From bcdc6900ffc50060a9159b4c03608cd7674f7fa0 Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Tue, 30 Apr 2024 22:41:19 +0300 Subject: [PATCH 1/9] Create AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 204 +++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 doc/aaa/AAA Restrictions/AAA Restrictions.md diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md new file mode 100644 index 0000000000..4de2076d30 --- /dev/null +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md 
@@ -0,0 +1,204 @@ +# HLD Restrictions # + +## Table of Content + +### Revision +| Rev | Date | Author | Change Description | +| :---: | :-----: | :--------------: | ------------------ | +| 0.1 | 04/2024 | Vladi Tarnavsky | Draft | + +### Scope +The scope includes the design and implementation details for AAA restrictions, focusing on authentication sequences, session management, and user activity accounting in switches SONIC OS based. + +### Definitions/Abbreviations +- **API**: Application Programmable Interface +- **AAA**: Authentication, Authorization, and Accounting +- **PAM**: Pluggable Authentication Module + + +### Reference +| Ref link | Description | +| :--------------------------------------------------------------------------------------------------: | :-------------------------------------------------------: | +| https://github.com/sonic-net/SONiC/blob/master/doc/aaa/AAA%20Improvements/AAA%20Improvements.md | Sonic AAA improvements | +| https://man7.org/linux/man-pages/man3/pam.3.html | Linux PAM | +| https://confluence.nvidia.com/pages/viewpage.action?pageId=1347495920 | Pluggable Authentication Modules Library | +| http://pubs.opengroup.org/onlinepubs/8329799/chap5.htm | Implementation details of ldap pam & nss | +| http://wpollock.com/AUnix2/PAM-Help.htm | PAM options | +| https://packages.debian.org/sid/libpam-ldapd | PAM options | + +### Overview +AAA (Authentication, Authorization, and Accounting) in Sonic establishes a robust framework for access control, policy enforcement, usage auditing, and service billing, supporting standard protocols such as RADIUS, TACACS+, and LDAP for user authentication. + +This HLD emphasizes enhancing the security of aaa by introducing "restrictions" on the number and frequency of login attempts. The focus is on augmenting the system's security by preventing brute force attacks and ensuring that user authentication attempts are both monitored and controlled effectively. 
+ +### Requirements + +- Limit Login Attempts: Specify the maximum number of unsuccessful login attempts allowed before a user account is temporarily locked. This prevents continuous guessing of credentials. +- Control Login Speed: Introduce delays between consecutive login attempts to slow down any automated login attempts, significantly reducing the risk of brute force attacks. +- Define Unlock Time: Establish a configurable unlock time that specifies how long a user account remains locked before allowing another login attempt. This control helps manage the access of users who have shown suspicious login behaviors. +- TODO: SONIC rest API/nginx? + +### Architecture Design + +Arc design diagram\ +![arc_aaa_sonic](restrictions.png) + +### High-Level Design + +#### Sonic-cli +The CLI will update the CONFIG_DB aaa tables with the commands mentioned above & will show the current configuration. + +#### PAM, NSLCD, NSS +The file list below will be modified according to the flows of the feature, more description in flow chapter to support login session limitations and aaa. +/etc/common-auth-sonic or /etc/common-auth +/etc/pam_talley2 , /etc/pam_faillock , /etc/pam_faildelay.so +/etc/nsswitch.conf + +#### Hostcfgd +Hostcfgd – listen to changes in CONFIG_DB in the aaa table, and when the table have a new modification/or init happens it will trigger a callback in hostcfgd handle in AAA class to modify the PAM & NSS configuration files in Linux. + +#### Database +will update the Redis CONFIG_DB to have the necessary fields. +AAA: { + Authentication: { + restrictions: { + lockout-state: (True/False) + lockout-reattempt: (duration_sec)* + lockout-attempts: (number>2) + fail-delay: (duration_sec) + } + } +} +* lockout-reattempt: 0 is considered without a limit. will not allow reattempt without resetting the counter. + +### Init Flow +#### Compilation +No new pkg are added in the build time. + +#### Feature Default +Restrictions are enabled by default. 
+In addition, this affects the common-auth-sonic file switching to a duplicative branch to use pam_faildelay.so and pam_faillock.so + lockout-state: "True" + lockout-reattempt: (15 sec) + lockout-attempts: (5 attempts) + fail-delay: (0 sec) + +#### Dependencies + +not relevant + +### SAI API + +not relevant + +#### Manifest (if the feature is an Application Extension) + +not relevant + +#### CLI/YANG model Enhancements + +TBD + +#### Config DB Enhancements + +AAA:{ + Authentication:{ + Restrictions: + lockout-state: {{“True”}} + lockout-reattempt: {{ (5 (duration_sec)) }} + lockout-attempts: {{ (5 (num>2)) }} + fail-delay: {{ (0 (duration_sec)) }} + + Failthought: {{“True”}} + Login :{{“local, ldap”}} + } +} +``` + +### Warmboot and Fastboot Design Impact +not relevant + +### Memory Consumption +not relevant + +### Pluggable Authentication Modules +compared to AAA Improvements we changed the authentication flow + +#### PAM authentication + +PAM configuration files contain "stacks" of PAM modules that `pam_authenticate()` invokes in the order they appear in the stack until authentication succeeds or fails. To understand the concept of stacking, please refer to [this document](https://docs.oracle.com/cd/E19253-01/816-4557/pam-15/index.html). +We introduce and use more complex deny and permit to allow restrictions on the attempts +```bash +auth required pam_faillock.so preauth audit silent deny={{ attempts }} unlock_time={{ unlock_time }} +auth [default=die] pam_faillock.so authfail audit deny={{ attempts }} unlock_time={{ unlock_time }} +auth sufficient pam_faillock.so authsucc audit deny={{ attempts }} unlock_time={{ unlock_time }} + +### Flows +The flows are aaa sonic-based flows. + +### AAA Authentication successful +The Pluggable Authentication Module (PAM) can be used to authenticate a CLI (SSH, or console) user to a Linux device. If a user provides correct credential based on a login attempt (ssh or local) and logins to the system gaining his privilege level. 
+More details: +PAM - A module-based system for allowing service-based authentication and accounting. Unlike NSS, you are not extending existing databases; PAM modules can use whatever logic they like, though shell logins still depend on the passwd and group databases of NSS. (you always need UID/GID lookups) +Successful authentication is in case aaa configuration is configured for a remote connection and a remote connection is established, authenticated, and authorized for a valid user from the correct source (by order). +for successful flow, this feature is tested to not interrupt the correct flow. + +### AAA Authentication unsuccessful +Positive unsuccessful login is when a user for a variety of reasons should not be given access or specific permission and is not allowed to get them. The reasons are – to many login attempts, a blocked user, wrong credentials, server authentication error or incorrect user for a login order (ldap user trying to connect while only local is allowed) in those cases the right expected behavior is authentication unsuccessful. +for those flows, we have a new type of unsuccessful attempt the user is blocked because of too many tries, or too quick a retry. + +#### Error Flow +same as aaa Error flows + +### Restrictions/Limitations + +### Testing Requirements/Design +Test all the new SONiC following commands about aaa configuration below by using `show aaa authentication restrictions` command and see that the expected configuration applied. +In addition, review all the configurations below in this file /etc/pam.d/common-auth-sonic. + +Test all the new SONiC following commands about AAA restrictions configurations below by using `show aaa` command and see that the expected configuration applied. 
+ +AAA restrictions configuration: + +- Configure AAA authentication restrictions fail-delay +- Configure AAA authentication restrictions lockout-attempts +- Configure AAA authentication restrictions lockout-reattempt +- Configure AAA authentication restrictions lockout-state + +#### Unit Test cases +Test changes in the database affect the end-point configuration. +Check config files after all configs are set + +#### System Test cases + +repeat aaa system Test cases. +new cases: +configure restrictions lockout-state enabled, lockout-reattempt 300, lockout-attempts 3. +fail 3 times, try to log in within lockout-reattempt seconds with the correct password, and fail. +configure restrictions fail-delay 60. +try to log in with an incorrect password and see you may not retry again. try with a different ssh with the correct password in the fail-delay time. + +#### Debug +same as aaa flows + +### CLI +The AAA commands are existing and will be extended for the restrictions feature support +restrictions commands are as defined as follows: + +``` +config aaa authentication restrictions fail-delay +config aaa authentication restrictions lockout-attempts +config aaa authentication restrictions lockout-reattempt +config aaa authentication restrictions lockout-state + +show aaa +show aaa authentication +show aaa authentication restrictions + +``` + +### Open/Action items - if any + + +NOTE: All the sections and sub-sections given above are mandatory in the design document. Users can add additional sections/sub-sections if required. + From d87cc3b76659225c4546e571b75fc6b66dea44b1 Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Thu, 2 May 2024 10:23:02 +0300 Subject: [PATCH 2/9] Add files via upload --- doc/aaa/AAA Restrictions/restrictions.png | Bin 0 -> 51892 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 doc/aaa/AAA Restrictions/restrictions.png 
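Review bot: the PAM stack under "Pluggable Authentication Modules" lists only the three pam_faillock.so lines (`auth required pam_faillock.so preauth audit silent deny=...`, `auth [default=die] pam_faillock.so authfail ...`, `auth sufficient pam_faillock.so authsucc ...`) with no authenticating module between them, so the reader cannot tell where pam_unix.so / pam_ldap.so (the "Login: local, ldap" order given in Config DB Enhancements) sit relative to the `[default=die]` authfail line; the lockout counting depends on that ordering, so the HLD should show the full stack with the authenticating modules placed after the `preauth` line and before the `authfail`/`authsucc` pair. The `fail-delay` requirement and the "Feature Default" paragraph both refer to pam_faildelay.so, yet no pam_faildelay line appears in the snippet; add it, and since pam_faildelay takes its `delay=` argument in microseconds, state the conversion from the `duration_sec` field in CONFIG_DB. Smaller points in the same hunk: the ```bash fence opened before the pam_faillock lines is never closed, while the "Config DB Enhancements" block ends with a stray ``` that was never opened; the "PAM, NSLCD, NSS" file list names `/etc/pam_talley2 , /etc/pam_faillock , /etc/pam_faildelay.so`, which are not real paths (PAM modules are not installed under /etc) and misspell pam_tally2; the default `lockout-reattempt` is 15 sec under "Feature Default" but 5 under "Config DB Enhancements"; the "Table of Content" heading is empty; and "CLI/YANG model Enhancements" is still TBD although the CLI section already defines the four `config aaa authentication restrictions ...` commands, so the YANG leaves for them should be specified before merge.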
diff --git a/doc/aaa/AAA Restrictions/restrictions.png b/doc/aaa/AAA Restrictions/restrictions.png new file mode 100644 index 0000000000000000000000000000000000000000..f464741b4474d5de1df1e0933f3c01567acfd052 GIT binary patch literal 51892 zcmYJa18^nZ*EJkl6WbHpnb@{%I};ld+twr#+qP}nzOnJ$-~WB8zOK5ryQ@*>^x0>f zz1LnlLQ!4<5e^p)1Ox<8N>WrA1O&7Mczgu|2K-OvrgsAFKz}Ps2!m8lFaO(k?)mS#I~v~0;04+M$pt60*46t~k^5BT6;zU^ktN}BYDy@z zB=;(kBq3;crcj`I&$?nuu40_%8)}#7hT(_TCRo&@G9)4BNRavLao@Ttg<^-T`gFxy z&CqW)KPBt*;i!uo!xfEyFFl}Qh~@)x%iC`Pqg5as@}e$^?=R>Njwrzih1%MM9_Kr+2DI0GX1(FRv zfM($U_FSyV7=o@1puzTZ6`wEv49@xdgr+{_| z@XD>WDz+*vffhNlBIciIt~FTd4WPPE5=S{8q`6nFOcREaAX21~pi16@9gsT3dQb_= zowqx@SM-P-Wl>#H6+Ro%aj(|y@_Ta%HrNZ(9 z9C|ugQ7!K=o`Hd3yRD+Aw6<0x>?t-ll$}?1nD?9sc*i5>97sHaB^Kq9D?zeGa^75- zN=J8>_dko!9FLe1QN+<%F()}EaDHDUVf)BOWy!r$aJZjZGex;V$OQ%ub1q_>d=tv9 zD+~F)iW(wI3(NMKUu)4?u@#8FTs^{K^%@%B5cnirpDOBcROJ3O6MBZL*!+SG{Aw<4 z2b<)BLy>hj4>jA!y}&L05i>k4?Ov_d`+5)r%tL8C;q>@PGhwzAGOQf9)B#a+O`(e$$PhK|bP9(0mh znr+8ry;8_k{nom3jPcQ7U;2JvrS9i+*0l9Tcg5dOUpEsHa`HYYZycebPtpJEGCkfJ z(l>-g8Vkep*fXDvs-eI;Rt$|MU0qj~+4VfFB-d+rly%yTV9IT`uFMcSJ&+JPOzl>) zAomVxSt+o5|1$O>$g9^SR%Qg#3MJ2AH#|tjY_Zj>Ek4|+_9xO6>xQ#%UvzHQo9$M+ z+5NFx&aYb1YKi=zbV;Jy-s1T|GH=OhNWkh1=QD#_5g5Ri26P}G zCZeH#bK%su5W{@)PL}T3FO_^q=VVm_IBQQ8TdAQXY;{WE}EU9F@ERFC3O97TWC>Z>`+)5?eD#DtguuhaONo4!f%AagE4BC@iuZTtR`aFIGoD zpWSVA&>TJ4`PYr$+?sxyccEb0(NRwh8eI59Plz8Rt?V^wDHe|WG2j;EA~bMy$Eguy zP6(IncGrAiQUvV~B7jeSGjd=iMoV2wi#reI=MbG7-!`%w5P!5$x=qH>xkNh;Ae-DU zrl@Eu5JFhySr#z390@-pbkyv`>I5S*&tZ@={Bma9_2yg*F5-OhP3Ti6NT$3!jnS}_ zdL|Q)$US61TRqkYw|g7Vx14k}1Ld=t?at3h6D0Kt(bJ5((3LHBe% zZo;jFtBf=vHg0^rTHQeu6Gy^{(I_D#UA#dz;^X9mZV51BQkm-i@%ofW{`mJljDlMf zqAFH3u>8w#EeLxNQW?hAohqEChCEErYz8YpPHY2`7=ea@j+EmA7Z^%;3?~oYoo?DK zIz9mGB_^mRZCTiA0EM)fsP-v+70ydMX;Mg%{}bZ;brOlzNd&BkyG#5)AF9}|hxKf|f0 ze;UyJZ{RS660=0(J1KS|_LBk+8DK9H@hMF*1mh(!#VuU`5g?Q3zo=)>YE0q*e}*U_ zgXj`yrIly@1NFJEML}#!MH#)*;zilAlvT`cUqSDLjA%2`vQFhZvyhl;z8}P^a^XVK 
z%ub)9X-ScrrV&M!%D^Qi6$E`AgCf_ORgnxa#bM$?QC%W934Rp1^&JX!%n4@pM*KM! z1!ck)g%`Q*+$$2?n~}MO{75953RQ|E#00(j2viTFf+7FkhxjNVhFpP_BMHy;;C)Q{ zVT?RzMp&1zn8|-|ND^{@*7$`h@_)zB{pCr;TYd@ujjrV0OJFObV|*6)|2_da5>A7~ zjDD?QV2{)3=;XN9Q`?ED*JL^~i_>EK|GPi_wvg!i<=Ouw7v0=! zJ?4x<`rooZjnA^}dy9t<+m`u069 z^9FQ1FKHM&HlY7Rjp)1^r~Q8K`F_6{K(5hh7@ko}h9>esxm~R@@&CHdizDRIHV1na zxasxnd5!5QpsMM5!gVI}JWRl#Re#ZX444cf^g2cM|2TMoMf<3PP_NeIHoH5tWIJ~t zf7g_*3fKFELY5c>^y-awNbFPpLXe|b~sPUrC? ztQOOvU(0qIyTg9>Iy+vMbt9y6r^tYI+A)`lm8y!$%H%Vi>(2Y!ysyUQV)MsLb}U_w zf=OB9`64NiFvKhYfBx{taoQT6*Q2yg0a~ z^5$(YQ8W&#`QXjo=${z3^Rkle`=<>e+02LK)jEr8Cn#rA&wPpJYn2jt-;cVH>+bh! zW{2*x6N;NYXrj)Cd6~Gc_nq&L69J{;A+M)=h;Y;su(i)eM*p>Tvx(6JvQGjDsInB= z|4df@bgjXn#eVDhZ7z=g<3>b4M#*p|=l6BnSLk0|pE)su>8uk6s`0Cq9R{?4P^2wA zZJGtC%AHyg9-jB|it5BHtZTcArRC*n?Is#6PknuT;JBE!L;laExaw}kMu?uzmoDl7 ze$V?#g)}rY#&w!nT3YJn#XUN7wA74@&z$EZCwP@cW_U87iYWMS-s5)!$$MxRoC1<8LUB_7WOU8-V}!`~8f7L_bsX z$HzxwBU@2T=Xv>mb_V=D;$Gv))HU62=X~xvQ}geJ2Fo3Xi85?*-YQ8< zc?qANVRgN)ntD3EzkmbWD?hkhlIJ|_etW;~Qt=(Ar)8>wS?LGJOT(@7? ze|>N4XgdnUvyVSQj_mL62fBMtdB}XKnyQOk637$vV1WTW3cKH54<&uU z&;wba2fY4YKCd5#lA8W<25o;CJ`TH8LUU_M+xi86k7^YO-}W)u8{3kE&kakd*|8b>XA{;YacjQ_=uDDD16}=!z=-VDA1H(Z%4Jf++?cxg;|owv;cw5s4OZu!0Yj zrWk@FU8KX|co#K3*m{di3*!-}LB<`(Vw=D?xMRCGHL@kr_y%}^JoH?dh*6g~@rdyq zS@^#9HyiSiMWsqXgwQ6k9WNV|Cs=6LQ9zq60#h_A5_i#&T`F+>WXYWNGLF9rDMBO_ zC;m1Th0>!hDm^9?mJLzm+6+jb0Q*3QStdZ;cSkAuM~8OjUY}*mQ{u=gqNoI3Y#lDr zRx|SPh5{ZdAWH5Z0d6w)I7ug=uz)Y2vU@cSZU%4qR|tWP8I5^%PZirbjy zz<_ky`Ox5tErumzWy`Z^Cp6;S(eW1?_$uTm+xTV8sz%6#a3t5*4?{k|k6H2{Yih5_ zJ6#b@wFk6moJm3+C#9 zm;yTh#!3xE#Bt`)Bp)<-7hoM(;F(*YzNA{E+5A#WJ2SBmsfLVC^3Uz^K+}RxO6^ff zdV$!fnA-(y;@Olr1M2*QOx%;)k(l^CVPLGAI|2Z+?ggT$KqsbtkW1L$8ds5Ihi_bp zW4GhsuT)!mlCR>eIdyZCjs_BoLQBWbyuRcAUAUltr@u%s(d=9G?_sES^VtX%&|6qgY@>%hGyQaA!haLrnh3bioEBJraPs|c=YJ$SDv@q?2T3ep7XMVYuc^;F zO^MqM1(1S-)g~T7SLVV-8d@%FftS#Y7Wnw*1br{hKIMWuIIMk|ML6@XNIR(^G`J6! 
z06C2m#ra4K@Db(WNhu1{48Kx?dj0=8W5BJ#CU`>tA=*7qD-vWi(?G(bvVuR-ue#Tk z?gS}P>vTREErP*CH-7alWNAak#`t?E21wY)Q88tlS8X z8aXKlM3##oxfxNPURnJi{tUze;OCPkSDl25EEWkZFNmyBrV$kKXl^_h z8G)OI!Q3$H_;-bnGOJjcN)_t(sL-rSc(sY7x<~)tf=womr_=@r32!u#xIRI2!b)>^ z?yMX7{2HGhh-;ak269|>yjZfr)m(*8Oh33wqB3}(8 zjm#6yuBELTS87G^MHK}tW>g7*8D6>zt?Dfgp_XWk|YA^bwoYDsy7TL zHy8rY)*7&x2XZu|ni?*a)FU*iE-{N;3B0>s?e=s2WzJE^s0UN;e{fftc9B1362F_|EmCumC?s z`AP@Y1H+R3E5DF=OK5o?!$caA0`iSufOKp>=**+Zcp%R7h84}S*7F6$!Ul5p&+Z%| zMiA-u9N599kvS}hN)`yqvWAH79?--$;3Ys9pdrEK0>lF_cj2;7i_o>;V5=gg^xr zgULFW+uC;w%JPGA)%J#>l`ZFxA!8x`QN{ZP> zm|0@q888a31Z+N3)jknIk}pNH$c+AiAZh72*eo$t*#XyHv(b66UBC38`Ff16RD>~V z=y$Wc*K(QFPC7vsbacu&&(<<#{DdODGviWHRIu#CBIQ8KaCFH)1{a|~LjO2NV&GeJ zCnclCr#2UjSW`pE{Cg(Nn`#h`6}6<6oO(x*VxS2Io5>vE!b0?~D3oX}py84c=pj4= zjh|qYn{<>TQLbz$b<&fuW+(hm#rJlgFR6@0TV|DG<)I9~wkq>$FE%gADhBNdST^Wg z{9Qk_sS9-&byAdzF2RJ|TgTmoU{wGD*qXR)X=#i_AACDV4Ztr(*kdDOq>Rss0(r%5 zYxAOld2KDXpv}c&o7&74bzU=l3i0ti zvorr>ex>=Xi3=JuS_+Aax8|1yTo_74^%8P(qFqG1BS;YCdiZKB#F)vXeLbB#*J#&~ zqBH5uEV*=5R$jK9=&#orbyef-Ha%W&e#~t3be@f0*tg#uW953ojtF!ADES9@Jel!( zg7% z%tPt zQ;M$~>BoVes?bFixa-SP7cCAun++0ahFrV1kDG&m**4T$=C~mesaQ|&(t1AQMia+V z3Vct1mf>!z5fcgn_nY$a@?wR&X4eb#g~gtayNS6%gVVK=XEB5Kw>B)@R+rcMFe1;^ z>S_*@*^xNB@9Pc#0wK$x&CbWMRY@L)+4v!rL=VhANXqtn1&wYJp`j;*wGR}84b-~@ zYVH}QeR#~tikK0`ul1iN20mXQX}a?b?lUL3zUD{cW=zQhJYQ=Td9itH_LDj$@NtbiOAgn~dNfX=e8(67$R ze-SlfG`IP9pkv>4(7xg4@u{Yv*JeL;zE7}mZe4C6pSRs%@$BvY^qFPfas0&NfZ6l* zbp#Azl*-ERiWE?PHOFGp-*#u@@s2y{!v7tBG(R%U`#m?rx$Si&*Rt(#Z@02_-;n3V zTlSf)WdH&G_GG8ycD3nu5(g-+tkmrC;U4A^H9plYNstwGA#0#b;BHFD#XUsqkk0* z8T|h=bjazyrNBS1)$SR zY`#FQNNp*l1c~2lz0vCP{h5)Dj*6D?+x9J*L<9;rNsOK@wRAY_&Ntg+c&njAw4Lbdg zVSX#?G`XpSJ=rzPi!e<%@srpqMV=j}l^C6-v(Rm1ayr;k;p6^#P~`_xNy$8KU(1^r zpPnXUv)p}gI%u}tcG-Gdv0H83uCGjb&x=-qMs}b3E5_IEUQ=31M@Kg~Gegg?UFWz5 zHdL^?cS?hK+bqWvq;S7J# zTCG}FCifa!LK#U}v=zTR*J2HqLJzUIIVC4+p-HC1)kfX-_SM4Gb?H`fu=%f=8ityh z8GDM^lG+hF!oTo}3YuE#eKOo}T3TtF3R(h6bv30>7c);SJ^F{Zn6;9dAFwGY|JZM+ 
zX{0M?Cv0qJWMtgz*BXtkv#svCKa2&xw@-5Y%~8dUKcd-9Q@JTt;LLHb;|4?kED$>RFYDEP6xh0N_W zK6nGUyDA_jb5!HswfA<{H`ip7wp6haL-@HL{)3Fec9qHJ z|EW@o&+9Rp<>SMZ5&~+N1Qv||w1P0qF#1lg z?n&?oNusjM8v8BJpW`vpAuq@5Qn@Rf%fu#7l>v6E0bh+%^xiYYXJLz-jUFXxeW=5Y zL9g3*qd8}Zoqa!r$}^^4BmN5vs(KbSVaL|6N_0Q2d>tvY1lXVB$>``Hj@MIITKfg| zUtquLiAos+I6yxYbw^-BgVwk+D05U7YZPWU?BE2E^?8LMgA57g$Yc4bailw38we4| zS7Nft-_{<=09}vE!T#?Tsq}c?U$Y`RUHj#G1EJs7U+)f`w@~D>=ay`5hlO!dS)UOn zkZJS=k6jhj?e7)>AtCrkA#Q0YUl%q0TdhWFc6KfU!vyZ%GvB)I_i{H@cKnbd?8@EY zXsqJD|C(vVRrI^C<5qd^-%3z+KU$B->&+$P9%SxK=5784WLU(evwDAR06HIoi8eV* z1y>%2FuvcT40L_=hIZbsk8GAJ{jb|jW_SR+l1{0aH9gC%XAeU=M0GYpSPLzo{zROmwP>?B{zZqX)FT`U zbMUt2`Fr!I$Bw|B?7P%b^E%AQ(0&We>G^R=eMuvM=71B)B7w3`Iuy*}hX>9YOzFe2 z4N%61Up#E(NLFXvI~ZT#SCW?&m(*d>v-z_#)%^*1qPXBXP#Lp`gzYiTZIQ=n)!*7= zqaGpx%0IcB98h3U6!QJ7(Syz7cei?b;P=_Hq5ERHg`!))e6zLg zfTHtj_@X2R|3}QP-xf2uuV;rR-|vfz{*NOP-(S0LX0(_-uRlZ6$D}Z|&ye_!k_mL0 zfgs?iaXbCx`(EEpp$9RJf8KlVt&5+<1?iPHc8KHTrB$p(>?GE>blM*!tHF+V-0>mL zMu9L(fRD_@mWy`3@7muGQD!fzL7#rsKAvx-Bo|{XEvj>f6DUa#8N&@CoLIQO$d)?bh(7dv+Q%QR2hywjZLyILD1tuH%+8Q|PPURm2R_ zuWU4%ob>;b>2LuQWCcc^XKHSqEp-6yQYthmbs-1Pe_L)wvG$_ zz$_d5orKkmRU{Snw9)I}w{aN4kvUsmQiH+8bI~+(;RBI9%^d9}uXWQySGnN=X%AN8 zZW;$Qbop*rk`oXco~eBxf};GO%OY$>#*QS0OSw^q%;B|tg>%`!(Tp*J#2B234V&L? 
zNTl{l0|)+$gA4yfhMXYs#KzAwYP06zy9cH+^qDNKgFNrSiZd|f-(AL&zn{Z)G*nd~ z!1^4y8eP4eZl@DLgXNc^cTZ39{4WzEfZ4?8Nw(9AOf{R`vd6Q9G-Q@dz8-V1r4(3L zYAJ(U?}EBc@L*pOB(#V^*gi4BW19?dv|YU3_FnX$7p$qkn|5D zD4P-dOwa;*jjB*uC4WfDb?R3uHtt2DcZtzkf&nxbt5v^+mwyWh#J z==ra$Ncf)E?09_a#OXN=r2u^%z8nahF)Ltt>xX)kVA~qh^4NG?wBfn1&r7kIaiX>AsB(JI+q?s?XBonUj+c?mGrb z(P36pRWppz3W5t^r6V1rHgyz{b8=F$#!M)dmsc#;=n=IX+-QneWdN5>^cI7hhsNG% zy`Ok14u=ZUt=3sjb{%e4_z{ELGv~!-TKloNpjGUav8C)bqxN$=h;}eDyCx@mR&B6Y~Mut$O6;a8_$&FSjni?8dFi`yk zwRRg#uC6#|XMuvmgmFN#Jw86p42_in&xK$V4tcPI8RfaTTST0tGFVFE=#r>Yzw(UP7aUZg4Nl3j+m>Pn1n7hQ0xTLlzVw1&z}=9j2z{Lw1zc ztp$$j`31qDIUGJWvn0N6k6>|{Oo$l&iaAn~k~sGtj7oBtodAq)AIBEcSKJa!!&^M!xBkRVSeIXlDu zzK5@aZ6g_^AAx~TIA0~9rNmN3rN}??_!x6fpV{(ugD?Jff{AW!YBtcm5Zo8^my{J< zSm0E=RPX)im;WXf&n&77l%@{XByU-&&&yZJY`8eA)~jK=p9V0q=r>y)7NH1!le7y* zd%Zd<6T%oNykhJ$n}Zjl9f{O2FeGj_7%5(3Tv+*Z_fRwDP!YJ|!ZM@u)B{q` zub^M|>b1o@`zItGZ0!1IHp;52EK~?YXc;~Qf=g}rS?km65VM}PFim$Pl|@~`V8l>R z{uNfG4k8>-i*AzO@M%%RfGqayL@z{j!*Q#2P_F@mfZ~CoCB%XLf_=~*F>GI^c;=X+ zf$ktmT|!#0V;#~=D59=ZA$B=7HYC>F7D0B&Ayt!c+xY}2w4KU7KF|P&92pdh4)ZMd zF0gQTkeAe=$gN*)a8po7e-30Drv|;ecdCyIP5BM;`30d-qIh`dz+?LjGK9*=E!@}}`(Ux`YERl*z~OPB;tVeZn?(bP~$ zy@#*FVn_GNp#JTpV3bNu(1>#8Vt>N*$-pRzlG81x6$>=x3Pb<#R0~2Kf_PB3t4pGw zB}g&4n(v*Rc0x?wKo2W#xS^?tKSqQhqK%J~(Mx%R3lbk|=*vW?9h=bypq^rr3rDx> z<#1NafLtDY2&hm~!(O-KZbddz)SSMVGW`kvw;?hadic*p5(Vr(OveI;xL(D3kH|M6>3mTRFp%OAKbQV5> zw2F*CvUt#h*A-@>@&M(9k6aWIEZzFuZ^XxgmKu|g3w0l6je|6xN?us-t5L|2=zb1C z7e+0)Rw~PeVQxN4APHJUO}F9V}YVDmvZ1R_(u#BU+d+ z=l;n+2=ipe_SkD799^;~=PPV)1XQS7Ax%qc?HJZRR4nKGwNu7Ff8E3JkE`FZ`4z9YG20M6TpWg`fMYhgu5$dY-r)PrU7+>)y{7Zw zZsFUvyuBW7J!*jIE5!IV2EIIvAWRzj5X~Bc<_8qK>h#?Us67GAAhP4a^L`7Hl|+Dj zzCblv%<|Q`8a~ql&_m~Y9b_HaXbGZF%(~LN*^>=s^efcH4`D5^YbDi(k;R*HDOfuE zQOYOH|4}1R-TDyu&HwsR823quTeeZ_cEze7&|7D9NXd))gZ%`_Rm03rO*g(2zcw6q8@D)(L7N@gX*VijmSt#8SI4+x&s`l5= zjqCS3gU*`|c$1OnIy-pPaHx9=_cbWoXmY0!mY-b-EFRA>*W9ZM5oABu5H}(Vn5uCt zf}QBdXA-%Jip&50?L?QDeDgWJpXtVq6Az-O2y(&-NGYKyBALa96b}-HuOo_q0u)5- 
z&vOj~?2eC1e?MFFeDxu=@W1X*>U*92WV*@LYS731bZ)F3hENHvR|h4>$aFJ+#oFLj4*=Cm6(NQjN;r?TMPvbdRtXOoQzKsrMH{h*eIyY zg#rgP_#x-Jn+PM8ppF`ibgD^(lFets;qthS=fHLFurMP4=xlThcPT6{i2ng6!l$Om zZ21f5LDHkcJ__b339u#S_3V9;Fa8S^A!jMYp{off8z|kUwzOY8*!FjSdnoG*Snt;B zfS(o+V5Ce74KXQ!REj5BHR0pJreACXX_Z?E0tM$Ov#O0l2!6g}XXlgCVRHCNmCLH> zyw0rgzp}wHaMU+97gtj|N)(H718gIj|G}TlcI4`fv?5eKjt3DyL{|(ZSv3xVz*sHE ze9+V!j@L&C`y&E6n`cOY)$JqRj)Qa{2?JtW%p4NcM+fdy91>icJ8Q1EXR%O{w^;Ux zp<&>842*NJ`DOJXA&^LVZ~uq}389U!4k;8S@F>F5h#}FG+%WlLdudaJgV)jG2Tg_R zn;i6ova_eubbpMGA5ARuYuD)WP4iz=D)y3pd+1Z4?-qQJqR{MifqjViChNm|8u#W) zP&}<+Y7Fcuo6F{fHULBMn6&8j(}x9dVFsQkcRHQ=*6Q}q68HcyIRp^&qcC|XM{6!@ zIP8a3aG`}JW`9eMbN8reMHVvUR7Qg?XEk!vgaf?$ zr}3kTRC@h-lMQtS(8AZ_<>f_Hjg%U#CgY08ctb-R*&1%a135=k2+nw z*HPvYtwyDO9h?tDhskqw4s9yKdab?PSoNJF(`s=kN=%?$u(q4+Mzi^Aear=C0DmuC zGe%8CnULKOPji)Sx68%xRBfmtrW-XKh2HJBo5s}los200J{M4Q>{cqxCJy;rutqF} zO@YT*sncybRxFnlFCM@~N84@v8rejvZm-`1TOZWkPdubV1vHDHMxf9YLnf`ppk>?1 z&XFmc47W_L-Q#TBOlI5-5Y!hUz1qBP(Q9(&+GAe zsZ69J=z|xvr(9KCy;8H?_;bAp1H%jjw-}7aUMPM}6FtQQt{g}PS64Uh*NsQQJ&cuO z&_+hNLx6#XyDUYjRcJ8ibVz3ltF+jz*Lp3@KVB@Wsx6rom0)2UA2@2e#x{5kgf7vh zI&8G3gjQZ?*LvHOld&)9aN23M*}hii@XX1PTN{Z6Ujv!dZp$xV9JTrN`PSqRwS0Vl z+H0wWbC!Q-s2C$wXro@G-)(wUO~9i`IXMszArJhRW9@1{=5U9kn74f+8%DWUA5Kp2 z-rqn09;?wIOTgi}v*+`O5pBoQZhw$Eg?-8Q{V7B`j!0n7!T)Vxks9FlaBE@5(+F6u zy06qS;Jtk*#9OZM-|JE6x}VljYhniqlFtVt&I`qiNQ2bEzkO`)nV?d^o~?po9qA8 zX1~>rfnlzY#eZ?g^a7LqtRhG*AEH~g^7OX%jG$a7AL@e zo3m2l!^@tXy4>SGqdDmZ*mD2=tnru2csV{C%R_gy-D$8uURhAD)ZHmF35$;BI15H5 z{FpE(@ntfs9c$H+$X=HM-5DtUTU*ACL2@1&d{3tfabGsmmu)hsjPDOg z3Qk?8JJ3WQI`3|FJnrW(6Bij4xmpe8u07qpguV|-no$njAEbzyg)8gf3uiUza(;okj*Yg7}Pd00< z*>2-{iw9_m2YX>(?EZZp)M%73o{wukC)A$>JPqaTIS@oN{SCW-PkUcZFa|E|$2Pcb zq(-0(=Q*w8;BndyA}|{dN{+aWbU!|+e0yFN-kO;E-5yC%x}I-0iJV>6W9j=`XN(Yj zdhB=nK4!Sw?r?Z_3vq2~(&4BgTI`V#tg=ztS+P+I5P@X6OBQ_DVn%CszhHJe9h2^a zy8q$cgj&bhQZ*80zy4%*q`-eW7=mT+vVEvP==Z_AiVGAQex4S_jl|%6w}cV-IgCe7 z)N~&orRi(8Iok$6eQb3!_exjxa7b`Gj8c 
z>4S9!C`@EWE0+EI1blN{Z$0;w--{}#JeP~L&)1VY`n4`r%&IKTi>Q0XPQy)!1^>4O@17T*$g3wXJ-BC-Yu-vGkM~Xq z*gOHun58A*@Si+UMglQ@M=5|EkA=(>+IH8oyXhC$1qqr9HZBa~j7YGTgU3P;YDDs*S? zc#Q|+_Xb>4=&e?~=MlxNizx6tD)f9tSd{}c#+Uv?zA*gSO!$H# zd(MST?bYcY2?&VWr1;y_dhNY~rBPf1;s|)m&a0{PI@aaZzZwBd=ZR5K>y4lZu2=Jj zRrPc_t6rf{{>X$JIy^@qUc z=iOR<2*iCHL`dlKUQ{;teJyMVx$7d2H1*ZRTr5AItzAsA&QzAWg~jn+jR<8eJRh7x9HcisO%=TItjrNQ3y z_pk9+KO~mEixP12(|`Jxrnl_g8{k0~$zu3(Qbjn?ht9-NMeH7k`}lAn`%V`;JFmkt z*KM8~%~jukZ$iJ5skGq0fSa8?Cul|YfWN`t1f}KGKqmfv)=0$bIq>I&p5tCfPKTRb zkCVw}v-k6r_g4tkKZ`%$1&SrpdWCc0VG9u@g2rud1lRI*7E;7vLNl`W+ zm^lep+%Sk#4et-SpQt5=f$ME(Jd`A-d`|a#-)a`MXUuabW4hLo-_xF~K4fy0C&@0)^!WDsNQGJBSvVp6G1qrb& zxu!fkI1SM-jNc9mZ-}n!YJ>*E zyH|*70?onTOe0iE@C2qOheuYweryqB*($4*^TYruwf5r}Y3LdjDCr7odIjuPO6(n}Q@l9-c15FwhM zX=N1%RA1lS)lbS=)42rnY()*c;Bpg@M>@f0fy-0kK%6O3*`AB*xzaz#X{ho*X;h|u zjJCk*)(IjWX9cP(i=Y4L6I1!20sWQ9XR%z8Cl4&OfG2ue8Swvl7x9HgB4xaRq>G!O zenk+1#tJCzKf~#eap%b;n?$tvTt^Hvgn>e5!yiV((YnFS2xdE*?I&Xuaka~pSBnu8 zWWW`!}_|22qW^p%ZuZEo!$BV>a{9~5gnUgz@pr->EbK19>iVTL;_Dt!<( z=Jp@{l~`BA<$~~Rtyk3kCA}zmE;z_Vj2j_(@mF%!+IHobTGp?qthkv1H41J<*9YjP z*1h(H5moATou60Kcz%>ge4V5rH*%MeouA-XQDhm*6-BO*VZ-2vgIxY8oQqyxUq{5_ z1XA)zBz)EWm=)7~DUSIhlKhFOQ-cvyj{GIFE??!8QGwSa#=5pl=1soP|J5{Jgbg=XNqqaq z#Lk~HQ7qJJj2HL^(=`rFz$NR9cD={#zF3suqwMSMz#6OhO%#z;Uvy<9_wSQys_mvi zj}u@qixRdrNQ`KlBnBdxe#wz_U-MKk6wx)vD< z!qe&6?}gMUBL6q$%C5EFC)K)b^%8NpOrN$RF~3i|B9ql z<7BKEqNswBRmhx7XK~nRHF;sAyH6C$#qqv*I5|1R+PMcIt zrfZ9ce>S3AL3aiDI9Z1?hw8H7LJ=RHwzhdfl8HwLOuE}{Xe%o}ed##V=+u$YXQyVQ zgbbKZW-F=S>D5^ubwb|vVYh;i@ZA=uuMDv1apiAaMtYCvKma8_>?gK(@00OUvNq2Y7hxvS$LVg%q0E0PUS$#q+{moBNGNB-l zoy&i)5pC0=9ry6-2wa}KtP1>mCfntSTXi%1IuB6>-!VOBx3?0{-(QS6900ES%LN6V zlf=JISEk;I^j|IWP3TqVRjTV#lU~>h*sTOS7@M9edI#G??ysB@TWW;fhG zUC5f*PRDmzPy1!!{SMy!^3+aGlSCZhZg_OGtRAwU$1IUYbuALf_`^fAqc$#jNVTmv zMf&aEs2RSihlHNjqi_A!9EX~nR;S(FzB)^E^L50Pt=5jBhhp05m-pcB)1?XpBO^SF zWf`W*vrv&dsjkz+nv>&0-CyUO4hGJk2$QtcJw_X`Ie~^R$wI*;J~w@2{{ArLN?h~= zH12l+egd5rlz?c@_xUJ>mx;V@=QRwCT(@JZ+~Q(0b6jy0wLmdM*7Veb2sRfq+p#o4 
zV3{BvIA}4=W%fffLaT2rDQi7T-yyI#=WVKG`)lO=y64gcYsd3F$5Q7Tw8Z6d9>Z;u z&;8SKvCZQ9?W6~r+4%5gZ@|Xd4m;6NH7t+g<&L)I-}&B*}%ogc@lczkjeX6IML&J*6MTsoy$VSN(-${Z#w-; z?_^J$wP$EAUe z?Yup?f8CV`_`dJMZ+ky?@%XxV~2fuv+}R2uhDuARB(OX@4apiCw_NXP!w&2b|KbzA_`lzTalpO#QY zE4Djzc9ZFKJHVniqk+&sls$#M#y>$v7{`4t%rW^NA*^+q>72E@iiOOMobYh)Ldn30 zh?NyQRQc@Md4X-rIM?RXG5Iw}TT9ETs2X!nOHngGeec1N`$LlzU0L@WLsug`QkNZZ z1OW=yHbWEP$%G4kP+pY*z&&g{2dockjbrKqGF+h*;sij^m*CG*lqXdysf-EaB+IK` zje*Jg)f`siCnE9$t4(r9Fuw2CsH%v{mMg^~0gPpR#*ubA?F0ykNmAN<6WdP5 zw$bs##sqWvt8@PP&rPZ?Qr#8w?zPu?pJ%DTsoY(=@RbdgAw!+a<~)pC&N+7gBUOyL z*H)yftE$iK>;^XV^l}#6;tkmA>bW43@f_+wz4FOej%gWbXlb0i12qngrHgZOG^`IN z&FGXt!OC**ygGL;_)U1qo}wbKVTe&y4suILf4HdC%97kj`NQP_wFgtWQGUPQXI}2D z_FHHKmT=Xq%*@2HgQRqn4SKF{1xxL4lF(GK_gm6-yzv{iaq{ zK}u;xYulcjz3}?!yDzR0-}zs`Iy(>0o!fKOpw{Yzh^r`zu${Y)9=J!--q{h(dk*T1 zq98BF^x^i4TMqG|Cos-Pr7D-LOdnc+4^&_YL)_)XoA0plNyA;BLJJVzE7?##jb#T=qSX_gU0^KL}ZG77818$NE5E5g{=w{27oVtFb8vk;S!Rfi=5 z0UZKI4_AoGtbK-|Q&3?=R0NRlc2>9fF-wui`0KyOvQ9_I3F<};QK{AqbIg*5-<(A4 zz=Zit?Y^4g&+prz=2b3_wMzBHjcF=H$D3_hTe*`&pYaHOj7FRB`EOb;b$MR<4lDBx zmW2w=8l&%-$i*UZ$O^u7NWRAJi?WzMBMx|-wvY$j=|u>s!%*zU1to^r$^?p`K8=4J zBWvF&+V;?&--Gi`N}}}qiB%cdm>0BRxIv8O{ZXun6Lg0gXVQQV z3EuY@*=E7DsjkDBzG<`a_*fCcd=PJl~>>Y zcboH{meyxM_szt_M8e3yd`0$m*-|xxTXtwvr;@<=?ua%C#NwaJ;_2d$pmH@EIt#6s z#p=#plYt(u#_9}aHj)cT=8W?#S*ZeU@=%$Vj@&M-2eNA@qNrIMX`gPn{+1A&1cQ%0 z5gZq;c0V4$(1vTD6`crX|8*jj1S(xo=TPjKs z!le&k7lWBQguW*a{3e$)ghr7-f8?#ecZaP~SqTD)`tS~|%`Db31|`~!?x;@|kE z1uOh5-y#$qEfEYe+gNPcpK(b(FH8ogbtKn~nYc1EpWm=xV`V*TvjS&9B+(Xp{rAHd z4bb-Xj8@aHXSp|J4!u@Uc;0Sspa;D!Wv9A$+H9cUv{nXEYb)EOivs&IW@zNM`K|P2 z|8=z1D{M=izl548^Q*#gSWD+ArDFHq_ypkYYpPe^hzFu5=-goM!u}>j;BFhSHF+q4 z<j|s~|)nkQ+xH!h(k3 zvIG)WW!Ec+L@)1^*XUQ|J|~bx3(Zs0kZlNSQ{e$@U z!Gj$2t?jMxC4-ih2V|ZBf2wDVI2qbKsE-=8y3`KV9`a3R{rD+tM%tuk*Y@gftf5}N z3JLzLqzFKNM7sVr5bYTRGn!Dk1S zb8s?Adh4}0b2V(#Tk2dxS0}|yg0^`F%v|OJU4xg1(U)mMB}I8rb_>x`7t@McB~{$M zWI+CvgJ+2g$!arU*D0l^4k=4jKBbkB!Ja?I&Tx=6{lQLGH*ZK)10k?#B5?T1((5{# 
zm7K1NFj;PNGH9$+=mZfx!1bQR_t;xxWi$J0)b-X1-83ezWolGV7b(m<$gTk~5Dzn2bu63l2GUBH00qoFMkZRT-{O;b9>n+67;PhLs)UOZv%_H)6 z#7db+n75c@2gxwC`uOwx%PL*?lKZ>5ZN}XBpT!~smkN=QXr0Ifk8YB9emuT7@|RBl zYh;kaV8Djq!c{ItT;@2$j!&Q&4zLcJ(8R{nX}NxkY{mY-V~zIW2j=ybDxgKei51e;Wyl~Pk?j8?Y9 zwsZ))uz^=~n zm?fYZeuNE~2wx70bf=2T@xeRM7S0|Lwa5CnQd&49JK z$k(GNh(WLuB!&&nci^-(D&T=|%ez5NhBK;a!<8HrX^i!rlBfyr#mE$78GB8mjQWf^HWUf7w?xJ!}aa%oO8*Z_3357oZW7 z8z)wcZ8Gi@Uti@O{npgRAg#z0N6`m9t$fDt6R$y>V(C;x8_k z2{X`IpKB|2NWz1Ouk$)VCs9Gii_w_NRhpiQvFw`jes8AZb|}udf-nO1Q-(rHO?XNu}fu%%$`;;UmdyB5(UM+{DMqd-pk=}>wu|RXvjdm*T-wq zjgik?W%Hpnpc&w7YX5OAjyM>G8WS^2{uG)LhQ<~ovl=7-P~68v0e=Lfq*T;sJZ9QO z4G)rT`@TG_?RlTu@`)As)HXl*4{hbVC;7gGTLsc3ye z13|w37h9JoZ-}vhVH2;C3|vbmUcs?u^2;fxg0C9Q@C+aOODNf0|YUa|VA$=yTY z=Vgg=;u3n%Q z(UV7*fuL7ifTk6?&?`V$9cC9FkuXyS<0{RYN1bWbdb|3K14hWCi;4_GAIEd(HZX** zmlbpf%e&(~(q2b&ypmB}F!BD(Tup_=oJ+eoy;T}HbYnhA9PE&d^@R?h$_&e)$I9&e zN7`%KZ;tph;KAWn8$`lEeMk|M9RFQyR3=!i^|)qO9Y*iz{YH{~b=R!S5SLOhzc~8) z;gPplZ#|FHfG-)=*Dpbsi&z>2R$Y(7Tv*9DbnbRJv>i%JE@&HMxCb!6*k0=bKtb|f znv_Vzn&`(FOj0d|qneiT>0ca{a-bVhjt?MDb^?yx71P#e8dt8!o?h%u9P=xBp+GXx zEm=64CT74x{V8-Wuxz23*zT& z5eo+X{vDlzra#y+ej1C@f|XTcpEwTn=aT=n64pfej#ON?T>cmbqXsuIn~fYCCM8k{ z3zAp?CI!MhnN?*cG}QcI-tiec43u<2Vzx;p8AB5YBm%1GsX{~s-#W2V1dw3yMu&IO zKAYp(S!p9eP0(<>CU4q5N!4+X9%2JjKqOz;dPK!@-b@&w%YV0E8Bb3197|+FptsyKE zYtoxwtqJ6MLHb`z9tWNaOn}UsrgE?W${`oB0Fidl#qv#t(f0pR^mXm<=n6sFP;VkK z91S+TyD15BT_B}crxM}iS!7V#`vT=VVrRG2*2aVdYi z9HG`^_|uy3^i*4XBy=i!-nv4N+6ACvDlA}5fn3WS&J3oHUNc4>g@8O5h}Tp`SfxSn zKLkHQKwbTcro%Z~;q1J{u+}Z_NOEb&D?xo32rvhM>m9o^`VuMXnc+%ns2CIpbgmAc znTa?E+Fk=woiaZ5E2Dui~nsa*%DIb4%3gOfLMb^H{-0aiR>AaJ8T95W!dGj4vLC* zZIs9(Aom%QFo-JMte&q#zV)fTo8rfdcAgfAv-p@*X6cDir7(HV?`Hu>TjpJute4K8 z@^qZE)8kF)er6V6$BpVR8*1nqDj2kWg~*C7?*-GHNB!+ad)~E+4CcI*I+Gtx6eQHH z-D;IJum!eU+BmvD4Xqqge>YSd4?KQ>1=UDceo(=UR0Y?U@bCCW!SNb42tq1l zNbVu?V-tmg@)ENY5=+PB+Y(;mg0JqE4(P$FRK6|m$z-sUb$T5bJ^4&hC%G={fWIQL z0`z^sC>W;F^J7>gxKV1kF*^rQg8;qoH@PUyRsa29^XymQI%RckRZfe#`=qD>0l(!Z 
z=e{p1SD&X-MBKfXDbb{^qsWms9lAlav}$1qv$dG%h8|E{jYDNAlCByn1Jdbz^LMQFH1l zsIbG)P2$C~%xc9TI%haOfdU)yy&h zj?-s5RZ(y39w8`0`c^|{#J2Y$%r_xyN(S8G-?zKMebk`a!1%#9_f&u>a@N#jEUWZ2jA zITAm>>`DYZ!{bPvg3lu|9(g3rS|w)4eV_&*!+$DTCPFQ4v>W~y@i|552Ey|Cwqn;= zKM0b392hc+O*It+&o_o=w6g--Y$SI1kN<^*MTu$g<N@b?zk$7KRRm=$nl@TU1=)BTP zraOg}ee7cW8?+4EqYnNM=8s8DSdKM{aeJ)LPa|F+NbZ1z?)q_HN2b}?eZ7*kXVUCi z4ReF+x3Tt78guiYIEyLg9(LLZjQ>p<|33UF`o7Ao)3K64H$vd^T7V*AvzIFqGqBOdFPRdYvEMk)%TN-&{w#IhSvcbHJ!1EamK%^ze+b-X9n+Xb7lpd0r=Jl zk3@Yv^nV-8kZGlgghnX61y43oE*hV92Qy+mZC=2bgcizv(nRd}}gzCf5e(z^J$r_skTPQv} zheoiD-^s+Zf{Nc!AClHf2Ec*PKjJ6QGcL6q%%jen{<%k^tBG~#({o`KQJ&$goajg_ zKJ5BA4pr9&zK(XZV}Fm@W`^j3WIrl=H2AJM(HmSXRo&~2v;+5|txJ2KY(ea{-umBt z?{)@(fBqsOe6)dW)4;h^`*2XrEcXK32pPt79zU|mr?DmeC#Zk!YpngcSfB4YIxcRf ztKptiwY#KMJ`W!IJ6jy-yFsH-U{~{Ch%(BD zxu~DAP+}1f27AaM7w*!0(A^K@_#{c^3X&G%lR@d<8Aw9CdbXSD-Q@TMQ>^)$Ufs?! zPO1|Q+Yh6aLfr^OHnx=?#nJt)I959Zr@x-|yrKgT4SR7nShqcb#I$vLFLB{TP5tOQe zE3Kuu=e~&*caTsLn#hc{HC9p+da;Z{=r+2QU6ZO5hv^6J(;rRb4ld^i?|G_EkYtnq}LcRuY_70KKb8Ar`5I@k#`ZhcZ@&%9e!ZXAZswMd%rQRV!9x9A6A^q$pGXF6TplM2(!_*S; ztK>ds-~k<8i>Aj`osmIodzPjqpA6Ygc*hBOMb$6_*OHQ(^cKcjowl?_HDVhMQgQeP zNaoX6R>;4Xi_>U3DglQ<#Vg3>>K35Fo3bBN$S0}IM7ay#{~&$gNM-*D3kJ0RY}EKl zk;ISUsxcvIu;xsePyn#>3wa=Vc3~$;Q+R+$lkC#Qw7}&ZOaA$t+zISjuNTz@m<(8FHR?{E} zC5L2?-CGR#ZQTuDEo}J0`EO1Pv7fbD=1}Ho=%o3=I%qO$#}M1R*kWwd-Nwk^#>7}j z7<+7LcfdCM2kpq*3Zk=V6Dt?mZT+ymgE1>b82A*!nn?0*6o8wtnJ=*fj$evM=2M2s z^pA?aAx-)qTV~3yqwWKt?lAcEY|mGL3~N*0u*ZAEZrzvG@H4LQqIpoY0}55mEmTlnI>fr=}AF!aNlWq ze=D5vYhDQLp6bF!!FM*Cm!|i1=#`fyf#%|^tswq8E|<|O-QJ_?qPdNFeiWNyyi>k& z|M2Qk3!g5tY0XZb<6UlR@y{M(T2zHOmgrHfu~nlu)mW}O#t6P;pdT(4TT5%8SpK|r zpf=bu8D#%As#)oGHOm+Xb6k(DJ)t`YN4`Kj+2|SY8MtEnD*OA0AcsiM+0__AQ`!ocTbrmDh#<+}xgp`?Jv#>{93<9rtmjg!SfEDy$r8lW zfXCcjhQ}3SL@UDlg(6VNzB|>j1m-Y zGn@M%C5LkkfUWeg*sYOqF;qdvUa2lyxi1Ib3mJkha1 z+)pvjUYzm=Wn$cS&y(A z#gS?w1~(A}Zb(NAMsg8eM#1DgK};j<9VPP*ncPFpMiH?j6iYNhkLjT;btFrE6G?~W zd|`+QLGc~ZJ!M&v6r&Mso-E|Y`Hqwlqu^~~ItThJElGk09t{C71H=on_H>HH>ANNy 
From 4bab64baa4079d85864baab185a186c5d5b6a583 Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Sun, 5 May 2024 17:48:17 +0300 Subject: [PATCH 3/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 4de2076d30..7256db3978 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md @@ -111,6 +111,7 @@ AAA:{ Failthought: {{“True”}} Login :{{“local, ldap”}} + } } } ``` From e283bafa53752c8e48f0b20809da2ec7ef7052a5 Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Sun, 5 May 2024 17:50:17 +0300 Subject: [PATCH 4/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 7256db3978..9f265933df 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md @@ -103,17 +103,16 @@ TBD AAA:{ Authentication:{ - Restrictions: + Restrictions:{ lockout-state: {{“True”}} lockout-reattempt: {{ (5 (duration_sec)) }} lockout-attempts: {{ (5 (num>2)) }} fail-delay: {{ (0 (duration_sec)) }} - + } Failthought: {{“True”}} Login :{{“local, ldap”}} } } -} ``` ### Warmboot and Fastboot Design Impact From 127ade4e47188eda61fa96fd9dc392f7d476768d Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Sun, 5 May 2024 17:51:09 +0300 Subject: [PATCH 5/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 9f265933df..73b9be7078 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md @@ -100,7 +100,7 @@ not relevant TBD #### Config DB Enhancements - +''' AAA:{ Authentication:{ Restrictions:{ 
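Review bot: the `+ }` added after the `Login` line in PATCH 3/9 leaves the Config DB fragment unbalanced: with it there are three closing braces for only two openers (`AAA:{` and `Authentication:{`), because `Restrictions:` opens nothing. If the intent is a Restrictions sub-object, change `Restrictions:` to `Restrictions:{` and put the new `}` directly after the `fail-delay` line, before `Failthought`; otherwise drop the extra brace.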
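Review bot: in the PATCH 4/9 hunk the braces are now balanced, but `Failthought` in the context lines looks like a typo for `failthrough`, the field name SONiC's existing `AAA|authentication` table uses, and the values use typographic quotes (`“True”`) that are not valid in a config_db.json snippet. Use straight quotes and the real field names so the example can be pasted as-is, and state what the `{{ (5 (num>2)) }}` / `{{ (0 (duration_sec)) }}` placeholders mean (default value, unit, allowed range) in the text above the block.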
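Review bot: in the first hunk of PATCH 5/9, `'''` is not a Markdown fence, so the Config DB block will render as literal text with the quotes visible (the closing fence is replaced the same way in the second hunk). Keep the three-backtick fences, optionally tagged with a language such as `json`.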
@@ -113,7 +113,7 @@ AAA:{ Login :{{“local, ldap”}} } } -``` +''' ### Warmboot and Fastboot Design Impact not relevant From 73b8855fbf9dda530b4c8197d1007eb2b81fe678 Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Sun, 5 May 2024 17:52:13 +0300 Subject: [PATCH 6/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 73b9be7078..998902b294 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md @@ -100,7 +100,7 @@ not relevant TBD #### Config DB Enhancements -''' +``` AAA:{ Authentication:{ Restrictions:{ @@ -113,7 +113,7 @@ AAA:{ Login :{{“local, ldap”}} } } -''' +``` ### Warmboot and Fastboot Design Impact not relevant @@ -132,7 +132,7 @@ We introduce and use more complex deny and permit to allow restrictions on the a auth required pam_faillock.so preauth audit silent deny={{ attempts }} unlock_time={{ unlock_time }} auth [default=die] pam_faillock.so authfail audit deny={{ attempts }} unlock_time={{ unlock_time }} auth sufficient pam_faillock.so authsucc audit deny={{ attempts }} unlock_time={{ unlock_time }} - +``` ### Flows The flows are aaa sonic-based flows. From 9b04883c81fe8b5d87396c732bb0382d52c36265 Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Mon, 6 May 2024 14:23:33 +0300 Subject: [PATCH 7/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 68 +++++++++++++++++--- 1 file changed, 58 insertions(+), 10 deletions(-) diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 998902b294..093c949c2b 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md 
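Review bot: the closing fence added in the third hunk of PATCH 6/9 is fine, but the three `pam_faillock.so` lines it closes are shown back to back; in a real stack the `preauth` line must come before, and the `authfail` / `authsucc` lines after, the module that actually verifies the credentials (pam_unix, pam_tacplus, pam_ldap), otherwise failures are never counted. Also, the `{{ attempts }}` / `{{ unlock_time }}` template variables are not mapped to the `lockout-attempts` / `lockout-reattempt` Config DB fields, and the `fail-delay` setting (pam_faildelay.so, per the Feature Default section) does not appear in this snippet at all; spell out both in the text above the block.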
@@ -96,22 +96,70 @@ not relevant not relevant #### CLI/YANG model Enhancements - -TBD +```yang +//filename: sonic-system-aaa.yang +module sonic-system-aaa { +... + container sonic-system-aaa { + container AAA { + list AAA_LIST { + key "type"; + + leaf type { + type enumeration { + enum authentication; + **enum restrictions;** +** + leaf lockout_state { + type stypes:boolean_type; + description "Enable or disable lockout of a user in case of failed authentication attempts. A user with restricted access remains so until successful login or admin clearance"; + default True; + + leaf fail-delay { + default 0; + type uint32 { + range "1..999" { + error-message "Error: Valid range is 0 - 999"; + } + } + description "Configure the added delay (seconds) for each failed authentication attempt"; + } + + leaf lockout-attempts { + default 5; + type uint32 { + range "3..999" { + error-message "Error: Valid range is 3 - 999"; + } + } + description "Configure the maximum permitted consecutive auth failures before user lockout"; + } + + leaf lockout-reattempt { + default 15; + type uint32 { + range "0..99999" { + error-message "Error: Valid range is 0 - 99999"; + } + } + description "Configure wait time (seconds) for a locked user's retry. '0' is blacklisted, but not blocked"; + } +** +``` #### Config DB Enhancements ``` AAA:{ Authentication:{ - Restrictions:{ - lockout-state: {{“True”}} - lockout-reattempt: {{ (5 (duration_sec)) }} - lockout-attempts: {{ (5 (num>2)) }} - fail-delay: {{ (0 (duration_sec)) }} - } - Failthought: {{“True”}} - Login :{{“local, ldap”}} + ... } + Restrictions:{ + lockout-state: {{“True”}} + lockout-reattempt: {{ (5 (duration_sec)) }} + lockout-attempts: {{ (5 (num>2)) }} + fail-delay: {{ (0 (duration_sec)) }} + } + } ``` From ac4baa4edbfe127526d8f3a4cd2e3bdfd8f1643b Mon Sep 17 00:00:00 2001 
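Review bot: the YANG fragment in PATCH 7/9 is not valid as written: the `lockout_state`, `fail-delay`, `lockout-attempts` and `lockout-reattempt` leaves sit inside the `type enumeration { ... }` of `leaf type`, the `**` Markdown bold markers are inside a `yang` fence, and none of the containers or the list are closed. Move the leaves into the `AAA_LIST` entry (or a dedicated `restrictions` container) and drop the markers. Three value inconsistencies also need fixing: `fail-delay` has `default 0` but `range "1..999"` (while its error-message says 0 - 999), so the default lies outside the allowed range; `lockout-reattempt` defaults to 15 here while the Config DB fragment in the same hunk shows `5 (duration_sec)`; and `lockout_state` uses an underscore where every other leaf and the Config DB key use a hyphen (`lockout-state`). If `stypes:boolean_type` is a string-pattern typedef, confirm that `True` matches it; a native YANG `boolean` would require lowercase `true`.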
From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Mon, 6 May 2024 15:21:03 +0300 Subject: [PATCH 8/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 093c949c2b..5c87869b2c 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md @@ -1,4 +1,4 @@ -# HLD Restrictions # +# HLD AAA Restrictions # ## Table of Content From 1d127d2c9d9d7cd99ad96d49680c3bc735aff50c Mon Sep 17 00:00:00 2001 From: vtarnavsky <166396931+vtarnavsky@users.noreply.github.com> Date: Tue, 7 May 2024 17:42:46 +0300 Subject: [PATCH 9/9] Update AAA Restrictions.md --- doc/aaa/AAA Restrictions/AAA Restrictions.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/doc/aaa/AAA Restrictions/AAA Restrictions.md b/doc/aaa/AAA Restrictions/AAA Restrictions.md index 5c87869b2c..11ed5eff35 100644 --- a/doc/aaa/AAA Restrictions/AAA Restrictions.md +++ b/doc/aaa/AAA Restrictions/AAA Restrictions.md @@ -8,7 +8,7 @@ | 0.1 | 04/2024 | Vladi Tarnavsky | Draft | ### Scope -The scope includes the design and implementation details for AAA restrictions, focusing on authentication sequences, session management, and user activity accounting in switches SONIC OS based. +The scope includes the design and implementation details for AAA restrictions, focusing on authentication sequences, session management, and user activity accounting in SONIC switches. ### Definitions/Abbreviations - **API**: Application Programmable Interface 
@@ -29,14 +29,13 @@ The scope includes the design and implementation details for AAA restrictions, f ### Overview AAA (Authentication, Authorization, and Accounting) in Sonic establishes a robust framework for access control, policy enforcement, usage auditing, and service billing, supporting standard protocols such as RADIUS, TACACS+, and LDAP for user authentication. -This HLD emphasizes enhancing the security of aaa by introducing "restrictions" on the number and frequency of login attempts. The focus is on augmenting the system's security by preventing brute force attacks and ensuring that user authentication attempts are both monitored and controlled effectively. +This HLD aims to boost aaa security by limiting the number and frequency of login attempts. The goal is to strengthen the system's defenses against brute-force attacks and enhance overall security. ### Requirements - Limit Login Attempts: Specify the maximum number of unsuccessful login attempts allowed before a user account is temporarily locked. This prevents continuous guessing of credentials. - Control Login Speed: Introduce delays between consecutive login attempts to slow down any automated login attempts, significantly reducing the risk of brute force attacks. - Define Unlock Time: Establish a configurable unlock time that specifies how long a user account remains locked before allowing another login attempt. This control helps manage the access of users who have shown suspicious login behaviors. -- TODO: SONIC rest API/nginx? ### Architecture Design @@ -76,9 +75,9 @@ AAA: { No new pkg are added in the build time. #### Feature Default -Restrictions are enabled by default. +Restrictions are disabled by default. In addition, this affects the common-auth-sonic file switching to a duplicative branch to use pam_faildelay.so and pam_faillock.so - lockout-state: "True" + lockout-state: "False" lockout-reattempt: (15 sec) lockout-attempts: (5 attempts) fail-delay: (0 sec)
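Review bot: the second hunk of PATCH 9/9 removes the `TODO: SONIC rest API/nginx?` item, which silently drops the open question it recorded; the requirements should state which login paths the lockout covers (SSH and console via PAM, and whether REST/nginx logins share the same pam_faillock counter) rather than just deleting the line. Minor: `aaa` in the rewritten overview sentence should be `AAA` to match the rest of the document.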
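Review bot: in the third hunk of PATCH 9/9, `lockout-state: "False"` and "Restrictions are disabled by default" contradict the `default True;` on `lockout_state` in the YANG model added in PATCH 7/9 and the `{{“True”}}` in the Config DB example; pick one default and align all three. The sentence "this affects the common-auth-sonic file switching to a duplicative branch" should also say what triggers the switch (enabling lockout-state, a non-zero fail-delay, or either). Nit in the context line: "No new pkg are added" should read "No new packages are added".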