From f04e62350fd41c3c669fac05ac6aae7fa28fa347 Mon Sep 17 00:00:00 2001 
From: Christopher Santana Date: Tue, 16 Apr 2024 13:33:58 +0200 Subject: [PATCH] Oppdaterer dependencies og gradle. Bytter ut kluent og kotlinx serialization. --- azure-exchange/build.gradle.kts | 8 +- .../azure/exchange/AzureEnvironment.kt | 23 ++ .../azure/exchange/config/Environment.kt | 8 +- .../exchange/config/HttpClientBuilder.kt | 14 +- .../exchange/consumer/AzureTokenResponse.kt | 12 +- .../azure/exchange/AzureServiceTest.kt | 30 +- azure-validation-mock/build.gradle.kts | 6 +- .../azure/validation/mock/AzureAuthTest.kt | 14 +- azure-validation/build.gradle.kts | 12 +- .../azure/validation/AzureEnvironment.kt | 23 ++ .../validation/install/HttpClientBuilder.kt | 13 +- .../azure/validation/install/tokenVerifier.kt | 15 +- .../support/azure/validation/AzureAuthIT.kt | 46 +-- .../support/azure/validation/ObjectMapper.kt | 9 - .../support/azure/validation/mockedClient.kt | 13 +- build.gradle.kts | 8 +- buildSrc/build.gradle.kts | 6 + buildSrc/src/main/kotlin/dependencies.kt | 110 ++++--- gradle/wrapper/gradle-wrapper.jar | Bin 55190 -> 43453 bytes gradle/wrapper/gradle-wrapper.properties | 4 +- gradlew | 301 +++++++++++------- gradlew.bat | 76 +++-- idporten-sidecar-mock/build.gradle.kts | 6 +- .../idporten/sidecar/mock/IdPortenAuthTest.kt | 10 +- idporten-sidecar/build.gradle.kts | 8 +- .../idporten/sidecar/IdPortenEnvironment.kt | 23 ++ .../sidecar/install/HttpClientBuilder.kt | 14 +- .../idporten/sidecar/install/loginApi.kt | 8 +- .../idporten/sidecar/install/tokenVerifier.kt | 11 +- .../idporten/sidecar/IdPortenAuthIT.kt | 44 +-- .../idporten/sidecar/IdPortenPluginTest.kt | 43 ++- .../support/idporten/sidecar/ObjectMapper.kt | 9 - .../sidecar/install/TokenVerifierTest.kt | 21 +- .../support/idporten/sidecar/mockedClient.kt | 12 +- tokendings-exchange/build.gradle.kts | 8 +- .../tokendings/exchange/TokenXEnvironment.kt | 23 ++ .../tokendings/exchange/config/Environment.kt | 8 +- .../exchange/config/HttpClientBuilder.kt | 13 +- 
.../config/TokendingsConfigurationMetadata.kt | 10 +- .../consumer/TokendingsTokenResponse.kt | 12 +- .../exchange/TokendingsServiceTest.kt | 38 +-- tokenx-validation-mock/build.gradle.kts | 6 +- .../tokenx/validation/mock/TokenXAuthTest.kt | 10 +- tokenx-validation/build.gradle.kts | 14 +- .../tokenx/validation/TokenXEnvironment.kt | 23 ++ .../validation/install/HttpClientBuilder.kt | 13 +- .../validation/install/tokenVerifier.kt | 19 +- .../support/tokenx/validation/ObjectMapper.kt | 9 - .../support/tokenx/validation/TokenXAuthIT.kt | 87 ++--- .../support/tokenx/validation/mockedClient.kt | 12 +- 50 files changed, 723 insertions(+), 542 deletions(-) create mode 100644 azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/AzureEnvironment.kt create mode 100644 azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/AzureEnvironment.kt delete mode 100644 azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/ObjectMapper.kt create mode 100644 idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenEnvironment.kt delete mode 100644 idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/ObjectMapper.kt create mode 100644 tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/TokenXEnvironment.kt create mode 100644 tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXEnvironment.kt delete mode 100644 tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/ObjectMapper.kt diff --git a/azure-exchange/build.gradle.kts b/azure-exchange/build.gradle.kts index 3f5551e..0f18202 100644 --- a/azure-exchange/build.gradle.kts +++ b/azure-exchange/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { 
@@ -14,13 +13,12 @@ dependencies { implementation(Ktor.serverAuthJwt) implementation(Ktor.clientApache) implementation(Ktor.clientContentNegotiation) - implementation(Ktor.serializationKotlinxJson) + implementation(Ktor.jackson) implementation(Ktor.clientJson) implementation(Ktor.serialization) implementation(Ktor.serverNetty) implementation(Nimbusds.joseJwt) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Mockk.mockk) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) @@ -65,8 +63,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/AzureEnvironment.kt b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/AzureEnvironment.kt new file mode 100644 index 0000000..a3e2418 --- /dev/null +++ b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/AzureEnvironment.kt @@ -0,0 +1,23 @@ +package no.nav.tms.token.support.azure.exchange + +// Proxy for System environment which allows for mocking or overwriting default env +object AzureEnvironment { + private val baseEnv = System.getenv() + + private val env = mutableMapOf() + + init { + env.putAll(baseEnv) + } + + fun get(name: String) = env[name] + + fun extend(envMap: Map) { + env.putAll(envMap) + } + + fun reset() { + env.clear() + env.putAll(baseEnv) + } +} diff --git a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/Environment.kt b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/Environment.kt index dede903..c1ecc20 100644 --- a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/Environment.kt +++ b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/Environment.kt 
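Review bot: `AzureEnvironment` in the new azure-exchange `AzureEnvironment.kt` is a public `object` in the main source set, so `extend` and `reset` ship as library API and any code in the process can change what `getAzureEnvVar` later returns for values such as `AZURE_APP_CLIENT_ID` or `AZURE_OPENID_CONFIG_TOKEN_ENDPOINT`. The file's own comment says the proxy exists for mocking, so unless consumers are meant to call it from their own tests I would declare it `internal object AzureEnvironment`, which the module's tests can still reach. The backing map is also read and written without synchronisation; `private val env = ConcurrentHashMap<String, String>(baseEnv)` would cover an `extend` that races with client construction. The same object is added in azure-validation's `AzureEnvironment.kt`, where it supplies the token verifier's configuration, and the diffstat lists matching files for idporten-sidecar, tokendings-exchange and tokenx-validation.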
@@ -1,5 +1,7 @@ package no.nav.tms.token.support.azure.exchange.config +import no.nav.tms.token.support.azure.exchange.AzureEnvironment + internal class Environment ( val azureClientId: String = getAzureEnvVar("AZURE_APP_CLIENT_ID"), val azureTenantId: String = getAzureEnvVar("AZURE_APP_TENANT_ID"), @@ -8,7 +10,5 @@ internal class Environment ( val azureOpenidTokenEndpoint: String = getAzureEnvVar("AZURE_OPENID_CONFIG_TOKEN_ENDPOINT") ) -private fun getAzureEnvVar(varName: String): String { - return System.getenv(varName) - ?: throw IllegalArgumentException("Fant ikke $varName for azure. Påse at nais.yaml er konfigurert riktig.") -} +private fun getAzureEnvVar(varName: String) = AzureEnvironment.get(varName) + ?: throw IllegalArgumentException("Fant ikke $varName for azure. Påse at nais.yaml er konfigurert riktig.") diff --git a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/HttpClientBuilder.kt b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/HttpClientBuilder.kt index aa7e2ef..575750f 100644 --- a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/HttpClientBuilder.kt +++ b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/config/HttpClientBuilder.kt @@ -1,11 +1,11 @@ package no.nav.tms.token.support.azure.exchange.config +import com.fasterxml.jackson.databind.DeserializationFeature import io.ktor.client.* import io.ktor.client.engine.apache.* import io.ktor.client.plugins.* import io.ktor.client.plugins.contentnegotiation.* -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.json.Json +import io.ktor.serialization.jackson.* import org.apache.http.impl.conn.SystemDefaultRoutePlanner import java.net.ProxySelector 
@@ -13,7 +13,9 @@ internal object HttpClientBuilder { internal fun buildHttpClient(enableDefaultProxy: Boolean): HttpClient { return HttpClient(Apache) { install(ContentNegotiation) { - json(kotlinxSerializer()) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } install(HttpTimeout) @@ -24,12 +26,6 @@ internal object HttpClientBuilder { } } - private fun kotlinxSerializer() = - Json { - ignoreUnknownKeys = true - } - - private fun HttpClientConfig.enableSystemDefaultProxy() { engine { customizeClient { setRoutePlanner(SystemDefaultRoutePlanner(ProxySelector.getDefault())) } diff --git a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/consumer/AzureTokenResponse.kt b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/consumer/AzureTokenResponse.kt index 9169592..d417d37 100644 --- a/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/consumer/AzureTokenResponse.kt +++ b/azure-exchange/src/main/kotlin/no/nav/tms/token/support/azure/exchange/consumer/AzureTokenResponse.kt @@ -1,12 +1,10 @@ package no.nav.tms.token.support.azure.exchange.consumer -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable +import com.fasterxml.jackson.annotation.JsonAlias -@Serializable internal data class AzureTokenResponse( - @SerialName("access_token") val accessToken: String, - @SerialName("token_type") val tokenType: String, - @SerialName("expires_in") val expiresIn: Int, - @SerialName("ext_expires_in") val extExpiresIn: Int + @JsonAlias("access_token") val accessToken: String, + @JsonAlias("token_type") val tokenType: String, + @JsonAlias("expires_in") val expiresIn: Int, + @JsonAlias("ext_expires_in") val extExpiresIn: Int ) diff --git a/azure-exchange/src/test/kotlin/no/nav/tms/token/support/azure/exchange/AzureServiceTest.kt b/azure-exchange/src/test/kotlin/no/nav/tms/token/support/azure/exchange/AzureServiceTest.kt index fcaba70..08bc51f 100644 
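Review bot: The `jackson { ... }` block in `buildHttpClient` only relaxes `FAIL_ON_UNKNOWN_PROPERTIES`, so absent primitives keep Jackson's lenient default. As far as I know, the Kotlin module binds a missing `Int` constructor parameter to 0 unless `FAIL_ON_NULL_FOR_PRIMITIVES` is enabled, whereas the removed `@Serializable` class rejected a response without `expires_in`. For `AzureTokenResponse` that would turn a malformed token response into `expiresIn = 0` rather than an error, which matters if the caching service derives token lifetime from it (not visible in this diff). Adding `configure(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES, true)` next to the existing `configure` call keeps the previous fail-closed behaviour. Separately, `@JsonAlias("access_token")` only adds an accepted input name; `@JsonProperty("access_token")` would pin the wire name in both directions.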
--- a/azure-exchange/src/test/kotlin/no/nav/tms/token/support/azure/exchange/AzureServiceTest.kt +++ b/azure-exchange/src/test/kotlin/no/nav/tms/token/support/azure/exchange/AzureServiceTest.kt @@ -1,14 +1,14 @@ package no.nav.tms.token.support.azure.exchange import com.nimbusds.jwt.SignedJWT +import io.kotest.matchers.collections.shouldContain +import io.kotest.matchers.shouldBe +import io.kotest.matchers.shouldNotBe import io.mockk.* import kotlinx.coroutines.runBlocking import no.nav.tms.token.support.azure.exchange.consumer.AzureConsumer import no.nav.tms.token.support.azure.exchange.service.CachingAzureService import no.nav.tms.token.support.azure.exchange.service.NonCachingAzureService -import org.amshove.kluent.`should be equal to` -import org.amshove.kluent.`should contain` -import org.amshove.kluent.`should not be equal to` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.Test @@ -41,14 +41,14 @@ internal class AzureServiceTest { nonCachingazureService.getAccessToken(target) } - result `should be equal to` exchangedToken + result shouldBe exchangedToken val signedJwt = assertion.captured.let { SignedJWT.parse(it) } val claims = signedJwt.jwtClaimsSet - claims.audience `should contain` jwtAudience - claims.issuer `should be equal to` clientId - claims.subject `should be equal to` clientId + claims.audience shouldContain jwtAudience + claims.issuer shouldBe clientId + claims.subject shouldBe clientId } @Test @@ -65,14 +65,14 @@ internal class AzureServiceTest { cachingAzureService.getAccessToken(target) } - result `should be equal to` exchangedToken + result shouldBe exchangedToken val signedJwt = assertion.captured.let { SignedJWT.parse(it) } val claims = signedJwt.jwtClaimsSet - claims.audience `should contain` jwtAudience - claims.issuer `should be equal to` clientId - claims.subject `should be equal to` clientId + claims.audience shouldContain jwtAudience + claims.issuer shouldBe clientId + claims.subject shouldBe clientId } @Test 
@@ -137,9 +137,9 @@ internal class AzureServiceTest { coVerify(exactly = 1) {azureConsumer.fetchToken(any(), target1) } coVerify(exactly = 1) {azureConsumer.fetchToken(any(), target2) } - result1 `should be equal to` result3 - result2 `should be equal to` result4 - result1 `should not be equal to` result2 - result3 `should not be equal to` result4 + result1 shouldBe result3 + result2 shouldBe result4 + result1 shouldNotBe result2 + result3 shouldNotBe result4 } } diff --git a/azure-validation-mock/build.gradle.kts b/azure-validation-mock/build.gradle.kts index 814b1c2..fa90293 100644 --- a/azure-validation-mock/build.gradle.kts +++ b/azure-validation-mock/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { @@ -15,7 +14,6 @@ dependencies { implementation(Ktor.clientJson) implementation(Nimbusds.joseJwt) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Mockk.mockk) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) @@ -60,8 +58,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/azure-validation-mock/src/test/kotlin/no/nav/tms/token/support/azure/validation/mock/AzureAuthTest.kt b/azure-validation-mock/src/test/kotlin/no/nav/tms/token/support/azure/validation/mock/AzureAuthTest.kt index 439425d..a9d3d41 100644 --- a/azure-validation-mock/src/test/kotlin/no/nav/tms/token/support/azure/validation/mock/AzureAuthTest.kt +++ b/azure-validation-mock/src/test/kotlin/no/nav/tms/token/support/azure/validation/mock/AzureAuthTest.kt @@ -1,5 +1,6 @@ package no.nav.tms.token.support.azure.validation.mock +import io.kotest.matchers.shouldBe import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* 
@@ -10,7 +11,6 @@ import io.ktor.server.routing.* import io.ktor.server.testing.* import no.nav.tms.token.support.azure.validation.AzureAuthenticator import no.nav.tms.token.support.azure.validation.AzurePrincipal -import org.amshove.kluent.`should be equal to` import org.junit.jupiter.api.Test internal class AzureAuthTest { @@ -34,7 +34,7 @@ internal class AzureAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } @Test @@ -53,8 +53,8 @@ internal class AzureAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.OK - response.body() `should be equal to` jwtOverrideString + response.status shouldBe HttpStatusCode.OK + response.body() shouldBe jwtOverrideString } @Test @@ -73,8 +73,8 @@ internal class AzureAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.OK - response.body().isNotBlank() `should be equal to` true + response.status shouldBe HttpStatusCode.OK + response.body().isNotBlank() shouldBe true } @Test @@ -94,7 +94,7 @@ internal class AzureAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } private fun Application.testApi(authConfig: Application.() -> Unit) { diff --git a/azure-validation/build.gradle.kts b/azure-validation/build.gradle.kts index ad6d926..a8d8451 100644 --- a/azure-validation/build.gradle.kts +++ b/azure-validation/build.gradle.kts 
@@ -1,13 +1,16 @@ +import org.gradle.internal.impldep.com.amazonaws.util.json.Jackson + plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { api(kotlin("stdlib-jdk8")) implementation(Logback.classic) + implementation(JacksonDatatype.moduleKotlin) + implementation(JacksonDatatype.datatypeJsr310) implementation(KotlinLogging.logging) implementation(Ktor.serverAuth) implementation(Ktor.serverAuthJwt) @@ -15,10 +18,9 @@ dependencies { implementation(Ktor.clientJson) implementation(Ktor.serialization) implementation(Ktor.clientContentNegotiation) - implementation(Ktor.serializationKotlinxJson) + implementation(Ktor.jackson) implementation(Nimbusds.joseJwt) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Mockk.mockk) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) @@ -63,8 +65,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/AzureEnvironment.kt b/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/AzureEnvironment.kt new file mode 100644 index 0000000..bd34faf --- /dev/null +++ b/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/AzureEnvironment.kt @@ -0,0 +1,23 @@ +package no.nav.tms.token.support.azure.validation + +// Proxy for System environment which allows for mocking or overwriting default env +object AzureEnvironment { + private val baseEnv = System.getenv() + + private val env = mutableMapOf() + + init { + env.putAll(baseEnv) + } + + fun get(name: String) = env[name] + + fun extend(envMap: Map) { + env.putAll(envMap) + } + + fun reset() { + env.clear() + env.putAll(baseEnv) + } +} 
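Review bot: The first added line of azure-validation/build.gradle.kts, `import org.gradle.internal.impldep.com.amazonaws.util.json.Jackson`, is not referenced in any visible hunk and looks like an accidental IDE auto-import. It points into Gradle's internal shaded dependencies (`org.gradle.internal.impldep`), which are not a supported API. Because the commit subject and diffstat show the Gradle wrapper being updated at the same time, the script could stop compiling for a reason unrelated to this module. I would drop the import line; `JacksonDatatype.moduleKotlin` and `JacksonDatatype.datatypeJsr310` come from buildSrc and need no import.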
diff --git a/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/HttpClientBuilder.kt b/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/HttpClientBuilder.kt index 6e9e9cf..5cf4ffc 100644 --- a/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/HttpClientBuilder.kt +++ b/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/HttpClientBuilder.kt @@ -1,11 +1,11 @@ package no.nav.tms.token.support.azure.validation.install +import com.fasterxml.jackson.databind.DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES import io.ktor.client.* import io.ktor.client.engine.apache.* import io.ktor.client.plugins.* import io.ktor.client.plugins.contentnegotiation.* -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.json.Json +import io.ktor.serialization.jackson.* import org.apache.http.impl.conn.SystemDefaultRoutePlanner import java.net.ProxySelector @@ -13,7 +13,9 @@ internal object HttpClientBuilder { internal fun build(enableDefaultProxy: Boolean): HttpClient { return HttpClient(Apache) { install(ContentNegotiation) { - json(kotlinxSerializer()) + jackson { + configure(FAIL_ON_UNKNOWN_PROPERTIES, false) + } } install(HttpTimeout) @@ -23,11 +25,6 @@ internal object HttpClientBuilder { } } - private fun kotlinxSerializer() = - Json { - ignoreUnknownKeys = true - } - private fun HttpClientConfig.enableSystemDefaultProxy() { engine { customizeClient { setRoutePlanner(SystemDefaultRoutePlanner(ProxySelector.getDefault())) } diff --git a/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/tokenVerifier.kt b/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/tokenVerifier.kt index 270e8ad..8dcf863 100644 --- a/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/tokenVerifier.kt 
+++ b/azure-validation/src/main/kotlin/no/nav/tms/token/support/azure/validation/install/tokenVerifier.kt @@ -6,13 +6,13 @@ import com.auth0.jwt.JWT import com.auth0.jwt.algorithms.Algorithm import com.auth0.jwt.interfaces.DecodedJWT import com.auth0.jwt.interfaces.JWTVerifier +import com.fasterxml.jackson.annotation.JsonAlias import io.ktor.client.* import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* import kotlinx.coroutines.runBlocking -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable +import no.nav.tms.token.support.azure.validation.AzureEnvironment import java.net.URL import java.security.interfaces.RSAPublicKey import java.util.concurrent.TimeUnit @@ -61,12 +61,11 @@ internal class TokenVerifier( } -@Serializable internal data class OauthServerConfigurationMetadata( - @SerialName("issuer") val issuer: String, - @SerialName("token_endpoint") val tokenEndpoint: String, - @SerialName("jwks_uri") val jwksUri: String, - @SerialName("authorization_endpoint") var authorizationEndpoint: String = "" + @JsonAlias("issuer") val issuer: String, + @JsonAlias("token_endpoint") val tokenEndpoint: String, + @JsonAlias("jwks_uri") val jwksUri: String, + @JsonAlias("authorization_endpoint") var authorizationEndpoint: String = "" ) private fun fetchMetadata(client: HttpClient, wellKnownUrl: String): OauthServerConfigurationMetadata = runBlocking { @@ -85,5 +84,5 @@ internal object JwlProviderBuilder { .build() } -private fun getAzureEnvVar(varName: String) = System.getenv(varName) +private fun getAzureEnvVar(varName: String) = AzureEnvironment.get(varName) ?: throw IllegalArgumentException("Fant ikke $varName for azure. Påse at nais.yaml er konfigurert riktig.") diff --git a/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/AzureAuthIT.kt b/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/AzureAuthIT.kt index 2bb9e8d..be84a30 100644 
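Review bot: In the `@@ -61,12 +61,11 @@` hunk, `OauthServerConfigurationMetadata` swaps `@SerialName` for `@JsonAlias`, which is not equivalent: `@JsonAlias` only adds an accepted name on input, and the class still serialises as `tokenEndpoint` and `jwksUri`. The test helper in mockedClient.kt builds its fixture with `jacksonObjectMapper().writeValueAsString(metadata)`, so the mocked well-known document would carry the camelCase names. The tests would then no longer exercise the `jwks_uri` and `token_endpoint` keys a real issuer sends. Since `issuer` and `jwksUri` presumably feed the JWK provider and verifier, I would pin the wire names with `@JsonProperty("jwks_uri")` and so on, so that a typo in one of them fails the tests. `TokenVerifier` and `fetchMetadata` continue outside the hunks shown.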
--- a/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/AzureAuthIT.kt +++ b/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/AzureAuthIT.kt @@ -1,7 +1,7 @@ package no.nav.tms.token.support.azure.validation -import io.kotest.extensions.system.withEnvironment +import io.kotest.matchers.shouldBe import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* @@ -15,7 +15,6 @@ import io.mockk.mockkObject import io.mockk.unmockkObject import no.nav.tms.token.support.azure.validation.install.HttpClientBuilder import no.nav.tms.token.support.azure.validation.install.JwlProviderBuilder -import org.amshove.kluent.`should be equal to` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.BeforeEach import org.junit.jupiter.api.Test @@ -47,6 +46,7 @@ internal class AzureAuthIT { fun cleanUp() { unmockkObject(HttpClientBuilder) unmockkObject(JwlProviderBuilder) + AzureEnvironment.reset() } @Test @@ -58,8 +58,8 @@ internal class AzureAuthIT { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "No bearer token found." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "No bearer token found." } @Test @@ -73,8 +73,8 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer ") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -90,7 +90,7 @@ internal class AzureAuthIT { headers.append(AzureHeader.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test 
@@ -106,7 +106,7 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test @@ -123,7 +123,7 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer othertoken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test @@ -140,7 +140,7 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test @@ -157,7 +157,7 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } @Test @@ -175,8 +175,8 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -194,8 +194,8 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test 
@@ -213,8 +213,8 @@ internal class AzureAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -226,11 +226,13 @@ internal class AzureAuthIT { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "No bearer token found." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "No bearer token found." } - private fun Application.testApi() = withEnvironment(envVars) { + private fun Application.testApi() { + + AzureEnvironment.extend(envVars) authentication { azure() @@ -245,7 +247,9 @@ internal class AzureAuthIT { } } - private fun Application.testApiWithDefault() = withEnvironment(envVars) { + private fun Application.testApiWithDefault() { + + AzureEnvironment.extend(envVars) authentication { azure { diff --git a/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/ObjectMapper.kt b/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/ObjectMapper.kt deleted file mode 100644 index f2e5bfc..0000000 --- a/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/ObjectMapper.kt +++ /dev/null @@ -1,9 +0,0 @@ -package no.nav.tms.token.support.azure.validation - -import kotlinx.serialization.json.Json - -internal object ObjectMapper { - val kotlinxMapper = Json { - ignoreUnknownKeys = true - } -} diff --git a/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/mockedClient.kt b/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/mockedClient.kt index fcf9c8a..ba70ce3 100644 --- a/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/mockedClient.kt 
+++ b/azure-validation/src/test/kotlin/no/nav/tms/token/support/azure/validation/mockedClient.kt @@ -1,20 +1,21 @@ package no.nav.tms.token.support.azure.validation +import com.fasterxml.jackson.databind.DeserializationFeature +import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper import io.ktor.client.* import io.ktor.client.engine.mock.* import io.ktor.client.plugins.contentnegotiation.* import io.ktor.http.* import io.ktor.http.HttpStatusCode.Companion.OK -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.encodeToString -import no.nav.tms.token.support.azure.validation.ObjectMapper.kotlinxMapper +import io.ktor.serialization.jackson.* import no.nav.tms.token.support.azure.validation.install.OauthServerConfigurationMetadata - internal fun createMockedMockedClient() = HttpClient(MockEngine) { install(ContentNegotiation) { - json(kotlinxMapper) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } engine { @@ -38,7 +39,7 @@ internal val idportenMetadata = OauthServerConfigurationMetadata( ) private val metadataJson: String = idportenMetadata.let { metadata -> - kotlinxMapper.encodeToString(metadata) + jacksonObjectMapper().writeValueAsString(metadata) } private val Url.hostWithPortIfRequired: String get() = if (port == protocol.defaultPort) host else hostWithPort diff --git a/build.gradle.kts b/build.gradle.kts index be8e5e4..3e76a5d 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -1,7 +1,5 @@ plugins { kotlin("jvm") version Kotlin.version - kotlin("plugin.serialization") version (Kotlin.version) - kotlin("plugin.allopen") version Kotlin.version } repositories { @@ -14,3 +12,9 @@ tasks { enabled = false } } + +kotlin { + jvmToolchain { + languageVersion.set(JavaLanguageVersion.of(17)) + } +} diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts index 876c922..cbcc24a 100644 --- a/buildSrc/build.gradle.kts +++ b/buildSrc/build.gradle.kts 
@@ -5,3 +5,9 @@ plugins {
 repositories {
 mavenCentral()
 }
+
+kotlin {
+ jvmToolchain {
+ languageVersion.set(JavaLanguageVersion.of(17))
+ }
+}
diff --git a/buildSrc/src/main/kotlin/dependencies.kt b/buildSrc/src/main/kotlin/dependencies.kt
index 6b78eca..997a220 100644
--- a/buildSrc/src/main/kotlin/dependencies.kt
+++ b/buildSrc/src/main/kotlin/dependencies.kt
@@ -1,66 +1,88 @@
-object Caffeine {
- private const val version = "3.0.0"
- private const val groupId = "com.github.ben-manes.caffeine"
+interface DependencyGroup {
+ val groupId: String? get() = null
+ val version: String? get() = null
- const val caffeine = "$groupId:caffeine:$version"
+ fun dependency(name: String, groupId: String? = this.groupId, version: String? = this.version): String {
+ requireNotNull(groupId)
+ requireNotNull(version)
+
+ return "$groupId:$name:$version"
+ }
 }
-object Kluent {
- private const val version = "1.68"
- const val kluent = "org.amshove.kluent:kluent:$version"
+
+object Caffeine : DependencyGroup {
+ override val version = "3.1.8"
+ override val groupId = "com.github.ben-manes.caffeine"
+
+ val caffeine = dependency("caffeine")
+}
+
+object JacksonDatatype: DependencyGroup {
+ override val version get() = "2.17.0"
+
+ val datatypeJsr310 get() = dependency("jackson-datatype-jsr310", groupId = "com.fasterxml.jackson.datatype")
+ val moduleKotlin get() = dependency("jackson-module-kotlin", groupId = "com.fasterxml.jackson.module")
 }
 object Kotlin {
- const val version = "1.9.0"
+ const val version = "1.9.0"
 }
-object Kotest {
- private const val groupId = "io.kotest"
- private const val version = "4.3.1"
+object Kotest : DependencyGroup {
+ override val groupId = "io.kotest"
+ override val version = "5.8.1"
- const val runnerJunit = "$groupId:kotest-runner-junit5:$version"
- const val assertionsCore = "$groupId:kotest-assertions-core:$version"
- const val extensions = "$groupId:kotest-extensions:$version"
+ val runnerJunit = dependency("kotest-runner-junit5")
+ val assertionsCore = dependency("kotest-assertions-core")
+ val extensions = dependency("kotest-extensions")
 }
-object Ktor {
- private const val version = "2.3.7"
- private const val groupId = "io.ktor"
-
- const val serverAuth = "$groupId:ktor-server-auth:$version"
- const val serverAuthJwt = "$groupId:ktor-server-auth-jwt:$version"
- const val serialization = "$groupId:ktor-serialization:$version"
- const val serializationKotlinxJson = "$groupId:ktor-serialization-kotlinx-json:$version"
- const val serverNetty = "$groupId:ktor-server-netty:$version"
- const val clientApache = "$groupId:ktor-client-apache:$version"
- const val clientJson = "$groupId:ktor-client-json:$version"
- const val clientMock = "$groupId:ktor-client-mock:$version"
- const val serverTestHost = "$groupId:ktor-server-test-host:$version"
- const val clientContentNegotiation = "$groupId:ktor-client-content-negotiation:$version"
- const val serverForwardedHeaders = "$groupId:ktor-server-forwarded-header:$version"
+object Ktor : DependencyGroup {
+ override val version = "2.3.10"
+ override val groupId = "io.ktor"
+
+ val serverAuth = dependency("ktor-server-auth")
+ val serverAuthJwt = dependency("ktor-server-auth-jwt")
+ val serialization = dependency("ktor-serialization")
+ val jackson = dependency("ktor-serialization-jackson")
+ val serverNetty = dependency("ktor-server-netty")
+ val clientApache = dependency("ktor-client-apache")
+ val clientJson = dependency("ktor-client-json")
+ val clientMock = dependency("ktor-client-mock")
+ val serverTestHost = dependency("ktor-server-test-host")
+ val clientContentNegotiation = dependency("ktor-client-content-negotiation")
+ val serverForwardedHeaders = dependency("ktor-server-forwarded-header")
+ val serverAuthJvm = dependency("ktor-server-auth-jvm")
+ val serverCoreJvm = dependency("ktor-server-core-jvm")
+ val serverAuthLdapJvm = dependency("ktor-server-auth-ldap-jvm")
 }
-object KotlinLogging {
- private const val groupId = "io.github.oshai"
- private const val version = "6.0.3"
+object KotlinLogging : DependencyGroup {
+ override val groupId = "io.github.oshai"
+ override val version = "6.0.4"
- const val logging = "$groupId:kotlin-logging:$version"
+ val logging = dependency("kotlin-logging")
 }
-object Logback {
- private const val version = "1.4.14"
- const val classic = "ch.qos.logback:logback-classic:$version"
+object Logback : DependencyGroup {
+ override val version = "1.4.14"
+ override val groupId = "ch.qos.logback"
+
+ val classic = dependency("logback-classic")
 }
-object Mockk {
- private const val version = "1.12.3"
- const val mockk = "io.mockk:mockk:$version"
+object Mockk : DependencyGroup {
+ override val version = "1.13.10"
+ override val groupId = "io.mockk"
+
+ val mockk = dependency("mockk")
 }
-object Nimbusds {
- private const val version = "9.37.3"
- private const val groupId = "com.nimbusds"
+object Nimbusds : DependencyGroup {
+ override val version = "9.37.3"
+ override val groupId = "com.nimbusds"
- const val joseJwt = "$groupId:nimbus-jose-jwt:$version"
- const val oauth2OidcSdk = "$groupId:oauth2-oidc-sdk:$version"
+ val joseJwt = dependency("nimbus-jose-jwt")
+ val oauth2OidcSdk = dependency("oauth2-oidc-sdk")
 }
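Review bot: `requireNotNull(groupId)` and `requireNotNull(version)` in `DependencyGroup.dependency` carry no message, so a group that misses an override fails with a generic null error that does not name the incomplete coordinate. `JacksonDatatype` shows how easily this can happen: it overrides no `groupId` and relies on every call passing one explicitly. I would write `requireNotNull(groupId) { "groupId missing for dependency '$name'" }` and the same for `version`. `JacksonDatatype` also declares its members with `get()` where every other group uses plain initialised `val`s; if that is deliberate a one-line comment saying why would help, otherwise align it with the rest. The new `serverAuthLdapJvm` coordinate is worth confirming as well: if no module consumes it, leaving it out keeps the declared dependency surface of an auth library small.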
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 87b738cbd051603d91cc39de6cb000dd98fe6b02..e6441136f3d4ba8a0da8d277868979cfbc8ad796 100644 GIT binary patch literal 43453 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd 
zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 
z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj 
z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 
z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? 
z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> 
z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vSTxF-Vi3+ZOI=Thq2} zyQgjYY1_7^ZQHh{?P))4+qUiQJLi1&{yE>h?~jU%tjdV0h|FENbM3X(KnJdPKc?~k zh=^Ixv*+smUll!DTWH!jrV*wSh*(mx0o6}1@JExzF(#9FXgmTXVoU+>kDe68N)dkQ zH#_98Zv$}lQwjKL@yBd;U(UD0UCl322=pav<=6g>03{O_3oKTq;9bLFX1ia*lw;#K zOiYDcBJf)82->83N_Y(J7Kr_3lE)hAu;)Q(nUVydv+l+nQ$?|%MWTy`t>{havFSQloHwiIkGK9YZ79^9?AZo0ZyQlVR#}lF%dn5n%xYksXf8gnBm=wO7g_^! 
zauQ-bH1Dc@3ItZ-9D_*pH}p!IG7j8A_o94#~>$LR|TFq zZ-b00*nuw|-5C2lJDCw&8p5N~Z1J&TrcyErds&!l3$eSz%`(*izc;-?HAFD9AHb-| z>)id`QCrzRws^9(#&=pIx9OEf2rmlob8sK&xPCWS+nD~qzU|qG6KwA{zbikcfQrdH z+ zQg>O<`K4L8rN7`GJB0*3<3`z({lWe#K!4AZLsI{%z#ja^OpfjU{!{)x0ZH~RB0W5X zTwN^w=|nA!4PEU2=LR05x~}|B&ZP?#pNgDMwD*ajI6oJqv!L81gu=KpqH22avXf0w zX3HjbCI!n9>l046)5rr5&v5ja!xkKK42zmqHzPx$9Nn_MZk`gLeSLgC=LFf;H1O#B zn=8|^1iRrujHfbgA+8i<9jaXc;CQBAmQvMGQPhFec2H1knCK2x!T`e6soyrqCamX% zTQ4dX_E*8so)E*TB$*io{$c6X)~{aWfaqdTh=xEeGvOAN9H&-t5tEE-qso<+C!2>+ zskX51H-H}#X{A75wqFe-J{?o8Bx|>fTBtl&tcbdR|132Ztqu5X0i-pisB-z8n71%q%>EF}yy5?z=Ve`}hVh{Drv1YWL zW=%ug_&chF11gDv3D6B)Tz5g54H0mDHNjuKZ+)CKFk4Z|$RD zfRuKLW`1B>B?*RUfVd0+u8h3r-{@fZ{k)c!93t1b0+Q9vOaRnEn1*IL>5Z4E4dZ!7 ztp4GP-^1d>8~LMeb}bW!(aAnB1tM_*la=Xx)q(I0Y@__Zd$!KYb8T2VBRw%e$iSdZ zkwdMwd}eV9q*;YvrBFTv1>1+}{H!JK2M*C|TNe$ZSA>UHKk);wz$(F$rXVc|sI^lD zV^?_J!3cLM;GJuBMbftbaRUs$;F}HDEDtIeHQ)^EJJ1F9FKJTGH<(Jj`phE6OuvE) zqK^K`;3S{Y#1M@8yRQwH`?kHMq4tHX#rJ>5lY3DM#o@or4&^_xtBC(|JpGTfrbGkA z2Tu+AyT^pHannww!4^!$5?@5v`LYy~T`qs7SYt$JgrY(w%C+IWA;ZkwEF)u5sDvOK zGk;G>Mh&elvXDcV69J_h02l&O;!{$({fng9Rlc3ID#tmB^FIG^w{HLUpF+iB`|
NnX)EH+Nua)3Y(c z&{(nX_ht=QbJ%DzAya}!&uNu!4V0xI)QE$SY__m)SAKcN0P(&JcoK*Lxr@P zY&P=}&B3*UWNlc|&$Oh{BEqwK2+N2U$4WB7Fd|aIal`FGANUa9E-O)!gV`((ZGCc$ zBJA|FFrlg~9OBp#f7aHodCe{6= zay$6vN~zj1ddMZ9gQ4p32(7wD?(dE>KA2;SOzXRmPBiBc6g`eOsy+pVcHu=;Yd8@{ zSGgXf@%sKKQz~;!J;|2fC@emm#^_rnO0esEn^QxXgJYd`#FPWOUU5b;9eMAF zZhfiZb|gk8aJIw*YLp4!*(=3l8Cp{(%p?ho22*vN9+5NLV0TTazNY$B5L6UKUrd$n zjbX%#m7&F#U?QNOBXkiiWB*_tk+H?N3`vg;1F-I+83{M2!8<^nydGr5XX}tC!10&e z7D36bLaB56WrjL&HiiMVtpff|K%|*{t*ltt^5ood{FOG0<>k&1h95qPio)2`eL${YAGIx(b4VN*~nKn6E~SIQUuRH zQ+5zP6jfnP$S0iJ@~t!Ai3o`X7biohli;E zT#yXyl{bojG@-TGZzpdVDXhbmF%F9+-^YSIv|MT1l3j zrxOFq>gd2%U}?6}8mIj?M zc077Zc9fq(-)4+gXv?Az26IO6eV`RAJz8e3)SC7~>%rlzDwySVx*q$ygTR5kW2ds- z!HBgcq0KON9*8Ff$X0wOq$`T7ml(@TF)VeoF}x1OttjuVHn3~sHrMB++}f7f9H%@f z=|kP_?#+fve@{0MlbkC9tyvQ_R?lRdRJ@$qcB(8*jyMyeME5ns6ypVI1Xm*Zr{DuS zZ!1)rQfa89c~;l~VkCiHI|PCBd`S*2RLNQM8!g9L6?n`^evQNEwfO@&JJRme+uopQX0%Jo zgd5G&#&{nX{o?TQwQvF1<^Cg3?2co;_06=~Hcb6~4XWpNFL!WU{+CK;>gH%|BLOh7@!hsa(>pNDAmpcuVO-?;Bic17R}^|6@8DahH)G z!EmhsfunLL|3b=M0MeK2vqZ|OqUqS8npxwge$w-4pFVXFq$_EKrZY?BuP@Az@(k`L z`ViQBSk`y+YwRT;&W| z2e3UfkCo^uTA4}Qmmtqs+nk#gNr2W4 zTH%hhErhB)pkXR{B!q5P3-OM+M;qu~f>}IjtF%>w{~K-0*jPVLl?Chz&zIdxp}bjx zStp&Iufr58FTQ36AHU)0+CmvaOpKF;W@sMTFpJ`j;3d)J_$tNQI^c<^1o<49Z(~K> z;EZTBaVT%14(bFw2ob@?JLQ2@(1pCdg3S%E4*dJ}dA*v}_a4_P(a`cHnBFJxNobAv zf&Zl-Yt*lhn-wjZsq<9v-IsXxAxMZ58C@e0!rzhJ+D@9^3~?~yllY^s$?&oNwyH!#~6x4gUrfxplCvK#!f z$viuszW>MFEcFL?>ux*((!L$;R?xc*myjRIjgnQX79@UPD$6Dz0jutM@7h_pq z0Zr)#O<^y_K6jfY^X%A-ip>P%3saX{!v;fxT-*0C_j4=UMH+Xth(XVkVGiiKE#f)q z%Jp=JT)uy{&}Iq2E*xr4YsJ5>w^=#-mRZ4vPXpI6q~1aFwi+lQcimO45V-JXP;>(Q zo={U`{=_JF`EQj87Wf}{Qy35s8r1*9Mxg({CvOt}?Vh9d&(}iI-quvs-rm~P;eRA@ zG5?1HO}puruc@S{YNAF3vmUc2B4!k*yi))<5BQmvd3tr}cIs#9)*AX>t`=~{f#Uz0 z0&Nk!7sSZwJe}=)-R^$0{yeS!V`Dh7w{w5rZ9ir!Z7Cd7dwZcK;BT#V0bzTt>;@Cl z#|#A!-IL6CZ@eHH!CG>OO8!%G8&8t4)Ro@}USB*k>oEUo0LsljsJ-%5Mo^MJF2I8- z#v7a5VdJ-Cd%(a+y6QwTmi+?f8Nxtm{g-+WGL>t;s#epv7ug>inqimZCVm!uT5Pf6 
ziEgQt7^%xJf#!aPWbuC_3Nxfb&CFbQy!(8ANpkWLI4oSnH?Q3f?0k1t$3d+lkQs{~(>06l&v|MpcFsyAv zin6N!-;pggosR*vV=DO(#+}4ps|5$`udE%Kdmp?G7B#y%H`R|i8skKOd9Xzx8xgR$>Zo2R2Ytktq^w#ul4uicxW#{ zFjG_RNlBroV_n;a7U(KIpcp*{M~e~@>Q#Av90Jc5v%0c>egEdY4v3%|K1XvB{O_8G zkTWLC>OZKf;XguMH2-Pw{BKbFzaY;4v2seZV0>^7Q~d4O=AwaPhP3h|!hw5aqOtT@ z!SNz}$of**Bl3TK209@F=Tn1+mgZa8yh(Png%Zd6Mt}^NSjy)etQrF zme*llAW=N_8R*O~d2!apJnF%(JcN??=`$qs3Y+~xs>L9x`0^NIn!8mMRFA_tg`etw z3k{9JAjnl@ygIiJcNHTy02GMAvBVqEss&t2<2mnw!; zU`J)0>lWiqVqo|ex7!+@0i>B~BSU1A_0w#Ee+2pJx0BFiZ7RDHEvE*ptc9md(B{&+ zKE>TM)+Pd>HEmdJao7U@S>nL(qq*A)#eLOuIfAS@j`_sK0UEY6OAJJ-kOrHG zjHx`g!9j*_jRcJ%>CE9K2MVf?BUZKFHY?EpV6ai7sET-tqk=nDFh-(65rhjtlKEY% z@G&cQ<5BKatfdA1FKuB=i>CCC5(|9TMW%K~GbA4}80I5%B}(gck#Wlq@$nO3%@QP_ z8nvPkJFa|znk>V92cA!K1rKtr)skHEJD;k8P|R8RkCq1Rh^&}Evwa4BUJz2f!2=MH zo4j8Y$YL2313}H~F7@J7mh>u%556Hw0VUOz-Un@ZASCL)y8}4XXS`t1AC*^>PLwIc zUQok5PFS=*#)Z!3JZN&eZ6ZDP^-c@StY*t20JhCnbMxXf=LK#;`4KHEqMZ-Ly9KsS zI2VUJGY&PmdbM+iT)zek)#Qc#_i4uH43 z@T5SZBrhNCiK~~esjsO9!qBpaWK<`>!-`b71Y5ReXQ4AJU~T2Njri1CEp5oKw;Lnm)-Y@Z3sEY}XIgSy%xo=uek(kAAH5MsV$V3uTUsoTzxp_rF=tx zV07vlJNKtJhCu`b}*#m&5LV4TAE&%KtHViDAdv#c^x`J7bg z&N;#I2GkF@SIGht6p-V}`!F_~lCXjl1BdTLIjD2hH$J^YFN`7f{Q?OHPFEM$65^!u zNwkelo*5+$ZT|oQ%o%;rBX$+?xhvjb)SHgNHE_yP%wYkkvXHS{Bf$OiKJ5d1gI0j< zF6N}Aq=(WDo(J{e-uOecxPD>XZ@|u-tgTR<972`q8;&ZD!cep^@B5CaqFz|oU!iFj zU0;6fQX&~15E53EW&w1s9gQQ~Zk16X%6 zjG`j0yq}4deX2?Tr(03kg>C(!7a|b9qFI?jcE^Y>-VhudI@&LI6Qa}WQ>4H_!UVyF z((cm&!3gmq@;BD#5P~0;_2qgZhtJS|>WdtjY=q zLnHH~Fm!cxw|Z?Vw8*~?I$g#9j&uvgm7vPr#&iZgPP~v~BI4jOv;*OQ?jYJtzO<^y z7-#C={r7CO810!^s(MT!@@Vz_SVU)7VBi(e1%1rvS!?PTa}Uv`J!EP3s6Y!xUgM^8 z4f!fq<3Wer_#;u!5ECZ|^c1{|q_lh3m^9|nsMR1#Qm|?4Yp5~|er2?W^7~cl;_r4WSme_o68J9p03~Hc%X#VcX!xAu%1`R!dfGJCp zV*&m47>s^%Ib0~-2f$6oSgn3jg8m%UA;ArcdcRyM5;}|r;)?a^D*lel5C`V5G=c~k zy*w_&BfySOxE!(~PI$*dwG><+-%KT5p?whOUMA*k<9*gi#T{h3DAxzAPxN&Xws8o9Cp*`PA5>d9*Z-ynV# z9yY*1WR^D8|C%I@vo+d8r^pjJ$>eo|j>XiLWvTWLl(^;JHCsoPgem6PvegHb-OTf| 
zvTgsHSa;BkbG=(NgPO|CZu9gUCGr$8*EoH2_Z#^BnxF0yM~t`|9ws_xZ8X8iZYqh! zAh;HXJ)3P&)Q0(&F>!LN0g#bdbis-cQxyGn9Qgh`q+~49Fqd2epikEUw9caM%V6WgP)532RMRW}8gNS%V%Hx7apSz}tn@bQy!<=lbhmAH=FsMD?leawbnP5BWM0 z5{)@EEIYMu5;u)!+HQWhQ;D3_Cm_NADNeb-f56}<{41aYq8p4=93d=-=q0Yx#knGYfXVt z+kMxlus}t2T5FEyCN~!}90O_X@@PQpuy;kuGz@bWft%diBTx?d)_xWd_-(!LmVrh**oKg!1CNF&LX4{*j|) zIvjCR0I2UUuuEXh<9}oT_zT#jOrJAHNLFT~Ilh9hGJPI1<5`C-WA{tUYlyMeoy!+U zhA#=p!u1R7DNg9u4|QfED-2TuKI}>p#2P9--z;Bbf4Op*;Q9LCbO&aL2i<0O$ByoI z!9;Ght733FC>Pz>$_mw(F`zU?`m@>gE`9_p*=7o=7av`-&ifU(^)UU`Kg3Kw`h9-1 z6`e6+im=|m2v`pN(2dE%%n8YyQz;#3Q-|x`91z?gj68cMrHl}C25|6(_dIGk*8cA3 zRHB|Nwv{@sP4W+YZM)VKI>RlB`n=Oj~Rzx~M+Khz$N$45rLn6k1nvvD^&HtsMA4`s=MmuOJID@$s8Ph4E zAmSV^+s-z8cfv~Yd(40Sh4JG#F~aB>WFoX7ykaOr3JaJ&Lb49=B8Vk-SQT9%7TYhv z?-Pprt{|=Y5ZQ1?od|A<_IJU93|l4oAfBm?3-wk{O<8ea+`}u%(kub(LFo2zFtd?4 zwpN|2mBNywv+d^y_8#<$r>*5+$wRTCygFLcrwT(qc^n&@9r+}Kd_u@Ithz(6Qb4}A zWo_HdBj#V$VE#l6pD0a=NfB0l^6W^g`vm^sta>Tly?$E&{F?TTX~DsKF~poFfmN%2 z4x`Dc{u{Lkqz&y!33;X}weD}&;7p>xiI&ZUb1H9iD25a(gI|`|;G^NwJPv=1S5e)j z;U;`?n}jnY6rA{V^ zxTd{bK)Gi^odL3l989DQlN+Zs39Xe&otGeY(b5>rlIqfc7Ap4}EC?j<{M=hlH{1+d zw|c}}yx88_xQr`{98Z!d^FNH77=u(p-L{W6RvIn40f-BldeF-YD>p6#)(Qzf)lfZj z?3wAMtPPp>vMehkT`3gToPd%|D8~4`5WK{`#+}{L{jRUMt zrFz+O$C7y8$M&E4@+p+oV5c%uYzbqd2Y%SSgYy#xh4G3hQv>V*BnuKQhBa#=oZB~w{azUB+q%bRe_R^ z>fHBilnRTUfaJ201czL8^~Ix#+qOHSO)A|xWLqOxB$dT2W~)e-r9;bm=;p;RjYahB z*1hegN(VKK+ztr~h1}YP@6cfj{e#|sS`;3tJhIJK=tVJ-*h-5y9n*&cYCSdg#EHE# zSIx=r#qOaLJoVVf6v;(okg6?*L_55atl^W(gm^yjR?$GplNP>BZsBYEf_>wM0Lc;T zhf&gpzOWNxS>m+mN92N0{;4uw`P+9^*|-1~$uXpggj4- z^SFc4`uzj2OwdEVT@}Q`(^EcQ_5(ZtXTql*yGzdS&vrS_w>~~ra|Nb5abwf}Y!uq6R5f&6g2ge~2p(%c< z@O)cz%%rr4*cRJ5f`n@lvHNk@lE1a*96Kw6lJ~B-XfJW%?&-y?;E&?1AacU@`N`!O z6}V>8^%RZ7SQnZ-z$(jsX`amu*5Fj8g!3RTRwK^`2_QHe;_2y_n|6gSaGyPmI#kA0sYV<_qOZc#-2BO%hX)f$s-Z3xlI!ub z^;3ru11DA`4heAu%}HIXo&ctujzE2!6DIGE{?Zs>2}J+p&C$rc7gJC35gxhflorvsb%sGOxpuWhF)dL_&7&Z99=5M0b~Qa;Mo!j&Ti_kXW!86N%n= zSC@6Lw>UQ__F&+&Rzv?gscwAz8IP!n63>SP)^62(HK98nGjLY2*e^OwOq`3O|C92? 
z;TVhZ2SK%9AGW4ZavTB9?)mUbOoF`V7S=XM;#3EUpR+^oHtdV!GK^nXzCu>tpR|89 zdD{fnvCaN^^LL%amZ^}-E+214g&^56rpdc@yv0b<3}Ys?)f|fXN4oHf$six)-@<;W&&_kj z-B}M5U*1sb4)77aR=@%I?|Wkn-QJVuA96an25;~!gq(g1@O-5VGo7y&E_srxL6ZfS z*R%$gR}dyONgju*D&?geiSj7SZ@ftyA|}(*Y4KbvU!YLsi1EDQQCnb+-cM=K1io78o!v*);o<XwjaQH%)uIP&Zm?)Nfbfn;jIr z)d#!$gOe3QHp}2NBak@yYv3m(CPKkwI|{;d=gi552u?xj9ObCU^DJFQp4t4e1tPzM zvsRIGZ6VF+{6PvqsplMZWhz10YwS={?`~O0Ec$`-!klNUYtzWA^f9m7tkEzCy<_nS z=&<(awFeZvt51>@o_~>PLs05CY)$;}Oo$VDO)?l-{CS1Co=nxjqben*O1BR>#9`0^ zkwk^k-wcLCLGh|XLjdWv0_Hg54B&OzCE^3NCP}~OajK-LuRW53CkV~Su0U>zN%yQP zH8UH#W5P3-!ToO-2k&)}nFe`t+mdqCxxAHgcifup^gKpMObbox9LFK;LP3}0dP-UW z?Zo*^nrQ6*$FtZ(>kLCc2LY*|{!dUn$^RW~m9leoF|@Jy|M5p-G~j%+P0_#orRKf8 zvuu5<*XO!B?1E}-*SY~MOa$6c%2cM+xa8}_8x*aVn~57v&W(0mqN1W`5a7*VN{SUH zXz98DDyCnX2EPl-`Lesf`=AQT%YSDb`$%;(jUTrNen$NPJrlpPDP}prI>Ml!r6bCT;mjsg@X^#&<}CGf0JtR{Ecwd&)2zuhr#nqdgHj+g2n}GK9CHuwO zk>oZxy{vcOL)$8-}L^iVfJHAGfwN$prHjYV0ju}8%jWquw>}_W6j~m<}Jf!G?~r5&Rx)!9JNX!ts#SGe2HzobV5); zpj@&`cNcO&q+%*<%D7za|?m5qlmFK$=MJ_iv{aRs+BGVrs)98BlN^nMr{V_fcl_;jkzRju+c-y?gqBC_@J0dFLq-D9@VN&-`R9U;nv$Hg?>$oe4N&Ht$V_(JR3TG^! 
zzJsbQbi zFE6-{#9{G{+Z}ww!ycl*7rRdmU#_&|DqPfX3CR1I{Kk;bHwF6jh0opI`UV2W{*|nn zf_Y@%wW6APb&9RrbEN=PQRBEpM(N1w`81s=(xQj6 z-eO0k9=Al|>Ej|Mw&G`%q8e$2xVz1v4DXAi8G};R$y)ww638Y=9y$ZYFDM$}vzusg zUf+~BPX>(SjA|tgaFZr_e0{)+z9i6G#lgt=F_n$d=beAt0Sa0a7>z-?vcjl3e+W}+ z1&9=|vC=$co}-Zh*%3588G?v&U7%N1Qf-wNWJ)(v`iO5KHSkC5&g7CrKu8V}uQGcfcz zmBz#Lbqwqy#Z~UzHgOQ;Q-rPxrRNvl(&u6ts4~0=KkeS;zqURz%!-ERppmd%0v>iRlEf+H$yl{_8TMJzo0 z>n)`On|7=WQdsqhXI?#V{>+~}qt-cQbokEbgwV3QvSP7&hK4R{Z{aGHVS3;+h{|Hz z6$Js}_AJr383c_+6sNR|$qu6dqHXQTc6?(XWPCVZv=)D#6_;D_8P-=zOGEN5&?~8S zl5jQ?NL$c%O)*bOohdNwGIKM#jSAC?BVY={@A#c9GmX0=T(0G}xs`-%f3r=m6-cpK z!%waekyAvm9C3%>sixdZj+I(wQlbB4wv9xKI*T13DYG^T%}zZYJ|0$Oj^YtY+d$V$ zAVudSc-)FMl|54n=N{BnZTM|!>=bhaja?o7s+v1*U$!v!qQ%`T-6fBvmdPbVmro&d zk07TOp*KuxRUSTLRrBj{mjsnF8`d}rMViY8j`jo~Hp$fkv9F_g(jUo#Arp;Xw0M$~ zRIN!B22~$kx;QYmOkos@%|5k)!QypDMVe}1M9tZfkpXKGOxvKXB!=lo`p?|R1l=tA zp(1}c6T3Fwj_CPJwVsYtgeRKg?9?}%oRq0F+r+kdB=bFUdVDRPa;E~~>2$w}>O>v=?|e>#(-Lyx?nbg=ckJ#5U6;RT zNvHhXk$P}m9wSvFyU3}=7!y?Y z=fg$PbV8d7g25&-jOcs{%}wTDKm>!Vk);&rr;O1nvO0VrU&Q?TtYVU=ir`te8SLlS zKSNmV=+vF|ATGg`4$N1uS|n??f}C_4Sz!f|4Ly8#yTW-FBfvS48Tef|-46C(wEO_%pPhUC5$-~Y?!0vFZ^Gu`x=m7X99_?C-`|h zfmMM&Y@zdfitA@KPw4Mc(YHcY1)3*1xvW9V-r4n-9ZuBpFcf{yz+SR{ zo$ZSU_|fgwF~aakGr(9Be`~A|3)B=9`$M-TWKipq-NqRDRQc}ABo*s_5kV%doIX7LRLRau_gd@Rd_aLFXGSU+U?uAqh z8qusWWcvgQ&wu{|sRXmv?sl=xc<$6AR$+cl& zFNh5q1~kffG{3lDUdvEZu5c(aAG~+64FxdlfwY^*;JSS|m~CJusvi-!$XR`6@XtY2 znDHSz7}_Bx7zGq-^5{stTRy|I@N=>*y$zz>m^}^{d&~h;0kYiq8<^Wq7Dz0w31ShO^~LUfW6rfitR0(=3;Uue`Y%y@ex#eKPOW zO~V?)M#AeHB2kovn1v=n^D?2{2jhIQd9t|_Q+c|ZFaWt+r&#yrOu-!4pXAJuxM+Cx z*H&>eZ0v8Y`t}8{TV6smOj=__gFC=eah)mZt9gwz>>W$!>b3O;Rm^Ig*POZP8Rl0f zT~o=Nu1J|lO>}xX&#P58%Yl z83`HRs5#32Qm9mdCrMlV|NKNC+Z~ z9OB8xk5HJ>gBLi+m@(pvpw)1(OaVJKs*$Ou#@Knd#bk+V@y;YXT?)4eP9E5{J%KGtYinNYJUH9PU3A}66c>Xn zZ{Bn0<;8$WCOAL$^NqTjwM?5d=RHgw3!72WRo0c;+houoUA@HWLZM;^U$&sycWrFd zE7ekt9;kb0`lps{>R(}YnXlyGY}5pPd9zBpgXeJTY_jwaJGSJQC#-KJqmh-;ad&F- z-Y)E>!&`Rz!HtCz>%yOJ|v(u7P*I$jqEY3}(Z-orn4 
zlI?CYKNl`6I){#2P1h)y(6?i;^z`N3bxTV%wNvQW+eu|x=kbj~s8rhCR*0H=iGkSj zk23lr9kr|p7#qKL=UjgO`@UnvzU)`&fI>1Qs7ubq{@+lK{hH* zvl6eSb9%yngRn^T<;jG1SVa)eA>T^XX=yUS@NCKpk?ovCW1D@!=@kn;l_BrG;hOTC z6K&H{<8K#dI(A+zw-MWxS+~{g$tI7|SfP$EYKxA}LlVO^sT#Oby^grkdZ^^lA}uEF zBSj$weBJG{+Bh@Yffzsw=HyChS(dtLE3i*}Zj@~!_T-Ay7z=B)+*~3|?w`Zd)Co2t zC&4DyB!o&YgSw+fJn6`sn$e)29`kUwAc+1MND7YjV%lO;H2}fNy>hD#=gT ze+-aFNpyKIoXY~Vq-}OWPBe?Rfu^{ps8>Xy%42r@RV#*QV~P83jdlFNgkPN=T|Kt7 zV*M`Rh*30&AWlb$;ae130e@}Tqi3zx2^JQHpM>j$6x`#{mu%tZlwx9Gj@Hc92IuY* zarmT|*d0E~vt6<+r?W^UW0&#U&)8B6+1+;k^2|FWBRP9?C4Rk)HAh&=AS8FS|NQaZ z2j!iZ)nbEyg4ZTp-zHwVlfLC~tXIrv(xrP8PAtR{*c;T24ycA-;auWsya-!kF~CWZ zw_uZ|%urXgUbc@x=L=_g@QJ@m#5beS@6W195Hn7>_}z@Xt{DIEA`A&V82bc^#!q8$ zFh?z_Vn|ozJ;NPd^5uu(9tspo8t%&-U9Ckay-s@DnM*R5rtu|4)~e)`z0P-sy?)kc zs_k&J@0&0!q4~%cKL)2l;N*T&0;mqX5T{Qy60%JtKTQZ-xb%KOcgqwJmb%MOOKk7N zgq})R_6**{8A|6H?fO+2`#QU)p$Ei2&nbj6TpLSIT^D$|`TcSeh+)}VMb}LmvZ{O| ze*1IdCt3+yhdYVxcM)Q_V0bIXLgr6~%JS<<&dxIgfL=Vnx4YHuU@I34JXA|+$_S3~ zy~X#gO_X!cSs^XM{yzDGNM>?v(+sF#<0;AH^YrE8smx<36bUsHbN#y57K8WEu(`qHvQ6cAZPo=J5C(lSmUCZ57Rj6cx!e^rfaI5%w}unz}4 zoX=nt)FVNV%QDJH`o!u9olLD4O5fl)xp+#RloZlaA92o3x4->?rB4`gS$;WO{R;Z3>cG3IgFX2EA?PK^M}@%1%A;?f6}s&CV$cIyEr#q5;yHdNZ9h{| z-=dX+a5elJoDo?Eq&Og!nN6A)5yYpnGEp}?=!C-V)(*~z-+?kY1Q7qs#Rsy%hu_60rdbB+QQNr?S1 z?;xtjUv|*E3}HmuNyB9aFL5H~3Ho0UsmuMZELp1a#CA1g`P{-mT?BchuLEtK}!QZ=3AWakRu~?f9V~3F;TV`5%9Pcs_$gq&CcU}r8gOO zC2&SWPsSG{&o-LIGTBqp6SLQZPvYKp$$7L4WRRZ0BR$Kf0I0SCFkqveCp@f)o8W)! 
z$%7D1R`&j7W9Q9CGus_)b%+B#J2G;l*FLz#s$hw{BHS~WNLODV#(!u_2Pe&tMsq={ zdm7>_WecWF#D=?eMjLj=-_z`aHMZ=3_-&E8;ibPmM}61i6J3is*=dKf%HC>=xbj4$ zS|Q-hWQ8T5mWde6h@;mS+?k=89?1FU<%qH9B(l&O>k|u_aD|DY*@~(`_pb|B#rJ&g zR0(~(68fpUPz6TdS@4JT5MOPrqDh5_H(eX1$P2SQrkvN8sTxwV>l0)Qq z0pzTuvtEAKRDkKGhhv^jk%|HQ1DdF%5oKq5BS>szk-CIke{%js?~%@$uaN3^Uz6Wf z_iyx{bZ(;9y4X&>LPV=L=d+A}7I4GkK0c1Xts{rrW1Q7apHf-))`BgC^0^F(>At1* za@e7{lq%yAkn*NH8Q1{@{lKhRg*^TfGvv!Sn*ed*x@6>M%aaqySxR|oNadYt1mpUZ z6H(rupHYf&Z z29$5g#|0MX#aR6TZ$@eGxxABRKakDYtD%5BmKp;HbG_ZbT+=81E&=XRk6m_3t9PvD zr5Cqy(v?gHcYvYvXkNH@S#Po~q(_7MOuCAB8G$a9BC##gw^5mW16cML=T=ERL7wsk zzNEayTG?mtB=x*wc@ifBCJ|irFVMOvH)AFRW8WE~U()QT=HBCe@s$dA9O!@`zAAT) zaOZ7l6vyR+Nk_OOF!ZlZmjoImKh)dxFbbR~z(cMhfeX1l7S_`;h|v3gI}n9$sSQ>+3@AFAy9=B_y$)q;Wdl|C-X|VV3w8 z2S#>|5dGA8^9%Bu&fhmVRrTX>Z7{~3V&0UpJNEl0=N32euvDGCJ>#6dUSi&PxFW*s zS`}TB>?}H(T2lxBJ!V#2taV;q%zd6fOr=SGHpoSG*4PDaiG0pdb5`jelVipkEk%FV zThLc@Hc_AL1#D&T4D=w@UezYNJ%0=f3iVRuVL5H?eeZM}4W*bomebEU@e2d`M<~uW zf#Bugwf`VezG|^Qbt6R_=U0}|=k;mIIakz99*>FrsQR{0aQRP6ko?5<7bkDN8evZ& zB@_KqQG?ErKL=1*ZM9_5?Pq%lcS4uLSzN(Mr5=t6xHLS~Ym`UgM@D&VNu8e?_=nSFtF$u@hpPSmI4Vo_t&v?>$~K4y(O~Rb*(MFy_igM7 z*~yYUyR6yQgzWnWMUgDov!!g=lInM+=lOmOk4L`O?{i&qxy&D*_qorRbDwj6?)!ef z#JLd7F6Z2I$S0iYI={rZNk*<{HtIl^mx=h>Cim*04K4+Z4IJtd*-)%6XV2(MCscPiw_a+y*?BKbTS@BZ3AUao^%Zi#PhoY9Vib4N>SE%4>=Jco0v zH_Miey{E;FkdlZSq)e<{`+S3W=*ttvD#hB8w=|2aV*D=yOV}(&p%0LbEWH$&@$X3x~CiF-?ejQ*N+-M zc8zT@3iwkdRT2t(XS`d7`tJQAjRmKAhiw{WOqpuvFp`i@Q@!KMhwKgsA}%@sw8Xo5Y=F zhRJZg)O4uqNWj?V&&vth*H#je6T}}p_<>!Dr#89q@uSjWv~JuW(>FqoJ5^ho0%K?E z9?x_Q;kmcsQ@5=}z@tdljMSt9-Z3xn$k)kEjK|qXS>EfuDmu(Z8|(W?gY6-l z@R_#M8=vxKMAoi&PwnaIYw2COJM@atcgfr=zK1bvjW?9B`-+Voe$Q+H$j!1$Tjn+* z&LY<%)L@;zhnJlB^Og6I&BOR-m?{IW;tyYC%FZ!&Z>kGjHJ6cqM-F z&19n+e1=9AH1VrVeHrIzqlC`w9=*zfmrerF?JMzO&|Mmv;!4DKc(sp+jy^Dx?(8>1 zH&yS_4yL7m&GWX~mdfgH*AB4{CKo;+egw=PrvkTaoBU+P-4u?E|&!c z)DKc;>$$B6u*Zr1SjUh2)FeuWLWHl5TH(UHWkf zLs>7px!c5n;rbe^lO@qlYLzlDVp(z?6rPZel=YB)Uv&n!2{+Mb$-vQl=xKw( 
zve&>xYx+jW_NJh!FV||r?;hdP*jOXYcLCp>DOtJ?2S^)DkM{{Eb zS$!L$e_o0(^}n3tA1R3-$SNvgBq;DOEo}fNc|tB%%#g4RA3{|euq)p+xd3I8^4E&m zFrD%}nvG^HUAIKe9_{tXB;tl|G<%>yk6R;8L2)KUJw4yHJXUOPM>(-+jxq4R;z8H#>rnJy*)8N+$wA$^F zN+H*3t)eFEgxLw+Nw3};4WV$qj&_D`%ADV2%r zJCPCo%{=z7;`F98(us5JnT(G@sKTZ^;2FVitXyLe-S5(hV&Ium+1pIUB(CZ#h|g)u zSLJJ<@HgrDiA-}V_6B^x1>c9B6%~847JkQ!^KLZ2skm;q*edo;UA)~?SghG8;QbHh z_6M;ouo_1rq9=x$<`Y@EA{C%6-pEV}B(1#sDoe_e1s3^Y>n#1Sw;N|}8D|s|VPd+g z-_$QhCz`vLxxrVMx3ape1xu3*wjx=yKSlM~nFgkNWb4?DDr*!?U)L_VeffF<+!j|b zZ$Wn2$TDv3C3V@BHpSgv3JUif8%hk%OsGZ=OxH@8&4`bbf$`aAMchl^qN>Eyu3JH} z9-S!x8-s4fE=lad%Pkp8hAs~u?|uRnL48O|;*DEU! zuS0{cpk%1E0nc__2%;apFsTm0bKtd&A0~S3Cj^?72-*Owk3V!ZG*PswDfS~}2<8le z5+W^`Y(&R)yVF*tU_s!XMcJS`;(Tr`J0%>p=Z&InR%D3@KEzzI+-2)HK zuoNZ&o=wUC&+*?ofPb0a(E6(<2Amd6%uSu_^-<1?hsxs~0K5^f(LsGqgEF^+0_H=uNk9S0bb!|O8d?m5gQjUKevPaO+*VfSn^2892K~%crWM8+6 z25@V?Y@J<9w%@NXh-2!}SK_(X)O4AM1-WTg>sj1{lj5@=q&dxE^9xng1_z9w9DK>| z6Iybcd0e zyi;Ew!KBRIfGPGytQ6}z}MeXCfLY0?9%RiyagSp_D1?N&c{ zyo>VbJ4Gy`@Fv+5cKgUgs~na$>BV{*em7PU3%lloy_aEovR+J7TfQKh8BJXyL6|P8un-Jnq(ghd!_HEOh$zlv2$~y3krgeH;9zC}V3f`uDtW(%mT#944DQa~^8ZI+zAUu4U(j0YcDfKR$bK#gvn_{JZ>|gZ5+)u?T$w7Q%F^;!Wk?G z(le7r!ufT*cxS}PR6hIVtXa)i`d$-_1KkyBU>qmgz-=T};uxx&sKgv48akIWQ89F{ z0XiY?WM^~;|T8zBOr zs#zuOONzH?svv*jokd5SK8wG>+yMC)LYL|vLqm^PMHcT=`}V$=nIRHe2?h)8WQa6O zPAU}d`1y(>kZiP~Gr=mtJLMu`i<2CspL|q2DqAgAD^7*$xzM`PU4^ga`ilE134XBQ z99P(LhHU@7qvl9Yzg$M`+dlS=x^(m-_3t|h>S}E0bcFMn=C|KamQ)=w2^e)35p`zY zRV8X?d;s^>Cof2SPR&nP3E+-LCkS0J$H!eh8~k0qo$}00b=7!H_I2O+Ro@3O$nPdm ztmbOO^B+IHzQ5w>@@@J4cKw5&^_w6s!s=H%&byAbUtczPQ7}wfTqxxtQNfn*u73Qw zGuWsrky_ajPx-5`R<)6xHf>C(oqGf_Fw|-U*GfS?xLML$kv;h_pZ@Kk$y0X(S+K80 z6^|z)*`5VUkawg}=z`S;VhZhxyDfrE0$(PMurAxl~<>lfZa>JZ288ULK7D` zl9|#L^JL}Y$j*j`0-K6kH#?bRmg#5L3iB4Z)%iF@SqT+Lp|{i`m%R-|ZE94Np7Pa5 zCqC^V3}B(FR340pmF*qaa}M}+h6}mqE~7Sh!9bDv9YRT|>vBNAqv09zXHMlcuhKD| zcjjA(b*XCIwJ33?CB!+;{)vX@9xns_b-VO{i0y?}{!sdXj1GM8+$#v>W7nw;+O_9B z_{4L;C6ol?(?W0<6taGEn1^uG=?Q3i29sE`RfYCaV$3DKc_;?HsL?D_fSYg}SuO5U 
zOB_f4^vZ_x%o`5|C@9C5+o=mFy@au{s)sKw!UgC&L35aH(sgDxRE2De%(%OT=VUdN ziVLEmdOvJ&5*tCMKRyXctCwQu_RH%;m*$YK&m;jtbdH#Ak~13T1^f89tn`A%QEHWs~jnY~E}p_Z$XC z=?YXLCkzVSK+Id`xZYTegb@W8_baLt-Fq`Tv|=)JPbFsKRm)4UW;yT+J`<)%#ue9DPOkje)YF2fsCilK9MIIK>p*`fkoD5nGfmLwt)!KOT+> zOFq*VZktDDyM3P5UOg`~XL#cbzC}eL%qMB=Q5$d89MKuN#$6|4gx_Jt0Gfn8w&q}%lq4QU%6#jT*MRT% zrLz~C8FYKHawn-EQWN1B75O&quS+Z81(zN)G>~vN8VwC+e+y(`>HcxC{MrJ;H1Z4k zZWuv$w_F0-Ub%MVcpIc){4PGL^I7M{>;hS?;eH!;gmcOE66z3;Z1Phqo(t zVP(Hg6q#0gIKgsg7L7WE!{Y#1nI(45tx2{$34dDd#!Z0NIyrm)HOn5W#7;f4pQci# zDW!FI(g4e668kI9{2+mLwB+=#9bfqgX%!B34V-$wwSN(_cm*^{y0jQtv*4}eO^sOV z*9xoNvX)c9isB}Tgx&ZRjp3kwhTVK?r9;n!x>^XYT z@Q^7zp{rkIs{2mUSE^2!Gf6$6;j~&4=-0cSJJDizZp6LTe8b45;{AKM%v99}{{FfC zz709%u0mC=1KXTo(=TqmZQ;c?$M3z(!xah>aywrj40sc2y3rKFw4jCq+Y+u=CH@_V zxz|qeTwa>+<|H%8Dz5u>ZI5MmjTFwXS-Fv!TDd*`>3{krWoNVx$<133`(ftS?ZPyY z&4@ah^3^i`vL$BZa>O|Nt?ucewzsF)0zX3qmM^|waXr=T0pfIb0*$AwU=?Ipl|1Y; z*Pk6{C-p4MY;j@IJ|DW>QHZQJcp;Z~?8(Q+Kk3^0qJ}SCk^*n4W zu9ZFwLHUx-$6xvaQ)SUQcYd6fF8&x)V`1bIuX@>{mE$b|Yd(qomn3;bPwnDUc0F=; zh*6_((%bqAYQWQ~odER?h>1mkL4kpb3s7`0m@rDKGU*oyF)$j~Ffd4fXV$?`f~rHf zB%Y)@5SXZvfwm10RY5X?TEo)PK_`L6qgBp=#>fO49$D zDq8Ozj0q6213tV5Qq=;fZ0$|KroY{Dz=l@lU^J)?Ko@ti20TRplXzphBi>XGx4bou zEWrkNjz0t5j!_ke{g5I#PUlEU$Km8g8TE|XK=MkU@PT4T><2OVamoK;wJ}3X0L$vX zgd7gNa359*nc)R-0!`2X@FOTB`+oETOPc=ubp5R)VQgY+5BTZZJ2?9QwnO=dnulIUF3gFn;BODC2)65)HeVd%t86sL7Rv^Y+nbn+&l z6BAJY(ETvwI)Ts$aiE8rht4KD*qNyE{8{x6R|%akbTBzw;2+6Echkt+W+`u^XX z_z&x%n7)art9Bu0Pcm@7C z@c%WG|JzYkP)<@zR9S^iR_sA`azaL$mTnGKnwDyMa;8yL_0^>Ba^)phg0L5rOPTbm7g*YIRLg-2^{qe^`rb!2KqS zk~5wEJtTdD?)3+}=eby3x6%i)sb+m??NHC^u=tcG8p$TzB<;FL(WrZGV&cDQb?O0GMe6PBV=V z?tTO*5_HTW$xea!nkc~Cnx#cL_rrUGWPRa6l+A{aiMY=<0@8y5OC#UcGeE#I>nWh}`#M#kIn-$A;q@u-p71b#hcSItS!IPw?>8 zvzb|?@Ahb22L(O4#2Sre&l9H(@TGT>#Py)D&eW-LNb!=S;I`ZQ{w;MaHW z#to!~TVLgho_Pm%zq@o{K3Xq?I|MVuVSl^QHnT~sHlrVxgsqD-+YD?Nz9@HA<;x2AQjxP)r6Femg+LJ-*)k%EZ}TTRw->5xOY z9#zKJqjZgC47@AFdk1$W+KhTQJKn7e>A&?@-YOy!v_(}GyV@9G#I?bsuto4JEp;5|N{orxi_?vTI4UF0HYcA( 
zKyGZ4<7Fk?&LZMQb6k10N%E*$gr#T&HsY4SPQ?yerqRz5c?5P$@6dlD6UQwZJ*Je9 z7n-@7!(OVdU-mg@5$D+R%gt82Lt%&n6Yr4=|q>XT%&^z_D*f*ug8N6w$`woqeS-+#RAOfSY&Rz z?1qYa5xi(7eTCrzCFJfCxc%j{J}6#)3^*VRKF;w+`|1n;Xaojr2DI{!<3CaP`#tXs z*`pBQ5k@JLKuCmovFDqh_`Q;+^@t_;SDm29 zCNSdWXbV?9;D4VcoV`FZ9Ggrr$i<&#Dx3W=8>bSQIU_%vf)#(M2Kd3=rN@^d=QAtC zI-iQ;;GMk|&A++W5#hK28W(YqN%?!yuW8(|Cf`@FOW5QbX|`97fxmV;uXvPCqxBD zJ9iI37iV)5TW1R+fV16y;6}2tt~|0J3U4E=wQh@sx{c_eu)t=4Yoz|%Vp<#)Qlh1V z0@C2ZtlT>5gdB6W)_bhXtcZS)`9A!uIOa`K04$5>3&8An+i9BD&GvZZ=7#^r=BN=k za+=Go;qr(M)B~KYAz|<^O3LJON}$Q6Yuqn8qu~+UkUKK~&iM%pB!BO49L+?AL7N7o z(OpM(C-EY753=G=WwJHE`h*lNLMNP^c^bBk@5MyP5{v7x>GNWH>QSgTe5 z!*GPkQ(lcbEs~)4ovCu!Zt&$${9$u(<4@9%@{U<-ksAqB?6F`bQ;o-mvjr)Jn7F&j$@`il1Mf+-HdBs<-`1FahTxmPMMI)@OtI&^mtijW6zGZ67O$UOv1Jj z;a3gmw~t|LjPkW3!EZ=)lLUhFzvO;Yvj9g`8hm%6u`;cuek_b-c$wS_0M4-N<@3l|88 z@V{Sd|M;4+H6guqMm4|v=C6B7mlpP(+It%0E;W`dxMOf9!jYwWj3*MRk`KpS_jx4c z=hrKBkFK;gq@;wUV2eqE3R$M+iUc+UD0iEl#-rECK+XmH9hLKrC={j@uF=f3UiceB zU5l$FF7#RKjx+6!JHMG5-!@zI-eG=a-!Bs^AFKqN_M26%cIIcSs61R$yuq@5a3c3& z4%zLs!g}+C5%`ja?F`?5-og0lv-;(^e<`r~p$x%&*89_Aye1N)9LNVk?9BwY$Y$$F^!JQAjBJvywXAesj7lTZ)rXuxv(FFNZVknJha99lN=^h`J2> zl5=~(tKwvHHvh|9-41@OV`c;Ws--PE%{7d2sLNbDp;A6_Ka6epzOSFdqb zBa0m3j~bT*q1lslHsHqaHIP%DF&-XMpCRL(v;MV#*>mB^&)a=HfLI7efblG z(@hzN`|n+oH9;qBklb=d^S0joHCsArnR1-h{*dIUThik>ot^!6YCNjg;J_i3h6Rl0ji)* zo(tQ~>xB!rUJ(nZjCA^%X;)H{@>uhR5|xBDA=d21p@iJ!cH?+%U|VSh2S4@gv`^)^ zNKD6YlVo$%b4W^}Rw>P1YJ|fTb$_(7C;hH+ z1XAMPb6*p^h8)e5nNPKfeAO}Ik+ZN_`NrADeeJOq4Ak;sD~ zTe77no{Ztdox56Xi4UE6S7wRVxJzWxKj;B%v7|FZ3cV9MdfFp7lWCi+W{}UqekdpH zdO#eoOuB3Fu!DU`ErfeoZWJbWtRXUeBzi zBTF-AI7yMC^ntG+8%mn(I6Dw}3xK8v#Ly{3w3_E?J4(Q5JBq~I>u3!CNp~Ekk&YH` z#383VO4O42NNtcGkr*K<+wYZ>@|sP?`AQcs5oqX@-EIqgK@Pmp5~p6O6qy4ml~N{D z{=jQ7k(9!CM3N3Vt|u@%ssTw~r~Z(}QvlROAkQQ?r8OQ3F0D$aGLh zny+uGnH5muJ<67Z=8uilKvGuANrg@s3Vu_lU2ajb?rIhuOd^E@l!Kl0hYIxOP1B~Q zggUmXbh$bKL~YQ#!4fos9UUVG#}HN$lIkM<1OkU@r>$7DYYe37cXYwfK@vrHwm;pg zbh(hEU|8{*d$q7LUm+x&`S@VbW*&p-sWrplWnRM|I{P;I;%U`WmYUCeJhYc|>5?&& 
zj}@n}w~Oo=l}iwvi7K6)osqa;M8>fRe}>^;bLBrgA;r^ZGgY@IC^ioRmnE&H4)UV5 zO{7egQ7sBAdoqGsso5q4R(4$4Tjm&&C|7Huz&5B0wXoJzZzNc5Bt)=SOI|H}+fbit z-PiF5(NHSy>4HPMrNc@SuEMDuKYMQ--G+qeUPqO_9mOsg%1EHpqoX^yNd~~kbo`cH zlV0iAkBFTn;rVb>EK^V6?T~t~3vm;csx+lUh_%ROFPy0(omy7+_wYjN!VRDtwDu^h4n|xpAMsLepm% zggvs;v8+isCW`>BckRz1MQ=l>K6k^DdT`~sDXTWQ<~+JtY;I~I>8XsAq3yXgxe>`O zZdF*{9@Z|YtS$QrVaB!8&`&^W->_O&-JXn1n&~}o3Z7FL1QE5R*W2W@=u|w~7%EeC1aRfGtJWxImfY-D3t!!nBkWM> zafu>^Lz-ONgT6ExjV4WhN!v~u{lt2-QBN&UxwnvdH|I%LS|J-D;o>@@sA62@&yew0 z)58~JSZP!(lX;da!3`d)D1+;K9!lyNlkF|n(UduR-%g>#{`pvrD^ClddhJyfL7C-(x+J+9&7EsC~^O`&}V%)Ut8^O_7YAXPDpzv8ir4 zl`d)(;imc6r16k_d^)PJZ+QPxxVJS5e^4wX9D=V2zH&wW0-p&OJe=}rX`*->XT=;_qI&)=WHkYnZx6bLoUh_)n-A}SF_ z9z7agNTM5W6}}ui=&Qs@pO5$zHsOWIbd_&%j^Ok5PJ3yUWQw*i4*iKO)_er2CDUME ztt+{Egod~W-fn^aLe)aBz)MOc_?i-stTj}~iFk7u^-gGSbU;Iem06SDP=AEw9SzuF zeZ|hKCG3MV(z_PJg0(JbqTRf4T{NUt%kz&}4S`)0I%}ZrG!jgW2GwP=WTtkWS?DOs znI9LY!dK+1_H0h+i-_~URb^M;4&AMrEO_UlDV8o?E>^3x%ZJyh$JuDMrtYL8|G3If zPf2_Qb_W+V?$#O; zydKFv*%O;Y@o_T_UAYuaqx1isMKZ^32JtgeceA$0Z@Ck0;lHbS%N5)zzAW9iz; z8tTKeK7&qw!8XVz-+pz>z-BeIzr*#r0nB^cntjQ9@Y-N0=e&ZK72vlzX>f3RT@i7@ z=z`m7jNk!9%^xD0ug%ptZnM>F;Qu$rlwo}vRGBIymPL)L|x}nan3uFUw(&N z24gdkcb7!Q56{0<+zu zEtc5WzG2xf%1<@vo$ZsuOK{v9gx^0`gw>@h>ZMLy*h+6ueoie{D#}}` zK2@6Xxq(uZaLFC%M!2}FX}ab%GQ8A0QJ?&!vaI8Gv=vMhd);6kGguDmtuOElru()) zuRk&Z{?Vp!G~F<1#s&6io1`poBqpRHyM^p;7!+L??_DzJ8s9mYFMQ0^%_3ft7g{PD zZd}8E4EV}D!>F?bzcX=2hHR_P`Xy6?FOK)mCj)Ym4s2hh z0OlOdQa@I;^-3bhB6mpw*X5=0kJv8?#XP~9){G-+0ST@1Roz1qi8PhIXp1D$XNqVG zMl>WxwT+K`SdO1RCt4FWTNy3!i?N>*-lbnn#OxFJrswgD7HjuKpWh*o@QvgF&j+CT z{55~ZsUeR1aB}lv#s_7~+9dCix!5(KR#c?K?e2B%P$fvrsZxy@GP#R#jwL{y#Ld$} z7sF>QT6m|}?V;msb?Nlohj7a5W_D$y+4O6eI;Zt$jVGymlzLKscqer9#+p2$0It&u zWY!dCeM6^B^Z;ddEmhi?8`scl=Lhi7W%2|pT6X6^%-=q90DS(hQ-%c+E*ywPvmoF(KqDoW4!*gmQIklm zk#!GLqv|cs(JRF3G?=AYY19{w@~`G3pa z@xR9S-Hquh*&5Yas*VI};(%9%PADn`kzm zeWMJVW=>>wap*9|R7n#!&&J>gq04>DTCMtj{P^d12|2wXTEKvSf?$AvnE!peqV7i4 zE>0G%CSn%WCW1yre?yi9*aFP{GvZ|R4JT}M%x_%Hztz2qw?&28l&qW<6?c6ym{f$d 
z5YCF+k#yEbjCN|AGi~-NcCG8MCF1!MXBFL{#7q z)HO+WW173?kuI}^Xat;Q^gb4Hi0RGyB}%|~j8>`6X4CPo+|okMbKy9PHkr58V4bX6<&ERU)QlF8%%huUz&f+dwTN|tk+C&&o@Q1RtG`}6&6;ncQuAcfHoxd5AgD7`s zXynq41Y`zRSiOY@*;&1%1z>oNcWTV|)sjLg1X8ijg1Y zbIGL0X*Sd}EXSQ2BXCKbJmlckY(@EWn~Ut2lYeuw1wg?hhj@K?XB@V_ZP`fyL~Yd3n3SyHU-RwMBr6t-QWE5TinN9VD4XVPU; zonIIR!&pGqrLQK)=#kj40Im%V@ij0&Dh0*s!lnTw+D`Dt-xmk-jmpJv$1-E-vfYL4 zqKr#}Gm}~GPE+&$PI@4ag@=M}NYi7Y&HW82Q`@Y=W&PE31D110@yy(1vddLt`P%N^ z>Yz195A%tnt~tvsSR2{m!~7HUc@x<&`lGX1nYeQUE(%sphTi>JsVqSw8xql*Ys@9B z>RIOH*rFi*C`ohwXjyeRBDt8p)-u{O+KWP;$4gg||%*u{$~yEj+Al zE(hAQRQ1k7MkCq9s4^N3ep*$h^L%2Vq?f?{+cicpS8lo)$Cb69b98au+m2J_e7nYwID0@`M9XIo1H~|eZFc8Hl!qly612ADCVpU zY8^*RTMX(CgehD{9v|^9vZ6Rab`VeZ2m*gOR)Mw~73QEBiktViBhR!_&3l$|be|d6 zupC`{g89Y|V3uxl2!6CM(RNpdtynaiJ~*DqSTq9Mh`ohZnb%^3G{k;6%n18$4nAqR zjPOrP#-^Y9;iw{J@XH9=g5J+yEVh|e=4UeY<^65`%gWtdQ=-aqSgtywM(1nKXh`R4 zzPP&7r)kv_uC7X9n=h=!Zrf<>X=B5f<9~Q>h#jYRD#CT7D~@6@RGNyO-#0iq0uHV1 zPJr2O4d_xLmg2^TmG7|dpfJ?GGa`0|YE+`2Rata9!?$j#e9KfGYuLL(*^z z!SxFA`$qm)q-YKh)WRJZ@S+-sD_1E$V?;(?^+F3tVcK6 z2fE=8hV*2mgiAbefU^uvcM?&+Y&E}vG=Iz!%jBF7iv){lyC`)*yyS~D8k+Mx|N3bm zI~L~Z$=W9&`x)JnO;8c>3LSDw!fzN#X3qi|0`sXY4?cz{*#xz!kvZ9bO=K3XbN z5KrgN=&(JbXH{Wsu9EdmQ-W`i!JWEmfI;yVTT^a-8Ch#D8xf2dtyi?7p z%#)W3n*a#ndFpd{qN|+9Jz++AJQO#-Y7Z6%*%oyEP5zs}d&kKIr`FVEY z;S}@d?UU=tCdw~EJ{b}=9x}S2iv!!8<$?d7VKDA8h{oeD#S-$DV)-vPdGY@x08n)@ zag?yLF_E#evvRTj4^CcrLvBL=fft&@HOhZ6Ng4`8ijt&h2y}fOTC~7GfJi4vpomA5 zOcOM)o_I9BKz}I`q)fu+Qnfy*W`|mY%LO>eF^a z;$)?T4F-(X#Q-m}!-k8L_rNPf`Mr<9IWu)f&dvt=EL+ESYmCvErd@8B9hd)afc(ZL94S z?rp#h&{7Ah5IJftK4VjATklo7@hm?8BX*~oBiz)jyc9FuRw!-V;Uo>p!CWpLaIQyt zAs5WN)1CCeux-qiGdmbIk8LR`gM+Qg=&Ve}w?zA6+sTL)abU=-cvU`3E?p5$Hpkxw znu0N659qR=IKnde*AEz_7z2pdi_Bh-sb3b=PdGO1Pdf_q2;+*Cx9YN7p_>rl``knY zRn%aVkcv1(W;`Mtp_DNOIECtgq%ufk-mu_<+Fu3Q17Tq4Rr(oeq)Yqk_CHA7LR@7@ zIZIDxxhS&=F2IQfusQ+Nsr%*zFK7S4g!U0y@3H^Yln|i;0a5+?RPG;ZSp6Tul>ezM z`40+516&719qT)mW|ArDSENle5hE2e8qY+zfeZoy12u&xoMgcP)4=&P-1Ib*-bAy` 
zlT?>w&B|ei-rCXO;sxo7*G;!)_p#%PAM-?m$JP(R%x1Hfas@KeaG%LO?R=lmkXc_MKZW}3f%KZ*rAN?HYvbu2L$ zRt_uv7~-IejlD1x;_AhwGXjB94Q=%+PbxuYzta*jw?S&%|qb=(JfJ?&6P=R7X zV%HP_!@-zO*zS}46g=J}#AMJ}rtWBr21e6hOn&tEmaM%hALH7nlm2@LP4rZ>2 zebe5aH@k!e?ij4Zwak#30|}>;`bquDQK*xmR=zc6vj0yuyC6+U=LusGnO3ZKFRpen z#pwzh!<+WBVp-!$MAc<0i~I%fW=8IO6K}bJ<-Scq>e+)951R~HKB?Mx2H}pxPHE@} zvqpq5j81_jtb_WneAvp<5kgdPKm|u2BdQx9%EzcCN&U{l+kbkhmV<1}yCTDv%&K^> zg;KCjwh*R1f_`6`si$h6`jyIKT7rTv5#k~x$mUyIw)_>Vr)D4fwIs@}{FSX|5GB1l z4vv;@oS@>Bu7~{KgUa_8eg#Lk6IDT2IY$41$*06{>>V;Bwa(-@N;ex4;D`(QK*b}{ z{#4$Hmt)FLqERgKz=3zXiV<{YX6V)lvYBr3V>N6ajeI~~hGR5Oe>W9r@sg)Na(a4- zxm%|1OKPN6^%JaD^^O~HbLSu=f`1px>RawOxLr+1b2^28U*2#h*W^=lSpSY4(@*^l z{!@9RSLG8Me&RJYLi|?$c!B0fP=4xAM4rerxX{xy{&i6=AqXueQAIBqO+pmuxy8Ib z4X^}r!NN3-upC6B#lt7&x0J;)nb9O~xjJMemm$_fHuP{DgtlU3xiW0UesTzS30L+U zQzDI3p&3dpONhd5I8-fGk^}@unluzu%nJ$9pzoO~Kk!>dLxw@M)M9?pNH1CQhvA`z zV;uacUtnBTdvT`M$1cm9`JrT3BMW!MNVBy%?@ZX%;(%(vqQAz<7I!hlDe|J3cn9=} zF7B;V4xE{Ss76s$W~%*$JviK?w8^vqCp#_G^jN0j>~Xq#Zru26e#l3H^{GCLEXI#n z?n~F-Lv#hU(bZS`EI9(xGV*jT=8R?CaK)t8oHc9XJ;UPY0Hz$XWt#QyLBaaz5+}xM zXk(!L_*PTt7gwWH*HLWC$h3Ho!SQ-(I||nn_iEC{WT3S{3V{8IN6tZ1C+DiFM{xlI zeMMk{o5;I6UvaC)@WKp9D+o?2Vd@4)Ue-nYci()hCCsKR`VD;hr9=vA!cgGL%3k^b(jADGyPi2TKr(JNh8mzlIR>n(F_hgiV(3@Ds(tjbNM7GoZ;T|3 zWzs8S`5PrA!9){jBJuX4y`f<4;>9*&NY=2Sq2Bp`M2(fox7ZhIDe!BaQUb@P(ub9D zlP8!p(AN&CwW!V&>H?yPFMJ)d5x#HKfwx;nS{Rr@oHqpktOg)%F+%1#tsPtq7zI$r zBo-Kflhq-=7_eW9B2OQv=@?|y0CKN77)N;z@tcg;heyW{wlpJ1t`Ap!O0`Xz{YHqO zI1${8Hag^r!kA<2_~bYtM=<1YzQ#GGP+q?3T7zYbIjN6Ee^V^b&9en$8FI*NIFg9G zPG$OXjT0Ku?%L7fat8Mqbl1`azf1ltmKTa(HH$Dqlav|rU{zP;Tbnk-XkGFQ6d+gi z-PXh?_kEJl+K98&OrmzgPIijB4!Pozbxd0H1;Usy!;V>Yn6&pu*zW8aYx`SC!$*ti zSn+G9p=~w6V(fZZHc>m|PPfjK6IN4(o=IFu?pC?+`UZAUTw!e`052{P=8vqT^(VeG z=psASIhCv28Y(;7;TuYAe>}BPk5Qg=8$?wZj9lj>h2kwEfF_CpK=+O6Rq9pLn4W)# zeXCKCpi~jsfqw7Taa0;!B5_C;B}e56W1s8@p*)SPzA;Fd$Slsn^=!_&!mRHV*Lmt| zBGIDPuR>CgS4%cQ4wKdEyO&Z>2aHmja;Pz+n|7(#l%^2ZLCix%>@_mbnyPEbyrHaz 
z>j^4SIv;ZXF-Ftzz>*t4wyq)ng8%0d;(Z_ExZ-cxwei=8{(br-`JYO(f23Wae_MqE z3@{Mlf^%M5G1SIN&en1*| zH~ANY1h3&WNsBy$G9{T=`kcxI#-X|>zLX2r*^-FUF+m0{k)n#GTG_mhG&fJfLj~K& zU~~6othMlvMm9<*SUD2?RD+R17|Z4mgR$L*R3;nBbo&Vm@39&3xIg;^aSxHS>}gwR zmzs?h8oPnNVgET&dx5^7APYx6Vv6eou07Zveyd+^V6_LzI$>ic+pxD_8s~ zC<}ucul>UH<@$KM zT4oI=62M%7qQO{}re-jTFqo9Z;rJKD5!X5$iwUsh*+kcHVhID08MB5cQD4TBWB(rI zuWc%CA}}v|iH=9gQ?D$1#Gu!y3o~p7416n54&Hif`U-cV?VrUMJyEqo_NC4#{puzU zzXEE@UppeeRlS9W*^N$zS`SBBi<@tT+<%3l@KhOy^%MWB9(A#*J~DQ;+MK*$rxo6f zcx3$3mcx{tly!q(p2DQrxcih|)0do_ZY77pyHGE#Q(0k*t!HUmmMcYFq%l$-o6%lS zDb49W-E?rQ#Hl``C3YTEdGZjFi3R<>t)+NAda(r~f1cT5jY}s7-2^&Kvo&2DLTPYP zhVVo-HLwo*vl83mtQ9)PR#VBg)FN}+*8c-p8j`LnNUU*Olm1O1Qqe62D#$CF#?HrM zy(zkX|1oF}Z=T#3XMLWDrm(|m+{1&BMxHY7X@hM_+cV$5-t!8HT(dJi6m9{ja53Yw z3f^`yb6Q;(e|#JQIz~B*=!-GbQ4nNL-NL z@^NWF_#w-Cox@h62;r^;Y`NX8cs?l^LU;5IWE~yvU8TqIHij!X8ydbLlT0gwmzS9} z@5BccG?vO;rvCs$mse1*ANi-cYE6Iauz$Fbn3#|ToAt5v7IlYnt6RMQEYLldva{~s zvr>1L##zmeoYgvIXJ#>bbuCVuEv2ZvZ8I~PQUN3wjP0UC)!U+wn|&`V*8?)` zMSCuvnuGec>QL+i1nCPGDAm@XSMIo?A9~C?g2&G8aNKjWd2pDX{qZ?04+2 zeyLw}iEd4vkCAWwa$ zbrHlEf3hfN7^1g~aW^XwldSmx1v~1z(s=1az4-wl} z`mM+G95*N*&1EP#u3}*KwNrPIgw8Kpp((rdEOO;bT1;6ea~>>sK+?!;{hpJ3rR<6UJb`O8P4@{XGgV%63_fs%cG8L zk9Fszbdo4tS$g0IWP1>t@0)E%-&9yj%Q!fiL2vcuL;90fPm}M==<>}Q)&sp@STFCY z^p!RzmN+uXGdtPJj1Y-khNyCb6Y$Vs>eZyW zPaOV=HY_T@FwAlleZCFYl@5X<<7%5DoO(7S%Lbl55?{2vIr_;SXBCbPZ(up;pC6Wx={AZL?shYOuFxLx1*>62;2rP}g`UT5+BHg(ju z&7n5QSvSyXbioB9CJTB#x;pexicV|9oaOpiJ9VK6EvKhl4^Vsa(p6cIi$*Zr0UxQ z;$MPOZnNae2Duuce~7|2MCfhNg*hZ9{+8H3?ts9C8#xGaM&sN;2lriYkn9W>&Gry! 
z3b(Xx1x*FhQkD-~V+s~KBfr4M_#0{`=Yrh90yj}Ph~)Nx;1Y^8<418tu!$1<3?T*~ z7Dl0P3Uok-7w0MPFQexNG1P5;y~E8zEvE49>$(f|XWtkW2Mj`udPn)pb%} zrA%wRFp*xvDgC767w!9`0vx1=q!)w!G+9(-w&p*a@WXg{?T&%;qaVcHo>7ca%KX$B z^7|KBPo<2;kM{2mRnF8vKm`9qGV%|I{y!pKm8B(q^2V;;x2r!1VJ^Zz8bWa)!-7a8 zSRf@dqEPlsj!7}oNvFFAA)75})vTJUwQ03hD$I*j6_5xbtd_JkE2`IJD_fQ;a$EkO z{fQ{~e%PKgPJsD&PyEvDmg+Qf&p*-qu!#;1k2r_(H72{^(Z)htgh@F?VIgK#_&eS- z$~(qInec>)XIkv@+{o6^DJLpAb>!d}l1DK^(l%#OdD9tKK6#|_R?-%0V!`<9Hj z3w3chDwG*SFte@>Iqwq`J4M&{aHXzyigT620+Vf$X?3RFfeTcvx_e+(&Q*z)t>c0e zpZH$1Z3X%{^_vylHVOWT6tno=l&$3 z9^eQ@TwU#%WMQaFvaYp_we%_2-9=o{+ck zF{cKJCOjpW&qKQquyp2BXCAP920dcrZ}T1@piukx_NY;%2W>@Wca%=Ch~x5Oj58Hv z;D-_ALOZBF(Mqbcqjd}P3iDbek#Dwzu`WRs`;hRIr*n0PV7vT+%Io(t}8KZ zpp?uc2eW!v28ipep0XNDPZt7H2HJ6oey|J3z!ng#1H~x_k%35P+Cp%mqXJ~cV0xdd z^4m5^K_dQ^Sg?$P`))ccV=O>C{Ds(C2WxX$LMC5vy=*44pP&)X5DOPYfqE${)hDg< z3hcG%U%HZ39=`#Ko4Uctg&@PQLf>?0^D|4J(_1*TFMOMB!Vv1_mnOq$BzXQdOGqgy zOp#LBZ!c>bPjY1NTXksZmbAl0A^Y&(%a3W-k>bE&>K?px5Cm%AT2E<&)Y?O*?d80d zgI5l~&Mve;iXm88Q+Fw7{+`PtN4G7~mJWR^z7XmYQ>uoiV!{tL)hp|= zS(M)813PM`d<501>{NqaPo6BZ^T{KBaqEVH(2^Vjeq zgeMeMpd*1tE@@);hGjuoVzF>Cj;5dNNwh40CnU+0DSKb~GEMb_# zT8Z&gz%SkHq6!;_6dQFYE`+b`v4NT7&@P>cA1Z1xmXy<2htaDhm@XXMp!g($ zw(7iFoH2}WR`UjqjaqOQ$ecNt@c|K1H1kyBArTTjLp%-M`4nzOhkfE#}dOpcd;b#suq8cPJ&bf5`6Tq>ND(l zib{VrPZ>{KuaIg}Y$W>A+nrvMg+l4)-@2jpAQ5h(Tii%Ni^-UPVg{<1KGU2EIUNGaXcEkOedJOusFT9X3%Pz$R+-+W+LlRaY-a$5r?4V zbPzgQl22IPG+N*iBRDH%l{Zh$fv9$RN1sU@Hp3m=M}{rX%y#;4(x1KR2yCO7Pzo>rw(67E{^{yUR`91nX^&MxY@FwmJJbyPAoWZ9Z zcBS$r)&ogYBn{DOtD~tIVJUiq|1foX^*F~O4hlLp-g;Y2wKLLM=?(r3GDqsPmUo*? 
zwKMEi*%f)C_@?(&&hk>;m07F$X7&i?DEK|jdRK=CaaNu-)pX>n3}@%byPKVkpLzBq z{+Py&!`MZ^4@-;iY`I4#6G@aWMv{^2VTH7|WF^u?3vsB|jU3LgdX$}=v7#EHRN(im zI(3q-eU$s~r=S#EWqa_2!G?b~ z<&brq1vvUTJH380=gcNntZw%7UT8tLAr-W49;9y^=>TDaTC|cKA<(gah#2M|l~j)w zY8goo28gj$n&zcNgqX1Qn6=<8?R0`FVO)g4&QtJAbW3G#D)uNeac-7cH5W#6i!%BH z=}9}-f+FrtEkkrQ?nkoMQ1o-9_b+&=&C2^h!&mWFga#MCrm85hW;)1pDt;-uvQG^D zntSB?XA*0%TIhtWDS!KcI}kp3LT>!(Nlc(lQN?k^bS8Q^GGMfo}^|%7s;#r+pybl@?KA++|FJ zr%se9(B|g*ERQU96az%@4gYrxRRxaM2*b}jNsG|0dQi;Rw{0WM0E>rko!{QYAJJKY z)|sX0N$!8d9E|kND~v|f>3YE|uiAnqbkMn)hu$if4kUkzKqoNoh8v|S>VY1EKmgO} zR$0UU2o)4i4yc1inx3}brso+sio{)gfbLaEgLahj8(_Z#4R-v) zglqwI%`dsY+589a8$Mu7#7_%kN*ekHupQ#48DIN^uhDxblDg3R1yXMr^NmkR z7J_NWCY~fhg}h!_aXJ#?wsZF$q`JH>JWQ9`jbZzOBpS`}-A$Vgkq7+|=lPx9H7QZG z8i8guMN+yc4*H*ANr$Q-3I{FQ-^;8ezWS2b8rERp9TMOLBxiG9J*g5=?h)mIm3#CGi4JSq1ohFrcrxx@`**K5%T}qbaCGldV!t zVeM)!U3vbf5FOy;(h08JnhSGxm)8Kqxr9PsMeWi=b8b|m_&^@#A3lL;bVKTBx+0v8 zLZeWAxJ~N27lsOT2b|qyp$(CqzqgW@tyy?CgwOe~^i;ZH zlL``i4r!>i#EGBNxV_P@KpYFQLz4Bdq{#zA&sc)*@7Mxsh9u%e6Ke`?5Yz1jkTdND zR8!u_yw_$weBOU}24(&^Bm|(dSJ(v(cBct}87a^X(v>nVLIr%%D8r|&)mi+iBc;B;x;rKq zd8*X`r?SZsTNCPQqoFOrUz8nZO?225Z#z(B!4mEp#ZJBzwd7jW1!`sg*?hPMJ$o`T zR?KrN6OZA1H{9pA;p0cSSu;@6->8aJm1rrO-yDJ7)lxuk#npUk7WNER1Wwnpy%u zF=t6iHzWU(L&=vVSSc^&D_eYP3TM?HN!Tgq$SYC;pSIPWW;zeNm7Pgub#yZ@7WPw#f#Kl)W4%B>)+8%gpfoH1qZ;kZ*RqfXYeGXJ_ zk>2otbp+1By`x^1V!>6k5v8NAK@T;89$`hE0{Pc@Q$KhG0jOoKk--Qx!vS~lAiypV zCIJ&6B@24`!TxhJ4_QS*S5;;Pk#!f(qIR7*(c3dN*POKtQe)QvR{O2@QsM%ujEAWEm) z+PM=G9hSR>gQ`Bv2(k}RAv2+$7qq(mU`fQ+&}*i%-RtSUAha>70?G!>?w%F(b4k!$ zvm;E!)2`I?etmSUFW7WflJ@8Nx`m_vE2HF#)_BiD#FaNT|IY@!uUbd4v$wTglIbIX zblRy5=wp)VQzsn0_;KdM%g<8@>#;E?vypTf=F?3f@SSdZ;XpX~J@l1;p#}_veWHp>@Iq_T z@^7|h;EivPYv1&u0~l9(a~>dV9Uw10QqB6Dzu1G~-l{*7IktljpK<_L8m0|7VV_!S zRiE{u97(%R-<8oYJ{molUd>vlGaE-C|^<`hppdDz<7OS13$#J zZ+)(*rZIDSt^Q$}CRk0?pqT5PN5TT`Ya{q(BUg#&nAsg6apPMhLTno!SRq1e60fl6GvpnwDD4N> z9B=RrufY8+g3_`@PRg+(+gs2(bd;5#{uTZk96CWz#{=&h9+!{_m60xJxC%r&gd_N! 
z>h5UzVX%_7@CUeAA1XFg_AF%(uS&^1WD*VPS^jcC!M2v@RHZML;e(H-=(4(3O&bX- zI6>usJOS+?W&^S&DL{l|>51ZvCXUKlH2XKJPXnHjs*oMkNM#ZDLx!oaM5(%^)5XaP zk6&+P16sA>vyFe9v`Cp5qnbE#r#ltR5E+O3!WnKn`56Grs2;sqr3r# zp@Zp<^q`5iq8OqOlJ`pIuyK@3zPz&iJ0Jcc`hDQ1bqos2;}O|$i#}e@ua*x5VCSx zJAp}+?Hz++tm9dh3Fvm_bO6mQo38al#>^O0g)Lh^&l82+&x)*<n7^Sw-AJo9tEzZDwyJ7L^i7|BGqHu+ea6(&7jKpBq>~V z8CJxurD)WZ{5D0?s|KMi=e7A^JVNM6sdwg@1Eg_+Bw=9j&=+KO1PG|y(mP1@5~x>d z=@c{EWU_jTSjiJl)d(>`qEJ;@iOBm}alq8;OK;p(1AdH$)I9qHNmxxUArdzBW0t+Qeyl)m3?D09770g z)hzXEOy>2_{?o%2B%k%z4d23!pZcoxyW1Ik{|m7Q1>fm4`wsRrl)~h z_=Z*zYL+EG@DV1{6@5@(Ndu!Q$l_6Qlfoz@79q)Kmsf~J7t1)tl#`MD<;1&CAA zH8;i+oBm89dTTDl{aH`cmTPTt@^K-%*sV+t4X9q0Z{A~vEEa!&rRRr=0Rbz4NFCJr zLg2u=0QK@w9XGE=6(-JgeP}G#WG|R&tfHRA3a9*zh5wNTBAD;@YYGx%#E4{C#Wlfo z%-JuW9=FA_T6mR2-Vugk1uGZvJbFvVVWT@QOWz$;?u6+CbyQsbK$>O1APk|xgnh_8 zc)s@Mw7#0^wP6qTtyNq2G#s?5j~REyoU6^lT7dpX{T-rhZWHD%dik*=EA7bIJgOVf_Ga!yC8V^tkTOEHe+JK@Fh|$kfNxO^= z#lpV^(ZQ-3!^_BhV>aXY~GC9{8%1lOJ}6vzXDvPhC>JrtXwFBC+!3a*Z-%#9}i z#<5&0LLIa{q!rEIFSFc9)>{-_2^qbOg5;_A9 ztQ))C6#hxSA{f9R3Eh^`_f${pBJNe~pIQ`tZVR^wyp}=gLK}e5_vG@w+-mp#Fu>e| z*?qBp5CQ5zu+Fi}xAs)YY1;bKG!htqR~)DB$ILN6GaChoiy%Bq@i+1ZnANC0U&D z_4k$=YP47ng+0NhuEt}6C;9-JDd8i5S>`Ml==9wHDQFOsAlmtrVwurYDw_)Ihfk35 zJDBbe!*LUpg%4n>BExWz>KIQ9vexUu^d!7rc_kg#Bf= z7TLz|l*y*3d2vi@c|pX*@ybf!+Xk|2*z$@F4K#MT8Dt4zM_EcFmNp31#7qT6(@GG? 
zdd;sSY9HHuDb=w&|K%sm`bYX#%UHKY%R`3aLMO?{T#EI@FNNFNO>p@?W*i0z(g2dt z{=9Ofh80Oxv&)i35AQN>TPMjR^UID-T7H5A?GI{MD_VeXZ%;uo41dVm=uT&ne2h0i zv*xI%9vPtdEK@~1&V%p1sFc2AA`9?H)gPnRdlO~URx!fiSV)j?Tf5=5F>hnO=$d$x zzaIfr*wiIc!U1K*$JO@)gP4%xp!<*DvJSv7p}(uTLUb=MSb@7_yO+IsCj^`PsxEl& zIxsi}s3L?t+p+3FXYqujGhGwTx^WXgJ1}a@Yq5mwP0PvGEr*qu7@R$9j>@-q1rz5T zriz;B^(ex?=3Th6h;7U`8u2sDlfS{0YyydK=*>-(NOm9>S_{U|eg(J~C7O zIe{|LK=Y`hXiF_%jOM8Haw3UtaE{hWdzo3BbD6ud7br4cODBtN(~Hl+odP0SSWPw;I&^m)yLw+nd#}3#z}?UIcX3=SssI}`QwY=% zAEXTODk|MqTx}2DVG<|~(CxgLyi*A{m>M@1h^wiC)4Hy>1K7@|Z&_VPJsaQoS8=ex zDL&+AZdQa>ylxhT_Q$q=60D5&%pi6+qlY3$3c(~rsITX?>b;({FhU!7HOOhSP7>bmTkC8KM%!LRGI^~y3Ug+gh!QM=+NZXznM)?L3G=4=IMvFgX3BAlyJ z`~jjA;2z+65D$j5xbv9=IWQ^&-K3Yh`vC(1Qz2h2`o$>Cej@XRGff!it$n{@WEJ^N z41qk%Wm=}mA*iwCqU_6}Id!SQd13aFER3unXaJJXIsSnxvG2(hSCP{i&QH$tL&TPx zDYJsuk+%laN&OvKb-FHK$R4dy%M7hSB*yj#-nJy?S9tVoxAuDei{s}@+pNT!vLOIC z8g`-QQW8FKp3cPsX%{)0B+x+OhZ1=L7F-jizt|{+f1Ga7%+!BXqjCjH&x|3%?UbN# zh?$I1^YokvG$qFz5ySK+Ja5=mkR&p{F}ev**rWdKMko+Gj^?Or=UH?SCg#0F(&a_y zXOh}dPv0D9l0RVedq1~jCNV=8?vZfU-Xi|nkeE->;ohG3U7z+^0+HV17~-_Mv#mV` zzvwUJJ15v5wwKPv-)i@dsEo@#WEO9zie7mdRAbgL2kjbW4&lk$vxkbq=w5mGKZK6@ zjXWctDkCRx58NJD_Q7e}HX`SiV)TZMJ}~zY6P1(LWo`;yDynY_5_L?N-P`>ALfmyl z8C$a~FDkcwtzK9m$tof>(`Vu3#6r#+v8RGy#1D2)F;vnsiL&P-c^PO)^B-4VeJteLlT@25sPa z%W~q5>YMjj!mhN})p$47VA^v$Jo6_s{!y?}`+h+VM_SN`!11`|;C;B};B&Z<@%FOG z_YQVN+zFF|q5zKab&e4GH|B;sBbKimHt;K@tCH+S{7Ry~88`si7}S)1E{21nldiu5 z_4>;XTJa~Yd$m4A9{Qbd)KUAm7XNbZ4xHbg3a8-+1uf*$1PegabbmCzgC~1WB2F(W zYj5XhVos!X!QHuZXCatkRsdEsSCc+D2?*S7a+(v%toqyxhjz|`zdrUvsxQS{J>?c& zvx*rHw^8b|v^7wq8KWVofj&VUitbm*a&RU_ln#ZFA^3AKEf<#T%8I!Lg3XEsdH(A5 zlgh&M_XEoal)i#0tcq8c%Gs6`xu;vvP2u)D9p!&XNt z!TdF_H~;`g@fNXkO-*t<9~;iEv?)Nee%hVe!aW`N%$cFJ(Dy9+Xk*odyFj72T!(b%Vo5zvCGZ%3tkt$@Wcx8BWEkefI1-~C_3y*LjlQ5%WEz9WD8i^ z2MV$BHD$gdPJV4IaV)G9CIFwiV=ca0cfXdTdK7oRf@lgyPx;_7*RRFk=?@EOb9Gcz zg~VZrzo*Snp&EE{$CWr)JZW)Gr;{B2ka6B!&?aknM-FENcl%45#y?oq9QY z3^1Y5yn&^D67Da4lI}ljDcphaEZw2;tlYuzq?uB4b9Mt6!KTW&ptxd^vF;NbX=00T 
z@nE1lIBGgjqs?ES#P{ZfRb6f!At51vk%<0X%d_~NL5b8UyfQMPDtfU@>ijA0NP3UU zh{lCf`Wu7cX!go`kUG`1K=7NN@SRGjUKuo<^;@GS!%iDXbJs`o6e`v3O8-+7vRkFm z)nEa$sD#-v)*Jb>&Me+YIW3PsR1)h=-Su)))>-`aRcFJG-8icomO4J@60 zw10l}BYxi{eL+Uu0xJYk-Vc~BcR49Qyyq!7)PR27D`cqGrik=?k1Of>gY7q@&d&Ds zt7&WixP`9~jjHO`Cog~RA4Q%uMg+$z^Gt&vn+d3&>Ux{_c zm|bc;k|GKbhZLr-%p_f%dq$eiZ;n^NxoS-Nu*^Nx5vm46)*)=-Bf<;X#?`YC4tLK; z?;u?shFbXeks+dJ?^o$l#tg*1NA?(1iFff@I&j^<74S!o;SWR^Xi);DM%8XiWpLi0 zQE2dL9^a36|L5qC5+&Pf0%>l&qQ&)OU4vjd)%I6{|H+pw<0(a``9w(gKD&+o$8hOC zNAiShtc}e~ob2`gyVZx59y<6Fpl*$J41VJ-H*e-yECWaDMmPQi-N8XI3 z%iI@ljc+d}_okL1CGWffeaejlxWFVDWu%e=>H)XeZ|4{HlbgC-Uvof4ISYQzZ0Um> z#Ov{k1c*VoN^f(gfiueuag)`TbjL$XVq$)aCUBL_M`5>0>6Ska^*Knk__pw{0I>jA zzh}Kzg{@PNi)fcAk7jMAdi-_RO%x#LQszDMS@_>iFoB+zJ0Q#CQJzFGa8;pHFdi`^ zxnTC`G$7Rctm3G8t8!SY`GwFi4gF|+dAk7rh^rA{NXzc%39+xSYM~($L(pJ(8Zjs* zYdN_R^%~LiGHm9|ElV4kVZGA*T$o@YY4qpJOxGHlUi*S*A(MrgQ{&xoZQo+#PuYRs zv3a$*qoe9gBqbN|y|eaH=w^LE{>kpL!;$wRahY(hhzRY;d33W)m*dfem@)>pR54Qy z ze;^F?mwdU?K+=fBabokSls^6_6At#1Sh7W*y?r6Ss*dmZP{n;VB^LDxM1QWh;@H0J z!4S*_5j_;+@-NpO1KfQd&;C7T`9ak;X8DTRz$hDNcjG}xAfg%gwZSb^zhE~O);NMO zn2$fl7Evn%=Lk!*xsM#(y$mjukN?A&mzEw3W5>_o+6oh62kq=4-`e3B^$rG=XG}Kd zK$blh(%!9;@d@3& zGFO60j1Vf54S}+XD?%*uk7wW$f`4U3F*p7@I4Jg7f`Il}2H<{j5h?$DDe%wG7jZQL zI{mj?t?Hu>$|2UrPr5&QyK2l3mas?zzOk0DV30HgOQ|~xLXDQ8M3o#;CNKO8RK+M; zsOi%)js-MU>9H4%Q)#K_me}8OQC1u;f4!LO%|5toa1|u5Q@#mYy8nE9IXmR}b#sZK z3sD395q}*TDJJA9Er7N`y=w*S&tA;mv-)Sx4(k$fJBxXva0_;$G6!9bGBw13c_Uws zXks4u(8JA@0O9g5f?#V~qR5*u5aIe2HQO^)RW9TTcJk28l`Syl>Q#ZveEE4Em+{?%iz6=V3b>rCm9F zPQQm@-(hfNdo2%n?B)u_&Qh7^^@U>0qMBngH8}H|v+Ejg*Dd(Y#|jgJ-A zQ_bQscil%eY}8oN7ZL+2r|qv+iJY?*l)&3W_55T3GU;?@Om*(M`u0DXAsQ7HSl56> z4P!*(%&wRCb?a4HH&n;lAmr4rS=kMZb74Akha2U~Ktni>>cD$6jpugjULq)D?ea%b zk;UW0pAI~TH59P+o}*c5Ei5L-9OE;OIBt>^(;xw`>cN2`({Rzg71qrNaE=cAH^$wP zNrK9Glp^3a%m+ilQj0SnGq`okjzmE7<3I{JLD6Jn^+oas=h*4>Wvy=KXqVBa;K&ri z4(SVmMXPG}0-UTwa2-MJ=MTfM3K)b~DzSVq8+v-a0&Dsv>4B65{dBhD;(d44CaHSM zb!0ne(*<^Q%|nuaL`Gb3D4AvyO8wyygm=1;9#u5x*k0$UOwx?QxR*6Od8>+ujfyo0 
zJ}>2FgW_iv(dBK2OWC-Y=Tw!UwIeOAOUUC;h95&S1hn$G#if+d;*dWL#j#YWswrz_ zMlV=z+zjZJ%SlDhxf)vv@`%~$Afd)T+MS1>ZE7V$Rj#;J*<9Ld=PrK0?qrazRJWx) z(BTLF@Wk279nh|G%ZY7_lK7=&j;x`bMND=zgh_>>-o@6%8_#Bz!FnF*onB@_k|YCF z?vu!s6#h9bL3@tPn$1;#k5=7#s*L;FLK#=M89K^|$3LICYWIbd^qguQp02w5>8p-H z+@J&+pP_^iF4Xu>`D>DcCnl8BUwwOlq6`XkjHNpi@B?OOd`4{dL?kH%lt78(-L}eah8?36zw9d-dI6D{$s{f=M7)1 zRH1M*-82}DoFF^Mi$r}bTB5r6y9>8hjL54%KfyHxn$LkW=AZ(WkHWR;tIWWr@+;^^ zVomjAWT)$+rn%g`LHB6ZSO@M3KBA? z+W7ThSBgpk`jZHZUrp`F;*%6M5kLWy6AW#T{jFHTiKXP9ITrMlEdti7@&AT_a-BA!jc(Kt zWk>IdY-2Zbz?U1)tk#n_Lsl?W;0q`;z|t9*g-xE!(}#$fScX2VkjSiboKWE~afu5d z2B@9mvT=o2fB_>Mnie=TDJB+l`GMKCy%2+NcFsbpv<9jS@$X37K_-Y!cvF5NEY`#p z3sWEc<7$E*X*fp+MqsOyMXO=<2>o8)E(T?#4KVQgt=qa%5FfUG_LE`n)PihCz2=iNUt7im)s@;mOc9SR&{`4s9Q6)U31mn?}Y?$k3kU z#h??JEgH-HGt`~%)1ZBhT9~uRi8br&;a5Y3K_Bl1G)-y(ytx?ok9S*Tz#5Vb=P~xH z^5*t_R2It95=!XDE6X{MjLYn4Eszj9Y91T2SFz@eYlx9Z9*hWaS$^5r7=W5|>sY8}mS(>e9Ez2qI1~wtlA$yv2e-Hjn&K*P z2zWSrC~_8Wrxxf#%QAL&f8iH2%R)E~IrQLgWFg8>`Vnyo?E=uiALoRP&qT{V2{$79 z%9R?*kW-7b#|}*~P#cA@q=V|+RC9=I;aK7Pju$K-n`EoGV^-8Mk=-?@$?O37evGKn z3NEgpo_4{s>=FB}sqx21d3*=gKq-Zk)U+bM%Q_}0`XGkYh*+jRaP+aDnRv#Zz*n$pGp zEU9omuYVXH{AEx>=kk}h2iKt!yqX=EHN)LF}z1j zJx((`CesN1HxTFZ7yrvA2jTPmKYVij>45{ZH2YtsHuGzIRotIFj?(8T@ZWUv{_%AI zgMZlB03C&FtgJqv9%(acqt9N)`4jy4PtYgnhqev!r$GTIOvLF5aZ{tW5MN@9BDGu* zBJzwW3sEJ~Oy8is`l6Ly3an7RPtRr^1Iu(D!B!0O241Xua>Jee;Rc7tWvj!%#yX#m z&pU*?=rTVD7pF6va1D@u@b#V@bShFr3 zMyMbNCZwT)E-%L-{%$3?n}>EN>ai7b$zR_>=l59mW;tfKj^oG)>_TGCJ#HbLBsNy$ zqAqPagZ3uQ(Gsv_-VrZmG&hHaOD#RB#6J8&sL=^iMFB=gH5AIJ+w@sTf7xa&Cnl}@ zxrtzoNq>t?=(+8bS)s2p3>jW}tye0z2aY_Dh@(18-vdfvn;D?sv<>UgL{Ti08$1Q+ zZI3q}yMA^LK=d?YVg({|v?d1|R?5 zL0S3fw)BZazRNNX|7P4rh7!+3tCG~O8l+m?H} z(CB>8(9LtKYIu3ohJ-9ecgk+L&!FX~Wuim&;v$>M4 zUfvn<=Eok(63Ubc>mZrd8d7(>8bG>J?PtOHih_xRYFu1Hg{t;%+hXu2#x%a%qzcab zv$X!ccoj)exoOnaco_jbGw7KryOtuf(SaR-VJ0nAe(1*AA}#QV1lMhGtzD>RoUZ;WA?~!K{8%chYn?ttlz17UpDLlhTkGcVfHY6R<2r4E{mU zq-}D?+*2gAkQYAKrk*rB%4WFC-B!eZZLg4(tR#@kUQHIzEqV48$9=Q(~J_0 
zy1%LSCbkoOhRO!J+Oh#;bGuXe;~(bIE*!J@i<%_IcB7wjhB5iF#jBn5+u~fEECN2* z!QFh!m<(>%49H12Y33+?$JxKV3xW{xSs=gxkxW-@Xds^|O1`AmorDKrE8N2-@ospk z=Au%h=f!`_X|G^A;XWL}-_L@D6A~*4Yf!5RTTm$!t8y&fp5_oqvBjW{FufS`!)5m% z2g(=9Ap6Y2y(9OYOWuUVGp-K=6kqQ)kM0P^TQT{X{V$*sN$wbFb-DaUuJF*!?EJPl zJev!UsOB^UHZ2KppYTELh+kqDw+5dPFv&&;;C~=u$Mt+Ywga!8YkL2~@g67}3wAQP zrx^RaXb1(c7vwU8a2se75X(cX^$M{FH4AHS7d2}heqqg4F0!1|Na>UtAdT%3JnS!B)&zelTEj$^b0>Oyfw=P-y-Wd^#dEFRUN*C{!`aJIHi<_YA2?piC%^ zj!p}+ZnBrM?ErAM+D97B*7L8U$K zo(IR-&LF(85p+fuct9~VTSdRjs`d-m|6G;&PoWvC&s8z`TotPSoksp;RsL4VL@CHf z_3|Tn%`ObgRhLmr60<;ya-5wbh&t z#ycN_)3P_KZN5CRyG%LRO4`Ot)3vY#dNX9!f!`_>1%4Q`81E*2BRg~A-VcN7pcX#j zrbl@7`V%n z6J53(m?KRzKb)v?iCuYWbH*l6M77dY4keS!%>}*8n!@ROE4!|7mQ+YS4dff1JJC(t z6Fnuf^=dajqHpH1=|pb(po9Fr8it^;2dEk|Ro=$fxqK$^Yix{G($0m-{RCFQJ~LqUnO7jJcjr zl*N*!6WU;wtF=dLCWzD6kW;y)LEo=4wSXQDIcq5WttgE#%@*m><@H;~Q&GniA-$in z`sjWFLgychS1kIJmPtd-w6%iKkj&dGhtB%0)pyy0M<4HZ@ZY0PWLAd7FCrj&i|NRh?>hZj*&FYnyu%Ur`JdiTu&+n z78d3n)Rl6q&NwVj_jcr#s5G^d?VtV8bkkYco5lV0LiT+t8}98LW>d)|v|V3++zLbHC(NC@X#Hx?21J0M*gP2V`Yd^DYvVIr{C zSc4V)hZKf|OMSm%FVqSRC!phWSyuUAu%0fredf#TDR$|hMZihJ__F!)Nkh6z)d=NC z3q4V*K3JTetxCPgB2_)rhOSWhuXzu+%&>}*ARxUaDeRy{$xK(AC0I=9%X7dmc6?lZNqe-iM(`?Xn3x2Ov>sej6YVQJ9Q42>?4lil?X zew-S>tm{=@QC-zLtg*nh5mQojYnvVzf3!4TpXPuobW_*xYJs;9AokrXcs!Ay z;HK>#;G$*TPN2M!WxdH>oDY6k4A6S>BM0Nimf#LfboKxJXVBC=RBuO&g-=+@O-#0m zh*aPG16zY^tzQLNAF7L(IpGPa+mDsCeAK3k=IL6^LcE8l0o&)k@?dz!79yxUquQIe($zm5DG z5RdXTv)AjHaOPv6z%99mPsa#8OD@9=URvHoJ1hYnV2bG*2XYBgB!-GEoP&8fLmWGg z9NG^xl5D&3L^io&3iYweV*qhc=m+r7C#Jppo$Ygg;jO2yaFU8+F*RmPL` zYxfGKla_--I}YUT353k}nF1zt2NO?+kofR8Efl$Bb^&llgq+HV_UYJUH7M5IoN0sT z4;wDA0gs55ZI|FmJ0}^Pc}{Ji-|#jdR$`!s)Di4^g3b_Qr<*Qu2rz}R6!B^;`Lj3sKWzjMYjexX)-;f5Y+HfkctE{PstO-BZan0zdXPQ=V8 zS8cBhnQyy4oN?J~oK0zl!#S|v6h-nx5to7WkdEk0HKBm;?kcNO*A+u=%f~l&aY*+J z>%^Dz`EQ6!+SEX$>?d(~|MNWU-}JTrk}&`IR|Ske(G^iMdk04)Cxd@}{1=P0U*%L5 zMFH_$R+HUGGv|ju2Z>5x(-aIbVJLcH1S+(E#MNe9g;VZX{5f%_|Kv7|UY-CM(>vf= z!4m?QS+AL+rUyfGJ;~uJGp4{WhOOc%2ybVP68@QTwI(8kDuYf?#^xv 
zBmOHCZU8O(x)=GVFn%tg@TVW1)qJJ_bU}4e7i>&V?r zh-03>d3DFj&@}6t1y3*yOzllYQ++BO-q!)zsk`D(z||)y&}o%sZ-tUF>0KsiYKFg6 zTONq)P+uL5Vm0w{D5Gms^>H1qa&Z##*X31=58*r%Z@Ko=IMXX{;aiMUp-!$As3{sq z0EEk02MOsgGm7$}E%H1ys2$yftNbB%1rdo@?6~0!a8Ym*1f;jIgfcYEF(I_^+;Xdr z2a>&oc^dF3pm(UNpazXgVzuF<2|zdPGjrNUKpdb$HOgNp*V56XqH`~$c~oSiqx;8_ zEz3fHoU*aJUbFJ&?W)sZB3qOSS;OIZ=n-*#q{?PCXi?Mq4aY@=XvlNQdA;yVC0Vy+ z{Zk6OO!lMYWd`T#bS8FV(`%flEA9El;~WjZKU1YmZpG#49`ku`oV{Bdtvzyz3{k&7 zlG>ik>eL1P93F zd&!aXluU_qV1~sBQf$F%sM4kTfGx5MxO0zJy<#5Z&qzNfull=k1_CZivd-WAuIQf> zBT3&WR|VD|=nKelnp3Q@A~^d_jN3@$x2$f@E~e<$dk$L@06Paw$);l*ewndzL~LuU zq`>vfKb*+=uw`}NsM}~oY}gW%XFwy&A>bi{7s>@(cu4NM;!%ieP$8r6&6jfoq756W z$Y<`J*d7nK4`6t`sZ;l%Oen|+pk|Ry2`p9lri5VD!Gq`U#Ms}pgX3ylAFr8(?1#&dxrtJgB>VqrlWZf61(r`&zMXsV~l{UGjI7R@*NiMJLUoK*kY&gY9kC@^}Fj* zd^l6_t}%Ku<0PY71%zQL`@}L}48M!@=r)Q^Ie5AWhv%#l+Rhu6fRpvv$28TH;N7Cl z%I^4ffBqx@Pxpq|rTJV)$CnxUPOIn`u278s9#ukn>PL25VMv2mff)-RXV&r`Dwid7}TEZxXX1q(h{R6v6X z&x{S_tW%f)BHc!jHNbnrDRjGB@cam{i#zZK*_*xlW@-R3VDmp)<$}S%t*@VmYX;1h zFWmpXt@1xJlc15Yjs2&e%)d`fimRfi?+fS^BoTcrsew%e@T^}wyVv6NGDyMGHSKIQ zC>qFr4GY?#S#pq!%IM_AOf`#}tPoMn7JP8dHXm(v3UTq!aOfEXNRtEJ^4ED@jx%le zvUoUs-d|2(zBsrN0wE(Pj^g5wx{1YPg9FL1)V1JupsVaXNzq4fX+R!oVX+q3tG?L= z>=s38J_!$eSzy0m?om6Wv|ZCbYVHDH*J1_Ndajoh&?L7h&(CVii&rmLu+FcI;1qd_ zHDb3Vk=(`WV?Uq;<0NccEh0s`mBXcEtmwt6oN99RQt7MNER3`{snV$qBTp={Hn!zz z1gkYi#^;P8s!tQl(Y>|lvz{5$uiXsitTD^1YgCp+1%IMIRLiSP`sJru0oY-p!FPbI)!6{XM%)(_Dolh1;$HlghB-&e><;zU&pc=ujpa-(+S&Jj zX1n4T#DJDuG7NP;F5TkoG#qjjZ8NdXxF0l58RK?XO7?faM5*Z17stidTP|a%_N z^e$D?@~q#Pf+708cLSWCK|toT1YSHfXVIs9Dnh5R(}(I;7KhKB7RD>f%;H2X?Z9eR z{lUMuO~ffT!^ew= z7u13>STI4tZpCQ?yb9;tSM-(EGb?iW$a1eBy4-PVejgMXFIV_Ha^XB|F}zK_gzdhM z!)($XfrFHPf&uyFQf$EpcAfk83}91Y`JFJOiQ;v5ca?)a!IxOi36tGkPk4S6EW~eq z>WiK`Vu3D1DaZ}515nl6>;3#xo{GQp1(=uTXl1~ z4gdWxr-8a$L*_G^UVd&bqW_nzMM&SlNW$8|$lAfo@zb+P>2q?=+T^qNwblP*RsN?N zdZE%^Zs;yAwero1qaoqMp~|KL=&npffh981>2om!fseU(CtJ=bW7c6l{U5(07*e0~ zJRbid6?&psp)ilmYYR3ZIg;t;6?*>hoZ3uq7dvyyq-yq$zH$yyImjfhpQb@WKENSP 
zl;KPCE+KXzU5!)mu12~;2trrLfs&nlEVOndh9&!SAOdeYd}ugwpE-9OF|yQs(w@C9 zoXVX`LP~V>%$<(%~tE*bsq(EFm zU5z{H@Fs^>nm%m%wZs*hRl=KD%4W3|(@j!nJr{Mmkl`e_uR9fZ-E{JY7#s6i()WXB0g-b`R{2r@K{2h3T+a>82>722+$RM*?W5;Bmo6$X3+Ieg9&^TU(*F$Q3 zT572!;vJeBr-)x?cP;^w1zoAM`nWYVz^<6N>SkgG3s4MrNtzQO|A?odKurb6DGZffo>DP_)S0$#gGQ_vw@a9JDXs2}hV&c>$ zUT0;1@cY5kozKOcbN6)n5v)l#>nLFL_x?2NQgurQH(KH@gGe>F|$&@ zq@2A!EXcIsDdzf@cWqElI5~t z4cL9gg7{%~4@`ANXnVAi=JvSsj95-7V& zME3o-%9~2?cvlH#twW~99=-$C=+b5^Yv}Zh4;Mg-!LS zw>gqc=}CzS9>v5C?#re>JsRY!w|Mtv#%O3%Ydn=S9cQarqkZwaM4z(gL~1&oJZ;t; zA5+g3O6itCsu93!G1J_J%Icku>b3O6qBW$1Ej_oUWc@MI)| zQ~eyS-EAAnVZp}CQnvG0N>Kc$h^1DRJkE7xZqJ0>p<>9*apXgBMI-v87E0+PeJ-K& z#(8>P_W^h_kBkI;&e_{~!M+TXt@z8Po*!L^8XBn{of)knd-xp{heZh~@EunB2W)gd zAVTw6ZZasTi>((qpBFh(r4)k zz&@Mc@ZcI-4d639AfcOgHOU+YtpZ)rC%Bc5gw5o~+E-i+bMm(A6!uE>=>1M;V!Wl4 z<#~muol$FsY_qQC{JDc8b=$l6Y_@_!$av^08`czSm!Xan{l$@GO-zPq1s>WF)G=wv zDD8j~Ht1pFj)*-b7h>W)@O&m&VyYci&}K|0_Z*w`L>1jnGfCf@6p}Ef*?wdficVe_ zmPRUZ(C+YJU+hIj@_#IiM7+$4kH#VS5tM!Ksz01siPc-WUe9Y3|pb4u2qnn zRavJiRpa zq?tr&YV?yKt<@-kAFl3s&Kq#jag$hN+Y%%kX_ytvpCsElgFoN3SsZLC>0f|m#&Jhu zp7c1dV$55$+k78FI2q!FT}r|}cIV;zp~#6X2&}22$t6cHx_95FL~T~1XW21VFuatb zpM@6w>c^SJ>Pq6{L&f9()uy)TAWf;6LyHH3BUiJ8A4}od)9sriz~e7}l7Vr0e%(=>KG1Jay zW0azuWC`(|B?<6;R)2}aU`r@mt_#W2VrO{LcX$Hg9f4H#XpOsAOX02x^w9+xnLVAt z^~hv2guE-DElBG+`+`>PwXn5kuP_ZiOO3QuwoEr)ky;o$n7hFoh}Aq0@Ar<8`H!n} zspCC^EB=6>$q*gf&M2wj@zzfBl(w_@0;h^*fC#PW9!-kT-dt*e7^)OIU{Uw%U4d#g zL&o>6`hKQUps|G4F_5AuFU4wI)(%9(av7-u40(IaI|%ir@~w9-rLs&efOR@oQy)}{ z&T#Qf`!|52W0d+>G!h~5A}7VJky`C3^fkJzt3|M&xW~x-8rSi-uz=qBsgODqbl(W#f{Ew#ui(K)(Hr&xqZs` zfrK^2)tF#|U=K|_U@|r=M_Hb;qj1GJG=O=d`~#AFAccecIaq3U`(Ds1*f*TIs=IGL zp_vlaRUtFNK8(k;JEu&|i_m39c(HblQkF8g#l|?hPaUzH2kAAF1>>Yykva0;U@&oRV8w?5yEK??A0SBgh?@Pd zJg{O~4xURt7!a;$rz9%IMHQeEZHR8KgFQixarg+MfmM_OeX#~#&?mx44qe!wt`~dd zqyt^~ML>V>2Do$huU<7}EF2wy9^kJJSm6HoAD*sRz%a|aJWz_n6?bz99h)jNMp}3k ztPVbos1$lC1nX_OK0~h>=F&v^IfgBF{#BIi&HTL}O7H-t4+wwa)kf3AE2-Dx@#mTA z!0f`>vz+d3AF$NH_-JqkuK1C+5>yns0G;r5ApsU|a-w9^j4c+FS{#+7- 
zH%skr+TJ~W_8CK_j$T1b;$ql_+;q6W|D^BNK*A+W5XQBbJy|)(IDA=L9d>t1`KX2b zOX(Ffv*m?e>! zS3lc>XC@IqPf1g-%^4XyGl*1v0NWnwZTW?z4Y6sncXkaA{?NYna3(n@(+n+#sYm}A zGQS;*Li$4R(Ff{obl3#6pUsA0fKuWurQo$mWXMNPV5K66V!XYOyc})^>889Hg3I<{V^Lj9($B4Zu$xRr=89-lDz9x`+I8q(vEAimx1K{sTbs|5x7S zZ+7o$;9&9>@3K;5-DVzGw=kp7ez%1*kxhGytdLS>Q)=xUWv3k_x(IsS8we39Tijvr z`GKk>gkZTHSht;5q%fh9z?vk%sWO}KR04G9^jleJ^@ovWrob7{1xy7V=;S~dDVt%S za$Q#Th%6g1(hiP>hDe}7lcuI94K-2~Q0R3A1nsb7Y*Z!DtQ(Ic<0;TDKvc6%1kBdJ z$hF!{uALB0pa?B^TC}#N5gZ|CKjy|BnT$7eaKj;f>Alqdb_FA3yjZ4CCvm)D&ibL) zZRi91HC!TIAUl<|`rK_6avGh`!)TKk=j|8*W|!vb9>HLv^E%t$`@r@piI(6V8pqDG zBON7~=cf1ZWF6jc{qkKm;oYBtUpIdau6s+<-o^5qNi-p%L%xAtn9OktFd{@EjVAT% z#?-MJ5}Q9QiK_jYYWs+;I4&!N^(mb!%4zx7qO6oCEDn=8oL6#*9XIJ&iJ30O`0vsFy|fEVkw}*jd&B6!IYi+~Y)qv6QlM&V9g0 zh)@^BVDB|P&#X{31>G*nAT}Mz-j~zd>L{v{9AxrxKFw8j;ccQ$NE0PZCc(7fEt1xd z`(oR2!gX6}R+Z77VkDz^{I)@%&HQT5q+1xlf*3R^U8q%;IT8-B53&}dNA7GW`Ki&= z$lrdH zDCu;j$GxW<&v_4Te7=AE2J0u1NM_7Hl9$u{z(8#%8vvrx2P#R7AwnY|?#LbWmROa; zOJzU_*^+n(+k;Jd{e~So9>OF>fPx$Hb$?~K1ul2xr>>o@**n^6IMu8+o3rDp(X$cC z`wQt9qIS>yjA$K~bg{M%kJ00A)U4L+#*@$8UlS#lN3YA{R{7{-zu#n1>0@(#^eb_% zY|q}2)jOEM8t~9p$X5fpT7BZQ1bND#^Uyaa{mNcFWL|MoYb@>y`d{VwmsF&haoJuS2W7azZU0{tu#Jj_-^QRc35tjW~ae&zhKk!wD}#xR1WHu z_7Fys#bp&R?VXy$WYa$~!dMxt2@*(>@xS}5f-@6eoT%rwH zv_6}M?+piNE;BqaKzm1kK@?fTy$4k5cqYdN8x-<(o6KelwvkTqC3VW5HEnr+WGQlF zs`lcYEm=HPpmM4;Ich7A3a5Mb3YyQs7(Tuz-k4O0*-YGvl+2&V(B&L1F8qfR0@vQM-rF<2h-l9T12eL}3LnNAVyY_z51xVr$%@VQ-lS~wf3mnHc zoM({3Z<3+PpTFCRn_Y6cbxu9v>_>eTN0>hHPl_NQQuaK^Mhrv zX{q#80ot;ptt3#js3>kD&uNs{G0mQp>jyc0GG?=9wb33hm z`y2jL=J)T1JD7eX3xa4h$bG}2ev=?7f>-JmCj6){Upo&$k{2WA=%f;KB;X5e;JF3IjQBa4e-Gp~xv- z|In&Rad7LjJVz*q*+splCj|{7=kvQLw0F@$vPuw4m^z=B^7=A4asK_`%lEf_oIJ-O z{L)zi4bd#&g0w{p1$#I&@bz3QXu%Y)j46HAJKWVfRRB*oXo4lIy7BcVl4hRs<%&iQ zr|)Z^LUJ>qn>{6y`JdabfNNFPX7#3`x|uw+z@h<`x{J4&NlDjnknMf(VW_nKWT!Jh zo1iWBqT6^BR-{T=4Ybe+?6zxP_;A5Uo{}Xel%*=|zRGm1)pR43K39SZ=%{MDCS2d$~}PE-xPw4ZK6)H;Zc&0D5p!vjCn0wCe&rVIhchR9ql!p2`g0b@JsC^J#n_r*4lZ~u0UHKwo(HaHUJDHf^gdJhTdTW 
z3i7Zp_`xyKC&AI^#~JMVZj^9WsW}UR#nc#o+ifY<4`M+?Y9NTBT~p`ONtAFf8(ltr*ER-Ig!yRs2xke#NN zkyFcaQKYv>L8mQdrL+#rjgVY>Z2_$bIUz(kaqL}cYENh-2S6BQK-a(VNDa_UewSW` zMgHi<3`f!eHsyL6*^e^W7#l?V|42CfAjsgyiJsA`yNfAMB*lAsJj^K3EcCzm1KT zDU2+A5~X%ax-JJ@&7>m`T;;}(-e%gcYQtj}?ic<*gkv)X2-QJI5I0tA2`*zZRX(;6 zJ0dYfMbQ+{9Rn3T@Iu4+imx3Y%bcf2{uT4j-msZ~eO)5Z_T7NC|Nr3)|NWjomhv=E zXaVin)MY)`1QtDyO7mUCjG{5+o1jD_anyKn73uflH*ASA8rm+S=gIfgJ);>Zx*hNG z!)8DDCNOrbR#9M7Ud_1kf6BP)x^p(|_VWCJ+(WGDbYmnMLWc?O4zz#eiP3{NfP1UV z(n3vc-axE&vko^f+4nkF=XK-mnHHQ7>w05$Q}iv(kJc4O3TEvuIDM<=U9@`~WdKN* zp4e4R1ncR_kghW}>aE$@OOc~*aH5OOwB5U*Z)%{LRlhtHuigxH8KuDwvq5{3Zg{Vr zrd@)KPwVKFP2{rXho(>MTZZfkr$*alm_lltPob4N4MmhEkv`J(9NZFzA>q0Ch;!Ut zi@jS_=0%HAlN+$-IZGPi_6$)ap>Z{XQGt&@ZaJ(es!Po5*3}>R4x66WZNsjE4BVgn z>}xm=V?F#tx#e+pimNPH?Md5hV7>0pAg$K!?mpt@pXg6UW9c?gvzlNe0 z3QtIWmw$0raJkjQcbv-7Ri&eX6Ks@@EZ&53N|g7HU<;V1pkc&$3D#8k!coJ=^{=vf z-pCP;vr2#A+i#6VA?!hs6A4P@mN62XYY$#W9;MwNia~89i`=1GoFESI+%Mbrmwg*0 zbBq4^bA^XT#1MAOum)L&ARDXJ6S#G>&*72f50M1r5JAnM1p7GFIv$Kf9eVR(u$KLt z9&hQ{t^i16zL1c(tRa~?qr?lbSN;1k;%;p*#gw_BwHJRjcYPTj6>y-rw*dFTnEs95 z`%-AoPL!P16{=#RI0 zUb6#`KR|v^?6uNnY`zglZ#Wd|{*rZ(x&Hk8N6ob6mpX~e^qu5kxvh$2TLJA$M=rx zc!#ot+sS+-!O<0KR6+Lx&~zgEhCsbFY{i_DQCihspM?e z-V}HemMAvFzXR#fV~a=Xf-;tJ1edd}Mry@^=9BxON;dYr8vDEK<<{ zW~rg(ZspxuC&aJo$GTM!9_sXu(EaQJNkV9AC(ob#uA=b4*!Uf}B*@TK=*dBvKKPAF z%14J$S)s-ws9~qKsf>DseEW(ssVQ9__YNg}r9GGx3AJiZR@w_QBlGP>yYh0lQCBtf zx+G;mP+cMAg&b^7J!`SiBwC81M_r0X9kAr2y$0(Lf1gZK#>i!cbww(hn$;fLIxRf? 
z!AtkSZc-h76KGSGz%48Oe`8ZBHkSXeVb!TJt_VC>$m<#}(Z}!(3h631ltKb3CDMw^fTRy%Ia!b&at`^g7Ew-%WLT9(#V0OP9CE?uj62s>`GI3NA z!`$U+i<`;IQyNBkou4|-7^9^ylac-Xu!M+V5p5l0Ve?J0wTSV+$gYtoc=+Ve*OJUJ z$+uIGALW?}+M!J9+M&#bT=Hz@{R2o>NtNGu1yS({pyteyb>*sg4N`KAD?`u3F#C1y z2K4FKOAPASGZTep54PqyCG(h3?kqQQAxDSW@>T2d!n;9C8NGS;3A8YMRcL>b=<<%M zMiWf$jY;`Ojq5S{kA!?28o)v$;)5bTL<4eM-_^h4)F#eeC2Dj*S`$jl^yn#NjJOYT zx%yC5Ww@eX*zsM)P(5#wRd=0+3~&3pdIH7CxF_2iZSw@>kCyd z%M}$1p((Bidw4XNtk&`BTkU{-PG)SXIZ)yQ!Iol6u8l*SQ1^%zC72FP zLvG>_Z0SReMvB%)1@+et0S{<3hV@^SY3V~5IY(KUtTR{*^xJ^2NN{sIMD9Mr9$~(C$GLNlSpzS=fsbw-DtHb_T|{s z9OR|sx!{?F``H!gVUltY7l~dx^a(2;OUV^)7 z%@hg`8+r&xIxmzZ;Q&v0X%9P)U0SE@r@(lKP%TO(>6I_iF{?PX(bez6v8Gp!W_nd5 z<8)`1jcT)ImNZp-9rr4_1MQ|!?#8sJQx{`~7)QZ75I=DPAFD9Mt{zqFrcrXCU9MG8 zEuGcy;nZ?J#M3!3DWW?Zqv~dnN6ijlIjPfJx(#S0cs;Z=jDjKY|$w2s4*Xa1Iz953sN2Lt!Vmk|%ZwOOqj`sA--5Hiaq8!C%LV zvWZ=bxeRV(&%BffMJ_F~~*FdcjhRVNUXu)MS(S#67rDe%Ler=GS+WysC1I2=Bmbh3s6wdS}o$0 zz%H08#SPFY9JPdL6blGD$D-AaYi;X!#zqib`(XX*i<*eh+2UEPzU4}V4RlC3{<>-~ zadGA8lSm>b7Z!q;D_f9DT4i)Q_}ByElGl*Cy~zX%IzHp)@g-itZB6xM70psn z;AY8II99e6P2drgtTG5>`^|7qg`9MTp%T~|1N3tBqV}2zgow3TFAH{XPor0%=HrkXnKyxyozHlJ6 zd3}OWkl?H$l#yZqOzZbMI+lDLoH48;s10!m1!K87g;t}^+A3f3e&w{EYhVPR0Km*- zh5-ku$Z|Ss{2?4pGm(Rz!0OQb^_*N`)rW{z)^Cw_`a(_L9j=&HEJl(!4rQy1IS)>- zeTIr>hOii`gc(fgYF(cs$R8l@q{mJzpoB5`5r>|sG zBpsY}RkY(g5`bj~D>(;F8v*DyjX(#nVLSs>)XneWI&%Wo>a0u#4A?N<1SK4D}&V1oN)76 z%S>a2n3n>G`YY1>0Hvn&AMtMuI_?`5?4y3w2Hnq4Qa2YH5 zxKdfM;k467djL31Y$0kd9FCPbU=pHBp@zaIi`Xkd80;%&66zvSqsq6%aY)jZacfvw ztkWE{ZV6V2WL9e}Dvz|!d96KqVkJU@5ryp#rReeWu>mSrOJxY^tWC9wd0)$+lZc%{ zY=c4#%OSyQJvQUuy^u}s8DN8|8T%TajOuaY^)R-&8s@r9D`(Ic4NmEu)fg1f!u`xUb;9t#rM z>}cY=648@d5(9A;J)d{a^*ORdVtJrZ77!g~^lZ9@)|-ojvW#>)Jhe8$7W3mhmQh@S zU=CSO+1gSsQ+Tv=x-BD}*py_Ox@;%#hPb&tqXqyUW9jV+fonnuCyVw=?HR>dAB~Fg z^vl*~y*4|)WUW*9RC%~O1gHW~*tJb^a-j;ae2LRNo|0S2`RX>MYqGKB^_ng7YRc@! 
zFxg1X!VsvXkNuv^3mI`F2=x6$(pZdw=jfYt1ja3FY7a41T07FPdCqFhU6%o|Yb6Z4 zpBGa=(ao3vvhUv#*S{li|EyujXQPUV;0sa5!0Ut)>tPWyC9e0_9(=v*z`TV5OUCcx zT=w=^8#5u~7<}8Mepqln4lDv*-~g^VoV{(+*4w(q{At6d^E-Usa2`JXty++Oh~on^ z;;WHkJsk2jvh#N|?(2PLl+g!M0#z_A;(#Uy=TzL&{Ei5G9#V{JbhKV$Qmkm%5tn!CMA? z@hM=b@2DZWTQ6>&F6WCq6;~~WALiS#@{|I+ucCmD6|tBf&e;$_)%JL8$oIQ%!|Xih1v4A$=7xNO zZVz$G8;G5)rxyD+M0$20L$4yukA_D+)xmK3DMTH3Q+$N&L%qB)XwYx&s1gkh=%qGCCPwnwhbT4p%*3R)I}S#w7HK3W^E%4w z2+7ctHPx3Q97MFYB48HfD!xKKb(U^K_4)Bz(5dvwyl*R?)k;uHEYVi|{^rvh)w7}t z`tnH{v9nlVHj2ign|1an_wz0vO)*`3RaJc#;(W-Q6!P&>+@#fptCgtUSn4!@b7tW0&pE2Qj@7}f#ugu4*C)8_}AMRuz^WG zc)XDcOPQjRaGptRD^57B83B-2NKRo!j6TBAJntJPHNQG;^Oz}zt5F^kId~miK3J@l ztc-IKp6qL!?u~q?qfGP0I~$5gvq#-0;R(oLU@sYayr*QH95fnrYA*E|n%&FP@Cz`a zSdJ~(c@O^>qaO`m9IQ8sd8!L<+)GPJDrL7{4{ko2gWOZel^3!($Gjt|B&$4dtfTmBmC>V`R&&6$wpgvdmns zxcmfS%9_ZoN>F~azvLFtA(9Q5HYT#A(byGkESnt{$Tu<73$W~reB4&KF^JBsoqJ6b zS?$D7DoUgzLO-?P`V?5_ub$nf1p0mF?I)StvPomT{uYjy!w&z$t~j&en=F~hw|O(1 zlV9$arQmKTc$L)Kupwz_zA~deT+-0WX6NzFPh&d+ly*3$%#?Ca9Z9lOJsGVoQ&1HNg+)tJ_sw)%oo*DK)iU~n zvL``LqTe=r=7SwZ@LB)9|3QB5`0(B9r(iR}0nUwJss-v=dXnwMRQFYSRK1blS#^g(3@z{`=8_CGDm!LESTWig zzm1{?AG&7`uYJ;PoFO$o8RWuYsV26V{>D-iYTnvq7igWx9@w$EC*FV^vpvDl@i9yp zPIqiX@hEZF4VqzI3Y)CHhR`xKN8poL&~ak|wgbE4zR%Dm(a@?bw%(7(!^>CM!^4@J z6Z)KhoQP;WBq_Z_&<@i2t2&xq>N>b;Np2rX?yK|-!14iE2T}E|jC+=wYe~`y38g3J z8QGZquvqBaG!vw&VtdXWX5*i5*% zJP~7h{?&E|<#l{klGPaun`IgAJ4;RlbRqgJz5rmHF>MtJHbfqyyZi53?Lhj=(Ku#& z__ubmZIxzSq3F90Xur!1)Vqe6b@!ueHA!93H~jdHmaS5Q^CULso}^poy)0Op6!{^9 zWyCyyIrdBP4fkliZ%*g+J-A!6VFSRF6Liu6G^^=W>cn81>4&7(c7(6vCGSAJ zQZ|S3mb|^Wf=yJ(h~rq`iiW~|n#$+KcblIR<@|lDtm!&NBzSG-1;7#YaU+-@=xIm4 zE}edTYd~e&_%+`dIqqgFntL-FxL3!m4yTNt<(^Vt9c6F(`?9`u>$oNxoKB29<}9FE zgf)VK!*F}nW?}l95%RRk8N4^Rf8)Xf;drT4<|lUDLPj^NPMrBPL;MX&0oGCsS za3}vWcF(IPx&W6{s%zwX{UxHX2&xLGfT{d9bWP!g;Lg#etpuno$}tHoG<4Kd*=kpU z;4%y(<^yj(UlG%l-7E9z_Kh2KoQ19qT3CR@Ghr>BAgr3Vniz3LmpC4g=g|A3968yD2KD$P7v$ zx9Q8`2&qH3&y-iv0#0+jur@}k`6C%7fKbCr|tHX2&O%r?rBpg`YNy~2m+ 
z*L7dP$RANzVUsG_Lb>=__``6vA*xpUecuGsL+AW?BeSwyoQfDlXe8R1*R1M{0#M?M zF+m19`3<`gM{+GpgW^=UmuK*yMh3}x)7P738wL8r@(Na6%ULPgbPVTa6gh5Q(SR0f znr6kdRpe^(LVM;6Rt(Z@Lsz3EX*ry6(WZ?w>#ZRelx)N%sE+MN>5G|Z8{%@b&D+Ov zPU{shc9}%;G7l;qbonIb_1m^Qc8ez}gTC-k02G8Rl?7={9zBz8uRX2{XJQ{vZhs67avlRn| zgRtWl0Lhjet&!YC47GIm%1gdq%T24_^@!W3pCywc89X4I5pnBCZDn(%!$lOGvS*`0!AoMtqxNPFgaMR zwoW$p;8l6v%a)vaNsesED3f}$%(>zICnoE|5JwP&+0XI}JxPccd+D^gx`g`=GsUc0 z9Uad|C+_@_0%JmcObGnS@3+J^0P!tg+fUZ_w#4rk#TlJYPXJiO>SBxzs9(J;XV9d{ zmTQE1(K8EYaz9p^XLbdWudyIPJlGPo0U*)fAh-jnbfm@SYD_2+?|DJ-^P+ojG{2{6 z>HJtedEjO@j_tqZ4;Zq1t5*5cWm~W?HGP!@_f6m#btM@46cEMhhK{(yI&jG)fwL1W z^n_?o@G8a-jYt!}$H*;{0#z8lANlo!9b@!c5K8<(#lPlpE!z86Yq#>WT&2} z;;G1$pD%iNoj#Z=&kij5&V1KHIhN-h<;{HC5wD)PvkF>CzlQOEx_0;-TJ*!#&{Wzt zKcvq^SZIdop}y~iouNqtU7K7+?eIz-v_rfNM>t#i+dD$s_`M;sjGubTdP)WI*uL@xPOLHt#~T<@Yz>xt50ZoTw;a(a}lNiDN-J${gOdE zx?8LOA|tv{Mb}=TTR=LcqMqbCJkKj+@;4Mu)Cu0{`~ohix6E$g&tff)aHeUAQQ%M? zIN4uSUTzC1iMEWL*W-in1y)C`E+R8j?4_?X4&2Zv5?QdkNMz(k} zw##^Ikx`#_s>i&CO_mu@vJJ*|3ePRDl5pq$9V^>D;g0R%l>lw;ttyM6Sy`NBF{)Lr zSk)V>mZr96+aHY%vTLLt%vO-+juw6^SO_ zYGJaGeWX6W(TOQx=5oTGXOFqMMU*uZyt>MR-Y`vxW#^&)H zk0!F8f*@v6NO@Z*@Qo)+hlX40EWcj~j9dGrLaq%1;DE_%#lffXCcJ;!ZyyyZTz74Q zb2WSly6sX{`gQeToQsi1-()5EJ1nJ*kXGD`xpXr~?F#V^sxE3qSOwRSaC9x9oa~jJ zTG9`E|q zC5Qs1xh}jzb5UPYF`3N9YuMnI7xsZ41P;?@c|%w zl=OxLr6sMGR+`LStLvh)g?fA5p|xbUD;yFAMQg&!PEDYxVYDfA>oTY;CFt`cg?Li1 z0b})!9Rvw&j#*&+D2))kXLL z0+j=?7?#~_}N-qdEIP>DQaZh#F(#e0WNLzwUAj@r694VJ8?Dr5_io2X49XYsG^ zREt0$HiNI~6VV!ycvao+0v7uT$_ilKCvsC+VDNg7yG1X+eNe^3D^S==F3ByiW0T^F zH6EsH^}Uj^VPIE&m)xlmOScYR(w750>hclqH~~dM2+;%GDXT`u4zG!p((*`Hwx41M z4KB+`hfT(YA%W)Ve(n+Gu9kuXWKzxg{1ff^xNQw>w%L-)RySTk9kAS92(X0Shg^Q? zx1YXg_TLC^?h6!4mBqZ9pKhXByu|u~gF%`%`vdoaGBN3^j4l!4x?Bw4Jd)Z4^di}! zXlG1;hFvc>H?bmmu1E7Vx=%vahd!P1#ZGJOJYNbaek^$DHt`EOE|Hlij+hX>ocQFSLVu|wz`|KVl@Oa;m2k6b*mNK2Vo{~l9>Qa3@B7G7#k?)aLx;w6U ze8bBq%vF?5v>#TspEoaII!N}sRT~>bh-VWJ7Q*1qsz%|G)CFmnttbq$Ogb{~YK_=! 
z{{0vhlW@g!$>|}$&4E3@k`KPElW6x#tSX&dfle>o!irek$NAbDzdd2pVeNzk4&qgJ zXvNF0$R96~g0x+R1igR=Xu&X_Hc5;!Ze&C)eUTB$9wW&?$&o8Yxhm5s(S`;?{> z*F?9Gr0|!OiKA>Rq-ae=_okB6&yMR?!JDer{@iQgIn=cGxs-u^!8Q$+N&pfg2WM&Z zulHu=Uh~U>fS{=Nm0x>ACvG*4R`Dx^kJ65&Vvfj`rSCV$5>c04N26Rt2S?*kh3JKq z9(3}5T?*x*AP(X2Ukftym0XOvg~r6Ms$2x&R&#}Sz23aMGU&7sU-cFvE3Eq`NBJe84VoftWF#v7PDAp`@V zRFCS24_k~;@~R*L)eCx@Q9EYmM)Sn}HLbVMyxx%{XnMBDc-YZ<(DXDBYUt8$u5Zh} zBK~=M9cG$?_m_M61YG+#|9Vef7LfbH>(C21&aC)x$^Lg}fa#SF){RX|?-xZjSOrn# z2ZAwUF)$VB<&S;R3FhNSQOV~8w%A`V9dWyLiy zgt7G=Z4t|zU3!dh5|s(@XyS|waBr$>@=^Dspmem8)@L`Ns{xl%rGdX!R(BiC5C7Vo zXetb$oC_iXS}2x_Hy}T(hUUNbO47Q@+^4Q`h>(R-;OxCyW#eoOeC51jzxnM1yxBrp zz6}z`(=cngs6X05e79o_B7@3K|Qpe3n38Py_~ zpi?^rj!`pq!7PHGliC$`-8A^Ib?2qgJJCW+(&TfOnFGJ+@-<<~`7BR0f4oSINBq&R z2CM`0%WLg_Duw^1SPwj-{?BUl2Y=M4e+7yL1{C&&f&zjF06#xf>VdLozgNye(BNgSD`=fFbBy0HIosLl@JwCQl^s;eTnc( z3!r8G=K>zb`|bLLI0N|eFJk%s)B>oJ^M@AQzqR;HUjLsOqW<0v>1ksT_#24*U@R3HJu*A^#1o#P3%3_jq>icD@<`tqU6ICEgZrME(xX#?i^Z z%Id$_uyQGlFD-CcaiRtRdGn|K`Lq5L-rx7`vYYGH7I=eLfHRozPiUtSe~Tt;IN2^gCXmf2#D~g2@9bhzK}3nphhG%d?V7+Zq{I2?Gt*!NSn_r~dd$ zqkUOg{U=MI?Ehx@`(X%rQB?LP=CjJ*V!rec{#0W2WshH$X#9zep!K)tzZoge*LYd5 z@g?-j5_mtMp>_WW`p*UNUZTFN{_+#m*bJzt{hvAdkF{W40{#L3w6gzPztnsA_4?&0 z(+>pv!zB16rR-(nm(^c>Z(its{ny677vT8sF564^mlZvJ!h65}OW%Hn|2OXbOQM%b z{6C54Z2v;^hyMQ;UH+HwFD2!F!VlQ}6Z{L0_9g5~CH0@Mqz?ZC`^QkhOU#$Lx<4`B zyZsa9uPF!rZDo8ZVfzzR#raQ>5|)k~_Ef*wDqG^76o)j!C4 zykvT*o$!-MBko@?{b~*Zf2*YMlImrK`cEp|#D7f%Twm<|C|dWD \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. 
+while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null - -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + # Determine the Java command to use to start the JVM. if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 
@@ -81,92 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. 
+ # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) -# For Cygwin, switch paths to Windows format before running java -if $cygwin ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} 
t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=$((i+1)) + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - (0) set -- ;; - (1) set -- "$args0" ;; - (2) set -- "$args0" "$args1" ;; - (3) set -- "$args0" "$args1" "$args2" ;; - (4) set -- "$args0" "$args1" "$args2" "$args3" ;; - (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=$(save "$@") - -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" -# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong -if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then - cd "$(dirname "$0")" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" fi +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index 6d57edc..25da30d 100644 --- a/gradlew.bat +++ b/gradlew.bat 
@@ -1,4 +1,20 @@ -@if "%DEBUG%" == "" @echo off +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -9,25 +25,29 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -set DEFAULT_JVM_OPTS="-Xmx64m" +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" @rem Find java.exe if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute -echo. -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 goto fail 
@@ -35,48 +55,36 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute -echo. -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/idporten-sidecar-mock/build.gradle.kts b/idporten-sidecar-mock/build.gradle.kts index d3411a9..a31119e 100644 
--- a/idporten-sidecar-mock/build.gradle.kts +++ b/idporten-sidecar-mock/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { @@ -15,7 +14,6 @@ dependencies { implementation(Ktor.clientJson) implementation(Nimbusds.joseJwt) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) testImplementation(Kotest.runnerJunit) @@ -59,8 +57,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/idporten-sidecar-mock/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mock/IdPortenAuthTest.kt b/idporten-sidecar-mock/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mock/IdPortenAuthTest.kt index ff9a162..b9de036 100644 --- a/idporten-sidecar-mock/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mock/IdPortenAuthTest.kt +++ b/idporten-sidecar-mock/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mock/IdPortenAuthTest.kt @@ -1,5 +1,6 @@ package no.nav.tms.token.support.idporten.sidecar.mock +import io.kotest.matchers.shouldBe import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* @@ -10,7 +11,6 @@ import io.ktor.server.routing.* import io.ktor.server.testing.* import no.nav.tms.token.support.idporten.sidecar.IdPortenAuthenticator import no.nav.tms.token.support.idporten.sidecar.user.IdportenUserFactory -import org.amshove.kluent.`should be equal to` import org.junit.jupiter.api.Test internal class IdPortenAuthTest { @@ -32,7 +32,7 @@ internal class IdPortenAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } @Test 
@@ -52,8 +52,8 @@ internal class IdPortenAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.OK - response.body() `should be equal to` userPid + response.status shouldBe HttpStatusCode.OK + response.body() shouldBe userPid } @Test @@ -72,7 +72,7 @@ internal class IdPortenAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } private fun Application.testApi(authConfig: Application.() -> Unit) { diff --git a/idporten-sidecar/build.gradle.kts b/idporten-sidecar/build.gradle.kts index 5263a9f..8eecde3 100644 --- a/idporten-sidecar/build.gradle.kts +++ b/idporten-sidecar/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { @@ -15,12 +14,11 @@ dependencies { implementation(Ktor.clientJson) implementation(Ktor.serialization) implementation(Ktor.clientContentNegotiation) - implementation(Ktor.serializationKotlinxJson) + implementation(Ktor.jackson) implementation(Ktor.serverForwardedHeaders) implementation(Ktor.serverNetty) implementation(Nimbusds.oauth2OidcSdk) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Mockk.mockk) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) @@ -66,8 +64,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenEnvironment.kt b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenEnvironment.kt new file mode 100644 index 0000000..0d1c029 --- /dev/null +++ b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenEnvironment.kt 
@@ -0,0 +1,23 @@ +package no.nav.tms.token.support.idporten.sidecar + +// Proxy for System environment which allows for mocking or overwriting default env +object IdPortenEnvironment { + private val baseEnv = System.getenv() + + private val env = mutableMapOf() + + init { + env.putAll(baseEnv) + } + + fun get(name: String) = env[name] + + fun extend(envMap: Map) { + env.putAll(envMap) + } + + fun reset() { + env.clear() + env.putAll(baseEnv) + } +} diff --git a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/HttpClientBuilder.kt b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/HttpClientBuilder.kt index 6eb917c..33d1fe5 100644 --- a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/HttpClientBuilder.kt +++ b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/HttpClientBuilder.kt @@ -1,11 +1,11 @@ package no.nav.tms.token.support.idporten.sidecar.install +import com.fasterxml.jackson.databind.DeserializationFeature import io.ktor.client.* import io.ktor.client.engine.apache.* import io.ktor.client.plugins.* import io.ktor.client.plugins.contentnegotiation.* -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.json.Json +import io.ktor.serialization.jackson.* import org.apache.http.impl.conn.SystemDefaultRoutePlanner import java.net.ProxySelector @@ -13,7 +13,9 @@ internal object HttpClientBuilder { internal fun buildHttpClient(enableDefaultProxy: Boolean): HttpClient { return HttpClient(Apache) { install(ContentNegotiation) { - json(kotlinxSerializer()) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } install(HttpTimeout) 
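Review bot: `extend` and `reset` on `IdPortenEnvironment` are public in the main source set, so any code in the same process can overwrite `IDPORTEN_WELL_KNOWN_URL` after startup. The tokenVerifier.kt change in this commit reads that value to locate the issuer and JWKS metadata, so an override reaches the token-verification trust configuration and not only test setup. The tests that call these functions appear to live in the same module, so declaring them as `internal fun extend(...)` and `internal fun reset()` would keep the hook out of the published API. The backing `mutableMapOf` is also shared without synchronisation, which matters if test classes ever run in parallel. The diffstat lists `AzureEnvironment` and `TokenXEnvironment` objects that presumably have the same shape.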
@@ -23,12 +25,6 @@ internal object HttpClientBuilder { } } - private fun kotlinxSerializer() = - Json { - ignoreUnknownKeys = true - } - - private fun HttpClientConfig.enableSystemDefaultProxy() { engine { customizeClient { setRoutePlanner(SystemDefaultRoutePlanner(ProxySelector.getDefault())) } diff --git a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/loginApi.kt b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/loginApi.kt index dc48be1..fa2a701 100644 --- a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/loginApi.kt +++ b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/loginApi.kt @@ -1,14 +1,12 @@ package no.nav.tms.token.support.idporten.sidecar.install import com.auth0.jwt.interfaces.DecodedJWT +import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper import io.ktor.http.* import io.ktor.server.application.* import io.ktor.server.response.* import io.ktor.server.routing.* import io.ktor.util.date.* -import kotlinx.serialization.Serializable -import kotlinx.serialization.encodeToString -import kotlinx.serialization.json.Json import no.nav.tms.token.support.idporten.sidecar.user.IdportenUserFactory private const val postLoginRedirectCookie = "redirect_uri" @@ -96,16 +94,16 @@ private fun String.isStub() = when(this) { else -> false } +private val objectMapper = jacksonObjectMapper() private suspend fun ApplicationCall.respondJson(status: LoginStatus) { response.headers.append(HttpHeaders.ContentType, ContentType.Application.Json.toString()) respond( status = HttpStatusCode.OK, - message = Json.encodeToString(status) + message = objectMapper.writeValueAsString(status) ) } -@Serializable internal data class LoginStatus( val authenticated: Boolean, val level: Int?, 
diff --git a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/tokenVerifier.kt b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/tokenVerifier.kt index 595a54e..97381e5 100644 --- a/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/tokenVerifier.kt +++ b/idporten-sidecar/src/main/kotlin/no/nav/tms/token/support/idporten/sidecar/install/tokenVerifier.kt @@ -7,18 +7,18 @@ import com.auth0.jwt.JWT import com.auth0.jwt.algorithms.Algorithm import com.auth0.jwt.interfaces.DecodedJWT import com.auth0.jwt.interfaces.JWTVerifier +import com.fasterxml.jackson.annotation.JsonAlias import io.ktor.client.* import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* import kotlinx.coroutines.runBlocking -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable +import no.nav.tms.token.support.idporten.sidecar.IdPortenEnvironment import java.net.URL import java.security.interfaces.RSAPublicKey import java.util.concurrent.TimeUnit -private fun getIdportenWellKnownUrl() = System.getenv("IDPORTEN_WELL_KNOWN_URL") +private fun getIdportenWellKnownUrl() = IdPortenEnvironment.get("IDPORTEN_WELL_KNOWN_URL") ?: throw IllegalArgumentException("Fant ikke IDPORTEN_WELL_KNOWN_URL som brukes i token-support-idporten-sidecar. Påse at nais.yaml er konfigurert riktig.") internal fun initializeTokenVerifier( @@ -91,10 +91,9 @@ internal class TokenVerifier private constructor( } } -@Serializable internal data class OauthServerConfigurationMetadata( - @SerialName("issuer") val issuer: String, - @SerialName("jwks_uri") val jwksUri: String, + @JsonAlias("issuer") val issuer: String, + @JsonAlias("jwks_uri") val jwksUri: String, ) private fun fetchMetadata(client: HttpClient, wellKnownUrl: String): OauthServerConfigurationMetadata = runBlocking { 
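Review bot: `@JsonAlias("jwks_uri")` only adds an accepted name on deserialization, so `OauthServerConfigurationMetadata` now also binds a `jwksUri` key, which the removed `@SerialName` mapping did not. `@JsonAlias("issuer")` has no effect because the property already has that name. To pin the wire names of the metadata document as before, use `@JsonProperty("issuer") val issuer: String,` and `@JsonProperty("jwks_uri") val jwksUri: String,` with `import com.fasterxml.jackson.annotation.JsonProperty`. `fetchMetadata` begins on the last line of the hunk and its body is outside it, so whether the returned issuer is checked against an expected value cannot be seen here.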
diff --git a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenAuthIT.kt b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenAuthIT.kt index 4d6e828..e178634 100644 --- a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenAuthIT.kt +++ b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenAuthIT.kt @@ -1,7 +1,7 @@ package no.nav.tms.token.support.idporten.sidecar import com.auth0.jwt.interfaces.DecodedJWT -import io.kotest.extensions.system.withEnvironment +import io.kotest.matchers.shouldBe import io.ktor.client.request.* import io.ktor.http.* import io.ktor.server.application.* @@ -12,7 +12,6 @@ import io.ktor.server.testing.* import io.mockk.* import no.nav.tms.token.support.idporten.sidecar.install.HttpClientBuilder import no.nav.tms.token.support.idporten.sidecar.install.TokenVerifier -import org.amshove.kluent.`should be equal to` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.BeforeEach import org.junit.jupiter.api.Test @@ -39,6 +38,7 @@ internal class IdPortenAuthIT { @AfterEach fun cleanUp() { + IdPortenEnvironment.reset() clearMocks(verifier) unmockkObject(HttpClientBuilder) unmockkObject(TokenVerifier) @@ -54,7 +54,7 @@ internal class IdPortenAuthIT { val status = client.get("/test") .status - status `should be equal to` HttpStatusCode.Unauthorized + status shouldBe HttpStatusCode.Unauthorized } @Test @@ -66,7 +66,7 @@ internal class IdPortenAuthIT { val status = client.get("/test").status - status `should be equal to` HttpStatusCode.Unauthorized + status shouldBe HttpStatusCode.Unauthorized } @Test @@ -82,7 +82,7 @@ internal class IdPortenAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $dummyToken") }.status - status `should be equal to` HttpStatusCode.OK + status shouldBe HttpStatusCode.OK } @Test 
@@ -98,23 +98,23 @@ internal class IdPortenAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $dummyToken") }.status - status `should be equal to` HttpStatusCode.Unauthorized + status shouldBe HttpStatusCode.Unauthorized } @Test fun `Allows installing multiple authorizers in parallel`() = testApplication { + IdPortenEnvironment.extend(envVars) + application { - withEnvironment(envVars) { - authentication { - idPorten { - setAsDefault = true - levelOfAssurance = LevelOfAssurance.HIGH - } - idPorten { - setAsDefault = false - authenticatorName = "other" - } + authentication { + idPorten { + setAsDefault = true + levelOfAssurance = LevelOfAssurance.HIGH + } + idPorten { + setAsDefault = false + authenticatorName = "other" } } routing { @@ -135,14 +135,16 @@ internal class IdPortenAuthIT { client.get("/test/one") { headers.append(HttpHeaders.Authorization, "Bearer $dummyToken") - }.status `should be equal to` HttpStatusCode.OK + }.status shouldBe HttpStatusCode.OK client.get("/test/two") { headers.append(HttpHeaders.Authorization, "Bearer $dummyToken") - }.status `should be equal to` HttpStatusCode.OK + }.status shouldBe HttpStatusCode.OK } - private fun Application.testApi() = withEnvironment(envVars) { + private fun Application.testApi() { + + IdPortenEnvironment.extend(envVars) authentication { idPorten { } @@ -157,7 +159,9 @@ internal class IdPortenAuthIT { } } - private fun Application.testApiWithDefault() = withEnvironment(envVars) { + private fun Application.testApiWithDefault() { + + IdPortenEnvironment.extend(envVars) authentication { idPorten { diff --git a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenPluginTest.kt b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenPluginTest.kt index a319f77..a0b4f3d 100644 --- a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenPluginTest.kt 
+++ b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/IdPortenPluginTest.kt @@ -2,7 +2,10 @@ package no.nav.tms.token.support.idporten.sidecar import com.auth0.jwt.interfaces.Claim import com.auth0.jwt.interfaces.DecodedJWT -import io.kotest.extensions.system.withEnvironment +import com.fasterxml.jackson.databind.node.NullNode +import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper +import io.kotest.matchers.nulls.shouldBeNull +import io.kotest.matchers.shouldBe import io.ktor.client.* import io.ktor.client.request.* import io.ktor.client.statement.* @@ -11,12 +14,9 @@ import io.ktor.server.application.* import io.ktor.server.testing.* import io.ktor.util.* import io.mockk.* -import kotlinx.serialization.json.* import no.nav.tms.token.support.idporten.sidecar.install.HttpClientBuilder import no.nav.tms.token.support.idporten.sidecar.install.IdPortenLevelOfAssurance import no.nav.tms.token.support.idporten.sidecar.install.TokenVerifier -import org.amshove.kluent.`should be equal to` -import org.amshove.kluent.`should be instance of` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.BeforeEach import org.junit.jupiter.api.Test @@ -32,7 +32,7 @@ class IdPortenPluginTest { private val dummyToken = "token" - private val objectMapper = Json + private val objectMapper = jacksonObjectMapper() @BeforeEach fun setupMock() { @@ -44,6 +44,7 @@ class IdPortenPluginTest { @AfterEach fun cleanUp() { + IdPortenEnvironment.reset() clearMocks(verifier) unmockkObject(HttpClientBuilder) unmockkObject(TokenVerifier) @@ -53,8 +54,8 @@ class IdPortenPluginTest { fun `Enables login endpoint which redirects to callback`() = loginApiTest { client -> client.get("/login").let { - it.status `should be equal to` HttpStatusCode.Found - it.headers["location"] `should be equal to` "/oauth2/login?redirect=/login/callback" + it.status shouldBe HttpStatusCode.Found + it.headers["location"] shouldBe "/oauth2/login?redirect=/login/callback" } } 
@@ -64,14 +65,13 @@ class IdPortenPluginTest { client.get("/login/status") { accept(ContentType.Application.Json) }.let { response -> - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK response.bodyAsText() - .let(objectMapper::parseToJsonElement) - .let { it as JsonObject } + .let(objectMapper::readTree) .let { - it["authenticated"]?.jsonPrimitive?.boolean `should be equal to` false - it["level"] `should be instance of` JsonNull::class - it["levelOfAssurance"] `should be instance of` JsonNull::class + it["authenticated"]?.asBoolean() shouldBe false + it["level"].isNull shouldBe true + it["levelOfAssurance"].isNull shouldBe true } } } @@ -96,24 +96,23 @@ class IdPortenPluginTest { bearerAuth(dummyToken) accept(ContentType.Application.Json) }.let { response -> - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK response.bodyAsText() - .let(objectMapper::parseToJsonElement) - .let { it as JsonObject } + .let(objectMapper::readTree) .let { - it["authenticated"]?.jsonPrimitive?.boolean `should be equal to` true - it["level"]?.jsonPrimitive?.int `should be equal to` 4 - it["levelOfAssurance"]?.jsonPrimitive?.content `should be equal to` IdPortenLevelOfAssurance.High.name + it["authenticated"]?.asBoolean() shouldBe true + it["level"]?.asInt() shouldBe 4 + it["levelOfAssurance"]?.asText() shouldBe IdPortenLevelOfAssurance.High.name } } } @KtorDsl private fun loginApiTest(block: suspend TestApplicationBuilder.(HttpClient) -> Unit) = testApplication { + IdPortenEnvironment.extend(envVars) + application { - withEnvironment(envVars) { - install(IdPortenLogin) - } + install(IdPortenLogin) } val client = createClient { diff --git a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/ObjectMapper.kt b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/ObjectMapper.kt deleted file mode 100644 index 2322d89..0000000 
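Review bot: In the unauthenticated `/login/status` test, `it["level"].isNull shouldBe true` and the matching `levelOfAssurance` line dereference the result of `JsonNode.get`, which is null when the key is absent. A response that drops the field would then fail with a NullPointerException rather than an assertion message. Comparing the node itself, `it["level"] shouldBe NullNode.instance`, keeps the check strict and gives a readable failure. It also uses the `NullNode` import this commit adds to the file, which no visible hunk otherwise references. The enclosing test function starts above the hunk.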
--- a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/ObjectMapper.kt +++ /dev/null @@ -1,9 +0,0 @@ -package no.nav.tms.token.support.idporten.sidecar - -import kotlinx.serialization.json.Json - -internal object ObjectMapper { - val kotlinxMapper = Json { - ignoreUnknownKeys = true - } -} diff --git a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/install/TokenVerifierTest.kt b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/install/TokenVerifierTest.kt index 10cf7f6..6778baf 100644 --- a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/install/TokenVerifierTest.kt +++ b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/install/TokenVerifierTest.kt @@ -3,14 +3,13 @@ package no.nav.tms.token.support.idporten.sidecar.install import com.auth0.jwk.Jwk import com.auth0.jwk.JwkProvider import com.nimbusds.jose.jwk.RSAKey +import io.kotest.assertions.throwables.shouldNotThrow +import io.kotest.assertions.throwables.shouldThrow import io.mockk.clearMocks import io.mockk.every import io.mockk.mockk import no.nav.tms.token.support.idporten.sidecar.JwkBuilder import no.nav.tms.token.support.idporten.sidecar.JwtBuilder -import org.amshove.kluent.invoking -import org.amshove.kluent.`should not throw` -import org.amshove.kluent.`should throw` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.Test import java.time.Instant @@ -51,9 +50,9 @@ internal class TokenVerifierTest { every { jwkProvider.get(any()) } returns jwk.toJwk() - invoking { + shouldNotThrow { verifier.verifyAccessToken(token) - } `should not throw` Exception::class + } } @Test @@ -75,9 +74,9 @@ internal class TokenVerifierTest { every { jwkProvider.get(any()) } returns jwk.toJwk() - invoking { + shouldThrow { verifier.verifyAccessToken(token) - } `should throw` Exception::class + } } @Test 
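Review bot: The `shouldThrow { verifier.verifyAccessToken(token) }` block here, and the two in the following hunks of this file, show no exception type. The type argument looks lost in this rendering, and the removed lines asserted `Exception::class`. If the new code is still pinned to `Exception`, these tests also pass when the call fails for an unrelated reason such as a mis-stubbed `jwkProvider`, so they do not show that the token was rejected for the reason the test sets up. Asserting the verifier's own failure type makes each test fail for the right cause; that type is presumably auth0's `JWTVerificationException`, to be confirmed against `TokenVerifier`. The test functions start above each hunk, so the token defect each one builds is not visible here.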
@@ -99,9 +98,9 @@ internal class TokenVerifierTest { every { jwkProvider.get(any()) } returns jwk.toJwk() - invoking { + shouldThrow { verifier.verifyAccessToken(token) - } `should throw` Exception::class + } } @Test @@ -123,9 +122,9 @@ internal class TokenVerifierTest { every { jwkProvider.get(any()) } returns jwk.toJwk() - invoking { + shouldThrow { verifier.verifyAccessToken(token) - } `should throw` Exception::class + } } } diff --git a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mockedClient.kt b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mockedClient.kt index 4cc45cf..75d0f43 100644 --- a/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mockedClient.kt +++ b/idporten-sidecar/src/test/kotlin/no/nav/tms/token/support/idporten/sidecar/mockedClient.kt @@ -1,19 +1,21 @@ package no.nav.tms.token.support.idporten.sidecar +import com.fasterxml.jackson.databind.DeserializationFeature +import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper import io.ktor.client.* import io.ktor.client.engine.mock.* import io.ktor.client.plugins.contentnegotiation.* import io.ktor.http.* import io.ktor.http.HttpStatusCode.Companion.OK -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.encodeToString -import no.nav.tms.token.support.idporten.sidecar.ObjectMapper.kotlinxMapper +import io.ktor.serialization.jackson.* import no.nav.tms.token.support.idporten.sidecar.install.OauthServerConfigurationMetadata val mockedClient = HttpClient(MockEngine) { install(ContentNegotiation) { - json(kotlinxMapper) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } engine { 
@@ -39,7 +41,7 @@ internal val idportenMetadata = OauthServerConfigurationMetadata( ) private val metadataJson: String = idportenMetadata.let { metadata -> - kotlinxMapper.encodeToString(metadata) + jacksonObjectMapper().writeValueAsString(metadata) } private val Url.hostWithPortIfRequired: String get() = if (port == protocol.defaultPort) host else hostWithPort diff --git a/tokendings-exchange/build.gradle.kts b/tokendings-exchange/build.gradle.kts index 0f603b5..d2c09ef 100644 --- a/tokendings-exchange/build.gradle.kts +++ b/tokendings-exchange/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { @@ -12,7 +11,7 @@ dependencies { implementation(Ktor.clientContentNegotiation) implementation(Ktor.clientJson) implementation(Ktor.serialization) - implementation(Ktor.serializationKotlinxJson) + implementation(Ktor.jackson) implementation(Ktor.serverAuth) implementation(Ktor.serverAuthJwt) implementation(Ktor.serverNetty) @@ -20,7 +19,6 @@ dependencies { implementation(KotlinLogging.logging) implementation(Nimbusds.joseJwt) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Mockk.mockk) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) @@ -65,8 +63,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/TokenXEnvironment.kt b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/TokenXEnvironment.kt new file mode 100644 index 0000000..f7c2b0a --- /dev/null +++ b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/TokenXEnvironment.kt 
@@ -0,0 +1,23 @@ +package no.nav.tms.token.support.tokendings.exchange + +// Proxy for System environment which allows for mocking or overwriting default env +object TokenXEnvironment { + private val baseEnv = System.getenv() + + private val env = mutableMapOf() + + init { + env.putAll(baseEnv) + } + + fun get(name: String) = env[name] + + fun extend(envMap: Map) { + env.putAll(envMap) + } + + fun reset() { + env.clear() + env.putAll(baseEnv) + } +} diff --git a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/Environment.kt b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/Environment.kt index a80ce8d..4a08420 100644 --- a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/Environment.kt +++ b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/Environment.kt @@ -1,12 +1,12 @@ package no.nav.tms.token.support.tokendings.exchange.config +import no.nav.tms.token.support.tokendings.exchange.TokenXEnvironment + internal class Environment ( val tokenxWellKnownUrl: String = getTokenxEnvVar("TOKEN_X_WELL_KNOWN_URL"), val tokenxClientId: String = getTokenxEnvVar("TOKEN_X_CLIENT_ID"), val tokenxClientJwk: String = getTokenxEnvVar("TOKEN_X_PRIVATE_JWK") ) -private fun getTokenxEnvVar(varName: String): String { - return System.getenv(varName) - ?: throw IllegalArgumentException("Fant ikke $varName for tokenx. Påse at nais.yaml er konfigurert riktig.") -} +private fun getTokenxEnvVar(varName: String) = TokenXEnvironment.get(varName) + ?: throw IllegalArgumentException("Fant ikke $varName for tokenx. Påse at nais.yaml er konfigurert riktig.") diff --git a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/HttpClientBuilder.kt b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/HttpClientBuilder.kt index 8941227..3216824 100644 
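Review bot: `TokenXEnvironment` is added under `src/main` as a public `object` with public `extend` and `reset`, so any code on the classpath of a consuming application can replace `TOKEN_X_WELL_KNOWN_URL`, `TOKEN_X_CLIENT_ID` or `TOKEN_X_PRIVATE_JWK` before `Environment` reads them through `getTokenxEnvVar`. Those values decide which issuer metadata is trusted and, presumably, which key signs the client assertion, so the override hook should not be part of the published API. Use `internal object TokenXEnvironment` (tests in the same module can still reach it), or at least `internal fun extend` and `internal fun reset`. The backing `mutableMapOf` is also unsynchronised shared state, which matters if test classes run in parallel. The same applies to the copy added in tokenx-validation later in this patch.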
--- a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/HttpClientBuilder.kt +++ b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/HttpClientBuilder.kt @@ -1,25 +1,22 @@ package no.nav.tms.token.support.tokendings.exchange.config +import com.fasterxml.jackson.databind.DeserializationFeature import io.ktor.client.* import io.ktor.client.engine.apache.* import io.ktor.client.plugins.* import io.ktor.client.plugins.contentnegotiation.* -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.json.Json +import io.ktor.serialization.jackson.* internal object HttpClientBuilder { internal fun buildHttpClient(): HttpClient { return HttpClient(Apache) { install(ContentNegotiation) { - json(kotlinxSerializer()) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } install(HttpTimeout) } } - - private fun kotlinxSerializer() = - Json { - ignoreUnknownKeys = true - } } diff --git a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/TokendingsConfigurationMetadata.kt b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/TokendingsConfigurationMetadata.kt index 2f53fdb..476258e 100644 --- a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/TokendingsConfigurationMetadata.kt +++ b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/config/TokendingsConfigurationMetadata.kt 
@@ -1,11 +1,9 @@ package no.nav.tms.token.support.tokendings.exchange.config -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable +import com.fasterxml.jackson.annotation.JsonAlias -@Serializable internal data class TokendingsConfigurationMetadata( - @SerialName("issuer") val issuer: String, - @SerialName("token_endpoint") val tokenEndpoint: String, - @SerialName("jwks_uri") val jwksUri: String + @JsonAlias("issuer") val issuer: String, + @JsonAlias("token_endpoint") val tokenEndpoint: String, + @JsonAlias("jwks_uri") val jwksUri: String ) diff --git a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/consumer/TokendingsTokenResponse.kt b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/consumer/TokendingsTokenResponse.kt index ff40c77..8d89ec8 100644 --- a/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/consumer/TokendingsTokenResponse.kt +++ b/tokendings-exchange/src/main/kotlin/no/nav/tms/token/support/tokendings/exchange/consumer/TokendingsTokenResponse.kt @@ -1,12 +1,10 @@ package no.nav.tms.token.support.tokendings.exchange.consumer -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable +import com.fasterxml.jackson.annotation.JsonAlias -@Serializable internal data class TokendingsTokenResponse( - @SerialName("access_token") val accessToken: String, - @SerialName("issued_token_type") val issuedTokenType: String, - @SerialName("token_type") val tokenType: String, - @SerialName("expires_in") val expiresIn: Int + @JsonAlias("access_token") val accessToken: String, + @JsonAlias("issued_token_type") val issuedTokenType: String, + @JsonAlias("token_type") val tokenType: String, + @JsonAlias("expires_in") val expiresIn: Int ) 
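Review bot: `@JsonAlias` in `TokendingsConfigurationMetadata` and `TokendingsTokenResponse` only adds an extra name accepted on deserialization, so `tokenEndpoint`, `jwksUri`, `accessToken` and the rest are still accepted and emitted under their camelCase property names, unlike the removed `@SerialName`. For fields that select the token endpoint and JWKS location, binding exactly one wire name is tighter: `@JsonProperty("jwks_uri") val jwksUri: String`, and likewise for the other parameters. The same annotation is used on `OauthServerConfigurationMetadata` in tokenx-validation's `tokenVerifier.kt`. There the `mockedClient.kt` fixture built with `jacksonObjectMapper().writeValueAsString(metadata)` would emit camelCase keys and never exercise the snake_case names a real metadata document uses.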
diff --git a/tokendings-exchange/src/test/kotlin/no/nav/tms/token/support/tokendings/exchange/TokendingsServiceTest.kt b/tokendings-exchange/src/test/kotlin/no/nav/tms/token/support/tokendings/exchange/TokendingsServiceTest.kt index 2329523..8f610b0 100644 --- a/tokendings-exchange/src/test/kotlin/no/nav/tms/token/support/tokendings/exchange/TokendingsServiceTest.kt +++ b/tokendings-exchange/src/test/kotlin/no/nav/tms/token/support/tokendings/exchange/TokendingsServiceTest.kt @@ -1,6 +1,9 @@ package no.nav.tms.token.support.tokendings.exchange import com.nimbusds.jwt.SignedJWT +import io.kotest.matchers.collections.shouldContain +import io.kotest.matchers.shouldBe +import io.kotest.matchers.shouldNotBe import io.mockk.* import kotlinx.coroutines.runBlocking import no.nav.tms.token.support.tokendings.exchange.config.cache.AccessTokenKey @@ -8,9 +11,6 @@ import no.nav.tms.token.support.tokendings.exchange.consumer.TokendingsConsumer import no.nav.tms.token.support.tokendings.exchange.service.CachingTokendingsService import no.nav.tms.token.support.tokendings.exchange.service.NonCachingTokendingsService import no.nav.tms.token.support.tokendings.exchange.service.TokenStringUtil -import org.amshove.kluent.`should be equal to` -import org.amshove.kluent.`should contain` -import org.amshove.kluent.`should not be equal to` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.Test @@ -47,14 +47,14 @@ internal class TokendingsServiceTest { nonCachingtokendingsService.exchangeToken(token, target) } - result `should be equal to` exchangedToken + result shouldBe exchangedToken val signedJwt = assertion.captured.let { SignedJWT.parse(it) } val claims = signedJwt.jwtClaimsSet - claims.audience `should contain` jwtAudience - claims.issuer `should be equal to` clientId - claims.subject `should be equal to` clientId + claims.audience shouldContain jwtAudience + claims.issuer shouldBe clientId + claims.subject shouldBe clientId } @Test 
@@ -79,14 +79,14 @@ internal class TokendingsServiceTest { cachingTokendingsService.exchangeToken(token, target) } - result `should be equal to` exchangedToken + result shouldBe exchangedToken val signedJwt = assertion.captured.let { SignedJWT.parse(it) } val claims = signedJwt.jwtClaimsSet - claims.audience `should contain` jwtAudience - claims.issuer `should be equal to` clientId - claims.subject `should be equal to` clientId + claims.audience shouldContain jwtAudience + claims.issuer shouldBe clientId + claims.subject shouldBe clientId } @Test @@ -184,10 +184,10 @@ internal class TokendingsServiceTest { coVerify(exactly = 1) {tokendingsConsumer.exchangeToken(any(), any(), target1) } coVerify(exactly = 1) {tokendingsConsumer.exchangeToken(any(), any(), target2) } - result1 `should be equal to` result3 - result2 `should be equal to` result4 - result1 `should not be equal to` result2 - result3 `should not be equal to` result4 + result1 shouldBe result3 + result2 shouldBe result4 + result1 shouldNotBe result2 + result3 shouldNotBe result4 } @Test @@ -233,9 +233,9 @@ internal class TokendingsServiceTest { coVerify(exactly = 1) {tokendingsConsumer.exchangeToken(token1, any(), target) } coVerify(exactly = 1) {tokendingsConsumer.exchangeToken(token2, any(), target) } - result1 `should be equal to` result3 - result2 `should be equal to` result4 - result1 `should not be equal to` result2 - result3 `should not be equal to` result4 + result1 shouldBe result3 + result2 shouldBe result4 + result1 shouldNotBe result2 + result3 shouldNotBe result4 } } diff --git a/tokenx-validation-mock/build.gradle.kts b/tokenx-validation-mock/build.gradle.kts index 8fcb956..6101336 100644 --- a/tokenx-validation-mock/build.gradle.kts +++ b/tokenx-validation-mock/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { 
@@ -15,7 +14,6 @@ dependencies { implementation(Ktor.clientJson) implementation(Nimbusds.joseJwt) testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) testImplementation(Kotest.runnerJunit) @@ -59,8 +57,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/tokenx-validation-mock/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mock/TokenXAuthTest.kt b/tokenx-validation-mock/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mock/TokenXAuthTest.kt index f4ed031..171c64a 100644 --- a/tokenx-validation-mock/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mock/TokenXAuthTest.kt +++ b/tokenx-validation-mock/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mock/TokenXAuthTest.kt @@ -1,5 +1,6 @@ package no.nav.tms.token.support.tokenx.validation.mock +import io.kotest.matchers.shouldBe import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* @@ -10,7 +11,6 @@ import io.ktor.server.routing.* import io.ktor.server.testing.* import no.nav.tms.token.support.tokenx.validation.TokenXAuthenticator import no.nav.tms.token.support.tokenx.validation.user.TokenXUserFactory -import org.amshove.kluent.`should be equal to` import org.junit.jupiter.api.Test internal class TokenXAuthTest { @@ -33,7 +33,7 @@ internal class TokenXAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } @Test @@ -53,8 +53,8 @@ internal class TokenXAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.OK - response.body() `should be equal to` userPid + response.status shouldBe HttpStatusCode.OK + response.body() shouldBe userPid } @Test 
@@ -73,7 +73,7 @@ internal class TokenXAuthTest { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } private fun Application.testApi(authConfig: Application.() -> Unit) { diff --git a/tokenx-validation/build.gradle.kts b/tokenx-validation/build.gradle.kts index 2d53c9b..4302d4d 100644 --- a/tokenx-validation/build.gradle.kts +++ b/tokenx-validation/build.gradle.kts @@ -2,7 +2,6 @@ plugins { `maven-publish` `java-library` kotlin("jvm") - kotlin("plugin.serialization") } dependencies { @@ -13,15 +12,14 @@ dependencies { implementation(Ktor.clientContentNegotiation) implementation(Ktor.clientJson) implementation(Ktor.serialization) - implementation(Ktor.serializationKotlinxJson) + implementation(Ktor.jackson) implementation(Ktor.serverAuth) implementation(Ktor.serverAuthJwt) + implementation(Ktor.serverAuthJvm) + implementation(Ktor.serverCoreJvm) + implementation(Ktor.serverAuthLdapJvm) implementation(Nimbusds.joseJwt) - implementation("io.ktor:ktor-server-auth-jvm:2.3.0") - implementation("io.ktor:ktor-server-core-jvm:2.3.0") - implementation("io.ktor:ktor-server-auth-ldap-jvm:2.3.0") testImplementation(kotlin("test-junit5")) - testImplementation(Kluent.kluent) testImplementation(Mockk.mockk) testImplementation(Ktor.clientMock) testImplementation(Ktor.serverTestHost) @@ -66,8 +64,8 @@ publishing { } } -java { - toolchain { +kotlin { + jvmToolchain { languageVersion.set(JavaLanguageVersion.of(17)) } } diff --git a/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXEnvironment.kt b/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXEnvironment.kt new file mode 100644 index 0000000..047b20f --- /dev/null +++ b/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXEnvironment.kt 
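Review bot: `implementation(Ktor.serverAuthLdapJvm)` carries the LDAP authentication module forward into tokenx-validation's runtime classpath, yet none of the tokenx-validation sources shown in this patch reference LDAP. If nothing outside these hunks uses it, drop the line rather than moving it into the shared catalog, since every consumer of this library inherits the transitive dependency. `Ktor.serverAuthJvm` may likewise duplicate `Ktor.serverAuth` two lines above; worth checking against `buildSrc/src/main/kotlin/dependencies.kt`.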
@@ -0,0 +1,23 @@ +package no.nav.tms.token.support.tokenx.validation + +// Proxy for System environment which allows for mocking or overwriting default env +object TokenXEnvironment { + private val baseEnv = System.getenv() + + private val env = mutableMapOf() + + init { + env.putAll(baseEnv) + } + + fun get(name: String) = env[name] + + fun extend(envMap: Map) { + env.putAll(envMap) + } + + fun reset() { + env.clear() + env.putAll(baseEnv) + } +} diff --git a/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/HttpClientBuilder.kt b/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/HttpClientBuilder.kt index 124c32a..68a2590 100644 --- a/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/HttpClientBuilder.kt +++ b/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/HttpClientBuilder.kt @@ -1,26 +1,23 @@ package no.nav.tms.token.support.tokenx.validation.install +import com.fasterxml.jackson.databind.DeserializationFeature import io.ktor.client.* import io.ktor.client.engine.apache.* import io.ktor.client.plugins.* import io.ktor.client.plugins.contentnegotiation.* -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.json.Json +import io.ktor.serialization.jackson.* internal object HttpClientBuilder { internal fun build(): HttpClient { return HttpClient(Apache) { install(ContentNegotiation) { - json(kotlinxSerializer()) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } install(HttpTimeout) } } - - private fun kotlinxSerializer() = - Json { - ignoreUnknownKeys = true - } } diff --git a/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/tokenVerifier.kt b/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/tokenVerifier.kt index 960d5e9..bc20cfa 100644 
--- a/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/tokenVerifier.kt +++ b/tokenx-validation/src/main/kotlin/no/nav/tms/token/support/tokenx/validation/install/tokenVerifier.kt @@ -6,13 +6,13 @@ import com.auth0.jwt.JWT import com.auth0.jwt.algorithms.Algorithm import com.auth0.jwt.interfaces.DecodedJWT import com.auth0.jwt.interfaces.JWTVerifier +import com.fasterxml.jackson.annotation.JsonAlias import io.ktor.client.* import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* import kotlinx.coroutines.runBlocking -import kotlinx.serialization.SerialName -import kotlinx.serialization.Serializable +import no.nav.tms.token.support.tokenx.validation.TokenXEnvironment import java.net.URL import java.security.interfaces.RSAPublicKey import java.util.concurrent.TimeUnit @@ -73,12 +73,11 @@ internal class TokenVerifier( } } -@Serializable internal data class OauthServerConfigurationMetadata( - @SerialName("issuer") val issuer: String, - @SerialName("token_endpoint") val tokenEndpoint: String, - @SerialName("jwks_uri") val jwksUri: String, - @SerialName("authorization_endpoint") var authorizationEndpoint: String = "" + @JsonAlias("issuer") val issuer: String, + @JsonAlias("token_endpoint") val tokenEndpoint: String, + @JsonAlias("jwks_uri") val jwksUri: String, + @JsonAlias("authorization_endpoint") var authorizationEndpoint: String = "" ) private fun fetchMetadata(httpClient: HttpClient, wellKnownUrl: String): OauthServerConfigurationMetadata = runBlocking { @@ -97,7 +96,5 @@ internal object JwkProviderBuilder { .build() } -private fun getTokenxEnvVar(varName: String): String { - return System.getenv(varName) - ?: throw IllegalArgumentException("Fant ikke $varName for tokenx. Påse at nais.yaml er konfigurert riktig.") -} +private fun getTokenxEnvVar(varName: String) = TokenXEnvironment.get(varName) + ?: throw IllegalArgumentException("Fant ikke $varName for tokenx. Påse at nais.yaml er konfigurert riktig.") 
diff --git a/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/ObjectMapper.kt b/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/ObjectMapper.kt deleted file mode 100644 index df9fcc2..0000000 --- a/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/ObjectMapper.kt +++ /dev/null @@ -1,9 +0,0 @@ -package no.nav.tms.token.support.tokenx.validation - -import kotlinx.serialization.json.Json - -internal object ObjectMapper { - val kotlinxMapper = Json { - ignoreUnknownKeys = true - } -} diff --git a/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXAuthIT.kt b/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXAuthIT.kt index 5c72482..df81f45 100644 --- a/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXAuthIT.kt +++ b/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/TokenXAuthIT.kt @@ -1,7 +1,7 @@ package no.nav.tms.token.support.tokenx.validation -import io.kotest.extensions.system.withEnvironment +import io.kotest.matchers.shouldBe import io.ktor.client.call.* import io.ktor.client.request.* import io.ktor.http.* @@ -18,7 +18,6 @@ import no.nav.tms.token.support.tokenx.validation.LevelOfAssurance.SUBSTANTIAL import no.nav.tms.token.support.tokenx.validation.install.HttpClientBuilder import no.nav.tms.token.support.tokenx.validation.install.IdPortenLevelOfAssurance.* import no.nav.tms.token.support.tokenx.validation.install.JwkProviderBuilder -import org.amshove.kluent.`should be equal to` import org.junit.jupiter.api.AfterEach import org.junit.jupiter.api.BeforeEach import org.junit.jupiter.api.Test @@ -48,6 +47,7 @@ internal class TokenXAuthIT { @AfterEach fun cleanUp() { + TokenXEnvironment.reset() unmockkObject(HttpClientBuilder) unmockkObject(JwkProviderBuilder) } 
@@ -61,8 +61,8 @@ internal class TokenXAuthIT { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "No bearer token found." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "No bearer token found." } @Test @@ -76,8 +76,8 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer ") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -93,7 +93,7 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @@ -110,7 +110,7 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test @@ -127,7 +127,7 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer othertoken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test @@ -144,7 +144,7 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.OK + response.status shouldBe HttpStatusCode.OK } @Test @@ -161,7 +161,7 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } @Test 
@@ -179,8 +179,8 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -198,8 +198,8 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -217,8 +217,8 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "Invalid or expired token." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "Invalid or expired token." } @Test @@ -234,7 +234,7 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $bearerToken") } - response.status `should be equal to` HttpStatusCode.Unauthorized + response.status shouldBe HttpStatusCode.Unauthorized } @Test @@ -261,10 +261,10 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $level3Token") } - loaHighResponse.status `should be equal to` HttpStatusCode.OK - level4Response.status `should be equal to` HttpStatusCode.OK - loaLowResponse.status `should be equal to` HttpStatusCode.Unauthorized - level3Response.status `should be equal to` HttpStatusCode.Unauthorized + loaHighResponse.status shouldBe HttpStatusCode.OK + level4Response.status shouldBe HttpStatusCode.OK + loaLowResponse.status shouldBe HttpStatusCode.Unauthorized + level3Response.status shouldBe HttpStatusCode.Unauthorized } @Test 
@@ -283,8 +283,8 @@ internal class TokenXAuthIT { headers.append(HttpHeaders.Authorization, "Bearer $level3Token") } - loaLowResponse.status `should be equal to` HttpStatusCode.OK - level3Response.status `should be equal to` HttpStatusCode.OK + loaLowResponse.status shouldBe HttpStatusCode.OK + level3Response.status shouldBe HttpStatusCode.OK } @Test @@ -296,27 +296,28 @@ internal class TokenXAuthIT { val response = client.get("/test") - response.status `should be equal to` HttpStatusCode.Unauthorized - response.body() `should be equal to` "No bearer token found." + response.status shouldBe HttpStatusCode.Unauthorized + response.body() shouldBe "No bearer token found." } @Test fun `Allows verifying different apis with different configurations`() = testApplication { + TokenXEnvironment.extend(envVars) + application { - withEnvironment(envVars) { - authentication { - tokenX { - setAsDefault = true - levelOfAssurance = HIGH - } - tokenX { - setAsDefault = false - authenticatorName = "substantial" - levelOfAssurance = SUBSTANTIAL - } + authentication { + tokenX { + setAsDefault = true + levelOfAssurance = HIGH + } + tokenX { + setAsDefault = false + authenticatorName = "substantial" + levelOfAssurance = SUBSTANTIAL } } + routing { authenticate { get("/test/one") { @@ -335,14 +336,16 @@ internal class TokenXAuthIT { client.get("/test/one") { headers.append(HttpHeaders.Authorization, "Bearer $loaSubstantialToken") - }.status `should be equal to` HttpStatusCode.Unauthorized + }.status shouldBe HttpStatusCode.Unauthorized client.get("/test/two") { headers.append(HttpHeaders.Authorization, "Bearer $loaSubstantialToken") - }.status `should be equal to` HttpStatusCode.OK + }.status shouldBe HttpStatusCode.OK } - private fun Application.testApi(minLoa: LevelOfAssurance? = null) = withEnvironment(envVars) { + private fun Application.testApi(minLoa: LevelOfAssurance? = null) { + + TokenXEnvironment.extend(envVars) authentication{ tokenX { 
@@ -361,7 +364,9 @@ internal class TokenXAuthIT { } } - private fun Application.testApiWithDefault() = withEnvironment(envVars) { + private fun Application.testApiWithDefault() { + + TokenXEnvironment.extend(envVars) authentication { tokenX { diff --git a/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mockedClient.kt b/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mockedClient.kt index 264756e..729f6e9 100644 --- a/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mockedClient.kt +++ b/tokenx-validation/src/test/kotlin/no/nav/tms/token/support/tokenx/validation/mockedClient.kt @@ -1,20 +1,22 @@ package no.nav.tms.token.support.tokenx.validation +import com.fasterxml.jackson.databind.DeserializationFeature +import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper import io.ktor.client.* import io.ktor.client.engine.mock.* import io.ktor.client.plugins.contentnegotiation.* import io.ktor.http.* import io.ktor.http.HttpStatusCode.Companion.OK -import io.ktor.serialization.kotlinx.json.* -import kotlinx.serialization.encodeToString -import no.nav.tms.token.support.tokenx.validation.ObjectMapper.kotlinxMapper +import io.ktor.serialization.jackson.* import no.nav.tms.token.support.tokenx.validation.install.OauthServerConfigurationMetadata internal fun createMockedMockedClient() = HttpClient(MockEngine) { install(ContentNegotiation) { - json(kotlinxMapper) + jackson { + configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false) + } } engine { @@ -38,7 +40,7 @@ internal val idportenMetadata = OauthServerConfigurationMetadata( ) private val metadataJson: String = idportenMetadata.let { metadata -> - kotlinxMapper.encodeToString(metadata) + jacksonObjectMapper().writeValueAsString(metadata) } private val Url.hostWithPortIfRequired: String get() = if (port == protocol.defaultPort) host else hostWithPort