From 678e8b543d3ae46ad3f338a34ee0a90ffa07df58 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Mon, 26 Oct 2020 20:23:57 +0000 Subject: [PATCH 1/9] add proxy --- Workbench/docker-compose.yml | 14 +++++++++++--- Workbench/webproxy/Dockerfile | 4 ++++ .../webproxy/container_files/httpd/proxy.conf | 8 ++++++++ 3 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 Workbench/webproxy/Dockerfile create mode 100644 Workbench/webproxy/container_files/httpd/proxy.conf diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml index 83071fc..0a635e2 100644 --- a/Workbench/docker-compose.yml +++ b/Workbench/docker-compose.yml @@ -56,7 +56,7 @@ services: aliases: - grouper-ui ports: - - 4443:443 + - 8443:443 secrets: - g_database_password.txt - source: grouper.hibernate.properties @@ -191,7 +191,7 @@ services: depends_on: - midpoint_data ports: - - 8443:443 + - 10443:443 environment: - ENV - USERTOKEN @@ -242,7 +242,7 @@ services: networks: - net ports: - - 443:443 + - 13443:443 mq: build: ./mq/ @@ -256,6 +256,13 @@ services: volumes: - mq:/var/lib/rabbitmq + webproxy: + build: ./webproxy/ + networks: + - net + ports: + - 443:443 + networks: net: driver: bridge @@ -296,3 +303,4 @@ volumes: midpoint_mysql: midpoint_home: mq: + diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile new file mode 100644 index 0000000..c07c899 --- /dev/null +++ b/Workbench/webproxy/Dockerfile @@ -0,0 +1,4 @@ +FROM tier/shibboleth_sp:latest + +COPY container_files/httpd/proxy.conf /etc/httpd/conf.d/ + diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf new file mode 100644 index 0000000..9c9f396 --- /dev/null +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -0,0 +1,8 @@ +#Proxy config +ProxyPass /midpoint https://midpoint_server:10443/midpoint +ProxyPass /grouper https://grouper_ui:8443/grouper +ProxyPass /grouper-ws https://grouper_ws:9443/grouper-ws +ProxyPass /idp https://idp:13443/ +ProxyPass /rabbit https://rabbit:15672/ +ProxyPass /comanage https://comanage:12443/ + From 268debce49a13e479a4b6d66689504327665079c Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Tue, 27 Oct 2020 10:03:14 -0500 Subject: [PATCH 2/9] fix proxy conf --- Workbench/webproxy/container_files/httpd/proxy.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index 9c9f396..0befa7e 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -1,8 +1,8 @@ #Proxy config -ProxyPass /midpoint https://midpoint_server:10443/midpoint -ProxyPass /grouper https://grouper_ui:8443/grouper -ProxyPass /grouper-ws https://grouper_ws:9443/grouper-ws -ProxyPass /idp https://idp:13443/ -ProxyPass /rabbit https://rabbit:15672/ -ProxyPass /comanage https://comanage:12443/ +ProxyPass /midpoint https://midpoint-server/midpoint +ProxyPass /grouper https://grouper-ui/grouper +ProxyPass /grouper-ws https://grouper-ws/grouper-ws +ProxyPass /idp https://idp/ +ProxyPass /rabbit https://mq:15672/ +ProxyPass /comanage https://comanage/ From 2be7b43e720ca8d74718ce8e759444db595a60a3 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Tue, 27 Oct 2020 10:14:02 -0500 Subject: [PATCH 3/9] bugfix --- Workbench/webproxy/container_files/httpd/proxy.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index 0befa7e..259d807 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -1,4 +1,5 @@ #Proxy config +SSLProxyEngine on ProxyPass /midpoint https://midpoint-server/midpoint ProxyPass /grouper https://grouper-ui/grouper ProxyPass /grouper-ws https://grouper-ws/grouper-ws From 8269a6f655851561ddbda138cba1db84eaa2a397 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Wed, 28 Oct 2020 13:34:28 -0500 Subject: [PATCH 4/9] fix grouper and midpoint --- .../grouper/httpd/shib.conf | 54 +++++++++++++++++++ .../grouper/shibboleth/shibboleth2.xml | 2 +- Workbench/docker-compose.yml | 3 ++ .../shibboleth-idp/metadata/grouper-sp.xml | 27 ++++------ .../shibboleth-idp/metadata/midpoint-sp.xml | 8 +-- Workbench/midpoint_server/Dockerfile | 1 + .../webproxy/container_files/httpd/proxy.conf | 21 +++++++- 7 files changed, 94 insertions(+), 22 deletions(-) create mode 100644 Workbench/configs-and-secrets/grouper/httpd/shib.conf mode change 100644 => 100755 Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml diff --git a/Workbench/configs-and-secrets/grouper/httpd/shib.conf b/Workbench/configs-and-secrets/grouper/httpd/shib.conf new file mode 100644 index 0000000..9c33671 --- /dev/null +++ b/Workbench/configs-and-secrets/grouper/httpd/shib.conf @@ -0,0 +1,54 @@ +# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig + +# RPM installations on platforms with a conf.d directory will +# result in this file being copied into that directory for you +# and preserved across upgrades. + +# For non-RPM installs, you should copy the relevant contents of +# this file to a configuration location you control. + +# +# Load the Shibboleth module. +# +LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so + +# +# Turn this on to support "require valid-user" rules from other +# mod_authn_* modules, and use "require shib-session" for anonymous +# session-based authorization in mod_shib. +# +ShibCompatValidUser Off + +# +# Ensures handler will be accessible. +# + + AuthType None + Require all granted + SetHandler shib + + +# +# Used for example style sheet in error templates. +# + + + AuthType None + Require all granted + + Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css + + +# +# Configure the module for content. +# +# You MUST enable AuthType shibboleth for the module to process +# any requests, and there MUST be a require command as well. To +# enable Shibboleth but not specify any session/access requirements +# use "require shibboleth". +# + + AuthType shibboleth + ShibRequestSetting requireSession 1 + require shib-session + diff --git a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml old mode 100644 new mode 100755 index 0c38f82..6389055 --- a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml +++ b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml @@ -34,7 +34,7 @@ Note that while we default checkAddress to "false", this has a negative impact on the security of your site. Stealing sessions via cookie theft is much easier with this disabled. --> - @@ -25,14 +21,13 @@ and do *NOT* provide it in real time to your partners. - - + + sp.example.org - CN=sp.example.org,O=Internet2/TIER,L=Ann Arbor,ST=MI,C=US MIIDPDCCAiQCCQDNZe8r0hVtuTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJV UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEXMBUGA1UECgwOSW50 ZXJuZXQyL1RJRVIxFzAVBgNVBAMMDnNwLmV4YW1wbGUub3JnMB4XDTE3MDkyMjE5 @@ -64,15 +59,15 @@ Z75p+JrWYZJYrx/vpWxL8g== - - - - - - - - - + + + + + + + + + diff --git a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml index 5789ed8..b04e2e1 100644 --- a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml +++ b/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml @@ -25,8 +25,8 @@ and do *NOT* provide it in real time to your partners. - - + + @@ -64,8 +64,8 @@ AIW0+dXJ2IyzM+0sv2g4DOsXsnSvinGqjr82A54mXGSr7edhPdlQhILFkJfhTwLq+mjnyQSNe3s2 - - + + diff --git a/Workbench/midpoint_server/Dockerfile b/Workbench/midpoint_server/Dockerfile index 34ce0cd..33f4f5b 100644 --- a/Workbench/midpoint_server/Dockerfile +++ b/Workbench/midpoint_server/Dockerfile @@ -3,6 +3,7 @@ FROM tier/midpoint:latest MAINTAINER info@evolveum.com ENV MP_DIR /opt/midpoint +ENV MP_MEM_MAX 2048m VOLUME ${MP_DIR}/var diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index 259d807..de6773b 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -1,9 +1,28 @@ #Proxy config SSLProxyEngine on +SSLProxyVerify none +SSLProxyCheckPeerCN off +SSLProxyCheckPeerName off +SSLProxyCheckPeerExpire off +ProxyPreserveHost On + ProxyPass /midpoint https://midpoint-server/midpoint +ProxyPassReverse /midpoint https://midpoint-server/midpoint + ProxyPass /grouper https://grouper-ui/grouper +ProxyPassReverse /grouper https://grouper-ui/grouper +ProxyPass /grouperSSO https://grouper-ui/grouperSSO +ProxyPassReverse /grouperSSO https://grouper-ui/grouperSSO + ProxyPass /grouper-ws https://grouper-ws/grouper-ws -ProxyPass /idp https://idp/ +ProxyPassReverse /grouper-ws https://grouper-ws/grouper-ws + +ProxyPass /idp https://idp/idp +ProxyPassReverse /idp https://idp/idp + ProxyPass /rabbit https://mq:15672/ +ProxyPassReverse /rabbit https://mq:15672/ + ProxyPass /comanage https://comanage/ +ProxyPassReverse /comanage https://comanage/ From d232829e64b21135a71cc3cf4986b61360b164b5 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Wed, 28 Oct 2020 15:07:34 -0500 Subject: [PATCH 5/9] add jump page --- .../grouper/shibboleth/shibboleth2.xml | 2 +- .../shibboleth-idp/conf/access-control.xml | 69 +++++++++++++++++++ Workbench/webproxy/Dockerfile | 1 + .../webproxy/container_files/httpd/index.html | 18 +++++ 4 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 Workbench/idp/shibboleth-idp/conf/access-control.xml create mode 100644 Workbench/webproxy/container_files/httpd/index.html diff --git a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml index 6389055..1d514fb 100755 --- a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml +++ b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml @@ -54,7 +54,7 @@ - + diff --git a/Workbench/idp/shibboleth-idp/conf/access-control.xml b/Workbench/idp/shibboleth-idp/conf/access-control.xml new file mode 100644 index 0000000..17aea1c --- /dev/null +++ b/Workbench/idp/shibboleth-idp/conf/access-control.xml @@ -0,0 +1,69 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile index c07c899..98f78cc 100644 --- a/Workbench/webproxy/Dockerfile +++ b/Workbench/webproxy/Dockerfile @@ -1,4 +1,5 @@ FROM tier/shibboleth_sp:latest COPY container_files/httpd/proxy.conf /etc/httpd/conf.d/ +COPY container_files/httpd/index.html /var/www/html/ diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html new file mode 100644 index 0000000..1160f0c --- /dev/null +++ b/Workbench/webproxy/container_files/httpd/index.html @@ -0,0 +1,18 @@ +
+

Welcome to the InCommon TAP Workbench!

+
+This is your own personal instance of the InCommon Trusted Access Platform Workbench. +

+It is running on your local machine. +

+For more information, see this page. +

+The system contains the following TAP components (click the links to access each component in its own tab): + + From 4215e82a7f3105b5ac52201e9baa5783ea016045 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 29 Oct 2020 10:01:32 -0500 Subject: [PATCH 6/9] update Grouper SP --- .../grouper/shibboleth/shibboleth2.xml | 106 ++++++++---------- Workbench/grouper_ui/Dockerfile | 4 +- 2 files changed, 47 insertions(+), 63 deletions(-) mode change 100755 => 100644 Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml diff --git a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml old mode 100755 new mode 100644 index 1d514fb..7ea21f0 --- a/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml +++ b/Workbench/configs-and-secrets/grouper/shibboleth/shibboleth2.xml @@ -1,55 +1,48 @@ - + + - - + REMOTE_USER="uid" + cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"> - + - - SAML2 - + + SAML2 + SAML2 Local - + + + + @@ -65,19 +58,25 @@ - + + + + - - + + + - - - - - - - + + - Example of a second application (for a second vhost) that has a different entityID. - Resources on the vhost would map to an applicationId of "admin": - --> - diff --git a/Workbench/grouper_ui/Dockerfile b/Workbench/grouper_ui/Dockerfile index 60c8015..89fa4b8 100644 --- a/Workbench/grouper_ui/Dockerfile +++ b/Workbench/grouper_ui/Dockerfile @@ -1,7 +1,9 @@ -FROM tier/grouper:2.4.0-a47-u25-w5-p6-20190611 +FROM tier/grouper:2.4.0-a96-u57-w11-p12-20200324-rc1 LABEL author="tier-packaging@internet2.edu " #COPY in custom css, images, etc +RUN yum -y update + CMD ["ui"] From b4a8a911e09bc6a63f3890d2b9ef7184a5530a41 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 29 Oct 2020 14:56:02 -0500 Subject: [PATCH 7/9] upgrade idp --- Workbench/idp/Dockerfile | 2 +- .../shibboleth-idp/conf/attribute-filter.xml | 49 +-- .../conf/attribute-resolver.xml | 305 +++--------------- .../edit-webapp/images/csp_logo.jpg | Bin 0 -> 22665 bytes .../messages/messages.properties | 2 + Workbench/webproxy/Dockerfile | 1 + .../container_files/httpd/csp_logo.jpg | Bin 0 -> 22665 bytes .../webproxy/container_files/httpd/index.html | 3 +- 8 files changed, 71 insertions(+), 291 deletions(-) create mode 100644 Workbench/idp/shibboleth-idp/edit-webapp/images/csp_logo.jpg create mode 100644 Workbench/idp/shibboleth-idp/messages/messages.properties create mode 100644 Workbench/webproxy/container_files/httpd/csp_logo.jpg diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile index 4968448..b4e2b8f 100644 --- a/Workbench/idp/Dockerfile +++ b/Workbench/idp/Dockerfile @@ -1,4 +1,4 @@ -FROM tier/shib-idp:3.4.6_20191002 +FROM tier/shib-idp:latest LABEL author="tier-packaging@internet2.edu " diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml index b3cfee1..5dfaec8 100644 --- a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml +++ b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml @@ -1,47 +1,26 @@ - - + xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> - - + + - - - + - - - + - - - + - + - - + + - - - + - + - + diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml index ee9519f..03df80f 100644 --- a/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml +++ b/Workbench/idp/shibboleth-idp/conf/attribute-resolver.xml @@ -1,245 +1,47 @@ - - + xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd"> - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - + + + + + + + + + + @@ -247,47 +49,42 @@ - - + - - - + + - \ No newline at end of file + diff --git a/Workbench/idp/shibboleth-idp/edit-webapp/images/csp_logo.jpg b/Workbench/idp/shibboleth-idp/edit-webapp/images/csp_logo.jpg new file mode 100644 index 0000000000000000000000000000000000000000..cbcdab10bcbc0569f0daa585856e53e1beab6563 GIT binary patch literal 22665 zcmb@t1yo$i(=WOQ4;q5QAi-@Q!CitwaCZpq?ivX05J>RgFj#OW5InfMyF<_bfj2ql zJLmh~``)|j-nDMe+P!~WQ(awMQ{B6IchA$@(;DzxR#HY10D%BN8ukI6jsYGeO9xj6 z7fT063U-!P0M8p4c?1ODuk;tD`3pXuB8{Gp1F8}B1D}09x_#sSw1I&jBPM33q@pM( z^H$<7k?5Dkj*hl)&jG;B-ql$}>J5dKwhjgICIAB902F{6U@$guaTHZjdizJ_Kli`n z|C?RUz_?*)67omZzvTZtfNg5#VgdjlB^diVQx_9E7_Nm~3nq@vt^fcZ52I6gxH|s9 zFgk$i3{wz>`~P5zzwy!^{O)gj_7{(uiWmU=u?Y&gv9YrS0HDKq2vE42Sit01bQb%WXKuS5mQ(Jh^&RbY48KX$Wmkoyc)L;qFR z%|>1HA8ctR^RG;AOEt}Z=yI6*Cmw(=@E!;SqJVfH8At=N zfjpoXCBCvTIl+0ueSnLF`wW*0R|Z!P*9kWWHx0K2cL;X{55S|r z%g1CJHz|KN5ZGT=fYROH^cYAPr|RkAHn}ZKtjMlpg@2i@FPeg zs3VvlI3f5WL?fgj6eH9lbR$e6tRtKuJR)Ksf)SYz`4D9gwGb^3JrF|?QxFRg>kxYo zrxCXiuaS_D@R8_{xRIohw2`cle2}7%GLb5gI*`VZHj%E7k&%gznUDpM6_JgRU6DhP zQ<2M%zadW`ZzJELprMeXu%Sqz=%Co61fis$KvCLJCQx=!?w>t>M)QpCnc_3kXI{_Z zp5;Glem44S``JAzHYy#eAgUUwHR^lR&!`osJ*Z2l7ief`lxVzY%4k+-foPx6zM}P` zt)u-ye}T@3E{3j$?uH(VUWDF(K97EZfq_AbA%dZU;ffK9QG(Hhv4U}niG#_4DT8T> z8GxCNS&un^d4lx}iv~*+%K*z8D+Q|tYZU9~`LpM=&&8e_Klgv0{=Dh=?DH#Z9PHQF zir9A8(b!Pz0qngO$S-JLNW3t8@!>_@i>?=&IPf@BIAS;^IKepiI6XMqxJbBkxH7ob zxKX&}xFfh{crWlc@HFr|@zU|y@Ye9*@oDj8@NMzq@T>7>@b3sn2}B9Z2qFk72qp+_ z2uTP<2+as12`dSw3Gav~h$M(?h!Thzh?a>Fh#85Mi9Lw3h7eI#oq+b72%7b3SJ|49Cg{D1UDC;D9aDF!449tInR zOolN=I7UuJOU87@Q6@MhE+#9cOr~*WL}p%Qd*)o`SqM5r6ygpkg{-sSv%F;qVrgJG zVWno(VNGD|V|{$Z`O5ZH{;S2;FJ8;O4tm}E`X?JBn+aPw+Y~znyCi!6dn5Zf2NQ=G zM;6B%Cl04PXBg*q&fi?zT+Un-T>ISA+(z6P+_OBmJW4##JpH_gyl;2|cw2dY@p19F z@>TPl@Bf;oa~LKH$qLSKZ|gkK693+D=Nh){``iWG|M ziZX~=ia?%OXvofSICNd>5XR_R~ezM(i=yIxZX>uEH8Q(g;ZI*|Vmz7VFUs9k^uvchM z1QcZylN6Vg=#-q4T9lELm6X$!cT`@h_^R}&;;0&`LRGKT-l)Z?EvnP2yQzQIz|zpu zDABml6xU4DT+?FJ^3xjBCf2snZqz~6(axzd%;P1fDk17yt8;5<>ul>A8%3KUnEiS23cIpoFY z72&n(E$Ln0gWzN0^WFEQ?|a{MKT*FNe~|w>|L*}*0UrXk1Em6s-=n^_c|RQVDkw4N zGFUUX`2*>Pzz>@tQX!?Gn4!+0vtj&U+2IJ`R^cNN>=CIEkCCR4KcZemr9?eMn?(PJ zc^&gP<|)=Zb|j7~E-M}>-adXNK{%l}5j)X4aWhFiss1Cy$HL6uR}OtoC~_Zps>idvf5j5?gU$a+w{SN&OoWy4ydcH?-HY}5B< z{^q(CmX@N{m#yh-cx`d*sO=xxpT2p2yXtW4IO??M-286%eX&ccYpPqhd!$FMr@vRS zx2sRI?_0lMf9n9>K+_MN9}RinR=_K{s|>4^Yg}t> z>*DJ}8>$~umyS~4Pyd}CV{>AgF?@se>_uk_H`Qh_# zhTqMPa*s<-c27@^#?Hon#RBlK9M0Sv0Dcw$0ERX!b{GQyRNcSh=f5~Wf5-eV{3rJR zbNxyG6aG8K{_7hq04Ndx0QEosc-sL0S+I)+hS6d7KVg!Z2mr^<{_h2&{7Ek6>}-Dl z5V|ugG`W3xx*!DrIT3tBf`PK|6|cVnj;}2qJZEL;9%dXJO@DV@E}A4L?l!g6%PInH#`C& zHWKoSm#;-}l#QKmDc>jL;8C%?QK>>vedp|&m|NXBj!(_b$t~u>74)&@I{^)cxO(vV znTcCo*91%^32bc%Yw$l?L_matM?(Ii4mUQeK{y0B6eKth!XLNzyFqNkKg}s4;owrT z89Tumtm+&;V_(Ok;&^k8ubTL@0HDLV0EZ2a4G07CxZ?jmN#du$O!OxJjuNg(%ezhe z-4~iV?ns^`q0&P8n-*TJ)a#u5H6Ct}i)Any{{|91;xS1wEuYNR*{f_3wI*D=Mg584 zZBDU=9N|8+ExQ1@EPE*Vz2QTd_uj7(@{L2`EB>{jh&USbDC;`~#R5YrVLs$10ML+3 zH?Z>lc66#1EFA5>yBcySJz1rbEv7Q8PZCz8Lep>H$+%V$ErUM(qYpidvm;30`z0I} zWj*}|>>P1%iF54#?c^9m?$W9>UqT9d0FiQ-9P(V8!KVs=)EDAx6Wd0EI*~TLyv2tH zuDOdEgydAWZ3H9~^SYo+7`gTtx4!C?+J$JE{%$9_o8Q-6Z_<>Qrv}k2d?A;X7C!PXDymlJgcO@3e_{PnyfVBiLSF8)VcU*{yc~8%*+AKA zs4m&;f#yN?rkR_&+{wdl$$u=q4Pqb0|7LYuY-sCKrSJrNw33?oe7EMwpZ)EnE}xCT zd>xaxqx{_TRgeMZwW~)>T%c-RX55&44=|I6f}M<=mc zS{f9ZA{!Z@jjJ59E4T}QR+ItiIaW~$OzYMeewCbR_m3L6KNiO0cXwZR`%2$Qb@<4J z+4vQ!8R#95uxHCjbn_V~e)c=II@$5QVZ72DR<%DQunTc@;VdkD0(LKM4esj>)_u!h zaZ$n53o>m1V*WH<&>F#eg0h7QILx`RDR;e_7CQU;^AI5MSoS!L>U~a7hogbSVcnv2 zB>_D>eeSU}Esy2>zzN_)*W`s)TE%3lqPA3_NR&v?Zz9;S)pCMn`gUY(n&3s*k?ZJZ z49S%uk$fE&GcFrF48I>QouGX(iPajA96e>##*MgT6si$2*mubb?Rxlt;S@t zzY_^f<6Zakb*|;jcSA5Gcb<*O)6uq^xk~6>?l0;-h7TlJQam=ZDv2nsS*YL>j2L9f zl;>?C4)VA_G$3Zg#*C<`wRi%aku=_<1o_ig7_dzU5QGjAjMER7NL)Ne5z z+P~&brcpFLiHQ{^U^u1#2yi%8saAIshgH+i6p@c*bLlt;%h`Thj3R{L*N{ynY*oJD zDZ_|Ute*64(=?fBRO4KGls0+-iknP}Z8po(s;Yh#e*Uh%BBrC*nBjxps6~apQ@EiX zTCMa5fPVcdCR-@Ln3!@3?zyt-KLy1-@~9;?T(5I6KwkZB=zjtn;cuZ?k+C)*z8tPY zD`_5~uRN3DoGXiGbXgAbW?}=SkL!em_oXjGgUY9;lHHyw{BT!YFLRlbPS}mGmtsaY zJ>TJBmOqtWc0HCdanAP@$>373_1I~26w>QcuS#L9?Pg zC9NV>%Z4)661=Kk4d_TkCd`A3X4NI0fTW>?Pb3EXdpwIb`WjFctzFLbVVC#F6tPB? z@^ad`9;vmjc-XwcgYavUf=<=HIMIDMl?$n^pH#CtEGa1b=%-B*XSpX8uEg9@#YAe} z;?fnFxsOq%p^L`ADk;0597wy%>>pt1b$%|8JYd(XtY4g}E~fG$+;Ct>7=FnYb=oX- z(mQv%&?a43On5ly;%m#Ew18BA6ZlOso{W9m6pID!-ldCyto>n=qi{$~ah{H%*5Z{J zc4BHT@8&u+rcjN5ujrotW~YpIDOV$p9;;vq-S?jZh~av1#YRJ0&v!Bx(U;4(_W#6pNTDPa2QQCgt&S9VaUaq1nEy_O`|tW-i%U8%9! zJ+xM^bq+0%+H>um_fn0NET?60E8%jMuQ-z);`D-y;@8#rPMIN-(aSHa!ueg+PJstu zGUdmWC+`)wD&-4v%T{uIwB1KXdK5tR!mP*`!Z=fI25sR>?_vvg?GqNOrHPnLTG7M& z)+KBGM^E_bmDM>y(^mB4pk!?OC<0>01_I9nkR#Trb*d+y01M*!d8b;8xvcME;0=#K zNAR-~iXfke^>Hc0&SkeUysh$(F)%|lfsDiFnN?PPCVqV_!(!JEeJ}-I&KH^Ir!ERk z$3$e)75*{Y`FFx*bPnH|=1($@Pqg|3ZXt=2I?b~sd%6%BF1ipO z`?-UCaO?4Aa39&%^^P-bzMKz1JdjsLcyA-kThZbnmCqfnb)UI6N?6sYYYzX;6i|pi z?{#F4;{?wq6%>zSYsjAM+t8(XWZe*<2tO|^*RCVt3^bDQBimYMe;A_Et33YA|Ay0DiW~l+HNuW(<*Z4x;92esuZ?gL@4AM$fL< z`92w%o$u6t>IMIpyjV5NV#u5p3KdpwicJ?(q!aKzZIj|Ge~i+xZt*E8YuCiFJHuX^p_pEoO2AP*|H>+tks}yB{`t!Fy6&ptC+%Bqux{Sls ze#4Wdii+6ij_)pe@#P>|~Xzpoqj5p^Q{Y7!}sC?^us_Ijhvg(t^ z(LgK>eJ2o{-t8GYM2;PD&Eh!V=GM-dkwP0b9IG6BDS9r@ae{DTksjiU-{Lx5r??!7 zPXzV__BYzAqHS!sWFw)GsofQHuNRhhwUyFECqC+^oZ|_Ss&3mJu^#1b?1eh=M8iEB z;jswAd!dbXypenFUDBlH$GaTQ$Jv@TzJ)KS+8VT>!(mV*0WK>tF?UYnhKef7b7UJ7$b6-qW&)URu!ySpt z#YssxM{Xs{u?saJ`l)_ffkW!+K`dbF-#55dUyf@cX?>@!X^q3~&R6_(K6mAg<&+FL zN5##478xyMySn? zuJ0=FZDjW&%hkQ?FnEvh;Jsy{oT)4iV~ObEiL}(MZHqLtk849GRc0pCHF+j0HS{K~>uZwu-wq&I24%BSU5Zl5hHp17RJw@#rM5x+an9+MF{P>lvOh3HUq!lm zmq9(o z*RG*w;~7ZB8xz(x0>+Bp+=BASx!vd*TBM;Es;jd%6nsh|%DU(WjrpXMWQ}#=aBA?# zbHtYL#ArHNyG^QIYiVuyDq_W)nDkMS2H~5B%FFvbmdkMdsKq47)ol9WdEP;0Eu(Hf zP7GM6%=%WjT8@5Eb?V%_Y>Zo=8j!5?acUdI&Yzreok68-aEpnE@%>B%?gu>W1Esv@ zk;s|TGT|1(U9*xy$7*=N3ai<<@e{Ubmqwi2I#7Ofc1gW`(*b**^Ml6;dE@!%B8;ZP zP&Ixcp-}iIz*U$`Z<^b&MUQ1NwSx1CvpTy{pkQ}H_9qjqu@e?{^Y-q(plew3QC`1) zc3M-W=R6+oGLF7=)zs@Qp$8U>C&1K!zb$h)i@)esvOMMLqY#-asQ2*Z5UabiAbMWD zBS3R%`lB;>senSqO$|BTA<65aCWlOZD5T-dcw%q=gvf=J#}XcXlSw8?*WB)_SaHXf z*6t+OixP}viJHB>9#tk@szAGlxw>64eLH?Pq3vSV&FF7coE3wriP7U4E z?-0ysg;%6>*6&LDXw&9Kmi0kN30rW%5y2@|Fv}Aedv%HL_mz9j{Py=r#r?|{Y=^dv zD`pbH<)Jt6>|Nca%z{Ce5Wd*7LrvtOW&#KMwk`1cK$pJoy&Sj7Xg5=B?H2UHijOnj zA2xkkM?qTxk#iVSrhc(KU^mudrUNWHb*9+2iTn`*hp}QE^q6yXlKNzs1p$~ZrZ!h* zvR7^x__=b5cD{}p{0N-SHKt8@L-Nu?GSF+c)f7?x=yBxOq@1pC>CvBubRWkeDc|Wz zH}(W!v(eZgd97B898WoHl8?c(yv&M-vmqPJ+aE{zsChjgq|WWstvzN*2TjOXbOp4< zAF(@Tte{)9%mdhDYwaQ>B)u9K;rY2ExTLmI0YxR&oKoxWH;yP6@recCp=B)hHnEI- zQZ^0V;uyjUKYmU;0knZm$2Y8nJh`OX=XH&RbT41&fd)kcZ_8-Q<|XvgvSbhSD$5Iv z2J;+$&BQ)}!N_`mFP>+;&0A|meN}TaKOSZ)nz-nTm@Xo#o8YXC62Bs=y(7Mo(IO)| zP7@#VT4$S@FwlCI&@`E68sNjF`I(l9BQZ_3^7*|zYUh5Nm}a4a^6W&*-kGl-weim6 z1ApW^8s|dFFYBOnDcT2BZmL$YFSo%R<=U#tpR6xTTG7nZvZrjo@XjaL{hsh!UgXAm zA1AhX6?$yIK zUP+F-p_IPa<>BQEKG}FubkP&zn9OILU_}8k1K;W^eu64lnV^b#_%VmNVY2T_4;o?; z$Hc28RCb&)W_aCLM^SCs0$Pf~EGB(v=`KV+>SO7nBtm9WHQo_^P;Du5vfA!i42rcX zMI2R>*qb!acg`n7w;i`{f4%mQ5eFv_zLoFW`zpsfThpL6Z>VOT$nlHtuW%a3(!)-? z({6_6Zcw-Cam6^rV~u_JheyfHzMifVZMUkL79aYy(CT8hBYPvyC_m(NUz_1{-2*E| zmg}27Q4TxT#JVL)f1adYblr}E%j&PnNWUE8H76qJ9%tse>X9;dF0)~GVn{M-E4Z8V-0 zTb%r{WTMV*t{t7zxAs>O2%qhL^}TrAaemj~?}z{;^`^IhmM2$fjH?M{k}v8eeoZxqsNKAF?0y@iRUX z_WnM9ia%VTjX|Ro8KlqVQtXM(v!AZlkYWJaoo&9F}&Y!4K@-0d;o5-QMZCyMF9-9KU z>nfL*7wS_|it;$yDXPsgubZf|0ugJbk~NlPERKy|O;0GSPz3H|or&HCwL{X(hs_fv z#&oUrw>-G3f_(-B&KhKpb&h7oRo3TLZ|__b_U=2fStEOno&fp5LXK|NWCU-uQFhre zXW|W@*Lw}%ar_Z<++N7N3{mT7sEwp+y;<)D-4|$k$El22rR$b5ne|CZt`<U$*>MuDTIrR>TZ zxujH-hk0TOMwyKrEqi6Coek9WTGnL{5?mA!+%5zu5(TRojV@c*8hL z)U(yK)Z4qb>hn{lxQ~xJjB~_f!5L*u6m@jmM=K?}=F1eOYl5SV^<$0H_WRL`rkmZg zucv90J;h>~+HZPC0!E^y{C%Z&kAIY(wh%Q=It-XY%}h>BIY&DqCoB1PLw9f`xs77&xKO9k_q{w!N;-qLyV?c`CEc&Pb-%iZ!tHQorUG-$r zaB!4jx`OBp1Kn?^^^fo#0d?$Wq#b-bATJ^K@X;z?JJbO=JPEFxy65-$^SS1{pS$!V zrPl`q&Q}x0Wv&^NC8*UeD+Vrvv*7OX8?UYI|9ucH^v;m$r_jvWuX1+{ z$zBJfPfBVFD}J*5Hw(g$?BV=J=(OxZWdoUy88WmxuW-wC!j>_K)?2GRepAQ(+5(79@5?$6kwT*tv1=h@u5<;)98Rc58U&} zmpib)iMP;0`@6Z>+9@LiK82hsBltwCTSs)TSi@NYT;6}~v{N31xd7&V*EV))5#}I& zlah4WdCi1B2xYzt5W|UoE+xtm2EJq<0h`q1uhv_AziewBwGx2HXK*C9;!4W=C_T#p+d!HIJv7w^noPIFaAXU93 zmX#NN!&GRSF}W=_j~jqGi8yAwQVCx1;{JV$s5&#Frf0KT4o#j^6o^ff$};QTN*)Vu z4%sQ4mbZhJ#?^+Tnmb(v>VJDV`$+SxLO5;6YV~9`pxA${I#QL=3P{$3=tX;3!b{-% z!u)m)`R(*DxyAPcbT?e}U8rNT7Qyv>1t$vaQZ0O!?{wjG#r!sXs z;fzZ652dKz?Foo*IE>pV2+x#LZIJ1w&;FN`{ZI2Llx`4(Wjc!7fPW~y|0UX5D`KjS z|9{;Wo~jHd_zm|o}hoU#FEmWr+#s@chK={OP59=r^)yRGFy5uqvn8yr(D09{XiiQ0i+4(YWS~Rg8sQ z3w)?3{fpaPKh3ylx`i^o!udt(8J7VxCqx&Cx2DbmyZ0j5H=np8dJ?`%o*P7s^L>4| zbUwh$eFB76X)f|=huxdL5!qOz$x8cKM@E44c0FFMBaSJ%~)*45D@Mjl;0KpbMIX zC!R4(3yxMFP*!?Z7c3w6dnf0LL?GzGlUrUwm&P{?RC|7xAh}vCR0aQyN}yjm@)%;5 z{Z>PV!HS|F)N@e81OUygZN{2{$r$;47OoPPFI-{UN{0PcgaS)aOQ;o<>GD&WnYTSk zUy6jcCrKyc2>e*X$v3W8jr*VGbm z8_XIDwLxRP1QcboiIv=fbhc2J>YK?1-$x}v;pZBbU_@_D0s{yYx`PYm+Poj^q4D+a z4f3}Yq?cHU&iZ)H*SIb+*Mz&iY*B|2!$H&c$1-J8+^9iE*L5$1=Ub%>5U7(9BR{04 zSK5UH@hpsYVq?Fnhs`m}kD(1wS#|ZQ*eMYoV#(9E8}C25Sl?*s*JpZt{8^MfuEYPq z#PPl#<^Yg*@y=34#;tWy2-Aw9yPVW=vW)r^Uq!w5r{BE!u3ll2`vr*F` zJ6}-0o0lJ@sI|vn|Hd=gJS#PUx1*J_qv^}@F|eNRM^zR0>iC98p9Z!W(p|rzzl6?O zwtckvO(#l}5=#;@NR$Y5M|L_fQABz_S?Q%p+~SAl#+^4k-l>YkGNRSBctR2Kz7*KQ zf0Hh+5%0i%%*&m5ol%ilWNR^Q!%$jVK($N?+cVLT%m~le3~j_2_;AL%hV_13a9sE0 z?$@>N^)OYeJWvBlovLV!)Q72MWQIJDb zG}_(42-26ZRw7?&>zrEa(6(<)C&f;BarvqN;-ffYA~oKp5lgu7I#!rS4QwlsqEPs? zaax&w7Fb@xOrPYnYBl(dE2kRG%`X>vT2vfD(+gVQLlLoc z;V^B%0K?x!n+Q}TB~R8sBF9yfy4Qd@IJn84iJRklwr@a^Fq1uvSdT(-*EL9pO-l)d~@+qWaQ__4!v^F`P{RB)@c5A1- z@M3C3HNkVW-?2NNJgHjn(bli+;Z)<=?HyMVWl2cyWn=Gl>I0wmGm$#C>N((C&!WyB z81TBsQDeRA_ko=dW!96fo2{--#P2u5Ac`ZS5065mft}wlT%;Nx%fH`wmoQmHbmHa0c^sRrM} z@i4!m1`uq+pDpMbR-MV+q5S zu=0pY_yvVucX4~}goplXc3sDCcZZR!@ys25QuaX6GYVF-CqU~!Cw*Db&ZRt`IeF;l zUBY!eC!yx|FVNF&C4*vd>Ulcvi1AfViG--@>z-(IDu3rR&_gCgzZvcg%U& z%WL7HH~XBK$1t%t0b5dECEIrD+C4^-XP2~T?zblSTJf}(?T~wYo2mlupuM}`2zifk zY0>v@;guBoiuX4@esGkO^?K0xfX>4Qp6ttC!cLJ>d(dyN67S!oAB}GhbnWED;N>60BWJoWa_{VYeR;9c zvgi88BOb?r%N%HQ`eWj$2rH~uJ^R%NO{FJe zF~>SVq_iZS(SyAHp?8Sq0`1c~hA!r_($30>AC|v0Ts#?}GLjf$ii}smZ0!i)TAXyiO-0QX+Pk%a!Fn2Nj9(%ZsS$3w#=)M7P$CFm|$E z1`j!pG#qnzF>+-F_{OnPmJAJ?I6#rV0=Ri+z9qgS5^30%bh!ydb32XXL5W6|QQUY1 z)k(AlXyzZuElFhS_XsI$&xER*zYs_$l63hgiLiL_LP-0NsXf68_@#Een%}Hvks7z8 za3KzXN1gWrIxmfU$~5NnbQVM0Y)`EV( z+Ome+YWtEt_xcZhOPkbwU}^poW>_a>Z*q`Z9NxHnDrS~AIb+3o7Zf{-bEB_xMBu>z zw@dzl_*tL2k%lFyuuw()oLy4e4u1cARKs8vG5jkm5gDE}9*Y4n4v7^K{HiaNCF^Kp zJN^FsE^;1isRL&kJJ(qgiTYP!EZ9@+8{Bi9R0`+t{Ly`an?3ZwT9)z z)j?%+8aE;v8+Mgnro75%Cg1Ec)zOS3DYjHM>x!ZjTk4|~_mOXl|@TjTm; z5QMIP=}N!1uCk;_qP>5yD}p+Z{W3#_=;Rg}V$4~~Ri$#KDU&8iKv0(tDDvAJp*CET zP;fN3TO@7rTwp%R&VqkH>&b?cmzP&=`x?o2%9V$;V4K~9dXl`4kBSaoVAIx0Ny6XL z7I;=(?TwDMiLic1`+3M}NLQ$iR1j-97dM(pIE2M&O$x4B$Nyflh!tDU^2Q@Qen&Vd z&8zlTWu};{WgX{_bPv)@wHPwdK61qMP`Xj}moZI=ZwSX%6oKM8n@=@2w88Bxvsei# z!!Bj?ZmzB>J@#%8J&ENK{vzM!ueif-qTSFA)sA0OD$lRg^(ZXxX>hiE!CGOZA{^-G zK(HW_wb~tnX^ZFSA>#6YxKTKfOT5j!T%yl!&^xd!;Pn%zi0SJF zv$BP@&Rbv4{=YvmVB>9UXbe7L8LkgK0YwA%(Hfk)_o3e|y@Xw%yJy}{0H(!nA;qP4Rh7a^ zoKHaBz97;$FaKG{R(>!O3+}C$9I(RJygzBVj1cxL zUlB-&UlDFU{3e}r6FDx`qzmOjoqGTaFZg`hi}`(4Po6s)*V*;EsO2$ybrsF{4x&!p zuhB06vYHu(EsV;=?rgKY6OXVS6dd-dp8!PS1>xJ|;sE)iQx*O9uockoZ+yeG!j{{% zj~Y(^Yx4pk)W_ioz_-ud?|K3lN^S5re*y?>v+tjP zpVYeV>iFNSZX72)0RfNVQMMZD{;&7iRXt^APQSDM{`TbwxPnxw z7C^q$DO-}`vtTx7MG-^ZAPH*1YU zA6W>+|7AF72`>1)}-9sFSXvq&lJYcx8N&1Q{EZqqhc8+Jc zuyXa`M~}HroQtP9jt5^FR0Y3fq$l#%5L#f0)3V||yjEH*<8+ky439?bWG_M;O96ha zCyI=AC}sIF&m!@+U*nrD1XIqc#*$A6yA(nY)mCjVGO4YOmM=WttpE<- zP7vy0%NuL%(`ZUEu%Rs~qVx1t9Sq+;=*vRxI4K`?^r=BwdPwG!;Ha%~x3a*9nryR| zCGc;oKQ3lEK_`hWP8~HmK=QQcLnA99K9thosB2HIZNL`vf24^SCF#jGeLj9E(r4hM z#qtW0P}s#JUx!Uzg@o!a*9WCCObF(jKN6>*wej9Q;j>J~Hd*XKvb+ zee>R6)VZQ-L@xn(2?e;Lf3t(fvrZ-_9s1GmT?wDO*n$<>0;hTVQUGJD#9{LyW7({A zshtTwU!*oEZg4l)@f11tCrg_b2<;sgwojezwVwcI10$cdAfH$Z^RRL6CeK>DV;Nd| z$yX9mM}k2o+API~Nuhyr9s9_ag_!O(B^bqD>k&;|8}nY1aKBMNO8&a*v##;#injycR$zj4B3|W z@GATiIwIq8rZKwq+c~HHK(4g3)M}sjK#ABQxeVbnR{N!4z(l5S-07jigId6_l@2p? z5th46Szb1i^SpHZdjU@VH|?VcRl~T+iTG_Fc=Ih_s{j?!a7`86`ULQFosvr5-bBo= zEJ8M?E;@L|R*A;yqy9SN`T3MT+C2e}ZFWyUWZbWE(?uFHPWLH$_6ao!c=gF~JC$)|bpf@rn)=m5snA+;g7=A@F1n(>8DLMt zyQ_vrM&X^>@)yzwp*Pao{SY%tyPxfmo8^0EIb}i6*CM?HJ@lT)weg!2S&Wt9x^qi0 z7&;k8-O1GR*O`2I`nqt!v}gzHv%dC-$q*mz4_)GX&u z>$qgCEjsZk-mg!-kr@o^034~}`*5a>PiC4IujlF0mF4&$Q|MT>vC*M2Er(#7j=K>{ zA&|T;f~CMGZ271N&Xkey?o~$~4)1&DsERfJ^j#TRYsHWN3FgjPoWO5`Cjh6%7`N1l z+sR|*DwGXft+CLUJSpSn?jeCmrwK>q*X1j-<|q${?=TB_yr6|INO|d5;%xK&e!i{R z8ojc!*?8QjSH7O&C$_(goLw??nwT;+P-Fvm^>Z`VD&M4w0?t)n@^-8rTf?f z)BpWaHRiD8b=%(Eod&nJ(#Qm}%Zfu8aM3GRs*Asn#Y=jq%efss$LVLrt{rab;eh47 z*|_Efj(b;GYCfvpAOStne|xHYDQuQLPrAZ~p=G&^-s9>M;|2e6liDatn~3nhv5n-- z^j%82(u|HE>o`N6(3c{Tf+H#j&C)M29tw-x%6&$&+|o!Wvb{WdOhQpp#}*#VRKr5K zpI@OLO@4Jj+0jCOM8YZ2D9-zi7m6>V&y^Qn9{hx>r2FFFfX8YHflQ@aO7EgSZi^qDmnx%UFpAd5+huF6&5)DYvd7rCD;38z37A>g|Aa_UJQqyE`GRI zS_&y8*0<4glZilFhh>{F8z(Z?z7WtuIw8SgDsDc_ElmrpW`ue)^X54ENbiaM*pn#G z;msNTq1I(}E$tTiIoLqw-LKovlud6)yG;OoGNR6hM65R@b#{9(n!kygh4^w77a2ph z-%2zgkde#@oKLxdaRaQpK???T4RS`8QHWkEMX4F$;^#|rCxTMpOhsRyFSw~1(E45< z(M;hajxX{13x34L#;e{L|0@jrA2L}kpFH!K<_cl}&2qiFE)m(pnL<)T*lH>4TRan* zMa`_?$(Syr_M{kE?7vAU1lx+lq`pMmZE8+3ZLIP1_fPR*{*rUid<}WUcBkyDNkcjX&lLvn!s+B(IoZJ`;?TB*ue!%9MTa42_d88BfPLXbCL3lNaE%?GFGo=0Dqmb;fOs+#*-PrOn|2pt_ zomRRJJ)uz&)F*&RdLSlNpEfhmmVCXJ&9#o6LI67->Nu$2ebISM|2V>8j^QVJ7cR&m zn`?4RCgUU5)JWFOyPrH+>tn`QsW&4gOFXyQ!m_tUtj8vDeSTfmwKTJ1wef{7CCfWO zPMMHp(09>L-(5MZe;;<7c-|*gMo>n>yr*o(r_F3e^6uk#xK;qel7c|sEwslrHt6dU zAaxl-!<5=25L}=B&2LFsNDO|iy1?FIHSvCeF-K8mn%iUlxbOTVzdyWOGxgt40Twc_ zX1q_XS09G{ZgV*~hYn?CYoE6TZd&FlD1-RkR-?B}le^Y4Nay zC8#}S(dw*4U*OBmrnR&q#76d=H;5;wWZ|viH=2XVJ~A3f5k4ME|48lHwDkFDHx3W$ zPlGt5-xN9z`WpQsFm7?Wx5yYN3a^~4<%<;+=f*@NNW@6#9UX9@KfQ42jt-4A#LLK= z$AGkhR7+T$RJ(bwvC$pEDxQF?n%B)z1l(pw#J8_*N$^BLYo5B5lUWC463zz@hP=Ic zA5~pBG-G3IbT~|@HzfrX(t{Y0nPD5ul{Q(u2_|;R@*M7!h55PZ ziU%kpnkJ=)u{O8Y+J~#r=j+{MRFNUMuXni3tyguW@JuBcBs%q5-psd2CT3`kNgv!} zhz{XFt{T_}Dyc$!;;7a<>Dd};QyPmW$J;|I@RuMs-qn+GL4d%ZOIMtdCwb(i(ox}R zF#~nm9&yU(bHs_oEq8LF6LZfep!wtklNaP#n>_r{%ss@57V=(E!fU!`3kPkCI zO9V5&L^5jL>`>!mx?f1X_I>NYk3bO@?`xC)r7~ zwdj zHW`uJm}2sG(sBQpCO?vdt_ZxJNN!^jS0H?v7M}K~5E7ABsF=taR^Db}&T&ZTH>+YZ_SNP98=*v;aH8#%U`3i(U%Ap)be!{TxzcTB{|W+$z<67SY?{7?tP0) zHv&#vw#O8WWZ0lWvL_6qijr?{Jxr&}2nDh>dU>nvFo+#RPGWSdUKdTtU?e67)pf2j z)q;WU7>ph6i`?>DI#e4kenE4%GJc#XciZ?6AT=s^evzV^=ZZWTT7?Nj+Z$t@t!4bF zkTo3czKicJQ`|4CbEVImtX}5sm&bXG0(IR8h3JM2AQb4erKx~_1Y zKTX)RCezbMZ1PlYAU$?rh?Ie3VJG>@Ugd-@tq)40R;7%sM(6Y%5Wd|T*IDy7+Oc6m*s+b&Iv_styaNDOqnQU4wQ@ou6J~cp_ zMNW0y^UQ{>yN?EizF6%IK;fIEH~L+~O+&Qs=@DuQT>r3#{stio)4w4v zkoojw;x%`8UV2q+9R?oN(I$vr;!!rh7K_2K&5A)2Mk837w@6yu1qQtU#+KLxe3pWs zx>+Iix{{eq+St}r4etTjw4Xu{J#_K`N^1aFyDiZ_ZURW^#JP(?5(F%peTM4CVL~NB zR=UuTX6{4&BoGyX$(g2O&!xlVYiG`v=iBoZ+Wk7O?2sm=vK$uLV*(Bd49{({$#`?h zs?WG%)IGx{vEV-dU3hfNDI$}DUtP5Y^4HIfGKuDUJAwsiI=axMM6Vz>QGPtj8_1g) zr@+X*X*euBH??a{nX%e0i=|Zh*PK|2R=+O=a@?aS6Pi7T`89RZ+;_gjIV13)g*m=Q zw(!ZrFODxRVGk_wP0(*L7GmpRt(R63E`FaEccpV;KPRwQA5rz|j>`9d*0Z)=gAHE_ zS59-M4fh1INiqBZARkb7EZ>Cnn|gy1%KbLAmj3{VEMG1^C`?d{?x}G3*gcCIS9Ptz zKIP5LFD*|yqzmWgI|CSf1C@`0NpJnOgan&WWe?5OThYSlt(A-1Pw(wxPGP-f?}qwC zQsR#}mLt~cnwj7Ft4)*yh+6O+NHaWB>KC^8jx1}E(DATkb#}GwgB`Ud47h3h0R;MJ z-FpRvjzs%Q?_^X2W&I6hZFESyP;LqO@N)Zgv!$g@=d!**PRVB0=-Oy|V2TWEFh=7y zSN?VhmY>;HK5wQaYLVySnW83Iob%%lGC!mz-m54&0^&7n9O&-{K)sEv8xoflt_{x? zB5{hZqLXj0kw2xr1=AYn7c%=T`0c~-1-rkLEIgulC7&VyP)VR52T z7mkv+&!yV&P>E7~SU)VQcY&qyDW7Ax) z3Z!NM;H4<%cTeX9HGjjB@qL5mKUZ0*xvI%QUEdP0M9sia&WrHB{6CnLqu8Otdvl9` zla9e*kz)caThIjlwYC#tkJIETNmTE)^Sk{$atTd8x@O=t2z}55mjNDC>m2(lNQ@!& zhK3u0kj=}(NY8rb<#twOPs>DX5J>P^i(-!=kn?FK?)U8)qJF{6{?+4o+t-s$RwsOe zS7WNvy}?&%YH(y)>7;SJ{v%+o*{-e_bx+(h!D*OR_DLdS%^f4$Z@Zr{w0hb~L zBIlk+4Kyey;BFV!gSRY{4fIPL#gZ^jn7X;Ef3_U)Ra}@TK!D57-ePKBF0jES{S|z~ z#BAcc{VV?f_%=5;it1@aGE}GP>Lfqe3ZTV7Z4~JY|V$naQw@ z%Bz0QJPy7Fk^aFUi0B3df8S`CWk{rGnPG-#7k{ZXHQyAOEYybd~tkq{BJ-N`Q%RDU{gc%(?1@77Ou0oWkse)_f zo#CT39Y~L+@7~Wb2A`yjD4WIH^7E6Ogl40)fXks2ah3pzD7hnr@CcF2u~`e}qH<(0 zSob`cp#(-qsaG$Q26BeeLJ8BRwX~03iQTWmO;V6{F#$cK-p8-f?&|C9{PuJRzX4wt z1vrWC+oiE>HlZ@SCxDyWkh{dtNo-OTvcn}dy#k0;*7PLj8#to8H9E{L*rX%+0e=;& z*LT2@s5k4BZMo5fwfW!!@W#bet1CI%xNd}syWi=ayird`6zk!+>`o3dDlYZa=~y8LEIB5NwZe8ly} z2`v^~=8SK0E(6)7JFvClN)@zDXI$%2cPk8;@4NS3IiSoYhZF%;zEGBsye4q$B7+m( z%4QCVD}>bP>M1mwI7J0r86PZ+6=`!6^G_kJ0C1kKd~bT)d`(_9V*G=G%>%xKu5TEJ zq>LK|SdR6}TelFrG(z6bPvk7gQ)NAZwF5-h(lq(k5rKn!|A3wU&T#yv2zsP8MI<>D z97c|m=sltY#nmu@4L2HRv=e`>(`uJcD{aJwzz$tj0J|u;R$(dq-roRsHr!z zy%8k&InFjdrICjm5-H_2?W2O)lijBM0{~k8_&tN`Q2%i)1-qS&?pfB_kj@1AdLnfN z{mwy3wDft@N|GvIi@4kZw2Q4M1CV~l7*!(V6V(#vJ6hgPqcWW3?SglhrU+F6#5LD5}WRslDgYftnlF z;xBdqO_WDwuX-((x);B;gMOvXToI_X>SfiCZ*t>0X|l6h;r@q1b)6`c7HtP z2>pmghHnFNM6^#p=WrC_>n8l>I9Aad-kD;K!Wg^SW3xMi*Yk_5z5N;*!d$cRsQoFr z2u9hVZ-%QXMJON{fpfH9!Y@vo$f{*&*J)|D?z{+0xAEjR<032k1E2{E7{OngG}xL< z6^iAImI|(vf(sn2T;HHc*a~KHnIL|vd{k=~ZJ=SoV1Fnnq0x)G)dv15k!oItx-27& z{KS;MYJzY70sLws42A6}9UiQ;0j715@y>0jhN_W7bj?@Xy@~xQ1|!N5>~rTVm3xJO z8Je_#CUJ-*;I)KXhEpWt`+1jpkoY>$L?0-&S6H%V`g@w5I_3wGL5k4dy=TA50xm2? zA;^AsTrS2q^?~+sUUu%h<3F%bYnBhLhQF93I}9y(`xw$yVoTUd^(L0u9sS z>txWeh3l0!DFLrS9A@mmaj4~S8R>?&hjDi|J?6Q(iS8E<;n`^%+}~lY)4LX351-8u zJiul?HqY@$uEB)Buwip*kKXmchs4-vQ(rqf%+!#neDVyywYEb;IsJ!>@U@A;*78IcigB1-$vf1M05*&FG7>!<) z5apg2ZcaSkWKISt#uuawCv7aoVrsh5ZNjI{@kb6+lF8Trb^FMviy+pj1x)Lz?zd*o zyp+Ek$hGaF`?{i!o`0-=*4>vck_>J|v-5TFCfuQK*{gaw|0IV+F89N4XK$>s;dn7L`4&(Nq{Ii~$(FpC~(jf9l4W}^V3>iV8# zuv}nB)|c^ln>X6$vNasOWZ#}3e!*mp+60>tT+)sPSeGJ?s|WUFX59BC))dH4XD23E zMz7^l^>pFVR|)v2FwhlIVnlAqy9Xgs6g_PO26(aLpSc6ZAXNOQ`XOY zv0ulvhV@)J^op$0nm2gjVk&=y_fhiMvX54qW*JCb>IzPLxaqhCFwYlBdGo(S$Ny`o H_Gji_dnsES literal 0 HcmV?d00001 diff --git a/Workbench/idp/shibboleth-idp/messages/messages.properties b/Workbench/idp/shibboleth-idp/messages/messages.properties new file mode 100644 index 0000000..1544641 --- /dev/null +++ b/Workbench/idp/shibboleth-idp/messages/messages.properties @@ -0,0 +1,2 @@ +idp.logo = /images/csp_logo.jpg +idp.logo.alt-text = InCommon CSP diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile index 98f78cc..160806d 100644 --- a/Workbench/webproxy/Dockerfile +++ b/Workbench/webproxy/Dockerfile @@ -2,4 +2,5 @@ FROM tier/shibboleth_sp:latest COPY container_files/httpd/proxy.conf /etc/httpd/conf.d/ COPY container_files/httpd/index.html /var/www/html/ +COPY container_files/httpd/csp_logo.jpg /var/www/html/ diff --git a/Workbench/webproxy/container_files/httpd/csp_logo.jpg b/Workbench/webproxy/container_files/httpd/csp_logo.jpg new file mode 100644 index 0000000000000000000000000000000000000000..cbcdab10bcbc0569f0daa585856e53e1beab6563 GIT binary patch literal 22665 zcmb@t1yo$i(=WOQ4;q5QAi-@Q!CitwaCZpq?ivX05J>RgFj#OW5InfMyF<_bfj2ql zJLmh~``)|j-nDMe+P!~WQ(awMQ{B6IchA$@(;DzxR#HY10D%BN8ukI6jsYGeO9xj6 z7fT063U-!P0M8p4c?1ODuk;tD`3pXuB8{Gp1F8}B1D}09x_#sSw1I&jBPM33q@pM( z^H$<7k?5Dkj*hl)&jG;B-ql$}>J5dKwhjgICIAB902F{6U@$guaTHZjdizJ_Kli`n z|C?RUz_?*)67omZzvTZtfNg5#VgdjlB^diVQx_9E7_Nm~3nq@vt^fcZ52I6gxH|s9 zFgk$i3{wz>`~P5zzwy!^{O)gj_7{(uiWmU=u?Y&gv9YrS0HDKq2vE42Sit01bQb%WXKuS5mQ(Jh^&RbY48KX$Wmkoyc)L;qFR z%|>1HA8ctR^RG;AOEt}Z=yI6*Cmw(=@E!;SqJVfH8At=N zfjpoXCBCvTIl+0ueSnLF`wW*0R|Z!P*9kWWHx0K2cL;X{55S|r z%g1CJHz|KN5ZGT=fYROH^cYAPr|RkAHn}ZKtjMlpg@2i@FPeg zs3VvlI3f5WL?fgj6eH9lbR$e6tRtKuJR)Ksf)SYz`4D9gwGb^3JrF|?QxFRg>kxYo zrxCXiuaS_D@R8_{xRIohw2`cle2}7%GLb5gI*`VZHj%E7k&%gznUDpM6_JgRU6DhP zQ<2M%zadW`ZzJELprMeXu%Sqz=%Co61fis$KvCLJCQx=!?w>t>M)QpCnc_3kXI{_Z zp5;Glem44S``JAzHYy#eAgUUwHR^lR&!`osJ*Z2l7ief`lxVzY%4k+-foPx6zM}P` zt)u-ye}T@3E{3j$?uH(VUWDF(K97EZfq_AbA%dZU;ffK9QG(Hhv4U}niG#_4DT8T> z8GxCNS&un^d4lx}iv~*+%K*z8D+Q|tYZU9~`LpM=&&8e_Klgv0{=Dh=?DH#Z9PHQF zir9A8(b!Pz0qngO$S-JLNW3t8@!>_@i>?=&IPf@BIAS;^IKepiI6XMqxJbBkxH7ob zxKX&}xFfh{crWlc@HFr|@zU|y@Ye9*@oDj8@NMzq@T>7>@b3sn2}B9Z2qFk72qp+_ z2uTP<2+as12`dSw3Gav~h$M(?h!Thzh?a>Fh#85Mi9Lw3h7eI#oq+b72%7b3SJ|49Cg{D1UDC;D9aDF!449tInR zOolN=I7UuJOU87@Q6@MhE+#9cOr~*WL}p%Qd*)o`SqM5r6ygpkg{-sSv%F;qVrgJG zVWno(VNGD|V|{$Z`O5ZH{;S2;FJ8;O4tm}E`X?JBn+aPw+Y~znyCi!6dn5Zf2NQ=G zM;6B%Cl04PXBg*q&fi?zT+Un-T>ISA+(z6P+_OBmJW4##JpH_gyl;2|cw2dY@p19F z@>TPl@Bf;oa~LKH$qLSKZ|gkK693+D=Nh){``iWG|M ziZX~=ia?%OXvofSICNd>5XR_R~ezM(i=yIxZX>uEH8Q(g;ZI*|Vmz7VFUs9k^uvchM z1QcZylN6Vg=#-q4T9lELm6X$!cT`@h_^R}&;;0&`LRGKT-l)Z?EvnP2yQzQIz|zpu zDABml6xU4DT+?FJ^3xjBCf2snZqz~6(axzd%;P1fDk17yt8;5<>ul>A8%3KUnEiS23cIpoFY z72&n(E$Ln0gWzN0^WFEQ?|a{MKT*FNe~|w>|L*}*0UrXk1Em6s-=n^_c|RQVDkw4N zGFUUX`2*>Pzz>@tQX!?Gn4!+0vtj&U+2IJ`R^cNN>=CIEkCCR4KcZemr9?eMn?(PJ zc^&gP<|)=Zb|j7~E-M}>-adXNK{%l}5j)X4aWhFiss1Cy$HL6uR}OtoC~_Zps>idvf5j5?gU$a+w{SN&OoWy4ydcH?-HY}5B< z{^q(CmX@N{m#yh-cx`d*sO=xxpT2p2yXtW4IO??M-286%eX&ccYpPqhd!$FMr@vRS zx2sRI?_0lMf9n9>K+_MN9}RinR=_K{s|>4^Yg}t> z>*DJ}8>$~umyS~4Pyd}CV{>AgF?@se>_uk_H`Qh_# zhTqMPa*s<-c27@^#?Hon#RBlK9M0Sv0Dcw$0ERX!b{GQyRNcSh=f5~Wf5-eV{3rJR zbNxyG6aG8K{_7hq04Ndx0QEosc-sL0S+I)+hS6d7KVg!Z2mr^<{_h2&{7Ek6>}-Dl z5V|ugG`W3xx*!DrIT3tBf`PK|6|cVnj;}2qJZEL;9%dXJO@DV@E}A4L?l!g6%PInH#`C& zHWKoSm#;-}l#QKmDc>jL;8C%?QK>>vedp|&m|NXBj!(_b$t~u>74)&@I{^)cxO(vV znTcCo*91%^32bc%Yw$l?L_matM?(Ii4mUQeK{y0B6eKth!XLNzyFqNkKg}s4;owrT z89Tumtm+&;V_(Ok;&^k8ubTL@0HDLV0EZ2a4G07CxZ?jmN#du$O!OxJjuNg(%ezhe z-4~iV?ns^`q0&P8n-*TJ)a#u5H6Ct}i)Any{{|91;xS1wEuYNR*{f_3wI*D=Mg584 zZBDU=9N|8+ExQ1@EPE*Vz2QTd_uj7(@{L2`EB>{jh&USbDC;`~#R5YrVLs$10ML+3 zH?Z>lc66#1EFA5>yBcySJz1rbEv7Q8PZCz8Lep>H$+%V$ErUM(qYpidvm;30`z0I} zWj*}|>>P1%iF54#?c^9m?$W9>UqT9d0FiQ-9P(V8!KVs=)EDAx6Wd0EI*~TLyv2tH zuDOdEgydAWZ3H9~^SYo+7`gTtx4!C?+J$JE{%$9_o8Q-6Z_<>Qrv}k2d?A;X7C!PXDymlJgcO@3e_{PnyfVBiLSF8)VcU*{yc~8%*+AKA zs4m&;f#yN?rkR_&+{wdl$$u=q4Pqb0|7LYuY-sCKrSJrNw33?oe7EMwpZ)EnE}xCT zd>xaxqx{_TRgeMZwW~)>T%c-RX55&44=|I6f}M<=mc zS{f9ZA{!Z@jjJ59E4T}QR+ItiIaW~$OzYMeewCbR_m3L6KNiO0cXwZR`%2$Qb@<4J z+4vQ!8R#95uxHCjbn_V~e)c=II@$5QVZ72DR<%DQunTc@;VdkD0(LKM4esj>)_u!h zaZ$n53o>m1V*WH<&>F#eg0h7QILx`RDR;e_7CQU;^AI5MSoS!L>U~a7hogbSVcnv2 zB>_D>eeSU}Esy2>zzN_)*W`s)TE%3lqPA3_NR&v?Zz9;S)pCMn`gUY(n&3s*k?ZJZ z49S%uk$fE&GcFrF48I>QouGX(iPajA96e>##*MgT6si$2*mubb?Rxlt;S@t zzY_^f<6Zakb*|;jcSA5Gcb<*O)6uq^xk~6>?l0;-h7TlJQam=ZDv2nsS*YL>j2L9f zl;>?C4)VA_G$3Zg#*C<`wRi%aku=_<1o_ig7_dzU5QGjAjMER7NL)Ne5z z+P~&brcpFLiHQ{^U^u1#2yi%8saAIshgH+i6p@c*bLlt;%h`Thj3R{L*N{ynY*oJD zDZ_|Ute*64(=?fBRO4KGls0+-iknP}Z8po(s;Yh#e*Uh%BBrC*nBjxps6~apQ@EiX zTCMa5fPVcdCR-@Ln3!@3?zyt-KLy1-@~9;?T(5I6KwkZB=zjtn;cuZ?k+C)*z8tPY zD`_5~uRN3DoGXiGbXgAbW?}=SkL!em_oXjGgUY9;lHHyw{BT!YFLRlbPS}mGmtsaY zJ>TJBmOqtWc0HCdanAP@$>373_1I~26w>QcuS#L9?Pg zC9NV>%Z4)661=Kk4d_TkCd`A3X4NI0fTW>?Pb3EXdpwIb`WjFctzFLbVVC#F6tPB? z@^ad`9;vmjc-XwcgYavUf=<=HIMIDMl?$n^pH#CtEGa1b=%-B*XSpX8uEg9@#YAe} z;?fnFxsOq%p^L`ADk;0597wy%>>pt1b$%|8JYd(XtY4g}E~fG$+;Ct>7=FnYb=oX- z(mQv%&?a43On5ly;%m#Ew18BA6ZlOso{W9m6pID!-ldCyto>n=qi{$~ah{H%*5Z{J zc4BHT@8&u+rcjN5ujrotW~YpIDOV$p9;;vq-S?jZh~av1#YRJ0&v!Bx(U;4(_W#6pNTDPa2QQCgt&S9VaUaq1nEy_O`|tW-i%U8%9! zJ+xM^bq+0%+H>um_fn0NET?60E8%jMuQ-z);`D-y;@8#rPMIN-(aSHa!ueg+PJstu zGUdmWC+`)wD&-4v%T{uIwB1KXdK5tR!mP*`!Z=fI25sR>?_vvg?GqNOrHPnLTG7M& z)+KBGM^E_bmDM>y(^mB4pk!?OC<0>01_I9nkR#Trb*d+y01M*!d8b;8xvcME;0=#K zNAR-~iXfke^>Hc0&SkeUysh$(F)%|lfsDiFnN?PPCVqV_!(!JEeJ}-I&KH^Ir!ERk z$3$e)75*{Y`FFx*bPnH|=1($@Pqg|3ZXt=2I?b~sd%6%BF1ipO z`?-UCaO?4Aa39&%^^P-bzMKz1JdjsLcyA-kThZbnmCqfnb)UI6N?6sYYYzX;6i|pi z?{#F4;{?wq6%>zSYsjAM+t8(XWZe*<2tO|^*RCVt3^bDQBimYMe;A_Et33YA|Ay0DiW~l+HNuW(<*Z4x;92esuZ?gL@4AM$fL< z`92w%o$u6t>IMIpyjV5NV#u5p3KdpwicJ?(q!aKzZIj|Ge~i+xZt*E8YuCiFJHuX^p_pEoO2AP*|H>+tks}yB{`t!Fy6&ptC+%Bqux{Sls ze#4Wdii+6ij_)pe@#P>|~Xzpoqj5p^Q{Y7!}sC?^us_Ijhvg(t^ z(LgK>eJ2o{-t8GYM2;PD&Eh!V=GM-dkwP0b9IG6BDS9r@ae{DTksjiU-{Lx5r??!7 zPXzV__BYzAqHS!sWFw)GsofQHuNRhhwUyFECqC+^oZ|_Ss&3mJu^#1b?1eh=M8iEB z;jswAd!dbXypenFUDBlH$GaTQ$Jv@TzJ)KS+8VT>!(mV*0WK>tF?UYnhKef7b7UJ7$b6-qW&)URu!ySpt z#YssxM{Xs{u?saJ`l)_ffkW!+K`dbF-#55dUyf@cX?>@!X^q3~&R6_(K6mAg<&+FL zN5##478xyMySn? zuJ0=FZDjW&%hkQ?FnEvh;Jsy{oT)4iV~ObEiL}(MZHqLtk849GRc0pCHF+j0HS{K~>uZwu-wq&I24%BSU5Zl5hHp17RJw@#rM5x+an9+MF{P>lvOh3HUq!lm zmq9(o z*RG*w;~7ZB8xz(x0>+Bp+=BASx!vd*TBM;Es;jd%6nsh|%DU(WjrpXMWQ}#=aBA?# zbHtYL#ArHNyG^QIYiVuyDq_W)nDkMS2H~5B%FFvbmdkMdsKq47)ol9WdEP;0Eu(Hf zP7GM6%=%WjT8@5Eb?V%_Y>Zo=8j!5?acUdI&Yzreok68-aEpnE@%>B%?gu>W1Esv@ zk;s|TGT|1(U9*xy$7*=N3ai<<@e{Ubmqwi2I#7Ofc1gW`(*b**^Ml6;dE@!%B8;ZP zP&Ixcp-}iIz*U$`Z<^b&MUQ1NwSx1CvpTy{pkQ}H_9qjqu@e?{^Y-q(plew3QC`1) zc3M-W=R6+oGLF7=)zs@Qp$8U>C&1K!zb$h)i@)esvOMMLqY#-asQ2*Z5UabiAbMWD zBS3R%`lB;>senSqO$|BTA<65aCWlOZD5T-dcw%q=gvf=J#}XcXlSw8?*WB)_SaHXf z*6t+OixP}viJHB>9#tk@szAGlxw>64eLH?Pq3vSV&FF7coE3wriP7U4E z?-0ysg;%6>*6&LDXw&9Kmi0kN30rW%5y2@|Fv}Aedv%HL_mz9j{Py=r#r?|{Y=^dv zD`pbH<)Jt6>|Nca%z{Ce5Wd*7LrvtOW&#KMwk`1cK$pJoy&Sj7Xg5=B?H2UHijOnj zA2xkkM?qTxk#iVSrhc(KU^mudrUNWHb*9+2iTn`*hp}QE^q6yXlKNzs1p$~ZrZ!h* zvR7^x__=b5cD{}p{0N-SHKt8@L-Nu?GSF+c)f7?x=yBxOq@1pC>CvBubRWkeDc|Wz zH}(W!v(eZgd97B898WoHl8?c(yv&M-vmqPJ+aE{zsChjgq|WWstvzN*2TjOXbOp4< zAF(@Tte{)9%mdhDYwaQ>B)u9K;rY2ExTLmI0YxR&oKoxWH;yP6@recCp=B)hHnEI- zQZ^0V;uyjUKYmU;0knZm$2Y8nJh`OX=XH&RbT41&fd)kcZ_8-Q<|XvgvSbhSD$5Iv z2J;+$&BQ)}!N_`mFP>+;&0A|meN}TaKOSZ)nz-nTm@Xo#o8YXC62Bs=y(7Mo(IO)| zP7@#VT4$S@FwlCI&@`E68sNjF`I(l9BQZ_3^7*|zYUh5Nm}a4a^6W&*-kGl-weim6 z1ApW^8s|dFFYBOnDcT2BZmL$YFSo%R<=U#tpR6xTTG7nZvZrjo@XjaL{hsh!UgXAm zA1AhX6?$yIK zUP+F-p_IPa<>BQEKG}FubkP&zn9OILU_}8k1K;W^eu64lnV^b#_%VmNVY2T_4;o?; z$Hc28RCb&)W_aCLM^SCs0$Pf~EGB(v=`KV+>SO7nBtm9WHQo_^P;Du5vfA!i42rcX zMI2R>*qb!acg`n7w;i`{f4%mQ5eFv_zLoFW`zpsfThpL6Z>VOT$nlHtuW%a3(!)-? z({6_6Zcw-Cam6^rV~u_JheyfHzMifVZMUkL79aYy(CT8hBYPvyC_m(NUz_1{-2*E| zmg}27Q4TxT#JVL)f1adYblr}E%j&PnNWUE8H76qJ9%tse>X9;dF0)~GVn{M-E4Z8V-0 zTb%r{WTMV*t{t7zxAs>O2%qhL^}TrAaemj~?}z{;^`^IhmM2$fjH?M{k}v8eeoZxqsNKAF?0y@iRUX z_WnM9ia%VTjX|Ro8KlqVQtXM(v!AZlkYWJaoo&9F}&Y!4K@-0d;o5-QMZCyMF9-9KU z>nfL*7wS_|it;$yDXPsgubZf|0ugJbk~NlPERKy|O;0GSPz3H|or&HCwL{X(hs_fv z#&oUrw>-G3f_(-B&KhKpb&h7oRo3TLZ|__b_U=2fStEOno&fp5LXK|NWCU-uQFhre zXW|W@*Lw}%ar_Z<++N7N3{mT7sEwp+y;<)D-4|$k$El22rR$b5ne|CZt`<U$*>MuDTIrR>TZ zxujH-hk0TOMwyKrEqi6Coek9WTGnL{5?mA!+%5zu5(TRojV@c*8hL z)U(yK)Z4qb>hn{lxQ~xJjB~_f!5L*u6m@jmM=K?}=F1eOYl5SV^<$0H_WRL`rkmZg zucv90J;h>~+HZPC0!E^y{C%Z&kAIY(wh%Q=It-XY%}h>BIY&DqCoB1PLw9f`xs77&xKO9k_q{w!N;-qLyV?c`CEc&Pb-%iZ!tHQorUG-$r zaB!4jx`OBp1Kn?^^^fo#0d?$Wq#b-bATJ^K@X;z?JJbO=JPEFxy65-$^SS1{pS$!V zrPl`q&Q}x0Wv&^NC8*UeD+Vrvv*7OX8?UYI|9ucH^v;m$r_jvWuX1+{ z$zBJfPfBVFD}J*5Hw(g$?BV=J=(OxZWdoUy88WmxuW-wC!j>_K)?2GRepAQ(+5(79@5?$6kwT*tv1=h@u5<;)98Rc58U&} zmpib)iMP;0`@6Z>+9@LiK82hsBltwCTSs)TSi@NYT;6}~v{N31xd7&V*EV))5#}I& zlah4WdCi1B2xYzt5W|UoE+xtm2EJq<0h`q1uhv_AziewBwGx2HXK*C9;!4W=C_T#p+d!HIJv7w^noPIFaAXU93 zmX#NN!&GRSF}W=_j~jqGi8yAwQVCx1;{JV$s5&#Frf0KT4o#j^6o^ff$};QTN*)Vu z4%sQ4mbZhJ#?^+Tnmb(v>VJDV`$+SxLO5;6YV~9`pxA${I#QL=3P{$3=tX;3!b{-% z!u)m)`R(*DxyAPcbT?e}U8rNT7Qyv>1t$vaQZ0O!?{wjG#r!sXs z;fzZ652dKz?Foo*IE>pV2+x#LZIJ1w&;FN`{ZI2Llx`4(Wjc!7fPW~y|0UX5D`KjS z|9{;Wo~jHd_zm|o}hoU#FEmWr+#s@chK={OP59=r^)yRGFy5uqvn8yr(D09{XiiQ0i+4(YWS~Rg8sQ z3w)?3{fpaPKh3ylx`i^o!udt(8J7VxCqx&Cx2DbmyZ0j5H=np8dJ?`%o*P7s^L>4| zbUwh$eFB76X)f|=huxdL5!qOz$x8cKM@E44c0FFMBaSJ%~)*45D@Mjl;0KpbMIX zC!R4(3yxMFP*!?Z7c3w6dnf0LL?GzGlUrUwm&P{?RC|7xAh}vCR0aQyN}yjm@)%;5 z{Z>PV!HS|F)N@e81OUygZN{2{$r$;47OoPPFI-{UN{0PcgaS)aOQ;o<>GD&WnYTSk zUy6jcCrKyc2>e*X$v3W8jr*VGbm z8_XIDwLxRP1QcboiIv=fbhc2J>YK?1-$x}v;pZBbU_@_D0s{yYx`PYm+Poj^q4D+a z4f3}Yq?cHU&iZ)H*SIb+*Mz&iY*B|2!$H&c$1-J8+^9iE*L5$1=Ub%>5U7(9BR{04 zSK5UH@hpsYVq?Fnhs`m}kD(1wS#|ZQ*eMYoV#(9E8}C25Sl?*s*JpZt{8^MfuEYPq z#PPl#<^Yg*@y=34#;tWy2-Aw9yPVW=vW)r^Uq!w5r{BE!u3ll2`vr*F` zJ6}-0o0lJ@sI|vn|Hd=gJS#PUx1*J_qv^}@F|eNRM^zR0>iC98p9Z!W(p|rzzl6?O zwtckvO(#l}5=#;@NR$Y5M|L_fQABz_S?Q%p+~SAl#+^4k-l>YkGNRSBctR2Kz7*KQ zf0Hh+5%0i%%*&m5ol%ilWNR^Q!%$jVK($N?+cVLT%m~le3~j_2_;AL%hV_13a9sE0 z?$@>N^)OYeJWvBlovLV!)Q72MWQIJDb zG}_(42-26ZRw7?&>zrEa(6(<)C&f;BarvqN;-ffYA~oKp5lgu7I#!rS4QwlsqEPs? zaax&w7Fb@xOrPYnYBl(dE2kRG%`X>vT2vfD(+gVQLlLoc z;V^B%0K?x!n+Q}TB~R8sBF9yfy4Qd@IJn84iJRklwr@a^Fq1uvSdT(-*EL9pO-l)d~@+qWaQ__4!v^F`P{RB)@c5A1- z@M3C3HNkVW-?2NNJgHjn(bli+;Z)<=?HyMVWl2cyWn=Gl>I0wmGm$#C>N((C&!WyB z81TBsQDeRA_ko=dW!96fo2{--#P2u5Ac`ZS5065mft}wlT%;Nx%fH`wmoQmHbmHa0c^sRrM} z@i4!m1`uq+pDpMbR-MV+q5S zu=0pY_yvVucX4~}goplXc3sDCcZZR!@ys25QuaX6GYVF-CqU~!Cw*Db&ZRt`IeF;l zUBY!eC!yx|FVNF&C4*vd>Ulcvi1AfViG--@>z-(IDu3rR&_gCgzZvcg%U& z%WL7HH~XBK$1t%t0b5dECEIrD+C4^-XP2~T?zblSTJf}(?T~wYo2mlupuM}`2zifk zY0>v@;guBoiuX4@esGkO^?K0xfX>4Qp6ttC!cLJ>d(dyN67S!oAB}GhbnWED;N>60BWJoWa_{VYeR;9c zvgi88BOb?r%N%HQ`eWj$2rH~uJ^R%NO{FJe zF~>SVq_iZS(SyAHp?8Sq0`1c~hA!r_($30>AC|v0Ts#?}GLjf$ii}smZ0!i)TAXyiO-0QX+Pk%a!Fn2Nj9(%ZsS$3w#=)M7P$CFm|$E z1`j!pG#qnzF>+-F_{OnPmJAJ?I6#rV0=Ri+z9qgS5^30%bh!ydb32XXL5W6|QQUY1 z)k(AlXyzZuElFhS_XsI$&xER*zYs_$l63hgiLiL_LP-0NsXf68_@#Een%}Hvks7z8 za3KzXN1gWrIxmfU$~5NnbQVM0Y)`EV( z+Ome+YWtEt_xcZhOPkbwU}^poW>_a>Z*q`Z9NxHnDrS~AIb+3o7Zf{-bEB_xMBu>z zw@dzl_*tL2k%lFyuuw()oLy4e4u1cARKs8vG5jkm5gDE}9*Y4n4v7^K{HiaNCF^Kp zJN^FsE^;1isRL&kJJ(qgiTYP!EZ9@+8{Bi9R0`+t{Ly`an?3ZwT9)z z)j?%+8aE;v8+Mgnro75%Cg1Ec)zOS3DYjHM>x!ZjTk4|~_mOXl|@TjTm; z5QMIP=}N!1uCk;_qP>5yD}p+Z{W3#_=;Rg}V$4~~Ri$#KDU&8iKv0(tDDvAJp*CET zP;fN3TO@7rTwp%R&VqkH>&b?cmzP&=`x?o2%9V$;V4K~9dXl`4kBSaoVAIx0Ny6XL z7I;=(?TwDMiLic1`+3M}NLQ$iR1j-97dM(pIE2M&O$x4B$Nyflh!tDU^2Q@Qen&Vd z&8zlTWu};{WgX{_bPv)@wHPwdK61qMP`Xj}moZI=ZwSX%6oKM8n@=@2w88Bxvsei# z!!Bj?ZmzB>J@#%8J&ENK{vzM!ueif-qTSFA)sA0OD$lRg^(ZXxX>hiE!CGOZA{^-G zK(HW_wb~tnX^ZFSA>#6YxKTKfOT5j!T%yl!&^xd!;Pn%zi0SJF zv$BP@&Rbv4{=YvmVB>9UXbe7L8LkgK0YwA%(Hfk)_o3e|y@Xw%yJy}{0H(!nA;qP4Rh7a^ zoKHaBz97;$FaKG{R(>!O3+}C$9I(RJygzBVj1cxL zUlB-&UlDFU{3e}r6FDx`qzmOjoqGTaFZg`hi}`(4Po6s)*V*;EsO2$ybrsF{4x&!p zuhB06vYHu(EsV;=?rgKY6OXVS6dd-dp8!PS1>xJ|;sE)iQx*O9uockoZ+yeG!j{{% zj~Y(^Yx4pk)W_ioz_-ud?|K3lN^S5re*y?>v+tjP zpVYeV>iFNSZX72)0RfNVQMMZD{;&7iRXt^APQSDM{`TbwxPnxw z7C^q$DO-}`vtTx7MG-^ZAPH*1YU zA6W>+|7AF72`>1)}-9sFSXvq&lJYcx8N&1Q{EZqqhc8+Jc zuyXa`M~}HroQtP9jt5^FR0Y3fq$l#%5L#f0)3V||yjEH*<8+ky439?bWG_M;O96ha zCyI=AC}sIF&m!@+U*nrD1XIqc#*$A6yA(nY)mCjVGO4YOmM=WttpE<- zP7vy0%NuL%(`ZUEu%Rs~qVx1t9Sq+;=*vRxI4K`?^r=BwdPwG!;Ha%~x3a*9nryR| zCGc;oKQ3lEK_`hWP8~HmK=QQcLnA99K9thosB2HIZNL`vf24^SCF#jGeLj9E(r4hM z#qtW0P}s#JUx!Uzg@o!a*9WCCObF(jKN6>*wej9Q;j>J~Hd*XKvb+ zee>R6)VZQ-L@xn(2?e;Lf3t(fvrZ-_9s1GmT?wDO*n$<>0;hTVQUGJD#9{LyW7({A zshtTwU!*oEZg4l)@f11tCrg_b2<;sgwojezwVwcI10$cdAfH$Z^RRL6CeK>DV;Nd| z$yX9mM}k2o+API~Nuhyr9s9_ag_!O(B^bqD>k&;|8}nY1aKBMNO8&a*v##;#injycR$zj4B3|W z@GATiIwIq8rZKwq+c~HHK(4g3)M}sjK#ABQxeVbnR{N!4z(l5S-07jigId6_l@2p? z5th46Szb1i^SpHZdjU@VH|?VcRl~T+iTG_Fc=Ih_s{j?!a7`86`ULQFosvr5-bBo= zEJ8M?E;@L|R*A;yqy9SN`T3MT+C2e}ZFWyUWZbWE(?uFHPWLH$_6ao!c=gF~JC$)|bpf@rn)=m5snA+;g7=A@F1n(>8DLMt zyQ_vrM&X^>@)yzwp*Pao{SY%tyPxfmo8^0EIb}i6*CM?HJ@lT)weg!2S&Wt9x^qi0 z7&;k8-O1GR*O`2I`nqt!v}gzHv%dC-$q*mz4_)GX&u z>$qgCEjsZk-mg!-kr@o^034~}`*5a>PiC4IujlF0mF4&$Q|MT>vC*M2Er(#7j=K>{ zA&|T;f~CMGZ271N&Xkey?o~$~4)1&DsERfJ^j#TRYsHWN3FgjPoWO5`Cjh6%7`N1l z+sR|*DwGXft+CLUJSpSn?jeCmrwK>q*X1j-<|q${?=TB_yr6|INO|d5;%xK&e!i{R z8ojc!*?8QjSH7O&C$_(goLw??nwT;+P-Fvm^>Z`VD&M4w0?t)n@^-8rTf?f z)BpWaHRiD8b=%(Eod&nJ(#Qm}%Zfu8aM3GRs*Asn#Y=jq%efss$LVLrt{rab;eh47 z*|_Efj(b;GYCfvpAOStne|xHYDQuQLPrAZ~p=G&^-s9>M;|2e6liDatn~3nhv5n-- z^j%82(u|HE>o`N6(3c{Tf+H#j&C)M29tw-x%6&$&+|o!Wvb{WdOhQpp#}*#VRKr5K zpI@OLO@4Jj+0jCOM8YZ2D9-zi7m6>V&y^Qn9{hx>r2FFFfX8YHflQ@aO7EgSZi^qDmnx%UFpAd5+huF6&5)DYvd7rCD;38z37A>g|Aa_UJQqyE`GRI zS_&y8*0<4glZilFhh>{F8z(Z?z7WtuIw8SgDsDc_ElmrpW`ue)^X54ENbiaM*pn#G z;msNTq1I(}E$tTiIoLqw-LKovlud6)yG;OoGNR6hM65R@b#{9(n!kygh4^w77a2ph z-%2zgkde#@oKLxdaRaQpK???T4RS`8QHWkEMX4F$;^#|rCxTMpOhsRyFSw~1(E45< z(M;hajxX{13x34L#;e{L|0@jrA2L}kpFH!K<_cl}&2qiFE)m(pnL<)T*lH>4TRan* zMa`_?$(Syr_M{kE?7vAU1lx+lq`pMmZE8+3ZLIP1_fPR*{*rUid<}WUcBkyDNkcjX&lLvn!s+B(IoZJ`;?TB*ue!%9MTa42_d88BfPLXbCL3lNaE%?GFGo=0Dqmb;fOs+#*-PrOn|2pt_ zomRRJJ)uz&)F*&RdLSlNpEfhmmVCXJ&9#o6LI67->Nu$2ebISM|2V>8j^QVJ7cR&m zn`?4RCgUU5)JWFOyPrH+>tn`QsW&4gOFXyQ!m_tUtj8vDeSTfmwKTJ1wef{7CCfWO zPMMHp(09>L-(5MZe;;<7c-|*gMo>n>yr*o(r_F3e^6uk#xK;qel7c|sEwslrHt6dU zAaxl-!<5=25L}=B&2LFsNDO|iy1?FIHSvCeF-K8mn%iUlxbOTVzdyWOGxgt40Twc_ zX1q_XS09G{ZgV*~hYn?CYoE6TZd&FlD1-RkR-?B}le^Y4Nay zC8#}S(dw*4U*OBmrnR&q#76d=H;5;wWZ|viH=2XVJ~A3f5k4ME|48lHwDkFDHx3W$ zPlGt5-xN9z`WpQsFm7?Wx5yYN3a^~4<%<;+=f*@NNW@6#9UX9@KfQ42jt-4A#LLK= z$AGkhR7+T$RJ(bwvC$pEDxQF?n%B)z1l(pw#J8_*N$^BLYo5B5lUWC463zz@hP=Ic zA5~pBG-G3IbT~|@HzfrX(t{Y0nPD5ul{Q(u2_|;R@*M7!h55PZ ziU%kpnkJ=)u{O8Y+J~#r=j+{MRFNUMuXni3tyguW@JuBcBs%q5-psd2CT3`kNgv!} zhz{XFt{T_}Dyc$!;;7a<>Dd};QyPmW$J;|I@RuMs-qn+GL4d%ZOIMtdCwb(i(ox}R zF#~nm9&yU(bHs_oEq8LF6LZfep!wtklNaP#n>_r{%ss@57V=(E!fU!`3kPkCI zO9V5&L^5jL>`>!mx?f1X_I>NYk3bO@?`xC)r7~ zwdj zHW`uJm}2sG(sBQpCO?vdt_ZxJNN!^jS0H?v7M}K~5E7ABsF=taR^Db}&T&ZTH>+YZ_SNP98=*v;aH8#%U`3i(U%Ap)be!{TxzcTB{|W+$z<67SY?{7?tP0) zHv&#vw#O8WWZ0lWvL_6qijr?{Jxr&}2nDh>dU>nvFo+#RPGWSdUKdTtU?e67)pf2j z)q;WU7>ph6i`?>DI#e4kenE4%GJc#XciZ?6AT=s^evzV^=ZZWTT7?Nj+Z$t@t!4bF zkTo3czKicJQ`|4CbEVImtX}5sm&bXG0(IR8h3JM2AQb4erKx~_1Y zKTX)RCezbMZ1PlYAU$?rh?Ie3VJG>@Ugd-@tq)40R;7%sM(6Y%5Wd|T*IDy7+Oc6m*s+b&Iv_styaNDOqnQU4wQ@ou6J~cp_ zMNW0y^UQ{>yN?EizF6%IK;fIEH~L+~O+&Qs=@DuQT>r3#{stio)4w4v zkoojw;x%`8UV2q+9R?oN(I$vr;!!rh7K_2K&5A)2Mk837w@6yu1qQtU#+KLxe3pWs zx>+Iix{{eq+St}r4etTjw4Xu{J#_K`N^1aFyDiZ_ZURW^#JP(?5(F%peTM4CVL~NB zR=UuTX6{4&BoGyX$(g2O&!xlVYiG`v=iBoZ+Wk7O?2sm=vK$uLV*(Bd49{({$#`?h zs?WG%)IGx{vEV-dU3hfNDI$}DUtP5Y^4HIfGKuDUJAwsiI=axMM6Vz>QGPtj8_1g) zr@+X*X*euBH??a{nX%e0i=|Zh*PK|2R=+O=a@?aS6Pi7T`89RZ+;_gjIV13)g*m=Q zw(!ZrFODxRVGk_wP0(*L7GmpRt(R63E`FaEccpV;KPRwQA5rz|j>`9d*0Z)=gAHE_ zS59-M4fh1INiqBZARkb7EZ>Cnn|gy1%KbLAmj3{VEMG1^C`?d{?x}G3*gcCIS9Ptz zKIP5LFD*|yqzmWgI|CSf1C@`0NpJnOgan&WWe?5OThYSlt(A-1Pw(wxPGP-f?}qwC zQsR#}mLt~cnwj7Ft4)*yh+6O+NHaWB>KC^8jx1}E(DATkb#}GwgB`Ud47h3h0R;MJ z-FpRvjzs%Q?_^X2W&I6hZFESyP;LqO@N)Zgv!$g@=d!**PRVB0=-Oy|V2TWEFh=7y zSN?VhmY>;HK5wQaYLVySnW83Iob%%lGC!mz-m54&0^&7n9O&-{K)sEv8xoflt_{x? zB5{hZqLXj0kw2xr1=AYn7c%=T`0c~-1-rkLEIgulC7&VyP)VR52T z7mkv+&!yV&P>E7~SU)VQcY&qyDW7Ax) z3Z!NM;H4<%cTeX9HGjjB@qL5mKUZ0*xvI%QUEdP0M9sia&WrHB{6CnLqu8Otdvl9` zla9e*kz)caThIjlwYC#tkJIETNmTE)^Sk{$atTd8x@O=t2z}55mjNDC>m2(lNQ@!& zhK3u0kj=}(NY8rb<#twOPs>DX5J>P^i(-!=kn?FK?)U8)qJF{6{?+4o+t-s$RwsOe zS7WNvy}?&%YH(y)>7;SJ{v%+o*{-e_bx+(h!D*OR_DLdS%^f4$Z@Zr{w0hb~L zBIlk+4Kyey;BFV!gSRY{4fIPL#gZ^jn7X;Ef3_U)Ra}@TK!D57-ePKBF0jES{S|z~ z#BAcc{VV?f_%=5;it1@aGE}GP>Lfqe3ZTV7Z4~JY|V$naQw@ z%Bz0QJPy7Fk^aFUi0B3df8S`CWk{rGnPG-#7k{ZXHQyAOEYybd~tkq{BJ-N`Q%RDU{gc%(?1@77Ou0oWkse)_f zo#CT39Y~L+@7~Wb2A`yjD4WIH^7E6Ogl40)fXks2ah3pzD7hnr@CcF2u~`e}qH<(0 zSob`cp#(-qsaG$Q26BeeLJ8BRwX~03iQTWmO;V6{F#$cK-p8-f?&|C9{PuJRzX4wt z1vrWC+oiE>HlZ@SCxDyWkh{dtNo-OTvcn}dy#k0;*7PLj8#to8H9E{L*rX%+0e=;& z*LT2@s5k4BZMo5fwfW!!@W#bet1CI%xNd}syWi=ayird`6zk!+>`o3dDlYZa=~y8LEIB5NwZe8ly} z2`v^~=8SK0E(6)7JFvClN)@zDXI$%2cPk8;@4NS3IiSoYhZF%;zEGBsye4q$B7+m( z%4QCVD}>bP>M1mwI7J0r86PZ+6=`!6^G_kJ0C1kKd~bT)d`(_9V*G=G%>%xKu5TEJ zq>LK|SdR6}TelFrG(z6bPvk7gQ)NAZwF5-h(lq(k5rKn!|A3wU&T#yv2zsP8MI<>D z97c|m=sltY#nmu@4L2HRv=e`>(`uJcD{aJwzz$tj0J|u;R$(dq-roRsHr!z zy%8k&InFjdrICjm5-H_2?W2O)lijBM0{~k8_&tN`Q2%i)1-qS&?pfB_kj@1AdLnfN z{mwy3wDft@N|GvIi@4kZw2Q4M1CV~l7*!(V6V(#vJ6hgPqcWW3?SglhrU+F6#5LD5}WRslDgYftnlF z;xBdqO_WDwuX-((x);B;gMOvXToI_X>SfiCZ*t>0X|l6h;r@q1b)6`c7HtP z2>pmghHnFNM6^#p=WrC_>n8l>I9Aad-kD;K!Wg^SW3xMi*Yk_5z5N;*!d$cRsQoFr z2u9hVZ-%QXMJON{fpfH9!Y@vo$f{*&*J)|D?z{+0xAEjR<032k1E2{E7{OngG}xL< z6^iAImI|(vf(sn2T;HHc*a~KHnIL|vd{k=~ZJ=SoV1Fnnq0x)G)dv15k!oItx-27& z{KS;MYJzY70sLws42A6}9UiQ;0j715@y>0jhN_W7bj?@Xy@~xQ1|!N5>~rTVm3xJO z8Je_#CUJ-*;I)KXhEpWt`+1jpkoY>$L?0-&S6H%V`g@w5I_3wGL5k4dy=TA50xm2? zA;^AsTrS2q^?~+sUUu%h<3F%bYnBhLhQF93I}9y(`xw$yVoTUd^(L0u9sS z>txWeh3l0!DFLrS9A@mmaj4~S8R>?&hjDi|J?6Q(iS8E<;n`^%+}~lY)4LX351-8u zJiul?HqY@$uEB)Buwip*kKXmchs4-vQ(rqf%+!#neDVyywYEb;IsJ!>@U@A;*78IcigB1-$vf1M05*&FG7>!<) z5apg2ZcaSkWKISt#uuawCv7aoVrsh5ZNjI{@kb6+lF8Trb^FMviy+pj1x)Lz?zd*o zyp+Ek$hGaF`?{i!o`0-=*4>vck_>J|v-5TFCfuQK*{gaw|0IV+F89N4XK$>s;dn7L`4&(Nq{Ii~$(FpC~(jf9l4W}^V3>iV8# zuv}nB)|c^ln>X6$vNasOWZ#}3e!*mp+60>tT+)sPSeGJ?s|WUFX59BC))dH4XD23E zMz7^l^>pFVR|)v2FwhlIVnlAqy9Xgs6g_PO26(aLpSc6ZAXNOQ`XOY zv0ulvhV@)J^op$0nm2gjVk&=y_fhiMvX54qW*JCb>IzPLxaqhCFwYlBdGo(S$Ny`o H_Gji_dnsES literal 0 HcmV?d00001 diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html index 1160f0c..55279c2 100644 --- a/Workbench/webproxy/container_files/httpd/index.html +++ b/Workbench/webproxy/container_files/httpd/index.html @@ -1,4 +1,5 @@ -
+ +

Welcome to the InCommon TAP Workbench!


This is your own personal instance of the InCommon Trusted Access Platform Workbench. From d4efae9ac9f0d5f1bd10bb74094640bc118702b7 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Fri, 30 Oct 2020 12:19:40 -0500 Subject: [PATCH 8/9] fix rabbit --- .../mq/container_files/etc-rabbitmq/rabbitmq.conf | 1 + Workbench/webproxy/container_files/httpd/index.html | 1 + Workbench/webproxy/container_files/httpd/proxy.conf | 13 +++++++++++-- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf b/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf index 4c789ba..6f9abed 100644 --- a/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf +++ b/Workbench/mq/container_files/etc-rabbitmq/rabbitmq.conf @@ -1,2 +1,3 @@ # Allow guest access from anywhere (change this in production!) loopback_users = none + diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html index 55279c2..826a26b 100644 --- a/Workbench/webproxy/container_files/httpd/index.html +++ b/Workbench/webproxy/container_files/httpd/index.html @@ -14,6 +14,7 @@

Welcome to the InCommon TAP Workbench!

  • Shibboleth SP
  • Grouper
  • midPoint
    • +
  • Rabbit MQ
  • COmanage (coming soon)
    • diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index de6773b..150e6bf 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -5,6 +5,7 @@ SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyPreserveHost On +AllowEncodedSlashes On ProxyPass /midpoint https://midpoint-server/midpoint ProxyPassReverse /midpoint https://midpoint-server/midpoint @@ -20,8 +21,16 @@ ProxyPassReverse /grouper-ws https://grouper-ws/grouper-ws ProxyPass /idp https://idp/idp ProxyPassReverse /idp https://idp/idp -ProxyPass /rabbit https://mq:15672/ -ProxyPassReverse /rabbit https://mq:15672/ +ProxyPass /rabbit http://mq:15672/ nocanon +ProxyPassReverse /rabbit http://mq:15672/ +ProxyPass /js http://mq:15672/js +ProxyPassReverse /js http://mq:15672/js +ProxyPass /css http://mq:15672/css +ProxyPassReverse /css http://mq:15672/css +ProxyPass /img http://mq:15672/img +ProxyPassReverse /img http://mq:15672/img +ProxyPass /api http://mq:15672/api +ProxyPassReverse /api http://mq:15672/api ProxyPass /comanage https://comanage/ ProxyPassReverse /comanage https://comanage/ From 6173b3e3bc66036a82679a6ed547fc6fb0af44ef Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Fri, 30 Oct 2020 16:47:12 -0500 Subject: [PATCH 9/9] add ldap and sql UI --- Workbench/directory/Dockerfile | 8 +- .../etc/phpMyAdmin/config.inc.php | 261 ++++++++ .../etc/phpldapadmin/config.php | 584 ++++++++++++++++++ .../container_files/httpd/phpMyAdmin.conf | 77 +++ .../container_files/httpd/phpldapadmin.conf | 21 + .../webproxy/container_files/httpd/index.html | 2 + .../webproxy/container_files/httpd/proxy.conf | 6 + 7 files changed, 956 insertions(+), 3 deletions(-) create mode 100644 Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php create mode 100644 Workbench/directory/container_files/etc/phpldapadmin/config.php create mode 100644 Workbench/directory/container_files/httpd/phpMyAdmin.conf create mode 100644 Workbench/directory/container_files/httpd/phpldapadmin.conf diff --git a/Workbench/directory/Dockerfile b/Workbench/directory/Dockerfile index 6e34ead..5d5fd92 100644 --- a/Workbench/directory/Dockerfile +++ b/Workbench/directory/Dockerfile @@ -4,11 +4,13 @@ LABEL author="tier-packaging@internet2.edu " RUN yum install -y epel-release \ && yum update -y \ - && yum install -y 389-ds-base \ + && yum install -y 389-ds-base phpMyAdmin phpldapadmin mod_ssl \ && yum clean all \ && rm -rf /var/cache/yum COPY container_files/seed-data/ /seed-data/ +COPY container_files/httpd/* /etc/httpd/conf.d/ +COPY container_files/etc/ /etc/ RUN useradd ldapadmin \ && rm -fr /var/lock /usr/lib/systemd/system \ @@ -23,6 +25,6 @@ RUN useradd ldapadmin \ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ ldapadd -H ldap:/// -f /seed-data/data.ldif -x -D "cn=Directory Manager" -w password -EXPOSE 389 +EXPOSE 389 443 -CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep infinity +CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && httpd -DFOREGROUND && sleep infinity diff --git a/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php b/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php new file mode 100644 index 0000000..fd8ac2d --- /dev/null +++ b/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php @@ -0,0 +1,261 @@ +. + */ + +/* + * This is needed for cookie based authentication to encrypt password in + * cookie + */ +$cfg['blowfish_secret'] = 'd7Y5iRSDpGaQkvSqxKWPwHfazswioRBO'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ + +/** + * Server(s) configuration + */ +$i = 0; + +// The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use +// $cfg['Servers'][0]. You can disable a server config entry by setting host +// to ''. If you want more than one server, just copy following section +// (including $i incrementation) serveral times. There is no need to define +// full server array, just define values you need to change. +$i++; +$cfg['Servers'][$i]['host'] = 'grouper_data'; // MySQL hostname or IP address +$cfg['Servers'][$i]['port'] = '3306'; // MySQL port - leave blank for default port +$cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket +$cfg['Servers'][$i]['connect_type'] = 'tcp'; // How to connect to MySQL server ('tcp' or 'socket') +$cfg['Servers'][$i]['extension'] = 'mysqli'; // The php MySQL extension to use ('mysql' or 'mysqli') +$cfg['Servers'][$i]['compress'] = FALSE; // Use compressed protocol for the MySQL connection + // (requires PHP >= 4.3.0) +$cfg['Servers'][$i]['controluser'] = ''; // MySQL control user settings + // (this user must have read-only +$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user" + // and "mysql/db" tables). + // The controluser is also + // used for all relational + // features (pmadb) +$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)? +$cfg['Servers'][$i]['user'] = 'root'; // MySQL user +$cfg['Servers'][$i]['password'] = ''; // MySQL password (only needed + // with 'config' auth_type) +$cfg['Servers'][$i]['only_db'] = 'grouper'; // If set to a db-name, only + // this db is displayed in left frame + // It may also be an array of db-names, where sorting order is relevant. +$cfg['Servers'][$i]['hide_db'] = ''; // Database name to be hidden from listings +$cfg['Servers'][$i]['verbose'] = ''; // Verbose name for this host - leave blank to show the hostname + +$cfg['Servers'][$i]['pmadb'] = ''; // Database used for Relation, Bookmark and PDF Features + // (see scripts/create_tables.sql) + // - leave blank for no support + // DEFAULT: 'phpmyadmin' +$cfg['Servers'][$i]['bookmarktable'] = ''; // Bookmark table + // - leave blank for no bookmark support + // DEFAULT: 'pma_bookmark' +$cfg['Servers'][$i]['relation'] = ''; // table to describe the relation between links (see doc) + // - leave blank for no relation-links support + // DEFAULT: 'pma_relation' +$cfg['Servers'][$i]['table_info'] = ''; // table to describe the display fields + // - leave blank for no display fields support + // DEFAULT: 'pma_table_info' +$cfg['Servers'][$i]['table_coords'] = ''; // table to describe the tables position for the PDF schema + // - leave blank for no PDF schema support + // DEFAULT: 'pma_table_coords' +$cfg['Servers'][$i]['pdf_pages'] = ''; // table to describe pages of relationpdf + // - leave blank if you don't want to use this + // DEFAULT: 'pma_pdf_pages' +$cfg['Servers'][$i]['column_info'] = ''; // table to store column information + // - leave blank for no column comments/mime types + // DEFAULT: 'pma_column_info' +$cfg['Servers'][$i]['history'] = ''; // table to store SQL history + // - leave blank for no SQL query history + // DEFAULT: 'pma_history' +$cfg['Servers'][$i]['verbose_check'] = TRUE; // set to FALSE if you know that your pma_* tables + // are up to date. This prevents compatibility + // checks and thereby increases performance. +$cfg['Servers'][$i]['AllowRoot'] = TRUE; // whether to allow root login +$cfg['Servers'][$i]['AllowDeny']['order'] // Host authentication order, leave blank to not use + = ''; +$cfg['Servers'][$i]['AllowDeny']['rules'] // Host authentication rules, leave blank for defaults + = array(); +$cfg['Servers'][$i]['AllowNoPassword'] // Allow logins without a password. Do not change the FALSE + = TRUE; // default unless you're running a passwordless MySQL server +$cfg['Servers'][$i]['designer_coords'] // Leave blank (default) for no Designer support, otherwise + = ''; // set to suggested 'pma_designer_coords' if really needed +$cfg['Servers'][$i]['bs_garbage_threshold'] // Blobstreaming: Recommented default value from upstream + = 50; // DEFAULT: '50' +$cfg['Servers'][$i]['bs_repository_threshold'] // Blobstreaming: Recommented default value from upstream + = '32M'; // DEFAULT: '32M' +$cfg['Servers'][$i]['bs_temp_blob_timeout'] // Blobstreaming: Recommented default value from upstream + = 600; // DEFAULT: '600' +$cfg['Servers'][$i]['bs_temp_log_threshold'] // Blobstreaming: Recommented default value from upstream + = '32M'; // DEFAULT: '32M' + +$i++; +$cfg['Servers'][$i]['host'] = 'midpoint_data'; // MySQL hostname or IP address +$cfg['Servers'][$i]['port'] = '3306'; // MySQL port - leave blank for default port +$cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket +$cfg['Servers'][$i]['connect_type'] = 'tcp'; // How to connect to MySQL server ('tcp' or 'socket') +$cfg['Servers'][$i]['extension'] = 'mysqli'; // The php MySQL extension to use ('mysql' or 'mysqli') +$cfg['Servers'][$i]['compress'] = FALSE; // Use compressed protocol for the MySQL connection + // (requires PHP >= 4.3.0) +$cfg['Servers'][$i]['controluser'] = ''; // MySQL control user settings + // (this user must have read-only +$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user" + // and "mysql/db" tables). + // The controluser is also + // used for all relational + // features (pmadb) +$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)? +$cfg['Servers'][$i]['user'] = 'registry_user'; // MySQL user +$cfg['Servers'][$i]['password'] = 'WJzesbe3poNZ91qIbmR7'; // MySQL password (only needed + // with 'config' auth_type) +$cfg['Servers'][$i]['only_db'] = 'registry'; // If set to a db-name, only + // this db is displayed in left frame + // It may also be an array of db-names, where sorting order is relevant. +$cfg['Servers'][$i]['hide_db'] = ''; // Database name to be hidden from listings +$cfg['Servers'][$i]['verbose'] = ''; // Verbose name for this host - leave blank to show the hostname + +$cfg['Servers'][$i]['pmadb'] = ''; // Database used for Relation, Bookmark and PDF Features + // (see scripts/create_tables.sql) + // - leave blank for no support + // DEFAULT: 'phpmyadmin' +$cfg['Servers'][$i]['bookmarktable'] = ''; // Bookmark table + // - leave blank for no bookmark support + // DEFAULT: 'pma_bookmark' +$cfg['Servers'][$i]['relation'] = ''; // table to describe the relation between links (see doc) + // - leave blank for no relation-links support + // DEFAULT: 'pma_relation' +$cfg['Servers'][$i]['table_info'] = ''; // table to describe the display fields + // - leave blank for no display fields support + // DEFAULT: 'pma_table_info' +$cfg['Servers'][$i]['table_coords'] = ''; // table to describe the tables position for the PDF schema + // - leave blank for no PDF schema support + // DEFAULT: 'pma_table_coords' +$cfg['Servers'][$i]['pdf_pages'] = ''; // table to describe pages of relationpdf + // - leave blank if you don't want to use this + // DEFAULT: 'pma_pdf_pages' +$cfg['Servers'][$i]['column_info'] = ''; // table to store column information + // - leave blank for no column comments/mime types + // DEFAULT: 'pma_column_info' +$cfg['Servers'][$i]['history'] = ''; // table to store SQL history + // - leave blank for no SQL query history + // DEFAULT: 'pma_history' +$cfg['Servers'][$i]['verbose_check'] = TRUE; // set to FALSE if you know that your pma_* tables + // are up to date. This prevents compatibility + // checks and thereby increases performance. +$cfg['Servers'][$i]['AllowRoot'] = TRUE; // whether to allow root login +$cfg['Servers'][$i]['AllowDeny']['order'] // Host authentication order, leave blank to not use + = ''; +$cfg['Servers'][$i]['AllowDeny']['rules'] // Host authentication rules, leave blank for defaults + = array(); +$cfg['Servers'][$i]['AllowNoPassword'] // Allow logins without a password. Do not change the FALSE + = TRUE; // default unless you're running a passwordless MySQL server +$cfg['Servers'][$i]['designer_coords'] // Leave blank (default) for no Designer support, otherwise + = ''; // set to suggested 'pma_designer_coords' if really needed +$cfg['Servers'][$i]['bs_garbage_threshold'] // Blobstreaming: Recommented default value from upstream + = 50; // DEFAULT: '50' +$cfg['Servers'][$i]['bs_repository_threshold'] // Blobstreaming: Recommented default value from upstream + = '32M'; // DEFAULT: '32M' +$cfg['Servers'][$i]['bs_temp_blob_timeout'] // Blobstreaming: Recommented default value from upstream + = 600; // DEFAULT: '600' +$cfg['Servers'][$i]['bs_temp_log_threshold'] // Blobstreaming: Recommented default value from upstream + = '32M'; // DEFAULT: '32M' + +$i++; +$cfg['Servers'][$i]['host'] = 'sources'; // MySQL hostname or IP address +$cfg['Servers'][$i]['port'] = '3306'; // MySQL port - leave blank for default port +$cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket +$cfg['Servers'][$i]['connect_type'] = 'tcp'; // How to connect to MySQL server ('tcp' or 'socket') +$cfg['Servers'][$i]['extension'] = 'mysqli'; // The php MySQL extension to use ('mysql' or 'mysqli') +$cfg['Servers'][$i]['compress'] = FALSE; // Use compressed protocol for the MySQL connection + // (requires PHP >= 4.3.0) +$cfg['Servers'][$i]['controluser'] = ''; // MySQL control user settings + // (this user must have read-only +$cfg['Servers'][$i]['controlpass'] = ''; // access to the "mysql/user" + // and "mysql/db" tables). + // The controluser is also + // used for all relational + // features (pmadb) +$cfg['Servers'][$i]['auth_type'] = 'config'; // Authentication method (config, http or cookie based)? +$cfg['Servers'][$i]['user'] = 'sis_user'; // MySQL user +$cfg['Servers'][$i]['password'] = '49321420423'; // MySQL password (only needed + // with 'config' auth_type) +$cfg['Servers'][$i]['only_db'] = ''; // If set to a db-name, only + // this db is displayed in left frame + // It may also be an array of db-names, where sorting order is relevant. +$cfg['Servers'][$i]['hide_db'] = ''; // Database name to be hidden from listings +$cfg['Servers'][$i]['verbose'] = ''; // Verbose name for this host - leave blank to show the hostname + +$cfg['Servers'][$i]['pmadb'] = ''; // Database used for Relation, Bookmark and PDF Features + // (see scripts/create_tables.sql) + // - leave blank for no support + // DEFAULT: 'phpmyadmin' +$cfg['Servers'][$i]['bookmarktable'] = ''; // Bookmark table + // - leave blank for no bookmark support + // DEFAULT: 'pma_bookmark' +$cfg['Servers'][$i]['relation'] = ''; // table to describe the relation between links (see doc) + // - leave blank for no relation-links support + // DEFAULT: 'pma_relation' +$cfg['Servers'][$i]['table_info'] = ''; // table to describe the display fields + // - leave blank for no display fields support + // DEFAULT: 'pma_table_info' +$cfg['Servers'][$i]['table_coords'] = ''; // table to describe the tables position for the PDF schema + // - leave blank for no PDF schema support + // DEFAULT: 'pma_table_coords' +$cfg['Servers'][$i]['pdf_pages'] = ''; // table to describe pages of relationpdf + // - leave blank if you don't want to use this + // DEFAULT: 'pma_pdf_pages' +$cfg['Servers'][$i]['column_info'] = ''; // table to store column information + // - leave blank for no column comments/mime types + // DEFAULT: 'pma_column_info' +$cfg['Servers'][$i]['history'] = ''; // table to store SQL history + // - leave blank for no SQL query history + // DEFAULT: 'pma_history' +$cfg['Servers'][$i]['verbose_check'] = TRUE; // set to FALSE if you know that your pma_* tables + // are up to date. This prevents compatibility + // checks and thereby increases performance. +$cfg['Servers'][$i]['AllowRoot'] = TRUE; // whether to allow root login +$cfg['Servers'][$i]['AllowDeny']['order'] // Host authentication order, leave blank to not use + = ''; +$cfg['Servers'][$i]['AllowDeny']['rules'] // Host authentication rules, leave blank for defaults + = array(); +$cfg['Servers'][$i]['AllowNoPassword'] // Allow logins without a password. Do not change the FALSE + = TRUE; // default unless you're running a passwordless MySQL server +$cfg['Servers'][$i]['designer_coords'] // Leave blank (default) for no Designer support, otherwise + = ''; // set to suggested 'pma_designer_coords' if really needed +$cfg['Servers'][$i]['bs_garbage_threshold'] // Blobstreaming: Recommented default value from upstream + = 50; // DEFAULT: '50' +$cfg['Servers'][$i]['bs_repository_threshold'] // Blobstreaming: Recommented default value from upstream + = '32M'; // DEFAULT: '32M' +$cfg['Servers'][$i]['bs_temp_blob_timeout'] // Blobstreaming: Recommented default value from upstream + = 600; // DEFAULT: '600' +$cfg['Servers'][$i]['bs_temp_log_threshold'] // Blobstreaming: Recommented default value from upstream + = '32M'; // DEFAULT: '32M' + +/* + * End of servers configuration + */ + +/* + * Directories for saving/loading files from server + */ +$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload'; +$cfg['SaveDir'] = '/var/lib/phpMyAdmin/save'; + +/* + * Disable the default warning that is displayed on the DB Details Structure + * page if any of the required Tables for the relation features is not found + */ +$cfg['PmaNoRelation_DisableWarning'] = TRUE; + +/* + * phpMyAdmin 4.4.x is no longer maintained by upstream, but security fixes + * are still backported by downstream. + */ +$cfg['VersionCheck'] = FALSE; +?> + diff --git a/Workbench/directory/container_files/etc/phpldapadmin/config.php b/Workbench/directory/container_files/etc/phpldapadmin/config.php new file mode 100644 index 0000000..eafe857 --- /dev/null +++ b/Workbench/directory/container_files/etc/phpldapadmin/config.php @@ -0,0 +1,584 @@ +custom variable to do so. + * For example, the default for defining the language in config_default.php + * + * $this->default->appearance['language'] = array( + * 'desc'=>'Language', + * 'default'=>'auto'); + * + * to override this, use $config->custom->appearance['language'] = 'en_EN'; + * + * This file is also used to configure your LDAP server connections. + * + * You must specify at least one LDAP server there. You may add + * as many as you like. You can also specify your language, and + * many other options. + * + * NOTE: Commented out values in this file prefixed by //, represent the + * defaults that have been defined in config_default.php. + * Commented out values prefixed by #, dont reflect their default value, you can + * check config_default.php if you want to see what the default is. + * + * DONT change config_default.php, you changes will be lost by the next release + * of PLA. Instead change this file - as it will NOT be replaced by a new + * version of phpLDAPadmin. + */ + +/********************************************* + * Useful important configuration overrides * + *********************************************/ + +/* If you are asked to put PLA in debug mode, this is how you do it: */ +# $config->custom->debug['level'] = 255; +# $config->custom->debug['syslog'] = true; +# $config->custom->debug['file'] = '/tmp/pla_debug.log'; + +/* phpLDAPadmin can encrypt the content of sensitive cookies if you set this + to a big random string. */ +$config->custom->session['blowfish'] = 'beee41ae7ca5107fc9a61946c4734264'; # Autogenerated for 66388f647a9e + +/* If your auth_type is http, you can override your HTTP Authentication Realm. */ +// $config->custom->session['http_realm'] = sprintf('%s %s',app_name(),'login'); + +/* The language setting. If you set this to 'auto', phpLDAPadmin will attempt + to determine your language automatically. + If PLA doesnt show (all) strings in your language, then you can do some + translation at http://translations.launchpad.net/phpldapadmin and download + the translation files, replacing those provided with PLA. + (We'll pick up the translations before making the next release too!) */ +// $config->custom->appearance['language'] = 'auto'; + +/* The temporary storage directory where we will put jpegPhoto data + This directory must be readable and writable by your web server. */ +// $config->custom->jpeg['tmpdir'] = '/tmp'; // Example for Unix systems +# $config->custom->jpeg['tmpdir'] = 'c:\\temp'; // Example for Windows systems + +/* Set this to (bool)true if you do NOT want a random salt used when + calling crypt(). Instead, use the first two letters of the user's + password. This is insecure but unfortunately needed for some older + environments. */ +# $config->custom->password['no_random_crypt_salt'] = true; + +/* PHP script timeout control. If php runs longer than this many seconds then + PHP will stop with an Maximum Execution time error. Increase this value from + the default if queries to your LDAP server are slow. The default is either + 30 seconds or the setting of max_exection_time if this is null. */ +// $config->custom->session['timelimit'] = 30; + +// $config->custom->appearance['show_clear_password'] = false; + +// $config->custom->search['size_limit'] = 50; +# $config->custom->search['size_limit'] = 1000; + +/* Our local timezone + This is to make sure that when we ask the system for the current time, we + get the right local time. If this is not set, all time() calculations will + assume UTC if you have not set PHP date.timezone. */ +// $config->custom->appearance['timezone'] = null; +# $config->custom->appearance['timezone'] = 'Australia/Melbourne'; + +/********************************************* + * Commands * + *********************************************/ + +/* Command availability ; if you don't authorize a command the command + links will not be shown and the command action will not be permitted. + For better security, set also ACL in your ldap directory. */ +/* +$config->custom->commands['cmd'] = array( + 'entry_internal_attributes_show' => true, + 'entry_refresh' => true, + 'oslinks' => true, + 'switch_template' => true +); + +$config->custom->commands['script'] = array( + 'add_attr_form' => true, + 'add_oclass_form' => true, + 'add_value_form' => true, + 'collapse' => true, + 'compare' => true, + 'compare_form' => true, + 'copy' => true, + 'copy_form' => true, + 'create' => true, + 'create_confirm' => true, + 'delete' => true, + 'delete_attr' => true, + 'delete_form' => true, + 'draw_tree_node' => true, + 'expand' => true, + 'export' => true, + 'export_form' => true, + 'import' => true, + 'import_form' => true, + 'login' => true, + 'logout' => true, + 'login_form' => true, + 'mass_delete' => true, + 'mass_edit' => true, + 'mass_update' => true, + 'modify_member_form' => true, + 'monitor' => true, + 'purge_cache' => true, + 'query_engine' => true, + 'rename' => true, + 'rename_form' => true, + 'rdelete' => true, + 'refresh' => true, + 'schema' => true, + 'server_info' => true, + 'show_cache' => true, + 'template_engine' => true, + 'update_confirm' => true, + 'update' => true +); +*/ + +/********************************************* + * Appearance * + *********************************************/ + +/* If you want to choose the appearance of the tree, specify a class name which + inherits from the Tree class. */ +// $config->custom->appearance['tree'] = 'AJAXTree'; +# $config->custom->appearance['tree'] = 'HTMLTree'; + +/* Just show your custom templates. */ +// $config->custom->appearance['custom_templates_only'] = false; + +/* Disable the default template. */ +// $config->custom->appearance['disable_default_template'] = false; + +/* Hide the warnings for invalid objectClasses/attributes in templates. */ +// $config->custom->appearance['hide_template_warning'] = false; + +/* Set to true if you would like to hide header and footer parts. */ +// $config->custom->appearance['minimalMode'] = false; + +/* Configure what objects are shown in left hand tree */ +// $config->custom->appearance['tree_filter'] = '(objectclass=*)'; + +/* The height and width of the tree. If these values are not set, then + no tree scroll bars are provided. */ +// $config->custom->appearance['tree_height'] = null; +# $config->custom->appearance['tree_height'] = 600; +// $config->custom->appearance['tree_width'] = null; +# $config->custom->appearance['tree_width'] = 250; + +/* Confirm create and update operations, allowing you to review the changes + and optionally skip attributes during the create/update operation. */ +// $config->custom->confirm['create'] = true; +// $config->custom->confirm['update'] = true; + +/* Confirm copy operations, and treat them like create operations. This allows + you to edit the attributes (thus changing any that might conflict with + uniqueness) before creating the new entry. */ +// $config->custom->confirm['copy'] = true; + +/********************************************* + * User-friendly attribute translation * + *********************************************/ + +/* Use this array to map attribute names to user friendly names. For example, if + you don't want to see "facsimileTelephoneNumber" but rather "Fax". */ +// $config->custom->appearance['friendly_attrs'] = array(); +$config->custom->appearance['friendly_attrs'] = array( + 'facsimileTelephoneNumber' => 'Fax', + 'gid' => 'Group', + 'mail' => 'Email', + 'telephoneNumber' => 'Telephone', + 'uid' => 'User Name', + 'userPassword' => 'Password' +); + +/********************************************* + * Hidden attributes * + *********************************************/ + +/* You may want to hide certain attributes from being edited. If you want to + hide attributes from the user, you should use your LDAP servers ACLs. + NOTE: The user must be able to read the hide_attrs_exempt entry to be + excluded. */ +// $config->custom->appearance['hide_attrs'] = array(); +# $config->custom->appearance['hide_attrs'] = array('objectClass'); + +/* Members of this list will be exempt from the hidden attributes. */ +// $config->custom->appearance['hide_attrs_exempt'] = null; +# $config->custom->appearance['hide_attrs_exempt'] = 'cn=PLA UnHide,ou=Groups,c=AU'; + +/********************************************* + * Read-only attributes * + *********************************************/ + +/* You may want to phpLDAPadmin to display certain attributes as read only, + meaning that users will not be presented a form for modifying those + attributes, and they will not be allowed to be modified on the "back-end" + either. You may configure this list here: + NOTE: The user must be able to read the readonly_attrs_exempt entry to be + excluded. */ +// $config->custom->appearance['readonly_attrs'] = array(); + +/* Members of this list will be exempt from the readonly attributes. */ +// $config->custom->appearance['readonly_attrs_exempt'] = null; +# $config->custom->appearance['readonly_attrs_exempt'] = 'cn=PLA ReadWrite,ou=Groups,c=AU'; + +/********************************************* + * Group attributes * + *********************************************/ + +/* Add "modify group members" link to the attribute. */ +// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid'); + +/* Configure filter for member search. This only applies to "modify group members" feature */ +// $config->custom->modify_member['filter'] = '(objectclass=Person)'; + +/* Attribute that is added to the group member attribute. */ +// $config->custom->modify_member['attr'] = 'dn'; + +/* For Posix attributes */ +// $config->custom->modify_member['posixattr'] = 'uid'; +// $config->custom->modify_member['posixfilter'] = '(uid=*)'; +// $config->custom->modify_member['posixgroupattr'] = 'memberUid'; + +/********************************************* + * Support for attrs display order * + *********************************************/ + +/* Use this array if you want to have your attributes displayed in a specific + order. You can use default attribute names or their fridenly names. + For example, "sn" will be displayed right after "givenName". All the other + attributes that are not specified in this array will be displayed after in + alphabetical order. */ +// $config->custom->appearance['attr_display_order'] = array(); +# $config->custom->appearance['attr_display_order'] = array( +# 'givenName', +# 'sn', +# 'cn', +# 'displayName', +# 'uid', +# 'uidNumber', +# 'gidNumber', +# 'homeDirectory', +# 'mail', +# 'userPassword' +# ); + +/********************************************* + * Define your LDAP servers in this section * + *********************************************/ + +$servers = new Datastore(); + +/* $servers->NewServer('ldap_pla') must be called before each new LDAP server + declaration. */ +$servers->newServer('ldap_pla'); + +/* A convenient name that will appear in the tree viewer and throughout + phpLDAPadmin to identify this LDAP server to users. */ +$servers->setValue('server','name','Example LDAP Server'); + +/* Examples: + 'ldap.example.com', + 'ldaps://ldap.example.com/', + 'ldapi://%2fusr%local%2fvar%2frun%2fldapi' + (Unix socket at /usr/local/var/run/ldap) */ +$servers->setValue('server','host','127.0.0.1'); + +/* The port your LDAP server listens on (no quotes). 389 is standard. */ +$servers->setValue('server','port',389); + +/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin + auto-detect it for you. */ +$servers->setValue('server','base',array('dc=internet2,dc=edu')); + +/* Five options for auth_type: + 1. 'cookie': you will login via a web form, and a client-side cookie will + store your login dn and password. + 2. 'session': same as cookie but your login dn and password are stored on the + web server in a persistent session variable. + 3. 'http': same as session but your login dn and password are retrieved via + HTTP authentication. + 4. 'config': specify your login dn and password here in this config file. No + login will be required to use phpLDAPadmin for this server. + 5. 'sasl': login will be taken from the webserver's kerberos authentication. + Currently only GSSAPI has been tested (using mod_auth_kerb). + + Choose wisely to protect your authentication information appropriately for + your situation. If you choose 'cookie', your cookie contents will be + encrypted using blowfish and the secret your specify above as + session['blowfish']. */ +$servers->setValue('login','auth_type','cookie'); + +/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or + 'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS + BLANK. If you specify a login_attr in conjunction with a cookie or session + auth_type, then you can also specify the bind_id/bind_pass here for searching + the directory for users (ie, if your LDAP server does not allow anonymous + binds. */ +// $servers->setValue('login','bind_id',''); +$servers->setValue('login','bind_id','cn=admin,dc=internet2,dc=edu'); + +/* Your LDAP password. If you specified an empty bind_id above, this MUST also + be blank. */ +// $servers->setValue('login','bind_pass',''); +$servers->setValue('login','bind_pass','password'); + +/* Use TLS (Transport Layer Security) to connect to the LDAP server. */ +// $servers->setValue('server','tls',false); + +/************************************ + * SASL Authentication * + ************************************/ + +/* Enable SASL authentication LDAP SASL authentication requires PHP 5.x + configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to + false), then all other sasl options are ignored. */ +// $servers->setValue('login','auth_type','sasl'); + +/* SASL auth mechanism */ +// $servers->setValue('sasl','mech','GSSAPI'); + +/* SASL authentication realm name */ +// $servers->setValue('sasl','realm',''); +# $servers->setValue('sasl','realm','EXAMPLE.COM'); + +/* SASL authorization ID name + If this option is undefined, authorization id will be computed from bind DN, + using authz_id_regex and authz_id_replacement. */ +// $servers->setValue('sasl','authz_id', null); + +/* SASL authorization id regex and replacement + When authz_id property is not set (default), phpLDAPAdmin will try to + figure out authorization id by itself from bind distinguished name (DN). + + This procedure is done by calling preg_replace() php function in the + following way: + + $authz_id = preg_replace($sasl_authz_id_regex,$sasl_authz_id_replacement, + $bind_dn); + + For info about pcre regexes, see: + - pcre(3), perlre(3) + - http://www.php.net/preg_replace */ +// $servers->setValue('sasl','authz_id_regex',null); +// $servers->setValue('sasl','authz_id_replacement',null); +# $servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i'); +# $servers->setValue('sasl','authz_id_replacement','$1'); + +/* SASL auth security props. + See http://beepcore-tcl.sourceforge.net/tclsasl.html#anchor5 for explanation. */ +// $servers->setValue('sasl','props',null); + +/* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5, + blowfish, crypt or leave blank for now default algorithm. */ +// $servers->setValue('appearance','password_hash','md5'); +$servers->setValue('appearance','password_hash',''); + +/* If you specified 'cookie' or 'session' as the auth_type above, you can + optionally specify here an attribute to use when logging in. If you enter + 'uid' and login as 'dsmith', phpLDAPadmin will search for (uid=dsmith) + and log in as that user. + Leave blank or specify 'dn' to use full DN for logging in. Note also that if + your LDAP server requires you to login to perform searches, you can enter the + DN to use when searching in 'bind_id' and 'bind_pass' above. */ +// $servers->setValue('login','attr','dn'); +$servers->setValue('login','attr','dn'); + +/* Base DNs to used for logins. If this value is not set, then the LDAP server + Base DNs are used. */ +// $servers->setValue('login','base',array()); + +/* If 'login,attr' is used above such that phpLDAPadmin will search for your DN + at login, you may restrict the search to a specific objectClasses. EG, set this + to array('posixAccount') or array('inetOrgPerson',..), depending upon your + setup. */ +// $servers->setValue('login','class',array()); + +/* If you specified something different from 'dn', for example 'uid', as the + login_attr above, you can optionally specify here to fall back to + authentication with dn. + This is useful, when users should be able to log in with their uid, but + the ldap administrator wants to log in with his root-dn, that does not + necessarily have the uid attribute. + When using this feature, login_class is ignored. */ +// $servers->setValue('login','fallback_dn',false); + +/* Specify true If you want phpLDAPadmin to not display or permit any + modification to the LDAP server. */ +// $servers->setValue('server','read_only',false); + +/* Specify false if you do not want phpLDAPadmin to draw the 'Create new' links + in the tree viewer. */ +// $servers->setValue('appearance','show_create',true); + +/* Set to true if you would like to initially open the first level of each tree. */ +// $servers->setValue('appearance','open_tree',false); + +/* This feature allows phpLDAPadmin to automatically determine the next + available uidNumber for a new entry. */ +// $servers->setValue('auto_number','enable',true); + +/* The mechanism to use when finding the next available uidNumber. Two possible + values: 'uidpool' or 'search'. + The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to + blindly lookup the next available uidNumber. The 'search' mechanism searches + for entries with a uidNumber value and finds the first available uidNumber + (slower). */ +// $servers->setValue('auto_number','mechanism','search'); + +/* The DN of the search base when the 'search' mechanism is used above. */ +# $servers->setValue('auto_number','search_base','ou=People,dc=example,dc=com'); + +/* The minimum number to use when searching for the next available number + (only when 'search' is used for auto_number. */ +// $servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500)); + +/* If you set this, then phpldapadmin will bind to LDAP with this user ID when + searching for the uidnumber. The idea is, this user id would have full + (readonly) access to uidnumber in your ldap directory (the logged in user + may not), so that you can be guaranteed to get a unique uidnumber for your + directory. */ +// $servers->setValue('auto_number','dn',null); + +/* The password for the dn above. */ +// $servers->setValue('auto_number','pass',null); + +/* Enable anonymous bind login. */ +// $servers->setValue('login','anon_bind',true); + +/* Use customized page with prefix when available. */ +# $servers->setValue('custom','pages_prefix','custom_'); + +/* If you set this, then only these DNs are allowed to log in. This array can + contain individual users, groups or ldap search filter(s). Keep in mind that + the user has not authenticated yet, so this will be an anonymous search to + the LDAP server, so make your ACLs allow these searches to return results! */ +# $servers->setValue('login','allowed_dns',array( +# 'uid=stran,ou=People,dc=example,dc=com', +# '(&(gidNumber=811)(objectClass=groupOfNames))', +# '(|(uidNumber=200)(uidNumber=201))', +# 'cn=callcenter,ou=Group,dc=example,dc=com')); + +/* Set this if you dont want this LDAP server to show in the tree */ +// $servers->setValue('server','visible',true); + +/* Set this if you want to hide the base DNs that dont exist instead of + displaying the message "The base entry doesnt exist, create it?" +// $servers->setValue('server','hide_noaccess_base',false); +# $servers->setValue('server','hide_noaccess_base',true); + +/* This is the time out value in minutes for the server. After as many minutes + of inactivity you will be automatically logged out. If not set, the default + value will be ( session_cache_expire()-1 ) */ +# $servers->setValue('login','timeout',30); + +/* Set this if you want phpldapadmin to perform rename operation on entry which + has children. Certain servers are known to allow it, certain are not. */ +// $servers->setValue('server','branch_rename',false); + +/* If you set this, then phpldapadmin will show these attributes as + internal attributes, even if they are not defined in your schema. */ +// $servers->setValue('server','custom_sys_attrs',array('')); +# $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime')); + +/* If you set this, then phpldapadmin will show these attributes on + objects, even if they are not defined in your schema. */ +// $servers->setValue('server','custom_attrs',array('')); +# $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock')); + +/* These attributes will be forced to MAY attributes and become option in the + templates. If they are not defined in the templates, then they wont appear + as per normal template processing. You may want to do this because your LDAP + server may automatically calculate a default value. + In Fedora Directory Server using the DNA Plugin one could ignore uidNumber, + gidNumber and sambaSID. */ +// $servers->setValue('server','force_may',array('')); +# $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID')); + +/********************************************* + * Unique attributes * + *********************************************/ + +/* You may want phpLDAPadmin to enforce some attributes to have unique values + (ie: not belong to other entries in your tree. This (together with + 'unique','dn' and 'unique','pass' option will not let updates to + occur with other attributes have the same value. */ +# $servers->setValue('unique','attrs',array('mail','uid','uidNumber')); + +/* If you set this, then phpldapadmin will bind to LDAP with this user ID when + searching for attribute uniqueness. The idea is, this user id would have full + (readonly) access to your ldap directory (the logged in user may not), so + that you can be guaranteed to get a unique uidnumber for your directory. */ +// $servers->setValue('unique','dn',null); + +/* The password for the dn above. */ +// $servers->setValue('unique','pass',null); + +/************************************************************************** + * If you want to configure additional LDAP servers, do so below. * + * Remove the commented lines and use this section as a template for all * + * your other LDAP servers. * + **************************************************************************/ + +/* +$servers->newServer('ldap_pla'); +$servers->setValue('server','name','LDAP Server'); +$servers->setValue('server','host','127.0.0.1'); +$servers->setValue('server','port',389); +$servers->setValue('server','base',array('')); +$servers->setValue('login','auth_type','cookie'); +$servers->setValue('login','bind_id',''); +$servers->setValue('login','bind_pass',''); +$servers->setValue('server','tls',false); + +# SASL auth +$servers->setValue('login','auth_type','sasl'); +$servers->setValue('sasl','mech','GSSAPI'); +$servers->setValue('sasl','realm','EXAMPLE.COM'); +$servers->setValue('sasl','authz_id',null); +$servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i'); +$servers->setValue('sasl','authz_id_replacement','$1'); +$servers->setValue('sasl','props',null); + +$servers->setValue('appearance','password_hash','md5'); +$servers->setValue('login','attr','dn'); +$servers->setValue('login','fallback_dn',false); +$servers->setValue('login','class',null); +$servers->setValue('server','read_only',false); +$servers->setValue('appearance','show_create',true); + +$servers->setValue('auto_number','enable',true); +$servers->setValue('auto_number','mechanism','search'); +$servers->setValue('auto_number','search_base',null); +$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500)); +$servers->setValue('auto_number','dn',null); +$servers->setValue('auto_number','pass',null); + +$servers->setValue('login','anon_bind',true); +$servers->setValue('custom','pages_prefix','custom_'); +$servers->setValue('unique','attrs',array('mail','uid','uidNumber')); +$servers->setValue('unique','dn',null); +$servers->setValue('unique','pass',null); + +$servers->setValue('server','visible',true); +$servers->setValue('login','timeout',30); +$servers->setValue('server','branch_rename',false); +$servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime')); +$servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock')); +$servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID')); +*/ +?> + diff --git a/Workbench/directory/container_files/httpd/phpMyAdmin.conf b/Workbench/directory/container_files/httpd/phpMyAdmin.conf new file mode 100644 index 0000000..98e9d17 --- /dev/null +++ b/Workbench/directory/container_files/httpd/phpMyAdmin.conf @@ -0,0 +1,77 @@ +# phpMyAdmin - Web based MySQL browser written in php +# +# Allows only localhost by default +# +# But allowing phpMyAdmin to anyone other than localhost should be considered +# dangerous unless properly secured by SSL + +Alias /phpMyAdmin /usr/share/phpMyAdmin +Alias /phpmyadmin /usr/share/phpMyAdmin + + + AddDefaultCharset UTF-8 + + + # Apache 2.4 + + Require all granted + Require ip 127.0.0.1 + Require ip ::1 + + + + # Apache 2.2 + Order Deny,Allow + Deny from All + Allow from 127.0.0.1 + Allow from ::1 + + + + + + # Apache 2.4 + + Require all granted + Require ip 127.0.0.1 + Require ip ::1 + + + + # Apache 2.2 + Order Deny,Allow + Deny from All + Allow from 127.0.0.1 + Allow from ::1 + + + +# These directories do not require access over HTTP - taken from the original +# phpMyAdmin upstream tarball +# + + Order Deny,Allow + Deny from All + Allow from None + + + + Order Deny,Allow + Deny from All + Allow from None + + + + Order Deny,Allow + Deny from All + Allow from None + + +# This configuration prevents mod_security at phpMyAdmin directories from +# filtering SQL etc. This may break your mod_security implementation. +# +# +# +# SecRuleInheritance Off +# +# diff --git a/Workbench/directory/container_files/httpd/phpldapadmin.conf b/Workbench/directory/container_files/httpd/phpldapadmin.conf new file mode 100644 index 0000000..a4264ec --- /dev/null +++ b/Workbench/directory/container_files/httpd/phpldapadmin.conf @@ -0,0 +1,21 @@ +# +# Web-based tool for managing LDAP servers +# + +Alias /phpldapadmin /usr/share/phpldapadmin/htdocs +Alias /ldapadmin /usr/share/phpldapadmin/htdocs + + + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order Deny,Allow + Deny from all + Allow from 127.0.0.1 + Allow from ::1 + + + diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html index 826a26b..6476c86 100644 --- a/Workbench/webproxy/container_files/httpd/index.html +++ b/Workbench/webproxy/container_files/httpd/index.html @@ -15,6 +15,8 @@

    Welcome to the InCommon TAP Workbench!

  • Grouper
  • midPoint
  • Rabbit MQ
    • +
  • LDAP Admin
    • +
  • SQL Admin
  • COmanage (coming soon)
    • diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index 150e6bf..4530105 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -32,6 +32,12 @@ ProxyPassReverse /img http://mq:15672/img ProxyPass /api http://mq:15672/api ProxyPassReverse /api http://mq:15672/api +ProxyPass /ldapadmin https://directory/ldapadmin +ProxyPassReverse /ldapadmin https://directory/ldapadmin + +ProxyPass /phpmyadmin https://directory/phpmyadmin +ProxyPassReverse /phpmyadmin https://directory/phpmyadmin + ProxyPass /comanage https://comanage/ ProxyPassReverse /comanage https://comanage/