rules/Azure.Deployment.Rule.ps1
|
# Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # # Validation rules for Azure deployments # #region Rules # Synopsis: Avoid outputting sensitive deployment values. Rule 'Azure.Deployment.OutputSecretValue' -Ref 'AZR-000279' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Security'; } { $Assert.Create($PSRule.Issue.Get('PSRule.Rules.Azure.Template.OutputSecretValue')); } # Synopsis: Ensure all properties named used for setting a username within a deployment are expressions (e.g. an ARM function not a string) Rule 'Azure.Deployment.AdminUsername' -Ref 'AZR-000284' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; } { RecurseDeploymentSensitive -Deployment $TargetObject } # Synopsis: Use secure parameters for any parameter that contains sensitive information. Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } { GetSecureParameter -Deployment $TargetObject } # Synopsis: Use secure parameters for setting properties of resources that contain sensitive information. Rule 'Azure.Deployment.SecureValue' -Ref 'AZR-000316' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2024_12'; 'Azure.WAF/pillar' = 'Security'; } { RecurseSecureValue -Deployment $TargetObject } # Synopsis: Ensure Outer scope deployments aren't using SecureString or SecureObject Parameters Rule 'Azure.Deployment.OuterSecret' -Ref 'AZR-000331' -Type 'Microsoft.Resources/deployments' -If { IsParentDeployment } -Tag @{ release = 'GA'; ruleSet = '2022_12'; 'Azure.WAF/pillar' = 'Security'; } { $template = @($TargetObject.properties.template); if ($template.resources.Length -eq 0) { return $Assert.Pass(); } $secureParameters = @($template.parameters.PSObject.properties | Where-Object { $_.Value.type -eq 'secureString' -or $_.Value.type -eq 'secureObject' } | ForEach-Object { $_.Name }); foreach ($deployments in $template.resources) { if ($deployments.properties.expressionEvaluationOptions.scope -eq 'outer') { foreach ($outerDeployment in $deployments.properties.template.resources) { foreach ($property in $outerDeployment.properties) { RecursivePropertiesSecretEvaluation -Resource $outerDeployment -SecureParameters $secureParameters -ShouldUseSecret $False -Property $property } } } else { $Assert.Pass() } } } # Synopsis: The deployment parameter leaks sensitive information. Rule 'Azure.Deployment.SecretLeak' -Ref 'AZR-000459' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2025_06'; 'Azure.WAF/pillar' = 'Security'; } { $Assert.Create($PSRule.Issue.Get('PSRule.Rules.Azure.Template.ParameterSecureAssignment')); } #endregion Rules #region Helpers function global:GetSecureParameter { param ( [Parameter(Mandatory = $True)] [PSObject]$Deployment ) process { $count = 0; if ($Null -ne $Deployment.properties.template.parameters.PSObject.properties) { foreach ($parameter in $Deployment.properties.template.parameters.PSObject.properties.GetEnumerator()) { if ( $Assert.Like($parameter, 'Name', @( '*password*' '*secret*' '*token*' '*key' '*keys' )).Result -and $parameter.Name -ne 'customerManagedKey' -and $parameter.Name -notLike '*name' -and $parameter.Name -notLike '*uri' -and $parameter.Name -notLike '*url' -and $parameter.Name -notLike '*path' -and $parameter.Name -notLike '*type' -and $parameter.Name -notLike '*id' -and $parameter.Name -notLike '*options' -and $parameter.Name -notLike '*publickey' -and $parameter.Name -notLike '*publickeys' -and $parameter.Name -notLike '*secretname*' -and $parameter.Name -notLike '*secreturl*' -and $parameter.Name -notLike '*secreturi*' -and $parameter.Name -notLike '*secrettype*' -and $parameter.Name -notLike '*secretrotation*' -and $parameter.Name -notLike '*tokenname*' -and $parameter.Name -notLike '*tokentype*' -and $parameter.Name -notLike '*interval*' -and $parameter.Name -notLike '*length*' -and $parameter.Name -notLike '*secretprovider*' -and $parameter.Name -notLike '*secretsprovider*' -and $parameter.Name -notLike '*secretref*' -and $parameter.Name -notLike '*secretid*' -and $parameter.Name -notLike '*disablepassword*' -and $parameter.Name -notLike '*sync*passwords*' -and $parameter.Name -notLike '*keyvaultpath*' -and $parameter.Name -notLike '*keyvaultname*' -and $parameter.Name -notLike '*keyvaulturi*' -and $Assert.NotIn($parameter, 'Name', $Configuration.GetStringValues('AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES')).Result -and $Null -ne $parameter.Value.type -and $parameter.Value.type -ne 'bool' -and $parameter.Value.type -ne 'int' ) { $count++ # If the parameter is a custom type, recurse the type properties marked as secure. if ($Assert.HasField($parameter.Value, '$ref').Result) { $result = DefinitionHasSecureProperty -Definitions $Deployment.properties.template.definitions -Name $parameter.Value.'$ref'; $Assert.Create($result -eq $True, $LocalizedData.InsecureParameterType, $parameter.Name, $parameter.Value.'$ref'); } elseif ($Assert.HasField($parameter.Value, 'items.$ref').Result) { # Array of custom types $result = DefinitionHasSecureProperty -Definitions $Deployment.properties.template.definitions -Name $parameter.Value.items.'$ref'; $Assert.Create($result -eq $True, $LocalizedData.InsecureParameterType, $parameter.Name, $parameter.Value.items.'$ref'); } elseif ($Assert.HasField($parameter.Value, 'items.type').Result) { # Array parameters $Assert.In($parameter.Value.items.type, '.', @('secureString', 'secureObject')).ReasonFrom($parameter.Name, $LocalizedData.InsecureParameterType, $parameter.Name, $parameter.Value.items.type); } else { # Normal parameters $Assert.In($parameter.Value.type, '.', @('secureString', 'secureObject')).ReasonFrom($parameter.Name, $LocalizedData.InsecureParameterType, $parameter.Name, $parameter.Value.type); } } } } if ($count -eq 0) { return $Assert.Pass(); } } } # Check a definition for secure properties. # If the property is a custom type, recurse the definition to check these properties are secure. function global:DefinitionHasSecureProperty { param ( [Parameter(Mandatory = $True)] [PSObject]$Definitions, [Parameter(Mandatory = $True)] [String]$Name ) process { $result = $False; $shortName = $Name.Split('/')[-1]; Write-Verbose -Message "Checking definition: $shortName"; foreach ($definition in $Definitions.PSObject.Properties.GetEnumerator()) { if ($definition.Name -eq $shortName) { if ($Assert.HasField($definition.Value, 'properties').Result) { foreach ($property in $definition.Value.properties.PSObject.Properties.GetEnumerator()) { if ($Assert.HasField($property.Value, '$ref').Result) { $child = DefinitionHasSecureProperty -Definitions $Definitions -Name $property.Value.'$ref'; if ($child) { $result = $True; } } elseif ($Assert.HasField($property.Value, 'items.$ref').Result) { $child = DefinitionHasSecureProperty -Definitions $Definitions -Name $property.Value.items.'$ref'; if ($child) { $result = $True; } } elseif ($Assert.HasField($property.Value, 'items.type').Result) { $child = $Assert.In($property.Value.items.type, '.', @('secureString', 'secureObject')).Result; if ($child) { $result = $True; } } elseif ($Assert.In($property.Value.type, '.', @('secureString', 'secureObject')).Result) { $result = $True; } } } } } if ($result -eq $False) { Write-Verbose -Message "No secure properties found in definition: $shortName"; } else { Write-Verbose -Message "Secure properties found in definition: $shortName"; } return $result; } } function global:RecurseDeploymentSensitive { param ( [Parameter(Mandatory = $True)] [PSObject]$Deployment ) process { Write-Debug "Deployment is: $($Deployment.name)"; $propertyNames = $Configuration.GetStringValues('AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES'); # Resources could be an object or an array. Check if it is an object and enumerate properties instead. $resources = @($Deployment.properties.template.resources); if ($Deployment.properties.template.resources -is [System.Management.Automation.PSObject]) { $resources = @($Deployment.properties.template.resources.PSObject.Properties.GetEnumerator() | ForEach-Object { $_.Value }); } if ($resources.Length -eq 0) { return $Assert.Pass(); } foreach ($resource in $resources) { if ($resource.type -eq 'Microsoft.Resources/deployments') { RecurseDeploymentSensitive -Deployment $resource; } else { foreach ($propertyName in $propertyNames) { $found = $PSRule.GetPath($resource, "$..$propertyName"); if ($Null -eq $found -or $found.Length -eq 0) { $Assert.Pass(); } else { Write-Debug "Found property name: $propertyName, value: $found"; foreach ($value in $found) { $Assert.Create(![PSRule.Rules.Azure.Runtime.Helper]::HasLiteralValue($value), $LocalizedData.LiteralSensitiveProperty, $propertyName); } } } } } } } function global:RecursivePropertiesSecretEvaluation { param ( [Parameter(Mandatory = $True)] [PSObject]$Resource, [Parameter(Mandatory = $True)] [PSObject]$Property, [Parameter(Mandatory = $True)] [AllowEmptyCollection()] [PSObject]$SecureParameters, [Parameter(Mandatory = $False)] [Bool]$ShouldUseSecret = $True ) process { $PropertyName = $Property.PSObject.properties.Name foreach ($NestedProperty in $Property.PSObject.Properties.Value.PSObject.Properties) { if($NestedProperty.MemberType -eq 'NoteProperty') { RecursivePropertiesSecretEvaluation -Resource $Resource -SecureParameters $SecureParameters -Property $NestedProperty -ShouldUseSecret $ShouldUseSecret } else { CheckPropertyUsesSecureParameter -Resource $Resource -SecureParameters $SecureParameters -PropertyPath "properties.$($PropertyName)" -ShouldUseSecret $ShouldUseSecret } } } } function global:CheckPropertyUsesSecureParameter { param ( [Parameter(Mandatory = $True)] [PSObject]$Resource, [Parameter(Mandatory = $True)] [AllowEmptyCollection()] [PSObject]$SecureParameters, [Parameter(Mandatory = $True)] [String]$PropertyPath, [Parameter(Mandatory = $False)] [Bool]$ShouldUseSecret = $True ) process { $propertyValues = $PSRule.GetPath($Resource, $PropertyPath); if ($propertyValues.Length -eq 0) { return $Assert.Pass(); } foreach ($propertyValue in $propertyValues) { $hasSecureParam = [PSRule.Rules.Azure.Runtime.Helper]::HasSecureValue($propertyValue, $SecureParameters); $Assert.Create($hasSecureParam -eq $ShouldUseSecret, $LocalizedData.SecureParameterRequired, $PropertyPath); } } } # Check resource properties that should be set by secure parameters. function global:RecurseSecureValue { param ( [Parameter(Mandatory = $True)] [PSObject]$Deployment ) process { $resources = @($Deployment.properties.template.resources); if ($resources.Length -eq 0) { return $Assert.Pass(); } $secureParameters = @($Deployment.properties.template.parameters.PSObject.properties | Where-Object { $_.Value.type -eq 'secureString' -or $_.Value.type -eq 'secureObject' } | ForEach-Object { $_.Name }); Write-Debug -Message "Secure parameters are: $($secureParameters -join ', ')"; foreach ($resource in $resources) { if ($resource.type -eq 'Microsoft.Resources/Deployments') { RecurseSecureValue -Deployment $resource; } else { $properties = [PSRule.Rules.Azure.Runtime.Helper]::GetSecretProperty($PSRule.GetService('Azure.Context'), $resource.type); if ($Null -eq $properties -or $properties.Length -eq 0) { $Assert.Pass(); } else { foreach ($property in $properties) { CheckPropertyUsesSecureParameter -Resource $resource -SecureParameters $secureParameters -PropertyPath $property } } } } } } # Check if the TargetObject is a parent deployment, with scoped deployments or a rendered deployment function global:IsParentDeployment { [CmdletBinding()] [OutputType([System.Boolean])] param () process { foreach ($deployment in $TargetObject.properties.template.resources){ return $Assert.HasField($deployment, 'properties.expressionEvaluationOptions.scope').Result; } } } #endregion Helpers # SIG # Begin signature block # MIIoVQYJKoZIhvcNAQcCoIIoRjCCKEICAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCmr/Qqu6ImHYEE # BjojLoYLZjHZAjt64oicllPnX5/K8aCCDYUwggYDMIID66ADAgECAhMzAAAEhJji # EuB4ozFdAAAAAASEMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjUwNjE5MTgyMTM1WhcNMjYwNjE3MTgyMTM1WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDtekqMKDnzfsyc1T1QpHfFtr+rkir8ldzLPKmMXbRDouVXAsvBfd6E82tPj4Yz # aSluGDQoX3NpMKooKeVFjjNRq37yyT/h1QTLMB8dpmsZ/70UM+U/sYxvt1PWWxLj # MNIXqzB8PjG6i7H2YFgk4YOhfGSekvnzW13dLAtfjD0wiwREPvCNlilRz7XoFde5 # KO01eFiWeteh48qUOqUaAkIznC4XB3sFd1LWUmupXHK05QfJSmnei9qZJBYTt8Zh # ArGDh7nQn+Y1jOA3oBiCUJ4n1CMaWdDhrgdMuu026oWAbfC3prqkUn8LWp28H+2S # LetNG5KQZZwvy3Zcn7+PQGl5AgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUBN/0b6Fh6nMdE4FAxYG9kWCpbYUw # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzUwNTM2MjAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AGLQps1XU4RTcoDIDLP6QG3NnRE3p/WSMp61Cs8Z+JUv3xJWGtBzYmCINmHVFv6i # 8pYF/e79FNK6P1oKjduxqHSicBdg8Mj0k8kDFA/0eU26bPBRQUIaiWrhsDOrXWdL # m7Zmu516oQoUWcINs4jBfjDEVV4bmgQYfe+4/MUJwQJ9h6mfE+kcCP4HlP4ChIQB # UHoSymakcTBvZw+Qst7sbdt5KnQKkSEN01CzPG1awClCI6zLKf/vKIwnqHw/+Wvc # Ar7gwKlWNmLwTNi807r9rWsXQep1Q8YMkIuGmZ0a1qCd3GuOkSRznz2/0ojeZVYh # ZyohCQi1Bs+xfRkv/fy0HfV3mNyO22dFUvHzBZgqE5FbGjmUnrSr1x8lCrK+s4A+ # bOGp2IejOphWoZEPGOco/HEznZ5Lk6w6W+E2Jy3PHoFE0Y8TtkSE4/80Y2lBJhLj # 27d8ueJ8IdQhSpL/WzTjjnuYH7Dx5o9pWdIGSaFNYuSqOYxrVW7N4AEQVRDZeqDc # fqPG3O6r5SNsxXbd71DCIQURtUKss53ON+vrlV0rjiKBIdwvMNLQ9zK0jy77owDy # XXoYkQxakN2uFIBO1UNAvCYXjs4rw3SRmBX9qiZ5ENxcn/pLMkiyb68QdwHUXz+1 # fI6ea3/jjpNPz6Dlc/RMcXIWeMMkhup/XEbwu73U+uz/MIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGiYwghoiAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAASEmOIS4HijMV0AAAAA # BIQwDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIJL7 # uyN/2wpbihuf1orwTmEtbjYJElBtWOB2F+YH3p00MEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEAFfbaNBPQBbkSVmg3hpiuUl+GPxh4ISue50oV # PYQjJjByYYgDA04R7j+Z6oeLjRX7ajEWyWL+3kmh4tKdGcpE/gjw1Tps6WUqQEhg # W0JA5lD2Yy0J5thJtain7Dfo71IfvFH7cm81CtME7P4J2Yrrl7AL0qV+HOYV6nLZ # kzb4gmZQ7x3q+PuePVC1VGqOpBVC+YfjCpb++9Brd3GIrF57EKqIEiaBPTiz7xYj # q6pPZ/5Zh8GcN70QwOakfRGvhgmLt20N0uc98TQbDa3cWtOsqsCLSrZ1kQmi/rt5 # EvERocZFXlLyQrZQXYLsSa5TIGL2Fur1rwSNWI9KXjw2Tvaf96GCF7AwghesBgor # BgEEAYI3AwMBMYIXnDCCF5gGCSqGSIb3DQEHAqCCF4kwgheFAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFaBgsqhkiG9w0BCRABBKCCAUkEggFFMIIBQQIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCCBcQd6vPfPbVRIvO+q0oPb5YhDQQZtHRVV # lykoB3/uNQIGaULTWz+iGBMyMDI2MDEwODAzMDIzNC41MDJaMASAAgH0oIHZpIHW # MIHTMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQL # EyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJzAlBgNVBAsT # Hm5TaGllbGQgVFNTIEVTTjozMjFBLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9z # b2Z0IFRpbWUtU3RhbXAgU2VydmljZaCCEf4wggcoMIIFEKADAgECAhMzAAACGqmg # HQagD0OqAAEAAAIaMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w # IFBDQSAyMDEwMB4XDTI1MDgxNDE4NDgyOFoXDTI2MTExMzE4NDgyOFowgdMxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jv # c29mdCBJcmVsYW5kIE9wZXJhdGlvbnMgTGltaXRlZDEnMCUGA1UECxMeblNoaWVs # ZCBUU1MgRVNOOjMyMUEtMDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGlt # ZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA # mYEAwSTz79q2V3ZWzQ5Ev7RKgadQtMBy7+V3XQ8R0NL8R9mupxcqJQ/KPeZGJTER # +9Qq/t7HOQfBbDy6e0TepvBFV/RY3w+LOPMKn0Uoh2/8IvdSbJ8qAWRVoz2S9VrJ # zZpB8/f5rQcRETgX/t8N66D2JlEXv4fZQB7XzcJMXr1puhuXbOt9RYEyN1Q3Z7Yj # RkhfBsRc+SD/C9F4iwZqfQgo82GG4wguIhjJU7+XMfrv4vxAFNVg3mn1PoMWGZWi # o+e14+PGYPVLKlad+0IhdHK5AgPyXKkqAhEZpYhYYVEItHOOvqrwukxVAJXMvWA3 # GatWkRZn33WDJVtghCW6XPLi1cDKiGE5UcXZSV4OjQIUB8vp2LUMRXud5I49FIBc # E9nT00z8A+EekrPM+OAk07aDfwZbdmZ56j7ub5fNDLf8yIb8QxZ8Mr4RwWy/czBu # V5rkWQQ+msjJ5AKtYZxJdnaZehUgUNArU/u36SH1eXKMQGRXr/xeKFGI8vvv5Jl1 # knZ8UqEQr9PxDbis7OXp2WSMK5lLGdYVH8VownYF3sbOiRkx5Q5GaEyTehOQp2Sf # dbsJZlg0SXmHphGnoW1/gQ/5P6BgSq4PAWIZaDJj6AvLLCdbURgR5apNQQed2zYU # gUbjACA/TomA8Ll7Arrv2oZGiUO5Vdi4xxtA3BRTQTUCAwEAAaOCAUkwggFFMB0G # A1UdDgQWBBTwqyIJ3QMoPasDcGdGovbaY8IlNjAfBgNVHSMEGDAWgBSfpxVdAF5i # XYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jv # c29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENB # JTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRw # Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRp # bWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBYGA1Ud # JQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsF # AAOCAgEA1a72WFq7B6bJT3VOJ21nnToPJ9O/q51bw1bhPfQy67uy+f8x8akipzNL # 2k5b6mtxuPbZGpBqpBKguDwQmxVpX8cGmafeo3wGr4a8Yk6Sy09tEh/Nwwlsyq7B # RrJNn6bGOB8iG4OTy+pmMUh7FejNPRgvgeo/OPytm4NNrMMg98UVlrZxGNOYsifp # RJFg5jE/Yu6lqFa1lTm9cHuPYxWa2oEwC0sEAsTFb69iKpN0sO19xBZCr0h5ClU9 # Pgo6ekiJb7QJoDzrDoPQHwbNA87Cto7TLuphj0m9l/I70gLjEq53SHjuURzwpmNx # dm18Qg+rlkaMC6Y2KukOfJ7oCSu9vcNGQM+inl9gsNgirZ6yJk9VsXEsoTtoR7fM # NU6Py6ufJQGMTmq6ZCq2eIGOXWMBb79ZF6tiKTa4qami3US0mTY41J129XmAglVy # +ujSZkHu2lHJDRHs7FjnIXZVUE5pl6yUIl23jG50fRTLQcStdwY/LvJUgEHCIzjv # lLTqLt6JVR5bcs5aN4Dh0YPG95B9iDMZrq4rli5SnGNWev5LLsDY1fbrK6uVpD+p # svSLsNpht27QcHRsYdAMALXM+HNsz2LZ8xiOfwt6rOsVWXoiHV86/TeMy5TZFUl7 # qB59INoMSJgDRladVXeT9fwOuirFIoqgjKGk3vO2bELrYMN0QVwwggdxMIIFWaAD # AgECAhMzAAAAFcXna54Cm0mZAAAAAAAVMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD # VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe # MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3Nv # ZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0yMTA5MzAxODIy # MjVaFw0zMDA5MzAxODMyMjVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5OGmTOe0ciELeaLL1yR5 # vQ7VgtP97pwHB9KpbE51yMo1V/YBf2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64 # NmeFRiMMtY0Tz3cywBAY6GB9alKDRLemjkZrBxTzxXb1hlDcwUTIcVxRMTegCjhu # je3XD9gmU3w5YQJ6xKr9cmmvHaus9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl # 3GoPz130/o5Tz9bshVZN7928jaTjkY+yOSxRnOlwaQ3KNi1wjjHINSi947SHJMPg # yY9+tVSP3PoFVZhtaDuaRr3tpK56KTesy+uDRedGbsoy1cCGMFxPLOJiss254o2I # 5JasAUq7vnGpF1tnYN74kpEeHT39IM9zfUGaRnXNxF803RKJ1v2lIH1+/NmeRd+2 # ci/bfV+AutuqfjbsNkz2K26oElHovwUDo9Fzpk03dJQcNIIP8BDyt0cY7afomXw/ # TNuvXsLz1dhzPUNOwTM5TI4CvEJoLhDqhFFG4tG9ahhaYQFzymeiXtcodgLiMxhy # 16cg8ML6EgrXY28MyTZki1ugpoMhXV8wdJGUlNi5UPkLiWHzNgY1GIRH29wb0f2y # 1BzFa/ZcUlFdEtsluq9QBXpsxREdcu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6H # XtqPnhZyacaue7e3PmriLq0CAwEAAaOCAd0wggHZMBIGCSsGAQQBgjcVAQQFAgMB # AAEwIwYJKwYBBAGCNxUCBBYEFCqnUv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQW # BBSfpxVdAF5iXYP05dJlpxtTNRnpcjBcBgNVHSAEVTBTMFEGDCsGAQQBgjdMg30B # ATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3Bz # L0RvY3MvUmVwb3NpdG9yeS5odG0wEwYDVR0lBAwwCgYIKwYBBQUHAwgwGQYJKwYB # BAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMB # Af8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBL # oEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMv # TWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggr # BgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNS # b29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwDQYJKoZIhvcNAQELBQADggIBAJ1Vffwq # reEsH2cBMSRb4Z5yS/ypb+pcFLY+TkdkeLEGk5c9MTO1OdfCcTY/2mRsfNB1OW27 # DzHkwo/7bNGhlBgi7ulmZzpTTd2YurYeeNg2LpypglYAA7AFvonoaeC6Ce5732pv # vinLbtg/SHUB2RjebYIM9W0jVOR4U3UkV7ndn/OOPcbzaN9l9qRWqveVtihVJ9Ak # vUCgvxm2EhIRXT0n4ECWOKz3+SmJw7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWK # NsIdw2FzLixre24/LAl4FOmRsqlb30mjdAy87JGA0j3mSj5mO0+7hvoyGtmW9I/2 # kQH2zsZ0/fZMcm8Qq3UwxTSwethQ/gpY3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+ # c23Kjgm9swFXSVRk2XPXfx5bRAGOWhmRaw2fpCjcZxkoJLo4S5pu+yFUa2pFEUep # 8beuyOiJXk+d0tBMdrVXVAmxaQFEfnyhYWxz/gq77EFmPWn9y8FBSX5+k77L+Dvk # txW/tM4+pTFRhLy/AsGConsXHRWJjXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1Zyvg # DbjmjJnW4SLq8CdCPSWU5nR0W2rRnj7tfqAxM328y+l7vzhwRNGQ8cirOoo6CGJ/ # 2XBjU02N7oJtpQUQwXEGahC0HVUzWLOhcGbyoYIDWTCCAkECAQEwggEBoYHZpIHW # MIHTMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQL # EyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJzAlBgNVBAsT # Hm5TaGllbGQgVFNTIEVTTjozMjFBLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9z # b2Z0IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUA8YrutmKpSrub # CaAYsU4pt1Ft8DaggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx # MDANBgkqhkiG9w0BAQsFAAIFAO0JAFgwIhgPMjAyNjAxMDcxNTU1MDRaGA8yMDI2 # MDEwODE1NTUwNFowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA7QkAWAIBADAKAgEA # AgIO+AIB/zAHAgEAAgIRojAKAgUA7QpR2AIBADA2BgorBgEEAYRZCgQCMSgwJjAM # BgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEB # CwUAA4IBAQBKCwl0u6TSCZwJmMPxWohtPtNJ/j2PCzhTha1Jq4R+2+nQ/2dBmpmv # AkMZy3Z2R+YeK+kYcpIubfIKMBvHNOGSrLlFSxOu0rqB/2aNvJlUrXgep2uZvVy5 # Rjzed/s1ieX6mofaLjiwd7TQJtDTcU/FpGTEO9Bstk6lN6jRx4dLjsEPbIoey2oz # Q92hSEcVSR2PwPpsKGl8ynQknAP+IJoLDV8CCH1T/etSPfdn2f1qzB1H/FzjnjQR # oAIxJ6/1lkcimHJ/rtXknjQ+z2SAVqihhWDncDYhOU5TChX7wAa9IHMSIxilcBwl # 9kIQNRGNzSNhKcFhc6RI2fKGy1ITRYuKMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAIaqaAdBqAPQ6oAAQAAAhowDQYJYIZI # AWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG # 9w0BCQQxIgQgYiPn5LASuvQ/Qn29U5TR542hM6GuqWl/5ZYo89XvngEwgfoGCyqG # SIb3DQEJEAIvMYHqMIHnMIHkMIG9BCCdeiHHrbtpKcwB20doVU89WHIOH8S7w37u # aHcDmemK+zCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMz # AAACGqmgHQagD0OqAAEAAAIaMCIEII6TDoJ5p36BO99T+BKi+ytOX7W+j0+Ia3Hc # +jWO5WVyMA0GCSqGSIb3DQEBCwUABIICAGGzfIUEc8ULyba+jnloTRYa1h1j8g4R # IpyVhyKLj6YzKKIPIm15ddu+7uaY+G7SVXkuz0AhHGOuKj8WUoUTPJYBoJG7dGuK # /qiKFwfJTwcX0D4SxYJwtPGd3BFw5M5/TkEcZ2JBYRw5qtuBX2E6ljgNygFA/rJR # Yr60lO7ytB3Lg6OKSkqKQ/FsO6ec3cG1Zp7BzaufArrfvokx02/ev6heSy07QfXM # 6QQRed/q0LG4/BbQAeoVuDdzZQXwb6kCeMP+mNlCbRhfyZFmxEFCjVJLV98mq4sI # DYpp5WKCtuTPyceLK2S1gzlcViqSg2dlefHVcAyv5BQPPxsQej/eJ9xPPsR1iqhp # IQSu5DX8iFBNj/Ej+fu+B0wk7UnC9uFIMXGTMw8HUCHZUv892yvUTbI9F+pvfvQH # s55W8lXVGsKjvm+HMIJaQh5F6ECKcNuZv9/80i+8JspRHsAzMNXPqRCFYWlQSies # x1Z2sE2MlAu0fiPwjx8k0oackYcIhgX9OP4hqEsp9iiBOCrP3eNLUlAWIdBalorS # /OARw31jDNN/MizBpqNr+k7JK0XQyAQRNxXhym8HlthYCKq2hzSe2/hrLyZ7bjJv # 9j+8rxC9A9y4XvSr/OCLFQLNYkhKQ9m3al+TBgbyrUepZNlqxHVK1U3cnVuOBbjR # 1loUYw30TiaB # SIG # End signature block |