurityAdminMigrationTests.java | 5 + .../security/SecurityAdminTests.java | 5 + .../security/SlowIntegrationTests.java | 5 + .../security/SnapshotRestoreTests.java | 18 +- .../security/SystemIntegratorsTests.java | 5 + .../security/TaskTests.java | 5 + .../TransportClientIntegrationTests.java | 5 + .../security/UtilTests.java | 5 + .../security/auditlog/impl/TracingTests.java | 23 +- .../security/auditlog/sink/KafkaSinkTest.java | 7 +- .../ccstest/CrossClusterSearchTests.java | 6 +- .../security/ccstest/RemoteReindexTests.java | 5 + .../dlic/rest/api/MigrationTests.java | 5 + .../multitenancy/test/MultitenancyTests.java | 5 + .../ProtectedIndicesTests.java | 6 +- ...DistroSecuritySSLCertsInfoActionTests.java | 5 + ...stroSecuritySSLReloadCertsActionTests.java | 5 + .../transport/DualModeSSLHandlerTests.java | 5 + .../security/ssl/util/CertFromFileTests.java | 5 + .../ssl/util/CertFromKeystoreTests.java | 5 + .../ssl/util/CertFromTruststoreTests.java | 5 + .../ssl/util/SSLConnectionTestUtilTests.java | 6 + .../security/ssl/util/TLSUtilTests.java | 5 + .../system_indices/SystemIndicesTests.java | 7 +- 52 files changed, 507 insertions(+), 136 deletions(-) create mode 100644 settings.gradle diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5466f8ba41..7f6aa64d66 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,10 +16,10 @@ jobs: steps: - - name: Set up JDK 11 + - name: Set up JDK 14 uses: actions/setup-java@v1 with: - java-version: 11.0.x + java-version: 14.0.x - name: Checkout security uses: actions/checkout@v2 @@ -40,13 +40,13 @@ jobs: run: mvn -B checkstyle:checkstyle - name: Package - run: mvn -B clean package -Padvanced -DskipTests + run: ./gradlew clean build --no-daemon -Dbuild.snapshot=false -x test - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1 - name: Test - run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true mvn -B test + run: ./gradlew test - name: Coverage uses: codecov/codecov-action@v1 @@ -57,4 +57,4 @@ jobs: uses: actions/upload-artifact@v1 with: name: artifacts - path: target/releases/ + path: gradle-build/distributions diff --git a/build.gradle b/build.gradle index e43ef4b97e..249a1e5181 100644 --- a/build.gradle +++ b/build.gradle @@ -1,8 +1,270 @@ -// Uses Gradle to build RPMs since that's what we use for the other plugins. When all you have is a hammer... +buildscript { + ext { + es_version = System.getProperty("es.version", "7.10.2") + } + + repositories { + mavenLocal() + mavenCentral() + maven { + url = uri('https://repo.maven.apache.org/maven2/') + } + } + + dependencies { + classpath "org.elasticsearch.gradle:build-tools:${es_version}" + } +} + plugins { - id "nebula.ospackage" version "5.3.0" + id 'java' + id 'nebula.ospackage' version '8.5.6' + id "com.gorylenko.gradle-git-properties" version "2.2.4" +} + +apply plugin: 'elasticsearch.esplugin' +esplugin { + name 'opendistro_security' + description 'Open Distro Security for Elasticsearch' + classname 'com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin' } +group = 'com.amazon.opendistroforelasticsearch' +version = '1.13.1.0' +java.sourceCompatibility = JavaVersion.VERSION_1_8 + +bundlePlugin { + archiveName("opendistro-security-${version}.zip") + + from("securityconfig") { + into "securityconfig" + } + from("tools") { + into "tools" + } + from("plugin-security.policy") { + into "." + } +} + +group = 'com.amazon.opendistroforelasticsearch' +version = '1.13.1.0' +java.sourceCompatibility = JavaVersion.VERSION_1_8 + +apply plugin: 'distribution' +distributions { + custom { + distributionBaseName = "opendistro-security-${version}-securityadmin-standalone" + contents { + into('./tools/') { + from 'tools' + } + into('./deps/securityconfig') { + from 'securityconfig' + } + } + } + customDistZip.setArchiveName("opendistro-security-${version}-securityadmin-standalone.zip") + customDistTar.setArchiveName("opendistro-security-${version}-securityadmin-standalone.tar.gz") +} + +customDistTar{ + compression = Compression.GZIP + archiveExtension = "tar.gz" +} + +ext { + projectSubstitutions = [:] + licenseFile = rootProject.file('LICENSE.txt') + noticeFile = rootProject.file('NOTICE.txt') +} + +configurations.all { + if (it.state != Configuration.State.UNRESOLVED) return + resolutionStrategy { + force 'commons-codec:commons-codec:1.14' + force 'org.slf4j:slf4j-api:1.7.26' + force 'org.apache.httpcomponents:httpclient:4.5.10' + force 'com.google.code.findbugs:jsr305:3.0.2' + force 'com.fasterxml.jackson.core:jackson-databind:2.11.2' + force 'com.fasterxml.jackson.core:jackson-core:2.11.2' + force 'commons-cli:commons-cli:1.3.1' + force 'commons-logging:commons-logging:1.2' + force 'com.google.guava:guava:25.1-jre' + force 'org.bouncycastle:bcprov-jdk15on:1.67' + force 'org.apache.commons:commons-lang3:3.4' + force 'org.apache.santuario:xmlsec:2.2.0' + force 'com.fasterxml.woodstox:woodstox-core:6.2.1' + force 'io.netty:netty-buffer:4.1.49.Final' + force 'io.netty:netty-common:4.1.49.Final' + force 'io.netty:netty-handler:4.1.49.Final' + force 'io.netty:netty-transport:4.1.49.Final' + force 'com.fasterxml.jackson.core:jackson-annotations:2.11.2' + force 'net.sf.jopt-simple:jopt-simple:5.0.4' + force 'org.scala-lang:scala-library:2.12.10' + force 'org.scala-lang:scala-reflect:2.12.10' + force 'org.cryptacular:cryptacular:1.1.4' + force 'org.apache.httpcomponents:httpcore:4.4.12' + exclude group: "org.elasticsearch", module: "securemock" + } +} + +configurations.testCompile { + if (it.state != Configuration.State.UNRESOLVED) return + resolutionStrategy { + force 'org.apache.kafka:kafka-clients:2.0.1:test' + } +} + +dependencies { + compile('org.elasticsearch.plugin:transport-netty4-client:7.10.2') { + exclude group: 'org.elasticsearch', module: 'jna' + exclude group: 'com.vividsolutions', module: 'jts' + exclude group: 'org.apache.logging.log4j', module: 'log4j-api' + } + compile 'com.google.guava:guava:25.1-jre' + compile 'com.google.errorprone:error_prone_annotations:2.1.3' + compile 'org.greenrobot:eventbus:3.2.0' + compile 'commons-cli:commons-cli:1.3.1' + compile 'org.bouncycastle:bcprov-jdk15on:1.67' + compile('com.fasterxml.jackson.core:jackson-databind:2.11.2') { + exclude group: 'com.fasterxml.jackson.core', module: 'ackson-core' + } + compile('org.apache.logging.log4j:log4j-slf4j-impl:2.11.1') { + exclude group: 'org.apache.logging.log4j', module: 'log4j-api' + } + compile('org.ldaptive:ldaptive:1.2.3') { + exclude group: 'commons-cli', module: 'commons-cli' + exclude group: 'org.slf4j', module: 'slf4j-api' + } + compile('org.apache.httpcomponents:httpclient-cache:4.5.3') { + exclude group: 'org.apache.httpcomponents', module: 'httpcore' + } + compile('org.elasticsearch.client:elasticsearch-rest-high-level-client:7.10.2') { + exclude group: 'org.apache.httpcomponents', module: 'httpclient' + } + compile 'io.jsonwebtoken:jjwt-api:0.10.5' + compile('org.apache.cxf:cxf-rt-rs-security-jose:3.4.0') { + exclude group: 'jakarta.activation', module: 'jakarta.activation-api' + } + compile 'com.github.wnameless:json-flattener:0.5.0' + compile('com.flipkart.zjsonpatch:zjsonpatch:0.4.4') { + exclude group: 'com.fasterxml.jackson.core', module: 'jackson-core' + exclude group: 'com.fasterxml.jackson.core', module: 'jackson-databind' + } + compile('org.apache.kafka:kafka-clients:2.5.0') { + exclude group: 'org.slf4j', module: 'slf4j-api' + } + compile('com.onelogin:java-saml:2.5.0') { + exclude group: 'org.codehaus.woodstox', module: 'woodstox-core-asl' + exclude group: 'joda-time', module: 'joda-time' + exclude group: 'org.apache.httpcomponents', module: 'httpclient' + } + compile('org.opensaml:opensaml-saml-impl:3.4.5') { + exclude group: 'joda-time', module: 'joda-time' + exclude group: 'commons-collections', module: 'commons-collections' + } + compile 'commons-collections:commons-collections:3.2.2' + compile 'com.jayway.jsonpath:json-path:2.4.0' + compile('org.apache.httpcomponents:httpclient:4.5.3') { + exclude group: 'org.apache.httpcomponents', module: 'httpcore' + } + compile('io.jsonwebtoken:jjwt-jackson:0.10.5') { + exclude group: 'com.fasterxml.jackson.core', module: 'jackson-databind' + } + compile 'org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1' + compile 'jakarta.annotation:jakarta.annotation-api:1.3.5' + compile 'jakarta.jws:jakarta.jws-api:2.1.0' + compile('jakarta.xml.soap:jakarta.xml.soap-api:1.4.2') { + exclude group: 'jakarta.activation', module: 'jakarta.activation-api' + } + compile('jakarta.xml.ws:jakarta.xml.ws-api:2.3.3') { + exclude group: 'jakarta.activation', module: 'jakarta.activation-api' + } + compile 'org.jboss.spec.javax.rmi:jboss-rmi-api_1.0_spec:1.0.6.Final' + compileOnly 'org.apache.logging.log4j:log4j-core:2.11.1' + runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.5' + runtimeOnly('io.jsonwebtoken:jjwt-jackson:0.10.5') { + exclude group: 'com.fasterxml.jackson.core', module: 'jackson-databind' + } + runtimeOnly 'com.sun.xml.messaging.saaj:saaj-impl:1.5.2' + runtimeOnly 'org.jvnet.staxex:stax-ex:1.8.3' + testImplementation 'commons-io:commons-io:2.6' + testCompileOnly 'org.hamcrest:hamcrest-all:1.3' + testImplementation 'junit:junit:4.12' + testImplementation 'org.apache.httpcomponents:fluent-hc:4.5.3' + testImplementation('org.elasticsearch.plugin:reindex-client:7.10.2') { + exclude group: 'org.elasticsearch', module: 'elasticsearch-ssl-config' + exclude group: 'org.apache.httpcomponents', module: 'httpclient' + } + testImplementation 'org.elasticsearch:elasticsearch-ssl-config:7.10.2' + testImplementation 'org.elasticsearch.plugin:percolator-client:7.10.2' + compile 'org.elasticsearch.plugin:lang-mustache-client:7.10.2' + compile 'org.elasticsearch.plugin:parent-join-client:7.10.2' + compile 'org.elasticsearch.plugin:aggs-matrix-stats-client:7.10.2' + testImplementation 'org.mockito:mockito-core:2.23.0' + testImplementation 'net.bytebuddy:byte-buddy:1.9.0' + testImplementation 'org.objenesis:objenesis:2.6' + testCompileOnly 'org.springframework.kafka:spring-kafka-test:2.5.4.RELEASE' + testImplementation 'javax.servlet:servlet-api:2.5' + testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.9' + testImplementation 'com.github.stephenc.jcip:jcip-annotations:1.0-1' + compileOnly 'org.elasticsearch:elasticsearch:7.10.2' + compileOnly 'io.netty:netty-tcnative:2.0.25.Final' +} + +tasks.register('testsJar', Jar) { + archiveClassifier = 'tests' + from(sourceSets.test.output) +} + +publishing { + publications { + maven(MavenPublication) { + from(components.java) + artifact(testsJar) + } + } +} + +tasks.withType(JavaCompile) { + options.encoding = 'UTF-8' +} + +gitProperties { + gitPropertiesName = "git.properties" + gitPropertiesResourceDir = "$buildDir/classes" + keys = ['git.branch', 'git.build.time', 'git.build.version', 'git.closest.tag.commit.count', 'git.closest.tag.name', + 'git.commit.id', 'git.commit.id.abbrev', 'git.commit.id.describe', 'git.commit.id.describe-short', + 'git.commit.message.full', 'git.commit.message.short', 'git.commit.time', 'git.dirty', + 'git.remote.origin.url', 'git.tags', 'git.total.commit.count', 'gitPropertiesResourceDir'] +} + +allprojects { + gradle.projectsEvaluated { + tasks.withType(JavaCompile) { + options.compilerArgs.remove("-Werror") + options.compilerArgs << "-Xlint:unchecked" << "-Xlint:deprecation" + options.warnings(false) + } + } +} + +checkstyleMain.enabled(false) +checkstyleTest.enabled(false) +filepermissions.enabled(false) +forbiddenPatterns.enabled(false) +validateMavenPom.enabled(false) +validateNebulaPom.enabled(false) +testingConventions.enabled(false) +forbiddenApisMain.enabled(false) +forbiddenApisTest.enabled(false) +forbiddenApisTest.enabled(false) +dependencyLicenses.enabled(false) +thirdPartyAudit.enabled(false) +loggerUsageCheck.enabled(false) +licenseHeaders.enabled(false) + // To prevent conflicts with maven build under build/ buildDir = 'gradle-build' @@ -11,26 +273,22 @@ ext { isSnapshot = "true" == System.getProperty("build.snapshot", "true") } +test{ + workingDir = '.' +} + group = "com.amazon.opendistroforelasticsearch" // Increment the final digit when there's a new plugin versions for the same opendistro version // Reset the final digit to 0 when upgrading to a new opendistro version version = "${opendistroVersion}.0" + (isSnapshot ? "-SNAPSHOT" : "") - -if (!project.hasProperty("archivePath")) { - throw new GradleException("Missing -ParchivePath command line switch pointing to built plugin ZIP") -} -if (!project.file(archivePath).exists()) { - throw new GradleException("Missing plugin zip file: $archivePath") -} - ospackage { packageName = "opendistro-security" release = isSnapshot ? "0.1" : '1' version = "${project.version}" into '/usr/share/elasticsearch/plugins' - from(zipTree(project.file(archivePath).absolutePath)) { + from(zipTree(bundlePlugin.archivePath)) { into "opendistro_security" permissionGroup 'elasticsearch' } @@ -48,7 +306,7 @@ ospackage { maintainer 'OpenDistro for Elasticsearch Team ' url 'https://opendistro.github.io/for-elasticsearch/downloads.html' summary ''' - Security plugin for OpenDistro for Elasticsearch. + Security plugin for OpenDistro for Elasticsearch. Reference documentation can be found at https://opendistro.github.io/for-elasticsearch-docs/. '''.stripIndent().replace('\n', ' ').trim() diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 29953ea141f55e3b8fc691d31b5ca8816d89fa87..e708b1c023ec8b20f512888fe07c5bd3ff77bb8f 100644 GIT binary patch delta 50929 zcmZ5{V{k7(kY{Y$wr$(C?c~Ky{x7y|+qP}z#kQ>%+`HYo-P^00shRoERbACRjbC@) zw}KAMf`Ti_f`Y*$+@mMpprXP60YO0l0RagE**6IA3;nwZCJ4!+(gb6YW1tmd+&kYp z0|WgRK^p?_e-Lh>|L>Cp^S`N6$d^hxfPsLpL4kl6lkSNyl9Yha0A$Pzrgp|IE-@-o z4ogC4{7da_%%#Ck;$F!@hSJuy103Pt>Ip&&bSiEEYjRh_8I#zOhtQvBxEw?cd!TPr z!wsm=Q2MUSE`%<#D;=-1bB4PBAkWAipvU&6@Gjt+{oXivLPTFSaEx5*qHUJ|ohm}qMhh40KfU18KY?_@@d5MY{`l_pS-t2K5W2U3iBj^Wg`{Z(3q3MU*+9N zHq`}6T1is#B22Fvn6W)Inw+!^F7lr zsa?oj1693%^*K|LX%bvAKi>vGvGlnC-vqJ?=)+W#LOj-Pw0+Fis`L;-r z_iICRO69Q4h~5xSP1xpIKfE`vvcbr}um2GKe`$#|FkKZPI1msSOwtVz_CF!x0X9`p zHL-s1UDoUA!kK9z0vkl6flwJ+H0m{CsOG`xf$f_&7$%6T9o)|?iso%@YkK%z1KPf! zU&z;3T9(q>O94rTPrO~y(k9*g)9X#U&#(HNKLTH0%)g7?q$Pk*Sqz52p)p0%lbOg( zac(E?gj1MEjWs0T(#-TmeOON70qA4h(MT9(dIRcC-Gm|vO0^-5`h$=tDl8=J#HM(h z!KFfW7ms*4DnH9h=ShT~X{*i*H@40F7cS9!x>`8Uh|3H5>)2Edwx;x1o>m8pG5$!062>zKLXUeZ z_XNHxJJM+)9|p=A6ytLT4U4n8_N7euv&Yo)JM}Sm-Iit$N|WU!rj8_obX8m}kq)tP zeUzbCh+PKhc8pK#8#-NZK&V#G@0m2XT#rS9I5H1TN(cLr+-|9=b=9FV>E0;kls^8V znsyTuS7(lf%v0J}hYWM*wsIcXPHm-@$PB}iR$N0sA-P-4gik;hK? zd3v81J&T&ioYO$*2pi3*WTt#0pdc89L;T4>4K5e-r3Kkfz#1GX0K3Wr?V$8{7=AKr z=x~-L&d`+>t{0bNj9ntswQ|71}+&4<)P`6 zo4f=Fmm7wzTIx+J0DiKfC_j)F<|fhZn$rIQS80Q8mfL$*bCD;V1%z%gTof31_ykk3%>J0r(9M zT<4$GHKVTO)^$6QX7BsC?&9QJg$MCV#_}wW>do#FdK><`#MbhJ@^UX`MmR{_RlUC! z&=2Yxc;>H30QZ;zRYp#_R)io=5pCbL%$W=wX*$099GTWDNxXbSPoRT2NQzW~oVq35 z%-rbQfPMIS!}CUXQCA3k6EtWZbVVR(xTPdxup%|bnup$6ck01hO{q$-lL9_26{kqRbM>aO_M>_USX`a~Ab;Zho zW#RjomoI9=mZRq_#7hOK`csYRZ-TGOGu-vz?=6S}b-Z-!FI@eixUW7ToM(K$ae~eg zbn9?rEG4cSwF;^gn|Prz=oe-X8j;wfEuu~*5eQ3aKIc;im_))-AVgFwU_P)HurVmE z3A3$UF2!?Dvx8d?)sUb6bfW)dN3E2<{R;ni+r@vI^gsNi<1|##Is__63r*4u1R((X z1Rk;X)!=pvwI4?mVw8!9%+kjtV+&IUWmI<)%U-;fZbTo6f;Y+f61FI|v3Dbzn0UHc zRgXKtb^@2OQikVyie4jlVF2r#L&uYmpV+>t9Yf-NsU%rjKKXgX!F2_L&46^{! zKiGesOAiIhCV=hxznMh&$Cofr2`Gs)FBlNe8sxv%|K$>jOw8QE*v-y0sc)J9P@=xA zimQ(Hvu(!#I|ZR4MU~w8yOkYGrc$H1xW+!f%8DvQ38{uB?TEv!>*~M)^b7Z6Pu1|F zP*K6q_dFVECF4cj@&ohjxsa8o=rD-za4ecN_S9fdvh4Q~b4Iq$Yqrnqt%tzN$$%i? zF6bTH4h!-a?6cJXG&MxYcsiK^V0Aw^V#%`s7&<#4vx#EXxEy#0i#eYCE-`}2AT~QA z;3Iw9SS|7qViZn~iD?$esoPom4G!OHj9m0)^;Bez1|;rteh1BS`xxEpQoM%6*I8!8+onEAS_I-)Od$$rT}rw)+B%SKOlB znW07$p-v5qJ9{JMPr*;PM2U2=O{++Mkd3)jY?ryRiIwz8-Gg|pyLfyrTf$Uy>|{2a z0nG#uTnu6scA@xONxrZFp#9h=mWFrIs1`B}xhPnvn`0Ey2Ah&h)1wEyn-0bxRW;Dt z8NRAT>)Ef7Z-e!`8{(JG`PSR`bD44gJ13Yye~w#bgM8#A zP1BzG1f{KP>cTVE7s~vgzh3ivWDmy1yn`_z4;`MkV8aFHU1SI}0F4fB6gg@q%MxBr zr#+Y&bZPN{CdCbR1MY9~YQbU|Wu=4BToinfST^%rX2>6>^+DWryFK~P>7O$m@}3Az z0Uvd=3Z9-g<{da4758$#v9=I{%9a}zyejxak)rzt*n{gz$0(AerV&StoYbHMuW$q6 zJNq`dptkXxN~}H+K#t-`D^D#xQQ4dOK)9*1m1K5n%`(NQ?=NX=Gn<&KP-ccOk*w1{ z$8g8a&Y{g-SsSYjvNQAIZN_-Rm^hio!}HI7=)yu*(y>qL@IjCt*Gs>_jxC)lFVpb6Z4X8G0Vr&tcEp%pV;>U0REGN+g!!9o9%<{88EuotEN!?zs$||9mq=WxAx4X)FpknitCHG(#Qr~joUm-Y;w6Xh~jX%x1=5`jv#Yb_$v*Z$@%yVr3AAf#dA&6(O$$c;zYEz{bR#doAh9 z-UY9rsG{=?-m0~x$P+{k9YW=W@125`FVd=o{IfJD%4k3OVwiu#Ba~DhN!dZwl>RQVsWMNBkSi@+ znTOzS4eINpE(6LfFM)Hi&kIT!ea;YVO3$~@vBe}~!hB}=Pd#S8a+*#J5Wf9C!Hl37 z#XaXK3v(F>o-|2+6a9e@gENupmq!M9g>FCYw`aHwZ;vvDl)!5rTTuoEn3CL>>IK6h zdR9UMtAdEYshd`oW*)+!8|ZrAtz+``_xt_@GsI@B1jF;awinm~sXBM&M&QgbBMOuhaV=^C~Xhzv$JCc)N4qW;u zOAy~ zU~$5$%OZ~p6R9emS%=!d_NA+b_pv%mM*L}V9<5aGXA>=ZohE^h^n$e41%`csxXs@-AAiH zMw&~78yg7e4T4}`+kl$G1A8Eyzqoi)?{x&5S3BA;k~J5J_S1;&{q$0cir#0lNM2@q znK&-c4JUJQlgr+PT*Lj+S>Ms+K^a^0AQV-3>|zWwEsq{ONz=sgX2@&{CihDj(F&F; zsU8=hs&JiC8XD^ca0TX)e%=$;9MCVEMLqi{b}CAsK?EwcRS;%|%Rt-k+S1^TG*xV# zaIAP0Y$dzCq3wZ->K}8E7+(~)t*5iWWk{{{^s0NO;V5#Oun#k8O<@-WB6wq74gk>W z?|r~RX`5jai=8A(0GO?>#cT6owkhVH(H3`AM!@rd9Et7#fuoQ;#^$CZy_Zwvd*Bz3 z@OX_3Np&;A!AS4gi*-Pg3a;K5a$!! z5>xFG3dy9p#p08xwG%b_6NAA`_D4j}a=2oz$0M$(-0dixvP&JZ{w=PAY^Y@MO_{jy znr)7A&D@Zg=o>3Me9 zt$geq!U?SsG#Nv~N&SQ!lEsg=hmrCNnT3P4TYO(veW&t)Bc-jXTl6?*a8zH!r)tuk zX1DagA?3B)w`V0~JeR-V_=H=yg%_YHC^$yC? zVG%v?X5^^kW;zY;wCCdL;Y&P$EH;e?i+VHS&F=0xfCh~(6d6)B;v%A=vaat{2w+L& zT6suhmKGU4&>6dvn>!l|Y{kWnbaiuukH@uwe{}&9%ER2m7(9Xtuub><%JF$cH#c$~ zn_f_Eh(p&eW#3@2IZsGmU@<V5lX_$kbpI($UJ-{Cq+u8P)474RQ+Ed(f=Gj>_7*=F z<}$5Zy5a%?XtJ(-)I>)TNpjK^)HHID39k@++ITi&%SLNXKwLq(`Eh3b1zaQ-&rG#$`D`c5+oSgFxtC zomDuta$wB}IB;goP~5T&QD)1H&uAPBrP2@*!-xP8iIs?(2VdYTSb#hijv**amOxaE ztgr_Lpy|FcSQ3#rw@DBdKH~UA=L&(1+VLVwK^>uFX|_uq8gxdQV4zN{W0&@ec%SA~ zi>T)fO0wOY#*c#XmER)~uAFIm%M{5zC60PLFx|20HeaK7M@#uzgYrHQ(*tD21t~HQ zadt;2**fK{V|Ma6_ce_jo8XE^Dc{i)rort1f8HEc*#+n`nM|$j!bgkvN*&b>ecqx+ znT=mhu}{>*z#FwIg6+l7Vr}i51Fe-2JiT4cW19G?1_TQzzr0{U2d{z$Uv2E1R7|sw zHB{cJM^Urq-?GD}Gd+OCm&dn0?G(jL8@+9sGKHVwv`*R$52bq**=|Me|4O=Yu`XT! z+E`iG{RMld?K%llat+0C06?gpzpVtQx*zh-_{lQESZM{ob{T#L{!Y;*{p&;{WV~}! z__c`CXa9lPnZoudLaAT&Cu7p=+uApm(3l6{`U{{~fBGB1MD6bCXp}$4$h=|*Rq6j& zZT$Ysm7T*j$d&lj)J~mjHb*ar@s2nSaJ`dM!qIqgmAM1^^kW7Mr%5F*ax4){QN@DE zmk8lmirhIBYUec#mS9{`j}e?ETzFIVhaxnq zEWK7NMS(`OA@QH50FM0@72Uq;;#BPfE^}q|RMV8Ya=FtZduPP~hyVqEo%L%&*0Nh3 z^*g#*a0$pNPn!|B@OaMC5?!JI>NTqsTdNg6F8@$&9_`9|>Bk68X3! z4|mXR{x-#KXdU%xe$tmlV2v_^}rZVkLQ$lIZ$`&MEQ^nleD_O z$OHMqh_sUL;!a+~wM7{N1aek z{h>9q)UQmUdpN(bI$){SA3=Y)xYMjNLs$=%io4w8h9N+&o1JodKIodyj=u-Uo%^?4QIfsm`Z3xm4(BZzq>#vaJx+a8txx`TFxp&LlqT@u1t8%+Hnu?hG74>d8U{3bG z%Zud4);3|bxBmJ}N1 z^mjC#7MD*{OV3(uYgR@=s6@i+J~qfbdn0!Mg>B{=JtG2d@Ad}7c^P7F(i`C~M11~G z)Sg&++fr)+WEO(#%23w4zuBE zD~U6&Y2OeD>&($Jcpgw(lqdYov|d>ZKSbKzI57XL(R2LBp-iy4A|EeQZ9Jl^Hl;{F z+Y;C=3SDZbZAdE}fVLjM+`AS{+mZt3Xl7MvcBxy%~}6}z$RGUn&%VGx{<0= z2~B?I#t!^B-vP&w>B-^(a-JzF6g$`-t&d%T9atSe)EMRRy#-d9c5XA8hZm&6X~EEM?`O@kxP5f3s5;K8 z^g#n(YF%D7;iDFP>uSuWcY%)(uy$c%F-<7Dbic}yH>DXmVLDV2v(vTc3IaFQCqc<* za=dL)V$i;LdSJ3u!+>481j3J8hXU3U7fbZ^#T880&w5w{;Tfu=Kr;z2#(u#SYIZM3 zj?Gv4P{uN)ih)$ZKrCbm?z;(uObsy2GzbU=g1J?H(#xkS`g4Xu!UaKSX@z)j^^Ws} z;{64bWhkL|G#-*&$0*fzfB+W$j{c#(M#Z-!Mb4^ZNV9|m{^X_%T4oW?UyBC~CjC#a zPn}5zb~aohp>${08jnZcpk0#9gp zylmARp`o^0@>a%xANZNesLG`tNd5HgW=B6xokj%Bk)V|CNwUFmbyaO>PhY|zKHR5L|%soGlSm5e+K z5aC#_<*LX$L!T<9nTBxT0Kjp6`ytp^OnptX+`Z&-{4eV+y^q^{yRX+Dia%dpgg|%$ zb*_AomOA-|+AV--8&3sEG{a>_1xdWQ@}aclo9*0H_ z)O&Pz!<9SsfS3D;f(BU9_xpWVRZB^UhdCJ6SVI=ZEN#H1>q(PpuO;{67f6k0t?Iq} zSRV6rC7RWJO`>bnx0txl5x9G@{^l%i?-N5-E6FG%-Pl7M^f1f2?`yP>>o~niz5SN+ zQH71Qg7?x%Hhl_zo6!bqsbz&r4%Ra!oy|mS*N(6I4r^5FG=rB#2VKwAT}q&SjaJ%m zxcSt8h%i8d2DQ|5RyHnnbmlh^Q#$lv{Z{qCC8DDGZetVpA8IvzMIL|m@n(DThCUzt zS5-b?RBY6k9 z3Fi*w)Uey@=l&RmcIh4f<~xuHMozM?~%?7p%>mhWckZQ+!IR+E_?a(x%d zufzSW4z|d#euXTd2(B(AsE>k2QKkdRG75#7+y4+vOu_!s87SgZ6Nd8C4_B^uxZj_Jd}1 z-HNR=MlG`5kJyh{J^2D)Z>vq_K@1~AVN3fLJ=t>{q0gIumaA*g zy{tiT ztFO2}>>`%l>u=?67e?-hNyCT;uV2W8wJ1}+_ma~}aWk!oK|q{U*Xz2NS}N@$a{O_R zRnAkGZNYPAFYFpyUiAINEqAfg<@^Uw=K43ZS~lrDLfwvf>MCWrys?)zsZZ0rFgxz$ zq`0n!lTC4Bv3eXnv^15rmyWq1_PiZt15ZL%0_F?K0--Zsfb=&-al9}mn73ynQGf!w zQ2VVKYw#S^?MM8vcY2xj16u{A-yD2+u0A2rV$)wxwjN9RisT zVxT=>Rkf#kMqG6P$6asC^kV%51Lb1fA77vLEWKvR-CZSo>y_QiV+W%neS8Fa@{9kL z)Om)lGD1(b@;DAlt-1K+W0MQe8F*y(>lBpp&WIs3awUFpMD-qr00v9*Co^()xK=G1 zR-H}1D`NY$+P_@wsg|=Rj3Xri=f(Zz@Ouw}6Jc9Khp4Pf>I?>Lu}X*%zuT0kq%TX> zZZ4@khjo=1r!C{B@6dE%6t6V`;aN;sOw7Ykpgi|T>De1K&e1Pbc`vei|yy}P0CxOr>Ea)EvyiC;+D6E4&I>r?NxEs39`{en= z9IcOZLLMld=c<8+TgplziRfMnQEtFAJpj5D41xA$r$$IRbwaQS$#4-2?_4hdy&Mh*vPBJXE9)kuE40-m% zVVTWSmA#E=YW9@Hf_Vr%%3tk9fR^mmu&eUr=fNi$2lGAmyFIHjR88fbvZ6d4Nm^ZZ zgh+zz2)lmrCl;C6m8_Qv>7z8{hrI8CoS%BR#D2Yh@;uu|12Pp;py3msV;Z};a6Q=` z1^*`$9)A@~=aqC$Bn%*Pj}BN)mW4r+p(bk{2H#kO6)!XrBGF40D&`ZX&;}1`ARQ|x zG+c=SE0^-S678#~a^z}=RfpGRsHB^a?MKHRrqC(d!D1`zdg?EO4p$Y|b$b^xV;6&y z+lDt~Xk-;b*$8JZ>yW_VT0$50OC#>3z0LGyUGK~hwls&GU$*+vD68+6Iu;7`AKG*B zIl2wKpR0^xmRG>jicyE|{!XUPuxhQ37JbswtP1EXQVgXH2EC?XgPlTlZ1gV-1kPz^ zCW%2>2(MnFKOr>OZ5Qb6do075G18I#G~NqiOiqf{WW}R08qkV2ON1x}Rh~iI5YMGT z3vcubzw#;~J3$dL4u(TyR2ycdldl|bIs%h>gu2UN0pqdo##@94$ys zv@!H=$eiY~6_NtfYbya$Axh<7YKSNcVrXecA|VhG$KS`zQji{PCcokmx%d^xM~XKh zmQZ=|RTLW0iF&wtUN4?@L{Y{j1iQ+XQozrrUJE*MIDdU>p7vl9czy2E0%=5m!{ip2 zu;x~Xj5HnH*>P{x>~Yi3kad6n=G5=_z~^2M!Tr0HP-d$)1A&|eSTVE(nP;C^}*!31zpdp1Rect%Bn zdsYRuRcO%x-;9C65Ih}T(+qlsMS2|QKU{7*d&c4IT#ktgGE|fg|2_Hye9;K}Mywn+ z(i(vxP`PK4K=+jzFh{?15+BiTzZeTU4vl-eR|Y3c$|FpR%2T?R_N|1;8?{8^BjFaL zC6@li6JQKuEPo^EEk2lfiwvx*T#K!Pp1xSyT*R;zY^*EuyG@wA$+?#7^mui5yG4N# zQ#dPoE^W`nv$|-g(Q-Bd1oba#ux2zq7xx&(mB9xnO}w&4p>weKd7V|*+qC#F<~jME$(Vb zMZDfM!Pamib|h;QaK5O3X-k-L&4$|CMB;z|CuM%>Elzwu=WHmSy6C?eUTUB88P)xU zh~_Na)|MB8Q_Bt0JG*!G^)=#v)K0C36+f5}U2`GhoMNCfyrYCSyHPFj&Qcm8yY}g1 zQL;>*hAchgu+i2QWgF;xf{ElaOK$&VH%ssk{D5MgwvO`$pjyFk_{PDSbM>o@ZtS~) zzm_OGx*45)>nT^;xmQCfKn@f!oa0fB#o^)$ z=cQ0`2sL5Vh_qy%>g>}%X(@Vbh~f7cK-h6TWsL1 z%^N|lVy-F(;J9p&c?d)63xLN9FW8UB{s|?hafb>YcThH6crUtKQ3io61}``?hyE!t z#CT5&&&(%2grs226;MX=))KnA*9PLkH+_+K%tdgz?~XaEbeytS&`0~UhxOyIO<*To z5)IZgn&{h?Hbe+^!JppNs8M34P~4a9SSt(|&I4-(eDW1a-^`*P9xDufYY!N*eWC-F z?mV!!0DGCCfCHSVp`2-0+XNx?fmFc$uJf)b%y-eg)2C(u5%DmZc(U~%ZZhiuEC=*)BsYCcT z3_d5IMroCjc=dhWX-Y1*&`x^nDH*xaFuT%FIX-NAOaV(-7gbff1x>Rk+&Z%y{a>lU z+JtAZnvGLnFEc&BHZr{;LfeFcRRs*4SrXNS+$nb&Q3R~chpJ@yoi5^#exgmm{V= zD{2hBKCi@vnSMhqvBSIQ9#xGM;K&T-SMPXmBa7=vgn;HD(uPz`ZC#LLa~cAH`J4_| zH1gbCvWYTJa(@f$Hvo65ruC}DNLG~mZNjB7|0HT)eMmi6vz}{fK>jDeCF)eYbPYU) zAb!NYG6@?kO|yxo^kmqhbaB{OMW@XZZ#!M{{4&~R&^QzW+INF3hxeKOzo2MiP8pb0OY`Q&*wD1;sPCt!siE!J~#TT4z=O-;0d= zR&0vd$;9Xt9!I4LhY^=s-+VDM>|+KrK2?c|_2zVMZ?;@Y@j)Uz2;q8w-c5s12^4YE)A|>q!*WEJqWyh z)HmG-0X#BH&M2R9HFRrDNhJ(z9*|uHgySv=4yO2WoOI$4n8f0*Hv)87;L#;wO9ku7UbpeI?R!P46}@sfh)K` z;o52I7s#(ENhVE&6Lw7o+<{LE_HvF`6Jf)8XS6`my;317EY3I+W5apDXx-2TE3_!+ zX0o6Ur=~X2{)Suwgr#{1HB)K}W9$=C?o}gjo`%Go?vz-qnbR2^tafBQ8Ngi(AI`H|oD<)VTfke39~k}1q>BQY<(t;fQCHny z38owBG^Wl|eoSl!KySyIs9fQQeu+YGhEKA@=UC9ihXZ63ZK6OxepVV!f|VQND=zTm z<}(d-L~OVz%_%@=U+j$cuQ={nXYW_X^3EOLwcHk~Ti%oT&zM$rR4JYq();?LSNp)F zz}&#NQKMB(N?NY&2~Z;b29F7-glpZ7I(InYJ|E9lt>h0BWH=vf>{fbJtq$OxZgKKp zaCDwW*MVRTGkGhViPX+RSLKhq7ON{LH@>2Zot@xozo5%DqLHmF`$7CqIBlQd9PPiy zW4P_m4mAGF*@U7b?J!aUw7h)LJkWo>8^`F9fESfSFs-t5>|7Z4X@ZADM40VSh=_y1 zigT_IvWS~lFR$nVyp`;0BzrDXyz{igOV;c}7DoRH+4lTe(5R8*za)H775DpP!MVOo zN6nl!_dV4^aKGLx?4_y(_nTc=g|?b^ zkAJIMbMUW-Cjg2N0JR@P>?QJGSnn+sbEXk|iVHrOK~Y+k&9RN4m7KNyVYIP8-}Hy0G+k~c;>o=Y zb;(=~qh(suo6o*Vj#6pUc>P{#OT#o21G{0xOr?p`&tNwbpeXaXZ^F(mdQsVO>AeUY zAfuR3ka;hKh@9?Z0>vZhZ8IVha9q;doJB3k4p+KaoYmPRzE_*M4h5T|WRuE!Nls`} zy3*nU{#m0D-Q8O+%GpxuYNFKiS{{TKHi>{RWw5g9m8<{sNDZFszC?B(nki$=)?<^J zRBcr%`d1nSAYM^e+RD`)d6UqBV7*`ro#$$SbFw?=BeK?QK0+AX3afrVBU#?8xE$S z`+^&$+_8fjj&XzU_H&Z+74GSJstvR;Q}6S_^hVu6gJmXGUQ@jZ_zOuK0||9jY40PF ze@YF+Wn5CeRRrfzzj6B)?D6?m>}h(+4II7!S^{_LzjsL#(yf=^W{lkj3B9%&;}Y^I z?|7m6H18lkl?RgEk^%(}8O8KK(u2!2Xzhn9<)FfRYz2!`i!NwzH^14%{_L*JQ*W6)t-BLMO?pjnF?A@K?rXl_NM8Q6QWnA|Gn|Rh1LFbLe7)38BksY3|83S-Y-X*}$Cjz%ee& zM)|Jq4C?qj-ibd1lRk?x!GF8~t>&-fYl(4hveaJO;J8`?qd$MKuOkaV-4f~86`(Z) z^ovg}#Cu7*Y0G4B_sP|k(iC9F1;A)&-l)Np`p7qzg2u1U<&R#T=$w7LITtt!R=&9k;-8q$B?RV!=8Wu%BlMnHbKLP z)x-458VfkmLXe$69>bYu!UKvR8>IZby2wWS<`3GzAD0AT+7OSkA~%GR9h|Bx>4qJ@ zGvP2|m%7q4{IK;nBA=hJ)nW@XFu)kSaib_4y)1{oFyctW^j9jDv_!tpv4bQ0t@9|G z9|WYnQSbh8ENuw}nCnjgB$@fDpr^{@tnS0Uw3SUjG%ciQ>qr7e;c6)g;VOG(Y_)vX z01$Kc#8Xq$#i7Z;L9TLhnbn1k zjvy_5l;6A=DR|@g3_;$jl7bs{;||GQHn@s=t*Jr@XHXGObY}a26xyB&MqYacrS!4Z zNP3cxsxqj-fNXq$2T6YLV8qir<5Y`A3IW6-;#!4HSQx4h8Xl+e3n(A#k+y@aIG z{LM11ga&;510we*u$RPA2je2itvLPzJns?GHOko{L%smud$gA* zz`^hK-@5v8gn@D&X~vu{NP&tf3eSn|f)ll41~}l-i~dgu_P`Qu7=PIhoSv3y`@`GQ zoNWc~2{2#xfV8iMmI_fA`-Kyo3E*pwfUH5$3SVCwNEOQg&5LmFATQET(r5k6 zW{OPYp&P_$24lu;grWO4sT&pF+cWPL?cVYJX)>o)z)Z4r8ZqC#I;T^e1OOr#Mk>1YaZ zMke_?2d&V?`mb?^s&CR??ek)V3&XOEpUR`GO|rT&@NDvP)9X2}+_&o)+kybVCy3G@ zDX7ztxt4+w)%cxIDJ@T=vmSfAkn|W1AV~T7t(Vq-!zR$U*>`x?Wy)HM5l@q^6c%#J zX)|{Xqj#>VnFO`k(W}Six|y%cphVrfJ#xTT{Z)6%tqmc>uX?fbu2t{m@1W({w1L{` zBz&C>I7Kxg!7q*w%aG&{1DutGR-C_TX4O~ABbV;>ik`pTbF1{&?QS&MPsjPX0p)*Y zxglfMEW<5aZn0E& z=^Y4vJzA_K52#bZR*jH|68o69n~4ixbp1{Qvx5UZ6U4F1XNTUv!*TrvBcIz)@pEG_ zUtF_p=GPr>+y-qWA*OIRNR3d|1F#yCm=6jq4x`;%Xjy7?7LuZ(w$l%ZhPwXQ%<3UE zZo{JZiBrx}8-VLkhW5TE8JB`&o08&XqoAVn$VZh~=V8kP9#tIn(Ei4Knv-EyU}m_j zht@0Wz^)#IA7L^}3WDlk^K20)+?CGRgS zXuu|0qmx+A7MTTOkvl-hw?LU)mgB%JAmo3qpLW4H?os=uZQh-4QJgQNbS2(6bZZ#1 zr2*S50>C94v8ECXu&Kj)YK%uET(3zR&K>e+V_A@g4ZEcG5mB&yA==e@0!M)kFH}X` zdboGfe#efRA0(qNx^Z-AGE6g|LjKKGXAW!L@cS@B4(7P{|8(}q9mKH+4G4&V9teo& zpUUC`{!>kBw4r^~R#pTlo4SoX=^}!e>=2}gXpJR7Op=huut3P^;Fm9C9}=UdQFgnT zq4k?<&|7M1bZq{G%lc=5HRWVhG#eW_x@k7{wl!Vbm|cDw{{AKMKc~GJ6J%acZ-3uH z{_b?WZn?}o2%hHpoQC~$++rcq@ApAk0~k+bRf%S>7v&O49q}?N7SSe7n~74Kr4G*t z4)XZ0iizgp8!{HBVIJ%RR5KmpPw%#f@b{XEGs>Kt;!E#*3k>s}q<_l>xnibS>k$;6 z>me6+b*Ok_OzNg|(=U2D#Sh}aJfIlh6!RERQYWSg#97^fVFE#T!?+RiD(fPlNb>0Jsx!kABGau9L3<|5f-a!A>_m?+9j4s zzuBc$=z@GIoUd0pHH~h9bo2M~7Mohe+q~;9HiMme?UdX*#O%`7VS=6e`YXnBJcQsF zq7}~!`jO%SJEX*MSZmm95foqB0c^IAj}&eaDNu@Y7G0d;-Cd~qeU7kGEX?Cg@emzJ z#Tf6>|>5>o0Z>Xj*+D$JCiE;vPtEhD%&_PPg)3usZ0t0hCEI*plQ5 z+@3FOTR9!N9Q8#XTWjE3Hrv?k96B9kXIkOqz+*6R({R+4Nq4kY>~s_U7gy&TV@nui z`?hV{wr$(CZQVX?+qP}nws{-3aofgiynZt;^JeCclRBwNC6!bv-~RSq>$kj4ZOWkC zp${-V56v+t5TS@iqBH#Pg~rz*HMqPL1G2Hip=w3Gj3s> z^&qv=N+(EH?}G2Hh9DW!DIW3$)NO~*cd})$?OxhPmn9|2&ORkpXfLl>P$Xx^bQGFZ zyBsM2hM6epm4B^|2 z8tBnOy%;Q#8x*vXOt(mss`Ecw(d)p+8fjTlY}ZJ&ADKG(js&$O<9}hrYp_eCU(}0mhp)YmXf!6%#7(T3#4Y~@E1p%rRt8UXo)nw1VO1B3;q>jE<=D2< zBn_+xmaf3@7+0+W{1p&}m7=^Nkgi%J)hgj$!sfh82_41E4Oz#s1)`E(uDbz$wqyQ{ zu^c6yBpnGf^4rQmiA}MAi+=kiV9IXa2IoqFMSkllG9`DkTF2+tP!x7sEmV&(nc(fY zgE+}N^9cqmv2`a0dL&OyL*x>+DYV%L9x_69vvN1j1%SO6KpaP2tHv3VC(AMjtfEhX z!Fm`Wh%W|Bi|>wO2%9XC#7pXIXS%Ses?r5(L!Klb2IQ#Mjm=KJtHbaNT$mm!Wg)rv4Y*#+ghLJyv%ulq6VqM+v;z zCgy3VP-dc|b(l4{WA0i2(d>SWS!eUEXusDP_Sr#y8BEZHR=w5oWi=ONVV4=2y3P2TW@ zPL^j|Klr30)Hlg!X#d)hnt(6Av(|{l%x&w+z_-)D-iwTs1MgFsaPx^FSU>lC^vxwG zfOPlCG*~?MeQZ$BT#$5oNBX5z?vJx@j?;$#o3F7-lU%ocPSd4RPHUY%#(DNZy;uKG z{w5I%5F{mpbnAMA=f?{WK4rX5cl%;7EPoLGf^muW#V)$jbpOHu=%0%Eh0pE(c9d}~p9_DJ$h|4T z%w*tEoWz}@M<0TXN`@V}f@Z~zqr7CI(b$dvj0{WkAev#ct%sB}haS8?8sN5}9w3~l*cF%yE{(H+%$S>b^_YWXkdD~{9_Pk1HqFgF-@#R_s z9B{Dj7!Pz_xkeq0-eCl6r&3rvhIYru&N@|Fj}5mWU!;)`?VvVxV_=N0o)1KYUNH9MQD@}cQNrJ1c#M^z(^)3ZKGTa{<&fyx6?wR&xH(R zXw~!a=@^z7F(TZSAs`&Rj4sqkR;Rrrp^_=igG534S5Clds=OYs% z#{@s5iJO&fFeb@)@|S1 zJfzIs%CL;quA-I;RC38+ZIw`-J-Fi_t_0$l^(=KonVu5YhmpwALBawubUW1hHKAdtXsHX6&IA>^m{MR_m2S3!BL4(8#E;5-pvP zS@)IOtAsUEF}oG~4LCKs6SMoG95D8K4EL;me?n?J$8MG0(`0=>QCegF(%8;g6MN5u zW|U0GXKoMYWWjf5$-tp5MN&QRyXZRkXin#YimR%X<7&qCJGT%MB7@U&&0 z3$x<5GaY5S0xYutGO~4ZPA(o+n_9;VPQI?sk`+0Dt2Ei{6g~-S@RNW{b{A{C^#!Cr zi<^@;RHH88T@ea=xK4xVP#KqA_InXKmGs1&l!lr23hZEAB-o=Pi~8IzysLaWkVPYg zQ^n@01}Q z!EB|abjOHqG*h&Y6%F}i0#f3haY@Z+JZXWh;AXWY*eys&j4Cb;P8!owooNmQiozs> zwMCzRM{6hOC6+Ga=O-fv>|bFHVHT_frs=Bomc z7JQ{@R5WCvQHCN1sG+wTlco3WkFf9S(ps_J8NqOl(6i z{D#H#w43!MqHd684n+@VxW5la|Jt5syHUPEYo#Z0fVKI@KHI33Eb8Oz&f@HfK2ppY z)GsCu0H_G}aYEm?X4fmO<+GTEQa{-M31KHlUhiUGEM5!iYTk_WMm$2QFfu(as@Bov zMQ>E8_@(!}%qoF1uC!q^l8D~drJ>$n5inWtDyuKTEmmlWaCCjDlSF+Pibo6nU_OS> zu`k5G>mZQo3s}e9r|oF8Q$o4a z93|8|w~&vxRCoH?Ng}ErqehI!_4?p95}ZFI+9!lOXaFYYP&JVb{T?R(Cqq^HI;H}BsfDNK5@C6u(>G}st(tbc%DSfmB)0{OA;5a%BlZw`0`@}Mhfu|0j*ZF?ZN@Bhwo=~n~8 zE2&D*?c7bs(X6h^PjV;XO%CnlA+5`XJs=GlRq;wapH!pWE>RFe8#S$hTX6CA^__$T zdnJt`Bn9<16fyC`I6|Qss;#Om8QXe?M~te1JX25*izN!3=ydTYQOmx8OSMM(&^S2EBQ9=y*;YFWBa+nTjdw#7dr~_{e$DL9{5ti07a~9 zkPwE2`xFW6MXK-tFu*?hz<`A{I1n9~eym!nRWCl^*smlgopH@dyQDLOYrZT>cnbc{^@DoJmmj~@u`@utQ+0#RPDBfeZSUbF{3 zxy@rL5yD$=c;rjc)n=k5fJJ=rC{T_kZ)nfecoR%R>h*D_gc155@kPTsccAj zLxpC9*Ovm~Ak!E-&GEV6aeevZ!|nTgkBy=)N(XVPMWtm?zrq z32ul|Mecf-p@q?QfFdCFj1lV-SHA39xXvGc>r zMnHWOAj_HF5Y=o*e?IW0&s%R)#P+4VWQpGcU;akM=mzRu%|B!J@?)`y5j3Tj_FK1% z{l)*u-n*=ihz<6*elT4KOG5OGP}wtu4q^RWHi^?4$Hl9ljx!pTpwWt#GY!?n?h~v; zhvyAQ9{U47c+p1}38RdS6LjiVY+({PBhZ9z@&QWW^o+b|170`!w&4OQ|EJ>2qOIn3 zPY#uqM!k34)9H*I$d#i>b^g|%LPiTAA%9#|;DRlgvQQ^e?tx3ta-MNcrwHr0PgJ`I zOMTAPX5Q0=4v|P#?7RGL-7wAAeVnYl+q^S?=GeH967qNLk#*q(vn*Y0YO1LtBAn)$ zf9nVwxyS}_U@$&1+q>cxHVz)Wxul0>E}l`)axPFEiH4fM!g9ubf#Xef|kGfOy|4@N|Io8>i!~(-^Xn)Ea6Sz@-gafXKPl+KzA~F2qTLeQ@(Ib zeQxgZDxox0pq!j03LsuybNPT^n&nd+KR%x)0Pufw>6@Qrt3m!7O;bjuo-+1_rg`(z zu;=;@RL7hG1weUQW>^S`Kf5Hh_73C56P(Zn9dwjaJOM+PiiRqv&wjhqAy#^`EDBI+ zgzR?<`a$LFp*vDV)HgGenaS#E@pAR~2VDqwTDycPH!v96-a>z-Tg%AFwkcI_ielKQ zbI{S7=;*glm`S-Njr3^3UTUJ;Ggg}Gr~IeYXU-t?7=V3{NhK|j%Vu9Kgy$$VfyJM@ z?*2B1w$hpLoJ_N6l*z(|T&LWuGOn{bOQ9O(#>xkeY;kZC~Vqn8Cq??TbWxR;~6 zkiojj8>JRv{_rwI<&04M_5$t%(;e;RmqOonD2<)*(gt-*(t0^h2C07Lf9gE`3+UEz z>gL7ygGoz700N@;f3FNa`S&~oAXVcWfV+y$Zz_x9&1X=w0nOo|lp|y&-IfI;pPiAi z!4f&pr0=-$V|82-%M;6DZYJ}vmbG3Mc}c6YJ{QsKipD5GYcH8@|B|Qg-{WOXvm?fQ zEqJ;1?Yh})gFKcudgEJbstbRvvteESRmV9Y}{mPu%s z!<^+AX85}K*i`yg zbz9MdCUx0Wo`@IE;1I-Eln^Y+&o+b=C#zYkv&_zf?CP!C)>PH5 zdhfKNTZephvM0A`brzY?*Z6tg>onr~Nq^%te>k84(;MsHpdrmsr}0!f5eqdS+*7}_TlG=!k7@p@Ydl3b7%?#XTmc&POC?ieIq+ePamhPQ2wOi>*E6Q4n zY&Jo{_{n8wdCM#uOPjjCDL#!HrceIbb@NdR5fT3LEL3njS%nuAAf9Fy#=x*A2hdmB zy@oECR+%4l@$_0(cl`54N7Ziys7}LX{t_8D(C3hSD%xA5 zxP_+yMHWOOLcS&=pOv4O_yV@kivT*!Kw!X$%hdEvjshrZ$38$~qk2h=VdtRVkz!ka zXpJR%$&AsQnDa%^?OyFpu=odQnjI?_=ObFejcU(Xj+4O68Nb03bYQyr9G|25oL zY%m$a`fTr#9n$|>9(((>I;OvId)toT-N6C&%>FtTz_K@lUxnIFy_D--ff$F$raH23 z{t=AI9tcp`bP3IgR6&cJ3?O&Pi75|cfFfNe|`(&gF zn&W0$&$!m~J3Dm~Kr&zER#nyb;`aHea%5qF%PW9q`*)T;K%=Ky>}uxdjFAuFrG>A* zdwG8sKq6xuQwSH>nJ9-*GsYUz1-PTm*m`^;9cbB@(pyg{XVoK z*mI2;5$o~|%Z&>@O3`6-c~91jLG!vM(iqdeOgP;lXVkN5SH7_q^{Pc5&gAe^H`a-eLfde3&Q$@|{zXRzptJUp5zIePR8kn^v1JN4%E{ zVm5XEA!!$K&QbC21$e;y4(5UfCM;6NJ#6{9t#eQEUtyI-SSDyy!kJ(E>z@Ul6?}&i zvaYupzd*GJ2S*w}>XkvZsXF8>w=@H!DlkA=GTDU!I)dt0P#d@;-x5Goh$jvyp;sab z$ZLxqL0L9Iv6lOn;h0RGc#?f5hJM8k)^ukEKe+j-RTQ?6IlwWZ{za=NI?hqDio;_~ zuDOVQUS>=rB#O?@{+I`SeMYcRjJsKUAu~BvxWIu>hX4jC!v3iKcMpz4%oOfJ>ADbz zP$H-(VT58#Z=S&?=OS;nWJ8ZAp68Yh@adVQ09uGm02Y`h%#q}J|s<`x_xm0@N}dwH?Xcz z9eMl`k=eww+HQ&ah~4BDd9}J1fMN3WEGeAyJ2370t1n3XN4_J-2*($1p2>`0v~tu< zvhtHX*I_e0ZD|C^ygHJ#2LA{?2ybjMLGz!w^oOkMLaH0=4iT(1ylh4q;ZNnjJn7b( zA=^D&3OWQpMou*4dEB@=?-66d>u@7MsV8xUJ$SvaswN|m_FSEACuQ+4!aZUyp~>Oz zuOT5UaB;D{IG$_eaxag3MK$~BpxmLA+Q5%TY8?5OUyLj(T||;F?0!Ceqqj>%do9ra zc%YVIeSq-4LI0FbZwjC9xx@+P?>Pz}L$# z3bCYvVv%so6fG+VJ@Dk!#gCZhm%W3(M;r+ca<|CQN|uKxY&rYS0D!m6n1U1p{wVE- zExoM0vc#=l@El}}GnWxSxzbGa8^2w{8oIyq}Q(V{C}qayGZfYaRUoFXM9gq4mP zXyjl2%BDi@6Wf}a(v-N~B=h(I^pZW{F`@G!R}Nq@o-N<{kJDs$m54wFialyn8dbs2 zJAAhKF&=i2w)cO>Euc{!0k%e8V^O?o&2Ps`SR|yaH?cn{77dp1r>g1rg=16M@0;#6 z+j1|H4sQEe)Q%GEtK=^%R6sUbu^4}Gv?tMzwTGCfL*J2^-&uZzpQ)G=cxe6hLw{u@ zA9#SeH-!J)S?C{SifPGib*ea_8FUXvZyXm?T>nBaa>G!P-L%FI0YENNg9UmlNH@iQ zUrf@S5yo?vDzo4V zz|CdtR!a9=6nZQ?8TMvl5mzOc1$}Wk_6HD1dM=PKu{H#21oC#smC759;69!>*L3p7 zpI#UAvz<>Iy+$ye0g9hdb>4#n*4=~l@N*uGtp6=4?CX0?NOD4GzY@)LnIa8i3G=s; zatg*5r;HzrL*tD}vvt~eF#l!y+$AF#sc`6-an5K)RzW4^mcWvB~y7YAvL3%fiR4BN^FzFh3A< zYs7;R7#I?0DRnt?QE-&~1p1smQk_ZN)fE0T@?;c!x1g_uF|3}jDdyQ36s*mx5BZ;0 z*H82NhW)?=Ak#cQ3fAAoASX#iLgK-a&|Y!}e3{@ZiW7X~%@u=55c61Aka2`w3dN{g z_UVHFrK+VdL38td*8`}He{84Ts!l}CZR%~@+%)fFsCY@9JoH~9_M1zJ{~m3+p83C!REZ6X zi_`tRifec5cRRb5RLA6#EoUx(TE~i^B?vvKdGGrbGk~z${5TL={k4^c5KBenPYiOeSI*2H_aB9ZtNg7IE+%YE=Lgej5_B5^9o8&s`7!}`cMn?EpP_f0)AWA}m9!lV%5 zeD6y|D6Sg<+~OT!Tym5EXA#X5CMZ+@a6-}x$34TAXdj`#@Tr2&5ET0M5TIiK!#oUh zy|c%{JVd{|E_QHzM|*@tMqBJ%7(?A~Mkk{PmZK5A9^yxrl7pZw z9=ikYMU!i-F1Db?R zXhI<)4(8Jg%CJcYfoqD&Y9%1@24<-Rlb#|{C!YXimr{Y)6q?N@AOZ(wLA9~?{?C5L zf9;wjKPnK>e-?4PWMU&`zzYEN6#F}m{_Xfkiv_|C4tXpf!43`#ine4U<8V#1)h>d# zmRr{HpU@h0IqGk;ti>g_5?cGLglo5j%nS@W9L_@2Ew`KAf0oC~&)$2yCCOY=pTajj zc`yGiPx*WAZ!irZ8o|uhq%7uou-;SNJ0XI+wxh#97zv1?3 z3osO^GQwS1_KJ;&=T=cpeZ9R15pPbT34b3*m-#b=Al`kT<@;r5Du&;}&7XREafHO* zekfA_Vl)X64^a64N#Tm2w|MjUCkL!70=Pq`T7j@LU*6!JN3b=AnBGt12EVvN>KoqY zS%+a+%DnyaCKV?-02M~OeN)Hv)KW(%!3G*k!P?-Ow@*k0DGLq#yxd$1yUc7GyZf9h zYzwSOSZ9iE@NfvSP%l696`Lz;dfvUf7J5?NKHZ@Y1=j5L)|y{Z(`atcvF1Sd|C00x zLR?Ht_J0c_I(uU?dpqqBz(c*DGb}4@;k4T%v@$LGZ>4;TgSG?>+0|nx92yt;O*K9 zUe4qOl^a>N8C#sI>}FUe<{bG6ZU~xo>-6ra&ksN-Xy9`5TUu8l4d_qzsy9u|;C<^u zp3rsPyB&s!p;7d!U&zGQ&r|YT`H>nZ;avQtb2B^GEYG=TmtJtaWoi~dg5k8oLc|y0 z;{s|N+7aR1T!ro}24zx3)QhOZ!S7j4Cd6ddmq3>A08K1z#HKdqA(ZqY5@{&f>lD!* z35&a%dV?Nup3|>kG3jPKa@U0G_Vqp`xVb6d1|od#-)50Du!spi0(nVC1_r?r2ZlDe zvGg_LEROT?KR)bjvdwn8D9$ieYh2p8r=-CtOn6ez^6jWp#*-C@U-VN$n&>bI!yXGc zWZ9>QfPXtiO7=C;do?={g1^+;P0HWdBsLFRZxj-j-ZL~NcFy#8Z=lX27}X}02!}*$r?1)Xy-nyhtI5PMcw0M4ibyz`prB{JyFDgg92;dKG;Vpf zIXt@?SFY9I4ztO&>bo+Z=?TKr{BZXR$Ml=L0R;)IvC_R-HYhs!xg_Mb6Ij%!+Wj2; z0!bX!+3Z&l{#jL)q^a`I)qoV<)To<7U%D$C_I%zN0`&Uf3w68!TXj6Kc9>Xq{-9!- zx}$$&WLMOy2=w*UufPV%iR04ff@ad@c+j(XN_V6uugs_yy(7mzSV!e1rpiM~gfVM$ zfS@_Y6ESIe3DsF#NIvt^sW}+rE2i8lIqF}(E^_aNWjeE^A=#ZGl5#&ho6O{)LflQ& zeii2!`%iYzZ-{>NJ6?lN0?A6{(&;R#FmwvS{Lo*d+BOq(C?In`uUg$fLMGE%Vp#Q^slK%FM;y%7-msL$(WjYYEGBn zB;!!c!eh0yH3i=fmDAWB_H(CFuOb^$9T>%d)>}d2pzJ{9F5!U`z9r!m^RQ9nOO^O;2HBb zP``N1?8`wh1hHlIou0&>OOmsxyM&D4w#q7kM^gzcKCE2GlTwxU5kXI&%2+72SG+DP zlkMb?`{@Pj#I|qnX-mb;3JMqceTDW*?+I5Pc$><2`aK z3egvsAg#R+)Q20Lp6Ebap%CVaEHLg{0xrrIjrGF8Vyj%C9g!AVv8X`e0HPQzYa4JP z^CoY2HsQlEzsYBC>*C1kg>pwfs_E!77>ac!w1ilZNMpFN7ETgZ|7Ink^{AlAKN|6f zl>R#x2~a3AZPpSRfQ9y2G^dMeHIU%K=#S~*vUVj<9Mi2glDL6&@;Ee*Tl}p>ZiCUBe|>1qhK%FZwG8rXoL> ztW3V#uaQ;kHdW6T`%?%pRa-d_pN{%Y6xXhEJ5pIP6goiIyEP@cSVCMa->FCqld$B5 zbP#?(FUsAc#)*x&Ji#0?@C9%t8Pv!_Emd2kO@G6|Vbann7w z;Hu|hifI8Wmhu)=nkc+4v5GJPy&gltD>Uzk}71>~shsB4dp^ASLG5+pDI z5BKh0?;+lQPE8->O%ERaIpR8arxAq!=YFn@d)(~?vA=_uis8qMmQoN>NQh_ElIxs_ z(9P8y)q_X1SCN7yg;h0^!{X+X@1IS*9{J zEV?Xc1BX{Gj0wr&a0cu^@%37#@1Krgky~xo`{nnYaC-YM1qLJ(>nRp(?$gU(&wHo5 z|2*z5_7wrZw;X-SOffI!eg#HQ4}KlRM!=rvbcY0#g2&bWV3uB`2FE8JjR4To{28M# zgc{wqksyQuS0ZhY!CnKA^REpQrnwhCZUNCTOt`@m>&!j8U_lgp(*%smp23B5W_r`k zo_1?4#FkkSXAx}O^(fmcQlpgzK^N!5MT#=&RR&Pa#3(*!P{>x8z@-G_r-DX^Q z)*Z0VdwCXrIyb?$wc(wDL->wv;WU zH4_tCYBco+oXWvtnKA_nQ)_sNFEd9+k~Cx_6c^DtljMbstYMbwoB?D)PM{GfbC&yfLtEk5k%~n-ATYw5y10O*?CNiw;x zjFL5GS53vZFLDHJS^!IMzG3@HFLYA4&+@A(FZd%G3MPglS#(Dt$|G9zcwwAmKTFiE z7{2{NAje87Bi*pdpQt;Us0~%)!Lpvd+MLJlg#D6K|^6Bcxqim%+oj%CB zZ{$02;_iNKSy)+??aa<1?t9cJFL2YgWX!{_(eE(qYZJq3UI1}kYi3KV`WJ0?UDu0- zimG}s9+n+h9r;;zj(b62yGo=mHOe;KM;uDME4d^e=w8Ai$0S0L#ANY&W_^Q@-dVgb zhGyiaLW)oyj#~oRIvoxKzPq+1Ra)&JEB}2QcZO_@Jua(%Rq zRJU&PycM(fVt_*Vc3<;>6mK7!FaRfPP>=a1~u?Jf55*a6tS2M0-QC5 z`L+ukq$6ZHfb6c1=p=HBZ_+Z!8(-5#LYC~R{LO~$7OoHe+YS8dGE6KvrIx4xt)8d@ zjZ&qq!1nWX1&Itt68a}1fzdch;TUSHdaVj-#3sr=25|gd@hK*ieRm?P^6|KT_DD3_ zi6z(`bPbb2`p86Q$Qv|ui;rRL9C*O(*It55y`n3;Z%2gpN&xCi@-Lq0_xL*^7Wot* zf*KM|;t=q;GkE<<+t(ZSSBOFa*x%`6l?2YR2~^hOP|pd(hY-i$1bz~|4~TW>WjK?^ z*kzljGgDi!hwT%b_9MgFH?JfOOmLunry>^oXu)wK@B_*p|9@p5PuqF5w){a`#_898230m2 zIi~^x!z4E@VK*bXN&x@2F}bP*%qqx_pUv_=X0D3~_{ouO2moDARCTP~q5O_5^E9M)|P_W9UX>IgM~GWD5zyKImoh1rc5W~8_y5Op4YOTTOx))b?xat$%uV# zm><{-=^gWCJefNs)8RP}xvqW9{o7v(Cocg1FYtlsSBe;WF3KZ6EZ`hlal$kmXJALz z^CGOh$lpi|;(%KihG^l`Mm%90Z0xKU&tWUZ-6& zrBU>>bR=O!%Te3Xsrl_Vm7>GNK z!4d!} zjy=W%56b_ZJbBShZkbqz77b4L*eb+hx|0@b7XgTD1nU2=Eb9~&SZGhH^%UN#)FLa# zrJ;cQ^K!>8$wkog;!=t3YJ?NVzF;0^a(qQyK)bQLu)m8d!!FI^WXq2#S`KtEbml(4 z&?9bY?*=v*y(&eKQVEMZ`3ZjoED@}r8$d_ zM7MPHU=FMLv)&~6q5^trxjDP2sQ#UfzVJa{m;GXgwrHF7mdQG{4g>AP^acg_-Jb9JDQFRR;$a6Yaol!iR3Rw;*_g(AFKF@O zIa#T+O^;M;?xQgpa*x<|b_nAK1`YrO&zcuuVc&QP=5%Qesx&yI8_8=bAl8fvi z8VZ11gLYf3hBKOhYY|23+^hZi9$cK@(nQ1Y!efwfo2|c1p0M8Gi6yC*z{v&4H62+Z z6&qmfVl*`8A;?IHS8<(`g&B64R)rU~v3Z1kT48#EC24FC!Ye|V5+Sj61qSf*fH?P< zI(3<7B|Y%sk7@J45*^`E!ZgK0Wf;T9m|Of6`p6wFX=Gr>+sBB_{wTlyYG^chQ#NmvDZ z7uV^qdm_Ws)_%ia!nXE6KLnVZ%Z*>?&cH)*;J=OWY$h?{6AqGq!X=kNq$Y!-lp!*R z_0b;|$s(%;iE|q(JQfaL3bbOKHyls7m_Qc9=do4clRsjGKO^E%M{>!+A#Xr+805(u z$9UfJObC8Kvg^75S3Ufj-B;w^6#G8B4=l(5)#g9{*Hctzr+LEgq2 zDH*Ra##B}SBP7v5y+gUtyDgj~sC-@xKdTDt5Q~_0C!X_he)Hw_>90y>b@$OWIbG}C zQUB##I%l4E?^7S4_Zfu+ZYU*z%$Cl<3_K+14x2AeOtIFGYLeM|HD{VZ=~|yC zk`^z+Jl~%2uUyGrdxTP9$X9!>sO7g*^#3lFKdz$cOMj~2KR-XJF!3Kp?P*FjY5m!pOOJGTV5A?i%5Xs9r+z#L#!Vz!2*ZkIVVQ_U%%51e z?rB6pH_x!eu8j6A`6aD2>aX21KrhG6r8=iFAnq8*Ba=|f#L|mfn-^*wSD^?Vj7BkS zTF-K*E^&K=lw6?7{8hnYWIv@RX8qJmE+Kln&FwSv!Zi8~2q;{iFucV68$kB{|Kk{c z9#|NN4Bf(4_9q#wANr^EMo)H%L`k0UB?Is`&?_k+-9(@l(zk#kHw1{JMx((9OW*Fd z>0gL!l5dOqf#(lt4u}QIn0%DqWyUzqIRu*Mwqc=s=ShfQ&Q^fMF~>pT9ijAOq!1ktkCVnxL&U$y(1R7h?E<8C zC&XRCa%O20ark$MsmR4f1Rw*-SdM=4eLG1UGQA?08 zV#2^^$8x#AsSOo!^=6t*!)U4!Km$aR>uR%_jLX{O)z`UD;A)?@Jj7*^8w?&PIFHv| z$QW%qC#tL~bQla6&Rs1G!sPM(nvqg6)WOB~zIieO#UtVR3;YRVUv$y#X3K0|XR9E_SMA-&ykdQYO2Zz$!;;*88vQuQ_ z3aROo>I&OR!%>GF0IC{wOq%!=uBO6VSjudo2AeVA|Max2e=~hr7_( z^R!~zh{*q{*JvS}d+{X!D1tI@bbPxrA2b&fMf;!8KVDe+_giVUR0YerF)k=3dbqaK z7jI(1{R*MQg1ITa=D*UnDsR+2+o1cqiPvLCfKPTogui)&QU|ma^$tLo#Hvf?#C^i= zCE8(A1QQ&1g1)}BTlm8Zgf)pR{M?Z|0G92|meo zfc69r=?_#GVFJ19iy}t2+lWGTzhj9u-ntqBnU!vTg#4fT>QZd6;-a6C8%44LKmhQ6 zr)=N8^t~?hEfqupnqYynP61IQV`8_&Wa#n<5?;nlEtcH9*O^y^ugD(^eF69QQ{ZwJIFgIdS9C$rTRTM}B6AEYO(wHfQ+Tho)&im~v=lq-Hdaf2<%5T<;7f9S>4zmYdcEASh`LNx zqwtl((QZG<>k1rYGiWQM^uTyd>+#4S#!3UGt(nYjdLQlIj$?1UL@K96He4qE#D>XN zxih(tStNwu#a)-zJh*@PFB?2{K4wdVeKju8ex>O$V6xk;rpHy#$2c;PbpUEAkGC+e zefW@t&oa!vJv;hJnZ^29me@Hw$gOwVl( zTW|Lw5i~iyHj<*4%a1HD+5t@SOx`sRW*J;_o2)Yg{p@ECv4ZMhi*304mwhnK{&0jm z?C$`p3@gGf+b(=Y z*(~MSAZO|Pg-z1c;CtDgNrZXxi=%6Yjc_Lt?F-K1_!K|_OB!PQ%K;07BBxdw20DkP z(WxZ38_`grw#;lzIS5$6T$n5b%Lq|%JDz0g(I=K%>{) zTDhp&ZmU1vzS2$+MJ(%yj+-&}LRnA}i z`H*ku56ToC&Z1y?2L><864o%0m`rS}ErF3f{G)ThBaE7b8Lv|6rT~bJxyRuW?;LlK zA8`mIF$cKE^~6wdaKYetV!!7)#`yS!8Php#rpk?Kv{(B`RO4i_S8J%wUiBFN^;GY! z+vZ*};E)^c9CC79GW>Lh*X-FXO3&UhOIWM1&pk*%vSYI`-|Z_;t0s#)p_i|9sA?mA zmMq~Z7m;4K-x#prUcN!aY0pB{F0b0YUS-o;m%LTPIN_x!ie|0Ft8^uzU`YoD znx^fhwoT3F0XKd88e+Vl>)Us>K&-2q{3iLg-KMN6D^+f>5xzO;B1P^^^rk@`E2v5z zdBuIB*wM1{T`Z~n7Qsr_YTLrcy~ok3A+$jdktcgHj#T4Q*P%2G@O!ShTG_8L8BG$P12=b&ReK>(xt@ctKg z_G`)!D>%6w^T@}m+AUB%E8UwZ1igj%`*9yDNZ9pS(9CJ)kl2?tO$!^q5E+_K#%OiIZQgkhr$j3Kqj#Sc|`u(C{u| zh&~Ml=C`i%|0(P(pz2zZaAAT3ch}(V?gR+#?iM__I|m5vaBvMS!AWp;cXzko1PS_1 zGWX70X5Rn5X0i5RQ&ru&ySlnh?W(U2pkntOcf&sYIPpW`OW}LADw5dCu8^RNF6yaT zQxQA5RvIiVJiPVU)`%@#>fR}#4Ts7iehnpTw&~Vccg9gAP zK?YptqgXqjWN&i1w*TlG!lxD}hicZ4C#xjOag;C7QVB~cVB~&BFgoLVNOa_=are-j z{q3gR577A1UMxe{Py2C(4|L9KFDa^0izViV_cM;nEpp8|-;k%u$m4}bVkHY*Q6K$p z-n58rOF8uIP4;7qY4hA1a{$v42*KJl5C&fo@LS)!!Kfx3Duz&T6l^(=c7F!qJ zl7P(06S`(|2V+7Vk|vuvOS$f$YLjqAcBGM7wh#E3XzqnWEv6vdzNJc&!YC+Vg8iB4 z28E$OB40z>PQVEQO>vzp*-!?OEkY@&8%IYxTu(e&ub|F;HmGgGe<`HmBRCKMsZ~~J zf%!hgR~a^cV2`?jB+BxWG@EU#e|y|^EVoDz88NtddJdMPMs8~JN;SmkeUK67KCiqx z?L#!r_YQO2eu67TuaDpT;7{ip50)ANZ!Pu3LfZ_Jy5NcBuNuhjcj)71kj7zD;!r+h zx4fN%GIxN^%^uq_rtxF4cvg-leEF9<<=?N~ztMixmIJMDXCQB`_@B)%<17WBK;;ht zkbv7mwPL;Ua7Z|5sG5Z^mOD#fV6mKR+DuG-;B5}!(S~dCh;104_oX9(Ddo=4`{o_) z#rD|g+s|TFTcZ18E1=LhFL`qzz{@#m2PG$bl@g8N2tCgV$FKmt3}vfzo|$oPA1z6H zfj6cNI_vPPo=6?4GlfxZ0l@p0_ryBTQ{vbogQh+p`rI{0eJ_Kuc9ISgZ4aL`K~5;a zx0uw0d^t|tw-WUyauAl%7g+h}+X7p6QUnUnsSQv~`#0YXJf}|FhfJ*v?)0Xw3np@A z5>XRe0#?Hm`1__Df4nDvok#Z_my5mLl>I))(P@+q4(L9>1<%m4s{zzhEUizY!B$+Hmf9-^!4&lb`FdOBeXKk-0rJ>UqJn`5{874qFap4+<{`*uhw;+NIhsHH zMkbC{%;Cd9yt97*pSqP;**CFrEILMn!C0hxHW#z00Q}SD&~Qm5dr=2$e&w zOb+^JEeDZJQX&A>fH$zgkzxz@c=1XRUcaW3HinA(>>}PhuRFuOqi%h?@fFY|-QubmI}sjC@EoI^wdd z%Uh11nlhk4xuJle=S3`05M98$AgBThqatPTkChxE&~S2r9Y_CODZ&H+nHKSb_f57M z;heH%T}_QuEoa&Hd_A(+DN}C7)x=voDHW$_P8NOsUC)A-%&8F*8ACVxS{=)j;AKkt zFTTP0bf+bNt?1O$3q&9A93(p7xy)W_fy2(ICZDf$EMl>xjC2(R_w36XXJ9yv&VPzb4`D#?bf2Fh=pD-tS%`U zu3AS2nKcXCt0$|XYHAA^r`7_Sygu*k(9@LLHFUE9qNziadA&+TWO#;jhY2T6z6+O7 zi|TW;WqTX~u}_HU$XkewLISa&d>>x+bsdgP_4Sji^@fI7^|d{;#)jc4x-IRALvFP# z`6>+T>2p9m;`OUhB}bkxn= z5HCXogl1}I%A%Dm;mv<8W<;(?S9Y$v*HbRn*_tVVm2p#@c2v_?&i$HJVisSYs;$E4 zF>kw4)-P3?d;#~hUZ(Tw0z*~Js_JzoiJMN6Ea4=9%RpUlRA81OmsTB~P|$%HY$eUY zXC)}T1Jx>QD~y(C4zx9thWz6CX2kv+-OH;WfGm=BXG?(noX0zdlj^Y#N>C3Mg@N@L zEm3Y5EfK45NE-rBXHMixP17{M=ZZ!ji3JtUNpxON1+#Ws+I2C!yO3Tm zvZd~H-!rK5!y#=}brhH{phIaFX^jFy_b~i8MvEC>*vIk+Khg; z2H@TG!fS&L5-T4)Bbc$bL{uq*<~V9k#!eys(OigyftU;q@lihq6p^OVlu@e(!T6!ButbuAm^>jy**UCv7olEYCQ1B#y${SE)aSYQn*+&+eD<^>x zHb!Om%P2+yzZ{0+Rri0k7%}9NPP@2@_l?vj(7p%{JF6nIEXf?io3Q zheob59<6wjd;65s0$h45PD!>jkF=CT*ZkbEmuw+xj0G*h_wfYrT$MpsGCrkhoX0^Yz zoKz!36??I>413KnVDwKm;S&9RI>Y9FpBj^ld%r}rxDbddAK(~C`i86%87f=fVrLnp zQ@+YhLWxUQZ9Q%u%b7d^9D-Gc&#OE9j_gnD3_>?SQFj{{0#C8iFnE zy>L4e^mP?gK!?DVL}X}omCR$L(gl2Lyl=O|1)nb(U_-;9>q;ZRyC&kYE`3Wke0!&n zXh?Nz9NiyzxeCI{K_wOn9wj<+hiZP5N{MkZsa?qlE!>T}9Zl7u{_Q4U>4PlIBC&*V zl-!l51PPJ?>;hdDxQ(DX=dQ^L7DiNL+ZPLyGWc-uz7ze)^OARNv5{zHw|8q{l;em- zJsV%*PBkWc9YSA9?I+~dTSwYhMWjxN5udqwI%`RO3B6tb$$Q#z3qZTBpP)sMALP}u zb2MiHF2srfFmY)^V`M)pLewC}krcy@h2T)788UZjV9$-DonqPXF`hEY$Y!gGZUH?l}1rRI|pV4g!SxG{|kzc+ZtWtrY~Nxk}r zJzaOkDv24QeUL1cBHVEvEy*oAC;kLFR>wG0Et7YbEgwNcdlXTnZ3~|>GoykheMNtJ zO4-vL=W0zm;dH=h*o9#dCU&?6RsH(}UqnTgs&vz!kZnr76jOtQQq6Za?{sV%M!a4% zh4^JrNS`xcbOoV@(j zIfIosh6MtX9;YEx=IyB=f3#TeujiytqkHlvQ$UJ<2LvvqXZ>fRBb;tnyv(YVC#b0> zOS{EFIF+F+cOB<;%<@7S{$N=qbCZLU#Qa-40jW=TZ_~uX_t1I><hB-zyYlq=8bZ#>awd|S5gD=eOV81DNH>WLg4~-NRjmV{GWXOh> zQGgUwA;ES?PBx#TY+cTvYc#Gdq7tS7vQonKkC&6_M81ar$cLlt$PVU?0%4T~ED@r3 zQ+A65qJ^;>lQcq1S5E6GyO#Kh?O=n+1n#rcf;4~F9t&;?9F}V+IwQ!V2emHDDJl%& z%)9^cjj2M)2$q6$xCf-e|JuYoC%pyw%wYk_)s}6i|D-58Y&DQ4aOw_GB@@iFZu6?1ktGAhxmFU!WpRH6eU-G?u+2d2YyEqn;bSDojE zzb@cJO=e4!YNQSqEI7Uvy7zrWyhKPK_{>GCt2uR(iJHnNdOuia&T}(_gx#jSxJ}gi z-DR1x_tWR*3aN&m4tl57)B`;gIlyz>r+A7MAB1kjwx8kcdqHpOe+1P~(KolTKWC7P zi0M(TVCE-r-vk@KLm`hQ_iD%1v+t9bJ}!!?zD}`wz*HWVm%-Ufqlj{zKeQ|YHLzm8?^`Y6eK*CEE9G zE%w(gqT#W)*;80h2_6KLlm|2;7u9SAd>HU*$^?R37uB=K>?-c)$jn$QZbrB~$)ARjgg^|lP3#MK^$ zILVxWLEVQ!co>N=kx^C6z6%%#5pARH?Yt!9pA^laX52#S#bqShzB>L=8AW@PjY?T6 zsJ+PbVV$HE+EhiGRV1~4jjS=`uF$UZ-Lf4WhuUCAA&T)dVNl7Kc#8-Js@&gY}wA_?vI@Dh;lPqGP+~sWKj(K_!3;*RaOQF~pX$GlvDM+ok z{(LuiPQnJL+9*sbV)&lUO)BvcRKm6SA*{lEW_^zm4#PM}uhn4^+!JHUUYlBht>@((cDzN|4_v!iCt+wX%bCeAEJkeHLREIhm%e{-jXDh zMlUPkSNIy@ep+Q!>*92I@GJ5tZ_e73H`txP>G3pF%GC(6g6WcEAj(kL%Bm6J!NBh`og6c8eU6bU4mmoZ!-ijX3c{HweOZzl=3=;3DB#+Hua=ro9<^+A*)AC56IzP%%~Ba2`1ro> zZC2QqRP9!y`EHTA@o|e=sIhGH3*A1fI?MA404U3ij?+}@HZuGKx6b^2uX-}oi}Wpt zF#;0~<#uVG!!|;}3(-?M5|(SUQG?D8i}3CK0PT6^M`l=`2neVG8-!26m3m%Du|Y=p z0_~=gSt3p3qk@U8iYIkzJ{#->POO#Q0+U6vhf1{0)usncc{1UQ@87@*I+`HH7sQ*8 z160_|CB4Zh{7F1-?WrDujiz={{7_d&2HhiaH;_Lhkv6h=h41hL)*mC3C>%8UHK-ih zm&5N%IyJl5%5n!eJEoSulOlbNCb@y|xM3S;B4Cx!YIMcE4ah9p5VYiH4S`PivcOMh z9nVhEEZ6LXb7GsQ9*Uisx(NRh^AG^{OM54c%&f~q>v@MXo+Cc2Sg_2?M_jaHS6(Hh zk4#%(%fW9v4@DBHUP@kRl$Ba}hWqg6aN(dz5C5WN{4mZ7;_KbVj+tmm5eQcz59Au= z{!7K*0_EmW0g3VJ()hv{eeJbcwM~V1FYL2*bH#7+Fy^K0r1KRa3WB}_Niw#ilXvsh zq$Vzg-NE?~R6;V{gZUIsv8DTk2C+9|ucy|o{~{dAczW93#P%bb5y7ZJ?dliz8wFDn zxzMyU6+(x*Zbj;}EA)}lw5DND2>D#WzMq?JZ`PQ21Nbn7D&Ba-eYh->h?+E3Q7(Or zY{Y80q^|j_dSCIKee{D#s>yJ_`ll^w&fM&Q;^gAuRHU~ew|d!1dMCK~!kUsCA$?gx zIuE@)Z|Y#K6z&P;ZYlG!MY>hlthi&B(BzNG=^V&%KOAs>(#dmPNl9x!k$I3aiBWAE ziD*I9&<9XW4S_8OuHKuRhXm_mc*gKFPlu#qSNenCXWE10A$wtCZQonuCsYrHoZ?!r_%8S`Tzhfc?52F=;4R@GQw) zHk*8vn-#%c2(UzRI5oq7jk6QQdeMWeYtnlC_xrERrxRaw(q zkxqEl2uIV^$K152?J&^pu5dq8)_=6sg{Voy4tLglI0`3HEwu_(^ay_4tt-4gZy-m- ziU-C@onc39yxMyFJFRf**i)(GMOsK4`ks8B%A3P9bRnm_;C>-MN)`M?ur~XRbivFk!OUbL2)gh4-eY|h;b&*|LttS_M4&f}Gui>H6!BGPxQIZ+ zRGDn>_Tk|07<8rpg8LB)oG#1;9=i=zS6q+p5)KEfa=nlbEB3`6uBrEo2wI)C8G>_= zfDA1~bmRDl{gr5|@<=v?>Z3DL7q%am<;R)i6f|;Nm6UW?7`Z%;tOpCY-&=c(+e;#}}o9Sfir6MmP^6zCI?6%mdbJs0s ze`|VKF8+>^@>DFsPwcC`Y#KDPYs^LCFoO_UpgN;u6_4{aq5$js2uw1xGDz{PjHG4QSlbpzzt zattW1v0qy$b76;?1dvXCi_Y9Cuf43magmIY0_O~$6$K0e#`sZu*t6gAWPd~1vOUr#e|2@Uixj@t&3T^ zx7Q152dTRAPh;^AMr=e6kT$E14DQASdo;?;%~XBK>50{?*W&}F1NPcr(+nU&V3Q3iR2HA9lJLG(l8VPcV9{Fn@frJi>d+`Q5p(84*VyHeSBUa>SXk8 z=5T6=5vUFORRuK(8SVOp15fa2IqkMwdZ=~zNIw7{r{Qe+K|r>ix5xOZpp6nkyOGVZ z<2PB2W)F`6KmP=O3VJK|k*Yl%pqw2?_`LdR(FpB-Vl zTEPGkNc||~QmH#|Q#<&CV77*V^uWuW5FybV{wg*8klZ%^!nUAN>yanC^5R96gS;bL zw3bW(;3*B-rw51`>|=017-- zx_9Ix-J4pJTl?rIawai`&&Jz~jPbg~6-Fat#wlEjAix1cCG(=(`6npNk+joT{emZfR(0&DVV&J^IYYdH#yM=_F> zJ!_IZYux=p9JDz4gu3MF(g)7dZOT$OHLSPEIF}g^nRfqs@wOk;L|g^wiWLYqO6ZTS z=;RXvhLzEkPz2oKrMj5k!=PLQg;Gnw1STUxR>w|F(ZZFBXjL_nt2j8bipo(AG2JmS z=7&op!V7gI;v2wo*{&QgX}T&DiUcZ>Fs?YSFV~MBwiVe?o&nl@pbg>bIeKDeCxWXv zwWDeWt5Y{VOGPOc<~88;a=iI|EHxgw75x4IKz5jf=#~fpeh;zCxk4e6G%T)V=)LF= z(U?mIpAK3;RxGmWmfB$8M%Uan&X9p zO;5VMr1}9zh5V`VF)62Gh$TM68JkoVN-OUV@{8$7oeI|K8?%5E{i|asK-bV5WV#fm zigh7WumX6YRXHyvm)#1R$IT!a&$hP&fKcGT)Ja7GdyBUzZXzc~r61*OZpt)EjE>So zde+l^5ef4w#xmH&d7OimZ9fFs3!lFy?)(fE?Rt z{{Zqua@F_VfwY3c=-HDLZC^CJdue!wRbeM$*!&dKHOr43;~Y+AaZbvfj)@lKFiORjiT zvRCXyJRsZceeHW5UDB*YlJBl4O90V?49|{YmWaDB*Nd+e1@4K7lvAHK{j4%E$bC?U zBhC76Na~PXt~>k3Rh>TR_1g1H@C4KOkFiAF@m|pev0u=#zca%ZgZ@Pl{tX>SwAVh2 zn^DNf#G;jvJ&I5f^8LRYq9}O+&{$|-VAh~CCCc9pQQ&OsyT8u)$kehl)a{LXmQG9M z^7O1TU91r>wBCgHk;GD0wW}fshAYFFR2_#rqUjkgPBb2xidx4l($Iw(jS_8$4(@Ll z0vXU~0`I>l*U*JFaEi7tT4S{MS-=mG#2T!>-}h-PeRAXgH|$Z-O~FmgMa^Y)epaE9 z(CY@pPYZCVO2m6n{pneQqkX;_E8F7kGZK^F2>LFc6RaX-r}!F(WwM#LS3L_f~pY)_tXi~G}-N;}8w9i~`Tv|jE5g~2FJ zDQ=FL_`NBHOB{H6SlVT#BoU8h zI$yWnk>cDYbtf6lQ;c?2I?s{zt)^Z)spZR~Z7ulB;KU+nicY+^+W3`nIIWxI8`vU_W7t zjjTMrDPH3j*Eb?)>azRS%RA}y@(s;m))vnkz~BdP7%Bdk22i<)S9 zvgJa9c=f5D<`Hj=`rFH3F6rFVq$2TVL0l;u!4 zTyJ7qMw2le12?u=En;?)viP zayi1WKw*4_@9HzIHb(*DEdYOLNJeUvEUjbPIBkMLB?GE}< zR{Zc0SIWfKJ5N3o`!kHe_VG1DQ8EO73%A_xYEV$*$2dlc@BGG+F9%p^{OnvDT(3JC zJ0E4`Qq;i5v1lu)>579ES4^Vk$bw4oaE=fL+s#~5GZh=?3{M-f!qR%KimxZKP+qp; zyxGOD8+@G5K+>GwA1kxVD$1Bl2SZ2^v0Z@F+f~Xc+D4*5n`?*Xn5Zk~{%vlyM!VOh zAxJHfO{1}(G}0matuA2j$XbjZD+<>!O4;*q;~Pwnj#?kgNt1d7+m4Q7D+w31#0s?r zjw8@}IW~Rwlc;UyN$?77J?xP-Dz=(cYZvesEgsp;#TXpXHmX~b6lDN*1e6yBD;qg&IAY6Z z0JBNGE|VXL*N(nu8`G_YW41rnE_Copc5fEAl_-(o=3XjMHql@xFa8_EUpczg1D`KZ zZc}XuCu4BLF19}Q8V+>R_VzUzXHt4$J_)KrT2i1?mkHpQ!7jFbcKcY`VrpreuFr4m z=`HR+txtf^KVk^5QgEO|jp%o}hgMANHf~s-vpUK%NYZTXT(0-ksxtjZeq;A-rO$v-jILZQdYHPX5miE}9#VYF|o!^fwEoH`e&zm<~-K z*XF!SFVbnoM4AgQm8agla=_iA7#9&p<_)+Ichcy(ujup~Mz8jbWT0`O(}s72^r|aK zwx^HtPQXlTNcfCD>-D^KYRH`>7RwKdHiPUqVPM+^=v%HY5Y05!Z}HMu37gH0_nb#_ z4TRfgN9SxxIZx)-(QCJgbmml%uWPd#A?V}d{ed0;TGY~-XFe~90*_`L=9<$BbvBF( zatuqBC%so&uQHdZeJea&?*r6>(YSO?v%kRP;Q&a}JRg%9N(F0HWvjAq6%FdGa;i$~ zhp;(8(N|$ebh3wjj~4kXcv3`${$i=@#z9j|^?Jg?mbTUVSPP9Uskrs$mvz#*6i|j2V+OcxVo~oOfhfLxZOf z@^vYpde+4Th8#k!yVmxL?8HGtAPVmyREBc_npW+6Y^p3CSA1Ka5WD(w2nlaA0{ugr z?qQMN3>+HZQ8rPWzNhzC?pnQw-sz3od?K6dthP*v?5=O!E`~ zlt7;C1#(n61(?$?%oo&FQYpdmR`4~|O1oGaNd^AEjk=v&2jmAZz z4>CZSEm=Bxz?*GrQVBo2lRlz~_2KG}r`uosT>O}M6DwR6 z9|e2e@8jlIkXsv%Eq8vB7}$gLy@|9q=pWdtf#dO0irV#|-hl5yKmTd;&9J_uLOdv- zy(>lA&a`7WqPlsv+ONK<7<=0_@5{UGbj%-teLjxwiXd9KExF`LO*>?^fL<)sa{%n~ z>n#j4UHJehEMc_{ovJEqpp`eLDJo4kW;xab_~UNlz?MLwtU1s!yw|x@?8gOfJ_i2z zy|ObfyJtp#n)I4o`ApbXsPKwf-pik!y!4u;7NSjXWFV)xk48(-TtbGgWp|)rmR@=^ zr=_&!9R-G}w&q-fqnPem1l+7b8Q>cFv9)+5s>@Hvl2NTw?o(6gqz+Icp-5N#iFj{{ z_F35#bN(om)I}mc3r%a*-6rdp?|Dm*zK}7#qN279c{*fD2K8_*Zq$0k&DzYANxpKy zPAoLMh)SvRhF{hYO;!y3s0xYBL2&sR<|9PiHu%pkxEdeHrVY`JZPi6s_J^Q}p+vWK=Fx;TJ*2A?Us!Idt;JC!C019n;@&w~MIi@7h-n{FzINI$-wijA% zX2u02YY+%TD$Qkxk0N*_HUSo#@!Zk_pf6CI!;D#cKSc9?`aY_C?X=Est{SdEb4cRo zeQ_QUree4`VJX?KsGa1(a^&k4aaD&@t|{kv2Wkx zc7~Q;fHC!aY|-W?#D^He=wO!KTJuPu0JP}n+^q6oJ&EE;BYNHui$?%j(H=o?O!qhX zdjBKX=y}81xLm@gRNR4AJ)}= z8byDpo_b3XS?SDNEKUMY5n~!#aeMq+D5G$F4j!KsL2pfM?quPk=7?3 zkE_v-BCwvvyjS%i>PYZgN6fgl#|k>>-tphf?HumEeft<>{;r2-C5U#0u9}H#J-!uM zdsAB89o*whEAl>IkM=$_62_&wOqrAJ#G4k6{)Dn5E-zDkN3BEM2L+Kszc1vYCBev4 z;zzCWmWdD!tmf~(1~G&7J+k_j_H@5bkXsz}^5U^ql3I@cVlN1_Xl%3pY?HwCxn*%% z@*8f<`UrQ+Mwlvs{?LH(K|;SfEc3JsE=6tCJFApz;XU&}z~Ofwt|OPzj&I*8N#CL! zuE9&>{`s4%{{9S}5ksEf?1*Rs6d8jA@D}pgiyHb)x*CK^X+B>XzKgV#;Q3vO7Lv*> zIgdbjaaL$I<>u^d?8r4_W<(}Oju@}ZfMoh6j{L=8f^&y= z-6E1v&AOq`V_~2*cV*xnOZ2ZMHh6J`yZ25BDgepJ&G@`+<{vA z-)qEo)5`}dRni_ASVq@2&$!Kp4-^LPygXG*=Mix{2)@g^wiXywBpS9GY5TjkfZuOG zA#%*!*+d+`V4;a3Z<~1sGG%v$+KZ_3!BU;5cC{9UY<9 zsAT!{t@Znw3Z>z);^Xs23>o-W+V7Uu2wF>5rZcaWqbATJhI7HTQ_5Qr zdx&oDzH77x>n_FMp70e~+sd+2nRJ6;YTspeQs}953o~!;Mq8_sxnTPC@`RD4R)zN{ zG3Ak{56JhK7pYE+{2D?(qAlHaOV5`SdzJK)Z!i~--FkTk=^p*@Td)}q_^2azX5Ed< zko0=t>TM-z%8uR7lp}Sp)JP>y(l4; zVL|g~fbh<*cn>db7dYcdqg7h{is-6K$yM4A<@zC#ef7pf^O8#jj}VLgje5ptvSKqo zc|kyAi9v@KhL}1#8+j4d-No4*^1fMxStXKuBlqoOS$${5H@?MT>-{m4XNAXPcqjRr z?yk&V?RsuWM#m!q57{&5mSNw)A>sJEsxz_u&EN4iDj0n-x+8YwhjKdCDe;rIY@lH5 z*Cfq&oFM%LqXcgyfvR9sqSk}9iEf#aEEf={UU}G`j4IMSxIyd>&@A|U8WMri5`zz~d1MT5O`*L+y)y*Nk%UFimcay!K8 z0D3AZYX}blesQD&*rdj+yuCLSpCuz_=GaH$v2{)zhku!*#Ozp?N2~fy(0GB}BVT*l z;R|F9=*#$`WTHP_S#qO>D*1OxJCn_MYFl_*)NZXc1_1W_e3w-J7l zFQXO0?HDagWIBzg`}lcbgv>s|51I>EVdp8`iQ3wxL{uvct$q73vOwX{RJd;~J0q~- z!rsjZQySB&wQg5LOh5cuQ)t{5<~F9)Ib>$)+^fHQDd(L@^rl(qCb}WJbyH9Tv>W%$ zVP_dO93t6va8b?bX9VC4>|EpW;dtf8G<=f8ZM{1#QM`>AUL=Dv0M^gElXeVm#E zb!a5UiT9-Xgc1n!g#{>wn?%f|!kttN_f2^$+}kT?Un`w#x$gRBy{!^cLTMR?zSX3R zT^g24J(>cafOtTI4Sl`x(jsalz#`v)Eu904eEp-F@tmvz-mrMxN~+CT9~@d1ave;| z`h)D*#JDYKDaPu}Ln)8Vf&`abf<=iZt+}*Ylw$;#>p@Avhm6@;F=P09t%^?5eGkGD znLwc*MqV$MFG5|j84lXKm0!)kJ-$rO4@7Ex!-_PY)ht@j8%ag8C^g; z-)OZq+qx8NIPbxfV1tch0syuEULkY25yC$EBb~JB%NPv_E?s3khX#_i=qbwGUt#Kb8moXeix$n>BfkR52H?(@oHv=gOFv z!0MxHnI75qF4>qzMg5!Fwc?;+q|{iZr6b*KRS5)7V=>V-Qrx%bDs#ZFN>L-+^sjFV zN(IH*wL~7F8OtHt-#5PFDIkmN%UMZL^?i}(7JOPG#y`Ul$mVh^iHg$@=&JKA3B(@B zC^!G`vz&+p23)7bj2c1#p0}x$(<5k6QQ*8GyH=VzOFGK579(S-zx$EZW+mSQ{Lt`L7@dZ@q z$x2RDnNla*34jykM0en6Kc(pCz04oo^KqHPc3%nw^jT49ls~os?DA&D#xF7vehELL zF9hKp2S*9GVX`k-&pD|Ka?K@I2a!_LjmvmU0}&X-0EBh?FowRbwhkU4)8Q~ zH@Aei3;952nml%vbQA*8P_{k?MUJyPn&{PodyqxJbu8amp$fv{Q*!| z>k^$GmRex?QGjhkj*^4zFlQ8x=^iVL%z|lL*0!DR9*{<(3^0&>PvCWdN=Z!pNC)&u z6B2e!xnXk;f0k%?Krl;9h=PRq%ER@h{Cr(hRjf#)>5Q~6cURB3Arg=vo-xn3O;vnx zv6gYr9JG+}CEc0-xcfV6C8{Oy&=$*~WqNJSu>spQE=5K_(K-a@F(RMv0`S)V2`9?| zc*}YAMwp@V2B6NaY+e$lU5IY|MWTWjr=hOt+3w}Lqx=&2SMvpwS`&|GG2R%Wd%Ec8 zxIuYda-^TbBZ(OYy|s7lYB}(uRJvIlcV{9L{mqa>_ zr%68}@|}IL5?msTHC>~k{l)3|9FHNklZ+%`noo0+FAVs_pQ%UBr*o3qtpdTP`?E}; z2`ktUTfmxIP>VRcd);pb9VT3VX@zGodgdO%xM6mk zZU&SJC8dlJnBSGBlM8=5bBdhfc?kEqF*L9|Px?x$ucYQ&06>I&H;b5?)_8CgcJVNd zzZ=Ozal=n_4DY-z)+VCAC9}QjIOpnwBy^OtV7NFbe5fxbET*XltE32*WHQkB7shaH zSQi<@8@Tu-+}gh0CJ=&Dt$+X28+5pTCqOr~E+{0B>E8mu!1DbG-vHmhVFDH3V6c<3FdADMIXV3| zv*jE5ukS!nI^>{UWq8F*2Jsg&-v88Sq4eyN3nHEZ{gS<6ih=<#5&nPHRscaN#Ruw@ z1<+RRPyhbKobPWB`d#4p3w-`>Pt^kbW}) zTcL4*Oe0YLCaph#nJ2G)nPL`q<+@dJj-gKrrY@U-xMa%^!Ne=(~T? zry6r|6@hdQ5ep2A_LY27`oHMk0yjpnKw1UdWW)uv;$J1-UzHP>!-WMzVnX_#G2*et z*iwf9H3GC_CjFZObj|k{f;A#y2OCubvT zYf%eRW2^tWM(wzQ+vkC%1S3cQ@vDl{ML;r0f$L*Xzn^4pj0Du<-Wq?Nka!&RpFQ&G z^t4wpsI`Heilo40d7S@g{Hyc3UNOPzf|#iPhavEvXOO&N2sZxHDyj+6f41sBApZZ| zJ4qIQ=>G-lkMmESf5W4LdW8B_9dTBF@!#-(SHUM2ia?wI=`fG&6Mgr|N?F054JrfWRq&-^x%u^}B*3-#_>Gr!f9m z$t#S&SC!lV{?JQJzfzu87*Vh2`GbM}(@g)A{U1Q4|9$|f5Rhy#5IhqeaDC>LUHLb# z49JMRHV4Due|TI0X#b;Y|AF)PSJv3y?aKFWivs4%i2k!tuk!l;CInsc{W0SIRKPe( z`%n5;DcP^+dlUZ9=gyM+lm5Rm*#2h8_dienLytH|{7?E<*+PF4|7p)z7Kok(lsNRt zUcO4hct!s+=MVkC9Oggezlv#pMGsj3qUZge&iqfv^nZ`Qo1#Az;A9{G+vi`6+N+S% zSCu@K{EH|1f0x!*p@6TLj>~|XIqd(_vRCn7uNdA}f@&cH>f{ss57U1K(EQDp@9$Xy zVj^YzzZ=?DK9Rq9K-YZ#nI7PmE>a*U1>yJHDqQ?Mw>C#W_Za`4jPXmq??FufDVBtP z)A;xQb8aq90;87R|8t1`z0(58{|#3BcggoJn+949lKd?fw5gH%z4!XNUWuQQ-4j33G=;sKuXo=4J{_Fn$4kLCG delta 48256 zcmY(KV{jlr8?Ce9#YA5-<#)J#`*Ro8i^ z&vRyA8tk?O3_?)`3>+;{$rU{w2Ne|!1myd75D*X{kRHr23E_X0M!cXLy76d#bH*t) z&MEe-)2-7tkpJ@zBKW^Y?42wa!T#^P_%-xz{~0h5{2M;z{~eKpQ;wD$0tAE+1_XpY zG2a9uQT`hmz+hr)vZHnh9O6p4s;<-~DDrUpoUlZTYh^n|Inb#y9ZniVtmDHfb(Th!dtVlw zI|D?(8)O&6?>k8li_oRG_Hb6zE0LEYdziBaR~UpTFzCeposa>%J}lDMvlvW^xP8%| z96Qx43ZfpncDxN`(58(>WGn1PirFD|9Oj=kO&DWpH$(F8@GGXe*S{EAiizC%;*6NV zV=P0=6_{R(Z^a;~&5pSSj+@MHUZt(lbxxMdvdQwB(p4VCmgWb&<*3$ZwbO}n*sF~j zEXzH!0ZM!A^K+Wkgb}#~hK&d2Qfu*Hb^1)5M7X~VtITjiDf26fxYo)V(Z}vYmj2@? zEJp_)Gqc!JW?1FsBbVzEQz4F$TsA{~L9Oy`VylzS(z0wJ-GOU`su0VaRkQJ-dfSoV zRV>@ws%(_%Y}S5x3Y#cGiuMCHhh(2QHoK(=v%KPBlvcfy&pH>DmBxCILxCY8Bs$&@ zz!YMqK$I#}zCu+eC}|6Uz8UAJ(nr6keiNekv@3^gPwjzwP33`kjm&P{6r{5fqz{(O zdDI!Hi`E&7`280Z0kSS+6 zGp!fDb())MX-vK6qW+!|rq1F$HlMF8aRqh`XRQ);(^13?68^Rhfjrd<#!mQRw*}VU z+|~r6_r$lbPMz;Rt=X{6|pOXdnBzaK~8X_q;a9a-Qc9=lb!a@Sz}gI| zZJL6Dj_^OCu=vV#n1t0`(yoYk(oKWo>)CA6dJqlN-|&@}IrM{jA_R{KfI}MYK26&N-|4KV*UljZzM zWR4m2h<{L#Uxs5;B6}NOwEW6!fSJ9Y^nEaw5ZPF+>xvlNTn(h&Aug9#edz+n`=O6!9M}l#Qn_XSR1#D zoPfz-}=i6t7_RTu#nA{scW)En-8N=)yVO` zKIzrLkrD!#=Ixqp^u2`F=i4yEZx@P_wB*wM`WM~*I^E^jA_~ID$7B{3c==(A_p{9I zY!~c*&k*&$?PbNuv>Oo=1Vr#(17ZDNQ-n^WS-}F5RrKspgwXiFl7`Hz9M$TUrR{9= zDjF7REq_pen-~krCR(E|lv2wYPPv7`1tuAo?k9GyilYL*1jap}%21@Ww?f<9|8PA| zw>w(^f8UG(y0t14R(SELL4r#+&P}AW&r$obVwjhUE7%lYUha5H%!8|yJ zv}pjFW|E7hDnIBJ10_5E;9tT%hFpiDIbJmM4d~T?HWEUi{>FEK-cY}DP`o;833Hj< z)uw?wQA2}PgY|5s4O6L+S-R7S;1Jn+M!$9mx-%H{LzCXt70}D;uUkd&%A9{!W}~bV z6o<3Xum76^?D~;431q6)JEVSttK3evuvY_Q59$Y)MfUJW0=r1PD~R8?s5L zrqX+tj?ZEm8crOm{dYRAa_F1L`lOhY@%gub5RKeCOLWm{>06huy)n3bffDml6Eb07 zLOZjvLODy6taD#Knpof#!bY)R8pj#2VMAMGalffKShg&C+nES0ye` zmNs^V=OkO(s^F>R1YG1{?WoqEi-9KEBjPVehD6sfnZhucI>%(XhVq^Ny?6e*buOTf zZJQB5Kw|L|^N=ZlY%OR*v=z_4epbya+R;Ipj`UcXaI3aHM~5LaoL;{N$e81US#sZDm?O=+;&-LrAEPWK4eyo87+Udn&iBS?7V)TZ8b&X zA9>p&UPyowas-zXvDst`C zK4_9OvbRtUqHrp*Dm3uW;B{aI?8OlV^=MMf=S#EV4Me}dlx@cQe}NZICy9m7sjJAy zYFUpngI#lwp~W3F^e5>omeay(nT=Yj^p{jI9jXH=%aF5-7qVLR<96qp8_8skCAL3` z`;x>}GGwjTi-(fbU3>9EY*|eciQQp{>bMUaN3O!w#)=Zrz`eHyU&pqn?H9wn=Y%$7 z+5$4Ry9eIipTtQJUGPq?xya(=gU9pT6;QWPBpQZwO|1DP`T-IPqovE-Ne+ggXbGd+Abv0gk7 zSC98$Y#IseEVwbyKKS9p(%pHqIPPA`CZz!WbD1x9iK`Ucdc8>tuG+z6(F|_%{37iM zYB~wUaq=aU(sOl%K%2sxmM@V>~Y3qLSlbT{WZBprPWfJ#pc*Pr6Oz zn;uyoBPz{gG)qW^e&%fM);2Msm*l2}tV1EbiLF|o{OeA19F=aY(wXxpx|A1ZtA3#LGK{qJs;JTIe)}a)K6v9?CP=eYx*4L~e0ZaH~4iFUNH%0;uOiN;)svxvFh z3=fhC4iFnT8%3w9VDuCgoWghB7lA3NWDcYgWysPRpLsqPNC-~s*b;*DAxe;J z4~&uK81`fs)mh}iptvcsCIA|L#DvndNowDyCiZi|UJsfy?UtQHw?@(KDkk7IY$f1( zsLwJZs#a%uZ^gx4vL5QoxQ+c3?;*dMHyR^Yv)SWov)n`VSWob6$n{8;$#lzJm{v4$ zVxom5E^?5n=giBHH%}Vs*COIIq8xz0)k)Ib zq@WMkv>2mq--&~w^Hj9$|3zMEHk&}qWffi+^%FfLoqWJ!ECG2bY8+Xnpu%08&0_6l zGcEY!HXu*Ka|GvblAN}MKQ z48MUx3+fW(3>`E233I*j7Xk4W#;LGWC8C6U6W94WinR{&I2ugp9ULir6xR^Lo;cxj z!TkIh@=i{~u#5B?%Rco58J!Qzj5c#klaHjXOhSK9xth1mC_At`U*j0QW-TQ>J=ewZ zOC%{bc_T%3^wstd?WaNNj#A>ctitdpSuOS8I+M{Na>NNzR_Cud-zm7d)(M`7QzxAZ zX~TG;D)X7vEW*gMoPi zocF2>n@N2#FBAZFPMBBW{R@8v+z6^ZXF3j{f?`Pij}r=Lti8aI->#$l(x>BOo-*uX zYB;y^)H#<^pxJj@JoKKj3rF^reDjOK! z%pcMpy}py-+sCrlmKw`WqC;?)AZPOzYS%aG$(ze+WOh88p9_AiuH~0yE-sxym!zf6 zK8>nOC;0)e7bnZP`ET>VY1)Us&XKjR@RvyP45vg)MjhQyHlx!pRIp)SzMGq5htCZ=K%;tQs&rQN2gRnGbdNK*G zsu}x4lQkxztYMt-!G`6iQJ$c%_VM0rd@9Elm3Rc;2WRq#+i?`w;u5+{?E>u33XS*%4Kcx>WN_v&68A9LL`jW3xZ9Cy1?bXS=0x zSDH>hN@c@P!+6PYt7@~wwUJuC*Q<@tj@Vr0o*eGS-HV) zI_lzluN?MCLQ>Dena=GCp5y!Ei0*XE2!IpVi&@*ILzmX92!hd~sp>=eP3*8c;*`~= z^<)Av{$tp&(=ba=kq>Vbv7$Bbuh$x*0n!JgB#-~SEhX2v1cc9rIyTBFm{{v2JTyR+CQsDs)7+BgnQZGI<^ z|BB-SPrSpX%F3!2mf(^C5n9w~pjeWr}Bq$hjaK%Mk65Ww@3Qku~IJ>1dzBZdZ zZ6o8vdq7Dtw|qA&<`{{|l2ezXkO~g4WVMKAZ)uy+AApU|a`JP(-MyhlD;Ia#cI=`F zL?A#WV+Hhs$}fs%XR14v#rLv@a-_{RYKp2rETlk&i23XOI4e$Wx?k?L z$U9po&Ch-~wW7IsA5{1$t0sORu-Oh)x)#@(uW9$_#AUWCWW}ms<(B?)s_mf^TfKKn z*Pe99Edzi8Go=K((&zTV%x=Kln4RvyKONM6FeW5fjWyxyrMom8#y1VaH>Pr3pyq3v zRQxSmQR)ajGtbr|e9oBg#s;@r$?0EvK-TTA@a6b}`^`tOxKj0`KfKG9vpyBNl)1eB;00-1EZD_dA~@~k2fy${S?^yGno>`PW`9~p zzvW&D_>U}qN;qDtT@y$khj|v_HhzZH*_oeaPIX7Mwq0AqsV6NrE4O`8Fi&N_0u5e#@!-olUmd1C^TXulTK;5uI zI;c3j!(U>h^-u41SzTHa!CfD7M7xV%ekBYK!Q#|TYzw0MHc{0MYNOod=lV;9Czj{Zrdq|sus*qPKs=Y! zGq&}7h~Y^VHkJa^9*WV3ubc!_wIUipjdtDU#6s>ke0J!>24w-2TVO}geFIhx33(^z zc3dX5As@hdpdg(EJx8^X@?@33D%JINXcK zB{nf&+G`sHxA>O1iZvB~ft58jAWOh2#FbkVM5tk6bdP2e7|Vjl-$%1&RlVUKC8)La z!5Nd2+=d1lbh62!nHG4#!xW+W6}ns znPL$L7e{^}_^-QOOMLzR*zwd}MFX9XARyt1^&~ui`i3*E2KE=e*8KV%x7+4mb;bs_ zl+IXqbrXcLDe8WkW1I<()nVFiXsMO?@UB~HjVg7=$!bMO=vL6;VD_Yz*?ImS*;W>1 z3A_F`;4HiYH<&l8nEGk{-=5vw$VXa($|d-{r`@~XpWnN;dOoh*0g#*T+w!}_Syp|4 zoRuj6qa|mmAleBVZ?+(w#bTdo$C)|WVq+PVGCk%Zb76`WygCa*#g#57ejTc++Wao- zfSh5a@lJ#js6kNaPa5c#GWLUnd5)c^iE7Q>RFoIy?u1^A+h(jqgZKD>Y7a<*l^b~Y z8S9r4!I9JO{DYHF=R%2@69q)XlN_{Dye>;XpP8lQY|`|u+k%Vb6Vy(mM&(v+B$xH7 z0?qQaI>Dv#ucnybAvk-o-o`Xn_X9(E3&}7P-N+px^q_LPu9q?q_aO%LD!(S)D z%61T!os8KGecDsenbx^3rTC{-q&9P54M$@7?PLKx%YBX(gAAkdgHvCPdXf@{)fwk}4LBs$P?mI(?ioI6<2o#Qx>kOM-q#4B zzquKsYD0Uy@8;cUdZq69jcn;@O8*NW((;~am#ytA;i|p0VYYBVf(3(kc%`kE5bRV) z=Y9R>v3F4Pi#R!`(;nk^c+!bz81nn>6MetN06P4P)k}+DfNPT34oO{DX(!u3n%`1k ze7%48<(oC$o8}`NpOkYk2g`gek?siHhI*d0bg|a-6uGmJHp1FZF@B}yB6}8~RIk+z z9Fv&&`*w=(0hPlHB=02^WRiQOe!l**p1ZhJZoc}3y68`m`` zRLEw99xL7o2TTsDuT_#7z10gbWhqJMjhZ?M<#d<6^VbSUTcof6jzs>H$ z;Xq-7q{6K~f*X_+W3XQlVsPex>IrXu_QF=vpxIhzfb4cXl0kFX+zeQvtvYJFu>HAS zG>LAo!gx0crC{!tJjo#yt)Iu)$ z>hE}y#Z;mbCxi~%xh=pf$*Q{*iNf^+zx|@H!$fVlc ziDaIN9LgV_r5}4N;~o5_Z3Mek5xjEeV0kCpqBAXsNM~z*zhwa1h(Ux1g9W-B?SI5! zpA1o-?qnc;2s80UCU%#OE(XJ+qI##Q4s3O87p-uqbb14M1+7nG$B$y6pFo>Xm zstGRjLDRX&L#jqE^yNz}^%KwK6LP%6*-usrQw;k;!k#`5>m=<#B6@e;3d`nXc)DSj>Hy=!Haw(5RvDJl_JG5wUbdu^!Ev1J zg?ImKq5=Z8EF8kx*5tBt$*ZBM=Y$j>7d4pv$^$V-VqzcYA|6?UjS|!~j4}u+cUaV( zmS00g@VN)}BPcC-Vj>KjF+rm6BWzLPY*F97`r`Rz23}A)#5dv);au=2&wcMfz*M4d z!M|Q(DxYUb`|xLdz_xViIv)Nw-4BAjoe^Psjhd(+^5$=QxV}33hzAgSpssuUG_LLC z35)4ga7v1@W8FY2yAY&S`KvN>%dqn>K zjos|0F>tScOd#YR6ZkJ6o~I@Sh~1*v7g+^i(4=)F=TR^%Wf;-I1HOejD1pY`p{1Lm z!wtvag+}9VV1xG(SoFHPc=Fzf7 zb~Xcsv-42L_2nBSD$9-kTF=ol94Uum@YUpUOZ?gx=5jQz$V$S6s_(+BbBW%;AOLG` zdwf27(|M%%7gWTXH{RqseLMME9;F?ZPorDYNEg2I%yECH4(nCcnU?XEWyptb<#?QA zhrSl0xB1xd8|6%uYFjB#3puex^Sr!Cn&Y-LpdDQ0o|^dv*L5rED>|{HL6?bILVJ-p zGyva-GAijYMl^$Y6{19bvD`_5sTrb4o1V0*G8g-;p!TBJI!N*gRkWWLy_RVtPd^p? zh6B8(U4>@bSbm7l5)O<57#hhiOKlrLYA?{ZMPLo6Dn0L~Ilcw_jqYN2L=pZ*+Fs$` z6znWkT(GywSMUoMpVB!48_wZt0!C?JJN%sC>K4@NFp`wSvM!rkCBkj4(r_y71-6&r zt6)1_P2K|A!nm=gKOg4tttDh_f2c7%C{ge(**y#+b+sU%CWP-uJH~Nyn~ArRdO|+2 z{TieS2{cDTq^ba1K|+4Was?ps+WLHO5rLI7w>USQtN=n?f>a8s_y$ckTt&wzRNX=t zW&=#4Qcy!iRH7T9N)aY5Mf7yxj1-BK`a)4AI#-Kuv^MYek1B0yZLGU*sk z4R;*wb*ODdK2x)kfHP_66$uNCxm%8AJ0I5EUD9 zQK-@l7X`#tXi~Rt#)hKFdfwJWaPt=ID`h3x$BrGDIK8%E=HBcl(saHgZ35bT2LKI! z;7o-FXs*hwr;pGO<}Epdf%*+PdghH9y1~Fo*GovzYYFC#@{Qf=8@}gD5${Kh=|d6b zPGVH|^$;T3hvK?Zs;=MR(AC|m38P=Ze(6hkK(6;Ktkj1LdQX4t(H$;&&(O8%2LYgX zBY_U~k|=of)OD4eUnBDV*6~EJ4$Q4AxR%*J3%VQB{$g}d708Dw^s*&ewI3p_k7xHE zM_@^*dq`s|lSm8^%nR#mw8`t@SzJm#QppxyYpm_CA%fM*f}$s(*+2;wtEvVie}oSN z%|UQZn>P<7VJhU{a$5~UJPj=jQJsgom=oe7h<|6DHHj8S0j(4<_aWm%0aii_#cxb? z2?;s&`>vkcdKxe0NSSbsun$xW{XYAQ6Yb8te1bkI^kN_uSx>UPbo0jh!qWQe;>-FL zDsJ1xL}-o4$V3IhGfS4RiGQxO5h!5!XvJ4raN4BJYcw!7-kc6k)bNY_8b{_3@V&KVPq{_DuxJ$rBjVf!O?6O^w&w{daDJChR_tqw|B-lGHc zlOGE`IbpqtkE@`KkXE$5XG+H1x$+%1-jO!ayfJrKq0eB|W7Qx1BUw(|(C%}{xqMVY zV>;|qIK1#_L!Cx{z5h#em{dU;;QYyvy8(GTA8*PEcTN$5gcr2%} zg}}!&zBxNcr&ItPOSKf&iw$3Ts|%0uM^!YP0&Ndn^K`!(__@|usH9#zVN~kLjKTJ3 z#13QSLf1AeX>S8IGAqq#Zy@?*r#B$$FG z-Lw5n$Qge;!O{pdh0n9A|S_-x+=Y-+)>%UWVj2{57E_h0lxv z)1L&xvY!zHpfQf8z=$M|(5whIBgqRp%FrZc$X{SkYAsX3t{P2?=S#A#GR3wr zPF`Gb4l=hkZZ1PzUC$peExr+!7FNEU)K z%LUSqnG7T;A1pt!&5;CTw5jS+)W!48S5qQ2dMgky{R|?NAQ^TbLg7LD!e~L2s~T#) z++)}ZiNE-fSTymhI815fNk6~p8lhPm4sT34p`=?ACYP}qwShKAb8%qKz1KM%EDVyole(~b?4Z}Ab z_W%^XnsKVrSXH5EL?XdNeDZgiwN|&&F((SP)Uee-ML~?7ZB(bS%vHI0$#Po^K9{Lm z&tWmUv1WVgpMc3N4c;)SGcKv!3hYfLF5OjCU;_u{$w^X1`>Mg{?Htz8>M|lSmPR$j zth2|#$pL5Utsve+yiuXs3_`=Ceq}3ky*;=Ay5mnk)YhNG$?QF^40pa&P_%)TfD%HN z2}BL#>Et7?W4Gc}Ck99SPZ+(~)Bc8=i0wYr@NuDv3@(pb>_*PO%gv>ODjv$?qqVM1 zzyiKfBXyt@gJZbxcb3IIG=XhJt`gQ3Wbg0v`1y~ug;@m86HfMd?#R~fJc6ZXKA6>` zsyYGnkrGu4eZqJVdR|6wBZzmj)9D*8-!unZ-;zEsvaX}LqOye7uz7g=d8&C-XU9cs zrBbX~A3$ZfVi`wW)msWTw&NYo5o2+lfRQLi-g1evJkR!*Y1fTqhhN{TZke+EH!k-- z0~uI<#%G=g+h9g#GcA{)=5~qQ`vl@{d7Asgvh32Ax$~vY)0B8$S^0_N=DK&^74MZ% zzxy2oFEH+m1Y>F_1)5`dIGQmqX+X`r>*ywTVqIUdwR)MSeKZu>%zs_)vG4wz0p7t8 z(vRy8Ir;Q~JR_uudJLU!9=jt%Pa?b4f6Vi<-t)7%#y|bDe951ooS)Q+knS2oE?k4a zU(tM0*yROz4GZ!1wavj&_q}Q|0zvRYU+E;U1_nv$IYk`NgZS9Pwem}(k{%pxALR30 zEJ4kx33@0Y%zAcI-oAH=kayqx1&Cu6t`zb~Anb5-sr%GWIsuqQDX!AyMFSeElQ+I- z>KE+^3Z<=z7j)r?5=D_DPwGj9{N_2`F;+ z*e~AEnQ^5g#c5y85UTp8-a#zmhu6msiv$^LF1$g;&s*ti&kz?_+GFNbb>~wpbwTv2y^(u~r2GXSfN6%%9 zeWUCZfp$}n+^`3~Ia>MX*-?8p#6@2%PA~D^y@jabw{t^f{}b%!ehFRV6RUo8wF8XJ zi_KH>O8~VlxBmpp+T&qe(GN&P>5iIBWg38B zqCHLGnXj=7IH6vo@pxU(tl33}(SNOiBmcH3MCGy6_<(r0QHgyE9@!WE5~ue)O1iL? zH+ajva9GOs=TlLghPVUDCv&W{lham#v=p5wlibOIa>sXkS7{;)<)~nu1>=8l4plj$ zUz@bl)}Ze&Xbbltcy4M|ZlJaG_4@Au|Ftb)*RT_dOi&Yp*}MLq>@Uv-B`*L40>Xg= z0z&ei4`{)4sKl(b??AT3t2?d+`rjP3d8)fM$4v?`xp|y(iUwsJt&AW}SgEU|jB$DE z5hf`x7dpA3@DUbc)^X*OhNP5cq?Y}LS|e&!`ucs=S97J1--@gq{>4?jyfa3cz12V176?DP=lz<$HpPA{wpw5hkx@Yn@fOUD z^E{QDXu@06Q<s6(&8nl9 zn7P|EDkv=@WP`++EA*5nw!`C~BZ=y6TA`Lt)X=`>j-jkG_LG%IuW&rGfC50%ey zg5g}vkv`HBE^t~>&n-@i=PA^O#IqAJnF7MBl7k+l*^P~Bv+J`+;+ai7JSi*pqe5yA zaB{tklX_;bHM?|8@z?Qy;SAt+8;t$a9AmOQpAI# zU>9wrRDV`H^#9={zrY=4PaOThYu0~fD}V?<C%?4L4J#j$l z0-Zw^VdQorg!oeW{Y3epHDFK#9muR%i9t&>{&TXc_gpN|Ku)UIzRqGgl#bTVs7sCS z{&CUMZL2t%w1l}P-`g)8+SX?MID@?mBAYlV4!?rl!sFfbOy-wz^1YGoxMfv5(5_Br zwo&zxBbu1gYFG{`Oc3QIUq|L(QlK?sXPZ-P?wA*WxTD*W7N!MvsVmL%EQ^L;d5Hb) z$~e<|njWQeNME1xEczDl4xn-z8#gzE*R^k#j(2k$XV@-=zphBQA53A7NuT06FaL~N zW>+v-S})F#{KDTd zBQ05V-aGS&i|$oOuOd*oL@&REA|^r_N{y;cZ9nu({p9StDT&Bvp4W>%{plB6;n~G$ zn`P=s(;}b>-zJ7L>r4(g`_`PQwId|9XwdCCX17LX*M84zTMpF+9HH5%^6cS6OYe3yFNBNMg&r2>dvx+Mx#1GXZujv@6%pjh^}uO$-z2oYGZruyph)G z0*BQXv7ITeU?hWITdM;Lt#>v8+Idd8iMkwM@tvNK^kX^LK?#m#kkZTqIYOM+v6Dmz zyoirXPAz%4to`@BUT|@M_1|Zl%b}|{dx33*!-5AzEF)^YP7mZckuhgWYLhXsL4<4x zn;#3~mKSXiMN!2kuMPXwWl?4enq4(fF;-Q(0dbLi!%K~A$F>d)2S#P%*i`x1S+tFs z{GHY~iIL}8N(&36gUQS__^I<2w-GQl5?OG3X1Wq3%<7Ptl|?T=o71;SkuX~Sri+nE z^Qrw1ejqi~&481j`lIg_JLp?Ij`xuECPhM<-opU`Q^03Z7RCV<3Zk(lZ-no@V^mlv z6HU&*w_8wzw^g2T!je+z3j||>{36%I-@&IJJno@CqJEGAo58+=o|^l00dqkf;O+?u zyJ4K+$WbV@T1vg&*6|DEzIw5aXct@H4h~@t9?`R)yhF<_erWs@ejqPW+gxhV>4Z}# zWvb?(X}>eDpY}ZhjJjsDADYDucbY+2YcFDnjj0Gb zR{(Z^FqY(m`ufOdzxg8~-iGv}=L_`zH)QY49&H)^{lH^N3j#v)zq&U3zrZb&q3RL- z*O&8wUJR5lQ7@B%sVNFO3K~4IBr7->9GIGqlzu`W?(H9ZGV97_%__ZRwK?wdejzng zlpmnW{5hXoe&wm(F50T>HuHUyg{(Acwo}K|!a!KY1srQ@)8K8`qPVuQVhsIVE zHoE)8#Jplp3QHatp{3rQkTZ)ODXHQ&wv2=m&ZZ@*8SOZPC&l$XQK_*fp87NgsE7BW zR^vtKJFyd<{=?`5`enCL4JPra6pqD{xtDt?MYSkSm=oH~sUf#003u`Z-$h&fVK#mJ zY1&S#>P3&_RC6%QW%mQ4yVe{4PKuX0LfdPJ$GUUJ*E3(@4iUDfaMq80mtEZ^d=%aP?fj&W-s#>e3-Qt6+BEQ59m;@@Ju=dN5v#GNp{mhtH z?BPX;(Gp+PwgNvW31u{Kf+CfZGf%QIRU=zhokwHC2{0cUE}NS-7MH15B$4;RA;BH! z3!Cd@rC1mqhX{A=n>W^+G9zMA#Y7uDV8++X=!OavPpf|H^PsEi)5ZFpVfOfFPS>*f z9XFySK^BPyK=1%2{cizHV$qBvE^60SCD@@!cQ5>QEcS zVuo0|L9P3YeR;p%mLT&o)KVsW$Zj84vg@RC{@RhYY*6x_f$1X`-`FrQ_vOW@TbITd zz%U8}U_s@~CleB*3m!JnV#Xb0HbHe4z8fVIL%QpA)+@>K*-ZI(=;+}#*=s_ou*a>V z{eZs~S@Lm}M$sCH6uy%ne-~^?psu^nmVG+B^$=>49OC9HOQsxmt2`+VKB9&8f{x2{9`>-Xx?!hyESP~@9<{CJZP^;2 zf!x*igbXK3YOal5T_+%8+P)YS0$QK8%G+7P(Ucs(mcmRqxnXX~PR9}r$>TFz6(YGQ zy;ddM^#cVSJEfSNGw{3nuLb4M*=&lH;<+&J{nuN;*^ohc*}(Uoap;YqGIUa}XPZgX zWvIzUc~QeUL|+f|`aI@z5kVlOJ)cSd0d#QG4?N|Oa7os^kP7|Pf{Fm71im}oLHw|4 zn4tK@A8v<7|Da90W;1bJ1MXxVbstBDklSk6&_2!DFEAg^^UOZ$#h@`n{X{0~USw9U z*fDg(T>M|G!{#oHE>~@nb?A07)RNGI5;8~&G^Sz!cuk2B#QQ2zL^AWomER!;iE zimB<68wA7xp$(i8il%35Nl_yT>CD09G$xR;B@?6w+FI2rMd>tCO+QstAk>acGewh` zd`qm0$nvZ}PuobLlJrH$jpPIX)+&*ZJhCcm(8?D{!|Ff$yebH}URa^AtRLph^4G)6 zGIf)D#;&D23Mh-0q{r$AD`jQ&Jil^QIkZ~N9_X%C&P3iMOZl2KN`d(eZa(SQvj^Yb zf~EJTKH2N#BBfJ4^hktCeKesp3unS_`SJpJaySOH_wXM!+4hH-tle4w|IfKs_3es# zyH51*k6qd5T$f1Ck--`rk#ivT;!Ec zb6O|Qx+wv+=2|=Eiuj)&GUv-i+9!OS8sJZH(>+JovZaJcVc>tT6h%Ms?IrxD5${R4 z^(1Dm3qR7P--*zFszYey=?|FzMRU2~A>v>#)|_6#9>Q%H>=}-L!l>mv2QIEGkZl$6 znSyK`U-V}Ot1g35;d|v9KhB-bR7mjfgTlCGm%?4EC@H69^DFTgd!Lz(wqyT11?6&I zi-ENvKm@rb8Z1FoA{6ryO(iKK%CZ_JoXYvfK1y8JZ@^ycfGIvz&q5Ak_~VSNoUmA< z91yk@=ETPMROST66ZoC_@Xv4Hf7gEzX6x(o+@nv) z?Jc85IvlojGPm;&ysq;5>z8NlFCp<65sQZq&4yM6Bzcd#v>8~*WhmMJuQa`eB=;qb zP!cLtyhe-Z#n)J$M8Vg@Y2dggPkrvS);LOpWyPZH#R3?udCHh(yxRd^mYM(Pf-)$7 zlRHU$r7-o0FYxH49kb)R_>uiZyfN(KOq~)%%qJ`ya2s$Z$-A1Ti}^^cOQMzcrt_Ot z6)+*wK2LSHtr)I7``{J`;_YO$#9?A0>Df#h+RIaFQ^`}pUKJ;`4X+%kmx!X>L!hPE zJJKd&=K`XXssb&-dy}rcNSiK|AL5F4s%PCD!hm+a&rS@ z6<-`*l;v^!k7?6{BK{u+Oi@Z*t}R6p`Ru%W+a-+Qzxk1`d@Bm;Oc&L;f#H?&4=#I& zU0#n~iQCL9WI()_<7(7?Q3^~^T2|#>)wWUs;L3U3a^zWj3n2L&Yw-~0sm(ObN~RLN z8u6X>|9AlsMtw8T+ezRDW6$%(@Qr@vygqEmp_vci4WaZO zS)15H`V$?#sKW;m9X%7}OIOT3{Y#myc-yySbPa`ae0Jw_8KKtrHqB(SP7-PxA)F8< zV87ceIVq5nDTtt!%}pOF@Uu5>pGX%Gq14<1Z&YBgG8(mIh3Ki-+|Q4^EV7jqD@9c) ztxj%wEA9r|LchCn1MVD~W@*DrfVQFR9h#D(mbvh%&GEvjAtPB1mLWb}*Hq#-`FShX z>yet9QzN~_yGk+vfgY*yd$VSn>2F*$KwD8Gm%n%UA=y^^&Y1<7B(|`=cWu9HR*Z04 zCBrGxg1BYGOGv69v9jHlv=zU#iU9+9m|jIU-@@8Xgzww63z1lH4;>u@+ZN`2A9e|G z%s;X_-jTe9qX^TC9>s{R(s(o{VXMSfcKGZ$b%q&6FPY*=)MxqYPYl7pk((NbhdJV@*?_4K<$s-zf9yyh;=cp#9K}jCu+e z#q>+n;e-sP^$b*YVMg@ozT{%n_Y7ii=``D(x;1NZe(#goBtmPX)KBnZgzDB@d*3a{ z*^{Xfvg{Rt85O8TRt?`DB+5>9qMdAKme$2SBu??M)A`QfXB{u&1=mV3fNm+%bbLqi zxg)JQU(M(#l*zUE@9$T!H?I6doO7{^r+JqF@^{O}54fTVE^*y~Z;vTf53bHKD9*51 z(`fME?(Xg$+}+*XWpEhWeX!sT!9BRUySo#DyM<-$(xC=|XOsbS>A*xS?coy<|*BPbsh z^19O+e4{bU6iFBB{+`X4Pk&11%!TIXSWsDSM-W$N$KtwB>%1NXTG>aeDd!UQ12P?V zYPYdiJuBWaUKXP^hY@l#tg}w=T9XK#(gKe78f(f_hJ>{E<1&vX0fs9NDoHa(qtKwD z-yU5mi;8BleMhV7-*3}x<8^ZN6K1+jBs19}+x;%}XYQ{qii_kL{nsuyroAB_?rb2- znig0q{W9g_jGD&=^g15jnmjT|fTk`q^$f)#)=DsIRejQ`6-6@Y$ReDx z^@~t0P^T2SQWMsK9#A)!g^e_#4jKFjg|eY>#>$F2V5AlcV;rCW1@2_248^Di(RMh| zV7uMLDR+cWHw=e-JsbMdu>zc}aCF69*!c^0m_a^d?W@7jxBw!DqMaWKKu>T**0%P# zsp`2cyse@+kGM;VxJz=pJ5HqjA4P93UW!dXlrZ0V-B4#&f77?6#!;?dz{Jss5hXQgr*BXn5#$Rd~=~y+nn*xu06- zSRJPV_B(K(vY^?H28di<26jOZs}v|hT_i!Ie?oP1BUYaHICqfm$&-ByXVFhya6!%L z3g<#=IDv-u2$p%uNnfJndn_^uJ3~G;7e-~V-NES-OM0)b5h^MKS!Co7ps6Dxq<8E5*%bmK!=XxwQ1>`+aW^?b#FAbslYu%1A z_to66L16q_EYX~!u0y{=?Kw+Js7~o(#X6{GP!aW>wwUJgILDHg*0}fxkylolqi7ID zL%C<6^Pq`m8)6V|BJA7RfJc>)pj{1^r|acoENjWpj2SAhE91PlC)AnbB@DUPWyH1w zpe~jFW7ADy0d_8NU|cYwd{(2ZIY^uQHXF&|AgnLIm@^R?{2hHMNw6L-4PY*u{NVWn zBWXVHg9(0x3~WK)^Tl3Vi@JU%3Gf)meWV*|>6O;%lgTUE5h=7HOZv$D2WCITk(nDI z;}d9u+w}t&8ZCE*@rwR|i`RzZ`zZ<>+QhWIFJ!y%2huiQ74^_IBTEMQ$o%wTI(_pU zAEX~WID;@$Qr&s(5i3gP^pPk6THn*nf#Zd=F^$cgWknv_-LH?~b=4d}{>8tyB+KGH zkQ1;GpT_04x#)7YM*VR-o?!>yXsW#O(1w-qMT3!Y zzRl{51J%OJkx4thW5YKbA_)fps8_LL@(jv5?b+JHhvL19ViL>ZnUuM7IDGJ88$z;^ z4-$C^H@J8QA?pFQ+%g`4-tfslyvV$u7(oPszfz-q-+9k)Gru9hMzIGvLU??{Y=fgi z?z$(t5%91lZI?V@KsKuRWGGzG3&KKvjNM=&0cTGki9VnM&Bt~q(Ar*QNU*Kin?Uko z^KmWE+%nIYvRwhGEx+MF(d9@w4AxXAZqSFgEW7KYU=?{gLa0e#n2KBntib zxJyF2Wg9gU$dUY%Yz6EsYQJXuLr_2#cYF&Kf|eYmqdb&5YZS-oNDI_8u6yyc7o2YHw2~=P7O0!)KLKCL`I?!y)zO{*w~EPnBXvDE0n+vt z0-oCg9~{P5m5P|oEm6iO-ioQ>qtDSMq+) zQqIF)zkjUjN~Bve$~Pa#8dvFwQ$Z=L5Z1D2=sXBvNR>&DXdpi!O-!!u8Gl$jDuD7X z>9>rBF5+)*-<6p>(FJD*m^`Q>YkFyunlzOo1uoB+9Jb(xq$PrPwjrWcDXjm>(1;z_ zYp53A(ggap8TGr!%}y|-5AIIp1AIe}@FD=0d3$wl*WZzMi_jwE(1XUSqw6NiE`A&; zx*WB%L1YIB(4Z5Xw2+5_213wH4fWv9q|WS&;@ZofS57Rg`ZSAg=$xl9Vz(N4%Tb^P+t+LoLy=oPMS)s}Q# znC69HyyRXDMFX3n3By3QpesTR&Xfg*S3W=Rw|aKG}6$52RKrFm{A#~$c@5v z^3S;u3wbLx&DSN)@m|rN|B!UR+b%M9;uY z2lNL`Jh|Whf{AwA6Sot@D10E=w5#FIXdAA*(lhvnX$2VggBDObgBEZL0 z0u*tEtaWQna^DD|ZRI;Zq;ED#IKYLB1PPIvT6ogEcj088s{ToP{%Bm0wRqlcRn=?wU zWmOiX)t=S^jV-?(M=v&IZZ!PT=DheVnaO6oN#V(z+JUUCAgp0rJ8iI?^Kt^*_CoK~*^G16cIv~;K-C|KgDvSq#Anl{gKscM8CszG3rhynPR~h} zR>ZOR=_HxIpJwkgURSb@j!G~a{HjAZfR$Ks%sAS00|GH5Q*tgaPi@F|D?xz@)ZYoDUV6lrf!8zv6VQ=a(wv7u|f!276Fg@w^?> zqdA$MvpSXjUYXQiTbA&2zjjc8*+z4YT3a`yhsVpbfh{NLtVoZ=HGsgKp0A>ASr3EQ zs_ROnV{W}Ip|@1&vwsIxulZsJaE*5Aw%n!P&+}0Z&w?)P0_U%tH^Nou&Unq{CvhpI zMDohi*_Ov!&g@Ire2vtETicJM0bB-zTKTghHG-ODTr07K#CghNVI=*XMYUU_rxL%F zy^=EQHdbjiIZC+*2k6?8khL9qF}_L5u*U|ldYSxv%Be@BZsq}|3sJzM?Md((Rh}C- z;4wF#sdpBWh;|%IW@Ul?4VbC-po7b>BTr+GKW36>~eUQtViPQ0T zKF#bfbg8nCCAtT;sE3YcndB4R=TC>5#RMyNtRS;5HT;numnCNQD&GXBrS4Dz`W?Kb zxP6ag0&Qn}bU59m^>db&K4xoth=a-i{;J8pkARVLZA)Mb{#a&9bdTM01cfn%Qv(_0 z-HBOMO@>Z%YBj#*9@g04HdE+e6+e52&z82^qr=o&SimQL=a2vav4D2b$oHlmm*0Q+ z4v_3V@*8GLfDjh-`QbZrM^BaVxl}~P(JTT}QG_~y&*gTRvkp8f{hJK;R$FzGzI0p>h zhW#Ot)zsX{O-Yjc2o(VI7sb&3jG?6)p+9O$4su(ZWGD(KDX3V^Hr|<&)Te)=kHKeF z!kPoo#5AC+&<4inL{A|3mD7(jTBFkl#nURSk7O(J8P}%^_Q-vF>FnJf-)ocx83=HV* z^_)r^7e&yH93D#F4-#&I zNR6K+QRaL+oLzZ;NOo!50}$1nuRJVa>W@xoEh|22>|QX`{t>NLjyT31@aUeo!GM5U zN{0)BSOLWOpQQKuY(kRnn!{G#?*x1^Zy~S@oFr}kO4S`U0ApQY$19=})Xdt3U-^_| z&j3_KW%M{+2U!6W$1A8}qdj>u!S zjOL@lU%#uX9euMe?Y8F=*v$ysE0m1Dm^xo|UF5ys zZ{G$E=sRQMh@dEYK)U+`E zamnzI5{Um;)K-ty>}RaUuB4RK!?dM=lBJ34S{37=k{aMW8;knk^cYa9lry~=(GB=3 zU&j7O`Q4&a$fHzvjIVh|D2fzrj_+sHR|eZL^u2JZ?n>_Y{5VhoQ`*x7+saVBb_GMq zfHg)_gWm^#E_USugJyTVi3Vm*(Mi)}s9oEFF=kww8O9^1W`j&w!7xuK-9us*(%^ldh0O1h zrjl5u932@(_S&^@{qz(=YKKFpZ`6$Zm@;eYu968=>$+T(8%cvc({oyu_Av+}vu;+L zAj>RL_hR?5WjbdTb;OlAvI9xUgh$MD?~zgQ(k6zd7bMWiY%^w%F(#L#<(=Z3c!sfY zj)kwik3HirE5ZRb8{nP(^2(WXquLARmU{(nreS+AHDMuM>;Oau-E;zPdo^zwVt`Z& zL8Cxs^q)HDOu0yaB;(ghmL$=0Ip4xOX5=cIR~~xuc@#PssUVEESGx6>Dwp@`pG!_} z8+a(%Z3sq`OIxZi9;#MW%cnIdmY*8i5U~Ec2j_hl0trX&1f+iWg15*tF?E|2`z*OA z)*E~$RcUf}4B-|15NDej2~0tP$X{Z2Hx8Iwu5<)v9Yu-;uzxq;{kWX?hNBHlHr0G9 z)x60Yt2Q7ahV3^RI|y@#YK{2rG&hxT|uSS#Ou>$2Jrl`<&cW}+pq7bk5ItHEd42%&40Zp7{^?J9zetD}gtLyZt3al|PnjKkF zIwgR8)n5qE<#z533B!Nl`sUa#Cgg)^xobiI7$J!_!2rNAozI3rM@OmLmhk);2g(@O-WX3$~m-O z{75+JiQ$5t**PFJgl2ZG*p+}TBf-e-hWw<3wramDl<8X)#_17LI&j=KDvW5nWOyY0 z&zr=h96n6a*RtTtH&Bf=Kk#$I>W@es7`Q}rbW?=0Ds-NVS9$a=)AAqt_^x4%1hiVN zo=byDB~fuv%Eo40o-*;EF4?BWhtdXtc}C)vc+=etl@U zn{)Kg2Q{KNmfF1F`vaM0(#CH$*mE~i=pUY(mxDRz{MJv`TK{ok3TWJEpY0efojPmX z#B5sqq(6F$?8@|o&|*Dz{5>ZZ0UIZzi)-~`P6n5mW3GGK72bg?IV zrV0Ke4TK`|Ba=W4@ZD|fKM9>dFoJz&!8xJkS1c18XTM!|MP?BsJ|n9*F*6tp;Xxf7 za|(KATXPv4izky*$z;=!SLFzU8@Jsf8JAD8Y7MU3M+*_C9eTKu_7@~hLkUK3dDj<+ zvlHzU-9p{2o&f@q+JDHvtdZF`enTG~U}6oD(!JIUKW{Aniy9|kmrW##(+U)~NMy6Q z2Pb(SxQ=n671?JS?L<3l!J}XbVMs1z1EZk-VVOcA#x|Oab{LOmF8$40K9d^qhbx4+ zCR}o&NG`pItZiZ_VuNgEGdPJixTW86==dUB~qu$9r$Y&<<+I`FxqwHwoN>HtsvJ5M*%_l+0c6r>Z9 zERP{O=ib{_Zo;+in>~2}SiM;9a)WjfolK!p6zY2qWZNX9kqc;0ok>dDK#Kh-(oTs% zJ<3ibr*!2Qb~LQrrbtg|?a+nh!52j$qN6IXxyblu=0>h{^*&d-c}|d}%T}GVNL+UH&h` zd^4kpi4bK)`Ad9(Q_>n5^3v~@_*)GQZ`QWuTD`YPmxtE2b-?^eAljVRuRzdkc&-+b zni>K`+FAv+0^>%m`;5#-JK733qulGtT6X64wC{eo%z2xOgJ^F!(N>0a9!rY6rh~8v zjd%M>z-lf(V{TzVMrLl2+`~b;h--X>ja!f9Y&re{M2qA^pHuiMKve5QcgCKS9ls$~f&Vpl1v8`H6 znz7+%L>_Z%2rMb?)qdBCH6f1KsXp3M333DY4NiCqA@BYrU>V6iy?K2B9WH_fF zbtV1JVrn^2-S}HwjZ*!_QJAeZzqzIaxW`JeZmNBF2{Td7F1%zPchxi)i2b=wY8&w- zS6Cf43ZKJQ-8->A$LkZ8{x*c|j>!SC-C8Cc7z64^^!DIG86kzzR|DhPCg1)XeW7T=UQo=~4l6=cyaJWwn1XuHEzcY54svx9C(Q3ALiv z?BeWC7)j%vMZ*vu{*f*DhufNq|G4H6i*A+mmT0TSx2)BqL9rV%q_v=IFvygnhc_pW zL7Bbnk&CLjUakqWhVJQdaBIPr+fo`P=~gWKh|aOu0q&Ye54$~6J=`QuK@MgAQuyWg z3r?DcPeOJ#$wif_A;7`JpQ31it1JukfkI+%;g0jUnth1GFqCV_-BbW@jQMZdwRsL$T3n#juA&)xPxd2W?uYEUr_bZ>xqu$49nm+YnE=NA z%@!NN<7tPf#R(fj=?33fxorQYb8)2Vz+rFLfxB|N_^`?olng0nukW00C{_%>)&M+* zVSw~J%|`k)8bUi3B-1XGcuZR46xltG=46ov4+C^=U+~@^?LTOTybPU_{ia836^yt5 z4oKGi$Rb<^A|1Gq*pwl9js-|B{h z^vzgX)~)O=8Uf2|uWr_V8aM0uJjAlMX1O9(kM4?rPzn32;)F2n#;kE!qnVudO0Mi_ z^F3#hua&rcT+wG9g_|-iJ3+p6=xVEB5%pP@SCpZGJTV>D7(>D~Z7e^4Zx%eE18H(r zr^779)vHOt&HISI8uZ%{H9kobZBfa|;v-wJgCo=DX?q?yT&$e|#{kpPGLOMlq~g?Uy8mSC6{S3m<;$Dn(%>=QUBXr4?zR{5}w(DaN)#555-A z6^|uV=m5*HjMM{gwyp31LokD#y%rd_jKVMwoH7T}2JTwTR&^b723p1^|4?GSDl5UK zu-P>i1%q@Rh<>60uX)(=NXYaWY>74^#vnZ(htV5XMS5~hNFHuBCBdr;ZOg?VS-BFU zkZRtkDu@-=bm3(PWe`D=-!ijUP0!Hk@AZz%d24xi7JX@Pv9>fQ7Ky zMMFqZ_|?bR)&*h8-egp9#2~fVFK+~abOZsSL}R*b=W-MI_G5ekJ$FLnsUg1epq2p_ z} z5zbY+7w{wH^u7ytgi|*%wyMm)1XXTL?=b4i#(F4=xCdSdVw(^7J`XNh(UOD~AYDow zxk7&P=cuWofrZ$WC9l|Ewt{-xlrDFw10pVnzT5_JlA?wrBSQy()m+a*`4Fotdx+H! zQ6O!8MAnate#_RcAEc$q))jqPCJvrB=G76gGHm%d^ql|0uBz!e)(# zzSPbM{e7${+r62u4~fPwyht`wkJ0PdG9h0+#o<37OU|8FwIggm&|e!&zR1dwn9 zCdki=3Am+&uYvNpWey6nK%hWFDZorz3@sLSkh3eGDOns2M^=Egq4#Li=@(s%>%d2R z6@I?t?S5+R7QZ17^nVndFIsNPN~E$crX4vv44BMG*qPk?nYHuza>NaGwWkLs)=Fur z(of=eXCl*2=tr@~H1GGuYP1DP>}v?cta>y?0_NTCs+qqy_aNlST$^+u;0xmPp7=G6 zMZk~|xxPq|b)(b|p=2*0ZT+;m9@#%f>@WPeg7eDOUQnI#>75 z1|(IVjsN*wOD^6K4-vB7%TkM1Syf_)rnn)#1RvUz@Ud=tnLvWs);oNT%c{lp3=p?f zVPk(D)*z8sR1Y%F%CDwPQ)u-f38wU%V!3e**ylPgRXnI6C3jS*4h!5%gNdtT+o9mp zLy%mXi}__y!htVbUpAR4FAE{3mi*W>00fk1FQ?H_$~8J*tF{_&_`gy}w99B@q80K` zc}iCCn*F{Rj)@nc<7}8@o|bVBsm4C3bNBPEX=#}DHu0goE56oWR#_BGc7BL_P96_c zX3$Wt4%Ztr8~4^^#)&>Se(%tVca1RKw{qWe90}APTiUEC1>(tS@w9liS`D+*6DQQ5@4;fnRzyZg3hxC^c zDt`h1-_|2#{NVarn9HjkE7U*KKCh*P=WiFP9BK|^EDz|b2~F1~p~LxdvBnskjt1Yd zN1%V8c-c9h+`J0(S?zlxfB+?w`;QBLtf12f^{rne$OevpB!T z*n~>2>VW(AlS8!zlGbu&WoePQNL7kbTKII@?+BqzphQ73{ml?>peRQils_nxDVn}j z+!vg5vk0T};Pv;?wG+bC{Eqx_4HJ4TvKGGgZVGOpzS|x7dst%RIgp%k-~SON{9kbq zJ`+c{&SYCb*ILgHmSdZt0k^PN7q@wJvX`&r81dZPWRG9p|AZ+T8JxpB&*otN`!5fk z|F&=NZ$$Qw0SCuu%nC39|Nk@qAuEwS5Wh44vq4CK%s?5>1x<{9hdgO!F%&px)RST~ z@e0lx9P%;)D5XuffyFX#%F6ajs5C7}7UA>WrFUrxo{acdC1t%|JL+YXOt0AO=QF2g zv>&-uqqpj=?UC*~3mrQjmt8yl(^p?G1R?O`MgbPz#c((b#gAtv7|E*|8rwxiyTWTS zB1x1F5r|Y9BPBU3io?e=(MmP|ThM&iOjA`==PGh2=4XV7z#bX=Y#Jq{B2WW&b-wQ+ zHvHw~BAw{wEjMF4FS%Xi6EJ+gpFMjSo>uMmm~`Y~zZ~q@n!1Z& zb89lmRFcu~B<5XXdoxKvPo~lIBn5kECRdaB_$-LLZAgMMi)f*7y_j(D7+==TTTSj) zT3Q+k&U|A#Cj%+oT_|xghguGIQ{Of&+`lA!UGx&NNpTk!L-w*EZV{ez)i~Ux#i8{z zMBrhzyPr=&R_oO4w`Nx=+UIKMoTZ&d_x{voH*cBKD#Yn|eyBf3bNOzSr3{<^3;n5$ znif9CF)uYy(;->Qf=l4x12Yd?5IE9 zVs`{8?r1bhMCnDjYnrD%g#zo4&B;1*&Qhitf6$Ls(cg%*TN=t-CD=;{SB8uM%fRe) zMrF*u{d$Z3y!|rGb-gt3TqcdNzcD*QF5p|Dq-s~&N_Gu8M?}=Fg{Enq!H8w8YaPR5 z6EOT@l~&u??lTPY0}7E2^NnG0RaoMcFey;XRAy4I+7aLlhckk6N|29yQ;8i9LW5_n z+pa%E`_i9f`&P*A)5!wY)VsQzrvopofX5Vq@~i>MWs*#uz18=G@Z{UEGgZxkK%2SgOjVI==brFU?7 zL}biDMYD7)LgN~g{5Qe+11}qA8_qB;{tz)lJro5R-;f}t%?_{S7AAoFGX@AtLe>QR z7(q|`R2jy#sT)W zEvk}ceKt(7iu!5_hobDDNfPM2uag^jH%QX&75|O%i%^@m!xp&tPU%-#u@bjV_QEsea+0#b)rk zTZ$5@C9~(?&$MT}&~(Tbfgq0s!Lz;1eW+yTDyGp2ACeEQ9v_ksmwxcJDXcXs;-XX^ zYkaeZbzn#`%2kB6AU?JxMZ+=b^17u|G01YCwD4%Z$}F`n7kaIciy)uO(3~|KcQ>(2 z`$O@W*0sEWbM{ujb9}frwyX^McwdGL8nU9uE|0K(Ryg}NCQIT4bbvs#s z>0NXrDAH0*>06Fz9^;Yh_~yoV@aa9z#1GFsr}h&nHPv%mr3K(R;owJ$tABL_)SsRL6uTqg@p) ziYvHQaJ7qo%W@CH@&g8V^((TZN@ld8Jqb3u9pqX*lFXv4aTg(2PYTD1hu0Rf`ujR-q2H2-J zcgpp<7r9yJmrOwZ)=~@2Ksg>xD{N{|W^mPr$~zf~1{3XE$aE+zcKZt}6M-T7N0oq? z^9$L0NXe?sobB=ZGe2V)@3QyKzO6bPI+fdvo&J{}5ZZsAc?}HycPfxzVCNvA2zelb zJpx8(wC7;-EJ9aQphS~;n{36r|?4P_l`W}{#@9%dH_<^wVWPB)&MU-TP=q9Ktn*d{sC#YCBoRj1?GN?f) zdH4*pyA#c6Fi2TSvhwiH^FGXAg9w!fm7{$1a4 zy{!XL@J1`VYKF#VPCA{7>Q+qhpKa*z3H)eC-qKEKnN%`aUO|M!;hHYN`Xfcabw2dSHJHv~M246v zdC3}SQ(bIzgd2vP)FEpXY6YB(a@2S34`TvvRGc(1>{X-2N;E&MO(zMDYLD+!=2mym zt5(7EABoET0`r^o7^!XskO(8a9SP`Acns{7vE_Yq37gdx-Bm2HxxW_hqQ)A&#-ZF_ ztmQ}G$jY1u{{+5jxSOJC%c@(ca?xYQsaqOMp zSRGG09S2@P;IO(8aIlKDio0h{ddz~V5_ndkw(DYW$l$f;w<1j;-WjomAd~qcg`j{# z5;v=k17vfQ9naYR*^GERGO{TC>YLGiP2sWscS`8lfd(PRpaK_^F-AUr5Uy zK?weVkWx?>$%^U+J0^~9j%t{p-@;e1Rect{FLmAVEQ*#YjxHQXJnrSFCAB39Kg@9^ zc(UmRJjwQ*ariIqErB$S@{GmAVRdGi_GlXtUh-<#g{u92p!@mtkmo!KjoQC$|!X+x!h| zkkC@yQrIS?rXMPyecPvF25=bDuI5=y;kXtttz!v`m>ExI2=I-iis&HYU~DKKGo_37 zg^n$j&g~;WIZ4#u_tS3+Zf<-&}iJ0c8 zLx0>~N(E~QNg;294!0zdZ#XXydS^pG$e7{+1t@{@z}-ldWwE7IrMn|1NPT##bU^9{ z^s29<8X$Ii7#m9|)g@i?YMJSYekrkS|J$S+wRRVfdto+hv4AR2n1zR;4<{L7O3Q_%8q`Gfk!&%fQdbho z!0jC-B)UVEV-ry<5Bhg5zf%Z&`+jj>a~K$f#P)OYKEdPZa?5unSJ1Z^`0wo;0Sp(1 zEj)=|B##mo^^ih8jdVXc*20fq5MGnA>ZXqxt;QAj`<%^uGtt=%EKgQDJ!ymyH)J(Y zIT3Z(3QZ_o+5FU#2q$ipVZdvl9aZAC2)RruR5=obK$Ev>*hwI> zTMcX&b>lnxh%j!rHuE{oVc}8}CmOQWv2?@?qA(P68Eb_x)RpXWFe!k+^<|$KGo_Al zFE_aMnp12sK^uB!S1-KEsg(b?#YT{;L;C*SL=Ar0G`on7o#MMvovBt9V9UKmXzm`E zMl#(ZDye5Gvoy;5hnAI(cP=B_1oon`MLD3{E*?rj1e$NgD{n9PDs35gZC3gTjwqc1 zcr#TY&K%g8LZ6_aCk%U97d3fPE4al4Y$Kv2n29p!Dw|(CFGI)V70ZWfbSF~U{Ut2{PTUF%_9Stt7=&7zI#M4MUo%$7#RHt?g2a<9@nE0 zyh!cPQWUEtFKAbsuc{Q6YeAUym11w!8Xz}VzV!q4h~PfHm^^>t{$q9pjYLJ$2sV=4 z^O+T(FkdYq{McQ}{bzVJcls?3a*^(4kQrq^>hL>+@SJw<+r8k}$*T8#y*Cta4chNV z3u-1gFjmFBRj{JP-0T_lL|5grAMCY!$&)kj0=GhzWDV%Mfb>!4P#mTyXfHQN z+_@17fNI7N;nEUHp(hz{&_@N-1MJQC_CD^OXAENW9e3IMfrB+gaG{_*#+d{4BX*fA zTuO!kpNl*+`!}6o#rOT}I-qYcf2HdGTNMI+2(V1FMjhl%7@ERip9*Abbeyt{`li?I z<|;48)kh-#GN9y&I9u}zXJECZ7XMdeC>d-xgKLY52L{wMf&_9fn}KNF$riVBc|7|1)Xu`*-%Lew~81Ux`EVzmtYqGBr@aY2gQo|G8f)+;=1!{Cs6y*@Bls#c}Wg zbxagET2*-IUp_k&8+Aj?mCb55TF=OB&a`MSgFk_xG{lW98tSUBXfRik)7{?ePMvQr zZxIP#TsI^L=$?%kb8_%c_YIDP#RC@T8t9zpPq_1X^QnDYVukA4X3{O4LB<&u(po?P zV#3GJ^&`OuvatA-lW8I?)vE(zHZMy5@FT1ziH(P_^NAlsF^>7g{Px}vQu;T&YKWQ} zfG}I$%_nF|feSBNYh+Afp8iYzd8)spo-ply$&a{>yrhEeH^Z0N!Fl+%DJ+1HZ9Ox+G}J3dUY`%&g`*|%Djy3yNnS} zR*io|=2f)JEe>#RFXAr$gPuw}8!wm$Nm}lCC<~Via{p^2wvoBmsi3}A!>#InBX0{B zigLy08xzG!XIL%QvkqLJ{8Y3s`F=-b?UC^Lbdqb90L40KR2*pncx}Qt-me5UoHs|* zl!eyJ)H(Mx&!tnigluY0gEXRGF!u9cx!SPXSYP7ZjmEZ@e9|^{K9^#D7WiE?6 zLZ^@YCIhon3GAll=;zTv<&$YquFfH;@4CnORZ{;5GK;1XEe)2etNohPGhgG@{@Q)g zjbby?ykN}7(WKj@^Zxc=yocvhgFa)rI7dr)lBfKE@A47ho<@>YsV+>aQFH}$c4H)d zSm^3K3*|UOkuZvP1GPGYP9quEXsD(=44*^o%s*JWuV}sEO!;>w-$ko@oXjyqc{DUKk_qm#+FhG+&m+I;K z+Jfll+Ua`QN`HTS!Zrf89vMTyLt!ouK_HFoprjCm&CjFdL(cME?H5Z1Mt~o4Q)GxB z%C=I6A{d8#4FIR2i&tQX;aHYdlP;Rz1Gnk-x>2z9gGh)F3*eB$>L8KtrpZYKqDL}r zZb)*C$3Z1t@Je^rv7uJpZ@k+9-5AWfGH}cdr*de9Y1h$#_TTy1ZSMKf94RO|WmB3# zH1}%`IGIbSUw4T{XkBt(X{xn?wynUg=HX-?yL4Wbe7u`TM{Dl#v}zqr&=E5>%_9SB zHt?H@Qh2MJ8TudrSxwY4g$NpL1L4vf#a}X;nJ_~t*rvlL0Ge5IsK1J9A((kqi^0B_+VH(UfS_b9(6V@!zJ3JMX1$m>vig--A(etuKHv}Fe*XA3vVgYWg2>BnR!qX?-$1u7xdfEHH%B@ z0NKq&`ym#>A(h|O(Y7>aeAWeeZiU~M9oMUdMjJnPdM~?}4v+{iwAXBC)_e0C8Oci# zD_hvCe~S44^<(Hgv(nJ`i&S9Z5+9)BO7Y?l3jQiCQX8^t+8D31 zv|(QcBIc=Hj6KJ)J`<3u)jf?%4buz=g&&{|L#OxwhbRsZvQb(Og$)}ZF4(IsX+`f` zXEUt;3a}hgrNhun*=rw?Uo*N#GSvb=2ZY6=9>kBVP)BFH7}`xpI)hVs*QQdWq%#YN zEjp=@U!zOQ+TN<{Xo@{{m06jii)9E&OJ07N?(2x0>8^ixbH<8!vu*enizv4Yhcx_# zn{KCpv~?!mjLo0^{)Eu37&gsxSYa^Omh^O8iFL4e4fsw`ModR9cFHN8UvhUiP0)LC zWuUY5>F%FqDA^Lgyiu%t|AM@D`x^e2+7>{idG=vH9zMKX7ZHxDuH8YlFaviSgF3_GIWy6`K>f*Yz;bLNJBB zVN{IJAsqMtY7}kZ@Iq9Kh%8Bxuq-JQL@j7ZWwaVH+tZB7deHDt;^|%^HfcRRrYSM7 zVkm$C6-JrfP^!oaQVV^?6{9}D-2`*DX7vifb0`&qM2?WL~%$(vVV6$_9< zAbP$_+a2Qe^_Dk?nbp(Z!AxPDep zf|HzNJDlQs($m$xs0$9^K5YBY+a(Z=PVoFEx_CX_*5SrO)AxMiF;m@Ik-;Yq^0`yq zNZkf(0*N6a_4*?hb@;!1+34D>xh6tyr|Q(lY$*Ha`+V>cet+=N1SPun&J7F;P?B=l zyPG{Sf6|`ny|JKYnU;bI;3Pzhl6FTzsF_tm84v#9n{~hdK>81XRpW5xa6lljRI?R8 zWe}Y|Vq3e2XT`uCkw8|gj)yRXvMq#75k^vJfoIyR5wnTMXcu1}#lfCPVrmcg?|N}D zUd^29d0O#qNn(xEv|9Lm=Bf!%A#h!hI)W$aWnXT5#EGV2XP@bYFns7~l{O&X^DSYO zIbc}k2B90fXP^2eD@F^Z;5QJ|aQ!XXjnu;!)p1ZE^jxODZe?nXJmrljuI|p|qW7*9 z_xJP9`pAY0jAiLl{xCGS^MC)VuCIWKV`*MT0v*gF_$? z+}+)R1t$<3{!QNd-5c&b|LoawW@qZ@>Y1*dsqLnPbiLVuOP=4oa+T#pus-trjbReD39 z4QVJAwn(utUE8sxBrNu%uhaWyufG&Q-=Wto-vBhs$Zu z07gg;wm+C~()mi`2)JBd3e_=h)850F$&xSt@CeNkg-Hm9;Yy(*pU6=;lfkE&reZ-! znY^7AvyBzBYwMFjzLjQz}`=o$>O(s{f1!N8-?um3~EW3a@uQxp&@$0?;rTYY-c~J2?Y%~+Lg3e4QcsK7XvrT z>Uxjem>7$~!dOo$B@SW*n)K$;V!*r%xVp-)S}i6gfwF@fxBUu0jsvJu8riD5*wc%| zQHcWe9~3Q&fIV)Ud_698e`c%&}zUP%H?tY6o}EYK_tY&lr^c@sC};D`75;%ZPnV~940IuX}6FlIwH z%(U7OR04V@9l^2vUfanGcuAhqLKGqhqpbG7aq=c!x;AN65@N!~X>>e5DWS+JgdNmk zAqqSVg`>hubB-ns^S2*nT@0jp%WLk$D9(7}9iC5M@a&LNwX%p!v7kk40T~L;1o5HE z6xK^RWiraZT5+?+D_@pBpi}81A%}&@E=8C}b zLZu1x^d8}t-r$$Yn)6Q}8y*7L@c+EQ+$|&^M-C3aP6;#`=YOI(S4nSAHiGTj$!co* z)lfDb+u(gTsUk&C=Wu6L!1q z;ttc!71A(Uk1miuR-`%PD;@in^!;~0#-~Prbv*S71Y);x<7H&WZU|KqUPvvye0dGW zc_!(Igc#OJa$(BCT(KP?T2CBi>rxa`^VYW6&*}We$Fx&V>TfXtnvKi(<`o$iJ*w{@ zr&ZOZUda$zuvQlkTezN>=5O*QNe)iuh~w^OL&A^|xulLF~a zh@mto`2@$LKB#A!s^sFCsVqnA%!$k@33^WmNyt*Zr~@@a?q}k$o@C9@^hp-Yk*GNq z*nUK1Y4_1ADpv_+>nL7fGeR?r2ZM+jM1FBSLdI{~%l$6bG_9=@0~APyiuqlm6s0~( z7+mvJY6SNYeUwHwouTIoLNIkvm&|+;-b+Ryv?ZFyxWyha`GCS&TSvhrg*CYE@Y1x| zt+wtvL8e^^GHvePe{^!U2m#3&e;M}NqzV^K^^mWK(-3?#+Z&Wf*fGl#217Qnt$sFp zbD8N&{5jtoYh5)#EmDOMbU!6A;;ACo}ScKX5n9kMNC`cMrp(}0^h+j17?D758W-2eLgFm!eSpg!y5WR~+%GWGYoUS}iEw+5p zmb&2;$r6PQq7~>3jkZ9fpSSf@9{!1ncW96Dz>AwfYr6^H9bMaTXR(zGWxyq3UM6Z1 zoaT=6v^a`@6^GxZVO@zT`|#BaH}YBV5kSbWPtYyhG&e~i6$jN&HTFmX`>wyUZHWt7 zK=(JG9h7C-fmDJXactrAH_lk7F)N7o?eeL@;i zD#=)PvHEF%Wzld*&n2xfu}rv8TDG9*V7pQ9H+8VDH1?u;V%94A4*>&c^-SZLB>vC` zjQkQ?=-y+b4&&~nbA{{_z3ojbOj&Pu+r#JLcu)cTEcXGlKkG2vXboQ%z#m}QH?isT z5he!jL9Fyb-YQOZo+MD1HPW=+8@bb)lIjv#XqL7CEGtWr%s@WhTRQY=?>c&jDqm;t*Am+E@fR< zUFq{Y2cYSK;=;(#QQ-~t1Fs+5Whe1Q9NMYvD-p7uBY{kQk8#0NpOY2ghYkqGXeA-G zg|kiLZn4pBDzTq+>QkAlrg*Jdi1zd+2%*WKkZWU(Blt(42lm>yq?l8ow)K4E(sEH1;Z|IIy%h)p^ z_>I8j2E0qz37FgAL#JknhELvHS`Iu)=ov435QZ1CBO0unM0YppU?AW}Z}~pSNJ0@+ zQ-6&-W&ls{O*QfA5v!VpDH`sq2C=!GD@mNQ_Up~9ug@!>?gPvV&Q2#eg_UpCm zxs3=&Ry$TiS3wc zK4YeM6+tER{f0o`?9+JIrhK6$|OJ+`f3g+r>@dmILQ%^D3!;?O7r=*PEDub3s)s z!tn?qc6lt_ZC$}$q)^k|>Lo-$`dEwVlewm&4WxBvJC(tv=GIOKsRacKwk3B_Xg>w4 zXrlq&O)qz4Coh~OSJ0f6$Y=#r+xMm79X|8k>iHHeOiKM9B=tcL2fo%MYIOw`iVKc_ z+dU2a5(fn^ zx(dAd65aWnm+C>-WDUcYZ79Uc?lS z%y0zlbb4aDzPF2?sa;}nZe2f*XjdBFo2fJ*u;tW`k8F%Gr@$xD;#?qQypaqdARfS> z*iBLeu8MA!HX}|N;<_YRCr@K%IC&Fl%H$Rv%Z&2`?)C%L%E&!2XVMAwm_9U?`SY0G zk&3^l^LG?&`DB4hoTkBTXg|87h$cGwsonuNaG)Y;8r$o<(=1nP@`I9iRaR9^SD`t1 z{esUj0k-lA#3GBr8L{hZtKnjbO3?YnZM-O$Uc4xI3L98xiyTxcmPV3UCk-J&=3Gp9 zm>5MIEELxT6J^+rn0Uvg0cj=wruDw_nafB8*|rbJw*PTC7q_thS?cS*oX)2cyC%^C zLo#^@m_XS3fFy9y0oVWrQXRHl(@^nsrUKmFsb4Q=`m=8t%s%H(XbREocigz!Eyvo?#79%lYmSrt^ly#Pr2f!Xl+E(&i0^Y!VUhWbv?Y6Av40 z!tfDgnL37ZH34mYQAVZat#i|Jli54M*gmhlLT&WLcv`!fidLP z99l;sJzN=lQN4wNRNUSTSM!j;GIUkW3UpX;`PH0in|IeJbP>UM7-0EOJ$$_=sUBB1 zpTJ9ykg#xR5OX4vmugmEmrQ9Dyrt{)RB22!U59FJO96<%z7`OsAn>{ECUGbuitH<= z-fEscPVVCO3DYEJ@bJ0NK$1fYKNGxXOx~HfJ%kE90En<(&L0=kccl>Y-sQkHh%U1N z#vH!1J|f8$&3{Q*|I}!=_^!Bor45nIki^UoH;%J{#rEenZPWk_H;7@RqY0s!&#A`w zFru2794vrHM6o-MHN^7g7BQ{F-fm-@7JFSpwJ*Bx z8owthgJ*(~n_Ns=1XHx2iM81nE{^PC{^ z4*J6#R#`3Ub$LU+xl&$S8R(hf{!_lJM7s1CS=j*a34tOqSh0~d0u7U>gc-*3Rggdg z!#qp(ef&0`tS^|H04Az#Y?M2!%rTa|6h)I`7>DAw6qeA|B=#t)6>5H*9i&qe%J@4h7;N&;K zSLu7WHMWS2sS@j&Wt^iQ9%&5I>fsWluT{9AMvRX5Up}8(U?@JpfNZ!GG=anR_XLj6 zH&mcNB@zIt>7$Fvin5`t`n5UB2Wbvg(q*&}qMz;op>DKIyN&F3!na#dR6;i}H&VFc zc8jJ#kXBRK#MhapzI&O=>j3|!SB_xwl34s)&I^MD*4uE|x}doW6lZ3?gZ^sRbnoq8 zL-(#cDedFCDgHK`Yr!j#ONgIIt($KksYP#>vUvcbHzRSdAtrfbN>|3Hb#*uTvPy2R zP$h_n8$ajawUASW2JF3lwSFADT@x?%j&!tKv8V}dOxyRs$M)mRzR6Ko;wSyn>?ox! zq+o)UFWR@xGxnKi7yhoeiKy0vI%7SknxecR=0>T?vR5{3N_!aTYVJ<_>Pf8q}Cn4C@8()50ZE>3$>weB7 zWB3NA`RF#Y;K0dvgjo}p7=mTwkp8o|6#&8aJ;x^~&GFO2H@M}fj8;vCRp@ILtn&?d zgN-3F$ht0o*6X_(!+q2f}Y1GR-Xa&3S(i?#|=0*uafQ;w5%bED=@&;5ZUqqix(T1h*3)S1oX&XRK$8G#00+ zz#mu+gaLc78DeDKvJZ}7778kEH92MMP_g-{c1K#dNFsUY*w+LDpAnSh za3LW7;Sh@kvr5?nS&BVq%0>8ZO951q02I{FMNs_e2C0nd-oT=qBcQ4zQlh}-l7*8M z6=`7ThB$9XAYgwJnlrLp*jBy_hY$AibZ>B~q;YC;&ju zYVAo?1X$4B*G4yw#jTxMee*PJCp~hD<~GZNmO!)Jlq}VVJMmIEd<7yS#)Y7J%^$HFNB1*&-wu%$_=jm>tXSHgD zTc0I{tc&VDw#MBS7e!(7LfKck%mXm)NpOBFhPiB78_P5zdFA^9GaJQT#{Fyg$)}l`OgO-~B<7cW zbaQAet-feyEkq}vWSympMr!^NGT-5ER!)9F9h8pd?6Dpi4|;x zk7er-fT!~d;1qVY$fS&|VV?k8?J!!{wi9cPD!e{vA2))hqZ#2qtXd9(Yfu;Q5f zVi)$thfupJfH|H`Vk<2K59>Ltjz>X5pDZpICqqXMnI7;*BHLeiYzHXCnu|a| zmnw9>=-2)i4+;%nGO;ysammv0GEACnc+MKRP-yqH4FD@(Kt&sr1tS&Jh7gC60ShwJ z?jgOEh7L{VVMpDHm3wEMH&+B@V`IfRYkepQR zJ-#gy;xQu{;y(~SvesyO8MQ~~HmEWpAnI5ex1cpko8Oq$TnwQ#s2+-mAJ?jL4$JE> zxmmj=kYeu{HRx>tF+(fVyX9t6%6(O9Rh9a1dD|3So4tito%zj$USyqOU>Iw7CH#+V5fZE@5p z7oWDRe+OP=m5ZM>{rf!vRF?Rbf@-xcPQmjM`& z`(6Q-MY*!}-=QGFY)3&>B~D$vx~`Rus=VA&L?Uc$T%2@^RF3bUn<9X%L>3SF?qNJd z=zySlk))(D@5GgSRbQU4(UqtGam;wkEK=7{IG7jQw%eY=K^=t?sJogCqITs&?OaLZ zD8m$BF1nd$tgG*W8;3VXwl?vcZ{M*dcN@hPc!FH)+I-7EaNsdV zZEy$ti4n$J8}J}c=jynAINn`f5KmnbNoOYhwU4s_9jYu^09HBDHKnG?AehKv*UAha zP?KG$37K=QF2V^WUnRSd-!yD7#`+}ZIVal{E?T-5ZFZcPge(P4Eyg_)5!-Z(0S6xC zT$SxCo>Z&+Q(naRut|U>QKRrSyXMFu`IYgOYE zyzFcW9U7f!s*4TNClqaZ=&){%YH@^sSgF}lz7pnvo+UED%4RY`C(KeEPSfHG^Ti@? zA+;WfL8~dmapey~UZSoDKJ!&yi8^PVsz&g3B_0v^5EdV7%}rZ*YMsY%AG!v+EMOg; z5D-Zd$2cg)oWsCd$k9yC7-?jH%?xPpi=%uvwGuv9X+O@^l>4(|1In9@b5TM7Y2K_U ze3?%^XO711W!mTVhYRiRvZijp@fm07ty_=F#0T2C?;)9J)QYRj;Hb4TSD7T(#HWQ^ zhDw}g5jnV*YqTdbaoHhzDT4~cX{+xt1=;U-_UOhCLc4f#1!N-AO2lul;zvKikMv1P z)u(f&h@RF!P$+0QGaU5`A$V*8>=6u<3w+KgjWyS?QX!4)R{G*!%T*<;VzmcW!@!Go}TeGbA_~&z;*hPP4n1|db7FKc{&-PDe0|q>Wcl~>V=owNdmJrpjPQ8x{@qb zzbrZiLP@I5g+z-Ms^4JZ{WpK(VtuV)YfOV4p*iu0mLbOJ;WP*<%an?%@A;F`Gl?)s zQ`^wR(kwIiwNjSzK^JCn?PM?vyrl%^@kdSH$}c`q8UXJZZ~035$uE$$+9<=4>YreE zNJ<%Ri+!V#b+K;LMJ_b^0N~Y8OI*m>EH2@0n(O!CUe_wK0_HNQzWi1euhhEvk5j}U z*#yIA+Mde?68m=|5Y?;;Cf}5R5>k*u6y#5Ib!@FO+{QX@056g#*ORFcZ?i)T2BuR4 zrsD*mwo(Mj$;RFh(7(2T%!UY05uk3;y=WuYrRu#)`iv`G(Wu@-QpYH%I!Grq5H!!&S+GLys7o@19#!_bJ4~alt;ls@_wi zrKLX+TZ3zc0U@|M!P6+WsE8%851+(=hj;pDqGv0>vdz(hWlfW((s{`h!DB;FOuzP9 zbDQnJwT9#orY&B651>n$XGUj%0InaRlLgbx0U_8*kz+w`VWkh<#yq?iC&!w3)h>(c zQ4L~_*H_HnaFAX$0gf^Q+n}T6@$(YO&e|th&a#!yMHMrNT04+ge3lF~p$2R;lewqo zUO|yO%hSFz=h=^&Olen(Is9S)TXh0=dx%JiFuo8t)^^N1@mEtj0?ztMqlhz_d1km_27%Sl}n7d<@LVzWPoc7+Gf(MD0dKb{`;lF*j|aZ?B0D z?+0JYA}9~Qi}wzQ8iTGAnEiAUUIaO#_J=DaT+_QNgjlrYP`D+tW_4m%uf5v_?iMPONsu%_`_@8q~w z8+aJbhX}39w(&w6^AU3>;p|Tzhr80yWvn!O`mlcjFl;5R4jYvw*iyV>f|dAJY%OjE zjH*4-b}bV0a+0{o6h7RY!jTsA#zGai%Y6qgLTd{`kYq1V>j)C2EU9|{fbAK{K5Qnn!E_iawn{!~jqBoNMAw?5o-4X#S>g|N8yX`GQ>7`_0%y+kdr z?ZZb!1e`+@O32bl5rLkoYUd;KXO`!i+`T!B?{~bTBLz4f$j%wwhFr;lahWCq=mY_7 zklo*XSlT{T1fHg#BJK3EBv!*Vt@|MsK*D?@1aJ;v`w|z}2qgO}arY6#mpo)Y1lmUn zzE2RunJ?7t=XM?J&iv`Ioe9AcmgJ8dF@D?^j90zB91}s&oDB)&=ydI{_||1FU-gqO z3967ry*_mP>__T7-KY;yIuq42#;9v{v6~NCA;#ggrK_c|Vw@%P)?(mi zl}gWV{Z>l_-ureiTQO;Lu3CG02bJ(Ok!ZD4d`H=xqI*(x$DB(`CmRixW~X%a?zU^0 zn)S&?i24{+Se~JMDtd0{O-rUmyciu?#SUPnYh|t5vLYm<%g&a7T5iA@7f*|noG~WU z+;VO_MEweV)PuP%j&9#2S=>$4w`wjB$>>R>wFR>fNxV(>5Sc`5i2oFAewi;3+L_|C zz=S?Y7h(xiJ&H%DQNu$`R9K+oM@ew6A4Y1{J&{x=5|hvVcG|tb$egdH-`{Y-WDiI( z*rvJ_v`-e^a=%45iDz%7rw%*#XxxE+J2M%_FOA#k}BxY34mX6DQVtB%@gr&_uW$SRRMVh+n$BUtx?-_R65t)Cz$Lwd3novIYirS|^ zHBqW-q%OhDboBkPw1T;;2E*7jiXUPzPeL1Nf6~T2Z9;Lt@z^!M7j#Z9U zGKi_uOh897$eUAk1-iJaobH-DZR^@BsLrH0yz4Vdi$jayhV!Y3 zzrj0!hAxB8F6qzM03h8)Rfnr7cNWUf zoiP>JWXipk^5`k0-yQc&p^g3&g%l`#N0PE_7ZTN+zEEY%pXwtV+hIh2zw#*57DUVz zD=doYFaBBYgb(%9I+k;$C~EB@ANn<(cXLyb(_Fj^A0V3qzUiXxhV?1d#fDa8{9~@- zF0zzxrxNZ(i}Nc$8~|Y0c(dd65RKQ&B1hCU9`RtW`xDJS?}v)nyzS4}><;;Z+qfQS zi)sU>u>>bF%56dKcV?SeIBRktSq#4GUt#!ApCb-n$ovRL0uZ2uX0`!y;w7Kr(|pnP z&;pc90{iytwV3m|r{gerMy+M3x!8Tv`aCY4hGj-n_U+25rvVXNr-(k@Q1m_%JrhgX zr~2wo&~3N$TFHdn#g~zYy%CWWeeCBX&h$9$8QkinZ~de2TCm)%o}!)H&4{TKwMayX z@Au7sPlSpc(fR9i`!%?i8k}qWXlvVYADsw=W@>7}m()LvJ-|LID&6xcuDDmAK0!Qx zbaJ44ilVMmwg=Gq$E;gMrLYM7ELwN}@C0!E0zQX#GL2)l(c}yt>JGDd-KtcY-~xEe z=9a>Cc)PdToLW-q>)h7XzI8*U)zJD?@EpZm3!~X$*7MSBQzpssiOAM&sDmz{BD=2u zmY|ah%O5`e1MraXaXu%c@}cnyekBY#hux!?)%>*S~s$IABVm2ZT_E)%2NZ&bdw^JRaoj-@^+ z_Y?3-?id6t5As0dv?nU&MUo2MQWX0mj$2{u-&mk15grtL0LafkYaGpjmlrq+E}mww zQCHHPZ9LD6nLeR2;tym_KPLdQZnrD=hf&;%9fV{A7p<@09mgz>_WKmqSWlRm-;Ent z`|s1Z3&OOXp6{yjx}-7AE=gTJe4^|c1b+C&Y&mbiA{40nMeI;}_{qARw&2L*Xs<4= z?$i)~)O&2+5tf;CRPC109Q$~cN!pxUWrkei@b z0;5fy=m`b`r6Qo1-4D)U05b8LdSHp!D7>xIJ@rtioG~(tF0mc(9EHN1fg_#pg_CCa#!bzjo7{dr) zah~ZZP`#z5qR!9HJhL&~tQmxTp6JAH+n|$+-EaHuAvf^5413n> zvFMnxX{!&3>)b!8O{}n%-{0*Pw!IZDCWX%Ef-}tX;+OtjdJ-fk^0Py z-0y2{sA)As)^p#n7Us5OhW6e9$S|dRFXPtM1rt&TfsH~x7;Kb9Ytl3x#Cw&pQdC*? zQ!DI5qJkxD%NLMi&h0x0thC@$><}%~3Q}k%|(Pm-ON9Vq$rk z+*6z*r^N-<_+crIw9x(~fRoP()0w>wPE9^w7ybsK%L+;Aj2-Q>$drtr@Nn$>L=*%j zu_wQ!r|@fQp6DQWqJfeVf)IC4PdT|=M)Gj;d}t+ z_7b*Z<@d~^Fu}9mREUjbLb71}XardtD!kPg$&V)lp775w^LE(Fg;(Zzj_RZ z3AvRZ$M_xLZI$+1tqJWmT7eQF3hr>3r(8Fky^SY6Es{<1I~jW@m!pKC1N9Y#RtQYU zZD;X}HAxp8>SVnXIzY)dWJ@xa?Xj{Z(~#6>F^YzQBRz+oGpR;=9TM(Ic1e{w$pYeI zXXNLyXG4Sr$Yo4AExcJck3x3$BR)a4E6jHfZ3zl?i0v05jaN|U={2>D_L2J;zQ!n! zTz3kp(Aik7u6MY%Av$k`ep-%4P!cE=g|g$qD;}5-1BM#UQUUI;Ncr1&xpC!SYyF(~ zt8a<7?#_yT?Fa|rwa4Y=T!7`ulfowRS5s-`Qp};G>5H7b7RBhsC_j0#ib9T2PAhqu zTWo>(A@KYgojXl)>@V`TM{CN1KJ&C^#89uGi|6_T)3V zvv|4^YA9-QfWuRU$__6%XkMCUbxYqyr`aB1$k8O-n|nWOF@KbTg&3KmfS50yxX7EB zJvZzC;@GJz3W!>jC@I!pI=wg8MBQOGQl^RF-8_o=n}fu`G5 zcjOb^cpu82qEikG0})H<7dUwd(Trm-x<#X5&l&62l2`&?_t%Ss?(@uU^AVr~jgMNy zpVFOVy%WQ)JKONI92lH=BYno;;;1cc|GLXZUyNh%lMk*>aUzn>PC2JuE&OZ7%4hPH z=rDWl2mmjMO({Mq1xgXN)0}ythF7=u3LsN9 zbC>D51eD%UFK1sz(pDBl$@nLfW48$p9cFMz96%-~gAii8!y9W9WfMcs7kMFE_=v_x zX&uHLnwC1IEeawr(?0N+*{ZJ5ID=D>VnH9-K#IrJ#OiT%1Bsb`^qW?aE`H0JQq|I+ zDYg!V6m{veWLQr?{;7%nxrfh*Yxmcp+AVB;t5heX&Q|5YpC>V7IXm2Ic}(QYsN6Ia z;sB57$Dd%UmH0|egspQEtg92aiAC$=Wj;{v01A;^@UrvxrX#dJt3+cLU}0fF5+b1QKN}8c*VxU<)|AoN%*4#f(Ur;3*}>7w z+11L-gSH2>DB^vK;s;3@{9!iW?@- zU^ zp@I+;P4UN;1=@FTw)j6CzbgSh3y=3pr1P(H7S2Ydwq}2dAfx{}|MzzEE6o$bzpF{c zqd?CEia%n82LogLTlUuuF*xvimV^4&)&F%zHHk`k3qWUPL0|G;B7bkW(7*r&Okg`K z%6}BhJDav6gQor8fG&ySZ@{meV3@x^a6r0w!ao%q!tL5NfHG6X5rTn{zQF9j{e^)A zM$IF<0yRiADK6qaB8xbGpI@5C|FcY5@51gjPyloUNSgg00BCOz_cvykjO0I+&-ytC z=?$uUD5&x;@6H?v2!szzTfqHO3DsslD2pv9S`lP$psC$IwhVHRJOe0w$p6d;VUZM6 zxA+1qe+0H>k;k@IRn`at-{uIhfx41}Uz<0LLuhxZf=jQ>S}X|^DFT;S0v?JtGcYro2P>jd0PA^>Wy5&Sxq;g1W9 zTl?Lf&cBb3`6K_k{J-f6f8~06QND`nZ_MlU7dG&Mtm=h)o;OII9B8$U_-Fn9ri=nL z<;(iV`23ddSSP0X<1zAr`Q}CW+`#j-|50Q8j|T_oKNj$UWaI^wA@H}Z#~A$ofL@Rc zya2_7{s#Tnp!@TJUMviMAukpIk{1RleS6V>FP6W(kZ+9tT|RT>e=GH3z0nI$J@7Z^ zO$jt;`4QH?mAzQZ@dDS8@;9z>3-iwldJz`?0yCTbH%6ui_20T)1Yf_vO=tXtL;KI& zei7CB5|sTH2obox{i1>|q6lALdh>o`guY?@c|k8?$zI446#kY6R1^LCVqV1Dyuj#| zfG}i0_#K2lb^JYE0dhEAb{nzJz_T8jzn|qcJHPs6a2GIs2jnNUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if "%ERRORLEVEL%" == "0" goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -35,7 +38,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% @@ -45,28 +48,13 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000000..40ebe1b3ea --- /dev/null +++ b/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'opendistro-security' diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/WebhookSink.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/WebhookSink.java index 16df66e543..a97f845e6f 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/WebhookSink.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/WebhookSink.java @@ -179,7 +179,7 @@ protected String formatText(AuditMessage msg) { * The default implementation returns *

 	 * {
-	 *   "text": ""
+ 	 *	 "text": "<AuditMessage#toText>"
 	 * }
 	 * 
*

diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthenticationBackend.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthenticationBackend.java index d95bbc18a8..d98a1d706c 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthenticationBackend.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthenticationBackend.java @@ -37,19 +37,19 @@ /** * Open Distro Security custom authentication backends need to implement this interface. - *

+ *

* Authentication backends verify {@link AuthCredentials} and, if successfully verified, return a {@link User}. - *

+ *

* Implementation classes must provide a public constructor - *

+ *

* {@code public MyHTTPAuthenticator(org.elasticsearch.common.settings.Settings settings, java.nio.file.Path configPath)} - *

+ *

* The constructor should not throw any exception in case of an initialization problem. * Instead catch all exceptions and log a appropriate error message. A logger can be instantiated like: - *

+ *

* {@code private final Logger log = LogManager.getLogger(this.getClass());} * - *

+ *

*/ public interface AuthenticationBackend { @@ -61,10 +61,10 @@ public interface AuthenticationBackend { /** * Validate credentials and return an authenticated user (or throw an ElasticsearchSecurityException) - *

+ *

* Results of this method are normally cached so that we not need to query the backend for every authentication attempt. - *

- * @param The credentials to be validated, never null + *

+ * @param credentials to be validated, never null * @return the authenticated User, never null * @throws ElasticsearchSecurityException in case an authentication failure * (when credentials are incorrect, the user does not exist or the backend is not reachable) diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthorizationBackend.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthorizationBackend.java index 67871e512c..b646afe443 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthorizationBackend.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/AuthorizationBackend.java @@ -37,19 +37,19 @@ /** * Open Distro Security custom authorization backends need to implement this interface. - *

+ *

* Authorization backends populate a prior authenticated {@link User} with backend roles who's the user is a member of. - *

+ *

* Implementation classes must provide a public constructor - *

+ *

* {@code public MyHTTPAuthenticator(org.elasticsearch.common.settings.Settings settings, java.nio.file.Path configPath)} - *

+ *

* The constructor should not throw any exception in case of an initialization problem. * Instead catch all exceptions and log a appropriate error message. A logger can be instantiated like: - *

+ *

* {@code private final Logger log = LogManager.getLogger(this.getClass());} * - *

+ *

*/ public interface AuthorizationBackend { @@ -61,7 +61,7 @@ public interface AuthorizationBackend { /** * Populate a {@link User} with backend roles. This method will not be called for cached users. - *

+ *

* Add them by calling either {@code user.addRole()} or {@code user.addRoles()} *

* @param user The authenticated user to populate with backend roles, never null diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/BackendRegistry.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/BackendRegistry.java index 1d9ae51e29..aea6d79117 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/BackendRegistry.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/BackendRegistry.java @@ -569,8 +569,9 @@ private void notifyIpAuthFailureListeners(InetAddress remoteAddress, AuthCredent * no auditlog, throw no exception, does also authz for all authorizers * * @param cache - * @param ac - * @param authDomain + * @param user + * @param authenticationBackend + * @param authorizers * @return null if user cannot b authenticated */ private User checkExistsAndAuthz(final Cache cache, final User user, final AuthenticationBackend authenticationBackend, @@ -648,8 +649,10 @@ private void authz(User authenticatedUser, Cache> roleCache, f * no auditlog, throw no exception, does also authz for all authorizers * * @param cache + * @param roleCache * @param ac - * @param authDomain + * @param authBackend + * @param authorizers * @return null if user cannot b authenticated */ private User authcz(final Cache cache, Cache> roleCache, final AuthCredentials ac, diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/HTTPAuthenticator.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/HTTPAuthenticator.java index 937a82746d..c9b3658e32 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/HTTPAuthenticator.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/auth/HTTPAuthenticator.java @@ -39,19 +39,19 @@ /** * Open Distro Security custom HTTP authenticators need to implement this interface. - *

+ *

* A HTTP authenticator extracts {@link AuthCredentials} from a {@link RestRequest} - *

+ *

* * Implementation classes must provide a public constructor - *

+ *

* {@code public MyHTTPAuthenticator(org.elasticsearch.common.settings.Settings settings, java.nio.file.Path configPath)} - *

+ *

* The constructor should not throw any exception in case of an initialization problem. * Instead catch all exceptions and log a appropriate error message. A logger can be instantiated like: - *

+ *

* {@code private final Logger log = LogManager.getLogger(this.getClass());} - *

+ *

*/ public interface HTTPAuthenticator { diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/ConfigurationChangeListener.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/ConfigurationChangeListener.java index c5d5420c21..031798f259 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/ConfigurationChangeListener.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/configuration/ConfigurationChangeListener.java @@ -41,7 +41,7 @@ public interface ConfigurationChangeListener { /** - * @param configuration not null updated configuration on that was subscribe current listener + * @param typeToConfig not null updated configuration on that was subscribe current listener */ void onChange(Map> typeToConfig); } diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/NodesDnApiAction.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/NodesDnApiAction.java index 805b50434a..e7ecf2717d 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/NodesDnApiAction.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/NodesDnApiAction.java @@ -55,7 +55,6 @@ * For existing clusters, {@link com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin} tool can * be used to populate the index. * - * See {@link com.amazon.opendistroforelasticsearch.security.dlic.rest.api.NodesDnApiTest} for usage examples. */ public class NodesDnApiAction extends PatchableResourceApiAction { public static final String STATIC_ES_YML_NODES_DN = "STATIC_ES_YML_NODES_DN"; diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/filter/OpenDistroSecurityRestFilter.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/filter/OpenDistroSecurityRestFilter.java index 6b033df873..3a201733c4 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/filter/OpenDistroSecurityRestFilter.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/filter/OpenDistroSecurityRestFilter.java @@ -40,6 +40,7 @@ import org.apache.logging.log4j.Logger; import org.elasticsearch.ElasticsearchException; import org.elasticsearch.client.node.NodeClient; +import org.elasticsearch.client.Request; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.rest.BytesRestResponse; @@ -97,7 +98,7 @@ public OpenDistroSecurityRestFilter(final BackendRegistry registry, final AuditL * The whitelisting check works as follows: * If whitelisting is not enabled, then requests are handled normally. * If whitelisting is enabled, then SuperAdmin is allowed access to all APIs, regardless of what is currently whitelisted. - * If whitelisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are whitelisted in {@link #requests} + * If whitelisting is enabled, then Non-SuperAdmin is allowed to access only those APIs that are whitelisted in {@link Request} * For example: if whitelisting is enabled and requests = ["/_cat/nodes"], then SuperAdmin can access all APIs, but non SuperAdmin * can only access "/_cat/nodes" * Further note: Some APIs are only accessible by SuperAdmin, regardless of whitelisting. For example: /_opendistro/_security/api/whitelist is only accessible by SuperAdmin. diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/DefaultOpenDistroSecurityKeyStore.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/DefaultOpenDistroSecurityKeyStore.java index 6328ceab4a..2a058ef8f3 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/DefaultOpenDistroSecurityKeyStore.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/DefaultOpenDistroSecurityKeyStore.java @@ -565,7 +565,6 @@ private void validateNewCerts(final X509Certificate[] currentX509Certs, final X5 * @param currentX509Certs Array of current X509Certificates. * @param newX509Certs Array of new X509Certificates. * @return true if all Issuer DN and Subject DN pairs match; false otherwise. - * @throws Exception if certificate is invalid. */ private boolean hasValidDNs(final X509Certificate[] currentX509Certs, final X509Certificate[] newX509Certs) { @@ -599,7 +598,6 @@ private boolean hasValidDNs(final X509Certificate[] currentX509Certs, final X509 * @param currentX509Certs Array of current X509Certificates. * @param newX509Certs Array of new X509Certificates. * @return true if all of the new certificates expire after the currentX509 certificates. - * @throws Exception if certificate is invalid. */ private boolean hasValidExpiryDates(final X509Certificate[] currentX509Certs, final X509Certificate[] newX509Certs) { diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/user/AuthCredentials.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/user/AuthCredentials.java index b3eae45f1c..faa73894fc 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/user/AuthCredentials.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/user/AuthCredentials.java @@ -211,7 +211,7 @@ public boolean isComplete() { /** * If the credentials are complete and no further roundtrips with the originator are due * then this method must be called so that the authentication flow can proceed. - *

+ *

* If this credentials are already marked a complete then a call to this method does nothing. * * @return this diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/user/User.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/user/User.java index c04f8de536..3164bc1520 100644 --- a/src/main/java/com/amazon/opendistroforelasticsearch/security/user/User.java +++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/user/User.java @@ -48,7 +48,7 @@ /** * A authenticated user and attributes associated to them (like roles, tenant, custom attributes) - *

+ *

* Do not subclass from this class! * */ @@ -158,7 +158,7 @@ public final boolean isUserInRole(final String role) { /** * Associate this user with a set of backend roles * - * @param roles The backend roles + * @param attributes The backend roles */ public final void addAttributes(final Map attributes) { if(attributes != null) { diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/AggregationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/AggregationTests.java index 014a49bffb..610f181cd2 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/AggregationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/AggregationTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions; @@ -45,7 +47,10 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class AggregationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ConfigTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ConfigTests.java index aa187012e1..515cca588e 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ConfigTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ConfigTests.java @@ -19,6 +19,8 @@ import java.io.File; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.commons.io.FileUtils; import org.elasticsearch.common.Strings; import org.elasticsearch.common.collect.Tuple; @@ -43,7 +45,10 @@ import com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleMappingsV7; import com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7; import com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.TenantV7; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class ConfigTests { private static final ObjectMapper YAML = new ObjectMapper(new YAMLFactory()); diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/EncryptionInTransitMigrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/EncryptionInTransitMigrationTests.java index 00396786c5..f9e1eaa6db 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/EncryptionInTransitMigrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/EncryptionInTransitMigrationTests.java @@ -18,11 +18,16 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.common.settings.Settings; import org.junit.Assert; import org.junit.Test; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class EncryptionInTransitMigrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/HealthTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/HealthTests.java index 2d70f4b7c0..96d9ce5ebd 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/HealthTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/HealthTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.common.settings.Settings; import org.junit.Assert; @@ -39,7 +41,10 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class HealthTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/HttpIntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/HttpIntegrationTests.java index d8a477de79..151e25ef38 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/HttpIntegrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/HttpIntegrationTests.java @@ -33,6 +33,8 @@ import java.io.File; import java.nio.charset.StandardCharsets; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import com.fasterxml.jackson.databind.JsonNode; import org.apache.commons.io.FileUtils; import org.apache.http.HttpStatus; @@ -60,10 +62,13 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; import static com.amazon.opendistroforelasticsearch.security.DefaultObjectMapper.readTree; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class HttpIntegrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java index d9758a7226..a3fc4099f7 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/IndexIntegrationTests.java @@ -35,6 +35,8 @@ import java.util.Date; import java.util.TimeZone; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions; @@ -59,9 +61,12 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; import static com.amazon.opendistroforelasticsearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_ADVANCED_MODULES_ENABLED; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class IndexIntegrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/InitializationIntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/InitializationIntegrationTests.java index 51e80f4969..e9ee10ee0e 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/InitializationIntegrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/InitializationIntegrationTests.java @@ -33,6 +33,8 @@ import java.io.File; import java.util.Iterator; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.Header; import org.apache.http.HttpStatus; import org.apache.http.client.methods.HttpGet; @@ -60,7 +62,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class InitializationIntegrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/IntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/IntegrationTests.java index bbb59fab68..17caa62b63 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/IntegrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/IntegrationTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import com.fasterxml.jackson.databind.JsonNode; import io.netty.handler.ssl.OpenSsl; @@ -68,23 +70,17 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; import static com.amazon.opendistroforelasticsearch.security.DefaultObjectMapper.readTree; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class IntegrationTests extends SingleClusterTest { @Test public void testSearchScroll() throws Exception { - Thread.setDefaultUncaughtExceptionHandler(new UncaughtExceptionHandler() { - - @Override - public void uncaughtException(Thread t, Throwable e) { - e.printStackTrace(); - - } - }); - final Settings settings = Settings.builder() .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityAdminInvalidConfigsTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityAdminInvalidConfigsTests.java index 0199c4157e..7c8950c0db 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityAdminInvalidConfigsTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityAdminInvalidConfigsTests.java @@ -34,6 +34,8 @@ import java.util.ArrayList; import java.util.List; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.junit.Assert; import org.junit.Test; @@ -42,7 +44,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class OpendistroSecurityAdminInvalidConfigsTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityRolesTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityRolesTests.java index c347bc0355..e88463341f 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityRolesTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/OpendistroSecurityRolesTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.apache.http.message.BasicHeader; import org.elasticsearch.common.settings.Settings; @@ -41,7 +43,10 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class OpendistroSecurityRolesTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminMigrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminMigrationTests.java index a4465f1853..cce2c1ed55 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminMigrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminMigrationTests.java @@ -21,6 +21,8 @@ import java.util.ArrayList; import java.util.List; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.common.settings.Settings; import org.junit.Assert; @@ -33,7 +35,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; import com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SecurityAdminMigrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminTests.java index 86988433fe..3974014ef8 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/SecurityAdminTests.java @@ -21,6 +21,8 @@ import java.util.ArrayList; import java.util.List; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.common.settings.Settings; import org.junit.Assert; @@ -33,7 +35,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; import com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SecurityAdminTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/SlowIntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/SlowIntegrationTests.java index b18cccecb1..fee9931835 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/SlowIntegrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/SlowIntegrationTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest; import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest; import org.elasticsearch.cluster.health.ClusterHealthStatus; @@ -46,7 +48,10 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.cluster.ClusterConfiguration; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SlowIntegrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/SnapshotRestoreTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/SnapshotRestoreTests.java index b97067c3ea..cd03cc61ee 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/SnapshotRestoreTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/SnapshotRestoreTests.java @@ -33,6 +33,8 @@ import java.util.Arrays; import java.util.Collection; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.cluster.repositories.put.PutRepositoryRequest; import org.elasticsearch.action.admin.cluster.snapshots.create.CreateSnapshotRequest; @@ -44,9 +46,6 @@ import org.junit.Assert; import org.junit.Test; import org.junit.runner.RunWith; -import org.junit.runners.Parameterized; -import org.junit.runners.Parameterized.Parameter; -import org.junit.runners.Parameterized.Parameters; import com.amazon.opendistroforelasticsearch.security.action.configupdate.ConfigUpdateAction; import com.amazon.opendistroforelasticsearch.security.action.configupdate.ConfigUpdateRequest; @@ -56,18 +55,11 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.cluster.ClusterConfiguration; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; -@RunWith(Parameterized.class) +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SnapshotRestoreTests extends SingleClusterTest { - @Parameters - public static Collection data() { - return Arrays.asList(new ClusterConfiguration[] { - ClusterConfiguration.DEFAULT - }); - } - - @Parameter - public ClusterConfiguration currentClusterConfig; + public ClusterConfiguration currentClusterConfig = ClusterConfiguration.DEFAULT; @Test public void testSnapshotEnableSecurityIndexRestore() throws Exception { diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/SystemIntegratorsTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/SystemIntegratorsTests.java index ba3a482769..c098a1a3ef 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/SystemIntegratorsTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/SystemIntegratorsTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.apache.http.message.BasicHeader; import org.elasticsearch.common.settings.Settings; @@ -42,7 +44,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; import com.google.common.collect.Lists; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SystemIntegratorsTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/TaskTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/TaskTests.java index 7b02b29dfa..ac3454b394 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/TaskTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/TaskTests.java @@ -17,6 +17,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.apache.http.message.BasicHeader; import org.elasticsearch.common.settings.Settings; @@ -28,7 +30,10 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class TaskTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/TransportClientIntegrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/TransportClientIntegrationTests.java index ad91a16269..b9b230c0bf 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/TransportClientIntegrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/TransportClientIntegrationTests.java @@ -30,6 +30,8 @@ package com.amazon.opendistroforelasticsearch.security; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.Header; import org.elasticsearch.ElasticsearchSecurityException; import org.elasticsearch.action.DocWriteResponse.Result; @@ -59,7 +61,10 @@ import com.amazon.opendistroforelasticsearch.security.test.DynamicSecurityConfig; import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class TransportClientIntegrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/UtilTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/UtilTests.java index 926987f587..c7e6392cfd 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/UtilTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/UtilTests.java @@ -37,6 +37,8 @@ import java.util.Map; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.bouncycastle.crypto.generators.OpenBSDBCrypt; import org.elasticsearch.common.settings.Settings; import org.junit.Test; @@ -44,7 +46,10 @@ import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants; import com.amazon.opendistroforelasticsearch.security.support.OpenDistroSecurityUtils; import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class UtilTests { static private WildcardMatcher wc(String pattern) { diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/TracingTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/TracingTests.java index aba709b7b1..8313b0dfd5 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/TracingTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/impl/TracingTests.java @@ -19,6 +19,8 @@ import com.amazon.opendistroforelasticsearch.security.auditlog.AuditTestUtils; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import net.jcip.annotations.NotThreadSafe; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; @@ -43,8 +45,11 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; @NotThreadSafe +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class TracingTests extends SingleClusterTest { @Override @@ -235,15 +240,6 @@ public void testHTTPTrace() throws Exception { @Test public void testHTTPSingle() throws Exception { - Thread.setDefaultUncaughtExceptionHandler(new UncaughtExceptionHandler() { - - @Override - public void uncaughtException(Thread t, Throwable e) { - e.printStackTrace(); - - } - }); - final Settings settings = Settings.builder() .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); @@ -301,15 +297,6 @@ public void uncaughtException(Thread t, Throwable e) { @Test public void testSearchScroll() throws Exception { - Thread.setDefaultUncaughtExceptionHandler(new UncaughtExceptionHandler() { - - @Override - public void uncaughtException(Thread t, Throwable e) { - e.printStackTrace(); - - } - }); - final Settings settings = Settings.builder() .putList(ConfigConstants.OPENDISTRO_SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".worf", "knuddel","nonexists") .build(); diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/KafkaSinkTest.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/KafkaSinkTest.java index 9de36d3b49..6dd1c2f75c 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/KafkaSinkTest.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/auditlog/sink/KafkaSinkTest.java @@ -18,7 +18,10 @@ import java.time.Duration; import java.util.Arrays; import java.util.Properties; +import java.util.Random; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.kafka.clients.consumer.ConsumerRecords; import org.apache.kafka.clients.consumer.KafkaConsumer; import org.elasticsearch.common.settings.Settings; @@ -26,15 +29,17 @@ import org.junit.Assert; import org.junit.ClassRule; import org.junit.Test; +import org.junit.runner.RunWith; import org.springframework.kafka.test.rule.EmbeddedKafkaRule; -import scala.util.Random; import com.amazon.opendistroforelasticsearch.security.auditlog.AbstractAuditlogiUnitTest; import com.amazon.opendistroforelasticsearch.security.auditlog.helper.MockAuditMessageFactory; import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditCategory; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class KafkaSinkTest extends AbstractAuditlogiUnitTest { @ClassRule diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/CrossClusterSearchTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/CrossClusterSearchTests.java index a2cb876aad..be92dbade6 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/CrossClusterSearchTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/CrossClusterSearchTests.java @@ -34,6 +34,8 @@ import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants; import com.amazon.opendistroforelasticsearch.security.test.NodeSettingsSupplier; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest; import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest.AliasActions; @@ -47,7 +49,6 @@ import org.junit.Assert; import org.junit.Test; import org.junit.runner.RunWith; -import org.junit.runners.Parameterized; import org.junit.runners.Parameterized.Parameter; import org.junit.runners.Parameterized.Parameters; @@ -64,7 +65,8 @@ import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.not; -@RunWith(Parameterized.class) +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class CrossClusterSearchTests extends AbstractSecurityUnitTest { private final ClusterHelper cl1 = new ClusterHelper("crl1_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime()); diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/RemoteReindexTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/RemoteReindexTests.java index 4595947a71..6c47ce04e2 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/RemoteReindexTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ccstest/RemoteReindexTests.java @@ -31,6 +31,8 @@ package com.amazon.opendistroforelasticsearch.security.ccstest; import com.amazon.opendistroforelasticsearch.security.test.AbstractSecurityUnitTest; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.indices.create.CreateIndexRequest; import org.elasticsearch.action.index.IndexRequest; @@ -47,7 +49,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.cluster.ClusterInfo; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class RemoteReindexTests extends AbstractSecurityUnitTest { private final ClusterHelper cl1 = new ClusterHelper("crl1_n"+num.incrementAndGet()+"_f"+System.getProperty("forkno")+"_t"+System.nanoTime()); diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/MigrationTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/MigrationTests.java index 0f8ecbede2..5100e98d37 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/MigrationTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/dlic/rest/api/MigrationTests.java @@ -15,6 +15,8 @@ package com.amazon.opendistroforelasticsearch.security.dlic.rest.api; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import com.google.common.io.BaseEncoding; import org.apache.http.HttpStatus; import org.elasticsearch.common.settings.Settings; @@ -28,7 +30,10 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class MigrationTests extends SingleClusterTest { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/multitenancy/test/MultitenancyTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/multitenancy/test/MultitenancyTests.java index d0c1ae9656..7460090e8c 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/multitenancy/test/MultitenancyTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/multitenancy/test/MultitenancyTests.java @@ -18,6 +18,8 @@ import java.util.HashMap; import java.util.Map; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.HttpStatus; import org.apache.http.message.BasicHeader; import org.elasticsearch.action.admin.indices.alias.Alias; @@ -39,7 +41,10 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper.HttpResponse; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class MultitenancyTests extends SingleClusterTest { @Override diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/protected_indices/ProtectedIndicesTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/protected_indices/ProtectedIndicesTests.java index 42f972bdfc..c1bcadcfb2 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/protected_indices/ProtectedIndicesTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/protected_indices/ProtectedIndicesTests.java @@ -38,6 +38,8 @@ import com.amazon.opendistroforelasticsearch.security.test.DynamicSecurityConfig; import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.Header; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.cluster.repositories.put.PutRepositoryRequest; @@ -56,10 +58,13 @@ import org.elasticsearch.common.xcontent.XContentType; import org.elasticsearch.rest.RestStatus; import org.junit.Test; +import org.junit.runner.RunWith; import static junit.framework.TestCase.assertTrue; import static org.junit.Assert.assertEquals; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class ProtectedIndicesTests extends SingleClusterTest { private static final List listOfIndexesToTest = Arrays.asList("logs1", "logs2", "logs3", "no_match"); @@ -159,7 +164,6 @@ public void setupSettingsEnabledSnapshot() throws Exception { /** * Creates a set of test indices and indexes one document into each index. * - * @throws Exception */ public void createTestIndicesAndDocs() { try (TransportClient tc = getInternalTransportClient()) { diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLCertsInfoActionTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLCertsInfoActionTests.java index a124bc4d62..be7ed92889 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLCertsInfoActionTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLCertsInfoActionTests.java @@ -20,16 +20,21 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import net.minidev.json.JSONObject; import org.elasticsearch.common.settings.Settings; import org.junit.Assert; import org.junit.Test; +import org.junit.runner.RunWith; import java.util.List; import java.util.Map; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class OpenDistroSecuritySSLCertsInfoActionTests extends SingleClusterTest { private final String ENDPOINT = "_opendistro/_security/api/ssl/certs"; diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLReloadCertsActionTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLReloadCertsActionTests.java index dd8c74f8f5..32e4d44a87 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLReloadCertsActionTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLReloadCertsActionTests.java @@ -22,6 +22,8 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.cluster.ClusterConfiguration; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import net.minidev.json.JSONObject; @@ -30,10 +32,13 @@ import org.junit.Rule; import org.junit.Test; import org.junit.rules.TemporaryFolder; +import org.junit.runner.RunWith; import java.io.File; import java.util.List; import java.util.Map; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class OpenDistroSecuritySSLReloadCertsActionTests extends SingleClusterTest { private final String GET_CERT_DETAILS_ENDPOINT = "_opendistro/_security/api/ssl/certs"; diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/DualModeSSLHandlerTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/DualModeSSLHandlerTests.java index 8a6ae1def8..34ed97b0c4 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/DualModeSSLHandlerTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/DualModeSSLHandlerTests.java @@ -17,6 +17,8 @@ import com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecurityKeyStore; import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConnectionTestUtil; import com.amazon.opendistroforelasticsearch.security.ssl.util.TLSUtil; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import io.netty.buffer.ByteBuf; import io.netty.buffer.ByteBufAllocator; import io.netty.buffer.PooledByteBufAllocator; @@ -30,9 +32,12 @@ import org.junit.Assert; import org.junit.Before; import org.junit.Test; +import org.junit.runner.RunWith; import org.mockito.ArgumentCaptor; import org.mockito.Mockito; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class DualModeSSLHandlerTests { public static final int TLS_MAJOR_VERSION = 3; diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromFileTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromFileTests.java index 754676e9f9..c7c9abac47 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromFileTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromFileTests.java @@ -4,9 +4,14 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.junit.Assert; import org.junit.Test; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class CertFromFileTests { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromKeystoreTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromKeystoreTests.java index ffac6a2c7b..76a7ff6ed3 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromKeystoreTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromKeystoreTests.java @@ -8,9 +8,14 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.junit.Assert; import org.junit.Test; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class CertFromKeystoreTests { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromTruststoreTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromTruststoreTests.java index 839fc0f52d..1f43a90aea 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromTruststoreTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/CertFromTruststoreTests.java @@ -7,9 +7,14 @@ import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.junit.Assert; import org.junit.Test; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class CertFromTruststoreTests { @Test diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConnectionTestUtilTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConnectionTestUtilTests.java index b79f619bbb..19493d47b6 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConnectionTestUtilTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConnectionTestUtilTests.java @@ -20,12 +20,18 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.net.Socket; + +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.junit.Assert; import org.junit.Before; import org.junit.Test; +import org.junit.runner.RunWith; import org.mockito.ArgumentCaptor; import org.mockito.Mockito; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SSLConnectionTestUtilTests { private Socket socket; private OutputStream outputStream; diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/TLSUtilTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/TLSUtilTests.java index 7a17872f32..47e1a37855 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/TLSUtilTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/util/TLSUtilTests.java @@ -14,13 +14,18 @@ */ package com.amazon.opendistroforelasticsearch.security.ssl.util; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import io.netty.buffer.ByteBuf; import io.netty.buffer.ByteBufAllocator; import io.netty.buffer.PooledByteBufAllocator; import org.junit.Assert; import org.junit.Before; import org.junit.Test; +import org.junit.runner.RunWith; +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class TLSUtilTests { public static final int TLS_MAJOR_VERSION = 3; diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/system_indices/SystemIndicesTests.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/system_indices/SystemIndicesTests.java index deb12ad5db..728e841d38 100644 --- a/src/test/java/com/amazon/opendistroforelasticsearch/security/system_indices/SystemIndicesTests.java +++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/system_indices/SystemIndicesTests.java @@ -20,6 +20,8 @@ import com.amazon.opendistroforelasticsearch.security.test.SingleClusterTest; import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper; import com.amazon.opendistroforelasticsearch.security.test.helper.rest.RestHelper; +import com.carrotsearch.randomizedtesting.RandomizedRunner; +import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope; import org.apache.http.Header; import org.apache.http.HttpStatus; import org.elasticsearch.action.admin.cluster.repositories.put.PutRepositoryRequest; @@ -37,6 +39,7 @@ import org.elasticsearch.common.xcontent.XContentType; import org.elasticsearch.rest.RestStatus; import org.junit.Test; +import org.junit.runner.RunWith; import java.io.IOException; import java.util.Arrays; @@ -50,6 +53,9 @@ * Refer: "opendistro_security.system_indices.enabled" * "opendistro_security.system_indices.indices"; */ + +@RunWith(RandomizedRunner.class) +@ThreadLeakScope(ThreadLeakScope.Scope.NONE) public class SystemIndicesTests extends SingleClusterTest { private static final List listOfIndexesToTest = Arrays.asList("config1", "config2"); @@ -101,7 +107,6 @@ private void setupSystemIndicesEnabledWithSsl() throws Exception { /** * Creates a set of test indices and indexes one document into each index. * - * @throws Exception */ private void createTestIndicesAndDocs() { try (TransportClient tc = getInternalTransportClient()) {