Framework/Core/SVT/ADO/ADO.AgentPool.ps1
|
Set-StrictMode -Version Latest class AgentPool: ADOSVTBase { hidden [PSObject] $AgentObj; # This is used for fetching agent pool details hidden [PSObject] $ProjectId; hidden [PSObject] $AgentPoolId; hidden [PSObject] $agentPool; # This is used to fetch agent details in pool hidden [PSObject] $agentPoolActivityDetail = @{isAgentPoolActive = $true; agentPoolLastRunDate = $null; agentPoolCreationDate = $null; message = $null; isComputed = $false}; AgentPool([string] $organizationName, [SVTResource] $svtResource): Base($organizationName,$svtResource) { $this.AgentPoolId = ($this.ResourceContext.ResourceId -split "agentpool/")[-1] $this.ProjectId = ($this.ResourceContext.ResourceId -split "project/")[-1].Split('/')[0] $apiURL = "https://dev.azure.com/$($this.OrganizationContext.OrganizationName)/_apis/securityroles/scopes/distributedtask.agentqueuerole/roleassignments/resources/$($this.ProjectId)_$($this.AgentPoolId)"; $this.AgentObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL); # if agent pool activity check function is not computed, then first compute the function to get the correct status of agent pool. if($this.agentPoolActivityDetail.isComputed -eq $false) { $this.CheckActiveAgentPool() } # overiding the '$this.isResourceActive' global variable based on the current status of agent pool. if ($this.agentPoolActivityDetail.isAgentPoolActive) { $this.isResourceActive = $true } else { $this.isResourceActive = $false } # calculating the inactivity period in days for the agent pool. If there is no use history, then setting it with negative value. # This will ensure inactive period is always computed irrespective of whether inactive control is scanned or not. if ($null -ne $this.agentPoolActivityDetail.agentPoolLastRunDate) { $this.InactiveFromDays = ((Get-Date) - $this.agentPoolActivityDetail.agentPoolLastRunDate).Days } } hidden [ControlResult] CheckRBACAccess([ControlResult] $controlResult) { if(($this.AgentObj | Measure-Object).Count -gt 0) { $roles = @(); $roles += ($this.AgentObj | Select-Object -Property @{Name="Name"; Expression = {$_.identity.displayName}},@{Name="Role"; Expression = {$_.role.displayName}}); $controlResult.AddMessage("Total number of identities that have access to agent pool: ", ($roles | Measure-Object).Count); $controlResult.AddMessage([VerificationResult]::Verify,"Validate whether following identities have been provided with minimum RBAC access to agent pool.", $roles); $controlResult.SetStateData("Validate whether following identities have been provided with minimum RBAC access to agent pool.", $roles); $controlResult.AdditionalInfo += "Total number of identities that have access to agent pool: " + ($roles | Measure-Object).Count; } elseif(($this.AgentObj | Measure-Object).Count -eq 0) { $controlResult.AddMessage([VerificationResult]::Passed,"No role assignment found") } return $controlResult } hidden [ControlResult] CheckInheritedPermissions([ControlResult] $controlResult) { if(($this.AgentObj | Measure-Object).Count -gt 0) { $inheritedRoles = $this.AgentObj | Where-Object {$_.access -eq "inherited"} if( ($inheritedRoles | Measure-Object).Count -gt 0) { $roles = @(); $roles += ($inheritedRoles | Select-Object -Property @{Name="Name"; Expression = {$_.identity.displayName}},@{Name="Role"; Expression = {$_.role.displayName}}); $controlResult.AddMessage("Total number of inherited role assignments on agent pool: ", ($roles | Measure-Object).Count); $controlResult.AddMessage([VerificationResult]::Failed,"Found inherited role assignments on agent pool.", $roles); $controlResult.SetStateData("Found inherited role assignments on agent pool.", $roles); $controlResult.AdditionalInfo += "Total number of inherited role assignments on agent pool: " + ($roles | Measure-Object).Count; } else { $controlResult.AddMessage([VerificationResult]::Passed,"No inherited role assignments found.") } } elseif(($this.AgentObj | Measure-Object).Count -eq 0) { $controlResult.AddMessage([VerificationResult]::Passed,"No role assignment found.") } return $controlResult } hidden [ControlResult] CheckOrgAgtAutoProvisioning([ControlResult] $controlResult) { try { #Only agent pools created from org setting has this settings.. $agentPoolsURL = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $($this.OrganizationContext.OrganizationName), $this.ResourceContext.resourcename; $agentPoolsObj = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); if ((($agentPoolsObj | Measure-Object).Count -gt 0) -and $agentPoolsObj.autoProvision -eq $true) { $controlResult.AddMessage([VerificationResult]::Failed,"Auto-provisioning is enabled for the $($agentPoolsObj.name) agent pool."); } else { $controlResult.AddMessage([VerificationResult]::Passed,"Auto-provisioning is not enabled for the agent pool."); } $agentPoolsObj =$null; } catch{ $controlResult.AddMessage([VerificationResult]::Manual,"Could not fetch agent pool details."); } return $controlResult } hidden [ControlResult] CheckAutoUpdate([ControlResult] $controlResult) { try { #autoUpdate setting is available only at org level settings. $agentPoolsURL = "https://dev.azure.com/{0}/_apis/distributedtask/pools?poolName={1}&api-version=6.0" -f $($this.OrganizationContext.OrganizationName), $this.ResourceContext.resourcename; $agentPoolsObj = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); if([Helpers]::CheckMember($agentPoolsObj,"autoUpdate")) { if($agentPoolsObj.autoUpdate -eq $true) { $controlResult.AddMessage([VerificationResult]::Passed,"Auto-update of agents is enabled for [$($agentPoolsObj.name)] agent pool."); } else { $controlResult.AddMessage([VerificationResult]::Failed,"Auto-update of agents is disabled for [$($agentPoolsObj.name)] agent pool."); } } else { $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch auto-update details of agent pool."); } $agentPoolsObj =$null; } catch { $controlResult.AddMessage([VerificationResult]::Error,"Could not fetch agent pool details."); } return $controlResult } hidden [ControlResult] CheckPrjAllPipelineAccess([ControlResult] $controlResult) { try { $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_apis/build/authorizedresources?type=queue&id={2}&api-version=6.0-preview.1" -f $($this.OrganizationContext.OrganizationName),$this.ProjectId ,$this.AgentPoolId; $agentPoolsObj = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); if([Helpers]::CheckMember($agentPoolsObj,"authorized") -and $agentPoolsObj.authorized) { $controlResult.AddMessage([VerificationResult]::Failed,"Access permission to all pipeline is enabled for the agent pool."); } else { $controlResult.AddMessage([VerificationResult]::Passed,"Access permission to all pipeline is not enabled for the agent pool."); } $agentPoolsObj =$null; } catch{ $controlResult.AddMessage($_); $controlResult.AddMessage([VerificationResult]::Manual,"Could not fetch agent pool details."); } return $controlResult } hidden [ControlResult] CheckInActiveAgentPool([ControlResult] $controlResult) { try { if ($this.agentPoolActivityDetail.message -eq 'Could not fetch agent pool details.') { $controlResult.AddMessage([VerificationResult]::Error, $this.agentPoolActivityDetail.message); } elseif($this.agentPoolActivityDetail.isAgentPoolActive) { $controlResult.AddMessage([VerificationResult]::Passed, $this.agentPoolActivityDetail.message); } else { if ($null -ne $this.agentPoolActivityDetail.agentPoolCreationDate) { $inactiveLimit = $this.ControlSettings.AgentPool.AgentPoolHistoryPeriodInDays if ((((Get-Date) - $this.agentPoolActivityDetail.agentPoolCreationDate).Days) -lt $inactiveLimit) { $controlResult.AddMessage([VerificationResult]::Passed, "Agent pool was created within last $inactiveLimit days but never queued."); } else { $controlResult.AddMessage([VerificationResult]::Failed, "Agent pool has not been queued from last $inactiveLimit days."); } $controlResult.AddMessage("The agent pool was created on: $($this.agentPoolActivityDetail.agentPoolCreationDate)"); $controlResult.AdditionalInfo += "The agent pool was created on: " + $this.agentPoolActivityDetail.agentPoolCreationDate; } else { $controlResult.AddMessage([VerificationResult]::Failed, $this.agentPoolActivityDetail.message); } } if ($null -ne $this.agentPoolActivityDetail.agentPoolLastRunDate) { $controlResult.AddMessage("Last queue date of agent pool: $($this.agentPoolActivityDetail.agentPoolLastRunDate)"); $controlResult.AdditionalInfo += "Last queue date of agent pool: " + $this.agentPoolActivityDetail.agentPoolLastRunDate; $agentPoolInactivePeriod = ((Get-Date) - $this.agentPoolActivityDetail.agentPoolLastRunDate).Days $controlResult.AddMessage("The agent pool was inactive from last $($agentPoolInactivePeriod) days."); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch agent pool details."); } #clearing memory space. $this.agentPool = $null; return $controlResult } hidden [ControlResult] CheckCredInEnvironmentVariables([ControlResult] $controlResult) { try { if($null -eq $this.agentPool) { $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2" -f $($this.OrganizationContext.OrganizationName), $this.ProjectId ,$this.AgentPoolId; $this.agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); } $patterns = $this.ControlSettings.Patterns | Where-Object {$_.RegexCode -eq "SecretsInBuild"} | Select-Object -Property RegexList; if(($patterns | Measure-Object).Count -gt 0) { $noOfCredFound = 0; $AgentsWithSecretsInEnv=@() if (([Helpers]::CheckMember($this.agentPool[0],"fps.dataproviders.data") ) -and ($this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider") -and [Helpers]::CheckMember($this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider","agents") ) { $Agents = $this.agentpool.fps.dataproviders.data."ms.vss-build-web.agent-pool-data-provider".agents $Agents | ForEach-Object { $RefAgent = "" | Select-Object "AgentName","Capabilities" $RefAgent.AgentName = $_.name $EnvVariablesContainingSecret=@() if([Helpers]::CheckMember($_,"userCapabilities")) { $EnvVariable=$_.userCapabilities $refHashTable=@{} $EnvVariable.PSObject.properties | ForEach-Object { $refHashTable[$_.Name] = $_.Value } $refHashTable.Keys | Where-Object { for ($i = 0; $i -lt $patterns.RegexList.Count; $i++) { # Using -cmatch as same logic we had applied in build and release controls if($refHashTable.Item($_) -cmatch $patterns.RegexList[$i]) { $noOfCredFound += 1 $EnvVariablesContainingSecret += $_ break } } } } $RefAgent.Capabilities = $EnvVariablesContainingSecret $AgentsWithSecretsInEnv += $RefAgent } if($noOfCredFound -eq 0) { $controlResult.AddMessage([VerificationResult]::Passed, "No secrets found in user-defined capabilities of agents."); } else { $controlResult.AddMessage([VerificationResult]::Failed, "Found secrets in user-defined capabilities of agents."); $count = ($AgentsWithSecretsInEnv | Measure-Object).Count if($count -gt 0 ) { #$varList = $EnvVariablesContainingSecret | select -Unique | Sort-object # $stateData.AgentsWithCred += $AgentsWithSecretsInEnv.AgentName $controlResult.AddMessage("`nTotal number of agents that contain secrets in user-defined capabilities: $count") $controlResult.AdditionalInfo += "Total number of agents that contain secrets in user-defined capabilities: "+ $count; $controlResult.AddMessage("`nAgent wise list of user-defined capabilities containing secret: "); $display=($AgentsWithSecretsInEnv | FT AgentName,Capabilities -AutoSize | Out-String -Width 512) $controlResult.AddMessage($display) #$controlResult.AdditionalInfo += "Total number of variable(s) containing secret: " + ($varList | Measure-Object).Count; } $controlResult.SetStateData("Agent wise list of user-defined capabilities containing secret: ", $AgentsWithSecretsInEnv ); } } else { $controlResult.AddMessage([VerificationResult]::Passed, "There are no agents in the pool."); } $patterns = $null; } else { $controlResult.AddMessage([VerificationResult]::Manual, "Regular expressions for detecting credentials in environment variables for agents are not defined in your organization."); } } catch { $controlResult.AddMessage([VerificationResult]::Error, "Could not fetch details of user-defined capabilities of agents."); } #clearing memory space. $this.agentPool = $null; return $controlResult } hidden CheckActiveAgentPool() { try { $agentPoolsURL = "https://dev.azure.com/{0}/{1}/_settings/agentqueues?queueId={2}&__rt=fps&__ver=2" -f $($this.OrganizationContext.OrganizationName), $this.ProjectId ,$this.AgentPoolId; $this.agentPool = [WebRequestHelper]::InvokeGetWebRequest($agentPoolsURL); if (([Helpers]::CheckMember($this.agentPool[0], "fps.dataProviders.data") ) -and ($this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider")) { # $inactiveLimit denotes the upper limit on number of days of inactivity before the agent pool is deemed inactive. $inactiveLimit = $this.ControlSettings.AgentPool.AgentPoolHistoryPeriodInDays #Filtering agent pool jobs specific to the current project. $agentPoolJobs = $this.agentPool[0].fps.dataProviders.data."ms.vss-build-web.agent-jobs-data-provider".jobs | Where-Object {$_.scopeId -eq $this.ProjectId}; #Arranging in descending order of run time. $agentPoolJobs = $agentPoolJobs | Sort-Object queueTime -Descending #If agent pool has been queued at least once if (($agentPoolJobs | Measure-Object).Count -gt 0) { #Get the last queue timestamp of the agent pool if ([Helpers]::CheckMember($agentPoolJobs[0], "finishTime")) { $agtPoolLastRunDate = $agentPoolJobs[0].finishTime; if ((((Get-Date) - $agtPoolLastRunDate).Days) -gt $inactiveLimit) { $this.agentPoolActivityDetail.isAgentPoolActive = $false; $this.agentPoolActivityDetail.message = "Agent pool has not been queued in the last $inactiveLimit days."; } else { $this.agentPoolActivityDetail.isAgentPoolActive = $true; $this.agentPoolActivityDetail.message = "Agent pool has been queued in the last $inactiveLimit days."; } $this.agentPoolActivityDetail.agentPoolLastRunDate = $agtPoolLastRunDate; } else { $this.agentPoolActivityDetail.isAgentPoolActive = $true; $this.agentPoolActivityDetail.message = "Agent pool was being queued during control evaluation."; } } else { #[else] Agent pool is created but nenver run, check creation date greated then 180 $this.agentPoolActivityDetail.isAgentPoolActive = $false; if (([Helpers]::CheckMember($this.agentPool, "fps.dataProviders.data") ) -and ($this.agentPool.fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider")) { $agentPoolDetails = $this.agentPool.fps.dataProviders.data."ms.vss-build-web.agent-pool-data-provider" $this.agentPoolActivityDetail.agentPoolCreationDate = $agentPoolDetails.selectedAgentPool.createdOn; } else { $this.agentPoolActivityDetail.message = "Could not fetch agent pool details."; } } } else { $this.agentPoolActivityDetail.message = "Could not fetch agent pool details."; } } catch { $this.agentPoolActivityDetail.message = "Could not fetch agent pool details."; } $this.agentPoolActivityDetail.isComputed = $true } } # SIG # Begin signature block # MIIjhQYJKoZIhvcNAQcCoIIjdjCCI3ICAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCxJ2y+MDt7K1MX # 4nJCaj5GtjqKpt0F3YN8oPJr1V1oqqCCDYEwggX/MIID56ADAgECAhMzAAAB32vw # LpKnSrTQAAAAAAHfMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjAxMjE1MjEzMTQ1WhcNMjExMjAyMjEzMTQ1WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQC2uxlZEACjqfHkuFyoCwfL25ofI9DZWKt4wEj3JBQ48GPt1UsDv834CcoUUPMn # s/6CtPoaQ4Thy/kbOOg/zJAnrJeiMQqRe2Lsdb/NSI2gXXX9lad1/yPUDOXo4GNw # PjXq1JZi+HZV91bUr6ZjzePj1g+bepsqd/HC1XScj0fT3aAxLRykJSzExEBmU9eS # yuOwUuq+CriudQtWGMdJU650v/KmzfM46Y6lo/MCnnpvz3zEL7PMdUdwqj/nYhGG # 3UVILxX7tAdMbz7LN+6WOIpT1A41rwaoOVnv+8Ua94HwhjZmu1S73yeV7RZZNxoh # EegJi9YYssXa7UZUUkCCA+KnAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUOPbML8IdkNGtCfMmVPtvI6VZ8+Mw # UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1 # ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDYzMDA5MB8GA1UdIwQYMBaAFEhu # ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu # bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w # Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx # MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAnnqH # tDyYUFaVAkvAK0eqq6nhoL95SZQu3RnpZ7tdQ89QR3++7A+4hrr7V4xxmkB5BObS # 0YK+MALE02atjwWgPdpYQ68WdLGroJZHkbZdgERG+7tETFl3aKF4KpoSaGOskZXp # TPnCaMo2PXoAMVMGpsQEQswimZq3IQ3nRQfBlJ0PoMMcN/+Pks8ZTL1BoPYsJpok # t6cql59q6CypZYIwgyJ892HpttybHKg1ZtQLUlSXccRMlugPgEcNZJagPEgPYni4 # b11snjRAgf0dyQ0zI9aLXqTxWUU5pCIFiPT0b2wsxzRqCtyGqpkGM8P9GazO8eao # mVItCYBcJSByBx/pS0cSYwBBHAZxJODUqxSXoSGDvmTfqUJXntnWkL4okok1FiCD # Z4jpyXOQunb6egIXvkgQ7jb2uO26Ow0m8RwleDvhOMrnHsupiOPbozKroSa6paFt # VSh89abUSooR8QdZciemmoFhcWkEwFg4spzvYNP4nIs193261WyTaRMZoceGun7G # CT2Rl653uUj+F+g94c63AhzSq4khdL4HlFIP2ePv29smfUnHtGq6yYFDLnT0q/Y+ # Di3jwloF8EWkkHRtSuXlFUbTmwr/lDDgbpZiKhLS7CBTDj32I0L5i532+uHczw82 # oZDmYmYmIUSMbZOgS65h797rj5JJ6OkeEUJoAVwwggd6MIIFYqADAgECAgphDpDS # AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0 # ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla # MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS # ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT # H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG # OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S # 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz # y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7 # 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u # M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33 # X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl # XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP # 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB # l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF # RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM # CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ # BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud # DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO # 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0 # LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p # Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y # Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB # FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw # cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA # XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY # 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj # 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd # d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ # Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf # wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ # aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j # NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B # xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96 # eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7 # r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I # RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVWjCCFVYCAQEwgZUwfjELMAkG # A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx # HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z # b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAd9r8C6Sp0q00AAAAAAB3zAN # BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor # BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgEGfAT2on # SzXE0kHxMhblPOPJpOzQW9IhJTRhennGVBswRAYKKwYBBAGCNwIBDDE2MDSgFIAS # AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g # MA0GCSqGSIb3DQEBAQUABIIBABSni8i3PpGwKSdNju0cyGFJXhjSfngCBHpUHxHp # IbQnQIcXDSGI4RtWtOe1VXZ6JHm5cXWtJDFrNR8PtgQQy9PEqqaIjWR0vrtQBI4Q # QqaAjmBthHQarrGL8akJQK1SINsLv8uw53g4LgdOAedlfWS/ROwsmEMLeHk/7ZXk # jThL1e9bEwW79E3TJ2ZYq/KDhTD/TdLvtt8EBE5QNiPrkVFu2q7C8FwtnvbUbPyG # TXhP8FHQgJOWXho8tNp1sg1bOgdUrrMXBywpOZDBVhQdtZn9O103Q/MWvG7P3ZXb # j0Dn6xXwbd5m0ruLYOwSR6t7RBvimB68Wi5H/6JM7lwWYVuhghLiMIIS3gYKKwYB # BAGCNwMDATGCEs4wghLKBgkqhkiG9w0BBwKgghK7MIIStwIBAzEPMA0GCWCGSAFl # AwQCAQUAMIIBUQYLKoZIhvcNAQkQAQSgggFABIIBPDCCATgCAQEGCisGAQQBhFkK # AwEwMTANBglghkgBZQMEAgEFAAQgjdByv5/R5X47GAd6K/xuAQ9Q6mDAv6Nif8La # LWUKnPYCBmA9AdLY2hgTMjAyMTAzMTUwMjMwMDcuNzM3WjAEgAIB9KCB0KSBzTCB # yjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMc # TWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVzIFRT # UyBFU046MTJCQy1FM0FFLTc0RUIxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFNlcnZpY2Wggg45MIIE8TCCA9mgAwIBAgITMwAAAVPSgnJFbFfjiwAAAAAB # UzANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu # Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv # cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAe # Fw0yMDExMTIxODI2MDVaFw0yMjAyMTExODI2MDVaMIHKMQswCQYDVQQGEwJVUzET # MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV # TWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmlj # YSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjoxMkJDLUUzQUUt # NzRFQjElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCASIw # DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXrtnQHsxv5s0IC5cLoQYmwW+BU # HqLfT+OXiCa1TChAbnPdanFAc0mP63Yjh+kRNBAujGKgdKJH6dskVGdPdYKNzpTB # sYEydAmDODNVeh9U8cgKKaJg0SIfLzo+8ISlZPy9vqN8Vxo5Wgx77jA3Y2puU5YD # ijrCYRBQWatukpkH5xFUkXtYTUvo0N9GI8T1dF9GT7PNl34wmGzd5ZGvuNV0bXS9 # USVXeGrRgXN+GjuC4/cvRszGKRHLek97hbqDtDB/kxzEOkzQBq3P0I2SxwA/KHiN # k4XR/t2IvUEYRP9zi+nyJBOV8qoSEJu3cWL8ernhzBeMTVpTHNC9rlv95u0CAwEA # AaOCARswggEXMB0GA1UdDgQWBBTGootzSCqpszAZQLfgcG2sMVZEdTAfBgNVHSME # GDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBNMEugSaBHhkVodHRw # Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNUaW1TdGFQ # Q0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o # dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1RpbVN0YVBDQV8y # MDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMI # MA0GCSqGSIb3DQEBCwUAA4IBAQCUaL15fPogRD7HAXNJolHcnEexqJ6DKb0OxFdy # l93t+uVNRn/mJWTIWrxhfIqgQj7ttU7MmVN/c8XxR1gLLjKxZp7qzMj5uzPb1uhi # hGXBJrF1A6D2HCVfUyR90yeEn4iLDfkRVinusxWN032LppkeV0o/88NA2767MQeh # so0ulmzF74sj+B3G4iIUkM7c715O6fTvFYd+GcjEnbBLvLk8Qel3FlNBfae9ZHRu # N2a3mvqHLlfSw0PVdmJpTZqmXVZv0drZuc7gDyWt7vBmNL6LxcFVUloTgteZxMV5 # CWVmV2+rzIGa8OjjC+MU4VVySrIFKkIwwmlGrOSh0YPEnTo0MIIGcTCCBFmgAwIB # AgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2Vy # dGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAx # MjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYw # JAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZI # hvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoA # goX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiE # VEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+B # VLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3w # V3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXo # eByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYw # ggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNo # WoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW # BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH # AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp # L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGV # MIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWlj # cm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIw # NB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4A # dAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM # 9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0 # YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgP # F/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/62 # 5Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZq # kHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96 # LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5v # vfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiF # AR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduW # sqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV # 42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto2 # 29Nfj950iEkSoYICyzCCAjQCAQEwgfihgdCkgc0wgcoxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNh # IE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOjEyQkMtRTNBRS03 # NEVCMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMKAQEw # BwYFKw4DAhoDFQCKSk3txw7WT08oIYK9pBYrInnRm6CBgzCBgKR+MHwxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m # dCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBBQUAAgUA4/ijLTAiGA8y # MDIxMDMxNDIyNTg1M1oYDzIwMjEwMzE1MjI1ODUzWjB0MDoGCisGAQQBhFkKBAEx # LDAqMAoCBQDj+KMtAgEAMAcCAQACAhUWMAcCAQACAhGpMAoCBQDj+fStAgEAMDYG # CisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSChCjAIAgEA # AgMBhqAwDQYJKoZIhvcNAQEFBQADgYEAPqArfz8dsXIBJ29goLa8m7ibIdelhe+1 # aYtmKVhVxYCXzHmbUXCsmwcIphKqf9nUkNcpeDd2iN1/AxNYO7kYnTPRgGBiYPuC # 8aW1po3DmfgXcY+odfL26DA6Na87H7/wSTjr89bLcH5izidUXQpkMzbGt1DXRUBF # fOzG5uB2ncIxggMNMIIDCQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg # MjAxMAITMwAAAVPSgnJFbFfjiwAAAAABUzANBglghkgBZQMEAgEFAKCCAUowGgYJ # KoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCDwV+T0e/fs # e52iInajJYK3J0hHMvtWqQsKRbc+fbbptjCB+gYLKoZIhvcNAQkQAi8xgeowgecw # geQwgb0EIFDBCo85tCAICfyXoZBDppodLIMcb2wOH2rEBWiNtY8AMIGYMIGApH4w # fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMd # TWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAFT0oJyRWxX44sAAAAA # AVMwIgQgL8nQrkgMuLOt/3ly8ndejdr8xoPZ1fLoAKMRLWOTeV4wDQYJKoZIhvcN # AQELBQAEggEAJoWNvdsBiZcTyPEwOzBLvSqxQVC8yNYqRmr9lCD0oKmtp6RHVtAF # g3L2L2KA2DeJ/Cl8byEqip4b5bJaI2h06biG9L020x5HhnA9RIeXEy9FhnYaqiDx # w4HZci3CGJATf0wPucE4AHt5inNtf9TZRBwZJd4/XGPAxK71yxY4+EuVJEJXRE37 # PXLqG2x+D54uJYsco1pIcO/TWok29Ql0p/3T6lA/q9NqCb2hbIfyS1ZM7saNbUZd # MMMmNek4VYYieZVOvCcpO5VElhAHEcrWwdp4zn9azGoLUnrHy9wPdnALsOkLkJve # lDfQ85NOZw4dqqVY0VGcWPwY+iN5Y/Eo6g== # SIG # End signature block |