Modules/Providers/ProviderHelpers/AADConditionalAccessHelper.psm1

class CapHelper {
    <#
    .description
        Class for parsing conditional access policies (Caps) to generate a
        pre-processed version that can be used to generate the HTML table
        of the condiational access policies in the report.
    #>


    <# The following hashtables are used to map the codes used in the
        API output to human-friendly strings #>

    [System.Collections.Hashtable] $ExternalUserStrings = @{"b2bCollaborationGuest" = "B2B collaboration guest users";
        "b2bCollaborationMember" = "B2B collaboration member users";
        "b2bDirectConnectUser" = "B2B direct connect users";
        "internalGuest" = "Local guest users";
        "serviceProvider" = "Service provider users";
        "otherExternalUser" = "Other external users"}

    [System.Collections.Hashtable] $StateStrings = @{"enabled" = "On";
        "enabledForReportingButNotEnforced" = "Report-only";
        "disabled" = "Off"}

    [System.Collections.Hashtable] $ActionStrings = @{"urn:user:registersecurityinfo" = "Register security info";
        "urn:user:registerdevice" = "Register or join devices"}

    [System.Collections.Hashtable] $ClientAppStrings = @{"exchangeActiveSync" = "Exchange ActiveSync Clients";
        "browser" = "Browser";
        "mobileAppsAndDesktopClients" = "Mobile apps and desktop clients";
        "other" = "Other clients";
        "all" = "all"}

    [System.Collections.Hashtable] $GrantControlStrings = @{"mfa" = "multifactor authentication";
        "compliantDevice" = "device to be marked compliant";
        "domainJoinedDevice" = "Hybrid Azure AD joined device";
        "approvedApplication" = "approved client app";
        "compliantApplication" = "app protection policy";
        "passwordChange" = "password change"}

    [System.Collections.Hashtable] $CondAccessAppControlStrings = @{"monitorOnly" = "Monitor only";
        "blockDownloads" = "Block downloads";
        "mcasConfigured" = "Use custom policy"}

    [string[]] GetMissingKeys([System.Object]$Obj, [string[]] $Keys) {
        <#
        .Description
        Returns a list of the keys in $Keys are not members of $Obj. Used
        to validate the structure of the conditonal access policies.
        .Functionality
        Internal
        #>

        $Missing = @()
        if ($null -eq $Obj) {
            # Note that $null needs to come first in the above check to keep the
            # linter happy. "$null should be on the left side of equality comparisons"
            return $Missing
        }
        foreach ($Key in $Keys) {
            $HasKey = [bool]($Obj.PSobject.Properties.name -match $Key)
            if (-not $HasKey) {
                $Missing += $Key
            }
        }
        return $Missing
    }

    [string[]] GetIncludedUsers([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of included users/roles used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("Users"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Users, @("IncludeGroups",
        "IncludeGuestsOrExternalUsers", "IncludeRoles", "IncludeUsers"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        $CapIncludedUsers = $Cap.Conditions.Users.IncludeUsers
        if ($CapIncludedUsers -Contains "All") {
            $Output += "All"
        }
        elseif ($CapIncludedUsers -Contains "None") {
            $Output += "None"
        }
        else {
            # Users
            if ($CapIncludedUsers.Length -eq 1) {
                $Output += "1 specific user"
            }
            elseif ($CapIncludedUsers.Length -gt 1) {
                $Output += "$($CapIncludedUsers.Length) specific users"
            }

            # Roles
            $CapIncludedRoles = $Cap.Conditions.Users.IncludeRoles
            if ($Cap.Conditions.Users.IncludeRoles.Length -eq 1) {
                $Output += "1 specific role"
            }
            elseif ($CapIncludedRoles.Length -gt 1) {
                $Output += "$($CapIncludedRoles.Length) specific roles"
            }

            # Groups
            $CapIncludedGroups = $Cap.Conditions.Users.IncludeGroups
            if ($CapIncludedGroups.Length -eq 1) {
                $Output += "1 specific group"
            }
            elseif ($CapIncludedGroups.Length -gt 1) {
                $Output += "$($CapIncludedGroups.Length) specific groups"
            }

            # External/guests
            if ($null -ne $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind) {
                $GuestOrExternalUserTypes = $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes -Split ","
                $Output += @($GuestOrExternalUserTypes | ForEach-Object {$this.ExternalUserStrings[$_]})
            }
        }
        return $Output
    }

    [string[]] GetExcludedUsers([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of excluded users/roles used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("Users"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Users, @("ExcludeGroups",
            "ExcludeGuestsOrExternalUsers", "ExcludeRoles", "ExcludeUsers"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        # Users
        $CapExcludedUsers = $Cap.Conditions.Users.ExcludeUsers
        if ($CapExcludedUsers.Length -eq 1) {
            $Output += "1 specific user"
        }
        elseif ($CapExcludedUsers.Length -gt 1) {
            $Output += "$($CapExcludedUsers.Length) specific users"
        }

        # Roles
        $CapExcludedRoles = $Cap.Conditions.Users.ExcludeRoles
        if ($CapExcludedRoles.Length -eq 1) {
            $Output += "1 specific role"
        }
        elseif ($CapExcludedRoles.Length -gt 1) {
            $Output += "$($CapExcludedRoles.Length) specific roles"
        }

        # Groups
        $CapExcludedGroups = $Cap.Conditions.Users.ExcludeGroups
        if ($CapExcludedGroups.Length -eq 1) {
            $Output += "1 specific group"
        }
        elseif ($CapExcludedGroups.Length -gt 1) {
            $Output += "$($CapExcludedGroups.Length) specific groups"
        }

        # External/guests
        if ($null -ne $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind) {
            $GuestOrExternalUserTypes = $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes -Split ","
            $Output += @($GuestOrExternalUserTypes | ForEach-Object {$this.ExternalUserStrings[$_]})
        }

        # If no users are excluded, rather than display an empty cell, display "None"
        if ($Output.Length -eq 0) {
            $Output += "None"
        }
        return $Output
    }

    [string[]] GetApplications([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of included/excluded applications/actions used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("Applications"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Applications, @("ApplicationFilter",
            "ExcludeApplications", "IncludeApplications",
            "IncludeAuthenticationContextClassReferences", "IncludeUserActions"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        $CapIncludedActions = $Cap.Conditions.Applications.IncludeUserActions
        $CapAppFilterMode = $Cap.Conditions.Applications.ApplicationFilter.Mode
        $CapIncludedApps = $Cap.Conditions.Applications.IncludeApplications
        if ($CapIncludedApps.Length -gt 0 -or
            $null -ne $CapAppFilterMode) {
            # For "Select what this policy applies to", "Cloud Apps" was selected
            $Output += "Policy applies to: apps"
            # Included apps:
            if ($CapIncludedApps -Contains "All") {
                $Output += "Apps included: All"
            }
            elseif ($CapIncludedApps -Contains "None") {
                $Output += "Apps included: None"
            }
            elseif ($CapIncludedApps.Length -eq 1) {
                $Output += "Apps included: 1 specific app"
            }
            elseif ($CapIncludedApps.Length -gt 1) {
                $Output += "Apps included: $($CapIncludedApps.Length) specific apps"
            }
            if ($CapAppFilterMode -eq "include") {
                $Output += "Apps included: custom application filter"
            }

            $CapExcludedApps = $Cap.Conditions.Applications.ExcludeApplications
            if ($CapExcludedApps.Length -eq 1) {
                $Output += "Apps excluded: 1 specific app"
            }
            elseif ($CapExcludedApps.Length -gt 1) {
                $Output += "Apps excluded: $($CapExcludedApps.Length) specific apps"
            }
            if ($CapAppFilterMode -eq "exclude") {
                $Output += "Apps excluded: custom application filter"
            }
            if ($CapAppFilterMode -ne "exclude" -and
                $CapExcludedApps.Length -eq 0) {
                    $Output += "Apps excluded: None"
            }
        }
        elseif ($CapIncludedActions.Length -gt 0) {
            # For "Select what this policy applies to", "User actions" was selected
            $Output += "Policy applies to: actions"
            $Output += "User action: $($this.ActionStrings[$CapIncludedActions[0]])"
            # While "IncludeUserActions" is a list, the GUI doesn't actually let you select more than one
            # item at a time, hence "IncludeUserActions[0]" above
        }
        else {
            # For "Select what this policy applies to", "Authentication context" was selected
            $AuthContexts = $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences
            if ($AuthContexts.Length -eq 1) {
                $Output += "Policy applies to: 1 authentication context"
            }
            else {
                $Output += "Policy applies to: $($AuthContexts.Length) authentication contexts"
            }
        }
        return $Output
    }

    [string[]] GetConditions([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of conditions used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("Conditions"))
        $Missing += $this.GetMissingKeys($Cap.Conditions, @("UserRiskLevels",
            "SignInRiskLevels", "Platforms", "Locations", "ClientAppTypes", "Devices"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Platforms, @("ExcludePlatforms", "IncludePlatforms"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Locations, @("ExcludeLocations", "IncludeLocations"))
        $Missing += $this.GetMissingKeys($Cap.Conditions.Devices, @("DeviceFilter"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()

        # User risk
        $CapUserRiskLevels = $Cap.Conditions.UserRiskLevels
        if ($CapUserRiskLevels.Length -gt 0) {
            $Output += "User risk levels: $($CapUserRiskLevels -Join ', ')"
        }
        # Sign-in risk
        $CapSignInRiskLevels = $Cap.Conditions.SignInRiskLevels
        if ($CapSignInRiskLevels.Length -gt 0) {
            $Output += "Sign-in risk levels: $($CapSignInRiskLevels -Join ', ')"
        }
        # Device platforms
        $CapIncludedPlatforms = $Cap.Conditions.Platforms.IncludePlatforms
        if ($null -ne $CapIncludedPlatforms) {
            $Output += "Device platforms included: $($CapIncludedPlatforms -Join ', ')"
            $CapExcludedPlatforms = $Cap.Conditions.Platforms.ExcludePlatforms
            if ($CapExcludedPlatforms.Length -eq 0) {
                $Output += "Device platforms excluded: none"
            }
            else {
                $Output += "Device platforms excluded: $($CapExcludedPlatforms -Join ', ')"
            }
        }
        # Locations
        $CapIncludedLocations = $Cap.Conditions.Locations.IncludeLocations
        if ($null -ne $CapIncludedLocations) {
            if ($CapIncludedLocations -Contains "All") {
                $Output += "Locations included: all locations"
            }
            elseif ($CapIncludedLocations -Contains "AllTrusted") {
                $Output += "Locations included: all trusted locations"
            }
            elseif ($CapIncludedLocations.Length -eq 1) {
                $Output += "Locations included: 1 specific location"
            }
            else {
                $Output += "Locations included: $($CapIncludedLocations.Length) specific locations"
            }

            $CapExcludedLocations = $Cap.Conditions.Locations.ExcludeLocations
            if ($CapExcludedLocations -Contains "AllTrusted") {
                $Output += "Locations excluded: all trusted locations"
            }
            elseif ($CapExcludedLocations.Length -eq 0) {
                $Output += "Locations excluded: none"
            }
            elseif ($CapExcludedLocations.Length -eq 1) {
                $Output += "Locations excluded: 1 specific location"
            }
            else {
                $Output += "Locations excluded: $($CapExcludedLocations.Length) specific locations"
            }
        }
        # Client Apps
        $ClientApps += @($Cap.Conditions.ClientAppTypes | ForEach-Object {$this.ClientAppStrings[$_]})
        $Output += "Client apps included: $($ClientApps -Join ', ')"
        # Filter for devices
        if ($null -ne $Cap.Conditions.Devices.DeviceFilter.Mode) {
            if ($Cap.Conditions.Devices.DeviceFilter.Mode -eq "include") {
                $Output += "Custom device filter in include mode active"
            }
            else {
                $Output += "Custom device filter in exclude mode active"
            }
        }

        return $Output
    }

    [string] GetAccessControls([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of access controls used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("GrantControls"))
        $Missing += $this.GetMissingKeys($Cap.GrantControls, @("AuthenticationStrength",
        "BuiltInControls", "CustomAuthenticationFactors", "Operator", "TermsOfUse"))
        $Missing += $this.GetMissingKeys($Cap.GrantControls.AuthenticationStrength, @("DisplayName"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = ""
        if ($null -ne $Cap.GrantControls.BuiltInControls) {
            if ($Cap.GrantControls.BuiltInControls -Contains "block") {
                $Output = "Block access"
            }
            else {
                $GrantControls = @($Cap.GrantControls.BuiltInControls | ForEach-Object {$this.GrantControlStrings[$_]})
                if ($null -ne $Cap.GrantControls.AuthenticationStrength.DisplayName) {
                    $GrantControls += "authentication strength ($($Cap.GrantControls.AuthenticationStrength.DisplayName))"
                }

                if ($Cap.GrantControls.TermsOfUse.Length -gt 0) {
                    $GrantControls += "terms of use"
                }

                $Output = "Allow access but require $($GrantControls -Join ', ')"
                if ($GrantControls.Length -gt 1) {
                    # If multiple access controls are in place, insert the AND or the OR
                    # before the final access control
                    $Output = $Output.Insert($Output.LastIndexOf(',')+1, " $($Cap.GrantControls.Operator)")
                }
            }
        }

        if ($Output -eq "") {
            $Output = "None"
        }
        return $Output
    }

    [string[]] GetSessionControls([System.Object]$Cap) {
        <#
        .Description
        Parses a given conditional access policy (Cap) to generate the list of session controls used in the policy.
        .Functionality
        Internal
        #>


        # Perform some basic validation of the CAP. If some of these values
        # are missing it could indicate that the API has been restructured.
        $Missing = @()
        $Missing += $this.GetMissingKeys($Cap, @("SessionControls"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls, @("ApplicationEnforcedRestrictions",
            "CloudAppSecurity", "ContinuousAccessEvaluation", "DisableResilienceDefaults",
            "PersistentBrowser", "SignInFrequency"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.ApplicationEnforcedRestrictions, @("IsEnabled"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.CloudAppSecurity, @("CloudAppSecurityType",
            "IsEnabled"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.ContinuousAccessEvaluation, @("Mode"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.PersistentBrowser, @("IsEnabled", "Mode"))
        $Missing += $this.GetMissingKeys($Cap.SessionControls.SignInFrequency, @("IsEnabled",
            "FrequencyInterval", "Type", "Value"))
        if ($Missing.Length -gt 0) {
            Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')"
            return @()
        }

        # Begin processing the CAP
        $Output = @()
        if ($Cap.SessionControls.ApplicationEnforcedRestrictions.IsEnabled) {
            $Output += "Use app enforced restrictions"
        }
        if ($Cap.SessionControls.CloudAppSecurity.IsEnabled) {
            $Mode = $this.CondAccessAppControlStrings[$Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType]
            $Output += "Use Conditional Access App Control ($($Mode))"
        }
        if ($Cap.SessionControls.SignInFrequency.IsEnabled) {
            if ($Cap.SessionControls.SignInFrequency.FrequencyInterval -eq "everyTime") {
                $Output += "Sign-in frequency (every time)"
            }
            else {
                $Value = $Cap.SessionControls.SignInFrequency.Value
                $Unit = $Cap.SessionControls.SignInFrequency.Type
                $Output += "Sign-in frequency (every $($Value) $($Unit))"
            }
        }
        if ($Cap.SessionControls.PersistentBrowser.IsEnabled) {
            $Mode = $Cap.SessionControls.PersistentBrowser.Mode
            $Output += "Persistent browser session ($($Mode) persistent)"
        }
        if ($Cap.SessionControls.ContinuousAccessEvaluation.Mode -eq "disabled") {
            $Output += "Customize continuous access evaluation"
        }
        if ($Cap.SessionControls.DisableResilienceDefaults) {
            $Output += "Disable resilience defaults"
        }
        if ($Output.Length -eq 0) {
            $Output += "None"
        }
        return $Output
    }

    [string] ExportCapPolicies([System.Object]$Caps) {
        <#
        .Description
        Parses the conditional access policies (Caps) to generate a pre-processed version that can be used to
        generate the HTML of the condiational access policies in the report.
        .Functionality
        Internal
        #>

            $Table = @()

            foreach ($Cap in $Caps) {
                $State = $this.StateStrings[$Cap.State]
                $UsersIncluded = $($this.GetIncludedUsers($Cap)) -Join ", "
                $UsersExcluded = $($this.GetExcludedUsers($Cap)) -Join ", "
                $Users = @("Users included: $($UsersIncluded)", "Users excluded: $($UsersExcluded)")
                $Apps = $this.GetApplications($Cap)
                $Conditions = $this.GetConditions($Cap)
                $AccessControls = $this.GetAccessControls($Cap)
                $SessionControls = $this.GetSessionControls($Cap)
                $CapDetails = [pscustomobject]@{
                    "Name" = $Cap.DisplayName;
                    "State" = $State;
                    "Users" = $Users
                    "Apps/Actions" = $Apps;
                    "Conditions" = $Conditions;
                    "Block/Grant Access" = $AccessControls;
                    "Session Controls" = $SessionControls;
                }

                $Table += $CapDetails
            }

            $CapTableJson = ConvertTo-Json $Table
            return $CapTableJson
    }
}

function Get-CapTracker {
    [CapHelper]::New()
}
# SIG # Begin signature block
# MIIuuQYJKoZIhvcNAQcCoIIuqjCCLqYCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCxpri0kvAHU+vp
# mZydMXROEijdGbuDwFxBVxXxPe2doaCCE6MwggWQMIIDeKADAgECAhAFmxtXno4h
# MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV
# BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z
# ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ
# bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0
# IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
# AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z
# G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ
# anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s
# Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL
# 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb
# BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3
# JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c
# AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx
# YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0
# viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL
# T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud
# EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf
# Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk
# aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS
# PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK
# 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB
# cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp
# 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg
# dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri
# RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7
# 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5
# nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3
# i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H
# EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G
# CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ
# bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0
# IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla
# MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE
# AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz
# ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C
# 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce
# 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da
# E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T
# SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA
# FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh
# D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM
# 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z
# 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05
# huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY
# mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP
# /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T
# AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD
# VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG
# A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY
# aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj
# ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV
# HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
# cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN
# BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry
# sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL
# IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf
# Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh
# OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh
# dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV
# 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j
# wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH
# Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC
# XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l
# /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW
# eE4wggdXMIIFP6ADAgECAhANkQ8dPvvR0q3Ytt4H0T3aMA0GCSqGSIb3DQEBCwUA
# MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE
# AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz
# ODQgMjAyMSBDQTEwHhcNMjQwMTMwMDAwMDAwWhcNMjUwMTI5MjM1OTU5WjBfMQsw
# CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV
# BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi
# MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCT1y7uJCQax8JfiDEYgpiU9URj
# EXCTRqtZbDALM9rPUudiuM3mj6A1SUSAAWYv6DTsvGPvxyMI2Idg0mQunl4Ms9DJ
# yVwe5k4+Anj/73Nx1AbOPYP8xRZcD10FkctKGhV0PzvrDcwU15hsQWtiepFgg+bX
# fHkGMeu426oc69f43vKE43DiqKTf0/UBX/qgpj3JZvJ3zc1kilBOv4sBCksfCjbW
# tLZD0tqAgBsNPo3Oy5mQG31E1eZdTNvrdTnEXacSwb3k615z7mHy7nqBUkOruZ9E
# tnvC2qla+uL3ks91O/e/LnKzH9Lj1JmEBf6jwPN/MYR9Dymni4Mi3AQ8mpQMyFmi
# XcSHymibSNbtTMavpdBWjFfrcvPETX7krROUOoLzMQmNgHArceSh55tgvDRdSU5c
# WK3BTvK3l3mgCdgjre7XGYxV3W8apyxk5+RKfHdbv9cpRwpSuDnI8sHeqmB3fnfo
# Cr1PPu4WhKegt20CobhDVybiBdhDVqUdR53ful4N/coQOEHDrIExB5nJf9Pvdrza
# DyIGKAMIXD79ba5/rQEo+2cA66oJkPlvB5hEGI/jtDcYwDBgalbwB7Kc8zAAhl6+
# JvHfYpXOkppSfEQbaRXZI+LGXWQAFa5pJDfDEAyZSXprStgw594sWUOysp+UOxFe
# kSA4mBr0o1jVpdaulwIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R
# hvv+YXsIiGX0TkIwHQYDVR0OBBYEFAmyTB5bcWyA+8+rq540jPRLJ1nYMD4GA1Ud
# IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl
# cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw
# gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp
# Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j
# cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0
# ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF
# BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
# MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
# cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ
# BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAh2Jnt9IPoBvOQlYQUlCP9iJ5y
# XAvEWe1camOwedqMZsHEPpT2yd6+fMzPZmV3/bYJgaN2OrDS1snf62S7yc+AulVw
# PAXSp1lSAiFEbZ6PFEdEBIag9B65Mp/cvRtJsIWQIc//jWqFMHpkU6r3MW9YARRu
# vaIf5/0qlM4VEwn3lTf+jJdxhhyoOFTWWd3BrlMPcT06z6F6hFfyycQkZ3Y9wEJ3
# uOU9bCNLZL1HCjlKT+oI0WsgeRdbe2sYrnvv9NmDY9oEi8PEq+DGjiTgLbY5OcAX
# uUogPPw6gbcuNn8Hq6FFKPIQxaksB8dF8Gw4m2lQoUWESPRF8Zaq9lmZN3+QzA79
# yskfJtAFqz3gUP5wJBdNfi/u1sGbLI0QnJQkIKfFuz7DfDPldw0gIl05BIYwZBmj
# TpFRu1/+gIlP1Ul4L/wt9Lxk6pglObLsdxHP2UQrG30JaUN0gv3xZMBBByHGVVTe
# cyU4qwJ0ulMdv/kjHwh+m58uOF8gHXLfyBmOjYpohN3+l0rS0qdArZMNSmLTA7N8
# n3V3AZLKB//1yhPt++gR4pCFdXmgwYDDLRxjlV0cMsG1UeSQUdI0aieh/grg5TQO
# CergVXS5h3sz5U0ZQPWND41LJhA0gF2OGZNHdUc9+0dwTsfxAERrjaTdeZp0/rdZ
# 9iGBoiRsS4U86S8xkDGCGmwwghpoAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV
# BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0
# IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDZEPHT770dKt
# 2LbeB9E92jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh
# AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM
# BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCChypn83Rl9rEsRURMtReivWo0Z
# VdDJtGZVAViiPH2CUTANBgkqhkiG9w0BAQEFAASCAgATEwgWsl0YxZiNo4S5m0c4
# FNj/DcII0r4RtDqUE54GsLDcGTTS0MXd3+1Hr9fz7Mr4ny58/vuDG5It83BTR6OS
# Q3Xao0u4A7xZ3jXW4b8vGUpSZjyEkUcDzLAnxMmmxAjWlog0pz9VOHudOnbwQ4kd
# GTJj037KrpsBLlMg7EqxEn9ASKlwqOabulMUE7KKO6/SZOFW823vKWoGMOiJpDHS
# wUl6FV3yZn7IHiROx+V/WDm2to9uhMNIwPqMC4Y3QeqZI4xvMdFrQFtLI93jo/Lm
# n9m5r2LGIqfeCkWtFOUem23FmNj+iWXW6Cw0AVLWO533HL89hKH7W+WJ/4ntkptz
# yHzQ0jzN6YTZN0qVhgNCZucQdKhiBX/YlCgYYHi5nUa4xMlCuK1VWDF9Y8c+SDWi
# vkkGAWelSzW/8Lr7TjbvJ2MYamBrN489/0kkErnAJViNZ8YO6Rz0VYmC6EHrQRkr
# ifPU9lGZ7qDl7L6hu/wpzXX76cue/WG+UzTm7FFIbHXYfGzRpAF9g13gvNmTnHE/
# C0ljiXTyeYT42jaGffGTNQbxEL7rCB6Tuv3ze2f1MrsuMjEOftEzPINz+qmkM00+
# bwFENmr5PrVgHF+/RJQiuyvyfWKx9ZGfD5d6nlNYMAbHVqWmBRY4NPUkDWIBbOnc
# /3DiUhjhi7N5Usr64tDEgaGCFzkwghc1BgorBgEEAYI3AwMBMYIXJTCCFyEGCSqG
# SIb3DQEHAqCCFxIwghcOAgEDMQ8wDQYJYIZIAWUDBAIBBQAwdwYLKoZIhvcNAQkQ
# AQSgaARmMGQCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCCbkGC4Z0N1
# gwMqOszh4W6vcdyfrs82OcpcIG8mpzHvlAIQTaSZTspIUUpKPsn+TjiClxgPMjAy
# NDExMjYyMDU2NTJaoIITAzCCBrwwggSkoAMCAQICEAuuZrxaun+Vh8b56QTjMwQw
# DQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0
# LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hB
# MjU2IFRpbWVTdGFtcGluZyBDQTAeFw0yNDA5MjYwMDAwMDBaFw0zNTExMjUyMzU5
# NTlaMEIxCzAJBgNVBAYTAlVTMREwDwYDVQQKEwhEaWdpQ2VydDEgMB4GA1UEAxMX
# RGlnaUNlcnQgVGltZXN0YW1wIDIwMjQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
# ggIKAoICAQC+anOf9pUhq5Ywultt5lmjtej9kR8YxIg7apnjpcH9CjAgQxK+CMR0
# Rne/i+utMeV5bUlYYSuuM4vQngvQepVHVzNLO9RDnEXvPghCaft0djvKKO+hDu6O
# bS7rJcXa/UKvNminKQPTv/1+kBPgHGlP28mgmoCw/xi6FG9+Un1h4eN6zh926SxM
# e6We2r1Z6VFZj75MU/HNmtsgtFjKfITLutLWUdAoWle+jYZ49+wxGE1/UXjWfISD
# mHuI5e/6+NfQrxGFSKx+rDdNMsePW6FLrphfYtk/FLihp/feun0eV+pIF496OVh4
# R1TvjQYpAztJpVIfdNsEvxHofBf1BWkadc+Up0Th8EifkEEWdX4rA/FE1Q0rqViT
# bLVZIqi6viEk3RIySho1XyHLIAOJfXG5PEppc3XYeBH7xa6VTZ3rOHNeiYnY+V4j
# 1XbJ+Z9dI8ZhqcaDHOoj5KGg4YuiYx3eYm33aebsyF6eD9MF5IDbPgjvwmnAalNE
# eJPvIeoGJXaeBQjIK13SlnzODdLtuThALhGtyconcVuPI8AaiCaiJnfdzUcb3dWn
# qUnjXkRFwLtsVAxFvGqsxUA2Jq/WTjbnNjIUzIs3ITVC6VBKAOlb2u29Vwgfta8b
# 2ypi6n2PzP0nVepsFk8nlcuWfyZLzBaZ0MucEdeBiXL+nUOGhCjl+QIDAQABo4IB
# izCCAYcwDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAww
# CgYIKwYBBQUHAwgwIAYDVR0gBBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9bAcBMB8G
# A1UdIwQYMBaAFLoW2W1NhS9zKXaaL3WMaiCPnshvMB0GA1UdDgQWBBSfVywDdw4o
# FZBmpWNe7k+SH3agWzBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsMy5kaWdp
# Y2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2VGltZVN0YW1w
# aW5nQ0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDAkBggrBgEFBQcwAYYYaHR0cDov
# L29jc3AuZGlnaWNlcnQuY29tMFgGCCsGAQUFBzAChkxodHRwOi8vY2FjZXJ0cy5k
# aWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2VGltZVN0
# YW1waW5nQ0EuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQA9rR4fdplb4ziEEkfZQ5H2
# EdubTggd0ShPz9Pce4FLJl6reNKLkZd5Y/vEIqFWKt4oKcKz7wZmXa5VgW9B76k9
# NJxUl4JlKwyjUkKhk3aYx7D8vi2mpU1tKlY71AYXB8wTLrQeh83pXnWwwsxc1Mt+
# FWqz57yFq6laICtKjPICYYf/qgxACHTvypGHrC8k1TqCeHk6u4I/VBQC9VK7iSpU
# 5wlWjNlHlFFv/M93748YTeoXU/fFa9hWJQkuzG2+B7+bMDvmgF8VlJt1qQcl7YFU
# MYgZU1WM6nyw23vT6QSgwX5Pq2m0xQ2V6FJHu8z4LXe/371k5QrN9FQBhLLISZi2
# yemW0P8ZZfx4zvSWzVXpAb9k4Hpvpi6bUe8iK6WonUSV6yPlMwerwJZP/Gtbu3CK
# ldMnn+LmmRTkTXpFIEB06nXZrDwhCGED+8RsWQSIXZpuG4WLFQOhtloDRWGoCwwc
# 6ZpPddOFkM2LlTbMcqFSzm4cd0boGhBq7vkqI1uHRz6Fq1IX7TaRQuR+0BGOzISk
# cqwXu7nMpFu3mgrlgbAW+BzikRVQ3K2YHcGkiKjA4gi4OA/kz1YCsdhIBHXqBzR0
# /Zd2QwQ/l4Gxftt/8wY3grcc/nS//TVkej9nmUYu83BDtccHHXKibMs/yXHhDXNk
# oPIdynhVAku7aRZOwqw6pDCCBq4wggSWoAMCAQICEAc2N7ckVHzYR6z9KGYqXlsw
# DQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0
# IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNl
# cnQgVHJ1c3RlZCBSb290IEc0MB4XDTIyMDMyMzAwMDAwMFoXDTM3MDMyMjIzNTk1
# OVowYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTswOQYD
# VQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hBMjU2IFRpbWVTdGFt
# cGluZyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMaGNQZJs8E9
# cklRVcclA8TykTepl1Gh1tKD0Z5Mom2gsMyD+Vr2EaFEFUJfpIjzaPp985yJC3+d
# H54PMx9QEwsmc5Zt+FeoAn39Q7SE2hHxc7Gz7iuAhIoiGN/r2j3EF3+rGSs+Qtxn
# jupRPfDWVtTnKC3r07G1decfBmWNlCnT2exp39mQh0YAe9tEQYncfGpXevA3eZ9d
# rMvohGS0UvJ2R/dhgxndX7RUCyFobjchu0CsX7LeSn3O9TkSZ+8OpWNs5KbFHc02
# DVzV5huowWR0QKfAcsW6Th+xtVhNef7Xj3OTrCw54qVI1vCwMROpVymWJy71h6aP
# TnYVVSZwmCZ/oBpHIEPjQ2OAe3VuJyWQmDo4EbP29p7mO1vsgd4iFNmCKseSv6De
# 4z6ic/rnH1pslPJSlRErWHRAKKtzQ87fSqEcazjFKfPKqpZzQmiftkaznTqj1QPg
# v/CiPMpC3BhIfxQ0z9JMq++bPf4OuGQq+nUoJEHtQr8FnGZJUlD0UfM2SU2LINIs
# VzV5K6jzRWC8I41Y99xh3pP+OcD5sjClTNfpmEpYPtMDiP6zj9NeS3YSUZPJjAw7
# W4oiqMEmCPkUEBIDfV8ju2TjY+Cm4T72wnSyPx4JduyrXUZ14mCjWAkBKAAOhFTu
# zuldyF4wEr1GnrXTdrnSDmuZDNIztM2xAgMBAAGjggFdMIIBWTASBgNVHRMBAf8E
# CDAGAQH/AgEAMB0GA1UdDgQWBBS6FtltTYUvcyl2mi91jGogj57IbzAfBgNVHSME
# GDAWgBTs1+OC0nFdZEzfLmc/57qYrhwPTzAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0l
# BAwwCgYIKwYBBQUHAwgwdwYIKwYBBQUHAQEEazBpMCQGCCsGAQUFBzABhhhodHRw
# Oi8vb2NzcC5kaWdpY2VydC5jb20wQQYIKwYBBQUHMAKGNWh0dHA6Ly9jYWNlcnRz
# LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRSb290RzQuY3J0MEMGA1UdHwQ8
# MDowOKA2oDSGMmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0
# ZWRSb290RzQuY3JsMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG/WwHATAN
# BgkqhkiG9w0BAQsFAAOCAgEAfVmOwJO2b5ipRCIBfmbW2CFC4bAYLhBNE88wU86/
# GPvHUF3iSyn7cIoNqilp/GnBzx0H6T5gyNgL5Vxb122H+oQgJTQxZ822EpZvxFBM
# Yh0MCIKoFr2pVs8Vc40BIiXOlWk/R3f7cnQU1/+rT4osequFzUNf7WC2qk+RZp4s
# nuCKrOX9jLxkJodskr2dfNBwCnzvqLx1T7pa96kQsl3p/yhUifDVinF2ZdrM8HKj
# I/rAJ4JErpknG6skHibBt94q6/aesXmZgaNWhqsKRcnfxI2g55j7+6adcq/Ex8HB
# anHZxhOACcS2n82HhyS7T6NJuXdmkfFynOlLAlKnN36TU6w7HQhJD5TNOXrd/yVj
# mScsPT9rp/Fmw0HNT7ZAmyEhQNC3EyTN3B14OuSereU0cZLXJmvkOHOrpgFPvT87
# eK1MrfvElXvtCl8zOYdBeHo46Zzh3SP9HSjTx/no8Zhf+yvYfvJGnXUsHicsJttv
# FXseGYs2uJPU5vIXmVnKcPA3v5gA3yAWTyf7YGcWoWa63VXAOimGsJigK+2VQbc6
# 1RWYMbRiCQ8KvYHZE/6/pNHzV9m8BPqC3jLfBInwAM1dwvnQI38AC+R2AibZ8GV2
# QqYphwlHK+Z/GqSFD/yYlvZVVCsfgPrA8g4r5db7qS9EFUrnEw4d2zc4GqEr9u3W
# fPwwggWNMIIEdaADAgECAhAOmxiO+dAt5+/bUOIIQBhaMA0GCSqGSIb3DQEBDAUA
# MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT
# EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg
# Um9vdCBDQTAeFw0yMjA4MDEwMDAwMDBaFw0zMTExMDkyMzU5NTlaMGIxCzAJBgNV
# BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp
# Y2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDCCAiIw
# DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/mkHNo3rvkXUo8MCIwaTPswqcl
# LskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLKEdLkX9YF
# PFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4TmdDttceIt
# DBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembud8hIqGZX
# V59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1
# ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfbBHMqbpEBfCFM1LyuGwN1XXhm2Tox
# RJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxGj2T3wWmIdph2PVldQnaHiZdp
# ekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF
# 30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSmM9GJB+G9
# t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzTQRESW+UQ
# UOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6KxfgommfXk
# aS+YHS312amyHeUbAgMBAAGjggE6MIIBNjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
# DgQWBBTs1+OC0nFdZEzfLmc/57qYrhwPTzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEt
# UYunpyGd823IDzAOBgNVHQ8BAf8EBAMCAYYweQYIKwYBBQUHAQEEbTBrMCQGCCsG
# AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUHMAKGN2h0
# dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RD
# QS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNlcnQuY29t
# L0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDARBgNVHSAECjAIMAYGBFUdIAAw
# DQYJKoZIhvcNAQEMBQADggEBAHCgv0NcVec4X6CjdBs9thbX979XB72arKGHLOyF
# XqkauyL4hxppVCLtpIh3bb0aFPQTSnovLbc47/T/gLn4offyct4kvFIDyE7QKt76
# LVbP+fT3rDB6mouyXtTP0UNEm0Mh65ZyoUi0mcudT6cGAxN3J0TU53/oWajwvy8L
# punyNDzs9wPHh6jSTEAZNUZqaVSwuKFWjuyk1T3osdz9HNj0d1pcVIxv76FQPfx2
# CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPFmCLBsln1VWvPJ6tsds5vIy30fnFqI2si
# /xK4VC0nftg62fC2h5b9W9FcrBjDTZ9ztwGpn1eqXijiuZQxggN2MIIDcgIBATB3
# MGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7MDkGA1UE
# AxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1lU3RhbXBp
# bmcgQ0ECEAuuZrxaun+Vh8b56QTjMwQwDQYJYIZIAWUDBAIBBQCggdEwGgYJKoZI
# hvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDExMjYyMDU2
# NTJaMCsGCyqGSIb3DQEJEAIMMRwwGjAYMBYEFNvThe5i29I+e+T2cUhQhyTVhltF
# MC8GCSqGSIb3DQEJBDEiBCAHabA1Cj7g85Id1L/GHGXR8pxaeZcSwM9L30nmUo6/
# ajA3BgsqhkiG9w0BCRACLzEoMCYwJDAiBCB2dp+o8mMvH0MLOiMwrtZWdf7Xc9sF
# 1mW5BZOYQ4+a2zANBgkqhkiG9w0BAQEFAASCAgBGCDge5kAa3MZVCgygyGSfORUW
# C02XiU0vciLxnmbFVRZzAhwnOnhKmMRIq/xbM6U+myuQszIdf2Jp/9gxKauzeLzq
# txUkBZz5WyBF2q/Y/1Na13A2INBMNtGwKssaSJ5+0XRNZOndCE+riOTE6poFpFON
# nFZMX/M0l21aStIOk8Dq2RnncnA8oRSPeeAAGzs/mpz0rCJ4+ebwJWgLhHFJIJ66
# Lwvw3JEmkRc5T3ks1wXwbLCkSKvJ974v1iL2Yjm+P9GnuOB3yFEtlB8JlPTDbUJW
# YWhCnE4YmHIHYYc/GvcXSeHCdY8iU5xp5UtS9/jlkjXBDPW2TLQ620R8Hvg6W2sy
# e9BTR1dzOBehT43/fY9fNfdMonhgaCKb+ybEhMeWcMNPt1GSK2xLUEk+wJvTvn/d
# 0LNo11thPv+3SN93HOXCibuG9T3I1n1CIjMByeBuc/X3l1+2VgM+FdV0FQMiOeR+
# UoqH1D8kW1QNIOBMMAWDfIZNpqWIITPNubbqtJdAXwAjsp+VyNvepAnZYIhMkfAl
# vT4oOwDZyyFs3URbmA/4kqqvIG7mMhR7nFyayg2dH4pN1dnJro/mO5duirqchULS
# H91KAgt+STUW8QjLnChCdu4fxPheBBlsGMBpZixdD59LeZ81pC63g87TnrSzAH8F
# SVU4zCOyNHazV3DwxA==
# SIG # End signature block