From 4c5b2345fbdea42fbe8c57a8b7b696e281c3fffa Mon Sep 17 00:00:00 2001 From: Ashutosh Sultania Date: Wed, 29 May 2024 19:52:47 +0530 Subject: [PATCH 1/4] Added og lib configs --- .codecov.yml | 16 - .github/CODEOWNERS | 2 +- .github/ISSUE_TEMPLATE/Bug Report.yml | 69 ----- .github/ISSUE_TEMPLATE/Feature Request.yml | 53 ---- .github/ISSUE_TEMPLATE/config.yml | 5 - .github/PULL_REQUEST_TEMPLATE.md | 31 -- .github/actions/get-prerelease/action.yml | 30 -- .github/actions/get-release-notes/action.yml | 42 --- .github/actions/get-version/action.yml | 21 -- .github/actions/maven-publish/action.yml | 44 --- .github/actions/release-create/action.yml | 47 --- .github/actions/tag-exists/action.yml | 36 --- .github/stale.yml | 20 -- .github/workflows/build-and-test.yml | 27 -- .github/workflows/ci.yml | 37 +++ .github/workflows/codeql.yml | 41 --- .github/workflows/dependabot.yml | 14 - .github/workflows/java-release.yml | 88 ------ .github/workflows/release.yml | 27 -- .github/workflows/semgrep.yml | 24 -- .idea/vcs.xml | 6 - .shiprc | 8 - .version | 1 - LICENSE | 21 -- README.md | 162 +--------- build.gradle | 94 ------ build.gradle.kts | 7 + buildSrc/build.gradle.kts | 20 ++ .../kotlin/java-common-conventions.gradle.kts | 66 ++++ gradle.properties | 5 + gradlew | 282 +++++++++++------- gradlew.bat | 35 ++- main/build.gradle.kts | 61 ++++ .../java/com/auth0/AlgorithmNameVerifier.java | 0 .../auth0/AsymmetricSignatureVerifier.java | 0 .../src}/main/java/com/auth0/AuthCookie.java | 0 .../com/auth0/AuthenticationController.java | 8 +- .../main/java/com/auth0/AuthorizeUrl.java | 6 +- .../main/java/com/auth0/IdTokenVerifier.java | 0 .../auth0/IdentityVerificationException.java | 0 .../com/auth0/InvalidRequestException.java | 0 .../main/java/com/auth0/RandomStorage.java | 4 +- .../main/java/com/auth0/RequestProcessor.java | 4 +- .../src}/main/java/com/auth0/SameSite.java | 0 .../main/java/com/auth0/SessionUtils.java | 4 +- .../java/com/auth0/SignatureVerifier.java | 0 .../main/java/com/auth0/StorageUtils.java | 0 .../com/auth0/SymmetricSignatureVerifier.java | 0 .../com/auth0/TokenValidationException.java | 0 .../src}/main/java/com/auth0/Tokens.java | 0 .../java/com/auth0/TransientCookieStore.java | 6 +- .../auth0/AuthenticationControllerTest.java | 4 +- .../test/java/com/auth0/AuthorizeUrlTest.java | 4 +- .../java/com/auth0/IdTokenVerifierTest.java | 0 .../IdentityVerificationExceptionMatcher.java | 0 .../IdentityVerificationExceptionTest.java | 0 .../auth0/InvalidRequestExceptionMatcher.java | 0 .../auth0/InvalidRequestExceptionTest.java | 0 .../java/com/auth0/RandomStorageTest.java | 0 .../java/com/auth0/RequestProcessorTest.java | 4 +- .../test/java/com/auth0/SessionUtilsTest.java | 0 .../java/com/auth0/SignatureVerifierTest.java | 0 .../src}/test/java/com/auth0/TokensTest.java | 0 .../com/auth0/TransientCookieStoreTest.java | 2 +- .../src}/test/resources/bad-public.pem | 0 .../src}/test/resources/certificate.pem | 0 {src => main/src}/test/resources/private.pem | 0 {src => main/src}/test/resources/public.pem | 0 opslevel.yml | 6 - settings.gradle | 10 - settings.gradle.kts | 12 + 71 files changed, 425 insertions(+), 1091 deletions(-) delete mode 100644 .codecov.yml delete mode 100644 .github/ISSUE_TEMPLATE/Bug Report.yml delete mode 100644 .github/ISSUE_TEMPLATE/Feature Request.yml delete mode 100644 .github/ISSUE_TEMPLATE/config.yml delete mode 100644 .github/PULL_REQUEST_TEMPLATE.md delete mode 100644 .github/actions/get-prerelease/action.yml delete mode 100644 .github/actions/get-release-notes/action.yml delete mode 100644 .github/actions/get-version/action.yml delete mode 100644 .github/actions/maven-publish/action.yml delete mode 100644 .github/actions/release-create/action.yml delete mode 100644 .github/actions/tag-exists/action.yml delete mode 100644 .github/stale.yml delete mode 100644 .github/workflows/build-and-test.yml create mode 100644 .github/workflows/ci.yml delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/dependabot.yml delete mode 100644 .github/workflows/java-release.yml delete mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/semgrep.yml delete mode 100644 .idea/vcs.xml delete mode 100644 .shiprc delete mode 100644 .version delete mode 100644 LICENSE delete mode 100644 build.gradle create mode 100644 build.gradle.kts create mode 100644 buildSrc/build.gradle.kts create mode 100644 buildSrc/src/main/kotlin/java-common-conventions.gradle.kts create mode 100644 gradle.properties create mode 100644 main/build.gradle.kts rename {src => main/src}/main/java/com/auth0/AlgorithmNameVerifier.java (100%) rename {src => main/src}/main/java/com/auth0/AsymmetricSignatureVerifier.java (100%) rename {src => main/src}/main/java/com/auth0/AuthCookie.java (100%) rename {src => main/src}/main/java/com/auth0/AuthenticationController.java (98%) rename {src => main/src}/main/java/com/auth0/AuthorizeUrl.java (98%) rename {src => main/src}/main/java/com/auth0/IdTokenVerifier.java (100%) rename {src => main/src}/main/java/com/auth0/IdentityVerificationException.java (100%) rename {src => main/src}/main/java/com/auth0/InvalidRequestException.java (100%) rename {src => main/src}/main/java/com/auth0/RandomStorage.java (95%) rename {src => main/src}/main/java/com/auth0/RequestProcessor.java (99%) rename {src => main/src}/main/java/com/auth0/SameSite.java (100%) rename {src => main/src}/main/java/com/auth0/SessionUtils.java (95%) rename {src => main/src}/main/java/com/auth0/SignatureVerifier.java (100%) rename {src => main/src}/main/java/com/auth0/StorageUtils.java (100%) rename {src => main/src}/main/java/com/auth0/SymmetricSignatureVerifier.java (100%) rename {src => main/src}/main/java/com/auth0/TokenValidationException.java (100%) rename {src => main/src}/main/java/com/auth0/Tokens.java (100%) rename {src => main/src}/main/java/com/auth0/TransientCookieStore.java (97%) rename {src => main/src}/test/java/com/auth0/AuthenticationControllerTest.java (99%) rename {src => main/src}/test/java/com/auth0/AuthorizeUrlTest.java (99%) rename {src => main/src}/test/java/com/auth0/IdTokenVerifierTest.java (100%) rename {src => main/src}/test/java/com/auth0/IdentityVerificationExceptionMatcher.java (100%) rename {src => main/src}/test/java/com/auth0/IdentityVerificationExceptionTest.java (100%) rename {src => main/src}/test/java/com/auth0/InvalidRequestExceptionMatcher.java (100%) rename {src => main/src}/test/java/com/auth0/InvalidRequestExceptionTest.java (100%) rename {src => main/src}/test/java/com/auth0/RandomStorageTest.java (100%) rename {src => main/src}/test/java/com/auth0/RequestProcessorTest.java (99%) rename {src => main/src}/test/java/com/auth0/SessionUtilsTest.java (100%) rename {src => main/src}/test/java/com/auth0/SignatureVerifierTest.java (100%) rename {src => main/src}/test/java/com/auth0/TokensTest.java (100%) rename {src => main/src}/test/java/com/auth0/TransientCookieStoreTest.java (99%) rename {src => main/src}/test/resources/bad-public.pem (100%) rename {src => main/src}/test/resources/certificate.pem (100%) rename {src => main/src}/test/resources/private.pem (100%) rename {src => main/src}/test/resources/public.pem (100%) delete mode 100644 opslevel.yml delete mode 100644 settings.gradle create mode 100644 settings.gradle.kts diff --git a/.codecov.yml b/.codecov.yml deleted file mode 100644 index 4a94c8f..0000000 --- a/.codecov.yml +++ /dev/null @@ -1,16 +0,0 @@ -coverage: - precision: 2 - round: down - range: "70...100" - status: - patch: - default: - threshold: 2% - if_no_uploads: error - changes: true - project: - default: - target: auto - threshold: 2% - if_no_uploads: error -comment: false diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 60f116c..63af35e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @auth0/dx-sdks-engineer +* @OpenGov/platform-access-control diff --git a/.github/ISSUE_TEMPLATE/Bug Report.yml b/.github/ISSUE_TEMPLATE/Bug Report.yml deleted file mode 100644 index 19ed08d..0000000 --- a/.github/ISSUE_TEMPLATE/Bug Report.yml +++ /dev/null @@ -1,69 +0,0 @@ -name: 🐞 Report a bug -description: Have you found a bug or issue? Create a bug report for this library -labels: ["bug"] - -body: - - type: markdown - attributes: - value: | - **Please do not report security vulnerabilities here**. The [Responsible Disclosure Program](https://auth0.com/responsible-disclosure-policy) details the procedure for disclosing security issues. - - - type: checkboxes - id: checklist - attributes: - label: Checklist - options: - - label: The issue can be reproduced in the [mvc-auth-commons sample app](https://github.com/auth0-samples/auth0-servlet-sample/tree/master/01-Login) (or N/A). - required: true - - label: I have looked into the [Readme](https://github.com/auth0/auth0-java-mvc-common#readme) and the [Examples](https://github.com/auth0/auth0-java-mvc-common/blob/master/EXAMPLES.md), and have not found a suitable solution or answer. - required: true - - label: I have looked into the [API documentation](https://javadoc.io/doc/com.auth0/mvc-auth-commons/latest/index.html) and have not found a suitable solution or answer. - required: true - - label: I have searched the [issues](https://github.com/auth0/auth0-java-mvc-common/issues) and have not found a suitable solution or answer. - required: true - - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer. - required: true - - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). - required: true - - - type: textarea - id: description - attributes: - label: Description - description: Provide a clear and concise description of the issue, including what you expected to happen. - validations: - required: true - - - type: textarea - id: reproduction - attributes: - label: Reproduction - description: Detail the steps taken to reproduce this error, and whether this issue can be reproduced consistently or if it is intermittent. - placeholder: | - 1. Step 1... - 2. Step 2... - 3. ... - validations: - required: true - - - type: textarea - id: additional-context - attributes: - label: Additional context - description: Other libraries that might be involved, or any other relevant information you think would be useful. - validations: - required: false - - - type: input - id: environment-version - attributes: - label: mvc-auth-commons version - validations: - required: true - - - type: input - id: environment-java-version - attributes: - label: Java version - validations: - required: true diff --git a/.github/ISSUE_TEMPLATE/Feature Request.yml b/.github/ISSUE_TEMPLATE/Feature Request.yml deleted file mode 100644 index 1844d7a..0000000 --- a/.github/ISSUE_TEMPLATE/Feature Request.yml +++ /dev/null @@ -1,53 +0,0 @@ -name: 🧩 Feature request -description: Suggest an idea or a feature for this library -labels: ["feature request"] - -body: - - type: checkboxes - id: checklist - attributes: - label: Checklist - options: - - label: I have looked into the [Readme](https://github.com/auth0/auth0-java-mvc-common#readme) and the [Examples](https://github.com/auth0/auth0-java-mvc-common/blob/master/EXAMPLES.md), and have not found a suitable solution or answer. - required: true - - label: I have looked into the [API documentation](https://javadoc.io/doc/com.auth0/mvc-auth-commons/latest/index.html) and have not found a suitable solution or answer. - required: true - - label: I have searched the [issues](https://github.com/auth0/auth0-java-mvc-common/issues) and have not found a suitable solution or answer. - required: true - - label: I have searched the [Auth0 Community](https://community.auth0.com) forums and have not found a suitable solution or answer. - required: true - - label: I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). - required: true - - - type: textarea - id: description - attributes: - label: Describe the problem you'd like to have solved - description: A clear and concise description of what the problem is. - placeholder: I'm always frustrated when... - validations: - required: true - - - type: textarea - id: ideal-solution - attributes: - label: Describe the ideal solution - description: A clear and concise description of what you want to happen. - validations: - required: true - - - type: textarea - id: alternatives-and-workarounds - attributes: - label: Alternatives and current workarounds - description: A clear and concise description of any alternatives you've considered or any workarounds that are currently in place. - validations: - required: false - - - type: textarea - id: additional-context - attributes: - label: Additional context - description: Add any other context or screenshots about the feature request here. - validations: - required: false diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index 65c99a9..0000000 --- a/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,5 +0,0 @@ -blank_issues_enabled: false -contact_links: - - name: Auth0 Community - url: https://community.auth0.com - about: Discuss this SDK in the Auth0 Community forums diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 8675fc7..0000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,31 +0,0 @@ -### Changes - -Please describe both what is changing and why this is important. Include: - -- Endpoints added, deleted, deprecated, or changed -- Classes and methods added, deleted, deprecated, or changed -- Screenshots of new or changed UI, if applicable -- A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released) -- Any alternative designs or approaches considered - -### References - -Please include relevant links supporting this change such as a: - -- support ticket -- community post -- StackOverflow post -- support forum thread - -### Testing - -Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors. - -- [ ] This change adds test coverage -- [ ] This change has been tested on the latest version of Java or why not - -### Checklist - -- [ ] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) -- [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) -- [ ] All existing and new tests complete without errors diff --git a/.github/actions/get-prerelease/action.yml b/.github/actions/get-prerelease/action.yml deleted file mode 100644 index ce7acdc..0000000 --- a/.github/actions/get-prerelease/action.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: Return a boolean indicating if the version contains prerelease identifiers - -# -# Returns a simple true/false boolean indicating whether the version indicates it's a prerelease or not. -# -# TODO: Remove once the common repo is public. -# - -inputs: - version: - required: true - -outputs: - prerelease: - value: ${{ steps.get_prerelease.outputs.PRERELEASE }} - -runs: - using: composite - - steps: - - id: get_prerelease - shell: bash - run: | - if [[ "${VERSION}" == *"beta"* || "${VERSION}" == *"alpha"* ]]; then - echo "PRERELEASE=true" >> $GITHUB_OUTPUT - else - echo "PRERELEASE=false" >> $GITHUB_OUTPUT - fi - env: - VERSION: ${{ inputs.version }} diff --git a/.github/actions/get-release-notes/action.yml b/.github/actions/get-release-notes/action.yml deleted file mode 100644 index 287d206..0000000 --- a/.github/actions/get-release-notes/action.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: Return the release notes extracted from the body of the PR associated with the release. - -# -# Returns the release notes from the content of a pull request linked to a release branch. It expects the branch name to be in the format release/vX.Y.Z, release/X.Y.Z, release/vX.Y.Z-beta.N. etc. -# -# TODO: Remove once the common repo is public. -# -inputs: - version: - required: true - repo_name: - required: false - repo_owner: - required: true - token: - required: true - -outputs: - release-notes: - value: ${{ steps.get_release_notes.outputs.RELEASE_NOTES }} - -runs: - using: composite - - steps: - - uses: actions/github-script@v7 - id: get_release_notes - with: - result-encoding: string - script: | - const { data: pulls } = await github.rest.pulls.list({ - owner: process.env.REPO_OWNER, - repo: process.env.REPO_NAME, - state: 'all', - head: `${process.env.REPO_OWNER}:release/${process.env.VERSION}`, - }); - core.setOutput('RELEASE_NOTES', pulls[0].body); - env: - GITHUB_TOKEN: ${{ inputs.token }} - REPO_OWNER: ${{ inputs.repo_owner }} - REPO_NAME: ${{ inputs.repo_name }} - VERSION: ${{ inputs.version }} diff --git a/.github/actions/get-version/action.yml b/.github/actions/get-version/action.yml deleted file mode 100644 index 9440ec9..0000000 --- a/.github/actions/get-version/action.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Return the version extracted from the branch name - -# -# Returns the version from the .version file. -# -# TODO: Remove once the common repo is public. -# - -outputs: - version: - value: ${{ steps.get_version.outputs.VERSION }} - -runs: - using: composite - - steps: - - id: get_version - shell: bash - run: | - VERSION=$(head -1 .version) - echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT diff --git a/.github/actions/maven-publish/action.yml b/.github/actions/maven-publish/action.yml deleted file mode 100644 index ee47706..0000000 --- a/.github/actions/maven-publish/action.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: Publish release to Java - -inputs: - ossr-username: - required: true - ossr-password: - required: true - signing-key: - required: true - signing-password: - required: true - java-version: - required: true - is-android: - required: true - version: - required: true - -runs: - using: composite - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Java - shell: bash - run: | - curl -s "https://get.sdkman.io" | bash - source "/home/runner/.sdkman/bin/sdkman-init.sh" - sdk list java - sdk install java ${{ inputs.java-version }} && sdk default java ${{ inputs.java-version }} - - - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # pin@1.1.0 - - - name: Publish Java - shell: bash - if: inputs.is-android == 'false' - run: ./gradlew clean assemble sign publishMavenJavaPublicationToMavenRepository -PisSnapshot=false -Pversion="${{ inputs.version }}" -PossrhUsername="${{ inputs.ossr-username }}" -PossrhPassword="${{ inputs.ossr-password }}" -PsigningKey="${{ inputs.signing-key }}" -PsigningPassword="${{ inputs.signing-password }}" - - - name: Publish Android - shell: bash - if: inputs.is-android == 'true' - run: ./gradlew clean assemble sign publishAndroidLibraryPublicationToMavenRepository -PisSnapshot=false -Pversion="${{ inputs.version }}" -PossrhUsername="${{ inputs.ossr-username }}" -PossrhPassword="${{ inputs.ossr-password }}" -PsigningKey="${{ inputs.signing-key }}" -PsigningPassword="${{ inputs.signing-password }}" diff --git a/.github/actions/release-create/action.yml b/.github/actions/release-create/action.yml deleted file mode 100644 index 6a2bf80..0000000 --- a/.github/actions/release-create/action.yml +++ /dev/null @@ -1,47 +0,0 @@ -name: Create a GitHub release - -# -# Creates a GitHub release with the given version. -# -# TODO: Remove once the common repo is public. -# - -inputs: - token: - required: true - files: - required: false - name: - required: true - body: - required: true - tag: - required: true - commit: - required: true - draft: - default: false - required: false - prerelease: - default: false - required: false - fail_on_unmatched_files: - default: true - required: false - -runs: - using: composite - - steps: - - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 - with: - body: ${{ inputs.body }} - name: ${{ inputs.name }} - tag_name: ${{ inputs.tag }} - target_commitish: ${{ inputs.commit }} - draft: ${{ inputs.draft }} - prerelease: ${{ inputs.prerelease }} - fail_on_unmatched_files: ${{ inputs.fail_on_unmatched_files }} - files: ${{ inputs.files }} - env: - GITHUB_TOKEN: ${{ inputs.token }} diff --git a/.github/actions/tag-exists/action.yml b/.github/actions/tag-exists/action.yml deleted file mode 100644 index b5fbdb7..0000000 --- a/.github/actions/tag-exists/action.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Return a boolean indicating if a tag already exists for the repository - -# -# Returns a simple true/false boolean indicating whether the tag exists or not. -# -# TODO: Remove once the common repo is public. -# - -inputs: - token: - required: true - tag: - required: true - -outputs: - exists: - description: 'Whether the tag exists or not' - value: ${{ steps.tag-exists.outputs.EXISTS }} - -runs: - using: composite - - steps: - - id: tag-exists - shell: bash - run: | - GET_API_URL="https://api.github.com/repos/${GITHUB_REPOSITORY}/git/ref/tags/${TAG_NAME}" - http_status_code=$(curl -LI $GET_API_URL -o /dev/null -w '%{http_code}\n' -s -H "Authorization: token ${GITHUB_TOKEN}") - if [ "$http_status_code" -ne "404" ] ; then - echo "EXISTS=true" >> $GITHUB_OUTPUT - else - echo "EXISTS=false" >> $GITHUB_OUTPUT - fi - env: - TAG_NAME: ${{ inputs.tag }} - GITHUB_TOKEN: ${{ inputs.token }} diff --git a/.github/stale.yml b/.github/stale.yml deleted file mode 100644 index b2e13fc..0000000 --- a/.github/stale.yml +++ /dev/null @@ -1,20 +0,0 @@ -# Configuration for probot-stale - https://github.com/probot/stale - -# Number of days of inactivity before an Issue or Pull Request becomes stale -daysUntilStale: 90 - -# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. -daysUntilClose: 7 - -# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable -exemptLabels: [] - -# Set to true to ignore issues with an assignee (defaults to false) -exemptAssignees: true - -# Label to use when marking as stale -staleLabel: closed:stale - -# Comment to post when marking as stale. Set to `false` to disable -markComment: > - This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️ \ No newline at end of file diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml deleted file mode 100644 index 25155e8..0000000 --- a/.github/workflows/build-and-test.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: auth0/auth0-java-mvc-common/build-and-test - -on: - pull_request: - merge_group: - push: - branches: ["master", "main", "v1"] - -jobs: - gradle: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 - with: - distribution: temurin - java-version: 8 - - uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c - with: - arguments: assemble apiDiff check jacocoTestReport --continue --console=plain - - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d - with: - flags: unittests - - uses: actions/upload-artifact@v3 - with: - name: Reports - path: lib/build/reports diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..43bf525 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,37 @@ +name: ci +on: + push: + branches: + - main + pull_request: + branches: + - '*' +jobs: + build: + runs-on: ubuntu-latest + env: + INTERNAL_MAVEN_USER: ${{ secrets.JF_ARTIFACTORY_USER_INTEGRATION }} + INTERNAL_MAVEN_PASS: ${{ secrets.JF_ARTIFACTORY_API_KEY_INTEGRATION }} + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + distribution: 'temurin' + java-version: '17' + - name: Cache Gradle + uses: actions/cache@v3 + with: + path: | + ~/.gradle/caches + ~/.gradle/wrapper + key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} + restore-keys: | + ${{ runner.os }}-gradle- + - name: Run Linting and Tests + run: ./gradlew check + - name: Run SonarQube + run: ./gradlew sonarqube -Dsonar.host.url='${{ secrets.SONAR_EXTERNAL_URL }}' -Dsonar.login=${{ secrets.SONAR_API_TOKEN }} + - name: Kill Gradle Daemons for caching + run: ./gradlew --stop diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 8e62d8d..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,41 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: [ "master", "2.0.0-dev" ] - pull_request: - branches: [ "master" ] - schedule: - - cron: "30 19 * * 6" - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ java ] - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - queries: +security-and-quality - - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml deleted file mode 100644 index f91f71d..0000000 --- a/.github/workflows/dependabot.yml +++ /dev/null @@ -1,14 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - - - package-ecosystem: "gradle" - directory: "/" - schedule: - interval: "daily" - ignore: - - dependency-name: "*" - update-types: ["version-update:semver-major"] \ No newline at end of file diff --git a/.github/workflows/java-release.yml b/.github/workflows/java-release.yml deleted file mode 100644 index 3f81eb1..0000000 --- a/.github/workflows/java-release.yml +++ /dev/null @@ -1,88 +0,0 @@ -name: Create Java and GitHub Release - -on: - workflow_call: - inputs: - java-version: - required: true - type: string - is-android: - required: true - type: string - secrets: - ossr-username: - required: true - ossr-password: - required: true - signing-key: - required: true - signing-password: - required: true - github-token: - required: true - -### TODO: Replace instances of './.github/actions/' w/ `auth0/dx-sdk-actions/` and append `@latest` after the common `dx-sdk-actions` repo is made public. -### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public. - -jobs: - release: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) - runs-on: ubuntu-latest - environment: release - - steps: - # Checkout the code - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - # Get the version from the branch name - - id: get_version - uses: ./.github/actions/get-version - - # Get the prerelease flag from the branch name - - id: get_prerelease - uses: ./.github/actions/get-prerelease - with: - version: ${{ steps.get_version.outputs.version }} - - # Get the release notes - - id: get_release_notes - uses: ./.github/actions/get-release-notes - with: - token: ${{ secrets.github-token }} - version: ${{ steps.get_version.outputs.version }} - repo_owner: ${{ github.repository_owner }} - repo_name: ${{ github.event.repository.name }} - - # Check if the tag already exists - - id: tag_exists - uses: ./.github/actions/tag-exists - with: - tag: ${{ steps.get_version.outputs.version }} - token: ${{ secrets.github-token }} - - # If the tag already exists, exit with an error - - if: steps.tag_exists.outputs.exists == 'true' - run: exit 1 - - # Publish the release to Maven - - uses: ./.github/actions/maven-publish - with: - java-version: ${{ inputs.java-version }} - is-android: ${{ inputs.is-android }} - version: ${{ steps.get_version.outputs.version }} - ossr-username: ${{ secrets.ossr-username }} - ossr-password: ${{ secrets.ossr-password }} - signing-key: ${{ secrets.signing-key }} - signing-password: ${{ secrets.signing-password }} - - # Create a release for the tag - - uses: ./.github/actions/release-create - with: - token: ${{ secrets.github-token }} - name: ${{ steps.get_version.outputs.version }} - body: ${{ steps.get_release_notes.outputs.release-notes }} - tag: ${{ steps.get_version.outputs.version }} - commit: ${{ github.sha }} - prerelease: ${{ steps.get_prerelease.outputs.prerelease }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 63482cc..0000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: Create GitHub Release - -on: - pull_request: - types: - - closed - workflow_dispatch: - -permissions: - contents: write - -### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public. -### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `maven-publish`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public. -### TODO: Also remove `java-release` workflow from this repo's .github/workflows folder once the repo is public. - -jobs: - release: - uses: ./.github/workflows/java-release.yml - with: - java-version: 8.0.382-tem - is-android: false - secrets: - ossr-username: ${{ secrets.OSSR_USERNAME }} - ossr-password: ${{ secrets.OSSR_PASSWORD }} - signing-key: ${{ secrets.SIGNING_KEY }} - signing-password: ${{ secrets.SIGNING_PASSWORD }} - github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml deleted file mode 100644 index e0227e3..0000000 --- a/.github/workflows/semgrep.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: Semgrep - -on: - pull_request: {} - - push: - branches: ["master", "main"] - - schedule: - - cron: '30 0 1,15 * *' - -jobs: - semgrep: - name: Scan - runs-on: ubuntu-latest - container: - image: returntocorp/semgrep - if: (github.actor != 'dependabot[bot]') - steps: - - uses: actions/checkout@v3 - - - run: semgrep ci - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/.idea/vcs.xml b/.idea/vcs.xml deleted file mode 100644 index 94a25f7..0000000 --- a/.idea/vcs.xml +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/.shiprc b/.shiprc deleted file mode 100644 index edfe142..0000000 --- a/.shiprc +++ /dev/null @@ -1,8 +0,0 @@ -{ - "files": { - "README.md": [], - ".version": [], - "build.gradle": ["version = \"{MAJOR}.{MINOR}.{PATCH}\""] - }, - "prefixVersion": false -} \ No newline at end of file diff --git a/.version b/.version deleted file mode 100644 index 169f19b..0000000 --- a/.version +++ /dev/null @@ -1 +0,0 @@ -1.11.0 \ No newline at end of file diff --git a/LICENSE b/LICENSE deleted file mode 100644 index f7c61ba..0000000 --- a/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2016 Auth0, Inc. (http://auth0.com) - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/README.md b/README.md index 1ee3030..a12929a 100644 --- a/README.md +++ b/README.md @@ -1,161 +1 @@ -![Auth0 SDK to add authentication to your Java Servlet applications.](https://cdn.auth0.com/website/sdks/banners/auth0-java-mvc-common-banner.png) - -![Build Status](https://img.shields.io/github/checks-status/auth0/auth0-java-mvc-common/master) -[![Coverage Status](https://img.shields.io/codecov/c/github/auth0/auth0-java-mvc-common.svg?style=flat-square)](https://codecov.io/github/auth0/auth0-java-mvc-common) -[![License](http://img.shields.io/:license-mit-blue.svg?style=flat)](https://doge.mit-license.org/) -[![Maven Central](https://img.shields.io/maven-central/v/com.auth0/mvc-auth-commons.svg?style=flat-square)](https://mvnrepository.com/artifact/com.auth0/mvc-auth-commons) -[![javadoc](https://javadoc.io/badge2/com.auth0/auth0-java-mvc-common/javadoc.svg)](https://javadoc.io/doc/com.auth0/mvc-auth-commons) - -> **Note** -> As part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience. -> -> While this change won't affect most developers, if you have implemented a dependency signature validation step in your build process, you may notice a warning that past releases can't be verified. This is expected, and a result of the key rotation process. Updating to the latest version will resolve this for you. - -:books: [Documentation](#documentation) - :rocket: [Getting Started](#getting-started) - :computer: [API Reference](#api-reference) :speech_balloon: [Feedback](#feedback) - -## Documentation - -- [Quickstart](https://auth0.com/docs/quickstart/webapp/java) - our interactive guide for quickly adding login, logout and user information to a Java Servlet application using Auth0. -- [Sample App](https://github.com/auth0-samples/auth0-servlet-sample/tree/master/01-Login) - a sample Java Servlet application integrated with Auth0. -- [Examples](./EXAMPLES.md) - code samples for common scenarios. -- [Docs site](https://www.auth0.com/docs) - explore our docs site and learn more about Auth0. - -## Getting Started - -### Requirements - -Java 8 or above and `javax.servlet` version 3. - -> If you are using Spring, we recommend leveraging Spring's OIDC and OAuth2 support, as demonstrated by the [Spring Boot Quickstart](https://auth0.com/docs/quickstart/webapp/java-spring-boot). - -### Installation - -Add the dependency via Maven: - -```xml - - com.auth0 - mvc-auth-commons - 1.11.0 - -``` - -or Gradle: - -```gradle -implementation 'com.auth0:mvc-auth-commons:1.11.0' -``` - -### Configure Auth0 - -Create a **Regular Web Application** in the [Auth0 Dashboard](https://manage.auth0.com/#/applications). Verify that the "Token Endpoint Authentication Method" is set to `POST`. - -Next, configure the callback and logout URLs for your application under the "Application URIs" section of the "Settings" page: - -- **Allowed Callback URLs**: The URL of your application where Auth0 will redirect to during authentication, e.g., `http://localhost:3000/callback`. -- **Allowed Logout URLs**: The URL of your application where Auth0 will redirect to after user logout, e.g., `http://localhost:3000/login`. - -Note the **Domain**, **Client ID**, and **Client Secret**. These values will be used later. - -### Add login to your application - -Create a new `AuthenticationController` using your Auth0 domain, and Auth0 application client ID and secret. -Configure the builder with a `JwkProvider` for your Auth0 domain. - -```java -public class AuthenticationControllerProvider { - private String domain = "YOUR-AUTH0-DOMAIN"; - private String clientId = "YOUR-CLIENT-ID"; - private String clientSecret = "YOUR-CLIENT-SECRET"; - - private AuthenticationController authenticationController; - - static { - JwkProvider jwkProvider = new JwkProviderBuilder("YOUR-AUTH0-DOMAIN").build(); - authenticationController = AuthenticationController.newBuilder(domain, clientId, clientSecret) - .withJwkProvider(jwkProvider) - .build(); - } - - public getInstance() { - return authenticationController; - } -} -``` - -> Note: The `AuthenticationController.Builder` is not to be reused, and an `IllegalStateException` will be thrown if `build()` is called more than once. - -Redirect users to the Auth0 login page using the `AuthenticationController`: - -```java -@WebServlet(urlPatterns = {"/login"}) -public class LoginServlet extends HttpServlet { - - @Override - protected void doGet(final HttpServletRequest req, final HttpServletResponse res) throws ServletException, IOException { - // Where your application will handle the authoriztion callback - String redirectUrl = "http://localhost:3000/callback"; - - String authorizeUrl = AuthenticationControllerProvider - .getInstance() - .buildAuthorizeUrl(req, res, redirectUrl) - .build(); - res.sendRedirect(authorizeUrl); - } -} -``` - -Finally, complete the authentication and obtain the tokens by calling `handle()` on the `AuthenticationController`. - -```java -@WebServlet(urlPatterns = {"/callback"}) -public class CallbackServlet extends HttpServlet { - - @Override - public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { - try { - // authentication complete; the tokens can be stored as needed - Tokens tokens = AuthenticationControllerProvider - .getInstance() - .handle(req, res); - res.sendRedirect("URL-AFTER-AUTHENTICATED"); - } catch (IdentityVerificationException e) { - // handle authentication error - } - } -} -``` - -That's it! You have authenticated the user using Auth0. - -## API Reference - -- [JavaDocs](https://javadoc.io/doc/com.auth0/mvc-auth-commons) - -## Feedback - -### Contributing - -We appreciate feedback and contribution to this repo! Before you get started, please see the following: - -- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) -- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) - -### Raise an issue -To provide feedback or report a bug, [please raise an issue on our issue tracker](https://github.com/auth0/auth0-java-mvc-common/issues). - -### Vulnerability Reporting -Please do not report security vulnerabilities on the public Github issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. - ---- - -

- - - - Auth0 Logo - -

-

Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?

-

-This project is licensed under the MIT license. See the LICENSE file for more info.

+Clone of https://github.com/auth0/auth0-java-mvc-common/ as they wouldn't update their Servlet versions to use `jakarta` instead of `javax` \ No newline at end of file diff --git a/build.gradle b/build.gradle deleted file mode 100644 index 74eefe1..0000000 --- a/build.gradle +++ /dev/null @@ -1,94 +0,0 @@ -plugins { - id 'java' - id 'jacoco' - id 'com.auth0.gradle.oss-library.java' -} - -repositories { - mavenCentral() -} - -group 'com.auth0' - -logger.lifecycle("Using version ${version} for ${name} group $group") - -def signingKey = findProperty('signingKey') -def signingKeyPwd = findProperty('signingPassword') - -oss { - name 'mvc-auth-commons' - repository 'auth0-java-mvc-common' - organization 'auth0' - description 'Java library that simplifies the use of Auth0 for server-side MVC web apps' - baselineCompareVersion '1.5.0' - skipAssertSigningConfiguration true - - developers { - auth0 { - displayName = 'Auth0' - email = 'oss@auth0.com' - } - lbalmaceda { - displayName = 'Luciano Balmaceda' - email = 'luciano.balmaceda@auth0.com' - } - } -} - -signing { - useInMemoryPgpKeys(signingKey, signingKeyPwd) -} - -jacocoTestReport { - reports { - xml.enabled = true - html.enabled = true - } -} - -java { - toolchain { - languageVersion = JavaLanguageVersion.of(8) - } - // Needed because of broken gradle metadata, see https://github.com/google/guava/issues/6612#issuecomment-1614992368 - sourceSets.all { - configurations.getByName(runtimeClasspathConfigurationName) { - attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm") - } - configurations.getByName(compileClasspathConfigurationName) { - attributes.attribute(Attribute.of("org.gradle.jvm.environment", String), "standard-jvm") - } - } -} - -compileJava { - sourceCompatibility '1.8' - targetCompatibility '1.8' -} - -test { - useJUnitPlatform() - testLogging { - events "skipped", "failed" - exceptionFormat "short" - } -} - -dependencies { - implementation 'javax.servlet:javax.servlet-api:3.1.0' - implementation 'org.apache.commons:commons-lang3:3.12.0' - implementation 'com.google.guava:guava-annotations:r03' - implementation 'commons-codec:commons-codec:1.15' - - api 'com.auth0:auth0:1.45.1' - api 'com.auth0:java-jwt:3.19.4' - api 'com.auth0:jwks-rsa:0.22.1' - - testImplementation 'org.bouncycastle:bcprov-jdk15on:1.64' - testImplementation 'org.hamcrest:java-hamcrest:2.0.0.0' - testImplementation 'org.hamcrest:hamcrest-core:1.3' - testImplementation 'org.mockito:mockito-core:2.8.9' - testImplementation 'org.junit.jupiter:junit-jupiter:5.8.1' - testImplementation 'org.springframework:spring-test:4.3.14.RELEASE' - testImplementation 'com.squareup.okhttp3:okhttp:4.11.0' -} \ No newline at end of file diff --git a/build.gradle.kts b/build.gradle.kts new file mode 100644 index 0000000..5542fe9 --- /dev/null +++ b/build.gradle.kts @@ -0,0 +1,7 @@ +plugins { + id("org.sonarqube") +} + +tasks.wrapper { + gradleVersion = "8.7" +} \ No newline at end of file diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts new file mode 100644 index 0000000..16c21ed --- /dev/null +++ b/buildSrc/build.gradle.kts @@ -0,0 +1,20 @@ +plugins { + `kotlin-dsl` +} + +java { + toolchain { + languageVersion.set(JavaLanguageVersion.of(17)) + } +} + +repositories { + gradlePluginPortal() +} + +dependencies { + implementation("com.diffplug.spotless:spotless-plugin-gradle:6.25.0") + implementation("net.ltgt.gradle:gradle-errorprone-plugin:3.1.0") + implementation("org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:4.0.0.2929") + implementation("pl.allegro.tech.build:axion-release-plugin:1.17.0") +} diff --git a/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts b/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts new file mode 100644 index 0000000..1c5915c --- /dev/null +++ b/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts @@ -0,0 +1,66 @@ +import net.ltgt.gradle.errorprone.errorprone + +plugins { + java + jacoco + id("com.diffplug.spotless") + id("net.ltgt.errorprone") + id("org.sonarqube") +} + +repositories { + mavenCentral() //TODO: Remove this once we have all packages cached by Artifactory + maven { + url = uri("https://artifactory.opengov.zone:443/artifactory/maven-all/") + credentials { + username = System.getenv("INTERNAL_MAVEN_USER") + password = System.getenv("INTERNAL_MAVEN_PASS") + } + } +} + +jacoco { + toolVersion = "0.8.8" +} + + +java { + toolchain { + languageVersion.set(JavaLanguageVersion.of(17)) + } +} + +dependencies { + errorprone("com.google.errorprone:error_prone_core:2.26.1") + testImplementation("org.junit.jupiter:junit-jupiter:5.10.2") +} + + +spotless { + java { + googleJavaFormat("1.15.0") + } +} + +tasks.withType { + options.compilerArgs.addAll(listOf("-Xlint:unchecked", "-Xlint:deprecation", "-Werror")) + options.errorprone.isEnabled.set(true) + options.errorprone.disable("SameNameButDifferent", "MissingSummary", "JavaTimeDefaultTimeZone", "ObjectEqualsForPrimitives", "AlmostJavadoc","UnusedVariable") +} + +tasks.named("check") { + dependsOn("spotlessCheck") +} + +tasks.withType { + useJUnitPlatform() + finalizedBy("jacocoTestReport") +} + +tasks.jacocoTestReport { + reports { + xml.required.set(true) + csv.required.set(true) + html.outputLocation.set(layout.buildDirectory.dir("jacocoHtml")) + } +} diff --git a/gradle.properties b/gradle.properties new file mode 100644 index 0000000..4257286 --- /dev/null +++ b/gradle.properties @@ -0,0 +1,5 @@ +org.gradle.jvmargs=--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED \ + --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED \ + --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED \ + --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED \ + --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED diff --git a/gradlew b/gradlew index 4f906e0..1aa94a4 100755 --- a/gradlew +++ b/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar @@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index ac1b06f..7101f8e 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,13 +41,13 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto execute +if %ERRORLEVEL% equ 0 goto execute -echo. -echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 goto fail @@ -56,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe if exist "%JAVA_EXE%" goto execute -echo. -echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% -echo. -echo Please set the JAVA_HOME variable in your environment to match the -echo location of your Java installation. +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 goto fail @@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/main/build.gradle.kts b/main/build.gradle.kts new file mode 100644 index 0000000..61e4e93 --- /dev/null +++ b/main/build.gradle.kts @@ -0,0 +1,61 @@ +plugins { + id("java-common-conventions") + id("maven-publish") + id("pl.allegro.tech.build.axion-release") +} + +dependencies { + implementation("jakarta.servlet:jakarta.servlet-api:6.0.0") + implementation("org.apache.commons:commons-lang3:3.12.0") + implementation("com.google.guava:guava-annotations:r03") + implementation("commons-codec:commons-codec:1.15") + + api("com.auth0:auth0:2.11.0") + api("com.auth0:java-jwt:3.19.4") + api("com.auth0:jwks-rsa:0.22.1") + + testImplementation("org.bouncycastle:bcprov-jdk18on:1.78.1") + testImplementation("org.hamcrest:hamcrest:2.2") + testImplementation("org.mockito:mockito-core:5.12.0") + testImplementation("org.junit.jupiter:junit-jupiter:5.10.2") + testImplementation("org.springframework:spring-test:6.1.8") + testImplementation("com.squareup.okhttp3:okhttp:4.12.0") +} + +version = "1.0.0" + +publishing { + publications { + create("mavenJava") { + groupId = "com.opengov" + artifactId = "opengov-auth0-mvc-auth-commons" + from(components["java"]) + } + } + repositories { + maven { + val releasesRepoUrl = uri("https://artifactory.opengov.zone:443/artifactory/maven-release-local/") + val snapshotsRepoUrl = uri("https://artifactory.opengov.zone:443/artifactory/maven-snapshot-local/") + url = if (version.toString().endsWith("SNAPSHOT")) snapshotsRepoUrl else releasesRepoUrl + credentials { + username = System.getenv("INTERNAL_MAVEN_PUBLISH_USER") + password = System.getenv("INTERNAL_MAVEN_PUBLISH_PASS") + } + } + } +} + +tasks.jacocoTestReport { + finalizedBy("jacocoTestCoverageVerification") +} + +tasks.jacocoTestCoverageVerification { + violationRules { + rule { + limit { + counter = "INSTRUCTION" + minimum = "0.15".toBigDecimal() + } + } + } +} diff --git a/src/main/java/com/auth0/AlgorithmNameVerifier.java b/main/src/main/java/com/auth0/AlgorithmNameVerifier.java similarity index 100% rename from src/main/java/com/auth0/AlgorithmNameVerifier.java rename to main/src/main/java/com/auth0/AlgorithmNameVerifier.java diff --git a/src/main/java/com/auth0/AsymmetricSignatureVerifier.java b/main/src/main/java/com/auth0/AsymmetricSignatureVerifier.java similarity index 100% rename from src/main/java/com/auth0/AsymmetricSignatureVerifier.java rename to main/src/main/java/com/auth0/AsymmetricSignatureVerifier.java diff --git a/src/main/java/com/auth0/AuthCookie.java b/main/src/main/java/com/auth0/AuthCookie.java similarity index 100% rename from src/main/java/com/auth0/AuthCookie.java rename to main/src/main/java/com/auth0/AuthCookie.java diff --git a/src/main/java/com/auth0/AuthenticationController.java b/main/src/main/java/com/auth0/AuthenticationController.java similarity index 98% rename from src/main/java/com/auth0/AuthenticationController.java rename to main/src/main/java/com/auth0/AuthenticationController.java index 1aed380..4dc825f 100644 --- a/src/main/java/com/auth0/AuthenticationController.java +++ b/main/src/main/java/com/auth0/AuthenticationController.java @@ -7,8 +7,8 @@ import com.google.common.annotations.VisibleForTesting; import org.apache.commons.lang3.Validate; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; /** @@ -317,7 +317,7 @@ public Tokens handle(HttpServletRequest request, HttpServletResponse response) t * when building the {@link AuthorizeUrl} that the user will be redirected to to login. Failure to do so may result * in a broken login experience for the user.

* - * @deprecated This method uses the {@link javax.servlet.http.HttpSession} for auth-based data, and is incompatible + * @deprecated This method uses the {@link jakarta.servlet.http.HttpSession} for auth-based data, and is incompatible * with clients that are using the "id_token" or "token" responseType with browsers that enforce SameSite cookie * restrictions. This method will be removed in version 2.0.0. Use * {@link AuthenticationController#handle(HttpServletRequest, HttpServletResponse)} instead. @@ -341,7 +341,7 @@ public Tokens handle(HttpServletRequest request) throws IdentityVerificationExce * {@link AuthenticationController#handle(HttpServletRequest)} method. Failure to do so may result in a broken login * experience for users.

* - * @deprecated This method stores data in the {@link javax.servlet.http.HttpSession}, and is incompatible with clients + * @deprecated This method stores data in the {@link jakarta.servlet.http.HttpSession}, and is incompatible with clients * that are using the "id_token" or "token" responseType with browsers that enforce SameSite cookie restrictions. * This method will be removed in version 2.0.0. Use * {@link AuthenticationController#buildAuthorizeUrl(HttpServletRequest, HttpServletResponse, String)} instead. diff --git a/src/main/java/com/auth0/AuthorizeUrl.java b/main/src/main/java/com/auth0/AuthorizeUrl.java similarity index 98% rename from src/main/java/com/auth0/AuthorizeUrl.java rename to main/src/main/java/com/auth0/AuthorizeUrl.java index e871ca6..d9dbf31 100644 --- a/src/main/java/com/auth0/AuthorizeUrl.java +++ b/main/src/main/java/com/auth0/AuthorizeUrl.java @@ -5,8 +5,8 @@ import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.PushedAuthorizationResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.util.*; import static com.auth0.IdentityVerificationException.API_ERROR; @@ -39,7 +39,7 @@ public class AuthorizeUrl { * * Using this constructor with a non-null {@link HttpServletResponse} will store the state and nonce as * cookies when the {@link AuthorizeUrl#build()} method is called, with the appropriate SameSite attribute depending - * on the responseType. State and nonce will also be stored in the {@link javax.servlet.http.HttpSession} as a fallback, + * on the responseType. State and nonce will also be stored in the {@link jakarta.servlet.http.HttpSession} as a fallback, * but this behavior will be removed in a future release, and only cookies will be used. * * @param client the Auth0 Authentication API client diff --git a/src/main/java/com/auth0/IdTokenVerifier.java b/main/src/main/java/com/auth0/IdTokenVerifier.java similarity index 100% rename from src/main/java/com/auth0/IdTokenVerifier.java rename to main/src/main/java/com/auth0/IdTokenVerifier.java diff --git a/src/main/java/com/auth0/IdentityVerificationException.java b/main/src/main/java/com/auth0/IdentityVerificationException.java similarity index 100% rename from src/main/java/com/auth0/IdentityVerificationException.java rename to main/src/main/java/com/auth0/IdentityVerificationException.java diff --git a/src/main/java/com/auth0/InvalidRequestException.java b/main/src/main/java/com/auth0/InvalidRequestException.java similarity index 100% rename from src/main/java/com/auth0/InvalidRequestException.java rename to main/src/main/java/com/auth0/InvalidRequestException.java diff --git a/src/main/java/com/auth0/RandomStorage.java b/main/src/main/java/com/auth0/RandomStorage.java similarity index 95% rename from src/main/java/com/auth0/RandomStorage.java rename to main/src/main/java/com/auth0/RandomStorage.java index 66659a0..4382cc6 100644 --- a/src/main/java/com/auth0/RandomStorage.java +++ b/main/src/main/java/com/auth0/RandomStorage.java @@ -1,7 +1,7 @@ package com.auth0; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpSession; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpSession; class RandomStorage extends SessionUtils { diff --git a/src/main/java/com/auth0/RequestProcessor.java b/main/src/main/java/com/auth0/RequestProcessor.java similarity index 99% rename from src/main/java/com/auth0/RequestProcessor.java rename to main/src/main/java/com/auth0/RequestProcessor.java index 6796982..d5ae977 100644 --- a/src/main/java/com/auth0/RequestProcessor.java +++ b/main/src/main/java/com/auth0/RequestProcessor.java @@ -5,8 +5,8 @@ import com.auth0.json.auth.TokenHolder; import org.apache.commons.lang3.Validate; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.util.Arrays; import java.util.List; diff --git a/src/main/java/com/auth0/SameSite.java b/main/src/main/java/com/auth0/SameSite.java similarity index 100% rename from src/main/java/com/auth0/SameSite.java rename to main/src/main/java/com/auth0/SameSite.java diff --git a/src/main/java/com/auth0/SessionUtils.java b/main/src/main/java/com/auth0/SessionUtils.java similarity index 95% rename from src/main/java/com/auth0/SessionUtils.java rename to main/src/main/java/com/auth0/SessionUtils.java index a6906dc..4c29665 100644 --- a/src/main/java/com/auth0/SessionUtils.java +++ b/main/src/main/java/com/auth0/SessionUtils.java @@ -2,8 +2,8 @@ import org.apache.commons.lang3.Validate; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpSession; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpSession; /** * Helper class to handle easy session key-value storage. diff --git a/src/main/java/com/auth0/SignatureVerifier.java b/main/src/main/java/com/auth0/SignatureVerifier.java similarity index 100% rename from src/main/java/com/auth0/SignatureVerifier.java rename to main/src/main/java/com/auth0/SignatureVerifier.java diff --git a/src/main/java/com/auth0/StorageUtils.java b/main/src/main/java/com/auth0/StorageUtils.java similarity index 100% rename from src/main/java/com/auth0/StorageUtils.java rename to main/src/main/java/com/auth0/StorageUtils.java diff --git a/src/main/java/com/auth0/SymmetricSignatureVerifier.java b/main/src/main/java/com/auth0/SymmetricSignatureVerifier.java similarity index 100% rename from src/main/java/com/auth0/SymmetricSignatureVerifier.java rename to main/src/main/java/com/auth0/SymmetricSignatureVerifier.java diff --git a/src/main/java/com/auth0/TokenValidationException.java b/main/src/main/java/com/auth0/TokenValidationException.java similarity index 100% rename from src/main/java/com/auth0/TokenValidationException.java rename to main/src/main/java/com/auth0/TokenValidationException.java diff --git a/src/main/java/com/auth0/Tokens.java b/main/src/main/java/com/auth0/Tokens.java similarity index 100% rename from src/main/java/com/auth0/Tokens.java rename to main/src/main/java/com/auth0/Tokens.java diff --git a/src/main/java/com/auth0/TransientCookieStore.java b/main/src/main/java/com/auth0/TransientCookieStore.java similarity index 97% rename from src/main/java/com/auth0/TransientCookieStore.java rename to main/src/main/java/com/auth0/TransientCookieStore.java index df5dd3c..e828028 100644 --- a/src/main/java/com/auth0/TransientCookieStore.java +++ b/main/src/main/java/com/auth0/TransientCookieStore.java @@ -2,9 +2,9 @@ import org.apache.commons.lang3.Validate; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.nio.charset.StandardCharsets; diff --git a/src/test/java/com/auth0/AuthenticationControllerTest.java b/main/src/test/java/com/auth0/AuthenticationControllerTest.java similarity index 99% rename from src/test/java/com/auth0/AuthenticationControllerTest.java rename to main/src/test/java/com/auth0/AuthenticationControllerTest.java index 25302f0..04a09e4 100644 --- a/src/test/java/com/auth0/AuthenticationControllerTest.java +++ b/main/src/test/java/com/auth0/AuthenticationControllerTest.java @@ -16,8 +16,8 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.util.List; import static org.hamcrest.MatcherAssert.assertThat; diff --git a/src/test/java/com/auth0/AuthorizeUrlTest.java b/main/src/test/java/com/auth0/AuthorizeUrlTest.java similarity index 99% rename from src/test/java/com/auth0/AuthorizeUrlTest.java rename to main/src/test/java/com/auth0/AuthorizeUrlTest.java index 5818265..56c39e0 100644 --- a/src/test/java/com/auth0/AuthorizeUrlTest.java +++ b/main/src/test/java/com/auth0/AuthorizeUrlTest.java @@ -11,8 +11,8 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; import java.util.Collection; import java.util.Map; diff --git a/src/test/java/com/auth0/IdTokenVerifierTest.java b/main/src/test/java/com/auth0/IdTokenVerifierTest.java similarity index 100% rename from src/test/java/com/auth0/IdTokenVerifierTest.java rename to main/src/test/java/com/auth0/IdTokenVerifierTest.java diff --git a/src/test/java/com/auth0/IdentityVerificationExceptionMatcher.java b/main/src/test/java/com/auth0/IdentityVerificationExceptionMatcher.java similarity index 100% rename from src/test/java/com/auth0/IdentityVerificationExceptionMatcher.java rename to main/src/test/java/com/auth0/IdentityVerificationExceptionMatcher.java diff --git a/src/test/java/com/auth0/IdentityVerificationExceptionTest.java b/main/src/test/java/com/auth0/IdentityVerificationExceptionTest.java similarity index 100% rename from src/test/java/com/auth0/IdentityVerificationExceptionTest.java rename to main/src/test/java/com/auth0/IdentityVerificationExceptionTest.java diff --git a/src/test/java/com/auth0/InvalidRequestExceptionMatcher.java b/main/src/test/java/com/auth0/InvalidRequestExceptionMatcher.java similarity index 100% rename from src/test/java/com/auth0/InvalidRequestExceptionMatcher.java rename to main/src/test/java/com/auth0/InvalidRequestExceptionMatcher.java diff --git a/src/test/java/com/auth0/InvalidRequestExceptionTest.java b/main/src/test/java/com/auth0/InvalidRequestExceptionTest.java similarity index 100% rename from src/test/java/com/auth0/InvalidRequestExceptionTest.java rename to main/src/test/java/com/auth0/InvalidRequestExceptionTest.java diff --git a/src/test/java/com/auth0/RandomStorageTest.java b/main/src/test/java/com/auth0/RandomStorageTest.java similarity index 100% rename from src/test/java/com/auth0/RandomStorageTest.java rename to main/src/test/java/com/auth0/RandomStorageTest.java diff --git a/src/test/java/com/auth0/RequestProcessorTest.java b/main/src/test/java/com/auth0/RequestProcessorTest.java similarity index 99% rename from src/test/java/com/auth0/RequestProcessorTest.java rename to main/src/test/java/com/auth0/RequestProcessorTest.java index 7ffcf60..ef0f538 100644 --- a/src/test/java/com/auth0/RequestProcessorTest.java +++ b/main/src/test/java/com/auth0/RequestProcessorTest.java @@ -12,8 +12,8 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; import java.util.Collections; import java.util.HashMap; import java.util.Map; diff --git a/src/test/java/com/auth0/SessionUtilsTest.java b/main/src/test/java/com/auth0/SessionUtilsTest.java similarity index 100% rename from src/test/java/com/auth0/SessionUtilsTest.java rename to main/src/test/java/com/auth0/SessionUtilsTest.java diff --git a/src/test/java/com/auth0/SignatureVerifierTest.java b/main/src/test/java/com/auth0/SignatureVerifierTest.java similarity index 100% rename from src/test/java/com/auth0/SignatureVerifierTest.java rename to main/src/test/java/com/auth0/SignatureVerifierTest.java diff --git a/src/test/java/com/auth0/TokensTest.java b/main/src/test/java/com/auth0/TokensTest.java similarity index 100% rename from src/test/java/com/auth0/TokensTest.java rename to main/src/test/java/com/auth0/TokensTest.java diff --git a/src/test/java/com/auth0/TransientCookieStoreTest.java b/main/src/test/java/com/auth0/TransientCookieStoreTest.java similarity index 99% rename from src/test/java/com/auth0/TransientCookieStoreTest.java rename to main/src/test/java/com/auth0/TransientCookieStoreTest.java index 949fb05..977f7dc 100644 --- a/src/test/java/com/auth0/TransientCookieStoreTest.java +++ b/main/src/test/java/com/auth0/TransientCookieStoreTest.java @@ -6,7 +6,7 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import javax.servlet.http.Cookie; +import jakarta.servlet.http.Cookie; import java.net.URLEncoder; import java.util.Arrays; import java.util.List; diff --git a/src/test/resources/bad-public.pem b/main/src/test/resources/bad-public.pem similarity index 100% rename from src/test/resources/bad-public.pem rename to main/src/test/resources/bad-public.pem diff --git a/src/test/resources/certificate.pem b/main/src/test/resources/certificate.pem similarity index 100% rename from src/test/resources/certificate.pem rename to main/src/test/resources/certificate.pem diff --git a/src/test/resources/private.pem b/main/src/test/resources/private.pem similarity index 100% rename from src/test/resources/private.pem rename to main/src/test/resources/private.pem diff --git a/src/test/resources/public.pem b/main/src/test/resources/public.pem similarity index 100% rename from src/test/resources/public.pem rename to main/src/test/resources/public.pem diff --git a/opslevel.yml b/opslevel.yml deleted file mode 100644 index 009a5ec..0000000 --- a/opslevel.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -version: 1 -repository: - owner: dx_sdks - tier: - tags: diff --git a/settings.gradle b/settings.gradle deleted file mode 100644 index a83fe1a..0000000 --- a/settings.gradle +++ /dev/null @@ -1,10 +0,0 @@ -pluginManagement { - repositories { - gradlePluginPortal() - } - plugins { - id 'com.auth0.gradle.oss-library.java' version '0.18.0' - } -} - -rootProject.name = 'mvc-auth-commons' diff --git a/settings.gradle.kts b/settings.gradle.kts new file mode 100644 index 0000000..3eac2f0 --- /dev/null +++ b/settings.gradle.kts @@ -0,0 +1,12 @@ +pluginManagement { + repositories { + gradlePluginPortal() + } + plugins { + id("com.auth0.gradle.oss-library.java") version "0.18.0" + } +} + +rootProject.name = "opengov-auth0-mvc-auth-commons" + +include("main") \ No newline at end of file From 34f063523f1b0fcba8d79b1130b5ef83835a3268 Mon Sep 17 00:00:00 2001 From: Ashutosh Sultania Date: Thu, 30 May 2024 00:17:12 +0530 Subject: [PATCH 2/4] test --- .../kotlin/java-common-conventions.gradle.kts | 2 +- gradle/wrapper/gradle-wrapper.jar | Bin 59203 -> 43453 bytes gradle/wrapper/gradle-wrapper.properties | 4 +++- main/build.gradle.kts | 6 +++--- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts b/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts index 1c5915c..359123a 100644 --- a/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts +++ b/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts @@ -44,7 +44,7 @@ spotless { tasks.withType { options.compilerArgs.addAll(listOf("-Xlint:unchecked", "-Xlint:deprecation", "-Werror")) - options.errorprone.isEnabled.set(true) + options.errorprone.isEnabled.set(false) options.errorprone.disable("SameNameButDifferent", "MissingSummary", "JavaTimeDefaultTimeZone", "ObjectEqualsForPrimitives", "AlmostJavadoc","UnusedVariable") } diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index e708b1c023ec8b20f512888fe07c5bd3ff77bb8f..e6441136f3d4ba8a0da8d277868979cfbc8ad796 100644 GIT binary patch literal 43453 zcma&N1CXTcmMvW9vTb(Rwr$&4wr$(C?dmSu>@vG-+vuvg^_??!{yS%8zW-#zn-LkA z5&1^$^{lnmUON?}LBF8_K|(?T0Ra(xUH{($5eN!MR#ZihR#HxkUPe+_R8Cn`RRs(P z_^*#_XlXmGv7!4;*Y%p4nw?{bNp@UZHv1?Um8r6)Fei3p@ClJn0ECfg1hkeuUU@Or zDaPa;U3fE=3L}DooL;8f;P0ipPt0Z~9P0)lbStMS)ag54=uL9ia-Lm3nh|@(Y?B`; zx_#arJIpXH!U{fbCbI^17}6Ri*H<>OLR%c|^mh8+)*h~K8Z!9)DPf zR2h?lbDZQ`p9P;&DQ4F0sur@TMa!Y}S8irn(%d-gi0*WxxCSk*A?3lGh=gcYN?FGl z7D=Js!i~0=u3rox^eO3i@$0=n{K1lPNU zwmfjRVmLOCRfe=seV&P*1Iq=^i`502keY8Uy-WNPwVNNtJFx?IwAyRPZo2Wo1+S(xF37LJZ~%i)kpFQ3Fw=mXfd@>%+)RpYQLnr}B~~zoof(JVm^^&f zxKV^+3D3$A1G;qh4gPVjhrC8e(VYUHv#dy^)(RoUFM?o%W-EHxufuWf(l*@-l+7vt z=l`qmR56K~F|v<^Pd*p~1_y^P0P^aPC##d8+HqX4IR1gu+7w#~TBFphJxF)T$2WEa zxa?H&6=Qe7d(#tha?_1uQys2KtHQ{)Qco)qwGjrdNL7thd^G5i8Os)CHqc>iOidS} z%nFEDdm=GXBw=yXe1W-ShHHFb?Cc70+$W~z_+}nAoHFYI1MV1wZegw*0y^tC*s%3h zhD3tN8b=Gv&rj}!SUM6|ajSPp*58KR7MPpI{oAJCtY~JECm)*m_x>AZEu>DFgUcby z1Qaw8lU4jZpQ_$;*7RME+gq1KySGG#Wql>aL~k9tLrSO()LWn*q&YxHEuzmwd1?aAtI zBJ>P=&$=l1efe1CDU;`Fd+_;&wI07?V0aAIgc(!{a z0Jg6Y=inXc3^n!U0Atk`iCFIQooHqcWhO(qrieUOW8X(x?(RD}iYDLMjSwffH2~tB z)oDgNBLB^AJBM1M^c5HdRx6fBfka`(LD-qrlh5jqH~);#nw|iyp)()xVYak3;Ybik z0j`(+69aK*B>)e_p%=wu8XC&9e{AO4c~O1U`5X9}?0mrd*m$_EUek{R?DNSh(=br# z#Q61gBzEpmy`$pA*6!87 zSDD+=@fTY7<4A?GLqpA?Pb2z$pbCc4B4zL{BeZ?F-8`s$?>*lXXtn*NC61>|*w7J* z$?!iB{6R-0=KFmyp1nnEmLsA-H0a6l+1uaH^g%c(p{iT&YFrbQ$&PRb8Up#X3@Zsk zD^^&LK~111%cqlP%!_gFNa^dTYT?rhkGl}5=fL{a`UViaXWI$k-UcHJwmaH1s=S$4 z%4)PdWJX;hh5UoK?6aWoyLxX&NhNRqKam7tcOkLh{%j3K^4Mgx1@i|Pi&}<^5>hs5 zm8?uOS>%)NzT(%PjVPGa?X%`N2TQCKbeH2l;cTnHiHppPSJ<7y-yEIiC!P*ikl&!B z%+?>VttCOQM@ShFguHVjxX^?mHX^hSaO_;pnyh^v9EumqSZTi+#f&_Vaija0Q-e*| z7ulQj6Fs*bbmsWp{`auM04gGwsYYdNNZcg|ph0OgD>7O}Asn7^Z=eI>`$2*v78;sj-}oMoEj&@)9+ycEOo92xSyY344^ z11Hb8^kdOvbf^GNAK++bYioknrpdN>+u8R?JxG=!2Kd9r=YWCOJYXYuM0cOq^FhEd zBg2puKy__7VT3-r*dG4c62Wgxi52EMCQ`bKgf*#*ou(D4-ZN$+mg&7$u!! z-^+Z%;-3IDwqZ|K=ah85OLwkO zKxNBh+4QHh)u9D?MFtpbl)us}9+V!D%w9jfAMYEb>%$A;u)rrI zuBudh;5PN}_6J_}l55P3l_)&RMlH{m!)ai-i$g)&*M`eN$XQMw{v^r@-125^RRCF0 z^2>|DxhQw(mtNEI2Kj(;KblC7x=JlK$@78`O~>V!`|1Lm-^JR$-5pUANAnb(5}B}JGjBsliK4& zk6y(;$e&h)lh2)L=bvZKbvh@>vLlreBdH8No2>$#%_Wp1U0N7Ank!6$dFSi#xzh|( zRi{Uw%-4W!{IXZ)fWx@XX6;&(m_F%c6~X8hx=BN1&q}*( zoaNjWabE{oUPb!Bt$eyd#$5j9rItB-h*5JiNi(v^e|XKAj*8(k<5-2$&ZBR5fF|JA z9&m4fbzNQnAU}r8ab>fFV%J0z5awe#UZ|bz?Ur)U9bCIKWEzi2%A+5CLqh?}K4JHi z4vtM;+uPsVz{Lfr;78W78gC;z*yTch~4YkLr&m-7%-xc ztw6Mh2d>_iO*$Rd8(-Cr1_V8EO1f*^@wRoSozS) zy1UoC@pruAaC8Z_7~_w4Q6n*&B0AjOmMWa;sIav&gu z|J5&|{=a@vR!~k-OjKEgPFCzcJ>#A1uL&7xTDn;{XBdeM}V=l3B8fE1--DHjSaxoSjNKEM9|U9#m2<3>n{Iuo`r3UZp;>GkT2YBNAh|b z^jTq-hJp(ebZh#Lk8hVBP%qXwv-@vbvoREX$TqRGTgEi$%_F9tZES@z8Bx}$#5eeG zk^UsLBH{bc2VBW)*EdS({yw=?qmevwi?BL6*=12k9zM5gJv1>y#ML4!)iiPzVaH9% zgSImetD@dam~e>{LvVh!phhzpW+iFvWpGT#CVE5TQ40n%F|p(sP5mXxna+Ev7PDwA zamaV4m*^~*xV+&p;W749xhb_X=$|LD;FHuB&JL5?*Y2-oIT(wYY2;73<^#46S~Gx| z^cez%V7x$81}UWqS13Gz80379Rj;6~WdiXWOSsdmzY39L;Hg3MH43o*y8ibNBBH`(av4|u;YPq%{R;IuYow<+GEsf@R?=@tT@!}?#>zIIn0CoyV!hq3mw zHj>OOjfJM3F{RG#6ujzo?y32m^tgSXf@v=J$ELdJ+=5j|=F-~hP$G&}tDZsZE?5rX ztGj`!S>)CFmdkccxM9eGIcGnS2AfK#gXwj%esuIBNJQP1WV~b~+D7PJTmWGTSDrR` zEAu4B8l>NPuhsk5a`rReSya2nfV1EK01+G!x8aBdTs3Io$u5!6n6KX%uv@DxAp3F@{4UYg4SWJtQ-W~0MDb|j-$lwVn znAm*Pl!?Ps&3wO=R115RWKb*JKoexo*)uhhHBncEDMSVa_PyA>k{Zm2(wMQ(5NM3# z)jkza|GoWEQo4^s*wE(gHz?Xsg4`}HUAcs42cM1-qq_=+=!Gk^y710j=66(cSWqUe zklbm8+zB_syQv5A2rj!Vbw8;|$@C!vfNmNV!yJIWDQ>{+2x zKjuFX`~~HKG~^6h5FntRpnnHt=D&rq0>IJ9#F0eM)Y-)GpRjiN7gkA8wvnG#K=q{q z9dBn8_~wm4J<3J_vl|9H{7q6u2A!cW{bp#r*-f{gOV^e=8S{nc1DxMHFwuM$;aVI^ zz6A*}m8N-&x8;aunp1w7_vtB*pa+OYBw=TMc6QK=mbA-|Cf* zvyh8D4LRJImooUaSb7t*fVfih<97Gf@VE0|z>NcBwBQze);Rh!k3K_sfunToZY;f2 z^HmC4KjHRVg+eKYj;PRN^|E0>Gj_zagfRbrki68I^#~6-HaHg3BUW%+clM1xQEdPYt_g<2K+z!$>*$9nQ>; zf9Bei{?zY^-e{q_*|W#2rJG`2fy@{%6u0i_VEWTq$*(ZN37|8lFFFt)nCG({r!q#9 z5VK_kkSJ3?zOH)OezMT{!YkCuSSn!K#-Rhl$uUM(bq*jY? zi1xbMVthJ`E>d>(f3)~fozjg^@eheMF6<)I`oeJYx4*+M&%c9VArn(OM-wp%M<-`x z7sLP1&3^%Nld9Dhm@$3f2}87!quhI@nwd@3~fZl_3LYW-B?Ia>ui`ELg z&Qfe!7m6ze=mZ`Ia9$z|ARSw|IdMpooY4YiPN8K z4B(ts3p%2i(Td=tgEHX z0UQ_>URBtG+-?0E;E7Ld^dyZ;jjw0}XZ(}-QzC6+NN=40oDb2^v!L1g9xRvE#@IBR zO!b-2N7wVfLV;mhEaXQ9XAU+>=XVA6f&T4Z-@AX!leJ8obP^P^wP0aICND?~w&NykJ#54x3_@r7IDMdRNy4Hh;h*!u(Ol(#0bJdwEo$5437-UBjQ+j=Ic>Q2z` zJNDf0yO6@mr6y1#n3)s(W|$iE_i8r@Gd@!DWDqZ7J&~gAm1#~maIGJ1sls^gxL9LLG_NhU!pTGty!TbhzQnu)I*S^54U6Yu%ZeCg`R>Q zhBv$n5j0v%O_j{QYWG!R9W?5_b&67KB$t}&e2LdMvd(PxN6Ir!H4>PNlerpBL>Zvyy!yw z-SOo8caEpDt(}|gKPBd$qND5#a5nju^O>V&;f890?yEOfkSG^HQVmEbM3Ugzu+UtH zC(INPDdraBN?P%kE;*Ae%Wto&sgw(crfZ#Qy(<4nk;S|hD3j{IQRI6Yq|f^basLY; z-HB&Je%Gg}Jt@={_C{L$!RM;$$|iD6vu#3w?v?*;&()uB|I-XqEKqZPS!reW9JkLewLb!70T7n`i!gNtb1%vN- zySZj{8-1>6E%H&=V}LM#xmt`J3XQoaD|@XygXjdZ1+P77-=;=eYpoEQ01B@L*a(uW zrZeZz?HJsw_4g0vhUgkg@VF8<-X$B8pOqCuWAl28uB|@r`19DTUQQsb^pfqB6QtiT z*`_UZ`fT}vtUY#%sq2{rchyfu*pCg;uec2$-$N_xgjZcoumE5vSI{+s@iLWoz^Mf; zuI8kDP{!XY6OP~q5}%1&L}CtfH^N<3o4L@J@zg1-mt{9L`s^z$Vgb|mr{@WiwAqKg zp#t-lhrU>F8o0s1q_9y`gQNf~Vb!F%70f}$>i7o4ho$`uciNf=xgJ>&!gSt0g;M>*x4-`U)ysFW&Vs^Vk6m%?iuWU+o&m(2Jm26Y(3%TL; zA7T)BP{WS!&xmxNw%J=$MPfn(9*^*TV;$JwRy8Zl*yUZi8jWYF>==j~&S|Xinsb%c z2?B+kpet*muEW7@AzjBA^wAJBY8i|#C{WtO_or&Nj2{=6JTTX05}|H>N2B|Wf!*3_ z7hW*j6p3TvpghEc6-wufFiY!%-GvOx*bZrhZu+7?iSrZL5q9}igiF^*R3%DE4aCHZ zqu>xS8LkW+Auv%z-<1Xs92u23R$nk@Pk}MU5!gT|c7vGlEA%G^2th&Q*zfg%-D^=f z&J_}jskj|Q;73NP4<4k*Y%pXPU2Thoqr+5uH1yEYM|VtBPW6lXaetokD0u z9qVek6Q&wk)tFbQ8(^HGf3Wp16gKmr>G;#G(HRBx?F`9AIRboK+;OfHaLJ(P>IP0w zyTbTkx_THEOs%Q&aPrxbZrJlio+hCC_HK<4%f3ZoSAyG7Dn`=X=&h@m*|UYO-4Hq0 z-Bq&+Ie!S##4A6OGoC~>ZW`Y5J)*ouaFl_e9GA*VSL!O_@xGiBw!AF}1{tB)z(w%c zS1Hmrb9OC8>0a_$BzeiN?rkPLc9%&;1CZW*4}CDDNr2gcl_3z+WC15&H1Zc2{o~i) z)LLW=WQ{?ricmC`G1GfJ0Yp4Dy~Ba;j6ZV4r{8xRs`13{dD!xXmr^Aga|C=iSmor% z8hi|pTXH)5Yf&v~exp3o+sY4B^^b*eYkkCYl*T{*=-0HniSA_1F53eCb{x~1k3*`W zr~};p1A`k{1DV9=UPnLDgz{aJH=-LQo<5%+Em!DNN252xwIf*wF_zS^!(XSm(9eoj z=*dXG&n0>)_)N5oc6v!>-bd(2ragD8O=M|wGW z!xJQS<)u70m&6OmrF0WSsr@I%T*c#Qo#Ha4d3COcX+9}hM5!7JIGF>7<~C(Ear^Sn zm^ZFkV6~Ula6+8S?oOROOA6$C&q&dp`>oR-2Ym3(HT@O7Sd5c~+kjrmM)YmgPH*tL zX+znN>`tv;5eOfX?h{AuX^LK~V#gPCu=)Tigtq9&?7Xh$qN|%A$?V*v=&-2F$zTUv z`C#WyIrChS5|Kgm_GeudCFf;)!WH7FI60j^0o#65o6`w*S7R@)88n$1nrgU(oU0M9 zx+EuMkC>(4j1;m6NoGqEkpJYJ?vc|B zOlwT3t&UgL!pX_P*6g36`ZXQ; z9~Cv}ANFnJGp(;ZhS(@FT;3e)0)Kp;h^x;$*xZn*k0U6-&FwI=uOGaODdrsp-!K$Ac32^c{+FhI-HkYd5v=`PGsg%6I`4d9Jy)uW0y%) zm&j^9WBAp*P8#kGJUhB!L?a%h$hJgQrx!6KCB_TRo%9{t0J7KW8!o1B!NC)VGLM5! zpZy5Jc{`r{1e(jd%jsG7k%I+m#CGS*BPA65ZVW~fLYw0dA-H_}O zrkGFL&P1PG9p2(%QiEWm6x;U-U&I#;Em$nx-_I^wtgw3xUPVVu zqSuKnx&dIT-XT+T10p;yjo1Y)z(x1fb8Dzfn8e yu?e%!_ptzGB|8GrCfu%p?(_ zQccdaaVK$5bz;*rnyK{_SQYM>;aES6Qs^lj9lEs6_J+%nIiuQC*fN;z8md>r_~Mfl zU%p5Dt_YT>gQqfr@`cR!$NWr~+`CZb%dn;WtzrAOI>P_JtsB76PYe*<%H(y>qx-`Kq!X_; z<{RpAqYhE=L1r*M)gNF3B8r(<%8mo*SR2hu zccLRZwGARt)Hlo1euqTyM>^!HK*!Q2P;4UYrysje@;(<|$&%vQekbn|0Ruu_Io(w4#%p6ld2Yp7tlA`Y$cciThP zKzNGIMPXX%&Ud0uQh!uQZz|FB`4KGD?3!ND?wQt6!n*f4EmCoJUh&b?;B{|lxs#F- z31~HQ`SF4x$&v00@(P+j1pAaj5!s`)b2RDBp*PB=2IB>oBF!*6vwr7Dp%zpAx*dPr zb@Zjq^XjN?O4QcZ*O+8>)|HlrR>oD*?WQl5ri3R#2?*W6iJ>>kH%KnnME&TT@ZzrHS$Q%LC?n|e>V+D+8D zYc4)QddFz7I8#}y#Wj6>4P%34dZH~OUDb?uP%-E zwjXM(?Sg~1!|wI(RVuxbu)-rH+O=igSho_pDCw(c6b=P zKk4ATlB?bj9+HHlh<_!&z0rx13K3ZrAR8W)!@Y}o`?a*JJsD+twZIv`W)@Y?Amu_u zz``@-e2X}27$i(2=9rvIu5uTUOVhzwu%mNazS|lZb&PT;XE2|B&W1>=B58#*!~D&) zfVmJGg8UdP*fx(>Cj^?yS^zH#o-$Q-*$SnK(ZVFkw+er=>N^7!)FtP3y~Xxnu^nzY zikgB>Nj0%;WOltWIob|}%lo?_C7<``a5hEkx&1ku$|)i>Rh6@3h*`slY=9U}(Ql_< zaNG*J8vb&@zpdhAvv`?{=zDedJ23TD&Zg__snRAH4eh~^oawdYi6A3w8<Ozh@Kw)#bdktM^GVb zrG08?0bG?|NG+w^&JvD*7LAbjED{_Zkc`3H!My>0u5Q}m!+6VokMLXxl`Mkd=g&Xx z-a>m*#G3SLlhbKB!)tnzfWOBV;u;ftU}S!NdD5+YtOjLg?X}dl>7m^gOpihrf1;PY zvll&>dIuUGs{Qnd- zwIR3oIrct8Va^Tm0t#(bJD7c$Z7DO9*7NnRZorrSm`b`cxz>OIC;jSE3DO8`hX955ui`s%||YQtt2 z5DNA&pG-V+4oI2s*x^>-$6J?p=I>C|9wZF8z;VjR??Icg?1w2v5Me+FgAeGGa8(3S z4vg*$>zC-WIVZtJ7}o9{D-7d>zCe|z#<9>CFve-OPAYsneTb^JH!Enaza#j}^mXy1 z+ULn^10+rWLF6j2>Ya@@Kq?26>AqK{A_| zQKb*~F1>sE*=d?A?W7N2j?L09_7n+HGi{VY;MoTGr_)G9)ot$p!-UY5zZ2Xtbm=t z@dpPSGwgH=QtIcEulQNI>S-#ifbnO5EWkI;$A|pxJd885oM+ zGZ0_0gDvG8q2xebj+fbCHYfAXuZStH2j~|d^sBAzo46(K8n59+T6rzBwK)^rfPT+B zyIFw)9YC-V^rhtK`!3jrhmW-sTmM+tPH+;nwjL#-SjQPUZ53L@A>y*rt(#M(qsiB2 zx6B)dI}6Wlsw%bJ8h|(lhkJVogQZA&n{?Vgs6gNSXzuZpEyu*xySy8ro07QZ7Vk1!3tJphN_5V7qOiyK8p z#@jcDD8nmtYi1^l8ml;AF<#IPK?!pqf9D4moYk>d99Im}Jtwj6c#+A;f)CQ*f-hZ< z=p_T86jog%!p)D&5g9taSwYi&eP z#JuEK%+NULWus;0w32-SYFku#i}d~+{Pkho&^{;RxzP&0!RCm3-9K6`>KZpnzS6?L z^H^V*s!8<>x8bomvD%rh>Zp3>Db%kyin;qtl+jAv8Oo~1g~mqGAC&Qi_wy|xEt2iz zWAJEfTV%cl2Cs<1L&DLRVVH05EDq`pH7Oh7sR`NNkL%wi}8n>IXcO40hp+J+sC!W?!krJf!GJNE8uj zg-y~Ns-<~D?yqbzVRB}G>0A^f0!^N7l=$m0OdZuqAOQqLc zX?AEGr1Ht+inZ-Qiwnl@Z0qukd__a!C*CKuGdy5#nD7VUBM^6OCpxCa2A(X;e0&V4 zM&WR8+wErQ7UIc6LY~Q9x%Sn*Tn>>P`^t&idaOEnOd(Ufw#>NoR^1QdhJ8s`h^|R_ zXX`c5*O~Xdvh%q;7L!_!ohf$NfEBmCde|#uVZvEo>OfEq%+Ns7&_f$OR9xsihRpBb z+cjk8LyDm@U{YN>+r46?nn{7Gh(;WhFw6GAxtcKD+YWV?uge>;+q#Xx4!GpRkVZYu zzsF}1)7$?%s9g9CH=Zs+B%M_)+~*j3L0&Q9u7!|+T`^O{xE6qvAP?XWv9_MrZKdo& z%IyU)$Q95AB4!#hT!_dA>4e@zjOBD*Y=XjtMm)V|+IXzjuM;(l+8aA5#Kaz_$rR6! zj>#&^DidYD$nUY(D$mH`9eb|dtV0b{S>H6FBfq>t5`;OxA4Nn{J(+XihF(stSche7$es&~N$epi&PDM_N`As;*9D^L==2Q7Z2zD+CiU(|+-kL*VG+&9!Yb3LgPy?A zm7Z&^qRG_JIxK7-FBzZI3Q<;{`DIxtc48k> zc|0dmX;Z=W$+)qE)~`yn6MdoJ4co;%!`ddy+FV538Y)j(vg}5*k(WK)KWZ3WaOG!8 z!syGn=s{H$odtpqFrT#JGM*utN7B((abXnpDM6w56nhw}OY}0TiTG1#f*VFZr+^-g zbP10`$LPq_;PvrA1XXlyx2uM^mrjTzX}w{yuLo-cOClE8MMk47T25G8M!9Z5ypOSV zAJUBGEg5L2fY)ZGJb^E34R2zJ?}Vf>{~gB!8=5Z) z9y$>5c)=;o0HeHHSuE4U)#vG&KF|I%-cF6f$~pdYJWk_dD}iOA>iA$O$+4%@>JU08 zS`ep)$XLPJ+n0_i@PkF#ri6T8?ZeAot$6JIYHm&P6EB=BiaNY|aA$W0I+nz*zkz_z zkEru!tj!QUffq%)8y0y`T&`fuus-1p>=^hnBiBqD^hXrPs`PY9tU3m0np~rISY09> z`P3s=-kt_cYcxWd{de@}TwSqg*xVhp;E9zCsnXo6z z?f&Sv^U7n4`xr=mXle94HzOdN!2kB~4=%)u&N!+2;z6UYKUDqi-s6AZ!haB;@&B`? z_TRX0%@suz^TRdCb?!vNJYPY8L_}&07uySH9%W^Tc&1pia6y1q#?*Drf}GjGbPjBS zbOPcUY#*$3sL2x4v_i*Y=N7E$mR}J%|GUI(>WEr+28+V z%v5{#e!UF*6~G&%;l*q*$V?&r$Pp^sE^i-0$+RH3ERUUdQ0>rAq2(2QAbG}$y{de( z>{qD~GGuOk559Y@%$?N^1ApVL_a704>8OD%8Y%8B;FCt%AoPu8*D1 zLB5X>b}Syz81pn;xnB}%0FnwazlWfUV)Z-~rZg6~b z6!9J$EcE&sEbzcy?CI~=boWA&eeIa%z(7SE^qgVLz??1Vbc1*aRvc%Mri)AJaAG!p z$X!_9Ds;Zz)f+;%s&dRcJt2==P{^j3bf0M=nJd&xwUGlUFn?H=2W(*2I2Gdu zv!gYCwM10aeus)`RIZSrCK=&oKaO_Ry~D1B5!y0R=%!i2*KfXGYX&gNv_u+n9wiR5 z*e$Zjju&ODRW3phN925%S(jL+bCHv6rZtc?!*`1TyYXT6%Ju=|X;6D@lq$8T zW{Y|e39ioPez(pBH%k)HzFITXHvnD6hw^lIoUMA;qAJ^CU?top1fo@s7xT13Fvn1H z6JWa-6+FJF#x>~+A;D~;VDs26>^oH0EI`IYT2iagy23?nyJ==i{g4%HrAf1-*v zK1)~@&(KkwR7TL}L(A@C_S0G;-GMDy=MJn2$FP5s<%wC)4jC5PXoxrQBFZ_k0P{{s@sz+gX`-!=T8rcB(=7vW}^K6oLWMmp(rwDh}b zwaGGd>yEy6fHv%jM$yJXo5oMAQ>c9j`**}F?MCry;T@47@r?&sKHgVe$MCqk#Z_3S z1GZI~nOEN*P~+UaFGnj{{Jo@16`(qVNtbU>O0Hf57-P>x8Jikp=`s8xWs^dAJ9lCQ z)GFm+=OV%AMVqVATtN@|vp61VVAHRn87}%PC^RAzJ%JngmZTasWBAWsoAqBU+8L8u z4A&Pe?fmTm0?mK-BL9t+{y7o(7jm+RpOhL9KnY#E&qu^}B6=K_dB}*VlSEiC9fn)+V=J;OnN)Ta5v66ic1rG+dGAJ1 z1%Zb_+!$=tQ~lxQrzv3x#CPb?CekEkA}0MYSgx$Jdd}q8+R=ma$|&1a#)TQ=l$1tQ z=tL9&_^vJ)Pk}EDO-va`UCT1m#Uty1{v^A3P~83_#v^ozH}6*9mIjIr;t3Uv%@VeW zGL6(CwCUp)Jq%G0bIG%?{_*Y#5IHf*5M@wPo6A{$Um++Co$wLC=J1aoG93&T7Ho}P z=mGEPP7GbvoG!uD$k(H3A$Z))+i{Hy?QHdk>3xSBXR0j!11O^mEe9RHmw!pvzv?Ua~2_l2Yh~_!s1qS`|0~0)YsbHSz8!mG)WiJE| z2f($6TQtt6L_f~ApQYQKSb=`053LgrQq7G@98#igV>y#i==-nEjQ!XNu9 z~;mE+gtj4IDDNQJ~JVk5Ux6&LCSFL!y=>79kE9=V}J7tD==Ga+IW zX)r7>VZ9dY=V&}DR))xUoV!u(Z|%3ciQi_2jl}3=$Agc(`RPb z8kEBpvY>1FGQ9W$n>Cq=DIpski};nE)`p3IUw1Oz0|wxll^)4dq3;CCY@RyJgFgc# zKouFh!`?Xuo{IMz^xi-h=StCis_M7yq$u) z?XHvw*HP0VgR+KR6wI)jEMX|ssqYvSf*_3W8zVTQzD?3>H!#>InzpSO)@SC8q*ii- z%%h}_#0{4JG;Jm`4zg};BPTGkYamx$Xo#O~lBirRY)q=5M45n{GCfV7h9qwyu1NxOMoP4)jjZMxmT|IQQh0U7C$EbnMN<3)Kk?fFHYq$d|ICu>KbY_hO zTZM+uKHe(cIZfEqyzyYSUBZa8;Fcut-GN!HSA9ius`ltNebF46ZX_BbZNU}}ZOm{M2&nANL9@0qvih15(|`S~z}m&h!u4x~(%MAO$jHRWNfuxWF#B)E&g3ghSQ9|> z(MFaLQj)NE0lowyjvg8z0#m6FIuKE9lDO~Glg}nSb7`~^&#(Lw{}GVOS>U)m8bF}x zVjbXljBm34Cs-yM6TVusr+3kYFjr28STT3g056y3cH5Tmge~ASxBj z%|yb>$eF;WgrcOZf569sDZOVwoo%8>XO>XQOX1OyN9I-SQgrm;U;+#3OI(zrWyow3 zk==|{lt2xrQ%FIXOTejR>;wv(Pb8u8}BUpx?yd(Abh6? zsoO3VYWkeLnF43&@*#MQ9-i-d0t*xN-UEyNKeyNMHw|A(k(_6QKO=nKMCxD(W(Yop zsRQ)QeL4X3Lxp^L%wzi2-WVSsf61dqliPUM7srDB?Wm6Lzn0&{*}|IsKQW;02(Y&| zaTKv|`U(pSzuvR6Rduu$wzK_W-Y-7>7s?G$)U}&uK;<>vU}^^ns@Z!p+9?St1s)dG zK%y6xkPyyS1$~&6v{kl?Md6gwM|>mt6Upm>oa8RLD^8T{0?HC!Z>;(Bob7el(DV6x zi`I)$&E&ngwFS@bi4^xFLAn`=fzTC;aimE^!cMI2n@Vo%Ae-ne`RF((&5y6xsjjAZ zVguVoQ?Z9uk$2ON;ersE%PU*xGO@T*;j1BO5#TuZKEf(mB7|g7pcEA=nYJ{s3vlbg zd4-DUlD{*6o%Gc^N!Nptgay>j6E5;3psI+C3Q!1ZIbeCubW%w4pq9)MSDyB{HLm|k zxv-{$$A*pS@csolri$Ge<4VZ}e~78JOL-EVyrbxKra^d{?|NnPp86!q>t<&IP07?Z z^>~IK^k#OEKgRH+LjllZXk7iA>2cfH6+(e&9ku5poo~6y{GC5>(bRK7hwjiurqAiZ zg*DmtgY}v83IjE&AbiWgMyFbaRUPZ{lYiz$U^&Zt2YjG<%m((&_JUbZcfJ22(>bi5 z!J?<7AySj0JZ&<-qXX;mcV!f~>G=sB0KnjWca4}vrtunD^1TrpfeS^4dvFr!65knK zZh`d;*VOkPs4*-9kL>$GP0`(M!j~B;#x?Ba~&s6CopvO86oM?-? zOw#dIRc;6A6T?B`Qp%^<U5 z19x(ywSH$_N+Io!6;e?`tWaM$`=Db!gzx|lQ${DG!zb1Zl&|{kX0y6xvO1o z220r<-oaS^^R2pEyY;=Qllqpmue|5yI~D|iI!IGt@iod{Opz@*ml^w2bNs)p`M(Io z|E;;m*Xpjd9l)4G#KaWfV(t8YUn@A;nK^#xgv=LtnArX|vWQVuw3}B${h+frU2>9^ z!l6)!Uo4`5k`<<;E(ido7M6lKTgWezNLq>U*=uz&s=cc$1%>VrAeOoUtA|T6gO4>UNqsdK=NF*8|~*sl&wI=x9-EGiq*aqV!(VVXA57 zw9*o6Ir8Lj1npUXvlevtn(_+^X5rzdR>#(}4YcB9O50q97%rW2me5_L=%ffYPUSRc z!vv?Kv>dH994Qi>U(a<0KF6NH5b16enCp+mw^Hb3Xs1^tThFpz!3QuN#}KBbww`(h z7GO)1olDqy6?T$()R7y%NYx*B0k_2IBiZ14&8|JPFxeMF{vSTxF-Vi3+ZOI=Thq2} zyQgjYY1_7^ZQHh{?P))4+qUiQJLi1&{yE>h?~jU%tjdV0h|FENbM3X(KnJdPKc?~k zh=^Ixv*+smUll!DTWH!jrV*wSh*(mx0o6}1@JExzF(#9FXgmTXVoU+>kDe68N)dkQ zH#_98Zv$}lQwjKL@yBd;U(UD0UCl322=pav<=6g>03{O_3oKTq;9bLFX1ia*lw;#K zOiYDcBJf)82->83N_Y(J7Kr_3lE)hAu;)Q(nUVydv+l+nQ$?|%MWTy`t>{havFSQloHwiIkGK9YZ79^9?AZo0ZyQlVR#}lF%dn5n%xYksXf8gnBm=wO7g_^! zauQ-bH1Dc@3ItZ-9D_*pH}p!IG7j8A_o94#~>$LR|TFq zZ-b00*nuw|-5C2lJDCw&8p5N~Z1J&TrcyErds&!l3$eSz%`(*izc;-?HAFD9AHb-| z>)id`QCrzRws^9(#&=pIx9OEf2rmlob8sK&xPCWS+nD~qzU|qG6KwA{zbikcfQrdH z+ zQg>O<`K4L8rN7`GJB0*3<3`z({lWe#K!4AZLsI{%z#ja^OpfjU{!{)x0ZH~RB0W5X zTwN^w=|nA!4PEU2=LR05x~}|B&ZP?#pNgDMwD*ajI6oJqv!L81gu=KpqH22avXf0w zX3HjbCI!n9>l046)5rr5&v5ja!xkKK42zmqHzPx$9Nn_MZk`gLeSLgC=LFf;H1O#B zn=8|^1iRrujHfbgA+8i<9jaXc;CQBAmQvMGQPhFec2H1knCK2x!T`e6soyrqCamX% zTQ4dX_E*8so)E*TB$*io{$c6X)~{aWfaqdTh=xEeGvOAN9H&-t5tEE-qso<+C!2>+ zskX51H-H}#X{A75wqFe-J{?o8Bx|>fTBtl&tcbdR|132Ztqu5X0i-pisB-z8n71%q%>EF}yy5?z=Ve`}hVh{Drv1YWL zW=%ug_&chF11gDv3D6B)Tz5g54H0mDHNjuKZ+)CKFk4Z|$RD zfRuKLW`1B>B?*RUfVd0+u8h3r-{@fZ{k)c!93t1b0+Q9vOaRnEn1*IL>5Z4E4dZ!7 ztp4GP-^1d>8~LMeb}bW!(aAnB1tM_*la=Xx)q(I0Y@__Zd$!KYb8T2VBRw%e$iSdZ zkwdMwd}eV9q*;YvrBFTv1>1+}{H!JK2M*C|TNe$ZSA>UHKk);wz$(F$rXVc|sI^lD zV^?_J!3cLM;GJuBMbftbaRUs$;F}HDEDtIeHQ)^EJJ1F9FKJTGH<(Jj`phE6OuvE) zqK^K`;3S{Y#1M@8yRQwH`?kHMq4tHX#rJ>5lY3DM#o@or4&^_xtBC(|JpGTfrbGkA z2Tu+AyT^pHannww!4^!$5?@5v`LYy~T`qs7SYt$JgrY(w%C+IWA;ZkwEF)u5sDvOK zGk;G>Mh&elvXDcV69J_h02l&O;!{$({fng9Rlc3ID#tmB^FIG^w{HLUpF+iB`|
NnX)EH+Nua)3Y(c z&{(nX_ht=QbJ%DzAya}!&uNu!4V0xI)QE$SY__m)SAKcN0P(&JcoK*Lxr@P zY&P=}&B3*UWNlc|&$Oh{BEqwK2+N2U$4WB7Fd|aIal`FGANUa9E-O)!gV`((ZGCc$ zBJA|FFrlg~9OBp#f7aHodCe{6= zay$6vN~zj1ddMZ9gQ4p32(7wD?(dE>KA2;SOzXRmPBiBc6g`eOsy+pVcHu=;Yd8@{ zSGgXf@%sKKQz~;!J;|2fC@emm#^_rnO0esEn^QxXgJYd`#FPWOUU5b;9eMAF zZhfiZb|gk8aJIw*YLp4!*(=3l8Cp{(%p?ho22*vN9+5NLV0TTazNY$B5L6UKUrd$n zjbX%#m7&F#U?QNOBXkiiWB*_tk+H?N3`vg;1F-I+83{M2!8<^nydGr5XX}tC!10&e z7D36bLaB56WrjL&HiiMVtpff|K%|*{t*ltt^5ood{FOG0<>k&1h95qPio)2`eL${YAGIx(b4VN*~nKn6E~SIQUuRH zQ+5zP6jfnP$S0iJ@~t!Ai3o`X7biohli;E zT#yXyl{bojG@-TGZzpdVDXhbmF%F9+-^YSIv|MT1l3j zrxOFq>gd2%U}?6}8mIj?M zc077Zc9fq(-)4+gXv?Az26IO6eV`RAJz8e3)SC7~>%rlzDwySVx*q$ygTR5kW2ds- z!HBgcq0KON9*8Ff$X0wOq$`T7ml(@TF)VeoF}x1OttjuVHn3~sHrMB++}f7f9H%@f z=|kP_?#+fve@{0MlbkC9tyvQ_R?lRdRJ@$qcB(8*jyMyeME5ns6ypVI1Xm*Zr{DuS zZ!1)rQfa89c~;l~VkCiHI|PCBd`S*2RLNQM8!g9L6?n`^evQNEwfO@&JJRme+uopQX0%Jo zgd5G&#&{nX{o?TQwQvF1<^Cg3?2co;_06=~Hcb6~4XWpNFL!WU{+CK;>gH%|BLOh7@!hsa(>pNDAmpcuVO-?;Bic17R}^|6@8DahH)G z!EmhsfunLL|3b=M0MeK2vqZ|OqUqS8npxwge$w-4pFVXFq$_EKrZY?BuP@Az@(k`L z`ViQBSk`y+YwRT;&W| z2e3UfkCo^uTA4}Qmmtqs+nk#gNr2W4 zTH%hhErhB)pkXR{B!q5P3-OM+M;qu~f>}IjtF%>w{~K-0*jPVLl?Chz&zIdxp}bjx zStp&Iufr58FTQ36AHU)0+CmvaOpKF;W@sMTFpJ`j;3d)J_$tNQI^c<^1o<49Z(~K> z;EZTBaVT%14(bFw2ob@?JLQ2@(1pCdg3S%E4*dJ}dA*v}_a4_P(a`cHnBFJxNobAv zf&Zl-Yt*lhn-wjZsq<9v-IsXxAxMZ58C@e0!rzhJ+D@9^3~?~yllY^s$?&oNwyH!#~6x4gUrfxplCvK#!f z$viuszW>MFEcFL?>ux*((!L$;R?xc*myjRIjgnQX79@UPD$6Dz0jutM@7h_pq z0Zr)#O<^y_K6jfY^X%A-ip>P%3saX{!v;fxT-*0C_j4=UMH+Xth(XVkVGiiKE#f)q z%Jp=JT)uy{&}Iq2E*xr4YsJ5>w^=#-mRZ4vPXpI6q~1aFwi+lQcimO45V-JXP;>(Q zo={U`{=_JF`EQj87Wf}{Qy35s8r1*9Mxg({CvOt}?Vh9d&(}iI-quvs-rm~P;eRA@ zG5?1HO}puruc@S{YNAF3vmUc2B4!k*yi))<5BQmvd3tr}cIs#9)*AX>t`=~{f#Uz0 z0&Nk!7sSZwJe}=)-R^$0{yeS!V`Dh7w{w5rZ9ir!Z7Cd7dwZcK;BT#V0bzTt>;@Cl z#|#A!-IL6CZ@eHH!CG>OO8!%G8&8t4)Ro@}USB*k>oEUo0LsljsJ-%5Mo^MJF2I8- z#v7a5VdJ-Cd%(a+y6QwTmi+?f8Nxtm{g-+WGL>t;s#epv7ug>inqimZCVm!uT5Pf6 ziEgQt7^%xJf#!aPWbuC_3Nxfb&CFbQy!(8ANpkWLI4oSnH?Q3f?0k1t$3d+lkQs{~(>06l&v|MpcFsyAv zin6N!-;pggosR*vV=DO(#+}4ps|5$`udE%Kdmp?G7B#y%H`R|i8skKOd9Xzx8xgR$>Zo2R2Ytktq^w#ul4uicxW#{ zFjG_RNlBroV_n;a7U(KIpcp*{M~e~@>Q#Av90Jc5v%0c>egEdY4v3%|K1XvB{O_8G zkTWLC>OZKf;XguMH2-Pw{BKbFzaY;4v2seZV0>^7Q~d4O=AwaPhP3h|!hw5aqOtT@ z!SNz}$of**Bl3TK209@F=Tn1+mgZa8yh(Png%Zd6Mt}^NSjy)etQrF zme*llAW=N_8R*O~d2!apJnF%(JcN??=`$qs3Y+~xs>L9x`0^NIn!8mMRFA_tg`etw z3k{9JAjnl@ygIiJcNHTy02GMAvBVqEss&t2<2mnw!; zU`J)0>lWiqVqo|ex7!+@0i>B~BSU1A_0w#Ee+2pJx0BFiZ7RDHEvE*ptc9md(B{&+ zKE>TM)+Pd>HEmdJao7U@S>nL(qq*A)#eLOuIfAS@j`_sK0UEY6OAJJ-kOrHG zjHx`g!9j*_jRcJ%>CE9K2MVf?BUZKFHY?EpV6ai7sET-tqk=nDFh-(65rhjtlKEY% z@G&cQ<5BKatfdA1FKuB=i>CCC5(|9TMW%K~GbA4}80I5%B}(gck#Wlq@$nO3%@QP_ z8nvPkJFa|znk>V92cA!K1rKtr)skHEJD;k8P|R8RkCq1Rh^&}Evwa4BUJz2f!2=MH zo4j8Y$YL2313}H~F7@J7mh>u%556Hw0VUOz-Un@ZASCL)y8}4XXS`t1AC*^>PLwIc zUQok5PFS=*#)Z!3JZN&eZ6ZDP^-c@StY*t20JhCnbMxXf=LK#;`4KHEqMZ-Ly9KsS zI2VUJGY&PmdbM+iT)zek)#Qc#_i4uH43 z@T5SZBrhNCiK~~esjsO9!qBpaWK<`>!-`b71Y5ReXQ4AJU~T2Njri1CEp5oKw;Lnm)-Y@Z3sEY}XIgSy%xo=uek(kAAH5MsV$V3uTUsoTzxp_rF=tx zV07vlJNKtJhCu`b}*#m&5LV4TAE&%KtHViDAdv#c^x`J7bg z&N;#I2GkF@SIGht6p-V}`!F_~lCXjl1BdTLIjD2hH$J^YFN`7f{Q?OHPFEM$65^!u zNwkelo*5+$ZT|oQ%o%;rBX$+?xhvjb)SHgNHE_yP%wYkkvXHS{Bf$OiKJ5d1gI0j< zF6N}Aq=(WDo(J{e-uOecxPD>XZ@|u-tgTR<972`q8;&ZD!cep^@B5CaqFz|oU!iFj zU0;6fQX&~15E53EW&w1s9gQQ~Zk16X%6 zjG`j0yq}4deX2?Tr(03kg>C(!7a|b9qFI?jcE^Y>-VhudI@&LI6Qa}WQ>4H_!UVyF z((cm&!3gmq@;BD#5P~0;_2qgZhtJS|>WdtjY=q zLnHH~Fm!cxw|Z?Vw8*~?I$g#9j&uvgm7vPr#&iZgPP~v~BI4jOv;*OQ?jYJtzO<^y z7-#C={r7CO810!^s(MT!@@Vz_SVU)7VBi(e1%1rvS!?PTa}Uv`J!EP3s6Y!xUgM^8 z4f!fq<3Wer_#;u!5ECZ|^c1{|q_lh3m^9|nsMR1#Qm|?4Yp5~|er2?W^7~cl;_r4WSme_o68J9p03~Hc%X#VcX!xAu%1`R!dfGJCp zV*&m47>s^%Ib0~-2f$6oSgn3jg8m%UA;ArcdcRyM5;}|r;)?a^D*lel5C`V5G=c~k zy*w_&BfySOxE!(~PI$*dwG><+-%KT5p?whOUMA*k<9*gi#T{h3DAxzAPxN&Xws8o9Cp*`PA5>d9*Z-ynV# z9yY*1WR^D8|C%I@vo+d8r^pjJ$>eo|j>XiLWvTWLl(^;JHCsoPgem6PvegHb-OTf| zvTgsHSa;BkbG=(NgPO|CZu9gUCGr$8*EoH2_Z#^BnxF0yM~t`|9ws_xZ8X8iZYqh! zAh;HXJ)3P&)Q0(&F>!LN0g#bdbis-cQxyGn9Qgh`q+~49Fqd2epikEUw9caM%V6WgP)532RMRW}8gNS%V%Hx7apSz}tn@bQy!<=lbhmAH=FsMD?leawbnP5BWM0 z5{)@EEIYMu5;u)!+HQWhQ;D3_Cm_NADNeb-f56}<{41aYq8p4=93d=-=q0Yx#knGYfXVt z+kMxlus}t2T5FEyCN~!}90O_X@@PQpuy;kuGz@bWft%diBTx?d)_xWd_-(!LmVrh**oKg!1CNF&LX4{*j|) zIvjCR0I2UUuuEXh<9}oT_zT#jOrJAHNLFT~Ilh9hGJPI1<5`C-WA{tUYlyMeoy!+U zhA#=p!u1R7DNg9u4|QfED-2TuKI}>p#2P9--z;Bbf4Op*;Q9LCbO&aL2i<0O$ByoI z!9;Ght733FC>Pz>$_mw(F`zU?`m@>gE`9_p*=7o=7av`-&ifU(^)UU`Kg3Kw`h9-1 z6`e6+im=|m2v`pN(2dE%%n8YyQz;#3Q-|x`91z?gj68cMrHl}C25|6(_dIGk*8cA3 zRHB|Nwv{@sP4W+YZM)VKI>RlB`n=Oj~Rzx~M+Khz$N$45rLn6k1nvvD^&HtsMA4`s=MmuOJID@$s8Ph4E zAmSV^+s-z8cfv~Yd(40Sh4JG#F~aB>WFoX7ykaOr3JaJ&Lb49=B8Vk-SQT9%7TYhv z?-Pprt{|=Y5ZQ1?od|A<_IJU93|l4oAfBm?3-wk{O<8ea+`}u%(kub(LFo2zFtd?4 zwpN|2mBNywv+d^y_8#<$r>*5+$wRTCygFLcrwT(qc^n&@9r+}Kd_u@Ithz(6Qb4}A zWo_HdBj#V$VE#l6pD0a=NfB0l^6W^g`vm^sta>Tly?$E&{F?TTX~DsKF~poFfmN%2 z4x`Dc{u{Lkqz&y!33;X}weD}&;7p>xiI&ZUb1H9iD25a(gI|`|;G^NwJPv=1S5e)j z;U;`?n}jnY6rA{V^ zxTd{bK)Gi^odL3l989DQlN+Zs39Xe&otGeY(b5>rlIqfc7Ap4}EC?j<{M=hlH{1+d zw|c}}yx88_xQr`{98Z!d^FNH77=u(p-L{W6RvIn40f-BldeF-YD>p6#)(Qzf)lfZj z?3wAMtPPp>vMehkT`3gToPd%|D8~4`5WK{`#+}{L{jRUMt zrFz+O$C7y8$M&E4@+p+oV5c%uYzbqd2Y%SSgYy#xh4G3hQv>V*BnuKQhBa#=oZB~w{azUB+q%bRe_R^ z>fHBilnRTUfaJ201czL8^~Ix#+qOHSO)A|xWLqOxB$dT2W~)e-r9;bm=;p;RjYahB z*1hegN(VKK+ztr~h1}YP@6cfj{e#|sS`;3tJhIJK=tVJ-*h-5y9n*&cYCSdg#EHE# zSIx=r#qOaLJoVVf6v;(okg6?*L_55atl^W(gm^yjR?$GplNP>BZsBYEf_>wM0Lc;T zhf&gpzOWNxS>m+mN92N0{;4uw`P+9^*|-1~$uXpggj4- z^SFc4`uzj2OwdEVT@}Q`(^EcQ_5(ZtXTql*yGzdS&vrS_w>~~ra|Nb5abwf}Y!uq6R5f&6g2ge~2p(%c< z@O)cz%%rr4*cRJ5f`n@lvHNk@lE1a*96Kw6lJ~B-XfJW%?&-y?;E&?1AacU@`N`!O z6}V>8^%RZ7SQnZ-z$(jsX`amu*5Fj8g!3RTRwK^`2_QHe;_2y_n|6gSaGyPmI#kA0sYV<_qOZc#-2BO%hX)f$s-Z3xlI!ub z^;3ru11DA`4heAu%}HIXo&ctujzE2!6DIGE{?Zs>2}J+p&C$rc7gJC35gxhflorvsb%sGOxpuWhF)dL_&7&Z99=5M0b~Qa;Mo!j&Ti_kXW!86N%n= zSC@6Lw>UQ__F&+&Rzv?gscwAz8IP!n63>SP)^62(HK98nGjLY2*e^OwOq`3O|C92? z;TVhZ2SK%9AGW4ZavTB9?)mUbOoF`V7S=XM;#3EUpR+^oHtdV!GK^nXzCu>tpR|89 zdD{fnvCaN^^LL%amZ^}-E+214g&^56rpdc@yv0b<3}Ys?)f|fXN4oHf$six)-@<;W&&_kj z-B}M5U*1sb4)77aR=@%I?|Wkn-QJVuA96an25;~!gq(g1@O-5VGo7y&E_srxL6ZfS z*R%$gR}dyONgju*D&?geiSj7SZ@ftyA|}(*Y4KbvU!YLsi1EDQQCnb+-cM=K1io78o!v*);o<XwjaQH%)uIP&Zm?)Nfbfn;jIr z)d#!$gOe3QHp}2NBak@yYv3m(CPKkwI|{;d=gi552u?xj9ObCU^DJFQp4t4e1tPzM zvsRIGZ6VF+{6PvqsplMZWhz10YwS={?`~O0Ec$`-!klNUYtzWA^f9m7tkEzCy<_nS z=&<(awFeZvt51>@o_~>PLs05CY)$;}Oo$VDO)?l-{CS1Co=nxjqben*O1BR>#9`0^ zkwk^k-wcLCLGh|XLjdWv0_Hg54B&OzCE^3NCP}~OajK-LuRW53CkV~Su0U>zN%yQP zH8UH#W5P3-!ToO-2k&)}nFe`t+mdqCxxAHgcifup^gKpMObbox9LFK;LP3}0dP-UW z?Zo*^nrQ6*$FtZ(>kLCc2LY*|{!dUn$^RW~m9leoF|@Jy|M5p-G~j%+P0_#orRKf8 zvuu5<*XO!B?1E}-*SY~MOa$6c%2cM+xa8}_8x*aVn~57v&W(0mqN1W`5a7*VN{SUH zXz98DDyCnX2EPl-`Lesf`=AQT%YSDb`$%;(jUTrNen$NPJrlpPDP}prI>Ml!r6bCT;mjsg@X^#&<}CGf0JtR{Ecwd&)2zuhr#nqdgHj+g2n}GK9CHuwO zk>oZxy{vcOL)$8-}L^iVfJHAGfwN$prHjYV0ju}8%jWquw>}_W6j~m<}Jf!G?~r5&Rx)!9JNX!ts#SGe2HzobV5); zpj@&`cNcO&q+%*<%D7za|?m5qlmFK$=MJ_iv{aRs+BGVrs)98BlN^nMr{V_fcl_;jkzRju+c-y?gqBC_@J0dFLq-D9@VN&-`R9U;nv$Hg?>$oe4N&Ht$V_(JR3TG^! zzJsbQbi zFE6-{#9{G{+Z}ww!ycl*7rRdmU#_&|DqPfX3CR1I{Kk;bHwF6jh0opI`UV2W{*|nn zf_Y@%wW6APb&9RrbEN=PQRBEpM(N1w`81s=(xQj6 z-eO0k9=Al|>Ej|Mw&G`%q8e$2xVz1v4DXAi8G};R$y)ww638Y=9y$ZYFDM$}vzusg zUf+~BPX>(SjA|tgaFZr_e0{)+z9i6G#lgt=F_n$d=beAt0Sa0a7>z-?vcjl3e+W}+ z1&9=|vC=$co}-Zh*%3588G?v&U7%N1Qf-wNWJ)(v`iO5KHSkC5&g7CrKu8V}uQGcfcz zmBz#Lbqwqy#Z~UzHgOQ;Q-rPxrRNvl(&u6ts4~0=KkeS;zqURz%!-ERppmd%0v>iRlEf+H$yl{_8TMJzo0 z>n)`On|7=WQdsqhXI?#V{>+~}qt-cQbokEbgwV3QvSP7&hK4R{Z{aGHVS3;+h{|Hz z6$Js}_AJr383c_+6sNR|$qu6dqHXQTc6?(XWPCVZv=)D#6_;D_8P-=zOGEN5&?~8S zl5jQ?NL$c%O)*bOohdNwGIKM#jSAC?BVY={@A#c9GmX0=T(0G}xs`-%f3r=m6-cpK z!%waekyAvm9C3%>sixdZj+I(wQlbB4wv9xKI*T13DYG^T%}zZYJ|0$Oj^YtY+d$V$ zAVudSc-)FMl|54n=N{BnZTM|!>=bhaja?o7s+v1*U$!v!qQ%`T-6fBvmdPbVmro&d zk07TOp*KuxRUSTLRrBj{mjsnF8`d}rMViY8j`jo~Hp$fkv9F_g(jUo#Arp;Xw0M$~ zRIN!B22~$kx;QYmOkos@%|5k)!QypDMVe}1M9tZfkpXKGOxvKXB!=lo`p?|R1l=tA zp(1}c6T3Fwj_CPJwVsYtgeRKg?9?}%oRq0F+r+kdB=bFUdVDRPa;E~~>2$w}>O>v=?|e>#(-Lyx?nbg=ckJ#5U6;RT zNvHhXk$P}m9wSvFyU3}=7!y?Y z=fg$PbV8d7g25&-jOcs{%}wTDKm>!Vk);&rr;O1nvO0VrU&Q?TtYVU=ir`te8SLlS zKSNmV=+vF|ATGg`4$N1uS|n??f}C_4Sz!f|4Ly8#yTW-FBfvS48Tef|-46C(wEO_%pPhUC5$-~Y?!0vFZ^Gu`x=m7X99_?C-`|h zfmMM&Y@zdfitA@KPw4Mc(YHcY1)3*1xvW9V-r4n-9ZuBpFcf{yz+SR{ zo$ZSU_|fgwF~aakGr(9Be`~A|3)B=9`$M-TWKipq-NqRDRQc}ABo*s_5kV%doIX7LRLRau_gd@Rd_aLFXGSU+U?uAqh z8qusWWcvgQ&wu{|sRXmv?sl=xc<$6AR$+cl& zFNh5q1~kffG{3lDUdvEZu5c(aAG~+64FxdlfwY^*;JSS|m~CJusvi-!$XR`6@XtY2 znDHSz7}_Bx7zGq-^5{stTRy|I@N=>*y$zz>m^}^{d&~h;0kYiq8<^Wq7Dz0w31ShO^~LUfW6rfitR0(=3;Uue`Y%y@ex#eKPOW zO~V?)M#AeHB2kovn1v=n^D?2{2jhIQd9t|_Q+c|ZFaWt+r&#yrOu-!4pXAJuxM+Cx z*H&>eZ0v8Y`t}8{TV6smOj=__gFC=eah)mZt9gwz>>W$!>b3O;Rm^Ig*POZP8Rl0f zT~o=Nu1J|lO>}xX&#P58%Yl z83`HRs5#32Qm9mdCrMlV|NKNC+Z~ z9OB8xk5HJ>gBLi+m@(pvpw)1(OaVJKs*$Ou#@Knd#bk+V@y;YXT?)4eP9E5{J%KGtYinNYJUH9PU3A}66c>Xn zZ{Bn0<;8$WCOAL$^NqTjwM?5d=RHgw3!72WRo0c;+houoUA@HWLZM;^U$&sycWrFd zE7ekt9;kb0`lps{>R(}YnXlyGY}5pPd9zBpgXeJTY_jwaJGSJQC#-KJqmh-;ad&F- z-Y)E>!&`Rz!HtCz>%yOJ|v(u7P*I$jqEY3}(Z-orn4 zlI?CYKNl`6I){#2P1h)y(6?i;^z`N3bxTV%wNvQW+eu|x=kbj~s8rhCR*0H=iGkSj zk23lr9kr|p7#qKL=UjgO`@UnvzU)`&fI>1Qs7ubq{@+lK{hH* zvl6eSb9%yngRn^T<;jG1SVa)eA>T^XX=yUS@NCKpk?ovCW1D@!=@kn;l_BrG;hOTC z6K&H{<8K#dI(A+zw-MWxS+~{g$tI7|SfP$EYKxA}LlVO^sT#Oby^grkdZ^^lA}uEF zBSj$weBJG{+Bh@Yffzsw=HyChS(dtLE3i*}Zj@~!_T-Ay7z=B)+*~3|?w`Zd)Co2t zC&4DyB!o&YgSw+fJn6`sn$e)29`kUwAc+1MND7YjV%lO;H2}fNy>hD#=gT ze+-aFNpyKIoXY~Vq-}OWPBe?Rfu^{ps8>Xy%42r@RV#*QV~P83jdlFNgkPN=T|Kt7 zV*M`Rh*30&AWlb$;ae130e@}Tqi3zx2^JQHpM>j$6x`#{mu%tZlwx9Gj@Hc92IuY* zarmT|*d0E~vt6<+r?W^UW0&#U&)8B6+1+;k^2|FWBRP9?C4Rk)HAh&=AS8FS|NQaZ z2j!iZ)nbEyg4ZTp-zHwVlfLC~tXIrv(xrP8PAtR{*c;T24ycA-;auWsya-!kF~CWZ zw_uZ|%urXgUbc@x=L=_g@QJ@m#5beS@6W195Hn7>_}z@Xt{DIEA`A&V82bc^#!q8$ zFh?z_Vn|ozJ;NPd^5uu(9tspo8t%&-U9Ckay-s@DnM*R5rtu|4)~e)`z0P-sy?)kc zs_k&J@0&0!q4~%cKL)2l;N*T&0;mqX5T{Qy60%JtKTQZ-xb%KOcgqwJmb%MOOKk7N zgq})R_6**{8A|6H?fO+2`#QU)p$Ei2&nbj6TpLSIT^D$|`TcSeh+)}VMb}LmvZ{O| ze*1IdCt3+yhdYVxcM)Q_V0bIXLgr6~%JS<<&dxIgfL=Vnx4YHuU@I34JXA|+$_S3~ zy~X#gO_X!cSs^XM{yzDGNM>?v(+sF#<0;AH^YrE8smx<36bUsHbN#y57K8WEu(`qHvQ6cAZPo=J5C(lSmUCZ57Rj6cx!e^rfaI5%w}unz}4 zoX=nt)FVNV%QDJH`o!u9olLD4O5fl)xp+#RloZlaA92o3x4->?rB4`gS$;WO{R;Z3>cG3IgFX2EA?PK^M}@%1%A;?f6}s&CV$cIyEr#q5;yHdNZ9h{| z-=dX+a5elJoDo?Eq&Og!nN6A)5yYpnGEp}?=!C-V)(*~z-+?kY1Q7qs#Rsy%hu_60rdbB+QQNr?S1 z?;xtjUv|*E3}HmuNyB9aFL5H~3Ho0UsmuMZELp1a#CA1g`P{-mT?BchuLEtK}!QZ=3AWakRu~?f9V~3F;TV`5%9Pcs_$gq&CcU}r8gOO zC2&SWPsSG{&o-LIGTBqp6SLQZPvYKp$$7L4WRRZ0BR$Kf0I0SCFkqveCp@f)o8W)! z$%7D1R`&j7W9Q9CGus_)b%+B#J2G;l*FLz#s$hw{BHS~WNLODV#(!u_2Pe&tMsq={ zdm7>_WecWF#D=?eMjLj=-_z`aHMZ=3_-&E8;ibPmM}61i6J3is*=dKf%HC>=xbj4$ zS|Q-hWQ8T5mWde6h@;mS+?k=89?1FU<%qH9B(l&O>k|u_aD|DY*@~(`_pb|B#rJ&g zR0(~(68fpUPz6TdS@4JT5MOPrqDh5_H(eX1$P2SQrkvN8sTxwV>l0)Qq z0pzTuvtEAKRDkKGhhv^jk%|HQ1DdF%5oKq5BS>szk-CIke{%js?~%@$uaN3^Uz6Wf z_iyx{bZ(;9y4X&>LPV=L=d+A}7I4GkK0c1Xts{rrW1Q7apHf-))`BgC^0^F(>At1* za@e7{lq%yAkn*NH8Q1{@{lKhRg*^TfGvv!Sn*ed*x@6>M%aaqySxR|oNadYt1mpUZ z6H(rupHYf&Z z29$5g#|0MX#aR6TZ$@eGxxABRKakDYtD%5BmKp;HbG_ZbT+=81E&=XRk6m_3t9PvD zr5Cqy(v?gHcYvYvXkNH@S#Po~q(_7MOuCAB8G$a9BC##gw^5mW16cML=T=ERL7wsk zzNEayTG?mtB=x*wc@ifBCJ|irFVMOvH)AFRW8WE~U()QT=HBCe@s$dA9O!@`zAAT) zaOZ7l6vyR+Nk_OOF!ZlZmjoImKh)dxFbbR~z(cMhfeX1l7S_`;h|v3gI}n9$sSQ>+3@AFAy9=B_y$)q;Wdl|C-X|VV3w8 z2S#>|5dGA8^9%Bu&fhmVRrTX>Z7{~3V&0UpJNEl0=N32euvDGCJ>#6dUSi&PxFW*s zS`}TB>?}H(T2lxBJ!V#2taV;q%zd6fOr=SGHpoSG*4PDaiG0pdb5`jelVipkEk%FV zThLc@Hc_AL1#D&T4D=w@UezYNJ%0=f3iVRuVL5H?eeZM}4W*bomebEU@e2d`M<~uW zf#Bugwf`VezG|^Qbt6R_=U0}|=k;mIIakz99*>FrsQR{0aQRP6ko?5<7bkDN8evZ& zB@_KqQG?ErKL=1*ZM9_5?Pq%lcS4uLSzN(Mr5=t6xHLS~Ym`UgM@D&VNu8e?_=nSFtF$u@hpPSmI4Vo_t&v?>$~K4y(O~Rb*(MFy_igM7 z*~yYUyR6yQgzWnWMUgDov!!g=lInM+=lOmOk4L`O?{i&qxy&D*_qorRbDwj6?)!ef z#JLd7F6Z2I$S0iYI={rZNk*<{HtIl^mx=h>Cim*04K4+Z4IJtd*-)%6XV2(MCscPiw_a+y*?BKbTS@BZ3AUao^%Zi#PhoY9Vib4N>SE%4>=Jco0v zH_Miey{E;FkdlZSq)e<{`+S3W=*ttvD#hB8w=|2aV*D=yOV}(&p%0LbEWH$&@$X3x~CiF-?ejQ*N+-M zc8zT@3iwkdRT2t(XS`d7`tJQAjRmKAhiw{WOqpuvFp`i@Q@!KMhwKgsA}%@sw8Xo5Y=F zhRJZg)O4uqNWj?V&&vth*H#je6T}}p_<>!Dr#89q@uSjWv~JuW(>FqoJ5^ho0%K?E z9?x_Q;kmcsQ@5=}z@tdljMSt9-Z3xn$k)kEjK|qXS>EfuDmu(Z8|(W?gY6-l z@R_#M8=vxKMAoi&PwnaIYw2COJM@atcgfr=zK1bvjW?9B`-+Voe$Q+H$j!1$Tjn+* z&LY<%)L@;zhnJlB^Og6I&BOR-m?{IW;tyYC%FZ!&Z>kGjHJ6cqM-F z&19n+e1=9AH1VrVeHrIzqlC`w9=*zfmrerF?JMzO&|Mmv;!4DKc(sp+jy^Dx?(8>1 zH&yS_4yL7m&GWX~mdfgH*AB4{CKo;+egw=PrvkTaoBU+P-4u?E|&!c z)DKc;>$$B6u*Zr1SjUh2)FeuWLWHl5TH(UHWkf zLs>7px!c5n;rbe^lO@qlYLzlDVp(z?6rPZel=YB)Uv&n!2{+Mb$-vQl=xKw( zve&>xYx+jW_NJh!FV||r?;hdP*jOXYcLCp>DOtJ?2S^)DkM{{Eb zS$!L$e_o0(^}n3tA1R3-$SNvgBq;DOEo}fNc|tB%%#g4RA3{|euq)p+xd3I8^4E&m zFrD%}nvG^HUAIKe9_{tXB;tl|G<%>yk6R;8L2)KUJw4yHJXUOPM>(-+jxq4R;z8H#>rnJy*)8N+$wA$^F zN+H*3t)eFEgxLw+Nw3};4WV$qj&_D`%ADV2%r zJCPCo%{=z7;`F98(us5JnT(G@sKTZ^;2FVitXyLe-S5(hV&Ium+1pIUB(CZ#h|g)u zSLJJ<@HgrDiA-}V_6B^x1>c9B6%~847JkQ!^KLZ2skm;q*edo;UA)~?SghG8;QbHh z_6M;ouo_1rq9=x$<`Y@EA{C%6-pEV}B(1#sDoe_e1s3^Y>n#1Sw;N|}8D|s|VPd+g z-_$QhCz`vLxxrVMx3ape1xu3*wjx=yKSlM~nFgkNWb4?DDr*!?U)L_VeffF<+!j|b zZ$Wn2$TDv3C3V@BHpSgv3JUif8%hk%OsGZ=OxH@8&4`bbf$`aAMchl^qN>Eyu3JH} z9-S!x8-s4fE=lad%Pkp8hAs~u?|uRnL48O|;*DEU! zuS0{cpk%1E0nc__2%;apFsTm0bKtd&A0~S3Cj^?72-*Owk3V!ZG*PswDfS~}2<8le z5+W^`Y(&R)yVF*tU_s!XMcJS`;(Tr`J0%>p=Z&InR%D3@KEzzI+-2)HK zuoNZ&o=wUC&+*?ofPb0a(E6(<2Amd6%uSu_^-<1?hsxs~0K5^f(LsGqgEF^+0_H=uNk9S0bb!|O8d?m5gQjUKevPaO+*VfSn^2892K~%crWM8+6 z25@V?Y@J<9w%@NXh-2!}SK_(X)O4AM1-WTg>sj1{lj5@=q&dxE^9xng1_z9w9DK>| z6Iybcd0e zyi;Ew!KBRIfGPGytQ6}z}MeXCfLY0?9%RiyagSp_D1?N&c{ zyo>VbJ4Gy`@Fv+5cKgUgs~na$>BV{*em7PU3%lloy_aEovR+J7TfQKh8BJXyL6|P8un-Jnq(ghd!_HEOh$zlv2$~y3krgeH;9zC}V3f`uDtW(%mT#944DQa~^8ZI+zAUu4U(j0YcDfKR$bK#gvn_{JZ>|gZ5+)u?T$w7Q%F^;!Wk?G z(le7r!ufT*cxS}PR6hIVtXa)i`d$-_1KkyBU>qmgz-=T};uxx&sKgv48akIWQ89F{ z0XiY?WM^~;|T8zBOr zs#zuOONzH?svv*jokd5SK8wG>+yMC)LYL|vLqm^PMHcT=`}V$=nIRHe2?h)8WQa6O zPAU}d`1y(>kZiP~Gr=mtJLMu`i<2CspL|q2DqAgAD^7*$xzM`PU4^ga`ilE134XBQ z99P(LhHU@7qvl9Yzg$M`+dlS=x^(m-_3t|h>S}E0bcFMn=C|KamQ)=w2^e)35p`zY zRV8X?d;s^>Cof2SPR&nP3E+-LCkS0J$H!eh8~k0qo$}00b=7!H_I2O+Ro@3O$nPdm ztmbOO^B+IHzQ5w>@@@J4cKw5&^_w6s!s=H%&byAbUtczPQ7}wfTqxxtQNfn*u73Qw zGuWsrky_ajPx-5`R<)6xHf>C(oqGf_Fw|-U*GfS?xLML$kv;h_pZ@Kk$y0X(S+K80 z6^|z)*`5VUkawg}=z`S;VhZhxyDfrE0$(PMurAxl~<>lfZa>JZ288ULK7D` zl9|#L^JL}Y$j*j`0-K6kH#?bRmg#5L3iB4Z)%iF@SqT+Lp|{i`m%R-|ZE94Np7Pa5 zCqC^V3}B(FR340pmF*qaa}M}+h6}mqE~7Sh!9bDv9YRT|>vBNAqv09zXHMlcuhKD| zcjjA(b*XCIwJ33?CB!+;{)vX@9xns_b-VO{i0y?}{!sdXj1GM8+$#v>W7nw;+O_9B z_{4L;C6ol?(?W0<6taGEn1^uG=?Q3i29sE`RfYCaV$3DKc_;?HsL?D_fSYg}SuO5U zOB_f4^vZ_x%o`5|C@9C5+o=mFy@au{s)sKw!UgC&L35aH(sgDxRE2De%(%OT=VUdN ziVLEmdOvJ&5*tCMKRyXctCwQu_RH%;m*$YK&m;jtbdH#Ak~13T1^f89tn`A%QEHWs~jnY~E}p_Z$XC z=?YXLCkzVSK+Id`xZYTegb@W8_baLt-Fq`Tv|=)JPbFsKRm)4UW;yT+J`<)%#ue9DPOkje)YF2fsCilK9MIIK>p*`fkoD5nGfmLwt)!KOT+> zOFq*VZktDDyM3P5UOg`~XL#cbzC}eL%qMB=Q5$d89MKuN#$6|4gx_Jt0Gfn8w&q}%lq4QU%6#jT*MRT% zrLz~C8FYKHawn-EQWN1B75O&quS+Z81(zN)G>~vN8VwC+e+y(`>HcxC{MrJ;H1Z4k zZWuv$w_F0-Ub%MVcpIc){4PGL^I7M{>;hS?;eH!;gmcOE66z3;Z1Phqo(t zVP(Hg6q#0gIKgsg7L7WE!{Y#1nI(45tx2{$34dDd#!Z0NIyrm)HOn5W#7;f4pQci# zDW!FI(g4e668kI9{2+mLwB+=#9bfqgX%!B34V-$wwSN(_cm*^{y0jQtv*4}eO^sOV z*9xoNvX)c9isB}Tgx&ZRjp3kwhTVK?r9;n!x>^XYT z@Q^7zp{rkIs{2mUSE^2!Gf6$6;j~&4=-0cSJJDizZp6LTe8b45;{AKM%v99}{{FfC zz709%u0mC=1KXTo(=TqmZQ;c?$M3z(!xah>aywrj40sc2y3rKFw4jCq+Y+u=CH@_V zxz|qeTwa>+<|H%8Dz5u>ZI5MmjTFwXS-Fv!TDd*`>3{krWoNVx$<133`(ftS?ZPyY z&4@ah^3^i`vL$BZa>O|Nt?ucewzsF)0zX3qmM^|waXr=T0pfIb0*$AwU=?Ipl|1Y; z*Pk6{C-p4MY;j@IJ|DW>QHZQJcp;Z~?8(Q+Kk3^0qJ}SCk^*n4W zu9ZFwLHUx-$6xvaQ)SUQcYd6fF8&x)V`1bIuX@>{mE$b|Yd(qomn3;bPwnDUc0F=; zh*6_((%bqAYQWQ~odER?h>1mkL4kpb3s7`0m@rDKGU*oyF)$j~Ffd4fXV$?`f~rHf zB%Y)@5SXZvfwm10RY5X?TEo)PK_`L6qgBp=#>fO49$D zDq8Ozj0q6213tV5Qq=;fZ0$|KroY{Dz=l@lU^J)?Ko@ti20TRplXzphBi>XGx4bou zEWrkNjz0t5j!_ke{g5I#PUlEU$Km8g8TE|XK=MkU@PT4T><2OVamoK;wJ}3X0L$vX zgd7gNa359*nc)R-0!`2X@FOTB`+oETOPc=ubp5R)VQgY+5BTZZJ2?9QwnO=dnulIUF3gFn;BODC2)65)HeVd%t86sL7Rv^Y+nbn+&l z6BAJY(ETvwI)Ts$aiE8rht4KD*qNyE{8{x6R|%akbTBzw;2+6Echkt+W+`u^XX z_z&x%nDQ>P;GjjD{w zH}lENr;dU&FbEU?00aa80D$0M0RRB{U*7-#kbjS|qAG&4l5%47zyJ#WrfA#1$1Ctx zf&Z_d{GW=lf^w2#qRJ|CvSJUi(^E3iv~=^Z(zH}F)3Z%V3`@+rNB7gTVU{Bb~90p|f+0(v;nz01EG7yDMX9@S~__vVgv%rS$+?IH+oZ03D5zYrv|^ zC1J)SruYHmCki$jLBlTaE5&dFG9-kq3!^i>^UQL`%gn6)jz54$WDmeYdsBE9;PqZ_ zoGd=P4+|(-u4U1dbAVQrFWoNgNd;0nrghPFbQrJctO>nwDdI`Q^i0XJDUYm|T|RWc zZ3^Qgo_Qk$%Fvjj-G}1NB#ZJqIkh;kX%V{THPqOyiq)d)0+(r9o(qKlSp*hmK#iIY zA^)Vr$-Hz<#SF=0@tL@;dCQsm`V9s1vYNq}K1B)!XSK?=I1)tX+bUV52$YQu*0%fnWEukW>mxkz+%3-S!oguE8u#MGzST8_Dy^#U?fA@S#K$S@9msUiX!gd_ow>08w5)nX{-KxqMOo7d?k2&?Vf z&diGDtZr(0cwPe9z9FAUSD9KC)7(n^lMWuayCfxzy8EZsns%OEblHFSzP=cL6}?J| z0U$H!4S_TVjj<`6dy^2j`V`)mC;cB%* z8{>_%E1^FH!*{>4a7*C1v>~1*@TMcLK{7nEQ!_igZC}ikJ$*<$yHy>7)oy79A~#xE zWavoJOIOC$5b6*q*F_qN1>2#MY)AXVyr$6x4b=$x^*aqF*L?vmj>Mgv+|ITnw_BoW zO?jwHvNy^prH{9$rrik1#fhyU^MpFqF2fYEt(;4`Q&XWOGDH8k6M=%@fics4ajI;st# zCU^r1CK&|jzUhRMv;+W~6N;u<;#DI6cCw-otsc@IsN3MoSD^O`eNflIoR~l4*&-%RBYk@gb^|-JXs&~KuSEmMxB}xSb z@K76cXD=Y|=I&SNC2E+>Zg?R6E%DGCH5J1nU!A|@eX9oS(WPaMm==k2s_ueCqdZw| z&hqHp)47`c{BgwgvY2{xz%OIkY1xDwkw!<0veB#yF4ZKJyabhyyVS`gZepcFIk%e2 zTcrmt2@-8`7i-@5Nz>oQWFuMC_KlroCl(PLSodswHqJ3fn<;gxg9=}~3x_L3P`9Sn zChIf}8vCHvTriz~T2~FamRi?rh?>3bX1j}%bLH+uFX+p&+^aXbOK7clZxdU~6Uxgy z8R=obwO4dL%pmVo*Ktf=lH6hnlz_5k3cG;m8lgaPp~?eD!Yn2kf)tU6PF{kLyn|oI@eQ`F z3IF7~Blqg8-uwUuWZScRKn%c2_}dXB6Dx_&xR*n9M9LXasJhtZdr$vBY!rP{c@=)& z#!?L$2UrkvClwQO>U*fSMs67oSj2mxiJ$t;E|>q%Kh_GzzWWO&3;ufU%2z%ucBU8H z3WIwr$n)cfCXR&>tyB7BcSInK>=ByZA%;cVEJhcg<#6N{aZC4>K41XF>ZgjG`z_u& zGY?;Ad?-sgiOnI`oppF1o1Gurqbi*;#x2>+SSV6|1^G@ooVy@fg?wyf@0Y!UZ4!}nGuLeC^l)6pwkh|oRY`s1Pm$>zZ3u-83T|9 zGaKJIV3_x+u1>cRibsaJpJqhcm%?0-L;2 zitBrdRxNmb0OO2J%Y&Ym(6*`_P3&&5Bw157{o7LFguvxC$4&zTy#U=W*l&(Q2MNO} zfaUwYm{XtILD$3864IA_nn34oVa_g^FRuHL5wdUd)+W-p-iWCKe8m_cMHk+=? zeKX)M?Dt(|{r5t7IenkAXo%&EXIb-i^w+0CX0D=xApC=|Xy(`xy+QG^UyFe z+#J6h_&T5i#sV)hj3D4WN%z;2+jJcZxcI3*CHXGmOF3^)JD5j&wfX)e?-|V0GPuA+ zQFot%aEqGNJJHn$!_}#PaAvQ^{3-Ye7b}rWwrUmX53(|~i0v{}G_sI9uDch_brX&6 zWl5Ndj-AYg(W9CGfQf<6!YmY>Ey)+uYd_JNXH=>|`OH-CDCmcH(0%iD_aLlNHKH z7bcW-^5+QV$jK?R*)wZ>r9t}loM@XN&M-Pw=F#xn(;u3!(3SXXY^@=aoj70;_=QE9 zGghsG3ekq#N||u{4We_25U=y#T*S{4I{++Ku)> zQ!DZW;pVcn>b;&g2;YE#+V`v*Bl&Y-i@X6D*OpNA{G@JAXho&aOk(_j^weW{#3X5Y z%$q_wpb07EYPdmyH(1^09i$ca{O<}7) zRWncXdSPgBE%BM#by!E>tdnc$8RwUJg1*x($6$}ae$e9Knj8gvVZe#bLi!<+&BkFj zg@nOpDneyc+hU9P-;jmOSMN|*H#>^Ez#?;%C3hg_65leSUm;iz)UkW)jX#p)e&S&M z1|a?wDzV5NVnlhRBCd_;F87wp>6c<&nkgvC+!@KGiIqWY4l}=&1w7|r6{oBN8xyzh zG$b#2=RJp_iq6)#t5%yLkKx(0@D=C3w+oiXtSuaQ%I1WIb-eiE$d~!)b@|4XLy!CZ z9p=t=%3ad@Ep+<9003D2KZ5VyP~_n$=;~r&YUg5UZ0KVD&tR1DHy9x)qWtKJp#Kq# zP*8p#W(8JJ_*h_3W}FlvRam?<4Z+-H77^$Lvi+#vmhL9J zJ<1SV45xi;SrO2f=-OB(7#iNA5)x1uNC-yNxUw|!00vcW2PufRm>e~toH;M0Q85MQLWd?3O{i8H+5VkR@l9Dg-ma ze2fZ%>G(u5(k9EHj2L6!;(KZ8%8|*-1V|B#EagbF(rc+5iL_5;Eu)L4Z-V;0HfK4d z*{utLse_rvHZeQ>V5H=f78M3Ntg1BPxFCVD{HbNA6?9*^YIq;B-DJd{Ca2L#)qWP? zvX^NhFmX?CTWw&Ns}lgs;r3i+Bq@y}Ul+U%pzOS0Fcv9~aB(0!>GT0)NO?p=25LjN z2bh>6RhgqD7bQj#k-KOm@JLgMa6>%-ok1WpOe)FS^XOU{c?d5shG(lIn3GiVBxmg`u%-j=)^v&pX1JecJics3&jvPI)mDut52? z3jEA)DM%}BYbxxKrizVYwq?(P&19EXlwD9^-6J+4!}9{ywR9Gk42jjAURAF&EO|~N z)?s>$Da@ikI4|^z0e{r`J8zIs>SpM~Vn^{3fArRu;?+43>lD+^XtUcY1HidJwnR6+ z!;oG2=B6Z_=M%*{z-RaHc(n|1RTKQdNjjV!Pn9lFt^4w|AeN06*j}ZyhqZ^!-=cyGP_ShV1rGxkx8t zB;8`h!S{LD%ot``700d0@Grql(DTt4Awgmi+Yr0@#jbe=2#UkK%rv=OLqF)9D7D1j z!~McAwMYkeaL$~kI~90)5vBhBzWYc3Cj1WI0RS`z000R8-@ET0dA~*r(gSiCJmQMN&4%1D zyVNf0?}sBH8zNbBLn>~(W{d3%@kL_eQ6jEcR{l>C|JK z(R-fA!z|TTRG40|zv}7E@PqCAXP3n`;%|SCQ|ZS%ym$I{`}t3KPL&^l5`3>yah4*6 zifO#{VNz3)?ZL$be;NEaAk9b#{tV?V7 zP|wf5YA*1;s<)9A4~l3BHzG&HH`1xNr#%){4xZ!jq%o=7nN*wMuXlFV{HaiQLJ`5G zBhDi#D(m`Q1pLh@Tq+L;OwuC52RdW7b8}~60WCOK5iYMUad9}7aWBuILb({5=z~YF zt?*Jr5NG+WadM{mDL>GyiByCuR)hd zA=HM?J6l1Xv0Dl+LW@w$OTcEoOda^nFCw*Sy^I@$sSuneMl{4ys)|RY#9&NxW4S)9 zq|%83IpslTLoz~&vTo!Ga@?rj_kw{|k{nv+w&Ku?fyk4Ki4I?);M|5Axm)t+BaE)D zm(`AQ#k^DWrjbuXoJf2{Aj^KT zFb1zMSqxq|vceV+Mf-)$oPflsO$@*A0n0Z!R{&(xh8s}=;t(lIy zv$S8x>m;vQNHuRzoaOo?eiWFe{0;$s`Bc+Osz~}Van${u;g(su`3lJ^TEfo~nERfP z)?aFzpDgnLYiERsKPu|0tq4l2wT)Atr6Qb%m-AUn6HnCue*yWICp7TjW$@sO zm5rm4aTcPQ(rfi7a`xP7cKCFrJD}*&_~xgLyr^-bmsL}y;A5P|al8J3WUoBSjqu%v zxC;mK!g(7r6RRJ852Z~feoC&sD3(6}^5-uLK8o)9{8L_%%rItZK9C){UxB|;G>JbP zsRRtS4-3B*5c+K2kvmgZK8472%l>3cntWUOVHxB|{Ay~aOg5RN;{PJgeVD*H%ac+y!h#wi%o2bF2Ca8IyMyH{>4#{E_8u^@+l-+n=V}Sq?$O z{091@v%Bd*3pk0^2UtiF9Z+(a@wy6 zUdw8J*ze$K#=$48IBi1U%;hmhO>lu!uU;+RS}p&6@rQila7WftH->*A4=5W|Fmtze z)7E}jh@cbmr9iup^i%*(uF%LG&!+Fyl@LFA-}Ca#bxRfDJAiR2dt6644TaYw1Ma79 zt8&DYj31j^5WPNf5P&{)J?WlCe@<3u^78wnd(Ja4^a>{^Tw}W>|Cjt^If|7l^l)^Q zbz|7~CF(k_9~n|h;ysZ+jHzkXf(*O*@5m zLzUmbHp=x!Q|!9NVXyipZ3)^GuIG$k;D)EK!a5=8MFLI_lpf`HPKl=-Ww%z8H_0$j ztJ||IfFG1lE9nmQ0+jPQy zCBdKkjArH@K7jVcMNz);Q(Q^R{d5G?-kk;Uu_IXSyWB)~KGIizZL(^&qF;|1PI7!E zTP`%l)gpX|OFn&)M%txpQ2F!hdA~hX1Cm5)IrdljqzRg!f{mN%G~H1&oqe`5eJCIF zHdD7O;AX-{XEV(a`gBFJ9ews#CVS2y!&>Cm_dm3C8*n3MA*e67(WC?uP@8TXuMroq z{#w$%z@CBIkRM7?}Xib+>hRjy?%G!fiw8! z8(gB+8J~KOU}yO7UGm&1g_MDJ$IXS!`+*b*QW2x)9>K~Y*E&bYMnjl6h!{17_8d!%&9D`a7r&LKZjC<&XOvTRaKJ1 zUY@hl5^R&kZl3lU3njk`3dPzxj$2foOL26r(9zsVF3n_F#v)s5vv3@dgs|lP#eylq62{<-vczqP!RpVBTgI>@O6&sU>W|do17+#OzQ7o5A$ICH z?GqwqnK^n2%LR;$^oZM;)+>$X3s2n}2jZ7CdWIW0lnGK-b#EG01)P@aU`pg}th&J-TrU`tIpb5t((0eu|!u zQz+3ZiOQ^?RxxK4;zs=l8q!-n7X{@jSwK(iqNFiRColuEOg}!7cyZi`iBX4g1pNBj zAPzL?P^Ljhn;1$r8?bc=#n|Ed7wB&oHcw()&*k#SS#h}jO?ZB246EGItsz*;^&tzp zu^YJ0=lwsi`eP_pU8}6JA7MS;9pfD;DsSsLo~ogzMNP70@@;Fm8f0^;>$Z>~}GWRw!W5J3tNX*^2+1f3hz{~rIzJo z6W%J(H!g-eI_J1>0juX$X4Cl6i+3wbc~k146UIX&G22}WE>0ga#WLsn9tY(&29zBvH1$`iWtTe zG2jYl@P!P)eb<5DsR72BdI7-zP&cZNI{7q3e@?N8IKc4DE#UVr->|-ryuJXk^u^>4 z$3wE~=q390;XuOQP~TNoDR?#|NSPJ%sTMInA6*rJ%go|=YjGe!B>z6u$IhgQSwoV* zjy3F2#I>uK{42{&IqP59)Y(1*Z>>#W8rCf4_eVsH)`v!P#^;BgzKDR`ARGEZzkNX+ zJUQu=*-ol=Xqqt5=`=pA@BIn@6a9G8C{c&`i^(i+BxQO9?YZ3iu%$$da&Kb?2kCCo zo7t$UpSFWqmydXf@l3bVJ=%K?SSw)|?srhJ-1ZdFu*5QhL$~-IQS!K1s@XzAtv6*Y zl8@(5BlWYLt1yAWy?rMD&bwze8bC3-GfNH=p zynNFCdxyX?K&G(ZZ)afguQ2|r;XoV^=^(;Cku#qYn4Lus`UeKt6rAlFo_rU`|Rq z&G?~iWMBio<78of-2X(ZYHx~=U0Vz4btyXkctMKdc9UM!vYr~B-(>)(Hc|D zMzkN4!PBg%tZoh+=Gba!0++d193gbMk2&krfDgcbx0jI92cq?FFESVg0D$>F+bil} zY~$)|>1HZsX=5sAZ2WgPB5P=8X#TI+NQ(M~GqyVB53c6IdX=k>Wu@A0Svf5#?uHaF zsYn|koIi3$(%GZ2+G+7Fv^lHTb#5b8sAHSTnL^qWZLM<(1|9|QFw9pnRU{svj}_Al zL)b9>fN{QiA($8peNEJyy`(a{&uh-T4_kdZFIVsKKVM(?05}76EEz?#W za^fiZOAd14IJ4zLX-n7Lq0qlQ^lW8Cvz4UKkV9~P}>sq0?xD3vg+$4vLm~C(+ zM{-3Z#qnZ09bJ>}j?6ry^h+@PfaD7*jZxBEY4)UG&daWb??6)TP+|3#Z&?GL?1i+280CFsE|vIXQbm| zM}Pk!U`U5NsNbyKzkrul-DzwB{X?n3E6?TUHr{M&+R*2%yOiXdW-_2Yd6?38M9Vy^ z*lE%gA{wwoSR~vN0=no}tP2Ul5Gk5M(Xq`$nw#ndFk`tcpd5A=Idue`XZ!FS>Q zG^0w#>P4pPG+*NC9gLP4x2m=cKP}YuS!l^?sHSFftZy{4CoQrb_ z^20(NnG`wAhMI=eq)SsIE~&Gp9Ne0nD4%Xiu|0Fj1UFk?6avDqjdXz{O1nKao*46y zT8~iA%Exu=G#{x=KD;_C&M+Zx4+n`sHT>^>=-1YM;H<72k>$py1?F3#T1*ef9mLZw z5naLQr?n7K;2l+{_uIw*_1nsTn~I|kkCgrn;|G~##hM;9l7Jy$yJfmk+&}W@JeKcF zx@@Woiz8qdi|D%aH3XTx5*wDlbs?dC1_nrFpm^QbG@wM=i2?Zg;$VK!c^Dp8<}BTI zyRhAq@#%2pGV49*Y5_mV4+OICP|%I(dQ7x=6Ob}>EjnB_-_18*xrY?b%-yEDT(wrO z9RY2QT0`_OpGfMObKHV;QLVnrK%mc?$WAdIT`kJQT^n%GuzE7|9@k3ci5fYOh(287 zuIbg!GB3xLg$YN=n)^pHGB0jH+_iIiC=nUcD;G6LuJsjn2VI1cyZx=a?ShCsF==QK z;q~*m&}L<-cb+mDDXzvvrRsybcgQ;Vg21P(uLv5I+eGc7o7tc6`;OA9{soHFOz zT~2?>Ts}gprIX$wRBb4yE>ot<8+*Bv`qbSDv*VtRi|cyWS>)Fjs>fkNOH-+PX&4(~ z&)T8Zam2L6puQl?;5zg9h<}k4#|yH9czHw;1jw-pwBM*O2hUR6yvHATrI%^mvs9q_ z&ccT0>f#eDG<^WG^q@oVqlJrhxH)dcq2cty@l3~|5#UDdExyXUmLQ}f4#;6fI{f^t zDCsgIJ~0`af%YR%Ma5VQq-p21k`vaBu6WE?66+5=XUd%Ay%D$irN>5LhluRWt7 zov-=f>QbMk*G##&DTQyou$s7UqjjW@k6=!I@!k+S{pP8R(2=e@io;N8E`EOB;OGoI zw6Q+{X1_I{OO0HPpBz!X!@`5YQ2)t{+!?M_iH25X(d~-Zx~cXnS9z>u?+If|iNJbx zyFU2d1!ITX64D|lE0Z{dLRqL1Ajj=CCMfC4lD3&mYR_R_VZ>_7_~|<^o*%_&jevU+ zQ4|qzci=0}Jydw|LXLCrOl1_P6Xf@c0$ieK2^7@A9UbF{@V_0p%lqW|L?5k>bVM8|p5v&2g;~r>B8uo<4N+`B zH{J)h;SYiIVx@#jI&p-v3dwL5QNV1oxPr8J%ooezTnLW>i*3Isb49%5i!&ac_dEXv zvXmVUck^QHmyrF8>CGXijC_R-y(Qr{3Zt~EmW)-nC!tiH`wlw5D*W7Pip;T?&j%kX z6DkZX4&}iw>hE(boLyjOoupf6JpvBG8}jIh!!VhnD0>}KSMMo{1#uU6kiFcA04~|7 zVO8eI&x1`g4CZ<2cYUI(n#wz2MtVFHx47yE5eL~8bot~>EHbevSt}LLMQX?odD{Ux zJMnam{d)W4da{l7&y-JrgiU~qY3$~}_F#G7|MxT)e;G{U`In&?`j<5D->}cb{}{T(4DF0BOk-=1195KB-E*o@c?`>y#4=dMtYtSY=&L{!TAjFVcq0y@AH`vH! z$41+u!Ld&}F^COPgL(EE{0X7LY&%D7-(?!kjFF7=qw<;`V{nwWBq<)1QiGJgUc^Vz ztMUlq1bZqKn17|6x6iAHbWc~l1HcmAxr%$Puv!znW)!JiukwIrqQ00|H$Z)OmGG@= zv%A8*4cq}(?qn4rN6o`$Y))(MyXr8R<2S^J+v(wmFmtac!%VOfN?&(8Nr!T@kV`N; z*Q33V3t`^rN&aBiHet)18wy{*wi1=W!B%B-Q6}SCrUl$~Hl{@!95ydml@FK8P=u4s z4e*7gV2s=YxEvskw2Ju!2%{8h01rx-3`NCPc(O zH&J0VH5etNB2KY6k4R@2Wvl^Ck$MoR3=)|SEclT2ccJ!RI9Nuter7u9@;sWf-%um;GfI!=eEIQ2l2p_YWUd{|6EG ze{yO6;lMc>;2tPrsNdi@&1K6(1;|$xe8vLgiouj%QD%gYk`4p{Ktv9|j+!OF-P?@p z;}SV|oIK)iwlBs+`ROXkhd&NK zzo__r!B>tOXpBJMDcv!Mq54P+n4(@dijL^EpO1wdg~q+!DT3lB<>9AANSe!T1XgC=J^)IP0XEZ()_vpu!!3HQyJhwh?r`Ae%Yr~b% zO*NY9t9#qWa@GCPYOF9aron7thfWT`eujS4`t2uG6)~JRTI;f(ZuoRQwjZjp5Pg34 z)rp$)Kr?R+KdJ;IO;pM{$6|2y=k_siqvp%)2||cHTe|b5Ht8&A{wazGNca zX$Ol?H)E_R@SDi~4{d-|8nGFhZPW;Cts1;08TwUvLLv&_2$O6Vt=M)X;g%HUr$&06 zISZb(6)Q3%?;3r~*3~USIg=HcJhFtHhIV(siOwV&QkQe#J%H9&E21!C*d@ln3E@J* zVqRO^<)V^ky-R|%{(9`l-(JXq9J)1r$`uQ8a}$vr9E^nNiI*thK8=&UZ0dsFN_eSl z(q~lnD?EymWLsNa3|1{CRPW60>DSkY9YQ;$4o3W7Ms&@&lv9eH!tk~N&dhqX&>K@} zi1g~GqglxkZ5pEFkllJ)Ta1I^c&Bt6#r(QLQ02yHTaJB~- zCcE=5tmi`UA>@P=1LBfBiqk)HB4t8D?02;9eXj~kVPwv?m{5&!&TFYhu>3=_ zsGmYZ^mo*-j69-42y&Jj0cBLLEulNRZ9vXE)8~mt9C#;tZs;=#M=1*hebkS;7(aGf zcs7zH(I8Eui9UU4L--))yy`&d&$In&VA2?DAEss4LAPCLd>-$i?lpXvn!gu^JJ$(DoUlc6wE98VLZ*z`QGQov5l4Fm_h?V-;mHLYDVOwKz7>e4+%AzeO>P6v}ndPW| zM>m#6Tnp7K?0mbK=>gV}=@k*0Mr_PVAgGMu$j+pWxzq4MAa&jpCDU&-5eH27Iz>m^ zax1?*HhG%pJ((tkR(V(O(L%7v7L%!_X->IjS3H5kuXQT2!ow(;%FDE>16&3r){!ex zhf==oJ!}YU89C9@mfDq!P3S4yx$aGB?rbtVH?sHpg?J5C->!_FHM%Hl3#D4eplxzQ zRA+<@LD%LKSkTk2NyWCg7u=$%F#;SIL44~S_OGR}JqX}X+=bc@swpiClB`Zbz|f!4 z7Ysah7OkR8liXfI`}IIwtEoL}(URrGe;IM8%{>b1SsqXh)~w}P>yiFRaE>}rEnNkT z!HXZUtxUp1NmFm)Dm@-{FI^aRQqpSkz}ZSyKR%Y}YHNzBk)ZIp} zMtS=aMvkgWKm9&oTcU0?S|L~CDqA+sHpOxwnswF-fEG)cXCzUR?ps@tZa$=O)=L+5 zf%m58cq8g_o}3?Bhh+c!w4(7AjxwQ3>WnVi<{{38g7yFboo>q|+7qs<$8CPXUFAN< zG&}BHbbyQ5n|qqSr?U~GY{@GJ{(Jny{bMaOG{|IkUj7tj^9pa9|FB_<+KHLxSxR;@ zHpS$4V)PP+tx}22fWx(Ku9y+}Ap;VZqD0AZW4gCDTPCG=zgJmF{|x;(rvdM|2|9a}cex6xrMkERnkE;}jvU-kmzd%_J50$M`lIPCKf+^*zL=@LW`1SaEc%=m zQ+lT06Gw+wVwvQ9fZ~#qd430v2HndFsBa9WjD0P}K(rZYdAt^5WQIvb%D^Q|pkVE^ zte$&#~zmULFACGfS#g=2OLOnIf2Of-k!(BIHjs77nr!5Q1*I9 z1%?=~#Oss!rV~?-6Gm~BWJiA4mJ5TY&iPm_$)H1_rTltuU1F3I(qTQ^U$S>%$l z)Wx1}R?ij0idp@8w-p!Oz{&*W;v*IA;JFHA9%nUvVDy7Q8woheC#|8QuDZb-L_5@R zOqHwrh|mVL9b=+$nJxM`3eE{O$sCt$UK^2@L$R(r^-_+z?lOo+me-VW=Zw z-Bn>$4ovfWd%SPY`ab-u9{INc*k2h+yH%toDHIyqQ zO68=u`N}RIIs7lsn1D){)~%>ByF<>i@qFb<-axvu(Z+6t7v<^z&gm9McRB~BIaDn$ z#xSGT!rzgad8o>~kyj#h1?7g96tOcCJniQ+*#=b7wPio>|6a1Z?_(TS{)KrPe}(8j z!#&A=k(&Pj^F;r)CI=Z{LVu>uj!_W1q4b`N1}E(i%;BWjbEcnD=mv$FL$l?zS6bW!{$7j1GR5ocn94P2u{ z70tAAcpqtQo<@cXw~@i-@6B23;317|l~S>CB?hR5qJ%J3EFgyBdJd^fHZu7AzHF(BQ!tyAz^L0`X z23S4Fe{2X$W0$zu9gm%rg~A>ijaE#GlYlrF9$ds^QtaszE#4M(OLVP2O-;XdT(XIC zatwzF*)1c+t~c{L=fMG8Z=k5lv>U0;C{caN1NItnuSMp)6G3mbahu>E#sj&oy94KC zpH}8oEw{G@N3pvHhp{^-YaZeH;K+T_1AUv;IKD<=mv^&Ueegrb!yf`4VlRl$M?wsl zZyFol(2|_QM`e_2lYSABpKR{{NlxlDSYQNkS;J66aT#MSiTx~;tUmvs-b*CrR4w=f z8+0;*th6kfZ3|5!Icx3RV11sp=?`0Jy3Fs0N4GZQMN=8HmT6%x9@{Dza)k}UwL6JT zHRDh;%!XwXr6yuuy`4;Xsn0zlR$k%r%9abS1;_v?`HX_hI|+EibVnlyE@3aL5vhQq zlIG?tN^w@0(v9M*&L+{_+RQZw=o|&BRPGB>e5=ys7H`nc8nx)|-g;s7mRc7hg{GJC zAe^vCIJhajmm7C6g! zL&!WAQ~5d_5)00?w_*|*H>3$loHrvFbitw#WvLB!JASO?#5Ig5$Ys10n>e4|3d;tS zELJ0|R4n3Az(Fl3-r^QiV_C;)lQ1_CW{5bKS15U|E9?ZgLec@%kXr84>5jV2a5v=w z?pB1GPdxD$IQL4)G||B_lI+A=08MUFFR4MxfGOu07vfIm+j=z9tp~5i_6jb`tR>qV z$#`=BQ*jpCjm$F0+F)L%xRlnS%#&gro6PiRfu^l!EVan|r3y}AHJQOORGx4~ z&<)3=K-tx518DZyp%|!EqpU!+X3Et7n2AaC5(AtrkW>_57i}$eqs$rupubg0a1+WO zGHZKLN2L0D;ab%{_S1Plm|hx8R?O14*w*f&2&bB050n!R2by zw!@XOQx$SqZ5I<(Qu$V6g>o#A!JVwErWv#(Pjx=KeS0@hxr4?13zj#oWwPS(7Ro|v z>Mp@Kmxo79q|}!5qtX2-O@U&&@6s~!I&)1WQIl?lTnh6UdKT_1R640S4~f=_xoN3- zI+O)$R@RjV$F=>Ti7BlnG1-cFKCC(t|Qjm{SalS~V-tX#+2ekRhwmN zZr`8{QF6y~Z!D|{=1*2D-JUa<(1Z=;!Ei!KiRNH?o{p5o3crFF=_pX9O-YyJchr$~ zRC`+G+8kx~fD2k*ZIiiIGR<8r&M@3H?%JVOfE>)})7ScOd&?OjgAGT@WVNSCZ8N(p zuQG~76GE3%(%h1*vUXg$vH{ua0b`sQ4f0*y=u~lgyb^!#CcPJa2mkSEHGLsnO^kb$ zru5_l#nu=Y{rSMWiYx?nO{8I!gH+?wEj~UM?IrG}E|bRIBUM>UlY<`T1EHpRr36vv zBi&dG8oxS|J$!zoaq{+JpJy+O^W(nt*|#g32bd&K^w-t>!Vu9N!k9eA8r!Xc{utY> zg9aZ(D2E0gL#W0MdjwES-7~Wa8iubPrd?8-$C4BP?*wok&O8+ykOx{P=Izx+G~hM8 z*9?BYz!T8~dzcZr#ux8kS7u7r@A#DogBH8km8Ry4slyie^n|GrTbO|cLhpqgMdsjX zJ_LdmM#I&4LqqsOUIXK8gW;V0B(7^$y#h3h>J0k^WJfAMeYek%Y-Dcb_+0zPJez!GM zAmJ1u;*rK=FNM0Nf}Y!!P9c4)HIkMnq^b;JFd!S3?_Qi2G#LIQ)TF|iHl~WKK6JmK zbv7rPE6VkYr_%_BT}CK8h=?%pk@3cz(UrZ{@h40%XgThP*-Oeo`T0eq9 zA8BnWZKzCy5e&&_GEsU4*;_k}(8l_&al5K-V*BFM=O~;MgRkYsOs%9eOY6s6AtE*<7GQAR2ulC3RAJrG_P1iQK5Z~&B z&f8X<>yJV6)oDGIlS$Y*D^Rj(cszTy5c81a5IwBr`BtnC6_e`ArI8CaTX_%rx7;cn zR-0?J_LFg*?(#n~G8cXut(1nVF0Oka$A$1FGcERU<^ggx;p@CZc?3UB41RY+wLS`LWFNSs~YP zuw1@DNN3lTd|jDL7gjBsd9}wIw}4xT2+8dBQzI00m<@?c2L%>}QLfK5%r!a-iII`p zX@`VEUH)uj^$;7jVUYdADQ2k*!1O3WdfgF?OMtUXNpQ1}QINamBTKDuv19^{$`8A1 zeq%q*O0mi@(%sZU>Xdb0Ru96CFqk9-L3pzLVsMQ`Xpa~N6CR{9Rm2)A|CI21L(%GW zh&)Y$BNHa=FD+=mBw3{qTgw)j0b!Eahs!rZnpu)z!!E$*eXE~##yaXz`KE5(nQM`s zD!$vW9XH)iMxu9R>r$VlLk9oIR%HxpUiW=BK@4U)|1WNQ=mz9a z^!KkO=>GaJ!GBXm{KJj^;kh-MkUlEQ%lza`-G&}C5y1>La1sR6hT=d*NeCnuK%_LV zOXt$}iP6(YJKc9j-Fxq~*ItVUqljQ8?oaysB-EYtFQp9oxZ|5m0^Hq(qV!S+hq#g( z?|i*H2MIr^Kxgz+3vIljQ*Feejy6S4v~jKEPTF~Qhq!(ms5>NGtRgO5vfPPc4Z^AM zTj!`5xEreIN)vaNxa|q6qWdg>+T`Ol0Uz)ckXBXEGvPNEL3R8hB3=C5`@=SYgAju1 z!)UBr{2~=~xa{b8>x2@C7weRAEuatC)3pkRhT#pMPTpSbA|tan%U7NGMvzmF?c!V8 z=pEWxbdXbTAGtWTyI?Fml%lEr-^AE}w#l(<7OIw;ctw}imYax&vR4UYNJZK6P7ZOd zP87XfhnUHxCUHhM@b*NbTi#(-8|wcv%3BGNs#zRCVV(W?1Qj6^PPQa<{yaBwZ`+<`w|;rqUY_C z&AeyKwwf*q#OW-F()lir=T^<^wjK65Lif$puuU5+tk$;e_EJ;Lu+pH>=-8=PDhkBg z8cWt%@$Sc#C6F$Vd+0507;{OOyT7Hs%nKS88q-W!$f~9*WGBpHGgNp}=C*7!RiZ5s zn1L_DbKF@B8kwhDiLKRB@lsXVVLK|ph=w%_`#owlf@s@V(pa`GY$8h%;-#h@TsO|Y8V=n@*!Rog7<7Cid%apR|x zOjhHCyfbIt%+*PCveTEcuiDi%Wx;O;+K=W?OFUV%)%~6;gl?<0%)?snDDqIvkHF{ zyI02)+lI9ov42^hL>ZRrh*HhjF9B$A@=H94iaBESBF=eC_KT$8A@uB^6$~o?3Wm5t1OIaqF^~><2?4e3c&)@wKn9bD? zoeCs;H>b8DL^F&>Xw-xjZEUFFTv>JD^O#1E#)CMBaG4DX9bD(Wtc8Rzq}9soQ8`jf zeSnHOL}<+WVSKp4kkq&?SbETjq6yr@4%SAqOG=9E(3YeLG9dtV+8vmzq+6PFPk{L; z(&d++iu=^F%b+ea$i2UeTC{R*0Isk;vFK!no<;L+(`y`3&H-~VTdKROkdyowo1iqR zbVW(3`+(PQ2>TKY>N!jGmGo7oeoB8O|P_!Ic@ zZ^;3dnuXo;WJ?S+)%P>{Hcg!Jz#2SI(s&dY4QAy_vRlmOh)QHvs_7c&zkJCmJGVvV zX;Mtb>QE+xp`KyciG$Cn*0?AK%-a|=o!+7x&&yzHQOS>8=B*R=niSnta^Pxp1`=md z#;$pS$4WCT?mbiCYU?FcHGZ#)kHVJTTBt^%XE(Q};aaO=Zik0UgLcc0I(tUpt(>|& zcxB_|fxCF7>&~5eJ=Dpn&5Aj{A^cV^^}(7w#p;HG&Q)EaN~~EqrE1qKrMAc&WXIE;>@<&)5;gD2?={Xf@Mvn@OJKw=8Mgn z!JUFMwD+s==JpjhroT&d{$kQAy%+d`a*XxDEVxy3`NHzmITrE`o!;5ClXNPb4t*8P zzAivdr{j_v!=9!^?T3y?gzmqDWX6mkzhIzJ-3S{T5bcCFMr&RPDryMcdwbBuZbsgN zGrp@^i?rcfN7v0NKGzDPGE#4yszxu=I_`MI%Z|10nFjU-UjQXXA?k8Pk|OE<(?ae) zE%vG#eZAlj*E7_3dx#Zz4kMLj>H^;}33UAankJiDy5ZvEhrjr`!9eMD8COp}U*hP+ zF}KIYx@pkccIgyxFm#LNw~G&`;o&5)2`5aogs`1~7cMZQ7zj!%L4E`2yzlQN6REX20&O<9 zKV6fyr)TScJPPzNTC2gL+0x#=u>(({{D7j)c-%tvqls3#Y?Z1m zV5WUE)zdJ{$p>yX;^P!UcXP?UD~YM;IRa#Rs5~l+*$&nO(;Ers`G=0D!twR(0GF@c zHl9E5DQI}Oz74n zfKP>&$q0($T4y$6w(p=ERAFh+>n%iaeRA%!T%<^+pg?M)@ucY<&59$x9M#n+V&>}=nO9wCV{O~lg&v#+jcUj(tQ z`0u1YH)-`U$15a{pBkGyPL0THv1P|4e@pf@3IBZS4dVJPo#H>pWq%Lr0YS-SeWash z8R7=jb28KPMI|_lo#GEO|5B?N_e``H*23{~a!AmUJ+fb4HX-%QI@lSEUxKlGV7z7Q zSKw@-TR>@1RL%w{x}dW#k1NgW+q4yt2Xf1J62Bx*O^WG8OJ|FqI4&@d3_o8Id@*)4 zYrk=>@!wv~mh7YWv*bZhxqSmFh2Xq)o=m;%n$I?GSz49l1$xRpPu_^N(vZ>*>Z<04 z2+rP70oM=NDysd!@fQdM2OcyT?3T^Eb@lIC-UG=Bw{BjQ&P`KCv$AcJ;?`vdZ4){d z&gkoUK{$!$$K`3*O-jyM1~p-7T*qb)Ys>Myt^;#1&a%O@x8A+E>! zY8=eD`ZG)LVagDLBeHg>=atOG?Kr%h4B%E6m@J^C+U|y)XX@f z8oyJDW|9g=<#f<{JRr{y#~euMnv)`7j=%cHWLc}ngjq~7k**6%4u>Px&W%4D94(r* z+akunK}O0DC2A%Xo9jyF;DobX?!1I(7%}@7F>i%&nk*LMO)bMGg2N+1iqtg+r(70q zF5{Msgsm5GS7DT`kBsjMvOrkx&|EU!{{~gL4d2MWrAT=KBQ-^zQCUq{5PD1orxlIL zq;CvlWx#f1NWvh`hg011I%?T_s!e38l*lWVt|~z-PO4~~1g)SrJ|>*tXh=QfXT)%( z+ex+inPvD&O4Ur;JGz>$sUOnWdpSLcm1X%aQDw4{dB!cnj`^muI$CJ2%p&-kULVCE z>$eMR36kN$wCPR+OFDM3-U(VOrp9k3)lI&YVFqd;Kpz~K)@Fa&FRw}L(SoD z9B4a+hQzZT-BnVltst&=kq6Y(f^S4hIGNKYBgMxGJ^;2yrO}P3;r)(-I-CZ)26Y6? z&rzHI_1GCvGkgy-t1E;r^3Le30|%$ebDRu2+gdLG)r=A~Qz`}~&L@aGJ{}vVs_GE* zVUjFnzHiXfKQbpv&bR&}l2bzIjAooB)=-XNcYmrGmBh(&iu@o!^hn0^#}m2yZZUK8 zufVm7Gq0y`Mj;9b>`c?&PZkU0j4>IL=UL&-Lp3j&47B5pAW4JceG{!XCA)kT<%2nqCxj<)uy6XR_uws~>_MEKPOpAQ!H zkn>FKh)<9DwwS*|Y(q?$^N!6(51O0 z^JM~Ax{AI1Oj$fs-S5d4T7Z_i1?{%0SsIuQ&r8#(JA=2iLcTN+?>wOL532%&dMYkT z*T5xepC+V6zxhS@vNbMoi|i)=rpli@R9~P!39tWbSSb904ekv7D#quKbgFEMTb48P zuq(VJ+&L8aWU(_FCD$3^uD!YM%O^K(dvy~Wm2hUuh6bD|#(I39Xt>N1Y{ZqXL`Fg6 zKQ?T2htHN!(Bx;tV2bfTtIj7e)liN-29s1kew>v(D^@)#v;}C4-G=7x#;-dM4yRWm zyY`cS21ulzMK{PoaQ6xChEZ}o_#}X-o}<&0)$1#3we?+QeLt;aVCjeA)hn!}UaKt< zat1fHEx13y-rXNMvpUUmCVzocPmN~-Y4(YJvQ#db)4|%B!rBsgAe+*yor~}FrNH08 z3V!97S}D7d$zbSD{$z;@IYMxM6aHdypIuS*pr_U6;#Y!_?0i|&yU*@16l z*dcMqDQgfNBf}?quiu4e>H)yTVfsp#f+Du0@=Kc41QockXkCkvu>FBd6Q+@FL!(Yx z2`YuX#eMEiLEDhp+9uFqME_E^faV&~9qjBHJkIp~%$x^bN=N)K@kvSVEMdDuzA0sn z88CBG?`RX1@#hQNd`o^V{37)!w|nA)QfiYBE^m=yQKv-fQF+UCMcuEe1d4BH7$?>b zJl-r9@0^Ie=)guO1vOd=i$_4sz>y3x^R7n4ED!5oXL3@5**h(xr%Hv)_gILarO46q+MaDOF%ChaymKoI6JU5Pg;7#2n9-18|S1;AK+ zgsn6;k6-%!QD>D?cFy}8F;r@z8H9xN1jsOBw2vQONVqBVEbkiNUqgw~*!^##ht>w0 zUOykwH=$LwX2j&nLy=@{hr)2O&-wm-NyjW7n~Zs9UlH;P7iP3 zI}S(r0YFVYacnKH(+{*)Tbw)@;6>%=&Th=+Z6NHo_tR|JCI8TJiXv2N7ei7M^Q+RM z?9o`meH$5Yi;@9XaNR#jIK^&{N|DYNNbtdb)XW1Lv2k{E>;?F`#Pq|&_;gm~&~Zc9 zf+6ZE%{x4|{YdtE?a^gKyzr}dA>OxQv+pq|@IXL%WS0CiX!V zm$fCePA%lU{%pTKD7|5NJHeXg=I0jL@$tOF@K*MI$)f?om)D63K*M|r`gb9edD1~Y zc|w7N)Y%do7=0{RC|AziW7#am$)9jciRJ?IWl9PE{G3U+$%FcyKs_0Cgq`=K3@ttV z9g;M!3z~f_?P%y3-ph%vBMeS@p7P&Ea8M@97+%XEj*(1E6vHj==d zjsoviB>j^$_^OI_DEPvFkVo(BGRo%cJeD){6Uckei=~1}>sp299|IRjhXe)%?uP0I zF5+>?0#Ye}T^Y$u_rc4=lPcq4K^D(TZG-w30-YiEM=dcK+4#o*>lJ8&JLi+3UcpZk z!^?95S^C0ja^jwP`|{<+3cBVog$(mRdQmadS+Vh~z zS@|P}=|z3P6uS+&@QsMp0no9Od&27O&14zHXGAOEy zh~OKpymK5C%;LLb467@KgIiVwYbYd6wFxI{0-~MOGfTq$nBTB!{SrWmL9Hs}C&l&l#m?s*{tA?BHS4mVKHAVMqm63H<|c5n0~k)-kbg zXidai&9ZUy0~WFYYKT;oe~rytRk?)r8bptITsWj(@HLI;@=v5|XUnSls7$uaxFRL+ zRVMGuL3w}NbV1`^=Pw*0?>bm8+xfeY(1PikW*PB>>Tq(FR`91N0c2&>lL2sZo5=VD zQY{>7dh_TX98L2)n{2OV=T10~*YzX27i2Q7W86M4$?gZIXZaBq#sA*{PH8){|GUi;oM>e?ua7eF4WFuFYZSG| zze?srg|5Ti8Og{O zeFxuw9!U+zhyk?@w zjsA6(oKD=Ka;A>Ca)oPORxK+kxH#O@zhC!!XS4@=swnuMk>t+JmLmFiE^1aX3f<)D@`%K0FGK^gg1a1j>zi z2KhV>sjU7AX3F$SEqrXSC}fRx64GDoc%!u2Yag68Lw@w9v;xOONf@o)Lc|Uh3<21ctTYu-mFZuHk*+R{GjXHIGq3p)tFtQp%TYqD=j1&y)>@zxoxUJ!G@ zgI0XKmP6MNzw>nRxK$-Gbzs}dyfFzt>#5;f6oR27ql!%+{tr+(`(>%51|k`ML} zY4eE)Lxq|JMas(;JibNQds1bUB&r}ydMQXBY4x(^&fY_&LlQC)3hylc$~8&~|06-D z#T+%66rYbHX%^KuqJED_wuGB+=h`nWA!>1n0)3wZrBG3%`b^Ozv6__dNa@%V14|!D zQ?o$z5u0^8`giv%qE!BzZ!3j;BlDlJDk)h@9{nSQeEk!z9RGW) z${RSF3phEM*ce*>Xdp}585vj$|40=&S{S-GTiE?Op*vY&Lvr9}BO$XWy80IF+6@%n z5*2ueT_g@ofP#u5pxb7n*fv^Xtt7&?SRc{*2Ka-*!BuOpf}neHGCiHy$@Ka1^Dint z;DkmIL$-e)rj4o2WQV%Gy;Xg(_Bh#qeOsTM2f@KEe~4kJ8kNLQ+;(!j^bgJMcNhvklP5Z6I+9Fq@c&D~8Fb-4rmDT!MB5QC{Dsb;BharP*O;SF4& zc$wj-7Oep7#$WZN!1nznc@Vb<_Dn%ga-O#J(l=OGB`dy=Sy&$(5-n3zzu%d7E#^8`T@}V+5B;PP8J14#4cCPw-SQTdGa2gWL0*zKM z#DfSXs_iWOMt)0*+Y>Lkd=LlyoHjublNLefhKBv@JoC>P7N1_#> zv=mLWe96%EY;!ZGSQDbZWb#;tzqAGgx~uk+-$+2_8U`!ypbwXl z^2E-FkM1?lY@yt8=J3%QK+xaZ6ok=-y%=KXCD^0r!5vUneW>95PzCkOPO*t}p$;-> ze5j-BLT_;)cZQzR2CEsm@rU7GZfFtdp*a|g4wDr%8?2QkIGasRfDWT-Dvy*U{?IHT z*}wGnzdlSptl#ZF^sf)KT|BJs&kLG91^A6ls{CzFprZ6-Y!V0Xysh%9p%iMd7HLsS zN+^Un$tDV)T@i!v?3o0Fsx2qI(AX_$dDkBzQ@fRM%n zRXk6hb9Py#JXUs+7)w@eo;g%QQ95Yq!K_d=z{0dGS+pToEI6=Bo8+{k$7&Z zo4>PH(`ce8E-Ps&uv`NQ;U$%t;w~|@E3WVOCi~R4oj5wP?%<*1C%}Jq%a^q~T7u>K zML5AKfQDv6>PuT`{SrKHRAF+^&edg6+5R_#H?Lz3iGoWo#PCEd0DS;)2U({{X#zU^ zw_xv{4x7|t!S)>44J;KfA|DC?;uQ($l+5Vp7oeqf7{GBF9356nx|&B~gs+@N^gSdd zvb*>&W)|u#F{Z_b`f#GVtQ`pYv3#||N{xj1NgB<#=Odt6{eB%#9RLt5v zIi|0u70`#ai}9fJjKv7dE!9ZrOIX!3{$z_K5FBd-Kp-&e4(J$LD-)NMTp^_pB`RT; zftVVlK2g@+1Ahv2$D){@Y#cL#dUj9*&%#6 zd2m9{1NYp>)6=oAvqdCn5#cx{AJ%S8skUgMglu2*IAtd+z1>B&`MuEAS(D(<6X#Lj z?f4CFx$)M&$=7*>9v1ER4b6!SIz-m0e{o0BfkySREchp?WdVPpQCh!q$t>?rL!&Jg zd#heM;&~A}VEm8Dvy&P|J*eAV&w!&Nx6HFV&B8jJFVTmgLaswn!cx$&%JbTsloz!3 zMEz1d`k==`Ueub_JAy_&`!ogbwx27^ZXgFNAbx=g_I~5nO^r)}&myw~+yY*cJl4$I znNJ32M&K=0(2Dj_>@39`3=FX!v3nZHno_@q^!y}%(yw0PqOo=);6Y@&ylVe>nMOZ~ zd>j#QQSBn3oaWd;qy$&5(5H$Ayi)0haAYO6TH>FR?rhqHmNOO+(})NB zLI@B@v0)eq!ug`>G<@htRlp3n!EpU|n+G+AvXFrWSUsLMBfL*ZB`CRsIVHNTR&b?K zxBgsN0BjfB>UVcJ|x%=-zb%OV7lmZc& zxiupadZVF7)6QuhoY;;FK2b*qL0J-Rn-8!X4ZY$-ZSUXV5DFd7`T41c(#lAeLMoeT z4%g655v@7AqT!i@)Edt5JMbN(=Q-6{=L4iG8RA%}w;&pKmtWvI4?G9pVRp|RTw`g0 zD5c12B&A2&P6Ng~8WM2eIW=wxd?r7A*N+&!Be7PX3s|7~z=APxm=A?5 zt>xB4WG|*Td@VX{Rs)PV0|yK`oI3^xn(4c_j&vgxk_Y3o(-`_5o`V zRTghg6%l@(qodXN;dB#+OKJEEvhfcnc#BeO2|E(5df-!fKDZ!%9!^BJ_4)9P+9Dq5 zK1=(v?KmIp34r?z{NEWnLB3Px{XYwy-akun4F7xTRr2^zeYW{gcK9)>aJDdU5;w5@ zak=<+-PLH-|04pelTb%ULpuuuJC7DgyT@D|p{!V!0v3KpDnRjANN12q6SUR3mb9<- z>2r~IApQGhstZ!3*?5V z8#)hJ0TdZg0M-BK#nGFP>$i=qk82DO z7h;Ft!D5E15OgW)&%lej*?^1~2=*Z5$2VX>V{x8SC+{i10BbtUk9@I#Vi&hX)q
Q!LwySI{Bnv%Sm)yh{^sSVJ8&h_D-BJ_YZe5eCaAWU9b$O2c z$T|{vWVRtOL!xC0DTc(Qbe`ItNtt5hr<)VijD0{U;T#bUEp381_y`%ZIav?kuYG{iyYdEBPW=*xNSc;Rlt6~F4M`5G+VtOjc z*0qGzCb@gME5udTjJA-9O<&TWd~}ysBd(eVT1-H82-doyH9RST)|+Pb{o*;$j9Tjs zhU!IlsPsj8=(x3bAKJTopW3^6AKROHR^7wZ185wJGVhA~hEc|LP;k7NEz-@4p5o}F z`AD6naG3(n=NF9HTH81=F+Q|JOz$7wm9I<+#BSmB@o_cLt2GkW9|?7mM;r!JZp89l zbo!Hp8=n!XH1{GwaDU+k)pGp`C|cXkCU5%vcH)+v@0eK>%7gWxmuMu9YLlChA|_D@ zi#5zovN_!a-0?~pUV-Rj*1P)KwdU-LguR>YM&*Nen+ln8Q$?WFCJg%DY%K}2!!1FE zDv-A%Cbwo^p(lzac&_TZ-l#9kq`mhLcY3h9ZTUVCM(Ad&=EriQY5{jJv<5K&g|*Lk zgV%ILnf1%8V2B0E&;Sp4sYbYOvvMebLwYwzkRQ#F8GpTQq#uv=J`uaSJ34OWITeSGo6+-8Xw znCk*n{kdDEi)Hi&u^)~cs@iyCkFWB2SWZU|Uc%^43ZIZQ-vWNExCCtDWjqHs;;tWf$v{}0{p0Rvxkq``)*>+Akq%|Na zA`@~-Vfe|+(AIlqru+7Ceh4nsVmO9p9jc8}HX^W&ViBDXT+uXbT#R#idPn&L>+#b6 zflC-4C5-X;kUnR~L>PSLh*gvL68}RBsu#2l`s_9KjUWRhiqF`j)`y`2`YU(>3bdBj z?>iyjEhe-~$^I5!nn%B6Wh+I`FvLNvauve~eX<+Ipl&04 zT}};W&1a3%W?dJ2=N#0t?e+aK+%t}5q%jSLvp3jZ%?&F}nOOWr>+{GFIa%wO_2`et z=JzoRR~}iKuuR+azPI8;Gf9)z3kyA4EIOSl!sRR$DlW}0>&?GbgPojmjmnln;cTqCt=ADbE zZ8GAnoM+S1(5$i8^O4t`ue;vO4i}z0wz-QEIVe5_u03;}-!G1NyY8;h^}y;tzY}i5 zqQr#Ur3Fy8sSa$Q0ys+f`!`+>9WbvU_I`Sj;$4{S>O3?#inLHCrtLy~!s#WXV=oVP zeE93*Nc`PBi4q@%Ao$x4lw9vLHM!6mn3-b_cebF|n-2vt-zYVF_&sDE--J-P;2WHo z+@n2areE0o$LjvjlV2X7ZU@j+`{*8zq`JR3gKF#EW|#+{nMyo-a>nFFTg&vhyT=b} zDa8+v0(Dgx0yRL@ZXOYIlVSZ0|MFizy0VPW8;AfA5|pe!#j zX}Py^8fl5SyS4g1WSKKtnyP+_PoOwMMwu`(i@Z)diJp~U54*-miOchy7Z35eL>^M z4p<-aIxH4VUZgS783@H%M7P9hX>t{|RU7$n4T(brCG#h9e9p! z+o`i;EGGq3&pF;~5V~eBD}lC)>if$w%Vf}AFxGqO88|ApfHf&Bvu+xdG)@vuF}Yvk z)o;~k-%+0K0g+L`Wala!$=ZV|z$e%>f0%XoLib%)!R^RoS+{!#X?h-6uu zF&&KxORdZU&EwQFITIRLo(7TA3W}y6X{?Y%y2j0It!ekU#<)$qghZtpcS>L3uh`Uj z7GY;6f$9qKynP#oS3$$a{p^{D+0oJQ71`1?OAn_m8)UGZmj3l*ZI)`V-a>MKGGFG< z&^jg#Ok%(hhm>hSrZ5;Qga4u(?^i>GiW_j9%_7M>j(^|Om$#{k+^*ULnEgzW_1gCICtAD^WpC`A z{9&DXkG#01Xo)U$OC(L5Y$DQ|Q4C6CjUKk1UkPj$nXH##J{c8e#K|&{mA*;b$r0E4 zUNo0jthwA(c&N1l=PEe8Rw_8cEl|-eya9z&H3#n`B$t#+aJ03RFMzrV@gowbe8v(c zIFM60^0&lCFO10NU4w@|61xiZ4CVXeaKjd;d?sv52XM*lS8XiVjgWpRB;&U_C0g+`6B5V&w|O6B*_q zsATxL!M}+$He)1eOWECce#eS@2n^xhlB4<_Nn?yCVEQWDs(r`|@2GqLe<#(|&P0U? z$7V5IgpWf09uIf_RazRwC?qEqRaHyL?iiS05UiGesJy%^>-C{{ypTBI&B0-iUYhk> zIk<5xpsuV@g|z(AZD+C-;A!fTG=df1=<%nxy(a(IS+U{ME4ZbDEBtcD_3V=icT6*_ z)>|J?>&6%nvHhZERBtjK+s4xnut*@>GAmA5m*OTp$!^CHTr}vM4n(X1Q*;{e-Rd2BCF-u@1ZGm z!S8hJ6L=Gl4T_SDa7Xx|-{4mxveJg=ctf`BJ*fy!yF6Dz&?w(Q_6B}WQVtNI!BVBC zKfX<>7vd6C96}XAQmF-Jd?1Q4eTfRB3q7hCh0f!(JkdWT5<{iAE#dKy*Jxq&3a1@~ z8C||Dn2mFNyrUV|<-)C^_y7@8c2Fz+2jrae9deBDu;U}tJ{^xAdxCD248(k;dCJ%o z`y3sADe>U%suxwwv~8A1+R$VB=Q?%U?4joI$um;aH+eCrBqpn- z%79D_7rb;R-;-9RTrwi9dPlg8&@tfWhhZ(Vx&1PQ+6(huX`;M9x~LrW~~#3{j0Bh2kDU$}@!fFQej4VGkJv?M4rU^x!RU zEwhu$!CA_iDjFjrJa`aocySDX16?~;+wgav;}Zut6Mg%C4>}8FL?8)Kgwc(Qlj{@#2Pt0?G`$h7P#M+qoXtlV@d}%c&OzO+QYKK`kyXaK{U(O^2DyIXCZlNQjt0^8~8JzNGrIxhj}}M z&~QZlbx%t;MJ(Vux;2tgNKGlAqphLq%pd}JG9uoVHUo?|hN{pLQ6Em%r*+7t^<);X zm~6=qChlNAVXNN*Sow->*4;}T;l;D1I-5T{Bif@4_}=>l`tK;qqDdt5zvisCKhMAH z#r}`)7VW?LZqfdmXQ%zo5bJ00{Xb9^YKrk0Nf|oIW*K@(=`o2Vndz}ZDyk{!u}PVx zzd--+_WC*U{~DH3{?GI64IB+@On&@9X>EUAo&L+G{L^dozaI4C3G#2wr~hseW@K&g zKWs{uHu-9Je!3;4pE>eBltKUXb^*hG8I&413)$J&{D4N%7PcloU6bn%jPxJyQL?g* z9g+YFFEDiE`8rW^laCNzQmi7CTnPfwyg3VDHRAl>h=In6jeaVOP@!-CP60j3+#vpL zEYmh_oP0{-gTe7Or`L6x)6w?77QVi~jD8lWN@3RHcm80iV%M1A!+Y6iHM)05iC64tb$X2lV_%Txk@0l^hZqi^%Z?#- zE;LE0uFx)R08_S-#(wC=dS&}vj6P4>5ZWjhthP=*Hht&TdLtKDR;rXEX4*z0h74FA zMCINqrh3Vq;s%3MC1YL`{WjIAPkVL#3rj^9Pj9Ss7>7duy!9H0vYF%>1jh)EPqvlr6h%R%CxDsk| z!BACz7E%j?bm=pH6Eaw{+suniuY7C9Ut~1cWfOX9KW9=H><&kQlinPV3h9R>3nJvK z4L9(DRM=x;R&d#a@oFY7mB|m8h4692U5eYfcw|QKwqRsshN(q^v$4$)HgPpAJDJ`I zkqjq(8Cd!K!+wCd=d@w%~e$=gdUgD&wj$LQ1r>-E=O@c ze+Z$x{>6(JA-fNVr)X;*)40Eym1TtUZI1Pwwx1hUi+G1Jlk~vCYeXMNYtr)1?qwyg zsX_e*$h?380O00ou?0R@7-Fc59o$UvyVs4cUbujHUA>sH!}L54>`e` zHUx#Q+Hn&Og#YVOuo*niy*GU3rH;%f``nk#NN5-xrZ34NeH$l`4@t);4(+0|Z#I>Y z)~Kzs#exIAaf--65L0UHT_SvV8O2WYeD>Mq^Y6L!Xu8%vnpofG@w!}R7M28?i1*T&zp3X4^OMCY6(Dg<-! zXmcGQrRgHXGYre7GfTJ)rhl|rs%abKT_Nt24_Q``XH{88NVPW+`x4ZdrMuO0iZ0g` z%p}y};~T5gbb9SeL8BSc`SO#ixC$@QhXxZ=B}L`tP}&k?1oSPS=4%{UOHe0<_XWln zwbl5cn(j-qK`)vGHY5B5C|QZd5)W7c@{bNVXqJ!!n$^ufc?N9C-BF2QK1(kv++h!>$QbAjq)_b$$PcJdV+F7hz0Hu@ zqj+}m0qn{t^tD3DfBb~0B36|Q`bs*xs|$i^G4uNUEBl4g;op-;Wl~iThgga?+dL7s zUP(8lMO?g{GcYpDS{NM!UA8Hco?#}eNEioRBHy4`mq!Pd-9@-97|k$hpEX>xoX+dY zDr$wfm^P&}Wu{!%?)U_(%Mn79$(ywvu*kJ9r4u|MyYLI_67U7%6Gd_vb##Nerf@>& z8W11z$$~xEZt$dPG}+*IZky+os5Ju2eRi;1=rUEeIn>t-AzC_IGM-IXWK3^6QNU+2pe=MBn4I*R@A%-iLDCOHTE-O^wo$sL_h{dcPl=^muAQb`_BRm};=cy{qSkui;`WSsj9%c^+bIDQ z0`_?KX0<-=o!t{u(Ln)v>%VGL z0pC=GB7*AQ?N7N{ut*a%MH-tdtNmNC+Yf$|KS)BW(gQJ*z$d{+{j?(e&hgTy^2|AR9vx1Xre2fagGv0YXWqtNkg*v%40v?BJBt|f9wX5 z{QTlCM}b-0{mV?IG>TW_BdviUKhtosrBqdfq&Frdz>cF~yK{P@(w{Vr7z2qKFwLhc zQuogKO@~YwyS9%+d-zD7mJG~@?EFJLSn!a&mhE5$_4xBl&6QHMzL?CdzEnC~C3$X@ zvY!{_GR06ep5;<#cKCSJ%srxX=+pn?ywDwtJ2{TV;0DKBO2t++B(tIO4)Wh`rD13P z4fE$#%zkd=UzOB74gi=-*CuID&Z3zI^-`4U^S?dHxK8fP*;fE|a(KYMgMUo`THIS1f!*6dOI2 zFjC3O=-AL`6=9pp;`CYPTdVX z8(*?V&%QoipuH0>WKlL8A*zTKckD!paN@~hh zmXzm~qZhMGVdQGd=AG8&20HW0RGV8X{$9LldFZYm zE?}`Q3i?xJRz43S?VFMmqRyvWaS#(~Lempg9nTM$EFDP(Gzx#$r)W&lpFKqcAoJh-AxEw$-bjW>`_+gEi z2w`99#UbFZGiQjS8kj~@PGqpsPX`T{YOj`CaEqTFag;$jY z8_{Wzz>HXx&G*Dx<5skhpETxIdhKH?DtY@b9l8$l?UkM#J-Snmts7bd7xayKTFJ(u zyAT&@6cAYcs{PBfpqZa%sxhJ5nSZBPji?Zlf&}#L?t)vC4X5VLp%~fz2Sx<*oN<7` z?ge=k<=X7r<~F7Tvp9#HB{!mA!QWBOf%EiSJ6KIF8QZNjg&x~-%e*tflL(ji_S^sO ztmib1rp09uon}RcsFi#k)oLs@$?vs(i>5k3YN%$T(5Or(TZ5JW9mA6mIMD08=749$ z!d+l*iu{Il7^Yu}H;lgw=En1sJpCKPSqTCHy4(f&NPelr31^*l%KHq^QE>z>Ks_bH zjbD?({~8Din7IvZeJ>8Ey=e;I?thpzD=zE5UHeO|neioJwG;IyLk?xOz(yO&0DTU~ z^#)xcs|s>Flgmp;SmYJ4g(|HMu3v7#;c*Aa8iF#UZo7CvDq4>8#qLJ|YdZ!AsH%^_7N1IQjCro

K7UpUK$>l@ zw`1S}(D?mUXu_C{wupRS-jiX~w=Uqqhf|Vb3Cm9L=T+w91Cu^ z*&Ty%sN?x*h~mJc4g~k{xD4ZmF%FXZNC;oVDwLZ_WvrnzY|{v8hc1nmx4^}Z;yriXsAf+Lp+OFLbR!&Ox?xABwl zu8w&|5pCxmu#$?Cv2_-Vghl2LZ6m7}VLEfR5o2Ou$x02uA-%QB2$c(c1rH3R9hesc zfpn#oqpbKuVsdfV#cv@5pV4^f_!WS+F>SV6N0JQ9E!T90EX((_{bSSFv9ld%I0&}9 zH&Jd4MEX1e0iqDtq~h?DBrxQX1iI0lIs<|kB$Yrh&cpeK0-^K%=FBsCBT46@h#yi!AyDq1V(#V}^;{{V*@T4WJ&U-NTq43w=|K>z8%pr_nC>%C(Wa_l78Ufib$r8Od)IIN=u>417 z`Hl{9A$mI5A(;+-Q&$F&h-@;NR>Z<2U;Y21>>Z;s@0V@SbkMQQj%_;~+qTuQ?c|AV zcWm3XZQHhP&R%QWarS%mJ!9R^&!_)*s(v+VR@I#QrAT}`17Y+l<`b-nvmDNW`De%y zrwTZ9EJrj1AFA>B`1jYDow}~*dfPs}IZMO3=a{Fy#IOILc8F0;JS4x(k-NSpbN@qM z`@aE_e}5{!$v3+qVs7u?sOV(y@1Os*Fgu`fCW9=G@F_#VQ%xf$hj0~wnnP0$hFI+@ zkQj~v#V>xn)u??YutKsX>pxKCl^p!C-o?+9;!Nug^ z{rP!|+KsP5%uF;ZCa5F;O^9TGac=M|=V z_H(PfkV1rz4jl?gJ(ArXMyWT4y(86d3`$iI4^l9`vLdZkzpznSd5Ikfrs8qcSy&>z zTIZgWZGXw0n9ibQxYWE@gI0(3#KA-dAdPcsL_|hg2@~C!VZDM}5;v_Nykfq!*@*Zf zE_wVgx82GMDryKO{U{D>vSzSc%B~|cjDQrt5BN=Ugpsf8H8f1lR4SGo#hCuXPL;QQ z#~b?C4MoepT3X`qdW2dNn& zo8)K}%Lpu>0tQei+{>*VGErz|qjbK#9 zvtd8rcHplw%YyQCKR{kyo6fgg!)6tHUYT(L>B7er5)41iG`j$qe*kSh$fY!PehLcD zWeKZHn<492B34*JUQh=CY1R~jT9Jt=k=jCU2=SL&&y5QI2uAG2?L8qd2U(^AW#{(x zThSy=C#>k+QMo^7caQcpU?Qn}j-`s?1vXuzG#j8(A+RUAY})F@=r&F(8nI&HspAy4 z4>(M>hI9c7?DCW8rw6|23?qQMSq?*Vx?v30U%luBo)B-k2mkL)Ljk5xUha3pK>EEj z@(;tH|M@xkuN?gsz;*bygizwYR!6=(Xgcg^>WlGtRYCozY<rFX2E>kaZo)O<^J7a`MX8Pf`gBd4vrtD|qKn&B)C&wp0O-x*@-|m*0egT=-t@%dD zgP2D+#WPptnc;_ugD6%zN}Z+X4=c61XNLb7L1gWd8;NHrBXwJ7s0ce#lWnnFUMTR& z1_R9Fin4!d17d4jpKcfh?MKRxxQk$@)*hradH2$3)nyXep5Z;B z?yX+-Bd=TqO2!11?MDtG0n(*T^!CIiF@ZQymqq1wPM_X$Iu9-P=^}v7npvvPBu!d$ z7K?@CsA8H38+zjA@{;{kG)#AHME>Ix<711_iQ@WWMObXyVO)a&^qE1GqpP47Q|_AG zP`(AD&r!V^MXQ^e+*n5~Lp9!B+#y3#f8J^5!iC@3Y@P`;FoUH{G*pj*q7MVV)29+j z>BC`a|1@U_v%%o9VH_HsSnM`jZ-&CDvbiqDg)tQEnV>b%Ptm)T|1?TrpIl)Y$LnG_ zzKi5j2Fx^K^PG1=*?GhK;$(UCF-tM~^=Z*+Wp{FSuy7iHt9#4n(sUuHK??@v+6*|10Csdnyg9hAsC5_OrSL;jVkLlf zHXIPukLqbhs~-*oa^gqgvtpgTk_7GypwH><53riYYL*M=Q@F-yEPLqQ&1Sc zZB%w}T~RO|#jFjMWcKMZccxm-SL)s_ig?OC?y_~gLFj{n8D$J_Kw%{r0oB8?@dWzn zB528d-wUBQzrrSSLq?fR!K%59Zv9J4yCQhhDGwhptpA5O5U?Hjqt>8nOD zi{)0CI|&Gu%zunGI*XFZh(ix)q${jT8wnnzbBMPYVJc4HX*9d^mz|21$=R$J$(y7V zo0dxdbX3N#=F$zjstTf*t8vL)2*{XH!+<2IJ1VVFa67|{?LP&P41h$2i2;?N~RA30LV`BsUcj zfO9#Pg1$t}7zpv#&)8`mis3~o+P(DxOMgz-V*(?wWaxi?R=NhtW}<#^Z?(BhSwyar zG|A#Q7wh4OfK<|DAcl9THc-W4*>J4nTevsD%dkj`U~wSUCh15?_N@uMdF^Kw+{agk zJ`im^wDqj`Ev)W3k3stasP`88-M0ZBs7;B6{-tSm3>I@_e-QfT?7|n0D~0RRqDb^G zyHb=is;IwuQ&ITzL4KsP@Z`b$d%B0Wuhioo1CWttW8yhsER1ZUZzA{F*K=wmi-sb#Ju+j z-l@In^IKnb{bQG}Ps>+Vu_W#grNKNGto+yjA)?>0?~X`4I3T@5G1)RqGUZuP^NJCq&^HykuYtMDD8qq+l8RcZNJsvN(10{ zQ1$XcGt}QH-U^WU!-wRR1d--{B$%vY{JLWIV%P4-KQuxxDeJaF#{eu&&r!3Qu{w}0f--8^H|KwE>)ORrcR+2Qf zb})DRcH>k0zWK8@{RX}NYvTF;E~phK{+F;MkIP$)T$93Ba2R2TvKc>`D??#mv9wg$ zd~|-`Qx5LwwsZ2hb*Rt4S9dsF%Cny5<1fscy~)d;0m2r$f=83<->c~!GNyb!U)PA; zq^!`@@)UaG)Ew(9V?5ZBq#c%dCWZrplmuM`o~TyHjAIMh0*#1{B>K4po-dx$Tk-Cq z=WZDkP5x2W&Os`N8KiYHRH#UY*n|nvd(U>yO=MFI-2BEp?x@=N<~CbLJBf6P)}vLS?xJXYJ2^<3KJUdrwKnJnTp{ zjIi|R=L7rn9b*D#Xxr4*R<3T5AuOS+#U8hNlfo&^9JO{VbH!v9^JbK=TCGR-5EWR@ zN8T-_I|&@A}(hKeL4_*eb!1G8p~&_Im8|wc>Cdir+gg90n1dw?QaXcx6Op_W1r=axRw>4;rM*UOpT#Eb9xU1IiWo@h?|5uP zka>-XW0Ikp@dIe;MN8B01a7+5V@h3WN{J=HJ*pe0uwQ3S&MyWFni47X32Q7SyCTNQ z+sR!_9IZa5!>f&V$`q!%H8ci!a|RMx5}5MA_kr+bhtQy{-^)(hCVa@I!^TV4RBi zAFa!Nsi3y37I5EK;0cqu|9MRj<^r&h1lF}u0KpKQD^5Y+LvFEwM zLU@@v4_Na#Axy6tn3P%sD^5P#<7F;sd$f4a7LBMk zGU^RZHBcxSA%kCx*eH&wgA?Qwazm8>9SCSz_!;MqY-QX<1@p$*T8lc?@`ikEqJ>#w zcG``^CoFMAhdEXT9qt47g0IZkaU)4R7wkGs^Ax}usqJ5HfDYAV$!=6?>J6+Ha1I<5 z|6=9soU4>E))tW$<#>F ziZ$6>KJf0bPfbx_)7-}tMINlc=}|H+$uX)mhC6-Hz+XZxsKd^b?RFB6et}O#+>Wmw9Ec9) z{q}XFWp{3@qmyK*Jvzpyqv57LIR;hPXKsrh{G?&dRjF%Zt5&m20Ll?OyfUYC3WRn{cgQ?^V~UAv+5 z&_m#&nIwffgX1*Z2#5^Kl4DbE#NrD&Hi4|7SPqZ}(>_+JMz=s|k77aEL}<=0Zfb)a z%F(*L3zCA<=xO)2U3B|pcTqDbBoFp>QyAEU(jMu8(jLA61-H!ucI804+B!$E^cQQa z)_ERrW3g!B9iLb3nn3dlkvD7KsY?sRvls3QC0qPi>o<)GHx%4Xb$5a3GBTJ(k@`e@ z$RUa^%S15^1oLEmA=sayrP5;9qtf!Z1*?e$ORVPsXpL{jL<6E)0sj&swP3}NPmR%FM?O>SQgN5XfHE< zo(4#Cv11(%Nnw_{_Ro}r6=gKd{k?NebJ~<~Kv0r(r0qe4n3LFx$5%x(BKvrz$m?LG zjLIc;hbj0FMdb9aH9Lpsof#yG$(0sG2%RL;d(n>;#jb!R_+dad+K;Ccw!|RY?uS(a zj~?=&M!4C(5LnlH6k%aYvz@7?xRa^2gml%vn&eKl$R_lJ+e|xsNfXzr#xuh(>`}9g zLHSyiFwK^-p!;p$yt7$F|3*IfO3Mlu9e>Dpx8O`37?fA`cj`C0B-m9uRhJjs^mRp# zWB;Aj6|G^1V6`jg7#7V9UFvnB4((nIwG?k%c7h`?0tS8J3Bn0t#pb#SA}N-|45$-j z$R>%7cc2ebAClXc(&0UtHX<>pd)akR3Kx_cK+n<}FhzmTx!8e9^u2e4%x{>T6pQ`6 zO182bh$-W5A3^wos0SV_TgPmF4WUP-+D25KjbC{y_6W_9I2_vNKwU(^qSdn&>^=*t z&uvp*@c8#2*paD!ZMCi3;K{Na;I4Q35zw$YrW5U@Kk~)&rw;G?d7Q&c9|x<Hg|CNMsxovmfth*|E*GHezPTWa^Hd^F4!B3sF;)? z(NaPyAhocu1jUe(!5Cy|dh|W2=!@fNmuNOzxi^tE_jAtzNJ0JR-avc_H|ve#KO}#S z#a(8secu|^Tx553d4r@3#6^MHbH)vmiBpn0X^29xEv!Vuh1n(Sr5I0V&`jA2;WS|Y zbf0e}X|)wA-Pf5gBZ>r4YX3Mav1kKY(ulAJ0Q*jB)YhviHK)w!TJsi3^dMa$L@^{` z_De`fF4;M87vM3Ph9SzCoCi$#Fsd38u!^0#*sPful^p5oI(xGU?yeYjn;Hq1!wzFk zG&2w}W3`AX4bxoVm03y>ts{KaDf!}b&7$(P4KAMP=vK5?1In^-YYNtx1f#}+2QK@h zeSeAI@E6Z8a?)>sZ`fbq9_snl6LCu6g>o)rO;ijp3|$vig+4t} zylEo7$SEW<_U+qgVcaVhk+4k+C9THI5V10qV*dOV6pPtAI$)QN{!JRBKh-D zk2^{j@bZ}yqW?<#VVuI_27*cI-V~sJiqQv&m07+10XF+#ZnIJdr8t`9s_EE;T2V;B z4UnQUH9EdX%zwh-5&wflY#ve!IWt0UE-My3?L#^Bh%kcgP1q{&26eXLn zTkjJ*w+(|_>Pq0v8{%nX$QZbf)tbJaLY$03;MO=Ic-uqYUmUCuXD>J>o6BCRF=xa% z3R4SK9#t1!K4I_d>tZgE>&+kZ?Q}1qo4&h%U$GfY058s%*=!kac{0Z+4Hwm!)pFLR zJ+5*OpgWUrm0FPI2ib4NPJ+Sk07j(`diti^i#kh&f}i>P4~|d?RFb#!JN)~D@)beox}bw?4VCf^y*`2{4`-@%SFTry2h z>9VBc9#JxEs1+0i2^LR@B1J`B9Ac=#FW=(?2;5;#U$0E0UNag_!jY$&2diQk_n)bT zl5Me_SUvqUjwCqmVcyb`igygB_4YUB*m$h5oeKv3uIF0sk}~es!{D>4r%PC*F~FN3owq5e0|YeUTSG#Vq%&Gk7uwW z0lDo#_wvflqHeRm*}l?}o;EILszBt|EW*zNPmq#?4A+&i0xx^?9obLyY4xx=Y9&^G;xYXYPxG)DOpPg!i_Ccl#3L}6xAAZzNhPK1XaC_~ z!A|mlo?Be*8Nn=a+FhgpOj@G7yYs(Qk(8&|h@_>w8Y^r&5nCqe0V60rRz?b5%J;GYeBqSAjo|K692GxD4` zRZyM2FdI+-jK2}WAZTZ()w_)V{n5tEb@>+JYluDozCb$fA4H)$bzg(Ux{*hXurjO^ zwAxc+UXu=&JV*E59}h3kzQPG4M)X8E*}#_&}w*KEgtX)cU{vm9b$atHa;s>| z+L6&cn8xUL*OSjx4YGjf6{Eq+Q3{!ZyhrL&^6Vz@jGbI%cAM9GkmFlamTbcQGvOlL zmJ?(FI)c86=JEs|*;?h~o)88>12nXlpMR4@yh%qdwFNpct;vMlc=;{FSo*apJ;p}! zAX~t;3tb~VuP|ZW;z$=IHf->F@Ml)&-&Bnb{iQyE#;GZ@C$PzEf6~q}4D>9jic@mTO5x76ulDz@+XAcm35!VSu zT*Gs>;f0b2TNpjU_BjHZ&S6Sqk6V1370+!eppV2H+FY!q*n=GHQ!9Rn6MjY!Jc77A zG7Y!lFp8?TIHN!LXO?gCnsYM-gQxsm=Ek**VmZu7vnuufD7K~GIxfxbsQ@qv2T zPa`tvHB$fFCyZl>3oYg?_wW)C>^_iDOc^B7klnTOoytQH18WkOk)L2BSD0r%xgRSW zQS9elF^?O=_@|58zKLK;(f77l-Zzu}4{fXed2saq!5k#UZAoDBqYQS{sn@j@Vtp|$ zG%gnZ$U|9@u#w1@11Sjl8ze^Co=)7yS(}=;68a3~g;NDe_X^}yJj;~s8xq9ahQ5_r zxAlTMnep*)w1e(TG%tWsjo3RR;yVGPEO4V{Zp?=a_0R#=V^ioQu4YL=BO4r0$$XTX zZfnw#_$V}sDAIDrezGQ+h?q24St0QNug_?{s-pI(^jg`#JRxM1YBV;a@@JQvH8*>> zIJvku74E0NlXkYe_624>znU0J@L<-c=G#F3k4A_)*;ky!C(^uZfj%WB3-*{*B$?9+ zDm$WFp=0(xnt6`vDQV3Jl5f&R(Mp};;q8d3I%Kn>Kx=^;uSVCw0L=gw53%Bp==8Sw zxtx=cs!^-_+i{2OK`Q;913+AXc_&Z5$@z3<)So0CU3;JAv=H?@Zpi~riQ{z-zLtVL z!oF<}@IgJp)Iyz1zVJ42!SPHSkjYNS4%ulVVIXdRuiZ@5Mx8LJS}J#qD^Zi_xQ@>DKDr-_e#>5h3dtje*NcwH_h;i{Sx7}dkdpuW z(yUCjckQsagv*QGMSi9u1`Z|V^}Wjf7B@q%j2DQXyd0nOyqg%m{CK_lAoKlJ7#8M} z%IvR?Vh$6aDWK2W!=i?*<77q&B8O&3?zP(Cs@kapc)&p7En?J;t-TX9abGT#H?TW? ztO5(lPKRuC7fs}zwcUKbRh=7E8wzTsa#Z{a`WR}?UZ%!HohN}d&xJ=JQhpO1PI#>X zHkb>pW04pU%Bj_mf~U}1F1=wxdBZu1790>3Dm44bQ#F=T4V3&HlOLsGH)+AK$cHk6 zia$=$kog?)07HCL*PI6}DRhpM^*%I*kHM<#1Se+AQ!!xyhcy6j7`iDX7Z-2i73_n# zas*?7LkxS-XSqv;YBa zW_n*32D(HTYQ0$feV_Fru1ZxW0g&iwqixPX3=9t4o)o|kOo79V$?$uh?#8Q8e>4e)V6;_(x&ViUVxma+i25qea;d-oK7ouuDsB^ab{ zu1qjQ%`n56VtxBE#0qAzb7lph`Eb-}TYpXB!H-}3Ykqyp`otprp7{VEuW*^IR2n$Fb99*nAtqT&oOFIf z@w*6>YvOGw@Ja?Pp1=whZqydzx@9X4n^2!n83C5{C?G@|E?&$?p*g68)kNvUTJ)I6 z1Q|(#UuP6pj78GUxq11m-GSszc+)X{C2eo-?8ud9sB=3(D47v?`JAa{V(IF zPZQ_0AY*9M97>Jf<o%#O_%Wq}8>YM=q0|tGY+hlXcpE=Z4Od z`NT7Hu2hnvRoqOw@g1f=bv`+nba{GwA$Ak0INlqI1k<9!x_!sL()h?hEWoWrdU3w` zZ%%)VR+Bc@_v!C#koM1p-3v_^L6)_Ktj4HE>aUh%2XZE@JFMOn)J~c`_7VWNb9c-N z2b|SZMR4Z@E7j&q&9(6H3yjEu6HV7{2!1t0lgizD;mZ9$r(r7W5G$ky@w(T_dFnOD z*p#+z$@pKE+>o@%eT(2-p_C}wbQ5s(%Sn_{$HDN@MB+Ev?t@3dPy`%TZ!z}AThZSu zN<1i$siJhXFdjV zP*y|V<`V8t=h#XTRUR~5`c`Z9^-`*BZf?WAehGdg)E2Je)hqFa!k{V(u+(hTf^Yq& zoruUh2(^3pe)2{bvt4&4Y9CY3js)PUHtd4rVG57}uFJL)D(JfSIo^{P=7liFXG zq5yqgof0V8paQcP!gy+;^pp-DA5pj=gbMN0eW=-eY+N8~y+G>t+x}oa!5r>tW$xhI zPQSv=pi;~653Gvf6~*JcQ%t1xOrH2l3Zy@8AoJ+wz@daW@m7?%LXkr!bw9GY@ns3e zSfuWF_gkWnesv?s3I`@}NgE2xwgs&rj?kH-FEy82=O8`+szN ziHch`vvS`zNfap14!&#i9H@wF7}yIPm=UB%(o(}F{wsZ(wA0nJ2aD^@B41>>o-_U6 zUqD~vdo48S8~FTb^+%#zcbQiiYoDKYcj&$#^;Smmb+Ljp(L=1Kt_J!;0s%1|JK}Wi z;={~oL!foo5n8=}rs6MmUW~R&;SIJO3TL4Ky?kh+b2rT9B1Jl4>#Uh-Bec z`Hsp<==#UEW6pGPhNk8H!!DUQR~#F9jEMI6T*OWfN^Ze&X(4nV$wa8QUJ>oTkruH# zm~O<`J7Wxseo@FqaZMl#Y(mrFW9AHM9Kb|XBMqaZ2a)DvJgYipkDD_VUF_PKd~dT7 z#02}bBfPn9a!X!O#83=lbJSK#E}K&yx-HI#T6ua)6o0{|={*HFusCkHzs|Fn&|C3H zBck1cmfcWVUN&i>X$YU^Sn6k2H;r3zuXbJFz)r5~3$d$tUj(l1?o={MM){kjgqXRO zc5R*#{;V7AQh|G|)jLM@wGAK&rm2~@{Pewv#06pHbKn#wL0P6F1!^qw9g&cW3Z=9} zj)POhOlwsh@eF=>z?#sIs*C-Nl(yU!#DaiaxhEs#iJqQ8w%(?+6lU02MYSeDkr!B- zPjMv+on6OLXgGnAtl(ao>|X2Y8*Hb}GRW5}-IzXnoo-d0!m4Vy$GS!XOLy>3_+UGs z2D|YcQx@M#M|}TDOetGi{9lGo9m-=0-^+nKE^*?$^uHkxZh}I{#UTQd;X!L+W@jm( zDg@N4+lUqI92o_rNk{3P>1gxAL=&O;x)ZT=q1mk0kLlE$WeWuY_$0`0jY-Kkt zP*|m3AF}Ubd=`<>(Xg0har*_@x2YH}bn0Wk*OZz3*e5;Zc;2uBdnl8?&XjupbkOeNZsNh6pvsq_ydmJI+*z**{I{0K)-;p1~k8cpJXL$^t!-`E}=*4G^-E8>H!LjTPxSx zcF+cS`ommfKMhNSbas^@YbTpH1*RFrBuATUR zt{oFWSk^$xU&kbFQ;MCX22RAN5F6eq9UfR$ut`Jw--p2YX)A*J69m^!oYfj2y7NYcH6&r+0~_sH^c^nzeN1AU4Ga7=FlR{S|Mm~MpzY0$Z+p2W(a={b-pR9EO1Rs zB%KY|@wLcAA@)KXi!d2_BxrkhDn`DT1=Dec}V!okd{$+wK z4E{n8R*xKyci1(CnNdhf$Dp2(Jpof0-0%-38X=Dd9PQgT+w%Lshx9+loPS~MOm%ZT zt%2B2iL_KU_ita%N>xjB!#71_3=3c}o zgeW~^U_ZTJQ2!PqXulQd=3b=XOQhwATK$y(9$#1jOQ4}4?~l#&nek)H(04f(Sr=s| zWv7Lu1=%WGk4FSw^;;!8&YPM)pQDCY9DhU`hMty1@sq1=Tj7bFsOOBZOFlpR`W>-J$-(kezWJj;`?x-v>ev{*8V z8p|KXJPV$HyQr1A(9LVrM47u-XpcrIyO`yWvx1pVYc&?154aneRpLqgx)EMvRaa#|9?Wwqs2+W8n5~79G z(}iCiLk;?enn}ew`HzhG+tu+Ru@T+K5juvZN)wY;x6HjvqD!&!)$$;1VAh~7fg0K| zEha#aN=Yv|3^~YFH}cc38ovVb%L|g@9W6fo(JtT6$fa?zf@Ct88e}m?i)b*Jgc{fl zExfdvw-BYDmH6>(4QMt#p0;FUIQqkhD}aH?a7)_%JtA~soqj{ppP_82yi9kaxuK>~ ze_)Zt>1?q=ZH*kF{1iq9sr*tVuy=u>Zev}!gEZx@O6-fjyu9X00gpIl-fS_pzjpqJ z1yqBmf9NF!jaF<+YxgH6oXBdK)sH(>VZ)1siyA$P<#KDt;8NT*l_0{xit~5j1P)FN zI8hhYKhQ)i z37^aP13B~u65?sg+_@2Kr^iWHN=U;EDSZ@2W2!5ALhGNWXnFBY%7W?1 z=HI9JzQ-pLKZDYTv<0-lt|6c-RwhxZ)mU2Os{bsX_i^@*fKUj8*aDO5pks=qn3Dv6 zwggpKLuyRCTVPwmw1r}B#AS}?X7b837UlXwp~E2|PJw2SGVueL7){Y&z!jL!XN=0i zU^Eig`S2`{+gU$68aRdWx?BZ{sU_f=8sn~>s~M?GU~`fH5kCc; z8ICp+INM3(3{#k32RZdv6b9MQYdZXNuk7ed8;G?S2nT+NZBG=Tar^KFl2SvhW$bGW#kdWL-I)s_IqVnCDDM9fm8g;P;8 z7t4yZn3^*NQfx7SwmkzP$=fwdC}bafQSEF@pd&P8@H#`swGy_rz;Z?Ty5mkS%>m#% zp_!m9e<()sfKiY(nF<1zBz&&`ZlJf6QLvLhl`_``%RW&{+O>Xhp;lwSsyRqGf=RWd zpftiR`={2(siiPAS|p}@q=NhVc0ELprt%=fMXO3B)4ryC2LT(o=sLM7hJC!}T1@)E zA3^J$3&1*M6Xq>03FX`R&w*NkrZE?FwU+Muut;>qNhj@bX17ZJxnOlPSZ=Zeiz~T_ zOu#yc3t6ONHB;?|r4w+pI)~KGN;HOGC)txxiUN8#mexj+W(cz%9a4sx|IRG=}ia zuEBuba3AHsV2feqw-3MvuL`I+2|`Ud4~7ZkN=JZ;L20|Oxna5vx1qbIh#k2O4$RQF zo`tL()zxaqibg^GbB+BS5#U{@K;WWQj~GcB1zb}zJkPwH|5hZ9iH2308!>_;%msji zJHSL~s)YHBR=Koa1mLEOHos*`gp=s8KA-C zu0aE+W!#iJ*0xqKm3A`fUGy#O+X+5W36myS>Uh2!R*s$aCU^`K&KKLCCDkejX2p=5 z%o7-fl03x`gaSNyr?3_JLv?2RLS3F*8ub>Jd@^Cc17)v8vYEK4aqo?OS@W9mt%ITJ z9=S2%R8M){CugT@k~~0x`}Vl!svYqX=E)c_oU6o}#Hb^%G1l3BudxA{F*tbjG;W_>=xV73pKY53v%>I)@D36I_@&p$h|Aw zonQS`07z_F#@T-%@-Tb|)7;;anoD_WH>9ewFy(ZcEOM$#Y)8>qi7rCnsH9GO-_7zF zu*C87{Df1P4TEOsnzZ@H%&lvV(3V@;Q!%+OYRp`g05PjY^gL$^$-t0Y>H*CDDs?FZly*oZ&dxvsxaUWF!{em4{A>n@vpXg$dwvt@_rgmHF z-MER`ABa8R-t_H*kv>}CzOpz;!>p^^9ztHMsHL|SRnS<-y5Z*r(_}c4=fXF`l^-i}>e7v!qs_jv zqvWhX^F=2sDNWA9c@P0?lUlr6ecrTKM%pNQ^?*Lq?p-0~?_j50xV%^(+H>sMul#Tw zeciF*1=?a7cI(}352%>LO96pD+?9!fNyl^9v3^v&Y4L)mNGK0FN43&Xf8jUlxW1Bw zyiu2;qW-aGNhs=zbuoxnxiwZ3{PFZM#Kw)9H@(hgX23h(`Wm~m4&TvoZoYp{plb^> z_#?vXcxd>r7K+1HKJvhed>gtK`TAbJUazUWQY6T~t2af%#<+Veyr%7-#*A#@&*;@g58{i|E%6yC_InGXCOd{L0;$)z#?n7M`re zh!kO{6=>7I?*}czyF7_frt#)s1CFJ_XE&VrDA?Dp3XbvF{qsEJgb&OLSNz_5g?HpK z9)8rsr4JN!Af3G9!#Qn(6zaUDqLN(g2g8*M)Djap?WMK9NKlkC)E2|-g|#-rp%!Gz zAHd%`iq|81efi93m3yTBw3g0j#;Yb2X{mhRAI?&KDmbGqou(2xiRNb^sV}%%Wu0?< z?($L>(#BO*)^)rSgyNRni$i`R4v;GhlCZ8$@e^ROX(p=2_v6Y!%^As zu022)fHdv_-~Yu_H6WVPLpHQx!W%^6j)cBhS`O3QBW#x(eX54d&I22op(N59b*&$v zFiSRY6rOc^(dgSV1>a7-5C;(5S5MvKcM2Jm-LD9TGqDpP097%52V+0>Xqq!! zq4e3vj53SE6i8J`XcQB|MZPP8j;PAOnpGnllH6#Ku~vS42xP*Nz@~y%db7Xi8s09P z1)e%8ys6&M8D=Dt6&t`iKG_4X=!kgRQoh%Z`dc&mlOUqXk-k`jKv9@(a^2-Upw>?< zt5*^DV~6Zedbec4NVl($2T{&b)zA@b#dUyd>`2JC0=xa_fIm8{5um zr-!ApXZhC8@=vC2WyxO|!@0Km)h8ep*`^he92$@YwP>VcdoS5OC^s38e#7RPsg4j+ zbVGG}WRSET&ZfrcR(x~k8n1rTP%CnfUNKUonD$P?FtNFF#cn!wEIab-;jU=B1dHK@ z(;(yAQJ`O$sMn>h;pf^8{JISW%d+@v6@CnXh9n5TXGC}?FI9i-D0OMaIg&mAg=0Kn zNJ7oz5*ReJukD55fUsMuaP+H4tDN&V9zfqF@ zr=#ecUk9wu{0;!+gl;3Bw=Vn^)z$ahVhhw)io!na&9}LmWurLb0zubxK=UEnU*{5P z+SP}&*(iBKSO4{alBHaY^)5Q=mZ+2OwIooJ7*Q5XJ+2|q`9#f?6myq!&oz?klihLq z4C)$XP!BNS0G_Z1&TM>?Jk{S~{F3n83ioli=IO6f%wkvCl(RFFw~j0tb{GvXTx>*sB0McY0s&SNvj4+^h`9nJ_wM>F!Uc>X}9PifQekn0sKI2SAJP!a4h z5cyGTuCj3ZBM^&{dRelIlT^9zcfaAuL5Y~bl!ppSf`wZbK$z#6U~rdclk``e+!qhe z6Qspo*%<)eu6?C;Bp<^VuW6JI|Ncvyn+LlSl;Mp22Bl7ARQ0Xc24%29(ZrdsIPw&-=yHQ7_Vle|5h>AST0 zUGX2Zk34vp?U~IHT|;$U86T+UUHl_NE4m|}>E~6q``7hccCaT^#y+?wD##Q%HwPd8 zV3x4L4|qqu`B$4(LXqDJngNy-{&@aFBvVsywt@X^}iH7P%>bR?ciC$I^U-4Foa`YKI^qDyGK7k%E%c_P=yzAi`YnxGA%DeNd++j3*h^ z=rn>oBd0|~lZ<6YvmkKY*ZJlJ;Im0tqgWu&E92eqt;+NYdxx`eS(4Hw_Jb5|yVvBg z*tbdY^!AN;luEyN4VRhS@-_DC{({ziH{&Z}iGElSV~qvT>L-8G%+yEL zX#MFOhj{InyKG=mvW-<1B@c-}x$vA(nU?>S>0*eN#!SLzQ)Ex7fvQ)S4D<8|I#N$3 zT5Ei`Z?cxBODHX8(Xp73v`IsAYC@9b;t}z0wxVuQSY1J^GRwDPN@qbM-ZF48T$GZ< z8WU+;Pqo?{ghI-KZ-i*ydXu`Ep0Xw^McH_KE9J0S7G;x8Fe`DVG?j3Pv=0YzJ}yZR z%2=oqHiUjvuk0~Ca>Kol4CFi0_xQT~;_F?=u+!kIDl-9g`#ZNZ9HCy17Ga1v^Jv9# z{T4Kb1-AzUxq*MutfOWWZgD*HnFfyYg0&e9f(5tZ>krPF6{VikNeHoc{linPPt#Si z&*g>(c54V8rT_AX!J&bNm-!umPvOR}vDai#`CX___J#=zeB*{4<&2WpaDncZsOkp* zsg<%@@rbrMkR_ux9?LsQxzoBa1s%$BBn6vk#{&&zUwcfzeCBJUwFYSF$08qDsB;gWQN*g!p8pxjofWbqNSZOEKOaTx@+* zwdt5*Q47@EOZ~EZL9s?1o?A%9TJT=Ob_13yyugvPg*e&ZU(r6^k4=2+D-@n=Hv5vu zSXG|hM(>h9^zn=eQ=$6`JO&70&2|%V5Lsx>)(%#;pcOfu>*nk_3HB_BNaH$`jM<^S zcSftDU1?nL;jy)+sfonQN}(}gUW?d_ikr*3=^{G)=tjBtEPe>TO|0ddVB zTklrSHiW+!#26frPXQQ(YN8DG$PZo?(po(QUCCf_OJC`pw*uey00%gmH!`WJkrKXj2!#6?`T25mTu9OJp2L8z3! z=arrL$ZqxuE{%yV)14Kd>k}j7pxZ6#$Dz8$@WV5p8kTqN<-7W)Q7Gt2{KoOPK_tZ| zf2WG~O5@{qPI+W<4f_;reuFVdO^5`ADC1!JQE|N`s3cq@(0WB!n0uh@*c{=LAd;~} zyGK@hbF-Oo+!nN)@i*O(`@FA#u?o=~e{`4O#5}z&=UkU*50fOrzi11D^&FOqe>wii z?*k+2|EcUs;Gx{!@KBT~>PAwLrIDT7Th=Utu?~?np@t^gFs?zgX=D${RwOY^WGh-+ z+#4$066ISh8eYW#FXWp~S`<*%O^ZuItL1Tyqt8#tZ zY120E;^VG`!lZn&3sPd$RkdHpU#|w+bYV)pJC|SH9g%|5IkxVTQcBA4CL0}$&}ef@ zW^Vtj%M;;_1xxP9x#ex17&4N*{ksO*_4O}xYu(p*JkL#yr}@7b)t5X?%CY<+s5_MJ zuiqt+N_;A(_)%lumoyRFixWa-M7qK_9s6<1X?JDa9fP!+_6u~~M$5L=ipB=7(j#f< zZ34J%=bs549%~_mA(|={uZNs_0?o7;-LBP(ZRnkd{-^|2|=4vUTmtByHL8 zEph`(LSEzQj68a+`d$V<45J7cyv^#|^|%fD#si1Nx!4NW*`l*{->HEWNh6-|g>-=r zXmQ|-i}Ku$ndUeHQ^&ieT!Lf}vf6GaqW9$DJ2NWrqwPY%%4nip$@vK$nRp*_C-v<| zuKz~ZyN&<%!NS26&x?jhy+@awJipMQ-8(X4#Ae5??U<1QMt1l9R=w9fAnEF}NYu$2 z>6}Vkc zIb*A?G*z8^IvibmBKn_u^5&T_1oey0gZS2~obf(#xk=erZGTEdQnt3DMGM+0oPwss zj5zXD;(oWhB_T@~Ig#9@v)AKtXu3>Inmgf@A|-lD-1U>cNyl3h?ADD9)GG4}zUGPk zZzaXe!~Kf?<~@$G?Uql3t8jy9{2!doq4=J}j9ktTxss{p6!9UdjyDERlA*xZ!=Q)KDs5O)phz>Vq3BNGoM(H|=1*Q4$^2fTZw z(%nq1P|5Rt81}SYJpEEzMPl5VJsV5&4e)ZWKDyoZ>1EwpkHx-AQVQc8%JMz;{H~p{=FXV>jIxvm4X*qv52e?Y-f%DJ zxEA165GikEASQ^fH6K#d!Tpu2HP{sFs%E=e$gYd$aj$+xue6N+Wc(rAz~wUsk2`(b z8Kvmyz%bKQxpP}~baG-rwYcYCvkHOi zlkR<=>ZBTU*8RF_d#Bl@zZsRIhx<%~Z@Z=ik z>adw3!DK(8R|q$vy{FTxw%#xliD~6qXmY^7_9kthVPTF~Xy1CfBqbU~?1QmxmU=+k z(ggxvEuA;0e&+ci-zQR{-f7aO{O(Pz_OsEjLh_K>MbvoZ4nxtk5u{g@nPv)cgW_R} z9}EA4K4@z0?7ue}Z(o~R(X&FjejUI2g~08PH1E4w>9o{)S(?1>Z0XMvTb|;&EuyOE zGvWNpYX)Nv<8|a^;1>bh#&znEcl-r!T#pn= z4$?Yudha6F%4b>*8@=BdtXXY4N+`U4Dmx$}>HeVJk-QdTG@t!tVT#0(LeV0gvqyyw z2sEp^9eY0N`u10Tm4n8No&A=)IeEC|gnmEXoNSzu!1<4R<%-9kY_8~5Ej?zRegMn78wuMs#;i&eUA0Zk_RXQ3b&TT} z;SCI=7-FUB@*&;8|n>(_g^HGf3@QODE3LpmX~ELnymQm{Sx9xrKS zK29p~?v@R$0=v6Dr5aW>-!{+h@?Q58|Kz8{{W`%J+lDAdb&M5VHrX_mDY;1-JLnf)ezmPau$)1;=`-FU=-r-83tX=C`S#}GZufju zQ>sXNT0Ny=k@nc%cFnvA_i4SC)?_ORXHq8B4D%el1uPX`c~uG#S1M7C+*MMqLw78E zhY2dI8@+N^qrMI1+;TUda(vGqGSRyU{Fnm`aqrr7bz42c5xsOO-~oZpkzorD1g}Y<6rk&3>PsSGy}W?MtqFky@A(X# zIuNZK0cK?^=;PUAu>j0#HtjbHCV*6?jzA&OoE$*Jlga*}LF`SF?WLhv1O|zqC<>*> zYB;#lsYKx0&kH@BFpW8n*yDcc6?;_zaJs<-jPSkCsSX-!aV=P5kUgF@Nu<{a%#K*F z134Q{9|YX7X(v$62_cY3^G%t~rD>Q0z@)1|zs)vjJ6Jq9;7#Ki`w+eS**En?7;n&7 zu==V3T&eFboN3ZiMx3D8qYc;VjFUk_H-WWCau(VFXSQf~viH0L$gwD$UfFHqNcgN`x}M+YQ6RnN<+@t>JUp#)9YOkqst-Ga?{FsDpEeX0(5v{0J~SEbWiL zXC2}M4?UH@u&|;%0y`eb33ldo4~z-x8zY!oVmV=c+f$m?RfDC35mdQ2E>Pze7KWP- z>!Bh<&57I+O_^s}9Tg^k)h7{xx@0a0IA~GAOt2yy!X%Q$1rt~LbTB6@Du!_0%HV>N zlf)QI1&gvERKwso23mJ!Ou6ZS#zCS5W`gxE5T>C#E|{i<1D35C222I33?Njaz`On7 zi<+VWFP6D{e-{yiN#M|Jgk<44u1TiMI78S5W`Sdb5f+{zu34s{CfWN7a3Cf^@L%!& zN$?|!!9j2c)j$~+R6n#891w-z8(!oBpL2K=+%a$r2|~8-(vQj5_XT`<0Ksf;oP+tz z9CObS!0m)Tgg`K#xBM8B(|Z)Wb&DYL{WTYv`;A=q6~Nnx2+!lTIXtj8J7dZE!P_{z z#f8w6F}^!?^KE#+ZDv+xd5O&3EmomZzsv?>E-~ygGum45fk!SBN&|eo1rKw^?aZJ4 E2O(~oYXATM diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 6499169..b82aa23 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.9.2-all.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/main/build.gradle.kts b/main/build.gradle.kts index 61e4e93..d932af9 100644 --- a/main/build.gradle.kts +++ b/main/build.gradle.kts @@ -10,9 +10,9 @@ dependencies { implementation("com.google.guava:guava-annotations:r03") implementation("commons-codec:commons-codec:1.15") - api("com.auth0:auth0:2.11.0") - api("com.auth0:java-jwt:3.19.4") - api("com.auth0:jwks-rsa:0.22.1") + implementation("com.auth0:auth0:1.45.1") + implementation("com.auth0:java-jwt:3.19.4") + implementation("com.auth0:jwks-rsa:0.22.1") testImplementation("org.bouncycastle:bcprov-jdk18on:1.78.1") testImplementation("org.hamcrest:hamcrest:2.2") From 3055503a6b09b188471a321c52d923f69c55235a Mon Sep 17 00:00:00 2001 From: Ashutosh Sultania Date: Thu, 30 May 2024 18:02:09 +0530 Subject: [PATCH 3/4] Remove some deprecated stuff --- EXAMPLES.md | 8 - .../kotlin/java-common-conventions.gradle.kts | 12 +- main/build.gradle.kts | 2 +- .../com/auth0/AuthenticationController.java | 35 +---- .../src/main/java/com/auth0/AuthorizeUrl.java | 12 +- .../main/java/com/auth0/RequestProcessor.java | 4 +- .../auth0/AuthenticationControllerTest.java | 141 ++++-------------- 7 files changed, 53 insertions(+), 161 deletions(-) diff --git a/EXAMPLES.md b/EXAMPLES.md index 975df40..e318aef 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -96,11 +96,3 @@ AuthenticationController authController = AuthenticationController.newBuilder("Y .build(); ``` -## HTTP logging - -Once you have created the instance of the `AuthenticationController`, you can enable HTTP logging for all Requests and Responses to debug a specific endpoint. -**This will log everything including sensitive information** - do not use it in a production environment. - -```java -authController.setLoggingEnabled(true); -``` diff --git a/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts b/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts index 359123a..846dc81 100644 --- a/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts +++ b/buildSrc/src/main/kotlin/java-common-conventions.gradle.kts @@ -42,11 +42,13 @@ spotless { } } -tasks.withType { - options.compilerArgs.addAll(listOf("-Xlint:unchecked", "-Xlint:deprecation", "-Werror")) - options.errorprone.isEnabled.set(false) - options.errorprone.disable("SameNameButDifferent", "MissingSummary", "JavaTimeDefaultTimeZone", "ObjectEqualsForPrimitives", "AlmostJavadoc","UnusedVariable") -} + +// Disabled this as a lot of stuff is deprecated +//tasks.withType { +// options.compilerArgs.addAll(listOf("-Xlint:unchecked", "-Xlint:deprecation", "-Werror")) +// options.errorprone.isEnabled.set(false) +// options.errorprone.disable("SameNameButDifferent", "MissingSummary", "JavaTimeDefaultTimeZone", "ObjectEqualsForPrimitives", "AlmostJavadoc","UnusedVariable") +//} tasks.named("check") { dependsOn("spotlessCheck") diff --git a/main/build.gradle.kts b/main/build.gradle.kts index d932af9..03e46ee 100644 --- a/main/build.gradle.kts +++ b/main/build.gradle.kts @@ -10,7 +10,7 @@ dependencies { implementation("com.google.guava:guava-annotations:r03") implementation("commons-codec:commons-codec:1.15") - implementation("com.auth0:auth0:1.45.1") + implementation("com.auth0:auth0:2.12.0") implementation("com.auth0:java-jwt:3.19.4") implementation("com.auth0:jwks-rsa:0.22.1") diff --git a/main/src/main/java/com/auth0/AuthenticationController.java b/main/src/main/java/com/auth0/AuthenticationController.java index 4dc825f..aa2e95a 100644 --- a/main/src/main/java/com/auth0/AuthenticationController.java +++ b/main/src/main/java/com/auth0/AuthenticationController.java @@ -3,12 +3,10 @@ import com.auth0.client.HttpOptions; import com.auth0.client.auth.AuthAPI; import com.auth0.jwk.JwkProvider; -import com.auth0.net.Telemetry; import com.google.common.annotations.VisibleForTesting; -import org.apache.commons.lang3.Validate; - import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import org.apache.commons.lang3.Validate; /** @@ -196,8 +194,7 @@ public Builder withInvitation(String invitation) { * @throws UnsupportedOperationException if the Implicit Grant is chosen and the environment doesn't support UTF-8 encoding. */ public AuthenticationController build() throws UnsupportedOperationException { - AuthAPI apiClient = createAPIClient(domain, clientId, clientSecret, httpOptions); - setupTelemetry(apiClient); + AuthAPI apiClient = createAPIClient(domain, clientId, clientSecret, null); final boolean expectedAlgorithmIsExplicitlySetAndAsymmetric = jwkProvider != null; final SignatureVerifier signatureVerifier; @@ -214,15 +211,9 @@ public AuthenticationController build() throws UnsupportedOperationException { String issuer = getIssuer(domain); IdTokenVerifier.Options verifyOptions = createIdTokenVerificationOptions(issuer, clientId, signatureVerifier); - verifyOptions.setClockSkew(clockSkew); - verifyOptions.setMaxAge(authenticationMaxAge); - verifyOptions.setOrganization(this.organization); RequestProcessor processor = new RequestProcessor.Builder(apiClient, responseType, verifyOptions) .withLegacySameSiteCookie(useLegacySameSiteCookie) - .withOrganization(organization) - .withInvitation(invitation) - .withCookiePath(cookiePath) .build(); return new AuthenticationController(processor); @@ -242,9 +233,8 @@ AuthAPI createAPIClient(String domain, String clientId, String clientSecret, Htt } @VisibleForTesting - void setupTelemetry(AuthAPI client) { - Telemetry telemetry = new Telemetry("auth0-java-mvc-common", obtainPackageVersion()); - client.setTelemetry(telemetry); + AuthAPI createAPIClient(String domain, String clientId, String clientSecret) { + return new AuthAPI(domain, clientId, clientSecret, null); } @VisibleForTesting @@ -265,23 +255,6 @@ private String getIssuer(String domain) { } } - /** - * Whether to enable or not the HTTP Logger for every Request and Response. - * Enabling this can expose sensitive information. - * - * @param enabled whether to enable the HTTP logger or not. - */ - public void setLoggingEnabled(boolean enabled) { - requestProcessor.getClient().setLoggingEnabled(enabled); - } - - /** - * Disable sending the Telemetry header on every request to the Auth0 API - */ - public void doNotSendTelemetry() { - requestProcessor.getClient().doNotSendTelemetry(); - } - /** * Process a request to obtain a set of {@link Tokens} that represent successful authentication or authorization. * diff --git a/main/src/main/java/com/auth0/AuthorizeUrl.java b/main/src/main/java/com/auth0/AuthorizeUrl.java index d9dbf31..8e19b40 100644 --- a/main/src/main/java/com/auth0/AuthorizeUrl.java +++ b/main/src/main/java/com/auth0/AuthorizeUrl.java @@ -5,6 +5,7 @@ import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.PushedAuthorizationResponse; +import com.auth0.net.Response; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import java.util.*; @@ -224,15 +225,18 @@ public String fromPushedAuthorizationRequest() throws InvalidRequestException { storeTransient(); try { - PushedAuthorizationResponse pushedAuthResponse = authAPI.pushedAuthorizationRequest(redirectUri, responseType, params).execute(); - String requestUri = pushedAuthResponse.getRequestURI(); + Response pushedAuthResponse = authAPI.pushedAuthorizationRequest(redirectUri, responseType, params).execute(); + if (pushedAuthResponse == null || pushedAuthResponse.getBody() == null) { + throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing or empty response"); + } + String requestUri = pushedAuthResponse.getBody().getRequestURI(); if (requestUri == null || requestUri.isEmpty()) { throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing or empty request_uri value"); } - if (pushedAuthResponse.getExpiresIn() == null) { + if (pushedAuthResponse.getBody().getExpiresIn() == null) { throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing expires_in value"); } - return authAPI.authorizeUrlWithPAR(pushedAuthResponse.getRequestURI()); + return authAPI.authorizeUrlWithPAR(pushedAuthResponse.getBody().getRequestURI()); } catch (Auth0Exception e) { throw new InvalidRequestException(API_ERROR, e.getMessage(), e); } diff --git a/main/src/main/java/com/auth0/RequestProcessor.java b/main/src/main/java/com/auth0/RequestProcessor.java index d5ae977..d5316b0 100644 --- a/main/src/main/java/com/auth0/RequestProcessor.java +++ b/main/src/main/java/com/auth0/RequestProcessor.java @@ -3,6 +3,7 @@ import com.auth0.client.auth.AuthAPI; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.TokenHolder; +import com.auth0.net.Response; import org.apache.commons.lang3.Validate; import jakarta.servlet.http.HttpServletRequest; @@ -344,9 +345,10 @@ private void checkSessionState(HttpServletRequest request, String stateFromReque * @see AuthAPI#exchangeCode(String, String) */ private Tokens exchangeCodeForTokens(String authorizationCode, String redirectUri) throws Auth0Exception { - TokenHolder holder = client + Response tokenHolderResponse = client .exchangeCode(authorizationCode, redirectUri) .execute(); + TokenHolder holder = tokenHolderResponse.getBody(); return new Tokens(holder.getAccessToken(), holder.getIdToken(), holder.getRefreshToken(), holder.getTokenType(), holder.getExpiresIn()); } diff --git a/main/src/test/java/com/auth0/AuthenticationControllerTest.java b/main/src/test/java/com/auth0/AuthenticationControllerTest.java index 04a09e4..66bbabb 100644 --- a/main/src/test/java/com/auth0/AuthenticationControllerTest.java +++ b/main/src/test/java/com/auth0/AuthenticationControllerTest.java @@ -1,12 +1,32 @@ package com.auth0; -import com.auth0.client.HttpOptions; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.contains; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.everyItem; +import static org.hamcrest.Matchers.hasItem; +import static org.hamcrest.Matchers.instanceOf; +import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.notNullValue; +import static org.hamcrest.Matchers.nullValue; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.anyString; +import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.eq; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + import com.auth0.client.auth.AuthAPI; import com.auth0.client.auth.AuthorizeUrlBuilder; import com.auth0.json.auth.TokenHolder; import com.auth0.jwk.JwkProvider; -import com.auth0.net.Telemetry; +import com.auth0.net.Response; import com.auth0.net.TokenRequest; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import java.util.List; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.ArgumentCaptor; @@ -16,16 +36,6 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; -import java.util.List; - -import static org.hamcrest.MatcherAssert.assertThat; -import static org.hamcrest.Matchers.contains; -import static org.hamcrest.Matchers.*; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.Mockito.*; - @SuppressWarnings("deprecated") public class AuthenticationControllerTest { @@ -45,105 +55,11 @@ public void setUp() { AuthenticationController.Builder builder = AuthenticationController.newBuilder("domain", "clientId", "clientSecret"); builderSpy = spy(builder); - doReturn(client).when(builderSpy).createAPIClient(eq("domain"), eq("clientId"), eq("clientSecret"), eq(null)); + doReturn(client).when(builderSpy).createAPIClient(eq("domain"), eq("clientId"), eq("clientSecret")); doReturn(verificationOptions).when(builderSpy).createIdTokenVerificationOptions(eq("https://domain/"), eq("clientId"), signatureVerifierCaptor.capture()); doReturn("1.2.3").when(builderSpy).obtainPackageVersion(); } - @Test - public void shouldSetupClientWithTelemetry() { - AuthenticationController controller = builderSpy.build(); - - ArgumentCaptor telemetryCaptor = ArgumentCaptor.forClass(Telemetry.class); - - assertThat(controller, is(notNullValue())); - RequestProcessor requestProcessor = controller.getRequestProcessor(); - assertThat(requestProcessor.getClient(), is(client)); - verify(client).setTelemetry(telemetryCaptor.capture()); - - Telemetry capturedTelemetry = telemetryCaptor.getValue(); - assertThat(capturedTelemetry, is(notNullValue())); - assertThat(capturedTelemetry.getName(), is("auth0-java-mvc-common")); - assertThat(capturedTelemetry.getVersion(), is("1.2.3")); - } - - @Test - public void shouldCreateAuthAPIClientWithoutCustomHttpOptions() { - ArgumentCaptor captor = ArgumentCaptor.forClass(HttpOptions.class); - AuthenticationController.Builder spy = spy(AuthenticationController.newBuilder("domain", "clientId", "clientSecret")); - - spy.build(); - verify(spy).createAPIClient(eq("domain"), eq("clientId"), eq("clientSecret"), captor.capture()); - - HttpOptions actual = captor.getValue(); - assertThat(actual, is(nullValue())); - - } - - @Test - public void shouldCreateAuthAPIClientWithCustomHttpOptions() { - HttpOptions options = new HttpOptions(); - options.setConnectTimeout(5); - options.setReadTimeout(6); - - ArgumentCaptor captor = ArgumentCaptor.forClass(HttpOptions.class); - AuthenticationController.Builder spy = spy(AuthenticationController.newBuilder("domain", "clientId", "clientSecret") - .withHttpOptions(options)); - - spy.build(); - verify(spy).createAPIClient(eq("domain"), eq("clientId"), eq("clientSecret"), captor.capture()); - - HttpOptions actual = captor.getValue(); - assertThat(actual, is(notNullValue())); - assertThat(actual.getConnectTimeout(), is(5)); - assertThat(actual.getReadTimeout(), is(6)); - } - - @Test - public void shouldDisableTelemetry() { - AuthenticationController controller = builderSpy.build(); - controller.doNotSendTelemetry(); - - verify(client).doNotSendTelemetry(); - } - - @Test - public void shouldEnableLogging() { - AuthenticationController controller = builderSpy.build(); - - controller.setLoggingEnabled(true); - verify(client).setLoggingEnabled(true); - } - - @Test - public void shouldDisableLogging() { - AuthenticationController controller = builderSpy.build(); - - controller.setLoggingEnabled(true); - verify(client).setLoggingEnabled(true); - } - - @Test - public void shouldCreateWithSymmetricSignatureVerifierForNoCodeGrants() { - AuthenticationController controller = builderSpy - .withResponseType("id_token") - .build(); - - SignatureVerifier signatureVerifier = signatureVerifierCaptor.getValue(); - assertThat(signatureVerifier, is(notNullValue())); - assertThat(signatureVerifier, instanceOf(SymmetricSignatureVerifier.class)); - assertThat(verificationOptions, is(controller.getRequestProcessor().verifyOptions)); - - controller = builderSpy - .withResponseType("token") - .build(); - - signatureVerifier = signatureVerifierCaptor.getValue(); - assertThat(signatureVerifier, is(notNullValue())); - assertThat(signatureVerifier, instanceOf(SymmetricSignatureVerifier.class)); - assertThat(verificationOptions, is(controller.getRequestProcessor().verifyOptions)); - } - @Test public void shouldCreateWithAsymmetricSignatureVerifierWhenJwkProviderIsExplicitlySet() { JwkProvider jwkProvider = mock(JwkProvider.class); @@ -402,7 +318,6 @@ public void shouldSetLaxCookiesAndNoLegacyCookieWhenCodeFlow() { MockHttpServletResponse response = new MockHttpServletResponse(); AuthenticationController controller = AuthenticationController.newBuilder("domain", "clientId", "clientSecret") - .withResponseType("code") .build(); controller.buildAuthorizeUrl(new MockHttpServletRequest(), response, "https://redirect.uri/here") @@ -463,8 +378,10 @@ public void shouldCheckSessionFallbackWhenHandleCalledWithRequestAndResponse() t AuthenticationController controller = builderSpy.withResponseType("code").build(); TokenRequest codeExchangeRequest = mock(TokenRequest.class); + Response tokenHolderResponse = mock(Response.class); TokenHolder tokenHolder = mock(TokenHolder.class); - when(codeExchangeRequest.execute()).thenReturn(tokenHolder); + when(tokenHolderResponse.getBody()).thenReturn(tokenHolder); + when(codeExchangeRequest.execute()).thenReturn(tokenHolderResponse); when(client.exchangeCode("abc123", "http://localhost")).thenReturn(codeExchangeRequest); AuthorizeUrlBuilder mockBuilder = mock(AuthorizeUrlBuilder.class); @@ -496,11 +413,13 @@ public void shouldCheckSessionFallbackWhenHandleCalledWithRequestAndResponse() t @Test public void shouldCheckSessionFallbackWhenHandleCalledWithRequest() throws Exception { - AuthenticationController controller = builderSpy.withResponseType("code").build(); + AuthenticationController controller = builderSpy.build(); TokenRequest codeExchangeRequest = mock(TokenRequest.class); + Response tokenHolderResponse = mock(Response.class); TokenHolder tokenHolder = mock(TokenHolder.class); - when(codeExchangeRequest.execute()).thenReturn(tokenHolder); + when(tokenHolderResponse.getBody()).thenReturn(tokenHolder); + when(codeExchangeRequest.execute()).thenReturn(tokenHolderResponse); when(client.exchangeCode("abc123", "http://localhost")).thenReturn(codeExchangeRequest); AuthorizeUrlBuilder mockBuilder = mock(AuthorizeUrlBuilder.class); From 204f25af9755d1de58f901d102f74b91416f0381 Mon Sep 17 00:00:00 2001 From: Ashutosh Sultania Date: Tue, 11 Jun 2024 18:20:33 +0530 Subject: [PATCH 4/4] Convert stuff to use reactive --- main/build.gradle.kts | 4 +- .../auth0/AsymmetricSignatureVerifier.java | 1 - main/src/main/java/com/auth0/AuthCookie.java | 3 +- .../com/auth0/AuthenticationController.java | 75 ++------- .../src/main/java/com/auth0/AuthorizeUrl.java | 98 ++++++------ .../main/java/com/auth0/IdTokenVerifier.java | 3 +- .../main/java/com/auth0/RandomStorage.java | 32 ++-- .../main/java/com/auth0/RequestProcessor.java | 149 ++++++++++-------- main/src/main/java/com/auth0/SameSite.java | 2 +- .../src/main/java/com/auth0/SessionUtils.java | 47 +++--- .../java/com/auth0/SignatureVerifier.java | 3 +- .../src/main/java/com/auth0/StorageUtils.java | 3 +- .../java/com/auth0/TransientCookieStore.java | 64 ++++---- .../test/java/com/auth0/AuthorizeUrlTest.java | 30 ++-- .../java/com/auth0/IdTokenVerifierTest.java | 15 +- .../IdentityVerificationExceptionTest.java | 8 +- .../auth0/InvalidRequestExceptionTest.java | 6 +- .../java/com/auth0/RandomStorageTest.java | 6 +- .../java/com/auth0/RequestProcessorTest.java | 35 ++-- .../test/java/com/auth0/SessionUtilsTest.java | 6 +- .../java/com/auth0/SignatureVerifierTest.java | 19 ++- main/src/test/java/com/auth0/TokensTest.java | 6 +- .../com/auth0/TransientCookieStoreTest.java | 19 ++- 23 files changed, 323 insertions(+), 311 deletions(-) diff --git a/main/build.gradle.kts b/main/build.gradle.kts index 03e46ee..6c4b7f2 100644 --- a/main/build.gradle.kts +++ b/main/build.gradle.kts @@ -5,6 +5,8 @@ plugins { } dependencies { + implementation("org.springframework.boot:spring-boot-starter-webflux:3.2.5") + implementation("jakarta.servlet:jakarta.servlet-api:6.0.0") implementation("org.apache.commons:commons-lang3:3.12.0") implementation("com.google.guava:guava-annotations:r03") @@ -22,7 +24,7 @@ dependencies { testImplementation("com.squareup.okhttp3:okhttp:4.12.0") } -version = "1.0.0" +version = "1.0.1-SNAPSHOT" publishing { publications { diff --git a/main/src/main/java/com/auth0/AsymmetricSignatureVerifier.java b/main/src/main/java/com/auth0/AsymmetricSignatureVerifier.java index b8b82b4..07cff11 100644 --- a/main/src/main/java/com/auth0/AsymmetricSignatureVerifier.java +++ b/main/src/main/java/com/auth0/AsymmetricSignatureVerifier.java @@ -7,7 +7,6 @@ import com.auth0.jwt.JWTVerifier; import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.interfaces.RSAKeyProvider; - import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; diff --git a/main/src/main/java/com/auth0/AuthCookie.java b/main/src/main/java/com/auth0/AuthCookie.java index f82cdb0..bbfc925 100644 --- a/main/src/main/java/com/auth0/AuthCookie.java +++ b/main/src/main/java/com/auth0/AuthCookie.java @@ -1,10 +1,9 @@ package com.auth0; -import org.apache.commons.lang3.Validate; - import java.io.UnsupportedEncodingException; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; +import org.apache.commons.lang3.Validate; /** * Represents a cookie to be used for transfer of authentiction-based data such as state and nonce. diff --git a/main/src/main/java/com/auth0/AuthenticationController.java b/main/src/main/java/com/auth0/AuthenticationController.java index aa2e95a..0c1a4fe 100644 --- a/main/src/main/java/com/auth0/AuthenticationController.java +++ b/main/src/main/java/com/auth0/AuthenticationController.java @@ -4,9 +4,9 @@ import com.auth0.client.auth.AuthAPI; import com.auth0.jwk.JwkProvider; import com.google.common.annotations.VisibleForTesting; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; import org.apache.commons.lang3.Validate; +import org.springframework.web.server.ServerWebExchange; +import reactor.core.publisher.Mono; /** @@ -255,29 +255,6 @@ private String getIssuer(String domain) { } } - /** - * Process a request to obtain a set of {@link Tokens} that represent successful authentication or authorization. - * - * This method should be called when processing the callback request to your application. It will validate - * authentication-related request parameters, handle performing a Code Exchange request if using - * the "code" response type, and verify the integrity of the ID token (if present). - * - *

Important: When using this API, you must also use {@link AuthenticationController#buildAuthorizeUrl(HttpServletRequest, HttpServletResponse, String)} - * when building the {@link AuthorizeUrl} that the user will be redirected to to login. Failure to do so may result - * in a broken login experience for the user.

- * - * @param request the received request to process. - * @param response the received response to process. - * @return the Tokens obtained after the user authentication. - * @throws InvalidRequestException if the error is result of making an invalid authentication request. - * @throws IdentityVerificationException if an error occurred while verifying the request tokens. - */ - public Tokens handle(HttpServletRequest request, HttpServletResponse response) throws IdentityVerificationException { - Validate.notNull(request, "request must not be null"); - Validate.notNull(response, "response must not be null"); - - return requestProcessor.process(request, response); - } /** * Process a request to obtain a set of {@link Tokens} that represent successful authentication or authorization. @@ -286,75 +263,51 @@ public Tokens handle(HttpServletRequest request, HttpServletResponse response) t * authentication-related request parameters, handle performing a Code Exchange request if using * the "code" response type, and verify the integrity of the ID token (if present). * - *

Important: When using this API, you must also use the {@link AuthenticationController#buildAuthorizeUrl(HttpServletRequest, String)} + *

Important: When using this API, you must also use the {@link AuthenticationController#buildAuthorizeUrl(ServerWebExchange, String)} * when building the {@link AuthorizeUrl} that the user will be redirected to to login. Failure to do so may result * in a broken login experience for the user.

* * @deprecated This method uses the {@link jakarta.servlet.http.HttpSession} for auth-based data, and is incompatible * with clients that are using the "id_token" or "token" responseType with browsers that enforce SameSite cookie * restrictions. This method will be removed in version 2.0.0. Use - * {@link AuthenticationController#handle(HttpServletRequest, HttpServletResponse)} instead. + * {@link AuthenticationController#handle(ServerWebExchange)} instead. * - * @param request the received request to process. + * @param serverWebExchange the received serverWebExchange to process. * @return the Tokens obtained after the user authentication. * @throws InvalidRequestException if the error is result of making an invalid authentication request. * @throws IdentityVerificationException if an error occurred while verifying the request tokens. */ @Deprecated - public Tokens handle(HttpServletRequest request) throws IdentityVerificationException { - Validate.notNull(request, "request must not be null"); + public Mono handle(ServerWebExchange serverWebExchange) { + Validate.notNull(serverWebExchange, "serverWebExchange must not be null"); - return requestProcessor.process(request, null); + return requestProcessor.process(serverWebExchange); } /** * Pre builds an Auth0 Authorize Url with the given redirect URI using a random state and a random nonce if applicable. * *

Important: When using this API, you must also obtain the tokens using the - * {@link AuthenticationController#handle(HttpServletRequest)} method. Failure to do so may result in a broken login + * {@link AuthenticationController#handle(ServerWebExchange)} method. Failure to do so may result in a broken login * experience for users.

* * @deprecated This method stores data in the {@link jakarta.servlet.http.HttpSession}, and is incompatible with clients * that are using the "id_token" or "token" responseType with browsers that enforce SameSite cookie restrictions. * This method will be removed in version 2.0.0. Use - * {@link AuthenticationController#buildAuthorizeUrl(HttpServletRequest, HttpServletResponse, String)} instead. + * {@link AuthenticationController#buildAuthorizeUrl(ServerWebExchange, String)} instead. * - * @param request the caller request. Used to keep the session context. + * @param serverWebExchange the caller serverWebExchange. Used to keep the session context. * @param redirectUri the url to call back with the authentication result. * @return the authorize url builder to continue any further parameter customization. */ @Deprecated - public AuthorizeUrl buildAuthorizeUrl(HttpServletRequest request, String redirectUri) { - Validate.notNull(request, "request must not be null"); + public AuthorizeUrl buildAuthorizeUrl(ServerWebExchange serverWebExchange, String redirectUri) { + Validate.notNull(serverWebExchange, "serverWebExchange must not be null"); Validate.notNull(redirectUri, "redirectUri must not be null"); String state = StorageUtils.secureRandomString(); String nonce = StorageUtils.secureRandomString(); - return requestProcessor.buildAuthorizeUrl(request, null, redirectUri, state, nonce); + return requestProcessor.buildAuthorizeUrl(serverWebExchange, redirectUri, state, nonce); } - - /** - * Pre builds an Auth0 Authorize Url with the given redirect URI using a random state and a random nonce if applicable. - * - *

Important: When using this API, you must also obtain the tokens using the - * {@link AuthenticationController#handle(HttpServletRequest, HttpServletResponse)} method. Failure to do so will result in a broken login - * experience for users.

- * - * @param request the HTTP request - * @param response the HTTP response. Used to store auth-based cookies. - * @param redirectUri the url to call back with the authentication result. - * @return the authorize url builder to continue any further parameter customization. - */ - public AuthorizeUrl buildAuthorizeUrl(HttpServletRequest request, HttpServletResponse response, String redirectUri) { - Validate.notNull(request, "request must not be null"); - Validate.notNull(response, "response must not be null"); - Validate.notNull(redirectUri, "redirectUri must not be null"); - - String state = StorageUtils.secureRandomString(); - String nonce = StorageUtils.secureRandomString(); - - return requestProcessor.buildAuthorizeUrl(request, response, redirectUri, state, nonce); - } - } diff --git a/main/src/main/java/com/auth0/AuthorizeUrl.java b/main/src/main/java/com/auth0/AuthorizeUrl.java index 8e19b40..e79423d 100644 --- a/main/src/main/java/com/auth0/AuthorizeUrl.java +++ b/main/src/main/java/com/auth0/AuthorizeUrl.java @@ -1,16 +1,22 @@ package com.auth0; +import static com.auth0.IdentityVerificationException.API_ERROR; + import com.auth0.client.auth.AuthAPI; import com.auth0.client.auth.AuthorizeUrlBuilder; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.PushedAuthorizationResponse; - import com.auth0.net.Response; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; -import java.util.*; - -import static com.auth0.IdentityVerificationException.API_ERROR; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import org.springframework.http.server.reactive.AbstractServerHttpResponse; +import org.springframework.http.server.reactive.ServerHttpRequest; +import org.springframework.http.server.reactive.ServerHttpResponse; +import org.springframework.web.server.ServerWebExchange; +import reactor.core.publisher.Mono; /** * Class to create and customize an Auth0 Authorize URL. @@ -21,8 +27,7 @@ public class AuthorizeUrl { private static final String SCOPE_OPENID = "openid"; - private HttpServletResponse response; - private HttpServletRequest request; + private ServerWebExchange serverWebExchange; private final String responseType; private boolean useLegacySameSiteCookie = true; private boolean setSecureCookie = false; @@ -38,20 +43,18 @@ public class AuthorizeUrl { /** * Creates a new instance that can be used to build an Auth0 Authorization URL. * - * Using this constructor with a non-null {@link HttpServletResponse} will store the state and nonce as + * Using this constructor with a non-null {@link AbstractServerHttpResponse} will store the state and nonce as * cookies when the {@link AuthorizeUrl#build()} method is called, with the appropriate SameSite attribute depending * on the responseType. State and nonce will also be stored in the {@link jakarta.servlet.http.HttpSession} as a fallback, * but this behavior will be removed in a future release, and only cookies will be used. * * @param client the Auth0 Authentication API client * @parem request the HTTP request. Used to store state and nonce as a fallback if cookies not set. - * @param response the response where the state and nonce will be stored as cookies * @param redirectUri the url to redirect to after authentication * @param responseType the response type to use */ - AuthorizeUrl(AuthAPI client, HttpServletRequest request, HttpServletResponse response, String redirectUri, String responseType) { - this.request = request; - this.response = response; + AuthorizeUrl(AuthAPI client, ServerWebExchange serverWebExchange, String redirectUri, String responseType) { + this.serverWebExchange = serverWebExchange; this.responseType = responseType; this.authAPI = client; this.redirectUri = redirectUri; @@ -112,7 +115,7 @@ public AuthorizeUrl withSecureCookie(boolean secureCookie) { /** * Sets whether a fallback cookie should be used for clients that do not support "SameSite=None". - * Only applicable when this instance is created with {@link AuthorizeUrl#AuthorizeUrl(AuthAPI, HttpServletRequest, HttpServletResponse, String, String)}. + * Only applicable when this instance is created with {@link AuthorizeUrl#AuthorizeUrl(AuthAPI, ServerWebExchange, String, String)}. * * @param useLegacySameSiteCookie whether or not to set fallback auth cookies for clients that do not support "SameSite=None" * @return the builder instance @@ -206,11 +209,13 @@ public AuthorizeUrl withParameter(String name, String value) { * @return the string URL * @throws IllegalStateException if it's called more than once */ - public String build() throws IllegalStateException { - storeTransient(); - AuthorizeUrlBuilder builder = authAPI.authorizeUrl(redirectUri).withResponseType(responseType); - params.forEach(builder::withParameter); - return builder.build(); + public Mono build() throws IllegalStateException { + return storeTransient() + .then(Mono.fromCallable(() -> { + AuthorizeUrlBuilder builder = authAPI.authorizeUrl(redirectUri).withResponseType(responseType); + params.forEach(builder::withParameter); + return builder.build(); + })); } /** @@ -221,32 +226,35 @@ public String build() throws IllegalStateException { * @throws InvalidRequestException if there is an error when making the request. * @see RFC 9126 */ - public String fromPushedAuthorizationRequest() throws InvalidRequestException { - storeTransient(); - - try { - Response pushedAuthResponse = authAPI.pushedAuthorizationRequest(redirectUri, responseType, params).execute(); - if (pushedAuthResponse == null || pushedAuthResponse.getBody() == null) { - throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing or empty response"); - } - String requestUri = pushedAuthResponse.getBody().getRequestURI(); - if (requestUri == null || requestUri.isEmpty()) { - throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing or empty request_uri value"); - } - if (pushedAuthResponse.getBody().getExpiresIn() == null) { - throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing expires_in value"); - } - return authAPI.authorizeUrlWithPAR(pushedAuthResponse.getBody().getRequestURI()); - } catch (Auth0Exception e) { - throw new InvalidRequestException(API_ERROR, e.getMessage(), e); - } + public Mono fromPushedAuthorizationRequest() throws InvalidRequestException { + return storeTransient() + .then(Mono.fromCallable(() -> { + try { + Response pushedAuthResponse = authAPI.pushedAuthorizationRequest(redirectUri, responseType, params).execute(); + if (pushedAuthResponse == null || pushedAuthResponse.getBody() == null) { + throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing or empty response"); + } + String requestUri = pushedAuthResponse.getBody().getRequestURI(); + if (requestUri == null || requestUri.isEmpty()) { + throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing or empty request_uri value"); + } + if (pushedAuthResponse.getBody().getExpiresIn() == null) { + throw new InvalidRequestException(API_ERROR, "The PAR request returned a missing expires_in value"); + } + return authAPI.authorizeUrlWithPAR(pushedAuthResponse.getBody().getRequestURI()); + } catch (Auth0Exception e) { + throw new InvalidRequestException(API_ERROR, e.getMessage(), e); + } + })); } - private void storeTransient() { + private Mono storeTransient() { if (used) { throw new IllegalStateException("The AuthorizeUrl instance must not be reused."); } + ServerHttpResponse response = serverWebExchange.getResponse(); + ServerHttpRequest request = serverWebExchange.getRequest(); if (response != null) { SameSite sameSiteValue = containsFormPost() ? SameSite.NONE : SameSite.LAX; @@ -254,12 +262,12 @@ private void storeTransient() { TransientCookieStore.storeNonce(response, nonce, sameSiteValue, useLegacySameSiteCookie, setSecureCookie, cookiePath); } - // Also store in Session just in case developer uses deprecated - // AuthenticationController.handle(HttpServletRequest) API - RandomStorage.setSessionState(request, state); - RandomStorage.setSessionNonce(request, nonce); - - used = true; + return Mono.fromCallable(() -> RandomStorage.setSessionState(serverWebExchange, state)) + .flatMap(webSessionMono -> RandomStorage.setSessionNonce(serverWebExchange, nonce)) + .flatMap(webSessionMono -> { + used = true; + return Mono.empty(); + }); } private boolean containsFormPost() { diff --git a/main/src/main/java/com/auth0/IdTokenVerifier.java b/main/src/main/java/com/auth0/IdTokenVerifier.java index d163e71..96a47e3 100644 --- a/main/src/main/java/com/auth0/IdTokenVerifier.java +++ b/main/src/main/java/com/auth0/IdTokenVerifier.java @@ -1,11 +1,10 @@ package com.auth0; import com.auth0.jwt.interfaces.DecodedJWT; -import org.apache.commons.lang3.Validate; - import java.util.Calendar; import java.util.Date; import java.util.List; +import org.apache.commons.lang3.Validate; /** * Token verification utility class. diff --git a/main/src/main/java/com/auth0/RandomStorage.java b/main/src/main/java/com/auth0/RandomStorage.java index 4382cc6..033addc 100644 --- a/main/src/main/java/com/auth0/RandomStorage.java +++ b/main/src/main/java/com/auth0/RandomStorage.java @@ -1,7 +1,10 @@ package com.auth0; -import jakarta.servlet.http.HttpServletRequest; + import jakarta.servlet.http.HttpSession; +import org.springframework.web.server.ServerWebExchange; +import org.springframework.web.server.WebSession; +import reactor.core.publisher.Mono; class RandomStorage extends SessionUtils { @@ -9,44 +12,45 @@ class RandomStorage extends SessionUtils { * Check's if the request {@link HttpSession} saved state is equal to the given state. * After the check, the value will be removed from the session. * - * @param req the request + * @param exchange the serverWebExchange * @param state the state value to compare against. * @return whether the state matches the expected one or not. */ - static boolean checkSessionState(HttpServletRequest req, String state) { - String currentState = (String) remove(req, StorageUtils.STATE_KEY); - return (currentState == null && state == null) || currentState != null && currentState.equals(state); + static Mono checkSessionState(ServerWebExchange exchange, String state) { + return remove(exchange, StorageUtils.STATE_KEY) + .map(currentState -> ((currentState == null && state == null) || currentState != null && currentState.equals(state))); } /** * Saves the given state in the request {@link HttpSession}. * If a state is already bound to the session, the value is replaced. * - * @param req the request. + * @param exchange the serverWebExchange. * @param state the state value to set. */ - static void setSessionState(HttpServletRequest req, String state) { - set(req, StorageUtils.STATE_KEY, state); + static Mono setSessionState(ServerWebExchange exchange, String state) { + return set(exchange, StorageUtils.STATE_KEY, state); } /** * Saves the given nonce in the request {@link HttpSession}. * If a nonce is already bound to the session, the value is replaced. * - * @param req the request. + * @param exchange the serverWebExchange. * @param nonce the nonce value to set. */ - static void setSessionNonce(HttpServletRequest req, String nonce) { - set(req, StorageUtils.NONCE_KEY, nonce); + static Mono setSessionNonce(ServerWebExchange exchange, String nonce) { + return set(exchange, StorageUtils.NONCE_KEY, nonce); } /** * Removes the nonce present in the request {@link HttpSession} and then returns it. * - * @param req the HTTP Servlet request. + * @param exchange the serverWebExchange. * @return the nonce value or null if it was not set. */ - static String removeSessionNonce(HttpServletRequest req) { - return (String) remove(req, StorageUtils.NONCE_KEY); + static Mono removeSessionNonce(ServerWebExchange exchange) { + return remove(exchange, StorageUtils.NONCE_KEY) + .map(nonce -> nonce != null ? nonce.toString() : null); } } \ No newline at end of file diff --git a/main/src/main/java/com/auth0/RequestProcessor.java b/main/src/main/java/com/auth0/RequestProcessor.java index d5316b0..b39f903 100644 --- a/main/src/main/java/com/auth0/RequestProcessor.java +++ b/main/src/main/java/com/auth0/RequestProcessor.java @@ -1,17 +1,22 @@ package com.auth0; +import static com.auth0.InvalidRequestException.API_ERROR; +import static com.auth0.InvalidRequestException.INVALID_STATE_ERROR; +import static com.auth0.InvalidRequestException.JWT_VERIFICATION_ERROR; +import static com.auth0.InvalidRequestException.MISSING_ACCESS_TOKEN; +import static com.auth0.InvalidRequestException.MISSING_ID_TOKEN; + import com.auth0.client.auth.AuthAPI; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.TokenHolder; import com.auth0.net.Response; -import org.apache.commons.lang3.Validate; - -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; import java.util.Arrays; import java.util.List; - -import static com.auth0.InvalidRequestException.*; +import org.apache.commons.lang3.Validate; +import org.springframework.http.server.reactive.ServerHttpRequest; +import org.springframework.http.server.reactive.ServerHttpResponse; +import org.springframework.web.server.ServerWebExchange; +import reactor.core.publisher.Mono; /** * Main class to handle the Authorize Redirect request. @@ -122,17 +127,16 @@ AuthAPI getClient() { /** * Pre builds an Auth0 Authorize Url with the given redirect URI, state and nonce parameters. * - * @param request the request, used to store state and nonce in the Session - * @param response the response, used to set state and nonce as cookies. If null, session will be used instead. + * @param serverWebExchange the serverWebExchange, used to store state and nonce in the Session * @param redirectUri the url to call with the authentication result. * @param state a valid state value. * @param nonce the nonce value that will be used if the response type contains 'id_token'. Can be null. * @return the authorize url builder to continue any further parameter customization. */ - AuthorizeUrl buildAuthorizeUrl(HttpServletRequest request, HttpServletResponse response, String redirectUri, + AuthorizeUrl buildAuthorizeUrl(ServerWebExchange serverWebExchange, String redirectUri, String state, String nonce) { - AuthorizeUrl creator = new AuthorizeUrl(client, request, response, redirectUri, responseType) + AuthorizeUrl creator = new AuthorizeUrl(client, serverWebExchange, redirectUri, responseType) .withState(state); if (this.organization != null) { @@ -146,7 +150,7 @@ AuthorizeUrl buildAuthorizeUrl(HttpServletRequest request, HttpServletResponse r } // null response means state and nonce will be stored in session, so legacy cookie flag does not apply - if (response != null) { + if (serverWebExchange.getResponse() != null) { creator.withLegacySameSiteCookie(useLegacySameSiteCookie); } @@ -163,20 +167,27 @@ AuthorizeUrl buildAuthorizeUrl(HttpServletRequest request, HttpServletResponse r * 4). Clearing the stored state, nonce and max_age values. * 5). Handling success and any failure outcomes. * - * @throws IdentityVerificationException if an error occurred while processing the request */ - Tokens process(HttpServletRequest request, HttpServletResponse response) throws IdentityVerificationException { - assertNoError(request); - assertValidState(request, response); + Mono process(ServerWebExchange serverWebExchange) { + + ServerHttpRequest request = serverWebExchange.getRequest(); + ServerHttpResponse response = serverWebExchange.getResponse(); + + return assertNoError(request) + .then(assertValidState(serverWebExchange)) + .then(getTokens(serverWebExchange, request, response)); + } + private Mono getTokens(ServerWebExchange serverWebExchange, + ServerHttpRequest request, ServerHttpResponse response) { Tokens frontChannelTokens = getFrontChannelTokens(request); List responseTypeList = getResponseType(); if (responseTypeList.contains(KEY_ID_TOKEN) && frontChannelTokens.getIdToken() == null) { - throw new InvalidRequestException(MISSING_ID_TOKEN, "ID Token is missing from the response."); + return Mono.error(new InvalidRequestException(MISSING_ID_TOKEN, "ID Token is missing from the response.")); } if (responseTypeList.contains(KEY_TOKEN) && frontChannelTokens.getAccessToken() == null) { - throw new InvalidRequestException(MISSING_ACCESS_TOKEN, "Access Token is missing from the response."); + return Mono.error(new InvalidRequestException(MISSING_ACCESS_TOKEN, "Access Token is missing from the response.")); } String nonce; @@ -186,15 +197,24 @@ Tokens process(HttpServletRequest request, HttpServletResponse response) throws // Just in case the developer created the authorizeUrl that stores state/nonce in the session if (nonce == null) { - nonce = RandomStorage.removeSessionNonce(request); + return RandomStorage.removeSessionNonce(serverWebExchange) + .flatMap(newNonce -> { + verifyOptions.setNonce(newNonce); + return getVerifiedTokens(serverWebExchange, frontChannelTokens, + responseTypeList); + }); + } else { + verifyOptions.setNonce(nonce); + return getVerifiedTokens(serverWebExchange, frontChannelTokens, responseTypeList); } } else { - nonce = RandomStorage.removeSessionNonce(request); + return RandomStorage.removeSessionNonce(serverWebExchange) + .flatMap(newNonce -> { + verifyOptions.setNonce(newNonce); + return getVerifiedTokens(serverWebExchange, frontChannelTokens, + responseTypeList); + }); } - - verifyOptions.setNonce(nonce); - - return getVerifiedTokens(request, frontChannelTokens, responseTypeList); } static boolean requiresFormPostResponseMode(List responseType) { @@ -204,16 +224,15 @@ static boolean requiresFormPostResponseMode(List responseType) { /** * Obtains code request tokens (if using Code flow) and validates the ID token. - * @param request the HTTP request + * @param exchange the ServerWebExchange * @param frontChannelTokens the tokens obtained from the front channel * @param responseTypeList the reponse types * @return a Tokens object that wraps the values obtained from the front-channel and/or the code request response. - * @throws IdentityVerificationException */ - private Tokens getVerifiedTokens(HttpServletRequest request, Tokens frontChannelTokens, List responseTypeList) - throws IdentityVerificationException { + private Mono getVerifiedTokens(ServerWebExchange exchange, Tokens frontChannelTokens, List responseTypeList) { + ServerHttpRequest request = exchange.getRequest(); - String authorizationCode = request.getParameter(KEY_CODE); + String authorizationCode = request.getQueryParams().getFirst(KEY_CODE); Tokens codeExchangeTokens = null; try { @@ -223,7 +242,7 @@ private Tokens getVerifiedTokens(HttpServletRequest request, Tokens frontChannel } if (responseTypeList.contains(KEY_CODE)) { // Code/Hybrid flow - String redirectUri = request.getRequestURL().toString(); + String redirectUri = request.getURI().toString(); codeExchangeTokens = exchangeCodeForTokens(authorizationCode, redirectUri); if (!responseTypeList.contains(KEY_ID_TOKEN)) { // If we already verified the front-channel token, don't verify it again. @@ -234,9 +253,9 @@ private Tokens getVerifiedTokens(HttpServletRequest request, Tokens frontChannel } } } catch (TokenValidationException e) { - throw new IdentityVerificationException(JWT_VERIFICATION_ERROR, "An error occurred while trying to verify the ID Token.", e); + return Mono.error(new IdentityVerificationException(JWT_VERIFICATION_ERROR, "An error occurred while trying to verify the ID Token.", e)); } catch (Auth0Exception e) { - throw new IdentityVerificationException(API_ERROR, "An error occurred while exchanging the authorization code.", e); + return Mono.error(new IdentityVerificationException(API_ERROR, "An error occurred while exchanging the authorization code.", e)); } // Keep the front-channel ID Token and the code-exchange Access Token. return mergeTokens(frontChannelTokens, codeExchangeTokens); @@ -266,9 +285,9 @@ private AuthorizeUrl getAuthorizeUrl(String nonce, AuthorizeUrl creator) { * @param request the request * @return a new instance of Tokens wrapping the values present in the request parameters. */ - private Tokens getFrontChannelTokens(HttpServletRequest request) { - Long expiresIn = request.getParameter(KEY_EXPIRES_IN) == null ? null : Long.parseLong(request.getParameter(KEY_EXPIRES_IN)); - return new Tokens(request.getParameter(KEY_ACCESS_TOKEN), request.getParameter(KEY_ID_TOKEN), null, request.getParameter(KEY_TOKEN_TYPE), expiresIn); + private Tokens getFrontChannelTokens(ServerHttpRequest request) { + Long expiresIn = request.getQueryParams().getFirst(KEY_EXPIRES_IN) == null ? null : Long.parseLong(request.getQueryParams().getFirst(KEY_EXPIRES_IN)); + return new Tokens(request.getQueryParams().getFirst(KEY_ACCESS_TOKEN), request.getQueryParams().getFirst(KEY_ID_TOKEN), null, request.getQueryParams().getFirst(KEY_TOKEN_TYPE), expiresIn); } /** @@ -277,38 +296,35 @@ private Tokens getFrontChannelTokens(HttpServletRequest request) { * @param request the request * @throws InvalidRequestException if the request contains an error */ - private void assertNoError(HttpServletRequest request) throws InvalidRequestException { - String error = request.getParameter(KEY_ERROR); + private Mono assertNoError(ServerHttpRequest request) { + String error = request.getQueryParams().getFirst(KEY_ERROR); if (error != null) { - String errorDescription = request.getParameter(KEY_ERROR_DESCRIPTION); - throw new InvalidRequestException(error, errorDescription); + String errorDescription = request.getQueryParams().getFirst(KEY_ERROR_DESCRIPTION); + return Mono.error(new InvalidRequestException(error, errorDescription)); } + return Mono.empty(); } /** * Checks whether the state received in the request parameters is the same as the one in the state cookie or session * for this request. * - * @param request the request + * @param serverWebExchange the serverWebExchange * @throws InvalidRequestException if the request contains a different state from the expected one */ - private void assertValidState(HttpServletRequest request, HttpServletResponse response) throws InvalidRequestException { - // TODO in v2: - // - only store state/nonce in cookies, remove session storage - // - create specific exception classes for various state validation failures (missing from auth response, missing - // state cookie, mismatch) - - String stateFromRequest = request.getParameter(KEY_STATE); + private Mono assertValidState(ServerWebExchange serverWebExchange) { + ServerHttpRequest request = serverWebExchange.getRequest(); + ServerHttpResponse response = serverWebExchange.getResponse(); + String stateFromRequest = request.getQueryParams().getFirst(KEY_STATE); if (stateFromRequest == null) { - throw new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one. No state parameter was found on the authorization response."); + return Mono.error(new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one. No state parameter was found on the authorization response.")); } // If response is null, check the Session. // This can happen when the deprecated handle method that only takes the request parameter is called if (response == null) { - checkSessionState(request, stateFromRequest); - return; + return checkSessionState(serverWebExchange, stateFromRequest); } String cookieState = TransientCookieStore.getState(request, response); @@ -316,23 +332,30 @@ private void assertValidState(HttpServletRequest request, HttpServletResponse re // Just in case state was stored in Session by building auth URL with deprecated method, but then called the // supported handle method with the request and response if (cookieState == null) { - if (SessionUtils.get(request, StorageUtils.STATE_KEY) == null) { - throw new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one. No state cookie or state session attribute found. Check that you are using non-deprecated methods and that cookies are not being removed on the server."); - } - checkSessionState(request, stateFromRequest); - return; + return SessionUtils.get(serverWebExchange, StorageUtils.STATE_KEY) + .flatMap(state -> { + if (state == null) { + return Mono.error(new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one. No state cookie or state session attribute found. Check that you are using non-deprecated methods and that cookies are not being removed on the server.")); + } + return checkSessionState(serverWebExchange, stateFromRequest); + }); } if (!cookieState.equals(stateFromRequest)) { - throw new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one."); + return Mono.error(new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one.")); } + + return Mono.empty(); } - private void checkSessionState(HttpServletRequest request, String stateFromRequest) throws InvalidRequestException { - boolean valid = RandomStorage.checkSessionState(request, stateFromRequest); - if (!valid) { - throw new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one."); - } + private Mono checkSessionState(ServerWebExchange serverWebExchange, String stateFromRequest) { + return RandomStorage.checkSessionState(serverWebExchange, stateFromRequest) + .flatMap(valid -> { + if (!valid) { + return Mono.error(new InvalidRequestException(INVALID_STATE_ERROR, "The received state doesn't match the expected one.")); + } + return Mono.empty(); + }); } /** @@ -360,9 +383,9 @@ private Tokens exchangeCodeForTokens(String authorizationCode, String redirectUr * @param codeExchangeTokens the code-exchange obtained tokens. * @return a merged version of Tokens using the best tokens when possible. */ - private Tokens mergeTokens(Tokens frontChannelTokens, Tokens codeExchangeTokens) { + private Mono mergeTokens(Tokens frontChannelTokens, Tokens codeExchangeTokens) { if (codeExchangeTokens == null) { - return frontChannelTokens; + return Mono.just(frontChannelTokens); } // Prefer access token from the code exchange @@ -386,7 +409,7 @@ private Tokens mergeTokens(Tokens frontChannelTokens, Tokens codeExchangeTokens) // Refresh token only available from the code exchange String refreshToken = codeExchangeTokens.getRefreshToken(); - return new Tokens(accessToken, idToken, refreshToken, type, expiresIn); + return Mono.just(new Tokens(accessToken, idToken, refreshToken, type, expiresIn)); } } \ No newline at end of file diff --git a/main/src/main/java/com/auth0/SameSite.java b/main/src/main/java/com/auth0/SameSite.java index f714d74..fc3059b 100644 --- a/main/src/main/java/com/auth0/SameSite.java +++ b/main/src/main/java/com/auth0/SameSite.java @@ -10,7 +10,7 @@ enum SameSite { NONE("None"), STRICT("Strict"); - private String value; + private final String value; String getValue() { return this.value; diff --git a/main/src/main/java/com/auth0/SessionUtils.java b/main/src/main/java/com/auth0/SessionUtils.java index 4c29665..b926b3e 100644 --- a/main/src/main/java/com/auth0/SessionUtils.java +++ b/main/src/main/java/com/auth0/SessionUtils.java @@ -1,9 +1,9 @@ package com.auth0; import org.apache.commons.lang3.Validate; - -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpSession; +import org.springframework.web.server.ServerWebExchange; +import org.springframework.web.server.WebSession; +import reactor.core.publisher.Mono; /** * Helper class to handle easy session key-value storage. @@ -14,51 +14,56 @@ public abstract class SessionUtils { /** * Extracts the HttpSession from the given request. * - * @param req a valid request to get the session from + * @param serverWebExchange a valid request to get the session from * @return the session of the request */ - protected static HttpSession getSession(HttpServletRequest req) { - return req.getSession(true); + protected static Mono getSession(ServerWebExchange serverWebExchange) { + return serverWebExchange.getSession(); } /** * Set's the attribute value to the request session. * - * @param req a valid request to get the session from + * @param serverWebExchange a valid request to get the session from * @param name the name of the attribute * @param value the value to set */ - public static void set(HttpServletRequest req, String name, Object value) { - Validate.notNull(req); + public static Mono set(ServerWebExchange serverWebExchange, String name, Object value) { + Validate.notNull(serverWebExchange); Validate.notNull(name); - getSession(req).setAttribute(name, value); + return serverWebExchange.getSession().map(session -> { + session.getAttributes().put(name, value); + return session; + }); } /** * Get the attribute with the given name from the request session. * - * @param req a valid request to get the session from + * @param serverWebExchange a valid request to get the session from * @param name the name of the attribute * @return the attribute stored in the session or null if it doesn't exists */ - public static Object get(HttpServletRequest req, String name) { - Validate.notNull(req); + public static Mono get(ServerWebExchange serverWebExchange, String name) { + Validate.notNull(serverWebExchange); Validate.notNull(name); - return getSession(req).getAttribute(name); + + return serverWebExchange.getSession() + .map(session -> session.getAttributes().get(name)); } /** - * Same as {@link #get(HttpServletRequest, String)} but it also removes the value from the request session. + * Same as {@link #get(ServerWebExchange, String)} but it also removes the value from the request session. * - * @param req a valid request to get the session from + * @param serverWebExchange a valid request to get the session from * @param name the name of the attribute * @return the attribute stored in the session or null if it doesn't exists */ - public static Object remove(HttpServletRequest req, String name) { - Validate.notNull(req); + public static Mono remove(ServerWebExchange serverWebExchange, String name) { + Validate.notNull(serverWebExchange); Validate.notNull(name); - Object value = get(req, name); - getSession(req).removeAttribute(name); - return value; + Object value = get(serverWebExchange, name); + return serverWebExchange.getSession() + .map(session -> session.getAttributes().remove(name)); } } diff --git a/main/src/main/java/com/auth0/SignatureVerifier.java b/main/src/main/java/com/auth0/SignatureVerifier.java index 3d41df0..4d25415 100644 --- a/main/src/main/java/com/auth0/SignatureVerifier.java +++ b/main/src/main/java/com/auth0/SignatureVerifier.java @@ -6,10 +6,9 @@ import com.auth0.jwt.exceptions.JWTVerificationException; import com.auth0.jwt.exceptions.SignatureVerificationException; import com.auth0.jwt.interfaces.DecodedJWT; -import org.apache.commons.lang3.Validate; - import java.util.Arrays; import java.util.List; +import org.apache.commons.lang3.Validate; abstract class SignatureVerifier { diff --git a/main/src/main/java/com/auth0/StorageUtils.java b/main/src/main/java/com/auth0/StorageUtils.java index 162d4d3..af206b0 100644 --- a/main/src/main/java/com/auth0/StorageUtils.java +++ b/main/src/main/java/com/auth0/StorageUtils.java @@ -1,8 +1,7 @@ package com.auth0; -import org.apache.commons.codec.binary.Base64; - import java.security.SecureRandom; +import org.apache.commons.codec.binary.Base64; class StorageUtils { diff --git a/main/src/main/java/com/auth0/TransientCookieStore.java b/main/src/main/java/com/auth0/TransientCookieStore.java index e828028..5557c41 100644 --- a/main/src/main/java/com/auth0/TransientCookieStore.java +++ b/main/src/main/java/com/auth0/TransientCookieStore.java @@ -1,13 +1,15 @@ package com.auth0; -import org.apache.commons.lang3.Validate; - -import jakarta.servlet.http.Cookie; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.nio.charset.StandardCharsets; +import java.util.List; +import org.apache.commons.lang3.Validate; +import org.springframework.http.HttpCookie; +import org.springframework.http.ResponseCookie; +import org.springframework.http.server.reactive.ServerHttpRequest; +import org.springframework.http.server.reactive.ServerHttpResponse; +import org.springframework.util.MultiValueMap; /** * Allows storage and retrieval/removal of cookies. @@ -27,7 +29,7 @@ private TransientCookieStore() {} * @param useLegacySameSiteCookie whether to set a fallback cookie or not * @param isSecureCookie whether to always set the Secure cookie attribute or not */ - static void storeState(HttpServletResponse response, String state, SameSite sameSite, boolean useLegacySameSiteCookie, boolean isSecureCookie, String cookiePath) { + static void storeState(ServerHttpResponse response, String state, SameSite sameSite, boolean useLegacySameSiteCookie, boolean isSecureCookie, String cookiePath) { store(response, StorageUtils.STATE_KEY, state, sameSite, useLegacySameSiteCookie, isSecureCookie, cookiePath); } @@ -40,7 +42,7 @@ static void storeState(HttpServletResponse response, String state, SameSite same * @param useLegacySameSiteCookie whether to set a fallback cookie or not * @param isSecureCookie whether to always set the Secure cookie attribute or not */ - static void storeNonce(HttpServletResponse response, String nonce, SameSite sameSite, boolean useLegacySameSiteCookie, boolean isSecureCookie, String cookiePath) { + static void storeNonce(ServerHttpResponse response, String nonce, SameSite sameSite, boolean useLegacySameSiteCookie, boolean isSecureCookie, String cookiePath) { store(response, StorageUtils.NONCE_KEY, nonce, sameSite, useLegacySameSiteCookie, isSecureCookie, cookiePath); } @@ -51,7 +53,7 @@ static void storeNonce(HttpServletResponse response, String nonce, SameSite same * @param response the response object * @return the value of the state cookie, if it exists */ - static String getState(HttpServletRequest request, HttpServletResponse response) { + static String getState(ServerHttpRequest request, ServerHttpResponse response) { return getOnce(StorageUtils.STATE_KEY, request, response); } @@ -62,11 +64,11 @@ static String getState(HttpServletRequest request, HttpServletResponse response) * @param response the response object * @return the value of the nonce cookie, if it exists */ - static String getNonce(HttpServletRequest request, HttpServletResponse response) { + static String getNonce(ServerHttpRequest request, ServerHttpResponse response) { return getOnce(StorageUtils.NONCE_KEY, request, response); } - private static void store(HttpServletResponse response, String key, String value, SameSite sameSite, boolean useLegacySameSiteCookie, boolean isSecureCookie, String cookiePath) { + private static void store(ServerHttpResponse response, String key, String value, SameSite sameSite, boolean useLegacySameSiteCookie, boolean isSecureCookie, String cookiePath) { Validate.notNull(response, "response must not be null"); Validate.notNull(key, "key must not be null"); Validate.notNull(sameSite, "sameSite must not be null"); @@ -85,28 +87,30 @@ private static void store(HttpServletResponse response, String key, String value } // Servlet Cookie API does not yet support setting the SameSite attribute, so just set cookie on header - response.addHeader("Set-Cookie", sameSiteCookie.buildHeaderString()); + response.getHeaders().add("Set-Cookie", sameSiteCookie.buildHeaderString()); // set legacy fallback cookie (if configured) for clients that won't accept SameSite=None if (isSameSiteNone && useLegacySameSiteCookie) { AuthCookie legacyCookie = new AuthCookie("_" + key, value); legacyCookie.setSecure(isSecureCookie); - response.addHeader("Set-Cookie", legacyCookie.buildHeaderString()); + response.getHeaders().add("Set-Cookie", legacyCookie.buildHeaderString()); } } - private static String getOnce(String cookieName, HttpServletRequest request, HttpServletResponse response) { - Cookie[] requestCookies = request.getCookies(); + private static String getOnce(String cookieName, ServerHttpRequest request, ServerHttpResponse response) { + MultiValueMap requestCookies = request.getCookies(); if (requestCookies == null) { return null; } - Cookie foundCookie = null; - for (Cookie c : requestCookies) { - if (cookieName.equals(c.getName())) { - foundCookie = c; - break; + HttpCookie foundCookie = null; + for (List cs : requestCookies.values()) { + for (HttpCookie c : cs) { + if (cookieName.equals(c.getName())) { + foundCookie = c; + break; + } } } @@ -116,11 +120,13 @@ private static String getOnce(String cookieName, HttpServletRequest request, Htt delete(foundCookie, response); } - Cookie foundLegacyCookie = null; - for (Cookie c : requestCookies) { - if (("_" + cookieName).equals(c.getName())) { - foundLegacyCookie = c; - break; + HttpCookie foundLegacyCookie = null; + for (List cs : requestCookies.values()) { + for (HttpCookie c : cs) { + if (("_" + cookieName).equals(c.getName())) { + foundLegacyCookie = c; + break; + } } } @@ -133,10 +139,12 @@ private static String getOnce(String cookieName, HttpServletRequest request, Htt return foundCookieVal != null ? foundCookieVal : foundLegacyCookieVal; } - private static void delete(Cookie cookie, HttpServletResponse response) { - cookie.setMaxAge(0); - cookie.setValue(""); - response.addCookie(cookie); + private static void delete(HttpCookie cookie, ServerHttpResponse response) { + ResponseCookie newCookie = ResponseCookie.from(cookie.getName(), "") + .maxAge(0) + .build(); + response.getCookies() + .add(cookie.getName(), newCookie); } private static String decode(String valueToDecode) { diff --git a/main/src/test/java/com/auth0/AuthorizeUrlTest.java b/main/src/test/java/com/auth0/AuthorizeUrlTest.java index 56c39e0..bc7a956 100644 --- a/main/src/test/java/com/auth0/AuthorizeUrlTest.java +++ b/main/src/test/java/com/auth0/AuthorizeUrlTest.java @@ -1,29 +1,33 @@ package com.auth0; +import static org.hamcrest.CoreMatchers.hasItem; +import static org.hamcrest.CoreMatchers.instanceOf; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.hamcrest.CoreMatchers.nullValue; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.ArgumentMatchers.anyMap; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + import com.auth0.client.HttpOptions; import com.auth0.client.auth.AuthAPI; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.PushedAuthorizationResponse; import com.auth0.net.Request; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import java.util.Collection; +import java.util.Map; import okhttp3.HttpUrl; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import jakarta.servlet.http.HttpServletRequest; -import jakarta.servlet.http.HttpServletResponse; -import java.util.Collection; -import java.util.Map; - -import static org.hamcrest.CoreMatchers.*; -import static org.hamcrest.MatcherAssert.assertThat; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.ArgumentMatchers.*; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; - public class AuthorizeUrlTest { private AuthAPI client; diff --git a/main/src/test/java/com/auth0/IdTokenVerifierTest.java b/main/src/test/java/com/auth0/IdTokenVerifierTest.java index ced54c7..e6ebb3d 100644 --- a/main/src/test/java/com/auth0/IdTokenVerifierTest.java +++ b/main/src/test/java/com/auth0/IdTokenVerifierTest.java @@ -1,18 +1,17 @@ package com.auth0; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + import com.auth0.jwt.JWT; import com.auth0.jwt.algorithms.Algorithm; import com.auth0.jwt.interfaces.DecodedJWT; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; - import java.util.Calendar; import java.util.Date; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; public class IdTokenVerifierTest { diff --git a/main/src/test/java/com/auth0/IdentityVerificationExceptionTest.java b/main/src/test/java/com/auth0/IdentityVerificationExceptionTest.java index 0f70c4f..b11b893 100644 --- a/main/src/test/java/com/auth0/IdentityVerificationExceptionTest.java +++ b/main/src/test/java/com/auth0/IdentityVerificationExceptionTest.java @@ -1,12 +1,12 @@ package com.auth0; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; - -import static org.hamcrest.core.Is.is; import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.core.Is.is; import static org.mockito.Mockito.mock; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + public class IdentityVerificationExceptionTest { private Throwable cause; private IdentityVerificationException exception; diff --git a/main/src/test/java/com/auth0/InvalidRequestExceptionTest.java b/main/src/test/java/com/auth0/InvalidRequestExceptionTest.java index e513d58..2905a51 100644 --- a/main/src/test/java/com/auth0/InvalidRequestExceptionTest.java +++ b/main/src/test/java/com/auth0/InvalidRequestExceptionTest.java @@ -1,11 +1,11 @@ package com.auth0; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.core.Is.is; + import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import static org.hamcrest.core.Is.is; -import static org.hamcrest.MatcherAssert.assertThat; - public class InvalidRequestExceptionTest { private InvalidRequestException exception; diff --git a/main/src/test/java/com/auth0/RandomStorageTest.java b/main/src/test/java/com/auth0/RandomStorageTest.java index 49a4af7..106014f 100644 --- a/main/src/test/java/com/auth0/RandomStorageTest.java +++ b/main/src/test/java/com/auth0/RandomStorageTest.java @@ -1,12 +1,12 @@ package com.auth0; -import org.junit.jupiter.api.Test; -import org.springframework.mock.web.MockHttpServletRequest; - import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.nullValue; import static org.hamcrest.MatcherAssert.assertThat; +import org.junit.jupiter.api.Test; +import org.springframework.mock.web.MockHttpServletRequest; + public class RandomStorageTest { @Test diff --git a/main/src/test/java/com/auth0/RequestProcessorTest.java b/main/src/test/java/com/auth0/RequestProcessorTest.java index ef0f538..f7684dc 100644 --- a/main/src/test/java/com/auth0/RequestProcessorTest.java +++ b/main/src/test/java/com/auth0/RequestProcessorTest.java @@ -1,9 +1,31 @@ package com.auth0; +import static org.hamcrest.CoreMatchers.containsString; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.hamcrest.CoreMatchers.nullValue; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.not; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.doNothing; +import static org.mockito.Mockito.doThrow; +import static org.mockito.Mockito.eq; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.never; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoMoreInteractions; +import static org.mockito.Mockito.when; + import com.auth0.client.auth.AuthAPI; import com.auth0.exception.Auth0Exception; import com.auth0.json.auth.TokenHolder; import com.auth0.net.TokenRequest; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; import org.hamcrest.CoreMatchers; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -12,19 +34,6 @@ import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; -import jakarta.servlet.http.Cookie; -import jakarta.servlet.http.HttpServletRequest; -import java.util.Collections; -import java.util.HashMap; -import java.util.Map; - -import static org.hamcrest.CoreMatchers.*; -import static org.hamcrest.MatcherAssert.assertThat; -import static org.hamcrest.Matchers.not; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.Mockito.*; - public class RequestProcessorTest { @Mock diff --git a/main/src/test/java/com/auth0/SessionUtilsTest.java b/main/src/test/java/com/auth0/SessionUtilsTest.java index d7edf62..d6beb98 100644 --- a/main/src/test/java/com/auth0/SessionUtilsTest.java +++ b/main/src/test/java/com/auth0/SessionUtilsTest.java @@ -1,12 +1,12 @@ package com.auth0; -import org.junit.jupiter.api.Test; -import org.springframework.mock.web.MockHttpServletRequest; - import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.nullValue; import static org.hamcrest.MatcherAssert.assertThat; +import org.junit.jupiter.api.Test; +import org.springframework.mock.web.MockHttpServletRequest; + public class SessionUtilsTest { @Test public void shouldGetAndRemoveAttribute() { diff --git a/main/src/test/java/com/auth0/SignatureVerifierTest.java b/main/src/test/java/com/auth0/SignatureVerifierTest.java index 326387f..7ed79c5 100644 --- a/main/src/test/java/com/auth0/SignatureVerifierTest.java +++ b/main/src/test/java/com/auth0/SignatureVerifierTest.java @@ -1,12 +1,16 @@ package com.auth0; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + import com.auth0.jwk.Jwk; import com.auth0.jwk.JwkException; import com.auth0.jwk.JwkProvider; import com.auth0.jwt.interfaces.DecodedJWT; -import org.bouncycastle.util.io.pem.PemReader; -import org.junit.jupiter.api.Test; - import java.io.FileInputStream; import java.io.FileReader; import java.io.IOException; @@ -19,13 +23,8 @@ import java.security.spec.EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Scanner; - -import static org.hamcrest.CoreMatchers.notNullValue; -import static org.hamcrest.MatcherAssert.assertThat; -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; +import org.bouncycastle.util.io.pem.PemReader; +import org.junit.jupiter.api.Test; public class SignatureVerifierTest { diff --git a/main/src/test/java/com/auth0/TokensTest.java b/main/src/test/java/com/auth0/TokensTest.java index 5034bce..cd2750f 100644 --- a/main/src/test/java/com/auth0/TokensTest.java +++ b/main/src/test/java/com/auth0/TokensTest.java @@ -1,10 +1,10 @@ package com.auth0; -import org.junit.jupiter.api.Test; - +import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.core.Is.is; import static org.hamcrest.core.IsNull.nullValue; -import static org.hamcrest.MatcherAssert.assertThat; + +import org.junit.jupiter.api.Test; public class TokensTest { diff --git a/main/src/test/java/com/auth0/TransientCookieStoreTest.java b/main/src/test/java/com/auth0/TransientCookieStoreTest.java index 977f7dc..c667970 100644 --- a/main/src/test/java/com/auth0/TransientCookieStoreTest.java +++ b/main/src/test/java/com/auth0/TransientCookieStoreTest.java @@ -1,18 +1,21 @@ package com.auth0; -import org.hamcrest.beans.HasPropertyWithValue; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.Test; -import org.springframework.mock.web.MockHttpServletRequest; -import org.springframework.mock.web.MockHttpServletResponse; +import static org.hamcrest.CoreMatchers.everyItem; +import static org.hamcrest.CoreMatchers.hasItem; +import static org.hamcrest.CoreMatchers.is; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.hamcrest.CoreMatchers.nullValue; +import static org.hamcrest.MatcherAssert.assertThat; import jakarta.servlet.http.Cookie; import java.net.URLEncoder; import java.util.Arrays; import java.util.List; - -import static org.hamcrest.CoreMatchers.*; -import static org.hamcrest.MatcherAssert.assertThat; +import org.hamcrest.beans.HasPropertyWithValue; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; public class TransientCookieStoreTest {