ContinuousAssurance/ContinuousAssurance.ps1

Set-StrictMode -Version Latest
function Install-AzSKADOContinuousAssurance 
{
    <#
    .SYNOPSIS
    This command would help in setting up Continuous Assurance feature of AzSK.ADO in your subscription
    .DESCRIPTION
    This command will create a resource group (Name: ADOScannerRG) which runs security scan on organization and projects which are specified during installation.
    Security scan results will be populated in Log Analytics workspace which is configured during installation. Also, detailed logs will be stored in storage account (Name: adoscannersayyMMddHHmmss format).
     
    .PARAMETER SubscriptionId
        Subscription id in which CA setup needs to be done.
    .PARAMETER Location
        Location in which all resources need to be setup.
    .PARAMETER ResourceGroupName
        Resource group name where CA setup need to be done. (Default : ADOScannerRG)
    .PARAMETER LAWSId
        Workspace ID of Log Analytics workspace where security scan results will be sent
    .PARAMETER LAWSSharedKey
        Shared key of Log Analytics workspace which is used to monitor security scan results.
    .PARAMETER OrganizationName
        Organization name for which scan will be performed.
    .PARAMETER PATToken
        PAT token secure string for organization to be scanned.
    .PARAMETER PATTokenURL
        KeyVault URL for PATToken.
    .PARAMETER IdentityResourceId
        Resource id of user assigned managed identity to be used to access KeyVault for PATToken.
    .PARAMETER ProjectName
        Project to be scanned within the organization.
    .PARAMETER ExtendedCommand
        Extended command to narrow down the scans.
    .PARAMETER ScanIntervalInHours
        Overrides the default scan interval (24hrs) with the custom provided value.
    .PARAMETER CreateLAWorkspace
        Switch to create and map new log analytics workspace with CA setup.
    .NOTES
    This command helps the application team to verify whether their ADO resources are compliant with the security guidance or not
 
 
    #>

    Param(
        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage="Subscription id in which CA setup needs to be done.")]
        [Parameter(Mandatory = $true, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $true, ParameterSetName = "OAuthBasedCA")]
        [string]
        [Alias("sid")]
        $SubscriptionId ,

        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage = "Organization name for which scan will be performed.")]
        [Parameter(Mandatory = $true, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $true, ParameterSetName = "OAuthBasedCA")]
        [ValidateNotNullOrEmpty()]
        [Alias("oz")]
        [string]
        $OrganizationName,

        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage = "Project to be scanned within the organization.")]
        [Parameter(Mandatory = $true, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $true, ParameterSetName = "OAuthBasedCA")]
        [Alias("pns", "ProjectNames","pn")]
        [string]
        $ProjectName,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "PAT token secure string for organization to be scanned.")]
        [ValidateNotNullOrEmpty()]
        [Alias("pat","tkn")]
        [System.Security.SecureString]
        $PATToken,
        
        [Parameter(Mandatory = $true, ParameterSetName = "CentralCA", HelpMessage = "KeyVault URL for PATToken")]
        [ValidateNotNullOrEmpty()]
        [Alias("ptu")]
        [string]
        $PATTokenURL,
        
        [Parameter(Mandatory = $true, ParameterSetName = "CentralCA", HelpMessage = "Resource id of user assigned managed identity")]
        [ValidateNotNullOrEmpty()]
        [Alias("ici")]
        [string]
        $IdentityResourceId,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Resource group name where CA setup needs to be done")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [string]
        [ValidateNotNullOrEmpty()]
        [Alias("rgn")]
        $ResourceGroupName,       

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Location in which all resources need to be setup.")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [string]
        [ValidateNotNullOrEmpty()]
        [Alias("loc")]
        $Location, 

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Workspace ID of Log Analytics workspace which is used to monitor security scan results.")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [string]
        [ValidateNotNullOrEmpty()]
        [Alias("lwid","wid")]
        $LAWSId,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Shared key of Log Analytics workspace which is used to monitor security scan results.")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [string]
        [ValidateNotNullOrEmpty()]
        [Alias("lwkey","wkey")]
        $LAWSSharedKey,

        [switch]
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Switch to create and map new Log Analytics workspace with CA setup.")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [Alias("cws")]
        $CreateLAWorkspace,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Use extended command to narrow down the target scan.")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [Alias("ex")]
        [string]
        $ExtendedCommand,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Overrides the default scan interval (24hrs) with the custom provided value.")]
        [Parameter(Mandatory = $false, ParameterSetName = "CentralCA")]
        [Parameter(Mandatory = $false, ParameterSetName = "OAuthBasedCA")]
        [Alias("si")]
        [int]
        $ScanIntervalInHours,
        
        [Parameter(Mandatory = $true, ParameterSetName = "OAuthBasedCA")]
        [Alias("oai")]
        [System.Security.SecureString]
        $OAuthAppId,

        [Parameter(Mandatory = $true, ParameterSetName = "OAuthBasedCA")]
        [ValidateNotNullOrEmpty()]
        [Alias("csec")]
        [System.Security.SecureString]
        $ClientSecret,

        [Parameter(Mandatory = $true, ParameterSetName = "OAuthBasedCA")]
        [Alias("ausc")]
        [string]
        $AuthorizedScopes

    )
    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }
    Process
    {
        try 
        {
            if ([string]::IsNullOrWhiteSpace($PATToken) -and [string]::IsNullOrWhiteSpace($PATTokenURL) -and $PSCmdlet.ParameterSetName -ne 'OAuthBasedCA' )
            {
                $PATToken = Read-Host "Provide PAT for [$OrganizationName] org:" -AsSecureString
            }

            $resolver = [Resolver]::new($OrganizationName)

            $caAccount = [CAAutomation]::new($SubscriptionId, $Location,`
                                            $OrganizationName, $PATToken, $PATTokenURL, $ResourceGroupName, $LAWSId,`
                                            $LAWSSharedKey, $ProjectName, $IdentityResourceId,`
                                            $ExtendedCommand,  $ScanIntervalInHours, $PSCmdlet.MyInvocation, $CreateLAWorkspace,`
                                            $OAuthAppId, $ClientSecret, $AuthorizedScopes);

            if ($PSCmdlet.ParameterSetName -eq 'Default') {
                $caAccount.InvokeFunction($caAccount.InstallAzSKADOContinuousAssurance)
            }
            elseif ($PSCmdlet.ParameterSetName -eq 'CentralCA')
            {
                $caAccount.InvokeFunction($caAccount.InstallAzSKADOCentralContinuousAssurance)
            }
            else {
                $caAccount.InvokeFunction($caAccount.InstallAzSKADOOAuthBasedContinuousAssurance)
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }  
    }
    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}

function Update-AzSKADOContinuousAssurance 
{
    <#
    .SYNOPSIS
    This command would help in updating user configurable properties of Continuous Assurance in your subscription
    .DESCRIPTION
    This command will update configurations of existing AzSK.ADO CA setup in your subscription.
    Security scan results will be populated in Log Analytics workspace which is configured during installation. Also, detailed logs will be stored in storage account (Name: adoscannersayyMMddHHmmss format).
     
    .PARAMETER SubscriptionId
        Subscription id in which CA setup is present.
    .PARAMETER ResourceGroupName
        Resource group name where CA setup is available (Default : ADOScannerRG).
    .PARAMETER LAWSId
        Workspace ID of Log Analytics workspace which is used to monitor security scan results.
    .PARAMETER LAWSSharedKey
        Shared key of Log Analytics workspace which is used to monitor security scan results.
    .PARAMETER AltLAWSId
        Alternate workspace ID of Log Analytics workspace where security scan results will be sent
    .PARAMETER AltLAWSSharedKey
        Alternate shared key of Log Analytics workspace which is used to monitor security scan results.
    .PARAMETER OrganizationName
        Organization name for which scan will be performed.
    .PARAMETER PATToken
        PAT token secure string for organization to be scanned.
    .PARAMETER PATTokenURL
        KeyVault URL for PATToken.
    .PARAMETER ProjectName
        Project to be scanned within the organization.
    .PARAMETER ExtendedCommand
        Extended command to narrow down the target scan.
    .PARAMETER ScanIntervalInHours
        Overrides the default scan interval (24hrs) with the custom provided value.
    .PARAMETER ClearExtendedCommand
        Use to clear extended command.
    .PARAMETER WebhookUrl
        Provide webhook url to enable it in CA setup.
    .PARAMETER WebhookAuthZHeaderName
        Provide webhook header name.
    .PARAMETER WebhookAuthZHeaderValue
        Provide webhook header value.
    .PARAMETER AllowSelfSignedWebhookCertificate
        Use this switch to allow self signed webhook certificate.
    #>

    Param(
        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage="Subscription id in which CA setup is present.")]
        [string]
        [Alias("sid")]
        $SubscriptionId ,

        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage = "Orgnanization name for which scan will be performed.")]
        [Alias("oz")]
        [string]
        $OrganizationName,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Project to be scanned within the organization.")]
        [Alias("pns", "ProjectNames", "pn")]
        [string]
        $ProjectName,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "PAT token secure string for organization to be scanned.")]
        [Alias("pat")]
        [System.Security.SecureString]
        $PATToken,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "KeyVault URL for PATToken")]
        [Alias("ptu")]
        [string]
        $PATTokenURL,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default")]
        [Alias("oai")]
        [switch]
        $RefreshOAuthToken,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Resource group name where CA setup is available. (Default : ADOScannerRG)")]
        [string]
        [Alias("rgn")]
        $ResourceGroupName,       

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Workspace ID of Log Analytics workspace where security scan results will be populated.")]
        [string]
        [Alias("lwid","wid","WorkspaceId")]
        $LAWSId,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Shared key of Log Analytics workspace which is used to monitor security scan results.")]
        [string]
        [Alias("lwkey","wkey","SharedKey")]
        $LAWSSharedKey,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Alternate workspace ID of Log Analytics workspace which is used to monitor security scan results.")]
        [string]
        [ValidateNotNullOrEmpty()]
        [Alias("alwid","awid")]
        $AltLAWSId,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Alternate shared key of Log Analytics workspace which is used to monitor security scan results.")]
        [string]
        [ValidateNotNullOrEmpty()]
        [Alias("alwkey","awkey")]
        $AltLAWSSharedKey,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Use extended command to narrow down the scans.")]
        [Alias("ex")]
        [string]
        $ExtendedCommand,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Overrides the default scan interval (24hrs) with the custom provided value.")]
        [Alias("si")]
        [int]
        $ScanIntervalInHours,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Use to clear extended command.")]
        [Alias("cec")]
        [switch]
        $ClearExtendedCommand,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Provide webhook url to enable it in CA setup.")]
        [Alias("wu")]
        [string]
        $WebhookUrl,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Provide webhook header name.")]
        [Alias("wan")]
        [string]
        $WebhookAuthZHeaderName,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Provide webhook header value.")]
        [Alias("wav")]
        [string]
        $WebhookAuthZHeaderValue,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage = "Use this switch to allow self signed webhook certificate.")]
        [Alias("awc")]
        [switch]
        $AllowSelfSignedWebhookCertificate,

        #Dev-Test support params below this
        [string] $RsrcTimeStamp, 
        [string] $ContainerImageName, 
        [string] $ModuleEnv, 
        [bool] $UseDevTestImage, 
        [int] $TriggerNextScanInMin
    )
    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }
    Process
    {
        try 
        {
            if (-not [string]::IsNullOrEmpty($PATToken) -and -not [string]::IsNullOrEmpty($PATTokenURL))
            {
                throw [SuppressedException] "'PATToken' and 'PATTokenURL' are exclusive parameters. Please use only one of them in the command"   
            }
            if (-not [string]::IsNullOrEmpty($ExtendedCommand) -and $ClearExtendedCommand -eq $true)
            {
                throw [SuppressedException] "'ExtendedCommand' and 'ClearExtendedCommand' are exclusive parameters. Please use only one of them in the command"   
            }
            else 
            {
                
                    $resolver = [Resolver]::new($OrganizationName)
                    $caAccount = [CAAutomation]::new($SubscriptionId, $OrganizationName, $PATToken, $PATTokenURL, `
                                                    $ResourceGroupName, $LAWSId, $LAWSSharedKey, `
                                                    $AltLAWSId, $AltLAWSSharedKey, $ProjectName, $ExtendedCommand, `
                                                    $WebhookUrl, $WebhookAuthZHeaderName, $WebhookAuthZHeaderValue, $AllowSelfSignedWebhookCertificate, `
                                                    $RsrcTimeStamp, $ContainerImageName, $ModuleEnv, $UseDevTestImage, $TriggerNextScanInMin, `
                                                    $ScanIntervalInHours, $ClearExtendedCommand, $RefreshOAuthToken, $PSCmdlet.MyInvocation);
            
                    return $caAccount.InvokeFunction($caAccount.UpdateAzSKADOContinuousAssurance);
            }
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }  
    }
    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}
function Get-AzSKADOContinuousAssurance 
{
    <#
    .SYNOPSIS
    This command would help in getting details of Continuous Assurance Setup
         
    .PARAMETER SubscriptionId
        Subscription id in which CA setup is present.
    .PARAMETER OrganizationName
        Organization name for which CA is setup.
    .PARAMETER ResourceGroupName
        Resource group name where CA setup is available (Default : ADOScannerRG).
    .PARAMETER RsrcTimeStamp
        Timestamp of function app if multiple CA are setup in same resource group.
    #>

    Param(
        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage="Subscription id in which CA setup is present.")]
        [string]
        [Alias("sid")]
        $SubscriptionId ,
        
        [Parameter(Mandatory = $true, ParameterSetName = "Default", HelpMessage = "Orgnanization name for which scan will be performed.")]
        [Alias("oz")]
        [string]
        $OrganizationName,

        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Resource group name where CA setup is available. (Default : ADOScannerRG)")]
        [string]
        [Alias("rg")]
        $ResourceGroupName ,
        
        [Parameter(Mandatory = $false, ParameterSetName = "Default", HelpMessage="Timestamp of function app if multiple CA are setup in same resource group.")]
        [string]
        [Alias("rts")]
        $RsrcTimeStamp    

    )
    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }
    Process
    {
        try 
        {
            $resolver = [Resolver]::new($OrganizationName)
            $caAccount = [CAAutomation]::new($SubscriptionId, $OrganizationName, $ResourceGroupName, $RsrcTimeStamp, $PSCmdlet.MyInvocation);
            
            return $caAccount.InvokeFunction($caAccount.GetAzSKADOContinuousAssurance);
        }
        catch 
        {
            [EventBase]::PublishGenericException($_);
        }  
    }
    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}


# SIG # Begin signature block
# MIIjiAYJKoZIhvcNAQcCoIIjeTCCI3UCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDaNQHwJMEoUczt
# pj+h6s2jmcsbvtWg2nL5RX7wedQNraCCDYEwggX/MIID56ADAgECAhMzAAAB32vw
# LpKnSrTQAAAAAAHfMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjAxMjE1MjEzMTQ1WhcNMjExMjAyMjEzMTQ1WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQC2uxlZEACjqfHkuFyoCwfL25ofI9DZWKt4wEj3JBQ48GPt1UsDv834CcoUUPMn
# s/6CtPoaQ4Thy/kbOOg/zJAnrJeiMQqRe2Lsdb/NSI2gXXX9lad1/yPUDOXo4GNw
# PjXq1JZi+HZV91bUr6ZjzePj1g+bepsqd/HC1XScj0fT3aAxLRykJSzExEBmU9eS
# yuOwUuq+CriudQtWGMdJU650v/KmzfM46Y6lo/MCnnpvz3zEL7PMdUdwqj/nYhGG
# 3UVILxX7tAdMbz7LN+6WOIpT1A41rwaoOVnv+8Ua94HwhjZmu1S73yeV7RZZNxoh
# EegJi9YYssXa7UZUUkCCA+KnAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUOPbML8IdkNGtCfMmVPtvI6VZ8+Mw
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDYzMDA5MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAnnqH
# tDyYUFaVAkvAK0eqq6nhoL95SZQu3RnpZ7tdQ89QR3++7A+4hrr7V4xxmkB5BObS
# 0YK+MALE02atjwWgPdpYQ68WdLGroJZHkbZdgERG+7tETFl3aKF4KpoSaGOskZXp
# TPnCaMo2PXoAMVMGpsQEQswimZq3IQ3nRQfBlJ0PoMMcN/+Pks8ZTL1BoPYsJpok
# t6cql59q6CypZYIwgyJ892HpttybHKg1ZtQLUlSXccRMlugPgEcNZJagPEgPYni4
# b11snjRAgf0dyQ0zI9aLXqTxWUU5pCIFiPT0b2wsxzRqCtyGqpkGM8P9GazO8eao
# mVItCYBcJSByBx/pS0cSYwBBHAZxJODUqxSXoSGDvmTfqUJXntnWkL4okok1FiCD
# Z4jpyXOQunb6egIXvkgQ7jb2uO26Ow0m8RwleDvhOMrnHsupiOPbozKroSa6paFt
# VSh89abUSooR8QdZciemmoFhcWkEwFg4spzvYNP4nIs193261WyTaRMZoceGun7G
# CT2Rl653uUj+F+g94c63AhzSq4khdL4HlFIP2ePv29smfUnHtGq6yYFDLnT0q/Y+
# Di3jwloF8EWkkHRtSuXlFUbTmwr/lDDgbpZiKhLS7CBTDj32I0L5i532+uHczw82
# oZDmYmYmIUSMbZOgS65h797rj5JJ6OkeEUJoAVwwggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVXTCCFVkCAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAd9r8C6Sp0q00AAAAAAB3zAN
# BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgJ0ASf+eN
# dgbZ5uHVzAQWxaQYctgyaly7+LPhjDmVCXwwRAYKKwYBBAGCNwIBDDE2MDSgFIAS
# AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g
# MA0GCSqGSIb3DQEBAQUABIIBAFtlS6VedJJcGIatjAtrkPkrAxMjXjeXZ5g/DOza
# piG7G4GGT7PPnhp3Fov0di+HlkQuOoVVOq5fGZuaJcQveFo/oAovtUtN1Nnjhnz8
# jsmMBM1AkcufICYV4pXNGShDcC45F+Q8k3iPWS/uefP+ZphLxks1ZS3vo5dV+Bwv
# 1cqRXLkIPX2Z8PXGYDrG6fXKuehPzSSDWgZGFCUGL5i+sOtsa0Ede9/EByEWcrh8
# sED8MpU+zIYnGkKsYNrvte2Uv9Hk6CsjIceEPjK6FZRoA619nclISRqm3oFOs/Od
# uPJoSaVCn6x1voHj6HSjsYd7Oy3nYuPx9Px7kCNEGkFrrCGhghLlMIIS4QYKKwYB
# BAGCNwMDATGCEtEwghLNBgkqhkiG9w0BBwKgghK+MIISugIBAzEPMA0GCWCGSAFl
# AwQCAQUAMIIBUQYLKoZIhvcNAQkQAQSgggFABIIBPDCCATgCAQEGCisGAQQBhFkK
# AwEwMTANBglghkgBZQMEAgEFAAQgXNg+NaNbPsiQANIfDLwOaqkJ4UlBzYtebjBx
# N4Q1qHkCBmFDnHa3WhgTMjAyMTEwMTIxMTUzMjcuODM5WjAEgAIB9KCB0KSBzTCB
# yjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
# ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMc
# TWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRT
# UyBFU046MjI2NC1FMzNFLTc4MEMxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0
# YW1wIFNlcnZpY2Wggg48MIIE8TCCA9mgAwIBAgITMwAAAUqk9zHE/yKiSQAAAAAB
# SjANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
# Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
# cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAe
# Fw0yMDExMTIxODI1NThaFw0yMjAyMTExODI1NThaMIHKMQswCQYDVQQGEwJVUzET
# MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
# TWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmlj
# YSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjoyMjY0LUUzM0Ut
# NzgwQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCASIw
# DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN7KKGZkolgsvVEaNKMTVZZgEl8o
# hsLgHR4gUFWLZvWzLbegDoRItpfFd+9maW2hPFlgT+wv7lxf6OB4HFYZgHfIpcZh
# GU6/ebsymXYAmAKzKph71pxJU5F228YTSTLcoSAIUNBZVdTEIZILEPT5gI77Ysu7
# YKMufSmiZPzqYlkEX2/dHhOcoo90zgIJRTG1u2kF7w6a7D50yHKE46eGEwqwjExE
# RCCNtFBDQrTfYID/Icj0zKikYjiJRaaPNjnvBaRJ/eFkGz8gD2XyYXjlsNjDGPaG
# PQTt/Rm3nrxcyXGyCIIhWdBMXMTLl7BMDKKeLBQ0d6pFfS1LRJo+paKKBiUCAwEA
# AaOCARswggEXMB0GA1UdDgQWBBRxjGEYMfrAhjWKk/99frgmKqk/4TAfBgNVHSME
# GDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBNMEugSaBHhkVodHRw
# Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNUaW1TdGFQ
# Q0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o
# dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1RpbVN0YVBDQV8y
# MDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMI
# MA0GCSqGSIb3DQEBCwUAA4IBAQBRC67dRjgFFS9kv72Vfe8gQ+Hg3FpX2TYyOq4n
# rtPq9D36Udydr2ibZy5n7LphXvW20bDTugUHiwuyfWnmyc2oEevo+SrNCzxXcj59
# Wv9lQpBgtL6OM56x+v1zbNzp/moMwk3UvysE5af5rktfFtPx6apqcjU1IDt09hX8
# 0ZAzqPflPPyC5Cj3J8DQilQz2/TzSZvcbgCM9vuwLu9p9bZhJemNP++3LrHkdycf
# HZf3jv7QBAigEvyVb2mrnlomFIKCyJW1cOrBjIqyntQt5PK8zKxX/yZlyiRbr8c0
# DQw8tYpXeyorgoVet9sAF+t3g/cYzVogW4qwhuyZmEmTlTSKMIIGcTCCBFmgAwIB
# AgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzAR
# BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
# Y3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2Vy
# dGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAx
# MjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
# A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw
# JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZI
# hvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoA
# goX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiE
# VEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+B
# VLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3w
# V3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXo
# eByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYw
# ggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNo
# WoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD
# VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW
# BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny
# bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH
# AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp
# L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGV
# MIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWlj
# cm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIw
# NB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4A
# dAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM
# 9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0
# YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgP
# F/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/62
# 5Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZq
# kHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96
# LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5v
# vfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiF
# AR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduW
# sqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV
# 42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto2
# 29Nfj950iEkSoYICzjCCAjcCAQEwgfihgdCkgc0wgcoxCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh
# IE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjIyNjQtRTMzRS03
# ODBDMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEw
# BwYFKw4DAhoDFQC8BO6GhSDKwTN3KQTVtEHiiHprmKCBgzCBgKR+MHwxCzAJBgNV
# BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
# HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m
# dCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUAAgUA5Q+4SzAiGA8y
# MDIxMTAxMjE1MzEyM1oYDzIwMjExMDEzMTUzMTIzWjB3MD0GCisGAQQBhFkKBAEx
# LzAtMAoCBQDlD7hLAgEAMAoCAQACAgtJAgH/MAcCAQACAhFGMAoCBQDlEQnLAgEA
# MDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAI
# AgEAAgMBhqAwDQYJKoZIhvcNAQEFBQADgYEAVdBt4czZ3AzriMgXICGImjw6CGOk
# bTvmCeXkEUopgdUg4u8JruQ32+4SdGrfYmw6Z6P6ECTqs2NFO0FHckSuu2z+D+rs
# XXxgaDF/sPLCjrKEdOoyAqQiLvsXu371dtrDpKV09OMMbnPxkQKm3p95d3bJ3U9q
# BCjF2fvkdfFvn1cxggMNMIIDCQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEGA1UE
# CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z
# b2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQ
# Q0EgMjAxMAITMwAAAUqk9zHE/yKiSQAAAAABSjANBglghkgBZQMEAgEFAKCCAUow
# GgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCDBQgnh
# PKCsk+CMmHImRl/aEUpyOdz2lqLZbBzBmqujczCB+gYLKoZIhvcNAQkQAi8xgeow
# gecwgeQwgb0EIGwdktetudtX/kn7Yq/AVYiBWZBq+n4EFVQ8zUD3IlEDMIGYMIGA
# pH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
# B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE
# AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAFKpPcxxP8iokkA
# AAAAAUowIgQgzurHkxo3ZlHINSo7kaoV3qPf9EZO6+GExaLX0vPPqY0wDQYJKoZI
# hvcNAQELBQAEggEAOfvoELJWg7eXzbnOAs8Ll5LvSw4WMfMUxxZBFVrYVG2qM2og
# IHz0EQbQXlMnA9dar4sTQobbz/QXFeOyZwrOzTVk9sApYKwdBP1mf4ERHck72NDy
# 0sfpmHeHxlJ54bzs8g1Oe2kWHUIDjOTpPV1HnPLdm7mCFU2O2EQSHX8zCXUy19kg
# +0g8ZkZegTtoVBlWYEutUmqb2/Tn1uCNtywWmAAZxiThBdEPACVf+4b/r8IHYP8h
# OrwG8G0h8cN+d/7kz0hed9iiQPS9SCTaoCtI3PEDkYM+1TiEZJGWCRhYJfaqoHXK
# 0kIzuzcJhD1h8gMUfe3Vh5LVIjb3nGFJuhUiSA==
# SIG # End signature block