From e2f4a26a8400f24883afd8c06139abef75c4814a Mon Sep 17 00:00:00 2001 From: Ian Young Date: Tue, 24 May 2011 14:00:57 +0000 Subject: [PATCH] Rejig the entire checking framework so that it uses the same xsl:message conventions as the system we're building into the aggregator code. This means that the same checking transforms will be usable in both systems interchangeably. This also includes renaming the "fatal" template to "error" and adding a new "info" template. Update to sdss-mdcheck V1.3 to support these new conventions. --- build/check.xsl | 4 +-- build/check_adfs.xsl | 10 +++---- build/check_fixups.xsl | 6 ++-- build/check_framework.xsl | 39 ++++++++++++++++++++++--- build/check_future.xsl | 4 +-- build/check_idpdisc.xsl | 8 ++--- build/check_imported.xsl | 2 +- build/check_init.xsl | 4 +-- build/check_mdiop.xsl | 4 +-- build/check_mdui.xsl | 24 +++++++-------- build/check_misc.xsl | 36 +++++++++++------------ build/check_namespaces.xsl | 2 +- build/check_nokeyname.xsl | 4 +-- build/check_saml2int.xsl | 12 ++++---- build/check_shibboleth.xsl | 20 ++++++------- build/check_vhosts.xsl | 2 +- tools/mdcheck/lib/sdss-mdcheck-1.2.jar | Bin 6782 -> 0 bytes tools/mdcheck/lib/sdss-mdcheck-1.3.jar | Bin 0 -> 6812 bytes 18 files changed, 106 insertions(+), 75 deletions(-) delete mode 100644 tools/mdcheck/lib/sdss-mdcheck-1.2.jar create mode 100644 tools/mdcheck/lib/sdss-mdcheck-1.3.jar diff --git a/build/check.xsl b/build/check.xsl index fac6c068..c669b169 100644 --- a/build/check.xsl +++ b/build/check.xsl @@ -41,7 +41,7 @@ --> - + unknown owner name: @@ -51,7 +51,7 @@ Check for badly formatted e-mail addresses. --> - + badly formatted e-mail address: '' diff --git a/build/check_adfs.xsl b/build/check_adfs.xsl index 308d6f03..15e6bdfe 100644 --- a/build/check_adfs.xsl +++ b/build/check_adfs.xsl @@ -29,7 +29,7 @@ - + ADFS IdP role lacks SSO service with appropriate Binding 
@@ -45,7 +45,7 @@ The current UK federation metadata has one entity which breaks this rule at present. Change this from "warning" to "fatal" once that has been resolved. --> - + ADFS SP role lacks SSO service with appropriate Binding @@ -57,7 +57,7 @@ - + ADFS SingleSignOnService requires appropriate protocolSupportEnumeration @@ -65,7 +65,7 @@ - + ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration @@ -73,7 +73,7 @@ - + ADFS SingleLogoutService requires appropriate protocolSupportEnumeration diff --git a/build/check_fixups.xsl b/build/check_fixups.xsl index c92e6d8f..583d8e64 100644 --- a/build/check_fixups.xsl +++ b/build/check_fixups.xsl @@ -35,13 +35,13 @@ --> - + IdP SSO KeyDescriptor lacking @use - + IdP AA KeyDescriptor lacking @use @@ -54,7 +54,7 @@ See https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataCorrectness#MetadataCorrectness-Version2.0 --> - + KeyDescriptor contains EncryptionMethod: OpenSAML-C 2.0 problem diff --git a/build/check_framework.xsl b/build/check_framework.xsl index 301cb1c1..613c1b6a 100644 --- a/build/check_framework.xsl +++ b/build/check_framework.xsl @@ -22,13 +22,13 @@ - + - *** + [ERROR] + + + + + + + + + + + : + + + + + + + + + + + + [INFO] - + URL-encoded Location attribute; should be entity-encoded diff --git a/build/check_idpdisc.xsl b/build/check_idpdisc.xsl index fdf0f0cf..6cb582f3 100644 --- a/build/check_idpdisc.xsl +++ b/build/check_idpdisc.xsl @@ -30,7 +30,7 @@ - + DiscoveryResponse index values not all different @@ -43,20 +43,20 @@ --> - + missing index attribute on DiscoveryResponse - + missing Binding attribute on DiscoveryResponse - + incorrect Binding value on DiscoveryResponse diff --git a/build/check_imported.xsl b/build/check_imported.xsl index e663fe9e..4daaa77e 100644 --- a/build/check_imported.xsl +++ b/build/check_imported.xsl @@ -33,7 +33,7 @@ IdPs registered with the UK federation are expected to have at least one scope. --> - + this IdP does not have any Scope elements 
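Review bot: The context comment in the `@@ -45,7 +45,7 @@` hunk of build/check_adfs.xsl still reads `Change this from "warning" to "fatal" once that has been resolved`, but the commit description says the "fatal" template is renamed to "error". The comment should be updated in the same commit to `Change this from "warning" to "error" once that has been resolved.` so that the later promotion names a template that exists. Until that promotion happens, the comment implies the ADFS SP rule only warns, so metadata that breaks it still passes the check. The element markup of this hunk is not visible on this page, so the template call itself could not be checked.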
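Review bot: The build/check_framework.xsl hunk now carries severity as a text prefix (`[ERROR]`, `[INFO]`) in the xsl:message output, and other checks in this patch appear to add values from the metadata under test to that same text, for example `badly formatted e-mail address: ''` and `Location is not a valid URL:`. If sdss-mdcheck 1.3 or the aggregator classifies output line by line, a value containing a line break could produce a line that reads like a separate message. This is inferred, because the template bodies are not visible on this page. Consider passing interpolated values through `normalize-space(...)` in the error, warning and info templates. Alternatively, add a comment to the framework stating that only the leading prefix of each xsl:message is interpreted as severity.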
diff --git a/build/check_init.xsl b/build/check_init.xsl index 1aa56807..f33fd624 100644 --- a/build/check_init.xsl +++ b/build/check_init.xsl @@ -26,14 +26,14 @@ --> - + missing Binding attribute on RequestInitiator - + incorrect Binding value on RequestInitiator diff --git a/build/check_mdiop.xsl b/build/check_mdiop.xsl index 4f404b33..167cdaf3 100644 --- a/build/check_mdiop.xsl +++ b/build/check_mdiop.xsl @@ -36,7 +36,7 @@ [not(ds:KeyInfo/ds:KeyName)] [not(ds:KeyInfo/ds:KeyValue)] [not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]"> - + KeyDescriptor does not contain a key representation @@ -45,7 +45,7 @@ Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor. --> - + KeyDescriptor contains more than one X509Certificate diff --git a/build/check_mdui.xsl b/build/check_mdui.xsl index da82da96..2380787a 100644 --- a/build/check_mdui.xsl +++ b/build/check_mdui.xsl @@ -37,7 +37,7 @@ MUST NOT appear more than once within a given element. --> - + more than one UIInfo element in one Extensions element @@ -50,7 +50,7 @@ --> - + misspelled or misplaced mdui element within md:Extensions: @@ -69,13 +69,13 @@ SPSSODescriptor elements, which are the ones we'll actually make use of.] --> - + UIInfo appearing outside Extensions element - + UIInfo appearing outside role descriptor element @@ -120,7 +120,7 @@ - + non-unique lang values on @@ -159,19 +159,19 @@ This is a SHOULD in the specification; we treat it as a MUST here. --> - + mdui:Logo URL does not start with https:// - + missing @height on - + missing @width on @@ -197,7 +197,7 @@ - + missing @xml:lang on @@ -210,12 +210,12 @@ element of an element. --> - + DiscoHints appearing outside Extensions element - + DiscoHints appearing outside IDPSSODescriptor element @@ -226,7 +226,7 @@ MUST NOT appear more than once within a given element. --> - + more than one DiscoHints element in one Extensions element diff --git a/build/check_misc.xsl b/build/check_misc.xsl index 1444c42a..69681d5c 100644 
--- a/build/check_misc.xsl +++ b/build/check_misc.xsl @@ -45,7 +45,7 @@ - + duplicate entityID: @@ -59,7 +59,7 @@ - + duplicate OrganisationDisplayName: @@ -76,7 +76,7 @@ Check for entities which do not have an OrganizationName at all. --> - + entity lacks OrganizationName @@ -87,19 +87,19 @@ --> - + IdP SSO Descriptor lacking KeyDescriptor - + SP SSO Descriptor lacking KeyDescriptor - + IdP AA Descriptor lacking KeyDescriptor @@ -113,7 +113,7 @@ - + AssertionConsumerService index values not all different @@ -128,7 +128,7 @@ - + ArtifactResolutionService index values not all different @@ -144,7 +144,7 @@ Entity IDs should not contain space characters. --> - + entity ID contains space character @@ -156,7 +156,7 @@ - + entity ID does not start with acceptable prefix @@ -166,7 +166,7 @@ Check for OrganizationDisplayName elements containing line breaks. --> - + OrganizationDisplayName contains line break @@ -179,7 +179,7 @@ At present, however, this produces no false positives. --> - + Location contains space character @@ -195,7 +195,7 @@ At present, however, this simpler rule produces no false positives. --> - + Location does not start with https:// @@ -206,7 +206,7 @@ --> - + Location @@ -221,7 +221,7 @@ Check for Locations that aren't valid URLs. --> - + Location is not a valid URL: @@ -238,7 +238,7 @@ At present, however, this produces no false positives. --> - + Binding contains space character @@ -251,7 +251,7 @@ but it's nice to have a clear error message earlier in the process. --> - + empty xml:lang attribute @@ -261,7 +261,7 @@ A Shibboleth scope shouldn't be just "ac.uk". --> - + bare 'ac.uk' scope not permitted diff --git a/build/check_namespaces.xsl b/build/check_namespaces.xsl index d946b7b9..bb5478ba 100644 --- a/build/check_namespaces.xsl +++ b/build/check_namespaces.xsl @@ -83,7 +83,7 @@ --> - + Unknown namespace: diff --git a/build/check_nokeyname.xsl b/build/check_nokeyname.xsl index c265d2d8..ae93274a 100644 --- a/build/check_nokeyname.xsl 
+++ b/build/check_nokeyname.xsl @@ -31,7 +31,7 @@ - + (hidden) @@ -39,7 +39,7 @@ identity provider lacks PKIX validatable credential - + : diff --git a/build/check_saml2int.xsl b/build/check_saml2int.xsl index 6b0ab157..a52d4797 100644 --- a/build/check_saml2int.xsl +++ b/build/check_saml2int.xsl @@ -42,7 +42,7 @@ [md:NameIDFormat] [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'])] [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]"> - + SAML2Int: SP excludes both SAML 2 name identifier formats @@ -58,7 +58,7 @@ [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')] [md:NameIDFormat] [not(md:NameIDFormat[.='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'])]"> - + SAML2Int: IdP excludes SAML 2 transient name identifier format @@ -70,12 +70,12 @@ Check for correct NameFormat on Attribute elements. --> - + SAML2Int: Attribute element lacks NameFormat attribute - + SAML2Int: Attribute element has incorrect NameFormat attribute @@ -86,12 +86,12 @@ might be added in future. --> - + SAML2IntX: RequestedAttribute element lacks NameFormat attribute - + SAML2IntX: RequestedAttribute element has incorrect NameFormat attribute diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl index 14c16b9b..03ee5ddc 100644 --- a/build/check_shibboleth.xsl +++ b/build/check_shibboleth.xsl @@ -39,7 +39,7 @@ --> - + OrganizationURL '' does not start with acceptable prefix @@ -57,14 +57,14 @@ --> - + Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration - + Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration @@ -81,7 +81,7 @@ --> - + Shibboleth 1.x support claimed but no appropriate SSO service binding 
@@ -99,7 +99,7 @@ [contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')] [md:NameIDFormat] [not(md:NameIDFormat[.='urn:mace:shibboleth:1.0:nameIdentifier'])]"> - + SAML 1.1 SP excludes Shibboleth transient name identifier format @@ -117,7 +117,7 @@ The issue here is that the KeyName does not have the ds: namespace. --> - + ds:KeyInfo child element not in ds namespace @@ -133,7 +133,7 @@ See https://bugs.internet2.edu/jira/browse/SIDPO-34 --> - + SIDPO-34: Attribute lacking NameFormat in IDPSSODescriptor @@ -144,7 +144,7 @@ This has a default in the schema so omitting it can cause signing brittleness. --> - + Scope lacks @regexp @@ -156,7 +156,7 @@ This isn't part of the specification, but is assumed by some software. --> - + Scope value contains space character @@ -167,7 +167,7 @@ problems with comments inside certificate representations. --> - + X509Certificate contains XML comment diff --git a/build/check_vhosts.xsl b/build/check_vhosts.xsl index 4a09451f..7b7a1999 100644 --- a/build/check_vhosts.xsl +++ b/build/check_vhosts.xsl @@ -49,7 +49,7 @@ - + at least one SOAP location on same vhost as an SSO location 
diff --git a/tools/mdcheck/lib/sdss-mdcheck-1.2.jar b/tools/mdcheck/lib/sdss-mdcheck-1.2.jar deleted file mode 100644 index 47001af660361c1c4f0120378ab5ae42d47575ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6782 zcmb7I1yod9+XiHi&Y`=zI|k_n85kN#DPe|gluikeMw+2Zxln?|I)DN!L zi{9&Z|L@;xopbh@d7o#$XRkNTel%5YAfqE(4OTyGi9aTP-q0?e>hch2PGt=RZp}Z< zP!U)z&AL?Chwong?Q?kne>PK>)=*ZE*M@MZD;%kh46CVfa!q2Xa*(?y6@FKh zu8p+FBwScjrJjn=a|eD36}{M!Vj+y{_yJ3k-x@`%bC0VUvB@?0Oh-Zx#hpu zVEkp{de_zUUknL;HH6-^w6(IlUj5HaW8is0ed$;K<cGnc)BGyHM4 za^bRcFn4v$)PZVGOW{74B1WQ>;?M*G5y2`L#<^@NczsA(wirQtA9&%p$cxAckVDg* z=m2{DuL%B$n5gii2Y@D{X zQ4&Ivb+`-(Ob^Sp$$8qVu?N1Z(pjK+?>sy{8h8$TG)c z%TlJc@Jr{TN)62HE1{_X*j$4<)N^(UIfOs?j#)N7*{~6#g5s;ku$HaqH5mDrl(Ce5 zVcReyM$~)2yr7MEsHUZCTSrgbIi{^IXm9%kKH)STX$yxHjn%8c#bjPJkRBKG?TL|l z0x|WFe!8Kt9yEA&rU&7+Mln?z4CB#sVaZZS-dhnd(mZ#2vf?nUw@jtbQMM&A#8XJw zlFfMmohx+4t%0Mpm(4@NcZdhe)38epF1gFDC`{q=>V9O>$+EDo5LHK_3U4B%n_X3l`yWex?G1iJVK8WE}6wY4mYVGuz&L%S}eIx4tDhyZQ#+P1t0h8Xes%PL* zksPqEk_pA@8|!Cwl#%_|6F^W95TtO_e}K1j<1D{=ecx7;=2#`IBHUIy;OwJ-a;hz& zoq&0~5;wR8Gc5k&>*BD@kWNMwM#1@RY(rEvX^`N$>MtMW|MWK7c0 zE}H1p5vKSY#`LN0EVC#SsVndofS-?cLicfgRD$oRX6YI;U4NNs^*0d^g#MRQQ}>p4 zadC7}vvYN`g8fLjBnVWSTnG37hF>#S!zlnP)v-4$4g<90cGPQC6P3sle8xvE(Y+&- z@|1A_-ugsFaUdmo(tk~l5-roCpL#9M#cz*E%G)_2VKB>e9Q4|I4D|Zt`RT3kZ%907 zB|Y8ec9`qI0+nl}VL0v#JW1VxjJLGJr&;~Vx7@8h$qitQzz<4d4PHXF$K76bXK1{4 zrL^HGSjV8e!BTu1+|w4eM7D>T;nc3c-?pRss_jk!Qd+m{c{NlAT4j+Wv-*)u8>xLP z-EFpD)nmuN{R<5c_Z0AWJ)Jyy3%~_T-%Wn6FD;5%ZYYZWG>Wfo*u!?bIH~)vK>KvK zw!`!kz~q8AS6FXQW|-^f`|RFwl>vr$`mv2Lc_%;rJ4J>&eZ*kgl210DkvrctXf+?P0Yjd-?En`x~okh-E!ASgT}b*sJ6s;lhHCd;zh69AmXsctu8y zkiw`pfq{G~NT0qfi3fgdzi_OQNW{MR=>i-hft$SBuuy(aK1`kz*&|d3lt~VHtI(b( zzk?=vj{_-O*6it1*I98lEK-{H>0~(>_w=V=0&u;RcJXs@pXV>^uzIx3+oAX*B0&KO zvzldW)6^2^KFOXRJYA+ZvNV?J|&gY>3u6kP&rS4m`FVIu|K;O!wVb5Q|0h>j*Hl&1^NxuH6uc)fB~2 ze+h^QR3mATNS%va-|hiUNR80s2H(~+ym;LzcVF#AOeL7PRqjh*@hy)?bdz&WvHQMq 
zMnNv~6iYJM%`wqwX450YB>GgV{X0Y`jgR=48*=u+*zuTWXm;}=k=dd|ow)DjQpkAP zRButlfH|gK(DapblGC<_H|8G$4q@w@y9~0DV0CG9kBI}e7U#V$y#Hlo|Lf%i`r3Ij z4pBcWMYS4ze@?_ts%NID5J=q{4)N2M#WWi& zlD@B37v9l)`jMbvu94w1WW9AuDSdXkFC1w~9%mZI#>Y&R z=ZL)P9R<}v4j@oh-E@?0-A?kDrH@HQgkI#EctgAujQ5P7gB?`E3l=B6@WBmp{)QR1 zyp3D!#i+U&Hm?d4TTfAMM=x-9vLqGN*3T^yGJXjKsMBz?@oyU4hATeH>z;h3ZK$C8 zVe*_)QAFc0WP)&nTaU^}V^O}ltB-GpWM;j(ScvI%!0h%UAe1i7OI~AYn)pDUHl4jS!(-*w2A}c*KO`%A*De^= zNZwOi#)^)R1i-N*%689mmPiIyj$H~J{=-avdJn@vGH2$K_I0VSI@4S zM6iuc#>62-R?!o5rlF8lxd99j)-4}!AGiAjdZ+ct7KWbP^2uzXPH*69o0vs-l2X4h zWoO^MTV0M$-@f|=qCe!2nUZ^bT*VfKR z>&EZ^!LWk-8<{{@jrVZdV8K1Bxf@~T$U=e+cD85&?rwFSZYb%CWJ|4!4Fc{0P)vbF zKq@nmqW-a?*wwTwfLY8vISGp)zE_eg@D_%8pwvpN69( zj$T|?7{&*zsWuyv+9j5S$i2y!)}J& zl%nsvdsF}xkUo1Xxso>Fc@9{l*|S-i>CI12`~46Q*pi)j<_-r-L~ohF-ra|1F3vi} zhD{MRMp12zj-|2SFvf&kFrivOq3A9;*VyW6A?s@!@eTm#v|Z?gT@UH5z_aC18+ZTh zeS&Rb+^pQJr!Uc}9y5Nz;=@+e$`oKxiw2fpYmbwAoGsH9M~dwZrBovhPZ&*zhQf;Pme=GA{LsU^;x~L!x5b+uJN8bYHe%K4$B1=i9g;~}OTXs=l? z@@nGC}jr9+qaSG z;Vx~J#_8{B#yvb6=VBb)W!eC`nkbv_CsPIblko4hz1CX&0LxFus8!(cC3zi@B)Y6a zFX9PwwTnCo<8{nyn9IeSvy_B&p}%BdG)l|MjCWw9I}W9zU8jr-;dlpkuxi3>pO;sW zG32fey6}2k1p2@?7m_8!SRoR1w2-7n+2;qisVN<>Jk+B%%*YLr6}6S)Aq^^C52;fhis} z(+x)vL@e)XiL`LFk}y=GEu1h6c^`N7d`4axV+C&G^lbIwM8RrNKRUHoh}U>tAK-&>`s66hHR?B zz-PU}FTzne%L4Lj=F5nBQt}1&}5`y%21|x_zb5bR>di!`4stE7Cb!LqE{m3-q`Rb2E&*H ziEo(nn+Cci32>Jn_qU>1AZ3;DTC#R29g{?qc`22nokn(p6bT91Jag{c7<@9C7fiYL zr!?<)v9I(u2ch_hs~4)Bu2Xv1EQY&h0CXddl^enmpT99ov^>CXV~1Ye&LP1GZ+#C| z+_)-}KcT%*5O%d|Jw-?9ZTGg@Wo;9H;;b+alsQF~lTo2`vsp(f>K-U~ef{fb_D_Wg z=kkl}FNFze?qLP{Nn`oD97Xm|V|RNlb4#wjX)}MvG5;&>3e5RWy@vi$otG#^ryvtA#rkqa(O`=VjzRCB_3SRfT{EuOv?bh4u!pL00G;OMm;_QDcu6N zh|lVDI90X(D3No>BlvBv_mQ+1(p%9{#C$iA=52? 
ziAUnbYZmFLN0~{ACmyYROH0pNS)=SfTs-v(=}I1j*Tk}N6%vHdSitDpCNe}zX8aRn zzgftcH8lHjnqaim&eVnA*Uco^KESY~^(7_H^iHfnOMa-ND+8*wA_GG=T2p6?%m6ur-|G8g%cfW-bU4LFgS(;RpBR-F94uJ z%*^CFC(rGGb`fa>ZeeMld!d$uu9(&7fYA8En5W$a3?7+yvr*{Ep;^?#oji=*Q<}X` z3g78qL6Na8(lzl9)>52I3O*pTJZ==uGkTmkc-48k0CcQzMk>~nuAqw1B0e;E4#^rc}Ahq^0+abW<(A~TKAT9V#WjE8Vbt>Amo z&Au3TkIKr%_?b^#?j%%HKu64+RxDFn`0h&$>w#DTyB#anav+t;=K7s^#K8$(5i;)Q ztDR@Z7v~Z-1UA(R@Ex3I?n{FTsRrmBaCxG!dY^=P;Q>a`Z^bh!PKY??1WE~GDUq>h zhD~zs##17b^gp+_^*_w95y|#ckhI163Su^-denm-|5b%)P3hK!%Ln4?gUwZhXB(m5 z*jz@o-Q^|tzeo60a5}j-I$626*;%=2d)yvX*uHXy)4HfPoZq5U>YR=JFRkc}m4OXsg6%MvR zHB~h(#HgUNmS)yL(vrai<4ctm5eazXzl+S5?q3dEg!j@{&%e^_8uok9`O5fezyp6t z@t-8Q zzjFUpU;FzSe?P2WuQ7r8f3NZV=zh)l`*w4^sTTM@#oCYN^J7E*3BGDS*WkE+f`94< z|K`M1tX}gB{438dedU@I72$X7=?5)55c4v6{>q~7Z}yXOzmWdftbXSHU3IzUF1Zv^ b{vX`ewMJ7F@J9w=BVZ!{EzBEqp}Q6$1~j6=xE-iKq)6f&|m*~cbigkvOo&#WS4Mj1I) zwjXbAuX^8p@BjDzUe`0O>$yLl`+lD59?$oq0>Qw<1Dq{&XVlFQZ2N zC0QPoKg~b@wNtYOX$Cx#)5jjC2iebNP$?yOSs68TZm8@gw6{kQ0_Gkfgn&8vdj~3D zydwhB3l3Zg{heG8@NE#ze6~g`1!p6RTTMy`j1&S>b4ukXCZokCi4lO2dy)3QHcy`@ z2skP<&OUn@M{FBhqNyOk{ zSdc2h+8*Ty0Ki53tt4UjA)(|~hcz^o z#5;(cZq=o!DuVg$jBJ)d2l$G`t3z}lRsDlG6H5Afg2kL-b@_w$3M{nf_XIsXb8mU3(K-G*UDyYyRJXn|5eEiNK4RB=-YHe}ZLwTIdVOOoQFu93SE zEEZR_u*$0IjN|Df8E-f)@HbxLXQ3u38jEs!NjwCtn_nXPsDt##rX|M@UbKj>v%Vpd zW0M|(h(Nwh^JBj!thY0lxz=ML74&+$Cz6-|i9=*UU=)NWW~ZH7-N;K@r@l-;ZnEZ4 zFsnl#P}VN=f`Ll==9@6-ftO&-+bPIo^Z9u_lCqlJ2D5nH=0Vlsha8?wyzRW+CHpFl zx-Ir`gk@}S>+#+M+OWDYBNRfWov@Q>m#@oTnQzw^4L(j~KyMlcSQODO5}U0nHme0R z$R?Tg`ntZzT@K*%P&;~kd-SV&|8`9%R=t76#)_*QOwei6wu(R*N#me>2iE-DYEEO# zlndQX=;0!UBmI23Ik{H+vUOO&*u>TgI8~<6i!PL3-C|CniPo<9Aw*~iA~tHW*?j5U)lhwpeI-5w zx%oCw3FV7n)f+f3#8r9}#N?yuv+tu)lT_B)$=6PrmnfHlH1^yg8}0zH$;!T->*8DB zh)KKE)MLE$usCOhIZ85MY@EfLPBni?Mq6cxnE_a$O4-8C`pw^u#WaW6DjybmwY%Qq zURUsACSp8!Ro`W%WliZ%g-l!dMo`ilj4Zxpk^Wzaezbw_b+$f|yfSfGXD2uSfbjoP zXHa(;2M0R`MN3B~Q`;Z)7I)86lT?%VWQwKKP!AG{_mGCwsQfYh%gPA$dzU6(;%YUr zYdsf9PA)~g%XSsP8n9Gm_}CnQ%)?Zc$YaQ0D9m#d5vR@|JdQd@Ox^42wKKCl-am-A 
zbwROdh}baEMxqP_-y{E6{e|2U`c}Cp6XfQPwxPVvyTd*}Q%F=*f&ZIRNI&*J_eO356%fwTb%N?fW zP`GH5w!#HvYRV;mGR>}}Jp~ap9Vs2dj4`1mr4mC_nUAviiniKQU7qlPr40jHdwWAP zGW>bs5TZD_n|P#g5vAmh#^A;{q4!5KSiUG+vZdxlz&gP1$9Ov;zlAg$iM2it$nKM3c| zl?^nkW&6_fG*8ON#E$-vN50;&ci2@;r>n{z59XI!S0pg(3?dCBSAykp6xOCvBn~g}Eo;nLQ>DYI*_6y1pEG7P^Q?jSzT7X02)#?wYvNJ}iqB zj(iz3#r-XT9Fu85BGYPYp@Ao8p$UVQS;qbD=kY+wSL}kyTi9&(4uw1*`2ks; z4DvyYZ)rgwed4#{@f7Sy&qv zh7rkIrc|Nl^WgJoOi~PXMfI&VD`?1kdfejaqv+XPx93pUbrM^f)0e1rjaJMTmW%Xz{t70+84#W!)cw+#HAw;Ekc zm9_Eg#kz&57fpTG1_k#sQk~KrI>IRYX%X#5xo=_%n7omXd>@?LdmJT^cg0Xzra8u{ zfIU?vNIl1)FymfQb$(IQqrZL{zIThsLy2X`>8}oy900ibKXi*fr?Hm1SIh$4$xX|N z?3o2#^+*T?u*%K{;VxNv5%TQa8w#C#iuY(?cb(hAB2&pCFc-To0ml7(a8U%Q>Rne9 zlosw|+pDKECE*-+ohPME+4V^1+ruwpry2A9xB-E?UxTBaJ=uS>-3F-}ISxuW>6B;t$dY8b)X_!(EsKf$_RvG5h z#<)B{SleoLet7Pb_hdx4MQpW|v`J2!)l#Fn!;`B;ev-_l1+`2V&3w%xb*1WZWj<7TN|)}e%Ml2?OIl#aDIUVsTd2@gTfhp+*Rl3 zXKD;%#(p@+l&BCWa>k(`>MoU-;hx19r(pd>n$OIRjBAJjLP#Jqq7_`hIyG)Op(AjA zHi9KfHnXL4ZbQP8-9#nPy)I%?Tp$}_l^C-1MoLXYRbzJ}7DivMIxUXNw#nRfXz|ev zemvp#3FzEXjCHvf$l2e!1h#@JYEPllUc%)D#g&9GOU9;s#sgh!HVrsq9Li;+q;X1+ z#axcxL;*gm_ZiaSE~ZXArK7jGtffVv)#8i_rYb1;eBInUv1;N?38yOMRXw{e*Ts25xb(~MC~BVHZBbX;WV$$Ztam4kON0=2 zYlu=-uv<~59yVP#p~+;`1)EA!oK%hRR-A>?Z{c&L>Pn3p_3CRTCQ3)I8}Y3TSkRL*p5q~mrpJZP~1mVy^FxO$+&%( zVMXmP|E5_sA2j9VavN^Ok&5to8}cxE5Lhq|roQQ`^KN2u5QwY@xZ71nU^$w=If`fw zh@@kk2MAi?RBVwt8@>aXI93gFsM?M5(h1~F1J>538U0?laSg3oddVs&uC!r0`jV=Z ze7%;4*bx`R3Pim1t8>868!8T{vnP6vG`%P~cf;I_j6nYW&F6-Af;BWFDun3~bpzH* zx7A@MnE?mutkhe`I z4G`?T6L$Fu(9v0sNU*Z9vZ@j%Nt;@yy3z)2Wj#R#s>ZArmGTE-t{bRN&+=37Oue07 ziZ7TBdOtH*hwR_2%i`O4Z)Fy|vCAuX~ zU#F`16SjjG_n|t;-m}K?uC4vstsO$*KI!-=EpJ%-m9`ysrcjfS!*z8obzBa>*CXp5 z@7AXt%D#{8D$9yZt#?ZTBa&%p$8mytse^RNS8-z9=WW}9$)jyky~Ll-(Bvo7Eed&& z;Ma?SOB0R9v>LH9Q<&%+u3cSjvjb6GtWpAQREK^D6}zgCimOskY51*Fs-Fufh~aDB z>Op2sEpwHcRNDU|4wf48fM)#q*t>u`nRoPcD3t|QxSwIx)UIm@=ofov+$R(2J>Z{` zyo$+bcIh#7xY%2NurR9qNtD8~mt}c;;}>%ylJQF;FTk1}uog}ysPVt zkx+u6E`O-=+MI=GAxOVKt7dOy-tk7f5e{dsv&DQ@5rMo7%(qLAR5%6+F(XblOmi>j 
zq#>3HAu+~R=0qtCM;P|-P9(8TT7MmI+_)C(`P8{$mbg=L4(e7h%S&kI(@W1oxT!(; z#HGtDdST%cR1sYh_AO3#JX-nN#@t&m0_#_v;htnlc@3dB;}O%VEp7?oHOLBYOp!1n zyG77V!BC=z@dFL&{j9@)1In?;l2|KvfQx=%W&L=k&RSu`^&-|oc&s-EcXJ0Cmz9R} z=5lz#9=FhPj@NLF_FR^X~bB)Z67#-BV>A82~_R!6aIUW$L*TNQ~74tFAI77#g z-@42pQ74^GI9+3O3M4QG@|5kBhgZst9Ic)*61LIWwA}7|cU*tW9ktTQy|TJ=Vw_Su z99(;x+bI;nvr4s_#8tE0N&CdL_LOyq2!8((#gSy8HXGPJ^(aN_3nN~y)Vj!tRG4AY zgeE^1vtWK~iENTF8CogT5)CJZ#_BkXd@2)+=2FEa&p}3BChHLI1|nBz48X#b-Fgd6M*=d$P4*w zIZZkGItll!)F(E+2t4l06DRQ}jQ%wQM3+Ie+&oLy$ysUn(46AWo`RUlFO@-W-E$Yo z9Zo;aD^H{GUmD@mh?pL~^liZ}QTxTfVvm4GZL8PO$c(1G8J>hl&}Q-x50@HJb$I0w zU&W@-!Gq|!ESA;0^zk7I2Y9y3{Dfki$%thJNu%-B=$v9Xo7(}4-}be_O~Egyl6HYs z?|42mZCSc`_iM?O;nqh{_ULF>h0j}c!0VQ;HQbF}hdy|lem?XER|w~st3v&6*;mW2 z9{1{nOdMgAQ0aTKA6I67j4!-{Qy9z8-YpZSP@7EV`XQzna2yXUW7S=N=k!J%v?HC! zG7jlZIx|Ddo^`m1UcYql5zq6*TWFqpth%)In8$siGy4pv}<_#Xw3aL>E`b^wtvN)fx-WjbJXonH$StwNvZ+?fCH@Wa?al( z{mJ<+BnUe=w;S9hOufr?l9yPbKIn(rl+oY!b6n zVDA=*H3@I@GZQX~F60>NRe6)#RI`fLzn&5e*U&4IO<4$2S&wUWxH6dmMK76vr!I(v zF%$AtMECPLN`@hdOv0Ho$})KQ8z?kHLs}bznzdD#3kHWOZeqd{DVh5lzQfzVcXfo=$BEM|NQ1 zd0{$DeJOc)0BD;ovl&ZTIhI9`ue_?IVf$r+v%!Vd*h8A}<)Vp3=PvI<#uG6f85+XV z9Xo$;3@G-_4YZsxL3PyU*k@I0mE?tF!98S=(t(&J`1LyqwM}cXu2s2o#wb*jlWv#T zv9GxwVVG?XvY;6kf9P{cEmMmN{|%QEIZmEswVZVoE26K>J8}URo0{CDj@R1q7C$c3 zB#MUgU4=dZl_YD7H7ml_g}~*AlF{cy^YYZSV*wI=B5qdc4*C;kPQgFxS9>5Vw)spJ6J6^q=qC!fq$4J2J$$Q zvBB0>!9mu_LHP3NcI*O>4CB8`(5KO#E@Hr{)YZ0!d8<)@ UVEs`+7XcRmSf?rDLvcp>ALzLd_W%F@ literal 0 HcmV?d00001