Framework/Helpers/IncrementalScanHelper.ps1
|
Set-StrictMode -Version Latest class IncrementalScanHelper { hidden [string] $OrganizationName = $null; hidden [string] $ProjectName = $null; hidden [string] $ProjectId = $null; hidden $OrganizationContext = $null; [PSObject] $ControlSettings; hidden [string] $AzSKTempStatePath = (Join-Path $([Constants]::AzSKAppFolderPath) "IncrementalScan"); hidden [string] $CAScanProgressSnapshotsContainerName = [Constants]::CAScanProgressSnapshotsContainerName; hidden [string] $ScanSource = $null; $StorageContext = $null; $ControlStateBlob = $null; $ContainerObject = $null; hidden [string] $IncrementalScanTimestampFile=$null; hidden [string] $CATempFile = $null; hidden [string] $MasterFilePath; hidden [PSObject] $ResourceTimestamps = $null; hidden [bool] $FirstScan = $false; hidden [datetime] $IncrementalDate = 0; hidden [datetime] $LastFullScan = 0; hidden [bool] $ShouldDiscardOldScan = $false; [bool] $UpdateTime = $true; hidden [datetime] $Timestamp = 0; [bool] $isPartialScanActive = $false; [bool] $IsFullScanInProgress = $false; static [PSObject] $auditSchema = $null [bool] $isIncFileAlreadyAvailable = $false; IncrementalScanHelper([string] $organizationName, [string] $projectName, [datetime] $incrementalDate, [bool] $updateTimestamp, [datetime] $timestamp) { $this.OrganizationName = $organizationName $this.ProjectName = $projectName $this.IncrementalScanTimestampFile = $([Constants]::IncrementalScanTimeStampFile) $this.ScanSource = [AzSKSettings]::GetInstance().GetScanSource() $this.CATempFile = "CATempLocal.json" # temporary file to store Json Data to upload to container (in CA) $this.IncrementalDate = $incrementalDate $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.projectName) $this.IncrementalScanTimestampFile) $this.UpdateTime = $updateTimestamp $this.Timestamp = $timestamp $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey("UsePartialCommits")){ [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance(); if(($partialScanMngr.IsPartialScanInProgress($this.OrganizationName, $false) -eq [ActiveStatus]::Yes)){ $this.isPartialScanActive = $true } } if($null -eq [IncrementalScanHelper]::auditSchema){ [IncrementalScanHelper]::auditSchema = [ConfigurationManager]::LoadServerConfigFile("IncrementalScanAudits.json") } } IncrementalScanHelper($organizationContext, [string] $projectId,[string] $projectName, [datetime] $incrementalDate) { $this.OrganizationName = $organizationContext.OrganizationName $this.OrganizationContext = $organizationContext $this.ProjectId = $projectId $this.IncrementalScanTimestampFile = $([Constants]::IncrementalScanTimeStampFile) $this.ScanSource = [AzSKSettings]::GetInstance().GetScanSource() $this.CATempFile = "CATempLocal.json" # temporary file to store Json Data to upload to container (in CA) $this.IncrementalDate = $incrementalDate $this.ProjectName = $projectName $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.projectName) $this.IncrementalScanTimestampFile) $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey("UsePartialCommits")){ [PartialScanManager] $partialScanMngr = [PartialScanManager]::GetInstance(); if(($partialScanMngr.IsPartialScanInProgress($this.OrganizationName, $false) -eq [ActiveStatus]::Yes)){ $this.isPartialScanActive = $true } } } hidden [datetime] GetThresholdTime([string] $resourceType) { # function to retrieve threshold time from storage, based on scan source. $latestScan = 0 if($this.ScanSource -ne "CA" -and $this.ScanSource -ne "CICD") { if(![string]::isnullorwhitespace($this.OrganizationName)) { if(Test-Path $this.MasterFilePath) { # File exists. Retrieve last timestamp. $this.ResourceTimestamps = Get-Content $this.MasterFilePath | ConvertFrom-Json if(-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0) { # Previous timestamp does not exist for this resource in the existing file. $this.FirstScan = $true } } else { #file does not exist $this.FirstScan = $true } } } elseif ($this.ScanSource -eq 'CA') { $this.MasterFilePath = (Join-Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile) $tempPath = Join-Path $([Constants]::AzSKAppFolderPath) $this.CATempFile $blobPath = Join-Path (Join-Path (Join-Path "IncrementalScan" $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile try { #Validate if Storage is found $keys = Get-AzStorageAccountKey -ResourceGroupName $env:StorageRG -Name $env:StorageName $this.StorageContext = New-AzStorageContext -StorageAccountName $env:StorageName -StorageAccountKey $keys[0].Value -Protocol Https $this.ContainerObject = Get-AzStorageContainer -Context $this.StorageContext -Name $this.CAScanProgressSnapshotsContainerName -ErrorAction SilentlyContinue if($null -ne $this.ContainerObject) { #container exists $this.ControlStateBlob = Get-AzStorageBlob -Container $this.CAScanProgressSnapshotsContainerName -Context $this.StorageContext -Blob $blobPath -ErrorAction SilentlyContinue if($null -ne $this.ControlStateBlob) { # File exists. Copy existing timestamp file locally Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json #Delete the local file Remove-Item -Path $tempPath if(-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0) { # Previous timestamp does not exist for current resource in existing file. $this.FirstScan = $true } } else { # File does not exist. $this.FirstScan = $true } } else { # Container does not exist $this.FirstScan = $true } } catch { write-host "Exception when trying to find/create incremental scan container: $_." } } elseif($this.ScanSource -eq 'CICD'){ if (Test-Path env:incrementalScanURI) { #Uri is created in cicd task based on jobid $uri = $env:incrementalScanURI } else { $uri = [Constants]::StorageUri -f $this.OrgName, $this.OrgName, "IncrementalScanFile" } try { #check if file already in extension sotrage $webRequestResult = [WebRequestHelper]::InvokeGetWebRequest($uri) if($null -ne $webRequestResult){ $this.ResourceTimestamps = $webRequestResult | ConvertFrom-Json if(-not ([Helpers]::CheckMember($this.ResourceTimestamps, $resourceType)) -or $null -eq $this.ResourceTimestamps.$resourceType -or [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime -eq 0) { # Previous timestamp does not exist for this resource in the existing file. $this.FirstScan = $true $this.isIncFileAlreadyAvailable = $true; } } else{ $this.FirstScan = $true $this.isIncFileAlreadyAvailable = $false; } } catch { $this.FirstScan = $true $this.isIncFileAlreadyAvailable = $false; } } if(-not $this.FirstScan) { if($this.isPartialScanActive){ $latestScan = [datetime]$this.ResourceTimestamps.$resourceType.LastPartialTime #to check if full scan is currently in progress, if we dont check this and give -dt switch full scan wont work if($this.ResourceTimestamps.$resourceType.IsFullScanInProgress){ $this.IsFullScanInProgress = $true } else{ $this.IsFullScanInProgress = $false } } else { $latestScan = [datetime]$this.ResourceTimestamps.$resourceType.LastScanTime $this.IsFullScanInProgress = $false } $this.LastFullScan = [datetime]$this.ResourceTimestamps.$resourceType.LastFullScanTime } if($this.IncrementalDate -ne 0) { # user input of incremental date to be used for scanning incrementally. $latestScan = $this.IncrementalDate if($this.ScanSource -eq 'CA'){ $FromTimeZone = [System.TimeZoneInfo]::FindSystemTimeZoneById("Asia/Kolkata") $latestScan = [DateTime]::SpecifyKind((Get-Date $latestScan), [DateTimeKind]::Unspecified) $latestScan = [System.TimeZoneInfo]::ConvertTimeToUtc($latestScan, $FromTimeZone) } } return $latestScan } UpdateTimeStamp([string] $resourceType) { # Updates timestamp of current scan to storage, based on scan source. if($this.UpdateTime -ne $true) { return; } if($this.isPartialScanActive){ return; } if($this.ScanSource -ne "CA" -and $this.ScanSource -ne "CICD") { if($this.FirstScan -eq $true) { # Check if file exists if((-not (Test-Path ($this.AzSKTempStatePath))) -or (-not (Test-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName))) -or (-not (Test-Path $this.MasterFilePath))) { # Incremental Scan happening first time locally OR Incremental Scan happening first time for Org OR first time for current Project New-Item -Type Directory -Path (Join-Path (Join-Path $this.AzSKTempStatePath $this.OrganizationName) $this.ProjectName) -ErrorAction Stop | Out-Null $this.ResourceTimestamps = [IncrementalScanTimestamps]::new() $resourceScanTimes = [IncrementalTimeStampsResources]@{ LastScanTime = $this.Timestamp; LastFullScanTime = $this.Timestamp; LastPartialTime = "0001-01-01T00:00:00.0000000"; IsFullScanInProgress = $false } $this.ResourceTimestamps.$resourceType = $resourceScanTimes [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force } else { # File exists for Organization and Project but first time scan for current resource type $this.ResourceTimestamps = Get-ChildItem -Path $this.MasterFilePath -Force | Get-Content | ConvertFrom-Json $resourceScanTimes = [IncrementalTimeStampsResources]@{ LastScanTime = $this.Timestamp; LastFullScanTime = $this.Timestamp; LastPartialTime = "0001-01-01T00:00:00.0000000"; IsFullScanInProgress = $false } $this.ResourceTimestamps.$resourceType = $resourceScanTimes [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force } } else { # Not a first time scan for the current resource $this.ResourceTimestamps = Get-ChildItem -Path $this.MasterFilePath -Force | Get-Content | ConvertFrom-Json $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime; $this.ResourceTimestamps.$resourceType.LastPartialTime= $previousScanTime if($this.IsFullScanInProgress -eq $false){ $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false } #if old scan, we trigger full scan, store full scan value, also reset upc scan time if($this.ShouldDiscardOldScan){ $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000"; $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true } $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $this.MasterFilePath -Force } } elseif ($this.ScanSource -eq 'CA') { $tempPath = Join-Path $([Constants]::AzSKAppFolderPath) $this.CATempFile $blobPath = Join-Path (Join-Path (Join-Path "IncrementalScan" $this.OrganizationName) $this.ProjectName) $this.IncrementalScanTimestampFile if ($this.FirstScan -eq $true) { # Check if container object does not exist if($null -eq $this.ContainerObject) { # Container does not exist, create container. $this.ContainerObject = New-AzStorageContainer -Name $this.CAScanProgressSnapshotsContainerName -Context $this.StorageContext -ErrorAction SilentlyContinue if ($null -eq $this.ContainerObject ) { $this.PublishCustomMessage("Could not find/create partial scan container in storage.", [MessageType]::Warning); } $this.ResourceTimestamps = [IncrementalScanTimestamps]::new() } if($null -eq $this.ControlStateBlob) { $this.ResourceTimestamps = [IncrementalScanTimestamps]::new() } else { Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json #Delete the local file Remove-Item -Path $tempPath } $resourceScanTimes = [IncrementalTimeStampsResources]@{ LastScanTime = $this.Timestamp; LastFullScanTime = $this.Timestamp; LastPartialTime = "0001-01-01T00:00:00.0000000"; IsFullScanInProgress = $false } $this.ResourceTimestamps.$resourceType = $resourceScanTimes [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $tempPath -Force Set-AzStorageBlobContent -File $tempPath -Container $this.ContainerObject.Name -Blob $blobPath -Context $this.StorageContext -Force Remove-Item -Path $tempPath } else { Get-AzStorageBlobContent -CloudBlob $this.ControlStateBlob.ICloudBlob -Context $this.StorageContext -Destination $tempPath -Force $this.ResourceTimestamps = Get-ChildItem -Path $tempPath -Force | Get-Content | ConvertFrom-Json $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime; $this.ResourceTimestamps.$resourceType.LastPartialTime = $previousScanTime if($this.IsFullScanInProgress -eq $false){ $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false } if($this.ShouldDiscardOldScan){ $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000"; $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true } # Delete the local file Remove-Item -Path $tempPath $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) | Out-File $tempPath -Force Set-AzStorageBlobContent -File $tempPath -Container $this.ContainerObject.Name -Blob $blobPath -Context $this.StorageContext -Force Remove-Item -Path $tempPath } } elseif($this.ScanSource -eq 'CICD'){ $incrementalScanPayload = $null if($this.FirstScan -eq $true){ #first scan for the pipeline for all resources if($this.isIncFileAlreadyAvailable -eq $false){ $this.ResourceTimestamps = [IncrementalScanTimestamps]::new() } #will be called for both scenarios: first scan for the resource as well as for the entire pipeline $resourceScanTimes = [IncrementalTimeStampsResources]@{ LastScanTime = $this.Timestamp; LastFullScanTime = $this.Timestamp; LastPartialTime = "0001-01-01T00:00:00.0000000"; IsFullScanInProgress = $false } $this.ResourceTimestamps.$resourceType = $resourceScanTimes $incrementalScanPayload = [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) } #not a first scan else{ $previousScanTime = $this.ResourceTimestamps.$resourceType.LastScanTime; $this.ResourceTimestamps.$resourceType.LastPartialTime= $previousScanTime if($this.IsFullScanInProgress -eq $false){ $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $false } #if old scan, we trigger full scan, store full scan value, also reset upc scan time if($this.ShouldDiscardOldScan){ $this.ResourceTimestamps.$resourceType.LastFullScanTime = $this.Timestamp $this.ResourceTimestamps.$resourceType.LastPartialTime = "0001-01-01T00:00:00.0000000"; $this.ResourceTimestamps.$resourceType.IsFullScanInProgress = $true } $this.ResourceTimestamps.$resourceType.LastScanTime = $this.Timestamp $incrementalScanPayload = [JsonHelper]::ConvertToJsonCustom($this.ResourceTimestamps) } try{ $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $uri = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken))) $body = ""; if (Test-Path env:incrementalScanURI) { $uri = $env:incrementalScanURI $JobId =""; $JobId = $uri.Replace('?','/').Split('/')[$JobId.Length -2] #if the incremental scan is already present need to update the existing file if ($this.FirstScan -eq $false -or $this.isIncFileAlreadyAvailable -eq $true){ $body = @{"id" = $Jobid; "__etag"=-1; "value"= $incrementalScanPayload;} | ConvertTo-Json } else{ $body = @{"id" = $Jobid; "value"= $incrementalScanPayload;} | ConvertTo-Json } } else { $uri = [Constants]::StorageUri -f $this.OrgName, $this.OrgName, "IncrementalScanFile" if ($this.FirstScan -eq $false -or $this.isIncFileAlreadyAvailable -eq $true){ $body = @{"id" = "IncrementalScanFile";"__etag"=-1; "value"= $incrementalScanPayload;} | ConvertTo-Json } else{ $body = @{"id" = "IncrementalScanFile"; "value"= $incrementalScanPayload;} | ConvertTo-Json } } $webRequestResult = Invoke-WebRequest -Uri $uri -Method Put -ContentType "application/json" -Headers @{Authorization = ("Basic {0}" -f $base64AuthInfo) } -Body $body } catch{ Write-Host "Error updating Incremental Scan file: $($_)" } } } [bool] IsIncScanOld($resourceType){ $this.GetThresholdTime($resourceType) if($this.FirstScan){ return $false; } if($this.LastFullScan.AddDays($this.ControlSettings.IncrementalScan.IncrementalScanValidForDays) -lt [DateTime]::UtcNow){ return $true; } return $false; } [bool] ShouldDiscardOldIncScan($resourceType){ $this.ShouldDiscardOldScan = $false if($this.IsIncScanOld($resourceType)){ if($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('Force')){ $this.ShouldDiscardOldScan = $false } else{ $this.ShouldDiscardOldScan = $true } } return $this.ShouldDiscardOldScan; } [System.Object[]] GetModifiedBuilds($buildDefnsObj) { # Function to filter builds that have been modified after threshold time $latestBuildScan = $this.GetThresholdTime("Build") if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0) { $this.UpdateTimeStamp("Build") return $buildDefnsObj } #if inc scan last time is 0 or if this is a full scan partial checkpoint, return all builds if($this.isPartialScanActive -and ($latestBuildScan -eq 0 -or $this.IsFullScanInProgress)){ return $buildDefnsObj } #if scan is old and no upc file found, simply return all builds, update scan time for full scans and last scan if($this.ShouldDiscardOldIncScan('Build') -and -not($this.isPartialScanActive)){ $this.UpdateTimeStamp("Build") return $buildDefnsObj } $newBuildDefns = @() if ([datetime] $buildDefnsObj[0].createdDate -lt $latestBuildScan) { # first resource is modified before the threshold time => all consequent are also modified before threshold # return empty list $this.UpdateTimeStamp("Build") return $newBuildDefns } #Binary search [int] $low = 0 # start index of array [int] $high = $buildDefnsObj.length - 1 # last index of array [int] $size = $buildDefnsObj.length # total length of array [int] $breakIndex = 0 while($low -le $high) { [int] $mid = ($low + $high)/2 # seeking the middle of the array [datetime] $modifiedDate = [datetime]($buildDefnsObj[$mid].createdDate) if($modifiedDate -ge $latestBuildScan) { # modified date is after the threshold time if(($mid + 1) -eq $size) { # all fetched build defs are modified after threshold time # return unmodified $this.UpdateTimeStamp("Build") return $buildDefnsObj } else { # mid point is not the last build defn if([datetime]($buildDefnsObj[$mid+1].createdDate) -lt $latestBuildScan) { # changing point found $breakIndex = $mid break } else { # search on right half $low = $mid + 1 } } } elseif ($modifiedDate -lt $latestBuildScan) { if($mid -eq 0) { # All fetched builds have been modified before the threshold return $newBuildDefns } else { if([datetime]($buildDefnsObj[$mid - 1].createdDate) -ge $latestBuildScan) { # changing point found $breakIndex = $mid - 1 break } else { # search on left half $high = $mid - 1 } } } } $newBuildDefns = @($buildDefnsObj[0..$breakIndex]) $this.UpdateTimeStamp("Build") return $newBuildDefns } [System.Object[]] GetModifiedReleases($releaseDefnsObj) { $latestReleaseScan = $this.GetThresholdTime("Release") if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0) { $this.UpdateTimeStamp("Release") return $releaseDefnsObj } if($this.isPartialScanActive -and ($latestReleaseScan -eq 0 -or $this.IsFullScanInProgress)){ return $releaseDefnsObj } if($this.ShouldDiscardOldIncScan('Release')){ $this.UpdateTimeStamp("Release") return $releaseDefnsObj } $newReleaseDefns = @() # Searching Linearly foreach ($releaseDefn in $releaseDefnsObj) { if ([datetime]($releaseDefn.modifiedOn) -ge $latestReleaseScan) { $newReleaseDefns += @($releaseDefn) } } $this.UpdateTimeStamp("Release") return $newReleaseDefns } #Get all resources attested after the latest scan [System.Object[]] GetAttestationAfterInc($projectName, $resourceType){ $resourceIds = @(); #if parameter not specified, wont be fetching these resources if(-not($PSCmdlet.MyInvocation.BoundParameters.ContainsKey('ScanAttestedResources'))){ return $resourceIds } $latestResourceScan = $this.GetThresholdTime($resourceType) if($this.ScanSource -ne 'CA'){ $latestResourceScan=$latestResourceScan.ToUniversalTime(); } $latestResourceScan =Get-Date $latestResourceScan -Format s if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){ return $resourceIds; } [ControlStateExtension] $ControlStateExt = [ControlStateExtension]::new($this.OrganizationContext, $PSCmdlet.MyInvocation); $output = $ControlStateExt.RescanComputeControlStateIndexer($projectName, 'ADO.'+$resourceType); $output | ForEach-Object { if($_.AttestedDate -gt $latestResourceScan){ try { $resourceIds += ($_.ResourceId -split ($resourceType.ToLower() + "/"))[1] } catch { } } } return $resourceIds } [System.Object[]] GetAuditTrailsForBuilds(){ $latestBuildScan = $this.GetThresholdTime("Build") if($this.ScanSource -ne 'CA'){ $latestBuildScan=$latestBuildScan.ToUniversalTime(); } $latestBuildScan =Get-Date $latestBuildScan -Format s $buildIds = @(); if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){ return $buildIds; } $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestBuildScan try { $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl); $auditTrails = $response.decoratedAuditLogEntries; $modifiedBuilds = $auditTrails | Where-Object {$_.actionId -eq 'Security.ModifyPermission' -and $_.data.NamespaceName -eq 'Build' -and $_.data.Token -match $this.ProjectId+"/" } $restrictedBroaderGroups = @{} $broaderGroups = $this.ControlSettings.Build.RestrictedBroaderGroupsForBuild $broaderGroups.psobject.properties | foreach { $restrictedBroaderGroups[$_.Name] = $_.Value } $modifiedBuilds | foreach { $group = ($_.data.SubjectDisplayName -split("\\"))[1] if($group -in $restrictedBroaderGroups.keys ){ if($_.data.ChangedPermission -in $restrictedBroaderGroups[$group]){ $buildIds += (($_.data.Token -split("/"))[-1]) } } } $buildIds = $buildIds | Select -Unique } catch { } return $buildIds; } [System.Object[]] GetModifiedBuildsFromAudit($buildIds, $projectName){ $totalBuilds = $buildIds.Count $buildDefnObj =@() $newBuildDefns = @(); $queryIdCount = 0; $currentbuildIds = "" $buildIds | foreach { if($totalBuilds -lt 100){ $queryIdCount++; $currentbuildIds=$currentbuildIds+$_+"," if($queryIdCount -eq $totalBuilds){ $buildDefnURL = "https://{0}.visualstudio.com/{1}/_apis/build/definitions?definitionIds={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentbuildIds; try { $buildDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($buildDefnURL)); } catch { } } } else { $queryIdCount++; $currentbuildIds=$currentbuildIds+$_+","; if($queryIdCount -eq 100){ $buildDefnURL = "https://{0}.visualstudio.com/{1}/_apis/build/definitions?definitionIds={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentbuildIds; try { $buildDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($buildDefnURL)); $queryIdCount =0; $currentbuildIds=""; $totalBuilds -=100; } catch { } } } } $latestBuildScan = $this.GetThresholdTime("Build"); foreach ($buildDefn in $buildDefnObj) { if ([Helpers]::CheckMember($buildDefn,'CreatedDate') -and [datetime]($buildDefn.CreatedDate) -lt $latestBuildScan) { $newBuildDefns += @($buildDefn) } } return $newBuildDefns; } [System.Object[]] GetAuditTrailsForReleases(){ $latestReleaseScan = $this.GetThresholdTime("Release"); if($this.ScanSource -ne 'CA'){ $latestReleaseScan=$latestReleaseScan.ToUniversalTime(); } $latestReleaseScan = Get-Date $latestReleaseScan -Format s $releaseIds = @(); if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){ return $releaseIds; } $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestReleaseScan try { $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl); $auditTrails = $response.decoratedAuditLogEntries; $modifiedReleases = $auditTrails | Where-Object {$_.actionId -eq 'Security.ModifyPermission' -and $_.data.NamespaceName -eq 'ReleaseManagement' -and $_.data.Token -match $this.ProjectId+"/" } $restrictedBroaderGroups = @{} $broaderGroups = $this.ControlSettings.Release.RestrictedBroaderGroupsForRelease $broaderGroups.psobject.properties | foreach { $restrictedBroaderGroups[$_.Name] = $_.Value } $modifiedReleases| foreach { $group = ($_.data.SubjectDisplayName -split("\\"))[1] if($group -in $restrictedBroaderGroups.keys ){ if($_.data.ChangedPermission -in $restrictedBroaderGroups[$group]){ $releaseIds += (($_.data.Token -split("/"))[-1]) } } } $releaseIds = $releaseIds | Select -Unique } catch { } return $releaseIds; } [System.Object[]] GetModifiedReleasesFromAudit($releaseIds, $projectName){ $totalReleases = $releaseIds.Count $newReleaseDefns = @(); $releaseDefnObj =@() $queryIdCount = 0; $currentReleaseIds = "" $releaseIds | foreach { if($totalReleases -lt 100){ $queryIdCount++; $currentReleaseIds=$currentReleaseIds+$_+"," if($queryIdCount -eq $totalReleases){ $releaseDefnURL = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions?definitionIdFilter={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentReleaseIds; try { $releaseDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($releaseDefnURL)); } catch { } } } else { $queryIdCount++; $currentReleaseIds=$currentReleaseIds+$_+","; if($queryIdCount -eq 100){ $releaseDefnURL = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions?definitionIdFilter={2}&api-version=6.0" -f $($this.OrganizationName), $projectName, $currentReleaseIds; try { $releaseDefnObj += ([WebRequestHelper]::InvokeGetWebRequest($releaseDefnURL)); $queryIdCount =0; $currentReleaseIds=""; $totalReleases -=100; } catch { } } } } $latestReleaseScan = $this.GetThresholdTime("Release"); foreach ($releaseDefn in $releaseDefnObj) { if ([Helpers]::CheckMember($releaseDefn,'modifiedOn') -and [datetime]($releaseDefn.modifiedOn) -lt $latestReleaseScan) { $newReleaseDefns += @($releaseDefn) } } return $newReleaseDefns; } #common function to get modified resource ids from audits for common svts and variable group [System.Object[]] GetModifiedCommonSvtAuditTrails($resourceType){ $resourceIds = @() #get last scan of the resources $latestScan = $this.GetThresholdTime($resourceType) if($this.ScanSource -ne 'CA'){ $latestScan=$latestScan.ToUniversalTime(); } $latestScan = Get-Date $latestScan -Format s $auditUrl = "https://auditservice.dev.azure.com/{0}/_apis/audit/auditlog?startTime={1}&api-version=6.0-preview.1" -f $this.OrganizationName, $latestScan try { $response = [WebRequestHelper]::InvokeGetWebRequest($auditUrl); $auditTrails = $response.decoratedAuditLogEntries; #get modified resources from filter $modifiedResources = $this.GetModifiedResourcesFilter($resourceType,$auditTrails) $modifiedResources | foreach { #extract resource ids from modified resources $resourceIds+=($_.data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]) -split("/"))[-1] if($resourceType -eq "GitRepositories"){ #to handle events of permission changes on branches $resourceIds+=(($_.data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]) -split("/refs"))[0]) -split("/")[-1] #to handle events of new repository creation $resourceIds+=($_.data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[1]) -split("\."))[-1] } } $resourceIds = $resourceIds | Select -Unique } catch { } return $resourceIds } #function to filter audits according to resource type [System.Object[]] GetModifiedResourcesFilter($resourceType,$auditTrails){ $resourceTypeInFilter = $resourceType #in case of secure file and variable group the resource type in audits is library, for other resources the name is same if($resourceType -eq "SecureFile" -or $resourceType -eq "VariableGroup"){ $resourceTypeInFilter = "Library" } if($resourceType -eq "GitRepositories"){ $resourceTypeInFilter = "Git Repositories" } $modifiedResources = $auditTrails | Where-Object {$_.actionId -in [IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.PSObject.Properties.Name -and ([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0] -eq $true -or( $_.Data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0]) -eq $resourceTypeInFilter -or $_.Data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0]) -eq "repository" -or $_.Data.([IncrementalScanHelper]::auditSchema.$resourceType.AuditEvents.($_.actionId)[0]) -eq $resourceType))} return $modifiedResources } #function to get modified resources [System.Object[]] GetModifiedCommonSvtFromAudit($resourceType,$response){ $latestScan = $this.GetThresholdTime($resourceType) $latestScan =Get-Date $latestScan -Format s #$response = [WebRequestHelper]::InvokeGetWebRequest($url); #if this a first scan return all resources if($this.FirstScan -eq $true -and $this.IncrementalDate -eq 0){ $this.UpdateTimeStamp($resourceType) return $response } #if partial scan is active and last scan is 0 or this is a full scan in progress return all resources if($this.isPartialScanActive -and ($latestScan -eq 0 -or $this.IsFullScanInProgress)){ return $response } #if this is a old scan return all resources if($this.ShouldDiscardOldIncScan($resourceType)){ $this.UpdateTimeStamp($resourceType) return $response } #get ids from above functions $modifiedResourceIds = @($this.GetModifiedCommonSvtAuditTrails($resourceType)); if($resourceType -eq "GitRepositories"){ $modifiedResourceIdsFromAttestation = @($this.GetAttestationAfterInc($this.ProjectName,"Repository")) } else{ $modifiedResourceIdsFromAttestation = @($this.GetAttestationAfterInc($this.ProjectName,$resourceType)) } $modifiedResourceIds = @($modifiedResourceIds + $modifiedResourceIdsFromAttestation | select -uniq) $modifiedResources = @() #if we get some ids from audit trails add them to modified resource obj if($modifiedResourceIds.Count -gt 0 -and $null -ne $modifiedResourceIds[0]){ #filter all ids from audit trails in the api response $modifiedResources = @($response | Where-Object{$modifiedResourceIds -contains $_.id}) #to capture events that dont come in audits but is reflected in api responses such as new resource created, properties of resources edited etc. if([Helpers]::CheckMember([IncrementalScanHelper]::auditSchema.$resourceType, "ApiResponseFilter")){ $modifiedResources +=$response | Where-Object{$modifiedResourceIds -notcontains $_.id -and [datetime]($_.([IncrementalScanHelper]::auditSchema.$resourceType.ApiResponseFilter)) -gt $latestScan} } } #in case no ids were obtained from audits check from response for corresponding api response filtee if present else{ if([Helpers]::CheckMember([IncrementalScanHelper]::auditSchema.$resourceType, "ApiResponseFilter")){ $modifiedResources += $response | Where-Object{[datetime]($_.([IncrementalScanHelper]::auditSchema.$resourceType.ApiResponseFilter)) -gt $latestScan} } } $this.UpdateTimeStamp($resourceType) return $modifiedResources } [void] SetContext($projectId,$organizationContext){ $this.ProjectId = $projectId $this.OrganizationContext = $organizationContext } } # SIG # Begin signature block # MIIjkgYJKoZIhvcNAQcCoIIjgzCCI38CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDu0RnMQpTI+qM0 # h0LTH/dgIIVOYsJ8iDSKXQeNVLNl26CCDYEwggX/MIID56ADAgECAhMzAAACUosz # qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I # sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O # L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA # v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o # RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8 # q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3 # uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp # kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7 # l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u # TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1 # o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti # yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z # 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf # 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK # WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW # esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F # 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVZzCCFWMCAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN # BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgcRsYk8YZ # vGnaqn6Fby54jz91yVBgvbJfPuFu3WF0/kIwQgYKKwYBBAGCNwIBDDE0MDKgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN # BgkqhkiG9w0BAQEFAASCAQAvfXRVFnJfaD3VUklKQ6cVc66EDfmpM4N6U96lnpml # wFQYlTLX+jVP6RTyalgI+HLpVdCtnBAifYO3eaNsbE5c8aIh9MWpX0drhv+jHfrJ # 7HmqE0aXnvD8wq60TM2vW+itKx1SSX3ijOm3FICHkttZfiVcoRIBSbBhlUU9kC4Y # cLxILup8Wnb7d1oFLC0MliqMLdjLCfm53bKY8shLZ7HPCDEPAzpzNt14ao5zaNBB # Y+UvfTKOKI5amPT73Tkmifpxk/JHi+vy5JxYFnck4yC6+PtkL41SmWOAFa9jwzHQ # s7o09uXCCvmslSHswQ5GNxc8l74WoqA7j4eiR47mhdnUoYIS8TCCEu0GCisGAQQB # gjcDAwExghLdMIIS2QYJKoZIhvcNAQcCoIISyjCCEsYCAQMxDzANBglghkgBZQME # AgEFADCCAVUGCyqGSIb3DQEJEAEEoIIBRASCAUAwggE8AgEBBgorBgEEAYRZCgMB # MDEwDQYJYIZIAWUDBAIBBQAEIEhP3vf3Vpw8rWZUXTU0Mj/oxdBOKajPkyAQ/2Oj # wXpNAgZiD/VxfzMYEzIwMjIwMzE0MTA0MzUzLjA3NFowBIACAfSggdSkgdEwgc4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1p # Y3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMg # VFNTIEVTTjpEOURFLUUzOUEtNDNGRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt # U3RhbXAgU2VydmljZaCCDkQwggT1MIID3aADAgECAhMzAAABYfWiM16gKiRpAAAA # AAFhMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # MB4XDTIxMDExNDE5MDIyMVoXDTIyMDQxMTE5MDIyMVowgc4xCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVy # YXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpEOURF # LUUzOUEtNDNGRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vydmlj # ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeInahBrU//GzTqhxUy # AC8UXct6UJCkb2xEZKV3gjggmLAheBrxJk7tH+Pw2tTcyarLRfmV2xo5oBk5pW/O # cDc/n/TcTeQU6JIN5PlTcn0C9RlKQ6t9OuU/WAyAxGTjKE4ENnUjXtxiNlD/K2ZG # MLvjpROBKh7TtkUJK6ZGWw/uTRabNBxRg13TvjkGHXEUEDJ8imacw9BCeR9L6und # r32tj4duOFIHD8m1es3SNN98Zq4IDBP3Ccb+HQgxpbeHIUlK0y6zmzIkvfN73Zxw # fGvFv0/Max79WJY0cD8poCnZFijciWrf0eD1T2/+7HgewzrdxPdSFockUQ8QovID # IYkCAwEAAaOCARswggEXMB0GA1UdDgQWBBRWHpqd1hv71SVj5LAdPfNE7PhLLzAf # BgNVHSMEGDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBNMEugSaBH # hkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNU # aW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF # BzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1RpbVN0 # YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsG # AQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQAQTA9bqVBmx5TTMhzj+Q8zWkPQXgCc # SQiqy2YYWF0hWr5GEiN2LtA+EWdu1y8oysZau4CP7SzM8VTSq31CLJiOy39Z4RvE # q2mr0EftFvmX2CxQ7ZyzrkhWMZaZQLkYbH5oabIFwndW34nh980BOY395tfnNS/Y # 6N0f+jXdoFn7fI2c43TFYsUqIPWjOHJloMektlD6/uS6Zn4xse/lItFm+fWOcB2A # xyXEB3ZREeSg9j7+GoEl1xT/iJuV/So7TlWdwyacQu4lv3MBsvxzRIbKhZwrDYog # moyJ+rwgQB8mKS4/M1SDRtIptamoTFJ56Tk6DuUXx1JudToelgjEZPa5MIIGcTCC # BFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJv # b3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1WhcN # MjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCASIw # DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9plGt0 # VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEwWbEw # RA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeGMoQe # dGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJUGKx # Xf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw2k4G # kbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0CAwEA # AaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ80N7 # fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC # AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX # zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v # cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI # KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYDVR0g # AQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93 # d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYB # BQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUA # bQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9naOh # IW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtRgkQS # +7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzymXlK # kVIArzgPF/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCfMkon # /VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3DnKOi # PPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs9/S/ # fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110mCII # YdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL2IK0 # cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7a # KLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQ # cdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+ # NR4Iuto229Nfj950iEkSoYIC0jCCAjsCAQEwgfyhgdSkgdEwgc4xCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBP # cGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpE # OURFLUUzOUEtNDNGRTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy # dmljZaIjCgEBMAcGBSsOAwIaAxUAFW5ShAw5ekTEXvL/4V1s0rbDz3mggYMwgYCk # fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF # AOXZbpIwIhgPMjAyMjAzMTQxMTM0NDJaGA8yMDIyMDMxNTExMzQ0MlowdzA9Bgor # BgEEAYRZCgQBMS8wLTAKAgUA5dlukgIBADAKAgEAAgIMQAIB/zAHAgEAAgIRcDAK # AgUA5drAEgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIB # AAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAHwBNXfxTjhyNJhK # ou8S2rZvvr+QQA4mEfXV7UYaEh/4X7xT3RWOIyWqKdr4L9tTVsVsNDZ6QDq3i14m # GMwcVez+7nCKI1sOv6josgdrAPYC2xMoRWV+DSQcpiq+vC49oXz68SpSMrSW3V2A # jrEMlOBtoJNHDusCXJ7Qxlu7HGpHMYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp # bWUtU3RhbXAgUENBIDIwMTACEzMAAAFh9aIzXqAqJGkAAAAAAWEwDQYJYIZIAWUD # BAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0B # CQQxIgQgyedLcDEJ3XQvlLlxD+pQD54OX8fPRZYbJa60pkOzekowgfoGCyqGSIb3 # DQEJEAIvMYHqMIHnMIHkMIG9BCBhz4un6mkSLd/zA+0N5YLDGp4vW/VBtNW/lpmh # tAk4bzCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u # MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp # b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB # YfWiM16gKiRpAAAAAAFhMCIEIDsQFLJKKglGUtkate2dzwBsnMbAjSoseDk16eIl # RyJ1MA0GCSqGSIb3DQEBCwUABIIBADsAT/Nc7KdhH+c3/CoD6Ltf2KuMw3iTTfGd # fKhZcHx0Dv3pKWCv8ZwODizAolfR9LyqxNWE7r7TIQTDG/KSD8vbJfEInBQBDyw7 # LI2NTGtjGwfW1StJM5iw4EiW6Y4qF3clR6nYT3xmT6HK2Rr9fszHqhIjl3sPlVMp # Qf9BA1L3UzIn37fzBzIQpFwkO4i9SNH6S0SgcooKy/aukqBv33kkchqMaeS3pq5h # H+FAADr3LZ35pymrKpikDsPjmrBzmf0cmY/VtsuirJjXsKR6EU1MLKCXjVVIeiRZ # ntSBrnd8B+vJxCMKXGJo1oh2AaeI1El9/ReS9MAbhtgIW7lBQ8c= # SIG # End signature block |