Framework/BugLog/BugMetaInfoProvider.ps1

Set-StrictMode -Version Latest
class BugMetaInfoProvider {

    hidden [PSObject] $ControlSettingsBugLog
    hidden [string] $ServiceId
    hidden static [PSObject] $ServiceTreeInfo
    hidden [PSObject] $InvocationContext
    hidden [bool] $BugLogUsingCSV = $false;
    hidden [string] $STMappingFilePath = $null
    hidden static $OrgMappingObj = @{}
    hidden static [PSObject] $emailRegEx
    hidden static $AssigneeForUnmappedResources = @{}
    hidden static [string] $GetAssigneeUsingFallbackMethod = $false
    hidden static $UserInactivityLimit;
    hidden static $UserActivityCache = @();
    hidden static $CheckForUserInactivity;

    BugMetaInfoProvider() {
        if ($null -eq [BugMetaInfoProvider]::emailRegEx) {
            $ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json");
            [BugMetaInfoProvider]::emailRegEx = $ControlSettings.Patterns | where {$_.RegexCode -eq "Email"} | Select-Object -Property RegexList;
            [BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod = $ControlSettings.BugLogging.GetAssigneeUsingFallbackMethod

            if ([Helpers]::CheckMember($ControlSettings.BugLogging, "CheckForUserInactivity")) {
                [BugMetaInfoProvider]::UserInactivityLimit = $ControlSettings.BugLogging.UserInactivityLimit;
                [BugMetaInfoProvider]::CheckForUserInactivity = $ControlSettings.BugLogging.CheckForUserInactivity;
            }
        }
    }

    BugMetaInfoProvider($bugLogUsingCSV, $stMappingFilePath) {
        $this.BugLogUsingCSV = $bugLogUsingCSV;
        $this.STMappingFilePath = $stMappingFilePath;
    }

    hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $controlSettingsBugLog, $isBugLogCustomFlow, $serviceIdPassedInCMD, $invocationContext) {
        $this.ControlSettingsBugLog = $controlSettingsBugLog;
        #flag to check if pluggable bug logging interface (service tree)
        if ($isBugLogCustomFlow) {
            $this.InvocationContext = $invocationContext;    
            return $this.BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD)
        }
        else {
            return $this.GetAssigneeFallback($ControlResult);
        }
    }

    hidden [string] GetAssignee([SVTEventContext[]] $ControlResult, $invocationContext) {
        $this.InvocationContext = $invocationContext;    
        return $this.BugLogCustomFlow($ControlResult, "")
    }

    hidden [string] BugLogCustomFlow($ControlResult, $serviceIdPassedInCMD)
    {
        $resourceType = $ControlResult.ResourceContext.ResourceTypeName
        $projectName = $ControlResult[0].ResourceContext.ResourceGroupName;
        $assignee = "";
        try 
         {
            #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA
            #PA members can fix the control
            if($ResourceType -eq 'Organization' -or $ResourceType -eq 'Project') {
                $assignee = [ContextHelper]::GetCurrentSessionUser();
            }
            else {
                $rscId = ($ControlResult.ResourceContext.ResourceId -split "$resourceType/")[-1];
                $assignee = $this.CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD);
                if (!$assignee -and (!$this.BugLogUsingCSV)) {
                    $assignee = $this.GetAssigneeFallback($ControlResult)
                }
            }            
        }
        catch {
            return "";
        }
        return $assignee;
    }

    hidden [string] CalculateAssignee($rscId, $projectName, $resourceType, $serviceIdPassedInCMD) 
    {
        $metaInfo = [MetaInfoProvider]::Instance;
        $assignee = "";
        try {
            #If serviceid based scan then get servicetreeinfo details only once.
            #First condition if not serviceid based scan then go inside every time.
            #Second condition if serviceid based scan and [BugMetaInfoProvider]::ServiceTreeInfo not null then only go inside.
            if (!$serviceIdPassedInCMD -or ($serviceIdPassedInCMD -and ![BugMetaInfoProvider]::ServiceTreeInfo)) {
                [BugMetaInfoProvider]::ServiceTreeInfo = $metaInfo.FetchResourceMappingWithServiceData($rscId, $projectName, $resourceType, $this.STMappingFilePath);
            }
            if([BugMetaInfoProvider]::ServiceTreeInfo)
            {
                #Filter based on area path match project name and take first items (if duplicate service tree entry found).
                #Split areapath to match with projectname
                if (!$this.BugLogUsingCSV) {
                    [BugMetaInfoProvider]::ServiceTreeInfo = ([BugMetaInfoProvider]::ServiceTreeInfo | Where {($_.areaPath).Split('\')[0] -eq $projectName})[0]
                }
                $this.ServiceId = [BugMetaInfoProvider]::ServiceTreeInfo.serviceId;
                #Check if area path is not supplied in command parameter then only set from service tree.
                if (!$this.InvocationContext.BoundParameters["AreaPath"]) {
                    [BugLogPathManager]::AreaPath = [BugMetaInfoProvider]::ServiceTreeInfo.areaPath.Replace("\", "\\");
                }
                $domainNameForAssignee = ""
                if([Helpers]::CheckMember($this.ControlSettingsBugLog, "DomainName"))
                {
                    $domainNameForAssignee = $this.ControlSettingsBugLog.DomainName;
                }
                elseif ($this.BugLogUsingCSV) {
                    $domainNameForAssignee = "microsoft.com";
                }
                $assignee = [BugMetaInfoProvider]::ServiceTreeInfo.devOwner.Split(";")[0] + "@"+ $domainNameForAssignee
            }
        }
        catch {
            Write-Host "Could not find service tree data file." -ForegroundColor Yellow
        }
        return $assignee;    
    }

    hidden [string] GetAssigneeFallback([SVTEventContext[]] $ControlResult) {
        if ($ControlResult.ResourceContext.ResourceId -in [BugMetaInfoProvider]::AssigneeForUnmappedResources.Keys ) {
            return [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId]
        }
        $ResourceType = $ControlResult.ResourceContext.ResourceTypeName
        $ResourceName = $ControlResult.ResourceContext.ResourceName
        $organizationName = $ControlResult.OrganizationContext.OrganizationName;
        $eventBaseObj = [EventBase]::new()
        switch -regex ($ResourceType) {
            #assign to the creator of service connection
            'ServiceConnection' {
                $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName

                if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
                {
                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        $apiURL = "https://dev.azure.com/{0}/{1}/_apis/serviceendpoint/{2}/executionhistory?top=1&api-version=6.0-preview.1" -f $organizationName, $($ControlResult.ResourceContext.ResourceGroupName), $($ControlResult.ResourceContext.ResourceDetails.id);
                        $executionHistory = [WebRequestHelper]::InvokeGetWebRequest($apiURL);

                        # get assignee from the the build/release jobs history
                        if (([Helpers]::CheckMember($executionHistory, "data") ) -and (($executionHistory.data | Measure-Object).Count -gt 0) )
                        {
                            $pipelineType = $executionHistory.data[0].planType
                            $pipelineId = $executionHistory.data[0].definition.id
                            if ($pipelineType -eq 'Release') {
                                $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId)
                            }
                            else {
                                $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId)
                            }
                        }
                        # if no build/release jobs associated with service connection, then fecth assignee from permissions
                        # asignee not found from build/release
                        elseif (!$assignee) 
                        {
                            try {
                                $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0]
                                $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.serviceendpointrole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                                $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL);
                                $roles =   @(($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} )
                                if ($roles.Count -gt 0) {
                                    $userId = $roles[0].identity.id
                                    $assignee = $this.getUserFromUserId($organizationName, $userId)
                                }
                            }
                            catch {
                                $assignee = ""
                                $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.")
                            }
                        }
                    }  
                }

                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee; 
                return $assignee
            }
            #assign to the creator of agent pool
            'AgentPool' {
                $apiurl = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $organizationName, $ResourceName
                try {
                    $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl)
                    $assignee = $response.createdBy.uniqueName

                    if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
                    {
                        # if assignee is service account, then fetch assignee from jobs/permissions
                        if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                        {
                            $assignee = "";
                            $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2 " -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                            $agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL);
                            # get assignee from the the build/release jobs history
                            if (([Helpers]::CheckMember($agentPool[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider", "jobs")) )
                            {
                                $pipelineType = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].planType
                                $pipelineId = $agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs[0].definition.id
                                if ($pipelineType -eq 'Release') {
                                    $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId)
                                }
                                else {
                                    $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId)
                                }
                            }
                            # if no build/release jobs associated with agentpool, then fecth assignee from permissions
                            elseif(!$assignee) 
                            {
                                try {
                                    $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0]
                                    $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/{1}_{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                                    $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL));
                                    $roles =   @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} )
                                    if ($roles.Count -gt 0) {
                                        $userId = $roles[0].identity.id
                                        $assignee = $this.getUserFromUserId($organizationName, $userId)
                                    }
                                }
                                catch {
                                    $assignee = ""
                                    $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.")
                                }
                            }
                        }
                    }    
                }
                catch {
                    $assignee = "";
                }
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }
            #assign to the creator of variable group
            'VariableGroup' {
                $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName

                if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
                {
                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) {
                            $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName
                        }
                    }

                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        # if no createdby/modifiedby found then fecth assignee from permissions
                        try {
                            $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0]
                            $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/{1}%24{2}?api-version=6.1-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                            $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL);
                            $roles =   @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} )
                            if ($roles.Count -gt 0) {
                                $userId = $roles[0].identity.id
                                $assignee = $this.getUserFromUserId($organizationName, $userId)
                            }
                        }
                        catch {  
                            $assignee = ""
                            $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.")
                        }
                    }
                }
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }
            #assign to the person who recently triggered the build pipeline, or if the pipeline is empty assign it to the creator
            'Build' {
                $definitionId = $ControlResult.ResourceContext.ResourceDetails.id;
    
                try {
                    $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId)
                }
                catch {
                    $assignee = "";
                }
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee    
                    
            }
            #assign to the person who recently triggered the release pipeline, or if the pipeline is empty assign it to the creator
            'Release' {
                $definitionId = ($ControlResult.ResourceContext.ResourceId -split "release/")[-1];
                try {
                    $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName , $definitionId)
                }
                catch {
                    $assignee = "";
                }
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }
            'Repository' {
                try {
                    $assignee = ""
                    $url = 'https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/commits?searchCriteria.$top=1&api-version=6.0' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id;
                    $repoLatestCommit = @([WebRequestHelper]::InvokeGetWebRequest($url));
                    if ($repoLatestCommit.count -gt 0 -and [Helpers]::CheckMember($repoLatestCommit[0],"author")) {
                        $assignee = $repoLatestCommit[0].author.email;
                    }

                    if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
                    {
                        #getting assignee from the repository permissions
                        if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                        {
                            $assignee = "";
                            try{
                                $accessList = @()
                                $url = 'https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1' -f $organizationName;
                                $refererUrl = "https://dev.azure.com/{0}/{1}/_settings/repositories?repo={2}&_a=permissionsMid" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id
                                $inputbody = '{"contributionIds":["ms.vss-admin-web.security-view-members-data-provider"],"dataProviderContext":{"properties":{"permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json
                                $inputbody.dataProviderContext.properties.sourcePage.url = $refererUrl
                                $inputbody.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName;
                                $inputbody.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)"
                                $responseObj = [WebRequestHelper]::InvokePostWebRequest($url, $inputbody);
                                
                                # Iterate through each user/group to fetch detailed permissions list
                                if([Helpers]::CheckMember($responseObj[0],"dataProviders") -and ($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider') -and ([Helpers]::CheckMember($responseObj[0].dataProviders.'ms.vss-admin-web.security-view-members-data-provider',"identities")))
                                {
                                    $body = '{"contributionIds":["ms.vss-admin-web.security-view-permissions-data-provider"],"dataProviderContext":{"properties":{"subjectDescriptor":"","permissionSetId": "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87","permissionSetToken":"","accountName":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"repositories","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json
                                    $body.dataProviderContext.properties.sourcePage.url = $refererUrl
                                    $body.dataProviderContext.properties.sourcePage.routeValues.Project = $ControlResult.ResourceContext.ResourceGroupName;
                                    $body.dataProviderContext.properties.permissionSetToken = "repoV2/$($ControlResult.ResourceContext.ResourceDetails.Project.id)/$($ControlResult.ResourceContext.ResourceDetails.id)"
                                    $accessList += $responseObj.dataProviders."ms.vss-admin-web.security-view-members-data-provider".identities | Where-Object { ($_.subjectKind -eq "user") -and (-not [string]::IsNullOrEmpty($_.mailAddress))} | ForEach-Object {
                                        $identity = $_
                                        $body.dataProviderContext.properties.subjectDescriptor = $_.descriptor
                                        $identityPermissions = [WebRequestHelper]::InvokePostWebRequest($url, $body);
                                        $configuredPermissions = @($identityPermissions.dataproviders."ms.vss-admin-web.security-view-permissions-data-provider".subjectPermissions | Where-Object {$_.permissionDisplayString -ne 'Not set'})
                                        if ($configuredPermissions.Count -ge 12) {
                                            return $identity
                                        }
                                    }

                                    if ($accessList.Count -gt 0) {
                                        $assignee = $accessList[0].mailAddress
                                    }
                                }
                            }
                            catch {
                                $assignee = ""
                                $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.")
                            }
                        }
                    } 
                }
                catch {
                    $assignee = "";
                }
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }
            'SecureFile' {
                $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName

                if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
                {
                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "modifiedBy")) {
                            $assignee = $ControlResult.ResourceContext.ResourceDetails.modifiedBy.uniqueName
                        }
                    }

                    # if assignee is service account, then fetch assignee from jobs/permissions
                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        try {
                            $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0]
                            $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.securefile/roleassignments/resources/{1}%24{2}" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                            $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL));
                            $roles =   @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} )
                            if ($roles.Count -gt 0) {
                                $userId = $roles[0].identity.id
                                $assignee = $this.getUserFromUserId($organizationName, $userId)
                            }
                        }
                        catch {
                            $assignee = ""
                            $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.")
                        }
                    }
                }
                    
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }
            'Feed' {
                try {
                    $assignee = ""
                    if ("Project" -notin $ControlResult.ResourceContext.ResourceDetails.PSobject.Properties.name){
                        $url = 'https://{0}.feeds.visualstudio.com/_apis/Packaging/Feeds/{1}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceDetails.Id;
                    }
                    else {
                        $url = 'https://{0}.feeds.visualstudio.com/{1}/_apis/Packaging/Feeds/{2}/Permissions?includeIds=true&excludeInheritedPermissions=false&includeDeletedFeeds=false' -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceDetails.Id;
                    }
                    $feedPermissionList = @([WebRequestHelper]::InvokeGetWebRequest($url));
                    if ($feedPermissionList.count -gt 0 -and [Helpers]::CheckMember($feedPermissionList[0],"identityDescriptor")) {
                        $roles = $feedPermissionList | Where {$_.role -eq 'Administrator'}
                        if ($roles.count -ge 1) {
                            $resourceOwners = @($roles.identityDescriptor.Split('\') | Where {$_ -match [BugMetaInfoProvider]::emailRegEx.RegexList[0]})
                            if ($resourceOwners.count -ge 1) {
                                $allAssignee = $resourceOwners | Select-Object @{l="mailaddress";e={$_}}, @{l="subjectKind";e={"User"}}
                                $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName)
                                if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) {
                                    $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress
                                }
                            }
                        }
                    }
                }
                catch {
                    $assignee = "";
                }
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }
            'Environment' {
                $assignee = $ControlResult.ResourceContext.ResourceDetails.createdBy.uniqueName

                if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
                {
                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        if ([Helpers]::CheckMember($ControlResult.ResourceContext.ResourceDetails, "lastModifiedBy")) {
                            $assignee = $ControlResult.ResourceContext.ResourceDetails.lastModifiedBy.uniqueName
                        }
                    }
                    
                    # if assignee is service account, then fetch assignee from jobs/permissions
                    if (($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0]) -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken)) -or !$this.isUserActive($organizationName,$assignee)) 
                    {
                        $assignee = "";
                        $url = "https://dev.azure.com/{0}/{1}/_environments/{2}?view=resources&__rt=fps&__ver=2" -f $organizationName, $ControlResult.ResourceContext.ResourceGroupName, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                        $envDetails = [WebRequestHelper]::InvokeGetWebRequest($url);
                        # get assignee from the the build/release jobs history
                        if (([Helpers]::CheckMember($envDetails[0], "fps.dataProviders.data") ) -and ([Helpers]::CheckMember($envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider", "deploymentExecutionRecords")) )
                        {
                            $pipelineType = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].planType
                            $pipelineId = $envDetails[0].fps.dataProviders.data."ms.vss-environments-web.environment-deployment-history-data-provider".deploymentExecutionRecords[0].definition.id
                            if ($pipelineType -eq 'Release') {
                                $assignee = $this.FetchAssigneeFromRelease($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId)
                            }
                            else {
                                $assignee = $this.FetchAssigneeFromBuild($organizationName, $ControlResult.ResourceContext.ResourceGroupName, $pipelineId)
                            }
                        }
                        # if no build/release jobs associated with agentpool, then fecth assignee from permissions
                        elseif(!$assignee) 
                        {
                            try {
                                $projectId = ($ControlResult.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0]
                                $apiURL = "https://dev.azure.com/{0}/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/{1}_{2}?api-version=5.0-preview.1" -f $organizationName, $projectId, $ControlResult.ResourceContext.ResourceId.split('/')[-1]
                                $responseObj = @([WebRequestHelper]::InvokeGetWebRequest($apiURL));
                                $roles =   @( ($responseObj | where {$_.role.displayname -eq 'Administrator'} |select identity) | where {(-not ($_.identity.displayname).Contains("\")) -and ($_.identity.displayname -notin @("GitHub", "Microsoft.VisualStudio.Services.TFS"))} )
                                if ($roles.Count -gt 0) {
                                    $userId = $roles[0].identity.id
                                    $assignee = $this.getUserFromUserId($organizationName, $userId)
                                }
                            }
                            catch {
                                $assignee = ""
                                $eventBaseObj.PublishCustomMessage("Assignee Could not be determind.") 
                            }
                        }
                    }
                }
                    
                [BugMetaInfoProvider]::AssigneeForUnmappedResources[$ControlResult.ResourceContext.ResourceId] = $assignee
                return $assignee
            }  
            #assign to the person running the scan, as to reach at this point of code, it is ensured the user is PCA/PA and only they or other PCA
            #PA members can fix the control
            'Organization' {
                return [ContextHelper]::GetCurrentSessionUser();
            }
            'Project' {
                return [ContextHelper]::GetCurrentSessionUser();
    
            }
        }
        return "";
    }

    hidden [string] GetAssigneeFromOrgMapping($organizationName){
        $assignee = $null;
        if([BugMetaInfoProvider]::OrgMappingObj.ContainsKey($organizationName)){
            return [BugMetaInfoProvider]::OrgMappingObj[$organizationName]
        }
        $orgMapping = Get-Content "$($this.STMappingFilePath)\OrgSTData.csv" | ConvertFrom-Csv
        $orgOwnerDetails = @($orgMapping | where {$_."ADO Org Name" -eq $organizationName})
        if($orgOwnerDetails.Count -gt 0){
            $assignee = $orgOwnerDetails[0]."OwnerAlias"   
            [BugMetaInfoProvider]::OrgMappingObj[$organizationName] = $assignee
        }

        return $assignee;
    }

    hidden [string] FetchAssigneeFromBuild($organizationName, $projectName, $definitionId) 
    {
        $assignee = "";
        try 
        {
            $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/builds?definitions={2}&api-version=6.0" -f $organizationName, $projectName, $definitionId;
            $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl)
            #check for recent trigger
            if ([Helpers]::CheckMember($response, "requestedBy")) {
                $assignee = $response[0].requestedBy.uniqueName
                if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) {
                    $assignee = $response[0].lastChangedBy.uniqueName
                }
            }
            #if no triggers found assign to the creator
            else {
                $apiurl = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}?api-version=6.0" -f $organizationName, $projectName, $definitionId;
                $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl)
                $assignee = $response.authoredBy.uniqueName
            }
            
            if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
            {
                # if assignee is service account, get assignee from the the build update history
                if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) {
                    $url = "https://dev.azure.com/{0}/{1}/_apis/build/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId;
                    $response = [WebRequestHelper]::InvokeGetWebRequest($url)
                    if ([Helpers]::CheckMember($response, "changedBy")) {
                        $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending)
                        if ($response.count -gt 0) {
                            $allAssignee = @()
                            $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique
                            $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique
                            $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName)
                            if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) {
                                $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress
                            }
                        }
                    }
                }
            }
        }
        catch {
        }

        return $assignee;    
    }

    hidden [string] FetchAssigneeFromRelease($organizationName, $projectName, $definitionId) 
    {
        $assignee = "";
        try 
        {
            $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/releases?definitionId={2}&api-version=6.0" -f $organizationName, $projectName , $definitionId;
            $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl)
            #check for recent trigger
            if ([Helpers]::CheckMember($response, "modifiedBy")) {
                $assignee = $response[0].modifiedBy.uniqueName
            }
            #if no triggers found assign to the creator
            else {
                $apiurl = "https://vsrm.dev.azure.com/{0}/{1}/_apis/release/definitions/{2}?&api-version=6.0" -f $organizationName, $projectName, $definitionId;
                $response = [WebRequestHelper]::InvokeGetWebRequest($apiurl)
                $assignee = $response.createdBy.uniqueName
            }

            if ([BugMetaInfoProvider]::GetAssigneeUsingFallbackMethod) 
            {
                # if assignee is service account, get assignee from the the release update history
                if ($assignee -inotmatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] -or ([IdentityHelpers]::IsServiceAccount($assignee, 'User', [IdentityHelpers]::graphAccessToken))) {
                    $assignee = "";
                    $url = "https://{0}.vsrm.visualstudio.com/{1}/_apis/Release/definitions/{2}/revisions" -f $organizationName, $projectName, $definitionId;
                    $response = [WebRequestHelper]::InvokeGetWebRequest($url)
                    if ([Helpers]::CheckMember($response, "changedBy")) {
                        $response = @($response | Where-Object {$_.changedBy.uniqueName -imatch [BugMetaInfoProvider]::emailRegEx.RegexList[0] }| Sort-Object -Property changedDate -descending)
                        if ($response.count -gt 0) {
                            $allAssignee = @()
                            $response | ForEach-Object {$allAssignee += @( [PSCustomObject] @{ mailAddress = $_.changedBy.uniqueName; subjectKind = 'User' } )} | Select-Object -Unique
                            $allAssignee = $allAssignee | Select-Object mailaddress, subjectKind -unique
                            $SvcAndHumanAccounts = [IdentityHelpers]::DistinguishHumanAndServiceAccount($allAssignee, $organizationName)
                            if ($SvcAndHumanAccounts.humanAccount.Count -gt 0) {
                                $assignee = $SvcAndHumanAccounts.humanAccount[0].mailAddress
                            }
                        }
                    }
                }
            }
        }
        catch {
            Write-Host("Pipeline not found");
        }

        return $assignee;    
    }

    hidden [string] getUserFromUserId($organizationName, $userId) 
    {
        try 
        {
            # User descriptor is base 64 encoding of user id
            # $url = "https://vssps.dev.azure.com/{0}/_apis/graph/descriptors/{1}?api-version=6.0-preview.1" -f $organizationName, $userId
            # $userDescriptor = [WebRequestHelper]::InvokeGetWebRequest($url);
            $userDescriptor = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($userId))
            $userProfileURL = "https://vssps.dev.azure.com/{0}/_apis/graph/users/aad.{1}?api-version=6.0-preview.1" -f $organizationName, $userDescriptor
            $userProfile = [WebRequestHelper]::InvokeGetWebRequest($userProfileURL)
            return $userProfile[0].mailAddress
        }
        catch {
            return ""
        }
    }

    hidden [bool] isUserActive($organizationName,$mailAddress){
        $isUserActive = $true
        if(![BugMetaInfoProvider]::CheckForUserInactivity){
            return $true
        }
        try{
            $userActivity = [BugMetaInfoProvider]::UserActivityCache | where {$_.id -eq $mailAddress}
            if($userActivity){
                return $userActivity.isActive
            }
            else {
                $url = "https://vsaex.dev.azure.com/{0}/_apis/userentitlements?api-version=6.0-preview.3&`$filter=name eq '{1}'" -f $organizationName, $mailAddress
                $response = [WebRequestHelper]::InvokeGetWebRequest($url);
                if($response[0].members.count -gt 0){
                    [datetime] $lastAccessedDate = $response[0].members[0].lastAccessedDate
                    if(((Get-Date)-$lastAccessedDate).Days -gt [BugMetaInfoProvider]::UserInactivityLimit){
                        $isUserActive= $false;
                    }
                }
                else{
                    $isUserActive= $false
                }
            }

        }
        catch{
            $isUserActive= $false
        }
        [BugMetaInfoProvider]::UserActivityCache += (@{id = $mailAddress;isActive = $isUserActive})
        return $isUserActive
    }
    
    #method to obtain sign in ID of TF scoped identities
    hidden [string] GetAssigneeFromTFScopedIdentity($identity,$organizationName){
        $assignee = $null;
        #TF scoped identities with alternate email address will be in the format: a.b@microsoft.com
        if($identity -like "*.*@microsoft.com"){
            #check for the correct identitity corresponding to this email
            $url="https://dev.azure.com/{0}/_apis/IdentityPicker/Identities?api-version=7.1-preview.1" -f $organizationName
            $body = "{'query':'{0}','identityTypes':['user'],'operationScopes':['ims','source'],'properties':['DisplayName','Active','SignInAddress'],'filterByEntityIds':[],'options':{'MinResults':40,'MaxResults':40}}" | ConvertFrom-Json
            $body.query = $identity
            try{
                $responseObj = [WebRequestHelper]::InvokePostWebRequest($url,$body)
                #if any user has been found, assign this bug to the sign in address of the user
                if($responseObj.results[0].identities.count -gt 0){
                    $assignee = $responseObj.results[0].identities[0].signInAddress
                }
            }
            catch{
                return $assignee;
            }                    
        }
        else{
            return $assignee;
        }

        return $assignee;
    }

}

# SIG # Begin signature block
# MIInkwYJKoZIhvcNAQcCoIInhDCCJ4ACAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAh0SCUbHLDHpgR
# cElvJVXjx9SzGdy9pCDpzT/bG/GHSaCCDXYwggX0MIID3KADAgECAhMzAAADTrU8
# esGEb+srAAAAAANOMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjMwMzE2MTg0MzI5WhcNMjQwMzE0MTg0MzI5WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDdCKiNI6IBFWuvJUmf6WdOJqZmIwYs5G7AJD5UbcL6tsC+EBPDbr36pFGo1bsU
# p53nRyFYnncoMg8FK0d8jLlw0lgexDDr7gicf2zOBFWqfv/nSLwzJFNP5W03DF/1
# 1oZ12rSFqGlm+O46cRjTDFBpMRCZZGddZlRBjivby0eI1VgTD1TvAdfBYQe82fhm
# WQkYR/lWmAK+vW/1+bO7jHaxXTNCxLIBW07F8PBjUcwFxxyfbe2mHB4h1L4U0Ofa
# +HX/aREQ7SqYZz59sXM2ySOfvYyIjnqSO80NGBaz5DvzIG88J0+BNhOu2jl6Dfcq
# jYQs1H/PMSQIK6E7lXDXSpXzAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUnMc7Zn/ukKBsBiWkwdNfsN5pdwAw
# RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW
# MBQGA1UEBRMNMjMwMDEyKzUwMDUxNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci
# tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG
# CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu
# Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0
# MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAD21v9pHoLdBSNlFAjmk
# mx4XxOZAPsVxxXbDyQv1+kGDe9XpgBnT1lXnx7JDpFMKBwAyIwdInmvhK9pGBa31
# TyeL3p7R2s0L8SABPPRJHAEk4NHpBXxHjm4TKjezAbSqqbgsy10Y7KApy+9UrKa2
# kGmsuASsk95PVm5vem7OmTs42vm0BJUU+JPQLg8Y/sdj3TtSfLYYZAaJwTAIgi7d
# hzn5hatLo7Dhz+4T+MrFd+6LUa2U3zr97QwzDthx+RP9/RZnur4inzSQsG5DCVIM
# pA1l2NWEA3KAca0tI2l6hQNYsaKL1kefdfHCrPxEry8onJjyGGv9YKoLv6AOO7Oh
# JEmbQlz/xksYG2N/JSOJ+QqYpGTEuYFYVWain7He6jgb41JbpOGKDdE/b+V2q/gX
# UgFe2gdwTpCDsvh8SMRoq1/BNXcr7iTAU38Vgr83iVtPYmFhZOVM0ULp/kKTVoir
# IpP2KCxT4OekOctt8grYnhJ16QMjmMv5o53hjNFXOxigkQWYzUO+6w50g0FAeFa8
# 5ugCCB6lXEk21FFB1FdIHpjSQf+LP/W2OV/HfhC3uTPgKbRtXo83TZYEudooyZ/A
# Vu08sibZ3MkGOJORLERNwKm2G7oqdOv4Qj8Z0JrGgMzj46NFKAxkLSpE5oHQYP1H
# tPx1lPfD7iNSbJsP6LiUHXH1MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq
# hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
# IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg
# Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
# CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03
# a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr
# rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg
# OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy
# 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9
# sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh
# dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k
# A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB
# w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn
# Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90
# lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w
# ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o
# ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD
# VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa
# BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny
# bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG
# AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
# L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV
# HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3
# dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG
# AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl
# AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb
# C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l
# hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6
# I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0
# wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560
# STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam
# ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa
# J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah
# XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA
# 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt
# Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr
# /Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp
# Z25pbmcgUENBIDIwMTECEzMAAANOtTx6wYRv6ysAAAAAA04wDQYJYIZIAWUDBAIB
# BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO
# MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIHX7e5fqhxoFHA2Agij9tEVk
# prUN6zMyRivDoDxgH+yRMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A
# cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB
# BQAEggEAbT35k8M4zXrPD+oo4KYbJqXDl2+FoxgJKXkIuin3bXlplq54yhavRC3q
# zAEprRpL4WTVBC4yZMC3nHYFUGhQmTIWC7L56c5g6BoBgpoEoErTL7mTtK6w9w5c
# 6HBSwaIgGXknR+TlFfEz1/HhYHDxajWJ8XwlDilgo63SvBUNGaZItTRdf8JCOGnD
# b243q7ty2VsCnYWRkcL06XiYl5eICadHw8hMmbR6NhxtkzL6+Xj7+IGkflqRLPdz
# A1eBlXwK1TDsTE4ISW6plDXP/MimdvWd3T05A6KWt4Wlc/xGL+ecUHW0vAupNpzP
# tePEUCfUcVnPQxQVbfQ2AXv6lKvRO6GCFv0wghb5BgorBgEEAYI3AwMBMYIW6TCC
# FuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsq
# hkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl
# AwQCAQUABCDNe7wOjc0jyoefLbrBApitHbiuI64uuYig9zwnZ9gIwAIGZLAdCXz+
# GBMyMDIzMDcyMTEyNTE1MS43NThaMASAAgH0oIHQpIHNMIHKMQswCQYDVQQGEwJV
# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l
# cmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjoxMkJDLUUz
# QUUtNzRFQjElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCC
# EVQwggcMMIIE9KADAgECAhMzAAAByk/Cs+0DDRhsAAEAAAHKMA0GCSqGSIb3DQEB
# CwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV
# BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTIyMTEwNDE5MDE0
# MFoXDTI0MDIwMjE5MDE0MFowgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
# aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
# cG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMx
# JjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjEyQkMtRTNBRS03NEVCMSUwIwYDVQQD
# ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEF
# AAOCAg8AMIICCgKCAgEAwwGcq9j50rWEkcLSlGZLweUVfxXRaUjiPsyaNVxPdMRs
# 3CVe58siu/EkaVt7t7PNTPko/s8lNtusAeLEnzki44yxk2c9ekm8E1SQ2YV9b8/L
# OxfKapZ8tVlPyxw6DmFzNFQjifVm8EiZ7lFRoY448vpcbBD18qjYNF/2Z3SQchcs
# dV1N9Y6V2WGl55VmLqFRX5+dptdjreBXzi3WW9TsoCEWcYCBK5wYgS9tT2SSSTza
# e3jmdw40g+LOIyrVPF2DozkStv6JBDPvwahXWpKGpO7rHrKF+o7ECN/ViQFMZyp/
# vxePiUABDNqzEUI8s7klYmeHXvjeQOq/CM3C/Y8bj3fJObnZH7eAXvRDnxT8R6W/
# uD1mGUJvv9M9BMu3nhKpKmSxzzO5LtcMEh2tMXxhMGGNMUP3DOEK3X+2/LD1Z03u
# sJTk5pHNoH/gDIvbp787Cw40tsApiAvtrHYwub0TqIv8Zy62l8n8s/Mv/P764CTq
# rxcXzalBHh+Xy4XPjmadnPkZJycp3Kczbkg9QbvJp0H/0FswHS+efFofpDNJwLh1
# hs/aMi1K/ozEv7/WLIPsDgK16fU/axybqMKk0NOxgelUjAYKl4wU0Y6Q4q9N/9Pw
# AS0csifQhY1ooQfAI0iDCCSEATslD8bTO0tRtqdcIdavOReqzoPdvAv3Dr1XXQ8C
# AwEAAaOCATYwggEyMB0GA1UdDgQWBBT6x/6lS4ESQ8KZhd0RgU7RYXM8fzAfBgNV
# HSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5o
# dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBU
# aW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwG
# CCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz
# L01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNV
# HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IC
# AQDY0HkqCS3KuKefFX8/rm/dtD9066dKEleNqriwZqsM4Ym8Ew4QiqOqO7mWoYYY
# 4K5y8eXSOHKNXOfpO6RbaYj8jCOcJAB5tqLl5hiMgaMbAVLrl1hlix9sloO45LON
# 0JphKva3D6AVKA7P78mA9iRHZYUVrRiyfvQjWxmUnxhis8fom92+/RHcEZ1Dh5+p
# 4gzeeL84Yl00Wyq9EcgBKKfgq0lCjWNSq1AUG1sELlgXOSvKZ4/lXXH+MfhcHe91
# WLIaZkS/Hu9wdTT6I14BC97yhDsZWXAl0IJ801I6UtEFpCsTeOyZBJ7CF0rf5lxJ
# 8tE9ojNsyqXJKuwVn0ewCMkZqz/cEwv9FEx8QmsZ0ZNodTtsl+V9dZm+eUrMKZk6
# PKsKArtQ+jHkfVsHgKODloelpOmHqgX7UbO0NVnIlpP55gQTqV76vU7wRXpUfz7K
# hE3BZXNgwG05dRnCXDwrhhYz+Itbzs1K1R8I4YMDJjW90ASCg9Jf+xygRKZGKHjo
# 2Bs2XyaKuN1P6FFCIVXN7KgHl/bZiakGq7k5TQ4OXK5xkhCHhjdgHuxj3hK5AaOy
# +GXxO/jbyqGRqeSxf+TTPuWhDWurIo33RMDGe5DbImjcbcj6dVhQevqHClR1OHSf
# r+8m1hWRJGlC1atcOWKajArwOURqJSVlThwVgIyzGNmjzjCCB3EwggVZoAMCAQIC
# EzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYT
# AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBS
# b290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoX
# DTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
# b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
# dGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIi
# MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC
# 0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VG
# Iwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP
# 2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/P
# XfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361
# VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwB
# Sru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9
# X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269e
# wvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDw
# wvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr
# 9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+e
# FnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAj
# BgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+n
# FV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEw
# PwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9j
# cy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3
# FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAf
# BgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBH
# hkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNS
# b29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF
# BzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0Nl
# ckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4Swf
# ZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTC
# j/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu
# 2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/
# GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3D
# YXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbO
# xnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqO
# Cb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I
# 6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0
# zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaM
# mdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNT
# TY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIBATCB+KGB0KSBzTCByjEL
# MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
# bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWlj
# cm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRTUyBF
# U046MTJCQy1FM0FFLTc0RUIxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1w
# IFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAKOO55cMT4syPP6nClg2IWfajMqkoIGD
# MIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
# BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG
# A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEF
# BQACBQDoZH41MCIYDzIwMjMwNzIxMTE0NzAxWhgPMjAyMzA3MjIxMTQ3MDFaMHQw
# OgYKKwYBBAGEWQoEATEsMCowCgIFAOhkfjUCAQAwBwIBAAICG2YwBwIBAAICEbgw
# CgIFAOhlz7UCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgC
# AQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQC1jS0K835zxZa8
# pGyv/RNq8G8jg4XShyDfJowvmQOFu5TOM5IN5p1aq8qEIidYJq6VirYxXZZmNZ58
# A/kUTCE7FnYKUdS96+qIiZf2Zs7dRzolAmPyH86/F4AViB4drSl3VEzVcrxcdvj8
# 27lmKbiplXik39Tl12IFuwJIMYogZDGCBA0wggQJAgEBMIGTMHwxCzAJBgNVBAYT
# AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBU
# aW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAByk/Cs+0DDRhsAAEAAAHKMA0GCWCGSAFl
# AwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcN
# AQkEMSIEIMsAXnt+jVc+JsDF6uE9Xuw4NLQs4/7nEgjJ2nBdgtJDMIH6BgsqhkiG
# 9w0BCRACLzGB6jCB5zCB5DCBvQQgEz0b85vrVU2slZAk4jt1SDEk6IzZAwVCoWwF
# 3KzcGuAwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
# bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
# aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAA
# AcpPwrPtAw0YbAABAAAByjAiBCD/8GhuZy4SIg6UD5fjv5vFhmKato3B5Sck6zye
# VNkf6zANBgkqhkiG9w0BAQsFAASCAgB2poKnwzuzSiMv7ih1TlOmmckM0h0lhCQJ
# M5z8g/xuiiPyqjl5O61kIVu3C/JxRAa3CIbHLBwh0AKskn0DIsDPiHVyJv7Efbsr
# bR0E/nwas1fy+WL/2j0H88OuNNnShbNB8OG7ygLjeq/soB04dP8HJfNv0lLTzakv
# qhL4UCCg2UjbXwVUVgl7dS44I+4a6bvrE/CcLEduzqM4eFGm+a4iYiNqurI8SYkw
# 5lH2HCo7nMH9W1PlK/z1JPhT0sk3dXvu5eqVdIH6sfjgcXhDVc+YR+qKE08ISsGe
# IeHWekZAXx7ZqInqIG2T84RezlzeiLxHUxDeggDKUuCR4CnQZG6f+LAX4xJGqpQB
# Y9SaYePD/sdqoHCPeu54Z69TZ/bdXbm34VgJO96bmZnTWiMS3bZjhg21MsQjoA20
# e+ZleAEQoAbgfgmYDQ/lErTpCXoO19v4R9CVijyOzg+P/XINHUQHyR1N2u8VkW+y
# 8igfBC+DasZEHUxvzmOHlyJCxr4y2MODFUboF3ZkWCrqb4AQSg9W+EyT1L0jfwye
# XWR1VsIobV0wXVZZY7m4iRBO9VE+1PIbwd4mm00E//Bo3zi35YVrm0SNVB3ieJaC
# sxEejfXXNDSGeKSs2MsboPICOpx1spR/XginNYYOTdYDT7BEqXmtBRFwkDHnPEVU
# tYiihq493w==
# SIG # End signature block