UNPKG

@microsoft/windows-admin-center-sdk

Version:

Microsoft - Windows Admin Center Shell

792 lines (789 loc) 40.1 kB
import { from, of, Subject, throwError } from 'rxjs'; import { filter, map, mergeMap, take } from 'rxjs/operators'; import { ErrorExtended } from '../data/error-extended'; import { Logging } from '../diagnostics/logging'; import { RpcCredSSPOperationResultMember, RpcCredSSPOperationType, RpcCredSspResponseKey } from '../rpc/credssp/rpc-credssp-model'; import { RpcCredSspRequestClient } from '../rpc/credssp/rpc-credssp-request-client'; import { GatewayInstallationType } from '../shared/gateway-inventory/gateway-inventory'; import { GatewayInventoryCache } from '../shared/gateway-inventory/gateway-inventory-cache'; /** * CredSPP Manager class. Handles detecting and configuring CredSSP on a set of servers. */ export class CredSSPManager { rpc; strings = MsftSme.getStrings().MsftSmeShell.Core.CredSSPManager; watcher; gatewayInventoryCache; /** * Initializes a new instance of the Authorization Manager class. * * @param rpc The rpc to forward auth requests to a parent window */ constructor(rpc) { this.rpc = rpc; this.watcher = new Subject(); } initialize(appContext) { // When in Shell do not register. if (!this.rpc.isShell) { this.rpc.register(RpcCredSspResponseKey.command, this.onRpcResponse.bind(this)); } this.gatewayInventoryCache = new GatewayInventoryCache(appContext); } /** * New Enable CredSSP on the passed in server. * * @param serverName This server on which CredSSP should be enabled * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored */ wsmanEnableManagedServer(serverName, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (MsftSme.isNullOrWhiteSpace(serverName)) { throw new Error('A server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.EnableManagedServer, serverNames: [serverName], notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Succeeded); } /** * New Disable CredSSP for the passed in server. * * @param serverName This server on which CredSSP should be disabled * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored */ wsmanDisableManagedServer(serverName, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (MsftSme.isNullOrWhiteSpace(serverName)) { throw new Error('A server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.DisableManagedServer, serverNames: [serverName], notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Succeeded); } /** * New Enable CredSSP client role for the gateway and delegate to the list of servers. * * @param serverNames This list of servers where CredSSP should be enabled. * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored */ wsmanEnableClientRole(serverNames, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.EnableClientRole, serverNames: serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Succeeded); } /** * New Disable CredSSP client role for the gateway and remove all delegated servers. * * @param serverNames This list of servers where CredSSP should be disabled * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored */ wsmanDisableClientRole(serverNames, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.DisableClientRole, serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Succeeded); } /** * @deprecated * Use tryGatewayLocalPowershellConfig instead which will only enable CredSSP when the gateway is making * a double hop to a remote node. This method will enable CredSSP every time, even in cases where * it is not needed. * * New Enable the server as a CredSSP server, and enable the gateway as a CredSSP client of the server. * * @param serverName The server where CredSSP delegation should be enabled * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored */ wsmanEnableDelegation(serverName, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (MsftSme.isNullOrWhiteSpace(serverName)) { throw new Error('The server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.EnableDelegation, serverNames: [serverName], notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Succeeded); } /** * Check to see if given servers contain the gateway machine. If not, enable CredSSP on index 0 of serverNames, * otherwise, do nothing. * * Note: Will only check if local runspace can be used if msft.sme.shell.localRunspace experiment key is set * or gateway is running as WAC in Portal. Otherwise will fall back to calling {@link wsmanEnableDelegation}. * This is because old installs of WAC do not have the necessary shell RPC endpoint or PowerShell API functionality. * * @param serverNames String array of server names to check for a match with the gateway server name. * If not found, CredSSP will be enabled between the gateway machine and the server name at index 0. * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored. * @returns GatewayLocalPowerShellConfig object if success. * @throws If call is made from shell, serverNames is empty or contains empty values, or unable to enable CredSSP. */ tryGatewayLocalPowerShellConfig(serverNames, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (serverNames.length === 0 || serverNames.some(serverName => MsftSme.isNullOrWhiteSpace(serverName))) { throw new Error('The server name(s) must be provided.'); } if (MsftSme.isExperimentEnabled('localRunspace', true)) { return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.TryGatewayLocalPowerShellConfig, serverNames: serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Data); } return this.gatewayInventoryCache.query({}).pipe(take(1), mergeMap(inventory => { if (inventory.instance.installationType === GatewayInstallationType.AzureVmExtension) { return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.TryGatewayLocalPowerShellConfig, serverNames: serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Data); } // Fallback to using the old, deprecated wsmanEnableDelegation method if user is running an old version of WAC. // Uses index 0 because if serverNames does not contain the gateway machine, the given name(s) should all be able to // delegate credentials (by receiving the) in a double hop scenario. return this.wsmanEnableDelegation(serverNames[0], verbose).pipe(map(response => { if (!response) { throw new Error(this.strings.TryGatewayLocalPowerShellConfigNotConfirmed.error); } const data = { configuredServerConnectionString: serverNames[0], powerShellOptions: { authenticationMechanism: 'Credssp' } }; return data; })); })); } /** * Test WSMan CredSSP connection from gateway to server(s) * * @param serverNames the servers to test connection to from gateway * @param credentials explicit credentials(username and password) to be used to WSMan CredSSP test * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored * @returns true if we can safely connect to all server without isssues otherwise returns false */ testCredSSP(serverNames, credentials, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames.length || serverNames.some(serverName => MsftSme.isNullOrWhiteSpace(serverName))) { throw new Error('The server name(s) must be provided.'); } if (!credentials || !credentials.username || !credentials.password) { throw new Error('Username and password must be provided in the options.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.TestCredSSP, serverNames: serverNames, credentials, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.Succeeded); } /** * Get the CredSSP client role configuration of the gateway, including: * 1. Client role of gateway to delegate fresh credentials * 2. Which servers can be delegated fresh credentials * * @param serverNames The list of servers to check credential delegation status * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored * @returns ClientRoleConfiguration object of the gateway client role configuration */ wsmanGetClientConfigurationOnGateway(serverNames, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.ConfirmClientConfiguration, serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.ConfigurationStatus).pipe(map(response => response.client)); } /** * Get the CredSSP server role configuration of the server. * * @param serverName The server to get the CredSSP configuration * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored * @returns ServerRoleConfiguration object of the managed server server role configuration */ wsmanGetManagedServerConfiguration(serverNames, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.ConfirmManagedServerConfiguration, serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.ConfigurationStatus).pipe(map(response => response.servers)); } /** * Get the CredSSP delegation configuration, including: * 1. Client role of gateway to delegate fresh credentials * 2. Which servers can be delegated fresh credentials * 3. Server roles of each servers * * @param serverNames The list of servers to check credential delegation from gateway and to check server role status * @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored * @returns ConfigurationData object of the client and server role configuation */ wsmanGetDelegationConfiguration(serverNames, verbose = false) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.ConfirmDelegation, serverNames, notificationTitle: null, notificationId: null }, verbose, RpcCredSSPOperationResultMember.ConfigurationStatus); } /** * @deprecated * Notification message wouldn't be displayed from this call. Display the notification by own code, * and use wsmanEnableManagedServer instead. * * Enable CredSSP on the passed in server. * * @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service * @param serverName This server on which CredSSP should be enabled * @param alertId Optional notification Id */ enableManagedServer(alertTitle, serverName, alertId) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (MsftSme.isNullOrWhiteSpace(serverName)) { throw new Error('A server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.EnableManagedServer, serverNames: [serverName], notificationTitle: alertTitle, notificationId: alertId }, false, RpcCredSSPOperationResultMember.Succeeded); } /** * @deprecated * Notification message wouldn't be displayed from this call. Display the notification by own code, * and use wsmanDisableManagedServer instead. * * Disable CredSSP for the passed in server. * * @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service * @param serverName This server on which CredSSP should be disabled * @param alertId Optional notification Id */ disableManagedServer(alertTitle, serverName, alertId) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (MsftSme.isNullOrWhiteSpace(serverName)) { throw new Error('A server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.DisableManagedServer, serverNames: [serverName], notificationTitle: alertTitle, notificationId: alertId }, false, RpcCredSSPOperationResultMember.Succeeded); } /** * @deprecated * Notification message wouldn't be displayed from this call. Display the notification by own code, * and use wsmanEnableClientRole instead. * * Enable CredSSP client role for the gateway and delegate to the list of servers. * * @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service * @param serverNames This list of servers where CredSSP should be enabled. * @param alertId Optional notification Id */ enableClientRole(alertTitle, serverNames, alertId) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.EnableClientRole, serverNames: serverNames, notificationTitle: alertTitle, notificationId: alertId }, false, RpcCredSSPOperationResultMember.Succeeded); } /** * @deprecated * Notification message wouldn't be displayed from this call. Display the notification by own code, * and use wsmanDisableClientRole instead. * * Disable CredSSP client role for the gateway and remove all delegated servers. * * @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service * @param serverNames This list of servers where CredSSP should be disabled. * @param alertId Optional notification Id */ disableClientRole(alertTitle, serverNames, alertId) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (!serverNames || serverNames.length < 1) { throw new Error('At least one server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.DisableClientRole, serverNames, notificationTitle: alertTitle, notificationId: alertId }, false, RpcCredSSPOperationResultMember.Succeeded); } /** * @deprecated * Notification message wouldn't be displayed from this call. Display the notification by own code, * and use wsmanEnableDelegation instead. * * Enable the server as a CredSSP server, and enable the gateway as a CredSSP client of the server. * * @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service * @param serverName The sever where CredSSP delegation should be enabled. * @param alertId Optional notification Id */ enableDelegation(alertTitle, serverName, alertId) { if (this.rpc.isShell) { throw new Error('Not supported on the shell environment.'); } if (MsftSme.isNullOrWhiteSpace(serverName)) { throw new Error('The server name must be provided.'); } return this.sendRequest({ requestId: MsftSme.getUniqueId(), operation: RpcCredSSPOperationType.EnableDelegation, serverNames: [serverName], notificationTitle: alertTitle, notificationId: alertId }, false, RpcCredSSPOperationResultMember.Succeeded); } /** * @deprecated * This method is obsolete! * * Disable the server as a CredSSP server, and disable the gateway as a CredSSP client of the server. * * @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service * @param serverName The sever where CredSSP delegation should be disabled. * @param alertId Optional notification Id */ disableDelegation() { return of(true); } /** * The RPC request to the CredSSPManagerShellService. * @param request The requested CredSSP manager operation * @param verbose Specify whether a solution (if any) should be returned if CredSSP errored * @param returnProperty The property of the RPC result object to return */ sendRequest(request, verbose, returnProperty) { Logging.logDebug('CredSSPManager', 'Sending request to CredSSPManagerService. Request:{0}'.format(JSON.stringify(request))); return from(RpcCredSspRequestClient.credSspRequest(this.rpc, request)) .pipe(mergeMap(() => this.watcher), filter(result => result.requestId === request.requestId), take(1), mergeMap(result => { // shell reports 'error' property originated from the CredSSP operation. // the client using this API should get this error message to display to user. if (result.error) { if (verbose) { const error = new ErrorExtended(result.error); error.extendedSource = `${request.operation}-credSSPError`; error.extended = { solutionMessage: result.solutionMessage }; return throwError(() => error); } else { return throwError(() => new Error(result.error)); } } return of(result[returnProperty]); })); } /** * Process the RPC response from the CredSSPManagerShellService. * @param data The requested CredSSP manager operation result. */ onRpcResponse(data) { Logging.logDebug('CredSSPManager', 'Processing response from CredSSPManagerService Response:{0}'.format(JSON.stringify(data))); this.watcher.next(data); return Promise.resolve(); } } //# sourceMappingURL=credssp-manager.js.map // SIG // Begin signature block // SIG // MIIoKwYJKoZIhvcNAQcCoIIoHDCCKBgCAQExDzANBglg // SIG // hkgBZQMEAgEFADB3BgorBgEEAYI3AgEEoGkwZzAyBgor // SIG // BgEEAYI3AgEeMCQCAQEEEBDgyQbOONQRoqMAEEvTUJAC // SIG // AQACAQACAQACAQACAQAwMTANBglghkgBZQMEAgEFAAQg // SIG // Lg+uG34BuJMC9q27lSkO7rgAQnl64b9QIgRdVLrV8Y6g // SIG // gg12MIIF9DCCA9ygAwIBAgITMwAABARsdAb/VysncgAA // SIG // AAAEBDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV // SIG // UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH // SIG // UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv // SIG // cmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBT // SIG // aWduaW5nIFBDQSAyMDExMB4XDTI0MDkxMjIwMTExNFoX // SIG // DTI1MDkxMTIwMTExNFowdDELMAkGA1UEBhMCVVMxEzAR // SIG // BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v // SIG // bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv // SIG // bjEeMBwGA1UEAxMVTWljcm9zb2Z0IENvcnBvcmF0aW9u // SIG // MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA // SIG // tCg32mOdDA6rBBnZSMwxwXegqiDEUFlvQH9Sxww07hY3 // SIG // w7L52tJxLg0mCZjcszQddI6W4NJYb5E9QM319kyyE0l8 // SIG // EvA/pgcxgljDP8E6XIlgVf6W40ms286Cr0azaA1f7vaJ // SIG // jjNhGsMqOSSSXTZDNnfKs5ENG0bkXeB2q5hrp0qLsm/T // SIG // WO3oFjeROZVHN2tgETswHR3WKTm6QjnXgGNj+V6rSZJO // SIG // /WkTqc8NesAo3Up/KjMwgc0e67x9llZLxRyyMWUBE9co // SIG // T2+pUZqYAUDZ84nR1djnMY3PMDYiA84Gw5JpceeED38O // SIG // 0cEIvKdX8uG8oQa047+evMfDRr94MG9EWwIDAQABo4IB // SIG // czCCAW8wHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYB // SIG // BQUHAwMwHQYDVR0OBBYEFPIboTWxEw1PmVpZS+AzTDwo // SIG // oxFOMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQLExVNaWNy // SIG // b3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAx // SIG // Mis1MDI5MjMwHwYDVR0jBBgwFoAUSG5k5VAF04KqFzc3 // SIG // IrVtqMp1ApUwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDov // SIG // L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWlj // SIG // Q29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNybDBhBggr // SIG // BgEFBQcBAQRVMFMwUQYIKwYBBQUHMAKGRWh0dHA6Ly93 // SIG // d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWlj // SIG // Q29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNydDAMBgNV // SIG // HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCI5g/S // SIG // KUFb3wdUHob6Qhnu0Hk0JCkO4925gzI8EqhS+K4umnvS // SIG // BU3acsJ+bJprUiMimA59/5x7WhJ9F9TQYy+aD9AYwMtb // SIG // KsQ/rst+QflfML+Rq8YTAyT/JdkIy7R/1IJUkyIS6srf // SIG // G1AKlX8n6YeAjjEb8MI07wobQp1F1wArgl2B1mpTqHND // SIG // lNqBjfpjySCScWjUHNbIwbDGxiFr93JoEh5AhJqzL+8m // SIG // onaXj7elfsjzIpPnl8NyH2eXjTojYC9a2c4EiX0571Ko // SIG // mhENF3RtR25A7/X7+gk6upuE8tyMy4sBkl2MUSF08U+E // SIG // 2LOVcR8trhYxV1lUi9CdgEU2CxODspdcFwxdT1+G8YNc // SIG // gzHyjx3BNSI4nOZcdSnStUpGhCXbaOIXfvtOSfQX/UwJ // SIG // oruhCugvTnub0Wna6CQiturglCOMyIy/6hu5rMFvqk9A // SIG // ltIJ0fSR5FwljW6PHHDJNbCWrZkaEgIn24M2mG1M/Ppb // SIG // /iF8uRhbgJi5zWxo2nAdyDBqWvpWxYIoee/3yIWpquVY // SIG // cYGhJp/1I1sq/nD4gBVrk1SKX7Do2xAMMO+cFETTNSJq // SIG // fTSSsntTtuBLKRB5mw5qglHKuzapDiiBuD1Zt4QwxA/1 // SIG // kKcyQ5L7uBayG78kxlVNNbyrIOFH3HYmdH0Pv1dIX/Mq // SIG // 7avQpAfIiLpOWwcbjzCCB3owggVioAMCAQICCmEOkNIA // SIG // AAAAAAMwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYT // SIG // AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH // SIG // EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y // SIG // cG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290 // SIG // IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDExMB4XDTEx // SIG // MDcwODIwNTkwOVoXDTI2MDcwODIxMDkwOVowfjELMAkG // SIG // A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO // SIG // BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m // SIG // dCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9zb2Z0 // SIG // IENvZGUgU2lnbmluZyBQQ0EgMjAxMTCCAiIwDQYJKoZI // SIG // hvcNAQEBBQADggIPADCCAgoCggIBAKvw+nIQHC6t2G6q // SIG // ghBNNLrytlghn0IbKmvpWlCquAY4GgRJun/DDB7dN2vG // SIG // EtgL8DjCmQawyDnVARQxQtOJDXlkh36UYCRsr55JnOlo // SIG // XtLfm1OyCizDr9mpK656Ca/XllnKYBoF6WZ26DJSJhIv // SIG // 56sIUM+zRLdd2MQuA3WraPPLbfM6XKEW9Ea64DhkrG5k // SIG // NXimoGMPLdNAk/jj3gcN1Vx5pUkp5w2+oBN3vpQ97/vj // SIG // K1oQH01WKKJ6cuASOrdJXtjt7UORg9l7snuGG9k+sYxd // SIG // 6IlPhBryoS9Z5JA7La4zWMW3Pv4y07MDPbGyr5I4ftKd // SIG // gCz1TlaRITUlwzluZH9TupwPrRkjhMv0ugOGjfdf8NBS // SIG // v4yUh7zAIXQlXxgotswnKDglmDlKNs98sZKuHCOnqWbs // SIG // YR9q4ShJnV+I4iVd0yFLPlLEtVc/JAPw0XpbL9Uj43Bd // SIG // D1FGd7P4AOG8rAKCX9vAFbO9G9RVS+c5oQ/pI0m8GLhE // SIG // fEXkwcNyeuBy5yTfv0aZxe/CHFfbg43sTUkwp6uO3+xb // SIG // n6/83bBm4sGXgXvt1u1L50kppxMopqd9Z4DmimJ4X7Iv // SIG // hNdXnFy/dygo8e1twyiPLI9AN0/B4YVEicQJTMXUpUMv // SIG // dJX3bvh4IFgsE11glZo+TzOE2rCIF96eTvSWsLxGoGyY // SIG // 0uDWiIwLAgMBAAGjggHtMIIB6TAQBgkrBgEEAYI3FQEE // SIG // AwIBADAdBgNVHQ4EFgQUSG5k5VAF04KqFzc3IrVtqMp1 // SIG // ApUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYD // SIG // VR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j // SIG // BBgwFoAUci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0f // SIG // BFMwUTBPoE2gS4ZJaHR0cDovL2NybC5taWNyb3NvZnQu // SIG // Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0 // SIG // MjAxMV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRS // SIG // MFAwTgYIKwYBBQUHMAKGQmh0dHA6Ly93d3cubWljcm9z // SIG // b2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx // SIG // MV8yMDExXzAzXzIyLmNydDCBnwYDVR0gBIGXMIGUMIGR // SIG // BgkrBgEEAYI3LgMwgYMwPwYIKwYBBQUHAgEWM2h0dHA6 // SIG // Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvZG9jcy9w // SIG // cmltYXJ5Y3BzLmh0bTBABggrBgEFBQcCAjA0HjIgHQBM // SIG // AGUAZwBhAGwAXwBwAG8AbABpAGMAeQBfAHMAdABhAHQA // SIG // ZQBtAGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEA // SIG // Z/KGpZjgVHkaLtPYdGcimwuWEeFjkplCln3SeQyQwWVf // SIG // Liw++MNy0W2D/r4/6ArKO79HqaPzadtjvyI1pZddZYSQ // SIG // fYtGUFXYDJJ80hpLHPM8QotS0LD9a+M+By4pm+Y9G6XU // SIG // tR13lDni6WTJRD14eiPzE32mkHSDjfTLJgJGKsKKELuk // SIG // qQUMm+1o+mgulaAqPyprWEljHwlpblqYluSD9MCP80Yr // SIG // 3vw70L01724lruWvJ+3Q3fMOr5kol5hNDj0L8giJ1h/D // SIG // Mhji8MUtzluetEk5CsYKwsatruWy2dsViFFFWDgycSca // SIG // f7H0J/jeLDogaZiyWYlobm+nt3TDQAUGpgEqKD6CPxNN // SIG // ZgvAs0314Y9/HG8VfUWnduVAKmWjw11SYobDHWM2l4bf // SIG // 2vP48hahmifhzaWX0O5dY0HjWwechz4GdwbRBrF1HxS+ // SIG // YWG18NzGGwS+30HHDiju3mUv7Jf2oVyW2ADWoUa9WfOX // SIG // pQlLSBCZgB/QACnFsZulP0V3HjXG0qKin3p6IvpIlR+r // SIG // +0cjgPWe+L9rt0uX4ut1eBrs6jeZeRhL/9azI2h15q/6 // SIG // /IvrC4DqaTuv/DDtBEyO3991bWORPdGdVk5Pv4BXIqF4 // SIG // ETIheu9BCrE/+6jMpF3BoYibV3FWTkhFwELJm3ZbCoBI // SIG // a/15n8G9bW1qyVJzEw16UM0xghoNMIIaCQIBATCBlTB+ // SIG // MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv // SIG // bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj // SIG // cm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNy // SIG // b3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExAhMzAAAE // SIG // BGx0Bv9XKydyAAAAAAQEMA0GCWCGSAFlAwQCAQUAoIGu // SIG // MBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisG // SIG // AQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3 // SIG // DQEJBDEiBCBfkIItjBVy2W9LCFv9fdDacE0A+4LnVfJ5 // SIG // 8kRJrhQSUjBCBgorBgEEAYI3AgEMMTQwMqAUgBIATQBp // SIG // AGMAcgBvAHMAbwBmAHShGoAYaHR0cDovL3d3dy5taWNy // SIG // b3NvZnQuY29tMA0GCSqGSIb3DQEBAQUABIIBAEmaK4MS // SIG // dj+bnVgNCFZR0R23upl4VoGmxJKBSZ0FK+rw9zO6a4mj // SIG // gX0wqmuzx3S/pcM3UgV3aI2/nyivDruAVVczxXBw1E/6 // SIG // unZ1zOIW1Xbx93l+XQlOFW8B8F0j6JtnrhcMtuLolJhH // SIG // NpLYfZxxz95xKs0JTRUnH+KGf7reewUPy2G1itXMn8Bp // SIG // TK+75X8pN4YdXrz58zYsS2MT3seJ6ErYHT31xGU6SU4a // SIG // GV1SWYAiLByMeSIZ7g67Thd3AuZXXNSlwEYlSKeZb854 // SIG // Mr+Wrt/fG4yqzMo4hQGCpzTKq19xrs29ZZ7uiJQivgWn // SIG // hmaLbjmBz9dzYmMWxuoDG85aFYyhgheXMIIXkwYKKwYB // SIG // BAGCNwMDATGCF4Mwghd/BgkqhkiG9w0BBwKgghdwMIIX // SIG // bAIBAzEPMA0GCWCGSAFlAwQCAQUAMIIBUgYLKoZIhvcN // SIG // AQkQAQSgggFBBIIBPTCCATkCAQEGCisGAQQBhFkKAwEw // SIG // MTANBglghkgBZQMEAgEFAAQg8BJI99Fpw6BEJNcD89al // SIG // eWvx0261MUMMy3oaATO3DYECBmeuM89AURgTMjAyNTAy // SIG // MjAxNTI4MzIuMTU4WjAEgAIB9KCB0aSBzjCByzELMAkG // SIG // A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO // SIG // BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m // SIG // dCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0 // SIG // IEFtZXJpY2EgT3BlcmF0aW9uczEnMCUGA1UECxMeblNo // SIG // aWVsZCBUU1MgRVNOOkUwMDItMDVFMC1EOTQ3MSUwIwYD // SIG // VQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl // SIG // oIIR7TCCByAwggUIoAMCAQICEzMAAAHuBdMCMLKanacA // SIG // AQAAAe4wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMC // SIG // VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT // SIG // B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw // SIG // b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt // SIG // U3RhbXAgUENBIDIwMTAwHhcNMjMxMjA2MTg0NTQ0WhcN // SIG // MjUwMzA1MTg0NTQ0WjCByzELMAkGA1UEBhMCVVMxEzAR // SIG // BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v // SIG // bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv // SIG // bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3Bl // SIG // cmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNO // SIG // OkUwMDItMDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3Nv // SIG // ZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG // SIG // 9w0BAQEFAAOCAg8AMIICCgKCAgEAvvG8pdeihImvMSku // SIG // L1S+0RDjkey82Ai1xLVoHqsjlZa87hM/gKAmuLQRhEo2 // SIG // x01xAnjDsD/Uz3imimpX01OV0ho6SYaRsefX8TCaE2Fj // SIG // 88w9DtkQJcgZjgQZoiw10Q0CS9UbbgI7woi7pVUHojyP // SIG // Fe/h4U0d/dU2wtW3kscF33SiamNaJ4w2sKgyQJrcLAP4 // SIG // Jql4B8BfX2VnMCkrl4mQU21OX3Jt24YZUTcOXdOC3deW // SIG // Vs1Zf1Q6f4kXqxqNiLP9FsJ/2t3hjnR6738CG35OpVas // SIG // GzUBNdTnnZ9rr0YylhMHq1y+9Drg2fLy88a8tMhHb0PJ // SIG // MvlX6vJnxF0vdO2O6zfx2F+nArAtrKMlxtzsArSwO6NP // SIG // /pCiWbjqw+R1K0s95H6oA5Zlsuu8/GWT45IgwtXWFtYz // SIG // e+7eYkpeVqdRygaeyVPEYkSPr2NotXG+V9kRJMN1qzVv // SIG // 426H1xLPbeG4HfslPLICp/TLVZ0OubOkBu9jP8mlGRth // SIG // zCN9bZvZqKB9vbzwTvYwzDiLtC8M1E5CFn5YHf7xFn0z // SIG // XD1hEI+37FrkqFbid7gasDZkUqZkA80nzGiM7srNKb1d // SIG // YxVqrasMAnGmP1l7G/2sZMQf8wk3R0gVCfE5t4uDzPbJ // SIG // Irp12PnEqh+fI1pKR22ywNzn7LO3viWzIypk3XI5kpG+ // SIG // aDfKlNcCAwEAAaOCAUkwggFFMB0GA1UdDgQWBBQQiM0/ // SIG // GtncIJ69+8Xftr9f3HamCDAfBgNVHSMEGDAWgBSfpxVd // SIG // AF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQ // SIG // hk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3Bz // SIG // L2NybC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENB // SIG // JTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwG // SIG // CCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j // SIG // b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUt // SIG // U3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB // SIG // Af8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4G // SIG // A1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEA // SIG // d2cgL2thCjlklaQZ2JM1/H/BmY2jrOe+xfaNeAJ4fZSs // SIG // urUt+MF6D1xMkKdb9YiO6yc2VRu66VM52stp/XLH596e // SIG // su5GJB6rUroAhpk4ogZMIRX0gcijyNPDJJYLybyk2W+u // SIG // 98hn6RcD40MGXiOhD4/zgLaWJE+yFF6jJItQkTCSoHmO // SIG // MFEQnHCLo3VkZKFb+Cd6v/OyhNKj0JgEfX6jDcYyN2Qp // SIG // VcQOMIjN7TVZUWxfUoKTp41aNz/yOafCXeNYTUlQsf/I // SIG // 96jO2i0irQ8zhFDbPmbY4c55mYFHe/wFhw4cAR3S+e0y // SIG // PYe54mZHzmTl53GLCsRuIK8k7IVOhurAGKW6nTBP/v4N // SIG // bnq+1RiB1LS6t1tAJ5vJQH0vT6rYbJGbeeCRdvAh3bBa // SIG // v+11QbRZcS/yoHEMpSTZ4mvmp4sVButMlA7dxTBkiSN+ // SIG // MRvTR7M9waaklrnhrSYUOWTdCvI7tLzVYBfg79ObIqz4 // SIG // NH7Uin/RVRAqfd6PKIBePI4fAk/wd9pc9Q+k67pOBM3M // SIG // OxNTobTjH+wx4DzFn+ljnWJ3/h2kice2U1wibFuaDpDN // SIG // LC4rcQaUqRnI9mI5zc5wqbBD2WrdIfune7pUWlkeURwF // SIG // MhRUPY0WuylmjRnRC07Ppx0pWI2HkKSuUEl44oHSpS0D // SIG // wZV/vczqBgCYaGX66Y6uJ0AwggdxMIIFWaADAgECAhMz // SIG // AAAAFcXna54Cm0mZAAAAAAAVMA0GCSqGSIb3DQEBCwUA // SIG // MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu // SIG // Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV // SIG // TWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylN // SIG // aWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp // SIG // dHkgMjAxMDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAx // SIG // ODMyMjVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX // SIG // YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD // SIG // VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV // SIG // BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw // SIG // MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA // SIG // 5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1 // SIG // V/YBf2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64NmeF // SIG // RiMMtY0Tz3cywBAY6GB9alKDRLemjkZrBxTzxXb1hlDc // SIG // wUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmvHaus // SIG // 9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl3GoPz130 // SIG // /o5Tz9bshVZN7928jaTjkY+yOSxRnOlwaQ3KNi1wjjHI // SIG // NSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3tpK56KTes // SIG // y+uDRedGbsoy1cCGMFxPLOJiss254o2I5JasAUq7vnGp // SIG // F1tnYN74kpEeHT39IM9zfUGaRnXNxF803RKJ1v2lIH1+ // SIG // /NmeRd+2ci/bfV+AutuqfjbsNkz2K26oElHovwUDo9Fz // SIG // pk03dJQcNIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNO // SIG // wTM5TI4CvEJoLhDqhFFG4tG9ahhaYQFzymeiXtcodgLi // SIG // Mxhy16cg8ML6EgrXY28MyTZki1ugpoMhXV8wdJGUlNi5 // SIG // UPkLiWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9Q // SIG // BXpsxREdcu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6H // SIG // XtqPnhZyacaue7e3PmriLq0CAwEAAaOCAd0wggHZMBIG // SIG // CSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYE // SIG // FCqnUv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQWBBSf // SIG // pxVdAF5iXYP05dJlpxtTNRnpcjBcBgNVHSAEVTBTMFEG // SIG // DCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRw // SIG // Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3Mv // SIG // UmVwb3NpdG9yeS5odG0wEwYDVR0lBAwwCgYIKwYBBQUH // SIG // AwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYD // SIG // VR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j // SIG // BBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0f // SIG // BE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQu // SIG // Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0 // SIG // XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBK // SIG // BggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQu // SIG // Y29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0w // SIG // Ni0yMy5jcnQwDQYJKoZIhvcNAQELBQADggIBAJ1Vffwq // SIG // reEsH2cBMSRb4Z5yS/ypb+pcFLY+TkdkeLEGk5c9MTO1 // SIG // OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpT // SIG // Td2YurYeeNg2LpypglYAA7AFvonoaeC6Ce5732pvvinL // SIG // btg/SHUB2RjebYIM9W0jVOR4U3UkV7ndn/OOPcbzaN9l // SIG // 9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3+SmJ // SIG // w7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWKNsIdw2Fz // SIG // Lixre24/LAl4FOmRsqlb30mjdAy87JGA0j3mSj5mO0+7 // SIG // hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSwethQ/gpY // SIG // 3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+c23Kjgm9swFX // SIG // SVRk2XPXfx5bRAGOWhmRaw2fpCjcZxkoJLo4S5pu+yFU // SIG // a2pFEUep8beuyOiJXk+d0tBMdrVXVAmxaQFEfnyhYWxz // SIG // /gq77EFmPWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/ // SIG // AsGConsXHRWJjXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1 // SIG // ZyvgDbjmjJnW4SLq8CdCPSWU5nR0W2rRnj7tfqAxM328 // SIG // y+l7vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEG // SIG // ahC0HVUzWLOhcGbyoYIDUDCCAjgCAQEwgfmhgdGkgc4w // SIG // gcsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n // SIG // dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN // SIG // aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p // SIG // Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJzAlBgNV // SIG // BAsTHm5TaGllbGQgVFNTIEVTTjpFMDAyLTA1RTAtRDk0 // SIG // NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg // SIG // U2VydmljZaIjCgEBMAcGBSsOAwIaAxUAiKOm1Tb35RcW // SIG // 1Fgg0N2GCsujvpOggYMwgYCkfjB8MQswCQYDVQQGEwJV // SIG // UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH // SIG // UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv // SIG // cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1T // SIG // dGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQsFAAIFAOth // SIG // Q4YwIhgPMjAyNTAyMjAwNjAwMzhaGA8yMDI1MDIyMTA2 // SIG // MDAzOFowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA62FD // SIG // hgIBADAKAgEAAgIOWwIB/zAHAgEAAgITLjAKAgUA62KV // SIG // BgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ // SIG // CgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqG // SIG // SIb3DQEBCwUAA4IBAQCJm5tqhfJNGnCU6pzufu7oSZKV // SIG // kv+qUT6NPmaIzZj91+DmimfBb0YmUjGNsZHYZ+ZZcsRX // SIG // kTw2s3ZNXOL4R4lwl1wsBp3LeZhHAaaHYdDY4fJAGy5F // SIG // RPOKH2123IGxiX7HVxJ9cpcgc8n5XjhyYVLDie2DU4E4 // SIG // k+SMqAXEkt9Y+mnPhbyFkwjij9kjLMnRozEem8SSrQNk // SIG // wpvhm3a1Nv33xw2xGJbO2QW++gn7WtZyN8hQytYCvPpE // SIG // HQwmlEpURvW+AE3UaWklCnpbF3IlBTmJNxYxkxl2EWZP // SIG // RJrr1zrZ3TOAUhcChoymljIQT2I5ozMrbqD0wP4/eS7q // SIG // mD5oCPXlMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMC // SIG // VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT // SIG // B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw // SIG // b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt // SIG // U3RhbXAgUENBIDIwMTACEzMAAAHuBdMCMLKanacAAQAA // SIG // Ae4wDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJ // SIG // AzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg // SIG // aoLhKT0fhBRHHTRaQzIjlxNCY08Qzeiw/zja4oaUoHMw // SIG // gfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCBPUHcU // SIG // lYX6vlXX/gz7PuRCJAc/aAkvzkH5R5FUYX4wITCBmDCB // SIG // gKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo // SIG // aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK // SIG // ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT // SIG // HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMz // SIG // AAAB7gXTAjCymp2nAAEAAAHuMCIEIL8alJrYHTS+brqa // SIG // XihIgQYMTOuyPr8/IrVb9C65hr9FMA0GCSqGSIb3DQEB // SIG // CwUABIICAKg6QV34HtQF4pH0DnmmJioxn7+6p4oq6zVD // SIG // KRR27Gvb0qPj/AuLbyHGl8+wgbKi/2Ot9O1oX8mtL/AZ // SIG // 5gBVBKwyx9P4pL+OLoy2B5KoW0M+JZV1TvGsyCtnvicn // SIG // Dg4WBqJ7UyJ+JAZD8mfxQjhQ4VtqLXMKw0Xax0DLSuIt // SIG // 1aw4TLjwc9GjNbMb+zORnId2B8sWZsgp4EpCpAjo0vir // SIG // VAjtjfCj3Q1snk9H+FiVmPs5H+3nSMXoXRtTOMNoPSEn // SIG // HOQJ25Uh+fEV0f2D6HfbU3iGgmHgmdFhABV70n77hdnY // SIG // sHkqupZpAUG0qkNiiiFkyGBFuSBLV2dXH0oD/JHuNhDk // SIG // 39xOcrc6X1ZYznD/X2z55o97SYFIJ4HoqjumcA0QC4Mo // SIG // BFudcmEzpLsPPTtTf5soXQvoo9bhiVl9VXU5oLe6gpNi // SIG // ZiyFZ8DVY1w1kr2quqHuyxMHEIlQgYKPpFOHFDLlCQaO // SIG // HRVSTY40DRx2TRZ8XOeYAqDIeQvYDKSn2350gf/NVbOe // SIG // u9ofURJgbrA06hPhR+Tt7YvwVWsipY5Mw+R9QLqS71fK // SIG // oSDuHJW6DOQ5pXAn11y2i3aO7ZGxzGDDRV9+eh1xISRj // SIG // 3+SGOlcLvAowABJuZC+UoGSJZjw2T1o8jURDwtJPv3BJ // SIG // uj4DbUF2mNG/0ArGEbh9ftFAsYk4lUGu // SIG // End signature block