Framework/BugLog/BugMetaInfoProvider.ps1
|
Set-StrictMode -Version Latest class BugMetaInfoProvider { hidden [PSObject] $ControlSettingsBugLog hidden [string] $ServiceId hidden static [PSObject] $ServiceTreeInfo hidden [PSObject] $InvocationContext hidden [bool] $BugLogUsingCSV = $false; hidden [string] $STMappingFilePath = $null hidden static $OrgMappingObj = @{} hidden static [PSObject] $emailRegEx hidden static $AssigneeForUnmappedResources = @{} hidden static [string] $GetAssigneeUsingFallbackMethod = $false hidden static $UserInactivityLimit; hidden static $UserActivityCache = @(); hidden static $CheckForUserInactivity; BugMetaInfoProvider() { if ($null -eq [BugMetaInfoProvider]::emailRegEx) { $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); [BugMetaInfoProvider]::emailRegEx = $ControlSettings.Patterns | where {$_.RegexCode -eq "Email"} | Select-Object -Property RegexList; [BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod = $ControlSettings.BugLogging.GetAssigneeUsingFallbackMethod if ([Helpers]::CheckMember($ControlSettings.BugLogging, "CheckForUserInactivity")) { [BugMetaInfoProvider]::UserInactivityLimit = $ControlSettings.BugLogging.UserInactivityLimit; [BugMetaInfoProvider]::CheckForUserInactivity = $ControlSettings.BugLogging.CheckForUserInactivity; } } } BugMetaInfoProvider($bugLogUsingCSV, $stMappingFilePath) { $this.BugLogUsingCSV = $bugLogUsingCSV; $this.STMappingFilePath = $stMappingFilePath; } hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $controlSettingsBugLog, $isBugLogCustomFlow, $serviceIdPassedInCMD, $invocationContext) { $this.ControlSettingsBugLog = $controlSettingsBugLog; #flag to check if pluggable bug logging interface (service tree) if ($isBugLogCustomFlow) { $this.InvocationContext = $invocationContext; return $this.BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD) } else { return $this.GetAssigneeFallback($ControlResult); } } hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $invocationContext) { $this.InvocationContext = $invocationContext; return $this.BugLogCustomFlow($ControlResult, "") } hidden [string] BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD) { $resourceType = $ControlResult.ResourceContext.ResourceTypeName $projectName = $ControlResult[0].ResourceContext.ResourceGroupName; $assignee = ""; try { #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA #PA members can fix the control if($ResourceType -eq 'Organization' -or $ResourceType -eq 'Project') { $assignee = [ContextHelper]::GetCurrentSessionUser(); } else { $rscId = ($ControlResult.ResourceContext.ResourceId -split "$resourceType/")[-1]; $assignee = $this.CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD); if (!$assignee -and (!$this.BugLogUsingCSV)) { $assignee = $this.GetAssigneeFallback($ControlResult) } } } catch { return ""; } return $assignee; } hidden [string] CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD) { $metaInfo = [MetaInfoProvider]::Instance; $assignee = ""; try { #If serviceid based scan then get servicetreeinfo details only once. #First condition if not serviceid based scan then go inside every time. #Second condition if serviceid based scan and [BugMetaInfoProvider]::ServiceTreeInfo not null then only go inside. if (!$serviceIdPassedInCMD -or ($serviceIdPassedInCMD -and ![BugMetaInfoProvider]::ServiceTreeInfo)) { [BugMetaInfoProvider]::ServiceTreeInfo = $metaInfo.FetchResourceMappingWithServiceData($rscId, $projectName, $resourceType, $this.STMappingFilePath); } if([BugMetaInfoProvider]::ServiceTreeInfo) { #Filter based on area path match project name and take first items (if duplicate service tree entry found). #Split areapath to match with projectname if (!$this.BugLogUsingCSV) { [BugMetaInfoProvider]::ServiceTreeInfo = ([BugMetaInfoProvider]::ServiceTreeInfo | Where {($_.areaPath).Split('\')[0] -eq $projectName})[0] } $this.ServiceId = [BugMetaInfoProvider]::ServiceTreeInfo.serviceId; #Check if area path is not supplied in command parameter then only set from service tree. if (!$this.InvocationContext.BoundParameters["AreaPath"]) { [BugLogPathManager]::AreaPath = [BugMetaInfoProvider]::ServiceTreeInfo.areaPath.Replace("\", "\\"); } $domainNameForAssignee = "" if([Helpers]::CheckMember($this.ControlSettingsBugLog, "DomainName")) { $domainNameForAssignee = $this.ControlSettingsBugLog.DomainName; } elseif ($this.BugLogUsingCSV) { $domainNameForAssignee = "microsoft.com"; } $assignee = [BugMetaInfoProvider]::ServiceTreeInfo.devOwner.Split(";")[0] + "@"+ $domainNameForAssignee } } catch { Write-Host "Could not find service tree data file." -ForegroundColor Yellow } return $assignee; } hidden [string] GetAssigneeFallback([SVTEventContext[]] $ControlResult) { if ($ControlResult.ResourceContext.ResourceId -in [BugMetaInfoProvider]::AssigneeForUnmappedResources.Keys ) { return [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] } $ResourceType = $ControlResult.ResourceContext.ResourceTypeName $ResourceName = $ControlResult.ResourceContext.ResourceName $organizationName = $ControlResult.OrganizationContext.OrganizationName; $eventBaseObj = [EventBase]::new() switch -regex ($ResourceType) { #assign to the creator of service connection 'ServiceConnection' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; $apiURL = "https://dev.azure.com/{0}/{1}/_apis/serviceendpoint/{2}/executionhistory?top=1&api-version=6.0-preview.1" -f $organizationName, $($ControlResult.ResourceContext.ResourceGroupName), $($ControlResult.ResourceContext.ResourceDetails.id); $executionHistory = [WebRequestHelper]::InvokeGetWebRequest($apiURL); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($executionHistory, "data") ) -and (($executionHistory.data | Measure-Object).Count -gt 0) ) { $pipelineType = $executionHistory.data[0].planType $pipelineId = $executionHistory.data[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with service connection, then fecth assignee from permissions # asignee not found from build/release elseif (!$assignee) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.serviceendpointrole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $roles = @(($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} ) if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee; return $assignee } #assign to the creator of agent pool 'AgentPool' { $apiurl = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $organizationName, $ResourceName try { $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2 " -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($agentPool[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider", "jobs")) ) { $pipelineType = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].planType $pipelineId = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with agentpool, then fecth assignee from permissions elseif(!$assignee) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} ) if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the creator of variable group 'VariableGroup' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName } } if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; # if no createdby/modifiedby found then fecth assignee from permissions try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/{1}%24{2}?api-version=6.1-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $roles = @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} ) if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person who recently triggered the build pipeline, or if the pipeline is empty assign it to the creator 'Build' { $definitionId = $ControlResult.ResourceContext.ResourceDetails.id; try { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId) } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person who recently triggered the release pipeline, or if the pipeline is empty assign it to the creator 'Release' { $definitionId = ($ControlResult.ResourceContext.ResourceId -split "release/")[-1]; try { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId) } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Repository' { try { $assignee = "" $url = 'https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/commits?searchCriteria.$top=1&api-version=6.0' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id; $repoLatestCommit = @([WebRequestHelper]::InvokeGetWebRequest($url)); if ($repoLatestCommit.count -gt 0 -and [Helpers]::CheckMember($repoLatestCommit[0],"author")) { $assignee = $repoLatestCommit[0].author.email; } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { #getting assignee from the repository permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; try{ $accessList = @() $url = 'https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1' -f $organizationName; $refererUrl = "https://dev.azure.com/{0}/{1}/_settings/repositories?repo={2}&_a=permissionsMid" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id $inputbody = '{"contributionIds":["ms.vss-admin-web.security-view-members-data-provider"],"dataProviderContext":{"properties":{"permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $inputbody.dataProviderContext.properties.sourcePage.url = $refererUrl $inputbody.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName; $inputbody.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)" $responseObj = [WebRequestHelper]::InvokePostWebRequest($url, $inputbody); # Iterate through each user/group to fetch detailed permissions list if([Helpers]::CheckMember($responseObj[0],"dataProviders") -and ($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider') -and ([Helpers]::CheckMember($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider',"identities"))) { $body = '{"contributionIds":["ms.vss-admin-web.security-view-permissions-data-provider"],"dataProviderContext":{"properties":{"subjectDescriptor":"","permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","accountName":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $body.dataProviderContext.properties.sourcePage.url = $refererUrl $body.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName; $body.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)" $accessList += $responseObj.dataProviders."ms.vss-admin-web.security-view-members-data-provider".identities | Where-Object { ($_.subjectKind -eq "user") -and (-not [string]::IsNullOrEmpty($_.mailAddress))} | ForEach-Object { $identity = $_ $body.dataProviderContext.properties.subjectDescriptor = $_.descriptor $identityPermissions = [WebRequestHelper]::InvokePostWebRequest($url, $body); $configuredPermissions = @($identityPermissions.dataproviders."ms.vss-admin-web.security-view-permissions-data-provider".subjectPermissions | Where-Object {$_.permissionDisplayString -ne 'Not set'}) if ($configuredPermissions.Count -ge 12) { return $identity } } if ($accessList.Count -gt 0) { $assignee = $accessList[0].mailAddress } } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'SecureFile' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName } } # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.securefile/roleassignments/resources/{1}%24{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} ) if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Feed' { try { $assignee = "" if ("Project" -notin $ControlResult.ResourceContext.ResourceDetails.PSobject.Properties.name){ $url = 'https://{0}.feeds.visualstudio.com/_apis/Packaging/Feeds/{1}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceDetails.Id; } else { $url = 'https://{0}.feeds.visualstudio.com/{1}/_apis/Packaging/Feeds/{2}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id; } $feedPermissionList = @([WebRequestHelper]::InvokeGetWebRequest($url)); if ($feedPermissionList.count -gt 0 -and [Helpers]::CheckMember($feedPermissionList[0],"identityDescriptor")) { $roles = $feedPermissionList | Where {$_.role -eq 'Administrator'} if ($roles.count -ge 1) { $resourceOwners = @($roles.identityDescriptor.Split('\') | Where {$_ -match [BugMetaInfoProvider]::emailRegEx.RegexList[0]}) if ($resourceOwners.count -ge 1) { $allAssignee = $resourceOwners | Select-Object @{l="mailaddress";e={$_}}, @{l="subjectKind";e={"User"}} $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } catch { $assignee = ""; } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } 'Environment' { $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "lastModifiedBy")) { $assignee = $ControlResult.ResourceContext.ResourceDetails.lastModifiedBy.uniqueName } } # if assignee is service account, then fetch assignee from jobs/permissions if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) { $assignee = ""; $url = "https://dev.azure.com/{0}/{1}/_environments/{2}?view=resources&__rt=fps&__ver=2" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $envDetails = [WebRequestHelper]::InvokeGetWebRequest($url); # get assignee from the the build/release jobs history if (([Helpers]::CheckMember($envDetails[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider", "deploymentExecutionRecords")) ) { $pipelineType = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].planType $pipelineId = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].definition.id if ($pipelineType -eq 'Release') { $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } else { $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId) } } # if no build/release jobs associated with agentpool, then fecth assignee from permissions elseif(!$assignee) { try { $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/{1}_{2}?api-version=5.0-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1] $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL)); $roles = @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} ) if ($roles.Count -gt 0) { $userId = $roles[0].identity.id $assignee = $this.getUserFromUserId($organizationName, $userId) } } catch { $assignee = "" $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") } } } } [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee return $assignee } #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA #PA members can fix the control 'Organization' { return [ContextHelper]::GetCurrentSessionUser(); } 'Project' { return [ContextHelper]::GetCurrentSessionUser(); } } return ""; } hidden [string] GetAssigneeFromOrgMapping($organizationName){ $assignee = $null; if([BugMetaInfoProvider]::OrgMappingObj.ContainsKey($organizationName)){ return [BugMetaInfoProvider]::OrgMappingObj[$organizationName] } $orgMapping = Get-Content "$($this.STMappingFilePath)\OrgSTData.csv" | ConvertFrom-Csv $orgOwnerDetails = @($orgMapping | where {$_."ADO Org Name" -eq $organizationName}) if($orgOwnerDetails.Count -gt 0){ $assignee = $orgOwnerDetails[0]."OwnerAlias" [BugMetaInfoProvider]::OrgMappingObj[$organizationName] = $assignee } return $assignee; } hidden [string] FetchAssigneeFromBuild($organizationName, $projectName, $definitionId) { $assignee = ""; try { $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/builds?definitions={2}&api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) #check for recent trigger if ([Helpers]::CheckMember($response, "requestedBy")) { $assignee = $response[0].requestedBy.uniqueName if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $assignee = $response[0].lastChangedBy.uniqueName } } #if no triggers found assign to the creator else { $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}?api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.authoredBy.uniqueName } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, get assignee from the the build update history if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $url = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($url) if ([Helpers]::CheckMember($response, "changedBy")) { $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending) if ($response.count -gt 0) { $allAssignee = @() $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } } catch { } return $assignee; } hidden [string] FetchAssigneeFromRelease($organizationName, $projectName, $definitionId) { $assignee = ""; try { $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/releases?definitionId={2}&api-version=6.0" -f $organizationName, $projectName , $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) #check for recent trigger if ([Helpers]::CheckMember($response, "modifiedBy")) { $assignee = $response[0].modifiedBy.uniqueName } #if no triggers found assign to the creator else { $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions/{2}?&api-version=6.0" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl) $assignee = $response.createdBy.uniqueName } if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) { # if assignee is service account, get assignee from the the release update history if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) { $assignee = ""; $url = "https://{0}.vsrm.visualstudio.com/{1}/_apis/Release/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId; $response = [WebRequestHelper]::InvokeGetWebRequest($url) if ([Helpers]::CheckMember($response, "changedBy")) { $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending) if ($response.count -gt 0) { $allAssignee = @() $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName) if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) { $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress } } } } } } catch { Write-Host("Pipeline not found"); } return $assignee; } hidden [string] getUserFromUserId($organizationName, $userId) { try { # User descriptor is base 64 encoding of user id # $url = "https://vssps.dev.azure.com/{0}/_apis/graph/descriptors/{1}?api-version=6.0-preview.1" -f $organizationName, $userId # $userDescriptor = [WebRequestHelper]::InvokeGetWebRequest($url); $userDescriptor = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($userId)) $userProfileURL = "https://vssps.dev.azure.com/{0}/_apis/graph/users/aad.{1}?api-version=6.0-preview.1" -f $organizationName, $userDescriptor $userProfile = [WebRequestHelper]::InvokeGetWebRequest($userProfileURL) return $userProfile[0].mailAddress } catch { return "" } } hidden [bool] isUserActive($organizationName,$mailAddress){ $isUserActive = $true if(![BugMetaInfoProvider]::CheckForUserInactivity){ return $true } try{ $userActivity = [BugMetaInfoProvider]::UserActivityCache | where {$_.id -eq $mailAddress} if($userActivity){ return $userActivity.isActive } else { $url = "https://vsaex.dev.azure.com/{0}/_apis/userentitlements?api-version=6.0-preview.3&`$filter=name eq '{1}'" -f $organizationName, $mailAddress $response = [WebRequestHelper]::InvokeGetWebRequest($url); if($response[0].members.count -gt 0){ [datetime] $lastAccessedDate = $response[0].members[0].lastAccessedDate if(((Get-Date)-$lastAccessedDate).Days -gt [BugMetaInfoProvider]::UserInactivityLimit){ $isUserActive= $false; } } else{ $isUserActive= $false } } } catch{ $isUserActive= $false } [BugMetaInfoProvider]::UserActivityCache += (@{id = $mailAddress;isActive = $isUserActive}) return $isUserActive } #method to obtain sign in ID of TF scoped identities hidden [string] GetAssigneeFromTFScopedIdentity($identity,$organizationName){ $assignee = $null; #TF scoped identities with alternate email address will be in the format: a.b@microsoft.com if($identity -like "*.*@microsoft.com"){ #check for the correct identitity corresponding to this email $url="https://dev.azure.com/{0}/_apis/IdentityPicker/Identities?api-version=7.1-preview.1" -f $organizationName $body = "{'query':'{0}','identityTypes':['user'],'operationScopes':['ims','source'],'properties':['DisplayName','Active','SignInAddress'],'filterByEntityIds':[],'options':{'MinResults':40,'MaxResults':40}}" | ConvertFrom-Json $body.query = $identity try{ $responseObj = [WebRequestHelper]::InvokePostWebRequest($url,$body) #if any user has been found, assign this bug to the sign in address of the user if($responseObj.results[0].identities.count -gt 0){ $assignee = $responseObj.results[0].identities[0].signInAddress } } catch{ return $assignee; } } else{ return $assignee; } return $assignee; } } # SIG # Begin signature block # MIInoQYJKoZIhvcNAQcCoIInkjCCJ44CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAh0SCUbHLDHpgR # cElvJVXjx9SzGdy9pCDpzT/bG/GHSaCCDYEwggX/MIID56ADAgECAhMzAAACUosz # qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I # sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O # L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA # v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o # RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8 # q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3 # uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp # kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7 # l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u # TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1 # o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti # yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z # 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf # 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK # WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW # esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F # 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIZdjCCGXICAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN # BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgdft7l+qH # GgUcDYCCKP20RWSmtQ3rMzJGK8OgPGAf7JEwQgYKKwYBBAGCNwIBDDE0MDKgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN # BgkqhkiG9w0BAQEFAASCAQDPQigb5JgNbqMlUNrhpxTpOhbbWr6FnSpX6c7Ys0w7 # frGsR6sEOSJh24eN8PRY0rgswa5EwyHSqkhcb52hMpPDXg8BGaNOZEAyfInkEvRb # n6RqiCgiv36EW2XlveAM+QM/EpwBghAHWEVuMk89/BCgjN4oTwumrEBucK98tChD # aag1FOIqc2IgLEQmVYz9rGrR6eLgr3hD0sUllMCoh4kSdZSIANJQ+vVACrC7J5+g # 5wHVWni1Dzh+444g88dRtiCB8RrsxNLSDG85AruCiBRcmxtf7YbO1RRTsnD8WCqH # qCvLVCHO5sBI4hyUOntUvQSsAELe+H3t+Bk0Rn+gCYT+oYIXADCCFvwGCisGAQQB # gjcDAwExghbsMIIW6AYJKoZIhvcNAQcCoIIW2TCCFtUCAQMxDzANBglghkgBZQME # AgEFADCCAVEGCyqGSIb3DQEJEAEEoIIBQASCATwwggE4AgEBBgorBgEEAYRZCgMB # MDEwDQYJYIZIAWUDBAIBBQAEIM36Gi7OqxRweEZ2EFfqoegHwihTji2wiLJaUSG7 # D5/0AgZiFl9AyMkYEzIwMjIwMzE1MDgzNTEzLjYzNFowBIACAfSggdCkgc0wgcox # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p # Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1Mg # RVNOOkU1QTYtRTI3Qy01OTJFMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFt # cCBTZXJ2aWNloIIRVzCCBwwwggT0oAMCAQICEzMAAAGVt/wN1uM3MSUAAQAAAZUw # DQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 # b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh # dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcN # MjExMjAyMTkwNTEyWhcNMjMwMjI4MTkwNTEyWjCByjELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2Eg # T3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046RTVBNi1FMjdDLTU5 # MkUxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0G # CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCfbUEMZ7ZLOz9aoRCeJL4hhT9Q8JZB # 2xaVlMNCt3bwhcTI5GLPrt2e93DAsmlqOzw1cFiPPg6S5sLCXz7LbbUQpLha8S4v # 2qccMtTokEaDQS+QJErnAsl6VSmRvAy0nlj+C/PaZuLb3OzY0ARw7UeCZLpyWPPH # +k5MdYj6NUDTNoXqbzQHCuPs+fgIoro5y3DHoO077g6Ir2THIx1yfVFEt5zDcFPO # YMg4yBi4A6Xc3hm9tZ6w849nBvVKwm5YALfH3y/f3n4LnN61b1wzAx3ZCZjf13UK # bpE7p6DYJrHRB/+pwFjG99TwHH6uXzDeZT6/r6qH7AABwn8fpYc1TmleFY8YRuVz # zjp9VkPHV8VzvzLL7QK2kteeXLL/Y4lvjL6hzyOmE+1LVD3lEbYho1zCt+F7bU+F # pjyBfTC4i/wHsptb218YlbkQt1i1B6llmJwVFwCLX7gxQ48QIGUacMy8kp1+zczY # +SxlpaEgNmQkfc1raPh9y5sMa6X48+x0K7B8OqDoXcTiECIjJetxwtuBlQseJ05H # RfisfgFm09kG7vdHEo3NbUuMMBFikc4boN9Ufm0iUhq/JtqV0Kwrv9Cv3ayDgdNw # EWiL2a65InEWSpRTYfsCQ03eqEh5A3rwV/KfUFcit+DrP+9VcDpjWRsCokZv4tgn # 5qAXNMtHa8NiqQIDAQABo4IBNjCCATIwHQYDVR0OBBYEFKuX02ICFFdXgrcCBmDJ # fH5v/KkXMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRY # MFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01p # Y3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEF # BQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9w # a2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAo # MSkuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJKoZI # hvcNAQELBQADggIBAOCzNt4fJ+jOvQuq0Itn37IZrYNBGswAi+IAFM3YGK/wGQlE # ncgjmNBuac95W2fAL6xtFVfMfkeqSLMLqoidVsU9Bm4DEBjaWNOT9uX/tcYiJSfF # QM0rDbrl8V4nM88RZF56G/qJW9g5dIqOSoimzKUt/Q7WH6VByW0sar5wGvgovK3q # FadwKShzRYcEqTkHH2zip5e73jezPHx2+taYqJG5xJzdDErZ1nMixRjaHs3Kpcsm # ZYuxsIRfBYOJvAFGymTGRv5PuwsNps9Ech1Aasq84H/Y/8xN3GQj4P3MiDn8izUB # DCuXIfHYk39bqnaAmFbUiCby+WWpuzdk4oDKz/sWwrnsoQ72uEGVEN7+kyw9+HSo # 5i8l8Zg1Ymj9tUgDpVUGjAduoLyHQ7XqknKmS9kJSBKk4okEDg0Id6LeKLQwH1e4 # aVeTyUYwcBX3wg7pLJQWvR7na2SGrtl/23YGQTudmWOryhx9lnU7KBGV/aNvz0tT # pcsucsK+cZFKDEkWB/oUFVrtyun6ND5pYZNj0CgRup5grVACq/Agb+EOGLCD+zEt # GNop4tfKvsYb64257NJ9XrMHgpCib76WT34RPmCBByxLUkHxHq5zCyYNu0IFXAt1 # AVicw14M+czLYIVM7NOyVpFdcB1B9MiJik7peSii0XTRdl5/V/KscTaCBFz3MIIH # cTCCBVmgAwIBAgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG9w0BAQsFADCB # iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMp # TWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEw # OTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UE # CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z # b2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQ # Q0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOThpkzntHIh # C3miy9ckeb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az/1xPx2b3lVNx # WuJ+Slr+uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V29YZQ3MFEyHFc # UTE3oAo4bo3t1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oaezOtgFt+jBAc # nVL+tuhiJdxqD89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkNyjYtcI4xyDUo # veO0hyTD4MmPfrVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7KMtXAhjBcTyzi # YrLNueKNiOSWrAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9 # fvzZnkXftnIv231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdH # GO2n6Jl8P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7X # KHYC4jMYctenIPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiE # R9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/ # eKtFtvUeh17aj54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TASBgkrBgEEAYI3 # FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAd # BgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEE # AYI3TIN9AQEwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraW9wcy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMI # MBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMB # Af8EBTADAQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1Ud # HwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3By # b2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcBAQRO # MEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2Vy # dHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3DQEBCwUAA4IC # AQCdVX38Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEztTnXwnE2P9pk # bHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gng # ugnue99qb74py27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G82jfZfakVqr3 # lbYoVSfQJL1AoL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHC # gRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6 # MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEU # BHG/ZPkkvnNtyo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZKCS6OEuabvsh # VGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+ # fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrp # NPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvpe784cETRkPHI # qzqKOghif9lwY1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCAs4wggI3AgEBMIH4 # oYHQpIHNMIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUw # IwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1U # aGFsZXMgVFNTIEVTTjpFNUE2LUUyN0MtNTkyRTElMCMGA1UEAxMcTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUA0Y+CyLezGgVHWFNm # KI1LuE/hY6uggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAN # BgkqhkiG9w0BAQUFAAIFAOXaknkwIhgPMjAyMjAzMTUxMjIwMDlaGA8yMDIyMDMx # NjEyMjAwOVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA5dqSeQIBADAKAgEAAgIb # /QIB/zAHAgEAAgIRwjAKAgUA5dvj+QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgor # BgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUA # A4GBAHKQUUY0yFFqyX/pbGq1CKjcpH0woqUQ8TXleMgW1cb/kzuOOc9PPYVeEWTU # wZJTIamhFOKchJi2reEyX3seXNhmKsw4/nrqtdTZMN9LYNOnjsJ4f3y4gLluWD4S # 4H7OcUT0kKT4DPs2nzX6ktWh/wJS/wxoG1ep0taM4dt4C1eCMYIEDTCCBAkCAQEw # gZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT # B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE # AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAGVt/wN1uM3MSUA # AQAAAZUwDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0B # CRABBDAvBgkqhkiG9w0BCQQxIgQg2VUiRcsBMJ/nlT2b8jeELj4KPnKdmgY6KQlh # f8GBuLowgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCBc5kvhjZALe2mhIz/Q # d7keVOmA/cC1dzKZT4ybLEkCxzCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwAhMzAAABlbf8DdbjNzElAAEAAAGVMCIEICZGiJ1qg7458mSsFKFF # emgl4ex6po7KOsf9OxKL6y7QMA0GCSqGSIb3DQEBCwUABIICADXbKhCkeqEoTIRL # z8QzX+0YQA5/Q1FCzpqMMfSHKEKJbrzFt8eyhNqu+xLuwWE54o2h5MTJxRrlKKoQ # VJhfP2G3Yz+7sQ6w/rtuuNLoEKoTv+ggVWg84ybsWlP5JHby3GseEqsV7s2+xxA8 # XQw8FdcT+RnoOF84xWhl3JDDvwW7eyX6zndOkU8TdESdH6x9GLfQig7kKXIU8c8Y # qIeykogVWML5XSGltd/sL9lLMmilyiM/7P/arZwf8OgI2xmygE1HXWisbdMK9LkA # nWSVIOXU5+/dubnsdYBhWnbaRwsH3x3Ddp1WfZBisc7kIuo2EyXzapF5df3RKu/O # /sHR23apSSkkun5QUGyPzFK3tHqC/b3xAqrfp3CMuMOMJ1KveU4oG5Bzy0bY+oTr # aUccfUjdUiFeZzp3U44+GICN0pbIJT5paQKtU36nFlC6WBDpEqcmeHFQXH4kyn9V # n5tW1tGw4hkxeGiT90qxBmBJoPbSmZPexet66GI//s8ru2LrWcsDrBZPHD/14g3J # fqQ+mqYyH4I9JskfFalMn+cXh2Ki6NjnwqJfu/W7/iTZcZN+kui87hEyWujjNmOH # r+1/b66u7MOavmPT9CocTXEahz9kaGKD1BE3W9gUUKgpbN6jMyfqTNw+9QzkmSJG # ggClh2OmfKiOzUzBbU/tF4Ycu3Dx # SIG # End signature block |