Framework/Abstracts/ServicesSecurityStatus.ps1
Set-StrictMode -Version Latest class ServicesSecurityStatus: ADOSVTCommandBase { [SVTResourceResolver] $Resolver = $null; [bool] $IsPartialCommitScanActive = $false; [System.Diagnostics.Stopwatch] $StopWatch [Datetime] $ScanStart [Datetime] $ScanEnd [bool] $IsAIEnabled = $false; [bool] $IsBugLoggingEnabled = $false; [bool] $IsSarifEnabled = $false; $ActualResourcesPerRsrcType = @(); # Resources count based on resource type . This count is evaluated before comparison with resource tracker file. [bool] $IsControlFixCommand = $false; [string] $controlInternalId; [bool] $IsBatchScan=$false; ServicesSecurityStatus([string] $organizationName, [InvocationInfo] $invocationContext, [SVTResourceResolver] $resolver): Base($organizationName, $invocationContext) { if(-not $resolver) { throw [System.ArgumentException] ("The argument 'resolver' is null"); } $this.Resolver = $resolver; $this.Resolver.LoadResourcesForScan(); #If resource scan count is more than allowed foe scan (>1000) then stopping scan and returning. if (!$this.Resolver.SVTResources) { return; } $this.ActualResourcesPerRsrcType = $this.Resolver.SVTResources | Group-Object -Property ResourceType |select-object Name, Count $this.UsePartialCommits = $invocationContext.BoundParameters["UsePartialCommits"]; $this.IsBatchScan = $invocationContext.BoundParameters["BatchScan"]; #BaseLineControlFilter with control ids $this.UseBaselineControls = $invocationContext.BoundParameters["UseBaselineControls"]; $this.UsePreviewBaselineControls = $invocationContext.BoundParameters["UsePreviewBaselineControls"]; if ([RemoteReportHelper]::IsAIOrgTelemetryEnabled()) { $this.IsAIEnabled = $true; } if($invocationContext.BoundParameters["AutoBugLog"] -or $invocationContext.BoundParameters["AutoCloseBugs"]){ $this.IsBugLoggingEnabled = $true; } if($invocationContext.BoundParameters["ALTControlEvaluationMethod"]) { [IdentityHelpers]::ALTControlEvaluationMethod = $invocationContext.BoundParameters["ALTControlEvaluationMethod"] } if($invocationContext.BoundParameters["GenerateSarifLogs"]){ $this.IsSarifEnabled = $true; } [PartialScanManager]::ClearInstance(); $this.BaselineFilterCheck(); $this.UsePartialCommitsCheck(); } #Contructor for Set-AzSKADOSecurityStatus command ServicesSecurityStatus([string] $organizationName, [string] $projectName, [InvocationInfo] $invocationContext, [SVTResourceResolver] $resolver, [string] $ControlId): Base($organizationName, $invocationContext) { $this.IsControlFixCommand = $true $this.FilterTags = "AutomatedFix" $this.MapTagsToControlIds(); if ($this.ControlIds.Count -gt 0) { $this.Resolver = $resolver; $this.Resolver.FetchControlFixBackupFile($organizationName, $projectName, $this.controlInternalId); if ([ControlHelper]::ControlFixBackup.Count -eq 0) { break; } $this.Resolver.LoadResourcesForScan(); if (!$this.Resolver.SVTResources) { return; } else { if (-not $invocationContext.BoundParameters["Force"]) { $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); $backupLimit = $ControlSettings.AutomatedFix.BackupLimitInDays; $oldBackupResourcesFound = $false # [ControlHelper]::ControlFixBackup now has only relevant data based on this scan's paramaters foreach ($resource in [ControlHelper]::ControlFixBackup) { $dateDiff = New-TimeSpan -Start ([datetime]$resource.date) -End (GET-DATE) if($dateDiff.Days -gt $backupLimit) { $oldBackupResourcesFound = $true break; } } if ($oldBackupResourcesFound) { $this.PublishCustomMessage("`nOne or more resources have backup older than $($backupLimit) days. `nRun Gads with -PrepareForFix parameter to take backup again.`nOr use -Force in the Set-AzSKADOSecurityStatus command to proceed with the same backup.",[MessageType]::Warning); break; } } } $this.UsePartialCommits = $invocationContext.BoundParameters["UsePartialCommits"]; $this.UsePartialCommitsCheck(); } else { $this.PublishCustomMessage("`nControl $($ControlId) does not support automated fix.",[MessageType]::Warning); break; } } hidden [SVTEventContext[]] RunForAllResources([string] $methodNameToCall, [bool] $runNonAutomated, [PSObject] $resourcesList) { $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); $scanSource = [AzSKSettings]::GetInstance().GetScanSource(); if ($Env:AzSKADOUPCSimulate -eq $true) { $ControlSettings.PartialScan.LocalScanUpdateFrequency = $Env:AzSKADOLocalScanUpdateFrequency $ControlSettings.PartialScan.DurableScanUpdateFrequency = $Env:AzSKADODurableScanUpdateFrequency } if ([string]::IsNullOrWhiteSpace($methodNameToCall)) { throw [System.ArgumentException] ("The argument 'methodNameToCall' is null. Pass the reference of method to call. e.g.: [YourClass]::new().YourMethod"); } $this.Severity = $this.ConvertToStringArray($this.Severity) # to handle when no severity is passed in command if($this.Severity) { $this.Severity = [ControlHelper]::CheckValidSeverities($this.Severity); } [SVTEventContext[]] $result = @(); if(($resourcesList | Measure-Object).Count -eq 0) { $this.PublishCustomMessage("No security controls/resources match the input criteria specified. `nPlease rerun the command using a different set of criteria."); return $result; } $this.PublishCustomMessage("Number of resources: $($this.resolver.SVTResourcesFoundCount)"); $automatedResources = @(); $automatedResources += ($resourcesList | Where-Object { $_.ResourceTypeMapping }); <# Resources skipped from scan using excludeResourceName parameter $ExcludedResources=$this.resolver.ExcludedResources ; if(($this.resolver.ExcludeResourceNames| Measure-Object).Count -gt 0) { $this.PublishCustomMessage("One or more resources/resource groups will be excluded from the scan based on exclude flags.") if(-not [string]::IsNullOrEmpty($this.resolver.ExcludeResourceGroupWarningMessage)) { $this.PublishCustomMessage("$($this.resolver.ExcludeResourceGroupWarningMessage)",[MessageType]::Warning) } if(-not [string]::IsNullOrEmpty($this.resolver.ExcludeResourceWarningMessage)) { $this.PublishCustomMessage("$($this.resolver.ExcludeResourceWarningMessage)",[MessageType]::Warning) } $this.PublishCustomMessage("Summary of exclusions: "); $this.PublishCustomMessage(" Resources excluded: $(($ExcludedResources | Measure-Object).Count)(includes RGs,resourcetypenames and explicit exclusions).", [MessageType]::Info); $this.PublishCustomMessage("For a detailed list of excluded resources, see 'ExcludedResources-$($this.RunIdentifier).txt' in the output log folder.") $this.ReportExcludedResources($this.resolver); } #> if($runNonAutomated) { $this.ReportNonAutomatedResources(); } #Begin-perf-optimize for ControlIds parameter #If controlIds are specified filter only to applicable resources #Filter resources based control tags like OwnerAccess, GraphAccess,RBAC, Authz, SOX etc $this.MapTagsToControlIds(); #Filter automated resources based on control ids $automatedResources = $this.MapControlsToResourceTypes($automatedResources) #End-perf-optimize $this.PublishCustomMessage("`nNumber of resources for which security controls will be evaluated: $($automatedResources.Count)",[MessageType]::Info); if ($this.IsAIEnabled) { $this.StopWatch = New-Object System.Diagnostics.Stopwatch #Send Telemetry for actual resource count. This is being done to monitor perf issues in ADOScanner internally if ($this.UsePartialCommits) { $resourceTypeCountHT = @{} foreach ($resType in $this.ActualResourcesPerRsrcType) { $resourceTypeCountHT["$($resType.Name)"] = "$($resType.Count)" } [AIOrgTelemetryHelper]::TrackCommandExecution("Actual Resources Count", @{"RunIdentifier" = $this.RunIdentifier}, $resourceTypeCountHT, $this.InvocationContext); } #Send Telemetry for target resource count (after partial commits has been checked). This is being done to monitor perf issues in ADOScanner internally $resourceTypeCount =$automatedResources | Group-Object -Property ResourceType |select-object Name, Count $resourceTypeCountHT = @{} foreach ($resType in $resourceTypeCount) { $resourceTypeCountHT["$($resType.Name)"] = "$($resType.Count)" } $memoryUsage = [System.Diagnostics.Process]::GetCurrentProcess().PrivateMemorySize64 / [Math]::Pow(10,6) $resourceTypeCountHT += @{MemoryUsageInMB = $memoryUsage} [AIOrgTelemetryHelper]::TrackCommandExecution("Target Resources Count", @{"RunIdentifier" = $this.RunIdentifier}, $resourceTypeCountHT, $this.InvocationContext); } $totalResources = $automatedResources.Count; [int] $currentCount = 0; $childResources = @(); #Declaring null object variable here, will initialize latter. $svtObject = $null; #Declaring $resourceTypesForCommonSVT to store resource types which uses common file. $resourceTypesForCommonSVT = ""; if ([Helpers]::CheckMember($ControlSettings, "ResourceTypesForCommonSVT")) { $resourceTypesForCommonSVT = $ControlSettings.ResourceTypesForCommonSVT } $automatedResources | ForEach-Object { $exceptionMessage = "Exception for resource: [ResourceType: $($_.ResourceTypeMapping.ResourceTypeName)] [ResourceGroupName: $($_.ResourceGroupName)] [ResourceName: $($_.ResourceName)]" try { if ($this.IsAIEnabled) { $this.ScanStart = [DateTime]::UtcNow $this.StopWatch.Restart() } $currentCount += 1; if($totalResources -gt 1) { $this.PublishCustomMessage(" `r`nChecking resource [$currentCount/$totalResources] "); } #Getting class name here from resourcetypemapping $svtClassName = $_.ResourceTypeMapping.ClassName; #Update resource scan retry count in scan snapshot in storage if user partial commit switch is on if($this.UsePartialCommits) { $this.UpdateRetryCountForPartialScan(); } try { $extensionSVTClassName = $svtClassName + "Ext"; $extensionSVTClassFilePath = $null #Check if the extended class of this type is already loaded? if(-not ($extensionSVTClassName -as [type])) { #Check if we know from a previous attempt that this 'type' has not been extended. if ([ConfigurationHelper]::NotExtendedTypes.containsKey($svtClassName)) { $extensionSVTClassFilePath = $null } else { $extensionSVTClassFilePath = [ConfigurationManager]::LoadExtensionFile($svtClassName); if ([string]::IsNullOrEmpty($extensionSVTClassFilePath)) { [ConfigurationHelper]::NotExtendedTypes["$svtClassName"] = $true } } #If $extensionSVTClassFilePath is null => use the built-in type from our module. if([string]::IsNullOrWhiteSpace($extensionSVTClassFilePath)) { #Check if $svtClassName is not common class then create object. #Check if $svtClassName is common class and objec of this class is not already created then on create new object. if ($svtClassName -ne "CommonSVTControls" -or ($svtClassName -eq "CommonSVTControls" -and (!$svtObject -or $svtObject.ResourceContext.ResourceTypeName -notin $resourceTypesForCommonSVT))) { $svtObject = New-Object -TypeName $svtClassName -ArgumentList $this.OrganizationContext.OrganizationName, $_ } else { $svtObject.ResourceId = $_.ResourceId; $svtObject.ResourceContext = [ResourceContext]@{ ResourceGroupName = $_.ResourceGroupName; ResourceName = $_.ResourceName; ResourceType = $_.ResourceTypeMapping.ResourceType; ResourceTypeName = $_.ResourceTypeMapping.ResourceTypeName; ResourceId = $_.ResourceId ResourceDetails = $_.ResourceDetails }; $svtObject.ControlStateExt.resourceName = $_.ResourceName; } } else #Use extended type. { # file has to be loaded here due to scope contraint Write-Warning "########## Loading extended type [$extensionSVTClassName] into memory ##########" . $extensionSVTClassFilePath $svtObject = New-Object -TypeName $extensionSVTClassName -ArgumentList $this.OrganizationContext.OrganizationName, $_ } } else { # Extended type is already loaded. Create an instance of that type. $svtObject = New-Object -TypeName $extensionSVTClassName -ArgumentList $this.OrganizationContext.OrganizationName, $_ } } catch { $this.PublishCustomMessage($exceptionMessage); # Unwrapping the first layer of exception which is added by New-Object function $this.CommandError($_.Exception.InnerException.ErrorRecord); } [SVTEventContext[]] $currentResourceResults = @(); if($svtObject) { $svtObject.RunningLatestPSModule = $this.RunningLatestPSModule; $this.SetSVTBaseProperties($svtObject); $childResources += $svtObject.ChildSvtObjects; $currentResourceResults += $svtObject.$methodNameToCall(); $result += $currentResourceResults; } if([Organization]::InstalledextensionInfo -or [Organization]::SharedextensionInfo -or [Organization]::AutoInjectedExtensionInfo) { # Default value if property 'ExtensionsLastUpdatedInYears' not exist in ControlSettings $years = 2 # Fetching property 'ExtensionsLastUpdatedInYears' from ControlSettings to print in csv column. if([Helpers]::CheckMember($svtObject.ControlSettings, "Organization.ExtensionsLastUpdatedInYears")) { $years = $svtObject.ControlSettings.Organization.ExtensionsLastUpdatedInYears } if ([Organization]::InstalledextensionInfo) { $folderpath=([WriteFolderPath]::GetInstance().FolderPath) + "\$($_.ResourceName)"+"_InstalledExtensionInfo.csv"; $MaxScore = [Organization]::InstalledextensionInfo[0].MaxScore [Organization]::InstalledextensionInfo | Select-Object extensionName,publisherId,KnownPublisher,publisherName,version,@{Name = "Too Old (>$($years)year(s))"; Expression = { $_.TooOld } },@{Name = "LastPublished"; Expression = { $_.lastPublished} },@{Name = "Sensitive Permissions"; Expression = { $_.SensitivePermissions} },@{Name = "NonProd (ExtensionName)"; Expression = { $_.NonProdByName}},@{Name = "NonProd (GalleryFlags) "; Expression = { $_.Preview }},TopPublisher,PrivateVisibility,NoOfInstalls,MarketPlaceAverageRating,@{Name = "Score (Out of $($MaxScore))"; Expression = { $_.Score } } | Export-Csv -Path $folderpath -NoTypeInformation -encoding utf8 #The NoTypeInformation parameter removes the #TYPE information header from the CSV output [Organization]::InstalledExtensionInfo = @() # Clearing the static variable value so that extensioninfo.csv file gets generated only once and when computed during the installed extension control } if ([Organization]::SharedextensionInfo) { $folderpath=([WriteFolderPath]::GetInstance().FolderPath) + "\$($_.ResourceName)"+"_SharedExtensionInfo.csv"; $MaxScore = [Organization]::SharedextensionInfo[0].MaxScore [Organization]::SharedextensionInfo | Select-Object extensionName,publisherId,KnownPublisher,publisherName,version,@{Name = "Too Old (>$($years)year(s))"; Expression = { $_.TooOld } },@{Name = "LastPublished"; Expression = { $_.lastPublished} },@{Name = "Sensitive Permissions"; Expression = { $_.SensitivePermissions} },@{Name = "NonProd (ExtensionName)"; Expression = { $_.NonProdByName}},@{Name = "NonProd (GalleryFlags) "; Expression = { $_.Preview }},TopPublisher,PrivateVisibility,NoOfInstalls,MarketPlaceAverageRating,@{Name = "Score (Out of $($MaxScore))"; Expression = { $_.Score } } | Export-Csv -Path $folderpath -NoTypeInformation -encoding utf8 #The NoTypeInformation parameter removes the #TYPE information header from the CSV output [Organization]::SharedextensionInfo = @() # Clearing the static variable value so that extensioninfo.csv file gets generated only once and when computed during the installed extension control } if ([Organization]::AutoInjectedExtensionInfo) { $folderpath=([WriteFolderPath]::GetInstance().FolderPath) + "\$($_.ResourceName)"+"_AutoInjectedExtensionInfo.csv"; $MaxScore = [Organization]::AutoInjectedExtensionInfo[0].MaxScore [Organization]::AutoInjectedExtensionInfo | Select-Object extensionName,publisherId,KnownPublisher,publisherName,version,@{Name = "Too Old (>$($years)year(s))"; Expression = { $_.TooOld } },@{Name = "LastPublished"; Expression = { $_.lastPublished} },@{Name = "Sensitive Permissions"; Expression = { $_.SensitivePermissions} },@{Name = "NonProd (ExtensionName)"; Expression = { $_.NonProdByName}},@{Name = "NonProd (GalleryFlags) "; Expression = { $_.Preview }},TopPublisher,PrivateVisibility,NoOfInstalls,MarketPlaceAverageRating,@{Name = "Score (Out of $($MaxScore))"; Expression = { $_.Score } } | Export-Csv -Path $folderpath -NoTypeInformation -encoding utf8 #The NoTypeInformation parameter removes the #TYPE information header from the CSV output [Organization]::AutoInjectedExtensionInfo = @() # Clearing the static variable value so that extensioninfo.csv file gets generated only once and when computed during the installed extension control } } $memoryUsage = 0 if(($result | Measure-Object).Count -gt 0 -and $this.UsePartialCommits) { $updateSucceeded = $false if ([system.String]::IsNullOrEmpty($scanSource) -or $scanSource -eq "SDL") { if($currentCount % $ControlSettings.PartialScan.LocalScanUpdateFrequency -eq 0 -or $currentCount -eq $totalResources) { # Update local resource tracker file $this.UpdatePartialCommitFile($false, $result) #If this is a batch scan, update the inventory count and add to tracker if($this.IsBatchScan) { $this.UpdateBatchScanCount($currentCount,$totalResources); } $updateSucceeded = $true } } else{ if($currentCount % $ControlSettings.PartialScan.DurableScanUpdateFrequency -eq 0 -or $currentCount -eq $totalResources) { # Update durable resource tracker file $this.UpdatePartialCommitFile($true, $result) $updateSucceeded = $true } } if ($updateSucceeded) { [SVTEventContext[]] $result = @(); [System.GC]::Collect(); $memoryUsage = [System.Diagnostics.Process]::GetCurrentProcess().PrivateMemorySize64 / [Math]::Pow(10,6) } } #Send Telemetry for scan time taken for a resource. This is being done to monitor perf issues in ADOScanner internally if ($this.IsAIEnabled) { $this.StopWatch.Stop() $this.ScanEnd = [DateTime]::UtcNow $properties = @{ TimeTakenInMs = $this.StopWatch.ElapsedMilliseconds; ResourceCount = "$currentCount/$totalResources"; ResourceName = $svtObject.ResourceContext.ResourceName; ResourceType = $svtObject.ResourceContext.ResourceType ; ScanStartDateTime = $this.ScanStart; ScanEndDateTime = $this.ScanEnd; RunIdentifier = $this.RunIdentifier; } if ($memoryUsage -gt 0) { $properties += @{MemoryUsageInMB = $memoryUsage;} } [AIOrgTelemetryHelper]::PublishEvent( "Resource Scan Completed",$properties, @{}) } } catch { $this.PublishCustomMessage($exceptionMessage); $this.CommandError($_); } } if(($childResources | Measure-Object).Count -gt 0) { try { [SVTEventContext[]] $childResourceResults = @(); $temp= $childResources |Sort-Object -Property @{Expression={$_.ResourceId}} -Unique $temp| ForEach-Object { $_.RunningLatestPSModule = $this.RunningLatestPSModule $this.SetSVTBaseProperties($_) $childResourceResults += $_.$methodNameToCall(); } $result += $childResourceResults; } catch { $this.PublishCustomMessage($_); } } return $result; } hidden [SVTEventContext[]] RunAllControls() { return $this.RunForAllResources("EvaluateAllControls",$true,$this.Resolver.SVTResources) } hidden [void] ReportNonAutomatedResources() { $nonAutomatedResources = @(); $nonAutomatedResources += ($this.Resolver.SVTResources | Where-Object { $null -eq $_.ResourceTypeMapping }); if(($nonAutomatedResources|Measure-Object).Count -gt 0) { $this.PublishCustomMessage("Number of resources for which security controls will NOT be evaluated: $($nonAutomatedResources.Count)", [MessageType]::Warning); $nonAutomatedResTypes = [array] ($nonAutomatedResources | Select-Object -Property ResourceType -Unique); $this.PublishCustomMessage([MessageData]::new("Security controls are yet to be automated for the following service types: ", $nonAutomatedResTypes)); $this.PublishAzSKRootEvent([AzSKRootEvent]::UnsupportedResources, $nonAutomatedResources); } } #Rescan controls post attestation hidden [SVTEventContext[]] ScanAttestedControls() { [ControlStateExtension] $ControlStateExt = [ControlStateExtension]::new($this.OrganizationContext, $this.InvocationContext); $ControlStateExt.UniqueRunId = $this.ControlStateExt.UniqueRunId; $ControlStateExt.Initialize($false); #$ControlStateExt.ComputeControlStateIndexer(); [PSObject] $ControlStateIndexer = $null; foreach ($items in $this.Resolver.SVTResources) { $resourceType = $null; $projectName = $null; if ($items.ResourceType -ne "ADO.Organization") { if ($items.ResourceType -eq "ADO.Project") { $projectName = $items.ResourceName $resourceType = "Project"; } else { $projectName = $items.ResourceGroupName $resourceType = $items.ResourceType } } else { $resourceType = "Organization"; } $ControlStateIndexer += $ControlStateExt.RescanComputeControlStateIndexer($projectName, $resourceType); } $ControlStateIndexer = $ControlStateIndexer | Select-Object * -Unique $resourcesAttestedinCurrentScan = @() if(($null -ne $ControlStateIndexer) -and ([Helpers]::CheckMember($ControlStateIndexer, "ResourceId"))) { $resourcesAttestedinCurrentScan = $this.Resolver.SVTResources | Where-Object {$ControlStateIndexer.ResourceId -contains $_.ResourceId} } return $this.RunForAllResources("RescanAndPostAttestationData",$false,$resourcesAttestedinCurrentScan) } #BaseLine Control Filter Function [void] BaselineFilterCheck() { #Check if use baseline or preview baseline flag is passed as parameter if($this.UseBaselineControls -or $this.UsePreviewBaselineControls) { $ResourcesWithBaselineFilter =@() #Load ControlSetting file $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); $baselineControlsDetails = $ControlSettings.BaselineControls #if baselineControls switch is available and baseline controls available in settings if ($null -ne $baselineControlsDetails -and ($baselineControlsDetails.ResourceTypeControlIdMappingList | Measure-Object).Count -gt 0 -and $this.UseBaselineControls) { #Get resource type and control ids mapping from controlsetting object #$this.PublishCustomMessage("Running cmdlet with baseline resource types and controls.", [MessageType]::Warning); $baselineResourceTypes = $baselineControlsDetails.ResourceTypeControlIdMappingList | Select-Object ResourceType | Foreach-Object {$_.ResourceType} #Filter SVT resources based on baseline resource types $ResourcesWithBaselineFilter += $this.Resolver.SVTResources | Where-Object {$null -ne $_.ResourceTypeMapping -and $_.ResourceTypeMapping.ResourceTypeName -in $baselineResourceTypes } #Get the list of control ids $controlIds = $baselineControlsDetails.ResourceTypeControlIdMappingList | Select-Object ControlIds | ForEach-Object { $_.ControlIds } $BaselineControlIds = [system.String]::Join(",",$controlIds); if(-not [system.String]::IsNullOrEmpty($BaselineControlIds)) { #Assign preview control list to ControlIds filter parameter. This controls gets filtered during scan. $this.ControlIds = $controlIds; } } #If baseline switch is passed and there is no baseline control list present then throw exception elseif (($baselineControlsDetails.ResourceTypeControlIdMappingList | Measure-Object).Count -eq 0 -and $this.UseBaselineControls) { throw ([SuppressedException]::new(("There are no baseline controls defined for your org. No controls will be scanned."), [SuppressedExceptionType]::Generic)) } #Preview Baseline Controls $previewBaselineControlsDetails = $null #if use preview baseline switch is passed and preview baseline list property present if($this.UsePreviewBaselineControls -and [Helpers]::CheckMember($ControlSettings,"PreviewBaselineControls")) { $previewBaselineControlsDetails = $ControlSettings.PreviewBaselineControls #if preview baseline list is defined in settings if ($null -ne $previewBaselineControlsDetails -and ($previewBaselineControlsDetails.ResourceTypeControlIdMappingList | Measure-Object).Count -gt 0 ) { $previewBaselineResourceTypes = $previewBaselineControlsDetails.ResourceTypeControlIdMappingList | Select-Object ResourceType | Foreach-Object {$_.ResourceType} #Filter SVT resources based on preview baseline baseline resource types $BaselineResourceList = @() if(($ResourcesWithBaselineFilter | Measure-Object).Count -gt 0) { $BaselineResourceList += $ResourcesWithBaselineFilter | Foreach-Object { $_.ResourceId} } $ResourcesWithBaselineFilter += $this.Resolver.SVTResources | Where-Object {$null -ne $_.ResourceTypeMapping -and $_.ResourceTypeMapping.ResourceTypeName -in $previewBaselineResourceTypes -and $_.ResourceId -notin $BaselineResourceList } #Get the list of preview control ids $controlIds = $previewBaselineControlsDetails.ResourceTypeControlIdMappingList | Select-Object ControlIds | ForEach-Object { $_.ControlIds } $previewBaselineControlIds = [system.String]::Join(",",$controlIds); if(-not [system.String]::IsNullOrEmpty($previewBaselineControlIds)) { # Assign preview control list to ControlIds filter parameter. This controls gets filtered during scan. $this.ControlIds += $controlIds; } } #If preview baseline switch is passed and there is no baseline control list present then throw exception elseif (($previewBaselineControlsDetails.ResourceTypeControlIdMappingList | Measure-Object).Count -eq 0 -and $this.UsePreviewBaselineControls) { if(($baselineControlsDetails.ResourceTypeControlIdMappingList | Measure-Object).Count -eq 0 -and $this.UseBaselineControls) { throw ([SuppressedException]::new(("There are no baseline and preview-baseline controls defined for this policy. No controls will be scanned."), [SuppressedExceptionType]::Generic)) } if(-not ($this.UseBaselineControls)) { throw ([SuppressedException]::new(("There are no preview-baseline controls defined for your org. No controls will be scanned."), [SuppressedExceptionType]::Generic)) } } } #Assign baseline filtered resources to SVTResources list (resource list to be scanned) if(($ResourcesWithBaselineFilter | Measure-Object).Count -gt 0) { $this.Resolver.SVTResources = [SVTResource[]] $ResourcesWithBaselineFilter } } } [void] UpdateRetryCountForPartialScan() { [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance(); #If Scan source is in supported sources or UsePartialCommits switch is available if ($this.UsePartialCommits) { $partialScanMngr.UpdateResourceScanRetryCount($_.ResourceId); } } [void] UpdateBatchScanCount($currentCount,$totalResources) { $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey("BatchScanMultipleProjects")){ [BatchScanManagerForMultipleProjects] $batchScanMngr = [BatchScanManagerForMultipleProjects]:: GetInstance(); } else { [BatchScanManager] $batchScanMngr = [BatchScanManager]:: GetInstance(); } $batchStatus = $batchScanMngr.GetBatchStatus(); if($currentCount % $ControlSettings.PartialScan.LocalScanUpdateFrequency -eq 0){ $batchStatus.ResourceCount += $ControlSettings.PartialScan.LocalScanUpdateFrequency; } elseif($currentCount -eq $totalResources){ $batchStatus.ResourceCount += ($totalResources % $ControlSettings.PartialScan.LocalScanUpdateFrequency ); } $batchScanMngr.BatchScanTrackerObj = $batchStatus; $batchScanMngr.WriteToBatchTrackerFile(); } [void] UpdatePartialCommitFile($isDurableStorageUpdate , $result) { [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance(); #If Scan source is in supported sources or UsePartialCommits switch is available if ($isDurableStorageUpdate) { $partialScanMngr.WriteToDurableStorage(); } else { if($this.invocationContext.BoundParameters["PrepareForControlFix"]){ $partialScanMngr.WriteControlFixDataObject($result); } $partialScanMngr.WriteToResourceTrackerFile(); } # write to csv after every partial commit $partialScanMngr.WriteToCSV($result, [FileOutputBase]::CSVFilePath); # append summary counts $partialScanMngr.CollateSummaryData($result); # append summary counts for bug logging & append control results with bug logging data if($this.IsBugLoggingEnabled){ if($this.invocationContext.BoundParameters["AutoBugLog"]){ $partialScanMngr.CollateBugSummaryData($result); } #Closes bugs after every partial commit $AutoClose=[AutoCloseBugManager]::new($this.OrganizationContext.OrganizationName); $AutoClose.AutoCloseBug($result) $bugsClosed=[AutoCloseBugManager]::ClosedBugs #Collects closed bugs information in partialScanManager class $partialScanMngr.CollateClosedBugSummaryData($bugsClosed) #Sends closed bugs information to Log Analytics after every partial commit. if($bugsClosed){ $laInstance= [LogAnalyticsOutput]::Instance $laInstance.WriteControlResult($bugsClosed) } } #sarif information. Save in ControlResultsWithSarifSummary only if controls not available in ControlResultsWithBugSummary if($this.IsSarifEnabled -and !$this.invocationContext.BoundParameters["AutoBugLog"]){ $partialScanMngr.CollateSarifData($result); } } [void] UsePartialCommitsCheck() { #If Scan source is in supported sources or UsePartialCommits switch is available if ($this.UsePartialCommits) { #Load ControlSetting Resource Types and Filter resources if($this.CentralStorageAccount){ [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance($this.CentralStorageAccount, $this.OrganizationContext.OrganizationName); } else{ [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance(); } #$this.PublishCustomMessage("Running cmdlet under transactional mode. This will scan resources and store intermittent scan progress to Storage. It resume scan in next run if something breaks inbetween.", [MessageType]::Warning); #Validate if active resources list already available in store #If list not available in store. Get resources filtered by baseline resource types and store it storage $nonScannedResourcesList = @(); #Sending $this.isControlFixCommand as true in case set-azskadosecuritystatus command is used in order to store RTF in separate folder, so that it does not interfere with GADS command if(($partialScanMngr.IsPartialScanInProgress($this.OrganizationContext.OrganizationName, $this.IsControlFixCommand) -eq [ActiveStatus]::Yes) ) { $this.IsPartialCommitScanActive = $true; $allResourcesList = $partialScanMngr.GetAllListedResources() # Get list of non-scanned active resources Write-Host "Finding unscanned resources" -ForegroundColor Yellow $nonScannedResourcesList = $partialScanMngr.GetNonScannedResources(); $this.PublishCustomMessage("Resuming scan from last commit. $(($nonScannedResourcesList | Measure-Object).Count) out of $(($allResourcesList | Measure-Object).Count) resources will be scanned.", [MessageType]::Warning); $nonScannedResourceIdList = $nonScannedResourcesList | Select-Object Id | ForEach-Object { $_.Id} #Filter SVT resources based on master resources list available and scan completed #Commenting telemtry here to include PartialScanIdentifier #[AIOrgTelemetryHelper]::PublishEvent( "Partial Commit Details", @{"TotalSVTResources"= $($this.Resolver.SVTResources | Where-Object { $_.ResourceTypeMapping } | Measure-Object).Count;"UnscannedResource"=$(($nonScannedResourcesList | Measure-Object).Count); "ResourceToBeScanned" = ($this.Resolver.SVTResources | Where-Object {$_.ResourceId -in $nonScannedResourceIdList } | Measure-Object).Count;},$null) $this.Resolver.SVTResources = $this.Resolver.SVTResources | Where-Object {$_.ResourceId -in $nonScannedResourceIdList } } else{ $this.IsPartialCommitScanActive = $false; [System.Collections.Generic.List[PSCustomObject]] $resourceLists=@() $progressCount=1 foreach ($svtResource in $this.Resolver.SVTResources) { if($null -ne $svtResource.ResourceTypeMapping){ $resourceList=[PSCustomObject]@{ ResourceId = $svtResource.ResourceId ResourceName=$svtResource.ResourceName ResourceGroupName = $svtResource.ResourceGroupName ResourceType = $svtResource.ResourceType #ResourceDetails=$svtResource.ResourceDetails } $resourceLists.Add($resourceList) if ($progressCount%100 -eq 0) { Write-Progress -Activity "Processed $($progressCount) of $($this.Resolver.SVTResources.Count) untracked resources " -Status "Progress: " -PercentComplete ($progressCount / $this.Resolver.SVTResources.Count * 100) } $progressCount++; } } Write-Progress -Activity "Processed all untracked resources" -Status "Ready" -Completed #$resourceIdList=@() #$resourceIdList += $this.Resolver.SVTResources| Where-Object {$null -ne $_.ResourceTypeMapping} | Select-Object ResourceId, ResourceName, ResourceDetails | ForEach-Object { $_.ResourceId, $_.ResourceName, $_.ResourceDetails } $partialScanMngr.CreateResourceMasterList($resourceLists); #This should fetch full list of resources to be scanned Write-Host "Finding unscanned resources" -ForegroundColor Yellow $nonScannedResourcesList = $partialScanMngr.GetNonScannedResources(); } #Set unique partial scan identifier (used for correlating events in AI when partial scan resumes.) #ADOTODO: Move '12' to Constants.ps1 later. $this.PartialScanIdentifier = [Helpers]::ComputeHashShort($partialScanMngr.ResourceScanTrackerObj.Id,12) #Telemetry with addition for Subscription Id, PartialScanIdentifier and correction in count of resources #Need optimization for calcuations done for total resources. try{ $CompletedResources = 0; $IncompleteScans = 0; $InErrorResources = 0; $ScanResourcesList = $partialScanMngr.GetAllListedResources() $progressCount=1 $ScanResourcesList | Group-Object -Property State | Select-Object Name,Count | foreach { if($_.Name -eq "COMP") { $CompletedResources = $_.Count } elseif ($_.Name -eq "INIT") { $IncompleteScans = $_.Count } elseif ($_.Name -eq "ERR") { $InErrorResources = $_.Count } if ($progressCount%100 -eq 0) { Write-Progress -Activity "Computed status of $($progressCount) of $($ScanResourcesList.Count) untracked resources " -Status "Progress: " -PercentComplete ($progressCount / $ScanResourcesList.Count * 100) } $progressCount++; } Write-Progress -Activity "Computed status of all untracked resources" -Status "Ready" -Completed [AIOrgTelemetryHelper]::PublishEvent( "Partial Commit Details",@{"TotalSVTResources"= $($ScanResourcesList |Measure-Object).Count;"ScanCompletedResourcesCount"=$CompletedResources; "NonScannedResourcesCount" = $IncompleteScans;"ErrorStateResourcesCount"= $InErrorResources;"OrganizationName"=$this.OrganizationContext.OrganizationName;"PartialScanIdentifier"=$this.PartialScanIdentifier;}, $null) } catch{ #Continue exexution if telemetry is not sent } } } #Get list of controlIds based control tags like OwnerAccess, GraphAccess,RBAC, Authz, SOX etc. [void] MapTagsToControlIds() { #Check if filtertags or exclude filter tags parameter is passed from user then get mapped control ids if(-not [string]::IsNullOrEmpty($this.FilterTags) ) #-or -not [string]::IsNullOrEmpty($this.ExcludeTags) { $resourcetypes = @() $controlList = @() #Get list of all supported resource Types $resourcetypes += ([SVTMapping]::AzSKADOResourceMapping | Sort-Object ResourceTypeName | Select-Object JsonFileName ) $resourcetypes | ForEach-Object{ #Fetch control json for all resource type and collect all control jsons $controlJson = [ConfigurationManager]::GetSVTConfig($_.JsonFileName); if ([Helpers]::CheckMember($controlJson, "Controls")) { $controlList += $controlJson.Controls | Where-Object {$_.Enabled} } } #If FilterTags are specified, limit the candidate set to matching controls if (-not [string]::IsNullOrEmpty($this.FilterTags)) { $filterTagList = $this.ConvertToStringArray($this.FilterTags) $controlIdsWithFilterTagList = @() #Look at each candidate control's tags and see if there's a match in FilterTags $filterTagList | ForEach-Object { $tagName = $_ $controlIdsWithFilterTagList += $controlList | Where-Object{ $tagName -in $_.Tags } | ForEach-Object{ $_.ControlId} } #Assign filtered control Id with tag name $this.ControlIds = @($controlIdsWithFilterTagList | Select-Object -Unique) #Need Control's internal id in case of Set-AzSKADOSecurityStatus command if ($this.IsControlFixCommand) { $inputControlId = $this.invocationContext.BoundParameters["ControlId"]; $this.ControlIds = $this.ControlIds | where-object {$_ -eq $inputControlId} $this.ControlInternalId = ($controlList | Where-Object { $inputControlId -contains $_.ControlId }| Select-Object Id -Unique).Id } } #********** Commentiing Exclude tags logic as this will not require perf optimization as excludeTags mostly will result in most of the resources # #If FilterTags are specified, limit the candidate set to matching controls # #Note: currently either includeTag or excludeTag will work at a time. Combined flag result will be overridden by excludeTags # if (-not [string]::IsNullOrEmpty($this.ExcludeTags)) # { # $excludeFilterTagList = $this.ConvertToStringArray($this.ExcludeTags) # $controlIdsWithFilterTagList = @() # #Look at each candidate control's tags and see if there's a match in FilterTags # $excludeFilterTagList | ForEach-Object { # $tagName = $_ # $controlIdsWithFilterTagList += $controlList | Where-Object{ $tagName -notin $_.Tags } | ForEach-Object{ $_.ControlId} # } # #Assign filtered control Id with tag name # $this.ControlIds = $controlIdsWithFilterTagList # } } } [PSObject] MapControlsToResourceTypes([PSObject] $automatedResources) { $allTargetControlIds = @($this.ControlIds) $allTargetControlIds += $this.ConvertToStringArray($this.ControlIdString) #Do this only for the actual controlIds case (not the Severity-Spec "Severity:High" case) if ($allTargetControlIds.Count -gt 0 ) { #Infer resource type names from control ids $allTargetResourceTypeNames = @($allTargetControlIds | ForEach-Object { ($_ -split '_')[1]}) $allTargetResourceTypeNamesUnique = @($allTargetResourceTypeNames | Sort-Object -Unique) #Match resources based on resource types. Here we have made exception for AzSKCfg to scan it every time and virtual network as its type name (VirtualNetwork) is different than controls type name (VNet) $automatedResources = @($automatedResources | Where-Object {$allTargetResourceTypeNamesUnique -contains $_.ResourceTypeMapping.ResourceTypeName -or $_.ResourceType -match 'AzSKCfg' -or ($_.ResourceTypeMapping.ResourceTypeName -match 'VirtualNetwork' -and $allTargetResourceTypeNamesUnique -contains "VNet")}) } return $automatedResources } [void] ReportExcludedResources($SVTResolver) { $excludedObj=New-Object -TypeName PSObject; $excludedObj | Add-Member -NotePropertyName ExcludedResources -NotePropertyValue $SVTResolver.ExcludedResources $excludedObj | Add-Member -NotePropertyName ExcludedResourceType -NotePropertyValue $SVTResolver.ExcludeResourceTypeName $excludedObj | Add-Member -NotePropertyName ExcludeResourceNames -NotePropertyValue $SVTResolver.ExcludeResourceNames $this.PublishAzSKRootEvent([AzSKRootEvent]::WriteExcludedResources,$excludedObj); } } # SIG # Begin signature block # MIIjoQYJKoZIhvcNAQcCoIIjkjCCI44CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCE3QrSF65QYR+R # fRUpwqC/CY2t/Oid9OPGDYlkQQe1waCCDYEwggX/MIID56ADAgECAhMzAAAB32vw # LpKnSrTQAAAAAAHfMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjAxMjE1MjEzMTQ1WhcNMjExMjAyMjEzMTQ1WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQC2uxlZEACjqfHkuFyoCwfL25ofI9DZWKt4wEj3JBQ48GPt1UsDv834CcoUUPMn # s/6CtPoaQ4Thy/kbOOg/zJAnrJeiMQqRe2Lsdb/NSI2gXXX9lad1/yPUDOXo4GNw # PjXq1JZi+HZV91bUr6ZjzePj1g+bepsqd/HC1XScj0fT3aAxLRykJSzExEBmU9eS # yuOwUuq+CriudQtWGMdJU650v/KmzfM46Y6lo/MCnnpvz3zEL7PMdUdwqj/nYhGG # 3UVILxX7tAdMbz7LN+6WOIpT1A41rwaoOVnv+8Ua94HwhjZmu1S73yeV7RZZNxoh # EegJi9YYssXa7UZUUkCCA+KnAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUOPbML8IdkNGtCfMmVPtvI6VZ8+Mw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDYzMDA5MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAnnqH # tDyYUFaVAkvAK0eqq6nhoL95SZQu3RnpZ7tdQ89QR3++7A+4hrr7V4xxmkB5BObS # 0YK+MALE02atjwWgPdpYQ68WdLGroJZHkbZdgERG+7tETFl3aKF4KpoSaGOskZXp # TPnCaMo2PXoAMVMGpsQEQswimZq3IQ3nRQfBlJ0PoMMcN/+Pks8ZTL1BoPYsJpok # t6cql59q6CypZYIwgyJ892HpttybHKg1ZtQLUlSXccRMlugPgEcNZJagPEgPYni4 # b11snjRAgf0dyQ0zI9aLXqTxWUU5pCIFiPT0b2wsxzRqCtyGqpkGM8P9GazO8eao # mVItCYBcJSByBx/pS0cSYwBBHAZxJODUqxSXoSGDvmTfqUJXntnWkL4okok1FiCD # Z4jpyXOQunb6egIXvkgQ7jb2uO26Ow0m8RwleDvhOMrnHsupiOPbozKroSa6paFt # VSh89abUSooR8QdZciemmoFhcWkEwFg4spzvYNP4nIs193261WyTaRMZoceGun7G # CT2Rl653uUj+F+g94c63AhzSq4khdL4HlFIP2ePv29smfUnHtGq6yYFDLnT0q/Y+ # Di3jwloF8EWkkHRtSuXlFUbTmwr/lDDgbpZiKhLS7CBTDj32I0L5i532+uHczw82 # oZDmYmYmIUSMbZOgS65h797rj5JJ6OkeEUJoAVwwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVdjCCFXICAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAd9r8C6Sp0q00AAAAAAB3zAN # BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgF+aIjKfO # 7bjKe3cjLodXPmySNqf8dCq1kBnOqiNivlcwRAYKKwYBBAGCNwIBDDE2MDSgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g # MA0GCSqGSIb3DQEBAQUABIIBAAZqtD6HO4kc6iSTWEtv10TJsU0XrbEQBCyCjrDZ # wGUpXB82vL2G5FLdzC4KY7EMoWfstlcBLJON1lfrV/fwHjODkP6Swup7i3xYGGUb # rYuNGZlpReULkG5zQXy+2BWF35nCx2I9XkD7nW+jBefrr9qu29mMHDIKaipuoqaq # y06G1S5xaR8MD+PMAwt3dqPrgxS15Xqr23VA9qU5wCOr6Kb6OgsJy8gVcIaL4BSl # rvflU+ebBdPv2zQYtKlnmcG+kR2JAAUjjqFCC+Sbs/+FYqISATDUkIMkoMtxibj4 # QuOaS6BeCh6aubZBjQ0PiB/222c6lOD+0dq1XeWUGj2obv+hghL+MIIS+gYKKwYB # BAGCNwMDATGCEuowghLmBgkqhkiG9w0BBwKgghLXMIIS0wIBAzEPMA0GCWCGSAFl # AwQCAQUAMIIBWQYLKoZIhvcNAQkQAQSgggFIBIIBRDCCAUACAQEGCisGAQQBhFkK # AwEwMTANBglghkgBZQMEAgEFAAQgNgo8N2Gjvq/44ukLy61UuEJ1dJeo/KK8jk0X # U7HaLQgCBmExMNysDxgTMjAyMTA5MTQxMjE4MzYuOTg2WjAEgAIB9KCB2KSB1TCB # 0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMk # TWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1U # aGFsZXMgVFNTIEVTTjo4RDQxLTRCRjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgU2VydmljZaCCDk0wggT5MIID4aADAgECAhMzAAABOo2NMfd3 # SUnCAAAAAAE6MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv # ZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBD # QSAyMDEwMB4XDTIwMTAxNTE3MjgyMloXDTIyMDExMjE3MjgyMlowgdIxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29m # dCBJcmVsYW5kIE9wZXJhdGlvbnMgTGltaXRlZDEmMCQGA1UECxMdVGhhbGVzIFRT # UyBFU046OEQ0MS00QkY3LUIzQjcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFNlcnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOXyTn # Xw+XPwlMhdif8705qSpxap0nxlcmECSz2HIsHz4A1btmeBvW3uLDtOaB6ig7Aydu # EJBAfXhTBZ3yFAVZ7EqpWlwgWdjdvXn49iaBV5Dhcp9Ync88yNOJe7vd6lceP1df # uaFLYhWrAS8M6504jfJAvwPw44bbhv7XTMMMTI3nC9nkDVZy+XZ5CEIbrUZ4c1pe # 9c6WhNBuVUVsxY6Ya+Ie+BGVGFGOA2a6/UnbLp9AW2ITDSl1coJAbrzFCUGFy7gu # f5tgvgeh5Paau2SkcTINn5+uv4pr/NQM/cGxweQp2Q0Y44N+8l1YdpXRbOvXCc+5 # SC05t+cE7ShKMikFAgMBAAGjggEbMIIBFzAdBgNVHQ4EFgQUFFagnxZfEmumyW8c # daytCYVF88swHwYDVR0jBBgwFoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0f # BE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJv # ZHVjdHMvTWljVGltU3RhUENBXzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4w # TDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0 # cy9NaWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNV # HSUEDDAKBggrBgEFBQcDCDANBgkqhkiG9w0BAQsFAAOCAQEAXjfkPqQBLaN4AnwE # bUpObkDPSOlt2OmpK8wu3t85WtoAQeV2CTTgEpxOaHONtNeyPCAIwwJL6NfhOiqL # RyfNxKgPYumFkD3wNd4fqVEfupB1dseDHT+9urRjJWSW1JMy/WPPMjvlnl2Gm9zh # TCfgVvoIJoXb/6vtGvSP7YMYLCXxpaq9CrOEIn+jtw2hhR8nhZIIezU6yOAyZZOa # CW48jG3eRXyItmXYhmDKvlw06I2JOtoUOruHEjXqgOyhbQRAoJXzidXXBZJZ7VKI # AojCvkG2pjAn6GWhw/Dmp6FZsGJMue1wuvAp0BvC2EWvUMd/dFjAWgPPI20pIH9M # mwHZszCCBnEwggRZoAMCAQICCmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAwgYgx # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1p # Y3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcw # MTIxMzY1NVoXDTI1MDcwMTIxNDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB # IDIwMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGKOiDs # /BOX9fp/aZRrdFQQ1aUKAIKF++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0EbGpUd # zgkTjnxhMFmxMEQP8WCIhFRDDNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/JGAy # WGBG8lhHhjKEHnRhZ5FfgVSxz5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0kZxJy # GiGKr0tkiVBisV39dx898Fd1rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7lmsqx # qPJ6Kgox8NpOBpG2iAg16HgcsOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlEXV4W # nAEFTyJNAgMBAAGjggHmMIIB4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU # 1WM6XIoxkPNDe3xGG8UzaFqFbVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEw # CwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/o # olxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNy # b3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt # MjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5t # aWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5j # cnQwgaAGA1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIB # FjFodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQu # aHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8A # UwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohRDeLG # 4Jg/gXEDPZ2joSFvs+umzPUxvs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l4/m8 # 7WtUVwgrUYJEEvu5U4zM9GASinbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/f8Z/ # 8jd9Wj8c8pl5SpFSAK84Dxf1L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WWj1kp # vLb9BOFwnzJKJ/1Vry/+tuWOM7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI57BlK # cWOdeyFtw5yjojz6f32WapB4pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1gJsi # OCC1JeVk7Pf0v35jWSUPei45V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9DvfYPw # 4TtxCd9ddJgiCGHasFAeb73x4QDf5zEHpJM692VHeOj4qEir995yfmFrb3epgcun # Caw5u+zGy9iCtHLNHfS4hQEegPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMuEin1 # wC9UJyH3yKxO2ii4sanblrKnQqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmKLxvH # Ia9Zta7cRDyXUHHXodLFVeNp3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu7w2g # UDXa7wknHNWzfjUeCLraNtvTX4/edIhJEqGCAtcwggJAAgEBMIIBAKGB2KSB1TCB # 0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMk # TWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1U # aGFsZXMgVFNTIEVTTjo4RDQxLTRCRjctQjNCNzElMCMGA1UEAxMcTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAByWR2fWPWBeB3K9i # PjUHyuQ1ngiggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAN # BgkqhkiG9w0BAQUFAAIFAOTq2CswIhgPMjAyMTA5MTQxNjEzMzFaGA8yMDIxMDkx # NTE2MTMzMVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA5OrYKwIBADAKAgEAAgIM # hQIB/zAHAgEAAgISmjAKAgUA5OwpqwIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgor # BgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUA # A4GBABNxNay63e4IGL/jNQJRU56TNBl+j4Bz5VCOXEDDKSlHL6cGzhNbnKauIdXi # Yx+VHnzXthdwdreFaTnRZy6uNAtq2bJngMoub0VZZnnZu8HgIEGh6vl/+j+oDmCm # sdicVv4jzKFQr3MdluujvBw/tEYbWPJsUypXBUVPu2FVrMANMYIDDTCCAwkCAQEw # gZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT # B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE # AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAE6jY0x93dJScIA # AAAAATowDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0B # CRABBDAvBgkqhkiG9w0BCQQxIgQgW4b5dqlR8Wap3/z/4jX549z0IHDp/FsxrGwn # hZAJI4YwgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCCfr9CEB6ksX/sF2y9+ # 7wY5P6KEv1zhyCjk1/VpQ3y0bTCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwAhMzAAABOo2NMfd3SUnCAAAAAAE6MCIEIMhJhiBp51+jOIJMNTcV # t4091IrKMAGTwyFKNlbbJQPBMA0GCSqGSIb3DQEBCwUABIIBAE2tdUP0Om6jMz6O # w9RrVMxZL5EUiGwTeTSOeGzq7WL4T4KSSeGYqZnMlv+CEp46W/OsOD33jBUD6WmY # udGNA4fXIxjHWCaC9NvetJaWoAswI3Pu3Thhi/oUXIaUQ8Q3Dxkd3lfSb4qnLa6w # 1mRERz3bZ9mOw7JHFtoLO1RQ81ZzqU+11qORyX5NmmckkOj9iZVK3RJgCVxmeCvp # Sc1rZPA5dssTOziMCCrzEaDs/mdD6RxD3Ejx11+3ujdVoYGjS13GFPMu6g3SX+0Y # rz+5A1zWLrOfgH5q1yqm7JHLn98bAnCabIIX+FiAAPHkAfMbHdmXRFPnZu3/RD+4 # EEv0psM= # SIG # End signature block |