From e4a78072308de4336718e3e3a4531c09b624e0a5 Mon Sep 17 00:00:00 2001
From: Jingze <52855280+Jing-ze@users.noreply.github.com>
Date: Tue, 27 Aug 2024 17:16:59 +0800
Subject: [PATCH] feat: OIDC wasm plugin (#1049)
---
plugins/wasm-go/extensions/oidc/README.md | 413 ++++++++++--
plugins/wasm-go/extensions/oidc/VERSION | 1 -
plugins/wasm-go/extensions/oidc/doc/Oidc.md | 199 ------
.../wasm-go/extensions/oidc/doc/auth0_0.png | Bin 25365 -> 0 bytes
.../wasm-go/extensions/oidc/doc/auth0_1.png | Bin 63222 -> 0 bytes
.../extensions/oidc/doc/keycloak_0.png | Bin 121093 -> 0 bytes
.../extensions/oidc/doc/keycloak_1.png | Bin 58712 -> 0 bytes
.../extensions/oidc/doc/keycloak_2.png | Bin 116997 -> 0 bytes
.../extensions/oidc/doc/keycloak_3.png | Bin 36739 -> 0 bytes
.../wasm-go/extensions/oidc/doc/oath_2.png | Bin 36720 -> 0 bytes
.../wasm-go/extensions/oidc/doc/okta_1.png | Bin 112822 -> 0 bytes
.../wasm-go/extensions/oidc/doc/okta_2.png | Bin 126722 -> 0 bytes
.../wasm-go/extensions/oidc/doc/okta_3.png | Bin 61518 -> 0 bytes
.../wasm-go/extensions/oidc/doc/okta_4.png | Bin 36951 -> 0 bytes
plugins/wasm-go/extensions/oidc/go.mod | 30 +-
plugins/wasm-go/extensions/oidc/go.sum | 92 ++-
plugins/wasm-go/extensions/oidc/main.go | 296 +++------
plugins/wasm-go/extensions/oidc/oc/config.go | 116 ----
plugins/wasm-go/extensions/oidc/oc/cookie.go | 188 ------
.../wasm-go/extensions/oidc/oc/encryption.go | 76 ---
.../wasm-go/extensions/oidc/oc/exchange.go | 256 -------
plugins/wasm-go/extensions/oidc/oc/jwks.go | 628 ------------------
.../wasm-go/extensions/oidc/oc/provider.go | 290 --------
plugins/wasm-go/extensions/oidc/oc/util.go | 112 ----
plugins/wasm-go/extensions/oidc/oc/verifer.go | 219 ------
25 files changed, 488 insertions(+), 2428 deletions(-)
delete mode 100644 plugins/wasm-go/extensions/oidc/VERSION
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/Oidc.md
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/auth0_0.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/auth0_1.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/keycloak_0.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/keycloak_1.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/keycloak_2.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/keycloak_3.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/oath_2.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/okta_1.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/okta_2.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/okta_3.png
delete mode 100644 plugins/wasm-go/extensions/oidc/doc/okta_4.png
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/config.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/cookie.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/encryption.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/exchange.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/jwks.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/provider.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/util.go
delete mode 100644 plugins/wasm-go/extensions/oidc/oc/verifer.go
diff --git a/plugins/wasm-go/extensions/oidc/README.md b/plugins/wasm-go/extensions/oidc/README.md
index 0eccaa866..d967b2997 100644
--- a/plugins/wasm-go/extensions/oidc/README.md
+++ b/plugins/wasm-go/extensions/oidc/README.md
@@ -1,58 +1,222 @@
-# 功能说明
-`oidc` 本插件实现了 OIDC 认证能力, 插件目前存在的 CSRF 攻击问题,不建议用于生产环境
+# OIDC Wasm 插件
-# 配置字段
-| 字段 | 数据类型 | 填写要求 | 默认值 | 描述 |
-|-------------------|--------|------|------------|------------------------------------------------------------------|
-| issuer | string | 必填 | - | 设置认证服务的 issuer ,即签发人。 |
-| client_id | string | 必填 | - | 输入服务注册的应用 ID 。 |
-| client_secret | string | 必填 | - | 输入服务注册的应用 Secret 。 |
-| redirect_url | string | 必填 | - | 输入授权成功后的重定向地址,需要与 OIDC 中配置的重定向地址保持一致。该地址的后缀需为 (oauth2/callback)。 |
-| client_url | string | 必填 | - | 登陆成功跳转后的地址,如果未跳转成功,请检查设置的 cookiename 是否重复。 |
-| scopes | Array | 必填 | - | 输入授权作用域的数组。 |
-| skip_expiry_check | bool | 选填 | false | 控制是否检测 IDToken 的过期状态。 |
-| skip_nonce_check | bool | 选填 | true | 控制是否检测 Nonce 值。 |
-| timeout_millis | int | 选填 | 500 | 设置请求与认证服务连接的超时时长。如果频繁遇到超时错误,建议增加该时长。 |
-| cookie_name | string | 选填 | "_oidc_wasm" | 设置 cookie 的名称, 如果一个域名下多个路由设置不同的认证服务,建议设置不同名称。 |
-| cookie_domain | string | 必填 | - | 设置 cookie 的域名。 |
-| cookie_path | string | 选填 | "/" | 设置 cookie 的存储路径。 |
-| cookie_secure | bool | 选填 | false | 控制 cookie 是否只在 HTTPS 下传输。 |
-| cookie_httponly | bool | 选填 | true | 控制 cookie 是否仅限于 HTTP 传输,禁止JavaScript访问。 |
-| cookie_samesite | string | 选填 | "Lax" | 设置 cookie 的 SameSite 属性,如:"Lax", "none"。第三方跳转一般建议默认设置为Lax |
-| service_source | string | 必填 | - | 类型为固定 ip 或者 DNS ,输入认证 oidc 服务的注册来源。 |
-| service_name | string | 必填 | - | 输入认证 oidc 服务的注册名称。 |
-| service_port | int | 必填 | - | 输入认证 oidc 服务的服务端口。 |
-| service_host | string | 必填 | - | 当类型为固定ip时必须填写,输入认证 oidc 服务的主机名。 |
-| service_domain | string | 必填 | - | 当类型为DNS时必须填写,输入认证 oidc 服务的domain。 |
+## 简介
-这是一个用于OIDC认证配置的表格,确保在提供所有必要的信息时遵循上述指导。
-# 配置示例
-- 固定ip
-```yaml
-issuer: "http://127.0.0.1:9090/realms/myrealm"
-redirect_url: "http://foo.bar.com/bar/oauth2/callback"
-client_url: "http://foo.bar.com/"
-scopes:
- - "openid"
- - "email"
-cookie_name: "_oauth2_wasm_keyclocak"
-cookie_domain: "foo.bar.com"
-client_id: "xxxxxxxxxxxx"
-client_secret: "xxxxxxxxxxxxxx"
-service_host: "127.0.0.1:9090"
-service_name: "keyclocak"
-service_port: 80
-service_source: "ip"
+本仓库提供了一个高度可集成的Wasm插件支持OpenID Connect(OIDC)身份认证,同时强化了对跨站请求伪造(CSRF)攻击的防御能力,支持OpenID Connect协议中的Logout Endpoint。在通过Wasm插件OIDC验证后的请求会携带 `Authorization`的标头对应Access Token。
+
+### OIDC 流程图
+
+
+ 
+
+
+### OIDC 流程解析
+
+1. 模拟用户访问对应服务api
+
+ ```shell
+ curl --url "foo.bar.com/headers"
+ ```
+
+2. Higress重定向到OIDC Provider登录页同时携带client_id、response_type、scope等OIDC认证的参数并设置csrf cookie防御CSRF攻击
+
+ ```shell
+ curl --url "https://dev-o43xb1mz7ya7ach4.us.auth0.com/authorize"\
+ --url-query "approval_prompt=force" \
+ --url-query "client_id=YagFqRD9tfNIaac5BamjhsSatjrAnsnZ" \
+ --url-query "redirect_uri=http%3A%2F%2Ffoo.bar.com%2Foauth2%2Fcallback" \
+ --url-query "response_type=code" \
+ --url-query "scope=openid+email+offline_access" \
+ --url-query "state=nT06xdCqn4IqemzBRV5hmO73U_hCjskrH_VupPqdcdw%3A%2Ffoo" \
+ --header "Set-Cookie: _oauth2_proxy_csrf=LPruATEDgcdmelr8zScD_ObhsbP4zSzvcgmPlcNDcJpFJ0OvhxP2hFotsU-kZnYxd5KsIjzeIXGTOjf8TKcbTHbDIt-aQoZORXI_0id3qeY0Jt78223DPeJ1xBqa8VO0UiEOUFOR53FGxirJOdKFxaAvxDFb1Ok=|1718962455|V1QGWyjQ4hMNOQ4Jtf17HeQJdVqHdt5d65uraFduMIU=; Path=/; Expires=Fri, 21 Jun 2024 08:06:20 GMT; HttpOnly"
+ ```
+
+3. 用户在登录页进行登录
+
+
+
+4. 携带授权重定向到Higress并携带了state参数用于验证CSRF Cookie,授权code用于交换Token
+
+ ```shell
+ curl --url "http://foo.bar.com/oauth2/callback" \
+ --url-query "state=nT06xdCqn4IqemzBRV5hmO73U_hCjskrH_VupPqdcdw%3A%2Ffoo" \
+ --url-query "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm"
+ ```
+
+5. 利用授权交换id_token和access_token
+
+ ```shell
+ curl -X POST \
+ --url "https://dev-o43xb1mz7ya7ach4.us.auth0.com/oauth/token" \
+ --data "grant_type=authorization_code" \
+ --data "client_id=YagFqRD9tfNIaac5BamjhsSatjrAnsnZ" \
+ --data "client_secret=ekqv5XoZuMFtYms1NszEqRx03qct6BPvGeJUeptNG4y09PrY16BKT9IWezTrrhJJ" \
+ --data "redirect_uri=http%3A%2F%2Ffoo.bar.com%2Foauth2%2Fcallback" \
+ --data "code=0bdopoS2c2lx95u7iO0OH9kY1TvaEdJHo4lB6CT2_qVFm" \
+ ```
+
+ 返回的请求里包含了id_token, access_token,refresh_token用于后续刷新access_token
+
+ ```json
+ {
+ "access_token": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtbzQzeGIxbXo3eWE3YWNoNC51cy5hdXRoMC5jb20vIn0..WP_WRVM-y3fM1sN4.fAQqtKoKZNG9Wj0OhtrMgtsjTJ2J72M2klDRd9SvUKGbiYsZNPmIl_qJUf81D3VIjD59o9xrOOJIzXTgsfFVA2x15g-jBlNh68N7dyhXu9237Tbplweu1jA25IZDSnjitQ3pbf7xJVIfPnWcrzl6uT8G1EP-omFcl6AQprV2FoKFMCGFCgeafuttppKe1a8mpJDj7AFLPs-344tT9mvCWmI4DuoLFh0PiqMMJBByoijRSxcSdXLPxZng84j8JVF7H6mFa-dj-icP-KLy6yvzEaRKz_uwBzQCzgYK434LIpqw_PRuN3ClEsenwRgIsNdVjvKcoAysfoZhmRy9BQaE0I7qTohSBFNX6A.mgGGeeWgugfXcUcsX4T5dQ",
+ "refresh_token": "GrZ1f2JvzjAZQzSXmyr1ScWbv8aMFBvzAXHBUSiILcDEG",
+ "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Imc1Z1ExSF9ZbTY0WUlvVkQwSVpXTCJ9.eyJlbWFpbCI6IjE2MDExNTYyNjhAcXEuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL2Rldi1vNDN4YjFtejd5YTdhY2g0LnVzLmF1dGgwLmNvbS8iLCJhdWQiOiJZYWdGcVJEOXRmTklhYWM1QmFtamhzU2F0anJBbnNuWiIsImlhdCI6MTcxOTE5ODYzOCwiZXhwIjoxNzE5MjM0NjM4LCJzdWIiOiJhdXRoMHw2NjVkNzFlNzRjMTMxMTc3YmU2NmU2MDciLCJzaWQiOiJjdDJVOF9ZUS16VDdFOGkwRTNNeUstejc5ZGlWUWhhVSJ9.gfzXKJ0FeqzYqOUDLQHWcUG19IOLqkpLN09xTmIat0umrlGV5VNSumgWH3XJmmwnhdb8AThH3Jf-7kbRJzu4rM-BbGbFTRBTzNHeUajFOFrIgld5VENQ_M_sXHkTp0psWKSr9vF24kmilCfSbvC5lBKjt878ljZ7-xteWuaUYOMUdcJb4DSv0-zjX01sonJxYamTlhji3M4TAW7VwhwqyZt8dBhVSNaRw1wUKj-M1JrBDLyx65sroZtSqVA0udIrqMHEbWYb2de7JjzlqG003HRMzwOm7OXgEd5ZVFqgmBLosgixOU5DJ4A26nlqK92Sp6VqDMRvA-3ym8W_m-wJ_A",
+ "scope": "openid email offline_access",
+ "expires_in": 86400,
+ "token_type": "Bearer"
+ }
+ ```
+
+6. 将获得的id_token和access_token加密存储在Cookie _oauth2_proxy中,用于后续用户登录状态的验证,同时清除Cookie _oauth2_proxy_csrf
+
+ ```json
+ "Set-Cookie": [
+ "_oauth2_proxy_csrf=; Path=/; Expires=Mon, 24 Jun 2024 02:17:39 GMT; HttpOnly",
+ "_oauth2_proxy=8zM_Pcfpp_gesKFe4SMg08o5Iv0A8WAOQOmG1-vZBbQ56UggYVC0Cu-gFMEoxJZU5q1O5vqRlVBizlLetgVjRCksGVbttwl8tQ7h5YiyIubbbtvF1T4JzLh3QfzUUrwbB-VznOkh8qLbjAhddocecjBt4rMiDyceKXqMr4eO5TUEMx4vHtJYnTYalMeTYhGXk5MNSyrdZX9NnQnkdrCjiOQM13ggwob2nYwhGWaAlgzFSWkgkdtBy2Cl_YMWZ8_gKk9rDX289-JrJyGpr5k9O9RzRhZoY2iE3Mcr8-Q37RTji1Ga22QO-XkAcSaGqY1Qo7jLdmgZTYKC5JvtdLc4rj3vcbveYxU7R3Pt2vEribQjKTh4Sqb0aA03p4cxXyZN4SUfBW1NAOm4JLPUhKJy8frqC9_E0nVqPvpvnacaoQs8WkX2zp75xHoMa3SD6KZhQ5JUiPEiNkOaUsyafLvht6lLkNDhgzW3BP2czoe0DCDBLnsot0jH-qQpMZYkaGr-ZnRKI1OPl1vHls3mao5juOAW1VB2A9aughgc8SJ55IFZpMfFMdHdTDdMqPODkItX2PK44GX-pHeLxkOqrzp3GHtMInpL5QIQlTuux3erm3CG-ntlUE7JBtN2T9LEb8XfIFu58X9_vzMun4JQlje2Thi9_taI_z1DSaTtvNNb54wJfSPwYCCl4OsH-BacVmPQhH6TTZ6gP2Qsm5TR2o1U2D9fuVkSM-OPCG9l3tILambIQwC3vofMW6X8SIFSmhJUDvN7NbwxowBiZ6Y7GJRZlAk_GKDkpsdrdIvC67QqczZFphRVnm6qi-gPO41APCbcO6fgTwyOhbP3RrZZKWSIqWJYhNE3_Sfkf0565H7sC7Hc8XUUjJvP3WnjKS9x7KwzWa-dsUjV3-Q-VNl-rXTguVNAIirYK-qrMNMZGCRcJqcLnUF0V_J2lVmFyVsSlE3t0sDw2xmbkOwDptXFOjQL5Rb4esUMYdCBWFajBfvUtcZEFtYhD0kb6VcbjXO3NCVW5qKh_l9C9SRCc7TG1vcRAqUQlRXHacTGWfcWsuQkCJ3Mp_oWaDxs1GRDykQYxAn5sTICovThWEU2C6o75grWaNrkj5NU-0eHh3ryvxLmGLBOXZV9OQhtKShWmUgywSWMxOHOuZAqdAPULc8KheuGFjXYp-RnCbFYWePJmwzfQw89kSkj1KUZgMYwKEjSz62z2qc9KLczomv76ortQzvo4Hv9kaW6xVuQj5R5Oq6_WMBOqsmUMzcXpxCIOGjcdcZRBc0Fm09Uy9oV1PRqvAE4PGtfyrCaoqILBix8UIww63B07YGwzQ-hAXDysBK-Vca2x7GmGdXsNXXcTgu00bdsjtHZPDBBWGfL3g_rMAXr2vWyvK4CwNjcaPAmrlF3geHPwbIePT0hskBboX1v1bsuhzsai7rGM4r53pnb1ZEoTQDa1B-HyokFgo14XiwME0zE1ifpNzefjpkz1YY2krJlqfCydNwoKaTit4tD2yHlnxAeFF9iIrxzSKErNUFpmyLa7ge7V33vhEH-6k5oBTLE2Q2BrC6aAkLCcPwU9xv_SzBDQPRY0MEYv3kGF03Swo1crRbGh-aifYX9NiHDsmG6r1vAnx0MAOw2Jzuz2x6SSdfBrzlcoWBlrwiZzd9kAKq75n1Uy9uzZ8SRnkBrEZySHBwEbu196VklkRE0jqwC-e3wWNNuviSOfwkVeX-7QdOoO10yw9VK2sW52lFvIEf4chv_ta7bGfAZOWBjpktG6ZLD81SE6A88zpqG2SysSyNMp9hl-umG-5sFsjCn_c9E8bDvwkUOUVb9bNqhBDsZgR0BNPawiOZjmyfhzmwmWf-zgFzfFSV6BvOwNRi3sCOHTsWcuk9NBQ_YK8CpNkVl3WeIBSDfidimuC_QV9UWKs1GPk35ZRkM4zKtLY2JsBFWKaDy_P80TcOzcMBoP8gIBClXZ-WUqfE8s1yyc4jrq-qL1_wJ24ef1O9FktsbyZiDKXw2vnqsT8-g_hCeG-unrT1ZFscf8oNdqczARHX-K4vKH2k3uIqEx1M=|1719199056|2rsgdUIClHNEpxBLlHOVRYup6e4oKensQfljtmn4B80=; Path=/; Expires=Mon, 01 Jul 2024 03:17:36 GMT; HttpOnly"
+ ]
+ ```
+
+7. 携带 Authorization的标头对应access_token访问对应api
+
+ ```shell
+ curl --url "foo.bar.com/headers"
+ --header "Authorization: Bearer eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtbzQzeGIxbXo3eWE3YWNoNC51cy5hdXRoMC5jb20vIn0..WP_WRVM-y3fM1sN4.fAQqtKoKZNG9Wj0OhtrMgtsjTJ2J72M2klDRd9SvUKGbiYsZNPmIl_qJUf81D3VIjD59o9xrOOJIzXTgsfFVA2x15g-jBlNh68N7dyhXu9237Tbplweu1jA25IZDSnjitQ3pbf7xJVIfPnWcrzl6uT8G1EP-omFcl6AQprV2FoKFMCGFCgeafuttppKe1a8mpJDj7AFLPs-344tT9mvCWmI4DuoLFh0PiqMMJBByoijRSxcSdXLPxZng84j8JVF7H6mFa-dj-icP-KLy6yvzEaRKz_uwBzQCzgYK434LIpqw_PRuN3ClEsenwRgIsNdVjvKcoAysfoZhmRy9BQaE0I7qTohSBFNX6A.mgGGeeWgugfXcUcsX4T5dQ"
+ ```
+
+8. 后端服务根据access_token获取用户信息并返回对应的Http响应
+
+ ```json
+ {
+ "email": "******",
+ "email_verified": false,
+ "iss": "https://dev-o43xb1mz7ya7ach4.us.auth0.com/",
+ "aud": "YagFqRD9tfNIaac5BamjhsSatjrAnsnZ",
+ "iat": 1719198638,
+ "exp": 1719234638,
+ "sub": "auth0|665d71e74c131177be66e607",
+ "sid": "ct2U8_YQ-zT7E8i0E3MyK-z79diVQhaU"
+ }
+ ```
+
+## 配置
+
+### 配置项
+
+| Option | Type | Description | Default |
+| ----------------------------- | ------------ | ------------------------------------------------------------ | ----------------- |
+| cookie_name | string | the name of the cookie that the oauth_proxy creates. Should be changed to use a [cookie prefix](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes) (`__Host-` or `__Secure-`) if `--cookie-secure` is set. | `"_oauth2_proxy"` |
+| cookie_secret | string | the seed string for secure cookies (optionally base64 encoded) | |
+| cookie_domains | string\|list | Optional cookie domains to force cookies to (e.g. `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match). | |
+| cookie_path | string | an optional cookie path to force cookies to (e.g. `/poc/`) | `"/"` |
+| cookie_expire | duration | expire timeframe for cookie. If set to 0, cookie becomes a session-cookie which will expire when the browser is closed. | 168h0m0s |
+| cookie_refresh | duration | refresh the cookie after this duration; `0` to disable | |
+| cookie_secure | bool | set [secure (HTTPS only) cookie flag](https://owasp.org/www-community/controls/SecureFlag) | true |
+| cookie_httponly | bool | set HttpOnly cookie flag | true |
+| cookie_samesite | string | set SameSite cookie attribute (`"lax"`, `"strict"`, `"none"`, or `""`). | `""` |
+| cookie_csrf_per_request | bool | Enable having different CSRF cookies per request, making it possible to have parallel requests. | false |
+| cookie_csrf_expire | duration | expire timeframe for CSRF cookie | 15m |
+| client_id | string | the OAuth Client ID | |
+| client_secret | string | the OAuth Client Secret | |
+| provider | string | OAuth provider | oidc |
+| pass_authorization_header | bool | pass OIDC IDToken to upstream via Authorization Bearer header | true |
+| oidc_issuer_url | string | the OpenID Connect issuer URL, e.g. `"https://dev-o43xb1mz7ya7ach4.us.auth0.com"` | |
+| oidc_verifier_request_timeout | uint32 | OIDC verifier discovery request timeout | 2000(ms) |
+| scope | string | OAuth scope specification | |
+| redirect_url | string | the OAuth Redirect URL, e.g. `"https://internalapp.yourcompany.com/oauth2/callback"` | |
+| service_name | string | registered name of the OIDC service, e.g. `auth.dns`, `keycloak.static` | |
+| service_port | int64 | service port of the OIDC service | |
+| service_host | string | host of the OIDC service when type is static ip | |
+| match_type | string | match type (`whitelist` or `blacklist`) | `"whitelist"` |
+| match_list | rule\|list | a list of (match_rule_domain, match_rule_path, and match_rule_type). | |
+| match_rule_domain | string | match rule domain, support wildcard pattern such as `*.bar.com` | |
+| match_rule_path | string | match rule path such as `/headers` | |
+| match_rule_type | string | match rule type can be `exact` or `prefix` or `regex` | |
+
+### 生成 Cookie 密钥
+
+``` python
+python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
```
-- DNS域名
-- 在服务来源中注册好服务后,创建对应的ingress
+
+参考:[Oauth2-proxy Generating a Cookie Secret](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#generating-a-cookie-secret)
+
+### 黑白名单模式
+
+支持黑白名单模式配置,默认为白名单模式,白名单为空,即所有请求都需要经过验证,匹配域名支持泛域名例如`*.bar.com`,匹配规则支持精确匹配`exact`,前缀匹配`prefix`,正则匹配`regex`
+
+* **白名单模式**
+
+```yaml
+match_type: 'whitelist'
+match_list:
+ - match_rule_domain: '*.bar.com'
+ match_rule_path: '/foo'
+ match_rule_type: 'prefix'
+```
+
+泛域名`*.bar.com`下前缀匹配`/foo`的请求无需验证
+
+* **黑名单模式**
+
+```yaml
+match_type: 'blacklist'
+match_list:
+ - match_rule_domain: '*.bar.com'
+ match_rule_path: '/headers'
+ match_rule_type: 'prefix'
+```
+
+只有泛域名`*.bar.com`下前缀匹配`/header`的请求需要验证
+
+### 注销用户
+
+注销用户需重定向到`/oauth2/sign_out`这个端点。这个端点仅移除oauth2-proxy自己设置的cookie,也就是说,用户仍然在OIDC Provider处保持登录状态,并且在再次访问应用时可能会自动重新登录。因此还需要使用`rd`查询参数将用户重定向到认证提供商的注销页面,即重定向用户到类似如下地址(注意URL编码!):
+
+```
+/oauth2/sign_out?rd=https%3A%2F%2Fmy-oidc-provider.example.com%2Fsign_out_page
+```
+
+或者,可以在`X-Auth-Request-Redirect`头部中包含重定向URL:
+
+```
+GET /oauth2/sign_out HTTP/1.1
+X-Auth-Request-Redirect: https://my-oidc-provider.example.com/sign_out_page
+...
+```
+
+重定向URL中可以包含`post_logout_redirect_uri`参数指定OIDC Provider登出后跳转到的页面,例如后端服务的登出页面,不携带该参数则默认跳转到OIDC Provider的登出页面,详情见下方auth0和keycloak的示例(如果OIDC Provider支持会话管理和发现,那么"sign_out_page"应该是从[metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)中获取的`end_session_endpoint`)
+
+### OIDC 服务 HTTPS 协议
+
+如果 OIDC Provider 为 HTTPS 协议,参考Higress中[配置后端服务协议:HTTPS](https://higress.io/docs/latest/user/annotation-use-case/#%E9%85%8D%E7%BD%AE%E5%90%8E%E7%AB%AF%E6%9C%8D%E5%8A%A1%E5%8D%8F%E8%AE%AEhttps%E6%88%96grpc)的说明需要通过使用注解`higress.io/backend-protocol: "HTTPS"`配置请求转发至后端服务使用HTTPS协议,参考Auth0示例中Ingress配置
+
+## 配置示例
+
+### Auth0 配置示例
+
+#### Step 1: 配置 Auth0 账户
+
+- 登录到开发人员 Okta 网站 [Developer Auth0 site](https://auth0.com/)
+- 注册测试 web 应用程序
+
+**注**:需填写Allowed Callback URLs, Allowed Logout URLs, Allowed Web Origins等配置项,否则 OIDC Provider 会认为用户跳转的重定向 URL 或登出 URL 无效
+
+#### Step 2: Higress 配置服务来源
+
+* 在Higress服务来源中创建auth0 DNS来源
+
+
+
+#### Step 3: OIDC 服务 HTTPS 配置
+
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
- name: example-ingress
+ name: auth0-ingress
annotations:
- higress.io/destination: okta.dns
+ higress.io/destination: auth.dns
higress.io/backend-protocol: "HTTPS"
higress.io/ignore-path-case: "false"
spec:
@@ -68,29 +232,152 @@ spec:
apiGroup: networking.higress.io
kind: McpBridge
name: default
-
```
-- 创建wasm插件
+
+#### Step 4: Wasm 插件配置
+
```yaml
-issuer: "https://dev-65874123.okta.com"
-redirect_url: "http://foo.bar.com/a/oauth2/callback"
-scopes:
- - "openid"
- - "email"
-client_url: "http://foo.bar.com/a"
-cookie_domain: "foo.bar.com"
-client_id: "xxxxxxxxxxxxxxx"
-client_secret: "xxxxxxx"
-service_domain: "dev-65874123.okta.com"
-service_name: "okta"
+redirect_url: 'http://foo.bar.com/oauth2/callback'
+oidc_issuer_url: 'https://dev-o43xb1mz7ya7ach4.us.auth0.com/'
+client_id: 'XXXXXXXXXXXXXXXX'
+client_secret: 'XXXXXXXXXXXXXXXX'
+scope: 'openid email offline_access'
+cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
+service_name: 'auth.dns'
service_port: 443
-service_source: "dns"
-timeout_millis: 2000
+match_type: 'whitelist'
+match_list:
+ - match_rule_domain: '*.bar.com'
+ match_rule_path: '/foo'
+ match_rule_type: 'prefix'
```
-在通过插件验证后会携带 `Authorization`的标头携带令牌
+**注**:必须先配置服务来源,wasm插件在初始化时需要访问配置的服务获取openid-configuration
+#### 访问服务页面,未登陆的话进行跳转
+
+#### 登陆成功跳转到服务页面
+headers中可以看到携带了_oauth2_proxy 的cookie用于下次登陆访问,Authorization对应IDToken用于后端服务获得用户信息
+
+
+#### 访问登出跳转到登出页面
+
+```
+http://foo.bar.com/oauth2/sign_out?rd=https%3A%2F%2Fdev-o43xb1mz7ya7ach4.us.auth0.com%2Foidc%2Flogout
+```
+
+
+
+#### 访问登出跳转到登出页面(携带post_logout_redirect_uri参数跳转指定uri)
+
+```
+http://foo.bar.com/oauth2/sign_out?rd=https%3A%2F%2Fdev-o43xb1mz7ya7ach4.us.auth0.com%2Foidc%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%3A%2F%2Ffoo.bar.com%2Ffoo
+```
+
+注:post_logout_redirect_uri跳转的uri需要在OIDC Provider Allowed URLs处配置才可以正常跳转
+
+
+
+### keycloak 配置示例
+
+#### Step 1: Get started with keycloak on docker
+
+
+
+**注**:需填写Valid redirect URIs, Valid post logout URIs, Web origins配置项,否则 OIDC Provider 会认为用户跳转的重定向 URL 或登出 URL 无效
+
+#### Step 2: Higress 配置服务来源
+
+* 在Higress服务来源中创建Keycloak固定地址服务
+
+
+
+#### Step 3: Wasm 插件配置
+
+```yaml
+redirect_url: 'http://foo.bar.com/oauth2/callback'
+oidc_issuer_url: 'http://127.0.0.1:9090/realms/myrealm'
+client_id: 'XXXXXXXXXXXXXXXX'
+client_secret: 'XXXXXXXXXXXXXXXX'
+scope: 'openid email'
+cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
+service_name: 'keycloak.static'
+service_port: 80
+service_host: '127.0.0.1:9090'
+match_type: 'blacklist'
+match_list:
+ - match_rule_domain: '*.bar.com'
+ match_rule_path: '/headers'
+ match_rule_type: 'prefix'
+```
+
+#### 访问服务页面,未登陆的话进行跳转
+
+
+
+#### 登陆成功跳转到服务页面
+
+
+
+#### 访问登出跳转到登出页面
+
+```
+http://foo.bar.com/oauth2/sign_out?rd=http%3A%2F%2F127.0.0.1:9090%2Frealms%2Fmyrealm%2Fprotocol%2Fopenid-connect%2Flogout
+```
+
+
+
+#### 访问登出跳转到登出页面(携带post_logout_redirect_uri参数跳转指定uri)
+
+```
+http://foo.bar.com/oauth2/sign_out?rd=http%3A%2F%2F127.0.0.1:9090%2Frealms%2Fmyrealm%2Fprotocol%2Fopenid-connect%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%3A%2F%2Ffoo.bar.com%2Ffoo
+```
+
+
+
+### Aliyun 配置示例
+
+#### Step 1: 配置 Aliyun OAuth应用
+
+参考[Web应用登录阿里云](https://help.aliyun.com/zh/ram/user-guide/access-alibaba-cloud-apis-from-a-web-application)流程配置 OAuth 应用
+
+#### Step 2: Higress 配置服务来源
+
+* 在Higress服务来源中创建Aliyun DNS服务
+
+
+
+#### Step 3: Wasm 插件配置
+
+```yaml
+redirect_url: 'http://foo.bar.com/oauth2/callback'
+provider: aliyun
+oidc_issuer_url: 'https://oauth.aliyun.com/'
+client_id: 'XXXXXXXXXXXXXXXX'
+client_secret: 'XXXXXXXXXXXXXXXX'
+scope: 'openid'
+cookie_secret: 'nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY='
+service_name: 'aliyun.dns'
+service_port: 443
+match_type: whitelist
+match_list:
+ - match_rule_domain: 'foo.bar.com'
+ match_rule_path: /foo
+ match_rule_type: prefix
+```
+
+#### 访问服务页面,未登陆的话进行跳转
+
+
+
+直接使用RAM用户登录或者点击主账户登录
+
+
+
+#### 登陆成功跳转到服务页面
+
+
\ No newline at end of file
diff --git a/plugins/wasm-go/extensions/oidc/VERSION b/plugins/wasm-go/extensions/oidc/VERSION
deleted file mode 100644
index afaf360d3..000000000
--- a/plugins/wasm-go/extensions/oidc/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.0.0
\ No newline at end of file
diff --git a/plugins/wasm-go/extensions/oidc/doc/Oidc.md b/plugins/wasm-go/extensions/oidc/doc/Oidc.md
deleted file mode 100644
index 0d9c399d5..000000000
--- a/plugins/wasm-go/extensions/oidc/doc/Oidc.md
+++ /dev/null
@@ -1,199 +0,0 @@
-
-
-# OpenID Connect
-
-本文介绍了一个示例 OpenID Connect 插件配置,用于使用与 Okta , Auth0 , keycloak 身份提供程序对浏览器客户端进行身份验证。
-
-## OpenID Connect with Okta
-### 配置 okta 账户
-* 登录到开发人员 Okta 网站 [Developer Okta site](https://developer.okta.com/)
-* 注册测试 web 应用程序
-
-### 将测试 okta 应用程序与 Higress 关联
-* 创建服务来源
-
-* 查看服务列表,有即成功
-
-### 将测试 okta 应用程序与您的 Oidc-Wasm 插件关联
-* 创建访问 okta 的 ingress
-```yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: example-ingress
- annotations:
- higress.io/destination: okta.dns
- higress.io/backend-protocol: "HTTPS"
- higress.io/ignore-path-case: "false"
-spec:
- ingressClassName: higress
- rules:
- - host: foo.bar.com
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- resource:
- apiGroup: networking.higress.io
- kind: McpBridge
- name: default
-
-```
-* 配置 oidc 插件
-```yaml
-issuer: "https://dev-65874123.okta.com"
-redirect_url: "http://foo.bar.com/a/oauth2/callback"
-scopes:
- - "openid"
- - "email"
-client_url: "http://foo.bar.com/a"
-cookie_domain: "foo.bar.com"
-client_id: "xxxx"
-client_secret: "xxxxx"
-service_domain: "dev-65874123.okta.com"
-service_name: "okta"
-service_port: 443
-service_source: "dns"
-timeout_millis: 2000
-```
-### 访问服务页面,未登陆的话进行跳转
-
-### 登陆成功跳转到服务页面
-
-
-
-
-
----
-
-## OpenID Connect with auth0
-### 配置 auth0 账户
-* 登录到开发人员 Okta 网站 [Developer Auth0 site](https://auth0.com/)
-* 注册测试 web 应用程序
-
-### 将测试 auth0 应用程序与 Higress 关联
-* 创建服务来源
-
-
-### 将测试 auth0 应用程序与您的 Oidc-Wasm 插件关联
-* 创建访问 auth0 的 ingress
-```yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: example-ingress
- annotations:
- higress.io/destination: auth.dns
- higress.io/backend-protocol: "HTTPS"
- higress.io/ignore-path-case: "false"
-spec:
- ingressClassName: higress
- rules:
- - host: foo.bar.com
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- resource:
- apiGroup: networking.higress.io
- kind: McpBridge
- name: default
-
-
-```
-* 配置 oidc 插件
-```yaml
-CookieName: "_oauth2_wasm_c"
-client_id: "xxxxx"
-client_secret: "xxxxxx"
-cookie_domain: "foo.bar.com"
-cookie_path: "/b"
-client_url: "http://foo.bar.com/b"
-service_domain: "dev-650jsqsvuyrk4ahg.us.auth0.com"
-issuer: "https://dev-650jsqsvuyrk4ahg.us.auth0.com/"
-redirect_url: "http://foo.bar.com/b/oauth2/callback"
-scopes:
- - "openid"
- - "email"
-service_name: "auth"
-service_port: 443
-service_source: "dns"
-timeout_millis: 2000
-```
-
-
-
-### 访问服务页面,未登陆的话进行跳转
-
-
-### 登陆成功跳转到服务页面
-
-
----
-
-
-
-## OpenID Connect with keyclocak
-### 配置 keyclocak 账户
-* 本文档采用 docker 本机进行部署,所以注册的 ip 应该采用 ifconfig 获取网卡 ip
-
-
-* 注册测试 web 应用程序
-
-### 将测试 keyclocak 应用程序与 Higress 关联
-* 创建服务来源
-
-
-### 将测试 keyclocak 应用程序与您的 Oidc-Wasm 插件关联
-* 配置 oidc 插件
-```yaml
-issuer: "http://127.0.0.1:9090/realms/myrealm"
-redirect_url: "http://foo.bar.com/bar/oauth2/callback"
-client_url: "http://foo.bar.com/"
-scopes:
- - "openid"
- - "email"
-cookie_name: "_oauth2_wasm_keyclocak"
-cookie_domain: "foo.bar.com"
-client_id: "myclinet"
-client_secret: "EdKdKBX4N0jtYuPD4aGxZWiI7EVh4pr9"
-service_host: "127.0.0.1:9090"
-service_name: "keyclocak"
-service_port: 80
-service_source: "ip"
-```
-
-
-### 访问服务页面,未登陆的话进行跳转
-
-### 登陆成功跳转到服务页面
-
-
-
-## 与oauth2-proxy支持的服务对比
-| 服务 | 是否支持 | |
-| ----------------------- | ----------------- | ---------------------------------------- |
-| Auth0 | 支持 | |
-| Okta | 支持 | |
-| dex | 支持 | |
-| Keycloak | 支持 | |
-| Gitea | 支持 | |
-| GitLab | 支持 | |
-| Google | 不支持 | 域名不一致 |
-| GitHub | 不支持 | 域名不一致 |
-| Microsoft Azure AD | 不支持 | |
-| Azure | 不支持 | |
-
-
-
-
-
-
-## 主要的差异
-| 主要功能差异 | OAuth2-Proxy | OIDC-Wasm |
-|----------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 将服务放置在 OAuth2-Proxy 后 | ✓ | 不具备直接验证的能力 |
-| 在当前层可以展示具体信息,如 email 等 | ✓ | 作为网关的插件,校验 token 的正确性后只是进行了转发。在实现的过程中已经捕捉到了 ID Token 信息,可以实现提取出具体的信息用于优化日志展示等。 |
-| 校验一些非标准的 issuer,如启动 skipIssuerCheck 的 Github | ✓ | 已经抽象出 OIDCHandler,开启 skipIssuerChecker。只要实现 OIDCHandler 的能力,可以在 ProcessRedirect 中指定 authURL 的校验,在 ProcessExchangeToken 中指定 TokenURL 获取 token,在 ProcessVerify 中校验 token |
\ No newline at end of file
diff --git a/plugins/wasm-go/extensions/oidc/doc/auth0_0.png b/plugins/wasm-go/extensions/oidc/doc/auth0_0.png
deleted file mode 100644
index 1af35a98b3d9999b0d2915305b182a56abfaa737..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 25365
zcmaI81zeR|yFI$xZm~raML>v;byCo&W6bXcF
z0r>wvZ2OD!f5V+R@Sp8>CDiT_2zx3>|GO#pT^*O{7v;?C4(My`mS
zqL?o34<9}-Gcl#6F6Y{~Q$31faVYC+X!veVzYRkrz0QkO+&pz?*W(dq$~fYvm7r$T
z%J=~a<)GwjN`;tKqq3tD6BC6NVrl`?9{O_BD@TA?{FOsBN83Jm~{(6%~HhJiyP==lj9sj@Yy{WyN<;j-%!jq9J
zFNm5b!Sq$P``^D2R3*9M5){L#vLDJm{;&60gS+_Ev`BORpVv`h?k(C{#)x$GP5-|2
z)X0HCS&2eCrYgV`>+rv?lWHybHO>F^&Zt<+U<7Zfq%)0jp2(hmKj>CR6y=nN4`XZy
z8?M)7kjwvdyKcc&45_K9^5)zB{Vc)cn>b}9<1Ho=>1?xKZ>A?uDTp6X5K|UcU^FrN
zKmNd8OH}P<>L&a5({H346qJ?4nt1ec2dUG#|C|D8^K^+ojaa6W|MeS*`|){a2kC!*
zfS`KGTqeMt=D$bKuBe;K#z&LZ&1IM`E2dO8C-V2NFEpL>7U
zi-Q7qlZK44n}5CM#y4NZ7(Tent7a55ag$^1TAlx~-d`VkW9(ugs`Q=3r>TAAu!nkS;T)6!Pz_5MKJq
z@uesRE}Z!FPP&d__hsc1i5aP>2P|g)Sl2~eGupuX|9&rtsHhvG!FJH!yXsd2-lU5*
z4&V>WR^niw_W3nwZv=~jG{Tc}el3LC0VUTd9nx?Exj`Z#fRZ!rAj5wB{kzWJrtT8pc
zxK!$UeB`d>%L87GTmJpx=kV;qkvBV->;umH`3X&xtFYQVhe&w#q%c)fO>qaH&
zU6Z=p`Ay@MlO)wV#Tnx*p1=DYnt4a$1M~%}0)u~#P)3ij^|A~GbxrS&LAf1ZH|bU_
zXB_=ChNIVH_FMd)Z@!UPKAjNWoNac*JTN%_sp+rb-#nnKoM%ew|H1xrTfrmUU*jg2
zj4CZyIMcKyT=zL(Vf=eybfY>~jT|@(F2|(H2lh0WMs@ujA`_2l$K~;){ej-$?3^|E
zzwY&A#P#mW_H6&P|Kn3rMNXW#Lcu-!@qe<-(=FumB9s(VRG}lzM+pQ9&RW9L_jlFE
z+@glRynmt*;%^-?mpmH$ft4qzi0679>F0GXC@MCS^2Qq-jgU=8uYAegMG)AnqA#Rb
zHA7o=J@PW8xDua$dDR$y=kGzbHJjuaiFp_Cs2K*D{hkMoKkiXze@LrIbMmzSkJ+%W
z(rU3NQ`-2B4pm~P=*H^Y*Gezh;|1pZ4PS5ky=9BNqho*3J!Y?!O>Qbu8X7%6W(Gnz
zZiIA}hcZ}>wWLIzF*lxc-B?@l6J2-r@UZXNx{Z((x0{xK7rjW�V2vhA07@Q-`u=
zwVv#u>&i1xQ8!_h37Z~?bxq3oxiH?owz}FJQ6Y5d)ZOnrMbrWmgz6e!dQlOlAJeA|
z8deP&)3rkyqXh1)EiWjkR902Vg`GNf>eQ)|D_aS=4-TBXUKb^B+UwkQa&qk)eOW`p
z7mGZstfSLk-uoR9{y5uI_Egcho6(?7NGtWA|Aud%*>MI2*Y%$xg%$()^%2VW3P-l%
z()Wvxc36M!QFAQP`QW>0Guix9fBB7qJ4v+PyYgyHtv8ga%vrmb&%c|6Nw
zKXY4_c7Ib-lcm|so6r3G8dbENgU8efb_zX3_YCHS>#;Icwzl%gH`=&r$sXMLG5uxB
z4ocNrL;r(KWbMMj!q$Sl@mKt=XKJY7g2t_>9@PkmfvKtfENxL0m3H=62Eu0}LEKfP
z7uD8Xhi-bWt}XSS)~|ax@w3;q-}%RvCn?``>m&H^t$RObhj7J{4Bh!=w1QUOf>^JK
ztj!Y*tU3h3CCwt!xoYw$DEzB@Xw5rbKF8dpUC&^p_4)H>OlMI^iR)bb8T~ZN
zkp|6t)6UvZF8Xse>6mhdvi0SK@qhmLC)R0JGE<|-)YSBQU)eeP*}-;g*D?uzhE8jK
z!u0I);-Xf$OIc3Ny{lJ0PjLMXMWU;k+5N^omsIDXs@TgULz(SbP`Zf-
z5!;c^q%GZMva2f&Ek|E}#lz2U<9o?ev%L&0K}!!QH2qq#oVrOQuhDJl
zbhVt}`&)K;bD6Yfmf?oDb*dN{84U-%VcORWVx9FTPT5R!goTA6p7ieO3NtX=#^%*_
zUCSF{Q^u=x)QY;3oKX6#*lN@g_p79m81c7}xw-57H-&*(x%-*r4BzvI
zXCpxj)rK0Bx<(6HAIjh4Hqnx*d~)E?86hE|)>YbiObr5YWx!9=m}~Rq%}89tY`xkN
z+o`0k@~h7;hS;`iGdYMWC@E8l2ZUC!Hd5A@3Z0l6Zsl`cwi-C48qB7=;~@JB;rg}D
zZyyvEp3R6pW8Sya=Qy?0?|SA=Ynlp|fx*a#MJZugYTKSYM|gB4FzwjjL!+ZcKRXs4
z@20)%L(^L3Xgd(*lZ04eu$<}>&RJhsoFul5EiA9CEP1)xP|dFXoNLe2Ow%Zu%@N#B
zuzM?T_N+|UsS9GcU8nf@`PEk&MK^Zs+I3jKGGRuo)ZKlXfq_ApmiCLQ$8w?zi;I!Z
zi8oL66k5DDRd#Y(4dJ+9+@2Y|U|OAH(762L2XeLkcw5He;-ZoDHDx|d&W5%&{quPh|31igcTihW?qnkZ
z=M83^nobx1+up8w*Oc1MSa6!kwKd1A?qgt#kUc63D?7W47_Jb)sTsj6f21};(Dpkr
z!eLt4m2UHLkLpokviM-Aw#%!$yt2Dr?z^+!$Y;0x-lLqV#I4V;nZUy!BI44StyjJ}
zD{X2z;ZAY9tH9j6llkb;n{{E_-@ktsc3iCcdN8?Qa)CM?$Du*Qu})YId;y=^8yxME0Sa*wHzn&
zlx+1J`tMHlm32)Ocl_tIlZw-7tVQw$Y7J+`r+2slb~`%*GK!zCZw#+dfP1c4cbjEn
zvV82F_RLBIr=_rd;M9jC4F01W)SyuTAlgeL&HbIXRMT3@|RoGRJ@;v
zl$6vM#?=%j?lZvR>+74QlC}Q%0r^;aR+hMvvon(B=)l0W_{%;@OM#uWmbY)m4ec`Z
zjKk(iBEPsc{hmCKSw4h0*_T_n)NW>@?)kAAGD6HFtZ!5N6H&5-ky
zpI>~0JrTK>g{_rJHAsD0|KX!YyXgd#9Dh!gZ+!1A$TA`((K}7Qt?<~7Ex&-|5^grz
z9O~FkYr>PplxUQ0T0Wa+wm8wLv&_TBX8gu&6QWL$atLTlQc@BTW`k+FMz`JD$EWqk
zn!B&>bxLtsi5C5(#kskhSEQHGr)L-PqqY)C84q%4O-xR%AyGNl+xM2(W}!~S#Kcq?
zoDr)yOEH8bRd*yw#AUV6hP922la#lr{f{#!W~k?(t}T6QdOuONhhD^Ktc6vFTbXcP
z9jR0yTek)okk7b!cxd`_cFJ26M@C#+VR#jU&
z4oHFO)$GFATkfjeEw&Q>(sAjIxB@cu#>@wL(K2$Z134{iBv!jF@=TWXc-z$Ll}x=S
z2?>na+Wm3jUe~didBcKhXUDV3U+dNcpl(tkW=PvbE=EWVH;NqXLw%YlI$pN??jFL?
zbDf=?TmJsry*i9r2Sxnr__&FV&i=!PoyOZZ%Ctmr*BSDao(E9U?wmT5o8e1$?t0k_Llz~j>O!e_NQuHOkoPthEp2Nk>O)3KNJC^2{XUr$a>nw1Vpg>cm}
zWCPN=y1H_N&H!HuJIr?g;bZd?UER9u+Q|t|_ZyO{W1TxYIt(W{Zsf}#5@_}Oyu4~7
z&rD%O9Tq3TgMt#)G~KFsg1DJfUm0Uf^*+@fE
zvpd%)UfA<5!Vh`DXgS&(3jcr;(wy3_dx*q2Y%CF*3Dw)TZ=XMZ9`oml>nmNe8b{`m
z-7)i?TonJN$8s4HlYHLZRLwIEj*RTabocc1d<=S1
z{}}KC*of%8hg^jUoT-u(WATnx7EnK{e0>@DeizvTx#SYZrA({<5c+A;j+gV~d5Gbz
zgiwOp;WX3E>@FQeQqo>%*UtNl#F|@?2{^^6^xjl_StpTw~BA?Z}A~+N#aX6
zNjSlWX(^5QYRg7JX1oZ>-rP25FCO4|9ii!atFXKol{mZ*Yd6JLwqJr_+vx0(E
z6%|g)qsdju42tQh+#I2xR~Db&`~xc0a)fxgkG`e23@8l>?>rs7utShsesRcQ?Uy$%
zP=pIwr|RXAP0Ga`Fc?FAllkgYNx$#!r|-9rk%0pkP3}7(1-7|S2doTSWjz+;9(C5@
zqS(Iu`$e&s&56>qT(!8>uFyVqtq|-6Iw~qEN=l`4)mH$?U_s+YjvNtPoqq7@eP@n=
zv$Jzv7g^OatSxZ^0)zZ}1WhjG;x0=Yn+7aC0DEt5Z{DrQV(W3NWpDZ-%ErslscjS<
zAnre(m{E!=h*L_|L`vQ{$u#L*r9IQd4|35}=2#FN-HWOYmU>71_;bLIq=GGGrlwu_
zW-Ft~u?-P?wLgCJy?;W!b4r^lK>R$D17E)e096sI5eY~!AQsZWY^`9UfZU-h3SUW7YW|!5
zXx0@9qm~yw?bX83nnQ?d%HO
zfm~4)wZ#N&CJgy$x=9Uq(a!k!MslL|LtZ<
z`Uo*uJ~__@F_BVLKdYJknw<)|LtEP-mZ$1gB-9crF0G!9W4yddV!(rSVikm^f#R1h
zlWpCqU1XUERss%Z(wf?e4TJeO$&h5Ld5}Xr!MUc~c_sfKP{hp446D+Mr>|zi%gUUA
zN9z`~!G#eM`X9oD%st}{UE`ZiGUBP}Jbk@DdvcZB(QyUKsooHW4uX@DQy;hv<~6)Z
zQ&Usc)fFW70K4kl*})p*nlohm4&xaL@t0-8PJO|EyB=_$dH~uimN_o<*$w#ovw3R>
zyV@*u%sxWt=YW6!)asw*8*5W<{@IL>bF!NsRD|2K}Opu_MWV+e^+PVI+>q)Q4PtPx@XTH)$;*ptDZqjo>#+ZPlg|by;nQ
zJ_p$bE17yd!+6oLwZ1+>qsa1{?RVV{GJ;|vaTI_@_Bf(Uv)BsL`4cdE^Iw0d=NadL
z`v@Y!!7QWKG+sOX1a>23e!yN}v1>?SwzjqdVmllcCyJa`Y@pzYB_MC_*|R6a5zVWO
zmHv(E>8efOxZr1MHial8sI{o;A#IJ-ATvLH{?sh7k&Ud|M9{hl2*vLu6DzVd(U~I~
z!8^0GwDHx8iytKjNqK(iqV7<(#><;;5lo)d!1cAkCz%-x8e@cA*H@ufxI%FNU|Fmz_QD0g>v!`9SbcT%PVB&-tIv}qGS
zx%R8u;)znhG5!9p?dC&9PaD%1@lm^%H+S-X`SJzZQ{E(_ob+-{O9!Z?{ez8UuI%TnC&aiIV97sS2njYJ+%J
zL_`Eg9gMJ*;e>R^L~~*-m~UhBIRnAb{H7=LE-!rM6C6VK5^l0FF(tWftRp@(Ajd5V
z+k=lRP4&~`ULjsJQx~b_o2p^E&wQ=K*Hv;26#&Nz`W$MTnqC2K=jZ2>A`LhS`AS!J
z5cnVRtWL3+s;cVUyVH+$QUPqK;agX(d{FBDiv5kx0g7Z9?MQOR+6x>#dS2}D9y;(z
zwH#dsf?ZR6jIbjv2EB$&F~J?P0#wx7(*t4hmVrTN1AC}i5j%;-GcbJp-dm!epkV&`
zXVO7-?boZ&f(tS25Q^5Y?T`g_ZrcW|8Rz5UGfEjja2si;s=B3N1`+p
zk(E2o^dYWDGnMJ?j(UTjKK+9ek;k2ODTO$in>EC>H^(VrBSD4ogn$`SZLNw>_i$dj
zR?cCI?K^kULJR>wK>1Bz`S@`AesX^m!<#
z!Eo6%LfFx!Cg22+(fHG+dx<~5(I7SUzEC(`D+>q-?W!Cy&loUx-m>$i&&qrE?P~@!
zLb{iW+?%bpfDeDga{oAs;h;SzJ6xq-J_i#G(VC61t>;90slI)TO)ok+SlWC8<&
zrRgu1IA-y~GT}T!5RC<+GeIg4w(T~K&{++pX9(wQq-A6dpR<_&{zWaqFOFo~C@`Mk
z)GU7Z_;Ew5sOZ_VcF-C^i0^JVtF`4CHZkB+*k$z?3>f5c;ElfsTHElQw$x}3_t@Be
zjGlvmf`S5BBIQOw=D~v12LZlV+ty6YZrX
zrSb6bnd~oj)zFAaPEL-GA1LT|DFM8MM3TIq8tV=*QU~#*{}vGXh_FKo&mMxE4FH9S
zxw-kGECVm^{9sKWwybw0EMjEF;
z-M|JhvGnrt^1w;NJs5|#mzRkkg^KaNUV!fWNvNA~@$q@HWPN>o0Ll8|wYY2v#DSTC
z59U3EO$`m4yu4PBT(DfY>1%@G6nl;c87^Bw&PGnvfC}Q}C4KekRe%=tf;*ZC68_24
ztc3Hv7O3-BU&Qbt64q2}T4-n2u}hE7o;_O^3$Xoj4!R{@+DnrKz0RAbkf2ZCGT5?E
zCR9{aJDy#5Fgwy{E|?`pMu+*RsbO6c=~6N!xS4)}PEEmmXcuIoTGFm=O)CI~hP*=}
z1PH3C>@(CVubu2`jb3OuEDusrXIz)P-VMO*6OL?XZ*Q*&7y?lV0xP9IbQF0&ft*H>
zx%qkC+MQ&CL07~&eL
z_%3Rm1n_8lmpG=f^7AL8z3{SVt*p?Nq>n9-76&j&21V2(Or>G;rq78K`}gOdxFCsj
zb#%yJ_d$A3u^A^O`+&TsqsCKuL)p+#QULlr-P6*5yp+#bk12t=K{Rqk
zrz%|73qf?ldXeB}Fa)g~%OZ?j01!@h`0(QQ-fpmYOtK%{IY>h}o5^;4zVIUV(7ikJ
zHLN@}_B?8)q=LZ^5Efb8oG?}$tCq&%ITYsOPRXVu
zAqE{Jt$loQVnRk`%a$#ZU3t=u>Q@!X?7Yz*vPWrn@q&c{b-aCeO2mFP!5xX^eVA5O
zw6wkmGohLZq7#RDZlUc|%#$Y{5+nn?`E0MXBF=UkU_*1zX?cDW(wBCgu`(7q+fvQO
z))uwyF6MwF`?5D!4-5@0#3r7A==B$RA*?C<(|6ctH$@f`?fXLGnXD5W9+^qczn{v>hk;9-9%49``(OQeQAQ
zpH*3zV>~dCL|{qFA|q4ky0MPt!(z~$y#y_NsK29a8Qojyoj!m0;_tr>+K6UT6()j)
z*YFvOr~6?+s~133&@k2^F&q#d?aWC=0R%e|XFPW77Fvp)ajQUOT@v0^a1}+*9HU@W
zeR&h$8`Jk1%1~_{bh2@v`&3%v6WQX7XggxNBj8gHHUet^7<%`j+d`ec>FH@K{T>=#
z7FO02$X{K0{LV;PH=rGWnD5`W57%T?D`6jBSeB^|+<)lM3r)@X#~tEWJSH$fDc3oq
z)KloKH@*YyPL>I`MBPCKqTWRYbqe4f+AuGmzopV^AWML_Snyh~kor53mtxq><0~pe
z9Mo5Qyxs5Kb(j&k!@RXSIh+2$TN0KFW>JX4FQv%+xGANKZ)Tw=%%d(|dc5mZp0nTw
z0)Z5&Qtpe<%>4ZP^fVBja;nL0viFemM1FjJfXdiostmH1oNPd9A1J5k(=076
z`g(Y&OQR)1I-pZAnNiwyY;qALY0E$!aD(@j_C
z!!x6~buJ^%BcjxE4ZnQ<9+R>ez!I$&Uq8PyyN5ppr(pvoDEw6|kUg2b3eB0cet-;8
z<;`_Dh3s5fr5!gw<7l>qW_$9vjj%vLrRA&@Py?t#)XomqcVj*N+Ok9J$`$lB!dxDS+#B{r
ztM}=#OU;twrI>ld79hh$+YR&Z3>u&TTJzE-R3-zf)y@gg5r-zh7pbWg6;)mdEy)T&
zL4)DU<88X^N2n>jOlvEDwtSY%hb69#GhI2hgHXMVWK)R$k4@q6Em~cvswZYK>1Odv
z1VnAta9%Tk0zrA2wqty~E>Qe;HcrE?yp%Br-`#XUfb4h5UN^Wz|3z
zzj~ES$Zr$JsZjriv>Ew6Y;i0#dB!9=$r}ewPR_=ay##`v1w0prAJy`p^l608cz?^&
zpcYqBJ|JFW40lKx2$#^*B?3XHN{^agNlChW;$6MR)=)=?baG9SmJ!||5%FQU8D76`
z@C}WiB&SroI{SaUSNwtcw7kLZ`)y%0B2UK5tB4;^7PBvviBXZQv4ZpB*L|Ec4R4VER?#!pUCtQDZIY{QiA3s{X%`BBSr?Xix%S@;D4_ltwE*@y3f7(T;
zLarr_9#Ki*&QcEiX}1{l%RlvIr<`;iH*HZ<+HJMOs*flBu%TR!|83hlpU;zF9M9s3
z@$;o92e#Vq$NU=no7%T$l_TUx6UgGp!enid?jf3$^K1Ne7ha?UM>k#8m`|0U$us7m
zWBwg+Zv;K#uKxb#(a3}dW1WQkfy=xBim}5U5>*583%?CXTC9THDe{3D`Bm%zGe7Q~
zb@_MV-KZ`tr|_qyjw!!NSJWB$V*rNMtj{E-o8zF07
z8C!_5ak@sp|HtnN$s;II*%$<2F#{lP98&uAT`ec5dhlkF1XqQYAe*FtKkryJ%QHbC
zjfrUSr*HLHec)xYU%A4~pjNev$@$NLuLtd+`}YE$5By)jvFDF;!E=>T{QsWm1h(VI
z-;@;M{>eFYF~oPS09$GxMkwIKvAbU@JOD8N-nx}uz;Y0Ud31_{lk*NBA3$tqlv8tcZS9O{$0;tH>?EFvA=+?Q|3;Xf1=)Gnuc<@6rz;#M;GQjAL3zxe7
zR?nP_Qtb(gm&1xh2g0RB$fc|4WA(mIcbNsa1v&j)(34&MV7`+xl8fnz#^jJ#!G~y_
zeF>A7e`bX9vT-nEk3`4_tlDL0Q8Y#NY-_%dm_NFWfP^K*#UfKW$O~M4z3qc8-ZGh?tFv-Jhf5diG8|nxon`g6N_`26
ze9h-2-K4?55c*zB?5_u6VzcK?lw0KozH8VQ%eY%BG$uIKE`C!9W7E^o_tLx)iT9h+
zqyFv*+WEZ3Kihujr0q{;iA60c3i}{N$1LgkufyGsKh(@PHfP`O7#qBv@OMwZlNrDE
zDrQM?R}cAs4l(NdD@m?FqdK+xHJ$t^tw@PcrjZCU=mq^hn%}nl^}-<~^nuE2;`WvQ~U<|a5Zra)X0O@Xs5vHY}c+MiVzWNirO;w1d
zkh*gBj6z5N20FD<3sR(*%gST{#7Yl$a1s(Sb+I~e;)E>vj%X$Rk5vf=eg^R#@P1{gkAYzy6;(T$H{cza+T|iUuPoo5TUgLUyB47_4!uF{
z%!9Wtq0PfGQ(aw+P3k&Z!whQFY4g-B99Bd_kaw~N&p~*N*4i_A)9ps!rf^=;B-$Ao
zenZ;?dJ+v4l?r~4q~PHWIxSlWZZbFQ)ujqQGMh7&3sJDI*|=x;9HN)aEAXe@U}m_z
zS5hLNKSHueBOpPlKGDyX$56#GUR)r&T~#dMWscIx?6?|BRS0c;Iay~QNi1kc-
zLUK8a=c#wAwgs_D5
z8ifCxQF8)R9FEiMJUq?a-6dd>i00Z%9XM`V7PfU-%T~1?q!quYbHe=NW{ItW5-B~y
z(Ogf2kEAxS@|3@FuO2LC^m{O$9&nf|>M%AnzJPL>GFhR`!EL98IkJBq>+3MBxt
zE|jDRSPYHdi$azlNxo2fU$1;GK_*4ROcTx$D1P`8!`G=PSCYgI#SV>ReMh7Y)kuD`
z(y}rRSMrJvAGpBrkztUDAr2s~=L&_9dLBoFi=m3H?juaIxqEpN$n=;$6V_zWrt3vibl>VnB2=Sbu`PqfdP%d-Ku;wrL?(`IL!vqbQ$FBPF
z8KNmQ^-jmjTZ7g9=t<+BiEYV<_f9)?F1P9FX{`6@K+$nmOA7>AL|`=95O6Tz
zv*Kdt=d^*4LrZpDU1{cUC#@?=1A0X6nqk`=9nd^8kL*D!m#hIG}&ap%d=`dN+L4h
zDjB^u0=l)9r-B4)b**Gar)_MQ6BAj`nx|!U95Scd?1soltC=X({gARS}-ZF>~Mb@8xzFtB?(Vx
zv|`7iM^Oe{5F0bswGWykNd<#?8w;W1$Bz&9eiRiJ8eS6Xk|)CGM8Um>X$>xGlx}p|
zx)63#y(R7F)NyfTK_8+$BWgJ)f!?Kb5X%h4(AC{-Fd6@s+r(ZfDqE}qnhea$$xy$-
zVoc5Pcm&l@Fyer9m7w((Y#`W;
z)-X%j+7{G}wUNx_xCK~Z5hFLDF8BzHqlHQK;22t``q%beLH(<$Du$EvY{GgxvAg>m
zyTJWl|MoJz2v{G@lKDLk}X5kg#xGxGSZ&QD^oLy0viVBf3+2
z(|7IMDJ><%6RpG{BC-zK5H5w7;8civIHY1Yx!Jr_oh3?FDQs?-XI
zvIRYC5)z=J(*)AexgF^L_GY2o%xxJN8N@xB;_-AIa2Dj`$IU~
z0Z9-|JSvu}ZwgZ(Afhd+igpRfW%!eS4#7_$xsZI{&(H4_T5f2&)4=qdjC77IZ3aV;
zyVbW(U*M6fBDGJA(CM&<1s9>=Hw{CBc5x*cO)G$>>&WxsVk=+!(A9zPWj)oWDTXpW
zH93jp_vm+7;eZcMZB>!;jlb1V222l-0t$rxR8QnZ0Su*tFO>{L`N6QxdDrnK%yIp|m;7>&DAbwXtqoYl=
zyXxjCQcDKvb(QEPh_wL7L<~N*Z7Wh`5Ij|A3)ZP#Ac@>K7*GiO*@omW94Idmj?QdO
z&YY_Y4LAi!okr^b`Ow=0BKr*xFOEVaNR)-8$?m0+sn@4_-_yIUa-*_BSYAXg0^SeQ
zFQAzTv@EQw=HVKHxkGQU=0&QYZuMSKQDoZXaQ#7ZTpC3dh8`E#c!oy8*ZU29w6ZqP
zJ|f$72o`1GfvqBXA1Mb4EB%jOK`WYuk}|>iJAM>39(f(!!glo2R9~mKlNy)o>=Qut
zNpB(ZGvJiWA(;^!dF$8>dqF@Msf}21L2Ut;$IyJVG0+f$YDzjELITg#aIypk1+^eT
ziO)+wk#L-85rKwHXB2!v7>Y1jDli46m$54*RO1h@rM)Oa{#XT42d}tQmsSl`9Tt5O
z8krn|623A&dK$SH0yu1>MvZ^LQDcdP01W*ON`q4#?j$#iy*+ioMY%K7&|!};&`V}z+)fJ|O4h5QfW>EX
zs`M=b?n7c?LOVQ6j1vuwLxb97kG$`&lW;B;*?W%q{env5gqm>AR&ftUxDv&gC;fbM<7yPCHE)Hod+;o0VEbhctCot>O0#eX6>;B=Qc
z#m|YHMls#-Hs;~FJ=?cK_>jOoUZaC?6dmUem6b;QFVNU0K~dKYmz*8EN$>fO9Xkf&
z)b>4l_$T+$)4L8-?XFGun`3SmKCzIg6601jbMq;*CO9!)*uGfg47i&L3YI|XWJI5W
zsF=``f({tW8AfP|S2;OEn{zkc5McH|aFMnzCW}tcYI;H5V;`r0x#4&R$w$1V
zG5;TH`cIrZ60g9?3rI95_~`u3&(5Oj5HRH8^5e@^Y)Nz>B78fMxZsi;h6mCdj;Q!1gYH9(y>Cb4tkk%8+39A__#U)u;Su-54kWla2$Aef0@&z5?0XhpdCxfoyFE^Xvd&_qdSr7e`->@6dFauB#9qEUP5h@Tqr~1xfA*O
ze~x{D!qwpLd{q_63{#c7R$5w$;}+`3A;>dpXoG?B0Y@**&-Y~Od9_`r4V+tA62*u~
zCqjT|u+II37CJaY1-=G*T0dq7r?Z&F6{>JxNtUv!;$JTS4xhax-_%%3a<(Dt&=ZdI
zHH+jqv5UsI2aMiat
z&C^}t{sl4J>6Nd_Cl@w?@icqzXMX4VBoF9b>}67Roh4;NoGVat-Me)P%)xz#J-a95W{vtij;(e
zDws}SAQ26;dqW>jFrc!g#IYa+oLbzzV~09U@Sy(>5|!8e9o_&=r59IWoJ46Z19BtV
zO;cD{NIE5h0$;@%3Gr|@*@IEDJEx)0Q2IkM@jEQgd{*q1jt&vcG5nA5N>c#iIyM6-
z7h@-OJqE%E2@P#OH&uF^0UJByw29=$sGC(9d#}Mz#(;fbX!bP^COz;Zz2*c-^{U6C
zTVc&(U_h)YD_g^>AHc)ahM(R=b_r!ESNAxDJp?GA!erqoz24+oHq*OlcsnqU8*BX=
zWym>Ie&eX0z_hKN%l~5wF9k%0RZHHQnIr~)tbvWzW#70Ak`@+r7DY{IgGYbbd>;E0
zw(2>wAWgWg_#W;=l7S`HcDzkitSwz_KOG(EU?*U^mpkSR*~lk4BV_$UOsc_B@Fg(}
zI)qCbXGz5pFm)tj-=4!~@4_%fIxKaUJKB}w8eJIxlonj+V9vQg(cm$I4bdg=?m^mu
zUb2kp47-~OJnm3#jW@KwV9a4{fC>_E+CUCz`NU9vBZ>k^dZ3*^K7tI^jVuBC#_Q#=
zlat=)#}^{S!HJ}($IR>qP=q`PS0|Wz`1M%SX)-c0oG=@#k6c1L8Cmbd*!Jvs4Q&IR
zcdThog5-Xk9aMy)%r6xNH@Zuf3L~2H$v?M$FMa=AY-{taYNC+O^B2z_J`Sgm99(Fg
z3$T!p8{pkFU@E5nj(9dLd^>g1_5+o8ujS#f$8x%gH^fKcx+a(WBK7i?I7<#yuD+&^
zUF+;^Q+LeBQ_0Bt?x@)wEacy!^lea6FhcG|uY|OZ`wR7pV!5liU*8^JZAzZmtrO9u(nUkOrL^`o$7T5fM2<;nuGuFhWXRD4jlE&QlPwaJ4PwjW
zDMTIL=k>7LHGORxI^i{zBp>Jyuwl-dPP^Sbx3y;Y=YebIWSdhRW^`(eSw3HuJ8Vic?aQ*XeSmQ
z=wW4H{6m##7?Mg_N=j>+NNufZTh*#0-Qoxi4xWvzO?40x7q5>J2(-SJmX>y}G4fm
zP^tq5@+<}}Bl&`{O?QK8!r#@7y}?hJlr<=z&bV*p$t_hLMb3*}y$7-P-6J8^-mHFl
z?8%-ocKIvuH2sr1)-pm5YiVhj);+#;?hCFhR$;k4yMtZCM%6N$OfO2rSzTJ%OPfCr
zkq_QD(cs(4XJKtU)UTrsucw+?Vq&64aX3HIXqoOI7Ke>|(mQuE!7U^)>0+Y1
zk;1;8R>>C*Hqv;-2Dp8za~?~*5-n~e!+l*`Ot)_>guI4d?8^r>X?d^N*Uy@obe~_^L{IcRnL9!jO)nofAo1dI
ze@XLtWbPPyZ}{b}v!PsO34CVK&m*@eUEk=8{GhC)c8Tgpi^&8r#oFhNkXOEfQW_%P
zJ>TfC*KU@${lwgpmAPxJ81qIQ{v9b;x5fgFG6?A@a~xk%?@
zu!oAMGcq#F%*;At*YM%bpKtPCZidYcpsu*6h~&9Ny1k~NVryfwXUC4);uktfAyz`T
z?1VD}$MsIg!=aUseF_utI~^lm`X|#>eZR&7@Yj?am3>PTG%mt*j<+UJNHnKYsk!QCwMB
zIXXUm?;oaJtC|6vb%Th=Kogta-Ue19`l=iMx;D8wlUz-LED|vl8gb+
zI7h#IW4Sjl_3hh>=g;33vtuosp}K%1tXK0A2)Sojn|cBhQl$1feDb#{W=hIBobv4c
zu3X7ShPTOQvzbcvs(+E87DwosZFoERmWDa!3)j17MfHBUvRo0+w#R9vJim%^Okrw3
zq_aON*oo~}{c__zr8eGUx=(bTUlOxo^m)CZ`F6uWyk&*kk;#acgZ*os!lAqG#k)%%
zw_oQw(z@eS-MihI-@E_AAaSnbvY1#k)z884PtPAfKq@IYN3jOFg8VClW*GWlx~aDN
z6f7*b9dl3d;FYb_bmH{s9Q1?6#>P;sEqu`Mf|qlmh{J|%13sr$4>!*;?vuR4iuhFb
z`1I)$h=hr;@!}})LtUNBwQD)~`HKKUS$bb&ci;P)@Z*UIi~6ID35rOj)29QiKg=b+
z%FWdkZh}++*8|8Rv{e;lWxYy%)dL3^JpKIoa}3DO#6wHT$l&mLfE_imbR;4yZ2nsl
z>3~yscsLkkNJz-+S_@9ulVlmRawHmKU*EnU;51Rh@~BZ?O`p<(zz5;%{Og}Lot^ejtkVO_X3C!L`se&9
zODb(hC1i(m@s{1aWwV_^
z!S<5WbY}bO*wBxBo?DYnHtAx_^2GB+RfF{;OU-@eU2@oN6<
z4p=nd1~h_)71JiAHAOPO!u1XQgv1y?o!?pRx`9)YuS5z
zH6bxKHfCjJHej>kC?rm&L%&;%+RSq!p^oM+LN4Vi)x&%DK1)ufLaDUQrlh2tev)>;
znDL%4fxt`a_&uh7q;}ddO6|!Ch$yHk@ss7>fBl2zEOHsAR_V9FK}uTMllwdhKRrby
zoV&;S%8+o7m0_d0{Pk-Qz9iGxEzvmY
z@c-k~C)##j_vKUo)TH~+7ACvro|vh=`3j2w+I0EweCyR7G&7roNCbT@QufWB7|@)S
z79|xG6?o?#?Ti(&p9PJ=K`sxR4Rvd~bUsM^e3`eAo4~@TSeYz}tC&^VQ$eq9w*>Sk
z6)ZWGrN3R?G!&#*b4{ut@pk99ZNNTZmiXknpr|WEU;o1Ux7VMzfAb7mFPq~_H&Dy#
zc_|B@(scO#EiPqOp4=hwagQ1X#IsUwV@-4S)&I27dDYRZxhXD=dH(saM_S1df)PFV
z;@rsq@KeM6mYXw*4INKmP{`zEfqrSqWy~S1(z__(mF!1HX^#=
zuNDFA7Q$jf^NG!b(pI#~IsGNT2rFDq@$>Noi|(d99y-eFKea-@e*190L2te4AkGXN
zJZLGJ%`S|YHFHuxFo^}>*&!(EF)`?(H$2)C77?-d_10((j@&svziPL#Xcq2xET8A`
zDPMx}0lZ1k;eD&(n=;->`VdOip3fF^D&k-ZO&|MI0
zDEeq%kJxM**BTLWSq(c79?HDW14oq~Ja_<@j3ahtclc;JY1t259Oh-7^AKwRo&g;A
zfhW4aHjiEqe6pW;D)~5%9(_|&V+5+#+1UwDqvvz+`Ab-*efqDm-1EKu_}v4~1Eod}
zQ&Wvm6kQLIP%*lOJDBen7R<5c2uQh5$-;lY#ULdoH+<&0va)8mOK(d{P_2FyGvy8(
z+(B`cu6yI*?JXlE#Sn)BC3_Vd9E$6_k-!sJ>}g8N@RS6o3AK$T%vmHTiPdltKwr-0
z-n{`&Ic_#KHpP@&|4kPO1Vak$jZ3fMM{7j}d%_YaQ!t<^|3AdiG2uyXB4z=cfrlO&dyWU;BzV%~PLLI}$tfNmxiV_`Ynp!0n)~Wf0
zbEsKq@>51P!B!(rj?wK0xZWy;wkTC+?4+Az*nEtl$uno3Xx*GipMC9Q;sFB|
z$+rudJD;*f#xb4v$;MajB%bSY5f6ny$F~D$@G6T&iH+I7e&~u7cvV*7IVpF292^|b
zdEj7Yw}O>-cJ`}0SFn`Y!EO9&XbGv6U9+`a0!9Q5j}ms|$1xxns#8)@_IXtF^f=)>
z7x@vPoA+Lon!(ZpS%e-BMKbBPA-El^h#?yit<=Di%CNZ^zB&xy0W9u_A|Fv%8JS(K
z0u#^G!+qg!GGsF`F~Q~sV>^gg4OW3S_{SwyR77ll($hQmOb$|s&Y+=$Q7oca1Z^ih
z5ilQKcAz%>HJ&NI^kW%7d;5&QF2yWX{V0WWi;PMC*6e6~GZ!LwsP<{xktttZ86HL5GT0WHYJm
z;v&+$mq8FuL2x~`zP^s@?B2O^AUXH8bGpWa<8jAJ5Mqz+)z#CJWZcIYLFxpA^ov8L
zkdu+oKbNwnfma_7J4G9#D%ZL`7
z;CXcM7=<$)4*(?U=jr*?cM;?QXZ;F=V6g;m7KPQDQ@IPf3msjY<7&5~5-rsPjvd@^
zSzca_5wteOk4$ujZdl97%F^MvJ2>zJkww)jB%}@d2>r*Ay72e12We^19jzUb0TsJ`
z5n_XchTPVTgv|y2Phr;{2xY#8k(Suqa#^v~QNzT_wMf<$F)qW7>#*xKZn=$HQ5)qF
zMJ{VMGGt0FJMKk=E^_IzF^gSHgQ84V8L>y=C?)6l_MFu@=btnGF!P!3`uqLf_kG^y
zc}zqZBpPQhUvS&irdut%d`bo{y@`L_II``L8iRi+?B`t__tmz_EOn(HR2-OWH00MZ
zB9%XJ+Y)6@p?leo9cx~%8I*aTQ+XsgZ}iYbHG@xT&X(m>aTZABDa;oW4K7=1R9|l9
zaR!$%Gwe#VzRRf4O}oV&dbkLg@^2R@v^%^~=Cpfr>HO6Nn(r^Jj0-%AP+CE#?oL32?-1r$cuC!p
z1&as+2!4=w$jcu^2#o96hqj=)ETppcfn|1fZrZ#VQ^E(*f?okf^!B#m^nlL6$>*rW
zBh2FiQ+F|hG!(LlH~^{R$&=jug7X?~D5SPY#GX9f0>yC6sDwHO_T+dmBBzA5Pqzz
ztY8)f62WPGf3eG!5bL7{0vHD!F9-%z<>c<5Tcw-u3y-(O(2(EN6#_^VA_qV*EqfkW
zBqV(O;%u^TtRIH(e$5+khl(CEn*)EoegV`K#HhjmhExZ}Acr83w?)ZUo6
z01Sr_BhV;Vu4qJ%u`gXh-sfya8uyXlSVGePssJ3r`OZOq`!+GrR{3cXz1Kw?iAR5MI$c4m_uQ?po*=
zxeLKq13F|Z_ITvVN=jrrnY1**$ze)A5OzKUil(gGV_l2Bx`L`|2YL&S9|xG4!an1V
zNI|=grRA;R;ld2yWe~y;&R`I~K=6!;S3t
z(Y4mIBsR--={IhV=Z)p4FTQa&6uMV->FGf4vkvQb^f0Ci=^&#nUA$rLZv)$Ukq_Kc
zPBDiLv>&P`v|1t4@_x^7Cwy@T0P#KEOAvOahNH;-F&W@S;V~!|8~X~1MpS?xpCDmw)OJBTiIf{k
zbkeIFLt=|gor2t-uyK561p`6}adD7rG6cpCBm)DVAR`B;7a?db_UU356-C}XpOVeN
zO4Ne^DYj}A%q1}mDHJ?+FiC-mk6ZYQi`~E&M{ETA*j@hyXas&&t`)yESqy_Uu(?9|
zG(T5V#1IJqJ~GvXwk2v|c!OLR+aoQV4NOLx(R$J=6=n+v`%voXC%;b^LYO7Kj6c@8
zYK;9aJS+5tG98HdElf)&&+dWXg(m3wq6iazH#I#r4ma8eU=+Yza1SVa
z+-Kms(0hNare>+dk`fmqA2@VkTNnH)D+E@rbWIljF-`Ob0DfNNe~J@BfeBjG?gJT8
zp!=X!hf0!(0(ffpMtAolm<3N#3&wvhCghhGG$7!eZiac61iB96n?xQWR-4An_(6|l
zVIfv0w5K4YA!NUJY(4eh#m`VP6_)Ilx0FUp3}htdI_21vxXh_63KpoAHCtX}4N|Gz
zyHNf3+D@l&^wbkKDoIj(vpZEbF4Q;uUa`jBo=ZA$sV~6y%n&fmsYE6K&K5mS_U;F(
zdG1w_QLRexZ6ht7O=neCpVrvBTIq7CY|?#hPU*$0+cIl1IP<>cAcomL%00G!sp}Tm`nw}l9VyjC|G~z=I5{ez-+MEyZ0rQ
zSA?|T{wk0q)%EloNx6pmTsD+r%7APNPz9ZLYNdG_nnpy)30$O^KQyEuFQ3n1VXaeE
zROGJJ;7%P!IIpa#LccfLzJkoM1KNyom0w9y2FOzH6OSl^CyrT9%B?O7Bbb-i8z^EO
z7dY14r+;Q4l<6RocBsODIfsCWmV$SYV;V+HOiT=gFfhx#xrW^`%DR8Lvm^W4t53Ob
zxu~uVedkr+42?OI>ae{^Q^lMvgc%Z?9m^~wyv0(s0O>$cX!>cc<64o@{oT47V~f|D
zG5RzbB(qd4AI#NsMFGEK4DDWCHT{ZnHejUC?ty84JDtrt(Z1)nPyVf+<}!oY)Wc?{
zEG8Ot^@`FP%F_>ibcgO0V^~4GKzFv(9jDLc_wEm^)me&`XASosQ_=k1P{x_BlGSec
z+2FoMqU1O;>Hf?X+E!W3*v0IG&_UVmFDn-2G-tP^jcpKhW{R4yd1L;4n~ux64RXgF
z!#!MT=uXb_^zYwQTy4ORviNwkDGE)Or)JZ$fV7Z->*$;V8>dHbECB{87%Ui6?pLZY
zHbC~>Zen6Iw{Ih%g}81;=+u*v-h*Irs!jZj|0&}QdU}0msC9R1p)|=!oTz(?Scx!=
z4Ec4L31-qV7LufQFKxuRgm$Two7E`{A2
z)JZK%8De_QUi&A9i>!A#9xfnNmPF?*o3DOpX%f`*hq24I0?0Of{yJ`PX_^6QYGAPllLACL3!A@uh4#!3vr
z&Lhygot$r45
zdBP$4=zl4J%(G8|L4p1%R&#>fbkHZ?jlqEP<2S@w538#9Yn>4pwl+2)$SRSLE>6}p
zTxu`w%oX&(9ihd
zlwZ!EnjG#}^4BMB;=f;q4-{tQ+iH@qF>fsUp!g%+*OgkdE*j3Y?xeLTJR24CYOUz6
zh{I&lGsIIvnwc54*KY<-HfsvT#9pk30`UhkKRTVrOJK2s+esrU$~Syodhb6Zf5dw?
zr`%cQVC&@Df_p2vM0|eufav;2wRMslikPfzNk?>yY550v9k#P+G&{ceIrgT@YX5Kl
z8yV=XGD<2L1aKA1T2a|yFJo3(6tNqPo<?KN89TA
yzxT2FzwfJ7wQYPelQEyz6R{#3#7?eXd$=sxIkwT1+{AMxc1pE!pwwIVrT!Brdra{F
diff --git a/plugins/wasm-go/extensions/oidc/doc/auth0_1.png b/plugins/wasm-go/extensions/oidc/doc/auth0_1.png
deleted file mode 100644
index a5048c2707773e14d9e6b307cb2b91a080940796..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 63222
zcmeFZhgVZs-zXf%M;!|?=l~)DBZvwJs7P<)&_qC#-jUvW2@nWYniT21NbfBWAT*KQ
zr3MH|Xdyr#p(UYnPjKFK-?hGf;C^d8XDO%dy??#!y%YNSl@i^R+gCs!5S{W1c?}Tg
zGA9UhLHYOJfF~yw?gGH+vg-?d4-n{j2krm4c)shbAkbeRW%=h?K56UdK%X?LWWi0y
z?@!;MTzMm|s{E#LWrnGy=AV1xpwEndJl7XH`Ux|Dz_q~4ddB^4)F+HLhzR~h$UEcO
zEP**(k?Z?Hz1;q&mpnY@UUGfasVsY&t)nqBrp1@jAs#qzFZo`qC+3-*b;>Y4rDRrU
zr)gM60ND*Z1l_xDeIAshI+*mtV!GO@Aj5A>Pw+n=Mf6Q|
zsj9ba9}*H0s!V|w|>2=q`%$a=tMPCrdz}EUio7WWcaywfgQX_fCOs1;3Iej|0~cWL}`h_#`^eyJ`;r
z)Clqo&|Aknl|MjPAL{Myfk0OHcwLh!KA^ub$_9#F_Gq)p1i+1(0d@}b+PivsT~F{F
zs7sX>m+1fk@qSEIq?vCJ=x=j#kzbT~p*nE!*HvgJ06p#a>j@1|+HrF_
z0)0&afH^yE+yus;9slj@|7n_4o$vOeF)D6Nw>6BTwnIJewjsQuUr$JAtOLY!UGzov9kjoh#rp0SYPkJLJ$Ky4;
z=m75U7>*+20FWNC(j@m?H3dzQM-6kbMo08mbER&Sd2HC7C;WH%YZ1Kt+
zz6reh?M##UkdtK>Qu7qBh?>Znd8vzs9mJx*{cV}nKY(6v`0rIFz!~&$ra?%f$lpC7
zEadr`WAR*4ix*KJzT{WwdxfBTg54Yj?8@8LyJsXao&I2Iu}gTbFoGb^cj{gRfgYFB
zOb)0|kIL@&kzB=C2Dz?kQ1Frf0dV>2Ol5J8QX?{wN~rmf?PV|q>2I@`aiGDcGaSjVn7_=S4>#=biE>m&**qSx$lfB`=4lBU^%zgbkgPG{H($g3`_rIF3(
zfTi
z0l~TA@m)_4`0!mDqc@Ck{FfB8E%#0o8KoNZdL8yh@1tL2@&Nee{VO<**np9s!eHpV
zbf*>d&=AI`$SHBaifTPPqsl(-`dtFlq=|j{1m3omL4I`lyvB(w+2cQeFunelqBUG)
zJzR!OLu~prnD(ma9_vMFMQ1CN>tr)Hz?&NYrZ4i0AK~2V;(Vix3Ac-fqKJl6Vz*As
zD;y#7g!6>j+6_MywZ~rvfnH;N@zr6fu_(UU%y1zYc1(znjc7eEFEx_XC;+75wXz0;
z9RTrA2ad;Xo6R21nabz-!OAlvSes>s=_*=Q(tHSp3wxrScP}L(l1xdFc++sQY$Qo`
zCQv#!cd;i$%v|HBH@C2u_XK7wvQU^J_D$f#QllvI_eIVBaU~=app25{A}d??K!)gh
zQmnUn=t`q}EFPtCcm+N^(sr`{l2_L`sT)&PRscP|JK}0?ZPsysL8(KDLf=egZY%u?)Lqhf_DG`w)}hz+jN^=igBkRiYz-_
zVg)n`=l@0gKI=x-k?QtRkHbRpICBP@mr~^SANM&JnbV^W(}+0?TcCy4^XxNUr;Wn
z@{5TR70hL}>8!fu>L@p*sHqu@|3C&(CpYp#twIwecrVx`aw-Psn8N)_R|u=;zsRV)
zRVHZ3^D?gP{$4@+`mqtobb)Z^HCVTkkO*Z|my!K(6;RWuOTYM8Qb%9fAw7H%d$p{9
zJpxB}6zAAxQ3-~uanwcpSOB_KoPKZ744gq1<55$O5?|nM&rtMiG(UGMSsseiMQk2i
zfktow#=~2^mL^Sw^8ZR-#1Xr-blbS=T86J8B8NY|Z#eC+-V8Zh7q$6=2JyKwhNkr$436|FB|%qj&4KVMD0-=r|)Izy#&U3{rrD)
z-7v0xSpV7xRi_+6GrL-x|0)UQrpS8pPsJj)Qiy21Vp9?yBD^%wZzmC-DldlnuaLCL(
zFA=0c;)Y4;F<=PaUHN5=OkE@pjcX{;$;Lc=UX8qo{qss%EvfwbT=8qtBEnakyn$X1
z-<<_RaTON!jg3Ep8u9v>$HR&UyGJOr9uji1XP!7l1J2F!m-_%WNna0?tHM;ABWFe3
z+VuPn;}A!{npWG8Qy$Hr{x4L@)3NA1MsAXa$lGC6Ps~eZj&?q<*RH?zB0arW0nnNEmjU^0z|Y~RAD?})WVYd}^ST0R-;uC8r-_DL
z-_{SM*wKa;gQlDVWvyGnBn;oamIQYSLK$VTw^3k4`P0lb_dp*g^>D9OrK*7+n%Wz+
zdMptbF#OY6sX)p{v`Hr{uHv0QY{U<+j4~V$%9G0>ZgzrSl7sH
zjnnL-gBQ^>K51RS*3shL4#&p}Ceth&rne;n(XtB?|Xe*B0C=
z_4zZg1Qrkr&#oX90Zb|s`xUo?rkK~%!-O#G4AEgP^0w!7S|v0teAC5BOf-`Xq9wGC
z$S)WNVBNO?p&mVRV_jdq423(&i*Tj_Li~aa?R8Cq-fjK61cGoYSKtmkP3~r&-2glhb^ev@G+5ES%@bNjX;yU(&H)7Rsem^hK{G8hv#%@bd*HohuVf}1!tsYx&V0BHL851ML*E1f^=
zRkX~6n+>1o>zO55RJH$`L5^HUS3zw6<-{Y`1EHU1nemczNqrP~m2|{bt|%=kaLug>yi_9B?>MJ5
z_~4HCQyYMgm4atsUsrUFJ!imcODG4!$KAZVD}FOC%dbYU=}}iLR2Wz7&XT71m3P0Q
zzr*oH*8hoN*^(s^Q|U@o#3^&gPG6xe3eBHf3qGU1|Nf4L#c1FcEnci1Q&G%XN7Tb4
zvz~*Bp@`55j#L!@#!As&i1$CQ_~IZqNR3sHx1_$NM^}j0vUL)UKB39uISbkPhYK{G
zDyE(FI-9(|yx0FlWkZE^x~1+%^cZ1b2S_n%fpKq@k7on}IdV(tOd`8vQym4fOaQRDe%$Y=9CjCIjGQX`F?T
z04$*YW||<-|6jB7>vw3i7SQ7>2yZXvVN1@@ORowulGq6oz{B<6Gv~SORV*dAe#ekDM|=hZWGf}GrK#IrzXk8xps0WE7*|jUD#&K>ayRn5L~AuKW@A~
ztRleX?wY@!zb`6soL>V-At+q<%zNHgoe}No$|om>ywH_KY=-eU1l>A1I!`^S&EpW_zC$SkiJD+>ja
z4uc|+3piZX?%2B$QkLOH+M2TX+-6h2Ac1mJXg21n>R@ujSP3U5C+wuEHo5JRvtg~Z
z3JKMi$^mf?Y1>e9fG^<#l@?2PUp)E~FrOo5G0TfWICRLZ!CrTaKJ`+>koPlLN{*_$
zR^~GcKW%5%{wxpYfZZx)cWuAPWU>a$=5O1$&`zI<^E05<8)U&6CHd~f62r#ZHad(f
z@xBYu`Dg})2PT^*tC9u=sGN94w+=2|ZmRHSiovFBiPta_SA10s$E?1HK>lS2uDy;_)7!ln!)`?o07vv#
z?2I?&Lc=~b=)ryz=R)FOlr)D>0V4~H7`;3c5;CJ-@GN6b^&o+w+EkBN?R3cJ5OsC5
zMyJfqy~rFFE3p2KO66$U$F{h4%dw&k;6r&)Nn0(lrmp0sF2s_ZMz?0a%Tb+SD-7N|
z9OSmDOven}TZkC@6U#YIJnsaI)Q(e4e>=8&MbNsbC|2
zfEJZHB;h+$=mm}kMp4Kb=Cr;~tE7{j1;K%I@h6Uf$Em*GCN!ea@I)&7n>~UaQqa7;
z9nV*gsf`sa?5jb0p&PLt8)PbZ_$wegwYbPUjsPn67hNZ{ngdnB;LcF1`_{%WkRSCp
zIv^ZYdv~O%D*fK&aeADo%Ov?3txs)MK`~D9?bdo)Iw~Q
z^BOA})@KY4EFBrDO2{pF90vrPlkrG{_bQ{VKueB#m(Js?sfO?$WI*&EhSD6wUk#qe
zX=B@U-i`rFBa!dVi-^k30wGR@zAPV`un?g@OF@3QfkT9<4(BwN^U!n-EAI6eN;2Ae
zh3^YYIxJ#LeagV#RWNAme%L(h>=V;SMe!(IcYLj)%*&y2pkdK>fh5lLrpQYG`_(Oi&@{V0Hx2mx#9PK5t3JT2Bp~Pj+QzPg8qI$5Sy7qUpZYPG2z5
zXgd_<;BnUoKT|R5IULp*2yr01*AzTmqN7SZe)~P8Vzw#&R5`MXMhHN|UdDfZS-FGa
z5C?=^i9>Q@WtC%pXy}A=vhF~VJ^A%4pns-%+L2P*&73Z>v0_ocb`1Ya-zxETGf|+I
zPUc{Mn_$9s6t1+b#3t!9)Xm|uUwd-N8bw5`jnBS|t=Ka#%&gNfip|`aWzFD|ay>k+
zi>EJYU2sS}tgt%d`Z6>SxUhPaV>N(^Yb^IOJR$F#61UD3pzz=IIRdkW-{lLYWf=Cx
z#YP48bE{;ouY1fnusS#W6*#x$BEG+}N^0Fo);*-t^K+)goHz$$)=`!Z{$^n%v<9C8
zYRhK<5~4aLno#FWckA)rDC)`1
zi4lJGGRbuJTkkRTQR-CvW{QWqWLE7l5?z9jB#EGFrA#^8dVfSsFi&$jnJ)?l#v3Yo
z&Vs4*VY^fXPph?ZJs&da!LDzW{n|eM)gV7tY_IAm$Cq*$9<qJkT{R-hP_{I-moFf1WVjxc%zBkT%J`~4FYGRMTSgG?)G%ae3VS(
zIC&#rmHN|lIsAhtT)L^6o7xrkr9!IYMGYgvn;jxG&C6C^zNX@&Z3kks3)eo4&-6HG
z2$TqTE5P_BU^$rCIAAba;Y)%)F@|R!Iio9G|AgZ|8IZOtK3^o{wmV-hVAA)#m!Ua}
z?T1fc2PbVN@@O|DoM~x_|A~U;C3aoWJjv^`mWhfnB4p8426uDAlSB(o|A*F
ztnp8tcwcibO&fXnK^{`l1e=w1YmSU=U72xn(c6T9*r-xeI_n!*e9ebHc*m-V$^J(o
zggDN5O=^=1t%Ef)cY-?vi&EX>aJNU#3Bah8S8`*~QjNB0|`xDX;DWp=FxpJqZrrnaXRHy9YSH38YL
zr=MOLQ!i;g`Ak`{_jMdBr#F$f%bD$9F}B#iRI*ztbV&4t=j`D8C!pOnGJZ;z`+a?t
z@a&4~D-EmWWV7Jw;?+MXkwo7TddTq~i=z`0mvFz8t;|ldycs(^-ffc$eC-!<&E?%l
zy$nD%<+B-`@2=Wv=|YlNwpsyf8&g$n!|HxW$ZjetYvhWM|H1k}3Qeza1{)}qwl2{1
zPGZr}3d)vja38@Lt-1_O{-)G4=`q&n`QemMT|zDV_ObFK1VcP9?uF4K|7Fuz&~?qw
zZ<2*9j5Qcxi1zg(BhZOyU|Y{}>ar5W)l@28P(%*6JIw
z2n2KpHA<}*lvnDvNVQnLob2Twvh<;d$L1NOe`$eEIM^%kQmfl`+@hj+!^8yI!x^Q2
zK=)^f1A=5dExz<7c?i9KAHLhst|6w~+lC(G*1MO)8Kf)lRk1i5W!i$#f!b%gk(X#T)Q^%d((d(7g?#9j@
zwdIkSO?umDO5^OAvTJxb_K8Dhv{Ll`vovWgW*#R$_keCe!^v7D`CJ>3
zp<;oj2xspAV{Q2k!~=t;g7DJ*4ZIF5q&z2A@+yN2pY2F4K#D}EM#g1`IQT(_ygm*l
z>o@N;Gn@GLURoYHU1v-6P#RnjFZOck&*EFvYZVZcxt}KHu^mzhe)!82#+>EJ>+vbm
zXJP5nvO%?|ia>zR<}`82&M6QUX##}WGh
zUSFd~Gw%IID)^I)Q54B(b!BGJ{DE+jgFP`vLI=}quN2LYTuYBRT~8=L)|DEJF}U<_
z2;+_SA67Yi&Ed@6XmJt6{U{HOz-PkgMV_<%V#T|&G?a8_ObkEBz%a6(r?$Y8z(Lm9*k>wY
zx*UFG)5}lj_%=+``_)A(EJli06bj@AB
zZ5am+{cR3#H+;M3N41n0^%FA05y0q)~Tef3{F<4+`PsWUx
zec?PMnU(urRJ`ZT=036()MOXay+j3F2v7qLgT+5WUy;`j^tDS;5vZO~Ay&NV9skYg
z%vP`75)avCbItn_rh0D2wS46qVh@cW`?64{k+=G2kZ__vL&M@s$w_TP4xhv%w%O+x
zeXOLK=0+ZHCAjFZ*q`3*OJR&$m}&&TAM8c)4;)I_{_dK(E;
zPO{|BGCj)7Ko`uf&Rk_UC1CrtVJw?I*42mvTeWF|?Fl%e*91)5u~e76j!vPqi?94_
zo!UE*j}A|$2}V*q(!5_%AMfOtp0;f(aHJWdWEoV{?dv_~w;8cV9d_sCigtJD1NK{7
z0--0;U@yA{S{XGp-z8+`LYDT=D|2r@L|9XMrZR^-H
z2GL?QHaVbIkyEJJeU)Eb7KIU?B;2}tIK6t!8k@FU4!1EhFrCuLXm#uE5!E?{
zAesp)#Rct*=A7E48>SEg=H@2{(<`)FxA;k7rwbnW>g&)FhyG%ej*Fku_q&%Ur!iJ0
z_9sJB9a*Zm(tTr1>SPzySj!Y_JA9AT1u-{DFqN>G_7F|e74E}7O^AU`c-LY)z?w>a
z2aOeuh5Y++5~K`C0!(d;NoE(_;MH!j3bk%Jx|q|d)h7!~)@TL&T1HUWIy3D_80{QZ
zZ8?YwV1wmFIW*auY?wXJB~3hHC7K*Hf2`PBx}d3Ot9@v){27Nl>RdQPgyH2OtW24E#i;Fy(f;QPfsNVx_l=3;LN9x?E|_=Z&E~^*U9P+dR26ZzyGrqrubd*1<>2TMcO=MB{tc+
z_W=`sTHtbSb8?PXXIWifNrThdE80BXqJqYidnX&3cx?4{(Q>@QWSKE+=>rc+SMX$f
z8$SDP$XJrAc=+TfWrFWeN+)2a*bW`rKv*<7Pt`zmw5_6Ht`2)}h7*DY*?k9ae^AEOFoAdJ=Jkb+>dXb#u#6bU5AIyaN1
z)6v8Icu~E>VwXpa$HA-=NdYCdQ}yFs01DSbh-DhTi=m8
zZ5)!+3x?!FV{=?O`Izzio%Q^nHoaUG+=NQ4hbHjNz@Y(<^=RE$5nPEj6x)
zVDZSyfpt;~qTXMr$P(kb?dlfV2>-(0HjTQ?vi-K##!o%H2OBt`_Nw~_-!4C8jGkr
z%bLgx091g7Qn2CM;PCb8?QZ)>V(v2)ND1_bZo0r(R4re_thF?Ty`VM+=>6y
zd!9c1co#+V&iIE+ae|+{7%@Gw0fMw3l^JaH4*1q7$Ly=cQ;mN9p`72in?zu(;4Gco
z!&Kqxej1t>`TyWjaWuzHl|NNy=M$hBEMDsHcFGGvczmuW3Qu6h@*h26YTreaSjp>u
zxQMW`I8MK5E~Q2)3VMpwN)D^`6y6=I$~Ld#=II>KzB|q~I#TILw+@-ew}D{_m6JUx
z!21N;x9dXaOb(fYc-Pl`G#fa#+YbFCt15OG7j-7
z8G%WeTX&*ET%Ry;L0c6!UW)X!TwPuv*gmxMD{10j{1e&Zhv?fNnj3LgggSbEoG|XY
z^(7B?_li{iXVFRHFE3##H4`HRIFdDbp7=riy7Kv9pIPle=SsNj%^6Sr6zOxn&CK!g
zdqHwnZYedDZ5=Te18Zl_j+WpfUBe-JfyCE)0N=OWus{(WxirSzS{V`yOK(7L`wihYO&g*CP6$b$44p=+3ONXU=9
ze=V)WmN2v)`U+yMXyRmXmzu$B6QycjEMhiQs*t*d(t$hr{gdY5?`;PQi?S}@?hqeK
zto?bR71FtD30YY8Dll+1giihx!}oj+HhAPp{Fy!S3ZkKiS)G${>RCbh%r(eOTbvK-
zF*T$(>l|$KK4KDaI?eicDjW1{Jvv<61*ovZoky0womSgyySj9*Kzc~r
zA|6Q+ls+xSS%oWys3;F(bXi}k;~H7y*mzdO^OO?R)I(HyXBqqxtc^W#!-w^JYutRK
zOKil_E>oNR9tW<5x2d5yBnT59&n143ZT0M$Tk1Ne8tAPuO)UN9HWWQfy6VLM9%8-a
zD%71fRKnWqQQlOlFL(1i5%JzGx#appP$6d}1Ol^(P_{j=&mHoC+Ta?x(6vgsgPC`H
z5FO*YrTkVA7ep-Y0fh8;Nxy9QpV{*~tHUJn9>Asz#PoY4TKuGQbXimn*T-_*=Eov|
zPxks9PW;bHsX;w3d++1CYjeIO`(4#^SH~`0N)xaf$WfudH|2|3rBk}>5BmBLY-Z9o
z4G>Js{=WfTo{Cc`pPye?54EtCYR%i8y|C7_R!a>8Dr0AdQSHnjeo!Tk?g=VdcPuuI
z@_r14nbFl*E%RjSgSY{FwfWJ}d5I86s^IsBY5;=pbN4erMu4AhI+41t{;jS+jeWW1
zfpw`Q8)9<#iQ(ieh>`ulZp{`fahWkbflapN!2^rjb~}!w25C#W0^>{I)`OM53#9ER
z+h_>Y-)L>?@VNGnDMAe{sbSMpkDGI=D;U+@qx{%4OsC}P^Sv}!GYMD>9x^~2hoCf9
zdHum=2bE8_E?vARLTANpf@q$?iQ{AtixcAQu^W-f`unxeRxHUNIb)?J%GiI`=in{O{(9u4FG#PV{2fWKARP%sZS3(#UBWI>>t;%>#nvf
zj8^x}eZ}n_DBWb`y{yG-CEbKslohm=toCebPkt=o(K#un6xG-lMlFZXgx{uhnm{nW
zJUqECx0rUhT}XE+Q76NlW6)HZM0~;(Trjn$vAkj1d~vvu<#-`Y4!=QXZ`;|o+vN>s
zg6;F^48QQ42^N&PC6?huwO=S@6bKB+_9m>0)91fBAulin>Ngy}*zkRl3Lb{V-dKov
zAj@%QK&v#S#?V4O3B>6J0xCRC7CfHbm!IK
z=4x!P`mjMQb>V)Z3q2f9^H}wZP+v0%cOT@<*74rt**Kq*9K&
zvSffZT%=SP=)w`BAw8S4iJvQBl%-B`!_A^vh60$e;pk>xeY?wULt8tOq+TrKr#9;7
zqGYXK5Wo{}or9J9y9R$s$vcHkOQk*ymPostBc!|j5Ew;3vXUF3WB-rQ_7e9uP5exl
z90ZdhJ36nLgz$l!V1Ag_VFMY4KYc}J*FJcMHKio#(;y*mn3m^oR18CXRR1w@Kj1Lt
zANS?AC7oUe5-HkIZ(mCtPECAS0x$-m7$z-%8_6=IG@}C3?W0tZcgm4~w5hu!dz6ep
z9l8*GUBA^{%FK-W1LKK^0k5Gk}${E*VJ9_#^RX1@%6Ci>RLvA8#z0*PAZM
zN0SK`@Zawdcb*7%VTdB*u73S#?_V9xl}evG?03%>RaVZ5*}3<&BR`_u)TE0uBbbv4wacNqIt9(0NrM2rf#KkiUC#n;
z5)|#$7qUvLELSaq$1si-pkWjYP;n(0j>nMUG1uTs%Hi-v|82l_y)t!^noF7q&~Hzt
zbgc5N9L-EzgqwvJL`|>d+le@=tv2ho
zr%?=rwhaz6CN6wGXNvgZdp|9Z-yra}@#Vo+aLLo+wP1hY6S?0^vT&G&yq{X5(y=kW5xg+sZ9Fhr-4KZ4$f^f&L
z3;bk@;y(h^1}jVLXbvE+2JO=iL02_3V^qhudRIn|gx@GK=j5o4?Peey7X7|hGPxL<
znu|DpxxKy8t@xrv?z2MvBOb26JFoLLhPKY5jO3Ood2-A>-BmE%5sm$#&5hV+
z8uzj21=i&c3K8{S)zaeaNuqOUw&mi%PM47N>~YcEU}Wt1`1{2_yQc-cW?YeEo~np7NtBEax9YkQiORK6(3N^Hy>&;PTL(KiTXS5u%Kt8)(fK
zs)NfdwiPITDeG?ag==qE8klb@Q!sbM~BC^(hkvNJB@?b>htt!Qbp
z|FX_SYWA6;A~y55btj{~j&#A~0Z?TE`HM=x!8GIaj#Q$FE7u$y+^TAmWn>janR98m
zFMKkr){1M)b(VH|{yw)!VU9c$(cr`X^*+7O5!`MYj<9+gcDd-jrK>}dwKc`
zmAM`@Vy2t&#By9TJ}sd#>-LjM?KIb7g0?@1db2x7)DYfn-8?X`d>Mn>hRL={b@M2%
zWgP4w(NOtLJUo>*UpnTzxLf
z7uypl8b7%ubW1#*O59fb^k*8k-hC+%n~4@?5gDPicAOmXmdH|MX80YMM@5kKk%CuR
z841pCud4@GvnN&3IWqB@0i$Kmy$moat1_zhS;uP7vg!v4IL
zqT+sgW+I^l>Bc4~YSn?6mGtpYhm?Mk!&wRN$Uk^hZ54xt#;-|D0B6+a`o>WB>
zCoB(bG6|HGo-~nfc`ImSz1z0^@x6(Z+L%tMvHH7}@}9Xr#`g`6H%LNiLRxZb@bR=K
zsSn=7+}jDy6}TH|chKtKV9)Iv`R7vOhpP%xcSH>%5bJGE{rUyt4=YXhi@{h#$t
zZ*`lv`t(k_%@9Pu;*;9b!LPbfwt9j_A1!BP?9!Yj_)sE$rtrvxAB5U25}kd`vHP4C
zRa;s~+X{_H=TZdz{jGo&Zc@k{q5SKY5wE`ypTOR>#pbWZUU%x1eC9F4A8{$Jb!#A7
zjZMkMCQpA@vM`z&yUs!{$hWO1?ySPHwBi){EZ07s-FxC0-_-WCJSL)C`>43*KGS%{
zbzf0dMH}UOQA-1ykb_*{g|%eiiTpnU0(x9R2F9EszR%?6>C}Y!c0J>6pvMLJJn~Uz
zR;s`xh{!w?ASSzJh)ADXD8M_^C8
ziN2LbMHEjMJSF4Z%WQt*dlo&KC5dXG8ehWif+IqW8?6t6+SSDlnVhB!ZkVMC3Fn<$
zqO`H_VbU;KBBM-vz4ovmdySe-&Z0@FvF##rg#JBnEw#o|jx@z;nUIL^zmj5#<#Wqv*hr^9`|3Y!S~B)wJ1qtRf8?N-PBWNu{!^0#=F*}D~W5&&C0tK?Oj
zVfTHew4Ekjgu##gS}Mvx+`2+$EVPkVWT87}l7$eg;6^krW_{oP5Iw@AY*7v8S8d+A
zB1mH?T>4xt@jR3={w`CR8+PP+5^OlRTiX5(6H_P@Ti))g
z7nczkUvni#$hvVBRu#Nd`Aw!<1dO~PC;
zli072!1=8#PVUV0inu2$l%=b6`anmQ$CjJ753=6`=_3H$@{}8PMyfF8m1n(?a;vQQ
zT=WW${7d;I!bU?wej<`eP0g$rmdu{IY^PSyNU(ho!yJ{nJMmR3$n)W&+Ui5t*RqIc_7j3CJ=&2_l(S(YGxTrT@O{|J5=;HA;^vn8*8ONOpUZWlax
zdUewI+EHi&FR2-wZ?1Uc`R?BFL*K6o)+3Wmu@M)F!IrHCp3{LwBDn{NUnc_YJQL|G
zUfXb}yLb`GO)3-I?cEyFQtFX_#z_^H44lr?9$S9D>wq1i-_yrzkB!K2YHt&Z+1`^=
z4owd_<kx
z7P-J1-03`iP9|Nk>HuHWSx1Co?12|Gdj%-+^u~ZE0@^oSo3>6>UtYkZ|;7
zW3vBEe`po<^e;8MatdGGjq$|pe6c_vUhDY=_XR$!5Pej@@G+@%jpbrLYbuVwFVar$DTJ*
zQFoOUM{`=!MWy=4COXRmT+C8h^6^Zjy9xb4ovT69x5B&XM?Co2L=NQy3GalILAjEl
zVG~4q+)xp`jOw8^8UZhY>Zq*7PER3#Ms?cK+w
zMx;|ojMY?On^U@nc57B)1@3ZUS(Rt4!9Cs8`TSIP{@abNcjUW}yjQM$QkBaQ0q?2$
zUMDWlt*O|OFoO&phZpBafsKVWABGy4%4E(pT@XAv!tm^T9O7&r9klh~LHl|E+oeEQ
zZl(xe-xf&VK_+B4#zx9G)oH_#L+CJi{)rrW;C2Qz(;vTYDrGmMcB<@>v#fVg+&RsW
zG+A|;@?`dFZjae2{jLdhyZnMsW~slAYU_*Pwg_=PBc8k9W)~afu8!G}QZ>=aX?bUf!GP9zd+|li$Btoq#nQu~^J;cv**UI#6tg-hI71
z>=={XHJB{y3Z_Kba3oQtOM5>$jmS_(${Z3}!BaJn8JTZdZ=_rOm<_MHvW!2mI9Tnr
z4v&nI39z+zH6-~UNAU=W#~OaW7tQO{k2qy24qU22r0(Ob9w64XYL;q
z7*=4)V|W(KbhM~)Y)bE=Y}k*;zqaABK2>Ku!fCVIfhm@%3Gf<1jM;ev*|b(VVJQ)Z
zmm+-G;#0A{mi&H&vj{huN^;kWI~mPkPBZ@tM5s811<`U
zMlMLhrEOMOoh{}ntfMMltVu5x)p$jf`r1(hN6uyth8OW}K=_+BFScGhUfCvgw
zH~%sEGMNEN*!x82H}wm^T!Z;9e>xZ0nz&B}sIH>x&(kdzdr{$2Y3%2F|CUSrqxLHp
z%5j?Ml=`2i_iYj<8H@S#Gs$yF(1^yEu7Mtdz#5UP6p!+a;bC@P2Q+4U*R<6@&-WoD
zdn_X0|~hbYmfH(X>=n!HiZd1!~?|Pe1Ehth@Dkh}2FU^nrzx?n`XA0doTy
z-c>+d=TJJ>Ju^e*S=G0q$ha*SvkTbR_1aK;IYa_jcyjU;+Afq3Xq0l8HAYNo9vai@
zfouxyj9q#ldi~Xpxz(K$_nxt)@=;oSKMjU0orq_avbj0@ZFV64;)7WUyH^yNipP@{C%YQEmeh4Y0fe$Vx!XU%d;k|XDH
zj&D;Yy_Yz!RR`>T^U_#045mn>0@bhdy2c1$pj6n}YK{w+rmF;#+5=)2fq>j4!
zZ1;5QvP;!ky^0YsJLt3ax?>!Z@CW|RE+M^*8tt%;9u)Z63f=tZB0fwkjRtDqE2YwS
zW8PM*DQzwSpjc!+f9-oZpnM#DxvLjE4
zRrJrYfi#1_iHi{#&9)!=Vc&>BvVUf?ku9p-yEe$@pDqeI(@JQNtBF>x*r)d5RoOkk
z%iB@S{FAQ(iE@0<^hqBfpf>f)rWf-aqw8#Zw6YTS>AR$__IGr(Fbt^FSx&ZONz_?W
zzIa>@fSXxtw5%7AbH+(q{I#?RA-XrX{L=h#?#Sfm=DMe{4z}Ng+DKI07M&;^~W#W!rIP$>KTPnR(-bL
zUYXV&)}wNU(9Upu&N$iAf-w{1uqi6pODWaCHlprGFHcu7Dx=ESP^x}U6s)EPU5*wN
z9d6`bKM*u9ZqIgVE{lNW`vdcd>HPEFqc$n{Ywcg}xex`N4-<`*)tyWZZTrXW1OTY0
z*GyPnM%byj?1%QbawVOMf2s>5{mFNXuKLS>|fLy)ajsV-~Kyz2#hKAODGODjY_>lXWhQsf&2n9b|
z{v+?gXU3;7>1EBC>oGNJO%aM(j{ZsW&n;CQGj$TVpFM(O_{(&uWi>N%OqXQ;1|IwO
zJbmuM>L8Vu2XRrMCOCWvsqRwx485So>R_uz_^97v{RWs(5clW;CspxSwgX9-Q|qQF
z(Qjkp!%L-^n_#kY$mil6*%=$&eACRUk+$+$juksDAAurpc!G0K(6LVH;s+-?@_(2N
z3H{k{&L5RsROeboMcve#!K(%@pO(V^_+lS)s9Im|z`$U&F|l2D-!mP+?>p^>4uG>!
zuS9BQbMuipj_}HMzT!Ta;Orw47`PAX5A%ORl@cq;OMEfkXa?2P-ZwRbC#r}T)=`{Q
zQtOY#j#Nwjp{5P{FZqZ9{yp^N9aDFc{env-c2m}B841Vc
zilYS|Ze;9Ic<=eCx9>U3aw)Nqv$OnyI_$)&?
z9(U}QajKIF48d_dZrv-nF14d?QG3N9uS9!KE@!v*fXIm)$z4f!`m~nm)1jH;czk$nV*%YN1`|Q^gzp@F|23ddzmWs8mB5tC%Sg?DI%(mo=2Tk2
z2!y=;E6{xBkVx8OEuo~s$K3+7swo@(ux8Y+FaG!iWxaJWN11^xZ}+F}r=(SfdhBpO
zE5i4(OD)paII+dIRVwZD`SX(koQdgcHWP3>l25s~h<88tuhaHp?gzaD+FPAG>e(p$8ObM-G%9&y+gAXxfh$fa={J(|-5?
z1S)^?0Eu@l5jiMO^M2WUUya={iKDESpHASWSq~m_5_lqxOp0$_ZgxsFF{PA@I}<-J
zpO|4Jot0zEUObhB2wSwxKi@g2aqEY$nnH;9xY~69vzUY8GNN*(3Dnp
z2F<)P$7rba1Ao
z)+6x+*UGjSKSG}*M8$p%UMI}6&P)69%#-$^JqE6KQriP
zJF0}eRv3kY9)J6`b9J)0A#kYa934s(nTXTSRNg6ZPgGAJO0(KDCFAl0G$Zq0Z^$S2
zYss5J)~(iQ`vXBn|A)Qz4r_AT_C|5JmmFm&+a-!fTPlKd>76VKVrWsSbde@qYJdPi
zU4T+G^sbW7dv75i(wmgfNstzLq$QA$7vPr3m
zaNiH`V#y~zD6g8mPV}s~w}L{a!;=a*50E@`Di?AgnP(ca2Fl97)b_5*`F2j`=jOO3
zeSxQ=|A3n85V|5kPY;$Br!-pfFUsWI(iq!P|3KY8JsLt^Y8>gC0rouuitxGoWTaUv
zvlu1o>qaWZC7!yergiq+Wg+S10U;~Zu4NEJ@nE%vq{D@G
zzbWRzrav>f(5ra*PGWqn09Wlr@2tKMAfJm8^X`ZA)o-{HJxc>(SGMN-078y29p7v%0EB>xGaS{Q~O4Y>USv>=!SjORdJJZ^D}GT
zUNQ4Rv6NouXKpoNVR?iQlaJW@a_cvjGTim#&rEd-C0_qYoiYCpWRCe)!x|L~TsI%t
z-ZT|Tj3$qksAw(K+xqBhyWCA%J|Z%bn_Tdo(ESx(*H-A8|Ak$D{nJLBJmG(3dH-KC
z@&EH46dHIr!l)XO)yS@%xILPey|IZ>*Txb=riJ3lmVZ}Iw9GO%5s{Z?eO-x6ti$qN
z;K;CC&zfGc{L6&Xq}{>W`snkM={e_(0+&FEBN`NIbZW_nB5j4M!(wEQV|jf*a{tfT
zhYxBVe;J#`Z;bNwntkL;-e+dd0M!59$wb_m_#L1X$MQH+TCrfXp!MLS@V(%!M{l3Z!X2*X$$@B*Nn_0$6e4f7ChxLo%
zMjKT_%R2=T_etFAWaEUwO&1Nb#MQ@psZNeYJ7FR%<5Po?4d9)&_(kW!C8eSiJ_4`r
zDbC{ZmT9kGQsNj`Ed2$#;7O=LRplA5ltNF4(?r+Flx8vd6UG(k
z##kM329H}09X}{LzI)ksL+9aY5*NiDUJ`V-sc(brA!&FPZX9&K+;Hbr(o*5)+=ATI
zmcS+cgs0?K*=%{qbN&kE+|~M@kY;E`<@mM%%`7ET_GM$BT+uS-pf^e+|HYyIn_N|%
zYR2X%H8N}}ZzJ}m*^}EE8}IPKQuhkSr|kn7q1QO4H+^z)Rdc0c!-x3L4G&Z)Wi&1bSzGjz8%3>Ch}%_eLK%y0O2lSsD$$C6fR6*fLE?PfCBy`hb$XbT&xS
z@-G1_&saEPJcSjz$hv;dh1K=tgC3*Qm{sO32T(iOIs4-c{OgCEm!gn&bibC$8i);`Af6$<2jg+qmNmE
zpVXD&k@{QodzqBg57hPelCMt!mlCpIWor*IOAUky7RtA+KT4gC(hsB;k};3_Uk>ON
zS>GNBX#Z_K$@HxMaNL?}0<&>@M!kt%MinBRwb_mu`Z0PN%J)
zd@Dti?_I_!i~1s->mNLr|Bg@=UO7{slXXq_IHly^oT#DM&4cq#@9VFRnY?=<@*?G%
zvC(Ido)GPCn^LgK=kkSxJKmNH%a65MqwrefwPK$>-n){vQ98!YIWO}XhC%$+h&NCM
z)385DOX1I@(o%4b741~b`LqYN?Mit*O4iu`nLU~8UYOj^UuSDSAYEqn3`_xH|qt8!eCTDpuI_}
zakhwnQGr&a=8Mf>5wl!g#;4cZiIb3Es?#&LhQe=JOV4ztQ8ldlvpiE&k&0{zzVK_P
zfF$xfv6tY2`YqIt)Bedl{;B6PO}s!?>c@YsJCZ{Q@ao+mk>mQr=WsH#q{DThfVkDT
zEM5HcsrO?^yP{%asbCKNq8IlgAE#>a4cQm{h#u7XKoAd|Qu+vW9MaOy+jy=0mzj*r
zi|e}CgBgheLng{IuEo#C7M0hEIX@3fpF7raQ1tX(^hxaObCSFb&cP{EXW}P+UE_=?Xk!j+~rTHK;Fx>jIf-<``%D
z#aDT!JM$#|DpKOM2#85@dm(Wzvn=_B>@L6D&g;FQ8*XWb?*+BwE>nE6YY7Fb;#i;I
zOVII&ctx#uIY_fa-f^7e^pkv(E5a0f;#Imx8cQk9L(WX4oG)>{pDj`$@l2(i_xdRz
zEhUNY@t$)U51m{8jLAmwDbzsU43aS-MG1{g4;Y~_a+F<+q-|KH`(vNK3TJn3&tqM3
zMSe+o6J4u?5US^L#OQ0du*pn&BxvnpP4r#*RL9?KeoEleS}Qx+JD3vMo#kpyu;-kL
zw}%*);WrX7g&!ZhquraRT4Hxo<_#qo?IiAwyTCu_8NXQ0K8RAGw?grHB(&<6`sf~85}0xp{Zq^fBO%UqUoHW
zUt-^R-WI%fnQD0DebMDD=OCzg)bAc9NW*IJ!^`fB5|b;d2WkkUWVL@*k}I2fany}l
z8jtkb&JDozvVVoBMQ`2!^QzSO1+tjb@+qu+(v*Al5qSKUIHPT6;u+?^UF&dVdd26>
zl_(7YzT3q+@e&%ojx|T@(=%V1rras-1Z(f~6<&U_&Yw4=wNKHS13lecZH*AgA4c9a
zqnhv@7M;0Z99Np$_~mL0Z|Q4tHAy2At-bTai+?=aa@{khw-AW|BY3WHl_`KG5U#pB
z5=DlMCh3qu&A&t>{ONi5J>KW_G?>K1s!>^
z#buwH@;ggD>xvw#C1u|>tHkFQx|vlzj^8$HHc~DsyWrfesn1Rm*#3NmtM#(OvB2e!
z8&$@dpk(n{v^fB4LR~JNtk{2)7{YG#6r&&PO%ASCsflk#6MZYB(q$Je1|O+hb{%Fj
z7Z7%MAEIPJ^194txMm)>T^_Or0s1CnpIxZwyiZ{@qgD#|Hr}=6Gw8okl0PyPzUE@P
zvID834_PubpNfr$>m_%3`}Wv*_um`&o9t7in(FSacQc&Cok=q#zV`&b1p_t
zZu#o>$2beODsMbV)QmKaTfL%H{Z$B(sG57DNkq_2(%Hxem4*@CWsPjOZpf)uuntG*
zMZS9?aEkk-TfiX!;X~$_Q$wNCe~-Pud)NT9V}8B$r_{g%q#u$T(r-wp+q$@fS&p@j
zYpG>Q+<4}qXt^KL`0bM=hj&|*ChiYd{^1Fb2xV(3{Rg=M^afCk;Qvid=D#*zH%Yp{
zt6UBJxdGzOjsFpSK6$?^|H`cWpMQ&`Vu05Lo&NLTX8+)2PX782E8G8E%JBbu$A0$c
zKZ^tn^|;l01N@NF2yim!o?`i1{-M@G&VujEv}`OEUO&Np9palNVld+gjzV%j$MVOY
zxWG)Mn{ul8z^oCfeUgxn<VQg{r6aa>QjGGiw?EmW~DTZ
zU54(P5HWLCm;!SeoXGzVMl24%LaPCp#g8L4#u}>nr%CRAX9>b^S^BI*AHxmEe7!+t
zOek_Dtl&OtNGb6AdgUKbCPiDSXkytf*s}*RJ94}nGKADOALSoo;GlE+vF&Uk+j^Pc96e>R
zY<)C%mxOB111+kU3ao~TvaskjLhC|k
z2MSwr%<2>teLoi}+VlOXGR2qAvX~@DST_Es)M5V5_(W2H-+<$Po8JGgrmH`@_n%6e
zoopX<@HHjGG0wJo{FKjydPAc@4}AnKtbXMCwD=nycnMBa(duy6HY4N>34gvv-4rTP^fj_6uU?E9@Tea{8m9(89taica8g+vWf}lXe?gT
zIKia&HvTB$NR#)daTMpf8+z(Ar3uLOJ*m%hTTGtXf{n4}@z-D1-YE4ewHT*RXNdKT
zSEhJ|S;NL9{(!k}A;lNwO`!wUhnZ251;#~hSlL5Hx#L1+c08t9WiMaly+k@b?Nj8$&@Ouwwfw4YijHj
z(dke+uzLzm$MnHfU(UB0=&A4MdZ<#4fDlV$9R~Pe98X*KH`Bw*g0{ZM;25}xmX&YG
z6@Wtdzhge&N96Dwy0}3aT%ii>4c^Fc;;LwAsN9S-ts6A;hj;a26FDMdU~+M(ceYY;
z6v}M~L;vrjUTSO(kvq
z;KDS^@CzQPUi~xHb-sA<$5jmUS`wFum8G>cV`?a<(r~)`tKUGHT$M*ta1R1y+Zi1)
z_dPya4YB3cg|Yu~_@>1NcZ8?mP;koV^i3-TRQ5SmmQe9q0GS?Y@_sHtUT`ghvervU
z>RJgQH}`EnP34G?kGuM$H(QzCN}8B^YcB*!T+2S5xjDg@g&oZHwH%@wmbW>`JS`>#
zQZB~ojsDxgYy_NN*M1zmy_&XB_i@Nw1>}oYV-rbCTFjH(Y6&6rqU#1)9NVVtj>?@p
zrac(1HfH#bX#?IwQ?=(yD(mq`%C}-RiTYe$-*ZhDxGV4}b0bqbt!h<{I2oz}G?QL|
zQS%xS0Fy^~$+)U#%j*}}9O;{kIoxpOZx&Nii2?z3ep%c~y)xjZ(`TwA&nmwAnmvZUrPorVR6)FhT!JcwY;et(ou5w%D5x;)C~B
zE08SaJTNQpBSIXUJ}YS%ICWWN%g{p?n5<`%n2@Xab+Oe{s@?pc3j5lTh2_fuIcTwt
z&Hg?l#LmonsIg)lh_BkO5#^jahfn3ydb7k3Gvs{
z&GC&6YcVno5Xu;Lg!|p>50@TtZXdR{yJ=^K?76@uat)JlbG5bKs-gG0a>%u%{d5>9
zX{zEy&pOg+_LVNUF?ryaE>}`y5V*C*uM(_JTxh82a||Ya5naLicA%=v)YWSe1m2wU
z1smg!Fy3rsDzs6L^lygQV?w5C8@;I|i5x=Bi}8+pSVN}NH6(}7B31ZiY9+b-)gfv|
zN5gSt*MNL;d2}L(G%zW__#Vw1NlQOrKA-ve+*})8-acZBfivPr_H(6A7OE-e&
zXc{~kmpz?caZC6&mB95^9Y`-cn%!3jEE4CZn#A!?FGJC%y(PA38#)VvfN1+<9e$J9
zN_CaGXl~O-zH6T&3OC9?)rYToTZ07|*pQCxWw)qoD|~aK@6Imrll_+;0@yGG{O+U5
zjq5~3-;wb1A{!C9!31s+f696=CX@CUVfRe>&YIQS6X+NfFIUj;>2ba!2ckGb#nDsl
zbOc1@lY*_b{-pOv6VC6?Pp~4i=|@3){SR|XOG_cz!OX+xNy1d8Jv(T3!yH~Uqz;2`
ziCQZz(()jn?GzatoHEg}8x~A*Z(KI1;txSCPGv2!tN-Y}nQK^tWs{`n!4rU_U*=j&
zz^C#t&$t#;zd6O&Zi4r`#?J*VYgo6;n~2Jk+bqoB%0pnC;X7R|i~Hp4klD$5_$Ia{
zb~m0BRm*^8$I%W-c=&UDOKEB+t4J_)D`5UZnTp*pPQ}9}JNykhkJOzaVpCm?0^SVQ
zXlEZD>#F3_pMS5$Z3lrnEb$^PL?A5L75(u@p-Am>IqY24{SU+W6m7DRuz-ybY;bzI
zb?_sDY)qFSf8grywjKF{ILyrly7Te0=F!H5{Rr5$6PiJ1CF5XaP97om@uY04;H^gA
zjX`=htHK(bqzS5apKEj}Z7B6vTq7#^cE7()o*kVY_hZPHT?NELgqdZg^};Hh8$$`>
z&dv#*_^#Qqw{KuQQ~qReI_D7N@Yc-Gmd>d{q)FewP@@yL9(naoF5
z&9}h#*VXM9uL^K=c5Bld?CMC=d!(6Fg)(@tDBLaKZvZiknqv#dZ)|K92_U^YheDH9
zXV%sdMMc5a!sT6mFT5O)=%;JU>Yo}+q=K#jDx;}>{7QG4KjiSk-8W~pYRwk~x0<%b
z6<>V&2#81}nA%0(A%e(9jN_F$3>23-vLQ?^d8-wZAHxd
zj^lXZX*N`aL9B`m@w*5j8TE{w4{x5qX)S&)(dL9pMo>d{;%(a=Bk
z`YSj0*3eVntOE6_0N4