From 8a7665b5a12405e02fd04341ce41a047d4a1f3a1 Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Fri, 21 Apr 2017 11:04:34 -0700 Subject: [PATCH 1/2] README.md: reorganize README * Highlights that dex is NOT a user-management system. * Highlights ID Tokens as dex's primary feature. * General cleanup. --- README.md | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 3a2c8b4f..1474b17a 100644 --- a/README.md +++ b/README.md 
@@ -6,20 +6,45 @@ ![logo](Documentation/logos/dex-horizontal-color.png) -Dex is an OpenID Connect server that connects to other identity providers. Clients use a standards-based OAuth2 flow to login users, while the actual authentication is performed by established user management systems such as Google, GitHub, FreeIPA, etc. +Dex is an identity service that uses [OpenID Connect][openid-connect] to drive authentication for other apps. -[OpenID Connect][openid-connect] is a flavor of OAuth that builds on top of OAuth2 using the JOSE standards. This allows dex to provide: +Dex is NOT a user-management system, but acts as a portal to other identity providers through "connectors." This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend. -* Short-lived, signed tokens with standard fields (such as email) issued on behalf of users. -* "well-known" discovery of OAuth2 endpoints. -* OAuth2 mechanisms such as refresh tokens and revocation for long term access. -* Automatic signing key rotation. +## ID Tokens -Standards-based token responses allows applications to interact with any OpenID Connect server instead of writing backend specific "access_token" dances. Systems that can already consume ID Tokens issued by dex include: +ID Tokens are an OAuth2 extension introduced by OpenID Connect and dex's primary feature. ID Tokens are [JSON Web Tokens][jwt-io] (JWTs) signed by dex and returned as part of the OAuth2 response that attest to the end user's identity. 
An example JWT might look like: + +``` +eyJhbGciOiJSUzI1NiIsImtpZCI6IjlkNDQ3NDFmNzczYjkzOGNmNjVkZDMyNjY4NWI4NjE4MGMzMjRkOTkifQ.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjU1NTYvZGV4Iiwic3ViIjoiQ2djeU16UXlOelE1RWdabmFYUm9kV0kiLCJhdWQiOiJleGFtcGxlLWFwcCIsImV4cCI6MTQ5Mjg4MjA0MiwiaWF0IjoxNDkyNzk1NjQyLCJhdF9oYXNoIjoiYmk5NmdPWFpTaHZsV1l0YWw5RXFpdyIsImVtYWlsIjoiZXJpYy5jaGlhbmdAY29yZW9zLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJncm91cHMiOlsiYWRtaW5zIiwiZGV2ZWxvcGVycyJdLCJuYW1lIjoiRXJpYyBDaGlhbmcifQ.OhROPq_0eP-zsQRjg87KZ4wGkjiQGnTi5QuG877AdJDb3R2ZCOk2Vkf5SdP8cPyb3VMqL32G4hLDayniiv8f1_ZXAde0sKrayfQ10XAXFgZl_P1yilkLdknxn6nbhDRVllpWcB12ki9vmAxklAr0B1C4kr5nI3-BZLrFcUR5sQbxwJj4oW1OuG6jJCNGHXGNTBTNEaM28eD-9nhfBeuBTzzO7BKwPsojjj4C9ogU4JQhGvm_l4yfVi0boSx8c0FX3JsiB0yLa1ZdJVWVl9m90XmbWRSD85pNDQHcWZP9hR6CMgbvGkZsgjG32qeRwUL_eNkNowSBNWLrGNPoON1gMg +``` + +ID Tokens contains standard claims assert which client app logged the user in, when the token expires, and the identity of the user. + +```json +{ + "iss": "http://127.0.0.1:5556/dex", + "sub": "CgcyMzQyNzQ5EgZnaXRodWI", + "aud": "example-app", + "exp": 1492882042, + "iat": 1492795642, + "at_hash": "bi96gOXZShvlWYtal9Eqiw", + "email": "jane.doe@coreos.com", + "email_verified": true, + "groups": [ + "admins", + "developers" + ], + "name": "Jane Doe" +} +``` + +Because these tokens are signed by dex and [contain standard-based claims][standard-claims] other services can consume them as service-to-service credentials. Systems that can already consume OpenID Connect ID Tokens issued by dex include: * [Kubernetes][kubernetes] * [AWS STS][aws-sts] +For details on how to request or validate an ID Token, see [_"Writing apps that use dex"_][using-dex]. + ## Kubernetes + dex Dex's main production use is as an auth-N addon in CoreOS's enterprise Kubernetes solution, [Tectonic][tectonic]. Dex runs natively on top of any Kubernetes cluster using Third Party Resources and can drive API server authentication through the OpenID Connect plugin. 
Clients, such as the [Tectonic Console][tectonic-console] and `kubectl`, can act on behalf users who can login to the cluster through any identity provider dex supports. @@ -29,11 +54,11 @@ More docs for running dex as a Kubernetes authenticator can be found [here](Docu ## Documentation * [Getting started](Documentation/getting-started.md) -* [Writing apps that use dex](Documentation/using-dex.md) +* [Intro to OpenID Connect](Documentation/openid-connect.md) +* [Writing apps that use dex][using-dex] * [What's new in v2](Documentation/v2.md) * [Custom scopes, claims, and client features](Documentation/custom-scopes-claims-clients.md) * [Storage options](Documentation/storage.md) -* [Intro to OpenID Connect](Documentation/openid-connect.md) * [gRPC API](Documentation/api.md) * [Using Kubernetes with dex](Documentation/kubernetes.md) * Identity provider logins @@ -56,6 +81,9 @@ Due to their public nature, GitHub and mailing lists are NOT appropriate places * For more details on dex development plans, check out the GitHub [milestones][milestones]. [openid-connect]: https://openid.net/connect/ +[standard-claims]: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims +[using-dex]: Documentation/using-dex.md +[jwt-io]: https://jwt.io/ [kubernetes]: http://kubernetes.io/docs/admin/authentication/#openid-connect-tokens [aws-sts]: https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html [tectonic]: https://tectonic.com/ From c400e860feec125fa9f9a30e507318edf04f183f Mon Sep 17 00:00:00 2001 From: Eric Chiang Date: Fri, 21 Apr 2017 14:22:46 -0700 Subject: [PATCH 2/2] Documentation: more diagrams --- Documentation/img/dex-backend-flow.png | Bin 0 -> 29612 bytes Documentation/using-dex.md | 3 +++ 2 files changed, 3 insertions(+) create mode 100644 Documentation/img/dex-backend-flow.png 
diff --git a/Documentation/img/dex-backend-flow.png b/Documentation/img/dex-backend-flow.png new file mode 100644 index 0000000000000000000000000000000000000000..457394227749285f3d432fd5919044e8f2feff02 GIT binary patch literal 29612