From facdbaa7ec652ee5c8c4d06a63afc26553fa2ba4 Mon Sep 17 00:00:00 2001
From: Shlomo Heigh
Date: Thu, 24 Aug 2023 11:52:01 -0400
Subject: [PATCH] Design for single-use-token (SUT) authenticator

---
 design/authenticators/AUTHENTICATORS.md       |  49 +--
 .../authn_sut/authn_sut_solution_design.md    | 282 ++++++++++++++++++
 design/authenticators/authn_sut/psm.drawio    |  95 ++++++
 design/authenticators/authn_sut/psm.png       | Bin 0 -> 40134 bytes
 design/authenticators/authn_sut/sut.drawio    |  72 +++++
 design/authenticators/authn_sut/sut.png       | Bin 0 -> 21696 bytes
 .../authn_sut/sut_3rd_party.drawio            |  92 ++++++
 .../authn_sut/sut_3rd_party.png               | Bin 0 -> 30333 bytes
 8 files changed, 571 insertions(+), 19 deletions(-)
 create mode 100644 design/authenticators/authn_sut/authn_sut_solution_design.md
 create mode 100644 design/authenticators/authn_sut/psm.drawio
 create mode 100644 design/authenticators/authn_sut/psm.png
 create mode 100644 design/authenticators/authn_sut/sut.drawio
 create mode 100644 design/authenticators/authn_sut/sut.png
 create mode 100644 design/authenticators/authn_sut/sut_3rd_party.drawio
 create mode 100644 design/authenticators/authn_sut/sut_3rd_party.png

diff --git a/design/authenticators/AUTHENTICATORS.md b/design/authenticators/AUTHENTICATORS.md
index 11911a5e68..1dd86df67c 100644
--- a/design/authenticators/AUTHENTICATORS.md
+++ b/design/authenticators/AUTHENTICATORS.md
@@ -4,24 +4,26 @@ Authenticators allow you to customize the user login and authentication methods for Conjur. There are two endpoints used by Conjur to authenticate users and services to the API. -* '/login' is used to authenticate users with a username and password. This +- '/login' is used to authenticate users with a username and password. This endpoint allows users to initially authenticate with a memorable password and exchange it for an API key. The format of this key is configurable by the authenticator. -* '/authenticate' is used to authenticate either a user or service and returns +- '/authenticate' is used to authenticate either a user or service and returns a short-lived access token for API requests. ## Existing Authenticators Links to the current Authenticator Feature specs: -* [Authn-LDAP](authn_ldap.md) -* [Authn-IAM](authn_iam.md) -* [Authn-OIDC](authn_oidc.md) -* [Authn-Azure](authn_azure/authn_azure_solution_design.md) -* [Authn-GCP](authn_gcp/authn_gcp_solution_design.md) + +- [Authn-LDAP](authn_ldap.md) +- [Authn-IAM](authn_iam.md) +- [Authn-OIDC](authn_oidc.md) +- [Authn-Azure](authn_azure/authn_azure_solution_design.md) +- [Authn-GCP](authn_gcp/authn_gcp_solution_design.md) ## Authenticator Status + This feature allows the person who configures an authenticator to get immediate feedback on its configuration. If there was a problem during the authenticator configuration process, the reason will be returned to the user so that they can make the necessary changes. @@ -35,9 +37,11 @@ separate login step allows users to authenticate with a memorable password, while using a random, rotatable access key for actual API authentication. To login, send a `GET` request to: -``` + +```txt /:authenticator-type/:optional-service-id/:conjur-account/login ``` + [Basic Authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) is used to send the username and password. 
@@ -68,9 +72,11 @@ Successful authentication returns a new **Conjur token**, which you can use to make subsequent requests to protected Conjur services. To authenticate and receive this token, `POST` to: -``` + +```txt /:authenticator-type/:optional-service-id/:conjur-account/:username/authenticate ``` + with the key (or other credential relevant to your authenticator) as plain text in the request body. @@ -80,7 +86,6 @@ The request parameters are the same as login with the addition of: your authenticator. This could be an ordinary password, an API key, an OAuth token, etc -- depending on the type of authenticator. - ## Security requirements ### Must whitelist before using @@ -99,7 +104,8 @@ authenticators must be explicitly whitelisted via the environment variable Here is an example `CONJUR_AUTHENTICATORS` which whitelists an LDAP authenticator as well as the default Conjur authenticator: -``` + +```txt CONJUR_AUTHENTICATORS=authn-ldap/sysadmins,authn ``` @@ -112,22 +118,26 @@ webservices in your Conjur policy, and users must be authorized to use them. This requires two steps: 1. Add the authenticator as a webservice in your conjur policy: -```yaml -- !policy - id: conjur/my-authenticator/optional-service-id -``` + + ```yaml + - !policy + id: conjur/my-authenticator/optional-service-id + ``` + 2. Add any users that need to access it to your policy, and grant them the `authenticate` privilege. - -## Creating custom authenticators: +## Creating custom authenticators 1. Create a new directory under `/app/domain/authentication`. For example: -``` + +```txt /app/domain/authentication/my_authenticator ``` + 2. That directory must contain a file named `authenticator.rb`, with the - following structure: + following structure: + ```ruby module Authentication module MyAuthenticator 
@@ -182,6 +192,7 @@ end authenticator is instantiated by conjur, it will be passed the `ENV` through the kwarg `env`. If you don't need any configuration from the environment, you can opt out like so: + ```ruby module Authentication module MyAuthenticator diff --git a/design/authenticators/authn_sut/authn_sut_solution_design.md b/design/authenticators/authn_sut/authn_sut_solution_design.md new file mode 100644 index 0000000000..f026909ac1 --- /dev/null +++ b/design/authenticators/authn_sut/authn_sut_solution_design.md 
@@ -0,0 +1,282 @@ +# Single Use Token (SUT) Authenticator + +## Overview/Introduction + +The Single Use Token (SUT) Authenticator is a new authenticator for Conjur that +will allow users to authenticate to Conjur using a single-use token. A user will +be able to generate a single use token by providing their username and password +to a new API endpoint. The user will then be able to use the token to +authenticate to Conjur. + +## Summary of Existing Functionality + +There is currently no way to create a single-use token for authenticating to +Conjur. + +## Requirements + +The driver behind this effort is to enable integration between Conjur UI and +PSM. That integration will require a mechanism for generating a single-use token +that can be used to authenticate to Conjur. The requirements for this effort are +as follows: + +### Feature Spec for Conjur UI-PSM Integration (CNJR-2392) + +> Privileged Session Manager (PSM) enables users to log on to remote +> machines/applications securely through a proxy machine facilitating +> streamlined and native workflows for the IT admins. Conjur is now going to +> integrate with PSM providing integrity across Cyberark products and easy +> access to the Conjur UI via PSM. +> +> In order for PSM to connect to the Conjur UI, a new API(s) would be provided +> that PSM could call to establish the UI session and login the user directly +> into the main UI dashboard, without showing the initial login screen. More +> details will be added in the solution design (TBD). +> +> The overall UX will remain the same where users will continue to use the +> existing workflow of logging onto the PVWA, clicking connect on a defined +> Conjur instance 1 and connecting through PSM straight into the Conjur UI +> console. + +The SUT authenticator will be the mechanism used to authenticate the user to +Conjur when they click "Connect" on a Conjur instance in PVWA. 
PSM will generate +a SUT for the user using their stored username and password or API key. PSM will +then pass the SUT to the Conjur UI via a URL parameter. The Conjur UI will use +the SUT to authenticate the user to Conjur and start a session. + +## Assumptions and Prerequisites + +Assumptions: Defining the assumptions being made in preparing this Solution +Design. Detailing why these assumptions are valid and/or acceptable. +Prerequisites: Do we need additional tooling to develop this feature? Do we need +additional tooling to test this feature in our pipeline? What needs to be in +place to build this feature? + +## Out-of-scope + +- SUTs will not be able to be used to authenticate to Conjur via the CLI + - SUTs are intended to be used in automated processes. The CLI is intended to + be used by humans (developers, operators, etc.) +- There are many possible use cases for SUTs. This effort will focus on the + basic use case necessary for Conjur UI-PSM integration. Additional use cases + may be considered in the future. +- The PSM integration itself will not be part of this effort. This effort will + only focus on the SUT authenticator and the API endpoint for generating SUTs. + The PSM team will implement the PSM integration in a separate effort in the + PSM codebase. + +## Design + +### High-Level Design + +#### Workflows + +##### Basic SUT Workflow + +The following diagram shows the basic workflow for using a SUT to authenticate +to Conjur. The first step is to call the +`GET /authn-sut///login` endpoint with the user's +credentials to generate a SUT. The SUT is then passed to the +`POST /authn-sut///authenticate` +endpoint to authenticate the user to Conjur and retrieve a short-lived auth +token. + +![Basic SUT Workflow](./sut.png) + +##### 3rd Party Client Workflow + +The following diagram shows the workflow for using a SUT to authenticate to +Conjur on behalf of a 3rd party client. 
The first step is to call the +`GET /authn-sut///login` endpoint with the user's +credentials to generate a SUT. The SUT is then handed off to the 3rd party +client. The 3rd party client then calls the +`POST /authn-sut///authenticate` +endpoint with the SUT to authenticate the user to Conjur and retrieve a +short-lived auth token. This way the 3rd party client never has access to the +user's credentials. + +![3rd Party Client Workflow](./sut_3rd_party.png) + +##### PSM Integration Workflow + +The following diagram shows the workflow for using a SUT to authenticate to +Conjur via the PSM integration. The first step is to call the +`GET /authn-sut///login` endpoint with the user's +credentials to generate a SUT. The SUT is then passed to the Conjur UI via a URL +parameter: `GET /ui/callback?sut=`. The Conjur UI then calls +the `POST /authn-sut///authenticate` endpoint with +the SUT to authenticate the user to Conjur and retrieve a short-lived auth +token. The Conjur UI then starts a session for the user. + +![PSM Integration Workflow](./psm.png) + +#### Policy + +As with other authenticators, the SUT authenticator will be disabled by default. +It will be enabled by creating an authenticator policy resource in Conjur and +adding it to the list of enabled authenticators in the Conjur configuration, for +example in the `CONJUR_AUTHENTICATORS` environment variable. + +The authenticator webservice must be declared in Conjur policy: + +```yml +- !policy + id: conjur/authn-sut/ + body: + - !webservice + + - !group clients + + - !permit + role: !group clients + privilege: [ read, authenticate ] + resource: !webservice +``` + +and the `clients` group can be used to entitle a user(s) to use the +authenticator: + +```yml +- !grant + role: !group conjur/authn-sut//clients + member: !user +``` + +#### API + +We will need two new API endpoints for the SUT authenticator: + +##### `GET /authn-sut///login` + +This endpoint will be used to generate a SUT for a user. 
The user will provide +their username and password (or API key) in the request body. The endpoint will +return a SUT that can be used to authenticate the user to Conjur. + +The format of the URL matches the existing authenticator endpoint for +authn-ldap. + +##### `POST /authn-sut///authenticate` + +This endpoint will be used to authenticate a user to Conjur using a SUT. The +user will provide the SUT in the request body. The endpoint will return a +short-lived auth token. + +The format of the URL matches the existing authenticator endpoint for +authn-ldap. + +### Low Level Design + +#### Data Model + +The SUT will be a cryptographically secure, random string. It will be generated +by the Conjur server and stored in the database. The SUT will be associated with +the user and expiration time. The SUT will be marked as used once it is utilized +to authenticate the user to Conjur. + +When we store the SUT in the database, we will store a hash of the SUT instead +of the SUT itself. This will prevent an attacker with access to the database +from being able to use the SUTs to authenticate to Conjur. The SUT will be +hashed using a cryptographically secure hash function, such as SHA-256. +When a user presents a SUT to authenticate to Conjur, we will hash the SUT and +compare it to the hash stored in the database. + +##### SUT Format + +We cannot use JWTs for the SUT as we need the ability to revoke the SUT after it +is used, a feature not easily implemented with JWTs. This would make it +impossible to prevent replay attacks. + +##### Open Questions + +- Is it possible to restrict use of the SUT to a specific IP range (like with + hostfactory tokens) or other criteria to limit risk if the SUT is leaked? +- Is it better to actually delete the SUT from the database once it is used or + to just mark it as used? +- Is it better to store a `used_at` timestamp or a boolean `used` flag? +- Should the SUT expiration be configurable (via policy) or should it be a fixed + value? 
What should the default expiration be? (30 seconds?) + +##### Example Database Table + +| id | role_id | guid_hash | expires_at | used_at | +|----|---------|-----------|------------|---------| +| 1 | user:john.doe | lkduj... | 2023-09-28 12:08:23 | NULL | +| 2 | user:demo.user | 2k1g2... | 2023-09-28 12:09:45 | 2023-09-28 12:09:10 | + +For this example, we would need a migration to add the `authn_sut_tokens` table. +That would look something like this: + +```ruby +Sequel.migration do + change do + create_table :authn_sut_tokens do + primary_key :id + foreign_key :role_id, :roles, type: String, null: false, on_delete: :cascade + String :guid_hash, null: false, unique: true + DateTime :expires_at, null: false + DateTime :used_at + end + end +end +``` + +#### Authenticator + +The SUT authenticator will be implemented as a new authenticator plugin. The +implementation will follow the existing authenticator plugin pattern, as +documented in [AUTHENTICATORS.md](../AUTHENTICATORS.md) + +## Security + +Due to the fact that this feature will be used to authenticate to Conjur, it is +critical that the implementation is secure. Threat modeling should be performed +before implementation begins to identify potential security issues and ensure +that they are addressed. There should be an additional security review of the +implementation before it is merged. + +Much of the security of this feature will be provided by the underlying +authenticator architecture, so we only need to be concerned with the security of +the SUT and the implementation of the SUT authenticator plugin. + +## Testing + +### Unit Tests + +Unit tests should cover virtually all lines of code in the implementation. 
+ +### Integration Tests + +Integration tests should cover the following scenarios + +| Scenario | Path Type | Test Purpose | Failure Scenarios | Details | +|----------|-----------|--------------|-------------------|---------| +| Generate SUT | Happy | Verify that a SUT can be generated for a user | | | +| Generate SUT - Invalid credentials | Sad | Verify that a SUT cannot be generated for a user with invalid credentials | | | +| Generate SUT - Invalid authenticator | Sad | Verify that a SUT cannot be generated for a user with an invalid authenticator | | | +| Generate SUT - Disabled authenticator | Sad | Verify that a SUT cannot be generated for a user with a disabled authenticator | | | +| Generate SUT - Authenticator not enabled for user | Sad | Verify that a SUT cannot be generated for a disabled user | | | +| Authenticate with SUT | Happy | Verify that a user can authenticate to Conjur with a SUT | | | +| Authenticate with SUT - Invalid SUT | Sad | Verify that a user cannot authenticate to Conjur with an invalid SUT | | | +| Authenticate with SUT - Expired SUT | Sad | Verify that a user cannot authenticate to Conjur with an expired SUT | | | +| Authenticate with SUT - Used SUT | Sad | Verify that a user cannot authenticate to Conjur with a used SUT | | | +| Authenticate with SUT - Invalid authenticator | Sad | Verify that a user cannot authenticate to Conjur with an invalid authenticator | | | +| Authenticate with SUT - Disabled authenticator | Sad | Verify that a user cannot authenticate to Conjur with a disabled authenticator | | | +| Authenticate with SUT - Authenticator not enabled for user | Sad | Verify that a user cannot authenticate to Conjur with a disabled user | | | + +## Project Cost & Schedule + +For the following table, "Effort" is estimated in terms of developer days. "Risk" +is an estimate of the risk of missing said estimate. Low risk means high likelihood +of hitting the estimate, while high risk means low likelihood of hitting the estimate. 
+ +| Task | Jira ID | Effort | Risk | +|------|---------|--------|------| +| Solution Design | CNJR-2514 | 4 | Low | +| Threat Modeling | | 2 | Low | +| Implement SUT Generator | | 5 | Low | +| Create SUT Generator Feature Tests | | 2 | Low | +| Implement SUT Authenticator | | 5 | Low | +| Create SUT Authenticator Feature Tests | | 2 | Low | +| Create End-to-End Tests | | 3 | Low | +| Implementation Security Review | | 2 | Low | +| Total | | 25 | Low | diff --git a/design/authenticators/authn_sut/psm.drawio b/design/authenticators/authn_sut/psm.drawio new file mode 100644 index 0000000000..ab70612726 --- /dev/null +++ b/design/authenticators/authn_sut/psm.drawio @@ -0,0 +1,95 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
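Review bot: The "Existing Authenticators" list in the first AUTHENTICATORS.md hunk (@@ -4,24 +4,26 @@) is restyled but gets no link to the new authn_sut/authn_sut_solution_design.md, although the Azure and GCP solution designs are linked from the same list; either add the entry or say in the commit message that the link is deferred until the authenticator exists. In the @@ -112,22 +118,26 @@ hunk the `yaml` fence under step 1 of the policy steps is indented into its list item, but the `txt` fence under step 1 of "Creating custom authenticators" appears to stay at column 0, which ends the ordered list in many Markdown renderers before step 2; indent it the same way. These formatting-only changes would also be easier to review as a separate commit from the SUT design.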
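Review bot: In authn_sut_solution_design.md, the Data Model section and the `authn_sut_tokens` migration never say that checking a SUT and setting `used_at` happen atomically, so two concurrent `authenticate` requests carrying the same SUT could both find `used_at` NULL and both receive an access token. Suggest specifying redemption as one conditional update keyed on `guid_hash` that requires `used_at IS NULL` and an unexpired `expires_at` and succeeds only when exactly one row changes; stating that, if the authenticate URL carries a username as the existing `/:username/authenticate` pattern does, the row's `role_id` must match it; and adding a concurrent-redemption row to the integration test table, which only has the sequential "Used SUT" case. Two further points in the same file: the API section describes `login` as a `GET` with the username and password "in the request body", while AUTHENTICATORS.md says login credentials are sent with Basic Authentication, so the design should name the header and acknowledge that this GET creates a database row on every call; and the PSM Integration Workflow puts the SUT in `GET /ui/callback?sut=`, where it can be recorded in browser history, proxy and server access logs and Referer headers, so the design should require the UI to redeem the SUT immediately, remove it from the address bar afterwards, and keep the query string out of logs. The "Assumptions and Prerequisites" section also still holds the template's prompt text rather than actual assumptions.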
diff --git a/design/authenticators/authn_sut/psm.png b/design/authenticators/authn_sut/psm.png
new file mode 100644
index 0000000000000000000000000000000000000000..fa512e85bb6fbbfbb345a7c2c4eb399f84619ddc
GIT binary patch
literal 40134
z4U=jk*ae=R?f@nmA7p1Is#BpU_`_q=fcx8JfRwLQQ)9kpx@aVbaO*L7-__?-?a$1u z$iRQ$&KN$SqKUWSPw^OW7bF&>&U*k$hj$%754v?Dij6e@Ib$3A@@ih;Zq7DUnFLA+ z&Pnp9S~;pRT`!O?>hC?fUAhIq$n2RPI|nhjJqtxeE+B%FY^LFB)k#FEMs8E8$QSVD zf(K*IsPEkqlFJAY@js({z5OF@U)g$IqhZj=-=xvgVXD8MAMaO&b+eeVwUBx`Ff>0%{ z{vzNEDfP7C4%W>?+z%+)m4BOYaNjOrHyxbvF8i4QN1b_#GL-}x=f?-i(plc{o)(qY zc5BXu+Dse0hc6|WvI|)1*Z7zs+hVy@cAi?O_bNCxqP=Jph|NCNn22z7SVTg3uN02S zpsHMMtn_oS{}6M%QA8sTB9-kA07+WwlU?(5bia#BN<3IABIE)2(snxDlz4D!2-(=U}BuGw@bG@oTx7OZdK3*KKqb9&GhYNyw zBu}NoS)>lK$GahZY&wuSMRwjFaLqxyC=~Jm;ulaIr4;gnLZBdubAqs4l@@`TQ_vto z2e^`YjBYRQn#g|Z@*ciY3w5kT1qAawnd_R7HWDYg{uC-S|415o;zRh{(Ma0^mQ)`* zJ^d+3cURs`K{%i1Wq-R?D9#h-v|&A5K$30Yn}yT6QRQ+@Ue#7aZH%IRj-KHxU1d7GVM<~iT z=pzpp7HR((oh37Qh;V5`fw=`;0|+F2fi)&8N)vcq>p>+H01o}_+nHAEKWADa%ImBz zC^&JN_r%BULj;*Ay{J!WXQ z#gDZ8@5$p!m@Z0#E|Sw2Bo{RJN;)}+Ywp6ckIqw;erZY*&`m^qNzX9Ce7((~ffg^| zIscN&GW#aNQ%kA|)1puMIKdX7AVjd}lURau32gJaFI$!KT8cvA)7KpTYCV*cUqfGF zKN7T)!-Rj0v;av9T=rK_9Xr;tG1499u$zJC(qS_I<1s{%ohbf^4qwG=sC!!b%RQyS zdxNF=D6mZO`JgX)-X=O_O0{*RZy{C#yq26Gf|@$loam)ZRzif4dmyKP!rqj%vtjHq zCjkhzvK5JYF9g-d8tcg3KjoM%Y6W~qT)seJ@L{ygzS&Se>2U$Tp8HLUXOa3jmM-#& ziz}G(Uaihb-kw@^ULUU)Q0*;!f}y<}qNo5<8v%F|#o?wLul&z?FGx>L_Tr>nBD$Ij z);r6rTjn4dd_D?k_Z%LdhQ#F(_A_(~;vuiM3l9rBz_EYpPFT`A-@0g4ofM1tX zrGHeRJ@WAel*XUzCiLOhqi2(}OK^nJy)`n)1eV;#nP66RAQyeLK zOJ5`b)Aa-Ro|w=0jl-5wc2{15!sh}^ z-D3H}3-tUFWU#er0<^NJL5bh51p{+!#d?mNK;h0nzvsY&MmU(WK~+68np#<10EUqu zOb=JU^<0_4h|QU;^C^-U(g%fvBw9eHMH{+VZHe&0jm*q&H!n@cT$7^dU@+UuaS>Ey zk-i9;5K(fF`19fj02Sb><|Of}o6FN&s<}TxcC21kr)QU_lYOL5P1H1^2u?j?TKuZr z#(}>7u(5vsM+4NrCo9R0u;S;=oxM~BWiN%BIiWt78iT%Dl1B&jD*Q;jD>E3}uh0^UHQA$X&E1Uh?haNsUAgKO(B zCsZwKcbW@s+=z&J)F`Xjo5zGge%T?OqRw@1PHt{8FxvaQa?4$~(yk8en}_z22&|;N z7R$d%ZHRR-KPoqPk&#kfWjllOmBWjPl=1N2RJF7~C-wLD|Js1%KCOd$$dXXbiKVy~_#1u`mnFFSqzkjy2w!VQ5&wRZNu`teN&GS_#OkAg< zbvfx-4RcY;zY=bCt9G6TpA@%w@Zau+4%+u6s9}$;g1Aih%Tz7A;lobGV{yCyipH$m zTu~|eK~onO7a*nO2*b)Tuj})LvaA;zl9El=$Df2>H7|3UtI`05`G={gsfA51E9Xap 
zOuurp+O55e4&K!BAtQ%}eIvS3FW$!85qLwtep|b`u4n)NxLF0ytQ>OOuyq$#*Y2*a zuHT4b_n@@XczY|P?wjslU}gHLw|A`%ZcMsN!F%&luw;JYo^P^sxtu8UWef{*S5tf^ ze$~Ra;is-$L7Ca}S=A)(!W19Q-J#HkT8&;9`EtF2!^A2Bk;M*Fq}2Bg))#Ilp{<7ziv54!nq3Ll zaEqg8s*eDlNPX0f?8Fy8-I^Vmic&1@`F`YH&u745;()vAv`$B(&>2*!gQ=Ok^|F|L zb*=($`uoBlmSRReD|7YvJ;6-=JdLd%dnRu$A2BnG)F$SWQn4ou5M+ zq9T{>BMVZ$m;U*FOH<=R_OR}@mvHHSVhL9ki(R0VUQLR&ja zn3y#z$n0?m**V`siSoYiUNvOZ42qmyMqj3eo!4^TfSzS*B)!w5g#`EZ9hI2%y;fvv z6H)O}lLGfY-)UWdjAv!l$^+9oFXI(Qt9s4%Gw9|aU#`&DVNGFF(yoJr3D&vL@)?tb zhGm`KDE>d!MAprJFt_JK3g(j{W*VYKA()aa&JBW_4Ob@lhHwzlrGumrvlO=F>i-PJO%!~ z@RxrHN}HjFFVMP`iv3#y#Ei(X{_j@PT(Hr`Bcu=F#6((pchFRP`?p5IA}qb@>jXI} z)w^u6yvKK;L$TMFeQwRjlrUWq^=-KIqWt8(L`!5MZ$v$9q|R|niDwEb(~56RcuQ}L z`E%IV=sik<82YY^DB;V!6_clqZyk;QQOvh7O(_2GwqFUJYCHEeD=tgZgcp?TH`*Fs zX?kK*IUY>KD!)f#;mbcq3+oy>#A3@|Dvs*DcB&Ijs?^>JK3|molh+(8{V%xD|Ko7` zQvKk_@UZ8oLdAj{sFXw39S?MvqarCUcs|uXT!n0-RbHKF zM$<86(F3q$L>?ZzBanwjf+M7B|Jlg9HvKOf=D+KW{#Q)y|1Z}JE16wgQt?qdfTU&F z48#MzCe&LIX1KJJ3=%w8ytZjg8JI~rQtGP>^;rlK7_=R;qARa#9j5c3XC_BJ`z7%2 z$pB|;!3t(O|N8(1&4*yK?dYV*pot{b{~V8olOz9|=Ai#2N6h~u+yCZdyZE0gx5}eD k?|OF(inRP+JWppi@1>~{>xG#d$>2XNwd1Ne%9eir3;yIq`2YX_ literal 0 HcmV?d00001 diff --git a/design/authenticators/authn_sut/sut.drawio b/design/authenticators/authn_sut/sut.drawio new file mode 100644 index 0000000000..cea4809276 --- /dev/null +++ b/design/authenticators/authn_sut/sut.drawio @@ -0,0 +1,72 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/design/authenticators/authn_sut/sut.png b/design/authenticators/authn_sut/sut.png new file mode 100644 index 0000000000000000000000000000000000000000..88f71cdd3cd59e14be9e21144d767c6b8d733e87 GIT binary patch literal 21696
diff --git a/design/authenticators/authn_sut/sut_3rd_party.drawio b/design/authenticators/authn_sut/sut_3rd_party.drawio new file mode 100644 index 0000000000..996fb4a636 --- /dev/null +++ b/design/authenticators/authn_sut/sut_3rd_party.drawio @@ -0,0 +1,92 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
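Review bot: sut_3rd_party.drawio goes in as 92 lines of diagram source while sut_3rd_party.png, the next file in the patch, is added as a separate binary, and nothing visible here ties the two together. A later edit to the .drawio that skips the re-export leaves a stale picture in the repository, so a short note on how the PNG is regenerated from the .drawio source would help.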
diff --git a/design/authenticators/authn_sut/sut_3rd_party.png b/design/authenticators/authn_sut/sut_3rd_party.png new file mode 100644 index 0000000000000000000000000000000000000000..12b876801b60b68f1ccd59dcdbe2a7029a769499 GIT binary patch literal 30333
zK8gx038cmusQz?n@$?AieCfgAyXNTB5kBN4uS0|42u%3H&r=_st=@MkN_mm^s?pCw z#Y3R7gr0y{=sCwS^FmkkU9HCXnx1Ju5A17{!D@{Dw=UL>nW}>fQB~^@G{xLXSI!Fn z0p<^DJVoge7q-lQ@@a;?v?iqkgr5vRhb4PDUu}>M|1cyELmRFEEfQ+d9Stcv$8u}J z!$L!SiWv0~G8iNf1a*w97-fR$1>ylc4G#ck%tcLKl^>ooh=aF>6g@MZ0oey(P(^f6 zx026vX?dFV2B3D}WwjjQ8pPJwH!E>#BA$k=P_{pnj=JhJsCB&ZV_s^vVd3)mtp`k-Fo+rW|`>FW00q!d>2r2En2(m=vD7WM2I{Q^Ke=-Vxj;bW-o*|M__W$R>nwg zXRjZ`IwHS}HG}{bW)UybE$3$1zGXl*mjqNnf&PJ2)_JM~XK{$6QhjgbUIEoD3kE{) zdXMdI2D8otRP%ZA${^km2}KkX@nP7IDHwFLWBv&|D88*B^!2Ui;pF|;_LA0-DT5>D z)CC9AHrHZ!b$8S>zQE(8xsu<)Vd_m$oBc^6LeZxESAmed{cVZa+zg7Kn8|#z0aeeY zji@#8?fjy6DtBA(QhMQ?LrkUKAH+DHYoLj8}%~#z+xymI5xn= zZT&jsj2D96z2BQdGbec)e{Pu>DpF_%2D_(vr@r&*t1?e3xl^>`e-Gd5fVm@%B__fT z?D9=#-h=X$jr|cX%}~qk2F=kP#|D~ONo3^Y%HGs$Ui71ZcW@@~Fy&R{WJJn9@%w`~ zwzJ+ptO}GgX~-Og#3_?{GAQsi^IrDqU$%Z3*Jb_9(AAOHE8Vqysckfw zP1??O8mS9=?^XpKAxasD9!UY`TZngx^gH%9JWZZ{|FEcQiMEge^+r(J*KnLBNN^1p zt$F2}cR<+ju+dg3mY5VFCu&_)#AJpk*Y+4ifHqnf`c}ah8qiEm{!63L`{g!;(b~JH zPsHR5XiQy*@S%g2fRXSa|LHgJq8;X#C32f3>LN9sRyDtYoBL|189Oj`*of-PXcDU~ zI<_eslLP}Kj zr#NM=j_W)a#6*+<0Q?c=Qt6S~zxbUDmE4^i^cT>iGAoocb};ns`&!$``1BO$Yj`(j z{w8x$u3O;5QDsk6CZx1Ih@1~oj z^%vV{UcOGYnA#+ksJSR%bB!sriM}Kn7;oDxbuJssZ(%gB4rS&UnVkFJ{7nx_tFew> z^)yDP49-;^vdS~I$^vSW@p=><;Em&3;$<{~=hEGD`dP${Z?0S~(4w}9kUeZWn=Wig z)TK7k+u`7StrJuQyW7#n_FbMWopmD#%bhwhG{mC)1I}k!dm2G`Q~GB~xg~YI2S9Y~ zVD$sU&4_sr$|go79HzG>2%xE}d=)?)6JCbG}7BZ zU1#l4VL4N9F^l*zkN&9CY+Xz0(W?|?>Z!NNdtxath*MOgCq7SWS8HySbdH&tLD6c9N*-IW&Nwr71vid3pzDr_O{g2u?%YhdbI}W99z7$hZRp(+iga;lW9jkQ z@7uExC!VSBr+N9MV9~d|&{OJbJ6s9os!-umm~IR?bG`g0W>(AS?NDxStO}on71C&@ zN0I8%1Yv^667u|dcKtG(R?m{#k3w8((u23h|KY!VVH%H$DF%JF4oqq;W} zHEn#IE|xQg@pHnY70CQ0W#9|n`RlpBZi7 z(2X~bQ>uahO@X#w9#={v5i5*YRy(nyo_y}SwI!>L!2c5A@haFafbsL9e_%^y8*J-b z->z~2Jt%l{T75V1SQ!`hZB#*u$=5-5IsE&`A(h{Pp?WRiyywh^x;1?l(cVV8#?%H@bMn6(HI05n}P%%o@~$qcx>y=ff~ySe9&@Js^^JgB@zV>_kQ?~KDxsY+qTaf#xJOx`W@P*F0Lz77DiqPBvglM+wej*nAW&;C}!7N zux5R~WehQM81P34x*`kKQ^XoOu>6GT+E!(3_4R-%N!Y=UZeT<^EzyknP 
zGVH6ua+?&Fg!JG17PqBiZluM`Kf$6lLvnbJtAKmc8R@?8|J6C>KkEF2rj)Eh(X*lL z7ns*}@R?5iP9y}shb=d8WucdiFXL$CYYt69+xXET_%-moqJ!vXHgSi6nFUoDg!qz&@u3wzOJw!(@S{`6EZL=DNL+oRWN1 z-tgmHKq)jNYQA0P#Meji zgsGidE#bkK{X)^m#TE|B;+#m4_+YOs%b58Z@c0uo0*u^6^L~2f=3M#TFb8rUw?2