AzStackHciConnectivity/AzStackHci.Connectivity.Helpers.psm1

class AzStackHciConnectivityTarget
{
    # Attributes for Azure Monitor schema
    [string]$Name #Name of the individual test/rule/alert that was executed. Unique, not exposed to the customer.
    [string]$Title #User-facing name; one or more sentences indicating the direct issue.
    [string]$Severity #Severity of the result (Critical, Warning, Informational, Hidden) – this answers how important the result is. Critical is the only update-blocking severity.
    [string]$Description #Detailed overview of the issue and what impact the issue has on the stamp.
    [psobject]$Tags #Key-value pairs that allow grouping/filtering individual tests. For example, "Group": "ReadinessChecks", "UpdateType": "ClusterAware"
    [string]$Status #The status of the check running (i.e. Failed, Succeeded, In Progress) – this answers whether the check ran, and passed or failed.
    [string]$Remediation #Set of steps that can be taken to resolve the issue found.
    [string]$TargetResourceID #The unique identifier for the affected resource (such as a node or drive).
    [string]$TargetResourceName #The name of the affected resource.
    [string]$TargetResourceType #The type of resource being referred to (well-known set of nouns in infrastructure, aligning with Monitoring).
    [datetime]$Timestamp #The Time in which the HealthCheck was called.
    [psobject[]]$AdditionalData #Property bag of key value pairs for additional information.
    [string]$HealthCheckSource #The name of the services called for the HealthCheck (I.E. Test-AzureStack, Test-Cluster).

    # Attribute for performing check
    [string[]]$EndPoint
    [string[]]$Protocol

    # Additional Attributes for end user interaction
    [string[]]$Service # short cut property to Service from tags
    [string[]]$OperationType # short cut property to Operation Type from tags
    [string[]]$Group # short cut property to group from tags
    [bool]$Mandatory # short cut property to mandatory from tags
    [bool]$System # targets for system checks such as proxy traversal
    [string]$Region # Region of the target
    [bool]$ArcGateway # Support by Arc Gateway and hence does not need checking explicitly
}

class AzStackHciConnectivityManifest
{
    [string]$Title
    [System.Version]$Version
    [PsObject[]]$Targets
}

Import-LocalizedData -BindingVariable lcTxt -FileName AzStackHci.Connectivity.Strings.psd1

function Test-Dns
{
    <#
    .SYNOPSIS
        Test DNS Resolution
    #>

    [CmdletBinding()]
    param (
        [System.Management.Automation.Runspaces.PSSession]
        $PsSession,

        [string]
        $RegionName
    )

    # Define dns target in config so it can be injected at runtime.
    # fall back to microsoft.com if one is not defined
    if ($RegionName -eq 'AzureLocal')
    {
        [array]$dnsTargetHostname = $Script:AzStackHciConnectivityTargets | `
            Where-Object {$_.Name -eq 'System_Check_DNS_External_Hostname_Resolution' -and $_.Region -eq $RegionName} | `
            Select-Object -ExpandProperty EndPoint
    }
    else
    {
        [array]$dnsTargetHostname = $Script:AzStackHciConnectivityTargets | `
            Where-Object {$_.Name -eq 'System_Check_DNS_External_Hostname_Resolution' -and $_.Region -eq 'Global'} | `
            Select-Object -ExpandProperty EndPoint
    }


    if ($null -eq $dnsTargetHostname)
    {
        Log-Info "No DNS target found, using microsoft.com as fall back" -ConsoleOut -Type Warning
        $dnsTargetHostname = @('microsoft.com')
    }

    if ($dnsTargetHostname.count -ne 1)
    {
        throw "Expected 1 System_Check_DNS_External_Hostname_Resolution, found $($dnsTargetHostname.count)"
    }

    # scriptblock to test dns resolution for each dns server
    $testDnsSb = {
        $dnsTargetHostname = $args[0]
        # Pass in localized strings
        $NoDnsConfigured = $args[1]
        $QueryDnsFail = $args[2]
        $QueryDnsPass = $args[3]
        $SkipDnsWithProxy = $args[4]
        # Test if proxy is enabled and return because proxy maybe doing dns resolution
        function IsProxyEnabled
        {
            $line1, $line2, $line3, $JsonLines = netsh winhttp show advproxy
            $proxy = $JsonLines | ConvertFrom-Json -ErrorAction SilentlyContinue
            [bool]$proxy.Proxy
        }

        if (IsProxyEnabled)
        {
            return @{
                Resource  = $SkipDnsWithProxy
                Status    = 'SUCCESS'
                TimeStamp = [datetime]::UtcNow
                Source    = $ENV:COMPUTERNAME
                Detail    = $SkipDnsWithProxy -f $ENV:COMPUTERNAME
            }
        }

        $AdditionalData = @()

        # Get local DNS servers
        $dnsServers = @()
        $netAdapter = Get-NetAdapter | Where-Object Status -EQ Up
        $dnsServer = Get-DnsClientServerAddress -InterfaceIndex $netAdapter.ifIndex -AddressFamily IPv4
        $dnsServers += $dnsServer | ForEach-Object { $PSITEM.Address } | Sort-Object | Get-Unique

        if (-not $dnsServers)
        {
            return @{
                Resource  = $NoDnsConfigured
                Status    = 'FAILURE'
                TimeStamp = [datetime]::UtcNow
                Source    = $ENV:COMPUTERNAME
                Detail    = $NoDnsConfigured
            }
        }
        else
        {
            $dnsTargetHostname = $dnsTargetHostname | Select-Object -first 1
            foreach ($dnsServer in $dnsServers)
            {
                $dnsResult = $false
                $dnsResult = Resolve-DnsName -Name $dnsTargetHostname -Server $dnsServer -DnsOnly -ErrorAction SilentlyContinue -QuickTimeout -Type A
                if ([int]($dnsResult.count) -eq 0)
                {
                    $detail = $QueryDnsFail -f $dnsServer, $dnsTargetHostname, $ENV:COMPUTERNAME, [int]($dnsResult.count)
                }
                else
                {
                    $detail = $QueryDnsPass -f $dnsServer, $dnsTargetHostname, $ENV:COMPUTERNAME, [int]($dnsResult.count), ($dnsResult.IpAddress -join ',')
                }

                if ($dnsResult)
                {
                    if ($dnsResult[0] -is [Microsoft.DnsClient.Commands.DnsRecord])
                    {
                        $status = 'SUCCESS'
                    }
                    else
                    {
                        $status = 'FAILURE'
                    }
                }
                else
                {
                    $status = 'FAILURE'
                }
                $AdditionalData += @{
                    Resource  = $dnsServer
                    Status    = $status
                    TimeStamp = [datetime]::UtcNow
                    Source    = $ENV:COMPUTERNAME
                    Detail    = $detail
                }
            }
        }
        $AdditionalData
    }

    # run scriptblock
    $dnsargs = @{
        ArgumentList = $dnsTargetHostname, $lcTxt.NoDnsConfigured, $lcTxt.QueryDnsFail, $lcTxt.QueryDnsPass, $lcTxt.SkipDnsWithProxy
    }
    $testDnsServer = if ($PsSession)
    {
        Invoke-Command -Session $PsSession -ScriptBlock $testDnsSb @dnsArgs
    }
    else
    {
        Invoke-Command -ScriptBlock $testDnsSb @dnsArgs
    }

    # build result
    $now = [datetime]::UtcNow

    # Write result to verbose log
    $testDnsServer | Foreach-Object {
        Log-Info $_.Detail -Type $(if ( $_.Status -eq 'FAILURE' ){ "WARNING" } else { "INFO" } )
    }

    $testDnsResult += $testDnsServer | Foreach-Object {
        $params = @{
            Name               = 'AzStackHci_Connectivity_Test_Dns'
            Title              = 'Test DNS'
            DisplayName        = 'Test DNS'
            Severity           = 'Critical'
            Description        = 'Test DNS Resolution'
            Tags               = @{
                Service        = 'System'
            }
            Remediation        = 'https://learn.microsoft.com/en-us/azure-stack/hci/deploy/deployment-tool-checklist'
            TargetResourceID   = "$($PsItem.Source)/$($PsItem.Resource)"
            TargetResourceName = $PsItem.Resource
            TargetResourceType = 'DNS'
            Timestamp          = $now
            Status             = $PsItem.Status
            AdditionalData     = $PsItem
            HealthCheckSource  = $ENV:EnvChkrId
        }
        New-AzStackHciResultObject @params
    }
    return $testDnsResult
}

function Get-AzStackHciConnectivityServiceName
{
    <#
    .SYNOPSIS
        Retrieve Services from built target packs
    .DESCRIPTION
        Retrieve Services from built target packs
    .EXAMPLE
        PS C:\> Get-AzStackHciServices
        Explanation of what the example does
    .INPUTS
        Service
    .OUTPUTS
        PSObject
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [string[]]
        $Service,

        [Parameter(Mandatory = $false)]
        [switch]
        $IncludeSystem
    )
    try
    {
        Get-AzStackHciConnectivityTarget -IncludeSystem:$IncludeSystem | Select-Object -ExpandProperty Service | Sort-Object | Get-Unique
    }
    catch
    {
        throw "Failed to get services names. Error: $($_.Exception.Message)"
    }
}

function Get-AzStackHciConnectivityOperationName
{
    <#
    .SYNOPSIS
        Retrieve Operation Types from built target packs
    .DESCRIPTION
        Retrieve Operation Types from built target packs e.g. Deployment, Update, Secret Rotation.
    .EXAMPLE
        PS C:\> Get-AzStackHciConnectivityOperationName
        Explanation of what the example does
    .INPUTS
        Service
    .OUTPUTS
        PSObject
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [string]
        $OperationType
    )
    try
    {
        Get-AzStackHciConnectivityTarget | Select-Object -ExpandProperty OperationType | Sort-Object | Get-Unique
    }
    catch
    {
        throw "Failed to get services names. Error: $($_.Exception.Message)"
    }
}

function Get-AzStackHciConnectivityTarget
{
    <#
        .SYNOPSIS
            Retrieve Endpoints from built target packs
        .DESCRIPTION
            Retrieve Endpoints from built target packs
        .EXAMPLE
            PS> Get-AzStackHciConnectivityTarget
            Get all connectivity targets
        .EXAMPLE
            Get-AzStackHciConnectivityTarget -Service ARC | ft Name, Title, Service, OperationType -AutoSize
            Get all ARC connectivity targets
        .EXAMPLE
            PS> Get-AzStackHciConnectivityTarget -Service ARC -OperationType Workload | ft Name, Title, Service, OperationType -AutoSize
            Get all ARC targets for workloads
        .EXAMPLE
            PS> Get-AzStackHciConnectivityTarget -OperationType Workload | ft Name, Title, Service, OperationType -AutoSize
            Get all targets for workloads
        .EXAMPLE
            PS> Get-AzStackHciConnectivityTarget -OperationType ARC -OperationType Update -Additive | ft Name, Title, Service, OperationType -AutoSize
            Get all ARC targets and all targets for Update
        .INPUTS
            Service - String array
            OperationType - String array
            Additive - Switch
        .OUTPUTS
            PSObject
        .NOTES
    #>

    [CmdletBinding()]
    param (

        [Parameter(Mandatory = $false)]
        [string[]]
        $Service,

        [Parameter(Mandatory = $false)]
        [string[]]
        $OperationType,

        [Parameter(Mandatory = $false)]
        [switch]
        $Additive,

        [Parameter(Mandatory = $false)]
        [switch]
        $IncludeSystem,

        [Parameter(Mandatory = $false)]
        [switch]
        $LocalOnly,

        [Parameter()]
        [system.uri]
        $Uri = 'https://aka.ms/hciconnectivitytargets',

        [Parameter()]
        [psobject[]]
        $RuntimeConnectivityTarget,

        [Parameter()]
        [string]
        $RegionName,

        [Parameter()]
        [switch]
        $ARCGateway

    )
    try
    {
        Import-AzStackHciConnectivityTarget -LocalOnly:$LocalOnly -Uri $Uri -RuntimeConnectivityTarget $RuntimeConnectivityTarget
        $executionTargets = @()
        # Additive allows the user to "-OR" their parameter values

        if ($Additive)
        {
            Write-Verbose -Message "Getting targets additively"
            if (-not [string]::IsNullOrEmpty($Service))
            {
                Write-Verbose -Message ("Getting targets by Service: {0}" -f ($Service -join ','))
                foreach ($svc in $Service)
                {
                    $executionTargets += $Script:AzStackHciConnectivityTargets | Where-Object { $svc -in $_.Service }
                }
            }
            if (-not [string]::IsNullOrEmpty($OperationType))
            {
                Write-Verbose -Message ("Getting targets by Operation Type: {0}" -f ($OperationType -join ','))
                foreach ($Op in $OperationType)
                {
                    $executionTargets += $Script:AzStackHciConnectivityTargets | Where-Object { $Op -in $_.OperationType }
                }
            }
            if ([string]::IsNullOrEmpty($OperationType) -and [string]::IsNullOrEmpty($Service))
            {
                $executionTargets += $Script:AzStackHciConnectivityTargets
            }
        }
        else
        {
            if ([string]::IsNullOrEmpty($OperationType) -and [string]::IsNullOrEmpty($Service))
            {
                $executionTargets += $Script:AzStackHciConnectivityTargets
            }
            elseif (-not [string]::IsNullOrEmpty($Service) -and [string]::IsNullOrEmpty($OperationType))
            {
                Write-Verbose -Message ("Getting targets by Service: {0}" -f ($Service -join ','))
                foreach ($svc in $Service)
                {
                    $executionTargets += $Script:AzStackHciConnectivityTargets | Where-Object { $svc -in $_.Service }
                }
            }
            elseif (-not [string]::IsNullOrEmpty($OperationType) -and [string]::IsNullOrEmpty($Service))
            {
                Write-Verbose -Message ("Getting targets by Operation Type: {0}" -f ($OperationType -join ','))
                foreach ($Op in $OperationType)
                {
                    $executionTargets += $Script:AzStackHciConnectivityTargets | Where-Object { $Op -in $_.OperationType }
                }
            }
            else
            {
                Write-Verbose -Message ("Getting targets by Operation Type: {0} and Service: {1}" -f ($OperationType -join ','), ($Service -join ','))
                $executionTargetsByOp = @()
                foreach ($Op in $OperationType)
                {
                    $executionTargetsByOp += $Script:AzStackHciConnectivityTargets | Where-Object { $Op -in $_.OperationType }
                }
                foreach ($svc in $Service)
                {
                    $executionTargets += $executionTargetsByOp | Where-Object { $svc -in $_.Service }
                }
            }
        }

        # Always add Mandatory targets
        $executionTargets += $Script:AzStackHciConnectivityTargets | Where-Object Mandatory | ForEach-Object {
            if ($PSITEM -notin $executionTargets)
            {
                $PSITEM
            }
        }

        # Any endpoint defined as an ARCGateway does not need to be checked explicitly
        if ($ARCGateway)
        {
            # Log substractions
            $substractions = $executionTargets | Where-Object { $_.ARCGateway }
            Write-Verbose "Removing the following definitions due to ARCGateway support: $($substractions | Format-table Name, ARCGateway, EndPoint | Out-String)"
            $executionTargets = $executionTargets | Where-Object { !$_.ARCGateway }
        }

        # AzureLocal should only be AzureLocal
        # Regular regions should be region + global e.g. EastUS + Global
        if ($RegionName -eq 'AzureLocal')
        {
            $executionTargets = $executionTargets | Where-Object { $_.Region -eq 'AzureLocal' }
        }
        else
        {
            $executionTargets = $executionTargets | Where-Object { $RegionName -in $_.Region -or 'Global' -in $_.Region }
        }

        if ($IncludeSystem)
        {
            return $executionTargets
        }
        else
        {
            return ($executionTargets | Where-Object Service -NotContains 'System')
        }
    }
    catch
    {
        throw "Get failed: $($_.exception)"
    }
}

function Validate-RuntimeConnectivityTarget
{
    <#
    .SYNOPSIS
        Validate Runtime Connectivity Target
    .DESCRIPTION
        Validate Runtime Connectivity Target
    .EXAMPLE
        PS C:\> Validate-RuntimeConnectivityTarget
        Explanation of what the example does
    .INPUTS
        URI
    .OUTPUTS
        Output (if any)
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter()]
        [psobject[]]
        $RuntimeConnectivityTarget
    )
    try
    {
        foreach ($target in $RuntimeConnectivityTarget)
        {
            # this maybe bolstered to include more checks as needed like valid hostname, valid protocol, etc.
            ##### QUESTION: should we only allow 1 endpoint and 1 protocol per custom rule?
            if (-not $target.DisplayName -or $target.DisplayName -isnot [string])
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f "DisplayName", 'a String'
            }
            if (-not $target.Description -or $target.Description -isnot [string])
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f "Description", 'a String'
            }
            if (-not $target.Service -or $target.Service -isnot [System.Array])
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f "Service", 'an Array'
            }
            if (-not $target.EndPoint -or $target.EndPoint -isnot [System.Array])
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f  "EndPoint", 'an Array'
            }
            if (-not $target.Protocol -or $target.Protocol -notmatch 'http|https')
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f "Protocol", 'http or https'
            }
            if (-not $target.Severity -or $target.Severity -notmatch 'CRITICAL|WARNING')
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f "Severity", 'CRITICAL or WARNING'
            }
            if (-not $target.Remediation -or $target.Remediation -notmatch 'https?://.*')
            {
                throw $lcTxt.RuntimeConnectivityTargetFailed -f "Remediation", 'a URL'
            }
        }
    }
    catch
    {
        throw $_
    }

}

function Validate-CustomDefinitionUri
{
    <#
    .SYNOPSIS
        Validate Custom Definition Uri
    .DESCRIPTION
        Validate Custom Definition Uri
    .EXAMPLE
        PS C:\> Validate-CustomDefinitionUri -Uri $Uri
        Explanation of what the example does
    .INPUTS
        URI
    .OUTPUTS
        Output (if any)
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter()]
        [system.uri]
        $Uri
    )
    try
    {
        if ($Uri.Scheme -ne 'https')
        {
            throw $lcTxt.CustomDefinitionUriFailed -f "Uri"
        }
    }
    catch
    {
        throw $_
    }
}

function Import-AzStackHciConnectivityTarget
{
    <#
    .SYNOPSIS
        Retrieve Endpoints from built target packs
    .DESCRIPTION
        Retrieve Endpoints from built target packs
    .EXAMPLE
        PS C:\> Import-AzStackHciConnectivityTarget
        Explanation of what the example does
    .INPUTS
        URI
    .OUTPUTS
        PSObject
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [switch]
        $LocalOnly,

        [Parameter()]
        [system.uri]
        $Uri = 'https://aka.ms/hciconnectivitytargets',

        [Parameter()]
        [psobject[]]
        $RuntimeConnectivityTarget
    )
    try
    {
        $Script:AzStackHciConnectivityTargets = @()
        if (-not $LocalOnly)
        {
            $Script:AzStackHciConnectivityTargets += Get-CloudEndpointFromManifest -Uri $Uri
        }

        if ($Script:AzStackHciConnectivityTargets) {
            return
        }
        else
        {
            $targetFiles = Get-ChildItem -Path "$PSScriptRoot\Targets\*.json" | Select-Object -ExpandProperty FullName
            Write-Verbose ("Importing {0}" -f ($targetFiles -join ','))
            ForEach ($targetFile in $targetFiles)
            {
                try
                {
                    # TO DO - Add validations:
                    # - protocol should not contain ://
                    $targetPackContent = Get-Content -Path $targetFile | ConvertFrom-Json -WarningAction SilentlyContinue
                    foreach ($target in $targetPackContent)
                    {
                        #Set Name of the individual test/rule/alert that was executed. Unique, not exposed to the customer.
                        $target | Add-Member -MemberType NoteProperty -Name HealthCheckSource -Value $ENV:EnvChkrId
                        $target.TargetResourceID = $target.EndPoint -join '_'
                        $target.TargetResourceName = $target.EndPoint -join '_'
                        $target.TargetResourceType = 'External Endpoint'
                        $Script:AzStackHciConnectivityTargets += [AzStackHciConnectivityTarget]$target
                    }
                }
                catch
                {
                    throw ("Unable to read {0}. Error: {1}" -f (Split-Path -Path $targetFile -Leaf), $_.Exception.Message)
                }
            }

            # adding this here so it is subject to any filters (include/exclude/file-based override) that the user may have set
            ##### QUESTION: should this throw an exception if the target is malformed, or continue with the rest of the targets/tests? (currently throws exception)
            if ($RuntimeConnectivityTarget.count -ge 1)
            {
                foreach ($rtTarget in $RuntimeConnectivityTarget)
                {
                    $Script:AzStackHciConnectivityTargets += ConvertTo-AzStackHciConnectivityTarget -RuntimeConnectivityTarget $rtTarget
                }
            }
        }
    }
    catch
    {
        throw "Import failed: $($_.exception)"
    }
}

function ConvertTo-AzStackHciConnectivityTarget
{
    <#
    .SYNOPSIS
        Convert Runtime connectivity (psobject) target to AzStackHciConnectivityTarget
    .DESCRIPTION
        Convert Runtime connectivity (psobject) target to AzStackHciConnectivityTarget
    .EXAMPLE
        PS C:\> ConvertTo-AzStackHciConnectivityTarget -RuntimeConnectivityTarget $RuntimeConnectivityTarget
    .INPUTS
        URI
    .OUTPUTS
        Output (if any)
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter()]
        [psobject]
        $RuntimeConnectivityTarget
    )
    try
    {
        Log-Info "Converting Runtime Connectivity Target to AzStackHciConnectivityTarget:"
        Log-Info ($RuntimeConnectivityTarget | Out-String)
        $hash = @{
            Name = "AzStackHci_Connectivity_{0}_{1}" -f ($RuntimeConnectivityTarget.Service | Select-Object -first 1), $RuntimeConnectivityTarget.DisplayName -replace '\s', '_'
            Service = $RuntimeConnectivityTarget.Service
            Title = $RuntimeConnectivityTarget.DisplayName
            Severity = $RuntimeConnectivityTarget.Severity
            Description = $RuntimeConnectivityTarget.Description
            Remediation = $RuntimeConnectivityTarget.Remediation
            TargetResourceID = $RuntimeConnectivityTarget.EndPoint -join '_' -replace '\*', 'www'
            TargetResourceName = $RuntimeConnectivityTarget.EndPoint -join '_' -replace '\*', 'www'
            TargetResourceType = 'External Endpoint'
            HealthCheckSource = $ENV:EnvChkrId
            Protocol = $RuntimeConnectivityTarget.Protocol
            EndPoint = $RuntimeConnectivityTarget.EndPoint
            # Any runtime endpoint will need to be global and ARCGateway:false to ensure it is not filtered out
            Region = 'Global'
            ARCGateway = $false
        }
        $target = New-Object -TypeName AzStackHciConnectivityTarget -Property $hash
        return $target
    }
    catch
    {
        throw $_
    }
}

function Get-SigningRootChain
{
    <#
    .SYNOPSIS
        Get signing root for https endpoint
    .DESCRIPTION
        Get signing root for https endpoint
    .EXAMPLE
        PS C:\> Get-SigningRoot -uri MicrosoftOnline.com
        Explanation of what the example does
    .INPUTS
        URI
    .OUTPUTS
        Output (if any)
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter()]
        [System.Uri]
        $Uri,

        [Parameter()]
        [System.Management.Automation.Runspaces.PSSession]
        $PsSession,

        [Parameter()]
        [string]
        $Proxy,

        [Parameter()]
        [pscredential]
        $proxyCredential
    )
    try
    {
        $sb = {
            $uri = $args[0]
            $proxy = $args[1]
            $proxyCredential = $args[2]
            $GetSslCertChainFunction = $args[3]

            if (-not (Get-Command -Name Get-SslCertificateChain -ErrorAction SilentlyContinue))
            {
                throw "Cannot find Get-SslCertificateChain in AzStackHci.EnvironmentChecker.PortableUtilities module"
            }
            else
            {
                Write-Verbose "Found Get-SslCertificateChain in AzStackHci.EnvironmentChecker.Utilities module"
                $chain = Get-SslCertificateChain -Url $Uri -Proxy $Proxy -ProxyCredential $ProxyCredential
            }
            return $chain.ChainElements.Certificate
        }
        $ChainElements = if ($PsSession)
        {
            Invoke-Command -Session $PsSession -ScriptBlock $sb -ArgumentList $Uri, $Proxy, $ProxyCredential,${function:Get-SslCertificateChain}
        }
        else
        {
            Invoke-Command -ScriptBlock $sb -ArgumentList $Uri, $Proxy, $ProxyCredential,${function:Get-SslCertificateChain}
        }
        return $ChainElements
    }
    catch
    {
        throw $_
    }
}

function Test-RootCA
{
    <#
    .SYNOPSIS
        Short description
    .DESCRIPTION
        Long description
    .EXAMPLE
        PS C:\> <example usage>
        Explanation of what the example does
    .INPUTS
        Inputs (if any)
    .OUTPUTS
        Output (if any)
    .NOTES
        General notes
    #>

    [CmdletBinding()]
    param(
        [Parameter()]
        [System.Management.Automation.Runspaces.PSSession]
        $PsSession,

        [Parameter()]
        [string]
        $Proxy,

        [Parameter()]
        [pscredential]
        $ProxyCredential
    )
    try
    {
        if ($Script:AzStackHciConnectivityTargets)
        {
            $rootCATarget = $Script:AzStackHciConnectivityTargets | Where-Object Name -EQ System_Check_SSL_Inspection_Detection
            if ($rootCATarget.count -ne 1)
            {
                throw "Expected 1 System_RootCA, found $($rootCATarget.count)"
            }
            Install-UtilityModule -PsSession $PsSession -CmdletName Get-SslCertificateChain
            # We have two endpoints to check, they expire 6 months apart
            # meaning we should get a warning if criteria needs to change
            # 1 only require 1 endpoint to not be re-encrypted to succeed.
            $rootCATargetUrls = @()
            $rootCATarget.EndPoint | Foreach-Object {
                foreach ($p in $rootCATarget.Protocol) {
                    $rootCATargetUrls += "{0}://{1}" -f $p,$PSITEM
                }
            }

            $AdditionalData = @()

            foreach ($rootCATargetUrl in $rootCATargetUrls) {
                Log-Info "Testing SSL chain for $rootCATargetUrl"
                [array]$ChainElements = Get-SigningRootChain -Uri $rootCATargetUrl -PsSession $PsSession -Proxy $Proxy -ProxyCredential $ProxyCredential
                # This is our canary internet endpoint, if we can't get the chain we probably don't have internet access.
                if ($null -eq $ChainElements)
                {
                    $Status = 'FAILURE'
                    $detail = "Failed to get certificate chain for $rootCATargetUrl. Ensure the endpoint is accessible and proxy configuration is correct."
                    Log-Info $detail -Type Warning
                }
                else
                {
                    # Remove the leaf as this will always contain O=Microsoft in its subject
                    $ChainElements = $ChainElements[1..($ChainElements.Length-1)]
                    $subjectMatchCount = 0
                    # We check for 2 expected subjects and only require 1 to succeed
                    $rootCATarget.Tags.ExpectedSubject | Foreach-Object {
                        if ($ChainElements.Subject -match $PSITEM)
                        {
                            $subjectMatchCount++
                        }
                    }
                    if ($subjectMatchCount -ge 1)
                    {
                        $Status = 'SUCCESS'
                        $detail = "Expected at least 1 chain certificate subject to match $($rootCATarget.Tags.ExpectedSubject -join ' or '). $subjectMatchCount matched."
                        Log-Info $detail
                    }
                    else
                    {
                        $Status = 'FAILURE'
                        $detail = "Expected at least 1 chain certificate subjects to match $($rootCATarget.Tags.ExpectedSubject -join ' or '). $subjectMatchCount matched. Actual subjects $($ChainElements.Subject -join ','). SSL decryption and re-encryption detected."
                        Log-Info $detail -Type Error
                    }
                }
                $AdditionalData += @{
                    Source    = if ([string]::IsNullOrEmpty($PsSession.ComputerName)) { $ENV:COMPUTERNAME } else { $PsSession.ComputerName }
                    Resource  = $rootCATargetUrl
                    Status    = $Status
                    Detail    = $detail
                    TimeStamp = [datetime]::UtcNow
                }
            }

            $result = @()
            $result += $AdditionalData | ForEach-Object {
                $params = @{
                    Name               = $rootCATarget.Name
                    Title              = $rootCATarget.Title
                    DisplayName        = $rootCATarget.Title
                    Severity           = $rootCATarget.Severity
                    Description        = $rootCATarget.Description
                    Tags               = @{
                        Service = 'System'
                        Mandatory = $true
                    }
                    Remediation        = 'https://learn.microsoft.com/en-us/azure-stack/hci/deploy/deployment-tool-checklist'
                    TargetResourceID   = "$($PsItem.Source)/$($PsItem.Resource)"
                    TargetResourceName = $PsItem.Resource
                    TargetResourceType = $rootCATarget.TargetResourceType
                    Timestamp          = $PsItem.TimeStamp
                    Status             = $PsItem.Status
                    AdditionalData     = $PsItem
                    HealthCheckSource  = $ENV:EnvChkrId
                }
                New-AzStackHciResultObject @params
            }
            Remove-UtilityModule -PsSession $PsSession
            return $result
        }
        else
        {
            throw "No AzStackHciConnectivityTargets"
        }
    }
    catch
    {
        Log-Info "Test-RootCA failed with error: $($_.exception.message)" -Type Warning
    }
}

function Get-UniqueEndpoint
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [PsObject]
        $Target
    )
    # Build list of unique endpoints
    $uriList = @()
    foreach ($t in $Target)
    {
        foreach ($u in $t.EndPoint)
        {
            foreach ($p in $t.Protocol)
            {
                $uriList += "{0}://{1}" -f $p.tolower(), ($u -Replace '\*', 'www')
            }
        }
    }
    Log-Info "Uri Count (total): $($uriList.count)"
    $uriList = $uriList | Sort-Object -Unique
    Log-Info "Uri Count (Unique): $($uriList.count)"
    return $uriList
}

function Invoke-WebRequestEx
{
    <#
    .SYNOPSIS
        Get Connectivity via Invoke-WebRequest
    .DESCRIPTION
        Get Connectivity via Invoke-WebRequest, supporting proxy.
        This function takes a connectivity target definition, creates a PS(5) Job for each endpoint and protocol and returns the results.
        If PsSession is provided, the jobs are run on the remote machine.
        Success is defined as a 200 status code or a valid status code (not service available),
        with a GET method and the response Uri is the same as the request Uri.
    .EXAMPLE
        PS C:\> Invoke-WebRequestEx -Target $Target
        Explanation of what the example does
    .INPUTS
        URI
    .OUTPUTS
        Output (if any)
    .NOTES
        In the case of a proxy being provided, the proxy is used for all endpoints.
        In the case of a proxy being configured on the box, invoke-webrequest will use the wininet proxy for all calls.
        Certificate Validation is disabled for the calls.
    #>

    [CmdletBinding()]
    param (
        [Parameter()]
        [psobject[]]
        $Target,

        [Parameter()]
        [System.Management.Automation.Runspaces.PSSession[]]
        $PsSession,

        [Parameter()]
        [string]
        $Proxy,

        [Parameter()]
        [pscredential]
        $ProxyCredential

    )

    if (-not $Target)
    {
        Log-Info "No targets to test. Returning No_Target result"
        $params = @{
            Name               = 'AzStackHci_Connectivity_No_Targets'
            Title              = 'No Connectivity Targets to Test'
            DisplayName        = 'No Connectivity Targets to Test'
            Severity           = 'INFORMATIONAL'
            Description        = 'No Connectivity Targets to Test'
            Tags               = @{
                Service        = $_.Service
                Mandatory      = $_.Mandatory
                ARCGateway     = $_.ARCGateway
                Region         = $_.Region
            }
            Remediation        = 'No action required'
            TargetResourceID   = $PsSession -join ','
            TargetResourceName = $PsSession -join ','
            TargetResourceType = 'Endpoint'
            Timestamp          = [datetime]::UtcNow
            Status             = 'SUCCESS'
            AdditionalData     = @{}
            HealthCheckSource  = $ENV:EnvChkrId
        }
        return (New-AzStackHciResultObject @params)
    }
    $Target | Add-Member -MemberType NoteProperty -Name TimeStamp -Value [datetime]::UtcNow -Force
    $ScriptBlock = {
        $Uri = $args[0]
        $TimeoutSecs = $args[1]
        $maxJobs = $args[2]
        $Proxy = $args[3]
        $ProxyCredential = $args[4]

        $timeoutSecondsDefault = 10
        if ([string]::IsNullOrEmpty($TimeoutSecs))
        {
            $timeout = $timeoutSecondsDefault
        }
        else
        {
            $timeout = $TimeoutSecs
        }
        # Create an array of jobs for all uris and protocols
        $inProgressJobList = @()
        $totalJobList = @()
        $results = @()
        foreach ($u in $uri)
        {
            $iwrScriptBlock = {
                $retry = 0
                $maxRetry = 3
                do {
                    $retry++
                    if ($retry -gt 1)
                    {
                        Start-Sleep -Seconds 5
                    }

                    try
                    {
                        $uri = $args[0]
                        $proxy = $args[1]
                        $proxyCred = $args[2]
                        $Timeout = $args[3]
                        $iwrParams =@{
                            Uri = $Uri
                            UseBasicParsing = $true
                            TimeoutSec = 30
                        }

                        # Ignore certificate validation and use TLS 1.2
                        if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
                        {
                            $certCallback = @"
                            using System;
                            using System.Net;
                            using System.Net.Security;
                            using System.Security.Cryptography.X509Certificates;
                            public class ServerCertificateValidationCallback
                            {
                                public static void Ignore()
                                {
                                    if(ServicePointManager.ServerCertificateValidationCallback == null)
                                    {
                                        ServicePointManager.ServerCertificateValidationCallback +=
                                            delegate
                                            (
                                                Object obj,
                                                X509Certificate certificate,
                                                X509Chain chain,
                                                SslPolicyErrors errors
                                            )
                                            {
                                                return true;
                                            };
                                    }
                                }
                            }
"@

                            $null = Add-Type $certCallback
                            $null = [ServerCertificateValidationCallback]::Ignore()
                            $null = [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                        }

                        if ($proxy) {
                            $iwrParams.Add('Proxy', $proxy)
                            $iwrParams.Add('ProxyUseDefaultCredentials', $true)
                        }

                        if ($proxyCred) {
                            $iwrParams.Remove('ProxyUseDefaultCredentials')
                            $iwrParams.Add('ProxyCredential', $proxyCred)
                        }
                        $stopwatch = [System.Diagnostics.Stopwatch]::new()
                        $Stopwatch.Start()
                        $webOut = Invoke-WebRequest @iwrParams
                        $Stopwatch.Stop()
                        $statusCode = $webout.StatusCode
                        $webResponse = $webOut.BaseResponse
                        $headers = $webOut.Headers
                        $content = $webOut.Content
                    }
                    catch {
                        if ($stopwatch.IsRunning)
                        {
                            $stopwatch.Stop()
                        }
                        $webResponse = $_.Exception.Response

                        if ($webResponse) {
                            try {
                                $statusCode = [int]$webResponse.StatusCode
                                $headers = @{}
                                $content = [System.Text.Encoding]::UTF8.GetString($webResponse.GetResponseStream().ToArray())
                                foreach ($header in $webResponse.Headers) {
                                    $headers.$header = $webResponse.GetResponseHeader($header)
                                }
                                if ($webResponse.ContentType -eq 'application/json') {
                                    $content = ConvertFrom-Json -InputObject $content
                                }
                            }
                            catch {}
                        }
                        $exception = @{ExceptionMessage = $_.Exception.Message; ErrorDetails = $_.ErrorDetails.Message; NonHTTPFailure = [System.String]::IsNullOrEmpty($webResponse) }
                    }

                    # Response Analysis
                    # if status code is 200 return true
                    # otherwise if the status code is a HTTP status code and the response Uri is the same as the request Uri and the method is GET, return true
                    $isHttpStatusCode = $webResponse.StatusCode -is [System.Net.HttpStatusCode]
                    $responseUriMatch = ([system.uri]$webResponse.ResponseUri).Host -eq ([system.uri]$uri).Host
                    $responseMethodIsGet = $webResponse.Method -eq 'GET'
                    $serviceUnavailable = $webResponse.StatusCode -eq [System.Net.HttpStatusCode]::ServiceUnavailable
                    $test = $webResponse.StatusCode -eq [System.Net.HttpStatusCode]::OK -or ($isHttpStatusCode -and $responseUriMatch -and $responseMethodIsGet -and !$serviceUnavailable)
                    # Gather TCP net connection to test connectivity if it failed.
                    if (-not $test)
                    {
                        $tnc = Test-NetConnection -ComputerName ([system.uri]$uri).Host -Port ([system.uri]$uri).Port -InformationLevel Quiet -WarningAction SilentlyContinue
                    }

                    $Detail = "TestIsSuccess: $test`r`nStatusCode: $statusCode`r`nResponseUri: $($webResponse.ResponseUri)`r`nResponseUriMatch: $responseUriMatch`r`nResponseMethodIsGet: $responseMethodIsGet`r`nTCPNetConnection: $tnc`r`nserviceUnavailable: $serviceUnavailable"
                } while ($test -eq $false -and $retry -lt $maxRetry)
                return @{
                    Source              = $env:ComputerName
                    Retry               = "$retry / $maxRetry"
                    LatencyInMs         = $stopwatch.ElapsedMilliseconds
                    ExceptionMessage    = $Exception.ExceptionMessage
                    Resource            = $Uri
                    Protocol            = $p
                    Status              = if ($test) { "SUCCESS" } else { "FAILURE" }
                    TimeStamp           = [datetime]::UtcNow
                    StatusCode          = $StatusCode
                    Detail              = $Detail
                    DebugDtls           = @{
                        'Test' = $test
                        'Retries' = "$retry / $maxRetry"
                        'Uri' = $Uri
                        'StatusCode'= $statusCode
                        'TCPNetConnection' = $tnc
                        'WebResponse' = $webResponse
                        'Headers' = $headers
                        'Exception' = $exception
                        'serviceUnavailable' = $serviceUnavailable
                        'ResponseUriMatch' = $responseUriMatch
                        'ResponseMethodIsGet' = $responseMethodIsGet
                        'ResponseUri' = $webResponse.ResponseUri
                        'ExceptionMessage' = $Exception.ExceptionMessage
                        'ErrorDetails' = $Exception.ErrorDetails
                        'NonHTTPFailure' = $Exception.NonHTTPFailure
                        'Server' = $webResponse.Server
                        'PowerShellVersion' = $PSVersionTable.PSVersion.Major
                        'LatencyInMs' = $stopwatch.ElapsedMilliseconds
                    }
                }
            }

            # Start job for a url
            # add job to inProgressJobList and totalJobList
            # check inProgressJobList is greater or equal than maxJobs
            # if so wait for any job to finish before adding more
            $job = Start-Job -PSVersion 5.1 -ArgumentList $u, $proxy, $proxyCred, $timeout -ScriptBlock $iwrScriptBlock
            $inProgressJobList += $job
            $totalJobList += $job.id
            if ($inProgressJobList.Count -ge $maxJobs) {
                $finishedJob = @()
                $finishedJob = $inProgressJobList | Wait-Job -Any
                if ($finishedJob) {
                    $inProgressJobList = $inProgressJobList | Where-Object { $_ -ne $finishedJob }
                }
            }
        }
        Wait-Job -Id $totalJobList | Out-Null
        $results += Receive-Job -Id $totalJobList
        Remove-Job -Id $totalJobList
        return $results
    }
    # Set max concurrent jobs
    if ($ENV:EnvChkrId -like 'PreUpdate*')
    {
        $maxJobs = 3
    }
    else
    {
        $maxJobs = 10
    }
    # Create a copy of the Target object
    $result = $Target | Select-Object -Property *
    $UriList = Get-UniqueEndpoint -Target $Target
    $sessionArgs = @()
    if ($result)
    {
        $sessionArgs += @($uriList,$result.Tags.TimeoutSecs, $maxJobs)
    }
    if ($Proxy)
    {
        $sessionArgs += $Proxy
    }
    if ($ProxyCredential)
    {
        $sessionArgs += $ProxyCredential
    }
    # Run Invoke-WebRequests on remote machines if PsSession is provided
    $AdditionalDataResults = @()
    $AdditionalDataResults += if ($PsSession)
    {
        Log-Info "Sending requests to $($PsSession.ComputerName -join ',') to test $($UriList.Count) URIs, this may take a while."
        Invoke-Command -Session $PsSession -ScriptBlock $ScriptBlock -ArgumentList $sessionArgs
        Log-Info "Received responses from $($PsSession.ComputerName -join ',')."
    }
    else
    {
        Log-Info "Sending requests to $ENV:COMPUTERNAME to test $($UriList.Count) URIs, this may take a while."
        Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $sessionArgs
        Log-Info "Received responses from $ENV:COMPUTERNAME."
    }
    $finalResult = Update-TargetWithResult -Target $Target -AdditionalDataResults $AdditionalDataResults
    return $finalResult
}

function Log-EndPointResult
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [psobject]
        $Result,

        [string]
        $Name,

        [string]
        $Severity
    )
    # In the case of failures, log the debug info to aid troubleshooting
    if ( $Result.Status -eq 'FAILURE' ){
        Log-Info ("{0}: {1} {2} ({3})" -f $Result.Status, $Result.Source, $Result.Resource, $result.ExceptionMessage) -Type $Severity -Function 'Invoke-WebrequestEx'
        Log-Info ("Debug {0}: {1} {2}" -f $Result.Source, $Result.Resource, ($Result.DebugDtls | ConvertTo-Json)) -Type $Severity -Function 'Invoke-WebrequestEx'
    }
    else {
        Log-Info ("{0}: {1} {2} ({3}ms)" -f $Result.Status, $Result.Source, $Result.Resource, $result.LatencyInMs) -Function 'Invoke-WebrequestEx'
    }
}

function Update-TargetWithResult
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [PsObject[]]
        $Target,

        [Parameter()]
        [PsObject[]]
        $AdditionalDataResults
    )
    # Match the test result to all the target that match the endpoint
    $result = $Target | Select-Object -Property *
    $finalResult = @()

    # Inspect each result
    foreach ($dataResult in $AdditionalDataResults)
    {
        # find the target that matches the endpoint
        $matchingResult = @()
        $matchingResult = $result | Where-Object { ([system.uri]$dataResult.Resource).Scheme -in $_.Protocol -and ($dataResult.Resource -replace "https?://", "") -in $_.EndPoint}
        $matchingResult | Foreach-Object {
            Log-EndPointResult -Result $dataResult -Severity $PsItem.Severity -Name $PsItem.Name
            $dataResult.DebugDtls = 'redacted'
             # Create output
             $params = @{
                Name               = $PsItem.Name
                Title              = $PsItem.Title
                DisplayName        = $PsItem.Title
                Severity           = $PsItem.Severity
                Description        = $PsItem.Description
                Tags               = @{
                    Service        = $_.Service
                    Mandatory      = $_.Mandatory
                    ARCGateway     = $_.ARCGateway
                    Region         = $_.Region
                }
                Remediation        = $PsItem.Remediation
                TargetResourceID   = "$($dataResult.Source)/$($dataResult.Resource)"
                TargetResourceName = $dataResult.Resource
                TargetResourceType = $PsItem.TargetResourceType
                Timestamp          = $dataResult.TimeStamp
                Status             = $dataResult.Status
                AdditionalData     = $dataResult
                HealthCheckSource  = $ENV:EnvChkrId
            }
            $finalResult += New-AzStackHciResultObject @params
        }
    }
    return $finalResult
}

function Get-ProxyDiagnostics
{
    [CmdletBinding()]
    param(
        [Parameter()]
        [System.Management.Automation.Runspaces.PSSession[]]
        $PsSession,

        [Parameter()]
        [switch]
        $ARCGateway
    )
    Log-Info "Gathering proxy diagnostics"
    $proxyConfigs = @()
    $proxyConfigsRecommendations = @()
    $proxyConfigConsistency = @()
    if ($PsSession)
    {
        foreach ($session in $PsSession)
        {
            $proxyConfigs += Get-WinHttpProxyHelper -PsSession $session
            $proxyConfigs += Get-ProxyEnvironmentVariable -PsSession $session
        }
    }
    else {
        $proxyConfigs += Get-WinHttpProxyHelper
        $proxyConfigs += Get-ProxyEnvironmentVariable
    }

    $proxyConfigConsistency += Test-ProxySettingsConsistency -ProxyConfig $proxyConfigs -ARCGateway:$ARCGateway
    return ($proxyConfigs + $proxyConfigConsistency + $proxyConfigsRecommendations)
}

function Get-WinHttpProxyHelper
{
    [CmdletBinding()]
    param(
        [Parameter()]
        [System.Management.Automation.Runspaces.PSSession]
        $PsSession
    )
    Log-Info "Gathering WinHttp Proxy settings"
    $proxyHelperSb = {

        # gather machine scope proxy settings
        try {
            $line1, $line2, $line3, $JsonLines = netsh winhttp show advproxy
            $machineScope = $JsonLines #ConvertFrom-Json (-Join $JsonLines)
        }
        catch {
        }

        # Make sure we return the same object type as the other proxy functions
        $AdditionalData = @()
        $AdditionalData += @{
            Detail        = $machineScope
            Source        = $ENV:COMPUTERNAME
            Resource      = 'WinHttp'
            Status        = 'SUCCESS'
            TimeStamp    = [datetime]::UtcNow
        }
        return $AdditionalData
    }

    $winHttpOutput = if ($PsSession)
    {
        Invoke-Command -Session $PsSession -ScriptBlock $proxyHelperSb
        $TargetResourceName = "WinHttp_Proxy_$($PsSession.ComputerName)"
    }
    else
    {
        Invoke-Command -ScriptBlock $proxyHelperSb
        $TargetResourceName = "WinHttp_Proxy_$($ENV:COMPUTERNAME)"
    }

    # Write our findings to the log and create output objects
    $results = @()
    $results += foreach ($AdditionalData in $winHttpOutput | Sort-Object Source)
    {
        Log-Info "Machine Scope Proxy for $($AdditionalData.Source) (netsh winhttp show advproxy):"
        $AdditionalData.Detail | Format-List | Out-String -Stream | ForEach-Object {if (![string]::IsNullOrEmpty($_)){ Log-Info $_}}
        # Create output object
        $params = @{
            Name               = 'AzStackHci_Connectivity_Collect_Proxy_Diagnostics_WinHttp'
            Title              = 'WinHttp Proxy Settings'
            DisplayName        = "$($AdditionalData.Source) WinHttp Proxy Settings"
            Severity           = 'INFORMATIONAL'
            Description        = 'Collects proxy configuration for WinHttp'
            Tags               = @{
                Service = 'System'
            }
            Remediation        = "https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-proxy-settings#configure-proxy-settings-for-azure-stack-hci-operating-system"
            TargetResourceID   = "$($AdditionalData.Source)/$($AdditionalData.Resource)"
            TargetResourceName = $AdditionalData.Resource
            TargetResourceType = 'Proxy Settings'
            Timestamp          = [datetime]::UtcNow
            Status             = $AdditionalData.Status
            AdditionalData     = $AdditionalData
            HealthCheckSource  = $ENV:EnvChkrId
        }
        New-AzStackHciResultObject @params
    }
    return $results
}

function Get-ProxyEnvironmentVariable
{
    <#
    .SYNOPSIS
        Get Proxy configuration from environment variables
    .DESCRIPTION
        Get Proxy configuration from environment variables
    .EXAMPLE
        PS C:\> Get-ProxyEnvironmentVariable
        Explanation of what the example does
    .INPUTS
        URI
    .OUTPUTS
        Output (if any)
    .NOTES
    #>

    [CmdletBinding()]
    param (
        [Parameter()]
        [System.Management.Automation.Runspaces.PSSession]
        $PsSession
    )
    Log-Info "Gathering machine Proxy settings from environment variables"

    $envProxySb = {
        $AdditionalData = @()
        $AdditionalData += @{
            Detail      =  @{
                ProxyIsEnabled  = [bool]([Environment]::GetEnvironmentVariable("HTTPS_PROXY","MACHINE"))
                Proxy           = [Environment]::GetEnvironmentVariable("HTTPS_PROXY","MACHINE")
                ProxyBypass     = [Environment]::GetEnvironmentVariable("NO_PROXY","Machine")
            } | ConvertTo-Json
            Source      = $ENV:COMPUTERNAME
            Resource    = 'Environment'
            Status      = 'SUCCESS'
            TimeStamp    = [datetime]::UtcNow
        }
        return $AdditionalData
    }
    [array]$EnvironmentProxyOutput = if ($PsSession)
    {
        Invoke-Command -Session $PsSession -ScriptBlock $envProxySb
        $TargetResourceName = "Environment_Proxy_$($PsSession.ComputerName)"
    }
    else
    {
        Invoke-Command -ScriptBlock $envProxySb
        $TargetResourceName = "Environment_Proxy_$($ENV:COMPUTERNAME)"
    }
    # Write our findings to the log
    $results = @()
    $results += foreach ($AdditionalData in $EnvironmentProxyOutput | Sort-Object Source)
    {
        Log-Info "Environment Scope Proxy for $($AdditionalData.Source) (ENV:HTTPS_PROXY):"
        $AdditionalData.Detail | Format-List | Out-String -Stream | ForEach-Object {if (![string]::IsNullOrEmpty($_)){ Log-Info $_}}
        # Create output object
        $params = @{
            Name               = 'AzStackHci_Connectivity_Collect_Proxy_Diagnostics_Environment'
            Title              = 'Environment Proxy Settings'
            DisplayName        = "$($AdditionalData.Source) Environment Proxy Settings"
            Severity           = 'Information'
            Description        = 'Collects proxy configuration from environment variables'
            Tags               = @{
                Service = 'System'
            }
            Remediation        = "https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-proxy-settings#configure-proxy-settings-for-azure-arc-enabled-servers"
            TargetResourceID   = "$($AdditionalData.Source)/$($AdditionalData.Resource)"
            TargetResourceName = $AdditionalData.Resource
            TargetResourceType = 'Proxy Settings'
            Timestamp          = $AdditionalData.TimeStamp
            Status             = $AdditionalData.Status
            AdditionalData     = $AdditionalData
            HealthCheckSource  = $ENV:EnvChkrId
        }
        New-AzStackHciResultObject @params
    }
    return $results
}

function Test-ProxySettingsConsistency
{
    [CmdletBinding()]
    param(
        [Parameter()]
        [System.Array]
        $ProxyConfig,

        [Parameter()]
        [switch]
        $ARCGateway
    )

    Log-Info "Testing all proxy settings are consistent"

    # TO DO agree on desired proxy config for ARCGateway
    # return dummy result for now
    if ($ARCGateway)
    {
        $params = @{
            Name               = 'AzStackHci_Connectivity_Proxy_Settings_ARCGateway'
            Title              = 'Proxy Settings ARCGateway'
            DisplayName        = 'Dummy result for ARCGateway Proxy Settings'
            Severity           = 'Informational'
            Description        = 'Checks that all nodes are configured consistently for proxy settings in ARCGateway mode'
            Tags               = @{
                Service = 'System'
            }
            Remediation        = "https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-proxy-settings"
            TargetResourceID   = "ARCGateway_Proxy_Settings"
            TargetResourceName = "ARCGateway_Proxy_Settings"
            TargetResourceType = 'ARC Gateway Proxy Settings'
            Timestamp          = [datetime]::UtcNow
            Status             = $Status
            AdditionalData     = @{
                Source = 'None'
                Resource = 'ARCGateway Proxy Settings'
                Status = 'SUCCESS'
                Detail = 'Dummy result for ARCGateway Proxy Settings'
                TimeStamp = [datetime]::UtcNow
            }
            HealthCheckSource  = $ENV:EnvChkrId
        }
        return (New-AzStackHciResultObject @params)
    }

    $simplifiedProxyConfig = Get-SimpleProxyConfigObject -ProxyConfig $ProxyConfig
    if (Compare-PSObjectArray -Array $simplifiedProxyConfig -Property Proxy)
    {
        # Check all winHttp are configured
        $dtl = $lcTxt.ProxySettingsConsistencyPass
        Log-Info $dtl
        $status = 'SUCCESS'
    }
    else
    {
        $dtl = $lcTxt.ProxySettingsConsistencyFail -f ([string]($simplifiedProxyConfig | Format-Table | Out-String) -replace '\r\n','')
        Log-Info $dtl -Type 'Critical'
        $status = 'FAILURE'
    }

    $params = @{
        Name               = 'AzStackHci_Connectivity_Proxy_Settings_Consistency'
        Title              = 'Proxy Settings Consistency'
        DisplayName        = "$($simplifiedProxyConfig.Source -join ',') Environment Proxy Settings"
        Severity           = 'Critical'
        Description        = 'Checks that all nodes are configured consistently for proxy settings'
        Tags               = @{
            Service = 'System'
        }
        Remediation        = "https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-proxy-settings"
        TargetResourceID   = "$($simplifiedProxyConfig.Source -join ',')/Proxy_Settings"
        TargetResourceName = "Proxy_Settings_AllServers"
        TargetResourceType = 'Proxy Settings'
        Timestamp          = [datetime]::UtcNow
        Status             = $Status
        AdditionalData     = @{
            Source = $simplifiedProxyConfig.Source -join ','
            Resource = 'Proxy Settings'
            Status = $status
            Detail = $dtl
            TimeStamp = [datetime]::UtcNow
        }
        HealthCheckSource  = $ENV:EnvChkrId
    }
    [array]$result = New-AzStackHciResultObject @params
    $ByPassCheck = Test-ProxyByPassListRecommendations -ProxyConfig $simplifiedProxyConfig
    return @($result + $ByPassCheck)
}

function Get-SimpleProxyConfigObject
{
    param(
        [Parameter()]
        [System.Array]
        $ProxyConfig
    )
    try {
        $simplifiedProxyConfig = @()
        $simplifiedProxyConfig += foreach ($p in $ProxyConfig)
        {
            $ProxyConfigObject = ConvertFrom-Json -InputObject $p.AdditionalData.Detail
            $hash = @{
                Source    = $p.AdditionalData.Source
                Resource  = $p.AdditionalData.Resource
                ProxyIsEnabled  = $ProxyConfigObject.ProxyIsEnabled
                Proxy           = $ProxyConfigObject.Proxy -replace 'http://|https://',''
                ProxyBypass     = $ProxyConfigObject.ProxyBypass -replace ';',','
            }
            New-Object -TypeName PsObject -Property $hash
        }
        return $simplifiedProxyConfig
    }
    catch {
        throw $_
    }

}

function Test-ProxyByPassListRecommendations
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [System.Array]
        $ProxyConfig
    )

    if ($true -in $ProxyConfig.ProxyIsEnabled)
    {
        $requiredByPassList = @("localhost","127.0.0.1",".svc","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") # should also contain domain name, but we don't know that.
        Log-Info ($lcTxt.ProxyByPassListRecommendations -f ($requiredByPassList -join ','))

        $result = @()
        foreach ($config in $ProxyConfig)
        {
            # Check if each entry is present
            $missingByPassEntry = @()
            foreach ($entry in $requiredByPassList)
            {
                if ($entry -notin ($config.ProxyBypass -split ','))
                {
                    $missingByPassEntry += $entry
                }
            }

            # Set status based on missing entries
            if ($missingByPassEntry.count -gt 0)
            {
                $ByPassDtl = ($lcTxt.ProxyByPassListRecommendationsMissing -f ($missingByPassEntry -join ','), $config.Resource, $config.Source)
                Log-Info $ByPassDtl -Type Warning
                $status = 'FAILURE'
            }
            else
            {
                $ByPassDtl = ($lcTxt.ProxyByPassListRecommendationsPass -f $config.Resource, $config.Source)
                Log-Info $ByPassDtl
                $status = 'SUCCESS'
            }

            $params = @{
                Name               = 'AzStackHci_Connectivity_Proxy_ByPassList_Recommendations'
                Title              = 'Proxy ByPassList Recommendations'
                DisplayName        = "$($config.Source) Proxy ByPassList Recommendations"
                Severity           = 'WARNING'
                Description        = 'Checks that all nodes are configured with recommended proxy bypass list items'
                Tags               = @{
                    Service = 'System'
                }
                Remediation        = "https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-proxy-settings"
                TargetResourceID   = "$($config.Source)/Proxy_Bypass_List"
                TargetResourceName = $config.Resource
                TargetResourceType = 'Proxy Settings'
                Timestamp          = [datetime]::UtcNow
                Status             = $Status
                AdditionalData     = @{
                    Source    = $config.Source
                    Resource  = "Proxy_ByPassList_Recommendations_$($config.Source)"
                    Status    = $status
                    Detail    = $ByPassDtl
                    TimeStamp = [datetime]::UtcNow
                }
                HealthCheckSource  = $ENV:EnvChkrId
            }
            $result += New-AzStackHciResultObject @params

            #region Critical Failure for proxy bypass invalid entries
            [System.String] $bypassCriticalRstStatus = "SUCCESS"
            [System.String] $bypassCriticalRstDeail = ""

            if ($config.ProxyBypass -match ",,")
            {
                $bypassCriticalRstStatus = "FAILURE"
                $bypassCriticalRstDeail += "Proxy bypass list contains ',,' in $($config.Resource) on $($config.Source)."
            }

            if ($config.ProxyBypass -match "<local>")
            {
                $bypassCriticalRstStatus = "FAILURE"
                $bypassCriticalRstDeail += "Proxy bypass list contains '<local>' in $($config.Resource) on $($config.Source)."
            }

            if ([System.String]::IsNullOrEmpty($bypassCriticalRstDeail))
            {
                $bypassCriticalRstDeail = "Entries in proxy bypass list in $($config.Resource) on $($config.Source) are valid."
            }

            $proxyByPassInvalidEntriesCheckRstObject = @{
                Name               = 'AzStackHci_Connectivity_Proxy_ByPassList_InvalidEntries'
                Title              = 'Proxy ByPassList Invalid Entries'
                DisplayName        = "$($config.Source) Proxy Invalid Entries"
                Severity           = 'CRITICAL'
                Description        = 'Checks that all nodes proxy bypass list does not have invalid entries in it'
                Tags               = @{
                    Service = 'System'
                }
                Remediation        = "https://learn.microsoft.com/en-us/azure-stack/hci/manage/configure-proxy-settings"
                TargetResourceID   = "$($config.Source)/Proxy_Bypass_List"
                TargetResourceName = $config.Resource
                TargetResourceType = 'Proxy Settings'
                Timestamp          = [datetime]::UtcNow
                Status             = $bypassCriticalRstStatus
                AdditionalData     = @{
                    Source    = $config.Source
                    Resource  = "Proxy_ByPassList_InvalidEntries_$($config.Source)"
                    Detail    = $bypassCriticalRstDeail
                    Status    = $bypassCriticalRstStatus
                    TimeStamp = [datetime]::UtcNow
                }
                HealthCheckSource  = $ENV:EnvChkrId
            }

            $result += New-AzStackHciResultObject @proxyByPassInvalidEntriesCheckRstObject
            #endregion
        }
        return $result
    }
    else
    {
        Log-Info "No proxy is configured. Skipping proxy bypass list recommendations"
    }
}
function Write-FailedUrls
{
    [CmdletBinding()]
    param (
        $result
    )
    if (-not [string]::IsNullOrEmpty($Global:AzStackHciEnvironmentLogFile))
    {
        $file = Join-Path -Path (Split-Path $Global:AzStackHciEnvironmentLogFile -Parent) -ChildPath FailedUrls.txt
    }
    $FailedUrls = ($result.AdditionalData | Where-Object Status -NE 'SUCCESS').Resource
    if ($FailedUrls.count -gt 0)
    {
        Log-Info ("[Over]Writing {0} to {1}" -f ($FailedUrls -split ','), $file)
        $FailedUrls | Out-File $file -Force
        Log-Info "`nFailed Urls log: $file" -ConsoleOut
    }
}

function Select-AzStackHciConnectivityTarget
{
    <#
    .SYNOPSIS
        Apply user exclusions to Connectivity Targets
    #>


    [CmdletBinding()]
    param (
        [Parameter()]
        [psobject]
        $Targets,

        [Parameter()]
        [string[]]
        $Exclude,

        [Parameter()]
        [string]
        $FilePath = "$PSScriptRoot\..\ExcludeTests.txt"
    )

    try
    {
        $returnList = @($Targets)
        if ($exclude)
        {
            Log-Info "Removing tests $($exclude -join ',')"
            $returnList = $returnList | Where-Object { $_.Service | Select-String -Pattern $exclude -NotMatch }
        }
        if ($returnList.count -eq 0)
        {
            throw "No tests to perform after filtering"
        }
        if (Test-Path -Path $FilePath)
        {
            $fileExclusion = Get-Content -Path $FilePath
            Log-Info "Reading exclusion file $FilePath" -ConsoleOut
            Log-Info "Applying file exclusions: $($fileExclusion -join ',')" -ConsoleOut
            $returnList = $returnList | Where-Object {( $_.Service | Select-String -Pattern $fileExclusion -NotMatch ) -and ( $_.endpoint | Select-String -Pattern $fileExclusion -NotMatch )}
        }

        Log-Info "Test list: $($returnList.Name -join ',')"
        if ($returnList.Count -eq 0)
        {
            Log-Info -Message "No tests to run." -ConsoleOut -Type Warning
            break noTestsBreak
        }
        return $returnList
    }
    catch
    {
        Log-Info "Failed to filter test list. Error: $($_.exception)" -Type Warning
    }
}

function Get-CloudEndpointFromManifest
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [system.uri]
        $Uri = 'https://aka.ms/hciconnectivitytargets'
    )

    try
    {
        $tempXmlFile = Join-Path -Path $env:temp -ChildPath 'AzStackHciConnectivityTarget.xml'
        Write-Verbose "Retrieving connectivity targets from $Uri to temp location: $tempXmlFile..."
        $iwrParams = @{
            Uri = $Uri
            UseBasicParsing = $true
            OutFile = $tempXmlFile
        }
        $response = Invoke-WebRequest @iwrParams

        $testSigningScript = Join-Path -Path $PSScriptRoot -ChildPath 'TestXmlSigning.ps1'
        Write-Verbose "Validating signature of $tempXmlFile..."
        [bool]$checkSigningResult = Start-Job -PSVersion 5.1 -ScriptBlock { & $USING:testSigningScript $USING:tempXmlFile } | Wait-Job | Receive-Job -ErrorAction SilentlyContinue
        Write-Verbose "Signature validation result: $checkSigningResult"
        if (-not $checkSigningResult)
        {
            throw "Failed to validate signature of $tempXmlFile from $url"
        }
        [xml]$manifest = Get-Content -Path  $tempXmlFile
        $version = $manifest.Objects.Object.Property | Where-Object Name -eq Version | Select -ExpandProperty '#text'
        $title = $manifest.Objects.Object.Property | Where-Object Name -eq Title | Select -ExpandProperty '#text'
        $targets = $manifest.Objects.Object.Property | Where-Object Name -eq Targets | Select -ExpandProperty 'Property'
        [AzStackHciConnectivityTarget[]]$targets = New-AzStackHciConnectivityTargetFromXml -TargetXml $targets
        if ($targets.count -eq 0)
        {
            throw "No connectivity targets found in $tempXmlFile"
        }
        # Make sure DNS and SSL tests are present
        if ('System_Check_DNS_External_Hostname_Resolution' -notin $targets.Name)
        {
            Log-Info 'System_Check_DNS_External_Hostname_Resolution is missing from the connectivity targets' -Type Warning
        }
        if ('System_Check_SSL_Inspection_Detection' -notin $targets.Name)
        {
            throw 'System_Check_SSL_Inspection_Detection is missing from the connectivity targets'
        }
        $msg = "Retrieved $($targets.count) connectivity targets from $($title) version $($version)"
        Write-Verbose $msg
        return $targets
    }
    catch
    {
        $msg = "Failed to get connectivity targets from $Uri. Error: $($_.exception.message)"
        Write-Verbose $msg
    }
    finally
    {
        if (Test-Path -Path $tempXmlFile)
        {
            Remove-Item -Path $tempXmlFile -ErrorAction SilentlyContinue
        }
    }
}


function Export-AzStackHciConnectivityTargetToXml
{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]
        $TargetDirectory,

        [Parameter(Mandatory)]
        [string]
        $TargetFileName,

        [Parameter(Mandatory)]
        [string]
        $Version
    )
    $AzStackHciConnectivityTargets = Get-AzStackHciConnectivityTarget -LocalOnly -IncludeSystem
    Write-Host ("Found {0} connectivity targets for manifest" -f [int]($Script:AzStackHciConnectivityTargets.Count))
    Write-Host "Creating manifest with version $version"
    $manifest = New-Object AzStackHciConnectivityManifest -Property @{
        Title = 'AzStackHci Connectivity Endpoint Definitions'
        Version = $Version
        Targets = $Script:AzStackHciConnectivityTargets
    }
    $manifest | ConvertTo-Xml -Depth 5 -As Stream | Out-File $TargetDirectory\$TargetFileName -Encoding utf8
}

function New-AzStackHciConnectivityTargetFromXml
{
    param ($TargetXml)
    foreach ($target in $TargetXml)
    {
        $ErrorActionPreference = 'Stop'
        $AzStackHciConnectivityTargetObject = New-Object AzStackHciConnectivityTarget
        # Arrays
        'EndPoint', 'Protocol', 'Service', 'OperationType' | Foreach-Object {
            $AzStackHciConnectivityTargetObject.$PSITEM = ($target.Property | Where-Object Name -eq $PSITEM).ChildNodes.'#text'
        }

        # Booleans
        'Mandatory', 'System' | ForEach-Object {
            $AzStackHciConnectivityTargetObject.$PSITEM = if (($target.Property | Where-Object Name -eq $PSITEM).'#text' -eq 'True') { $true } else { $false }
        }

        # Strings
        'Name', 'Title', 'Severity', 'Description', 'Remediation', 'TargetResourceID', 'TargetResourceName', 'TargetResourceType', 'Group', 'Region' | Foreach-Object {
            $AzStackHciConnectivityTargetObject.$PSITEM = ($target.Property | Where-Object Name -eq $PSITEM).'#text'
        }

        # Tags
        $ErrorActionPreference = 'SilentlyContinue'
        $tagsProperties = $target.Property | Where-Object Name -eq Tags | Select-Object -ExpandProperty Property

        $Groups = $tagsProperties | Where-Object Name -eq Group
        $Mandatory = $tagsProperties | Where-Object Name -eq Mandatory
        $Service = $tagsProperties | Where-Object Name -eq Service
        $OperationType = $tagsProperties | Where-Object Name -eq OperationType
        $ExpectedSubject = $tagsProperties | Where-Object Name -eq ExpectedSubject
        $ArcGateway = $tagsProperties | Where-Object Name -eq ARCGateway

        # Tags are optional, we iterate through them to
        $tagHash = @{}
        if ($Groups) { $tagHash += @{Group = $Groups.'#text'}}
        if ($Service) { $tagHash += @{Service = $Service.ChildNodes.'#text'}}
        if ($Mandatory) { $tagHash += @{Mandatory = if ($Mandatory.'#text' -eq 'True') { $true } else { $false }}}
        if ($OperationType) { $tagHash += @{OperationType = $OperationType.ChildNodes.'#text'}}
        if ($ExpectedSubject) { $tagHash += @{ExpectedSubject = $ExpectedSubject.ChildNodes.'#text'}}
        if ($ArcGateway) { $tagHash += @{ARCGateway = if ($ArcGateway.'#text' -eq 'True') { $true } else { $false }}}

        $AzStackHciConnectivityTargetObject.Tags = New-Object PsObject -Property $tagHash
        $AzStackHciConnectivityTargetObject
    }
}

function Compare-PSObjectArray {
    param (
        [Parameter(Mandatory=$true)]
        [PSObject[]]$Array,
        [Parameter(Mandatory=$true)]
        [string[]]$property
    )

    # Get the first PSObject in the array
    $first = $Array[0]
    Log-Info "Comparing first object (below) objects with properties '$($property -join ',')':"
    Log-Info ($first | Sort-Object Source | Format-List | Out-String)

    # Compare the first PSObject to the rest of the PSObjects in the array
    $fail = @()
    for ($i = 1; $i -lt $Array.Count; $i++) {
        $result = Compare-Object $first $Array[$i] -Property $property
        # If the PSObjects do not match, return false
        if ($result) {
            $fail += $Array[$i]
        }
    }
    if ($fail.count -gt 0)
    {
        Log-Info "Objects properties '$($property -join ',')' do not match:"
        Log-Info ($fail | Sort-Object Source | Format-List | Out-String)
        return $false
    }
    # If all PSObjects match, return true
    return $true
}

# Convert PsObject to Hashtable
function ConvertTo-Hashtable {
    param (
        [Parameter(Mandatory=$true)]
        [PSObject]$Object
    )

    $hash = @{}
    foreach ($property in $Object.PsObject.Properties) {
        $hash[$property.Name] = $property.Value
    }
    return $hash
}


function New-ARCGatewayRuntimeTarget
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [string]
        $ARCGatewayName
    )
    try
    {
        $properties = @{
            Name = 'AzStackHci_Connectivity_ARCGateway_RuntimeTarget'
            DisplayName = 'ARC Gateway Runtime Target'
            Description = 'ARC Gateway Runtime Target'
            Service = @('ARCGateway')
            Endpoint = @("$ARCGatewayName.gw.arc.azure.net")
            Protocol = @('HTTPS')
            Severity = 'CRITICAL'
            # TO DO UPDATE THIS REMEDIATION LINK
            Remediation = 'https://aka.ms/ARC-Gateway-Connectivity-Requirements'
            ARCGateway = $false
            Region = 'Global'
        }
        return (New-Object -TypeName PSObject -Property $properties)
    }
    catch
    {
        throw "Failed to create ARC Gateway runtime target. Error: $($_.exception.message)"
    }
}
# SIG # Begin signature block
# MIIoRgYJKoZIhvcNAQcCoIIoNzCCKDMCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCC0Xz2EywfpJuVX
# mQ6Eu19QVxLq8Eo88S7/3eGigRPNa6CCDXYwggX0MIID3KADAgECAhMzAAAEBGx0
# Bv9XKydyAAAAAAQEMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjQwOTEyMjAxMTE0WhcNMjUwOTExMjAxMTE0WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQC0KDfaY50MDqsEGdlIzDHBd6CqIMRQWW9Af1LHDDTuFjfDsvna0nEuDSYJmNyz
# NB10jpbg0lhvkT1AzfX2TLITSXwS8D+mBzGCWMM/wTpciWBV/pbjSazbzoKvRrNo
# DV/u9omOM2Eawyo5JJJdNkM2d8qzkQ0bRuRd4HarmGunSouyb9NY7egWN5E5lUc3
# a2AROzAdHdYpObpCOdeAY2P5XqtJkk79aROpzw16wCjdSn8qMzCBzR7rvH2WVkvF
# HLIxZQET1yhPb6lRmpgBQNnzidHV2Ocxjc8wNiIDzgbDkmlx54QPfw7RwQi8p1fy
# 4byhBrTjv568x8NGv3gwb0RbAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQU8huhNbETDU+ZWllL4DNMPCijEU4w
# RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW
# MBQGA1UEBRMNMjMwMDEyKzUwMjkyMzAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci
# tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG
# CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu
# Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0
# MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAIjmD9IpQVvfB1QehvpC
# Ge7QeTQkKQ7j3bmDMjwSqFL4ri6ae9IFTdpywn5smmtSIyKYDn3/nHtaEn0X1NBj
# L5oP0BjAy1sqxD+uy35B+V8wv5GrxhMDJP8l2QjLtH/UglSTIhLqyt8bUAqVfyfp
# h4COMRvwwjTvChtCnUXXACuCXYHWalOoc0OU2oGN+mPJIJJxaNQc1sjBsMbGIWv3
# cmgSHkCEmrMv7yaidpePt6V+yPMik+eXw3IfZ5eNOiNgL1rZzgSJfTnvUqiaEQ0X
# dG1HbkDv9fv6CTq6m4Ty3IzLiwGSXYxRIXTxT4TYs5VxHy2uFjFXWVSL0J2ARTYL
# E4Oyl1wXDF1PX4bxg1yDMfKPHcE1Ijic5lx1KdK1SkaEJdto4hd++05J9Bf9TAmi
# u6EK6C9Oe5vRadroJCK26uCUI4zIjL/qG7mswW+qT0CW0gnR9JHkXCWNbo8ccMk1
# sJatmRoSAifbgzaYbUz8+lv+IXy5GFuAmLnNbGjacB3IMGpa+lbFgih57/fIhamq
# 5VhxgaEmn/UjWyr+cPiAFWuTVIpfsOjbEAww75wURNM1Imp9NJKye1O24EspEHmb
# DmqCUcq7NqkOKIG4PVm3hDDED/WQpzJDkvu4FrIbvyTGVU01vKsg4UfcdiZ0fQ+/
# V0hf8yrtq9CkB8iIuk5bBxuPMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq
# hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
# IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg
# Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
# CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03
# a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr
# rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg
# OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy
# 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9
# sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh
# dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k
# A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB
# w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn
# Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90
# lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w
# ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o
# ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD
# VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa
# BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny
# bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG
# AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
# L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV
# HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3
# dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG
# AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl
# AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb
# C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l
# hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6
# I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0
# wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560
# STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam
# ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa
# J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah
# XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA
# 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt
# Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr
# /Xmfwb1tbWrJUnMTDXpQzTGCGiYwghoiAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw
# EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
# aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp
# Z25pbmcgUENBIDIwMTECEzMAAAQEbHQG/1crJ3IAAAAABAQwDQYJYIZIAWUDBAIB
# BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO
# MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIGo/f9PRpphH1npaPA2ZOuCB
# 88tQkUx+3JEpMA11FBmBMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A
# cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB
# BQAEggEAEjqF5DnZ03Na41+HxQKENjLUuW/RhFBZ9IKRc00i6QsyGXvenz3PmUZ0
# JFfYvgyOj8dBVGW2UPLOuIUL8uQXJdfOHGZcQH/5aPeRap705SD9Cylq/LLx+OCL
# L1DCdUTXc5lTp9Dyjn9Ptf4XU1aT3ZbLSWWe1/Fa3UXOIU8GY/MbYFHO0JdzImrJ
# CqxkKdeM7ZJyGMyZ17+P9nfquF52iDytlhwRuZ4cDVyTpI6exwKRzsqmxUS/ho9I
# 3HsBq60LZvAja8Tgg3rfV01z0NLNe2Qc4a9jmGW/JPdi2ONcEgoVfII0UpWUZY0W
# ATY6p/r9YFXwei8gvDjSlXxO5HcVOqGCF7AwghesBgorBgEEAYI3AwMBMYIXnDCC
# F5gGCSqGSIb3DQEHAqCCF4kwgheFAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFaBgsq
# hkiG9w0BCRABBKCCAUkEggFFMIIBQQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl
# AwQCAQUABCCdTU6Iek4uYdvT4N6twoof0DQiBLWLAx0k72xeF5eDfgIGZ0of5w8m
# GBMyMDI0MTIwNDE1MDM1Mi43MzZaMASAAgH0oIHZpIHWMIHTMQswCQYDVQQGEwJV
# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl
# bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVT
# Tjo0MzFBLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg
# U2VydmljZaCCEf4wggcoMIIFEKADAgECAhMzAAAB+vs7RNN3M8bTAAEAAAH6MA0G
# CSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
# MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp
# b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTI0
# MDcyNTE4MzExMVoXDTI1MTAyMjE4MzExMVowgdMxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9w
# ZXJhdGlvbnMgTGltaXRlZDEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjQzMUEt
# MDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyhZVBM3PZcBfEpAf7fII
# hygwYVVP64USeZbSlRR3pvJebva0LQCDW45yOrtpwIpGyDGX+EbCbHhS5Td4J0Yl
# c83ztLEbbQD7M6kqR0Xj+n82cGse/QnMH0WRZLnwggJdenpQ6UciM4nMYZvdQjyb
# A4qejOe9Y073JlXv3VIbdkQH2JGyT8oB/LsvPL/kAnJ45oQIp7Sx57RPQ/0O6qay
# J2SJrwcjA8auMdAnZKOixFlzoooh7SyycI7BENHTpkVKrRV5YelRvWNTg1pH4EC2
# KO2bxsBN23btMeTvZFieGIr+D8mf1lQQs0Ht/tMOVdah14t7Yk+xl5P4Tw3xfAGg
# Hsvsa6ugrxwmKTTX1kqXH5XCdw3TVeKCax6JV+ygM5i1NroJKwBCW11Pwi0z/ki9
# 0ZeO6XfEE9mCnJm76Qcxi3tnW/Y/3ZumKQ6X/iVIJo7Lk0Z/pATRwAINqwdvzpdt
# X2hOJib4GR8is2bpKks04GurfweWPn9z6jY7GBC+js8pSwGewrffwgAbNKm82ZDF
# vqBGQQVJwIHSXpjkS+G39eyYOG2rcILBIDlzUzMFFJbNh5tDv3GeJ3EKvC4vNSAx
# tGfaG/mQhK43YjevsB72LouU78rxtNhuMXSzaHq5fFiG3zcsYHaa4+w+YmMrhTEz
# D4SAish35BjoXP1P1Ct4Va0CAwEAAaOCAUkwggFFMB0GA1UdDgQWBBRjjHKbL5WV
# 6kd06KocQHphK9U/vzAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBf
# BgNVHR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3Bz
# L2NybC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmww
# bAYIKwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29m
# dC5jb20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0El
# MjAyMDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUF
# BwMIMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAuFbCorFrvodG
# +ZNJH3Y+Nz5QpUytQVObOyYFrgcGrxq6MUa4yLmxN4xWdL1kygaW5BOZ3xBlPY7V
# puf5b5eaXP7qRq61xeOrX3f64kGiSWoRi9EJawJWCzJfUQRThDL4zxI2pYc1wnPp
# 7Q695bHqwZ02eaOBudh/IfEkGe0Ofj6IS3oyZsJP1yatcm4kBqIH6db1+weM4q46
# NhAfAf070zF6F+IpUHyhtMbQg5+QHfOuyBzrt67CiMJSKcJ3nMVyfNlnv6yvttYz
# LK3wS+0QwJUibLYJMI6FGcSuRxKlq6RjOhK9L3QOjh0VCM11rHM11ZmN0euJbbBC
# VfQEufOLNkG88MFCUNE10SSbM/Og/CbTko0M5wbVvQJ6CqLKjtHSoeoAGPeeX24f
# 5cPYyTcKlbM6LoUdO2P5JSdI5s1JF/On6LiUT50adpRstZajbYEeX/N7RvSbkn0d
# jD3BvT2Of3Wf9gIeaQIHbv1J2O/P5QOPQiVo8+0AKm6M0TKOduihhKxAt/6Yyk17
# Fv3RIdjT6wiL2qRIEsgOJp3fILw4mQRPu3spRfakSoQe5N0e4HWFf8WW2ZL0+c83
# Qzh3VtEPI6Y2e2BO/eWhTYbIbHpqYDfAtAYtaYIde87ZymXG3MO2wUjhL9HvSQzj
# oquq+OoUmvfBUcB2e5L6QCHO6qTO7WowggdxMIIFWaADAgECAhMzAAAAFcXna54C
# m0mZAAAAAAAVMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UE
# CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z
# b2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZp
# Y2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAxODMy
# MjVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV
# BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMIICIjANBgkqhkiG9w0B
# AQEFAAOCAg8AMIICCgKCAgEA5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51
# yMo1V/YBf2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY
# 6GB9alKDRLemjkZrBxTzxXb1hlDcwUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9
# cmmvHaus9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl3GoPz130/o5Tz9bshVZN
# 7928jaTjkY+yOSxRnOlwaQ3KNi1wjjHINSi947SHJMPgyY9+tVSP3PoFVZhtaDua
# Rr3tpK56KTesy+uDRedGbsoy1cCGMFxPLOJiss254o2I5JasAUq7vnGpF1tnYN74
# kpEeHT39IM9zfUGaRnXNxF803RKJ1v2lIH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2
# K26oElHovwUDo9Fzpk03dJQcNIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNOwTM5
# TI4CvEJoLhDqhFFG4tG9ahhaYQFzymeiXtcodgLiMxhy16cg8ML6EgrXY28MyTZk
# i1ugpoMhXV8wdJGUlNi5UPkLiWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9Q
# BXpsxREdcu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6HXtqPnhZyacaue7e3Pmri
# Lq0CAwEAAaOCAd0wggHZMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUC
# BBYEFCqnUv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQWBBSfpxVdAF5iXYP05dJl
# pxtTNRnpcjBcBgNVHSAEVTBTMFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9y
# eS5odG0wEwYDVR0lBAwwCgYIKwYBBQUHAwgwGQYJKwYBBAGCNxQCBAweCgBTAHUA
# YgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU
# 1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2Ny
# bC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIw
# MTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDov
# L3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0w
# Ni0yMy5jcnQwDQYJKoZIhvcNAQELBQADggIBAJ1VffwqreEsH2cBMSRb4Z5yS/yp
# b+pcFLY+TkdkeLEGk5c9MTO1OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulm
# ZzpTTd2YurYeeNg2LpypglYAA7AFvonoaeC6Ce5732pvvinLbtg/SHUB2RjebYIM
# 9W0jVOR4U3UkV7ndn/OOPcbzaN9l9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECW
# OKz3+SmJw7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWKNsIdw2FzLixre24/LAl4
# FOmRsqlb30mjdAy87JGA0j3mSj5mO0+7hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3Uw
# xTSwethQ/gpY3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+c23Kjgm9swFXSVRk2XPX
# fx5bRAGOWhmRaw2fpCjcZxkoJLo4S5pu+yFUa2pFEUep8beuyOiJXk+d0tBMdrVX
# VAmxaQFEfnyhYWxz/gq77EFmPWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/AsGC
# onsXHRWJjXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU
# 5nR0W2rRnj7tfqAxM328y+l7vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEG
# ahC0HVUzWLOhcGbyoYIDWTCCAkECAQEwggEBoYHZpIHWMIHTMQswCQYDVQQGEwJV
# UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
# ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl
# bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVT
# Tjo0MzFBLTA1RTAtRDk0NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg
# U2VydmljZaIjCgEBMAcGBSsOAwIaAxUA94Z+bUJn+nKwBvII6sg0Ny7aPDaggYMw
# gYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD
# VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQsF
# AAIFAOr6jPUwIhgPMjAyNDEyMDQwODEwMjlaGA8yMDI0MTIwNTA4MTAyOVowdzA9
# BgorBgEEAYRZCgQBMS8wLTAKAgUA6vqM9QIBADAKAgEAAgIXjQIB/zAHAgEAAgIS
# 3DAKAgUA6vvedQIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAow
# CAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBCwUAA4IBAQDPPd1HJ/gN
# bg8NlD1VkvZ3hq5sL/D4pPZ53+McXvc5gWQUD/+7sdCGHoEy+2Bwbo1KHNQj4AEJ
# OjmYrvczOOfTLb0a2Bg3UIXlYAI9wsSPtUiXFYImrSg1KTRvNsH2YiJWMy9GUPKw
# nEsJnsfZ4IrzbzJRRCA3nTn/18liyrlXrN+SCntqLPgI+ZolzohLEpHGy+r45T5I
# WpUd1lhhfGD7H/BiJLIjUo37E+MNDSW5qqP3CziwVoJ/V/omSTJdgeFvwrWpRS/S
# APuLtV7T9IRj5O0/a9h1mi5kJdhsc3iOKr/mMhp6LrZ3MAPDweBmuJShyeDFNIM4
# UdRxm1ol0mgoMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
# Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m
# dCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENB
# IDIwMTACEzMAAAH6+ztE03czxtMAAQAAAfowDQYJYIZIAWUDBAIBBQCgggFKMBoG
# CSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgY4XscX7K
# vekyBtXiFL8ceXFqxf9lFrl+4TIjIBL7rQUwgfoGCyqGSIb3DQEJEAIvMYHqMIHn
# MIHkMIG9BCB98n8tya8+B2jjU/dpJRIwHwHHpco5ogNStYocbkOeVjCBmDCBgKR+
# MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT
# HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB+vs7RNN3M8bTAAEA
# AAH6MCIEIBbs2QBr//WX4EjY9A/juKhaSHF2xW/WZbmZJY9gklquMA0GCSqGSIb3
# DQEBCwUABIICAJPoUnflqwY1nPiAmT3jq8LhACBFl3I0WaAYvX0PuHFyhL/2soPW
# qtE2iw7FqAZRO445ZiKcPhFV3YPCqehH9e3W3/ZRD1Hw3OArAJxxd8qGjhqpO+ZK
# fU7HCjPsEWZ+8HuMKsdy+PeWudCgV40c6xIno7v4ZubdbX6LIVP2f81CzwAkf/Dp
# XkvnXnP1CVSIAocXXuJi8UZA0h/TuFHYVtLnPEWMb0tba8rIgNt/FiyfFjBMwcA9
# 8SnV7y/9ZtLqNG1d/aZzB4JpVHaGNvdY1dggNl/On58EGnyX18hIBW26qBYxzOUT
# 574QIFdL/hq+a8MQwmq3FBK7M+mF4EhzYMB2egZfvyvHwjirDDeXrRKxCcx8fEX9
# +SvQftyy8JIsP9wVLbVpAc+tEtAGEk139Dux83eeQvLSj2WzDVzT6N/yUaZngXLL
# O6sBgfF0xNAwU9opOYgzdLnXOvFmOYhGdcY8yAhpz0sIC40AMkcfBsW0YQo0isdF
# rJZ629zivbo+ynC0HKazqPut8S25UGzLQvtZhdRcWhPrycbzmE6mrUInJcZtgEu/
# WjwHpmUTQ+9ImuFLidrGcgt3VAfcOSt4FocXqJSfsdHQTKn9+O6y63p3rx1758wR
# 1hLRvY1JsnaJ3AM0Psc8GmLE5f7qvmecaEnUxuSRRQVc0Qx2YreUInl5
# SIG # End signature block