From a31de536b525e66eb77232247ebea68f79d9003d Mon Sep 17 00:00:00 2001 From: Can Bulut Bayburt Date: Fri, 8 Nov 2024 16:26:32 +0100 Subject: [PATCH 1/5] RFC: Role-Based Access Control (RBAC) --- accepted/00000-rbac.md | 271 ++++++++++++++++++++++ accepted/images/00000-rbac-er-diagram.png | Bin 0 -> 36367 bytes 2 files changed, 271 insertions(+) create mode 100644 accepted/00000-rbac.md create mode 100644 accepted/images/00000-rbac-er-diagram.png diff --git a/accepted/00000-rbac.md b/accepted/00000-rbac.md new file mode 100644 index 00000000..aa070110 --- /dev/null +++ b/accepted/00000-rbac.md 
@@ -0,0 +1,271 @@ +# RFC: Role-Based Access Control + +- Feature Name: Role-Based Access Control (RBAC) +- Start Date: 2024-11-12 +- Author: @cbbayburt + +# Summary +[summary]: #summary + +This RFC proposes implementing role-based access control (RBAC) in Uyuni to meet users' needs for fine-grained access control and configuration. +The solution is extensible, integrates with existing features of the codebase, and is independent of the ongoing efforts to migrate from the Struts framework. + + +# Motivation +[motivation]: #motivation + +Currently, access control rules are defined by static role information and controlled individually within each action. +By default, each new feature must define its own access rules; if no rules are explicitly defined, the feature is available to all authenticated users. + +This proposal moves access control rules to a centrally managed location. +The code implementation is generic and relies on configurable access policy definitions, allowing new use cases and rule definitions to be addressed through configuration rather than code changes. +The Uyuni Server deploys with sensible defaults and enables users to define custom access policies (user access groups) to meet their specific needs. + +The goal of access control is to answer the following question: "Can user U perform operation O on resource R?" + +Access control operates on three distinct levels, each with specific goals and constraints: + +1. **Authentication:** Identifies the user calling this action. +2. **Authorization:** Determines if the user is allowed to call the endpoints for this action. +3. **Accounting:** Assesses whether the user is permitted to operate on a specific entity. + +This proposal specifically addresses level 2, authorization. +Level 1 is managed through the authentication filter, and level 3 is handled within each feature implementation, thus falling outside the scope of this RFC. 
+ + +# Detailed design +[design]: #detailed-design + +## Overview + +This solution stores all available network endpoints in the database and determines which endpoints each user can access, with the exception of the **Uyuni Administrator** role, which bypasses access control. + +Endpoints are organized into functional groups called **namespaces**, allowing administrators to modify access control rules easily without needing to navigate the complex endpoint structure. +This approach reduces the risk of misconfiguration. + +The namespaces are further categorized by access mode into "View" and "Modify" to provide a clear distinction of access levels. +Access policies are defined by mapping namespaces to access control groups. + +All existing endpoints must be mapped and grouped into namespaces: + +- **308** endpoints in Spark framework used by the web UI +- **757** XML-RPC and JSON over HTTP API endpoints (excluding overloads) +- **563** Struts entry points + +The proposed solution is based on the following key components: + +1. Access control data +2. User access information +3. Access control filters +4. Management interface +5. Development resources + +## 1. Access Control Data + +Every access point in Uyuni is mapped as an **endpoint** in the database and grouped into **namespaces**. +Access control is enforced by defining rules for these namespaces, either per **user** or **access group**. + +Below is a simplified ER diagram illustrating the proposed structure for access information in the database: + +![ER diagram](images/00000-rbac-er-diagram.png) +*[View in dbdiagram.io](https://dbdiagram.io/d/Uyuni-RBAC-672e18b3e9daa85acacbddd0)* + +### Endpoint + +An **endpoint** represents a specific access point that can be called by a client, such as a web page URL, an internal API endpoint used by a web page, or a public API endpoint. + +- **`endpoint`**: The accessible URI of the endpoint. 
+- **`class_method`**: The Java class that handles incoming requests to the endpoint, such as a controller class for web endpoints or an API handler for API endpoints. +- **`http_method`**: The HTTP method (e.g., GET, POST, PUT, DELETE) accepted by the endpoint. If multiple methods are supported, each should be defined as a separate endpoint since they typically serve different purposes. +- **`scope`**: Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API. + +### Namespace + +A **namespace** is a logical grouping of endpoints that performs a specific task and defines the smallest unit of access control. + +- **`namespace`**: A label representing the namespace, expressed as a dot-separated string of components. Each component corresponds to a level of hierarchy for a task, with related tasks sharing the same components at higher levels. + + *Example:* + - `clm.project.list`: Allows viewing the CLM projects list. + - `clm.project.details`: Allows viewing or modifying the details of a CLM project. + +- **`access_mode`**: Defines the access level for each namespace as either "View" (R) or "Modify" (W). Many namespaces will have separate entries for each mode, with different endpoints for each purpose. + + For example, `clm.project.details` **[R]** allows viewing a project's details, where `clm.project.details` **[W]** allows modifying them. + +- **`description`**: A clear description of what a namespace grants access to. + +#### Organization of namespaces + +Organizing namespaces in a hierarchical structure with distinct access modes simplifies management and modification of access rules for administrators across users or groups. + +### Access group + +An **access group** is a collection of access rules that can be assigned to users, allowing administrators to manage permissions for multiple users at once. +Access groups can be either predefined or created by administrators. 
+Predefined groups serve as replacements for existing user roles on the Uyuni server. + +- **`label`**: The label of the access group. +- **`description`**: The purpose or scope of the access group. +- **`org_id`**: The ID of the organization to which the group belongs. This field will be `null` for predefined groups. + +#### Existing roles + +To ensure a smooth transition, existing roles will remain until all JSP/Struts pages are fully removed. The new access control mechanism includes default user access groups replicating the following roles: + +- Uyuni Administrator +- Organization Administrator +- Activation Key Administrator +- Configuration Administrator +- Image Administrator +- Channel Administrator +- System Group Administrator +- Read-only API User + + +## 2. User Access Information + +Users can be granted access either individually or through access groups. + +Users assigned to an access group inherit all permissions defined within that group. +While administrators can grant individual users additional permissions beyond those provided by their assigned group, they cannot revoke permissions set by the group. Additionally, users can belong to multiple access groups and inherit all associated access rules. + +Predefined access groups are designed to meet the needs of most environments; however, administrators can create custom groups to address specific requirements as needed. 
+ +Below is a conceptual example of how access rules can be defined for an individual user: + +**Example:** Grant tailored access to content management (images) feature for user `Alice` + +Available namespaces in the content management feature: + +| namespace | access_mode | description +|-------------------|-------------|------------------------------------------------------------------------- +|cm.build | Modify (W) | Build container or Kiwi images +|cm.image.import | Modify (W) | Import container images from a registered image store +|cm.image.list | View (R) | List all images +|cm.image.list | Modify (W) | Delete images +|cm.image.overview | View (R) | View image details, patches, packages, build log and cluster information +|cm.image.overview | Modify (W) | Inspect, rebuild, delete images +|cm.profile.details | View (R) | View details of an image profile +|cm.profile.details | Modify (W) | Create image profiles, edit profile details +|cm.profile.list | View (R) | List all image profiles +|cm.profile.list | Modify (W) | Delete image profiles +|cm.store.details | View (R) | View details of an image store +|cm.store.details | Modify (W) | Create image stores, edit store details +|cm.store.list | View (R) | List all image stores +|cm.store.list | Modify (W) | Delete image stores + +Setting up access rules for user `Alice`: + +- Grant view access to the entire images feature: + + ``` + Grant 'View' on 'cm.*' to 'Alice' + ``` + +- Prevent access to sensitive image store information: + + ``` + Revoke 'View' on 'cm.store.details' from 'Alice' + ``` + +- Allow `Alice` to build and manage images: + + ``` + Grant 'All' on 'cm.build' to 'Alice' + Grant 'All' on 'cm.image.*' to 'Alice' + ``` + +- With these permissions, `Alice` can now: + + - List all images + - Delete all images + - View image details, patches, packages, build log and cluster information + - List all image profiles + - View details of an image profile + - List all image stores + - Build container or Kiwi 
images + - Inspect, rebuild, delete images + - Import container images from a registered image store + +- When permissions are no longer needed, revoke them: + ``` + Revoke 'All' on 'cm.*' from 'Alice' + ``` + +*Permissions can be assigned to an access group instead of an individual user in the same manner.* + + +## 3. Access Control Filters + +Access control is enforced at the endpoint level through a dedicated Java servlet filter. + +The filter queries the database to verify if the current user is permitted to access a specified endpoint. +It does this by matching the requested URI with the `endpoint` field of allowed endpoints within any associated namespace before passing the request along the chain. + +Additionally, the filter injects details of the relevant access rule, such as the namespace and the access mode, into the request context, allowing the controller processing the endpoint to access this information. +This enables the controller to serve conditional content based on each user's access rules, such as hiding unauthorized sections of the page. New ACL methods can also be used to check access to arbitrary namespaces for similar purposes. + +The filter controls access to the following types of endpoints: + +- Struts pages +- Spark web UI endpoints (pages and internal API) +- Spark public API endpoints (JSON over HTTP API) +- Saltboot endpoints +- Ajax endpoints +- Websocket endpoints + +By default, any requested URI is denied access unless a match is found. + +### XML-RPC API + +Access to XML-RPC API methods is managed through the `BaseHandler` class, the base class for all XML-RPC handlers. +Access is granted if the requested method's name and handler match the `class_method` field of an allowed endpoint. + +XML-RPC and HTTP APIs share the same endpoint entries in the database. However, while HTTP requests are validated against the `endpoint` field, XML-RPC requests are validated against the `class_method` field. 
+ +### Performance + +Access control checks query the database on every request. +To mitigate performance impact, a user's access rules can be preloaded into memory and stored in the user's session data during login, enabling faster access control validation. + + +## 4. Management Interface + +A UI catalog is proposed for access control administration, offering a clear and user-friendly view of all namespaces along with their descriptions. + +Additionally, administrators can manage access through a new API namespace called `access`, which provides methods to: + +- Grant or revoke access to a namespace for a user or access group +- Add or remove a user from an access group +- Check if a user or group has access to a specific namespace +- List all available namespaces for a particular feature + + +## 5. Development Resources + +After the initial development and mapping of all existing endpoints to the new structure, ongoing effort is required to keep endpoint mappings and the namespace structure up-to-date. To reduce RBAC overhead when implementing new features, the following additional resources are proposed: + +- An extensive Wiki guide on adding necessary endpoints with proper namespace organization +- Stored procedures and scripts to easily grant/revoke user access for development +- CI checks to detect any unmapped endpoints when introducing new features +- A failsafe mechanism to prevent access to unmapped endpoints +- Startup checks in the Uyuni Server to log any misconfigurations within a specific deployment + +# Drawbacks +[drawbacks]: #drawbacks + +- **Increased development complexity and overhead:** Maintaining RBAC will require additional development effort, especially to ensure that all endpoints are properly mapped and categorized. Each new feature will need to be carefully aligned with access policies, adding complexity to the process. 
+ +- **Potential for configuration drift**: Over time, there is a risk that the RBAC namespace structure and actual endpoint mappings may drift apart. If new endpoints or features are not consistently mapped or if namespace groupings are mismanaged, this can lead to security gaps or unintended access permissions. + +- **Learning curve for administrators and developers**: Introducing a new RBAC model with detailed namespace mapping and access modes may require training for both developers and administrators. Adjusting to this new model and understanding the finer distinctions of access control may initially be challenging. + +# Unresolved Questions +[unresolved]: #unresolved-questions + +- **Granularity of access control:** Should the RBAC model include finer-grained permissions, such as access by specific actions (create, update, delete) within a namespace, or is the proposed "View" vs. "Modify" access mode sufficient for most cases? + +- **External integration needs:** Will the RBAC system require compatibility with external authentication or access control systems, such as LDAP, and if so, what integration points are required to support this? + +- **Additional access groups:** Should predefined access groups be expanded to cover specific use cases beyond those mirroring existing roles? 
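Review bot: In section 3 (Access Control Filters) the filter is specified as matching only the requested URI against the `endpoint` field, although section 1 makes `http_method` part of an endpoint's identity and requires a separate entry per method. The check should be stated as a match on the (URI, HTTP method) pair, with URI normalization and path-parameter handling spelled out, otherwise a "View" grant that covers a GET entry could also authorize a POST to the same URI. The Performance subsection proposes preloading a user's rules into session data at login without saying how a grant or revoke made through the `access` API reaches sessions that are already open; please add an invalidation rule so that a revocation is not deferred until the next login. In the `Alice` example, state whether `cm.*` is expanded when the grant is made or evaluated at check time (this decides whether namespaces added later are covered), and how the per-user `Revoke 'View' on 'cm.store.details'` interacts with the stated rule that permissions set by a group cannot be revoked. Level 3 in the Motivation list describes per-entity authorization rather than accounting, which normally means audit logging; consider renaming it.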
diff --git a/accepted/images/00000-rbac-er-diagram.png b/accepted/images/00000-rbac-er-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..58457071628e15759fad6086b4133a0b58e4145c GIT binary patch literal 36367
zhe01UYk1l$z!(mV%Fp@)J12l-(2@UGOzJzcrtrn@VOCZlfGZM^ej!2q*-H_!T#Ul~ z+td)-$qG@~2vE=6V7~%n@m`=62_@;f49Tp|*dWh(hrc`!}|<8W=@lK)7FKWVmv5&6fJ(11 zrh zvp?cmcaXdYcA(k);C$OTCE_ux+nma2(ZGQ$H=L$iTIr~)$FCak(}O$q#8)X%x|rrV zB~hiR3Q+8poeT~S6G{YhoU!Zenb4WT=T+=C8mNzvhH6yD#1b?mAqxbLmRb9^Z?IEB zy)7DOj;%H{i1jrV@H(eBklnzk5R|6>UPZL?F6FQ8zdazALe42@CAGRrzOl)G`~FT6 zl+4Asvf`A2!Ld($vz?utkZ~w;^xZ+sj1azlr#$Hau1fm&Htm(QTo>e43w z8&D`;UeG4kfc*Xaga0zfw4?WDlgj8NH1urvWPf{b-hulOQ3mkY%CY$}YZ-%D+9s?N>jFW%Jwv?nO%*bH0viPvzG?vFs@&zDvejgMQ?h6;le0^!Y zO09?4dHlAPXyWw!fibfv>QgRlv9((~(uz5RAIm;3_wHe5=LwMWzToRjmL%WQy|1X) zYj(Q8PZd<-p@V_AF@c0bnl}hN8$3;tTDrQ`c)OjrZ%?UMJvR>M+R{NFG>i~{HBu(w zOFw>9O;b||1XA*F1ERLux1%&zm;}kG7-+A4hv^ZJa0r`zjNHwHfDRhu{-*kQr7APK zQ$pk8*;On`ubuk79H@0(kTaWz2YTNX7<|!U*7ati&oKu!Yb_Gz1?-fCsXnz$(q~QepiDO?~9M z&!7FD<%Zp6iIJ{Hd(S+#>h)!h39OfU5~=`_;s{*xEuE9#djJU@-eA?eH>V*}*eLHX zn&{Ky6|6@GwL&m~Y{gQ6*VW6d*as^9-d<{lr;-+wIC4zjB^UCL^n!9-A*Vz1Q0y#m}1@!4Ri?L4QYp&G&O6@S%onf+|M*V14DC zDBL9NFSsx{JBW#{^iG7466lgZCPkx~3BJYojW%n2kInUBUFDgX8IRp?WJhNTV)7Yj z1|=PpHHle&=S{H6is>*zv*pkb(sc4;+XbfNYc?2h6Iq8w%=)gTuMBnvouJSlXJI+!9*}WX%Y*rqo3sFk zn{I$dF!AOuG!pX`0wlj}yy)?8HM!nzPf!gikv;2!)s>$WWMv;;Qv0K#HI$hCGxOgQ zBYKvL20i2`2u>$hED0{iA>VxiSn0Rc!lxwBSc2hZ+|FpKO%G}Z_P{?|Zr^j7{@C6v zYiQYcbk8>K=1ofm7+pEuV;~xSsKmp>G}{zN1~AES_8OfMc*6%HVOe)eV3PYndwZb3 zT>rV@)k~Lc=wZYUb`A(7_Hjo#8N|xpym{{5Rk6<-+t|e(H>@!@XrR#rqU5D0R>!?j zrMe$>Ya%ju)ilb<Tg z$$QYR)y(DF)qVZ?741D4#uO3}F`9?*CHbPlwo45!xiN5~`R3T__V+x!6~^4qO*J$e zMS!_s0~^E!>GtT}a_%6Ay$&Nf1fuoIOkecX7|LS6!~LVe#il|1FYA ztEf2OS5R>3k+#gH{dYB39ARBXLnOWDM{ijoe78-#wFs~wLQqA|^5xdfxkl%^Ax%wb z>B)#-Oho3^EninNG||__#*o>TwvmPXyN@tq-;Z42u(5bccu&Nq;7Q6GM>YeGKqz?^ z4IYm0t9befS2@HRaJ|0P~(^WHT|)+Pd`M9|W{0BJ4czD$tw%=#Z@*y_bQPqG^u zIKYxoT&!Q=qLtfLJ7S@?w^=mjyfC!;3`q$R7!1*Jy|Me8n+O9g*L-{qApUDrZC!(^ zx_R({U+p7zY3$26o}gUmE9n^-Z$5u+Uq^X(9O?e1ie38jsXJ!}?26Au+eNm)^2x<* zo_rAc-*bfoHMT+Al%F0uZxP>=w=xs3VHW`?hgiG1{iB&cXpsU92uT_>^qT> z+3vCNh8X@n!M5Og<@Wd61XE{vwj@rPiILIr!Grmq#f(h-5xF_(+3$TTYn69j!Rq}W 
zk_8)cRo5lqb$04n^8{Q}WOTAJ5rOmLQc^S@ShI%qH}&=FqX3k@Td)fYKkn_N|LG|Z zx6^;w9Tb3EJ9UbySIy!RY`6zi)SZ?|4wP5*#_Ov-jk_A47IKslEX~KQNo<{by1Rrw zy#8awN@V-2&qq!k{^+qb9M?hMuWRY}3wiB^-^Un8;$n@#?rb*6ZDQtA-9T-*v$H4< zv(L$YI4xBwR6eI&&KVnQh{U&Z0+$*%Mm#vO0GAau)Oiw^tLS}_miA^>o3-q(3KCRrg$*4d1~ws4T(>nb%c;RRA7@~wN(sRkG;bG8d}|*i$bK)4rB3wg zZCd>cH28gz>^QY$%!n00wgU#p|T!2{9`0=76{0?754Fz8p7tlabNi^Pf4lght;)oA~0jHBHaL5NaHL=yXAvlGo()Q0hH3?ZIX6Vb=dur zAkk@N3idmrch`eLOK_>UowX8i_r-Q2yAdp#&vls9pyAf7GmRmywMCCPOKdI=_*P9g z-qzHt+d)>e!Oj4;+}*`^(V>q?_it%idQ2VMwULY!bGS_KV(c8+(XR03gdqhi-8gb% zcz^71$=9gWMjgmb?lT*RMC!MN;Y9hT;fbr?AZb1&fOz>PlXR?J+4|O! zHH4g`M6%S4H`4qpzK78-8}oFHZ8J}vGpr4MLx33IDgqTkyYM{z`8F1E=D?d^b|G*}m zzacIu+DCLKK@|0Ne~cr>PZ_OY*Y{cLg@1#%ki%%9=TlA&N9A|yrVoRI6Q#q`Pl~I+ zJXP0R5~0y*@K81;%twts`$zUqIpO!H6|^w_8>hwJc=bPii1)sJ?wvUH(K7a5po%a( zb$z^r{;$6%a|iODeFFUAUsGFufB9dC`7bd1A3qf3Wc;hWA=8k9bNuytQMq1gqLmz6 zTyhMjl3qUj7L;c!ckVQB6^cyK%V#=YOlIyL8_ZMb5q1IypxliG0&2bjUq+Z<3jWCtCIJwH4TltRpC$Wlq-=W( z2d#rX?(zKja~LQ2Cm+PIG3K&~mrQ-1aZaFOl7VRf8e{-%sW~~Ueha8|k-g0-d9dLk zU?s1neHXY4-olDGpg7uwn~9IZO9lod7D-pZ2jl$UXJA(5#`oC4bki}v;bB7n!u~&h z^8c`1tzO_paMqbuhII2}$1Y zswcse2$cEx8-Fkn*jN7n@RqC=X}2U-`Yk;<21_XVha-(rYb#9l5R_^6`4aPuF*XA` z(bs#W33lr;j|&(%B_BslYF)iv-ZY z2zE=v4F#s^t<`&XQP%r#ve*g$b+JO{l2p2F$EUv^2dqmJ(4>03LW}RW{Zy9;Rd?eg zs^BnzWrz>Ez;U`dBose!&-}Lx3ysQwX-FB|US~l7d<4V5jmX|!TLUv80(nb`G20 zoN3#+fGXGw`DmfA4JKPlQ`4B7d=jr`hi|y*}-aP0kj)p2(Q8~y;DQ7G{cbQvy13ax2l~SyfYcF4lB!|~`+rU-hXWWey zAM59{^HJggU+nC*?j7v6`Bwn}{{76Ef4p^@-5%xoAg@7x`SwlT_jMEuf@osuHP{Rm zG9gQ(CHK`HCt-96lx5$&W$X!Bmbn!|6F@?m-`?4I7)~NsC!?~?>GiHDD_J04fORP6 zbl5sT8JGejEco7X0|Rre1U}D@qy5xx^3%z7H!xhW%=H+TI(~VVWDIj#U;pY&$wB)A zTdR0^4-fH5&q?i9$&!&ELLswJwgVLbu-n+iLEO3MTrGuFj}H}ZqHG7>KI~>CT3jsu zDwf^fFA<-RP~xqck^7@{@(REki9*!Xk=sDua&e{dAOKK6;touW6ubdCkkAfF@41T$ zreeP&n!lNydIfjEKfP`5 ziDzMEe$;9U2If;?%yF*OB6bxePd_a=n!XAS-noOr5jMz8q}^|Q`M?i0nT&ub8SmT? z7>6-*{t=!nC+zJn20ju8I%Kl5jpJ8b5@SaM5MJmL6m$|_&a Jxn}79zW_TeIBoy{ literal 0 HcmV?d00001 
From e34243b06732627976d9d9b2bc676109866d8be0 Mon Sep 17 00:00:00 2001 From: Can Bulut Bayburt Date: Wed, 13 Nov 2024 17:30:14 +0100 Subject: [PATCH 2/5] Clarify AAA framework terms --- accepted/00000-rbac.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/accepted/00000-rbac.md b/accepted/00000-rbac.md index aa070110..3f6b7326 100644 --- a/accepted/00000-rbac.md +++ b/accepted/00000-rbac.md @@ -27,10 +27,9 @@ Access control operates on three distinct levels, each with specific goals and c 1. **Authentication:** Identifies the user calling this action. 2. **Authorization:** Determines if the user is allowed to call the endpoints for this action. -3. **Accounting:** Assesses whether the user is permitted to operate on a specific entity. +3. **Accounting:** Tracks and logs actions taken by users on specific resources. -This proposal specifically addresses level 2, authorization. -Level 1 is managed through the authentication filter, and level 3 is handled within each feature implementation, thus falling outside the scope of this RFC. +This proposal specifically addresses level 2, authorization. However, managing access control across different instances or sets of the same resource type is considered beyond the scope of this RFC. # Detailed design From 17f7f92a0ef5c4c4b8fd1b80c801b0494947ad98 Mon Sep 17 00:00:00 2001 From: Can Bulut Bayburt Date: Wed, 13 Nov 2024 18:42:18 +0100 Subject: [PATCH 3/5] Clarify plan on existing roles --- accepted/00000-rbac.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/accepted/00000-rbac.md b/accepted/00000-rbac.md index 3f6b7326..5071ce40 100644 --- a/accepted/00000-rbac.md +++ b/accepted/00000-rbac.md 
@@ -110,10 +110,16 @@ Predefined groups serve as replacements for existing user roles on the Uyuni ser #### Existing roles -To ensure a smooth transition, existing roles will remain until all JSP/Struts pages are fully removed. The new access control mechanism includes default user access groups replicating the following roles: +In Uyuni, two superuser roles grant unrestricted access to system resources: +- **Uyuni Administrator:** Grants access to every resource across the Uyuni system. +- **Organization Administrator:** Grants access to all resources within the user's organization. + +Beyond feature access, these roles also control data visibility. For instance, an Uyuni Administrator can view all clients registered in Uyuni, regardless of the organization each client belongs to. Similarly, an Organization Administrator can view every client within their organization, even if managed by a different user. In contrast, regular users can only view the clients they manage. + +Due to these distinctions, the logic around superuser roles will remain in place. Additionally, these roles will have access to all namespaces in the new RBAC implementation. + +The other existing roles in Uyuni are as follows: -- Uyuni Administrator -- Organization Administrator - Activation Key Administrator - Configuration Administrator - Image Administrator 
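Review bot: The added sentence "these roles will have access to all namespaces" treats both superuser roles alike, but the bullets above it give them different reach (Uyuni Administrator across the whole system, Organization Administrator only within the user's organization), and the Overview names only the Uyuni Administrator as bypassing access control. Please state whether the Organization Administrator bypasses the RBAC check or is evaluated through namespace grants, and where the organization boundary is enforced in either case, so that "all namespaces" cannot be read as cross-organization access.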
@@ -121,6 +127,8 @@ To ensure a smooth transition, existing roles will remain until all JSP/Struts p - System Group Administrator - Read-only API User +Each of these roles grants access to different features in Uyuni. This static access control is enforced individually within each feature. Stripping these control checks throughout the system requires significant effort. Therefore, in the initial phase, the logic of these static roles will coexist with their RBAC counterparts, but will be bypassed by assigning them to all existing and future users. This will effectively make RBAC the exclusive access control mechanism. + ## 2. User Access Information From 09ab1e8123649692e9bcdd1b48b3fd6d61e659ea Mon Sep 17 00:00:00 2001 From: Can Bulut Bayburt Date: Wed, 13 Nov 2024 18:49:37 +0100 Subject: [PATCH 4/5] Minor edits --- accepted/00000-rbac.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/accepted/00000-rbac.md b/accepted/00000-rbac.md index 5071ce40..3a5188bd 100644 --- a/accepted/00000-rbac.md +++ b/accepted/00000-rbac.md @@ -37,7 +37,7 @@ This proposal specifically addresses level 2, authorization. However, managing a ## Overview -This solution stores all available network endpoints in the database and determines which endpoints each user can access, with the exception of the **Uyuni Administrator** role, which bypasses access control. +This solution stores all available system endpoints in the database and determines which endpoints each user can access, except the **Uyuni Administrator** role, which bypasses access control. Endpoints are organized into functional groups called **namespaces**, allowing administrators to modify access control rules easily without needing to navigate the complex endpoint structure. This approach reduces the risk of misconfiguration. 
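Review bot: In the paragraph added after "Read-only API User" (hunk @@ -121,6 +127,8 @@), assigning the static roles to all existing and future users turns every per-feature role check into a no-op, so RBAC becomes the only gate, yet the text does not say what happens to a request whose endpoint has no RBAC entry or no namespace. Please add the default decision for unmapped endpoints (deny is the safe choice once the static checks no longer restrict anything), make explicit that "them" covers only the roles in this list and not the two superuser roles, and describe how the blanket assignment is applied to future users.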
@@ -74,10 +74,15 @@ Below is a simplified ER diagram illustrating the proposed structure for access An **endpoint** represents a specific access point that can be called by a client, such as a web page URL, an internal API endpoint used by a web page, or a public API endpoint. - **`endpoint`**: The accessible URI of the endpoint. + - **`class_method`**: The Java class that handles incoming requests to the endpoint, such as a controller class for web endpoints or an API handler for API endpoints. + - **`http_method`**: The HTTP method (e.g., GET, POST, PUT, DELETE) accepted by the endpoint. If multiple methods are supported, each should be defined as a separate endpoint since they typically serve different purposes. + - **`scope`**: Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API. +- **`auth_required`**: Indicates if the endpoint requires authorization. + ### Namespace A **namespace** is a logical grouping of endpoints that performs a specific task and defines the smallest unit of access control. @@ -94,6 +99,8 @@ A **namespace** is a logical grouping of endpoints that performs a specific task - **`description`**: A clear description of what a namespace grants access to. +- **`scope`**: Indicates whether the endpoint is intended for the web UI or the public API. + #### Organization of namespaces Organizing namespaces in a hierarchical structure with distinct access modes simplifies management and modification of access rules for administrators across users or groups. 
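Review bot: The new `auth_required` field in hunk @@ -74,10 +74,15 @@ is described only as "Indicates if the endpoint requires authorization", which leaves open whether it means authentication (a logged-in user) or the RBAC authorization check, and what value an endpoint gets when the field is not set. If a false value exempts an endpoint from the check, this one flag decides what is reachable without a grant, so please define the term, state the default (true is the safe one), and say which kinds of endpoints are expected to be exempt.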
@@ -102,10 +109,12 @@ Organizing namespaces in a hierarchical structure with distinct access modes sim An **access group** is a collection of access rules that can be assigned to users, allowing administrators to manage permissions for multiple users at once. Access groups can be either predefined or created by administrators. -Predefined groups serve as replacements for existing user roles on the Uyuni server. +Predefined groups cannot be modified by the users and serve as replacements for existing user roles on the Uyuni server. - **`label`**: The label of the access group. + - **`description`**: The purpose or scope of the access group. + - **`org_id`**: The ID of the organization to which the group belongs. This field will be `null` for predefined groups. #### Existing roles From 6f850e2ff51bffb5e8a12fae643645944a941525 Mon Sep 17 00:00:00 2001 From: Can Bulut Bayburt Date: Wed, 13 Nov 2024 19:07:03 +0100 Subject: [PATCH 5/5] Update ER diagram --- accepted/00000-rbac.md | 4 +--- accepted/images/00000-rbac-er-diagram.png | Bin 36367 -> 37941 bytes 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/accepted/00000-rbac.md b/accepted/00000-rbac.md index 3a5188bd..3467bef5 100644 --- a/accepted/00000-rbac.md +++ b/accepted/00000-rbac.md @@ -79,8 +79,6 @@ An **endpoint** represents a specific access point that can be called by a clien - **`http_method`**: The HTTP method (e.g., GET, POST, PUT, DELETE) accepted by the endpoint. If multiple methods are supported, each should be defined as a separate endpoint since they typically serve different purposes. -- **`scope`**: Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API. - - **`auth_required`**: Indicates if the endpoint requires authorization. ### Namespace 
@@ -99,7 +97,7 @@ A **namespace** is a logical grouping of endpoints that performs a specific task - **`description`**: A clear description of what a namespace grants access to. -- **`scope`**: Indicates whether the endpoint is intended for the web UI or the public API. +- **`scope`**: Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API. #### Organization of namespaces 
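Review bot: The replacement `scope` line sits under Namespace but reads "Indicates whether the endpoint is accessible through the web UI (including internal API calls) or the public API", so it still describes an endpoint. Please reword it to describe the namespace and state whether every endpoint in a namespace must share that scope, because with `scope` removed from Endpoint in this patch a namespace that mixes web UI and public API endpoints has no defined value.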
diff --git a/accepted/images/00000-rbac-er-diagram.png b/accepted/images/00000-rbac-er-diagram.png index 58457071628e15759fad6086b4133a0b58e4145c..cd5dfb701f108e524603756503a5ce349cda611d 100644 GIT binary patch literal 37941
zAc>FC;tL3fa#^5Uhzz)q8Stk%yr}xK(<`v2H$NPo;3ZQlH;VDq@z`hmuM>7aoA5wyU`clyS|?kJ%M(oYc~I?qct6&*y+X3jW}Z8%t-(tpSUZhoBl*>Yfuab!&L8zmk%YsUF$XzVLe#5G$?oO z_U~F0#ix6ycB8hddcv*kJuN8n1EiyxT}*nW(qa3uzrR>yKKLF05n0i=qhm=>xG-O5 z*Qs=MsG}fTE!-g{B9cILQnL@)uR9ChX1Rg9a9`@$4IRF{ET(g<#N#9wms00hO1 zzt*a`r@rfbv6&9;1yd3wZ(OiX;QI-C!KcqcuHU{L_BfoarmHLJP3vulww1KBq{e_b z;(qwxdpcFz)PWRnao;(Tz^E!fErKuoOY-hZF}ch@P?7*;@;Q|T@`T^icpXfm79T^6 zGaqo5w6$e|=z?NQq8Elg#%mrbi2>ID&btWypx3oGrhXO!eswmgt;1KOl#S)<;J4(Cx>4VI=dD=(0pFAu~81X~8QSbX@J7DTG;8tLnc2L?RU{$eKg zdz`4aVKm|qNK~G?u33X@RIGFhUjN3dMr7wWkvT8=JCqwx+l5E)$HP8;F8^5odI&qb zrM~vzW0;(8@)pry0F}_t(DwK}ez%>a*<~lA7dzG~Q>7^F8)DU1AeM|^3V-y7>}Auk zuJ&^pNbx>rXlRI4v0FR7yP7IrVl?#>ip~=il^Q_qGGHy>PEzsc+@%GHwv>skh#!SUh4tK+$vfq-sI>KuWsVWDxnw3B*%wDcx;To`QY6`;3{ao%zU zi2-zb&*<`-eOi-mT?#F{g=!0tFi+yXgKZ zv7?b8AD)<^qPMR%*6L7FA_meJ_t<$SY<6qBU88&HI76=TJp^;ZsVE7!chN}9aTrwc zB1bHMHOrJbUgjIO$I0v3Cxsyo)?kkCNo^a%hFpgET$0x19XRL`pHO@?9g9VJxUM%f zCDvP6S4i2QMXGfHCt0RdJ3;j+=N~rLq6^e9N=Rr z;tQ*7eTy#;WJ;UMz2Wsl;_CSvxG#HJ0%m4b3{6|l%h2D1(B|v9I@$xdBX?oZK}nU8 z(gH0s5md*(KoH`6mtj)gr+mKVbFeuMYS-=;0duL1O{uU`25-@@JIg0 zGKNy#^X7zxp<&sP?|t#}G4=dwKCwTaJp*44uzRA%Gl&Ip!5jJWO`uX(jj9$FH#EEo zs_P)+hw?!c};VgM1rR z-qq+BENm%7^DGj)c@r2COM6q2e(i9BeFNf=dOke7g>c`zzP`Q=$C(8F7qlUKC_cN8wN-k=r@=XGA$VhkmqcD5y zOF##{PUsG?o;>*hW+FoR)KEZ2@-0Ukp$o_6x4D)Cg4Tp}0Sy*U$a2mcvfzd91c?bI zKX`A06k9<>MPjZ|7D!mqm)_pk?ps^#u=_wCw0D6di>Nnfd8Dx7-pU;7h(7>tgM)tE z-IqW*fXP7d18X359g+x(7;q*(OJ4d!z1RI*DZG#*wHI$Tb?SSw*ch~Ugx1B~9w*_EZ!$Kg?+X4b^A3x>bUK6Xn6msT}P=hTPj}HG9k3)|w2I;4fJW5|^p4oh#SnweF66jm0JtI+^jJE1c{?jF);^?PA-PJu zA<>*0uZbr34yZP)d&r78lKXXlPbnA;A|4;WxOGgWDJFGOz`D^`-Wf*s34Q?EiKn6=C1BG$Ldd0Q@9~ z3-?~VLh7dYMW`z4Sgi1O#Jf5;1Ur#!rsyB+M!W3KGgKz+?d=yBb-3c=;ehA~7-QF{ zr^?D%eqYJAwg`~bT5O~j{cr$@I%FkTu-K+IRaH_7%!6eRelD=ur>t%rH@T?jVqo>G zzdnHLphtb(5}v!eHpLkScp)~0UxL#c^aSfo(0IzWKG4$YorcdDBr&G2_vzg`9ck&u zAtl>#Gi6%e%m|)7eX8lve-*d@F#D)lJnFi}!tK58RkN?S=v!Mmw-}#vT6*^CRr{4I zh*7j22iaMC{Im}hA6ihq2?Si~tpkAsIT@p1JArXEoWp?m9v?P8k?Lg|{#DKch4JpY 
zpfpXVGkox{_?nQA=BO}EUi))@s zNs!aD6ji_}Uw}y?RW@$m3}qV;fc+iimQuFoV7x)b;lhBQSm_$S`h}3HIkTc7o|%mn zO^^j`Lp}}u6}~iMfa>|t1-AN4A73GZV7PFxp4yxr^Qx`Y1LzgtJ|-sCbQpnyea1}E zobs#;jQK?6@}0D4h=_ENDbpl@v|443H{1q8MU;S=?SW&gzOW+PeUu;Bbk`gb!ZPlp zbS}2)zYN>HVLQ{%yTlq0wtaa&(qy4OL9wVJ=8jJ!TFA&EV zVNSBG@_ied?sG{>upbA6pq=yOE*OI-k=NqU&H#iTDk7(8auQ=OQo8lO_@bCLaaKat z(so9OyrD4)Gf@IIQ8~M=K)$iHWeB2o_i{UeY*mD$yL)_b=cl|pU{KD6w|so?R{@xa z4hjkeBaR>NVmJ;C4&X%e1DTL(6k>If0VHnr62WB=zWaF4z;c=Or6XrI=2&OI=B6_` z#947tBN-9-KB?$MTl=UCOvgJXo_KJLF8YOog>a*qy($d^VopexBryG62=94-JU;rY zeNyQ(vJguldbBA9rehC~<>?oXsDHB~IL2l;#z$u(k{W{fWTyL7pMRgXS5Q}Ph_kMI z3_voR{(#Fj#+^W_?TlAmnF!E8ESSt`1*qhJs(|+BG|;vHz8f^W;X%&Agsay)@yb5I z9+!p?qM2WAZpxmatRi5MRj--2cLb7l(A0Sjm3cuPGnH*TD9M?an8_l#lhTrPOGepl zGiRw)7?5M`afT%`TM~yaG?_5QRdj{6wWwDgyFF{HU!6%h@$Q{BSR@<)LFm{ytztOM zWeTI+o3-niuz8pGCG_)em386q8a){I=(xGBWVW>|4bv8w_P!@Bzn*{HYX-#co+Ejy zYg@WCuO9+8m&*C;XCx+st?PI>4_cGCE%g(#f@QvOmWkK^RnCnTF zzHW?Wbck_Sn4AJuL4PZDYiYy@3lS(56-*A6Epot7cB$!VpuiA&jE)AIt^h61j;|TbjXBneybO zal$|F$ziX*_+*954h&oNXk;+rc#-w$eMJwOFy9ceWm~FgTb9tk+P?p*#ak_Rmwgm zUAHo0(-|}Ig>HqR3PTOZ>BKwc;6WO z&=K!Y`5+7hNgAfI5EG}LzWR5bWibEe(0Ear49q17aqheaMufWUd+DFu)hrFFbS$jVs$umy|e*VCE3d;0nf7DfvWgK%7= zHgqpw1OSiK$&_RHeE0RYlo|335XG|1S!g>=4`*hKW7#iU>Dn5U2TjeX;Z9kH}) z)$c~oB|d!-hMG=ew}1|JIo^vZU4L_KslAmRE{s$_ooWB=_gIjM@|GG-GlBQ@j)>sC zd>M~pa@}@fje|oMj&MRemX@Y)I+gJYjPf?*`A$Ut2vVd?G)bk zK=#96La}{sXd53YC|rZiw&JMM0=P4Z+B?L~l;jEV{@}m}Pz^bwv!Z%|Qu{?*cSzCl zGp{qCE^FFHb77Snu5%hJx9c`_T42G7dZKEa2?|4GWf>0mqbVJiMjMJOg(92(DhoS3 z2IUg{s~bYj(72xl`fk%y33TenSFZ~AIH9L)K7|8?vT+aDp5cq=othti%~E*?(>-8ab7#Ao1hk2z8PfOMWZSfZs}ZG>4l0U zLaJ`R?{}F2Qy;_%q7-@q$4x>if}F}{H4w0;4p)mMt@?BP!Rc=RucX++`muPhkn=_0 zWz`3AZ~k~?*>7Lh#nSc=p^a+uX`0qOe%<)IMVzhF;OvX)eZ0)x0N7>r)~!K_Erx}= zhv7hje*I#EA4W$Pj8;bfYn$oJU|pzo2p&dxpf;U_B@u25&}ljv@oc-2kVb*mk^*lN z?R0(`P4Hk(-o$J0^{VWz-m4a}b))d2Eo^xJtrXV(PGjbQ=9Du# z+Z-@`^X&?=Ec4hy?dOX3P;zSwn;tL?f8uxc^ow}^o`~v7p8>)Tz-<|$@bh)*Y)&u< zvQ=(gwpPDG5!}~*q{aqXoF2qoYtR-{&dP!#0CNs(d=xyQ{rx=N-lvr`G%f&_n_P@4 
zw{_uRuU_9*ObT!;9|JqUO<)?m&d{wk*Aa5)Hy$ZJ9qg_;>M<_fo)B1Zp{A(vd=y9$ zs{B-yR&d^^TK*3Qsyui|_FeLUx035>3|f4#MV-}DawdH2c~@9^+o#W;1s6y>4mJTt zc;~;$p{LPkbFF%!WRLyEkG}y0+I_y8_~5QW5tK9qQ}^ED*DAH+QOd0Z@xv)N+m8^0 zvRD}AuUt#c3NpaRy?P$~Q|)f6Vh7ABXrSbFyxZz#=2EEd)z+3Nz+NAe1gZVd-h;cJQSsqS+9wo7K#jlIOz+FR;5c=gqVWQ7*HiyN~HQ>B&F$?)A-jw8+{h2*fbu$haMuk&>&F47dTP3{w zZp{yh&#)BWsY%HuSo70%iEyrQ$$N-baw*Q-$R@Tj2*u%T*m#R8G#qX+UqT20k_R|0v4e^??pUh{Zp5ozs{R zeiz2omHdK~NJ|OoC5m0-H`Hwx4VAILy+ImOaQ^Wszo`oh0{c%z-5;el+^hdL+1-Bw zgartMX+kdl)wKP2nEab#3>84;{YM!~{8!xa=S$2x|4&2j-|vG5@%Q)q%ZvW+ulM^& zZQj$_cC*%7+fcgykC%rkZS`rNfKw~z@_jkArnk%FobLXY?>~^c@TWer;T4Xb_)ksg z(Rs(`A02EkF=s2lH~)UCQY?y_Mt30n@dj+TG{t@%E-rA)6a)CTuvdQsBBs9$9=8C4 zEu*Y_VWo6uXLoPUZjqIb7_6*7ya3Rotg5>4qb)BquKeI*Q|SSp)7t0;duWn2CRz8t zi{ftI=`2{xEsyO!HuM@>UyI>oJ-VWuT#YF)@MOC zwmg{gI1^yf(|FHX*cor#)V~9h+cgk9;rV$*G7mn{)I5(l9JG#|`~iT8Y*BHtam8>( z6VBZyQykkX9WW%njgDr7xSe|nHrI0W^dD&yWv%ThvXXIsgfqWXglYI-UBkg+IIWNV zE(uiCf5e#ZB{H6i`KT8nlRuV_fjY=xP&T6|_bpgF13*;)5kt35cAMgw@GB4tKU;{` zig(w(dxcCmmdA)%-iGshVr<`&6ZoEtBacobw8m|*5YJ5|+#;SN-@EeZ4*A*65{}PL z@9Z>8-kPvqVkoRX(QCV$pd|C&u&s)2B#c$J#dF~7ZCv^*xOI2OifLuyS?;{@Oi^I^ zy8ZKcic>Ld7RtZwYAuUFNR#|dY55MyVb6VqEeTbL+}ShOVoj3T$@Tc8e0%S(Y@~O% zlubnBjIqdZFJDf3=StKQ#w+U+a|avW2dm<>%H6nlRa$e*RZ*Rt4#VHd8Kl6|(rS&aJyB(9Xb4%nvyCtl_a{iZ^I-(O9dBu`?@zG428m_aVR8o{BjpMFc~+t{Be^YH8r2n>Wl&&9$xsZUO2f8fwVZMvu$66{Zc@Q@d})* z7ZzGbdYtFzyespJl!ySKGj=1E#dFQ(d6{Y~8L9e)Mb-%20UikbfOH9) zqpHx*9@l(SI1eYMdbQRkmEQ24nh`84oDWhD?kRV#+E%879N&Gy7PVNM-EY>aq(sWX z$K4*pL=xBA&A~oCTCi7#GuhZ!vC;WufBl!6K534og;mwWw^L`wvA*-9!Ucg}=jTY2 z(P!nX@oM||F#PJ1Bs5{-4%%_a`MSKwUZwEfQ4^PdK#Xys3)|5VPGPP9+~yAtbI56F z<-_3UgU6`Wf?rzZaAGT?q zyoWfd0i2!2Gb@98Rp%@DR9YPdzcIwbe6ayru-0~&goMN$IPUV} zCwr~Z14q5+vj`j;`Z%mTj*nedR@U({hq)kp_V|SrWH{@%Go!q<#|@Y?v^<%$2{#YP8v&u8DGV7Kb$s0GqDxvaljt! 
z+u1+aJSjH2;wD(=*s&lZFOPDzMhxVtI}9%_4xgC8p|8Uwx*2se-rI!m{W%HqJ+?Br=k}+j_rA;uyRY-N6S;TYtHrMex(Z}MXfbe z$0eOiMUj(5pA#L_t`^4p;^W7i`sC!cT1L4AI4k$B=TQqxlu#ab&Aa1Z4Mr3-Sbpj^ z6F6F#cXg^zv*}hEA>$BLGFE>*Z&9AWnHiU literal 36367 zcmeFZbySt#);7Em6%zzSIs^fc?go`sLTLp-V$-ncO@o3#3rLqpiIjkJsdS5UBi-Hk z&h0PGIpcl4=ljk#-sg{ZjI$jKHhbUqy4RX(t{K<7rali9q%U6}y?{U$K@U9yh-v0UC06sW{g^hrZ5U=2e z0N!J+!TgY7o%#LSAKsJw`TiZezxC%er{FyY)+xkg_#F#Bobdh{{Qd+#Ca?c^Rwca0 zyw3gpCj;*=BmebVT2}rcH76?vJ1ZAI+|SO*Ey%$k$iYd?!6nGUBgoDVS7W{Z$BZx| z#f@Czf>FFp#Kj-Vii=ZQ*`N$f%#jF$W2{@Sh)nez;#Z@o_a!rM9j;h6Jd9iXphRA9 zLGt4j)0b)#a;!&Q^p|CQ{gTF>Sgji6&X0{}W_V>#pF8&C7vg6umGK#+dwHE>#CoXO zW%R&ihk}~>wp@OxA(nhms~zVJL)#3!SwgpSo&NfF48u7XWEpn@b6igEx)V)2KDPG= zbmu{FP*W4Mb5?)x;d?U?Q~1p(f&cscy!);S!n!}t_)wK(J08}R%;tUNqBW!!Q6#@{ z-H#&Ej-4rrbdB3urQ5EFD33BDwus*>jMQv6w2D2pS3SH$!R(qWv)*|EiCZ5N{V$l; z828HNzD?cm4)UnkdN8Tfpn8_J{?w-*)Mf6gV!Okd8SFfBbT6;o+3}lj^~Xwl`u;IG zc16G5Bp&h2XzV`fAmj40>CjDQO+QL3ufeai_L|Dup3M}`b{pTy_lLds;(ZUxQ7j47 zge6{dXC=C~s7FA7%Jb6JZF_8T@>3I%P1-w7XhoyZ<1CY{6`TZ4o8qjkJaN!LM-vqd zI}Ld`L4A}3tF8e`56S9iVTIW+gs_;Sm9D-S(vDgWX=Gw4LbFmAGF=OiL zq3rEMXlUSj>c8e^VI?pB_wbgse@X%5!RDxI#m2$P&Sqi3_Rn|N+DSUVAb(Eizr4d% z#mNfEri8Rb+1uzNB^{8KcC`OIgn|Cw_gmT9nEzgmfj%439BBcU+QL&g{^gOF6ZiKW z7!eqmSXlkO3xxeISK65v{zF**GB?aOznAmR6M@_R9`|3a{%h^OFNUk+A1sX`nB_X~4p1D8R$Q&7-f+qKD)XVA1E}M)GkPa&dF< zu>aE#iZ&*omAdBtJS)sl2AHAr1^Bo)^|@KNba~iWxVboZS@^m6xmnl+*pVE%NOnC= zB;W6$4DLLvMQTVJThK(zn7?i3?{6^MA_$8C z!Rli46bAVHIjluc+y<#@hq6&Yq0B{S{|8_Oz@K6i?vE?!*w(xwX-yi*PqLh)=fBf~wpXMgNj}kTY??WM| ztN+ImY;_%wf9yAm^~YEG#=4e9NU$D%s_S2$oBS85z^lt=$jQOZ$-*JPtEt82(2 zpwGk4!p>#Lj^s7a=i?XP{4IsQN4G^8+M#uAkavwhjvy;g&)*)3`quA_V*J;u(Z)#3 zE`Y#TI5=21IR6ruz@GwR`*Xo;7@P6eiiO$!H<<|kzTlsX4BYp}XJEX*7P9?q4F8lF z%=drt_2*vvPd*D`t*Z(nbUHC^j zg|vhy2o1?nbaAXVBwAhAgB?t5_eS`2Ns9Xc7)vn^=l{_0=cy0Q%d(9+@hhD3HH0jsB}s4 z#{;6fcg=6zenb79M&s7KYbkGDI69>erQDJilzDLO<_+)YJ2EmW0yE_vHU1JZ=iU%c z?mS+|HsiP5Zdr_S+IBZwiNdD&&+Gqk2`H&p4A^}c$r>Cf-5M@iqN(MgwEM|JM?<3| 
zcQD}~$@2Mr*lp7vlFRQG7Z=MM217%}3ArRJY4Zi7!>DP{UD$YC`KhV&=`<2YYc!u# zRec(k3^}7z&Vy9Y9GaRb=V>G>wN=jiDWvyZ-6e{<2X zy7N?+I^6Nzx>N``i&jctWk*{reYw{rVLv=26)&y0*DF8K$nCsFJSq=?-QRd+MJxm}7;V zLP8l7KXD!>yC3ZfA1vnA7M6Q338{V?Mdywx7`4ZzpjSrtw&IqD%Qn`V+460s?h_CY z*geE7Y%+UAOq2QgtIK5DIg1-7s%%w~0+hS#-IFbJCnuX?#zJyHY&Y%DF^*Ofd{#+WOudk2Ypy3KHYNW;IDnnn1Z5oGL zDeQ;q(N^#2GiR(<$L`WA#`|YvFd--@DO=)2V!Uwh2*}A>1`5nfx<3)phx&9RN$0!l zSO!vwwe@6ak_g((+86cL*1p6O-Sx!A!L?fKNfC360^CAKq| zVYZhB=X$bY){bnZn%0(zMhUK6tI0z)udb~%svocZs`i2X&@8fK)~Sqz)l9d>yoOh< zoZod8jS?HW8#it&4wpsb>er9Y&PJlh4BO-5a>^Z+26COZOz+*h2iwA9ztD3Av!&(x z^BD;9k@6_mVzWZoWd2pyoBVcB{od@S-rnAyttX^TojT>;{`Be7D1K`imz`xEQIFkU zuLFwN(aTzal$Ne;dvHOgW8%V>|ofM&-e>&~3F$WAlZKoXVz| z1P_IW53iW@W~XRZI2X|witP;9nhzERV5Vm|EI9DRBq{WX#3W_D)vtT7j(hci6#a!3 zWK~DoWD|7()orZk!{t`KQH(~X#XC3cw*9Jpeg5LbW_1NAsk3Yqn;{*n+w;;JCAdewd2{ZCmsfzraIrOQVq#)(Y3cR!xUwjV%14zGi;FEaK3DsT zP*ku>%$kM%^zzY@88fXhe4Q08=t9&eX41AZZ9D^uCY`ArA0#i9S5&}uKWh$Wk(>{` zrh+~b#(=(+Uic)drly8nzwXlZ^6&$gI|+~JwYLZ6s}VZxvRm`rk8}0TfQC$ce|ZtH zxzHQ*C`szk2Z{67*|g=Xtk@qtdNhO{b#vWl<>NN%@sHv%%CnnOa^7BS^ge$T;kZ^y zWHMOD0tZ94&Ywi9*y{O%2-c45r$T4(C|h1$B*JWu%l0CpRgJ^XWLe>(%}(>7;@}|B z{Ws2A^Bf+>u5$FDxh;LU`W#VmprhneR8(+W%^4TdOnb9i zCmTbt_-&^zMX)~QWc>_-hP->1%%$xc$E2P;HZf5R+Y=>de;bad>)~3x%EyOTo{gal zpoCN(K780cK3MVb^P}bDB*4MJ!JNemwXD7ZGa@FnOlnrvKyUBUhet@Dnzet#a)(aDL!ypKIqA+D({PDlW~Ob**`)bREO;^p$y zudk`xWsdf@_Qw6#BE>vJA3uJqRqoiK(ffd{!aE?~G8vy`vSDlV>9c2*K1ldfT>~St z+^UJHkhHVozDh6mbz~&IUF;;*wENRs&2{{e`r_hZcEc88ID`^PN(9(vFOAKmB~+$! 
zf?9!sT?VzP9v+U94W$PS2_SRN`7HXayU=p@!kv7>R{xVKyE%fuz`(97%?PkRO0X#y z(-{&P>etmayvR%RZbfT&M!4^aE z7YX{nL(xJh;*4O|t2wv5GKxBMfz7(5o=qOZYcU>!s>HI9wij|(Y#>9G-vv*DsI08a z)GP`FbE;SH#2Sspv5^ku;^K;8*F7~iH`jal6osH2wWw(P&WH=1U+q1x!gHNzcwkTX z!i8Wzyv|2bc{O?vvDRURIBd3iGT@0Tur+}#=VXovG` zZDTVIzT=BY=UFl`vQmd7-?%u61lRTRw$m-&zI}UM;j;5HejeNt)Ms2Yj{j9Yi{pM|G^&;5G&H3(&Vq#+8?2LP} zDHs_UH|IKEfBC|#UjnXW0u&uQVoublaI^?0QV=1N+Gk|*b+Gr6Gi`A&>&yN9{a}Q~ zmzUcP_cj7*O5STIy?vo~&)l3jO)()AOk`aig^)wCUac=&77`n4et7UBQM|-%E(D(m z+^+nyXVft849GbVoFLy&8r_3%;z2O0_LckdOyEePP@3Z6;sMULbt;7eNO?ZMv&q5Z zh3h-C$BSS&o*eC*$HQZwqkBohW%#4g%|&E}p2h|*8XO84ulX35EM2g4AiYtPq@t)Iv{I4oSx`=wmctA4BmI8JTmrxw+gXKTn4?N`%tO?=F|E5DPo9 z2axg6v$C@4tUv8?ST-yydGA`^-5rKYA^0{jQl`rNsG+TmUQjT)SKB23REZtgbWOh> z^gh>h&xVxS_$!{+p=Uw@6#_JQ=4fY>K}003){ls+nW%@sr0e6O=l1FkoosMIOksmD zvr1ElTU}r0l)AULv=mS#fPlYCr^~dpwGj}FXxa8&cn_Nj9(3}c1!nQ}>m6ZX;n|)n zGSG-$pfSQHhZ~3c3pp730S00XjM2t`ShPiga{ze8w4d>uD)BC{VBKbuuzD zb9HSTAr6j?J~l-~MMPVIn4+56^|uF?Hn$|CrLo_JhfCeNcWPv0q`0JnBuNwY9@{1@ z1dK;8s1OMsPBw$E@Q{q0lCrWj*ossy-=WK3;7B<1PV<=c)O2@uJ5GKZ8KK0(!!x(A zC~;iVtMo4Y>}YM@Ld<1&Nx#m&5iOFIlCpNV(avQ##QzG9s?D}tq~4!|YZpw_1%J9T z71W>KMXlhtTuv_9ao0Kc-s zd&MeC*`8{UNX}i=YBep$b31S-MXxA;D}?iIbaH&eZQAt)c8b&jHNrjf;fpO_S?d`K zGl&;*3ks&-I2srkVP7F3aT;D>3>S&JtUrc$Z}Xh@9(V1#B@&JKLK>g{s`62ibCj%oEVve;XDisij43 zm>;#fyK5#DK}$;;z)0l8u$wSNH$2r8R^8SX7#m9tGDHs}!N*;CcJn9rhvejB;zqla z`(d6#>BORbv_Q{cxH;y-_K zfeg|f?ANbvnUC{j6cnbXB6Ox(qPUo~iho4@jAvM(AL_o~ z{Hrlwdk!Xov0sAr^Q*sJQ~k`#{QQt7(K3A%iVN>q51 zdk+rf0>+);sD4uMNsnV6ZW?@Cwhhe!}igZHaf>)q-)*4vAZqj}7vjE!&2 zv?tUzH(!LA!JYmy1dxgO`*ATb`7y*hz6fX0guvfm=v!mid(qu7?0DC8SeIh+^&=trO8TY zbd=hgQSYSatk#>SRk|I7#KpBv1c|v1ucW1=aiK_! 
zYKJrx2Yj6h@ogZ55PM83MgWj$gocOL!OmhLYA^@PPfNRQ75$}eZE#XFO6?dG#g4ck zbEDzreh2Xm#1`wri>z{B+Ch$v&d%%KaH!r!MKyx!zPJ>6O%2`4gc`5$5$wpBC>(Xz zU8|>hTx3ZBYr(|05|WZ@3prJ!2`iujkeOYjppXX_jEUy!gQ#%E{Mag=Ef1CS_4jua zp>*bZvYH{kZD?xxfEukd@B925eEM3O(8`r7SDwi^z47x)5`T^BPsSGrs+b2!6S!cE zfr8|53Q{A3zR$Xgqg4q-BhJmc3VM1U*2u>rIrJmBjBqcLaz9(_%Y~Ho^N&YkVlE3= zMSb~3m;h@AmSX^4^**%(izd7~=Cylp04~pA!f6f@>p%O7`2PL-xpU{f*4MuV8@$gJ zR}8Lye0Obv+j2+)H5sO7HdJgKD})Y&^>yaxh>0HWPPirn5p%q_OvX#RB4A~2k4bxO z($TFg=C|8GW(bIcWDunYzsIpK*zMI-tFxDgze2!ABI?SIDqlN`i5wspgm~kAICJAg zw(_r#yFhL*0Vjw-RJ8J|Mo3hYEM(5X($Crx#M&WJ0lY#khBp9?;Rc-OqZH@c<_Xk0 zPOG3aoVwpnLv#%>%SeeWgM)*^7xVrQ07<4hddpEr&D<<@y6B_)VYIR~0+Y9v5oA;ZGPq_uAk=xrc+x&Q8#uCU_o zAgKs~B%HB|oe_OdigzrU;V{%aad8rUtM_Zh8js3Pjt@YiIY(|Av0_@;qkW6bMvW@F=d$tMoKzQ4pIrC?Wy7|&ndE841G zQc*>RYtztUaH{#4 z^|{vTx4T>+EKeVb`@X?K{!_P>Uqf7=P-zr{QrB_u6O-So!w=S!uT=g2hwAy7DOqqv z?XFh)$Pu3?Ja2~JB;<^aNA1y6^XO+`JUleyE#E&DX&bHPW3R1R^*##KYi!RUb#oSz zB^3)i?L*6v75 zqIexwxmqIE&W~to_a2p-^|CVW?lV!Eb$*hWvR@i_`K=w-0G?$6=+kWtU$+C7!BA63 z#=2e_LwbH<^Z5AK-F1EKH6l~1ApB~g?j?5z>ZfH69VE213eL`F&!6`(FfjPUX?agi zkA~>O2U!J$<7Omg+-$5k0esTBCRMYwos4fEi==MnUa!T*53cH%YL4(Jy&`YeqZ8zm zG~!I*QAHYi?(&3$F>x!EiRmOZO>MzZLD}$`Cs}HSZTlZqk<2|bVLZG2&*kFR85tD3 zNs0Oc%g|HR6H{b?-Nxp@Xo)Qh@ zY?4phyFV3V>RBZ2-F-B9IaWS?J$-G*=Lh?t2dWpn*q7o(i~e$SR3BpMxwl~$3O?d9 zk#^(K;(qsg)ac3huU~hqRymj@XKx-H9KdAFZgzo0!P@5P&sZwNo~x~{7MI-;c|YQ1 zZ~WsuYnAzNm@{5as!Dpu&6_uKZF@!a^e5P(#|A=677Z z^*ZP@8PdEz&kG=*vHAIXT3W&fJ5(RkEX0~3nEd)FSTbtHajWT77=I`F4t67T)Ir!gcZ9UJIxur|KOTU&vZ{WJ|1f~><*H<#e5 z9f=49yA{f><0~gY0c0L^0E>uLBz$<3^eQhqD1L=EXwGK1Zvp&92MES!nI7*t?# zx7K$jf4N>>tJJRl)`aoHbC>7EJR1$9?KbINybw3;`YgJ#xEeaKKLz(Ur_L2 zTA>)dW@yJF9OHp6`1GMH>f=`dGkGl*7Xr!U`$tLp$*HN<;}ZOstxQfObaL?uq@1!d zxCuaw@K7-a9-pPT2n9*w=3JdN$}#O4eHn_nB>$mHeQeuS&!qqz;X=C>l{QuXlh zpspbY>3pT56*E7eP=>clt_KhP4DZcWe%;ljvaa`F<3!k@*>+Hh}HF*eJN~~^t zYG{`{DXEATp1KMrsB1;t%Ec?>dI+sbO#)nG&fvu%em~PAt@4wnJ@()EU*|cw)cxaTDZTXg(5)(me4!dwCvfwRW*2 zR*yeIQld&!SZt9*`aiblm}tuDV#J4arATo 
zFX`n;2?*_jmj=;*dCiXI5YY_}A#SO+mG#wnd3vU0!jW}!b~4#~B4OFzo%Az}mX?IG z7y0_g#O913X)6c>(0z)|rTe$*ZgoGI8aZSJNzNgEi| z3s#9>jvD0fsdVhvEsBh6K11J4Nx6)1B75;EmHYYGSWnlV8rYy@WMoc%)yswO-V1=b zGf%4v3wu3Iv~83wAV^3`+V@jaQgnG^uo_xgcq8VNe^sD6IpIve4u}MQvHX#95&c?1o=hW zvtN6ABOqMV*Hn~}xV9HHZ>BG0`QjP{g++}Y8C};?>{8-(B^{O(`7zrWmLHOvYy>AR z!Z3^5o6&5G`N^X?{t-Jgp~=ZZRjr0xhWY)w+SWceJf>amEr&~MSuyq`-62j80cS0Q zh%ei+{s#J$oP)x)d_-JtV0~R3WLX<7nv}NH-lWCLo=C)>C+YD?w|VF z+}XLyhu-0Qsii`@L5J}c{>}^bv_2!bwh@92JJb)b*oqrm)?UWN4Xb_|+A3|1W&y7j z6&{cKb?;&ax#+cbEBT9ynPQbF#=~JmR8$ndfPhk-fh;Gd4cS#PvKX4GOj;3^;d8e< z!XvsyOcd0!_;`2LCOisReKZ5mTLj?ER%gLBj(Uw zE`YhBVQt4H^#qN9u#@Ra=;4g_zH?F!jT4a) z04>?stlTDtS4`&S=oH9-Gw=r&KqX`TAfn0N*Oy*E;H3?+!Y4?Pnoi&h0|NuI+C`2C zeLtQtkk!VN;Qw<}npDFaA2{VY-s!D_jZyIHa9E-aR@Mv9+_)Ohg7j*%eG|Cb|)u z>Ne^XLSQQ$(;T+(>$xD0HPhUaXG(5GwO$)DZEH(>IwOUSKfnlNC5to7oN z!idnLb%Ob!n+I15Cgy`qCYDgSvY#O9k0jisb2|`jt;XY<9809le0)HwXg8-~EKTBm zaz2Zq?A^l$iG?Snucf0!{Hr|d2|`1_Ch&mRNHMP5}@Pyj5Hn(ATy^XE^WH~em$0V7-5r?(Y*owTvzi`vI*@YW zTWP_G>KgS5@?I?+95J!#{{E65kM&=c2s*X-v1C0dN`*7m)6Bt9VzH<5hIM0_Wvu@$ z_D8j>+jRGb>WfC*>uuW!hr(SPi!t$EuV))TyX@$ZQyA$G#cUVd@^vj4YT69a?119a z;gKnEoSytvxQi-4+iNUi%huN11`Q9?6xrA&7z)~Sb`LygSLcNW5KQV>-SYf<>dwji zv?`e@bA`2DBNaH0&3eeqD3bjEG)S`n(a>N1q+m^b8>ZUZO!Arof|dc zKOMxastHww{7|kKz7xl4vzF{)i`}L$GrLU*PbO>YmSVqD!|8yBIH!e?@+U_EkyV=J z=339I2&mUl1Y|@2YlXf;_%)19w| z#@;?rdWZG?rxRB7@$pEplNcHnv%G?-stT96%xn1gj30WksER&amzZ418;g9M_;csg$8Sg8QY?}N>L z04g6BP2xbfbHOtxhz}cQv$lEA&wKau_LA7!oW=A61;dUHCmmBh3h!<|4gtJvW9x;a z7Q{}ToGA}Fi$*=t$2Cdv`@etldc9Xg6&@TH7x4NuPPGns6H|`=>9I~l`h2Sny;6I( zQ|jtO*;=yCz?j$6)vd2TV0-wpHNfX;Jr=wB;eiJ8^|+MUH(u3loAV@JLryd$4GrlL zZEX*r5i#* zuPKCf2#C;U`1sV1JIl}4D|&Z))O91c8mdvHn~yu93Qvm#ux5O5(YwmyvYdm1`EY4m zcSbMP!w=pf;;$}!(0h3S>IGLQ+=AJvqNPnuNg?~aM7e%R8kcG+cv>EVvPS3>UctBa zO>-6jkckU&*Qldf@(^VugmHJ?84AHKn3CYfkH*ujI(L+mIJ2{}FFB`*0a{jTU_`^Z zeIY?1?yj0z&*cdPK%E^wJYWDs=Q)&yp;UtGT^5lNUL2gMQpwOJBs1^JLy|G6W!FLB z0G=l6b#@B_T{^5@c@WO58oL)Wes^zOw9Dl)E`2BkFR#_C)fIgFG(tSf{Jy>iz|N8M 
zDL4mJD8ONhN{F_*VU&20vd)hk;ul(QYZGsiQ@II;&CdE^u-u{*kMyS*^iY(|9R2JA zdKl-3PG0Hp_lwY5&CDp(&(LSI8Xcbe>+h;@k9>%i+L z$@?ipuh#~@iOa?DhH@gCR+r0Aw)-t4fLP((Nef(x5}r~XAJ2Z6pGw76!SDZzEwG_N zL)$SvP6(Z^TTKt87GjR^DOcoRU*Auta?{K2zk!7VM&I=ITRZzyk|LJlRM@Y@;i7~n zuBxvFoB(5D&vobHjItb$@(h}onLTKhKB>kDO@(@qd{MUI>ZY$An!tehn$9t5{h1cNw+PF;JgV^#E=C5)wS7g5nz4VR8igk z@sS&dt~oWK2n$kF0l0h>)?s9g;d9GP@|j_-KPs+@X_aG9;%H*5iRspolFV4;QPMq?URB;N_y{qUBG zDEmp7D-i6_F)_u+lX=`YG_ZW;X1%-d#bnsG+sr0(*;F;-vr)UKR1oFsv^1QRsvTAa zMXA-1gV09U^_N8PNfv`W%sRQzrS=Oya`kaUBe`FCdrLTr_QxF`?Xxpk@j|BlYkjJ@ zWtaI1f{jfPz;)ki=(dEauM7za42+CXP|oI@UgGO7Ly5u6BXlT%^Av~?Vu2SuS(H;VI)$^|yJX{c55rFPp!)6s8EAPqWv(liB{G=L$I587*zrF!QL)^iE7vO?gpeHqytyI45Hm$9z3r~w*mVGuB zQKMDq-))L)czgG7v-7OO%E*Jg^(jY}O|tU69wABXnNX3^@mVV>+ELp{Sw^wU%u;7X$s#;m0vhn9Uez&WJ#9gJjqC^(u&uA%NcQ5j1+VY*6aS>p2tPcjO2A{qU3c>^S&Qv`WAHr&?i7=2{^gb9Gf8_RJ zzoM4ba$Lqly?E{uVEcsto-m=E${oWy6?hg99iS-`n)R%0uxUbVz7A@*&Rc?qho2^9 zXJtxkkk)9nYDF=N8q)&ETdGS7#5&5II!_g$J5yVw>ZiY=a2PcUGqXd=WOf^6KB=Xf zA3iNGMSicQg|w}SMpP8bb8*p}RVT2zySr9nyCuq2LQ;qOI9shdLcd<&ZEWni3xf!) 
zPBroR!ArAT4Suxf1@$7aCf|UH7yagE$G*RubzR6UDgye$=(~qR<6Y@8K;^@NiWUJw zHSI0+o%4xjr?%h~#d`h&Ei?OZN#_2*rLOjHB z+AxI&prJ5o_TT_QtCpkv8umgj_iac>bQwz!w{G`*0VXX50To(Qt^W|eY{z*hzedf$ z*k7DFF+Sed$T6{bu%-;bM@e8zr0vg46MeNzEsK`Ey}byQcZ^Scf%!<>Y(BKg6``l+ zpS*CqK6Oq6f7>O~|2sG#sFD*p#RZUx)XejU>G8%u0q$_ObKhlNs!nVaEhK*5)G~oy zaGyYpNvi6j%xI9XMGLbKTGSURDQ)p0Coadt7>WWo@DdA~g4^Vx7%Fh~VBT^C$jgn%CR>~PSH?*3<&9np!E zU2kvK(MFCL3^hXaXTa{Rw<}>t#I>g^Q#%T{ci>szNZ!GnP!I)|y*_-yr;OlrQWEX< z_IB^^NJbGI0|QQI+_KfMd|O=ESK3y}I>1eYgoN(D`^>OEPKOv8ZpJ`axPiFO3Y4HW z*Om~(SsAnILh!D>u`&3|=H@~+11)Xm?9Cbb}EHVi1Psjsi^1#GqR9;Vgcw8p0Q>)-sUeGswk=6-zd8lLdO7>hyl!xUdO zNawZo+xX5`#VPE==yB!2!#|fDrvKC?f7CRL(~eA@rLthT$lkly*p@GI`NfWF9~3;R1SlO{oPH)-i}xHAHxfH756;M9_GR#^X#pkNQ1q)iT2T{pEO%$^&X@l4C}q{ry`OrbCMcEfS6?2npp~U4`R> zL@ZU}fz%ASBHy8<-KHcI5_j7@D6wp2%8E>#ENC{3{igf+r$+D`%f*H6RezUNki7v^ zNnliVW?RGz37vItuv_elk1KN+-E=oV8tUb00G+Q#Rk`Km%Y+YlwFl{1C8xlJAG&X*MVoG=4S9l`E zEyBD}a>dtf6nPIlZf|5v7hb)?GNILIHi$~Anvz6viC#=bC7f{T?=wtJ8iYnh)~MS~ zlc7T{lwIY3_y!wid%}k`4hT1f)vprfek58{P6fV<#X!qoQE$*sbJ|Y3TDWf4E(&bU z9dT2+^W$gK-ha5t0Tc-P&Vy%#8XA>)gs4i67oZ#T3b7J(qwFWz$E8f_;~Y`uvWo5O z@n-Uh?PEU@sVP@}yn+z$XD1ir)Xe2q-S(LkATx74YG`U1Pur>*vO2nZ_r{l9 z#j68FsDRp7Atl3X$12oYFSwpMyeM6$o53i)lp>|;zmk14azmnm8}p`^0(RsZmi%y_3YB)R zcHM5iFFZ4oS#KiSYE937{P`OhT}!=Z)=L8kvprkq=@p3m0V%M%wJ4mR)gR(`Ka*S-GJA%kkKBbEYaCM#q}-34$RNG_pg`e) z2&BTBSp7BTF>QlEEcL7xj0U=bBG)@qdW#!}`zU=tYSPdkx#$DA*!DZ=C86`t21U-23W<2l> zK+TQy^)b74$c^wU z-~dJ7jZk62fdL(-Mg^3W^Vs&5aIKoNJ>n@c{O`x6hURfN(AhW1W)TZI~Uo)8qDH!?B;YUdqu z^UT{a5|h07s)V4s4RLB!?rzsvp42?Y#yNN4f?i_?o$%^c?7A7qwB=&?gMqCJe2VWt zp>hJI8HqYC2= zgALR!q0#6xbON1z542W5$yVnxa@O}|5-^P$z}Wy0Jzl{X|BpShDXXckhbZ;?i!&E@ z;Ygc6BMfkTI7JhLojBe0H*eg&?YmNS5?@@*PeV(au9|UO$9<0uz;~lsUqZlL!r(cG zA7yCNi1PvqP#!V#Ziw_;kN0L&GSmWqh0Ni&`ixbp_$&B!4FBl-`SS=2d$B7=Cjl7g zFZMQOLc_xBhl`GMAU1+F1qiTPfv>l=x;h5Duhe@lFZ|ct698R&hQ1LX7S(1yEz?Th{S7zXNh@AJU-*PHC@tFNl?*l28uer}@R{FO{7B#6ob^)sLf zfLa-lptZgInfJh`fbi=F^h5x7?mq<`9{y0^0C=P&!W(;YvHz+kaNHAsGX=2#kh{(< 
z4HnJJb|fL*F{uZ(w8+uRMc#3C7DNC7jDV;oE~j$e7bySQ=oqL_0b7vsIQvP#ZFuv& zy&cob0h}#7YIL$A@N?^I;DFQt%M0k4TtGf^MZ$&=LNE^fO!bhK0Csf|PR9qh3z%}R zAe+;A`V=GC->O{(8DglszfZgm{h2yf9s(@pw zkYXC;f`zhymCgJ(&l}`ry}PQrTy^43y;I~SA}stF=)~i-etQI_2ows1P>2(>myd#~ zCL;4mf$!V5R}5Psb#F!ilZ^?w+v)&F!3Y$@*a^)&2jr?TV274?;N*biu<(S<#&z#PiDXL4Pe4z>K&4)j1!760AubfZ+ur2-Ai7pa@v^2VmE3d zhbD_QjJm@i!Envr3Ym_8K0@CatS%7<%fj1z`n@*;Ak3V}t*6unT)}RkCjdhx9Ly?ni1imxOx@)E3|&aqhh4}iLt&GS_~Qk_mQo9^%QVefV4~i1wN?dVY;PQ zo_u)*n+=4R4Y1`{pMi!-jh+jrqIBsuB5b-p`GKEwp(pz|RkGqaPqVu-~8&k3hL5HlU>l z<}MC}9Su0pICzxF;DUjInx|WR7DGvdrVFUgd^6yDRBC4e)x0K9t0-<00w7@`;k-iG z3o1y8(2b!eymlJevu@tH)gbdOKQ9jfokEpshqjPWV#=;6*;-Lx0^n@W9Q1p@!|&g@g8&{ord6zg!op)V@wMYb0AF9Z z6BhvLC6->41~8EP0mv91AOEOX#2O@a%n#&I5Cs?TSg3dQCV}b+RRB5Q!zOqf3&ilD>IMg6 zV2kxny8=NKBO7>zEx2MJsOkfbVPL)iOwZ@}`CORo1G!-7_X*)iLmI15%O_MrUAf#{L zfrK|&xQfflLZhRbASUrQYEg_AmIdZ3F*JDqId&4bx0uEn2ypU%SA8$26}sxApazPq~d>XBl|RmCtE^Mbh%>pE2vdmMP1!I8wDM zUiBm=GYLN1`TP%x=(`pA#tO&>mQVW2Hoo4PKRB6aA2tt>=k1TZbMDHy^EYq2(ZZ5A zXLIW{(ff}Y79yXHx^wmmva)*Avc3%X5*FOAs!dWdv&hOi7Z!7qhOY^q`rOScGWV7b z23q5*#7<@46P!|-bQC#mT5fSQ+}?=VGZ@(rcm?s@VefHJ)nU^ql$s&EA5qnbPJexv zKD~3$&d`;PlTl@@m8RSH0)qeiIurVLL%;%O=ArI+JM4vm+1%2;Ek@e^V+Nu z^$eE@@bRe|b6Ec30>JeTkp|35U6)Iq{O-q|%-n@;n!y$ucN1mtoQ9Npt+KysfJSkz z?)lvM_$R>>|IA;-(F=ccakHKyRc86{{*NML+uJ%g2!CB0yut9%-DE_o6dhDz%(;TI zGujNq>9!}%jg7L0^K&}0nZoTFS&1!`7O9-~+DN+3l%`@D!|!fMnshbbH=V}E7l1|q zy}C^kh+TFoFX9z(>em%O6Gq?8QwSdUTFc|1DbJ6ap=(%GLgJdr1EE8IDZ^2BKhAp+ z5(?}Ft9Js)89yW@;(K~mx<#^!#zoH$@GkK1@rA~qKg+*&d-SqP8)9tlC0?U3yb+9zNsFrhK%QNT=UmPNqzk3(o$7ijk#tzvUt;op8LYwYEgN>7V z<;rYO=P!f)^-H5-bAJsW5#BLvs9lJEPw(8fs z`33Atad~+b)X^TBT$C%1Y~v9J=_TgESGOsR?ayCOFXc7s`TT!&`s`Bwhuol2;+Z!#{M=UBF+EG zqla#WlB0)k zM{}CYh$0B6sOl@-N)Ve%gRft_xEHIy(Avt& zYjGSK9sLB;vdp1R`a0;ElA2n_69*G@idZf*>iKez;@ zpwiZ{L%NxrG(bzlgdAIGKeU1g$MeN^nmqK>m_wPYyga?d?lYZLauO1SocLVkePc%4 z*UD$mr1p0m9f?m4R9Injyqkkc{?~b7`nr+l8f4S z=jCx$9t;cZHYNpi{`lc3!2Z_r>m5(fnLxQ{?&mY^LJ@U!^vmV?yozF5r#DWDJ^4ml 
zW1t;neUgpJs5!jdil2P6nALcNkMR2SxzqDsOG;Dq^-A@M`b{hg_qLyEDGe-J_nSMI zn$80>llXpY{IV>WG zE$7DmvLM!{AFyt*Fd|zbJ0QFy45}ALB2^c5QjnL(BkwCIi6NSrnG~Faot$t4Y?2XB zT^a^#83H)3-i2Dj{NM=m+epi&Sj9G*ga!tNk2E!L?np^p7k{M{n2>v9zVABdFuH%R zGc)es0ws8af2H0{KhY=SW_uc;!IB0N{MObLnD)>|!T6clalgu-!1*Ktc6@4jD)dKD z(2DK7dsH^I8(7BH{2$XzmYnD81k*o$H02suYY6_%%U9`herAUukPr|~wi-#={fs|lbsXRP9;6JuV^(@6+>OKPjmf^`U_TosWEi(fB z3}s?c6c31eB7_IfT0-DCKX00cUe=ra@vT_P($v(n*!ia;^Yx3{;n(LE7KAcw1@oMm z)pUl#E6nh^yLlG-f-m3E)y0>WZ;;Ko@8mEhgF<6-_$Owf!kC#{zZ!@uUO5|vR4(v*kRxa9!?zL z-MTH<^y+fV$DEv*Ia`e5ENScujalwD(ZLZcPtQT5$O;GRFsegVN?WEQc6Ke z8tKjf1SO-DGcq1zy?G@RhE@c6NOiQ~#q7>EHI{NckJ>S{Vf zS2Q%v98!-KAdagV@Qk3PrQI&d&a|_L*0Q&!Y84r{xo(U`Z`gi}#6DuPixOZY2P-BO z6VoAmKCWnkgl@)!LFMLio*KGM5*ef%)ioc)Z+>jomjbFKqOvk%>Xldhx}M<`1Pry; zjVu1}|2j%TL=wgA*P1N64xqEz(JBuL#Zat~K>%YqL@PvL zRBe1>VrgflZJVhTmU{LX*fZEY;lWXRD);yUpTzl9Db=9&;XQ6%zP;a$G7E@h}vK$R0dY#)4;@x3H`lTco1tm@8;caGg7W6;Po^Ml3BI zyLIap&?fKm@}lyLa}PtXmEYo>_xP~Ohlm|1sp)#6rBR+yF)_Xukh^fDmcx^a?)u}p z3l)NJ<7^Vw)YLdmD%j(da>c*hab?MSboWC>#+u6<@CxW-6GF}!bnq@J85tdHyt(_Z z+ZL^5Wl^@O=-@yiEG(?+Hm700a-5Oz2@tnfEY@weRF@Z|{%gZ|TkpyxrmVX!n(NRx zuOvKL9*wuPwy5@ur<8^HehUk8i|6n_>E3PgR4DAhPfXmITppA(7c^ZGM!=ev=e~%s z=>|x#USc`voKxb-p_~?)os3fU_GUwHDHlI!=4A>Vw8h|@m!{DB{>>8{=hE4bn~OED zHZd!654g>q5nZ2c&4^7ZX987S#b<}#%!wVoqcs7&v_Ofho?HAm^0sbgHVs*AYj?jb zaY{LE2*bu_UcbT=yWA2@A4YWRiGqjC-a!M>MyuuhT0OVHM)Dp51sRz`Fl2MT>3OD$ z)~nQ+8OEKRuwHA|nMfC0QQs^KBPOJ)a~Yur^7>|(FUMjR$u~w0`d_S4OpqXnt|XBU z4Vd7$q+GH;ShoI5+VupmIA6wWZN%L$s~T0#YVs~uH8p9M_ctT}Li0ezQSlGnle{}T zKwZIF>M=pNTrwt^?=dlf9di^<&&-@!72Q*W#t5P(=%`0VdaXs`;}bRquzTO{Cpi^) zca**^$98t6yq@(gPE}}bf=2hzqr3e{GUJ&rUK{-6$?M``jmMBm<48TdB9wGmK3tt! 
zE6S5b!k)d-eH3F}7{MUu`fS~uw6cNIH`<2(qeln#e&PNYU*)GS2`}OrN9z`>`cYAK zaky*y2T4E-ZLcuK7Yj(UWm-N`B=;zNH zFba3hb-;puLL-?C7>%jEsmY8pve#Wgy{&Y4>DYL6JeyXnMI`t4ej1z7|J+@`wwlJg zU;2^nbdHA)d4F>S*CV)FkM~#~tjy;+jem|)O7@XLe7}8rcEHzf6)$=|dZHklMe@lj zDI@Jt>q5I5alsAg^e+e#a*jEg8XBtJ1&>b3H;XFc7coB99Myc!^JMm-_Yv?~Z0?d) zYH~GOT3J}66cx>9wPl{-_>HiXarI1gt6SUKZl1e!p~%V2506-E14~vCuQPPVQ81X;Vdh?7U3I91#xB}yf zQcDeEL(+?jhzolCn>lmHZCoThKl|gfS9`)ojy#4*OUJKL*wb(93?fd_soz!YO?R%> z6_3Y)kpeq4mOJdVoc-8)f2gdJeCM+Lx?X-`tK_4akrV?X1H=-=WWK2ae&+-b1!mt& z4}n>c6s8^z4@WGt0J5(gAl;u=IL*h$mewp=S?jLDOaXF$qNyycOpu;(aNRWzSojY9f(m_%V9bpk9#v2xkjv1L&N00tA-}qRyGCvsVhwx=&O6dLQzys!hw4FhsfQNA2p8;1djO=(X zEiVhF#|HZoCN`tGwQ%6mQzNEGNly<+l=1@V=MK4Xy|ToZR*BcbChH-h6v+SKm5)4` z?7*{}V0SSEOkC5`XQ9q$-kl2B+dcjvJ)Ki@ojoK3b(7`kbxTWe`G^y)65$XprKYVd zYpX8}H@nzd^*pR3hf0V;=7z#q^8|E7_#bB{&#_|^6()U{nKme>Vi%N z?j$kIvQGKoR=G*-Bd(FiHJbB0Jn30kODMOUh4Jw-zyjx9lZ?#L&wmMBvW^Zj8I!9x z&}?b68i%qPH=YAnt*W}Zf*TBlHR_X~7iC_afMVR`hadTQ5F{as^x<-AauSWiQ^=+F!hq&#p| zuU>Rph1R`&Y4@9qShBHr@L=gkW6~g(%kUL!QPA@8f#AqUyJ)$!9P74msjmC??_&;* z-ZB_g)7STD@?+G&sQKzSIv&S@g^zU?_f@lZig3!t#(0mOQG3L&`HGbr3Ry{$w(C$f zSdrJ}>V-e-=7KSsc4b!Ru&^HF6%#vZfePAbpq4=aLXI0q(N?|d-R{T8-e6sC$p5Xg z)4Tq_YGY2`lO@Oa3n#Z~F&$}zm>~3KuW+9>YILj->B{ot_X8)6i72%77>f*lEd9bT z^u3cPZK_~d_J>TnIb|jW+7M_QZP5uIJ~X)YAcur^+^>M`q;7qoJal?`x;v!leCEdB zGGCEp)l0h=Ovm0b(?XsphPyQXu0Pah$@`xq(A%}c=yH-dYmEQGte*IZlgu_WKhRRV zDrFc`JBN)3$UoaGf-WN|{>E3s>0;`>_D1}SNs(>eTi)^C%g^}bqgj%3?mb;&*;d^6 zQqNT5j5*h`1qA{S~l*0m=x!WKohdgstgH~aSbu@t^5g)Z5GU((L3*NnM# za7)iKrNt$91wVg&W@}yH%Y^fYbIHfRKvgZRt1e15Y3&x4mTyuD!sZ1AV|s;Kk;bpcYl@0@;OR5# z{aD2;t?T!$?y9ctS3%|c)S`$NnU@$uoT*|AULCuFk~uAZ?1?f@QlXXTr3an%Mr9a? zYEibaVF^#`)7;La*`Ao1+U8nQZw%GFEP=Wj$tq4d+vY4FuQo;~7bG(+dA+w?U>%X5`DzTrPQG12dYD)ctMATjSgvm{ z{2C~TF;hjIeXlI$_#`;^><4KlAGy={kYv{CR_;Y$)LJ}V2yja(QlOyi>Xk_p z&Nt3vKKAv90WQUKTz2+Tv)ac;hkeJK-@fIT#v(`FwsPn8WJb%@x?Md>dYzXxbziHR zu&_filo2`k`!{bMiehzdSZXu;Bj*OvW*rJ!nE;Q^WQ)fW|I%9?^Nc1Q=<>$2RSTN@ACi2! 
z4F8$rLtJL1j3HM%B_O~GQ=hW3oL0!eM;*AshSN{4f{cEjpWa?V4@~rr30SsUwLXHO zj&7UcsfhPc7njwnyK(8&+wu6Eq$bU=j>TfB+5SSN+_br*hQ^$Ztt}$JxFu8b3&)uT zSdh_dnlHLOi!IPHQxNZNaXJpz_S41W@dDTysb`wqfmmnO}!>iPdSox5Te6sCLHtbk7=Dh zpK(L^K{g*5(V@b^Rp22R$_ABn`l%q`;%=GiX~ga}_qR&lgODl4iJGN_@Gbt``g9G= zu8+36W~Lt->Y83(0KRaSoRfQX3dAYQgrmb)c#i{|;Kpt!-*Va!yQTijW%rqM@d_8D zZb9r#8jRrjs#~%2y8Lplab+#e`I6qIC#$MQ(KeO)zw2Q zE0Ka`ieo>ct^w0@??gv?;76a`lUljjq*rqF^T-&5{AhUuEiEi+twoFh8R^JCNaI1n z{~N0C+Lud@0N{@IRPJ4bM==H1(AtnO?Gi`fD?vRt;U2}5w{QLL?D4btft6y|UJRy9 z#(dd){EmKXLB&>vde^(5Qr_Y}K zP-6r46g(jZ5Wud3IS2GVqTHU)R$-)8EL%T z2fuO(n8yPja_!jp7O3>fic&?lox>o8QTx0HBHy(CpFDYJ$*HaISgu8Q(o(8X7Q+_sPr1 zjOD!^9GaAKSfC^J>(;_ozcsp+ZIG&|tsOovM>IVB{h7!%F#iw@W^?SrfB=V$SX^AP z>YY23U(A#3-hJL_&go>)14F`J%qiCOFP^bu>s!r;y&=&)4*s1AbkZf~cvQsevLwJZjQWy4c!U_ln*a1*d#+KfW~< zcHSIfxpxO5F<@?BVi0#ci^JXdh{Et1loNzBy5xNw1s4~W@CCb==Eqg;TZ>*}cWkf0 zx+ank9vp0MEpo4Hpi@+6W6zb1bcTtsQV}z^xS` zca@Zs629`HN#A`Bt}-OJ!TOD_{&3LL?7Ax>BS24fH(Lv^rFSz(0YZDTOy@6LZhG-f zo{EvtztMz){Y&z*_Dcw;h77UsVd4#B`h3*XBPaeVeK?nR&($lG&qA8@E}JjAkr3kz zC8bj$B1E6{6}c)!C>5+-B`;D09m{07e_!i-W=6lhd7**6JX~p5@ZMHbykfE|rU2gL zt*kX$~J(H?|NHd zRdjsOUCeo!A2sGh@HOb`OY7&-f!ds^lysw;o5}m(N^J;^CDk+^O~rWJQD;iD{J6~RcBg2Ht{zdUlP9|;%W{cc!}UM_V@V(`!FDtb$y{$rOXIf! z<+fIEsQ%UH-1(3&i{%o9m}x$?UJuEfb%_jOi85dDec=IMf81kH+sn$OpCP*W(c{Or z)zs>ToB52lBlI#T2&}c*l=qsQyaFk(nX$396$^|^Oi%%NxYP&eeRa3!v2N;Vx;1-; zN^ER3D$`e)L@s$Ob%B$lUw9Be%G}+apV2Jl=KqZajBpVcg8K#jg~cQ7>Rbld3Hbcs zEAyvDM?KrqRQQ&bbjo~)4{tz}+!WKkMc(0#Y%7cm)eU}>1B&Ko+ z2s|85*}Gyz=bb5B(1GbJb7Kw(A;BD+y&)HI!+4-*j-~rfQa15;wFw$c#kx09ll=L! 
z4A9yefu03xa>t~!_7C&Bww&$G#@5z{Cr8E7tMuf2M-&tk7#0SOPMK?@LJz5XMsdnB z$Tl*FlJ4T9ITF$!y+}b;l^?2-VU~FQb-8kzd~-7hn7d>|11K@vzMEp;IeZ>-=O+*` z$z8^cZA0N*4<@*gKJ@wGRB0V`ldbnQ*Mr!SR>V{$#v)?`VR>)yn7m0QcZjp@{bv#1 zhkW*X!vT~f%WVT5i|dtjKo@q+gozARO|)p-=^36fuQkh8_s!xC0KpLxF{qeyiMnhs zqSb6_xN0XNV5a8C;d}mZA}+_dd}$(15;xy5Np##Vb6bG6;w&T?`(XzA9p@wP>HfHs z?0d*GFGaGiJ2N+d&l2~lH0(&dm{h79{cLM7nhhB?Fjqg~{0W6oc653gqGW?WumltK z2w48CcghX3KSo&6{%Xw0$fZt>4t=*rTZ9_|&ffDQE(f&ADzum`S~XM7dCSVqM{ zbpw|o)~BQ$IfGsdC|Sls>gv74mOPIi*By=vD4v{I+}KXAFB^p9)kii1`3zDL;Q>Ju z>bJk^RND0xzi`04+q77`1R@p)N293;IccBX#Y;LdcHy z>(`{To|XpA=09mgX~Q4Ijrv}pyZ$ZffIkSd)&6z|lLU$EYLzA9FZM8(B}!qBYrxQO zIaNidO=bMJp+qv}yh%+sxMCxBXEDGS?qA{E-|FFb@gX?zag)3@`>#d%sw(OdZ%n9p zazf@aSZ+%Ec0oiIf0`h#)!k3ggYPcnQP~+a-&xp~_LST90CU4+1;5HNqweU|y2@*L zYclO*YgLF4drzaWKaD}Ek_gZk?;^UY%0<0h6Fcww4_`B zM{<;%`oHlQkonb&m@ElL(~H_(fDEzOmZ3W2-r~ar%|LMfjIH&d!T$~X$7oVz1?G*+ zW>YWem4%^ldT)>Op)pxMQ8C}pl#PwMgmwa22AD*n2&nSwz!~iZUewUkJYFGJ9bxn$|T}C0$TK;>Xg3xchWO=hF39+%c zDZsmX415S6>Vx=^?>Z+3TpnBqcA+z1)Hw}4D^BwTAJ_RG@2Y8jqfJL2d$GhU{TEkl zhhSEECz*}kq1yfBj`=wR=%LU%(@zwqR?OkJ^M zg)rptH^jaTD!yxnd1Dmfyk7DAQQKH;-xn2C2!BwXma!c=g*bLBv|;E)z`z`ruy9<# zNI>QBGc~~lZ%oXx*UQxeFWMZv->oXGTW|t;qCV@jxy(DctQQQTs!ClFAZn;3RyrJH zXLvk;0UDnjRMFNx0<0le@t!_wPfqH~u7WgE4#|9{jcw$~kwte6dye+NQeObi4e0qV zd2TIU<@%0m^Y0X5EU=f*14?p}+*k0A-e+o=^LzKIB48Lw5iS6s$@pm1!wRhr3CUtp zC#fH1Y~PF_f2)5xBH;3%d^d3G@J{=H{mJ2zalbpNJ{yy930YxcK%7)zF5U1P%dG zgfw9U2cMI0E0Q%2FeLaY8j;?$=pVM|?SnjiV8y7eu0cR{e42p~N9FDuGj{3A7lePy zRd~K?AO4V0jE`+An(JE$Um##bq z(E;VsHSN07RzgJk8~{GS;JVyFIbRth zvl$e(KFU)p#Y&KG9LmSMn*#y@piixs{{dvJ5VKWMR(2+M0h#v}RP4^4=2HdLSB#mW z)HOWS?iyQ>-N2E5F4C4po(VRU5^ZqpCl%7x*o;V0vkI6aF`>!HQA6ck>8jULIy!&tj)BbpwI(^iOnE9k zlY7*;w0Em-sur`pcoAFfMY+dCW+M>bbF zG)tqX#1*)dKWkAIfkfJ-4t_JoSEWxehs;baXkNMa*6J2K&sYCU@%YPq_7`*Yr#bB( zKJ<(1hert7$v@~V_|SOPM;)0s)PSPtBhVEIT+>N$gRsh(TR=Xop(y^P`wU?k`|Gpt zg$Jhl1YZshv%{@C!2ZULjVnwgEw!|$)w8v=b$pV=n#LkDSU2pme(t5Ke-TglNw2F6 
zhe01UYk1l$z!(mV%Fp@)J12l-(2@UGOzJzcrtrn@VOCZlfGZM^ej!2q*-H_!T#Ul~ z+td)-$qG@~2vE=6V7~%n@m`=62_@;f49Tp|*dWh(hrc`!}|<8W=@lK)7FKWVmv5&6fJ(11 zrh zvp?cmcaXdYcA(k);C$OTCE_ux+nma2(ZGQ$H=L$iTIr~)$FCak(}O$q#8)X%x|rrV zB~hiR3Q+8poeT~S6G{YhoU!Zenb4WT=T+=C8mNzvhH6yD#1b?mAqxbLmRb9^Z?IEB zy)7DOj;%H{i1jrV@H(eBklnzk5R|6>UPZL?F6FQ8zdazALe42@CAGRrzOl)G`~FT6 zl+4Asvf`A2!Ld($vz?utkZ~w;^xZ+sj1azlr#$Hau1fm&Htm(QTo>e43w z8&D`;UeG4kfc*Xaga0zfw4?WDlgj8NH1urvWPf{b-hulOQ3mkY%CY$}YZ-%D+9s?N>jFW%Jwv?nO%*bH0viPvzG?vFs@&zDvejgMQ?h6;le0^!Y zO09?4dHlAPXyWw!fibfv>QgRlv9((~(uz5RAIm;3_wHe5=LwMWzToRjmL%WQy|1X) zYj(Q8PZd<-p@V_AF@c0bnl}hN8$3;tTDrQ`c)OjrZ%?UMJvR>M+R{NFG>i~{HBu(w zOFw>9O;b||1XA*F1ERLux1%&zm;}kG7-+A4hv^ZJa0r`zjNHwHfDRhu{-*kQr7APK zQ$pk8*;On`ubuk79H@0(kTaWz2YTNX7<|!U*7ati&oKu!Yb_Gz1?-fCsXnz$(q~QepiDO?~9M z&!7FD<%Zp6iIJ{Hd(S+#>h)!h39OfU5~=`_;s{*xEuE9#djJU@-eA?eH>V*}*eLHX zn&{Ky6|6@GwL&m~Y{gQ6*VW6d*as^9-d<{lr;-+wIC4zjB^UCL^n!9-A*Vz1Q0y#m}1@!4Ri?L4QYp&G&O6@S%onf+|M*V14DC zDBL9NFSsx{JBW#{^iG7466lgZCPkx~3BJYojW%n2kInUBUFDgX8IRp?WJhNTV)7Yj z1|=PpHHle&=S{H6is>*zv*pkb(sc4;+XbfNYc?2h6Iq8w%=)gTuMBnvouJSlXJI+!9*}WX%Y*rqo3sFk zn{I$dF!AOuG!pX`0wlj}yy)?8HM!nzPf!gikv;2!)s>$WWMv;;Qv0K#HI$hCGxOgQ zBYKvL20i2`2u>$hED0{iA>VxiSn0Rc!lxwBSc2hZ+|FpKO%G}Z_P{?|Zr^j7{@C6v zYiQYcbk8>K=1ofm7+pEuV;~xSsKmp>G}{zN1~AES_8OfMc*6%HVOe)eV3PYndwZb3 zT>rV@)k~Lc=wZYUb`A(7_Hjo#8N|xpym{{5Rk6<-+t|e(H>@!@XrR#rqU5D0R>!?j zrMe$>Ya%ju)ilb<Tg z$$QYR)y(DF)qVZ?741D4#uO3}F`9?*CHbPlwo45!xiN5~`R3T__V+x!6~^4qO*J$e zMS!_s0~^E!>GtT}a_%6Ay$&Nf1fuoIOkecX7|LS6!~LVe#il|1FYA ztEf2OS5R>3k+#gH{dYB39ARBXLnOWDM{ijoe78-#wFs~wLQqA|^5xdfxkl%^Ax%wb z>B)#-Oho3^EninNG||__#*o>TwvmPXyN@tq-;Z42u(5bccu&Nq;7Q6GM>YeGKqz?^ z4IYm0t9befS2@HRaJ|0P~(^WHT|)+Pd`M9|W{0BJ4czD$tw%=#Z@*y_bQPqG^u zIKYxoT&!Q=qLtfLJ7S@?w^=mjyfC!;3`q$R7!1*Jy|Me8n+O9g*L-{qApUDrZC!(^ zx_R({U+p7zY3$26o}gUmE9n^-Z$5u+Uq^X(9O?e1ie38jsXJ!}?26Au+eNm)^2x<* zo_rAc-*bfoHMT+Al%F0uZxP>=w=xs3VHW`?hgiG1{iB&cXpsU92uT_>^qT> z+3vCNh8X@n!M5Og<@Wd61XE{vwj@rPiILIr!Grmq#f(h-5xF_(+3$TTYn69j!Rq}W 
zk_8)cRo5lqb$04n^8{Q}WOTAJ5rOmLQc^S@ShI%qH}&=FqX3k@Td)fYKkn_N|LG|Z zx6^;w9Tb3EJ9UbySIy!RY`6zi)SZ?|4wP5*#_Ov-jk_A47IKslEX~KQNo<{by1Rrw zy#8awN@V-2&qq!k{^+qb9M?hMuWRY}3wiB^-^Un8;$n@#?rb*6ZDQtA-9T-*v$H4< zv(L$YI4xBwR6eI&&KVnQh{U&Z0+$*%Mm#vO0GAau)Oiw^tLS}_miA^>o3-q(3KCRrg$*4d1~ws4T(>nb%c;RRA7@~wN(sRkG;bG8d}|*i$bK)4rB3wg zZCd>cH28gz>^QY$%!n00wgU#p|T!2{9`0=76{0?754Fz8p7tlabNi^Pf4lght;)oA~0jHBHaL5NaHL=yXAvlGo()Q0hH3?ZIX6Vb=dur zAkk@N3idmrch`eLOK_>UowX8i_r-Q2yAdp#&vls9pyAf7GmRmywMCCPOKdI=_*P9g z-qzHt+d)>e!Oj4;+}*`^(V>q?_it%idQ2VMwULY!bGS_KV(c8+(XR03gdqhi-8gb% zcz^71$=9gWMjgmb?lT*RMC!MN;Y9hT;fbr?AZb1&fOz>PlXR?J+4|O! zHH4g`M6%S4H`4qpzK78-8}oFHZ8J}vGpr4MLx33IDgqTkyYM{z`8F1E=D?d^b|G*}m zzacIu+DCLKK@|0Ne~cr>PZ_OY*Y{cLg@1#%ki%%9=TlA&N9A|yrVoRI6Q#q`Pl~I+ zJXP0R5~0y*@K81;%twts`$zUqIpO!H6|^w_8>hwJc=bPii1)sJ?wvUH(K7a5po%a( zb$z^r{;$6%a|iODeFFUAUsGFufB9dC`7bd1A3qf3Wc;hWA=8k9bNuytQMq1gqLmz6 zTyhMjl3qUj7L;c!ckVQB6^cyK%V#=YOlIyL8_ZMb5q1IypxliG0&2bjUq+Z<3jWCtCIJwH4TltRpC$Wlq-=W( z2d#rX?(zKja~LQ2Cm+PIG3K&~mrQ-1aZaFOl7VRf8e{-%sW~~Ueha8|k-g0-d9dLk zU?s1neHXY4-olDGpg7uwn~9IZO9lod7D-pZ2jl$UXJA(5#`oC4bki}v;bB7n!u~&h z^8c`1tzO_paMqbuhII2}$1Y zswcse2$cEx8-Fkn*jN7n@RqC=X}2U-`Yk;<21_XVha-(rYb#9l5R_^6`4aPuF*XA` z(bs#W33lr;j|&(%B_BslYF)iv-ZY z2zE=v4F#s^t<`&XQP%r#ve*g$b+JO{l2p2F$EUv^2dqmJ(4>03LW}RW{Zy9;Rd?eg zs^BnzWrz>Ez;U`dBose!&-}Lx3ysQwX-FB|US~l7d<4V5jmX|!TLUv80(nb`G20 zoN3#+fGXGw`DmfA4JKPlQ`4B7d=jr`hi|y*}-aP0kj)p2(Q8~y;DQ7G{cbQvy13ax2l~SyfYcF4lB!|~`+rU-hXWWey zAM59{^HJggU+nC*?j7v6`Bwn}{{76Ef4p^@-5%xoAg@7x`SwlT_jMEuf@osuHP{Rm zG9gQ(CHK`HCt-96lx5$&W$X!Bmbn!|6F@?m-`?4I7)~NsC!?~?>GiHDD_J04fORP6 zbl5sT8JGejEco7X0|Rre1U}D@qy5xx^3%z7H!xhW%=H+TI(~VVWDIj#U;pY&$wB)A zTdR0^4-fH5&q?i9$&!&ELLswJwgVLbu-n+iLEO3MTrGuFj}H}ZqHG7>KI~>CT3jsu zDwf^fFA<-RP~xqck^7@{@(REki9*!Xk=sDua&e{dAOKK6;touW6ubdCkkAfF@41T$ zreeP&n!lNydIfjEKfP`5 ziDzMEe$;9U2If;?%yF*OB6bxePd_a=n!XAS-noOr5jMz8q}^|Q`M?i0nT&ub8SmT? z7>6-*{t=!nC+zJn20ju8I%Kl5jpJ8b5@SaM5MJmL6m$|_&a Jxn}79zW_TeIBoy{