From b0f897829bfe37b7f737b744fc8546f1f8f919a9 Mon Sep 17 00:00:00 2001 From: John ODonnell Date: Wed, 6 Jul 2022 15:15:18 -0400 Subject: [PATCH] Add solution design for namespace-label-based K8s authentication --- .../namespace_label_authenticator.md | 581 ++++++++++++++++++ ...pdated-authnk8s-req-validation-process.png | Bin 0 -> 36492 bytes ...dated-authnk8s-req-validation-sequence.png | Bin 0 -> 42585 bytes 3 files changed, 581 insertions(+) create mode 100644 design/authenticators/authn_k8s/namespace_label_authenticator.md create mode 100644 design/authenticators/authn_k8s/updated-authnk8s-req-validation-process.png create mode 100644 design/authenticators/authn_k8s/updated-authnk8s-req-validation-sequence.png diff --git a/design/authenticators/authn_k8s/namespace_label_authenticator.md b/design/authenticators/authn_k8s/namespace_label_authenticator.md new file mode 100644 index 0000000000..94afae4802 --- /dev/null +++ b/design/authenticators/authn_k8s/namespace_label_authenticator.md 
@@ -0,0 +1,581 @@ +# Solution Design - Namespace Label Identity Scope for the Kubernetes Authenticator +[//]: # "Change the title above from 'Template' to your design's title" + +[//]: # "General notes:" +[//]: # "1. Design should be graphical-based and table-based - avoid long text explanations" +[//]: # "2. Design documents should not be updated after implementation" +[//]: # "3. Design decisions should be made before writing this document, and as such this document should not include options / choices" + + +## Table of Contents +[//]: # "You can use this tool to generate a TOC - https://ecotrust-canada.github.io/markdown-toc/" + +- [Solution Design - Namespace-Label Identity Scope for the Kubernetes Authenticator](#solution-design---namespace-label-identity-scope-for-the-kubernetes-authenticator) + - [Table of Contents](#table-of-contents) + - [Glossary](#glossary) + - [Useful Links](#useful-links) + - [Background](#background) + - [Existing Kubernetes Authentication Flow](#existing-kubernetes-authentication-flow) + - [Issue Description](#issue-description) + - [Disadvantages of the Existing Authentication Flow](#disadvantages-of-the-existing-authentication-flow) + - [Enter Rancher](#enter-rancher) + - [Solution](#solution) + - [Label-based Identity Scope](#label-based-identity-scope) + - [Querying Labeled Namespaces](#querying-labeled-namespaces) + - [Updates to Identity Resource Restrictions](#updates-to-identity-resource-restrictions) + - [Namespace Label Selector](#namespace-label-selector) + - [User Interface](#user-interface) + - [Design](#design) + - [Class / Component Diagrams](#class---component-diagrams) + - [Sequence Diagrams](#sequence-diagrams) + - [Performance](#performance) + - [Backwards Compatibility](#backwards-compatibility) + - [Affected Components](#affected-components) + - [Work in Parallel](#work-in-parallel) + - [Development Tasks](#development-tasks) + - [Test Plan](#test-plan) + - [Test Environments](#test-environments) + - [Test Cases 
(Including Performance)](#test-cases--including-performance-) + - [Functional Tests](#functional-tests) + - [Security Tests](#security-tests) + - [Error Handling / Recovery / Supportability tests](#error-handling---recovery---supportability-tests) + - [Performance Tests](#performance-tests) + - [Logs](#logs) + - [Documentation](#documentation) + - [Security](#security) + - [Open Questions](#open-questions) + - [Definition of Done](#definition-of-done) + - [Solution Review](#solution-review) + +Table of contents generated with markdown-toc + + +## Glossary +[//]: # "Describe terms that will be used throughout the design" +[//]: # "You can use this tool to generate a table - https://www.tablesgenerator.com/markdown_tables#" + +| **Term** | **Description** | +|----------|-----------------| +| | | +| | | + +## Useful Links +[//]: # "Add links that may be useful for the reader" + +| **Name** | **Link** | +|-------------|----------| +| Feature Doc | | +| Issue | | +| Kubernetes Docs: Labels and Selectors | https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | +| Proof-of-Concept branch | https://github.com/cyberark/conjur/compare/master...authn-k8s-label-selector | + +## Background +[//]: # "Give relevant background for the designed feature. What is the motivation for this solution?" + +### Existing Kubernetes Authentication Flow + +For context, let's lay out the basic flow of the Kubernetes Authenticator: + +![AuthnK8s Flow](./authn-k8s-process.png) + +Note that the `Validate*` loops ensures that the requests adheres to the +authenticating host's [resource restrictions](), which are used to scope +authenticator permissions to a subset of resources in a given cluster. Resource +restrictions are configured on each host through its annotations. 
+ +The following is a policy sample that defines a Conjur host to use as an +authenticating identity, and the annotations that define its resource +restrictions: + +```yaml +- !host + id: test-app + annotations: + authn-k8s/namespace: + authn-k8s/authentication-container-name: + authn-k8s/service-account: + authn-k8s/deployment: + authn-k8s/deployment-config: + authn-k8s/stateful-set: +``` + +To summarize: + +- Hosts are required to scope permissions to at least a single namespace. All + other restrictions reduce scope further from this baseline. +- Deployment, DeploymentConfig, and StatefulSet scopes are mutually exclusive. +- Authentication container name is not exactly a request restriction, but + container existence is validated. + +## Issue Description +[//]: # "Elaborate on the issue you are writing a solution for" + +### Disadvantages of the Existing Authentication Flow + +With the existing authentication flow and resource restriction requirements, +hosts can only represent workloads in, at most, a single namespace. That +namespace must be statically-named, and known prior to host configuration. + +For complex environments with authenticating workloads in `n` clusters, each +with `m` namespaces, requires exactly `n` Authenticator instances, and `n * m` +namespace-scoped hosts. + +There is demand for the Kubernetes Authenticator to support use-cases where the +workload identity can be associated with: + +- a set of namespaces, with membership that is subject to change, +- a namespace whose name is not known ahead of time, and is subject to change. + +### Enter Rancher + +Demand for this feature is derived from demand for the Kubernetes Authenticator +to support Rancher as a Kubernetes management platform. Rancher uses an +abstraction called Projects, which represent unique collections of Kubernetes +namespaces, and users would like to be able to constrain workload identity to +Project-scope. 
+ +Any solution designed to fit a general multi-namespace use-case should extend to +this Rancher use-case. + +## Solution +[//]: # "Elaborate on the solution you are suggesting in this page. Address the functional requirements and the non functional requirements that this solution is addressing. If there are a few options considered for the solution, mention them and explain why the actual solution was chosen over them. Add an execution plan when relevant. It doesn't have to be a full breakdown of the feature, but just a recommendation to how the solution should be approached." + +When designing a solution, we want to ensure: + +1. we use a sane mechanism for logically grouping namespaces, +2. that mechanism extends to the Rancher use-case, +3. we consider cases where an Authenticator instance is responsible for a large + group of namespaces. + +### Label-based Identity Scope + +Kubernetes uses labels as identifying attributes of objects that are meaningful +to users, and do not influence the core system. Labels do not provide uniqueness, +and it is expected that many objects will carry the same label(s). This makes it +a prime candidate for a namespace-grouping mechanism - namespaces decorated with +the same label key-value pair can be treated as a logical group. + +Using labels as a namespace grouping mechanism extends to the Rancher use-case. +When a namespace is added to a Rancher project, it is decorated with a label +`field.cattle.io/projectId`, where the label's value is the project's unique ID. +This label is actively maintained, and can't be edited by clients. + +After implementing a label-based identity scope, authenticating workloads in `n` +clusters, each with `m` similarly-labeled namespaces, requires exactly `n` +Authenticator instances and `n` label-scoped hosts. + +#### Querying Labeled Namespaces + +The label selector is Kubernetes' core grouping primitive, so it's an early +candidate here. 
Label selectors have two flavors to consider: + +- Equality-based selectors allow results filtering based on key-value equality, + and include the following operations: + - `key = value` or `key == value` + - `key != value` +- Set-based selectors allow results filtering based on a certain label's + inclusion in a set of accepted values, and include the following operations: + - `key in (value1, value2)` + - `key notin (value1, value2)` + - `key` or `!key` + +These flavors can be combined - a label selector can define multiple +comma-delimited filters, where both conditions must be satisfied. For example, +the label-selector `"key1=value1,key2 in (value2, value3)"` filters results so +listed resources must have a label `key1` set to `value1`, **and** must have a +label `key2` set to either `value2` or `value3`. + +The minimum subset of label selector flavors we need to support are +**single**, **positive**, **equality-based** selectors (`=` or `==`), allowing +an identity to scope to a single group of similarly-labeled namespaces. + +Should this feature also support: +| **Selector Type** | **Support?** | **Comments** | +|-------------------|--------------|--------------| +| **Multiple** positive equality-based selectors | **Nice to have, but not required** | Multiple equality-based selectors can be used to reduce scope from a single equality-based selector. An identity could authenticate workloads in a subset of namespaces in a single group based on additional labels. | +| **Negative** selectors (`!=`, `notin`, and `!`) | **No** | This feature should not support negative selectors, which would serve as a denylist in this context. Theoretically, new workloads would be able to authenticate by default, unless they reside in a denylisted namespace. An identity's scope should be meaningfully curated, not open-ended. | +| Positive **set-based** selectors (`in`) | **No** | Set-based selectors can be used to increase scope from a single equality-based selector. 
Support for this selector flavor would imply that a single host identity could authenticate on behalf of any number of namespace groups. This runs counter to having intentionally-scoped host identities - if two workloads are in separate namespaces, and those namespaces are designated to different sets, they should authenticate with separate identities. | +| Positive **existence-based** selectors | **No** | Existence based selectors filter results based on label keys, and does no validation on label values. While this could technically be leveraged to mimic positive equality-based selectors by using unique label keys, this would mean thoroughly polluting the label namespace. | + +In Kubernetes, label selectors can only be applied to functions that list +instances of a resource type - for example, a client can query a list of +namespaces in a cluster, but limit the results to only those namespaces that +match a given selector. Using label selectors with the Kubernetes Authenticator +will require permitting its identity to `list` all namespaces in the target +cluster. This operation could be negatively affected if the target cluster is +host to so many namespaces that the list operation becomes costly. + +```rb +# Retrieves all namespaces in the cluster, enforcing field selection based on +# authentication request origin namespace, and label selection based on the +# configuration of the requesting host identity +def namespace_by_label(name, label_selector) + k8s_client_for_method("get_namespaces").get_namespaces( + field_selector: "metadata.name=#{name}", + label_selector: label_selector + ) +end + +# Later, response object existence implies name and label match +namespace_obj = namespace_by_label("requesting_namespace", "key1=value1") +``` + +We can avoid the possible negative affect of a large list of namespaces by +implementing label validation Conjur-side. 
This operation would still require an +additional permission on the Authenticator's identity - that to `get` any +namespace in the target cluster. + +```rb +# Retrieves the authentication request origin namespace +def namespace_by_name(name) + k8s_client_for_method("get_namespace").get_namespace(name) +end + +# Later, response object existence implies name match +namespace_obj = namespace_by_name("requesting_namespace") +# Parse namespace labels into a hash-map, and validate against label selectors +labels_h = namespace_obj.metadata.labels.to_h +``` + +### Updates to Identity Resource Restrictions + +#### Namespace Label Selector + +Extending the Kubernetes Authenticator to support workloads in a group of +similarly-labeled namespaces would mean adding a new resource restriction. For +example: + +```yaml +- !host + id: test-app + annotations: + authn-k8s/namespace-label: "conjur.org/authn-k8s-project=dev" + authn-k8s/service-account: "test-app-sa" +``` + +The above host should approve certificate injection and authentication requests +from workloads with the following properties: + +- the workload exists in a namespace decorated with the + `conjur.org/authn-k8s-project` label set to the value `dev`, +- the workload is authenticating with a service account named `test-app-sa`, +- the requesting pod has a container named `authenticator`, which will serve as + the target for certificate and access token injection. + +The current set of [restrictions](https://github.com/cyberark/conjur/blob/master/app/domain/authentication/authn_k8s/consts.rb#L8) +that govern Kubernetes resource validation need to be updated. This requires a +new flavor of constraint that blends the existing [exclusive](https://github.com/cyberark/conjur/blob/master/app/domain/authentication/constraints/exclusive_constraint.rb) +and [required](https://github.com/cyberark/conjur/blob/master/app/domain/authentication/constraints/required_constraint.rb) +flavors. 
+ +```rb +module Authentication + module Constraints + class RequiredExclusiveConstraint + + def initialize(required_exclusive:) + @required_exclusive = required_exclusive + end + + def validate(resource_restrictions:) + restrictions_found = resource_restrictions & @required_exclusive + raise Errors::Authentication::Constraints::NewError unless restrictions_found.length == 1 + end + end + end +end +``` + +### User Interface +[//]: # "Describe user interface (including command structure, inputs/outputs, etc where relevant)" + +Users will interact with this new feature when configuring host identities in +policy. All other factors in Authenticator setup are unchanged. + +```yaml +- !host + id: test-app + annotations: + authn-k8s/namespace-label: "key1=value1" +``` + +Rancher creates a unique ID for Projects at creation. This ID needs to inform +the host identity configuration, and can be found either through Rancher's GUI, +API, or CLI. + +```shell-session +# API call to retrieve the ID for a project +PROJECT_ID="$(curl -sk -H "Authorization: Bearer ${RANCHER_TOKEN}" \ + https://rancher.myorg.com/v3/projects?name=${PROJECT_NAME} \ + | jq '.data[0].id' \ + | tr -d '"' \ + | cut -d ":" -f2)" +``` + +```shell-session +# CLI call to retrieve the ID for a project +rancher login --token ${RANCHER_TOKEN} https://rancher.myorg.com/v3 +PROJECT_ID="$(rancher project ls \ + | grep ${PROJECT_NAME} \ + | awk '{print $1}' \ + | cut -d ":" -f2)" +``` + +This value then informs host configuration: +```yaml +- !host + id: test-app + annotations: + authn-k8s/namespace-label: "field.cattle.io/projectId=${PROJECT_ID}" +``` + +## Design +[//]: # "Add any diagrams, charts and explanations about the design aspect of the solution. Elaborate also about the expected user experience for the feature" + +### Class / Component Diagrams +[//]: # "Describe classes that are going to be added /changes and their immediate environment. 
Non-changed classes may be colored differently" + +![Updated AuthnK8s Request Validation Process Diagram](./updated-authnk8s-req-validation-process.png) + +### Sequence Diagrams +[//]: # "Describe main flows in system influenced by this design - using sequence diagram UML" + +![Updated AuthnK8s Request Validation Sequence Diagram](./updated-authnk8s-req-validation-sequence.png) + +## Performance +[//]: # "Describe potential performance issues that might be raised by the system as well as their mitigations" +[//]: # "How does this solution affect the performance of the product?" + +| **Subject** | **Description** | **Issue Mitigation** | +|-------------|-----------------|----------------------| +| **Many Similarly-Labeled Namespaces** | Using Kubernetes' native label selector implementation would mean receiving a list of all similarly-labeled namespaces, and limiting those results further based on a request's origin namespace. For a cluster with many similarly-labeled namespaces, this operation could be costly. | Instead of querying the Kubernetes API for a list of all similarly-labeled namespaces, we can get only the request's origin namespace, and then validate its labels against the configured selector locally. This means Conjur is only ever querying for a single resource instead of a open-ended multitude. | + +## Backwards Compatibility +[//]: # "How will the design of this solution impact backwards compatibility? Address how you are going to handle backwards compatibility, if necessary" + +This solution will not impact backwards compatibility. Configuring a host +identity with a single, hard-coded namespace will still be available with +existing configuration options. + +## Affected Components +[//]: # "List all components that will be affected by your solution" +[//]: # "[Conjur Open Source/Enterprise, clients, integrations, etc.]" +[//]: # "and elaborate on the impacts. 
This list should include all" +[//]: # "downstream components that will need to be updated to consume" +[//]: # "new releases as these changes are implemented" + +The only components affected by this solution are Conjur Open Source, in the +following modules: + +- app/domain/authentication/authn_k8s +- app/domain/authentication/constraints +- app/domain/authentication/resource_restrictions + +## Work in Parallel +[//]: # "How can we work in parallel for this task? How this can be done effectively without hindering the work of others who are working on different areas of the task." +[//]: # "For example, can we introduce minimal automation to run basic sanity tests to protect the work of others?" + +### Development Tasks + +- [ ] Community and Integrations team ramp-up: current Kubernetes Authenticator + behavior, new Authn-K8s and existing project testing strategies, solution + details. +- [ ] Given the name of a namespace, retrieve its labels from the K8s API server. +- [ ] Given a map of a namespace's labels and a desired label selector, validate + that the label map adheres to the selector. +- [ ] Create and test a new `Authentication::Constraint` class that can enforce + logical XOR on two or more resource restrictions. +- [ ] Update Authn-K8s request validation logic to use the new `Constraint` + class to validate a request's origin namespace against a desired label. +- [ ] Test the new Authn-K8s request validation end-to-end, using either a mock + K8s API server or live infrastructure. +- [ ] [Spike]: How should we suggest customers secure their labels? +- [ ] Perform final security review. +- [ ] Assist TW with updating Kubernetes Authenticator documentation. This + should include: + 1. Updates to the Kubernetes/OpenShift integration documentation. This should + include only general language about using labels to group namespaces and + assign identity scope. + 2. Updates to the Rancher integration documentation. 
This can include + Rancher-specific language regarding scoping identities to Projects. +- [ ] Perform UX review by manually following the new documentation. This will + include creating a label-scoped identity, creating a labeled namespace, + and authenticating a workload using labels. + +## Test Plan + +### Test Environments +[//]: # "Including build number, platforms etc. Considering the OS and version of PAS (PVWA, CPM), Conjur, Synchronizer etc." + +End-to-end tests should be run against resources deployed in full-fledged +Kubernetes environments, to best replicate the typical user experience. + +| **Platform** | **Versions** | +|--------------|--------------| +| OpenShift | v4.8 & 9 | +| GKE | >= v1.21 | + +While this solution is designed to easily extend to a Rancher use-case, Rancher +infrastructure is not required. Testing against labeled namespaces in standard +Kubernetes should adequately validate this feature. + +A recent [pull request](https://github.com/cyberark/conjur/pull/2566) in the +Conjur repo includes happy path tests for the Kubernetes Authenticator that use +in-memory mocks of a Kubernetes API server instead of live Kubernetes +infrastructure. This can be used as a basis to test this feature without waiting +for infrastructure setup and long CI builds. 
+ +### Test Cases (Including Performance) + +#### Functional Tests + +[//]: # "Fill in the table below to depict the tests that should run to validate your solution" +[//]: # "You can use this tool to generate a table - https://www.tablesgenerator.com/markdown_tables#" + +| **Title** | **Given** | **When** | **Then** | **Comment** | +|-----------|-----------|----------|----------|-------------| +| **Login Happy Path** | Given the Kubernetes Authenticator `${service_id}` is configured to validate namespaces with label `x=y` | When a certificate injection request is received from a namespace labeled `x=y` | Then authentication succeeds with a 202 status, certificate injection, and [new log **4**](#logs) | | +| **Authentication Happy Path** | Given the Kubernetes Authenticator `${service_id}` is configured to validate namespaces with label `x=y` | When an authentication request is received from a namespace labeled `x=y` | Then authentication succeeds with a 200 status, an access token, and [new log **4**](#logs) | | + +#### Security Tests + +[//]: # "Fill in the table below to depict the tests that should run to validate your solution" +[//]: # "You can use this tool to generate a table - https://www.tablesgenerator.com/markdown_tables#" + +| **Title** | **Given** | **When** | **Then** | **Comment** | +|-----------|-----------|----------|----------|-------------| +| | | | | | +| | | | | | + +#### Error Handling / Recovery / Supportability tests + +[//]: # "Fill in the table below to depict the tests that should run to validate your solution" +[//]: # "You can use this tool to generate a table - https://www.tablesgenerator.com/markdown_tables#" + +| **Title** | **Given** | **When** | **Then** | **Comment** | +|-----------|-----------|----------|----------|-------------| +| **Misconfigured Authenticator** | Given that a policy file defines a Kubernetes Authenticator identity with both `authn-k8s.[namespace\|namespace-label]` annotations | When the identity authenticates 
with Conjur | Authentication should fail with a 401 response and [new log **0**](#logs). | | +| **Misconfigured Identity** | Given that the Kubernetes Authenticator is configured to validate a namespace label, and its identity does not have permission to `get` namespaces in a cluster | When an authentication request is received | Then the request fails with a 404 response and a KubeClient log indicating the namespace was not found | | +| **Misconfigured Namespace** | Given that a Kubernetes Authenticator is configured to authenticate requests from namespaces with the label `x=y` | When a requesting namespace does not have the label `x=y` | Then the request fails with a 401 response and [new log **1**](#logs) | | +| **Misconfigured Label** | Given that a policy file defines a Kubernetes Authenticator identity with the `authn-k8s/namespace-label` annotation, but its value does not adhere to the format `=` | When the identity authenticates with Conjur | Authentication should fail with a 403 response and [new log **2**](#logs) | | + +#### Performance Tests + +[//]: # "Fill in the table below to depict the tests that should run to validate your solution" +[//]: # "You can use this tool to generate a table - https://www.tablesgenerator.com/markdown_tables#" + +| **Scenario** | **Spec** | **Environment(s)** | **Comments** | +|--------------|----------|--------------------|--------------| +| | | | | + +## Logs +[//]: # "If the logs are listed in the feature doc, add a link to that section. If not, list them here." 
+[//]: # "You can use this tool to generate a table - https://www.tablesgenerator.com/markdown_tables#" + +| **ID** | **Scenario** | **Log message** | +|--------|--------------|-----------------| +| 0 | An authenticating host is configured with either both or none of `authn-k8s/namespace` or `authn-k8s/namespace-label` | Role must have exactly one of the following required constraints: {0} | +| 1 | An authenticating host is configured with `authn-k8s/namespace-label`, but the authenticating namespace does not conform | Kubernetes namespace {0} does not match label-selector {1} | +| 2 | An authenticating host is configured with `authn-k8s/namespace-label`, but its format does not match `"="` | Invalid namespace label selector {0}: must adhere to format "\=\" | +| 3 | Kubernetes Authenticator begins validating `authn-k8s/namespace-label` restriction | Validating resource restriction on request: 'namespace-label' | +| 4 | Kubernetes Authenticator successfully validates `authn-k8s/namespace-label` restriction | Validated K8s resource. Type:'namespace-label', Selector:'{0}', Namespace:'{1}' | + +## Documentation +[//]: # "Add notes on what should be documented in this solution. Elaborate on where this should be documented, including GitHub READMEs and/or official documentation." 
+ +The new configuration option should be included in the official documentation +describing application identity and permission granularity for the Kubernetes +Authenticator: + +- [ ] Enterprise documentation, [here](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Integrations/k8s-ocp/k8s-appid-in-k8s.htm?tocpath=Integrations%7COpenShift%252FKubernetes%7C_____2#KubernetesresourcesobjectsinConjur) +- [ ] Open Source documentation, [here](https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-app-identity.htm?tocpath=Integrations%7COpenShift%252FKubernetes%7CSet%20up%20applications%7C_____5#DefineKubernetesresourcesobjectsasConjuridentities) + +The new Rancher integration documentation should include this effort, as it +enables scoping authentication to a Rancher Project. This documentation is not +live currently. + +## Security +[//]: # "Are there any security issues with your solution? Even if you mentioned them somewhere in the doc it may be convenient for the security architect review to have them centralized here" + +| **Security Issue** | **Description** | **Resolution** | +|--------------------|-----------------|----------------| +| **Added Permissions** | The Authenticator identity needs a new permission to get any namespace in a cluster. | This is necessary, and an improvement over requiring permission to list all namespaces in a cluster. List permission means the identity can discover unknown resources, but get permission requires knowledge of existing resources. | +| **Over-scoping** | If this feature leverages the full scope of Kubernetes' native label selector implementation, set-based selectors would allow an identity to scope to any number of namespace groups. | This feature should only accept a single, positive, equality-based label selector as a resource restriction. This means an identity can only scope to a single group of similarly-labeled namespaces. 
| + +## Open Questions +[//]: # "Add any question that is still open. It makes it easier for the reader to have the open questions accumulated here instead of them being acattered along the doc" + +1. Authentication Container Name + + The handshake between the Kubernetes Authenticator and a given workload is + configuration-based, and not credential-based. Essentially, if a workload is + deployed and configured in accordance with a host identity's resource + restrictions, we can trust that it was deployed knowingly and is legitimate. + + That said, once a label-based namespace restriction is implemented, we should + pay attention to how this affects the other types of resource restrictions. + For example, consider the following host: + + ```yaml + - !host + id: test-app + annotations: + authn-k8s/namespace-label: "conjur.org/project=devNamespaces" + authn-k8s/authentication-container-name: "authenticator" + authn-k8s/service-account: "test-app-sa" + ``` + + The `test-app` host will be able to authenticate on behalf of workloads in + any namespace with the right label - however, each workload must host a + container named `authenticator`, and belong to a service account named + `test-app-sa`. Enforcing configuration across similarly-labeled namespaces is + a good way to justify this scope of identity privilege, but it also means + that workloads across namespace groups either: + + - must use the same type of authentication sidecar (`authenticator`, + `secrets-provider-for-k8s`) + - must use a standard, and possibly misrepresentative, container name for all + authentication sidecars + + It might be useful for each workload's authentication container name to be + configured as annotations on a Pod, so that authentication container can be + defined on a workload-basis instead of a namespace-group-basis. + + We might be starting to shard configuration, though. 
If this feature is + extended to include a per-Pod authentication container name, a given host + will be configured across policy annotations, namespace labels, and pod + labels. + + This restriction may not be a barrier to acceptance, and shouldn't obstruct a + complete solution. + +2. Rancher uses + [field management](https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) + to maintain labels describing Project memberships server-side. + + For our users that want to use labeled namespace groups in vanilla + Kubernetes, should we suggest field management to secure labels? Should we + provide a suggested implementation? + + Is this something that can be achieved by simply restricting `create`, + `update` and `patch` permissions on namespace resources? + +## Definition of Done + +- Solution designed is approved +- Test plan is reviewed +- Acceptance criteria have been met +- Tests are implemented according to test plan +- The behaviour is documented in Conjur Open Source and Enterprise +- All relevant components are released + +## Solution Review +[//]: # "Relevant personas can indicate their design approval by approving the pull request" + +| **Persona** | **Name** | +|--------------------|----------| +| Team leader | | +| Product owner | | +| System architect | | +| Security architect | | +| QA architect | | 
diff --git a/design/authenticators/authn_k8s/updated-authnk8s-req-validation-process.png b/design/authenticators/authn_k8s/updated-authnk8s-req-validation-process.png new file mode 100644 index 0000000000000000000000000000000000000000..300a3c98572a81a65c9fc3c0561a1a397a270239 GIT binary patch literal 36492
diff --git a/design/authenticators/authn_k8s/updated-authnk8s-req-validation-sequence.png b/design/authenticators/authn_k8s/updated-authnk8s-req-validation-sequence.png new file mode 100644 index 0000000000000000000000000000000000000000..ecb848be05e8fab85a3b0be19164abf5098822c0 GIT binary patch literal 42585
zmnWM_bun~Q`_A<51PP6hB*TD`*9>XTLSmoSmyu{eqk}TOTVf`C>scjU>1h&9V{_jq zlEC;s4^O*4-YyHj>5;U=_~zea9yIt3)emdYinl(&nBr;X*~Yn-}cS8bWnnAv8^ z@D>jPa&*JX)}0FRZ!bkW?nr&V?sS8E9N-b7AMMns(>=E(+9-QapMESN>os;OY&9uiCEHn)D%-@|$=)<@Q0(QN(B;Oi z!1If#J1gP^6m4>5#|o6{lx-?setOrRTc?NY>nmtH?WFej{?DZZ>tVrwVrzHC;y)@~zs`3Vnvw<||GD<4gopZ50DbuT0mg9=p>Exh@f@gF z@wd3DV(%RJqWt$AubHEsgN>+avlKZh{g9pH$ofH*8_tT>IO=Mr18F3w3__7`0pI{*Lv z;$g`Rp1$Y+F@R{y3+g!c$jMLW=sbs@3&Dl$+^-JMQx{BYF^l6foN|6(@_fAAmu#8T54=Gyz~W9p zn_lf_an!rgO)A70pit?+I$zkjoMy54{RcYiHcmNOytwPoa;vb8q~~Y1)sKQ%Iwq*D zUM}d^UH&u}7z|_h4;wh@?c_Ue&j$s-F0I>3ed_;o`||JE^Z&TA`Tt9&FN`*y^h1A% zL$EAF&cqc#Vz=7niSe<Cn>m%GT?3TKoIU_dHhUiVLqOI7SWlxtcO0jKHzZxdCb(LB%1@8i?A#bDHLUYcU>IL}|2|07 z%OI0S>zWOO+U|}=8b$S$pz=pJq=f%Hk7C8UMdy3BQ~{=7JpQ>%|jL{4qGZA}%xaiM{EJKtj}Nt8ANg*-A)}?oM-aT0Ov) z-J>e_VDC7A^Wk3AD}+LuxMezUxAMze)*e$+9He@dbPz@Wo9jJ z#?giK>g%u3nowxbdIe~eIDS47#D)7%~1)68IYeF^i3d33r%!uL2 zZt62Vrci#~x0?a?4tpQ-=*jbkhyeB1s%3T943T0Vp{&7G#tIhC3nlfB0HyqYVhcC! z*#VNg<+>+gbHDqmKOM4FQ^{M`9eG1xp}(^hRHb!yQ?9nV^h@S$(P!-(kC}I6*CSVQ zy_G~FrriAWv|e);G^4(Vt zRPW+kncoq4-Wl3u*!8KYi-Nv64hBjmn?k+7`Svie&1bpudALwx0jnT4IS*!%!Z_8y zVuUoqt8-bO$XQtei?qMNL&mNdnL9p(5}pFqz!YW@qux2MQ-mz7MoOqAp2uIi8l~G9 z#66;V)1?1|a)a$2H^?9TQ-x>!X&Nug?G{?CQ!|x~?_R<0?#*{^el}?SWya1tW#3fE zn{k^aXP~eahniZv?|eZw%&YtrkmB(nT*7oT3}%qR=*XLJr}Ozr<^Px z7zNF(c!n#ps*O^8j|4UnGLXOZdESLtJe8}}_@O$cOS91=fA6h_v2OpKP7EuIlOe>g zV1@I8p7?0qJ&Nsr{6OK{>?g`+x;R6(Xn8s*e&&Z}p6pv}3Ho`ti#CgY*hGLg7HZkL zO0IoyxdAADC^n-%|0nkuea7D)-SL&zTGN$@Q$3rdUTKFrZi*O>R?P$-UV>I#HLlUZ zkow*Uce^M3+wexFvBw_d4L`+Gl-c8L9}lMfczXof=)b9_ecWZU-f%a$^u5Q|GVve9 zJiTn`Rqd_UdQAk!tX8LGY%C;y*!Cw}k&ZAJ#)Q8ayJTQmAC#G-eKCf4hnr=l*v>{+ zmMw*cm}sEazb9@0%D?+FHRA9u6$9UG?EIMIKVlTp==rPfX}aCWnU{T)xo2LpL%?^I zV#$nQCa=tHqVaVJo7AzoyG7Dl8$LN{Hh%WB^nPu>$&lHp-J6(&=T6sahd_JV|__!{u2j7}C3s04(*@9<*2oXaCk6?_8ZFF{u<%%Ee%{UrNYle|B zobFk|tc1cTV{g~NMAyJL$8jqyr;4K{T_N>&FbB-c%5mal;M`ARf9@sG;$~|Aw`J@X z?q*82>BGFI)06x&l`q}AU3u$#gvxnO`wl%U(h9gp_p+~C@Gr%_teZXJCnkG)JDxII3mxSXUNpVqv;EhR#dg_}CA_0UJpA1$ 
zY=$;|kgv4yiZdJnYQYIF7qodCd;pX)h}TDVcB?AGQ$rQ)hHWS1(hPY1ut_Oti#qA$ zthGA+rPp0w=VJb-4IUS#mORGK*pC|2Z+}ow>MiHgio)tU{ie1M8H}KpxvB&q!NryVfN$eq<9+s{5lb;y&3JMQh!t zxKXo5_E^YK#bZ*XOI^3VKTq6q&fj|d33WFaDn+ziH#ix>yEkWzF+J(*!CH=Mg|QBY zq6|$R_$VDbI`*qXG{D@7Ojvka^DJ53h8GcQz|Cr<-WD?p&eb&A&Hb3r9Se zz*;Fo#@W<5v;$co-}AS1gZHRN-tv2nK>nEpQ*PGx728m)&GtTTm(-dAcD z+*+r~m?FmhI{fH<^rMHP`WA!1+Od`vng|CN)@N8#@h0;JApVeTG5ys zCj@-=n)|?SFKchF#uL+e}KJfks7n*F{9dI-6B>@0T*T1s(#A=z8Mm}gcy#Sql^oQP5@nbAX z;UPechcoJ%4F3S7LkoP472x~uo6(*0=~N7-r>OI%r1)VXh3rdIEc@d_{@W_O@f9u_j@yS3}|)5cu$ z1AsVwAqg)mVCfZHec7%$u1@SK&A&kkFN&8u)TfKxOqz>y~{h9~c9@+1$l)WV%H z@g$G_I5@6Yt>vYyrJc44Z`7bJ%Sm-2hx$|>!h45qY+jN`D#KQeb zB`dXEc#Z#~f!UpLM@4+Os`1Y5AKq0Cgag0c7AHaLe2;Ri!fA0I`-glfc&Kcu; zg22vNYyZ~TtIXe=a~~+GXJ-xm4G=wOx#H8{j+$MWk#_~VKIDm61_~nf`y0lL6$;4$guS?V{fYJR+=Wd%Tp=C5yAZ=PTR8wc;l-(pAFJ zZYKo92eVikz9h?f?Cm8Jmm$0abf>><2tNEG6Q%?c5l@Kw2We`73#opnV4A^nMb>xb zAjA~q^j21R#ZjRVG^^wr0e+14>On*NhV2J6YCmT$$22(%?NmV_P6cMMf?`;R@ZHNk z^u|;g+MLrs05|Xb#Ww#k{Qi$j%>Vt79(OQZq?~SUJF@q@ed8&A4%kc<)Nra;=~3jc zQh8lDm40#Z)9h;Dw^P~@?gvD?cq-%1)gSYw%JVwp2uclgBB=kp6o4cK-3fj$2 zmm{JIT4wW@wr`g)FYa_>5DG^kwpe%fMr+*abr(cu-ZU>hFJ<)7GZ-1$@36oN4nf3L zfw8BZWrS`bHdvHx^XXNW-t^WzG^9(SfRJ!>c&52lA~Q$B9pNM1TwBeUd9MU zH%raRNV&NoHSQ2Dwk5PDh9fFHQ`J)R=cqdDAk##+s;&aC`EH(W$o341q2hwJvFe;W zu3et8>GPnc$Syr4gNBpI50Th4Fx@A2(HCakAHY&RQq-EUwm$1Aw`Vq2Yy(~8W!kRv zfx^@CxzTYAww=!_MYGk;SjT78wSPDEdew9|Gc@2j`!*J-K`Gc}N(gFDnUu40djTr` z{j&c@=60-yr&5?PAKk?Iz=l_=1S#y1QbF*TZ5U;=Wv6AB{!wf2SgL2Es+LipWOW?+ z0d5ULRG)l`tkZS@b7+%MdU<}65YNjHR`C{H&Fx1YpMOnaYZVfI*=t<`^-V*U#o9^_ z&z~X<(At-cZMd;AM-4htetl6bRRvWt>N!=aRPL7=5yx(}70vF9CF`ZWnw7+m(RcmGNx3LXW;r zUu0Y@r%z-TXd`#4`$3Es?3{xi5Mzt<4T5cn^+ghBT*;aLmJFaFtCg6w7Gg(f#KkHW zbR*<;R$392N-dX_o@a_JpqhMB=PHMcWY0&%I#r69`!{g)pv|%Eb*KDc1s2+kuv}2s zTxrk2X5v1IepqI1p29_mtnKIYQ*o&kqWzHp|2cbH*2FOkaS{8lRtht__6V(=Uf(7# z=@xfUf2?UTjuB6!IN{3JBArRkneRvR)guC)`m$e56`H%chDfSSLCX(H3!#d?!K;Or zjN-w#y2WSagAopOLiYgz6nDa}6so!*{zBcrd*yERXY9tmkperRfn)Ki0|Uqj8YfLD6M)DR)7 
z*-sW=+8^+@noWYUH7P1@)^qIHc_?D+8FOF1d^|XiOA(Yf?pAmRFYVUYEG*IOwi+?w zxm^RDh8Go5{4UX@NNbzO*M;_ETI#B^e@ittff?TzwKWHw`;)LUzrL$TAy3ZgKW|+5 zxIsNNamkoIkLg!_l3SwR!2la4WYL$xY4pA~RP}CYnl3aGTd@5eQFgZ zvb140)YH=CNefg%UNEB7%$VP)uoae!PUWe^M)FWdn?2@G_-q&p!2ukS@%8 zkw*w57EF?*n>GO>C?g+~mWIn!C(&`(P^}CV`dbMn@;5q0ETJlmM*K-qfowlXWj{Oo zj7$3!fux5c*tPf!f@G{PE^D$Jk`v7@Bk;8Zcs zBzqFmqUcvZUHS7$MO`T#drFnAUMoJ)&k=x;qhz&|8W$Vhq*U$)#gt{ ziVKBydkuW}Q{G)jA}4TVDHMGXXu9y!Bp&)j9I~pXC+#MH=porEXkPDe=gGzse~oy~Y$}lhCP?NMzvDcz-76Ew zF08(CNA*lORL2m@b9?KB3rD61VuUd5Cs_uEq|DN6$=o2jgLr7_FfUuJ-yTa!0f(fC z@tX0kML)&~^@fu_hk+(&FSEa`g1MS=c7{h*s%QRyP7CpC8Q2^3HoSJ#y$jWWv%tcs zY-KHistM6M`k(Z2bJ_Dq=`(c+E%bf?d3x4U z!|zf=y^qv&_%0blV5}ftl}W|JHvzO8_hl+(aikdWg$Lyv1gQr}^CT%2DjKEBx`B)BW$xus!13^J6Mwl2V*z>mJd6 zE|dF13S!1BI0CrD%YUOEX~0=SVE7CzX9C{gbFVRVLJZbRbJzFMSh7Ttaz8}|`<1HW zTN6`PPiLJ^+y1_tC_u`_A%AJLp{*B*TV6Ya#e^AR8vp)v4=8v$4j?aKdi<)xsE#&_+?YJhdXaYYjT7?ykeV1V28iRaL)g|U;`(+%HUX%Pc>+EM)~r(+=`~R zgN|EKgq)Evtv=}b-67UB*kjg7=)MkgbQ#N|?8d-tBmNF6>Ds3`BLWBSI=XqKJVm3$sbU(CDzx;^ z{kNeqEaI)|iY*fJWAs$sY9FerYi}JTm#-K~lrJTiMy;tMLL_mqeUi;wR$<6|hUDDr9fH$#v%u6d&YlbKN0Ge!=n1ncpW z%1xmx>%Np-rTl?qdZ%1(7^i(xL0_>?*kci6-bn#U=wjg|H zt?Btq9$ktSJ)4>lr@Z-Squ8{sj09{oY{)>Tt2x~~9NgEwbdybr{^QlByLPE7R&~>I z0`ImdSIvvDixJ2~LyTTneoZv3YRF!|mF#>a3AR>u#ALVWW$HUecJcjmZUqGsLAv(1 zR3z}ziXm)J+iq!*|6UO%&S2jJr7LdNcwJbwu;Oyhg#RB^pE-b zzC-#*jSDR=Ueval(V?u%c0Gbd-?Edk3W@2Q_Ue_6rUHw(ODs9gYyj+tacV;lcH{|= zYU#BP`J+Z&=gpL=4VrXOTYyy}SrV}P7|PN{LCM8l`NB6TzrHX@UuQMBWHuuf01GUx zDT--+EJ!**_M(ASWm}^u>x-5!{R&{SV4{CO3K3FUk*?u_gf+z8Br2b6c^3(pvR$R+iY0~68PN9>9-FT(p9gIvG#5G4$VZQQe`QiRbq!|HF@r_ z&FaZb$XKzs0d9nqb2Tc%muJc$my#^Q3Bx!P0Eb!vN zF?(chomQrc1CaLXFItZ9%nB)h53OLzz^girM3$d$i;BoBUy*N7%?CD5h)MFRkLwf- z7ZV6B=)*G$?FlF@WJNyoz187rw(kiU&n~8%dlYEw(L_`WjGNS6;a(ugAWn1306B3! zv1Hbu2Sm6(1@#*%pZ2{N4k~`of^*1Hy(ev8i#-U3XXYSJ>P4zj9`p+!N$m8VfF3n! 
z`1P=BxUbl(O?5~i6#<@0>B?5Thu&|Z+Na?yKTm8!;jo?1y>MYJqfdf>d>ezKH)6DX z<0VD)eo_^gMB-Fx?@a16jM|fcKEe)%Hs#pd zK*`15a51wUQK9A*7Q>=H$Jz*3*#Nc=00h)6oZCuNo+5!J`_7vB?4G{}D5PuuI@#0H1Kq4+uL!Eom1r z5HdrTDV+mJVb|#vkBhT?eOlj@@_N)-^9}B?F8nwEc;t77YSW26w6<~+S`&Gck~Pe2 z`j6PvQA=Dg5~8l%$V)^M?~TJ;H$V0q;ZY@I9Qf(1tZTBS-ehlM1DAC1 zL2ED1q)PhN)%Tt`981wS*#M%v?E`bu#+VTP?t+-p*uvU?tBFjXqC_;Taq`cPkf{Rh zD?0~{2gh&;>kg&M!+R+o=dO4-l@cjTeT!ASY|O{!$>1v)#DSdv$xQL zw1yMCwgn>Vxp$x-sec)x??IrnoxY7eJn3g{*2wssaXQUS9DT~!0ox@~??iyxn7)mX zYGbN3vnywqUgmka@>uR_LUj;C>VV%)UVtH&XN^|TJ;GC?1CQuyA2p3uukjZ&nn>Vx zp}3WxGFFJ=fCea3&Utk)yp73H7E;kOes_G}a1U1rP8@m&6!lDBN}Ib&+A&0T;-4=x z=Vrv&CO-E=DR>=E&A~}Brsyi(TnP?$zXYcQI2c2DeZuDA5_1BN{t~Q_C(-(7Ynz8> zQ=C$CE+=)6#yIj#s|fwCFcI1AqK;cn@C>DIGa0{sh6UQW_>ARMUJq85R%I%WS~P8T zDW9X9dV4Jjc#K*vp_4$Zx8sVzp3+XwqifTxuUVd@sRP$nTPPXG>3zAID6^8L@2j zca-^1&Sp#oC&b7xZ(X?73TbmB2aph4GZA;rt@|$oFB0Q9bX*YZXirCRsNf=dekdGX zTUh(%EOf8m?=Gv#xWV5ZU{l{NJ??j^0E+74vjThf} zjjvQhx&Jg@#E7JQ?4-g+AgZ4Kymsj&xa}UE=Go=x++4&m?emv4Wt9`Ve=bb&pMTY8 z(ytw?o_ea{ql?Vly88hC%l`%J8n1)LBcINoKlNj`*7RrEP0PIW{Zq(TM|4Mbg+Nvj zPG=txPIF_EH5Ap8#NjwFabD)eoHh zD3nXOlx*^soJmNDjV;#B$ctf>phvW8%2;7GrNg!ca&mafG~Any?JfeB4d?` z!kguw!_}=iGW6#kbR1-HO<>ZEE z*0zBKX4NF>k5dM09}|h&;#}5xjZo(Ddeu zp7Uee0Zyp^v%Ads7@VA=cv& zjL060NzGkZTYM|SwOXCy_R3+y;p6X*h@UU!tU>F5E>JeYdb1A8;K&bVO&tgr`+?5c z)}nA9FJ9lw?JpRZ3+U5v%-M+3cA~U0=WP6^VHV}`TyB#G&uVu;i@^ZaIlCll^C`P94FLHom@2b(FfKz95y0S0GZ6scs~D5Nlzj!raB^Zv z#v~vIbCjgE_GFNuym!Lx-P$je4mMEyJB~7Unr4zQ{2XmRyESF!>z2VqF{14##qw(M*o( zJ@3b|Md<7tzQ?bMlXXJx&^|=xq%6)pZ-G z`^^BtY8#ZYoy+ri*Jl)bNfpl7o-~~(Rh%rOAJ^Os)h>uSZ0f~hKb|9d(xzIn5+LuQ zpo8Qy@peykHjdI?2E7U!k zAiiYi#MC7j{Q>Hx&4CO}sKmCnqd}to_D}{2{`~Po{u;UhlIi8Gdh4PMF{@4Vxs;(4 zHHz&Tvb30pyjm$*YD`^Y@$SlpXwSZ1L9p8yy_XP8BS1RFmf3Nlnd*$sR$7EEq& z>Mg}T`f&3uN)(6K2kT`-fJ_?(M1KR-gX@yHIX`Q@Zw7Sp#+qwBjp8zUC1>3Du zJF1UB5%t$@aQBYd{79G@&BWF?bylD5XEPmDJ4Mo>L$kz(oV9tXBXsyy!)JZE@f)lE zdrLZgKf-D0Kz>`6!f0n9T50WPKu<0Iy?n>U!@}}g0@;MtUeo!_b0n#F38(RMka}?; 
zydK5Z5dDlwb-hsi4JXx7q*7YBgH$vV@Au$aB|^Cy_#4}r&H$ucNan>1R|I(fE~~4k z&mbm58M%bPs^?WNE*t2xh;>*}*BOF8}#KS(@oOr{4QkJpTNX(3% zW64^Uim)k75khm&OogE7aVtF(75z+gi*=;2!&!Sg^*MC5C~>z(m4Y{^7smm>QT$^O zpCg>a&IZj&koR=5U5%q(Yn8u&+lonUwV!#5PQ9sz5A$;@qsqO?xANXxc`#t-wadS-BXOPep% zirb*q@zqK^V=d765*z)Kq9(V4s`n96ek-O_m!Air)j?WW95 zpNGlcTN#{&t5!8Nrj`nm8wj0pZ5crZq@})kE1wMaL`&FgW$C=23?)_+kg(gCJ==10 zhUQv8wN(Kw?YsXfAgsVbF>1g&BWtQfRNmHLgf~E6p*!HKRlAgSk)T7Pma(PybKKZT zV>jaadGJS05caQ80;RLlWo*J3 zVSW=Oj*ND4JX_6Mdq@_o@AhuB;V0$CUx!!P?cws8TeqAam;2|r<7X}_aN7*-f%Sx%N*^K*0B?W%OEg{!BuH*tduBSw@j~xC=Uh@z*S;g1Z z&08Q|ywMF#4;nC6=5qob*4KQOjV}ZSxeC0-+Q%;37r!{uU;0U2d#0$#n|YF#%#BxV zaHqgCxU<_dYuPZ1hhB@Wd+IIpyK@q(=bf%FoZnYE?&~v$4L_V7f+1b8?Q&yGlD*}t zzm97RM>{t^gj|Il5NcI`Dl#4u()k%FgA%Mz74-70r^B#!5TXi7Y}`KIT<_b+ z*6HvTyEuy@s#Zbi%D)c^(s7G3SGFV2EfNl+4{-b-hqo!hi&MT2NLw$EyKx#%790AW z2zjl?fWGKWH{a2#hC0;c$$OtbvT28k9x3@Af(Gw{lvH;k^s}PpnV9|-0J}u^Mj1CA zBHMFToqYwVcaAoI}i6paar&e1yg(mCz) zJB}T89U_0(GY~9iBn&-1(!*?C+OmZPN{|Z;pdhhTtp;7|4kT6NF(=}4gG?^oO3CY1 zWar*%0Z#n*)9DO~(PHWP3u=m-sdyrL?9<#b^^T?c#tHEkZ5|3u8zg;gPPyca8i+2A zWTEcgo5$fu{M4E(N%~+bC#+W?6^)#YOoQ1bGXbcfl#Q#}yJ2CA_&;}N4LXaq(8-~j z9;}9nWB9F>(sAS*KVNSiB+ytY(PuBG2enzwM}>1p6mpJ&V8%q8dRpdD`d66rBqY6a z^_eXX($)WjV#=hyAp7XdHwn-B!KETkf*%9@t!_3ns!8C^H?eo?HgK7tk}O|&*kbn% zdz#nD2MhuG6;LW|>1clUI`j13FSg-{NG((a{@O(JdtZIG3dTB5*+HJRyS8Uu@=2{Y zs*vco)=B)63_tEFM7G?$^0byYd(_{rG|z|V z=G-EjI51eSz(}J&ZRY>>2hNYuNbEhLYEl|EuxVpY^)*+-aRg}G5#h_C?bTk388;qW zEAw~EEytTiPl`9Z!4co?OxtIo+5Qr`>xU4@f3b?$Rgb~HByfbQDxT2&9wFR>_{;Tv z4f+!k7-%B*o^DPLPY-wej0lAIFLz*SSU*|g2iI$m6PoOd=YLI+igV?&!v2!_y#0>6a4&W5%Je8i;D!dFHsc0JF(~9&iJ{(Ab^!-m*vFNi`+k`OAx7 zCOs#~@jo`X)?m#B%@OhR?P<3!mV&M0(MrXY5>aczbW2@xPPsWk)O*oq8qC&c)FM^V zKRoR{QJqbRsFw@BQI_fH%47nQSJIh+2B)*PK|+$TeZr4|M!xrqfuZ6l4Mp9W-H4*@ zkf=oeRk62HNR20ug8mz>whr)*&pZwkcyO*!`BBQI2l8bCX?G>*B61S!)lWwu{NHrF z<~i<6!xOZen&aV0xf0{c5+oX{i0g^51nKETJKrA)`317gn0P40AOSr=hCSoteQD7G 
zYHWl0EIRuq#qIF)PZ(Mc`QS!)jzmwA?`CYpXejM>&VJ+?{C;x3s64l*}DbguTnYa?^b{S)>1A8vYmuAKdkc8EY4rp@}&)^$kwkADQ3S zS1uy)HWU%8<)Yp3PBJkn*Y|D1aB2*UH%Uo7rQ2_*yu4d5##1Rowexk_K&evExAkYZ zr$`YYTJn0*Krt(8kVLH4k<%%&xTyPNIBn#DcA~3Ijy*%$)C1<|ee9ElLetMSD>Tu6 zdnOGEtJ~MrPfgRTG(6sIDDgGK?gBSeLEOP3LL#eijlHJkeoRcsNAU5^!0WJpzUF&T(J}~Io zF1hQr|0DegK+Bl4x~=`)F14c+F*~vM|OhS1{QaD(yBb;Jo{Qv zxCvGX%dp*!dhj(VTVHYmgB>gLuW0Mc43OssbOEteM?EQ}XT z--IssR?jII;z1w+|K>}-J=W!SHrZ~nb#UEu)bDgoe?m>cfDV-bg>fAw5r>it*5&vI zlgE5(>JC5_h>Z@qd=G2#aUUNGw> z;Dv^3K_riFayE-yT4Nb32tf_Ol4LS1%V_jzYh$;;RxTS^MWs`%V4T(BgyW(Eq^Y65 zOkFWJ^`ptkiZ#}= zX7o?|G zElr6%L`JD0h?7kX!gr&^UMVTiUi(sxQ^S?I&kR9Cq%vC&`%>kMDPwn@ul0qW$xBXY zR*p+aj#8!9R$9$aLY0qw?O?9skv$Q*!!1CqzFJ%JZ#3sRKVxdRK5q;J5N)`u0h)!V&QiTv4t057J^HZS@47+=f!N3g*A& zH@W|N=5>44eqbu!CQUjMC-DrmD$g{?1i+K(X!!wg#{&EKzVp}hrA}L?W~g8lR5ceV zX_J;efpQ-~9SrHE`uNVHN{eBB>Iw^`4XnsRNegVdNTPvQHUM$%Rql^M(z~jELM{=x znbG7RMoqZeQ&&oinmXzcZbNCecqZeRkQ&8G&4QA`2vuWlj5PJm2<73G_0gv72&!NN zHIU~r2Sa=o<{R^X3)>nz@b~R`R9a;Ct6A}@qGzUaRiyGQcs5G*O_F|4;%vqJ-0GS4 z;A0hQ4aTvU*E*sjMggCiV8hVcr_+|hc}rWKz6B2V!dBIs7Pw0ZREBsZ7E3qEL^=KZ zzcb&C#JZBl7+rYqgD0PYHk0R;5}#!cg8aJT?wsgl3_lOQ-lIRDYWc3GNi=kMgrxVq z@LO26Um3&gk0xZFYkR2=Vh@k_AT8fO5S0)^q^v@nM(Y`+a56 zis&m=r~S?MN9|I4(2ZcNhI8EM+IroUhuN5}y7`b<<)4Z4ToMt~^8}EQ!>Q`F-3+&X z*~dDfb;mL$FsSrfL7gnjXkq%t{h7>?#Wod6Kg@^Z1A3jb`x=rI)$9S37-NjQvFh~6 zs+-w+v*v{RNNRCh!gjnIz-O-n=$2@Uw#Zn!Ge{{4|TFk>TAkj&q`^4v%OgTc(lBOnV!07}Yn zaZpAkQz??=rB5HmKVDJePX_euUgM3jZ>8@76iYWU^9;e`%64{4Pi|B!akPI<Vz;=gUa(?c%PixYa)3IXdpZ!+d1Ln1Xl48-g%y9PZ4EQ0-DhGux?;#K-S2_@ zRR5xjhL&XkHWh*E?%B~U8rTu*!-?#HKIRj zgJ;tR_XmgyP==+>^H(GT?8S4>M;_j(^O1=w@Z}2fBpcie{gY)LmoNGf0x@zp2Bgw& zo{)r9pHLtK*FJPnnmCgb@?{>Wr{%U0RP?y^dc;Ky=Frjw=HHHM8=l@OL*^Qe&ty-5 z6?$f2&`h6z=fqXAiG){%yky|F@GU`zQ3im?HPW3gN~fV(QwTLwiPd?MLEy+tGR;04 z#4t%q$UcAJt?D2TS7wjQL_OnB(mqJfcF;*E_SV7baqIS~7>94K@i>e%oL$rp{*EL7 zv(z#Pa;9h_Cl7gPJN49^u+^r1f-@4Izzl8lPHpr@QZzZx#!LG_ZKcYyzJ7Gw+bGKD zwgAE_H(yt;m0`z_#5JJdN-kRB?%m3U4bIsaD!0c_uHkn6CTQc?)+b)F{>sx+lHzwg 
zW6u{j4v}$oWsLIxJzwq+bbx!~S*JO+ehE z46@C`ot=(Zi60FgPy6roD;+k_Vl^euS4M{-9ySjAwlkjvOodd6bV?s2HJ=VFBBpPjjo>tWUii_;o=$N>!cw~m z7x!vW?8Z}%IQfu+XN-39x<&r8t>5xgIk~QtA%-eJ6 z=YLUQa2LvJcR2H$#J&HplnJOaq?X!X0RScA<`Y zn!5+-rycj>;mfCI%3_2-q4yKoYMfQ1&I>?iBG z!o{;M4IBNGbonnqHT_|oiCN& zcf0d(&dg(RS^a1o)8*ye3%A$}sx#6N-tE*wQxi7cx~V56GI;zCdiqW0;C$pc(DP!6 zHNriKQh6Io?VGYo*#)+SM;j(OKe2*sR=>>K_}V>HRZ9Ued2`dZaY9fWCpo@KC~>G(=_zb1lTQ_t5%MpyD&p0O3^w@_0XV~S2@TEci+?sH&xj3b z;uP-Kx-fdcoWC_c%Ad}AGG*B9nx;3s^Sa`x$(dtkc{g>F`v(2A=&V_}9W@TH#P_w+ z_bV#Tp=?XPjBi&7?fpAmsETg+aVzIcrulLSZKF?RxSW=oCo|{P?ixvo-!c=oyrpS& zB`Iu7AUq^NrSD4V-&9Ar&gD{_62d z4&6!N`j1At!EbisYa~D0N5XeAEEy;7K#iRnB6ZjiFth8>L|f8}c-64(&r|iwNQF*< z8{dg!?Q7WW&cRZT;wZ3^+U|~^88;qZ5-W9{r~Acy9bewY|FwtDL|AN`ER+x$H_Qc^bM|h&+ z7dOD7_+()kPSQ5o7^Ia~oTl(MjWC_j*Kx@R z3&2sOc2*Z|;^9slI6s^5=O+%>cfNA2M$Dvu6EKqaieBKXrS?j5LXfFx8@D(0@bf#) z_o?I84g>tTx>sag`cg;_yMv*%vL|_!P9lU!$juti+e1 z1bB$5Q?KZkCzOT^-1Zb-K90@w``4Mg!GH0Yl)o)}_#Z}3hDCM%W%Pv1CA;%~nb3p_ z)PIw#`7boD;X5i2QuqE`7g_n8V;*W?^%k42t1;btux&b}8}R$m>9@z|HNk%0)P!D- z-sLmA*tbt_+MeNm?M);9e|ZONboPK{jo0;{w?y{7<$5&5sDX1m4xoLH2qrAxv$@`w z?6j>D$r)_j6dvs`4n-DUt<1HM^9Kr=HV%9F^?fMAEf=@IbX@ zA8*i^4O+c8_`F{-uo>Eivk1mH)Y5Uijfz#)Cf(dP*$s~@Od3J$Kx)TN4O6pCk1rm6 zGb3JOfQ+)7@JyAM9@Ihg&<+?Zzrr!rWVHCANem z)&@48BQ7(fHTw%Nd=!P=%he*Y67zJ}#Fr30pL*^++PL~;iMo-`JWrfD=y&KHeQ^yT z#y14URLDr z=j!I^^a43fOFMj>{)*v@RmsFBEXUF6MNk_~Qe2%bbBgpLF`+O$ zIP|Yz>NtGMDM~XfZt#i{Qk|TkPren6xU6yihQ?%)R?075%~(r{iT_k+y$;gxYn#93 zK38FnyL)NQepY|b($eY&61V#w1-z_{n#u0fYfJ7b3R+$so3oy99Q%>EtF@Wt(8MC8 z`A3poeeG1>l*Na{>`q-iX^J_g=mT86UnqAHBD*O2Tf{&rDiMf@&9VK8*y@v4yi1|^ zS5v+PZAr*oRqy77_l0wt;A{_MERH)fa_8S}WBzgwwBeEW8PWU&cP4x(#wII(z6*@r z)lc@}3={z2`CUktI?x?ZCr$y33)FZJOWkK7)7t|GItdo9JX6?MDYu8pS6Q_|fAi~{d9`T%X0JKUZhc>;N z%C~Yg{&@6C-#1L+iglDmZ8z>DAL4rQN?2xFB=v4QJ4eUtV*WAbh3J~mw(xKQ((1f0 zuuIRGvI<)DGjWsvP57TtP<2v+f8J1?A10RXi7DkgZx8tUnaZXuW|y=zh6ER=zof_i z**O9?`@OXT{W;qAa}AsbbJN9BHUHJs0(3K_b2y3cGx>YOI_ugxw0e`EIRjrX{uL0b 
znbP^3c>7D7nDU4G|N8+_mMO3{i>CskY#cHQi;HZrw8s*Ncu4aTVqN!!$Hjhc_}k-s%?nhYR9AFPjl0n^RVmY^P0?Sw_a_kFr8S} zGNp3?L(&u8jEI&Nq9w5`Y?US+Lz)-74C62P9Fh+*0sHva#US+nBP-z#GGbmBP@Zbn zyJtKB5VH5zXFaLEKOmpXS4nrsq|g6=;-G7U;5u(htvIjX-S{CWr*H<41;#U_bB(*mY1v_8RHh4(e(W0b>RPr6Va3@nt04`M4! z(`!1##4=RUg+IrL(izFJM1GulsGD?Yj&TL5FNGQV7Gc&6^K{mxm^^?}EX}U`{!-}` zl(Ok-b#NTIT9)o>_ezFM!kj}4Tv#&lBulSe>vfH=x12r+X^Yxsvx|p2o+sx}r<*2u z?pNGp1urX?j6*~-wb!o*P$WpvapA}g7*=+F0aX|72B!*+nWwy}^;51w@xQVOA2TzP z!76nNf3c?B-_gSql0LUPqxGL~kMC@sr3QR)v~trxu9a-Fy2t#4NK#IJJbr(DwEKD_ z)QlqFdCI{dF+vyL8QEtbG51x{JEga%LgxgB`f5@j!<@JC4X8p1egAR3N@W=`)C`L5 z${tnu)K4{#03fPPn3i1yn*Bat+TOZP)b=|-wjl8h;pgp?HJ1Br z7@z20alk$95Qk|h+;L+U`+j0#R1$1Ay|Az1wQ4*?dmb8{>zUYR0@H%GMl(RQ#ci=Y zjm^fM#UR;%p z;NeJp+7?)3{Z^~eBjcGA&`hYxiDO)s)CS^+_6TQd}O9-VCKJFUXsG~ZF}w-=u63ydL4 zhoJBGb~eH@So=`P4oIrvDVl)*66*9{k?)9xt4rrhvu{N7z8IM*Inh{0d=v0D36Yu5tAYXSzBh?BLA+w)Y%u8!LC>AP^ z#((jtAC>I)b9t%Ak7|1gCoHXoXU0HUSbbw!<*9SEPP{%))@Di__69os0o-BAW|=tiC^L?{Q=?0|A<^q6k#@Ep`tSP( zCQ;?SV73S6eJY6uM>6T&&%R0$uY9A+lBZ<)E%}(2YxSJz$~bAEgX|}(Rfz*EU^DY> z)CKFO*2dh89Nxp_UB2Q%Rq=@KcJ)tWpP1*@g+wxKylsJn+n>mn<&hf=gI(pBUT(Z1 zxK6&|G$i&P%KZP->fs1c@A`jwyY8^2wk>}J6~)381Vllu2tgvfDk2CMl^RM22%$@p zNDpABiilE0AOuJNX`u#?5+sy>V1XE_1ce|dHGrTLDFS&X_`Z2_@4T5i-}~lG{y8~i zpS{mMYoEQ=UTgh+PW4WnCxNmp1j3UD0uboUS4VW|7>mxn)0By~kzlFbK^}(uYyLs}=6;6%U6!~*Fs|d2X`qfV4DcFO3dUF}-B!d=v03^o(lF8fOH?W0)of%-m++N1=b z?u_fVvE(+CNCO)sX$SE@VCTJJ_V+133r12B&RD_dcc8n5r82zQVbBr1Ae9olF%cHZ z9;Of5v`ge~^lG&cVl_n>&QoRFW3%DAF^IhMDzm1&ui;EGe`tk^3X7wl^3{7Vw9n3d zM5p4q?%?kZWu%3!w3+zOeELs?gz`85t{Vax@_pU+) zQgN3M%bGv=i35+rjkcpy`)Ne$puxI>Km)xs;mf06YzdaP5qQrqjbAal(NXQREtT;6 zcc(n0eta@+6=d}`ph(cT!ird#ClQ-`jfQ>~SpopW3-D{KD-~A+Y(czZW|Y;w1@9gQ zY_eM$!5Tq+x+ieEDJO1NZ|?2Xqt7Z=MOcjkfbtE;N4Ehm-d!6lsaxLp6PNPeL(D3- zak4j9M(01w9hM0HA7a-10UGIrN6l(&ES)Y5L}i#)t*+MA_?sMUbq92>GN-vJX=^F? 
z<3O8rIWFr-ND7Kl2Y(ynJ~XpimYPB)#b(umL21ym0Z@n3O?4 zd+be!-J*k7*H!w52R`8(Y%%we9}0Yu0|!V!UrYk29a56UwjA)Lwvo28{FWpopi*lZ zZQCO6rHJ(*c++@OuiN1=AViBAj*!@SMQ&o?Y!N$|WDVNEVSaj0PHU=*21?4j??1g}QdOIQ} z+Rar4_f{SN?j}woN#v#0<}Dt^0fNvPO^D}#L(vyE`&x8?Mq2~kmG+KjiVyN+j^OqJ z=N}Mq@Tgy zN()<^gBP%k;r{l; zk1=%A_k!BRt3A3z1Si%+{lB0}7+fx0wDkzg8CKZ_baDE=L2D&5j97u*p^d{ZnNaR1 z!5Jv*q3-FDjKfs60c{_X(o_pKGqIZDI+)ZGo1(DRXp{-LvxE{AV0vy zzSMJOcHEGgnKzQC0f`fhIUg)&%%x;wb#Fx@F@(BDX$2oBz06pwB02I~dR6!CB<_ZI zdKTAxPj*}jk?9v#;tsrAXj~d?iQTg2TQJLbN73TC6>sTdbteA1nNq%DE zcQRVA-FGqs=%>nSaD*7Q>Ake>WzhM#7$IZWeD#}KziSl5q_3NZpYq6!iPHcm2(%`L z>C1>DaF&-x!uuztN+`1BkkL13?%oe`b;UY$0I`qLK>NhaPRwJGcr%M;w1{E@WcfU| zWiCpO*?}4Wp(q#}V1S8WehD=x8c*TF4JW;1Ny+L5uum7|b1EcMV=Cx$_78NL1lmv| zPr=sQ!oN;8Q%5(|Y(gikztgJGzI^E1OGold26`*KGl-wAHIaO0L>V;`+b(z^)JVid z)PIO{D85n1BMn*%=l`W<9hsvG6T>Q6e^u&u<78!0`dhnw;=J!$d=5oeu29AMUG2&@g~Kbwyf znndgirs)Nn^`r6iF{Ls>2MJca$L-kU^`57|^ghZ`4dvx5ZZTS%2K9eEcmo zaPjAk$DYVwy`1ujmewZ7p*=IFxPpIvH2 z-AgHui=xz2%cl8BD5h1c!hC0^YpzhVzk|eUKCc#d&(Eb6-_Wuj#I>6;8pFpmW6o(I6YAj_2$X14h z-^3>_H=aQwLlvE;-?wSSEqL9p@nw&qG!xve`WO!Cwn0iWur3!5L|sdb2pAD8k)`6^0w?^=EofPk@Xm}XblV`xmjEKgM_Y@|%w!2JNt0`GM zD8c&za6-fCPayEt0YEmM@ev27*#}CDw3i<&ODe(H> ztE5;~AD=$gr<#x&QvDE%b=N3xVuMP1&B`9ZNFD(EX7_79WE@_oUsoEHr|KkJVe^#a zRhQfX*-CzA8=&6kKmf1~o(zaj}w9E0;k7DFmSsSn#4JJw*p7g2%gqBs~QQ_jXo9d;> z`N4-ZC~Z~2DaG@`9G^=ZtpaAFeB8P9`jFqBLo)*B3Vm(_EZ5i548&bf^24BM?P^h~ zllhv$w`$9Nm`fElHM&u%<*^c@j&0_5d?9zH0f-_NyHQnffHgRj)P;N;IBO^TLV)ym zK;1>(_DDrZEC%gzqa+cww^OjY-e^7IM|(g9{^*S+dPvPp(i)suv)(Wfq+c@!`c%Id z8Rbg;kQ5a_a%nJA4ZBlsi)RTB=(f~5RMxuJ%&emI_l+FC=Vq!M53(k+Sua^|IO7cu z(aXBfZ8Izh@_Cv4(f#QRX`Rdbl``lqI*%1&shQ=yTpgOtKAt-UFmZ;dOgrUVfK}V_ z^z$$xr}t0xGpLWKJnPNmt<=~-CBL)VJ1z1y0Q4i^@*J{Kq*G1Td@b={J5>dWo6A#9 zzQ?2GPpX`YmP)1ymnJv1%(65k;R8!kw%QD{^pzoP2_MI>V?`MVvYEV;)pi;=v42a? 
zHtC3)ve91fC;!mL4bBJ&D4|3QhLTf`ajUh2goI^_bGrMPoIAChq$z2Um`EIR+_QF* z-Z`wf<-!)&I)obrP%HtLcpia%U0^NU(UzV7)8SKg;4URfyW9Ti=OrN}L(sV!(I6HF zhee9)3ypK9MP9N!f8q4Qk|WF7YtLv==&))?dQD`SxyO6mjB{EjOZ4cs;^+4rtd!ym z@!;;2BPN3nR-R@If<+d=3^1V_IX^+awzMF*hUQyt&{~?Z=6QWDW;;Uu$wWyfWs08m zlPR*)&Zp3VEn~|F6ZzE?k#+< z@Uh^EE_<<@5tBwohmgEn#y8ny$XVZm+0G&}MG~1o`j+YWZ=y!XqS5)ikLKc$)l<68rfUHw z0#!8UJf}5BopX=&l6r7HjFW|752Y_uX<@kTXj=K!$&C~V z3cx(NzZ4w*>BzmIDl{H;$KSH*Oo2RU6%f_-bz2lsJXGz2rsx-9&dVK}f@kaJcr)$C@3oqVP81})=ihcXs_;bCeR+MgjJm5m}fPahB1zR{r^Ma1y zR{lOh%?Ca2rPYxv<)rHDhs~eV526GG0g7?1`v$iY%tmyC5vIynymuuglxmSXQat`H zS;yo2p~z%?Jm=7L!Ssb@L!mnK@tc?35SWt#Mq@yaGMH9HJoA$f5`cixOIG6W&|RzcwD#dtP> zNst6vGK4!SU9@eO7lnyYIicM2Zn;=qVDHw7wxsS$oYpls)}UAYf{-rdaFD03yiV*~ zVUkYyH17mRBT5rH`zbIfF=oGygL>1h+7Vs2>2(H>>#-!jX)Lgq+w$k74jEGYP)$N@Lg9)4S~#q69How*FKrEO3tVLgwNPRAsE=p0nKXpE+n|i z?`QvmabWk4H$$8&ypn;lI}gkecfS;Fwrc&CS>~S`ng5by`fn}dU`7Ej*Z?hqbDLRxuUI{IhGTi*QwO&{q$zG93c z_mnO*O@hlujZ`vw5nV>i&+>N5GR*chiMt`JduYVOMGh<`PQ+8WB zMxpEd=UVQHt!FXE!@s-oFEfAm2p1^mhb(@4%zP_gx7@uG@mOEvmp}bf_6R@z%I