Framework/Helpers/IncrementalScanHelper.ps1
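Set-StrictMode -Version Latest

# Keeps per-resource-type "last scanned" timestamps for incremental scans and uses them
# (together with the Azure DevOps audit log) to decide which resources need to be rescanned.
# The timestamps are persisted in one of three places, selected by the scan source:
#   - any source other than CA/CICD : a JSON file under AzSKTempStatePath/<org>/<project>/
#   - CA                            : a blob in the CA scan-progress snapshots container
#   - CICD                          : a document fetched/updated over HTTP (extension storage)
# Security relevance: every resource this helper filters out is NOT scanned in the current run,
# so any failure that silently yields an empty "modified" list makes the scan fail open.
class IncrementalScanHelper
{
    hidden [string] $OrganizationName = $null;
    hidden [string] $ProjectName = $null;
    hidden [string] $ProjectId = $null;
    hidden $OrganizationContext = $null;
    [PSObject] $ControlSettings;
    hidden [string] $AzSKTempStatePath = (Join-Path $([Constants]::AzSKAppFolderPath) "IncrementalScan");
    hidden [string] $CAScanProgressSnapshotsContainerName = [Constants]::CAScanProgressSnapshotsContainerName;
    hidden [string] $ScanSource = $null;
    $StorageContext = $null;
    $ControlStateBlob = $null;
    $ContainerObject = $null;
    hidden [string] $IncrementalScanTimestampFile=$null;
    hidden [string] $CATempFile = $null;
    hidden [string] $MasterFilePath;
    hidden [PSObject] $ResourceTimestamps = $null;
    hidden [bool] $FirstScan = $false;
    hidden [datetime] $IncrementalDate = 0;
    hidden [datetime] $LastFullScan = 0;
    hidden [bool] $ShouldDiscardOldScan = $false;
    [bool] $UpdateTime = $true;
    hidden [datetime] $Timestamp = 0;
    [bool] $isPartialScanActive = $false;
    [bool] $IsFullScanInProgress = $false;
    static [PSObject] $auditSchema = $null
    [bool] $isIncFileAlreadyAvailable = $false;

    # Constructor used when only organization/project names are known.
    # $updateTimestamp controls whether UpdateTimeStamp() persists anything;
    # $timestamp is the value that will be stored as the time of the current scan.
    # ProjectId and OrganizationContext stay unset until SetContext() is called.
    IncrementalScanHelper([string] $organizationName, [string] $projectName, [datetime] $incrementalDate, [bool] $updateTimestamp, [datetime] $timestamp)
    {
        $this.OrganizationName = $organizationName
        $this.ProjectName = $projectName
        $this.IncrementalScanTimestampFile = $([Constants]::IncrementalScanTimeStampFile)
        $this.ScanSource = [AzSKSettings]::GetInstance().GetScanSource()
        $this.CATempFile = "CATempLocal.json" # temporary file to store Json Data to upload to container (in CA)
        $this.IncrementalDate = $incrementalDate
        $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.projectName) $this.IncrementalScanTimestampFile)
        $this.UpdateTime = $updateTimestamp
        $this.Timestamp = $timestamp
        $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json");
        if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey("UsePartialCommits")){
            [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance();
            if(($partialScanMngr.IsPartialScanInProgress($this.OrganizationName, $false) -eq [ActiveStatus]::Yes)){
                $this.isPartialScanActive = $true
            }
        }
        # The audit schema is loaded once and shared by all instances.
        if($null -eq [IncrementalScanHelper]::auditSchema){
            [IncrementalScanHelper]::auditSchema = [ConfigurationManager]::LoadServerConfigFile("IncrementalScanAudits.json")
        }
    }

    # Constructor used when an organization context and project id are already available.
    # Unlike the other constructor it leaves UpdateTime/Timestamp at their field defaults
    # and does not load the audit schema.
    IncrementalScanHelper($organizationContext, [string] $projectId,[string] $projectName, [datetime] $incrementalDate)
    {
        $this.OrganizationName = $organizationContext.OrganizationName
        $this.OrganizationContext = $organizationContext
        $this.ProjectId = $projectId
        $this.IncrementalScanTimestampFile = $([Constants]::IncrementalScanTimeStampFile)
        $this.ScanSource = [AzSKSettings]::GetInstance().GetScanSource()
        $this.CATempFile = "CATempLocal.json" # temporary file to store Json Data to upload to container (in CA)
        $this.IncrementalDate = $incrementalDate
        $this.ProjectName = $projectName
        $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.projectName) $this.IncrementalScanTimestampFile)
        $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json");
        if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey("UsePartialCommits")){
            [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance();
            if(($partialScanMngr.IsPartialScanInProgress($this.OrganizationName, $false) -eq [ActiveStatus]::Yes)){
                $this.isPartialScanActive = $true
            }
        }
    }

    # Retrieves the threshold time for $resourceType from storage, based on scan source.
    # Side effects: loads ResourceTimestamps and sets FirstScan, IsFullScanInProgress,
    # LastFullScan and (CICD only) isIncFileAlreadyAvailable.
    # Returns: the stored LastPartialTime (partial scan active) or LastScanTime, unless
    # IncrementalDate is non-zero, in which case that user-supplied date wins. Returns the
    # zero datetime when nothing is stored and no date was supplied.
    hidden [datetime] GetThresholdTime([string] $resourceType)
    {
        $latestScan = 0
        if($this.ScanSource -ne "CA" -and $this.ScanSource -ne "CICD")
        {
            if(![string]::isnullorwhitespace($this.OrganizationName))
            {
                if(Test-Path $this.MasterFilePath)
                {
                    # File exists. Retrieve last timestamp.
                    $this.ResourceTimestamps = Get-Content $this.MasterFilePath | ConvertFrom-Json
                    if(-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0)
                    {
                        # Previous timestamp does not exist for this resource in the existing file.
                        $this.FirstScan = $true
                    }
                }
                else
                {
                    #file does not exist
                    $this.FirstScan = $true
                }
            }
        }
        elseif ($this.ScanSource -eq 'CA')
        {
            $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile)
            # NOTE(review): fixed file name under the app folder; two CA runs sharing that folder
            # would read/delete each other's temp file - confirm runs are serialized.
            $tempPath = Join-Path $([Constants]::AzSKAppFolderPath) $this.CATempFile
            $blobPath = Join-Path (Join-Path (Join-Path "IncrementalScan" $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile
            try
            {
                #Validate if Storage is found
                $keys = Get-AzStorageAccountKey -ResourceGroupName $env:StorageRG -Name $env:StorageName
                $this.StorageContext = New-AzStorageContext -StorageAccountName $env:StorageName -StorageAccountKey $keys[0].Value -Protocol Https
                $this.ContainerObject = Get-AzStorageContainer -Context $this.StorageContext -Name $this.CAScanProgressSnapshotsContainerName -ErrorAction SilentlyContinue
                if($null -ne $this.ContainerObject)
                {
                    #container exists
                    $this.ControlStateBlob = Get-AzStorageBlob -Container $this.CAScanProgressSnapshotsContainerName -Context $this.StorageContext -Blob $blobPath -ErrorAction SilentlyContinue
                    if($null -ne $this.ControlStateBlob)
                    {
                        # File exists. Copy existing timestamp file locally
                        Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force
                        $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json
                        #Delete the local file
                        Remove-Item -Path $tempPath
                        if(-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0)
                        {
                            # Previous timestamp does not exist for current resource in existing file.
                            $this.FirstScan = $true
                        }
                    }
                    else
                    {
                        # File does not exist.
                        $this.FirstScan = $true
                    }
                }
                else
                {
                    # Container does not exist
                    $this.FirstScan = $true
                }
            }
            catch
            {
                # NOTE(review): unlike the CICD branch, FirstScan is not set here, so after a storage
                # failure the code below dereferences ResourceTimestamps as loaded (or not) so far.
                write-host "Exception when trying to find/create incremental scan container: $_."
            }
        }
        elseif($this.ScanSource -eq 'CICD'){
            if (Test-Path env:incrementalScanURI)
            {
                #Uri is created in cicd task based on jobid
                $uri = $env:incrementalScanURI
            }
            else
            {
                # The class defines OrganizationName; there is no OrgName property, and reading a
                # missing property throws under Set-StrictMode -Version Latest.
                $uri = [Constants]::StorageUri -f $this.OrganizationName, $this.OrganizationName, "IncrementalScanFile"
            }
            try
            {
                #check if file already in extension storage
                $webRequestResult = [WebRequestHelper]::InvokeGetWebRequest($uri)
                if($null -ne $webRequestResult){
                    $this.ResourceTimestamps = $webRequestResult | ConvertFrom-Json
                    if(-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0)
                    {
                        # Previous timestamp does not exist for this resource in the existing file.
                        $this.FirstScan = $true
                        $this.isIncFileAlreadyAvailable = $true;
                    }
                }
                else{
                    $this.FirstScan = $true
                    $this.isIncFileAlreadyAvailable = $false;
                }
            }
            catch
            {
                # Any failure to read the stored file is treated as "no previous scan".
                $this.FirstScan = $true
                $this.isIncFileAlreadyAvailable = $false;
            }
        }

        if(-not $this.FirstScan)
        {
            if($this.isPartialScanActive){
                $latestScan = [datetime]$this.ResourceTimestamps.$resourceType.LastPartialTime
                #to check if full scan is currently in progress, if we dont check this and give -dt switch full scan wont work
                if($this.ResourceTimestamps.$resourceType.IsFullScanInProgress){
                    $this.IsFullScanInProgress = $true
                }
                else{
                    $this.IsFullScanInProgress = $false
                }
            }
            else
            {
                $latestScan = [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime
                $this.IsFullScanInProgress = $false
            }
            $this.LastFullScan = [datetime]$this.ResourceTimestamps.$resourceType.LastFullScanTime
        }
        if($this.IncrementalDate -ne 0)
        {
            # user input of incremental date to be used for scanning incrementally.
            $latestScan = $this.IncrementalDate
            if($this.ScanSource -eq 'CA'){
                # In CA the supplied date is interpreted as Asia/Kolkata local time and converted to UTC.
                $FromTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById("Asia/Kolkata")
                $latestScan = [DateTime]::SpecifyKind((Get-Date $latestScan), [DateTimeKind]::Unspecified)
                $latestScan = [System.TimeZoneInfo]::ConvertTimeToUtc($latestScan, $FromTimeZone)
            }
        }
        return $latestScan
    }

    # Updates timestamp of current scan to storage, based on scan source.
    # Does nothing when UpdateTime is false or a partial scan is active.
    # Relies on state (FirstScan, ResourceTimestamps, storage objects) left behind by a
    # preceding GetThresholdTime() call for the same resource type.
    UpdateTimeStamp([string] $resourceType)
    {
        if($this.UpdateTime -ne $true)
        {
            return;
        }
        if($this.isPartialScanActive){
            return;
        }
        if($this.ScanSource -ne "CA" -and $this.ScanSource -ne "CICD")
        {
            if($this.FirstScan -eq $true)
            {
                # Check if file exists
                if((-not (Test-Path ($this.AzSKTempStatePath))) -or (-not (Test-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName))) -or (-not (Test-Path $this.MasterFilePath)))
                {
                    # Incremental Scan happening first time locally OR Incremental Scan happening first time for Org OR first time for current Project
                    New-Item -Type Directory -Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.ProjectName) -ErrorAction Stop | Out-Null
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                    $resourceScanTimes = [IncrementalTimeStampsResources]@{
                        LastScanTime = $this.Timestamp;
                        LastFullScanTime = $this.Timestamp;
                        LastPartialTime = "0001-01-01T00:00:00.0000000";
                        IsFullScanInProgress = $false
                    }
                    $this.ResourceTimestamps.$resourceType = $resourceScanTimes
                    [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force
                }
                else
                {
                    # File exists for Organization and Project but first time scan for current resource type
                    $this.ResourceTimestamps = Get-ChildItem -Path $this.MasterFilePath -Force | Get-Content | ConvertFrom-Json
                    $resourceScanTimes = [IncrementalTimeStampsResources]@{
                        LastScanTime = $this.Timestamp;
                        LastFullScanTime = $this.Timestamp;
                        LastPartialTime = "0001-01-01T00:00:00.0000000";
                        IsFullScanInProgress = $false
                    }
                    $this.ResourceTimestamps.$resourceType = $resourceScanTimes
                    [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force
                }
            }
            else
            {
                # Not a first time scan for the current resource
                $this.ResourceTimestamps = Get-ChildItem -Path $this.MasterFilePath -Force | Get-Content | ConvertFrom-Json
                $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime;
                $this.ResourceTimestamps.$resourceType.LastPartialTime= $previousScanTime
                if($this.IsFullScanInProgress -eq $false){
                    $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false
                }
                #if old scan, we trigger full scan, store full scan value, also reset upc scan time
                if($this.ShouldDiscardOldScan){
                    $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp
                    $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000";
                    $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true
                }
                $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp
                [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force
            }
        }
        elseif ($this.ScanSource -eq 'CA')
        {
            $tempPath = Join-Path $([Constants]::AzSKAppFolderPath) $this.CATempFile
            $blobPath = Join-Path (Join-Path (Join-Path "IncrementalScan" $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile
            if ($this.FirstScan -eq $true)
            {
                # Check if container object does not exist
                if($null -eq $this.ContainerObject)
                {
                    # Container does not exist, create container.
                    $this.ContainerObject = New-AzStorageContainer -Name $this.CAScanProgressSnapshotsContainerName -Context $this.StorageContext -ErrorAction SilentlyContinue
                    if ($null -eq $this.ContainerObject )
                    {
                        # This class has no base class and defines no PublishCustomMessage method, so the
                        # original call would itself fail at runtime; report the warning directly instead.
                        Write-Host "Could not find/create partial scan container in storage." -ForegroundColor Yellow
                    }
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                if($null -eq $this.ControlStateBlob)
                {
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                else
                {
                    Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force
                    $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json
                    #Delete the local file
                    Remove-Item -Path $tempPath
                }
                $resourceScanTimes = [IncrementalTimeStampsResources]@{
                    LastScanTime = $this.Timestamp;
                    LastFullScanTime = $this.Timestamp;
                    LastPartialTime = "0001-01-01T00:00:00.0000000";
                    IsFullScanInProgress = $false
                }
                $this.ResourceTimestamps.$resourceType = $resourceScanTimes
                [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $tempPath -Force
                Set-AzStorageBlobContent -File $tempPath -Container $this.ContainerObject.Name -Blob $blobPath -Context $this.StorageContext -Force
                Remove-Item -Path $tempPath
            }
            else
            {
                Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force
                $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json
                $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime;
                $this.ResourceTimestamps.$resourceType.LastPartialTime = $previousScanTime
                if($this.IsFullScanInProgress -eq $false){
                    $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false
                }
                if($this.ShouldDiscardOldScan){
                    $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp
                    $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000";
                    $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true
                }
                # Delete the local file
                Remove-Item -Path $tempPath
                $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp
                [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $tempPath -Force
                Set-AzStorageBlobContent -File $tempPath -Container $this.ContainerObject.Name -Blob $blobPath -Context $this.StorageContext -Force
                Remove-Item -Path $tempPath
            }
        }
        elseif($this.ScanSource -eq 'CICD'){
            $incrementalScanPayload = $null
            if($this.FirstScan -eq $true){
                #first scan for the pipeline for all resources
                if($this.isIncFileAlreadyAvailable -eq $false){
                    $this.ResourceTimestamps = [IncrementalScanTimestamps]::new()
                }
                #will be called for both scenarios: first scan for the resource as well as for the entire pipeline
                $resourceScanTimes = [IncrementalTimeStampsResources]@{
                    LastScanTime = $this.Timestamp;
                    LastFullScanTime = $this.Timestamp;
                    LastPartialTime = "0001-01-01T00:00:00.0000000";
                    IsFullScanInProgress = $false
                }
                $this.ResourceTimestamps.$resourceType = $resourceScanTimes
                $incrementalScanPayload = [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps)
            }
            #not a first scan
            else{
                $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime;
                $this.ResourceTimestamps.$resourceType.LastPartialTime= $previousScanTime
                if($this.IsFullScanInProgress -eq $false){
                    $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false
                }
                #if old scan, we trigger full scan, store full scan value, also reset upc scan time
                if($this.ShouldDiscardOldScan){
                    $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp
                    $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000";
                    $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true
                }
                $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp
                $incrementalScanPayload = [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps)
            }
            try{
                $rmContext = [ContextHelper]::GetCurrentContext();
                $user = "";
                $uri = "";
                # NOTE(review): the access token is placed in a Basic Authorization header and sent to
                # whatever URI $env:incrementalScanURI holds. Confirm that variable can only be set by
                # the pipeline task and always names an https endpoint of the expected service.
                $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken)))
                $body = "";
                if (Test-Path env:incrementalScanURI)
                {
                    $uri = $env:incrementalScanURI
                    # The job id is the second-to-last segment once '?' is treated as a path separator.
                    # (The original indexed with an empty string's Length - 2, which is the same -2.)
                    $JobId = $uri.Replace('?','/').Split('/')[-2]
                    #if the incremental scan is already present need to update the existing file
                    if ($this.FirstScan -eq $false -or $this.isIncFileAlreadyAvailable -eq $true){
                        $body = @{"id" = $Jobid; "__etag"=-1; "value"= $incrementalScanPayload;} | ConvertTo-Json
                    }
                    else{
                        $body = @{"id" = $Jobid; "value"= $incrementalScanPayload;} | ConvertTo-Json
                    }
                }
                else
                {
                    # OrganizationName is the property this class defines (OrgName does not exist).
                    $uri = [Constants]::StorageUri -f $this.OrganizationName, $this.OrganizationName, "IncrementalScanFile"
                    if ($this.FirstScan -eq $false -or $this.isIncFileAlreadyAvailable -eq $true){
                        $body = @{"id" = "IncrementalScanFile";"__etag"=-1; "value"= $incrementalScanPayload;} | ConvertTo-Json
                    }
                    else{
                        $body = @{"id" = "IncrementalScanFile"; "value"= $incrementalScanPayload;} | ConvertTo-Json
                    }
                }
                $webRequestResult = Invoke-WebRequest -Uri $uri -Method Put -ContentType "application/json" -Headers @{Authorization = ("Basic {0}" -f $base64AuthInfo) } -Body $body
            }
            catch{
                Write-Host "Error updating Incremental Scan file: $($_)"
            }
        }
    }

    # Returns $true when the last full scan of $resourceType is older than
    # ControlSettings.IncrementalScan.IncrementalScanValidForDays; $false on a first scan.
    # Calls GetThresholdTime() to refresh FirstScan/LastFullScan first.
    [bool] IsIncScanOld($resourceType){
        $this.GetThresholdTime($resourceType)
        if($this.FirstScan){
            return $false;
        }
        if($this.LastFullScan.AddDays($this.ControlSettings.IncrementalScan.IncrementalScanValidForDays) -lt [DateTime]::UtcNow){
            return $true;
        }
        return $false;
    }

    # Decides whether stale incremental state should be discarded in favour of a full scan.
    # An old scan is discarded unless the invoking command was given -Force.
    # The result is also stored in ShouldDiscardOldScan for UpdateTimeStamp().
    [bool] ShouldDiscardOldIncScan($resourceType){
        $this.ShouldDiscardOldScan = $false
        if($this.IsIncScanOld($resourceType)){
            if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Force')){
                $this.ShouldDiscardOldScan = $false
            }
            else{
                $this.ShouldDiscardOldScan = $true
            }
        }
        return $this.ShouldDiscardOldScan;
    }

    # Function to filter builds that have been modified after threshold time.
    # The binary search relies on $buildDefnsObj being ordered newest-first by createdDate
    # (assumption taken from the in-code comments - TODO confirm against the caller).
    [System.Object[]] GetModifiedBuilds($buildDefnsObj)
    {
        $latestBuildScan = $this.GetThresholdTime("Build")
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0)
        {
            $this.UpdateTimeStamp("Build")
            return $buildDefnsObj
        }
        #if inc scan last time is 0 or if this is a full scan partial checkpoint, return all builds
        if($this.isPartialScanActive -and ($latestBuildScan -eq 0 -or $this.IsFullScanInProgress)){
            return $buildDefnsObj
        }
        #if scan is old and no upc file found, simply return all builds, update scan time for full scans and last scan
        if($this.ShouldDiscardOldIncScan('Build') -and -not($this.isPartialScanActive)){
            $this.UpdateTimeStamp("Build")
            return $buildDefnsObj
        }
        $newBuildDefns = @()
        if ([datetime] $buildDefnsObj[0].createdDate -lt $latestBuildScan)
        {
            # first resource is modified before the threshold time => all consequent are also modified before threshold
            # return empty list
            $this.UpdateTimeStamp("Build")
            return $newBuildDefns
        }
        #Binary search
        [int] $low = 0 # start index of array
        [int] $high = $buildDefnsObj.length - 1 # last index of array
        [int] $size = $buildDefnsObj.length # total length of array
        [int] $breakIndex = 0
        while($low -le $high)
        {
            [int] $mid = ($low + $high)/2 # seeking the middle of the array
            [datetime] $modifiedDate = [datetime]($buildDefnsObj[$mid].createdDate)
            if($modifiedDate -ge $latestBuildScan)
            {
                # modified date is after the threshold time
                if(($mid + 1) -eq $size)
                {
                    # all fetched build defs are modified after threshold time
                    # return unmodified
                    $this.UpdateTimeStamp("Build")
                    return $buildDefnsObj
                }
                else
                {
                    # mid point is not the last build defn
                    if([datetime]($buildDefnsObj[$mid+1].createdDate) -lt $latestBuildScan)
                    {
                        # changing point found
                        $breakIndex = $mid
                        break
                    }
                    else
                    {
                        # search on right half
                        $low = $mid + 1
                    }
                }
            }
            elseif ($modifiedDate -lt $latestBuildScan)
            {
                if($mid -eq 0)
                {
                    # All fetched builds have been modified before the threshold
                    return $newBuildDefns
                }
                else
                {
                    if([datetime]($buildDefnsObj[$mid - 1].createdDate) -ge $latestBuildScan)
                    {
                        # changing point found
                        $breakIndex = $mid - 1
                        break
                    }
                    else
                    {
                        # search on left half
                        $high = $mid - 1
                    }
                }
            }
        }
        $newBuildDefns = @($buildDefnsObj[0..$breakIndex])
        $this.UpdateTimeStamp("Build")
        return $newBuildDefns
    }

    # Returns the release definitions whose modifiedOn is at or after the threshold time,
    # or all of them on a first scan, during a full-scan checkpoint, or when the old scan is discarded.
    [System.Object[]] GetModifiedReleases($releaseDefnsObj)
    {
        $latestReleaseScan = $this.GetThresholdTime("Release")
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0)
        {
            $this.UpdateTimeStamp("Release")
            return $releaseDefnsObj
        }
        if($this.isPartialScanActive -and ($latestReleaseScan -eq 0 -or $this.IsFullScanInProgress)){
            return $releaseDefnsObj
        }
        if($this.ShouldDiscardOldIncScan('Release')){
            $this.UpdateTimeStamp("Release")
            return $releaseDefnsObj
        }
        $newReleaseDefns = @()
        # Searching Linearly
        foreach ($releaseDefn in $releaseDefnsObj)
        {
            if ([datetime]($releaseDefn.modifiedOn) -ge $latestReleaseScan)
            {
                $newReleaseDefns += @($releaseDefn)
            }
        }
        $this.UpdateTimeStamp("Release")
        return $newReleaseDefns
    }

    #Get all resources attested after the latest scan
    # Returns resource ids (the part of ResourceId after "<resourcetype>/") whose AttestedDate is
    # later than the threshold. Returns an empty array unless -ScanAttestedResources was passed.
    [System.Object[]] GetAttestationAfterInc($projectName, $resourceType){
        $resourceIds = @();
        #if parameter not specified, wont be fetching these resources
        if(-not($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanAttestedResources'))){
            return $resourceIds
        }
        $latestResourceScan = $this.GetThresholdTime($resourceType)
        if($this.ScanSource -ne 'CA'){
            $latestResourceScan=$latestResourceScan.ToUniversalTime();
        }
        $latestResourceScan =Get-Date $latestResourceScan -Format s
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            return $resourceIds;
        }
        [ControlStateExtension] $ControlStateExt = [ControlStateExtension]::new($this.OrganizationContext, $PSCmdlet.MyInvocation);
        $output = $ControlStateExt.RescanComputeControlStateIndexer($projectName, 'ADO.'+$resourceType);
        $output | ForEach-Object {
            if($_.AttestedDate -gt $latestResourceScan){
                try {
                    $resourceIds += ($_.ResourceId -split ($resourceType.ToLower() + "/"))[1]
                }
                catch {
                    # Entries whose ResourceId does not contain "<resourcetype>/" are skipped.
                }
            }
        }
        return $resourceIds
    }

    # Queries the organization audit log from the threshold time onward and returns the ids of
    # build definitions on which a permission listed in ControlSettings.Build.RestrictedBroaderGroupsForBuild
    # was changed for one of the restricted broader groups.
    [System.Object[]] GetAuditTrailsForBuilds(){
        $latestBuildScan = $this.GetThresholdTime("Build")
        if($this.ScanSource -ne 'CA'){
            $latestBuildScan=$latestBuildScan.ToUniversalTime();
        }
        $latestBuildScan =Get-Date $latestBuildScan -Format s
        $buildIds = @();
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            return $buildIds;
        }
        $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestBuildScan
        try
        {
            $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl);
            $auditTrails = $response.decoratedAuditLogEntries;
            $modifiedBuilds = $auditTrails | Where-Object {$_.actionId -eq 'Security.ModifyPermission' -and $_.data.NamespaceName -eq 'Build' -and $_.data.Token -match $this.ProjectId+"/" }
            $restrictedBroaderGroups = @{}
            $broaderGroups = $this.ControlSettings.Build.RestrictedBroaderGroupsForBuild
            $broaderGroups.psobject.properties | foreach { $restrictedBroaderGroups[$_.Name] = $_.Value }
            $modifiedBuilds | foreach {
                $group = ($_.data.SubjectDisplayName -split("\\"))[1]
                if($group -in $restrictedBroaderGroups.keys ){
                    if($_.data.ChangedPermission -in $restrictedBroaderGroups[$group]){
                        $buildIds += (($_.data.Token -split("/"))[-1])
                    }
                }
            }
            $buildIds = $buildIds | Select -Unique
        }
        catch
        {
            # Previously swallowed silently. A failed audit query means builds whose permissions
            # changed since the last scan are left out of this incremental scan, so make it visible.
            Write-Host "Could not read audit log for Build permission changes; affected builds may be skipped by this incremental scan: $($_)"
        }
        return $buildIds;
    }

    # Fetches the build definitions for the given ids (in batches of up to 100 ids per request)
    # and returns those whose CreatedDate is earlier than the threshold time.
    [System.Object[]] GetModifiedBuildsFromAudit($buildIds, $projectName){
        $totalBuilds = $buildIds.Count
        $buildDefnObj =@()
        $newBuildDefns = @();
        $queryIdCount = 0;
        $currentbuildIds = ""
        $buildIds | foreach {
            if($totalBuilds -lt 100){
                $queryIdCount++;
                $currentbuildIds=$currentbuildIds+$_+","
                if($queryIdCount -eq $totalBuilds){
                    $buildDefnURL = "https://{0}.visualstudio.com/{1}/_apis/build/definitions?definitionIds={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentbuildIds;
                    try {
                        $buildDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($buildDefnURL));
                    }
                    catch {
                        # NOTE(review): a failed batch is dropped without any message, so those
                        # definitions are not rescanned in this run.
                    }
                }
            }
            else {
                $queryIdCount++;
                $currentbuildIds=$currentbuildIds+$_+",";
                if($queryIdCount -eq 100){
                    $buildDefnURL = "https://{0}.visualstudio.com/{1}/_apis/build/definitions?definitionIds={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentbuildIds;
                    try {
                        $buildDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($buildDefnURL));
                        $queryIdCount =0;
                        $currentbuildIds="";
                        $totalBuilds -=100;
                    }
                    catch {
                        # NOTE(review): the counters are only reset on success, so after one failed
                        # request $queryIdCount never equals 100 again and later ids are not fetched.
                    }
                }
            }
        }
        $latestBuildScan = $this.GetThresholdTime("Build");
        foreach ($buildDefn in $buildDefnObj)
        {
            if ([Helpers]::CheckMember($buildDefn,'CreatedDate') -and [datetime]($buildDefn.CreatedDate) -lt $latestBuildScan)
            {
                $newBuildDefns += @($buildDefn)
            }
        }
        return $newBuildDefns;
    }

    # Release counterpart of GetAuditTrailsForBuilds(): uses the 'ReleaseManagement' namespace and
    # ControlSettings.Release.RestrictedBroaderGroupsForRelease.
    [System.Object[]] GetAuditTrailsForReleases(){
        $latestReleaseScan = $this.GetThresholdTime("Release");
        if($this.ScanSource -ne 'CA'){
            $latestReleaseScan=$latestReleaseScan.ToUniversalTime();
        }
        $latestReleaseScan = Get-Date $latestReleaseScan -Format s
        $releaseIds = @();
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            return $releaseIds;
        }
        $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestReleaseScan
        try
        {
            $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl);
            $auditTrails = $response.decoratedAuditLogEntries;
            $modifiedReleases = $auditTrails | Where-Object {$_.actionId -eq 'Security.ModifyPermission' -and $_.data.NamespaceName -eq 'ReleaseManagement' -and $_.data.Token -match $this.ProjectId+"/" }
            $restrictedBroaderGroups = @{}
            $broaderGroups = $this.ControlSettings.Release.RestrictedBroaderGroupsForRelease
            $broaderGroups.psobject.properties | foreach { $restrictedBroaderGroups[$_.Name] = $_.Value }
            $modifiedReleases| foreach {
                $group = ($_.data.SubjectDisplayName -split("\\"))[1]
                if($group -in $restrictedBroaderGroups.keys ){
                    if($_.data.ChangedPermission -in $restrictedBroaderGroups[$group]){
                        $releaseIds += (($_.data.Token -split("/"))[-1])
                    }
                }
            }
            $releaseIds = $releaseIds | Select -Unique
        }
        catch
        {
            # Previously swallowed silently; see GetAuditTrailsForBuilds for why this is surfaced.
            Write-Host "Could not read audit log for Release permission changes; affected releases may be skipped by this incremental scan: $($_)"
        }
        return $releaseIds;
    }

    # Release counterpart of GetModifiedBuildsFromAudit(): fetches definitions by id in batches
    # and returns those whose modifiedOn is earlier than the threshold time.
    [System.Object[]] GetModifiedReleasesFromAudit($releaseIds, $projectName){
        $totalReleases = $releaseIds.Count
        $newReleaseDefns = @();
        $releaseDefnObj =@()
        $queryIdCount = 0;
        $currentReleaseIds = ""
        $releaseIds | foreach {
            if($totalReleases -lt 100){
                $queryIdCount++;
                $currentReleaseIds=$currentReleaseIds+$_+","
                if($queryIdCount -eq $totalReleases){
                    $releaseDefnURL = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions?definitionIdFilter={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentReleaseIds;
                    try {
                        $releaseDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($releaseDefnURL));
                    }
                    catch {
                        # NOTE(review): a failed batch is dropped without any message.
                    }
                }
            }
            else {
                $queryIdCount++;
                $currentReleaseIds=$currentReleaseIds+$_+",";
                if($queryIdCount -eq 100){
                    $releaseDefnURL = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions?definitionIdFilter={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentReleaseIds;
                    try {
                        $releaseDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($releaseDefnURL));
                        $queryIdCount =0;
                        $currentReleaseIds="";
                        $totalReleases -=100;
                    }
                    catch {
                        # NOTE(review): counters are only reset on success; see GetModifiedBuildsFromAudit.
                    }
                }
            }
        }
        $latestReleaseScan = $this.GetThresholdTime("Release");
        foreach ($releaseDefn in $releaseDefnObj)
        {
            if ([Helpers]::CheckMember($releaseDefn,'modifiedOn') -and [datetime]($releaseDefn.modifiedOn) -lt $latestReleaseScan)
            {
                $newReleaseDefns += @($releaseDefn)
            }
        }
        return $newReleaseDefns;
    }

    #common function to get modified resource ids from audits for common svts and variable group
    # The audit schema entry for an action is indexed as [0] (filter field or $true) and [1]
    # (name of the data field holding the resource identifier), as used below.
    [System.Object[]] GetModifiedCommonSvtAuditTrails($resourceType){
        $resourceIds = @()
        #get last scan of the resources
        $latestScan = $this.GetThresholdTime($resourceType)
        if($this.ScanSource -ne 'CA'){
            $latestScan=$latestScan.ToUniversalTime();
        }
        $latestScan = Get-Date $latestScan -Format s
        $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestScan
        try
        {
            $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl);
            $auditTrails = $response.decoratedAuditLogEntries;
            #get modified resources from filter
            $modifiedResources = $this.GetModifiedResourcesFilter($resourceType,$auditTrails)
            $modifiedResources | foreach {
                #extract resource ids from modified resources
                $resourceIds+=($_.data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]) -split("/"))[-1]
                if($resourceType -eq "GitRepositories"){
                    #to handle events of permission changes on branches
                    # NOTE(review): the trailing [-1] binds to the ("/") separator, not to the split
                    # result, so every path segment is appended here - confirm this is intended.
                    $resourceIds+=(($_.data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]) -split("/refs"))[0]) -split("/")[-1]
                    #to handle events of new repository creation
                    $resourceIds+=($_.data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]) -split("\."))[-1]
                }
            }
            $resourceIds = $resourceIds | Select -Unique
        }
        catch
        {
            # Previously swallowed silently. With no ids from the audit log, resources changed since
            # the last scan can be left out of this incremental scan, so make the failure visible.
            Write-Host "Could not read audit log for $resourceType changes; modified resources may be skipped by this incremental scan: $($_)"
        }
        return $resourceIds
    }

    #function to filter audits according to resource type
    # Keeps audit entries whose actionId is listed in the schema for $resourceType and whose
    # schema filter is either $true or names a data field equal to the expected resource type.
    [System.Object[]] GetModifiedResourcesFilter($resourceType,$auditTrails){
        $resourceTypeInFilter = $resourceType
        #in case of secure file and variable group the resource type in audits is library, for other resources the name is same
        if($resourceType -eq "SecureFile" -or $resourceType -eq "VariableGroup"){
            $resourceTypeInFilter = "Library"
        }
        if($resourceType -eq "GitRepositories"){
            $resourceTypeInFilter = "Git Repositories"
        }
        $modifiedResources = $auditTrails | Where-Object {$_.actionId -in [IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.PSObject.Properties.Name -and
            ([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0] -eq $true -or( $_.Data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0]) -eq $resourceTypeInFilter -or
            $_.Data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0]) -eq "repository" -or
            $_.Data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0]) -eq $resourceType))}
        return $modifiedResources
    }

    #function to get modified resources
    # Filters $response (the full API listing for $resourceType) down to resources that the audit
    # log, attestation data or the schema's ApiResponseFilter date field mark as changed since the
    # threshold. Returns the whole $response on a first scan, during a full-scan checkpoint, or
    # when the old incremental state is discarded.
    [System.Object[]] GetModifiedCommonSvtFromAudit($resourceType,$response){
        # Keep the datetime for the zero check below: the formatted string never equals 0, so the
        # original "last scan is 0" test on the string could not succeed.
        $latestScanTime = $this.GetThresholdTime($resourceType)
        $latestScan =Get-Date $latestScanTime -Format s
        #$response = [WebRequestHelper]::InvokeGetWebRequest($url);
        #if this a first scan return all resources
        if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){
            $this.UpdateTimeStamp($resourceType)
            return $response
        }
        #if partial scan is active and last scan is 0 or this is a full scan in progress return all resources
        if($this.isPartialScanActive -and ($latestScanTime -eq 0 -or $this.IsFullScanInProgress)){
            return $response
        }
        #if this is a old scan return all resources
        if($this.ShouldDiscardOldIncScan($resourceType)){
            $this.UpdateTimeStamp($resourceType)
            return $response
        }
        #get ids from above functions
        $modifiedResourceIds = @($this.GetModifiedCommonSvtAuditTrails($resourceType));
        if($resourceType -eq "GitRepositories"){
            $modifiedResourceIdsFromAttestation = @($this.GetAttestationAfterInc($this.ProjectName,"Repository"))
        }
        else{
            $modifiedResourceIdsFromAttestation = @($this.GetAttestationAfterInc($this.ProjectName,$resourceType))
        }
        $modifiedResourceIds = @($modifiedResourceIds + $modifiedResourceIdsFromAttestation | select -uniq)
        $modifiedResources = @()
        #if we get some ids from audit trails add them to modified resource obj
        if($modifiedResourceIds.Count -gt 0 -and $null -ne $modifiedResourceIds[0]){
            #filter all ids from audit trails in the api response
            $modifiedResources = @($response | Where-Object{$modifiedResourceIds -contains $_.id})
            #to capture events that dont come in audits but is reflected in api responses such as new resource created, properties of resources edited etc.
            if([Helpers]::CheckMember([IncrementalScanHelper]::auditSchema.$resourceType, "ApiResponseFilter")){
                $modifiedResources +=$response | Where-Object{$modifiedResourceIds -notcontains $_.id -and [datetime]($_.([IncrementalScanHelper]::auditSchema.$resourceType.ApiResponseFilter)) -gt $latestScan}
            }
        }
        #in case no ids were obtained from audits check from response for corresponding api response filter if present
        else{
            if([Helpers]::CheckMember([IncrementalScanHelper]::auditSchema.$resourceType, "ApiResponseFilter")){
                $modifiedResources += $response | Where-Object{[datetime]($_.([IncrementalScanHelper]::auditSchema.$resourceType.ApiResponseFilter)) -gt $latestScan}
            }
        }
        $this.UpdateTimeStamp($resourceType)
        return $modifiedResources
    }

    # Sets the project id and organization context after construction (needed by the audit
    # filters and by GetAttestationAfterInc when the name-based constructor was used).
    [void] SetContext($projectId,$organizationContext){
        $this.ProjectId = $projectId
        $this.OrganizationContext = $organizationContext
    }
}

# NOTE(review): the Authenticode signature below covers the exact original bytes of this script;
# any edit invalidates it, so the file must be re-signed before it is distributed or run under
# an AllSigned execution policy.
# SIG # Begin signature block # MIInogYJKoZIhvcNAQcCoIInkzCCJ48CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDu0RnMQpTI+qM0 # h0LTH/dgIIVOYsJ8iDSKXQeNVLNl26CCDYUwggYDMIID66ADAgECAhMzAAACzfNk # v/jUTF1RAAAAAALNMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjIwNTEyMjA0NjAyWhcNMjMwNTExMjA0NjAyWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDrIzsY62MmKrzergm7Ucnu+DuSHdgzRZVCIGi9CalFrhwtiK+3FIDzlOYbs/zz # HwuLC3hir55wVgHoaC4liQwQ60wVyR17EZPa4BQ28C5ARlxqftdp3H8RrXWbVyvQ # aUnBQVZM73XDyGV1oUPZGHGWtgdqtBUd60VjnFPICSf8pnFiit6hvSxH5IVWI0iO # nfqdXYoPWUtVUMmVqW1yBX0NtbQlSHIU6hlPvo9/uqKvkjFUFA2LbC9AWQbJmH+1 # uM0l4nDSKfCqccvdI5l3zjEk9yUSUmh1IQhDFn+5SL2JmnCF0jZEZ4f5HE7ykDP+ # 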
oiA3Q+fhKCseg+0aEHi+DRPZAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQU0WymH4CP7s1+yQktEwbcLQuR9Zww # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzQ3MDUzMDAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AE7LSuuNObCBWYuttxJAgilXJ92GpyV/fTiyXHZ/9LbzXs/MfKnPwRydlmA2ak0r # GWLDFh89zAWHFI8t9JLwpd/VRoVE3+WyzTIskdbBnHbf1yjo/+0tpHlnroFJdcDS # MIsH+T7z3ClY+6WnjSTetpg1Y/pLOLXZpZjYeXQiFwo9G5lzUcSd8YVQNPQAGICl # 2JRSaCNlzAdIFCF5PNKoXbJtEqDcPZ8oDrM9KdO7TqUE5VqeBe6DggY1sZYnQD+/ # LWlz5D0wCriNgGQ/TWWexMwwnEqlIwfkIcNFxo0QND/6Ya9DTAUykk2SKGSPt0kL # tHxNEn2GJvcNtfohVY/b0tuyF05eXE3cdtYZbeGoU1xQixPZAlTdtLmeFNly82uB # VbybAZ4Ut18F//UrugVQ9UUdK1uYmc+2SdRQQCccKwXGOuYgZ1ULW2u5PyfWxzo4 # BR++53OB/tZXQpz4OkgBZeqs9YaYLFfKRlQHVtmQghFHzB5v/WFonxDVlvPxy2go # a0u9Z+ZlIpvooZRvm6OtXxdAjMBcWBAsnBRr/Oj5s356EDdf2l/sLwLFYE61t+ME # iNYdy0pXL6gN3DxTVf2qjJxXFkFfjjTisndudHsguEMk8mEtnvwo9fOSKT6oRHhM # 9sZ4HTg/TTMjUljmN3mBYWAWI5ExdC1inuog0xrKmOWVMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 
6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # 
gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAALN82S/+NRMXVEAAAAA # As0wDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIHEb # GJPGGbxp2qp+hW8ueI8/dclQYL2yXz7hbt1hdP5CMEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEA6TSoLLsyOaBhSRiq+gykKildXnlkzW0lDKmq # klCxKMdep6h0n2hHARarYJO0oOQd+WzjuqVeZFWPiPIpjQTGvFGhNyDDEtp6gYRr # M4AYOd+ePGCphRp0kfi/Ojqz5sNJbvhMeG2SA0JpAopYTN72Zxe7LjbKC0zeY0/j # aERVrobTSoKGD5Pt6aCcUZqP7UVZqY7JGE2FO+9evLVjvEbbzgZRj2EGMnF1sCit # BxTdVwHTmmadlUKl+AgIZ9PZZpZfLGUd3J9kqigB91M0L01B5rlyRhpgoemOebjb # 9cYuoGcSj5EHCXiN8pMK00WG5DKrL/wRoddNNBfJTKHDwPhLn6GCFv0wghb5Bgor # BgEEAYI3AwMBMYIW6TCCFuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCDUL5eqZkAXcx5gjNPP09lOB6opZAkDZBEY # kaE5bodjPwIGZDfpaRnXGBMyMDIzMDQxNzEwMzAxMS43NTZaMASAAgH0oIHQpIHN # MIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL # ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMg # VFNTIEVTTjozQkJELUUzMzgtRTlBMTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt # U3RhbXAgU2VydmljZaCCEVQwggcMMIIE9KADAgECAhMzAAABxjDNLtbTocD0AAEA # AAHGMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # MB4XDTIyMTEwNDE5MDEzNFoXDTI0MDIwMjE5MDEzNFowgcoxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # 
ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy # aWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjNCQkQtRTMz # OC1FOUExMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIC # IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA770iOr6v4Hk1m3SZj+1BR/iu # ofv+f6eVb7Hc21YxzAzro4G6kKXF47YAsEgrWWT1ogvp0IroFm8CdRZTf/DlQ0fb # NNO9pCA01KJ03zH82Clmk9ze9r1jPJ1ZJaMnsZmAy7VpY9mNqX9dhPvnW1/Zxbbi # Hv7qwwgw9U2ST5mfcpPutsI/Qr/gLC6aTI3UCYziVPZ/Qfag8NQhKkpHZO3Kr5r8 # 3cy7jz4OWPy5M2WitWv5bJJ5rBTW518QPEzFwzq8e8P722CWKZJFjN8etBgsK05g # HeHaN9kmlpYJJL84v9JiaX7NFJkORhApEFZiUIaZoLxJt4pcBDzf+WD9UAjRKCrA # seJ/ckzQvOn95X4Ot4asnOuNhcCdcQWcrZoykFmEaoYkrsD7n/4nFFHwJDKUaBYZ # ZLwPj7ux48S1Ye+cMccMxdRSjuoG4rqJqpEd6gzfz239v36L+LtOlQhfL5cnclhN # SWdmKw1THyekH96RNtOpIE7c+9Tnsv1aE9hphejLOJxfsXTkyw0FIdilc0CP7zzU # sqaCGF2mFXRwL4jfX1RyV7QGKEeOpvGZqQKLHVZbLD32ztW8Lfv99xQ24d/TIxO9 # LReuHsnwotn+8BsCrzu+/24vOcA9Xcpd7kIeW4zmUxhFsv4KCfiqMptZhhMAA0Sq # Duj23cj10smXROLUnhUCAwEAAaOCATYwggEyMB0GA1UdDgQWBBRxX/lHiShECp1n # 2lMa6G1uLvNglDAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNV # HR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Ny # bC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYI # KwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy # MDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0G # CSqGSIb3DQEBCwUAA4ICAQALzF724jXugDU486PMBYR7Cc6aHr2nJDnGsnkqwZYm # jRi28qv6S1Ly772zwm5DI189zgAQ99xhEjW6uYkrX5UrtVu7JUQP6bBBBJ98c28F # AIPIK3fkQNCv2rxRjfQMJSdcwsJeTK7Ld09OuA5hY4PWCBgJpfY71LcaXz3FR8AN # PFX6zcKYbgYOZregtpDub34N0QhR7wc/FcmV+g4I3IdTAoMD2/WI5ZsfKTzBUn/U # 3ApUhNwbOl5YSC+f9S1LStbZLwPzMS+fLPXJUSe7SSvspfSsr/VEe0oQhmaR+5vc # q+7MLw861WBVhYpJ7TB5YBS5ORO9XdIbcpbBFwcHPmb8iZqSIqW9JpgG76+5NQUL # PVzZ75z5W2R5ZiyQktiHpMwjX2OO29Z8+nTw2tOsVCcwzH9LoELedv3PjcpbwOyL # jtm1T4XHYd3qbd9DXoBjNYkSjdi37pNp58u+rITltLKOjjQCJwj1FpnuBY825B5C # 
0uC/NYESEKsTicEjhS/4ujBXLcNGDhVBl2vHE6qY/YW4ky1vcypvUrsG81gpv2+8 # /ihOwg4wTLO7XqikeIiU3ZWAUAoOpTl14tedQqxbHTDveJYR3OU0yKB2xwf87EWC # Ab0CJimhDmyQaKEvSV0fLW9iVyI0wYcG4V2aVN6TrZ4mr+ffaqDQD9F+HpPhP0pl # AzCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQEL # BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV # BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X # DTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM # 57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm # 95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzB # RMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBb # fowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCO # Mcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYw # XE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW # /aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/w # EPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPK # Z6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2 # BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfH # CBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYB # BAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8v # BO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYM # KwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEF # BQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW # BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # 
bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH # AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp # L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsF # AAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518Jx # Nj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+ # iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2 # pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefw # C2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7 # T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFO # Ry3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhL # mm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3L # wUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5 # m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE # 0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIB # ATCB+KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UE # CxMdVGhhbGVzIFRTUyBFU046M0JCRC1FMzM4LUU5QTExJTAjBgNVBAMTHE1pY3Jv # c29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAC01yuYmIVvs # okSacJmWe8Mu2QFtoIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw # MTAwDQYJKoZIhvcNAQEFBQACBQDn5wTNMCIYDzIwMjMwNDE3MDczNTQxWhgPMjAy # MzA0MTgwNzM1NDFaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOfnBM0CAQAwBwIB # AAICB4swBwIBAAICEdIwCgIFAOfoVk0CAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYK # KwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUF # AAOBgQADKhMRGOcYnVjciI+hXyA8NoKu5w/hrXjtdET80gUYJB8q7ReDcKp5b/iE # V8sK2dteyoGQE55AAsGXZFUtQwMwt9AMCCuhwlbqmfp80Xbwc+RutTXDl++laVdT # 4GA13A5JExhwFrTilInnR40CMxtdGAYnuzTKeV1HWonkTFnigjGCBA0wggQJAgEB # 
MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABxjDNLtbTocD0 # AAEAAAHGMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN # AQkQAQQwLwYJKoZIhvcNAQkEMSIEINeVQgxryn2OHfvIQ5I6ZLqLOsfFeXEoBpEL # PlL8BsQaMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgVjETXFXJvZgpxiZq # k/BwDWA5Pxw6hehULpkFr9rjry0wgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt # cCBQQ0EgMjAxMAITMwAAAcYwzS7W06HA9AABAAABxjAiBCDqJ7opBkv+nXYyFbtv # Gw6nchJaaHgtUOvvW3EtgfcRZjANBgkqhkiG9w0BAQsFAASCAgC25+ICRIcWV9zy # 0FP/L+yKcFKbVb0agux5RmXOv2rq9JKteymr0TEnpGshnxZF+7rlXIqW1ZCl5Ac+ # V2mNxpW5ntrDvBAw7qtErCdXA7vr804Avm9o1aJ1nVCR8TKZJA1e5W2F4zk5BaQ8 # ZXijo1ux+4X7HKi+mX1bBr0UJ5tlP9u+o1rNsvUAK+lO1VqfLwshKWMU2RigNtVN # cZHgXqKfFxHhqXCMno/dd6QhPzTCYBb8GMxtDyqGeskpygjYZ9MjXMoZ4zv0phhF # KALsY1qr/FdA+UOP/jcxT4ZAgdnwRP8g5s5VyfL87+5grR2uII6/SP8v+cYDTo5G # jA0ng2lFHWaYY+wQoIM2Dw/tNGImlrnftw8OY8SQBi7/BsFWl75mLdyT+ah2zdr2 # LgfBrv235f5lo6y3aXlNdIaUu0BSAbMcmn6NHaa/p8ylT6oD250J9GMljMrvXD5A # K1O/jCLpEvZeo0P6rMt3t3zKhN/tTN1dB1qcGC/PudTOzFUBnnRQGVS75aipjYAF # hIEX0A30ExcqUR+N0qi15ne4q3ZQE/YUrtKCCWIvTMg90FzE6fu36WAwGl81MRY4 # u1871BlwvmcjHDqjXw6lD/y6pfFQXTqOEUoMPbYsunkIjUZgZ1TwMq+3j+9DRueA # IhSlviYl0EVSvLzkL8YKG4Ru4yJZHA== # SIG # End signature block |