Framework/Core/SVT/ADO/ADO.User.ps1
|
Set-StrictMode -Version Latest class User: ADOSVTBase { User([string] $organizationName, [SVTResource] $svtResource): Base($organizationName, $svtResource) { } hidden [ControlResult] CheckPATAccessLevel([ControlResult] $controlResult) { $apiURL = "https://vssps.dev.azure.com/{0}/_apis/Token/SessionTokens?displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=false&startRowNumber=1&pageSize=100&api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName); $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $controlResult.AddMessage("Currently this control evaluates PATs for all the organizations the user has access to.") try { if ($responseObj.Count -gt 0) { $AccessPATList = $responseObj | Where-Object { $_.validto -gt $(Get-Date -Format "yyyy-MM-dd") } $AccessPATListCount = ($AccessPATList | Measure-Object).Count if ($AccessPATListCount -gt 0) { $controlResult.AddMessage("Total number of active user PATs: $($AccessPATListCount)"); $controlResult.AdditionalInfo += "Total number of active user PATs: " + $AccessPATListCount; $statusSet = $false # Use this variable to check whether scanStaus is already set $fullAccessPATList = $AccessPATList | Where-Object { $_.scope -eq "app_token" } $fullAccessPATListCount = ($fullAccessPATList | Measure-Object).Count if ($fullAccessPATListCount -gt 0) { $controlResult.AddMessage("`nTotal number of PATs configured with full access: $($fullAccessPATListCount)"); $controlResult.AdditionalInfo += "Total number of PATs configured with full access: " + $fullAccessPATListCount; $fullAccessPATNames = $fullAccessPATList | Select-Object displayName, scope $controlResult.AddMessage([VerificationResult]::Failed, "The following PATs have been configured with full access: ", $fullAccessPATNames); $statusSet = $true } $remainingPATList = $AccessPATList | Where-Object { $_.scope -ne "app_token" } $remainingPATListCount = ($remainingPATList | Measure-Object).Count if ($remainingPATListCount -gt 0){ $controlResult.AddMessage("`nTotal number of PATs configured with custom defined access: $remainingPATListCount"); $controlResult.AdditionalInfo += "Total number of PATs configured with custom defined access: " + $remainingPATListCount; $remainingAccessPATNames = $remainingPATList | Select-Object displayName, scope if ($statusSet) { $controlResult.AddMessage("The following PATs have been configured with custom defined access: ", $remainingAccessPATNames) } else { $controlResult.AddMessage([VerificationResult]::Verify, "Verify that the following PATs have minimum required permissions: ", $remainingAccessPATNames) } } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No active PATs found"); } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs found"); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch the list of PATs"); $controlResult.LogException($_) } return $controlResult; } hidden [ControlResult] CheckAltCred([ControlResult] $controlResult) { $apiURL = "https://dev.azure.com/{0}/_apis/Contribution/dataProviders/query?api-version=5.1-preview.1" -f $($this.OrganizationContext.OrganizationName); $inputbody = '{"contributionIds": ["ms.vss-admin-web.alternate-credentials-data-provider","ms.vss-admin-web.action-url-data-provider"]}' | ConvertFrom-Json $responseObj = [WebRequestHelper]::InvokePostWebRequest($apiURL, $inputbody); if ([Helpers]::CheckMember($responseObj, "data"), $responseObj.data.'ms.vss-admin-web.alternate-credentials-data-provider') { if ((-not $responseObj.data.'ms.vss-admin-web.alternate-credentials-data-provider'.alternateCredentialsModel.basicAuthenticationDisabled) -or (-not $responseObj.data.'ms.vss-admin-web.alternate-credentials-data-provider'.alternateCredentialsModel.basicAuthenticationDisabledOnAccount)) { $controlResult.AddMessage([VerificationResult]::Passed, "Alt credential is disabled"); } else { $controlResult.AddMessage([VerificationResult]::Passed, "Alt credential is enabled"); } } else { $controlResult.AddMessage([VerificationResult]::Manual, "Alt credential not found"); } return $controlResult } hidden [ControlResult] ValidatePATExpiryPeriod([ControlResult] $controlResult) { $controlResult.AddMessage("Currently this control evaluates PATs for all the organizations the user has access to.") try { $apiURL = "https://vssps.dev.azure.com/{0}/_apis/Token/SessionTokens?displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=false&startRowNumber=1&pageSize=100&api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName); $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); if ($responseObj.Count -gt 0) { $AccessPATList = $responseObj | Where-Object { $_.validto -gt $(Get-Date -Format "yyyy-MM-dd") } if (($AccessPATList | Measure-Object).Count -gt 0) { $res = $AccessPATList | Where-Object {(New-Timespan -Start $_.ValidFrom -End $_.ValidTo).Days -gt 180 } if (($res | Measure-Object).Count -gt 0) { $PATList = ($res | Select-Object -Property @{Name = "Name"; Expression = { $_.displayName } }, @{Name = "ValidFrom"; Expression = { $_.validfrom } }, @{Name = "ValidTo"; Expression = { $_.validto } }, @{Name = "ValidationPeriod"; Expression = { (New-Timespan -Start $_.ValidFrom -End $_.ValidTo).Days } }); $controlResult.AddMessage([VerificationResult]::Failed, "The following PATs have validity period of more than 180 days: ", $PATList) $PATListCount = ($PATList | Measure-Object).Count $controlResult.AdditionalInfo += "Total number of PATs that have validity period of more than 180 days: " + $PATListCount; $controlResult.AdditionalInfo += "List of PATs that have validity period of more than 180 days: " + [JsonHelper]::ConvertToJsonCustomCompressed($PATList); } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs have been found with validity period of more than 180 days.") } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No active PATs have been found.") } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs have been found."); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch the list of PATs."); $controlResult.LogException($_) } return $controlResult; } hidden [ControlResult] CheckPATExpiration([ControlResult] $controlResult) { $controlResult.AddMessage("Currently this control evaluates PATs for all the organizations the user has access to.") try { $apiURL = "https://vssps.dev.azure.com/{0}/_apis/Token/SessionTokens?displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=false&startRowNumber=1&pageSize=100&api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName); $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); if ($responseObj.Count -gt 0) { $date = Get-Date; $AccessPATList = $responseObj | Where-Object { $_.validto -gt $(Get-Date -Format "yyyy-MM-dd") } if (($AccessPATList | Measure-Object).Count -gt 0) { $PATExpri7Days = $AccessPATList | Where-Object { (New-Timespan -Start $date -End $_.validto ).Days -lt 8 }; $PATExpri30Days = $AccessPATList | Where-Object { ((New-Timespan -Start $date -End $_.validto).Days -gt 7) -and ((New-Timespan -Start $date -End $_.validto).Days -lt 31) }; $PATOther = $AccessPATList | Where-Object { ((New-Timespan -Start $date -End $_.validto).Days -gt 30) }; if (($PATExpri7Days | Measure-Object).Count -gt 0) { $PAT7List = ($PATExpri7Days | Select-Object -Property @{Name = "Name"; Expression = { $_.displayName } }, @{Name = "ValidFrom"; Expression = { $_.validfrom } }, @{Name = "ValidTo"; Expression = { $_.validto } }, @{Name = "Remaining"; Expression = { (New-Timespan -Start $date -End $_.validto).Days } }); $controlResult.AddMessage("The following PATs expire within 7 days: ", $PAT7List ) $controlResult.AdditionalInfo += "Total number of PATs that will expire within 7 days: " + ($PAT7List | Measure-Object).Count; } if (($PATExpri30Days | Measure-Object).Count -gt 0) { $PAT30List = ($PATExpri30Days | Select-Object -Property @{Name = "Name"; Expression = { $_.displayName } }, @{Name = "ValidFrom"; Expression = { $_.validfrom } }, @{Name = "ValidTo"; Expression = { $_.validto } }, @{Name = "Remaining"; Expression = { (New-Timespan -Start $date -End $_.validto).Days } }); $controlResult.AddMessage("The following PATs expire after 7 days but within 30 days: ", $PAT30List ) $controlResult.AdditionalInfo += "Total number of PATs that will expire after 7 days but within 30 days: " + ($PAT30List | Measure-Object).Count; } if (($PATOther | Measure-Object).Count -gt 0) { $PATOList = ($PATOther | Select-Object -Property @{Name = "Name"; Expression = { $_.displayName } }, @{Name = "ValidFrom"; Expression = { $_.validfrom } }, @{Name = "ValidTo"; Expression = { $_.validto } }, @{Name = "Remaining"; Expression = { (New-Timespan -Start $date -End $_.validto).Days } }); $controlResult.AddMessage("The following PATs expire after 30 days: ", $PATOList ) $controlResult.AdditionalInfo += "Total number of PATs that will expire after 30 days: " + ($PATOList | Measure-Object).Count; } if (($PATExpri7Days | Measure-Object).Count -gt 0) { $controlResult.VerificationResult = [VerificationResult]::Failed } elseif (($PATExpri30Days | Measure-Object).Count -gt 0) { $controlResult.VerificationResult = [VerificationResult]::Verify } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs have been found which expire within 30 days.") } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No active PATs have been found.") } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs have been found."); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch the list of PATs."); $controlResult.LogException($_) } return $controlResult; } hidden [ControlResult] CheckPATOrgAccess([ControlResult] $controlResult) { $apiURL = "https://{0}.vssps.visualstudio.com/_apis/Token/SessionTokens?displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=false&startRowNumber=1&pageSize=100&api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName); $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); $controlResult.AddMessage("Currently this control evaluates PATs for all the organizations the user has access to.") try { if ($responseObj.Count -gt 0) { $AccessPATList = $responseObj | Where-Object { $_.validto -gt $(Get-Date -Format "yyyy-MM-dd") } $AccessPATListCount = ($AccessPATList | Measure-Object).Count $allOrgPATCount = 0; #counter to store number of PATs that are accessible to all orgs. $allOrgPAT = @() #list to capture PAts accessible to all orgs. if ($AccessPATListCount -gt 0) { $controlResult.AddMessage("Total number of active user PATs: $($AccessPATListCount)"); $AccessPATList | ForEach-Object{ if([string]::IsNullOrWhiteSpace($_.targetAccounts)) #if a PAT is tied to a single org, value of targetAccounts is equal to org id. If its accessible to all orgs, this value is null. { $allOrgPATCount ++; $allOrgPAT += $_.DisplayName } } if($allOrgPATCount -gt 0) { $controlResult.AddMessage("Total number of active PATs accessible to all organizations: $($allOrgPATCount)"); $controlResult.AddMessage([VerificationResult]::Failed, "The below active PATs are accessible to all organizations: ", $allOrgPAT); $controlResult.AdditionalInfo += "Total number of active PATs accessible to all organizations: " + $allOrgPATCount; $controlResult.AdditionalInfo += "List of active PATs accessible to all organizations: " + [JsonHelper]::ConvertToJsonCustomCompressed($allOrgPAT); } else { $controlResult.AddMessage([VerificationResult]::Passed, "No active PATs are accessible to all organizations."); } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No active PATs found."); } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs found."); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch the list of PATs"); $controlResult.LogException($_) } return $controlResult; } hidden [ControlResult] CheckPATCriticalPermissions([ControlResult] $controlResult) { $controlResult.AddMessage("Currently this control evaluates PATs for all the organizations the user has access to.") try { $apiURL = "https://vssps.dev.azure.com/{0}/_apis/Token/SessionTokens?displayFilterOption=1&createdByOption=3&sortByOption=3&isSortAscending=false&startRowNumber=1&pageSize=100&api-version=5.0-preview.1" -f $($this.OrganizationContext.OrganizationName); $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); if(($null -ne $this.ControlSettings) -and [Helpers]::CheckMember($this.ControlSettings, "CriticalPATPermissions")) { $patterns = $this.ControlSettings.CriticalPATPermissions if ($responseObj.Count -gt 0) { $AccessPATList = $responseObj | Where-Object { $_.validto -gt $(Get-Date -Format "yyyy-MM-dd") } $AccessPATListCount = ($AccessPATList | Measure-Object).Count if ($AccessPATListCount -gt 0) { $fullAccessPATList = $AccessPATList | Where-Object { $_.scope -eq "app_token" } $customAccessPATList = $AccessPATList | Where-Object { $_.scope -ne "app_token" } $fullAccessPATListCount = ($fullAccessPATList | Measure-Object).Count $PATWithCriticalAccess = @(); if(($patterns | Measure-Object).Count -gt 0) { $controlResult.AddMessage("`nNote: The following permission scopes are considered as 'critical': `n`t[$($patterns -join ', ')]"); foreach ($pat in $customAccessPATList) { foreach ($item in $patterns) { if($pat.scope.contains($item)) { $PATWithCriticalAccess += $pat break; } } } } $PATWithCriticalAccessCount = ($PATWithCriticalAccess | Measure-Object).Count if (($PATWithCriticalAccessCount -gt 0) -or ($fullAccessPATListCount -gt 0)) { $controlResult.AddMessage([VerificationResult]::Failed, "`nUser has PATs that are configured with critical permissions."); if ($PATWithCriticalAccessCount -gt 0) { $controlResult.AddMessage("`nTotal number of PATs configured with critical permissions: $($PATWithCriticalAccessCount)"); $controlResult.AdditionalInfo += "Total number of PATs configured with critical permissions: " + $PATWithCriticalAccessCount; $criticalPAT = $PATWithCriticalAccess | Select-Object displayName, scope $controlResult.AddMessage("List of PATs configured with critical permissions: ", $criticalPAT); } if ($fullAccessPATListCount -gt 0) { $controlResult.AddMessage([VerificationResult]::Failed, "`nTotal number of PATs configured with full access: $($fullAccessPATListCount)"); $controlResult.AdditionalInfo += "Total number of PATs configured with full access: " + $fullAccessPATListCount; $fullAccessPAT = $fullAccessPATList | Select-Object displayName, scope $controlResult.AddMessage("List of PATs configured with full access: ", $fullAccessPAT); } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs are configured with critical permissions."); $controlResult.AdditionalInfo += "No PATs are configured with critical permissionss."; } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No active PATs found."); } } else { $controlResult.AddMessage([VerificationResult]::Passed, "No PATs found."); } } else { $controlResult.AddMessage([VerificationResult]::Manual, "Critical permission scopes for PAT are not defined in your organization."); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch the list of PATs."); $controlResult.LogException($_) } return $controlResult; } } # SIG # Begin signature block # MIIoLQYJKoZIhvcNAQcCoIIoHjCCKBoCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCtWC76D9V/3Ecc # DlIRztw4fp1oWQ9YtOxj35pNs54Cl6CCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGg0wghoJAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIGg5e59y/NXj/dfJUE8W3fn2 # lGfpl8FFTADaRmaI1ZuZMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAtEUJE85pS5/FswbvvE2O3ITB2FCqzOLE5HJlHO35EeJYveKR7FA9qUVs # opUe5bqg+i3y2dgP5OfBJTWMtvBVkrZWARTXMBng6oJAW7jGcQth5m6Yg57Xup1z # DzfFhVU1curlhFWJPphi8M4SZWu7SdmRuikVrpT7FsSVjEEw1sYWRuLWP5T7i6Ur # /MZ89igbsCn3QXwM6TUA3OodUcrR/0U8y1EeX+VuyMOZ4gbZUDSVkz8tRHmoBtCj # VdSt/YmHlhe/LubWTRf5pGUBMi9y7GpJ43Jp2pdNs4YBJEriRgODAzAEcHXq1m39 # ZZ0D9/Hz7Yl5zjdEdqZn4e9VtWzdWKGCF5cwgheTBgorBgEEAYI3AwMBMYIXgzCC # F38GCSqGSIb3DQEHAqCCF3AwghdsAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFSBgsq # hkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCARpFntAKhuj5MTFyNLM8mDIuF8U1Yc0LHWW3gb2qiE5AIGZbwSokaz # GBMyMDI0MDIxMzEyMjQ1MS4xNDhaMASAAgH0oIHRpIHOMIHLMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046OEQwMC0w # NUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Wg # ghHtMIIHIDCCBQigAwIBAgITMwAAAfPFCkOuA8wdMQABAAAB8zANBgkqhkiG9w0B # AQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD # VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMzEyMDYxODQ2 # MDJaFw0yNTAzMDUxODQ2MDJaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z # MScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046OEQwMC0wNUUwLUQ5NDcxJTAjBgNV # BAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQD+n6ba4SuB9iSO5WMhbngqYAb+z3IfzNpZIWS/sgfX # hlLYmGnsUtrGX3OVcg+8krJdixuNUMO7ZAOqCZsXUjOz8zcn1aUD5D2r2PhzVKjH # tivWGgGj4x5wqWe1Qov3vMz8WHsKsfadIlWjfBMnVKVomOybQ7+2jc4afzj2XJQQ # SmE9jQRoBogDwmqZakeYnIx0EmOuucPr674T6/YaTPiIYlGf+XV2u6oQHAkMG56x # YPQikitQjjNWHADfBqbBEaqppastxpRNc4id2S1xVQxcQGXjnAgeeVbbPbAoELhb # w+z3VetRwuEFJRzT6hbWEgvz9LMYPSbioHL8w+ZiWo3xuw3R7fJsqe7pqsnjwvni # P7sfE1utfi7k0NQZMpviOs//239H6eA6IOVtF8w66ipE71EYrcSNrOGlTm5uqq+s # yO1udZOeKM0xY728NcGDFqnjuFPbEEm6+etZKftU9jxLCSzqXOVOzdqA8O5Xa3E4 # 1j3s7MlTF4Q7BYrQmbpxqhTvfuIlYwI2AzeO3OivcezJwBj2FQgTiVHacvMQDgSA # 7E5vytak0+MLBm0AcW4IPer8A4gOGD9oSprmyAu1J6wFkBrf2Sjn+ieNq6Fx0tWj # 8Ipg3uQvcug37jSadF6q1rUEaoPIajZCGVk+o5wn6rt+cwdJ39REU43aWCwn0C+X # xwIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFMNkFfalEVEMjA3ApoUx9qDrDQokMB8G # A1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCG # Tmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUy # MFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4w # XAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2Vy # dHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwG # A1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDgYDVR0PAQH/BAQD # AgeAMA0GCSqGSIb3DQEBCwUAA4ICAQDfxByP/NH+79vc3liO4c7nXM/UKFcAm5w6 # 1FxRxPxCXRXliNjZ7sDqNP0DzUTBU9tS5DqkqRSiIV15j7q8e6elg8/cD3bv0sW4 # Go9AML4lhA5MBg3wzKdihfJ0E/HIqcHX11mwtbpTiC2sgAUh7+OZnb9TwJE7pbEB # PJQUxxuCiS5/r0s2QVipBmi/8MEW2eIi4mJ+vHI5DCaAGooT4A15/7oNj9zyzRAB # TUICNNrS19KfryEN5dh5kqOG4Qgca9w6L7CL+SuuTZi0SZ8Zq65iK2hQ8IMAOVxe # wCpD4lZL6NDsVNSwBNXOUlsxOAO3G0wNT+cBug/HD43B7E2odVfs6H2EYCZxUS1r # gReGd2uqQxgQ2wrMuTb5ykO+qd+4nhaf/9SN3getomtQn5IzhfCkraT1KnZF8TI3 # ye1Z3pner0Cn/p15H7wNwDkBAiZ+2iz9NUEeYLfMGm9vErDVBDRMjGsE/HqqY7QT # STtDvU7+zZwRPGjiYYUFXT+VgkfdHiFpKw42Xsm0MfL5aOa31FyCM17/pPTIKTRi # KsDF370SwIwZAjVziD/9QhEFBu9pojFULOZvzuL5iSEJIcqopVAwdbNdroZi2HN8 # nfDjzJa8CMTkQeSfQsQpKr83OhBmE3MF2sz8gqe3loc05DW8JNvZ328Jps3LJCAL # t0rQPJYnOzCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZI # hvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # MjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAy # MDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp # bWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC # AQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25Phdg # M/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPF # dvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6 # GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBp # Dco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50Zu # yjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3E # XzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0 # lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1q # GFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ # +QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PA # PBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkw # EgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxG # NSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARV # MFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAK # BggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC # AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX # zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v # cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI # KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG # 9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0x # M7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmC # VgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449 # xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wM # nosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDS # PeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2d # Y3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxn # GSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+Crvs # QWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokL # jzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL # 6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggNQ # MIICOAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEn # MCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjhEMDAtMDVFMC1EOTQ3MSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQBu # +gYs2LRha5pFO79g3LkfwKRnKKCBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6XW6GjAiGA8yMDI0MDIxMzA5NTEy # MloYDzIwMjQwMjE0MDk1MTIyWjB3MD0GCisGAQQBhFkKBAExLzAtMAoCBQDpdboa # AgEAMAoCAQACAhTfAgH/MAcCAQACAhOuMAoCBQDpdwuaAgEAMDYGCisGAQQBhFkK # BAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJ # KoZIhvcNAQELBQADggEBAFut9KTJtWuyCuKMgoc2F4Z6R+sX5Nsn6ppEN65b853d # oFI60bnSbJsys4P/LEiH7TG70fTb83u8d85uKsFWZuBnqfjtd8opugc3ZlwA7Z3i # lw26HjtNUj7C6DT05OOM5xv81JvfecmHCbZEQ9UXGvYr1WwAc1mp2nUSBeFTWAHf # l50oJ8m8yWX4XozMJYhQ1plEB+iKHZdpV8Watk1kWatLtqszBxRW2QTAN0vzkxCs # jy3KMpVMgqvPXvxDLeK4Xx7YbRRkYYQc52+p9KMH1WfMAUhtFKTusnBqQ/X1E5tO # loy3OKCtwQ/fY7wBpZmTPJO4bqWDrCI07JU97aJetpoxggQNMIIECQIBATCBkzB8 # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N # aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAfPFCkOuA8wdMQABAAAB # 8zANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEE # MC8GCSqGSIb3DQEJBDEiBCDH3d8chP4sWnHJOSInVnYTZ+wUBtKKOVg6btV/9RUW # NTCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIBi82TSLtuG4Vkp8wBmJk/T+ # RAh841sG/aDOwxg6O2LoMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB # IDIwMTACEzMAAAHzxQpDrgPMHTEAAQAAAfMwIgQgcg6SKfwtF87IMwqnRsrrwrxY # 3GOBKE3cz2enLQxrYlAwDQYJKoZIhvcNAQELBQAEggIAUCKzvNpYJ467ZaZ+4zhr # dCaq5Op5DybEIx+l9kNZ3EXM0nKR2xUWDaRsFUxwWlDnVT2TzarkOouVEhMesybN # R9unNOGa9ClbOWkbe67mPDmpYM2jGjd1vzmDU/fuMKxbn3k46XPq5RF97KeasHnN # DSk6nFSNcGrTzg2T8cPRqE0u/PEI1cJE07Sm8sddJvAi7UMyNCrZ/u25RG3BaS2f # 4JHzoPJHqPoQ1fx9aLKGYrLWeJPhH6dAkjpKdW/71exhus5rgAggGmjtNinp7IET # /NXHhYThrT51gSU+ISRnWB0Q7/99bajCrYOGRWzXGWJFSXVC5MmSL+tEdKq1J0Uo # j1z4BVV/oO+iU8PMYVh59tcWPYV6PJeRKPuszB2euND8zRO+qZltb9dNObxIbpsb # EVUmyJJCvya/l3+AMXcJ7KlCkEv1too2tPs34Ex2pLLLLKdxv1tMam4G40f66IfM # UEw8OTPl+wwHDJD2r+dKKP3ddx3n6mhyjP2lxmGzYReZdPiy5wZxDYPfL+oZmZgX # ED6GFNxR2nToHMrDd4SXJbhHCIWesMT7+cAlveI7pZ1wt728BMjKvhJ93KtcA97K # AEt599yyyJWqMLNw98FArzvFna1nhQENri3EhZcVHdonwOHS7t+f6msZne/798Qq # x6u1eXOiYsBoy1E/IrojitU= # SIG # End signature block |