Framework/Managers/ControlStateExtension.ps1
|
using namespace System.Management.Automation Set-StrictMode -Version Latest class ControlStateExtension { #Static attestation index file object. #This gets cashed for every scan and reset for every fresh scan command in servicessecurity status [PSObject] $ControlStateIndexer = $null; #Property indicates if Attestation index file is present in blob [bool] $IsControlStateIndexerPresent = $true; hidden [int] $HasControlStateReadPermissions = 1; hidden [int] $HasControlStateWritePermissions = -1; hidden [string] $IndexerBlobName ="Resource.index.json" hidden [int] $retryCount = 3; hidden [string] $UniqueRunId; hidden [OrganizationContext] $OrganizationContext; hidden [InvocationInfo] $InvocationContext; hidden [PSObject] $ControlSettings; hidden [PSObject] $resourceType; hidden [PSObject] $resourceName; hidden [PSObject] $resourceGroupName; hidden [PSObject] $AttestationBody; [bool] $IsPersistedControlStates = $false; [bool] $FailedDownloadForControlStateIndexer = $false #hidden [bool] $PrintExtStgPolicyProjErr = $true; hidden [bool] $PrintParamPolicyProjErr = $true; hidden [bool] $PrintAttestationRepoErr = $true; hidden static [bool] $IsOrgAttestationProjectFound = $false; # Flag to represent if Host proj(attestation repo) is avilable for org controls. FALSE => Project or Repo not yet found. hidden [AzSKSettings] $AzSKSettings; ControlStateExtension([OrganizationContext] $organizationContext, [InvocationInfo] $invocationContext) { $this.OrganizationContext = $organizationContext; $this.InvocationContext = $invocationContext; $this.ControlSettings = [ConfigurationManager]::LoadServerConfigFile("ControlSettings.json"); $this.AttestationBody = [ConfigurationManager]::LoadServerConfigFile("ADOAttestation.json"); if (!$this.AzSKSettings) { $this.AzSKSettings = [ConfigurationManager]::GetAzSKSettings(); } } static [string] ComputeHashX([string] $dataToHash) { return [Helpers]::ComputeHashShort($dataToHash, [Constants]::AttestationHashLen) } hidden [void] Initialize([bool] $CreateResourcesIfNotExists) { if([string]::IsNullOrWhiteSpace($this.UniqueRunId)) { $this.UniqueRunId = $(Get-Date -format "yyyyMMdd_HHmmss"); } # this function to check and set access permission $this.SetControlStatePermission(); #Reset attestation index file and set attestation index file present flag to get fresh index file from storage $this.ControlStateIndexer = $null; $this.IsControlStateIndexerPresent = $true } # fetch allowed group for attestation from setting file and check user is member of this group and set acccess permission hidden [void] SetControlStatePermission() { try { $this.HasControlStateWritePermissions = 1 } catch { $this.HasControlStateWritePermissions = 0 } } hidden [bool] ComputeControlStateIndexer() { try { $AzSKTemp = Join-Path $([Constants]::AzSKAppFolderPath) "Temp" | Join-Path -ChildPath $this.UniqueRunId | Join-Path -ChildPath "ServerControlState"; if(-not (Test-Path -Path $AzSKTemp)) { New-Item -ItemType Directory -Path $AzSKTemp -Force | Out-Null } $indexerObject = Get-ChildItem -Path (Join-Path $AzSKTemp $($this.IndexerBlobName)) -Force -ErrorAction Stop | Get-Content | ConvertFrom-Json } catch { #Write-Host $_ } #Cache code: Fetch index file only if index file is null and it is present on storage blob if(-not $this.ControlStateIndexer -and $this.IsControlStateIndexerPresent) { #Attestation index blob is not preset then return [ControlStateIndexer[]] $indexerObjects = @(); $this.ControlStateIndexer = $indexerObjects $AzSKTemp = Join-Path $([Constants]::AzSKAppFolderPath) "Temp" | Join-Path -ChildPath $this.UniqueRunId | Join-Path -ChildPath "ServerControlState"; if(-not (Test-Path -Path $AzSKTemp)) { New-Item -ItemType Directory -Path $AzSKTemp -Force | Out-Null } $indexerObject = @(); $loopValue = $this.retryCount; while($loopValue -gt 0) { $loopValue = $loopValue - 1; try { #FailedDownloadForControlStateIndexer is used if file present in repo then variable is false, if file not present then it goes to exception so variable value is true. #If file resent in repo with no content, there will be no exception in api call and respose body will be null $this.FailedDownloadForControlStateIndexer = $false $webRequestResult = $this.GetRepoFileContent( $this.IndexerBlobName ); if($webRequestResult){ $indexerObject = $webRequestResult } else { if ($this.FailedDownloadForControlStateIndexer -eq $false) { $this.IsControlStateIndexerPresent = $true } else { $this.IsControlStateIndexerPresent = $false } } $loopValue = 0; } catch{ #Attestation index blob is not preset then return $this.IsControlStateIndexerPresent = $false return $true; } } $this.ControlStateIndexer += $indexerObject; } return $true; } # set indexer for rescan post attestation hidden [PSObject] RescanComputeControlStateIndexer([string] $projectName, [string] $resourceType) { #$this.resourceType is used inside the GetProject method to get the project name for organization from extension storage, also return project for other resources $this.resourceType = $resourceType; if ($resourceType -eq "Organization" -or $resourceType -eq "Project") { $this.resourceName = $projectName } else { $this.resourceGroupName = $projectName } [PSObject] $ControlStateIndexerForRescan = $this.GetRepoFileContent($this.IndexerBlobName ); #setting below global variables null as needed for next resource. $this.resourceType = $null; $this.resourceName = ""; $this.resourceGroupName = ""; return $ControlStateIndexerForRescan; } #isRescan parameter is added to check if method is called from rescan. hidden [PSObject] GetControlState([string] $id, [string] $resourceType, [string] $resourceName, [string] $resourceGroupName, [bool] $isRescan = $false) { try { $this.resourceType = $resourceType; $this.resourceName = $resourceName $this.resourceGroupName = $resourceGroupName [ControlState[]] $controlStates = @(); if(!$this.GetProject()) { return $null; } # We reset ControlStateIndexer to null whenever we move to a new project (project context switch) if($this.resourceType -eq "Project" ){ $this.ControlStateIndexer = $null; $this.IsControlStateIndexerPresent = $true; } #getting resource.index for rescan [PSObject] $ControlStateIndexerForRescan = $null; [bool] $retVal = $true; if ($isRescan) { #this is to set project name from GetProject method $projectName = $resourceName; if ($resourceType -ne "Organization" -and $resourceType -ne "Project") { $projectName = $resourceGroupName } $ControlStateIndexerForRescan = $this.RescanComputeControlStateIndexer($projectName, $resourceType); #Above method setting below blobal variable null so settting them again. $this.resourceType = $resourceType; $this.resourceName = $resourceName $this.resourceGroupName = $resourceGroupName } else { $retVal = $this.ComputeControlStateIndexer(); } if(($null -ne $this.ControlStateIndexer -and $retVal) -or $isRescan) { $indexes = @(); if ($isRescan) { $indexes = $ControlStateIndexerForRescan; } else { $indexes += $this.ControlStateIndexer } if ($indexes) { $hashId = [ControlStateExtension]::ComputeHashX($id) $selectedIndex = $indexes | Where-Object { $_.HashId -eq $hashId} if(($selectedIndex | Measure-Object).Count -gt 0) { $hashId = $selectedIndex.HashId | Select-Object -Unique $controlStateBlobName = $hashId + ".json" $ControlStatesJson = $null; #Fetch attestation file content from repository $ControlStatesJson = $this.GetRepoFileContent($controlStateBlobName) if($ControlStatesJson ) { $retVal = $true; } else { $retVal = $false; } #$ControlStatesJson = Get-ChildItem -Path (Join-Path $AzSKTemp $controlStateBlobName) -Force | Get-Content | ConvertFrom-Json if($null -ne $ControlStatesJson) { $ControlStatesJson | ForEach-Object { try { $controlState = [ControlState] $_ $controlStates += $controlState; } catch { [EventBase]::PublishGenericException($_); } } } } } } if($this.resourceType -eq "Organization" ){ $this.ControlStateIndexer = $null; $this.IsControlStateIndexerPresent = $true; } return $controlStates; } catch{ if($this.resourceType -eq "Organization"){ $this.ControlStateIndexer = $null; $this.IsControlStateIndexerPresent = $true; } [EventBase]::PublishGenericException($_); return $null; } } hidden [void] SetControlState([string] $id, [ControlState[]] $controlStates, [bool] $Override, [string] $resourceType, [string] $resourceName, [string] $resourceGroupName) { $this.resourceType = $resourceType; $this.resourceName = $resourceName; $this.resourceGroupName = $resourceGroupName if(!$this.GetProject()) { return } $AzSKTemp = Join-Path $([Constants]::AzSKAppFolderPath) "Temp" | Join-Path -ChildPath $this.UniqueRunId | Join-Path -ChildPath "ServerControlState"; if(-not (Test-Path $(Join-Path $AzSKTemp "ControlState"))) { New-Item -ItemType Directory -Path $(Join-Path $AzSKTemp "ControlState") -ErrorAction Stop | Out-Null } else { Remove-Item -Path $(Join-Path $AzSKTemp "ControlState" | Join-Path -ChildPath '*' ) -Force -Recurse } $hash = [ControlStateExtension]::ComputeHashX($id) $indexerPath = Join-Path $AzSKTemp "ControlState" | Join-Path -ChildPath $this.IndexerBlobName; if(-not (Test-Path -Path (Join-Path $AzSKTemp "ControlState"))) { New-Item -ItemType Directory -Path (Join-Path $AzSKTemp "ControlState") -Force } $fileName = Join-Path $AzSKTemp "ControlState" | Join-Path -ChildPath ($hash+".json"); #Filter out the "Passed" controls $finalControlStates = $controlStates | Where-Object { $_.ActualVerificationResult -ne [VerificationResult]::Passed}; if(($finalControlStates | Measure-Object).Count -gt 0) { $this.IsPersistedControlStates = $false; if($Override) { $this.IsPersistedControlStates = $true; # in the case of override, just persist what is evaluated in the current context. No merging with older data $this.UpdateControlIndexer($id, $finalControlStates, $false); $finalControlStates = $finalControlStates | Where-Object { $_.State}; } else { #merge with the exiting if found $persistedControlStates = $this.GetPersistedControlStates("$hash.json"); $finalControlStates = $this.MergeControlStates($persistedControlStates, $finalControlStates); # COmmenting this code out. We will be handling encoding-decoding to b64 at SetStateData and WriteDetailedLogs.ps1 #$finalControl = @(); ##convert state data object to encoded string #foreach ($controls in $finalControlStates) { # # checking If state.DataObject is not empty and dataobject is not encode string, if control is already attested it will have encoded string # if ($controls.state.DataObject -and !($controls.state.DataObject -is [string]) ) { # try { # #when dataobject is empty it comes like {} and null check does not work it alwasys count 1 # if ($controls.state.DataObject.count -gt 0) { # $stateData = $controls.state.DataObject | ConvertTo-Json -Depth 10 # $encodedStateData =[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($stateData)) # $controls.state.DataObject = $encodedStateData; # } # } # catch { # #eat the exception # } # } # $finalControl += $controls; #} #$finalControlStates = $finalControl; $this.UpdateControlIndexer($id, $finalControlStates, $false); } } else { #purge would remove the entry from the control indexer and also purge the stale state json. $this.PurgeControlState($id); } if(($finalControlStates|Measure-Object).Count -gt 0) { [JsonHelper]::ConvertToJsonCustom($finalControlStates) | Out-File $fileName -Force } if($null -ne $this.ControlStateIndexer) { [JsonHelper]::ConvertToJsonCustom($this.ControlStateIndexer) | Out-File $indexerPath -Force $controlStateArray = Get-ChildItem -Path (Join-Path $AzSKTemp "ControlState") $controlStateArray | ForEach-Object { $state = $_; try { $this.UploadFileContent($state.FullName); } catch { $_ #eat this exception and retry } } } } [void] UploadFileContent( $FullName ) { $fileContent = Get-Content -Path $FullName -raw $fileName = $FullName.split('\')[-1]; $projectName = $this.GetProject(); $attestationRepo = [Constants]::AttestationRepo; #Get attesttion repo name from controlsetting file if AttestationRepo varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationRepo")) { $attestationRepo = $this.ControlSettings.AttestationRepo; } #Get attesttion repo name from local azsksettings.json file if AttestationRepo varibale value is not empty. if ($this.AzSKSettings.AttestationRepo) { $attestationRepo = $this.AzSKSettings.AttestationRepo; } $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken))) $uri = "https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/refs?api-version=6.0" -f $this.OrganizationContext.OrganizationName, $projectName, $attestationRepo try { $webRequest = Invoke-RestMethod -Uri $uri -Method Get -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} $branchName = [Constants]::AttestationDefaultBranch; #Get attesttion branch name from controlsetting file if AttestationBranch varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationBranch")) { $branchName = $this.ControlSettings.AttestationBranch; } #Get attesttion branch name from local azsksettings.json file if AttestationBranch varibale value is not empty. if ($this.AzSKSettings.AttestationBranch) { $branchName = $this.AzSKSettings.AttestationBranch; } $branchId = ($webRequest.value | where {$_.name -eq "refs/heads/"+$branchName}).ObjectId $uri = [Constants]::AttRepoStorageUri -f $this.OrganizationContext.OrganizationName, $projectName, $attestationRepo $body = $this.CreateBody($fileContent, $fileName, $branchId, $branchName); $webRequestResult = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Body $body if ($fileName -eq $this.IndexerBlobName) { $this.IsControlStateIndexerPresent = $true; } } catch { Write-Host "Error: Attestation denied.`nThis may be because: `n (a) $($attestationRepo) repository is not present in the project `n (b) you do not have write permission on the repository. `n" -ForegroundColor Red Write-Host "See more at https://aka.ms/adoscanner/attestation `n" -ForegroundColor Yellow } } [string] CreateBody([string] $fileContent, [string] $fileName, [string] $branchId, [string] $branchName){ $body = $this.AttestationBody.Post | ConvertTo-Json -Depth 10 $body = $body.Replace("{0}",$branchId) $body = $body.Replace("{2}", $this.CreatePath($fileName)) if ( $this.IsControlStateIndexerPresent -and $fileName -eq $this.IndexerBlobName ) { $body = $body.Replace("{1}","edit") } elseif ($this.IsPersistedControlStates -and $fileName -ne $this.IndexerBlobName ) { $body = $body.Replace("{1}","edit") } else { $body = $body.Replace("{1}","add") } $content = ($fileContent | ConvertTo-Json -Depth 10) -replace '^.|.$', '' $body = $body.Replace("{3}", $content) $body = $body.Replace("{4}", $branchName) return $body; } [string] CreatePath($fileName){ $path = $fileName if (!($this.resourceType -eq "Organization" -or $fileName -eq $this.IndexerBlobName) -and ($this.resourceType -ne "Project")) { $path = $this.resourceGroupName + "/" + $this.resourceType + "/" + $fileName; } elseif(!($this.resourceType -eq "Organization" -or $fileName -eq $this.IndexerBlobName)) { $path = $this.resourceName + "/" + $fileName; } return $path; } [string] GetProject(){ $projectName = ""; #If EnableMultiProjectAttestation is enabled and ProjectToStoreAttestation has project, only then ProjectToStoreAttestation will be used as central attestation location. if ([Helpers]::CheckMember($this.ControlSettings, "EnableMultiProjectAttestation") -and [Helpers]::CheckMember($this.ControlSettings, "ProjectToStoreAttestation")) { return $this.ControlSettings.ProjectToStoreAttestation; } if ($this.resourceType -eq "Organization" -or $this.resourceType -eq $null) { if($this.InvocationContext) { #Get project name from ext storage to fetch org attestation $projectName = $this.GetProjectNameFromExtStorage(); $printCentralOrgPolicyMessage = $false; #If not found then check if 'PolicyProject' parameter is provided in command if ([string]::IsNullOrEmpty($projectName)) { $projectName = [AzSKSettings]::InvocationContext.BoundParameters["PolicyProject"]; if(-not [string]::IsNullOrEmpty($projectName)) { # Handle the case of org policy hosted in another Org $policyProjectOrgInfo = $projectName.split("/"); if ($policyProjectOrgInfo.length -eq 2) { $printCentralOrgPolicyMessage = $true; $projectName = $null; } } if ([string]::IsNullOrEmpty($projectName)) { #TODO: azsk setting fetching and add comment for EnableOrgControlAttestation if (!$this.AzSKSettings) { $this.AzSKSettings = [ConfigurationManager]::GetAzSKSettings(); } $projectName = $this.AzSKSettings.PolicyProject if(-not [string]::IsNullOrEmpty($projectName)) { # Handle the case of org policy hosted in another Org $policyProjectOrgInfo = $projectName.split("/"); if ($policyProjectOrgInfo.length -eq 2) { $projectName = $null; $printCentralOrgPolicyMessage = $true; } } $enableOrgControlAttestation = $this.AzSKSettings.EnableOrgControlAttestation if([string]::IsNullOrEmpty($projectName) -and $printCentralOrgPolicyMessage -eq $true -and $enableOrgControlAttestation) { Write-Host "Attestation is not enabled for centralized org policy." -ForegroundColor Red } if([string]::IsNullOrEmpty($projectName)) { if ($this.PrintParamPolicyProjErr -eq $true -and $enableOrgControlAttestation -eq $true) { Write-Host -ForegroundColor Yellow "Could not fetch attestation-project-name. `nYou can: `n`r(a) Run Set-AzSKADOMonitoringSetting -PolicyProject '<PolicyProjectName>' or `n`r(b) Use '-PolicyProject' parameter to specify the host project containing attestation details of organization controls." $this.PrintParamPolicyProjErr = $false; } } } #If $projectName was set in the above if clause - we need to next validate whether this project has an attestattion repo as shown below. if(-not [string]::IsNullOrEmpty($projectName)) { if ([ControlStateExtension]::IsOrgAttestationProjectFound -eq $false) { #Validate if Attestation repo is available in policy project $attestationRepo = [Constants]::AttestationRepo; try { $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken))) #Get attesttion repo name from controlsetting file if AttestationRepo varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationRepo")) { $attestationRepo = $this.ControlSettings.AttestationRepo; } #Get attesttion repo name from local azsksettings.json file if AttestationRepo varibale value is not empty. if ($this.AzSKSettings.AttestationRepo) { $attestationRepo = $this.AzSKSettings.AttestationRepo; } $uri = "https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/refs?api-version=6.0" -f $this.OrganizationContext.OrganizationName, $projectName, $attestationRepo $webRequest = Invoke-RestMethod -Uri $uri -Method Get -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} [ControlStateExtension]::IsOrgAttestationProjectFound = $true # Policy project and repo found } catch { $projectName = ""; #2010 ToDO: [ControlStateExtension]::IsOrgAttestationProjectFound = $false # Policy project and repo found if ($this.PrintAttestationRepoErr -eq $true) { Write-Host -ForegroundColor Yellow "Could not find attestation repo [$($attestationRepo)] in the policy project." $this.PrintAttestationRepoErr = $false; } # eat exception. This means attestation repo was not found # attestation repo is required to scan org controls and send hasrequiredaccess as true } } } }} } elseif($this.resourceType -eq "Project" ) { $projectName = $this.resourceName } else { $projectName = $this.resourceGroupName } return $projectName; } [string] GetProjectNameFromExtStorage() { try { $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken))) $uri = [Constants]::StorageUri -f $this.OrganizationContext.OrganizationName, $this.OrganizationContext.OrganizationName, [Constants]::OrgAttPrjExtFile $webRequestResult = Invoke-RestMethod -Uri $uri -Method Get -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} #If repo is not found, we will fall into the catch block from IRM call above [ControlStateExtension]::IsOrgAttestationProjectFound = $true # Policy project found return $webRequestResult.Project } catch { #2010 ToDo: [ControlStateExtension]::IsOrgAttestationProjectFound = $false # Policy project not found return $null; } } [bool] SetProjectInExtForOrg() { $projectName = $this.InvocationContext.BoundParameters["AttestationHostProjectName"] $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $rmContext.AccessToken))) $fileName = [Constants]::OrgAttPrjExtFile $apiURL = "https://dev.azure.com/{0}/_apis/projects/{1}?api-version=6.0" -f $($this.OrganizationContext.OrganizationName), $projectName; try { $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL) ; #$projects = $responseObj | Where-Object { $projectName -contains $_.name } #if ($null -eq $projects) { # Write-Host "$($projectName) Project not found: Incorrect project name or you do not have neccessary permission to access the project." -ForegroundColor Red # return $false #} } catch { Write-Host "$($projectName) Project not found: Incorrect project name or you do not have necessary permission to access the project." -ForegroundColor Red return $false } $uri = [Constants]::StorageUri -f $this.OrganizationContext.OrganizationName, $this.OrganizationContext.OrganizationName, $fileName try { $webRequestResult = Invoke-RestMethod -Uri $uri -Method Get -ContentType "application/json" -Headers @{Authorization = ("Basic {0}" -f $base64AuthInfo) } Write-Host "Project $($webRequestResult.Project) is already configured to store attestation details for organization-specific controls." -ForegroundColor Yellow } catch { $body = @{"id" = "$fileName"; "Project" = $projectName; } | ConvertTo-Json $uri = [Constants]::StorageUri -f $this.OrganizationContext.OrganizationName, $this.OrganizationContext.OrganizationName, $fileName try { $webRequestResult = Invoke-RestMethod -Uri $uri -Method Put -ContentType "application/json" -Headers @{Authorization = ("Basic {0}" -f $base64AuthInfo) } -Body $body return $true; } catch { Write-Host "Error: Could not configure host project for attestation of org-specific controls because 'ADOSecurityScanner' extension is not installed in your organization." -ForegroundColor Red } } return $false; } [PSObject] GetRepoFileContent($fileName) { $projectName = $this.GetProject(); $branchName = [Constants]::AttestationDefaultBranch #Get attesttion branch name from controlsetting file if AttestationBranch varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationBranch")) { $branchName = $this.ControlSettings.AttestationBranch; } #Get attesttion branch name from local azsksettings.json file if AttestationBranch varibale value is not empty. if ($this.AzSKSettings.AttestationBranch) { $branchName = $this.AzSKSettings.AttestationBranch; } $fileName = $this.CreatePath($fileName); $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken))) try { $attestationRepo = [Constants]::AttestationRepo; #Get attesttion repo name from controlsetting file if AttestationRepo varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationRepo")) { $attestationRepo = $this.ControlSettings.AttestationRepo; } #Get attesttion repo name from local azsksettings.json file if AttestationRepo varibale value is not empty. if ($this.AzSKSettings.AttestationRepo) { $attestationRepo = $this.AzSKSettings.AttestationRepo; } $uri = [Constants]::GetAttRepoStorageUri -f $this.OrganizationContext.OrganizationName, $projectName, $attestationRepo, $fileName, $branchName $webRequestResult = Invoke-RestMethod -Uri $uri -Method Get -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} if ($webRequestResult) { # COmmenting this code out. We will be handling encoding-decoding to b64 at SetStateData and WriteDetailedLogs.ps1 #if($fileName -ne $this.IndexerBlobName) #{ # #convert back state data from encoded string # $attestationData = @(); # foreach ($controls in $webRequestResult) # { # if($controls.State.DataObject -is [string]) # { # $controls.State.DataObject = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($controls.State.DataObject)) | ConvertFrom-Json # } # $attestationData += $controls; # } # $webRequestResult = $attestationData; #} return $webRequestResult } return $null; } catch{ if ($fileName -eq $this.IndexerBlobName) { $this.FailedDownloadForControlStateIndexer = $true } return $null; } } [void] RemoveAttestationData($fileName) { $projectName = $this.GetProject(); $fileName = $this.CreatePath($fileName); $attestationRepo = [Constants]::AttestationRepo; #Get attesttion repo name from controlsetting file if AttestationRepo varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationRepo")) { $attestationRepo = $this.ControlSettings.AttestationRepo; } #Get attesttion repo name from local azsksettings.json file if AttestationRepo varibale value is not empty. if ($this.AzSKSettings.AttestationRepo) { $attestationRepo = $this.AzSKSettings.AttestationRepo; } $rmContext = [ContextHelper]::GetCurrentContext(); $user = ""; $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$rmContext.AccessToken))) $uri = "https://dev.azure.com/{0}/{1}/_apis/git/repositories/{2}/refs?api-version=6.0" -f $this.OrganizationContext.OrganizationName, $projectName, $attestationRepo $webRequest = Invoke-RestMethod -Uri $uri -Method Get -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} $branchId = ($webRequest.value | where {$_.name -eq 'refs/heads/master'}).ObjectId $body = $this.AttestationBody.Delete | ConvertTo-Json -Depth 10; $body = $body.Replace('{0}',$branchId) $body = $body.Replace('{1}',$fileName) $branchName = [Constants]::AttestationDefaultBranch; #Get attesttion branch name from controlsetting file if AttestationBranch varibale value is not empty. if ([Helpers]::CheckMember($this.ControlSettings,"AttestationBranch")) { $branchName = $this.ControlSettings.AttestationBranch; } #Get attesttion branch name from local azsksettings.json file if AttestationBranch varibale value is not empty. if ($this.AzSKSettings.AttestationBranch) { $branchName = $this.AzSKSettings.AttestationBranch; } $body = $body.Replace('{2}',$branchName) try { $uri = [Constants]::AttRepoStorageUri -f $this.OrganizationContext.OrganizationName, $projectName, $attestationRepo $webRequestResult = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/json" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Body $body } catch{ Write-Host "Could not remove attastation for: " + $fileName; Write-Host $_ } } hidden [void] PurgeControlState([string] $id) { $AzSKTemp = Join-Path $([Constants]::AzSKAppFolderPath) "Temp" | Join-Path -ChildPath $this.UniqueRunId | Join-Path -ChildPath "ServerControlState"; if(-not (Test-Path $(Join-Path $AzSKTemp "ControlState"))) { New-Item -ItemType Directory -Path (Join-Path $AzSKTemp "ControlState") -ErrorAction Stop | Out-Null } else { Remove-Item -Path $(Join-Path $AzSKTemp "ControlState" | Join-Path -ChildPath '*') -Force -Recurse } $hash = [ControlStateExtension]::ComputeHashX($id); $indexerPath = Join-Path $AzSKTemp "ControlState" | Join-Path -ChildPath $this.IndexerBlobName ; $fileName = Join-Path $AzSKTemp "ControlState" | Join-Path -ChildPath ("$hash.json"); $this.UpdateControlIndexer($id, $null, $true); if($null -ne $this.ControlStateIndexer) { [JsonHelper]::ConvertToJsonCustom($this.ControlStateIndexer) | Out-File $indexerPath -Force $controlStateArray = Get-ChildItem -Path (Join-Path $AzSKTemp "ControlState"); $controlStateArray | ForEach-Object { $state = $_ $loopValue = $this.retryCount; while($loopValue -gt 0) { $loopValue = $loopValue - 1; try { $this.UploadFileContent($state.FullName); $loopValue = 0; } catch { #eat this exception and retry } } } } try { $hashFile = "$hash.json"; $this.RemoveAttestationData($hashFile) } catch { #eat this exception and retry } } hidden [ControlState[]] GetPersistedControlStates([string] $controlStateBlobName) { $AzSKTemp = Join-Path $([Constants]::AzSKAppFolderPath) "Temp" | Join-Path -ChildPath $this.UniqueRunId | Join-Path -ChildPath "ServerControlState"; if(-not (Test-Path (Join-Path $AzSKTemp "ExistingControlStates"))) { New-Item -ItemType Directory -Path (Join-Path $AzSKTemp "ExistingControlStates") -ErrorAction Stop | Out-Null } [ControlState[]] $ControlStatesJson = @() $loopValue = $this.retryCount; while($loopValue -gt 0) { $loopValue = $loopValue - 1; try { #$ControlStatesJson = @() $ControlStatesJson = $this.GetRepoFileContent($controlStateBlobName) if ($ControlStatesJson) { $this.IsPersistedControlStates = $true } $loopValue = 0; } catch { $this.IsPersistedControlStates = $false; #$ControlStatesJson = @() #eat this exception and retry } } return $ControlStatesJson } hidden [ControlState[]] MergeControlStates([ControlState[]] $persistedControlStates,[ControlState[]] $controlStates) { [ControlState[]] $computedControlStates = $controlStates; if(($computedControlStates | Measure-Object).Count -le 0) { $computedControlStates = @(); } if(($persistedControlStates | Measure-Object).Count -gt 0) { $persistedControlStates | ForEach-Object { $controlState = $_; if(($computedControlStates | Where-Object { ($_.InternalId -eq $controlState.InternalId) -and ($_.ChildResourceName -eq $controlState.ChildResourceName) } | Measure-Object).Count -le 0) { $computedControlStates += $controlState; } } } #remove the control states with null state which would be in the case of clear attestation. $computedControlStates = $computedControlStates | Where-Object { $_.State} return $computedControlStates; } hidden [void] UpdateControlIndexer([string] $id, [ControlState[]] $controlStates, [bool] $ToBeDeleted) { $this.ControlStateIndexer = $null; $retVal = $this.ComputeControlStateIndexer(); if($retVal) { $tempHash = [ControlStateExtension]::ComputeHashX($id); #take the current indexer value $filteredIndexerObject = $null; $filteredIndexerObject2 = $null; if ($this.ControlStateIndexer -and ($this.ControlStateIndexer | Measure-Object).Count -gt 0) { $filteredIndexerObject = $this.ControlStateIndexer | Where-Object { $_.HashId -eq $tempHash} #remove the current index from the list $filteredIndexerObject2 = $this.ControlStateIndexer | Where-Object { $_.HashId -ne $tempHash} } $this.ControlStateIndexer = @(); if($filteredIndexerObject2) { $this.ControlStateIndexer += $filteredIndexerObject2 } if(-not $ToBeDeleted) { $currentIndexObject = $null; #check if there is an existing index and the controlstates are present for that index resource if(($filteredIndexerObject | Measure-Object).Count -gt 0 -and ($controlStates | Measure-Object).Count -gt 0) { $currentIndexObject = $filteredIndexerObject; if(($filteredIndexerObject | Measure-Object).Count -gt 1) { $currentIndexObject = $filteredIndexerObject | Select-Object -Last 1 } $currentIndexObject.AttestedBy = [ContextHelper]::GetCurrentSessionUser(); $currentIndexObject.AttestedDate = [DateTime]::UtcNow; $currentIndexObject.Version = "1.0"; } elseif(($controlStates | Measure-Object).Count -gt 0) { $currentIndexObject = [ControlStateIndexer]::new(); $currentIndexObject.ResourceId = $id $currentIndexObject.HashId = $tempHash; $currentIndexObject.AttestedBy = [ContextHelper]::GetCurrentSessionUser(); $currentIndexObject.AttestedDate = [DateTime]::UtcNow; $currentIndexObject.Version = "1.0"; } if($null -ne $currentIndexObject) { $this.ControlStateIndexer += $currentIndexObject; } } } } [bool] HasControlStateReadAccessPermissions() { if($this.HasControlStateReadPermissions -le 0) { return $false; } else { return $true; } } [void] SetControlStateReadAccessPermissions([int] $value) { $this.HasControlStateReadPermissions = $value } [void] SetControlStateWriteAccessPermissions([int] $value) { $this.HasControlStateWritePermissions = $value } [bool] HasControlStateWriteAccessPermissions() { if($this.HasControlStateWritePermissions -le 0) { return $false; } else { return $true; } } [bool] GetControlStatePermission([string] $featureName, [string] $resourceName) { try { $this.HasControlStateWritePermissions = 0 $allowedGrpForOrgAtt = $this.ControlSettings.GroupsWithAttestPermission | where { $_.ResourceType -eq "Organization" } | select-object -property GroupNames $url= "https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.1-preview" -f $($this.OrganizationContext.OrganizationName); $postbody="{'contributionIds':['ms.vss-admin-web.org-admin-groups-data-provider'],'dataProviderContext':{'properties':{'sourcePage':{'url':'https://dev.azure.com/$($this.OrganizationContext.OrganizationName)/_settings/groups','routeId':'ms.vss-admin-web.collection-admin-hub-route','routeValues':{'adminPivot':'groups','controller':'ContributedPage','action':'Execute'}}}}}" | ConvertFrom-Json $groupsOrgObj = [WebRequestHelper]::InvokePostWebRequest($url,$postbody); $groupsOrgObj = $groupsOrgObj.dataProviders.'ms.vss-admin-web.org-admin-groups-data-provider'.identities | where { $allowedGrpForOrgAtt.GroupNames -contains $_.displayName } if($this.CheckGroupMemberPCA($groupsOrgObj.descriptor)){ return $true; } if($featureName -ne "Organization") { $allowedGrpForAtt = $this.ControlSettings.GroupsWithAttestPermission | where { $_.ResourceType -eq $featureName } | select-object -property GroupNames $url = 'https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1' -f $($this.OrganizationContext.OrganizationName); $inputbody = '{"contributionIds":["ms.vss-admin-web.org-admin-groups-data-provider"],"dataProviderContext":{"properties":{"sourcePage":{"url":"","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"","adminPivot":"permissions","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $inputbody.dataProviderContext.properties.sourcePage.url = "https://dev.azure.com/$($this.OrganizationContext.OrganizationName)/$($resourceName)/_settings/permissions"; $inputbody.dataProviderContext.properties.sourcePage.routeValues.Project =$resourceName; $groupsObj = [WebRequestHelper]::InvokePostWebRequest($url,$inputbody); $groupsObj = $groupsObj.dataProviders."ms.vss-admin-web.org-admin-groups-data-provider".identities | where { $allowedGrpForAtt.GroupNames -contains $_.displayName } foreach ($group in $groupsObj) { if($this.CheckGroupMemberPA($group.descriptor,$resourceName)){ return $true; } } } if($this.HasControlStateWritePermissions -gt 0) { return $true } else { return $false } } catch { $this.HasControlStateWritePermissions = 0 return $false; } } [bool] CheckGroupMemberPA($descriptor,[string] $resourceName) { <# $inputbody = '{"contributionIds":["ms.vss-admin-web.org-admin-members-data-provider"],"dataProviderContext":{"properties":{"subjectDescriptor":"","sourcePage":{"url":"","routeId":"ms.vss-admin-web.collection-admin-hub-route","routeValues":{"adminPivot":"groups","controller":"ContributedPage","action":"Execute"}}}}}' | ConvertFrom-Json $inputbody.dataProviderContext.properties.subjectDescriptor = $descriptor; $inputbody.dataProviderContext.properties.sourcePage.url = "https://dev.azure.com/$($this.OrganizationContext.OrganizationName)/_settings/groups?subjectDescriptor=$($descriptor)"; $apiURL = "https://dev.azure.com/{0}/_apis/Contribution/HierarchyQuery?api-version=5.0-preview" -f $($this.OrganizationContext.OrganizationName); $groupMembersObj = [WebRequestHelper]::InvokePostWebRequest($apiURL,$inputbody); $users = $groupMembersObj.dataProviders."ms.vss-admin-web.org-admin-members-data-provider".identities | where {$_.subjectKind -eq "user"} if($null -ne $users){ $currentUser = [ContextHelper]::GetCurrentSessionUser(); $grpmember = ($users | where { $_.mailAddress -eq $currentUser } ); if ($null -ne $grpmember ) { $this.HasControlStateWritePermissions = 1 return $true; } } if($this.HasControlStateWritePermissions -gt 0) { return $true } else { return $false }#> $isUserPA=[AdministratorHelper]::GetIsCurrentUserPA($descriptor,$this.OrganizationContext.OrganizationName,$resourceName); if($isUserPA -eq $true){ $this.HasControlStateWritePermissions = 1 return $true; } if($this.HasControlStateWritePermissions -gt 0) { return $true } else { return $false } } [bool] CheckGroupMemberPCA($descriptor){ $isUserPCA=[AdministratorHelper]::GetIsCurrentUserPCA($descriptor,$this.OrganizationContext.OrganizationName); if($isUserPCA -eq $true){ $this.HasControlStateWritePermissions = 1 return $true; } if($this.HasControlStateWritePermissions -gt 0) { return $true } else { return $false } } } # SIG # Begin signature block # MIIoLQYJKoZIhvcNAQcCoIIoHjCCKBoCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDzD6oK+67MzfTD # mecs7qpAgpNgi/amWx6FvlgSa7rs3aCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGg0wghoJAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIGtPCkw1xNVSO9CFzOKRJLHu # RlulsozKkLWbL7m3swgyMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAojjiGRBFTR3H/xBURgXhRwYBZYUNNFVK/MnkoUbjxr7E23XD1ULHby9d # f6lfNGzjTiECltpCEnqx+7qJKBH+iAXarbnBBaTG+306KjAcZztsm0Sp+nWIeWdU # 2hyW118/pmfkwZ40mYHQHRYuT6I0RjyZJq00+vylJ3PYepnVAWSyWh+Mpv2QnsYz # bTbQeiGqzRpnjT1ZOPAemqr97X1XeIRgBJViPbhMM3G0aM7TfJMdnV/KEmeVxOMR # O4WETYtu1J/GwlqwQmLLEk2Avr10XIuyj+VTedgZhYs8EEawJfXuRTpbKog57WCy # xhT9SY1q5BWtNuVR4gDLNaLoR2e0OaGCF5cwgheTBgorBgEEAYI3AwMBMYIXgzCC # F38GCSqGSIb3DQEHAqCCF3AwghdsAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFSBgsq # hkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCAAuoi7rjjAwSiJgc54Zh7qMCo/nR+2j4aR7MA4Gam16QIGZeeoDS96 # GBMyMDI0MDMxMTEwNDMzNi45ODNaMASAAgH0oIHRpIHOMIHLMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046OTYwMC0w # NUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Wg # ghHtMIIHIDCCBQigAwIBAgITMwAAAe+JP1ahWMyo2gABAAAB7zANBgkqhkiG9w0B # AQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD # VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0yMzEyMDYxODQ1 # NDhaFw0yNTAzMDUxODQ1NDhaMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z # MScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046OTYwMC0wNUUwLUQ5NDcxJTAjBgNV # BAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCjC1jinwzgHwhOakZqy17oE4BIBKsm5kX4DUmCBWI0 # lFVpEiK5mZ2Kh59soL4ns52phFMQYGG5kypCipungwP9Nob4VGVE6aoMo5hZ9Nyt # XR5ZRgb9Z8NR6EmLKICRhD4sojPMg/RnGRTcdf7/TYvyM10jLjmLyKEegMHfvIwP # mM+AP7hzQLfExDdqCJ2u64Gd5XlnrFOku5U9jLOKk1y70c+Twt04/RLqruv1fGP8 # LmYmtHvrB4TcBsADXSmcFjh0VgQkX4zXFwqnIG8rgY+zDqJYQNZP8O1Yo4kSckHT # 43XC0oM40ye2+9l/rTYiDFM3nlZe2jhtOkGCO6GqiTp50xI9ITpJXi0vEek8AejT # 4PKMEO2bPxU63p63uZbjdN5L+lgIcCNMCNI0SIopS4gaVR4Sy/IoDv1vDWpe+I28 # /Ky8jWTeed0O3HxPJMZqX4QB3I6DnwZrHiKn6oE38tgBTCCAKvEoYOTg7r2lF0Iu # bt/3+VPvKtTCUbZPFOG8jZt9q6AFodlvQntiolYIYtqSrLyXAQIlXGhZ4gNcv4dv # 1YAilnbWA9CsnYh+OKEFr/4w4M69lI+yaoZ3L/t/UfXpT/+yc7hS/FolcmrGFJTB # YlS4nE1cuKblwZ/UOG26SLhDONWXGZDKMJKN53oOLSSk4ldR0HlsbT4heLlWlOEl # JQIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFO1MWqKFwrCbtrw9P8A63bAVSJzLMB8G # A1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8GA1UdHwRYMFYwVKBSoFCG # Tmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY3Jvc29mdCUy # MFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBsBggrBgEFBQcBAQRgMF4w # XAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2Vy # dHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3J0MAwG # A1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDgYDVR0PAQH/BAQD # AgeAMA0GCSqGSIb3DQEBCwUAA4ICAQAYGZa3aCDudbk9EVdkP8xcQGZuIAIPRx9K # 1CA7uRzBt80fC0aWkuYYhQMvHHJRHUobSM4Uw3zN7fHEN8hhaBDb9NRaGnFWdtHx # mJ9eMz6Jpn6KiIyi9U5Og7QCTZMl17n2w4eddq5vtk4rRWOVvpiDBGJARKiXWB9u # 2ix0WH2EMFGHqjIhjWUXhPgR4C6NKFNXHvWvXecJ2WXrJnvvQGXAfNJGETJZGpR4 # 1nUN3ijfiCSjFDxamGPsy5iYu904Hv9uuSXYd5m0Jxf2WNJSXkPGlNhrO27pPxgT # 111myAR61S3S2hc572zN9yoJEObE98Vy5KEM3ZX53cLefN81F1C9p/cAKkE6u9V6 # ryyl/qSgxu1UqeOZCtG/iaHSKMoxM7Mq4SMFsPT/8ieOdwClYpcw0CjZe5KBx2xL # a4B1neFib8J8/gSosjMdF3nHiyHx1YedZDtxSSgegeJsi0fbUgdzsVMJYvqVw52W # qQNu0GRC79ZuVreUVKdCJmUMBHBpTp6VFopL0Jf4Srgg+zRD9iwbc9uZrn+89odp # InbznYrnPKHiO26qe1ekNwl/d7ro2ItP/lghz0DoD7kEGeikKJWHdto7eVJoJhkr # UcanTuUH08g+NYwG6S+PjBSB/NyNF6bHa/xR+ceAYhcjx0iBiv90Mn0JiGfnA2/h # Lj5evhTcAjCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZI # hvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # MjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAy # MDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMC # VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV # BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp # bWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC # AQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25Phdg # M/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPF # dvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6 # GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBp # Dco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50Zu # yjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3E # XzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0 # lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1q # GFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ # +QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PA # PBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkw # EgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxG # NSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARV # MFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAK # BggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC # AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX # zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v # cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI # KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG # 9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0x # M7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmC # VgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449 # xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wM # nosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDS # PeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2d # Y3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxn # GSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+Crvs # QWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokL # jzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL # 6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggNQ # MIICOAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEn # MCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjk2MDAtMDVFMC1EOTQ3MSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEwBwYFKw4DAhoDFQBL # cI81gxbea1Ex2mFbXx7ck+0g/6CBgzCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6Zi9gDAiGA8yMDI0MDMxMDIzMTUx # MloYDzIwMjQwMzExMjMxNTEyWjB3MD0GCisGAQQBhFkKBAExLzAtMAoCBQDpmL2A # AgEAMAoCAQACAgpkAgH/MAcCAQACAhQUMAoCBQDpmg8AAgEAMDYGCisGAQQBhFkK # BAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEAAgMBhqAwDQYJ # KoZIhvcNAQELBQADggEBACKc3QI6aOQoLuqzSZlh3JFhyRxIbjKzn+qitnu6jXZL # LFDxlVUhPdhr0ulwtiLokFLwzWOeWQiclgBV+3oRS/gY6DoE+rZozO0SF15WtrGX # 3OPvLp+9K6buxf7bv2C0P6lznC1XrQKXFMZMJkg0DLm+OboPCJAwO8ULLjWLIDKD # CGIlRUAr1NWxDJsBGVTIqhEyGVKyvfX09EjFGkpk+Ou0PIkTNYHDQl6tX2/w5DB8 # iPlHJ5mtjpKtLpI+fTOPVwjLl/IXI5V6IzX+JVyfe+6wzRI2Cgdx+NjaTUrlRHCO # Y+jX9Xbl7jtVb/GkPvakh6OkYFxx1vMz5uOV6GmOKiAxggQNMIIECQIBATCBkzB8 # MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVk # bW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1N # aWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAe+JP1ahWMyo2gABAAAB # 7zANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEE # MC8GCSqGSIb3DQEJBDEiBCAqKtcjyW5HZUB7U0CITvEH/Y3UA6WrCsgoFDR0MImR # VjCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIPBhKEW4Fo3wUz09NQx2a0Db # cdsX8jovM5LizHmnyX+jMIGYMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB # IDIwMTACEzMAAAHviT9WoVjMqNoAAQAAAe8wIgQgMM9NfhtFdP/Bme1IcMLQdrLj # a6YrsnCuUv7Q/hXPJkIwDQYJKoZIhvcNAQELBQAEggIANRVVpIgQIZLSI4/8oD0X # EXBEE8zU9DKyNRg0VlJbmzh2xJFPC36UNScidMIFaaEz2yOSSiXiJupUJ5KA4Hqg # uBWgmjeuPBzbswDYdFFs/KKVFruGkd0cWuvRBgy3KSu/9eVCAhUSMd5GrrkM06B/ # rwTGPXE3SsRyHwoJeQUMB2qRWOxhHFB2Sj61C5Ks5cQExNbb8S/SQqQZHVb/ccrG # XriJ4gvrGsHZ27HUTwNZFEWP74s+13udrAHg8d/j8xGI2bSU+rhbIKmvhaTADInY # Gh7BRQjfXCfrEDl7P+DzwpmDMz3cUR3DDUCKdViKCmYMXX6g94EF5jPMK1sYH3VZ # SXWcrcyEM5SN5c9gpq9hZxspO6jGXQf3pEZ+GWfCZnRdptMn+bFSG/tS+FOCP6oZ # O0Dvt6nLvjtdajNZkzgEu0LoRRw/KYwyKJsw3TxsA4qhrA5tdfS3Ua4aPPFaAvOj # TbSdjimA77XKOJvyrtPJWes20dpyzHUKTUMnVHjexYlvMq+uMwjbA+uSAf7OHdw0 # OVbwX3LulfoaAzlfFTdW87+ifsXDQ70C+rpjMlLjzK7eY6lq4cWphV4SnKhKCw8s # SruDBym2o8mY02VDJUu0EvxxrBu2Bd72r0bLIzIKmrHBZXqrHo/xr3W6i1i4OdKY # zj4GIvYYTyvKZQULLD/dbj0= # SIG # End signature block |