AzSKPreview.ADO

1.19.0

Framework/Core/SVT/ADO/ADO.AgentPool.ps1

                                Set-StrictMode -Version Latest

class AgentPool: ADOSVTBase

{

    hidden [PSObject] $AgentObj; # This is used for fetching agent pool details

    hidden [PSObject] $ProjectId;

    hidden [PSObject] $AgentPoolId;

    hidden [PSObject] $agentPool; # This is used to fetch agent details in pool

    hidden [PSObject] $agentPoolActivityDetail = @{isAgentPoolActive = $true; agentPoolLastRunDate = $null; agentPoolCreationDate = $null; message = $null; isComputed = $false; errorObject = $null};

    hidden [string] $checkInheritedPermissionsPerAgentPool = $false

    hidden static [PSObject] $regexListForSecrets;

    hidden [PSObject] $AgentPoolOrgObj; #This will contain org level agent pool details

    AgentPool([string] $organizationName, [SVTResource] $svtResource): Base($organizationName,$svtResource)

    {

        $this.AgentPoolId =  ($this.ResourceContext.ResourceId -split "agentpool/")[-1]

        $this.ProjectId = ($this.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0]

        $apiURL = "https://dev.azure.com/$($this.OrganizationContext.OrganizationName)/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/$($this.ProjectId)_$($this.AgentPoolId)";

        $this.AgentObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL));

        # if agent pool activity check function is not computed, then first compute the function to get the correct status of agent pool.

        if($this.agentPoolActivityDetail.isComputed -eq $false)

        {

            $this.CheckActiveAgentPool()

        }

        # overiding the '$this.isResourceActive' global variable based on the current status of agent pool.

        if ($this.agentPoolActivityDetail.isAgentPoolActive)

        {

            $this.isResourceActive = $true

        }

        else

        {

            $this.isResourceActive = $false

        }

        # calculating the inactivity period in days for the agent pool. If there is no use history, then setting it with negative value.

        # This will ensure inactive period is always computed irrespective of whether inactive control is scanned or not.

        if ($null -ne $this.agentPoolActivityDetail.agentPoolLastRunDate)

        {

            $this.InactiveFromDays = ((Get-Date) - $this.agentPoolActivityDetail.agentPoolLastRunDate).Days

        }

        if ([Helpers]::CheckMember($this.ControlSettings, "Agentpool.CheckForInheritedPermissions") -and $this.ControlSettings.Agentpool.CheckForInheritedPermissions) {

            $this.checkInheritedPermissionsPerAgentPool = $true

        }

        [AgentPool]::regexListForSecrets = @($this.ControlSettings.Patterns | Where-Object {$_.RegexCode -eq "SecretsInBuild"} | Select-Object -Property RegexList);

    }

    hidden [ControlResult] CheckRBACAccess([ControlResult] $controlResult)

    {

        <#{

            "ControlID": "ADO_AgentPool_AuthZ_Grant_Min_RBAC_Access",

            "Description": "All teams/groups must be granted minimum required permissions on agent pool.",

            "Id": "AgentPool110",

            "ControlSeverity": "High",

            "Automated": "Yes",

            "MethodName": "CheckRBACAccess",

            "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",

            "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts",

            "Tags": [

            "SDL",

            "TCP",

            "Automated",

            "AuthZ",

            "RBAC"

            ],

            "Enabled": true

        }#>

        if($this.AgentObj.Count -gt 0)

        {

            $roles = @();

            $roles +=   ($this.AgentObj  | Select-Object -Property @{Name="Name"; Expression = {$_.identity.displayName}},@{Name="Role"; Expression = {$_.role.displayName}});

            $controlResult.AddMessage("Total number of identities that have access to agent pool: ", ($roles | Measure-Object).Count);

            $controlResult.AddMessage([VerificationResult]::Verify,"Validate whether following identities have been provided with minimum RBAC access to agent pool.", $roles);

            $controlResult.SetStateData("Validate whether following identities have been provided with minimum RBAC access to agent pool.", $roles);

            $controlResult.AdditionalInfo += "Total number of identities that have access to agent pool: " + ($roles | Measure-Object).Count;

        }

        elseif($this.AgentObj.Count -eq 0)

        {

            $controlResult.AddMessage([VerificationResult]::Passed,"No role assignment found")

        }

        return $controlResult

    }

    hidden [ControlResult] CheckInheritedPermissions([ControlResult] $controlResult)

    {

        if($this.AgentObj.Count -gt 0)

        {

        $inheritedRoles = $this.AgentObj | Where-Object {$_.access -eq "inherited"}

            if( ($inheritedRoles | Measure-Object).Count -gt 0)

            {

                $roles = @();

                $roles +=   ($inheritedRoles  | Select-Object -Property @{Name="Name"; Expression = {$_.identity.displayName}},@{Name="Role"; Expression = {$_.role.displayName}});

                $controlResult.AddMessage("Total number of inherited role assignments on agent pool: ", ($roles | Measure-Object).Count);

                $controlResult.AddMessage([VerificationResult]::Failed,"Found inherited role assignments on agent pool.", $roles);

                $controlResult.SetStateData("Found inherited role assignments on agent pool.", $roles);

                $controlResult.AdditionalInfo += "Total number of inherited role assignments on agent pool: " + ($roles | Measure-Object).Count;

            }

            else {

                $controlResult.AddMessage([VerificationResult]::Passed,"No inherited role assignments found.")

            }

        }

        elseif($this.AgentObj.Count -eq 0)

        {

            $controlResult.AddMessage([VerificationResult]::Passed,"No role assignment found.")

        }

        return $controlResult

    }

    hidden [ControlResult] CheckOrgAgtAutoProvisioning([ControlResult] $controlResult)

    {

        $controlResult.VerificationResult = [VerificationResult]::Failed

        try {

            #Only agent pools created from org setting has this settings..

            if($null -eq $this.AgentPoolOrgObj)

            {

                $agentPoolsURL = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $($this.OrganizationContext.OrganizationName), $this.ResourceContext.resourcename;

                $this.AgentPoolOrgObj = @([WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL));

            }

            if($this.AgentPoolOrgObj.Count -gt 0)

            {

                if ($this.AgentPoolOrgObj.autoProvision -eq $true) {

                    $controlResult.AddMessage([VerificationResult]::Failed,"Auto-provisioning is enabled for the $($this.AgentPoolOrgObj.name) agent pool.");

                    $controlResult.AdditionalInfo = "Auto-provisioning is enabled for [$($this.AgentPoolOrgObj.name)] agent pool.";

                    $controlResult.AdditionalInfoInCSV += "NA";

                    if ($this.ControlFixBackupRequired) {

                        #Data object that will be required to fix the control

                        $controlResult.BackupControlState = $this.AgentPoolOrgObj;

                    }

                }

                else {

                    $controlResult.AddMessage([VerificationResult]::Passed,"Auto-provisioning is not enabled for the agent pool.");

                    $controlResult.AdditionalInfoInCSV += "NA";

                }

            }

            else

            {

                $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch auto-update details of agent pool.");

            }

        }

        catch{

            $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch agent pool details.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckOrgAgtAutoProvisioningAutomatedFix([ControlResult] $controlResult)

    {

        try 

        {

            #Backup data object is not required in this scenario.

            $RawDataObjForControlFix = @();

            $RawDataObjForControlFix = ([ControlHelper]::ControlFixBackup | where-object {$_.ResourceId -eq $this.ResourceId}).DataObject

            $body = ""

            if (-not $this.UndoFix)

            {                 

                if ($body.length -gt 1) {$body += ","}

                $body += @"

                {

                    "id": $($RawDataObjForControlFix.id),

                    "autoProvision": false

                }

"@;

            }

            else 

            {

                if ($body.length -gt 1) {$body += ","}

                $body += @"

                {

                    "id": $($RawDataObjForControlFix.id),

                    "autoProvision": true

                }

"@;

            }  

            $url = "https://dev.azure.com/{0}/_apis/distributedtask/pools/{1}?api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName),$($RawDataObjForControlFix.id);          

            $header = [WebRequestHelper]::GetAuthHeaderFromUriPatch($url)

            $webRequestResult = Invoke-RestMethod -Uri $url -Method Patch -ContentType "application/json" -Headers $header -Body $body                                

            $controlResult.AddMessage([VerificationResult]::Fixed,  "Auto-provisioning setting for agent pool have been changed.");

        }

        catch{

            $controlResult.AddMessage([VerificationResult]::Error,  "Could not apply fix.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckAutoUpdate([ControlResult] $controlResult)

    {

        $controlResult.VerificationResult = [VerificationResult]::Failed

        try

        {

            if($null -eq $this.AgentPoolOrgObj)

            {

                #autoUpdate setting is available only at org level settings.

                $agentPoolsURL = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $($this.OrganizationContext.OrganizationName), $this.ResourceContext.resourcename;

                $this.AgentPoolOrgObj = @([WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL));

            }

            if($this.AgentPoolOrgObj.Count -gt 0)

            {

                if($this.AgentPoolOrgObj.autoUpdate -eq $true)

                {

                    $controlResult.AddMessage([VerificationResult]::Passed,"Auto-update of agents is enabled for [$($this.AgentPoolOrgObj.name)] agent pool.");

                    $controlResult.AdditionalInfoInCSV = "NA";

                }

                else

                {

                    $controlResult.AddMessage([VerificationResult]::Failed,"Auto-update of agents is disabled for [$($this.AgentPoolOrgObj.name)] agent pool.");

                    if ($this.ControlFixBackupRequired) {

                        #Data object that will be required to fix the control

                        $controlResult.BackupControlState = $this.AgentPoolOrgObj.id;

                    }

                    $controlResult.AdditionalInfo = "Auto-update of agents is disabled for [$($this.AgentPoolOrgObj.name)] agent pool.";

                    $controlResult.AdditionalInfoInCSV = "NA";

                }

            }

            else

            {

                $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch auto-update details of agent pool.");

            }

        }

        catch

        {

            $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch agent pool details.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckAutoUpdateAutomatedFix([ControlResult] $controlResult)

    {

        try 

        {

            #Backup data object is not required in this scenario.

            $RawDataObjForControlFix = @();

            $RawDataObjForControlFix = ([ControlHelper]::ControlFixBackup | where-object {$_.ResourceId -eq $this.ResourceId}).DataObject

            $body = ""

            if (-not $this.UndoFix)

            {                 

                $body += @"

                {

                    "id":$($RawDataObjForControlFix),

                    "autoUpdate":true

                }

"@;

            }

            else 

           {

               $body += @"

                {

                    "id":$($RawDataObjForControlFix),

                    "autoUpdate":false

                }

"@;

            }

            $url = " https://dev.azure.com/{0}/_apis/distributedtask/pools/{1}?api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName),$($RawDataObjForControlFix);          

            $header = [WebRequestHelper]::GetAuthHeaderFromUriPatch($url)

            $webRequestResult = Invoke-RestMethod -Uri $url -Method Patch -ContentType "application/json" -Headers $header -Body $body                                

            $controlResult.AddMessage([VerificationResult]::Fixed,  "Auto-Update setting for agent pool has been changed.");

        }

        catch{

            $controlResult.AddMessage([VerificationResult]::Error,  "Could not apply fix.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckPrjAllPipelineAccess([ControlResult] $controlResult)

    {

        try {

            $controlResult.VerificationResult = [VerificationResult]::Failed

            $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_apis/build/authorizedresources?type=queue&id={2}&api-version=6.0-preview.1" -f $($this.OrganizationContext.OrganizationName),$this.ProjectId ,$this.AgentPoolId;

            $agentPoolsObj = @([WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL));

            if([Helpers]::CheckMember($agentPoolsObj[0],"authorized"))

            {

                $controlResult.AddMessage([VerificationResult]::Failed,"Agent pool is marked as accessible to all pipelines.");

                if ($this.ControlFixBackupRequired) {

                    #Data object that will be required to fix the control

                    $controlResult.BackupControlState = $agentPoolsObj;

                }

            }

            else {

                $controlResult.AddMessage([VerificationResult]::Passed,"Agent pool is not marked as accessible to all pipelines.");

            }

            $controlResult.AdditionalInfoInCSV = "NA";

            $agentPoolsObj =$null;

        }

        catch{

            $controlResult.AddMessage($_);

            $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch agent pool details.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckPrjAllPipelineAccessAutomatedFix([ControlResult] $controlResult)

    {

        try 

        {

            #Backup data object is not required in this scenario.

            $RawDataObjForControlFix = @();

            $RawDataObjForControlFix = ([ControlHelper]::ControlFixBackup | where-object {$_.ResourceId -eq $this.ResourceId}).DataObject

            $body = "["

            if (-not $this.UndoFix)

            {                 

                if ($body.length -gt 1) {$body += ","}

                $body += @"

                {

                    "authorized": false,

                    "id": "$($RawDataObjForControlFix.id)",

                    "name": "$($RawDataObjForControlFix.name)",

                    "type": "queue"

                }

"@;

            }

            else 

            {

                if ($body.length -gt 1) {$body += ","}

                $body += @"

                {

                    "authorized": true,

                    "id": "$($RawDataObjForControlFix.id)",

                    "name": "$($RawDataObjForControlFix.name)",

                    "type": "queue"

                }

"@;

            }          

            $body += "]"  

            $url = "https://dev.azure.com/{0}/{1}/_apis/build/authorizedresources?api-version=6.0-preview.1" -f $($this.OrganizationContext.OrganizationName),$($this.projectId);          

            $header = [WebRequestHelper]::GetAuthHeaderFromUriPatch($url)

            $webRequestResult = Invoke-RestMethod -Uri $url -Method Patch -ContentType "application/json" -Headers $header -Body $body                                

            $controlResult.AddMessage([VerificationResult]::Fixed,  "Pipeline permissions for agent pool have been changed.");

        }

        catch{

            $controlResult.AddMessage([VerificationResult]::Error,  "Could not apply fix.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckInactiveAgentPool([ControlResult] $controlResult)

    {

        $controlResult.VerificationResult = [VerificationResult]::Failed

        try

        {

            if ($this.agentPoolActivityDetail.message -eq 'Could not fetch agent pool details.')

            {

                $controlResult.AddMessage([VerificationResult]::Error, $this.agentPoolActivityDetail.message);

                if ($null -ne $this.agentPoolActivityDetail.errorObject)

                {

                    $controlResult.LogException($this.agentPoolActivityDetail.errorObject)

                }

            }

            elseif($this.agentPoolActivityDetail.isAgentPoolActive)

            {

                $controlResult.AddMessage([VerificationResult]::Passed, $this.agentPoolActivityDetail.message);

            }

            else

            {

                if ($null -ne $this.agentPoolActivityDetail.agentPoolCreationDate)

                {

                    $inactiveLimit = $this.ControlSettings.AgentPool.AgentPoolHistoryPeriodInDays

                    if ((((Get-Date) - $this.agentPoolActivityDetail.agentPoolCreationDate).Days) -lt $inactiveLimit)

                    {

                        $controlResult.AddMessage([VerificationResult]::Passed, "Agent pool was created within last $inactiveLimit days but never queued.");

                    }

                    else

                    {

                        $controlResult.AddMessage([VerificationResult]::Failed, "Agent pool has not been queued from last $inactiveLimit days.");

                    }

                    $formattedDate = $this.agentPoolActivityDetail.agentPoolCreationDate.ToString("d MMM yyyy")

                    $controlResult.AddMessage("The agent pool was created on: $($formattedDate)");

                    $controlResult.AdditionalInfo += "The agent pool was created on: " + $formattedDate;

                }

                else

                {

                    $controlResult.AddMessage([VerificationResult]::Failed, $this.agentPoolActivityDetail.message);

                }

            }

            if ($null -ne $this.agentPoolActivityDetail.agentPoolLastRunDate)

            {

                $formattedDate = $this.agentPoolActivityDetail.agentPoolLastRunDate.ToString("d MMM yyyy")

                $controlResult.AddMessage("Last queue date of agent pool: $($formattedDate)");

                $controlResult.AdditionalInfo += "Last queue date of agent pool: " + $formattedDate;

                $agentPoolInactivePeriod = ((Get-Date) - $this.agentPoolActivityDetail.agentPoolLastRunDate).Days

                $controlResult.AddMessage("The agent pool has been inactive from last $($agentPoolInactivePeriod) days.");

            }

        }

        catch

        {

            $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch agent pool details.");

            $controlResult.LogException($_)

        }

        #clearing memory space.

        $this.agentPool = $null;

        return $controlResult

    }

    hidden [ControlResult] CheckCredInEnvironmentVariables([ControlResult] $controlResult)

    {

        $controlResult.VerificationResult = [VerificationResult]::Failed;

        try

        {

            if($null -eq  $this.agentPool)

            {

                $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2" -f $($this.OrganizationContext.OrganizationName), $this.ProjectId ,$this.AgentPoolId;

                $this.agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL);

            }

            $patterns = [AgentPool]::regexListForSecrets

            if($patterns.RegexList.Count -gt 0)

            {

                $noOfCredFound = 0;

                $agentsWithSecretsInEnv=@()

                if (([Helpers]::CheckMember($this.agentPool[0],"fps.dataproviders.data") ) -and ($this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider") -and [Helpers]::CheckMember($this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider","agents") )

                {

                    $agents = $this.agentpool.fps.dataproviders.data."ms.vss-build-web.agent-pool-data-provider".agents

                    $agentDetails = @{}

                    $poolId = ($this.agentpool.fps.dataproviders.data.'ms.vss-build-web.agent-pool-data-provider'.selectedAgentPool.id).ToString()

                    $agents | ForEach-Object {

                        $currentAgent = "" | Select-Object "AgentName","Capabilities"

                        $currentAgent.AgentName = $_.name

                        $agentId = $_.id

                        $envVariablesContainingSecret=@()

                        $secretsFoundInCurrentAgent = $false

                        $capabilitiesTable=@{}

                        $secretsCapabilitiesTable=@{}

                        if([Helpers]::CheckMember($_,"userCapabilities"))

                        {

                            $userCapabilities=$_.userCapabilities

                            $secretsHashTable=@{}

                            $userCapabilities.PSObject.properties | ForEach-Object { $secretsHashTable[$_.Name] = $_.Value }

                            $secretsHashTable.Keys | ForEach-Object {

                                for ($i = 0; $i -lt $patterns.RegexList.Count; $i++)

                                {

                                    if($secretsHashTable.Item($_) -cmatch $patterns.RegexList[$i])

                                    {

                                        $noOfCredFound += 1

                                        $secretsFoundInCurrentAgent = $true

                                        $envVariablesContainingSecret += $_

                                        $secretsCapabilitiesTable.add($_, ($secretsHashTable.Item($_)| ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString))

                                        break

                                    }

                                }

                                if ($envVariablesContainingSecret -notcontains $_) {

                                    $capabilitiesTable.add($_, $secretsHashTable.Item($_))

                                }

                            }

                        }

                        if ($secretsCapabilitiesTable.count -gt 0 -or $capabilitiesTable.count -gt 0) {

                            $agentDetails.add($agentId,$($secretsCapabilitiesTable,$capabilitiesTable));

                        }

                        $currentAgent.Capabilities = $envVariablesContainingSecret

                        if ($secretsFoundInCurrentAgent -eq $true) {

                            $agentsWithSecretsInEnv += $currentAgent

                        }

                    }

                    if($noOfCredFound -eq 0)

                    {

                        $controlResult.AddMessage([VerificationResult]::Passed, "No secrets found in user-defined capabilities of agents.");

                    }

                    else {

                        $controlResult.AddMessage([VerificationResult]::Failed, "Found secrets in user-defined capabilities of agents.");

                        $count = $agentsWithSecretsInEnv.Count

                        $controlResult.AddMessage("`nCount of agents that contain secrets: $count")

                        $controlResult.AdditionalInfo += "Count of agents that contain secrets: "+ $count;

                        $controlResult.AddMessage("`nAgent-wise list of user-defined capabilities with secrets: ");

                        $display=($agentsWithSecretsInEnv | FT AgentName,Capabilities -AutoSize | Out-String -Width 512)

                        $controlResult.AddMessage($display)

                        $controlResult.SetStateData("Agent-wise list of user-defined capabilities with secrets: ", $agentsWithSecretsInEnv );

                        $backupDataObject= @()

                        @($agentDetails.Keys) | ForEach-Object {

                            $key = $_

                             $obj = '' | Select @{l="PoolId";e={$poolId}}, @{l="AgentId";e={$key}},@{l="UndoFixObj";e={($agentDetails.item($key))[0]}}, @{l="FixObj";e={($agentDetails.item($key))[1]}}

                            $backupDataObject += $obj

                        }

                        if ($this.ControlFixBackupRequired) {

                            $controlResult.BackupControlState = $backupDataObject;

                        }

                    }

                }

                else

                {

                    $controlResult.AddMessage([VerificationResult]::Passed, "There are no agents in the pool.");

                }

            }

            else

            {

                $controlResult.AddMessage([VerificationResult]::Error, "Regular expressions for detecting credentials in environment variables for agents are not defined in your organization.");

            }

        }

        catch

        {

            $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch details of user-defined capabilities of agents.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden [ControlResult] CheckCredInEnvironmentVariablesAutomatedFix([ControlResult] $controlResult)

    {

        try 

        {     

            $RawDataObjForControlFix = @();

            $RawDataObjForControlFix = ([ControlHelper]::ControlFixBackup | where-object {$_.ResourceId -eq $this.ResourceId}).DataObject

            $RawDataObjForControlFix | ForEach-Object {

                $CurrentAgent= $_

                $undofixObj = $CurrentAgent.UndoFixObj | Get-Member -MemberType NoteProperty | foreach {

                    @{($_.Name) = ([Helpers]::ConvertToPlainText((($CurrentAgent.UndoFixObj.($_.Name))| ConvertTo-SecureString))) }

                    }

                if($undofixObj){

                    $display = $undofixObj.Keys |  FT -AutoSize | Out-String -Width 512

                }

                else{

                    return;

                }

                if (-not $this.UndoFix)

                {                 

                    $body =  $CurrentAgent.FixObj   |ConvertTo-Json                    

                    $controlResult.AddMessage([VerificationResult]::Fixed,  "Following user-defined capabilities for agent ID $($CurrentAgent.AgentId) have been removed:");      

                }

                else 

                {             

                    $body = "{"

                    $i=0;

                    $undofixObj.Keys | foreach{

                        if($body.Length -gt 1){

                            $body+=","

                        }

                        if ($undofixObj.Keys.Count -eq 1)

                        {

                            $agentpool = '"{0}":"{1}"' -f $_,$undofixObj[$_]

                        }

                        else {

                            $agentpool = '"{0}":"{1}"' -f $_,$undofixObj[$i][$_]

                        }

                        $body+=$agentPool

                        $i++;

                    }

                    $i=0;

                    $fixObj = $CurrentAgent.FixObj | Get-Member -MemberType NoteProperty | foreach {

                        @{($_.Name) = $CurrentAgent.FixObj.($_.Name)}

                        }

                    $fixObj.Keys | foreach{

                        if($body.Length -gt 1){

                            $body+=","

                        }

                        if ($fixObj.Keys.Count -eq 1)

                        {

                            $agentpool = '"{0}":"{1}"' -f $_,$fixObj[$_]

                        }

                        else {

                            $agentpool = '"{0}":"{1}"' -f $_,$fixObj[$i][$_]

                        }

                        $body+=$agentPool

                        $i++;

                    }

                    $body+="}"

                    $controlResult.AddMessage([VerificationResult]::Fixed,  "Following user-defined capabilities for agent ID $($CurrentAgent.AgentId) have been added:");

                }  

                $url = "https://dev.azure.com/{0}/_apis/distributedtask/pools/{1}/agents/{2}/usercapabilities?api-version=5.0-preview.1" -f $this.OrganizationContext.OrganizationName,$CurrentAgent.PoolId, $CurrentAgent.AgentId;          

                $header = [WebRequestHelper]::GetAuthHeaderFromUriPatch($url)

                $webRequestResult = Invoke-RestMethod -Uri $url -Method Put -ContentType "application/json" -Headers $header -Body $body                  

                $controlResult.AddMessage("`n$display");

            }                          

        }

        catch{

            $controlResult.AddMessage([VerificationResult]::Error,  "Could not apply fix.");

            $controlResult.LogException($_)

        }

        return $controlResult

    }

    hidden CheckActiveAgentPool()

    {

        try

        {

            $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2" -f $($this.OrganizationContext.OrganizationName), $this.ProjectId ,$this.AgentPoolId;

            $this.agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL);

            if (([Helpers]::CheckMember($this.agentPool[0], "fps.dataProviders.data") ) -and ($this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider"))

            {

                # $inactiveLimit denotes the upper limit on number of days of inactivity before the agent pool is deemed inactive.

                $inactiveLimit = $this.ControlSettings.AgentPool.AgentPoolHistoryPeriodInDays

                #Filtering agent pool jobs specific to the current project.

                $agentPoolJobs = $this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs | Where-Object {$_.scopeId -eq $this.ProjectId};

                 #Arranging in descending order of run time.

                $agentPoolJobs = $agentPoolJobs | Sort-Object queueTime -Descending

                #If agent pool has been queued at least once

                if (($agentPoolJobs | Measure-Object).Count -gt 0)

                {

                        #Get the last queue timestamp of the agent pool

                        if ([Helpers]::CheckMember($agentPoolJobs[0], "finishTime"))

                        {

                            $agtPoolLastRunDate = $agentPoolJobs[0].finishTime;

                            if ((((Get-Date) - $agtPoolLastRunDate).Days) -gt $inactiveLimit)

                            {

                                $this.agentPoolActivityDetail.isAgentPoolActive = $false;

                                $this.agentPoolActivityDetail.message = "Agent pool has not been queued in the last $inactiveLimit days.";

                            }

                            else

                            {

                                $this.agentPoolActivityDetail.isAgentPoolActive = $true;

                                $this.agentPoolActivityDetail.message = "Agent pool has been queued in the last $inactiveLimit days.";

                            }

                            $this.agentPoolActivityDetail.agentPoolLastRunDate = $agtPoolLastRunDate;

                        }

                        else

                        {

                            $this.agentPoolActivityDetail.isAgentPoolActive = $true;

                            $this.agentPoolActivityDetail.message = "Agent pool was being queued during control evaluation.";

                        }

                }

                else

                {

                    #[else] Agent pool is created but nenver run, check creation date greated then 180

                    $this.agentPoolActivityDetail.isAgentPoolActive = $false;

                    if (([Helpers]::CheckMember($this.agentPool, "fps.dataProviders.data") ) -and ($this.agentPool.fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider"))

                    {

                        $agentPoolDetails = $this.agentPool.fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider"

                        $this.agentPoolActivityDetail.agentPoolCreationDate = $agentPoolDetails.selectedAgentPool.createdOn;

                    }

                    else

                    {

                        $this.agentPoolActivityDetail.message = "Could not fetch agent pool details.";

                    }

                }

            }

            else

            {

                $this.agentPoolActivityDetail.message = "Could not fetch agent pool details.";

            }

        }

        catch

        {

            $this.agentPoolActivityDetail.message = "Could not fetch agent pool details.";

            $this.agentPoolActivityDetail.errorObject = $_

        }

        $this.agentPoolActivityDetail.isComputed = $true

    }

    hidden [ControlResult] CheckBroaderGroupAccess ([ControlResult] $controlResult) {

        try {

            $controlResult.VerificationResult = [VerificationResult]::Failed

            $restrictedBroaderGroups = @{}

            $restrictedBroaderGroupsForAgentPool = $this.ControlSettings.AgentPool.RestrictedBroaderGroupsForAgentPool;

            $restrictedBroaderGroupsForAgentPool.psobject.properties | foreach { $restrictedBroaderGroups[$_.Name] = $_.Value }

            if (($this.AgentObj.Count -gt 0) -and [Helpers]::CheckMember($this.AgentObj, "identity")) {

                # match all the identities added on agentpool with defined restricted list

                $roleAssignmentsToCheck = $this.AgentObj

                $restrictedGroups = @()

                if ($this.checkInheritedPermissionsPerAgentPool -eq $false) {

                    $roleAssignmentsToCheck = @($this.AgentObj | where-object { $_.access -ne "inherited" })

                }

                $roleAssignments = @($roleAssignmentsToCheck | Select-Object -Property @{Name="Name"; Expression = {$_.identity.displayName}},@{Name="Id"; Expression = {$_.identity.id}}, @{Name="Role"; Expression = {$_.role.displayName}});

                # Checking whether the broader groups have User/Admin permissions

                $restrictedGroups = @($roleAssignments | Where-Object { $restrictedBroaderGroups.keys -contains $_.Name.split('\')[-1] -and ($_.Role -in $restrictedBroaderGroups[$_.Name.split('\')[-1]])})

                if ($this.ControlSettings.CheckForBroadGroupMemberCount -and $restrictedGroups.Count -gt 0)

                {

                    $broaderGroupsWithExcessiveMembers = @([ControlHelper]::FilterBroadGroupMembers($restrictedGroups, $true))

                    $restrictedGroups = @($restrictedGroups | Where-Object {$broaderGroupsWithExcessiveMembers -contains $_.Name})

                }

                $restrictedGroupsCount = $restrictedGroups.Count

                # fail the control if restricted group found on agentpool

                if ($restrictedGroupsCount -gt 0) {

                    $controlResult.AddMessage([VerificationResult]::Failed, "Count of broader groups that have excessive permissions on agent pool: $($restrictedGroupsCount)");

                    $formattedGroupsData = $restrictedGroups | Select @{l = 'Group'; e = { $_.Name} }, @{l = 'Role'; e = { $_.Role } }

                    $backupDataObject = $restrictedGroups | Select @{l = 'Group'; e = { $_.Name} },@{l = 'Id'; e = { $_.Id } }, @{l = 'Role'; e = { $_.Role } }

                    $formattedGroupsTable = ($formattedGroupsData | FT -AutoSize | Out-String -width 512)

                    $controlResult.AddMessage("`nList of groups: `n$formattedGroupsTable")

                    $controlResult.SetStateData("List of groups: ", $restrictedGroups)

                    $controlResult.AdditionalInfo += "Count of broader groups that have excessive permissions on agent pool: $($restrictedGroupsCount)";

                    $groups = $restrictedGroups | ForEach-Object { $_.name + ': ' + $_.role } 

                    $controlResult.AdditionalInfoInCSV = $groups -join ' ; '

                    $controlResult.AdditionalInfo += "List of broader groups: $($groups -join ' ; ')"

                    if ($this.ControlFixBackupRequired) {

                        #Data object that will be required to fix the control

                        $controlResult.BackupControlState = $backupDataObject;

                    }

                }

                else {

                    $controlResult.AddMessage([VerificationResult]::Passed, "No broader groups have excessive permissions on agent pool.");

                        $controlResult.AdditionalInfoInCSV = "NA";

                }

            }

            else {

                $controlResult.AddMessage([VerificationResult]::Passed, "No groups have given access to agent pool.");

                $controlResult.AdditionalInfoInCSV = "NA";

            }

            $displayObj = $restrictedBroaderGroups.Keys | Select-Object @{Name = "Broader Group"; Expression = {$_}}, @{Name = "Excessive Permissions"; Expression = {$restrictedBroaderGroups[$_] -join ', '}}

            $controlResult.AddMessage("Note:`nThe following groups are considered 'broad' which should not excessive permissions: `n$($displayObj | FT -AutoSize| out-string -width 512)");

        }

        catch {

            $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch the agent pool permissions.");

            $controlResult.LogException($_)

        }

        return $controlResult;

    }

    hidden [ControlResult] CheckBroaderGroupAccessAutomatedFix ([ControlResult] $controlResult) {

        try {

            $RawDataObjForControlFix = @();

            $RawDataObjForControlFix = ([ControlHelper]::ControlFixBackup | where-object {$_.ResourceId -eq $this.ResourceId}).DataObject

            $body = "["

            if (-not $this.UndoFix)

            {

                foreach ($identity in $RawDataObjForControlFix) 

                {                    

                    if ($body.length -gt 1) {$body += ","}

                    $body += @"

                        {

                            "userId": "$($identity.id)",

                            "roleName": "Reader"

                        }

"@;

                }

                $RawDataObjForControlFix | Add-Member -NotePropertyName NewRole -NotePropertyValue "Reader"

                $RawDataObjForControlFix = @($RawDataObjForControlFix  | Select-Object @{Name="DisplayName"; Expression={$_.group}}, @{Name="OldRole"; Expression={$_.Role}},@{Name="NewRole"; Expression={$_.NewRole}})

            }

            else {

                foreach ($identity in $RawDataObjForControlFix) 

                {                    

                    if ($body.length -gt 1) {$body += ","}

                    $body += @"

                        {

                            "userId": "$($identity.id)",

                            "roleName": "$($identity.role)"                          

                        }

"@;

                }

                $RawDataObjForControlFix | Add-Member -NotePropertyName OldRole -NotePropertyValue "Reader"

                $RawDataObjForControlFix = @($RawDataObjForControlFix  | Select-Object @{Name="DisplayName"; Expression={$_.group}}, @{Name="OldRole"; Expression={$_.OldRole}},@{Name="NewRole"; Expression={$_.Role}})

            }

            $body += "]"

            #Put request           

            $url = "https://dev.azure.com/$($this.OrganizationContext.OrganizationName)/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/$($this.ProjectId)_$($this.AgentPoolId)?api-version=6.1-preview.1";  

            $rmContext = [ContextHelper]::GetCurrentContext();

            $user = "";

            $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken)))

            $webRequestResult = Invoke-RestMethod -Uri $url -Method Put -ContentType "application/json" -Headers @{Authorization = ("Basic {0}" -f $base64AuthInfo) } -Body $body                

            $controlResult.AddMessage([VerificationResult]::Fixed,  "Permission for broader groups have been changed as below: ");

            $display = ($RawDataObjForControlFix |  FT -AutoSize | Out-String -Width 512)

            $controlResult.AddMessage("`n$display");

        }

        catch{

            $controlResult.AddMessage([VerificationResult]::Error,  "Could not apply fix.");

            $controlResult.LogException($_)

        }

        return $controlResult  

    }

}

# SIG # Begin signature block

# MIInogYJKoZIhvcNAQcCoIInkzCCJ48CAQExDzANBglghkgBZQMEAgEFADB5Bgor

# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG

# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBe3OXltJjPfmdi

# zy+tViDTpKpfyZFR/26+Zw/Rm0uBMqCCDYUwggYDMIID66ADAgECAhMzAAADTU6R

# phoosHiPAAAAAANNMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD

# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy

# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p

# bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI4WhcNMjQwMzE0MTg0MzI4WjB0MQsw

# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u

# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy

# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB

# AQDUKPcKGVa6cboGQU03ONbUKyl4WpH6Q2Xo9cP3RhXTOa6C6THltd2RfnjlUQG+

# Mwoy93iGmGKEMF/jyO2XdiwMP427j90C/PMY/d5vY31sx+udtbif7GCJ7jJ1vLzd

# j28zV4r0FGG6yEv+tUNelTIsFmmSb0FUiJtU4r5sfCThvg8dI/F9Hh6xMZoVti+k

# bVla+hlG8bf4s00VTw4uAZhjGTFCYFRytKJ3/mteg2qnwvHDOgV7QSdV5dWdd0+x

# zcuG0qgd3oCCAjH8ZmjmowkHUe4dUmbcZfXsgWlOfc6DG7JS+DeJak1DvabamYqH

# g1AUeZ0+skpkwrKwXTFwBRltAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE

# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUId2Img2Sp05U6XI04jli2KohL+8w

# VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh

# dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzUwMDUxNzAfBgNVHSMEGDAW

# gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v

# d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw

# MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov

# L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx

# XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB

# ACMET8WuzLrDwexuTUZe9v2xrW8WGUPRQVmyJ1b/BzKYBZ5aU4Qvh5LzZe9jOExD

# YUlKb/Y73lqIIfUcEO/6W3b+7t1P9m9M1xPrZv5cfnSCguooPDq4rQe/iCdNDwHT

# 6XYW6yetxTJMOo4tUDbSS0YiZr7Mab2wkjgNFa0jRFheS9daTS1oJ/z5bNlGinxq

# 2v8azSP/GcH/t8eTrHQfcax3WbPELoGHIbryrSUaOCphsnCNUqUN5FbEMlat5MuY

# 94rGMJnq1IEd6S8ngK6C8E9SWpGEO3NDa0NlAViorpGfI0NYIbdynyOB846aWAjN

# fgThIcdzdWFvAl/6ktWXLETn8u/lYQyWGmul3yz+w06puIPD9p4KPiWBkCesKDHv

# XLrT3BbLZ8dKqSOV8DtzLFAfc9qAsNiG8EoathluJBsbyFbpebadKlErFidAX8KE

# usk8htHqiSkNxydamL/tKfx3V/vDAoQE59ysv4r3pE+zdyfMairvkFNNw7cPn1kH

# Gcww9dFSY2QwAxhMzmoM0G+M+YvBnBu5wjfxNrMRilRbxM6Cj9hKFh0YTwba6M7z

# ntHHpX3d+nabjFm/TnMRROOgIXJzYbzKKaO2g1kWeyG2QtvIR147zlrbQD4X10Ab

# rRg9CpwW7xYxywezj+iNAc+QmFzR94dzJkEPUSCJPsTFMIIHejCCBWKgAwIBAgIK

# YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV

# BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv

# c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm

# aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw

# OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE

# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD

# VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG

# 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la

# UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc

# 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D

# dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+

# lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk

# kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6

# A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd

# X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL

# 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd

# sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3

# T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS

# 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI

# bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL

# BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD

# uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv

# c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf

# MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3

# dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf

# MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF

# BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h

# cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA

# YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn

# 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7

# v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b

# pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/

# KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy

# CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp

# mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi

# hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb

# BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS

# oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL

# gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX

# cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4x

# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt

# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p

# Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAANNTpGmGiiweI8AAAAA

# A00wDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw

# HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIMK7

# cbB2AEWymI5P1jpV1Mr/u5tzOWfMH9O5Cj19oJFtMEIGCisGAQQBgjcCAQwxNDAy

# oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j

# b20wDQYJKoZIhvcNAQEBBQAEggEAV+z/vVOjk7C4xIL8WicCIHuVIYXEpgC05yZ7

# C5ZQKPmtgHx4eBLqHX/YapqIPA2jS4yodIbe0b/vtZEbQTXX4pC4nNjuHqlOPVF6

# IZcm3XxlNwJsUDFh+FnIHMRv2wH2my4U3w5bLtFST+FumCi1KReKuNNdfnWyaXuy

# djKUXXNRCDzpGiH0RtqOoR0XPEQUjAEpSEwuQtrAzRhX+VlgRaWazPfijVfZSYCs

# XEW4t20bnDrLLZJkRtkVkB1bKWEOLcmQutg6XMvuFt8c14i22OpXm02x+gmbpKEd

# sq6q/KDkG7qWGWj8Tisfs/Z15Xw7LhLXNDKisTw59d/6TCv0oaGCFv0wghb5Bgor

# BgEEAYI3AwMBMYIW6TCCFuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZI

# AWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGE

# WQoDATAxMA0GCWCGSAFlAwQCAQUABCAVyaCuCnByiNgvTiNSnE4Ypf9nMV+Jo891

# TlJQS85AkgIGZIthurNDGBMyMDIzMDYxNjA4MjcwNC43NjdaMASAAgH0oIHQpIHN

# MIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH

# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL

# ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMg

# VFNTIEVTTjo0OUJDLUUzN0EtMjMzQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt

# U3RhbXAgU2VydmljZaCCEVQwggcMMIIE9KADAgECAhMzAAABwFWkjcNkFcVLAAEA

# AAHAMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo

# aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y

# cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw

# MB4XDTIyMTEwNDE5MDEyNVoXDTI0MDIwMjE5MDEyNVowgcoxCzAJBgNVBAYTAlVT

# MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK

# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy

# aWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjQ5QkMtRTM3

# QS0yMzNDMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIC

# IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvO1g+2NhhmBQvlGlCTOMaFw3

# jbIhUdDTqkaQhRpdHVb+huU/0HNhLmoRYvrp7z5vIoL1MPAkVBFWJIkrcG7sSred

# nyZwreY207C9n8XivL9ZBOQeiUeL/TMlJ6VinrcafbhdnkNO5JDlPozC9dGySiub

# ryds5GKtu69D1wNat9DIQl6alFO6pncZK4RIzfv+KzkM7RkY3vHphV0C8EFUpF+l

# ysaGJXFf9QsUUHwj9XKWHfc9BfhLoCReXUzvgrspdFmVnA9ATYXmidSjrshf8A+E

# 0/FpTdhXPI9XXqsZDHBqr7DlYoSCU3lvrVDRu1p5pHHf7s3kM16HpK6arDtY3ai1

# soASmEpv3C2N/y5MDBApDd4SpSkLMa7+6es/daeS7zdH1qdCa2RoJPM6Eh/6YmBf

# ofhfLQofKPJl34ALlZWK5AzVtFRNOXacoj6MAG2dT8Rc5fpKCH1E3n7Zje0dK24Q

# VfSv/YOxw52ECaMLlW5PhHT3ZINNaCmRgcHCTClOKzC2FOr03YBc2zPOW6bIVdXl

# oPmBMVaE+thXqPmANBw0YsncaOkVggjDb5O5VqOp98MklHpJoJI6pk5zAlx8/OtC

# 7FutrdtYNUC6ykXzMAPFuYkWGgx/W7A0itKW8WzYzwO3bAhprwznouGZmRiw2k8p

# en80BzqzdyPvbzTxQsMCAwEAAaOCATYwggEyMB0GA1UdDgQWBBQARMZ480jwpK3P

# 6quVWUEJ0c30hTAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNV

# HR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Ny

# bC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYI

# KwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j

# b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy

# MDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0G

# CSqGSIb3DQEBCwUAA4ICAQCtTh0EQn16kKQyCeVk9Vc10m6L0EwLRo3ATRouP7Yd

# 2hWeEB2Y4ZF4CJKe9qfXWGJKzV7tMUm6DAsBKYH/nT+8ybI8uJiHGnfnVi6Sh7gF

# jnTpfh1j1T90H/uLeoFjpOn/+eoCoJmorW5Gb2ezlTlo5I0kNAubxtCxqbLizuPN

# Pob8kRAKQgv+4/CC1JmiUFG0uKINlKj9SsHcrWeBBQHX62nNgziIwT44JqHrA02I

# 6cmQAi9BZcsf57OOLpRYlzoPH3x/+ldSySXAmyLq2uSbWtQuD84I/0ZgS/B5L3ew

# qTdiE1KbKX89MW5JqCK/yI/mAIQammAlHPqU9eZZTMPOHQs0XrpCijlk+qyo2JaH

# iySww6nuPqXzU3sEj3VW00YiVSayKEu1IrRzzX3La8qe6OqLTvK/6gu5XdKq7TT8

# 52nB6IP0QM+Budtr4Fbx4/svpKHGpK9/zBuaHHDXX5AoSksh/kSDYKfefQIhIfQJ

# JzoE3X+MimMJrgrwZXltb6j1IL0HY3qCpa03Ghgi0ITzqfkw3Man3G8kB1Ql+SeN

# ciPUj73Kn2veJenGLtT8JkUM9RUi0woO0iuY4tJnYuS+SeqavXUOWqUYVY19FIr1

# PLqpmWkbrO5xKjkyOHoAmLxjNbKjOnkAwft+1G00kulKqzqPbm+Sn+47JsGQFhNG

# bTCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQEL

# BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH

# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV

# BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X

# DTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzAR

# BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p

# Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh

# bXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM

# 57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm

# 95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzB

# RMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBb

# fowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCO

# Mcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYw

# XE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW

# /aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/w

# EPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPK

# Z6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2

# BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfH

# CBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYB

# BAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8v

# BO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYM

# KwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0

# LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEF

# BQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD

# VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW

# BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny

# bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH

# AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp

# L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsF

# AAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518Jx

# Nj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+

# iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2

# pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefw

# C2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7

# T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFO

# Ry3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhL

# mm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3L

# wUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5

# m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE

# 0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIB

# ATCB+KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x

# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv

# bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UE

# CxMdVGhhbGVzIFRTUyBFU046NDlCQy1FMzdBLTIzM0MxJTAjBgNVBAMTHE1pY3Jv

# c29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVABAQ7ExF19Kk

# wVL1E3Ad8k0Peb6doIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh

# c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD

# b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw

# MTAwDQYJKoZIhvcNAQEFBQACBQDoNojvMCIYDzIwMjMwNjE2MTUwODMxWhgPMjAy

# MzA2MTcxNTA4MzFaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOg2iO8CAQAwBwIB

# AAICEbgwBwIBAAICEqowCgIFAOg32m8CAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYK

# KwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUF

# AAOBgQB5hrAjhDwLOLUGuQGPEQXnLtg07nhh4up/60H9nffx5dwkRw4sXGYcsC4H

# rIu5NFHB0YbYtoizLSuLJgjNkwSm6A7KStVVflG6fmFnsCl75ONjP68nb7vdCzkT

# D/aF38W1wM3ukr8cwlzpG01UAWeRI7/lw+4mKFZyNpMpXw6TyzGCBA0wggQJAgEB

# MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH

# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV

# BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABwFWkjcNkFcVL

# AAEAAAHAMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN

# AQkQAQQwLwYJKoZIhvcNAQkEMSIEIKttTNxuwm7T+Q8shnhIkAj45yePxHgnr2yz

# +eH41uU1MIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgWvFYolIIXME0zK/W

# 6XsCkkYX7lYNb9yA8JxwY04Pk08wgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEG

# A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj

# cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt

# cCBQQ0EgMjAxMAITMwAAAcBVpI3DZBXFSwABAAABwDAiBCBcw+CFklPWX+w6JJ20

# DVz8/dNvemeX32PJoZ2QzCuBYDANBgkqhkiG9w0BAQsFAASCAgCOYql/0Q1koCBX

# dNondfvvGnqWh/7jkXSdXsOw0QjMDe0DHErO567WxH5yzAo6v5L58BeMURiKjpLG

# wHSKfd9CuICLp+Rg9xooi63QzFqfq/GjXFFH4TxvQyeEte3H6yI3kdStVn8pzkRU

# u1QNFlwVCr1FbFDwizWyZcdNnjO5h13ymEiBHoVYYpu13YPlxi//5ddQCiecgVK5

# vg4fL/610wa3WGbEs0ck9F741cgm+245T7jGAqvFe9JximKebTOzPfy8MM/jMGQQ

# U/bX0GVGONQTVIy6fuakYUez4I5hv+CRWyMc46YD2ljxheV/MIwr7Cx6z3yFN8RI

# kXkQeuhRaoHDPJYZibLN4jHWfo5/M9omijLO/A9zRvkviB81UuGhpnQs54FlkGom

# NdiiTPowvKo8wDlPbjlnPUzR9w9t7LjtkoRef5yZst/yDPNYvSplxlXw+tREy0rq

# f3+VjHWG0wezwFnfmQsC+c8u2b0MIcraawyHafPcJSXk2ULHPBVGoqRBSv9h6SLZ

# rFKidvNaCwbsLWQ7LTHq33q65V+5v1ATVAUpdBbma33WYwVtikqPpX5mSpoy4eKJ

# Neaq43KrVIAhPl8ox3ApP3imP6Vqil1Sk565RlVh7JEnGp3X/IGWZ6EWjbgg5whf

# Mh31HhU6uLQo8hqYq/mM44coenjdOg==

# SIG # End signature block