From 493d163de919636e1ee33f694ba460a7cacee0c0 Mon Sep 17 00:00:00 2001 From: Basilio Bogado <541149+basiliskus@users.noreply.github.com> Date: Mon, 9 Sep 2024 14:09:43 -0700 Subject: [PATCH 1/7] Updated OML FHIR event display --- .../datatests/FHIR_to_HL7/sample_OML_20231013-0002.fhir | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prime-router/src/testIntegration/resources/datatests/FHIR_to_HL7/sample_OML_20231013-0002.fhir b/prime-router/src/testIntegration/resources/datatests/FHIR_to_HL7/sample_OML_20231013-0002.fhir index 9fe84199462..1911df7fcdc 100644 --- a/prime-router/src/testIntegration/resources/datatests/FHIR_to_HL7/sample_OML_20231013-0002.fhir +++ b/prime-router/src/testIntegration/resources/datatests/FHIR_to_HL7/sample_OML_20231013-0002.fhir @@ -73,7 +73,7 @@ "eventCoding" : { "system" : "http://terminology.hl7.org/CodeSystem/v2-0003", "code" : "O21", - "display" : "OML - Laboratory order" + "display" : "OML^O21^OML_O21" }, "destination" : [ { From 02816022f301b64f160d1a722f3fbe165ad42db0 Mon Sep 17 00:00:00 2001 From: Stephen Nesman <94193373+snesm@users.noreply.github.com> Date: Tue, 17 Sep 2024 09:54:26 -0400 Subject: [PATCH 2/7] pin ca.uhn.hapi.fhir:org.hl7.fhir.utilities:6.3.24 and ca.uhn.hapi.fhir:org.hl7.fhir.r4:6.3.24 (#15863) * Remediate Snyk finding * Code updates for updated FHIR library --------- Co-authored-by: Michael Kalish --- prime-router/build.gradle.kts | 3 ++ .../main/kotlin/cli/ProcessFhirCommands.kt | 2 +- .../engine/CustomFhirPathFunctions.kt | 2 +- .../translation/hl7/utils/ConstantResolver.kt | 35 ++++++++++++++----- .../hl7/utils/CustomFHIRFunctions.kt | 2 +- .../hl7/utils/FhirPathFunctions.kt | 3 +- .../translation/hl7/utils/FhirPathUtils.kt | 10 +++--- .../hl7/utils/ConstantResolverTests.kt | 28 ++++++++------- .../hl7/utils/FhirPathUtilsTests.kt | 8 ++--- 9 files changed, 58 insertions(+), 35 deletions(-) 
diff --git a/prime-router/build.gradle.kts b/prime-router/build.gradle.kts index 90a5971f314..b64a5b7208e 100644 --- a/prime-router/build.gradle.kts +++ b/prime-router/build.gradle.kts @@ -858,6 +858,9 @@ dependencies { // https://mvnrepository.com/artifact/ca.uhn.hapi.fhir/hapi-fhir-caching-caffeine implementation("ca.uhn.hapi.fhir:hapi-fhir-caching-caffeine:7.2.2") implementation("ca.uhn.hapi.fhir:hapi-fhir-client:7.2.2") + // pin + implementation("ca.uhn.hapi.fhir:org.hl7.fhir.utilities:6.3.24") + implementation("ca.uhn.hapi.fhir:org.hl7.fhir.r4:6.3.24") implementation("ca.uhn.hapi:hapi-base:2.5.1") implementation("ca.uhn.hapi:hapi-structures-v251:2.5.1") implementation("ca.uhn.hapi:hapi-structures-v27:2.5.1") diff --git a/prime-router/src/main/kotlin/cli/ProcessFhirCommands.kt b/prime-router/src/main/kotlin/cli/ProcessFhirCommands.kt index 32321a12871..0b2d70a7149 100644 --- a/prime-router/src/main/kotlin/cli/ProcessFhirCommands.kt +++ b/prime-router/src/main/kotlin/cli/ProcessFhirCommands.kt @@ -39,11 +39,11 @@ import gov.cdc.prime.router.fhirengine.translation.hl7.utils.FhirPathUtils import gov.cdc.prime.router.fhirengine.utils.FhirTranscoder import gov.cdc.prime.router.fhirengine.utils.HL7Reader import gov.cdc.prime.router.fhirengine.utils.getObservations +import org.hl7.fhir.r4.fhirpath.FHIRLexer.FHIRLexerException import org.hl7.fhir.r4.model.Base import org.hl7.fhir.r4.model.Bundle import org.hl7.fhir.r4.model.Extension import org.hl7.fhir.r4.model.Reference -import org.hl7.fhir.r4.utils.FHIRLexer.FHIRLexerException /** * Process data into/from FHIR. diff --git a/prime-router/src/main/kotlin/fhirengine/engine/CustomFhirPathFunctions.kt b/prime-router/src/main/kotlin/fhirengine/engine/CustomFhirPathFunctions.kt index 5fcfcaeb1f1..0083feea221 100644 --- a/prime-router/src/main/kotlin/fhirengine/engine/CustomFhirPathFunctions.kt +++ b/prime-router/src/main/kotlin/fhirengine/engine/CustomFhirPathFunctions.kt 
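Review bot: The `// pin` comment above the two added `implementation(...)` lines in `build.gradle.kts` does not say what the pin protects against. The commit message mentions a Snyk finding, and that reason belongs next to the pin so a later dependency clean-up does not drop it unnoticed. Something like `// pinned to 6.3.24 to remediate <Snyk finding id>; revisit when hapi-fhir itself resolves to >= 6.3.24` would do, where the id is a placeholder to fill in. The pin covers only `org.hl7.fhir.utilities` and `org.hl7.fhir.r4`; if hapi-fhir 7.2.2 brings in other `org.hl7.fhir.*` core modules transitively, check the resolved graph to confirm they are not left at a different version from these two. The `dependencies` block starts and ends outside the hunk.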
@@ -10,11 +10,11 @@ import gov.cdc.prime.router.common.NPIUtilities import gov.cdc.prime.router.fhirengine.translation.hl7.SchemaException import gov.cdc.prime.router.metadata.GeoData import gov.cdc.prime.router.metadata.LivdLookup +import org.hl7.fhir.r4.fhirpath.FHIRPathUtilityClasses.FunctionDetails import org.hl7.fhir.r4.model.Base import org.hl7.fhir.r4.model.Device import org.hl7.fhir.r4.model.Observation import org.hl7.fhir.r4.model.StringType -import org.hl7.fhir.r4.utils.FHIRPathUtilityClasses.FunctionDetails import java.time.LocalDate import java.util.Date import java.util.UUID diff --git a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/ConstantResolver.kt b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/ConstantResolver.kt index 5263b8c0ad4..d15800abd95 100644 --- a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/ConstantResolver.kt +++ b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/ConstantResolver.kt @@ -9,14 +9,14 @@ import org.apache.commons.text.StringSubstitutor import org.apache.commons.text.lookup.StringLookup import org.apache.logging.log4j.kotlin.Logging import org.hl7.fhir.exceptions.PathEngineException +import org.hl7.fhir.r4.fhirpath.FHIRPathEngine +import org.hl7.fhir.r4.fhirpath.FHIRPathUtilityClasses +import org.hl7.fhir.r4.fhirpath.TypeDetails import org.hl7.fhir.r4.model.Base import org.hl7.fhir.r4.model.Bundle import org.hl7.fhir.r4.model.IntegerType import org.hl7.fhir.r4.model.StringType -import org.hl7.fhir.r4.model.TypeDetails import org.hl7.fhir.r4.model.ValueSet -import org.hl7.fhir.r4.utils.FHIRPathEngine -import org.hl7.fhir.r4.utils.FHIRPathUtilityClasses.FunctionDetails import java.lang.IllegalArgumentException import java.lang.NumberFormatException 
@@ -145,7 +145,13 @@ class ConstantSubstitutor { */ class FhirPathCustomResolver(private val customFhirFunctions: FhirPathFunctions? = null) : FHIRPathEngine.IEvaluationContext, Logging { - override fun resolveConstant(appContext: Any?, name: String?, beforeContext: Boolean): List { + override fun resolveConstant( + engine: FHIRPathEngine?, + appContext: Any?, + name: String?, + beforeContext: Boolean, + explicitConstant: Boolean, + ): List { // Name is always passed in from the FHIR path engine require(!name.isNullOrBlank()) @@ -210,7 +216,12 @@ class FhirPathCustomResolver(private val customFhirFunctions: FhirPathFunctions? } } - override fun resolveConstantType(appContext: Any?, name: String?): TypeDetails { + override fun resolveConstantType( + engine: FHIRPathEngine?, + appContext: Any?, + name: String?, + explicitConstant: Boolean, + ): TypeDetails { throw NotImplementedError("Not implemented") } @@ -218,19 +229,25 @@ class FhirPathCustomResolver(private val customFhirFunctions: FhirPathFunctions? throw NotImplementedError("Not implemented") } - override fun resolveFunction(functionName: String?): FunctionDetails? { + override fun resolveFunction( + engine: FHIRPathEngine?, + functionName: String?, + ): FHIRPathUtilityClasses.FunctionDetails? { return CustomFHIRFunctions.resolveFunction(functionName, customFhirFunctions) } override fun checkFunction( + engine: FHIRPathEngine?, appContext: Any?, functionName: String?, + focus: TypeDetails?, parameters: MutableList?, ): TypeDetails { throw NotImplementedError("Not implemented") } override fun executeFunction( + engine: FHIRPathEngine?, appContext: Any?, focus: MutableList?, functionName: String?, 
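Review bot: `resolveConstant` now accepts `engine` and `explicitConstant`, but nothing in the visible lines reads them and no KDoc says whether ignoring them is intended. The same applies to the `engine` parameter added to `resolveFunction`, `executeFunction` and `resolveReference`. A short comment on the override would settle it for the next reader, for example `// engine and explicitConstant are required by the 6.3.24 IEvaluationContext signature and are intentionally unused`. If `explicitConstant` is meant to change which names resolve, that needs handling here. The updated calls in `ConstantResolverTests.kt` always pass `false`, so a `true` case is not exercised. The function body continues outside the hunk.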
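Review bot: `resolveConstantType` and `checkFunction` in these hunks, and `conformsToProfile` and `resolveValueSet` in the later `@@ -256,11 +273,11 @@` hunk, still `throw NotImplementedError("Not implemented")`. Kotlin's `NotImplementedError` is an `Error`, so the `catch (e: Exception)` visible in the `FhirPathUtils.kt` hunk will not turn it into the usual error message. Whether the 6.3.24 engine reaches these callbacks on paths the old version did not is not visible here, but the signature change is a good moment to make the failure catchable. `PathEngineException` is already imported in this file, so one option is `throw PathEngineException("resolveConstantType is not supported")`, and likewise for the other three. That way an expression that hits an unsupported callback is reported through the existing error handling instead of escaping as an `Error`.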
@@ -246,7 +263,7 @@ class FhirPathCustomResolver(private val customFhirFunctions: FhirPathFunctions? } } - override fun resolveReference(appContext: Any?, url: String?, refContext: Base?): Base? { + override fun resolveReference(engine: FHIRPathEngine?, appContext: Any?, url: String?, refContext: Base?): Base? { // Name is always passed in from the FHIR path engine require(!url.isNullOrBlank()) @@ -256,11 +273,11 @@ class FhirPathCustomResolver(private val customFhirFunctions: FhirPathFunctions? } } - override fun conformsToProfile(appContext: Any?, item: Base?, url: String?): Boolean { + override fun conformsToProfile(engine: FHIRPathEngine?, appContext: Any?, item: Base?, url: String?): Boolean { throw NotImplementedError("Not implemented") } - override fun resolveValueSet(appContext: Any?, url: String?): ValueSet { + override fun resolveValueSet(engine: FHIRPathEngine?, appContext: Any?, url: String?): ValueSet { throw NotImplementedError("Not implemented") } } \ No newline at end of file diff --git a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/CustomFHIRFunctions.kt b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/CustomFHIRFunctions.kt index 8b6fb6f0734..e6986f75388 100644 --- a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/CustomFHIRFunctions.kt +++ b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/CustomFHIRFunctions.kt 
@@ -4,13 +4,13 @@ import ca.uhn.fhir.model.api.TemporalPrecisionEnum import fhirengine.translation.hl7.utils.FhirPathFunctions import fhirengine.translation.hl7.utils.helpers.convertDateToAge import gov.cdc.prime.router.fhirengine.translation.hl7.SchemaException +import org.hl7.fhir.r4.fhirpath.FHIRPathUtilityClasses.FunctionDetails import org.hl7.fhir.r4.model.Base import org.hl7.fhir.r4.model.BaseDateTimeType import org.hl7.fhir.r4.model.BooleanType import org.hl7.fhir.r4.model.DateTimeType import org.hl7.fhir.r4.model.IntegerType import org.hl7.fhir.r4.model.StringType -import org.hl7.fhir.r4.utils.FHIRPathUtilityClasses.FunctionDetails import java.time.DateTimeException import java.time.ZoneId import java.util.TimeZone diff --git a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathFunctions.kt b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathFunctions.kt index 19128b571c3..6a7d0da648c 100644 --- a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathFunctions.kt +++ b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathFunctions.kt @@ -1,7 +1,8 @@ package fhirengine.translation.hl7.utils +import org.hl7.fhir.r4.fhirpath.FHIRPathUtilityClasses.FunctionDetails import org.hl7.fhir.r4.model.Base -import org.hl7.fhir.r4.utils.FHIRPathUtilityClasses.FunctionDetails + /** * This interface contains the required method signatures required to implement custom FHIR functions */ diff --git a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathUtils.kt b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathUtils.kt index d658e2d73f2..e7328517f36 100644 --- a/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathUtils.kt +++ b/prime-router/src/main/kotlin/fhirengine/translation/hl7/utils/FhirPathUtils.kt 
@@ -8,6 +8,9 @@ import gov.cdc.prime.router.fhirengine.translation.hl7.HL7ConversionException import gov.cdc.prime.router.fhirengine.translation.hl7.SchemaException import gov.cdc.prime.router.fhirengine.translation.hl7.schema.converter.ConverterSchemaElement import org.apache.logging.log4j.kotlin.Logging +import org.hl7.fhir.r4.fhirpath.ExpressionNode +import org.hl7.fhir.r4.fhirpath.FHIRLexer +import org.hl7.fhir.r4.fhirpath.FHIRPathEngine import org.hl7.fhir.r4.hapi.ctx.HapiWorkerContext import org.hl7.fhir.r4.model.Base import org.hl7.fhir.r4.model.BaseDateTimeType @@ -15,11 +18,8 @@ import org.hl7.fhir.r4.model.BooleanType import org.hl7.fhir.r4.model.Bundle import org.hl7.fhir.r4.model.DateTimeType import org.hl7.fhir.r4.model.DateType -import org.hl7.fhir.r4.model.ExpressionNode import org.hl7.fhir.r4.model.InstantType import org.hl7.fhir.r4.model.TimeType -import org.hl7.fhir.r4.utils.FHIRLexer.FHIRLexerException -import org.hl7.fhir.r4.utils.FHIRPathEngine import java.time.DateTimeException import java.time.LocalTime import java.time.format.DateTimeFormatter @@ -97,7 +97,7 @@ object FhirPathUtils : Logging { } else { pathEngine.evaluate(appContext, focusResource, bundle, bundle, expressionNode) } - } catch (e: FHIRLexerException) { + } catch (e: FHIRLexer.FHIRLexerException) { logger.error("${e.javaClass.name}: Syntax error in FHIR Path $expression.") emptyList() } catch (e: IndexOutOfBoundsException) { @@ -145,7 +145,7 @@ object FhirPathUtils : Logging { } } catch (e: Exception) { val msg = when (e) { - is FHIRLexerException -> "Syntax error in FHIR Path expression $expression" + is FHIRLexer.FHIRLexerException -> "Syntax error in FHIR Path expression $expression" is SchemaException -> e.message.toString() else -> "Unknown error while evaluating FHIR Path expression $expression for condition. " + 
diff --git a/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/ConstantResolverTests.kt b/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/ConstantResolverTests.kt index 7920025ac12..7f55193b5b0 100644 --- a/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/ConstantResolverTests.kt +++ b/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/ConstantResolverTests.kt 
@@ -86,24 +86,24 @@ class ConstantResolverTests { @Test fun `test fhir path resolver`() { mockkObject(FhirPathUtils) - assertFailure { FhirPathCustomResolver().resolveConstant(null, null, false) } - assertFailure { FhirPathCustomResolver().resolveConstant(null, "const1", false) } + assertFailure { FhirPathCustomResolver().resolveConstant(null, null, null, false, false) } + assertFailure { FhirPathCustomResolver().resolveConstant(null, null, "const1", false, false) } .hasClass(PathEngineException::class.java) val integerValue = 99 val urlPrefix = "https://reportstream.cdc.gov/fhir/StructureDefinition/" val constants = sortedMapOf("const1" to "'value1'", "int1" to "'$integerValue'", "rsext" to "'$urlPrefix'") val context = CustomContext.addConstants(constants, CustomContext(Bundle(), Bundle())) - assertThat(FhirPathCustomResolver().resolveConstant(context, "const2", false)).isEmpty() - assertThat(FhirPathCustomResolver().resolveConstant(context, "const1", false)).isNotNull() - var result = FhirPathCustomResolver().resolveConstant(context, "int1", false) + assertThat(FhirPathCustomResolver().resolveConstant(null, context, "const2", false, false)).isEmpty() + assertThat(FhirPathCustomResolver().resolveConstant(null, context, "const1", false, false)).isNotNull() + var result = FhirPathCustomResolver().resolveConstant(null, context, "int1", false, false) assertThat(result).isNotNull() assertThat(result).isNotEmpty() assertThat(result[0] is IntegerType).isTrue() assertThat((result[0] as IntegerType).value).isEqualTo(integerValue) // Now lets resolve a constant - result = FhirPathCustomResolver().resolveConstant(context, "const1", false) + result = FhirPathCustomResolver().resolveConstant(null, context, "const1", false, false) assertThat(result).isNotNull() assertThat(result.isNotEmpty()) assertThat(result[0].isPrimitive).isTrue() 
@@ -114,21 +114,21 @@ class ConstantResolverTests { // Test the ability to resolve constants with suffix val urlSuffix = "SomeSuffix" - result = FhirPathCustomResolver().resolveConstant(context, "`rsext-$urlSuffix`", false) + result = FhirPathCustomResolver().resolveConstant(null, context, "`rsext-$urlSuffix`", false, false) assertThat(result).isNotNull() assertThat(result.isNotEmpty()) assertThat(result[0].isPrimitive).isTrue() assertThat(result[0]).isInstanceOf(StringType::class.java) assertThat((result[0] as StringType).value).isEqualTo("$urlPrefix$urlSuffix") - result = FhirPathCustomResolver().resolveConstant(context, "`rsext`", false) + result = FhirPathCustomResolver().resolveConstant(null, context, "`rsext`", false, false) assertThat(result).isNotNull() assertThat(result.isNotEmpty()) assertThat(result[0].isPrimitive).isTrue() assertThat(result[0]).isInstanceOf(StringType::class.java) assertThat((result[0] as StringType).value).isEqualTo(urlPrefix) - result = FhirPathCustomResolver().resolveConstant(context, "unknownconst", false) + result = FhirPathCustomResolver().resolveConstant(null, context, "unknownconst", false, false) assertThat(result).isEmpty() } @@ -144,7 +144,7 @@ class ConstantResolverTests { val constants = sortedMapOf("const1" to "'value1'") // this does not matter but context wants something val context = CustomContext.addConstants(constants, CustomContext(Bundle(), Bundle())) - val result = FhirPathCustomResolver().resolveConstant(context, "const1", false) + val result = FhirPathCustomResolver().resolveConstant(null, context, "const1", false, false) assertThat(result).isNotNull() assertThat(result.isNotEmpty()) assertThat(result.size == 3) @@ -167,6 +167,7 @@ class ConstantResolverTests { val context = CustomContext(Bundle(), Bundle()) assertThat( FhirPathCustomResolver(CustomFhirPathFunctions()).executeFunction( + null, context, mutableListOf(Observation()), "livdTableLookup", 
@@ -180,6 +181,7 @@ class ConstantResolverTests { val context = CustomContext(Bundle(), Bundle()) assertFailure { FhirPathCustomResolver(CustomFhirPathFunctions()).executeFunction( + null, context, mutableListOf(Observation()), "unknown", @@ -198,15 +200,15 @@ class ConstantResolverTests { val bundle = Bundle() val customContext = CustomContext(bundle, bundle) - assertThat(FhirPathCustomResolver().resolveReference(customContext, org2Url, null)).isNull() + assertThat(FhirPathCustomResolver().resolveReference(null, customContext, org2Url, null)).isNull() bundle.addEntry().resource = org1 bundle.entry[0].fullUrl = "Organization/${org1.id}" - assertThat(FhirPathCustomResolver().resolveReference(customContext, org2Url, null)).isNull() + assertThat(FhirPathCustomResolver().resolveReference(null, customContext, org2Url, null)).isNull() bundle.addEntry().resource = org2 bundle.entry[1].fullUrl = org2Url - val reference = FhirPathCustomResolver().resolveReference(customContext, org2Url, null) + val reference = FhirPathCustomResolver().resolveReference(null, customContext, org2Url, null) assertThat(reference).isNotNull() assertThat(reference).isEqualTo(org2) } diff --git a/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/FhirPathUtilsTests.kt b/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/FhirPathUtilsTests.kt index e228719e1ca..173f4a61642 100644 --- a/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/FhirPathUtilsTests.kt +++ b/prime-router/src/test/kotlin/fhirengine/translation/hl7/utils/FhirPathUtilsTests.kt @@ -28,6 +28,7 @@ import io.mockk.spyk import io.mockk.verify import org.apache.logging.log4j.kotlin.KotlinLogger import org.hl7.fhir.exceptions.PathEngineException +import org.hl7.fhir.r4.fhirpath.FHIRLexer import org.hl7.fhir.r4.model.Bundle import org.hl7.fhir.r4.model.DateTimeType import org.hl7.fhir.r4.model.DateType 
@@ -37,7 +38,6 @@ import org.hl7.fhir.r4.model.InstantType import org.hl7.fhir.r4.model.Observation import org.hl7.fhir.r4.model.ServiceRequest import org.hl7.fhir.r4.model.TimeType -import org.hl7.fhir.r4.utils.FHIRLexer.FHIRLexerException import org.junit.jupiter.api.BeforeEach import java.util.Date import kotlin.test.Test @@ -69,7 +69,7 @@ class FhirPathUtilsTests { assertThat(FhirPathUtils.parsePath("")).isNull() // Invalid fhir path syntax - assertFailsWith { FhirPathUtils.parsePath("Bundle.#*($&id.exists()") } + assertFailsWith { FhirPathUtils.parsePath("Bundle.#*($&id.exists()") } } @Test @@ -101,7 +101,7 @@ class FhirPathUtilsTests { FhirPathUtils.evaluateCondition(null, bundle, bundle, bundle, path) } catch (e: Exception) { assertThat(e).isInstanceOf() - assertThat(e.cause).isNotNull().isInstanceOf() + assertThat(e.cause).isNotNull().isInstanceOf() } } @@ -193,7 +193,7 @@ class FhirPathUtilsTests { verify { mockedLogger.error( - "org.hl7.fhir.r4.utils.FHIRLexer\$FHIRLexerException: " + + "org.hl7.fhir.r4.fhirpath.FHIRLexer\$FHIRLexerException: " + "Syntax error in FHIR Path Bundle.#*(\$&id.exists()." ) } From 0bc5345dd5ef5312981e0e52376977218888fac5 Mon Sep 17 00:00:00 2001 
From: Jamie Albinson Date: Tue, 17 Sep 2024 13:49:46 -0400 Subject: [PATCH 3/7] Authentication Microservice POC (#15765) --- auth/.gitignore | 40 +++++ auth/build.gradle.kts | 58 +++++++ auth/gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43453 bytes auth/gradle/wrapper/gradle-wrapper.properties | 7 + .../reportstream/auth/AuthApplication.kt | 11 ++ .../auth/AuthApplicationConstants.kt | 14 ++ .../auth/config/ApplicationConfig.kt | 32 ++++ .../auth/config/SecurityConfig.kt | 35 +++++ .../auth/controller/AuthController.kt | 47 ++++++ .../auth/controller/HealthController.kt | 25 +++ .../auth/model/ApplicationStatus.kt | 10 ++ .../auth/service/ProxyURIStrategy.kt | 55 +++++++ auth/src/main/resources/application.yml | 29 ++++ .../auth/controller/AuthControllerTest.kt | 146 ++++++++++++++++++ auth/src/test/resources/application.yml | 24 +++ settings.gradle.kts | 2 +- submissions/build.gradle.kts | 4 + .../submissions/config/SecurityConfig.kt | 31 ++++ .../controllers/SubmissionController.kt | 13 ++ .../src/main/resources/application.properties | 3 +- 20 files changed, 584 insertions(+), 2 deletions(-) create mode 100644 auth/.gitignore create mode 100644 auth/build.gradle.kts create mode 100644 auth/gradle/wrapper/gradle-wrapper.jar create mode 100644 auth/gradle/wrapper/gradle-wrapper.properties create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplication.kt create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplicationConstants.kt create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/ApplicationConfig.kt create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/SecurityConfig.kt create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthController.kt create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/HealthController.kt create mode 100644 
auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/model/ApplicationStatus.kt create mode 100644 auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/service/ProxyURIStrategy.kt create mode 100644 auth/src/main/resources/application.yml create mode 100644 auth/src/test/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthControllerTest.kt create mode 100644 auth/src/test/resources/application.yml create mode 100644 submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/config/SecurityConfig.kt diff --git a/auth/.gitignore b/auth/.gitignore new file mode 100644 index 00000000000..5a979af6fff --- /dev/null +++ b/auth/.gitignore @@ -0,0 +1,40 @@ +HELP.md +.gradle +build/ +!gradle/wrapper/gradle-wrapper.jar +!**/src/main/**/build/ +!**/src/test/**/build/ + +### STS ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache +bin/ +!**/src/main/**/bin/ +!**/src/test/**/bin/ + +### IntelliJ IDEA ### +.idea +*.iws +*.iml +*.ipr +out/ +!**/src/main/**/out/ +!**/src/test/**/out/ + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ + +### VS Code ### +.vscode/ + +### Kotlin ### +.kotlin diff --git a/auth/build.gradle.kts b/auth/build.gradle.kts new file mode 100644 index 00000000000..f04d2619d62 --- /dev/null +++ b/auth/build.gradle.kts 
@@ -0,0 +1,58 @@ +apply(from = rootProject.file("buildSrc/shared.gradle.kts")) + +plugins { + id("org.springframework.boot") version "3.3.2" + id("io.spring.dependency-management") version "1.1.6" + id("reportstream.project-conventions") + kotlin("plugin.spring") version "2.0.0" +} + +group = "gov.cdc.prime" +version = "0.0.1-SNAPSHOT" + +dependencies { + implementation(project(":shared")) + + implementation("org.jetbrains.kotlin:kotlin-reflect") + implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.8.1") + implementation("org.jetbrains.kotlinx:kotlinx-coroutines-reactor:1.8.1") + + /** + * Spring WebFlux was chosen for this project to be able to better handle periods of high traffic + */ + implementation("org.springframework.boot:spring-boot-starter-webflux") + implementation("org.springframework.cloud:spring-cloud-gateway-webflux") + implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server") + + runtimeOnly("com.nimbusds:oauth2-oidc-sdk:11.18") + + testImplementation("org.springframework.boot:spring-boot-starter-test") + testImplementation("org.springframework.security:spring-security-test") + testImplementation("org.jetbrains.kotlin:kotlin-test-junit5") + testImplementation("org.mockito.kotlin:mockito-kotlin:5.4.0") + testImplementation("com.squareup.okhttp3:mockwebserver:4.12.0") + + testRuntimeOnly("org.junit.platform:junit-platform-launcher") + + compileOnly("org.springframework.boot:spring-boot-devtools") +} + +// There is a conflict in logging implementations. 
Excluded these in favor of using log4j-slf4j2-impl +configurations.all { + exclude(group = "org.apache.logging.log4j", module = "log4j-to-slf4j") + exclude(group = "ch.qos.logback") +} + +dependencyManagement { + imports { + mavenBom("com.azure.spring:spring-cloud-azure-dependencies:5.14.0") + mavenBom("org.springframework.cloud:spring-cloud-dependencies:2023.0.3") + } +} + +kotlin { + compilerOptions { + // https://docs.spring.io/spring-boot/docs/2.0.x/reference/html/boot-features-kotlin.html#boot-features-kotlin-null-safety + freeCompilerArgs.addAll("-Xjsr305=strict") + } +} \ No newline at end of file 
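Review bot: `runtimeOnly("com.nimbusds:oauth2-oidc-sdk:11.18")` has a hand-written version and no comment, while the Spring starters around it have their versions supplied by the BOMs under `dependencyManagement`. For a library that presumably sits on the token-handling path of an auth service, the build file should record why it is needed and why this version, e.g. `// needed at runtime by <component>; version fixed at 11.18 because <reason>`, with both placeholders filled in. `compileOnly("org.springframework.boot:spring-boot-devtools")` keeps devtools off the runtime classpath, so it appears to have no effect at run time. If local restart support is wanted, the Spring Boot plugin's `developmentOnly("org.springframework.boot:spring-boot-devtools")` states that intent and keeps it out of the packaged jar. The null-safety link in the `kotlin { compilerOptions { … } }` comment points at the Spring Boot 2.0.x reference although the plugin applied here is 3.3.2.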
diff --git a/auth/gradle/wrapper/gradle-wrapper.jar b/auth/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..e6441136f3d4ba8a0da8d277868979cfbc8ad796 GIT binary patch literal 43453 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ 
z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; 
zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W 
zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S 
z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? 
z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> 
z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vSTxF-Vi3+ZOI=Thq2} zyQgjYY1_7^ZQHh{?P))4+qUiQJLi1&{yE>h?~jU%tjdV0h|FENbM3X(KnJdPKc?~k zh=^Ixv*+smUll!DTWH!jrV*wSh*(mx0o6}1@JExzF(#9FXgmTXVoU+>kDe68N)dkQ zH#_98Zv$}lQwjKL@yBd;U(UD0UCl322=pav<=6g>03{O_3oKTq;9bLFX1ia*lw;#K zOiYDcBJf)82->83N_Y(J7Kr_3lE)hAu;)Q(nUVydv+l+nQ$?|%MWTy`t>{havFSQloHwiIkGK9YZ79^9?AZo0ZyQlVR#}lF%dn5n%xYksXf8gnBm=wO7g_^! 
zauQ-bH1Dc@3ItZ-9D_*pH}p!IG7j8A_o94#~>$LR|TFq zZ-b00*nuw|-5C2lJDCw&8p5N~Z1J&TrcyErds&!l3$eSz%`(*izc;-?HAFD9AHb-| z>)id`QCrzRws^9(#&=pIx9OEf2rmlob8sK&xPCWS+nD~qzU|qG6KwA{zbikcfQrdH z+ zQg>O<`K4L8rN7`GJB0*3<3`z({lWe#K!4AZLsI{%z#ja^OpfjU{!{)x0ZH~RB0W5X zTwN^w=|nA!4PEU2=LR05x~}|B&ZP?#pNgDMwD*ajI6oJqv!L81gu=KpqH22avXf0w zX3HjbCI!n9>l046)5rr5&v5ja!xkKK42zmqHzPx$9Nn_MZk`gLeSLgC=LFf;H1O#B zn=8|^1iRrujHfbgA+8i<9jaXc;CQBAmQvMGQPhFec2H1knCK2x!T`e6soyrqCamX% zTQ4dX_E*8so)E*TB$*io{$c6X)~{aWfaqdTh=xEeGvOAN9H&-t5tEE-qso<+C!2>+ zskX51H-H}#X{A75wqFe-J{?o8Bx|>fTBtl&tcbdR|132Ztqu5X0i-pisB-z8n71%q%>EF}yy5?z=Ve`}hVh{Drv1YWL zW=%ug_&chF11gDv3D6B)Tz5g54H0mDHNjuKZ+)CKFk4Z|$RD zfRuKLW`1B>B?*RUfVd0+u8h3r-{@fZ{k)c!93t1b0+Q9vOaRnEn1*IL>5Z4E4dZ!7 ztp4GP-^1d>8~LMeb}bW!(aAnB1tM_*la=Xx)q(I0Y@__Zd$!KYb8T2VBRw%e$iSdZ zkwdMwd}eV9q*;YvrBFTv1>1+}{H!JK2M*C|TNe$ZSA>UHKk);wz$(F$rXVc|sI^lD zV^?_J!3cLM;GJuBMbftbaRUs$;F}HDEDtIeHQ)^EJJ1F9FKJTGH<(Jj`phE6OuvE) zqK^K`;3S{Y#1M@8yRQwH`?kHMq4tHX#rJ>5lY3DM#o@or4&^_xtBC(|JpGTfrbGkA z2Tu+AyT^pHannww!4^!$5?@5v`LYy~T`qs7SYt$JgrY(w%C+IWA;ZkwEF)u5sDvOK zGk;G>Mh&elvXDcV69J_h02l&O;!{$({fng9Rlc3ID#tmB^FIG^w{HLUpF+iB`|
NnX)EH+Nua)3Y(c z&{(nX_ht=QbJ%DzAya}!&uNu!4V0xI)QE$SY__m)SAKcN0P(&JcoK*Lxr@P zY&P=}&B3*UWNlc|&$Oh{BEqwK2+N2U$4WB7Fd|aIal`FGANUa9E-O)!gV`((ZGCc$ zBJA|FFrlg~9OBp#f7aHodCe{6= zay$6vN~zj1ddMZ9gQ4p32(7wD?(dE>KA2;SOzXRmPBiBc6g`eOsy+pVcHu=;Yd8@{ zSGgXf@%sKKQz~;!J;|2fC@emm#^_rnO0esEn^QxXgJYd`#FPWOUU5b;9eMAF zZhfiZb|gk8aJIw*YLp4!*(=3l8Cp{(%p?ho22*vN9+5NLV0TTazNY$B5L6UKUrd$n zjbX%#m7&F#U?QNOBXkiiWB*_tk+H?N3`vg;1F-I+83{M2!8<^nydGr5XX}tC!10&e z7D36bLaB56WrjL&HiiMVtpff|K%|*{t*ltt^5ood{FOG0<>k&1h95qPio)2`eL${YAGIx(b4VN*~nKn6E~SIQUuRH zQ+5zP6jfnP$S0iJ@~t!Ai3o`X7biohli;E zT#yXyl{bojG@-TGZzpdVDXhbmF%F9+-^YSIv|MT1l3j zrxOFq>gd2%U}?6}8mIj?M zc077Zc9fq(-)4+gXv?Az26IO6eV`RAJz8e3)SC7~>%rlzDwySVx*q$ygTR5kW2ds- z!HBgcq0KON9*8Ff$X0wOq$`T7ml(@TF)VeoF}x1OttjuVHn3~sHrMB++}f7f9H%@f z=|kP_?#+fve@{0MlbkC9tyvQ_R?lRdRJ@$qcB(8*jyMyeME5ns6ypVI1Xm*Zr{DuS zZ!1)rQfa89c~;l~VkCiHI|PCBd`S*2RLNQM8!g9L6?n`^evQNEwfO@&JJRme+uopQX0%Jo zgd5G&#&{nX{o?TQwQvF1<^Cg3?2co;_06=~Hcb6~4XWpNFL!WU{+CK;>gH%|BLOh7@!hsa(>pNDAmpcuVO-?;Bic17R}^|6@8DahH)G z!EmhsfunLL|3b=M0MeK2vqZ|OqUqS8npxwge$w-4pFVXFq$_EKrZY?BuP@Az@(k`L z`ViQBSk`y+YwRT;&W| z2e3UfkCo^uTA4}Qmmtqs+nk#gNr2W4 zTH%hhErhB)pkXR{B!q5P3-OM+M;qu~f>}IjtF%>w{~K-0*jPVLl?Chz&zIdxp}bjx zStp&Iufr58FTQ36AHU)0+CmvaOpKF;W@sMTFpJ`j;3d)J_$tNQI^c<^1o<49Z(~K> z;EZTBaVT%14(bFw2ob@?JLQ2@(1pCdg3S%E4*dJ}dA*v}_a4_P(a`cHnBFJxNobAv zf&Zl-Yt*lhn-wjZsq<9v-IsXxAxMZ58C@e0!rzhJ+D@9^3~?~yllY^s$?&oNwyH!#~6x4gUrfxplCvK#!f z$viuszW>MFEcFL?>ux*((!L$;R?xc*myjRIjgnQX79@UPD$6Dz0jutM@7h_pq z0Zr)#O<^y_K6jfY^X%A-ip>P%3saX{!v;fxT-*0C_j4=UMH+Xth(XVkVGiiKE#f)q z%Jp=JT)uy{&}Iq2E*xr4YsJ5>w^=#-mRZ4vPXpI6q~1aFwi+lQcimO45V-JXP;>(Q zo={U`{=_JF`EQj87Wf}{Qy35s8r1*9Mxg({CvOt}?Vh9d&(}iI-quvs-rm~P;eRA@ zG5?1HO}puruc@S{YNAF3vmUc2B4!k*yi))<5BQmvd3tr}cIs#9)*AX>t`=~{f#Uz0 z0&Nk!7sSZwJe}=)-R^$0{yeS!V`Dh7w{w5rZ9ir!Z7Cd7dwZcK;BT#V0bzTt>;@Cl z#|#A!-IL6CZ@eHH!CG>OO8!%G8&8t4)Ro@}USB*k>oEUo0LsljsJ-%5Mo^MJF2I8- z#v7a5VdJ-Cd%(a+y6QwTmi+?f8Nxtm{g-+WGL>t;s#epv7ug>inqimZCVm!uT5Pf6 
ziEgQt7^%xJf#!aPWbuC_3Nxfb&CFbQy!(8ANpkWLI4oSnH?Q3f?0k1t$3d+lkQs{~(>06l&v|MpcFsyAv zin6N!-;pggosR*vV=DO(#+}4ps|5$`udE%Kdmp?G7B#y%H`R|i8skKOd9Xzx8xgR$>Zo2R2Ytktq^w#ul4uicxW#{ zFjG_RNlBroV_n;a7U(KIpcp*{M~e~@>Q#Av90Jc5v%0c>egEdY4v3%|K1XvB{O_8G zkTWLC>OZKf;XguMH2-Pw{BKbFzaY;4v2seZV0>^7Q~d4O=AwaPhP3h|!hw5aqOtT@ z!SNz}$of**Bl3TK209@F=Tn1+mgZa8yh(Png%Zd6Mt}^NSjy)etQrF zme*llAW=N_8R*O~d2!apJnF%(JcN??=`$qs3Y+~xs>L9x`0^NIn!8mMRFA_tg`etw z3k{9JAjnl@ygIiJcNHTy02GMAvBVqEss&t2<2mnw!; zU`J)0>lWiqVqo|ex7!+@0i>B~BSU1A_0w#Ee+2pJx0BFiZ7RDHEvE*ptc9md(B{&+ zKE>TM)+Pd>HEmdJao7U@S>nL(qq*A)#eLOuIfAS@j`_sK0UEY6OAJJ-kOrHG zjHx`g!9j*_jRcJ%>CE9K2MVf?BUZKFHY?EpV6ai7sET-tqk=nDFh-(65rhjtlKEY% z@G&cQ<5BKatfdA1FKuB=i>CCC5(|9TMW%K~GbA4}80I5%B}(gck#Wlq@$nO3%@QP_ z8nvPkJFa|znk>V92cA!K1rKtr)skHEJD;k8P|R8RkCq1Rh^&}Evwa4BUJz2f!2=MH zo4j8Y$YL2313}H~F7@J7mh>u%556Hw0VUOz-Un@ZASCL)y8}4XXS`t1AC*^>PLwIc zUQok5PFS=*#)Z!3JZN&eZ6ZDP^-c@StY*t20JhCnbMxXf=LK#;`4KHEqMZ-Ly9KsS zI2VUJGY&PmdbM+iT)zek)#Qc#_i4uH43 z@T5SZBrhNCiK~~esjsO9!qBpaWK<`>!-`b71Y5ReXQ4AJU~T2Njri1CEp5oKw;Lnm)-Y@Z3sEY}XIgSy%xo=uek(kAAH5MsV$V3uTUsoTzxp_rF=tx zV07vlJNKtJhCu`b}*#m&5LV4TAE&%KtHViDAdv#c^x`J7bg z&N;#I2GkF@SIGht6p-V}`!F_~lCXjl1BdTLIjD2hH$J^YFN`7f{Q?OHPFEM$65^!u zNwkelo*5+$ZT|oQ%o%;rBX$+?xhvjb)SHgNHE_yP%wYkkvXHS{Bf$OiKJ5d1gI0j< zF6N}Aq=(WDo(J{e-uOecxPD>XZ@|u-tgTR<972`q8;&ZD!cep^@B5CaqFz|oU!iFj zU0;6fQX&~15E53EW&w1s9gQQ~Zk16X%6 zjG`j0yq}4deX2?Tr(03kg>C(!7a|b9qFI?jcE^Y>-VhudI@&LI6Qa}WQ>4H_!UVyF z((cm&!3gmq@;BD#5P~0;_2qgZhtJS|>WdtjY=q zLnHH~Fm!cxw|Z?Vw8*~?I$g#9j&uvgm7vPr#&iZgPP~v~BI4jOv;*OQ?jYJtzO<^y z7-#C={r7CO810!^s(MT!@@Vz_SVU)7VBi(e1%1rvS!?PTa}Uv`J!EP3s6Y!xUgM^8 z4f!fq<3Wer_#;u!5ECZ|^c1{|q_lh3m^9|nsMR1#Qm|?4Yp5~|er2?W^7~cl;_r4WSme_o68J9p03~Hc%X#VcX!xAu%1`R!dfGJCp zV*&m47>s^%Ib0~-2f$6oSgn3jg8m%UA;ArcdcRyM5;}|r;)?a^D*lel5C`V5G=c~k zy*w_&BfySOxE!(~PI$*dwG><+-%KT5p?whOUMA*k<9*gi#T{h3DAxzAPxN&Xws8o9Cp*`PA5>d9*Z-ynV# z9yY*1WR^D8|C%I@vo+d8r^pjJ$>eo|j>XiLWvTWLl(^;JHCsoPgem6PvegHb-OTf| 
zvTgsHSa;BkbG=(NgPO|CZu9gUCGr$8*EoH2_Z#^BnxF0yM~t`|9ws_xZ8X8iZYqh! zAh;HXJ)3P&)Q0(&F>!LN0g#bdbis-cQxyGn9Qgh`q+~49Fqd2epikEUw9caM%V6WgP)532RMRW}8gNS%V%Hx7apSz}tn@bQy!<=lbhmAH=FsMD?leawbnP5BWM0 z5{)@EEIYMu5;u)!+HQWhQ;D3_Cm_NADNeb-f56}<{41aYq8p4=93d=-=q0Yx#knGYfXVt z+kMxlus}t2T5FEyCN~!}90O_X@@PQpuy;kuGz@bWft%diBTx?d)_xWd_-(!LmVrh**oKg!1CNF&LX4{*j|) zIvjCR0I2UUuuEXh<9}oT_zT#jOrJAHNLFT~Ilh9hGJPI1<5`C-WA{tUYlyMeoy!+U zhA#=p!u1R7DNg9u4|QfED-2TuKI}>p#2P9--z;Bbf4Op*;Q9LCbO&aL2i<0O$ByoI z!9;Ght733FC>Pz>$_mw(F`zU?`m@>gE`9_p*=7o=7av`-&ifU(^)UU`Kg3Kw`h9-1 z6`e6+im=|m2v`pN(2dE%%n8YyQz;#3Q-|x`91z?gj68cMrHl}C25|6(_dIGk*8cA3 zRHB|Nwv{@sP4W+YZM)VKI>RlB`n=Oj~Rzx~M+Khz$N$45rLn6k1nvvD^&HtsMA4`s=MmuOJID@$s8Ph4E zAmSV^+s-z8cfv~Yd(40Sh4JG#F~aB>WFoX7ykaOr3JaJ&Lb49=B8Vk-SQT9%7TYhv z?-Pprt{|=Y5ZQ1?od|A<_IJU93|l4oAfBm?3-wk{O<8ea+`}u%(kub(LFo2zFtd?4 zwpN|2mBNywv+d^y_8#<$r>*5+$wRTCygFLcrwT(qc^n&@9r+}Kd_u@Ithz(6Qb4}A zWo_HdBj#V$VE#l6pD0a=NfB0l^6W^g`vm^sta>Tly?$E&{F?TTX~DsKF~poFfmN%2 z4x`Dc{u{Lkqz&y!33;X}weD}&;7p>xiI&ZUb1H9iD25a(gI|`|;G^NwJPv=1S5e)j z;U;`?n}jnY6rA{V^ zxTd{bK)Gi^odL3l989DQlN+Zs39Xe&otGeY(b5>rlIqfc7Ap4}EC?j<{M=hlH{1+d zw|c}}yx88_xQr`{98Z!d^FNH77=u(p-L{W6RvIn40f-BldeF-YD>p6#)(Qzf)lfZj z?3wAMtPPp>vMehkT`3gToPd%|D8~4`5WK{`#+}{L{jRUMt zrFz+O$C7y8$M&E4@+p+oV5c%uYzbqd2Y%SSgYy#xh4G3hQv>V*BnuKQhBa#=oZB~w{azUB+q%bRe_R^ z>fHBilnRTUfaJ201czL8^~Ix#+qOHSO)A|xWLqOxB$dT2W~)e-r9;bm=;p;RjYahB z*1hegN(VKK+ztr~h1}YP@6cfj{e#|sS`;3tJhIJK=tVJ-*h-5y9n*&cYCSdg#EHE# zSIx=r#qOaLJoVVf6v;(okg6?*L_55atl^W(gm^yjR?$GplNP>BZsBYEf_>wM0Lc;T zhf&gpzOWNxS>m+mN92N0{;4uw`P+9^*|-1~$uXpggj4- z^SFc4`uzj2OwdEVT@}Q`(^EcQ_5(ZtXTql*yGzdS&vrS_w>~~ra|Nb5abwf}Y!uq6R5f&6g2ge~2p(%c< z@O)cz%%rr4*cRJ5f`n@lvHNk@lE1a*96Kw6lJ~B-XfJW%?&-y?;E&?1AacU@`N`!O z6}V>8^%RZ7SQnZ-z$(jsX`amu*5Fj8g!3RTRwK^`2_QHe;_2y_n|6gSaGyPmI#kA0sYV<_qOZc#-2BO%hX)f$s-Z3xlI!ub z^;3ru11DA`4heAu%}HIXo&ctujzE2!6DIGE{?Zs>2}J+p&C$rc7gJC35gxhflorvsb%sGOxpuWhF)dL_&7&Z99=5M0b~Qa;Mo!j&Ti_kXW!86N%n= zSC@6Lw>UQ__F&+&Rzv?gscwAz8IP!n63>SP)^62(HK98nGjLY2*e^OwOq`3O|C92? 
z;TVhZ2SK%9AGW4ZavTB9?)mUbOoF`V7S=XM;#3EUpR+^oHtdV!GK^nXzCu>tpR|89 zdD{fnvCaN^^LL%amZ^}-E+214g&^56rpdc@yv0b<3}Ys?)f|fXN4oHf$six)-@<;W&&_kj z-B}M5U*1sb4)77aR=@%I?|Wkn-QJVuA96an25;~!gq(g1@O-5VGo7y&E_srxL6ZfS z*R%$gR}dyONgju*D&?geiSj7SZ@ftyA|}(*Y4KbvU!YLsi1EDQQCnb+-cM=K1io78o!v*);o<XwjaQH%)uIP&Zm?)Nfbfn;jIr z)d#!$gOe3QHp}2NBak@yYv3m(CPKkwI|{;d=gi552u?xj9ObCU^DJFQp4t4e1tPzM zvsRIGZ6VF+{6PvqsplMZWhz10YwS={?`~O0Ec$`-!klNUYtzWA^f9m7tkEzCy<_nS z=&<(awFeZvt51>@o_~>PLs05CY)$;}Oo$VDO)?l-{CS1Co=nxjqben*O1BR>#9`0^ zkwk^k-wcLCLGh|XLjdWv0_Hg54B&OzCE^3NCP}~OajK-LuRW53CkV~Su0U>zN%yQP zH8UH#W5P3-!ToO-2k&)}nFe`t+mdqCxxAHgcifup^gKpMObbox9LFK;LP3}0dP-UW z?Zo*^nrQ6*$FtZ(>kLCc2LY*|{!dUn$^RW~m9leoF|@Jy|M5p-G~j%+P0_#orRKf8 zvuu5<*XO!B?1E}-*SY~MOa$6c%2cM+xa8}_8x*aVn~57v&W(0mqN1W`5a7*VN{SUH zXz98DDyCnX2EPl-`Lesf`=AQT%YSDb`$%;(jUTrNen$NPJrlpPDP}prI>Ml!r6bCT;mjsg@X^#&<}CGf0JtR{Ecwd&)2zuhr#nqdgHj+g2n}GK9CHuwO zk>oZxy{vcOL)$8-}L^iVfJHAGfwN$prHjYV0ju}8%jWquw>}_W6j~m<}Jf!G?~r5&Rx)!9JNX!ts#SGe2HzobV5); zpj@&`cNcO&q+%*<%D7za|?m5qlmFK$=MJ_iv{aRs+BGVrs)98BlN^nMr{V_fcl_;jkzRju+c-y?gqBC_@J0dFLq-D9@VN&-`R9U;nv$Hg?>$oe4N&Ht$V_(JR3TG^! 
zzJsbQbi zFE6-{#9{G{+Z}ww!ycl*7rRdmU#_&|DqPfX3CR1I{Kk;bHwF6jh0opI`UV2W{*|nn zf_Y@%wW6APb&9RrbEN=PQRBEpM(N1w`81s=(xQj6 z-eO0k9=Al|>Ej|Mw&G`%q8e$2xVz1v4DXAi8G};R$y)ww638Y=9y$ZYFDM$}vzusg zUf+~BPX>(SjA|tgaFZr_e0{)+z9i6G#lgt=F_n$d=beAt0Sa0a7>z-?vcjl3e+W}+ z1&9=|vC=$co}-Zh*%3588G?v&U7%N1Qf-wNWJ)(v`iO5KHSkC5&g7CrKu8V}uQGcfcz zmBz#Lbqwqy#Z~UzHgOQ;Q-rPxrRNvl(&u6ts4~0=KkeS;zqURz%!-ERppmd%0v>iRlEf+H$yl{_8TMJzo0 z>n)`On|7=WQdsqhXI?#V{>+~}qt-cQbokEbgwV3QvSP7&hK4R{Z{aGHVS3;+h{|Hz z6$Js}_AJr383c_+6sNR|$qu6dqHXQTc6?(XWPCVZv=)D#6_;D_8P-=zOGEN5&?~8S zl5jQ?NL$c%O)*bOohdNwGIKM#jSAC?BVY={@A#c9GmX0=T(0G}xs`-%f3r=m6-cpK z!%waekyAvm9C3%>sixdZj+I(wQlbB4wv9xKI*T13DYG^T%}zZYJ|0$Oj^YtY+d$V$ zAVudSc-)FMl|54n=N{BnZTM|!>=bhaja?o7s+v1*U$!v!qQ%`T-6fBvmdPbVmro&d zk07TOp*KuxRUSTLRrBj{mjsnF8`d}rMViY8j`jo~Hp$fkv9F_g(jUo#Arp;Xw0M$~ zRIN!B22~$kx;QYmOkos@%|5k)!QypDMVe}1M9tZfkpXKGOxvKXB!=lo`p?|R1l=tA zp(1}c6T3Fwj_CPJwVsYtgeRKg?9?}%oRq0F+r+kdB=bFUdVDRPa;E~~>2$w}>O>v=?|e>#(-Lyx?nbg=ckJ#5U6;RT zNvHhXk$P}m9wSvFyU3}=7!y?Y z=fg$PbV8d7g25&-jOcs{%}wTDKm>!Vk);&rr;O1nvO0VrU&Q?TtYVU=ir`te8SLlS zKSNmV=+vF|ATGg`4$N1uS|n??f}C_4Sz!f|4Ly8#yTW-FBfvS48Tef|-46C(wEO_%pPhUC5$-~Y?!0vFZ^Gu`x=m7X99_?C-`|h zfmMM&Y@zdfitA@KPw4Mc(YHcY1)3*1xvW9V-r4n-9ZuBpFcf{yz+SR{ zo$ZSU_|fgwF~aakGr(9Be`~A|3)B=9`$M-TWKipq-NqRDRQc}ABo*s_5kV%doIX7LRLRau_gd@Rd_aLFXGSU+U?uAqh z8qusWWcvgQ&wu{|sRXmv?sl=xc<$6AR$+cl& zFNh5q1~kffG{3lDUdvEZu5c(aAG~+64FxdlfwY^*;JSS|m~CJusvi-!$XR`6@XtY2 znDHSz7}_Bx7zGq-^5{stTRy|I@N=>*y$zz>m^}^{d&~h;0kYiq8<^Wq7Dz0w31ShO^~LUfW6rfitR0(=3;Uue`Y%y@ex#eKPOW zO~V?)M#AeHB2kovn1v=n^D?2{2jhIQd9t|_Q+c|ZFaWt+r&#yrOu-!4pXAJuxM+Cx z*H&>eZ0v8Y`t}8{TV6smOj=__gFC=eah)mZt9gwz>>W$!>b3O;Rm^Ig*POZP8Rl0f zT~o=Nu1J|lO>}xX&#P58%Yl z83`HRs5#32Qm9mdCrMlV|NKNC+Z~ z9OB8xk5HJ>gBLi+m@(pvpw)1(OaVJKs*$Ou#@Knd#bk+V@y;YXT?)4eP9E5{J%KGtYinNYJUH9PU3A}66c>Xn zZ{Bn0<;8$WCOAL$^NqTjwM?5d=RHgw3!72WRo0c;+houoUA@HWLZM;^U$&sycWrFd zE7ekt9;kb0`lps{>R(}YnXlyGY}5pPd9zBpgXeJTY_jwaJGSJQC#-KJqmh-;ad&F- z-Y)E>!&`Rz!HtCz>%yOJ|v(u7P*I$jqEY3}(Z-orn4 
zlI?CYKNl`6I){#2P1h)y(6?i;^z`N3bxTV%wNvQW+eu|x=kbj~s8rhCR*0H=iGkSj zk23lr9kr|p7#qKL=UjgO`@UnvzU)`&fI>1Qs7ubq{@+lK{hH* zvl6eSb9%yngRn^T<;jG1SVa)eA>T^XX=yUS@NCKpk?ovCW1D@!=@kn;l_BrG;hOTC z6K&H{<8K#dI(A+zw-MWxS+~{g$tI7|SfP$EYKxA}LlVO^sT#Oby^grkdZ^^lA}uEF zBSj$weBJG{+Bh@Yffzsw=HyChS(dtLE3i*}Zj@~!_T-Ay7z=B)+*~3|?w`Zd)Co2t zC&4DyB!o&YgSw+fJn6`sn$e)29`kUwAc+1MND7YjV%lO;H2}fNy>hD#=gT ze+-aFNpyKIoXY~Vq-}OWPBe?Rfu^{ps8>Xy%42r@RV#*QV~P83jdlFNgkPN=T|Kt7 zV*M`Rh*30&AWlb$;ae130e@}Tqi3zx2^JQHpM>j$6x`#{mu%tZlwx9Gj@Hc92IuY* zarmT|*d0E~vt6<+r?W^UW0&#U&)8B6+1+;k^2|FWBRP9?C4Rk)HAh&=AS8FS|NQaZ z2j!iZ)nbEyg4ZTp-zHwVlfLC~tXIrv(xrP8PAtR{*c;T24ycA-;auWsya-!kF~CWZ zw_uZ|%urXgUbc@x=L=_g@QJ@m#5beS@6W195Hn7>_}z@Xt{DIEA`A&V82bc^#!q8$ zFh?z_Vn|ozJ;NPd^5uu(9tspo8t%&-U9Ckay-s@DnM*R5rtu|4)~e)`z0P-sy?)kc zs_k&J@0&0!q4~%cKL)2l;N*T&0;mqX5T{Qy60%JtKTQZ-xb%KOcgqwJmb%MOOKk7N zgq})R_6**{8A|6H?fO+2`#QU)p$Ei2&nbj6TpLSIT^D$|`TcSeh+)}VMb}LmvZ{O| ze*1IdCt3+yhdYVxcM)Q_V0bIXLgr6~%JS<<&dxIgfL=Vnx4YHuU@I34JXA|+$_S3~ zy~X#gO_X!cSs^XM{yzDGNM>?v(+sF#<0;AH^YrE8smx<36bUsHbN#y57K8WEu(`qHvQ6cAZPo=J5C(lSmUCZ57Rj6cx!e^rfaI5%w}unz}4 zoX=nt)FVNV%QDJH`o!u9olLD4O5fl)xp+#RloZlaA92o3x4->?rB4`gS$;WO{R;Z3>cG3IgFX2EA?PK^M}@%1%A;?f6}s&CV$cIyEr#q5;yHdNZ9h{| z-=dX+a5elJoDo?Eq&Og!nN6A)5yYpnGEp}?=!C-V)(*~z-+?kY1Q7qs#Rsy%hu_60rdbB+QQNr?S1 z?;xtjUv|*E3}HmuNyB9aFL5H~3Ho0UsmuMZELp1a#CA1g`P{-mT?BchuLEtK}!QZ=3AWakRu~?f9V~3F;TV`5%9Pcs_$gq&CcU}r8gOO zC2&SWPsSG{&o-LIGTBqp6SLQZPvYKp$$7L4WRRZ0BR$Kf0I0SCFkqveCp@f)o8W)! 
z$%7D1R`&j7W9Q9CGus_)b%+B#J2G;l*FLz#s$hw{BHS~WNLODV#(!u_2Pe&tMsq={ zdm7>_WecWF#D=?eMjLj=-_z`aHMZ=3_-&E8;ibPmM}61i6J3is*=dKf%HC>=xbj4$ zS|Q-hWQ8T5mWde6h@;mS+?k=89?1FU<%qH9B(l&O>k|u_aD|DY*@~(`_pb|B#rJ&g zR0(~(68fpUPz6TdS@4JT5MOPrqDh5_H(eX1$P2SQrkvN8sTxwV>l0)Qq z0pzTuvtEAKRDkKGhhv^jk%|HQ1DdF%5oKq5BS>szk-CIke{%js?~%@$uaN3^Uz6Wf z_iyx{bZ(;9y4X&>LPV=L=d+A}7I4GkK0c1Xts{rrW1Q7apHf-))`BgC^0^F(>At1* za@e7{lq%yAkn*NH8Q1{@{lKhRg*^TfGvv!Sn*ed*x@6>M%aaqySxR|oNadYt1mpUZ z6H(rupHYf&Z z29$5g#|0MX#aR6TZ$@eGxxABRKakDYtD%5BmKp;HbG_ZbT+=81E&=XRk6m_3t9PvD zr5Cqy(v?gHcYvYvXkNH@S#Po~q(_7MOuCAB8G$a9BC##gw^5mW16cML=T=ERL7wsk zzNEayTG?mtB=x*wc@ifBCJ|irFVMOvH)AFRW8WE~U()QT=HBCe@s$dA9O!@`zAAT) zaOZ7l6vyR+Nk_OOF!ZlZmjoImKh)dxFbbR~z(cMhfeX1l7S_`;h|v3gI}n9$sSQ>+3@AFAy9=B_y$)q;Wdl|C-X|VV3w8 z2S#>|5dGA8^9%Bu&fhmVRrTX>Z7{~3V&0UpJNEl0=N32euvDGCJ>#6dUSi&PxFW*s zS`}TB>?}H(T2lxBJ!V#2taV;q%zd6fOr=SGHpoSG*4PDaiG0pdb5`jelVipkEk%FV zThLc@Hc_AL1#D&T4D=w@UezYNJ%0=f3iVRuVL5H?eeZM}4W*bomebEU@e2d`M<~uW zf#Bugwf`VezG|^Qbt6R_=U0}|=k;mIIakz99*>FrsQR{0aQRP6ko?5<7bkDN8evZ& zB@_KqQG?ErKL=1*ZM9_5?Pq%lcS4uLSzN(Mr5=t6xHLS~Ym`UgM@D&VNu8e?_=nSFtF$u@hpPSmI4Vo_t&v?>$~K4y(O~Rb*(MFy_igM7 z*~yYUyR6yQgzWnWMUgDov!!g=lInM+=lOmOk4L`O?{i&qxy&D*_qorRbDwj6?)!ef z#JLd7F6Z2I$S0iYI={rZNk*<{HtIl^mx=h>Cim*04K4+Z4IJtd*-)%6XV2(MCscPiw_a+y*?BKbTS@BZ3AUao^%Zi#PhoY9Vib4N>SE%4>=Jco0v zH_Miey{E;FkdlZSq)e<{`+S3W=*ttvD#hB8w=|2aV*D=yOV}(&p%0LbEWH$&@$X3x~CiF-?ejQ*N+-M zc8zT@3iwkdRT2t(XS`d7`tJQAjRmKAhiw{WOqpuvFp`i@Q@!KMhwKgsA}%@sw8Xo5Y=F zhRJZg)O4uqNWj?V&&vth*H#je6T}}p_<>!Dr#89q@uSjWv~JuW(>FqoJ5^ho0%K?E z9?x_Q;kmcsQ@5=}z@tdljMSt9-Z3xn$k)kEjK|qXS>EfuDmu(Z8|(W?gY6-l z@R_#M8=vxKMAoi&PwnaIYw2COJM@atcgfr=zK1bvjW?9B`-+Voe$Q+H$j!1$Tjn+* z&LY<%)L@;zhnJlB^Og6I&BOR-m?{IW;tyYC%FZ!&Z>kGjHJ6cqM-F z&19n+e1=9AH1VrVeHrIzqlC`w9=*zfmrerF?JMzO&|Mmv;!4DKc(sp+jy^Dx?(8>1 zH&yS_4yL7m&GWX~mdfgH*AB4{CKo;+egw=PrvkTaoBU+P-4u?E|&!c z)DKc;>$$B6u*Zr1SjUh2)FeuWLWHl5TH(UHWkf zLs>7px!c5n;rbe^lO@qlYLzlDVp(z?6rPZel=YB)Uv&n!2{+Mb$-vQl=xKw( 
zve&>xYx+jW_NJh!FV||r?;hdP*jOXYcLCp>DOtJ?2S^)DkM{{Eb zS$!L$e_o0(^}n3tA1R3-$SNvgBq;DOEo}fNc|tB%%#g4RA3{|euq)p+xd3I8^4E&m zFrD%}nvG^HUAIKe9_{tXB;tl|G<%>yk6R;8L2)KUJw4yHJXUOPM>(-+jxq4R;z8H#>rnJy*)8N+$wA$^F zN+H*3t)eFEgxLw+Nw3};4WV$qj&_D`%ADV2%r zJCPCo%{=z7;`F98(us5JnT(G@sKTZ^;2FVitXyLe-S5(hV&Ium+1pIUB(CZ#h|g)u zSLJJ<@HgrDiA-}V_6B^x1>c9B6%~847JkQ!^KLZ2skm;q*edo;UA)~?SghG8;QbHh z_6M;ouo_1rq9=x$<`Y@EA{C%6-pEV}B(1#sDoe_e1s3^Y>n#1Sw;N|}8D|s|VPd+g z-_$QhCz`vLxxrVMx3ape1xu3*wjx=yKSlM~nFgkNWb4?DDr*!?U)L_VeffF<+!j|b zZ$Wn2$TDv3C3V@BHpSgv3JUif8%hk%OsGZ=OxH@8&4`bbf$`aAMchl^qN>Eyu3JH} z9-S!x8-s4fE=lad%Pkp8hAs~u?|uRnL48O|;*DEU! zuS0{cpk%1E0nc__2%;apFsTm0bKtd&A0~S3Cj^?72-*Owk3V!ZG*PswDfS~}2<8le z5+W^`Y(&R)yVF*tU_s!XMcJS`;(Tr`J0%>p=Z&InR%D3@KEzzI+-2)HK zuoNZ&o=wUC&+*?ofPb0a(E6(<2Amd6%uSu_^-<1?hsxs~0K5^f(LsGqgEF^+0_H=uNk9S0bb!|O8d?m5gQjUKevPaO+*VfSn^2892K~%crWM8+6 z25@V?Y@J<9w%@NXh-2!}SK_(X)O4AM1-WTg>sj1{lj5@=q&dxE^9xng1_z9w9DK>| z6Iybcd0e zyi;Ew!KBRIfGPGytQ6}z}MeXCfLY0?9%RiyagSp_D1?N&c{ zyo>VbJ4Gy`@Fv+5cKgUgs~na$>BV{*em7PU3%lloy_aEovR+J7TfQKh8BJXyL6|P8un-Jnq(ghd!_HEOh$zlv2$~y3krgeH;9zC}V3f`uDtW(%mT#944DQa~^8ZI+zAUu4U(j0YcDfKR$bK#gvn_{JZ>|gZ5+)u?T$w7Q%F^;!Wk?G z(le7r!ufT*cxS}PR6hIVtXa)i`d$-_1KkyBU>qmgz-=T};uxx&sKgv48akIWQ89F{ z0XiY?WM^~;|T8zBOr zs#zuOONzH?svv*jokd5SK8wG>+yMC)LYL|vLqm^PMHcT=`}V$=nIRHe2?h)8WQa6O zPAU}d`1y(>kZiP~Gr=mtJLMu`i<2CspL|q2DqAgAD^7*$xzM`PU4^ga`ilE134XBQ z99P(LhHU@7qvl9Yzg$M`+dlS=x^(m-_3t|h>S}E0bcFMn=C|KamQ)=w2^e)35p`zY zRV8X?d;s^>Cof2SPR&nP3E+-LCkS0J$H!eh8~k0qo$}00b=7!H_I2O+Ro@3O$nPdm ztmbOO^B+IHzQ5w>@@@J4cKw5&^_w6s!s=H%&byAbUtczPQ7}wfTqxxtQNfn*u73Qw zGuWsrky_ajPx-5`R<)6xHf>C(oqGf_Fw|-U*GfS?xLML$kv;h_pZ@Kk$y0X(S+K80 z6^|z)*`5VUkawg}=z`S;VhZhxyDfrE0$(PMurAxl~<>lfZa>JZ288ULK7D` zl9|#L^JL}Y$j*j`0-K6kH#?bRmg#5L3iB4Z)%iF@SqT+Lp|{i`m%R-|ZE94Np7Pa5 zCqC^V3}B(FR340pmF*qaa}M}+h6}mqE~7Sh!9bDv9YRT|>vBNAqv09zXHMlcuhKD| zcjjA(b*XCIwJ33?CB!+;{)vX@9xns_b-VO{i0y?}{!sdXj1GM8+$#v>W7nw;+O_9B z_{4L;C6ol?(?W0<6taGEn1^uG=?Q3i29sE`RfYCaV$3DKc_;?HsL?D_fSYg}SuO5U 
zOB_f4^vZ_x%o`5|C@9C5+o=mFy@au{s)sKw!UgC&L35aH(sgDxRE2De%(%OT=VUdN ziVLEmdOvJ&5*tCMKRyXctCwQu_RH%;m*$YK&m;jtbdH#Ak~13T1^f89tn`A%QEHWs~jnY~E}p_Z$XC z=?YXLCkzVSK+Id`xZYTegb@W8_baLt-Fq`Tv|=)JPbFsKRm)4UW;yT+J`<)%#ue9DPOkje)YF2fsCilK9MIIK>p*`fkoD5nGfmLwt)!KOT+> zOFq*VZktDDyM3P5UOg`~XL#cbzC}eL%qMB=Q5$d89MKuN#$6|4gx_Jt0Gfn8w&q}%lq4QU%6#jT*MRT% zrLz~C8FYKHawn-EQWN1B75O&quS+Z81(zN)G>~vN8VwC+e+y(`>HcxC{MrJ;H1Z4k zZWuv$w_F0-Ub%MVcpIc){4PGL^I7M{>;hS?;eH!;gmcOE66z3;Z1Phqo(t zVP(Hg6q#0gIKgsg7L7WE!{Y#1nI(45tx2{$34dDd#!Z0NIyrm)HOn5W#7;f4pQci# zDW!FI(g4e668kI9{2+mLwB+=#9bfqgX%!B34V-$wwSN(_cm*^{y0jQtv*4}eO^sOV z*9xoNvX)c9isB}Tgx&ZRjp3kwhTVK?r9;n!x>^XYT z@Q^7zp{rkIs{2mUSE^2!Gf6$6;j~&4=-0cSJJDizZp6LTe8b45;{AKM%v99}{{FfC zz709%u0mC=1KXTo(=TqmZQ;c?$M3z(!xah>aywrj40sc2y3rKFw4jCq+Y+u=CH@_V zxz|qeTwa>+<|H%8Dz5u>ZI5MmjTFwXS-Fv!TDd*`>3{krWoNVx$<133`(ftS?ZPyY z&4@ah^3^i`vL$BZa>O|Nt?ucewzsF)0zX3qmM^|waXr=T0pfIb0*$AwU=?Ipl|1Y; z*Pk6{C-p4MY;j@IJ|DW>QHZQJcp;Z~?8(Q+Kk3^0qJ}SCk^*n4W zu9ZFwLHUx-$6xvaQ)SUQcYd6fF8&x)V`1bIuX@>{mE$b|Yd(qomn3;bPwnDUc0F=; zh*6_((%bqAYQWQ~odER?h>1mkL4kpb3s7`0m@rDKGU*oyF)$j~Ffd4fXV$?`f~rHf zB%Y)@5SXZvfwm10RY5X?TEo)PK_`L6qgBp=#>fO49$D zDq8Ozj0q6213tV5Qq=;fZ0$|KroY{Dz=l@lU^J)?Ko@ti20TRplXzphBi>XGx4bou zEWrkNjz0t5j!_ke{g5I#PUlEU$Km8g8TE|XK=MkU@PT4T><2OVamoK;wJ}3X0L$vX zgd7gNa359*nc)R-0!`2X@FOTB`+oETOPc=ubp5R)VQgY+5BTZZJ2?9QwnO=dnulIUF3gFn;BODC2)65)HeVd%t86sL7Rv^Y+nbn+&l z6BAJY(ETvwI)Ts$aiE8rht4KD*qNyE{8{x6R|%akbTBzw;2+6Echkt+W+`u^XX z_z&x%n) { + runApplication(*args) +} \ No newline at end of file diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplicationConstants.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplicationConstants.kt new file mode 100644 index 00000000000..2c2909dd275 --- /dev/null +++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplicationConstants.kt 
@@ -0,0 +1,14 @@
+package gov.cdc.prime.reportstream.auth
+
+/**
+ * File used for application-wide constants
+ */
+object AuthApplicationConstants {
+
+ /**
+ * All endpoints defined here
+ */
+ object Endpoints {
+ const val HEALTHCHECK_ENDPOINT_V1 = "/api/v1/healthcheck"
+ }
+}
\ No newline at end of file
diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/ApplicationConfig.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/ApplicationConfig.kt
new file mode 100644
index 00000000000..c0aeb78fdbe
--- /dev/null
+++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/ApplicationConfig.kt
@@ -0,0 +1,32 @@
+package gov.cdc.prime.reportstream.auth.config
+
+import org.springframework.boot.context.properties.ConfigurationProperties
+import org.springframework.boot.context.properties.EnableConfigurationProperties
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import kotlin.time.TimeSource
+
+/**
+ * Simple class to automatically read configuration from application.yml (or environment variable overrides)
+ */
+@Configuration
+@EnableConfigurationProperties(ProxyConfigurationProperties::class)
+class ApplicationConfig(
+ val proxyConfig: ProxyConfigurationProperties,
+) {
+
+ @Bean
+ fun timeSource(): TimeSource {
+ return TimeSource.Monotonic
+ }
+}
+
+@ConfigurationProperties("proxy")
+data class ProxyConfigurationProperties(
+ val pathMappings: List,
+)
+
+data class ProxyPathMapping(
+ val baseUrl: String,
+ val pathPrefix: String,
+)
\ No newline at end of file
diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/SecurityConfig.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/SecurityConfig.kt
new file mode 100644
index 00000000000..004493a1646
--- /dev/null
+++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/SecurityConfig.kt
@@ -0,0 +1,35 @@
+package gov.cdc.prime.reportstream.auth.config
+
+import gov.cdc.prime.reportstream.auth.AuthApplicationConstants
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
+import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.web.server.SecurityWebFilterChain
+
+/**
+ * Security configuration setup
+ *
+ * All incoming requests will require authentication via opaque token check
+ */
+@Configuration
+@EnableWebFluxSecurity
+class SecurityConfig {
+
+ @Bean
+ fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ http
+ .authorizeExchange { authorize ->
+ authorize
+ // allow health endpoint without authentication
+ .pathMatchers(AuthApplicationConstants.Endpoints.HEALTHCHECK_ENDPOINT_V1).permitAll()
+ // all other requests must be authenticated
+ .anyExchange().authenticated()
+ }
+ .oauth2ResourceServer {
+ it.opaqueToken { }
+ }
+
+ return http.build()
+ }
+}
\ No newline at end of file
diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthController.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthController.kt
new file mode 100644
index 00000000000..e62df018405
--- /dev/null
+++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthController.kt
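Review bot: The filter chain in `securityWebFilterChain` stops at `.anyExchange().authenticated()`, so any token the introspection endpoint reports as active is accepted for every proxied path, and the token's scopes are never checked. Because this service fronts several backends, a token issued for one of them would be relayed to all of them unless each backend enforces its own authorization, which this commit does not show. If the gateway is meant to be an enforcement point, add per-prefix rules ahead of the catch-all, for example `.pathMatchers("/submissions/**").hasAuthority("SCOPE_<required-scope>")` with the real scope name substituted. Otherwise extend the class KDoc to state that authorization is delegated to the downstream services.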
@@ -0,0 +1,47 @@
+package gov.cdc.prime.reportstream.auth.controller
+
+import gov.cdc.prime.reportstream.auth.service.ProxyURIStrategy
+import kotlinx.coroutines.reactive.awaitSingle
+import org.apache.logging.log4j.kotlin.Logging
+import org.springframework.cloud.gateway.webflux.ProxyExchange
+import org.springframework.http.ResponseEntity
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RestController
+import org.springframework.web.server.ServerWebExchange
+
+@RestController
+class AuthController(
+ private val proxyURIStrategy: ProxyURIStrategy,
+) : Logging {
+
+ /**
+ * Main workhorse of the application. Handles all incoming requests and properly forwards them given successful
+ * authentication. Missing or invalid bearer tokens will result in a 401 unauthorized response.
+ *
+ * Authentication will be handled by the OAuth 2.0 resource server opaque token configuration
+ * @see https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/opaque-token.html
+ *
+ * Proxying will be handled by the Spring Cloud Gateway library from which the ProxyExchange object is injected
+ */
+ @RequestMapping("**")
+ suspend fun proxy(
+ exchange: ServerWebExchange,
+ proxy: ProxyExchange,
+ auth: BearerTokenAuthentication,
+ ): ResponseEntity {
+ val sub = auth.tokenAttributes["sub"]
+ val scopes = auth.tokenAttributes["scope"]
+
+ logger.info("Token with sub=$sub and scopes=$scopes is authenticated with Okta")
+
+ val uri = proxyURIStrategy.getTargetURI(exchange.request.uri)
+ proxy.uri(uri.toString())
+
+ logger.info("Proxying request to ${exchange.request.method} $uri")
+ val response = proxy.forward().awaitSingle()
+ logger.info("Proxy response from ${exchange.request.method} $uri status=${response.statusCode}")
+
+ return response
+ }
+}
\ No newline at end of file
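Review bot: Both `logger.info` calls around `proxy.forward()` interpolate the full target `$uri`, which includes the caller's query string because the URI strategy copies `incomingUri.query` into it. Query parameters on the proxied APIs may carry identifiers or other sensitive values, and they would land in the gateway log at info level on every request. Log the path only, e.g. `logger.info("Proxying request to ${exchange.request.method} ${uri.path}")`, and make the same change on the response line. The KDoc on `proxy` should also say that `sub` and `scope` are logged for audit only and that no scope check happens in this method.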
diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/HealthController.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/HealthController.kt
new file mode 100644
index 00000000000..f90ee051982
--- /dev/null
+++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/controller/HealthController.kt
@@ -0,0 +1,25 @@
+package gov.cdc.prime.reportstream.auth.controller
+
+import gov.cdc.prime.reportstream.auth.AuthApplicationConstants
+import gov.cdc.prime.reportstream.auth.model.ApplicationStatus
+import org.springframework.http.MediaType
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RestController
+import kotlin.time.TimeSource
+
+@RestController
+class HealthController(
+ timeSource: TimeSource,
+) {
+
+ private val applicationStart = timeSource.markNow()
+
+ @GetMapping(
+ AuthApplicationConstants.Endpoints.HEALTHCHECK_ENDPOINT_V1,
+ produces = [MediaType.APPLICATION_JSON_VALUE]
+ )
+ suspend fun health(): ApplicationStatus {
+ val uptime = applicationStart.elapsedNow().toString()
+ return ApplicationStatus("auth", "ok", uptime)
+ }
+}
\ No newline at end of file
diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/model/ApplicationStatus.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/model/ApplicationStatus.kt
new file mode 100644
index 00000000000..da9a90b2fa0
--- /dev/null
+++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/model/ApplicationStatus.kt
@@ -0,0 +1,10 @@
+package gov.cdc.prime.reportstream.auth.model
+
+/**
+ * Simple json response model for application status
+ */
+data class ApplicationStatus(
+ val application: String,
+ val status: String,
+ val uptime: String,
+)
\ No newline at end of file
diff --git a/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/service/ProxyURIStrategy.kt b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/service/ProxyURIStrategy.kt
new file mode 100644
index 00000000000..38686400a11
--- /dev/null
+++ b/auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/service/ProxyURIStrategy.kt
@@ -0,0 +1,55 @@
+package gov.cdc.prime.reportstream.auth.service
+
+import gov.cdc.prime.reportstream.auth.config.ApplicationConfig
+import org.springframework.context.annotation.Profile
+import org.springframework.stereotype.Component
+import java.net.URI
+
+/**
+ * Implementations are ways to decide the ultimate destination of an incoming request
+ */
+interface ProxyURIStrategy {
+ fun getTargetURI(incomingUri: URI): URI
+}
+
+/**
+ * This implementation decides via the path prefix. Currently used locally for when all services are
+ * running on different ports of localhost.
+ *
+ * Configured under proxyConfig.pathMappings
+ *
+ * http://localhost:9000/submissions/health -> http://localhost:8880/health
+ */
+@Component
+@Profile("local")
+class PathPrefixProxyURIStrategy(
+ private val applicationConfig: ApplicationConfig,
+) : ProxyURIStrategy {
+ override fun getTargetURI(incomingUri: URI): URI {
+ val proxyPathMappings = applicationConfig.proxyConfig.pathMappings
+ val maybePathMapping = proxyPathMappings.find { incomingUri.path.startsWith(it.pathPrefix) }
+ return if (maybePathMapping != null) {
+ val baseUri = URI(maybePathMapping.baseUrl)
+ val path = incomingUri.path.removePrefix(maybePathMapping.pathPrefix)
+ URI(
+ baseUri.scheme,
+ baseUri.userInfo,
+ baseUri.host,
+ baseUri.port,
+ path,
+ incomingUri.query,
+ incomingUri.fragment
+ )
+ } else {
+ throw IllegalStateException("no configured proxy target in path mappings for path=${incomingUri.path}")
+ }
+ }
+}
+
+@Component
+@Profile("deployed")
+class HostProxyPathURIStrategy : ProxyURIStrategy {
+ override fun getTargetURI(incomingUri: URI): URI {
+ TODO("Not yet implemented")
+ }
+}
\ No newline at end of file
diff --git a/auth/src/main/resources/application.yml b/auth/src/main/resources/application.yml
new file mode 100644
index 00000000000..6a085c848dd
--- /dev/null
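Review bot: The mapping lookup in `PathPrefixProxyURIStrategy.getTargetURI` uses a plain `startsWith(it.pathPrefix)`, so a path that merely shares the leading characters of a prefix is routed to that backend, and `removePrefix` then leaves a path without a leading slash, which the multi-argument `URI` constructor rejects with an exception. Match on a segment boundary instead: `proxyPathMappings.find { incomingUri.path == it.pathPrefix || incomingUri.path.startsWith(it.pathPrefix + "/") }`. The method also works on the decoded `incomingUri.path`, so an encoded slash or dot-segment in the request is decoded and re-encoded differently for the backend; consider rejecting paths that contain `..` segments, or normalizing before the match, so gateway and backend agree on what was requested. An unmapped path currently throws `IllegalStateException`, which probably surfaces as a 500 where a 404 is meant. `HostProxyPathURIStrategy` will fail every request under the `deployed` profile until its `TODO` is replaced.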
+++ b/auth/src/main/resources/application.yml
@@ -0,0 +1,29 @@
+spring:
+ application:
+ name: "auth"
+ profiles:
+ active: local
+ security:
+ oauth2:
+ resourceserver:
+ opaquetoken: # Set client secret in SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_SECRET env variable
+ client-id: 0oaek8tip2lhrhHce1d7
+ introspection-uri: https://reportstream.oktapreview.com/oauth2/ausekaai7gUuUtHda1d7/v1/introspect
+ cloud:
+ gateway:
+ proxy:
+ sensitive: [] # pass authorization and cookie headers downstream (filtered by default)
+
+server.port: 9000
+
+proxy.pathMappings:
+ - pathPrefix: /reportstream
+ baseUrl: http://localhost:7071
+ - pathPrefix: /submissions
+ baseUrl: http://localhost:8880
+
+#Uncomment for verbose logging
+#logging:
+# level:
+# web: debug
+# org.springframework.web: debug
diff --git a/auth/src/test/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthControllerTest.kt b/auth/src/test/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthControllerTest.kt
new file mode 100644
index 00000000000..8242e7a3780
--- /dev/null
+++ b/auth/src/test/kotlin/gov/cdc/prime/reportstream/auth/controller/AuthControllerTest.kt
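Review bot: Setting `sensitive: []` clears the whole default filter, so the caller's `Cookie` header is relayed to every backend along with the bearer token, and the configured `baseUrl` values are plain `http`. If the backends only need the token for their own validation, narrow the list to `sensitive: [cookie]` so that only `Authorization` passes through. The file also pins `profiles.active: local` in the packaged defaults, so a deployment that forgets to override it would start with the localhost path mappings; it seems safer to leave the active profile out of this file and supply it through `SPRING_PROFILES_ACTIVE`. A short comment stating that the non-local mappings must use `https` would help whoever adds the deployed configuration.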
@@ -0,0 +1,146 @@ +package gov.cdc.prime.reportstream.auth.controller + +import gov.cdc.prime.reportstream.auth.service.ProxyURIStrategy +import okhttp3.mockwebserver.MockResponse +import okhttp3.mockwebserver.MockWebServer +import org.junit.jupiter.api.AfterEach +import org.junit.jupiter.api.BeforeEach +import org.junit.jupiter.api.extension.ExtendWith +import org.mockito.kotlin.any +import org.mockito.kotlin.given +import org.springframework.beans.factory.annotation.Autowired +import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient +import org.springframework.boot.test.context.SpringBootTest +import org.springframework.boot.test.mock.mockito.MockBean +import org.springframework.http.HttpHeaders +import org.springframework.http.MediaType +import org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf +import org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockOpaqueToken +import org.springframework.test.context.junit.jupiter.SpringExtension +import org.springframework.test.web.reactive.server.WebTestClient +import java.net.URI +import java.nio.charset.Charset +import kotlin.test.Test +import kotlin.test.assertEquals + +@ExtendWith(SpringExtension::class) +@SpringBootTest +@AutoConfigureWebTestClient +class AuthControllerTest @Autowired constructor( + private val webTestClient: WebTestClient, + @MockBean private val mockedUriStrategy: ProxyURIStrategy, +) { + + private val server: MockWebServer = MockWebServer() + + @BeforeEach + fun setUp() { + server.start() + } + + @AfterEach + fun tearDown() { + server.shutdown() + } + + @Test + fun `successful proxy`() { + server.enqueue( + MockResponse() + .setHeader(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN) + .setBody("hello world!") + ) + + val incomingUri = URI("/service/path") + val outgoingUri = URI(server.url("/path").toString()) + given(mockedUriStrategy.getTargetURI(incomingUri)).willReturn(outgoingUri) + + 
webTestClient + .mutateWith(csrf()) + .mutateWith( + mockOpaqueToken() + .attributes { map -> + map["sub"] = "sub" + map["scope"] = listOf("scope1", "scope2") + } + ) + .post() + .uri("/service/path") + .accept(MediaType.TEXT_PLAIN) + .headers { headers -> + headers.add("x-test-header", "Pass this along") + } + .bodyValue("body") + .exchange() + // assertions on the response received from the mock server + .expectStatus().isOk + .expectHeader().contentType(MediaType.TEXT_PLAIN) + .expectBody(String::class.java).isEqualTo("hello world!") + + // assertions on recorded request to proxy + val recordedRequest = server.takeRequest() + assertEquals( + recordedRequest.headers.get("x-test-header"), + "Pass this along" + ) + assertEquals( + recordedRequest.body.readString(Charset.defaultCharset()), + "body" + ) + } + + @Test + fun `authorization fails in proxied server`() { + server.enqueue(MockResponse().setResponseCode(403)) + + given(mockedUriStrategy.getTargetURI(any())) + .willReturn(URI(server.url("/").toString())) + + webTestClient + .mutateWith(csrf()) + .mutateWith( + mockOpaqueToken() + .attributes { map -> + map["sub"] = "sub" + map["scope"] = listOf("scope1", "scope2") + } + ) + .post() + .uri("/random") + .accept(MediaType.TEXT_PLAIN) + .headers { headers -> + headers.add("x-test-header", "Pass this along") + } + .bodyValue("body") + .exchange() + // assertions on the response received from the mock server + .expectStatus().isForbidden + + // assertions on recorded request to proxy + val recordedRequest = server.takeRequest() + assertEquals( + recordedRequest.headers.get("x-test-header"), + "Pass this along" + ) + assertEquals( + recordedRequest.body.readString(Charset.defaultCharset()), + "body" + ) + } + + @Test + fun `authentication fails`() { + given(mockedUriStrategy.getTargetURI(any())) + .willReturn(URI(server.url("/").toString())) + + webTestClient + .mutateWith(csrf()) + .post() + .uri("/random") + .exchange() + .expectStatus().isUnauthorized + + // no 
request should be made to server + assertEquals(server.requestCount, 0) + } +} \ No newline at end of file diff --git a/auth/src/test/resources/application.yml b/auth/src/test/resources/application.yml new file mode 100644 index 00000000000..2925d96b9de --- /dev/null +++ b/auth/src/test/resources/application.yml @@ -0,0 +1,24 @@ +spring: + application: + name: "auth" + profiles: + active: test + security: + oauth2: + resourceserver: + opaquetoken: + client-id: mockClient + client-secret: mockSecret + introspection-uri: https://localhost:9999/oauth2/default/v1/introspect # should never be hit + cloud: + gateway: + proxy: + sensitive: [] # pass authorization and cookie headers downstream (filtered by default) + +server.port: 9000 + +proxy.pathMappings: + - pathPrefix: /reportstream + baseUrl: http://localhost:7071 + - pathPrefix: /submissions + baseUrl: http://localhost:8880 diff --git a/settings.gradle.kts b/settings.gradle.kts index 8ae87b5128c..2a0e2ecd57d 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -13,4 +13,4 @@ sourceControl { } } rootProject.name = "prime-reportstream" -include("shared", "submissions", "prime-router") +include("shared", "submissions", "prime-router", "auth") diff --git a/submissions/build.gradle.kts b/submissions/build.gradle.kts index 4f7c29c7d79..4f3f4c9294e 100644 --- a/submissions/build.gradle.kts +++ b/submissions/build.gradle.kts 
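Review bot: `server.takeRequest()` in `successful proxy` and `authorization fails in proxied server` blocks without a timeout, so if the proxy ever stops forwarding, the test hangs instead of failing; `val recordedRequest = server.takeRequest(1, TimeUnit.SECONDS)` followed by a null check fails fast. The `assertEquals` calls also pass the actual value first, while `kotlin.test.assertEquals` takes `(expected, actual)`, so failure messages read backwards; e.g. `assertEquals("body", recordedRequest.body.readString(Charset.defaultCharset()))`. Because `ProxyURIStrategy` is mocked here, none of these tests exercises the path-prefix mapping itself; if it is not covered elsewhere in this patch, a small unit test for `PathPrefixProxyURIStrategy` would be worth adding.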
@@ -14,6 +14,10 @@ extra["springCloudAzureVersion"] = "5.14.0" dependencies { implementation("org.springframework.boot:spring-boot-starter-web") + implementation("org.springframework.boot:spring-boot-starter-security") + implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server") + implementation("org.springframework.security:spring-security-oauth2-jose:6.3.3") + implementation("com.azure.spring:spring-cloud-azure-starter-storage") implementation("com.microsoft.azure:applicationinsights-runtime-attach:3.5.4") implementation("com.microsoft.azure:applicationinsights-web:3.5.4") diff --git a/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/config/SecurityConfig.kt b/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/config/SecurityConfig.kt new file mode 100644 index 00000000000..cdfa64f27d4 --- /dev/null +++ b/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/config/SecurityConfig.kt 
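Review bot: `spring-security-oauth2-jose` is the only Spring dependency added here with an explicit version (`6.3.3`), while the two starters beside it take theirs from the Spring Boot dependency management. A hard-coded version can drift from the Spring Security version the starters resolve, and the resource-server starter appears to bring this artifact in already. I would drop the version, `implementation("org.springframework.security:spring-security-oauth2-jose")`, or remove the line if nothing needs it directly, and add a comment if the pin is deliberate. The `dependencies` block continues past the end of the hunk.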
@@ -0,0 +1,31 @@
+package gov.cdc.prime.reportstream.submissions.config
+
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.web.SecurityFilterChain
+
+/**
+ * Allow all requests sans any authn/authz checks.
+ */
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity
+class SecurityConfig {
+ @Bean
+ fun filterChain(http: HttpSecurity): SecurityFilterChain {
+ http
+ .authorizeHttpRequests { authorize ->
+ authorize
+ // TODO: add routes which require authentication here when required
+ .anyRequest().permitAll() // currently allow all requests unauthenticated
+ }
+ .oauth2ResourceServer {
+ it.jwt { }
+ }
+
+ return http.build()
+ }
+}
\ No newline at end of file
diff --git a/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/controllers/SubmissionController.kt b/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/controllers/SubmissionController.kt
index 1e7612810d3..2de41c47a74 100644
--- a/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/controllers/SubmissionController.kt
+++ b/submissions/src/main/kotlin/gov/cdc/prime/reportstream/submissions/controllers/SubmissionController.kt
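Review bot: `anyRequest().permitAll()` in `filterChain` means this service enforces no authentication on any route, so the protection depends entirely on requests arriving through the auth proxy; that assumption should be written down where the rule is. The KDoc is also not quite accurate: with `oauth2ResourceServer { it.jwt { } }` configured, a request that does carry a bearer token still has it validated and is rejected if the token is invalid. I would reword the class comment to something like `Permits every route without requiring authentication; bearer tokens that are present are still validated as JWTs. Relies on the service being reachable only through the auth proxy.` It is also worth confirming how the default CSRF protection treats state-changing requests that arrive without a bearer token, since it is left enabled here.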
@@ -13,6 +13,9 @@ import gov.cdc.prime.reportstream.submissions.TelemetryService import org.slf4j.LoggerFactory import org.springframework.http.HttpStatus import org.springframework.http.ResponseEntity +import org.springframework.security.authorization.AuthorizationDeniedException +import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication +import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken import org.springframework.web.bind.MissingRequestHeaderException import org.springframework.web.bind.annotation.ControllerAdvice import org.springframework.web.bind.annotation.ExceptionHandler @@ -173,6 +176,16 @@ class SubmissionController( return ResponseEntity("Internal Server Error: ${e.message}", HttpStatus.INTERNAL_SERVER_ERROR) } + @ExceptionHandler(AuthorizationDeniedException::class) + fun handleAuthorizationException( + e: AuthorizationDeniedException, + auth: JwtAuthenticationToken + ): ResponseEntity { + logger.warn("Authorization denied for token attributes: ${auth.tokenAttributes}", e) + + return ResponseEntity.status(HttpStatus.FORBIDDEN).build() + } + /** * Handles exceptions of type IllegalArgumentException. * diff --git a/submissions/src/main/resources/application.properties b/submissions/src/main/resources/application.properties index 14a3fe573d2..a8750014f5d 100644 --- a/submissions/src/main/resources/application.properties +++ b/submissions/src/main/resources/application.properties 
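Review bot: `handleAuthorizationException` writes the whole `auth.tokenAttributes` map to the log, which puts every claim of the caller's token (subject, and possibly e-mail or group claims) into application logs on each denial; logging only the identifier needed for triage is safer, e.g. `logger.warn("Authorization denied for sub=${auth?.tokenAttributes?.get("sub")}", e)`. The `auth` parameter is declared as a non-null `JwtAuthenticationToken`, so a denial on a request that carries no JWT authentication may fail while the handler's arguments are resolved instead of returning 403; declaring it `auth: JwtAuthenticationToken?` avoids that. The `BearerTokenAuthentication` import added in the first hunk is not used by the code shown here. The enclosing class starts and ends outside both hunks.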
@@ -3,4 +3,5 @@ server.port=8880 azure.storage.connection-string=${AZURE_STORAGE_CONNECTION_STRING:DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://localhost:10000/devstoreaccount1;QueueEndpoint=http://localhost:10001/devstoreaccount1;TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;} azure.storage.container-name=${AZURE_STORAGE_CONTAINER_NAME:reports} azure.storage.queue-name=${AZURE_STORAGE_QUEUE_NAME:elr-fhir-receive} -azure.storage.table-name=${AZURE_STORAGE_TABLE_NAME:submission} \ No newline at end of file +azure.storage.table-name=${AZURE_STORAGE_TABLE_NAME:submission} +spring.security.oauth2.resourceserver.jwt.issuer-uri=https://reportstream.oktapreview.com/oauth2/ausekaai7gUuUtHda1d7 \ No newline at end of file From 2613aa4c3e007a9788737f49ea42b2f8b4e77405 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 19:03:13 +0000 Subject: [PATCH 4/7] Bump azure-storage/azurite in /.environment/docker/docker-compose (#15703) Bumps azure-storage/azurite from 3.31.0 to 3.32.0. --- updated-dependencies: - dependency-name: azure-storage/azurite dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .environment/docker/docker-compose/Dockerfile.azurite | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.environment/docker/docker-compose/Dockerfile.azurite b/.environment/docker/docker-compose/Dockerfile.azurite index 7e3f1c6b72c..34e8ca43509 100644 --- a/.environment/docker/docker-compose/Dockerfile.azurite +++ b/.environment/docker/docker-compose/Dockerfile.azurite @@ -1 +1 @@ -FROM mcr.microsoft.com/azure-storage/azurite:3.31.0 +FROM mcr.microsoft.com/azure-storage/azurite:3.32.0 
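Review bot: The new `issuer-uri` line sets up issuer and signature validation only, so as far as this file shows any token minted by that Okta authorization server is accepted regardless of the audience it was issued for. Pinning the audience as well, `spring.security.oauth2.resourceserver.jwt.audiences=<expected-audience>` (placeholder value), narrows acceptance to tokens meant for this service. The value is also hard-coded to the preview tenant, unlike the `${ENV_VAR:default}` form used by the storage properties above it; the same form would make the per-environment override explicit.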
From 9b76b758f01f37d7e459b1ee41c457043ee16970 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 13:44:53 -0400 Subject: [PATCH 5/7] Bump azure/login from 2.1.1 to 2.2.0 (#15914) Bumps [azure/login](https://github.com/azure/login) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/6c251865b4e6290e7b78be643ea2d005bc51f69a...a65d910e8af852a8061c627c456678983e180302) --- updated-dependencies: - dependency-name: azure/login dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release_chatops_app.yml | 2 +- .github/workflows/restore_databases.yml | 6 +++--- .github/workflows/start_test_servers.yml | 2 +- .github/workflows/stop_test_servers.yml | 2 +- .github/workflows/validate_resources.yml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release_chatops_app.yml b/.github/workflows/release_chatops_app.yml index 72ca550d76d..3b590e47ecc 100644 --- a/.github/workflows/release_chatops_app.yml +++ b/.github/workflows/release_chatops_app.yml @@ -40,7 +40,7 @@ jobs: with: submodules: true - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} diff --git a/.github/workflows/restore_databases.yml b/.github/workflows/restore_databases.yml index 2f71e9fd54e..f0051fbeb7c 100644 --- a/.github/workflows/restore_databases.yml +++ b/.github/workflows/restore_databases.yml 
@@ -90,7 +90,7 @@ jobs: echo "SINK_BACKUP_STORAGE=pdh${{ env.SINK_ENV_NAME }}terraform" >> $GITHUB_ENV # Login to Azure - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} @@ -139,7 +139,7 @@ jobs: - name: Check out changes uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} @@ -230,7 +230,7 @@ jobs: - name: Check out changes uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} diff --git a/.github/workflows/start_test_servers.yml b/.github/workflows/start_test_servers.yml index 901a3f0a189..b1b52c9d2bb 100644 --- a/.github/workflows/start_test_servers.yml +++ b/.github/workflows/start_test_servers.yml @@ -17,7 +17,7 @@ jobs: uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # Login to Azure - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} diff --git a/.github/workflows/stop_test_servers.yml b/.github/workflows/stop_test_servers.yml index 6e7a42e2eab..9fd0ebd0506 100644 --- a/.github/workflows/stop_test_servers.yml +++ b/.github/workflows/stop_test_servers.yml @@ -28,7 +28,7 @@ jobs: sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} tf-auth: true # Login to Azure - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} 
diff --git a/.github/workflows/validate_resources.yml b/.github/workflows/validate_resources.yml index d8cc76acd22..101557421ec 100644 --- a/.github/workflows/validate_resources.yml +++ b/.github/workflows/validate_resources.yml @@ -103,7 +103,7 @@ jobs: - name: Check Out Changes uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} @@ -136,7 +136,7 @@ jobs: - name: Check Out Changes uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 with: creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }} From 7d4313a69712ca1ed3868dd72a080f0402f92458 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 13:50:29 -0400 Subject: [PATCH 6/7] Bump azure/login from 2.1.1 to 2.2.0 in /.github/actions/vpn-azure (#15916) Bumps [azure/login](https://github.com/azure/login) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/6c251865b4e6290e7b78be643ea2d005bc51f69a...a65d910e8af852a8061c627c456678983e180302) --- updated-dependencies: - dependency-name: azure/login dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Stephen Nesman <94193373+snesm@users.noreply.github.com> --- .github/actions/vpn-azure/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/vpn-azure/action.yml b/.github/actions/vpn-azure/action.yml index 20b78d728b5..803ff5fe6a4 100644 --- a/.github/actions/vpn-azure/action.yml +++ b/.github/actions/vpn-azure/action.yml 
@@ -63,7 +63,7 @@ runs: fi shell: bash - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 if: inputs.sp-creds with: creds: ${{ inputs.sp-creds }} From 6af49696d52a46493083ed1b022596be1e797b8c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 18 Sep 2024 20:17:23 +0000 Subject: [PATCH 7/7] Bump azure/login from 2.1.1 to 2.2.0 in /.github/actions/build-vars (#15915) Bumps [azure/login](https://github.com/azure/login) from 2.1.1 to 2.2.0. - [Release notes](https://github.com/azure/login/releases) - [Commits](https://github.com/azure/login/compare/6c251865b4e6290e7b78be643ea2d005bc51f69a...a65d910e8af852a8061c627c456678983e180302) --- updated-dependencies: - dependency-name: azure/login dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/actions/build-vars/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-vars/action.yml b/.github/actions/build-vars/action.yml index 04aa8917865..663d29f06dd 100644 --- a/.github/actions/build-vars/action.yml +++ b/.github/actions/build-vars/action.yml @@ -234,7 +234,7 @@ runs: echo "has_frontend_change=${{ steps.filter.outputs.frontend_react }}" >> $GITHUB_OUTPUT fi - - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a + - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 if: inputs.sp-creds != 'false' with: creds: ${{ inputs.sp-creds }}