Modules/Providers/ProviderHelpers/AADConditionalAccessHelper.psm1

class CapHelper {
    <#
    .description
        Class for parsing conditional access policies (Caps) to generate a
        pre-processed version that can be used to generate the HTML table
        of the condiational access policies in the report.
    #>


    <# The following hashtables are used to map the codes used in the
        API output to human-friendly strings #>

    [System.Collections.Hashtable] $ExternalUserStrings = @{"b2bCollaborationGuest" = "B2B collaboration guest users";
        "b2bCollaborationMember" = "B2B collaboration member users";
        "b2bDirectConnectUser" = "B2B direct connect users";
        "internalGuest" = "Local guest users";
        "serviceProvider" = "Service provider users";
        "otherExternalUser" = "Other external users"}

    [System.Collections.Hashtable] $StateStrings = @{"enabled" = "On";
        "enabledForReportingButNotEnforced" = "Report-only";
        "disabled" = "Off"}

    [System.Collections.Hashtable] $ActionStrings = @{"urn:user:registersecurityinfo" = "Register security info";
        "urn:user:registerdevice" = "Register or join devices"}

    [System.Collections.Hashtable] $ClientAppStrings = @{"exchangeActiveSync" = "Exchange ActiveSync Clients";
        "browser" = "Browser";
        "mobileAppsAndDesktopClients" = "Mobile apps and desktop clients";
        "other" = "Other clients";
        "all" = "all"}

    [System.Collections.Hashtable] $GrantControlStrings = @{"mfa" = "multifactor authentication";
        "compliantDevice" = "device to be marked compliant";
        "domainJoinedDevice" = "Hybrid Azure AD joined device";
        "approvedApplication" = "approved client app";
        "compliantApplication" = "app protection policy";
        "passwordChange" = "password change"}

    [System.Collections.Hashtable] $CondAccessAppControlStrings = @{"monitorOnly" = "Monitor only";
        "blockDownloads" = "Block downloads";
        "mcasConfigured" = "Use custom policy"}

    [string[]] GetMissingKeys([System.Object]$Obj, [string[]] $Keys) {
        <#
        .Description
        Returns a list of the keys in $Keys are not members of $Obj. Used
        to validate the structure of the conditonal access policies.
        .Functionality
        Internal
        #>

        $Missing = @()
        if ($null -eq $Obj) {
            # Note that $null needs to come first in the above check to keep the
            # linter happy. "$null should be on the left side of equality comparisons"
            return $Missing
        }
        foreach ($Key in $Keys) {
            $HasKey = [bool]($Obj.PSobject.Properties.name -match $Key)
            if (-not $HasKey) {
                $Missing += $Key
            }
        }
        return $Missing
    }

    [string[]] GetIncludedUsers([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of included users/roles used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("Users"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Users, @("IncludeGroups",
        "IncludeGuestsOrExternalUsers", "IncludeRoles", "IncludeUsers"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        $CapIncludedUsers = $Cap.Conditions.Users.IncludeUsers
        if ($CapIncludedUsers -Contains "All") {
            $Output += "All"
        }
        elseif ($CapIncludedUsers -Contains "None") {
            $Output += "None"
        }
        else {
            # Users
            if ($CapIncludedUsers.Length -eq 1) {
                $Output += "1 specific user"
            }
            elseif ($CapIncludedUsers.Length -gt 1) {
                $Output += "$($CapIncludedUsers.Length) specific users"
            }

            # Roles
            $CapIncludedRoles = $Cap.Conditions.Users.IncludeRoles
            if ($Cap.Conditions.Users.IncludeRoles.Length -eq 1) {
                $Output += "1 specific role"
            }
            elseif ($CapIncludedRoles.Length -gt 1) {
                $Output += "$($CapIncludedRoles.Length) specific roles"
            }

            # Groups
            $CapIncludedGroups = $Cap.Conditions.Users.IncludeGroups
            if ($CapIncludedGroups.Length -eq 1) {
                $Output += "1 specific group"
            }
            elseif ($CapIncludedGroups.Length -gt 1) {
                $Output += "$($CapIncludedGroups.Length) specific groups"
            }

            # External/guests
            if ($null -ne $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind) {
                $GuestOrExternalUserTypes = $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes -Split ","
                $Output += @($GuestOrExternalUserTypes | ForEach-Object {$this.ExternalUserStrings[$_]})
            }
        }
        return $Output
    }

    [string[]] GetExcludedUsers([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of excluded users/roles used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("Users"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Users, @("ExcludeGroups",
            "ExcludeGuestsOrExternalUsers", "ExcludeRoles", "ExcludeUsers"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        # Users
        $CapExcludedUsers = $Cap.Conditions.Users.ExcludeUsers
        if ($CapExcludedUsers.Length -eq 1) {
            $Output += "1 specific user"
        }
        elseif ($CapExcludedUsers.Length -gt 1) {
            $Output += "$($CapExcludedUsers.Length) specific users"
        }

        # Roles
        $CapExcludedRoles = $Cap.Conditions.Users.ExcludeRoles
        if ($CapExcludedRoles.Length -eq 1) {
            $Output += "1 specific role"
        }
        elseif ($CapExcludedRoles.Length -gt 1) {
            $Output += "$($CapExcludedRoles.Length) specific roles"
        }

        # Groups
        $CapExcludedGroups = $Cap.Conditions.Users.ExcludeGroups
        if ($CapExcludedGroups.Length -eq 1) {
            $Output += "1 specific group"
        }
        elseif ($CapExcludedGroups.Length -gt 1) {
            $Output += "$($CapExcludedGroups.Length) specific groups"
        }

        # External/guests
        if ($null -ne $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind) {
            $GuestOrExternalUserTypes = $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes -Split ","
            $Output += @($GuestOrExternalUserTypes | ForEach-Object {$this.ExternalUserStrings[$_]})
        }

        # If no users are excluded, rather than display an empty cell, display "None"
        if ($Output.Length -eq 0) {
            $Output += "None"
        }
        return $Output
    }

    [string[]] GetApplications([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of included/excluded applications/actions used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("Applications"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Applications, @("ApplicationFilter",
            "ExcludeApplications", "IncludeApplications",
            "IncludeAuthenticationContextClassReferences", "IncludeUserActions"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        $CapIncludedActions = $Cap.Conditions.Applications.IncludeUserActions
        $CapAppFilterMode = $Cap.Conditions.Applications.ApplicationFilter.Mode
        $CapIncludedApps = $Cap.Conditions.Applications.IncludeApplications
        if ($CapIncludedApps.Length -gt 0 -or
            $null -ne $CapAppFilterMode) {
            # For "Select what this policy applies to", "Cloud Apps" was selected
            $Output += "Policy applies to: apps"
            # Included apps:
            if ($CapIncludedApps -Contains "All") {
                $Output += "Apps included: All"
            }
            elseif ($CapIncludedApps -Contains "None") {
                $Output += "Apps included: None"
            }
            elseif ($CapIncludedApps.Length -eq 1) {
                $Output += "Apps included: 1 specific app"
            }
            elseif ($CapIncludedApps.Length -gt 1) {
                $Output += "Apps included: $($CapIncludedApps.Length) specific apps"
            }
            if ($CapAppFilterMode -eq "include") {
                $Output += "Apps included: custom application filter"
            }

            $CapExcludedApps = $Cap.Conditions.Applications.ExcludeApplications
            if ($CapExcludedApps.Length -eq 1) {
                $Output += "Apps excluded: 1 specific app"
            }
            elseif ($CapExcludedApps.Length -gt 1) {
                $Output += "Apps excluded: $($CapExcludedApps.Length) specific apps"
            }
            if ($CapAppFilterMode -eq "exclude") {
                $Output += "Apps excluded: custom application filter"
            }
            if ($CapAppFilterMode -ne "exclude" -and
                $CapExcludedApps.Length -eq 0) {
                    $Output += "Apps excluded: None"
            }
        }
        elseif ($CapIncludedActions.Length -gt 0) {
            # For "Select what this policy applies to", "User actions" was selected
            $Output += "Policy applies to: actions"
            $Output += "User action: $($this.ActionStrings[$CapIncludedActions[0]])"
            # While "IncludeUserActions" is a list, the GUI doesn't actually let you select more than one
            # item at a time, hence "IncludeUserActions[0]" above
        }
        else {
            # For "Select what this policy applies to", "Authentication context" was selected
            $AuthContexts = $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences
            if ($AuthContexts.Length -eq 1) {
                $Output += "Policy applies to: 1 authentication context"
            }
            else {
                $Output += "Policy applies to: $($AuthContexts.Length) authentication contexts"
            }
        }
        return $Output
    }

    [string[]] GetConditions([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of conditions used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("UserRiskLevels",
            "SignInRiskLevels", "Platforms", "Locations", "ClientAppTypes", "Devices"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Platforms, @("ExcludePlatforms", "IncludePlatforms"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Locations, @("ExcludeLocations", "IncludeLocations"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Devices, @("DeviceFilter"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        # User risk
        $CapUserRiskLevels = $Cap.Conditions.UserRiskLevels
        if ($CapUserRiskLevels.Length -gt 0) {
            $Output += "User risk levels: $($CapUserRiskLevels -Join ', ')"
        }
        # Sign-in risk
        $CapSignInRiskLevels = $Cap.Conditions.SignInRiskLevels
        if ($CapSignInRiskLevels.Length -gt 0) {
            $Output += "Sign-in risk levels: $($CapSignInRiskLevels -Join ', ')"
        }
        # Device platforms
        $CapIncludedPlatforms = $Cap.Conditions.Platforms.IncludePlatforms
        if ($null -ne $CapIncludedPlatforms) {
            $Output += "Device platforms included: $($CapIncludedPlatforms -Join ', ')"
            $CapExcludedPlatforms = $Cap.Conditions.Platforms.ExcludePlatforms
            if ($CapExcludedPlatforms.Length -eq 0) {
                $Output += "Device platforms excluded: none"
            }
            else {
                $Output += "Device platforms excluded: $($CapExcludedPlatforms -Join ', ')"
            }
        }
        # Locations
        $CapIncludedLocations = $Cap.Conditions.Locations.IncludeLocations
        if ($null -ne $CapIncludedLocations) {
            if ($CapIncludedLocations -Contains "All") {
                $Output += "Locations included: all locations"
            }
            elseif ($CapIncludedLocations -Contains "AllTrusted") {
                $Output += "Locations included: all trusted locations"
            }
            elseif ($CapIncludedLocations.Length -eq 1) {
                $Output += "Locations included: 1 specific location"
            }
            else {
                $Output += "Locations included: $($CapIncludedLocations.Length) specific locations"
            }

            $CapExcludedLocations = $Cap.Conditions.Locations.ExcludeLocations
            if ($CapExcludedLocations -Contains "AllTrusted") {
                $Output += "Locations excluded: all trusted locations"
            }
            elseif ($CapExcludedLocations.Length -eq 0) {
                $Output += "Locations excluded: none"
            }
            elseif ($CapExcludedLocations.Length -eq 1) {
                $Output += "Locations excluded: 1 specific location"
            }
            else {
                $Output += "Locations excluded: $($CapExcludedLocations.Length) specific locations"
            }
        }
        # Client Apps
        $ClientApps += @($Cap.Conditions.ClientAppTypes | ForEach-Object {$this.ClientAppStrings[$_]})
        $Output += "Client apps included: $($ClientApps -Join ', ')"
        # Filter for devices
        if ($null -ne $Cap.Conditions.Devices.DeviceFilter.Mode) {
            if ($Cap.Conditions.Devices.DeviceFilter.Mode -eq "include") {
                $Output += "Custom device filter in include mode active"
            }
            else {
                $Output += "Custom device filter in exclude mode active"
            }
        }

        return $Output
    }

    [string] GetAccessControls([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of access controls used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("GrantControls"))
        $Missing += $this.GetMissingKeys($Cap.GrantControls, @("AuthenticationStrength",
        "BuiltInControls", "CustomAuthenticationFactors", "Operator", "TermsOfUse"))
        $Missing += $this.GetMissingKeys($Cap.GrantControls.AuthenticationStrength, @("DisplayName"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = ""
        if ($null -ne $Cap.GrantControls.BuiltInControls) {
            if ($Cap.GrantControls.BuiltInControls -Contains "block") {
                $Output = "Block access"
            }
            else {
                $GrantControls = @($Cap.GrantControls.BuiltInControls | ForEach-Object {$this.GrantControlStrings[$_]})
                if ($null -ne $Cap.GrantControls.AuthenticationStrength.DisplayName) {
                    $GrantControls += "authentication strength ($($Cap.GrantControls.AuthenticationStrength.DisplayName))"
                }

                if ($Cap.GrantControls.TermsOfUse.Length -gt 0) {
                    $GrantControls += "terms of use"
                }

                $Output = "Allow access but require $($GrantControls -Join ', ')"
                if ($GrantControls.Length -gt 1) {
                    # If multiple access controls are in place, insert the AND or the OR
                    # before the final access control
                    $Output = $Output.Insert($Output.LastIndexOf(',')+1, " $($Cap.GrantControls.Operator)")
                }
            }
        }

        if ($Output -eq "") {
            $Output = "None"
        }
        return $Output
    }

    [string[]] GetSessionControls([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of session controls used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("SessionControls"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls, @("ApplicationEnforcedRestrictions",
            "CloudAppSecurity", "ContinuousAccessEvaluation", "DisableResilienceDefaults",
            "PersistentBrowser", "SignInFrequency"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.ApplicationEnforcedRestrictions, @("IsEnabled"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.CloudAppSecurity, @("CloudAppSecurityType",
            "IsEnabled"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.ContinuousAccessEvaluation, @("Mode"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.PersistentBrowser, @("IsEnabled", "Mode"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.SignInFrequency, @("IsEnabled",
            "FrequencyInterval", "Type", "Value"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()
        if ($Cap.SessionControls.ApplicationEnforcedRestrictions.IsEnabled) {
            $Output += "Use app enforced restrictions"
        }
        if ($Cap.SessionControls.CloudAppSecurity.IsEnabled) {
            $Mode = $this.CondAccessAppControlStrings[$Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType]
            $Output += "Use Conditional Access App Control ($($Mode))"
        }
        if ($Cap.SessionControls.SignInFrequency.IsEnabled) {
            if ($Cap.SessionControls.SignInFrequency.FrequencyInterval -eq "everyTime") {
                $Output += "Sign-in frequency (every time)"
            }
            else {
                $Value = $Cap.SessionControls.SignInFrequency.Value
                $Unit = $Cap.SessionControls.SignInFrequency.Type
                $Output += "Sign-in frequency (every $($Value) $($Unit))"
            }
        }
        if ($Cap.SessionControls.PersistentBrowser.IsEnabled) {
            $Mode = $Cap.SessionControls.PersistentBrowser.Mode
            $Output += "Persistent browser session ($($Mode) persistent)"
        }
        if ($Cap.SessionControls.ContinuousAccessEvaluation.Mode -eq "disabled") {
            $Output += "Customize continuous access evaluation"
        }
        if ($Cap.SessionControls.DisableResilienceDefaults) {
            $Output += "Disable resilience defaults"
        }
        if ($Output.Length -eq 0) {
            $Output += "None"
        }
        return $Output
    }

    [string] ExportCapPolicies([System.Object]$Caps) {
        <#
        .Description
        Parses the conditional access policies (Caps) to generate a pre-processed version that can be used to
        generate the HTML of the condiational access policies in the report.
        .Functionality
        Internal
        #>

            $Table = @()

            foreach ($Cap in $Caps) {
                $State = $this.StateStrings[$Cap.State]
                $UsersIncluded = $($this.GetIncludedUsers($Cap)) -Join ", "
                $UsersExcluded = $($this.GetExcludedUsers($Cap)) -Join ", "
                $Users = @("Users included: $($UsersIncluded)", "Users excluded: $($UsersExcluded)")
                $Apps = $this.GetApplications($Cap)
                $Conditions = $this.GetConditions($Cap)
                $AccessControls = $this.GetAccessControls($Cap)
                $SessionControls = $this.GetSessionControls($Cap)
                $CapDetails = [pscustomobject]@{
                    "Name" = $Cap.DisplayName;
                    "State" = $State;
                    "Users" = $Users
                    "Apps/Actions" = $Apps;
                    "Conditions" = $Conditions;
                    "Block/Grant Access" = $AccessControls;
                    "Session Controls" = $SessionControls;
                }

                $Table += $CapDetails
            }

            $CapTableJson = ConvertTo-Json $Table
            return $CapTableJson
    }
}

function Get-CapTracker {
    [CapHelper]::New()
}
# SIG # Begin signature block
# MIIuvwYJKoZIhvcNAQcCoIIusDCCLqwCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCxpri0kvAHU+vp
# mZydMXROEijdGbuDwFxBVxXxPe2doaCCE6MwggWQMIIDeKADAgECAhAFmxtXno4h
# MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV
# BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z
# ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ
# bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0
# IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
# AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z
# G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ
# anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s
# Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL
# 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb
# BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3
# JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c
# AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx
# YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0
# viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL
# T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud
# EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf
# Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk
# aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS
# PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK
# 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB
# cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp
# 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg
# dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri
# RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7
# 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5
# nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3
# i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H
# EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G
# CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ
# bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0
# IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla
# MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE
# AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz
# ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C
# 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce
# 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da
# E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T
# SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA
# FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh
# D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM
# 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z
# 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05
# huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY
# mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP
# /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T
# AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD
# VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG
# A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY
# aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj
# ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV
# HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
# cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN
# BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry
# sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL
# IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf
# Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh
# OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh
# dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV
# 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j
# wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH
# Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC
# XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l
# /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW
# eE4wggdXMIIFP6ADAgECAhANkQ8dPvvR0q3Ytt4H0T3aMA0GCSqGSIb3DQEBCwUA
# MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE
# AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz
# ODQgMjAyMSBDQTEwHhcNMjQwMTMwMDAwMDAwWhcNMjUwMTI5MjM1OTU5WjBfMQsw
# CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV
# BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi
# MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCT1y7uJCQax8JfiDEYgpiU9URj
# EXCTRqtZbDALM9rPUudiuM3mj6A1SUSAAWYv6DTsvGPvxyMI2Idg0mQunl4Ms9DJ
# yVwe5k4+Anj/73Nx1AbOPYP8xRZcD10FkctKGhV0PzvrDcwU15hsQWtiepFgg+bX
# fHkGMeu426oc69f43vKE43DiqKTf0/UBX/qgpj3JZvJ3zc1kilBOv4sBCksfCjbW
# tLZD0tqAgBsNPo3Oy5mQG31E1eZdTNvrdTnEXacSwb3k615z7mHy7nqBUkOruZ9E
# tnvC2qla+uL3ks91O/e/LnKzH9Lj1JmEBf6jwPN/MYR9Dymni4Mi3AQ8mpQMyFmi
# XcSHymibSNbtTMavpdBWjFfrcvPETX7krROUOoLzMQmNgHArceSh55tgvDRdSU5c
# WK3BTvK3l3mgCdgjre7XGYxV3W8apyxk5+RKfHdbv9cpRwpSuDnI8sHeqmB3fnfo
# Cr1PPu4WhKegt20CobhDVybiBdhDVqUdR53ful4N/coQOEHDrIExB5nJf9Pvdrza
# DyIGKAMIXD79ba5/rQEo+2cA66oJkPlvB5hEGI/jtDcYwDBgalbwB7Kc8zAAhl6+
# JvHfYpXOkppSfEQbaRXZI+LGXWQAFa5pJDfDEAyZSXprStgw594sWUOysp+UOxFe
# kSA4mBr0o1jVpdaulwIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R
# hvv+YXsIiGX0TkIwHQYDVR0OBBYEFAmyTB5bcWyA+8+rq540jPRLJ1nYMD4GA1Ud
# IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl
# cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw
# gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp
# Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j
# cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0
# ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF
# BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
# MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
# cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ
# BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAh2Jnt9IPoBvOQlYQUlCP9iJ5y
# XAvEWe1camOwedqMZsHEPpT2yd6+fMzPZmV3/bYJgaN2OrDS1snf62S7yc+AulVw
# PAXSp1lSAiFEbZ6PFEdEBIag9B65Mp/cvRtJsIWQIc//jWqFMHpkU6r3MW9YARRu
# vaIf5/0qlM4VEwn3lTf+jJdxhhyoOFTWWd3BrlMPcT06z6F6hFfyycQkZ3Y9wEJ3
# uOU9bCNLZL1HCjlKT+oI0WsgeRdbe2sYrnvv9NmDY9oEi8PEq+DGjiTgLbY5OcAX
# uUogPPw6gbcuNn8Hq6FFKPIQxaksB8dF8Gw4m2lQoUWESPRF8Zaq9lmZN3+QzA79
# yskfJtAFqz3gUP5wJBdNfi/u1sGbLI0QnJQkIKfFuz7DfDPldw0gIl05BIYwZBmj
# TpFRu1/+gIlP1Ul4L/wt9Lxk6pglObLsdxHP2UQrG30JaUN0gv3xZMBBByHGVVTe
# cyU4qwJ0ulMdv/kjHwh+m58uOF8gHXLfyBmOjYpohN3+l0rS0qdArZMNSmLTA7N8
# n3V3AZLKB//1yhPt++gR4pCFdXmgwYDDLRxjlV0cMsG1UeSQUdI0aieh/grg5TQO
# CergVXS5h3sz5U0ZQPWND41LJhA0gF2OGZNHdUc9+0dwTsfxAERrjaTdeZp0/rdZ
# 9iGBoiRsS4U86S8xkDGCGnIwghpuAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV
# BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0
# IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDZEPHT770dKt
# 2LbeB9E92jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh
# AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM
# BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCChypn83Rl9rEsRURMtReivWo0Z
# VdDJtGZVAViiPH2CUTANBgkqhkiG9w0BAQEFAASCAgATEwgWsl0YxZiNo4S5m0c4
# FNj/DcII0r4RtDqUE54GsLDcGTTS0MXd3+1Hr9fz7Mr4ny58/vuDG5It83BTR6OS
# Q3Xao0u4A7xZ3jXW4b8vGUpSZjyEkUcDzLAnxMmmxAjWlog0pz9VOHudOnbwQ4kd
# GTJj037KrpsBLlMg7EqxEn9ASKlwqOabulMUE7KKO6/SZOFW823vKWoGMOiJpDHS
# wUl6FV3yZn7IHiROx+V/WDm2to9uhMNIwPqMC4Y3QeqZI4xvMdFrQFtLI93jo/Lm
# n9m5r2LGIqfeCkWtFOUem23FmNj+iWXW6Cw0AVLWO533HL89hKH7W+WJ/4ntkptz
# yHzQ0jzN6YTZN0qVhgNCZucQdKhiBX/YlCgYYHi5nUa4xMlCuK1VWDF9Y8c+SDWi
# vkkGAWelSzW/8Lr7TjbvJ2MYamBrN489/0kkErnAJViNZ8YO6Rz0VYmC6EHrQRkr
# ifPU9lGZ7qDl7L6hu/wpzXX76cue/WG+UzTm7FFIbHXYfGzRpAF9g13gvNmTnHE/
# C0ljiXTyeYT42jaGffGTNQbxEL7rCB6Tuv3ze2f1MrsuMjEOftEzPINz+qmkM00+
# bwFENmr5PrVgHF+/RJQiuyvyfWKx9ZGfD5d6nlNYMAbHVqWmBRY4NPUkDWIBbOnc
# /3DiUhjhi7N5Usr64tDEgaGCFz8wghc7BgorBgEEAYI3AwMBMYIXKzCCFycGCSqG
# SIb3DQEHAqCCFxgwghcUAgEDMQ8wDQYJYIZIAWUDBAIBBQAwdwYLKoZIhvcNAQkQ
# AQSgaARmMGQCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCCbkGC4Z0N1
# gwMqOszh4W6vcdyfrs82OcpcIG8mpzHvlAIQRML3ypM1fKjgK5ER9aXuvxgPMjAy
# NDA0MDIxNzUzNTRaoIITCTCCBsIwggSqoAMCAQICEAVEr/OUnQg5pr/bP1/lYRYw
# DQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0
# LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hB
# MjU2IFRpbWVTdGFtcGluZyBDQTAeFw0yMzA3MTQwMDAwMDBaFw0zNDEwMTMyMzU5
# NTlaMEgxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjEgMB4G
# A1UEAxMXRGlnaUNlcnQgVGltZXN0YW1wIDIwMjMwggIiMA0GCSqGSIb3DQEBAQUA
# A4ICDwAwggIKAoICAQCjU0WHHYOOW6w+VLMj4M+f1+XS512hDgncL0ijl3o7Kpxn
# 3GIVWMGpkxGnzaqyat0QKYoeYmNp01icNXG/OpfrlFCPHCDqx5o7L5Zm42nnaf5b
# w9YrIBzBl5S0pVCB8s/LB6YwaMqDQtr8fwkklKSCGtpqutg7yl3eGRiF+0XqDWFs
# nf5xXsQGmjzwxS55DxtmUuPI1j5f2kPThPXQx/ZILV5FdZZ1/t0QoRuDwbjmUpW1
# R9d4KTlr4HhZl+NEK0rVlc7vCBfqgmRN/yPjyobutKQhZHDr1eWg2mOzLukF7qr2
# JPUdvJscsrdf3/Dudn0xmWVHVZ1KJC+sK5e+n+T9e3M+Mu5SNPvUu+vUoCw0m+Pe
# bmQZBzcBkQ8ctVHNqkxmg4hoYru8QRt4GW3k2Q/gWEH72LEs4VGvtK0VBhTqYggT
# 02kefGRNnQ/fztFejKqrUBXJs8q818Q7aESjpTtC/XN97t0K/3k0EH6mXApYTAA+
# hWl1x4Nk1nXNjxJ2VqUk+tfEayG66B80mC866msBsPf7Kobse1I4qZgJoXGybHGv
# PrhvltXhEBP+YUcKjP7wtsfVx95sJPC/QoLKoHE9nJKTBLRpcCcNT7e1NtHJXwik
# cKPsCvERLmTgyyIryvEoEyFJUX4GZtM7vvrrkTjYUQfKlLfiUKHzOtOKg8tAewID
# AQABo4IBizCCAYcwDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwFgYDVR0l
# AQH/BAwwCgYIKwYBBQUHAwgwIAYDVR0gBBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9
# bAcBMB8GA1UdIwQYMBaAFLoW2W1NhS9zKXaaL3WMaiCPnshvMB0GA1UdDgQWBBSl
# tu8T5+/N0GSh1VapZTGj3tXjSTBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3Js
# My5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2VGlt
# ZVN0YW1waW5nQ0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDAkBggrBgEFBQcwAYYY
# aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFgGCCsGAQUFBzAChkxodHRwOi8vY2Fj
# ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2
# VGltZVN0YW1waW5nQ0EuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCBGtbeoKm1mBe8
# cI1PijxonNgl/8ss5M3qXSKS7IwiAqm4z4Co2efjxe0mgopxLxjdTrbebNfhYJwr
# 7e09SI64a7p8Xb3CYTdoSXej65CqEtcnhfOOHpLawkA4n13IoC4leCWdKgV6hCmY
# tld5j9smViuw86e9NwzYmHZPVrlSwradOKmB521BXIxp0bkrxMZ7z5z6eOKTGnai
# aXXTUOREEr4gDZ6pRND45Ul3CFohxbTPmJUaVLq5vMFpGbrPFvKDNzRusEEm3d5a
# l08zjdSNd311RaGlWCZqA0Xe2VC1UIyvVr1MxeFGxSjTredDAHDezJieGYkD6tSR
# N+9NUvPJYCHEVkft2hFLjDLDiOZY4rbbPvlfsELWj+MXkdGqwFXjhr+sJyxB0Joz
# Sqg21Llyln6XeThIX8rC3D0y33XWNmdaifj2p8flTzU8AL2+nCpseQHc2kTmOt44
# OwdeOVj0fHMxVaCAEcsUDH6uvP6k63llqmjWIso765qCNVcoFstp8jKastLYOrix
# RoZruhf9xHdsFWyuq69zOuhJRrfVf8y2OMDY7Bz1tqG4QyzfTkx9HmhwwHcK1ALg
# XGC7KP845VJa1qwXIiNO9OzTF/tQa/8Hdx9xl0RBybhG02wyfFgvZ0dl5Rtztpn5
# aywGRu9BHvDwX+Db2a2QgESvgBBBijCCBq4wggSWoAMCAQICEAc2N7ckVHzYR6z9
# KGYqXlswDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERp
# Z2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMY
# RGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MB4XDTIyMDMyMzAwMDAwMFoXDTM3MDMy
# MjIzNTk1OVowYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu
# MTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hBMjU2IFRp
# bWVTdGFtcGluZyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMaG
# NQZJs8E9cklRVcclA8TykTepl1Gh1tKD0Z5Mom2gsMyD+Vr2EaFEFUJfpIjzaPp9
# 85yJC3+dH54PMx9QEwsmc5Zt+FeoAn39Q7SE2hHxc7Gz7iuAhIoiGN/r2j3EF3+r
# GSs+QtxnjupRPfDWVtTnKC3r07G1decfBmWNlCnT2exp39mQh0YAe9tEQYncfGpX
# evA3eZ9drMvohGS0UvJ2R/dhgxndX7RUCyFobjchu0CsX7LeSn3O9TkSZ+8OpWNs
# 5KbFHc02DVzV5huowWR0QKfAcsW6Th+xtVhNef7Xj3OTrCw54qVI1vCwMROpVymW
# Jy71h6aPTnYVVSZwmCZ/oBpHIEPjQ2OAe3VuJyWQmDo4EbP29p7mO1vsgd4iFNmC
# KseSv6De4z6ic/rnH1pslPJSlRErWHRAKKtzQ87fSqEcazjFKfPKqpZzQmiftkaz
# nTqj1QPgv/CiPMpC3BhIfxQ0z9JMq++bPf4OuGQq+nUoJEHtQr8FnGZJUlD0UfM2
# SU2LINIsVzV5K6jzRWC8I41Y99xh3pP+OcD5sjClTNfpmEpYPtMDiP6zj9NeS3YS
# UZPJjAw7W4oiqMEmCPkUEBIDfV8ju2TjY+Cm4T72wnSyPx4JduyrXUZ14mCjWAkB
# KAAOhFTuzuldyF4wEr1GnrXTdrnSDmuZDNIztM2xAgMBAAGjggFdMIIBWTASBgNV
# HRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS6FtltTYUvcyl2mi91jGogj57IbzAf
# BgNVHSMEGDAWgBTs1+OC0nFdZEzfLmc/57qYrhwPTzAOBgNVHQ8BAf8EBAMCAYYw
# EwYDVR0lBAwwCgYIKwYBBQUHAwgwdwYIKwYBBQUHAQEEazBpMCQGCCsGAQUFBzAB
# hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQQYIKwYBBQUHMAKGNWh0dHA6Ly9j
# YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRSb290RzQuY3J0MEMG
# A1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
# dFRydXN0ZWRSb290RzQuY3JsMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG
# /WwHATANBgkqhkiG9w0BAQsFAAOCAgEAfVmOwJO2b5ipRCIBfmbW2CFC4bAYLhBN
# E88wU86/GPvHUF3iSyn7cIoNqilp/GnBzx0H6T5gyNgL5Vxb122H+oQgJTQxZ822
# EpZvxFBMYh0MCIKoFr2pVs8Vc40BIiXOlWk/R3f7cnQU1/+rT4osequFzUNf7WC2
# qk+RZp4snuCKrOX9jLxkJodskr2dfNBwCnzvqLx1T7pa96kQsl3p/yhUifDVinF2
# ZdrM8HKjI/rAJ4JErpknG6skHibBt94q6/aesXmZgaNWhqsKRcnfxI2g55j7+6ad
# cq/Ex8HBanHZxhOACcS2n82HhyS7T6NJuXdmkfFynOlLAlKnN36TU6w7HQhJD5TN
# OXrd/yVjmScsPT9rp/Fmw0HNT7ZAmyEhQNC3EyTN3B14OuSereU0cZLXJmvkOHOr
# pgFPvT87eK1MrfvElXvtCl8zOYdBeHo46Zzh3SP9HSjTx/no8Zhf+yvYfvJGnXUs
# HicsJttvFXseGYs2uJPU5vIXmVnKcPA3v5gA3yAWTyf7YGcWoWa63VXAOimGsJig
# K+2VQbc61RWYMbRiCQ8KvYHZE/6/pNHzV9m8BPqC3jLfBInwAM1dwvnQI38AC+R2
# AibZ8GV2QqYphwlHK+Z/GqSFD/yYlvZVVCsfgPrA8g4r5db7qS9EFUrnEw4d2zc4
# GqEr9u3WfPwwggWNMIIEdaADAgECAhAOmxiO+dAt5+/bUOIIQBhaMA0GCSqGSIb3
# DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAX
# BgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3Vy
# ZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEwMDAwMDBaFw0zMTExMDkyMzU5NTlaMGIx
# CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3
# dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBH
# NDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/mkHNo3rvkXUo8MCIw
# aTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLK
# EdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4Tm
# dDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembu
# d8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL2pNe3I6PgNq2kZhAkHnD
# eMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfbBHMqbpEBfCFM1LyuGwN1
# XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxGj2T3wWmIdph2PVld
# QnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZK37AlLTS
# YW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSm
# M9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzT
# QRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6Kx
# fgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIBNjAPBgNVHRMBAf8EBTADAQH/
# MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwPTzAfBgNVHSMEGDAWgBRF66Kv
# 9JLLgjEtUYunpyGd823IDzAOBgNVHQ8BAf8EBAMCAYYweQYIKwYBBQUHAQEEbTBr
# MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH
# MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ
# RFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNl
# cnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDARBgNVHSAECjAIMAYG
# BFUdIAAwDQYJKoZIhvcNAQEMBQADggEBAHCgv0NcVec4X6CjdBs9thbX979XB72a
# rKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnovLbc47/T/gLn4offyct4kvFID
# yE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65ZyoUi0mcudT6cGAxN3J0TU53/o
# Wajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFWjuyk1T3osdz9HNj0d1pcVIxv
# 76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPFmCLBsln1VWvPJ6tsds5vIy30
# fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9ztwGpn1eqXijiuZQxggN2MIID
# cgIBATB3MGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7
# MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1l
# U3RhbXBpbmcgQ0ECEAVEr/OUnQg5pr/bP1/lYRYwDQYJYIZIAWUDBAIBBQCggdEw
# GgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDA0
# MDIxNzUzNTRaMCsGCyqGSIb3DQEJEAIMMRwwGjAYMBYEFGbwKzLCwskPgl3OqorJ
# xk8ZnM9AMC8GCSqGSIb3DQEJBDEiBCCoDBkmn5HZOF4g4khU/SCkYmCNjdAKcNYQ
# UsyiS1qBMzA3BgsqhkiG9w0BCRACLzEoMCYwJDAiBCDS9uRt7XQizNHUQFdoQTZv
# goraVZquMxavTRqa1Ax4KDANBgkqhkiG9w0BAQEFAASCAgBDlag0z0YnuOdQHD68
# tGqErLnsa3wrMq+V0hOjgD9piMUKb6ykSpB3JoYIpWnF90qgP5vh2kzfGPQk9vmR
# LYuuYnAd2Vwd0xqfeqxuWvniFI6hOnhPCud5zD1pgKHjdvy6vUhXGCTvCYaB1sA7
# kmMAgv7lSY0cV/6MQW3eA+pnTatHjl81Ps0uaDMceFnzi/9xCkVduik/0qu2rqC3
# wHsYXhiMo2DWbcmetl+VGuSHvCfmXTrZU46K94o57z4iMmQuMoIXSJX2vl3YZUsR
# fEYlbPwEv9QQOfCVe4DivXHXCUysgY7rrrE4LaTw5m8vtKtLfImm1AKyGyuQas2S
# Qyrz3mRkQeHj2QhlrtOlydkyHfa2jDkW7e7jEeQI4/UCvo4OVDPFpDk07bEZAb9N
# Or4ULxX3TGJBbEbeKavFV8R+SblRR7SqLkTHIrFDJE6ctZCBbWlIuoCFgs2Ob35e
# q9kpWrUeTiHzoKmIvz8748k+tYtExNdB7DMZjKd/7kCiCKyJJsHa0/chYOwo13hC
# ihT4B8fqlHDAd+3jtPS7jzDlHoUm9ZPkyS7jSZwJAVn2wwNGNlK3fbp30EljZ753
# pQ+TeZRPYh1fz1Lz1dsU/nqrRXS4aDtVofkq5l5UfDLzAiz/AhaGggaQxWA8w/iW
# QAdUlcRyascTZWLn/HpKbdueNg==
# SIG # End signature block