From 97d863f52f9bd796551e907d0ce30d7e02f423f0 Mon Sep 17 00:00:00 2001 From: Joseph VanWanzeele Date: Fri, 22 Nov 2024 17:55:06 -0500 Subject: [PATCH 1/6] fixed bug that was stripping slashes from mountpoint. Updated store type definition for HCVPKI --- CHANGELOG.md | 3 + hashicorp-vault-orchestrator.sln | 23 +++++- .../HcvKeyfactorClient.cs | 9 ++- hashicorp-vault-orchestrator/Jobs/JobBase.cs | 17 +---- .../hashicorp-vault-orchestrator.csproj | 25 +++---- images/store_type_fields_pki.png | Bin 0 -> 16296 bytes images/store_type_pki.png | Bin 30301 -> 28741 bytes integration-manifest.json | 54 +++++--------- readme_source.md | 68 +++++++++--------- 9 files changed, 92 insertions(+), 107 deletions(-) create mode 100644 images/store_type_fields_pki.png diff --git a/CHANGELOG.md b/CHANGELOG.md index c2e84d8..4a7cf59 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +## 3.1.1 +* bug fix: no longer stripping slashes from a mountpoint that includes them + ## 3.1.0 * Added support for enterprise namespaces and alternate mount-points during discovery by allowing the value to be entered in the "directories to search" field. diff --git a/hashicorp-vault-orchestrator.sln b/hashicorp-vault-orchestrator.sln index bc02e16..341745a 100644 --- a/hashicorp-vault-orchestrator.sln +++ b/hashicorp-vault-orchestrator.sln @@ -1,17 +1,36 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.32413.511 +# Visual Studio Version 17 +VisualStudioVersion = 17.11.35327.3 MinimumVisualStudioVersion = 10.0.40219.1 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hashicorp-vault-orchestrator", "hashicorp-vault-orchestrator\hashicorp-vault-orchestrator.csproj", "{76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}" EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{83623EBF-AC4C-4158-922D-959AEFC75453}" ProjectSection(SolutionItems) = preProject + images\cert-store-kv.PNG = images\cert-store-kv.PNG + images\cert-store-pki.PNG = images\cert-store-pki.PNG + images\cert-store-type-advanced.png = images\cert-store-type-advanced.png + images\cert_store_add_dialog.png = images\cert_store_add_dialog.png + images\cert_store_fields.png = images\cert_store_fields.png CHANGELOG.md = CHANGELOG.md + images\discovery.PNG = images\discovery.PNG integration-manifest.json = integration-manifest.json LICENSE = LICENSE + images\PEM-vault-example-1.PNG = images\PEM-vault-example-1.PNG + images\PEM-vault-example-2.PNG = images\PEM-vault-example-2.PNG + images\PEM-vault-example-3.PNG = images\PEM-vault-example-3.PNG + images\pfx_enrollment_blank.png = images\pfx_enrollment_blank.png + images\pfx_enrollment_certstore.png = images\pfx_enrollment_certstore.png + images\pfx_enrollment_filled.png = images\pfx_enrollment_filled.png README.md = README.md readme_source.md = readme_source.md + images\store-type-kv.PNG = images\store-type-kv.PNG + images\store_type_1.PNG = images\store_type_1.PNG + images\store_type_add.png = images\store_type_add.png + images\store_type_fields.png = images\store_type_fields.png + images\store_type_pki.png = images\store_type_pki.png + images\vault_cli_list.png = images\vault_cli_list.png + images\vault_cli_read.png = images\vault_cli_read.png EndProjectSection EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "readme-src", "readme-src", "{3266961F-0B1D-4DB6-9A58-C0DA958EB832}" diff --git a/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs b/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs index 325444d..d3250af 100644 --- a/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs +++ b/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs @@ -21,8 +21,6 @@ namespace Keyfactor.Extensions.Orchestrator.HashicorpVault { public class HcvKeyfactorClient : IHashiClient { - //private IVaultClient _vaultClient { get; set; } - private ILogger logger = LogHandler.GetClassLogger(); private string _vaultUrl { get; set; } @@ -36,9 +34,11 @@ public class HcvKeyfactorClient : IHashiClient public HcvKeyfactorClient(string vaultToken, string serverUrl, string mountPoint, string storePath) { _vaultToken = vaultToken; - _mountPoint = mountPoint ?? "keyfactor"; + _mountPoint = mountPoint ?? "keyfactor"; // the mount point, including the namespace.. the namespace cannot contain slashes; so it will be everything before the first slash + // example: KF/pki/pru uses the KF namespace and the mount point is pki/pru. + _storePath = !string.IsNullOrEmpty(storePath) ? "/" + storePath : storePath; - _vaultUrl = $"{ serverUrl }/v1/{ _mountPoint.Replace("/", string.Empty) }"; + _vaultUrl = $"{ serverUrl }/v1/{ _mountPoint.Replace("//", "/") }"; } public async Task GetCertificateFromPemStore(string key) @@ -125,7 +125,6 @@ public async Task GetCertificateFromPemStore(string key) var content = JsonConvert.DeserializeObject(new StreamReader(res.GetResponseStream()).ReadToEnd()); string[] certKeys; - content.data.TryGetValue("keys", out certKeys); certKeys.ToList().ForEach(k => diff --git a/hashicorp-vault-orchestrator/Jobs/JobBase.cs b/hashicorp-vault-orchestrator/Jobs/JobBase.cs index c386332..6539b21 100644 --- a/hashicorp-vault-orchestrator/Jobs/JobBase.cs +++ b/hashicorp-vault-orchestrator/Jobs/JobBase.cs @@ -20,21 +20,13 @@ public abstract class JobBase public string ExtensionName => "HCV"; public string StorePath { get; set; } - public string VaultToken { get; set; } - public string ClientMachine { get; set; } - public string VaultServerUrl { get; set; } - public bool SubfolderInventory { get; set; } - public bool IncludeCertChain { get; set; } - public string MountPoint { get; set; } // the mount point of the KV secrets engine. defaults to kv-v2 if not provided. - - public string Namespace { get; set; } // for enterprise editions of vault that utilize namespaces; split from the passed in mount point. "namespace/mountpoint" - + public string Namespace { get; set; } // for enterprise editions of vault that utilize namespaces; split from the passed in mount point if needed. internal protected IHashiClient VaultClient { get; set; } internal protected string _storeType { get; set; } internal protected ILogger logger { get; set; } @@ -103,7 +95,6 @@ public void Initialize(DiscoveryJobConfiguration config) logger.LogTrace($"Directories to search (mount point): {MountPoint}"); logger.LogTrace($"Enterprise Namespace: {Namespace}"); - logger.LogTrace($"Directories to ignore (subpath to search): {subPath}"); InitProps(config.JobProperties, config.Capability); } @@ -112,11 +103,8 @@ public void Initialize(ManagementJobConfiguration config) logger = LogHandler.GetClassLogger(GetType()); ClientMachine = config.CertificateStoreDetails.ClientMachine; - VaultServerUrl = PAMUtilities.ResolvePAMField(PamSecretResolver, logger, "Server UserName", config.ServerUsername); - VaultToken = PAMUtilities.ResolvePAMField(PamSecretResolver, logger, "Server Password", config.ServerPassword); - StorePath = config.CertificateStoreDetails.StorePath; ClientMachine = config.CertificateStoreDetails.ClientMachine; dynamic props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties.ToString()); @@ -141,8 +129,8 @@ private void InitProps(dynamic props, string capability) } var mp = props.ContainsKey("MountPoint") ? props["MountPoint"].ToString() : null; - MountPoint = !string.IsNullOrEmpty(mp) ? mp : MountPoint; + SubfolderInventory = props.ContainsKey("SubfolderInventory") ? bool.Parse(props["SubfolderInventory"].ToString()) : false; IncludeCertChain = props.ContainsKey("IncludeCertChain") ? bool.Parse(props["IncludeCertChain"].ToString()) : false; @@ -156,7 +144,6 @@ private void InitProps(dynamic props, string capability) { VaultClient = new HcvKeyfactorClient(VaultToken, VaultServerUrl, MountPoint, StorePath); } - } } } \ No newline at end of file diff --git a/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj b/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj index a7c518b..64e754e 100644 --- a/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj +++ b/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj @@ -1,14 +1,10 @@  - netstandard2.0 + netcoreapp3.1 Keyfactor.Extensions.Orchestrator.HashicorpVault Keyfactor.Extensions.Orchestrator.HCV true - Apache-2.0 - false - - true false @@ -33,25 +29,20 @@ - - - all - + + all - + all - - - - all - - - + + + + all diff --git a/images/store_type_fields_pki.png b/images/store_type_fields_pki.png new file mode 100644 index 0000000000000000000000000000000000000000..e1d8b2211aef5a9b495219aaa7ed72ff4dc555e7 GIT binary patch literal 16296 zcmc(`XIN8R+btSUKtaHcbQBTkNbf}ir1##X_ue5vco3B;E%aWb1?eO-0TD>(p;sxP zg@8cl1WtUO{qDWreZ6O&@B4Lra81_ATyw5+&3lY-k9&U7R97S?r6C0X0OU$<-)I8> zgaZHo0r4$j{25Q>ZasWM;H|Cr8UPuh+rl5*w3k(r1psQ|$u6yk@W;13-WquW02JMS z{s?;AzuEu*(vnJVWOW0~F$?6$k5Jjat{JWEWkMVuJ$_?8_RUBp!u_k#gHd@F0cx|% zSnBIHHR^6}~jPY?5Xh*x1N>*B#w4}8)PLXGIPcnU9dAKxT|g;C?1w=&=F;G5@6mVX}m{$1W1_~!PlGy?pEH*ex! z2tX#Bfg&wl8L_}@yVf^g)h{HjLM1xu)fCg(!gBhP)VE%KS7@&N4e0{bRVDnaB}nl| zpl-omMWq_YYXrAs0VnaLuYO;etnW;fGCqr$!-Py*zF0Jkr#_4zS1;~_2c3kJiqK~Ft`D?)DoLgj3WY)rjNIi2s$Txm7jj8iOb zu#FH9;7$$B3=gO(Zg4g!N$AmXG^*EBt(>pteiYK$#@XzkMQgL10f}?!empssiJ3D` z_Wa`X;o`@Szq)Bq_UG;4JiN;-3cGjI)3SsCc^kSO6yA;4SS&U&09?Mbl9--Yqm~+Q z_&AAl6xCSuC6bn=$P>;Bwfp=jtyoZH&|aH&{+xI&(W!&-ZkYH4U3BwHj_fo(3I+u*l~41Y9H~o z5gX2FD=;f9#x;>qCHWEG$m?UZuB~ zP)zT)7lrDl&qHlYX5CX~8B2VPKn~TVT_JW#D)m+V*TdJ2$DZdUFzb7oeA6j$bH6$t0km_45JjrnQIKmsu>IhMbCGTe~8 z=x^_05JK&STV2X*zp^v!at8p+%J54O3L@s_M+v-&@5-tIdAquiRg>jLs+)JWnv&P5%8LU37l=45Mv* zWr_3sU=iXS`wWx9RSAjql7LK&TDv5PA+oj0n9C^JvybS{z#fVT~Ee#sfjSpy&@*_ zO7;6)-8)9G<4cING}Sm!41}-$Ez$2Z%d)2;HFGCzaN@nP&jQnrb)bQrd!z9-!Mt`p zv!s+sT1glc=GHI=KSp@1X*arDaN*~xBt=xYc^7Hf(@++PP9pVhB1uk`V0Yp@MX@}7 zRfZJv_e2OpW#Yv%D$|?qzfZVbkZsJot)O&z7*!_W zWEk}RZ8BGsC?;t9fthJQXAy_EXvCpI%dQ%c+wtOG$@fo;{13QE$36u7(u1EdAE#qi zC2)koO)kPX6zu!&v5N3KvCAHbed|%SGrBL4Y$WNjKy8K&Hg{?&ZX>rLHIwUK;kxbs z$M%IG4Kd=dUA?EG1C6LrXIno}4+EYoI=v@b~8^ zK)q87=TcpWqA_PWRgKo41vb351V1lc=QH~J$%0*NZ>Ns*RpsdXnseNtDOGdvN3U6T zFlM)_5B;UDSbXT-a*zHolXP1zZ;z?rMze>~PGIx8lz8s(T5~inp*>)s@U{DST@}xZ zC*GX~c2rrb23<3|bi!PoHOcYjRxMR^MCm03PUbW@J8I7F*ae>@+g_-V%GcF5ItYWx zQCb^<8q2&X_T?3mx~fEECiUKpFJ~VQ7qMo>Ot#MkG&MMX+HveIc{@EvXIfcAWIt!~ zN$IxnO9T6xu8Z!LgjqYLXVKxwFJH!=klr*U3qHgwl51Fz#=)0Xrf~(SXct*kh~1V$ ziwm_rcLQ_u{6!^*p9n+0Vezcd*vg7$rvGg6#9_AT3NWhoLMSg&0goE}i^s(1MdlT3-zHx6mRl&&a z23M|%;9CnwWAk62`R}gPz$@3J<3!v&KO;x*2CTmf@bU@P-=ivKS!{cFO>L=NbusQh zdi6qbdJA#j|Hz-#+go>Aq4lF<_Mv-5?Zt4r4mo17N2+u#)!N9M!zCao**1cvZCRiY zZIVlF_DYy@>)75c^EhVB$#Up8UHil+9`2>}>qEg<%Z@yhp&A+?fpRn7E%1qv`3e2K z{n#`ax-%s1`DbOj{WkuUJBgEo`$RCa~Z<*;7*j*^x22O>-whu50-X#sEn z8O9VViyHt~`f=AORSqBwZjdiJ02pE1!chayDFJyrc&Zr2aCgx^f9rO%5-lK1>O=A$ z3duyk^*3E4{QqW|zYRsPqH~S8jn#lJ&MzqIs{w#bhMNPM-rF6X-`fe_%mM{x+X(@A z!O3*Ixgwrj?Sw&-x%0=+P@<2Qt127Q26)2SvRM$lQ?Y{Y(Q$czIDRxz#}K-seL;FR z@UrG)hXVje987!F-Of%SjKgzTz-?tWt1B#01H+MLpAEV?JAU*Xddn>0kTmT1JeCCC z;W-n_AL{#G;KTog2mE&$ePih64!WTA@7u&rp?PLEkY;7^sI)Td41FX#?TqUbNvVa23v`y9_ipjPfN7d19c#`R;cTS%|% zHKnr^N{i`N6J_g_G@`-3EvZF3^5~OjFF17vq;3H6DpC&V*2^i3$T?mFCg=+_BKSi-Nm5b(*g(?f}A+wI>L?KgFVP z+W8kNs=pauNA8jx8#9b9~W^}09Txr_^mgIl(B%?q_tb7CQlCZ0ezVJuEJ1xo78m-UCUd#xaeH{t)+?l>k z$(Os14K*myxj^ME1}I9^xFch(G6YP8o}Wm#!F;!6Dq1}~islWab>kXvpaZw4?7QBb zw%6wEQZVN+57Gsyvkh_XJ-5>ax^H{W8Z5{g?PIcBmoi*KgwczMqf?2*4<9C=wRXcn7W{Xnv1`zH3?r|Buk@&v&b?D&B{l58g0}N zlu!wj60Ylpv3Y4z-0VDbSM)PW*gP;->*KB_)^jO}dedctubbiz2jEVF|y z(l43qp@riZvll!&jfLJc+~lAMPX2>I@hx*BDNuN8>j5L`E4^O!hdx_jpdPo#Hv@`? ze%0?71q>CYKxzv9t;~!$-wFYMm-2U|TYpD`cYf=nOPkwVUgid^lHN`g+yr*FZxM8! zNWwbXA%L3$3sxtz2M4DnYui>}#5nO6u<%~(gTy;YHL?V5*P9ODkxoB+}r*^g`e(pVjy@7nPYxS+Xxb)4Krfsc`eTlr1>P1l9AsU`2gFN;^f2M)Zh z(9FEm!n1Cx(Q{LB(DH$|hQCky3&-5+gaPuE0%h6n^C-Xmb@HV|=&nMC)l{F_Du^xf zP;o#{+5N>us(`?$9D!)#gtGfh)j5MsOqsRVy+#N}z&=-?M4H`h;aC){M6JepwTB};PkQ}m8^@Kgkd5m&5{m@CqkP@x%?CYTF3OsvE-zn+-_&#HF5*NI#^u0JDDD+>EL<_}SkV0#(2* zvYnYl^#yKVH>4%JwWY2FZg~zfKO_S9FsrdlSWdS<-NwT0((nD?7p1-YfcwN5hmxYq z42e!ok-v9y`8qVR@A7&@nlqp8F0X$X^T9DXctD49ej=4xpEG$s*dnDV>DhYW+}aV- zHwbM?h7M2~Z@NS%JxO3AU*re}q& zcYU7Kp&G7P@>rBhiY` zc2KxcV}6AAwK&wFaoJ<%09TftOUm z@O2kZbJ0_r_sq42()(d0PT3yZ^8FJetpHyH=H+UcL`Xd>+x157mEO%F7+?EiA9WubCs}Z3cEnUZs;9|O^Z^Yu7eT2gy zRg6VSrVDSD(=BYNv$8_DXSFoZKoLHd1<-9k*uKA#O`;UUbr#D7bk^2x6?3dd#ebj` zI&|Mj5-`20B}N7nT0$P`l8=)GR+`!tM5aHsi+H@gGTLP-aZH5&Oe0-?xPea+9$fI5 z98P+A`eU=Be~>^>P|)if>v#bP+L9Ux)w=aB1Ys%LPQF9_(0^}{D;H?IAbWVWF$FJD zO8N)T)FN`?rLPRHP!?A`ab@bD%U%#Cm3ct^9XgSbxc=DC$Lw~w1b~r=0Odakt%NYT zKRK_w%zsDZe-c~&15joAHTnZwy)#4qB=vOLGfOAu40_l&EZf&Vb6{HFO|Bd6=i}#u z_)*XfoQ6){RsYAx|JD52|HAFCL^?6AAMJ!ADI$$w5QAM$`G1mczcj2jd<})JQQ9*O zOU2N45KfqN_?=pJokO6`)k??W%Wljx#A9txaV_1FrGzKsb%`G;99h(ObkM?(D*m&y zQ8ljhX*^dj3qq*Scx&SP<1))*1%n(f*y}4DWbS8+o9~^p&TI5kL-q28Bx@T3Q+D{= zVZWPw5L|X`2jg-*<4M`U*XEC#lCJQJugGwGZ=J8dZkIn zE^zok5_>>rAF#bcb!Nj?Fbg*-fNpW(c7^)P1!WBYlIb|oB08l^!N`L=TFMr;1(i~- zigI4}nzDuHT$%OAhiBJA4&HRI`Z3<9i}(ZGlZ4;5Oa59YLCqr78)JCeJT{$AJI(RqaK!bEP9nYfldIu(%{~oZ8wt7I z*0(%;#5Yj|HaXe6umGe*-cZvFkP>4`hm{ni9-Z;p3@2X!lAY9n4|-L ztAUpnjcZcs&O>GWwe;Dw?#SyzGet*vS8h8<~kj=WdWgBFQ+dUk%*-6vFlN|>u z?%urF-|Vg%_qKSMSH{R(ZC167XglCbQ01H&gR~ER-Iar(@?|8d>nQ={dI6`W?inEA zUA2b$j5DGu&!zX|zd;3U!`FK|^*yMx&%WsmSz=X~Oej&Lcgg z4P)}0+Ii47Pb11=R*Li5ze-7XxC#$*StKM)pDu6Ze>^XHTf9>@gzJQI+LwP6Z$g!4 z@}z>O*7I%Z%lCr(9F0TreVr9tzQmjN+3Zv>rS_!~7iP*WsCEabW}&6Lgc2WE!z{-bn@of6_{fK>SxNtnio0NAJPu@hfH|4irdcxy4@m# z$v#-42Z?*Ht%zdF-kpzyvp=G=LJ>wcZFROst zBKJdHJOzp7&Mre%VpNJ3Ir+-iX#~(X#mL=ZroIK28^2CP$L2cPU#fe)QdEe@Z*t!m zc_6HJe3Nk9EyaoLqGerit)^pqd9Ti5nKfRzsvS)ajWoF8sZ+kL}!Y19CK&G&6bLeue>RNa@l@lj_*z9_8YJjlJU8zS^;7o zSZ~d{3!-tKC6ewXv?QUbi;pSVK4XpJ$#^BEC~n-5=34a_^0@;bV$W-5|5#$P2?e=E znK~QaH6!ybF~h5>YAhNlSA7sb{@UHn`3`#_@ZiRhLvBhZH?#i&ddSzxEW7`R!r=QE zj|NAee~)-dco@{CGo>PQUj3;*N`dVmH_=ldDs@tRha$oBy=}QkAH9r`hQg@csrFpC z{^hD4aqKmvk%mAS#LYj^%b?u$vvC%Gi*IvX6YPy6HMa(jiI~FoJyKt;(cK>mzP3RN zv2L3@3xCM~jkYW94>u?_PNSL^bBglDif<8L`v=0H#X(GD_XKabj{nTEq=l#u6`>|H z${x>dhO8vl4u``64S27={q+`^jaJn#H1;UtT5BYdMx60r_NyUOqK47DE-!6B=1koK zY<##f!(CzZj$3S|ivgwaD{Rz((3ZH9{>e=WZTiJKkR0E0VN~4SrAe@`<0XY{8~kW@ zXi9dEbke94q~dnC_mDy%UEF9e1QzrCkvD1x-PPiY%uUo{&Su44V6qXN_E zZ^Sp8yN0QE#l7KvQNFQvsI?zRJ(Zh5QIby1#mqIagl6AZ79-}Vl`vvHbY$G$lQ8%Y zE5YER;ZaaK_n7>VPZL+T1!OKK(P|=#L$D+(%AF_oigE4pIA&VQD3Mv*wvLN=S0oMC zn+tEYlogcw@Rxs@B5IsGUBixmUH(j?|7B4-`_I=P&lTENv1>mRv(6N9!A1n3bZ#- zv;a=gL5Fgt`A#;N&Rl1qlNC#Cd*s$1eu-b_R!430adzmf2eyO-l!EaSEZP`XB^pcO zGG9mpB_)D+Y&J!tt6nd$E?_+>+PwI&PE$aQo%g$1+}e3xeeUG85R6bUmR@v0K*w&y zU0V~54qf0-^Dzp2_H<43A}p0m#$ z%fDw$aE2(+6FSCy_(>?51FE`MTpBvH;No-u5nr$$1|QjVy&L`_|3f_VA&91>$x$k8 zQ6S+76S$LWi4LIDDXE!NdnMqPk1d&`1Cbi!c2|}uY!UE{oE-JlL`oqfXCb9mmHwd4 z+@A^sUfy5A7LnAF2QN1)`tWHslDoVo2FL1l-gOqz+xKNtc;i*-IXzGDKYwov6|3%q(=CS^-{iB!8yT3}^ge`CFBIXu?=XmtI_GpZfp=-hx8u^yKRq$;EvIH-b9l3NY*}hn06Y%>gHIFq&`1z}2qL!`dE`6$6g~<-uP5=<6@=3;kyL#vt?&1aYUL9TZix8}2Se``X_LSVGdXjf zjln)X>`|pc?4aswkHP~a{S9a5Xo?|2?HJn>54Xynhx`QIvfIV&?ehAi@&lN$#WBvo z!DH7*Xu$C^$J7@y$xRX@tRJa{`=aZ38u#As`Zr6yOpC3v%`n(eO?Uldk+%LCN<>;f z&b=79xjYeFjDhYEH_+6=0vb8XbD5=2&_mssHVs9&)#t^Qa~2YZ1rI}wCx{c+9aNbu zxku_92ghoIbjoGwT@y>z9r*^^W1Anw#ngWs;I_FY#ZjwL^U^ae}(XeuLc>}XiUy#zA9#W zG9kbsp)lb2h>kHREA7C<6524ZZ(GVmu^z2Ka!zkR#dX){YGvowePm3sTIW`9WAvrV z9%`jWs7*7fUcdYI^yiYZ-dLqFW6laQr+2)YipaQzdU;eiEmAt^aRBNx?(HmJ#8cOI zE>K6L*F;o445r|CV4O)2CC)V+wcA=Jb`)r40g`<8-g?OQ+uY;WnhyB@WdyFpCX2R? zcL^HMa5C33>?@KTinjg8R;b0seva~^jnP)5w1Pu@p9 z%a|=1^3!S(A|a^VdQ2Mr(NZ?!;lX@x zrT&sJw1M?g_It;w@%1p=jmmL;=oq3-LBwj2$0-}gXB+aDxML|JE7dUYRT@L56?*1jny|iJ#5$tFOt&%n6Ra9sWtwP^z^{+y1q3;gR z?#y-Vwe(%J*hmZ8jS48vQf-}VyWh*AER< z1(K~E*c-O2U%wmEpr5yGJ0)+lJ5#1bqjx;-k9~jnDA|#wAe7oMRlaeIuT8-m2iA{r zT$n!1YOcPGW~z3>hO0{Q6qOnWqQUz9k&Z@X6J(8p?c;fdd#{`Xs=DAR%X~*xPHhpf z$?~!bIYx|)N-fmIN1;wFy4$7?c2ryyy_S+1uUF8TJWJ%<>|;UY4^UTTq$`-c^F1df zciPL(pLLWCNu)h??Pc+==U#yujrVW+b^ge}^!+3)%1;Ye|DVHhe5{E96@;2>0*~Yn zF4M+Ii!fd8HX}t!1S!;nWK*4{lCGQ#Nd$Xl_{#AH(j zosl1Pr)KKuS{(Nu-tO4_Y<8!2j9$BfiueRr;qhZU>X>kWBEx*-e&dJ8%U{1eg1;>k zkE3s+M(83qGI}yIS}T4g^YZYE zyxqC@eD5Y%?C1pF$Xu7icdW8jWR;*9N2Mi_T`o_WU)YU^Di0z5*x{G9*DpG{(&z}- zP%-ySGEPD2;qlmvAu7SmzvRXfcZ^vgo~mMg>)gDAakK&`EFh^pY8mAY;HG(tmfxoD z2oFSb7-0{&+XAc6kejGeME&pP5u?OWVH*AQE8_kuZ)1`NTL{ z38Oov;|P?kjpYYorI%~&r>cC>=Sg{a$EP%Tsll{b_z8@Ann)I-NWowJk$8yv<11gK z{I*!3rKJVNI>!v?Xhr>E1{UTiV&7Pgpi3LXFor%_snC_6(U1CH*}A8o15g{muFDSB0b6 zuX@_UY*DPudFJ0{F9Th;zuudwW1}8pW30rLRf_qvkAqx4n+h&3^+ElV&2z6U&MfUK zDnT1MXYi_%KK~bwsrZr-@!qRu8~hVdu!yBTtIf&m#^Q(WAA^xv4D*j|bo)h8vAI6Bcf&nti@F3-% zKdNII_Sly?uFxHDM%+E}ZTv42n>b3TwHmLpoq&x{=yt^ej5z+R?gIu6gRlpTpm!F3 ztl>yz#Xrse;rwE|)Ik5bVe74WYf?S$$w$#hMhXi(~Zf=$FE`%KJjn#&)9(#P#K&*ER0Mz-HtQmWYOPDR{5# z;Ob&ev3G)8c%F$;;(0P@ zE9h_JJ;7iw+7=c()<0uvtbg2u;B)@9plhHwG2SPW`JUA~k}s#`?GM^il{r> zsT;P#7*FbNih8f7d5U4u?Q>qef8XfBmaS2`wV@}0>uv~vo(VL(?geMOTTWd~WwcO- zU`CEcFe9=$+Q7rirL-+dNo+!3_2I=_@jPt%S82^=2RS+UK@;erY19X2e%-Qgr3pR0 zeGY-a#2lTSRmkF^?odA)mOROVGWlNe>Ap1@^vzn!I9ZNjOeLokN+Yv`KLRjO5w1(r z-=F#wusaXcilnVJJi@_KI0`2>zc4Gpbu=VxOFy@sEC!df7?myrZe-hK`N?yTKaslp zEr$%puzP^7@((4hPFEev81dFeauTaXhA(>$8BeR_qz1SeF^Ym>`kUx0460Kvc3U+3 zcBY@M_QngZ`t8oMRkxp)8>JGL|w1y^2tuYYnWM z=}=y(Hg14dMiIj!cOGCRrz}8iY!4o=stfe$UcOUtOhCgEI4X8uvs)M)#V45_=7b*4 z9IPd2WJC*dMZnYn02{gQrhuxq4Fwaj5rVF<2PUc(!5F~@BaR+b0xy9l3;u-w%hTV> zTFOyFg$U&E%c>u~fwSc$oppXn&cE|&i-8Wmsvd=kPD0F_C(XchA!i3KHT#?mB-WDV48C(zmIK%q`{dxzpV#oMe4#cMitg5`5 zO)}1!WmRzQyB`lZT&f1#+t2Ly%{Qj>O~J$k-G%W|>=(xve&ivwuv?Z975PiAQGrAf z#t>eo8SnQUWKPjDanE6@;PO|t@Q29H=AXSzZnNhS*P^GYg*zJ7g`9alHd3IS+eExN zTG}T)gXSHKCJu5m48YC+8Q*7?Lvk%)tI#C4-Xz3U4|&U!qn;w8@z=(?bF4z??5r`8 zyfOvq+%S>nalA8A^6UhRYRYaKB0Wx$1-V7Np^4RWh`)fOr zf!E)_+$>z5`iV9vZw#g;ZEf0P>+0+V`L1D*cT{hkHS@5CFuLoOq)pg%tnTdV4VR_% zg&6NG3YyCcDgez}XBjQH-&)~&7_s8)Y~{tbhp62Lx(o(aM>SsDRZ3^J6N7~)EkweY z7g}4WzS8MC2COH{1*t#?0`ku9@^0i;X$I+J>Ni7F3``^&B9W3Ta^7r$iets(m%pQ= zlNoWFidsxrvBX5cMaUSFtov)PrD6oq_CjOzZ2`J`_~YcBKe}A@Q=E5|qx5Mfr79D; z1ntjd+B~AlVJq%6TK|9?SYNDZ^6g066krzf=MyDe0ad`mw4c=0Z6s4xdvDNv$KZ@wz5Ov}zJ@C&_;$lp1Szd?fM=0ID-|IA8w z{Zkn8@1^@+Gs4c|iSK;FS5X1Nx>9_ROH-^CR!e&AaT*}jhK*eNCH$m$8JEc8>^6K# zv2pe|)@p?5YWz07|7Qci_>{SJv{`z{ne8z>{!IDp_!N%stn|6F|3K@%eAIv3&Ji-v zf&VKi8V})DDFCL9$2Urnf$W3M*<5(J+=dFSev8i+YboA-mlahw8GEoIo(nf{Yg26J zuW2qd|J$9_t@e7?nWNUfIsGhiRvyykn=_Cl@Or4KitF8zrw{ChlAsUX_+2|ihuBg5 zxpkk?9P%`c+*EbymsDBSOJK{9@9&?1Mo`!+d>BOxr1RT;41BE?5j=6#UON5eQkM1&DA8H9niR)Bjh4bExRz4^}$Tm zjJAUA!(nNjlO+&Hp11&SJ_pq2h)JCOia5aSftFlI@Os9u9ghPj+{screEYwNmpV{^ zCz>>AfRuu^HnVLs+IArAm7l7izPOl}&Gi+|4{x8RyblwN&zFnJ*j)+mxa?z&PfN8| zL=x5dayfHgvqZfIM6!3e>N<0;f`%bw8thv)JC2`;@- zs8cX$i2nmGjnfGL&_9tNrJ1wln{gAD`Bj z@Fss}WiGb`xbS`SP~j5p4*-l6s}$~;*V=r#?dN+je*(iGQJd}1omxae^ljWp7a5Og za5d6birjFX&qsQTZ$UnM7V2HvdcIvz8*=7#Xg(#6RKnuXcTdWwEvSJy{%ZLgT@4oB zZSGE1ku13+6Yk~V7u$3;usfjlzVb|TUaT9IGRX-!Q1brL6nJP?_wNXL!w`?4?j^yP zhAGvAiud_rd8Z5hORn%9l)OK#>DRp`~9 zu}Ps9$LUjw@eG1o@bhZ!)j{E<|4odbb3MFMfoALHF`sXykAnZVU@o zkAfUT$E=m(35wf9f#~W~N-kDoJD=Z(7zSxz`lv0`tLk#~`O+VZk;02LuawrtI7g1n zKUnLWx)YkXpaa`EtFA`#1D*7dLfHOq|0ts|L(qe-VGIvmX|E1nuDLKvmMwNH~zy znoLbj>QjsRRc6z;MVGwU6p#+k0&=tf%}+iNbHlg_72|~nKDzCl?ynAZWD2?RUC2i~ zCI2pHIEi}n`Xs`H1QpJJr92Pb?n!Ie^fDFQw?MyIfoD_D7{=2G!jr3Bb3a!Rl_CIq zWX4kk6U`}zS!Swx#rp!{9LSu3$;YEM^vXnF9m+=RoEo=-r*{J#kcw%dG44G>>1xD& zM+--@jGPXqz{G3lo|kM4nW4|fo`2OKJa#J3#{|EGB$C=+xlHr&n_VB73@sePcCn{d z(MVk0`^yYL=Ye3g(Gl7oBht+WdGRTShldRk+k2J0S(&}Xx7ga=dZRQEsi}I`X@`if z)zhmF0AV73`0gWRcLgNrl<$@k+1JK%n1s1&=meb-Soz*C?T|u5I5ofBn?RUy#Lc$b z{h?rP4KPMJwvY}MVx|G!sFbZL@o)fCq07;gvN7sNOGA_O`4hA=eJRq1A=Df~<|oKB zYOmvbw+g$YA$9iLNz~wq@4yv2N68)fCYQM?o=NUHzoTu@vfTC!$eLb&Y0`SI;qoUU zJC%fs%2;ZpH;aMa&DeBozbrz1$|oMu&PxQqGTs<+xVE{id>%ZnC=5?b!FWxyN+*?B zS=)^M@5=f%zbTo{&=MuS)K_LnU!C(U+25Ps^8R1sFaR)u3lg$~w5gX&O!URYa@gXk zr4zd8=?{$ZyWOP|=+Or7a>-{&?Vj0L&i{g=K`SBkzTF0{1MQ36F~{DAGFuU%}JmGVWpMll`CWq0xd9a3QW8;ryBqueu_UT3p*!UN;;6*^ zxhQN~@Bc?X#eQd|PLYO&W}u_pbQR&dJ%@^Bb|M|F*`Fe%%s%QHME^?#+4{ulHodjfjAW7+l<9s^L!mJlWy ziTb7{1U>}2^nScU&G+MGFJ2#K1XdH&6H`r@2Ui7FzfetM(kWF>sWNGreI>J0XlsmU zO!Wi+*l**@Fh@DgP0bMd4?mk4Tt|>lrov#bmm+@k@@HQZ8D3RKQP4Z3-lL53g$RlMP36!&_f7e6m{bdurkJrVhe%4%p-uGj*px?h_ zk%t9UL&if3`*#cO_ML)4W$STW?VQ*?Ois9M8-w^iv5A>TK6R>e#uWIhRxrNz+kQ?BTRA|(A7Bc0)5v!o(ze=+VQEW%xER@ zBEeh>o#d7J7-z&(v*+s069CGqH%sVyGfde6Es{;FD^9q6-;t@3^&$CRDa3<+lxJr} ziJ60OB=Lw?C|)?)0jCm6A`nW)TbDCluW)&?Hx69_ZEsR;YM4rO=udji9u#XNvaJ<7 zkg=M7Rk}q7G%G$be#$j215*5+6_xX{UIpR4JQ1dU$ZBQ)_Ir9EtnH8xvQ-Su038vR z;8m*knAYx#XqP~%KZyf^@Z4zXYwpm*Fyhs#4c~OJcyv4Qc>!jwNyWq@lWo;Fu0f(@ z_g4V*6l;I;!@&=iYVNk#$(*2P!l1`u>G}rD;zE$*qmC;X3V)wI`$&oooQz+k1zW}ON7eJ6 zzFrWs=lK33*+D{4Ga^r0rW*THFpMgt^g3TN>bR4YgazT196Ytwr1&g0e%K>+*2g=M zVNn17sgq>g&j0LI`Oo{c%WtRk#!=h;licJ$vr$_x_wI% OP?A@F19@#3{{H}>#Po*% literal 0 HcmV?d00001 diff --git a/images/store_type_pki.png b/images/store_type_pki.png index ff45833b161bc25069762668f6bfaa1e8d13c077..fa66f47a7edeb956ed23e2002f5e19df91a0791e 100644 GIT binary patch literal 28741 zcmdqJcT`kO_$G)VA|mi90s;amNn%TuoCG8*QBpS`xyiYK1{4Jq36g{4922xWyA|i5`QGF(_=L^Qn2RSmXreRMJby_KoFa2GHZfe};`^36Pw1voH zI&S5@$rkykk~6b(|0?6N7a+}jrquZgd1^sHUA zWes1uLTnd*?Pt$-u!+QM{xw>im!*GF^c(9LNxQV`ng{p#gxcsY0@-4+mydYN`|v*( zU4JFx`-B$gnZFm@0Js*#|Ia1! z#H;%h$>Q$MBFB8c8ckI$)eJ}t&7txG_r+PAURg0&%N#jhxb?a7 z!bxY3%<3PCNt_F~^gWX?+!x4M>H2In(Y+$;v9w!9JJ9t-h_fD@dV3|LFVVH!M2{ zVPHhNh#tPh)DhLAj-47XPy;87<6ycAs?%+=%5ZbnYCdvuA_1!ugpWPRIY1XEYzMgZk)rKCRVFp z*w4uekSKo}i-*UveP^;KLWyN8HubgnTihq}!%;h)2Mc;$pyS?o2vzUo;LelwjF#VC zd5d3;N{&y*!C1}Bs=A70J74C_z)pw$p#4UcWFMlnIRC~!EZFn$*HQESr4vh}2-Il= zQ`O;j+3!ciOzSL{#WSu4$0b4g$}i5`-hx|T2PmqZ&dI1Qf1l{I4D*YNUBuYgS^UYq z1*-D+&E?M!>m^V)Zt+vHv!}1!x2YqpgVX*J*(dXP_Gc@o64@8nm&UGOA3JdvVt2L1 zojJP=>J_$-quVri#|Z3|gncnBrF^24P-D>C)Y}N<>m3n3v!?EQy@M=6O7ZBO^T+d~ zitVNB*m7Mm3*TD^M7$lGaGmy4+Y8$JX9!6};{C^`2gdG$oy;OW z8(zS1sKx-}_=VS!VEa~-53g@pn)4d++|2>RC>exa7~N?S#xs>1((@$1miLI{PQ7f& ztDW<17(Z&7>C;K>EcVrBhE2~2vtG+D5AD>Ak~m-x3v@ToluvG8NOKO9H!vO&Ty}t3 z%j3FxabIP7wQqIBnZ_h4^y`_BgSy#82Eye%ii|}K3${EkWH2rGhqKmCPV9RHlDxz# z?D`v~{ikuMF&;nt_q&3fDO>Q7V*O<_MqQj}TzH$qhXUJU>zXr1Od-GG$G#lqi)`cC z3)}jKvf`dX=*9TWw52Qcq2(mPN1ks$d z9<|9I|85D>D}qrWVja>+$838NU3_~;HdAdN)TOZ|m6g$kIk&C_?GkpOYsx?RUe_0STvTH`+j_HC-983vGL#?1r<_MBtp@3e z=0I|}Gf0VM5StE}E_nZWbsp;i^x0?#%6_zhb8BMZD?^=R>WOVw-Evy$34{i$=6{Vo z&}dN6h|f_)Z?-4_>+5y>CCk~=QkGjB3Vgt&=65}mo&Nr{u^FQTq?&Dc@66I}=FrgHE>;=;dXGCo!1|801Ji?0b!RMC6ir`uwDakV6)TcvGf-4~U5lC`e`dr$Qnn@rl?oiRvWesZncZ2ApuR2r5X zvXj}wlUi(KwS*^X!GhE~E9?>$%W+rT4x;PliTfsaQ>D9^rPjOz{gmx&-x39Esf5-aJ2Sd5xk6NvET{@wNsxMu;RzPOnziQ@>xS=}WF8 znJ)sB3!U?5FOr-+z=XA?ERMSD_VrF@9H-9flsFa~t*vL~8SkIz+|00V zzg5MTM9wX>DHv~F&vnSpVpFg#W}QrHL7Lw_EBn33YDEBXpXUYS1|^Buf<@tH!6<|^tK&4(AEx|U)jdip8I zz#^|67m+_zrOpwYaMgAx1cWt62G^%Tlxy}55Q~10p9hi#5fIcWiM_Md)y!CLaXG`H z-u*%Lncs9{J|}zzH0-2{?$<6YI*Ud}UcZeEyrVHGJO7lOSpLt}wMIqq4T?5Lr)&y( z>9$oX?jVB!QhRJ@pI*8@MTcZbfyu5#>l;mE^NKy5!I9i&{f8piy#9}-x{JopD21)~ zLof(?cPmeKk!OE!Qha>YW@W;>p*pja`PE>RaqS|5CiR_Gi`jJX8%etB!|T32_#Gi7=|A7m zHTF_1i{-nR4P7v~gcmzf7T;vqnoBA&bQu2Hv592pGDY;rx zF^M|%mtSx(8|LFTM8A5m;ik6ij<+2;3xC^_Uy_h_WO6Hyn4*3o{+Do&ixIME9O`^R z%DiC_`0ker$=-?^_tPiCZG%1ED#J4jKnu4h(K z@y!mcwM@3w4^EIJubNes$NGCK8Sa+PBs@Pq5<)8-Hu{(9Nfx7Oap_}?@^yDgsOXx@ ze@LPsug{+>g(YO+9YULvDH1hp^~X@xqh{y~3|?=f_WK~^$=)E3t5EVt#`F1)<+gs( z#^aE#25X4Jd9`fUpO)=7(*reGZ%@(8T|aF6DlCG7Ll_ve&pr4fwO102^VfrkPYmuK ziW6n>?I%~}R6c2%c|UoTh{zOhFTzAyoHTU%SBVY<0r*<|rGE20mu+Sr5z!&J+EW0) z5|LK_-vqKDObZ>`9sN-lAt|@5szZ9<-op|m(lzRZsp>&j42vH|2spK6cx{dL#D3f3 zZ-It!)+i~<3@5594eu`ymsRE&SBQu*P2i`q3$=r_Vc|D`pG2gR&To{v(*PH!3*Mh&+I{6`Gq-dw>_IF zM-@6Mm;|n6>Q~h$KAJVqAtfUE5jct?DubqaO)KZ@Y>h6h@5-L<>&_OaetVeQotqnt zd|Xb?0JJexoa zabQFjvdmT%s(DK6d1)Siz3n_b!G1sFXP0#k!~`k@RJTR$)I#1l(Mm7wzWhAClOA9q ztWG8xey7iFZU#<`AB^P0Xb+I&0i9>$=AHc~Eh#QfLrq#$RhdFapS~eq9QlyiBM%o{ z|IycjZGm?@Vu)&C@Y9JfPnF+Bc!r)^OK~%TL~X z%U9>mA3+);_v-#a769<}#Vd{Hn^Zeynj z$%%=`pJVXctbzC2)$-n(G*^FKnRDnREDg}ZEr0(el7`0;LIqlWn$7KAH2zD}g0|`c ztx?IwM_)&+?{PdWuzuZ|5ZI?FJb9H*fIj6LHcMU6-Tp1WG=Ip{)e-N{G+B{zeZw1B zo^v14PUx39gLnPFH$^>3A2wzS=a4ltOWYXg%_FA+R!Ie-T1swnc4{3$@0r!<(;Sgj z9}ME${rKfK=}Sw+*D)hLQ#a~}W@%S44ND<^Dj%jU#xYUOdpBqb`24;XW$O67wiKKy zF})vE4Lr8Fi#;rOqVC(M>~L9-bp^dkGd@3H+am+&%h+f-GeLhEHC(!H-J>qFuM~hv zd(zWM&c7ATl$cv)GEr9?PSO9I13f=6zzDhQ$xI22TVO_f`jy+K`Ml`5vGfQdwP2_I zJHpr+m<0Bm7Ra6#;YAeAc|r~XUnqsGvYfA};Lfo@kmkKK?7yqy$N^X#o*yRu?aT~S z$yz1FJTBm5-@cV#bPhk)lGtUGJCz%xzx3`y|0Rn!70;VoU`{hwj)=AE)= z_#ej9zea87y!>1d0k4&oq$KD9KhEFXp(GryTp={%Di{3MaQ#DQpNRCD-GB2^8pRM{ zz1}CRK+K{^?D|i)qBVlH;F)Y@|AyacRo{wG(_y;VjUl&>ogOji916foWsaSWr(Ii~ zdiTr2z9=p0Kd&zdyKmrBgZa_$tVO>h{wqcI4SDz@XD>DcnhW!90rfa8Y@0s2#~4FS z?bh9IKvmt|9v*|~?HU=0@$2h;CdFB`cy-+rysTjV%FoqEE5%JHCT8e6U=~s^v7hN{ z*^-+}Kab#m?gcYVr4g0=3gz#5XN9(m=OKNqC{!t&Tw$hU1ez*n9!t8_z8{;kf4IIK z`zL}a_ToFtvXpO?O-8^n>?519XYY~V!6eX~saiAgA&D)@h&;fQyn-D?)U4}FxBo76 ze5c^H_o=cz3-szfpC(k8hh#ds-=QA`+#*NqEg;A9QMEhwW=tBSR=PTycVHu7N!+B> zO+Lo^10%w#L73@M;I#>YF!Vl+jG6Jjtdw=?zb-r0Au6^f1qRh?o8IN9evEB+-{{#Z zg?-z)rW6Vk4GuS>8sc8*>3a5Exs3-CZ92o#_)3P0ew_ZA1Kmf}KDv8Kun%&?WLeRY6I zl3=D?kMM&*V41z-!LBUDu;ni*%wN*enI&_P5_d8$*E23uWlpCDd)laE9c2mw?@Rd( zQ4;jDxp}1jr0~E-=ya6K$#a>DWde>y}h_`M4&!1eE;PvLC3N~ z&epl~4hCI#h{JGJCXCQohD?Y*Mg(@UUSRJ8ylQeP0l02X+)AoTPhIl?-)zCb3~i>@ zbO&9_v668*Fs4Hmo$ATMn$2HKN>TqUU>_xYm?U-lJEXFv z#`?6{z~pLm^K59d`9DDWQxsIv`_bLGn4tusGDPT@&kS&q$U9^pTOzhr(d6nrHt5p- z?<)0u-f4Y-xT9tOYod>t| z#ulwM?2UbvV_$=p<8Np$r8E_u zAYbj0@*z0mrT+#s8+5sJ<$-0258*Jc3`% z^QtN#-p;}OK{(n{wC&X?T@Gj+yZM8ymWLTgiC>S_vW}Z>$}!H*m{f+Fco%1{FFoEJvUnU zGQfDb1B;2x2CH8z%-jzPbq4-{BP!jAO>A!8q8jJDi;ya5KwLvivXkd8R246TXHAar z{Cw(Wyb`9A&#kjA0<*S~4_(zRd14#{JI2zdVR`~lw&M>CZ4Xs^zzlaDND&hSpDIpX zUxR{*pLkoc>&aAD8q1Js_>NmR$(6rXyJf(SZwnw7bVsYZ&r%}H{LDi#`V3hNC!J&^ z9&s8d>a)p!p2)BMaeAU zb-e3c$%hRiKlga>`o30q?q_!Mu3JT``gf5WE!-~7A|f4af|rw7ZW%%PBzmA5V1Kxp zrk#>ntjxnz!?DlLTAgd|kkfF4&=n1xOzsIv9a#30ub+*4pi^Y^#llfz4wDdOjD>Mw z?}ZkzZu~=-gB(lnt&+>Jg<5Mq!fQHjPj|JN(masIVa?5iL_<H9rEfiqnv5$bJcC#vK4BH^Dq)bG)v9o%qYFPc%$@dr)e(mKp&=mNkON)402#%2Rg7tY-ZZJ z`2LrQiq^F^CSqqNO$L_p3kiZ_w?>>^oavjOR)5(u$sxKnxr1mCO^?J1Yted7?GwCKI82WIEn|9AzgtB5wt{J{Cls_nUYR#GbFYO}KO z1R^*oq5 z(qzj;O#t8oIR2X9>cay>kQplQ)CqsQ6y?N1XbUNGvc`&U2L(QaoX$)-W=uePwPC0G z<57r~i-rJvFC?Lp*}w0Q;FXNE>!j#zlE45@GV6UMYhr>3130fh4l0@BOsV}L#rz}_ zh}F~p6;L+#Tw82ngVAt}{JQM%Z{pGUfdpHK%GK)Hni_U&^JzIg_@vD(RT8Ll>z#Ab zctqt11pd>!(ILIpi}x>SJ(Zv3e?)MghphiI=L^KFEl`*t+a&M%Q~r>p zaPB*kUs9cV{RsdrXu~m>-?=CB7duSK#{coRhxF<+Y(a1z9Y-nt806FgE1(dOfi1CT zso_bkATK9JqLt0#yT#U{aWD0FcBB7fe>UX1tjMDq9Ys};(^(0d{KI8sU9H9AxiFQK zJNA@rQ&=&zGR6U0pT7V#ru9;J$@jAA;VUS0I@bVue5h?yV8PWC056L?B9tWkb zu#S=yMt?=U7_DIEv6*Y9WYX6$#4(>xkqg>#J>3SfaY*8ywxwT^n{`2Q`2_A0`5UDa)Mo5|-9P5{j*mgVOD z$D*RhA+TxO^w;$ztwH~XJo5Nzr|EKIVt`2mmyb{1iJXe=ZtCh zz_H3<)i$O{)njL1W$CPQP&RPQTUT^=tKCn4o4EflSmoR*vtqf}zB~y$FGwhk4pWjyW;l}gei-MpNPW+awEDvCJD)5;n zZacr_CGP@vx%wP!n~gp#VYHDY7!ts)pf@3x4NNmKP835YihLkYuVKrHK5Tzj#R)>_ z;(_x*GoS1weh|If9qZ&&>I4lA#MDeKuNP$G*AS#9rrmDNjILCdX0C;ki8_KsG6|lr zW`vymp|gkm#j@uB7)}T}pA3pez%kHTZDBFhlxZfdEJrffN z1SCr~bmGhi6aZ>B7bBRe|FDP63_1(;ge5seArZczF+&NIY`Hwgk`dV7l*kEc=p@n= zGgM1!x7`F7)ZqE-sDm3;tj97&hU$CTNSoE;AI{FvyMa4 zk&l%2P{ZrjqRij=#SHo_&2G!>__=_Crd^Lt+h; zY4vubk>|9p{}T8f0F&_dAoQ4-FGdm_eWd>bG}eqyg6U}B0BB^mw(y4rPtH`G5!90a zd-cv1XhrWE`4vC4>ph@9qfsgj$agw!NJSzZ1LlY$ZY`kGvns88$|1OFIwtRxq{sU<|zg4ddy<{JRo`ubVkIWDW1i z8U|q<`1%qJ^ezn{@iZdyMQ<2veXGm-vMpsubQYuWPbAgOlK zxuZ$zgMI0!KA3Eh0>td;_NR#poyknlBjy1XOudTjM#fWfKT`pnNM>!umdw*H z{nE{Lca9Gy_1XS~pG9GC*Ne}L9|7gJ8A-R-OV*6HY9_(4EX6|Il5*Y0%w#B6pI3GOF;ISG>V6Waa z059AJm~Nj2VOcfGi>+)I(XJ6}iOkuK;w%A1cqaTOTIi{*9Yx@!?x%-Nvjq6G_8D?{ zGKm9BLCU|2aRvY|Ua(V49eOEBwiZrk>+obPCu$iWuI~ddP)HTr7{S-_Y;Dv~w)x^@ z6Nd%`88Q2B3H(corRQ;`kMAx6_QY|P*(D0EoNry9$4b1=+r0I0KafNt;s?%v3C|E(=U|}HEvk`Pa5`rm) z@lSsH%UQQbof`i&y;1*HruYAWoRW}vvj0$(W%~m09oApDMgX7lcOH zkU!#HOPz3+4qWyqFGAl2YXOhn7dl3kL4BJurJ!`HDbCJCleTr`~o&v0XFKv1}Es%y$%*w;WLVI-4U5kT_Cnpf5 z7%?%KtyQ{vF%kCDMpiNR))D}curaPY-Wq<2AEk9p1RAqY2n~qKx(DXT7N=HzZgfj| zLKY={Tum3K_n(PHBDiUcygKxi^}L4@n7oY31%Rh?B~ASK)b3up;UJ|X1Cpc+VCjP}2 zi$1*U@3-uhv+Mu-QR=4E5fsfGO`T-etoh^sttS z6khcuCK3Z(5qia#in4u@HMLJh_I{@Zb}-|*=^{T7BG3K7Ut3*4WZ337aw7pL80l!N z$vIa^&^L=EAjDWtLMY#?RIvf(z$O-o@9U*b*Sw_F-} zIfWehbb!mMU&2v4p8V{|nG+4)rgn4F5F;eIxNiBAZgU-qODHYK@bkqK zd0nw8SogyWd(m$u;DIH!X6cXPzi(Ie=b-7X4ky_laEImtxrNClau$^;cnsO)Rf6p6 zko}HeWL@QeP~iWby_We-5rBAstSzVW*yVvVN!;neC0GU^VSn|=`HjUemINTC(?gIW z!y#wc`}_M-4>4W~q-*2j`uLr;DD;mv#5f? z)P!~KdKcn-C<4hLEgdy713W@S6rh#*pnY0S%K|n{7AoP!*ydY9P$(2|3O?wpFy_A| zzXB4lKTL|79+Y_;bZ8r7b6PzCpFArDEcIHB_6@?|oQ^3{oqr2BUR3#4oScBuWdiALdazWB&*0gtxG1!I=LATjKo)ntC=}_k#((`th}Ienv5P5~GLm1UeD!DJ}n8a(4N>O-~O?`{Q+-N9Ug>Bhoe+e5n-~4ex~O}wyR6XjPCIkyd)l0CdS9; zymE99Brw>&z%JNwIkJld8Vyz!aQzKg_M+jY3z`NgE}S+849bMw!FDqqC}glQU86IU zWH51ha_)i){d!9#F;EJ&md{(eNMtcf8KkKN$2Q`|+iE43cMMy279T@Ve#Mg^OB@1Cw!P%@HbAlDiAO7>z-Z(S*`XQkD$atFwnjek?sla$OlN zn^q({;E?c~(IH{Fb-5C8r1#-g)Mc?L#pLI?dajnU)~cU7idf#>g|q&K{pq8j(SX$m zhP-<|fh97t7UEl+a}uHu!$l*~my+{XI5t+zp)R{1k>uvPD;S(;%TB;jQ?biyL8=dY)jZ zIN#Rlo2lRko3kOh@kRO9NbPkw2FkP`Zn#8|@_tY3&!=JN673DSAl9dHkH@*7VMtd- zx94}X6FS7t#tSs*yEiC5^-&!imJ|UpNk*pFB$`Pi10FHJ0lX=W#8)JC(w#q`zO_N% zt9h03>nw_b1xt2k=ktX zo?l?6mwHTZ672Nod7|5`Ca>flCab^Y!p!{rpI(akEZ&LZQ)TAc`GOYjsO@blQA4nGCO0>%R2w6uN8$~y1bjy*09+YCV(S_x#;IhDii2m_Z z_X04FYs3$z8pGKGCa&%sCQ+|RpPrF2F5+qXk}B-ZjyhWJ+iOxw)%S;<58#R#|;LJdX?@4e+qM@`uwqOYvjWQzP8A7-1qc} zL9PX0EHUHLv}@@WFxWxmoRrtI$ooZ?b|=nEe3ojU?YX%2N)|c+x(+0D@oY`mc%Gbt zVj;SwHPocUsp8Bh$N}uK5g+o;#`ukeZ*=qw*mDikE1rmjn@APR`!MUe5+OPY6xpP( zN?ViIocFa>I+~NZF8@b&lhhGM32B%c&p_M(fIV|rd04pXtX4xzWrirrFT-xj6a2ni zP9&Zp@pWS*XO5xi7sCrZ z*<9-{dXJC zR|GL-ia?XLR3xzLbCZ-uX2F5K-;geE&ucpoqI8F>X-CWfJ6C4Mje$!t0msn+CtL)= zWiC4k!)jkFYdac3=Y6i6kVB5&0)lWHL3-M##VYPK8MrU?@7`Bn&Sx07XB z2B>pN8_;hRVQX1~DTEfSb+hg?qhBbSvE-V)nq{jddVWt@9z#&#VcD^2Y+?D}WpDoNt%_ zPaN!gu+tXg=&bK^ykp_i8Hp(1rh(vhM#^XY>f)8g6fQqwlA6Or%ZxSWi#? zX?j39^Ls5v%=0cS8`!@|J$c>lFuH?)1f8!Ws6H~b_Gxw>b1XjlQZqnd#U|8yKN*<1 z22~Tar=GnYIXk86i>m`^v4&t+`(cq*STzB?CL~yO2U(r4NlH8(<&NDZSs^m_9`(ks zeC!@tuyR&lnph)FeIZMbVWw=2nKQkds`zK^?xw^2q@*tjG6Ee=<4j`FU!Oaa@_u0F zV2{1i&4>MRjewKkS?DV#zki14L(?~hmt=Q-5Z9J8MD%CF4J?giLv)DE%3q)!F<}Z! z-jH?z+|lpFb^V~d7xQ^sv%7S3)^jZ7jXZ*WfP$_#dhe?Nf_Ip2WyyiT&)DxcsNS(x z`=${+)BVKu-xQnLDx;$}LrY-uFh=jCqq_(EU);P$`XKuW*2tD{{O8dPtj>`%V}G4k z|4bV&8pf}w<~sNvvQoRnORJbrf7biZzrg^}wS2-!T@0<}Ek#$tR8OpLB*!g}EDn`~ z%oJLkp4s!Na>U1aP6yD837=quFP5h1lXWwGjuC_KUb84qTz9>>1dwp_Wqs{O#y}q1 z5|#D}y9omIJ!@sfjE~5OWiJ%OXU!I`UPAn~hd3$!SERZQe7`ICZH;xes+v}4Z|S&y zLV^m@7&~v2Zt{>)7+JC&>FxJh0m4>d zd>oy~YfMdn{bS1ne&HnWK4CmA)HzXcwE8B;k*>BPji3$j))xoSsW1Y?^~m2TO6o*JrQ z5cf=$oI7)Nx!<`M?<8KV^{KgJz#Ay~2mGZ@^8Kz9icd##>kDgsWYR94JbgGnQLU1a z5syRD_zi~ks=-4O((?c-P?&?c(f}l_*L!Um#CH;QWvI+tpXYW`@GP|UIJ&E3D@CU? zZ{?sSp+-t_@tR|7WF~NXZ<|+??ezso#(0kygPn~L%$Cbj7NImRsV*N4*s8M01HPe^ z))of&#}kF(6V-nbxJp%eWs0l!6Cf3KSHC(v6u}zFP>iD^Mgn$3%4TRr$%;k<%NGj3 zQwN}!&stUc(2L_I(w(4GLb)8tbJ}Uj@w}fD0d}OTaKgw8!7OcN%%hI2j7b4)5D=y zL6ae{$ueZt@7b-U)sd`5o6>GiiKef0sx5WR!Bxii(EL!dTM*%UeuEvoY7nbJY`~uu z@U*hJ7{Kd3STj zG5qIuGVlVi0XiHfO%H5UxEpEG8GbRJ8%6FFL--K!2lvJo;aF}i7#gR&>XQGLf#*!_7ig}f)g z+vcwaXqG~QQmmk+owsL`mnRVRcs2cc(*4`IwLpd?At2D})4a!YsTFP*p+Z=3?;wq!zda)Sz}%d@JMl#mx@F1vm*I|aN6MDy?dhjx{jceXt9{jc)U z&f6VlFcBR#QIf9tpffJF zDPXhS%zkFB2Uj<*rdsP^iG!2z^--PIP1(GWQED>coI;AF-_`>8H>1VB zo83zoPYkp6zwM`)Ki(5tWoA*-7o#y@wo6oPtOCuHJ^5{RTKeYG&KV6&!+fiU*wB?g z*MOJpS2L+at*h`IwuAjXdRwR>5hH^|@%Wx@TndI{%ijbypm|zt1gnXhDVWV`!;R>y z3y9rLH1#tsdru@`?*pX4%j2;ZS{LG9OG-jlIgCrMY<>Fkr*v6|(>fP|>9Q3!zb3&Y zD$K#P_?u>}dY*hJEA#A-QS@1zkkqDbXUM3av~=Oc0rOJ0x1mc|e68$>p1Yl|+sh6N z^g3y0JC^CQm^2fEb3snNcnaT#yOn|r4(}%l8qSYczVah;wplb(A})^_8uyh^QX?r5 z<+^d3__w)$Xy`4)wW|OwPlT(sE#TL!XGiJ4bsdBd>GcZu%9d>f`28WH4P5uMLJ2vz z7rJ?_;d|B<*clfwwO*)F(K~Y}Lp>$y%_kSM-x*Z;$L%BKFvbNo(5-y=)n|hzR%iM! zyUvnROF8Oy_#`{zgF5bed7B<%G!U1@7xW9lW0)e+`FWO~b@Z)Qizk0rWh<)_{HW^T zp!tVdo}w1@JWouoj$Vwl$W)^8+s*u(j-Zp=l$NstogMIisub+2v9l*#ReA0+wC(&| zj@LzRm)ppUF?PrqJD2mdg&T&h#cA8^rCsmLI6KD}iX+9Z2oHX}qT~Ohiqau}H-E6) zLp^4_x5uvVn=;0ptub)KWVJ8QRgb@iWVGza=>1mHe9QWauL%@E=Xy&kBcivkt{G%o zq>Z$hEPiWl_@f25;GJys8U5NXF#?x=a$mI+`a;>Cq4m4*CLwqQ5bfTe=_v8Pdhqmi(>Q0OZKmG+x3r%34BL4ZSIS zCGqlg<|LB))i?Vb;K^c=z1eHyoG6x)KcQ5n2U-Ans8$=3BqGU-=YKS2E9FJSXiDLd z7G4_5Z9!+HIOk)8-n7*_JxZ4InMD(oy;t-sMB{UOmNVLDm@u@G{Hh*tTk|h}$THbP zc6rf#g>9PVGU3n& z^VvcTu*eBn3JU9jZ?2VjxV3CO^6h)4;2q07F(~M?V0(4GjQnbKzT&>r9E$UY77fSdNRX zIT`0StycY1dX}HtX6yZfr2B*?QQUeM-21P5nh@sgKdg)t^pd4`vU9 zzUNywfh!kdB5SciZ?-3fiOz@Um=jgdPIxnFYkHRRZKirY$QO|3lb5NDH{NahlyV>z z5qroOIG=3jIx(iXiEO;HrfY=i;1LyGG8?kcg66R&_6R@aKHBK>#CW^Dx$$C@TJQ;b z4CIylAJl-D6*}g*yRW&w>_(>dr>dF_9EL=>$}h^9KcA*M(rK{!q5O#C7g@BR|`miRb3ewUZ>?ZwK9-Objs z(kB%jnwJ3=deFcFYB`^^fZ$MKIAhjJBbFswW59hjC?$@`<-9FoWQ=!&gzf;E@sN_; z-&p1Se{*yHU)?|Q)K&Z2prn;L?ZEx`D%h-1@0fnQ$i+Jh(NOh&+b8Dj@?#Pz)QJzH z0Cz}Gi{pf6YDi-etq;%^7A#c4w$R1T_nmw_ja#*trrzXJ8mPx48ltTujo-kts;d}cJa(gzsCu&L=TtrWDNK3so|*Rm7MG2= zF5#dnn(7j8I2WMOzMb{~2>O`S^|1n0+W7ix<=ZRsR_b#;_6|%n+I8w-=#i6JHV+_A zJ+DB&NjVrUAYmQ^dG=itG_9Z}xbe@^r`r(}-6Y7L$!2=H402F*D;=iX4v#ADRhrnW zWOn29V9}2h5vpqLl^Sn>b|Iu|HR!Jrrm{ue>o31$(Hr3u4`!-wMQZo%A7|bQjeO-b z-T6Bc9#@mE6iR|HinaHUXnZg|JmLw2Kl9u=$uQrke);8TmyvF+^lqn-Fo4Ql=}$2A zRx{|c7{H~uQ)_MVAr28G^%wDFN3tg^B^qG|H2!+$=aKv*-`d7?vhjcblKw=CDa{EQd9S{wtRm~hP?5!t*WL<{J;u@ejFTDGI}hhL|uc6jc> zOzC{>u>KFuk4G6Zbf!DMYB=VyUU^`8Cq}g>-V=-%t3~&J9XZU;>166ZRPA7?1M%d1 zo#|+%12XTsI&ARi>X@k!#=Mv)jSMSLsP`|2g2~m4^ocfQ%z$JibJ4-evxCPRow06Q z%Lr1*xh{E+oC8ob>JmGc%bicH%?wJbzuKVZ=4Rj?6B8S#{&F6Rq^z)?PD`GROJ@r+oDy@|h!Pen19xmMVIB5f_1%>{n9k-0sRbDUBPG}+%% zG^tWEdVjaWvFYOd0ycN%%ju|5EZWpGrgM5P`*e9EFudgGMQ0lKW53N$21ovoCVsqv zTF03lJ!6ajjnp2BZs9RflmiK0QB^(uT%K%TC$0Lq@CQ?x0pH@$5b5mCpT*+-XlMm! zLg%%-T;w|06{hMa;_5maUDI9{<)=#U7UTRDcJ)O2%fqyq+?~nSDnDjTaDm^1$De`^Xt{ zL+y5uQ3oX=LNswc*P<|U#Df|oX%q?vN9{kHXBXJ-uf)Yj%tV^TWo|ynDfph<)X=kI zCehb^bJ5<>(Qhz3T(E@l15`kAc`M+bF(kR<_xXPgge=Fi^IzCw|uG*EK6usS2-40H(fXI%}>{W>}Q6V0f~02LuYbMVvna^ z`ir<*>a1{xz8$qj*Eq;Qr5_UOKEl6`=h(&sC>rp8WD6tpK32~_9Z5fJFP;E-ynIGG&UI%-ptCURbO_q^*<%188q#$?exb8g_vEzd`j z&xmUNYkw=Z#B$ri8X6T6?z|a@MH*~2XZ~X4tJkwhtxM)jO^|Ta!f!f;kIm9e>NkU~ z&t$gAqRWyX_oPe;yr;y*=RmYqKRjuPocM(x->Yhk_k_-`olG5S*)KJZ?GLVMV}2XT zUhzyD04VF4+DWZxPNhtT_Bk=p#*(Nvk-0;;3j1v0Lm+XVA)ADdaP)tQH2*)4)AGOg z!z=&GbzV9^v9W%VR>hQl{OfDqt#(JlI>K(R>gP799MrXjH2;MP>~@g^g;pj!f4*M! zsUeZ=4(i=RJ}EmNy-~3kAkh+iuu~@sbA~zJO&5_qo2&N#_H!bpWNPkOy9K;>Z<{8a zXvO7gl?#&O26B!aKA+2n%@8!;)(oLh&go(KWP`;z`xW!o)82M|^pQPV`4~MQQ)T9F zIvpn;)lfsNQKFOZ%|RLIbmq%ZZP^+)Hw_&~tu|U`5hgg6QVe+7_iK6&dG`1hE1_lG z?pkajqHJF}R(|DL={%}O!*?G7XzZ}MHqP}v@F5xJ`3CDoh7#H4N%s`(hByab1ed=2 zv$i@&L-fl_DsF{8)PiEvl;sBn7CpQZv4Y>eh%6oFvDwUg;f{61E9KmwbU9XzwdNW= zx{1^_DpKbb;yka)8nl#!3h1?3$Y{%OC0l_%6V&}&Fvkd1O{j`vVLxZW#$0F#n zb-$>QQ>E$kP|oTTMUg-|@#O8DP2}V|*;pe=Z-$H0giym~l``vpKI>kj4+H@z*umR% zDp=w&69-c3Cuck4?5M`>ArRcW^X0Qey#HEXnbt-CBD@Q1teTevhyw4IO?vvjNXcLFwzmE z4X}~K0y`JslU6b&(R%q~k1%}Hvsrh=#I}TZfYc-P+3&|d&SqwKjkMg+tro`~A#N5> zuWJ-jcXBzL-^{9DGX&1@iw2MeC?`V}b#9d)#Efn4kL(NoIUg^`Qh&U)ne8)bXRyE5 zzaCe-+9~_|ak=`#`{fu`V~I+N8kwm7t-SLLYU*v*J?dW(X@Vjm2r2>s0@4Kp6a=Jq zkluTfPJn3ZtoZ)-oc+%1Is1Lj%>HuD7ru~T z7SGCB&;4BYb^UI=*#ycD%E8uQKqPRwNXgk=MQ&#-Fj|311h_@`$X{;nV(une!|xqo z2E(gJq*A{7j(+)_~58C_fjr5Fti-=MULWe|>gM6hZd#M8%AlDp!=NmuIxj zAt3UchnORtb&34z`4@oDYz?W>Q@B=$jL&>nx4h+96U+yp^Q)2)oi49gzDB;9+gPA6 z9YVIGx_j}^YhsvzTo~s+ENWfzrBMjQ4c5Be+SjR_uv(^Tw7x`J#)8w$^P?luPH_B8c)<$m?(KikV#|8tA>b)Ct$NE>&e-m?hYf=YdAfSEd zoV_^^8#Kjo^S4tFDVArUji<$w;RTR=^m2d$x{2^1uC*Ae!pbfyI69fa@^bX@OgLOf z|J~2T=hnwun2O2nwiVW6#HzJS+fw2jVJN9(ePtzbGpt1mXtdz;e#tA53d{#=4vW&1 zO7pR}Zg!mr%yv-$+9tP4BlW&|@UixuQy6ejn6s~drJ43-;nSAq9>sTGO6~`nP~L%`a*o(hc06Z$Z_hu2w{Es2BA=8Lt1;%_sEkIql*H zH|H7P5=ovPG~=le_-Xu(HqplO_R`;=g#T6;{dWVv|0JgpT||EzLU)JCW-;^NY3yFGz<$j5>mT2Z4_7O ztvlT_$@fsLy9$11J1qxGQF7=x2HO_Hx)5k@Ey0)$Ne-?90xQ%p%8}Bx-<-F*=qH#g zS{ti!@o~q_nlSH%ttx*p&ZBU;X#y7(Jjtz}X?TY2C{tf_`3UyDi7O~zJL!3!Pc~`~Eu3t9 z{>M6nRSIvNRE}3%d5F+&GZvJ91C6-?t@u8kNGgiAYE!fay8hZeO-jCz4JrePb=>~h zseJ_!K~I6syd$V$3vAdzYI}V#f{q+%de=+Fh9c>A-lB@kyIjQSvEvwJ`w*@7k>c5LE&R0C- zAO=UA**zt=YQmDE_$v76N|eZJqaocb>rWq1^L@y+IAq@9c9A5a@%9~N_>hXPA(W+n zu!#E}P#$rDq+ET0IJeikw%NL6eMhp7`CA&Ud+9{D26JqbHI->y`6>Vg9-4wApu_SXwGHP^OG&aHleU?U8M z;lHisV~kbrKO}BQUq-QW-pv)L*lKD6&*`t+Si`sTn^@i74KE|tlOpZ7`BUSFC5Uco z?0if$pOt#E_3=0rvI05IZDc6IzDkTPRmV|bRVI`Yh6=Vg)5SIxG#0;c5j$Zv1HB#c zOk6fwQ-3v0tk2p{MX_>@G5ho-?Bj_iZYS6O(Gku+!-&3@ikc<|)plVIz_DPHETLtT^``e@=%<2n#zGb`2Q`DwNDCi5IEM+9(WO zyIlsst&Uz3Ve+{|QyW1iI&q~f7&=E5d$c%}zV@o$0ET*D-rVQ-buAvm5N-TwiV0EP z$sr%IZM#yUN#}J&*HOl@7~0eDaFDqwV*K^>&#K&7+VHoG@S?PuFF7uu5VvHwH@sGIN6qC@CSbQ-=sVk6WpMV5%%)ec9?g-_)*&B7yG5A-9}wftK6we?sKH$=P&Sr7b(TN^L1#Ziqs(d|C+K-%S^WtqDIK7cZnvJMm}Bk$S&@s@S{q zA`}~M+I=G9W`6NfrIl%;1@tUNA@UXaCni{0cI5`_KpJPNuX-dGwnf!wdx+f=BUJG z%PRcNc8&HxJw1VW^%d$b%hs2y`%kz_>%ZWA43nm-5)Un2ODh#c^rsk>_7N5{P3J&m zeQuOSf{gFAFzNLdRE~;zLlh9KVDowq#&DL;;41Ut*vFliLG%&q%cQujlyqtrDXDF` zRsaW+L{`FKS7BKRwRxZL{*b9RU+DokuaIk{2^Y24DhZQ4Jvd1l%&H6$9;by&evr}Q zO+)3$pJW>XuPB=ZrbR5vq^>#24ip0+f$B*Zv<8`U+8ec46ln&h-?#};B$LPyHVpgmW+^6(OBVi5Vtil9?PAXh2k!8Slm_r!f7jo zVcxg|)i%!1rKvd`FS7Iz%AvhFcM&5g2;cTB@t$mM;4r>M8w7Q|>#9*##d_Qn;)tA- zu!SiWCx0CjDHwupu4wf1mpL#9N~&O92eH-;Y`P{plj&EM!L{4J4IM2&*G-_raN`ap z0_$5<>$V$`<13#(Pbiwl%z{pATW52fgG<-X++BV2M7E?1M73O&+wGjvr&q&3Iq=h& z{4{j)wXO7n+?XrtS??^o1AP_s(jN6s85(FbM{_dRyXWH7?ni>?$z2YM)Z}X(Y!)LW z81rM_3y#rebbUY>C|U|=74kz0%TOSRp607S7srZMzS!_D0EcJ#M6%vV)Vfs-<5hTEYW%I$;(6*9eplzq0RuLo|X6JsQ~pH zZDG?%+a&uq@cQ*OUT{NGFec(!)^Aat$i-4naLDmOUoGkSE9>3Td7g1+N|ROB#vvE+ zgboU9^>h{BA}QS%wJ_4D;_Eym|w3_6An+c(r^BkKT^>S#^$r2Sr0 z_^Msdg<6@lO90P{7H|fRSeR&C0t{IsTaeO#6p7D&!B=>?5BfxpX z(doYwUkY^WjSN3Z36x~ychl2jlHIUIF;8MLrU*T5uQ+>Ov?eiYaHje z|F`1uM%oELEWrkwobxpO@EgDP4~eM>ED}zv0Lej(LDC%Se+*<@eQ8BEzA#LPa`dZ_ z5hb>00QAK2%&*dM&{NX?l$6=;n-BIaukUT9gzr06;u-h6OJw~H8y?HI)w{Y=QXd$- zK}<$RDu`^;fzM`Y{Z-e`RD7Wa0u|XwK#A|xun=#GXDF;luVS3~JlL}~QVP4398Az4 zhdF>z;R0fcm;)2;#G&OeN8`Ol_{vgnM{bs{@PZS;?ooCjjY;8BR8*XU&XD%e0+7W2 z+P{8hT`yp(s(Y(ub(|&mZ(W62-^K0+9sya)YB|_%glwkj*}x}Q<^#mX-EfhPrz2PE zE3(KD^Xc=A5Yyya%+liJ*ciCk;aUIMAj|nI!hE;BVqT)Ci+VU#I(qDx-(1|JZsoR3 z7k9Sl>!aE;&~eTk%hVOR&AN&b0>jy4WRb%fo8OD*Un4@B=S0tHlRDbXs-74wU=q_> zahJbUxAjW(3H0j=?t-9CN_uVdeYy_rsu>9h;8G)TKp4>mdZnz&-!W0u%q>^d6;*h9 z<1+y|n1BwiRsseT_u)gr^64EiBPDmOSW{x#z?hvkf%j(=rOD?HelK=yaO|9W7uAV9 zliy^G*AuLYhZ8u#A)7#RId2uo!k0{yq?zAoJZxq?LwL4g?W3UDvbY;Z)N|xSL?&pp zP=L4al_L9LUNH#q;ofP6DXPr4IT@CoBeFG5j550_&%;EOgC4>ds(xcRd6l5KScBb zH}6@F`$zHb2RM0YZ52c$*ihe6pw@X+=gF--gAfmL$>7Uii=0;H{k*NAyJ(v23I?CS zfF$ZzTq)a<)4nM1M662zCveGjzJ91ted#mPq(x>4E#*U49oJ2~jq~Sm`myl8?rW0{ zgjg%&CUdWoKen{TvFPtmu zcz>;Z@jxdyG>Z2hS3_j-0m@-;Av&BnSmNMa%qx|?*{~^Ez!lJ%LeFb8!jr+E7|vVG zsB@v2Z|S_vOokmnmJm@SYHi7TsvJo+8a+Zw)sL6y^aE0bq}h{cn`bE>M0s#}j)u4( zRShK10>cLR>I-nhhaEXz-4xpQJ5F0xUM5{hZQEKI>d-dLE{~7f0 z_q1J`^57ktw#R(xd97qb`NRQ$gGe9DdhR9%A0?}vrSuVF`pJA|N!XA=nXg8Axg_B zb+yl(q|Y|gR}%G2`K6I2*km$*P(_r%Ze+Fo;l)k4?N`vnL~JJ(ZU5B<2B=ium{D~k zSR`z4BB-!g53u}^d`$<$PQaQ+a?&f+98C;XkC^`7ZG{p9wzfY2OyF<4{pCxfVAfz4 zi-;Tm64Hb>z|a2yv-%&hB-M0$xS+y{^SlpAz+2ZfTG|58m0ha-)`rrTjoR25NS@uL z8WFW#?cr>+ZoWh0pC?Babo*Q+F>Uu~5_$Umt_|r{EiQ%mU<4vY(Rv*^ie8>Ev^mwd(Rvlzmkun~(Eo z)ZO5*ztuYB@sGpY85i$}dBudJgAA2ddh!R|ZCCKAJnjn*-TLsNy&}&J!s~k(;`Yra zU1EJ}=f>{~9|jgE2rf2Gpq=WvpP$SI)6;ZCSU+ZqH*(#Rf5=}V^4dj8=089!<5}iX zW-oRpCFoKyA9_F6SL%+Fz6s{;^M4WE^korhDI?GR6T84HYY{+EOY6HhLUdO=eH6N? z>4*?+YcB*0@PQg#*sD!1t)F-au{cPM6s2A%LQp0KNlEb_H(>=E7?hQS3GThnwU?_! zY8aLO&3=)ed{cZNTy%rnfPoU`m~wB-sxekV?j;x8O09Us z{mHfQ8fA^3MUwCIseWLVmUdutYn3S00oT}$q#Ewuuim(9u3$OFQsE4LPdS*NwAqGM z9W1N&0pqgylIrf$p{bjr@ez@QdBV+<4R3Nhni-~D!_6>#0Tt#FPRs>oFZaRy^{TWF>W8BMKQLBDlRbZ>P<;I~K^J2*@$?SVo|6 z6`^)A)Y}oEA94dY5BiOyRkQaq{Ghb>`UeX2pvJPYbZps71VE*s68%dESRubE=VpVJ zIjxiTQH#$FjzSb3zKy7>@ejDAzgHstG7$^Yn-P)Z>He~aI?gp7rtdS{#}L0I zV+87voM;$m>N(SR9+XE}&81TQ^jF9G>946S3C!%A40{zlg6;64Us|-zYaan8QKI zOIq6=9a)Lbi7}sajpUUXyK~a@5xKC{byH~Ri+ef)@~mT)KTPhoSfGwYILje}?rLM- z1N?o-Im<8y5%zMD4?oEmuUq}*Hn%t3!Uh+f z&aVCN!06MQ0RbgJjg2c--=&n3kzp`A&^7iE&}`j>6|a%~ zA=DAN@NS~&*2}Gihi6xq5nw7&Kb`NuOD+4PG)%VQa1`n9&j=Bz(lw-bpn!(jijWXE zOGa4j8Fpee5d_C}=*5=c+wi9QVV`G<)*FO|e%`NNGuYUQVL* z94MY(?2y-JO@#YV1JQ$H`-5^Q=6aXs!hqico2?Yv?8{N~TB9q+$TppCp*RG~U&(r4 zLg{5${rEGxTAJ&*PGWf+ie5A&I*(^91=lUi$h2Kz8{(+3w34VG)LHl7FQl&a2>m7q z_jZ17tZSMaF<}^uK!Qf^*q$AOguhIvEBG@mX!Xh?+!LGj8cpyCS!tKFW9?Ey-+jEq zSdo}}YI(C}_AH70?yhHzK=UYvEzO2rQ8awHGmCe8f8nXu$I6DMjAG%h)wcgqDta_= zg3*3Y;?w2olvl6G4e1vq#pZbHvQ_Lt9W|;o-6f-bCObcJ+B4uhw7C?6etWe>{c2)o zY7*97*^lE0edbk8xAzTyd#d~&ng#5RNqiz>ox)usZgR(h^!Rs4=U!#d6G~nw#h&Gi zmZw8mF(1cYVUm7)+CQS-7%Yv3&FCGT&hS)pEar-LxYmh4oSTj#4oW_`;CRznOti+5 zOM<91wbgHD#fb9sCK!$kcA*lA{h*|UbS=Yt)MTx0!njpW#(@ip-?NUj`<?-Fw~UwhFb zy9qO~eLGV82WE!bY9EaaeSS)vs`$H!4+T zO0l0|FxB(H17Vg{B7APG93Bm8+;x#|D)DAwkE?^U*8*}Ojy~i*e6~`z^d;F2(wjJYDt=#`73f&d#5rADlD&0TX_gSEpFiI9%6=G zUD3`tB4g&GR*t88FBT}r!{J;@>QknDH8D6o3U$?+Z_Z(}95gRoC#nenI7*~Pw7=zm;EDp(oJ8mc@Lh^e&w(n{xl&nFD5NX?wU%$uDGGU{EuS=ZYRF6h7Jty(5C5~03&;XS)6Y_m7Y?NfDDn;@UympiNW6ceF~{KZ@i=TaqfETAq> z7K2U9pH1++V|-W-+le>UI?udDbtR^68s1`C>5r(HlmVCKb~e=b@tB^UAP)=2yqFop-x+BM6(t1N7T zrQiMB)8@cED~Y~kG4h9l7|N`GsXf6x43mZJ3}5h5Yte)TS`DwqEqXTD9@*!^{G1ly z0HP(H(lci!4YgLd>w#ZaDV8@3$L-m%NqeiEUW-Hg z!BOM0r=^qmSdKoNiU7z)sL}9;(++_7J+;7I&?+z1m9IF``&DnInK4oe5=i9yZjQQ4 z(xge46K9#_MB$0^MoJOfUD4U=ZzMEUs2C&#o@A7Ho`~^fBnMcYCY71CFmRF@+%`=# zvbj72ObB}B@sJ4)`J{~@H5Xt0CfO+kxL>A(#c$_`-0kb%u+f7`Kf@YI{j0M*{=;E; z0_?4C%fErYVj$iu_T!T=C(m#E155kwX&ECzapx?b={`2cOEvBgMG!?fwU^~G<{|$J DpPdL^ literal 30301 zcmdRVXH-*Nw=P9MMLwaUB&r z%EZLPWoU5SoQa7A0(_zlvjZ*V9@N9YA7)?kTUVLNdxRH&FNa+9P4t6@j8RGe6+|uA_ zEsFrDxigR9?NFGIk)cV1$iUrFxre62cW7Rh=buMjCTDG}?C)gb&hf}3y_Yc8Ny|%^ z8u%le%g~CjpI=vx$*l`PUL4|pQp6Z*Vk}HdkwvXeUl*gyK2j!2l)hF{gmx$x#qnFf zjDl>84L}5sDaQ7^GoBM@Fw5$6Iiw79IespmnThH7F=j3%rn63mfrVl^cTJC#iRrKa ziy#w|UdQoXpy_IKB(QjwN^x}Sa0)K3KAx^ao6qYw9<_Pn;Mz0M(N%a?7pI#T5^F!+ zm9f_#;^H#5sU4$yFh)!K@Qk!V_D+G70W=2Gyd?jTd^tbt+-8gle0z1^X~BJ3lu&qN zneLzJ?$ze>pJ^mDZd_B!)fx9W{)prE0ng=LECeUOeVTY$g0c)aq0DdQ~q{_W1`WQ&#NhohuVb(Lx1z zF68L!9beF179}o5Dg&~OqJ!YmgKYIr_P1zFiC#K;dg1i(rCMjutnDQFJQB)rCc4($ zXP?YTSILZ$@Ma6mQlnticjVRV76*FeQ2F^?lfv8IL3JxIDWr&50D4QtU|Clrp=dPr9n=|Mf`Gq5FjMcl=72O5O9UIuI2$V zDOq?z@`VTOzslZ0(DtCZi6rqdLz0Lp!b~UeMTS~)NdWlX*~IW7mC|U8EdLB?)N8l9 z>;y+q{$=*+HwiP}jV6N8XF_h3>uzkZ?R$#epII!iFPod`t~%LUtL8n?3~U9VG%pRL zTfP)L$-$(BVt-M+9}Rju$xI&F$~_i#8Rj`S(-WdLvzS_94*(LtM z`!s*x>*tKcll>aq#^KxW1ZUyWFkkPRO%eOPcq^$cH;>r7 zlWtB^^C$z~R~V-?esBXlun#j+9MOi>`i-YW4Ch*X8L_#@52yE$l5$nAD`BjottFIKTt(=uW^70}Hfx!Kfo}~+rpHZ^ z>f;rgcS+@8<66WmR@>H5?ImQ-SmLO{Ff-E^wRaWz>+WHrCYt2_aG^fCFO8g;GOjbT z7AqYEVh%}ag}7=3xiD56GHd*F$Ca45dm`BrP;Kl+05*{6<380#x5mGiR_+Wzc(sG z>5|Dwga3Xfp1-djH6sc4pX1so)P0jakpdE=8o#lxh#YZM~qqV~!~H`Aw|FN*9h?+dJ!D6IS?>+|%MZt&>iq zZ#~2az-NbKeZp+H#?mz^WCaU%JwW?9MA8S^^`-1k#-8L3-MF?!C%NH`XoDMj-g;G= z=Rn{Le*+pD7_g7>%mYk+hUS&-mvfu4ZZ+xgBFByETI=9(!F?9QkraApQ+T1K-2xpx z0ZY$JiY_kSH^A?|S+|<$FVQ_5s^+F{QCcr_Zsi1%*Ekxs%eg+@xF6rRM2%X2tsi1~ z-49wjHkwZM6J!18=WpKKz^qKkjyB+_a1rJ-JBvSN()0 zh`*=B_b!-!h!zgRtA)>n@g0K@zu(TAFV{!l8mGN)$`7HXbyRU4Ub%-jLD$-TD{gnq`Lo=U=O_MUqtED5gNQ-@n zwz@C4DZT}hwE-_T@I{r zoOgptH5aXiPO)z&LyGm*ZBaQB@i1(O>w~pt@j3Cu%z_)>2Mz{do6+n)1KwDb?9Hn0 z?0gpU2!?^U9IfnNeMT!D5m_pCEL7l&(O~+0y^uAL`hmM4yY*ul(_ES`FX4vjrkIJz z2*oHCn^pA=Dn_gUjl#SB3U_*zOB|-6wj+qdX`%2A?*8M;o=Q!dRA6x@nV3RqEDj4f z8xRBah-(7MzQ5NMEpIeu7Q$wjvC3ujoNGO;wV9(aR%D+gOS?La-blW~Hyl9x0h)Kj z3SByfPHoC+9;&{7VWilDQ(v=J&z})&$mcS)HC_0dt-_vIDsp9yX;|jV-sGx##x8qx z8Dj4{Y(D39MgAbBC9;s_4JG)65S@?6wPL~}N6+Qg$18FdjFK9mONhHS*cq!A$}Bp8oiTjXwMMoL3>gv`U$=gNJr;v27D?OE6Gs zW(y5p(NR)1Phw}QZfOj-h#G0i>BhaR7V}XfY11QzCweqf<5xT)zcFJ&%im3U#oL9S ze{*kZK#>vETu}l(RBa@czvDH&Y#E?s%EW}?+l`3xwPG&YHwOGsDlBmG0}o{RJ0vR6 zeq-Yi5n1dC@Dh7J+*P)4B(&XMiCZ~;L4%9%gHV3tSYthe?HT@yNp{(alcMr-`N>6w zqROAz)k#WdTT@UUG>h$f0FGbBPuR+~Axo;qt7&wFEqR)G zb7rim_-Y}sM7P{SsAy+Kd}l`nKUj$I-~8QNJE@_}vmXfFLzoRKckegscMmahRR02* z%(==w)8%l)&kp4g@|w<^>b23;t-Pkk*#o87zH#W9Yqh1sZLuG67z*axP{ef>kj9%q z{H6Nq=~Y{*P=-^R0K64__*dU*WoRc`r>No)4^Bt}ePzGJmZ3WkhMlDApx@T{&brU* zeyfSfVMSQy=K1eK`M|p96C(+=Xo>tuC~0eNEYJnn&Um=XHgUnTj~u-J*$$?S=U@uD zPu9%mx>y#u`SCnw_&UNq-(Gzkv;%L)S!F0)$*&2Q#q4Q)-wB-Q4y-sv$6iGLn$TG> zX_uXIz0}j0X<<_s#Z#KanZvJYT(>syY=BbZTeDg)fd zAW!o$UV;-jE9iPXjo`P~{X@z^26o$*W}#jkC3Ev<{0R2ch?4Hc9Jh%*D0on@L(zk` zXlHG}i1MoB-ZA#-3F1&zx|kf@eOF`)BqRxdAlH^HILe*UxVj<2a0M-GR8d|Ls5VUl zqx{C$B*ssVJQ!an%@VWmdWUd)eI;cV^RBHNnX?udS-2$hiN5YNIY4#|ce#cqwXbvu zAdN+8Y&FkFxB0I%H=fg7DQ6?h@laN^ zxsHlVvvoN%xj_S;{q7p%4x5aKE-48GZAX=8Dw||-Z0@_3dcYTw#^7~%kuDh#2K1yx z;bS`C@P%hIbq+;g|KU-;RK4{F4DuqjWUE$FyrOac8@K+?5;xmF+hwR8%BF=Ci*8My zYgXp0vLlVG#`>-S+^zgf*IVgQzJL&v!igWOD}!8WbPrdA8C+viuCjkBHU(n~b-0wj zx$|xmpmQZvE-;dB{ra?T4zWuyf*LK?XeIOjb%g0~Gn!3#KzJk93Z?wX&SCkef=2GX zYt*a4x$k>b`pxOsHwao0EF1>)^k}Kuf{M7%wzE`L^5%D5?7PMVtl>uguwfZRS;q2- zNRKFb=lLx&ZNg^n?+`jjV=nKa66rmre=X#(&ieXEWTV@k?JaE8gW$`xM64h3>WiH~ zeXkM!1`!B-eDIR%PjoQ4y)B@XHlIF9qAb+pcJhfo2vd7y`i9=Wn zt*5&#Rg|$bbappvSjSx+gQIzxeP~yOUS@b$glGhWY;G6j8v9ltXjm?$Of6o0|(Yo;58ei%i<)Mf7y7F^Z)%O9?#X67S>O?636)bWnjtp7Irj@~bO_p02rNC7rD?D#bj)+)S%l|AX-MxYFN< zIPw46F2WD>h)K8j&ANX4xbCX%bG665Nmj`7)A(pzh;>hHZhHS{8fkq)t0Cxn`9N%3 zf?Xcn6Gv*mO$LB}`zK=RH~%2yx`op}curmko=Q38x#Ewzq&h=wW2>*La9is36px7D zK7}Hv4$sVu9$$|LwKg@)PQfIA1JjF8&0}dhq9nD;mn-s?X5QM_K1hUWik*xikO$Nm z;_Zdb^to_pEm0w)V%PUJVu(%!bBo1ch+;?g_Z#&=eJRhfb=K~Y1I-ndFF%BhWv6#O zmM(a*<(7AJrRzJV;Kg{+)Y#6rU~9qGk;85zYNK%8m5U&Ll~N+u(MXgO7&6syBD200 zze4?Lr=xyOnpTi|LZJH1@X>bXsUZDfyFdq=o*t37v<33iOCYarkGjDfr|M1xjMZ_h ztT}7ra~exS&N3}wpK?^|YAcDSi`BG_M58Y?pLO*L=Ko!G3t3=!MYhPrWoF~Mb3JW@ z3$^)RIgM|onyTv`tgk@IsS=r91J?)aAh=y)DpmOK3O$$wiz2_hxYi;2*Wbt4&=0x| z+{z?C4LY2G;0RYJxiY%%vCq=>N8=v3j=k4`-^MRsJvjXW`Rx;9Gn2|E(@McQ^3n-n z>C^2AU47Fa!Ru(Uqasssk+Wm?O)2RF=p`)$&V!YZhWkNg-2%H|kMq z56W|LQyy!Kix)B$pc8eTC}UHEkGZLXJro8Kdgd~RCI@W1^vrrT)>uZI{+QWwS3Ugm zASj6EsM$CM?H!_D=uZ^O8-#^URohX$j2l=w@>hPpW#?Vr7s0RW*Ddp|)5>#4JAWk( zMK}zuwE2y6 z)f8D9tJdA!NLaqr_(k-JYP^WHl(gR@gbSS&)?(~BN{f%rgg1nB9%?tt!T&g+{nHOz zk?A~PlZy}*d#~&}s0=f~baz)9FSc!#NOSsFDfTBQ;5yzO(f*n<6gRZs2LElA&{>=m zt;}^Z*&%0;w;@+h&9iIoW9~!$I^KZ+C2hE6QJA?x!yS;0tg@|u>;0aw z%B?;Tzi0d&LJ%`B6t;2;uYl?$+>07UgEv^9D5Hsa>Xb+A8xcHBG~PIbXd;^R>&f*w zR8*9pM*c!muw64Kf?7Mg`qFkKzNLPEu0$wT8Lg8|uXuwx>h>~n*vnx_5YMgYZPzn8 z_l}x9BBIi55 zaVTqB2c+{GlcTkTU>)OGYO_=@msf%)5%G*a9>F>KxE_5;CSv!yO#M<%rEP*3!Mm1) z8O!ONtQ0Yj(}q-4KGcAy_3r0fbkp|ELoei*W7*svO;y*KR?yh^pJh{TjB^GmZXdx8 z{t)TAGnbbW#lm0Q!x?!rbQl^gs`$lk@WDu2qP?HrU3SI!?I8XOia}HmB#eB6zHMF4 z_bGGJkGKG;_1Pnv865LHXdE^D5%pIs2I4|*TM@LN*WoS$R}RR7YVMR+y++S1w3$^X4; zu+{WYO;;Nk3#JMzXf1Vni`Eg2di-mJEGqP6v3ZHQD(`N4oj{7F&J2ESG2AY(p$~@W zU_%2&2hV5F+c$rN?gUurg_O=~ae0@aCZirJQoh}BR(wz9#MZ_o9koAP>zND7S;F3E z1k-BYee<)47tvHmmNxC^Ua(LiOn>)cQ+S1*n_pA7R9oMvx(07kW<|vHnqt&dX{GvA z#NsEnO*3312O4Xi3~=G$Ps#P*jjN=X)_00MV0PFCsup^IFgM&%s~bM}2GzQS|Jq!d z>NL@0?EOO}IX)ytOxTA#LM><7(*fDS)s?6wO=LrmH?L$4PycwX?v+bSM-PQ+!LOPc z=cQTfqPK|wBVjG&F|hB)Li5@aYN-YBo7J?DyXvCC0hEjhV=AqQM#eGaN^^+zHst9O zgZ-=vP4w!vC!GuO1LNEGaB4HlZ360#5EsA$FUn4!z)9Z;$-&;c79y_ly+4Xu6(J)7 znr6+0s}F+$_si}G$dwnn%p+tf_()4NP{E~9Y>xdCO`>~zO3n8>%-9~>curuyb53^R zfObV>tK57>ogQl5wU?#V7=&bpd)eghkJuC2^2!B*N8)^u`ovG@F~RGmW*tt=YN4p+ z=66jTyvBvI2F-UsO4G+6E@A$hdrmcO0`UQXx%b zCE6HA5V=u2BP);=jGhRo7^5ce>F&xfG;3R9%asY2Tx1(n8(>u~pPf=+DqO|0S$=wB zg@5C^3(m5zlaeB={fK2WTC3rH;)^79C0ZZCPODgYy(-w1a1>%o)&I@wpgo5^0$~sF zGdVhUBg&gyHH1Q5yHi!nm65T5@a$&$Fr9f`yDw0i=$xym?y~{8RTT?UI%5AR<`^U@ zS3kr~375_0E}%C2(b7ke|Jc{;>B<4y?1@@P%stvtw(aDtf`Q6jn|Jad-!>IC=xq1# z?T65gx%xs=Q)95YNEa8cTy>BMb;8v}R84VmLxJ*b#jAJgi@zZ2dv0`34r)jy<9C*-$m*m!RiGp98x=&&K5fSXGTI$=8h0=A)O7I4W!v1d6 z#|Yj{s|3tPZO1HN*&f%2>{Q#g5T}hHPe9FYPlvLbn1yJJ$!J?6V`z(=Y+Rueu}_4T zSkd4b5z&>azw#a+m+ez5q`R{+lF^g#)iq4xfn5nR2zV9g&obhQJo?kh2A^vMk}1%x z=d!!nID8V^zLLMd*4IdIscnnp9q=em0( zff1YvwB!<4ei3f{7xLJ@-|fGpsQtg~0!oXd;u*7Iv$N?GK=SI>#$XipTety%E|Ppx zwAXmGi$0&%)f_>+g?H6lx26(xQ=7xfmUjI<&xxOmJ#<^{T;^U8*Je~xMaQwWUle4W4@Ao=XC8Awws2eF zh7TQwXk&ZhM$M6hVi3Lc@0KcJsl`(bw3d;S*;28t0Lavm1$3B>QYf&zezN{_G0)IP zKzhEUfrD@%_**=9T`IvRFGn;kM-C_6zAV2MbTz3s#c8fGN%%}}_vC5o?m`cXVz-m> z_xId@)qRZzo$7st%U5xhHf@%e|N$gsc*OW>P%gJz&i)3&8b=Se!?OW5`!#*vmit|9`V%!~Q)E-?+X!OF?wHiP- z##O!LP;Nb>XrbwXxD;}F9jAAq2WSo!GCHuKmWdPpM_m5zn!=K1{(hV8{*k{1dg^Gw zErP83|9q5xRPDJ)7MpvNw=X~5R>8xRKW4`pcor-)0BibC7@`+ee%-MHIx1$f5^( zlM=-P`D|}$q>M;PDP{wmD@jU*e7%2iNEq=CXGKuRd0q_ddZZ#Mze#0s95| zQ+!AnIAZD|sRln@luB}0m)Ts}_uyB7m@67yRFa-EOJHvr1`_&AxZI*sy_Sy+`|t8s zB1n}P@kXJl(mQtdT>|e$xu7oI=#)rK>g+LeQ5D}Q*wjmw1_rO1jXW?srs%&V1^-F; z!EvR>JP-!e`kH9yUTkUk#M`d%gr#FL0B#>3bDK|*56(p}87BA!2ObsB2334ztFEc> zN3m?~@)Gu@#lV1`66u=WsVqgb6f5l+1K;hc%S-Mn({3N6CH`Q z;S%XZ2_0)YS(Wd=$a(*5n8R_PgoBS6D|o7R_~Rw@bM2fT7|xR-7u#Wjg2Gf-g}>fGqvRLOVt{!#NknA^{}Z7VND&G_V}G?BF_wEfmg#MXa4JB zpQ#OJYhUtv)i2%IX;sqkqrV=Z%yN?kq=^{h6QVM==hmO8BbirJC(GrlYTTtg%0{EX zd>}4x+J|7D)WP@rPJ!ep3#zR0`{0j46P0 z09_|U4)27fIPBe_7Ubp1I2$<$*y0F^{TPqAW0&O6|)AfcblJWFtbm& zrO*O{Kr|*!d}2|(tpxHe-E7PZQ!pulrmgp3ld3DG*w(N`*ibr40{Po-^oZ6tSPT(oSl|si#iNxrvdx__$UxEnUW}ZY5gkT z3UL=W%uGFGhE1JlZwQV)!BJf<)syyXV;sYZMv4HFjXM~X4LE$@z1dR6BxoOxx(TNM5<>x#n_BH;&oCIx?r0LsslGR13ui5>Xj=yA1`a6;W@x6sPA zM*h@9S`|HDfxgstV_bEgb<|`%F#R1XVsz0a`~cHvz86>##cvzbb;XmVU1pXD7C!E~ z*Jbkw=^XJQsgLPKERvw_iOeQ|vIwNS8aI=kayc(cK7BkILD}|Rkz`Jv4(6z~SZ0n` z|NiZ@To9}*Y&=)@J*jtx=$hc!gXx|*lBphY-!uo2##=_Nlnmq?@L75ZXMSkzGH15M z4H3M=FQu{}qF(q8G-6PXigX!C7qBan1WLXl_u=fUqg4q^fH!78m#@usfIycH|Hoo5 z-o?lO09p5e!noDFGk+1w7K|3pirD)=0&32#?5V0TE|iFkd4p+c05blXHv4EFG1UM- z8h3LzOIe+gLYJ4SR^%pN*MFW8DpVE1u?okN0bQK=lfkPx2 z7hWdJg>O#3#b@vQ6zqMC6U-yV%ynmR&23tM6#vEQUB6l`hdY7ZbgF&`oh!}C#6Ms? za6ADqkwB5#f0u{+hq}1`vzg*?x z2I4svLu2I}GKeuD1;cR0PP2rao{nR7MsT4tA*~bK<%h@B@H{9xVri`U5@=Z@8o^Cq_s^_FelY#-1H`*CdtV{pmSC!DO>(_>JJW} zU}5GV3&P{JWFF<2>ZzViz#zI zH`=FMEMw#%u3oH+j!d&%D=7`&hGWUG;Qi(T|jLH&a%=?@>I?PePEL(C#JoKQ&osarU-T+SXk$anUH_yTLqKWZ!~3Tf z+@s8zBVDqts3gJ(9nh)Q?1(FYBE2bYi?45Ns zYEun(6uR&oE}Lr?`Lam*wudRDzO;M!Jv$a+`HI>WZ5&{#R3*@< zxP$uvoXRB}GoaKlF&&HhFU{nqXfK^y6|J?s&1(%{L@G**AYgtFSYLgo6*p@-n~Md= zm$G0Usu~pRVh`9a6iNzUTilec+-cWsXaWYuDI~iY*B0wMNUkv()1_)Z`u~of-M58G zX6C6Y-16T(B7e)Q2cxpSGtLHgd}OY`9=)lR6ele;^I`|3QJ)-;9iVC?RJv!zl>ik3j$J8rCw&GLV?b| zUmVF?GKC~4bj|$WtbBsJ)p3yDOfc?P$Z~Pd!L0tNG~McOtFQg-f1sbXgbVja)=IsY z=JoLjIi2YN3-TuSwec!>d+002)r^6I^rcMgs=s}<>SzcHxGFV=eNDvt;`p{hRLGGz zfSQqnR)Jm*lZ;}Sb)7}S81>8E#&fnuuqF32e_sVRM+Qio=~Y13)QBsIcv#&#a3o*E za2|T3P@Qf?h5Yecd^2t_G0MZh&E;zR&JnCmdf~g}ulRa-CxTRuxQI!1KyJG!23vmC z;2<=lt#z|khvD;!-}D>Hb^zY)JTFMnd#9Vzy6jicY{%tHg|VRru0fb5p-mF$W(z@J z$JYm^k~;l_y;>ia4^PO4*Lrrjx2xwtnh7(%-hWwh{_noEn;F1XYsGmd)whY)mCmgN-S(M9D32Gl5>spnE^dw|TzMXC`AWcW zQAsMWIey<`OLTKFX4V`RS0Uu>V|rzLOXkJmoB&te0+ zo7DGOE|WYUSSS_O`N_!`7p-6SMu}^dHOh6Na@Xt1&05*9D4)C4dQU1j#YyYp zSHgR_IakTdmxdB){2=!`RY}Qz2C4L>T_00(4IYaszBpI(SxGJ~|AwV14e-9)iMY#8T&2#Xd^cRnynV)?clRO0 z=^WSF^KSEp09N@liW3q$&QTpKBl*@+|Dp&_HXDo0W5a70yIWNbH;Pg(4zZqVKOEhl z_vgrnOupeYR{SIVqXm-I3f;FQT%*Tz%7*u_RX(zkGN|{E#bs6!qN*5bEWMsm$ zLiKpxxU|VA9#&QPb)(<;&1WFU|8gZUa!$p&XSpeM;6=8b)VZ$^^P~5&?0=r@^(eEH zsPHc4Xin=I{srrLRjf}um!J7W0INVq7XZkS!aTtH@uh$Z?KGDEWS7@_ zr88rVF^v)ruileg&RA&cuiW^0~{TPPH`}Cin4P1d`v^i`zk+!9qw&fLZR<9)l` zv}CEaw3PmH?ntuiLE5PQ43IXuCer(PNTnW4c~|Ow3FSNAj6sLo`&ZcQ~pi_kMb`Om2+T{ga2fK$Dl1ZT|WcHVC*1l*9hW{cF_GjDP+1;i8lm zkb9~>q$C)ll)q1GR`IBLT=B->9|Toeq|j+%uQxKQfxvV*Y@?-?Yil&}e|J@o3JmpQ zJT*E`3%tNOTA|WLxytm9ND*~WDlh}7d299#do@v3E9BbFv}3a)=?9!lj(U0VK^m|>e>xcBbQ9>$lgFRkRr$bXHJ&&dqq zIHdf~{5imfA)0^?8NP`T!+hT(QAVK^1f{^`_bHPr+8&UuMXsGJBo0IJ%ybAL%fo41 zCdC_q0nM|+l5kQDe5VsDnm3M;E?Hsx%<^h~a@rbP=Er4p@U&g)_kfZA@b`MsXXJ%E zC(zWUP{?jrkWu-}{7g;#vlLlk%w&COmu{nNVj#n@rrlNiVu{r(S)D6sr#UsNWUG2o z8_pQL!F8*mv%VP~L0hHCN3o1?#03p|M8yRaWki{TU;R_IWS+W&jB;M_-nl|!?P#zbs6%+}x;St+Pp zB!>EBlgF!Bssg>gwY%jtvuj2#>29VsbYrodq>5%q-M!hQJ?t|&3?b~0ms}rMPVfd6 z`&stDZ~MG~M=`!NcB*yVnEDq;Cwtuxa?LtrIn^jB0%|{Jk9W(a6_5F?!_u=T%VWO~ zm0e}c>0-G9J6W^+&Y3uefPuAP*X1!_DBP0P9HV4!reTX$V#Q$qj-ySZ6}ZH?h4RS_Wt?~Co zHRG3X@PrJ>RrN=s6T-=J!Z?w>5>Ds=>(BLv!%8L=DHW^TV(JPDIytF*2P%?}0 zX~VAA&*shCD$|>nCz8C|`&6 z4s~12jfU(HTBTi;BA;KpFF6N4Tl1oM)BU~OPJ!vPzXgi#n1apdfa>`EvymPZ$X58~ z7UjbW0Gyz}oEh6zQZ5vfJQ&rhJ6@jF5K9-F()aN1a-h$2HAtQJB4_G|WM711<( zUo1eVw|Xon(B2-CK67n6IwBoE3*T~qHvF}I;X=w1TeY;>Oln1=>=xKn_l>MqSKPd= z4>$xbo4-?Yea9hyAX=mv?#BWOj(jT=<6B#Oi4-UBM@f#|yqm zM-*@7(-%|Otc2#TCOXK@Ag)ZJf2)WDn`HY^Os!E{XL|RLR~*#5yhqOpgvPC>Q+h}h zo!?J0+G1=eyj&jNBB{Ym5-UU;i%GT`x_9FP)KgToj*S(;PH6TW*vPu#Z*3LB4Po31 zCj=M2dj#!S!bSb5Jk%=t&rTL=WigYPHaQ`Mehlu>z3*+qRS!yL#W1#o0s~qb5zEhJ z_9O2DwoQqdSV@HQF!IvHQqfGlB(I*3fnX!n?40mb$*1d-RtI_)XH*E+Kf{nFR`N5E zSFAAn{$X=7Wuf{M&Ut71blo$(ql!oVP%_dFDQ6>qT5J^OXoP(aI!vFhJC2jS2U|Vb zD3L#ngM8U+)Kdy1r>F<7m>BBEC?CL!w~y{;$p+SSSYpNK)as(!pAboeHikOyWnmB&as}} zhl5{U`1AsuqKLBNx&`|G@-!2VDD9twyCSK8!|BM;WT5AN{&VeB0sqVO(^N7K_#~kj za6>u`jIV&yvQW?bFP-Hk*m(Jq&I4aVCkD5(9#mN;J@p zk|eafqH-mh6sH|E|LobY40cbE6frb{$E3Og2|~m4mi(csCuReApXV~T|~x!h{VCALp4 zCSCO@KWZG#i>CWsen6UcXRC=&Qim2Lk6qJ)TE0qJOZQTho<-QIA;C)U6<<)EWw~5g zLdYUFAk$~}yUDRVTb)aCI&Wcaw}J=<)adT_+gZbxFloa(Qc2#iMb9wz)16V^le;+* zevOT#)oK6_{B!bqWFh}w~JCfTr;W2%3}A$=q#xqD zkH%pq_mwx!+jkUt$lsF?EPVsaf=$=2=4$=vH!|9Y)9BSZ{i}D9%_~c&kY9D+-#^21 z-}dyyDV-j=Ggp{XBh$C=RSsRvYGZNV=R~H@Q(TpdQRYhtBPp`Sq(T7wZFWZ63M@o# z-M!n~yi&hJp&+H%gx#zek>F`tJ6ozoc9ASPr!HTxx%>r4m;@hj=CUa&9F%16tFt_b8k~&f4NK{6bb41Ajn|Qn@a(K)h z_bBQm*F_W;L~}4--dV%FSEKb+k5SaSFk#Q4$osN}m0qx+325))EFoU78sd7j5_1Vk zJRNfA6M8UTrsAiptS{kV*$8km%-qlnxkal8`FKDU$TT8X*{TcKKRa0_`I2qYT*9n< z1S`#J$FZDtW%C`XvQ+iT_{dtafU*^*)3rXTYj5MiV!NhJRIPSC;fWKg^R={YkZYN1 zwO`+Gx>Kk24F_9gufknie!bh)QOKrb=WJSI3~jt&2iGC;0|XKE61ug7VJ^pW53Ja$ zg2=bwH)53XPD|qHddM5*=dHJv0FWASnPG;h=~g*LlZ)@BCc#NKt%$;RXHOa#NUh#< zdaN#83{)F*rhHVo(dpU%ykIBa^NaXg)yco9jj&Vb{7c@HR_nNBo1OFY^VgIiw+t8T zd;UfnppYZj_N#*IPIb(B?O_FE_OO8D4ZQb)Z$hv03?UqM z8F$DNFt4d&XDY2v6tc^Y5+sNvvAjS%OB-;Z686Cv?uHbI#iTW+5tXCqQ(D;-~S_ICIsry;v#l=|A|pf-A<^q8vLJ+@_&2lL->In zaeF&{Z(!v5CgeSQ)5tGsGVPZT^FGvuNdxJL@Bfjo4U!AYi%~O=vT3iLIHGb z{0vjTJRpi30WskL{J4mjhFzh6 zD@?=}()ncZY?Usz*qQqQ+>zp6tV;}P!jJoY2LWXgHt3Wj1BvtXsm!#8DvEEN4BgAC z%FfMha8I*bI}@l^0+e&Tk(SIHOnPZ3_cpblfp$E|R4Wyb7c_Mzo`Bu+R9ra(db?xA ztw+NbT78%GSZu(zi$8VuxEo*;Foh%(7caLAhW>DG4RpVR5FQaN!_5QV<{Z zd39Jc=)>t=L1)8TNl86Di#b+TAN75dE06O~aMs{i-h6LtGF$MTbMQf@k%qRkI>k+e|Sy(nULo-g&I>8Gz+MG+`X)YTjKBAFT>i52^NVzx~(cPQ??b>}Z1r-@WC z(;E^FUwQ9mRi?xmG;|lw-BEuTIk$oY4C{Koxu?lT8B&~EY`eei;J!*$-}E;g$fk2= zf#0OE%8BCAkI9FWmnQW<TtibjA|=LvpL4=EtrZoSI>&nfi%DXlg|zIkauMY+qt=WfcFs3ILK9bsG4EgW{#r%!e&nwa|TgetkASxCe?DdQkhdn+G z9x*gG!rDaj|Td}>ts@*ZGU{5e1*w7qE&}@~_TR;m; zEC_;E(Z2qZRH6QT)*?&_06zCOwz#r9p2SW(uzm|h}cKN6d zH)X2g-$GV@9zIjSTA^RnG$Pu+_hi_^qdG>&+*NOVxl&`7#JE`hN%L1pQbOTIzQ<@( zKf8+8laQ94pK-yuLqn%dWq7XsxGSH5sA&P`3QQhS_x;6@)~fjneaB^P0qo@c>9uCQ zifpiVMp7e638vsGspL!@5~aPH{6ToozyG8hEf%nXZxI!_t{3;CQSi6Z`E#*^>=c#I zP3?mTX>P3#tA`NR&YJh(Jc2-KJ)WVy<1Z0H?jeu8o*{%DWc~(y6Ky%8ofGMD=&DW0 zTq*v^wGs7v8KRbD%I9L(rNBp{7~wjLg=~Nz>RBgk&aE=b_lfkr*9Kk}pT298G-XLU zA9u~En;AQtbmP6fMS;9GnYv6zl4A}jza~5#%2z2dH^`W~x$<%$q-Xic{PMZ{dS5>v zFfB;Q{Xkw|0aS2P)uUv%+?EL}&WgdEZ7r>X zh2_{Y3i*UJK<0~rn`BdaN}%e;R#-{`U&x?|oEz=uE)Pe#AZ+}aIfsS+I20~OB~=8| zhAs7tryKhSKirnL$HyR3KVAZ0WMP8-ZBU0OZJJ+-_w~$+oQsc1$tnk`^J)suP_3Oq z-mK=DQDgErg%z(2G_{pX>Rkhatg;#H)=W+}<5p z_2(*%t$oN2X?RGGqBxPRPC?6OBu@6l#V*H?;;I@P7Q-`)JIAucdM(4O=aTNmN&65D>6X3{|>xR6s(B8hV6)(z_5kQWQl25ezkS z=^YHA6HpPUp%Vz9s6ZlwCZPzS+!xQ8v(8=jt~K|}%w4nA%>P-GH}Brh{yxv=``y!y zDf}KG^W7_%-r)vr!DcDD$eO|Iu-i`0ZgiTY&Z*zjK)IL6t0 zPP)xuV|;L@*Unxr-im$OQR;>-)A=KX%HdBcb0FMVCdh;*)3d501{Zf+7N4PCkqj=s zS;A>o2CJBD-49~?hJfhj zBF}T)AmG>D-HOuIN3ZCsroJ;f0=t+DF!n_v-*gDR1L@icn0_)SHZFmBG(xhIrB-KS zykJ*9yby?Q3>5}?z4rN-mIXCqoWUc`_FG(kuN9OQ_wDVJFYM;#B~5H>u)md*z>y?i z`z(L6s^fw$g%+Q9>!LEodRL<~S&-L2$Gy0~vwJl$$v+Uh6{>G4$Pd;nCMi9GvtG@f zH<`H7yFz{7_o1lkv9t&(-;!VPW9B7I4LwFkBc=U?rhU(~n^~)$fKiTHhhnD7tIOGP z`N-&Qqn4qdLie99_32HNltsJV_=PE$tRo@);J%HX-76ImJq-zd9UQS>3!1`4Xb*xp zQY(jj?BHco-+S|TsJtM`0wUdI4l+?p$Yxc_F2?1*(JY8UR~Wij-dyZK>Y?^kMXMV_ zNutx@db!X9@6RJ2fr29vHP-Z}02Q+ zJq~K4$`L)cS{$$0J{B2{zPM3|nA^(Q@-Eu$N@wm6MLfAkAyiW2+Tk z;VMJup9)OnoPzH<>sY5@Ai=?>qkDoq`B4h1_Qvam=RRPSod@LY6nWw?p*2nbU0TAK zH3fI`{H^jb%-(s>{u&50O5}X&eCys;yN^fxZd5{PIa%dl8MEzP(nczkZ1?EnU zw_g#M0$Un2kU0>G!Kr&^>XDI4_xp7eAv zB3o|=Pa>voSlL&fWiw%A+r1u6XV6j8@wS0gvjEe&Ffe2Q3nxy(;l zxQPU=IXqWgdwL42A@l4yQbb2^ZNSzB+>t>H8LE2(kz^P54GergUiLHQ6_LDo`!9oq zUyq#MZo1Df$XQ`kL_HBFC`w;lahWW3_UWK5+9>l)SzsB|WHpTNgac)4lQDN@hxV+Y zxKr$eJA+8z^j6)3ua|2lLM%Dif)o<_z_-H9n#8)ojj>IGr{5Jni8}&K0F;v8lrKP( za=*o~U-CqyHS@Mc^{vi`!f(u0HiNogFVu@KvbGmWaL@i$0H-sW-SA>2%OB=PFQ&~} z>kc*a1-Dk^arRW$^t#~FM|m=Uvs{gf@)Q3{W-Ks6kB{fiO)+7w6#)NETkBY`O5*Zj ztD{SOrin&%hikvx)$B(%fyE5MR;4f%R6l!_htoSQMMY|iwYSMr1URRj+5OCTd(et~ zU9;l52wgD_C#8BkukpbNy<#5$4r@*Q!ruIHhNsfkd_rAWa%qj&*C|2}!(o!|?rt|S zLdj3e@iNudp)#_1^iqTS=fnsMo@z54bN_BkTI;GGldOWPKn`cUwHp&_4E<@xlHy0# zzdN_>X0*D=gxvi&bg;7e{&=c#T_KDqQn3XJkNL$%4?FzxHv^?3b282};`gV|SiasQ z8Y;$rQe`bY&d6ldNMGh&Z1k&u8xtxT8FFk;2Q=Eu>F2X*iRgv;FAfM~ztf=!%S3@# zf4cy8bP(MDPPlj$cT|3en%fN~baE8vs54p4!KAS}C zN*jIS)9mE=ur`-Y9v12>uF`_AFDc^}A;Pk^1M;JvBJY*oK?P5)&2!0!ef?go>0zf~%0 z0(K;m?$IZ;>CZiMud=X&pEa>eJ#deDI>2U5zjmoek8oh^ZL(LVO?Ry6|2a#{#z2v- zV%9rNv8(T1CplU`30mgGZjE%Gvqb_dYoCt#_&Vz3kHZiC-mse@*w+ZWgc|S3Eibw2 zVquAa!@hu+z2gY5-Xm{WPC2N_^wu33PW$*21JyG|=W&G?<(Ue;tX#(_zu=sp7|?&; zd<+<8(#z^K@nxoYak{!KXv9a?KP|t9k1BG3?UI!90QHd7@IG)-$(3CP4v9BjjRuVu z7;(e0tswPp}XG zsyz@{mK9jgfqI?TS0TNu1pGHB+uQ6)uD!hu1S@n19Uv#YHLvbOQC5KR>LroilacU3 z;%?*5(F(aFvUh;ber}^{mm(-xxha|FQ@{!)vx1|)%)tv^VJMAELhm#;NJOJvWQ0n; zi!-VfFqY;&cI^Gx&tbI^?SRcD$uG)5$>OSrQ)qob#D(R)iBv(!dI2xd3XT#Xz(i9J zMX7Z`D2fhh!b>VdD&PmRyx})rY~`(z zbjt^gDRrP8LXm*CW@V@)eTHw-Jdas8UaJ2S#r&acjsHQQ^L25Q-Fi|mKsvl@NW^=M znsy(dIkz8|9i7RhC7H#_0<+Ru>q>R6a1VZ){}Fjwe@jvJp~X$0!=*HTJJIHOGN)}V zQ=#+ph$D&*zHDL-O3~K8{wA=ExU)l7mb^>{x|x*?m@ri%d{D`4!c6r_^gz3bDu z-fd*mmT=HO4C6=-4N{dW6TBu-rS#0FG#Ls%FUD3)ckHavm9kqdozPa&CykF)@7v{R zf<(b{!^a$M_how0gUn09kE*}ok=~gjyaITZJ z(7q}KW*}whe|=cfY_Y&7z4-Jajq?PHZhtwusq*w^ zVS^T3;3GhWRx}L!s!_3dliiU^J^*0>hJLb>Vq0K4sUwbC9x@t{KLrm*H!`TKbUTG@-dLO zd1M;dNoIfphN(kj7?=IGR)Mhn(n=k*S@`W6HQv>VAVUMjV;VmJ#EVPFA2lI0{DM%L z5?UDl1bEg1M6)Bp?AX@Ze|@T9|99i#pRo)u4^r)hKM4OnI2!@L=PC89B+gc}VSr(U zn&-7+uRfn|P?~bFT9sJs4pv|c<1?9A_MCK;thD%k^?4frJEtmE6?o{h`E1E8J^3h; z^Y1iH<~{zd&-WG9+E|%h%)CG8cqC^A)5~Nn*>Y2pbO?1 ztD}Lf?^B^&z$yXjg8Zv$-_Fp(*k-Qx^IUu{#e~Tu|1Ozp+U_~GaMS&~RHPu<%Q`ud z)R=$0ssX znwx_hxLOpP)V4JD%Uhc!D0rAFlfkqY_@JP`TTRJv)oxS5y35`Fv|@# zt=`rW;T8UwmxpUPg5*>G;??5rK`6D9iVu9psVLg}508CQi z=5IX#0n}?fmC~%VX(d-oO-SH_QEC|f&)$YBC7ihh5C_4mqzwxQx*FV7TOyi@Zb?b< zwe-_`@x~&Gs-6giA z?PF`oNWWhP(t=tk79CPF(H(WPWg=G#U&j*{Zu$z#<=Lz-dFNNc*(l}by6}7JPM|bq z3}h`0ogM?8xF>!9>qI&MP_?;ui%2(_=F&WeY9%CaoKR?^W*JN(A4TC zkh58wF4km|OJ&GN(lRx+c&NW9wQvI6XLn{IA^%NZhs4LmzY4D+EB&)D$qiV(T3@C2 z9q;|Je_m#ev`w}f=95{r2^8V>>4;DyHK)lN-g!3=;=YiV5EaGs1tOFGX@pm0lbudH zJ=0!;f|y=KK-|Spr@{qSpO!sxa|$4b*}DvEjF)Z_I(PzIQ~R-&Pjzz|V}qLN`P$wA z-ALB@J|Es{9Lya3t4Q-PbJv`Y7p<1ErC z$@80AVeq&&ZO`OOFNzrRfK1dNryr!O&F<=9#j1bhJauHP`o^p6LN295s$MO=t+lHL zoh6om^UM59Ng6tT*#&>}^5!dpU%-sHInzV8z6^MnvlW0&2l<=@a`w)oPH!$U*V^{y zDgy)DP8cV9X%44Ab*%eLVQ)*S^!XK;@|E-6w3IVvhH;Z8cRuN&PRFuX6yyR;5{`}f zfr0VIZ|O1|^104DHbjDwH_c=?A?o!`mxq^Ut*m1L15ADds<@@ukL_L&J9=Kh)2n`v z5bN7X)8CR^VzwMCd!-&7N2h7gE z-09iDe91irPHCzP=~%ll2H`E@n=^)1Zi2c1>3cFk3#%oiJZ7Xc zHrRUK49Qjr@DaOpjFpK{h&0f0h<}NnGPG($^lNP#r-mNvf1LkWA4ae@z?Ld7H98#( z!uOMWRL2uu4k(Uu%NmP!8VQK@e2Nt0_NQW1D8P%@XpMZS4bQPk>0d zffkEv^c4u@EjRU3to?k`1`qog_s76K`BmX0Ji?>y^0LR^E;k@+Y#OPZl~fXts7`4)?Nq zbj~+xiI$P=$La`=FTl2WNXc2+XR*PJCMb_$pW%rUaO%C0O3!LaPDe9~t^2`*nH6uBGYF8tGG~KAeu+f)I*y230Pjy1FgwO{4>`Js)U=+ZrTSFB3EYnCFnA zFI2)BTU3O>SelgI_CiD1Hu9srWfGMOOY~zic8JOe_jAVEf?r9onFs?CS3nwS;o1Lw z)BG)*sZ{l1ZiW1(#kw*E%zd8qg0{UlDm=t`cuBdufPMH2mmauJE#cC*Wbd7x>Oitb z>TL&vw8Q6Q;tY3UPH>!Jd`5h)tM3xsR?EORd35#I<2&HCEIQB!(YQT zpiE0=4<?G@EbZ+^X> zJHhQ3CwW@Nc2HJ4&!`sdYBz8~jgzLl?SSkbpZFNu?2=X6p*wUs&IG6=V^YL2aqzU& zy^Omqs!W&Kl;MDX(Z=&gcypHUweC(nIBHS9$iV*kS<}kY!{@I5_0>S^4e1&iRUo4k zojf6PIh|D^o6cVwU|qjC{Vxnm|C6rte_QXn*X;O&)nRgILb6pifS`i6#Uxud=#>HY z^s(9_hx8{=T2`pY;Q@i)GHV&oo*sur2fHzSrlnYbYt}Y=WGGsqZR54Qjf=^ULL`qTLn1NmgFe%gY5;br#IgNbnY+X!b zv#mzfP3ie^HLsmFNVc6ik$lADzkqb~-KVz$i4UsDImQT5&Gqf6cEuyy<#rpcz_?L_ zd5Qym*vP1~ED@-uQpJc9HwCg4WS<6RjRNP0&V)3G+u+ELP55*O5x~CR-1B!CkiCCq z^9(F|XW+Cp_jDs)^WxZyEWQ0TFlcmR6&N=!sOSwcaGAU@Zvr0vb!Dwu^~?$Sertnb(^JTyYp@twuELZZ@}7jSF|$2YB?l@MT12uwa*VkSOE_b;Qim= zWjF_10p7Dg%GiYovkQepmDlmhnc)Hq;`etS3NdKqa_{arr8@LuloyYuag%`Hu^+x_ z!}&e=pNh#cjs_W~(jr|AUX-1hBUHvP00_sad6nIHN(S8Mjg`}*3;dvw*re~m*tJWI5VbxGm|)IAi$;i1f9 zia5m5ib`@8k`xU&VFJi>PpXg$G)li_d*$o{38ox;Tczj}?>J;!xR5?*$ ze(}7*@nbLkNO8*3QOoH>n){h!c9K|G<4d^@Sv0XTmMv`$75$W?e%B7u`PC28~v$%K-*YhbP(DK~l;#AJd;4?XyL?r!4;?Kfc&g^tZY2oBI^9Ev8@ zE6Cen6XN%}J0Y@7m?p%%?FK&wnsOa)XG6%BlaAx100P^5_D2T8KRcbHLaXg)9kWOs zApt36QP5%D-~~n)lj-I0ln_8IO9yhA7Rl23a$C~ljikj1OJ!SQ@j4xrzY4@0uCb#i zY7KI>0TO?#*Y3MRMLJUDJ;hU=SR2=jW*qwKFjC5IW~-v+3czdSk-d-^2D10DVyz>ic-JAbllHvJ&iU)>FJ~XENE(5 zF569J%_1SeT=i>w;6YToy`AUOC7qRbJ%d=vxBDJ?Ix|RC%$J`$ z{RIYOtAA?%aV0ytLXs4k`rS4^HXm|!?f0KUiP!a;1Aq)_NV(%1hL%Yg!%`Dkr^`*A z?V{(PU@&FJMP9K~At#W1#RnooF2dL1&lW3`EBYa2sc%vPHHGYZfP$K7TL2l{Ta?VwU78R?hjfG87>wJm_s+=&=IJ z<+h$ocdZ|{)JW?V59(ff_Se7U!pzW3zEL53Qx40kfhnhwg z?8iSd$Nx-#jGZayQA&)rtK+605Fnmun_5D3Ha1KGE$X7v5qO8 zJbI08GJ4#?28TZ8F#P<0=MW%m161vToy_k|Dz)Y*yqyvnEF!W_N6HtUZZ;ouiysIG zk{N8jrz6l*HoPUl?u1QA0n6i_fLI#cgGTijWK~pWSsVlFjnuI~cwLRSOgrD{RM%`K%qRn=Go)sF~7+>?buLqrikqqY|; z?e9+UoFr~m@is0M<9CL~4lS$_*P%CVEGU|jEyXpL8#=ZsD|O88iKzBF**|RX+;|~q zNZOmv=v|8O)~>uz(0=Vbb;|@icI_N6+J&?qs^OPm9P@L91rNm{P@z~!&)Wx3BLlOaWJiJ zK*nxXh<_KXtcbULV(!DL6dHu4n339sB(29>6_k`;e|l>vrivbrz{RU2_SH0IVEuWCRy1o+x6(b__1{)y6j!=Hi_Z?fC2+VaWN(Q-R-K z-?a%mjwsYebig`wMfeg^7>$Ug$-=2(x>Dp5(m^?*9D=+)L<33o$d%|9A$ZYjpEF~d z8ON9w0Ezz)fZxao$dOk!IRhe2JGNa4QcBhcgJR!O!?qgg^jhusFAg-PHS2_clcdjq ziHl{BeUig-GuhIfLjIJy5SaK?iTZhI=18X}BK7f4DiNs)ZmOXK9=-G9KcLrlV;xey zC603dh!#DJ`~-mcMz5T96d7kQlLVJso0QF8V6kzzW{eRVp4d9FFjUC_+7#B6(C zgQCv1-*b4!*lUWZm^q%gs}e(*UX))75Dwo0_l|z4AvxgtjraZ18L%arZ=2>m?mgUP zz`S)1t)8x6#8t#D7kXRbEbA7gGBFZa>Sfs3w?BC+(ps2Z-@V@6i|`Hft2k)J+9x?? zquSLU1R3xi_*vVR_GlmNo%pZ<1)G6yidT|7UkEH zinkTZ3TT<|}VgmbA_bZ!K9LpNI$UlsT*Zqkc?z zU?m*S$h$3eCl`ugdv1?LAW=A-kS^6#Yb*BG0S3VYedTNvlZt~);Ny{lYDE;~CMb~U z(Khdc{s37DI=x> z$xFTVxM-$oqzv1LyNTUk%kQ|v^aDS6vbxG-!UdL`WwNq9RpatW3VG|+y#Hi{#}RTi zB{U`MOhtYyoBowr@Ft-bx3CS?Xd9NEi^<)QS~0CyI!LbNxuE(LN)o=dk$zr9f-y6C zDDY`o2Vm=tb+8+J`;GVRf`0A(W!mFW@$IS(__s;wbS3Q)*==i*=v&B#2 zbS6=4if_O>K!4eMyN9l&<=H^Xne3kTWDufd6Ta*0yxQ#N-Z#I|3P(8hBT_S7Z(nkw zpyaUH0zOLR9omz6$36Ge*dr6>blr)*S%%>=51lLav2;z|N9ta0=OoGuD(-}3PyK=W-NOdB`3Nma=Yj@m0X7_k!5udv>f(bXF~ z^SkUo{Kmy_>n8zl-8%R_YxRQ)$s_7r>Lg<_Isd=!Lj=Um*UI^Wc*(qm&3sv$rUGyw zRAr`1C|{}0)W%FnmmqP~!HX8@J45pcx~M#P*SCH*(Qj_?j?8mNzy5II*Y(l9@7rdL zn~P)pq&A-Q{e{)84Lx(z!30;pPA^NbTLW7R3=Eg2DpH@-iKo-ZH8TpjP{fq>YyO(%% zk!X+3xeXrfp^(dU@)q~(=u`X157pfZi+wd{x780b_4_OavuXL;-?g9;PA1SNOql>1~Puc=%oN+;Q zbIKFEEn!)jWs(fdzDlHq%qVr2*Limb&;cm|9|@HP|oWQ%ZeukZbGU`8@E zolv^}oa5*XA?pFpqUI@iuW+c!kOr0K4-ql#w}|uD&B}re_qW6;J50xU9Q@u^>Lq(k z;W0HX)B2Z#e)SesL@Yn&mGq{=MdX$3P0C}pJXamoahx-W%G`PKGs?n}5Ub5p-$WM2 z_EbhFi(TkJ#pGB>h(>AJBO6ntRCVPe8@+!ELwL_Yw_?ETQ>_)1z0Z)bkr${q-$$Ez z?_%!B>7+bzkL*&2p(HQegj>_XCo`GPH~`qmQOtI!<*(1g5Ix{kul;akA&4Hhf6j|+ zY*|RLQh*zdgNGmk+4|w19@=+3xuQc%vK2EospK%-poTduh9e*G7G@o2Q5#CeO zExL+w=u%6jNLnV+YVpEnG5X|qITlHKGxe(d3D&v>3ul9CWd`Xp3u9jzjNh#uHZWFJ z*4!BxtD&W-AB==dvO1Rd-hmJH!wfC$Q ze36DyIrE~3w63h=R;gHhExULZh^ci-5?(`ojGp<8n%uS$yCKQk?ERIfcJ$U{N`Cr= z9$W7wxD3A?OocdRKWx%9w&)CC_lCO z&BV))eS+l=tgTM{#uKvwDL;t28ZDK>aI>Ro)z-PmWy#0$C(fa-bIgY1pwb5zX{mde zTpJNn@>Xo}o?j)L)@10!#X~ot*@wi6NT0BOUTrFp`41~YUJw^5by7a8He0Dhy87kSjH?#@F)_olQ zb7|`Or&kwH{y>}@kT_MX3N&-pyi>&Ny$Inz;@lxqh-$wy^5R9n#&ql$SPP cat | base64` -### The Hashicorp PKI and Keyfactor Plugin secrets engines +## The Hashicorp PKI and Keyfactor Plugin secrets engines Both the Hashicorp PKI and Keyfactor Secrets Engine plugins are designed to allow managing certifications directly on the Hashicorp Vault instance. The store type for the PKI and/or the Keyfactor secrets engine is the same; `HCVPKI`. This integration supports the following in order to view your certificates from the platform: -1. Inventory - Return all certificates stored in a path. +1. **Inventory** - Return all certificates stored in a path. [View the repository on Github](https://github.com/Keyfactor/hashicorp-vault-secretsengine) for more information about the Hashicorp Vault Keyfactor Secrets Engine plugin. -## Versioning - -The version number of a the Hashicorp Vault Orchestrator Extension can be verified by right clicking on the `Keyfactor.Extensions.Orchestrator.HCV.dll` file in the extensions installation folder, selecting Properties, and then clicking on the Details tab. - -## Keyfactor Version Supported - -This integration was built on the .NET Core 3.1 target framework and are compatible for use with the Keyfactor Universal Orchestrator and the latest version of the Keyfactor platform. - -## Security Considerations - -1. It is not necessary to use the Vault root token when creating a Certificate Store for HashicorpVault. We recommend creating a token with policies that reflect the minimum path and permissions necessary to perform the intended operations. -1. The capabilities required to perform all operations on a cert store within vault are `["read", "list", "create", "update", "patch", "delete"]` -1. These capabilities should apply to the parent folder on file stores. -1. The token will also need `"list"` capability on the `/metadata` path to perform basic operations. ## Extension Configuration @@ -165,9 +151,9 @@ In Keyfactor Command create a new Certificate Store that resembles the one below - If your organization utilizes Vault enterprise namespaces, you should include the namespace here. - **Subfolder Inventory** - Set to 'True' if all of the certificates . The default, 'False' will inventory secrets stored at the root of the "Store Path", but will not look at secrets in subfolders. **Note** that there is a limit on the number of certificates that can be in a certificate store. In certain environments enabling Subfolder Inventory may exceed this limit and cause inventory job failure. Inventory job results are currently submitted to the Command platform as a single HTTP POST. There is not a specific limit on the number of certificates in a store, rather the limit is based on the size of the actual certificates and the HTTP POST size limit configured on the Command web server. -#### Set the server name and password +#### Set the server username and password -- The server name should be the full URL to the instance of Vault that will be accessible by the orchestrator. (example: `http://127.0.0.1:8200`) +- The server username should be the full URL to the instance of Vault that will be accessible by the orchestrator. (example: `http://127.0.0.1:8200`) - The server password should be the Vault token that will be used for authenticating. ### For the Keyfactor and PKI plugins @@ -182,6 +168,7 @@ In Keyfactor Command create a new Certificate Store that resembles the one below - **Name:** "Hashicorp Vault PKI" (or another preferred name) - **Short Name:** "HCVPKI" - **Supported Job Types:** "Inventory" +- **Needs Server** - should be checked (true). ![](images/store_type_pki.PNG) @@ -191,12 +178,10 @@ In Keyfactor Command create a new Certificate Store that resembles the one below ![](images/cert-store-type-advanced.png) -- Click the "Custom Fields" tab to add the following custom fields: +- Click the "Custom Fields" tab to add the following field: - **MountPoint** - type: *string* - - **VaultServerUrl** - type: *string*, *required* - - **VaultToken** - type: *secret*, *required* - -![](images/store_type_fields.png) + +![](images/store_type_fields_pki.png) - Click **Save** to save the new Store Type. @@ -209,14 +194,16 @@ In Keyfactor Command create a new Certificate Store similar to the one below: ![](images/store_type_pki.png) -- **Client Machine** - Enter the URL for the Vault host machine +- **Client Machine** - Enter an identifier for the client machine. This could be the Orchestrator host name, or anything else useful. This value is not used by the extension. - **Store Path** - "/" - **Mount Point** - This is the mount point name for the instance of the PKI or Keyfactor secrets engine plugin. - - If using the PKI plugin, the default in Hashicorp is pki. If using the Keyfactor plugin, it should correspond to the mount point given when the plugin was enabled. + - If using the PKI plugin, the default in Hashicorp is "pki". If using the Keyfactor plugin, the default is "keyfactor". - It is possible to have multiple instances of the Keyfactor plugin running simultaneously, so be sure this corresponds to the one you would like to manage. -- **Vault Token** - This is the access token that will be used by the orchestrator for requests to Vault. -- **Vault Server Url** - the full url and port of the Vault server instance +#### Set the server username and password (values hidden) + +- The **SERVER USERNAME** should be the full URL to the instance of Vault that will be accessible by the orchestrator. (example: `http://127.0.0.1:8200`) +- The **SERVER PASSWORD** should be the Vault token that will be used for authenticating. At this point, the certificate store should be created and ready to peform inventory on your certificates stored via the Keyfactor or PKI secrets engine plugin for Hashicorp Vault. @@ -262,4 +249,19 @@ At this point you should be able to enroll a certificate and store it in Vault u ## Notes / Future Enhancements +### Versioning + +The version number of a the Hashicorp Vault Orchestrator Extension can be verified by right clicking on the `Keyfactor.Extensions.Orchestrator.HCV.dll` file in the extensions installation folder, selecting Properties, and then clicking on the Details tab. + +### Keyfactor Version Supported + +This integration was built on the .NET Core 3.1 target framework and are compatible for use with the Keyfactor Universal Orchestrator and the latest version of the Keyfactor platform. + +## Security Considerations + +1. It is not necessary to use the Vault root token when creating a Certificate Store for HashicorpVault. We recommend creating a token with policies that reflect the minimum path and permissions necessary to perform the intended operations. +1. The capabilities required to perform all operations on a cert store within vault are `["read", "list", "create", "update", "patch", "delete"]` +1. These capabilities should apply to the parent folder on file stores. +1. The token will also need `"list"` capability on the `/metadata` path to perform basic operations. + - For the Key-Value stores we operate on a single version of the Key Value secret (no versioning capabilities through the Orchesterator Extension / Keyfactor). From 53bb02a16062e3f9c263003b29587346e90cd2a1 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Fri, 22 Nov 2024 22:55:57 +0000 Subject: [PATCH 2/6] Update generated README --- README.md | 73 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 39 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index bc3634c..4ed2804 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ The Keyfactor Universal Orchestrator may be installed on either Windows or Linux |Supports Management Remove|✓ |✓ | |Supports Create Store|✓ |✓ | |Supports Discovery|✓ |✓ | -|Supports Renrollment| | | +|Supports Reenrollment| | | |Supports Inventory|✓ |✓ | @@ -56,7 +56,7 @@ This integration for the Keyfactor Universal Orchestrator has been tested agains This integration supports 3 Hashicorp Secrets Engines; PKI, Key-Value store, and the Keyfactor Hashicorp Plugin (Keyfactor Secrets Engine). -### The Key-Value secrets engine +## The Key-Value secrets engine For the Key-Value secrets engine, we have 4 store types that can be used. @@ -67,11 +67,11 @@ For the Key-Value secrets engine, we have 4 store types that can be used. The following operations are supported by this integration for all of the Key-Value secrets engine types: -1. Discovery - Discovery all file repositories for the type -1. Inventory - Inventory all certificates in the path -1. Management (Add) - Add a certificate to a defined certificate store. -1. Management (Remove) - Remove a certificate from a defined certificate store. -1. Create - Create a new, empty certificate store at the path defined in Store Path. +1. **Discovery** - Discovery all file repositories for the type +1. **Inventory** - Inventory all certificates in the path +1. **Management (Add)** - Add a certificate to a defined certificate store. +1. **Management (Remove)** - Remove a certificate from a defined certificate store. +1. **Create** - Create a new, empty certificate store at the path defined in Store Path. Excluding *HCVKVPEM*, the discovery process requires that: 1. The entry for the certificate contain the base64 encoded certificate file. @@ -122,30 +122,16 @@ One way to encode a binary certificate store is to use the following command in `c:\> cat | base64` -### The Hashicorp PKI and Keyfactor Plugin secrets engines +## The Hashicorp PKI and Keyfactor Plugin secrets engines Both the Hashicorp PKI and Keyfactor Secrets Engine plugins are designed to allow managing certifications directly on the Hashicorp Vault instance. The store type for the PKI and/or the Keyfactor secrets engine is the same; `HCVPKI`. This integration supports the following in order to view your certificates from the platform: -1. Inventory - Return all certificates stored in a path. +1. **Inventory** - Return all certificates stored in a path. [View the repository on Github](https://github.com/Keyfactor/hashicorp-vault-secretsengine) for more information about the Hashicorp Vault Keyfactor Secrets Engine plugin. -## Versioning - -The version number of a the Hashicorp Vault Orchestrator Extension can be verified by right clicking on the `Keyfactor.Extensions.Orchestrator.HCV.dll` file in the extensions installation folder, selecting Properties, and then clicking on the Details tab. - -## Keyfactor Version Supported - -This integration was built on the .NET Core 3.1 target framework and are compatible for use with the Keyfactor Universal Orchestrator and the latest version of the Keyfactor platform. - -## Security Considerations - -1. It is not necessary to use the Vault root token when creating a Certificate Store for HashicorpVault. We recommend creating a token with policies that reflect the minimum path and permissions necessary to perform the intended operations. -1. The capabilities required to perform all operations on a cert store within vault are `["read", "list", "create", "update", "patch", "delete"]` -1. These capabilities should apply to the parent folder on file stores. -1. The token will also need `"list"` capability on the `/metadata` path to perform basic operations. ## Extension Configuration @@ -215,9 +201,9 @@ In Keyfactor Command create a new Certificate Store that resembles the one below - If your organization utilizes Vault enterprise namespaces, you should include the namespace here. - **Subfolder Inventory** - Set to 'True' if all of the certificates . The default, 'False' will inventory secrets stored at the root of the "Store Path", but will not look at secrets in subfolders. **Note** that there is a limit on the number of certificates that can be in a certificate store. In certain environments enabling Subfolder Inventory may exceed this limit and cause inventory job failure. Inventory job results are currently submitted to the Command platform as a single HTTP POST. There is not a specific limit on the number of certificates in a store, rather the limit is based on the size of the actual certificates and the HTTP POST size limit configured on the Command web server. -#### Set the server name and password +#### Set the server username and password -- The server name should be the full URL to the instance of Vault that will be accessible by the orchestrator. (example: `http://127.0.0.1:8200`) +- The server username should be the full URL to the instance of Vault that will be accessible by the orchestrator. (example: `http://127.0.0.1:8200`) - The server password should be the Vault token that will be used for authenticating. ### For the Keyfactor and PKI plugins @@ -232,6 +218,7 @@ In Keyfactor Command create a new Certificate Store that resembles the one below - **Name:** "Hashicorp Vault PKI" (or another preferred name) - **Short Name:** "HCVPKI" - **Supported Job Types:** "Inventory" +- **Needs Server** - should be checked (true). ![](images/store_type_pki.PNG) @@ -241,12 +228,10 @@ In Keyfactor Command create a new Certificate Store that resembles the one below ![](images/cert-store-type-advanced.png) -- Click the "Custom Fields" tab to add the following custom fields: +- Click the "Custom Fields" tab to add the following field: - **MountPoint** - type: *string* - - **VaultServerUrl** - type: *string*, *required* - - **VaultToken** - type: *secret*, *required* - -![](images/store_type_fields.png) + +![](images/store_type_fields_pki.png) - Click **Save** to save the new Store Type. @@ -259,14 +244,16 @@ In Keyfactor Command create a new Certificate Store similar to the one below: ![](images/store_type_pki.png) -- **Client Machine** - Enter the URL for the Vault host machine +- **Client Machine** - Enter an identifier for the client machine. This could be the Orchestrator host name, or anything else useful. This value is not used by the extension. - **Store Path** - "/" - **Mount Point** - This is the mount point name for the instance of the PKI or Keyfactor secrets engine plugin. - - If using the PKI plugin, the default in Hashicorp is pki. If using the Keyfactor plugin, it should correspond to the mount point given when the plugin was enabled. + - If using the PKI plugin, the default in Hashicorp is "pki". If using the Keyfactor plugin, the default is "keyfactor". - It is possible to have multiple instances of the Keyfactor plugin running simultaneously, so be sure this corresponds to the one you would like to manage. -- **Vault Token** - This is the access token that will be used by the orchestrator for requests to Vault. -- **Vault Server Url** - the full url and port of the Vault server instance +#### Set the server username and password (values hidden) + +- The **SERVER USERNAME** should be the full URL to the instance of Vault that will be accessible by the orchestrator. (example: `http://127.0.0.1:8200`) +- The **SERVER PASSWORD** should be the Vault token that will be used for authenticating. At this point, the certificate store should be created and ready to peform inventory on your certificates stored via the Keyfactor or PKI secrets engine plugin for Hashicorp Vault. @@ -312,5 +299,23 @@ At this point you should be able to enroll a certificate and store it in Vault u ## Notes / Future Enhancements +### Versioning + +The version number of a the Hashicorp Vault Orchestrator Extension can be verified by right clicking on the `Keyfactor.Extensions.Orchestrator.HCV.dll` file in the extensions installation folder, selecting Properties, and then clicking on the Details tab. + +### Keyfactor Version Supported + +This integration was built on the .NET Core 3.1 target framework and are compatible for use with the Keyfactor Universal Orchestrator and the latest version of the Keyfactor platform. + +## Security Considerations + +1. It is not necessary to use the Vault root token when creating a Certificate Store for HashicorpVault. We recommend creating a token with policies that reflect the minimum path and permissions necessary to perform the intended operations. +1. The capabilities required to perform all operations on a cert store within vault are `["read", "list", "create", "update", "patch", "delete"]` +1. These capabilities should apply to the parent folder on file stores. +1. The token will also need `"list"` capability on the `/metadata` path to perform basic operations. + - For the Key-Value stores we operate on a single version of the Key Value secret (no versioning capabilities through the Orchesterator Extension / Keyfactor). +When creating cert store type manually, that store property names and entry parameter names are case sensitive + + From 4e49c8261e42bfe6a070e8ac859f04d2fb6817b2 Mon Sep 17 00:00:00 2001 From: Joseph VanWanzeele Date: Fri, 22 Nov 2024 18:16:49 -0500 Subject: [PATCH 3/6] updated readme --- readme_source.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/readme_source.md b/readme_source.md index 91d7e7e..c475d82 100644 --- a/readme_source.md +++ b/readme_source.md @@ -1,10 +1,12 @@ -This integration for the Keyfactor Universal Orchestrator has been tested against Hashicorp Vault 1.10. It utilizes the **Key/Value** secrets engine to store certificates issues via Keyfactor Command. +This integration for the Keyfactor Universal Orchestrator has been tested against Hashicorp Vault 1.10+. It utilizes the **Key/Value** secrets engine to store certificates issues via Keyfactor Command. ## Use Cases -This integration supports 3 Hashicorp Secrets Engines; PKI, Key-Value store, and the Keyfactor Hashicorp Plugin (Keyfactor Secrets Engine). +This integration supports three Hashicorp Secrets Engines; **PKI**, **Key-Value** store, and the **Keyfactor** secrets engine. +The first part of this document describes setting up the store types available within the Hashicorp Vault Key-Value secrets engine. +If you are using the Keyfactor Secrets Engine, or the Hashicorp Vault PKI Secrets Engine, you can skip to [this section](#the-hashicorp-pki-and-keyfactor-plugin-secrets-engines). ## The Key-Value secrets engine @@ -82,6 +84,7 @@ This integration supports the following in order to view your certificates from [View the repository on Github](https://github.com/Keyfactor/hashicorp-vault-secretsengine) for more information about the Hashicorp Vault Keyfactor Secrets Engine plugin. +[View the Hashicorp documentation](https://developer.hashicorp.com/vault/api-docs/secret/pki) for more information on the Hashicorp Vault PKI Secrets Engine ## Extension Configuration @@ -97,7 +100,7 @@ This integration supports the following in order to view your certificates from ### In the Keyfactor Platform -#### Add a new Certificate Store Type - **Hashicorp Vault Key-Value PEM** +#### Add the Certificate Store Type - Log into Keyfactor as Administrator or a user with permissions to add certificate store types. - Click on the gear icon in the top right and then navigate to the "Certificate Store Types" @@ -132,7 +135,7 @@ The 3 highlighted fields above will be added automatically by the platform, you - Click **Save** to save the new Store Type. -#### Add the Hashicorp Vault Certificate Store - **Key-Value Secrets Engine** +#### Add the Certificate Store - Navigate to **Locations** > **Certificate Stores** from the main menu - Click **ADD** to open the new Certificate Store Dialog @@ -158,6 +161,8 @@ In Keyfactor Command create a new Certificate Store that resembles the one below ### For the Keyfactor and PKI plugins +#### Add the Store Type + - Add a new Certificate Store Type - Log into Keyfactor as Administrator or a user with permissions to add certificate store types. - Click on the gear icon in the top right and then navigate to the "Certificate Store Types" @@ -190,6 +195,8 @@ In Keyfactor Command create a new Certificate Store that resembles the one below - Navigate to **Locations** > **Certificate Stores** from the main menu - Click **ADD** to open the new Certificate Store Dialog +#### Add the Certificate Store + In Keyfactor Command create a new Certificate Store similar to the one below: ![](images/store_type_pki.png) @@ -207,6 +214,7 @@ In Keyfactor Command create a new Certificate Store similar to the one below: At this point, the certificate store should be created and ready to peform inventory on your certificates stored via the Keyfactor or PKI secrets engine plugin for Hashicorp Vault. + ## Testing the Key-Value store ### PFX Enrollment into Vault From cf4b571c262b489c5160fcbd11beb06620e49167 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Fri, 22 Nov 2024 23:20:51 +0000 Subject: [PATCH 4/6] Update generated README --- README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4ed2804..6123120 100644 --- a/README.md +++ b/README.md @@ -50,11 +50,13 @@ The Keyfactor Universal Orchestrator may be installed on either Windows or Linux -This integration for the Keyfactor Universal Orchestrator has been tested against Hashicorp Vault 1.10. It utilizes the **Key/Value** secrets engine to store certificates issues via Keyfactor Command. +This integration for the Keyfactor Universal Orchestrator has been tested against Hashicorp Vault 1.10+. It utilizes the **Key/Value** secrets engine to store certificates issues via Keyfactor Command. ## Use Cases -This integration supports 3 Hashicorp Secrets Engines; PKI, Key-Value store, and the Keyfactor Hashicorp Plugin (Keyfactor Secrets Engine). +This integration supports three Hashicorp Secrets Engines; **PKI**, **Key-Value** store, and the **Keyfactor** secrets engine. +The first part of this document describes setting up the store types available within the Hashicorp Vault Key-Value secrets engine. +If you are using the Keyfactor Secrets Engine, or the Hashicorp Vault PKI Secrets Engine, you can skip to [this section](#the-hashicorp-pki-and-keyfactor-plugin-secrets-engines). ## The Key-Value secrets engine @@ -132,6 +134,7 @@ This integration supports the following in order to view your certificates from [View the repository on Github](https://github.com/Keyfactor/hashicorp-vault-secretsengine) for more information about the Hashicorp Vault Keyfactor Secrets Engine plugin. +[View the Hashicorp documentation](https://developer.hashicorp.com/vault/api-docs/secret/pki) for more information on the Hashicorp Vault PKI Secrets Engine ## Extension Configuration @@ -147,7 +150,7 @@ This integration supports the following in order to view your certificates from ### In the Keyfactor Platform -#### Add a new Certificate Store Type - **Hashicorp Vault Key-Value PEM** +#### Add the Certificate Store Type - Log into Keyfactor as Administrator or a user with permissions to add certificate store types. - Click on the gear icon in the top right and then navigate to the "Certificate Store Types" @@ -182,7 +185,7 @@ The 3 highlighted fields above will be added automatically by the platform, you - Click **Save** to save the new Store Type. -#### Add the Hashicorp Vault Certificate Store - **Key-Value Secrets Engine** +#### Add the Certificate Store - Navigate to **Locations** > **Certificate Stores** from the main menu - Click **ADD** to open the new Certificate Store Dialog @@ -208,6 +211,8 @@ In Keyfactor Command create a new Certificate Store that resembles the one below ### For the Keyfactor and PKI plugins +#### Add the Store Type + - Add a new Certificate Store Type - Log into Keyfactor as Administrator or a user with permissions to add certificate store types. - Click on the gear icon in the top right and then navigate to the "Certificate Store Types" @@ -240,6 +245,8 @@ In Keyfactor Command create a new Certificate Store that resembles the one below - Navigate to **Locations** > **Certificate Stores** from the main menu - Click **ADD** to open the new Certificate Store Dialog +#### Add the Certificate Store + In Keyfactor Command create a new Certificate Store similar to the one below: ![](images/store_type_pki.png) @@ -257,6 +264,7 @@ In Keyfactor Command create a new Certificate Store similar to the one below: At this point, the certificate store should be created and ready to peform inventory on your certificates stored via the Keyfactor or PKI secrets engine plugin for Hashicorp Vault. + ## Testing the Key-Value store ### PFX Enrollment into Vault From 37a57340b764dcae1b7bb531da781a329cb31c8b Mon Sep 17 00:00:00 2001 From: Joseph VanWanzeele Date: Mon, 25 Nov 2024 11:41:21 -0500 Subject: [PATCH 5/6] Removed confusing comment. --- hashicorp-vault-orchestrator/HcvKeyfactorClient.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs b/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs index d3250af..a9aee7b 100644 --- a/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs +++ b/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs @@ -34,8 +34,7 @@ public class HcvKeyfactorClient : IHashiClient public HcvKeyfactorClient(string vaultToken, string serverUrl, string mountPoint, string storePath) { _vaultToken = vaultToken; - _mountPoint = mountPoint ?? "keyfactor"; // the mount point, including the namespace.. the namespace cannot contain slashes; so it will be everything before the first slash - // example: KF/pki/pru uses the KF namespace and the mount point is pki/pru. + _mountPoint = mountPoint ?? "keyfactor"; // the mount point, including the namespace. _storePath = !string.IsNullOrEmpty(storePath) ? "/" + storePath : storePath; _vaultUrl = $"{ serverUrl }/v1/{ _mountPoint.Replace("//", "/") }"; From c3f10840449c7ac737f46b2b6c890af30de3aba2 Mon Sep 17 00:00:00 2001 From: Joseph VanWanzeele Date: Mon, 25 Nov 2024 16:57:59 -0500 Subject: [PATCH 6/6] changed package version to publicly available one --- .../hashicorp-vault-orchestrator.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj b/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj index 64e754e..5da53c4 100644 --- a/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj +++ b/hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj @@ -34,7 +34,7 @@ all - + all