functions/Invoke-DbaDbDataMasking.ps1
function Invoke-DbaDbDataMasking { <# .SYNOPSIS Masks data by using randomized values determined by a configuration file and a randomizer framework .DESCRIPTION TMasks data by using randomized values determined by a configuration file and a randomizer framework It will use a configuration file that can be made manually or generated using New-DbaDbMaskingConfig Note that the following column and data types are not currently supported: Identity ForeignKey Computed Hierarchyid Geography Geometry Xml .PARAMETER SqlInstance The target SQL Server instance or instances. .PARAMETER SqlCredential Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential). Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported. For MFA support, please use Connect-DbaInstance. .PARAMETER Database Databases to process through .PARAMETER Table Tables to process. By default all the tables will be processed .PARAMETER Column Columns to process. By default all the columns will be processed .PARAMETER FilePath Configuration file that contains the which tables and columns need to be masked .PARAMETER Locale Set the local to enable certain settings in the masking .PARAMETER CharacterString The characters to use in string data. 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' by default .PARAMETER ExcludeTable Exclude specific tables even if it's listed in the config file. .PARAMETER ExcludeColumn Exclude specific columns even if it's listed in the config file. .PARAMETER MaxValue Force a max length of strings instead of relying on datatype maxes. Note if a string datatype has a lower MaxValue, that will be used instead. Useful for adhoc updates and testing, otherwise, the config file should be used. .PARAMETER ModulusFactor Calculating the next nullable by using the remainder from the modulus. Default is every 10. .PARAMETER ExactLength Mask string values to the same length. So 'Tate' will be replaced with 4 random characters. .PARAMETER CommandTimeout Timeout for the database connection in seconds. Default is 300. .PARAMETER BatchSize Size of the batch to use to write the masked data back to the database .PARAMETER Retry The amount of retries to generate a unique row for a table. Default is 1000. .PARAMETER DictionaryFilePath Import the dictionary to be used in in the database masking .PARAMETER DictionaryExportPath Export the dictionary to the given path. Naming convention will be [computername]_[instancename]_[database]_Dictionary.csv Be careful with this feature, this export is the key to get the original values which is a security risk! .PARAMETER Force Forcefully execute commands when needed .PARAMETER WhatIf If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run. .PARAMETER Confirm If this switch is enabled, you will be prompted for confirmation before executing any operations that change state. .PARAMETER EnableException By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message. This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting. Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch. .NOTES Tags: Masking, DataMasking Author: Sander Stad (@sqlstad, sqlstad.nl) | Chrissy LeMaire (@cl, netnerds.net) Website: https://dbatools.io Copyright: (c) 2018 by dbatools, licensed under MIT License: MIT https://opensource.org/licenses/MIT .LINK https://dbatools.io/Invoke-DbaDbDataMasking .EXAMPLE Invoke-DbaDbDataMasking -SqlInstance SQLDB2 -Database DB1 -FilePath C:\Temp\sqldb1.db1.tables.json Apply the data masking configuration from the file "sqldb1.db1.tables.json" to the db1 database on sqldb2. Prompt for confirmation for each table. .EXAMPLE Get-ChildItem -Path C:\Temp\sqldb1.db1.tables.json | Invoke-DbaDbDataMasking -SqlInstance SQLDB2 -Database DB1 -Confirm:$false Apply the data masking configuration from the file "sqldb1.db1.tables.json" to the db1 database on sqldb2. Do not prompt for confirmation. .EXAMPLE New-DbaDbMaskingConfig -SqlInstance SQLDB1 -Database DB1 -Path C:\Temp\clone -OutVariable file $file | Invoke-DbaDbDataMasking -SqlInstance SQLDB2 -Database DB1 -Confirm:$false Create the data masking configuration file "sqldb1.db1.tables.json", then use it to mask the db1 database on sqldb2. Do not prompt for confirmation. .EXAMPLE Get-ChildItem -Path C:\Temp\sqldb1.db1.tables.json | Invoke-DbaDbDataMasking -SqlInstance SQLDB2, sqldb3 -Database DB1 -Confirm:$false See what would happen if you the data masking configuration from the file "sqldb1.db1.tables.json" to the db1 database on sqldb2 and sqldb3. Do not prompt for confirmation. #> [CmdLetBinding(SupportsShouldProcess, ConfirmImpact = "High")] param ( [DbaInstanceParameter[]]$SqlInstance, [PSCredential]$SqlCredential, [string[]]$Database, [parameter(Mandatory, ValueFromPipeline)] [Alias('Path', 'FullName')] [object]$FilePath, [string]$Locale = 'en', [string]$CharacterString = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', [string[]]$Table, [string[]]$Column, [string[]]$ExcludeTable, [string[]]$ExcludeColumn, [int]$MaxValue, [int]$ModulusFactor, [switch]$ExactLength, [int]$CommandTimeout, [int]$BatchSize, [int]$Retry, [string[]]$DictionaryFilePath, [string]$DictionaryExportPath, [switch]$EnableException ) begin { if ($Force) { $ConfirmPreference = 'none' } $supportedDataTypes = @( 'bit', 'bigint', 'bool', 'char', 'date', 'datetime', 'datetime2', 'decimal', 'float', 'int', 'money', 'nchar', 'ntext', 'nvarchar', 'smalldatetime', 'smallint', 'text', 'time', 'tinyint', 'uniqueidentifier', 'userdefineddatatype', 'varchar' ) $supportedFakerMaskingTypes = Get-DbaRandomizedType | Select-Object Type -ExpandProperty Type -Unique $supportedFakerSubTypes = Get-DbaRandomizedType | Select-Object Subtype -ExpandProperty Subtype -Unique $supportedFakerSubTypes += "Date" # Set defaults if (-not $ModulusFactor) { $ModulusFactor = 10 Write-Message -Level Verbose -Message "Modulus factor set to $ModulusFactor" } if (-not $CommandTimeout) { $CommandTimeout = 300 Write-Message -Level Verbose -Message "Command time-out set to $CommandTimeout" } if (-not $BatchSize) { $BatchSize = 1000 Write-Message -Level Verbose -Message "Batch size set to $BatchSize" } if (-not $Retry) { $Retry = 1000 Write-Message -Level Verbose -Message "Retry count set to $Retry" } } process { if (Test-FunctionInterrupt) { return } if ($FilePath.ToString().StartsWith('http')) { $tables = Invoke-RestMethod -Uri $FilePath } else { # Test the configuration file try { $configErrors = @() $configErrors += Test-DbaDbDataMaskingConfig -FilePath $FilePath -EnableException if ($configErrors.Count -ge 1) { Stop-Function -Message "Errors found testing the configuration file." -Target $FilePath return $configErrors } } catch { Stop-Function -Message "Something went wrong testing the configuration file" -ErrorRecord $_ -Target $FilePath return } # Get all the items that should be processed try { $tables = Get-Content -Path $FilePath -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop } catch { Stop-Function -Message "Could not parse masking config file" -ErrorRecord $_ -Target $FilePath return } } # Test the columns for data types foreach ($tabletest in $tables.Tables) { if ($Table -and $tabletest.Name -notin $Table) { continue } foreach ($columntest in $tabletest.Columns) { if ($columntest.ColumnType -in 'hierarchyid', 'geography', 'xml', 'geometry' -and $columntest.Name -notin $Column) { Stop-Function -Message "$($columntest.ColumnType) is not supported, please remove the column $($columntest.Name) from the $($tabletest.Name) table" -Target $tables -Continue } } } foreach ($instance in $SqlInstance) { try { $server = Connect-SqlInstance -SqlInstance $instance -SqlCredential $SqlCredential -MinimumVersion 9 } catch { Stop-Function -Message "Error occurred while establishing connection to $instance" -Category ConnectionError -ErrorRecord $_ -Target $instance -Continue } # Check if the deterministic values table is already present if ($server.Databases['tempdb'].Tables.Name -contains 'DeterministicValues') { Write-Message -Level Verbose -Message "Deterministic values table already exists. Dropping it...." $query = "DROP TABLE [dbo].[DeterministicValues];" $server.Databases['tempdb'].Query($query) } # Create the deterministic value table $query = " CREATE TABLE dbo.DeterministicValues ( [ValueKey] VARCHAR(900), [NewValue] VARCHAR(900) ) CREATE UNIQUE NONCLUSTERED INDEX UNX__DeterministicValues_ValueKey ON dbo.DeterministicValues ( ValueKey ) " $null = $server.Databases['tempdb'].Query($query) # Import the dictionary files if ($DictionaryFilePath.Count -ge 1) { foreach ($file in $DictionaryFilePath) { Write-Message -Level Verbose -Message "Importing dictionary file '$file'" if (Test-Path -Path $file) { try { # Import the keys and values Import-DbaCsv -Path $file -SqlInstance $server -Database tempdb -Schema dbo -Table DeterministicValues } catch { Stop-Function -Message "Could not import csv data from file '$file'" -ErrorRecord $_ -Target $file } } else { Stop-Function -Message "Could not import dictionary file '$file'" -ErrorRecord $_ -Target $file } } } # Get the database name if (-not $Database) { $Database = $tables.Name } # Loop through the databases foreach ($dbName in $Database) { if ($server.VersionMajor -lt 9) { Stop-Function -Message "SQL Server version must be 2005 or greater" -Continue } $db = $server.Databases[$($dbName)] #$stepcounter = $nullmod = 0 $nullmod = 0 #region for each table foreach ($tableobject in $tables.Tables) { $elapsed = [System.Diagnostics.Stopwatch]::StartNew() $uniqueDataTableName = $null $uniqueValueColumns = @() $stringBuilder = [System.Text.StringBuilder]'' if ($tableobject.Name -in $ExcludeTable) { Write-Message -Level Verbose -Message "Skipping $($tableobject.Name) because it is explicitly excluded" continue } if ($tableobject.Name -notin $db.Tables.Name) { Stop-Function -Message "Table $($tableobject.Name) is not present in $db" -Target $db -Continue } $dbTable = $db.Tables | Where-Object { $_.Schema -eq $tableobject.Schema -and $_.Name -eq $tableobject.Name } [bool]$cleanupIdentityColumn = $false # Make sure there is an identity column present to speed things up if (-not ($dbTable.Columns | Where-Object { $_.Identity -eq $true })) { Write-Message -Level Verbose -Message "Adding identity column to table [$($dbTable.Schema)].[$($dbTable.Name)]" $query = "ALTER TABLE [$($dbTable.Schema)].[$($dbTable.Name)] ADD MaskingID BIGINT IDENTITY(1, 1) NOT NULL;" try { Invoke-DbaQuery -SqlInstance $server -SqlCredential $SqlCredential -Database $db.Name -Query $query } catch { Stop-Function -Message "Could not alter the table to add the masking id" -Target $db -Continue } $cleanupIdentityColumn = $true $identityColumn = "MaskingID" $dbTable.Columns.Refresh() } else { $identityColumn = $dbTable.Columns | Where-Object { $_.Identity } | Select-Object -ExpandProperty Name } # Check if the index for the identity column is already present $maskingIndexName = "NIX__$($dbTable.Schema)_$($dbTable.Name)_Masking" try { if ($dbTable.Indexes.Name -contains $maskingIndexName) { Write-Message -Level Verbose -Message "Masking index already exists in table [$($dbTable.Schema)].[$($dbTable.Name)]. Dropping it..." $dbTable.Indexes[$($maskingIndexName)].Drop() } } catch { Stop-Function -Message "Could not remove identity index to table [$($dbTable.Schema)].[$($dbTable.Name)]" -Continue } # Create the index for the identity column try { Write-Message -Level Verbose -Message "Adding index on identity column [$($identityColumn)] in table [$($dbTable.Schema)].[$($dbTable.Name)]" $query = "CREATE NONCLUSTERED INDEX [$($maskingIndexName)] ON [$($dbTable.Schema)].[$($dbTable.Name)]([$($identityColumn)])" $queryParams = @{ SqlInstance = $server SqlCredential = $SqlCredential Database = $db.Name Query = $query QueryTimeout = $CommandTimeout } Invoke-DbaQuery @queryParams } catch { Stop-Function -Message "Could not add identity index to table [$($dbTable.Schema)].[$($dbTable.Name)]" -Continue } try { if (-not $tableobject.FilterQuery) { # Get all the columns from the table $columnString = "[" + (($dbTable.Columns | Where-Object { $_.DataType -in $supportedDataTypes } | Select-Object Name -ExpandProperty Name) -join "],[") + "]" # Add the identifier column $columnString += ",[$($identityColumn)]" # Put it all together $query = "SELECT $($columnString) FROM [$($tableobject.Schema)].[$($tableobject.Name)]" } else { # Get the query from the table objects $query = ($tableobject.FilterQuery).ToLower() # Check if the query already contains the identifier column if (-not ($query | Select-String -Pattern $identityColumn)) { # Split up the query from the first "from" $queryParts = $query -split "from", 2 # Put it all together again with the identifier $query = "$($queryParts[0].Trim()), $($identityColumn) FROM $($queryParts[1].Trim())" } } # Get the data [array]$data = $db.Query($query) } catch { Stop-Function -Message "Failure retrieving the data from table [$($tableobject.Schema)].[$($tableobject.Name)]" -Target $Database -ErrorRecord $_ -Continue } #region unique indexes # Check if the table contains unique indexes if ($tableobject.HasUniqueIndex) { # Loop through the rows and generate a unique value for each row Write-Message -Level Verbose -Message "Generating unique values for [$($tableobject.Schema)].[$($tableobject.Name)]" $params = @{ SqlInstance = $server SqlCredential = $SqlCredential Database = $db.name Schema = $tableobject.Schema Table = $tableobject.Name } $indexToTable = Convert-DbaIndexToTable @params if ($indexToTable) { # compare the index columns to the column in the json table object $compareParams = @{ ReferenceObject = $indexToTable.Columns DifferenceObject = $tableobject.Columns.Name IncludeEqual = $true } $maskingColumnIndexCount = (Compare-Object @compareParams | Where-Object { $_.SideIndicator -eq "==" }).Count # Check if there is any need to generate unique values if ($maskingColumnIndexCount -ge 1) { # Check if the temporary table already exists $server.Databases['tempdb'].Tables.Refresh() $uniqueDataTableName = $indexToTable.TempTableName if ($server.Databases['tempdb'].Tables.Name -contains $indexToTable.TempTableName) { Write-Message -Level Verbose -Message "Table '$($indexToTable.TempTableName)' already exists. Dropping it.." try { $query = "DROP TABLE $($indexToTable.TempTableName)" Invoke-DbaQuery -SqlInstance $server -SqlCredential $SqlCredential -Database 'tempdb' -Query $query } catch { Stop-Function -Message "Could not drop temporary table" } } # Create the temporary table try { Write-Message -Level Verbose -Message "Creating temporary table '$($indexToTable.TempTableName)'" Invoke-DbaQuery -SqlInstance $server -SqlCredential $SqlCredential -Database 'tempdb' -Query $indexToTable.CreateStatement } catch { Stop-Function -Message "Could not create temporary table #[$($tableobject.Schema)].[$($tableobject.Name)]" } # Create the unique index table try { Write-Message -Level Verbose -Message "Creating the unique index for temporary table '$($indexToTable.TempTableName)'" Invoke-DbaQuery -SqlInstance $server -SqlCredential $SqlCredential -Database 'tempdb' -Query $indexToTable.UniqueIndexStatement } catch { Stop-Function -Message "Could not create temporary table #[$($tableobject.Schema)].[$($tableobject.Name)]" } # Create a unique row $retryCount = 0 for ($i = 0; $i -lt $data.Count; $i++) { $insertQuery = "INSERT INTO [$($indexToTable.TempTableName)]([$($indexToTable.Columns -join '],[')]) VALUES(" $insertFailed = $false $insertValues = @() foreach ($indexColumn in $indexToTable.Columns) { $columnMaskInfo = $tableobject.Columns | Where-Object { $_.Name -eq $indexColumn } if ($indexColumn -eq "RowNr") { $newValue = $i + 1 } elseif ($columnMaskInfo) { # make sure min is good if ($columnMaskInfo.MinValue) { $min = $columnMaskInfo.MinValue } else { if ($columnMaskInfo.CharacterString) { $min = 1 } else { $min = 0 } } # make sure max is good if ($MaxValue) { if ($columnMaskInfo.MaxValue -le $MaxValue) { $max = $columnMaskInfo.MaxValue } else { $max = $MaxValue } } else { $max = $columnMaskInfo.MaxValue } if (-not $columnMaskInfo.MaxValue -and -not (Test-Bound -ParameterName MaxValue)) { $max = 10 } if ((-not $columnMaskInfo.MinValue -or -not $columnMaskInfo.MaxValue) -and ($columnMaskInfo.ColumnType -match 'date')) { if (-not $columnMaskInfo.MinValue) { $min = (Get-Date).AddDays(-365) } if (-not $columnMaskInfo.MaxValue) { $max = (Get-Date).AddDays(365) } } if ($columnMaskInfo.CharacterString) { $charstring = $columnMaskInfo.CharacterString } else { $charstring = $CharacterString } # Generate a new value $newValue = $null $newValueParams = $null try { $newValueParams = $null if (-not $columnobject.SubType -and $columnobject.ColumnType -in $supportedDataTypes) { $newValueParams = @{ DataType = $columnMaskInfo.SubType Min = $columnMaskInfo.MinValue Max = $columnMaskInfo.MaxValue Locale = $Locale } } else { $newValueParams = @{ RandomizerType = $columnMaskInfo.MaskingType RandomizerSubtype = $columnMaskInfo.SubType Min = $min Max = $max CharacterString = $charstring Format = $columnMaskInfo.Format Separator = $columnMaskInfo.Separator Locale = $Locale } } $newValue = Get-DbaRandomizedValue @newValueParams } catch { Stop-Function -Message "Failure" -Target $columnMaskInfo -Continue -ErrorRecord $_ } } else { $newValue = $null } if ($columnMaskInfo) { try { $insertValue = Convert-DbaMaskingValue -Value $newValue -DataType $columnMaskInfo.ColumnType -Nullable:$columnMaskInfo.Nullable -EnableException if ($convertedValue.ErrorMessage) { $maskingErrorFlag = $true Stop-Function "Could not convert the value. $($convertedValue.ErrorMessage)" -Target $convertedValue } } catch { Stop-Function -Message "Could not convert value" -ErrorRecord $_ -Target $newValue } $insertValues += $insertValue.NewValue } elseif ($indexColumn -eq "RowNr") { $insertValues += $newValue } else { $insertValues += "NULL" } $uniqueValueColumns += $columnMaskInfo.Name } # Join all the values to the insert query $insertQuery += "$($insertValues -join ','));" # Try inserting the value try { $null = $server.Databases['tempdb'].Query($insertQuery) $insertFailed = $false } catch { Write-PSFMessage -Level Verbose -Message "Could not insert value" $insertFailed = $true } # Try to insert the value as long it's failed while ($insertFailed) { if ($retryCount -eq $Retry) { Stop-Function -Message "Could not create a unique row after $retryCount tries. Stopping..." return } $insertQuery = "INSERT INTO [$($indexToTable.TempTableName)]([$($indexToTable.Columns -join '],[')]) VALUES(" foreach ($indexColumn in $indexToTable.Columns) { $columnMaskInfo = $tableobject.Columns | Where-Object { $_.Name -eq $indexColumn } if ($indexColumn -eq "RowNr") { $newValue = $i + 1 } elseif ($columnMaskInfo) { # make sure min is good if ($columnMaskInfo.MinValue) { $min = $columnMaskInfo.MinValue } else { if ($columnMaskInfo.CharacterString) { $min = 1 } else { $min = 0 } } # make sure max is good if ($MaxValue) { if ($columnMaskInfo.MaxValue -le $MaxValue) { $max = $columnMaskInfo.MaxValue } else { $max = $MaxValue } } else { $max = $columnMaskInfo.MaxValue } if (-not $columnMaskInfo.MaxValue -and -not (Test-Bound -ParameterName MaxValue)) { $max = 10 } if ((-not $columnMaskInfo.MinValue -or -not $columnMaskInfo.MaxValue) -and ($columnMaskInfo.ColumnType -match 'date')) { if (-not $columnMaskInfo.MinValue) { $min = (Get-Date).AddDays(-365) } if (-not $columnMaskInfo.MaxValue) { $max = (Get-Date).AddDays(365) } } if ($columnMaskInfo.CharacterString) { $charstring = $columnMaskInfo.CharacterString } else { $charstring = $CharacterString } # Generate a new value $newValue = $null $newValueParams = $null try { $newValueParams = $null if (-not $columnobject.SubType -and $columnobject.ColumnType -in $supportedDataTypes) { $newValueParams = @{ DataType = $columnMaskInfo.SubType Min = $columnMaskInfo.MinValue Max = $columnMaskInfo.MaxValue Locale = $Locale } } else { $newValueParams = @{ RandomizerType = $columnMaskInfo.MaskingType RandomizerSubtype = $columnMaskInfo.SubType Min = $min Max = $max CharacterString = $charstring Format = $columnMaskInfo.Format Separator = $columnMaskInfo.Separator Locale = $Locale } } $newValue = Get-DbaRandomizedValue @newValueParams } catch { Stop-Function -Message "Failure" -Target $columnMaskInfo -Continue -ErrorRecord $_ } } else { $newValue = $null } if ($columnMaskInfo) { try { $insertValue = Convert-DbaMaskingValue -Value $newValue -DataType $columnMaskInfo.ColumnType -Nullable:$columnMaskInfo.Nullable -EnableException if ($convertedValue.ErrorMessage) { $maskingErrorFlag = $true Stop-Function "Could not convert the value. $($convertedValue.ErrorMessage)" -Target $convertedValue } } catch { Stop-Function -Message "Could not convert value" -ErrorRecord $_ -Target $newValue } $insertValues += $insertValue.NewValue } elseif ($indexColumn -eq "RowNr") { $insertValues += $newValue } else { $insertValues += "NULL" } } # Join all the values to the insert query $insertQuery += "$($insertValues -join ','));" # Try inserting the value try { $null = $server.Databases['tempdb'].Query($insertQuery) $insertFailed = $false } catch { Write-PSFMessage -Level Verbose -Message "Could not insert value" $insertFailed = $true $retryCount++ } } } try { Write-Message -Level Verbose -Message "Creating masking index for [$($indexToTable.TempTableName)]" $query = "CREATE NONCLUSTERED INDEX [NIX_$($indexToTable.TempTableName)_MaskID] ON [$($indexToTable.TempTableName)]([RowNr])" $null = $server.Databases['tempdb'].Query($query) } catch { Stop-Function -Message "Could not add masking index for [$($indexToTable.TempTableName)]" -ErrorRecord $_ } } else { Write-PSFMessage -Level Verbose -Message "Table [$($tableobject.Schema)].[$($tableobject.Name)] does not contain any masking index columns to process" } } else { Stop-Function -Message "The table does not have any indexes" } } #endregion unique indexes $tablecolumns = $tableobject.Columns if ($Column) { $tablecolumns = $tablecolumns | Where-Object { $_.Name -in $Column } } if ($ExcludeColumn) { if ([string]$uniqueIndex.Columns -match ($ExcludeColumn -join "|")) { Stop-Function -Message "Column present in -ExcludeColumn cannot be excluded because it's part of an unique index" -Target $ExcludeColumn -Continue } $tablecolumns = $tablecolumns | Where-Object { $_.Name -notin $ExcludeColumn } } if (-not $tablecolumns) { Write-Message -Level Verbose "No columns to process in [$($dbName)].[$($tableobject.Schema)].[$($tableobject.Name)], moving on" continue } if ($Pscmdlet.ShouldProcess($instance, "Masking $($data.Count) row(s) for column [$($tablecolumns.Name -join ', ')] in $($dbName).$($tableobject.Schema).$($tableobject.Name)")) { $totalBatches = [System.Math]::Ceiling($data.Count / $BatchSize) # Firgure out if the columns has actions $columnsWithActions = @() $columnsWithActions += $tableobject.Columns | Where-Object { $null -ne $_.Action } # Firgure out if the columns has composites $columnsWithComposites = @() $columnsWithComposites += $tableobject.Columns | Where-Object { $null -ne $_.Composite } # Check for both special actions if (($columnsWithComposites.Count -ge 1) -and ($columnsWithActions.Count -ge 1)) { Stop-Function -Message "You cannot use both composites and actions" } # Loop through each of the rows and change them foreach ($columnobject in $tablecolumns) { # Set the masking error [bool]$maskingErrorFlag = $false # Only start generating values if the column is not using Actions or Composites if (($columnobject.Name -notin $columnsWithActions.Name) -and ($columnobject.Name -notin $columnsWithComposites.Name)) { # Set the counters $rowNumber = $batchRowNr = $batchNr = 0 if ($columnobject.StaticValue) { $newValue = $columnobject.StaticValue if ($null -eq $newValue -and -not $columnobject.Nullable) { Write-PSFMessage -Message "Column '$($columnobject.Name)' static value cannot null when column is set not to be nullable." } else { try { $convertedValue = Convert-DbaMaskingValue -Value $newValue -DataType $columnobject.ColumnType -Nullable:$columnobject.Nullable -EnableException if ($convertedValue.ErrorMessage) { $maskingErrorFlag = $true Stop-Function "Could not convert the value. $($convertedValue.ErrorMessage)" -Target $convertedValue } else { $null = $stringBuilder.AppendLine("UPDATE [$($tableobject.Schema)].[$($tableobject.Name)] SET [$($columnObject.Name)] = $($convertedValue.NewValue)") } } catch { Stop-Function -Message "Could not convert value" -ErrorRecord $_ -Target $newValue } $batchRowNr++ } } else { Write-Message -Level Verbose -Message "Processing column [$($columnObject.Name)]" # Column does not have an action foreach ($row in $data) { # Start counting the rows $rowNumber++ if ((($batchRowNr) % 100) -eq 0) { $progressParams = @{ StepNumber = $batchNr TotalSteps = $totalBatches Activity = "Masking $($data.Count) rows in $($tableobject.Schema).$($tableobject.Name) in $($dbName) on $instance" Message = "Generating Updates" } Write-ProgressHelper @progressParams } $updates = @() $newValue = $null # Check for value being in deterministic masking table if (($null -ne $row.($columnobject.Name)) -and ($row.($columnobject.Name) -ne '')) { try { $lookupValue = Convert-DbaMaskingValue -Value $row.($columnobject.Name) -DataType varchar -Nullable:$columnobject.Nullable -EnableException if ($convertedValue.ErrorMessage) { $maskingErrorFlag = $true Stop-Function "Could not convert the value. $($convertedValue.ErrorMessage)" -Target $convertedValue } } catch { Stop-Function -Message "Could not convert value" -ErrorRecord $_ -Target $row.($columnobject.Name) } $query = "SELECT [NewValue] FROM dbo.DeterministicValues WHERE [ValueKey] = $($lookupValue.NewValue)" try { $lookupResult = $null $lookupResult = $server.Databases['tempdb'].Query($query) } catch { Stop-Function -Message "Something went wrong retrieving the deterministic values" -Target $query -ErrorRecord $_ } } # Check the columnobject properties and possible scenarios if ($columnobject.MaskingType -eq 'Static') { $newValue = $columnobject.StaticValue } elseif ($columnobject.KeepNull -and $columnobject.Nullable -and (($row.($columnobject.Name)).GetType().Name -eq 'DBNull') -or ($row.($columnobject.Name) -eq '')) { $newValue = $null } elseif (-not $columnobject.KeepNull -and $columnobject.Nullable -and (($nullmod++) % $ModulusFactor -eq 0)) { $newValue = $null } elseif ($tableobject.HasUniqueIndex -and $columnobject.Name -in $uniqueValueColumns) { $query = "SELECT $($columnobject.Name) FROM $($uniqueDataTableName) WHERE [RowNr] = $rowNumber" try { $uniqueData = Invoke-DbaQuery -SqlInstance $server -SqlCredential $SqlCredential -Database tempdb -Query $query } catch { Stop-Function -Message "Something went wrong getting the unique data" -Target $query -ErrorRecord $_ } if ($null -eq $uniqueData) { Stop-Function -Message "Could not find any unique values" -Target $tableobject return } $newValue = $uniqueData.$($columnobject.Name) } elseif ($columnobject.Deterministic -and $lookupResult.NewValue) { $newValue = $lookupResult.NewValue } else { # make sure min is good if ($columnobject.MinValue) { $min = $columnobject.MinValue } else { if ($columnobject.CharacterString) { $min = 1 } else { $min = 0 } } # make sure max is good if ($MaxValue) { if ($columnobject.MaxValue -le $MaxValue) { $max = $columnobject.MaxValue } else { $max = $MaxValue } } else { $max = $columnobject.MaxValue } if (-not $columnobject.MaxValue -and -not (Test-Bound -ParameterName MaxValue)) { $max = 10 } if ((-not $columnobject.MinValue -or -not $columnobject.MaxValue) -and ($columnobject.ColumnType -match 'date')) { if (-not $columnobject.MinValue) { $min = (Get-Date).AddDays(-365) } if (-not $columnobject.MaxValue) { $max = (Get-Date).AddDays(365) } } if ($columnobject.CharacterString) { $charstring = $columnobject.CharacterString } else { $charstring = $CharacterString } # Setup the new value parameters $newValueParams = $null if ($null -eq $columnobject.SubType) { $newValueParams = @{ DataType = $columnobject.ColumnType Min = $min Max = $max CharacterString = $charstring Format = $columnobject.Format Locale = $Locale } } elseif ($columnobject.SubType.ToLowerInvariant() -eq 'shuffle') { if ($columnobject.ColumnType -in 'bigint', 'char', 'int', 'nchar', 'nvarchar', 'smallint', 'tinyint', 'varchar') { $newValueParams = @{ RandomizerType = "Random" RandomizerSubtype = "Shuffle" Value = ($row.$($columnobject.Name)) Locale = $Locale } } elseif ($columnobject.ColumnType -in 'decimal', 'numeric', 'float', 'money', 'smallmoney', 'real') { $newValueParams = @{ RandomizerType = "Random" RandomizerSubtype = "Shuffle" Value = ($row.$($columnobject.Name)) Locale = $Locale } } } else { $newValueParams = @{ RandomizerType = $columnobject.MaskingType RandomizerSubtype = $columnobject.SubType Min = $min Max = $max CharacterString = $charstring Format = $columnobject.Format Separator = $columnobject.Separator Locale = $Locale } } # Generate the new value try { $newValue = Get-DbaRandomizedValue @newValueParams } catch { $maskingErrorFlag = $true Stop-Function -Message "Failure" -Target $columnobject -Continue -ErrorRecord $_ } } # Convert the values so they can used in TSQL try { if ($row.($columnobject.Name) -eq '') { $convertedValue = Convert-DbaMaskingValue -Value ' ' -DataType $columnobject.ColumnType -Nullable:$columnobject.Nullable -EnableException } else { $convertedValue = Convert-DbaMaskingValue -Value $newValue -DataType $columnobject.ColumnType -Nullable:$columnobject.Nullable -EnableException } if ($convertedValue.ErrorMessage) { $maskingErrorFlag = $true Stop-Function "Could not convert the value. $($convertedValue.ErrorMessage)" -Target $convertedValue } } catch { Stop-Function -Message "Could not convert value" -ErrorRecord $_ -Target $newValue } # Add to the updates $updates += "[$($columnobject.Name)] = $($convertedValue.NewValue)" # Check if this value is determinisic if ($columnobject.Deterministic -and ($null -eq $lookupResult.NewValue)) { if (($null -ne $row.($columnobject.Name)) -and ($row.($columnobject.Name) -ne '')) { try { $previous = Convert-DbaMaskingValue -Value $row.($columnobject.Name) -DataType $columnobject.ColumnType -Nullable:$columnobject.Nullable -EnableException if ($convertedValue.ErrorMessage) { $maskingErrorFlag = $true Stop-Function "Could not convert the value. $($convertedValue.ErrorMessage)" -Target $convertedValue } } catch { Stop-Function -Message "Could not convert value" -ErrorRecord $_ -Target $row.($columnobject.Name) } $query = "INSERT INTO dbo.DeterministicValues (ValueKey, NewValue) VALUES ($($previous.NewValue), $($convertedValue.NewValue));" try { $null = $server.Databases['tempdb'].Query($query) } catch { Stop-Function -Message "Could not save deterministic value.`n$_" -Target $query -ErrorRecord $_ } } } # Setup the query $updateQuery = "UPDATE [$($tableobject.Schema)].[$($tableobject.Name)] SET $($updates -join ', ') WHERE [$($identityColumn)] = $($row.$($identityColumn)); " $null = $stringBuilder.AppendLine($updateQuery) # Increase the batch row number to keep track of the batches $batchRowNr++ # if we reached the batchsize if ($batchRowNr -eq $BatchSize) { # Increase the batch nr if it's not already reached if ($batchNr -lt $totalBatches) { $batchNr++ } # Execute the batch try { $progressParams = @{ StepNumber = $batchNr TotalSteps = $totalBatches Activity = "Masking $($data.Count) rows in $($tableobject.Schema).$($tableobject.Name).$($columnobject.Name) in $($dbName) on $instance" Message = "Executing Batch $batchNr/$totalBatches" } Write-ProgressHelper @progressParams Write-Message -Level Verbose -Message "Executing batch $batchNr/$totalBatches" $queryParams = @{ SqlInstance = $instance SqlCredential = $SqlCredential Database = $db.Name Query = $stringBuilder.ToString() EnableException = $EnableException QueryTimeout = $CommandTimeout } Invoke-DbaQuery @queryParams } catch { $maskingErrorFlag = $true Stop-Function -Message "Error updating $($tableobject.Schema).$($tableobject.Name): $_ `n$($stringBuilder.ToString())" -Target $stringBuilder.ToString() -Continue -ErrorRecord $_ } $null = $stringBuilder.Clear() $batchRowNr = 0 } } if ($stringBuilder.Length -ge 1) { if ($batchNr -lt $totalBatches) { $batchNr++ } try { $progressParams = @{ StepNumber = $batchNr TotalSteps = $totalBatches Activity = "Masking $($data.Count) rows in $($tableobject.Schema).$($tableobject.Name) in $($dbName) on $instance" Message = "Executing Batch $batchNr/$totalBatches" } Write-ProgressHelper @progressParams Write-Message -Level Verbose -Message "Executing batch $batchNr/$totalBatches" $queryParams = @{ SqlInstance = $instance SqlCredential = $SqlCredential Database = $db.Name Query = $stringBuilder.ToString() EnableException = $EnableException QueryTimeout = $CommandTimeout } Invoke-DbaQuery @queryParams } catch { $maskingErrorFlag = $true Stop-Function -Message "Error updating $($tableobject.Schema).$($tableobject.Name): $_`n$($stringBuilder.ToString())" -Target $stringBuilder.ToString() -Continue -ErrorRecord $_ } } } } } $null = $stringBuilder.Clear() # Go through the actions if ($columnsWithActions.Count -ge 1) { foreach ($columnObject in $columnsWithActions) { Write-Message -Level Verbose -Message "Processing action for [$($columnObject.Name)]" [bool]$validAction = $true $columnAction = $columnobject.Action $query = "UPDATE [$($tableobject.Schema)].[$($tableobject.Name)] SET [$($columnObject.Name)] = " if ($columnAction.Category -eq 'DateTime') { switch ($columnAction.Type) { "Add" { $query += "DATEADD($($columnAction.SubCategory), $($columnAction.Value), [$($columnObject.Name)]);" } "Subtract" { $query += "DATEADD($($columnAction.SubCategory), - $($columnAction.Value), [$($columnObject.Name)]);" } default { $validAction = $false } } } elseif ($columnAction.Category -eq 'Number') { switch ($columnAction.Type) { "Add" { $query += "[$($columnObject.Name)] + $($columnAction.Value);" } "Divide" { $query += "[$($columnObject.Name)] / $($columnAction.Value);" } "Multiply" { $query += "[$($columnObject.Name)] * $($columnAction.Value);" } "Subtract" { $query += "[$($columnObject.Name)] - $($columnAction.Value);" } default { $validAction = $false } } } elseif ($columnAction.Category -eq 'Column') { switch ($columnAction.Type) { "Set" { if ($columnobject.ColumnType -like '*int*' -or $columnobject.ColumnType -in 'bit', 'bool', 'decimal', 'numeric', 'float', 'money', 'smallmoney', 'real') { $query += "$($columnAction.Value)" } elseif ($columnobject.ColumnType -in '*date*', 'time', 'uniqueidentifier') { $query += "'$($columnAction.Value)'" } else { $query += "'$($columnAction.Value)'" } } "Nullify" { if ($columnobject.Nullable) { $query += "NULL" } else { $validAction = $false } } default { $validAction = $false } } } # Add the query to the rest if ($validAction) { $null = $stringBuilder.AppendLine($query) } } try { if ($stringBuilder.Length -ge 1) { Invoke-DbaQuery -SqlInstance $instance -SqlCredential $SqlCredential -Database $db.Name -Query $stringBuilder.ToString() -EnableException } } catch { $stringBuilder.ToString() Stop-Function -Message "Error updating $($tableobject.Schema).$($tableobject.Name): $_" -Target $stringBuilder -Continue -ErrorRecord $_ } $null = $stringBuilder.Clear() } # Go through the composites if ($columnsWithComposites.Count -ge 1) { foreach ($columnObject in $columnsWithComposites) { Write-Message -Level Verbose -Message "Processing composite for [$($columnObject.Name)]" $compositeItems = @() foreach ($columnComposite in $columnObject.Composite) { if ($columnComposite.Type -eq 'Column') { $compositeItems += "[$($columnComposite.Value)]" } elseif ($columnComposite.Type -eq 'Static') { $compositeItems += "'$($columnComposite.Value)'" } elseif ($columnComposite.Type -in $supportedFakerMaskingTypes) { try { $newValue = $null if ($columnobject.SubType -in $supportedDataTypes) { $newValueParams = @{ DataType = $columnobject.SubType CharacterString = $charstring Min = $columnComposite.Min Max = $columnComposite.Max Locale = $Locale } $newValue = Get-DbaRandomizedValue @newValueParams } else { $newValueParams = @{ RandomizerType = $columnobject.MaskingType RandomizerSubtype = $columnobject.SubType Min = $min Max = $max CharacterString = $charstring Format = $columnobject.Format Separator = $columnobject.Separator Locale = $Locale } $newValue = Get-DbaRandomizedValue @newValueParams } } catch { Stop-Function -Message "Failure" -Target $faker -Continue -ErrorRecord $_ } if ($columnobject.ColumnType -match 'int') { $compositeItems += " $newValue" } elseif ($columnobject.ColumnType -in 'bit', 'bool') { if ($columnValue) { $compositeItems += "1" } else { $compositeItems += "0" } } else { $newValue = ($newValue).Tostring().Replace("'", "''") $compositeItems += "'$newValue'" } } else { $compositeItems += "" } } $compositeItems = $compositeItems | ForEach-Object { $_ = "ISNULL($($_), '')"; $_ } $null = $stringBuilder.AppendLine("UPDATE [$($tableobject.Schema)].[$($tableobject.Name)] SET [$($columnObject.Name)] = $($compositeItems -join ' + ')") } try { Invoke-DbaQuery -SqlInstance $instance -SqlCredential $SqlCredential -Database $db.Name -Query $stringBuilder.ToString() -EnableException } catch { Stop-Function -Message "Error updating $($tableobject.Schema).$($tableobject.Name): $_" -Target $stringBuilder -Continue -ErrorRecord $_ } $null = $stringBuilder.Clear() } # Clean up the masking index try { # Refresh the indexes to make sure to have the latest list $dbTable.Indexes.Refresh() # Check if the index is there if ($dbTable.Indexes.Name -contains $maskingIndexName) { Write-Message -Level verbose -Message "Removing identity index from table [$($dbTable.Schema)].[$($dbTable.Name)]" $dbTable.Indexes[$($maskingIndexName)].Drop() } } catch { Stop-Function -Message "Could not remove identity index from table [$($dbTable.Schema)].[$($dbTable.Name)]" -Continue } # Clean up the identity column if ($cleanupIdentityColumn) { try { Write-Message -Level Verbose -Message "Removing identity column [$($identityColumn)] from table [$($dbTable.Schema)].[$($dbTable.Name)]" $query = "ALTER TABLE [$($dbTable.Schema)].[$($dbTable.Name)] DROP COLUMN [$($identityColumn)]" Invoke-DbaQuery -SqlInstance $instance -SqlCredential $SqlCredential -Database $db.Name -Query $query -EnableException } catch { Stop-Function -Message "Could not remove identity column from table [$($dbTable.Schema)].[$($dbTable.Name)]" -Continue } } # Return the masking results if ($maskingErrorFlag) { $maskingStatus = "Failed" } else { $maskingStatus = "Successful" } [pscustomobject]@{ ComputerName = $db.Parent.ComputerName InstanceName = $db.Parent.ServiceName SqlInstance = $db.Parent.DomainInstanceName Database = $dbName Schema = $tableobject.Schema Table = $tableobject.Name Columns = $tableobject.Columns.Name Rows = $($data.Count) Elapsed = [prettytimespan]$elapsed.Elapsed Status = $maskingStatus } # Reset time $null = $elapsed.Reset() } # Cleanup if ($uniqueDataTableName) { Write-Message -Message "Cleaning up unique temporary table '$uniqueDataTableName'" -Level verbose $query = "DROP TABLE [$($uniqueDataTableName)];" try { $null = Invoke-DbaQuery -SqlInstance $server -SqlCredential $SqlCredential -Database 'tempdb' -Query $query -EnableException } catch { Stop-Function -Message "Could not clean up unique values table '$uniqueDataTableName'" -Target $uniqueDataTableName -ErrorRecord $_ } } } #endregion for each table # Export the dictionary when needed if ($DictionaryExportPath) { try { # Handle dictionary $query = "SELECT [ValueKey], [NewValue] FROM dbo.DeterministicValues" [array]$dictResult = $server.Databases['tempdb'].Query($query) if ($dictResult.Count -ge 1) { Write-Message -Message "Writing dictionary for $($db.Name)" -Level Verbose # Check if the output directory already exists if (-not (Test-Path -Path $DictionaryExportPath)) { $null = New-Item -Path $DictionaryExportPath -ItemType Directory } # Of course with Linux we need to change the slashes if (-not $script:isWindows) { $dictionaryFileName = $dictionaryFileName.Replace("\", "/") } # Setup the file paths $filenamepart = $server.Name.Replace('\', '$').Replace('TCP:', '').Replace(',', '.') $dictionaryFileName = "$DictionaryExportPath\$($filenamepart).$($db.Name).Dictionary.csv" # Export dictionary $null = $dictResult | Export-Csv -Path $dictionaryFileName -NoTypeInformation Get-ChildItem -Path $dictionaryFileName } else { Write-Message -Level Verbose -Message "No values to export as a dictionary" } } catch { Stop-Function -Message "Something went wrong writing the dictionary to the $DictionaryExportPath" -Target $DictionaryExportPath -Continue -ErrorRecord $_ } } } # End foreach database # Do some cleanup $null = $server.Databases['tempdb'].Tables.Refresh() if ($server.Databases['tempdb'].Tables.Name -contains 'DeterministicValues') { $query = "DROP TABLE dbo.DeterministicValues" try { Write-Message -Level Verbose -Message "Cleaning up deterministic values table" $null = $server.Databases['tempdb'].Query($query) } catch { Stop-Function -Message "Could not remove deterministic value table" -ErrorRecord $_ } } } # End foreach instance } # End process block } # End # SIG # Begin signature block # MIIZewYJKoZIhvcNAQcCoIIZbDCCGWgCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUNTfRn9PXNlX+t48oKXa2R1gu # Y/+gghSJMIIE/jCCA+agAwIBAgIQDUJK4L46iP9gQCHOFADw3TANBgkqhkiG9w0B # AQsFADByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD # VQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFz # c3VyZWQgSUQgVGltZXN0YW1waW5nIENBMB4XDTIxMDEwMTAwMDAwMFoXDTMxMDEw # NjAwMDAwMFowSDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu # MSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAgMjAyMTCCASIwDQYJKoZIhvcN # AQEBBQADggEPADCCAQoCggEBAMLmYYRnxYr1DQikRcpja1HXOhFCvQp1dU2UtAxQ # tSYQ/h3Ib5FrDJbnGlxI70Tlv5thzRWRYlq4/2cLnGP9NmqB+in43Stwhd4CGPN4 # bbx9+cdtCT2+anaH6Yq9+IRdHnbJ5MZ2djpT0dHTWjaPxqPhLxs6t2HWc+xObTOK # fF1FLUuxUOZBOjdWhtyTI433UCXoZObd048vV7WHIOsOjizVI9r0TXhG4wODMSlK # XAwxikqMiMX3MFr5FK8VX2xDSQn9JiNT9o1j6BqrW7EdMMKbaYK02/xWVLwfoYer # vnpbCiAvSwnJlaeNsvrWY4tOpXIc7p96AXP4Gdb+DUmEvQECAwEAAaOCAbgwggG0 # MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsG # AQUFBwMIMEEGA1UdIAQ6MDgwNgYJYIZIAYb9bAcBMCkwJwYIKwYBBQUHAgEWG2h0 # dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAfBgNVHSMEGDAWgBT0tuEgHf4prtLk # YaWyoiWyyBc1bjAdBgNVHQ4EFgQUNkSGjqS6sGa+vCgtHUQ23eNqerwwcQYDVR0f # BGowaDAyoDCgLoYsaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJl # ZC10cy5jcmwwMqAwoC6GLGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWFz # c3VyZWQtdHMuY3JsMIGFBggrBgEFBQcBAQR5MHcwJAYIKwYBBQUHMAGGGGh0dHA6 # Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBPBggrBgEFBQcwAoZDaHR0cDovL2NhY2VydHMu # ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRFRpbWVzdGFtcGluZ0NB # LmNydDANBgkqhkiG9w0BAQsFAAOCAQEASBzctemaI7znGucgDo5nRv1CclF0CiNH # o6uS0iXEcFm+FKDlJ4GlTRQVGQd58NEEw4bZO73+RAJmTe1ppA/2uHDPYuj1UUp4 # eTZ6J7fz51Kfk6ftQ55757TdQSKJ+4eiRgNO/PT+t2R3Y18jUmmDgvoaU+2QzI2h # F3MN9PNlOXBL85zWenvaDLw9MtAby/Vh/HUIAHa8gQ74wOFcz8QRcucbZEnYIpp1 # FUL1LTI4gdr0YKK6tFL7XOBhJCVPst/JKahzQ1HavWPWH1ub9y4bTxMd90oNcX6X # t/Q/hOvB46NJofrOp79Wz7pZdmGJX36ntI5nePk2mOHLKNpbh6aKLzCCBRowggQC # oAMCAQICEAMFu4YhsKFjX7/erhIE520wDQYJKoZIhvcNAQELBQAwcjELMAkGA1UE # BhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2lj # ZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIENvZGUg # U2lnbmluZyBDQTAeFw0yMDA1MTIwMDAwMDBaFw0yMzA2MDgxMjAwMDBaMFcxCzAJ # BgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTEPMA0GA1UEBxMGVmllbm5hMREw # DwYDVQQKEwhkYmF0b29sczERMA8GA1UEAxMIZGJhdG9vbHMwggEiMA0GCSqGSIb3 # DQEBAQUAA4IBDwAwggEKAoIBAQC8v2N7q+O/vggBtpjmteofFo140k73JXQ5sOD6 # QLzjgija+scoYPxTmFSImnqtjfZFWmucAWsDiMVVro/6yGjsXmJJUA7oD5BlMdAK # fuiq4558YBOjjc0Bp3NbY5ZGujdCmsw9lqHRAVil6P1ZpAv3D/TyVVq6AjDsJY+x # rRL9iMc8YpD5tiAj+SsRSuT5qwPuW83ByRHqkaJ5YDJ/R82ZKh69AFNXoJ3xCJR+ # P7+pa8tbdSgRf25w4ZfYPy9InEvsnIRVZMeDjjuGvqr0/Mar73UI79z0NYW80yN/ # 7VzlrvV8RnniHWY2ib9ehZligp5aEqdV2/XFVPV4SKaJs8R9AgMBAAGjggHFMIIB # wTAfBgNVHSMEGDAWgBRaxLl7KgqjpepxA8Bg+S32ZXUOWDAdBgNVHQ4EFgQU8MCg # +7YDgENO+wnX3d96scvjniIwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG # AQUFBwMDMHcGA1UdHwRwMG4wNaAzoDGGL2h0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNv # bS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMDWgM6Axhi9odHRwOi8vY3JsNC5kaWdp # Y2VydC5jb20vc2hhMi1hc3N1cmVkLWNzLWcxLmNybDBMBgNVHSAERTBDMDcGCWCG # SAGG/WwDATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20v # Q1BTMAgGBmeBDAEEATCBhAYIKwYBBQUHAQEEeDB2MCQGCCsGAQUFBzABhhhodHRw # Oi8vb2NzcC5kaWdpY2VydC5jb20wTgYIKwYBBQUHMAKGQmh0dHA6Ly9jYWNlcnRz # LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJBc3N1cmVkSURDb2RlU2lnbmluZ0NB # LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCPzflwlQwf1jak # EqymPOc0nBxiY7F4FwcmL7IrTLhub6Pjg4ZYfiC79Akz5aNlqO+TJ0kqglkfnOsc # jfKQzzDwcZthLVZl83igzCLnWMo8Zk/D2d4ZLY9esFwqPNvuuVDrHvgh7H6DJ/zP # Vm5EOK0sljT0UQ6HQEwtouH5S8nrqCGZ8jKM/+DeJlm+rCAGGf7TV85uqsAn5JqD # En/bXE1AlyG1Q5YiXFGS5Sf0qS4Nisw7vRrZ6Qc4NwBty4cAYjzDPDixorWI8+FV # OUWKMdL7tV8i393/XykwsccCstBCp7VnSZN+4vgzjEJQql5uQfysjcW9rrb/qixp # csPTKYRHMIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0B # AQsFADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD # VQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVk # IElEIFJvb3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQsw # CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu # ZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQg # Q29kZSBTaWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA # +NOzHH8OEa9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ # 1DcZ17aq8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0 # sSgmuyRpwsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6s # cKKrzn/pfMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4Tz # rGdOtcT3jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg # 0A9kczyen6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIB # ADAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUH # AQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYI # KwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFz # c3VyZWRJRFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0 # LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaG # NGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RD # QS5jcmwwTwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0 # dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYE # FFrEuXsqCqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6en # IZ3zbcgPMA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06 # GsTvMGHXfgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5j # DhNLrddfRHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgC # PC6Ro8AlEeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIy # sjaKJAL+L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4Gb # T8aTEAb8B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHvMIIFMTCC # BBmgAwIBAgIQCqEl1tYyG35B5AXaNpfCFTANBgkqhkiG9w0BAQsFADBlMQswCQYD # VQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln # aWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0Ew # HhcNMTYwMTA3MTIwMDAwWhcNMzEwMTA3MTIwMDAwWjByMQswCQYDVQQGEwJVUzEV # MBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29t # MTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgVGltZXN0YW1waW5n # IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdAy7kvNj3/dqbqC # mcU5VChXtiNKxA4HRTNREH3Q+X1NaH7ntqD0jbOI5Je/YyGQmL8TvFfTw+F+CNZq # FAA49y4eO+7MpvYyWf5fZT/gm+vjRkcGGlV+Cyd+wKL1oODeIj8O/36V+/OjuiI+ # GKwR5PCZA207hXwJ0+5dyJoLVOOoCXFr4M8iEA91z3FyTgqt30A6XLdR4aF5FMZN # JCMwXbzsPGBqrC8HzP3w6kfZiFBe/WZuVmEnKYmEUeaC50ZQ/ZQqLKfkdT66mA+E # f58xFNat1fJky3seBdCEGXIX8RcG7z3N1k3vBkL9olMqT4UdxB08r8/arBD13ays # 6Vb/kwIDAQABo4IBzjCCAcowHQYDVR0OBBYEFPS24SAd/imu0uRhpbKiJbLIFzVu # MB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMBIGA1UdEwEB/wQIMAYB # Af8CAQAwDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMHkGCCsG # AQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRwOi8v # Y3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3JsMDqg # OKA2hjRodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURS # b290Q0EuY3JsMFAGA1UdIARJMEcwOAYKYIZIAYb9bAACBDAqMCgGCCsGAQUFBwIB # FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAsGCWCGSAGG/WwHATANBgkq # hkiG9w0BAQsFAAOCAQEAcZUS6VGHVmnN793afKpjerN4zwY3QITvS4S/ys8DAv3F # p8MOIEIsr3fzKx8MIVoqtwU0HWqumfgnoma/Capg33akOpMP+LLR2HwZYuhegiUe # xLoceywh4tZbLBQ1QwRostt1AuByx5jWPGTlH0gQGF+JOGFNYkYkh2OMkVIsrymJ # 5Xgf1gsUpYDXEkdws3XVk4WTfraSZ/tTYYmo9WuWwPRYaQ18yAGxuSh1t5ljhSKM # Ycp5lH5Z/IwP42+1ASa2bKXuh1Eh5Fhgm7oMLSttosR+u8QlK0cCCHxJrhO24XxC # QijGGFbPQTS2Zl22dHv1VjMiLyI2skuiSpXY9aaOUjGCBFwwggRYAgEBMIGGMHIx # CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 # dy5kaWdpY2VydC5jb20xMTAvBgNVBAMTKERpZ2lDZXJ0IFNIQTIgQXNzdXJlZCBJ # RCBDb2RlIFNpZ25pbmcgQ0ECEAMFu4YhsKFjX7/erhIE520wCQYFKw4DAhoFAKB4 # MBgGCisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQB # gjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkE # MRYEFECzDPIO9Kn+aQkGAWMercdff4IZMA0GCSqGSIb3DQEBAQUABIIBAA3vxdPG # E2lBN51w5f1bM4No2BvjoW07rX6PGAltMWfrs74JQYipY7aDuH03nwOY4FImxobr # +R10i3mCzXhRy78+Dkr5BJ2NlSf5Pru1rRZHXUtMrDnb97TRclMkAQiaAZPOTfKa # O+NXvSgrG75sZOOu+zJmLpbnB2o6auUAQPyXeSO1jTKDCaf9uLQDPCbYyLz1YGnG # O14jtgWljr0uurW/CcsWvBbfPdA6lUezxG8GiB8oqKGScjn8qaX5m1tEJ840/afj # /I4I/5OqrMHPRNz66SL9XXWeEcCnrd+WGSVgkRquNZu9WIDaaWhIEHQwZ2UQj8O1 # RC+/uF2GVOQi2OGhggIwMIICLAYJKoZIhvcNAQkGMYICHTCCAhkCAQEwgYYwcjEL # MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 # LmRpZ2ljZXJ0LmNvbTExMC8GA1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElE # IFRpbWVzdGFtcGluZyBDQQIQDUJK4L46iP9gQCHOFADw3TANBglghkgBZQMEAgEF # AKBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIx # MDgwNTAwMTA1NlowLwYJKoZIhvcNAQkEMSIEIMjKsB6N8p+M3qBpKvoURYstgpg0 # alQhYZsXphOZlVhdMA0GCSqGSIb3DQEBAQUABIIBAICjB0P/9nA3HfPAcGJtaFe1 # 5wsYZmztd18/RbfM+49LzIK8H1rEGnKaf5dUjfZLDJe3/YXKIhQ42zGKzvvTwDuW # 651Ujqh3iZAx3/rXpBeqv4IajVLJSrxfUkXAE8b42u9Wu3SjQuS4Y6WIERKnov0g # Em2vmspi1mTiPH8+pFamHMbQG51eFwE3Fqd+2UjO03Ei9eatX3nmVEK5nMn0XExr # 0b0sLBHDhux4VlrVzRKNjhS4ywzjfI0jNbfGFI4WR2VHI7SAb0eEqM7ySnJqg2pm # rRTZvP8QFx7qOJK73gcS0o7QXA6zXRgUcrEzzTe1HJAevaToNj5+e86+Oqldjk0= # SIG # End signature block |