From ec2a925a3bbd1cc738242b8ddddbc5bc24e57e6b Mon Sep 17 00:00:00 2001 From: Bartosz Leper Date: Fri, 13 Dec 2024 09:50:47 +0100 Subject: [PATCH 1/2] Move the new role editor to a full-screen dialog (#49881) (#50134) * Add admin rule tab to the role editor Also tightens some constraints about standard role editor conformance. * Add a way to delete an admin rule * Add the options panel to role editor * Move RoleEditorAdapter to a separate file * Move the role editor to a full-screen dialog * Review * Review * Review * Lint * Review --- .../src/Roles/RoleEditor/EditorHeader.tsx | 14 +- .../src/Roles/RoleEditor/RoleEditor.story.tsx | 30 ++- .../src/Roles/RoleEditor/RoleEditor.tsx | 70 +++--- .../Roles/RoleEditor/RoleEditorAdapter.tsx | 229 ++++++++++++++++++ .../src/Roles/RoleEditor/RoleEditorDialog.tsx | 128 ++++++++++ .../teleport/src/Roles/RoleEditor/Shared.tsx | 9 +- .../src/Roles/RoleEditor/StandardEditor.tsx | 201 ++++++++------- .../src/Roles/RoleEditor/YamlEditor.tsx | 2 +- .../src/Roles/RoleEditor/tagpromo.png | Bin 0 -> 61787 bytes web/packages/teleport/src/Roles/Roles.tsx | 156 +++--------- 10 files changed, 594 insertions(+), 245 deletions(-) create mode 100644 web/packages/teleport/src/Roles/RoleEditor/RoleEditorAdapter.tsx create mode 100644 web/packages/teleport/src/Roles/RoleEditor/RoleEditorDialog.tsx create mode 100644 web/packages/teleport/src/Roles/RoleEditor/tagpromo.png diff --git a/web/packages/teleport/src/Roles/RoleEditor/EditorHeader.tsx b/web/packages/teleport/src/Roles/RoleEditor/EditorHeader.tsx index 2ee25880cedad..4eaaea9bc9e27 100644 --- a/web/packages/teleport/src/Roles/RoleEditor/EditorHeader.tsx +++ b/web/packages/teleport/src/Roles/RoleEditor/EditorHeader.tsx @@ -17,9 +17,10 @@ */ import React from 'react'; -import { Flex, ButtonText, H2, Indicator, Box } from 'design'; +import { Flex, H2, Indicator, Box, ButtonIcon } from 'design'; import { HoverTooltip } from 'design/Tooltip'; -import { Trash } from 'design/Icon'; + +import { Cross, Trash } from 'design/Icon'; import useTeleport from 'teleport/useTeleport'; import { Role } from 'teleport/services/resources'; @@ -35,6 +36,7 @@ export const EditorHeader = ({ isProcessing, standardEditorId, yamlEditorId, + onClose, }: { role?: Role; onDelete(): void; @@ -43,6 +45,7 @@ export const EditorHeader = ({ isProcessing: boolean; standardEditorId: string; yamlEditorId: string; + onClose(): void; }) => { const ctx = useTeleport(); const isCreating = !role; @@ -51,6 +54,9 @@ export const EditorHeader = ({ return ( + + +

{isCreating @@ -77,14 +83,14 @@ export const EditorHeader = ({ : 'You do not have access to delete a role' } > - - + )} diff --git a/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.story.tsx b/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.story.tsx index abd6ed5393f69..f90bf567450aa 100644 --- a/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.story.tsx +++ b/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.story.tsx @@ -16,21 +16,23 @@ * along with this program. If not, see . */ -import React from 'react'; +import React, { useState } from 'react'; import { StoryObj } from '@storybook/react'; import { delay, http, HttpResponse } from 'msw'; import { Info } from 'design/Alert'; import Flex from 'design/Flex'; +import { ButtonPrimary } from 'design/Button'; import { createTeleportContext } from 'teleport/mocks/contexts'; import TeleportContextProvider from 'teleport/TeleportContextProvider'; import cfg from 'teleport/config'; import { YamlSupportedResourceKind } from 'teleport/services/yaml/types'; - import { Access } from 'teleport/services/user'; +import useResources from 'teleport/components/useResources'; import { withDefaults } from './withDefaults'; import { RoleEditor } from './RoleEditor'; +import { RoleEditorDialog } from './RoleEditorDialog'; export default { title: 'Teleport/Roles/Role Editor', @@ -264,6 +266,30 @@ export const noAccess: StoryObj = { }, }; +export const Dialog: StoryObj = { + render() { + const [open, setOpen] = useState(false); + const resources = useResources([], {}); + return ( + <> + setOpen(true)}>Open + setOpen(false)} + onSave={async () => setOpen(false)} + onDelete={async () => setOpen(false)} + /> + + ); + }, + parameters: { + msw: { + handlers: [yamlifyHandler, parseHandler], + }, + }, +}; + const dummyRoleYaml = `kind: role metadata: name: dummy-role diff --git a/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.tsx b/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.tsx index b109c82e8b87d..77945701e8c47 100644 --- a/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.tsx +++ b/web/packages/teleport/src/Roles/RoleEditor/RoleEditor.tsx @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -import { Alert, Flex } from 'design'; +import { Alert, Box, Flex } from 'design'; import React, { useId, useState } from 'react'; import { useAsync } from 'shared/hooks/useAsync'; @@ -27,6 +27,8 @@ import { yamlService } from 'teleport/services/yaml'; import { YamlSupportedResourceKind } from 'teleport/services/yaml/types'; import { CaptureEvent, userEventService } from 'teleport/services/userEvent'; +import DeleteRole from '../DeleteRole'; + import { roleEditorModelToRole, newRole, @@ -47,7 +49,7 @@ export type RoleEditorProps = { originalRole?: RoleWithYaml; onCancel?(): void; onSave?(r: Partial): Promise; - onDelete?(): void; + onDelete?(): Promise; }; /** @@ -88,6 +90,8 @@ export const RoleEditor = ({ standardModel.roleModel.requiresReset ? EditorTab.Yaml : EditorTab.Standard ); + const [deleting, setDeleting] = useState(false); + // Converts YAML representation to a standard editor model. const [parseAttempt, parseYaml] = useAsync(async () => { const parsedRole = await yamlService.parse( @@ -181,32 +185,35 @@ export const RoleEditor = ({ {({ validator }) => ( - onTabChange(index, validator)} - isProcessing={isProcessing} - standardEditorId={standardEditorId} - yamlEditorId={yamlEditorId} - /> - {saveAttempt.status === 'error' && ( - - {saveAttempt.statusText} - - )} - {parseAttempt.status === 'error' && ( - - {parseAttempt.statusText} - - )} - {yamlifyAttempt.status === 'error' && ( - - {yamlifyAttempt.statusText} - - )} + + setDeleting(true)} + selectedEditorTab={selectedEditorTab} + onEditorTabChange={index => onTabChange(index, validator)} + isProcessing={isProcessing} + standardEditorId={standardEditorId} + yamlEditorId={yamlEditorId} + onClose={onCancel} + /> + {saveAttempt.status === 'error' && ( + + {saveAttempt.statusText} + + )} + {parseAttempt.status === 'error' && ( + + {parseAttempt.statusText} + + )} + {yamlifyAttempt.status === 'error' && ( + + {yamlifyAttempt.statusText} + + )} + {selectedEditorTab === EditorTab.Standard && ( -
+ handleSave({ object })} @@ -215,7 +222,7 @@ export const RoleEditor = ({ isProcessing={isProcessing} onChange={setStandardModel} /> -
+
)} {selectedEditorTab === EditorTab.Yaml && ( @@ -229,6 +236,13 @@ export const RoleEditor = ({ /> )} + {deleting && ( + setDeleting(false)} + onDelete={onDelete} + /> + )} )}
diff --git a/web/packages/teleport/src/Roles/RoleEditor/RoleEditorAdapter.tsx b/web/packages/teleport/src/Roles/RoleEditor/RoleEditorAdapter.tsx new file mode 100644 index 0000000000000..5951066f0355e --- /dev/null +++ b/web/packages/teleport/src/Roles/RoleEditor/RoleEditorAdapter.tsx @@ -0,0 +1,229 @@ +/** + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +import { Danger } from 'design/Alert'; +import Flex from 'design/Flex'; +import { Indicator } from 'design/Indicator'; +import React, { useEffect } from 'react'; +import { useAsync } from 'shared/hooks/useAsync'; +import { useTheme } from 'styled-components'; +import { H1 } from 'design/Text'; +import Box from 'design/Box'; +import { H3, P, P3 } from 'design/Text/Text'; +import { ButtonSecondary } from 'design/Button'; +import Image from 'design/Image'; + +import { StepComponentProps, StepSlider } from 'design/StepSlider'; + +import { ChevronLeft, ChevronRight } from 'design/Icon'; + +import { State as ResourcesState } from 'teleport/components/useResources'; +import { Role, RoleWithYaml } from 'teleport/services/resources'; +import { yamlService } from 'teleport/services/yaml'; +import { YamlSupportedResourceKind } from 'teleport/services/yaml/types'; +import { ButtonLockedFeature } from 'teleport/components/ButtonLockedFeature'; + +import { RoleEditor } from './RoleEditor'; +import tagpromo from './tagpromo.png'; + +/** + * This component is responsible for converting from the `Resource` + * representation of a role to a more accurate `RoleWithYaml` structure. The + * conversion is asynchronous and it's performed on the server side. + */ +export function RoleEditorAdapter({ + resources, + onSave, + onDelete, + onCancel, +}: { + resources: ResourcesState; + onSave: (role: Partial) => Promise; + onDelete: () => Promise; + onCancel: () => void; +}) { + const theme = useTheme(); + const [convertAttempt, convertToRole] = useAsync( + async (yaml: string): Promise => { + if (resources.status === 'creating' || !resources.item) { + return null; + } + return { + yaml, + object: await yamlService.parse(YamlSupportedResourceKind.Role, { + yaml, + }), + }; + } + ); + + const originalContent = resources.item?.content ?? ''; + useEffect(() => { + convertToRole(originalContent); + }, [originalContent]); + + return ( + + + {convertAttempt.status === 'processing' && ( + + + + )} + {convertAttempt.status === 'error' && ( + {convertAttempt.statusText} + )} + {convertAttempt.status === 'success' && ( + + )} + + + {/* Same width as promo image + border */} + +

Teleport Policy

+ + +

+ Teleport Policy will visualize resource access paths as you + create and edit roles so you can always see what you are + granting before you push a role into production. +

+
+ + + Contact Sales + + + Learn More + + +
+ + + + + + +
+
+
+ ); +} + +const promoImageWidth = 782; + +const promoFlows = { + default: [PromoPanel1, PromoPanel2], +}; + +function PromoPanel1(props: StepComponentProps) { + return ( + + See what you’re granting before pushing to prod. Teleport Policy will + show resource access paths granted by your role before you save + changes. + + } + /> + ); +} + +function PromoPanel2(props: StepComponentProps) { + return ( + + Prevent mistakes. Teleport Policy shows you what access is removed and + what is added as you make edits to a role—all before you save your + changes. + + } + /> + ); +} + +function PromoPanel({ + prev, + next, + refCallback, + stepIndex, + flowLength, + heading, + content, +}: StepComponentProps & { + heading: React.ReactNode; + content: React.ReactNode; +}) { + return ( + + +

{heading}

+ + {content} + +
+ + + + + = flowLength - 1} + > + + + +
+ ); +} diff --git a/web/packages/teleport/src/Roles/RoleEditor/RoleEditorDialog.tsx b/web/packages/teleport/src/Roles/RoleEditor/RoleEditorDialog.tsx new file mode 100644 index 0000000000000..f5c6370820363 --- /dev/null +++ b/web/packages/teleport/src/Roles/RoleEditor/RoleEditorDialog.tsx @@ -0,0 +1,128 @@ +/** + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +import Dialog from 'design/Dialog'; +import { forwardRef, useRef } from 'react'; +import { Transition, TransitionStatus } from 'react-transition-group'; +import { css } from 'styled-components'; + +import { State as ResourcesState } from 'teleport/components/useResources'; +import { RoleWithYaml } from 'teleport/services/resources'; + +import { RoleEditorAdapter } from './RoleEditorAdapter'; + +/** + * Renders a full-screen dialog with a slide-in effect. + * + * TODO(bl-nero): This component has been copied from `ReviewRequests` and + * `NotificationRoutingRulesDialog`. It probably should become reusable. + */ +export function RoleEditorDialog({ + open, + onClose, + resources, + onSave, + onDelete, +}: { + open: boolean; + onClose(): void; + resources: ResourcesState; + onSave(role: Partial): Promise; + onDelete(): Promise; +}) { + const transitionRef = useRef(); + return ( + + {transitionState => ( + + )} + + ); +} + +const DialogInternal = forwardRef< + HTMLDivElement, + { + onClose(): void; + transitionState: TransitionStatus; + resources: ResourcesState; + onSave(role: Partial): Promise; + onDelete(): Promise; + } +>(({ onClose, transitionState, resources, onSave, onDelete }, ref) => { + return ( + fullScreenDialogCss()} + disableEscapeKeyDown={false} + open={true} + ref={ref} + className={transitionState} + > + + + ); +}); + +const fullScreenDialogCss = () => css` + padding: 0; + width: 100%; + height: 100%; + max-height: 100%; + right: 0; + border-radius: 0; + overflow-y: hidden; + flex-direction: row; + background: ${props => props.theme.colors.levels.sunken}; + transition: width 300ms ease-out; + + &.entering { + right: -100%; + } + + &.entered { + right: 0px; + transition: right 300ms ease-out; + } + + &.exiting { + right: -100%; + transition: right 300ms ease-out; + } + + &.exited { + right: -100%; + } +`; diff --git a/web/packages/teleport/src/Roles/RoleEditor/Shared.tsx b/web/packages/teleport/src/Roles/RoleEditor/Shared.tsx index 3652e87a537ca..88899621defb8 100644 --- a/web/packages/teleport/src/Roles/RoleEditor/Shared.tsx +++ b/web/packages/teleport/src/Roles/RoleEditor/Shared.tsx @@ -18,6 +18,7 @@ import { Box, ButtonPrimary, ButtonSecondary, Flex } from 'design'; import { HoverTooltip } from 'design/Tooltip'; +import { useTheme } from 'styled-components'; import useTeleport from 'teleport/useTeleport'; @@ -34,6 +35,7 @@ export const EditorSaveCancelButton = ({ }) => { const ctx = useTeleport(); const roleAccess = ctx.storeUser.getRoleAccess(); + const theme = useTheme(); let hoverTooltipContent = ''; if (isEditing && !roleAccess.edit) { @@ -43,7 +45,12 @@ export const EditorSaveCancelButton = ({ } return ( - + {roleModel.requiresReset && ( - + + + )} - + - - handleChange({ ...roleModel, metadata })} - /> - - - - {roleModel.accessSpecs.map((spec, i) => { - const validationResult = validation.accessSpecs[i]; - return ( - setAccessSpec(value)} - onRemove={() => removeAccessSpec(spec.kind)} - /> - ); - })} - - - - Add New Specifications - - } - buttonProps={{ - size: 'medium', - fill: 'filled', - disabled: isProcessing || allowedSpecKinds.length === 0, - }} - > - {allowedSpecKinds.map(kind => ( - addAccessSpec(kind)}> - {specSections[kind].title} - - ))} - - - - - - - - - - + + handleChange({ ...roleModel, metadata })} + /> + + + + {roleModel.accessSpecs.map((spec, i) => { + const validationResult = validation.accessSpecs[i]; + return ( + setAccessSpec(value)} + onRemove={() => removeAccessSpec(spec.kind)} + /> + ); + })} + + + + Add New Specifications + + } + buttonProps={{ + size: 'medium', + fill: 'filled', + disabled: isProcessing || allowedSpecKinds.length === 0, + }} + > + {allowedSpecKinds.map(kind => ( + addAccessSpec(kind)}> + {specSections[kind].title} + + ))} + + + + + + + + + + + handleSave()} @@ -1175,7 +1188,9 @@ const OptionLabel = styled(LabelInput)` ${props => props.theme.typography.body2} `; -export const EditorWrapper = styled(Box)<{ mute?: boolean }>` +export const EditorWrapper = styled(Flex)<{ mute?: boolean }>` + flex-direction: column; + flex: 1; opacity: ${p => (p.mute ? 0.4 : 1)}; pointer-events: ${p => (p.mute ? 'none' : '')}; `; diff --git a/web/packages/teleport/src/Roles/RoleEditor/YamlEditor.tsx b/web/packages/teleport/src/Roles/RoleEditor/YamlEditor.tsx index df8be5b3925db..5f58d7826f2bb 100644 --- a/web/packages/teleport/src/Roles/RoleEditor/YamlEditor.tsx +++ b/web/packages/teleport/src/Roles/RoleEditor/YamlEditor.tsx @@ -55,7 +55,7 @@ export const YamlEditor = ({ return ( - + nS^w;Qoq`^bOqT_T-P#?GcfQ!Yd49ITjQ91$gMW_SBR|%!WYM=T zkMG|kckeqK+6qkFGWeastaMq>OlNzy!S^JH|94z|UO&1qVwt%ydgvj>y5qm*KW|l> z;4jg>MEd0KIauG`_6jY3Ia!(Zf158MNMHyGy@TCp*P_Z?Jn4;-t>M?b`rU8-Q$U*` zhmXDRH4xw<^7J7wZZco-pp7;oF=6OFq=cK+!Cfk)&ahI3nuvS0UVNsrfm%Q7E$@@h z5S%-sgBug)rr8_`VYOdmdv6wi*&tuBK41#+tsSkK3gxhKC-Yyi3_Eb90gAt?7(`;alh7}coA$+}u9>DCT^(OXN+~7y+{}`_xG*w&wfD*?IoMU zesMN%pFyeg0Z-q|5oyngErtmAFxH_t`94wfRN48BH=}p>g5ZHo7LPCZpKfG-fK@kl z0l!LgIxSR6e9Bq7RY7LJ!;(SjtzPMWSAZC24IP~-@!)-f0AWUg#arri`WXQ^ri|o7Q}d17 z7ehbgf^Z0&)AUmnCks}IIfAz}X(r>)Yi42uPeAO0W-ThV2CZ>f8|Grobye6!&Sk|m z;x7*^Y5@H1c5zl4gS`giDzp~j*yI-jm76+)ato( zt?wt;2(X*YXtVs$toY`lO{f0~iJ9b972VO~y}&!b{%t-{2mREt7I(%1OSvFtbLXYX zToK>YjAa=Oy|IBX+`3^wD1cvtgpsnU$9nII>k-VNwF=# zZ|ncHEuZH?@e)0XdhrY7?08&PD8_7AgAJIqZ>i4y9>Lc;j!RGlQ1L!(run;dUU2@> zWcWL!k>A$;PTJSUPE>!FgOl$6Gnu_k|L!E>dtJY9`n%|TtmC%AgCraJX}|m&kd~%9 zx1wF_Gf0o8+%tlmr%3Rz4`)z5v9`|_5ESIDU_Yx*tz-03V>goBb74NRgc7-APc>)G z2gt3(zKTyuaii_GF0o-ZTJV$V@C^I-J{%HLSv3HBb|oHfkUqGfFCRPBH~{pd{A~kP zLDiklz8OS4H+$8Lx(64p?D0*_f7-k)w>|XfE|tVO&uW<>uv1Pxw($$I#@2UXnSbf3rY@CNJVK_zO2==xdz7q2jr{5Z9Q{=d)vKU01E_l&(Cbmz80 zlB

zJ>t2gPk*P&GOk|Rh>fbJP8!(->ZY(aKm|(B9*Fk-*=CGAxV-eumU=LNjg@j z13)=H;Nf)3g*f$NF`;pw0$PRz))j4 z$}H}|o8*D9!cB%5Ps)|ud1jKKc_N3qZRpEKPe75qX%fouFad zIu8JC*uXq!RV;PGx4HUxG8uQaScBsAN#A)XcD&*n4)9=NSS$OyR6>MsBej-+_;VE3 z<`DcD4)jeuSlK+Jyk$wZP=}XMxrbPyJ$k#3`MF9NI;ypw5oKHe6YUiv**fz z{rAcKF6jK5^QTF5l>e#c0ErSfTMsvAz1dPgRcaC1VUBTaF zyV%)>ntH!QBW=bejnEF_1?mIsrZuxwdu%)0 z2a{@Ems0Qu+hq_%!+(;qPdY54gA9RJ58E$LD)3P8Ycjvwj6g^cX!k)kl&2qlcyp5t zH@e+xEY>ZDG&$4#s5ZqdE{c9RsS2L5vKOnwnNhLm?aI4_`TrLZ9`%xZ+ui9ZP>=y@ zR=~UL{k@fV$qGY>k}QpLWNC~7yphi)LIHkq{+FSZlWX1F<}#C0Rvrl?PGRA!cUJZM zhO!3of9)MjF6`4Swx9!+Jl9JM74EPmQm_qkOk8>gZ(RKDd(SK)l-zCfe2*#bi#DK3oiv5 z`s85o`IB=py$u~fFWI~VIwn1Ew@L;5wtyEOx$`$>j&zQ^gj^mkzDl*Mk>K9Ev1Y2$ zv0$?t8x+?@MB*Cnf@y{F^?SJ7w)*D`J31p}M3KMUw$+tIV*JH={<30Ck^MaJ0l-Hg6BXECig+h)+} zwY2c-3P*8_RnN%RKsd1jQPkL@3CMU|yL{M2g&`@udxd|f>D)~kwHpsAul1D=26ySKMg(N^uLnaST|uDJa% zQRDpT;(*Z|NPbT8TR8a+U$ilfNNI+zUXddkzhmSJ+_$&xLI$61dN%zEPF?Ar!I zJg+ulVw1_Wkw=!36N7S4Ux37AafzbTc`4Lm!+PhLGNaXUbaJfgCEBkIaqdasEck@!)C7^@%$Jnx z&eXjYbQawMd^hvw$NS!WfD`DAgw;?~%~xL$xO<$xI!h9iYk%wc8)iqkdeCK6oO~vJ z=9=%AVsiBC%`U;iPn~x_$wFq*yvNp6hAi6P7!FmiYOYqE+er*JA z1{#0UF&fKZ5NgodN2_8jUF@*Q8QA%40+3ik;*O4TVoz!VG z?D1j=5PT9BB51()?YeySdL%vZ0wCE=bo@f{utfgvlZTu#$K zskoY@vsU6Y3~N~M3U`aDe%wQnR~v}75A3}`raGB+Ma0<8`#zV7{!U>yfvauPWRSi3 zt;c7Dx;mIk8W^&-pm}spvqQIG`zMu9E9qW}%r{&&VrCNhy8Y3Sg8FD4w~+-&4c+Au z+loae+0pv>(NVh^Y<9L?e1IMb4_R(^h+9}cXs*W?h^{)@JgZ=(d(?pa3w3r@+_*KA zM;`5FyBAmu$UMX{758l-Z3&lWyB zwS{k<=%OukK4uyfbbrE&R8EITyHLJf{-W?ujh8}WA~dB$?=Xq`D)k5}9|+r@8!Va! z_)u2$rJ4CG9DF zss~kb%n@aXv?95quIkWpb7$YT_5W@Xkpd~Y$LQPvWobEL_pgc{{)IrE@?r1SHQAFf zV|V}7hgt95tv;yNRnksxeAw;%H`97Plq*ozWJM?v$Po+tH#is&r(UkhATg)(e?zi` zlXW$8Hk3h&=7H;<22fDc6F;!B@bw-)KGb*k&~%JIP7$@|&2KNoy|O?h>wufgM9jM} z)T8-;{vG125c~3i8)~)zlYADO79`^d=BlYtN8D#WH}N+&F;9xLP<9V@>KMY<4om&B zzV1z`V^(E=0_v#hV&G;WDWmYD<#V=+UHbXe!^DcMjCQ-lSOQ z+iWFS_D|}&Z0o63YP5Thozw^ztx!VC{`h(FxdmiD4;bxGoHa-JNTxO+IWHs(8wj2o z0ydmPLb#$x_vd3iaY{vbFOD||I*_|{_>Q8!2RPZ9`^nayfIC@XW4v`Kk`=3uZRp|SsHjCn4o|M$F zq3Sa1E8s0cezPA9?yxV9Ki(4JI-prg32kS0xU1iRc|dDIArt*>f++ZzCu()nE_Yy` z$oRv34?rfYegKod=`8MMEUrCs5I2zQNa5@KB))J%T>OgNuK#z&g+LEq9c>x<*~}~F z`Gavgi(zj{#M@aX-3rCb(ck<13n7l%d~*Rg1gkp~wqxtnD$9FkRIqyR7+<5oC=6il z|1G);ICr!3>24;w5nv$zVs_USurY|iSu6Yav#ygNy(V1Lb}M{NJW$Z=dR|!djr zLZ^AUKtlp3uEjtJQ#EM+zqoUi1^e!{8Fv9r@qK4`#!M~co_l+}c%wf)`8ip|l1*8N z)7ktDfKTXRi<3UNJ6@Hd&1T(z^XAWM5O z6%vv>?=SWuGzDYgof7068Tr9K&E<>YTu*oC7n_{2qp5}8o_Pm$+#uOSPlj32va$*$ zCL-Ngx3-hvy4IJ8#A%H2NJr1~2YEif|1W|asKps3f)T)Le3Fj)Mn z+X0BGrZB^`GB1!HGZa+tzg=&H4{C_xpQI2>MRz^t^N)0uHgh1|{9x+)G?Q#BwylE&X) zON_WV?twYOHl{L@bGA>h`zAN}TdtngJ`2y|e0>4OSEZPM3km`cV~SyZL~}Y{Z`5gd zb+#iHE7yFXgMeQQX2h=3+FDXz*pJUbymdC@?Url%TH^Bdwb$-CUf(I!#TB{o#6Y}; z>+#f6YH=>Gcyc9`#$9yenRGS-fPggHj81;Gayd`@a!KKI?Do1NS}al}k~#FdT-19F zL2Od_!Y5Dh^wc74`Q%b<-wD%}e^wC2vvbSpM7R3SDBlrkciC1R*EU)%Og3zhx-Gh0 z@5~?TY?26*ip;_pKHqFZLlG7xGLLc1+91zI^q9579>r&8y4?D_vZo zh6e@C%aC=+^0l+TJvbZQcg$%T&jdMu@_X-cl8?<c;w9fb^uTMjocj;Ls6w)&|fK-?Qa<#=9Y&^sSDGXuE+E8 zoCFm1_3_*4YztqIdC@tw_`;w0olcZ1&DK$c!r{`phPR|=tO|7+r+px?wis`ri~z*f zE@YG*|6IH7IbBWPzY)wB5LhhPZU}3D1ax@|Wqt^p9ZkEV0oJTr5_#3%#YRiY(sX>y z!)j!RT=4*aEu~%9vU5~b9YSVobIt6x$Zq#cJ6KFD{H2p3|C5_q$UT7UbMom~Pi#z9 zizbVf&Qu4!u5pzwT%nmY{AFK1Itm@auEYKN!cWpb1vWE2}7 z%&kQ8tY}wWNritb3bcEo`HFNf(#*=(UINWlbgRXBpopVI{3p^I8%-=h*NAtrNy)`uhkv!Wfll2@9#XGX$T7#rQ zzSlACe9A@w1!MPR?nXlfcvVHfllE<;tPa zittYIWQBx5M)&~&RbtDAZkK(nXuf$*aoOuT9nMSFmGP&dP2!TKgV-O{9*6(DV%RLc zJR8F!b=q-n;pOM4^p6{apj(NUQ0V&nyhi&sppd)kkq* zVs$W@(@KreoBP5l5u#XDwd4dtiH_cBaiSP5>%|z0c+m((RKXFlqrE(_6iq%7&o%EYO2dXJ91ZQb+ko8(hlQYP)E=5u`{z^b&UaXMyWm1G%pPySUbaw57rxkT(nrW(h6BdM#MvJp?X1&mQeJHj!(PqI$KCSx5fT4JcAgtg{L6#p^Xi9ym-6tz|T4 zu=0C&cw}6@;2rAm$3L8Z6%k%=cLU|xnH&Q|lbzh-l&@30e7wB1k%cBggZ>HE`^q4@ z?{s2k?6fpzLn8(`P#S{#MElVJ~ zZ><(4p65Jee7!c7dwfr#RqS-gp9ya2J8Bl zt^=C#m3EGCOpqf)@tI>2TsvDIuyLKrX#g8(cf2S&XcKGrRqagvn{q=&2?J7a1jF9s zpYZf69Rqzk9!UT9et-Wwjgb*{L&pLX%VWVIMx9rV$z{xo)6zklnE&%({PJm;^H@3vaj9f(0>RYn zN|Ywnb(oD*4OlyL`7zdrQJ&15O~q|nceonG^(milo=f=pj24`Ew%K;$unVuJpIy*0U@m3{>pdtac(Ox$+avIY=HaG3!G9cbH4;@pui&<-4o zbR(F1I=Ufyg}JO5oiYzNPvsI|0QN+DZcsWCKBQDK6@xsR17BC0iz^!NxDP>9#EpdQ zB>&5{fYp;L7K*5nZ||&Dj{f06*x2lC_^l-7@c!y^=LAQd8M|j)kc6s+9H@0T;@OdXl4X!^_J)cN9bswcSCyY-AMe&8uE#MPx3-gU<<3f?CtPYS$FGSIDP6Ef=hUT)zaC*y4k34M2N#TF)m^6mL1 zOpW5sQQof@qK0hqO}#n(oSao^6OY!Jj2mu#j*{qb1X`T0nKgCa#})R$Fpxru{PKg~eAZ#O&tHV(nGPV9TKRJyD2{;$$vn<8*v3H~L*h;ydKHnT080+s z+KuROwb$@-x`?eE`91;M2d%e=_Mfk}DgDF>_Zd~<`yoy;iYVgn8mPC^?`*jelctM( z)8ExvK@?ufKQ~8Qv1niU3No7Ac(l;RBA+D{Ey85@@^DV>IFbsAd@fqZ{*;bYd_D*H zdsPlOv!@N#(aqV;5-vI>Q@e{YO&BTE)TCFoPzDs}H6B13mwjVtL^6tAC6A34C|K+q zEQX$5pKQa&yYSM0oJC`9XS-g0zTVzRSzcRDGew-fmDCHhAN74WLqAVT8=RnAZjpyZ zvijFbC(0WLGFYKK@_n=nZZD4lOBQz~C)HyOfpEH?CTbs4sF8t(?PUbGd(!V^xK9U5 zli?8@_7m$rw$CPA#0s5g1)Q2_wO)f5X z>GRhs?9zt%3*N9PS5v+?8yiXrlZ!CZ?`Xz>$sgt_hO}(i{qX8gJezil<@g6#RYYCw zJ}SZxD5?AXry@>ox?yf(=9DJCW@+mF;l$)IWO)lABrV#*V9pTqd@jABHS;`Flplsm zP>F_9AVS4QC#X$)Mxa|H^#F2rL?O}I(8dgo`?i<_7apN{EmU9FL)<7#$~i)$G=AI8 z)yy?;eMR*8wHF2x`-{V|$?LXO zup#WeTW4FwETV}L1#j{k%@lE{5%`x3HUeMUt9>~^O8N7;(oGef0;pNv>r3rb%@E~x-yIpR3Ec<(+eAGOv(Kl`?Vef#gt>n{m z$oo7wj!s`WX{?95(=-qVG&xxk{1k5L{X_i3QB8)fuxMLzYNgDXkWkIMpk!>(+O1fX zd9M>AfVmx{ggYu0W4o$!(u%w7R=I!femo=*;Bpri$7$RdoEr_8;BYvp4;hqEAXriu z6cnuJaQSwiG8X&eCFPHQ-2(e}YoLz@x04&LMUyGD1ApJwww6!1bHBb&qhG~7N@8(>&vTvGqMcx56+C#Dor*Ko5@)@ue3)e{BL1KlWS`= z?)2~9PtLd{vGKt9D&2dX)fm9puChr)p0 zeI{IIVHz3)v@8D{i}H(dplW&Z2=t{6Q4e?IShN#+&aPsVw?VscBOU3h%{ZU}5e6Q1sm6>N2^C4-7eiet zlxWegZAD9Udm94VwPyVl3gb0d6KuzV+l)n}m+_8Rit-^#LUYl5dC0?&zCMH6@}ED& zs8>BHsAKx0{_k(>FUO2IxKVM&(9|7tMVqloi&YvOUQ_`C+6|+u@ON##e9uwj&B4DGy1bylbF4xdboDB8Knv>J@g2kWy! zx?aZDJtKtgT@)!`SK;chZI!*y)dyOMcGLLxUeH#ZB}1*Sc5M;XVX{W)?n_r-aR|oJu}?MFA(9- z>ta7$@z&G_$z-!q%)^AkVe30Km-E!?ypBrd$2{uZ3vOzKvh-5tv-K*aAfD|8v-SPe zU3@E4O|r03=?UrDURv#!sxF-U)8xkZr26a_e3aT)1n8B<+zpN1LsH<@!g>FvnhDuC zHQgW6xLeWA7h$z}2?M8Xf+NWTz^0bE4G2DXipzOvy&SVZEA3F`o zC&v3l9NBh02j9_7w`>0`?&MrlwBkCCdwLCa0Dj3E73 zhvP>B4v9?rP%Zga-Yx3OUb6XXtlX+Ok}`zjlkW_L@f|-=oH0@h0#j&~{ENxCEVN$U z|8VAGPbU*xaOZx4i|Q|OD^2OA${B(Z7~w8QvY%-Dx<@+kvvfAD+PBz=*H_b@DAjO& z#pVKAGT93z@iuu$wW;-pNT&}~9!`y%rSqRJp0fPM!*Ie~-?w{l*iI}oYJ8l3L`ULT zYs8w0JE#$_k)WmAhtno@EESi}@QrVxG;xaAvvfV~xzgSnLIr%7Q5{12?yY;N-8D@g zIwg0?wyrL|N4a)BFJX`&4R{%FPWd0JM6`Z^+aN%Ya<0AHmuo5TXhP@fu>yV_by5;$ zzeU+a3Kci5w-1hLrYDi(W7NNOUM$V~8914r0YU`d_+H!htimEZ{}AJI@t<^+idx+q zsX$D{TIJ6mrUsHgtBEEBuk81=5)dAuQx)TjFL^GvUA)tKZu217-apJ1=xaTJ``#19 z(SUlK+>(yQTCdX&ZtXCSLsedi0!PkXc6aiI&?Q%8LDNKQH>08M@V{tMCak#2#~4!R z@NC>vjW@L5-e!?HSW0=^N4Ttv_=Y4%jIxk5m7YTouJ&UdOkf)st~TQo?klf>U%YAb_)1UwG9qdA6Giat8txLz@w;AlYpfW)5p1`#96h=soW0nj!tvHd|rix)Cf)m3rPIx?KgR zsKEHPYOysayAz@G2G(_e!gj*v^D!8w9Q_ZBvZ3gXMUwx^u0 zQcDnNbL;Lp2)bFrlZ)7768<_`eSe2075&s6TnC2&O#v)z@z0Y z{;4@cvu^p$$-JmT>hOaPtmb@1%BUCZ0)i`w(MzuOb+ik9YX{X}B4-}Mx<20pfg}f5 z$eR!@1-TPDv~quS?jN^U6>eAe=ht5iJG&@x0>eDtl^)N1SvsM^XL;P-AweiuW1O2APnu56i6SWHuP3sb=AK49f9YXR&*SzLXtWgffU???d;EWe zg{uClnN0f(*a1)3o1Z2-s+@HW1!BSNp#RcK7)#+6A7X9}AQ)Pg1k)*vu-OHzs)cG{*Npo+sUcBND~##Wc&N9YHp!KHImEH*+|*KX;a4?bEy3z$lotvwWxs!X z3u9u#7~Vp*qh67C7{s6Q;aE_8`QbQE3~`F5vPnU7UPtfEM_spkn8onx=bXVk=NH{( z;*4Nt`|wzU*4f79j*LPTg>HKh&~%8-)!=8DVtsb|;bckFz~>s*{a;-2MGz!%#$$7R z>n==@@rmpHZ#4?a5xX{(kn_-500wB&w~sW~-JQq&40fh9j3hB#Z9p1z=pCUm8E`(B!| zq?Nu?C~n05DxK*WgNk*WNNS*-cr5P(VG*}99WDA~Fp;M&9b;y*U0FW*Og)jT^ZK2J zh9K;;9|XvMDO0%P#F?8bgmQYA!aagVk$w` z)oVOmL-xtdp(2({`SC_We`RUewbT8?+NV)LV4ad3xC2MW??;JKht-xThTib!*7ZV~ z?Apu)9jM(`$!Bm_W&;xak+o72zB}#WO`%eto;PdQ{%%a%AA{#owBhrvD{qyj{w z6U&)@HM{hKOK>)_eZ4bp_Kkd#+h{7o#WE%$YPn=(o@-%{%<-ni{Npb#e~0>ChTou; zZ_%&>Bi3<@^azK)7f@-0<#juUVQh}v_a%WCBre0z<`^3{ATYwQ@gZUL;m>uhP21O{ z#l2p~sB72reW$bxs)CAR_ZNgm-4W#Q8}xJ1-W?X1Lh$W5;C3A})x5<*K@iLNEbK4k z|JbB@4&!kS$9e?hr;h4#SDGi8{Run&Qat1_Z@`*tJujo9|9X#w&yfNL9L@&*a#J)Y zmy-JNJ4g&EpDA48-;eyFBGz08F+olsU_^D2r}5d>X{?E?Q6SJb%)!4nGn%BIXyWwr z^_%GH8+-UkAa-N6n9GX*~VhJ%ai%~lon>4~aE#(*Z znjNx?UaUM#D6H)4$QxXlo|Oq&J>jq~McVJ2u)o&P2(_+f#0!LeFWCrwQ%qF%8TSk4 zhaw2I005sc>Ppv+68$MZIMmYLzLWHT0!u_4gd96q5ZjD(w;hFbHZ1DD5s6v2=Jx!~ zIofqq!yAtneERTyA{U=sWrQRK*!ycI?ucb44JgV7fZ(X$wJanl`<+xNw<`zs=l<#5^_(!8um4=wiPa;l-#5kUGCe8K@OB0{R*1p-cvCp`cK<+Dx>L!>LF#j2P0) zWkqhc{zCCQ@K&hd+|)lCOWSCRFUY3S4@m=sf!Yl&wm)DBck{cVGFNnkb}o<`M+Dtq z(01--6#-YhxTUlZVHTdB{iy_>`PU%Rcscy$<xD)5`O zCqxKWZGRMPZ@Okg8armE@R^;s$;fbx8|b_uno8hoqN$@i{q?JuLV!bXH_&m>lK%bD zw1vB^@7JU$xBe-?*&%=AXuEWlYzDiLP+>-Z9_8qS2UTGaIoJoSJyrU;oO(~iYu>@- z5pSe$K5v9)qm2N6yhEUb3w5PcJgIO|j=urMNgpuL(%_dmf^lInNv7(Cv~29wZqgYs zQaZ*r*wke=tk<~{G$fL_nHyooRt`w{b+D+($5>H{DZ7)OjC?yTxt+}2O~q&4PM=p* z6L4jw_hh2yitg+CHQQ7wov&YeQGD)LsH0`eL%TxPeLFH{lfl%MJe$@Olg@!2rj%=I zA2%!Ty$Sm{3)erRj0b~IQ;Rolv)QFZMbr1J%*{(p)CH(!Y$%(!VfD0NP5DE-FK#4g z7S&4wVd6n2M|_-GjyCTPo8=0Jx92@?^!AC&&hQ7Por@+hrajM(lV^lEi$fhcB8BtG zjP-ntekszM)rK$9_V?tvL?a5tzSWA_l)<;WU};)~tbaHR>?*lAqy!hvu;XhSLEHhe zw5@FmE2d9xK~ZZ-$tQXg&@P=+8C>! zZiZ2=E2FeVC?mWU)S=o>aXPs-202{13LvD(%zf7(HK8*%FF@RCU3yZUplwN?Jk6mZ zB1&ZLVx`;XTA0XcF2hsD*(lqLM+*L^uLX~w-+%NU8o|m@)fsC%y!)m=!Xa`M%hvF% z9UVo48a>qn^u|Hf!QyiM$Qk9Q$ zJ2L(JS&Dt4(XfV|AlrIB5qw92`C0CIQS{_~px|c4J!UXfaI}!28XS}@_MX49LmF%= zU)h-=!YN_C`7EQ;^?kMreewikmXnlNE!gt)yLA%5mh(-5GyzU!tHg>X{Yf{^ojHlL z%&YTeH&rHp)(0 zMB9le*dI*AuV5u8n6rYru8YH;K23Va%U}Eb3s-rGsWMnBnu7>Bb z4nL-7lXO*(Ch^vr4WL)Y6J_o@%|VzvdG%4nNYRwZ>ikK8b66oj>^nN-FRkR+{eo`X zUi8U_uDSvVNW%A;xq9RlyV0{nEd za}=>rb;ULZo-xf89Sy5uPWK2d!pdz5*_F-%Q5)uuzLkP*82Qh)w^ z%pV?K?GA|?oVFkrGSE$)jCcAlW^~5whJnQAUR%3q3N|$WStgh<^o_;cYq7LKi^LJ_ z7zfE~F^h`<*Nj&job}+*!}#WZL?TfKF-f11L_9>&*iSzbgwTp9rd&6$6vwofWbq#~ zfeBW#QUkhx0;qSX84VGAV!y^i9M_5S&`rOzm+e=X%d{nX-kI#vv_o;e?)vyyX&rb; z0$rN9^onvgNZXz>lPvl>X738?OVZjB8FXG8+UX2+Lqowt@1zDWJ$GI(FF@U@?LyW) zESJG1uueu93E7ydAb6CF<77ZE;d8T=GHYegHWa!U86UMru_;6FBi<{H7AFM`cM^r**0ny2t9wxmORt+#m^+G#=TH)HCe1CmR{zb`1pZ zl>NM+LO0gN0R&qP#CfcF0Qjh(f8MQsyy5w7gioqPQm(reARzGs;p*D4AO5o*{Hs<2 z#dR*x#}|~`yK$gVgfUkk-6POXb@%89Rq?tRW?^qRpXF|~V7D6pg1SBlW#(L639cQR zTfCjtjXEglvU^Pd*<%;z|2RieMLT6vuC>T5wy{511F%56vFCC~7fv=!eDkMKMdg|8 zRzsbT-+hO$_<^aUGXfo$DtmI|_E!j&93(`FAjsgozU==nYY@|e!t^qKd;-$^k%(+1 z4K3u0cjF%>NHNIO_&?-ILjNRea_!;bM3v?s^}+Le1?pMc31UQOGK6y&HHPg4#K0uF57}zHzix>Er9&E+fF$SQXcaJIA8X0{)*l?}H61%hAHb z5A1ca1L~@EzRDL&{_s6R;6l>*4!NmaA-K;sW@#C0vuEh>$LhpGfYX@ft+r17Xyfa` z?WjhjqO0!O9oN!(8kF3>fWH4Ij~BOH14Y;hvC;VcUi%=QVf9FNE918dZc4O*{Evkz zh6|B3lQ91;l|&k;1Ekk}?poRQi2n7nD!w1H+Mt1CVN`X8WOS9886w)bM`@B2xv?MG ztirwv@if?4z_@c=V;I3!sMlV@WA}WfGP0;Ph9W6ZTs`CiH{WOXMu8YL+SFR|lD}G? za;*<2@Z6e>3{hwFX4NTnCK&x}%4T3etl1K_PeQRbzkurojfZ7Ir$X}8twdM)JvhI? z_65EVb8SA=EG0dsN|cx82sZ?QvpHAWMERFZJMfGTNS+^@j3ZI2^|bp2^L;u$;5t+K z$$F5#jbq&;Chd=GUenB?3?=qDiDvjdjW>(2R?{e&cCYPX91pGcaY|zygC^m;!GW~r z<#kn}E$tOc*LKaS-%DCLQEt@XA7>T*HK{&(xHlbteS?))N@=dcm1yPU)Ws)C6@l1C zRFQDQA4P5V&9O*!k9G+qNQp>bjQ+Zx4&a9Ww@a{a&?6u2Gd!9UO)u=(u~Ja-VJL_R z$N5wu-(Ll}P?jw&?(dyz5+IPgbC#x|R_Mwqjry;bGYe~Or(FC#%hQKyKJg2zd@iN4 zB@OWPuzTfY`}TFl^gK0Zpc`T@Zd?pB_grTx6{{{oG;_*|`QHSwTFBl4&vviaB94zP z$c@^X&JSP8Fv2$mdQR)&l`Jj_Tp0gi!z?V(-HH)6qL6M)Xny$92RM!UFBWn4D5^er zH*RWIe>M@t$gyoQM)b$fSF~rx9$;ZKm)7pCf3}F%H$v*Pe2&hxf{c(C=pC8mLgB`u zL=8^qyqC|B8<0vX`t(AZ*~7`z9+K0(#)^_1g`g#$Ll=3*b=TuwW9xcdjPUeGw0vdB z1o6xMeFP1z9v$JrooC88M2_kjjF^s2SC&`W?V`{>?$4K}Q&%*Eu$3Y4uUr zGR9RAjp-(3-=JNb2SNCH>0yYI7Mse&xv}ru67SolZOaYFpA_uj#u}5_S@KadxJT6! z%{6}Mkpt90XGBRX>LA1q@3WBM+g(cKY0-DZi@wWJ%|M#B`(8a78GSto)(FLDf_WHu zar}((0t_BR!7XOtt;=3vhF+WD?&|D@BGN-c3@z>mcE5{Oj>$-QT!xz9U~})Zqw$vp zulUDmT5o{cW4%dF7XpoUPn8~%A5;yPZauWnO&Q%B;(hT3kL{QrRxCP@@0vBElWfRu z<#pHmu%=6FIF~@NBXzeM?Pe-o80o_IDXwkf_$SnSEQW*MnqVG>$~~s=m;y#jF0=S6 zB5ikQDnvk(KTfC~Ky_3T)p3H;Z0a32kROcpT$lqzhiBikNI)6weN>vv!=yqr)wz8lE!xMDIC#3?V&TR_rP8~DVQF~zTV-$0{gGm9Z0t5N zo9SQEk7`3RE+k~_ybBxhi3PR(%`W{4jPcV?N}gFV#mnh_{P@u&gHsjod|+a2?K;U- zAW7L`N)IW5U_A1Cr{X8%cD;d9H0g1`b}Y5#dNs+_;xjv_l2esy)UxT!(vA&1tqXsm z|36bI^3tYKw6y3IdX2oZD3qw2*YO@jRH1W{5K@V6lIe-sCe?@8j3Dd!_p!1%MER6a zGac!DwIq&}4ht<32tTd&e|=xSpG~BDPvkwoCzGpOeog^N*r(Sb862pBL5y2h*mw%@ z?%$O-E+<@DEq?uaxEh|6tli+^ja)nwE4Wy`eW#+dn_RsJOt26j`mS0vw zi#Uj)Bd#2x%1$81rcs1eG<{FKnz;>DAQ-7o&N6ZvLB za{rH~vkHi^TiY;*f=G!dARW?;bR*pz(uj0-4j?TcA>EQghjf>KbPOTgT>>-23STh%6_Ky$` z){k=ojTU7d2A%mFc*;cI24MzKIU%su!~#-Fp5U#woo&(RVV|JA2!0Iqty7MT^G4Qi zuxfK5`q35Kk9drOomHdVqVsTQwwMlfE?XrDr$A)*QLh(VBk{G{govU`^EzBKY88v?S;NgXxTdr>ej^ z7qNtM+95nh)p7ITYzBe0dJt(A@f#pn`~Th0g-29sa^b8HxuLgY-bSOsB=0CrXK17c za+lLN5ZoEBHI(lzMe4XO_V+mFhH5Vx$y@8pXFbI`Aq^#PZl>SZ70UhXY8`%2i`9{{ z5hv3DIQ2NbpRVhL9+!Xzd1ec{xf196<8BRNXGv!N&J7`gQ)BA65OHD! zvb8q%v}kq_P;B(f>M&=1^*V_U{EgweUwt!dM5{#Xxo!O-e&@m4ywhZ+qzMOovek;T zVFJ~c&uH3=CAj8;N+AVj{c2xFuvsD6P?|cr1+b|@a$}R#?2&cbo~9c|JYwnz$YO*6|dCXEl1boDs*x;s?o;Qnq zb$B}R)X};9_(_t36WGF8dg_mp*K(7sV89q?DX#z1V(@q?C>Ey@_j3zwZ#BEC$xc-_ zu|4<)>gm#~-eZO&nvM6V>QGnL-#RQj!<*qXbY;uE&p0YV2qW5Gq6Bax%5ub?{Y4Kl z&7K5bk56dvCrb*5ZQi}CP^IN=ye9G|7UJ-hk*pjVjB7qyPRHlgv=p;?k;hRdd6>r^ z8-pf3B0eIzK^R|~GgOye=9S@HmTu41sl>2)`t{dR+HdR^IiKK>oG$rm2?uX`0iK*% z`a~6Cu)32<(B417`U!%Mmn0NoC#XAtzi_?nK=$b;Wp&;k2ef?kbi0a}tWAlA<@iBN z{db*#nKQK3ONDf*dVFl@dvK~9rZm#R0I?b{gX3T|Ub(g|V`+9I@6pJ|R+#zr@X4 zrUnvh@pCb5A*mHo_VbW)Qp7+h+MGx zQEzUpJB0^v?yqU~a>V~5+lLvWY9+y^6I0#L;i^)Pr{_QTCog;g+ZrEym8I9r%#mah`D%wkL&Ht2Jxq>A@K~<5MWqZ!8^B*gFlj~(X!+Z(K z;lNS_T7Wc7ZMv^}GKxLvJPW&P5#%lJZ;tch=Ec4>xqpYdArwM^ZI!?tO8w<_zCI8Vx96Ubd%|8%t%;Mfhv_|!!=q&_fs9Om)AYE=0b{7Ht zJ8w8`A%O$YAV0L5RnG=#bv22XYLAf4O!aLTCvsj`0b!HmVpb~yKD07*ld?(5T92I4qZLGf@@>nsVM{Kv@xZW%K-0{8J@OH=o zl-p|iVQRPQ{zh?%E}UsEmFpoKuTzUW{(Vqknd$D)k{!|TbSu!VKN)hQeEmYOIWM>u z9e!$OtwSPKfDVVvt!8P^W8d?i6O!XbR;{MuI6f~CxC?l|X;-^3U*?md{I%G~8&N0j zMAHA4ujfV*kZkOURJ_LLcxNsx#JU`}mnlP$oR)hh^B#GXVm8)%RR4awQs`P=YYz?U zr>77s60qlHQ^dd(VF`(w`qRReXZmUKtE4F~RN1zx@@L_PkyHIULPTJ%74_RraaSJC zCjAJ}UVhEi6B~BwV1#A;G!Y9>1ct&(|10QXbh#5C!CVWK2_YFdi# zk{TLXS~lB(n^^Ga=*eB}gSl&#zpwx`e`evzZ$`{^tP?7V7>%x4W%nz0#Efskzaoj$ zyO-EUc~K&>$ElgGXt1iR?E5$Hv5Kp@7v)I54@2X;zOOM2OMjP5v7o_@cMvK(5|l(F zvc-jJw9V#ArxFZ<#bm$oCXul)a2;=h7)^IM}Lhjv?Zj&1k*I74Z5n0vzN`# zj0|Se+z$=C0b{*0IGLOS?`?x9`mkc2)S;%)^t+%jb093S!y{;`nJ1|VNpWmzprmwn ztiP|j;tOM`r<>j%3lxz>a1GZ9HB<7tRmw8S%%k5sfSwu2m%H6y>Umg*f1!p|0CQH} zrtj5V_9%9wR0q-pvIXR|gvZisD>q7TTxr3WWwR4Uxj5<)eQi%);>tlk9m2ks`SmyJ z41GFXIXs1-zuC6-=@6(Ms+)BmnaXe8~O9=o{ZzAcBKHwW)E* zYx5S@?$%HI-XFYbF-zt>RLz=I5Wp}!$Y~ZYy4qKpilhvb1l;54 z1DnjXKm^G1gt1r)({F!)^3Yw>f0y;{-ekl|%P!%#5U>lQCrZx)?&cg%@3VzG(*dhl zE-9%{n>7{YDUO7;iFsY0Z~=AE!sTYlDHAk%{p$6$x^pjh>i<5VCy*pvU0rB|(;q>S z115#6*@RDAZ@&F$0HPNOCTwXjJPu9Lr1TTEU`e^qd(w4Pi&UNZMP287yhQ6WbeNqC zG6Hc|L39v`*EJRDCxB1+xGO$WQDc%nnl>@T@pvZ+zl_P6)p{J*#)tDi?qRgCKWs8| zmpFF@>d0tiLQm@V8|q(vm1fLRnBm?b%cTJC@ z5R`bfD{z0me?9|P+ii-Z1$hrpexSUzD0(OmjBMF6`uEtTp4O9#9wM*@RCjF|>ZAB; zryeu%xPg(a4Irz=!#NePG_yUpjdxteIoa(JJwj(sqEomy!z_6r9kyqcW~&SOZI8pW ze2VL-v$Hu;Z>{5tHNs?5A+MM{I3%Z&aV%u4CHP{}NJK{G%~#taUh*OuHWoj-u?+X2 zQq8jI@hk{*qgTWjbVkoX^FGv$))# zYG&Aifv+;?BF8^QB(Wu$5NM>{$?QId%}Rh|9>;by0o&Ea&j5*p*Ocnj?U-|zidE5~ zoOeF9Qrw3=1o#TP02NHvmS;tXEiA#bKcgN0J@On?=(}?z!+rh`mls99aVxm{nM~9# zxJw;BR@j@ui4hWx#Q;Rtxia%iOYp?*zh9HMF#av zJSfA^;BU5km#AFO=BvBVK)>@GJncI>d*A03Hj;Wcd-%2}hsuh(#WrL9K#sONO4@tw zt^RrXI|!y-DWi1#^sHx`8W;kxb)^(a|1kH4p^xp~`2%Ianp8UD^;_6h_uT0~vmk(PaitKFFqla|$u)1;~Gd=dO<&!vD!Fh?ErY-By`8M^|Hdl68f%;ETiQc}@#ndsWnzSw1q(pA?sASt1wIvq{LVof2E9>I%L4GL)@ucN+7W8z zimUQozlZ7K|e6gTK0gf@$Ahp4|nF=zPQV0#bvE` zg!wBzsx{_+D-Z&{E+2x#lT@aM-5E*&KM@uHD`xq}6^)E1*Y-I64VQc4O zN;)|?X}+02X`JOjun^uM?>p)dl~}vhgR;;hKNaahr*2}moEA(5uiPIjfFwPpSN+yA0193J0&=WxOF(2?2h02Nli$%&V2nfC+!x@ znnfcQc$ebyl~>-I`{j-eoyNBwbsIIo{%N*f_cx1|SkIY>``6+f!Msf9PlnZX&|p8J zNg51PPNje8-MAi{ADiLai_Vh$CA}4n2`9XR3 zBHYsL1K>}6W-hCVmyaC2_=xAlYtk*yrpJ-UkU4#%h~`al%u^|ffy6#8&i58Jizo<8!IaZxzH2Bh3S1~+dg0kMu z>v{{7$E8C_u>w>zpdoW{>hk}>;@Y3DUDAF+0srW>%_=rZ)^{iSOAgqQYl#PFkp<$# zHef2Y9eI|NH*S5izupz6Kz^bs6E(S#`8lQxoy`XfzTy&{E7c}u&*RLOz^-`*5Lf<-1du)Q(< zns5FW5ox~AL)BHa_A8RsyfZML@#{Dm(}HjlICTazEE_r zM0xCFGnv;?x6jm)@&a%N`vAk^XP z*^a)eiK^W+yQ$B70zYCO$al0_cu*zUzvJfI3h@s_NOF zxVt}GvDS^w4(A=t4RESF#|%Wf4W8ecnRvR}VBmcaz3n=)9@MvuFR0tBkMKI_9zWu%?{y8XB#rG?wTn(V2vv}bE_Y(Mc>Z-tbs=#l zTY-J#ouKu1_EQg`xT4pt*q)Zw&lAqO@FAV)%D}t`lh3`&OYg+>@dTH z8I0*GZnhqA>u`>?lt9HoV87V$eo?DSIibS7FXtpqO2*Bs(y!kEFZmr zE1iGDZ16NoUqf}n&v0vSp_X!$U5L2f=IbX}bV4u3#)akc(0^m|z0Zilq$1uxzH{o7 zHH|U`wI-Td>AJ=;9J=n&}E3pfCN@UxrK4bb#I>cjlxF!9@co{s4qVE{Fr29_xq_C*XtMd44>N(LfE0>&b^`*3}5dhPsgMS zdvPeSfyn&)Fq!5=e_?6QKW=!TxUbgZ!zvIZkHl5^M|w~Qx*u|$+N4eLxY$y7aod?Z zYI$&wh&HlW&Wy1YD~8S${r{Y!u>mc=UZE2E-nT8@&ayEP0f=Re!}GpGVp7t4DU2ao z?Hr6_WdK|y4@9daIX;M$XD2EamsE?Yo(KJXb}DmSsGIWdk%iksMH(#-CDbs7!cUB? z5wwB>&M%;O3F52`_xqMp#5~jI`lqrBT6A$s+m`*$&|ZQYTi*OYz$2D8mj|)No!-%& zhZlHvs)Hkea6Tkjwfpw&yn*>+zWV$Naqn}nS*`X@7p1ykM;^l3%rys+&?>{5L)b!I zao)p;F*$Y51t7Yp)8Ok&$6$?Q2vlV^kgzezJ;9Gf8?imG%Yfvz$?6Hd(D7XLMT$y` zZpdeg_-a=ey=d=87u022-njvCI;V78f=nVlUr(DlcL3zY%x0xz`VLS3X7Gz=OG;{P zKU3*jh1gBgg~3vv`78kv5wmG1#81bVw$m6SlbmK;;jS5deVIt@xrRv z9tpeyRZ26Onr4rIdLqKiijHCiL1uxm}W86PX`KQsD+-GNsCtSwp;6r+QJ=*Qv~0N z_J}&mBEClGFbMi2Y#OFmI0`co00FZs>pqV>fil|$N($tBs=XBPGIlsLYfzGSw?2dW zBX>WAVVP}HRV1?1ZE>DxX|}0zjKSNfFuO)FH6zJ_w~^Xto!BHrxiM|6shOjJ+DA91 zVL_L2r_nKJ1-j@pvz(qAHohD(a?Odf`TSX1>E~8gKLw&&>N|g;GUU=Nw<(pW^qiKE zZX1y``gECGm-1=-F?gWu1?wM*C_8(*xd@V4!^8y5vT{ehG^IoTpA^`CTpu4dDcAC+ zryBx~AM5kFE3WPq9$`dqgv|on?KThOC6$JEYRp5Tk@&R+=6k91?4J%r`9$=Qv+3b6 z=;2NUM5$qFlXkx1D{IxIR%B1A=4f&36?KrOumpBesqjl z@FK%%A23LlRCx}-1Y>zsuHPRB5((;>PX_na5^t}`oh5Cc*HLcTe)8Y})9F}TghjI_ z!#>y?K&9|8?MdOnAEZ8FhAv1>qhn*&^)7F1J;5Or5Sq5p7T#!aGVQ1Aj^7)!b#jWp zRaLG&wZRG4U!zfbr<%q=4(NVujhg|$oZ#n|*tQTP(>d}=l%12Y$-Sl3!vEPU0>Df; z+*B=A{GOQZ%aueYK%lj%g^>OV3VkHtezF#?aVGk^R_wr{Tn93pt0yML;QZQ`Ticm z|N6$lMcq?^Wr2RP!NmCJ*!oEdEJuG2{L9$15>U|VX=!QgsJc5U&C3AmF zG~_g&pLqMtdsJZ&#XH=-F9}(16-68+Pb)M??_5Q<#1=flz}DS ztB%V(Ea;i=Ib;VIMhBT+Poa^V&Hk#yHhdTyW%h&3n@$%^Jt?!lAZ`drcFiqKE=& zUUiPjD!il8=PG6TGg^dPe=+oLJhsNT{GQLf+m-nBimR$J+0>|nmH`g}<8an&GMGyY z>mS0^Xl?mGlq(3PA$)U6_NmsU6Tt96ypB8}H z0&J**7B{2l5$fT+pIZU~68}qGqw34YcD~(UG;=Le!|}NA5-%&jLfW8RyZ88ojB6!V z%1f!rvCN;JZ#=F17inMB;wQFEvY8r)%&IXFMZn>YNyLp*>ikpt0@w2L^WK{-R6B!J`{i~&~ z=^43@X$%2s7onGpE&hluMbrH03w)4BiUI&fE-4Q0F!?MB;I3$~ZpE_WGu@au!!d_w zj{?U;vkOz)WYki&_%=!TO5^FWY%ToXek5c2f5=O%O68ZwQj^)}Mx0^k=u|ATu!Ts%|>Y16DUgW{tc@fY2U9vZdd38Pq z!>=lnM56ex!);))T`+BGrx21W6!&{dPV@5r36s0&~l1SmC}S1fZ7d` zi{BPhF%udJcz>2#GkxeS@U6>m#IIGB>Mk>HBZITHl5J3#p72Yd#__Zv-!7K{6!$zd zb_c53wuG_kmd%gAiLH873}BA#+|0#OjfI`1A}qyAu9s#bo&qMASQm~fJR5)zP5y~+ zIYkL_68Dcc7OAi~Hl8I~Z}K&6bPO<9Lk~gaKLt{4w?=b~hZN_s#&R?o$106}T9rid z-b+HJUnE?{ZRNobZ5@1oHe8z*Ncvp|SFTudaf9dNb7k|dGk(@f)_0^JUGGzrj=eT0O4c-Eh;WSwtG`40PTyq`?i3(`o3 zf5@d^ARd#Y!GD1vbwcWF?r-+eL}%i&%3@ET;X*BiE8Txe!r1y~hv_6xPgsaGtKwjC zv4>D0|CfGOf#=7?`lxZ+{=na-HUc%&%LvPTvt7+BiBoi{N*5;g68^7=YDPs7e{3t8 z-bD~YHyhmbgHC6Z_>Xsc@_3wPtI-PQ9NthxN{VB}joDR;GJWBK%1KF4In~MkW@1jW z7q5!cKo7wrQyf~HFN=cVovU_-FmzpLex137t58mHrk`OqIau<%lqoXRq%H|L?a-h$ZQSsDNSmFdu<0&;1xbqI=e zjOzEA{+o@61x;-P3~XZpr4=+kWjzC?G-$&+X^IV=o-YSAXc82IgY;1L86ZB4o=fc$+Ub@8y(xV{yFqha~_X85}xEdp4*!eBh>2^P(M=GamW{GW_e zE~Dr+efQ6GF;R_7^wD2F5$cMk*jjF4*Gj9UoRE&7!+Rlsr~~@{OtKFvt4@)Ed)3OS z>*+_=k*A*;o-+#eQ~59L(usXU9A2KP0g8Ev7X(+yE;D_bea(pUyW45}aA2D(qE2)y z`iG&dXxyY|>C~TDoS0GXKIw349RQqu-L$I_s(yj{MyDrHPnRep0y5B{3No7|gB@ zz$1Y^@I$8=;uRX{FS;ZJQ98`59?ZVLoiZR2wXGrK5X1~h8~PDRU_=f054a^>j*fD7UvquoPj98g6!Q6`93Cje?68;L zsocDf@AO0Fy*H7~wXDL)4%e6FZ-?5M+()6|^(8pnPv57%(zc(~{%n?b1c1`ce^ld( z1{0{)EO=_8;6M9a{fQC-Dh0ySm8SX|0xA~qN&8&+wWrToniwvubndBMT{?0j&!>dH z`#Ph5CgiO&J!yH3@yNby@z0;m%TwS9R{<~I*qKdyJ3<@?@2nIB>DA2rCD|&{BQXpq zNuQHnXA~D;;z}GLspDw}!K1KYk}&t_u@$&mc{jkQGMlL-Bub!MipKOeuB)O~-`MN&!}JhC&3 z*-!a}zEQ}0(14NX;6z+n4G{MVZnttN(rLZJ#(>h**(4hr$zW=KqnS=$D?~*@_SkuV zyHlT|1+m6D%~q}Eaj{{lq88w0?SGL=DU9^Qb`coaooTvp`NQ&V3p0}}?e^|d*Xh=_Iz@Z7(6 z8+_=OOk(WH%;~zr1{#E(UYE^SZlpF1G;>dCeOdsL2ek2mw3?(#Z>hd9M z+v}V1`Z#d^kuNq!L`szZif<&zg47ofJMz!r?g-S6(d{{c0&h&gOh)6h(CC;}PCfSyZ}Of3h`}Q3xFw zO*_2K!2lB8`v>;`P|T!khVt=()I$z=S|#oy6JF3cqM$HE>TIOroHPQBbnaA)iFx)W z?!l_VSf<}Z(|O^f2=#{9DKlZ{&I)Hi$j|RPNjOq;E6xhZ<1Jo;q2G5#fE(VpUAx9- zdKEimm`j%P_g7PZYWd{*+}CrZQtqES2g0zo@q%vIknS>#?m=+y`t%hH@cX5JC0xF@t})NaAal;(Pmv{#$`;y!fAq z3p${xsc@{JLm)(wTs6*=U>STRDFHBzz#T>_RFU2J08Ok{ZwQGxuLxhH+ zj8$cVmJtmf6Pf6~h7KdmApcNyV<8nhN_NdE-GzOov@;)#cQ+(DYIF0$m}Z4PL0IdKeXh<_1W8EYV!_?(6J<=H;GS6#X>k6Z$@Y|v8b3H z`FjhiVJWw@KR6y-`iV@evDT9;DR-fjCvNiO3+8-Ma?YFvTB_G{F4bCOpKs#-zP&El z82xpGnsqsF6oP14StrtpNrpE529tyVJBp;VCUZ>@WG#Lg-Ap8S^M{}A6SatAWEh3N z7oCI7>4bdDvIDQL)~ECChqIt*L3i=c8Kp^e#mKZsuc$(}3!B<8g4)dh=dtKvk_r;()bUVl=YfY0w7nd@#CixBZTK>={3XWinDCQ&Qjgo;MevDH=&`q$W)QI55mppuX4LAI`u{+Rhr_h)1>C;# zz#AsEv3(|R^_MH;z4bY>H5_N8hyc2)*L)BTY}-mIGKDx@%W;1j6(H@Y%eh`8?ZU~? zpU~Rt;J#HFw_4UPfVftL%x=an=cg#;Y77R_$QSO1G-$QBH_wuORHba5`&ol$PlcNeyq!a-s+_fv;kCN(k>5zarEn3V!dc(Wu3M1`lmw_P4Y5e=`iX zxmS$B?IJ6&nP|40m$)=DJ0-jQJjdYcVgY_ddNuuf5k*EW;B_8!diKhEX(Op3m(`!% zrdZrE$69)qA$?^nCL=Dtx^177T~ z#>V#weBUWk&N9?P>HC=lb+yWHJxhqQWW8t0G@b8qD`wJ$VK0FMAf-;v+b=jB^S79m zq0Ww-(0~B(dI|)SCDvGc_+%dNI6F*xbm}4{`1;N1yNz9~{MrvS%yRkqtdPcIZ`*fi z8fZu9BnP5JNOW{P3eV7dAIN$_U2$NfQ&6WaL zyQx<$CS2a7xJ2CvvNvcR{_3OLeAk%yvuZ1v!gS|KrVW1o3_idSsHSvub2ZZ2Gs-Oe zNXq;S+P&GJlE{f z3IsU@=mV0wyPPzNf9`*+FfV6sf<<^>m_$z@P0L(@E;I_`J?bf)j2!sAn52sj<;ax` zI;DGk?PJK1p9UzeZ5RrEn(Zpd@yvovbV6_a;_dEm!@rBYknTjdaoq$yMVp1S}m>3R752t^irT|esK zV#pLo)tM}y=?74XJ2MZVWm#$c+kV-qe^#zgvol) zBNh@{o0%8H9&n@Q93;^<@i#v13|UJ^>lK?GY-5%%T)k!n2Boj(R&!b>H?|L&-Y2ZkMJ1p!`n^# zHn%erWOH7S>Y{eCiI(~9jrP)E#uH?Q;??28dyms=5#)yO{@ilztIo$o5WKf}vaFec z9DY|*GkukY3+es(8VOSqD^}VsIXJoCg4aCWGJRu;e@xkro8bW74dt*VMfX&(hf8V@ z$UgUBNWANVcgYo8Xx(?WD3=1dZ5k-E?hoUk(-uI~0NW;r@MabXwxL8pH(WU)+#fiM z1wRDc;pM6Gko}(XuCEv9>3rmQJ3-cn#3f;uKY|Gh@KF8GtZQgo=q3;QiEh)}?TfXaRF3v#Y{TjO z@7{IXl2y-}S3d6#>oOh*Vk!>wLA7!I?b8taV6pHl(iHs=uA0D2eATfY7kAaMn1*I2%42jS(M9hxGYUu)8n8s zfH}{@^M+7Qo+eHgM#fbl*_0&V@oS;4732;#>g9$hq0?jgc(XCJD3k593x2>C?~A@URv+M zioz?Dzqxi77TTB-;;CT69}~_{!3t5I&M7#;Qja9Bv_F{6#I_H@L7nH;zP>0iUPkqb zd^jE(hLG;fBL2r#lBEQB*h^&^u@}?gLLf1-oewNZ#tMnrpv$?myt(e~n`OLGqXzAg zhG-p;@|@F==-r06ou3U23D#Hh=k}-tmZ2pgCENIQMnrPVmZlHyk20<(_CyDls&#m%evD;w>jo0zh5i_RZShMQw8X zkeNt^;Y(uvvntp~7RU6~3e9S(Z<-16dK8*v+NBh3X@9{(!V$JM>LNBPSXdX88ZCuU zv98KU+Q0OCY}eRGUo%cJb?a-o7}1*kH??p7gflClM~FiQgKiw@-yYY!WWtjlZ>@sk z`kbg~P4vNPB7W^3ySk@M{#peo;OucBUrl__0?iBKn4J|y#Fbi2qQjDD1qgFgAlyXV z4jPJrbT-^v&m9QcwN3qI*|*Nw-XME~B6(+9U+`m30--zXTtbUgxf)ZPvosdw4|4_j zeAO~kgwEp{1~LIiJBepQ`IGWaVJ1GXk8lG)9OB=dmxD1-NH-!}3?01Hw_ESAeY{+L zN&@z4EU8H#rJUoCn8`?fz>IuyN{Mdt^6A^Rqci)IK{7+C+5-^ zoi$$d%@wPp?Wr!&yf-NDRDQ~C2X(hvo4M^pgUfl9;zT0>v;Gp|+@dZ`pY?(h3t64V(Q;DGf>Npv> z+i=Qb7+(T07nL#+OmXq3leqc)wI6!npLZzI1%+QhAKEE_jkcdc@JO(qQhRGXbCOu z8(7JwhfzcOav_~L^Au~s(khZ%iqET=@#qpdbH9IR^xgk1@za_QLIelo7sizHQv>Tp zwZq=$v-@sLCBJB#XDStnc{Vql6ST(zLhj-S1wene2`KvETIqO3B``@#g*DSN?Q&8b zec@+`j3=Abz=`i?dZ~uJSDblBalE6ZLHen!DQn+RbaY`nOWHG2G!u~?)E~p7b~WbB z$!mK^;?9;bw?)1m%ERyYJEbPe3Q0N?`nZ23Xt+!dB~N!Dc_hQBtrQEC6$jIm{V z&gJ(hcH~NCSAM=sKK0d02}IZz{D*K`#V*ey7M9&;3JKs*_l0Ol7<+~5U}%Flv^tw4 zeG^9n-Su|u{^Uvc+~{j^OC8T|-IlU56`;2!sYM=L`+I~onw?``wo$Fo``-LR17Xr2MGy|Pk1(w)a55k za;8j%!bK)K#mNu=U^VFV7uZeSjR?ji&(XwHl38@JniRlwT4K;b)Gs5C0LQYjw-Tv9 zMKot2`#K@8{{2~C3jhR6czVp8(nnz`dVagf<2fRnCJ6nt)WB&>>@!wFqS;P5lgDqT zM=!6m#P(V$ba;+P#HxwbAm@_vcEx1=W$jt-TGTD~-C~0kLUR9e8t`#irq3~FIbTtTxT~@gFXth@0jdmOkoKP_fs@Ci{kkk z<)xh*a`YLd1>@#SIQmB-Iu$uppd0gBslG7!j}Cg*g$}{~u`PVR3}#0cgX2%r?;6k% z=5UTty(Rc3)X;qxLZH<9Z^Nt>8iQK8!4)8CF&?%J{pb+U)8{XxJ~mh5TUE%4cHcbUtVj1Bo&*# zxezAspB$Sxa;EBf63k`|IyMoUmn%0SZ-<72(2WdYgG3ybhi)oT3%f6T_>!i54GPP% zJ8V)#dO2}^>Wt-_tUc=Md~fU}$!3*4k1v%JFF=V>>^*}o^mfWp#vInVn3zjF>-ek1 z7s0sL570oV0Tx_Os6U=(_X}a^&i=Q7EtE33C89!{z+5~lMTov}^jsO>BKSuWBJ1(~^3u$C`CNLyaNv6?z|6b<=;CG^hY z`|`l}@^2)1AGG;wn}p0tt4cb80m|=I?%xjK>gK4J;Zo7z%z%m|n6JWD$eF z|27CsrmJ-B(WYB!U?8C3OW?r??@LzKaO-4&iD?iXho;Fz{YCIOzpj@Wl@edJ8(Auq z?6CsE14HAMdCWtoM-`5F?4qiJ;YG&a_{Z`c{w=X%M7d;W?1X~-Pd)VRs2oTGycfr zH%O{88VHZDd_bB#wqzaI$%e&|_N6vMJd-xl`pKb)+^+EivtxE-?xcw6_ zLfwP@JqAxVo(5f5<7}+meA8upwWHJy=IGe?K{tOP;YI)(iXA?BNjg7F7_A{1$W%qVr$Lfqegwf_Bk~UI`&yRPae{{MVy8;2?5)zyBjw;EKLaW0 z+4@F+_r3o~Nowgdf-P!)6eW!-b-k**&Vaiot8bB@W25vvbK8d)AEZDI0ilXOGSol< z55BVa;#mu3zJpI#5w~W?8evoK&-pt2h*EAM>J`fm#O~wvu|+OmN)S~hmyaRn3$snOl02#F0Uaz<}A-! zq*qd=376S~F;AMoH8qG}nR#%B6_=l4`)5b~&U_ptq#mEoe>*z_4$b!MtFW|E^FPom z1QmV)pqm^O+KTtD?dSx_Q>LQCN`4J{k$*+q$vG@#jwe0FVW*3o!|&Ji1S~M3_LoC& zuq5%bRXDf{MfGdpsAy(-VL&N?aM`}HjTE;IZT!w#w?SrpzaLei_|=1t_}r^vtb0Q* z?=xqx;rQsz!lH3}BT3cV7L%TC@*k5z0AJ&rKHP}+@i6j|9>+STUSZwC<+f?oWp<8? zF3_|vi9*n>Cu`F|NU3WoOk)p}wXC*O)~Pjq12mgE*K8$*69@N(eCADGu&>+C25W$$ zYa2$d(h-*D$4h0(L5@81SnG>@*?>{^L6#(TuQ(g|ja3Im6<|IW4^4O>^ zhJWMv?k^-6x2psGKt@d-siZg*&Lt(d6!UG>y2#7VWMPM+Ys6qD6iIc?x1nNII5KRq zGDP;_!uuZUp}&-X2>ZFC$STtyxFfu+o*pvKHmx}B^~3U zqof!FhDj{!3v&0)jBrp{Pbb|xr-*$W>Y0h%?D+Rctl;Rr$`(#>L#qK54=8yZm$Y;u znzc)^nlMcKK7%wYW-wyn;eihPmJ^**09)n#)H$bL9(s5`b();zE9xqBlZMt;o|H3( z&O>{b9s(hchZ28-F4eNxKLT}pKmF*>_AoaW5+~$6TuV&6Sahvc@AX*c%?Ewa)J}J0 zH4_Ph3$KF&XRv#U9%Ex|Z6!z!YK9xcsz>cCKP-1R5jQl&P%bEsh02(_4^rvw#wX`G zFz^iy;%VM(e&}tBGVbJUn=V88{-tv~h_@msW$SQ}qG(Ve5WnE;c-%V9W9JYP+cJ)M z>vdC%67nlNN!==;j-+NFR$+{|A~6E>rd-h0U8HBCI55h4ymbfo5iD;BbqRWO=Hhw` zk3(XeR-+z1iBq$tUk{j8lQ2{$x+n~jao5VmdsU<{heS*@w&~PP#Ro%~C5s)KV!6;* z8q6c#h4R^i5ZpO~G`d+)KP{N7`GocPKM^UFA|W|?a4Xh+nFD)2>srhdIENS5+sFtB zCwy&J`8aQL4`=$SRjtf*j+L8RtVTm-?Rn)SV2XBa!AT7eti{QiQdf|xdu!JVl+y3n zBof?ht;5{M{w;)|{@&>aXei~*T`+A6R_65|I5B3|GwU`n6XMuy&w}?wc!}3AW9Mn+ zyYVri8yqBNQULmm9dWAcfZgu!*i>Zu^U+=cMBgGT8-k7?1xpaTo4_t=pWIC`u3 z=jRwY$sa$ea@#+kd!KD2v+}bG16_-Kj=c&Kt&CF!S-GeZ?(Z}R^itx}H9I@Z^gGGU zB3BiSnd&#?f`G^hR3KesW?mym;&b(m&qkl>_a(HR=^pkAnEc-)C7fnO;VK_KkEl5L zC%)U>CEs$seR;*Hdlu@VuU1xG(jLcxD;AB3ml#xyT^QY0G@P^=5|KyUv4X6>5YvjN z-TTMPipcO$N`8v6dtrVLjcRh6Limj(w|{EL6w&=Wr?*mQIDk5_Zx&1}Gp?+DCpXUT zse6k5*o~lf2rVgVJXw3rn>#2E!}fv>&RspsAZL7h+Pwv#2w;`=zy zS3J;ew2p!d43T#oH!H~pd!4sLj|b5m6&VS>&>c^JVW8uFUG5?{mdPiD! z&?*snAuUm2Fft^xiBfNInbZj4gm#CMe6jB*X)0DxgLK zYzX&_O^hKUtOO!ST41FnARZM_LM>N|baX%H$1Y!>2W^lVp0ExTF zyEB30WuOO2{>A_PvXAFWXk6gx^LroQaf&gkCkyJOsW zLl2Bx^xnZDadCEN&nvKtI1leU$&1ObCzX_@Fr{ggU)#5_hR{~;|1bTn)o22_3lo)| zp#h@*ea-(3>kd`Roq_#99(e@Rr~{72%S-o1j?f?aG0{gi-^F@LpV;Mgdg{IT%L&Yn ze0`tqt0u>NpIYfHvFtjY*2rUHN;`wEKh8cAAq8kvG-Q&`SbUiaa)cc)YMc$^d^Oi; ze*|BDv!L?fFZ-_gGm}K0U1Q0rhG7j$AyQ^-+&nDYec)Gca4 z5>w1CK_37c2nsK{*ElqWPEbdg<~!_+olLjS`mR(WwFFqfI&3$`F3bld^$S?1Xx+oa!srD7%pSMB~n1IM9u;$lY@#V zl*_u@2=^n(zG*?RKRgYK+~G{5kpa`Xsc|`HGk5;hMUWj40#%i99L~;AU|o8fUJRn^ zrfl#5zdb-(yxB6sm7Qv^>Oh9{W$@_##!;u_wOqdJ=aYvnjjSrW*g(&AN#$mwb>}(|p2;bl8e#;O%Fv{``y15jC zo|a_$`POr!A)N9a@#66{Re@QYj!SBlkH^vx{vtYq9vRL!u>G>Iz+w=m!yfs$$wz$& z0(1XmjIm^2*upt|b51$%>;b58!EdkDUt9rE#vEAoFfSnk#I(Uz?7;H)ZYNV*d5v?Q z|C;FSv6D`PO0fpD*}(4X=#dHoIBH0d4x?zUu0-{?ZzU_NoE;UU1JpTr2_pZA3&=toKY87QR7ouN4S?OppVRMLKT`=CNO zvFDS=?$jru6pd&-6tgP5G&SRL#T%%Aa#fr<+!g6#H(KZC8=E!IUJ5s_Xy@&{-eHM| zU8P)xfY6PNEa+AwYG~&jz#~w|o1Io}Baf|qm-B^T^4Ii_uvI!U=lt&h@mC87Sw}QF z;~j1({2r&u+z!XtYU(}NJeVkDSM-`RiHV=5b7QrGX%96tG8ikT80i^~ek-`Je!lDD z-RT#DtO1?%eMz#vIHeAQbueGygW%+AW&f*bl4x->huZgf9^DRWiqwg34oBUjI(OEP zJK!YMExkpw7-?6Lu1bdiWl9A9-R*VP{tpJt#?S3ZY~a@z1Df@Pxdt7o-=~vw-=b7k z=2k|LDft(}&4#Q;y3uCjdb$?Q+_iHvGqK~TOs10)aeMi7JYB$x0xFL5#Dn!%I29GS zKgdLty8OZ;BHOJEx^=KSE4HdR)>Yqt-o#)n)zvv5`OXLq0Q54~kXEOMX+>J>;RK2P ztm3U|z4M^Fcwf1HD~>%;-RWM%)CTq}h2-7t62RrAg@+!3)teAekmXurzq3fUjXgt@ z!RTj0&=Xp8xD0nY+2%wUj_NNmxlGdOEO;49MbytX-BcoFNO?79oZ0Zt@0-gjqeE^; zrZ$CrD(L1dbCgPy#1lKUODCk7b2GkqR8+oyfmADfSSyiZ7Xy$GO3ebfeT#~S5`x1t zc>zgxq=gRGYeQD=(;NpuB^9NpuAb#M{tnJgi9AEKw|Uv=(H^6v;+%*jPH}~&{1cO* ziHTt@7MX9Go~4KHyc=QD|03S)U{!#$HBCHTPG6rp-_Gl2c)J&8_a5Q~R#yHxp%Hwz zqy^jp9GCMmzLe9>wL=T`(yZ{}y?NwtOIiw#vWCq~GAy;Vb!#!+g#S|CwEaXUVHtu!V_9GG|s*hoIdJ)w`0;_wENMt2ao z?{HORQEXb*&Z9&Fx$otQetg85+9ZbHFk8zW=`AG~vjFvct6{5#Z`okfs3dI-`SA?G z^gm?Di@t)HJCl<qHEFMH!dY1G9T2o%MVJ>Z1uH!q8JCaf!oY}(e36J_6koNsr` zb!3HmD0}s_B$XrH&0JK*{*UXr3rT|t0LD#ZDUf#o(D}_3Ti%-{Hd;1Rp0@!YLv@q* zN4q&ucc#Wv&s9!9u925mRSB-Ou&6q(VT|`Csmr)VfP3A_A3B`OhPKkt9?VKpG~WYx z_lNwpcw5d4hRI~Bv$f`FMJ@KKPp^jnFiNE=XP$dS=LPUNK;QrNYIJryQ_m@WiLA|WYAwn9<;e19RU3hz>bYJ& z)yd`gAwc4*NmnYC;xS#zbux4G9zN%uG*O+Wl>;IK`;OkCUaP^pUT0}LoFKWI-2l_s z7|9Nwqw#}w2Y}vP^2JD~`td2^XVw_%lI7oX>N+NJuwhLgJ`8(F9=yBV>-(v4(s-hr z&BA(A&L|<0bR<+xQjB+lT^$(yXB4p|{{b=>x(S>_V5&>-Rgzj(qI9>HvvO6GCWA*U ziKGhRo){WG5p_)$4N2X7FLy@|g#2$|hNK?}R|sREiJ1P)%SZ8a7>22$zO%90V`zuD z4@(kAT<&5&1@}xzePMi ztdu<2L&_y8)X4-?LT=0dJ4)$tb?Y8{gyQ{QTj%wiJIP7Z4JT`lthc(X_<3NMftLio zCAWdwTU9r7B%~1K=y$omMkj?JFNQ3T9{j@Nh+2ZhV?A*r)%P87vr*Nxkp<3AMwLf; z@zaFq>_(o*KLcX2o#U_tuZK}P$HfU_(re*tB{T^1r+V05$aKiCqcd-ZmswWw$3!)f z+}A;uwKX9o-#;pIzWsXHr;}EOcC>tb_vY1|DfuscEU%PY#j(ov7P)k796M(eJTaj6 z0)(E}J_oZ0zV9Lw*CeqN@akx4h_2=HPPbfo7|TNBEnD^u6G6TP>ZZzqjTtU>V9KFi z4P;h;Zcnq49w1~d!q^zl<;R2l9_=9SoX*>VP{8tmB}c$0CWmxx)^ou$thF*J^Xd|^ z;e6W${^dja@neDng_98}=64O}4R;Epm1$54G1u$I>!Qx@%TQj2N7{50iRN7gt|fCh z?UV_IR4A$R^+M}TKuf4t4_x#Hmg-Kw>v8l_k*HSmy_qW^yS^*(4r0aXUWP7?HO}Gi z3Fl(6pdXhj>&R}nWmWTDn;w-*AjBKrtDN!C76E#naUH3(twCS0kZBEn9Mvo@{fp4& z>)qx)M}*B3TAqwe8zPwc zYKNFuAe>WuvV0AhY5eBIU3L>@*4Wrt@}mSziZZU0(3}k&ptkw-o(O5Ctw!@SWNg{s zs&!~5OA=W$q$a4dE6^r$Ot+?ey4bS$+|Wd({T1|mrJ#T;bIDz^XwNxqRW@Z=d(L{X zU9+&=TmbqUytTc*Xfu^MAMI={yco06TDerGR0w=ayXvj51f5f{p)Rz0ejD99D{Lxz zs`Pcq{&__m=T{=OAz?C{J-#SApGOq>G}fct05wlePNvQnRLawx86g6YYH=x$9 zL>dOJAu0^@3P-jIfuO%YiD#`UCwtYXSF&5o@sVRtPNGO@lNA|n+Mcq$z3W7xjCoD@`CTGO(Y}jktE@HI#WowonJ#V9_uEsO`EcH7>CMN;F!W+#F z=OQC`PWnuJl}MMOE2s3xtKvD099?tW$HjsShl_18TI`Q?)iFi3_#WI^HB8fHP^Q0V zX#<>Zy?*DU>lCPZX1EhLDC@((*4ack#q-Pcx344R}KQsxm9j1SGjLVB^JZ;5xo&Fal zGV&IU>Q}Dl&cBUnHFKR=`gV+^jts-MUl#KSp<*jl|7cO6eb=}XXqCCUjmMLd5iG(i z)h$b_YZrz7X`iD1H&&Qpm8L?JRK{33pVWd?SYe^Vb{{t?WaVh?bn+uW6_lVTznD~Z z#w-|5#DXbcd$2a}NdbJsx#>X-+}M+2FP7r~|Fu12B{XbZMsB-~<)UugOL!q3*j?D? zkU(&_+^PbUP^K8fr!yuqO4~%m60!a^cewD;*4YfRIi}JF0wB!e?p>sSOUF1Z{qYuM zJgwWuD}9=kie+S}UGnM2$6Cpjgm{_yq3!ZVSfKz4#*k(iRPewNTb+Q2xnz`fmfw1I=Ey?sGj@ijXVdPjR()Jju|W}Mgyb!L z-#&E_Ts?6k!0h#uUAD9FVQVy!uHe_MEp<;L+&$`otM^}vQI^eVU0E+oBS6k?g;f4*x2G2?tvq?F)vk$H zwZaEZ!WozOPdDd=A^V$sfV#PIpX1C<%%Z-<0n-Mk?0?zA!U*dtFov|pU)32{___^F z!`!!>8{)1-8DBL1u6gtCwf6}gL00x%^OyD{*h%=db9st54|?HeaA$p|V1gR$N3AKt z2~OrXP+TP+g5_)Y47AB;JI->1{dvn5n3XzgZqZbj9^!{s;?dT23Eux#h_{?0-gi`? zb@rwMMgrfCuCBvm+SQroBdA{hzwi)u`BICsiw(5f7!f|<9H)xoKcB8K4<4a&6!N(CAzgAH`d#D z7bH%Un9x3i@@W6255TI`G_yT>*cBX30D#{0WrvmIrp*}2<~ZpXG$y}K)?fg>u&?7G zC5fYj^Z3ALS)E}TK#4mzRVK%MZ`V~g&Gddp1H<64+^fu|2_hbTH7=WxK9=7tP#D~E;+e*moBC86RX;_s>z@Wb=e zr9LJQjVhE>3j<3cO4JAtPL_`>-#dG^-9u3*Ko&UY%Awg2oW6o$J|CtsOj~{4UOcE)`P0282UATGzG%X}uI=-0jyF$P5K^WQA~m&tx%~gQg-E z(GGLnDq*_o`S>ng(|RzE5S8e=qVt|Qst6r%K}`vvH{^h=#qEI5-Ai|ekgn{td z|Nbi2oZIIxG?Vz%-i9O(>b-qz&0jXk=Um;gBj=a(nyT$6jjIvwOV_`sDj%L6_-!4? z%(5TCn8I12XHVC~d*ivhfxkJz5qBl=64SMMOd>22dXd}i65xTxPiCPC>BRW-qvOU8 zm4qjM+;MBM0>$&)2=9-%$&hh@r?}Fg5)Dm_S>;&GQexm15&)!6A+Io<`WWtf0R^nU z*L3gaU%Ffia@4d&jOrT%P7csykkj!t1}(PKp*EZ4%CGi@%m!BP=Nt#>@)F6=Wc{JH z=|STHcSA~;hkRc?O$#0IU&9foB7Zo-aQ%m-X9SONQ9nDafm`O{Xax{>4PnsX9 zA)Jddz<{W!Vr0-O{z&nMtfuE(@~O4X<`C)5Uv_CxP+>t3#Gq$ZcYK7z97!K?=l`Ht zw&Ie2Jx~oZS}C(@I^zSICW+CjO3;(AkoeeDnIh}4oPgM{V91U3+lxIl0O2)IkhS!M zp%B)p*r+2*e=H}Vwl?7zF9kWKS#>#O0p_#u(m|hzB-bAQcZWr;sY#wD5#~Te zewoi@4dD~ucTY@TK&wQeQK6IQf3f{FCmT$by_$dkC&b27Sy2$#_m$gs#=^NmCT#!+ zr+(7Zt}diYS&V^L!m%69A;?BVDy!|d!f7;tkx+HJRuuP6ZRmN@39E*9$X_k>jhW-W z9E+3)j+ec-e(~zvHxEvpJl{Pi2G9-~u;kg@$}H+g_&8^p*8zsk2pRsMFO^zG>D?qe z@o_MZrD=_Tt=y_74r6e%S=Dz#WLXtlT7KgbVDH-EmD1#uHZ<+5O2Wr(olKv6@Qr;T zn&q@*Zs#amU30z4y!?nkoigCDj*EbFHn@dPxudzRkQrsz$D{IacoYC+Il^IdftO2c z<2SzSu3uRFlpVWcDLBPFd4Ds~7~fLPHBB=7%T6xYEbzApep?L)c5%%C~+NK zUp|zGISAFGkfKUCP)8)iC@e3DxAW1{L_cdN0DKrZ?>K?PBw<29*0)oJpwT%5ZH zOcc0ngn;EosEIZ%>Zb6&Ct+l~s<|Sfm&m{32e%j3jw1121rWGe1v{YUYjLed=z|*E zc;)=hn*MjK`g_{qU6=?t)YVFEHtR{b>I-w(QMd4koNFH4A!&6#EGl9y7O>cz-{iEr zoQEH@t0-dZ<2(}%zO#=B->e+gNt3qJS>mTpHvL#}$!za_B3;hK$KeXl=sWmj?p#tC zl~cSJtj3MtPL2meQ<^-jsIfdrLW3;?G0A9Y3-V#R}bQ5gq<_zBD;z&&Cm0j8`L~{TIug_O6TF#B9NuhmLJ>G+3klUuI*cu#G5Kv0=*mRbx^v0G*)E^K1 zI_$+U5aMH-yD5tL-i@{W4jgnH_b^*vWHQ}BNjM%qbTB|p-iZ=I#qj9T)?`@Y-wF_l z`c$xk>WcC+p!^YcDmCmEA5J+d4cBS02e)4NHw*;zxx$w13oDWW&o7rLDM}58i@Qx24Mc(X0%?bXOH3=LLu~QX7#0Z2O5vGpzryfpuEP~mCdN-`O zP+?F5wDt_XTBQRfH2}DOvh{6{hL)zt9=gE_7N@wT_-8Zo>_@Sh+N_b<25)(?c3J%WW4j6_vA2D)-s{iQFqQt)6g4bzz2E|5qe=!Rn6oZeg`%VA7h`Pfur>3TD1-jS(t50W3x zN(+vw%BX{jF^=q`fA!%b_n8?S#{Mn_34`P8$wWBn}iw&xXD0#i6lof&qJ; z6h(<4d&fRt%tXi4OPn?=0z!P{zpUnbqW| zh5ws)$#IK+u>j0N)NsS8zYwi6`vUgf3$pfmeknS-eV{rP)iFJuS0n{IKDq>RBa>a( zY?)@|_px@3L_Z6$GuoGuQ}wfz%CrqygXOYs!my#23fb!!VhkLG8 zS62^jr__>wF8g<`~hY3VZel#Ab+!I8ZZ;Sf&6Z6 zX=oqV=Uv!aZhj=CziG37BsfOcYpnGIen{eikwABLmUYzv^CxipOfb`9DZYwhcwqA$ z(E5wI!o9~21}brfdH11?q#k}cS?7&Tv=wudSJ4JxiWO=z&nKsMfu0ekUpo=XgEaJX zD*?Z$$B?^OnUJFta4r1I*UE2Z#oB1lwLeHmetMof7?1m2-plET%3F{N8}INPNx3;z zCy-&_c7#&Ddt=P)e1ZN)Bd~KR%2w?wmdGev)%jFT{7bLRPDxZ0lh&4g$Rz%%2MI@2 zXL^4k2eHKi(q_|md50-0yYoi?Ut~v7JbZunQT?jj<1SH})?10o&>1=lNcAo=a=)63 zW^G*^yoa_jcHAP1=8-|4ZuE+FjAd>PC%28{GM))XN9Zi}cK%Ev`1qbR=7_SRE`yA{ z@0xsjBE90u&m2Qt&l6r2{3vsz-;r?k4;#xC!_wKb=A_#LD?o5HYdIN4C(En5JCbHtN z<~~ZudT(?Gu*bglYUia4VEVcb1m-wmdt=0TX^n+6v7wU!kD${705SlyuOE{-?pJV} zDb{VDuhp*tPCErq6|M+QbJU1D(rAegbI*3+QW&Ni&4PVIuVa-reJ6# zzps+`8s_(EVk`0?=2U4#3DKgV9el{ejp{Ca(e5aRUiRc9@=B9^H2EYG5jUsYT;_j02Zx3dM;4YlogMbQ#5c7l1t|lVW|!0_P2vhV^}nDUvWHxvsAn(4w_BJ z73KQwLdc!!|4;9Z#t^~HRkRGlEF>06O5Bgl z^AqY|L$Tf>(35B+cUXU0Ue&eEg&l1kL?S|h9$B4>hsft`K}zfl_6XnIMe=A_ACmI6 zW`7OvKJE^Wmac$8XW6N0y`i7kE1!X`wn;MpZbZI;J~MM_m+-Vf;#2V+M{&n!-7}dn zYj&^Q1zgFmSJRZ6hux@Bm-`G)w3d~kqaeWJQHqs|Sj-}$+~Rq&Vc~vs1(|cba(&+H zd=L@m#h4Uwe;=C-waKtqO;>Zbu+hk8n1BCwU2XUhZVm#f^iRVU`Fu(e3rlCWip=gR zO{uJP?K#hYTUV7ppQ1KW5iOE?Xd2B-J2esQF|SCgX3o=gITljpc-iieIx!UXZpBY| zqNwe}6?u7%(ABc56%wyBu>s=2sIN8PP;Q_;H}}NOZjkf=C775??FW=KG=bZc6?-8UGf?yt zo#6cLLvA&J#IJw&=r1=u1+XC}4QYfQLhvIaA}UKh!nTn$PCGR)yk;yZ{!AV_JsC0} zTvaqjkk036)|*wMw!Yea_mq6~oD+4k`Eh)5d8Ez7LDvoJ4qaG#^iQQN^}Bn(Lg+u} zZV&mhS*;p{xkKq-(M6JHQzYGOr|?YoZWu`Vlx2N9^y24syM^(-p2Xp%Jv&B9KFC}1 zl|h(ZL#Ov+$$fV>-3*K@)GXi7?B$mF$me6el@=-a!FXUM#hsR;lv7NU{Ix^Eu@;Hq zI0EIQ^uvh8X>fQki(rX$0nIf_Vcbdw;qHDLkWmmU zlFa(B%j(UiGoCD_gJG3DN4tr{2{xT?)6-7ua!=;JTb;l%*W?!N2E#y^yNWVTj|=#iV$py1o* z|B4>b&^L`xWB8F#Z_c}ArcHPHVZqe(V3_gL_SUQNNsVD9VSFM-*HKki?Gb@0N39-P zs!@F=@2WXLSwW}7Oq_xxbyD$Nu@n&}Z^03cazpjg3q?duIV@$vx^%{UN47&*$f<0RMC%H? z=Fs8XyXz1VEqfQsNH$sTiLp!$d5^2+$NF@we;sNxFp9yz{?8*%zS^fb5>NtEe{WCN zpn3`o-ph^-df*zaJRoo5)%;ck?hZOP?(ySgMq8hWtHhD?Fhj`2h=mY@=^ zYmSNaHWj;5$pEttb`~Iv>&aqm-BGhMPK~yjbc4fhi(tdT+MZ)PtO=0_!_21hiZCGo60mT(=cvh~@Gkp2d12NtThS)<_9 z*6NivuuL!!Kpnba){)q#ET35MyeYP>gd4@s8^ih|#X3%2v@8OeN* znu7pX-G;ctAP`bPx+Ff}_b^6qM^xar2CZeAqN}BVK_Q>h(+ky?V&d!6I)2>0b;`tc z9$gu*`$2<6f#f|#fpkviU>&+f>N_H(YjJN+If!)s8vkOnd!}A;m&NEONdroat*>86 z2WQjuVqArjiNI2<&Tavf`+{=A3hVFPmRb^BOwi>^qhMHd69CngBu6Q3?yaj!99K(X zsmxr-00&_C;vZk$`XnCZErR=lOT>Pgb`t8+eCN?iI!sNBU=$#4GfoTO31J z1Sfa$Hh3$PvMyDYJ=Z^IYSctWy6H_%_21FW2I5a82J0WXp+RG5MKN7Df~@{|N+tUT zQa+t#Yp;9%&tw1k+A_2c%ksIO|4p~-QNmfH#z>oK?~qi==F!-P*RB7XVacN(_f->% z;J~9i<+KIXBNNVtz+!}7Wv^tt>i&Q^{NM7wr%p?wcfCNjs%(zcX;F*g^=DSH#IXs7 zOg$JBMAc4#;`HdIB#RXq4e3~^Lh1}DWeP&dZoa0X`Q97_TBRI~`AxbL9Ci^xIxZ10 z-H%=Oc6hXsf=W< zxxNc)swUC>xzIb5eslD5ThjFX~*f)&j2V-085n~79+M{jiKeQm<m#C|$NOp(C>QXx;?xRYgX z86cXU>v=<2(#T<8qTpd}Z=WKSX6*Uqq4l&wSXsH&Y4caMPAT-9Dr<6o9~}kF6ktU? z{Nj{D@i-byHp|oaY42{nX6xfP%>4q5L{6D}QZ^s}uf^AQXcjb6h68v=r$$EnD+VUx z16Tz*W#kL@0H-*MlZ96xF|U^}SkUc=!omfY2XTb+pXag;_89$mS+6Igqdrc5Wu97r zcU2T2$dtit5bM-+|L_FcxAlhJjmfj08)c9JZR*~|8y+5-{z&qj?$u`0o407eA;Hjt z%kk5R`S}=o4QPZTlPUa@B)6;0^2t(@{g!lVQD7BhV9h;pOg3WD*7hN@vhyna@lldx z-E?nDYt17TQ*yNkqXzC6zyKm0@!IjCcKSSWwYXn?y!Vvbnl8b*ihgzrsMJo$=8#>E z7PwpHCQGMs5hmtOEp*Af+$C85?_s>6%fnyT;IvBO813?Uz97sLUFWzC`EuA}@22zD2G2k-|3zIxoClaT0&b%Z|^2e)LAmhd+ zT_D@~jU)af&#OZ)NO&?hi{CNMpK_%h;-8{8U)PEBL-F9(uckZC6k_?YFI4(AHnC%w zcmUK7rCiQ6>}FCfHAnFJ;3?u=nf?<7%_KdhF4Z@bbd$DAbuR+x>;-L zYSzlVJVQvLh5hsQsDtI*UoFe-9ZtHX=PRQF8=0HOGCzJ{A=S3iH+E9ABt(SaH;joK!p~Xnek2`(LMkk z^4Kk1Fb)sZk)y$!097WyT#bmG2s64zT9J2QIyt`h5ag5nNvz(<azSyuR@bFB^jrkbCjrqJ;m%RrE8;5C4NKng{1D3s|wW6ZtpXk_94D;HZIMXMG)tM zyUyY87=L-C0z>0hgzZ5i#sZMJqn@$(xNr`@Ymfk(lh0Dmm$uK06=@4EJFt7; znBDcg&zFOA#HRtl-&S*~x|tjzSQv)HB6ObUMuUUn%YVef8#!D29VRCd)XO;&TXy!VMekYD(q z;J#IU{A+>bYdZWU-}`qKIP-Wdp3jvT83z>ADu{m$GFw*vLxB@z?XbPwlGt#7xeH>r z(v*dORh2m6HN65yoN@d;gB1ASdocXIQjN&>)xbxhg!>gG@x%>nT)Isd<7GiZ zn{SNar+|orgtSTF3qn**)IW~_#`>4;;PlMQJ1Gheu=#{1P4e)p`+7T)xRAGDihm7p zi~Cl`Ssp$cZC^#_EVUlB!c5yrv}>RBliMY8?-(Kve2rTKd`PW}@2jk&j89QhTOsj) z8-OM*blxtLi}MrvS5rErl!Od=Tp|I3&Q1q#+zQ<&>I=p`8fc4Ik-86X7Xl!GDlr%;srV<8)y0@n17B{kRVoqBJxs!xfV^2u>y~f zu<-6~A*u7`r{rR!qbU_N{zA>#d&0c+eWbVh1Pf|%i+v`UhoCHFL&#BEWEOFrqsjUh zW+~b!U*TYg@)8UAq{cKin)d7$!~h^s3a9||@Oj?1W%TS1eeKWP2McqJVJqaxLmaMa97vVt-Hs}xpQc-eTR ztM^5CYWZ*>}|U5Kyp$aTu*b>d#;04^N_A zlnHyX!^!I3zlha+i=iAi%&TO(SIk7LiW@WN^T~JdyZo@Is}XC6GVD-}`Sl(v?nt^d z+GktCm}{-NswFA&`ww!y5~(52M8lay645dBI?H6}`Xzyj)W}6gNc&i~T#5!i9RqRn zshn2)rFCpoYRaVB*)5s%+sAQTAS2t(pYByR%mvCstf{ymi?13|X_O$4PWm;0c0wAq7(}yA)vt{y8gVqm-zWPJ`m-Aw(qb zb4yEm_yb(Ll{s&GVb)*$edkIvYcCeX4Jc(Ah;l`bd+tk8y!I;^Wf=IzF&(Ou?oVOj z_b`Ym<)BFS`JGz+7zHb$1ft|uwZurQ{1w&%E!kZ878~mAc7Ea1wk+}i+Ce6ZpL%f- znMsTS_5opoL$^MSu41~JRT$4)p(LJmTQl@C! zMW>^F6ktT~+Wmxp=)l?*jK-*Hp{mE`LfnI)es8enFE4i@*^~uFKQkAYiU?+3A{(yy zXdQ}nADbnrlqKp5Y|4I$prv7q7=6d3R?$H^@aE4mIw5ogDL5|NTWNX5xO8Ba3+idX zb+xnmO}syAQT0p6jGI!(s^J=CxMr4jHN@ow()z!Dh6Ldpefikc15TB)cSA31s6skH391YI>XG& z3}L|(p6aciBm``a@0RshKKR9F98F)SeA?vpN#bdde1=&Hd#CYpH^S+BCsjNjD`yND zN~S6v-dIa;bR>$h?Zr9^Em(Mw6E%bL2tCX-`XTh6=R;7dhgPzrgEdjAPiKv%RL4ME zRML-QHz`bX$OIt*>nGWh%fy4p9%iwiNrJzrZl0jSgctm^FElvPFt$+4reFK_mqr1H zuYMk$p8FMzy3FonlRMI;`$1(mX728Zy6$&xW@LSC+rGQ;N}YDx(`Ilv`e*Wf$-Y_h zUGdT@tgq*dj6j|s@!eD1x+(_&9A~)H%#G9NJqyRK?rNUOPp`vRG2%f(vCWw zR~u#SrdZk7q)*##g4=i7J>wBvDxW5*LDgSP0`S49Lcl*nPBY9LHS+M~*qsI8T+@QV z+Pm0DkWo3sFXkX4^R7@*@qTBr0&gqh3o`YAMh?QH{Gpx>E5Y)kQ0=+gM>9x)1g{69 za#w9#T9OOJvA7uH_Ltn~;rx0sOr?(ZngpAl9T@Nv!Qx4G3B&n=OhZ!z4jm5?G!|gL zK)QCY4ys};iNK=-^|sECYW(QTVpixyo8)6D$z9bF#k*tS+H1_@sMXuK!fkQYuN1ec1mtwTt&gO#>enclktFYhiqq`;EzX3S)pt zaCSJ9rM;CuMP{lHLjo6pJaajUg`Zz$?S6GhE%E>g8BRDj&GWqt(M#)oJaQTu5kp3~ zUUCDLQCsLA%p4q|bUhBpjqjDGL7@Lv*IS1*`Mz<(CRl)kK{=6bgh|6xKpZLEAkAnH z5M&IM5+z58ba!`4OUFRi=#J4b7$e@>ul}C*c#h+J`D?IX+i_j@^{MkbWxRJEY!Bhz znMQ*9i8;v?C1TUo)~>&6Fg)2xYJ@t}BZBQGPlx?OsbxRY6S)bh=3HyQFUy0)>Rw-E z*>v+xo9Rtpnczl;jw^@pPy%Y)fY}qp zPb;pP=;!c6RT}2YwZzjoqo!R(+LB$9@r)`qVY8! zhwr2!D>C}^!g6P5rVIilRmekP-rlPhR3s!0n`JkIJ<2Ewm%RbjhA7idQI^EF^g2f> zoD1dHo_k?`OYEl+WvDf%bJ-8CV`}LSVtO zw%z7IFbbvo4rt{@=x4-+Icg83*VX8h%$C@t9=tpc&!p>zUhX${NS_QAO z?W9wPwbpoG9e}k@Qj4bk585H!zWM9G@<@bKoN~ya5t6?UHc&J{M%IsJpVPTvc*3N@ z7CGV)6EoJka=T7JE^c?Gr(Z`iWMZ;zD1I|%G#=t%F}HnjZls&3BG}&sjP+BPwfdO* z7golZ#^hJqeqLT;BaYIW0##X%#d;p^G&(VnuE49q`_oqwj;2$qE*2GO9-iou2gc}{ z6BF1Y&UC-JIGVjtbg)Fv8|+3m&0(345(M0{;;WRwGMmK5!~%bD8vP}*J&(H$`&2NN z7`>-Hhj$9Nc*C_O$IwC>7PmEdYaQnn3&R|lq(eb{-e+Q0$p($Qu;w35XG;?L+;^Aq z4#*%E_oC#@#j*#?)WG<+KUjDYQ(Oh!{fzrg*=3(=tI2jhRHe0-r3K@=i*QF@ zrJ&$J%cirIE#sPVjK;}n2R983b?ID*dn7Q5Vb`8P2{JupZt=zh=)q@8GZo0A8?RTX zbo;_9?M-^4I`2~SJFrmM^I6A#aA)<>EkE%L6p$*`ounKtz9lLyT*yf~K_;J8tUx6{ z7}J#Ge4$dH5bW$E#`~=9h2-;at2T5@al=UVt0?DoI4F~nRd!Xy99i4@yvh5ql=7ni z?M?<@;usr6I?@SD6hI6RfFmG4$|k%uyK{-VmuJ|oXJunL=sDY4p@1?J`HgD@X+PH# zB@i#O214{Y&Fx&LgoTYggO~iw<6a>W=p))n#7GmWyWD3)NbAGf6-7Q~Or^gpz4Ie3 z^@Wvu<#1oxQVx@lse^skF2&d~C!Gs7rMwEX4z2UGTk&#>To}~+R*$)fh*;Is*09%L zO9g-6VF|O}iuF~=y`|TmYsO+C9c->PC%?T)jwZS`F|yg&pnwdbW}GsO&bfWV9BC_= zoX#CJ=Kl@1@JmWiyp6;f*J}K-k%@M2L$*8SxBqL`oQwiVhn5CM%-#2{ao@v=GU@VS zPTr>T%e$JRa4Ib9o3ocOpbl=kK0%*PA6HH&Hf2{?%gZaS)&L@cSC|{9eMQkj(?cqM z#QT|eB}8$}j2CY$=iq5CrCx`#hp1u#VBW_k^`I1w#MXYvFR0nRelbhNHpyRiRy~Rv zsub25M|kRNZMjq)W9%Ry2&)Aw*|ss;O3qU}yUNq51Tr^L7M}Q$GO{Xf?-)(3-<3tJ za?tkRRIi03qXAUC(>0&~x_3kB6VglKU~ve{-OF9FL(!+ur_G%CnR<0!heUjKWu}m; zNHr6pNVX-JYUa=)N(nTVWU-@^ta>dWF;!k)tsvi_qHSa(gwGk?IEZ(Z%Y3A)Hr?y8 z=xn22Bw@gc<=d$?g_(QkS&v}_TF-pJ{(;9D)w|gA^0RT*It-bZ<1?**@$;%p%-u(PzkvZa zA$fLU{eo?tUgH;!bUe99HZT>6hhzTky!$Gc0jG*@9~vi7I2%aN3VajR#2<^$MbkKL zDSBF2`7SS8z?W>S-iDp@Jv*hqd_cqFefHff(37obya?e)$y(}v$dkcW%6J{hWaav- ziZ_T^!-MOW=e7D4ho*seQPkcJ?~cptKKUa_M72Ya9P1?w=08B|BWa3mUM)`qAVQA6 zqd)!WdGnD3LfQsvGaqL=8+>?Ln={kzLi5lzgy_$sS07)|^L(MpT`+%{U5u>H>#kw8 zIw$zqS(`l&n_DlLfZ zO)mZTAEzd6&XO&2fpH%93Gxb=95P=@6eQ3QLk;;K-U#z$;_R%$GHX+yNTv_z?-tSr z{!+72jV*_FneQPCc$C$2i|-jT+p*8+HoklzQfPJcMITXm^)wb!a(V1+3C~sO)U(%4 z3GkbT8Ie%A3As6P4>_^q^vyhl-$aw|G9{GHH#$9OpJ1NHRWiI7MU=aRi?48U`P$$p zM=*C8OozRSod=uKU{XK$OSYVr%0qKWj6G}vi#1uEJk@_$|A06w@Q`9TeKU;`UqH4ev>ajg z)3dPx-i2f2ee?lyX6^XC!;JBk|KcYFw#9<7Vm4jW{MDk3sUadx)!*sGv(X{7v>1|b z9Nl#<7ZY6#8z0-8ml>`hmq$w?TU)y?O<^AuBoBvK757)zXuq)+&tUBqtVgCX`#!6@ zSV*k&)z18A8;5zU_vGOL%HO>ypfORVE?PTRIit{zuYlxc7}G^I+3Zq~N0D-YV$`Ei zD==4Q1V-O=mX%C6gTN(`htZ)|&5T>2aIe|=O*VotPo`2gW3o?_xw{ybPL*k|F z-et8NPDZ#H$O~EoytXg`Z-J3pQ(;}JDwo}OOku&+JGI1&?v#eXs7@be+9x5#w%@s8*J<8k^RM%+nh$r#5*VdI?)_PV$*r?57?ReC zFR0dvs2@qbC@Vu<`-!^Z`IpX$-m&zTK~Od{HogKJgFkoV%KdrPCHmJ+J~5m!`plAe z{eb3XH#eDg4&JVOV|K=)rbcCyEi%Q1J;sHOsCL-WEGciF1m$Q(#9*su-0QZ%CS%qtATZ)5|Ujl zP^T%RbJU+M3+NY>_5qmFy&Jh!z0ny;a=fJ#y5k|%E$BNMe9R}zZa0k`9E-t3MeEhZ zx)3R~l1G5cqyhhiFmt{k8{zC#J0R`oaOH<&VP-RT`ymIdWksx1DLmabsltOn=Bf?{ zWsz9qP8wF>D^;RzeC6cMx+V87+`=LJ<3|>;Y*=eRh+MZ?#9|bd)5TZ!grbx#)fO@w z%c+E!#@txW?*B5#q*1{K!KGE$A()=>>n_NrPX<;32J2eQ0PaKH7AX3j++D|`FcTF?1N z1vk_gK{>xn6ktYG_7ce}MGAuvYaS=3`*jETE&Y=Tg!h~5GYQu!yZ+@Ygs7{mT+U|67$%+|ro1yTlOQ2xYr*-FD%cNJrvEgF zpBZWJ+oRZ)`%}T_ddJhXOwj49K^=9SZUG8lQyIe+esb*;cHfm7RD>>g^knA)E^t?W z{D{v0Jh@<>@XWgRtT59w>12sd{{S&@YmecRIUlk$_cHKyYp(?{0Nv!Uc=1CVE*AZ9 z^f&pH5UJwoYI`lNd*4DtDYMAGZO#nfg}nF6qPyUSqph33cr0L|$5GRT;MpQ8Xp=A% z!TRnRhVq|sMNbOiaeLUM5$$ZC{k@7ntsRw9R~PV=_WDz$9G9J|z4Hc7bH`{*5I`U7 zUVw8J3(~LhpfbEWWi@Q<3 zR{2JApZ)OQxABI!n1n57uC#*}44mqE1EB{jY)#QKM{(!29nlg^hU2bsZa{bJjUJmtlkM7GvsR86guhTq6!rLh^9{u z8J6-mAG!8vsoffXX7tivUsoxyrQjxhPj^hE67)p*u-)8wE6NkIx6d-3smj7`-`34n zJLVb#`&knKyFT{JA@W__fU1Eg-q|}^q|gka>Q$m{@|bNr)X^Z?A;_2U^Vu)+VT^ha zt`$Eo!lj5W=lfUHy zo|tW) z5j59^Ct{@X*%C~|NZ&qMZ;51(xGSb2>HdJ8AgakG&DC+1>w1d{4c$f>B`X2wgjjY4 z&G2098cC%t*2*b4{iR?^wVB^pHSHA)z|D>4XB&6{@S!^fN4ueJMofV9`zn6l#-E^5 z5ONtO8~&>d3yx;QC!6Ee^DR2J;#Qok%)#o~-R`K`mlPdv=$ z571M@-F~K2;=6R$KkyRGPe{a{1uG@6j^MAV-Mv9qLVJUtccQy8G0 zX`!~?yK|dt$CH3m=ZLDbpy{J^-M8>O7`gd@UqmWOE()+kg5JHEbR*hOWsY$3D6?(t ze`q;Bt#t%DJz(qW`>qq(r%1S;G}Cy*5}{cWNPpW?W8bU2_v=9>vIC}F=CJFr_XQ=& zBb@X;c;Rv1txCp!@^~USpdj|q;_6o}uRVABNaPmJw|RG5l)lyvZj)wVNr$5de3h@} z_}%OJF!E=Eu)OVhz*m$K7dP+FWQ({fjqqP7eU{o7RqtU5(ybarv5&bx2%S~ zfR($wafb~X3o(K^E?bGdN>~N&DEu1k=68MafBwJw;LPOU_VqkpF#d~kUQGyHWR-w^ z5*F`Td$IZ{@7L=(pNziQg#GpSC=qV4LIS%59T zPPsBxSg>uzTsN0BXN#w9Zu6LTI4dK2AN6=td~UFq=H8ALl#hzy+)9koXNf3eBBKr- zPaB;YUg{G8RTJ(p*s<%EU1m4ZH#!YZ zH=J5mEdwxGiFS>x(K1X&`TooA4j;L%g(RJbrZjI>E`T#%9Z|@a<7N&x|7Ul_nA_&Ow;t zYYZ@4?8>0qOO~GRp2JOsYP}+l64vI@I@I2!qXxbl}tt{`Bu z`YCW@+rd$gKj7xatjk>gdBwBT%rSZ?pFS}FV^&gH=h+fGAe2|&B)s&dvW2LDj`1bo zV(L8`Ysig@pOem)@6`qtoIXB1rNXHP&^s5Y3 zT4P}Fl;gf$5`PZ#zFcY6kG6cOv1Pq%8D-J`A&%YewIMW zlXG*qP+-d3wrq7*2k`igOKhUM@^0Z6B^)MMh@@VWkT}&T>o$tybBu?&fPiil`b%da zr6hB>_@#@<7VAkKK~mnQJp&whhMMAX4n20SwKvLZHaWE>C+OZ02GErC(MWxTswjX8PJHd6K+UC~QY1&)rH#Z~}3@ z9=Id#%WprBtI1+7G-ay>%q)TJBQvr~D)vbAA{J%vwP*#%;UNxfNh40LJ?-XU9;>PO zu5R5RQbdc%A_MVxp=8P-x&bqAzDxeUOT6*t=DX%)KrdQ-M|!3$vx7G1x+0E3m}bxK zilU-2{iIOoz+?g2d|2GuX-uyxh8AS^vS8zaGv{ z0mYOz$+m7E1qB85y#@IAs%@Ur{z}Z8UDILaw8KHQris|Lu=vUT}}?5C(Xn&l|JWiW1sWBq$W$DT{gHbCiRxsG;mcxgx z^j1$OP^}{r>_e5l?Y&Lky>inV${`lsuv=hraJ`8F`f{FKgW#T7PMXO;>xf)&32{YkEQZD$J5igIlFv8?0yR^ z@G%j;zaYMtujY)~czCv9*;IGO6go6soW0*zCj2*+G>X%* z;Q3{-`&Gb+4Pn~g%g^Vky9F)h)Xu&3hY0PEr05oWzl=pjSxJPMsIr;Ngd~Z1e>U0u z;(Fz{4_;CZotjdip+@WGfo^Pm1(tYKfi8MmvOzH~&qIu{*p}$13BSp$YsC2-?eB|k zd|viWzP!<}7{H@}mm z;SlGVcie@)ELx`?Ro#N_afx_QhWtMIBQHId$u+Z!LC%Su-uOK`ha#y8vSyyYCL?c2 z9?6d?oDdIdR~&wWBpTT(i0P8B3&C2E)I~xgQFq2&{R>s&GbM$4zeyYIZwBPK1buqDThvmj6MqH4;1BzMp*);S+*Wk z-tX~Vw_KQexqecgtmm=ok-@j|$g5ZTZCgf0o{Vn8rGs0L(6T=jZ89M5Q)>JikQa2z zoWpGf9B{Q%x*VMwcsgWQ4z2l2cJk$(`A(vKZ`5i`5Q%91Sxz4v*fg;anzXra@*i;t zDQam8g(0ndaYsO&XGs|B)PHzWo0Ve2GHYQFI=g7~?-~7fUIsprfIq(Ao2_r2-XA?r ziUkEHib7X-72nizDkV)Fe`WzGq4^AHp21B9dmU|uTQ*Y9?9FVyTd-I{pZva;)>qI< z4`9dg%G$?i)ZP&bLbq-CStIm)C zL;gpwh{(m^_Aeb(_uZQPa^WT`Arm9S97SJWuNwL^A!g~2$&)QcFKs`D)rz}HDfXO- znewKXKy%3Troa^mvIei47&fXvA<58?r1Sy%=~8Qjn8Nt18E-_KQb_Q)*R8qN<05_2 zZ8Lnk^Si<_sm6aagjj_)^52TT;!XxTU2DW^vjVUj|2Ko6@*E>YZxy`&0jo|k=Ci&WK64{jwTOTTSz2Y9I z_VLI;!)7F@Z*XejDBC+Z$vTRI1em=Yl|iSdFK*L{fA2=(U0{Fo`GBdmk4yG}1cFZ{ zt3O0Hz{J(H&w@kjyI>ieJQ&Px#jIQBS-V!f*4A+4-+6S2i_%g%6^uK4Fn8m+Y~h>7 zvCq;v?wiDq@{cCLm4Z*_aayewjtD%4xlUoV>f!^cSCY%lLC(Q`eCz4eBj*}h;tQ^? zKS?{G3l9|}5GF#WWm3&^8;_+IRNlqr8gR5bnJ&**vM8Y%Cdh((_+FvZ%G9SQZqM!b z#*R9+*;KYs^| z!k%LlNqD|0iF@AVyU4q7D}2T*Iy%P6K4m{zZqu0_2q8J1R+LFKKC_kQy1B$$c)#CR zw^~~I#tJ)lEz-#_Z{I&Pxw`T~#cMYzws+bS4lSMX!o5=avG3JTT1MydIoKZ^h z(Fu}}T#V$!>l{w<_YNV2)C!gpaE?W!d* zLH-L&8)wx&1B#kqRwM)ITs+$v$=1OFnm{_dSeyrS@~UQFI!Vw1kXZws+`UWqlXamd zC3{FrOq9cm<`iX_b=)aUhch@>(uj`ceEth+FX5VLL+Wbh=k;KYeCwLAxzZK21cvB@ zOX`0UP(LNz!{T_UZhT~MWcZKSUb@8bZwvlkxBj>R=gLvwpkI54;bj^iH-wD%%D!i- z8vEpHo2fq1Qmvb*3+*H!XC9Jke#`R~YN30$O4kd9N2ar;kwb_1X3+?+2tUNN0R7Pn z@*^^p%_}dxAPQQlcql2ujBXC&0D?p4%;S2Q`X0EP>)LoIXiXJ_qYSO_hnWxCK1Ys@ zF2T(`RCG)LSv&pelxCE@>14g(TC*Z-x){;x0Q|Le>8fB#lTM;r}Dn#F1_%OQW=;^Yr1 z-H74x=@^S1jt-lbbN;TN9!^SSen2In2{q)*eeI9WA%h%2Yqwr(u&xdvT-arx-5Svn zBmwnf53)GXADKk5puKXXpLH8Ysu@6~J;=yZ)v=VYP`IC2?0};-LbIWJRird)dLpdY zBrf%=t$spzB!DTiNKkr{6)v8KuvII$oTEUe9D;2{L?W0dZhH2|0D-)$v!V2ehK@r{ z@(=o6VYZOV6*I0<5k8XLf^DH~`5+zlEE0wz$0d;?)Qmhb2R_AUBjt;=#-+*CC zEhbCtZiRz3Yro*ZzIVVh$Pam*!rt8NQ7F4FupZ;{ZuOYqdv_)}3T))6w#EvD7OUZQ zRY}LS_6Bu@s$(x3h4Z(D5XYn+DnO)^`vquMsY=kz8p*3BUeDB1%ICR< z3}S5@@jrHdh-cpR3IhSbw8b>2#FTMFp+jv8H8bD*G9oa_?fIKQ6>1vmXF9Fg>dubCMaH_R_825`4jGZXSy6q= zKvKLISakqStboCeG>$KfJb1AvJN1saCw6rG*^&A^ zYOvy?yy?4U!!){>E#utuT)rW*eT^fY^3gZubj*Zs(Q7h|iuKB0&yK@5-VM7c*Xz0t z#8`MD$sJ!e7(Qre=z$3a8OW9RTt*{kF(8JT z?sIj)em^5Pk;QDvM$AWgQyvUueTy+CkT1zDtrQfN+a(f`{UPW{|D#MpTT_=VbBYDQ z(;(x>k|}k6jJ<|k(b=^tLRWLnu@~sJ6SDvCJaE}AxH0H0 zAVAs-qWpuefS+pe+>5L?Fw+y`dK)IY`Y&Vu=>@adH29 z4aF-Rva7~M%?hGB-f|geRdLaSF_z@p0%ZTa;H686Fg~T$rU8li*adHU8*s_~8;<@{ zu4%D@n33dzXjSY^VfE$huWW8Bkeb%gw?A^*RoX_o+e#yY8NXs#jby2-==U@HLU{lOx!T{1gie~ER=se&QF z8nTJ8gdA4qSJNanf#0t~mhXG-8_Cz8RRvZrt}cW?A|5z|mHc_9P#GoZ!k2G9|3Cha B#Wnx{ literal 0 HcmV?d00001 diff --git a/web/packages/teleport/src/Roles/Roles.tsx b/web/packages/teleport/src/Roles/Roles.tsx index 9f98116131706..db545667d4321 100644 --- a/web/packages/teleport/src/Roles/Roles.tsx +++ b/web/packages/teleport/src/Roles/Roles.tsx @@ -17,11 +17,8 @@ */ import React, { useEffect, useState } from 'react'; -import { Alert, Box, Button, Flex, H3, Indicator, Link } from 'design'; +import { Alert, Box, Button, Flex, H3, Link } from 'design'; import { P } from 'design/Text/Text'; -import { useAsync } from 'shared/hooks/useAsync'; -import { Danger } from 'design/Alert'; -import { useTheme } from 'styled-components'; import { MissingPermissionsTooltip } from 'shared/components/MissingPermissionsTooltip'; import { HoverTooltip } from 'design/Tooltip'; @@ -35,18 +32,14 @@ import useTeleport from 'teleport/useTeleport'; import { CaptureEvent, userEventService } from 'teleport/services/userEvent'; import { useServerSidePagination } from 'teleport/components/hooks'; import { storageService } from 'teleport/services/storageService'; -import { RoleWithYaml, Role, RoleResource } from 'teleport/services/resources'; -import useResources, { - State as ResourcesState, -} from 'teleport/components/useResources'; -import { yamlService } from 'teleport/services/yaml'; -import { YamlSupportedResourceKind } from 'teleport/services/yaml/types'; +import { RoleWithYaml, RoleResource } from 'teleport/services/resources'; +import useResources from 'teleport/components/useResources'; import { RoleList } from './RoleList'; import DeleteRole from './DeleteRole'; import { useRoles, State } from './useRoles'; -import { RoleEditor } from './RoleEditor'; import templates from './templates'; +import { RoleEditorDialog } from './RoleEditor/RoleEditorDialog'; export function RolesContainer() { const ctx = useTeleport(); @@ -135,13 +128,9 @@ export function Roles(props: State) { ...p, agents: p.agents.filter(r => r.id !== resources.item.id), })); - } - - function handleRoleEditorDelete() { - const id = resources.item?.id; - if (id) { - resources.remove(id); - } + // The new editor doesn't use `resources` to delete, so we need to close it + // by resetting the state here. + resources.disregard(); } const canCreate = rolesAcl.create; @@ -195,41 +184,43 @@ export function Roles(props: State) { /> - {/* New editor or descriptive text, depending on state. */} - {useNewRoleEditor && - (resources.status === 'creating' || resources.status === 'editing') ? ( - - ) : ( - -

Role-based access control

-

- Teleport Role-based access control (RBAC) provides fine-grained - control over who can access resources and in which contexts. A - Teleport role can be assigned automatically based on user identity - when used with single sign-on (SSO). -

-

- Learn more in{' '} - - the cluster management (RBAC) - {' '} - section of online documentation. -

- )} + +

Role-based access control

+

+ Teleport Role-based access control (RBAC) provides fine-grained + control over who can access resources and in which contexts. A + Teleport role can be assigned automatically based on user identity + when used with single sign-on (SSO). +

+

+ Learn more in{' '} + + the cluster management (RBAC) + {' '} + section of online documentation. +

+
{/* Old editor. */} @@ -259,73 +250,6 @@ export function Roles(props: State) { ); } -/** - * This component is responsible for converting from the `Resource` - * representation of a role to a more accurate `RoleWithYaml` structure. The - * conversion is asynchronous and it's performed on the server side. - */ -function RoleEditorAdapter({ - resources, - onSave, - onDelete, -}: { - resources: ResourcesState; - onSave: (role: Partial) => Promise; - onDelete: () => void; -}) { - const theme = useTheme(); - const [convertAttempt, convertToRole] = useAsync( - async (yaml: string): Promise => { - if (resources.status === 'creating' || !resources.item) { - return null; - } - return { - yaml, - object: await yamlService.parse(YamlSupportedResourceKind.Role, { - yaml, - }), - }; - } - ); - - const originalContent = resources.item?.content ?? ''; - useEffect(() => { - convertToRole(originalContent); - }, [originalContent]); - - return ( - - {convertAttempt.status === 'processing' && ( - - - - )} - {convertAttempt.status === 'error' && ( - {convertAttempt.statusText} - )} - {convertAttempt.status === 'success' && ( - - )} - - ); -} - function Directions() { return ( <> From f0549aad4708c9329d6c3a96186a222402ae2280 Mon Sep 17 00:00:00 2001 From: Pawel Kopiczko Date: Fri, 13 Dec 2024 10:21:37 +0000 Subject: [PATCH 2/2] Expose /.well-known/jwks-okta for Okta API services type App (#50177) --- lib/web/apiserver.go | 3 ++ lib/web/jwt.go | 65 +++++++++++++++++++++++++++++++++++++++++ lib/web/oidcidp.go | 41 -------------------------- lib/web/oidcidp_test.go | 33 ++------------------- lib/web/okta.go | 32 ++++++++++++++++++++ lib/web/okta_test.go | 46 +++++++++++++++++++++++++++++ lib/web/spiffe_test.go | 22 +------------- 7 files changed, 150 insertions(+), 92 deletions(-) create mode 100644 lib/web/jwt.go create mode 100644 lib/web/okta.go create mode 100644 lib/web/okta_test.go diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go index cf2b6aa76ced5..cd0fd426c9d59 100644 --- a/lib/web/apiserver.go +++ b/lib/web/apiserver.go @@ -1012,6 +1012,9 @@ func (h *Handler) bindDefaultEndpoints() { // SAML IDP integration endpoints h.GET("/webapi/scripts/integrations/configure/gcp-workforce-saml.sh", h.WithLimiter(h.gcpWorkforceConfigScript)) + // Okta integration endpoints. + h.GET("/.well-known/jwks-okta", h.WithLimiter(h.jwksOkta)) + // Azure OIDC integration endpoints h.GET("/webapi/scripts/integrations/configure/azureoidc.sh", h.WithLimiter(h.azureOIDCConfigure)) diff --git a/lib/web/jwt.go b/lib/web/jwt.go new file mode 100644 index 0000000000000..40ae3011db979 --- /dev/null +++ b/lib/web/jwt.go @@ -0,0 +1,65 @@ +// Teleport +// Copyright (C) 2024 Gravitational, Inc. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package web + +import ( + "context" + + "github.com/gravitational/trace" + + "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/lib/jwt" +) + +func (h *Handler) jwks(ctx context.Context, caType types.CertAuthType, includeBlankKeyID bool) (*JWKSResponse, error) { + clusterName, err := h.GetProxyClient().GetDomainName(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + + // Fetch the JWT public keys only. + ca, err := h.GetProxyClient().GetCertAuthority(ctx, types.CertAuthID{ + Type: caType, + DomainName: clusterName, + }, false /* loadKeys */) + if err != nil { + return nil, trace.Wrap(err) + } + + pairs := ca.GetTrustedJWTKeyPairs() + + // Create response and allocate space for the keys. + var resp JWKSResponse + resp.Keys = make([]jwt.JWK, 0, len(pairs)) + + // Loop over and all add public keys in JWK format. + for _, key := range pairs { + jwk, err := jwt.MarshalJWK(key.PublicKey) + if err != nil { + return nil, trace.Wrap(err) + } + resp.Keys = append(resp.Keys, jwk) + + // Return an additional copy of the same JWK + // with KeyID set to the empty string for compatibility. + if includeBlankKeyID { + jwk.KeyID = "" + resp.Keys = append(resp.Keys, jwk) + } + } + return &resp, nil +} diff --git a/lib/web/oidcidp.go b/lib/web/oidcidp.go index 28a9b7b7465b0..7b9c433f378f7 100644 --- a/lib/web/oidcidp.go +++ b/lib/web/oidcidp.go @@ -19,7 +19,6 @@ package web import ( - "context" "net/http" "github.com/gravitational/trace" @@ -27,7 +26,6 @@ import ( "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/integrations/awsoidc" - "github.com/gravitational/teleport/lib/jwt" "github.com/gravitational/teleport/lib/utils/oidc" ) @@ -51,45 +49,6 @@ func (h *Handler) jwksOIDC(_ http.ResponseWriter, r *http.Request, _ httprouter. return h.jwks(r.Context(), types.OIDCIdPCA, true) } -func (h *Handler) jwks(ctx context.Context, caType types.CertAuthType, includeBlankKeyID bool) (*JWKSResponse, error) { - clusterName, err := h.GetProxyClient().GetDomainName(ctx) - if err != nil { - return nil, trace.Wrap(err) - } - - // Fetch the JWT public keys only. - ca, err := h.GetProxyClient().GetCertAuthority(ctx, types.CertAuthID{ - Type: caType, - DomainName: clusterName, - }, false /* loadKeys */) - if err != nil { - return nil, trace.Wrap(err) - } - - pairs := ca.GetTrustedJWTKeyPairs() - - // Create response and allocate space for the keys. - var resp JWKSResponse - resp.Keys = make([]jwt.JWK, 0, len(pairs)) - - // Loop over and all add public keys in JWK format. - for _, key := range pairs { - jwk, err := jwt.MarshalJWK(key.PublicKey) - if err != nil { - return nil, trace.Wrap(err) - } - resp.Keys = append(resp.Keys, jwk) - - // Return an additional copy of the same JWK - // with KeyID set to the empty string for compatibility. - if includeBlankKeyID { - jwk.KeyID = "" - resp.Keys = append(resp.Keys, jwk) - } - } - return &resp, nil -} - // thumbprint returns the thumbprint as required by AWS when adding an OIDC Identity Provider. // This is documented here: // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html diff --git a/lib/web/oidcidp_test.go b/lib/web/oidcidp_test.go index a663a13db6a92..20c9063a7fcb0 100644 --- a/lib/web/oidcidp_test.go +++ b/lib/web/oidcidp_test.go @@ -72,41 +72,14 @@ func TestOIDCIdPPublicEndpoints(t *testing.T) { resp, err = publicClt.Get(ctx, gotConfiguration.JWKSURI, nil) require.NoError(t, err) - type jwksKey struct { - Use string `json:"use"` - KeyID *string `json:"kid"` - KeyType string `json:"kty"` - Alg string `json:"alg"` - } - type jwksKeys struct { - Keys []jwksKey `json:"keys"` - } - - var gotKeys jwksKeys + var gotKeys JWKSResponse err = json.Unmarshal(resp.Bytes(), &gotKeys) require.NoError(t, err) // Expect the same key twice, once with a synthesized Key ID, and once with an empty Key ID for compatibility. require.Len(t, gotKeys.Keys, 2) - require.NotEmpty(t, *gotKeys.Keys[0].KeyID) - require.Equal(t, "", *gotKeys.Keys[1].KeyID) - expectedKeys := jwksKeys{ - Keys: []jwksKey{ - { - Use: "sig", - KeyType: "RSA", - Alg: "RS256", - KeyID: gotKeys.Keys[0].KeyID, - }, - { - Use: "sig", - KeyType: "RSA", - Alg: "RS256", - KeyID: new(string), - }, - }, - } - require.Equal(t, expectedKeys, gotKeys) + require.NotEmpty(t, gotKeys.Keys[0].KeyID) + require.Empty(t, gotKeys.Keys[1].KeyID) } func TestThumbprint(t *testing.T) { diff --git a/lib/web/okta.go b/lib/web/okta.go new file mode 100644 index 0000000000000..67dec290784ae --- /dev/null +++ b/lib/web/okta.go @@ -0,0 +1,32 @@ +// Teleport +// Copyright (C) 2024 Gravitational, Inc. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package web + +import ( + "net/http" + + "github.com/julienschmidt/httprouter" + + "github.com/gravitational/teleport/api/types" +) + +// jwksOkta returns public keys used to verify JWT tokens signed for use with Okta API Service App +// machine-to-machine authentication. +// https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/ +func (h *Handler) jwksOkta(_ http.ResponseWriter, r *http.Request, _ httprouter.Params) (interface{}, error) { + return h.jwks(r.Context(), types.OktaCA, false /* includeBlankKeyID */) +} diff --git a/lib/web/okta_test.go b/lib/web/okta_test.go new file mode 100644 index 0000000000000..b884aa5f85283 --- /dev/null +++ b/lib/web/okta_test.go @@ -0,0 +1,46 @@ +// Teleport +// Copyright (C) 2024 Gravitational, Inc. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package web + +import ( + "context" + "encoding/json" + "testing" + + "github.com/stretchr/testify/require" +) + +// TestJWKSOktaPublicEndpoint ensures the public endpoint for the Okta API Service App integration +// is available. +func TestJWKSOktaPublicEndpoint(t *testing.T) { + t.Parallel() + ctx := context.Background() + env := newWebPack(t, 1) + proxy := env.proxies[0] + + publicClt := proxy.newClient(t) + + resp, err := publicClt.Get(ctx, publicClt.Endpoint(".well-known/jwks-okta"), nil) + require.NoError(t, err) + + var gotKeys JWKSResponse + err = json.Unmarshal(resp.Bytes(), &gotKeys) + require.NoError(t, err) + + require.Len(t, gotKeys.Keys, 1) + require.NotEmpty(t, gotKeys.Keys[0].KeyID) +} diff --git a/lib/web/spiffe_test.go b/lib/web/spiffe_test.go index eef680d411123..1eb49b33b4369 100644 --- a/lib/web/spiffe_test.go +++ b/lib/web/spiffe_test.go @@ -131,30 +131,10 @@ func TestSPIFFEJWTPublicEndpoints(t *testing.T) { resp, err = publicClt.Get(ctx, gotConfiguration.JWKSURI, nil) require.NoError(t, err) - type jwksKey struct { - Use string `json:"use"` - KeyID string `json:"kid"` - KeyType string `json:"kty"` - Alg string `json:"alg"` - } - type jwksKeys struct { - Keys []jwksKey `json:"keys"` - } - gotKeys := jwksKeys{} + var gotKeys JWKSResponse err = json.Unmarshal(resp.Bytes(), &gotKeys) require.NoError(t, err) require.Len(t, gotKeys.Keys, 1) require.NotEmpty(t, gotKeys.Keys[0].KeyID) - expectedKeys := jwksKeys{ - Keys: []jwksKey{ - { - Use: "sig", - KeyType: "EC", - Alg: "ES256", - KeyID: gotKeys.Keys[0].KeyID, - }, - }, - } - require.Equal(t, expectedKeys, gotKeys) }