From a42554a640abb4cc57acb988a83444a616c1cba8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Tue, 15 Nov 2016 11:58:40 +0200 Subject: [PATCH 001/331] Rename deprecated assertations --- tests/src/OneLogin/saml2_tests/response_test.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index f8904d3c..e9246577 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -279,7 +279,7 @@ def testCheckOneCondition(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, xml) self.assertFalse(response.is_valid(self.get_request_data())) - self.assertEquals('The Assertion must include a Conditions element', response.get_error()) + self.assertEqual('The Assertion must include a Conditions element', response.get_error()) xml_2 = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) response_2 = OneLogin_Saml2_Response(settings, xml_2) @@ -298,7 +298,7 @@ def testCheckOneAuthnStatement(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, xml) self.assertFalse(response.is_valid(self.get_request_data())) - self.assertEquals('The Assertion must include an AuthnStatement element', response.get_error()) + self.assertEqual('The Assertion must include an AuthnStatement element', response.get_error()) xml_2 = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) response_2 = OneLogin_Saml2_Response(settings, xml_2) @@ -724,7 +724,7 @@ def testIsInValidDestination(self): message_3 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_destination.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, message_3) self.assertFalse(response_4.is_valid(self.get_request_data())) - self.assertEquals('The response has an empty Destination value', response_4.get_error()) + self.assertEqual('The response has an empty Destination value', response_4.get_error()) # No Destination dom.firstChild.removeAttribute('Destination') From e7b17a70dafc02447712c2bca1d9b2756533e25d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Thu, 17 Nov 2016 19:28:47 +0200 Subject: [PATCH 002/331] Make logout request function is_valid support raising exceptions --- src/onelogin/saml2/logout_request.py | 7 ++++++- .../OneLogin/saml2_tests/logout_request_test.py | 16 ++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index c714bffa..6daafe9c 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -212,12 +212,15 @@ def get_session_indexes(request): session_indexes.append(session_index_node.text) return session_indexes - def is_valid(self, request_data): + def is_valid(self, request_data, raises=False): """ Checks if the Logout Request received is valid :param request_data: Request Data :type request_data: dict + :param raises: Optional argument. If true, the function will raise an exception as soon as first validation test fails + :type raises: bool + :return: If the Logout Request is or not valid :rtype: boolean """ @@ -274,6 +277,8 @@ def is_valid(self, request_data): debug = self.__settings.is_debug_active() if debug: print(err) + if raises: + raise return False def get_error(self): diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index e8f3b1b5..c30bd09d 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -336,3 +336,19 @@ def testIsValid(self): request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url) logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) self.assertTrue(logout_request5.is_valid(request_data)) + + def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): + request = OneLogin_Saml2_Utils.b64encode('invalid') + request_data = { + 'http_host': 'example.com', + 'script_name': 'index.html', + } + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + settings.set_strict(True) + + logout_request = OneLogin_Saml2_Logout_Request(settings, request) + + self.assertFalse(logout_request.is_valid(request_data)) + + with self.assertRaises(Exception): + logout_request.is_valid(request_data, raises=True) From d3549f9f469a748c4d92b453b2a757d5c7ee8f05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Thu, 17 Nov 2016 19:38:44 +0200 Subject: [PATCH 003/331] Improve logout request tests --- .../saml2_tests/logout_request_test.py | 43 ++++++------------- 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index c30bd09d..7ab11346 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -121,10 +121,8 @@ def testGetNameIdData(self): self.assertEqual(expected_name_id_data, name_id_data_2) request_2 = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_encrypted_nameid.xml')) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(Exception, 'Key is required in order to decrypt the NameID'): OneLogin_Saml2_Logout_Request.get_nameid(request_2) - exception = context.exception - self.assertIn("Key is required in order to decrypt the NameID", str(exception)) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) key = settings.get_sp_key() @@ -140,16 +138,12 @@ def testGetNameIdData(self): encrypted_id_nodes = dom_2.getElementsByTagName('saml:EncryptedID') encrypted_data = encrypted_id_nodes[0].firstChild.nextSibling encrypted_id_nodes[0].removeChild(encrypted_data) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid(dom_2.toxml(), key) - exception = context.exception - self.assertIn("Not NameID found in the Logout Request", str(exception)) inv_request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'no_nameId.xml')) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid(inv_request) - exception = context.exception - self.assertIn("Not NameID found in the Logout Request", str(exception)) def testGetNameId(self): """ @@ -160,10 +154,8 @@ def testGetNameId(self): self.assertEqual(name_id, 'ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c') request_2 = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_encrypted_nameid.xml')) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(Exception, 'Key is required in order to decrypt the NameID'): OneLogin_Saml2_Logout_Request.get_nameid(request_2) - exception = context.exception - self.assertIn("Key is required in order to decrypt the NameID", str(exception)) settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) key = settings.get_sp_key() @@ -242,12 +234,9 @@ def testIsInvalidIssuer(self): self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) - try: - logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) - valid = logout_request2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertIn('Invalid issuer in the Logout Request', str(e)) + logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) + with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Logout Request'): + logout_request2.is_valid(request_data, raises=True) def testIsInvalidDestination(self): """ @@ -264,12 +253,9 @@ def testIsInvalidDestination(self): self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) - try: - logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) - valid = logout_request2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertIn('The LogoutRequest was received at', str(e)) + logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) + with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): + logout_request2.is_valid(request_data, raises=True) dom = parseString(request) dom.documentElement.setAttribute('Destination', None) @@ -298,12 +284,9 @@ def testIsInvalidNotOnOrAfter(self): self.assertTrue(logout_request.is_valid(request_data)) settings.set_strict(True) - try: - logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) - valid = logout_request2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertIn('Timing issues (please check your clock settings)', str(e)) + logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) + with self.assertRaisesRegexp(Exception, 'Timing issues \(please check your clock settings\)'): + logout_request2.is_valid(request_data, raises=True) def testIsValid(self): """ From 2965e0091c611edc42df86991f3455bbc8a65270 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Thu, 17 Nov 2016 19:34:41 +0200 Subject: [PATCH 004/331] Make logout response function is_valid support raising exceptions --- src/onelogin/saml2/logout_response.py | 8 +++++++- .../saml2_tests/logout_response_test.py | 17 +++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index 9a12beb8..dd7dc0ee 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -63,11 +63,15 @@ def get_status(self): status = entries[0].attrib['Value'] return status - def is_valid(self, request_data, request_id=None): + def is_valid(self, request_data, request_id=None, raises=False): """ Determines if the SAML LogoutResponse is valid :param request_id: The ID of the LogoutRequest sent by this SP to the IdP :type request_id: string + + :param raises: Optional argument. If true, the function will raise an exception as soon as first validation test fails + :type raises: bool + :return: Returns if the SAML LogoutResponse is or not valid :rtype: boolean """ @@ -111,6 +115,8 @@ def is_valid(self, request_data, request_id=None): debug = self.__settings.is_debug_active() if debug: print(err) + if raises: + raise return False def __query(self, query): diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py index 51ee0f49..c95caf91 100644 --- a/tests/src/OneLogin/saml2_tests/logout_response_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py @@ -277,3 +277,20 @@ def testIsValid(self): response_3 = OneLogin_Saml2_Logout_Response(settings, message_3) self.assertTrue(response_3.is_valid(request_data)) + + def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): + message = OneLogin_Saml2_Utils.deflate_and_base64_encode('invalid') + request_data = { + 'http_host': 'example.com', + 'script_name': 'index.html', + 'get_data': {} + } + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + settings.set_strict(True) + + response = OneLogin_Saml2_Logout_Response(settings, message) + + self.assertFalse(response.is_valid(request_data)) + + with self.assertRaises(Exception): + response.is_valid(request_data, raises=True) From c3d92fbfe62873e0bfb1bd933c00db36ea82de92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Thu, 17 Nov 2016 20:18:33 +0200 Subject: [PATCH 005/331] Improve logout response tests --- .../saml2_tests/logout_response_test.py | 21 ++++++------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py index c95caf91..7ec22f8b 100644 --- a/tests/src/OneLogin/saml2_tests/logout_response_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py @@ -201,11 +201,8 @@ def testIsInValidIssuer(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) - try: - valid = response_2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertIn('Invalid issuer in the Logout Request', str(e)) + with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Logout Request'): + response_2.is_valid(request_data, raises=True) def testIsInValidDestination(self): """ @@ -226,11 +223,8 @@ def testIsInValidDestination(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) - try: - valid = response_2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertIn('The LogoutRequest was received at', str(e)) + with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): + response_2.is_valid(request_data, raises=True) # Empty destination dom = parseString(OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) @@ -264,11 +258,8 @@ def testIsValid(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) - try: - valid = response_2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertIn('The LogoutRequest was received at', str(e)) + with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): + response_2.is_valid(request_data, raises=True) plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) From 5545e21ad3a680cdcd2a6246ee6f7466e5ec7cd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Tue, 15 Nov 2016 13:05:23 +0200 Subject: [PATCH 006/331] Make response function is_valid support raising exceptions --- src/onelogin/saml2/response.py | 7 ++++++- tests/src/OneLogin/saml2_tests/response_test.py | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index bb6a9b44..c4b0751d 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -47,7 +47,7 @@ def __init__(self, settings, response): self.encrypted = True self.decrypted_document = self.__decrypt_assertion(decrypted_document) - def is_valid(self, request_data, request_id=None): + def is_valid(self, request_data, request_id=None, raises=False): """ Validates the response object. @@ -57,6 +57,9 @@ def is_valid(self, request_data, request_id=None): :param request_id: Optional argument. The ID of the AuthNRequest sent by this SP to the IdP :type request_id: string + :param raises: Optional argument. If true, the function will raise an exception as soon as first validation test fails + :type raises: bool + :returns: True if the SAML Response is valid, False if not :rtype: bool """ @@ -226,6 +229,8 @@ def is_valid(self, request_data, request_id=None): debug = self.__settings.is_debug_active() if debug: print(err) + if raises: + raise return False def check_status(self): diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index e9246577..06816d06 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1349,3 +1349,18 @@ def testIsValidWithoutInResponseTo(self): 'http_host': 'pitbulk.no-ip.org', 'script_name': 'newonelogin/demo1/index.php?acs' })) + + def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): + """ + Tests that the internal exception gets raised if the raise parameter + is True. + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + settings.set_strict(True) + xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_conditions.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + + self.assertFalse(response.is_valid(self.get_request_data())) + + with self.assertRaises(Exception): + response.is_valid(self.get_request_data(), raises=True) From 16e38bed9cb76777c12a310c8bddd634f4008a60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pekka=20P=C3=B6yry?= Date: Tue, 15 Nov 2016 10:58:20 +0200 Subject: [PATCH 007/331] Improve response tests --- .../src/OneLogin/saml2_tests/response_test.py | 201 +++++------------- 1 file changed, 54 insertions(+), 147 deletions(-) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 06816d06..a2d8c65b 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -79,21 +79,15 @@ def testReturnNameId(self): xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_4.get_nameid() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['security']['wantNameId'] = True settings = OneLogin_Saml2_Settings(json_settings) response_5 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_5.get_nameid() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) @@ -106,30 +100,21 @@ def testReturnNameId(self): settings = OneLogin_Saml2_Settings(json_settings) response_7 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_7.get_nameid() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['strict'] = True settings = OneLogin_Saml2_Settings(json_settings) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) response_8 = OneLogin_Saml2_Response(settings, xml_5) - try: + with self.assertRaisesRegexp(Exception, 'The SPNameQualifier value mistmatch the SP entityID value.'): response_8.get_nameid() - self.assertTrue(False) - except Exception as e: - self.assertIn('The SPNameQualifier value mistmatch the SP entityID value.', str(e)) xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64')) response_9 = OneLogin_Saml2_Response(settings, xml_6) - try: + with self.assertRaisesRegexp(Exception, 'An empty NameID value found'): response_9.get_nameid() - self.assertTrue(False) - except Exception as e: - self.assertIn('An empty NameID value found', str(e)) def testGetNameIdData(self): """ @@ -168,21 +153,15 @@ def testGetNameIdData(self): xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_4.get_nameid_data() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['security']['wantNameId'] = True settings = OneLogin_Saml2_Settings(json_settings) response_5 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_5.get_nameid_data() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) @@ -195,11 +174,8 @@ def testGetNameIdData(self): settings = OneLogin_Saml2_Settings(json_settings) response_7 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_7.get_nameid_data() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) @@ -212,30 +188,21 @@ def testGetNameIdData(self): settings = OneLogin_Saml2_Settings(json_settings) response_7 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): response_7.get_nameid_data() - self.assertTrue(False) - except Exception as e: - self.assertIn('Not NameID found in the assertion of the Response', str(e)) json_settings['strict'] = True settings = OneLogin_Saml2_Settings(json_settings) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) response_8 = OneLogin_Saml2_Response(settings, xml_5) - try: + with self.assertRaisesRegexp(Exception, 'The SPNameQualifier value mistmatch the SP entityID value.'): response_8.get_nameid_data() - self.assertTrue(False) - except Exception as e: - self.assertIn('The SPNameQualifier value mistmatch the SP entityID value.', str(e)) xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64')) response_9 = OneLogin_Saml2_Response(settings, xml_6) - try: + with self.assertRaisesRegexp(Exception, 'An empty NameID value found'): response_9.get_nameid_data() - self.assertTrue(False) - except Exception as e: - self.assertIn('An empty NameID value found', str(e)) def testCheckStatus(self): """ @@ -252,19 +219,13 @@ def testCheckStatus(self): xml_2 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64')) response_2 = OneLogin_Saml2_Response(settings, xml_2) - try: + with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder'): response_2.check_status() - self.assertTrue(False) - except Exception as e: - self.assertIn('The status code of the Response was not Success, was Responder', str(e)) xml_3 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responer_and_msg.xml.base64')) response_3 = OneLogin_Saml2_Response(settings, xml_3) - try: + with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder -> something_is_wrong'): response_3.check_status() - self.assertTrue(False) - except Exception as e: - self.assertIn('The status code of the Response was not Success, was Responder -> something_is_wrong', str(e)) def testCheckOneCondition(self): """ @@ -374,17 +335,13 @@ def testGetIssuers(self): xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_issuer_response.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) - try: + with self.assertRaisesRegexp(Exception, 'Issuer of the Response not found or multiple.'): response_4.get_issuers() - except Exception as e: - self.assertIn('Issuer of the Response not found or multiple.', str(e)) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_issuer_assertion.xml.base64')) response_5 = OneLogin_Saml2_Response(settings, xml_5) - try: + with self.assertRaisesRegexp(Exception, 'Issuer of the Assertion not found or multiple.'): response_5.get_issuers() - except Exception as e: - self.assertIn('Issuer of the Assertion not found or multiple.', str(e)) def testGetSessionIndex(self): """ @@ -535,11 +492,8 @@ def testValidateVersion(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_saml2.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - valid = response.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('Reference validation failed', str(e)) + with self.assertRaisesRegexp(Exception, 'Unsupported SAML version'): + response.is_valid(self.get_request_data(), raises=True) def testValidateID(self): """ @@ -549,11 +503,8 @@ def testValidateID(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_id.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - valid = response.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('Missing ID attribute on SAML Response', str(e)) + with self.assertRaisesRegexp(Exception, 'Missing ID attribute on SAML Response'): + response.is_valid(self.get_request_data(), raises=True) def testIsInValidReference(self): """ @@ -582,11 +533,8 @@ def testIsInValidExpired(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) - try: - valid = response_2.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('Timing issues (please check your clock settings)', str(e)) + with self.assertRaisesRegexp(Exception, 'Timing issues \(please check your clock settings\)'): + response_2.is_valid(self.get_request_data(), raises=True) def testIsInValidNoStatement(self): """ @@ -643,11 +591,8 @@ def testIsInValidNoKey(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_key.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - valid = response.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('Signature validation failed. SAML Response rejected', str(e)) + with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): + response.is_valid(self.get_request_data(), raises=True) def testIsInValidMultipleAssertions(self): """ @@ -658,11 +603,8 @@ def testIsInValidMultipleAssertions(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'multiple_assertions.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - valid = response.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('SAML Response must contain 1 assertion', str(e)) + with self.assertRaisesRegexp(Exception, 'SAML Response must contain 1 assertion'): + response.is_valid(self.get_request_data(), raises=True) def testIsInValidEncAttrs(self): """ @@ -677,11 +619,8 @@ def testIsInValidEncAttrs(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) - try: - valid = response_2.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('There is an EncryptedAttribute in the Response and this SP not support them', str(e)) + with self.assertRaisesRegexp(Exception, 'There is an EncryptedAttribute in the Response and this SP not support them'): + response_2.is_valid(self.get_request_data(), raises=True) def testIsInValidDuplicatedAttrs(self): """ @@ -691,11 +630,8 @@ def testIsInValidDuplicatedAttrs(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'duplicated_attributes.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: + with self.assertRaisesRegexp(Exception, 'Found an Attribute element with duplicated Name'): response.get_attributes() - self.assertFalse(True) - except Exception as e: - self.assertEqual('Found an Attribute element with duplicated Name', str(e)) def testIsInValidDestination(self): """ @@ -786,18 +722,12 @@ def testIsInValidIssuer(self): settings.set_strict(True) response_3 = OneLogin_Saml2_Response(settings, message) - try: - valid = response_3.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('is not a valid audience for this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Assertion/Response'): + response_3.is_valid(request_data, raises=True) response_4 = OneLogin_Saml2_Response(settings, message_2) - try: - valid = response_4.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('is not a valid audience for this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Assertion/Response'): + response_4.is_valid(request_data, raises=True) def testIsInValidSessionIndex(self): """ @@ -821,11 +751,8 @@ def testIsInValidSessionIndex(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, message) - try: - valid = response_2.is_valid(request_data) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response'): + response_2.is_valid(request_data, raises=True) def testDatetimeWithMiliseconds(self): """ @@ -915,40 +842,28 @@ def testIsInValidSubjectConfirmation(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, message) - try: - self.assertFalse(response.is_valid(request_data)) - except Exception as e: - self.assertEqual('A valid SubjectConfirmation was not found on this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + response.is_valid(request_data, raises=True) response_2 = OneLogin_Saml2_Response(settings, message_2) - try: - self.assertFalse(response_2.is_valid(request_data)) - except Exception as e: - self.assertEqual('A valid SubjectConfirmation was not found on this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + response_2.is_valid(request_data, raises=True) response_3 = OneLogin_Saml2_Response(settings, message_3) - try: - self.assertFalse(response_3.is_valid(request_data)) - except Exception as e: - self.assertEqual('A valid SubjectConfirmation was not found on this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + response_3.is_valid(request_data, raises=True) response_4 = OneLogin_Saml2_Response(settings, message_4) - try: - self.assertFalse(response_4.is_valid(request_data)) - except Exception as e: - self.assertEqual('A valid SubjectConfirmation was not found on this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + response_4.is_valid(request_data, raises=True) response_5 = OneLogin_Saml2_Response(settings, message_5) - try: - self.assertFalse(response_5.is_valid(request_data)) - except Exception as e: - self.assertEqual('A valid SubjectConfirmation was not found on this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + response_5.is_valid(request_data, raises=True) response_6 = OneLogin_Saml2_Response(settings, message_6) - try: - self.assertFalse(response_6.is_valid(request_data)) - except Exception as e: - self.assertEqual('A valid SubjectConfirmation was not found on this Response', str(e)) + with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + response_6.is_valid(request_data, raises=True) def testIsInValidRequestId(self): """ @@ -973,10 +888,8 @@ def testIsInValidRequestId(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, message) - try: - self.assertFalse(response.is_valid(request_data, request_id)) - except Exception as e: - self.assertEqual('The InResponseTo of the Response', str(e)) + with self.assertRaisesRegexp(Exception, 'The InResponseTo of the Response'): + response.is_valid(request_data, request_id, raises=True) valid_request_id = '_57bcbf70-7b1f-012e-c821-782bcb13bb38' response.is_valid(request_data, valid_request_id) @@ -1020,10 +933,8 @@ def testIsInValidSignIssues(self): settings_info['security']['wantAssertionsSigned'] = True settings_4 = OneLogin_Saml2_Settings(settings_info) response_4 = OneLogin_Saml2_Response(settings_4, message) - try: - self.assertFalse(response_4.is_valid(request_data)) - except Exception as e: - self.assertEqual('The Assertion of the Response is not signed and the SP require it', str(e)) + with self.assertRaisesRegexp(Exception, 'The Assertion of the Response is not signed and the SP require it'): + response_4.is_valid(request_data, raises=True) settings_info['security']['wantAssertionsSigned'] = False settings_info['strict'] = False @@ -1050,10 +961,8 @@ def testIsInValidSignIssues(self): settings_info['security']['wantMessagesSigned'] = True settings_8 = OneLogin_Saml2_Settings(settings_info) response_8 = OneLogin_Saml2_Response(settings_8, message) - try: - self.assertFalse(response_8.is_valid(request_data)) - except Exception as e: - self.assertEqual('The Message of the Response is not signed and the SP require it', str(e)) + with self.assertRaisesRegexp(Exception, 'The Message of the Response is not signed and the SP require it'): + response_8.is_valid(request_data, raises=True) def testIsInValidEncIssues(self): """ @@ -1134,10 +1043,8 @@ def testIsInValidCert(self): xml = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - self.assertFalse(response.is_valid(self.get_request_data())) - except Exception as e: - self.assertIn('openssl_x509_read(): supplied parameter cannot be', str(e)) + with self.assertRaisesRegexp(Exception, 'failed to load key'): + response.is_valid(self.get_request_data(), raises=True) def testIsInValidCert2(self): """ From 7ac264071e53a899b1b03975b0bd0960ca85b0e4 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 22 Dec 2016 12:07:15 +0100 Subject: [PATCH 008/331] Rename parameter --- src/onelogin/saml2/logout_request.py | 8 ++-- src/onelogin/saml2/logout_response.py | 8 ++-- src/onelogin/saml2/response.py | 8 ++-- .../saml2_tests/logout_request_test.py | 8 ++-- .../saml2_tests/logout_response_test.py | 8 ++-- .../src/OneLogin/saml2_tests/response_test.py | 40 +++++++++---------- 6 files changed, 40 insertions(+), 40 deletions(-) diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 6daafe9c..d74993d3 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -212,14 +212,14 @@ def get_session_indexes(request): session_indexes.append(session_index_node.text) return session_indexes - def is_valid(self, request_data, raises=False): + def is_valid(self, request_data, raise_exceptions=False): """ Checks if the Logout Request received is valid :param request_data: Request Data :type request_data: dict - :param raises: Optional argument. If true, the function will raise an exception as soon as first validation test fails - :type raises: bool + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean :return: If the Logout Request is or not valid :rtype: boolean @@ -277,7 +277,7 @@ def is_valid(self, request_data, raises=False): debug = self.__settings.is_debug_active() if debug: print(err) - if raises: + if raise_exceptions: raise return False diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index dd7dc0ee..a9cdba8d 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -63,14 +63,14 @@ def get_status(self): status = entries[0].attrib['Value'] return status - def is_valid(self, request_data, request_id=None, raises=False): + def is_valid(self, request_data, request_id=None, raise_exceptions=False): """ Determines if the SAML LogoutResponse is valid :param request_id: The ID of the LogoutRequest sent by this SP to the IdP :type request_id: string - :param raises: Optional argument. If true, the function will raise an exception as soon as first validation test fails - :type raises: bool + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean :return: Returns if the SAML LogoutResponse is or not valid :rtype: boolean @@ -115,7 +115,7 @@ def is_valid(self, request_data, request_id=None, raises=False): debug = self.__settings.is_debug_active() if debug: print(err) - if raises: + if raise_exceptions: raise return False diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index dc3b077b..16184336 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -47,7 +47,7 @@ def __init__(self, settings, response): self.encrypted = True self.decrypted_document = self.__decrypt_assertion(decrypted_document) - def is_valid(self, request_data, request_id=None, raises=False): + def is_valid(self, request_data, request_id=None, raise_exceptions=False): """ Validates the response object. @@ -57,8 +57,8 @@ def is_valid(self, request_data, request_id=None, raises=False): :param request_id: Optional argument. The ID of the AuthNRequest sent by this SP to the IdP :type request_id: string - :param raises: Optional argument. If true, the function will raise an exception as soon as first validation test fails - :type raises: bool + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean :returns: True if the SAML Response is valid, False if not :rtype: bool @@ -229,7 +229,7 @@ def is_valid(self, request_data, request_id=None, raises=False): debug = self.__settings.is_debug_active() if debug: print(err) - if raises: + if raise_exceptions: raise return False diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index 7ab11346..3741db90 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -236,7 +236,7 @@ def testIsInvalidIssuer(self): settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Logout Request'): - logout_request2.is_valid(request_data, raises=True) + logout_request2.is_valid(request_data, raise_exceptions=True) def testIsInvalidDestination(self): """ @@ -255,7 +255,7 @@ def testIsInvalidDestination(self): settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): - logout_request2.is_valid(request_data, raises=True) + logout_request2.is_valid(request_data, raise_exceptions=True) dom = parseString(request) dom.documentElement.setAttribute('Destination', None) @@ -286,7 +286,7 @@ def testIsInvalidNotOnOrAfter(self): settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) with self.assertRaisesRegexp(Exception, 'Timing issues \(please check your clock settings\)'): - logout_request2.is_valid(request_data, raises=True) + logout_request2.is_valid(request_data, raise_exceptions=True) def testIsValid(self): """ @@ -334,4 +334,4 @@ def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): self.assertFalse(logout_request.is_valid(request_data)) with self.assertRaises(Exception): - logout_request.is_valid(request_data, raises=True) + logout_request.is_valid(request_data, raise_exceptions=True) diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py index 7ec22f8b..2cc1083b 100644 --- a/tests/src/OneLogin/saml2_tests/logout_response_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py @@ -202,7 +202,7 @@ def testIsInValidIssuer(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Logout Request'): - response_2.is_valid(request_data, raises=True) + response_2.is_valid(request_data, raise_exceptions=True) def testIsInValidDestination(self): """ @@ -224,7 +224,7 @@ def testIsInValidDestination(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): - response_2.is_valid(request_data, raises=True) + response_2.is_valid(request_data, raise_exceptions=True) # Empty destination dom = parseString(OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) @@ -259,7 +259,7 @@ def testIsValid(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): - response_2.is_valid(request_data, raises=True) + response_2.is_valid(request_data, raise_exceptions=True) plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) @@ -284,4 +284,4 @@ def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): self.assertFalse(response.is_valid(request_data)) with self.assertRaises(Exception): - response.is_valid(request_data, raises=True) + response.is_valid(request_data, raise_exceptions=True) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index a2d8c65b..5639bd59 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -493,7 +493,7 @@ def testValidateVersion(self): xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_saml2.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'Unsupported SAML version'): - response.is_valid(self.get_request_data(), raises=True) + response.is_valid(self.get_request_data(), raise_exceptions=True) def testValidateID(self): """ @@ -504,7 +504,7 @@ def testValidateID(self): xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_id.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'Missing ID attribute on SAML Response'): - response.is_valid(self.get_request_data(), raises=True) + response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidReference(self): """ @@ -534,7 +534,7 @@ def testIsInValidExpired(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'Timing issues \(please check your clock settings\)'): - response_2.is_valid(self.get_request_data(), raises=True) + response_2.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidNoStatement(self): """ @@ -592,7 +592,7 @@ def testIsInValidNoKey(self): xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_key.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): - response.is_valid(self.get_request_data(), raises=True) + response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidMultipleAssertions(self): """ @@ -604,7 +604,7 @@ def testIsInValidMultipleAssertions(self): xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'multiple_assertions.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'SAML Response must contain 1 assertion'): - response.is_valid(self.get_request_data(), raises=True) + response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidEncAttrs(self): """ @@ -620,7 +620,7 @@ def testIsInValidEncAttrs(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'There is an EncryptedAttribute in the Response and this SP not support them'): - response_2.is_valid(self.get_request_data(), raises=True) + response_2.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidDuplicatedAttrs(self): """ @@ -723,11 +723,11 @@ def testIsInValidIssuer(self): settings.set_strict(True) response_3 = OneLogin_Saml2_Response(settings, message) with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Assertion/Response'): - response_3.is_valid(request_data, raises=True) + response_3.is_valid(request_data, raise_exceptions=True) response_4 = OneLogin_Saml2_Response(settings, message_2) with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Assertion/Response'): - response_4.is_valid(request_data, raises=True) + response_4.is_valid(request_data, raise_exceptions=True) def testIsInValidSessionIndex(self): """ @@ -752,7 +752,7 @@ def testIsInValidSessionIndex(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, message) with self.assertRaisesRegexp(Exception, 'The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response'): - response_2.is_valid(request_data, raises=True) + response_2.is_valid(request_data, raise_exceptions=True) def testDatetimeWithMiliseconds(self): """ @@ -843,27 +843,27 @@ def testIsInValidSubjectConfirmation(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, message) with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): - response.is_valid(request_data, raises=True) + response.is_valid(request_data, raise_exceptions=True) response_2 = OneLogin_Saml2_Response(settings, message_2) with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): - response_2.is_valid(request_data, raises=True) + response_2.is_valid(request_data, raise_exceptions=True) response_3 = OneLogin_Saml2_Response(settings, message_3) with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): - response_3.is_valid(request_data, raises=True) + response_3.is_valid(request_data, raise_exceptions=True) response_4 = OneLogin_Saml2_Response(settings, message_4) with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): - response_4.is_valid(request_data, raises=True) + response_4.is_valid(request_data, raise_exceptions=True) response_5 = OneLogin_Saml2_Response(settings, message_5) with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): - response_5.is_valid(request_data, raises=True) + response_5.is_valid(request_data, raise_exceptions=True) response_6 = OneLogin_Saml2_Response(settings, message_6) with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): - response_6.is_valid(request_data, raises=True) + response_6.is_valid(request_data, raise_exceptions=True) def testIsInValidRequestId(self): """ @@ -889,7 +889,7 @@ def testIsInValidRequestId(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, message) with self.assertRaisesRegexp(Exception, 'The InResponseTo of the Response'): - response.is_valid(request_data, request_id, raises=True) + response.is_valid(request_data, request_id, raise_exceptions=True) valid_request_id = '_57bcbf70-7b1f-012e-c821-782bcb13bb38' response.is_valid(request_data, valid_request_id) @@ -934,7 +934,7 @@ def testIsInValidSignIssues(self): settings_4 = OneLogin_Saml2_Settings(settings_info) response_4 = OneLogin_Saml2_Response(settings_4, message) with self.assertRaisesRegexp(Exception, 'The Assertion of the Response is not signed and the SP require it'): - response_4.is_valid(request_data, raises=True) + response_4.is_valid(request_data, raise_exceptions=True) settings_info['security']['wantAssertionsSigned'] = False settings_info['strict'] = False @@ -962,7 +962,7 @@ def testIsInValidSignIssues(self): settings_8 = OneLogin_Saml2_Settings(settings_info) response_8 = OneLogin_Saml2_Response(settings_8, message) with self.assertRaisesRegexp(Exception, 'The Message of the Response is not signed and the SP require it'): - response_8.is_valid(request_data, raises=True) + response_8.is_valid(request_data, raise_exceptions=True) def testIsInValidEncIssues(self): """ @@ -1044,7 +1044,7 @@ def testIsInValidCert(self): response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'failed to load key'): - response.is_valid(self.get_request_data(), raises=True) + response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidCert2(self): """ @@ -1270,4 +1270,4 @@ def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): self.assertFalse(response.is_valid(self.get_request_data())) with self.assertRaises(Exception): - response.is_valid(self.get_request_data(), raises=True) + response.is_valid(self.get_request_data(), raise_exceptions=True) From b144b06723c1d3a58993dff3e678ae39c7dfeebc Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 22 Dec 2016 12:46:20 +0100 Subject: [PATCH 009/331] Optionally raise detailed exceptions vs. returning False --- .travis.yml | 4 +- src/onelogin/saml2/logout_request.py | 4 +- src/onelogin/saml2/response.py | 14 +- src/onelogin/saml2/utils.py | 167 ++++++++++-------- .../saml2_tests/logout_request_test.py | 2 +- .../src/OneLogin/saml2_tests/response_test.py | 4 +- 6 files changed, 108 insertions(+), 87 deletions(-) diff --git a/.travis.yml b/.travis.yml index c6b32510..b38e5565 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,9 +1,9 @@ language: python python: - '2.7.6' -# - '2.7.9' +# - '2.7.9' # - '2.7.12' - - '3.3.4' +# - '3.3.4' # - '3.3.5' # - '3.3.6' - '3.4.3' diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index d74993d3..c4061a71 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -10,7 +10,7 @@ """ from onelogin.saml2.constants import OneLogin_Saml2_Constants -from onelogin.saml2.utils import OneLogin_Saml2_Utils +from onelogin.saml2.utils import OneLogin_Saml2_Utils, return_false_on_exception from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -246,7 +246,7 @@ def is_valid(self, request_data, raise_exceptions=False): if root.get('NotOnOrAfter', None): na = OneLogin_Saml2_Utils.parse_SAML_to_time(root.get('NotOnOrAfter')) if na <= OneLogin_Saml2_Utils.now(): - raise Exception('Timing issues (please check your clock settings)') + raise Exception('Could not validate timestamp: expired. Check system clock.)') # Check destination if root.get('Destination', None): diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index 16184336..db739ffe 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -11,7 +11,7 @@ from copy import deepcopy from onelogin.saml2.constants import OneLogin_Saml2_Constants -from onelogin.saml2.utils import OneLogin_Saml2_Utils +from onelogin.saml2.utils import OneLogin_Saml2_Utils, return_false_on_exception from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -124,8 +124,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): raise Exception('The Assertion must include a Conditions element') # Validates Assertion timestamps - if not self.validate_timestamps(): - raise Exception('Timing issues (please check your clock settings)') + self.validate_timestamps(raise_exceptions=True) # Checks that an AuthnStatement element exists and is unique if not self.check_one_authnstatement(): @@ -216,11 +215,11 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): fingerprintalg = idp_data.get('certFingerprintAlgorithm', None) # If find a Signature on the Response, validates it checking the original response - if has_signed_response and not OneLogin_Saml2_Utils.validate_sign(self.document, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH): + if has_signed_response and not OneLogin_Saml2_Utils.validate_sign(self.document, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH, raise_exceptions=False): raise Exception('Signature validation failed. SAML Response rejected') document_check_assertion = self.decrypted_document if self.encrypted else self.document - if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH): + if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH, raise_exceptions=False): raise Exception('Signature validation failed. SAML Response rejected') return True @@ -502,6 +501,7 @@ def validate_signed_elements(self, signed_elements): return True + @return_false_on_exception def validate_timestamps(self): """ Verifies that the document is valid according to Conditions Element @@ -515,9 +515,9 @@ def validate_timestamps(self): nb_attr = conditions_node.get('NotBefore') nooa_attr = conditions_node.get('NotOnOrAfter') if nb_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nb_attr) > OneLogin_Saml2_Utils.now() + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT: - return False + raise Exception('Could not validate timestamp: not yet valid. Check system clock.') if nooa_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nooa_attr) + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT <= OneLogin_Saml2_Utils.now(): - return False + raise Exception('Could not validate timestamp: expired. Check system clock.') return True def __query_assertion(self, xpath_expr): diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index a8d9fe87..9765d4f9 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -16,6 +16,7 @@ from isodate import parse_duration as duration_parser import re from textwrap import wrap +from functools import wraps from uuid import uuid4 import zlib @@ -33,6 +34,24 @@ from urllib import quote_plus # py2 +def return_false_on_exception(func): + """ + Decorator. When applied to a function, it will, by default, suppress any exceptions + raised by that function and return False. It may be overridden by passing a + "raise_exceptions" keyword argument when calling the wrapped function. + """ + @wraps(func) + def exceptfalse(*args, **kwargs): + if not kwargs.pop('raise_exceptions', False): + try: + return func(*args, **kwargs) + except Exception: + return False + else: + return func(*args, **kwargs) + return exceptfalse + + class OneLogin_Saml2_Utils(object): """ @@ -719,6 +738,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant return OneLogin_Saml2_XML.to_string(elem) @staticmethod + @return_false_on_exception def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False, xpath=None): """ Validates a signature (Message or Assertion). @@ -743,36 +763,34 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid :param xpath: The xpath of the signed element :type: string - """ - try: - if xml is None or xml == '': - raise Exception('Empty string supplied as input') - - elem = OneLogin_Saml2_XML.to_etree(xml) - xmlsec.enable_debug_trace(debug) - xmlsec.tree.add_ids(elem, ["ID"]) - if xpath: - signature_nodes = OneLogin_Saml2_XML.query(elem, xpath) - else: - signature_nodes = OneLogin_Saml2_XML.query(elem, OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH) + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean + """ + if xml is None or xml == '': + raise Exception('Empty string supplied as input') - if len(signature_nodes) == 0: - signature_nodes = OneLogin_Saml2_XML.query(elem, OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH) + elem = OneLogin_Saml2_XML.to_etree(xml) + xmlsec.enable_debug_trace(debug) + xmlsec.tree.add_ids(elem, ["ID"]) - if len(signature_nodes) == 1: - signature_node = signature_nodes[0] + if xpath: + signature_nodes = OneLogin_Saml2_XML.query(elem, xpath) + else: + signature_nodes = OneLogin_Saml2_XML.query(elem, OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH) - return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug) - else: - return False - except xmlsec.Error as e: - if debug: - print(e) + if len(signature_nodes) == 0: + signature_nodes = OneLogin_Saml2_XML.query(elem, OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH) - return False + if len(signature_nodes) == 1: + signature_node = signature_nodes[0] + # Raises expection if invalid + return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True) + else: + raise Exception('Expected exactly one signature node; got {}.'.format(len(signature_nodes))) @staticmethod + @return_false_on_exception def validate_metadata_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False): """ Validates a signature of a EntityDescriptor. @@ -794,35 +812,36 @@ def validate_metadata_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha :param debug: Activate the xmlsec debug :type: bool + + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean """ - try: - if xml is None or xml == '': - raise Exception('Empty string supplied as input') + if xml is None or xml == '': + raise Exception('Empty string supplied as input') - elem = OneLogin_Saml2_XML.to_etree(xml) - xmlsec.enable_debug_trace(debug) - xmlsec.tree.add_ids(elem, ["ID"]) + elem = OneLogin_Saml2_XML.to_etree(xml) + xmlsec.enable_debug_trace(debug) + xmlsec.tree.add_ids(elem, ["ID"]) - signature_nodes = OneLogin_Saml2_XML.query(elem, '/md:EntitiesDescriptor/ds:Signature') + signature_nodes = OneLogin_Saml2_XML.query(elem, '/md:EntitiesDescriptor/ds:Signature') - if len(signature_nodes) == 0: - signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/ds:Signature') + if len(signature_nodes) == 0: + signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/ds:Signature') - if len(signature_nodes) == 0: - signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/md:SPSSODescriptor/ds:Signature') - signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/md:IDPSSODescriptor/ds:Signature') + if len(signature_nodes) == 0: + signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/md:SPSSODescriptor/ds:Signature') + signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/md:IDPSSODescriptor/ds:Signature') - if len(signature_nodes) > 0: - for signature_node in signature_nodes: - if not OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug): - return False - return True - else: - return False - except Exception: - return False + if len(signature_nodes) > 0: + for signature_node in signature_nodes: + # Raises expection if invalid + OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True) + return True + else: + raise Exception('Could not validate metadata signature: No signature nodes found.') @staticmethod + @return_false_on_exception def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False): """ Validates a signature node. @@ -847,40 +866,42 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger :param debug: Activate the xmlsec debug :type: bool + + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean """ - try: - if (cert is None or cert == '') and fingerprint: - x509_certificate_nodes = OneLogin_Saml2_XML.query(signature_node, '//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate') - if len(x509_certificate_nodes) > 0: - x509_certificate_node = x509_certificate_nodes[0] - x509_cert_value = x509_certificate_node.text - x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value, fingerprintalg) - if fingerprint == x509_fingerprint_value: - cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value) - - if cert is None or cert == '': - return False + if (cert is None or cert == '') and fingerprint: + x509_certificate_nodes = OneLogin_Saml2_XML.query(signature_node, '//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate') + if len(x509_certificate_nodes) > 0: + x509_certificate_node = x509_certificate_nodes[0] + x509_cert_value = x509_certificate_node.text + x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value, fingerprintalg) + if fingerprint == x509_fingerprint_value: + cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value) - # Check if Reference URI is empty - reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference') - if len(reference_elem) > 0: - if reference_elem[0].get('URI') == '': - reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID')) + if cert is None or cert == '': + raise Exception('Could not validate node signature: No certificate provided.') - if validatecert: - manager = xmlsec.KeysManager() - manager.load_cert_from_memory(cert, xmlsec.KeyFormat.CERT_PEM, xmlsec.KeyDataType.TRUSTED) - dsig_ctx = xmlsec.SignatureContext(manager) - else: - dsig_ctx = xmlsec.SignatureContext() - dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None) + # Check if Reference URI is empty + reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference') + if len(reference_elem) > 0: + if reference_elem[0].get('URI') == '': + reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID')) + + if validatecert: + manager = xmlsec.KeysManager() + manager.load_cert_from_memory(cert, xmlsec.KeyFormat.CERT_PEM, xmlsec.KeyDataType.TRUSTED) + dsig_ctx = xmlsec.SignatureContext(manager) + else: + dsig_ctx = xmlsec.SignatureContext() + dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None) - dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509]) + dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509]) + try: dsig_ctx.verify(signature_node) - return True - except xmlsec.Error as e: - if debug: - print(e) + except Exception: + raise Exception('Signature validation failed. SAML Response rejected') + return True @staticmethod def sign_binary(msg, key, algorithm=xmlsec.Transform.RSA_SHA1, debug=False): diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index 3741db90..c4e385cc 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -285,7 +285,7 @@ def testIsInvalidNotOnOrAfter(self): settings.set_strict(True) logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) - with self.assertRaisesRegexp(Exception, 'Timing issues \(please check your clock settings\)'): + with self.assertRaisesRegexp(Exception, 'Could not validate timestamp: expired. Check system clock.'): logout_request2.is_valid(request_data, raise_exceptions=True) def testIsValid(self): diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 5639bd59..1bd726c0 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -533,7 +533,7 @@ def testIsInValidExpired(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Timing issues \(please check your clock settings\)'): + with self.assertRaisesRegexp(Exception, 'Could not validate timestamp: expired. Check system clock.'): response_2.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidNoStatement(self): @@ -1043,7 +1043,7 @@ def testIsInValidCert(self): xml = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'failed to load key'): + with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidCert2(self): From 9ea32f567508a532101a9888b199062f105b77c6 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 30 Dec 2016 00:16:43 +0100 Subject: [PATCH 010/331] Implement a more specific exception class for handling some validation errors. Improve tests --- src/onelogin/saml2/auth.py | 50 ++-- src/onelogin/saml2/errors.py | 74 +++++- src/onelogin/saml2/logout_request.py | 38 ++- src/onelogin/saml2/logout_response.py | 27 +- src/onelogin/saml2/response.py | 231 ++++++++++++++---- src/onelogin/saml2/settings.py | 5 +- src/onelogin/saml2/utils.py | 28 ++- tests/src/OneLogin/saml2_tests/auth_test.py | 22 +- .../saml2_tests/logout_response_test.py | 13 +- .../src/OneLogin/saml2_tests/response_test.py | 20 +- tests/src/OneLogin/saml2_tests/utils_test.py | 8 +- 11 files changed, 384 insertions(+), 132 deletions(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 1e470b32..4b855119 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -16,10 +16,9 @@ from onelogin.saml2 import compat from onelogin.saml2.settings import OneLogin_Saml2_Settings from onelogin.saml2.response import OneLogin_Saml2_Response -from onelogin.saml2.errors import OneLogin_Saml2_Error from onelogin.saml2.logout_response import OneLogin_Saml2_Logout_Response from onelogin.saml2.constants import OneLogin_Saml2_Constants -from onelogin.saml2.utils import OneLogin_Saml2_Utils +from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError from onelogin.saml2.logout_request import OneLogin_Saml2_Logout_Request from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request @@ -429,7 +428,7 @@ def __build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Const if not key: raise OneLogin_Saml2_Error( "Trying to sign the %s but can't load the SP private key." % saml_type, - OneLogin_Saml2_Error.SP_CERTS_NOT_FOUND + OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND ) msg = self.__build_sign_query(data[saml_type], @@ -472,7 +471,7 @@ def validate_response_signature(self, request_data): return self.__validate_signature(request_data, 'SAMLResponse') - def __validate_signature(self, data, saml_type): + def __validate_signature(self, data, saml_type, raise_exceptions=False): """ Validate Signature @@ -484,22 +483,30 @@ def __validate_signature(self, data, saml_type): :param saml_type: The target URL the user should be redirected to :type saml_type: string SAMLRequest | SAMLResponse - """ - - signature = data.get('Signature', None) - if signature is None: - if self.__settings.is_strict() and self.__settings.get_security_data().get('wantMessagesSigned', False): - self.__error_reason = 'The %s is not signed. Rejected.' % saml_type - return False - return True - - x509cert = self.get_settings().get_idp_cert() - - if x509cert is None: - self.__errors.append("In order to validate the sign on the %s, the x509cert of the IdP is required" % saml_type) - return False + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean + """ try: + signature = data.get('Signature', None) + if signature is None: + if self.__settings.is_strict() and self.__settings.get_security_data().get('wantMessagesSigned', False): + raise OneLogin_Saml2_ValidationError( + 'The %s is not signed. Rejected.' % saml_type, + OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + ) + return True + + x509cert = self.get_settings().get_idp_cert() + + if not x509cert: + error_msg = "In order to validate the sign on the %s, the x509cert of the IdP is required" % saml_type + self.__errors.append(error_msg) + raise OneLogin_Saml2_Error( + error_msg, + OneLogin_Saml2_Error.CERT_NOT_FOUND + ) + sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1) if isinstance(sign_alg, bytes): sign_alg = sign_alg.decode('utf8') @@ -520,8 +527,13 @@ def __validate_signature(self, data, saml_type): x509cert, sign_alg, self.__settings.is_debug_active()): - raise Exception('Signature validation failed. %s rejected.' % saml_type) + raise OneLogin_Saml2_ValidationError( + 'Signature validation failed. %s rejected.' % saml_type, + OneLogin_Saml2_ValidationError.INVALID_SIGNATURE + ) return True except Exception as e: self.__error_reason = str(e) + if raise_exceptions: + raise e return False diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py index c28a23bd..0f84a09b 100644 --- a/src/onelogin/saml2/errors.py +++ b/src/onelogin/saml2/errors.py @@ -25,7 +25,7 @@ class OneLogin_Saml2_Error(Exception): SETTINGS_INVALID_SYNTAX = 1 SETTINGS_INVALID = 2 METADATA_SP_INVALID = 3 - SP_CERTS_NOT_FOUND = 4 + CERT_NOT_FOUND = 4 REDIRECT_INVALID_URL = 5 PUBLIC_CERT_FILE_NOT_FOUND = 6 PRIVATE_KEY_FILE_NOT_FOUND = 7 @@ -34,6 +34,8 @@ class OneLogin_Saml2_Error(Exception): SAML_LOGOUTREQUEST_INVALID = 10 SAML_LOGOUTRESPONSE_INVALID = 11 SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12 + PRIVATE_KEY_NOT_FOUND = 13 + UNSUPPORTED_SETTINGS_OBJECT = 14 def __init__(self, message, code=0, errors=None): """ @@ -50,3 +52,73 @@ def __init__(self, message, code=0, errors=None): Exception.__init__(self, message) self.code = code + + +class OneLogin_Saml2_ValidationError(Exception): + """ + This class implements another custom Exception handler, related + to exceptions that happens during validation process. + Defines custom error codes . + """ + + # Validation Errors + UNSUPPORTED_SAML_VERSION = 0 + MISSING_ID = 1 + WRONG_NUMBER_OF_ASSERTIONS = 2 + MISSING_STATUS = 3 + MISSING_STATUS_CODE = 4 + STATUS_CODE_IS_NOT_SUCCESS = 5 + WRONG_SIGNED_ELEMENT = 6 + ID_NOT_FOUND_IN_SIGNED_ELEMENT = 7 + DUPLICATED_ID_IN_SIGNED_ELEMENTS = 8 + INVALID_SIGNED_ELEMENT = 9 + DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS = 10 + UNEXPECTED_SIGNED_ELEMENTS = 11 + WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE = 12 + WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION = 13 + INVALID_XML_FORMAT = 14 + WRONG_INRESPONSETO = 15 + NO_ENCRYPTED_ASSERTION = 16 + NO_ENCRYPTED_NAMEID = 17 + MISSING_CONDITIONS = 18 + ASSERTION_TOO_EARLY = 19 + ASSERTION_EXPIRED = 20 + WRONG_NUMBER_OF_AUTHSTATEMENTS = 21 + NO_ATTRIBUTESTATEMENT = 22 + ENCRYPTED_ATTRIBUTES = 23 + WRONG_DESTINATION = 24 + EMPTY_DESTINATION = 25 + WRONG_AUDIENCE = 26 + ISSUER_NOT_FOUND_IN_RESPONSE = 27 + ISSUER_NOT_FOUND_IN_ASSERTION = 28 + WRONG_ISSUER = 29 + SESSION_EXPIRED = 30 + WRONG_SUBJECTCONFIRMATION = 31 + NO_SIGNED_RESPONSE = 32 + NO_SIGNED_ASSERTION = 33 + NO_SIGNATURE_FOUND = 34 + KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35 + CHILDREN_NODE_NOT_FOIND_IN_KEYINFO = 36 + UNSUPPORTED_RETRIEVAL_METHOD = 37 + NO_NAMEID = 38 + EMPTY_NAMEID = 39 + SP_NAME_QUALIFIER_NAME_MISMATCH = 40 + DUPLICATED_ATTRIBUTE_NAME_FOUND = 41 + INVALID_SIGNATURE = 42 + WRONG_NUMBER_OF_SIGNATURES = 43 + RESPONSE_EXPIRED = 44 + + def __init__(self, message, code=0, errors=None): + """ + Initializes the Exception instance. + Arguments are: + * (str) message. Describes the error. + * (int) code. The code error (defined in the error class). + """ + assert isinstance(code, int) + + if errors is not None: + message = message % errors + + Exception.__init__(self, message) + self.code = code diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index c4061a71..93a57bb2 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -10,7 +10,7 @@ """ from onelogin.saml2.constants import OneLogin_Saml2_Constants -from onelogin.saml2.utils import OneLogin_Saml2_Utils, return_false_on_exception +from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -141,7 +141,10 @@ def get_nameid_data(request, key=None): if len(encrypted_entries) == 1: if key is None: - raise Exception('Key is required in order to decrypt the NameID') + raise OneLogin_Saml2_Error( + 'Private Key is required in order to decrypt the NameID, check settings', + OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND + ) encrypted_data_nodes = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/saml:EncryptedID/xenc:EncryptedData') if len(encrypted_data_nodes) == 1: @@ -153,7 +156,10 @@ def get_nameid_data(request, key=None): name_id = entries[0] if name_id is None: - raise Exception('Not NameID found in the Logout Request') + raise OneLogin_Saml2_ValidationError( + 'Not NameID found in the Logout Request', + OneLogin_Saml2_ValidationError.NO_NAMEID + ) name_id_data = { 'Value': name_id.text @@ -236,7 +242,10 @@ def is_valid(self, request_data, raise_exceptions=False): if self.__settings.is_strict(): res = OneLogin_Saml2_XML.validate_xml(root, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active()) if isinstance(res, str): - raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd') + raise OneLogin_Saml2_ValidationError( + 'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd', + OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT + ) security = self.__settings.get_security_data() @@ -246,30 +255,41 @@ def is_valid(self, request_data, raise_exceptions=False): if root.get('NotOnOrAfter', None): na = OneLogin_Saml2_Utils.parse_SAML_to_time(root.get('NotOnOrAfter')) if na <= OneLogin_Saml2_Utils.now(): - raise Exception('Could not validate timestamp: expired. Check system clock.)') + raise OneLogin_Saml2_ValidationError( + 'Could not validate timestamp: expired. Check system clock.)', + OneLogin_Saml2_ValidationError.RESPONSE_EXPIRED + ) # Check destination if root.get('Destination', None): destination = root.get('Destination') if destination != '': if current_url not in destination: - raise Exception( + raise OneLogin_Saml2_ValidationError( 'The LogoutRequest was received at ' '%(currentURL)s instead of %(destination)s' % { 'currentURL': current_url, 'destination': destination, - } + }, + OneLogin_Saml2_ValidationError.WRONG_DESTINATION ) # Check issuer issuer = OneLogin_Saml2_Logout_Request.get_issuer(root) if issuer is not None and issuer != idp_entity_id: - raise Exception('Invalid issuer in the Logout Request') + raise OneLogin_Saml2_ValidationError( + 'Invalid issuer in the Logout Request', + OneLogin_Saml2_ValidationError.WRONG_ISSUER + ) if security['wantMessagesSigned']: if 'Signature' not in get_data: - raise Exception('The Message of the Logout Request is not signed and the SP require it') + raise OneLogin_Saml2_ValidationError( + 'The Message of the Logout Request is not signed and the SP require it', + OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + ) + return True except Exception as err: # pylint: disable=R0801 diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index a9cdba8d..18152651 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -9,7 +9,7 @@ """ -from onelogin.saml2.utils import OneLogin_Saml2_Utils +from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_ValidationError from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -84,30 +84,45 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): if self.__settings.is_strict(): res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active()) if isinstance(res, str): - raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd') + raise OneLogin_Saml2_ValidationError( + 'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd', + OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT + ) security = self.__settings.get_security_data() # Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided in_response_to = self.document.get('InResponseTo', None) if request_id is not None and in_response_to and in_response_to != request_id: - raise Exception('The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id)) + raise OneLogin_Saml2_ValidationError( + 'The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id), + OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO + ) # Check issuer issuer = self.get_issuer() if issuer is not None and issuer != idp_entity_id: - raise Exception('Invalid issuer in the Logout Request') + raise OneLogin_Saml2_ValidationError( + 'Invalid issuer in the Logout Request', + OneLogin_Saml2_ValidationError.WRONG_ISSUER + ) current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) # Check destination destination = self.document.get('Destination', None) if destination and current_url not in destination: - raise Exception('The LogoutRequest was received at $currentURL instead of $destination') + raise OneLogin_Saml2_ValidationError( + 'The LogoutResponse was received at %s instead of %s' % (current_url, destination), + OneLogin_Saml2_ValidationError.WRONG_DESTINATION + ) if security['wantMessagesSigned']: if 'Signature' not in get_data: - raise Exception('The Message of the Logout Response is not signed and the SP require it') + raise OneLogin_Saml2_ValidationError( + 'The Message of the Logout Response is not signed and the SP require it', + OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + ) return True # pylint: disable=R0801 except Exception as err: diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index db739ffe..b8f233aa 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -11,7 +11,7 @@ from copy import deepcopy from onelogin.saml2.constants import OneLogin_Saml2_Constants -from onelogin.saml2.utils import OneLogin_Saml2_Utils, return_false_on_exception +from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError, return_false_on_exception from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -67,15 +67,24 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): try: # Checks SAML version if self.document.get('Version', None) != '2.0': - raise Exception('Unsupported SAML version') + raise OneLogin_Saml2_ValidationError( + 'Unsupported SAML version', + OneLogin_Saml2_ValidationError.UNSUPPORTED_SAML_VERSION + ) # Checks that ID exists if self.document.get('ID', None) is None: - raise Exception('Missing ID attribute on SAML Response') + raise OneLogin_Saml2_ValidationError( + 'Missing ID attribute on SAML Response', + OneLogin_Saml2_ValidationError.MISSING_ID + ) # Checks that the response only has one assertion if not self.validate_num_assertions(): - raise Exception('SAML Response must contain 1 assertion') + raise OneLogin_Saml2_ValidationError( + 'SAML Response must contain 1 assertion', + OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS + ) # Checks that the response has the SUCCESS status self.check_status() @@ -94,13 +103,19 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): no_valid_xml_msg = 'Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd' res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active()) if isinstance(res, str): - raise Exception(no_valid_xml_msg) + raise OneLogin_Saml2_ValidationError( + no_valid_xml_msg, + OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT + ) # If encrypted, check also the decrypted document if self.encrypted: res = OneLogin_Saml2_XML.validate_xml(self.decrypted_document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active()) if isinstance(res, str): - raise Exception(no_valid_xml_msg) + raise OneLogin_Saml2_ValidationError( + no_valid_xml_msg, + OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT + ) security = self.__settings.get_security_data() current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data) @@ -109,35 +124,56 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): in_response_to = self.document.get('InResponseTo', None) if in_response_to is not None and request_id is not None: if in_response_to != request_id: - raise Exception('The InResponseTo of the Response: %s, does not match the ID of the AuthNRequest sent by the SP: %s' % (in_response_to, request_id)) + raise OneLogin_Saml2_ValidationError( + 'The InResponseTo of the Response: %s, does not match the ID of the AuthNRequest sent by the SP: %s' % (in_response_to, request_id), + OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO + ) if not self.encrypted and security['wantAssertionsEncrypted']: - raise Exception('The assertion of the Response is not encrypted and the SP require it') + raise OneLogin_Saml2_ValidationError( + 'The assertion of the Response is not encrypted and the SP require it', + OneLogin_Saml2_ValidationError.NO_ENCRYPTED_ASSERTION + ) if security['wantNameIdEncrypted']: encrypted_nameid_nodes = self.__query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData') if len(encrypted_nameid_nodes) != 1: - raise Exception('The NameID of the Response is not encrypted and the SP require it') + raise OneLogin_Saml2_ValidationError( + 'The NameID of the Response is not encrypted and the SP require it', + OneLogin_Saml2_ValidationError.NO_ENCRYPTED_NAMEID + ) # Checks that a Conditions element exists if not self.check_one_condition(): - raise Exception('The Assertion must include a Conditions element') + raise OneLogin_Saml2_ValidationError( + 'The Assertion must include a Conditions element', + OneLogin_Saml2_ValidationError.MISSING_CONDITIONS + ) # Validates Assertion timestamps self.validate_timestamps(raise_exceptions=True) # Checks that an AuthnStatement element exists and is unique if not self.check_one_authnstatement(): - raise Exception('The Assertion must include an AuthnStatement element') + raise OneLogin_Saml2_ValidationError( + 'The Assertion must include an AuthnStatement element', + OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_AUTHSTATEMENTS + ) # Checks that there is at least one AttributeStatement if required attribute_statement_nodes = self.__query_assertion('/saml:AttributeStatement') if security.get('wantAttributeStatement', True) and not attribute_statement_nodes: - raise Exception('There is no AttributeStatement on the Response') + raise OneLogin_Saml2_ValidationError( + 'There is no AttributeStatement on the Response', + OneLogin_Saml2_ValidationError.NO_ATTRIBUTESTATEMENT + ) encrypted_attributes_nodes = self.__query_assertion('/saml:AttributeStatement/saml:EncryptedAttribute') if encrypted_attributes_nodes: - raise Exception('There is an EncryptedAttribute in the Response and this SP not support them') + raise OneLogin_Saml2_ValidationError( + 'There is an EncryptedAttribute in the Response and this SP not support them', + OneLogin_Saml2_ValidationError.ENCRYPTED_ATTRIBUTES + ) # Checks destination destination = self.document.get('Destination', None) @@ -147,25 +183,39 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): # request_data # current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data) # if not destination.startswith(current_url_routed): - raise Exception('The response was received at %s instead of %s' % (current_url, destination)) + raise OneLogin_Saml2_ValidationError( + 'The response was received at %s instead of %s' % (current_url, destination), + OneLogin_Saml2_ValidationError.WRONG_DESTINATION + ) elif destination == '': - raise Exception('The response has an empty Destination value') - + raise OneLogin_Saml2_ValidationError( + 'The response has an empty Destination value', + OneLogin_Saml2_ValidationError.EMPTY_DESTINATION + ) # Checks audience valid_audiences = self.get_audiences() if valid_audiences and sp_entity_id not in valid_audiences: - raise Exception('%s is not a valid audience for this Response' % sp_entity_id) + raise OneLogin_Saml2_ValidationError( + '%s is not a valid audience for this Response' % sp_entity_id, + OneLogin_Saml2_ValidationError.WRONG_AUDIENCE + ) # Checks the issuers issuers = self.get_issuers() for issuer in issuers: if issuer is None or issuer != idp_entity_id: - raise Exception('Invalid issuer in the Assertion/Response') + raise OneLogin_Saml2_ValidationError( + 'Invalid issuer in the Assertion/Response', + OneLogin_Saml2_ValidationError.WRONG_ISSUER + ) # Checks the session Expiration session_expiration = self.get_session_not_on_or_after() if session_expiration and session_expiration <= OneLogin_Saml2_Utils.now(): - raise Exception('The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response') + raise OneLogin_Saml2_ValidationError( + 'The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response', + OneLogin_Saml2_ValidationError.SESSION_EXPIRED + ) # Checks the SubjectConfirmation, at least one SubjectConfirmation must be valid any_subject_confirmation = False @@ -199,16 +249,28 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): break if not any_subject_confirmation: - raise Exception('A valid SubjectConfirmation was not found on this Response') + raise OneLogin_Saml2_ValidationError( + 'A valid SubjectConfirmation was not found on this Response', + OneLogin_Saml2_ValidationError.WRONG_SUBJECTCONFIRMATION + ) if security['wantAssertionsSigned'] and not has_signed_assertion: - raise Exception('The Assertion of the Response is not signed and the SP require it') + raise OneLogin_Saml2_ValidationError( + 'The Assertion of the Response is not signed and the SP require it', + OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + ) if security['wantMessagesSigned'] and not has_signed_response: - raise Exception('The Message of the Response is not signed and the SP require it') + raise OneLogin_Saml2_ValidationError( + 'The Message of the Response is not signed and the SP require it', + OneLogin_Saml2_ValidationError.NO_SIGNED_ASSERTION + ) if not signed_elements or (not has_signed_response and not has_signed_assertion): - raise Exception('No Signature found. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'No Signature found. SAML Response rejected', + OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND + ) else: cert = idp_data.get('x509cert', None) fingerprint = idp_data.get('certFingerprint', None) @@ -216,11 +278,17 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): # If find a Signature on the Response, validates it checking the original response if has_signed_response and not OneLogin_Saml2_Utils.validate_sign(self.document, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH, raise_exceptions=False): - raise Exception('Signature validation failed. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'Signature validation failed. SAML Response rejected', + OneLogin_Saml2_ValidationError.INVALID_SIGNATURE + ) document_check_assertion = self.decrypted_document if self.encrypted else self.document if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH, raise_exceptions=False): - raise Exception('Signature validation failed. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'Signature validation failed. SAML Response rejected', + OneLogin_Saml2_ValidationError.INVALID_SIGNATURE + ) return True except Exception as err: @@ -247,7 +315,10 @@ def check_status(self): status_msg = status.get('msg', None) if status_msg: status_exception_msg += ' -> ' + status_msg - raise Exception(status_exception_msg) + raise OneLogin_Saml2_ValidationError( + status_exception_msg, + OneLogin_Saml2_ValidationError.STATUS_CODE_IS_NOT_SUCCESS + ) def check_one_condition(self): """ @@ -292,13 +363,19 @@ def get_issuers(self): if len(message_issuer_nodes) == 1: issuers.add(message_issuer_nodes[0].text) else: - raise Exception('Issuer of the Response not found or multiple.') + raise OneLogin_Saml2_ValidationError( + 'Issuer of the Response not found or multiple.', + OneLogin_Saml2_ValidationError.ISSUER_NOT_FOUND_IN_RESPONSE + ) assertion_issuer_nodes = self.__query_assertion('/saml:Issuer') if len(assertion_issuer_nodes) == 1: issuers.add(assertion_issuer_nodes[0].text) else: - raise Exception('Issuer of the Assertion not found or multiple.') + raise OneLogin_Saml2_ValidationError( + 'Issuer of the Assertion not found or multiple.', + OneLogin_Saml2_ValidationError.ISSUER_NOT_FOUND_IN_ASSERTION + ) return list(set(issuers)) @@ -324,10 +401,16 @@ def get_nameid_data(self): if nameid is None: security = self.__settings.get_security_data() if security.get('wantNameId', True): - raise Exception('Not NameID found in the assertion of the Response') + raise OneLogin_Saml2_ValidationError( + 'Not NameID found in the assertion of the Response', + OneLogin_Saml2_ValidationError.NO_NAMEID + ) else: if self.__settings.is_strict() and not nameid.text: - raise Exception('An empty NameID value found') + raise OneLogin_Saml2_ValidationError( + 'An empty NameID value found', + OneLogin_Saml2_ValidationError.EMPTY_NAMEID + ) nameid_data = {'Value': nameid.text} for attr in ['Format', 'SPNameQualifier', 'NameQualifier']: @@ -337,7 +420,10 @@ def get_nameid_data(self): sp_data = self.__settings.get_sp_data() sp_entity_id = sp_data.get('entityId', '') if sp_entity_id != value: - raise Exception('The SPNameQualifier value mistmatch the SP entityID value.') + raise OneLogin_Saml2_ValidationError( + 'The SPNameQualifier value mistmatch the SP entityID value.', + OneLogin_Saml2_ValidationError.SP_NAME_QUALIFIER_NAME_MISMATCH + ) nameid_data[attr] = value return nameid_data @@ -395,7 +481,10 @@ def get_attributes(self): for attribute_node in attribute_nodes: attr_name = attribute_node.get('Name') if attr_name in attributes.keys(): - raise Exception('Found an Attribute element with duplicated Name') + raise OneLogin_Saml2_ValidationError( + 'Found an Attribute element with duplicated Name', + OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND + ) values = [] for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']): @@ -441,14 +530,23 @@ def process_signed_elements(self): for sign_node in sign_nodes: signed_element = sign_node.getparent().tag if signed_element != response_tag and signed_element != assertion_tag: - raise Exception('Invalid Signature Element %s SAML Response rejected' % signed_element) + raise OneLogin_Saml2_ValidationError( + 'Invalid Signature Element %s SAML Response rejected' % signed_element, + OneLogin_Saml2_ValidationError.WRONG_SIGNED_ELEMENT + ) if not sign_node.getparent().get('ID'): - raise Exception('Signed Element must contain an ID. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'Signed Element must contain an ID. SAML Response rejected', + OneLogin_Saml2_ValidationError.ID_NOT_FOUND_IN_SIGNED_ELEMENT + ) id_value = sign_node.getparent().get('ID') if id_value in verified_ids: - raise Exception('Duplicated ID. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'Duplicated ID. SAML Response rejected', + OneLogin_Saml2_ValidationError.DUPLICATED_ID_IN_SIGNED_ELEMENTS + ) verified_ids.append(id_value) # Check that reference URI matches the parent ID and no duplicate References or IDs @@ -459,22 +557,37 @@ def process_signed_elements(self): sei = ref.get('URI')[1:] if sei != id_value: - raise Exception('Found an invalid Signed Element. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'Found an invalid Signed Element. SAML Response rejected', + OneLogin_Saml2_ValidationError.INVALID_SIGNED_ELEMENT + ) if sei in verified_seis: - raise Exception('Duplicated Reference URI. SAML Response rejected') + raise OneLogin_Saml2_ValidationError( + 'Duplicated Reference URI. SAML Response rejected', + OneLogin_Saml2_ValidationError.DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS + ) verified_seis.append(sei) signed_elements.append(signed_element) if signed_elements: - if not self.validate_signed_elements(signed_elements): - raise Exception('Found an unexpected Signature Element. SAML Response rejected') + if not self.validate_signed_elements(signed_elements, raise_exceptions=True): + raise OneLogin_Saml2_ValidationError( + 'Found an unexpected Signature Element. SAML Response rejected', + OneLogin_Saml2_ValidationError.UNEXPECTED_SIGNED_ELEMENT + ) return signed_elements + @return_false_on_exception def validate_signed_elements(self, signed_elements): """ Verifies that the document has the expected signed nodes. + + :param signed_elements: The signed elements to be checked + :type signed_elements: list + :param raise_exceptions: Whether to return false on failure or raise an exception + :type raise_exceptions: Boolean """ if len(signed_elements) > 2: return False @@ -492,12 +605,18 @@ def validate_signed_elements(self, signed_elements): if response_tag in signed_elements: expected_signature_nodes = OneLogin_Saml2_XML.query(self.document, OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH) if len(expected_signature_nodes) != 1: - raise Exception('Unexpected number of Response signatures found. SAML Response rejected.') + raise OneLogin_Saml2_ValidationError( + 'Unexpected number of Response signatures found. SAML Response rejected.', + OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE + ) if assertion_tag in signed_elements: expected_signature_nodes = self.__query(OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH) if len(expected_signature_nodes) != 1: - raise Exception('Unexpected number of Assertion signatures found. SAML Response rejected.') + raise OneLogin_Saml2_ValidationError( + 'Unexpected number of Assertion signatures found. SAML Response rejected.', + OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION + ) return True @@ -515,9 +634,15 @@ def validate_timestamps(self): nb_attr = conditions_node.get('NotBefore') nooa_attr = conditions_node.get('NotOnOrAfter') if nb_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nb_attr) > OneLogin_Saml2_Utils.now() + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT: - raise Exception('Could not validate timestamp: not yet valid. Check system clock.') + raise OneLogin_Saml2_ValidationError( + 'Could not validate timestamp: not yet valid. Check system clock.', + OneLogin_Saml2_ValidationError.ASSERTION_TOO_EARLY + ) if nooa_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nooa_attr) + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT <= OneLogin_Saml2_Utils.now(): - raise Exception('Could not validate timestamp: expired. Check system clock.') + raise OneLogin_Saml2_ValidationError( + 'Could not validate timestamp: expired. Check system clock.', + OneLogin_Saml2_ValidationError.ASSERTION_EXPIRED + ) return True def __query_assertion(self, xpath_expr): @@ -582,7 +707,10 @@ def __decrypt_assertion(self, xml): debug = self.__settings.is_debug_active() if not key: - raise Exception('No private key available, check settings') + raise OneLogin_Saml2_Error( + 'No private key available to decrypt the assertion, check settings', + OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND + ) encrypted_assertion_nodes = OneLogin_Saml2_XML.query(xml, '/samlp:Response/saml:EncryptedAssertion') if encrypted_assertion_nodes: @@ -590,15 +718,24 @@ def __decrypt_assertion(self, xml): if encrypted_data_nodes: keyinfo = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo') if not keyinfo: - raise Exception('No KeyInfo present, invalid Assertion') + raise OneLogin_Saml2_ValidationError( + 'No KeyInfo present, invalid Assertion', + OneLogin_Saml2_ValidationError.KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA + ) keyinfo = keyinfo[0] children = keyinfo.getchildren() if not children: - raise Exception('No child to KeyInfo, invalid Assertion') + raise OneLogin_Saml2_ValidationError( + 'KeyInfo has no children nodes, invalid Assertion', + OneLogin_Saml2_ValidationError.CHILDREN_NODE_NOT_FOIND_IN_KEYINFO + ) for child in children: if 'RetrievalMethod' in child.tag: if child.attrib['Type'] != 'http://www.w3.org/2001/04/xmlenc#EncryptedKey': - raise Exception('Unsupported Retrieval Method found') + raise OneLogin_Saml2_ValidationError( + 'Unsupported Retrieval Method found', + OneLogin_Saml2_ValidationError.UNSUPPORTED_RETRIEVAL_METHOD + ) uri = child.attrib['URI'] if not uri.startswith('#'): break diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index ea0cf4ce..a96523d3 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -114,7 +114,10 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals ','.join(self.__errors) ) else: - raise Exception('Unsupported settings object') + raise OneLogin_Saml2_Error( + 'Unsupported settings object', + OneLogin_Saml2_Error.UNSUPPORTED_SETTINGS_OBJECT + ) self.format_idp_cert() self.format_sp_cert() diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 9765d4f9..4d042374 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -24,7 +24,7 @@ from onelogin.saml2 import compat from onelogin.saml2.constants import OneLogin_Saml2_Constants -from onelogin.saml2.errors import OneLogin_Saml2_Error +from onelogin.saml2.errors import OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -628,11 +628,17 @@ def get_status(dom): status_entry = OneLogin_Saml2_XML.query(dom, '/samlp:Response/samlp:Status') if len(status_entry) != 1: - raise Exception('Missing valid Status on response') + raise OneLogin_Saml2_ValidationError( + 'Missing Status on response', + OneLogin_Saml2_ValidationError.MISSING_STATUS + ) code_entry = OneLogin_Saml2_XML.query(dom, '/samlp:Response/samlp:Status/samlp:StatusCode', status_entry[0]) if len(code_entry) != 1: - raise Exception('Missing valid Status Code on response') + raise OneLogin_Saml2_ValidationError( + 'Missing Status Code on response', + OneLogin_Saml2_ValidationError.MISSING_STATUS_CODE + ) code = code_entry[0].values()[0] status['code'] = code @@ -787,7 +793,10 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid # Raises expection if invalid return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True) else: - raise Exception('Expected exactly one signature node; got {}.'.format(len(signature_nodes))) + raise OneLogin_Saml2_ValidationError( + 'Expected exactly one signature node; got {}.'.format(len(signature_nodes)), + OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_SIGNATURES + ) @staticmethod @return_false_on_exception @@ -880,7 +889,10 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value) if cert is None or cert == '': - raise Exception('Could not validate node signature: No certificate provided.') + raise OneLogin_Saml2_Error( + 'Could not validate node signature: No certificate provided.', + OneLogin_Saml2_Error.CERT_NOT_FOUND + ) # Check if Reference URI is empty reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference') @@ -897,10 +909,8 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None) dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509]) - try: - dsig_ctx.verify(signature_node) - except Exception: - raise Exception('Signature validation failed. SAML Response rejected') + dsig_ctx.verify(signature_node) + return True @staticmethod diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index b7ff8586..41567617 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -12,7 +12,7 @@ from onelogin.saml2.auth import OneLogin_Saml2_Auth from onelogin.saml2.constants import OneLogin_Saml2_Constants from onelogin.saml2.settings import OneLogin_Saml2_Settings -from onelogin.saml2.utils import OneLogin_Saml2_Utils +from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error from onelogin.saml2.logout_request import OneLogin_Saml2_Logout_Request try: @@ -143,10 +143,8 @@ def testProcessNoResponse(self): Case No Response, An exception is throw """ auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=self.loadSettingsJSON()) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'SAML Response not found'): auth.process_response() - exception = context.exception - self.assertIn("SAML Response not found", str(exception)) self.assertEqual(auth.get_errors(), ['invalid_binding']) def testProcessResponseInvalid(self): @@ -259,10 +257,8 @@ def testProcessNoSLO(self): Case No Message, An exception is throw """ auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=self.loadSettingsJSON()) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'SAML LogoutRequest/LogoutResponse not found'): auth.process_slo(True) - exception = context.exception - self.assertIn("SAML LogoutRequest/LogoutResponse not found", str(exception)) self.assertEqual(auth.get_errors(), ['invalid_binding']) def testProcessSLOResponseInvalid(self): @@ -773,10 +769,8 @@ def testLogoutNoSLO(self): del settings_info['idp']['singleLogoutService'] auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info) # The Header of the redirect produces an Exception - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'The IdP does not support Single Log Out'): auth.logout('http://example.com/returnto') - exception = context.exception - self.assertIn("The IdP does not support Single Log Out", str(exception)) def testLogoutNameIDandSessionIndex(self): """ @@ -863,10 +857,8 @@ def testBuildRequestSignature(self): settings['sp']['privateKey'] = '' settings['custom_base_path'] = u'invalid/path/' auth2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(OneLogin_Saml2_Error, "Trying to sign the SAMLRequest but can't load the SP private key"): auth2.add_request_signature(parameters) - exception = context.exception - self.assertIn("Trying to sign the SAMLRequest but can't load the SP private key", str(exception)) def testBuildResponseSignature(self): """ @@ -886,10 +878,8 @@ def testBuildResponseSignature(self): settings['sp']['privateKey'] = '' settings['custom_base_path'] = u'invalid/path/' auth2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(OneLogin_Saml2_Error, "Trying to sign the SAMLResponse but can't load the SP private key"): auth2.add_response_signature(parameters) - exception = context.exception - self.assertIn("Trying to sign the SAMLResponse but can't load the SP private key", str(exception)) def testIsInValidLogoutResponseSign(self): """ diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py index 2cc1083b..8ca47436 100644 --- a/tests/src/OneLogin/saml2_tests/logout_response_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py @@ -170,11 +170,10 @@ def testIsInValidRequestId(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) - try: - valid = response_2.is_valid(request_data, request_id) - self.assertFalse(valid) - except Exception as e: - self.assertIn('The InResponseTo of the Logout Response:', str(e)) + self.assertFalse(response_2.is_valid(request_data, request_id)) + self.assertIn('The InResponseTo of the Logout Response:', response_2.get_error()) + with self.assertRaisesRegexp(Exception, 'The InResponseTo of the Logout Response:'): + response_2.is_valid(request_data, request_id, raise_exceptions=True) def testIsInValidIssuer(self): """ @@ -223,7 +222,7 @@ def testIsInValidDestination(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) - with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): + with self.assertRaisesRegexp(Exception, 'The LogoutResponse was received at'): response_2.is_valid(request_data, raise_exceptions=True) # Empty destination @@ -258,7 +257,7 @@ def testIsValid(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Logout_Response(settings, message) - with self.assertRaisesRegexp(Exception, 'The LogoutRequest was received at'): + with self.assertRaisesRegexp(Exception, 'The LogoutResponse was received at'): response_2.is_valid(request_data, raise_exceptions=True) plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message)) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 1bd726c0..b3c6e6af 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -388,12 +388,10 @@ def testOnlyRetrieveAssertionWithIDThatMatchesSignatureReference(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'wrapped_response_2.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - self.assertTrue(response.is_valid(self.get_request_data())) - nameid = response.get_nameid() - self.assertNotEqual('root@example.com', nameid) - except Exception: - self.assertEqual('Invalid Signature Element {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor SAML Response rejected', response.get_error()) + with self.assertRaisesRegexp(Exception, 'Invalid Signature Element {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor SAML Response rejected'): + response.is_valid(self.get_request_data(), raise_exceptions=True) + nameid = response.get_nameid() + self.assertEqual('root@example.com', nameid) def testDoesNotAllowSignatureWrappingAttack(self): """ @@ -514,11 +512,11 @@ def testIsInValidReference(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - try: - valid = response.is_valid(self.get_request_data()) - self.assertFalse(valid) - except Exception as e: - self.assertEqual('Reference validation failed', str(e)) + self.assertFalse(response.is_valid(self.get_request_data())) + self.assertEqual('Signature validation failed. SAML Response rejected', response.get_error()) + + with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): + response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidExpired(self): """ diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py index c1b04ba6..60f79c08 100644 --- a/tests/src/OneLogin/saml2_tests/utils_test.py +++ b/tests/src/OneLogin/saml2_tests/utils_test.py @@ -391,19 +391,15 @@ def testGetStatus(self): xml_inv = b64decode(xml_inv) dom_inv = etree.fromstring(xml_inv) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(Exception, 'Missing Status on response'): OneLogin_Saml2_Utils.get_status(dom_inv) - exception = context.exception - self.assertIn("Missing valid Status on response", str(exception)) xml_inv2 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_status_code.xml.base64')) xml_inv2 = b64decode(xml_inv2) dom_inv2 = etree.fromstring(xml_inv2) - with self.assertRaises(Exception) as context: + with self.assertRaisesRegexp(Exception, 'Missing Status Code on response'): OneLogin_Saml2_Utils.get_status(dom_inv2) - exception = context.exception - self.assertIn("Missing valid Status Code on response", str(exception)) def testParseDuration(self): """ From 73ee97717d75a71f4863deea069f9e83ca83897a Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 30 Dec 2016 00:30:22 +0100 Subject: [PATCH 011/331] Add support for retrieving the last ID of the generated AuthNRequest / LogoutRequest --- README.md | 9 +++++++++ src/onelogin/saml2/auth.py | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/README.md b/README.md index b8b3d1fc..a96162d2 100644 --- a/README.md +++ b/README.md @@ -523,6 +523,10 @@ The login method can recieve 3 more optional parameters: * is_passive When true the AuthNReuqest will set the Ispassive='true' * set_nameid_policy When true the AuthNReuqest will set a nameIdPolicy element. +If a match on the future SAMLResponse ID and the AuthNRequest ID to be sent is required, that AuthNRequest ID must to be extracted and stored for future validation, we can get that ID by + +auth.get_last_request_id() + #### The SP Endpoints #### Related to the SP there are 3 important endpoints: The metadata view, the ACS view and the SLS view. @@ -706,6 +710,10 @@ Also there are 2 optional parameters that can be set: SAML Response with a NameId, then this NameId will be used. * session_index. SessionIndex that identifies the session of the user. +If a match on the LogoutResponse ID and the LogoutRequest ID to be sent is required, that LogoutRequest ID must to be extracted and stored for future validation, we can get that ID by + +auth.get_last_request_id() + ####Example of a view that initiates the SSO request and handles the response (is the acs target)#### We can code a unique file that initiates the SSO process, handle the response, get the attributes, initiate the slo and processes the logout response. @@ -781,6 +789,7 @@ Main class of OneLogin Python Toolkit * ***get_last_error_reason*** Returns the reason of the last error * ***get_sso_url*** Gets the SSO url. * ***get_slo_url*** Gets the SLO url. +* ***get_last_request_id*** The ID of the last Request SAML message generated (AuthNRequest, LogoutRequest). * ***build_request_signature*** Builds the Signature of the SAML Request. * ***build_response_signature*** Builds the Signature of the SAML Response. * ***get_settings*** Returns the settings info. diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 4b855119..0dd776e0 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -58,6 +58,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None): self.__authenticated = False self.__errors = [] self.__error_reason = None + self.__last_request_id = None def get_settings(self): """ @@ -260,6 +261,13 @@ def get_attribute(self, name): assert isinstance(name, compat.str_type) return self.__attributes.get(name) + def get_last_request_id(self): + """ + :returns: The ID of the last Request SAML message generated. + :rtype: string + """ + return self.__last_request_id + def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True): """ Initiates the SSO process. @@ -280,6 +288,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_ :rtype: string """ authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive, set_nameid_policy) + self.__last_request_id = authn_request.get_id() saml_request = authn_request.get_request() parameters = {'SAMLRequest': saml_request} @@ -328,6 +337,7 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None): session_index=session_index, nq=nq ) + self.__last_request_id = logout_request.id parameters = {'SAMLRequest': logout_request.get_request()} if return_to is not None: From a510f167812d1ae56f4dd2c9ee42547b4847cf6f Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 30 Dec 2016 01:32:59 +0100 Subject: [PATCH 012/331] Add hooks to retrieve last-sent and last-received requests and responses --- README.md | 8 +- src/onelogin/saml2/auth.py | 32 ++++++++ src/onelogin/saml2/authn_request.py | 8 ++ src/onelogin/saml2/logout_request.py | 9 +++ src/onelogin/saml2/logout_response.py | 9 +++ src/onelogin/saml2/response.py | 11 +++ src/onelogin/saml2/xml_templates.py | 78 +++++++++--------- .../decrypted_valid_encrypted_assertion.xml | 7 ++ ...ty_decrypted_valid_encrypted_assertion.xml | 7 ++ .../pretty_signed_message_response.xml | 48 +++++++++++ tests/src/OneLogin/saml2_tests/auth_test.py | 81 +++++++++++++++++++ .../saml2_tests/authn_request_test.py | 28 +++++++ .../saml2_tests/logout_request_test.py | 20 +++++ .../saml2_tests/logout_response_test.py | 24 ++++++ .../src/OneLogin/saml2_tests/response_test.py | 19 +++++ 15 files changed, 348 insertions(+), 41 deletions(-) create mode 100644 tests/data/responses/decrypted_valid_encrypted_assertion.xml create mode 100644 tests/data/responses/pretty_decrypted_valid_encrypted_assertion.xml create mode 100644 tests/data/responses/pretty_signed_message_response.xml diff --git a/README.md b/README.md index a96162d2..a8021196 100644 --- a/README.md +++ b/README.md @@ -794,6 +794,8 @@ Main class of OneLogin Python Toolkit * ***build_response_signature*** Builds the Signature of the SAML Response. * ***get_settings*** Returns the settings info. * ***set_strict*** Set the strict mode active/disable. +* ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (AuthNRequest, LogoutRequest) +* ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse was encrypted, by default tries to return the decrypted XML. ####OneLogin_Saml2_Auth - authn_request.py#### @@ -802,7 +804,7 @@ SAML 2 Authentication Request class * `__init__` This class handles an AuthNRequest. It builds an AuthNRequest object. * ***get_request*** Returns unsigned AuthnRequest. * ***get_id*** Returns the AuthNRequest ID. - +* ***get_xml*** Returns the XML that will be sent as part of the request. ####OneLogin_Saml2_Response - response.py#### @@ -821,6 +823,7 @@ SAML 2 Authentication Response class * ***validate_num_assertions*** Verifies that the document only contains a single Assertion (encrypted or not) * ***validate_timestamps*** Verifies that the document is valid according to Conditions Element * ***get_error*** After execute a validation process, if fails this method returns the cause +* ***get_xml_document*** If necessary, decrypt the XML response document, and return it. ####OneLogin_Saml2_LogoutRequest - logout_request.py#### @@ -835,6 +838,7 @@ SAML 2 Logout Request class * ***get_session_indexes*** Gets the SessionIndexes from the Logout Request. * ***is_valid*** Checks if the Logout Request recieved is valid. * ***get_error*** After execute a validation process, if fails this method returns the cause. +* ***get_xml*** Returns the XML that will be sent as part of the request or that was received at the SP ####OneLogin_Saml2_LogoutResponse - logout_response.py#### @@ -847,7 +851,7 @@ SAML 2 Logout Response class * ***build*** Creates a Logout Response object. * ***get_response*** Returns a Logout Response object. * ***get_error*** After execute a validation process, if fails this method returns the cause. - +* ***get_xml*** Returns the XML that will be sent as part of the response or that was received at the SP ####OneLogin_Saml2_Settings - settings.py#### diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 0dd776e0..188c0ea5 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -12,6 +12,7 @@ """ import xmlsec +from lxml import etree from onelogin.saml2 import compat from onelogin.saml2.settings import OneLogin_Saml2_Settings @@ -59,6 +60,8 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None): self.__errors = [] self.__error_reason = None self.__last_request_id = None + self.__last_request = None + self.__last_response = None def get_settings(self): """ @@ -92,6 +95,7 @@ def process_response(self, request_id=None): if 'post_data' in self.__request_data and 'SAMLResponse' in self.__request_data['post_data']: # AuthnResponse -- HTTP_POST Binding response = OneLogin_Saml2_Response(self.__settings, self.__request_data['post_data']['SAMLResponse']) + self.__last_response = response.get_xml_document() if response.is_valid(self.__request_data, request_id): self.__attributes = response.get_attributes() @@ -128,6 +132,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_ get_data = 'get_data' in self.__request_data and self.__request_data['get_data'] if get_data and 'SAMLResponse' in get_data: logout_response = OneLogin_Saml2_Logout_Response(self.__settings, get_data['SAMLResponse']) + self.__last_response = logout_response.get_xml() if not self.validate_response_signature(get_data): self.__errors.append('invalid_logout_response_signature') self.__errors.append('Signature validation failed. Logout Response rejected') @@ -141,6 +146,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_ elif get_data and 'SAMLRequest' in get_data: logout_request = OneLogin_Saml2_Logout_Request(self.__settings, get_data['SAMLRequest']) + self.__last_request = logout_request.get_xml() if not self.validate_request_signature(get_data): self.__errors.append("invalid_logout_request_signature") self.__errors.append('Signature validation failed. Logout Request rejected') @@ -154,6 +160,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_ in_response_to = logout_request.id response_builder = OneLogin_Saml2_Logout_Response(self.__settings) response_builder.build(in_response_to) + self.__last_response = response_builder.get_xml() logout_response = response_builder.get_response() parameters = {'SAMLResponse': logout_response} @@ -288,6 +295,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_ :rtype: string """ authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive, set_nameid_policy) + self.__last_request = authn_request.get_xml() self.__last_request_id = authn_request.get_id() saml_request = authn_request.get_request() @@ -337,6 +345,7 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None): session_index=session_index, nq=nq ) + self.__last_request = logout_request.get_xml() self.__last_request_id = logout_request.id parameters = {'SAMLRequest': logout_request.get_request()} @@ -547,3 +556,26 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False): if raise_exceptions: raise e return False + + def get_last_response_xml(self, pretty_print_if_possible=False): + """ + Retrieves the raw XML (decrypted) of the last SAML response, + or the last Logout Response generated or processed + :returns: SAML response XML + :rtype: string|None + """ + response = None + if self.__last_response is not None: + if isinstance(self.__last_response, basestring): + response = self.__last_response + else: + response = etree.tostring(self.__last_response, pretty_print=pretty_print_if_possible) + return response + + def get_last_request_xml(self): + """ + Retrieves the raw XML sent in the last SAML request + :returns: SAML request XML + :rtype: string|None + """ + return self.__last_request or None diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py index 706ad9de..ee6e1d2b 100644 --- a/src/onelogin/saml2/authn_request.py +++ b/src/onelogin/saml2/authn_request.py @@ -140,3 +140,11 @@ def get_id(self): :rtype: string """ return self.__id + + def get_xml(self): + """ + Returns the XML that will be sent as part of the request + :return: XML request body + :rtype: string + """ + return self.__authn_request diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 93a57bb2..63a7409b 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -111,6 +111,15 @@ def get_request(self, deflate=True): request = OneLogin_Saml2_Utils.b64encode(self.__logout_request) return request + def get_xml(self): + """ + Returns the XML that will be sent as part of the request + or that was received at the SP + :return: XML request body + :rtype: string + """ + return self.__logout_request + @staticmethod def get_id(request): """ diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index 18152651..206b3683 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -187,3 +187,12 @@ def get_error(self): After executing a validation process, if it fails this method returns the cause """ return self.__error + + def get_xml(self): + """ + Returns the XML that will be sent as part of the response + or that was received at the SP + :return: XML response body + :rtype: string + """ + return self.__logout_response diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index b8f233aa..f2e7e2ca 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -754,3 +754,14 @@ def get_error(self): After executing a validation process, if it fails this method returns the cause """ return self.__error + + def get_xml_document(self): + """ + If necessary, decrypt the XML response document, and return it. + :return: Decrypted XML response document + :rtype: string + """ + if self.encrypted: + return self.decrypted_document + else: + return self.document diff --git a/src/onelogin/saml2/xml_templates.py b/src/onelogin/saml2/xml_templates.py index c55cf658..6be5c536 100644 --- a/src/onelogin/saml2/xml_templates.py +++ b/src/onelogin/saml2/xml_templates.py @@ -21,26 +21,26 @@ class OneLogin_Saml2_Templates(object): AUTHN_REQUEST = """\ + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + ID="%(id)s" + Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s + IssueInstant="%(issue_instant)s" + Destination="%(destination)s" + ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s> %(entity_id)s%(nameid_policy_str)s %(requested_authn_context_str)s """ LOGOUT_REQUEST = """\ + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + ID="%(id)s" + Version="2.0" + IssueInstant="%(issue_instant)s" + Destination="%(single_logout_url)s"> %(entity_id)s %(name_id)s %(session_index)s @@ -48,13 +48,13 @@ class OneLogin_Saml2_Templates(object): LOGOUT_RESPONSE = """\ + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + ID="%(id)s" + Version="2.0" + IssueInstant="%(issue_instant)s" + Destination="%(destination)s" + InResponseTo="%(in_response_to)s"> %(entity_id)s @@ -105,18 +105,18 @@ class OneLogin_Saml2_Templates(object): RESPONSE = """\ + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + ID="%(id)s" + InResponseTo="%(in_response_to)s" + Version="2.0" + IssueInstant="%(issue_instant)s" + Destination="%(destination)s"> %(entity_id)s + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" + Value="%(status)s"> %(entity_id)s %(name_id)s + NameQualifier="%(entity_id)s" + SPNameQualifier="%(requester)s" + Format="%(name_id_policy)s">%(name_id)s + NotOnOrAfter="%(not_after)s" + InResponseTo="%(in_response_to)s" + Recipient="%(destination)s"> @@ -145,9 +145,9 @@ class OneLogin_Saml2_Templates(object): + AuthnInstant="%(issue_instant)s" + SessionIndex="%(session_index)s" + SessionNotOnOrAfter="%(not_after)s"> %(authn_context)s diff --git a/tests/data/responses/decrypted_valid_encrypted_assertion.xml b/tests/data/responses/decrypted_valid_encrypted_assertion.xml new file mode 100644 index 00000000..0237994f --- /dev/null +++ b/tests/data/responses/decrypted_valid_encrypted_assertion.xml @@ -0,0 +1,7 @@ + + http://idp.example.com/ + + + + http://idp.example.com/_68392312d490db6d355555cfbbd8ec95d746516f60http://stuff.com/endpoints/metadata.phpurn:oasis:names:tc:SAML:2.0:ac:classes:Passwordtesttest@example.comtestwaa2useradmin + \ No newline at end of file diff --git a/tests/data/responses/pretty_decrypted_valid_encrypted_assertion.xml b/tests/data/responses/pretty_decrypted_valid_encrypted_assertion.xml new file mode 100644 index 00000000..fbc5942f --- /dev/null +++ b/tests/data/responses/pretty_decrypted_valid_encrypted_assertion.xml @@ -0,0 +1,7 @@ + + http://idp.example.com/ + + + + http://idp.example.com/_68392312d490db6d355555cfbbd8ec95d746516f60http://stuff.com/endpoints/metadata.phpurn:oasis:names:tc:SAML:2.0:ac:classes:Passwordtesttest@example.comtestwaa2useradmin + diff --git a/tests/data/responses/pretty_signed_message_response.xml b/tests/data/responses/pretty_signed_message_response.xml new file mode 100644 index 00000000..7dcb65ee --- /dev/null +++ b/tests/data/responses/pretty_signed_message_response.xml @@ -0,0 +1,48 @@ + + https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php + + + + 1dQFiYU0o2OF7c/RVV8Gpgb4u3I=wRgBXOq/FiLZc2mureTC/j6zY709OikJ5HeUSruHTdYjEg9aZy1RbxlKIYEIfXpnX7NBoKxfAMm+O0fsrqOjgcYxTVkqZjOr71qiXNbtwjeAkdYSpk5brsAcnfcPdv8QReYr3D7t5ZVCgYuvXQ+dNELKeag7e1ASOzVqOdp5Z9Y= +MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo + + + + + https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php + + _b98f98bb1ab512ced653b58baaff543448daed535d + + + + + + + https://pitbulk.no-ip.org/newonelogin/demo1/metadata.php + + + + + urn:oasis:names:tc:SAML:2.0:ac:classes:Password + + + + + test + + + test@example.com + + + test + + + waa2 + + + user + admin + + + + diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index 41567617..fcfe1bde 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -1065,3 +1065,84 @@ def testIsValidLogoutRequestSign(self): auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_2) auth.process_slo() self.assertIn('Signature validation failed. Logout Request rejected', auth.get_errors()) + + def testGetLastSAMLResponse(self): + settings = self.loadSettingsJSON() + message = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) + message_wrapper = {'post_data': {'SAMLResponse': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_response() + expected_message = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml')) + self.assertEqual(auth.get_last_response_xml(True), expected_message) + + # with encrypted assertion + message = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64')) + message_wrapper = {'post_data': {'SAMLResponse': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_response() + decrypted_response = self.file_contents(join(self.data_path, 'responses', 'decrypted_valid_encrypted_assertion.xml')) + self.assertEqual(auth.get_last_response_xml(False), decrypted_response) + pretty_decrypted_response = self.file_contents(join(self.data_path, 'responses', 'pretty_decrypted_valid_encrypted_assertion.xml')) + self.assertEqual(auth.get_last_response_xml(True), pretty_decrypted_response) + + def testGetLastAuthnRequest(self): + settings = self.loadSettingsJSON() + auth = OneLogin_Saml2_Auth({'http_host': 'localhost', 'script_name': 'thing'}, old_settings=settings) + auth.login() + expectedFragment = ( + ' Destination="http://idp.example.com/SSOService.php"\n' + ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n' + ' AssertionConsumerServiceURL="http://stuff.com/endpoints/endpoints/acs.php">\n' + ' http://stuff.com/endpoints/metadata.php\n' + ' \n' + ' \n' + ' urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\n' + ' \n' + ) + self.assertIn(expectedFragment, auth.get_last_request_xml()) + + def testGetLastLogoutRequest(self): + settings = self.loadSettingsJSON() + auth = OneLogin_Saml2_Auth({'http_host': 'localhost', 'script_name': 'thing'}, old_settings=settings) + auth.logout() + expectedFragment = ( + ' Destination="http://idp.example.com/SingleLogoutService.php">\n' + ' http://stuff.com/endpoints/metadata.php\n' + ' http://idp.example.com/\n' + ' \n' + ) + self.assertIn(expectedFragment, auth.get_last_request_xml()) + + request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml')) + message = OneLogin_Saml2_Utils.deflate_and_base64_encode(request) + message_wrapper = {'get_data': {'SAMLRequest': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_slo() + self.assertEqual(request, auth.get_last_request_xml()) + + def testGetLastLogoutResponse(self): + settings = self.loadSettingsJSON() + request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml')) + message = OneLogin_Saml2_Utils.deflate_and_base64_encode(request) + message_wrapper = {'get_data': {'SAMLRequest': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_slo() + expectedFragment = ( + ' Destination="http://idp.example.com/SingleLogoutService.php"\n' + ' InResponseTo="ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e">\n' + ' http://stuff.com/endpoints/metadata.php\n' + ' \n' + ' \n' + ' \n' + '' + ) + self.assertIn(expectedFragment, auth.get_last_response_xml()) + + response = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response.xml')) + message = OneLogin_Saml2_Utils.deflate_and_base64_encode(response) + message_wrapper = {'get_data': {'SAMLResponse': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_slo() + self.assertEqual(response, auth.get_last_response_xml()) diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py index 2a46c880..598ed115 100644 --- a/tests/src/OneLogin/saml2_tests/authn_request_test.py +++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py @@ -73,6 +73,34 @@ def testCreateRequest(self): self.assertRegex(inflated, '^\n' + ' http://stuff.com/endpoints/metadata.php\n' + ' http://idp.example.com/\n' + ' \n' + ) + self.assertIn(expectedFragment, logout_request_generated.get_xml()) + + logout_request_processed = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request)) + self.assertEqual(request, logout_request_processed.get_xml()) diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py index 8ca47436..9689d688 100644 --- a/tests/src/OneLogin/saml2_tests/logout_response_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py @@ -284,3 +284,27 @@ def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): with self.assertRaises(Exception): response.is_valid(request_data, raise_exceptions=True) + + def testGetXML(self): + """ + Tests that we can get the logout response XML directly without + going through intermediate steps + """ + response = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response.xml')) + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + + logout_response_generated = OneLogin_Saml2_Logout_Response(settings) + logout_response_generated.build("InResponseValue") + expectedFragment = ( + 'Destination="http://idp.example.com/SingleLogoutService.php"\n' + ' InResponseTo="InResponseValue">\n' + ' http://stuff.com/endpoints/metadata.php\n' + ' \n' + ' \n' + ' \n' + '' + ) + self.assertIn(expectedFragment, logout_response_generated.get_xml()) + + logout_response_processed = OneLogin_Saml2_Logout_Response(settings, OneLogin_Saml2_Utils.deflate_and_base64_encode(response)) + self.assertEqual(response, logout_response_processed.get_xml()) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index b3c6e6af..49f0f1ca 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -4,6 +4,7 @@ # All rights reserved. from base64 import b64decode +from lxml import etree from datetime import datetime from datetime import timedelta from freezegun import freeze_time @@ -59,6 +60,24 @@ def testConstruct(self): self.assertIsInstance(response_enc, OneLogin_Saml2_Response) + def testGetXMLDocument(self): + """ + Tests that we can retrieve the raw text of an encrypted XML response + without going through intermediate steps + """ + json_settings = self.loadSettingsJSON() + settings = OneLogin_Saml2_Settings(json_settings) + + xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + prety_xml = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml')) + self.assertEqual(etree.tostring(response.get_xml_document(), pretty_print=True), prety_xml) + + xml_2 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64')) + response_2 = OneLogin_Saml2_Response(settings, xml_2) + decrypted = self.file_contents(join(self.data_path, 'responses', 'decrypted_valid_encrypted_assertion.xml')) + self.assertEqual(etree.tostring(response_2.get_xml_document()), decrypted) + def testReturnNameId(self): """ Tests the get_nameid method of the OneLogin_Saml2_Response From 37788e233a339c8ff213ae28bbc82625dc5ff2ad Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 30 Dec 2016 15:03:53 +0100 Subject: [PATCH 013/331] Suggested changes --- src/onelogin/saml2/errors.py | 2 ++ src/onelogin/saml2/logout_request.py | 2 +- src/onelogin/saml2/response.py | 2 +- src/onelogin/saml2/utils.py | 10 +++++++++- .../OneLogin/saml2_tests/logout_request_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/response_test.py | 14 +++++++------- 6 files changed, 22 insertions(+), 12 deletions(-) diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py index 0f84a09b..cdb825e0 100644 --- a/src/onelogin/saml2/errors.py +++ b/src/onelogin/saml2/errors.py @@ -25,6 +25,8 @@ class OneLogin_Saml2_Error(Exception): SETTINGS_INVALID_SYNTAX = 1 SETTINGS_INVALID = 2 METADATA_SP_INVALID = 3 + # SP_CERTS_NOT_FOUND is deprecated, use CERT_NOT_FOUND instead + SP_CERTS_NOT_FOUND = 4 CERT_NOT_FOUND = 4 REDIRECT_INVALID_URL = 5 PUBLIC_CERT_FILE_NOT_FOUND = 6 diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 63a7409b..5c73ca29 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -166,7 +166,7 @@ def get_nameid_data(request, key=None): if name_id is None: raise OneLogin_Saml2_ValidationError( - 'Not NameID found in the Logout Request', + 'NameID not found in the Logout Request', OneLogin_Saml2_ValidationError.NO_NAMEID ) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index f2e7e2ca..9968788b 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -402,7 +402,7 @@ def get_nameid_data(self): security = self.__settings.get_security_data() if security.get('wantNameId', True): raise OneLogin_Saml2_ValidationError( - 'Not NameID found in the assertion of the Response', + 'NameID not found in the assertion of the Response', OneLogin_Saml2_ValidationError.NO_NAMEID ) else: diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 4d042374..42b42b10 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -909,7 +909,15 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None) dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509]) - dsig_ctx.verify(signature_node) + + try: + dsig_ctx.verify(signature_node) + except Exception as err: + raise OneLogin_Saml2_ValidationError( + 'Signature validation failed. SAML Response rejected', + OneLogin_Saml2_ValidationError.INVALID_SIGNATURE, + str(err) + ) return True diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index 58c02f82..e2bd0cfa 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -138,11 +138,11 @@ def testGetNameIdData(self): encrypted_id_nodes = dom_2.getElementsByTagName('saml:EncryptedID') encrypted_data = encrypted_id_nodes[0].firstChild.nextSibling encrypted_id_nodes[0].removeChild(encrypted_data) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the Logout Request'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid(dom_2.toxml(), key) inv_request = self.file_contents(join(self.data_path, 'logout_requests', 'invalids', 'no_nameId.xml')) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the Logout Request'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid(inv_request) def testGetNameId(self): diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 49f0f1ca..0af0c286 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -98,14 +98,14 @@ def testReturnNameId(self): xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_4.get_nameid() json_settings['security']['wantNameId'] = True settings = OneLogin_Saml2_Settings(json_settings) response_5 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_5.get_nameid() json_settings['security']['wantNameId'] = False @@ -119,7 +119,7 @@ def testReturnNameId(self): settings = OneLogin_Saml2_Settings(json_settings) response_7 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_7.get_nameid() json_settings['strict'] = True @@ -172,14 +172,14 @@ def testGetNameIdData(self): xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_4.get_nameid_data() json_settings['security']['wantNameId'] = True settings = OneLogin_Saml2_Settings(json_settings) response_5 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_5.get_nameid_data() json_settings['security']['wantNameId'] = False @@ -193,7 +193,7 @@ def testGetNameIdData(self): settings = OneLogin_Saml2_Settings(json_settings) response_7 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_7.get_nameid_data() json_settings['security']['wantNameId'] = False @@ -207,7 +207,7 @@ def testGetNameIdData(self): settings = OneLogin_Saml2_Settings(json_settings) response_7 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Not NameID found in the assertion of the Response'): + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): response_7.get_nameid_data() json_settings['strict'] = True From a096f36ae1edd477b4c4817df9dd2eb1319fd134 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 30 Dec 2016 17:06:26 +0100 Subject: [PATCH 014/331] Minor bug --- src/onelogin/saml2/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 42b42b10..74d46be1 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -914,7 +914,7 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger dsig_ctx.verify(signature_node) except Exception as err: raise OneLogin_Saml2_ValidationError( - 'Signature validation failed. SAML Response rejected', + 'Signature validation failed. SAML Response rejected. %s', OneLogin_Saml2_ValidationError.INVALID_SIGNATURE, str(err) ) From acb88e0690467a9f591fe172ad6e112dbad44e13 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sat, 31 Dec 2016 10:02:27 +0100 Subject: [PATCH 015/331] Fix typo --- src/onelogin/saml2/errors.py | 2 +- src/onelogin/saml2/response.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py index cdb825e0..f00d51b2 100644 --- a/src/onelogin/saml2/errors.py +++ b/src/onelogin/saml2/errors.py @@ -100,7 +100,7 @@ class OneLogin_Saml2_ValidationError(Exception): NO_SIGNED_ASSERTION = 33 NO_SIGNATURE_FOUND = 34 KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35 - CHILDREN_NODE_NOT_FOIND_IN_KEYINFO = 36 + CHILDREN_NODE_NOT_FOUND_IN_KEYINFO = 36 UNSUPPORTED_RETRIEVAL_METHOD = 37 NO_NAMEID = 38 EMPTY_NAMEID = 39 diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index 9968788b..f2aca97f 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -727,7 +727,7 @@ def __decrypt_assertion(self, xml): if not children: raise OneLogin_Saml2_ValidationError( 'KeyInfo has no children nodes, invalid Assertion', - OneLogin_Saml2_ValidationError.CHILDREN_NODE_NOT_FOIND_IN_KEYINFO + OneLogin_Saml2_ValidationError.CHILDREN_NODE_NOT_FOUND_IN_KEYINFO ) for child in children: if 'RetrievalMethod' in child.tag: From fa6d3ea9314650d66c5e855649e4443524dd853d Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 2 Jan 2017 17:23:10 +0100 Subject: [PATCH 016/331] Minor fix on docs --- README.md | 4 ++-- src/onelogin/saml2/response.py | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a8021196..f873229e 100644 --- a/README.md +++ b/README.md @@ -795,7 +795,7 @@ Main class of OneLogin Python Toolkit * ***get_settings*** Returns the settings info. * ***set_strict*** Set the strict mode active/disable. * ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (AuthNRequest, LogoutRequest) -* ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse was encrypted, by default tries to return the decrypted XML. +* ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse had an encrypted assertion, decrypts it. ####OneLogin_Saml2_Auth - authn_request.py#### @@ -823,7 +823,7 @@ SAML 2 Authentication Response class * ***validate_num_assertions*** Verifies that the document only contains a single Assertion (encrypted or not) * ***validate_timestamps*** Verifies that the document is valid according to Conditions Element * ***get_error*** After execute a validation process, if fails this method returns the cause -* ***get_xml_document*** If necessary, decrypt the XML response document, and return it. +* ***get_xml_document*** Returns the SAML Response document (If contains an encrypted assertion, decrypts it). ####OneLogin_Saml2_LogoutRequest - logout_request.py#### diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index f2aca97f..7c110f4b 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -757,9 +757,10 @@ def get_error(self): def get_xml_document(self): """ - If necessary, decrypt the XML response document, and return it. + Returns the SAML Response document (If contains an encrypted assertion, decrypts it) + :return: Decrypted XML response document - :rtype: string + :rtype: DOMDocument """ if self.encrypted: return self.decrypted_document From cbbe084b64134799568618259e7385f9a6513051 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 3 Jan 2017 17:13:58 +0100 Subject: [PATCH 017/331] Fix name --- src/onelogin/saml2/auth.py | 2 +- src/onelogin/saml2/errors.py | 2 +- src/onelogin/saml2/logout_request.py | 2 +- src/onelogin/saml2/logout_response.py | 2 +- src/onelogin/saml2/response.py | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 188c0ea5..340fb0d8 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -512,7 +512,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False): if self.__settings.is_strict() and self.__settings.get_security_data().get('wantMessagesSigned', False): raise OneLogin_Saml2_ValidationError( 'The %s is not signed. Rejected.' % saml_type, - OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE ) return True diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py index f00d51b2..d206f9c2 100644 --- a/src/onelogin/saml2/errors.py +++ b/src/onelogin/saml2/errors.py @@ -96,7 +96,7 @@ class OneLogin_Saml2_ValidationError(Exception): WRONG_ISSUER = 29 SESSION_EXPIRED = 30 WRONG_SUBJECTCONFIRMATION = 31 - NO_SIGNED_RESPONSE = 32 + NO_SIGNED_MESSAGE = 32 NO_SIGNED_ASSERTION = 33 NO_SIGNATURE_FOUND = 34 KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35 diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 5c73ca29..710b732d 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -296,7 +296,7 @@ def is_valid(self, request_data, raise_exceptions=False): if 'Signature' not in get_data: raise OneLogin_Saml2_ValidationError( 'The Message of the Logout Request is not signed and the SP require it', - OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE ) return True diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index 206b3683..f5ea249c 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -121,7 +121,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): if 'Signature' not in get_data: raise OneLogin_Saml2_ValidationError( 'The Message of the Logout Response is not signed and the SP require it', - OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE ) return True # pylint: disable=R0801 diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index 7c110f4b..55ddeec7 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -257,7 +257,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): if security['wantAssertionsSigned'] and not has_signed_assertion: raise OneLogin_Saml2_ValidationError( 'The Assertion of the Response is not signed and the SP require it', - OneLogin_Saml2_ValidationError.NO_SIGNED_RESPONSE + OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE ) if security['wantMessagesSigned'] and not has_signed_response: From c90a62d3c8579fa08285ac3849665f1261d4a875 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 3 Jan 2017 22:24:11 +0100 Subject: [PATCH 018/331] Typo --- src/onelogin/saml2/response.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index 55ddeec7..ba2b3545 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -257,13 +257,13 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): if security['wantAssertionsSigned'] and not has_signed_assertion: raise OneLogin_Saml2_ValidationError( 'The Assertion of the Response is not signed and the SP require it', - OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE + OneLogin_Saml2_ValidationError.NO_SIGNED_ASSERTION ) if security['wantMessagesSigned'] and not has_signed_response: raise OneLogin_Saml2_ValidationError( 'The Message of the Response is not signed and the SP require it', - OneLogin_Saml2_ValidationError.NO_SIGNED_ASSERTION + OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE ) if not signed_elements or (not has_signed_response and not has_signed_assertion): From 91172ab9d7ff91d7b2cc238990d9c9e83e220702 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 10 Jan 2017 10:30:03 +0100 Subject: [PATCH 019/331] Add CVE reference to the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f873229e..e7c5e057 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ This version supports Python3, There is a separate version that only support Pyt #### Warning #### -Update python3-saml to 1.2.1 that patch 1.2.0 (that had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). +Update python3-saml to 1.2.1 that patch 1.2.0 (that had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json) 1.2.0 version includes a security patch that contains extra validations that will prevent signature wrapping attacks. From 55083289ec191d8d24be998f7d3711d69de51fa2 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Wed, 11 Jan 2017 14:00:11 +0100 Subject: [PATCH 020/331] Release 1.2.2 --- README.md | 2 +- changelog.md | 8 ++++++++ setup.py | 4 ++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e7c5e057..d6c1e9c2 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ This version supports Python3, There is a separate version that only support Pyt #### Warning #### -Update python3-saml to 1.2.1 that patch 1.2.0 (that had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json) +Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json) 1.2.0 version includes a security patch that contains extra validations that will prevent signature wrapping attacks. diff --git a/changelog.md b/changelog.md index 112dd435..6ec3b9ea 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,13 @@ # python3-saml changelog +### 1.2.2 (January 11, 2017) + * [#37](https://github.com/onelogin/python3-saml/pull/37) Add option to raise response validation exceptions + * [#42](https://github.com/onelogin/python3-saml/pull/42) Optionally raise detailed exceptions vs. returning False. Implement a more specific exception class for handling some validation errors. Improve/Fix tests. Add support for retrieving the last ID of the generated AuthNRequest / LogoutRequest. Add hooks to retrieve last-sent and last-received requests and responses + * Improved inResponse validation on Responses + * Add the ability to extract the specific certificate from IdP metadata when several defined + * Fix Invalid True attribute value in Metadata XML + * [#35](https://github.com/onelogin/python3-saml/pull/35) Fix typos and json sample code in documentation + ### 1.2.1 (October 18, 2016) * [#30](https://github.com/onelogin/python3-saml/pull/30) Bug on signature checks diff --git a/setup.py b/setup.py index 6dfcf7bd..57be437a 100644 --- a/setup.py +++ b/setup.py @@ -9,10 +9,10 @@ setup( name='python3-saml', - version='1.2.1', + version='1.2.2', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ - 'Development Status :: 4 - Beta', + 'Development Status :: 5 - Production/Stable', 'Intended Audience :: Developers', 'Intended Audience :: System Administrators', 'Operating System :: OS Independent', From 1846d82bf8ad46333c7a975a0181b1fe1442af2e Mon Sep 17 00:00:00 2001 From: Andreas Hug Date: Sat, 14 Jan 2017 18:48:36 +0100 Subject: [PATCH 021/331] Fix py3 problems with strings and encoding --- src/onelogin/saml2/auth.py | 8 +++++++- src/onelogin/saml2/logout_request.py | 3 ++- src/onelogin/saml2/logout_response.py | 3 ++- tests/src/OneLogin/saml2_tests/response_test.py | 4 ++-- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 340fb0d8..bd1e3ced 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -24,6 +24,12 @@ from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request +try: + basestring +except NameError: + basestring = str + + class OneLogin_Saml2_Auth(object): """ @@ -569,7 +575,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False): if isinstance(self.__last_response, basestring): response = self.__last_response else: - response = etree.tostring(self.__last_response, pretty_print=pretty_print_if_possible) + response = etree.tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible) return response def get_last_request_xml(self): diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 710b732d..e3f2a3be 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -9,6 +9,7 @@ """ +from onelogin.saml2 import compat from onelogin.saml2.constants import OneLogin_Saml2_Constants from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates @@ -95,7 +96,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True) self.id = self.get_id(logout_request) - self.__logout_request = logout_request + self.__logout_request = compat.to_string(logout_request) def get_request(self, deflate=True): """ diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index f5ea249c..0aed8343 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -9,6 +9,7 @@ """ +from onelogin.saml2 import compat from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_ValidationError from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates from onelogin.saml2.xml_utils import OneLogin_Saml2_XML @@ -36,7 +37,7 @@ def __init__(self, settings, response=None): self.__error = None if response is not None: - self.__logout_response = OneLogin_Saml2_Utils.decode_base64_and_inflate(response) + self.__logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response)) self.document = OneLogin_Saml2_XML.to_etree(self.__logout_response) def get_issuer(self): diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 0af0c286..46e9c8a1 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -71,12 +71,12 @@ def testGetXMLDocument(self): xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) prety_xml = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml')) - self.assertEqual(etree.tostring(response.get_xml_document(), pretty_print=True), prety_xml) + self.assertEqual(etree.tostring(response.get_xml_document(), encoding='unicode', pretty_print=True), prety_xml) xml_2 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64')) response_2 = OneLogin_Saml2_Response(settings, xml_2) decrypted = self.file_contents(join(self.data_path, 'responses', 'decrypted_valid_encrypted_assertion.xml')) - self.assertEqual(etree.tostring(response_2.get_xml_document()), decrypted) + self.assertEqual(etree.tostring(response_2.get_xml_document(), encoding='unicode'), decrypted) def testReturnNameId(self): """ From 6c90f88a0c8e6ca8cba1f78743d31c1c86859ee5 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sun, 15 Jan 2017 09:21:10 +0100 Subject: [PATCH 022/331] Release 1.2.3 --- changelog.md | 3 +++ setup.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/changelog.md b/changelog.md index 6ec3b9ea..f1b66a59 100644 --- a/changelog.md +++ b/changelog.md @@ -1,5 +1,8 @@ # python3-saml changelog +### 1.2.3 (January 15, 2017) + * Fix p3 compatibility + ### 1.2.2 (January 11, 2017) * [#37](https://github.com/onelogin/python3-saml/pull/37) Add option to raise response validation exceptions * [#42](https://github.com/onelogin/python3-saml/pull/42) Optionally raise detailed exceptions vs. returning False. Implement a more specific exception class for handling some validation errors. Improve/Fix tests. Add support for retrieving the last ID of the generated AuthNRequest / LogoutRequest. Add hooks to retrieve last-sent and last-received requests and responses diff --git a/setup.py b/setup.py index 57be437a..0d894d3c 100644 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ setup( name='python3-saml', - version='1.2.2', + version='1.2.3', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ 'Development Status :: 5 - Production/Stable', From a99b86909afe6f795e052e797c07b9658360fffd Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 23 Jan 2017 09:57:10 +0100 Subject: [PATCH 023/331] Remove unnecesary code --- src/onelogin/saml2/auth.py | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index bd1e3ced..0480e9f0 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -24,12 +24,6 @@ from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request -try: - basestring -except NameError: - basestring = str - - class OneLogin_Saml2_Auth(object): """ @@ -572,7 +566,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False): """ response = None if self.__last_response is not None: - if isinstance(self.__last_response, basestring): + if isinstance(self.__last_response, compat.str_type): response = self.__last_response else: response = etree.tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible) From 24a170095cfff54142dc22a924e4e263b3f1f71e Mon Sep 17 00:00:00 2001 From: Christopher Perrin Date: Wed, 25 Jan 2017 17:38:55 +0100 Subject: [PATCH 024/331] Fixed bug with formated cert fingerprints - Added Test - Fixed typo in README.md --- README.md | 4 +- src/onelogin/saml2/response.py | 2 + tests/settings/settings6.json | 48 ++++++++++++++++ .../src/OneLogin/saml2_tests/response_test.py | 57 +++++++++++++++++++ 4 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 tests/settings/settings6.json diff --git a/README.md b/README.md index d6c1e9c2..4bb3bf2e 100644 --- a/README.md +++ b/README.md @@ -289,8 +289,8 @@ This is the settings.json file: * Notice that if you want to validate any SAML Message sent by the HTTP-Redirect binding, you * will need to provide the whole x509cert. */ - // "certFingerprint" => "", - // "certFingerprintAlgorithm" => "sha1", + // "certFingerprint": "", + // "certFingerprintAlgorithm": "sha1", } } ``` diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index ba2b3545..faf303ce 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -274,6 +274,8 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): else: cert = idp_data.get('x509cert', None) fingerprint = idp_data.get('certFingerprint', None) + if fingerprint: + fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint) fingerprintalg = idp_data.get('certFingerprintAlgorithm', None) # If find a Signature on the Response, validates it checking the original response diff --git a/tests/settings/settings6.json b/tests/settings/settings6.json new file mode 100644 index 00000000..5730925d --- /dev/null +++ b/tests/settings/settings6.json @@ -0,0 +1,48 @@ +{ + "strict": false, + "debug": false, + "custom_base_path": "../../../tests/data/customPath/", + "sp": { + "entityId": "http://stuff.com/endpoints/metadata.php", + "assertionConsumerService": { + "url": "http://stuff.com/endpoints/endpoints/acs.php" + }, + "singleLogoutService": { + "url": "http://stuff.com/endpoints/endpoints/sls.php" + }, + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + }, + "idp": { + "entityId": "http://idp.example.com/", + "singleSignOnService": { + "url": "http://idp.example.com/SSOService.php" + }, + "singleLogoutService": { + "url": "http://idp.example.com/SingleLogoutService.php" + }, + "certFingerprint": "AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9", + "certFingerprintAlgorithm": "sha1" + }, + "security": { + "authnRequestsSigned": true, + "wantAssertionsSigned": false, + "signMetadata": false + }, + "contactPerson": { + "technical": { + "givenName": "technical_name", + "emailAddress": "technical@example.com" + }, + "support": { + "givenName": "support_name", + "emailAddress": "support@example.com" + } + }, + "organization": { + "en-US": { + "name": "sp_test", + "displayname": "SP test", + "url": "http://sp.example.com" + } + } +} diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 46e9c8a1..28b34f86 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1238,6 +1238,63 @@ def testIsValidSign(self): # Modified message self.assertFalse(response_9.is_valid(self.get_request_data())) + def testIsValidSignFingerprint(self): + """ + Tests the is_valid method of the OneLogin_Saml2_Response + Case valid sign response / sign assertion / both signed + + Strict mode will always fail due destination problem, if we manipulate + it the sign will fail. + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON("settings6.json")) + + # expired cert + xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + self.assertTrue(response.is_valid(self.get_request_data())) + + xml_2 = self.file_contents(join(self.data_path, 'responses', 'signed_assertion_response.xml.base64')) + response_2 = OneLogin_Saml2_Response(settings, xml_2) + self.assertTrue(response_2.is_valid(self.get_request_data())) + + xml_3 = self.file_contents(join(self.data_path, 'responses', 'double_signed_response.xml.base64')) + response_3 = OneLogin_Saml2_Response(settings, xml_3) + self.assertTrue(response_3.is_valid(self.get_request_data())) + + settings_2 = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings2.json')) + xml_4 = self.file_contents(join(self.data_path, 'responses', 'signed_message_response2.xml.base64')) + response_4 = OneLogin_Saml2_Response(settings_2, xml_4) + self.assertTrue(response_4.is_valid(self.get_request_data())) + + xml_5 = self.file_contents(join(self.data_path, 'responses', 'signed_assertion_response2.xml.base64')) + response_5 = OneLogin_Saml2_Response(settings_2, xml_5) + self.assertTrue(response_5.is_valid(self.get_request_data())) + + xml_6 = self.file_contents(join(self.data_path, 'responses', 'double_signed_response2.xml.base64')) + response_6 = OneLogin_Saml2_Response(settings_2, xml_6) + self.assertTrue(response_6.is_valid(self.get_request_data())) + + dom = parseString(b64decode(xml_4)) + dom.firstChild.firstChild.firstChild.nodeValue = 'https://example.com/other-idp' + xml_7 = OneLogin_Saml2_Utils.b64encode(dom.toxml()) + response_7 = OneLogin_Saml2_Response(settings, xml_7) + # Modified message + self.assertFalse(response_7.is_valid(self.get_request_data())) + + dom_2 = parseString(OneLogin_Saml2_Utils.b64decode(xml_5)) + dom_2.firstChild.firstChild.firstChild.nodeValue = 'https://example.com/other-idp' + xml_8 = OneLogin_Saml2_Utils.b64encode(dom_2.toxml()) + response_8 = OneLogin_Saml2_Response(settings, xml_8) + # Modified message + self.assertFalse(response_8.is_valid(self.get_request_data())) + + dom_3 = parseString(OneLogin_Saml2_Utils.b64decode(xml_6)) + dom_3.firstChild.firstChild.firstChild.nodeValue = 'https://example.com/other-idp' + xml_9 = OneLogin_Saml2_Utils.b64encode(dom_3.toxml()) + response_9 = OneLogin_Saml2_Response(settings, xml_9) + # Modified message + self.assertFalse(response_9.is_valid(self.get_request_data())) + def testIsValidSignWithEmptyReferenceURI(self): settings_info = self.loadSettingsJSON() del settings_info['idp']['x509cert'] From 5abf90836f4086369afaedc33207988e16176b19 Mon Sep 17 00:00:00 2001 From: Christopher Perrin Date: Wed, 25 Jan 2017 17:44:41 +0100 Subject: [PATCH 025/331] Clarify the testcase comment --- tests/src/OneLogin/saml2_tests/response_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 28b34f86..36fd2184 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1241,7 +1241,7 @@ def testIsValidSign(self): def testIsValidSignFingerprint(self): """ Tests the is_valid method of the OneLogin_Saml2_Response - Case valid sign response / sign assertion / both signed + Case valid sign response / sign assertion / both signed with fingerprint Strict mode will always fail due destination problem, if we manipulate it the sign will fail. From 01f3f5fbe9747e5a7ae1ac06c217f678ff2885c2 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Wed, 22 Feb 2017 00:38:53 +0100 Subject: [PATCH 026/331] Fix indentation issue at validate_signed_elements method --- src/onelogin/saml2/response.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index faf303ce..c7bbf6d8 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -573,12 +573,12 @@ def process_signed_elements(self): signed_elements.append(signed_element) - if signed_elements: - if not self.validate_signed_elements(signed_elements, raise_exceptions=True): - raise OneLogin_Saml2_ValidationError( - 'Found an unexpected Signature Element. SAML Response rejected', - OneLogin_Saml2_ValidationError.UNEXPECTED_SIGNED_ELEMENT - ) + if signed_elements: + if not self.validate_signed_elements(signed_elements, raise_exceptions=True): + raise OneLogin_Saml2_ValidationError( + 'Found an unexpected Signature Element. SAML Response rejected', + OneLogin_Saml2_ValidationError.UNEXPECTED_SIGNED_ELEMENT + ) return signed_elements @return_false_on_exception From 90781d92ee2ab54c278e36bc9e1b9b8f61103d42 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 6 Mar 2017 13:37:25 +0100 Subject: [PATCH 027/331] Validate serial number as string to work around libxml2 limitation --- src/onelogin/saml2/schemas/xmldsig-core-schema.xsd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/onelogin/saml2/schemas/xmldsig-core-schema.xsd b/src/onelogin/saml2/schemas/xmldsig-core-schema.xsd index dd5254bb..6f5acc75 100644 --- a/src/onelogin/saml2/schemas/xmldsig-core-schema.xsd +++ b/src/onelogin/saml2/schemas/xmldsig-core-schema.xsd @@ -188,7 +188,7 @@ - + From 2ee1bced605d972d637911faa45aed394bdbc3b5 Mon Sep 17 00:00:00 2001 From: Jerome Thiard Date: Mon, 6 Mar 2017 15:09:36 +0100 Subject: [PATCH 028/331] Make the Issuer on the Response Optional backport of onelogin/python-saml@7e4d502c4b64ac6075577197a0096de89fb1ad01 --- src/onelogin/saml2/errors.py | 2 +- src/onelogin/saml2/response.py | 15 ++++++++------- tests/src/OneLogin/saml2_tests/response_test.py | 4 ++-- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py index d206f9c2..22f2a926 100644 --- a/src/onelogin/saml2/errors.py +++ b/src/onelogin/saml2/errors.py @@ -91,7 +91,7 @@ class OneLogin_Saml2_ValidationError(Exception): WRONG_DESTINATION = 24 EMPTY_DESTINATION = 25 WRONG_AUDIENCE = 26 - ISSUER_NOT_FOUND_IN_RESPONSE = 27 + ISSUER_MULTIPLE_IN_RESPONSE = 27 ISSUER_NOT_FOUND_IN_ASSERTION = 28 WRONG_ISSUER = 29 SESSION_EXPIRED = 30 diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index c7bbf6d8..fb8c6444 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -362,13 +362,14 @@ def get_issuers(self): issuers = set() message_issuer_nodes = OneLogin_Saml2_XML.query(self.document, '/samlp:Response/saml:Issuer') - if len(message_issuer_nodes) == 1: - issuers.add(message_issuer_nodes[0].text) - else: - raise OneLogin_Saml2_ValidationError( - 'Issuer of the Response not found or multiple.', - OneLogin_Saml2_ValidationError.ISSUER_NOT_FOUND_IN_RESPONSE - ) + if len(message_issuer_nodes) > 0: + if len(message_issuer_nodes) == 1: + issuers.add(message_issuer_nodes[0].text) + else: + raise OneLogin_Saml2_ValidationError( + 'Issuer of the Response is multiple.', + OneLogin_Saml2_ValidationError.ISSUER_MULTIPLE_IN_RESPONSE + ) assertion_issuer_nodes = self.__query_assertion('/saml:Issuer') if len(assertion_issuer_nodes) == 1: diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 36fd2184..0e0728df 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -354,8 +354,8 @@ def testGetIssuers(self): xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_issuer_response.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegexp(Exception, 'Issuer of the Response not found or multiple.'): - response_4.get_issuers() + response_4.get_issuers() + self.assertEqual(['https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php'], response_4.get_issuers()) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_issuer_assertion.xml.base64')) response_5 = OneLogin_Saml2_Response(settings, xml_5) From 4016b245f590cb43bc246ba9369147baf4d6649d Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 6 Mar 2017 20:48:27 +0100 Subject: [PATCH 029/331] Fix minor typos on Readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4bb3bf2e..394efdba 100644 --- a/README.md +++ b/README.md @@ -50,8 +50,8 @@ since 2002, but lately it is becoming popular due its advantages: General description ------------------- -OneLogin's SAML Python toolkit lets you turn you Python application into an SP -(Service Provider) that can connect to any IdP (Identity Provider). +OneLogin's SAML Python toolkit lets you turn your Python application into a SP +(Service Provider) that can be connected to an IdP (Identity Provider). Supports: From 476f32f34339fcee1ba65ff0f8f7fb5ffcc8988f Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sat, 11 Mar 2017 01:44:02 +0100 Subject: [PATCH 030/331] Add DigestMethod support. Add sign_algorithm and digest_algorithm parameters to sign_metadata and add_sign --- README.md | 9 ++++++- demo-django/saml/advanced_settings.json | 3 ++- src/onelogin/saml2/metadata.py | 7 ++++-- src/onelogin/saml2/settings.py | 8 +++++- src/onelogin/saml2/utils.py | 18 +++++++++++-- .../src/OneLogin/saml2_tests/metadata_test.py | 22 ++++++++++++++++ tests/src/OneLogin/saml2_tests/utils_test.py | 25 +++++++++++++++++++ 7 files changed, 85 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 394efdba..422ab1ba 100644 --- a/README.md +++ b/README.md @@ -374,7 +374,14 @@ In addition to the required settings data (idp, sp), extra settings can be defin // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' - "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1" + "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1", + + // Algorithm that the toolkit will use on digest process. Options: + // 'http://www.w3.org/2000/09/xmldsig#sha1' + // 'http://www.w3.org/2001/04/xmlenc#sha256' + // 'http://www.w3.org/2001/04/xmldsig-more#sha384' + // 'http://www.w3.org/2001/04/xmlenc#sha512' + 'digestAlgorithm': "http://www.w3.org/2000/09/xmldsig#sha1" }, // Contact information template, it is recommended to suply a diff --git a/demo-django/saml/advanced_settings.json b/demo-django/saml/advanced_settings.json index 16893d1f..3115e17e 100644 --- a/demo-django/saml/advanced_settings.json +++ b/demo-django/saml/advanced_settings.json @@ -10,7 +10,8 @@ "wantNameId" : true, "wantNameIdEncrypted": false, "wantAssertionsEncrypted": false, - "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1" + "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1", + "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1" }, "contactPerson": { "technical": { diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py index 25ab8fb6..51dab807 100644 --- a/src/onelogin/saml2/metadata.py +++ b/src/onelogin/saml2/metadata.py @@ -192,7 +192,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N return metadata @staticmethod - def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1): + def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1, digest_algorithm=OneLogin_Saml2_Constants.SHA1): """ Signs the metadata with the key/cert provided @@ -210,8 +210,11 @@ def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.R :param sign_algorithm: Signature algorithm method :type sign_algorithm: string + + :param digest_algorithm: Digest algorithm method + :type digest_algorithm: string """ - return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm) + return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm) @staticmethod def __add_x509_key_descriptors(root, cert, signing): diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index a96523d3..aae9bdb3 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -292,6 +292,9 @@ def __add_default_values(self): # Signature Algorithm self.__security.setdefault('signatureAlgorithm', OneLogin_Saml2_Constants.RSA_SHA1) + # Digest Algorithm + self.__security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA1) + # AttributeStatement required by default self.__security.setdefault('wantAttributeStatement', True) @@ -638,7 +641,10 @@ def get_sp_metadata(self): cert_metadata_file ) - metadata = OneLogin_Saml2_Metadata.sign_metadata(metadata, key_metadata, cert_metadata) + signature_algorithm = self.__security['signatureAlgorithm'] + digest_algorithm = self.__security['digestAlgorithm'] + + metadata = OneLogin_Saml2_Metadata.sign_metadata(metadata, key_metadata, cert_metadata, signature_algorithm, digest_algorithm) return metadata diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 74d46be1..a8c57790 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -679,7 +679,7 @@ def decrypt_element(encrypted_data, key, debug=False): return enc_ctx.decrypt(encrypted_data) @staticmethod - def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1): + def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1, digest_algorithm=OneLogin_Saml2_Constants.SHA1): """ Adds signature key and senders certificate to an element (Message or Assertion). @@ -698,6 +698,12 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant :param sign_algorithm: Signature algorithm method :type sign_algorithm: string + + :param digest_algorithm: Digest algorithm method + :type digest_algorithm: string + + :returns: Signed XML + :rtype: string """ if xml is None or xml == '': raise Exception('Empty string supplied as input') @@ -728,7 +734,15 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant if elem_id: elem_id = '#' + elem_id - ref = xmlsec.template.add_reference(signature, xmlsec.Transform.SHA1, uri=elem_id) + digest_algorithm_transform_map = { + OneLogin_Saml2_Constants.SHA1: xmlsec.Transform.SHA1, + OneLogin_Saml2_Constants.SHA256: xmlsec.Transform.SHA256, + OneLogin_Saml2_Constants.SHA384: xmlsec.Transform.SHA384, + OneLogin_Saml2_Constants.SHA512: xmlsec.Transform.SHA512 + } + digest_algorithm_transform = digest_algorithm_transform_map.get(digest_algorithm, xmlsec.Transform.SHA1) + + ref = xmlsec.template.add_reference(signature, digest_algorithm_transform, uri=elem_id) xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED) xmlsec.template.add_transform(ref, xmlsec.Transform.EXCL_C14N) key_info = xmlsec.template.ensure_key_info(signature) diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py index 8b2067ad..abaebe15 100644 --- a/tests/src/OneLogin/saml2_tests/metadata_test.py +++ b/tests/src/OneLogin/saml2_tests/metadata_test.py @@ -12,6 +12,7 @@ from onelogin.saml2 import compat from onelogin.saml2.metadata import OneLogin_Saml2_Metadata from onelogin.saml2.settings import OneLogin_Saml2_Settings +from onelogin.saml2.constants import OneLogin_Saml2_Constants class OneLogin_Saml2_Metadata_Test(unittest.TestCase): @@ -218,6 +219,7 @@ def testSignMetadata(self): self.assertIn('\n', signed_metadata) self.assertIn('', signed_metadata) + self.assertIn('', signed_metadata) self.assertIn('\n\n', signed_metadata) @@ -226,6 +228,26 @@ def testSignMetadata(self): exception = context.exception self.assertIn("Empty string supplied as input", str(exception)) + signed_metadata_2 = compat.to_string(OneLogin_Saml2_Metadata.sign_metadata(metadata, key, cert, OneLogin_Saml2_Constants.RSA_SHA256, OneLogin_Saml2_Constants.SHA384)) + + self.assertIn('', signed_metadata_2) + + self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', signed_metadata_2) + + self.assertIn('\n', signed_metadata_2) + self.assertIn('', signed_metadata_2) + self.assertIn('', signed_metadata_2) + self.assertIn('\n\n', signed_metadata_2) + def testAddX509KeyDescriptors(self): """ Tests the addX509KeyDescriptors method of the OneLogin_Saml2_Metadata diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py index 60f79c08..eccc25f8 100644 --- a/tests/src/OneLogin/saml2_tests/utils_test.py +++ b/tests/src/OneLogin/saml2_tests/utils_test.py @@ -713,6 +713,31 @@ def testAddSign(self): ds_signature_8 = res_8.firstChild.firstChild.nextSibling.firstChild.nextSibling self.assertIn('ds:Signature', ds_signature_8.tagName) + def testAddSignCheckAlg(self): + """ + Tests the add_sign method of the OneLogin_Saml2_Utils + Case: Review signature & digest algorithm + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + key = settings.get_sp_key() + cert = settings.get_sp_cert() + + xml_authn = b64decode(self.file_contents(join(self.data_path, 'requests', 'authn_request.xml.base64'))) + xml_authn_signed = compat.to_string(OneLogin_Saml2_Utils.add_sign(xml_authn, key, cert)) + self.assertIn('', xml_authn_signed) + self.assertIn('', xml_authn_signed) + self.assertIn('', xml_authn_signed) + + xml_authn_signed_2 = compat.to_string(OneLogin_Saml2_Utils.add_sign(xml_authn, key, cert, False, OneLogin_Saml2_Constants.RSA_SHA256, OneLogin_Saml2_Constants.SHA384)) + self.assertIn('', xml_authn_signed_2) + self.assertIn('', xml_authn_signed_2) + self.assertIn('', xml_authn_signed_2) + + xml_authn_signed_3 = compat.to_string(OneLogin_Saml2_Utils.add_sign(xml_authn, key, cert, False, OneLogin_Saml2_Constants.RSA_SHA384, OneLogin_Saml2_Constants.SHA512)) + self.assertIn('', xml_authn_signed_3) + self.assertIn('', xml_authn_signed_3) + self.assertIn('', xml_authn_signed_3) + def testValidateSign(self): """ Tests the validate_sign method of the OneLogin_Saml2_Utils From c45c0f8ae029254642db036cf06058ec9e302098 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sun, 12 Mar 2017 12:57:19 +0100 Subject: [PATCH 031/331] Improve NameIdFormat support. Be able to provide a NameIDFormat to LogoutRequest --- demo-flask/saml/advanced_settings.json | 3 +- src/onelogin/saml2/auth.py | 22 +++- src/onelogin/saml2/logout_request.py | 28 ++++- src/onelogin/saml2/response.py | 13 ++ src/onelogin/saml2/utils.py | 3 +- tests/src/OneLogin/saml2_tests/auth_test.py | 116 +++++++++++++++++- .../saml2_tests/logout_request_test.py | 11 ++ .../src/OneLogin/saml2_tests/response_test.py | 57 +++++++++ 8 files changed, 242 insertions(+), 11 deletions(-) diff --git a/demo-flask/saml/advanced_settings.json b/demo-flask/saml/advanced_settings.json index 16893d1f..3115e17e 100644 --- a/demo-flask/saml/advanced_settings.json +++ b/demo-flask/saml/advanced_settings.json @@ -10,7 +10,8 @@ "wantNameId" : true, "wantNameIdEncrypted": false, "wantAssertionsEncrypted": false, - "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1" + "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1", + "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1" }, "contactPerson": { "technical": { diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 0480e9f0..ad78b662 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -54,6 +54,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None): self.__settings = OneLogin_Saml2_Settings(old_settings, custom_base_path) self.__attributes = dict() self.__nameid = None + self.__nameid_format = None self.__session_index = None self.__session_expiration = None self.__authenticated = False @@ -100,6 +101,7 @@ def process_response(self, request_id=None): if response.is_valid(self.__request_data, request_id): self.__attributes = response.get_attributes() self.__nameid = response.get_nameid() + self.__nameid_format = response.get_nameid_format() self.__session_index = response.get_session_index() self.__session_expiration = response.get_session_not_on_or_after() self.__authenticated = True @@ -221,6 +223,15 @@ def get_nameid(self): """ return self.__nameid + def get_nameid_format(self): + """ + Returns the nameID Format. + + :returns: NameID Format + :rtype: string|None + """ + return self.__nameid_format + def get_session_index(self): """ Returns the SessionIndex from the AuthnStatement. @@ -311,7 +322,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_ self.add_request_signature(parameters, security['signatureAlgorithm']) return self.redirect_to(self.get_sso_url(), parameters) - def logout(self, return_to=None, name_id=None, session_index=None, nq=None): + def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None): """ Initiates the SLO process. @@ -327,6 +338,9 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None): :param nq: IDP Name Qualifier :type: string + :param name_id_format: The NameID Format that will be set in the LogoutRequest. + :type: string + :returns: Redirection URL """ slo_url = self.get_slo_url() @@ -339,11 +353,15 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None): if name_id is None and self.__nameid is not None: name_id = self.__nameid + if name_id_format is None and self.__nameid_format is not None: + name_id_format = self.__nameid_format + logout_request = OneLogin_Saml2_Logout_Request( self.__settings, name_id=name_id, session_index=session_index, - nq=nq + nq=nq, + name_id_format=name_id_format ) self.__last_request = logout_request.get_xml() self.__last_request_id = logout_request.id diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index e3f2a3be..507f88db 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -25,7 +25,7 @@ class OneLogin_Saml2_Logout_Request(object): """ - def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None): + def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None): """ Constructs the Logout Request object. @@ -43,6 +43,9 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= :param nq: IDP Name Qualifier :type: string + + :param name_id_format: The NameID Format that will be set in the LogoutRequest. + :type: string """ self.__settings = settings self.__error = None @@ -63,7 +66,8 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= cert = idp_data['x509cert'] if name_id is not None: - name_id_format = sp_data['NameIDFormat'] + if name_id_format is None: + name_id_format = sp_data['NameIDFormat'] sp_name_qualifier = None else: name_id = idp_data['entityId'] @@ -75,7 +79,8 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= sp_name_qualifier, name_id_format, cert, - nq=nq, + False, + nq ) if session_index: @@ -194,6 +199,23 @@ def get_nameid(request, key=None): name_id = OneLogin_Saml2_Logout_Request.get_nameid_data(request, key) return name_id['Value'] + @staticmethod + def get_nameid_format(request, key=None): + """ + Gets the NameID Format of the Logout Request Message + :param request: Logout Request Message + :type request: string|DOMDocument + :param key: The SP key + :type key: string + :return: Name ID Format + :rtype: string + """ + name_id_format = None + name_id_data = OneLogin_Saml2_Logout_Request.get_nameid_data(request, key) + if name_id_data and 'Format' in name_id_data.keys(): + name_id_format = name_id_data['Format'] + return name_id_format + @staticmethod def get_issuer(request): """ diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index fb8c6444..a0919d4c 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -444,6 +444,19 @@ def get_nameid(self): nameid_value = nameid_data['Value'] return nameid_value + def get_nameid_format(self): + """ + Gets the NameID Format provided by the SAML Response from the IdP + + :returns: NameID Format + :rtype: string|None + """ + nameid_format = None + nameid_data = self.get_nameid_data() + if nameid_data and 'Format' in nameid_data.keys(): + nameid_format = nameid_data['Format'] + return nameid_format + def get_session_not_on_or_after(self): """ Gets the SessionNotOnOrAfter from the AuthnStatement diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index a8c57790..f6f33051 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -584,7 +584,8 @@ def generate_name_id(value, sp_nq, sp_format, cert=None, debug=False, nq=None): name_id = OneLogin_Saml2_XML.make_child(root, '{%s}NameID' % OneLogin_Saml2_Constants.NS_SAML) if sp_nq is not None: name_id.set('SPNameQualifier', sp_nq) - name_id.set('Format', sp_format) + if sp_format is not None: + name_id.set('Format', sp_format) if nq is not None: name_id.set('NameQualifier', nq) name_id.text = value diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index fcfe1bde..84c4728f 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -24,15 +24,16 @@ class OneLogin_Saml2_Auth_Test(unittest.TestCase): data_path = join(dirname(__file__), '..', '..', '..', 'data') - def loadSettingsJSON(self): - filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json') + def loadSettingsJSON(self, filename=None): + if filename: + filename = join(dirname(__file__), '..', '..', '..', 'settings', filename) + else: + filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json') if exists(filename): stream = open(filename, 'r') settings = json.load(stream) stream.close() return settings - else: - raise Exception('Settings json file does not exist') def file_contents(self, filename): f = open(filename, 'r') @@ -810,6 +811,7 @@ def testLogoutNameID(self): auth.process_response() name_id_from_response = auth.get_nameid() + name_id_format_from_response = auth.get_nameid_format() target_url = auth.logout() parsed_query = parse_qs(urlparse(target_url)[4]) @@ -817,7 +819,21 @@ def testLogoutNameID(self): logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0]) name_id_from_request = OneLogin_Saml2_Logout_Request.get_nameid(logout_request) + name_id_format_from_request = OneLogin_Saml2_Logout_Request.get_nameid_format(logout_request) self.assertEqual(name_id_from_response, name_id_from_request) + self.assertEqual(name_id_format_from_response, name_id_format_from_request) + + new_name_id = "new_name_id" + new_name_id_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + target_url_2 = auth.logout(name_id=new_name_id, name_id_format=new_name_id_format) + parsed_query = parse_qs(urlparse(target_url_2)[4]) + self.assertIn('SAMLRequest', parsed_query) + logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query['SAMLRequest'][0]) + + name_id_from_request = OneLogin_Saml2_Logout_Request.get_nameid(logout_request) + name_id_format_from_request = OneLogin_Saml2_Logout_Request.get_nameid_format(logout_request) + self.assertEqual(new_name_id, name_id_from_request) + self.assertEqual(new_name_id_format, name_id_format_from_request) def testSetStrict(self): """ @@ -840,6 +856,98 @@ def testSetStrict(self): self.assertRaises(AssertionError, auth.set_strict, '42') + def testIsAuthenticated(self): + """ + Tests the is_authenticated method of the OneLogin_Saml2_Auth + """ + request_data = self.get_request() + del request_data['get_data'] + message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON()) + auth.process_response() + self.assertFalse(auth.is_authenticated()) + + message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON()) + auth.process_response() + self.assertTrue(auth.is_authenticated()) + + def testGetNameId(self): + """ + Tests the get_nameid method of the OneLogin_Saml2_Auth + """ + settings = self.loadSettingsJSON() + request_data = self.get_request() + del request_data['get_data'] + message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) + auth.process_response() + self.assertFalse(auth.is_authenticated()) + self.assertEqual(auth.get_nameid(), None) + + message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) + auth.process_response() + self.assertTrue(auth.is_authenticated()) + self.assertEqual("492882615acf31c8096b627245d76ae53036c090", auth.get_nameid()) + + settings_2 = self.loadSettingsJSON('settings2.json') + message = self.file_contents(join(self.data_path, 'responses', 'signed_message_encrypted_assertion2.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_2) + auth.process_response() + self.assertTrue(auth.is_authenticated()) + self.assertEqual("25ddd7d34a7d79db69167625cda56a320adf2876", auth.get_nameid()) + + def testGetNameIdFormat(self): + """ + Tests the get_nameid_format method of the OneLogin_Saml2_Auth + """ + settings = self.loadSettingsJSON() + request_data = self.get_request() + del request_data['get_data'] + message = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) + auth.process_response() + self.assertFalse(auth.is_authenticated()) + self.assertEqual(auth.get_nameid_format(), None) + + message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) + auth.process_response() + self.assertTrue(auth.is_authenticated()) + self.assertEqual("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", auth.get_nameid_format()) + + settings_2 = self.loadSettingsJSON('settings2.json') + message = self.file_contents(join(self.data_path, 'responses', 'signed_message_encrypted_assertion2.xml.base64')) + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_2) + auth.process_response() + self.assertTrue(auth.is_authenticated()) + self.assertEqual("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified", auth.get_nameid_format()) + def testBuildRequestSignature(self): """ Tests the build_request_signature method of the OneLogin_Saml2_Auth diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index e2bd0cfa..b23050a1 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -145,6 +145,17 @@ def testGetNameIdData(self): with self.assertRaisesRegexp(Exception, 'NameID not found in the Logout Request'): OneLogin_Saml2_Logout_Request.get_nameid(inv_request) + idp_data = settings.get_idp_data() + expected_name_id_data = { + 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress', + 'NameQualifier': idp_data['entityId'], + 'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69' + } + + logout_request = OneLogin_Saml2_Logout_Request(settings, None, expected_name_id_data['Value'], None, idp_data['entityId'], expected_name_id_data['Format']) + name_id_data_3 = OneLogin_Saml2_Logout_Request.get_nameid_data(logout_request.get_xml()) + self.assertEqual(expected_name_id_data, name_id_data_3) + def testGetNameId(self): """ Tests the get_nameid of the OneLogin_Saml2_LogoutRequest diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 0e0728df..bd2a294c 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -135,6 +135,63 @@ def testReturnNameId(self): with self.assertRaisesRegexp(Exception, 'An empty NameID value found'): response_9.get_nameid() + def testReturnNameIdFormat(self): + """ + Tests the get_nameid_format method of the OneLogin_Saml2_Response + """ + json_settings = self.loadSettingsJSON() + settings = OneLogin_Saml2_Settings(json_settings) + xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', response.get_nameid_format()) + + xml_2 = self.file_contents(join(self.data_path, 'responses', 'response_encrypted_nameid.xml.base64')) + response_2 = OneLogin_Saml2_Response(settings, xml_2) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', response_2.get_nameid_format()) + + xml_3 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64')) + response_3 = OneLogin_Saml2_Response(settings, xml_3) + self.assertEqual('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', response_3.get_nameid_format()) + + xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) + response_4 = OneLogin_Saml2_Response(settings, xml_4) + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): + response_4.get_nameid() + + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + + response_5 = OneLogin_Saml2_Response(settings, xml_4) + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): + response_5.get_nameid() + + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + + response_6 = OneLogin_Saml2_Response(settings, xml_4) + nameid_6 = response_6.get_nameid() + self.assertIsNone(nameid_6) + + del json_settings['security']['wantNameId'] + settings = OneLogin_Saml2_Settings(json_settings) + + response_7 = OneLogin_Saml2_Response(settings, xml_4) + with self.assertRaisesRegexp(Exception, 'NameID not found in the assertion of the Response'): + response_7.get_nameid() + + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + + xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) + response_8 = OneLogin_Saml2_Response(settings, xml_5) + with self.assertRaisesRegexp(Exception, 'The SPNameQualifier value mistmatch the SP entityID value.'): + response_8.get_nameid() + + xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64')) + response_9 = OneLogin_Saml2_Response(settings, xml_6) + with self.assertRaisesRegexp(Exception, 'An empty NameID value found'): + response_9.get_nameid() + def testGetNameIdData(self): """ Tests the get_nameid_data method of the OneLogin_Saml2_Response From 21a5b406aba7b5cf957573d6152d4f0ae374232f Mon Sep 17 00:00:00 2001 From: Charles Beebe Date: Fri, 24 Mar 2017 11:02:18 -0400 Subject: [PATCH 032/331] Add a Pyramid demo. Add a Pyramid demo in demo_pyramid dir (generated with 'pyramid-cookiecutter-starter' Cookiecutter template). Add 'pyramid' as a keyword in setup.py. --- demo_pyramid/.coveragerc | 3 + demo_pyramid/.gitignore | 21 +++ demo_pyramid/CHANGES.txt | 4 + demo_pyramid/MANIFEST.in | 2 + demo_pyramid/README.txt | 29 ++++ demo_pyramid/demo_pyramid/__init__.py | 19 +++ .../demo_pyramid/saml/advanced_settings.json | 33 ++++ demo_pyramid/demo_pyramid/saml/certs/README | 11 ++ demo_pyramid/demo_pyramid/saml/settings.json | 30 ++++ .../demo_pyramid/static/pyramid-16x16.png | Bin 0 -> 1319 bytes demo_pyramid/demo_pyramid/static/pyramid.png | Bin 0 -> 12901 bytes demo_pyramid/demo_pyramid/static/theme.css | 154 ++++++++++++++++++ .../demo_pyramid/templates/attrs.jinja2 | 31 ++++ .../demo_pyramid/templates/index.jinja2 | 54 ++++++ .../demo_pyramid/templates/layout.jinja2 | 64 ++++++++ demo_pyramid/demo_pyramid/tests.py | 29 ++++ demo_pyramid/demo_pyramid/views.py | 122 ++++++++++++++ demo_pyramid/development.ini | 59 +++++++ demo_pyramid/production.ini | 53 ++++++ demo_pyramid/pytest.ini | 3 + demo_pyramid/setup.py | 54 ++++++ setup.py | 2 +- 22 files changed, 776 insertions(+), 1 deletion(-) create mode 100644 demo_pyramid/.coveragerc create mode 100644 demo_pyramid/.gitignore create mode 100644 demo_pyramid/CHANGES.txt create mode 100644 demo_pyramid/MANIFEST.in create mode 100644 demo_pyramid/README.txt create mode 100644 demo_pyramid/demo_pyramid/__init__.py create mode 100644 demo_pyramid/demo_pyramid/saml/advanced_settings.json create mode 100644 demo_pyramid/demo_pyramid/saml/certs/README create mode 100644 demo_pyramid/demo_pyramid/saml/settings.json create mode 100644 demo_pyramid/demo_pyramid/static/pyramid-16x16.png create mode 100644 demo_pyramid/demo_pyramid/static/pyramid.png create mode 100644 demo_pyramid/demo_pyramid/static/theme.css create mode 100644 demo_pyramid/demo_pyramid/templates/attrs.jinja2 create mode 100644 demo_pyramid/demo_pyramid/templates/index.jinja2 create mode 100644 demo_pyramid/demo_pyramid/templates/layout.jinja2 create mode 100644 demo_pyramid/demo_pyramid/tests.py create mode 100644 demo_pyramid/demo_pyramid/views.py create mode 100644 demo_pyramid/development.ini create mode 100644 demo_pyramid/production.ini create mode 100644 demo_pyramid/pytest.ini create mode 100644 demo_pyramid/setup.py diff --git a/demo_pyramid/.coveragerc b/demo_pyramid/.coveragerc new file mode 100644 index 00000000..fd429eb0 --- /dev/null +++ b/demo_pyramid/.coveragerc @@ -0,0 +1,3 @@ +[run] +source = demo_pyramid +omit = demo_pyramid/test* diff --git a/demo_pyramid/.gitignore b/demo_pyramid/.gitignore new file mode 100644 index 00000000..1853d983 --- /dev/null +++ b/demo_pyramid/.gitignore @@ -0,0 +1,21 @@ +*.egg +*.egg-info +*.pyc +*$py.class +*~ +.coverage +coverage.xml +build/ +dist/ +.tox/ +nosetests.xml +env*/ +tmp/ +Data.fs* +*.sublime-project +*.sublime-workspace +.*.sw? +.sw? +.DS_Store +coverage +test diff --git a/demo_pyramid/CHANGES.txt b/demo_pyramid/CHANGES.txt new file mode 100644 index 00000000..14b902fd --- /dev/null +++ b/demo_pyramid/CHANGES.txt @@ -0,0 +1,4 @@ +0.0 +--- + +- Initial version. diff --git a/demo_pyramid/MANIFEST.in b/demo_pyramid/MANIFEST.in new file mode 100644 index 00000000..3b3962e4 --- /dev/null +++ b/demo_pyramid/MANIFEST.in @@ -0,0 +1,2 @@ +include *.txt *.ini *.cfg *.rst +recursive-include demo_pyramid *.ico *.png *.css *.gif *.jpg *.pt *.txt *.mak *.mako *.js *.html *.xml *.jinja2 diff --git a/demo_pyramid/README.txt b/demo_pyramid/README.txt new file mode 100644 index 00000000..04ea6d64 --- /dev/null +++ b/demo_pyramid/README.txt @@ -0,0 +1,29 @@ +demo_pyramid +=============================== + +Getting Started +--------------- + +- Change directory into your newly created project. + + cd demo_pyramid + +- Create a Python virtual environment. + + python3 -m venv env + +- Upgrade packaging tools. + + env/bin/pip install --upgrade pip setuptools + +- Install the project in editable mode with its testing requirements. + + env/bin/pip install -e ".[testing]" + +- Run your project's tests. + + env/bin/pytest + +- Run your project. + + env/bin/pserve development.ini diff --git a/demo_pyramid/demo_pyramid/__init__.py b/demo_pyramid/demo_pyramid/__init__.py new file mode 100644 index 00000000..805e51d1 --- /dev/null +++ b/demo_pyramid/demo_pyramid/__init__.py @@ -0,0 +1,19 @@ +from pyramid.config import Configurator +from pyramid.session import SignedCookieSessionFactory + + +session_factory = SignedCookieSessionFactory('onelogindemopytoolkit') + + +def main(global_config, **settings): + """ This function returns a Pyramid WSGI application. + """ + config = Configurator(settings=settings) + config.set_session_factory(session_factory) + config.include('pyramid_jinja2') + config.add_static_view('static', 'static', cache_max_age=3600) + config.add_route('index', '/') + config.add_route('attrs', '/attrs/') + config.add_route('metadata', '/metadata/') + config.scan() + return config.make_wsgi_app() diff --git a/demo_pyramid/demo_pyramid/saml/advanced_settings.json b/demo_pyramid/demo_pyramid/saml/advanced_settings.json new file mode 100644 index 00000000..3115e17e --- /dev/null +++ b/demo_pyramid/demo_pyramid/saml/advanced_settings.json @@ -0,0 +1,33 @@ +{ + "security": { + "nameIdEncrypted": false, + "authnRequestsSigned": false, + "logoutRequestSigned": false, + "logoutResponseSigned": false, + "signMetadata": false, + "wantMessagesSigned": false, + "wantAssertionsSigned": false, + "wantNameId" : true, + "wantNameIdEncrypted": false, + "wantAssertionsEncrypted": false, + "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1", + "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1" + }, + "contactPerson": { + "technical": { + "givenName": "technical_name", + "emailAddress": "technical@example.com" + }, + "support": { + "givenName": "support_name", + "emailAddress": "support@example.com" + } + }, + "organization": { + "en-US": { + "name": "sp_test", + "displayname": "SP test", + "url": "http://sp.example.com" + } + } +} \ No newline at end of file diff --git a/demo_pyramid/demo_pyramid/saml/certs/README b/demo_pyramid/demo_pyramid/saml/certs/README new file mode 100644 index 00000000..03c13737 --- /dev/null +++ b/demo_pyramid/demo_pyramid/saml/certs/README @@ -0,0 +1,11 @@ +Take care of this folder that could contain private key. Be sure that this folder never is published. + +Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as: + + * sp.key Private Key + * sp.crt Public cert + +Also you can use other cert to sign the metadata of the SP using the: + + * metadata.key + * metadata.crt diff --git a/demo_pyramid/demo_pyramid/saml/settings.json b/demo_pyramid/demo_pyramid/saml/settings.json new file mode 100644 index 00000000..ec40b674 --- /dev/null +++ b/demo_pyramid/demo_pyramid/saml/settings.json @@ -0,0 +1,30 @@ +{ + "strict": true, + "debug": true, + "sp": { + "entityId": "https:///metadata/", + "assertionConsumerService": { + "url": "https:///?acs", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + }, + "singleLogoutService": { + "url": "https:///?sls", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + "x509cert": "", + "privateKey": "" + }, + "idp": { + "entityId": "https://app.onelogin.com/saml/metadata/", + "singleSignOnService": { + "url": "https://app.onelogin.com/trust/saml2/http-post/sso/", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "singleLogoutService": { + "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "x509cert": "" + } +} diff --git a/demo_pyramid/demo_pyramid/static/pyramid-16x16.png b/demo_pyramid/demo_pyramid/static/pyramid-16x16.png new file mode 100644 index 0000000000000000000000000000000000000000..979203112e76ba4cfdb8cd6f108f4275e987d99a GIT binary patch literal 1319 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`k|nMYCBgY=CFO}lsSJ)O`AMk? zp1FzXsX?iUDV2pMQ*9U+n3Xd_B1$5BeXNr6bM+EIYV;~{3xK*A7;Nk-3KEmEQ%e+* zQqwc@Y?a>c-mj#PnPRIHZt82`Ti~3Uk?B!Ylp0*+7m{3+ootz+WN)WnQ(*-(AUCxn zQK2F?C$HG5!d3}vt`(3C64qBz04piUwpD^SD#ABF!8yMuRl!uxR5#hc&_u!9QqR!T z(8R(}N5ROz&{*HVSl`fC*U-qyz|zXlQ~?TIxIyg#@@$ndN=gc>^!3Zj z%k|2Q_413-^$jg8E%gnI^o@*kfhu&1EAvVcD|GXUm0>2hq!uR^WfqiV=I1GZOiWD5 zFD$Tv3bSNU;+l1ennz|zM-B0$V)JVzP|XC=H|jx7ncO3BHWAB;NpiyW)Z+ZoqGVvir744~DzI`cN=+=uFAB-e&w+(vKt_H^esM;Afr7KMf`)Hma%LWg zuL;)R>ucqiS6q^qmz?V9Vygr+LN7Bj#mdRl*wM}0&C<--)xyxw)!5S9(bdAp)YZVy zz`)Yd%><^`B|o_|H#M&WrZ)wl*Ab^)P+G_>0NU)5T9jFqn&MWJpQ`}&vsET;x0vHJ z52`l>w_7Z5>eUB2MjsTjNHGl)0wy026P|8?9C*r4%>yR)B4E1CQ{KVEz`!`m)5S5Q z;#SXOUk#T)k>lxKj4~&v95M;sSJp8lNikLV)bX~~P1`qaNLZPZ<6^QgASli8jmk<% zZdJ~1%}JBkHhu^^q;ghbe{lMjv_0X)ug#yI+xz_S{hiM(g*saf_f6Pt#!wis>2u+! z{;RjXUlmP?^Kq|yJMn}2uJ~!L3EU-*{+zn6Ya6$jYueOB4G#Lx+=R;oM4sqe*Sq0$ zQ2Nf{-BFQxlX@Dog;`l=SkyQh`W)n22F}BoCTQYYC=p8g*kiK(1`FEnD$cY`NZX8<>GJicU)2$Vj5iRl-7k*od z3K)m{Gsp@4JM)eDo7z=gtG;>hu{QvcXxLU8eD@D+$BKJ@RM`zyYKvG z-8a3ur|aAMt1Vr-yH|CEDauQLkO+_f002lzQdIf%fB4Ui0QY*V)U3(^0FZ<%L_`#& zL`1-fj&^1i)}{b}Bq%eIA9uoG!laCfFcwoR zb`OTl9xm%u?u}UK6Z+-0LfvF1uNzRlu;BSs+a-xXQEAzvn#Z125}lrEE$o@!cYog? z@lko^ANF`uyQDsu%o2*s(%P^-sbKEJ1>90;Svb?qHr@sbgo4>hFv21pO(baNe1U?G_am z$%uaYhJupCKc=2k-Lpftu1m0%A~@dHZKRf6W*s6Qm&D`7K|3 zP8#?(KABe7=AZNd-k*6CTcqHJ?f3yA6ws8mf*wHc;}7VpNW)zn=9RJ4PSI>0zxN+V zk#)jtw`7ILRrYRCqD>sB@)+LaZvtH~TpCmeT z5;T(}&;kNeCnT`+Is{plpj-ki?E!QC9#b�i5=5IxreNAbVsKKM4p@aIXvt)VjX~ zLcj$&PM%O%3~m8hs_+6jp*DiMh>#*THuP7Kuo(0>$o&*`2|it5S+0m8|22g(K^uZ@ z;6o1l6qp_E8Ol2dBLz5X2wDO(`F*c>PlO=RH?}G2hLZu0*R!%E-GVEC+T4e?MR);V z_^jU-j{q4)fSwlDL?FBr6^_xQgu)=RiX|@qmWrjtpcW9eMoGpx>_EeXqAIZV+wop(eQ& zddcwQJrU|q&zm1a_C786I&8KaRWQwHi;?Yq$Niu!>Pxo{x^?XH0JL7G3nMSGE+k(f zUy_Yz(!p+;7({Its{k~zBrv5lr7AiB!al-t5Jn%nl7ESUGkGw&`+$zo+uAQnLLE{> z)bjDzQo)pX%9L+Y8~jzJEXj4L`Kdd};zxK*BpmUzAbJW_l-Xc?DzrF3#ROVvYz1i| zG2!p>JkqTYcZj=4p)#n%c22V_r7crip;Odb+M8J-{$29VK@ZtjSD$_LrTfkfWNmFpri8%bWfq{-bz; zG=eUIHw0<~$?St1Z_;ejM$&fE_SuIT%(amlVYGL(_Z#(C5>wBQegW7bxl~NRGd`Qh@8sO z+`6hk+hoHeiq)PuHG4Tn`%qrZs+LxT_(Bd(Ki{xdzI*yTJu-iUW<)0L8m>OWDT4~* zF$1aATP;{kn}(yBhyLY(G%H_1)}q=hRjbx3!NSzR4{{?Yj)v46H5je}8Uyq(_rMi`oz6O&CSQn6^7ABOjKl`T{3!jW>_L33Rec#ReVI^tJu7RoS3IrvY1S=CWBV} zj(DVYB)Etlmy{64lhVbp^w-RqOvv`h52Wogrgu6?^(V`Yjk~2|lT|VLy;=@*B!r~I z8|W`#Sbe3tvQ^jmt**N;i}CFtk8%5h^!rhlx_72eu`tO&bwSgj$pgA!#!^*MI8xg{ z1);{xPj&iN{yU`!F$wu^-<3|6j#~sZ+%?P!QyGTW(CfbAr|D$wXU}I5X&beeKU2fX zgG|TD(mH9GwWoafEqfywNtsR+sD)f_S-1XC!ZdqS=^Mu0^-kK3?HKXM&yhzT4l@qd zPanHneg{AGa-3PAR(@Wn(phPhch&7}+q&sGjVCclej0Ri%*4SHsn< zivG#tyrZ`6kG}f8qNkFVv6B*?B?^c7qCd^QpIhWA;Y#4_i;5ep-F6tVd)~Ye@x&@W zRD74;dI!Tz#&h{&=#KO}3x)5yd$@PmAOxpk0jGthtmnp|-)tuF z1Tmvv`is|f*M_*fh^p4)UD+SflPZC8Hjg7w~i z(0ycHzisp0{qmAY2ps|UaK_Z-`J%VVf9SpbJPluprYHE#gZtV1+4y8Tj|NGBE~`wi z@_GJl(X6!d`Xp!3V6r~+V{~wf2=hzgeYHYA>}2UAy?BH8kwm4$WaNG1nn&&R*Nd^p z+GwW(`UQ`^uUfv~m z>;IhlXnZ{sdw8O7r;wN(CFtsf_;lq)ZDY2#@hj-(BO9-l&+9uSqP?V+699mW^=F3y zq-Ed(05Fsms+!K4an_%9V_D}HiKIYqFDouet3gNdDqgq~Fhlhumg^ihwjqz23(aGJ`+0c#A)`{X@o%~NfqNYy9ju!UL z7IwDaKm8gS*?n^6Cnx`7=s&-I`RQz7_P>^Fo&FuxYkS4<|x%%;|+Hm0`DPOm)H|7z|vxBnsje@?m?+W*VgUrGE|YPxyZ`@-LQ%osGStsgu(yO@QOyl)q#D)Ytr9GXh*} z|0et${3k)d(c(2y!#{rg$EUwz|J2v|ZwCGj{*CY_^}LD}Zl>0nq86_S{VNJK78X9{ z|0?+>Q^d~N&QZnQ(Ae~kXMa)t2K`g}FFRWQr=7n^{>C&h=5_jHWNB*b{I~1%de#0K z{lbPHng0g!G5=R>zSpt9D`#h7VdgGs=xi#$#=^?Z$im9V@=leFg_nhumy?^1`5!ue z^Wcv}#L?8y+0Ieb&dyrkuP|)>G{NtfUNiMi`M;@r%zx_WZ*}#rqWuefty%%3SLXlR z0R)f+r_;Fr0E#pzQ6W_~sMAcu7M!n%L-`n@_FrK&I5Ctcs4eqYZOO14!psI+MDrsT(i5x*g|To^~3a zG(P=0{jmS|yL#iajCX&owCt=*MaK8c$v*)0zil)1J#>d*NO7`^HAY{0d&~02KKt_%Xg6cfO#nv8b)Ua-40z&0(uXf(uOcr&ku?L3B3P?hlUS z>VhrlISxGTaoh|P?^iWWhV%lXOrhv(^;xDR%1buy`MO;#8IECW(wBj%OM06l;o&Dg z_t{hIHs-|9QteQX6_vQ46z;7-9BzVR&x{29(n4cJ4FDWf=&N)~)lGI=E7`02B6go) z=iiKw-6unW%A7Be3W)ESUXn($gAMbhoKh88cjXAs*zc36EQ}lgSmAairK0&GdX3ZA zwh(VLk^Kt7kZ%j{M3uh4)DPeep>H;(#PQ7%c$oa4rY89lnqJwZvz`woVWhWTw+Yt4 zK4Z?lOIC7fdL{7TL>YLd1VYhMkf)>>sG7<6sCi@j;dDj?-g`#>pw+-!OoAG9N4i|~ zeV<%)x8PqKB+Fotdk_^bJG$@J!o42!876Z5@8~BdYV^iQA4M~MF4<$54r~0Ff_Q1&*4xzmrX1KOYSRpELIw>?DZ)mm zFK_GBShr5fn}g46mJx_Pas|Y>PqDsQE4&b>`1w%aGo;@X@s;Nl*lk5$5MGxo&fZa~ z?)Y9Rmi-z7&KQGc_gS>J^@R5LdoGtFY8iZj&|=_6q0RQ1g;q89e5r$5_4S0&a)DQ` z7*pE~UrO~c)K@vEAM(}0siTPqLN|~uSWfh>==;JS=?6%x67xnVLg0SX0;dw)(QYaD z!fQ;uWtNbQKGxM3j!x(;)P87Q6_D+-sl;lR%V{3cV~^olt7GJBzJR;b=~9(!Rb>Wf zO@=*jvZGFZCSDq<2iV0<23iTJvt#ydEoHlX#ZxXcgrYkL-o%LE_o$6FtCN9 zlcTA@S;BN?S9l{x?dSoWnVOEvAClv9$$|Pd-7H34>`>0(90|@(*RN^71(;U|IgZZ) zZug2l923m((p(=P&l2{WO{6xPmUIw_2oyDR68pd+CusR0wZ5CG&93)<%Lx8~uxYBm ze-G zNw<06f}q@gVA8Qb(}fP=Zu`?e&__018nWFT8S_5OBn%=uSYRS5z!Bb0v0gC5z?M+* z_hR*MbOQQ+cgez@-}LxHbl-C%xo<)%N|8DmlT8`Ch}#1YLRj4BQiMS>rL+&$SErCb zds6l{MUU?;ZrUiKy`0766{bKXSIGo^Ur-X?36(qO3!!T2I~D=KRMED9r}@R{l2M(Nv?cylDF1VI^29xSqn9TeS38h9L$J4&L>Ec<7Uza28R zX>DFt@0RIAo;Z~C(DO?P2CgmMFc7o>af=(<_XSJ7XHM%!_z8lwM47LPb15t<5}EP5 z(mBmYkczz4-Y%%-gr%#24WEK|C<>&1R1{AK*K5Ez1`cC0Dki|i<&CI^$DQ{58q!G1 zPkF)4^*3=x|5^040+&pK3i-8JQXY?kV@V~fF8-~4m7G1M^$kG_!tL0U*FBzY5Ku26 zH+A2H_I;>)FHp=JtWv9jOA~xBFp&B-K?yxJ_m9=}9v>~|dgrdW<2OmV=$Qe3usLq( zLW6Q?4BnLGv923wp)FSzT=P4)zN}C*){RW?sYu>A#ATVSzWl9_XRhmuA0o;OD7 zLxy8cz=xcz4KN*P)($VF2fn0LjQ~pO@)};rCNAwaQ9Olf)P#9+`_O$hLg<%%bMP47 zSgn!5??!W#2%1kVL8EGD-Kmf-L2nP*GpusVngEF=P8VpK5!C(M5ual@B5=GPporHm z=t{(2cJ{dK73HYOa@-jpVoMmZ@KsX#8t(7s2bzMWOw}%oFQ{3_Y;e>?kl;tZ6SSLO zmcn?H9Wl^ru#<={zr-R7C#&^*-!wLmsgvRU#*0Ulnv1C#@Tu4Sf-_WxH&KaiVUmUZ zR5X7Q9J8~eocTMC^+S$XGXTdBFQi;5u< zuUs!xDLz2~RK=mVMtBYMpijukBfad#z-48x%E81X&rY9`$0U%1^mg^? z>TX2JO+)D9AXLYF{F&M<9#$!4+xse7j^4^-9YedAJ4L^F-PJ{;L=WaM z;CK&Bt-!AJK9kVQfq1dGvtVdg#zaF|VRwZD9#FJ8iXkihP* zM@V+&9q|$&`z|z3lYcs6E*-+uM>Hcf>=|$57C!!~BW_baR7XD@psemUQ5y%kr>yd1 zm8R927JKP-M5?1q?ZnPx~YXH0ZFCq=^@gs+bs?4^}Op`zA_CBxkPj6Az z;MI_gpZMYpTd<|@Mb}Fa{lJ|9ss`EgWag+hOWFkr`ZK4QWV<~AlI>!wr0lSSbV~5M?-~y9)8}?rjttq? z?^rV9;r(VVgQc|x4RH8HiBL$Xx&jpLq#W=yr1G14m#KFleBO;R`i+iqmIV?i2Qg|H z!YA+}qi!5KM-5*Ct%AhX7L=b!Fk;WZUfQA=B?fYSdi{{^&I)6!1IbRk93xWB*ioWC z-?tV_L00i(^fhn8M_lA)Ko!YJ()=M8^^mw{;%=H}o12}4K5crtox2ij!9g_=0Xe3< zID(mRnOuw1VR-}i9O*)uJe?#bf3vhkA@etj43hODQnYmrv0UzhO`^lFJ-1}P;Ac?$ zhiHPOZ>h5;`B~^>#-nzw0Fl9#U{xfJP*TACY!(t=8uUk?VW*nFi3j;vW| zxKM;M)HFBQDik}!miY#WErQKTN!Q*z?wcS*9tmabvs|u;E>15Q2dUyGN-b@LD@g*q zxa4N5vkh>HdiAekp$y&A`I`z15?W+r#REcsM!bqP%YJ80Y%MQ7@{cJM z${FeHRrCiGz;e}b{EqW5)pyhjnT+AUs*_%3>c*71W<-mp=jrq=n-|I;DRkz0NMxgPIsuX!Y zR7vp%sdh$oStk(aqcqV?4H9HKi(0<1#1S=HfO_w@=65S|gGcS03Fw+|mgy%zoO{()m0} z>pAmc+1M0RbgWr&WvFv|yn%jBRqVrr_U;2-)vrD~xJ6k6;)b#u<|!;Kc*Tw_WsJMh zh#POWb=0nym|w~>*-(?kSXUNZJJ@{-n~a>(h&!cg!s(_6AI94!uX?&F-##~?~` z-~KI!D`FZ@9lPFp_&LWAt5Ug{V(<6!o2?iv1fuQ-p)HK6;`KD^3gqU5==q~=+u<_{}p9aZZg%uQAoDv{B!5p!x? z?Yz%z9yZ?P(tX@%>`f?*m$JrC*0rn*Sn7>p}n{_>4w}@QdRjgr$IbLT@0B z0Oc`npAp|qbd?1666a>DtY=5;QPnFpX+E7#RCSOyY}y_At!bo}rNiExdV($9kFsJ# z5(^aR!wwzNf+!vZO%`?N+MBYG_=G{CA*6n@*p>QRKVC>-UYv`gn*zqWSE)qvor{J0Y39m3U+bmeAu*LrMJx-`c@_H+Md^&Uao z*%a0orrd6}m9!vAH36E1zL;zOUHC1E`^ECUZDZ_0A~E17Dw>4q33h5q)O+fK&PwW| zpPZl0($)I-E}bki!H0=GZ7=few9+nw7V;7D0u*BJZ#PPu` zlA(UtVA`W21{#bu8Yk`(qWRel%T%s*TEls6i1R98B+yaoxK}IMIrP@NMsRqyf1?yM zVnSn2At^0mnDY#-4Qpjg$drVpRBz3Rs?#6U&N_mc-!h?S-62gqi14bK}%x=*@5ABC$@^)0|}3t=BxoOn@pl_}$J#d;E@;1%Ww zwT%8|h*_+45u3nzqKub-PLF!;LA-(HA_s1gQ+7MFcviUpD8hPx%s0Zb1__vV)25W5 zS8{t2u3;1^9m!;F=SKmH&O9g)-TOhZF0c~7o7DNtsbdX0Tn;$h`NWy72*Mr#gHQS# zxa;YG>k!+`V6gK%<|AxR0=w-BYvnhxV_;6*wa{Yk+{0;B$x3X}7Ts=)lDo|UGy%$3 ze(nY-aNI$*KmL+r5rTu;W1F^>jJy^sKai!dL>Y>OxAuj4P4bm5R=V>w`O3fgBeEjm zd~78>4=abld8DYhhvcp(qB}w@gIuMGrdY2^bMsi?&x!AEHF{hc zg+DNk`;;y^5U@qHYv=l>ylIkSKv`8XcdBRg;rpD%iSyg|$79xK4KALACso;aG|J4{ zM=o}BWcpcJ_KWUFN?+hr{n&QgXhF{Bw41yMii;`_47xsc=oiVa{2v8tGY5O%13zW5 zMwu0SaukgGf@_5T!7pGgvWky^G(b8|<3Q8c?2Uxz;%QICsI2NeBU(~c(>lU$tH6(C z!?)hYYB0_>NwsFik*o@lw6(twlS4|#5OmRiv&TD9A6z@RJWNVz&4kkC_)Ex;=+C8% zhHW9oet8E%$zeE0Lx)l| z=wi>IIXK<#^2zteGFqb+r$okBf*p0SN|+e-y7uB{@}g!jRmHwcAD#4Zq9gfyip+yb zg$p2O6nybR$|(m`%9&h-k;~b0WPC*SWDv0 z1&u*-B!%bl&r%mubHAmK3X&*R)ku>#Sn8&-cW zK2P^rNE3`Q0+iXeUh@BCMUQms&JW=t9&VE&B=j{C_Mt z$mL|laTbhQgi+&2b%Qj`DcB8l_!W28*z<;=$}o~q$YZ5ib#+OCo=#EfVrgPSawAWd z%WVsIlIueGb^Y3(soWx^r_q}!j>S~mK`W5qoTfHg!!)Hpx3H`rxF;vV&q!5gyXfe} z0w`eJ`B@bPHZN8O{n}7ct|M7Y)O;n&H{BRtSwk_lvB@p=mUnMu$2+*_ZDam<*g2lV)D*CN+d5a+`ovbJ*R=J07&JhgO=jzjd`-bU(l369g@NNrgdz_k zKoFKRlMxmvxJ37=Bl>ZIpqmbal3z$ZE^S5i&CR0o139PaX1W0jev36_8BKBDBWBgY z+%U+5sdYYFRpUB=UK}(m(IhK;P9vq0l@!jGw&92`OV>^M^F>373n5EmP=f%-E$UZMe?68(8}P<^m%x{pAz(AgGxC!4Ig1;|%a<*AzsN%*Uyc2owx7h3Fy+Jzq=sO^hwGFuo^~ zc{n)Li1;l8scyJNbWB?Usx}BfKosHBm}Jx1lq&Bi_P^1ZB6Q=hU%}Lr@(6cSFhF3B zQL_L=1zoL|{=*JeurG~%BX~^>5)_xqCEUEh>~aQBbQ%)&Ts2gu(hZp+EKRf>%`opE z*rmwaJt+>Mnv1~lc@PIm0c7WFc2l$3h0%AxBnqzgoF!)#MxJ8YmbTp&<@5YFFG3`n zRK)lKO;%E~Gd#h`ByiHOT05kr608$S{`H=nP8or#9#R1(yyX(?t)HXo<_Q?L9UaSu z%VWW5L6SQ5+_`r{T}8_(05a^QeSC0DhQ=4=d@hDHk$`fyPl6_l6ZA%!QeyK~R$5X<@EBPs z6mr#>@yPjP8Aes{u7xe2wZqgBavJ&=D0JT;%Au~&D1+|+O|2bK=&FF;;1CCNjvM6Y2rA1#PB>ldCu^Ct^?5 zjC#04phl(9-(H_Sde@MxP!O|LS0mcfLz5Vu1n6OmnD)X=iqC@>x(L#NvCQ-qo09hM zf0;W)QMG_V`AHR1FjhM=`sw$yR-1(C=)?~$j|$*5_7@oysinfSvsF@)5mlV-Jwt?` zO4MsO^fJy-0uS1*DCG15#`uDLhk5*WF${jJCX$_&vpLZij=-9%Qx{$B1AFBF6n&B9 zvc%BGkJ?v>?M=E|^in=s&8#&xM7x$6#DrASZ_h2tJ!)$teX+Y?t<#m^3PNsCCZSvl zDeIF`JQ2BJt(EA7qaK%&SuoL58S%<(wlzfRf3n|t z!#tm7n;`Nka^>_JNY&)=i1Q9d*Jj&#$i}O2Ib|LL}gk)s3 zZAKLWg#nkq>onjIOpnBUE3gGjyq5YPf|9!OI>C>E9Df}8=GFeSJv{kU1@|1{tDB~c9FCD4zW$$KV*<%O!``!3xt zBX2aSMkfYlXYO$QF!(&hV%3;zU!%?Vk(GI!MolHcs-63phqvybJKhd*jeJ%PyIz=F zxl+8=`GMP2u;N(R)O=P0)A;8^Q&6e<29GZHmKI=`GBo}gxcCa&Um`VpXjpa1J;gdm zBE_l24tcG0WX;7R(gt5Sau=sIsJau`N+Y1}V#T*WntsL4$^nCO2u+=xDKOFBsl&q+c*?onp_Ig$2xVgMqVTsR zA~SQu=?fQ((O*cZ6rfBN(b8z7z5Ob zv;^yp+3g+pGEyAGPyJ)Bz@&f##wb~8Fkugu` zSVE>qA?d=z3+dg3yv`Sxd4dc`a_J^$^43+TWMmub-`(I^rrOr@-gO2y=o#XyoE=$`zXVKEqG0;D@1eH2^^P95q-@m z?VTX;b!IM1ni4IdgWjXef=wpy^j>w@BQc$JKFrzU!2I|uQwI&U9a=5?#{Z;}D|nE> zIP4KYBYTc?FZ}@HV5e62A+-3=mfm&Ctgb8v4w`Ja3mA8_fF3n<9?8vMC z64R^afvmMB*F>Q;Q&+5DK3s2q8H8DB1hM`ukk+R+J^{8I>558d4%IB-C8ca4y`8_?B3 z>Dl+_wKI%`l{_G_My6lTc|h#N>N=pIC(K{@Q!qEhZlw8EAD^> zZT8CnaH6nr&{z*|R^kiBQ+F~Xc#k)Zy@qx=9X;1owIH&e11>e87B%t5{HdoXS2-to zr#8ZScpc~&xA-Rzj|7=3lm?zNxvYzQFKs}`i7PHh*@@1f#4bY=*JAGO$B`KswU6qk z4pv|D(EcXX?%Kgk61Rp87zrFONG1qP5O2PD5;%um4G&L#&VdIksYvht7=x@A%-0}) z#M0klAu-FByr+33Z>(rhsl9r{hKy(dGIb0NO@Upvu zF|hY1SW4V1-iLMxtBVWRX{0+t#+3TzYB|i!p-tu;%KcE(?OVhTZAcDp3R2|PDiGg} zmQ!0&b4?b@50a{16wL8ddl(&o4ZNGif}F!QvwPq4tjrRx^QQg=y*}#STZ+-TgYO3N z>n8i!y?A01eJmuz7c+$#v1s_y%&Dw0zk9lwW>rQ>9Mj!Qi}%{U!*_vy4|JDp04i(n zH?m{#z{^5aANtNPZ6C!y^sYAVmnHpn$N+j6S;F=gHKtH^yZ|^Au9_5R*O_?Qj;zem zxaZs0$F~cllF440*kOy9khe)tt|^BDNJ8Tcu{-DD>$IZ_Kc|8u4!r56T3aoqK?q06 zi?@8kkW6&x!?7cg@NoQyCY%D##F^$x2} zmJs7q`ZtUjtlKHFFz4p;aWhHjF6Um@rktsn?oI1D*-Hd!(Df5N>jAUh#W*oc<&Bi7 zHo%dei>%VPt3hk6MxNi_Es7TtGMdasl<|~f(O$o~A?FarcW*)Fe*vwclnHDZ?}+SP zgYR&kn8RYb9O9><=RQuodIuwAN)ulS;SGy)PX}i^~1UYf0k$b`JnqicQgxToaq?rolg6VA7$>(o?TbE z6jEI3BBqxbUgL{6t@896dly!z7dXPugQXkT$}T@PWqm_3(f}$Agk`G%;50L{=*mi| zTE(qgB%svciozkc)BYou have the following attributes:

+ + + + + + {% for attr in attributes %} + + + {% endfor %} + +
NameValues
{{ attr.0 }}
    + {% for val in attr.1 %} +
  • {{ val }}
    • + {% endfor %} +
+ {% else %} + + {% endif %} + Logout +{% else %} + Login and access again to this page +{% endif %} + +{% endblock %} diff --git a/demo_pyramid/demo_pyramid/templates/index.jinja2 b/demo_pyramid/demo_pyramid/templates/index.jinja2 new file mode 100644 index 00000000..c2438d87 --- /dev/null +++ b/demo_pyramid/demo_pyramid/templates/index.jinja2 @@ -0,0 +1,54 @@ +{% extends "layout.jinja2" %} + +{% block content %} + +
+

Pyramid Starter project

+

Welcome to demo_pyramid, a Pyramid application generated by
Cookiecutter.

+
+ +{% if errors %} + +{% endif %} + +{% if not_auth_warn %} + +{% endif %} + +{% if success_slo %} + +{% endif %} + +{% if paint_logout %} + {% if attributes %} + + + + + + {% for attr in attributes %} + + + {% endfor %} + +
NameValues
{{ attr.0 }}
    + {% for val in attr.1 %} +
  • {{ val }}
    • + {% endfor %} +
+ {% else %} + + {% endif %} + Logout +{% else %} + Login Login and access to attrs page +{% endif %} + +{% endblock %} diff --git a/demo_pyramid/demo_pyramid/templates/layout.jinja2 b/demo_pyramid/demo_pyramid/templates/layout.jinja2 new file mode 100644 index 00000000..57ad87c0 --- /dev/null +++ b/demo_pyramid/demo_pyramid/templates/layout.jinja2 @@ -0,0 +1,64 @@ + + + + + + + + + + + Cookiecutter Starter project for the Pyramid Web Framework + + + + + + + + + + + + + +
+
+
+
+ +
+
+ {% block content %} +

No content

+ {% endblock content %} +
+
+
+
+ +
+
+
+
+ Copyright © Pylons Project +
+
+
+
+ + + + + + + + diff --git a/demo_pyramid/demo_pyramid/tests.py b/demo_pyramid/demo_pyramid/tests.py new file mode 100644 index 00000000..58882283 --- /dev/null +++ b/demo_pyramid/demo_pyramid/tests.py @@ -0,0 +1,29 @@ +import unittest + +from pyramid import testing + + +class ViewTests(unittest.TestCase): + def setUp(self): + self.config = testing.setUp() + + def tearDown(self): + testing.tearDown() + + def test_my_view(self): + from .views import my_view + request = testing.DummyRequest() + info = my_view(request) + self.assertEqual(info['project'], 'demo_pyramid') + + +class FunctionalTests(unittest.TestCase): + def setUp(self): + from demo_pyramid import main + app = main({}) + from webtest import TestApp + self.testapp = TestApp(app) + + def test_root(self): + res = self.testapp.get('/', status=200) + self.assertTrue(b'Pyramid' in res.body) diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py new file mode 100644 index 00000000..853457bb --- /dev/null +++ b/demo_pyramid/demo_pyramid/views.py @@ -0,0 +1,122 @@ +import os + +from pyramid.httpexceptions import (HTTPFound, HTTPInternalServerError, HTTPOk,) +from pyramid.view import view_config + +from onelogin.saml2.auth import OneLogin_Saml2_Auth +from onelogin.saml2.utils import OneLogin_Saml2_Utils + +SAML_PATH = os.path.join(os.path.dirname(__file__), 'saml') + + +def init_saml_auth(req): + auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH) + return auth + + +def prepare_pyramid_request(request): + # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields + return { + 'https': 'on' if request.scheme == 'https' else 'off', + 'http_host': request.host, + 'server_port': request.server_port, + 'script_name': request.path, + 'get_data': request.GET.copy(), + # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144 + # 'lowercase_urlencoding': True, + 'post_data': request.POST.copy(), + } + + +@view_config(route_name='index', renderer='templates/index.jinja2') +def index(request): + req = prepare_pyramid_request(request) + auth = init_saml_auth(req) + errors = [] + not_auth_warn = False + success_slo = False + attributes = False + paint_logout = False + + session = request.session + + if 'sso' in request.GET: + return HTTPFound(auth.login()) + elif 'sso2' in request.GET: + return_to = '%s/attrs/' % request.host_url + return HTTPFound(auth.login(return_to)) + elif 'slo' in request.GET: + name_id = None + session_index = None + if 'samlNameId' in session: + name_id = session['samlNameId'] + if 'samlSessionIndex' in session: + session_index = session['samlSessionIndex'] + + return HTTPFound(auth.logout(name_id=name_id, session_index=session_index)) + elif 'acs' in request.GET: + auth.process_response() + errors = auth.get_errors() + not_auth_warn = not auth.is_authenticated() + if len(errors) == 0: + session['samlUserdata'] = auth.get_attributes() + session['samlNameId'] = auth.get_nameid() + session['samlSessionIndex'] = auth.get_session_index() + self_url = OneLogin_Saml2_Utils.get_self_url(req) + if 'RelayState' in request.POST and self_url != request.POST['RelayState']: + return HTTPFound(auth.redirect_to(request.POST['RelayState'])) + elif 'sls' in request.GET: + dscb = lambda: session.clear() + url = auth.process_slo(delete_session_cb=dscb) + errors = auth.get_errors() + if len(errors) == 0: + if url is not None: + return HTTPFound(url) + else: + success_slo = True + + if 'samlUserdata' in session: + paint_logout = True + if len(session['samlUserdata']) > 0: + attributes = session['samlUserdata'].items() + + return { + 'errors': errors, + 'not_auth_warn': not_auth_warn, + 'success_slo': success_slo, + 'attributes': attributes, + 'paint_logout': paint_logout, + } + + +@view_config(route_name='attrs', renderer='templates/attrs.jinja2') +def attrs(request): + paint_logout = False + attributes = False + + session = request.session + + if 'samlUserdata' in session: + paint_logout = True + if len(session['samlUserdata']) > 0: + attributes = session['samlUserdata'].items() + + return { + 'paint_logout': paint_logout, + 'attributes': attributes, + } + + +@view_config(route_name='metadata', renderer='html') +def metadata(request): + req = prepare_pyramid_request(request) + auth = init_saml_auth(req) + settings = auth.get_settings() + metadata = settings.get_sp_metadata() + errors = settings.validate_metadata(metadata) + + if len(errors) == 0: + resp = HTTPOk(body=metadata, headers={'Content-Type': 'text/xml'}) + else: + resp = HTTPInternalServerError(body=', '.join(errors)) + return resp diff --git a/demo_pyramid/development.ini b/demo_pyramid/development.ini new file mode 100644 index 00000000..64042ee7 --- /dev/null +++ b/demo_pyramid/development.ini @@ -0,0 +1,59 @@ +### +# app configuration +# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/environment.html +### + +[app:main] +use = egg:demo_pyramid + +pyramid.reload_templates = true +pyramid.debug_authorization = false +pyramid.debug_notfound = false +pyramid.debug_routematch = false +pyramid.default_locale_name = en +pyramid.includes = + pyramid_debugtoolbar + +# By default, the toolbar only appears for clients from IP addresses +# '127.0.0.1' and '::1'. +# debugtoolbar.hosts = 127.0.0.1 ::1 + +### +# wsgi server configuration +### + +[server:main] +use = egg:waitress#main +listen = 127.0.0.1:6543 [::1]:6543 + +### +# logging configuration +# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/logging.html +### + +[loggers] +keys = root, demo_pyramid + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = INFO +handlers = console + +[logger_demo_pyramid] +level = DEBUG +handlers = +qualname = demo_pyramid + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(asctime)s %(levelname)-5.5s [%(name)s:%(lineno)s][%(threadName)s] %(message)s diff --git a/demo_pyramid/production.ini b/demo_pyramid/production.ini new file mode 100644 index 00000000..84b482ae --- /dev/null +++ b/demo_pyramid/production.ini @@ -0,0 +1,53 @@ +### +# app configuration +# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/environment.html +### + +[app:main] +use = egg:demo_pyramid + +pyramid.reload_templates = false +pyramid.debug_authorization = false +pyramid.debug_notfound = false +pyramid.debug_routematch = false +pyramid.default_locale_name = en + +### +# wsgi server configuration +### + +[server:main] +use = egg:waitress#main +listen = *:6543 + +### +# logging configuration +# http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/logging.html +### + +[loggers] +keys = root, demo_pyramid + +[handlers] +keys = console + +[formatters] +keys = generic + +[logger_root] +level = WARN +handlers = console + +[logger_demo_pyramid] +level = WARN +handlers = +qualname = demo_pyramid + +[handler_console] +class = StreamHandler +args = (sys.stderr,) +level = NOTSET +formatter = generic + +[formatter_generic] +format = %(asctime)s %(levelname)-5.5s [%(name)s:%(lineno)s][%(threadName)s] %(message)s diff --git a/demo_pyramid/pytest.ini b/demo_pyramid/pytest.ini new file mode 100644 index 00000000..97c77860 --- /dev/null +++ b/demo_pyramid/pytest.ini @@ -0,0 +1,3 @@ +[pytest] +testpaths = demo_pyramid +python_files = *.py diff --git a/demo_pyramid/setup.py b/demo_pyramid/setup.py new file mode 100644 index 00000000..50291385 --- /dev/null +++ b/demo_pyramid/setup.py @@ -0,0 +1,54 @@ +import os + +from setuptools import setup, find_packages + +here = os.path.abspath(os.path.dirname(__file__)) +with open(os.path.join(here, 'README.txt')) as f: + README = f.read() +with open(os.path.join(here, 'CHANGES.txt')) as f: + CHANGES = f.read() + +requires = [ + 'pyramid', + 'pyramid_jinja2', + 'pyramid_debugtoolbar', + 'waitress', + 'xmlsec', + 'isodate', + 'python3-saml', +] + +tests_require = [ + 'WebTest >= 1.3.1', # py3 compat + 'pytest', + 'pytest-cov', +] + +setup( + name='demo_pyramid', + version='0.0', + description='demo_pyramid', + long_description=README + '\n\n' + CHANGES, + classifiers=[ + 'Programming Language :: Python', + 'Framework :: Pyramid', + 'Topic :: Internet :: WWW/HTTP', + 'Topic :: Internet :: WWW/HTTP :: WSGI :: Application', + ], + author='', + author_email='', + url='', + keywords='web pyramid pylons', + packages=find_packages(), + include_package_data=True, + zip_safe=False, + extras_require={ + 'testing': tests_require, + }, + install_requires=requires, + entry_points={ + 'paste.app_factory': [ + 'main = demo_pyramid:main', + ], + }, +) diff --git a/setup.py b/setup.py index 0d894d3c..1dc1a0cd 100644 --- a/setup.py +++ b/setup.py @@ -47,5 +47,5 @@ 'coveralls==0.4.4', ), }, - keywords='saml saml2 xmlsec django flask python3', + keywords='saml saml2 xmlsec django flask pyramid python3', ) From d39c963571121487dcc1c8d1c84ce03ba6c69f56 Mon Sep 17 00:00:00 2001 From: Charles Beebe Date: Thu, 30 Mar 2017 10:50:38 -0400 Subject: [PATCH 033/331] Update README with Pyramid demo instructions. --- README.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/README.md b/README.md index 422ab1ba..1e68f8f3 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,11 @@ openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout saml.key This folder contains a Flask project that will be used as demo to show how to add SAML support to the Flask Framework. 'index.py' is the main flask file that has all the code, this file uses the templates stored at the 'templates' folder. In the 'saml' folder we found the 'certs' folder to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json). +#### demo_pyramid #### + +This folder contains a Pyramid project that will be used as demo to show how to add SAML support to the [Pyramid Web Framework](http://docs.pylonsproject.org/projects/pyramid/en/latest/). '\_\_init__.py' is the main file that configures the app and its routes, 'views.py' is where all the logic and SAML handling takes place, and the templates are stored in the 'templates' folder. The 'saml' folder is the same as in the other two demos. + + #### setup.py #### Setup script is the centre of all activity in building, distributing, and installing modules. @@ -1134,3 +1139,80 @@ libxmlsec1-dev ``` Finally, add python3-saml to your requrements.txt and ```git push``` to trigger a build. + +### Demo Pyramid ### + +Unlike the other two projects, you don't need a pre-existing virtualenv to get +up and running here, since Pyramid comes from the +[buildout](http://www.buildout.org/en/latest/) school of thought. + +To run the demo you need to install Pyramid, the requirements, etc.: +``` + cd demo_pyramid + python3 -m venv env + env/bin/pip install --upgrade pip setuptools + env/bin/pip install -e ".[testing]" +``` + +If you want to make sure the tests pass, run: +``` + env/bin/pytest +``` + +Next, edit the settings in `demo_pyramid/saml/settings.json`. (Pyramid runs on +port 6543 by default.) + +Now you can run the demo like this: +``` + env/bin/pserve development.ini +``` + +If that worked, the demo is now running at http://localhost:6543. + +####Content#### + +The Pyramid project contains: + + +* ***\_\_init__.py*** is the main Pyramid file that configures the app and its routes. + +* ***views.py*** is where all the SAML handling takes place. + +* ***templates*** is the folder where Pyramid stores the templates of the project. It was implemented a layout.jinja2 template that is extended by index.jinja2 and attrs.jinja2, the templates of our simple demo that shows messages, user attributes when available and login and logout links. + +* ***saml*** is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json). + + +####SP setup#### + +The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In demo_pyramid the first method is used. + +In the views.py file we define the SAML_PATH, which will target the 'saml' folder. We require it in order to load the settings files. + +First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info. Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt. + +####IdP setup#### + +Once the SP is configured, the metadata of the SP is published at the /metadata/ url. Based on that info, configure the IdP. + +####How it works#### + +1. First time you access to the main view 'http://localhost:6543', you can select to login and return to the same view or login and be redirected to /?attrs (attrs view). + + 2. When you click: + + 2.1 in the first link, we access to /?sso (index view). An AuthNRequest is sent to the IdP, we authenticate at the IdP and then a Response is sent through the user's client to the SP, specifically the Assertion Consumer Service view: /?acs. Notice that a RelayState parameter is set to the url that initiated the process, the index view. + + 2.2 in the second link we access to /?attrs (attrs view), we will expetience have the same process described at 2.1 with the diference that as RelayState is set the attrs url. + + 3. The SAML Response is processed in the ACS /?acs, if the Response is not valid, the process stops here and a message is shown. Otherwise we are redirected to the RelayState view. a) / or b) /?attrs + + 4. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality. + + The single log out funcionality could be tested by 2 ways. + + 5.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that a Logout Request is sent to the IdP, the session at the IdP is closed and replies through the client to the SP with a Logout Response (sent to the Single Logout Service endpoint). The SLS endpoint /?sls of the SP process the Logout Response and if is valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP. + + 5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP side, the logout process is initiated at the IdP, sends a Logout Request to the SP (SLS endpoint, /?sls). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and send a Logout Response to the IdP (to the SLS endpoint of the IdP). The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. + +Notice that all the SAML Requests and Responses are handled at a unique view (index) and how GET parameters are used to know the action that must be done. From fa2593dad1947497d829aada17e772a37e37f22c Mon Sep 17 00:00:00 2001 From: Colin Jeanne Date: Fri, 7 Apr 2017 20:17:31 -0700 Subject: [PATCH 034/331] Allows underscores in URL hosts Underscore is a valid character in the host portion of a URL but the simply URL validation regex does not currently support it. Ideally this would be using `urllib` or `urlparse` but since that module changed from 2 to 3 the simple fix is to just update the regex. --- src/onelogin/saml2/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index aae9bdb3..307a2229 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -33,7 +33,7 @@ # Released under a BSD 3-Clause License url_regex = re.compile( r'^(?:[a-z0-9\.\-]*)://' # scheme is validated separately - r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain... + r'(?:(?:[A-Z0-9_](?:[A-Z0-9-_]{0,61}[A-Z0-9_])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain... r'localhost|' # localhost... r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4 r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6 From 1bb7cba6869334b5bda3aa7fe050803ce3a900d8 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sun, 16 Apr 2017 17:28:32 +0200 Subject: [PATCH 035/331] Add error reason --- demo_pyramid/demo_pyramid/templates/index.jinja2 | 3 ++- demo_pyramid/demo_pyramid/views.py | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/demo_pyramid/demo_pyramid/templates/index.jinja2 b/demo_pyramid/demo_pyramid/templates/index.jinja2 index c2438d87..65bcedd6 100644 --- a/demo_pyramid/demo_pyramid/templates/index.jinja2 +++ b/demo_pyramid/demo_pyramid/templates/index.jinja2 @@ -14,7 +14,8 @@ {% for err in errors %}
  • {{err}}
    • {% endfor %} - + Reason: {{ error_reason }} + {% endif %} diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py index 853457bb..86814a99 100644 --- a/demo_pyramid/demo_pyramid/views.py +++ b/demo_pyramid/demo_pyramid/views.py @@ -33,6 +33,7 @@ def index(request): req = prepare_pyramid_request(request) auth = init_saml_auth(req) errors = [] + error_reason = "" not_auth_warn = False success_slo = False attributes = False @@ -65,6 +66,8 @@ def index(request): self_url = OneLogin_Saml2_Utils.get_self_url(req) if 'RelayState' in request.POST and self_url != request.POST['RelayState']: return HTTPFound(auth.redirect_to(request.POST['RelayState'])) + else: + error_reason = auth.get_last_error_reason() elif 'sls' in request.GET: dscb = lambda: session.clear() url = auth.process_slo(delete_session_cb=dscb) @@ -82,6 +85,7 @@ def index(request): return { 'errors': errors, + 'error_reason': error_reason, 'not_auth_warn': not_auth_warn, 'success_slo': success_slo, 'attributes': attributes, From 65903b0d662424d615757f31b3ec4a705fb11acf Mon Sep 17 00:00:00 2001 From: Paul Albee Date: Wed, 26 Apr 2017 15:41:58 -0700 Subject: [PATCH 036/331] Updated requirements to use Django 1.11 and python3-saml. --- demo-django/requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/demo-django/requirements.txt b/demo-django/requirements.txt index 5a55855e..1aa1df39 100644 --- a/demo-django/requirements.txt +++ b/demo-django/requirements.txt @@ -1 +1,2 @@ -Django==1.6.5 +Django==1.11 +python3-saml From 3557f2b563168a3050a82ec0d5f39ec8e63fdf21 Mon Sep 17 00:00:00 2001 From: Paul Albee Date: Wed, 26 Apr 2017 15:47:54 -0700 Subject: [PATCH 037/331] Updated settings.py for Django 1.11 --- demo-django/demo/settings.py | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/demo-django/demo/settings.py b/demo-django/demo/settings.py index 3428fdab..fcc3cea2 100644 --- a/demo-django/demo/settings.py +++ b/demo-django/demo/settings.py @@ -10,8 +10,8 @@ # Build paths inside the project like this: os.path.join(BASE_DIR, ...) import os -BASE_DIR = os.path.dirname(os.path.dirname(__file__)) +BASE_DIR = os.path.dirname(os.path.dirname(__file__)) # Quick-start development settings - unsuitable for production # See https://docs.djangoproject.com/en/1.6/howto/deployment/checklist/ @@ -22,11 +22,8 @@ # SECURITY WARNING: don't run with debug turned on in production! DEBUG = True -TEMPLATE_DEBUG = True - ALLOWED_HOSTS = [] - # Application definition INSTALLED_APPS = ( @@ -38,7 +35,7 @@ 'django.contrib.staticfiles', ) -MIDDLEWARE_CLASSES = ( +MIDDLEWARE = ( 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', # 'django.middleware.csrf.CsrfViewMiddleware', @@ -51,7 +48,6 @@ WSGI_APPLICATION = 'demo.wsgi.application' - # Database # https://docs.djangoproject.com/en/1.6/ref/settings/#databases @@ -75,16 +71,26 @@ USE_TZ = True - -# Static files (CSS, JavaScript, Images) -# https://docs.djangoproject.com/en/1.6/howto/static-files/ - STATIC_URL = '/static/' SAML_FOLDER = os.path.join(BASE_DIR, 'saml') SESSION_ENGINE = 'django.contrib.sessions.backends.file' -TEMPLATE_DIRS = ( - os.path.join(BASE_DIR, 'templates'), -) +TEMPLATES = [ + { + 'BACKEND': 'django.template.backends.django.DjangoTemplates', + 'DIRS': [os.path.join(BASE_DIR, 'templates')] + , + 'APP_DIRS': True, + 'OPTIONS': { + 'debug': True, + 'context_processors': [ + 'django.template.context_processors.debug', + 'django.template.context_processors.request', + 'django.contrib.auth.context_processors.auth', + 'django.contrib.messages.context_processors.messages', + ], + }, + }, +] From 09a1cb9863e35da9db738a58372d17af71fda6dd Mon Sep 17 00:00:00 2001 From: Paul Albee Date: Wed, 26 Apr 2017 15:51:07 -0700 Subject: [PATCH 038/331] Updated urls.py to use callables for the views and to do away with the patterns function. --- demo-django/demo/urls.py | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/demo-django/demo/urls.py b/demo-django/demo/urls.py index 4f55a0b3..cb05b321 100644 --- a/demo-django/demo/urls.py +++ b/demo-django/demo/urls.py @@ -1,11 +1,10 @@ -from django.conf.urls import patterns, url - +from django.conf.urls import url from django.contrib import admin +from .views import attrs, index, metadata admin.autodiscover() -urlpatterns = patterns( - '', - url(r'^$', 'demo.views.index', name='index'), - url(r'^attrs/$', 'demo.views.attrs', name='attrs'), - url(r'^metadata/$', 'demo.views.metadata', name='metadata'), -) +urlpatterns = [ + url(r'^$', index, name='index'), + url(r'^attrs/$', attrs, name='attrs'), + url(r'^metadata/$', metadata, name='metadata'), +] From 6a17663e17a3c6e779c1dea92fc33f7f1ff88ea3 Mon Sep 17 00:00:00 2001 From: Paul Albee Date: Wed, 26 Apr 2017 15:52:05 -0700 Subject: [PATCH 039/331] Removed deprecated import. --- demo-django/demo/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py index 21fcad24..999cf427 100644 --- a/demo-django/demo/views.py +++ b/demo-django/demo/views.py @@ -1,5 +1,5 @@ from django.conf import settings -from django.core.urlresolvers import reverse +from django.urls import reverse from django.http import (HttpResponse, HttpResponseRedirect, HttpResponseServerError) from django.shortcuts import render_to_response From e88ad9e33d87cfd23923143886e26b056ad1f368 Mon Sep 17 00:00:00 2001 From: Paul Albee Date: Wed, 26 Apr 2017 15:53:13 -0700 Subject: [PATCH 040/331] Updated how context gets built for render_to_response. --- demo-django/demo/views.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py index 999cf427..a74e6c68 100644 --- a/demo-django/demo/views.py +++ b/demo-django/demo/views.py @@ -78,13 +78,13 @@ def index(request): if len(request.session['samlUserdata']) > 0: attributes = request.session['samlUserdata'].items() + context = RequestContext(request, {'errors': errors, + 'not_auth_warn': not_auth_warn, + 'success_slo': success_slo, + 'attributes': attributes, + 'paint_logout': paint_logout}).flatten() return render_to_response('index.html', - {'errors': errors, - 'not_auth_warn': not_auth_warn, - 'success_slo': success_slo, - 'attributes': attributes, - 'paint_logout': paint_logout}, - context_instance=RequestContext(request)) + context=context) def attrs(request): @@ -97,9 +97,8 @@ def attrs(request): attributes = request.session['samlUserdata'].items() return render_to_response('attrs.html', - {'paint_logout': paint_logout, - 'attributes': attributes}, - context_instance=RequestContext(request)) + context=RequestContext(request, {'paint_logout': paint_logout, + 'attributes': attributes}).flatten()) def metadata(request): From 84222126061420a6001d250d7a1993c9e64c077e Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 9 May 2017 12:10:46 +0200 Subject: [PATCH 041/331] Checking the status of response before assertion count --- src/onelogin/saml2/response.py | 6 +++--- tests/src/OneLogin/saml2_tests/response_test.py | 10 ++++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index a0919d4c..9c7d755e 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -79,6 +79,9 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): OneLogin_Saml2_ValidationError.MISSING_ID ) + # Checks that the response has the SUCCESS status + self.check_status() + # Checks that the response only has one assertion if not self.validate_num_assertions(): raise OneLogin_Saml2_ValidationError( @@ -86,9 +89,6 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS ) - # Checks that the response has the SUCCESS status - self.check_status() - idp_data = self.__settings.get_idp_data() idp_entity_id = idp_data['entityId'] sp_data = self.__settings.get_sp_data() diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index bd2a294c..44369657 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1402,3 +1402,13 @@ def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self): with self.assertRaises(Exception): response.is_valid(self.get_request_data(), raise_exceptions=True) + + def testStatusCheckBeforeAssertionCheck(self): + """ + Tests the status of a response is checked before the assertion count. As failed statuses will have no assertions + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder'): + response.is_valid(self.get_request_data(), raise_exceptions=True) \ No newline at end of file From f7a9652aced9a24666452f458302835bae12b62b Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 9 May 2017 17:23:32 +0200 Subject: [PATCH 042/331] #56. Be able to relax SSL Certificate verification when retrieving idp metadata --- src/onelogin/saml2/idp_metadata_parser.py | 17 +++++++++++++---- tests/src/OneLogin/saml2_tests/response_test.py | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py index 4a03af23..a3776d7e 100644 --- a/src/onelogin/saml2/idp_metadata_parser.py +++ b/src/onelogin/saml2/idp_metadata_parser.py @@ -14,6 +14,8 @@ except ImportError: import urllib2 +import ssl + from onelogin.saml2.constants import OneLogin_Saml2_Constants from onelogin.saml2.xml_utils import OneLogin_Saml2_XML from onelogin.saml2.utils import OneLogin_Saml2_Utils @@ -25,7 +27,7 @@ class OneLogin_Saml2_IdPMetadataParser(object): """ @staticmethod - def get_metadata(url): + def get_metadata(url, validate_cert=True): """ Gets the metadata XML from the provided URL :param url: Url where the XML of the Identity Provider Metadata is published. @@ -34,7 +36,14 @@ def get_metadata(url): :rtype: string """ valid = False - response = urllib2.urlopen(url) + + if validate_cert: + response = urllib2.urlopen(url) + else: + ctx = ssl.create_default_context() + ctx.check_hostname = False + ctx.verify_mode = ssl.CERT_NONE + response = urllib2.urlopen(url, context=ctx) xml = response.read() if xml: @@ -52,7 +61,7 @@ def get_metadata(url): return xml @staticmethod - def parse_remote(url, **kwargs): + def parse_remote(url, validate_cert=True, **kwargs): """ Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data :param url: Url where the XML of the Identity Provider Metadata is published. @@ -60,7 +69,7 @@ def parse_remote(url, **kwargs): :returns: settings dict with extracted data :rtype: dict """ - idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url) + idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url, validate_cert) return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata, **kwargs) @staticmethod diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 44369657..d5bb4e08 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1411,4 +1411,4 @@ def testStatusCheckBeforeAssertionCheck(self): xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder'): - response.is_valid(self.get_request_data(), raise_exceptions=True) \ No newline at end of file + response.is_valid(self.get_request_data(), raise_exceptions=True) From 728d51f5ef07b8f8e6ec16c1eaeb878739c5f44b Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sat, 13 May 2017 10:31:37 +0200 Subject: [PATCH 043/331] Be able to register future SP x509cert on the settings and publish it on SP metadata --- README.md | 19 +++++++ demo-django/saml/certs/README | 6 ++- demo-flask/saml/certs/README | 6 ++- demo_pyramid/demo_pyramid/saml/certs/README | 6 ++- src/onelogin/saml2/settings.py | 28 +++++++++++ tests/settings/settings7.json | 50 +++++++++++++++++++ .../saml2_tests/logout_request_test.py | 7 +-- .../saml2_tests/logout_response_test.py | 7 +-- .../src/OneLogin/saml2_tests/response_test.py | 10 ++-- .../src/OneLogin/saml2_tests/settings_test.py | 40 +++++++++++++-- 10 files changed, 157 insertions(+), 22 deletions(-) create mode 100644 tests/settings/settings7.json diff --git a/README.md b/README.md index 1e68f8f3..3769538a 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,9 @@ Or also we can provide those data in the setting file at the 'x509cert' and the Sometimes we could need a signature on the metadata published by the SP, in this case we could use the x.509 cert previously mentioned or use a new x.509 cert: metadata.crt and metadata.key. +Use `sp_new.crt` if you are in a key rollover process and you want to +publish that x509certificate on Service Provider metadata. + If you want to create self-signed certs, you can do it at the https://www.samltool.com/self_signed_certs.php service, or using the command: ```bash @@ -253,6 +256,15 @@ This is the settings.json file: // the certs folder. But we can also provide them with the following parameters "x509cert": "", "privateKey": "" + + /* + * Key rollover + * If you plan to update the SP x509cert and privateKey + * you can define here the new x509cert and it will be + * published on the SP metadata so Identity Providers can + * read them and get ready for rollover. + */ + // 'x509certNew': '', }, // Identity Provider Data that we want connected with our SP. @@ -776,6 +788,11 @@ else: print ', '.join(errors) ``` +### SP Key rollover ### + +If you plan to update the SP x509cert and privateKey you can define the new x509cert as $settings['sp']['x509certNew'] and it will be +published on the SP metadata so Identity Providers can read them and get ready for rollover. + ### Main classes and methods ### @@ -884,6 +901,7 @@ Configuration of the OneLogin Python Toolkit * ***check_sp_certs*** Checks if the x509 certs of the SP exists and are valid. * ***get_sp_key*** Returns the x509 private key of the SP. * ***get_sp_cert*** Returns the x509 public cert of the SP. +* ***get_sp_cert_new*** Returns the future x509 public cert of the SP. * ***get_idp_cert*** Returns the x509 public cert of the IdP. * ***get_sp_data*** Gets the SP data. * ***get_idp_data*** Gets the IdP data. @@ -892,6 +910,7 @@ Configuration of the OneLogin Python Toolkit * ***get_organization*** Gets organization data. * ***format_idp_cert*** Formats the IdP cert. * ***format_sp_cert*** Formats the SP cert. +* ***format_sp_cert_new*** Formats the SP cert new. * ***format_sp_key*** Formats the private key. * ***set_strict*** Activates or deactivates the strict mode. * ***is_strict*** Returns if the 'strict' mode is active. diff --git a/demo-django/saml/certs/README b/demo-django/saml/certs/README index 03c13737..7e837fb9 100644 --- a/demo-django/saml/certs/README +++ b/demo-django/saml/certs/README @@ -2,8 +2,10 @@ Take care of this folder that could contain private key. Be sure that this folde Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as: - * sp.key Private Key - * sp.crt Public cert + * sp.key Private Key + * sp.crt Public cert + * sp_new.crt Future Public cert + Also you can use other cert to sign the metadata of the SP using the: diff --git a/demo-flask/saml/certs/README b/demo-flask/saml/certs/README index 03c13737..7e837fb9 100644 --- a/demo-flask/saml/certs/README +++ b/demo-flask/saml/certs/README @@ -2,8 +2,10 @@ Take care of this folder that could contain private key. Be sure that this folde Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as: - * sp.key Private Key - * sp.crt Public cert + * sp.key Private Key + * sp.crt Public cert + * sp_new.crt Future Public cert + Also you can use other cert to sign the metadata of the SP using the: diff --git a/demo_pyramid/demo_pyramid/saml/certs/README b/demo_pyramid/demo_pyramid/saml/certs/README index 03c13737..7e837fb9 100644 --- a/demo_pyramid/demo_pyramid/saml/certs/README +++ b/demo_pyramid/demo_pyramid/saml/certs/README @@ -2,8 +2,10 @@ Take care of this folder that could contain private key. Be sure that this folde Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as: - * sp.key Private Key - * sp.crt Public cert + * sp.key Private Key + * sp.crt Public cert + * sp_new.crt Future Public cert + Also you can use other cert to sign the metadata of the SP using the: diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index 307a2229..eda30cee 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -121,6 +121,8 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals self.format_idp_cert() self.format_sp_cert() + if 'x509certNew' in self.__sp: + self.format_sp_cert_new() self.format_sp_key() def __load_paths(self, base_path=None): @@ -523,6 +525,22 @@ def get_sp_cert(self): return cert or None + def get_sp_cert_new(self): + """ + Returns the x509 public of the SP planned + to be used soon instead the other public cert + :returns: SP public cert new + :rtype: string or None + """ + cert = self.__sp.get('x509certNew') + cert_file_name = self.__paths['cert'] + 'sp_new.crt' + + if not cert and exists(cert_file_name): + with open(cert_file_name) as f: + cert = f.read() + + return cert or None + def get_idp_cert(self): """ Returns the x509 public cert of the IdP. @@ -589,6 +607,10 @@ def get_sp_metadata(self): self.__security['metadataCacheDuration'], self.get_contacts(), self.get_organization() ) + + cert_new = self.get_sp_cert_new() + metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new) + cert = self.get_sp_cert() metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert) @@ -699,6 +721,12 @@ def format_sp_cert(self): """ self.__sp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__sp['x509cert']) + def format_sp_cert_new(self): + """ + Formats the SP cert. + """ + self.__sp['x509certNew'] = OneLogin_Saml2_Utils.format_cert(self.__sp['x509certNew']) + def format_sp_key(self): """ Formats the private key. diff --git a/tests/settings/settings7.json b/tests/settings/settings7.json new file mode 100644 index 00000000..e573624b --- /dev/null +++ b/tests/settings/settings7.json @@ -0,0 +1,50 @@ +{ + "strict": false, + "debug": false, + "custom_base_path": "../../../tests/data/customPath/", + "sp": { + "entityId": "http://stuff.com/endpoints/metadata.php", + "assertionConsumerService": { + "url": "http://stuff.com/endpoints/endpoints/acs.php" + }, + "singleLogoutService": { + "url": "http://stuff.com/endpoints/endpoints/sls.php" + }, + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + "privateKey": "MIICXgIBAAKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABAoGAD4/Z4LWVWV6D1qMIp1Gzr0ZmdWTE1SPdZ7Ej8glGnCzPdguCPuzbhGXmIg0VJ5D+02wsqws1zd48JSMXXM8zkYZVwQYIPUsNn5FetQpwxDIMPmhHg+QNBgwOnk8JK2sIjjLPL7qY7Itv7LT7Gvm5qSOkZ33RCgXcgz+okEIQMYkCQQDzbTOyDL0c5WQV6A2k06T/azdhUdGXF9C0+WkWSfNaovmTgRXh1G+jMlr82Snz4p4/STt7P/XtyWzF3pkVgZr3AkEA7nPjXwHlttNEMo6AtxHd47nizK2NUN803ElIUT8P9KSCoERmSXq66PDekGNic4ldpsSvOeYCk8MAYoDBy9kvVwJBAMLgX4xg6lzhv7hR5+pWjTb1rIY6rCHbrPfU264+UZXz9v2BT/VUznLF81WMvStD9xAPHpFS6R0OLghSZhdzhI0CQQDL8Duvfxzrn4b9QlmduV8wLERoT6rEVxKLsPVz316TGrxJvBZLk/cV0SRZE1cZf4ukXSWMfEcJ/0Zt+LdG1CqjAkEAqwLSglJ9Dy3HpgMz4vAAyZWzAxvyA1zW0no9GOLcPQnYaNUN/Fy2SYtETXTb0CQ9X1rt8ffkFP7ya+5TC83aMg==", + "x509cert": "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo", + "x509certNew": "MIICVDCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBHMQswCQYDVQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTcwNDA3MDgzMDAzWhcNMjcwNDA1MDgzMDAzWjBHMQswCQYDVQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhPS4/0azxbQekHHewQGKD7Pivr3CDpsrKxY3xlVanxj427OwzOb5KUVzsDEazumt6sZFY8HfidsjXY4EYA4ZzyL7ciIAR5vlAsIYN9nJ4AwVDnN/RjVwj+TN6BqWPLpVIpHc6Dl005HyE0zJnk1DZDn2tQVrIzbD3FhCp7YeotAgMBAAGjUDBOMB0GA1UdDgQWBBRYZx4thASfNvR/E7NsCF2IaZ7wIDAfBgNVHSMEGDAWgBRYZx4thASfNvR/E7NsCF2IaZ7wIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACz4aobx9aG3kh+rNyrlgM3K6dYfnKG1/YH5sJCAOvg8kDr0fQAQifH8lFVWumKUMoAe0bFTfwWtp/VJ8MprrEJth6PFeZdczpuv+fpLcNj2VmNVJqvQYvS4m36OnBFh1QFZW8UrbFIfdtm2nuZ+twSKqfKwjLdqcoX0p39h7Uw/" + }, + "idp": { + "entityId": "http://idp.example.com/", + "singleSignOnService": { + "url": "http://idp.example.com/SSOService.php" + }, + "singleLogoutService": { + "url": "http://idp.example.com/SingleLogoutService.php" + }, + "x509cert": "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo" + }, + "security": { + "authnRequestsSigned": false, + "wantAssertionsSigned": false, + "signMetadata": false + }, + "contactPerson": { + "technical": { + "givenName": "technical_name", + "emailAddress": "technical@example.com" + }, + "support": { + "givenName": "support_name", + "emailAddress": "support@example.com" + } + }, + "organization": { + "en-US": { + "name": "sp_test", + "displayname": "SP test", + "url": "http://sp.example.com" + } + } +} \ No newline at end of file diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index b23050a1..a9afaae6 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -20,7 +20,8 @@ class OneLogin_Saml2_Logout_Request_Test(unittest.TestCase): - data_path = join(dirname(__file__), '..', '..', '..', 'data') + data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data') + settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings') # assertRegexpMatches deprecated on python3 def assertRegex(self, text, regexp, msg=None): @@ -29,8 +30,8 @@ def assertRegex(self, text, regexp, msg=None): else: return self.assertRegexpMatches(text, regexp, msg) - def loadSettingsJSON(self): - filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json') + def loadSettingsJSON(self, name='settings1.json'): + filename = join(self.settings_path, name) if exists(filename): stream = open(filename, 'r') settings = json.load(stream) diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py index 9689d688..50620587 100644 --- a/tests/src/OneLogin/saml2_tests/logout_response_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py @@ -22,7 +22,8 @@ class OneLogin_Saml2_Logout_Response_Test(unittest.TestCase): - data_path = join(dirname(__file__), '..', '..', '..', 'data') + data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data') + settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings') # assertRegexpMatches deprecated on python3 def assertRegex(self, text, regexp, msg=None): @@ -31,8 +32,8 @@ def assertRegex(self, text, regexp, msg=None): else: return self.assertRegexpMatches(text, regexp, msg) - def loadSettingsJSON(self): - filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json') + def loadSettingsJSON(self, name='settings1.json'): + filename = join(self.settings_path, name) if exists(filename): stream = open(filename, 'r') settings = json.load(stream) diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index d5bb4e08..4272953e 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -20,13 +20,11 @@ class OneLogin_Saml2_Response_Test(unittest.TestCase): - data_path = join(dirname(__file__), '..', '..', '..', 'data') + data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data') + settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings') - def loadSettingsJSON(self, filename=None): - if filename: - filename = join(dirname(__file__), '..', '..', '..', 'settings', filename) - else: - filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json') + def loadSettingsJSON(self, name='settings1.json'): + filename = join(self.settings_path, name) if exists(filename): stream = open(filename, 'r') settings = json.load(stream) diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py index ed5d7b0a..05d1a85a 100644 --- a/tests/src/OneLogin/saml2_tests/settings_test.py +++ b/tests/src/OneLogin/saml2_tests/settings_test.py @@ -14,11 +14,11 @@ class OneLogin_Saml2_Settings_Test(unittest.TestCase): - data_path = join(dirname(__file__), '..', '..', '..', 'data') - settings_path = join(dirname(__file__), '..', '..', '..', 'settings') + data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data') + settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings') - def loadSettingsJSON(self): - filename = join(self.settings_path, 'settings1.json') + def loadSettingsJSON(self, name='settings1.json'): + filename = join(self.settings_path, name) if exists(filename): stream = open(filename, 'r') settings = json.load(stream) @@ -186,6 +186,21 @@ def testGetSPCert(self): settings_3 = OneLogin_Saml2_Settings(settings_data, custom_base_path=custom_base_path) self.assertIsNone(settings_3.get_sp_cert()) + def testGetSPCertNew(self): + """ + Tests the get_sp_cert_new method of the OneLogin_Saml2_Settings + """ + settings_data = self.loadSettingsJSON() + cert = "-----BEGIN CERTIFICATE-----\nMIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC\nTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD\nVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG\n9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4\nMTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi\nZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl\naWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO\nNoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS\nKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d\n1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8\nBUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n\nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar\nQ4/67OZfHd7R+POBXhophSMv1ZOo\n-----END CERTIFICATE-----\n" + settings = OneLogin_Saml2_Settings(settings_data) + self.assertEqual(cert, settings.get_sp_cert()) + self.assertIsNone(settings.get_sp_cert_new()) + + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings7.json')) + cert_new = "-----BEGIN CERTIFICATE-----\nMIICVDCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBHMQswCQYDVQQGEwJ1czEQ\nMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhh\nbXBsZS5jb20wHhcNMTcwNDA3MDgzMDAzWhcNMjcwNDA1MDgzMDAzWjBHMQswCQYD\nVQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIG\nA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhP\nS4/0azxbQekHHewQGKD7Pivr3CDpsrKxY3xlVanxj427OwzOb5KUVzsDEazumt6s\nZFY8HfidsjXY4EYA4ZzyL7ciIAR5vlAsIYN9nJ4AwVDnN/RjVwj+TN6BqWPLpVIp\nHc6Dl005HyE0zJnk1DZDn2tQVrIzbD3FhCp7YeotAgMBAAGjUDBOMB0GA1UdDgQW\nBBRYZx4thASfNvR/E7NsCF2IaZ7wIDAfBgNVHSMEGDAWgBRYZx4thASfNvR/E7Ns\nCF2IaZ7wIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACz4aobx9aG3\nkh+rNyrlgM3K6dYfnKG1/YH5sJCAOvg8kDr0fQAQifH8lFVWumKUMoAe0bFTfwWt\np/VJ8MprrEJth6PFeZdczpuv+fpLcNj2VmNVJqvQYvS4m36OnBFh1QFZW8UrbFIf\ndtm2nuZ+twSKqfKwjLdqcoX0p39h7Uw/\n-----END CERTIFICATE-----\n" + self.assertEqual(cert, settings.get_sp_cert()) + self.assertEqual(cert_new, settings.get_sp_cert_new()) + def testGetSPKey(self): """ Tests the get_sp_key method of the OneLogin_Saml2_Settings @@ -395,6 +410,23 @@ def testGetSPMetadata(self): self.assertIn('', metadata) self.assertIn('', metadata) self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata) + self.assertEquals(2, metadata.count(' Date: Mon, 15 May 2017 12:53:25 +0200 Subject: [PATCH 044/331] Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption --- README.md | 32 +++++++ src/onelogin/saml2/auth.py | 37 ++++++-- src/onelogin/saml2/logout_request.py | 8 +- src/onelogin/saml2/settings.py | 27 +++++- src/onelogin/saml2/utils.py | 22 ++++- tests/settings/settings8.json | 58 ++++++++++++ tests/src/OneLogin/saml2_tests/auth_test.py | 25 +++-- .../saml2_tests/authn_request_test.py | 9 +- .../saml2_tests/logout_request_test.py | 21 +++-- .../saml2_tests/logout_response_test.py | 15 ++- .../src/OneLogin/saml2_tests/response_test.py | 91 ++++++++++--------- .../src/OneLogin/saml2_tests/settings_test.py | 14 +-- tests/src/OneLogin/saml2_tests/utils_test.py | 19 ++-- 13 files changed, 282 insertions(+), 96 deletions(-) create mode 100644 tests/settings/settings8.json diff --git a/README.md b/README.md index 3769538a..71e43104 100644 --- a/README.md +++ b/README.md @@ -308,6 +308,22 @@ This is the settings.json file: */ // "certFingerprint": "", // "certFingerprintAlgorithm": "sha1", + + /* In some scenarios the IdP uses different certificates for + * signing/encryption, or is under key rollover phase and + * more than one certificate is published on IdP metadata. + * In order to handle that the toolkit offers that parameter. + * (when used, 'x509cert' and 'certFingerprint' values are + * ignored). + */ + // 'x509certMulti': { + // 'signing': [ + // '' + // ], + // 'encryption': [ + // '' + // ] + // } } } ``` @@ -788,12 +804,27 @@ else: print ', '.join(errors) ``` + ### SP Key rollover ### If you plan to update the SP x509cert and privateKey you can define the new x509cert as $settings['sp']['x509certNew'] and it will be published on the SP metadata so Identity Providers can read them and get ready for rollover. +### IdP with multiple certificates ### + +In some scenarios the IdP uses different certificates for +signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata. + +In order to handle that the toolkit offers the $settings['idp']['x509certMulti'] parameter. + +When that parameter is used, 'x509cert' and 'certFingerprint' values will be ignored by the toolkit. + +The 'x509certMulti' is an array with 2 keys: +- 'signing'. An array of certs that will be used to validate IdP signature +- 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP. + + ### Main classes and methods ### Described below are the main classes and methods that can be invoked from the SAML2 library. @@ -909,6 +940,7 @@ Configuration of the OneLogin Python Toolkit * ***get_contacts*** Gets contacts data. * ***get_organization*** Gets organization data. * ***format_idp_cert*** Formats the IdP cert. +* ***format_idp_cert_multi*** Formats all registered IdP certs. * ***format_sp_cert*** Formats the SP cert. * ***format_sp_cert_new*** Formats the SP cert new. * ***format_sp_key*** Formats the private key. diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index ad78b662..ea77ebd4 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -534,10 +534,15 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False): ) return True - x509cert = self.get_settings().get_idp_cert() + idp_data = self.get_settings().get_idp_data() - if not x509cert: - error_msg = "In order to validate the sign on the %s, the x509cert of the IdP is required" % saml_type + exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert'] + exists_multix509sign = 'x509certMulti' in idp_data and \ + 'signing' in idp_data['x509certMulti'] and \ + idp_data['x509certMulti']['signing'] + + if not (exists_x509cert or exists_multix509sign): + error_msg = 'In order to validate the sign on the %s, the x509cert of the IdP is required' % saml_type self.__errors.append(error_msg) raise OneLogin_Saml2_Error( error_msg, @@ -559,15 +564,29 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False): lowercase_urlencoding ) - if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, - OneLogin_Saml2_Utils.b64decode(signature), - x509cert, - sign_alg, - self.__settings.is_debug_active()): + if exists_multix509sign: + for cert in idp_data['x509certMulti']['signing']: + if OneLogin_Saml2_Utils.validate_binary_sign(signed_query, + OneLogin_Saml2_Utils.b64decode(signature), + cert, + sign_alg): + return True raise OneLogin_Saml2_ValidationError( - 'Signature validation failed. %s rejected.' % saml_type, + 'Signature validation failed. %s rejected' % saml_type, OneLogin_Saml2_ValidationError.INVALID_SIGNATURE ) + else: + cert = idp_data['x509cert'] + + if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, + OneLogin_Saml2_Utils.b64decode(signature), + cert, + sign_alg, + self.__settings.is_debug_active()): + raise OneLogin_Saml2_ValidationError( + 'Signature validation failed. %s rejected' % saml_type, + OneLogin_Saml2_ValidationError.INVALID_SIGNATURE + ) return True except Exception as e: self.__error_reason = str(e) diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 507f88db..7c9bf4c9 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -63,7 +63,13 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= cert = None if security['nameIdEncrypted']: - cert = idp_data['x509cert'] + exists_multix509enc = 'x509certMulti' in idp_data and \ + 'encryption' in idp_data['x509certMulti'] and \ + idp_data['x509certMulti']['encryption'] + if exists_multix509enc: + cert = idp_data['x509certMulti']['encryption'][0] + else: + cert = idp_data['x509cert'] if name_id is not None: if name_id_format is None: diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index eda30cee..f57ff5c8 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -120,11 +120,14 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals ) self.format_idp_cert() + if 'x509certMulti' in self.__idp: + self.format_idp_cert_multi() self.format_sp_cert() if 'x509certNew' in self.__sp: self.format_sp_cert_new() self.format_sp_key() + def __load_paths(self, base_path=None): """ Set the paths of the different folders @@ -368,14 +371,21 @@ def check_idp_settings(self, settings): exists_x509 = bool(idp.get('x509cert')) exists_fingerprint = bool(idp.get('certFingerprint')) + exists_multix509sign = 'x509certMulti' in idp and \ + 'signing' in idp['x509certMulti'] and \ + idp['x509certMulti']['signing'] + exists_multix509enc = 'x509certMulti' in idp and \ + 'encryption' in idp['x509certMulti'] and \ + idp['x509certMulti']['encryption'] + want_assert_sign = bool(security.get('wantAssertionsSigned')) want_mes_signed = bool(security.get('wantMessagesSigned')) nameid_enc = bool(security.get('nameIdEncrypted')) if (want_assert_sign or want_mes_signed) and \ - not(exists_x509 or exists_fingerprint): + not(exists_x509 or exists_fingerprint or exists_multix509sign): errors.append('idp_cert_or_fingerprint_not_found_and_required') - if nameid_enc and not exists_x509: + if nameid_enc and not (exists_x509 or exists_multix509enc): errors.append('idp_cert_not_found_and_required') return errors @@ -715,6 +725,19 @@ def format_idp_cert(self): """ self.__idp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509cert']) + def format_idp_cert_multi(self): + """ + Formats the Multple IdP certs. + """ + if 'x509certMulti' in self.__idp: + if 'signing' in self.__idp['x509certMulti']: + for idx in range(len(self.__idp['x509certMulti']['signing'])): + self.__idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['signing'][idx]) + + if 'encryption' in self.__idp['x509certMulti']: + for idx in range(len(self.__idp['x509certMulti']['encryption'])): + self.__idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['encryption'][idx]) + def format_sp_cert(self): """ Formats the SP cert. diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index f6f33051..d649d19a 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -760,7 +760,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant @staticmethod @return_false_on_exception - def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False, xpath=None): + def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False, xpath=None, multicerts=None): """ Validates a signature (Message or Assertion). @@ -785,6 +785,9 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid :param xpath: The xpath of the signed element :type: string + :param multicerts: Multiple public certs + :type: list + :param raise_exceptions: Whether to return false on failure or raise an exception :type raise_exceptions: Boolean """ @@ -805,8 +808,21 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid if len(signature_nodes) == 1: signature_node = signature_nodes[0] - # Raises expection if invalid - return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True) + + if not multicerts: + return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True) + else: + # If multiple certs are provided, I may ignore cert and + # fingerprint provided by the method and just check the + # certs multicerts + fingerprint = fingerprintalg = None + for cert in multicerts: + if OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, False, raise_exceptions=False): + return True + raise OneLogin_Saml2_ValidationError( + 'Signature validation failed. SAML Response rejected.', + OneLogin_Saml2_ValidationError.INVALID_SIGNATURE + ) else: raise OneLogin_Saml2_ValidationError( 'Expected exactly one signature node; got {}.'.format(len(signature_nodes)), diff --git a/tests/settings/settings8.json b/tests/settings/settings8.json new file mode 100644 index 00000000..ce30e498 --- /dev/null +++ b/tests/settings/settings8.json @@ -0,0 +1,58 @@ +{ + "strict": false, + "debug": false, + "custom_base_path": "../../../tests/data/customPath/", + "sp": { + "entityId": "http://stuff.com/endpoints/metadata.php", + "assertionConsumerService": { + "url": "http://stuff.com/endpoints/endpoints/acs.php" + }, + "singleLogoutService": { + "url": "http://stuff.com/endpoints/endpoints/sls.php" + }, + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", + "privateKey": "MIICXgIBAAKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABAoGAD4/Z4LWVWV6D1qMIp1Gzr0ZmdWTE1SPdZ7Ej8glGnCzPdguCPuzbhGXmIg0VJ5D+02wsqws1zd48JSMXXM8zkYZVwQYIPUsNn5FetQpwxDIMPmhHg+QNBgwOnk8JK2sIjjLPL7qY7Itv7LT7Gvm5qSOkZ33RCgXcgz+okEIQMYkCQQDzbTOyDL0c5WQV6A2k06T/azdhUdGXF9C0+WkWSfNaovmTgRXh1G+jMlr82Snz4p4/STt7P/XtyWzF3pkVgZr3AkEA7nPjXwHlttNEMo6AtxHd47nizK2NUN803ElIUT8P9KSCoERmSXq66PDekGNic4ldpsSvOeYCk8MAYoDBy9kvVwJBAMLgX4xg6lzhv7hR5+pWjTb1rIY6rCHbrPfU264+UZXz9v2BT/VUznLF81WMvStD9xAPHpFS6R0OLghSZhdzhI0CQQDL8Duvfxzrn4b9QlmduV8wLERoT6rEVxKLsPVz316TGrxJvBZLk/cV0SRZE1cZf4ukXSWMfEcJ/0Zt+LdG1CqjAkEAqwLSglJ9Dy3HpgMz4vAAyZWzAxvyA1zW0no9GOLcPQnYaNUN/Fy2SYtETXTb0CQ9X1rt8ffkFP7ya+5TC83aMg==", + "x509cert": "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo" + }, + "idp": { + "entityId": "http://idp.example.com/", + "singleSignOnService": { + "url": "http://idp.example.com/SSOService.php" + }, + "singleLogoutService": { + "url": "http://idp.example.com/SingleLogoutService.php" + }, + "x509cert": "", + "x509certMulti": { + "signing": [ + "MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m", + "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo" + ], + "encryption": [ + "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo" + ] + } + }, + "security": { + "authnRequestsSigned": false, + "wantAssertionsSigned": false, + "signMetadata": false + }, + "contactPerson": { + "technical": { + "givenName": "technical_name", + "emailAddress": "technical@example.com" + }, + "support": { + "givenName": "support_name", + "emailAddress": "support@example.com" + } + }, + "organization": { + "en-US": { + "name": "sp_test", + "displayname": "SP test", + "url": "http://sp.example.com" + } + } +} \ No newline at end of file diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index 84c4728f..dff71ddd 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -22,13 +22,18 @@ class OneLogin_Saml2_Auth_Test(unittest.TestCase): - data_path = join(dirname(__file__), '..', '..', '..', 'data') + data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data') + settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings') - def loadSettingsJSON(self, filename=None): - if filename: - filename = join(dirname(__file__), '..', '..', '..', 'settings', filename) + # assertRaisesRegexp deprecated on python3 + def assertRaisesRegex(self, exception, regexp, msg=None): + if hasattr(unittest.TestCase, 'assertRaisesRegex'): + return super(OneLogin_Saml2_Auth_Test, self).assertRaisesRegex(exception, regexp, msg=msg) else: - filename = join(dirname(__file__), '..', '..', '..', 'settings', 'settings1.json') + return self.assertRaisesRegexp(exception, regexp) + + def loadSettingsJSON(self, name='settings1.json'): + filename = join(self.settings_path, name) if exists(filename): stream = open(filename, 'r') settings = json.load(stream) @@ -144,7 +149,7 @@ def testProcessNoResponse(self): Case No Response, An exception is throw """ auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=self.loadSettingsJSON()) - with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'SAML Response not found'): + with self.assertRaisesRegex(OneLogin_Saml2_Error, 'SAML Response not found'): auth.process_response() self.assertEqual(auth.get_errors(), ['invalid_binding']) @@ -258,7 +263,7 @@ def testProcessNoSLO(self): Case No Message, An exception is throw """ auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=self.loadSettingsJSON()) - with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'SAML LogoutRequest/LogoutResponse not found'): + with self.assertRaisesRegex(OneLogin_Saml2_Error, 'SAML LogoutRequest/LogoutResponse not found'): auth.process_slo(True) self.assertEqual(auth.get_errors(), ['invalid_binding']) @@ -770,7 +775,7 @@ def testLogoutNoSLO(self): del settings_info['idp']['singleLogoutService'] auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info) # The Header of the redirect produces an Exception - with self.assertRaisesRegexp(OneLogin_Saml2_Error, 'The IdP does not support Single Log Out'): + with self.assertRaisesRegex(OneLogin_Saml2_Error, 'The IdP does not support Single Log Out'): auth.logout('http://example.com/returnto') def testLogoutNameIDandSessionIndex(self): @@ -965,7 +970,7 @@ def testBuildRequestSignature(self): settings['sp']['privateKey'] = '' settings['custom_base_path'] = u'invalid/path/' auth2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings) - with self.assertRaisesRegexp(OneLogin_Saml2_Error, "Trying to sign the SAMLRequest but can't load the SP private key"): + with self.assertRaisesRegex(OneLogin_Saml2_Error, "Trying to sign the SAMLRequest but can't load the SP private key"): auth2.add_request_signature(parameters) def testBuildResponseSignature(self): @@ -986,7 +991,7 @@ def testBuildResponseSignature(self): settings['sp']['privateKey'] = '' settings['custom_base_path'] = u'invalid/path/' auth2 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings) - with self.assertRaisesRegexp(OneLogin_Saml2_Error, "Trying to sign the SAMLResponse but can't load the SP private key"): + with self.assertRaisesRegex(OneLogin_Saml2_Error, "Trying to sign the SAMLResponse but can't load the SP private key"): auth2.add_response_signature(parameters) def testIsInValidLogoutResponseSign(self): diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py index 598ed115..abbded20 100644 --- a/tests/src/OneLogin/saml2_tests/authn_request_test.py +++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py @@ -22,6 +22,7 @@ class OneLogin_Saml2_Authn_Request_Test(unittest.TestCase): + settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings') # assertRegexpMatches deprecated on python3 def assertRegex(self, text, regexp, msg=None): @@ -30,8 +31,8 @@ def assertRegex(self, text, regexp, msg=None): else: return self.assertRegexpMatches(text, regexp, msg) - def loadSettingsJSON(self, filename='settings1.json'): - filename = join(dirname(__file__), '..', '..', '..', 'settings', filename) + def loadSettingsJSON(self, name='settings1.json'): + filename = join(self.settings_path, name) if exists(filename): stream = open(filename, 'r') settings = json.load(stream) @@ -90,7 +91,7 @@ def testGetXML(self): authn_request = OneLogin_Saml2_Authn_Request(settings) inflated = authn_request.get_xml() - self.assertRegexpMatches(inflated, '^ something_is_wrong'): + with self.assertRaisesRegex(Exception, 'The status code of the Response was not Success, was Responder -> something_is_wrong'): response_3.check_status() def testCheckOneCondition(self): @@ -414,7 +421,7 @@ def testGetIssuers(self): xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_issuer_assertion.xml.base64')) response_5 = OneLogin_Saml2_Response(settings, xml_5) - with self.assertRaisesRegexp(Exception, 'Issuer of the Assertion not found or multiple.'): + with self.assertRaisesRegex(Exception, 'Issuer of the Assertion not found or multiple.'): response_5.get_issuers() def testGetSessionIndex(self): @@ -462,7 +469,7 @@ def testOnlyRetrieveAssertionWithIDThatMatchesSignatureReference(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'wrapped_response_2.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Invalid Signature Element {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor SAML Response rejected'): + with self.assertRaisesRegex(Exception, 'Invalid Signature Element {urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor SAML Response rejected'): response.is_valid(self.get_request_data(), raise_exceptions=True) nameid = response.get_nameid() self.assertEqual('root@example.com', nameid) @@ -564,7 +571,7 @@ def testValidateVersion(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_saml2.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Unsupported SAML version'): + with self.assertRaisesRegex(Exception, 'Unsupported SAML version'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testValidateID(self): @@ -575,7 +582,7 @@ def testValidateID(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_id.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Missing ID attribute on SAML Response'): + with self.assertRaisesRegex(Exception, 'Missing ID attribute on SAML Response'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidReference(self): @@ -589,7 +596,7 @@ def testIsInValidReference(self): self.assertFalse(response.is_valid(self.get_request_data())) self.assertEqual('Signature validation failed. SAML Response rejected', response.get_error()) - with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): + with self.assertRaisesRegex(Exception, 'Signature validation failed. SAML Response rejected'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidExpired(self): @@ -605,7 +612,7 @@ def testIsInValidExpired(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Could not validate timestamp: expired. Check system clock.'): + with self.assertRaisesRegex(Exception, 'Could not validate timestamp: expired. Check system clock.'): response_2.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidNoStatement(self): @@ -663,7 +670,7 @@ def testIsInValidNoKey(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_key.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): + with self.assertRaisesRegex(Exception, 'Signature validation failed. SAML Response rejected'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidMultipleAssertions(self): @@ -675,7 +682,7 @@ def testIsInValidMultipleAssertions(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'multiple_assertions.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'SAML Response must contain 1 assertion'): + with self.assertRaisesRegex(Exception, 'SAML Response must contain 1 assertion'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidEncAttrs(self): @@ -691,7 +698,7 @@ def testIsInValidEncAttrs(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'There is an EncryptedAttribute in the Response and this SP not support them'): + with self.assertRaisesRegex(Exception, 'There is an EncryptedAttribute in the Response and this SP not support them'): response_2.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidDuplicatedAttrs(self): @@ -702,7 +709,7 @@ def testIsInValidDuplicatedAttrs(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'duplicated_attributes.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Found an Attribute element with duplicated Name'): + with self.assertRaisesRegex(Exception, 'Found an Attribute element with duplicated Name'): response.get_attributes() def testIsInValidDestination(self): @@ -794,11 +801,11 @@ def testIsInValidIssuer(self): settings.set_strict(True) response_3 = OneLogin_Saml2_Response(settings, message) - with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Assertion/Response'): + with self.assertRaisesRegex(Exception, 'Invalid issuer in the Assertion/Response'): response_3.is_valid(request_data, raise_exceptions=True) response_4 = OneLogin_Saml2_Response(settings, message_2) - with self.assertRaisesRegexp(Exception, 'Invalid issuer in the Assertion/Response'): + with self.assertRaisesRegex(Exception, 'Invalid issuer in the Assertion/Response'): response_4.is_valid(request_data, raise_exceptions=True) def testIsInValidSessionIndex(self): @@ -823,7 +830,7 @@ def testIsInValidSessionIndex(self): settings.set_strict(True) response_2 = OneLogin_Saml2_Response(settings, message) - with self.assertRaisesRegexp(Exception, 'The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response'): + with self.assertRaisesRegex(Exception, 'The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response'): response_2.is_valid(request_data, raise_exceptions=True) def testDatetimeWithMiliseconds(self): @@ -914,27 +921,27 @@ def testIsInValidSubjectConfirmation(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, message) - with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + with self.assertRaisesRegex(Exception, 'A valid SubjectConfirmation was not found on this Response'): response.is_valid(request_data, raise_exceptions=True) response_2 = OneLogin_Saml2_Response(settings, message_2) - with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + with self.assertRaisesRegex(Exception, 'A valid SubjectConfirmation was not found on this Response'): response_2.is_valid(request_data, raise_exceptions=True) response_3 = OneLogin_Saml2_Response(settings, message_3) - with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + with self.assertRaisesRegex(Exception, 'A valid SubjectConfirmation was not found on this Response'): response_3.is_valid(request_data, raise_exceptions=True) response_4 = OneLogin_Saml2_Response(settings, message_4) - with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + with self.assertRaisesRegex(Exception, 'A valid SubjectConfirmation was not found on this Response'): response_4.is_valid(request_data, raise_exceptions=True) response_5 = OneLogin_Saml2_Response(settings, message_5) - with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + with self.assertRaisesRegex(Exception, 'A valid SubjectConfirmation was not found on this Response'): response_5.is_valid(request_data, raise_exceptions=True) response_6 = OneLogin_Saml2_Response(settings, message_6) - with self.assertRaisesRegexp(Exception, 'A valid SubjectConfirmation was not found on this Response'): + with self.assertRaisesRegex(Exception, 'A valid SubjectConfirmation was not found on this Response'): response_6.is_valid(request_data, raise_exceptions=True) def testIsInValidRequestId(self): @@ -960,7 +967,7 @@ def testIsInValidRequestId(self): settings.set_strict(True) response = OneLogin_Saml2_Response(settings, message) - with self.assertRaisesRegexp(Exception, 'The InResponseTo of the Response'): + with self.assertRaisesRegex(Exception, 'The InResponseTo of the Response'): response.is_valid(request_data, request_id, raise_exceptions=True) valid_request_id = '_57bcbf70-7b1f-012e-c821-782bcb13bb38' @@ -1005,7 +1012,7 @@ def testIsInValidSignIssues(self): settings_info['security']['wantAssertionsSigned'] = True settings_4 = OneLogin_Saml2_Settings(settings_info) response_4 = OneLogin_Saml2_Response(settings_4, message) - with self.assertRaisesRegexp(Exception, 'The Assertion of the Response is not signed and the SP require it'): + with self.assertRaisesRegex(Exception, 'The Assertion of the Response is not signed and the SP require it'): response_4.is_valid(request_data, raise_exceptions=True) settings_info['security']['wantAssertionsSigned'] = False @@ -1033,7 +1040,7 @@ def testIsInValidSignIssues(self): settings_info['security']['wantMessagesSigned'] = True settings_8 = OneLogin_Saml2_Settings(settings_info) response_8 = OneLogin_Saml2_Response(settings_8, message) - with self.assertRaisesRegexp(Exception, 'The Message of the Response is not signed and the SP require it'): + with self.assertRaisesRegex(Exception, 'The Message of the Response is not signed and the SP require it'): response_8.is_valid(request_data, raise_exceptions=True) def testIsInValidEncIssues(self): @@ -1115,7 +1122,7 @@ def testIsInValidCert(self): xml = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'Signature validation failed. SAML Response rejected'): + with self.assertRaisesRegex(Exception, 'Signature validation failed. SAML Response rejected'): response.is_valid(self.get_request_data(), raise_exceptions=True) def testIsInValidCert2(self): @@ -1408,5 +1415,5 @@ def testStatusCheckBeforeAssertionCheck(self): settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) xml = self.file_contents(join(self.data_path, 'responses', 'invalids', 'status_code_responder.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) - with self.assertRaisesRegexp(Exception, 'The status code of the Response was not Success, was Responder'): + with self.assertRaisesRegex(Exception, 'The status code of the Response was not Success, was Responder'): response.is_valid(self.get_request_data(), raise_exceptions=True) diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py index 05d1a85a..fbd9a554 100644 --- a/tests/src/OneLogin/saml2_tests/settings_test.py +++ b/tests/src/OneLogin/saml2_tests/settings_test.py @@ -410,9 +410,9 @@ def testGetSPMetadata(self): self.assertIn('', metadata) self.assertIn('', metadata) self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata) - self.assertEquals(2, metadata.count(' Date: Mon, 15 May 2017 13:18:34 +0200 Subject: [PATCH 045/331] pep8 --- src/onelogin/saml2/auth.py | 8 ++++---- src/onelogin/saml2/settings.py | 1 - src/onelogin/saml2/utils.py | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index ea77ebd4..dfd10eb2 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -579,10 +579,10 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False): cert = idp_data['x509cert'] if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query, - OneLogin_Saml2_Utils.b64decode(signature), - cert, - sign_alg, - self.__settings.is_debug_active()): + OneLogin_Saml2_Utils.b64decode(signature), + cert, + sign_alg, + self.__settings.is_debug_active()): raise OneLogin_Saml2_ValidationError( 'Signature validation failed. %s rejected' % saml_type, OneLogin_Saml2_ValidationError.INVALID_SIGNATURE diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index f57ff5c8..369b78f2 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -127,7 +127,6 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals self.format_sp_cert_new() self.format_sp_key() - def __load_paths(self, base_path=None): """ Set the paths of the different folders diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index d649d19a..1b60ee2a 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -808,7 +808,7 @@ def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', valid if len(signature_nodes) == 1: signature_node = signature_nodes[0] - + if not multicerts: return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True) else: From 701d65ec467465b89db490fd602850cbf56401a3 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 15 May 2017 13:23:21 +0200 Subject: [PATCH 046/331] Allow metadata to be retrieved from source containing data of multiple entities --- README.md | 17 ++++++ src/onelogin/saml2/idp_metadata_parser.py | 28 ++++++++-- .../metadata/idp_multiple_descriptors.xml | 53 +++++++++++++++++++ .../saml2_tests/idp_metadata_parser_test.py | 38 +++++++++++++ 4 files changed, 132 insertions(+), 4 deletions(-) create mode 100644 tests/data/metadata/idp_multiple_descriptors.xml diff --git a/README.md b/README.md index 71e43104..e074f739 100644 --- a/README.md +++ b/README.md @@ -477,6 +477,23 @@ json_data_file.close() auth = OneLogin_Saml2_Auth(req, settings_data) ``` +#### Metadata Based Configuration + +The method above requires a little extra work to manually specify attributes about the IdP. (And your SP application) + +There's an easier method -- use a metadata exchange. Metadata is just an XML file that defines the capabilities of both the IdP and the SP application. It also contains the X.509 public key certificates which add to the trusted relationship. The IdP administrator can also configure custom settings for an SP based on the metadata. + +Using ````parse_remote```` IdP metadata can be obtained and added to the settings withouth further ado. + +`` +idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata') +`` + +If the Metadata contains several entities, the relevant EntityDescriptor can be specified when retrieving the settings from the IdpMetadataParser by its Entity Id value: + +idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(https://example.com/metadatas, entity_id='idp_entity_id') + + #### How load the library #### In order to use the toolkit library you need to import the file that contains the class that you will need diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py index a3776d7e..9f557b33 100644 --- a/src/onelogin/saml2/idp_metadata_parser.py +++ b/src/onelogin/saml2/idp_metadata_parser.py @@ -32,6 +32,10 @@ def get_metadata(url, validate_cert=True): Gets the metadata XML from the provided URL :param url: Url where the XML of the Identity Provider Metadata is published. :type url: string + + :param validate_cert: If the url uses https schema, that flag enables or not the verification of the associated certificate. + :type validate_cert: bool + :returns: metadata XML :rtype: string """ @@ -61,22 +65,31 @@ def get_metadata(url, validate_cert=True): return xml @staticmethod - def parse_remote(url, validate_cert=True, **kwargs): + def parse_remote(url, validate_cert=True, entity_id=None, **kwargs): """ Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data :param url: Url where the XML of the Identity Provider Metadata is published. :type url: string + + :param validate_cert: If the url uses https schema, that flag enables or not the verification of the associated certificate. + :type validate_cert: bool + + :param entity_id: Specify the entity_id of the EntityDescriptor that you want to parse a XML + that contains multiple EntityDescriptor. + :type entity_id: string + :returns: settings dict with extracted data :rtype: dict """ idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url, validate_cert) - return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata, **kwargs) + return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata, entity_id=entity_id, **kwargs) @staticmethod def parse( idp_metadata, required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT, required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT, + entity_id=None, index=0): """ Parses the Identity Provider metadata and return a dict with extracted data. @@ -104,6 +117,10 @@ def parse( :type required_slo_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT or OneLogin_Saml2_Constants.BINDING_HTTP_POST + :param entity_id: Specify the entity_id of the EntityDescriptor that you want to parse a XML + that contains multiple EntityDescriptor. + :type entity_id: string + :param index: If the metadata contains more than 1 certificate, use index to get the right certificate. :type index: number @@ -113,10 +130,13 @@ def parse( data = {} dom = OneLogin_Saml2_XML.to_etree(idp_metadata) - entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:EntityDescriptor') - idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None + entity_desc_path = '//md:EntityDescriptor' + if entity_id: + entity_desc_path += "[@entityID='%s']" % entity_id + entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, entity_desc_path) + if len(entity_descriptor_nodes) > 0: for entity_descriptor_node in entity_descriptor_nodes: idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor') diff --git a/tests/data/metadata/idp_multiple_descriptors.xml b/tests/data/metadata/idp_multiple_descriptors.xml new file mode 100644 index 00000000..a74f8e4a --- /dev/null +++ b/tests/data/metadata/idp_multiple_descriptors.xml @@ -0,0 +1,53 @@ + + + + + + + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + + + + + + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + + + + + + + + + + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + + + + + + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + + + + + + diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py index d0c6a2de..08a0ab70 100644 --- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py +++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py @@ -281,6 +281,44 @@ def test_parse_required_binding_all(self): self.assertEqual(expected_settings6_7, settings6) self.assertEqual(expected_settings6_7, settings7) + def test_parse_with_entity_id(self): + """ + Tests the parse method of the OneLogin_Saml2_IdPMetadataParser + Case: Provide entity_id to identify the desired IdPDescriptor from + EntitiesDescriptor + """ + xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_multiple_descriptors.xml')) + + # should find first descriptor + data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata) + self.assertEqual("https://foo.example.com/access/saml/idp.xml", data["idp"]["entityId"]) + + # should find desired descriptor + data2 = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata, entity_id="https://bar.example.com/access/saml/idp.xml") + self.assertEqual("https://bar.example.com/access/saml/idp.xml", data2["idp"]["entityId"]) + + expected_settings_json = """ + { + "sp": { + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + }, + "idp": { + "singleLogoutService": { + "url": "https://hello.example.com/access/saml/logout", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "entityId": "https://bar.example.com/access/saml/idp.xml", + "x509cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=", + "singleSignOnService": { + "url": "https://hello.example.com/access/saml/login", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + } + } + } + """ + expected_settings = json.loads(expected_settings_json) + self.assertEqual(expected_settings, data2) + def testMergeSettings(self): """ Tests the merge_settings method of the OneLogin_Saml2_IdPMetadataParser From 650d2b9efa1b8b6d6b155d420e46fb607803ec60 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 15 May 2017 13:52:13 +0200 Subject: [PATCH 047/331] Adapt IdP XML metadata parser to take care of multiple IdP certtificates and be able to inject the data obtained on the settings. --- src/onelogin/saml2/idp_metadata_parser.py | 170 +++++++++--------- .../metadata/idp_metadata_multi_certs.xml | 75 ++++++++ .../saml2_tests/idp_metadata_parser_test.py | 104 +++++++++++ 3 files changed, 266 insertions(+), 83 deletions(-) create mode 100644 tests/data/metadata/idp_metadata_multi_certs.xml diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py index 9f557b33..01d3f8c6 100644 --- a/src/onelogin/saml2/idp_metadata_parser.py +++ b/src/onelogin/saml2/idp_metadata_parser.py @@ -18,7 +18,6 @@ from onelogin.saml2.constants import OneLogin_Saml2_Constants from onelogin.saml2.xml_utils import OneLogin_Saml2_XML -from onelogin.saml2.utils import OneLogin_Saml2_Utils class OneLogin_Saml2_IdPMetadataParser(object): @@ -89,8 +88,7 @@ def parse( idp_metadata, required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT, required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT, - entity_id=None, - index=0): + entity_id=None): """ Parses the Identity Provider metadata and return a dict with extracted data. @@ -121,16 +119,13 @@ def parse( that contains multiple EntityDescriptor. :type entity_id: string - :param index: If the metadata contains more than 1 certificate, use index to get the right certificate. - :type index: number - :returns: settings dict with extracted data :rtype: dict """ data = {} dom = OneLogin_Saml2_XML.to_etree(idp_metadata) - idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = idp_x509_cert = None + idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = certs = None entity_desc_path = '//md:EntityDescriptor' if entity_id: @@ -138,82 +133,83 @@ def parse( entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, entity_desc_path) if len(entity_descriptor_nodes) > 0: - for entity_descriptor_node in entity_descriptor_nodes: - idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor') - if len(idp_descriptor_nodes) > 0: - idp_descriptor_node = idp_descriptor_nodes[0] - - idp_entity_id = entity_descriptor_node.get('entityID', None) - - want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None) - - name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat') - if len(name_id_format_nodes) > 0: - idp_name_id_format = name_id_format_nodes[0].text - - sso_nodes = OneLogin_Saml2_XML.query( - idp_descriptor_node, - "./md:SingleSignOnService[@Binding='%s']" % required_sso_binding - ) - - if len(sso_nodes) > 0: - idp_sso_url = sso_nodes[0].get('Location', None) - - slo_nodes = OneLogin_Saml2_XML.query( - idp_descriptor_node, - "./md:SingleLogoutService[@Binding='%s']" % required_slo_binding - ) - - if len(slo_nodes) > 0: - idp_slo_url = slo_nodes[0].get('Location', None) - - # Attempt to extract the cert/public key to be used for - # verifying signatures (as opposed to extracing a key to be - # used for encryption), by specifying `use=signing` in the - # XPath expression. If that does not yield a cert, retry - # using a more relaxed XPath expression (the `use` attribute - # is optional according to the saml-metadata-2.0-os spec). - cert_nodes = OneLogin_Saml2_XML.query( - idp_descriptor_node, - "./md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" - ) - - if not cert_nodes: - cert_nodes = OneLogin_Saml2_XML.query( - idp_descriptor_node, - "./md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate" - ) - - if len(cert_nodes) > 0: - idp_x509_cert = OneLogin_Saml2_Utils.format_cert(cert_nodes[index].text, False) - - data['idp'] = {} - - if idp_entity_id is not None: - data['idp']['entityId'] = idp_entity_id - - if idp_sso_url is not None: - data['idp']['singleSignOnService'] = {} - data['idp']['singleSignOnService']['url'] = idp_sso_url - data['idp']['singleSignOnService']['binding'] = required_sso_binding - - if idp_slo_url is not None: - data['idp']['singleLogoutService'] = {} - data['idp']['singleLogoutService']['url'] = idp_slo_url - data['idp']['singleLogoutService']['binding'] = required_slo_binding - - if idp_x509_cert is not None: - data['idp']['x509cert'] = idp_x509_cert - - if want_authn_requests_signed is not None: - data['security'] = {} - data['security']['authnRequestsSigned'] = want_authn_requests_signed - - if idp_name_id_format: - data['sp'] = {} - data['sp']['NameIDFormat'] = idp_name_id_format - - break + entity_descriptor_node = entity_descriptor_nodes[0] + idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor') + if len(idp_descriptor_nodes) > 0: + idp_descriptor_node = idp_descriptor_nodes[0] + + idp_entity_id = entity_descriptor_node.get('entityID', None) + + want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None) + + name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat') + if len(name_id_format_nodes) > 0: + idp_name_id_format = name_id_format_nodes[0].text + + sso_nodes = OneLogin_Saml2_XML.query( + idp_descriptor_node, + "./md:SingleSignOnService[@Binding='%s']" % required_sso_binding + ) + + if len(sso_nodes) > 0: + idp_sso_url = sso_nodes[0].get('Location', None) + + slo_nodes = OneLogin_Saml2_XML.query( + idp_descriptor_node, + "./md:SingleLogoutService[@Binding='%s']" % required_slo_binding + ) + + if len(slo_nodes) > 0: + idp_slo_url = slo_nodes[0].get('Location', None) + + signing_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate") + encryption_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate") + + if len(signing_nodes) > 0 or len(encryption_nodes) > 0: + certs = {} + if len(signing_nodes) > 0: + certs['signing'] = [] + for cert_node in signing_nodes: + certs['signing'].append(''.join(cert_node.text.split())) + if len(encryption_nodes) > 0: + certs['encryption'] = [] + for cert_node in encryption_nodes: + certs['encryption'].append(''.join(cert_node.text.split())) + + data['idp'] = {} + + if idp_entity_id is not None: + data['idp']['entityId'] = idp_entity_id + + if idp_sso_url is not None: + data['idp']['singleSignOnService'] = {} + data['idp']['singleSignOnService']['url'] = idp_sso_url + data['idp']['singleSignOnService']['binding'] = required_sso_binding + + if idp_slo_url is not None: + data['idp']['singleLogoutService'] = {} + data['idp']['singleLogoutService']['url'] = idp_slo_url + data['idp']['singleLogoutService']['binding'] = required_slo_binding + + if want_authn_requests_signed is not None: + data['security'] = {} + data['security']['authnRequestsSigned'] = want_authn_requests_signed + + if idp_name_id_format: + data['sp'] = {} + data['sp']['NameIDFormat'] = idp_name_id_format + + if certs is not None: + if len(certs) == 1 or \ + (('signing' in certs and len(certs['signing']) == 1) and + ('encryption' in certs and len(certs['encryption']) == 1 and + certs['signing'][0] == certs['encryption'][0])): + if 'signing' in certs: + data['idp']['x509cert'] = certs['signing'][0] + else: + data['idp']['x509cert'] = certs['encryption'][0] + else: + data['idp']['x509certMulti'] = certs return data @staticmethod @@ -234,6 +230,14 @@ def merge_settings(settings, new_metadata_settings): # Guarantee to not modify original data (`settings.copy()` would not # be sufficient, as it's just a shallow copy). result_settings = deepcopy(settings) + + # previously I will take care of cert stuff + if 'idp' in new_metadata_settings and 'idp' in result_settings: + if new_metadata_settings['idp'].get('x509cert', None) and result_settings['idp'].get('x509certMulti', None): + del result_settings['idp']['x509certMulti'] + if new_metadata_settings['idp'].get('x509certMulti', None) and result_settings['idp'].get('x509cert', None): + del result_settings['idp']['x509cert'] + # Merge `new_metadata_settings` into `result_settings`. dict_deep_merge(result_settings, new_metadata_settings) return result_settings diff --git a/tests/data/metadata/idp_metadata_multi_certs.xml b/tests/data/metadata/idp_metadata_multi_certs.xml new file mode 100644 index 00000000..f993f64a --- /dev/null +++ b/tests/data/metadata/idp_metadata_multi_certs.xml @@ -0,0 +1,75 @@ + + + + + + + MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEF +BQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJj +aWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW +T25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUy +MjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChz +Z2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNV +BAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo +3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRw +tnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xx +VRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5 +L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t +1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/ +BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCB +pIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYD +VQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQL +DAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaC +FD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0B +AQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXM +GI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65c +hjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIB +vlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37 +MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZ +WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== + + + + + + + MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xNzA0MTUxNjMzMThaFw0xODA0MTUxNjMzMThaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6GLkl5lDUZdHNDAojp5i24OoPlqrt5TGXJIPqAZYT1hQvJW5nv17MFDHrjmtEnmW4ACKEy0fAX80QWIcHunZSkbEGHb+NG/6oTi5RipXMvmHnfFnPJJ0AdtiLiPE478CV856gXekV4Xx5u3KrylcOgkpYsp0GMIQBDzleMUXlYQIDAQABo1AwTjAdBgNVHQ4EFgQUnP8vlYPGPL2n6ZzDYij2kMDC8wMwHwYDVR0jBBgwFoAUnP8vlYPGPL2n6ZzDYij2kMDC8wMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAlQGAl+b8Cpot1g+65lLLjVoY7APJPWLW0klKQNlMU0s4MU+71Y3ExUEOXDAZgKcFoavb1fEOGMwEf38NaJAy1e/l6VNuixXShffq20ymqHQxOG0q8ujeNkgZF9k6XDfn/QZ3AD0o/IrCT7UMc/0QsfgIjWYxwCvp2syApc5CYfQ== + + + + + + + MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEF +BQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJj +aWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW +T25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUy +MjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChz +Z2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNV +BAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo +3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRw +tnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xx +VRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5 +L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t +1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/ +BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCB +pIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYD +VQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQL +DAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaC +FD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0B +AQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXM +GI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65c +hjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIB +vlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37 +MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZ +WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + \ No newline at end of file diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py index 08a0ab70..2ab5aa27 100644 --- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py +++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py @@ -319,6 +319,44 @@ def test_parse_with_entity_id(self): expected_settings = json.loads(expected_settings_json) self.assertEqual(expected_settings, data2) + def test_parse_multi_certs(self): + """ + Tests the parse method of the OneLogin_Saml2_IdPMetadataParser + Case: IdP metadata contains multiple certs + """ + xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata_multi_certs.xml')) + data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata) + + expected_settings_json = """ + { + "sp": { + "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" + }, + "idp": { + "singleLogoutService": { + "url": "https://idp.examle.com/saml/slo", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "x509certMulti": { + "encryption": [ + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==" + ], + "signing": [ + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==", + "MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xNzA0MTUxNjMzMThaFw0xODA0MTUxNjMzMThaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6GLkl5lDUZdHNDAojp5i24OoPlqrt5TGXJIPqAZYT1hQvJW5nv17MFDHrjmtEnmW4ACKEy0fAX80QWIcHunZSkbEGHb+NG/6oTi5RipXMvmHnfFnPJJ0AdtiLiPE478CV856gXekV4Xx5u3KrylcOgkpYsp0GMIQBDzleMUXlYQIDAQABo1AwTjAdBgNVHQ4EFgQUnP8vlYPGPL2n6ZzDYij2kMDC8wMwHwYDVR0jBBgwFoAUnP8vlYPGPL2n6ZzDYij2kMDC8wMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAlQGAl+b8Cpot1g+65lLLjVoY7APJPWLW0klKQNlMU0s4MU+71Y3ExUEOXDAZgKcFoavb1fEOGMwEf38NaJAy1e/l6VNuixXShffq20ymqHQxOG0q8ujeNkgZF9k6XDfn/QZ3AD0o/IrCT7UMc/0QsfgIjWYxwCvp2syApc5CYfQ==" + ] + }, + "entityId": "https://idp.examle.com/saml/metadata", + "singleSignOnService": { + "url": "https://idp.examle.com/saml/sso", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + } + } + } + """ + expected_settings = json.loads(expected_settings_json) + self.assertEqual(expected_settings, data) + def testMergeSettings(self): """ Tests the merge_settings method of the OneLogin_Saml2_IdPMetadataParser @@ -453,3 +491,69 @@ def testMergeSettings(self): """ expected_settings2 = json.loads(expected_settings2_json) self.assertEqual(expected_settings2, settings_result2) + + # Test merging multiple certs + xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata_multi_certs.xml')) + data3 = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata) + settings_result3 = OneLogin_Saml2_IdPMetadataParser.merge_settings(settings, data3) + expected_settings3_json = """ + { + "debug": false, + "strict": false, + "custom_base_path": "../../../tests/data/customPath/", + "sp": { + "singleLogoutService": { + "url": "http://stuff.com/endpoints/endpoints/sls.php" + }, + "assertionConsumerService": { + "url": "http://stuff.com/endpoints/endpoints/acs.php" + }, + "entityId": "http://stuff.com/endpoints/metadata.php", + "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" + }, + "idp": { + "singleLogoutService": { + "url": "https://idp.examle.com/saml/slo", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "x509certMulti": { + "encryption": [ + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==" + ], + "signing": [ + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==", + "MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xNzA0MTUxNjMzMThaFw0xODA0MTUxNjMzMThaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6GLkl5lDUZdHNDAojp5i24OoPlqrt5TGXJIPqAZYT1hQvJW5nv17MFDHrjmtEnmW4ACKEy0fAX80QWIcHunZSkbEGHb+NG/6oTi5RipXMvmHnfFnPJJ0AdtiLiPE478CV856gXekV4Xx5u3KrylcOgkpYsp0GMIQBDzleMUXlYQIDAQABo1AwTjAdBgNVHQ4EFgQUnP8vlYPGPL2n6ZzDYij2kMDC8wMwHwYDVR0jBBgwFoAUnP8vlYPGPL2n6ZzDYij2kMDC8wMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAlQGAl+b8Cpot1g+65lLLjVoY7APJPWLW0klKQNlMU0s4MU+71Y3ExUEOXDAZgKcFoavb1fEOGMwEf38NaJAy1e/l6VNuixXShffq20ymqHQxOG0q8ujeNkgZF9k6XDfn/QZ3AD0o/IrCT7UMc/0QsfgIjWYxwCvp2syApc5CYfQ==" + ] + }, + "entityId": "https://idp.examle.com/saml/metadata", + "singleSignOnService": { + "url": "https://idp.examle.com/saml/sso", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + } + }, + "security": { + "authnRequestsSigned": false, + "wantAssertionsSigned": false, + "signMetadata": false + }, + "contactPerson": { + "technical": { + "emailAddress": "technical@example.com", + "givenName": "technical_name" + }, + "support": { + "emailAddress": "support@example.com", + "givenName": "support_name" + } + }, + "organization": { + "en-US": { + "displayname": "SP test", + "url": "http://sp.example.com", + "name": "sp_test" + } + } + } + """ + expected_settings3 = json.loads(expected_settings3_json) + self.assertEqual(expected_settings3, settings_result3) From ec4f4ab6f8eda7440edb74f47e9701fc2bc7764a Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 18 May 2017 12:35:22 +0200 Subject: [PATCH 048/331] Publish KeyDescriptor[use=encryption] only when required --- src/onelogin/saml2/metadata.py | 8 ++++-- src/onelogin/saml2/settings.py | 6 +++-- .../src/OneLogin/saml2_tests/settings_test.py | 27 ++++++++++++++++--- 3 files changed, 34 insertions(+), 7 deletions(-) diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py index 51dab807..e66e542d 100644 --- a/src/onelogin/saml2/metadata.py +++ b/src/onelogin/saml2/metadata.py @@ -229,7 +229,7 @@ def __add_x509_key_descriptors(root, cert, signing): key_descriptor.set('use', ('encryption', 'signing')[signing]) @staticmethod - def add_x509_key_descriptors(metadata, cert=None): + def add_x509_key_descriptors(metadata, cert=None, add_encryption=True): """ Adds the x509 descriptors (sign/encryption) to the metadata The same cert will be used for sign/encrypt @@ -240,6 +240,9 @@ def add_x509_key_descriptors(metadata, cert=None): :param cert: x509 cert :type cert: string + :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added. + :type add_encryption: boolean + :returns: Metadata with KeyDescriptors :rtype: string """ @@ -256,6 +259,7 @@ def add_x509_key_descriptors(metadata, cert=None): except StopIteration: raise Exception('Malformed metadata.') - OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, False) + if add_encryption: + OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, False) OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, True) return OneLogin_Saml2_XML.to_string(root) diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py index 369b78f2..f38343c1 100644 --- a/src/onelogin/saml2/settings.py +++ b/src/onelogin/saml2/settings.py @@ -617,11 +617,13 @@ def get_sp_metadata(self): self.get_contacts(), self.get_organization() ) + add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted'] + cert_new = self.get_sp_cert_new() - metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new) + metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption) cert = self.get_sp_cert() - metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert) + metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption) # Sign metadata if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False: diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py index fbd9a554..5b297519 100644 --- a/tests/src/OneLogin/saml2_tests/settings_test.py +++ b/tests/src/OneLogin/saml2_tests/settings_test.py @@ -399,7 +399,10 @@ def testGetSPMetadata(self): Tests the getSPMetadata method of the OneLogin_Saml2_Settings Case unsigned metadata """ - settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + settings_info = self.loadSettingsJSON() + settings_info['security']['wantNameIdEncrypted'] = False + settings_info['security']['wantAssertionsEncrypted'] = False + settings = OneLogin_Saml2_Settings(settings_info) metadata = compat.to_string(settings.get_sp_metadata()) self.assertNotEqual(len(metadata), 0) @@ -410,6 +413,14 @@ def testGetSPMetadata(self): self.assertIn('', metadata) self.assertIn('', metadata) self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata) + self.assertEqual(1, metadata.count(' Date: Thu, 18 May 2017 13:34:00 +0200 Subject: [PATCH 049/331] Release 1.2.4 --- changelog.md | 16 ++++++++++++++++ setup.py | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/changelog.md b/changelog.md index f1b66a59..92c21d9f 100644 --- a/changelog.md +++ b/changelog.md @@ -1,4 +1,20 @@ # python3-saml changelog +### 1.2.4 (May 18, 2017) +* Publish KeyDescriptor[use=encryption] only when required +* [#57](https://github.com/onelogin/python3-saml/pull/57) Be able to register future SP x509cert on the settings and publish it on SP metadata +* [#57](https://github.com/onelogin/python3-saml/pull/57) Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption +* [#57](https://github.com/onelogin/python3-saml/pull/57) Allow metadata to be retrieved from source containing data of multiple entities +* [#57](https://github.com/onelogin/python3-saml/pull/57) Adapt IdP XML metadata parser to take care of multiple IdP certtificates and be able to inject the data obtained on the settings. +* Be able to relax SSL Certificate verification when retrieving idp metadata +* Checking the status of response before assertion count +* Allows underscores in URL hosts +* Add a Pyramid demo +* Be able to provide a NameIDFormat to LogoutRequest +* Add DigestMethod support. Add sign_algorithm and digest_algorithm par +ameters to sign_metadata and add_sign. +* Validate serial number as string to work around libxml2 limitation +* Make the Issuer on the Response Optional +* Fixed bug with formated cert fingerprints ### 1.2.3 (January 15, 2017) * Fix p3 compatibility diff --git a/setup.py b/setup.py index 1dc1a0cd..42c68856 100644 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ setup( name='python3-saml', - version='1.2.3', + version='1.2.4', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ 'Development Status :: 5 - Production/Stable', From c4dda566fa7fb514707591f123bd2abeafa9477d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Raphae=CC=88l=20Slinckx?= Date: Fri, 2 Jun 2017 12:55:36 +0200 Subject: [PATCH 050/331] Properly use multi certs when validating auth response signature. Fixes #58 This part of the code was skipped for some reasons from the equivalent commit in python-saml --- src/onelogin/saml2/response.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index 9c7d755e..b8b9ef90 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -278,15 +278,19 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint) fingerprintalg = idp_data.get('certFingerprintAlgorithm', None) + multicerts = None + if 'x509certMulti' in idp_data and 'signing' in idp_data['x509certMulti'] and idp_data['x509certMulti']['signing']: + multicerts = idp_data['x509certMulti']['signing'] + # If find a Signature on the Response, validates it checking the original response - if has_signed_response and not OneLogin_Saml2_Utils.validate_sign(self.document, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH, raise_exceptions=False): + if has_signed_response and not OneLogin_Saml2_Utils.validate_sign(self.document, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH, multicerts=multicerts, raise_exceptions=False): raise OneLogin_Saml2_ValidationError( 'Signature validation failed. SAML Response rejected', OneLogin_Saml2_ValidationError.INVALID_SIGNATURE ) document_check_assertion = self.decrypted_document if self.encrypted else self.document - if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH, raise_exceptions=False): + if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH, multicerts=multicerts, raise_exceptions=False): raise OneLogin_Saml2_ValidationError( 'Signature validation failed. SAML Response rejected', OneLogin_Saml2_ValidationError.INVALID_SIGNATURE From 6f049187dc6f923e671dfa12dd4656fb17d2faa6 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 2 Jun 2017 13:25:01 +0200 Subject: [PATCH 051/331] Release 1.2.5 --- changelog.md | 2 ++ setup.py | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/changelog.md b/changelog.md index 92c21d9f..aa29c728 100644 --- a/changelog.md +++ b/changelog.md @@ -1,4 +1,6 @@ # python3-saml changelog +### 1.2.5 (Jun 2, 2017) +* Fix issue related with multicers (multicerts were not used on response view) ### 1.2.4 (May 18, 2017) * Publish KeyDescriptor[use=encryption] only when required * [#57](https://github.com/onelogin/python3-saml/pull/57) Be able to register future SP x509cert on the settings and publish it on SP metadata diff --git a/setup.py b/setup.py index 42c68856..d9e6cd96 100644 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ setup( name='python3-saml', - version='1.2.4', + version='1.2.5', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ 'Development Status :: 5 - Production/Stable', From f45794f3a3ea3424f6c40fdcef13231dd4264ba3 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 13 Jun 2017 17:36:13 +0200 Subject: [PATCH 052/331] Fix test on python3 --- changelog.md | 2 +- tests/src/OneLogin/saml2_tests/settings_test.py | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/changelog.md b/changelog.md index aa29c728..854b1852 100644 --- a/changelog.md +++ b/changelog.md @@ -1,6 +1,6 @@ # python3-saml changelog ### 1.2.5 (Jun 2, 2017) -* Fix issue related with multicers (multicerts were not used on response view) +* Fix issue related with multicers (multicerts were not used on response validation) ### 1.2.4 (May 18, 2017) * Publish KeyDescriptor[use=encryption] only when required * [#57](https://github.com/onelogin/python3-saml/pull/57) Be able to register future SP x509cert on the settings and publish it on SP metadata diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py index 5b297519..f33ec10e 100644 --- a/tests/src/OneLogin/saml2_tests/settings_test.py +++ b/tests/src/OneLogin/saml2_tests/settings_test.py @@ -437,14 +437,14 @@ def testGetSPMetadataWithx509certNew(self): metadata = compat.to_string(settings.get_sp_metadata()) self.assertNotEqual(len(metadata), 0) self.assertIn(' Date: Thu, 15 Jun 2017 19:41:48 +0200 Subject: [PATCH 053/331] Use defusedxml that will prevent XEE and other attacks based on the abuse of XML. Release 2.1.6 --- README.md | 6 +++++- changelog.md | 3 +++ setup.py | 5 +++-- src/onelogin/saml2/auth.py | 3 ++- src/onelogin/saml2/xml_utils.py | 5 +++-- 5 files changed, 16 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e074f739..5ef708a7 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,8 @@ This version supports Python3, There is a separate version that only support Pyt #### Warning #### +Release 1.2.6 adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672) + Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json) 1.2.0 version includes a security patch that contains extra validations that will prevent signature wrapping attacks. @@ -80,7 +82,9 @@ Installation * python 2.7 // python 3.3 * [xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library. - * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/duration parser and formatter + * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/ + duration parser and formatter + * [defusedxml](https://pypi.python.org/pypi/defusedxml) XML bomb protection for Python stdlib modules Review the setup.py file to know the version of the library that python3-saml is using diff --git a/changelog.md b/changelog.md index 854b1852..9b57a5db 100644 --- a/changelog.md +++ b/changelog.md @@ -1,4 +1,7 @@ # python3-saml changelog +### 1.2.6 (Jun 15, 2017) +* Use defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672) + ### 1.2.5 (Jun 2, 2017) * Fix issue related with multicers (multicerts were not used on response validation) ### 1.2.4 (May 18, 2017) diff --git a/setup.py b/setup.py index d9e6cd96..482d3f30 100644 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ setup( name='python3-saml', - version='1.2.5', + version='1.2.6', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ 'Development Status :: 5 - Production/Stable', @@ -34,7 +34,8 @@ test_suite='tests', install_requires=[ 'isodate>=0.5.0', - 'xmlsec>=0.6.0' + 'xmlsec>=0.6.0', + 'defusedxml==0.5.0' ], dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'], extras_require={ diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index dfd10eb2..362f8be0 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -13,6 +13,7 @@ import xmlsec from lxml import etree +from defusedxml.lxml import tostring from onelogin.saml2 import compat from onelogin.saml2.settings import OneLogin_Saml2_Settings @@ -606,7 +607,7 @@ def get_last_response_xml(self, pretty_print_if_possible=False): if isinstance(self.__last_response, compat.str_type): response = self.__last_response else: - response = etree.tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible) + response = tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible) return response def get_last_request_xml(self): diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py index f7f590bd..eb9300c4 100644 --- a/src/onelogin/saml2/xml_utils.py +++ b/src/onelogin/saml2/xml_utils.py @@ -11,6 +11,7 @@ from os.path import join, dirname from lxml import etree +from defusedxml.lxml import tostring, fromstring from onelogin.saml2 import compat from onelogin.saml2.constants import OneLogin_Saml2_Constants @@ -21,10 +22,10 @@ class OneLogin_Saml2_XML(object): _element_class = type(etree.Element('root')) - _parse_etree = staticmethod(etree.fromstring) + _parse_etree = staticmethod(fromstring) _schema_class = etree.XMLSchema _text_class = compat.text_types - _unparse_etree = staticmethod(etree.tostring) + _unparse_etree = staticmethod(tostring) dump = staticmethod(etree.dump) make_root = staticmethod(etree.Element) From 1ffe629b261f88005ae9d55cd852863c77c8c6a1 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 15 Jun 2017 19:50:44 +0200 Subject: [PATCH 054/331] Fix pyflakes --- src/onelogin/saml2/auth.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 362f8be0..1eb23b8b 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -12,7 +12,6 @@ """ import xmlsec -from lxml import etree from defusedxml.lxml import tostring from onelogin.saml2 import compat From 16cd67c0efa329ac016abdb8471cb0d654a68825 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Wed, 26 Jul 2017 13:01:25 +0200 Subject: [PATCH 055/331] Fix minor typo --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5ef708a7..656ac0e2 100644 --- a/README.md +++ b/README.md @@ -828,7 +828,7 @@ else: ### SP Key rollover ### -If you plan to update the SP x509cert and privateKey you can define the new x509cert as $settings['sp']['x509certNew'] and it will be +If you plan to update the SP x509cert and privateKey you can define the new x509cert as settings['sp']['x509certNew'] and it will be published on the SP metadata so Identity Providers can read them and get ready for rollover. @@ -837,7 +837,7 @@ published on the SP metadata so Identity Providers can read them and get ready f In some scenarios the IdP uses different certificates for signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata. -In order to handle that the toolkit offers the $settings['idp']['x509certMulti'] parameter. +In order to handle that the toolkit offers the settings['idp']['x509certMulti'] parameter. When that parameter is used, 'x509cert' and 'certFingerprint' values will be ignored by the toolkit. From 6e178d335d6215e53e87dd46eea290f86e69c41a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Borgstr=C3=B6m?= Date: Fri, 1 Sep 2017 13:31:14 +0200 Subject: [PATCH 056/331] Add get_last_message_id and get_last_assertion_id I tried to follow the pattern used in php-saml --- src/onelogin/saml2/auth.py | 25 +++++++++++- src/onelogin/saml2/logout_response.py | 2 + src/onelogin/saml2/response.py | 19 +++++++++ tests/src/OneLogin/saml2_tests/auth_test.py | 43 +++++++++++++++++++++ 4 files changed, 87 insertions(+), 2 deletions(-) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 1eb23b8b..9404c3d4 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -61,6 +61,8 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None): self.__errors = [] self.__error_reason = None self.__last_request_id = None + self.__last_message_id = None + self.__last_assertion_id = None self.__last_request = None self.__last_response = None @@ -104,6 +106,8 @@ def process_response(self, request_id=None): self.__nameid_format = response.get_nameid_format() self.__session_index = response.get_session_index() self.__session_expiration = response.get_session_not_on_or_after() + self.__last_message_id = response.get_id() + self.__last_assertion_id = response.get_assertion_id() self.__authenticated = True else: @@ -143,8 +147,10 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_ self.__error_reason = logout_response.get_error() elif logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS: self.__errors.append('logout_not_success') - elif not keep_local_session: - OneLogin_Saml2_Utils.delete_local_session(delete_session_cb) + else: + self.__last_message_id = logout_response.id + if not keep_local_session: + OneLogin_Saml2_Utils.delete_local_session(delete_session_cb) elif get_data and 'SAMLRequest' in get_data: logout_request = OneLogin_Saml2_Logout_Request(self.__settings, get_data['SAMLRequest']) @@ -160,6 +166,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_ OneLogin_Saml2_Utils.delete_local_session(delete_session_cb) in_response_to = logout_request.id + self.__last_message_id = logout_request.id response_builder = OneLogin_Saml2_Logout_Response(self.__settings) response_builder.build(in_response_to) self.__last_response = response_builder.get_xml() @@ -286,6 +293,20 @@ def get_last_request_id(self): """ return self.__last_request_id + def get_last_message_id(self): + """ + :returns: The ID of the last Response SAML message processed. + :rtype: string + """ + return self.__last_message_id + + def get_last_assertion_id(self): + """ + :returns: The ID of the last assertion processed. + :rtype: string + """ + return self.__last_assertion_id + def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True): """ Initiates the SSO process. diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index 0aed8343..7a27af82 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -35,10 +35,12 @@ def __init__(self, settings, response=None): """ self.__settings = settings self.__error = None + self.id = None if response is not None: self.__logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response)) self.document = OneLogin_Saml2_XML.to_etree(self.__logout_response) + self.id = self.document.get('ID', None) def get_issuer(self): """ diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index b8b9ef90..704ddbb0 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -786,3 +786,22 @@ def get_xml_document(self): return self.decrypted_document else: return self.document + + def get_id(self): + """ + :returns: the ID of the response + :rtype: string + """ + return self.document.get('ID', None) + + def get_assertion_id(self): + """ + :returns: the ID of the assertion in the response + :rtype: string + """ + if not self.validate_num_assertions(): + raise OneLogin_Saml2_ValidationError( + 'SAML Response must contain 1 assertion', + OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS + ) + return self.__query_assertion('')[0].get('ID', None) diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index dff71ddd..ec419cd6 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -1259,3 +1259,46 @@ def testGetLastLogoutResponse(self): auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) auth.process_slo() self.assertEqual(response, auth.get_last_response_xml()) + + def testGetLastMessageAndAssertionId(self): + """ + Tests the get_last_message_id and get_last_assertion_id of the OneLogin_Saml2_Auth class + Case Valid Response + """ + request_data = self.get_request() + message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) + del request_data['get_data'] + request_data['post_data'] = { + 'SAMLResponse': message + } + auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON()) + + auth.process_response() + self.assertEqual(auth.get_last_message_id(), 'pfxcc31568b-c46d-ff75-ba2e-5303484980da') + self.assertEqual(auth.get_last_assertion_id(), 'pfx08c2a6bb-7ee4-8dc2-8fe2-f055eed93de4') + + def testGetIdFromLogoutRequest(self): + """ + Tests the get_last_message_id of the OneLogin_Saml2_Auth class + Case Valid Logout request + """ + settings = self.loadSettingsJSON() + request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml')) + message = OneLogin_Saml2_Utils.deflate_and_base64_encode(request) + message_wrapper = {'get_data': {'SAMLRequest': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_slo() + self.assertIn(auth.get_last_message_id(), 'ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e') + + def testGetIdFromLogoutResponse(self): + """ + Tests the get_last_message_id of the OneLogin_Saml2_Auth class + Case Valid Logout response + """ + settings = self.loadSettingsJSON() + response = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response.xml')) + message = OneLogin_Saml2_Utils.deflate_and_base64_encode(response) + message_wrapper = {'get_data': {'SAMLResponse': message}} + auth = OneLogin_Saml2_Auth(message_wrapper, old_settings=settings) + auth.process_slo() + self.assertIn(auth.get_last_message_id(), '_f9ee61bd9dbf63606faa9ae3b10548d5b3656fb859') From 362e2cb5c944f02262b2ee1cd7ec56b149021bb1 Mon Sep 17 00:00:00 2001 From: Brian Morgan Date: Thu, 7 Sep 2017 13:29:51 -0400 Subject: [PATCH 057/331] fix for issue where if there were multiple signing certs and no encryption certs, only the first signing cert is returned --- src/onelogin/saml2/idp_metadata_parser.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py index 01d3f8c6..2f74ebe5 100644 --- a/src/onelogin/saml2/idp_metadata_parser.py +++ b/src/onelogin/saml2/idp_metadata_parser.py @@ -200,7 +200,9 @@ def parse( data['sp']['NameIDFormat'] = idp_name_id_format if certs is not None: - if len(certs) == 1 or \ + if (len(certs) == 1 and \ + (('signing' in certs and len(certs['signing']) == 1) or + ('encryption' in certs and len(certs['encryption']) == 1))) or \ (('signing' in certs and len(certs['signing']) == 1) and ('encryption' in certs and len(certs['encryption']) == 1 and certs['signing'][0] == certs['encryption'][0])): From 49574c3ef9f3740d42b02683ecc300ea7d5dcfd9 Mon Sep 17 00:00:00 2001 From: Brian Morgan Date: Thu, 7 Sep 2017 13:52:19 -0400 Subject: [PATCH 058/331] fix pep8 failure --- src/onelogin/saml2/idp_metadata_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py index 2f74ebe5..0d51a4ea 100644 --- a/src/onelogin/saml2/idp_metadata_parser.py +++ b/src/onelogin/saml2/idp_metadata_parser.py @@ -200,7 +200,7 @@ def parse( data['sp']['NameIDFormat'] = idp_name_id_format if certs is not None: - if (len(certs) == 1 and \ + if (len(certs) == 1 and (('signing' in certs and len(certs['signing']) == 1) or ('encryption' in certs and len(certs['encryption']) == 1))) or \ (('signing' in certs and len(certs['signing']) == 1) and From 3d35b5cc34ba7ec4ec062e708d775dc9cb016f6c Mon Sep 17 00:00:00 2001 From: Brian Morgan Date: Thu, 7 Sep 2017 14:11:07 -0400 Subject: [PATCH 059/331] add test for idp metadata with multiple signing certs and no encryption certs --- .../idp_metadata_multi_signing_certs.xml | 75 +++++++++++++++++++ .../saml2_tests/idp_metadata_parser_test.py | 36 +++++++++ 2 files changed, 111 insertions(+) create mode 100644 tests/data/metadata/idp_metadata_multi_signing_certs.xml diff --git a/tests/data/metadata/idp_metadata_multi_signing_certs.xml b/tests/data/metadata/idp_metadata_multi_signing_certs.xml new file mode 100644 index 00000000..0cba257a --- /dev/null +++ b/tests/data/metadata/idp_metadata_multi_signing_certs.xml @@ -0,0 +1,75 @@ + + + + + + + MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEF +BQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJj +aWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW +T25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUy +MjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChz +Z2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNV +BAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo +3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRw +tnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xx +VRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5 +L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t +1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/ +BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCB +pIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYD +VQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQL +DAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaC +FD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0B +AQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXM +GI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65c +hjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIB +vlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37 +MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZ +WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== + + + + + + + MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xNzA0MTUxNjMzMThaFw0xODA0MTUxNjMzMThaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6GLkl5lDUZdHNDAojp5i24OoPlqrt5TGXJIPqAZYT1hQvJW5nv17MFDHrjmtEnmW4ACKEy0fAX80QWIcHunZSkbEGHb+NG/6oTi5RipXMvmHnfFnPJJ0AdtiLiPE478CV856gXekV4Xx5u3KrylcOgkpYsp0GMIQBDzleMUXlYQIDAQABo1AwTjAdBgNVHQ4EFgQUnP8vlYPGPL2n6ZzDYij2kMDC8wMwHwYDVR0jBBgwFoAUnP8vlYPGPL2n6ZzDYij2kMDC8wMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAlQGAl+b8Cpot1g+65lLLjVoY7APJPWLW0klKQNlMU0s4MU+71Y3ExUEOXDAZgKcFoavb1fEOGMwEf38NaJAy1e/l6VNuixXShffq20ymqHQxOG0q8ujeNkgZF9k6XDfn/QZ3AD0o/IrCT7UMc/0QsfgIjWYxwCvp2syApc5CYfQ== + + + + + + + MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEF +BQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJj +aWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW +T25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUy +MjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChz +Z2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNV +BAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo +3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRw +tnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xx +VRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5 +L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t +1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/ +BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCB +pIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYD +VQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQL +DAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaC +FD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0B +AQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXM +GI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65c +hjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIB +vlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37 +MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZ +WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py index 2ab5aa27..106cce56 100644 --- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py +++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py @@ -357,6 +357,42 @@ def test_parse_multi_certs(self): expected_settings = json.loads(expected_settings_json) self.assertEqual(expected_settings, data) + def test_parse_multi_singing_certs(self): + """ + Tests the parse method of the OneLogin_Saml2_IdPMetadataParser + Case: IdP metadata contains multiple signing certs and no encryption certs + """ + xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata_multi_signing_certs.xml')) + data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata) + + expected_settings_json = """ + { + "sp": { + "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" + }, + "idp": { + "singleLogoutService": { + "url": "https://idp.examle.com/saml/slo", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + }, + "x509certMulti": { + "signing": [ + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==", + "MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xNzA0MTUxNjMzMThaFw0xODA0MTUxNjMzMThaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6GLkl5lDUZdHNDAojp5i24OoPlqrt5TGXJIPqAZYT1hQvJW5nv17MFDHrjmtEnmW4ACKEy0fAX80QWIcHunZSkbEGHb+NG/6oTi5RipXMvmHnfFnPJJ0AdtiLiPE478CV856gXekV4Xx5u3KrylcOgkpYsp0GMIQBDzleMUXlYQIDAQABo1AwTjAdBgNVHQ4EFgQUnP8vlYPGPL2n6ZzDYij2kMDC8wMwHwYDVR0jBBgwFoAUnP8vlYPGPL2n6ZzDYij2kMDC8wMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAlQGAl+b8Cpot1g+65lLLjVoY7APJPWLW0klKQNlMU0s4MU+71Y3ExUEOXDAZgKcFoavb1fEOGMwEf38NaJAy1e/l6VNuixXShffq20ymqHQxOG0q8ujeNkgZF9k6XDfn/QZ3AD0o/IrCT7UMc/0QsfgIjWYxwCvp2syApc5CYfQ==", + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==" + ] + }, + "entityId": "https://idp.examle.com/saml/metadata", + "singleSignOnService": { + "url": "https://idp.examle.com/saml/sso", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + } + } + } + """ + expected_settings = json.loads(expected_settings_json) + self.assertEqual(expected_settings, data) + def testMergeSettings(self): """ Tests the merge_settings method of the OneLogin_Saml2_IdPMetadataParser From b9f9a4e594618b7deee174a9e38bca44a3d304b8 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Wed, 13 Sep 2017 16:03:58 +0200 Subject: [PATCH 060/331] On a LogoutRequest if the NameIdFormat is entity, NameQualifier and SPNameQualifier will be ommited. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will be also added. Update info related to LogoutRequest on the README --- README.md | 10 +++++++++- src/onelogin/saml2/logout_request.py | 11 ++++++++--- tests/src/OneLogin/saml2_tests/auth_test.py | 2 +- .../saml2_tests/logout_request_test.py | 19 ++++++++++++++++++- 4 files changed, 36 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 656ac0e2..eb701321 100644 --- a/README.md +++ b/README.md @@ -765,15 +765,23 @@ target_url = 'https://example.com' auth.logout(return_to=target_url) ``` -Also there are 2 optional parameters that can be set: +Also there are 4 optional parameters that can be set: * name_id. That will be used to build the LogoutRequest. If not name_id parameter is set and the auth object processed a SAML Response with a NameId, then this NameId will be used. * session_index. SessionIndex that identifies the session of the user. +* nq. IDP Name Qualifier +* name_id_format. The NameID Format that will be set in the LogoutRequest + +If no name_id is provided, the LogoutRequest will contain a NameID with the entity Format. +If name_id is provided and no name_id_format is provided, the NameIDFormat of the settings will be used. +If nq is provided, the SPNameQualifier will be also attached to the NameId. If a match on the LogoutResponse ID and the LogoutRequest ID to be sent is required, that LogoutRequest ID must to be extracted and stored for future validation, we can get that ID by +```python auth.get_last_request_id() +``` ####Example of a view that initiates the SSO request and handles the response (is the acs target)#### diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 7c9bf4c9..814e619f 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -72,12 +72,17 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= cert = idp_data['x509cert'] if name_id is not None: - if name_id_format is None: + if not name_id_format: name_id_format = sp_data['NameIDFormat'] - sp_name_qualifier = None else: - name_id = idp_data['entityId'] name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY + + sp_name_qualifier = None + if name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY: + name_id = idp_data['entityId'] + nq = None + elif nq is not None: + # We only gonna include SPNameQualifier if NameQualifier is provided sp_name_qualifier = sp_data['entityId'] name_id_obj = OneLogin_Saml2_Utils.generate_name_id( diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index dff71ddd..71a41d53 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -1223,7 +1223,7 @@ def testGetLastLogoutRequest(self): expectedFragment = ( ' Destination="http://idp.example.com/SingleLogoutService.php">\n' ' http://stuff.com/endpoints/metadata.php\n' - ' http://idp.example.com/\n' + ' http://idp.example.com/\n' ' \n' ) self.assertIn(expectedFragment, auth.get_last_request_xml()) diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index dbece6b0..6626309d 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -157,6 +157,7 @@ def testGetNameIdData(self): expected_name_id_data = { 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress', 'NameQualifier': idp_data['entityId'], + 'SPNameQualifier': 'http://stuff.com/endpoints/metadata.php', 'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69' } @@ -164,6 +165,22 @@ def testGetNameIdData(self): name_id_data_3 = OneLogin_Saml2_Logout_Request.get_nameid_data(logout_request.get_xml()) self.assertEqual(expected_name_id_data, name_id_data_3) + expected_name_id_data = { + 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress', + 'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69' + } + logout_request = OneLogin_Saml2_Logout_Request(settings, None, expected_name_id_data['Value'], None, None, expected_name_id_data['Format']) + name_id_data_4 = OneLogin_Saml2_Logout_Request.get_nameid_data(logout_request.get_xml()) + self.assertEqual(expected_name_id_data, name_id_data_4) + + expected_name_id_data = { + 'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity', + 'Value': 'http://idp.example.com/' + } + logout_request = OneLogin_Saml2_Logout_Request(settings) + name_id_data_5 = OneLogin_Saml2_Logout_Request.get_nameid_data(logout_request.get_xml()) + self.assertEqual(expected_name_id_data, name_id_data_5) + def testGetNameId(self): """ Tests the get_nameid of the OneLogin_Saml2_LogoutRequest @@ -367,7 +384,7 @@ def testGetXML(self): expectedFragment = ( 'Destination="http://idp.example.com/SingleLogoutService.php">\n' ' http://stuff.com/endpoints/metadata.php\n' - ' http://idp.example.com/\n' + ' http://idp.example.com/\n' ' \n' ) self.assertIn(expectedFragment, logout_request_generated.get_xml()) From 90474ff37a40b2f44ecc399eacbd1d37d7cd60b7 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 14 Sep 2017 13:11:18 +0200 Subject: [PATCH 061/331] Add more tests and documentation related to get_last_message_id and get_last_assertion_id. Add get_last_assertion_not_on_or_after --- README.md | 13 +++++ src/onelogin/saml2/auth.py | 9 ++++ src/onelogin/saml2/response.py | 11 ++++ .../data/responses/valid_response.xml.base64 | 2 +- tests/src/OneLogin/saml2_tests/auth_test.py | 52 ++++++++++++++++--- .../src/OneLogin/saml2_tests/response_test.py | 49 +++++++++++++++++ 6 files changed, 128 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index eb701321..abd26580 100644 --- a/README.md +++ b/README.md @@ -854,6 +854,13 @@ The 'x509certMulti' is an array with 2 keys: - 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP. +### Replay attacks ### + +In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting. + +Get the ID of the last processed message/assertion with the get_last_message_id/get_last_assertion_id method of the Auth object. + + ### Main classes and methods ### Described below are the main classes and methods that can be invoked from the SAML2 library. @@ -885,6 +892,9 @@ Main class of OneLogin Python Toolkit * ***set_strict*** Set the strict mode active/disable. * ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (AuthNRequest, LogoutRequest) * ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse had an encrypted assertion, decrypts it. +* ***get_last_message_id*** The ID of the last Response SAML message processed. +* ***get_last_assertion_id*** The ID of the last assertion processed. +* ***get_last_assertion_not_on_or_after*** The NotOnOrAfter value of the valid SubjectConfirmationData node (if any) of the last assertion processed (is only calculated with strict = true) ####OneLogin_Saml2_Auth - authn_request.py#### @@ -913,6 +923,9 @@ SAML 2 Authentication Response class * ***validate_timestamps*** Verifies that the document is valid according to Conditions Element * ***get_error*** After execute a validation process, if fails this method returns the cause * ***get_xml_document*** Returns the SAML Response document (If contains an encrypted assertion, decrypts it). +* ***get_id*** the ID of the response +* ***get_assertion_id*** the ID of the assertion in the response +* ***get_assertion_not_on_or_after*** the NotOnOrAfter value of the valid SubjectConfirmationData if any ####OneLogin_Saml2_LogoutRequest - logout_request.py#### diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 9404c3d4..226ae012 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -65,6 +65,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None): self.__last_assertion_id = None self.__last_request = None self.__last_response = None + self.__last_assertion_not_on_or_after = None def get_settings(self): """ @@ -109,6 +110,7 @@ def process_response(self, request_id=None): self.__last_message_id = response.get_id() self.__last_assertion_id = response.get_assertion_id() self.__authenticated = True + self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after() else: self.__errors.append('invalid_response') @@ -255,6 +257,13 @@ def get_session_expiration(self): """ return self.__session_expiration + def get_last_assertion_not_on_or_after(self): + """ + The NotOnOrAfter value of the valid SubjectConfirmationData node + (if any) of the last assertion processed + """ + return self.__last_assertion_not_on_or_after + def get_errors(self): """ Returns a list with code errors if something went wrong diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index 704ddbb0..c48daa29 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -39,6 +39,7 @@ def __init__(self, settings, response): self.document = OneLogin_Saml2_XML.to_etree(self.response) self.decrypted_document = None self.encrypted = None + self.valid_scd_not_on_or_after = None # Quick check for the presence of EncryptedAssertion encrypted_assertion_nodes = self.__query('/samlp:Response/saml:EncryptedAssertion') @@ -245,6 +246,10 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False): parsed_nb = OneLogin_Saml2_Utils.parse_SAML_to_time(nb) if parsed_nb > OneLogin_Saml2_Utils.now(): continue + + if nooa: + self.valid_scd_not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa) + any_subject_confirmation = True break @@ -475,6 +480,12 @@ def get_session_not_on_or_after(self): not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(authn_statement_nodes[0].get('SessionNotOnOrAfter')) return not_on_or_after + def get_assertion_not_on_or_after(self): + """ + Returns the NotOnOrAfter value of the valid SubjectConfirmationData node if any + """ + return self.valid_scd_not_on_or_after + def get_session_index(self): """ Gets the SessionIndex from the AuthnStatement diff --git a/tests/data/responses/valid_response.xml.base64 b/tests/data/responses/valid_response.xml.base64 index 42ff8eb4..5a917f2f 100644 --- a/tests/data/responses/valid_response.xml.base64 +++ b/tests/data/responses/valid_response.xml.base64 @@ -1 +1 @@ -PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGNjMzE1NjhiLWM0NmQtZmY3NS1iYTJlLTUzMDM0ODQ5ODBkYSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGNjMzE1NjhiLWM0NmQtZmY3NS1iYTJlLTUzMDM0ODQ5ODBkYSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+cTZnVllaZUJmV21TelhzUUNEVUFYc2hyNjVRPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5ES041ZWVwbm5CU3NvNVd3VHFwZ1lxQ2hsUXA1YXlVYUUrWlVVZ09CK2t5RDJEOUMxRjlSblVTK1VTa2hJQ2dDWVNTamtqQWE4OTZNNzgzdFFMd3dwcGZBSG1NMWpUcTRUVm1xKzlQOTZyQ29LUzUwR0FiZHVOUXFlSTl2T1EraTlXRWVkcFFFeWFsNEJNbS9pTkxHNE00Lzl5alRrVTU2OUdOOGZBOUJSb1E9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDA4YzJhNmJiLTdlZTQtOGRjMi04ZmUyLWYwNTVlZWQ5M2RlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZngwOGMyYTZiYi03ZWU0LThkYzItOGZlMi1mMDU1ZWVkOTNkZTQiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPkVnQzhKSU1zL2VHaXdiSTBVc3AvWGRYUEtnOD08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+MW9JZFJ1bUJDaUNOdXVtYzVYNkhQYWI1L2xXZjZqR0dOR0dGOWxKRWxOc2lOYThpK3dSdkEveVF1YUFvMmp5bGNnV1pMWmZscjc2VnYrYVF0ZFA0LzNDR0djall5cUxWc0k0SS9iZjdXakk0dW1nMXl6aU5zNzMrelUzQThKK21LV013Q1J0eEZibm9BcnNyZzVFcVdOT2MrYkdWMEFsYnFCZTF4RllGcGVnPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDZ1RDQ0Flb0NDUUNiT2xyV0RkWDdGVEFOQmdrcWhraUc5dzBCQVFVRkFEQ0JoREVMTUFrR0ExVUVCaE1DVGs4eEdEQVdCZ05WQkFnVEQwRnVaSEpsWVhNZ1UyOXNZbVZ5WnpFTU1Bb0dBMVVFQnhNRFJtOXZNUkF3RGdZRFZRUUtFd2RWVGtsT1JWUlVNUmd3RmdZRFZRUURFdzltWldsa1pTNWxjbXhoYm1jdWJtOHhJVEFmQmdrcWhraUc5dzBCQ1FFV0VtRnVaSEpsWVhOQWRXNXBibVYwZEM1dWJ6QWVGdzB3TnpBMk1UVXhNakF4TXpWYUZ3MHdOekE0TVRReE1qQXhNelZhTUlHRU1Rc3dDUVlEVlFRR0V3Sk9UekVZTUJZR0ExVUVDQk1QUVc1a2NtVmhjeUJUYjJ4aVpYSm5NUXd3Q2dZRFZRUUhFd05HYjI4eEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReEdEQVdCZ05WQkFNVEQyWmxhV1JsTG1WeWJHRnVaeTV1YnpFaE1COEdDU3FHU0liM0RRRUpBUllTWVc1a2NtVmhjMEIxYm1sdVpYUjBMbTV2TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEaXZiaFI3UDUxNngvUzNCcUt4dXBRZTBMT05vbGl1cGlCT2VzQ08zU0hiRHJsMytxOUliZm5mbUUwNHJOdU1jUHNJeEIxNjFUZERwSWVzTENuN2M4YVBISVNLT3RQbEFlVFpTbmI4UUF1N2FSalpxMytQYnJQNXVXM1RjZkNHUHRLVHl0SE9nZS9PbEpibzA3OGRWaFhRMTRkMUVEd1hKVzFyUlh1VXQ0QzhRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCQUNEVmZwODZIT2JxWStlOEJVb1dROStWTVF4MUFTRG9oQmp3T3NnMld5a1VxUlhGK2RMZmNVSDlkV1I2M0N0WklLRkRiU3ROb21QblF6N25iSytvbnlnd0JzcFZFYm5IdVVpaFpxM1pVZG11bVFxQ3c0VXZzLzFVdnEzb3JPby9XSlZoVHl2TGdGVksyUWFyUTQvNjdPWmZIZDdSK1BPQlhob3BoU012MVpPbzwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+NDkyODgyNjE1YWNmMzFjODA5NmI2MjcyNDVkNzZhZTUzMDM2YzA5MDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0wOC0yM1QwNjo1NzowMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMi0xOVQwMTozNjozMVoiIE5vdE9uT3JBZnRlcj0iMjAyMy0wOC0yM1QwNjo1NzowMVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMi0xOVQwMTozNzowMVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTQtMDItMTlUMDk6Mzc6MDFaIiBTZXNzaW9uSW5kZXg9Il82MjczZDc3YjhjZGUwYzMzM2VjNzlkMjJhOWZhMDAwM2I5ZmUyZDc1Y2IiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c21hcnRpbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zbWFydGluQHlhY28uZXM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iY24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNpeHRvMzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJzbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWFydGluMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5hZG1pbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg== \ No newline at end of file +PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeDQyYmU0MGJmLTM5YzMtNzdmMC1jNmFlLThiZjJlMjNhMWEyZSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDQyYmU0MGJmLTM5YzMtNzdmMC1jNmFlLThiZjJlMjNhMWEyZSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+M1JNaTI0V0F2cjlnTHdWZ0NtUDlsM2NneCtFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5FR2ZSVnRTblJqVkJwdkpMdjExNnhWcmovaDVVQnJlTDNnV0V3ZnNORHkrMU9iaC9XTHZlR01uS2xIN0draHU5eXNIUVkxYzRnSER4SVgyaXZtM3YzVFhqK0V3ZDVhMVE2dXgvbXZJSFRvSUR5SnFLL25LSUtVZFEwTWhIcHVXUnF1OEJoWGZQcnRGdWkzOHRhamJpNjFTUnMxN0ZJc3YvbFJLb1JScWJIYlU9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDU3ZGZkYTYwLWIyMTEtNGNkYS0wZjYzLTZkNWRlYjY5ZTViYiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZng1N2RmZGE2MC1iMjExLTRjZGEtMGY2My02ZDVkZWI2OWU1YmIiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPndIVUpDalpLRWVtd3E2eGZzMkNIbUd3UXNIND08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+Y2VFd0NtbFQ2d3lpdGVLZE5JaVNFLzBoTG5rMkRweEh0K24vdzlhTHp4MmpneDJOTzBiUTFjb0xyYlBmc1A1SjhNYkNBQWRUb20yUkxaTUxIdTNwZjBHeXJ6cUUxTkhIMmthaGJiSWtKYnZJWkhhaE1JaFZNUW1RMzhJMDdQRC8wc3BjdkJqQS9lblk0SWtWR2VQdmUwV3FhaU5ZUGNOeDNaTDJPdENMZEtzPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDZ1RDQ0Flb0NDUUNiT2xyV0RkWDdGVEFOQmdrcWhraUc5dzBCQVFVRkFEQ0JoREVMTUFrR0ExVUVCaE1DVGs4eEdEQVdCZ05WQkFnVEQwRnVaSEpsWVhNZ1UyOXNZbVZ5WnpFTU1Bb0dBMVVFQnhNRFJtOXZNUkF3RGdZRFZRUUtFd2RWVGtsT1JWUlVNUmd3RmdZRFZRUURFdzltWldsa1pTNWxjbXhoYm1jdWJtOHhJVEFmQmdrcWhraUc5dzBCQ1FFV0VtRnVaSEpsWVhOQWRXNXBibVYwZEM1dWJ6QWVGdzB3TnpBMk1UVXhNakF4TXpWYUZ3MHdOekE0TVRReE1qQXhNelZhTUlHRU1Rc3dDUVlEVlFRR0V3Sk9UekVZTUJZR0ExVUVDQk1QUVc1a2NtVmhjeUJUYjJ4aVpYSm5NUXd3Q2dZRFZRUUhFd05HYjI4eEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReEdEQVdCZ05WQkFNVEQyWmxhV1JsTG1WeWJHRnVaeTV1YnpFaE1COEdDU3FHU0liM0RRRUpBUllTWVc1a2NtVmhjMEIxYm1sdVpYUjBMbTV2TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEaXZiaFI3UDUxNngvUzNCcUt4dXBRZTBMT05vbGl1cGlCT2VzQ08zU0hiRHJsMytxOUliZm5mbUUwNHJOdU1jUHNJeEIxNjFUZERwSWVzTENuN2M4YVBISVNLT3RQbEFlVFpTbmI4UUF1N2FSalpxMytQYnJQNXVXM1RjZkNHUHRLVHl0SE9nZS9PbEpibzA3OGRWaFhRMTRkMUVEd1hKVzFyUlh1VXQ0QzhRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCQUNEVmZwODZIT2JxWStlOEJVb1dROStWTVF4MUFTRG9oQmp3T3NnMld5a1VxUlhGK2RMZmNVSDlkV1I2M0N0WklLRkRiU3ROb21QblF6N25iSytvbnlnd0JzcFZFYm5IdVVpaFpxM1pVZG11bVFxQ3c0VXZzLzFVdnEzb3JPby9XSlZoVHl2TGdGVksyUWFyUTQvNjdPWmZIZDdSK1BPQlhob3BoU012MVpPbzwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+NDkyODgyNjE1YWNmMzFjODA5NmI2MjcyNDVkNzZhZTUzMDM2YzA5MDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjA1NC0wOC0yM1QwNjo1NzowMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMi0xOVQwMTozNjozMVoiIE5vdE9uT3JBZnRlcj0iMjA1NC0wOC0yM1QwNjo1NzowMVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMi0xOVQwMTozNzowMVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwNTQtMDItMTlUMDk6Mzc6MDFaIiBTZXNzaW9uSW5kZXg9Il82MjczZDc3YjhjZGUwYzMzM2VjNzlkMjJhOWZhMDAwM2I5ZmUyZDc1Y2IiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c21hcnRpbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zbWFydGluQHlhY28uZXM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iY24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNpeHRvMzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJzbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWFydGluMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5hZG1pbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg== \ No newline at end of file diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py index b9540dcc..d851f126 100644 --- a/tests/src/OneLogin/saml2_tests/auth_test.py +++ b/tests/src/OneLogin/saml2_tests/auth_test.py @@ -125,7 +125,7 @@ def testGetSessionExpiration(self): self.assertIsNone(auth2.get_session_expiration()) auth2.process_response() - self.assertEqual(1392802621, auth2.get_session_expiration()) + self.assertEqual(2655106621, auth2.get_session_expiration()) def testGetLastErrorReason(self): """ @@ -1179,6 +1179,21 @@ def testIsValidLogoutRequestSign(self): auth.process_slo() self.assertIn('Signature validation failed. Logout Request rejected', auth.get_errors()) + def testGetLastRequestID(self): + settings_info = self.loadSettingsJSON() + request_data = self.get_request() + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings_info) + + auth.login() + id1 = auth.get_last_request_id() + self.assertNotEqual(id1, None) + + auth.logout() + id2 = auth.get_last_request_id() + self.assertNotEqual(id2, None) + + self.assertNotEqual(id1, id2) + def testGetLastSAMLResponse(self): settings = self.loadSettingsJSON() message = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) @@ -1260,22 +1275,45 @@ def testGetLastLogoutResponse(self): auth.process_slo() self.assertEqual(response, auth.get_last_response_xml()) - def testGetLastMessageAndAssertionId(self): + def testGetInfoFromLastResponseReceived(self): """ - Tests the get_last_message_id and get_last_assertion_id of the OneLogin_Saml2_Auth class - Case Valid Response + Tests the get_last_message_id, get_last_assertion_id and get_last_assertion_not_on_or_after + of the OneLogin_Saml2_Auth class """ + settings = self.loadSettingsJSON() request_data = self.get_request() message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) del request_data['get_data'] request_data['post_data'] = { 'SAMLResponse': message } - auth = OneLogin_Saml2_Auth(request_data, old_settings=self.loadSettingsJSON()) + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) auth.process_response() - self.assertEqual(auth.get_last_message_id(), 'pfxcc31568b-c46d-ff75-ba2e-5303484980da') - self.assertEqual(auth.get_last_assertion_id(), 'pfx08c2a6bb-7ee4-8dc2-8fe2-f055eed93de4') + self.assertEqual(auth.get_last_message_id(), 'pfx42be40bf-39c3-77f0-c6ae-8bf2e23a1a2e') + self.assertEqual(auth.get_last_assertion_id(), 'pfx57dfda60-b211-4cda-0f63-6d5deb69e5bb') + self.assertIsNone(auth.get_last_assertion_not_on_or_after()) + + # NotOnOrAfter is only calculated with strict = true + # If invalid, response id and assertion id are not obtained + + settings['strict'] = True + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) + auth.process_response() + self.assertNotEqual(len(auth.get_errors()), 0) + self.assertIsNone(auth.get_last_message_id()) + self.assertIsNone(auth.get_last_assertion_id()) + self.assertIsNone(auth.get_last_assertion_not_on_or_after()) + + request_data['https'] = 'on' + request_data['http_host'] = 'pitbulk.no-ip.org' + request_data['script_name'] = '/newonelogin/demo1/index.php?acs' + auth = OneLogin_Saml2_Auth(request_data, old_settings=settings) + auth.process_response() + self.assertEqual(len(auth.get_errors()), 0) + self.assertEqual(auth.get_last_message_id(), 'pfx42be40bf-39c3-77f0-c6ae-8bf2e23a1a2e') + self.assertEqual(auth.get_last_assertion_id(), 'pfx57dfda60-b211-4cda-0f63-6d5deb69e5bb') + self.assertEqual(auth.get_last_assertion_not_on_or_after(), 2671081021) def testGetIdFromLogoutRequest(self): """ diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 46952a89..29e665a1 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1417,3 +1417,52 @@ def testStatusCheckBeforeAssertionCheck(self): response = OneLogin_Saml2_Response(settings, xml) with self.assertRaisesRegex(Exception, 'The status code of the Response was not Success, was Responder'): response.is_valid(self.get_request_data(), raise_exceptions=True) + + def testGetId(self): + """ + Tests that we can retrieve the ID of the Response + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + self.assertEqual(response.get_id(), 'pfxc3d2b542-0f7e-8767-8e87-5b0dc6913375') + + def testGetAssertionId(self): + """ + Tests that we can retrieve the ID of the Assertion + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64')) + response = OneLogin_Saml2_Response(settings, xml) + self.assertEqual(response.get_assertion_id(), '_cccd6024116641fe48e0ae2c51220d02755f96c98d') + + def testGetAssertionNotOnOrAfter(self): + """ + Tests that we can retrieve the NotOnOrAfter value of + the valid SubjectConfirmationData + """ + settings_data = self.loadSettingsJSON() + request_data = self.get_request_data() + settings = OneLogin_Saml2_Settings(settings_data) + message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64')) + response = OneLogin_Saml2_Response(settings, message) + self.assertIsNone(response.get_assertion_not_on_or_after()) + + response.is_valid(request_data) + self.assertIsNone(response.get_error()) + self.assertIsNone(response.get_assertion_not_on_or_after()) + + settings_data['strict'] = True + settings = OneLogin_Saml2_Settings(settings_data) + response = OneLogin_Saml2_Response(settings, message) + + response.is_valid(request_data) + self.assertNotEqual(response.get_error(), None) + self.assertIsNone(response.get_assertion_not_on_or_after()) + + request_data['https'] = 'on' + request_data['http_host'] = 'pitbulk.no-ip.org' + request_data['script_name'] = '/newonelogin/demo1/index.php?acs' + response.is_valid(request_data) + self.assertIsNone(response.get_error()) + self.assertEqual(response.get_assertion_not_on_or_after(), 2671081021) From 07bb2ba245d3aebbd24c808a1823b12645f4d755 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 14 Sep 2017 15:33:45 +0200 Subject: [PATCH 062/331] Reset errorReason attribute of the auth object after each Process method --- src/onelogin/saml2/auth.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py index 226ae012..25f3e5b9 100644 --- a/src/onelogin/saml2/auth.py +++ b/src/onelogin/saml2/auth.py @@ -95,6 +95,7 @@ def process_response(self, request_id=None): :raises: OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found """ self.__errors = [] + self.__error_reason = None if 'post_data' in self.__request_data and 'SAMLResponse' in self.__request_data['post_data']: # AuthnResponse -- HTTP_POST Binding @@ -136,6 +137,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_ :returns: Redirection url """ self.__errors = [] + self.__error_reason = None get_data = 'get_data' in self.__request_data and self.__request_data['get_data'] if get_data and 'SAMLResponse' in get_data: From e446db5fd745d4f9799236c31aed89037135b8c4 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 15 Sep 2017 12:18:45 +0200 Subject: [PATCH 063/331] Improve previous commited tests --- src/onelogin/saml2/response.py | 10 +- .../src/OneLogin/saml2_tests/response_test.py | 247 ++++++++++++++---- 2 files changed, 204 insertions(+), 53 deletions(-) diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index c48daa29..d14b8fb3 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -410,15 +410,17 @@ def get_nameid_data(self): nameid_nodes = self.__query_assertion('/saml:Subject/saml:NameID') if nameid_nodes: nameid = nameid_nodes[0] + + is_strict = self.__settings.is_strict() + want_nameid = self.__settings.get_security_data().get('wantNameId', True) if nameid is None: - security = self.__settings.get_security_data() - if security.get('wantNameId', True): + if is_strict and want_nameid: raise OneLogin_Saml2_ValidationError( 'NameID not found in the assertion of the Response', OneLogin_Saml2_ValidationError.NO_NAMEID ) else: - if self.__settings.is_strict() and not nameid.text: + if is_strict and want_nameid and not nameid.text: raise OneLogin_Saml2_ValidationError( 'An empty NameID value found', OneLogin_Saml2_ValidationError.EMPTY_NAMEID @@ -428,7 +430,7 @@ def get_nameid_data(self): for attr in ['Format', 'SPNameQualifier', 'NameQualifier']: value = nameid.get(attr, None) if value: - if self.__settings.is_strict() and attr == 'SPNameQualifier': + if is_strict and attr == 'SPNameQualifier': sp_data = self.__settings.get_sp_data() sp_entity_id = sp_data.get('entityId', '') if sp_entity_id != value: diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 29e665a1..df2ae703 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -88,6 +88,7 @@ def testReturnNameId(self): Tests the get_nameid method of the OneLogin_Saml2_Response """ json_settings = self.loadSettingsJSON() + json_settings['strict'] = False settings = OneLogin_Saml2_Settings(json_settings) xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) @@ -101,50 +102,98 @@ def testReturnNameId(self): response_3 = OneLogin_Saml2_Response(settings, xml_3) self.assertEqual('_68392312d490db6d355555cfbbd8ec95d746516f60', response_3.get_nameid()) + json_settings['strict'] = True + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): response_4.get_nameid() - json_settings['security']['wantNameId'] = True + json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) - response_5 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_5.get_nameid() + self.assertIsNone(response_5.get_nameid()) + json_settings['strict'] = False json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) - response_6 = OneLogin_Saml2_Response(settings, xml_4) - nameid_6 = response_6.get_nameid() - self.assertIsNone(nameid_6) + self.assertIsNone(response_6.get_nameid()) + + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_7 = OneLogin_Saml2_Response(settings, xml_4) + self.assertIsNone(response_7.get_nameid()) del json_settings['security']['wantNameId'] settings = OneLogin_Saml2_Settings(json_settings) + response_8 = OneLogin_Saml2_Response(settings, xml_4) + self.assertIsNone(response_8.get_nameid()) - response_7 = OneLogin_Saml2_Response(settings, xml_4) + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_9 = OneLogin_Saml2_Response(settings, xml_4) with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_7.get_nameid() + response_9.get_nameid() + + json_settings['strict'] = False + settings = OneLogin_Saml2_Settings(json_settings) + xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) + response_10 = OneLogin_Saml2_Response(settings, xml_5) + self.assertEqual('test@example.com', response_10.get_nameid()) json_settings['strict'] = True settings = OneLogin_Saml2_Settings(json_settings) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) - response_8 = OneLogin_Saml2_Response(settings, xml_5) + response_11 = OneLogin_Saml2_Response(settings, xml_5) with self.assertRaisesRegex(Exception, 'The SPNameQualifier value mistmatch the SP entityID value.'): - response_8.get_nameid() + response_11.get_nameid() + + json_settings['strict'] = True + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64')) - response_9 = OneLogin_Saml2_Response(settings, xml_6) + response_12 = OneLogin_Saml2_Response(settings, xml_6) with self.assertRaisesRegex(Exception, 'An empty NameID value found'): - response_9.get_nameid() + response_12.get_nameid() + + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + response_13 = OneLogin_Saml2_Response(settings, xml_6) + self.assertIsNone(response_13.get_nameid()) + + json_settings['strict'] = False + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + response_14 = OneLogin_Saml2_Response(settings, xml_6) + self.assertIsNone(response_14.get_nameid()) + + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_15 = OneLogin_Saml2_Response(settings, xml_6) + self.assertIsNone(response_15.get_nameid()) + + del json_settings['security']['wantNameId'] + settings = OneLogin_Saml2_Settings(json_settings) + response_16 = OneLogin_Saml2_Response(settings, xml_6) + self.assertIsNone(response_16.get_nameid()) + + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_17 = OneLogin_Saml2_Response(settings, xml_6) + with self.assertRaisesRegex(Exception, 'An empty NameID value found'): + response_17.get_nameid() def testReturnNameIdFormat(self): """ Tests the get_nameid_format method of the OneLogin_Saml2_Response """ json_settings = self.loadSettingsJSON() + json_settings['strict'] = False settings = OneLogin_Saml2_Settings(json_settings) xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) @@ -158,50 +207,98 @@ def testReturnNameIdFormat(self): response_3 = OneLogin_Saml2_Response(settings, xml_3) self.assertEqual('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', response_3.get_nameid_format()) + json_settings['strict'] = True + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_4.get_nameid() + response_4.get_nameid_format() - json_settings['security']['wantNameId'] = True + json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) - response_5 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_5.get_nameid() + self.assertIsNone(response_5.get_nameid_format()) + json_settings['strict'] = False json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) - response_6 = OneLogin_Saml2_Response(settings, xml_4) - nameid_6 = response_6.get_nameid() - self.assertIsNone(nameid_6) + self.assertIsNone(response_6.get_nameid_format()) + + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_7 = OneLogin_Saml2_Response(settings, xml_4) + self.assertIsNone(response_7.get_nameid_format()) del json_settings['security']['wantNameId'] settings = OneLogin_Saml2_Settings(json_settings) + response_8 = OneLogin_Saml2_Response(settings, xml_4) + self.assertIsNone(response_8.get_nameid_format()) - response_7 = OneLogin_Saml2_Response(settings, xml_4) + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_9 = OneLogin_Saml2_Response(settings, xml_4) with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_7.get_nameid() + response_9.get_nameid_format() + + json_settings['strict'] = False + settings = OneLogin_Saml2_Settings(json_settings) + xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) + response_10 = OneLogin_Saml2_Response(settings, xml_5) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', response_10.get_nameid_format()) json_settings['strict'] = True settings = OneLogin_Saml2_Settings(json_settings) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) - response_8 = OneLogin_Saml2_Response(settings, xml_5) + response_11 = OneLogin_Saml2_Response(settings, xml_5) with self.assertRaisesRegex(Exception, 'The SPNameQualifier value mistmatch the SP entityID value.'): - response_8.get_nameid() + response_11.get_nameid_format() + + json_settings['strict'] = True + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64')) - response_9 = OneLogin_Saml2_Response(settings, xml_6) + response_12 = OneLogin_Saml2_Response(settings, xml_6) with self.assertRaisesRegex(Exception, 'An empty NameID value found'): - response_9.get_nameid() + response_12.get_nameid_format() + + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + response_13 = OneLogin_Saml2_Response(settings, xml_6) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', response_13.get_nameid_format()) + + json_settings['strict'] = False + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + response_14 = OneLogin_Saml2_Response(settings, xml_6) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', response_14.get_nameid_format()) + + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_15 = OneLogin_Saml2_Response(settings, xml_6) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', response_15.get_nameid_format()) + + del json_settings['security']['wantNameId'] + settings = OneLogin_Saml2_Settings(json_settings) + response_16 = OneLogin_Saml2_Response(settings, xml_6) + self.assertEqual('urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', response_16.get_nameid_format()) + + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_17 = OneLogin_Saml2_Response(settings, xml_6) + with self.assertRaisesRegex(Exception, 'An empty NameID value found'): + response_17.get_nameid_format() def testGetNameIdData(self): """ Tests the get_nameid_data method of the OneLogin_Saml2_Response """ json_settings = self.loadSettingsJSON() + json_settings['strict'] = False settings = OneLogin_Saml2_Settings(json_settings) xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64')) response = OneLogin_Saml2_Response(settings, xml) @@ -232,58 +329,110 @@ def testGetNameIdData(self): nameid_data_3 = response_3.get_nameid_data() self.assertEqual(expected_nameid_data_3, nameid_data_3) + json_settings['strict'] = True + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64')) response_4 = OneLogin_Saml2_Response(settings, xml_4) with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): response_4.get_nameid_data() - json_settings['security']['wantNameId'] = True + json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) - response_5 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_5.get_nameid_data() + nameid_data_5 = response_5.get_nameid_data() + self.assertEqual({}, nameid_data_5) + json_settings['strict'] = False json_settings['security']['wantNameId'] = False settings = OneLogin_Saml2_Settings(json_settings) - response_6 = OneLogin_Saml2_Response(settings, xml_4) nameid_data_6 = response_6.get_nameid_data() self.assertEqual({}, nameid_data_6) - del json_settings['security']['wantNameId'] + json_settings['security']['wantNameId'] = True settings = OneLogin_Saml2_Settings(json_settings) - response_7 = OneLogin_Saml2_Response(settings, xml_4) - with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_7.get_nameid_data() - - json_settings['security']['wantNameId'] = False - settings = OneLogin_Saml2_Settings(json_settings) - - response_6 = OneLogin_Saml2_Response(settings, xml_4) - nameid_data_6 = response_6.get_nameid_data() - self.assertEqual({}, nameid_data_6) + nameid_data_7 = response_7.get_nameid_data() + self.assertEqual({}, nameid_data_7) del json_settings['security']['wantNameId'] settings = OneLogin_Saml2_Settings(json_settings) + response_8 = OneLogin_Saml2_Response(settings, xml_4) + nameid_data_8 = response_8.get_nameid_data() + self.assertEqual({}, nameid_data_8) - response_7 = OneLogin_Saml2_Response(settings, xml_4) + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_9 = OneLogin_Saml2_Response(settings, xml_4) with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'): - response_7.get_nameid_data() + response_9.get_nameid_data() + + expected_nameid_data_4 = { + 'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', + 'SPNameQualifier': 'wrong-sp-entityid', + 'Value': 'test@example.com' + } + json_settings['strict'] = False + settings = OneLogin_Saml2_Settings(json_settings) + xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) + response_10 = OneLogin_Saml2_Response(settings, xml_5) + nameid_data_10 = response_10.get_nameid_data() + self.assertEqual(expected_nameid_data_4, nameid_data_10) json_settings['strict'] = True settings = OneLogin_Saml2_Settings(json_settings) xml_5 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'wrong_spnamequalifier.xml.base64')) - response_8 = OneLogin_Saml2_Response(settings, xml_5) + response_11 = OneLogin_Saml2_Response(settings, xml_5) with self.assertRaisesRegex(Exception, 'The SPNameQualifier value mistmatch the SP entityID value.'): - response_8.get_nameid_data() + response_11.get_nameid_data() + + expected_nameid_data_5 = { + 'Value': None, + 'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', + } + + json_settings['strict'] = True + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'empty_nameid.xml.base64')) - response_9 = OneLogin_Saml2_Response(settings, xml_6) + response_12 = OneLogin_Saml2_Response(settings, xml_6) with self.assertRaisesRegex(Exception, 'An empty NameID value found'): - response_9.get_nameid_data() + response_12.get_nameid_data() + + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + response_13 = OneLogin_Saml2_Response(settings, xml_6) + nameid_data_13 = response_13.get_nameid_data() + nameid_data_13 = self.assertEqual(expected_nameid_data_5, nameid_data_13) + + json_settings['strict'] = False + json_settings['security']['wantNameId'] = False + settings = OneLogin_Saml2_Settings(json_settings) + response_14 = OneLogin_Saml2_Response(settings, xml_6) + nameid_data_14 = response_14.get_nameid_data() + self.assertEqual(expected_nameid_data_5, nameid_data_14) + + json_settings['security']['wantNameId'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_15 = OneLogin_Saml2_Response(settings, xml_6) + nameid_data_15 = response_15.get_nameid_data() + self.assertEqual(expected_nameid_data_5, nameid_data_15) + + del json_settings['security']['wantNameId'] + settings = OneLogin_Saml2_Settings(json_settings) + response_16 = OneLogin_Saml2_Response(settings, xml_6) + nameid_data_16 = response_16.get_nameid_data() + self.assertEqual(expected_nameid_data_5, nameid_data_16) + + json_settings['strict'] = True + settings = OneLogin_Saml2_Settings(json_settings) + response_17 = OneLogin_Saml2_Response(settings, xml_6) + with self.assertRaisesRegex(Exception, 'An empty NameID value found'): + response_17.get_nameid_data() def testCheckStatus(self): """ From c193ee3458d49cd8286e71777b6dc041c6f53fe7 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 15 Sep 2017 14:02:42 +0200 Subject: [PATCH 064/331] Improve decrypt method, Add an option to decrypt an element in place or copy it before decryption. --- src/onelogin/saml2/response.py | 2 +- src/onelogin/saml2/utils.py | 19 +++++- tests/data/misc/sp4.key | 28 ++++++++ tests/src/OneLogin/saml2_tests/utils_test.py | 72 ++++++++++++++++---- 4 files changed, 105 insertions(+), 16 deletions(-) create mode 100644 tests/data/misc/sp4.key diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index d14b8fb3..c2d35da7 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -778,7 +778,7 @@ def __decrypt_assertion(self, xml): keyinfo.append(encrypted_key[0]) encrypted_data = encrypted_data_nodes[0] - decrypted = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key, debug) + decrypted = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key, debug=debug, inplace=True) xml.replace(encrypted_assertion_nodes[0], decrypted) return xml diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 1b60ee2a..5a92d4c1 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -10,14 +10,17 @@ """ import base64 -from datetime import datetime +from copy import deepcopy import calendar +from datetime import datetime +from defusedxml.lxml import fromstring from hashlib import sha1, sha256, sha384, sha512 from isodate import parse_duration as duration_parser import re from textwrap import wrap from functools import wraps from uuid import uuid4 +from xml.dom.minidom import Element import zlib import xmlsec @@ -655,7 +658,7 @@ def get_status(dom): return status @staticmethod - def decrypt_element(encrypted_data, key, debug=False): + def decrypt_element(encrypted_data, key, debug=False, inplace=False): """ Decrypts an encrypted element. @@ -668,10 +671,20 @@ def decrypt_element(encrypted_data, key, debug=False): :param debug: Activate the xmlsec debug :type: bool + :param inplace: update passed data with decrypted result + :type: bool + :returns: The decrypted element. :rtype: lxml.etree.Element """ - encrypted_data = OneLogin_Saml2_XML.to_etree(encrypted_data) + + if isinstance(encrypted_data, Element): + encrypted_data = fromstring(str(encrypted_data.toxml())) + if not inplace and isinstance(encrypted_data, OneLogin_Saml2_XML._element_class): + encrypted_data = deepcopy(encrypted_data) + elif isinstance(encrypted_data, OneLogin_Saml2_XML._text_class): + encrypted_data = OneLogin_Saml2_XML._parse_etree(encrypted_data) + xmlsec.enable_debug_trace(debug) manager = xmlsec.KeysManager() diff --git a/tests/data/misc/sp4.key b/tests/data/misc/sp4.key new file mode 100644 index 00000000..8be7be60 --- /dev/null +++ b/tests/data/misc/sp4.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD4ZrcXcjCBOQS7 +stUabuXPYnXKvcoJUrMVPRX1zfrXvpfghCrykbL1TKoqGfmEA9oNRoMBOmZCgLlK +eb0TfuEO/u1jf4rRFcK7U/dYEiX74bQgUnJUWTfFlhwPjxGhn9zDrc2tSpworJBV +amyBZIo5Beap5OJLote/Wqp1DZjNyEZ2m8m+lv8udmejmlo5RMoIzuG3VdH6ADC9 +LKF+QsXC/HRZBhLE/y+75/XrNODvX8eM8+9Xp21QlVF1EIZDfNQ2iHsA8GEpJDC5 +aomTW/xExBysejnwP2ROrfm3PIfP64EbB4G01f8eErlXeUD0oQ0gECgIXsJpfBkD +IWMHwx3/AgMBAAECggEAdbLNvFlJ7GDlAj75RJ4ZXAuOPrNw4LwDyON53U9tNP7F +HgfiBa/NuPdLhclq9geRMUsg1dsjCw3NPiGy2mL7JszaFJQhZXLHI1Xk1CE9SD0o +yUvniln/2CqJP0IOG6QQydM3qo24snkZpq9XnHPUHrLSGdwu8aHGUpAWRoJbzdzR +tBWBn6SlkuaE52vcGh7eMdKSICRCg2/gg6LIi89pkiI9tfozAL2LPcDTRGp3DA3w +U6OO8k+d1La4s9G0i22OGSwPxGerTHnBIzpeM/ivRwBypFy3EV9bbjQlheI53xAo +ZMmGeSnQ89MWgY64pnWrX862Mf1EZYTjumDe2dl1kQKBgQD9pBG2BbcQ8qieTf84 +92LeOYTPRdd0N+gdyDKKorRO772zgxBwpSwO285nzy/FKSnpJIDtuee6OFClnDor +Ui6lG1WPQeoSEdH1V10XkfSaoFOz7Hyv9H2dCLvW/VO9KYq07VAmQcvNZnqIW+tI +edSHcQ3I8tnw4CiFa0BPvdhk9wKBgQD6tiuN2NvuNFFLvwpBGp3hjGyn6siyXDyP +8IXQmP66NxKqcX/NafVO3bVh6VrPGd7PL1PloQZ5EBG2PPtRdf/g4aeZKZleCUXm +9OgMEOUqdbTP9TGrmgNPtNBx3jnhnX/GTy/7GK77YlXEVplezWaerwRM7NCFCtp2 +W6K1M961OQKBgQDDSznr2hirrvuP8GRMW4a/rrAI3DDZplZN4CCySDbm9IcvGgJl +iXgT9MDHg2q3t0sy3U18PYEkDEpkSZcsVfneXN6TEGCHCzuLWXovNM2O5VWtmrAi +1vCFIf1nuuRoKP1I89SbsFuYyogcSBIwWsX+h1ji2cJfSmlI2VzKSVW93wKBgQDA +sqwfRoMkP0oM8jUrfQ3Egm4xUiAYFxTlfXUcs7t13UaXgs08USifCYGUVAvcCoJa +tIHDiVS0UEmMzKpOHmghrM9oxbR/tpjnv21reMDrNbVX8ZnPz3ykEtHz816BrtC6 +17qFQJ+d0CMj2XvghfdOGC8yAQL0fzcSqbQRmmCe4QKBgFWY9fqHEKdG/UlxZfBB +C/QRNTJsrbZf9Ok/o1h6BHnK64xUc4elShEwV9IdC4QNW0UCr7WXoGLUkhfUphId +q//KUDNc7VrWj5URsZcGi7WMkqNm9kPkpeuh3iSvh3+q7tK0/yfuj9ZQOjKzQnit +VZBooJAJGdSqYgitpyxB71/n +-----END PRIVATE KEY----- diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py index ff925560..48c807b2 100644 --- a/tests/src/OneLogin/saml2_tests/utils_test.py +++ b/tests/src/OneLogin/saml2_tests/utils_test.py @@ -8,6 +8,7 @@ from lxml import etree from os.path import dirname, join, exists import unittest +from defusedxml.lxml import fromstring from xml.dom.minidom import parseString from onelogin.saml2 import compat @@ -613,7 +614,7 @@ def testDecryptElement(self): encrypted_nameid_nodes = dom_nameid_enc.find('.//saml:EncryptedID', namespaces=OneLogin_Saml2_Constants.NSMAP) encrypted_data = encrypted_nameid_nodes[0] decrypted_nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key) - self.assertEqual('{%s}NameID' % OneLogin_Saml2_Constants.NS_SAML, decrypted_nameid.tag) + self.assertEqual('saml:NameID', decrypted_nameid.tag) self.assertEqual('2de11defd199f8d5bb63f9b7deb265ba5c675c10', decrypted_nameid.text) xml_assertion_enc = b64decode(self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion_encrypted_nameid.xml.base64'))) @@ -636,24 +637,71 @@ def testDecryptElement(self): key2 = f.read() f.close() - self.assertRaises(Exception, OneLogin_Saml2_Utils.decrypt_element, encrypted_data, key2) + # sp.key and sp2.key are equivalent we should be able to decrypt the nameID again + decrypted_nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key2) + self.assertIn('{%s}NameID' % (OneLogin_Saml2_Constants.NS_SAML), decrypted_nameid.tag) + self.assertEqual('457bdb600de717891c77647b0806ce59c089d5b8', decrypted_nameid.text) - key_3_file_name = join(self.data_path, 'misc', 'sp2.key') + key_3_file_name = join(self.data_path, 'misc', 'sp3.key') f = open(key_3_file_name, 'r') key3 = f.read() f.close() - self.assertRaises(Exception, OneLogin_Saml2_Utils.decrypt_element, encrypted_data, key3) + + # sp.key and sp3.key are equivalent we should be able to decrypt the nameID again + decrypted_nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key3) + self.assertIn('{%s}NameID' % (OneLogin_Saml2_Constants.NS_SAML), decrypted_nameid.tag) + self.assertEqual('457bdb600de717891c77647b0806ce59c089d5b8', decrypted_nameid.text) + + key_4_file_name = join(self.data_path, 'misc', 'sp4.key') + f = open(key_4_file_name, 'r') + key4 = f.read() + f.close() + + with self.assertRaisesRegex(Exception, "(1, 'failed to decrypt')"): + OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key4) + xml_nameid_enc_2 = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'encrypted_nameID_without_EncMethod.xml.base64'))) - dom_nameid_enc_2 = etree.fromstring(xml_nameid_enc_2) - encrypted_nameid_nodes_2 = dom_nameid_enc_2.find('.//saml:EncryptedID', namespaces=OneLogin_Saml2_Constants.NSMAP) - encrypted_data_2 = encrypted_nameid_nodes_2[0] - self.assertRaises(Exception, OneLogin_Saml2_Utils.decrypt_element, encrypted_data_2, key) + dom_nameid_enc_2 = parseString(xml_nameid_enc_2) + encrypted_nameid_nodes_2 = dom_nameid_enc_2.getElementsByTagName('saml:EncryptedID') + encrypted_data_2 = encrypted_nameid_nodes_2[0].firstChild + + with self.assertRaisesRegex(Exception, "(1, 'failed to decrypt')"): + OneLogin_Saml2_Utils.decrypt_element(encrypted_data_2, key) xml_nameid_enc_3 = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'encrypted_nameID_without_keyinfo.xml.base64'))) - dom_nameid_enc_3 = etree.fromstring(xml_nameid_enc_3) - encrypted_nameid_nodes_3 = dom_nameid_enc_3.find('.//saml:EncryptedID', namespaces=OneLogin_Saml2_Constants.NSMAP) - encrypted_data_3 = encrypted_nameid_nodes_3[0] - self.assertRaises(Exception, OneLogin_Saml2_Utils.decrypt_element, encrypted_data_3, key) + dom_nameid_enc_3 = parseString(xml_nameid_enc_3) + encrypted_nameid_nodes_3 = dom_nameid_enc_3.getElementsByTagName('saml:EncryptedID') + encrypted_data_3 = encrypted_nameid_nodes_3[0].firstChild + + with self.assertRaisesRegex(Exception, "(1, 'failed to decrypt')"): + OneLogin_Saml2_Utils.decrypt_element(encrypted_data_3, key) + + def testDecryptElementInplace(self): + """ + Tests the decrypt_element method of the OneLogin_Saml2_Utils with inplace=True + """ + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + + key = settings.get_sp_key() + + xml_nameid_enc = b64decode(self.file_contents(join(self.data_path, 'responses', 'response_encrypted_nameid.xml.base64'))) + dom = fromstring(xml_nameid_enc) + encrypted_node = dom.xpath('//saml:EncryptedID/xenc:EncryptedData', namespaces=OneLogin_Saml2_Constants.NSMAP)[0] + + # can be decrypted twice when copy the node first + for _ in range(2): + decrypted_nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_node, key, inplace=False) + self.assertIn('NameID', decrypted_nameid.tag) + self.assertEqual('2de11defd199f8d5bb63f9b7deb265ba5c675c10', decrypted_nameid.text) + + # can only be decrypted once in place + decrypted_nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_node, key, inplace=True) + self.assertIn('NameID', decrypted_nameid.tag) + self.assertEqual('2de11defd199f8d5bb63f9b7deb265ba5c675c10', decrypted_nameid.text) + + # can't be decrypted twice since it has been decrypted inplace + with self.assertRaisesRegex(Exception, "(1, 'failed to decrypt')"): + OneLogin_Saml2_Utils.decrypt_element(encrypted_node, key, inplace=True) def testAddSign(self): """ From 09f6123b14a9c9c23696034dc53b1c9246aa62b1 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sat, 16 Sep 2017 08:52:49 +0200 Subject: [PATCH 065/331] Release 1.3.0 --- changelog.md | 7 +++++++ setup.py | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/changelog.md b/changelog.md index 9b57a5db..fb747fa1 100644 --- a/changelog.md +++ b/changelog.md @@ -1,4 +1,11 @@ # python3-saml changelog +### 1.3.0 (Sep 15, 2017) +* Improve decrypt method, Add an option to decrypt an element in place or copy it before decryption. +* [#63](https://github.com/onelogin/python3-saml/pull/63) Be able to get at the auth object the last processed ID (response/assertion) and the last generated ID, as well as the NotOnOrAfter value of the valid SubjectConfirmationData in the processed SAMLResponse +* On a LogoutRequest if the NameIdFormat is entity, NameQualifier and SPNameQualifier will be ommited. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will be also added. +* Reset errorReason attribute of the auth object before each Process method +* [#65](https://github.com/onelogin/python3-saml/pull/65) Fix issue on getting multiple certs when only sign or encryption certs + ### 1.2.6 (Jun 15, 2017) * Use defusedxml that will prevent XEE and other attacks based on the abuse on XMLs. (CVE-2017-9672) diff --git a/setup.py b/setup.py index 482d3f30..fee27292 100644 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ setup( name='python3-saml', - version='1.2.6', + version='1.3.0', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ 'Development Status :: 5 - Production/Stable', From e1db820a8c9a75978548319240a700d01443863e Mon Sep 17 00:00:00 2001 From: Carlton Duffett Date: Mon, 16 Oct 2017 14:04:21 -0700 Subject: [PATCH 066/331] Documented advanced req parameters; Fixed section headers for GitHub-flavored markdown --- README.md | 78 +++++++++++++++++++++++++++++++++---------------------- 1 file changed, 47 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index abd26580..8a723882 100644 --- a/README.md +++ b/README.md @@ -264,7 +264,7 @@ This is the settings.json file: /* * Key rollover * If you plan to update the SP x509cert and privateKey - * you can define here the new x509cert and it will be + * you can define here the new x509cert and it will be * published on the SP metadata so Identity Providers can * read them and get ready for rollover. */ @@ -511,7 +511,7 @@ from onelogin.saml2.utils import OneLogin_Saml2_Utils #### The Request #### -Building an OneLogin_Saml2_Auth object requires a 'request' parameter. +Building a OneLogin\_Saml2\_Auth object requires a 'request' parameter. ```python auth = OneLogin_Saml2_Auth(req) @@ -519,17 +519,23 @@ auth = OneLogin_Saml2_Auth(req) This parameter has the following scheme: -```javascript +```python req = { "http_host": "", "script_name": "", "server_port": "", "get_data": "", - "post_data": "" + "post_data": "", + + /* Advanced request options */ + "https": "", + "lowercase_urlencoding": "", + "request_uri": "", + "query_string": "" } ``` -Each python framework built its own request object, you may map its data to match what the saml toolkit expects. +Each python framework builds its own request object, you may map its data to match what the saml toolkit expects. Let`s see some examples: ```python @@ -553,6 +559,16 @@ def prepare_from_flask_request(request): } ``` +An explanation of some advanced request parameters: + +* `https` - Defaults to "off". Set this to "on" if you receive responses over HTTPS. + +* `lowercase_urlencoding` - Defaults to `false`. ADFS users should set this to `true`. + +* `request_uri` - The path where your SAML server recieves requests. Set this if requests are not recieved at the server's root. + +* `query_string` - Set this with additional query parameters that should be passed to the request endpoint. + #### Initiate SSO #### @@ -783,7 +799,7 @@ If a match on the LogoutResponse ID and the LogoutRequest ID to be sent is requi auth.get_last_request_id() ``` -####Example of a view that initiates the SSO request and handles the response (is the acs target)#### +#### Example of a view that initiates the SSO request and handles the response (is the acs target) #### We can code a unique file that initiates the SSO process, handle the response, get the attributes, initiate the slo and processes the logout response. @@ -836,7 +852,7 @@ else: ### SP Key rollover ### -If you plan to update the SP x509cert and privateKey you can define the new x509cert as settings['sp']['x509certNew'] and it will be +If you plan to update the SP x509cert and privateKey you can define the new x509cert as settings['sp']['x509certNew'] and it will be published on the SP metadata so Identity Providers can read them and get ready for rollover. @@ -850,7 +866,7 @@ In order to handle that the toolkit offers the settings['idp']['x509certMulti'] When that parameter is used, 'x509cert' and 'certFingerprint' values will be ignored by the toolkit. The 'x509certMulti' is an array with 2 keys: -- 'signing'. An array of certs that will be used to validate IdP signature +- 'signing'. An array of certs that will be used to validate IdP signature - 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP. @@ -865,7 +881,7 @@ Get the ID of the last processed message/assertion with the get_last_message_id/ Described below are the main classes and methods that can be invoked from the SAML2 library. -####OneLogin_Saml2_Auth - auth.py#### +#### OneLogin_Saml2_Auth - auth.py #### Main class of OneLogin Python Toolkit @@ -896,7 +912,7 @@ Main class of OneLogin Python Toolkit * ***get_last_assertion_id*** The ID of the last assertion processed. * ***get_last_assertion_not_on_or_after*** The NotOnOrAfter value of the valid SubjectConfirmationData node (if any) of the last assertion processed (is only calculated with strict = true) -####OneLogin_Saml2_Auth - authn_request.py#### +#### OneLogin_Saml2_Auth - authn_request.py #### SAML 2 Authentication Request class @@ -905,7 +921,7 @@ SAML 2 Authentication Request class * ***get_id*** Returns the AuthNRequest ID. * ***get_xml*** Returns the XML that will be sent as part of the request. -####OneLogin_Saml2_Response - response.py#### +#### OneLogin_Saml2_Response - response.py #### SAML 2 Authentication Response class @@ -927,7 +943,7 @@ SAML 2 Authentication Response class * ***get_assertion_id*** the ID of the assertion in the response * ***get_assertion_not_on_or_after*** the NotOnOrAfter value of the valid SubjectConfirmationData if any -####OneLogin_Saml2_LogoutRequest - logout_request.py#### +#### OneLogin_Saml2_LogoutRequest - logout_request.py #### SAML 2 Logout Request class @@ -942,7 +958,7 @@ SAML 2 Logout Request class * ***get_error*** After execute a validation process, if fails this method returns the cause. * ***get_xml*** Returns the XML that will be sent as part of the request or that was received at the SP -####OneLogin_Saml2_LogoutResponse - logout_response.py#### +#### OneLogin_Saml2_LogoutResponse - logout_response.py #### SAML 2 Logout Response class @@ -955,7 +971,7 @@ SAML 2 Logout Response class * ***get_error*** After execute a validation process, if fails this method returns the cause. * ***get_xml*** Returns the XML that will be sent as part of the response or that was received at the SP -####OneLogin_Saml2_Settings - settings.py#### +#### OneLogin_Saml2_Settings - settings.py #### Configuration of the OneLogin Python Toolkit @@ -990,7 +1006,7 @@ Configuration of the OneLogin Python Toolkit * ***is_strict*** Returns if the 'strict' mode is active. * ***is_debug_active*** Returns if the debug is active. -####OneLogin_Saml2_Metadata - metadata.py#### +#### OneLogin_Saml2_Metadata - metadata.py #### A class that contains functionality related to the metadata of the SP @@ -998,7 +1014,7 @@ A class that contains functionality related to the metadata of the SP * ***sign_metadata*** Signs the metadata with the key/cert provided. * ***add_x509_key_descriptors*** Adds the x509 descriptors (sign/encryption) to the metadata -####OneLogin_Saml2_Utils - utils.py#### +#### OneLogin_Saml2_Utils - utils.py #### Auxiliary class that contains several methods @@ -1030,7 +1046,7 @@ Auxiliary class that contains several methods * ***validate_sign*** Validates a signature (Message or Assertion). * ***validate_binary_sign*** Validates signed bynary data (Used to validate GET Signature). -####OneLogin_Saml2_XML- xml_utils.py#### +#### OneLogin_Saml2_XML- xml_utils.py #### A class that contains methods to handle XMLs @@ -1040,7 +1056,7 @@ A class that contains methods to handle XMLs * ***query*** Extracts nodes that match the query from the Element * ***extract_tag_text*** -####OneLogin_Saml2_IdPMetadataParser - idp_metadata_parser.py#### +#### OneLogin_Saml2_IdPMetadataParser - idp_metadata_parser.py #### A class that contains methods to obtain and parse metadata from IdP @@ -1111,7 +1127,7 @@ Now, with the virtualenv loaded, you can run the demo like this: You'll have the demo running at http://localhost:8000 -####Content#### +#### Content #### The flask project contains: @@ -1123,7 +1139,7 @@ The flask project contains: * ***saml*** Is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json). -####SP setup#### +#### SP setup #### The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-flask it used the first method. @@ -1131,11 +1147,11 @@ In the index.py file we define the app.config['SAML_PATH'], that will target to First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info. Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt. -####IdP setup#### +#### IdP setup #### Once the SP is configured, the metadata of the SP is published at the /metadata url. Based on that info, configure the IdP. -####How it works#### +#### How it works #### 1. First time you access to the main view 'http://localhost:8000', you can select to login and return to the same view or login and be redirected to /?attrs (attrs view). @@ -1180,7 +1196,7 @@ Note that many of the configuration files expect HTTPS. This is not required by If you want to integrate a production django application, take a look on this SAMLServiceProviderBackend that uses our toolkit to add SAML support: https://github.com/KristianOellegaard/django-saml-service-provider -####Content#### +#### Content #### The django project contains: @@ -1196,7 +1212,7 @@ The django project contains: * ***templates***. Is the folder where django stores the templates of the project. It was implemented a base.html template that is extended by index.html and attrs.html, the templates of our simple demo that shows messages, user attributes when available and login and logout links. -####SP setup#### +#### SP setup #### The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-django it used the first method. @@ -1204,15 +1220,15 @@ After set the SAML_FOLDER in the demo/settings.py, the settings of the python to First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info. Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt. -####IdP setup#### +#### IdP setup #### Once the SP is configured, the metadata of the SP is published at the /metadata url. Based on that info, configure the IdP. -####How it works#### +#### How it works #### This demo works very similar to the flask-demo (We did it intentionally). -###Getting up and running on Heroku### +### Getting up and running on Heroku ### Getting python3-saml up and running on Heroku will require some extra legwork: python3-saml depends on python-xmlsec which depends on headers from the xmlsec1-dev linux package to install correctly. @@ -1262,7 +1278,7 @@ Now you can run the demo like this: If that worked, the demo is now running at http://localhost:6543. -####Content#### +#### Content #### The Pyramid project contains: @@ -1276,7 +1292,7 @@ The Pyramid project contains: * ***saml*** is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json). -####SP setup#### +#### SP setup #### The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In demo_pyramid the first method is used. @@ -1284,11 +1300,11 @@ In the views.py file we define the SAML_PATH, which will target the 'saml' folde First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info. Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt. -####IdP setup#### +#### IdP setup #### Once the SP is configured, the metadata of the SP is published at the /metadata/ url. Based on that info, configure the IdP. -####How it works#### +#### How it works #### 1. First time you access to the main view 'http://localhost:6543', you can select to login and return to the same view or login and be redirected to /?attrs (attrs view). From 5e817e7e4c984d711b2affe9ead5060267ca1257 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 19 Oct 2017 12:11:18 +0200 Subject: [PATCH 067/331] Fix issue with LogoutRequest rejected by ADFS due NameID with unspecified format instead no format attribute --- src/onelogin/saml2/logout_request.py | 2 +- src/onelogin/saml2/utils.py | 2 +- .../saml2_tests/logout_request_test.py | 58 +++++++++++++++++++ tests/src/OneLogin/saml2_tests/utils_test.py | 11 ++++ 4 files changed, 71 insertions(+), 2 deletions(-) diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index 814e619f..bf02b0bb 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -72,7 +72,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq= cert = idp_data['x509cert'] if name_id is not None: - if not name_id_format: + if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED: name_id_format = sp_data['NameIDFormat'] else: name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 5a92d4c1..098b52a3 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -557,7 +557,7 @@ def format_finger_print(fingerprint): return formatted_fingerprint.lower() @staticmethod - def generate_name_id(value, sp_nq, sp_format, cert=None, debug=False, nq=None): + def generate_name_id(value, sp_nq, sp_format=None, cert=None, debug=False, nq=None): """ Generates a nameID. diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index 6626309d..77b584bf 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -89,6 +89,64 @@ def testCreateDeflatedSAMLLogoutRequestURLParameter(self): inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(payload)) self.assertRegex(inflated, '^') + def testGetIDFromSAMLLogoutRequest(self): """ Tests the get_id method of the OneLogin_Saml2_LogoutRequest diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py index 48c807b2..ae4b2436 100644 --- a/tests/src/OneLogin/saml2_tests/utils_test.py +++ b/tests/src/OneLogin/saml2_tests/utils_test.py @@ -511,6 +511,17 @@ def testNameidGenerationDoesNotIncludeNameQualifierAttribute(self): self.assertNotIn(not_expected_attribute, name_id.attrib.keys()) + def testGenerateNameIdWithoutFormat(self): + """ + Tests the generateNameId method of the OneLogin_Saml2_Utils + """ + name_id_value = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde' + name_id_format = None + + name_id = OneLogin_Saml2_Utils.generate_name_id(name_id_value, None, name_id_format) + expected_name_id = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde' + self.assertEqual(name_id, expected_name_id) + def testGenerateNameIdWithSPNameQualifier(self): """ Tests the generateNameId method of the OneLogin_Saml2_Utils From e08cc28f650f6acdf5446307e8cedc7848322370 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 3 Nov 2017 14:31:04 +0100 Subject: [PATCH 068/331] Fix test --- tests/src/OneLogin/saml2_tests/logout_request_test.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py index 77b584bf..843ccb7b 100644 --- a/tests/src/OneLogin/saml2_tests/logout_request_test.py +++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py @@ -139,13 +139,13 @@ def testConstructorEncryptIdUsingX509certMulti(self): parameters = {'SAMLRequest': logout_request.get_request()} logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True) - self.assertRegexpMatches(logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=') + self.assertRegex(logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=') url_parts = urlparse(logout_url) exploded = parse_qs(url_parts.query) payload = exploded['SAMLRequest'][0] - inflated = OneLogin_Saml2_Utils.decode_base64_and_inflate(payload) - self.assertRegexpMatches(inflated, '^') + inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(payload)) + self.assertRegex(inflated, '^') def testGetIDFromSAMLLogoutRequest(self): """ From b9e28d5b4a0fcb1b3f98882c06951b1809db7729 Mon Sep 17 00:00:00 2001 From: Mikko Keskinen Date: Thu, 9 Nov 2017 16:09:30 +0200 Subject: [PATCH 069/331] Fix signature tag position in the SP metadata --- src/onelogin/saml2/utils.py | 2 +- tests/src/OneLogin/saml2_tests/metadata_test.py | 5 +++++ tests/src/OneLogin/saml2_tests/utils_test.py | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 098b52a3..26528500 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -742,7 +742,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant issuer = issuer[0] issuer.addnext(signature) else: - elem[0].insert(0, signature) + elem.insert(0, signature) elem_id = elem.get('ID', None) if elem_id: diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py index abaebe15..edee2321 100644 --- a/tests/src/OneLogin/saml2_tests/metadata_test.py +++ b/tests/src/OneLogin/saml2_tests/metadata_test.py @@ -13,6 +13,7 @@ from onelogin.saml2.metadata import OneLogin_Saml2_Metadata from onelogin.saml2.settings import OneLogin_Saml2_Settings from onelogin.saml2.constants import OneLogin_Saml2_Constants +from onelogin.saml2.xml_utils import OneLogin_Saml2_XML class OneLogin_Saml2_Metadata_Test(unittest.TestCase): @@ -248,6 +249,10 @@ def testSignMetadata(self): self.assertIn('\n\n', signed_metadata_2) + root = OneLogin_Saml2_XML.to_etree(signed_metadata_2) + first_child = OneLogin_Saml2_XML.query(root, '/md:EntityDescriptor/*[1]')[0] + self.assertEqual('{http://www.w3.org/2000/09/xmldsig#}Signature', first_child.tag) + def testAddX509KeyDescriptors(self): """ Tests the addX509KeyDescriptors method of the OneLogin_Saml2_Metadata diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py index ae4b2436..a1d7817e 100644 --- a/tests/src/OneLogin/saml2_tests/utils_test.py +++ b/tests/src/OneLogin/saml2_tests/utils_test.py @@ -774,7 +774,7 @@ def testAddSign(self): xml_metadata_signed = compat.to_string(OneLogin_Saml2_Utils.add_sign(xml_metadata, key, cert)) self.assertIn('', xml_metadata_signed) res_8 = parseString(xml_metadata_signed) - ds_signature_8 = res_8.firstChild.firstChild.nextSibling.firstChild.nextSibling + ds_signature_8 = res_8.firstChild.firstChild.nextSibling self.assertIn('ds:Signature', ds_signature_8.tagName) def testAddSignCheckAlg(self): From 6505e5c9bfef6541862b3e65a5fb97c6e59845b6 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Fri, 10 Nov 2017 20:01:29 +0100 Subject: [PATCH 070/331] Keep add_sign backward compatibility --- src/onelogin/saml2/utils.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 26528500..a839b008 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -742,7 +742,11 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant issuer = issuer[0] issuer.addnext(signature) else: - elem.insert(0, signature) + entity_descriptor = OneLogin_Saml2_XML.query(elem, '//md:EntityDescriptor') + if len(entity_descriptor) > 0: + elem.insert(0, signature) + else: + elem[0].insert(0, signature) elem_id = elem.get('ID', None) if elem_id: From e5d4dc9565f2091719168b2eb95a9e8da140ee11 Mon Sep 17 00:00:00 2001 From: Carlton Duffett Date: Thu, 16 Nov 2017 18:42:16 -0800 Subject: [PATCH 071/331] NS_PREFIX constants --- src/onelogin/saml2/constants.py | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py index ede4013d..a570b884 100644 --- a/src/onelogin/saml2/constants.py +++ b/src/onelogin/saml2/constants.py @@ -47,6 +47,24 @@ class OneLogin_Saml2_Constants(object): NS_XENC = 'http://www.w3.org/2001/04/xmlenc#' NS_DS = 'http://www.w3.org/2000/09/xmldsig#' + # Namespace Prefixes + NS_PREFIX_SAML = 'saml' + NS_PREFIX_SAMLP = 'samlp' + NS_PREFIX_MD = 'md' + NS_PREFIX_XS = 'xs' + NS_PREFIX_XSI = 'xsi' + NS_PREFIX_XENC = 'xenc' + NS_PREFIX_DS = 'ds' + + # Prefix:Namespace Mappings + NSMAP = { + NS_PREFIX_SAMLP: NS_SAMLP, + NS_PREFIX_SAML: NS_SAML, + NS_PREFIX_DS: NS_DS, + NS_PREFIX_XENC: NS_XENC, + NS_PREFIX_MD: NS_MD + } + # Bindings BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' @@ -76,15 +94,6 @@ class OneLogin_Saml2_Constants(object): STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout' STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded' - # Namespaces - NSMAP = { - 'samlp': NS_SAMLP, - 'saml': NS_SAML, - 'ds': NS_DS, - 'xenc': NS_XENC, - 'md': NS_MD - } - # Sign & Crypto SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1' SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256' From 0e7b7310b31a5cb693a5105ef5debcdff6769108 Mon Sep 17 00:00:00 2001 From: Carlton Duffett Date: Thu, 16 Nov 2017 18:42:47 -0800 Subject: [PATCH 072/331] Override cleanup_namespaces to preserve xmlns:xs namespace --- src/onelogin/saml2/xml_utils.py | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py index eb9300c4..3ddc34e0 100644 --- a/src/onelogin/saml2/xml_utils.py +++ b/src/onelogin/saml2/xml_utils.py @@ -30,7 +30,28 @@ class OneLogin_Saml2_XML(object): dump = staticmethod(etree.dump) make_root = staticmethod(etree.Element) make_child = staticmethod(etree.SubElement) - cleanup_namespaces = staticmethod(etree.cleanup_namespaces) + + @staticmethod + def cleanup_namespaces(tree_or_element, top_nsmap=None, keep_ns_prefixes=None): + """ + Keeps the xmlns:xs namespace intact when etree.cleanup_namespaces is invoked. + :param tree_or_element: An XML tree or element + :type tree_or_element: etree.Element + :param top_nsmap: A mapping from namespace prefixes to namespace URIs + :type top_nsmap: dict + :param keep_ns_prefixes: List of prefixes that should not be removed as part of the cleanup + :type keep_ns_prefixes: list + :returns: An XML tree or element + :rtype: etree.Element + """ + all_prefixes_to_keep = [ + OneLogin_Saml2_Constants.NS_PREFIX_XS + ] + + if keep_ns_prefixes: + all_prefixes_to_keep = list(set(all_prefixes_to_keep.extend(keep_ns_prefixes))) + + return etree.cleanup_namespaces(tree_or_element, keep_ns_prefixes=all_prefixes_to_keep) @staticmethod def to_string(xml, **kwargs): From 189632c7823be1a27f03a1f51ab4a5fa975423c0 Mon Sep 17 00:00:00 2001 From: Carlton Duffett Date: Thu, 16 Nov 2017 18:58:12 -0800 Subject: [PATCH 073/331] On second thought, let's put this near the bottom of the file... --- src/onelogin/saml2/xml_utils.py | 43 +++++++++++++++++---------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py index 3ddc34e0..088223c5 100644 --- a/src/onelogin/saml2/xml_utils.py +++ b/src/onelogin/saml2/xml_utils.py @@ -31,27 +31,6 @@ class OneLogin_Saml2_XML(object): make_root = staticmethod(etree.Element) make_child = staticmethod(etree.SubElement) - @staticmethod - def cleanup_namespaces(tree_or_element, top_nsmap=None, keep_ns_prefixes=None): - """ - Keeps the xmlns:xs namespace intact when etree.cleanup_namespaces is invoked. - :param tree_or_element: An XML tree or element - :type tree_or_element: etree.Element - :param top_nsmap: A mapping from namespace prefixes to namespace URIs - :type top_nsmap: dict - :param keep_ns_prefixes: List of prefixes that should not be removed as part of the cleanup - :type keep_ns_prefixes: list - :returns: An XML tree or element - :rtype: etree.Element - """ - all_prefixes_to_keep = [ - OneLogin_Saml2_Constants.NS_PREFIX_XS - ] - - if keep_ns_prefixes: - all_prefixes_to_keep = list(set(all_prefixes_to_keep.extend(keep_ns_prefixes))) - - return etree.cleanup_namespaces(tree_or_element, keep_ns_prefixes=all_prefixes_to_keep) @staticmethod def to_string(xml, **kwargs): @@ -144,6 +123,28 @@ def query(dom, query, context=None): else: return context.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP) + @staticmethod + def cleanup_namespaces(tree_or_element, top_nsmap=None, keep_ns_prefixes=None): + """ + Keeps the xmlns:xs namespace intact when etree.cleanup_namespaces is invoked. + :param tree_or_element: An XML tree or element + :type tree_or_element: etree.Element + :param top_nsmap: A mapping from namespace prefixes to namespace URIs + :type top_nsmap: dict + :param keep_ns_prefixes: List of prefixes that should not be removed as part of the cleanup + :type keep_ns_prefixes: list + :returns: An XML tree or element + :rtype: etree.Element + """ + all_prefixes_to_keep = [ + OneLogin_Saml2_Constants.NS_PREFIX_XS + ] + + if keep_ns_prefixes: + all_prefixes_to_keep = list(set(all_prefixes_to_keep.extend(keep_ns_prefixes))) + + return etree.cleanup_namespaces(tree_or_element, keep_ns_prefixes=all_prefixes_to_keep) + @staticmethod def extract_tag_text(xml, tagname): open_tag = compat.to_bytes("<%s" % tagname) From 0003e7c688f65370790318b0b565612dbf972e67 Mon Sep 17 00:00:00 2001 From: Carlton Duffett Date: Fri, 17 Nov 2017 09:06:10 -0800 Subject: [PATCH 074/331] Appease pep8 --- src/onelogin/saml2/xml_utils.py | 1 - tests/pep8.rc | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py index 088223c5..5063f475 100644 --- a/src/onelogin/saml2/xml_utils.py +++ b/src/onelogin/saml2/xml_utils.py @@ -31,7 +31,6 @@ class OneLogin_Saml2_XML(object): make_root = staticmethod(etree.Element) make_child = staticmethod(etree.SubElement) - @staticmethod def to_string(xml, **kwargs): """ diff --git a/tests/pep8.rc b/tests/pep8.rc index b60901e4..27d6de8d 100644 --- a/tests/pep8.rc +++ b/tests/pep8.rc @@ -1,3 +1,3 @@ [pep8] -ignore = E501 +ignore = E501,E731 max-line-length = 160 \ No newline at end of file From 08638bec5112ce57ebbf8ec21059831b21b7c9d9 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sun, 17 Dec 2017 21:05:56 +0100 Subject: [PATCH 075/331] Add more tests to cover IdPMetadataParser --- ...tadata_different_sign_and_encrypt_cert.xml | 72 +++++++++++++++++++ ...dp_metadata_same_sign_and_encrypt_cert.xml | 71 ++++++++++++++++++ .../saml2_tests/idp_metadata_parser_test.py | 56 ++++++++++++++- 3 files changed, 198 insertions(+), 1 deletion(-) create mode 100644 tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml create mode 100644 tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml diff --git a/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml b/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml new file mode 100644 index 00000000..df90353a --- /dev/null +++ b/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml @@ -0,0 +1,72 @@ + + + + + + + MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD +VQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2 +MDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u +ZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z +0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT +gf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m +Tr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF +zRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ +UAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV +HSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw +DwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO +BgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu +AuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV +gG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ +sTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP +TbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu +QOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78 +1sE= + + + + + + + MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEF +BQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJj +aWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwW +T25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUy +MjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChz +Z2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNV +BAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo +3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRw +tnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xx +VRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5 +L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t +1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/ +BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCB +pIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYD +VQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQL +DAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaC +FD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0B +AQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXM +GI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65c +hjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIB +vlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37 +MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZ +WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw== + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + + + Support + support@onelogin.com + + \ No newline at end of file diff --git a/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml b/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml new file mode 100644 index 00000000..e7fd250b --- /dev/null +++ b/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml @@ -0,0 +1,71 @@ + + + + + + + MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD +VQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2 +MDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u +ZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z +0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT +gf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m +Tr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF +zRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ +UAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV +HSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw +DwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO +BgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu +AuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV +gG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ +sTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP +TbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu +QOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78 +1sE= + + + + + + + MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYD +VQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2 +MDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9u +ZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z +0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sT +gf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0m +Tr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SF +zRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJ +UAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNV +HSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREw +DwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAO +BgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHu +AuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcV +gG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJ +sTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClP +TbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWu +QOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78 +1sE= + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + + + Support + support@onelogin.com + + \ No newline at end of file diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py index 106cce56..f919e1f2 100644 --- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py +++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py @@ -393,7 +393,61 @@ def test_parse_multi_singing_certs(self): expected_settings = json.loads(expected_settings_json) self.assertEqual(expected_settings, data) - def testMergeSettings(self): + def test_parse_multi_same_signing_and_encrypt_cert(self): + """ + Tests the parse method of the OneLogin_Saml2_IdPMetadataParser + Case: IdP metadata contains multiple signature cert and encrypt cert + that is the same + """ + xml_idp_metadata = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata_same_sign_and_encrypt_cert.xml')) + data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata) + + expected_settings_json = """ + { + "sp": { + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + }, + "idp": { + "x509cert": "MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2MDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sTgf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0mTr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SFzRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJUAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNVHSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHuAuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcVgG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJsTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClPTbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWuQOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh781sE=", + "entityId": "https://app.onelogin.com/saml/metadata/383123", + "singleSignOnService": { + "url": "https://app.onelogin.com/trust/saml2/http-post/sso/383123", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + } + } + } + """ + expected_settings = json.loads(expected_settings_json) + self.assertEqual(expected_settings, data) + + xml_idp_metadata_2 = self.file_contents(join(self.data_path, 'metadata', 'idp_metadata_different_sign_and_encrypt_cert.xml')) + data_2 = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata_2) + expected_settings_json_2 = """ + { + "sp": { + "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" + }, + "idp": { + "x509certMulti": { + "encryption": [ + "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==" + ], + "signing": [ + "MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbTAeFw0xMzA2MDUxNzE2MjBaFw0xODA2MDUxNzE2MjBaMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAse8rnep4qL2GmhH10pMQyJ2Jae+AQHyfgVjaQZ7Z0QQog5jX91vcJRSMi0XWJnUtOr6lF0dq1+yckjZ92wyLrH+7fvngNO1aV4Mjk9sTgf+iqMrae6y6fRxDt9PXrEFVjvd3vv7QTJf2FuIPy4vVP06Dt8EMkQIr8rmLmU0mTr1k2DkrdtdlCuNFTXuAu3QqfvNCRrRwfNObn9MP6JeOUdcGLJsBjGF8exfcN1SFzRF0JFr3dmOlx761zK5liD0T1sYWnDquatj/JD9fZMbKecBKni1NglH/LVd+b6aJUAr5LulERULUjLqYJRKW31u91/4Qazdo9tbvwqyFxaoUrwIDAQABo4HUMIHRMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPWcXvQSlTXnzZD2xziuoUvrrDedMIGRBgNVHSMEgYkwgYaAFPWcXvQSlTXnzZD2xziuoUvrrDedoWukaTBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMU2FudGEgTW9uaWNhMREwDwYDVQQKDAhPbmVMb2dpbjEZMBcGA1UEAwwQYXBwLm9uZWxvZ2luLmNvbYIBATAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADggEBAB/8xe3rzqXQVxzHyAHuAuPa73ClDoL1cko0Fp8CGcqEIyj6Te9gx5z6wyfv+Lo8RFvBLlnB1lXqbC+fTGcVgG/4oKLJ5UwRFxInqpZPnOAudVNnd0PYOODn9FWs6u+OTIQIaIcPUv3MhB9lwHIJsTk/bs9xcru5TPyLIxLLd6ib/pRceKH2mTkzUd0DYk9CQNXXeoGx/du5B9nh3ClPTbVakRzl3oswgI5MQIphYxkW70SopEh4kOFSRE1ND31NNIq1YrXlgtkguQBFsZWuQOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh781sE=" + ] + }, + "entityId": "https://app.onelogin.com/saml/metadata/383123", + "singleSignOnService": { + "url": "https://app.onelogin.com/trust/saml2/http-post/sso/383123", + "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + } + } + } + """ + expected_settings_2 = json.loads(expected_settings_json_2) + self.assertEqual(expected_settings_2, data_2) + + def test_merge_settings(self): """ Tests the merge_settings method of the OneLogin_Saml2_IdPMetadataParser """ From 349757d98f0b7feaee867826a0782df4307fc32e Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 27 Feb 2018 15:12:48 +0100 Subject: [PATCH 076/331] Fix vulnerability CVE-2017-11427. Process text of nodes properly, ignoring comments --- src/onelogin/saml2/idp_metadata_parser.py | 6 +++--- src/onelogin/saml2/logout_request.py | 6 +++--- src/onelogin/saml2/logout_response.py | 2 +- src/onelogin/saml2/response.py | 21 +++++++++++++------ src/onelogin/saml2/utils.py | 4 ++-- src/onelogin/saml2/xml_utils.py | 5 +++++ .../response_node_text_attack.xml.base64 | 1 + .../src/OneLogin/saml2_tests/response_test.py | 13 ++++++++++++ 8 files changed, 43 insertions(+), 15 deletions(-) create mode 100644 tests/data/responses/response_node_text_attack.xml.base64 diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py index 0d51a4ea..7fc11958 100644 --- a/src/onelogin/saml2/idp_metadata_parser.py +++ b/src/onelogin/saml2/idp_metadata_parser.py @@ -144,7 +144,7 @@ def parse( name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat') if len(name_id_format_nodes) > 0: - idp_name_id_format = name_id_format_nodes[0].text + idp_name_id_format = OneLogin_Saml2_XML.element_text(name_id_format_nodes[0]) sso_nodes = OneLogin_Saml2_XML.query( idp_descriptor_node, @@ -170,11 +170,11 @@ def parse( if len(signing_nodes) > 0: certs['signing'] = [] for cert_node in signing_nodes: - certs['signing'].append(''.join(cert_node.text.split())) + certs['signing'].append(''.join(OneLogin_Saml2_XML.element_text(cert_node).split())) if len(encryption_nodes) > 0: certs['encryption'] = [] for cert_node in encryption_nodes: - certs['encryption'].append(''.join(cert_node.text.split())) + certs['encryption'].append(''.join(OneLogin_Saml2_XML.element_text(cert_node).split())) data['idp'] = {} diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py index bf02b0bb..2ca540c0 100644 --- a/src/onelogin/saml2/logout_request.py +++ b/src/onelogin/saml2/logout_request.py @@ -188,7 +188,7 @@ def get_nameid_data(request, key=None): ) name_id_data = { - 'Value': name_id.text + 'Value': OneLogin_Saml2_XML.element_text(name_id) } for attr in ['Format', 'SPNameQualifier', 'NameQualifier']: if attr in name_id.attrib: @@ -241,7 +241,7 @@ def get_issuer(request): issuer = None issuer_nodes = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/saml:Issuer') if len(issuer_nodes) == 1: - issuer = issuer_nodes[0].text + issuer = OneLogin_Saml2_XML.element_text(issuer_nodes[0]) return issuer @staticmethod @@ -258,7 +258,7 @@ def get_session_indexes(request): session_indexes = [] session_index_nodes = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/samlp:SessionIndex') for session_index_node in session_index_nodes: - session_indexes.append(session_index_node.text) + session_indexes.append(OneLogin_Saml2_XML.element_text(session_index_node)) return session_indexes def is_valid(self, request_data, raise_exceptions=False): diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py index 7a27af82..e568d6e0 100644 --- a/src/onelogin/saml2/logout_response.py +++ b/src/onelogin/saml2/logout_response.py @@ -51,7 +51,7 @@ def get_issuer(self): issuer = None issuer_nodes = self.__query('/samlp:LogoutResponse/saml:Issuer') if len(issuer_nodes) == 1: - issuer = issuer_nodes[0].text + issuer = OneLogin_Saml2_XML.element_text(issuer_nodes[0]) return issuer def get_status(self): diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py index c2d35da7..1177bc31 100644 --- a/src/onelogin/saml2/response.py +++ b/src/onelogin/saml2/response.py @@ -359,7 +359,7 @@ def get_audiences(self): :rtype: list """ audience_nodes = self.__query_assertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience') - return [node.text for node in audience_nodes if node.text is not None] + return [OneLogin_Saml2_XML.element_text(node) for node in audience_nodes if OneLogin_Saml2_XML.element_text(node) is not None] def get_issuers(self): """ @@ -373,7 +373,9 @@ def get_issuers(self): message_issuer_nodes = OneLogin_Saml2_XML.query(self.document, '/samlp:Response/saml:Issuer') if len(message_issuer_nodes) > 0: if len(message_issuer_nodes) == 1: - issuers.add(message_issuer_nodes[0].text) + issuer_value = OneLogin_Saml2_XML.element_text(message_issuer_nodes[0]) + if issuer_value: + issuers.add(issuer_value) else: raise OneLogin_Saml2_ValidationError( 'Issuer of the Response is multiple.', @@ -382,7 +384,9 @@ def get_issuers(self): assertion_issuer_nodes = self.__query_assertion('/saml:Issuer') if len(assertion_issuer_nodes) == 1: - issuers.add(assertion_issuer_nodes[0].text) + issuer_value = OneLogin_Saml2_XML.element_text(assertion_issuer_nodes[0]) + if issuer_value: + issuers.add(issuer_value) else: raise OneLogin_Saml2_ValidationError( 'Issuer of the Assertion not found or multiple.', @@ -420,13 +424,13 @@ def get_nameid_data(self): OneLogin_Saml2_ValidationError.NO_NAMEID ) else: - if is_strict and want_nameid and not nameid.text: + if is_strict and want_nameid and not OneLogin_Saml2_XML.element_text(nameid): raise OneLogin_Saml2_ValidationError( 'An empty NameID value found', OneLogin_Saml2_ValidationError.EMPTY_NAMEID ) - nameid_data = {'Value': nameid.text} + nameid_data = {'Value': OneLogin_Saml2_XML.element_text(nameid)} for attr in ['Format', 'SPNameQualifier', 'NameQualifier']: value = nameid.get(attr, None) if value: @@ -521,7 +525,12 @@ def get_attributes(self): values = [] for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']): - values.append(attr.text) + attr_text = OneLogin_Saml2_XML.element_text(attr) + if attr_text: + attr_text = attr_text.strip() + if attr_text: + values.append(attr_text) + attributes[attr_name] = values return attributes diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index a839b008..22e1228b 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -653,7 +653,7 @@ def get_status(dom): if len(subcode_entry) == 1: status['msg'] = subcode_entry[0].values()[0] elif len(message_entry) == 1: - status['msg'] = message_entry[0].text + status['msg'] = OneLogin_Saml2_XML.element_text(message_entry[0]) return status @@ -931,7 +931,7 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger x509_certificate_nodes = OneLogin_Saml2_XML.query(signature_node, '//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate') if len(x509_certificate_nodes) > 0: x509_certificate_node = x509_certificate_nodes[0] - x509_cert_value = x509_certificate_node.text + x509_cert_value = OneLogin_Saml2_XML.element_text(x509_certificate_node) x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value, fingerprintalg) if fingerprint == x509_fingerprint_value: cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value) diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py index 5063f475..4d9937de 100644 --- a/src/onelogin/saml2/xml_utils.py +++ b/src/onelogin/saml2/xml_utils.py @@ -156,3 +156,8 @@ def extract_tag_text(xml, tagname): end = xml.find(close_tag, start) + len(close_tag) assert end != -1 return compat.to_string(xml[start:end]) + + @staticmethod + def element_text(node): + etree.strip_tags(node, etree.Comment) + return node.text diff --git a/tests/data/responses/response_node_text_attack.xml.base64 b/tests/data/responses/response_node_text_attack.xml.base64 new file mode 100644 index 00000000..ba9f2f12 --- /dev/null +++ b/tests/data/responses/response_node_text_attack.xml.base64 @@ -0,0 +1 @@ +PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIuMCIgSUQ9InBmeGE0NjU3NGRmLWIzYjAtYTA2YS0yM2M4LTYzNjQxMzE5ODc3MiIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzEzNTkwPC9zYW1sOklzc3Vlcj4NCiAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCiAgICAgIDxkczpTaWduZWRJbmZvPg0KICAgICAgICA8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+DQogICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4YTQ2NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIj4NCiAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4NCiAgICAgICAgICA8ZHM6RGlnZXN0VmFsdWU+cEpRN01TL2VrNEtSUldHbXYvSDQzUmVIWU1zPTwvZHM6RGlnZXN0VmFsdWU+DQogICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPnlpdmVLY1BkRHB1RE5qNnNoclEzQUJ3ci9jQTNDcnlEMnBoRy94TFpzektXeFU1L21sYUt0OGV3YlpPZEtLdnRPczJwSEJ5NUR1YTNrOTRBRnp4R3llbDVnT293bW95WEpyQU9ya1BPMHZsaTFWOG8zaFBQVVp3UmdTWDZROXBTMUNxUWdoS2lFYXNSeXlscXFKVWFQWXptT3pPRTgvWGxNa3dpV21PMD08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgIDxkczpYNTA5RGF0YT4NCiAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUJyVENDQWFHZ0F3SUJBZ0lCQVRBREJnRUFNR2N4Q3pBSkJnTlZCQVlUQWxWVE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUhEQXhUWVc1MFlTQk5iMjVwWTJFeEVUQVBCZ05WQkFvTUNFOXVaVXh2WjJsdU1Sa3dGd1lEVlFRRERCQmhjSEF1YjI1bGJHOW5hVzR1WTI5dE1CNFhEVEV3TURNd09UQTVOVGcwTlZvWERURTFNRE13T1RBNU5UZzBOVm93WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RlRBVEJnTlZCQWNNREZOaGJuUmhJRTF2Ym1sallURVJNQThHQTFVRUNnd0lUMjVsVEc5bmFXNHhHVEFYQmdOVkJBTU1FR0Z3Y0M1dmJtVnNiMmRwYmk1amIyMHdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBT2pTdTFmalB5OGQ1dzRReUwxemQ0aEl3MU1ra2ZmNFdZL1RMRzhPWmtVNVlUU1dtbUhQRDVrdllINXVvWFMvNnFRODFxWHBSMndWOENUb3daSlVMZzA5ZGRSZFJuOFFzcWoxRnlPQzVzbEUzeTJiWjJvRnVhNzJvZi80OWZwdWpuRlQ2S25RNjFDQk1xbERvVFFxT1Q2MnZHSjhuUDZNWld2QTZzeHF1ZDVBZ01CQUFFd0F3WUJBQU1CQUE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPg0KICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgIDwvZHM6U2lnbmF0dXJlPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnN1cHBvcnQ8IS0tIGF0dGFjayEgLS0+QG9uZWxvZ2luLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiIFJlY2lwaWVudD0ie3JlY2lwaWVudH0iLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQyMTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+e2F1ZGllbmNlfTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMTlUMjE6NTc6MzdaIiBTZXNzaW9uSW5kZXg9Il81MzFjMzJkMjgzYmRmZjdlMDRlNDg3YmNkYmM0ZGQ4ZCI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9InN1cm5hbWUiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnM8IS0tIGF0dGFjayEgLS0+bWl0aDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0iYW5vdGhlcl92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dmFsdWUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnZhbHVlMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0icm9sZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+cm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImZpcnN0bmFtZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+Ym9iPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4gIA0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImF0dHJpYnV0ZV93aXRoX25pbF92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOm5pbD0idHJ1ZSIvPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhdHRyaWJ1dGVfd2l0aF9uaWxzX2FuZF9lbXB0eV9zdHJpbmdzIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUvPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZT52YWx1ZVByZXNlbnQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOm5pbD0idHJ1ZSIvPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTpuaWw9IjEiLz4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+ \ No newline at end of file diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index df2ae703..9a02882b 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -634,6 +634,19 @@ def testDoesNotAllowSignatureWrappingAttack(self): self.assertEqual('test@onelogin.com', response.get_nameid()) self.assertFalse(response.is_valid(self.get_request_data())) + def testNodeTextAttack(self): + """ + Tests the get_nameid and get_attributes methods of the OneLogin_Saml2_Response + Test that the node text with comment attack (VU#475445) is not allowed + """ + xml = self.file_contents(join(self.data_path, 'responses', 'response_node_text_attack.xml.base64')) + settings = OneLogin_Saml2_Settings(self.loadSettingsJSON()) + response = OneLogin_Saml2_Response(settings, xml) + attributes = response.get_attributes() + nameid = response.get_nameid() + self.assertEqual("smith", attributes.get('surname')[0]) + self.assertEqual('support@onelogin.com', nameid) + def testGetSessionNotOnOrAfter(self): """ Tests the get_session_not_on_or_after method of the OneLogin_Saml2_Response From 3ed4e5cf2e42b3915f1283908abb461a7bb8be1f Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 27 Feb 2018 15:31:31 +0100 Subject: [PATCH 077/331] Improve how fingerprint is calcultated --- src/onelogin/saml2/utils.py | 32 +++++++++++-------- .../src/OneLogin/saml2_tests/response_test.py | 2 +- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py index 22e1228b..ce226cbb 100644 --- a/src/onelogin/saml2/utils.py +++ b/src/onelogin/saml2/utils.py @@ -498,9 +498,9 @@ def delete_local_session(callback=None): @staticmethod def calculate_x509_fingerprint(x509_cert, alg='sha1'): """ - Calculates the fingerprint of a x509cert. + Calculates the fingerprint of a formatted x509cert. - :param x509_cert: x509 cert + :param x509_cert: x509 cert formatted :type: string :param alg: The algorithm to build the fingerprint @@ -513,22 +513,27 @@ def calculate_x509_fingerprint(x509_cert, alg='sha1'): lines = x509_cert.split('\n') data = '' + inData = False for line in lines: # Remove '\r' from end of line if present. line = line.rstrip() - if line == '-----BEGIN CERTIFICATE-----': - # Delete junk from before the certificate. - data = '' - elif line == '-----END CERTIFICATE-----': - # Ignore data after the certificate. - break - elif line == '-----BEGIN PUBLIC KEY-----' or line == '-----BEGIN RSA PRIVATE KEY-----': - # This isn't an X509 certificate. - return None + if not inData: + if line == '-----BEGIN CERTIFICATE-----': + inData = True + elif line == '-----BEGIN PUBLIC KEY-----' or line == '-----BEGIN RSA PRIVATE KEY-----': + # This isn't an X509 certificate. + return None else: + if line == '-----END CERTIFICATE-----': + break + # Append the current line to the certificate data. data += line + + if not data: + return None + decoded_data = base64.b64decode(compat.to_bytes(data)) if alg == 'sha512': @@ -932,9 +937,10 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger if len(x509_certificate_nodes) > 0: x509_certificate_node = x509_certificate_nodes[0] x509_cert_value = OneLogin_Saml2_XML.element_text(x509_certificate_node) - x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value, fingerprintalg) + x509_cert_value_formatted = OneLogin_Saml2_Utils.format_cert(x509_cert_value) + x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value_formatted, fingerprintalg) if fingerprint == x509_fingerprint_value: - cert = OneLogin_Saml2_Utils.format_cert(x509_cert_value) + cert = x509_cert_value_formatted if cert is None or cert == '': raise OneLogin_Saml2_Error( diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py index 9a02882b..bd9a4280 100644 --- a/tests/src/OneLogin/saml2_tests/response_test.py +++ b/tests/src/OneLogin/saml2_tests/response_test.py @@ -1332,7 +1332,7 @@ def testIsValid2(self): self.assertTrue(response_2.is_valid(self.get_request_data())) settings_info_3 = self.loadSettingsJSON('settings2.json') - idp_cert = settings_info_3['idp']['x509cert'] + idp_cert = OneLogin_Saml2_Utils.format_cert(settings_info_3['idp']['x509cert']) settings_info_3['idp']['certFingerprint'] = OneLogin_Saml2_Utils.calculate_x509_fingerprint(idp_cert) settings_info_3['idp']['x509cert'] = '' settings_3 = OneLogin_Saml2_Settings(settings_info_3) From bfa51108beded2db2aebf6ad4627de179c6e88e2 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 27 Feb 2018 16:30:59 +0100 Subject: [PATCH 078/331] Release 1.4.0 --- README.md | 6 +++++- changelog.md | 10 ++++++++++ setup.py | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8a723882..1bb49c91 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,11 @@ This version supports Python3, There is a separate version that only support Pyt #### Warning #### -Release 1.2.6 adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672) +Update python-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability. + +That version also change how calculate fingerprint method works, and will expect as input a formatted x509 certificate + +Update python-saml3 to 1.2.6 that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672) Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json) diff --git a/changelog.md b/changelog.md index fb747fa1..71f85885 100644 --- a/changelog.md +++ b/changelog.md @@ -1,4 +1,14 @@ # python3-saml changelog + +### 1.4.0 (Feb 27, 2018) +* Fix vulnerability [CVE-2017-11427](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427). Process text of nodes properly, ignoring comments +* Improve how fingerprint is calcultated +* Fix issue with LogoutRequest rejected by ADFS due NameID with unspecified format instead no format attribute +* Fix signature position in the SP metadata +* [#80](https://github.com/onelogin/python3-saml/pull/80) Preserve xmlns:xs namespace when signing and serializing responses +* Redefine NSMAP constant +* Updated Django demo (Django 1.11). + ### 1.3.0 (Sep 15, 2017) * Improve decrypt method, Add an option to decrypt an element in place or copy it before decryption. * [#63](https://github.com/onelogin/python3-saml/pull/63) Be able to get at the auth object the last processed ID (response/assertion) and the last generated ID, as well as the NotOnOrAfter value of the valid SubjectConfirmationData in the processed SAMLResponse diff --git a/setup.py b/setup.py index fee27292..c8882163 100644 --- a/setup.py +++ b/setup.py @@ -9,7 +9,7 @@ setup( name='python3-saml', - version='1.3.0', + version='1.4.0', description='Onelogin Python Toolkit. Add SAML support to your Python software using this library', classifiers=[ 'Development Status :: 5 - Production/Stable', From 76a5576bd8d7179a22f47a0682b250d2fd0b6d7e Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Tue, 27 Feb 2018 17:31:22 +0100 Subject: [PATCH 079/331] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1bb49c91..eb0b3127 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ This version supports Python3, There is a separate version that only support Pyt Update python-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability. -That version also change how calculate fingerprint method works, and will expect as input a formatted x509 certificate +This version also changes how the calculate fingerprint method works, and will expect as input a formatted x509 certificate Update python-saml3 to 1.2.6 that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672) From 817a1363e7cd1121b02a9f8863615939eef6dc77 Mon Sep 17 00:00:00 2001 From: frennkie Date: Sat, 17 Mar 2018 11:35:44 +0100 Subject: [PATCH 080/331] use print with round brackets (compatible) --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index eb0b3127..47d38204 100644 --- a/README.md +++ b/README.md @@ -624,9 +624,9 @@ saml_settings = auth.get_settings() metadata = saml_settings.get_sp_metadata() errors = saml_settings.validate_metadata(metadata) if len(errors) == 0: - print metadata + print(metadata) else: - print "Error found on Metadata: %s" % (', '.join(errors)) + print("Error found on Metadata: %s" % (', '.join(errors))) ``` The get_sp_metadata will return the metadata signed or not based on the security info of the advanced_settings.json ('signMetadata'). @@ -656,11 +656,11 @@ if not errors: auth.redirect_to(req['post_data']['RelayState']) else: for attr_name in request.session['samlUserdata'].keys(): - print '%s ==> %s' % (attr_name, '|| '.join(request.session['samlUserdata'][attr_name])) + print('%s ==> %s' % (attr_name, '|| '.join(request.session['samlUserdata'][attr_name]))) else: - print 'Not authenticated' + print('Not authenticated') else: - print "Error when processing SAML Response: %s" % (', '.join(errors)) + print("Error when processing SAML Response: %s" % (', '.join(errors))) ``` The SAML response is processed and then checked that there are no errors. It also verifies that the user is authenticated and stored the userdata in session. @@ -697,9 +697,9 @@ The following code is equivalent: ```python attributes = auth.get_attributes(); -print attributes['cn'] +print(attributes['cn']) -print auth.get_attribute('cn') +print(auth.get_attribute('cn')) ``` Before trying to get an attribute, check that the user is authenticated. If the user isn't authenticated, an empty dict will be returned. For example, if we call to get_attributes before a auth.process_response, the get_attributes() will return an empty dict. @@ -717,9 +717,9 @@ if len(errors) == 0: if url is not None: return redirect(url) else: - print "Sucessfully Logged out" + print("Sucessfully Logged out") else: - print "Error when processing SLO: %s" % (', '.join(errors)) + print("Error when processing SLO: %s" % (', '.join(errors))) ``` If the SLS endpoints receives a Logout Response, the response is validated and the session could be closed, using the callback. @@ -848,9 +848,9 @@ elif 'sls' in request.args: # Single msg = "Sucessfully logged out" if len(errors) == 0: - print msg + print(msg) else: - print ', '.join(errors) + print(', '.join(errors)) ``` From 783fc6716a5453dbcbcbd57f5198004139113f51 Mon Sep 17 00:00:00 2001 From: Stephen Fuhry Date: Wed, 21 Mar 2018 11:41:43 +0000 Subject: [PATCH 081/331] test framework should run on 2.7, 3.4, 3.5, & 3.6 --- .gitignore | 1 + .travis.yml | 12 ++++-------- README.md | 2 +- setup.py | 4 +++- 4 files changed, 9 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index ca8905ff..c16b943e 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,7 @@ __pycache_ .coverage .pypirc /.idea +.mypy_cache/ *.key *.crt diff --git a/.travis.yml b/.travis.yml index b38e5565..39b74bb1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,13 +1,9 @@ language: python python: - - '2.7.6' -# - '2.7.9' -# - '2.7.12' -# - '3.3.4' -# - '3.3.5' -# - '3.3.6' - - '3.4.3' - - '3.5.0' + - '2.7' + - '3.4' + - '3.5' + - '3.6' install: - sudo apt-get update -qq diff --git a/README.md b/README.md index 47d38204..9a3b2ec2 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ Installation ### Dependencies ### - * python 2.7 // python 3.3 + * python 2.7 // python 3.6 * [xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library. * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/ duration parser and formatter diff --git a/setup.py b/setup.py index c8882163..2182ad9e 100644 --- a/setup.py +++ b/setup.py @@ -17,7 +17,9 @@ 'Intended Audience :: System Administrators', 'Operating System :: OS Independent', 'Programming Language :: Python :: 2.7', - 'Programming Language :: Python :: 3.3', + 'Programming Language :: Python :: 3.4', + 'Programming Language :: Python :: 3.5', + 'Programming Language :: Python :: 3.6', ], author='OneLogin', author_email='support@onelogin.com', From 724252bb9e33910953d2114b618c356c8b82f1fc Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Mon, 23 Apr 2018 19:00:37 +0200 Subject: [PATCH 082/331] Fix #87. Update copyright and license reference --- LICENSE | 2 +- docs/saml2/_modules/saml2/auth.html | 4 ++-- docs/saml2/_modules/saml2/authn_request.html | 4 ++-- docs/saml2/_modules/saml2/constants.html | 4 ++-- docs/saml2/_modules/saml2/errors.html | 4 ++-- docs/saml2/_modules/saml2/logout_request.html | 4 ++-- docs/saml2/_modules/saml2/logout_response.html | 4 ++-- docs/saml2/_modules/saml2/metadata.html | 4 ++-- docs/saml2/_modules/saml2/response.html | 4 ++-- docs/saml2/_modules/saml2/settings.html | 4 ++-- docs/saml2/_modules/saml2/utils.html | 4 ++-- setup.py | 4 ++-- src/onelogin/__init__.py | 4 ++-- src/onelogin/saml2/__init__.py | 4 ++-- src/onelogin/saml2/auth.py | 4 ++-- src/onelogin/saml2/authn_request.py | 4 ++-- src/onelogin/saml2/compat.py | 4 ++-- src/onelogin/saml2/constants.py | 4 ++-- src/onelogin/saml2/errors.py | 4 ++-- src/onelogin/saml2/idp_metadata_parser.py | 4 ++-- src/onelogin/saml2/logout_request.py | 4 ++-- src/onelogin/saml2/logout_response.py | 4 ++-- src/onelogin/saml2/metadata.py | 4 ++-- src/onelogin/saml2/response.py | 4 ++-- src/onelogin/saml2/settings.py | 4 ++-- src/onelogin/saml2/utils.py | 4 ++-- src/onelogin/saml2/xml_templates.py | 4 ++-- src/onelogin/saml2/xml_utils.py | 4 ++-- tests/src/OneLogin/saml2_tests/auth_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/authn_request_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/error_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/logout_request_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/logout_response_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/metadata_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/response_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/settings_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/signed_response_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/utils_test.py | 4 ++-- tests/src/OneLogin/saml2_tests/xml_utils_test.py | 4 ++-- 40 files changed, 79 insertions(+), 79 deletions(-) diff --git a/LICENSE b/LICENSE index dbbca9c6..1c8f814e 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2010-2016 OneLogin, Inc. +Copyright (c) 2010-2018 OneLogin, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation diff --git a/docs/saml2/_modules/saml2/auth.html b/docs/saml2/_modules/saml2/auth.html index 7efab654..f70e70b2 100644 --- a/docs/saml2/_modules/saml2/auth.html +++ b/docs/saml2/_modules/saml2/auth.html @@ -51,8 +51,8 @@

    Navigation

    Source code for saml2.auth

     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64encode
 from urllib import urlencode, quote
diff --git a/docs/saml2/_modules/saml2/authn_request.html b/docs/saml2/_modules/saml2/authn_request.html
index 674eae42..207ee7a6 100644
--- a/docs/saml2/_modules/saml2/authn_request.html
+++ b/docs/saml2/_modules/saml2/authn_request.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.authn_request
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64encode
 from datetime import datetime
diff --git a/docs/saml2/_modules/saml2/constants.html b/docs/saml2/_modules/saml2/constants.html
index 3b098931..306ec1b3 100644
--- a/docs/saml2/_modules/saml2/constants.html
+++ b/docs/saml2/_modules/saml2/constants.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.constants
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 
 
    [docs]class OneLogin_Saml2_Constants:
diff --git a/docs/saml2/_modules/saml2/errors.html b/docs/saml2/_modules/saml2/errors.html
index e33ebb39..ef958f31 100644
--- a/docs/saml2/_modules/saml2/errors.html
+++ b/docs/saml2/_modules/saml2/errors.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.errors
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 
 
    [docs]class OneLogin_Saml2_Error(Exception):
diff --git a/docs/saml2/_modules/saml2/logout_request.html b/docs/saml2/_modules/saml2/logout_request.html
index b6cddbc1..1b690dd4 100644
--- a/docs/saml2/_modules/saml2/logout_request.html
+++ b/docs/saml2/_modules/saml2/logout_request.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.logout_request
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64decode
 from datetime import datetime
diff --git a/docs/saml2/_modules/saml2/logout_response.html b/docs/saml2/_modules/saml2/logout_response.html
index dc6037d1..3ea3bbf7 100644
--- a/docs/saml2/_modules/saml2/logout_response.html
+++ b/docs/saml2/_modules/saml2/logout_response.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.logout_response
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64decode
 from datetime import datetime
diff --git a/docs/saml2/_modules/saml2/metadata.html b/docs/saml2/_modules/saml2/metadata.html
index 055db317..7b0a1be5 100644
--- a/docs/saml2/_modules/saml2/metadata.html
+++ b/docs/saml2/_modules/saml2/metadata.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.metadata
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from time import gmtime, strftime
 from datetime import datetime
diff --git a/docs/saml2/_modules/saml2/response.html b/docs/saml2/_modules/saml2/response.html
index 219be1b8..d3fee4e3 100644
--- a/docs/saml2/_modules/saml2/response.html
+++ b/docs/saml2/_modules/saml2/response.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.response
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64decode
 from copy import deepcopy
diff --git a/docs/saml2/_modules/saml2/settings.html b/docs/saml2/_modules/saml2/settings.html
index c18ebdf9..42800b51 100644
--- a/docs/saml2/_modules/saml2/settings.html
+++ b/docs/saml2/_modules/saml2/settings.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.settings
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from datetime import datetime
 import json
diff --git a/docs/saml2/_modules/saml2/utils.html b/docs/saml2/_modules/saml2/utils.html
index 726ba9dd..613d2a09 100644
--- a/docs/saml2/_modules/saml2/utils.html
+++ b/docs/saml2/_modules/saml2/utils.html
@@ -51,8 +51,8 @@ 
    Navigation
    
   
    Source code for saml2.utils
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import base64
 from datetime import datetime
diff --git a/setup.py b/setup.py
index 2182ad9e..ef9ab63f 100644
--- a/setup.py
+++ b/setup.py
@@ -1,8 +1,8 @@
 #! /usr/bin/env python
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from setuptools import setup
 
diff --git a/src/onelogin/__init__.py b/src/onelogin/__init__.py
index 110bc9df..ba664a65 100644
--- a/src/onelogin/__init__.py
+++ b/src/onelogin/__init__.py
@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Add SAML support to your Python softwares using this library.
 Forget those complicated libraries and use that open source
diff --git a/src/onelogin/saml2/__init__.py b/src/onelogin/saml2/__init__.py
index 110bc9df..ba664a65 100644
--- a/src/onelogin/saml2/__init__.py
+++ b/src/onelogin/saml2/__init__.py
@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Add SAML support to your Python softwares using this library.
 Forget those complicated libraries and use that open source
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 25f3e5b9..df732701 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Auth class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Main class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index ee6e1d2b..2a1eda88 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Authn_Request class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 AuthNRequest class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/compat.py b/src/onelogin/saml2/compat.py
index ce0296ea..13fe5a6f 100644
--- a/src/onelogin/saml2/compat.py
+++ b/src/onelogin/saml2/compat.py
@@ -2,8 +2,8 @@
 
 """ py3 compatibility class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 """
 
diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py
index a570b884..edc765bf 100644
--- a/src/onelogin/saml2/constants.py
+++ b/src/onelogin/saml2/constants.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Constants class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Constants class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py
index 22f2a926..140b1ed3 100644
--- a/src/onelogin/saml2/errors.py
+++ b/src/onelogin/saml2/errors.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Error class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Error class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 7fc11958..093cf92f 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 
 """ OneLogin_Saml2_IdPMetadataParser class
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 Metadata class of OneLogin's Python Toolkit.
 """
 
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 2ca540c0..152765e4 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Logout_Request class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Logout Request class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index e568d6e0..75dc089c 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Logout_Response class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Logout Response class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index e66e542d..9d58e5b7 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -2,8 +2,8 @@
 
 """ OneLoginSaml2Metadata class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Metadata class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 1177bc31..fe7b9f71 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Response class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 SAML Response class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index f38343c1..4dd6b220 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Settings class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Setting class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index ce226cbb..07dfe9d4 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Utils class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Auxiliary class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/xml_templates.py b/src/onelogin/saml2/xml_templates.py
index 6be5c536..99025546 100644
--- a/src/onelogin/saml2/xml_templates.py
+++ b/src/onelogin/saml2/xml_templates.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_Auth class
 
-Copyright (c) 2014, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Main class of OneLogin's Python Toolkit.
 
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
index 4d9937de..03d826a6 100644
--- a/src/onelogin/saml2/xml_utils.py
+++ b/src/onelogin/saml2/xml_utils.py
@@ -2,8 +2,8 @@
 
 """ OneLogin_Saml2_XML class
 
-Copyright (c) 2015, OneLogin, Inc.
-All rights reserved.
+Copyright (c) 2010-2018 OneLogin, Inc.
+MIT License
 
 Auxiliary class of OneLogin's Python Toolkit.
 
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index d851f126..87730a20 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64decode, b64encode
 import json
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
index abbded20..c0dcbf2c 100644
--- a/tests/src/OneLogin/saml2_tests/authn_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/error_test.py b/tests/src/OneLogin/saml2_tests/error_test.py
index 8758f736..cd7546b7 100644
--- a/tests/src/OneLogin/saml2_tests/error_test.py
+++ b/tests/src/OneLogin/saml2_tests/error_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import unittest
 from onelogin.saml2.errors import OneLogin_Saml2_Error
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index f919e1f2..952f9b18 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 try:
     from urllib.error import URLError
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index 843ccb7b..d606ca89 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index f273f6fb..eda0b9f3 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index edee2321..2c926f8a 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index bd9a4280..0f33c0a5 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64decode
 from lxml import etree
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index f33ec10e..75031009 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 from os.path import dirname, join, exists, sep
diff --git a/tests/src/OneLogin/saml2_tests/signed_response_test.py b/tests/src/OneLogin/saml2_tests/signed_response_test.py
index ec493014..45afb505 100644
--- a/tests/src/OneLogin/saml2_tests/signed_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/signed_response_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index a1d7817e..366a125b 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 from base64 import b64decode
 import json
diff --git a/tests/src/OneLogin/saml2_tests/xml_utils_test.py b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
index 7043b4e4..507575f1 100644
--- a/tests/src/OneLogin/saml2_tests/xml_utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2014, OneLogin, Inc.
-# All rights reserved.
+# Copyright (c) 2010-2018 OneLogin, Inc.
+# MIT License
 
 import json
 import unittest

From a4e998358113ef496d2cd1356800a97641c7e5c2 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 23 Apr 2018 19:22:05 +0200
Subject: [PATCH 083/331] Update coveralls and coverage dependency version

---
 setup.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup.py b/setup.py
index ef9ab63f..76ff881d 100644
--- a/setup.py
+++ b/setup.py
@@ -42,12 +42,12 @@
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={
         'test': (
-            'coverage==3.7.1',
+            'coverage>=3.6',
             'freezegun==0.3.5',
             'pylint==1.3.1',
             'pep8==1.5.7',
             'pyflakes==0.8.1',
-            'coveralls==0.4.4',
+            'coveralls==1.1',
         ),
     },
     keywords='saml saml2 xmlsec django flask pyramid python3',

From 73f646cdf8f4ea78f7db4f327a4e18f4c72571fc Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 24 Apr 2018 12:23:42 +0200
Subject: [PATCH 084/331] Fix #94. Add ID to EntityDescriptor before sign it on
 add_sign method

---
 src/onelogin/saml2/utils.py                   | 20 +++++++++++++------
 .../src/OneLogin/saml2_tests/metadata_test.py |  2 ++
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 07dfe9d4..9daf17d2 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -728,9 +728,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant
             raise Exception('Empty string supplied as input')
 
         elem = OneLogin_Saml2_XML.to_etree(xml)
-        xmlsec.enable_debug_trace(debug)
-        xmlsec.tree.add_ids(elem, ["ID"])
-        # Sign the metadata with our private key.
+
         sign_algorithm_transform_map = {
             OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
             OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.Transform.RSA_SHA1,
@@ -746,16 +744,26 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant
         if len(issuer) > 0:
             issuer = issuer[0]
             issuer.addnext(signature)
+            elem_to_sign = issuer.getparent()
         else:
             entity_descriptor = OneLogin_Saml2_XML.query(elem, '//md:EntityDescriptor')
             if len(entity_descriptor) > 0:
                 elem.insert(0, signature)
             else:
                 elem[0].insert(0, signature)
+            elem_to_sign = elem
 
-        elem_id = elem.get('ID', None)
-        if elem_id:
-            elem_id = '#' + elem_id
+        elem_id = elem_to_sign.get('ID', None)
+        if elem_id is not None:
+            if elem_id:
+                elem_id = '#' + elem_id
+        else:
+            generated_id = generated_id = OneLogin_Saml2_Utils.generate_unique_id()
+            elem_id = '#' + generated_id
+            elem_to_sign.attrib['ID'] = generated_id
+
+        xmlsec.enable_debug_trace(debug)
+        xmlsec.tree.add_ids(elem_to_sign, ["ID"])
 
         digest_algorithm_transform_map = {
             OneLogin_Saml2_Constants.SHA1: xmlsec.Transform.SHA1,
diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index 2c926f8a..07dca694 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -208,6 +208,7 @@ def testSignMetadata(self):
 
         self.assertIn('
Date: Tue, 24 Apr 2018 18:27:30 +0200
Subject: [PATCH 085/331] Add test for generated signed_metadata

---
 tests/src/OneLogin/saml2_tests/metadata_test.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index 07dca694..8c6acb1b 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -13,6 +13,7 @@
 from onelogin.saml2.metadata import OneLogin_Saml2_Metadata
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils
 from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
 
 
@@ -205,6 +206,7 @@ def testSignMetadata(self):
         cert = self.file_contents(join(cert_path, 'sp.crt'))
 
         signed_metadata = compat.to_string(OneLogin_Saml2_Metadata.sign_metadata(metadata, key, cert))
+        self.assertTrue(OneLogin_Saml2_Utils.validate_metadata_sign(signed_metadata, cert))
 
         self.assertIn('
Date: Wed, 25 Apr 2018 16:00:43 +0200
Subject: [PATCH 086/331] Release 1.4.1

---
 changelog.md | 4 ++++
 setup.py     | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 71f85885..bed7b450 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,8 @@
 # python3-saml changelog
+### 1.4.1 (Apr 25, 2018)
+* Add ID to EntityDescriptor before sign it on add_sign method.
+* Update defusedxml, coveralls and coverage dependencies
+* Update copyright and license reference
 
 ### 1.4.0 (Feb 27, 2018)
 * Fix vulnerability [CVE-2017-11427](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11427). Process text of nodes properly, ignoring comments
diff --git a/setup.py b/setup.py
index 76ff881d..7b822c93 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.4.0',
+    version='1.4.1',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From 3da2298a2f6d4f8f841b4f3a9ab8eac43466d040 Mon Sep 17 00:00:00 2001
From: Jeff Franklin 
Date: Mon, 28 May 2018 18:15:23 -0700
Subject: [PATCH 087/331] Check that the response has all of the AuthnContexts
 that we provided in the request.

---
 README.md                                     |  4 +-
 src/onelogin/saml2/auth.py                    |  9 +++++
 src/onelogin/saml2/errors.py                  |  1 +
 src/onelogin/saml2/response.py                | 22 +++++++++++
 src/onelogin/saml2/settings.py                |  1 +
 tests/src/OneLogin/saml2_tests/auth_test.py   | 14 +++++++
 .../src/OneLogin/saml2_tests/response_test.py | 38 +++++++++++++++++++
 7 files changed, 88 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 9a3b2ec2..e4505f4f 100644
--- a/README.md
+++ b/README.md
@@ -396,11 +396,13 @@ In addition to the required settings data (idp, sp), extra settings can be defin
 
         // Authentication context.
         // Set to false and no AuthContext will be sent in the AuthNRequest,
-        // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+        // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
         // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
         "requestedAuthnContext": true,
 	// Allows the authn comparison parameter to be set, defaults to 'exact' if the setting is not present.
         "requestedAuthnContextComparison": "exact",
+        // Set to true to check that the AuthnContext received matches the one requested.
+        "failOnAuthnContextMismatch": false,
 
         // In some environment you will need to set how long the published metadata of the Service Provider gonna be valid.
         // is possible to not set the 2 following parameters (or set to null) and default values will be set (2 days, 1 week)
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index df732701..44717f08 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -63,6 +63,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self.__last_request_id = None
         self.__last_message_id = None
         self.__last_assertion_id = None
+        self.__last_authn_contexts = []
         self.__last_request = None
         self.__last_response = None
         self.__last_assertion_not_on_or_after = None
@@ -110,6 +111,7 @@ def process_response(self, request_id=None):
                 self.__session_expiration = response.get_session_not_on_or_after()
                 self.__last_message_id = response.get_id()
                 self.__last_assertion_id = response.get_assertion_id()
+                self.__last_authn_contexts = response.get_authn_contexts()
                 self.__authenticated = True
                 self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
 
@@ -318,6 +320,13 @@ def get_last_assertion_id(self):
         """
         return self.__last_assertion_id
 
+    def get_last_authn_contexts(self):
+        """
+        :returns: The list of authentication contexts sent in the last SAML resposne.
+        :rtype: list
+        """
+        return self.__last_authn_contexts
+
     def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True):
         """
         Initiates the SSO process.
diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py
index 140b1ed3..6faba2e2 100644
--- a/src/onelogin/saml2/errors.py
+++ b/src/onelogin/saml2/errors.py
@@ -109,6 +109,7 @@ class OneLogin_Saml2_ValidationError(Exception):
     INVALID_SIGNATURE = 42
     WRONG_NUMBER_OF_SIGNATURES = 43
     RESPONSE_EXPIRED = 44
+    AUTHN_CONTEXT_MISMATCH = 45
 
     def __init__(self, message, code=0, errors=None):
         """
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index fe7b9f71..4da2e652 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -161,6 +161,18 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                         OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_AUTHSTATEMENTS
                     )
 
+                # Checks that the response has all of the AuthnContexts that we provided in the request.
+                # Only check if failOnAuthnContextMismatch is true and requestedAuthnContext is set to a list.
+                requested_authn_contexts = security['requestedAuthnContext']
+                if security['failOnAuthnContextMismatch'] and requested_authn_contexts and requested_authn_contexts is not True:
+                    authn_contexts = self.get_authn_contexts()
+                    unmatched_contexts = set(requested_authn_contexts).difference(authn_contexts)
+                    if unmatched_contexts:
+                        raise OneLogin_Saml2_ValidationError(
+                            'The AuthnContext "%s" didn\'t include requested context "%s"' % (', '.join(authn_contexts), ', '.join(unmatched_contexts)),
+                            OneLogin_Saml2_ValidationError.AUTHN_CONTEXT_MISMATCH
+                        )
+
                 # Checks that there is at least one AttributeStatement if required
                 attribute_statement_nodes = self.__query_assertion('/saml:AttributeStatement')
                 if security.get('wantAttributeStatement', True) and not attribute_statement_nodes:
@@ -361,6 +373,16 @@ def get_audiences(self):
         audience_nodes = self.__query_assertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience')
         return [OneLogin_Saml2_XML.element_text(node) for node in audience_nodes if OneLogin_Saml2_XML.element_text(node) is not None]
 
+    def get_authn_contexts(self):
+        """
+        Gets the authentication contexts
+
+        :returns: The authentication classes for the SAML Response
+        :rtype: list
+        """
+        authn_context_nodes = self.__query_assertion('/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef')
+        return [OneLogin_Saml2_XML.element_text(node) for node in authn_context_nodes]
+
     def get_issuers(self):
         """
         Gets the issuers (from message and from assertion)
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 4dd6b220..003aa0ad 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -310,6 +310,7 @@ def __add_default_values(self):
         self.__sp.setdefault('privateKey', '')
 
         self.__security.setdefault('requestedAuthnContext', True)
+        self.__security.setdefault('failOnAuthnContextMismatch', False)
 
     def check_settings(self, settings):
         """
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 87730a20..2a2b557c 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1231,6 +1231,20 @@ def testGetLastAuthnRequest(self):
         )
         self.assertIn(expectedFragment, auth.get_last_request_xml())
 
+    def testGetLastAuthnContexts(self):
+        settings = self.loadSettingsJSON()
+        request_data = self.get_request()
+        message = self.file_contents(
+            join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        del request_data['get_data']
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+
+        auth.process_response()
+        self.assertEqual(auth.get_last_authn_contexts(), ['urn:oasis:names:tc:SAML:2.0:ac:classes:Password'])
+
     def testGetLastLogoutRequest(self):
         settings = self.loadSettingsJSON()
         auth = OneLogin_Saml2_Auth({'http_host': 'localhost', 'script_name': 'thing'}, old_settings=settings)
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 0f33c0a5..a0c61a69 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -932,6 +932,44 @@ def testIsInValidAudience(self):
         self.assertFalse(response_2.is_valid(request_data))
         self.assertIn('is not a valid audience for this Response', response_2.get_error())
 
+    def testIsInValidAuthenticationContext(self):
+        """
+        Tests that requestedAuthnContext, when set, is compared against the
+        response AuthnContext, which is what you use for two-factor
+        authentication. Without this check you can get back a valid response
+        that didn't complete the two-factor step.
+        """
+        request_data = self.get_request_data()
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        two_factor_context = 'urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken'
+        password_context = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
+        settings_dict = self.loadSettingsJSON()
+        settings_dict['security']['requestedAuthnContext'] = [two_factor_context]
+        settings_dict['security']['failOnAuthnContextMismatch'] = True
+        settings_dict['strict'] = True
+        settings = OneLogin_Saml2_Settings(settings_dict)
+
+        # check that we catch when the contexts don't match
+        response = OneLogin_Saml2_Response(settings, message)
+        self.assertFalse(response.is_valid(request_data))
+        self.assertIn('The AuthnContext "%s" didn\'t include requested context "%s"' % (password_context, two_factor_context), response.get_error())
+
+        # now drop in the expected AuthnContextClassRef and see that it passes
+        original_message = compat.to_string(OneLogin_Saml2_Utils.b64decode(message))
+        two_factor_message = original_message.replace(password_context, two_factor_context)
+        two_factor_message = OneLogin_Saml2_Utils.b64encode(two_factor_message)
+        response = OneLogin_Saml2_Response(settings, two_factor_message)
+        response.is_valid(request_data)
+        # check that we got as far as destination validation, which comes later
+        self.assertIn('The response was received at', response.get_error())
+
+        # with the default setting, check that we succeed with our original context
+        settings_dict['security']['requestedAuthnContext'] = True
+        settings = OneLogin_Saml2_Settings(settings_dict)
+        response = OneLogin_Saml2_Response(settings, message)
+        response.is_valid(request_data)
+        self.assertIn('The response was received at', response.get_error())
+
     def testIsInValidIssuer(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class

From 2fec2a8270b68f5f902f7986a07661854ac7ca98 Mon Sep 17 00:00:00 2001
From: SamvanLeipsig 
Date: Tue, 5 Jun 2018 11:20:20 +0200
Subject: [PATCH 088/331] fix confusing alternative naming of python3-saml in
 readme warning

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9a3b2ec2..4f9408a4 100644
--- a/README.md
+++ b/README.md
@@ -14,11 +14,11 @@ This version supports Python3, There is a separate version that only support Pyt
 
 #### Warning ####
 
-Update python-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
+Update python3-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
 
 This version also changes how the calculate fingerprint method works, and will expect as input a formatted x509 certificate
 
-Update python-saml3 to 1.2.6 that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
+Update python3-saml to 1.2.6 that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
 
 Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json)
 

From 09b543cdc2e13bebc112ff0338a50cdcc1dd1ae5 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 26 Jul 2018 13:44:50 +0200
Subject: [PATCH 089/331] Adapt renders from Django demo for Django 1.11
 version

---
 demo-django/demo/views.py | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index a74e6c68..398de41a 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -2,8 +2,7 @@
 from django.urls import reverse
 from django.http import (HttpResponse, HttpResponseRedirect,
                          HttpResponseServerError)
-from django.shortcuts import render_to_response
-from django.template import RequestContext
+from django.shortcuts import render
 
 from onelogin.saml2.auth import OneLogin_Saml2_Auth
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
@@ -78,13 +77,8 @@ def index(request):
         if len(request.session['samlUserdata']) > 0:
             attributes = request.session['samlUserdata'].items()
 
-    context = RequestContext(request, {'errors': errors,
-                                       'not_auth_warn': not_auth_warn,
-                                       'success_slo': success_slo,
-                                       'attributes': attributes,
-                                       'paint_logout': paint_logout}).flatten()
-    return render_to_response('index.html',
-                              context=context)
+    return render(request, 'index.html', {'errors': errors, 'not_auth_warn': not_auth_warn, 'success_slo': success_slo,
+                                          'attributes': attributes, 'paint_logout': paint_logout})        
 
 
 def attrs(request):
@@ -95,10 +89,9 @@ def attrs(request):
         paint_logout = True
         if len(request.session['samlUserdata']) > 0:
             attributes = request.session['samlUserdata'].items()
-
-    return render_to_response('attrs.html',
-                              context=RequestContext(request, {'paint_logout': paint_logout,
-                                                               'attributes': attributes}).flatten())
+    return render(request, 'attrs.html',
+                  {'paint_logout': paint_logout,
+                   'attributes': attributes})
 
 
 def metadata(request):

From 20e839d758d4974254b049e790dce34dd82ecd3b Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 26 Jul 2018 14:16:52 +0200
Subject: [PATCH 090/331] Update pylint dependency to 1.9.1

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 7b822c93..ae68aad7 100644
--- a/setup.py
+++ b/setup.py
@@ -44,7 +44,7 @@
         'test': (
             'coverage>=3.6',
             'freezegun==0.3.5',
-            'pylint==1.3.1',
+            'pylint==1.9.1',
             'pep8==1.5.7',
             'pyflakes==0.8.1',
             'coveralls==1.1',

From 4a30dc50c656ea8eee9d43d781715c2b2786b04b Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 5 Aug 2018 21:13:48 +0200
Subject: [PATCH 091/331] Discourage the use of the fingerprint on production
 environments

---
 README.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 4f9408a4..598d5c23 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,8 @@ Security warning
 In production, the **strict** parameter MUST be set as **"true"**. Otherwise
 your environment is not secure and will be exposed to attacks.
 
+In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
+
 Getting started
 ---------------
 
@@ -301,8 +303,11 @@ This is the settings.json file:
         // Public x509 certificate of the IdP
         "x509cert": ""
         /*
-         *  Instead of using the whole x509cert you can use a fingerprint in
-         *  order to validate a SAMLResponse.
+         *  Instead of using the whole x509cert you can use a fingerprint in order to
+         *  validate a SAMLResponse (but you still need the x509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
+         *  But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
+         *  that why we don't recommend it use for production environments.
+         *
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *  or add for example the -sha256 , -sha384 or -sha512 parameter)
          *

From 547a25d3e530d7b2c8c744d08def8189dfb1be57 Mon Sep 17 00:00:00 2001
From: Nick Barrett 
Date: Tue, 14 Aug 2018 15:45:15 +0100
Subject: [PATCH 092/331] Handle nested `NameID` children inside attributes.

---
 src/onelogin/saml2/response.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index fe7b9f71..9d07bf9d 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -531,6 +531,15 @@ def get_attributes(self):
                     if attr_text:
                         values.append(attr_text)
 
+                # Parse any nested NameID children
+                for nameid in attr.iterchildren('{%s}NameID' % OneLogin_Saml2_Constants.NSMAP['saml']):
+                    values.append({
+                        'NameID': {
+                            'Format': nameid.get('Format'),
+                            'NameQualifier': nameid.get('NameQualifier'),
+                            'value': nameid.text
+                        }
+                    })
             attributes[attr_name] = values
         return attributes
 

From e7c9f75c87611464c27e13b510e24cb713e28d33 Mon Sep 17 00:00:00 2001
From: Nick Barrett 
Date: Tue, 14 Aug 2018 15:45:27 +0100
Subject: [PATCH 093/331] Add tests for the nested `NameID` attributes.

---
 ...ponse_with_nested_nameid_values.xml.base64 | 71 +++++++++++++++++++
 .../src/OneLogin/saml2_tests/response_test.py | 20 ++++++
 2 files changed, 91 insertions(+)
 create mode 100644 tests/data/responses/response_with_nested_nameid_values.xml.base64

diff --git a/tests/data/responses/response_with_nested_nameid_values.xml.base64 b/tests/data/responses/response_with_nested_nameid_values.xml.base64
new file mode 100644
index 00000000..3092c3cf
--- /dev/null
+++ b/tests/data/responses/response_with_nested_nameid_values.xml.base64
@@ -0,0 +1,71 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDph
+c3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9j
+b2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50
+PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4KICA8c2Ft
+bHA6U3RhdHVzPgogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0
+YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPgogIDxzYW1sOkFzc2Vy
+dGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhz
+aT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIu
+MCIgSUQ9InBmeGE0NjU3NGRmLWIzYjAtYTA2YS0yM2M4LTYzNjQxMzE5ODc3MiIgSXNzdWVJbnN0
+YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+CiAgICA8c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAu
+b25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvMTM1OTA8L3NhbWw6SXNzdWVyPgogICAgPGRzOlNp
+Z25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAg
+ICAgIDxkczpTaWduZWRJbmZvPgogICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFs
+Z29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAg
+ICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv
+MDkveG1sZHNpZyNyc2Etc2hhMSIvPgogICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4YTQ2
+NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIj4KICAgICAgICAgIDxkczpUcmFuc2Zv
+cm1zPgogICAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
+cmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KICAgICAgICAgICAgPGRz
+OlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1j
+MTRuIyIvPgogICAgICAgICAgPC9kczpUcmFuc2Zvcm1zPgogICAgICAgICAgPGRzOkRpZ2VzdE1l
+dGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+
+CiAgICAgICAgICA8ZHM6RGlnZXN0VmFsdWU+cEpRN01TL2VrNEtSUldHbXYvSDQzUmVIWU1zPTwv
+ZHM6RGlnZXN0VmFsdWU+CiAgICAgICAgPC9kczpSZWZlcmVuY2U+CiAgICAgIDwvZHM6U2lnbmVk
+SW5mbz4KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPnlpdmVLY1BkRHB1RE5qNnNoclEzQUJ3ci9j
+QTNDcnlEMnBoRy94TFpzektXeFU1L21sYUt0OGV3YlpPZEtLdnRPczJwSEJ5NUR1YTNrOTRBRit6
+eEd5ZWw1Z09vd21veVhKcitBT3Ira1BPMHZsaTFWOG8zaFBQVVp3UmdTWDZROXBTMUNxUWdoS2lF
+YXNSeXlscXFKVWFQWXptT3pPRTgvWGxNa3dpV21PMD08L2RzOlNpZ25hdHVyZVZhbHVlPgogICAg
+ICA8ZHM6S2V5SW5mbz4KICAgICAgICA8ZHM6WDUwOURhdGE+CiAgICAgICAgICA8ZHM6WDUwOUNl
+cnRpZmljYXRlPk1JSUJyVENDQWFHZ0F3SUJBZ0lCQVRBREJnRUFNR2N4Q3pBSkJnTlZCQVlUQWxW
+VE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUhEQXhUWVc1MFlTQk5iMjVw
+WTJFeEVUQVBCZ05WQkFvTUNFOXVaVXh2WjJsdU1Sa3dGd1lEVlFRRERCQmhjSEF1YjI1bGJHOW5h
+VzR1WTI5dE1CNFhEVEV3TURNd09UQTVOVGcwTlZvWERURTFNRE13T1RBNU5UZzBOVm93WnpFTE1B
+a0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RlRBVEJnTlZCQWNNREZO
+aGJuUmhJRTF2Ym1sallURVJNQThHQTFVRUNnd0lUMjVsVEc5bmFXNHhHVEFYQmdOVkJBTU1FR0Z3
+Y0M1dmJtVnNiMmRwYmk1amIyMHdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JB
+T2pTdTFmalB5OGQ1dzRReUwxK3pkNGhJdzFNa2tmZjRXWS9UTEc4T1prVTVZVFNXbW1IUEQ1a3ZZ
+SDV1b1hTLzZxUTgxcVhwUjJ3VjhDVG93WkpVTGcwOWRkUmRSbjhRc3FqMUZ5T0M1c2xFM3kyYloy
+b0Z1YTcyb2YvNDlmcHVqbkZUNktuUTYxQ0JNcWxEb1RRcU9UNjJ2R0o4blA2TVpXdkE2c3hxdWQ1
+QWdNQkFBRXdBd1lCQUFNQkFBPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KICAgICAgICA8L2RzOlg1
+MDlEYXRhPgogICAgICA8L2RzOktleUluZm8+CiAgICA8L2RzOlNpZ25hdHVyZT4KICAgIDxzYW1s
+OlN1YmplY3Q+CiAgICAgIDxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpT
+QU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c3VwcG9ydEBvbmVsb2dpbi5jb208
+L3NhbWw6TmFtZUlEPgogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJu
+Om9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+CiAgICAgICAgPHNhbWw6U3ViamVj
+dENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEwLTExLTE4VDIyOjAyOjM3WiIgUmVj
+aXBpZW50PSJ7cmVjaXBpZW50fSIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPgogICAgPC9z
+YW1sOlN1YmplY3Q+CiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQy
+MTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPgogICAgICA8c2Ft
+bDpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgICAgIDxzYW1sOkF1ZGllbmNlPnthdWRpZW5jZX08
+L3NhbWw6QXVkaWVuY2U+CiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgPC9z
+YW1sOkNvbmRpdGlvbnM+CiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIw
+MTAtMTEtMThUMjE6NTc6MzdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDEwLTExLTE5VDIxOjU3
+OjM3WiIgU2Vzc2lvbkluZGV4PSJfNTMxYzMyZDI4M2JkZmY3ZTA0ZTQ4N2JjZGJjNGRkOGQiPgog
+ICAgICA8c2FtbDpBdXRobkNvbnRleHQ+CiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NS
+ZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6
+QXV0aG5Db250ZXh0Q2xhc3NSZWY+CiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+CiAgICA8L3Nh
+bWw6QXV0aG5TdGF0ZW1lbnQ+CiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+CiAgICAgIDxz
+YW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiPgogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHht
+bG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRw
+Oi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmlu
+ZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4KICAg
+ICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImFub3RoZXJfdmFsdWUiPgogICAgICAgIDxzYW1sOkF0
+dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIg
+eG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNp
+OnR5cGU9InhzOnN0cmluZyI+CiAgICAgICAgICAgIDxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpv
+YXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiIE5hbWVRdWFs
+aWZpZXI9Imh0dHBzOi8vaWRwSUQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zcElEIj52YWx1
+ZTwvc2FtbDpOYW1lSUQ+CiAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPgogICAgICA8L3Nh
+bWw6QXR0cmlidXRlPgogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4KICA8L3NhbWw6QXNz
+ZXJ0aW9uPgo8L3NhbWxwOlJlc3BvbnNlPgo=
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 0f33c0a5..29793b86 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -610,6 +610,26 @@ def testGetAttributes(self):
         response_3 = OneLogin_Saml2_Response(settings, xml_3)
         self.assertEqual({}, response_3.get_attributes())
 
+    def testGetNestedNameIDAttributes(self):
+        """
+        Tests the getAttributes method of the OneLogin_Saml2_Response with nested
+        nameID data
+        """
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        xml = self.file_contents(join(self.data_path, 'responses', 'response_with_nested_nameid_values.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        expected_attributes = {
+            'uid': ['demo'],
+            'another_value': [{
+                'NameID': {
+                    'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+                    'NameQualifier': 'https://idpID',
+                    'value': 'value'
+                }
+            }]
+        }
+        self.assertEqual(expected_attributes, response.get_attributes())
+
     def testOnlyRetrieveAssertionWithIDThatMatchesSignatureReference(self):
         """
         Tests the get_nameid method of the OneLogin_Saml2_Response

From 5001ece419526019deab654b19b0cdc37d88c861 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 27 Sep 2018 16:55:04 +0200
Subject: [PATCH 094/331] Fix DSA constant

---
 src/onelogin/saml2/constants.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py
index edc765bf..7b3f0085 100644
--- a/src/onelogin/saml2/constants.py
+++ b/src/onelogin/saml2/constants.py
@@ -100,7 +100,7 @@ class OneLogin_Saml2_Constants(object):
     SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384'
     SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
 
-    DSA_SHA1 = 'http://www.w3.org/2000/09/xmld/sig#dsa-sha1'
+    DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
     RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
     RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
     RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'

From a246326f3b38515ff4fb540893b1dd75350c5e01 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 17 Oct 2018 01:21:06 +0200
Subject: [PATCH 095/331] If debug enable, print reason for the SAMLResponse
 invalidation

---
 demo-django/demo/views.py        | 7 ++++++-
 demo-django/templates/index.html | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 398de41a..648e5e0a 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -33,6 +33,7 @@ def index(request):
     req = prepare_django_request(request)
     auth = init_saml_auth(req)
     errors = []
+    error_reason = None
     not_auth_warn = False
     success_slo = False
     attributes = False
@@ -56,12 +57,16 @@ def index(request):
         auth.process_response()
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
+
         if not errors:
             request.session['samlUserdata'] = auth.get_attributes()
             request.session['samlNameId'] = auth.get_nameid()
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
+        else:
+            if auth.get_settings().is_debug_active():
+                error_reason = auth.get_last_error_reason()
     elif 'sls' in req['get_data']:
         dscb = lambda: request.session.flush()
         url = auth.process_slo(delete_session_cb=dscb)
@@ -77,7 +82,7 @@ def index(request):
         if len(request.session['samlUserdata']) > 0:
             attributes = request.session['samlUserdata'].items()
 
-    return render(request, 'index.html', {'errors': errors, 'not_auth_warn': not_auth_warn, 'success_slo': success_slo,
+    return render(request, 'index.html', {'errors': errors, 'error_reason': error_reason, 'not_auth_warn': not_auth_warn, 'success_slo': success_slo,
                                           'attributes': attributes, 'paint_logout': paint_logout})        
 
 
diff --git a/demo-django/templates/index.html b/demo-django/templates/index.html
index f7d51101..87f2f08b 100644
--- a/demo-django/templates/index.html
+++ b/demo-django/templates/index.html
@@ -10,6 +10,9 @@
           
  • {{err}}
    • 
         {% endfor %}
     
+    {% if error_reason %}
+      
    Reason: {{error_reason}}
    
+    {% endif %}
   
    
 {% endif %}
 

From 69c9b13ed0c6a37f9d2258b44fb927a208e46325 Mon Sep 17 00:00:00 2001
From: Matthew Shin 
Date: Thu, 18 Oct 2018 18:53:24 -0500
Subject: [PATCH 096/331] Add expected/received in WRONG_ISSUER error

---
 src/onelogin/saml2/logout_request.py                   | 6 +++++-
 src/onelogin/saml2/logout_response.py                  | 6 +++++-
 src/onelogin/saml2/response.py                         | 6 +++++-
 tests/src/OneLogin/saml2_tests/logout_response_test.py | 2 +-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 152765e4..9dfb0c3e 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -322,7 +322,11 @@ def is_valid(self, request_data, raise_exceptions=False):
                 issuer = OneLogin_Saml2_Logout_Request.get_issuer(root)
                 if issuer is not None and issuer != idp_entity_id:
                     raise OneLogin_Saml2_ValidationError(
-                        'Invalid issuer in the Logout Request',
+                        'Invalid issuer in the Logout Request (expected %(idpEntityId)s, got %(issuer)s)' %
+                        {
+                            'idpEntityId': idp_entity_id,
+                            'issuer': issuer
+                        },
                         OneLogin_Saml2_ValidationError.WRONG_ISSUER
                     )
 
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 75dc089c..006d4e6b 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -106,7 +106,11 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 issuer = self.get_issuer()
                 if issuer is not None and issuer != idp_entity_id:
                     raise OneLogin_Saml2_ValidationError(
-                        'Invalid issuer in the Logout Request',
+                        'Invalid issuer in the Logout Response (expected %(idpEntityId)s, got %(issuer)s)' %
+                        {
+                            'idpEntityId': idp_entity_id,
+                            'issuer': issuer
+                        },
                         OneLogin_Saml2_ValidationError.WRONG_ISSUER
                     )
 
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 7a12ccda..c44b5a46 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -218,7 +218,11 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 for issuer in issuers:
                     if issuer is None or issuer != idp_entity_id:
                         raise OneLogin_Saml2_ValidationError(
-                            'Invalid issuer in the Assertion/Response',
+                            'Invalid issuer in the Assertion/Response (expected %(idpEntityId)s, got %(issuer)s)' %
+                            {
+                                'idpEntityId': idp_entity_id,
+                                'issuer': issuer
+                            },
                             OneLogin_Saml2_ValidationError.WRONG_ISSUER
                         )
 
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index eda0b9f3..5a7994c0 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -208,7 +208,7 @@ def testIsInValidIssuer(self):
 
         settings.set_strict(True)
         response_2 = OneLogin_Saml2_Logout_Response(settings, message)
-        with self.assertRaisesRegex(Exception, 'Invalid issuer in the Logout Request'):
+        with self.assertRaisesRegex(Exception, 'Invalid issuer in the Logout Response'):
             response_2.is_valid(request_data, raise_exceptions=True)
 
     def testIsInValidDestination(self):

From 01166a135ac5c50806c57ce9d1819ee1d187b689 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 2 Nov 2018 12:43:06 +0100
Subject: [PATCH 097/331] Fix #116. Don't require compression on LogoutResponse
 messages by relaxing the decode_base64_and_inflate call

---
 src/onelogin/saml2/logout_response.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 006d4e6b..67a72f35 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -38,7 +38,7 @@ def __init__(self, settings, response=None):
         self.id = None
 
         if response is not None:
-            self.__logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response))
+            self.__logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response, ignore_zip=True))
             self.document = OneLogin_Saml2_XML.to_etree(self.__logout_response)
             self.id = self.document.get('ID', None)
 

From 3ae8d01370e86763056086fac30660f0fb00ce57 Mon Sep 17 00:00:00 2001
From: Yuqing 
Date: Tue, 13 Nov 2018 16:09:03 +0100
Subject: [PATCH 098/331] Fixed UNEXPECTED_SIGNED_ELEMENT should be
 UNEXPECTED_SIGNED_ELEMENTS

---
 src/onelogin/saml2/response.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index c44b5a46..dd10771f 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -652,7 +652,7 @@ def process_signed_elements(self):
             if not self.validate_signed_elements(signed_elements, raise_exceptions=True):
                 raise OneLogin_Saml2_ValidationError(
                     'Found an unexpected Signature Element. SAML Response rejected',
-                    OneLogin_Saml2_ValidationError.UNEXPECTED_SIGNED_ELEMENT
+                    OneLogin_Saml2_ValidationError.UNEXPECTED_SIGNED_ELEMENTS
                 )
         return signed_elements
 

From f026d9bbdeee1d08863a52de55f2c60529841898 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 15 Dec 2018 23:28:37 +0100
Subject: [PATCH 099/331] Update Shibboleth XML URL

---
 .../src/OneLogin/saml2_tests/idp_metadata_parser_test.py  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 952f9b18..6e1aaa1d 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -51,7 +51,7 @@ def testGetMetadata(self):
             data = OneLogin_Saml2_IdPMetadataParser.get_metadata('http://google.es')
 
         try:
-            data = OneLogin_Saml2_IdPMetadataParser.get_metadata('https://www.testshib.org/metadata/testshib-providers.xml')
+            data = OneLogin_Saml2_IdPMetadataParser.get_metadata('https://idp.testshib.org/idp/shibboleth')
             self.assertTrue(data is not None and data is not {})
         except URLError:
             pass
@@ -64,7 +64,7 @@ def testParseRemote(self):
             data = OneLogin_Saml2_IdPMetadataParser.parse_remote('http://google.es')
 
         try:
-            data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://www.testshib.org/metadata/testshib-providers.xml')
+            data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://idp.testshib.org/idp/shibboleth')
         except URLError:
             xml = self.file_contents(join(self.data_path, 'metadata', 'testshib-providers.xml'))
             data = OneLogin_Saml2_IdPMetadataParser.parse(xml)
@@ -148,7 +148,7 @@ def test_parse_testshib_required_binding_sso_redirect(self):
         """
         try:
             xmldoc = OneLogin_Saml2_IdPMetadataParser.get_metadata(
-                'https://www.testshib.org/metadata/testshib-providers.xml')
+                'https://idp.testshib.org/idp/shibboleth')
         except URLError:
             xmldoc = self.file_contents(join(self.data_path, 'metadata', 'testshib-providers.xml'))
 
@@ -186,7 +186,7 @@ def test_parse_testshib_required_binding_sso_post(self):
         """
         try:
             xmldoc = OneLogin_Saml2_IdPMetadataParser.get_metadata(
-                'https://www.testshib.org/metadata/testshib-providers.xml')
+                'https://idp.testshib.org/idp/shibboleth')
         except URLError:
             xmldoc = self.file_contents(join(self.data_path, 'metadata', 'testshib-providers.xml'))
 

From ca5c0829c150af972b64d3e35f99eaf290dd1068 Mon Sep 17 00:00:00 2001
From: cclauss 
Date: Fri, 18 Jan 2019 10:40:49 +0100
Subject: [PATCH 100/331] Py3.7 & flake8 is a superset of pep8 and pyflakes

---
 .travis.yml                                           |  8 ++++++--
 demo-django/demo/settings.py                          |  3 +--
 demo-django/demo/views.py                             |  2 +-
 demo-django/demo/wsgi.py                              |  2 +-
 setup.cfg                                             |  5 +++++
 setup.py                                              | 11 +++++------
 src/onelogin/saml2/idp_metadata_parser.py             |  2 +-
 src/onelogin/saml2/utils.py                           |  4 ++--
 tests/pep8.rc                                         |  3 ---
 tests/src/OneLogin/saml2_tests/authn_request_test.py  |  4 ++--
 .../OneLogin/saml2_tests/idp_metadata_parser_test.py  |  2 +-
 tests/src/OneLogin/saml2_tests/logout_request_test.py |  6 +++---
 .../src/OneLogin/saml2_tests/logout_response_test.py  |  2 +-
 13 files changed, 29 insertions(+), 25 deletions(-)
 delete mode 100644 tests/pep8.rc

diff --git a/.travis.yml b/.travis.yml
index 39b74bb1..8023585e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,6 +5,11 @@ python:
   - '3.5'
   - '3.6'
 
+matrix:
+  include:
+    - python: '3.7'
+      dist: xenial  # required for Python >= 3.7 (travis-ci/travis-ci#9069)
+
 install:
   - sudo apt-get update -qq
   - sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
@@ -15,7 +20,6 @@ script:
   - 'coverage run --source=src/onelogin/saml2 --rcfile=tests/coverage.rc setup.py test'
   - 'coverage report -m --rcfile=tests/coverage.rc'
 # - 'pylint src/onelogin/saml2 --rcfile=tests/pylint.rc'
-  - 'pep8 tests/src/OneLogin/saml2_tests/*.py demo-flask/*.py demo-django/*.py src/onelogin/saml2/*.py --config=tests/pep8.rc'
-  - 'pyflakes src/onelogin/saml2 demo-django demo-flask tests/src/OneLogin/saml2_tests'
+  - 'flake8 .'
 
 after_success: 'coveralls'
diff --git a/demo-django/demo/settings.py b/demo-django/demo/settings.py
index fcc3cea2..17bbf6d4 100644
--- a/demo-django/demo/settings.py
+++ b/demo-django/demo/settings.py
@@ -80,8 +80,7 @@
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
-        'DIRS': [os.path.join(BASE_DIR, 'templates')]
-        ,
+        'DIRS': [os.path.join(BASE_DIR, 'templates')],
         'APP_DIRS': True,
         'OPTIONS': {
             'debug': True,
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 648e5e0a..535b42af 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -83,7 +83,7 @@ def index(request):
             attributes = request.session['samlUserdata'].items()
 
     return render(request, 'index.html', {'errors': errors, 'error_reason': error_reason, 'not_auth_warn': not_auth_warn, 'success_slo': success_slo,
-                                          'attributes': attributes, 'paint_logout': paint_logout})        
+                                          'attributes': attributes, 'paint_logout': paint_logout})
 
 
 def attrs(request):
diff --git a/demo-django/demo/wsgi.py b/demo-django/demo/wsgi.py
index bd706154..b1c7db13 100644
--- a/demo-django/demo/wsgi.py
+++ b/demo-django/demo/wsgi.py
@@ -10,5 +10,5 @@
 import os
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "demo.settings")
 
-from django.core.wsgi import get_wsgi_application
+from django.core.wsgi import get_wsgi_application  # noqa: E402
 application = get_wsgi_application()
diff --git a/setup.cfg b/setup.cfg
index e66de0fb..e9d41598 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,2 +1,7 @@
+[flake8]
+ignore = E731,W504
+max-complexity = 48
+max-line-length = 1900
+
 [wheel]
 python-tag = py27
diff --git a/setup.py b/setup.py
index ae68aad7..631a8bc2 100644
--- a/setup.py
+++ b/setup.py
@@ -42,12 +42,11 @@
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={
         'test': (
-            'coverage>=3.6',
-            'freezegun==0.3.5',
-            'pylint==1.9.1',
-            'pep8==1.5.7',
-            'pyflakes==0.8.1',
-            'coveralls==1.1',
+            'coverage>=4.5.2',
+            'freezegun==0.3.11',
+            'pylint==1.9.4',
+            'flake8==3.6.0',
+            'coveralls==1.5.1',
         ),
     },
     keywords='saml saml2 xmlsec django flask pyramid python3',
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 093cf92f..036028a2 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -55,7 +55,7 @@ def get_metadata(url, validate_cert=True):
                 idp_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:IDPSSODescriptor')
                 if idp_descriptor_nodes:
                     valid = True
-            except:
+            except Exception:
                 pass
 
         if not valid:
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 9daf17d2..488a8374 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -391,7 +391,7 @@ def generate_unique_id():
 
     @staticmethod
     def parse_time_to_SAML(time):
-        """
+        r"""
         Converts a UNIX timestamp to SAML2 timestamp on the form
         yyyy-mm-ddThh:mm:ss(\.s+)?Z.
 
@@ -406,7 +406,7 @@ def parse_time_to_SAML(time):
 
     @staticmethod
     def parse_SAML_to_time(timestr):
-        """
+        r"""
         Converts a SAML2 timestamp on the form yyyy-mm-ddThh:mm:ss(\.s+)?Z
         to a UNIX timestamp. The sub-second part is ignored.
 
diff --git a/tests/pep8.rc b/tests/pep8.rc
deleted file mode 100644
index 27d6de8d..00000000
--- a/tests/pep8.rc
+++ /dev/null
@@ -1,3 +0,0 @@
-[pep8]
-ignore = E501,E731
-max-line-length = 160
\ No newline at end of file
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
index c0dcbf2c..71c99539 100644
--- a/tests/src/OneLogin/saml2_tests/authn_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -267,7 +267,7 @@ def testCreateDeflatedSAMLRequestURLParameter(self):
             'SAMLRequest': authn_request.get_request()
         }
         auth_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SSOService.php', parameters, True)
-        self.assertRegex(auth_url, '^http://idp\.example\.com\/SSOService\.php\?SAMLRequest=')
+        self.assertRegex(auth_url, r'^http://idp\.example\.com\/SSOService\.php\?SAMLRequest=')
         exploded = urlparse(auth_url)
         exploded = parse_qs(exploded[4])
         payload = exploded['SAMLRequest'][0]
@@ -295,7 +295,7 @@ def testCreateEncSAMLRequest(self):
             'SAMLRequest': authn_request.get_request()
         }
         auth_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SSOService.php', parameters, True)
-        self.assertRegex(auth_url, '^http://idp\.example\.com\/SSOService\.php\?SAMLRequest=')
+        self.assertRegex(auth_url, r'^http://idp\.example\.com\/SSOService\.php\?SAMLRequest=')
         exploded = urlparse(auth_url)
         exploded = parse_qs(exploded[4])
         payload = exploded['SAMLRequest'][0]
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 6e1aaa1d..f4859244 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -5,7 +5,7 @@
 
 try:
     from urllib.error import URLError
-except:
+except ImportError:
     from urllib2 import URLError
 
 from copy import deepcopy
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index d606ca89..1ea9e7f7 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -65,7 +65,7 @@ def testConstructor(self):
 
         parameters = {'SAMLRequest': logout_request.get_request()}
         logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True)
-        self.assertRegex(logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
+        self.assertRegex(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
         url_parts = urlparse(logout_url)
         exploded = parse_qs(url_parts.query)
         payload = exploded['SAMLRequest'][0]
@@ -82,7 +82,7 @@ def testCreateDeflatedSAMLLogoutRequestURLParameter(self):
 
         parameters = {'SAMLRequest': logout_request.get_request()}
         logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True)
-        self.assertRegex(logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
+        self.assertRegex(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
         url_parts = urlparse(logout_url)
         exploded = parse_qs(url_parts.query)
         payload = exploded['SAMLRequest'][0]
@@ -139,7 +139,7 @@ def testConstructorEncryptIdUsingX509certMulti(self):
 
         parameters = {'SAMLRequest': logout_request.get_request()}
         logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True)
-        self.assertRegex(logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
+        self.assertRegex(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLRequest=')
         url_parts = urlparse(logout_url)
         exploded = parse_qs(url_parts.query)
         payload = exploded['SAMLRequest'][0]
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index 5a7994c0..eb6f5e60 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -77,7 +77,7 @@ def testCreateDeflatedSAMLLogoutResponseURLParameter(self):
 
         logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True)
 
-        self.assertRegex(logout_url, '^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLResponse=')
+        self.assertRegex(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLResponse=')
         url_parts = urlparse(logout_url)
         exploded = parse_qs(url_parts.query)
         inflated = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(exploded['SAMLResponse'][0]))

From 01054802679dbda963cda4e2e8e5697151b69eae Mon Sep 17 00:00:00 2001
From: cclauss 
Date: Fri, 18 Jan 2019 20:43:57 +0100
Subject: [PATCH 101/331] setup.py: Add the Python 3.7 trove classifier for
 PyPI

Now that #124 is merged and Python 3.7 is passing the Travis tests.
---
 setup.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/setup.py b/setup.py
index 631a8bc2..a6bbd9c0 100644
--- a/setup.py
+++ b/setup.py
@@ -20,6 +20,7 @@
         'Programming Language :: Python :: 3.4',
         'Programming Language :: Python :: 3.5',
         'Programming Language :: Python :: 3.6',
+        'Programming Language :: Python :: 3.7',
     ],
     author='OneLogin',
     author_email='support@onelogin.com',

From 61eacb44d5789bd96edd11309a2bcae66e0d725f Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 29 Jan 2019 13:34:11 +0100
Subject: [PATCH 102/331] Security improvements. Use of tagid to prevent XPath
 injection. Disable DTD on _parse_etree (fromstring defusedxml) method.

---
 src/onelogin/saml2/response.py  | 18 ++++++++++++------
 src/onelogin/saml2/utils.py     |  3 +--
 src/onelogin/saml2/xml_utils.py | 16 ++++++++++++----
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index dd10771f..a291a841 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -737,6 +737,7 @@ def __query_assertion(self, xpath_expr):
         signature_expr = '/ds:Signature/ds:SignedInfo/ds:Reference'
         signed_assertion_query = '/samlp:Response' + assertion_expr + signature_expr
         assertion_reference_nodes = self.__query(signed_assertion_query)
+        tagid = None
 
         if not assertion_reference_nodes:
             # Check if the message is signed
@@ -744,23 +745,28 @@ def __query_assertion(self, xpath_expr):
             message_reference_nodes = self.__query(signed_message_query)
             if message_reference_nodes:
                 message_id = message_reference_nodes[0].get('URI')
-                final_query = "/samlp:Response[@ID='%s']/" % message_id[1:]
+                final_query = "/samlp:Response[@ID=$tagid]/"
+                tagid = message_id[1:]
             else:
                 final_query = "/samlp:Response"
             final_query += assertion_expr
         else:
             assertion_id = assertion_reference_nodes[0].get('URI')
-            final_query = '/samlp:Response' + assertion_expr + "[@ID='%s']" % assertion_id[1:]
+            final_query = '/samlp:Response' + assertion_expr + "[@ID=$tagid]"
+            tagid = assertion_id[1:]
         final_query += xpath_expr
-        return self.__query(final_query)
+        return self.__query(final_query, tagid)
 
-    def __query(self, query):
+    def __query(self, query, tagid=None):
         """
         Extracts nodes that match the query from the Response
 
         :param query: Xpath Expresion
         :type query: String
 
+        :param tagid: Tag ID
+        :type query: String
+
         :returns: The queried nodes
         :rtype: list
         """
@@ -768,7 +774,7 @@ def __query(self, query):
             document = self.decrypted_document
         else:
             document = self.document
-        return OneLogin_Saml2_XML.query(document, query)
+        return OneLogin_Saml2_XML.query(document, query, None, tagid)
 
     def __decrypt_assertion(self, xml):
         """
@@ -817,7 +823,7 @@ def __decrypt_assertion(self, xml):
                         if not uri.startswith('#'):
                             break
                         uri = uri.split('#')[1]
-                        encrypted_key = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], './xenc:EncryptedKey[@Id="' + uri + '"]')
+                        encrypted_key = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], './xenc:EncryptedKey[@Id=$tagid]', None, uri)
                         if encrypted_key:
                             keyinfo.append(encrypted_key[0])
 
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 488a8374..4647c230 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -13,7 +13,6 @@
 from copy import deepcopy
 import calendar
 from datetime import datetime
-from defusedxml.lxml import fromstring
 from hashlib import sha1, sha256, sha384, sha512
 from isodate import parse_duration as duration_parser
 import re
@@ -684,7 +683,7 @@ def decrypt_element(encrypted_data, key, debug=False, inplace=False):
         """
 
         if isinstance(encrypted_data, Element):
-            encrypted_data = fromstring(str(encrypted_data.toxml()))
+            encrypted_data = OneLogin_Saml2_XML.to_etree(str(encrypted_data.toxml()))
         if not inplace and isinstance(encrypted_data, OneLogin_Saml2_XML._element_class):
             encrypted_data = deepcopy(encrypted_data)
         elif isinstance(encrypted_data, OneLogin_Saml2_XML._text_class):
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
index 03d826a6..7257ac69 100644
--- a/src/onelogin/saml2/xml_utils.py
+++ b/src/onelogin/saml2/xml_utils.py
@@ -62,7 +62,7 @@ def to_etree(xml):
         if isinstance(xml, OneLogin_Saml2_XML._element_class):
             return xml
         if isinstance(xml, OneLogin_Saml2_XML._text_class):
-            return OneLogin_Saml2_XML._parse_etree(xml)
+            return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True)
 
         raise ValueError('unsupported type %r' % type(xml))
 
@@ -101,7 +101,7 @@ def validate_xml(xml, schema, debug=False):
         return xml
 
     @staticmethod
-    def query(dom, query, context=None):
+    def query(dom, query, context=None, tagid=None):
         """
         Extracts nodes that match the query from the Element
 
@@ -114,13 +114,21 @@ def query(dom, query, context=None):
         :param context: Context Node
         :type: DOMElement
 
+        :param tagid: Tag ID
+        :type query: String
+
         :returns: The queried nodes
         :rtype: list
         """
         if context is None:
-            return dom.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
+            source = dom
+        else:
+            source = context
+
+        if tagid is None:
+            return source.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
         else:
-            return context.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
+            return source.xpath(query, tagid=tagid, namespaces=OneLogin_Saml2_Constants.NSMAP)
 
     @staticmethod
     def cleanup_namespaces(tree_or_element, top_nsmap=None, keep_ns_prefixes=None):

From 29e1b51c1d830e1dd4c08455fcdb268d20bf7f36 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 29 Jan 2019 18:14:20 +0100
Subject: [PATCH 103/331] Release 1.5.0

---
 README.md    |  2 ++
 changelog.md | 10 ++++++++++
 setup.py     |  2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index de699ca6..f55241ac 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,8 @@ This version supports Python3, There is a separate version that only support Pyt
 
 #### Warning ####
 
+Update python3-saml to 1.5.0, this version includes security improvements for preventing XEE and Xpath Injections.
+
 Update python3-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
 
 This version also changes how the calculate fingerprint method works, and will expect as input a formatted x509 certificate
diff --git a/changelog.md b/changelog.md
index bed7b450..32a386e7 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,14 @@
 # python3-saml changelog
+### 1.5.0 (Jan 29, 2019)
+* Security improvements. Use of tagid to prevent XPath injection. Disable DTD on fromstring defusedxml method
+* [#97](https://github.com/onelogin/python3-saml/pull/97) Check that the response has all of the AuthnContexts that we provided
+* Adapt renders from Django demo for Django 1.11 version
+* Update pylint dependency to 1.9.1
+* If debug enable, print reason for the SAMLResponse invalidation
+* Fix DSA constant
+* [#106](https://github.com/onelogin/python3-saml/pull/106) Support NameID children inside of AttributeValue elements
+* Start using flake8 for code quality
+
 ### 1.4.1 (Apr 25, 2018)
 * Add ID to EntityDescriptor before sign it on add_sign method.
 * Update defusedxml, coveralls and coverage dependencies
diff --git a/setup.py b/setup.py
index a6bbd9c0..2946d386 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.4.1',
+    version='1.5.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From b70832d6a3de324e143875c37927e661d93c959d Mon Sep 17 00:00:00 2001
From: O-P Lamminen 
Date: Wed, 30 Jan 2019 09:16:12 +0200
Subject: [PATCH 104/331] Fixed setting NameFormat attribute for AttributeValue
 tags in metadata XML

---
 src/onelogin/saml2/metadata.py                  |  2 +-
 tests/src/OneLogin/saml2_tests/metadata_test.py | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 9d58e5b7..0aab105c 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -134,7 +134,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
                 if 'nameFormat' in req_attribs.keys() and req_attribs['nameFormat']:
                     req_attr_nameformat_str = " NameFormat=\"%s\"" % req_attribs['nameFormat']
                 if 'friendlyName' in req_attribs.keys() and req_attribs['friendlyName']:
-                    req_attr_nameformat_str = " FriendlyName=\"%s\"" % req_attribs['friendlyName']
+                    req_attr_friendlyname_str = " FriendlyName=\"%s\"" % req_attribs['friendlyName']
                 if 'isRequired' in req_attribs.keys() and req_attribs['isRequired']:
                     req_attr_isrequired_str = " isRequired=\"%s\"" % 'true' if req_attribs['isRequired'] else 'false'
                 if 'attributeValue' in req_attribs.keys() and req_attribs['attributeValue']:
diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index 8c6acb1b..58afb5b9 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -157,11 +157,11 @@ def testBuilderAttributeConsumingService(self):
         self.assertIn("""        
             Test Service
             Test Service
-            
-            
-            
-            
-            
+            
+            
+            
+            
+            
         """, metadata)
 
     def testBuilderAttributeConsumingServiceWithMultipleAttributeValue(self):
@@ -183,7 +183,7 @@ def testBuilderAttributeConsumingServiceWithMultipleAttributeValue(self):
                 userType
                 admin
             
-            
+            
         """, metadata)
 
     def testSignMetadata(self):

From a82cbdcb961e3d737488074d59a7cb069ccb3814 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 31 Jan 2019 12:25:45 +0100
Subject: [PATCH 105/331] Update README with get_last_authn_contexts method

---
 README.md                  | 1 +
 src/onelogin/saml2/auth.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f55241ac..130fc1d4 100644
--- a/README.md
+++ b/README.md
@@ -915,6 +915,7 @@ Main class of OneLogin Python Toolkit
 * ***get_sso_url*** Gets the SSO url.
 * ***get_slo_url*** Gets the SLO url.
 * ***get_last_request_id*** The ID of the last Request SAML message generated (AuthNRequest, LogoutRequest).
+* ***get_last_authn_contexts*** Returns the list of authentication contexts sent in the last SAML Response.
 * ***build_request_signature*** Builds the Signature of the SAML Request.
 * ***build_response_signature*** Builds the Signature of the SAML Response.
 * ***get_settings*** Returns the settings info.
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 44717f08..106aabd8 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -322,7 +322,7 @@ def get_last_assertion_id(self):
 
     def get_last_authn_contexts(self):
         """
-        :returns: The list of authentication contexts sent in the last SAML resposne.
+        :returns: The list of authentication contexts sent in the last SAML Response.
         :rtype: list
         """
         return self.__last_authn_contexts

From b0e7046cf9dc3b7bf01086b613d09e8a6296a78e Mon Sep 17 00:00:00 2001
From: O-P Lamminen 
Date: Tue, 19 Feb 2019 16:48:43 +0200
Subject: [PATCH 106/331] Fix for lxml issues parsing SLO XML messages
 specifying encoding. - Adding bytes_type to compat - Changing
 OneLogin_Saml2_XML.to_etree() to always pass bytes to _parse_etree() - Adding
 test cases for SLO messages with XML encoding specified

---
 src/onelogin/saml2/compat.py                  |  2 ++
 src/onelogin/saml2/xml_utils.py               |  5 ++-
 .../logout_request_with_encoding.xml          | 13 ++++++++
 .../logout_response_with_encoding.xml         | 14 ++++++++
 ...response_with_encoding_deflated.xml.base64 |  1 +
 .../saml2_tests/logout_request_test.py        | 32 +++++++++++++++++++
 .../saml2_tests/logout_response_test.py       | 28 ++++++++++++++++
 7 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/logout_requests/logout_request_with_encoding.xml
 create mode 100644 tests/data/logout_responses/logout_response_with_encoding.xml
 create mode 100644 tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64

diff --git a/src/onelogin/saml2/compat.py b/src/onelogin/saml2/compat.py
index 13fe5a6f..b69e61e4 100644
--- a/src/onelogin/saml2/compat.py
+++ b/src/onelogin/saml2/compat.py
@@ -22,6 +22,7 @@
 
 if isinstance(b'', type('')):  # py 2.x
     text_types = (basestring,)  # noqa
+    bytes_type = bytes
     str_type = basestring  # noqa
 
     def utf8(data):
@@ -42,6 +43,7 @@ def to_bytes(data):
 
 else:  # py 3.x
     text_types = (bytes, str)
+    bytes_type = bytes
     str_type = str
 
     def utf8(data):
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
index 7257ac69..c7274298 100644
--- a/src/onelogin/saml2/xml_utils.py
+++ b/src/onelogin/saml2/xml_utils.py
@@ -25,6 +25,7 @@ class OneLogin_Saml2_XML(object):
     _parse_etree = staticmethod(fromstring)
     _schema_class = etree.XMLSchema
     _text_class = compat.text_types
+    _bytes_class = compat.bytes_type
     _unparse_etree = staticmethod(tostring)
 
     dump = staticmethod(etree.dump)
@@ -61,8 +62,10 @@ def to_etree(xml):
         """
         if isinstance(xml, OneLogin_Saml2_XML._element_class):
             return xml
-        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+        if isinstance(xml, OneLogin_Saml2_XML._bytes_class):
             return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True)
+        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+            return OneLogin_Saml2_XML._parse_etree(compat.to_bytes(xml), forbid_dtd=True)
 
         raise ValueError('unsupported type %r' % type(xml))
 
diff --git a/tests/data/logout_requests/logout_request_with_encoding.xml b/tests/data/logout_requests/logout_request_with_encoding.xml
new file mode 100644
index 00000000..44891df7
--- /dev/null
+++ b/tests/data/logout_requests/logout_request_with_encoding.xml
@@ -0,0 +1,13 @@
+
+
+    http://idp.example.com/
+    ONELOGIN_1e442c129e1f822c8096086a1103c5ee2c7cae1c
+
diff --git a/tests/data/logout_responses/logout_response_with_encoding.xml b/tests/data/logout_responses/logout_response_with_encoding.xml
new file mode 100644
index 00000000..4354c3e6
--- /dev/null
+++ b/tests/data/logout_responses/logout_response_with_encoding.xml
@@ -0,0 +1,14 @@
+
+
+    http://idp.example.com/
+    
+        
+    
+
diff --git a/tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64 b/tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64
new file mode 100644
index 00000000..eaf313b9
--- /dev/null
+++ b/tests/data/logout_responses/logout_response_with_encoding_deflated.xml.base64
@@ -0,0 +1 @@
+fVLdS8MwEH8X/B9K3tcmaxvWsFbELwZzAzd98EXS5KqFNgm9VPbnO6pjm1jzFO5+X8nd/GrXNsEndFhbkxMWUhKAUVbX5j0nz9v7yYxcFZcXc5Rt48TSvtvePwE6axCCPdegGFo56TsjrMQahZEtoPBKbK4fl2IaUuE6662yDbm8CP48R6X/hSQidH6fdVRpcZuTtyoD4KzUmS4rHnPKKykzCXHJaJrMdFrGPOVVOUuzUZ2Xw5/sbcfNEHtYGPTS+D2SsnjCphNGtzQRcSZi9jpKvQX0tZF+8Pjw3okoQt9XVahsG4HRztbG48kNGwzdhxsPYw6D2dqcrFd3y/XDYvU2ZeksUUpXUsmYS5akErKMJslUK53xsgJOWcpgVLf4bgwrIIYXd8VP4Fq7EHaydQ0MsefRKeiE58TGS99jcTQ5q99YDcGLbHr4f/44oMWmVwoQSRAdTKJfLofC+cYWXw==
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index 1ea9e7f7..3d724d82 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -414,6 +414,38 @@ def testIsValid(self):
         logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
         self.assertTrue(logout_request5.is_valid(request_data))
 
+    def testIsValidWithXMLEncoding(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html'
+        }
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request_with_encoding.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertFalse(logout_request2.is_valid(request_data))
+
+        settings.set_strict(False)
+        dom = parseString(request)
+        logout_request3 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertTrue(logout_request3.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request4 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertFalse(logout_request4.is_valid(request_data))
+
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request5.is_valid(request_data))
+
     def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
         request = OneLogin_Saml2_Utils.b64encode('invalid')
         request_data = {
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index eb6f5e60..054e9762 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -276,6 +276,34 @@ def testIsValid(self):
         response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
         self.assertTrue(response_3.is_valid(request_data))
 
+    def testIsValidWithXMLEncoding(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html',
+            'get_data': {}
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_with_encoding_deflated.xml.base64'))
+
+        response = OneLogin_Saml2_Logout_Response(settings, message)
+        self.assertTrue(response.is_valid(request_data))
+
+        settings.set_strict(True)
+        response_2 = OneLogin_Saml2_Logout_Response(settings, message)
+        with self.assertRaisesRegex(Exception, 'The LogoutResponse was received at'):
+            response_2.is_valid(request_data, raise_exceptions=True)
+
+        plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
+
+        response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
+        self.assertTrue(response_3.is_valid(request_data))
+
     def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
         message = OneLogin_Saml2_Utils.deflate_and_base64_encode('invalid')
         request_data = {

From eb9680adca69e542a501dff3ad4aac2595316309 Mon Sep 17 00:00:00 2001
From: James McClune 
Date: Wed, 27 Feb 2019 23:03:43 -0500
Subject: [PATCH 107/331] README: added inline markup to important references

Also fixed minor grammatical errors.

Signed-off-by: James McClune 
---
 README.md | 314 +++++++++++++++++++++++++++---------------------------
 1 file changed, 157 insertions(+), 157 deletions(-)

diff --git a/README.md b/README.md
index 130fc1d4..55b1d7e3 100644
--- a/README.md
+++ b/README.md
@@ -10,23 +10,23 @@ Add SAML support to your Python software using this library.
 Forget those complicated libraries and use the open source library provided
 and supported by OneLogin Inc.
 
-This version supports Python3, There is a separate version that only support Python2: [python-saml](https://pypi.python.org/pypi/python-saml)
+This version supports Python3. There is a separate version that only support Python2: [python-saml](https://pypi.python.org/pypi/python-saml)
 
 #### Warning ####
 
-Update python3-saml to 1.5.0, this version includes security improvements for preventing XEE and Xpath Injections.
+Update ``python3-saml`` to ``1.5.0``, this version includes security improvements for preventing XEE and Xpath Injections.
 
-Update python3-saml to 1.4.0, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
+Update ``python3-saml`` to ``1.4.0``, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
 
-This version also changes how the calculate fingerprint method works, and will expect as input a formatted x509 certificate
+This version also changes how the calculate fingerprint method works, and will expect as input a formatted X.509 certificate.
 
-Update python3-saml to 1.2.6 that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
+Update ``python3-saml`` to ``1.2.6`` that adds the use defusedxml that will prevent XEE and other attacks based on the abuse of XML. (CVE-2017-9672)
 
-Update python3-saml to >= 1.2.1, 1.2.0 had a bug on signature validation process (when using wantAssertionsSigned and wantMessagesSigned). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json)
+Update ``python3-saml`` to ``>= 1.2.1``, ``1.2.0`` had a bug on signature validation process (when using ``wantAssertionsSigned`` and ``wantMessagesSigned``). [CVE-2016-1000251](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/DWF/2016/1000251/CVE-2016-1000251.json)
 
-1.2.0 version includes a security patch that contains extra validations that will prevent signature wrapping attacks.
+``1.2.0`` version includes a security patch that contains extra validations that will prevent signature wrapping attacks.
 
-python3-saml < v1.2.0 is vulnerable and allows signature wrapping!
+``python3-saml < v1.2.0`` is vulnerable and allows signature wrapping!
 
 #### Security Guidelines ####
 
@@ -55,23 +55,23 @@ since 2002, but lately it is becoming popular due its advantages:
  * **Opportunity** - B2B cloud vendor should support SAML to facilitate the
    integration of their product.
 
-General description
+General Description
 -------------------
 
 OneLogin's SAML Python toolkit lets you turn your Python application into a SP
 (Service Provider) that can be connected to an IdP (Identity Provider).
 
-Supports:
+**Supports:**
 
  * SSO and SLO (SP-Initiated and IdP-Initiated).
  * Assertion and nameId encryption.
  * Assertion signatures.
- * Message signatures: AuthNRequest, LogoutRequest, LogoutResponses.
+ * Message signatures: ``AuthNRequest``, ``LogoutRequest``, ``LogoutResponses``.
  * Enable an Assertion Consumer Service endpoint.
  * Enable a Single Logout Service endpoint.
  * Publish the SP metadata (which can be signed).
 
-Key features:
+**Key Features:**
 
  * **saml2int** - Implements the SAML 2.0 Web Browser SSO Profile.
  * **Session-less** - Forget those common conflicts between the SP and
@@ -79,7 +79,7 @@ Key features:
  * **Easy to use** - Programmer will be allowed to code high-level and
    low-level programming, 2 easy to use APIs are available.
  * **Tested** - Thoroughly tested.
- * **Popular** - OneLogin's customers use it. Add easy support to your django/flask web projects.
+ * **Popular** - OneLogin's customers use it. Add easy support to your Django/Flask web projects.
 
 Installation
 ------------
@@ -92,22 +92,22 @@ Installation
  duration parser and formatter
  * [defusedxml](https://pypi.python.org/pypi/defusedxml) XML bomb protection for Python stdlib modules
 
-Review the setup.py file to know the version of the library that python3-saml is using
+Review the ``setup.py`` file to know the version of the library that ``python3-saml`` is using
 
 ### Code ###
 
-#### Option 1. Download from github ####
+#### Option 1. Download from GitHub ####
 
-The toolkit is hosted on github. You can download it from:
+The toolkit is hosted on GitHub. You can download it from:
 
  * Lastest release: https://github.com/onelogin/python3-saml/releases/latest
  * Master repo: https://github.com/onelogin/python3-saml/tree/master
 
-Copy the core of the library (src/onelogin/saml2 folder) and merge the setup.py inside the python application. (each application has its structure so take your time to locate the Python SAML toolkit in the best place).
+Copy the core of the library ``(src/onelogin/saml2 folder)`` and merge the ``setup.py`` inside the Python application. (Each application has its structure so take your time to locate the Python SAML toolkit in the best place).
 
 #### Option 2. Download from pypi ####
 
-The toolkit is hosted in pypi, you can find the python3-saml package at https://pypi.python.org/pypi/python3-saml
+The toolkit is hosted in pypi, you can find the ``python3-saml`` package at https://pypi.python.org/pypi/python3-saml
 
 You can install it executing:
 ```
@@ -116,7 +116,7 @@ $ pip install python3-saml
 
 If you want to know how a project can handle python packages review this [guide](https://packaging.python.org/en/latest/tutorial.html) and review this [sampleproject](https://github.com/pypa/sampleproject)
 
-Security warning
+Security Warning
 ----------------
 
 In production, the **strict** parameter MUST be set as **"true"**. Otherwise
@@ -124,12 +124,12 @@ your environment is not secure and will be exposed to attacks.
 
 In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
-Getting started
+Getting Started
 ---------------
 
 ### Knowing the toolkit ###
 
-The new OneLogin SAML Toolkit contains different folders (certs, lib, demo-django, demo-flask and tests) and some files.
+The new OneLogin SAML Toolkit contains different folders (``certs``, ``lib``, ``demo-django``, ``demo-flask`` and ``tests``) and some files.
 
 Let's start describing them:
 
@@ -140,37 +140,37 @@ the classes and methods that are described in a later section.
 
 #### demo-django ####
 
-This folder contains a Django project that will be used as demo to show how to add SAML support to the Django Framework. 'demo' is the main folder of the django project (with its settings.py, views.py, urls.py), 'templates' is the django templates of the project and 'saml' is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
+This folder contains a Django project that will be used as demo to show how to add SAML support to the Django Framework. **demo** is the main folder of the Django project (with its ``settings.py``, ``views.py``, ``urls.py``), **templates** is the Django templates of the project and **saml** is a folder that contains the ``certs`` folder that could be used to store the X.509 public and private key, and the SAML toolkit settings (``settings.json`` and ``advanced_settings.json``).
 
 ***Notice about certs***
 
-SAML requires a x.509 cert to sign and encrypt elements like NameID, Message, Assertion, Metadata.
+SAML requires a X.509 cert to sign and encrypt elements like ``NameID``, ``Message``, ``Assertion``, ``Metadata``.
 
-If our environment requires sign or encrypt support, the certs folder may contain the x509 cert and the private key that the SP will use:
+If our environment requires sign or encrypt support, the certs folder may contain the X.509 cert and the private key that the SP will use:
 
 * sp.crt The public cert of the SP
-* sp.key The privake key of the SP
+* sp.key The private key of the SP
 
-Or also we can provide those data in the setting file at the 'x509cert' and the privateKey' json parameters of the 'sp' element.
+Or also we can provide those data in the setting file at the ``X.509cert`` and the ``privateKey`` JSON parameters of the ``sp`` element.
 
-Sometimes we could need a signature on the metadata published by the SP, in this case we could use the x.509 cert previously mentioned or use a new x.509 cert: metadata.crt and metadata.key.
+Sometimes we could need a signature on the metadata published by the SP, in this case we could use the X.509 cert previously mentioned or use a new X.509 cert: ``metadata.crt`` and ``metadata.key``.
 
-Use `sp_new.crt` if you are in a key rollover process and you want to
-publish that x509certificate on Service Provider metadata.
+Use ``sp_new.crt`` if you are in a key rollover process and you want to
+publish that X.509 certificate on Service Provider metadata.
 
 If you want to create self-signed certs, you can do it at the https://www.samltool.com/self_signed_certs.php service, or using the command:
 
 ```bash
-openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout saml.key
+openssl req -new -X.509 -days 3652 -nodes -out sp.crt -keyout saml.key
 ```
 
 #### demo-flask ####
 
-This folder contains a Flask project that will be used as demo to show how to add SAML support to the Flask Framework. 'index.py' is the main flask file that has all the code, this file uses the templates stored at the 'templates' folder. In the 'saml' folder we found the 'certs' folder to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
+This folder contains a Flask project that will be used as demo to show how to add SAML support to the Flask Framework. ``index.py`` is the main Flask file that has all the code, this file uses the templates stored at the ``templates`` folder. In the ``saml`` folder we found the ``certs`` folder to store the X.509 public and private key, and the SAML toolkit settings (``settings.json`` and ``advanced_settings.json``).
 
 #### demo_pyramid ####
 
-This folder contains a Pyramid project that will be used as demo to show how to add SAML support to the [Pyramid Web Framework](http://docs.pylonsproject.org/projects/pyramid/en/latest/).  '\_\_init__.py' is the main file that configures the app and its routes, 'views.py' is where all the logic and SAML handling takes place, and the templates are stored in the 'templates' folder. The 'saml' folder is the same as in the other two demos.
+This folder contains a Pyramid project that will be used as demo to show how to add SAML support to the [Pyramid Web Framework](http://docs.pylonsproject.org/projects/pyramid/en/latest/).  ``\_\_init__.py`` is the main file that configures the app and its routes, ``views.py`` is where all the logic and SAML handling takes place, and the templates are stored in the ``templates`` folder. The ``saml`` folder is the same as in the other two demos.
 
 
 #### setup.py ####
@@ -191,9 +191,9 @@ The previous line will run the tests for the whole toolkit. You can also run the
 python setup.py test --test-suite tests.src.OneLogin.saml2_tests.auth_test.OneLogin_Saml2_Auth_Test
 ```
 
-With the --test-suite parameter you can specify the module to test. You'll find all the module available and their class names at tests/src/OneLogin/saml2_tests/
+With the ``--test-suite`` parameter you can specify the module to test. You'll find all the module available and their class names at ``tests/src/OneLogin/saml2_tests/``.
 
-### How it works ###
+### How It Works ###
 
 #### Settings ####
 
@@ -201,13 +201,13 @@ First of all we need to configure the toolkit. The SP's info, the IdP's info, an
 
 There are two ways to provide the settings information:
 
-* Use a settings.json file that we should locate in any folder, but indicates its path with the 'custom_base_path' parameter.
+* Use a ``settings.json`` file that we should locate in any folder, but indicates its path with the ``custom_base_path`` parameter.
 
-* Use a json object with the setting data and provide it directly to the constructor of the class (if your toolkit integation requires certs, remember to provide the 'custom_base_path' as part of the settings or as a parameter in the constructor.
+* Use a JSON object with the setting data and provide it directly to the constructor of the class (if your toolkit integation requires certs, remember to provide the ``custom_base_path`` as part of the settings or as a parameter in the constructor).
 
-In the demo-django and in the demo-flask folders you will find a 'saml' folder, inside there is a 'certs' folder and a settings.json and a advanced_settings.json files. Those files contain the settings for the saml toolkit. Copy them in your project and set the correct values.
+In the demo-django and in the demo-flask folders you will find a ``saml`` folder, inside there is a ``certs`` folder and a ``settings.json`` and ``advanced_settings.json`` file. Those files contain the settings for the SAML toolkit. Copy them in your project and set the correct values.
 
-This is the settings.json file:
+This is the ``settings.json`` file:
 
 ```javascript
 {
@@ -264,15 +264,15 @@ This is the settings.json file:
         // represent the requested subject.
         // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
         "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
-        // Usually x509cert and privateKey of the SP are provided by files placed at
+        // Usually X.509cert and privateKey of the SP are provided by files placed at
         // the certs folder. But we can also provide them with the following parameters
         "x509cert": "",
         "privateKey": ""
 
         /*
          * Key rollover
-         * If you plan to update the SP x509cert and privateKey
-         * you can define here the new x509cert and it will be
+         * If you plan to update the SP X.509cert and privateKey
+         * you can define here the new X.509cert and it will be
          * published on the SP metadata so Identity Providers can
          * read them and get ready for rollover.
          */
@@ -302,15 +302,15 @@ This is the settings.json file:
             // only for this endpoint.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
-        // Public x509 certificate of the IdP
+        // Public X.509 certificate of the IdP
         "x509cert": ""
         /*
-         *  Instead of using the whole x509cert you can use a fingerprint in order to
-         *  validate a SAMLResponse (but you still need the x509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
+         *  Instead of using the whole X.509cert you can use a fingerprint in order to
+         *  validate a SAMLResponse (but you still need the X.509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
          *  But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
          *  that why we don't recommend it use for production environments.
          *
-         *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
+         *  (openssl X.509 -noout -fingerprint -in "idp.crt" to generate it,
          *  or add for example the -sha256 , -sha384 or -sha512 parameter)
          *
          *  If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
@@ -319,7 +319,7 @@ This is the settings.json file:
          *  'sha1' is the default value.
          *
          *  Notice that if you want to validate any SAML Message sent by the HTTP-Redirect binding, you
-         *  will need to provide the whole x509cert.
+         *  will need to provide the whole X.509cert.
          */
         // "certFingerprint": "",
         // "certFingerprintAlgorithm": "sha1",
@@ -328,7 +328,7 @@ This is the settings.json file:
          * signing/encryption, or is under key rollover phase and
          * more than one certificate is published on IdP metadata.
          * In order to handle that the toolkit offers that parameter.
-         * (when used, 'x509cert' and 'certFingerprint' values are
+         * (when used, 'X.509cert' and 'certFingerprint' values are
          * ignored).
          */
         // 'x509certMulti': {
@@ -343,7 +343,7 @@ This is the settings.json file:
 }
 ```
 
-In addition to the required settings data (idp, sp), extra settings can be defined in `advanced_settings.json`:
+In addition to the required settings data (IdP, SP), extra settings can be defined in `advanced_settings.json`:
 
 ```javascript
 {
@@ -459,11 +459,11 @@ In addition to the required settings data (idp, sp), extra settings can be defin
 }
 ```
 
-In the security section, you can set the way that the SP will handle the messages and assertions. Contact the admin of the IdP and ask them what the IdP expects, and decide what validations will handle the SP and what requirements the SP will have and communicate them to the IdP's admin too.
+In the ``security`` section, you can set the way that the SP will handle the messages and assertions. Contact the admin of the IdP and ask them what the IdP expects, and decide what validations will handle the SP and what requirements the SP will have and communicate them to the IdP's admin too.
 
 Once we know what kind of data could be configured, let's talk about the way settings are handled within the toolkit.
 
-The settings files described (settings.json and advanced_settings.json) are loaded by the toolkit if not other dict with settings info is provided in the constructors of the toolkit. Let's see some examples.
+The settings files described (``settings.json`` and ``advanced_settings.json``) are loaded by the toolkit if not other dict with settings info is provided in the constructors of the toolkit. Let's see some examples.
 
 ```python
 # Initializes toolkit with settings.json & advanced_settings.json files.
@@ -483,7 +483,7 @@ auth = OneLogin_Saml2_Auth(req, settings_data)
 settings = OneLogin_Saml2_Settings(settings_data)
 ```
 
-You can declare the settings_data in the file that contains the constructor execution or locate them in any file and load the file in order to get the dict available as we see in the following example:
+You can declare the ``settings_data`` in the file that contains the constructor execution or locate them in any file and load the file in order to get the dict available as we see in the following example:
 
 ```python
 filename = "/var/www/django-project/custom_settings.json" # The custom_settings.json contains a
@@ -506,9 +506,9 @@ Using ````parse_remote```` IdP metadata can be obtained and added to the setting
 idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata')
 ``
 
-If the Metadata contains several entities, the relevant EntityDescriptor can be specified when retrieving the settings from the IdpMetadataParser by its Entity Id value:
+If the Metadata contains several entities, the relevant ``EntityDescriptor`` can be specified when retrieving the settings from the ``IdpMetadataParser`` by its ``entityId`` value:
 
-idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(https://example.com/metadatas, entity_id='idp_entity_id')
+``idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(https://example.com/metadatas, entity_id='idp_entity_id')``
 
 
 #### How load the library ####
@@ -524,7 +524,7 @@ from onelogin.saml2.utils import OneLogin_Saml2_Utils
 
 #### The Request ####
 
-Building a OneLogin\_Saml2\_Auth object requires a 'request' parameter.
+Building a ``OneLogin\_Saml2\_Auth`` object requires a ``request`` parameter:
 
 ```python
 auth = OneLogin_Saml2_Auth(req)
@@ -548,7 +548,7 @@ req = {
 }
 ```
 
-Each python framework builds its own request object, you may map its data to match what the saml toolkit expects.
+Each Python framework builds its own ``request`` object, you may map its data to match what the SAML toolkit expects.
 Let`s see some examples:
 
 ```python
@@ -574,7 +574,7 @@ def prepare_from_flask_request(request):
 
 An explanation of some advanced request parameters:
 
-* `https` - Defaults to "off". Set this to "on" if you receive responses over HTTPS.
+* `https` - Defaults to ``off``. Set this to ``on`` if you receive responses over HTTPS.
 
 * `lowercase_urlencoding` - Defaults to `false`. ADFS users should set this to `true`.
 
@@ -585,7 +585,7 @@ An explanation of some advanced request parameters:
 
 #### Initiate SSO ####
 
-In order to send an AuthNRequest to the IdP:
+In order to send an ``AuthNRequest`` to the IdP:
 
 ```python
 from onelogin.saml2.auth import OneLogin_Saml2_Auth
@@ -597,11 +597,11 @@ auth = OneLogin_Saml2_Auth(req)   # Constructor of the SP, loads settings.json
 auth.login()      # Method that builds and sends the AuthNRequest
 ```
 
-The AuthNRequest will be sent signed or unsigned based on the security info of the advanced_settings.json ('authnRequestsSigned').
+The ``AuthNRequest`` will be sent signed or unsigned based on the security info of the ``advanced_settings.json`` file (i.e. ``authnRequestsSigned``).
 
-The IdP will then return the SAML Response to the user's client. The client is then forwarded to the Attribute Consumer Service of the SP with this information.
+The IdP will then return the SAML Response to the user's client. The client is then forwarded to the **Attribute Consumer Service (ACS)** of the SP with this information.
 
-We can set a 'return_to' url parameter to the login function and that will be converted as a 'RelayState' parameter:
+We can set a ``return_to`` url parameter to the login function and that will be converted as a ``RelayState`` parameter:
 
 ```python
 target_url = 'https://example.com'
@@ -609,13 +609,13 @@ auth.login(return_to=target_url)
 ```
 The login method can recieve 3 more optional parameters:
 
-* force_authn       When true the AuthNReuqest will set the ForceAuthn='true'
-* is_passive        When true the AuthNReuqest will set the Ispassive='true'
-* set_nameid_policy When true the AuthNReuqest will set a nameIdPolicy element.
+* ``force_authn``       When ``true``, the ``AuthNReuqest`` will set the ``ForceAuthn='true'``
+* ``is_passive``        When true, the ``AuthNReuqest`` will set the ``Ispassive='true'``
+* ``set_nameid_policy`` When true, the ``AuthNReuqest`` will set a ``nameIdPolicy`` element.
 
-If a match on the future SAMLResponse ID and the AuthNRequest ID to be sent is required, that AuthNRequest ID must to be extracted and stored for future validation, we can get that ID by
+If a match on the future ``SAMLResponse`` ID and the ``AuthNRequest`` ID to be sent is required, that ``AuthNRequest`` ID must to be extracted and stored for future validation, we can get that ID by
 
-auth.get_last_request_id()
+``auth.get_last_request_id()``
 
 #### The SP Endpoints ####
 
@@ -638,7 +638,7 @@ else:
     print("Error found on Metadata: %s" % (', '.join(errors)))
 ```
 
-The get_sp_metadata will return the metadata signed or not based on the security info of the advanced_settings.json ('signMetadata').
+The ``get_sp_metadata`` will return the metadata signed or not based on the security info of the ``advanced_settings.json`` (``signMetadata``).
 
 Before the XML metadata is exposed, a check takes place to ensure that the info to be provided is valid.
 
@@ -646,9 +646,9 @@ Instead of using the Auth object, you can directly use
 ```
 saml_settings = OneLogin_Saml2_Settings(settings=None, custom_base_path=None, sp_validation_only=True)
 ```
-to get the settings object and with the sp_validation_only=True parameter we will avoid the IdP Settings validation.
+to get the settings object and with the ``sp_validation_only=True`` parameter we will avoid the IdP settings validation.
 
-***Attribute Consumer Service(ACS)***
+***Attribute Consumer Service (ACS)***
 
 This code handles the SAML response that the IdP forwards to the SP through the user's client.
 
@@ -676,10 +676,10 @@ The SAML response is processed and then checked that there are no errors. It als
 
 At that point there are 2 possible alternatives:
 
-* If no RelayState is provided, we could show the user data in this view or however we wanted.
-* If RelayState is provided, a redirection takes place.
+* If no ``RelayState`` is provided, we could show the user data in this view or however we wanted.
+* If ``RelayState`` is provided, a redirection takes place.
 
-Notice that we saved the user data in the session before the redirection to have the user data available at the RelayState view.
+Notice that we saved the user data in the session before the redirection to have the user data available at the ``RelayState`` view.
 
 In order to retrieve attributes we use:
 
@@ -687,7 +687,7 @@ In order to retrieve attributes we use:
 attributes = auth.get_attributes();
 ```
 
-With this method we get a dict with all the user data provided by the IdP in the Assertion of the SAML Response.
+With this method we get a dict with all the user data provided by the IdP in the assertion of the SAML response.
 
 If we execute print attributes we could get:
 
@@ -711,7 +711,7 @@ print(attributes['cn'])
 print(auth.get_attribute('cn'))
 ```
 
-Before trying to get an attribute, check that the user is authenticated. If the user isn't authenticated, an empty dict will be returned. For example, if we call to get_attributes before a auth.process_response, the get_attributes() will return an empty dict.
+Before trying to get an attribute, check that the user is authenticated. If the user isn't authenticated, an empty dict will be returned. For example, if we call to ``get_attributes`` before a ``auth.process_response``, the ``get_attributes()`` will return an empty dict.
 
 
 ***Single Logout Service (SLS)***
@@ -772,7 +772,7 @@ else:
     return self.redirect_to(self.get_slo_url(), parameters)
 ```
 
-If we don't want that process_slo to destroy the session, pass a true parameter to the process_slo method
+If we don't want that ``process_slo`` to destroy the session, pass a ``true`` parameter to the ``process_slo`` method:
 
 ```python
 keepLocalSession = true
@@ -783,11 +783,11 @@ auth.process_slo(keep_local_session=keepLocalSession);
 
 In order to send a Logout Request to the IdP:
 
-The Logout Request will be sent signed or unsigned based on the security info of the advanced_settings.json ('logoutRequestSigned').
+The Logout Request will be sent signed or unsigned based on the security info of the ``advanced_settings.json`` (``logoutRequestSigned``).
 
-The IdP will return the Logout Response through the user's client to the Single Logout Service of the SP.
+The IdP will return the Logout Response through the user's client to the Single Logout Service (SLS) of the SP.
 
-We can set a 'return_to' url parameter to the logout function and that will be converted as a 'RelayState' parameter:
+We can set a ``return_to`` url parameter to the logout function and that will be converted as a ``RelayState`` parameter:
 
 ```python
 target_url = 'https://example.com'
@@ -796,17 +796,17 @@ auth.logout(return_to=target_url)
 
 Also there are 4 optional parameters that can be set:
 
-* name_id. That will be used to build the LogoutRequest. If not name_id parameter is set and the auth object processed a
-SAML Response with a NameId, then this NameId will be used.
-* session_index. SessionIndex that identifies the session of the user.
-* nq. IDP Name Qualifier
-* name_id_format. The NameID Format that will be set in the LogoutRequest
+* ``name_id``: That will be used to build the ``LogoutRequest``. If no ``name_id`` parameter is set and the auth object processed a
+SAML Response with a ``NameId``, then this ``NameId`` will be used.
+* ``session_index``: ``SessionIndex`` that identifies the session of the user.
+* ``nq``: IDP Name Qualifier.
+* ``name_id_format``: The ``NameID`` Format that will be set in the ``LogoutRequest``.
 
-If no name_id is provided, the LogoutRequest will contain a NameID with the entity Format.
-If name_id is provided and no name_id_format is provided, the NameIDFormat of the settings will be used.
-If nq is provided, the SPNameQualifier will be also attached to the NameId.
+If no ``name_id`` is provided, the ``LogoutRequest`` will contain a ``NameID`` with the entity Format.
+If ``name_id`` is provided and no ``name_id_format`` is provided, the ``NameIDFormat`` of the settings will be used.
+If ``nq`` is provided, the ``SPNameQualifier`` will be also attached to the ``NameId``.
 
-If a match on the LogoutResponse ID and the LogoutRequest ID to be sent is required, that LogoutRequest ID must to be extracted and stored for future validation, we can get that ID by
+If a match on the ``LogoutResponse`` ID and the ``LogoutRequest`` ID to be sent is required, that ``LogoutRequest`` ID must to be extracted and stored for future validation, we can get that ID by:
 
 ```python
 auth.get_last_request_id()
@@ -814,7 +814,7 @@ auth.get_last_request_id()
 
 #### Example of a view that initiates the SSO request and handles the response (is the acs target) ####
 
-We can code a unique file that initiates the SSO process, handle the response, get the attributes, initiate the slo and processes the logout response.
+We can code a unique file that initiates the SSO process, handle the response, get the attributes, initiate the SLO and processes the logout response.
 
 Note: Review the demos, in a later section we explain the demo use case further in detail.
 
@@ -865,7 +865,7 @@ else:
 
 ### SP Key rollover ###
 
-If you plan to update the SP x509cert and privateKey you can define the new x509cert as settings['sp']['x509certNew'] and it will be
+If you plan to update the SP ``X.509cert`` and ``privateKey`` you can define the new ``X.509cert`` as ``settings['sp']['X.509certNew']`` and it will be
 published on the SP metadata so Identity Providers can read them and get ready for rollover.
 
 
@@ -874,20 +874,20 @@ published on the SP metadata so Identity Providers can read them and get ready f
 In some scenarios the IdP uses different certificates for
 signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
 
-In order to handle that the toolkit offers the settings['idp']['x509certMulti'] parameter.
+In order to handle that the toolkit offers the ``settings['idp']['X.509certMulti']`` parameter.
 
-When that parameter is used, 'x509cert' and 'certFingerprint' values will be ignored by the toolkit.
+When that parameter is used, ``X.509cert`` and ``certFingerprint`` values will be ignored by the toolkit.
 
-The 'x509certMulti' is an array with 2 keys:
-- 'signing'. An array of certs that will be used to validate IdP signature
-- 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP.
+The ``X.509certMulti`` is an array with 2 keys:
+- ``signing``: An array of certs that will be used to validate IdP signature
+- ``encryption``: An array with one unique cert that will be used to encrypt data to be sent to the IdP.
 
 
 ### Replay attacks ###
 
 In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.
 
-Get the ID of the last processed message/assertion with the get_last_message_id/get_last_assertion_id method of the Auth object.
+Get the ID of the last processed message/assertion with the ``get_last_message_id/get_last_assertion_id`` method of the ``Auth`` object.
 
 
 ### Main classes and methods ###
@@ -907,32 +907,32 @@ Main class of OneLogin Python Toolkit
 * ***is_authenticated*** Checks if the user is authenticated or not.
 * ***get_attributes*** Returns the set of SAML attributes.
 * ***get_attribute*** Returns the requested SAML attribute.
-* ***get_nameid*** Returns the nameID.
-* ***get_session_index*** Gets the SessionIndex from the AuthnStatement.
-* ***get_session_expiration*** Gets the SessionNotOnOrAfter from the AuthnStatement.
+* ***get_nameid*** Returns the ``nameID``.
+* ***get_session_index*** Gets the ``SessionIndex`` from the ``AuthnStatement``.
+* ***get_session_expiration*** Gets the ``SessionNotOnOrAfter`` from the ``AuthnStatement``.
 * ***get_errors*** Returns a list with code errors if something went wrong.
 * ***get_last_error_reason*** Returns the reason of the last error
 * ***get_sso_url*** Gets the SSO url.
 * ***get_slo_url*** Gets the SLO url.
-* ***get_last_request_id*** The ID of the last Request SAML message generated (AuthNRequest, LogoutRequest).
+* ***get_last_request_id*** The ID of the last Request SAML message generated (``AuthNRequest``, ``LogoutRequest``).
 * ***get_last_authn_contexts*** Returns the list of authentication contexts sent in the last SAML Response.
 * ***build_request_signature*** Builds the Signature of the SAML Request.
 * ***build_response_signature*** Builds the Signature of the SAML Response.
 * ***get_settings*** Returns the settings info.
 * ***set_strict*** Set the strict mode active/disable.
-* ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (AuthNRequest, LogoutRequest)
-* ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse had an encrypted assertion, decrypts it.
+* ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (``AuthNRequest``, ``LogoutRequest``)
+* ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (``SAMLResponse``, ``LogoutResponse``). If the SAMLResponse had an encrypted assertion, decrypts it.
 * ***get_last_message_id*** The ID of the last Response SAML message processed.
 * ***get_last_assertion_id*** The ID of the last assertion processed.
-* ***get_last_assertion_not_on_or_after*** The NotOnOrAfter value of the valid SubjectConfirmationData node (if any) of the last assertion processed (is only calculated with strict = true)
+* ***get_last_assertion_not_on_or_after*** The ``NotOnOrAfter`` value of the valid ``SubjectConfirmationData`` node (if any) of the last assertion processed (is only calculated with strict = true)
 
 #### OneLogin_Saml2_Auth - authn_request.py ####
 
 SAML 2 Authentication Request class
 
-* `__init__` This class handles an AuthNRequest. It builds an AuthNRequest object.
-* ***get_request*** Returns unsigned AuthnRequest.
-* ***get_id*** Returns the AuthNRequest ID.
+* `__init__` This class handles an ``AuthNRequest``. It builds an ``AuthNRequest`` object.
+* ***get_request*** Returns unsigned ``AuthnRequest``.
+* ***get_id*** Returns the ``AuthNRequest`` ID.
 * ***get_xml*** Returns the XML that will be sent as part of the request.
 
 #### OneLogin_Saml2_Response - response.py ####
@@ -946,28 +946,28 @@ SAML 2 Authentication Response class
 * ***get_issuers*** Gets the issuers (from message and from assertion)
 * ***get_nameid_data*** Gets the NameID Data provided by the SAML Response from the IdP (returns a dict)
 * ***get_nameid*** Gets the NameID provided by the SAML Response from the IdP (returns a string)
-* ***get_session_not_on_or_after*** Gets the SessionNotOnOrAfter from the AuthnStatement
-* ***get_session_index*** Gets the SessionIndex from the AuthnStatement
-* ***get_attributes*** Gets the Attributes from the AttributeStatement element.
+* ***get_session_not_on_or_after*** Gets the ``SessionNotOnOrAfter`` from the ``AuthnStatement``
+* ***get_session_index*** Gets the ``SessionIndex`` from the ``AuthnStatement``
+* ***get_attributes*** Gets the Attributes from the ``AttributeStatement`` element.
 * ***validate_num_assertions*** Verifies that the document only contains a single Assertion (encrypted or not)
 * ***validate_timestamps*** Verifies that the document is valid according to Conditions Element
 * ***get_error*** After execute a validation process, if fails this method returns the cause
 * ***get_xml_document*** Returns the SAML Response document (If contains an encrypted assertion, decrypts it).
 * ***get_id*** the ID of the response
 * ***get_assertion_id*** the ID of the assertion in the response
-* ***get_assertion_not_on_or_after*** the NotOnOrAfter value of the valid SubjectConfirmationData if any
+* ***get_assertion_not_on_or_after*** the ``NotOnOrAfter`` value of the valid ``SubjectConfirmationData`` if any
 
 #### OneLogin_Saml2_LogoutRequest - logout_request.py ####
 
 SAML 2 Logout Request class
 
 * `__init__` Constructs the Logout Request object.
-* ***get_request*** Returns the Logout Request defated, base64encoded.
+* ***get_request*** Returns the Logout Request deflated, base64-encoded.
 * ***get_id*** Returns the ID of the Logout Request. (If you have the object you can access to the id attribute)
 * ***get_nameid_data*** Gets the NameID Data of the the Logout Request (returns a dict).
 * ***get_nameid*** Gets the NameID of the Logout Request Message (returns a string).
 * ***get_issuer*** Gets the Issuer of the Logout Request Message.
-* ***get_session_indexes*** Gets the SessionIndexes from the Logout Request.
+* ***get_session_indexes*** Gets the ``SessionIndexes`` from the Logout Request.
 * ***is_valid*** Checks if the Logout Request recieved is valid.
 * ***get_error*** After execute a validation process, if fails this method returns the cause.
 * ***get_xml*** Returns the XML that will be sent as part of the request or that was received at the SP
@@ -979,7 +979,7 @@ SAML 2 Logout Response class
 * `__init__` Constructs a Logout Response object.
 * ***get_issuer*** Gets the Issuer of the Logout Response Message
 * ***get_status*** Gets the Status of the Logout Response.
-* ***is_valid*** Determines if the SAML LogoutResponse is valid
+* ***is_valid*** Determines if the SAML ``LogoutResponse`` is valid
 * ***build*** Creates a Logout Response object.
 * ***get_response*** Returns a Logout Response object.
 * ***get_error*** After execute a validation process, if fails this method returns the cause.
@@ -1001,11 +1001,11 @@ Configuration of the OneLogin Python Toolkit
 * ***get_lib_path*** Returns lib path.
 * ***get_ext_lib_path*** Returns external lib path.
 * ***get_schemas_path*** Returns schema path.
-* ***check_sp_certs*** Checks if the x509 certs of the SP exists and are valid.
-* ***get_sp_key*** Returns the x509 private key of the SP.
-* ***get_sp_cert*** Returns the x509 public cert of the SP.
-* ***get_sp_cert_new*** Returns the future x509 public cert of the SP.
-* ***get_idp_cert*** Returns the x509 public cert of the IdP.
+* ***check_sp_certs*** Checks if the X.509 certs of the SP exists and are valid.
+* ***get_sp_key*** Returns the X.509 private key of the SP.
+* ***get_sp_cert*** Returns the X.509 public cert of the SP.
+* ***get_sp_cert_new*** Returns the future X.509 public cert of the SP.
+* ***get_idp_cert*** Returns the X.509 public cert of the IdP.
 * ***get_sp_data*** Gets the SP data.
 * ***get_idp_data*** Gets the IdP data.
 * ***get_security_data***  Gets security data.
@@ -1017,7 +1017,7 @@ Configuration of the OneLogin Python Toolkit
 * ***format_sp_cert_new*** Formats the SP cert new.
 * ***format_sp_key*** Formats the private key.
 * ***set_strict*** Activates or deactivates the strict mode.
-* ***is_strict*** Returns if the 'strict' mode is active.
+* ***is_strict*** Returns if the ``strict`` mode is active.
 * ***is_debug_active*** Returns if the debug is active.
 
 #### OneLogin_Saml2_Metadata - metadata.py ####
@@ -1026,7 +1026,7 @@ A class that contains functionality related to the metadata of the SP
 
 * ***builder*** Generates the metadata of the SP based on the settings.
 * ***sign_metadata*** Signs the metadata with the key/cert provided.
-* ***add_x509_key_descriptors*** Adds the x509 descriptors (sign/encryption) to the metadata
+* ***add_X.509_key_descriptors*** Adds the X.509 descriptors (sign/encryption) to the metadata
 
 #### OneLogin_Saml2_Utils - utils.py ####
 
@@ -1034,7 +1034,7 @@ Auxiliary class that contains several methods
 
 * ***decode_base64_and_inflate*** Base64 decodes and then inflates according to RFC1951.
 * ***deflate_and_base64_encode*** Deflates and the base64 encodes a string.
-* ***format_cert*** Returns a x509 cert (adding header & footer if required).
+* ***format_cert*** Returns a X.509 cert (adding header & footer if required).
 * ***format_private_key*** Returns a private key (adding header & footer if required).
 * ***redirect*** Executes a redirection to the provided url (or return the target url).
 * ***get_self_url_host*** Returns the protocol + the current host + the port (if different than common ports).
@@ -1050,7 +1050,7 @@ Auxiliary class that contains several methods
 * ***parse_duration*** Interprets a ISO8601 duration value relative to a given timestamp.
 * ***get_expire_time*** Compares 2 dates and returns the earliest.
 * ***delete_local_session*** Deletes the local session.
-* ***calculate_x509_fingerprint*** Calculates the fingerprint of a x509cert.
+* ***calculate_X.509_fingerprint*** Calculates the fingerprint of a X.509 cert.
 * ***format_finger_print*** Formates a fingerprint.
 * ***generate_name_id*** Generates a nameID.
 * ***get_status*** Gets Status from a Response.
@@ -1080,12 +1080,12 @@ A class that contains methods to obtain and parse metadata from IdP
 * ***merge_settings*** Will update the settings with the provided new settings data extracted from the IdP metadata
 
 
-For more info, look at the source code; each method is documented and details about what does and how to use it are provided. Make sure to also check the doc folder where HTML documentation about the classes and methods is provided.
+For more info, look at the source code. Each method is documented and details about what does and how to use it are provided. Make sure to also check the doc folder where HTML documentation about the classes and methods is provided.
 
 Demos included in the toolkit
 -----------------------------
 
-The toolkit includes 2 demos to teach how use the toolkit (A django and a flask project), take a look on it.
+The toolkit includes 2 demos to teach how use the toolkit (A Django and a Flask project), take a look on it.
 Demos require that SP and IdP are well configured before test it, so edit the settings files.
 
 Notice that each python framework has it own way to handle routes/urls and process request, so focus on
@@ -1093,7 +1093,7 @@ how it deployed. New demos using other python frameworks are welcome as a contri
 
 ### Getting Started ###
 
-We said that this toolkit includes a django application demo and a flask application demo,
+We said that this toolkit includes a Django application demo and a Flask application demo,
 let's see how fast is it to deploy them.
 
 ***Virtualenv***
@@ -1150,40 +1150,40 @@ The flask project contains:
 
 * ***templates***. Is the folder where flask stores the templates of the project. It was implemented a base.html template that is extended by index.html and attrs.html, the templates of our simple demo that shows messages, user attributes when available and login and logout links.
 
-* ***saml*** Is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
+* ***saml*** Is a folder that contains the 'certs' folder that could be used to store the X.509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
 
 
 #### SP setup ####
 
-The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-flask it used the first method.
+The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: Settings files or define a setting dict. In the ``demo-flask``, it uses the first method.
 
-In the index.py file we define the app.config['SAML_PATH'], that will target to the 'saml' folder. We require it in order to load the settings files.
+In the ``index.py`` file we define the ``app.config['SAML_PATH']``, that will target to the ``saml`` folder. We require it in order to load the settings files.
 
-First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
+First we need to edit the ``saml/settings.json`` file, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the ``saml/advanced_settings.json`` files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
 
 #### IdP setup ####
 
-Once the SP is configured, the metadata of the SP is published at the /metadata url. Based on that info, configure the IdP.
+Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
 
 #### How it works ####
 
-1. First time you access to the main view 'http://localhost:8000', you can select to login and return to the same view or login and be redirected to /?attrs (attrs view).
+1. First time you access to the main view (http://localhost:8000), you can select to login and return to the same view or login and be redirected to ``/?attrs`` (attrs view).
 
  2. When you click:
 
-    2.1 in the first link, we access to /?sso (index view). An AuthNRequest is sent to the IdP, we authenticate at the IdP and then a Response is sent through the user's client to the SP, specifically the Assertion Consumer Service view: /?acs. Notice that a RelayState parameter is set to the url that initiated the process, the index view.
+    2.1 in the first link, we access to ``/?sso`` (index view). An ``AuthNRequest`` is sent to the IdP, we authenticate at the IdP and then a Response is sent through the user's client to the SP, specifically the Assertion Consumer Service view: ``/?acs``. Notice that a ``RelayState`` parameter is set to the url that initiated the process, the index view.
 
-    2.2 in the second link we access to /?attrs (attrs view), we will expetience have the same process described at 2.1 with the diference that as RelayState is set the attrs url.
+    2.2 in the second link we access to ``/?attrs`` (attrs view), we will expetience have the same process described at 2.1 with the diference that as ``RelayState`` is set the ``attrs`` url.
 
- 3. The SAML Response is processed in the ACS /?acs, if the Response is not valid, the process stops here and a message is shown. Otherwise we are redirected to the RelayState view. a) / or b) /?attrs
+ 3. The SAML Response is processed in the ACS ``/?acs``, if the Response is not valid, the process stops here and a message is shown. Otherwise we are redirected to the ``RelayState`` view. a) / or b) ``/?attrs``
 
  4. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality.
 
- The single log out funcionality could be tested by 2 ways.
+ The single log out functionality could be tested by 2 ways.
 
-    5.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that a Logout Request is sent to the IdP, the session at the IdP is closed and replies through the client to the SP with a Logout Response (sent to the Single Logout Service endpoint). The SLS endpoint /?sls of the SP process the Logout Response and if is valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP.
+    5.1 SLO Initiated by SP. Click on the ``logout`` link at the SP, after that a Logout Request is sent to the IdP, the session at the IdP is closed and replies through the client to the SP with a Logout Response (sent to the Single Logout Service endpoint). The SLS endpoint ``/?sls`` of the SP process the Logout Response and if is valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP.
 
-    5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP side, the logout process is initiated at the IdP, sends a Logout Request to the SP (SLS endpoint, /?sls). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and send a Logout Response to the IdP (to the SLS endpoint of the IdP). The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP.
+    5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP side, the logout process is initiated at the IdP, sends a Logout Request to the SP (SLS endpoint, ``/?sls``). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and send a Logout Response to the IdP (to the SLS endpoint of the IdP). The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP.
 
 Notice that all the SAML Requests and Responses are handled at a unique view (index) and how GET parameters are used to know the action that must be done.
 
@@ -1214,37 +1214,37 @@ If you want to integrate a production django application, take a look on this SA
 
 The django project contains:
 
-* ***manage.py***. A file that is automatically created in each Django project. Is a thin wrapper around django-admin.py that takes care of putting the project’s package on sys.path and sets the DJANGO_SETTINGS_MODULE environment variable.
+* ***manage.py***. A file that is automatically created in each Django project. Is a thin wrapper around django-admin.py that takes care of putting the project’s package on ``sys.path`` and sets the ``DJANGO_SETTINGS_MODULE`` environment variable.
 
-* ***saml*** Is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
+* ***saml*** Is a folder that contains the 'certs' folder that could be used to store the X.509 public and private key, and the saml toolkit settings (``settings.json`` and ``advanced_settings.json``).
 
 * ***demo*** Is the main folder of the django project, that contains the typical files:
-  * ***settings.py*** Contains the default parameters of a django project except the SAML_FOLDER parameter, that may contain the path where is located the 'saml' folder.
-  * ***urls.py*** A file that define url routes. In the demo we defined '/' that is related to the index view, '/attrs' that is related with the attrs view and '/metadata', related to th metadata view.
+  * ***settings.py*** Contains the default parameters of a django project except the ``SAML_FOLDER`` parameter, that may contain the path where is located the ``saml`` folder.
+  * ***urls.py*** A file that define url routes. In the demo we defined ``'/'`` that is related to the index view, ``'/attrs'`` that is related with the attrs view and ``'/metadata'``, related to the metadata view.
   * ***views.py*** This file contains the views of the django project and some aux methods.
   * ***wsgi.py*** A file that let as deploy django using WSGI, the Python standard for web servers and applications.
 
-* ***templates***. Is the folder where django stores the templates of the project. It was implemented a base.html template that is extended by index.html and attrs.html, the templates of our simple demo that shows messages, user attributes when available and login and logout links.
+* ***templates***. Is the folder where django stores the templates of the project. It was implemented a ``base.html`` template that is extended by ``index.html`` and ``attrs.html``, the templates of our simple demo that shows messages, user attributes when available and login and logout links.
 
 #### SP setup ####
 
 The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-django it used the first method.
 
-After set the SAML_FOLDER in the demo/settings.py, the settings of the python toolkit will be loaded on the django web.
+After set the ``SAML_FOLDER`` in the ``demo/settings.py``, the settings of the Python toolkit will be loaded on the Django web.
 
-First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
+First we need to edit the ``saml/settings.json``, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the ``saml/advanced_settings.json`` files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
 
 #### IdP setup ####
 
-Once the SP is configured, the metadata of the SP is published at the /metadata url. Based on that info, configure the IdP.
+Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
 
 #### How it works ####
 
-This demo works very similar to the flask-demo (We did it intentionally).
+This demo works very similar to the ``flask-demo`` (We did it intentionally).
 
 ### Getting up and running on Heroku ###
 
-Getting python3-saml up and running on Heroku will require some extra legwork: python3-saml depends on python-xmlsec which depends on headers from the xmlsec1-dev linux package to install correctly.
+Getting ``python3-saml`` up and running on Heroku will require some extra legwork: ``python3-saml`` depends on ``python-xmlsec`` which depends on headers from the ``xmlsec1-dev`` Linux package to install correctly.
 
 First you will need to add the ```apt``` buildpack to your build server:
 
@@ -1253,7 +1253,7 @@ heroku buildpacks:set --index=1 -a your-app https://github.com/ABASystems/heroku
 heroku buildpacks:set --index=2 -a your-app https://github.com/ABASystems/heroku-buildpack-python
 ```
 
-You can confirm the buildpacks have been added in the correct order with ```heroku buildpacks -a your-app```, you should see the apt buildpack first followed by the python buildpack.
+You can confirm the buildpacks have been added in the correct order with ```heroku buildpacks -a your-app```, you should see the apt buildpack first followed by the Python buildpack.
 
 Then add an ```Aptfile``` into the root of your repository containing the ```libxmlsec1-dev``` package, the file should look like:
 ```
@@ -1261,7 +1261,7 @@ libxmlsec1-dev
 
 ```
 
-Finally, add python3-saml to your requrements.txt and ```git push``` to trigger a build.
+Finally, add ``python3-saml`` to your ``requirements.txt`` and ```git push``` to trigger a build.
 
 ### Demo Pyramid ###
 
@@ -1301,34 +1301,34 @@ The Pyramid project contains:
 
 * ***views.py*** is where all the SAML handling takes place.
 
-* ***templates*** is the folder where Pyramid stores the templates of the project. It was implemented a layout.jinja2 template that is extended by index.jinja2 and attrs.jinja2, the templates of our simple demo that shows messages, user attributes when available and login and logout links.
+* ***templates*** is the folder where Pyramid stores the templates of the project. It was implemented a ``layout.jinja2`` template that is extended by ``index.jinja2`` and ``attrs.jinja2``, the templates of our simple demo that shows messages, user attributes when available and login and logout links.
 
-* ***saml*** is a folder that contains the 'certs' folder that could be used to store the x509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
+* ***saml*** is a folder that contains the 'certs' folder that could be used to store the X.509 public and private key, and the saml toolkit settings (``settings.json`` and ``advanced_settings.json``).
 
 
 #### SP setup ####
 
-The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In demo_pyramid the first method is used.
+The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In ``demo_pyramid`` the first method is used.
 
-In the views.py file we define the SAML_PATH, which will target the 'saml' folder. We require it in order to load the settings files.
+In the ``views.py`` file we define the ``SAML_PATH``, which will target the ``saml`` folder. We require it in order to load the settings files.
 
-First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
+First we need to edit the ``saml/settings.json``, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the ``saml/advanced_settings.json`` files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
 
 #### IdP setup ####
 
-Once the SP is configured, the metadata of the SP is published at the /metadata/ url. Based on that info, configure the IdP.
+Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
 
 #### How it works ####
 
-1. First time you access to the main view 'http://localhost:6543', you can select to login and return to the same view or login and be redirected to /?attrs (attrs view).
+1. First time you access to the main view (http://localhost:6543), you can select to login and return to the same view or login and be redirected to ``/?attrs`` (attrs view).
 
  2. When you click:
 
-    2.1 in the first link, we access to /?sso (index view). An AuthNRequest is sent to the IdP, we authenticate at the IdP and then a Response is sent through the user's client to the SP, specifically the Assertion Consumer Service view: /?acs. Notice that a RelayState parameter is set to the url that initiated the process, the index view.
+    2.1 in the first link, we access to ``/?sso`` (index view). An ``AuthNRequest`` is sent to the IdP, we authenticate at the IdP and then a Response is sent through the user's client to the SP, specifically the Assertion Consumer Service view: ``/?acs``. Notice that a ``RelayState`` parameter is set to the url that initiated the process, the index view.
 
-    2.2 in the second link we access to /?attrs (attrs view), we will expetience have the same process described at 2.1 with the diference that as RelayState is set the attrs url.
+    2.2 in the second link we access to ``/?attrs`` (attrs view), we will experience the same process described at 2.1 with the diference that as ``RelayState`` is set the ``attrs`` url.
 
- 3. The SAML Response is processed in the ACS /?acs, if the Response is not valid, the process stops here and a message is shown. Otherwise we are redirected to the RelayState view. a) / or b) /?attrs
+ 3. The SAML Response is processed in the ACS ``/?acs``, if the Response is not valid, the process stops here and a message is shown. Otherwise we are redirected to the ``RelayState`` view. a) ``/`` or b) ``/?attrs``
 
  4. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality.
 

From 771072e2ae1380acde4ec6af2d7b46b96dccfd2d Mon Sep 17 00:00:00 2001
From: O-P Lamminen 
Date: Wed, 20 Feb 2019 15:08:45 +0200
Subject: [PATCH 108/331] Updating cert in testshib metadata to match the one
 validated by unit tests, allowing remote IdP tests to pass also when offline.

---
 tests/data/metadata/testshib-providers.xml | 39 ++++++++++------------
 1 file changed, 17 insertions(+), 22 deletions(-)

diff --git a/tests/data/metadata/testshib-providers.xml b/tests/data/metadata/testshib-providers.xml
index c00a1b77..47c2a873 100644
--- a/tests/data/metadata/testshib-providers.xml
+++ b/tests/data/metadata/testshib-providers.xml
@@ -37,28 +37,23 @@
                 
                     
                         
-                            MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
-                            MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
-                            VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
-                            MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
-                            EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
-                            c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
-                            AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
-                            yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
-                            3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
-                            NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
-                            kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
-                            gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
-                            A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
-                            9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
-                            bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
-                            aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
-                            BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
-                            I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
-                            93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
-                            /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
-                            Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
-                            8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
+                            MIIDAzCCAeugAwIBAgIVAPX0G6LuoXnKS0Muei006mVSBXbvMA0GCSqGSIb3DQEB
+                            CwUAMBsxGTAXBgNVBAMMEGlkcC50ZXN0c2hpYi5vcmcwHhcNMTYwODIzMjEyMDU0
+                            WhcNMzYwODIzMjEyMDU0WjAbMRkwFwYDVQQDDBBpZHAudGVzdHNoaWIub3JnMIIB
+                            IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9C4J2DiRTEhJAWzPt1S3ryh
+                            m3M2P3hPpwJwvt2q948vdTUxhhvNMuc3M3S4WNh6JYBs53R+YmjqJAII4ShMGNEm
+                            lGnSVfHorex7IxikpuDPKV3SNf28mCAZbQrX+hWA+ann/uifVzqXktOjs6DdzdBn
+                            xoVhniXgC8WCJwKcx6JO/hHsH1rG/0DSDeZFpTTcZHj4S9MlLNUtt5JxRzV/MmmB
+                            3ObaX0CMqsSWUOQeE4nylSlp5RWHCnx70cs9kwz5WrflnbnzCeHU2sdbNotBEeTH
+                            ot6a2cj/pXlRJIgPsrL/4VSicPZcGYMJMPoLTJ8mdy6mpR6nbCmP7dVbCIm/DQID
+                            AQABoz4wPDAdBgNVHQ4EFgQUUfaDa2mPi24x09yWp1OFXmZ2GPswGwYDVR0RBBQw
+                            EoIQaWRwLnRlc3RzaGliLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEASKKgqTxhqBzR
+                            OZ1eVy++si+eTTUQZU4+8UywSKLia2RattaAPMAcXUjO+3cYOQXLVASdlJtt+8QP
+                            dRkfp8SiJemHPXC8BES83pogJPYEGJsKo19l4XFJHPnPy+Dsn3mlJyOfAa8RyWBS
+                            80u5lrvAcr2TJXt9fXgkYs7BOCigxtZoR8flceGRlAZ4p5FPPxQR6NDYb645jtOT
+                            MVr3zgfjP6Wh2dt+2p04LG7ENJn8/gEwtXVuXCsPoSCDx9Y0QmyXTJNdV1aB0AhO
+                            RkWPlFYwp+zOyOIR+3m1+pqWFpn0eT/HrxpdKa74FA3R2kq4R7dXe4G0kUgXTdqX
+                            MLRKhDgdmA==
                         
                     
                 

From f610a8ad5f32e9c064dceb5ef1a631c6158bcb6d Mon Sep 17 00:00:00 2001
From: Heewa Barfchin 
Date: Tue, 19 Mar 2019 12:04:00 -0400
Subject: [PATCH 109/331] Update Heroku instructions

* Use `heroku buildpacks:add` instead of `:set` so existing buildpacks aren't overwritten
* Replace deprecated ABASystems' apt buildpack (redirects to uptick/heroku-buildpack-apt, which hasn't been updated in 3 years, forked from ddollar/heroku-buildpack-apt, which explicitly says it's deprecated) with Heroku's (https://github.com/heroku/heroku-buildpack-apt)
* Replace ABASystems' python buildpack with Heroku's (heroku/python)
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 55b1d7e3..2b25f961 100644
--- a/README.md
+++ b/README.md
@@ -1249,8 +1249,8 @@ Getting ``python3-saml`` up and running on Heroku will require some extra legwor
 First you will need to add the ```apt``` buildpack to your build server:
 
 ```
-heroku buildpacks:set --index=1 -a your-app https://github.com/ABASystems/heroku-buildpack-apt
-heroku buildpacks:set --index=2 -a your-app https://github.com/ABASystems/heroku-buildpack-python
+heroku buildpacks:add --index=1 -a your-app heroku-community/apt
+heroku buildpacks:add --index=2 -a your-app heroku/python
 ```
 
 You can confirm the buildpacks have been added in the correct order with ```heroku buildpacks -a your-app```, you should see the apt buildpack first followed by the Python buildpack.

From 5946ea6398b45ae87cf8ab3a3ff3530baed950e3 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 2 Apr 2019 13:12:22 +0200
Subject: [PATCH 110/331] Add support for Subjects on AuthNRequests by the new
 name_id_value_req parameter

---
 README.md                                     | 20 ++++----
 src/onelogin/saml2/auth.py                    |  7 ++-
 src/onelogin/saml2/authn_request.py           | 14 +++++-
 src/onelogin/saml2/xml_templates.py           |  2 +-
 tests/src/OneLogin/saml2_tests/auth_test.py   | 46 +++++++++++++++++--
 .../saml2_tests/authn_request_test.py         | 31 +++++++++++++
 6 files changed, 103 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 2b25f961..404712e2 100644
--- a/README.md
+++ b/README.md
@@ -151,7 +151,7 @@ If our environment requires sign or encrypt support, the certs folder may contai
 * sp.crt The public cert of the SP
 * sp.key The private key of the SP
 
-Or also we can provide those data in the setting file at the ``X.509cert`` and the ``privateKey`` JSON parameters of the ``sp`` element.
+Or also we can provide those data in the setting file at the ``x509cert`` and the ``privateKey`` JSON parameters of the ``sp`` element.
 
 Sometimes we could need a signature on the metadata published by the SP, in this case we could use the X.509 cert previously mentioned or use a new X.509 cert: ``metadata.crt`` and ``metadata.key``.
 
@@ -161,7 +161,7 @@ publish that X.509 certificate on Service Provider metadata.
 If you want to create self-signed certs, you can do it at the https://www.samltool.com/self_signed_certs.php service, or using the command:
 
 ```bash
-openssl req -new -X.509 -days 3652 -nodes -out sp.crt -keyout saml.key
+openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout saml.key
 ```
 
 #### demo-flask ####
@@ -264,7 +264,7 @@ This is the ``settings.json`` file:
         // represent the requested subject.
         // Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
         "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
-        // Usually X.509cert and privateKey of the SP are provided by files placed at
+        // Usually X.509 cert and privateKey of the SP are provided by files placed at
         // the certs folder. But we can also provide them with the following parameters
         "x509cert": "",
         "privateKey": ""
@@ -310,7 +310,7 @@ This is the ``settings.json`` file:
          *  But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
          *  that why we don't recommend it use for production environments.
          *
-         *  (openssl X.509 -noout -fingerprint -in "idp.crt" to generate it,
+         *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *  or add for example the -sha256 , -sha384 or -sha512 parameter)
          *
          *  If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
@@ -343,7 +343,7 @@ This is the ``settings.json`` file:
 }
 ```
 
-In addition to the required settings data (IdP, SP), extra settings can be defined in `advanced_settings.json`:
+In addition to the required settings data (idp, sp), extra settings can be defined in `advanced_settings.json`:
 
 ```javascript
 {
@@ -865,7 +865,7 @@ else:
 
 ### SP Key rollover ###
 
-If you plan to update the SP ``X.509cert`` and ``privateKey`` you can define the new ``X.509cert`` as ``settings['sp']['X.509certNew']`` and it will be
+If you plan to update the SP ``x509cert`` and ``privateKey`` you can define the new ``x509cert`` as ``settings['sp']['x509certNew']`` and it will be
 published on the SP metadata so Identity Providers can read them and get ready for rollover.
 
 
@@ -874,11 +874,11 @@ published on the SP metadata so Identity Providers can read them and get ready f
 In some scenarios the IdP uses different certificates for
 signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
 
-In order to handle that the toolkit offers the ``settings['idp']['X.509certMulti']`` parameter.
+In order to handle that the toolkit offers the ``settings['idp']['x509certMulti']`` parameter.
 
-When that parameter is used, ``X.509cert`` and ``certFingerprint`` values will be ignored by the toolkit.
+When that parameter is used, ``x509cert`` and ``certFingerprint`` values will be ignored by the toolkit.
 
-The ``X.509certMulti`` is an array with 2 keys:
+The ``x509certMulti`` is an array with 2 keys:
 - ``signing``: An array of certs that will be used to validate IdP signature
 - ``encryption``: An array with one unique cert that will be used to encrypt data to be sent to the IdP.
 
@@ -1026,7 +1026,7 @@ A class that contains functionality related to the metadata of the SP
 
 * ***builder*** Generates the metadata of the SP based on the settings.
 * ***sign_metadata*** Signs the metadata with the key/cert provided.
-* ***add_X.509_key_descriptors*** Adds the X.509 descriptors (sign/encryption) to the metadata
+* ***add_x509_key_descriptors*** Adds the X.509 descriptors (sign/encryption) to the metadata
 
 #### OneLogin_Saml2_Utils - utils.py ####
 
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 106aabd8..5d6aa84f 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -327,7 +327,7 @@ def get_last_authn_contexts(self):
         """
         return self.__last_authn_contexts
 
-    def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True):
+    def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
         """
         Initiates the SSO process.
 
@@ -343,10 +343,13 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
         :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
         :type set_nameid_policy: bool
 
+        :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
+        :type name_id_value_req: string
+
         :returns: Redirection URL
         :rtype: string
         """
-        authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive, set_nameid_policy)
+        authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive, set_nameid_policy, name_id_value_req)
         self.__last_request = authn_request.get_xml()
         self.__last_request_id = authn_request.get_id()
 
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 2a1eda88..57da1561 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -22,7 +22,7 @@ class OneLogin_Saml2_Authn_Request(object):
 
     """
 
-    def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True):
+    def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
         """
         Constructs the AuthnRequest object.
 
@@ -37,6 +37,9 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
         :type set_nameid_policy: bool
+
+        :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
+        :type name_id_value_req: string
         """
         self.__settings = settings
 
@@ -71,6 +74,14 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
         if is_passive is True:
             is_passive_str = "\n" + '    IsPassive="true"'
 
+        subject_str = ''
+        if name_id_value_req:
+            subject_str = """
+    
+        %s
+        
+    """ % (sp_data['NameIDFormat'], name_id_value_req)
+
         nameid_policy_str = ''
         if set_nameid_policy:
             name_id_policy_format = sp_data['NameIDFormat']
@@ -112,6 +123,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
                 'destination': destination,
                 'assertion_url': sp_data['assertionConsumerService']['url'],
                 'entity_id': sp_data['entityId'],
+                'subject_str': subject_str,
                 'nameid_policy_str': nameid_policy_str,
                 'requested_authn_context_str': requested_authn_context_str,
                 'attr_consuming_service_str': attr_consuming_service_str,
diff --git a/src/onelogin/saml2/xml_templates.py b/src/onelogin/saml2/xml_templates.py
index 99025546..ec4f6260 100644
--- a/src/onelogin/saml2/xml_templates.py
+++ b/src/onelogin/saml2/xml_templates.py
@@ -29,7 +29,7 @@ class OneLogin_Saml2_Templates(object):
   Destination="%(destination)s"
   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
-    %(entity_id)s%(nameid_policy_str)s
+    %(entity_id)s%(subject_str)s%(nameid_policy_str)s
 %(requested_authn_context_str)s
 """
 
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 2a2b557c..02193ee2 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -609,7 +609,7 @@ def testLoginSigned(self):
     def testLoginForceAuthN(self):
         """
         Tests the login method of the OneLogin_Saml2_Auth class
-        Case Logout with no parameters. A AuthN Request is built with ForceAuthn and redirect executed
+        Case AuthN Request is built with ForceAuthn and redirect executed
         """
         settings_info = self.loadSettingsJSON()
         return_to = u'http://example.com/returnto'
@@ -642,7 +642,7 @@ def testLoginForceAuthN(self):
     def testLoginIsPassive(self):
         """
         Tests the login method of the OneLogin_Saml2_Auth class
-        Case Logout with no parameters. A AuthN Request is built with IsPassive and redirect executed
+        Case AuthN Request is built with IsPassive and redirect executed
         """
         settings_info = self.loadSettingsJSON()
         return_to = u'http://example.com/returnto'
@@ -676,7 +676,7 @@ def testLoginIsPassive(self):
     def testLoginSetNameIDPolicy(self):
         """
         Tests the login method of the OneLogin_Saml2_Auth class
-        Case Logout with no parameters. A AuthN Request is built with and without NameIDPolicy
+        Case AuthN Request is built with and without NameIDPolicy
         """
         settings_info = self.loadSettingsJSON()
         return_to = u'http://example.com/returnto'
@@ -707,6 +707,46 @@ def testLoginSetNameIDPolicy(self):
         request_3 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_3['SAMLRequest'][0]))
         self.assertNotIn('', request)
+        self.assertNotIn('', request_2)
+        self.assertIn('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser@example.com', request_2)
+        self.assertIn('', request_2)
+
+        settings_info['sp']['NameIDFormat'] = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+        auth_3 = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        target_url_3 = auth_3.login(return_to, name_id_value_req='testuser@example.com')
+        parsed_query_3 = parse_qs(urlparse(target_url_3)[4])
+        self.assertIn(sso_url, target_url_3)
+        self.assertIn('SAMLRequest', parsed_query_3)
+        request_3 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(parsed_query_3['SAMLRequest'][0]))
+        self.assertIn('', request_3)
+        self.assertIn('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com', request_3)
+        self.assertIn('', request_3)
+
     def testLogout(self):
         """
         Tests the logout method of the OneLogin_Saml2_Auth class
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
index 71c99539..3f1262f2 100644
--- a/tests/src/OneLogin/saml2_tests/authn_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -257,6 +257,37 @@ def testCreateRequestSetNameIDPolicy(self):
         self.assertRegex(inflated_3, '^', inflated)
+
+        authn_request_2 = OneLogin_Saml2_Authn_Request(settings, name_id_value_req='testuser@example.com')
+        authn_request_encoded_2 = authn_request_2.get_request()
+        inflated_2 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded_2))
+        self.assertRegex(inflated_2, '^', inflated_2)
+        self.assertIn('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser@example.com', inflated_2)
+        self.assertIn('', inflated_2)
+
+        saml_settings['sp']['NameIDFormat'] = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+        settings = OneLogin_Saml2_Settings(saml_settings)
+        authn_request_3 = OneLogin_Saml2_Authn_Request(settings, name_id_value_req='testuser@example.com')
+        authn_request_encoded_3 = authn_request_3.get_request()
+        inflated_3 = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(authn_request_encoded_3))
+        self.assertRegex(inflated_3, '^', inflated_3)
+        self.assertIn('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com', inflated_3)
+        self.assertIn('', inflated_3)
+
     def testCreateDeflatedSAMLRequestURLParameter(self):
         """
         Tests the OneLogin_Saml2_Authn_Request Constructor.

From ce81bcb924de4cab85d84876d3b8979d32fa7a47 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 10 Apr 2019 00:27:34 +0200
Subject: [PATCH 111/331] Release 1.6.0

---
 changelog.md | 5 +++++
 setup.py     | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 32a386e7..42466c4b 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,9 @@
 # python3-saml changelog
+### 1.6.0 (Apr 10, 2019)
+* Add support for Subjects on AuthNRequests by the new name_id_value_req parameter
+* [#127](https://github.com/onelogin/python3-saml/pull/127) Fix for SLO when XML specifies encoding
+* [#126](https://github.com/onelogin/python3-saml/pull/126) Fixed setting NameFormat attribute for AttributeValue tags
+
 ### 1.5.0 (Jan 29, 2019)
 * Security improvements. Use of tagid to prevent XPath injection. Disable DTD on fromstring defusedxml method
 * [#97](https://github.com/onelogin/python3-saml/pull/97) Check that the response has all of the AuthnContexts that we provided
diff --git a/setup.py b/setup.py
index 2946d386..65ff747e 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.5.0',
+    version='1.6.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From 7b427fe284007574285f8a3076b58c2c8f78e668 Mon Sep 17 00:00:00 2001
From: davideZanin 
Date: Tue, 23 Apr 2019 11:41:56 +0200
Subject: [PATCH 112/331] demo-tornado initial commit

---
 demo-tornado/Docs/DEVELOPING.md               |  82 +++++++++
 demo-tornado/README.txt                       |   7 +
 demo-tornado/Settings.py                      |   6 +
 demo-tornado/requirements.txt                 |  13 ++
 .../saml/advanced_settings (copia).json       |  33 ++++
 demo-tornado/saml/advanced_settings.json      |  36 ++++
 demo-tornado/saml/certs/README                |  13 ++
 demo-tornado/saml/settings (copia).json       |  30 ++++
 .../saml/settings (seconda copia).json        |  30 ++++
 demo-tornado/saml/settings.json               |  30 ++++
 demo-tornado/templates/attrs.html             |  35 ++++
 demo-tornado/templates/base.html              |  26 +++
 demo-tornado/templates/index.html             |  66 +++++++
 demo-tornado/views.py                         | 167 ++++++++++++++++++
 14 files changed, 574 insertions(+)
 create mode 100644 demo-tornado/Docs/DEVELOPING.md
 create mode 100644 demo-tornado/README.txt
 create mode 100644 demo-tornado/Settings.py
 create mode 100644 demo-tornado/requirements.txt
 create mode 100644 demo-tornado/saml/advanced_settings (copia).json
 create mode 100644 demo-tornado/saml/advanced_settings.json
 create mode 100644 demo-tornado/saml/certs/README
 create mode 100644 demo-tornado/saml/settings (copia).json
 create mode 100644 demo-tornado/saml/settings (seconda copia).json
 create mode 100644 demo-tornado/saml/settings.json
 create mode 100644 demo-tornado/templates/attrs.html
 create mode 100644 demo-tornado/templates/base.html
 create mode 100644 demo-tornado/templates/index.html
 create mode 100644 demo-tornado/views.py

diff --git a/demo-tornado/Docs/DEVELOPING.md b/demo-tornado/Docs/DEVELOPING.md
new file mode 100644
index 00000000..27ba1243
--- /dev/null
+++ b/demo-tornado/Docs/DEVELOPING.md
@@ -0,0 +1,82 @@
+# OneLogin's SAML Python Toolkit (compatible with Python3)
+
+Installation
+------------
+
+### Dependencies ###
+
+ *  python 3.6
+ * apt-get install libxml2-dev libxmlsec1-dev libxmlsec1-openssl
+ * pip install xmlsec
+ * pip install isodate
+ * pip install defusedxml
+ * pip install python3-saml
+ * pip install tornado
+
+
+***Virtualenv***
+
+The use of virtualenv/virtualenvwrapper is highly recommended.
+
+### Create certificates ###
+
+in saml/cert run :
+ * openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
+ * openssl req -new -x509 -days 3652 -nodes -out metadata.crt -keyout metadata.key
+
+### Useful extesion for SAML messages ###
+* [SAML Chrome Panel 1.8.9](https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace/related)
+
+
+
+# Test with keycloack idp
+
+Installation
+------------
+
+### Install Docker ###
+* sudo apt-get remove docker docker-engine docker.io containerd runc
+
+* sudo apt-get update
+
+* sudo apt-get install \
+    apt-transport-https \
+    ca-certificates \
+    curl \
+    gnupg-agent \
+    software-properties-common
+* curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+
+* sudo add-apt-repository \
+   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+   $(lsb_release -cs) \
+   stable"
+
+* sudo apt-get update
+
+* sudo apt-get install docker-ce docker-ce-cli containerd.io
+
+* sudo docker run hello-world
+
+
+### Keycloack starting ###
+First run only:
+* docker run --name keycloackContainer -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=H2 jboss/keycloak
+
+After first run:
+* sudo docker start keycloackContainer
+
+Remember to stop keycloack after usage:
+* sudo docker stop keycloackContainer
+
+
+### Keycloack useful urls ###
+* master: http://localhost:8080/auth/admin
+* users: http://localhost:8080/auth/realms/idp_dacd/account/
+* saml request: http://localhost:8080/auth/realms/idp_dacd/protocol/saml
+* metadata: http://localhost:8080/auth/realms/idp_dacd/protocol/saml/descriptor
+
+
+
+
+
diff --git a/demo-tornado/README.txt b/demo-tornado/README.txt
new file mode 100644
index 00000000..dd4418ca
--- /dev/null
+++ b/demo-tornado/README.txt
@@ -0,0 +1,7 @@
+Fully-working tornado-demo.
+
+ABOUT ISSSUE
+This is only a demo, some issues about session still remain.
+
+PRODUCTION
+Remember also to disable debugging in production.
diff --git a/demo-tornado/Settings.py b/demo-tornado/Settings.py
new file mode 100644
index 00000000..4b80459a
--- /dev/null
+++ b/demo-tornado/Settings.py
@@ -0,0 +1,6 @@
+import os
+
+BASE_DIR = os.path.dirname(__file__)
+
+SAML_PATH = os.path.join(BASE_DIR, 'saml')
+TEMPLATE_PATH = os.path.join(BASE_DIR, 'templates')
diff --git a/demo-tornado/requirements.txt b/demo-tornado/requirements.txt
new file mode 100644
index 00000000..99192d20
--- /dev/null
+++ b/demo-tornado/requirements.txt
@@ -0,0 +1,13 @@
+Click==7.0
+defusedxml==0.5.0
+isodate==0.6.0
+itsdangerous==1.1.0
+Jinja2==2.10.1
+lxml==4.3.3
+MarkupSafe==1.1.1
+pkgconfig==1.5.1
+python3-saml==1.6.0
+six==1.12.0
+tornado==6.0.2
+Werkzeug==0.15.2
+xmlsec==1.3.3
diff --git a/demo-tornado/saml/advanced_settings (copia).json b/demo-tornado/saml/advanced_settings (copia).json
new file mode 100644
index 00000000..3115e17e
--- /dev/null
+++ b/demo-tornado/saml/advanced_settings (copia).json	
@@ -0,0 +1,33 @@
+{
+    "security": {
+        "nameIdEncrypted": false,
+        "authnRequestsSigned": false,
+        "logoutRequestSigned": false,
+        "logoutResponseSigned": false,
+        "signMetadata": false,
+        "wantMessagesSigned": false,
+        "wantAssertionsSigned": false,
+        "wantNameId" : true,
+        "wantNameIdEncrypted": false,
+        "wantAssertionsEncrypted": false,
+        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}
\ No newline at end of file
diff --git a/demo-tornado/saml/advanced_settings.json b/demo-tornado/saml/advanced_settings.json
new file mode 100644
index 00000000..e14e1170
--- /dev/null
+++ b/demo-tornado/saml/advanced_settings.json
@@ -0,0 +1,36 @@
+{
+    "security": {
+        "nameIdEncrypted": false,
+        "authnRequestsSigned": true,
+        "logoutRequestSigned": true,
+        "logoutResponseSigned": true,
+        "signMetadata": {
+                                            "keyFileName": "metadata.key",
+                                            "certFileName": "metadata.crt"
+                                         },
+        "wantMessagesSigned": false,
+        "wantAssertionsSigned": true,
+        "wantNameId" : true,
+        "wantNameIdEncrypted": false,
+        "wantAssertionsEncrypted": false,
+        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}
diff --git a/demo-tornado/saml/certs/README b/demo-tornado/saml/certs/README
new file mode 100644
index 00000000..7e837fb9
--- /dev/null
+++ b/demo-tornado/saml/certs/README
@@ -0,0 +1,13 @@
+Take care of this folder that could contain private key. Be sure that this folder never is published.
+
+Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as:
+
+ * sp.key     Private Key
+ * sp.crt     Public cert
+ * sp_new.crt Future Public cert
+
+
+Also you can use other cert to sign the metadata of the SP using the:
+
+ * metadata.key
+ * metadata.crt
diff --git a/demo-tornado/saml/settings (copia).json b/demo-tornado/saml/settings (copia).json
new file mode 100644
index 00000000..ec40b674
--- /dev/null
+++ b/demo-tornado/saml/settings (copia).json	
@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "https:///metadata/",
+        "assertionConsumerService": {
+            "url": "https:///?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "https:///?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "https://app.onelogin.com/saml/metadata/",
+        "singleSignOnService": {
+            "url": "https://app.onelogin.com/trust/saml2/http-post/sso/",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": ""
+    }
+}
diff --git a/demo-tornado/saml/settings (seconda copia).json b/demo-tornado/saml/settings (seconda copia).json
new file mode 100644
index 00000000..49a626b6
--- /dev/null
+++ b/demo-tornado/saml/settings (seconda copia).json	
@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "http://0.0.0.0:8000/metadata/",
+        "assertionConsumerService": {
+            "url": "http://0.0.0.0:8000/?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "http://0.0.0.0:8000/?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "http://localhost:8080/auth/realms/idp_dacd",
+        "singleSignOnService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "MIICnzCCAYcCBgFqC3f1FDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhpZHBfZGFjZDAeFw0xOTA0MTEwODE0MzJaFw0yOTA0MTEwODE2MTJaMBMxETAPBgNVBAMMCGlkcF9kYWNkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhRERlbbwUxabS4lnGFOpxBKACpcwQwOSvyCKD3bLDvzfQIRh1x3RDq+6xxBcdP86PKRYjwZc/64HYFUbe9FCDLf1SDQz7XTtpftydRrTUydVaj+3FHhyCLcLkJldMVneVMZWIXSzUISvcURL3sr6HVJ74Uy0KPPOo3vQQ6RRaNaB3RCdZaNbzxjbG5eBgSvWHGE+vkozHpS7y6LHXDP1wXenH65RRrat8PQ/Qp4WVi2U5rVfA2SFbcwohjaJ+vOYH+oARnk5a2IosAMHBtONorPnPrcV7MqUXX7q19hnlFRZA34YVcF6kkWWsS1V/mRm2kK6EE/mABvX4mrefWg+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARKkt9TKg5jLLc7HZSYxHD0MGqDQ8jMAXjpYYaEoIGyYnE31WOEG6HlzHFrkp5ioBT8vTIfejpGGkcL0qspSjQRBYH1eHOEToFo2vhmr0yDUtePNVcQtRN0ImAwNvKU/PciSi4dX0Y8Z/VfeRn8k979o0X82xZSYIxLhKlFp9toOHz0pNTU0Ie4h1zxcPd0L7KAn5eQPHoJwXsdWkM9aoZtCQCjbiexpfOdEOfnUn8QisinAWqcC/gKl9XG7XU4P5cevTeqZgnK0W+ilJVkkJX2zZWlAji+0PKLGr3BgJCfkwUcsm1C8U2ysTGkW1mZHfKVzK2NPA0bSlGgZwbvki+"
+    }
+}
diff --git a/demo-tornado/saml/settings.json b/demo-tornado/saml/settings.json
new file mode 100644
index 00000000..c91e5cc9
--- /dev/null
+++ b/demo-tornado/saml/settings.json
@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "http://localhost:8000/metadata/",
+        "assertionConsumerService": {
+            "url": "http://localhost:8000/?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "http://localhost:8000/?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "http://localhost:8080/auth/realms/idp_dacd",
+        "singleSignOnService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "MIICnzCCAYcCBgFqC3f1FDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhpZHBfZGFjZDAeFw0xOTA0MTEwODE0MzJaFw0yOTA0MTEwODE2MTJaMBMxETAPBgNVBAMMCGlkcF9kYWNkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhRERlbbwUxabS4lnGFOpxBKACpcwQwOSvyCKD3bLDvzfQIRh1x3RDq+6xxBcdP86PKRYjwZc/64HYFUbe9FCDLf1SDQz7XTtpftydRrTUydVaj+3FHhyCLcLkJldMVneVMZWIXSzUISvcURL3sr6HVJ74Uy0KPPOo3vQQ6RRaNaB3RCdZaNbzxjbG5eBgSvWHGE+vkozHpS7y6LHXDP1wXenH65RRrat8PQ/Qp4WVi2U5rVfA2SFbcwohjaJ+vOYH+oARnk5a2IosAMHBtONorPnPrcV7MqUXX7q19hnlFRZA34YVcF6kkWWsS1V/mRm2kK6EE/mABvX4mrefWg+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARKkt9TKg5jLLc7HZSYxHD0MGqDQ8jMAXjpYYaEoIGyYnE31WOEG6HlzHFrkp5ioBT8vTIfejpGGkcL0qspSjQRBYH1eHOEToFo2vhmr0yDUtePNVcQtRN0ImAwNvKU/PciSi4dX0Y8Z/VfeRn8k979o0X82xZSYIxLhKlFp9toOHz0pNTU0Ie4h1zxcPd0L7KAn5eQPHoJwXsdWkM9aoZtCQCjbiexpfOdEOfnUn8QisinAWqcC/gKl9XG7XU4P5cevTeqZgnK0W+ilJVkkJX2zZWlAji+0PKLGr3BgJCfkwUcsm1C8U2ysTGkW1mZHfKVzK2NPA0bSlGgZwbvki+"
+    }
+}
diff --git a/demo-tornado/templates/attrs.html b/demo-tornado/templates/attrs.html
new file mode 100644
index 00000000..e2429739
--- /dev/null
+++ b/demo-tornado/templates/attrs.html
@@ -0,0 +1,35 @@
+{% extends "base.html" %}
+
+{% block content %}
+
+{% if paint_logout %}
+  {% if attributes %}
+    
    You have the following attributes:
    
+    
+      
+        
+      
+      
+        {% for attr, i in attributes %}
+            {% if i == 0 %}
+                
+                
+        {% end %}
+      
+    
    NameValues
    {{ attr }}
      
+            {% end %}
+            {% if i == 1 %}
+                {% for val in attr %}
+                    
    • {{ val }}
      • 
+                {% end %}
+            {% end %}
+            
    
+  {% else %}
+    
+  {% end %}
+  Logout
+{% else %}
+  Login and access again to this page
+{% end %}
+
+{% end %}
diff --git a/demo-tornado/templates/base.html b/demo-tornado/templates/base.html
new file mode 100644
index 00000000..e403a8ef
--- /dev/null
+++ b/demo-tornado/templates/base.html
@@ -0,0 +1,26 @@
+
+
+  
+    
+    
+    
+
+    A Python SAML Toolkit by OneLogin demo
+
+    
+
+    
+    
+    
+  
+  
+    
    
+      
    A Python SAML Toolkit by OneLogin demo
    
+
+      {% block content %}{% end %}
+    
    
+  
+
diff --git a/demo-tornado/templates/index.html b/demo-tornado/templates/index.html
new file mode 100644
index 00000000..52bee968
--- /dev/null
+++ b/demo-tornado/templates/index.html
@@ -0,0 +1,66 @@
+{% extends "base.html" %}
+
+{% block content %}
+
+{% if errors %}
+  
+{% end %}
+
+{% if not_auth_warn %}
+  
+{% end %}
+
+{% if success_slo %}
+  
+{% end %}
+
+{% if paint_logout %}
+  {% if attributes %}
+    
+      
+        
+      
+      
+        {% for attr in attributes %}
+          
+              
+            
+          
+        {% end %}
+
+
+        
+      
+    
    NameValues
    {{ attr[0] }}
      
+              
+              {% for elem in attr[1] %}
+                
    • {{ elem }}
      • 
+              {% end %}
+            
    
+  {% else %}
+    
+  {% end %}
+  Logout
+{% else %}
+  Login Login and access to attrs page
+{% end %}
+
+{% end %}
diff --git a/demo-tornado/views.py b/demo-tornado/views.py
new file mode 100644
index 00000000..5ac3e03a
--- /dev/null
+++ b/demo-tornado/views.py
@@ -0,0 +1,167 @@
+import tornado.ioloop
+import tornado.web
+import Settings
+import tornado.httpserver
+import tornado.httputil
+
+from onelogin.saml2.auth import OneLogin_Saml2_Auth
+from onelogin.saml2.settings import OneLogin_Saml2_Settings
+from onelogin.saml2.utils import OneLogin_Saml2_Utils
+
+##Global session info
+session = {}
+
+class Application(tornado.web.Application):
+    def __init__(self):
+        handlers = [
+            (r"/", IndexHandler),
+            (r"/attrs", AttrsHandler),
+            (r"/metadata",MetadataHandler),
+        ]
+        settings = {
+            "template_path": Settings.TEMPLATE_PATH,
+            "saml_path": Settings.SAML_PATH,
+            "autorealod": True,
+            "debug": True
+        }
+        tornado.web.Application.__init__(self, handlers, **settings)
+
+
+class IndexHandler(tornado.web.RequestHandler):
+    def post(self):
+        req = prepare_tornado_request(self.request)
+        auth = init_saml_auth(req)
+        attributes = False
+        paint_logout = False
+
+        auth.process_response()
+        errors = auth.get_errors()
+        not_auth_warn = not auth.is_authenticated()
+
+        if len(errors) == 0:
+             session['samlUserdata'] = auth.get_attributes()
+             session['samlNameId'] = auth.get_nameid()
+             session['samlSessionIndex'] = auth.get_session_index()
+             self_url = OneLogin_Saml2_Utils.get_self_url(req)
+             if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
+                return self.redirect(self.request.arguments['RelayState'][0].decode('utf-8'))
+
+        if 'samlUserdata' in session:
+            paint_logout = True
+            if len(session['samlUserdata']) > 0:
+                attributes = session['samlUserdata'].items()
+
+        self.render('index.html',errors=errors,not_auth_warn=not_auth_warn,attributes=attributes,paint_logout=paint_logout)
+
+    def get(self):
+        req = prepare_tornado_request(self.request)
+        auth = init_saml_auth(req)
+        errors = []
+        not_auth_warn = False
+        success_slo = False
+        attributes = False
+        paint_logout = False
+
+        if 'sso' in req['get_data']:
+            print('-sso-')
+            return self.redirect(auth.login())
+        elif 'sso2' in req['get_data']:
+            print('-sso2-')
+            return_to = '%s/attrs' % self.request.host
+            return self.redirect(auth.login(return_to))
+        elif 'slo' in req['get_data']:
+            print('-slo-')
+            name_id = None
+            session_index = None
+            if 'samlNameId' in session:
+                name_id = session['samlNameId']
+            if 'samlSessionIndex' in session:
+                session_index = session['samlSessionIndex']
+            return self.redirect(auth.logout(name_id=name_id, session_index=session_index))
+        elif 'acs' in req['get_data']:
+            print('-acs-')
+            auth.process_response()
+            errors = auth.get_errors()
+            not_auth_warn = not auth.is_authenticated()
+            if len(errors) == 0:
+                session['samlUserdata'] = auth.get_attributes()
+                session['samlNameId'] = auth.get_nameid()
+                session['samlSessionIndex'] = auth.get_session_index()
+                self_url = OneLogin_Saml2_Utils.get_self_url(req)
+                if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
+                    return self.redirect(auth.redirect_to(self.request.arguments['RelayState'][0].decode('utf-8')))
+        elif 'sls' in req['get_data']:
+            print('-sls-')
+            dscb = lambda: session.clear() ## clear out the session
+            url = auth.process_slo(delete_session_cb=dscb)
+            errors = auth.get_errors()
+            if len(errors) == 0:
+                if url is not None:
+                    return self.redirect(url)
+                else:
+                    success_slo = True
+
+        if 'samlUserdata' in session:
+            print('-samlUserdata-')
+            paint_logout = True
+            if len(session['samlUserdata']) > 0:
+                attributes = session['samlUserdata'].items()
+                print("ATTRIBUTES", attributes)
+        self.render('index.html',errors=errors,not_auth_warn=not_auth_warn,success_slo=success_slo,attributes=attributes,paint_logout=paint_logout)
+
+class AttrsHandler(tornado.web.RequestHandler):
+    def get(self):
+        paint_logout = False
+        attributes = False
+
+        if 'samlUserdata' in session:
+            paint_logout = True
+            if len(session['samlUserdata']) > 0:
+                attributes = session['samlUserdata'].items()
+
+        self.render('attrs.html',paint_logout=paint_logout,attributes=attributes)
+
+class MetadataHandler(tornado.web.RequestHandler):
+    def get(self):
+        req = prepare_tornado_request(self.request)
+        auth = init_saml_auth(req)
+        saml_settings = auth.get_settings()
+        #saml_settings = OneLogin_Saml2_Settings(settings=None, custom_base_path=settings.SAML_FOLDER, sp_validation_only=True)
+        metadata = saml_settings.get_sp_metadata()
+        errors = saml_settings.validate_metadata(metadata)
+
+        if len(errors) == 0:
+            #resp = HttpResponse(content=metadata, content_type='text/xml')
+            self.set_header('Content-Type','text/xml')
+            self.write(metadata)
+        else:
+            #resp = HttpResponseServerError(content=', '.join(errors))
+            self.write(', '.join(errors))
+        #return resp
+
+def prepare_tornado_request(request):        
+
+    dataDict = {}
+    for key in request.arguments:
+        dataDict[key] = request.arguments[key][0].decode('utf-8')
+
+    result = {
+        'https': 'on' if request == 'https' else 'off',
+        'http_host': tornado.httputil.split_host_and_port(request.host)[0],
+        'script_name': request.path,
+        'server_port': tornado.httputil.split_host_and_port(request.host)[1],
+        'get_data': dataDict,
+        'post_data': dataDict,
+        'query_string': request.query
+    }
+    return result
+
+def init_saml_auth(req):
+    auth = OneLogin_Saml2_Auth(req, custom_base_path=Settings.SAML_PATH)
+    return auth
+
+if __name__ == "__main__":
+    app = Application()
+    http_server = tornado.httpserver.HTTPServer(app)
+    http_server.listen(8000)
+    tornado.ioloop.IOLoop.instance().start()

From e46e3353c6e55c71cd000fc84170de50b17dcefc Mon Sep 17 00:00:00 2001
From: davideZanin 
Date: Tue, 23 Apr 2019 14:32:18 +0200
Subject: [PATCH 113/331] docs updated

---
 README.md                                     | 105 +++++++++++++++++-
 demo-tornado/Docs/DEVELOPING.md               |  82 --------------
 demo-tornado/requirements.txt                 |   5 -
 .../saml/advanced_settings (copia).json       |  33 ------
 demo-tornado/saml/settings (copia).json       |  30 -----
 .../saml/settings (seconda copia).json        |  30 -----
 6 files changed, 104 insertions(+), 181 deletions(-)
 delete mode 100644 demo-tornado/Docs/DEVELOPING.md
 delete mode 100644 demo-tornado/saml/advanced_settings (copia).json
 delete mode 100644 demo-tornado/saml/settings (copia).json
 delete mode 100644 demo-tornado/saml/settings (seconda copia).json

diff --git a/README.md b/README.md
index 404712e2..993105c9 100644
--- a/README.md
+++ b/README.md
@@ -172,6 +172,9 @@ This folder contains a Flask project that will be used as demo to show how to ad
 
 This folder contains a Pyramid project that will be used as demo to show how to add SAML support to the [Pyramid Web Framework](http://docs.pylonsproject.org/projects/pyramid/en/latest/).  ``\_\_init__.py`` is the main file that configures the app and its routes, ``views.py`` is where all the logic and SAML handling takes place, and the templates are stored in the ``templates`` folder. The ``saml`` folder is the same as in the other two demos.
 
+#### demo-tornado ####
+
+This folder contains a Tornado project that will be used as demo to show how to add SAML support to the Tornado Framework. ``views.py`` (with its ``settings.py``) is the main Flask file that has all the code, this file uses the templates stored at the ``templates`` folder. In the ``saml`` folder we found the ``certs`` folder to store the X.509 public and private key, and the SAML toolkit settings (``settings.json`` and ``advanced_settings.json``).
 
 #### setup.py ####
 
@@ -1085,7 +1088,7 @@ For more info, look at the source code. Each method is documented and details ab
 Demos included in the toolkit
 -----------------------------
 
-The toolkit includes 2 demos to teach how use the toolkit (A Django and a Flask project), take a look on it.
+The toolkit includes 3 demos to teach how use the toolkit (A Django, Flask and a Tornado project), take a look on it.
 Demos require that SP and IdP are well configured before test it, so edit the settings files.
 
 Notice that each python framework has it own way to handle routes/urls and process request, so focus on
@@ -1165,6 +1168,106 @@ First we need to edit the ``saml/settings.json`` file, configure the SP part and
 
 Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
 
+#### How it works ####
+
+ 1. First time you access to the main view (http://localhost:8000), you can select to login and return to the same view or login and be redirected to ``/?attrs`` (attrs view).
+
+ 2. When you click:
+
+    2.1 in the first link, we access to ``/?sso`` (index view). An ``AuthNRequest`` is sent to the IdP, we authenticate at the IdP and then a Response is sent through the user's client to the SP, specifically the Assertion Consumer Service view: ``/?acs``. Notice that a ``RelayState`` parameter is set to the url that initiated the process, the index view.
+
+    2.2 in the second link we access to ``/?attrs`` (attrs view), we will expetience have the same process described at 2.1 with the diference that as ``RelayState`` is set the ``attrs`` url.
+
+ 3. The SAML Response is processed in the ACS ``/?acs``, if the Response is not valid, the process stops here and a message is shown. Otherwise we are redirected to the ``RelayState`` view. a) / or b) ``/?attrs``
+
+ 4. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality.
+
+ The single log out functionality could be tested by 2 ways.
+
+    5.1 SLO Initiated by SP. Click on the ``logout`` link at the SP, after that a Logout Request is sent to the IdP, the session at the IdP is closed and replies through the client to the SP with a Logout Response (sent to the Single Logout Service endpoint). The SLS endpoint ``/?sls`` of the SP process the Logout Response and if is valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP.
+
+    5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP side, the logout process is initiated at the IdP, sends a Logout Request to the SP (SLS endpoint, ``/?sls``). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and send a Logout Response to the IdP (to the SLS endpoint of the IdP). The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP.
+
+Notice that all the SAML Requests and Responses are handled at a unique view (index) and how GET parameters are used to know the action that must be done.
+
+### Demo Tornado ###
+
+You'll need a virtualenv with the toolkit installed on it.
+
+First of all you need some packages, execute:
+```
+apt-get install libxml2-dev libxmlsec1-dev libxmlsec1-openssl
+```
+
+To run the demo you need to install the requirements first. Load your
+virtualenv and execute:
+```
+ pip install -r demo-tornado/requirements.txt
+```
+
+
+This will install tornado and its dependencies. Once it has finished, you have to complete the configuration
+of the toolkit. You'll find it at `demo-tornado/saml/settings.json`
+
+Now, with the virtualenv loaded, you can run the demo like this:
+```
+ cd demo-tornado
+ python views.py
+```
+
+You'll have the demo running at http://localhost:8000
+
+#### Content ####
+
+The tornado project contains:
+
+* ***views.py*** Is the main flask file, where or the SAML handle take place.
+
+* ***settings.py*** Contains the base path and the path where is located the ``saml`` folder and the ``template`` folder
+
+* ***templates***. Is the folder where tornado stores the templates of the project. It was implemented a base.html template that is extended by index.html and attrs.html, the templates of our simple demo that shows messages, user attributes when available and login and logout links.
+
+* ***saml*** Is a folder that contains the 'certs' folder that could be used to store the X.509 public and private key, and the saml toolkit settings (settings.json and advanced_settings.json).
+
+#### SP setup ####
+
+The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: Settings files or define a setting dict. In the ``demo-tornado``, it uses the first method.
+
+In the ``settings.py`` file we define the ``SAML_PATH``, that will target to the ``saml`` folder. We require it in order to load the settings files.
+
+First we need to edit the ``saml/settings.json`` file, configure the SP part and review the metadata of the IdP and complete the IdP info.  Later edit the ``saml/advanced_settings.json`` files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
+
+#### IdP setup ####
+
+Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
+
+#####Test with keycloack#####
+
+You can test your SP with every compatible IdP, for example Keycloack by Red Hat (Check if you need also authorization and not only authentication )
+
+###### Install Docker ######
+
+Install docker as suggested by [docker guide](https://docs.docker.com/install/linux/docker-ce/ubuntu/) 
+
+###### Keycloack starting ######
+
+First run:
+* docker run --name keycloackContainer -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=H2 jboss/keycloak
+
+After first run:
+* sudo docker start keycloackContainer
+
+Remember to stop keycloack after usage:
+* sudo docker stop keycloackContainer
+
+
+###### Keycloack useful urls ######
+
+* master: http://localhost:8080/auth/admin
+* users: http://localhost:8080/auth/realms/idp_dacd/account/
+* saml request: http://localhost:8080/auth/realms/idp_dacd/protocol/saml
+* metadata: http://localhost:8080/auth/realms/idp_dacd/protocol/saml/descriptor
+
 #### How it works ####
 
 1. First time you access to the main view (http://localhost:8000), you can select to login and return to the same view or login and be redirected to ``/?attrs`` (attrs view).
diff --git a/demo-tornado/Docs/DEVELOPING.md b/demo-tornado/Docs/DEVELOPING.md
deleted file mode 100644
index 27ba1243..00000000
--- a/demo-tornado/Docs/DEVELOPING.md
+++ /dev/null
@@ -1,82 +0,0 @@
-# OneLogin's SAML Python Toolkit (compatible with Python3)
-
-Installation
-------------
-
-### Dependencies ###
-
- *  python 3.6
- * apt-get install libxml2-dev libxmlsec1-dev libxmlsec1-openssl
- * pip install xmlsec
- * pip install isodate
- * pip install defusedxml
- * pip install python3-saml
- * pip install tornado
-
-
-***Virtualenv***
-
-The use of virtualenv/virtualenvwrapper is highly recommended.
-
-### Create certificates ###
-
-in saml/cert run :
- * openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
- * openssl req -new -x509 -days 3652 -nodes -out metadata.crt -keyout metadata.key
-
-### Useful extesion for SAML messages ###
-* [SAML Chrome Panel 1.8.9](https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace/related)
-
-
-
-# Test with keycloack idp
-
-Installation
-------------
-
-### Install Docker ###
-* sudo apt-get remove docker docker-engine docker.io containerd runc
-
-* sudo apt-get update
-
-* sudo apt-get install \
-    apt-transport-https \
-    ca-certificates \
-    curl \
-    gnupg-agent \
-    software-properties-common
-* curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-
-* sudo add-apt-repository \
-   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
-   $(lsb_release -cs) \
-   stable"
-
-* sudo apt-get update
-
-* sudo apt-get install docker-ce docker-ce-cli containerd.io
-
-* sudo docker run hello-world
-
-
-### Keycloack starting ###
-First run only:
-* docker run --name keycloackContainer -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=H2 jboss/keycloak
-
-After first run:
-* sudo docker start keycloackContainer
-
-Remember to stop keycloack after usage:
-* sudo docker stop keycloackContainer
-
-
-### Keycloack useful urls ###
-* master: http://localhost:8080/auth/admin
-* users: http://localhost:8080/auth/realms/idp_dacd/account/
-* saml request: http://localhost:8080/auth/realms/idp_dacd/protocol/saml
-* metadata: http://localhost:8080/auth/realms/idp_dacd/protocol/saml/descriptor
-
-
-
-
-
diff --git a/demo-tornado/requirements.txt b/demo-tornado/requirements.txt
index 99192d20..66787013 100644
--- a/demo-tornado/requirements.txt
+++ b/demo-tornado/requirements.txt
@@ -1,13 +1,8 @@
-Click==7.0
 defusedxml==0.5.0
 isodate==0.6.0
-itsdangerous==1.1.0
-Jinja2==2.10.1
 lxml==4.3.3
-MarkupSafe==1.1.1
 pkgconfig==1.5.1
 python3-saml==1.6.0
 six==1.12.0
 tornado==6.0.2
-Werkzeug==0.15.2
 xmlsec==1.3.3
diff --git a/demo-tornado/saml/advanced_settings (copia).json b/demo-tornado/saml/advanced_settings (copia).json
deleted file mode 100644
index 3115e17e..00000000
--- a/demo-tornado/saml/advanced_settings (copia).json	
+++ /dev/null
@@ -1,33 +0,0 @@
-{
-    "security": {
-        "nameIdEncrypted": false,
-        "authnRequestsSigned": false,
-        "logoutRequestSigned": false,
-        "logoutResponseSigned": false,
-        "signMetadata": false,
-        "wantMessagesSigned": false,
-        "wantAssertionsSigned": false,
-        "wantNameId" : true,
-        "wantNameIdEncrypted": false,
-        "wantAssertionsEncrypted": false,
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
-    },
-    "contactPerson": {
-        "technical": {
-            "givenName": "technical_name",
-            "emailAddress": "technical@example.com"
-        },
-        "support": {
-            "givenName": "support_name",
-            "emailAddress": "support@example.com"
-        }
-    },
-    "organization": {
-        "en-US": {
-            "name": "sp_test",
-            "displayname": "SP test",
-            "url": "http://sp.example.com"
-        }
-    }
-}
\ No newline at end of file
diff --git a/demo-tornado/saml/settings (copia).json b/demo-tornado/saml/settings (copia).json
deleted file mode 100644
index ec40b674..00000000
--- a/demo-tornado/saml/settings (copia).json	
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-    "strict": true,
-    "debug": true,
-    "sp": {
-        "entityId": "https:///metadata/",
-        "assertionConsumerService": {
-            "url": "https:///?acs",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-        },
-        "singleLogoutService": {
-            "url": "https:///?sls",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        },
-        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
-        "x509cert": "",
-        "privateKey": ""
-    },
-    "idp": {
-        "entityId": "https://app.onelogin.com/saml/metadata/",
-        "singleSignOnService": {
-            "url": "https://app.onelogin.com/trust/saml2/http-post/sso/",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        },
-        "singleLogoutService": {
-            "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        },
-        "x509cert": ""
-    }
-}
diff --git a/demo-tornado/saml/settings (seconda copia).json b/demo-tornado/saml/settings (seconda copia).json
deleted file mode 100644
index 49a626b6..00000000
--- a/demo-tornado/saml/settings (seconda copia).json	
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-    "strict": true,
-    "debug": true,
-    "sp": {
-        "entityId": "http://0.0.0.0:8000/metadata/",
-        "assertionConsumerService": {
-            "url": "http://0.0.0.0:8000/?acs",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-        },
-        "singleLogoutService": {
-            "url": "http://0.0.0.0:8000/?sls",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        },
-        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
-        "x509cert": "",
-        "privateKey": ""
-    },
-    "idp": {
-        "entityId": "http://localhost:8080/auth/realms/idp_dacd",
-        "singleSignOnService": {
-            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        },
-        "singleLogoutService": {
-            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
-            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        },
-        "x509cert": "MIICnzCCAYcCBgFqC3f1FDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhpZHBfZGFjZDAeFw0xOTA0MTEwODE0MzJaFw0yOTA0MTEwODE2MTJaMBMxETAPBgNVBAMMCGlkcF9kYWNkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhRERlbbwUxabS4lnGFOpxBKACpcwQwOSvyCKD3bLDvzfQIRh1x3RDq+6xxBcdP86PKRYjwZc/64HYFUbe9FCDLf1SDQz7XTtpftydRrTUydVaj+3FHhyCLcLkJldMVneVMZWIXSzUISvcURL3sr6HVJ74Uy0KPPOo3vQQ6RRaNaB3RCdZaNbzxjbG5eBgSvWHGE+vkozHpS7y6LHXDP1wXenH65RRrat8PQ/Qp4WVi2U5rVfA2SFbcwohjaJ+vOYH+oARnk5a2IosAMHBtONorPnPrcV7MqUXX7q19hnlFRZA34YVcF6kkWWsS1V/mRm2kK6EE/mABvX4mrefWg+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARKkt9TKg5jLLc7HZSYxHD0MGqDQ8jMAXjpYYaEoIGyYnE31WOEG6HlzHFrkp5ioBT8vTIfejpGGkcL0qspSjQRBYH1eHOEToFo2vhmr0yDUtePNVcQtRN0ImAwNvKU/PciSi4dX0Y8Z/VfeRn8k979o0X82xZSYIxLhKlFp9toOHz0pNTU0Ie4h1zxcPd0L7KAn5eQPHoJwXsdWkM9aoZtCQCjbiexpfOdEOfnUn8QisinAWqcC/gKl9XG7XU4P5cevTeqZgnK0W+ilJVkkJX2zZWlAji+0PKLGr3BgJCfkwUcsm1C8U2ysTGkW1mZHfKVzK2NPA0bSlGgZwbvki+"
-    }
-}

From 43118e7c41b8f4a34232780cdf5c1700a164b8a8 Mon Sep 17 00:00:00 2001
From: davideZanin 
Date: Tue, 23 Apr 2019 14:42:16 +0200
Subject: [PATCH 114/331] docs updated

---
 demo-tornado/README.md  | 9 +++++++++
 demo-tornado/README.txt | 7 -------
 2 files changed, 9 insertions(+), 7 deletions(-)
 create mode 100644 demo-tornado/README.md
 delete mode 100644 demo-tornado/README.txt

diff --git a/demo-tornado/README.md b/demo-tornado/README.md
new file mode 100644
index 00000000..aab7ef19
--- /dev/null
+++ b/demo-tornado/README.md
@@ -0,0 +1,9 @@
+#Tornado Demo#
+Fully-working tornado-demo.
+
+###ABOUT ISSUE###
+This is only a demo, some issues about session still remain. 
+Actually the session is global.
+
+###PRODUCTION###
+Remember to disable debugging in production.
diff --git a/demo-tornado/README.txt b/demo-tornado/README.txt
deleted file mode 100644
index dd4418ca..00000000
--- a/demo-tornado/README.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Fully-working tornado-demo.
-
-ABOUT ISSSUE
-This is only a demo, some issues about session still remain.
-
-PRODUCTION
-Remember also to disable debugging in production.

From 47ba1cad2dd44ab10f1962e67ba4d46c85c29e94 Mon Sep 17 00:00:00 2001
From: davideZanin 
Date: Tue, 23 Apr 2019 14:52:46 +0200
Subject: [PATCH 115/331] solved formatting error

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 993105c9..6b8a7449 100644
--- a/README.md
+++ b/README.md
@@ -1241,7 +1241,7 @@ First we need to edit the ``saml/settings.json`` file, configure the SP part and
 
 Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
 
-#####Test with keycloack#####
+##### Test with keycloack #####
 
 You can test your SP with every compatible IdP, for example Keycloack by Red Hat (Check if you need also authorization and not only authentication )
 

From a46fddb33cbb0f2254fa7de09803b432a5fbd6f9 Mon Sep 17 00:00:00 2001
From: davideZanin 
Date: Tue, 23 Apr 2019 15:35:25 +0200
Subject: [PATCH 116/331] ready to pull req

---
 demo-tornado/README.md                   |  6 +++---
 demo-tornado/saml/advanced_settings.json | 15 ++++++---------
 demo-tornado/saml/settings.json          | 16 ++++++++--------
 3 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/demo-tornado/README.md b/demo-tornado/README.md
index aab7ef19..428d192c 100644
--- a/demo-tornado/README.md
+++ b/demo-tornado/README.md
@@ -1,9 +1,9 @@
-#Tornado Demo#
+# Tornado Demo #
 Fully-working tornado-demo.
 
-###ABOUT ISSUE###
+### About issues ###
 This is only a demo, some issues about session still remain. 
 Actually the session is global.
 
-###PRODUCTION###
+### Production ###
 Remember to disable debugging in production.
diff --git a/demo-tornado/saml/advanced_settings.json b/demo-tornado/saml/advanced_settings.json
index e14e1170..3115e17e 100644
--- a/demo-tornado/saml/advanced_settings.json
+++ b/demo-tornado/saml/advanced_settings.json
@@ -1,15 +1,12 @@
 {
     "security": {
         "nameIdEncrypted": false,
-        "authnRequestsSigned": true,
-        "logoutRequestSigned": true,
-        "logoutResponseSigned": true,
-        "signMetadata": {
-                                            "keyFileName": "metadata.key",
-                                            "certFileName": "metadata.crt"
-                                         },
+        "authnRequestsSigned": false,
+        "logoutRequestSigned": false,
+        "logoutResponseSigned": false,
+        "signMetadata": false,
         "wantMessagesSigned": false,
-        "wantAssertionsSigned": true,
+        "wantAssertionsSigned": false,
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
@@ -33,4 +30,4 @@
             "url": "http://sp.example.com"
         }
     }
-}
+}
\ No newline at end of file
diff --git a/demo-tornado/saml/settings.json b/demo-tornado/saml/settings.json
index c91e5cc9..391b91c1 100644
--- a/demo-tornado/saml/settings.json
+++ b/demo-tornado/saml/settings.json
@@ -2,13 +2,13 @@
     "strict": true,
     "debug": true,
     "sp": {
-        "entityId": "http://localhost:8000/metadata/",
+        "entityId": "https:///metadata/",
         "assertionConsumerService": {
-            "url": "http://localhost:8000/?acs",
+            "url": "https:///?acs",
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         },
         "singleLogoutService": {
-            "url": "http://localhost:8000/?sls",
+            "url": "https:///?sls",
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
         "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
@@ -16,15 +16,15 @@
         "privateKey": ""
     },
     "idp": {
-        "entityId": "http://localhost:8080/auth/realms/idp_dacd",
+        "entityId": "https://app.onelogin.com/saml/metadata/",
         "singleSignOnService": {
-            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "url": "https://app.onelogin.com/trust/saml2/http-post/sso/",
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
         "singleLogoutService": {
-            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
-        "x509cert": "MIICnzCCAYcCBgFqC3f1FDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhpZHBfZGFjZDAeFw0xOTA0MTEwODE0MzJaFw0yOTA0MTEwODE2MTJaMBMxETAPBgNVBAMMCGlkcF9kYWNkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhRERlbbwUxabS4lnGFOpxBKACpcwQwOSvyCKD3bLDvzfQIRh1x3RDq+6xxBcdP86PKRYjwZc/64HYFUbe9FCDLf1SDQz7XTtpftydRrTUydVaj+3FHhyCLcLkJldMVneVMZWIXSzUISvcURL3sr6HVJ74Uy0KPPOo3vQQ6RRaNaB3RCdZaNbzxjbG5eBgSvWHGE+vkozHpS7y6LHXDP1wXenH65RRrat8PQ/Qp4WVi2U5rVfA2SFbcwohjaJ+vOYH+oARnk5a2IosAMHBtONorPnPrcV7MqUXX7q19hnlFRZA34YVcF6kkWWsS1V/mRm2kK6EE/mABvX4mrefWg+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARKkt9TKg5jLLc7HZSYxHD0MGqDQ8jMAXjpYYaEoIGyYnE31WOEG6HlzHFrkp5ioBT8vTIfejpGGkcL0qspSjQRBYH1eHOEToFo2vhmr0yDUtePNVcQtRN0ImAwNvKU/PciSi4dX0Y8Z/VfeRn8k979o0X82xZSYIxLhKlFp9toOHz0pNTU0Ie4h1zxcPd0L7KAn5eQPHoJwXsdWkM9aoZtCQCjbiexpfOdEOfnUn8QisinAWqcC/gKl9XG7XU4P5cevTeqZgnK0W+ilJVkkJX2zZWlAji+0PKLGr3BgJCfkwUcsm1C8U2ysTGkW1mZHfKVzK2NPA0bSlGgZwbvki+"
+        "x509cert": ""
     }
-}
+}
\ No newline at end of file

From 064b7275fba1e5f39a9116ba1cdcc5d01fc34daa Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 26 Apr 2019 11:50:45 +0200
Subject: [PATCH 117/331] Update defusedxml

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 65ff747e..e93bccba 100644
--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,7 @@
     install_requires=[
         'isodate>=0.5.0',
         'xmlsec>=0.6.0',
-        'defusedxml==0.5.0'
+        'defusedxml>=0.5.0'
     ],
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={

From 527f4fe7d7ba15383c72678be6ecca1ab6a965d8 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" 
Date: Wed, 8 May 2019 13:29:08 +0200
Subject: [PATCH 118/331] Make tests pass in 2020

moving this beyond 2038 requires fixes on 32-bit systems to avoid errors:
   File "/home/abuild/rpmbuild/BUILD/python3-saml-1.6.0/src/onelogin/sam
.py", line 419, in parse_SAML_to_time
     data = datetime.strptime(timestr, '%Y-%m-%dT%H:%M:%SZ')
 TypeError: strptime() argument 1 must be string, not long
---
 tests/data/metadata/metadata_settings1.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/data/metadata/metadata_settings1.xml b/tests/data/metadata/metadata_settings1.xml
index c9529f00..893e9679 100644
--- a/tests/data/metadata/metadata_settings1.xml
+++ b/tests/data/metadata/metadata_settings1.xml
@@ -1,6 +1,6 @@
 
 
     

From b0f2ac94e01dcb648abb2a8381070986c1410a65 Mon Sep 17 00:00:00 2001
From: Robert Ellegate 
Date: Fri, 10 May 2019 11:20:41 -0400
Subject: [PATCH 119/331] Fix typos

Fixed typo in https://github.com/onelogin/python3-saml#option-1-download-from-github
    Changed `Lastest release` to `Latest release`

Changed hyperlink to Python 2 version to match hyperlink in [onelogin/python-saml](https://github.com/onelogin/python-saml) repo
    Changed hyperlink from `https://pypi.python.org/pypi/python-saml` to `https://github.com/onelogin/python-saml`
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 404712e2..b3f27804 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ Add SAML support to your Python software using this library.
 Forget those complicated libraries and use the open source library provided
 and supported by OneLogin Inc.
 
-This version supports Python3. There is a separate version that only support Python2: [python-saml](https://pypi.python.org/pypi/python-saml)
+This version supports Python3. There is a separate version that only support Python2: [python-saml](https://github.com/onelogin/python-saml)
 
 #### Warning ####
 
@@ -100,7 +100,7 @@ Review the ``setup.py`` file to know the version of the library that ``python3-s
 
 The toolkit is hosted on GitHub. You can download it from:
 
- * Lastest release: https://github.com/onelogin/python3-saml/releases/latest
+ * Latest release: https://github.com/onelogin/python3-saml/releases/latest
  * Master repo: https://github.com/onelogin/python3-saml/tree/master
 
 Copy the core of the library ``(src/onelogin/saml2 folder)`` and merge the ``setup.py`` inside the Python application. (Each application has its structure so take your time to locate the Python SAML toolkit in the best place).

From 55b3f49be914de388a409b70478b10056c9eba24 Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Sun, 2 Jun 2019 01:06:05 -0400
Subject: [PATCH 120/331] Added get_in_response_to method to Response and
 LogoutResponse classes

---
 src/onelogin/saml2/logout_response.py           |  5 ++++-
 src/onelogin/saml2/response.py                  | 10 +++++++++-
 tests/src/OneLogin/saml2_tests/response_test.py |  4 ++--
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 67a72f35..f8b81ff4 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -95,7 +95,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 security = self.__settings.get_security_data()
 
                 # Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
-                in_response_to = self.document.get('InResponseTo', None)
+                in_response_to = self.get_in_response_to()
                 if request_id is not None and in_response_to and in_response_to != request_id:
                     raise OneLogin_Saml2_ValidationError(
                         'The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id),
@@ -175,6 +175,9 @@ def build(self, in_response_to):
 
         self.__logout_response = logout_response
 
+    def get_in_response_to(self):
+        return self.document.get('InResponseTo')
+
     def get_response(self, deflate=True):
         """
         Returns a Logout Response object.
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index a291a841..1ceaac32 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -122,7 +122,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
                 # Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
-                in_response_to = self.document.get('InResponseTo', None)
+                in_response_to = self.get_in_response_to()
                 if in_response_to is not None and request_id is not None:
                     if in_response_to != request_id:
                         raise OneLogin_Saml2_ValidationError(
@@ -387,6 +387,14 @@ def get_authn_contexts(self):
         authn_context_nodes = self.__query_assertion('/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef')
         return [OneLogin_Saml2_XML.element_text(node) for node in authn_context_nodes]
 
+    def get_in_response_to(self):
+        """
+        Gets the ID of the request which this response is in response to
+        :returns: ID of AuthNRequest this Response is in response to or None if it is not present
+        :rtype: str
+        """
+        return self.document.get('InResponseTo')
+
     def get_issuers(self):
         """
         Gets the issuers (from message and from assertion)
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index b5937045..dfda45b8 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -75,8 +75,8 @@ def testGetXMLDocument(self):
 
         xml = self.file_contents(join(self.data_path, 'responses', 'signed_message_response.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
-        prety_xml = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml'))
-        self.assertEqual(etree.tostring(response.get_xml_document(), encoding='unicode', pretty_print=True), prety_xml)
+        pretty_xml = self.file_contents(join(self.data_path, 'responses', 'pretty_signed_message_response.xml'))
+        self.assertEqual(etree.tostring(response.get_xml_document(), encoding='unicode', pretty_print=True), pretty_xml)
 
         xml_2 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
         response_2 = OneLogin_Saml2_Response(settings, xml_2)

From 3002e0d32c73e86f0cc64acb8770bed3f7d14ed7 Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Sun, 2 Jun 2019 01:14:12 -0400
Subject: [PATCH 121/331] Added InResponseTo tests

---
 .../src/OneLogin/saml2_tests/response_test.py  | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index dfda45b8..d487c11b 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -407,7 +407,7 @@ def testGetNameIdData(self):
         settings = OneLogin_Saml2_Settings(json_settings)
         response_13 = OneLogin_Saml2_Response(settings, xml_6)
         nameid_data_13 = response_13.get_nameid_data()
-        nameid_data_13 = self.assertEqual(expected_nameid_data_5, nameid_data_13)
+        self.assertEqual(expected_nameid_data_5, nameid_data_13)
 
         json_settings['strict'] = False
         json_settings['security']['wantNameId'] = False
@@ -685,6 +685,22 @@ def testGetSessionNotOnOrAfter(self):
         response_3 = OneLogin_Saml2_Response(settings, xml_3)
         self.assertEqual(2696012228, response_3.get_session_not_on_or_after())
 
+    def testGetInResponseTo(self):
+        """
+        Tests the retrieval of the InResponseTo attribute
+        """
+
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        # Response without an InResponseTo element should return None
+        xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertIsNone(response.get_in_response_to())
+
+        xml_3 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
+        response_3 = OneLogin_Saml2_Response(settings, xml_3)
+        self.assertEqual('ONELOGIN_be60b8caf8e9d19b7a3551b244f116c947ff247d', response_3.get_in_response_to())
+
     def testIsInvalidXML(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response

From 754f6350259897ac858c035ab2b8ce0ac9bf136e Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Sun, 2 Jun 2019 01:17:09 -0400
Subject: [PATCH 122/331] Added method docstring

---
 src/onelogin/saml2/logout_response.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index f8b81ff4..6dd0a6d8 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -176,6 +176,11 @@ def build(self, in_response_to):
         self.__logout_response = logout_response
 
     def get_in_response_to(self):
+        """
+        Gets the ID of the LogoutRequest which this response is in response to
+        :returns: ID of LogoutRequest this LogoutResponse is in response to or None if it is not present
+        :rtype: str
+        """
         return self.document.get('InResponseTo')
 
     def get_response(self, deflate=True):

From f4be65c0e649d2c34b27c54a82f12b9c3aa7b233 Mon Sep 17 00:00:00 2001
From: John Doe <34662+johndoe46@users.noreply.github.com>
Date: Tue, 18 Jun 2019 12:43:03 +0200
Subject: [PATCH 123/331] fix path in flask demo

---
 demo-flask/index.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-flask/index.py b/demo-flask/index.py
index 441dc83b..e7c88d75 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -11,7 +11,7 @@
 
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
-app.config['SAML_PATH'] = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'saml')
+app.config['SAML_PATH'] = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'saml')
 
 
 def init_saml_auth(req):

From ae90bac7c94c82c4a5625aff57163aab2a8098d4 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 26 Jun 2019 00:43:22 +0200
Subject: [PATCH 124/331] Adjusted acs endpoint to extract NameQualifier and
 SPNameQualifier from SAMLResponse. Adjusted single logout service to provide
 NameQualifier and SPNameQualifier to logout method. Add
 getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from
 Auth and LogoutRequest constructor to support SPNameQualifier parameter.
 Align LogoutRequest constructor with SAML specs

---
 README.md                                     | 16 ++++-
 demo-django/demo/views.py                     | 16 +++--
 demo-flask/index.py                           | 17 +++--
 src/onelogin/saml2/auth.py                    | 30 +++++++-
 src/onelogin/saml2/logout_request.py          | 23 ++++---
 src/onelogin/saml2/response.py                | 26 +++++++
 ...lid_response_with_namequalifier.xml.base64 |  1 +
 tests/src/OneLogin/saml2_tests/auth_test.py   | 67 ++++++++++++++++++
 .../saml2_tests/logout_request_test.py        |  1 -
 .../src/OneLogin/saml2_tests/response_test.py | 68 +++++++++++++++++++
 10 files changed, 242 insertions(+), 23 deletions(-)
 create mode 100644 tests/data/responses/valid_response_with_namequalifier.xml.base64

diff --git a/README.md b/README.md
index b3f27804..52f3b923 100644
--- a/README.md
+++ b/README.md
@@ -794,17 +794,17 @@ target_url = 'https://example.com'
 auth.logout(return_to=target_url)
 ```
 
-Also there are 4 optional parameters that can be set:
+Also there are another 5 optional parameters that can be set:
 
 * ``name_id``: That will be used to build the ``LogoutRequest``. If no ``name_id`` parameter is set and the auth object processed a
 SAML Response with a ``NameId``, then this ``NameId`` will be used.
 * ``session_index``: ``SessionIndex`` that identifies the session of the user.
 * ``nq``: IDP Name Qualifier.
 * ``name_id_format``: The ``NameID`` Format that will be set in the ``LogoutRequest``.
+* ``spnq``: The ``NameID SP NameQualifier`` will be set in the ``LogoutRequest``.
 
 If no ``name_id`` is provided, the ``LogoutRequest`` will contain a ``NameID`` with the entity Format.
 If ``name_id`` is provided and no ``name_id_format`` is provided, the ``NameIDFormat`` of the settings will be used.
-If ``nq`` is provided, the ``SPNameQualifier`` will be also attached to the ``NameId``.
 
 If a match on the ``LogoutResponse`` ID and the ``LogoutRequest`` ID to be sent is required, that ``LogoutRequest`` ID must to be extracted and stored for future validation, we can get that ID by:
 
@@ -830,7 +830,12 @@ elif 'sso2' in request.args:                       # Another SSO init action
     return_to = '%sattrs/' % request.host_url      # but set a custom RelayState URL
     return redirect(auth.login(return_to))
 elif 'slo' in request.args:                     # SLO action. Will sent a Logout Request to IdP
-    return redirect(auth.logout())
+    nameid = request.session['samlNameId']
+    nameid_format = request.session['samlNameIdFormat']
+    nameid_nq = request.session['samlNameIdNameQualifier']
+    nameid_spnq = request.session['samlNameIdSPNameQualifier']
+    session_index = request.session['samlSessionIndex']
+    return redirect(auth.logout(None, nameid, session_index, nameid_nq, nameid_format, nameid_spnq))
 elif 'acs' in request.args:                 # Assertion Consumer Service
     auth.process_response()                     # Process the Response of the IdP
     errors = auth.get_errors()              # This method receives an array with the errors
@@ -839,6 +844,11 @@ elif 'acs' in request.args:                 # Assertion Consumer Service
             msg = "Not authenticated"           # data retrieved or not (user authenticated)
         else:
             request.session['samlUserdata'] = auth.get_attributes()     # Retrieves user data
+            request.session['samlNameId'] = auth.get_nameid()
+            request.session['samlNameIdFormat'] = auth.get_nameid_format()
+            request.session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
+            request.session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
+            request.session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
                 return redirect(auth.redirect_to(request.form['RelayState']))   # Redirect if there is a relayState
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 535b42af..22e5f6aa 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -45,14 +45,19 @@ def index(request):
         return_to = OneLogin_Saml2_Utils.get_self_url(req) + reverse('attrs')
         return HttpResponseRedirect(auth.login(return_to))
     elif 'slo' in req['get_data']:
-        name_id = None
-        session_index = None
+        name_id = session_index = name_id_format = name_id_nq = name_id_spnq = None
         if 'samlNameId' in request.session:
             name_id = request.session['samlNameId']
         if 'samlSessionIndex' in request.session:
             session_index = request.session['samlSessionIndex']
-
-        return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index))
+        if 'samlNameIdFormat' in request.session:
+            name_id_format = request.session['samlNameIdFormat']
+        if 'samlNameIdNameQualifier' in request.session:
+            name_id_nq = request.session['samlNameIdNameQualifier']
+        if 'samlNameIdSPNameQualifier' in request.session:
+            name_id_spnq = request.session['samlNameIdSPNameQualifier']
+
+        return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index, nq=name_id_nq, name_id_format=name_id_format, spnq=name_id_spnq))
     elif 'acs' in req['get_data']:
         auth.process_response()
         errors = auth.get_errors()
@@ -61,6 +66,9 @@ def index(request):
         if not errors:
             request.session['samlUserdata'] = auth.get_attributes()
             request.session['samlNameId'] = auth.get_nameid()
+            request.session['samlNameIdFormat'] = auth.get_nameid_format()
+            request.session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
+            request.session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
diff --git a/demo-flask/index.py b/demo-flask/index.py
index e7c88d75..caf9a72a 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -50,21 +50,28 @@ def index():
         return_to = '%sattrs/' % request.host_url
         return redirect(auth.login(return_to))
     elif 'slo' in request.args:
-        name_id = None
-        session_index = None
+        name_id = session_index = name_id_format = name_id_nq = name_id_spnq = None
         if 'samlNameId' in session:
             name_id = session['samlNameId']
         if 'samlSessionIndex' in session:
             session_index = session['samlSessionIndex']
-
-        return redirect(auth.logout(name_id=name_id, session_index=session_index))
+        if 'samlNameIdFormat' in session:
+            name_id_format = session['samlNameIdFormat']
+        if 'samlNameIdNameQualifier' in session:
+            name_id_nq = session['samlNameIdNameQualifier']
+        if 'samlNameIdSPNameQualifier' in session:
+            name_id_spnq = session['samlNameIdSPNameQualifier']
+
+        return redirect(auth.logout(name_id=name_id, session_index=session_index, nq=name_id_nq, name_id_format=name_id_format, spnq=name_id_spnq))
     elif 'acs' in request.args:
         auth.process_response()
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
         if len(errors) == 0:
-            session['samlUserdata'] = auth.get_attributes()
             session['samlNameId'] = auth.get_nameid()
+            session['samlNameIdFormat'] = auth.get_nameid_format()
+            session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
+            session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 5d6aa84f..2a9b7cde 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -55,6 +55,8 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self.__attributes = dict()
         self.__nameid = None
         self.__nameid_format = None
+        self.__nameid_nq = None
+        self.__nameid_spnq = None
         self.__session_index = None
         self.__session_expiration = None
         self.__authenticated = False
@@ -107,6 +109,8 @@ def process_response(self, request_id=None):
                 self.__attributes = response.get_attributes()
                 self.__nameid = response.get_nameid()
                 self.__nameid_format = response.get_nameid_format()
+                self.__nameid_nq = response.get_nameid_nq()
+                self.__nameid_spnq = response.get_nameid_spnq()
                 self.__session_index = response.get_session_index()
                 self.__session_expiration = response.get_session_not_on_or_after()
                 self.__last_message_id = response.get_id()
@@ -245,6 +249,24 @@ def get_nameid_format(self):
         """
         return self.__nameid_format
 
+    def get_nameid_nq(self):
+        """
+        Returns the nameID NameQualifier of the Assertion.
+
+        :returns: NameID NameQualifier
+        :rtype: string|None
+        """
+        return self.__nameid_nq
+
+    def get_nameid_spnq(self):
+        """
+        Returns the nameID SP NameQualifier of the Assertion.
+
+        :returns: NameID SP NameQualifier
+        :rtype: string|None
+        """
+        return self.__nameid_spnq
+
     def get_session_index(self):
         """
         Returns the SessionIndex from the AuthnStatement.
@@ -366,7 +388,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
             self.add_request_signature(parameters, security['signatureAlgorithm'])
         return self.redirect_to(self.get_sso_url(), parameters)
 
-    def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None):
+    def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
         """
         Initiates the SLO process.
 
@@ -385,6 +407,9 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name
         :param name_id_format: The NameID Format that will be set in the LogoutRequest.
         :type: string
 
+        :param spnq: SP Name Qualifier
+        :type: string
+
         :returns: Redirection URL
         """
         slo_url = self.get_slo_url()
@@ -405,7 +430,8 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name
             name_id=name_id,
             session_index=session_index,
             nq=nq,
-            name_id_format=name_id_format
+            name_id_format=name_id_format,
+            spnq=spnq
         )
         self.__last_request = logout_request.get_xml()
         self.__last_request_id = logout_request.id
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 9dfb0c3e..252726b7 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -25,7 +25,7 @@ class OneLogin_Saml2_Logout_Request(object):
 
     """
 
-    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None):
+    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
         """
         Constructs the Logout Request object.
 
@@ -46,6 +46,9 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
 
         :param name_id_format: The NameID Format that will be set in the LogoutRequest.
         :type: string
+
+        :param spnq: SP Name Qualifier
+        :type: string
         """
         self.__settings = settings
         self.__error = None
@@ -75,19 +78,23 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
                     name_id_format = sp_data['NameIDFormat']
             else:
+                name_id = idp_data['entityId']
                 name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
 
-            sp_name_qualifier = None
-            if name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
-                name_id = idp_data['entityId']
+            # From saml-core-2.0-os 8.3.6, when the entity Format is used:
+            # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
+            # MUST be omitted.
+            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
                 nq = None
-            elif nq is not None:
-                # We only gonna include SPNameQualifier if NameQualifier is provided
-                sp_name_qualifier = sp_data['entityId']
+                spnq = None
+
+            # NameID Format UNSPECIFIED omitted
+            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
+                name_id_format = None
 
             name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
                 name_id,
-                sp_name_qualifier,
+                spnq,
                 name_id_format,
                 cert,
                 False,
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 1ceaac32..8aa309c5 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -506,6 +506,32 @@ def get_nameid_format(self):
             nameid_format = nameid_data['Format']
         return nameid_format
 
+    def get_nameid_nq(self):
+        """
+        Gets the NameID NameQualifier provided by the SAML Response from the IdP
+
+        :returns: NameID NameQualifier
+        :rtype: string|None
+        """
+        nameid_nq = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'NameQualifier' in nameid_data.keys():
+            nameid_nq = nameid_data['NameQualifier']
+        return nameid_nq
+
+    def get_nameid_spnq(self):
+        """
+        Gets the NameID SP NameQualifier provided by the SAML response from the IdP.
+
+        :returns: NameID SP NameQualifier
+        :rtype: string|None
+        """
+        nameid_spnq = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'SPNameQualifier' in nameid_data.keys():
+            nameid_spnq = nameid_data['SPNameQualifier']
+        return nameid_spnq
+
     def get_session_not_on_or_after(self):
         """
         Gets the SessionNotOnOrAfter from the AuthnStatement
diff --git a/tests/data/responses/valid_response_with_namequalifier.xml.base64 b/tests/data/responses/valid_response_with_namequalifier.xml.base64
new file mode 100644
index 00000000..a98de3ff
--- /dev/null
+++ b/tests/data/responses/valid_response_with_namequalifier.xml.base64
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeDhmZWI5YWNkLTFlODYtYWMxMi05MDIzLTEzYjg0NDc5YjI1YiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDhmZWI5YWNkLTFlODYtYWMxMi05MDIzLTEzYjg0NDc5YjI1YiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+NVRWZURYbGQ3YzhURmtybVlDeFpuL2ZHRTRzPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5hZlFaVUE2REpHa0hLNjVMMENBaTJBSDJkOWNwbExuekNPTHBCYm9hUmVmaWdtVC92L0tJZGcyYXpWRzY2Ykk1aFA1NTBNR0c2ZVVzaWJ1N2N3ZytFbG9tejVBalE3dzlGZG8waHdWWWhib3JaSkN2TUxLUzBEWkFzc01XZnZ3RGNUNmhra3UreXFlS2RhZ1BBOTYwQ25YcUMxeHpjMk43WS82dlBCU081bVU9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDQxN2ZiOTc2LTk0NGEtNDNiZi05ZTUyLWZiOWM1OTYxNzYxZiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZng0MTdmYjk3Ni05NDRhLTQzYmYtOWU1Mi1mYjljNTk2MTc2MWYiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmxSbTJ3UW13ZGhmZVZuMDFaS1Ewb05CN1JqQT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+aktwQUNmMWkxR0FMSWQ5Y0liQlFsTkJQMVhpZDhhYXFKOUxyTkFIZ1lpR2VIc0NscldVUkZJREprOGI0T3RmdHdXTGZKeXBXbXgwWm15M2hpTTJyVHBIbDBLMGVqSFNsOS9Ed0pabkNEQW1CS1lhZ0ZFR0xxWXYwaXI0Y2lYaForTkdXSDY1czhBRlVibjU2SytaS3lpMFkwMWc4TmVqaS92OTNlZFZ6ZTZnPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDZ1RDQ0Flb0NDUUNiT2xyV0RkWDdGVEFOQmdrcWhraUc5dzBCQVFVRkFEQ0JoREVMTUFrR0ExVUVCaE1DVGs4eEdEQVdCZ05WQkFnVEQwRnVaSEpsWVhNZ1UyOXNZbVZ5WnpFTU1Bb0dBMVVFQnhNRFJtOXZNUkF3RGdZRFZRUUtFd2RWVGtsT1JWUlVNUmd3RmdZRFZRUURFdzltWldsa1pTNWxjbXhoYm1jdWJtOHhJVEFmQmdrcWhraUc5dzBCQ1FFV0VtRnVaSEpsWVhOQWRXNXBibVYwZEM1dWJ6QWVGdzB3TnpBMk1UVXhNakF4TXpWYUZ3MHdOekE0TVRReE1qQXhNelZhTUlHRU1Rc3dDUVlEVlFRR0V3Sk9UekVZTUJZR0ExVUVDQk1QUVc1a2NtVmhjeUJUYjJ4aVpYSm5NUXd3Q2dZRFZRUUhFd05HYjI4eEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReEdEQVdCZ05WQkFNVEQyWmxhV1JsTG1WeWJHRnVaeTV1YnpFaE1COEdDU3FHU0liM0RRRUpBUllTWVc1a2NtVmhjMEIxYm1sdVpYUjBMbTV2TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEaXZiaFI3UDUxNngvUzNCcUt4dXBRZTBMT05vbGl1cGlCT2VzQ08zU0hiRHJsMytxOUliZm5mbUUwNHJOdU1jUHNJeEIxNjFUZERwSWVzTENuN2M4YVBISVNLT3RQbEFlVFpTbmI4UUF1N2FSalpxMytQYnJQNXVXM1RjZkNHUHRLVHl0SE9nZS9PbEpibzA3OGRWaFhRMTRkMUVEd1hKVzFyUlh1VXQ0QzhRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCQUNEVmZwODZIT2JxWStlOEJVb1dROStWTVF4MUFTRG9oQmp3T3NnMld5a1VxUlhGK2RMZmNVSDlkV1I2M0N0WklLRkRiU3ROb21QblF6N25iSytvbnlnd0JzcFZFYm5IdVVpaFpxM1pVZG11bVFxQ3c0VXZzLzFVdnEzb3JPby9XSlZoVHl2TGdGVksyUWFyUTQvNjdPWmZIZDdSK1BPQlhob3BoU012MVpPbzwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vdGVzdC5leGFtcGxlLmNvbS9zYW1sL21ldGFkYXRhIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+NDkyODgyNjE1YWNmMzFjODA5NmI2MjcyNDVkNzZhZTUzMDM2YzA5MDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjA1NC0wOC0yM1QwNjo1NzowMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMi0xOVQwMTozNjozMVoiIE5vdE9uT3JBZnRlcj0iMjA1NC0wOC0yM1QwNjo1NzowMVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMi0xOVQwMTozNzowMVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwNTQtMDItMTlUMDk6Mzc6MDFaIiBTZXNzaW9uSW5kZXg9Il82MjczZDc3YjhjZGUwYzMzM2VjNzlkMjJhOWZhMDAwM2I5ZmUyZDc1Y2IiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c21hcnRpbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zbWFydGluQHlhY28uZXM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iY24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNpeHRvMzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJzbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWFydGluMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5hZG1pbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 02193ee2..c7c391c7 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -227,6 +227,9 @@ def testProcessResponseValid(self):
         self.assertEqual(auth.get_attribute('mail'), attributes['mail'])
         session_index = auth.get_session_index()
         self.assertEqual('_6273d77b8cde0c333ec79d22a9fa0003b9fe2d75cb', session_index)
+        self.assertEqual("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", auth.get_nameid_format())
+        self.assertIsNone(auth.get_nameid_nq())
+        self.assertEqual("http://stuff.com/endpoints/metadata.php", auth.get_nameid_spnq())
 
     def testRedirectTo(self):
         """
@@ -993,6 +996,70 @@ def testGetNameIdFormat(self):
         self.assertTrue(auth.is_authenticated())
         self.assertEqual("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified", auth.get_nameid_format())
 
+    def testGetNameIdNameQualifier(self):
+        """
+        Tests the get_nameid_nq method of the OneLogin_Saml2_Auth
+        """
+        settings = self.loadSettingsJSON()
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response_with_namequalifier.xml.base64'))
+        request_data = self.get_request()
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        self.assertIsNone(auth.get_nameid_nq())
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertEqual("https://test.example.com/saml/metadata", auth.get_nameid_nq())
+
+    def testGetNameIdNameQualifier2(self):
+        """
+        Tests the get_nameid_nq method of the OneLogin_Saml2_Auth
+        """
+        settings = self.loadSettingsJSON()
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        request_data = self.get_request()
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        self.assertIsNone(auth.get_nameid_nq())
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertIsNone(auth.get_nameid_nq())
+
+    def testGetNameIdSPNameQualifier(self):
+        """
+        Tests the get_nameid_spnq method of the OneLogin_Saml2_Auth
+        """
+        settings = self.loadSettingsJSON()
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response_with_namequalifier.xml.base64'))
+        request_data = self.get_request()
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        self.assertIsNone(auth.get_nameid_spnq())
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertIsNone(auth.get_nameid_spnq())
+
+    def testGetNameIdSPNameQualifier2(self):
+        """
+        Tests the get_nameid_spnq method of the OneLogin_Saml2_Auth
+        """
+        settings = self.loadSettingsJSON()
+        message = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        request_data = self.get_request()
+        request_data['post_data'] = {
+            'SAMLResponse': message
+        }
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        self.assertIsNone(auth.get_nameid_spnq())
+        auth.process_response()
+        self.assertTrue(auth.is_authenticated())
+        self.assertEqual("http://stuff.com/endpoints/metadata.php", auth.get_nameid_spnq())
+
     def testBuildRequestSignature(self):
         """
         Tests the build_request_signature method of the OneLogin_Saml2_Auth
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index 3d724d82..d4c8ee6c 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -215,7 +215,6 @@ def testGetNameIdData(self):
         expected_name_id_data = {
             'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
             'NameQualifier': idp_data['entityId'],
-            'SPNameQualifier': 'http://stuff.com/endpoints/metadata.php',
             'Value': 'ONELOGIN_9c86c4542ab9d6fce07f2f7fd335287b9b3cdf69'
         }
 
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index d487c11b..3ce359d9 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -293,6 +293,74 @@ def testReturnNameIdFormat(self):
         with self.assertRaisesRegex(Exception, 'An empty NameID value found'):
             response_17.get_nameid_format()
 
+    def testReturnNameIdNameQualifier(self):
+        """
+        Tests the get_nameid_nq method of the OneLogin_Saml2_Response
+        """
+        json_settings = self.loadSettingsJSON()
+        json_settings['strict'] = False
+        settings = OneLogin_Saml2_Settings(json_settings)
+        xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertIsNone(response.get_nameid_nq())
+
+        xml_2 = self.file_contents(join(self.data_path, 'responses', 'response_encrypted_nameid.xml.base64'))
+        response_2 = OneLogin_Saml2_Response(settings, xml_2)
+        self.assertIsNone(response_2.get_nameid_nq())
+
+        xml_3 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
+        response_3 = OneLogin_Saml2_Response(settings, xml_3)
+        self.assertIsNone(response_3.get_nameid_nq())
+
+        xml_4 = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        response_4 = OneLogin_Saml2_Response(settings, xml_4)
+        self.assertIsNone(response_4.get_nameid_nq())
+
+        xml_5 = self.file_contents(join(self.data_path, 'responses', 'valid_response_with_namequalifier.xml.base64'))
+        response_5 = OneLogin_Saml2_Response(settings, xml_5)
+        self.assertEqual('https://test.example.com/saml/metadata', response_5.get_nameid_nq())
+
+        json_settings['strict'] = True
+        settings = OneLogin_Saml2_Settings(json_settings)
+        xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64'))
+        response_6 = OneLogin_Saml2_Response(settings, xml_6)
+        with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'):
+            response_6.get_nameid_nq()
+
+    def testReturnNameIdNameSPQualifier(self):
+        """
+        Tests the get_nameid_spnq method of the OneLogin_Saml2_Response
+        """
+        json_settings = self.loadSettingsJSON()
+        json_settings['strict'] = False
+        settings = OneLogin_Saml2_Settings(json_settings)
+        xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertIsNone(response.get_nameid_spnq())
+
+        xml_2 = self.file_contents(join(self.data_path, 'responses', 'response_encrypted_nameid.xml.base64'))
+        response_2 = OneLogin_Saml2_Response(settings, xml_2)
+        self.assertEqual("http://stuff.com/endpoints/metadata.php", response_2.get_nameid_spnq())
+
+        xml_3 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion.xml.base64'))
+        response_3 = OneLogin_Saml2_Response(settings, xml_3)
+        self.assertEqual("http://stuff.com/endpoints/metadata.php", response_3.get_nameid_spnq())
+
+        xml_4 = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        response_4 = OneLogin_Saml2_Response(settings, xml_4)
+        self.assertEqual("http://stuff.com/endpoints/metadata.php", response_4.get_nameid_spnq())
+
+        xml_5 = self.file_contents(join(self.data_path, 'responses', 'valid_response_with_namequalifier.xml.base64'))
+        response_5 = OneLogin_Saml2_Response(settings, xml_5)
+        self.assertIsNone(response_5.get_nameid_spnq())
+
+        json_settings['strict'] = True
+        settings = OneLogin_Saml2_Settings(json_settings)
+        xml_6 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'no_nameid.xml.base64'))
+        response_6 = OneLogin_Saml2_Response(settings, xml_6)
+        with self.assertRaisesRegex(Exception, 'NameID not found in the assertion of the Response'):
+            response_6.get_nameid_spnq()
+
     def testGetNameIdData(self):
         """
         Tests the get_nameid_data method of the OneLogin_Saml2_Response

From ec21c28b9997ad3acf80c5d4ce3ef9e4afc6ca6e Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 27 Jun 2019 16:34:34 +0200
Subject: [PATCH 125/331] Support authnrequest_id logoutrequest_id on demos

---
 demo-django/demo/views.py | 21 +++++++++++++++++++--
 demo-flask/index.py       | 17 +++++++++++++++--
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 22e5f6aa..337ef669 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -41,6 +41,10 @@ def index(request):
 
     if 'sso' in req['get_data']:
         return HttpResponseRedirect(auth.login())
+        # If AuthNRequest ID need to be stored in order to later validate it, do instead
+        # sso_built_url = auth.login()
+        # request.session['AuthNRequestID'] = auth.get_last_request_id()
+        # return HttpResponseRedirect(sso_built_url)
     elif 'sso2' in req['get_data']:
         return_to = OneLogin_Saml2_Utils.get_self_url(req) + reverse('attrs')
         return HttpResponseRedirect(auth.login(return_to))
@@ -58,12 +62,22 @@ def index(request):
             name_id_spnq = request.session['samlNameIdSPNameQualifier']
 
         return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index, nq=name_id_nq, name_id_format=name_id_format, spnq=name_id_spnq))
+        # If LogoutRequest ID need to be stored in order to later validate it, do instead
+        # slo_built_url = auth.logout(name_id=name_id, session_index=session_index)
+        # request.session['LogoutRequestID'] = auth.get_last_request_id()
+        #return HttpResponseRedirect(slo_built_url)
     elif 'acs' in req['get_data']:
-        auth.process_response()
+        request_id = None
+        if 'AuthNRequestID' in request.session:
+            request_id = request.session['AuthNRequestID']
+
+        auth.process_response(request_id=request_id)
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
 
         if not errors:
+            if 'AuthNRequestID' in request.session:
+                del request.session['AuthNRequestID']
             request.session['samlUserdata'] = auth.get_attributes()
             request.session['samlNameId'] = auth.get_nameid()
             request.session['samlNameIdFormat'] = auth.get_nameid_format()
@@ -76,8 +90,11 @@ def index(request):
             if auth.get_settings().is_debug_active():
                 error_reason = auth.get_last_error_reason()
     elif 'sls' in req['get_data']:
+        request_id = None
+        if 'LogoutRequestID' in request.session:
+            request_id = request.session['LogoutRequestID']
         dscb = lambda: request.session.flush()
-        url = auth.process_slo(delete_session_cb=dscb)
+        url = auth.process_slo(request_id=request_id, delete_session_cb=dscb)
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
diff --git a/demo-flask/index.py b/demo-flask/index.py
index caf9a72a..b344da4c 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -46,6 +46,10 @@ def index():
 
     if 'sso' in request.args:
         return redirect(auth.login())
+        # If AuthNRequest ID need to be stored in order to later validate it, do instead
+        # sso_built_url = auth.login()
+        # request.session['AuthNRequestID'] = auth.get_last_request_id()
+        # return redirect(sso_built_url)
     elif 'sso2' in request.args:
         return_to = '%sattrs/' % request.host_url
         return redirect(auth.login(return_to))
@@ -64,10 +68,16 @@ def index():
 
         return redirect(auth.logout(name_id=name_id, session_index=session_index, nq=name_id_nq, name_id_format=name_id_format, spnq=name_id_spnq))
     elif 'acs' in request.args:
-        auth.process_response()
+        request_id = None
+        if 'AuthNRequestID' in session:
+            request_id = session['AuthNRequestID']
+
+        auth.process_response(request_id=request_id)
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
         if len(errors) == 0:
+            if 'AuthNRequestID' in session:
+                del session['AuthNRequestID']
             session['samlNameId'] = auth.get_nameid()
             session['samlNameIdFormat'] = auth.get_nameid_format()
             session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
@@ -77,8 +87,11 @@ def index():
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
                 return redirect(auth.redirect_to(request.form['RelayState']))
     elif 'sls' in request.args:
+        request_id = None
+        if 'LogoutRequestID' in session:
+            request_id = session['LogoutRequestID']
         dscb = lambda: session.clear()
-        url = auth.process_slo(delete_session_cb=dscb)
+        url = auth.process_slo(request_id=request_id, delete_session_cb=dscb)
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:

From 45b920760ad9bbd5ce119164718f6be9a8beea46 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 2 Jul 2019 19:12:43 +0200
Subject: [PATCH 126/331] Release 1.7.0

---
 changelog.md | 5 +++++
 setup.py     | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 42466c4b..8c651302 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,9 @@
 # python3-saml changelog
+### 1.7.0 (Jun 25, 2019)
+* Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs
+* Added get_in_response_to method to Response and LogoutResponse classes
+* Update defusexml dependency
+
 ### 1.6.0 (Apr 10, 2019)
 * Add support for Subjects on AuthNRequests by the new name_id_value_req parameter
 * [#127](https://github.com/onelogin/python3-saml/pull/127) Fix for SLO when XML specifies encoding
diff --git a/setup.py b/setup.py
index e93bccba..3a248144 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.6.0',
+    version='1.7.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From 839edb1227ba89b96a1e228f24008d1362672438 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 2 Jul 2019 19:18:16 +0200
Subject: [PATCH 127/331] Update date of release

---
 changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 8c651302..c82d0cd6 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,5 @@
 # python3-saml changelog
-### 1.7.0 (Jun 25, 2019)
+### 1.7.0 (Jul 02, 2019)
 * Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs
 * Added get_in_response_to method to Response and LogoutResponse classes
 * Update defusexml dependency

From e63a2f8305ad0646eb89d1ff62853a4d97b6594c Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 2 Jul 2019 20:09:38 +0200
Subject: [PATCH 128/331] Fix flake8

---
 demo-django/demo/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 337ef669..4c61e599 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -65,7 +65,7 @@ def index(request):
         # If LogoutRequest ID need to be stored in order to later validate it, do instead
         # slo_built_url = auth.logout(name_id=name_id, session_index=session_index)
         # request.session['LogoutRequestID'] = auth.get_last_request_id()
-        #return HttpResponseRedirect(slo_built_url)
+        # return HttpResponseRedirect(slo_built_url)
     elif 'acs' in req['get_data']:
         request_id = None
         if 'AuthNRequestID' in request.session:

From 40883d925ce17e2b2dcd2d19cab3c710b2fe20b4 Mon Sep 17 00:00:00 2001
From: Craig Martin 
Date: Tue, 9 Jul 2019 11:34:44 -0400
Subject: [PATCH 129/331] use python style comment in python code block

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 52f3b923..e652786e 100644
--- a/README.md
+++ b/README.md
@@ -540,7 +540,7 @@ req = {
     "get_data": "",
     "post_data": "",
 
-    /* Advanced request options */
+    # Advanced request options
     "https": "",
     "lowercase_urlencoding": "",
     "request_uri": "",

From 25dfdc0a694299fe2a37f6edfb2dc39cb6c57e10 Mon Sep 17 00:00:00 2001
From: Jeff Tchang 
Date: Fri, 26 Jul 2019 12:16:14 -0700
Subject: [PATCH 130/331] Don't clean xsd and xsi namespaces

---
 src/onelogin/saml2/constants.py | 1 +
 src/onelogin/saml2/xml_utils.py | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py
index 7b3f0085..e0778bd2 100644
--- a/src/onelogin/saml2/constants.py
+++ b/src/onelogin/saml2/constants.py
@@ -53,6 +53,7 @@ class OneLogin_Saml2_Constants(object):
     NS_PREFIX_MD = 'md'
     NS_PREFIX_XS = 'xs'
     NS_PREFIX_XSI = 'xsi'
+    NS_PREFIX_XSD = 'xsd'
     NS_PREFIX_XENC = 'xenc'
     NS_PREFIX_DS = 'ds'
 
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
index c7274298..d966e615 100644
--- a/src/onelogin/saml2/xml_utils.py
+++ b/src/onelogin/saml2/xml_utils.py
@@ -147,7 +147,9 @@ def cleanup_namespaces(tree_or_element, top_nsmap=None, keep_ns_prefixes=None):
         :rtype: etree.Element
         """
         all_prefixes_to_keep = [
-            OneLogin_Saml2_Constants.NS_PREFIX_XS
+            OneLogin_Saml2_Constants.NS_PREFIX_XS,
+            OneLogin_Saml2_Constants.NS_PREFIX_XSI,
+            OneLogin_Saml2_Constants.NS_PREFIX_XSD
         ]
 
         if keep_ns_prefixes:

From c77f75f645451032769decd4ae8cba5df30e72bb Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" 
Date: Thu, 1 Aug 2019 13:19:47 +0200
Subject: [PATCH 131/331] tests: make tests pass in 2020

For this we update 2020 to 2999

diff decoded is
a/tests/data/responses/unsigned_response.xml
b/tests/data/responses/unsigned_response.xml
@@ -9,15 +9,15 @@
     
       someone@example.com
       
-        
+        
       
     
-    
+    
       
         http://stuff.com/endpoints/metadata.php
       
     
-    
+    
       
         urn:oasis:names:tc:SAML:2.0:ac:classes:Password
       
---
 .../invalids/invalid_subjectconfirmation_nb.xml.base64          | 2 +-
 tests/data/responses/unsigned_response.xml.base64               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/data/responses/invalids/invalid_subjectconfirmation_nb.xml.base64 b/tests/data/responses/invalids/invalid_subjectconfirmation_nb.xml.base64
index ff6d371c..5d1f8bc1 100644
--- a/tests/data/responses/invalids/invalid_subjectconfirmation_nb.xml.base64
+++ b/tests/data/responses/invalids/invalid_subjectconfirmation_nb.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdEJlZm9yZT0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdEJlZm9yZT0iMjk5OS0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjI5OTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjI5OTktMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
diff --git a/tests/data/responses/unsigned_response.xml.base64 b/tests/data/responses/unsigned_response.xml.base64
index 66892b53..18abcf23 100644
--- a/tests/data/responses/unsigned_response.xml.base64
+++ b/tests/data/responses/unsigned_response.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjk5OS0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjI5OTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjI5OTktMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+

From 93f427085dffd2bd4d3b086a7c4183357bb7f646 Mon Sep 17 00:00:00 2001
From: Florent PIGOUT 
Date: Wed, 14 Aug 2019 18:04:18 +0200
Subject: [PATCH 132/331] Drop python3.4 support

Python3.4 is not supported anymore by lxml. Since lots of distribution
handle python3.5 by default and because it breaks the CI, it looks
obvious to drop it.
---
 .travis.yml  | 1 -
 changelog.md | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 8023585e..3ddd4236 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,6 @@
 language: python
 python:
   - '2.7'
-  - '3.4'
   - '3.5'
   - '3.6'
 
diff --git a/changelog.md b/changelog.md
index c82d0cd6..9d7e4384 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,7 @@
 # python3-saml changelog
+### 1.7.1 (unrelease)
+* Drop python3.4 support
+
 ### 1.7.0 (Jul 02, 2019)
 * Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs
 * Added get_in_response_to method to Response and LogoutResponse classes

From 86645a8e2538ad09df38bddead37c090181d1350 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" 
Date: Wed, 21 Aug 2019 10:12:01 +0200
Subject: [PATCH 133/331] Drop broken python-3.4 tests

They failed with `This lxml version requires Python 2.7, 3.5 or later.`
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 8023585e..43d4b210 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,9 +1,9 @@
 language: python
 python:
   - '2.7'
-  - '3.4'
   - '3.5'
   - '3.6'
+  - '3.7'
 
 matrix:
   include:

From b7ae95132f35a5b649c546bb79442422aff3073a Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 11 Sep 2019 16:35:40 +0200
Subject: [PATCH 134/331] Set true as the default value for strict setting

---
 src/onelogin/saml2/settings.py                  | 4 ++--
 tests/src/OneLogin/saml2_tests/settings_test.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 003aa0ad..5057a5ab 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -83,7 +83,7 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals
         """
         self.__sp_validation_only = sp_validation_only
         self.__paths = {}
-        self.__strict = False
+        self.__strict = True
         self.__debug = False
         self.__sp = {}
         self.__idp = {}
@@ -214,7 +214,7 @@ def __load_settings_from_dict(self, settings):
             self.__errors = []
             self.__sp = settings['sp']
             self.__idp = settings.get('idp', {})
-            self.__strict = settings.get('strict', False)
+            self.__strict = settings.get('strict', True)
             self.__debug = settings.get('debug', False)
             self.__security = settings.get('security', {})
             self.__contacts = settings.get('contactPerson', {})
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 75031009..942fdd96 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -755,7 +755,7 @@ def testIsStrict(self):
         del settings_info['strict']
 
         settings = OneLogin_Saml2_Settings(settings_info)
-        self.assertFalse(settings.is_strict())
+        self.assertTrue(settings.is_strict())
 
         settings_info['strict'] = False
         settings_2 = OneLogin_Saml2_Settings(settings_info)

From 1694935585554699d474fcf10f8b31a6aeb52cc7 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 11 Sep 2019 16:42:36 +0200
Subject: [PATCH 135/331] Release 1.8.0

---
 README.md    | 2 ++
 changelog.md | 6 ++++--
 setup.py     | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e652786e..106e93c2 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,8 @@ This version supports Python3. There is a separate version that only support Pyt
 
 #### Warning ####
 
+Version 1.8.0 sets strict mode active by default
+
 Update ``python3-saml`` to ``1.5.0``, this version includes security improvements for preventing XEE and Xpath Injections.
 
 Update ``python3-saml`` to ``1.4.0``, this version includes a fix for the [CVE-2017-11427](https://www.cvedetails.com/cve/CVE-2017-11427/) vulnerability.
diff --git a/changelog.md b/changelog.md
index 9d7e4384..f0e28708 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,8 @@
 # python3-saml changelog
-### 1.7.1 (unrelease)
-* Drop python3.4 support
+### 1.8.0 (Sep 11, 2019)
+* Set true as the default value for strict setting
+* [#152](https://github.com/onelogin/python3-saml/pull/152/files) Don't clean xsd and xsi namespaces
+* Drop python3.4 support due lxml. See lxml 4.4.0 (2019-07-27)
 
 ### 1.7.0 (Jul 02, 2019)
 * Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs
diff --git a/setup.py b/setup.py
index 3a248144..cb483f2d 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.7.0',
+    version='1.8.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From f900996dd53c2c96eeec25cc2bedf086847dbbbe Mon Sep 17 00:00:00 2001
From: Mika Lehtinen 
Date: Fri, 18 Oct 2019 11:56:22 +0300
Subject: [PATCH 136/331] Fix parameter type annotations in merge_settings

---
 src/onelogin/saml2/idp_metadata_parser.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 036028a2..88411f45 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -219,9 +219,9 @@ def merge_settings(settings, new_metadata_settings):
         """
         Will update the settings with the provided new settings data extracted from the IdP metadata
         :param settings: Current settings dict data
-        :type settings: string
+        :type settings: dict
         :param new_metadata_settings: Settings to be merged (extracted from IdP metadata after parsing)
-        :type new_metadata_settings: string
+        :type new_metadata_settings: dict
         :returns: merged settings
         :rtype: dict
         """

From 99567790002a317630be417c84b53c892b81682d Mon Sep 17 00:00:00 2001
From: Florent PIGOUT 
Date: Wed, 14 Aug 2019 17:11:36 +0200
Subject: [PATCH 137/331] Do not touch signed message

---
 src/onelogin/saml2/utils.py                         |  8 ++++----
 ...ponse_without_assertion_reference_uri.xml.base64 |  1 +
 .../response_without_reference_uri.xml.base64       |  2 +-
 tests/src/OneLogin/saml2_tests/response_test.py     | 13 +++++++++++--
 4 files changed, 17 insertions(+), 7 deletions(-)
 create mode 100644 tests/data/responses/response_without_assertion_reference_uri.xml.base64

diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 4647c230..ebaa9c6d 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -956,10 +956,10 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger
             )
 
         # Check if Reference URI is empty
-        reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference')
-        if len(reference_elem) > 0:
-            if reference_elem[0].get('URI') == '':
-                reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
+        # reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference')
+        # if len(reference_elem) > 0:
+        #     if reference_elem[0].get('URI') == '':
+        #         reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
 
         if validatecert:
             manager = xmlsec.KeysManager()
diff --git a/tests/data/responses/response_without_assertion_reference_uri.xml.base64 b/tests/data/responses/response_without_assertion_reference_uri.xml.base64
new file mode 100644
index 00000000..8c4dab5d
--- /dev/null
+++ b/tests/data/responses/response_without_assertion_reference_uri.xml.base64
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzYW1scDpSZXNwb25zZSB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0icGZ4ZDU5NDM0N2QtNDk1Zi1iOGQxLTBlZTItNDFjZmRhMTRkZDM1IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wMS0wMlQyMjo0ODo0OFoiIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjkwMDEvdjEvdXNlcnMvYXV0aG9yaXplL3NhbWwiIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBJblJlc3BvbnNlVG89Il9lZDkxNWE0MC03NGZiLTAxMzItNWIxNi00OGUwZWIxNGExYzciPgogIDxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9leGFtcGxlLmNvbTwvSXNzdWVyPgogIDxzYW1scDpTdGF0dXM+CiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+CiAgPC9zYW1scDpTdGF0dXM+CgogIDxBc3NlcnRpb24geG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfNzAwYWMzMjAtNzRmZi0wMTMyLTViMTQtNDhlMGViMTRhMWM3IiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBWZXJzaW9uPSIyLjAiPgogICAgPElzc3Vlcj5odHRwOi8vZXhhbXBsZS5jb208L0lzc3Vlcj4KICAgIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogIDxkczpTaWduZWRJbmZvPgogICAgPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICAgIDxkczpSZWZlcmVuY2UgVVJJPSIiPgogICAgICA8ZHM6VHJhbnNmb3Jtcz4KICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDwvZHM6VHJhbnNmb3Jtcz4KICAgICAgPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+CiAgICAgIDxkczpEaWdlc3RWYWx1ZT5qQ2dlWENQREZsd2pUZ3FnUHAwbVUyVHF3OWc9PC9kczpEaWdlc3RWYWx1ZT4KICAgIDwvZHM6UmVmZXJlbmNlPgogIDwvZHM6U2lnbmVkSW5mbz4KICA8ZHM6U2lnbmF0dXJlVmFsdWU+bG9SN21DRmlNSURIUHBLeVgzRUd2dzJYeTZycEtFZWZVMDhYS1lWRXJ6MXB3a1BUUFFlYU5iK2RGMHZLai9rNQoyUmJ2Z3ZFUFN2ZGI3RDJOMTY5QjJMTGVmbXpaWTBDY0RKcThkK3lNbnZSNER3YitSUFl6bWJoS29XQ1ZyY3VPCnNvbEUxQTg3WFZjenNpd2JYRWllM2p4RHdDSk5vWi9GRFJRZy80RHRQVmc9PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+CiAgPGRzOlg1MDlEYXRhPgogICAgPGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDVnpDQ0FjQUNDUURJVkhhTlNCWUw2VEFOQmdrcWhraUc5dzBCQVFzRkFEQndNUXN3Q1FZRFZRUUdFd0pHVWpFT01Bd0dBMVVFQ0F3RlVHRnlhWE14RGpBTUJnTlZCQWNNQlZCaGNtbHpNUll3RkFZRFZRUUtEQTFPYjNaaGNHOXpkQ0JVUlZOVU1Ta3dKd1lKS29aSWh2Y05BUWtCRmhwbWJHOXlaVzUwTG5CcFoyOTFkRUJ1YjNaaGNHOXpkQzVtY2pBZUZ3MHhOREF5TVRNeE16VXpOREJhRncweE5UQXlNVE14TXpVek5EQmFNSEF4Q3pBSkJnTlZCQVlUQWtaU01RNHdEQVlEVlFRSURBVlFZWEpwY3pFT01Bd0dBMVVFQnd3RlVHRnlhWE14RmpBVUJnTlZCQW9NRFU1dmRtRndiM04wSUZSRlUxUXhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtWnNiM0psYm5RdWNHbG5iM1YwUUc1dmRtRndiM04wTG1aeU1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ2hMRkhuM0xuTjRKUS83V0NkWXVweGtVZ2NOT1FuUEYreWxsKy9EUHB1eDlucGZZMDU5UElVYXRCOFg3a0NuNWk4dFJ3SXkvaWtISlI2TXI4K01QdmM2Vk9aRHhQTmRadk1vLzhsaHhyYk4zSmRydzN3aFptVS9LUFI5RjNCZEZkdStTTHpyTWwxVERVWmxQdFk5WHpVRlhjcU44SVhjeThUSnpDQmVOZXkzUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRHQkFDdEo4ZmVHemUxTkhCNVZ3MThqTVVQdkhvN0gzR3dtajZaREFYUWxhaUFYTXVOQnhOWFZXVndpZmw2VituVzN3OVFhN0Zlby9uWi9PNFRVT0gxbnorYWRrbGNDRDRRcFphRUlibUFicmlQV0pLZ2I0TFdHaHFRcnV3WVI3SXRUUjFNTlg5Z0xiUDB6MHp2REVRbm50L1ZVV0ZFQkxTSnE0WjROcmU4TEZtUzI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KICA8L2RzOlg1MDlEYXRhPgo8L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+CiAgICAgIDxOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnNhbWxAdXNlci5jb208L05hbWVJRD4KICAgICAgPFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4KICAgICAgICA8U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3IiBOb3RPbk9yQWZ0ZXI9IjIwMzgtMDEtMDJUMjI6NTE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS92MS91c2Vycy9hdXRob3JpemUvc2FtbCIvPgogICAgICA8L1N1YmplY3RDb25maXJtYXRpb24+CiAgICA8L1N1YmplY3Q+CiAgICA8Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTUtMDEtMDJUMjI6NDg6NDNaIiBOb3RPbk9yQWZ0ZXI9IjIwMzgtMDEtMDJUMjM6NDg6NDhaIj4KICAgICAgPEF1ZGllbmNlUmVzdHJpY3Rpb24+CiAgICAgICAgPEF1ZGllbmNlPmh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS88L0F1ZGllbmNlPgogICAgICAgIDxBdWRpZW5jZT5mbGF0X3dvcmxkPC9BdWRpZW5jZT4KICAgICAgPC9BdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgPC9Db25kaXRpb25zPgogICAgPEF0dHJpYnV0ZVN0YXRlbWVudD4KICAgICAgPEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiPgogICAgICAgIDxBdHRyaWJ1dGVWYWx1ZT5zYW1sQHVzZXIuY29tPC9BdHRyaWJ1dGVWYWx1ZT4KICAgICAgPC9BdHRyaWJ1dGU+CiAgICA8L0F0dHJpYnV0ZVN0YXRlbWVudD4KICAgIDxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBTZXNzaW9uSW5kZXg9Il83MDBhYzMyMC03NGZmLTAxMzItNWIxNC00OGUwZWIxNGExYzciPgogICAgICA8QXV0aG5Db250ZXh0PgogICAgICAgIDxBdXRobkNvbnRleHRDbGFzc1JlZj51cm46ZmVkZXJhdGlvbjphdXRoZW50aWNhdGlvbjp3aW5kb3dzPC9BdXRobkNvbnRleHRDbGFzc1JlZj4KICAgICAgPC9BdXRobkNvbnRleHQ+CiAgICA8L0F1dGhuU3RhdGVtZW50PgogIDwvQXNzZXJ0aW9uPgo8L3NhbWxwOlJlc3BvbnNlPgo=
diff --git a/tests/data/responses/response_without_reference_uri.xml.base64 b/tests/data/responses/response_without_reference_uri.xml.base64
index 7ceecf01..d830db01 100644
--- a/tests/data/responses/response_without_reference_uri.xml.base64
+++ b/tests/data/responses/response_without_reference_uri.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGQ1OTQzNDdkLTQ5NWYtYjhkMS0wZWUyLTQxY2ZkYTE0ZGQzNSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDAxL3YxL3VzZXJzL2F1dGhvcml6ZS9zYW1sIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3Ij4NCiAgPElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL2V4YW1wbGUuY29tPC9Jc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5qQ2dlWENQREZsd2pUZ3FnUHAwbVUyVHF3OWc9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkRmdXByMTh3UityRGFndENQRWZRbFNHSHp3NE5kZlBIWjRIc3pGZTFKUENKWGpmYnlFTTFmZytqemdHYk1NdDZYemdDWGNLSk03RS9DUFNURGt2TWUzRFVKbEh1NERodURPQXovRHN5b0J3V3VWK1JmM1dpTmNGNFhDYzl3QlF6dm4vYXREN3pXNnh3TzdOL2hrQVpKcWZ2SmRkbnBNTUhLR1hxRy9aSFpBdz08L2RzOlNpZ25hdHVyZVZhbHVlPg0KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ3FEQ0NBaEdnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVEwRkFEQnhNUXN3Q1FZRFZRUUdFd0oxY3pFVE1CRUdBMVVFQ0F3S1YyRnphR2x1WjNSdmJqRWlNQ0FHQTFVRUNnd1pSbXhoZENCWGIzSnNaQ0JMYm05M2JHVmtaMlVzSUVsdVl6RWNNQm9HQTFVRUF3d1RiR1ZoY200dVpteGhkSGR2Y214a0xtTnZiVEVMTUFrR0ExVUVCd3dDUkVNd0hoY05NVFV3TnpBNE1EazFPVEF6V2hjTk1qVXdOekExTURrMU9UQXpXakJ4TVFzd0NRWURWUVFHRXdKMWN6RVRNQkVHQTFVRUNBd0tWMkZ6YUdsdVozUnZiakVpTUNBR0ExVUVDZ3daUm14aGRDQlhiM0pzWkNCTGJtOTNiR1ZrWjJVc0lFbHVZekVjTUJvR0ExVUVBd3dUYkdWaGNtNHVabXhoZEhkdmNteGtMbU52YlRFTE1Ba0dBMVVFQnd3Q1JFTXdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBTVBEd3NsNW82eDJRb3VOaTEvRTdJVXFSWWoyWW9jSlJGc3VFR1RldnlVKzJhRkNhQk5WL3R0NnNBYk05V1N1dEx1cWpFL2hmYm5sRWNaMDMrZ24wQ29MbDZZbXdiS0tlUnBrSXplVmhveUoxWVlNUUVBVmhMcmR5OFBvd3U4VUNaMFBiQXorbjlka2lSek01cENDTzc3K2d5Y0ZUQkZLSEFBOXFJcFVaWmtQQWdNQkFBR2pVREJPTUIwR0ExVWREZ1FXQkJRSFU1OGl1R3hGbFp1ckJVSndvbGFsSnIrRlJ6QWZCZ05WSFNNRUdEQVdnQlFIVTU4aXVHeEZsWnVyQlVKd29sYWxKcitGUnpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCRFFVQUE0R0JBQzZpSGZNbWQraE1TUnpma29zaTNDK3d2cUhDTEVVc2czSEZwa1ptNWp4bVREbEY1cU8rQnQwbjB4bWZvcVdCekJNbE5DOFRzR3JhZmhKM3p1OEdORjBMZW8xMXJmYzFHTUdCdnI1SG9aM1dBQXltbkJFREFBb3N4TjZXWlJtajF4YWdhMTMrNnBXZkdCKysyblB3Y1pXUC84ZGtQY1JvZ2V2VjB4MHA1Njg2PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCg0KICA8QXNzZXJ0aW9uIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzcwMGFjMzIwLTc0ZmYtMDEzMi01YjE0LTQ4ZTBlYjE0YTFjNyIgSXNzdWVJbnN0YW50PSIyMDE1LTAxLTAyVDIyOjQ4OjQ4WiIgVmVyc2lvbj0iMi4wIj4NCiAgICA8SXNzdWVyPmh0dHA6Ly9leGFtcGxlLmNvbTwvSXNzdWVyPg0KICAgIDxTdWJqZWN0Pg0KICAgICAgPE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c2FtbEB1c2VyLmNvbTwvTmFtZUlEPg0KICAgICAgPFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPFN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iX2VkOTE1YTQwLTc0ZmItMDEzMi01YjE2LTQ4ZTBlYjE0YTFjNyIgTm90T25PckFmdGVyPSIyMDM4LTAxLTAyVDIyOjUxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjkwMDEvdjEvdXNlcnMvYXV0aG9yaXplL3NhbWwiLz4NCiAgICAgIDwvU3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L1N1YmplY3Q+DQogICAgPENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTAxLTAyVDIyOjQ4OjQzWiIgTm90T25PckFmdGVyPSIyMDM4LTAxLTAyVDIzOjQ4OjQ4WiI+DQogICAgICA8QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPEF1ZGllbmNlPmh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS88L0F1ZGllbmNlPg0KICAgICAgICA8QXVkaWVuY2U+ZmxhdF93b3JsZDwvQXVkaWVuY2U+DQogICAgICA8L0F1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9Db25kaXRpb25zPg0KICAgIDxBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL2VtYWlsYWRkcmVzcyI+DQogICAgICAgIDxBdHRyaWJ1dGVWYWx1ZT5zYW1sQHVzZXIuY29tPC9BdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvQXR0cmlidXRlPg0KICAgIDwvQXR0cmlidXRlU3RhdGVtZW50Pg0KICAgIDxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBTZXNzaW9uSW5kZXg9Il83MDBhYzMyMC03NGZmLTAxMzItNWIxNC00OGUwZWIxNGExYzciPg0KICAgICAgPEF1dGhuQ29udGV4dD4NCiAgICAgICAgPEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9BdXRobkNvbnRleHQ+DQogICAgPC9BdXRoblN0YXRlbWVudD4NCiAgPC9Bc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
+PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzYW1scDpSZXNwb25zZSB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJRD0icGZ4ZDU5NDM0N2QtNDk1Zi1iOGQxLTBlZTItNDFjZmRhMTRkZDM1IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wMS0wMlQyMjo0ODo0OFoiIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjkwMDEvdjEvdXNlcnMvYXV0aG9yaXplL3NhbWwiIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBJblJlc3BvbnNlVG89Il9lZDkxNWE0MC03NGZiLTAxMzItNWIxNi00OGUwZWIxNGExYzciPgogIDxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9leGFtcGxlLmNvbTwvSXNzdWVyPgogIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogIDxkczpTaWduZWRJbmZvPgogICAgPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICAgIDxkczpSZWZlcmVuY2UgVVJJPSIiPgogICAgICA8ZHM6VHJhbnNmb3Jtcz4KICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDwvZHM6VHJhbnNmb3Jtcz4KICAgICAgPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+CiAgICAgIDxkczpEaWdlc3RWYWx1ZT5qQ2dlWENQREZsd2pUZ3FnUHAwbVUyVHF3OWc9PC9kczpEaWdlc3RWYWx1ZT4KICAgIDwvZHM6UmVmZXJlbmNlPgogIDwvZHM6U2lnbmVkSW5mbz4KICA8ZHM6U2lnbmF0dXJlVmFsdWU+bG9SN21DRmlNSURIUHBLeVgzRUd2dzJYeTZycEtFZWZVMDhYS1lWRXJ6MXB3a1BUUFFlYU5iK2RGMHZLai9rNQoyUmJ2Z3ZFUFN2ZGI3RDJOMTY5QjJMTGVmbXpaWTBDY0RKcThkK3lNbnZSNER3YitSUFl6bWJoS29XQ1ZyY3VPCnNvbEUxQTg3WFZjenNpd2JYRWllM2p4RHdDSk5vWi9GRFJRZy80RHRQVmc9PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8+CiAgPGRzOlg1MDlEYXRhPgogICAgPGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDVnpDQ0FjQUNDUURJVkhhTlNCWUw2VEFOQmdrcWhraUc5dzBCQVFzRkFEQndNUXN3Q1FZRFZRUUdFd0pHVWpFT01Bd0dBMVVFQ0F3RlVHRnlhWE14RGpBTUJnTlZCQWNNQlZCaGNtbHpNUll3RkFZRFZRUUtEQTFPYjNaaGNHOXpkQ0JVUlZOVU1Ta3dKd1lKS29aSWh2Y05BUWtCRmhwbWJHOXlaVzUwTG5CcFoyOTFkRUJ1YjNaaGNHOXpkQzVtY2pBZUZ3MHhOREF5TVRNeE16VXpOREJhRncweE5UQXlNVE14TXpVek5EQmFNSEF4Q3pBSkJnTlZCQVlUQWtaU01RNHdEQVlEVlFRSURBVlFZWEpwY3pFT01Bd0dBMVVFQnd3RlVHRnlhWE14RmpBVUJnTlZCQW9NRFU1dmRtRndiM04wSUZSRlUxUXhLVEFuQmdrcWhraUc5dzBCQ1FFV0dtWnNiM0psYm5RdWNHbG5iM1YwUUc1dmRtRndiM04wTG1aeU1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ2hMRkhuM0xuTjRKUS83V0NkWXVweGtVZ2NOT1FuUEYreWxsKy9EUHB1eDlucGZZMDU5UElVYXRCOFg3a0NuNWk4dFJ3SXkvaWtISlI2TXI4K01QdmM2Vk9aRHhQTmRadk1vLzhsaHhyYk4zSmRydzN3aFptVS9LUFI5RjNCZEZkdStTTHpyTWwxVERVWmxQdFk5WHpVRlhjcU44SVhjeThUSnpDQmVOZXkzUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRHQkFDdEo4ZmVHemUxTkhCNVZ3MThqTVVQdkhvN0gzR3dtajZaREFYUWxhaUFYTXVOQnhOWFZXVndpZmw2VituVzN3OVFhN0Zlby9uWi9PNFRVT0gxbnorYWRrbGNDRDRRcFphRUlibUFicmlQV0pLZ2I0TFdHaHFRcnV3WVI3SXRUUjFNTlg5Z0xiUDB6MHp2REVRbm50L1ZVV0ZFQkxTSnE0WjROcmU4TEZtUzI8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KICA8L2RzOlg1MDlEYXRhPgo8L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz4KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz4KICA8L3NhbWxwOlN0YXR1cz4KCiAgPEFzc2VydGlvbiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il83MDBhYzMyMC03NGZmLTAxMzItNWIxNC00OGUwZWIxNGExYzciIElzc3VlSW5zdGFudD0iMjAxNS0wMS0wMlQyMjo0ODo0OFoiIFZlcnNpb249IjIuMCI+CiAgICA8SXNzdWVyPmh0dHA6Ly9leGFtcGxlLmNvbTwvSXNzdWVyPgogICAgPFN1YmplY3Q+CiAgICAgIDxOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnNhbWxAdXNlci5jb208L05hbWVJRD4KICAgICAgPFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4KICAgICAgICA8U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3IiBOb3RPbk9yQWZ0ZXI9IjIwMzgtMDEtMDJUMjI6NTE6NDhaIiBSZWNpcGllbnQ9Imh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS92MS91c2Vycy9hdXRob3JpemUvc2FtbCIvPgogICAgICA8L1N1YmplY3RDb25maXJtYXRpb24+CiAgICA8L1N1YmplY3Q+CiAgICA8Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTUtMDEtMDJUMjI6NDg6NDNaIiBOb3RPbk9yQWZ0ZXI9IjIwMzgtMDEtMDJUMjM6NDg6NDhaIj4KICAgICAgPEF1ZGllbmNlUmVzdHJpY3Rpb24+CiAgICAgICAgPEF1ZGllbmNlPmh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS88L0F1ZGllbmNlPgogICAgICAgIDxBdWRpZW5jZT5mbGF0X3dvcmxkPC9BdWRpZW5jZT4KICAgICAgPC9BdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgPC9Db25kaXRpb25zPgogICAgPEF0dHJpYnV0ZVN0YXRlbWVudD4KICAgICAgPEF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiPgogICAgICAgIDxBdHRyaWJ1dGVWYWx1ZT5zYW1sQHVzZXIuY29tPC9BdHRyaWJ1dGVWYWx1ZT4KICAgICAgPC9BdHRyaWJ1dGU+CiAgICA8L0F0dHJpYnV0ZVN0YXRlbWVudD4KICAgIDxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBTZXNzaW9uSW5kZXg9Il83MDBhYzMyMC03NGZmLTAxMzItNWIxNC00OGUwZWIxNGExYzciPgogICAgICA8QXV0aG5Db250ZXh0PgogICAgICAgIDxBdXRobkNvbnRleHRDbGFzc1JlZj51cm46ZmVkZXJhdGlvbjphdXRoZW50aWNhdGlvbjp3aW5kb3dzPC9BdXRobkNvbnRleHRDbGFzc1JlZj4KICAgICAgPC9BdXRobkNvbnRleHQ+CiAgICA8L0F1dGhuU3RhdGVtZW50PgogIDwvQXNzZXJ0aW9uPgo8L3NhbWxwOlJlc3BvbnNlPgo=
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 3ce359d9..cba1620e 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1661,15 +1661,24 @@ def testIsValidSignFingerprint(self):
         # Modified message
         self.assertFalse(response_9.is_valid(self.get_request_data()))
 
-    def testIsValidSignWithEmptyReferenceURI(self):
+    def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
         settings_info = self.loadSettingsJSON()
         del settings_info['idp']['x509cert']
-        settings_info['idp']['certFingerprint'] = "194d97e4d8c9c8cfa4b721e5ee497fd9660e5213"
+        settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)
         xml = self.file_contents(join(self.data_path, 'responses', 'response_without_reference_uri.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         self.assertTrue(response.is_valid(self.get_request_data()))
 
+    def testAssertionSignedIsValidSignWithEmptyReferenceURI(self):
+        settings_info = self.loadSettingsJSON()
+        del settings_info['idp']['x509cert']
+        settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
+        settings = OneLogin_Saml2_Settings(settings_info)
+        xml = self.file_contents(join(self.data_path, 'responses', 'response_without_assertion_reference_uri.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertTrue(response.is_valid(self.get_request_data()))
+
     def testIsValidWithoutInResponseTo(self):
         """
         If assertion contains InResponseTo but not the Response tag, we should

From 2cda97555aa7fe928d05ee61a8323773a13c5687 Mon Sep 17 00:00:00 2001
From: Florent PIGOUT 
Date: Wed, 14 Aug 2019 17:12:52 +0200
Subject: [PATCH 138/331] Update changelog

---
 changelog.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/changelog.md b/changelog.md
index f0e28708..f93b5878 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,7 @@
 # python3-saml changelog
+### 1.8.1 (unreleased)
+* Do not touch message when validate his signature
+
 ### 1.8.0 (Sep 11, 2019)
 * Set true as the default value for strict setting
 * [#152](https://github.com/onelogin/python3-saml/pull/152/files) Don't clean xsd and xsi namespaces

From a6b07e92242fdf8b37d9384b5ac2e4d678d652ee Mon Sep 17 00:00:00 2001
From: Jordan Ephron 
Date: Mon, 18 Nov 2019 13:47:50 -0800
Subject: [PATCH 139/331] Fix typo: Attribute -> Assertion

Fixes a typo in which the Assertion Consumer Service was erroniously referred to as the Attribute Consumer Service
See line 497 of https://www.oasis-open.org/committees/download.php/56783/sstc-saml-profiles-errata-2.0-wd-07-diff.pdf
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 106e93c2..0217a7c2 100644
--- a/README.md
+++ b/README.md
@@ -601,7 +601,7 @@ auth.login()      # Method that builds and sends the AuthNRequest
 
 The ``AuthNRequest`` will be sent signed or unsigned based on the security info of the ``advanced_settings.json`` file (i.e. ``authnRequestsSigned``).
 
-The IdP will then return the SAML Response to the user's client. The client is then forwarded to the **Attribute Consumer Service (ACS)** of the SP with this information.
+The IdP will then return the SAML Response to the user's client. The client is then forwarded to the **Assertion Consumer Service (ACS)** of the SP with this information.
 
 We can set a ``return_to`` url parameter to the login function and that will be converted as a ``RelayState`` parameter:
 
@@ -650,7 +650,7 @@ saml_settings = OneLogin_Saml2_Settings(settings=None, custom_base_path=None, sp
 ```
 to get the settings object and with the ``sp_validation_only=True`` parameter we will avoid the IdP settings validation.
 
-***Attribute Consumer Service (ACS)***
+***Assertion Consumer Service (ACS)***
 
 This code handles the SAML response that the IdP forwards to the SP through the user's client.
 

From c13e998d36171d096518a76b4b6cef048b8ef717 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 19 Nov 2019 21:13:31 +0100
Subject: [PATCH 140/331] Fix failOnAuthnContextMismatch code

---
 README.md                                       | 2 +-
 src/onelogin/saml2/authn_request.py             | 4 +---
 src/onelogin/saml2/response.py                  | 4 ++--
 src/onelogin/saml2/settings.py                  | 1 +
 tests/src/OneLogin/saml2_tests/response_test.py | 2 +-
 5 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 106e93c2..e9e689d2 100644
--- a/README.md
+++ b/README.md
@@ -410,7 +410,7 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         "requestedAuthnContext": true,
 	// Allows the authn comparison parameter to be set, defaults to 'exact' if the setting is not present.
         "requestedAuthnContextComparison": "exact",
-        // Set to true to check that the AuthnContext received matches the one requested.
+        // Set to true to check that the AuthnContext(s) received match(es) the requested.
         "failOnAuthnContextMismatch": false,
 
         // In some environment you will need to set how long the published metadata of the Service Provider gonna be valid.
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 57da1561..73547735 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -95,9 +95,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         requested_authn_context_str = ''
         if security['requestedAuthnContext'] is not False:
-            authn_comparison = 'exact'
-            if 'requestedAuthnContextComparison' in security.keys():
-                authn_comparison = security['requestedAuthnContextComparison']
+            authn_comparison = security['requestedAuthnContextComparison']
 
             if security['requestedAuthnContext'] is True:
                 requested_authn_context_str = """    
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 8aa309c5..83eafe7d 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -166,10 +166,10 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 requested_authn_contexts = security['requestedAuthnContext']
                 if security['failOnAuthnContextMismatch'] and requested_authn_contexts and requested_authn_contexts is not True:
                     authn_contexts = self.get_authn_contexts()
-                    unmatched_contexts = set(requested_authn_contexts).difference(authn_contexts)
+                    unmatched_contexts = set(authn_contexts).difference(requested_authn_contexts)
                     if unmatched_contexts:
                         raise OneLogin_Saml2_ValidationError(
-                            'The AuthnContext "%s" didn\'t include requested context "%s"' % (', '.join(authn_contexts), ', '.join(unmatched_contexts)),
+                            'The AuthnContext "%s" was not a requested context "%s"' % (', '.join(unmatched_contexts), ', '.join(requested_authn_contexts)),
                             OneLogin_Saml2_ValidationError.AUTHN_CONTEXT_MISMATCH
                         )
 
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 5057a5ab..8acee0be 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -310,6 +310,7 @@ def __add_default_values(self):
         self.__sp.setdefault('privateKey', '')
 
         self.__security.setdefault('requestedAuthnContext', True)
+        self.__security.setdefault('requestedAuthnContextComparison', 'exact')
         self.__security.setdefault('failOnAuthnContextMismatch', False)
 
     def check_settings(self, settings):
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 3ce359d9..ad0ef3b8 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1056,7 +1056,7 @@ def testIsInValidAuthenticationContext(self):
         # check that we catch when the contexts don't match
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(request_data))
-        self.assertIn('The AuthnContext "%s" didn\'t include requested context "%s"' % (password_context, two_factor_context), response.get_error())
+        self.assertIn('The AuthnContext "%s" was not a requested context "%s"' % (password_context, two_factor_context), response.get_error())
 
         # now drop in the expected AuthnContextClassRef and see that it passes
         original_message = compat.to_string(OneLogin_Saml2_Utils.b64decode(message))

From 5f162dc9947bb34cd7502177f35e4edbf9a477dd Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 20 Nov 2019 10:20:46 +0100
Subject: [PATCH 141/331] Allow any number of decimal places for seconds on
 SAML datetimes

---
 src/onelogin/saml2/utils.py                  | 17 ++++++++++++++---
 tests/src/OneLogin/saml2_tests/utils_test.py |  8 ++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 4647c230..3045f5fd 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -65,6 +65,10 @@ class OneLogin_Saml2_Utils(object):
     RESPONSE_SIGNATURE_XPATH = '/samlp:Response/ds:Signature'
     ASSERTION_SIGNATURE_XPATH = '/samlp:Response/saml:Assertion/ds:Signature'
 
+    TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
+    TIME_FORMAT_2 = "%Y-%m-%dT%H:%M:%S.%fZ"
+    TIME_FORMAT_WITH_FRAGMENT = re.compile(r'^(\d{4,4}-\d{2,2}-\d{2,2}T\d{2,2}:\d{2,2}:\d{2,2})(\.\d*)?Z?$')
+
     @staticmethod
     def escape_url(url, lowercase_urlencoding=False):
         """
@@ -401,7 +405,7 @@ def parse_time_to_SAML(time):
         :rtype: string
         """
         data = datetime.utcfromtimestamp(float(time))
-        return data.strftime('%Y-%m-%dT%H:%M:%SZ')
+        return data.strftime(OneLogin_Saml2_Utils.TIME_FORMAT)
 
     @staticmethod
     def parse_SAML_to_time(timestr):
@@ -416,9 +420,16 @@ def parse_SAML_to_time(timestr):
         :rtype: int
         """
         try:
-            data = datetime.strptime(timestr, '%Y-%m-%dT%H:%M:%SZ')
+            data = datetime.strptime(timestr, OneLogin_Saml2_Utils.TIME_FORMAT)
         except ValueError:
-            data = datetime.strptime(timestr, '%Y-%m-%dT%H:%M:%S.%fZ')
+            try:
+                data = datetime.strptime(timestr, OneLogin_Saml2_Utils.TIME_FORMAT_2)
+            except ValueError:
+                elem = OneLogin_Saml2_Utils.TIME_FORMAT_WITH_FRAGMENT.match(timestr)
+                if not elem:
+                    raise Exception("time data %s does not match format %s" % (timestr, r'yyyy-mm-ddThh:mm:ss(\.s+)?Z'))
+                data = datetime.strptime(elem.groups()[0] + "Z", OneLogin_Saml2_Utils.TIME_FORMAT)
+
         return calendar.timegm(data.utctimetuple())
 
     @staticmethod
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index 366a125b..597c4852 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -450,6 +450,14 @@ def testParseSAML2Time(self):
         saml_time2 = '2013-12-10T04:39:31.120Z'
         self.assertEqual(time, OneLogin_Saml2_Utils.parse_SAML_to_time(saml_time2))
 
+        # Now test if toolkit supports microseconds
+        saml_time3 = '2013-12-10T04:39:31.120240Z'
+        self.assertEqual(time, OneLogin_Saml2_Utils.parse_SAML_to_time(saml_time3))
+
+        # Now test if toolkit supports nanoseconds
+        saml_time4 = '2013-12-10T04:39:31.120240360Z'
+        self.assertEqual(time, OneLogin_Saml2_Utils.parse_SAML_to_time(saml_time4))
+
     def testParseTime2SAML(self):
         """
         Tests the parse_time_to_SAML method of the OneLogin_Saml2_Utils

From 218cb497950a222b09160edfb888e46b4bef089d Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 20 Nov 2019 13:13:14 +0100
Subject: [PATCH 142/331] Update demos

---
 demo-django/demo/views.py       | 5 +++--
 demo-django/requirements.txt    | 2 +-
 demo-flask/index.py             | 6 ++++++
 demo-flask/requirements.txt     | 2 +-
 demo-flask/templates/index.html | 3 +++
 5 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 4c61e599..c02d226e 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -86,8 +86,7 @@ def index(request):
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
-        else:
-            if auth.get_settings().is_debug_active():
+        elif auth.get_settings().is_debug_active():
                 error_reason = auth.get_last_error_reason()
     elif 'sls' in req['get_data']:
         request_id = None
@@ -101,6 +100,8 @@ def index(request):
                 return HttpResponseRedirect(url)
             else:
                 success_slo = True
+        elif auth.get_settings().is_debug_active():
+            error_reason = auth.get_last_error_reason()
 
     if 'samlUserdata' in request.session:
         paint_logout = True
diff --git a/demo-django/requirements.txt b/demo-django/requirements.txt
index 1aa1df39..a4a895b0 100644
--- a/demo-django/requirements.txt
+++ b/demo-django/requirements.txt
@@ -1,2 +1,2 @@
-Django==1.11
+Django==1.11.26
 python3-saml
diff --git a/demo-flask/index.py b/demo-flask/index.py
index b344da4c..c37dc9c7 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -39,6 +39,7 @@ def index():
     req = prepare_flask_request(request)
     auth = init_saml_auth(req)
     errors = []
+    error_reason = None
     not_auth_warn = False
     success_slo = False
     attributes = False
@@ -86,6 +87,8 @@ def index():
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
                 return redirect(auth.redirect_to(request.form['RelayState']))
+        elif auth.get_settings().is_debug_active():
+                error_reason = auth.get_last_error_reason()
     elif 'sls' in request.args:
         request_id = None
         if 'LogoutRequestID' in session:
@@ -98,6 +101,8 @@ def index():
                 return redirect(url)
             else:
                 success_slo = True
+        elif auth.get_settings().is_debug_active():
+            error_reason = auth.get_last_error_reason()
 
     if 'samlUserdata' in session:
         paint_logout = True
@@ -107,6 +112,7 @@ def index():
     return render_template(
         'index.html',
         errors=errors,
+        error_reason=error_reason,
         not_auth_warn=not_auth_warn,
         success_slo=success_slo,
         attributes=attributes,
diff --git a/demo-flask/requirements.txt b/demo-flask/requirements.txt
index 335836f7..d9340937 100644
--- a/demo-flask/requirements.txt
+++ b/demo-flask/requirements.txt
@@ -1 +1 @@
-flask==0.10.1
+flask==1.0
diff --git a/demo-flask/templates/index.html b/demo-flask/templates/index.html
index ad42cf5c..fd1ff051 100644
--- a/demo-flask/templates/index.html
+++ b/demo-flask/templates/index.html
@@ -10,6 +10,9 @@
           
  • {{err}}
    • 
         {% endfor %}
     
+    {% if error_reason %}
+        {{error_reason}}
+    {% endif %}
   
    
 {% endif %}
 

From 2fdd7ef4bb9291e7e5f61164cb02ab89702f10a9 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 20 Nov 2019 13:16:14 +0100
Subject: [PATCH 143/331] Fix #160. Fix get_attribute docstring

---
 src/onelogin/saml2/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 2a9b7cde..1bf5f8a6 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -315,7 +315,7 @@ def get_attribute(self, name):
         :param name: Name of the attribute
         :type name: string
 
-        :returns: Attribute value if exists or []
+        :returns: Attribute value if exists or None
         :rtype: string
         """
         assert isinstance(name, compat.str_type)

From 4d28828d8d67c4be2f44274e1fdaba3e31d1d0ce Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 20 Nov 2019 17:31:34 +0100
Subject: [PATCH 144/331] Update tornado version. Remove unnecesary doc.
 Improve demo

---
 README.md                         | 29 ++---------------------------
 demo-tornado/requirements.txt     |  9 +--------
 demo-tornado/templates/index.html |  3 +++
 demo-tornado/views.py             | 24 ++++++++++++++++--------
 4 files changed, 22 insertions(+), 43 deletions(-)

diff --git a/README.md b/README.md
index a2d2ec7b..f0e16ff0 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,8 @@ This folder contains a Pyramid project that will be used as demo to show how to
 
 This folder contains a Tornado project that will be used as demo to show how to add SAML support to the Tornado Framework. ``views.py`` (with its ``settings.py``) is the main Flask file that has all the code, this file uses the templates stored at the ``templates`` folder. In the ``saml`` folder we found the ``certs`` folder to store the X.509 public and private key, and the SAML toolkit settings (``settings.json`` and ``advanced_settings.json``).
 
+It requires python3.5 (it's using tornado 6.0.3)
+
 #### setup.py ####
 
 Setup script is the centre of all activity in building, distributing, and installing modules.
@@ -1253,33 +1255,6 @@ First we need to edit the ``saml/settings.json`` file, configure the SP part and
 
 Once the SP is configured, the metadata of the SP is published at the ``/metadata`` url. Based on that info, configure the IdP.
 
-##### Test with keycloack #####
-
-You can test your SP with every compatible IdP, for example Keycloack by Red Hat (Check if you need also authorization and not only authentication )
-
-###### Install Docker ######
-
-Install docker as suggested by [docker guide](https://docs.docker.com/install/linux/docker-ce/ubuntu/) 
-
-###### Keycloack starting ######
-
-First run:
-* docker run --name keycloackContainer -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=H2 jboss/keycloak
-
-After first run:
-* sudo docker start keycloackContainer
-
-Remember to stop keycloack after usage:
-* sudo docker stop keycloackContainer
-
-
-###### Keycloack useful urls ######
-
-* master: http://localhost:8080/auth/admin
-* users: http://localhost:8080/auth/realms/idp_dacd/account/
-* saml request: http://localhost:8080/auth/realms/idp_dacd/protocol/saml
-* metadata: http://localhost:8080/auth/realms/idp_dacd/protocol/saml/descriptor
-
 #### How it works ####
 
 1. First time you access to the main view (http://localhost:8000), you can select to login and return to the same view or login and be redirected to ``/?attrs`` (attrs view).
diff --git a/demo-tornado/requirements.txt b/demo-tornado/requirements.txt
index 66787013..17ee9ac2 100644
--- a/demo-tornado/requirements.txt
+++ b/demo-tornado/requirements.txt
@@ -1,8 +1 @@
-defusedxml==0.5.0
-isodate==0.6.0
-lxml==4.3.3
-pkgconfig==1.5.1
-python3-saml==1.6.0
-six==1.12.0
-tornado==6.0.2
-xmlsec==1.3.3
+tornado==6.0.3
diff --git a/demo-tornado/templates/index.html b/demo-tornado/templates/index.html
index 52bee968..f8dfac0a 100644
--- a/demo-tornado/templates/index.html
+++ b/demo-tornado/templates/index.html
@@ -9,6 +9,9 @@
         {% for err in errors %}
           
  • {{err}}
    • 
         {% end %}
+        {% if error_reason %}
+          {{error_reason}}
+        {% end %}
     
   
    
 {% end %}
diff --git a/demo-tornado/views.py b/demo-tornado/views.py
index 5ac3e03a..ed195fb7 100644
--- a/demo-tornado/views.py
+++ b/demo-tornado/views.py
@@ -31,31 +31,36 @@ class IndexHandler(tornado.web.RequestHandler):
     def post(self):
         req = prepare_tornado_request(self.request)
         auth = init_saml_auth(req)
+        error_reason = None
         attributes = False
         paint_logout = False
+        success_slo = False
 
         auth.process_response()
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
 
         if len(errors) == 0:
-             session['samlUserdata'] = auth.get_attributes()
-             session['samlNameId'] = auth.get_nameid()
-             session['samlSessionIndex'] = auth.get_session_index()
-             self_url = OneLogin_Saml2_Utils.get_self_url(req)
-             if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
+            session['samlUserdata'] = auth.get_attributes()
+            session['samlNameId'] = auth.get_nameid()
+            session['samlSessionIndex'] = auth.get_session_index()
+            self_url = OneLogin_Saml2_Utils.get_self_url(req)
+            if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
                 return self.redirect(self.request.arguments['RelayState'][0].decode('utf-8'))
+        elif auth.get_settings().is_debug_active():
+            error_reason = auth.get_last_error_reason()
 
         if 'samlUserdata' in session:
             paint_logout = True
             if len(session['samlUserdata']) > 0:
                 attributes = session['samlUserdata'].items()
 
-        self.render('index.html',errors=errors,not_auth_warn=not_auth_warn,attributes=attributes,paint_logout=paint_logout)
+        self.render('index.html',errors=errors,error_reason=error_reason,not_auth_warn=not_auth_warn,success_slo=success_slo,attributes=attributes,paint_logout=paint_logout)
 
     def get(self):
         req = prepare_tornado_request(self.request)
         auth = init_saml_auth(req)
+        error_reason = None
         errors = []
         not_auth_warn = False
         success_slo = False
@@ -90,6 +95,8 @@ def get(self):
                 self_url = OneLogin_Saml2_Utils.get_self_url(req)
                 if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
                     return self.redirect(auth.redirect_to(self.request.arguments['RelayState'][0].decode('utf-8')))
+                elif auth.get_settings().is_debug_active():
+                    error_reason = auth.get_last_error_reason()
         elif 'sls' in req['get_data']:
             print('-sls-')
             dscb = lambda: session.clear() ## clear out the session
@@ -100,14 +107,15 @@ def get(self):
                     return self.redirect(url)
                 else:
                     success_slo = True
-
+            elif auth.get_settings().is_debug_active():
+                error_reason = auth.get_last_error_reason()
         if 'samlUserdata' in session:
             print('-samlUserdata-')
             paint_logout = True
             if len(session['samlUserdata']) > 0:
                 attributes = session['samlUserdata'].items()
                 print("ATTRIBUTES", attributes)
-        self.render('index.html',errors=errors,not_auth_warn=not_auth_warn,success_slo=success_slo,attributes=attributes,paint_logout=paint_logout)
+        self.render('index.html',errors=errors,error_reason=error_reason,not_auth_warn=not_auth_warn,success_slo=success_slo,attributes=attributes,paint_logout=paint_logout)
 
 class AttrsHandler(tornado.web.RequestHandler):
     def get(self):

From 4e5eb138183d8d2ae99b1eb3ef9ec9fe43e35cbd Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 20 Nov 2019 18:15:47 +0100
Subject: [PATCH 145/331] Fix flake8

---
 demo-tornado/views.py | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/demo-tornado/views.py b/demo-tornado/views.py
index ed195fb7..6fe72bcd 100644
--- a/demo-tornado/views.py
+++ b/demo-tornado/views.py
@@ -5,18 +5,18 @@
 import tornado.httputil
 
 from onelogin.saml2.auth import OneLogin_Saml2_Auth
-from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
 
-##Global session info
+# Global session info
 session = {}
 
+
 class Application(tornado.web.Application):
     def __init__(self):
         handlers = [
             (r"/", IndexHandler),
             (r"/attrs", AttrsHandler),
-            (r"/metadata",MetadataHandler),
+            (r"/metadata", MetadataHandler),
         ]
         settings = {
             "template_path": Settings.TEMPLATE_PATH,
@@ -55,7 +55,7 @@ def post(self):
             if len(session['samlUserdata']) > 0:
                 attributes = session['samlUserdata'].items()
 
-        self.render('index.html',errors=errors,error_reason=error_reason,not_auth_warn=not_auth_warn,success_slo=success_slo,attributes=attributes,paint_logout=paint_logout)
+        self.render('index.html', errors=errors, error_reason=error_reason, not_auth_warn=not_auth_warn, success_slo=success_slo, attributes=attributes, paint_logout=paint_logout)
 
     def get(self):
         req = prepare_tornado_request(self.request)
@@ -99,7 +99,7 @@ def get(self):
                     error_reason = auth.get_last_error_reason()
         elif 'sls' in req['get_data']:
             print('-sls-')
-            dscb = lambda: session.clear() ## clear out the session
+            dscb = lambda: session.clear()  # clear out the session
             url = auth.process_slo(delete_session_cb=dscb)
             errors = auth.get_errors()
             if len(errors) == 0:
@@ -115,7 +115,8 @@ def get(self):
             if len(session['samlUserdata']) > 0:
                 attributes = session['samlUserdata'].items()
                 print("ATTRIBUTES", attributes)
-        self.render('index.html',errors=errors,error_reason=error_reason,not_auth_warn=not_auth_warn,success_slo=success_slo,attributes=attributes,paint_logout=paint_logout)
+        self.render('index.html', errors=errors, error_reason=error_reason, not_auth_warn=not_auth_warn, success_slo=success_slo, attributes=attributes, paint_logout=paint_logout)
+
 
 class AttrsHandler(tornado.web.RequestHandler):
     def get(self):
@@ -127,27 +128,28 @@ def get(self):
             if len(session['samlUserdata']) > 0:
                 attributes = session['samlUserdata'].items()
 
-        self.render('attrs.html',paint_logout=paint_logout,attributes=attributes)
+        self.render('attrs.html', paint_logout=paint_logout, attributes=attributes)
+
 
 class MetadataHandler(tornado.web.RequestHandler):
     def get(self):
         req = prepare_tornado_request(self.request)
         auth = init_saml_auth(req)
         saml_settings = auth.get_settings()
-        #saml_settings = OneLogin_Saml2_Settings(settings=None, custom_base_path=settings.SAML_FOLDER, sp_validation_only=True)
         metadata = saml_settings.get_sp_metadata()
         errors = saml_settings.validate_metadata(metadata)
 
         if len(errors) == 0:
-            #resp = HttpResponse(content=metadata, content_type='text/xml')
-            self.set_header('Content-Type','text/xml')
+            # resp = HttpResponse(content=metadata, content_type='text/xml')
+            self.set_header('Content-Type', 'text/xml')
             self.write(metadata)
         else:
-            #resp = HttpResponseServerError(content=', '.join(errors))
+            # resp = HttpResponseServerError(content=', '.join(errors))
             self.write(', '.join(errors))
-        #return resp
+        # return resp
 
-def prepare_tornado_request(request):        
+
+def prepare_tornado_request(request):
 
     dataDict = {}
     for key in request.arguments:
@@ -164,6 +166,7 @@ def prepare_tornado_request(request):
     }
     return result
 
+
 def init_saml_auth(req):
     auth = OneLogin_Saml2_Auth(req, custom_base_path=Settings.SAML_PATH)
     return auth

From c660f6f639a783c66f05c003bc2a04ba6b162048 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 20 Nov 2019 18:17:19 +0100
Subject: [PATCH 146/331] Release 1.9.0

---
 changelog.md | 7 +++++--
 setup.py     | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/changelog.md b/changelog.md
index f93b5878..b5e5da52 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,9 @@
 # python3-saml changelog
-### 1.8.1 (unreleased)
-* Do not touch message when validate his signature
+### 1.9.0 (Nov 20, 2019)
+* Allow any number of decimal places for seconds on SAML datetimes
+* Fix failOnAuthnContextMismatch code
+* Improve signature validation when no reference uri
+* Update demo versions. Improve them and add Tornado demo.
 
 ### 1.8.0 (Sep 11, 2019)
 * Set true as the default value for strict setting
diff --git a/setup.py b/setup.py
index cb483f2d..5a928564 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.8.0',
+    version='1.9.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From 57da6e5c0e3a5c90092cd9213a49acd5a6a41b49 Mon Sep 17 00:00:00 2001
From: nirn 
Date: Thu, 19 Dec 2019 11:10:39 +0200
Subject: [PATCH 147/331] Add samlUserdata to demo-flask session

Unlike demo-django, samlUserdata isn't set in demo-flask's session and /attrs/ always lacks attributes.
---
 demo-flask/index.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/demo-flask/index.py b/demo-flask/index.py
index c37dc9c7..b523cb92 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -79,6 +79,7 @@ def index():
         if len(errors) == 0:
             if 'AuthNRequestID' in session:
                 del session['AuthNRequestID']
+            session['samlUserdata'] = auth.get_attributes()
             session['samlNameId'] = auth.get_nameid()
             session['samlNameIdFormat'] = auth.get_nameid_format()
             session['samlNameIdNameQualifier'] = auth.get_nameid_nq()
@@ -88,7 +89,7 @@ def index():
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
                 return redirect(auth.redirect_to(request.form['RelayState']))
         elif auth.get_settings().is_debug_active():
-                error_reason = auth.get_last_error_reason()
+            error_reason = auth.get_last_error_reason()
     elif 'sls' in request.args:
         request_id = None
         if 'LogoutRequestID' in session:

From 0c4f8463b74e77a4032476b74101cebc7f55046d Mon Sep 17 00:00:00 2001
From: Rahul Raina 
Date: Tue, 7 Jan 2020 17:53:28 +0800
Subject: [PATCH 148/331] Adding support to read idp.crt from certs folder

---
 src/onelogin/saml2/settings.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 8acee0be..1d8e9518 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -558,7 +558,12 @@ def get_idp_cert(self):
         :returns: IdP public cert
         :rtype: string
         """
-        return self.__idp.get('x509cert')
+        cert = self.__idp.get('x509cert')
+        cert_file_name = self.__paths['cert'] + 'idp.crt'
+        if not cert and exists(cert_file_name):
+            with open(cert_file_name) as f:
+                cert = f.read()
+        return cert or None
 
     def get_idp_data(self):
         """

From 222620128c48615e37ca3f3dd76866308958043d Mon Sep 17 00:00:00 2001
From: Rahul Raina 
Date: Tue, 7 Jan 2020 18:23:57 +0800
Subject: [PATCH 149/331] Adding tests and new settings file

---
 tests/settings/settings9.json                 | 46 +++++++++++++++++++
 .../src/OneLogin/saml2_tests/settings_test.py | 22 +++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 tests/settings/settings9.json

diff --git a/tests/settings/settings9.json b/tests/settings/settings9.json
new file mode 100644
index 00000000..351c5c95
--- /dev/null
+++ b/tests/settings/settings9.json
@@ -0,0 +1,46 @@
+{
+    "strict": false,
+    "debug": false,
+    "custom_base_path": "../../../tests/data/customPath/",
+    "sp": {
+        "entityId": "http://stuff.com/endpoints/metadata.php",
+        "assertionConsumerService": {
+            "url": "http://stuff.com/endpoints/endpoints/acs.php"
+        },
+        "singleLogoutService": {
+            "url": "http://stuff.com/endpoints/endpoints/sls.php"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "http://idp.example.com/",
+        "singleSignOnService": {
+            "url": "http://idp.example.com/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://idp.example.com/SingleLogoutService.php"
+        }
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 942fdd96..32b037fe 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -222,6 +222,28 @@ def testGetSPKey(self):
         settings_3 = OneLogin_Saml2_Settings(settings_data, custom_base_path=custom_base_path)
         self.assertIsNone(settings_3.get_sp_key())
 
+    def testGetIDPCert(self):
+        """
+        Tests the get_idp_cert method of the OneLogin_Saml2_Settings
+        """
+
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings9.json'))
+        cert = "-----BEGIN CERTIFICATE-----\nMIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC\nTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD\nVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG\n9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4\nMTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi\nZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl\naWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO\nNoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS\nKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d\n1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8\nBUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n\nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar\nQ4/67OZfHd7R+POBXhophSMv1ZOo\n-----END CERTIFICATE-----\n"
+        self.assertEqual(cert, settings.get_idp_cert())
+
+        settings_data = self.loadSettingsJSON()
+
+        settings = OneLogin_Saml2_Settings(settings_data)
+        settings_data['idp']['x509cert'] = cert
+        self.assertEqual(cert, settings.get_sp_cert())
+
+        del settings_data['idp']['x509cert']
+        del settings_data['custom_base_path']
+        custom_base_path = dirname(__file__)
+
+        settings_3 = OneLogin_Saml2_Settings(settings_data, custom_base_path=custom_base_path)
+        self.assertIsNone(settings_3.get_idp_cert())
+
     def testFormatIdPCert(self):
         """
         Tests the format_idp_cert method of the OneLogin_Saml2_Settings

From 7668721e9677f087e256798a97f8c33a46872c69 Mon Sep 17 00:00:00 2001
From: Rahul Raina 
Date: Wed, 8 Jan 2020 14:32:13 +0800
Subject: [PATCH 150/331] Adding helper methods to load idp_cert

---
 src/onelogin/saml2/auth.py                    |  5 +-
 src/onelogin/saml2/logout_request.py          |  2 +-
 src/onelogin/saml2/response.py                |  2 +-
 tests/settings/settings10.json                | 46 +++++++++++++++++++
 .../src/OneLogin/saml2_tests/response_test.py |  6 +--
 5 files changed, 53 insertions(+), 8 deletions(-)
 create mode 100644 tests/settings/settings10.json

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 1bf5f8a6..72d37847 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -605,8 +605,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                 return True
 
             idp_data = self.get_settings().get_idp_data()
-
-            exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert']
+            exists_x509cert = self.get_settings().get_idp_cert() is not None
             exists_multix509sign = 'x509certMulti' in idp_data and \
                 'signing' in idp_data['x509certMulti'] and \
                 idp_data['x509certMulti']['signing']
@@ -646,7 +645,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
                 )
             else:
-                cert = idp_data['x509cert']
+                cert = self.get_settings().get_idp_cert()
 
                 if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
                                                                  OneLogin_Saml2_Utils.b64decode(signature),
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 252726b7..ef4d05e2 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -72,7 +72,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 if exists_multix509enc:
                     cert = idp_data['x509certMulti']['encryption'][0]
                 else:
-                    cert = idp_data['x509cert']
+                    cert = self.__settings.get_idp_cert()
 
             if name_id is not None:
                 if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 83eafe7d..a5004fea 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -293,7 +293,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND
                 )
             else:
-                cert = idp_data.get('x509cert', None)
+                cert  = self.__settings.get_idp_cert()
                 fingerprint = idp_data.get('certFingerprint', None)
                 if fingerprint:
                     fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint)
diff --git a/tests/settings/settings10.json b/tests/settings/settings10.json
new file mode 100644
index 00000000..f118b4d0
--- /dev/null
+++ b/tests/settings/settings10.json
@@ -0,0 +1,46 @@
+{
+    "strict": false,
+    "debug": false,
+    "sp": {
+        "entityId": "http://stuff.com/endpoints/metadata.php",
+        "assertionConsumerService": {
+            "url": "http://stuff.com/endpoints/endpoints/acs.php"
+        },
+        "singleLogoutService": {
+            "url": "http://stuff.com/endpoints/endpoints/sls.php"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "http://idp.example.com/",
+        "singleSignOnService": {
+            "url": "http://idp.example.com/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://idp.example.com/SingleLogoutService.php"
+        },
+        "x509cert": "MIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m"
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index e6641b73..7d9934a1 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1473,7 +1473,7 @@ def testIsValid2(self):
         response_2 = OneLogin_Saml2_Response(settings_2, xml_2)
         self.assertTrue(response_2.is_valid(self.get_request_data()))
 
-        settings_info_3 = self.loadSettingsJSON('settings2.json')
+        settings_info_3 = self.loadSettingsJSON('settings10.json')
         idp_cert = OneLogin_Saml2_Utils.format_cert(settings_info_3['idp']['x509cert'])
         settings_info_3['idp']['certFingerprint'] = OneLogin_Saml2_Utils.calculate_x509_fingerprint(idp_cert)
         settings_info_3['idp']['x509cert'] = ''
@@ -1662,7 +1662,7 @@ def testIsValidSignFingerprint(self):
         self.assertFalse(response_9.is_valid(self.get_request_data()))
 
     def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
-        settings_info = self.loadSettingsJSON()
+        settings_info = self.loadSettingsJSON("settings10.json")
         del settings_info['idp']['x509cert']
         settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)
@@ -1671,7 +1671,7 @@ def testMessageSignedIsValidSignWithEmptyReferenceURI(self):
         self.assertTrue(response.is_valid(self.get_request_data()))
 
     def testAssertionSignedIsValidSignWithEmptyReferenceURI(self):
-        settings_info = self.loadSettingsJSON()
+        settings_info = self.loadSettingsJSON('settings10.json')
         del settings_info['idp']['x509cert']
         settings_info['idp']['certFingerprint'] = "657302a5e11a4794a1e50a705988d66c9377575d"
         settings = OneLogin_Saml2_Settings(settings_info)

From 70c9a50286b014f8bda2124227740ef47a6575fa Mon Sep 17 00:00:00 2001
From: Rahul Raina 
Date: Wed, 8 Jan 2020 14:37:34 +0800
Subject: [PATCH 151/331] Fixing spacing

---
 src/onelogin/saml2/auth.py     | 1 +
 src/onelogin/saml2/response.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 72d37847..e432f769 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -605,6 +605,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                 return True
 
             idp_data = self.get_settings().get_idp_data()
+
             exists_x509cert = self.get_settings().get_idp_cert() is not None
             exists_multix509sign = 'x509certMulti' in idp_data and \
                 'signing' in idp_data['x509certMulti'] and \
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index a5004fea..1e7736a8 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -293,7 +293,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND
                 )
             else:
-                cert  = self.__settings.get_idp_cert()
+                cert = self.__settings.get_idp_cert()
                 fingerprint = idp_data.get('certFingerprint', None)
                 if fingerprint:
                     fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint)

From 08970a9dd1882af3cd5a07720e639700c134d991 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 15 Jan 2020 17:22:40 +0100
Subject: [PATCH 152/331] Fix flake8

---
 demo-tornado/views.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/demo-tornado/views.py b/demo-tornado/views.py
index 6fe72bcd..7d143087 100644
--- a/demo-tornado/views.py
+++ b/demo-tornado/views.py
@@ -171,6 +171,7 @@ def init_saml_auth(req):
     auth = OneLogin_Saml2_Auth(req, custom_base_path=Settings.SAML_PATH)
     return auth
 
+
 if __name__ == "__main__":
     app = Application()
     http_server = tornado.httpserver.HTTPServer(app)

From 6f8ca9c1f628db3a818312e678d5c2c108efbe9c Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 15 Jan 2020 18:30:29 +0100
Subject: [PATCH 153/331] Fix tests

---
 src/onelogin/saml2/settings.py                  |  2 +-
 tests/data/customPath/certs/idp.crt             | 16 ++++++++++++++++
 tests/src/OneLogin/saml2_tests/settings_test.py |  4 ++--
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 tests/data/customPath/certs/idp.crt

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 1d8e9518..404024ab 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -559,7 +559,7 @@ def get_idp_cert(self):
         :rtype: string
         """
         cert = self.__idp.get('x509cert')
-        cert_file_name = self.__paths['cert'] + 'idp.crt'
+        cert_file_name = self.get_cert_path() + 'idp.crt'
         if not cert and exists(cert_file_name):
             with open(cert_file_name) as f:
                 cert = f.read()
diff --git a/tests/data/customPath/certs/idp.crt b/tests/data/customPath/certs/idp.crt
new file mode 100644
index 00000000..483db3ce
--- /dev/null
+++ b/tests/data/customPath/certs/idp.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
+Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
+VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
+9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
+MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
+ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
+aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
+NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
+KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
+1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
+BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
+bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
+Q4/67OZfHd7R+POBXhophSMv1ZOo
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 32b037fe..837af55f 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -228,14 +228,14 @@ def testGetIDPCert(self):
         """
 
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings9.json'))
-        cert = "-----BEGIN CERTIFICATE-----\nMIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC\nTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD\nVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG\n9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4\nMTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi\nZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl\naWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO\nNoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS\nKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d\n1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8\nBUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n\nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar\nQ4/67OZfHd7R+POBXhophSMv1ZOo\n-----END CERTIFICATE-----\n"
+        cert = "-----BEGIN CERTIFICATE-----\nMIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC\nTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD\nVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG\n9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4\nMTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi\nZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl\naWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO\nNoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS\nKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d\n1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8\nBUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n\nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar\nQ4/67OZfHd7R+POBXhophSMv1ZOo\n-----END CERTIFICATE-----"
         self.assertEqual(cert, settings.get_idp_cert())
 
         settings_data = self.loadSettingsJSON()
 
         settings = OneLogin_Saml2_Settings(settings_data)
         settings_data['idp']['x509cert'] = cert
-        self.assertEqual(cert, settings.get_sp_cert())
+        self.assertEqual(cert, settings.get_idp_cert())
 
         del settings_data['idp']['x509cert']
         del settings_data['custom_base_path']

From 589425d1fbd2161ce2a566dfcb92835a221a3541 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 21 Feb 2020 10:47:09 +0100
Subject: [PATCH 154/331] Add sha256 instead sha1 algorithm for sign/digest as
 recommended value on documentation and settings

---
 README.md                                             | 4 ++--
 demo-django/saml/advanced_settings.json               | 4 ++--
 demo-flask/saml/advanced_settings.json                | 4 ++--
 demo-tornado/saml/advanced_settings.json              | 4 ++--
 demo_pyramid/demo_pyramid/saml/advanced_settings.json | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index f0e16ff0..97f43add 100644
--- a/README.md
+++ b/README.md
@@ -431,14 +431,14 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
 
         // Algorithm that the toolkit will use on digest process. Options:
         //    'http://www.w3.org/2000/09/xmldsig#sha1'
         //    'http://www.w3.org/2001/04/xmlenc#sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
         //    'http://www.w3.org/2001/04/xmlenc#sha512'
-        'digestAlgorithm': "http://www.w3.org/2000/09/xmldsig#sha1"
+        'digestAlgorithm': "http://www.w3.org/2001/04/xmlenc#sha256"
     },
 
     // Contact information template, it is recommended to suply a
diff --git a/demo-django/saml/advanced_settings.json b/demo-django/saml/advanced_settings.json
index 3115e17e..1307b0ae 100644
--- a/demo-django/saml/advanced_settings.json
+++ b/demo-django/saml/advanced_settings.json
@@ -10,8 +10,8 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
     "contactPerson": {
         "technical": {
diff --git a/demo-flask/saml/advanced_settings.json b/demo-flask/saml/advanced_settings.json
index 3115e17e..1307b0ae 100644
--- a/demo-flask/saml/advanced_settings.json
+++ b/demo-flask/saml/advanced_settings.json
@@ -10,8 +10,8 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
     "contactPerson": {
         "technical": {
diff --git a/demo-tornado/saml/advanced_settings.json b/demo-tornado/saml/advanced_settings.json
index 3115e17e..1307b0ae 100644
--- a/demo-tornado/saml/advanced_settings.json
+++ b/demo-tornado/saml/advanced_settings.json
@@ -10,8 +10,8 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
     "contactPerson": {
         "technical": {
diff --git a/demo_pyramid/demo_pyramid/saml/advanced_settings.json b/demo_pyramid/demo_pyramid/saml/advanced_settings.json
index 3115e17e..1307b0ae 100644
--- a/demo_pyramid/demo_pyramid/saml/advanced_settings.json
+++ b/demo_pyramid/demo_pyramid/saml/advanced_settings.json
@@ -10,8 +10,8 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
-        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
     "contactPerson": {
         "technical": {

From 802c6121b6ae97cbf063cfe04d579753dff6b23a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 5 Jun 2020 17:32:18 +0000
Subject: [PATCH 155/331] Bump django from 1.11.26 to 1.11.29 in /demo-django

Bumps [django](https://github.com/django/django) from 1.11.26 to 1.11.29.
- [Release notes](https://github.com/django/django/releases)
- [Commits](https://github.com/django/django/compare/1.11.26...1.11.29)

Signed-off-by: dependabot[bot] 
---
 demo-django/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-django/requirements.txt b/demo-django/requirements.txt
index a4a895b0..46ceaced 100644
--- a/demo-django/requirements.txt
+++ b/demo-django/requirements.txt
@@ -1,2 +1,2 @@
-Django==1.11.26
+Django==1.11.29
 python3-saml

From b192e2a3585bdf24a461c76aa8fe6da2952340c1 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Fri, 21 Aug 2020 16:22:32 +0300
Subject: [PATCH 156/331] Add
 OneLogin_Saml2_Authn_Request._generate_request_id() override point

Refs https://github.com/onelogin/python3-saml/issues/208#issuecomment-678099281
---
 src/onelogin/saml2/authn_request.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 73547735..ef9ed603 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -47,8 +47,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
         idp_data = self.__settings.get_idp_data()
         security = self.__settings.get_security_data()
 
-        uid = OneLogin_Saml2_Utils.generate_unique_id()
-        self.__id = uid
+        self.__id = self._generate_request_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
 
         destination = idp_data['singleSignOnService']['url']
@@ -113,7 +112,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         request = OneLogin_Saml2_Templates.AUTHN_REQUEST % \
             {
-                'id': uid,
+                'id': self.__id,
                 'provider_name': provider_name_str,
                 'force_authn_str': force_authn_str,
                 'is_passive_str': is_passive_str,
@@ -129,6 +128,14 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         self.__authn_request = request
 
+    def _generate_request_id(self):
+        """
+        Generate an unique request ID.
+
+        You can override this in a subclass.
+        """
+        return OneLogin_Saml2_Utils.generate_unique_id()
+
     def get_request(self, deflate=True):
         """
         Returns unsigned AuthnRequest.

From 53db80de9e4d853742565e500f640bfcb01ad295 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Fri, 21 Aug 2020 16:27:15 +0300
Subject: [PATCH 157/331] Make request/response/metadata classes overridable by
 subclassing

---
 src/onelogin/saml2/auth.py     | 17 +++++++++++------
 src/onelogin/saml2/settings.py | 10 ++++++----
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index e432f769..cd7c1607 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -34,6 +34,11 @@ class OneLogin_Saml2_Auth(object):
     SAML Response, a Logout Request or a Logout Response).
     """
 
+    authn_request_class = OneLogin_Saml2_Authn_Request
+    logout_request_class = OneLogin_Saml2_Logout_Request
+    logout_response_class = OneLogin_Saml2_Logout_Response
+    response_class = OneLogin_Saml2_Response
+
     def __init__(self, request_data, old_settings=None, custom_base_path=None):
         """
         Initializes the SP SAML instance.
@@ -102,7 +107,7 @@ def process_response(self, request_id=None):
 
         if 'post_data' in self.__request_data and 'SAMLResponse' in self.__request_data['post_data']:
             # AuthnResponse -- HTTP_POST Binding
-            response = OneLogin_Saml2_Response(self.__settings, self.__request_data['post_data']['SAMLResponse'])
+            response = self.response_class(self.__settings, self.__request_data['post_data']['SAMLResponse'])
             self.__last_response = response.get_xml_document()
 
             if response.is_valid(self.__request_data, request_id):
@@ -147,7 +152,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 
         get_data = 'get_data' in self.__request_data and self.__request_data['get_data']
         if get_data and 'SAMLResponse' in get_data:
-            logout_response = OneLogin_Saml2_Logout_Response(self.__settings, get_data['SAMLResponse'])
+            logout_response = self.logout_response_class(self.__settings, get_data['SAMLResponse'])
             self.__last_response = logout_response.get_xml()
             if not self.validate_response_signature(get_data):
                 self.__errors.append('invalid_logout_response_signature')
@@ -163,7 +168,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                     OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
 
         elif get_data and 'SAMLRequest' in get_data:
-            logout_request = OneLogin_Saml2_Logout_Request(self.__settings, get_data['SAMLRequest'])
+            logout_request = self.logout_request_class(self.__settings, get_data['SAMLRequest'])
             self.__last_request = logout_request.get_xml()
             if not self.validate_request_signature(get_data):
                 self.__errors.append("invalid_logout_request_signature")
@@ -177,7 +182,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 
                 in_response_to = logout_request.id
                 self.__last_message_id = logout_request.id
-                response_builder = OneLogin_Saml2_Logout_Response(self.__settings)
+                response_builder = self.logout_response_class(self.__settings)
                 response_builder.build(in_response_to)
                 self.__last_response = response_builder.get_xml()
                 logout_response = response_builder.get_response()
@@ -371,7 +376,7 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
         :returns: Redirection URL
         :rtype: string
         """
-        authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive, set_nameid_policy, name_id_value_req)
+        authn_request = self.authn_request_class(self.__settings, force_authn, is_passive, set_nameid_policy, name_id_value_req)
         self.__last_request = authn_request.get_xml()
         self.__last_request_id = authn_request.get_id()
 
@@ -425,7 +430,7 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name
         if name_id_format is None and self.__nameid_format is not None:
             name_id_format = self.__nameid_format
 
-        logout_request = OneLogin_Saml2_Logout_Request(
+        logout_request = self.logout_request_class(
             self.__settings,
             name_id=name_id,
             session_index=session_index,
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 404024ab..6df22432 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -66,6 +66,8 @@ class OneLogin_Saml2_Settings(object):
 
     """
 
+    metadata_class = OneLogin_Saml2_Metadata
+
     def __init__(self, settings=None, custom_base_path=None, sp_validation_only=False):
         """
         Initializes the settings:
@@ -616,7 +618,7 @@ def get_sp_metadata(self):
         :returns: SP metadata (xml)
         :rtype: string
         """
-        metadata = OneLogin_Saml2_Metadata.builder(
+        metadata = self.metadata_class.builder(
             self.__sp, self.__security['authnRequestsSigned'],
             self.__security['wantAssertionsSigned'],
             self.__security['metadataValidUntil'],
@@ -627,10 +629,10 @@ def get_sp_metadata(self):
         add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
 
         cert_new = self.get_sp_cert_new()
-        metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert_new, add_encryption)
+        metadata = self.metadata_class.add_x509_key_descriptors(metadata, cert_new, add_encryption)
 
         cert = self.get_sp_cert()
-        metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert, add_encryption)
+        metadata = self.metadata_class.add_x509_key_descriptors(metadata, cert, add_encryption)
 
         # Sign metadata
         if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
@@ -684,7 +686,7 @@ def get_sp_metadata(self):
             signature_algorithm = self.__security['signatureAlgorithm']
             digest_algorithm = self.__security['digestAlgorithm']
 
-            metadata = OneLogin_Saml2_Metadata.sign_metadata(metadata, key_metadata, cert_metadata, signature_algorithm, digest_algorithm)
+            metadata = self.metadata_class.sign_metadata(metadata, key_metadata, cert_metadata, signature_algorithm, digest_algorithm)
 
         return metadata
 

From ca04d1d92864726c7b8594f2dd357e4b839dbeb1 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Sat, 22 Aug 2020 13:34:54 +0300
Subject: [PATCH 158/331] Make some staticmethods classmethods instead

---
 src/onelogin/saml2/idp_metadata_parser.py | 15 ++++++++-------
 src/onelogin/saml2/logout_request.py      | 14 +++++++-------
 src/onelogin/saml2/metadata.py            | 16 ++++++++--------
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 88411f45..1172bd06 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -25,8 +25,8 @@ class OneLogin_Saml2_IdPMetadataParser(object):
     A class that contain methods related to obtaining and parsing metadata from IdP
     """
 
-    @staticmethod
-    def get_metadata(url, validate_cert=True):
+    @classmethod
+    def get_metadata(cls, url, validate_cert=True):
         """
         Gets the metadata XML from the provided URL
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -63,8 +63,8 @@ def get_metadata(url, validate_cert=True):
 
         return xml
 
-    @staticmethod
-    def parse_remote(url, validate_cert=True, entity_id=None, **kwargs):
+    @classmethod
+    def parse_remote(cls, url, validate_cert=True, entity_id=None, **kwargs):
         """
         Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -80,11 +80,12 @@ def parse_remote(url, validate_cert=True, entity_id=None, **kwargs):
         :returns: settings dict with extracted data
         :rtype: dict
         """
-        idp_metadata = OneLogin_Saml2_IdPMetadataParser.get_metadata(url, validate_cert)
-        return OneLogin_Saml2_IdPMetadataParser.parse(idp_metadata, entity_id=entity_id, **kwargs)
+        idp_metadata = cls.get_metadata(url, validate_cert)
+        return cls.parse(idp_metadata, entity_id=entity_id, **kwargs)
 
-    @staticmethod
+    @classmethod
     def parse(
+            cls,
             idp_metadata,
             required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT,
             required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT,
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index ef4d05e2..cd59e368 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -203,8 +203,8 @@ def get_nameid_data(request, key=None):
 
         return name_id_data
 
-    @staticmethod
-    def get_nameid(request, key=None):
+    @classmethod
+    def get_nameid(cls, request, key=None):
         """
         Gets the NameID of the Logout Request Message
         :param request: Logout Request Message
@@ -214,11 +214,11 @@ def get_nameid(request, key=None):
         :return: Name ID Value
         :rtype: string
         """
-        name_id = OneLogin_Saml2_Logout_Request.get_nameid_data(request, key)
+        name_id = cls.get_nameid_data(request, key)
         return name_id['Value']
 
-    @staticmethod
-    def get_nameid_format(request, key=None):
+    @classmethod
+    def get_nameid_format(cls, request, key=None):
         """
         Gets the NameID Format of the Logout Request Message
         :param request: Logout Request Message
@@ -229,7 +229,7 @@ def get_nameid_format(request, key=None):
         :rtype: string
         """
         name_id_format = None
-        name_id_data = OneLogin_Saml2_Logout_Request.get_nameid_data(request, key)
+        name_id_data = cls.get_nameid_data(request, key)
         if name_id_data and 'Format' in name_id_data.keys():
             name_id_format = name_id_data['Format']
         return name_id_format
@@ -326,7 +326,7 @@ def is_valid(self, request_data, raise_exceptions=False):
                             )
 
                 # Check issuer
-                issuer = OneLogin_Saml2_Logout_Request.get_issuer(root)
+                issuer = self.get_issuer(root)
                 if issuer is not None and issuer != idp_entity_id:
                     raise OneLogin_Saml2_ValidationError(
                         'Invalid issuer in the Logout Request (expected %(idpEntityId)s, got %(issuer)s)' %
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 0aab105c..9528b0e8 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -34,8 +34,8 @@ class OneLogin_Saml2_Metadata(object):
     TIME_VALID = 172800   # 2 days
     TIME_CACHED = 604800  # 1 week
 
-    @staticmethod
-    def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None):
+    @classmethod
+    def builder(cls, sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None):
         """
         Builds the metadata of the SP
 
@@ -61,7 +61,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
         :type organization: dict
         """
         if valid_until is None:
-            valid_until = int(time()) + OneLogin_Saml2_Metadata.TIME_VALID
+            valid_until = int(time()) + cls.TIME_VALID
         if not isinstance(valid_until, basestring):
             if isinstance(valid_until, datetime):
                 valid_until_time = valid_until.timetuple()
@@ -72,7 +72,7 @@ def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=N
             valid_until_str = valid_until
 
         if cache_duration is None:
-            cache_duration = OneLogin_Saml2_Metadata.TIME_CACHED
+            cache_duration = cls.TIME_CACHED
         if not isinstance(cache_duration, compat.str_type):
             cache_duration_str = 'PT%sS' % cache_duration  # Period of Time x Seconds
         else:
@@ -228,8 +228,8 @@ def __add_x509_key_descriptors(root, cert, signing):
         x509_certificate.text = OneLogin_Saml2_Utils.format_cert(cert, False)
         key_descriptor.set('use', ('encryption', 'signing')[signing])
 
-    @staticmethod
-    def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
+    @classmethod
+    def add_x509_key_descriptors(cls, metadata, cert=None, add_encryption=True):
         """
         Adds the x509 descriptors (sign/encryption) to the metadata
         The same cert will be used for sign/encrypt
@@ -260,6 +260,6 @@ def add_x509_key_descriptors(metadata, cert=None, add_encryption=True):
             raise Exception('Malformed metadata.')
 
         if add_encryption:
-            OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, False)
-        OneLogin_Saml2_Metadata.__add_x509_key_descriptors(sp_sso_descriptor, cert, True)
+            cls.__add_x509_key_descriptors(sp_sso_descriptor, cert, False)
+        cls.__add_x509_key_descriptors(sp_sso_descriptor, cert, True)
         return OneLogin_Saml2_XML.to_string(root)

From 468c747338f7fe2a7549382bc2fd294282658686 Mon Sep 17 00:00:00 2001
From: Florian Best 
Date: Wed, 4 Nov 2020 15:38:06 +0100
Subject: [PATCH 159/331] tornado-demo: Fix autoreloading

---
 demo-tornado/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-tornado/views.py b/demo-tornado/views.py
index 7d143087..70cfea68 100644
--- a/demo-tornado/views.py
+++ b/demo-tornado/views.py
@@ -21,7 +21,7 @@ def __init__(self):
         settings = {
             "template_path": Settings.TEMPLATE_PATH,
             "saml_path": Settings.SAML_PATH,
-            "autorealod": True,
+            "autoreload": True,
             "debug": True
         }
         tornado.web.Application.__init__(self, handlers, **settings)

From 51da7ec96414f4387c430f36e1584e1f1fabe936 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 24 Nov 2020 18:08:37 +0100
Subject: [PATCH 160/331] Fix #225 Fix  get_session_expiration signature

---
 src/onelogin/saml2/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index e432f769..76a79272 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -279,7 +279,7 @@ def get_session_expiration(self):
         """
         Returns the SessionNotOnOrAfter from the AuthnStatement.
         :returns: The SessionNotOnOrAfter of the assertion
-        :rtype: DateTime|None
+        :rtype: unix/posix timestamp|None
         """
         return self.__session_expiration
 

From 082dfc75ceadaf317f9b8c66bdcec3a35f4105a2 Mon Sep 17 00:00:00 2001
From: BeritJanssen 
Date: Thu, 3 Dec 2020 12:45:13 +0100
Subject: [PATCH 161/331] adding returnUrl parameter to singleLogoutService of
 IdP

---
 README.md                             |  3 +++
 src/onelogin/saml2/auth.py            | 12 +++++++++++-
 src/onelogin/saml2/logout_response.py |  3 ++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 97f43add..c172f276 100644
--- a/README.md
+++ b/README.md
@@ -304,6 +304,9 @@ This is the ``settings.json`` file:
         "singleLogoutService": {
             // URL Location of the IdP where SLO Request will be sent.
             "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
+            // URL Location where the  from the SP will returned (after IdP-initiated logout)
+            // OPTIONAL: only specify if different from url parameter 
+            "returnUrl": "/slo_return/"
             // SAML protocol binding to be used when returning the 
             // message. OneLogin Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 76a79272..37aada61 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -190,7 +190,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                 if security['logoutResponseSigned']:
                     self.add_response_signature(parameters, security['signatureAlgorithm'])
 
-                return self.redirect_to(self.get_slo_url(), parameters)
+                return self.redirect_to(self.get_slo_return_url(), parameters)
         else:
             self.__errors.append('invalid_binding')
             raise OneLogin_Saml2_Error(
@@ -468,6 +468,16 @@ def get_slo_url(self):
         if 'url' in idp_data['singleLogoutService']:
             return idp_data['singleLogoutService']['url']
 
+    def get_return_slo_url(self):
+        """
+        Gets the SLO return URL for IdP-initiated logout.
+
+        :returns: an URL, the SLO return endpoint of the IdP
+        :rtype: string
+        """
+        slo_data = self.__settings.get_idp_data()['singeLogoutService']
+        return slo_data.get('returnUrl', self.get_slo_url())
+
     def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Builds the Signature of the SAML Request.
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 6dd0a6d8..8400818d 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -162,12 +162,13 @@ def build(self, in_response_to):
 
         uid = OneLogin_Saml2_Utils.generate_unique_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
+        destination = idp_data['singeLogoutService'].get('returnUrl', idp_data['singeLogoutService']['url'])
 
         logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % \
             {
                 'id': uid,
                 'issue_instant': issue_instant,
-                'destination': idp_data['singleLogoutService']['url'],
+                'destination': destination,
                 'in_response_to': in_response_to,
                 'entity_id': sp_data['entityId'],
                 'status': "urn:oasis:names:tc:SAML:2.0:status:Success"

From b7402c0029d63e6a7fecb9955bc33d5b10b33fac Mon Sep 17 00:00:00 2001
From: BeritJanssen 
Date: Thu, 3 Dec 2020 13:06:45 +0100
Subject: [PATCH 162/331] correct typo

---
 README.md                             | 2 +-
 src/onelogin/saml2/auth.py            | 2 +-
 src/onelogin/saml2/logout_response.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index c172f276..6d3602d4 100644
--- a/README.md
+++ b/README.md
@@ -306,7 +306,7 @@ This is the ``settings.json`` file:
             "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
             // URL Location where the  from the SP will returned (after IdP-initiated logout)
             // OPTIONAL: only specify if different from url parameter 
-            "returnUrl": "/slo_return/"
+            "returnUrl": "https://app.onelogin.com/trust/saml2/http-redirect/slo_return/"
             // SAML protocol binding to be used when returning the 
             // message. OneLogin Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 37aada61..cd8d1624 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -475,7 +475,7 @@ def get_return_slo_url(self):
         :returns: an URL, the SLO return endpoint of the IdP
         :rtype: string
         """
-        slo_data = self.__settings.get_idp_data()['singeLogoutService']
+        slo_data = self.__settings.get_idp_data()['singleLogoutService']
         return slo_data.get('returnUrl', self.get_slo_url())
 
     def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 8400818d..bb5c3fbb 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -162,7 +162,7 @@ def build(self, in_response_to):
 
         uid = OneLogin_Saml2_Utils.generate_unique_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
-        destination = idp_data['singeLogoutService'].get('returnUrl', idp_data['singeLogoutService']['url'])
+        destination = idp_data['singleLogoutService'].get('returnUrl', idp_data['singleLogoutService']['url'])
 
         logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % \
             {

From da8a673b6c19892348d1e86e0a5b3fbd68360414 Mon Sep 17 00:00:00 2001
From: BeritJanssen 
Date: Thu, 3 Dec 2020 13:13:12 +0100
Subject: [PATCH 163/331] correct function name

---
 src/onelogin/saml2/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index cd8d1624..ac79fb7b 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -468,7 +468,7 @@ def get_slo_url(self):
         if 'url' in idp_data['singleLogoutService']:
             return idp_data['singleLogoutService']['url']
 
-    def get_return_slo_url(self):
+    def get_slo_return_url(self):
         """
         Gets the SLO return URL for IdP-initiated logout.
 

From 90835cdbbe787c0fae0a378a66da1800952085c4 Mon Sep 17 00:00:00 2001
From: BeritJanssen 
Date: Thu, 3 Dec 2020 14:17:16 +0100
Subject: [PATCH 164/331] test implemented

---
 tests/settings/settings1.json               |  3 ++-
 tests/src/OneLogin/saml2_tests/auth_test.py | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/tests/settings/settings1.json b/tests/settings/settings1.json
index 69d7d25e..276a8964 100644
--- a/tests/settings/settings1.json
+++ b/tests/settings/settings1.json
@@ -18,7 +18,8 @@
             "url": "http://idp.example.com/SSOService.php"
         },
         "singleLogoutService": {
-            "url": "http://idp.example.com/SingleLogoutService.php"
+            "url": "http://idp.example.com/SingleLogoutService.php",
+            "returnUrl": "http://idp.example.com/SingleLogoutReturn.php"
         },
         "x509cert": "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo"
     },
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index c7c391c7..b78ecdfb 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -87,6 +87,21 @@ def testGetSLOurl(self):
         slo_url = settings_info['idp']['singleLogoutService']['url']
         self.assertEqual(auth.get_slo_url(), slo_url)
 
+    def testGetSLOReturnUrl(self):
+        """
+        Tests the get_slo_return_url method of the OneLogin_Saml2_Auth class
+        """
+        settings_info = self.loadSettingsJSON()
+        auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        slo_url = settings_info['idp']['singleLogoutService']['returnUrl']
+        self.assertEqual(auth.get_slo_return_url(), slo_url)
+        # test that the function falls back to the url setting if returnUrl is not set
+        settings_info['idp']['singleLogoutService'].pop('returnUrl')
+        auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
+        slo_url = settings_info['idp']['singleLogoutService']['url']
+        self.assertEqual(auth.get_slo_return_url(), slo_url)
+
+
     def testGetSessionIndex(self):
         """
         Tests the get_session_index method of the OneLogin_Saml2_Auth class

From b266fd5a2f475a2b0abcf63a935a06cea855bbb6 Mon Sep 17 00:00:00 2001
From: BeritJanssen 
Date: Thu, 3 Dec 2020 14:44:01 +0100
Subject: [PATCH 165/331] fixed tests

---
 tests/settings/settings1.json               | 3 +--
 tests/src/OneLogin/saml2_tests/auth_test.py | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/settings/settings1.json b/tests/settings/settings1.json
index 276a8964..69d7d25e 100644
--- a/tests/settings/settings1.json
+++ b/tests/settings/settings1.json
@@ -18,8 +18,7 @@
             "url": "http://idp.example.com/SSOService.php"
         },
         "singleLogoutService": {
-            "url": "http://idp.example.com/SingleLogoutService.php",
-            "returnUrl": "http://idp.example.com/SingleLogoutReturn.php"
+            "url": "http://idp.example.com/SingleLogoutService.php"
         },
         "x509cert": "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo"
     },
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index b78ecdfb..8ca6c814 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -92,6 +92,7 @@ def testGetSLOReturnUrl(self):
         Tests the get_slo_return_url method of the OneLogin_Saml2_Auth class
         """
         settings_info = self.loadSettingsJSON()
+        settings_info['idp']['singleLogoutService']['returnUrl'] = "http://idp.example.com/SingleLogoutReturn.php"
         auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
         slo_url = settings_info['idp']['singleLogoutService']['returnUrl']
         self.assertEqual(auth.get_slo_return_url(), slo_url)

From ae5cae2524a04c47f78c3994c2a463e1a225f1e9 Mon Sep 17 00:00:00 2001
From: BeritJanssen 
Date: Thu, 3 Dec 2020 14:54:26 +0100
Subject: [PATCH 166/331] rename returnUrl to responseUrl

---
 README.md                                   |  2 +-
 src/onelogin/saml2/auth.py                  |  6 +++---
 src/onelogin/saml2/logout_response.py       |  2 +-
 tests/src/OneLogin/saml2_tests/auth_test.py | 16 ++++++++--------
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 6d3602d4..8e3ccbec 100644
--- a/README.md
+++ b/README.md
@@ -306,7 +306,7 @@ This is the ``settings.json`` file:
             "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
             // URL Location where the  from the SP will returned (after IdP-initiated logout)
             // OPTIONAL: only specify if different from url parameter 
-            "returnUrl": "https://app.onelogin.com/trust/saml2/http-redirect/slo_return/"
+            "responseUrl": "https://app.onelogin.com/trust/saml2/http-redirect/slo_return/"
             // SAML protocol binding to be used when returning the 
             // message. OneLogin Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index ac79fb7b..041f9445 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -190,7 +190,7 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                 if security['logoutResponseSigned']:
                     self.add_response_signature(parameters, security['signatureAlgorithm'])
 
-                return self.redirect_to(self.get_slo_return_url(), parameters)
+                return self.redirect_to(self.get_slo_response_url(), parameters)
         else:
             self.__errors.append('invalid_binding')
             raise OneLogin_Saml2_Error(
@@ -468,7 +468,7 @@ def get_slo_url(self):
         if 'url' in idp_data['singleLogoutService']:
             return idp_data['singleLogoutService']['url']
 
-    def get_slo_return_url(self):
+    def get_slo_response_url(self):
         """
         Gets the SLO return URL for IdP-initiated logout.
 
@@ -476,7 +476,7 @@ def get_slo_return_url(self):
         :rtype: string
         """
         slo_data = self.__settings.get_idp_data()['singleLogoutService']
-        return slo_data.get('returnUrl', self.get_slo_url())
+        return slo_data.get('responseUrl', self.get_slo_url())
 
     def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index bb5c3fbb..7ce7f97d 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -162,7 +162,7 @@ def build(self, in_response_to):
 
         uid = OneLogin_Saml2_Utils.generate_unique_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
-        destination = idp_data['singleLogoutService'].get('returnUrl', idp_data['singleLogoutService']['url'])
+        destination = idp_data['singleLogoutService'].get('responseUrl', idp_data['singleLogoutService']['url'])
 
         logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % \
             {
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 8ca6c814..dcb35f72 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -87,20 +87,20 @@ def testGetSLOurl(self):
         slo_url = settings_info['idp']['singleLogoutService']['url']
         self.assertEqual(auth.get_slo_url(), slo_url)
 
-    def testGetSLOReturnUrl(self):
+    def testGetSLOresponseUrl(self):
         """
-        Tests the get_slo_return_url method of the OneLogin_Saml2_Auth class
+        Tests the get_slo_response_url method of the OneLogin_Saml2_Auth class
         """
         settings_info = self.loadSettingsJSON()
-        settings_info['idp']['singleLogoutService']['returnUrl'] = "http://idp.example.com/SingleLogoutReturn.php"
+        settings_info['idp']['singleLogoutService']['responseUrl'] = "http://idp.example.com/SingleLogoutReturn.php"
         auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
-        slo_url = settings_info['idp']['singleLogoutService']['returnUrl']
-        self.assertEqual(auth.get_slo_return_url(), slo_url)
-        # test that the function falls back to the url setting if returnUrl is not set
-        settings_info['idp']['singleLogoutService'].pop('returnUrl')
+        slo_url = settings_info['idp']['singleLogoutService']['responseUrl']
+        self.assertEqual(auth.get_slo_response_url(), slo_url)
+        # test that the function falls back to the url setting if responseUrl is not set
+        settings_info['idp']['singleLogoutService'].pop('responseUrl')
         auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings_info)
         slo_url = settings_info['idp']['singleLogoutService']['url']
-        self.assertEqual(auth.get_slo_return_url(), slo_url)
+        self.assertEqual(auth.get_slo_response_url(), slo_url)
 
 
     def testGetSessionIndex(self):

From d6385fb25f3978b13cb0a563b9294e6c303d70e3 Mon Sep 17 00:00:00 2001
From: "Volm, David" 
Date: Thu, 3 Dec 2020 10:19:12 -0600
Subject: [PATCH 167/331] Optionally set request.scheme based on
 X-Forwarded-Proto header in demo_pyramid

---
 demo_pyramid/demo_pyramid/views.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index 86814a99..b393f14d 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -16,6 +16,10 @@ def init_saml_auth(req):
 
 def prepare_pyramid_request(request):
     # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
+
+    if 'X-Forwarded-Proto' in request.headers:
+        request.scheme = request.headers['X-Forwarded-Proto']
+
     return {
         'https': 'on' if request.scheme == 'https' else 'off',
         'http_host': request.host,

From f11d48f5a8df7224a951fd3f67818d844a0411ae Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Tue, 8 Dec 2020 13:59:30 -0600
Subject: [PATCH 168/331] Resolved issue 226 with testing

---
 src/onelogin/saml2/response.py                | 12 +++-
 .../src/OneLogin/saml2_tests/response_test.py | 60 ++++++++++++++++++-
 2 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 1e7736a8..a40ab7e6 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -10,6 +10,7 @@
 """
 
 from copy import deepcopy
+from urllib.parse import urlsplit, urlunsplit
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError, return_false_on_exception
 from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
@@ -191,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks destination
                 destination = self.document.get('Destination', None)
                 if destination:
-                    if not destination.startswith(current_url):
+                    if not self.__standardize_url(destination).startswith(self.__standardize_url(current_url)):
                         # TODO: Review if following lines are required, since we can control the
                         # request_data
                         #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
@@ -865,6 +866,15 @@ def __decrypt_assertion(self, xml):
                 decrypted = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key, debug=debug, inplace=True)
                 xml.replace(encrypted_assertion_nodes[0], decrypted)
         return xml
+            
+    def __standardize_url(self, url):
+        try:
+            parsed = list(urlsplit(url))
+            parsed[1] = parsed[1].lower()
+            standardized_url = urlunsplit(parsed)
+            return standardized_url
+        except Exception:
+            return url
 
     def get_error(self):
         """
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 7d9934a1..41d72fab 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -18,7 +18,6 @@
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
 
-
 class OneLogin_Saml2_Response_Test(unittest.TestCase):
     data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data')
     settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings')
@@ -50,6 +49,24 @@ def get_request_data(self):
             'script_name': 'index.html'
         }
 
+    def get_request_data_domain_capitalized(self):
+        return {
+            'http_host': 'StuFF.Com',
+            'script_name': 'endpoints/endpoints/acs.php'
+        }
+    
+    def get_request_data_path_capitalized(self):
+        return {
+            'http_host': 'stuff.com',
+            'script_name': 'Endpoints/endPoints/acs.php'
+        }
+
+    def get_request_data_both_capitalized(self):
+        return {
+            'http_host': 'StuFF.Com',
+            'script_name': 'Endpoints/endPoints/aCs.php'
+        }
+
     def testConstruct(self):
         """
         Tests the OneLogin_Saml2_Response Constructor.
@@ -977,7 +994,7 @@ def testIsInValidDuplicatedAttrs(self):
         response = OneLogin_Saml2_Response(settings, xml)
         with self.assertRaisesRegex(Exception, 'Found an Attribute element with duplicated Name'):
             response.get_attributes()
-
+    
     def testIsInValidDestination(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class
@@ -1014,6 +1031,45 @@ def testIsInValidDestination(self):
         self.assertFalse(response_5.is_valid(self.get_request_data()))
         self.assertIn('A valid SubjectConfirmation was not found on this Response', response_5.get_error())
 
+        settings.set_strict(True)
+        response_2 = OneLogin_Saml2_Response(settings, message)
+        self.assertFalse(response_2.is_valid(self.get_request_data()))
+        self.assertIn('The response was received at', response_2.get_error())
+
+    def testIsInValidCapitalizationOfDestinationElements(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_Response class
+        Case Invalid Response due to differences in capitalization of path
+        """
+
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
+        
+        #Test path capitalized
+        settings.set_strict(True)
+        response = OneLogin_Saml2_Response(settings, message)
+        self.assertFalse(response.is_valid(self.get_request_data_path_capitalized()))
+        self.assertIn('The response was received at', response.get_error())
+
+        #Test both domain and path capitalized
+        response_2 = OneLogin_Saml2_Response(settings, message)
+        self.assertFalse(response_2.is_valid(self.get_request_data_both_capitalized()))
+        self.assertIn('The response was received at', response_2.get_error())
+
+    def testIsValidCapitalizationOfDestinationHost(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_Response class
+        Case Valid Response, even if host is differently capitalized (per RFC)
+        """
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
+        
+        #Test path capitalized
+        settings.set_strict(True)
+        response = OneLogin_Saml2_Response(settings, message)
+        self.assertFalse(response.is_valid(self.get_request_data_domain_capitalized()))
+        self.assertNotIn('The response was received at', response.get_error())
+
     def testIsInValidAudience(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class

From 1cb34cdb0a21f9ce6a1e54c3604188b09a677f1c Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Tue, 8 Dec 2020 14:01:48 -0600
Subject: [PATCH 169/331] Fixed comment

---
 tests/src/OneLogin/saml2_tests/response_test.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 41d72fab..e3e6b390 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1036,7 +1036,7 @@ def testIsInValidDestination(self):
         self.assertFalse(response_2.is_valid(self.get_request_data()))
         self.assertIn('The response was received at', response_2.get_error())
 
-    def testIsInValidCapitalizationOfDestinationElements(self):
+    def testIsInValidDestinationCapitalizationOfElements(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class
         Case Invalid Response due to differences in capitalization of path
@@ -1056,7 +1056,7 @@ def testIsInValidCapitalizationOfDestinationElements(self):
         self.assertFalse(response_2.is_valid(self.get_request_data_both_capitalized()))
         self.assertIn('The response was received at', response_2.get_error())
 
-    def testIsValidCapitalizationOfDestinationHost(self):
+    def testIsValidDestinationCapitalizationOfHost(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class
         Case Valid Response, even if host is differently capitalized (per RFC)
@@ -1064,11 +1064,13 @@ def testIsValidCapitalizationOfDestinationHost(self):
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
         message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
         
-        #Test path capitalized
+        #Test domain capitalized
         settings.set_strict(True)
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(self.get_request_data_domain_capitalized()))
         self.assertNotIn('The response was received at', response.get_error())
+        #Assert we got past the destination check, which appears later
+        self.assertIn('A valid SubjectConfirmation was not found', response.get_error())
 
     def testIsInValidAudience(self):
         """

From 534974ac6c45a71f9a8dc67c547d4ef34ff5869e Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Tue, 8 Dec 2020 14:56:28 -0600
Subject: [PATCH 170/331] suggested changes

---
 src/onelogin/saml2/response.py | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index a40ab7e6..248d2f77 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -192,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks destination
                 destination = self.document.get('Destination', None)
                 if destination:
-                    if not self.__standardize_url(destination).startswith(self.__standardize_url(current_url)):
+                    if not self.__normalize_url(destination).startswith(self.__normalize_url(current_url)):
                         # TODO: Review if following lines are required, since we can control the
                         # request_data
                         #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
@@ -867,12 +867,24 @@ def __decrypt_assertion(self, xml):
                 xml.replace(encrypted_assertion_nodes[0], decrypted)
         return xml
             
-    def __standardize_url(self, url):
+    def __normalize_url(self, url):
+        """
+        Returns normalized URL for comparison. 
+        This method converts the hostname to lowercase, as it should be case-insensitive (per RFC 4343)
+        If standardization fails, the original URL is returned
+        Python documentation indicates that URL split also normalizes query strings if empty query fields are present
+
+        :param url: URL
+        :type url: String
+
+        :returns: A normalized URL, or the given URL string if parsing fails
+        :rtype: list
+        """
         try:
             parsed = list(urlsplit(url))
             parsed[1] = parsed[1].lower()
-            standardized_url = urlunsplit(parsed)
-            return standardized_url
+            normalized_url = urlunsplit(parsed)
+            return normalized_url
         except Exception:
             return url
 

From 021ee793075b378809be6f4c9270106857c38b78 Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Tue, 8 Dec 2020 15:10:58 -0600
Subject: [PATCH 171/331] Clarification in comment

---
 src/onelogin/saml2/response.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 248d2f77..fc233272 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -870,7 +870,7 @@ def __decrypt_assertion(self, xml):
     def __normalize_url(self, url):
         """
         Returns normalized URL for comparison. 
-        This method converts the hostname to lowercase, as it should be case-insensitive (per RFC 4343)
+        This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
         If standardization fails, the original URL is returned
         Python documentation indicates that URL split also normalizes query strings if empty query fields are present
 
@@ -882,6 +882,8 @@ def __normalize_url(self, url):
         """
         try:
             parsed = list(urlsplit(url))
+            #scheme and hostname converted to lowercase
+            parsed[0] = parsed[0].lower()
             parsed[1] = parsed[1].lower()
             normalized_url = urlunsplit(parsed)
             return normalized_url

From 9c40592324ca45f6549349e2f767e2da24b66bc7 Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Tue, 8 Dec 2020 15:22:20 -0600
Subject: [PATCH 172/331] Changes suggested

---
 src/onelogin/saml2/response.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index fc233272..2b4fdc25 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -881,11 +881,8 @@ def __normalize_url(self, url):
         :rtype: list
         """
         try:
-            parsed = list(urlsplit(url))
-            #scheme and hostname converted to lowercase
-            parsed[0] = parsed[0].lower()
-            parsed[1] = parsed[1].lower()
-            normalized_url = urlunsplit(parsed)
+            scheme, netloc, *rest = urlsplit(url)
+            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
             return normalized_url
         except Exception:
             return url

From 707fd2a4afa73fa7d2cd454e17bba99003831b77 Mon Sep 17 00:00:00 2001
From: "Volm, David" 
Date: Fri, 11 Dec 2020 17:31:47 -0600
Subject: [PATCH 173/331] Optionally set request.server_port based on
 X-Forwarded-Port header in demo_pyramid

---
 demo_pyramid/demo_pyramid/views.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index b393f14d..a213e367 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -19,6 +19,8 @@ def prepare_pyramid_request(request):
 
     if 'X-Forwarded-Proto' in request.headers:
         request.scheme = request.headers['X-Forwarded-Proto']
+    if 'X-Forwarded-Port' in request.headers:
+        request.server_port = int(request.headers['X-Forwarded-Port'])
 
     return {
         'https': 'on' if request.scheme == 'https' else 'off',

From 92fae88f373ccc387f423689e113eff9391d51bd Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Mon, 4 Jan 2021 16:32:14 -0600
Subject: [PATCH 174/331] Suggested edits made

---
 src/onelogin/saml2/logout_request.py  |  2 +-
 src/onelogin/saml2/logout_response.py |  2 +-
 src/onelogin/saml2/response.py        | 22 +---------------------
 src/onelogin/saml2/utils.py           | 21 +++++++++++++++++++++
 4 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index ef4d05e2..7d83e835 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -314,7 +314,7 @@ def is_valid(self, request_data, raise_exceptions=False):
                 if root.get('Destination', None):
                     destination = root.get('Destination')
                     if destination != '':
-                        if current_url not in destination:
+                        if OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
                             raise OneLogin_Saml2_ValidationError(
                                 'The LogoutRequest was received at '
                                 '%(currentURL)s instead of %(destination)s' %
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 6dd0a6d8..bc4a3bfb 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -118,7 +118,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Check destination
                 destination = self.document.get('Destination', None)
-                if destination and current_url not in destination:
+                if destination and OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
                     raise OneLogin_Saml2_ValidationError(
                         'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
                         OneLogin_Saml2_ValidationError.WRONG_DESTINATION
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 2b4fdc25..37402459 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -192,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks destination
                 destination = self.document.get('Destination', None)
                 if destination:
-                    if not self.__normalize_url(destination).startswith(self.__normalize_url(current_url)):
+                    if not OneLogin_Saml2_Utils.normalize_url(destination).startswith(OneLogin_Saml2_Utils.normalize_url(current_url)):
                         # TODO: Review if following lines are required, since we can control the
                         # request_data
                         #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
@@ -867,26 +867,6 @@ def __decrypt_assertion(self, xml):
                 xml.replace(encrypted_assertion_nodes[0], decrypted)
         return xml
             
-    def __normalize_url(self, url):
-        """
-        Returns normalized URL for comparison. 
-        This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
-        If standardization fails, the original URL is returned
-        Python documentation indicates that URL split also normalizes query strings if empty query fields are present
-
-        :param url: URL
-        :type url: String
-
-        :returns: A normalized URL, or the given URL string if parsing fails
-        :rtype: list
-        """
-        try:
-            scheme, netloc, *rest = urlsplit(url)
-            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
-            return normalized_url
-        except Exception:
-            return url
-
     def get_error(self):
         """
         After executing a validation process, if it fails this method returns the cause
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index b0856ebc..7a0d2f13 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -1062,3 +1062,24 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
             if debug:
                 print(e)
             return False
+
+        @staticmethod
+        def normalize_url(self, url):
+        """
+        Returns normalized URL for comparison. 
+        This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
+        If standardization fails, the original URL is returned
+        Python documentation indicates that URL split also normalizes query strings if empty query fields are present
+
+        :param url: URL
+        :type url: String
+
+        :returns: A normalized URL, or the given URL string if parsing fails
+        :rtype: String
+        """
+        try:
+            scheme, netloc, *rest = urlsplit(url)
+            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
+            return normalized_url
+        except Exception:
+            return url
\ No newline at end of file

From 8d9ea1a232ef24c6ce49fe98d3dfae5ef395b4d2 Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Mon, 4 Jan 2021 17:21:33 -0600
Subject: [PATCH 175/331] Fixed tests

---
 src/onelogin/saml2/logout_response.py           |  2 +-
 src/onelogin/saml2/response.py                  |  2 +-
 src/onelogin/saml2/utils.py                     |  6 +++---
 tests/src/OneLogin/saml2_tests/response_test.py |  2 +-
 tests/src/OneLogin/saml2_tests/utils_test.py    | 12 ++++++++++++
 5 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index bc4a3bfb..86de96c6 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -118,7 +118,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Check destination
                 destination = self.document.get('Destination', None)
-                if destination and OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
+                if destination and OneLogin_Saml2_Utils.normalize_url(url=current_url) not in OneLogin_Saml2_Utils.normalize_url(url=destination):
                     raise OneLogin_Saml2_ValidationError(
                         'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
                         OneLogin_Saml2_ValidationError.WRONG_DESTINATION
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 37402459..54d140c3 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -192,7 +192,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                 # Checks destination
                 destination = self.document.get('Destination', None)
                 if destination:
-                    if not OneLogin_Saml2_Utils.normalize_url(destination).startswith(OneLogin_Saml2_Utils.normalize_url(current_url)):
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
                         # TODO: Review if following lines are required, since we can control the
                         # request_data
                         #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 7a0d2f13..3c22e406 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -20,7 +20,7 @@
 from functools import wraps
 from uuid import uuid4
 from xml.dom.minidom import Element
-
+from urllib.parse import urlsplit, urlunsplit
 import zlib
 import xmlsec
 
@@ -1063,8 +1063,8 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
                 print(e)
             return False
 
-        @staticmethod
-        def normalize_url(self, url):
+    @staticmethod
+    def normalize_url(url):
         """
         Returns normalized URL for comparison. 
         This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index e3e6b390..efe6fd0f 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1063,12 +1063,12 @@ def testIsValidDestinationCapitalizationOfHost(self):
         """
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
         message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
-        
         #Test domain capitalized
         settings.set_strict(True)
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(self.get_request_data_domain_capitalized()))
         self.assertNotIn('The response was received at', response.get_error())
+
         #Assert we got past the destination check, which appears later
         self.assertIn('A valid SubjectConfirmation was not found', response.get_error())
 
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index 597c4852..c332a5e8 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -917,3 +917,15 @@ def testValidateSign(self):
         # Signature Wrapping attack
         wrapping_attack1 = b64decode(self.file_contents(join(self.data_path, 'responses', 'invalids', 'signature_wrapping_attack.xml.base64')))
         self.assertFalse(OneLogin_Saml2_Utils.validate_sign(wrapping_attack1, cert))
+
+    def testNormalizeUrl(self):
+        base_url = 'https://blah.com/path'
+        capital_scheme = 'hTTps://blah.com/path'
+        capital_domain = 'https://blAH.Com/path'
+        capital_path = 'https://blah.com/PAth'
+        capital_all = 'HTTPS://BLAH.COM/PATH'
+
+        self.assertIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_scheme))
+        self.assertIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_domain))
+        self.assertNotIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_path))
+        self.assertNotIn(base_url, OneLogin_Saml2_Utils.normalize_url(capital_all))

From a8d03a512825f098d347d9a44b2006391c84508c Mon Sep 17 00:00:00 2001
From: Tessa Bloomer 
Date: Mon, 4 Jan 2021 17:32:22 -0600
Subject: [PATCH 176/331] more testing

---
 .../saml2_tests/logout_request_test.py        | 64 +++++++++++++++++++
 .../saml2_tests/logout_response_test.py       | 58 +++++++++++++++++
 2 files changed, 122 insertions(+)

diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index d4c8ee6c..e1510c4d 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -413,6 +413,70 @@ def testIsValid(self):
         logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
         self.assertTrue(logout_request5.is_valid(request_data))
 
+    def testIsValidWithCapitalization(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
+        """
+        request_data = {
+            'http_host': 'exaMPLe.com',
+            'script_name': 'index.html'
+        }
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertFalse(logout_request2.is_valid(request_data))
+
+        settings.set_strict(False)
+        dom = parseString(request)
+        logout_request3 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertTrue(logout_request3.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request4 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertFalse(logout_request4.is_valid(request_data))
+
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url.lower())
+        logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request5.is_valid(request_data))
+
+    def testIsInValidWithCapitalization(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'INdex.html'
+        }
+        request = self.file_contents(join(self.data_path, 'logout_requests', 'logout_request.xml'))
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        logout_request = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertTrue(logout_request.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request2 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertFalse(logout_request2.is_valid(request_data))
+
+        settings.set_strict(False)
+        dom = parseString(request)
+        logout_request3 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertTrue(logout_request3.is_valid(request_data))
+
+        settings.set_strict(True)
+        logout_request4 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(dom.toxml()))
+        self.assertFalse(logout_request4.is_valid(request_data))
+
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+        request = request.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url.lower())
+        logout_request5 = OneLogin_Saml2_Logout_Request(settings, OneLogin_Saml2_Utils.b64encode(request))
+        self.assertFalse(logout_request5.is_valid(request_data))
+
     def testIsValidWithXMLEncoding(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index 054e9762..3ab17653 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -276,6 +276,64 @@ def testIsValid(self):
         response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
         self.assertTrue(response_3.is_valid(request_data))
 
+    def testIsValidWithCapitalization(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
+        """
+        request_data = {
+            'http_host': 'exaMPLe.com',
+            'script_name': 'index.html',
+            'get_data': {}
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_deflated.xml.base64'))
+
+        response = OneLogin_Saml2_Logout_Response(settings, message)
+        self.assertTrue(response.is_valid(request_data))
+
+        settings.set_strict(True)
+        response_2 = OneLogin_Saml2_Logout_Response(settings, message)
+        with self.assertRaisesRegex(Exception, 'The LogoutResponse was received at'):
+            response_2.is_valid(request_data, raise_exceptions=True)
+
+        plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
+        
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data).lower()
+        plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
+
+        response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
+        self.assertTrue(response_3.is_valid(request_data))
+
+    def testIsInValidWithCapitalization(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'INdex.html',
+            'get_data': {}
+        }
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        message = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response_deflated.xml.base64'))
+
+        response = OneLogin_Saml2_Logout_Response(settings, message)
+        self.assertTrue(response.is_valid(request_data))
+
+        settings.set_strict(True)
+        response_2 = OneLogin_Saml2_Logout_Response(settings, message)
+        with self.assertRaisesRegex(Exception, 'The LogoutResponse was received at'):
+            response_2.is_valid(request_data, raise_exceptions=True)
+
+        plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
+        current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data).lower()
+        plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
+        message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
+
+        response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
+        self.assertFalse(response_3.is_valid(request_data))
+
+
     def testIsValidWithXMLEncoding(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_LogoutResponse

From 9fdb11d1cd0190cfc783306cf9aed5133121a1ce Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 8 Jan 2021 19:48:37 +0100
Subject: [PATCH 177/331] Adding get_idp_sso_url, get_idp_slo_url and
 get_idp_slo_response_url methods to the Settings class and use it in the
 toolkit

---
 src/onelogin/saml2/auth.py                    | 10 ++----
 src/onelogin/saml2/logout_request.py          |  2 +-
 src/onelogin/saml2/logout_response.py         |  3 +-
 src/onelogin/saml2/settings.py                | 31 ++++++++++++++++
 .../src/OneLogin/saml2_tests/settings_test.py | 35 +++++++++++++++++++
 5 files changed, 71 insertions(+), 10 deletions(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 041f9445..67da5183 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -454,8 +454,7 @@ def get_sso_url(self):
         :returns: An URL, the SSO endpoint of the IdP
         :rtype: string
         """
-        idp_data = self.__settings.get_idp_data()
-        return idp_data['singleSignOnService']['url']
+        return self.__settings.get_idp_sso_url()
 
     def get_slo_url(self):
         """
@@ -464,9 +463,7 @@ def get_slo_url(self):
         :returns: An URL, the SLO endpoint of the IdP
         :rtype: string
         """
-        idp_data = self.__settings.get_idp_data()
-        if 'url' in idp_data['singleLogoutService']:
-            return idp_data['singleLogoutService']['url']
+        return self.__settings.get_idp_slo_url()
 
     def get_slo_response_url(self):
         """
@@ -475,8 +472,7 @@ def get_slo_response_url(self):
         :returns: an URL, the SLO return endpoint of the IdP
         :rtype: string
         """
-        slo_data = self.__settings.get_idp_data()['singleLogoutService']
-        return slo_data.get('responseUrl', self.get_slo_url())
+        return self.__settings.get_idp_slo_response_url()
 
     def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index ef4d05e2..78b01de6 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -110,7 +110,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 {
                     'id': uid,
                     'issue_instant': issue_instant,
-                    'single_logout_url': idp_data['singleLogoutService']['url'],
+                    'single_logout_url': self.__settings.get_idp_slo_response_url(),
                     'entity_id': sp_data['entityId'],
                     'name_id': name_id_obj,
                     'session_index': session_index_str,
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 7ce7f97d..de827f6a 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -162,13 +162,12 @@ def build(self, in_response_to):
 
         uid = OneLogin_Saml2_Utils.generate_unique_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
-        destination = idp_data['singleLogoutService'].get('responseUrl', idp_data['singleLogoutService']['url'])
 
         logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % \
             {
                 'id': uid,
                 'issue_instant': issue_instant,
-                'destination': destination,
+                'destination': self.__settings.get_idp_slo_response_url(),
                 'in_response_to': in_response_to,
                 'entity_id': sp_data['entityId'],
                 'status': "urn:oasis:names:tc:SAML:2.0:status:Success"
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 404024ab..5df25991 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -506,6 +506,37 @@ def check_sp_certs(self):
         cert = self.get_sp_cert()
         return key is not None and cert is not None
 
+    def get_idp_sso_url(self):
+        """
+        Gets the IdP SSO URL.
+
+        :returns: An URL, the SSO endpoint of the IdP
+        :rtype: string
+        """
+        idp_data = self.get_idp_data()
+        return idp_data['singleSignOnService']['url']
+
+    def get_idp_slo_url(self):
+        """
+        Gets the IdP SLO URL.
+
+        :returns: An URL, the SLO endpoint of the IdP
+        :rtype: string
+        """
+        idp_data = self.get_idp_data()
+        if 'url' in idp_data['singleLogoutService']:
+            return idp_data['singleLogoutService']['url']
+
+    def get_idp_slo_response_url(self):
+        """
+        Gets the IdP SLO return URL for IdP-initiated logout.
+
+        :returns: an URL, the SLO return endpoint of the IdP
+        :rtype: string
+        """
+        slo_data = self.get_idp_data()['singleLogoutService']
+        return slo_data.get('responseUrl', self.get_idp_slo_url())
+
     def get_sp_key(self):
         """
         Returns the x509 private key of the SP.
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 837af55f..fb7ba7fe 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -165,6 +165,41 @@ def testGetSchemasPath(self):
         base = settings.get_base_path()
         self.assertEqual(join(base, 'lib', 'schemas') + sep, settings.get_schemas_path())
 
+    def testGetIdPSSOurl(self):
+        """
+        Tests the get_idp_sso_url method of the OneLogin_Saml2_Settings class
+        """
+        settings_info = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(settings_info)
+
+        sso_url = settings_info['idp']['singleSignOnService']['url']
+        self.assertEqual(settings.get_idp_sso_url(), sso_url)
+
+    def testGetIdPSLOurl(self):
+        """
+        Tests the get_idp_slo_url method of the OneLogin_Saml2_Settings class
+        """
+        settings_info = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(settings_info)
+
+        slo_url = settings_info['idp']['singleLogoutService']['url']
+        self.assertEqual(settings.get_idp_slo_url(), slo_url)
+
+    def testGetIdPSLOresponseUrl(self):
+        """
+        Tests the get_idp_slo_response_url method of the OneLogin_Saml2_Settings class
+        """
+        settings_info = self.loadSettingsJSON()
+        settings_info['idp']['singleLogoutService']['responseUrl'] = "http://idp.example.com/SingleLogoutReturn.php"
+        settings = OneLogin_Saml2_Settings(settings_info)
+        slo_url = settings_info['idp']['singleLogoutService']['responseUrl']
+        self.assertEqual(settings.get_idp_slo_response_url(), slo_url)
+        # test that the function falls back to the url setting if responseUrl is not set
+        settings_info['idp']['singleLogoutService'].pop('responseUrl')
+        settings = OneLogin_Saml2_Settings(settings_info)
+        slo_url = settings_info['idp']['singleLogoutService']['url']
+        self.assertEqual(settings.get_idp_slo_response_url(), slo_url)
+
     def testGetSPCert(self):
         """
         Tests the get_sp_cert method of the OneLogin_Saml2_Settings

From fa1ddab1573eb710583046633bce47ace33006aa Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 9 Jan 2021 00:07:24 +0100
Subject: [PATCH 178/331] Update Readme.md

---
 README.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 8e3ccbec..e98b60c4 100644
--- a/README.md
+++ b/README.md
@@ -241,11 +241,13 @@ This is the ``settings.json`` file:
             // HTTP-POST binding only.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         },
-        // Specifies info about where and how the  message MUST be
-        // returned to the requester, in this case our SP.
+        // Specifies info about where and how the  message MUST be sent.
         "singleLogoutService": {
-            // URL Location where the  from the IdP will be returned
+            // URL Location where the  from the IdP will be sent (IdP-initiated logout)
             "url": "https:///?sls",
+            // URL Location where the  from the IdP will sent (SP-initiated logout, reply)
+            // OPTIONAL: only specify if different from url parameter
+            //"responseUrl": "https:///?sls",
             // SAML protocol binding to be used when returning the 
             // message. OneLogin Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
@@ -302,11 +304,11 @@ This is the ``settings.json`` file:
         },
         // SLO endpoint info of the IdP.
         "singleLogoutService": {
-            // URL Location of the IdP where SLO Request will be sent.
+            // URL Location where the  from the IdP will be sent (IdP-initiated logout)
             "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
-            // URL Location where the  from the SP will returned (after IdP-initiated logout)
+            // URL Location where the  from the IdP will sent (SP-initiated logout, reply)
             // OPTIONAL: only specify if different from url parameter 
-            "responseUrl": "https://app.onelogin.com/trust/saml2/http-redirect/slo_return/"
+            "responseUrl": "https://app.onelogin.com/trust/saml2/http-redirect/slo_return/",
             // SAML protocol binding to be used when returning the 
             // message. OneLogin Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.

From ee8b5d7c2426506be9873a82772c231743bc052d Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 9 Jan 2021 00:30:17 +0100
Subject: [PATCH 179/331] Refactor

---
 src/onelogin/saml2/settings.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 5df25991..e51a7124 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -534,8 +534,9 @@ def get_idp_slo_response_url(self):
         :returns: an URL, the SLO return endpoint of the IdP
         :rtype: string
         """
-        slo_data = self.get_idp_data()['singleLogoutService']
-        return slo_data.get('responseUrl', self.get_idp_slo_url())
+        idp_data = self.get_idp_data()
+        if 'url' in idp_data['singleLogoutService']:
+            return idp_data['singleLogoutService'].get('responseUrl', self.get_idp_slo_url())
 
     def get_sp_key(self):
         """

From 3aa3c575ffc4e55a3e06a1535dbe3094e7a31ae0 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 9 Jan 2021 00:56:03 +0100
Subject: [PATCH 180/331] See #223 Fix doc signature of get_attribute method

---
 src/onelogin/saml2/auth.py                  | 4 ++--
 tests/src/OneLogin/saml2_tests/auth_test.py | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 67da5183..c173b1b5 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -315,8 +315,8 @@ def get_attribute(self, name):
         :param name: Name of the attribute
         :type name: string
 
-        :returns: Attribute value if exists or None
-        :rtype: string
+        :returns: Attribute value(s) if exists or None
+        :rtype: list
         """
         assert isinstance(name, compat.str_type)
         return self.__attributes.get(name)
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index dcb35f72..81d009e9 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -102,7 +102,6 @@ def testGetSLOresponseUrl(self):
         slo_url = settings_info['idp']['singleLogoutService']['url']
         self.assertEqual(auth.get_slo_response_url(), slo_url)
 
-
     def testGetSessionIndex(self):
         """
         Tests the get_session_index method of the OneLogin_Saml2_Auth class

From a1e1f8b4d0fa4cd17467446f5cbe72dc1fc80bd8 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 9 Jan 2021 02:07:49 +0100
Subject: [PATCH 181/331] Close #217. Support single-label-domains as valid.
 New security parameter allowSingleLabelDomains

---
 README.md                                     |  4 +++
 demo-django/saml/advanced_settings.json       |  1 +
 demo-flask/saml/advanced_settings.json        |  1 +
 demo-tornado/saml/advanced_settings.json      |  1 +
 .../demo_pyramid/saml/advanced_settings.json  |  1 +
 src/onelogin/saml2/logout_response.py         |  1 -
 src/onelogin/saml2/settings.py                | 33 +++++++++++++++----
 .../src/OneLogin/saml2_tests/settings_test.py | 19 +++++++----
 8 files changed, 47 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index e98b60c4..c5528a2f 100644
--- a/README.md
+++ b/README.md
@@ -430,6 +430,10 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         // Provide the desire Duration, for example PT518400S (6 days)
         "metadataCacheDuration": null,
 
+        // If enabled, URLs with single-label-domains will
+        // be allowed and not rejected by the settings validator (Enable it under Docker/Kubernetes/testing env, not recommended on production)
+        "allowSingleLabelDomains": false,
+
         // Algorithm that the toolkit will use on signing process. Options:
         //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
         //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
diff --git a/demo-django/saml/advanced_settings.json b/demo-django/saml/advanced_settings.json
index 1307b0ae..fef16fe9 100644
--- a/demo-django/saml/advanced_settings.json
+++ b/demo-django/saml/advanced_settings.json
@@ -10,6 +10,7 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
+        "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
         "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
diff --git a/demo-flask/saml/advanced_settings.json b/demo-flask/saml/advanced_settings.json
index 1307b0ae..fef16fe9 100644
--- a/demo-flask/saml/advanced_settings.json
+++ b/demo-flask/saml/advanced_settings.json
@@ -10,6 +10,7 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
+        "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
         "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
diff --git a/demo-tornado/saml/advanced_settings.json b/demo-tornado/saml/advanced_settings.json
index 1307b0ae..fef16fe9 100644
--- a/demo-tornado/saml/advanced_settings.json
+++ b/demo-tornado/saml/advanced_settings.json
@@ -10,6 +10,7 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
+        "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
         "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
diff --git a/demo_pyramid/demo_pyramid/saml/advanced_settings.json b/demo_pyramid/demo_pyramid/saml/advanced_settings.json
index 1307b0ae..fef16fe9 100644
--- a/demo_pyramid/demo_pyramid/saml/advanced_settings.json
+++ b/demo_pyramid/demo_pyramid/saml/advanced_settings.json
@@ -10,6 +10,7 @@
         "wantNameId" : true,
         "wantNameIdEncrypted": false,
         "wantAssertionsEncrypted": false,
+        "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
         "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
     },
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index de827f6a..7548d57f 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -158,7 +158,6 @@ def build(self, in_response_to):
         :type in_response_to: string
         """
         sp_data = self.__settings.get_sp_data()
-        idp_data = self.__settings.get_idp_data()
 
         uid = OneLogin_Saml2_Utils.generate_unique_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index e51a7124..128802f5 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -39,10 +39,19 @@
     r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
     r'(?::\d+)?'  # optional port
     r'(?:/?|[/?]\S+)$', re.IGNORECASE)
+url_regex_single_label_domain = re.compile(
+    r'^(?:[a-z0-9\.\-]*)://'  # scheme is validated separately
+    r'(?:(?:[A-Z0-9_](?:[A-Z0-9-_]{0,61}[A-Z0-9_])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...
+    r'(?:[A-Z0-9_](?:[A-Z0-9-_]{0,61}[A-Z0-9_]))|'  # single-label-domain
+    r'localhost|'  # localhost...
+    r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4
+    r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
+    r'(?::\d+)?'  # optional port
+    r'(?:/?|[/?]\S+)$', re.IGNORECASE)
 url_schemes = ['http', 'https', 'ftp', 'ftps']
 
 
-def validate_url(url):
+def validate_url(url, allow_single_label_domain=False):
     """
     Auxiliary method to validate an urllib
     :param url: An url to be validated
@@ -54,8 +63,12 @@ def validate_url(url):
     scheme = url.split('://')[0].lower()
     if scheme not in url_schemes:
         return False
-    if not bool(url_regex.search(url)):
-        return False
+    if allow_single_label_domain:
+        if not bool(url_regex_single_label_domain.search(url)):
+            return False
+    else:
+        if not bool(url_regex.search(url)):
+            return False
     return True
 
 
@@ -353,17 +366,18 @@ def check_idp_settings(self, settings):
             if not settings.get('idp'):
                 errors.append('idp_not_found')
             else:
+                allow_single_domain_urls = self._get_allow_single_label_domain(settings)
                 idp = settings['idp']
                 if not idp.get('entityId'):
                     errors.append('idp_entityId_not_found')
 
                 if not idp.get('singleSignOnService', {}).get('url'):
                     errors.append('idp_sso_not_found')
-                elif not validate_url(idp['singleSignOnService']['url']):
+                elif not validate_url(idp['singleSignOnService']['url'], allow_single_domain_urls):
                     errors.append('idp_sso_url_invalid')
 
                 slo_url = idp.get('singleLogoutService', {}).get('url')
-                if slo_url and not validate_url(slo_url):
+                if slo_url and not validate_url(slo_url, allow_single_domain_urls):
                     errors.append('idp_slo_url_invalid')
 
                 if 'security' in settings:
@@ -407,6 +421,7 @@ def check_sp_settings(self, settings):
             if not settings.get('sp'):
                 errors.append('sp_not_found')
             else:
+                allow_single_domain_urls = self._get_allow_single_label_domain(settings)
                 # check_sp_certs uses self.__sp so I add it
                 old_sp = self.__sp
                 self.__sp = settings['sp']
@@ -419,7 +434,7 @@ def check_sp_settings(self, settings):
 
                 if not sp.get('assertionConsumerService', {}).get('url'):
                     errors.append('sp_acs_not_found')
-                elif not validate_url(sp['assertionConsumerService']['url']):
+                elif not validate_url(sp['assertionConsumerService']['url'], allow_single_domain_urls):
                     errors.append('sp_acs_url_invalid')
 
                 if sp.get('attributeConsumingService'):
@@ -448,7 +463,7 @@ def check_sp_settings(self, settings):
                         errors.append('sp_attributeConsumingService_serviceDescription_type_invalid')
 
                 slo_url = sp.get('singleLogoutService', {}).get('url')
-                if slo_url and not validate_url(slo_url):
+                if slo_url and not validate_url(slo_url, allow_single_domain_urls):
                     errors.append('sp_sls_url_invalid')
 
                 if 'signMetadata' in security and isinstance(security['signMetadata'], dict):
@@ -833,3 +848,7 @@ def is_debug_active(self):
         :rtype: boolean
         """
         return self.__debug
+
+    def _get_allow_single_label_domain(self, settings):
+        security = settings.get('security', {})
+        return 'allowSingleLabelDomains' in security.keys() and security['allowSingleLabelDomains']
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index fb7ba7fe..25e87e38 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -71,11 +71,18 @@ def testLoadSettingsFromDict(self):
         except Exception as e:
             self.assertIn('Invalid dict settings: idp_sso_url_invalid', str(e))
 
+        settings_info['idp']['singleSignOnService']['url'] = 'http://single-label-domain'
+        settings_info['security'] = {}
+        settings_info['security']['allowSingleLabelDomains'] = True
+        settings_4 = OneLogin_Saml2_Settings(settings_info)
+        self.assertEqual(len(settings_4.get_errors()), 0)
+
+        del settings_info['security']
         del settings_info['sp']
         del settings_info['idp']
         try:
-            settings_4 = OneLogin_Saml2_Settings(settings_info)
-            self.assertNotEqual(len(settings_4.get_errors()), 0)
+            settings_5 = OneLogin_Saml2_Settings(settings_info)
+            self.assertNotEqual(len(settings_5.get_errors()), 0)
         except Exception as e:
             self.assertIn('Invalid dict settings', str(e))
             self.assertIn('idp_not_found', str(e))
@@ -85,8 +92,8 @@ def testLoadSettingsFromDict(self):
         settings_info['security']['authnRequestsSigned'] = True
         settings_info['custom_base_path'] = dirname(__file__)
         try:
-            settings_5 = OneLogin_Saml2_Settings(settings_info)
-            self.assertNotEqual(len(settings_5.get_errors()), 0)
+            settings_6 = OneLogin_Saml2_Settings(settings_info)
+            self.assertNotEqual(len(settings_6.get_errors()), 0)
         except Exception as e:
             self.assertIn('Invalid dict settings: sp_cert_not_found_and_required', str(e))
 
@@ -94,8 +101,8 @@ def testLoadSettingsFromDict(self):
         settings_info['security']['nameIdEncrypted'] = True
         del settings_info['idp']['x509cert']
         try:
-            settings_6 = OneLogin_Saml2_Settings(settings_info)
-            self.assertNotEqual(len(settings_6.get_errors()), 0)
+            settings_7 = OneLogin_Saml2_Settings(settings_info)
+            self.assertNotEqual(len(settings_7.get_errors()), 0)
         except Exception as e:
             self.assertIn('Invalid dict settings: idp_cert_not_found_and_required', str(e))
 

From 8c828e3f615617a6e34f3e400f55d21cc6b5d3a9 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 9 Jan 2021 02:12:59 +0100
Subject: [PATCH 182/331] Add doc to validate_url method

---
 src/onelogin/saml2/settings.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 128802f5..924fb0c2 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -56,6 +56,8 @@ def validate_url(url, allow_single_label_domain=False):
     Auxiliary method to validate an urllib
     :param url: An url to be validated
     :type url: string
+    :param allow_single_label_domain: In order to allow or not single label domain
+    :type url: bool
     :returns: True if the url is valid
     :rtype: bool
     """

From f1e4af244efd6c16921653ffa5f76a71f12f7985 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 9 Jan 2021 03:36:15 +0100
Subject: [PATCH 183/331] Remove external lib method get_ext_lib_path. Add
 set_cert_path in order to allow set the cert path in a different folder than
 the toolkit

---
 src/onelogin/saml2/settings.py                | 18 +++----
 .../src/OneLogin/saml2_tests/settings_test.py | 48 +++++++++++++++----
 2 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 924fb0c2..04a66047 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -153,8 +153,7 @@ def __load_paths(self, base_path=None):
         self.__paths = {
             'base': base_path,
             'cert': base_path + 'certs' + sep,
-            'lib': base_path + 'lib' + sep,
-            'extlib': base_path + 'extlib' + sep,
+            'lib': dirname(__file__) + sep
         }
 
     def __update_paths(self, settings):
@@ -187,6 +186,12 @@ def get_cert_path(self):
         """
         return self.__paths['cert']
 
+    def set_cert_path(self, path):
+        """
+        Set a new cert path
+        """
+        self.__paths['cert'] = path
+
     def get_lib_path(self):
         """
         Returns lib path
@@ -196,15 +201,6 @@ def get_lib_path(self):
         """
         return self.__paths['lib']
 
-    def get_ext_lib_path(self):
-        """
-        Returns external lib path
-
-        :return: The external library folder path
-        :rtype: string
-        """
-        return self.__paths['extlib']
-
     def get_schemas_path(self):
         """
         Returns schema path
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 25e87e38..41e6de6f 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -148,29 +148,57 @@ def testGetCertPath(self):
         settings = OneLogin_Saml2_Settings(custom_base_path=self.settings_path)
         self.assertEqual(self.settings_path + sep + 'certs' + sep, settings.get_cert_path())
 
-    def testGetLibPath(self):
+    def testSetCertPath(self):
         """
-        Tests getLibPath method of the OneLogin_Saml2_Settings
+        Tests setCertPath method of the OneLogin_Saml2_Settings
         """
         settings = OneLogin_Saml2_Settings(custom_base_path=self.settings_path)
-        base = settings.get_base_path()
-        self.assertEqual(join(base, 'lib') + sep, settings.get_lib_path())
+        self.assertEqual(self.settings_path + sep + 'certs' + sep, settings.get_cert_path())
 
-    def testGetExtLibPath(self):
+        settings.set_cert_path('/tmp')
+        self.assertEqual('/tmp', settings.get_cert_path())
+
+    def testGetLibPath(self):
         """
-        Tests getExtLibPath method of the OneLogin_Saml2_Settings
+        Tests getLibPath method of the OneLogin_Saml2_Settings
         """
+        settingsInfo = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(settingsInfo)
+        path = settings.get_base_path()
+        self.assertEqual(settings.get_lib_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/'))
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/../../../tests/data/customPath/'))
+
+        del settingsInfo['custom_base_path']
+        settings = OneLogin_Saml2_Settings(settingsInfo)
+        path = settings.get_base_path()
+        self.assertEqual(settings.get_lib_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/'))
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/'))
+
         settings = OneLogin_Saml2_Settings(custom_base_path=self.settings_path)
-        base = settings.get_base_path()
-        self.assertEqual(join(base, 'extlib') + sep, settings.get_ext_lib_path())
+        path = settings.get_base_path()
+        self.assertEqual(settings.get_lib_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/'))
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(__file__)))), 'settings/'))
 
     def testGetSchemasPath(self):
         """
         Tests getSchemasPath method of the OneLogin_Saml2_Settings
         """
+        settingsInfo = self.loadSettingsJSON()
+        settings = OneLogin_Saml2_Settings(settingsInfo)
+        path = settings.get_base_path()
+        self.assertEqual(settings.get_schemas_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/schemas/'))
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/../../../tests/data/customPath/'))
+
+        del settingsInfo['custom_base_path']
+        settings = OneLogin_Saml2_Settings(settingsInfo)
+        path = settings.get_base_path()
+        self.assertEqual(settings.get_schemas_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/schemas/'))
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/'))
+
         settings = OneLogin_Saml2_Settings(custom_base_path=self.settings_path)
-        base = settings.get_base_path()
-        self.assertEqual(join(base, 'lib', 'schemas') + sep, settings.get_schemas_path())
+        path = settings.get_base_path()
+        self.assertEqual(settings.get_schemas_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/schemas/'))
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(__file__)))), 'settings/')) 
 
     def testGetIdPSSOurl(self):
         """

From 52f0daa7e88bb4bf5bcc6b6423852767dbba98f6 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 11 Jan 2021 17:39:07 +0100
Subject: [PATCH 184/331] Close #218. Add support for
 get_friendlyname_attributes and get_friendlyname_attribute

---
 src/onelogin/saml2/auth.py                    | 24 +++++++++++++
 src/onelogin/saml2/response.py                | 36 +++++++++++++++++++
 .../response1_with_friendlyname.xml.base64    |  1 +
 tests/src/OneLogin/saml2_tests/auth_test.py   |  2 ++
 .../src/OneLogin/saml2_tests/response_test.py | 26 +++++++++++++-
 5 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/responses/response1_with_friendlyname.xml.base64

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index c173b1b5..67559abf 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -53,6 +53,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         else:
             self.__settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
         self.__attributes = dict()
+        self.__friendlyname_attributes = dict()
         self.__nameid = None
         self.__nameid_format = None
         self.__nameid_nq = None
@@ -107,6 +108,7 @@ def process_response(self, request_id=None):
 
             if response.is_valid(self.__request_data, request_id):
                 self.__attributes = response.get_attributes()
+                self.__friendlyname_attributes = response.get_friendlyname_attributes()
                 self.__nameid = response.get_nameid()
                 self.__nameid_format = response.get_nameid_format()
                 self.__nameid_nq = response.get_nameid_nq()
@@ -231,6 +233,15 @@ def get_attributes(self):
         """
         return self.__attributes
 
+    def get_friendlyname_attributes(self):
+        """
+        Returns the set of SAML attributes indexed by FiendlyName.
+
+        :returns: SAML attributes
+        :rtype: dict
+        """
+        return self.__friendlyname_attributes
+
     def get_nameid(self):
         """
         Returns the nameID.
@@ -321,6 +332,19 @@ def get_attribute(self, name):
         assert isinstance(name, compat.str_type)
         return self.__attributes.get(name)
 
+    def get_friendlyname_attribute(self, friendlyname):
+        """
+        Returns the requested SAML attribute searched by FriendlyName.
+
+        :param friendlyname: FriendlyName of the attribute
+        :type friendlyname: string
+
+        :returns: Attribute value(s) if exists or None
+        :rtype: list
+        """
+        assert isinstance(friendlyname, compat.str_type)
+        return self.__friendlyname_attributes.get(friendlyname)
+
     def get_last_request_id(self):
         """
         :returns: The ID of the last Request SAML message generated.
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 1e7736a8..792c88af 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -603,6 +603,42 @@ def get_attributes(self):
             attributes[attr_name] = values
         return attributes
 
+    def get_friendlyname_attributes(self):
+        """
+        Gets the Attributes from the AttributeStatement element indexed by FiendlyName.
+        EncryptedAttributes are not supported
+        """
+        attributes = {}
+        attribute_nodes = self.__query_assertion('/saml:AttributeStatement/saml:Attribute')
+        for attribute_node in attribute_nodes:
+            attr_friendlyname = attribute_node.get('FriendlyName')
+            if attr_friendlyname:
+                if attr_friendlyname in attributes.keys():
+                    raise OneLogin_Saml2_ValidationError(
+                        'Found an Attribute element with duplicated FriendlyName',
+                        OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND
+                    )
+
+                values = []
+                for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']):
+                    attr_text = OneLogin_Saml2_XML.element_text(attr)
+                    if attr_text:
+                        attr_text = attr_text.strip()
+                        if attr_text:
+                            values.append(attr_text)
+
+                    # Parse any nested NameID children
+                    for nameid in attr.iterchildren('{%s}NameID' % OneLogin_Saml2_Constants.NSMAP['saml']):
+                        values.append({
+                            'NameID': {
+                                'Format': nameid.get('Format'),
+                                'NameQualifier': nameid.get('NameQualifier'),
+                                'value': nameid.text
+                            }
+                        })
+                attributes[attr_friendlyname] = values
+        return attributes
+
     def validate_num_assertions(self):
         """
         Verifies that the document only contains a single Assertion (encrypted or not)
diff --git a/tests/data/responses/response1_with_friendlyname.xml.base64 b/tests/data/responses/response1_with_friendlyname.xml.base64
new file mode 100644
index 00000000..a17c3941
--- /dev/null
+++ b/tests/data/responses/response1_with_friendlyname.xml.base64
@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIuMCIgSUQ9InBmeDhmZmIzOTgzLWNiZjYtOTJhMS1mMmM0LTYxOWFlMWJlMWM4NiIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzEzNTkwPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCiAgPGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4NCiAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+DQogIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4OGZmYjM5ODMtY2JmNi05MmExLWYyYzQtNjE5YWUxYmUxYzg2Ij48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5oZ3VRYkNIYW5pYmJEQzdxM1p6eHpIY1Bvbkk9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkdhbmNEOXZSb2g5TWJUMDAyRHk3OXQxbTZJNllmaFVLUGZibGttcDJ1ZG9sWHVqdjZlMU1XdnNWbXhOenRzSUdseEFhMHFLRGlTTXpDTkRac2szanN5c1VsMW5BS25BZzE4NWpmWGpzemhzZG1SK005MWR4azZrZmNMVW9zT29sb3ZhZFdMUFdxbjdQM2o4LzV4enA5THBSQTNndkI0MTgyUlNpcldDQlhQUT08L2RzOlNpZ25hdHVyZVZhbHVlPg0KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2dUQ0NBZW9DQ1FDYk9scldEZFg3RlRBTkJna3Foa2lHOXcwQkFRVUZBRENCaERFTE1Ba0dBMVVFQmhNQ1RrOHhHREFXQmdOVkJBZ1REMEZ1WkhKbFlYTWdVMjlzWW1WeVp6RU1NQW9HQTFVRUJ4TURSbTl2TVJBd0RnWURWUVFLRXdkVlRrbE9SVlJVTVJnd0ZnWURWUVFERXc5bVpXbGtaUzVsY214aGJtY3VibTh4SVRBZkJna3Foa2lHOXcwQkNRRVdFbUZ1WkhKbFlYTkFkVzVwYm1WMGRDNXViekFlRncwd056QTJNVFV4TWpBeE16VmFGdzB3TnpBNE1UUXhNakF4TXpWYU1JR0VNUXN3Q1FZRFZRUUdFd0pPVHpFWU1CWUdBMVVFQ0JNUFFXNWtjbVZoY3lCVGIyeGlaWEpuTVF3d0NnWURWUVFIRXdOR2IyOHhFREFPQmdOVkJBb1RCMVZPU1U1RlZGUXhHREFXQmdOVkJBTVREMlpsYVdSbExtVnliR0Z1Wnk1dWJ6RWhNQjhHQ1NxR1NJYjNEUUVKQVJZU1lXNWtjbVZoYzBCMWJtbHVaWFIwTG01dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRGl2YmhSN1A1MTZ4L1MzQnFLeHVwUWUwTE9Ob2xpdXBpQk9lc0NPM1NIYkRybDMrcTlJYmZuZm1FMDRyTnVNY1BzSXhCMTYxVGREcEllc0xDbjdjOGFQSElTS090UGxBZVRaU25iOFFBdTdhUmpacTMrUGJyUDV1VzNUY2ZDR1B0S1R5dEhPZ2UvT2xKYm8wNzhkVmhYUTE0ZDFFRHdYSlcxclJYdVV0NEM4UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDRFZmcDg2SE9icVkrZThCVW9XUTkrVk1ReDFBU0RvaEJqd09zZzJXeWtVcVJYRitkTGZjVUg5ZFdSNjNDdFpJS0ZEYlN0Tm9tUG5RejduYksrb255Z3dCc3BWRWJuSHVVaWhacTNaVWRtdW1RcUN3NFV2cy8xVXZxM29yT28vV0pWaFR5dkxnRlZLMlFhclE0LzY3T1pmSGQ3UitQT0JYaG9waFNNdjFaT288L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT4NCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zdXBwb3J0QG9uZWxvZ2luLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiIFJlY2lwaWVudD0ie3JlY2lwaWVudH0iLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQyMTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+e2F1ZGllbmNlfTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMTlUMjE6NTc6MzdaIiBTZXNzaW9uSW5kZXg9Il81MzFjMzJkMjgzYmRmZjdlMDRlNDg3YmNkYmM0ZGQ4ZCI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgRnJpZW5kbHlOYW1lPSJ1c2VybmFtZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0iYW5vdGhlcl92YWx1ZSI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+dmFsdWU8L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 81d009e9..2ccd3994 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -240,6 +240,8 @@ def testProcessResponseValid(self):
         attributes = auth.get_attributes()
         self.assertNotEqual(len(attributes), 0)
         self.assertEqual(auth.get_attribute('mail'), attributes['mail'])
+        friendlyname_attributes = auth.get_friendlyname_attributes()
+        self.assertEqual(len(friendlyname_attributes), 0)
         session_index = auth.get_session_index()
         self.assertEqual('_6273d77b8cde0c333ec79d22a9fa0003b9fe2d75cb', session_index)
         self.assertEqual("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", auth.get_nameid_format())
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 7d9934a1..c6eb7eac 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -656,7 +656,7 @@ def testGetSessionIndex(self):
 
     def testGetAttributes(self):
         """
-        Tests the getAttributes method of the OneLogin_Saml2_Response
+        Tests the get_attributes method of the OneLogin_Saml2_Response
         """
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
@@ -678,6 +678,30 @@ def testGetAttributes(self):
         response_3 = OneLogin_Saml2_Response(settings, xml_3)
         self.assertEqual({}, response_3.get_attributes())
 
+    def testGetFriendlyAttributes(self):
+        """
+        Tests the get_friendlyname_attributes method of the OneLogin_Saml2_Response
+        """
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+        xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        self.assertEqual({}, response.get_friendlyname_attributes())
+
+        expected_attributes = {
+            'username': ['demo']
+        }
+        xml_2 = self.file_contents(join(self.data_path, 'responses', 'response1_with_friendlyname.xml.base64'))
+        response_2 = OneLogin_Saml2_Response(settings, xml_2)
+        self.assertEqual(expected_attributes, response_2.get_friendlyname_attributes())
+
+        xml_3 = self.file_contents(join(self.data_path, 'responses', 'response2.xml.base64'))
+        response_3 = OneLogin_Saml2_Response(settings, xml_3)
+        self.assertEqual({}, response_3.get_friendlyname_attributes())
+
+        xml_4 = self.file_contents(join(self.data_path, 'responses', 'invalids', 'encrypted_attrs.xml.base64'))
+        response_4 = OneLogin_Saml2_Response(settings, xml_4)
+        self.assertEqual({}, response_4.get_friendlyname_attributes())
+
     def testGetNestedNameIDAttributes(self):
         """
         Tests the getAttributes method of the OneLogin_Saml2_Response with nested

From 06e15d3cbc9db1f7d0a8fb265b7dca2583cc4b92 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 11 Jan 2021 21:06:53 +0100
Subject: [PATCH 185/331] Adapt code to work with py2.7 as well. Follow same
 pattern on response, logoutrequest and logoutresponse destination check

---
 src/onelogin/saml2/logout_request.py  | 25 ++++++++++++-------------
 src/onelogin/saml2/logout_response.py | 11 ++++++-----
 src/onelogin/saml2/response.py        |  1 -
 src/onelogin/saml2/utils.py           |  8 ++++----
 4 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 6ee8b553..865841f1 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -311,19 +311,18 @@ def is_valid(self, request_data, raise_exceptions=False):
                         )
 
                 # Check destination
-                if root.get('Destination', None):
-                    destination = root.get('Destination')
-                    if destination != '':
-                        if OneLogin_Saml2_Utils.normalize_url(current_url) not in OneLogin_Saml2_Utils.normalize_url(destination):
-                            raise OneLogin_Saml2_ValidationError(
-                                'The LogoutRequest was received at '
-                                '%(currentURL)s instead of %(destination)s' %
-                                {
-                                    'currentURL': current_url,
-                                    'destination': destination,
-                                },
-                                OneLogin_Saml2_ValidationError.WRONG_DESTINATION
-                            )
+                destination = root.get('Destination', None)
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The LogoutRequest was received at '
+                            '%(currentURL)s instead of %(destination)s' %
+                            {
+                                'currentURL': current_url,
+                                'destination': destination,
+                            },
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
 
                 # Check issuer
                 issuer = OneLogin_Saml2_Logout_Request.get_issuer(root)
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 7c89f9e3..b31f64da 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -118,11 +118,12 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Check destination
                 destination = self.document.get('Destination', None)
-                if destination and OneLogin_Saml2_Utils.normalize_url(url=current_url) not in OneLogin_Saml2_Utils.normalize_url(url=destination):
-                    raise OneLogin_Saml2_ValidationError(
-                        'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
-                        OneLogin_Saml2_ValidationError.WRONG_DESTINATION
-                    )
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
 
                 if security['wantMessagesSigned']:
                     if 'Signature' not in get_data:
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 8030de26..6de385e9 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -10,7 +10,6 @@
 """
 
 from copy import deepcopy
-from urllib.parse import urlsplit, urlunsplit
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError, return_false_on_exception
 from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 3c22e406..bc618f03 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -20,7 +20,6 @@
 from functools import wraps
 from uuid import uuid4
 from xml.dom.minidom import Element
-from urllib.parse import urlsplit, urlunsplit
 import zlib
 import xmlsec
 
@@ -31,8 +30,9 @@
 
 
 try:
-    from urllib.parse import quote_plus  # py3
+    from urllib.parse import quote_plus, urlsplit, urlunsplit  # py3
 except ImportError:
+    from urlparse import urlsplit, urlunsplit
     from urllib import quote_plus  # py2
 
 
@@ -1078,8 +1078,8 @@ def normalize_url(url):
         :rtype: String
         """
         try:
-            scheme, netloc, *rest = urlsplit(url)
-            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), *rest))
+            scheme, netloc, path, query, fragment = urlsplit(url)
+            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), path, query, fragment))
             return normalized_url
         except Exception:
             return url
\ No newline at end of file

From a281bc5482a8b1e10f36ad1a8bb9836b5a9d50ca Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 11 Jan 2021 21:53:03 +0100
Subject: [PATCH 186/331] pep8 fixes

---
 .../OneLogin/saml2_tests/logout_response_test.py |  3 +--
 tests/src/OneLogin/saml2_tests/response_test.py  | 16 ++++++++--------
 tests/src/OneLogin/saml2_tests/settings_test.py  |  2 +-
 3 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index 3ab17653..90872f10 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -297,7 +297,7 @@ def testIsValidWithCapitalization(self):
             response_2.is_valid(request_data, raise_exceptions=True)
 
         plain_message = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
-        
+
         current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data).lower()
         plain_message = plain_message.replace('http://stuff.com/endpoints/endpoints/sls.php', current_url)
         message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
@@ -333,7 +333,6 @@ def testIsInValidWithCapitalization(self):
         response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
         self.assertFalse(response_3.is_valid(request_data))
 
-
     def testIsValidWithXMLEncoding(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index cdecf91f..3ace583e 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -18,6 +18,7 @@
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
 
+
 class OneLogin_Saml2_Response_Test(unittest.TestCase):
     data_path = join(dirname(dirname(dirname(dirname(__file__)))), 'data')
     settings_path = join(dirname(dirname(dirname(dirname(__file__)))), 'settings')
@@ -54,7 +55,7 @@ def get_request_data_domain_capitalized(self):
             'http_host': 'StuFF.Com',
             'script_name': 'endpoints/endpoints/acs.php'
         }
-    
+
     def get_request_data_path_capitalized(self):
         return {
             'http_host': 'stuff.com',
@@ -1018,7 +1019,7 @@ def testIsInValidDuplicatedAttrs(self):
         response = OneLogin_Saml2_Response(settings, xml)
         with self.assertRaisesRegex(Exception, 'Found an Attribute element with duplicated Name'):
             response.get_attributes()
-    
+
     def testIsInValidDestination(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class
@@ -1065,17 +1066,16 @@ def testIsInValidDestinationCapitalizationOfElements(self):
         Tests the is_valid method of the OneLogin_Saml2_Response class
         Case Invalid Response due to differences in capitalization of path
         """
-
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
         message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
-        
-        #Test path capitalized
+
+        # Test path capitalized
         settings.set_strict(True)
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(self.get_request_data_path_capitalized()))
         self.assertIn('The response was received at', response.get_error())
 
-        #Test both domain and path capitalized
+        # Test both domain and path capitalized
         response_2 = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response_2.is_valid(self.get_request_data_both_capitalized()))
         self.assertIn('The response was received at', response_2.get_error())
@@ -1087,13 +1087,13 @@ def testIsValidDestinationCapitalizationOfHost(self):
         """
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
         message = self.file_contents(join(self.data_path, 'responses', 'unsigned_response.xml.base64'))
-        #Test domain capitalized
+        # Test domain capitalized
         settings.set_strict(True)
         response = OneLogin_Saml2_Response(settings, message)
         self.assertFalse(response.is_valid(self.get_request_data_domain_capitalized()))
         self.assertNotIn('The response was received at', response.get_error())
 
-        #Assert we got past the destination check, which appears later
+        # Assert we got past the destination check, which appears later
         self.assertIn('A valid SubjectConfirmation was not found', response.get_error())
 
     def testIsInValidAudience(self):
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 41e6de6f..ddf8c531 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -198,7 +198,7 @@ def testGetSchemasPath(self):
         settings = OneLogin_Saml2_Settings(custom_base_path=self.settings_path)
         path = settings.get_base_path()
         self.assertEqual(settings.get_schemas_path(), join(dirname(dirname(dirname(dirname(dirname(__file__))))), 'src/onelogin/saml2/schemas/'))
-        self.assertEqual(path, join(dirname(dirname(dirname(dirname(__file__)))), 'settings/')) 
+        self.assertEqual(path, join(dirname(dirname(dirname(dirname(__file__)))), 'settings/'))
 
     def testGetIdPSSOurl(self):
         """

From 8d130bf62ad27752e10d9cf3af59f9144585f1a2 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 12 Jan 2021 12:56:12 +0100
Subject: [PATCH 187/331] More pep8 fixes

---
 src/onelogin/saml2/response.py | 2 +-
 src/onelogin/saml2/utils.py    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 6de385e9..677ef6b7 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -901,7 +901,7 @@ def __decrypt_assertion(self, xml):
                 decrypted = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key, debug=debug, inplace=True)
                 xml.replace(encrypted_assertion_nodes[0], decrypted)
         return xml
-            
+
     def get_error(self):
         """
         After executing a validation process, if it fails this method returns the cause
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index bc618f03..4ca5962c 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -1066,7 +1066,7 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
     @staticmethod
     def normalize_url(url):
         """
-        Returns normalized URL for comparison. 
+        Returns normalized URL for comparison.
         This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
         If standardization fails, the original URL is returned
         Python documentation indicates that URL split also normalizes query strings if empty query fields are present
@@ -1082,4 +1082,4 @@ def normalize_url(url):
             normalized_url = urlunsplit((scheme.lower(), netloc.lower(), path, query, fragment))
             return normalized_url
         except Exception:
-            return url
\ No newline at end of file
+            return url

From 95f06d340b0727a65a081575e2f8750353b2a4e5 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 12 Jan 2021 13:15:25 +0100
Subject: [PATCH 188/331] Add _generate_request_id to logout_request and
 logout_response and replace staticmethod by classmethod

---
 src/onelogin/saml2/logout_request.py  | 27 ++++++++++++++++-----------
 src/onelogin/saml2/logout_response.py | 11 +++++++++--
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 51944a62..b7d77ca6 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -59,8 +59,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
             idp_data = self.__settings.get_idp_data()
             security = self.__settings.get_security_data()
 
-            uid = OneLogin_Saml2_Utils.generate_unique_id()
-            self.id = uid
+            self.id = self._generate_request_id()
 
             issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
 
@@ -108,7 +107,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
 
             logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % \
                 {
-                    'id': uid,
+                    'id': self.id,
                     'issue_instant': issue_instant,
                     'single_logout_url': self.__settings.get_idp_slo_response_url(),
                     'entity_id': sp_data['entityId'],
@@ -144,8 +143,8 @@ def get_xml(self):
         """
         return self.__logout_request
 
-    @staticmethod
-    def get_id(request):
+    @classmethod
+    def get_id(cls, request):
         """
         Returns the ID of the Logout Request
         :param request: Logout Request Message
@@ -157,8 +156,8 @@ def get_id(request):
         elem = OneLogin_Saml2_XML.to_etree(request)
         return elem.get('ID', None)
 
-    @staticmethod
-    def get_nameid_data(request, key=None):
+    @classmethod
+    def get_nameid_data(cls, request, key=None):
         """
         Gets the NameID Data of the the Logout Request
         :param request: Logout Request Message
@@ -234,8 +233,8 @@ def get_nameid_format(cls, request, key=None):
             name_id_format = name_id_data['Format']
         return name_id_format
 
-    @staticmethod
-    def get_issuer(request):
+    @classmethod
+    def get_issuer(cls, request):
         """
         Gets the Issuer of the Logout Request Message
         :param request: Logout Request Message
@@ -251,8 +250,8 @@ def get_issuer(request):
             issuer = OneLogin_Saml2_XML.element_text(issuer_nodes[0])
         return issuer
 
-    @staticmethod
-    def get_session_indexes(request):
+    @classmethod
+    def get_session_indexes(cls, request):
         """
         Gets the SessionIndexes from the Logout Request
         :param request: Logout Request Message
@@ -359,3 +358,9 @@ def get_error(self):
         After executing a validation process, if it fails this method returns the cause
         """
         return self.__error
+
+    def _generate_request_id(self):
+        """
+        Generate an unique logout request ID.
+        """
+        return OneLogin_Saml2_Utils.generate_unique_id()
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index b31f64da..73decb10 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -160,12 +160,13 @@ def build(self, in_response_to):
         """
         sp_data = self.__settings.get_sp_data()
 
-        uid = OneLogin_Saml2_Utils.generate_unique_id()
+        self.id = self._generate_request_id()
+
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
 
         logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % \
             {
-                'id': uid,
+                'id': self.id,
                 'issue_instant': issue_instant,
                 'destination': self.__settings.get_idp_slo_response_url(),
                 'in_response_to': in_response_to,
@@ -211,3 +212,9 @@ def get_xml(self):
         :rtype: string
         """
         return self.__logout_response
+
+    def _generate_request_id(self):
+        """
+        Generate an unique logout response ID.
+        """
+        return OneLogin_Saml2_Utils.generate_unique_id()
\ No newline at end of file

From c25df8164563df28ec94dd6f5d7a9a6c65c06e83 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 13 Jan 2021 12:51:13 +0100
Subject: [PATCH 189/331] Added custom lxml parser based on the one defined at
 xmldefused. Update copyright

---
 LICENSE                                       |   2 +-
 setup.py                                      |   5 +-
 src/onelogin/__init__.py                      |   2 +-
 src/onelogin/saml2/__init__.py                |   2 +-
 src/onelogin/saml2/auth.py                    |  14 +-
 src/onelogin/saml2/authn_request.py           |   4 +-
 src/onelogin/saml2/compat.py                  |   2 +-
 src/onelogin/saml2/constants.py               |   2 +-
 src/onelogin/saml2/errors.py                  |   2 +-
 src/onelogin/saml2/idp_metadata_parser.py     |   2 +-
 src/onelogin/saml2/logout_request.py          |   2 +-
 src/onelogin/saml2/logout_response.py         |   4 +-
 src/onelogin/saml2/metadata.py                |   2 +-
 src/onelogin/saml2/response.py                |   2 +-
 src/onelogin/saml2/settings.py                |   2 +-
 src/onelogin/saml2/utils.py                   |   2 +-
 src/onelogin/saml2/xml_templates.py           |   2 +-
 src/onelogin/saml2/xml_utils.py               |   9 +-
 src/onelogin/saml2/xmlparser.py               | 147 ++++++++++++++++++
 tests/src/OneLogin/saml2_tests/auth_test.py   |   2 +-
 .../saml2_tests/authn_request_test.py         |   2 +-
 tests/src/OneLogin/saml2_tests/error_test.py  |   2 +-
 .../saml2_tests/idp_metadata_parser_test.py   |   2 +-
 .../saml2_tests/logout_request_test.py        |   2 +-
 .../saml2_tests/logout_response_test.py       |   2 +-
 .../src/OneLogin/saml2_tests/metadata_test.py |   2 +-
 .../src/OneLogin/saml2_tests/response_test.py |   2 +-
 .../src/OneLogin/saml2_tests/settings_test.py |   2 +-
 .../saml2_tests/signed_response_test.py       |   2 +-
 tests/src/OneLogin/saml2_tests/utils_test.py  |   4 +-
 .../OneLogin/saml2_tests/xml_utils_test.py    |   2 +-
 31 files changed, 191 insertions(+), 44 deletions(-)
 create mode 100644 src/onelogin/saml2/xmlparser.py

diff --git a/LICENSE b/LICENSE
index 1c8f814e..734c18ba 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation
diff --git a/setup.py b/setup.py
index 5a928564..3053b82c 100644
--- a/setup.py
+++ b/setup.py
@@ -1,7 +1,7 @@
 #! /usr/bin/env python
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 from setuptools import setup
@@ -37,8 +37,9 @@
     test_suite='tests',
     install_requires=[
         'isodate>=0.5.0',
+        'lxml>=3.3.5',
         'xmlsec>=0.6.0',
-        'defusedxml>=0.5.0'
+        'defusedxml==0.6.0'
     ],
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={
diff --git a/src/onelogin/__init__.py b/src/onelogin/__init__.py
index ba664a65..52ea1212 100644
--- a/src/onelogin/__init__.py
+++ b/src/onelogin/__init__.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Add SAML support to your Python softwares using this library.
diff --git a/src/onelogin/saml2/__init__.py b/src/onelogin/saml2/__init__.py
index ba664a65..52ea1212 100644
--- a/src/onelogin/saml2/__init__.py
+++ b/src/onelogin/saml2/__init__.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Add SAML support to your Python softwares using this library.
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index f8bddda4..a67e2071 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Auth class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Main class of OneLogin's Python Toolkit.
@@ -12,16 +12,16 @@
 """
 
 import xmlsec
-from defusedxml.lxml import tostring
 
 from onelogin.saml2 import compat
-from onelogin.saml2.settings import OneLogin_Saml2_Settings
-from onelogin.saml2.response import OneLogin_Saml2_Response
-from onelogin.saml2.logout_response import OneLogin_Saml2_Logout_Response
+from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
-from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
 from onelogin.saml2.logout_request import OneLogin_Saml2_Logout_Request
-from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request
+from onelogin.saml2.logout_response import OneLogin_Saml2_Logout_Response
+from onelogin.saml2.response import OneLogin_Saml2_Response
+from onelogin.saml2.settings import OneLogin_Saml2_Settings
+from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
+from onelogin.saml2.xmlparser import tostring
 
 
 class OneLogin_Saml2_Auth(object):
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index ef9ed603..48ad9d2a 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Authn_Request class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 AuthNRequest class of OneLogin's Python Toolkit.
@@ -131,8 +131,6 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
     def _generate_request_id(self):
         """
         Generate an unique request ID.
-
-        You can override this in a subclass.
         """
         return OneLogin_Saml2_Utils.generate_unique_id()
 
diff --git a/src/onelogin/saml2/compat.py b/src/onelogin/saml2/compat.py
index b69e61e4..90bcfac7 100644
--- a/src/onelogin/saml2/compat.py
+++ b/src/onelogin/saml2/compat.py
@@ -2,7 +2,7 @@
 
 """ py3 compatibility class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 """
diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py
index e0778bd2..e85a7fb9 100644
--- a/src/onelogin/saml2/constants.py
+++ b/src/onelogin/saml2/constants.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Constants class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Constants class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py
index 6faba2e2..6a50f9f1 100644
--- a/src/onelogin/saml2/errors.py
+++ b/src/onelogin/saml2/errors.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Error class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Error class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 1172bd06..2d7eec2c 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
 """ OneLogin_Saml2_IdPMetadataParser class
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 Metadata class of OneLogin's Python Toolkit.
 """
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index b7d77ca6..caf0701f 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Logout_Request class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Logout Request class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index 73decb10..bd942200 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Logout_Response class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Logout Response class of OneLogin's Python Toolkit.
@@ -217,4 +217,4 @@ def _generate_request_id(self):
         """
         Generate an unique logout response ID.
         """
-        return OneLogin_Saml2_Utils.generate_unique_id()
\ No newline at end of file
+        return OneLogin_Saml2_Utils.generate_unique_id()
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 9528b0e8..89e0af8f 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -2,7 +2,7 @@
 
 """ OneLoginSaml2Metadata class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Metadata class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 677ef6b7..04264919 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Response class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 SAML Response class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 09e593e7..ab3dbe37 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Settings class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Setting class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 4ca5962c..1290033e 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Utils class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Auxiliary class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/xml_templates.py b/src/onelogin/saml2/xml_templates.py
index ec4f6260..306b1afe 100644
--- a/src/onelogin/saml2/xml_templates.py
+++ b/src/onelogin/saml2/xml_templates.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_Auth class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Main class of OneLogin's Python Toolkit.
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
index d966e615..8cbd434b 100644
--- a/src/onelogin/saml2/xml_utils.py
+++ b/src/onelogin/saml2/xml_utils.py
@@ -2,7 +2,7 @@
 
 """ OneLogin_Saml2_XML class
 
-Copyright (c) 2010-2018 OneLogin, Inc.
+Copyright (c) 2010-2021 OneLogin, Inc.
 MIT License
 
 Auxiliary class of OneLogin's Python Toolkit.
@@ -11,9 +11,9 @@
 
 from os.path import join, dirname
 from lxml import etree
-from defusedxml.lxml import tostring, fromstring
 from onelogin.saml2 import compat
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.xmlparser import tostring, fromstring
 
 
 for prefix, url in OneLogin_Saml2_Constants.NSMAP.items():
@@ -63,9 +63,9 @@ def to_etree(xml):
         if isinstance(xml, OneLogin_Saml2_XML._element_class):
             return xml
         if isinstance(xml, OneLogin_Saml2_XML._bytes_class):
-            return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True)
+            return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True, forbid_entities=True)
         if isinstance(xml, OneLogin_Saml2_XML._text_class):
-            return OneLogin_Saml2_XML._parse_etree(compat.to_bytes(xml), forbid_dtd=True)
+            return OneLogin_Saml2_XML._parse_etree(compat.to_bytes(xml), forbid_dtd=True, forbid_entities=True)
 
         raise ValueError('unsupported type %r' % type(xml))
 
@@ -172,5 +172,6 @@ def extract_tag_text(xml, tagname):
 
     @staticmethod
     def element_text(node):
+        # Double check, the LXML Parser already removes comments
         etree.strip_tags(node, etree.Comment)
         return node.text
diff --git a/src/onelogin/saml2/xmlparser.py b/src/onelogin/saml2/xmlparser.py
new file mode 100644
index 00000000..33010ac5
--- /dev/null
+++ b/src/onelogin/saml2/xmlparser.py
@@ -0,0 +1,147 @@
+# -*- coding: utf-8 -*-
+
+# Based on the lxml example from defusedxml
+#
+# Copyright (c) 2013 by Christian Heimes 
+# Licensed to PSF under a Contributor Agreement.
+# See https://www.python.org/psf/license for licensing details.
+"""lxml.etree protection"""
+
+from __future__ import print_function, absolute_import
+
+import threading
+
+from lxml import etree as _etree
+
+from defusedxml.lxml import DTDForbidden, EntitiesForbidden, NotSupportedError
+
+LXML3 = _etree.LXML_VERSION[0] >= 3
+
+__origin__ = "lxml.etree"
+
+tostring = _etree.tostring
+
+
+class RestrictedElement(_etree.ElementBase):
+    """A restricted Element class that filters out instances of some classes
+    """
+
+    __slots__ = ()
+    blacklist = (_etree._Entity, _etree._ProcessingInstruction, _etree._Comment)
+
+    def _filter(self, iterator):
+        blacklist = self.blacklist
+        for child in iterator:
+            if isinstance(child, blacklist):
+                continue
+            yield child
+
+    def __iter__(self):
+        iterator = super(RestrictedElement, self).__iter__()
+        return self._filter(iterator)
+
+    def iterchildren(self, tag=None, reversed=False):
+        iterator = super(RestrictedElement, self).iterchildren(tag=tag, reversed=reversed)
+        return self._filter(iterator)
+
+    def iter(self, tag=None, *tags):
+        iterator = super(RestrictedElement, self).iter(tag=tag, *tags)
+        return self._filter(iterator)
+
+    def iterdescendants(self, tag=None, *tags):
+        iterator = super(RestrictedElement, self).iterdescendants(tag=tag, *tags)
+        return self._filter(iterator)
+
+    def itersiblings(self, tag=None, preceding=False):
+        iterator = super(RestrictedElement, self).itersiblings(tag=tag, preceding=preceding)
+        return self._filter(iterator)
+
+    def getchildren(self):
+        iterator = super(RestrictedElement, self).__iter__()
+        return list(self._filter(iterator))
+
+    def getiterator(self, tag=None):
+        iterator = super(RestrictedElement, self).getiterator(tag)
+        return self._filter(iterator)
+
+
+class GlobalParserTLS(threading.local):
+    """Thread local context for custom parser instances
+    """
+
+    parser_config = {
+        "resolve_entities": False,
+        'remove_comments': True,
+        'no_network': True,
+        'remove_pis': True,
+        'huge_tree': False
+    }
+
+    element_class = RestrictedElement
+
+    def createDefaultParser(self):
+        parser = _etree.XMLParser(**self.parser_config)
+        element_class = self.element_class
+        if self.element_class is not None:
+            lookup = _etree.ElementDefaultClassLookup(element=element_class)
+            parser.set_element_class_lookup(lookup)
+        return parser
+
+    def setDefaultParser(self, parser):
+        self._default_parser = parser
+
+    def getDefaultParser(self):
+        parser = getattr(self, "_default_parser", None)
+        if parser is None:
+            parser = self.createDefaultParser()
+            self.setDefaultParser(parser)
+        return parser
+
+
+_parser_tls = GlobalParserTLS()
+getDefaultParser = _parser_tls.getDefaultParser
+
+
+def check_docinfo(elementtree, forbid_dtd=False, forbid_entities=True):
+    """Check docinfo of an element tree for DTD and entity declarations
+    The check for entity declarations needs lxml 3 or newer. lxml 2.x does
+    not support dtd.iterentities().
+    """
+    docinfo = elementtree.docinfo
+    if docinfo.doctype:
+        if forbid_dtd:
+            raise DTDForbidden(docinfo.doctype, docinfo.system_url, docinfo.public_id)
+        if forbid_entities and not LXML3:
+            # lxml < 3 has no iterentities()
+            raise NotSupportedError("Unable to check for entity declarations " "in lxml 2.x")
+
+    if forbid_entities:
+        for dtd in docinfo.internalDTD, docinfo.externalDTD:
+            if dtd is None:
+                continue
+            for entity in dtd.iterentities():
+                raise EntitiesForbidden(entity.name, entity.content, None, None, None, None)
+
+
+def parse(source, parser=None, base_url=None, forbid_dtd=True, forbid_entities=True):
+    if parser is None:
+        parser = getDefaultParser()
+    elementtree = _etree.parse(source, parser, base_url=base_url)
+    check_docinfo(elementtree, forbid_dtd, forbid_entities)
+    return elementtree
+
+
+def fromstring(text, parser=None, base_url=None, forbid_dtd=True, forbid_entities=True):
+    if parser is None:
+        parser = getDefaultParser()
+    rootelement = _etree.fromstring(text, parser, base_url=base_url)
+    elementtree = rootelement.getroottree()
+    check_docinfo(elementtree, forbid_dtd, forbid_entities)
+    return rootelement
+
+
+XML = fromstring
+
+
+def iterparse(*args, **kwargs):
+    raise NotSupportedError("iterparse not available")
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 2ccd3994..ea8cf1d3 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 from base64 import b64decode, b64encode
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
index 3f1262f2..b23c633a 100644
--- a/tests/src/OneLogin/saml2_tests/authn_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json
diff --git a/tests/src/OneLogin/saml2_tests/error_test.py b/tests/src/OneLogin/saml2_tests/error_test.py
index cd7546b7..9a36a283 100644
--- a/tests/src/OneLogin/saml2_tests/error_test.py
+++ b/tests/src/OneLogin/saml2_tests/error_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import unittest
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index f4859244..4aa653b5 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 try:
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index e1510c4d..c18eaee4 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index 90872f10..e6f31b0f 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json
diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index 58afb5b9..0a12a6d4 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 3ace583e..5110f6e7 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 from base64 import b64decode
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index ddf8c531..4cb271f5 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json
diff --git a/tests/src/OneLogin/saml2_tests/signed_response_test.py b/tests/src/OneLogin/saml2_tests/signed_response_test.py
index 45afb505..b820e6c7 100644
--- a/tests/src/OneLogin/saml2_tests/signed_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/signed_response_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index c332a5e8..87112b0c 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 from base64 import b64decode
@@ -8,13 +8,13 @@
 from lxml import etree
 from os.path import dirname, join, exists
 import unittest
-from defusedxml.lxml import fromstring
 from xml.dom.minidom import parseString
 
 from onelogin.saml2 import compat
 from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.xmlparser import fromstring
 
 
 class OneLogin_Saml2_Utils_Test(unittest.TestCase):
diff --git a/tests/src/OneLogin/saml2_tests/xml_utils_test.py b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
index 507575f1..c9e01a61 100644
--- a/tests/src/OneLogin/saml2_tests/xml_utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
+# Copyright (c) 2010-2021 OneLogin, Inc.
 # MIT License
 
 import json

From 3ccf9ab5a0bb2669afa30a8d6ee601f56c97fedc Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 14 Jan 2021 11:29:15 +0100
Subject: [PATCH 190/331] Release 1.10.0

---
 changelog.md | 13 +++++++++++++
 setup.py     |  4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/changelog.md b/changelog.md
index b5e5da52..d83c1b3b 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,17 @@
 # python3-saml changelog
+### 1.10.0 (Jan 14, 2021)
+* Added custom lxml parser based on the one defined at xmldefused. Parser will ignore comments and processing instructions and by default have deactivated huge_tree, DTD and access to external documents
+* Destination URL Comparison is now case-insensitive for netloc
+* Support single-label-domains as valid. New security parameter allowSingleLabelDomains
+* Added get_idp_sso_url, get_idp_slo_url and get_idp_slo_response_url methods to the Settings class and use it in the toolkit
+* [#212](https://github.com/onelogin/python3-saml/pull/212) Overridability enhancements. Made classes overridable by subclassing. Use of classmethods instead staticmethods
+* Add get_friendlyname_attributes support
+* Remove external lib method get_ext_lib_path. Add set_cert_path in order to allow set the cert path in a different folder than the toolkit
+* Add sha256 instead sha1 algorithm for sign/digest as recommended value on documentation and settings
+* [#178](https://github.com/onelogin/python3-saml/pull/178) Support for adding idp.crt from filesystem
+* Add samlUserdata to demo-flask session
+* Fix autoreloading in demo-tornado
+
 ### 1.9.0 (Nov 20, 2019)
 * Allow any number of decimal places for seconds on SAML datetimes
 * Fix failOnAuthnContextMismatch code
diff --git a/setup.py b/setup.py
index 3053b82c..5efa23f4 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.9.0',
+    version='1.10.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
@@ -38,7 +38,7 @@
     install_requires=[
         'isodate>=0.5.0',
         'lxml>=3.3.5',
-        'xmlsec>=0.6.0',
+        'xmlsec>=1.0.5',
         'defusedxml==0.6.0'
     ],
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],

From 615bb73452ddd714827f74efbbb0d1a94292f989 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 14 Jan 2021 11:39:45 +0100
Subject: [PATCH 191/331] Add reference to python 3.8 and 3.9 support

---
 .travis.yml | 2 ++
 setup.py    | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 43d4b210..b690a1d0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,6 +4,8 @@ python:
   - '3.5'
   - '3.6'
   - '3.7'
+  - '3.8'
+  - '3.9'
 
 matrix:
   include:
diff --git a/setup.py b/setup.py
index 5efa23f4..f97f0189 100644
--- a/setup.py
+++ b/setup.py
@@ -21,6 +21,8 @@
         'Programming Language :: Python :: 3.5',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
+	'Programming Language :: Python :: 3.8',
+	'Programming Language :: Python :: 3.9',
     ],
     author='OneLogin',
     author_email='support@onelogin.com',

From d5304e09d7cf8980fddadc2fdb164e3b7d2d305a Mon Sep 17 00:00:00 2001
From: "Volm, David" 
Date: Fri, 15 Jan 2021 11:04:51 -0600
Subject: [PATCH 192/331] Commented out X-Forwarded bit in `views.py`

---
 demo_pyramid/demo_pyramid/views.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index a213e367..6529d67b 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -15,12 +15,13 @@ def init_saml_auth(req):
 
 
 def prepare_pyramid_request(request):
-    # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
-
-    if 'X-Forwarded-Proto' in request.headers:
-        request.scheme = request.headers['X-Forwarded-Proto']
-    if 'X-Forwarded-Port' in request.headers:
-        request.server_port = int(request.headers['X-Forwarded-Port'])
+    ## Uncomment this portion to set the request.scheme and request.server_port
+    ## based on the supplied `X-Forwarded` headers
+    #
+    # if 'X-Forwarded-Proto' in request.headers:
+    #    request.scheme = request.headers['X-Forwarded-Proto']
+    # if 'X-Forwarded-Port' in request.headers:
+    #    request.server_port = int(request.headers['X-Forwarded-Port'])
 
     return {
         'https': 'on' if request.scheme == 'https' else 'off',

From 3fa8f72fe70ec53fe2996cd58425247408407b51 Mon Sep 17 00:00:00 2001
From: "Volm, David" 
Date: Fri, 15 Jan 2021 11:08:39 -0600
Subject: [PATCH 193/331] More description for X-Forwarded header in comments.

---
 demo_pyramid/demo_pyramid/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index 6529d67b..93ec55eb 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -16,7 +16,8 @@ def init_saml_auth(req):
 
 def prepare_pyramid_request(request):
     ## Uncomment this portion to set the request.scheme and request.server_port
-    ## based on the supplied `X-Forwarded` headers
+    ## based on the supplied `X-Forwarded` headers.
+    ## Useful for running behind reverse proxies or balancers.
     #
     # if 'X-Forwarded-Proto' in request.headers:
     #    request.scheme = request.headers['X-Forwarded-Proto']

From 2db92842dc65a318ddd605443b3aa75a808813c9 Mon Sep 17 00:00:00 2001
From: nltommynl 
Date: Tue, 26 Jan 2021 17:09:47 +0100
Subject: [PATCH 194/331] Update logout_request.py

fix for incorrect slo url.
---
 src/onelogin/saml2/logout_request.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index caf0701f..3ed3fb15 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -109,7 +109,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 {
                     'id': self.id,
                     'issue_instant': issue_instant,
-                    'single_logout_url': self.__settings.get_idp_slo_response_url(),
+                    'single_logout_url': self.__settings.get_idp_slo_url(),
                     'entity_id': sp_data['entityId'],
                     'name_id': name_id_obj,
                     'session_index': session_index_str,

From 982560576664175be7018cda8428b6731aabe31e Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 27 Jan 2021 11:45:47 +0100
Subject: [PATCH 195/331] Release 1.10.1

---
 changelog.md                       | 3 +++
 demo_pyramid/demo_pyramid/views.py | 6 +++---
 setup.py                           | 6 +++---
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/changelog.md b/changelog.md
index d83c1b3b..4114cc04 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,7 @@
 # python3-saml changelog
+### 1.10.1 (Jan 27, 2021)
+* Fix bug on LogoutRequest class, get_idp_slo_response_url was used instead get_idp_slo_url
+
 ### 1.10.0 (Jan 14, 2021)
 * Added custom lxml parser based on the one defined at xmldefused. Parser will ignore comments and processing instructions and by default have deactivated huge_tree, DTD and access to external documents
 * Destination URL Comparison is now case-insensitive for netloc
diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index 93ec55eb..6dab4edc 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -15,9 +15,9 @@ def init_saml_auth(req):
 
 
 def prepare_pyramid_request(request):
-    ## Uncomment this portion to set the request.scheme and request.server_port
-    ## based on the supplied `X-Forwarded` headers.
-    ## Useful for running behind reverse proxies or balancers.
+    # Uncomment this portion to set the request.scheme and request.server_port
+    # based on the supplied `X-Forwarded` headers.
+    # Useful for running behind reverse proxies or balancers.
     #
     # if 'X-Forwarded-Proto' in request.headers:
     #    request.scheme = request.headers['X-Forwarded-Proto']
diff --git a/setup.py b/setup.py
index f97f0189..9537c8d4 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.10.0',
+    version='1.10.1',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
@@ -21,8 +21,8 @@
         'Programming Language :: Python :: 3.5',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
-	'Programming Language :: Python :: 3.8',
-	'Programming Language :: Python :: 3.9',
+        'Programming Language :: Python :: 3.8',
+        'Programming Language :: Python :: 3.9',
     ],
     author='OneLogin',
     author_email='support@onelogin.com',

From 4b6c4b1f2ed3f6eab70ff4391e595b808ace168c Mon Sep 17 00:00:00 2001
From: cdrx 
Date: Wed, 27 Jan 2021 11:17:29 +0000
Subject: [PATCH 196/331] Remove the dependency on defusedxml

---
 README.md                       |  1 -
 setup.py                        |  3 +--
 src/onelogin/saml2/xmlparser.py | 41 +++++++++++++++++++++++++++++++--
 3 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index c5528a2f..6d198601 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,6 @@ Installation
  * [xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library.
  * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/
  duration parser and formatter
- * [defusedxml](https://pypi.python.org/pypi/defusedxml) XML bomb protection for Python stdlib modules
 
 Review the ``setup.py`` file to know the version of the library that ``python3-saml`` is using
 
diff --git a/setup.py b/setup.py
index 9537c8d4..61ee6de2 100644
--- a/setup.py
+++ b/setup.py
@@ -40,8 +40,7 @@
     install_requires=[
         'isodate>=0.5.0',
         'lxml>=3.3.5',
-        'xmlsec>=1.0.5',
-        'defusedxml==0.6.0'
+        'xmlsec>=1.0.5'
     ],
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={
diff --git a/src/onelogin/saml2/xmlparser.py b/src/onelogin/saml2/xmlparser.py
index 33010ac5..4bf8df3d 100644
--- a/src/onelogin/saml2/xmlparser.py
+++ b/src/onelogin/saml2/xmlparser.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 
 # Based on the lxml example from defusedxml
+# DTDForbidden, EntitiesForbidden, NotSupportedError are clones of the classes defined at defusedxml
 #
 # Copyright (c) 2013 by Christian Heimes 
 # Licensed to PSF under a Contributor Agreement.
@@ -13,8 +14,6 @@
 
 from lxml import etree as _etree
 
-from defusedxml.lxml import DTDForbidden, EntitiesForbidden, NotSupportedError
-
 LXML3 = _etree.LXML_VERSION[0] >= 3
 
 __origin__ = "lxml.etree"
@@ -22,6 +21,44 @@
 tostring = _etree.tostring
 
 
+class DTDForbidden(ValueError):
+    """Document type definition is forbidden
+    """
+
+    def __init__(self, name, sysid, pubid):
+        super(DTDForbidden, self).__init__()
+        self.name = name
+        self.sysid = sysid
+        self.pubid = pubid
+
+    def __str__(self):
+        tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
+        return tpl.format(self.name, self.sysid, self.pubid)
+
+
+class EntitiesForbidden(ValueError):
+    """Entity definition is forbidden
+    """
+
+    def __init__(self, name, value, base, sysid, pubid, notation_name):
+        super(EntitiesForbidden, self).__init__()
+        self.name = name
+        self.value = value
+        self.base = base
+        self.sysid = sysid
+        self.pubid = pubid
+        self.notation_name = notation_name
+
+    def __str__(self):
+        tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
+        return tpl.format(self.name, self.sysid, self.pubid)
+
+
+class NotSupportedError(ValueError):
+    """The operation is not supported
+    """
+
+
 class RestrictedElement(_etree.ElementBase):
     """A restricted Element class that filters out instances of some classes
     """

From c735bfb52bb475fff3691c8cd59646ba289cbdf5 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 28 Jan 2021 01:02:23 +0100
Subject: [PATCH 197/331] Update dev dependency due lack of python support 3.8
 and 3.9

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 61ee6de2..452f1b9e 100644
--- a/setup.py
+++ b/setup.py
@@ -46,7 +46,7 @@
     extras_require={
         'test': (
             'coverage>=4.5.2',
-            'freezegun==0.3.11',
+            'freezegun>=0.3.11, <=1.1.0',
             'pylint==1.9.4',
             'flake8==3.6.0',
             'coveralls==1.5.1',

From 22734cd4d2c51b37b128fbfabc422aad48174563 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 28 Jan 2021 10:37:56 +0100
Subject: [PATCH 198/331] Update dev dependency due lack of python support 3.8
 (flake8)

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 452f1b9e..a999c1fa 100644
--- a/setup.py
+++ b/setup.py
@@ -48,7 +48,7 @@
             'coverage>=4.5.2',
             'freezegun>=0.3.11, <=1.1.0',
             'pylint==1.9.4',
-            'flake8==3.6.0',
+            'flake8>=3.6.0',
             'coveralls==1.5.1',
         ),
     },

From be1c1c8ae7d472518acbcfb0fcf2b48a9c5a7365 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Thu, 28 Jan 2021 13:41:51 +0100
Subject: [PATCH 199/331] Fix pep8

---
 demo-django/demo/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index c02d226e..418ab0c8 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -87,7 +87,7 @@ def index(request):
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
         elif auth.get_settings().is_debug_active():
-                error_reason = auth.get_last_error_reason()
+            error_reason = auth.get_last_error_reason()
     elif 'sls' in req['get_data']:
         request_id = None
         if 'LogoutRequestID' in request.session:

From 2f78c44c107024b9c0e982c7d5e986533a1efd87 Mon Sep 17 00:00:00 2001
From: Alexander Schrijver 
Date: Wed, 13 May 2020 16:45:07 +0200
Subject: [PATCH 200/331] Add the abilitity to change the
 AttributeConsumingService index in the metadata file.

---
 src/onelogin/saml2/metadata.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 89e0af8f..bd839c58 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -162,7 +162,7 @@ def builder(cls, sp, authnsign=False, wsign=False, valid_until=None, cache_durat
 
                 requested_attribute_data.append(requested_attribute)
 
-            str_attribute_consuming_service = """        
+            str_attribute_consuming_service = """        
             %(service_name)s
 %(attr_cs_desc)s%(requested_attribute_str)s
         
@@ -170,6 +170,7 @@ def builder(cls, sp, authnsign=False, wsign=False, valid_until=None, cache_durat
                 {
                     'service_name': sp['attributeConsumingService']['serviceName'],
                     'attr_cs_desc': attr_cs_desc_str,
+                    'attribute_consuming_service_index': sp['attributeConsumingService'].get('index', '1'),
                     'requested_attribute_str': '\n'.join(requested_attribute_data)
                 }
 

From 7ed8932d36d550f6c994a0abf6fb2abf53035501 Mon Sep 17 00:00:00 2001
From: Alexander Schrijver 
Date: Mon, 11 May 2020 11:16:58 +0200
Subject: [PATCH 201/331] Add the ability to set AttributeConsumingServiceIndex
 in the authn request.

---
 src/onelogin/saml2/authn_request.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 48ad9d2a..4af455d2 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -108,7 +108,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         attr_consuming_service_str = ''
         if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
-            attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"1\""
+            attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"%s\"" % sp_data['attributeConsumingService'].get('index', '1')
 
         request = OneLogin_Saml2_Templates.AUTHN_REQUEST % \
             {

From 332ea51b92fe6240855a4113fa0fd37da81b77ce Mon Sep 17 00:00:00 2001
From: Alexander Schrijver 
Date: Fri, 29 Jan 2021 16:19:09 +0100
Subject: [PATCH 202/331] Add a comment describing the
 attributeConsumingService 'index' configuration option.

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index c5528a2f..1001c4b8 100644
--- a/README.md
+++ b/README.md
@@ -257,6 +257,11 @@ This is the ``settings.json`` file:
         // attributeConsumingService. nameFormat, attributeValue and
         // friendlyName can be ommited
         "attributeConsumingService": {
+                // OPTIONAL: only specifiy if SP requires this.
+                // index is an integer which identifies the attributeConsumingService used
+                // to the SP. OneLogin toolkit supports configuring only one attributeConsumingService
+                // but in certain cases the SP requires a different value.  Defaults to '1'.
+                // "index": '1',
                 "serviceName": "SP test",
                 "serviceDescription": "Test Service",
                 "requestedAttributes": [

From 7d4351811efa2968ca5048e29701e67a99d090fe Mon Sep 17 00:00:00 2001
From: Alexander Schrijver 
Date: Fri, 5 Feb 2021 14:22:24 +0100
Subject: [PATCH 203/331] Move storing the response data into its own method in
 the Auth class

This makes it easier to incorporate other response methods into the
code.
---
 src/onelogin/saml2/auth.py | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index a67e2071..33de8724 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -94,6 +94,21 @@ def set_strict(self, value):
         assert isinstance(value, bool)
         self.__settings.set_strict(value)
 
+    def store_valid_response(self, response):
+        self.__attributes = response.get_attributes()
+        self.__friendlyname_attributes = response.get_friendlyname_attributes()
+        self.__nameid = response.get_nameid()
+        self.__nameid_format = response.get_nameid_format()
+        self.__nameid_nq = response.get_nameid_nq()
+        self.__nameid_spnq = response.get_nameid_spnq()
+        self.__session_index = response.get_session_index()
+        self.__session_expiration = response.get_session_not_on_or_after()
+        self.__last_message_id = response.get_id()
+        self.__last_assertion_id = response.get_assertion_id()
+        self.__last_authn_contexts = response.get_authn_contexts()
+        self.__authenticated = True
+        self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
+
     def process_response(self, request_id=None):
         """
         Process the SAML Response sent by the IdP.
@@ -112,20 +127,7 @@ def process_response(self, request_id=None):
             self.__last_response = response.get_xml_document()
 
             if response.is_valid(self.__request_data, request_id):
-                self.__attributes = response.get_attributes()
-                self.__friendlyname_attributes = response.get_friendlyname_attributes()
-                self.__nameid = response.get_nameid()
-                self.__nameid_format = response.get_nameid_format()
-                self.__nameid_nq = response.get_nameid_nq()
-                self.__nameid_spnq = response.get_nameid_spnq()
-                self.__session_index = response.get_session_index()
-                self.__session_expiration = response.get_session_not_on_or_after()
-                self.__last_message_id = response.get_id()
-                self.__last_assertion_id = response.get_assertion_id()
-                self.__last_authn_contexts = response.get_authn_contexts()
-                self.__authenticated = True
-                self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
-
+                self.store_valid_response(response)
             else:
                 self.__errors.append('invalid_response')
                 self.__error_reason = response.get_error()

From ded055793d7a6ab7dbe0fc74b67a70a6a88bcbb7 Mon Sep 17 00:00:00 2001
From: John-Scott Atlakson <24574+jsma@users.noreply.github.com>
Date: Tue, 9 Feb 2021 14:57:40 -0800
Subject: [PATCH 204/331] Update README.md

Update self-sign certificate example to use ``sp.key`` since that is the hard-coded filename that must be used.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6d198601..622db674 100644
--- a/README.md
+++ b/README.md
@@ -162,7 +162,7 @@ publish that X.509 certificate on Service Provider metadata.
 If you want to create self-signed certs, you can do it at the https://www.samltool.com/self_signed_certs.php service, or using the command:
 
 ```bash
-openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout saml.key
+openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
 ```
 
 #### demo-flask ####

From 9cc63eb2aae97e9c82d11cc2229c37c5cc39f2b1 Mon Sep 17 00:00:00 2001
From: Alexander Schrijver 
Date: Mon, 11 May 2020 11:18:11 +0200
Subject: [PATCH 205/331] Add the ability to change the ProtocolBinding in the
 authn request.

---
 src/onelogin/saml2/authn_request.py | 1 +
 src/onelogin/saml2/xml_templates.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 48ad9d2a..c0ced249 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -124,6 +124,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
                 'nameid_policy_str': nameid_policy_str,
                 'requested_authn_context_str': requested_authn_context_str,
                 'attr_consuming_service_str': attr_consuming_service_str,
+                'acs_binding': sp_data['assertionConsumerService'].get('binding', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST')
             }
 
         self.__authn_request = request
diff --git a/src/onelogin/saml2/xml_templates.py b/src/onelogin/saml2/xml_templates.py
index 306b1afe..5575d116 100644
--- a/src/onelogin/saml2/xml_templates.py
+++ b/src/onelogin/saml2/xml_templates.py
@@ -27,7 +27,7 @@ class OneLogin_Saml2_Templates(object):
   Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
   IssueInstant="%(issue_instant)s"
   Destination="%(destination)s"
-  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+  ProtocolBinding="%(acs_binding)s"
   AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
     %(entity_id)s%(subject_str)s%(nameid_policy_str)s
 %(requested_authn_context_str)s

From 88f66a858044c9818ad60368320ebd0ba677917f Mon Sep 17 00:00:00 2001
From: sheng zhang 
Date: Wed, 24 Feb 2021 14:45:03 -0800
Subject: [PATCH 206/331] Update README.md

for issue https://github.com/onelogin/python3-saml/issues/249
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8a524de8..dc854bbb 100644
--- a/README.md
+++ b/README.md
@@ -689,7 +689,7 @@ if not errors:
     else:
       print('Not authenticated')
 else:
-    print("Error when processing SAML Response: %s" % (', '.join(errors)))
+    print("Error when processing SAML Response: %s %s" % (', '.join(errors), auth.get_last_error_reason()))
 ```
 
 The SAML response is processed and then checked that there are no errors. It also verifies that the user is authenticated and stored the userdata in session.
@@ -748,7 +748,7 @@ if len(errors) == 0:
     else:
         print("Sucessfully Logged out")
 else:
-    print("Error when processing SLO: %s" % (', '.join(errors)))
+    print("Error when processing SLO: %s %s" % (', '.join(errors), auth.get_last_error_reason()))
 ```
 
 If the SLS endpoints receives a Logout Response, the response is validated and the session could be closed, using the callback.

From 1fbb515ba34255a684ac29125fdc38030446746a Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Mon, 10 May 2021 16:12:19 -0400
Subject: [PATCH 207/331] Added timeout kwarg to metadata retrieval

---
 README.md                                 |  8 +++++++-
 src/onelogin/saml2/idp_metadata_parser.py | 18 ++++++++++++------
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index dc854bbb..614e6e21 100644
--- a/README.md
+++ b/README.md
@@ -520,12 +520,18 @@ The method above requires a little extra work to manually specify attributes abo
 
 There's an easier method -- use a metadata exchange.  Metadata is just an XML file that defines the capabilities of both the IdP and the SP application.  It also contains the X.509 public key certificates which add to the trusted relationship.  The IdP administrator can also configure custom settings for an SP based on the metadata.
 
-Using ````parse_remote```` IdP metadata can be obtained and added to the settings withouth further ado.
+Using ````parse_remote```` IdP metadata can be obtained and added to the settings without further ado.
 
 ``
 idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata')
 ``
 
+You can specify a timeout in seconds for metadata retrieval, if not it is not guaranteed that the request will complete
+
+``
+idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata', timeout=5)
+``
+
 If the Metadata contains several entities, the relevant ``EntityDescriptor`` can be specified when retrieving the settings from the ``IdpMetadataParser`` by its ``entityId`` value:
 
 ``idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(https://example.com/metadatas, entity_id='idp_entity_id')``
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 2d7eec2c..5da7989a 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -26,7 +26,7 @@ class OneLogin_Saml2_IdPMetadataParser(object):
     """
 
     @classmethod
-    def get_metadata(cls, url, validate_cert=True):
+    def get_metadata(cls, url, validate_cert=True, timeout=None):
         """
         Gets the metadata XML from the provided URL
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -35,18 +35,21 @@ def get_metadata(cls, url, validate_cert=True):
         :param validate_cert: If the url uses https schema, that flag enables or not the verification of the associated certificate.
         :type validate_cert: bool
 
+        :param timeout: Timeout in seconds to wait for metadata response
+        :type timeout: int
+
         :returns: metadata XML
         :rtype: string
         """
         valid = False
 
         if validate_cert:
-            response = urllib2.urlopen(url)
+            response = urllib2.urlopen(url, timeout=timeout)
         else:
             ctx = ssl.create_default_context()
             ctx.check_hostname = False
             ctx.verify_mode = ssl.CERT_NONE
-            response = urllib2.urlopen(url, context=ctx)
+            response = urllib2.urlopen(url, context=ctx, timeout=timeout)
         xml = response.read()
 
         if xml:
@@ -59,12 +62,12 @@ def get_metadata(cls, url, validate_cert=True):
                 pass
 
         if not valid:
-            raise Exception('Not valid IdP XML found from URL: %s' % (url))
+            raise Exception('Not valid IdP XML found from URL: %s' % (url,))
 
         return xml
 
     @classmethod
-    def parse_remote(cls, url, validate_cert=True, entity_id=None, **kwargs):
+    def parse_remote(cls, url, validate_cert=True, entity_id=None, timeout=None, **kwargs):
         """
         Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -77,10 +80,13 @@ def parse_remote(cls, url, validate_cert=True, entity_id=None, **kwargs):
                           that contains multiple EntityDescriptor.
         :type entity_id: string
 
+        :param timeout: Timeout in seconds to wait for metadata response
+        :type timeout: int
+
         :returns: settings dict with extracted data
         :rtype: dict
         """
-        idp_metadata = cls.get_metadata(url, validate_cert)
+        idp_metadata = cls.get_metadata(url, validate_cert, timeout)
         return cls.parse(idp_metadata, entity_id=entity_id, **kwargs)
 
     @classmethod

From b14e438cdb5bf51be6df34d3f686598178da1d96 Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Mon, 10 May 2021 16:25:20 -0400
Subject: [PATCH 208/331] Fixed readme

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 614e6e21..c48f2c55 100644
--- a/README.md
+++ b/README.md
@@ -526,7 +526,7 @@ Using ````parse_remote```` IdP metadata can be obtained and added to the setting
 idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata')
 ``
 
-You can specify a timeout in seconds for metadata retrieval, if not it is not guaranteed that the request will complete
+You can specify a timeout in seconds for metadata retrieval, without it is not guaranteed that the request will complete
 
 ``
 idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata', timeout=5)

From 293bcde73b12b7374f120752680c05a399b76774 Mon Sep 17 00:00:00 2001
From: Eugene Toder 
Date: Sat, 27 Mar 2021 17:41:59 -0400
Subject: [PATCH 209/331] Add an option to use query string for validation

When validating request or response signature in process_slo() we
currently rebuild query string from 'get_data' elements. This requires
URL encoding components of the string. Unfortunately, some IdPs (Azure
AD, ADFS) use lower-case encoding. To handle this, one needs to pass
lowercase_urlencoding=True. This complicates code that needs to support
different IdPs.

Instead, if 'query_string' is passed, take parts from it directly. This
avoids the need to URL encode them. This is similar to the
`retrieveParametersFromServer` argument in the PHP version.

This feature is disabled by default. Pass validate_signature_from_qs=True
to enable it.
---
 README.md                  | 11 ++++++-----
 src/onelogin/saml2/auth.py | 36 ++++++++++++++++++++++++++----------
 2 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index dc854bbb..bb67791d 100644
--- a/README.md
+++ b/README.md
@@ -562,9 +562,10 @@ req = {
 
     # Advanced request options
     "https": "",
-    "lowercase_urlencoding": "",
     "request_uri": "",
-    "query_string": ""
+    "query_string": "",
+    "validate_signature_from_qs": False,
+    "lowercase_urlencoding": False
 }
 ```
 
@@ -596,12 +597,12 @@ An explanation of some advanced request parameters:
 
 * `https` - Defaults to ``off``. Set this to ``on`` if you receive responses over HTTPS.
 
-* `lowercase_urlencoding` - Defaults to `false`. ADFS users should set this to `true`.
-
-* `request_uri` - The path where your SAML server recieves requests. Set this if requests are not recieved at the server's root.
+* `request_uri` - The path where your SAML server receives requests. Set this if requests are not received at the server's root.
 
 * `query_string` - Set this with additional query parameters that should be passed to the request endpoint.
 
+* `validate_signature_from_qs` - If `True`, use `query_string` to validate request and response signatures. Otherwise, use `get_data`. Defaults to `False`. Note that when using `get_data`, query parameters need to be url-encoded for validation. By default we use upper-case url-encoding. Some IdPs, notably Microsoft AD, use lower-case url-encoding, which makes signature validation to fail. To fix this issue, either pass `query_string` and set `validate_signature_from_qs` to `True`, which works for all IdPs, or set `lowercase_urlencoding` to `True`, which only works for AD.
+
 
 #### Initiate SSO ####
 
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 33de8724..cfaee5fd 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -528,6 +528,22 @@ def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Co
         """
         return self.__build_signature(response_data, 'SAMLResponse', sign_algorithm)
 
+    @staticmethod
+    def __build_sign_query_from_qs(query_string, saml_type):
+        """
+        Build sign query from query string
+
+        :param query_string: The query string
+        :type query_string: str
+
+        :param saml_type: The target URL the user should be redirected to
+        :type saml_type: string SAMLRequest | SAMLResponse
+        """
+        args = ('%s=' % saml_type, 'RelayState=', 'SigAlg=')
+        parts = query_string.split('&')
+        # Join in the order of arguments rather than the original order of parts.
+        return '&'.join(part for arg in args for part in parts if part.startswith(arg))
+
     @staticmethod
     def __build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_urlencoding=False):
         """
@@ -660,16 +676,16 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
             if isinstance(sign_alg, bytes):
                 sign_alg = sign_alg.decode('utf8')
 
-            lowercase_urlencoding = False
-            if 'lowercase_urlencoding' in self.__request_data.keys():
-                lowercase_urlencoding = self.__request_data['lowercase_urlencoding']
-
-            signed_query = self.__build_sign_query(data[saml_type],
-                                                   data.get('RelayState', None),
-                                                   sign_alg,
-                                                   saml_type,
-                                                   lowercase_urlencoding
-                                                   )
+            query_string = self.__request_data.get('query_string')
+            if query_string and self.__request_data.get('validate_signature_from_qs'):
+                signed_query = self.__build_sign_query_from_qs(query_string, saml_type)
+            else:
+                lowercase_urlencoding = self.__request_data.get('lowercase_urlencoding', False)
+                signed_query = self.__build_sign_query(data[saml_type],
+                                                       data.get('RelayState'),
+                                                       sign_alg,
+                                                       saml_type,
+                                                       lowercase_urlencoding)
 
             if exists_multix509sign:
                 for cert in idp_data['x509certMulti']['signing']:

From 11cc4f57870a3ffe8109956285834fe47222305b Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Mon, 10 May 2021 23:56:49 -0400
Subject: [PATCH 210/331] Removed comma

---
 src/onelogin/saml2/idp_metadata_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 5da7989a..279d80c5 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -62,7 +62,7 @@ def get_metadata(cls, url, validate_cert=True, timeout=None):
                 pass
 
         if not valid:
-            raise Exception('Not valid IdP XML found from URL: %s' % (url,))
+            raise Exception('Not valid IdP XML found from URL: %s' % (url))
 
         return xml
 

From b04065170aac60d81920196c85dee843ad779d64 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 14 May 2021 04:32:59 +0200
Subject: [PATCH 211/331] Create Makefile. Create python-package.yml

---
 .github/workflows/python-package.yml | 35 ++++++++++++++++++++++++++++
 .gitignore                           |  2 ++
 Makefile                             | 35 ++++++++++++++++++++++++++++
 setup.py                             |  3 ++-
 4 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/python-package.yml
 create mode 100644 Makefile

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
new file mode 100644
index 00000000..ac505be2
--- /dev/null
+++ b/.github/workflows/python-package.yml
@@ -0,0 +1,35 @@
+# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Python package
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: [2.7,3.5,3.6,3.7, 3.8,3.9]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
+        make install-req
+        make install-test
+
+    - name: Test
+      run: |
+        make pytest
+        make pycodestyle
+        make flake8
+
diff --git a/.gitignore b/.gitignore
index c16b943e..d449f63f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ __pycache_
 /*.eg
 *.egg-info
 /eggs
+/.eggs
 /build
 /dist
 /venv
@@ -21,6 +22,7 @@ __pycache_
 .pypirc
 /.idea
 .mypy_cache/
+.pytest_cache
 
 *.key
 *.crt
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..7f3faddb
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,35 @@
+PIP=pip
+FLAKE8=flake8
+PYTEST=pytest
+PYCODESTYLE=pycodestyle
+COVERAGE=coverage
+COVERAGE_CONFIG=tests/coverage.rc
+PEP8_CONFIG=tests/pep8.rc
+MAIN_SOURCE=src/onelogin/saml2
+DEMOS=demo-django demo-flask
+TESTS=tests/src/OneLogin/saml2_tests
+SOURCES=$(MAIN_SOURCE) $(DEMO) $(TESTS)
+
+install-req:
+	$(PIP) install --upgrade 'setuptools<45.0.0'
+	$(PIP) install .
+
+install-test:
+	$(PIP) install -e ".[test]" 
+
+pytest:
+	$(COVERAGE) run --source $(MAIN_SOURCE) --rcfile=$(COVERAGE_CONFIG) -m pytest
+	$(COVERAGE) report -m --rcfile=$(COVERAGE_CONFIG)
+
+pycodestyle:
+	$(PYCODESTYLE) --ignore=E501,E731,W504 $(SOURCES) --config=$(PEP8_CONFIG)
+
+flake8:
+	$(FLAKE8) --ignore=E501,E731,W504 $(SOURCES)
+
+clean: 
+	rm -rf .pytest_cache/
+	rm -rf .eggs/
+	find . -type d -name "__pycache__" -exec rm -r {} +
+	find . -type d -name "*.egg-info" -exec rm -r {} +
+	rm .coverage
diff --git a/setup.py b/setup.py
index a999c1fa..cff7b7c7 100644
--- a/setup.py
+++ b/setup.py
@@ -49,7 +49,8 @@
             'freezegun>=0.3.11, <=1.1.0',
             'pylint==1.9.4',
             'flake8>=3.6.0',
-            'coveralls==1.5.1',
+            'coveralls>=1.11.1',
+            'pytest>=4.6',
         ),
     },
     keywords='saml saml2 xmlsec django flask pyramid python3',

From 277b642da278e484b0b983eea38ee1051feff13e Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 26 May 2021 16:31:33 +0200
Subject: [PATCH 212/331] Add warning about the use of
 OneLogin_Saml2_IdPMetadataParser class

---
 README.md                                 | 7 +++++++
 src/onelogin/saml2/idp_metadata_parser.py | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 56f279a5..752fcd43 100644
--- a/README.md
+++ b/README.md
@@ -522,6 +522,13 @@ There's an easier method -- use a metadata exchange.  Metadata is just an XML fi
 
 Using ````parse_remote```` IdP metadata can be obtained and added to the settings without further ado.
 
+Take in mind that the OneLogin_Saml2_IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed. 
+
+Usually the same administrator that handles the Service Provider also sets the URL to the IdP, which should be a trusted resource.
+
+But there are other scenarios, like a SAAS app where the administrator of the app delegates this functionality to other users. In this case, extra precaution should be taken in order to validate such URL inputs and avoid attacks like SSRF.
+
+
 ``
 idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata')
 ``
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 279d80c5..e341aebc 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -23,6 +23,9 @@
 class OneLogin_Saml2_IdPMetadataParser(object):
     """
     A class that contain methods related to obtaining and parsing metadata from IdP
+    
+    This class does not validate in any way the URL that is introduced,
+    make sure to validate it properly before use it in a get_metadata method.
     """
 
     @classmethod

From 5cef5089bac191a2412e66e3ac8e9cd51c63c97a Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Fri, 4 Jun 2021 11:13:32 -0400
Subject: [PATCH 213/331] Fixed friendlyname

---
 src/onelogin/saml2/response.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 04264919..df0f85bb 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -613,12 +613,6 @@ def get_friendlyname_attributes(self):
         for attribute_node in attribute_nodes:
             attr_friendlyname = attribute_node.get('FriendlyName')
             if attr_friendlyname:
-                if attr_friendlyname in attributes.keys():
-                    raise OneLogin_Saml2_ValidationError(
-                        'Found an Attribute element with duplicated FriendlyName',
-                        OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND
-                    )
-
                 values = []
                 for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']):
                     attr_text = OneLogin_Saml2_XML.element_text(attr)
@@ -636,7 +630,10 @@ def get_friendlyname_attributes(self):
                                 'value': nameid.text
                             }
                         })
-                attributes[attr_friendlyname] = values
+                if attr_friendlyname in attributes:
+                    attributes[attr_friendlyname].extend(values)
+                else:
+                    attributes[attr_friendlyname] = values
         return attributes
 
     def validate_num_assertions(self):

From f88368aa11d8f9fa31b768557e3156e2679dc302 Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Fri, 4 Jun 2021 11:46:43 -0400
Subject: [PATCH 214/331] Added duplicate friendlyname attribute test

---
 .../response1_with_duplicate_friendlynames.xml.base64  |  1 +
 tests/src/OneLogin/saml2_tests/response_test.py        | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 tests/data/responses/response1_with_duplicate_friendlynames.xml.base64

diff --git a/tests/data/responses/response1_with_duplicate_friendlynames.xml.base64 b/tests/data/responses/response1_with_duplicate_friendlynames.xml.base64
new file mode 100644
index 00000000..18871d35
--- /dev/null
+++ b/tests/data/responses/response1_with_duplicate_friendlynames.xml.base64
@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSJwZng4ZmZiMzk4My1jYmY2LTkyYTEtZjJjNC02MTlhZTFiZTFjODYiIElzc3VlSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbC9tZXRhZGF0YS8xMzU5MDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZng4ZmZiMzk4My1jYmY2LTkyYTEtZjJjNC02MTlhZTFiZTFjODYiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmhndVFiQ0hhbmliYkRDN3EzWnp4ekhjUG9uST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+R2FuY0Q5dlJvaDlNYlQwMDJEeTc5dDFtNkk2WWZoVUtQZmJsa21wMnVkb2xYdWp2NmUxTVd2c1ZteE56dHNJR2x4QWEwcUtEaVNNekNORFpzazNqc3lzVWwxbkFLbkFnMTg1amZYanN6aHNkbVIrTTkxZHhrNmtmY0xVb3NPb2xvdmFkV0xQV3FuN1AzajgvNXh6cDlMcFJBM2d2QjQxODJSU2lyV0NCWFBRPTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2dUQ0NBZW9DQ1FDYk9scldEZFg3RlRBTkJna3Foa2lHOXcwQkFRVUZBRENCaERFTE1Ba0dBMVVFQmhNQ1RrOHhHREFXQmdOVkJBZ1REMEZ1WkhKbFlYTWdVMjlzWW1WeVp6RU1NQW9HQTFVRUJ4TURSbTl2TVJBd0RnWURWUVFLRXdkVlRrbE9SVlJVTVJnd0ZnWURWUVFERXc5bVpXbGtaUzVsY214aGJtY3VibTh4SVRBZkJna3Foa2lHOXcwQkNRRVdFbUZ1WkhKbFlYTkFkVzVwYm1WMGRDNXViekFlRncwd056QTJNVFV4TWpBeE16VmFGdzB3TnpBNE1UUXhNakF4TXpWYU1JR0VNUXN3Q1FZRFZRUUdFd0pPVHpFWU1CWUdBMVVFQ0JNUFFXNWtjbVZoY3lCVGIyeGlaWEpuTVF3d0NnWURWUVFIRXdOR2IyOHhFREFPQmdOVkJBb1RCMVZPU1U1RlZGUXhHREFXQmdOVkJBTVREMlpsYVdSbExtVnliR0Z1Wnk1dWJ6RWhNQjhHQ1NxR1NJYjNEUUVKQVJZU1lXNWtjbVZoYzBCMWJtbHVaWFIwTG01dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRGl2YmhSN1A1MTZ4L1MzQnFLeHVwUWUwTE9Ob2xpdXBpQk9lc0NPM1NIYkRybDMrcTlJYmZuZm1FMDRyTnVNY1BzSXhCMTYxVGREcEllc0xDbjdjOGFQSElTS090UGxBZVRaU25iOFFBdTdhUmpacTMrUGJyUDV1VzNUY2ZDR1B0S1R5dEhPZ2UvT2xKYm8wNzhkVmhYUTE0ZDFFRHdYSlcxclJYdVV0NEM4UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDRFZmcDg2SE9icVkrZThCVW9XUTkrVk1ReDFBU0RvaEJqd09zZzJXeWtVcVJYRitkTGZjVUg5ZFdSNjNDdFpJS0ZEYlN0Tm9tUG5RejduYksrb255Z3dCc3BWRWJuSHVVaWhacTNaVWRtdW1RcUN3NFV2cy8xVXZxM29yT28vV0pWaFR5dkxnRlZLMlFhclE0LzY3T1pmSGQ3UitQT0JYaG9waFNNdjFaT288L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c3VwcG9ydEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMThUMjI6MDI6MzdaIiBSZWNpcGllbnQ9IntyZWNpcGllbnR9Ii8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMTEtMThUMjE6NTI6MzdaIiBOb3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMThUMjI6MDI6MzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnthdWRpZW5jZX08L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOVQyMTo1NzozN1oiIFNlc3Npb25JbmRleD0iXzUzMWMzMmQyODNiZGZmN2UwNGU0ODdiY2RiYzRkZDhkIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIEZyaWVuZGx5TmFtZT0idXNlcm5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJmcmllbmRseTEiIEZyaWVuZGx5TmFtZT0iZnJpZW5kbHl0ZXN0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmZyaWVuZGx5MTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJmcmllbmRseTIiIEZyaWVuZGx5TmFtZT0iZnJpZW5kbHl0ZXN0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmZyaWVuZGx5Mjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhbm90aGVyX3ZhbHVlIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnZhbHVlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 5110f6e7..711cc5d6 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -701,6 +701,7 @@ def testGetFriendlyAttributes(self):
         Tests the get_friendlyname_attributes method of the OneLogin_Saml2_Response
         """
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         self.assertEqual({}, response.get_friendlyname_attributes())
@@ -720,6 +721,15 @@ def testGetFriendlyAttributes(self):
         response_4 = OneLogin_Saml2_Response(settings, xml_4)
         self.assertEqual({}, response_4.get_friendlyname_attributes())
 
+        expected_attributes = {
+            'username': ['demo'],
+            'friendlytest': ['friendly1', 'friendly2']
+        }
+        xml_5 = self.file_contents(join(self.data_path, 'responses',
+                                        'response1_with_duplicate_friendlynames.xml.base64'))
+        response_5 = OneLogin_Saml2_Response(settings, xml_5)
+        self.assertEqual(expected_attributes, response_5.get_friendlyname_attributes())
+
     def testGetNestedNameIDAttributes(self):
         """
         Tests the getAttributes method of the OneLogin_Saml2_Response with nested

From da3d8967cceb30e9701881e6b8d2ef51cea3423c Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Fri, 4 Jun 2021 11:52:19 -0400
Subject: [PATCH 215/331] Fixed PEP8 error

---
 src/onelogin/saml2/idp_metadata_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index e341aebc..1b94e1a8 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -23,7 +23,7 @@
 class OneLogin_Saml2_IdPMetadataParser(object):
     """
     A class that contain methods related to obtaining and parsing metadata from IdP
-    
+
     This class does not validate in any way the URL that is introduced,
     make sure to validate it properly before use it in a get_metadata method.
     """

From 06b443b01e89086fdcf7dc3cab42e41ee25b7b0a Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Mon, 7 Jun 2021 13:42:04 -0400
Subject: [PATCH 216/331] Added setting to settings file, updated tests

---
 src/onelogin/saml2/response.py                | 50 ++++++-------------
 src/onelogin/saml2/settings.py                |  3 ++
 ...nse1_with_duplicate_attributes.xml.base64} |  2 +-
 tests/settings/settings11.json                | 48 ++++++++++++++++++
 .../src/OneLogin/saml2_tests/response_test.py | 35 +++++++++++--
 5 files changed, 99 insertions(+), 39 deletions(-)
 rename tests/data/responses/{response1_with_duplicate_friendlynames.xml.base64 => response1_with_duplicate_attributes.xml.base64} (89%)
 create mode 100644 tests/settings/settings11.json

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index df0f85bb..c5ca4b86 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -573,46 +573,28 @@ def get_attributes(self):
         Gets the Attributes from the AttributeStatement element.
         EncryptedAttributes are not supported
         """
-        attributes = {}
-        attribute_nodes = self.__query_assertion('/saml:AttributeStatement/saml:Attribute')
-        for attribute_node in attribute_nodes:
-            attr_name = attribute_node.get('Name')
-            if attr_name in attributes.keys():
-                raise OneLogin_Saml2_ValidationError(
-                    'Found an Attribute element with duplicated Name',
-                    OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND
-                )
-
-            values = []
-            for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']):
-                attr_text = OneLogin_Saml2_XML.element_text(attr)
-                if attr_text:
-                    attr_text = attr_text.strip()
-                    if attr_text:
-                        values.append(attr_text)
-
-                # Parse any nested NameID children
-                for nameid in attr.iterchildren('{%s}NameID' % OneLogin_Saml2_Constants.NSMAP['saml']):
-                    values.append({
-                        'NameID': {
-                            'Format': nameid.get('Format'),
-                            'NameQualifier': nameid.get('NameQualifier'),
-                            'value': nameid.text
-                        }
-                    })
-            attributes[attr_name] = values
-        return attributes
+        return self._get_attributes('Name')
 
     def get_friendlyname_attributes(self):
         """
         Gets the Attributes from the AttributeStatement element indexed by FiendlyName.
         EncryptedAttributes are not supported
         """
+        return self._get_attributes('FriendlyName')
+
+    def _get_attributes(self, attr_name):
+        allow_duplicates = self.__settings.get_security_data().get('allowRepeatAttributeName', False)
         attributes = {}
         attribute_nodes = self.__query_assertion('/saml:AttributeStatement/saml:Attribute')
         for attribute_node in attribute_nodes:
-            attr_friendlyname = attribute_node.get('FriendlyName')
-            if attr_friendlyname:
+            attr_key = attribute_node.get(attr_name)
+            if attr_key:
+                if not allow_duplicates and attr_key in attributes:
+                    raise OneLogin_Saml2_ValidationError(
+                        f'Found an Attribute element with duplicated {attr_name}',
+                        OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND
+                    )
+
                 values = []
                 for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']):
                     attr_text = OneLogin_Saml2_XML.element_text(attr)
@@ -630,10 +612,10 @@ def get_friendlyname_attributes(self):
                                 'value': nameid.text
                             }
                         })
-                if attr_friendlyname in attributes:
-                    attributes[attr_friendlyname].extend(values)
+                if attr_key in attributes:
+                    attributes[attr_key].extend(values)
                 else:
-                    attributes[attr_friendlyname] = values
+                    attributes[attr_key] = values
         return attributes
 
     def validate_num_assertions(self):
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index ab3dbe37..38e79041 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -315,6 +315,9 @@ def __add_default_values(self):
         # AttributeStatement required by default
         self.__security.setdefault('wantAttributeStatement', True)
 
+        # Disallow duplicate attribute names by default
+        self.__security.setdefault('allowRepeatAttributeName', False)
+
         self.__idp.setdefault('x509cert', '')
         self.__idp.setdefault('certFingerprint', '')
         self.__idp.setdefault('certFingerprintAlgorithm', 'sha1')
diff --git a/tests/data/responses/response1_with_duplicate_friendlynames.xml.base64 b/tests/data/responses/response1_with_duplicate_attributes.xml.base64
similarity index 89%
rename from tests/data/responses/response1_with_duplicate_friendlynames.xml.base64
rename to tests/data/responses/response1_with_duplicate_attributes.xml.base64
index 18871d35..de113c3c 100644
--- a/tests/data/responses/response1_with_duplicate_friendlynames.xml.base64
+++ b/tests/data/responses/response1_with_duplicate_attributes.xml.base64
@@ -1 +1 @@
-PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSJwZng4ZmZiMzk4My1jYmY2LTkyYTEtZjJjNC02MTlhZTFiZTFjODYiIElzc3VlSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbC9tZXRhZGF0YS8xMzU5MDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZng4ZmZiMzk4My1jYmY2LTkyYTEtZjJjNC02MTlhZTFiZTFjODYiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmhndVFiQ0hhbmliYkRDN3EzWnp4ekhjUG9uST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+R2FuY0Q5dlJvaDlNYlQwMDJEeTc5dDFtNkk2WWZoVUtQZmJsa21wMnVkb2xYdWp2NmUxTVd2c1ZteE56dHNJR2x4QWEwcUtEaVNNekNORFpzazNqc3lzVWwxbkFLbkFnMTg1amZYanN6aHNkbVIrTTkxZHhrNmtmY0xVb3NPb2xvdmFkV0xQV3FuN1AzajgvNXh6cDlMcFJBM2d2QjQxODJSU2lyV0NCWFBRPTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2dUQ0NBZW9DQ1FDYk9scldEZFg3RlRBTkJna3Foa2lHOXcwQkFRVUZBRENCaERFTE1Ba0dBMVVFQmhNQ1RrOHhHREFXQmdOVkJBZ1REMEZ1WkhKbFlYTWdVMjlzWW1WeVp6RU1NQW9HQTFVRUJ4TURSbTl2TVJBd0RnWURWUVFLRXdkVlRrbE9SVlJVTVJnd0ZnWURWUVFERXc5bVpXbGtaUzVsY214aGJtY3VibTh4SVRBZkJna3Foa2lHOXcwQkNRRVdFbUZ1WkhKbFlYTkFkVzVwYm1WMGRDNXViekFlRncwd056QTJNVFV4TWpBeE16VmFGdzB3TnpBNE1UUXhNakF4TXpWYU1JR0VNUXN3Q1FZRFZRUUdFd0pPVHpFWU1CWUdBMVVFQ0JNUFFXNWtjbVZoY3lCVGIyeGlaWEpuTVF3d0NnWURWUVFIRXdOR2IyOHhFREFPQmdOVkJBb1RCMVZPU1U1RlZGUXhHREFXQmdOVkJBTVREMlpsYVdSbExtVnliR0Z1Wnk1dWJ6RWhNQjhHQ1NxR1NJYjNEUUVKQVJZU1lXNWtjbVZoYzBCMWJtbHVaWFIwTG01dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRGl2YmhSN1A1MTZ4L1MzQnFLeHVwUWUwTE9Ob2xpdXBpQk9lc0NPM1NIYkRybDMrcTlJYmZuZm1FMDRyTnVNY1BzSXhCMTYxVGREcEllc0xDbjdjOGFQSElTS090UGxBZVRaU25iOFFBdTdhUmpacTMrUGJyUDV1VzNUY2ZDR1B0S1R5dEhPZ2UvT2xKYm8wNzhkVmhYUTE0ZDFFRHdYSlcxclJYdVV0NEM4UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDRFZmcDg2SE9icVkrZThCVW9XUTkrVk1ReDFBU0RvaEJqd09zZzJXeWtVcVJYRitkTGZjVUg5ZFdSNjNDdFpJS0ZEYlN0Tm9tUG5RejduYksrb255Z3dCc3BWRWJuSHVVaWhacTNaVWRtdW1RcUN3NFV2cy8xVXZxM29yT28vV0pWaFR5dkxnRlZLMlFhclE0LzY3T1pmSGQ3UitQT0JYaG9waFNNdjFaT288L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c3VwcG9ydEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMThUMjI6MDI6MzdaIiBSZWNpcGllbnQ9IntyZWNpcGllbnR9Ii8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMTEtMThUMjE6NTI6MzdaIiBOb3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMThUMjI6MDI6MzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnthdWRpZW5jZX08L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOVQyMTo1NzozN1oiIFNlc3Npb25JbmRleD0iXzUzMWMzMmQyODNiZGZmN2UwNGU0ODdiY2RiYzRkZDhkIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIEZyaWVuZGx5TmFtZT0idXNlcm5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJmcmllbmRseTEiIEZyaWVuZGx5TmFtZT0iZnJpZW5kbHl0ZXN0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmZyaWVuZGx5MTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJmcmllbmRseTIiIEZyaWVuZGx5TmFtZT0iZnJpZW5kbHl0ZXN0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmZyaWVuZGx5Mjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhbm90aGVyX3ZhbHVlIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnZhbHVlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBWZXJzaW9uPSIyLjAiIElEPSJwZng4ZmZiMzk4My1jYmY2LTkyYTEtZjJjNC02MTlhZTFiZTFjODYiIElzc3VlSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbC9tZXRhZGF0YS8xMzU5MDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PGRzOlJlZmVyZW5jZSBVUkk9IiNwZng4ZmZiMzk4My1jYmY2LTkyYTEtZjJjNC02MTlhZTFiZTFjODYiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPmhndVFiQ0hhbmliYkRDN3EzWnp4ekhjUG9uST08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+R2FuY0Q5dlJvaDlNYlQwMDJEeTc5dDFtNkk2WWZoVUtQZmJsa21wMnVkb2xYdWp2NmUxTVd2c1ZteE56dHNJR2x4QWEwcUtEaVNNekNORFpzazNqc3lzVWwxbkFLbkFnMTg1amZYanN6aHNkbVIrTTkxZHhrNmtmY0xVb3NPb2xvdmFkV0xQV3FuN1AzajgvNXh6cDlMcFJBM2d2QjQxODJSU2lyV0NCWFBRPTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ2dUQ0NBZW9DQ1FDYk9scldEZFg3RlRBTkJna3Foa2lHOXcwQkFRVUZBRENCaERFTE1Ba0dBMVVFQmhNQ1RrOHhHREFXQmdOVkJBZ1REMEZ1WkhKbFlYTWdVMjlzWW1WeVp6RU1NQW9HQTFVRUJ4TURSbTl2TVJBd0RnWURWUVFLRXdkVlRrbE9SVlJVTVJnd0ZnWURWUVFERXc5bVpXbGtaUzVsY214aGJtY3VibTh4SVRBZkJna3Foa2lHOXcwQkNRRVdFbUZ1WkhKbFlYTkFkVzVwYm1WMGRDNXViekFlRncwd056QTJNVFV4TWpBeE16VmFGdzB3TnpBNE1UUXhNakF4TXpWYU1JR0VNUXN3Q1FZRFZRUUdFd0pPVHpFWU1CWUdBMVVFQ0JNUFFXNWtjbVZoY3lCVGIyeGlaWEpuTVF3d0NnWURWUVFIRXdOR2IyOHhFREFPQmdOVkJBb1RCMVZPU1U1RlZGUXhHREFXQmdOVkJBTVREMlpsYVdSbExtVnliR0Z1Wnk1dWJ6RWhNQjhHQ1NxR1NJYjNEUUVKQVJZU1lXNWtjbVZoYzBCMWJtbHVaWFIwTG01dk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRGl2YmhSN1A1MTZ4L1MzQnFLeHVwUWUwTE9Ob2xpdXBpQk9lc0NPM1NIYkRybDMrcTlJYmZuZm1FMDRyTnVNY1BzSXhCMTYxVGREcEllc0xDbjdjOGFQSElTS090UGxBZVRaU25iOFFBdTdhUmpacTMrUGJyUDV1VzNUY2ZDR1B0S1R5dEhPZ2UvT2xKYm8wNzhkVmhYUTE0ZDFFRHdYSlcxclJYdVV0NEM4UUlEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFDRFZmcDg2SE9icVkrZThCVW9XUTkrVk1ReDFBU0RvaEJqd09zZzJXeWtVcVJYRitkTGZjVUg5ZFdSNjNDdFpJS0ZEYlN0Tm9tUG5RejduYksrb255Z3dCc3BWRWJuSHVVaWhacTNaVWRtdW1RcUN3NFV2cy8xVXZxM29yT28vV0pWaFR5dkxnRlZLMlFhclE0LzY3T1pmSGQ3UitQT0JYaG9waFNNdjFaT288L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c3VwcG9ydEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMThUMjI6MDI6MzdaIiBSZWNpcGllbnQ9IntyZWNpcGllbnR9Ii8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMTEtMThUMjE6NTI6MzdaIiBOb3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMThUMjI6MDI6MzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnthdWRpZW5jZX08L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOVQyMTo1NzozN1oiIFNlc3Npb25JbmRleD0iXzUzMWMzMmQyODNiZGZmN2UwNGU0ODdiY2RiYzRkZDhkIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiIEZyaWVuZGx5TmFtZT0idXNlcm5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJmcmllbmRseTEiIEZyaWVuZGx5TmFtZT0iZnJpZW5kbHl0ZXN0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmZyaWVuZGx5MTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJmcmllbmRseTIiIEZyaWVuZGx5TmFtZT0iZnJpZW5kbHl0ZXN0Ij48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPmZyaWVuZGx5Mjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhbm90aGVyX3ZhbHVlIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnZhbHVlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImR1cGxpY2F0ZV9uYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm5hbWUxPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImR1cGxpY2F0ZV9uYW1lIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPm5hbWUyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/settings/settings11.json b/tests/settings/settings11.json
new file mode 100644
index 00000000..a039b32d
--- /dev/null
+++ b/tests/settings/settings11.json
@@ -0,0 +1,48 @@
+{
+    "strict": false,
+    "debug": false,
+    "custom_base_path": "../../../tests/data/customPath/",
+    "sp": {
+        "entityId": "http://stuff.com/endpoints/metadata.php",
+        "assertionConsumerService": {
+            "url": "http://stuff.com/endpoints/endpoints/acs.php"
+        },
+        "singleLogoutService": {
+            "url": "http://stuff.com/endpoints/endpoints/sls.php"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    },
+    "idp": {
+        "entityId": "http://idp.example.com/",
+        "singleSignOnService": {
+            "url": "http://idp.example.com/SSOService.php"
+        },
+        "singleLogoutService": {
+            "url": "http://idp.example.com/SingleLogoutService.php"
+        },
+        "x509cert": "MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo"
+    },
+    "security": {
+        "authnRequestsSigned": false,
+        "wantAssertionsSigned": false,
+        "signMetadata": false,
+        "allowRepeatAttributeName": true
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 711cc5d6..c8fee9d5 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -14,6 +14,7 @@
 from xml.dom.minidom import parseString
 
 from onelogin.saml2 import compat
+from onelogin.saml2.errors import OneLogin_Saml2_ValidationError
 from onelogin.saml2.response import OneLogin_Saml2_Response
 from onelogin.saml2.settings import OneLogin_Saml2_Settings
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
@@ -696,6 +697,24 @@ def testGetAttributes(self):
         response_3 = OneLogin_Saml2_Response(settings, xml_3)
         self.assertEqual({}, response_3.get_attributes())
 
+        # Test retrieving duplicate attributes
+        xml_4 = self.file_contents(join(self.data_path, 'responses',
+                                        'response1_with_duplicate_attributes.xml.base64'))
+        response_4 = OneLogin_Saml2_Response(settings, xml_4)
+        with self.assertRaises(OneLogin_Saml2_ValidationError) as duplicate_name_exc:
+            response_4.get_attributes()
+        self.assertIn('Found an Attribute element with duplicated Name', str(duplicate_name_exc.exception))
+
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings11.json'))
+        expected_attributes = {'another_value': ['value'],
+                               'duplicate_name': ['name1', 'name2'],
+                               'friendly1': ['friendly1'],
+                               'friendly2': ['friendly2'],
+                               'uid': ['demo']}
+
+        response_5 = OneLogin_Saml2_Response(settings, xml_4)
+        self.assertEqual(expected_attributes, response_5.get_attributes())
+
     def testGetFriendlyAttributes(self):
         """
         Tests the get_friendlyname_attributes method of the OneLogin_Saml2_Response
@@ -721,14 +740,22 @@ def testGetFriendlyAttributes(self):
         response_4 = OneLogin_Saml2_Response(settings, xml_4)
         self.assertEqual({}, response_4.get_friendlyname_attributes())
 
+        # Test retrieving duplicate attributes
+        xml_5 = self.file_contents(join(self.data_path, 'responses',
+                                        'response1_with_duplicate_attributes.xml.base64'))
+        response_5 = OneLogin_Saml2_Response(settings, xml_5)
+        with self.assertRaises(OneLogin_Saml2_ValidationError) as duplicate_name_exc:
+            response_5.get_friendlyname_attributes()
+        self.assertIn('Found an Attribute element with duplicated FriendlyName', str(duplicate_name_exc.exception))
+
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON('settings11.json'))
         expected_attributes = {
             'username': ['demo'],
             'friendlytest': ['friendly1', 'friendly2']
         }
-        xml_5 = self.file_contents(join(self.data_path, 'responses',
-                                        'response1_with_duplicate_friendlynames.xml.base64'))
-        response_5 = OneLogin_Saml2_Response(settings, xml_5)
-        self.assertEqual(expected_attributes, response_5.get_friendlyname_attributes())
+
+        response_6 = OneLogin_Saml2_Response(settings, xml_5)
+        self.assertEqual(expected_attributes, response_6.get_friendlyname_attributes())
 
     def testGetNestedNameIDAttributes(self):
         """

From 50cbbf77448c20a482b60e342796fc18845a908c Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Mon, 7 Jun 2021 13:44:59 -0400
Subject: [PATCH 217/331] Changed to support Python2 Syntax

---
 src/onelogin/saml2/response.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index c5ca4b86..d69242d3 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -591,7 +591,7 @@ def _get_attributes(self, attr_name):
             if attr_key:
                 if not allow_duplicates and attr_key in attributes:
                     raise OneLogin_Saml2_ValidationError(
-                        f'Found an Attribute element with duplicated {attr_name}',
+                        'Found an Attribute element with duplicated ' + attr_name,
                         OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND
                     )
 

From b794a89916e8e0aaed3d1b9c6b149964a2e98320 Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Mon, 7 Jun 2021 17:27:41 -0400
Subject: [PATCH 218/331] Added to readme

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 752fcd43..6a237212 100644
--- a/README.md
+++ b/README.md
@@ -451,7 +451,11 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         //    'http://www.w3.org/2001/04/xmlenc#sha256'
         //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
         //    'http://www.w3.org/2001/04/xmlenc#sha512'
-        'digestAlgorithm': "http://www.w3.org/2001/04/xmlenc#sha256"
+        'digestAlgorithm': "http://www.w3.org/2001/04/xmlenc#sha256",
+            
+        // Specify if you want the SP to view assertions with duplicated Name or FriendlyName attributes to be valid
+        // Defaults to false if not specified
+        'allowRepeatAttributeName': false
     },
 
     // Contact information template, it is recommended to suply a

From a6878640b408e892f53364a41494d5e494c8cb14 Mon Sep 17 00:00:00 2001
From: "Mahoney, John" 
Date: Tue, 15 Jun 2021 22:04:39 -0400
Subject: [PATCH 219/331] Added test for nested nameid attributes in
 FriendlyName attribute retrieval

---
 ...ponse_with_nested_nameid_values.xml.base64 | 72 +------------------
 .../src/OneLogin/saml2_tests/response_test.py | 11 +++
 2 files changed, 12 insertions(+), 71 deletions(-)

diff --git a/tests/data/responses/response_with_nested_nameid_values.xml.base64 b/tests/data/responses/response_with_nested_nameid_values.xml.base64
index 3092c3cf..3b99e137 100644
--- a/tests/data/responses/response_with_nested_nameid_values.xml.base64
+++ b/tests/data/responses/response_with_nested_nameid_values.xml.base64
@@ -1,71 +1 @@
-PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDph
-c3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9j
-b2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50
-PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4KICA8c2Ft
-bHA6U3RhdHVzPgogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0
-YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPgogIDxzYW1sOkFzc2Vy
-dGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhz
-aT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIu
-MCIgSUQ9InBmeGE0NjU3NGRmLWIzYjAtYTA2YS0yM2M4LTYzNjQxMzE5ODc3MiIgSXNzdWVJbnN0
-YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+CiAgICA8c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAu
-b25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvMTM1OTA8L3NhbWw6SXNzdWVyPgogICAgPGRzOlNp
-Z25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAg
-ICAgIDxkczpTaWduZWRJbmZvPgogICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFs
-Z29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAg
-ICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv
-MDkveG1sZHNpZyNyc2Etc2hhMSIvPgogICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4YTQ2
-NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIj4KICAgICAgICAgIDxkczpUcmFuc2Zv
-cm1zPgogICAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
-cmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KICAgICAgICAgICAgPGRz
-OlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1j
-MTRuIyIvPgogICAgICAgICAgPC9kczpUcmFuc2Zvcm1zPgogICAgICAgICAgPGRzOkRpZ2VzdE1l
-dGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+
-CiAgICAgICAgICA8ZHM6RGlnZXN0VmFsdWU+cEpRN01TL2VrNEtSUldHbXYvSDQzUmVIWU1zPTwv
-ZHM6RGlnZXN0VmFsdWU+CiAgICAgICAgPC9kczpSZWZlcmVuY2U+CiAgICAgIDwvZHM6U2lnbmVk
-SW5mbz4KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPnlpdmVLY1BkRHB1RE5qNnNoclEzQUJ3ci9j
-QTNDcnlEMnBoRy94TFpzektXeFU1L21sYUt0OGV3YlpPZEtLdnRPczJwSEJ5NUR1YTNrOTRBRit6
-eEd5ZWw1Z09vd21veVhKcitBT3Ira1BPMHZsaTFWOG8zaFBQVVp3UmdTWDZROXBTMUNxUWdoS2lF
-YXNSeXlscXFKVWFQWXptT3pPRTgvWGxNa3dpV21PMD08L2RzOlNpZ25hdHVyZVZhbHVlPgogICAg
-ICA8ZHM6S2V5SW5mbz4KICAgICAgICA8ZHM6WDUwOURhdGE+CiAgICAgICAgICA8ZHM6WDUwOUNl
-cnRpZmljYXRlPk1JSUJyVENDQWFHZ0F3SUJBZ0lCQVRBREJnRUFNR2N4Q3pBSkJnTlZCQVlUQWxW
-VE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUhEQXhUWVc1MFlTQk5iMjVw
-WTJFeEVUQVBCZ05WQkFvTUNFOXVaVXh2WjJsdU1Sa3dGd1lEVlFRRERCQmhjSEF1YjI1bGJHOW5h
-VzR1WTI5dE1CNFhEVEV3TURNd09UQTVOVGcwTlZvWERURTFNRE13T1RBNU5UZzBOVm93WnpFTE1B
-a0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RlRBVEJnTlZCQWNNREZO
-aGJuUmhJRTF2Ym1sallURVJNQThHQTFVRUNnd0lUMjVsVEc5bmFXNHhHVEFYQmdOVkJBTU1FR0Z3
-Y0M1dmJtVnNiMmRwYmk1amIyMHdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JB
-T2pTdTFmalB5OGQ1dzRReUwxK3pkNGhJdzFNa2tmZjRXWS9UTEc4T1prVTVZVFNXbW1IUEQ1a3ZZ
-SDV1b1hTLzZxUTgxcVhwUjJ3VjhDVG93WkpVTGcwOWRkUmRSbjhRc3FqMUZ5T0M1c2xFM3kyYloy
-b0Z1YTcyb2YvNDlmcHVqbkZUNktuUTYxQ0JNcWxEb1RRcU9UNjJ2R0o4blA2TVpXdkE2c3hxdWQ1
-QWdNQkFBRXdBd1lCQUFNQkFBPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT4KICAgICAgICA8L2RzOlg1
-MDlEYXRhPgogICAgICA8L2RzOktleUluZm8+CiAgICA8L2RzOlNpZ25hdHVyZT4KICAgIDxzYW1s
-OlN1YmplY3Q+CiAgICAgIDxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpT
-QU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c3VwcG9ydEBvbmVsb2dpbi5jb208
-L3NhbWw6TmFtZUlEPgogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJu
-Om9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+CiAgICAgICAgPHNhbWw6U3ViamVj
-dENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEwLTExLTE4VDIyOjAyOjM3WiIgUmVj
-aXBpZW50PSJ7cmVjaXBpZW50fSIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPgogICAgPC9z
-YW1sOlN1YmplY3Q+CiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQy
-MTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPgogICAgICA8c2Ft
-bDpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgICAgIDxzYW1sOkF1ZGllbmNlPnthdWRpZW5jZX08
-L3NhbWw6QXVkaWVuY2U+CiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPgogICAgPC9z
-YW1sOkNvbmRpdGlvbnM+CiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIw
-MTAtMTEtMThUMjE6NTc6MzdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDEwLTExLTE5VDIxOjU3
-OjM3WiIgU2Vzc2lvbkluZGV4PSJfNTMxYzMyZDI4M2JkZmY3ZTA0ZTQ4N2JjZGJjNGRkOGQiPgog
-ICAgICA8c2FtbDpBdXRobkNvbnRleHQ+CiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NS
-ZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6
-QXV0aG5Db250ZXh0Q2xhc3NSZWY+CiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+CiAgICA8L3Nh
-bWw6QXV0aG5TdGF0ZW1lbnQ+CiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+CiAgICAgIDxz
-YW1sOkF0dHJpYnV0ZSBOYW1lPSJ1aWQiPgogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHht
-bG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRw
-Oi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmlu
-ZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4KICAg
-ICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImFub3RoZXJfdmFsdWUiPgogICAgICAgIDxzYW1sOkF0
-dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIg
-eG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNp
-OnR5cGU9InhzOnN0cmluZyI+CiAgICAgICAgICAgIDxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpv
-YXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiIE5hbWVRdWFs
-aWZpZXI9Imh0dHBzOi8vaWRwSUQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zcElEIj52YWx1
-ZTwvc2FtbDpOYW1lSUQ+CiAgICAgICAgPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPgogICAgICA8L3Nh
-bWw6QXR0cmlidXRlPgogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4KICA8L3NhbWw6QXNz
-ZXJ0aW9uPgo8L3NhbWxwOlJlc3BvbnNlPgo=
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJHT1NBTUxSMTI5MDExNzQ1NzE3OTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgRGVzdGluYXRpb249IntyZWNpcGllbnR9Ij4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIFZlcnNpb249IjIuMCIgSUQ9InBmeGE0NjU3NGRmLWIzYjAtYTA2YS0yM2M4LTYzNjQxMzE5ODc3MiIgSXNzdWVJbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhLzEzNTkwPC9zYW1sOklzc3Vlcj4NCiAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4NCiAgICAgIDxkczpTaWduZWRJbmZvPg0KICAgICAgICA8ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+DQogICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4YTQ2NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIj4NCiAgICAgICAgICA8ZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4NCiAgICAgICAgICA8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4NCiAgICAgICAgICA8ZHM6RGlnZXN0VmFsdWU+cEpRN01TL2VrNEtSUldHbXYvSDQzUmVIWU1zPTwvZHM6RGlnZXN0VmFsdWU+DQogICAgICAgIDwvZHM6UmVmZXJlbmNlPg0KICAgICAgPC9kczpTaWduZWRJbmZvPg0KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPnlpdmVLY1BkRHB1RE5qNnNoclEzQUJ3ci9jQTNDcnlEMnBoRy94TFpzektXeFU1L21sYUt0OGV3YlpPZEtLdnRPczJwSEJ5NUR1YTNrOTRBRit6eEd5ZWw1Z09vd21veVhKcitBT3Ira1BPMHZsaTFWOG8zaFBQVVp3UmdTWDZROXBTMUNxUWdoS2lFYXNSeXlscXFKVWFQWXptT3pPRTgvWGxNa3dpV21PMD08L2RzOlNpZ25hdHVyZVZhbHVlPg0KICAgICAgPGRzOktleUluZm8+DQogICAgICAgIDxkczpYNTA5RGF0YT4NCiAgICAgICAgICA8ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUJyVENDQWFHZ0F3SUJBZ0lCQVRBREJnRUFNR2N4Q3pBSkJnTlZCQVlUQWxWVE1STXdFUVlEVlFRSURBcERZV3hwWm05eWJtbGhNUlV3RXdZRFZRUUhEQXhUWVc1MFlTQk5iMjVwWTJFeEVUQVBCZ05WQkFvTUNFOXVaVXh2WjJsdU1Sa3dGd1lEVlFRRERCQmhjSEF1YjI1bGJHOW5hVzR1WTI5dE1CNFhEVEV3TURNd09UQTVOVGcwTlZvWERURTFNRE13T1RBNU5UZzBOVm93WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RlRBVEJnTlZCQWNNREZOaGJuUmhJRTF2Ym1sallURVJNQThHQTFVRUNnd0lUMjVsVEc5bmFXNHhHVEFYQmdOVkJBTU1FR0Z3Y0M1dmJtVnNiMmRwYmk1amIyMHdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBT2pTdTFmalB5OGQ1dzRReUwxK3pkNGhJdzFNa2tmZjRXWS9UTEc4T1prVTVZVFNXbW1IUEQ1a3ZZSDV1b1hTLzZxUTgxcVhwUjJ3VjhDVG93WkpVTGcwOWRkUmRSbjhRc3FqMUZ5T0M1c2xFM3kyYloyb0Z1YTcyb2YvNDlmcHVqbkZUNktuUTYxQ0JNcWxEb1RRcU9UNjJ2R0o4blA2TVpXdkE2c3hxdWQ1QWdNQkFBRXdBd1lCQUFNQkFBPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT4NCiAgICAgICAgPC9kczpYNTA5RGF0YT4NCiAgICAgIDwvZHM6S2V5SW5mbz4NCiAgICA8L2RzOlNpZ25hdHVyZT4NCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zdXBwb3J0QG9uZWxvZ2luLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiIFJlY2lwaWVudD0ie3JlY2lwaWVudH0iLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0xMS0xOFQyMTo1MjozN1oiIE5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOFQyMjowMjozN1oiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+e2F1ZGllbmNlfTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMC0xMS0xOFQyMTo1NzozN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTAtMTEtMTlUMjE6NTc6MzdaIiBTZXNzaW9uSW5kZXg9Il81MzFjMzJkMjgzYmRmZjdlMDRlNDg3YmNkYmM0ZGQ4ZCI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI+ZGVtbzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0iYW5vdGhlcl92YWx1ZSIgRnJpZW5kbHlOYW1lPSJhbm90aGVyX2ZyaWVuZGx5X3ZhbHVlIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4NCiAgICAgICAgICAgIDxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiIE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vaWRwSUQiIFNQTmFtZVF1YWxpZmllcj0iaHR0cHM6Ly9zcElEIj52YWx1ZTwvc2FtbDpOYW1lSUQ+DQogICAgICAgIDwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index c8fee9d5..a51f8e60 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -777,6 +777,17 @@ def testGetNestedNameIDAttributes(self):
         }
         self.assertEqual(expected_attributes, response.get_attributes())
 
+        expected_attributes = {
+            'another_friendly_value': [{
+                'NameID': {
+                    'Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+                    'NameQualifier': 'https://idpID',
+                    'value': 'value'
+                }
+            }]
+        }
+        self.assertEqual(expected_attributes, response.get_friendlyname_attributes())
+
     def testOnlyRetrieveAssertionWithIDThatMatchesSignatureReference(self):
         """
         Tests the get_nameid method of the OneLogin_Saml2_Response

From 5eaad0a3c6cb06769b0d21cdf1f294aac2f364f9 Mon Sep 17 00:00:00 2001
From: Arne Schwabe 
Date: Mon, 28 Jun 2021 13:57:37 +0200
Subject: [PATCH 220/331] Fix misleading comment with fingerprint hash weaker
 than a certificate verification

The reasoning of a fingerprint hash weaker than providing a certificate like a CA is wrong.

A X509 signature of a certificate always uses a Hash like SHA1, SHA256, etc, which is then signed. E.g.

 openssl1.1 x509 -text -in sp-test.pem

    Signature Algorithm: ecdsa-with-SHA256

So these are as vulnerable to collision attacks as fingeprints.

Depending on the implementation of the fingerprint, there are other for not using them. E.g. some implementation ignore other problem with a certificate like validity or missing EKUs.
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 6a237212..3bbf2a1f 100644
--- a/README.md
+++ b/README.md
@@ -323,8 +323,8 @@ This is the ``settings.json`` file:
         /*
          *  Instead of using the whole X.509cert you can use a fingerprint in order to
          *  validate a SAMLResponse (but you still need the X.509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
-         *  But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
-         *  that why we don't recommend it use for production environments.
+         *  But take in mind that the algortithm for the fingerprint should be as strong as the algorithm in a normal certificate signature
+	 *  (e.g. SHA256 or strong)
          *
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *  or add for example the -sha256 , -sha384 or -sha512 parameter)

From 53ee46fe2632c5f137fa6d1df72403cbd703b9be Mon Sep 17 00:00:00 2001
From: Chris Volny 
Date: Wed, 30 Jun 2021 16:48:46 -0400
Subject: [PATCH 221/331] make the redirect scheme matcher case-insensitive.

---
 src/onelogin/saml2/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 1290033e..db88bd34 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -210,7 +210,7 @@ def redirect(url, parameters={}, request_data={}):
             url = '%s%s' % (OneLogin_Saml2_Utils.get_self_url_host(request_data), url)
 
         # Verify that the URL is to a http or https site.
-        if re.search('^https?://', url) is None:
+        if re.search('^https?://', url, flags=re.IGNORECASE) is None:
             raise OneLogin_Saml2_Error(
                 'Redirect to invalid URL: ' + url,
                 OneLogin_Saml2_Error.REDIRECT_INVALID_URL

From e7f6c67eee9eb25ab7746af96ab00ad0a3fd145e Mon Sep 17 00:00:00 2001
From: Zhaofeng Li 
Date: Sat, 3 Jul 2021 18:35:58 -0700
Subject: [PATCH 222/331] tests: Update expiry dates for responses

---
 tests/data/responses/invalids/encrypted_attrs.xml.base64        | 2 +-
 tests/data/responses/invalids/invalid_audience.xml.base64       | 2 +-
 .../data/responses/invalids/invalid_issuer_assertion.xml.base64 | 2 +-
 tests/data/responses/invalids/invalid_issuer_message.xml.base64 | 2 +-
 tests/data/responses/invalids/invalid_sessionindex.xml.base64   | 2 +-
 .../invalids/invalid_subjectconfirmation_inresponse.xml.base64  | 2 +-
 .../invalids/invalid_subjectconfirmation_noa.xml.base64         | 2 +-
 .../invalids/invalid_subjectconfirmation_recipient.xml.base64   | 2 +-
 tests/data/responses/invalids/no_nameid.xml.base64              | 2 +-
 .../responses/invalids/no_subjectconfirmation_data.xml.base64   | 2 +-
 .../responses/invalids/no_subjectconfirmation_method.xml.base64 | 2 +-
 .../data/responses/invalids/response_encrypted_attrs.xml.base64 | 2 +-
 tests/data/responses/no_audience.xml.base64                     | 2 +-
 .../data/responses/unsigned_response_with_miliseconds.xm.base64 | 2 +-
 14 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/tests/data/responses/invalids/encrypted_attrs.xml.base64 b/tests/data/responses/invalids/encrypted_attrs.xml.base64
index f452075c..a170970a 100644
--- a/tests/data/responses/invalids/encrypted_attrs.xml.base64
+++ b/tests/data/responses/invalids/encrypted_attrs.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaGh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KIDxzYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4NCiAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWREYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCIgSWQ9Il9GMzk2MjVBRjY4QjRGQzA3OENDNzU4MkQyOEQwNUQ5QyI+DQogICAgICAgICAgICA8eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMjU2LWNiYyIvPg0KICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICAgICAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICAgICAgPHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIi8+DQogICAgICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICAgICAgICAgICAgICA8ZHM6S2V5TmFtZT42MjM1NWZiZDFmNjI0NTAzYzVjOTY3NzQwMmVjY2EwMGVmMWY2Mjc3PC9kczpLZXlOYW1lPg0KICAgICAgICAgICAgICAgIDwvZHM6S2V5SW5mbz4NCiAgICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+SzBtQkx4Zkx6aUtWVUtFQU9ZZTdENnVWU0NQeTh2eVdWaDNSZWNuUEVTKzhRa0FoT3VSU3VFL0xRcEZyMGh1SS9pQ0V5OXBkZTFRZ2pZREx0akhjdWpLaTJ4R3FXNmprWFcvRXVLb21xV1BQQTJ4WXMxZnBCMXN1NGFYVU9RQjZPSjcwL29EY09zeTgzNGdoRmFCV2lsRThmcXlEQlVCdlcrMkl2YU1VWmFid04vczltVmtXek0zcjMwdGxraExLN2lPcmJHQWxkSUh3RlU1ejdQUFI2Uk8zWTNmSXhqSFU0ME9uTHNKYzN4SXFkTEgzZlhwQzBrZ2k1VXNwTGRxMTRlNU9vWGpMb1BHM0JPM3p3T0FJSjhYTkJXWTV1UW9mNktyS2JjdnRaU1kwZk12UFloWWZOanRSRnk4eTQ5b3ZMOWZ3akNSVERsVDUrYUhxc0NUQnJ3PT08L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICAgICAgPC94ZW5jOkNpcGhlckRhdGE+DQogICAgICAgICAgICAgIDwveGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICA8L2RzOktleUluZm8+DQogICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJWYWx1ZT5aekN1NmF4R2dBWVpIVmY3N05YOGFwWktCL0dKRGV1VjZiRkJ5QlMwQUlnaVhrdkRVQW1MQ3BhYlRBV0JNK3l6MTlvbEE2cnJ5dU9mcjgyZXYyYnpQTlVSdm00U1l4YWh2dUw0UGlibjV3Smt5MEJsNTRWcW1jVStBcWowZEF2T2dxRzF5M1g0d085bjliUnNUdjY5MjFtMGVxUkFGcGg4a0s4TDloaXJLMUJ4WUJZajJSeUZDb0ZEUHhWWjV3eXJhM3E0cW1FNC9FTFFwRlA2bWZVOExYYjB1b1dKVWpHVWVsUzJBYTdiWmlzOHpFcHdvdjRDd3RsTmpsdFFpaDRtdjd0dENBZllxY1FJRnpCVEIrREFhMCtYZ2d4Q0xjZEIzK21RaVJjRUNCZndISEo3Z1JtbnVCRWdlV1QzQ0dLYTNOYjdHTVhPZnV4RktGNXBJZWhXZ28za2ROUUxhbG9yOFJWVzZJOFAvSThmUTMzRmUrTnNIVm5KM3p3U0EvL2E8L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICA8L3hlbmM6Q2lwaGVyRGF0YT4NCiAgICAgICAgICA8L3hlbmM6RW5jcnlwdGVkRGF0YT4NCiAgICAgICAgPC9zYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaGh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KIDxzYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4NCiAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWREYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCIgSWQ9Il9GMzk2MjVBRjY4QjRGQzA3OENDNzU4MkQyOEQwNUQ5QyI+DQogICAgICAgICAgICA8eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMjU2LWNiYyIvPg0KICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICAgICAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICAgICAgPHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIi8+DQogICAgICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICAgICAgICAgICAgICA8ZHM6S2V5TmFtZT42MjM1NWZiZDFmNjI0NTAzYzVjOTY3NzQwMmVjY2EwMGVmMWY2Mjc3PC9kczpLZXlOYW1lPg0KICAgICAgICAgICAgICAgIDwvZHM6S2V5SW5mbz4NCiAgICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+SzBtQkx4Zkx6aUtWVUtFQU9ZZTdENnVWU0NQeTh2eVdWaDNSZWNuUEVTKzhRa0FoT3VSU3VFL0xRcEZyMGh1SS9pQ0V5OXBkZTFRZ2pZREx0akhjdWpLaTJ4R3FXNmprWFcvRXVLb21xV1BQQTJ4WXMxZnBCMXN1NGFYVU9RQjZPSjcwL29EY09zeTgzNGdoRmFCV2lsRThmcXlEQlVCdlcrMkl2YU1VWmFid04vczltVmtXek0zcjMwdGxraExLN2lPcmJHQWxkSUh3RlU1ejdQUFI2Uk8zWTNmSXhqSFU0ME9uTHNKYzN4SXFkTEgzZlhwQzBrZ2k1VXNwTGRxMTRlNU9vWGpMb1BHM0JPM3p3T0FJSjhYTkJXWTV1UW9mNktyS2JjdnRaU1kwZk12UFloWWZOanRSRnk4eTQ5b3ZMOWZ3akNSVERsVDUrYUhxc0NUQnJ3PT08L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICAgICAgPC94ZW5jOkNpcGhlckRhdGE+DQogICAgICAgICAgICAgIDwveGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICA8L2RzOktleUluZm8+DQogICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJWYWx1ZT5aekN1NmF4R2dBWVpIVmY3N05YOGFwWktCL0dKRGV1VjZiRkJ5QlMwQUlnaVhrdkRVQW1MQ3BhYlRBV0JNK3l6MTlvbEE2cnJ5dU9mcjgyZXYyYnpQTlVSdm00U1l4YWh2dUw0UGlibjV3Smt5MEJsNTRWcW1jVStBcWowZEF2T2dxRzF5M1g0d085bjliUnNUdjY5MjFtMGVxUkFGcGg4a0s4TDloaXJLMUJ4WUJZajJSeUZDb0ZEUHhWWjV3eXJhM3E0cW1FNC9FTFFwRlA2bWZVOExYYjB1b1dKVWpHVWVsUzJBYTdiWmlzOHpFcHdvdjRDd3RsTmpsdFFpaDRtdjd0dENBZllxY1FJRnpCVEIrREFhMCtYZ2d4Q0xjZEIzK21RaVJjRUNCZndISEo3Z1JtbnVCRWdlV1QzQ0dLYTNOYjdHTVhPZnV4RktGNXBJZWhXZ28za2ROUUxhbG9yOFJWVzZJOFAvSThmUTMzRmUrTnNIVm5KM3p3U0EvL2E8L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICA8L3hlbmM6Q2lwaGVyRGF0YT4NCiAgICAgICAgICA8L3hlbmM6RW5jcnlwdGVkRGF0YT4NCiAgICAgICAgPC9zYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_audience.xml.base64 b/tests/data/responses/invalids/invalid_audience.xml.base64
index a2575836..787c8a79 100644
--- a/tests/data/responses/invalids/invalid_audience.xml.base64
+++ b/tests/data/responses/invalids/invalid_audience.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9pbnZhbGlkLmF1ZGllbmNlLmNvbTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9pbnZhbGlkLmF1ZGllbmNlLmNvbTwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_issuer_assertion.xml.base64 b/tests/data/responses/invalids/invalid_issuer_assertion.xml.base64
index 07748ece..426ea5c2 100644
--- a/tests/data/responses/invalids/invalid_issuer_assertion.xml.base64
+++ b/tests/data/responses/invalids/invalid_issuer_assertion.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2ludmFsaWQuaXNzdWVyLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+ICAgIA0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJoZWxsby5jb20iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA2LTE3VDE0OjU5OjE0WiIgUmVjaXBpZW50PSJodHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9lbmRwb2ludHMvYWNzLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2ludmFsaWQuaXNzdWVyLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+ICAgIA0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJoZWxsby5jb20iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA2LTE3VDE0OjU5OjE0WiIgUmVjaXBpZW50PSJodHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9lbmRwb2ludHMvYWNzLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_issuer_message.xml.base64 b/tests/data/responses/invalids/invalid_issuer_message.xml.base64
index f1f49fe5..0c06a25e 100644
--- a/tests/data/responses/invalids/invalid_issuer_message.xml.base64
+++ b/tests/data/responses/invalids/invalid_issuer_message.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaW52YWxpZC5pc3Nlci5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPg0KICA8c2FtbHA6U3RhdHVzPg0KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz4NCiAgPC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIElEPSJwZng3ODQxOTkxYy1jNzNmLTQwMzUtZTJlZS1jMTcwYzBlMWQzZTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjE0WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vPC9zYW1sOklzc3Vlcj4gICAgDQogICAgPHNhbWw6U3ViamVjdD4NCiAgICAgIDxzYW1sOk5hbWVJRCBTUE5hbWVRdWFsaWZpZXI9ImhlbGxvLmNvbSIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6TmFtZUlEPg0KICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg0KICA=
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaW52YWxpZC5pc3Nlci5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPg0KICA8c2FtbHA6U3RhdHVzPg0KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz4NCiAgPC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIElEPSJwZng3ODQxOTkxYy1jNzNmLTQwMzUtZTJlZS1jMTcwYzBlMWQzZTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjE0WiI+DQogICAgPHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vPC9zYW1sOklzc3Vlcj4gICAgDQogICAgPHNhbWw6U3ViamVjdD4NCiAgICAgIDxzYW1sOk5hbWVJRCBTUE5hbWVRdWFsaWZpZXI9ImhlbGxvLmNvbSIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6TmFtZUlEPg0KICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg0KICA=
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_sessionindex.xml.base64 b/tests/data/responses/invalids/invalid_sessionindex.xml.base64
index cc5a581c..f2e4c4c6 100644
--- a/tests/data/responses/invalids/invalid_sessionindex.xml.base64
+++ b/tests/data/responses/invalids/invalid_sessionindex.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMTMtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64 b/tests/data/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64
index 2ce545f8..b6a4e2eb 100644
--- a/tests/data/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64
+++ b/tests/data/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iaW52YWxpZF9pbnJlc3BvbnNlIi8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iaW52YWxpZF9pbnJlc3BvbnNlIi8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_subjectconfirmation_noa.xml.base64 b/tests/data/responses/invalids/invalid_subjectconfirmation_noa.xml.base64
index 6d4b70aa..4f922132 100644
--- a/tests/data/responses/invalids/invalid_subjectconfirmation_noa.xml.base64
+++ b/tests/data/responses/invalids/invalid_subjectconfirmation_noa.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/data/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64 b/tests/data/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64
index 1bf1d25a..30c55eb2 100644
--- a/tests/data/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64
+++ b/tests/data/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL2ludmFsaWQucmVjaXBlbnQuZXhhbXBsZS5jb20iIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL2ludmFsaWQucmVjaXBlbnQuZXhhbXBsZS5jb20iIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICAgIDxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocDwvc2FtbDpBdWRpZW5jZT4NCiAgICAgIDwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgIDwvc2FtbDpDb25kaXRpb25zPg0KICAgIDxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDowN1oiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMjI6NTQ6MTRaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
diff --git a/tests/data/responses/invalids/no_nameid.xml.base64 b/tests/data/responses/invalids/no_nameid.xml.base64
index 3c2b6d9b..db8879b2 100644
--- a/tests/data/responses/invalids/no_nameid.xml.base64
+++ b/tests/data/responses/invalids/no_nameid.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPg0KICAgICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/tests/data/responses/invalids/no_subjectconfirmation_data.xml.base64 b/tests/data/responses/invalids/no_subjectconfirmation_data.xml.base64
index 3c92f561..bc28d907 100644
--- a/tests/data/responses/invalids/no_subjectconfirmation_data.xml.base64
+++ b/tests/data/responses/invalids/no_subjectconfirmation_data.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+ICAgICAgICANCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+ICAgICAgICANCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/tests/data/responses/invalids/no_subjectconfirmation_method.xml.base64 b/tests/data/responses/invalids/no_subjectconfirmation_method.xml.base64
index 07ce153a..37b69370 100644
--- a/tests/data/responses/invalids/no_subjectconfirmation_method.xml.base64
+++ b/tests/data/responses/invalids/no_subjectconfirmation_method.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmhvbGRlci1vZi1rZXkiPg0KICAgICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmhvbGRlci1vZi1rZXkiPg0KICAgICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/tests/data/responses/invalids/response_encrypted_attrs.xml.base64 b/tests/data/responses/invalids/response_encrypted_attrs.xml.base64
index 32449899..ad6392c5 100644
--- a/tests/data/responses/invalids/response_encrypted_attrs.xml.base64
+++ b/tests/data/responses/invalids/response_encrypted_attrs.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaGh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KIDxzYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4NCiAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWREYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCIgSWQ9Il9GMzk2MjVBRjY4QjRGQzA3OENDNzU4MkQyOEQwNUQ5QyI+DQogICAgICAgICAgICA8eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMjU2LWNiYyIvPg0KICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICAgICAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICAgICAgPHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIi8+DQogICAgICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICAgICAgICAgICAgICA8ZHM6S2V5TmFtZT42MjM1NWZiZDFmNjI0NTAzYzVjOTY3NzQwMmVjY2EwMGVmMWY2Mjc3PC9kczpLZXlOYW1lPg0KICAgICAgICAgICAgICAgIDwvZHM6S2V5SW5mbz4NCiAgICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+SzBtQkx4Zkx6aUtWVUtFQU9ZZTdENnVWU0NQeTh2eVdWaDNSZWNuUEVTKzhRa0FoT3VSU3VFL0xRcEZyMGh1SS9pQ0V5OXBkZTFRZ2pZREx0akhjdWpLaTJ4R3FXNmprWFcvRXVLb21xV1BQQTJ4WXMxZnBCMXN1NGFYVU9RQjZPSjcwL29EY09zeTgzNGdoRmFCV2lsRThmcXlEQlVCdlcrMkl2YU1VWmFid04vczltVmtXek0zcjMwdGxraExLN2lPcmJHQWxkSUh3RlU1ejdQUFI2Uk8zWTNmSXhqSFU0ME9uTHNKYzN4SXFkTEgzZlhwQzBrZ2k1VXNwTGRxMTRlNU9vWGpMb1BHM0JPM3p3T0FJSjhYTkJXWTV1UW9mNktyS2JjdnRaU1kwZk12UFloWWZOanRSRnk4eTQ5b3ZMOWZ3akNSVERsVDUrYUhxc0NUQnJ3PT08L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICAgICAgPC94ZW5jOkNpcGhlckRhdGE+DQogICAgICAgICAgICAgIDwveGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICA8L2RzOktleUluZm8+DQogICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJWYWx1ZT5aekN1NmF4R2dBWVpIVmY3N05YOGFwWktCL0dKRGV1VjZiRkJ5QlMwQUlnaVhrdkRVQW1MQ3BhYlRBV0JNK3l6MTlvbEE2cnJ5dU9mcjgyZXYyYnpQTlVSdm00U1l4YWh2dUw0UGlibjV3Smt5MEJsNTRWcW1jVStBcWowZEF2T2dxRzF5M1g0d085bjliUnNUdjY5MjFtMGVxUkFGcGg4a0s4TDloaXJLMUJ4WUJZajJSeUZDb0ZEUHhWWjV3eXJhM3E0cW1FNC9FTFFwRlA2bWZVOExYYjB1b1dKVWpHVWVsUzJBYTdiWmlzOHpFcHdvdjRDd3RsTmpsdFFpaDRtdjd0dENBZllxY1FJRnpCVEIrREFhMCtYZ2d4Q0xjZEIzK21RaVJjRUNCZndISEo3Z1JtbnVCRWdlV1QzQ0dLYTNOYjdHTVhPZnV4RktGNXBJZWhXZ28za2ROUUxhbG9yOFJWVzZJOFAvSThmUTMzRmUrTnNIVm5KM3p3U0EvL2E8L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICA8L3hlbmM6Q2lwaGVyRGF0YT4NCiAgICAgICAgICA8L3hlbmM6RW5jcnlwdGVkRGF0YT4NCiAgICAgICAgPC9zYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaGh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL21ldGFkYXRhLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NFoiIE5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QxNDo1OToxNFoiPg0KICAgICAgPHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjA3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QyMjo1NDoxNFoiIFNlc3Npb25JbmRleD0iXzUxYmUzNzk2NWZlYjU1NzlkODAzMTQxMDc2OTM2ZGMyZTlkMWQ5OGViZiI+DQogICAgICA8c2FtbDpBdXRobkNvbnRleHQ+DQogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9zYW1sOkF1dGhuQ29udGV4dD4NCiAgICA8L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+DQogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KIDxzYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZSB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj4NCiAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWREYXRhIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgVHlwZT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjRWxlbWVudCIgSWQ9Il9GMzk2MjVBRjY4QjRGQzA3OENDNzU4MkQyOEQwNUQ5QyI+DQogICAgICAgICAgICA8eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMjU2LWNiYyIvPg0KICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICAgICAgICAgICAgICA8eGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICAgICAgPHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIi8+DQogICAgICAgICAgICAgICAgPGRzOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogICAgICAgICAgICAgICAgICA8ZHM6S2V5TmFtZT42MjM1NWZiZDFmNjI0NTAzYzVjOTY3NzQwMmVjY2EwMGVmMWY2Mjc3PC9kczpLZXlOYW1lPg0KICAgICAgICAgICAgICAgIDwvZHM6S2V5SW5mbz4NCiAgICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+SzBtQkx4Zkx6aUtWVUtFQU9ZZTdENnVWU0NQeTh2eVdWaDNSZWNuUEVTKzhRa0FoT3VSU3VFL0xRcEZyMGh1SS9pQ0V5OXBkZTFRZ2pZREx0akhjdWpLaTJ4R3FXNmprWFcvRXVLb21xV1BQQTJ4WXMxZnBCMXN1NGFYVU9RQjZPSjcwL29EY09zeTgzNGdoRmFCV2lsRThmcXlEQlVCdlcrMkl2YU1VWmFid04vczltVmtXek0zcjMwdGxraExLN2lPcmJHQWxkSUh3RlU1ejdQUFI2Uk8zWTNmSXhqSFU0ME9uTHNKYzN4SXFkTEgzZlhwQzBrZ2k1VXNwTGRxMTRlNU9vWGpMb1BHM0JPM3p3T0FJSjhYTkJXWTV1UW9mNktyS2JjdnRaU1kwZk12UFloWWZOanRSRnk4eTQ5b3ZMOWZ3akNSVERsVDUrYUhxc0NUQnJ3PT08L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICAgICAgPC94ZW5jOkNpcGhlckRhdGE+DQogICAgICAgICAgICAgIDwveGVuYzpFbmNyeXB0ZWRLZXk+DQogICAgICAgICAgICA8L2RzOktleUluZm8+DQogICAgICAgICAgICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgICAgICAgICA8eGVuYzpDaXBoZXJWYWx1ZT5aekN1NmF4R2dBWVpIVmY3N05YOGFwWktCL0dKRGV1VjZiRkJ5QlMwQUlnaVhrdkRVQW1MQ3BhYlRBV0JNK3l6MTlvbEE2cnJ5dU9mcjgyZXYyYnpQTlVSdm00U1l4YWh2dUw0UGlibjV3Smt5MEJsNTRWcW1jVStBcWowZEF2T2dxRzF5M1g0d085bjliUnNUdjY5MjFtMGVxUkFGcGg4a0s4TDloaXJLMUJ4WUJZajJSeUZDb0ZEUHhWWjV3eXJhM3E0cW1FNC9FTFFwRlA2bWZVOExYYjB1b1dKVWpHVWVsUzJBYTdiWmlzOHpFcHdvdjRDd3RsTmpsdFFpaDRtdjd0dENBZllxY1FJRnpCVEIrREFhMCtYZ2d4Q0xjZEIzK21RaVJjRUNCZndISEo3Z1JtbnVCRWdlV1QzQ0dLYTNOYjdHTVhPZnV4RktGNXBJZWhXZ28za2ROUUxhbG9yOFJWVzZJOFAvSThmUTMzRmUrTnNIVm5KM3p3U0EvL2E8L3hlbmM6Q2lwaGVyVmFsdWU+DQogICAgICAgICAgICA8L3hlbmM6Q2lwaGVyRGF0YT4NCiAgICAgICAgICA8L3hlbmM6RW5jcnlwdGVkRGF0YT4NCiAgICAgICAgPC9zYW1sOkVuY3J5cHRlZEF0dHJpYnV0ZT4NCiAgICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pg0KICA8L3NhbWw6QXNzZXJ0aW9uPg0KPC9zYW1scDpSZXNwb25zZT4=
\ No newline at end of file
diff --git a/tests/data/responses/no_audience.xml.base64 b/tests/data/responses/no_audience.xml.base64
index 6ac34337..25550e3b 100644
--- a/tests/data/responses/no_audience.xml.base64
+++ b/tests/data/responses/no_audience.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBEZXN0aW5hdGlvbj0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDc4NDE5OTFjLWM3M2YtNDAzNS1lMmVlLWMxNzBjMGUxZDNlNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPiAgICANCiAgICA8c2FtbDpTdWJqZWN0Pg0KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpOYW1lSUQ+DQogICAgICA8c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQogICAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMC0wNi0xN1QxNDo1OToxNFoiIFJlY2lwaWVudD0iaHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvZW5kcG9pbnRzL2Fjcy5waHAiIEluUmVzcG9uc2VUbz0iXzU3YmNiZjcwLTdiMWYtMDEyZS1jODIxLTc4MmJjYjEzYmIzOCIvPg0KICAgICAgPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+DQogICAgPC9zYW1sOlN1YmplY3Q+DQogICAgPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTAtMDYtMTdUMTQ6NTM6NDRaIiBOb3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMTQ6NTk6MTRaIj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDk5LTA2LTE3VDIyOjU0OjE0WiIgU2Vzc2lvbkluZGV4PSJfNTFiZTM3OTY1ZmViNTU3OWQ4MDMxNDEwNzY5MzZkYzJlOWQxZDk4ZWJmIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQogICAgICAgIDxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNvbWVvbmVAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+DQogICAgICA8L3NhbWw6QXR0cmlidXRlPg0KICAgIDwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogIDwvc2FtbDpBc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
\ No newline at end of file
diff --git a/tests/data/responses/unsigned_response_with_miliseconds.xm.base64 b/tests/data/responses/unsigned_response_with_miliseconds.xm.base64
index 76522b7e..1722cbf9 100644
--- a/tests/data/responses/unsigned_response_with_miliseconds.xm.base64
+++ b/tests/data/responses/unsigned_response_with_miliseconds.xm.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTQuMTIwWiIgRGVzdGluYXRpb249Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiPg0KICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPg0KICA8c2FtbHA6U3RhdHVzPg0KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz4NCiAgPC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIElEPSJwZng3ODQxOTkxYy1jNzNmLTQwMzUtZTJlZS1jMTcwYzBlMWQzZTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjE0LjEyMFoiPg0KICAgIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+ICAgIA0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJoZWxsby5jb20iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA2LTE3VDE0OjU5OjE0WiIgUmVjaXBpZW50PSJodHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9lbmRwb2ludHMvYWNzLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NC4xNzNaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDYtMTdUMTQ6NTk6MTQuMjM1WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDcuMTIwWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMS0wNi0xN1QyMjo1NDoxNC4xMjBaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzMmFlZDY3LTgyMGYtNDI5Ni0wYzIwLTIwNWExMGRkNTc4NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTQuMTIwWiIgRGVzdGluYXRpb249Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiPg0KICA8c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPg0KICA8c2FtbHA6U3RhdHVzPg0KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz4NCiAgPC9zYW1scDpTdGF0dXM+DQogIDxzYW1sOkFzc2VydGlvbiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIElEPSJwZng3ODQxOTkxYy1jNzNmLTQwMzUtZTJlZS1jMTcwYzBlMWQzZTQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDExLTA2LTE3VDE0OjU0OjE0LjEyMFoiPg0KICAgIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+ICAgIA0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJoZWxsby5jb20iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTA2LTE3VDE0OjU5OjE0WiIgUmVjaXBpZW50PSJodHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9lbmRwb2ludHMvYWNzLnBocCIgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4Ii8+DQogICAgICA8L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L3NhbWw6U3ViamVjdD4NCiAgICA8c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMC0wNi0xN1QxNDo1Mzo0NC4xNzNaIiBOb3RPbk9yQWZ0ZXI9IjIwOTktMDYtMTdUMTQ6NTk6MTQuMjM1WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDcuMTIwWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjA5OS0wNi0xN1QyMjo1NDoxNC4xMjBaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiPg0KICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Pg0KICAgICAgICA8c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj4NCiAgICAgIDwvc2FtbDpBdXRobkNvbnRleHQ+DQogICAgPC9zYW1sOkF1dGhuU3RhdGVtZW50Pg0KICAgIDxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c29tZW9uZUBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
\ No newline at end of file

From aa1481eae7f315e24d9f96dfd2ee0aca90f27d4f Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Tue, 20 Jul 2021 15:08:55 +0300
Subject: [PATCH 223/331] Replace double-underscored names with single
 underscores

This will avoid Python's class-name-prefix mangling of attributes and methods
while still retaining the signal that they're meant for private use of the library.

This makes it easier to e.g. subclass classes should one need to, and to access
data from outside (while being mindful of the fact that you're accessing notionally
private data).

Only one change to a test was required (and that test was indeed accessing a private
field from outside...).
---
 src/onelogin/saml2/auth.py                    | 280 +++++++++---------
 src/onelogin/saml2/authn_request.py           |  22 +-
 src/onelogin/saml2/logout_request.py          |  40 +--
 src/onelogin/saml2/logout_response.py         |  42 +--
 src/onelogin/saml2/metadata.py                |   6 +-
 src/onelogin/saml2/response.py                |  92 +++---
 src/onelogin/saml2/settings.py                | 246 +++++++--------
 .../saml2_tests/authn_request_test.py         |   2 +-
 8 files changed, 365 insertions(+), 365 deletions(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index cfaee5fd..c284fe46 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -52,29 +52,29 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         :param custom_base_path: Optional. Path where are stored the settings file and the cert folder
         :type custom_base_path: string
         """
-        self.__request_data = request_data
+        self._request_data = request_data
         if isinstance(old_settings, OneLogin_Saml2_Settings):
-            self.__settings = old_settings
+            self._settings = old_settings
         else:
-            self.__settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
-        self.__attributes = dict()
-        self.__friendlyname_attributes = dict()
-        self.__nameid = None
-        self.__nameid_format = None
-        self.__nameid_nq = None
-        self.__nameid_spnq = None
-        self.__session_index = None
-        self.__session_expiration = None
-        self.__authenticated = False
-        self.__errors = []
-        self.__error_reason = None
-        self.__last_request_id = None
-        self.__last_message_id = None
-        self.__last_assertion_id = None
-        self.__last_authn_contexts = []
-        self.__last_request = None
-        self.__last_response = None
-        self.__last_assertion_not_on_or_after = None
+            self._settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
+        self._attributes = dict()
+        self._friendlyname_attributes = dict()
+        self._nameid = None
+        self._nameid_format = None
+        self._nameid_nq = None
+        self._nameid_spnq = None
+        self._session_index = None
+        self._session_expiration = None
+        self._authenticated = False
+        self._errors = []
+        self._error_reason = None
+        self._last_request_id = None
+        self._last_message_id = None
+        self._last_assertion_id = None
+        self._last_authn_contexts = []
+        self._last_request = None
+        self._last_response = None
+        self._last_assertion_not_on_or_after = None
 
     def get_settings(self):
         """
@@ -82,7 +82,7 @@ def get_settings(self):
         :return: Setting info
         :rtype: OneLogin_Saml2_Setting object
         """
-        return self.__settings
+        return self._settings
 
     def set_strict(self, value):
         """
@@ -92,22 +92,22 @@ def set_strict(self, value):
         :type value: bool
         """
         assert isinstance(value, bool)
-        self.__settings.set_strict(value)
+        self._settings.set_strict(value)
 
     def store_valid_response(self, response):
-        self.__attributes = response.get_attributes()
-        self.__friendlyname_attributes = response.get_friendlyname_attributes()
-        self.__nameid = response.get_nameid()
-        self.__nameid_format = response.get_nameid_format()
-        self.__nameid_nq = response.get_nameid_nq()
-        self.__nameid_spnq = response.get_nameid_spnq()
-        self.__session_index = response.get_session_index()
-        self.__session_expiration = response.get_session_not_on_or_after()
-        self.__last_message_id = response.get_id()
-        self.__last_assertion_id = response.get_assertion_id()
-        self.__last_authn_contexts = response.get_authn_contexts()
-        self.__authenticated = True
-        self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
+        self._attributes = response.get_attributes()
+        self._friendlyname_attributes = response.get_friendlyname_attributes()
+        self._nameid = response.get_nameid()
+        self._nameid_format = response.get_nameid_format()
+        self._nameid_nq = response.get_nameid_nq()
+        self._nameid_spnq = response.get_nameid_spnq()
+        self._session_index = response.get_session_index()
+        self._session_expiration = response.get_session_not_on_or_after()
+        self._last_message_id = response.get_id()
+        self._last_assertion_id = response.get_assertion_id()
+        self._last_authn_contexts = response.get_authn_contexts()
+        self._authenticated = True
+        self._last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
 
     def process_response(self, request_id=None):
         """
@@ -118,22 +118,22 @@ def process_response(self, request_id=None):
 
         :raises: OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
         """
-        self.__errors = []
-        self.__error_reason = None
+        self._errors = []
+        self._error_reason = None
 
-        if 'post_data' in self.__request_data and 'SAMLResponse' in self.__request_data['post_data']:
+        if 'post_data' in self._request_data and 'SAMLResponse' in self._request_data['post_data']:
             # AuthnResponse -- HTTP_POST Binding
-            response = self.response_class(self.__settings, self.__request_data['post_data']['SAMLResponse'])
-            self.__last_response = response.get_xml_document()
+            response = self.response_class(self._settings, self._request_data['post_data']['SAMLResponse'])
+            self._last_response = response.get_xml_document()
 
-            if response.is_valid(self.__request_data, request_id):
+            if response.is_valid(self._request_data, request_id):
                 self.store_valid_response(response)
             else:
-                self.__errors.append('invalid_response')
-                self.__error_reason = response.get_error()
+                self._errors.append('invalid_response')
+                self._error_reason = response.get_error()
 
         else:
-            self.__errors.append('invalid_binding')
+            self._errors.append('invalid_binding')
             raise OneLogin_Saml2_Error(
                 'SAML Response not found, Only supported HTTP_POST Binding',
                 OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND
@@ -151,57 +151,57 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
 
         :returns: Redirection url
         """
-        self.__errors = []
-        self.__error_reason = None
+        self._errors = []
+        self._error_reason = None
 
-        get_data = 'get_data' in self.__request_data and self.__request_data['get_data']
+        get_data = 'get_data' in self._request_data and self._request_data['get_data']
         if get_data and 'SAMLResponse' in get_data:
-            logout_response = self.logout_response_class(self.__settings, get_data['SAMLResponse'])
-            self.__last_response = logout_response.get_xml()
+            logout_response = self.logout_response_class(self._settings, get_data['SAMLResponse'])
+            self._last_response = logout_response.get_xml()
             if not self.validate_response_signature(get_data):
-                self.__errors.append('invalid_logout_response_signature')
-                self.__errors.append('Signature validation failed. Logout Response rejected')
-            elif not logout_response.is_valid(self.__request_data, request_id):
-                self.__errors.append('invalid_logout_response')
-                self.__error_reason = logout_response.get_error()
+                self._errors.append('invalid_logout_response_signature')
+                self._errors.append('Signature validation failed. Logout Response rejected')
+            elif not logout_response.is_valid(self._request_data, request_id):
+                self._errors.append('invalid_logout_response')
+                self._error_reason = logout_response.get_error()
             elif logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
-                self.__errors.append('logout_not_success')
+                self._errors.append('logout_not_success')
             else:
-                self.__last_message_id = logout_response.id
+                self._last_message_id = logout_response.id
                 if not keep_local_session:
                     OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
 
         elif get_data and 'SAMLRequest' in get_data:
-            logout_request = self.logout_request_class(self.__settings, get_data['SAMLRequest'])
-            self.__last_request = logout_request.get_xml()
+            logout_request = self.logout_request_class(self._settings, get_data['SAMLRequest'])
+            self._last_request = logout_request.get_xml()
             if not self.validate_request_signature(get_data):
-                self.__errors.append("invalid_logout_request_signature")
-                self.__errors.append('Signature validation failed. Logout Request rejected')
-            elif not logout_request.is_valid(self.__request_data):
-                self.__errors.append('invalid_logout_request')
-                self.__error_reason = logout_request.get_error()
+                self._errors.append("invalid_logout_request_signature")
+                self._errors.append('Signature validation failed. Logout Request rejected')
+            elif not logout_request.is_valid(self._request_data):
+                self._errors.append('invalid_logout_request')
+                self._error_reason = logout_request.get_error()
             else:
                 if not keep_local_session:
                     OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
 
                 in_response_to = logout_request.id
-                self.__last_message_id = logout_request.id
-                response_builder = self.logout_response_class(self.__settings)
+                self._last_message_id = logout_request.id
+                response_builder = self.logout_response_class(self._settings)
                 response_builder.build(in_response_to)
-                self.__last_response = response_builder.get_xml()
+                self._last_response = response_builder.get_xml()
                 logout_response = response_builder.get_response()
 
                 parameters = {'SAMLResponse': logout_response}
-                if 'RelayState' in self.__request_data['get_data']:
-                    parameters['RelayState'] = self.__request_data['get_data']['RelayState']
+                if 'RelayState' in self._request_data['get_data']:
+                    parameters['RelayState'] = self._request_data['get_data']['RelayState']
 
-                security = self.__settings.get_security_data()
+                security = self._settings.get_security_data()
                 if security['logoutResponseSigned']:
                     self.add_response_signature(parameters, security['signatureAlgorithm'])
 
                 return self.redirect_to(self.get_slo_response_url(), parameters)
         else:
-            self.__errors.append('invalid_binding')
+            self._errors.append('invalid_binding')
             raise OneLogin_Saml2_Error(
                 'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
                 OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND
@@ -218,9 +218,9 @@ def redirect_to(self, url=None, parameters={}):
 
         :returns: Redirection URL
         """
-        if url is None and 'RelayState' in self.__request_data['get_data']:
-            url = self.__request_data['get_data']['RelayState']
-        return OneLogin_Saml2_Utils.redirect(url, parameters, request_data=self.__request_data)
+        if url is None and 'RelayState' in self._request_data['get_data']:
+            url = self._request_data['get_data']['RelayState']
+        return OneLogin_Saml2_Utils.redirect(url, parameters, request_data=self._request_data)
 
     def is_authenticated(self):
         """
@@ -229,7 +229,7 @@ def is_authenticated(self):
         :returns: True if is authenticated, False if not
         :rtype: bool
         """
-        return self.__authenticated
+        return self._authenticated
 
     def get_attributes(self):
         """
@@ -238,7 +238,7 @@ def get_attributes(self):
         :returns: SAML attributes
         :rtype: dict
         """
-        return self.__attributes
+        return self._attributes
 
     def get_friendlyname_attributes(self):
         """
@@ -247,7 +247,7 @@ def get_friendlyname_attributes(self):
         :returns: SAML attributes
         :rtype: dict
         """
-        return self.__friendlyname_attributes
+        return self._friendlyname_attributes
 
     def get_nameid(self):
         """
@@ -256,7 +256,7 @@ def get_nameid(self):
         :returns: NameID
         :rtype: string|None
         """
-        return self.__nameid
+        return self._nameid
 
     def get_nameid_format(self):
         """
@@ -265,7 +265,7 @@ def get_nameid_format(self):
         :returns: NameID Format
         :rtype: string|None
         """
-        return self.__nameid_format
+        return self._nameid_format
 
     def get_nameid_nq(self):
         """
@@ -274,7 +274,7 @@ def get_nameid_nq(self):
         :returns: NameID NameQualifier
         :rtype: string|None
         """
-        return self.__nameid_nq
+        return self._nameid_nq
 
     def get_nameid_spnq(self):
         """
@@ -283,7 +283,7 @@ def get_nameid_spnq(self):
         :returns: NameID SP NameQualifier
         :rtype: string|None
         """
-        return self.__nameid_spnq
+        return self._nameid_spnq
 
     def get_session_index(self):
         """
@@ -291,7 +291,7 @@ def get_session_index(self):
         :returns: The SessionIndex of the assertion
         :rtype: string
         """
-        return self.__session_index
+        return self._session_index
 
     def get_session_expiration(self):
         """
@@ -299,14 +299,14 @@ def get_session_expiration(self):
         :returns: The SessionNotOnOrAfter of the assertion
         :rtype: unix/posix timestamp|None
         """
-        return self.__session_expiration
+        return self._session_expiration
 
     def get_last_assertion_not_on_or_after(self):
         """
         The NotOnOrAfter value of the valid SubjectConfirmationData node
         (if any) of the last assertion processed
         """
-        return self.__last_assertion_not_on_or_after
+        return self._last_assertion_not_on_or_after
 
     def get_errors(self):
         """
@@ -315,7 +315,7 @@ def get_errors(self):
         :returns: List of errors
         :rtype: list
         """
-        return self.__errors
+        return self._errors
 
     def get_last_error_reason(self):
         """
@@ -324,7 +324,7 @@ def get_last_error_reason(self):
         :returns: Reason of the last error
         :rtype: None | string
         """
-        return self.__error_reason
+        return self._error_reason
 
     def get_attribute(self, name):
         """
@@ -337,7 +337,7 @@ def get_attribute(self, name):
         :rtype: list
         """
         assert isinstance(name, compat.str_type)
-        return self.__attributes.get(name)
+        return self._attributes.get(name)
 
     def get_friendlyname_attribute(self, friendlyname):
         """
@@ -350,35 +350,35 @@ def get_friendlyname_attribute(self, friendlyname):
         :rtype: list
         """
         assert isinstance(friendlyname, compat.str_type)
-        return self.__friendlyname_attributes.get(friendlyname)
+        return self._friendlyname_attributes.get(friendlyname)
 
     def get_last_request_id(self):
         """
         :returns: The ID of the last Request SAML message generated.
         :rtype: string
         """
-        return self.__last_request_id
+        return self._last_request_id
 
     def get_last_message_id(self):
         """
         :returns: The ID of the last Response SAML message processed.
         :rtype: string
         """
-        return self.__last_message_id
+        return self._last_message_id
 
     def get_last_assertion_id(self):
         """
         :returns: The ID of the last assertion processed.
         :rtype: string
         """
-        return self.__last_assertion_id
+        return self._last_assertion_id
 
     def get_last_authn_contexts(self):
         """
         :returns: The list of authentication contexts sent in the last SAML Response.
         :rtype: list
         """
-        return self.__last_authn_contexts
+        return self._last_authn_contexts
 
     def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
         """
@@ -402,9 +402,9 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
         :returns: Redirection URL
         :rtype: string
         """
-        authn_request = self.authn_request_class(self.__settings, force_authn, is_passive, set_nameid_policy, name_id_value_req)
-        self.__last_request = authn_request.get_xml()
-        self.__last_request_id = authn_request.get_id()
+        authn_request = self.authn_request_class(self._settings, force_authn, is_passive, set_nameid_policy, name_id_value_req)
+        self._last_request = authn_request.get_xml()
+        self._last_request_id = authn_request.get_id()
 
         saml_request = authn_request.get_request()
         parameters = {'SAMLRequest': saml_request}
@@ -412,9 +412,9 @@ def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_
         if return_to is not None:
             parameters['RelayState'] = return_to
         else:
-            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self.__request_data)
+            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self._request_data)
 
-        security = self.__settings.get_security_data()
+        security = self._settings.get_security_data()
         if security.get('authnRequestsSigned', False):
             self.add_request_signature(parameters, security['signatureAlgorithm'])
         return self.redirect_to(self.get_sso_url(), parameters)
@@ -450,30 +450,30 @@ def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name
                 OneLogin_Saml2_Error.SAML_SINGLE_LOGOUT_NOT_SUPPORTED
             )
 
-        if name_id is None and self.__nameid is not None:
-            name_id = self.__nameid
+        if name_id is None and self._nameid is not None:
+            name_id = self._nameid
 
-        if name_id_format is None and self.__nameid_format is not None:
-            name_id_format = self.__nameid_format
+        if name_id_format is None and self._nameid_format is not None:
+            name_id_format = self._nameid_format
 
         logout_request = self.logout_request_class(
-            self.__settings,
+            self._settings,
             name_id=name_id,
             session_index=session_index,
             nq=nq,
             name_id_format=name_id_format,
             spnq=spnq
         )
-        self.__last_request = logout_request.get_xml()
-        self.__last_request_id = logout_request.id
+        self._last_request = logout_request.get_xml()
+        self._last_request_id = logout_request.id
 
         parameters = {'SAMLRequest': logout_request.get_request()}
         if return_to is not None:
             parameters['RelayState'] = return_to
         else:
-            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self.__request_data)
+            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self._request_data)
 
-        security = self.__settings.get_security_data()
+        security = self._settings.get_security_data()
         if security.get('logoutRequestSigned', False):
             self.add_request_signature(parameters, security['signatureAlgorithm'])
         return self.redirect_to(slo_url, parameters)
@@ -485,7 +485,7 @@ def get_sso_url(self):
         :returns: An URL, the SSO endpoint of the IdP
         :rtype: string
         """
-        return self.__settings.get_idp_sso_url()
+        return self._settings.get_idp_sso_url()
 
     def get_slo_url(self):
         """
@@ -494,7 +494,7 @@ def get_slo_url(self):
         :returns: An URL, the SLO endpoint of the IdP
         :rtype: string
         """
-        return self.__settings.get_idp_slo_url()
+        return self._settings.get_idp_slo_url()
 
     def get_slo_response_url(self):
         """
@@ -503,7 +503,7 @@ def get_slo_response_url(self):
         :returns: an URL, the SLO return endpoint of the IdP
         :rtype: string
         """
-        return self.__settings.get_idp_slo_response_url()
+        return self._settings.get_idp_slo_response_url()
 
     def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
@@ -515,7 +515,7 @@ def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Cons
         :param sign_algorithm: Signature algorithm method
         :type sign_algorithm: string
         """
-        return self.__build_signature(request_data, 'SAMLRequest', sign_algorithm)
+        return self._build_signature(request_data, 'SAMLRequest', sign_algorithm)
 
     def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
@@ -526,10 +526,10 @@ def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Co
         :param sign_algorithm: Signature algorithm method
         :type sign_algorithm: string
         """
-        return self.__build_signature(response_data, 'SAMLResponse', sign_algorithm)
+        return self._build_signature(response_data, 'SAMLResponse', sign_algorithm)
 
     @staticmethod
-    def __build_sign_query_from_qs(query_string, saml_type):
+    def _build_sign_query_from_qs(query_string, saml_type):
         """
         Build sign query from query string
 
@@ -545,7 +545,7 @@ def __build_sign_query_from_qs(query_string, saml_type):
         return '&'.join(part for arg in args for part in parts if part.startswith(arg))
 
     @staticmethod
-    def __build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_urlencoding=False):
+    def _build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_urlencoding=False):
         """
         Build sign query
 
@@ -570,7 +570,7 @@ def __build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_u
         sign_data.append('SigAlg=%s' % OneLogin_Saml2_Utils.escape_url(algorithm, lowercase_urlencoding))
         return '&'.join(sign_data)
 
-    def __build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
+    def _build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
         """
         Builds the Signature
         :param data: The Request data
@@ -591,10 +591,10 @@ def __build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Const
                 OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
             )
 
-        msg = self.__build_sign_query(data[saml_type],
-                                      data.get('RelayState', None),
-                                      sign_algorithm,
-                                      saml_type)
+        msg = self._build_sign_query(data[saml_type],
+                                     data.get('RelayState', None),
+                                     sign_algorithm,
+                                     saml_type)
 
         sign_algorithm_transform_map = {
             OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
@@ -605,7 +605,7 @@ def __build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Const
         }
         sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA1)
 
-        signature = OneLogin_Saml2_Utils.sign_binary(msg, key, sign_algorithm_transform, self.__settings.is_debug_active())
+        signature = OneLogin_Saml2_Utils.sign_binary(msg, key, sign_algorithm_transform, self._settings.is_debug_active())
         data['Signature'] = OneLogin_Saml2_Utils.b64encode(signature)
         data['SigAlg'] = sign_algorithm
 
@@ -618,7 +618,7 @@ def validate_request_signature(self, request_data):
 
         """
 
-        return self.__validate_signature(request_data, 'SAMLRequest')
+        return self._validate_signature(request_data, 'SAMLRequest')
 
     def validate_response_signature(self, request_data):
         """
@@ -629,9 +629,9 @@ def validate_response_signature(self, request_data):
 
         """
 
-        return self.__validate_signature(request_data, 'SAMLResponse')
+        return self._validate_signature(request_data, 'SAMLResponse')
 
-    def __validate_signature(self, data, saml_type, raise_exceptions=False):
+    def _validate_signature(self, data, saml_type, raise_exceptions=False):
         """
         Validate Signature
 
@@ -650,7 +650,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
         try:
             signature = data.get('Signature', None)
             if signature is None:
-                if self.__settings.is_strict() and self.__settings.get_security_data().get('wantMessagesSigned', False):
+                if self._settings.is_strict() and self._settings.get_security_data().get('wantMessagesSigned', False):
                     raise OneLogin_Saml2_ValidationError(
                         'The %s is not signed. Rejected.' % saml_type,
                         OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
@@ -666,7 +666,7 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
 
             if not (exists_x509cert or exists_multix509sign):
                 error_msg = 'In order to validate the sign on the %s, the x509cert of the IdP is required' % saml_type
-                self.__errors.append(error_msg)
+                self._errors.append(error_msg)
                 raise OneLogin_Saml2_Error(
                     error_msg,
                     OneLogin_Saml2_Error.CERT_NOT_FOUND
@@ -676,16 +676,16 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
             if isinstance(sign_alg, bytes):
                 sign_alg = sign_alg.decode('utf8')
 
-            query_string = self.__request_data.get('query_string')
-            if query_string and self.__request_data.get('validate_signature_from_qs'):
-                signed_query = self.__build_sign_query_from_qs(query_string, saml_type)
+            query_string = self._request_data.get('query_string')
+            if query_string and self._request_data.get('validate_signature_from_qs'):
+                signed_query = self._build_sign_query_from_qs(query_string, saml_type)
             else:
-                lowercase_urlencoding = self.__request_data.get('lowercase_urlencoding', False)
-                signed_query = self.__build_sign_query(data[saml_type],
-                                                       data.get('RelayState'),
-                                                       sign_alg,
-                                                       saml_type,
-                                                       lowercase_urlencoding)
+                lowercase_urlencoding = self._request_data.get('lowercase_urlencoding', False)
+                signed_query = self._build_sign_query(data[saml_type],
+                                                      data.get('RelayState'),
+                                                      sign_alg,
+                                                      saml_type,
+                                                      lowercase_urlencoding)
 
             if exists_multix509sign:
                 for cert in idp_data['x509certMulti']['signing']:
@@ -705,14 +705,14 @@ def __validate_signature(self, data, saml_type, raise_exceptions=False):
                                                                  OneLogin_Saml2_Utils.b64decode(signature),
                                                                  cert,
                                                                  sign_alg,
-                                                                 self.__settings.is_debug_active()):
+                                                                 self._settings.is_debug_active()):
                     raise OneLogin_Saml2_ValidationError(
                         'Signature validation failed. %s rejected' % saml_type,
                         OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
                     )
             return True
         except Exception as e:
-            self.__error_reason = str(e)
+            self._error_reason = str(e)
             if raise_exceptions:
                 raise e
             return False
@@ -725,11 +725,11 @@ def get_last_response_xml(self, pretty_print_if_possible=False):
         :rtype: string|None
         """
         response = None
-        if self.__last_response is not None:
-            if isinstance(self.__last_response, compat.str_type):
-                response = self.__last_response
+        if self._last_response is not None:
+            if isinstance(self._last_response, compat.str_type):
+                response = self._last_response
             else:
-                response = tostring(self.__last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
+                response = tostring(self._last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
         return response
 
     def get_last_request_xml(self):
@@ -738,4 +738,4 @@ def get_last_request_xml(self):
         :returns: SAML request XML
         :rtype: string|None
         """
-        return self.__last_request or None
+        return self._last_request or None
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index cdbf2c44..0aa1623d 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -41,13 +41,13 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
         :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
         :type name_id_value_req: string
         """
-        self.__settings = settings
+        self._settings = settings
 
-        sp_data = self.__settings.get_sp_data()
-        idp_data = self.__settings.get_idp_data()
-        security = self.__settings.get_security_data()
+        sp_data = self._settings.get_sp_data()
+        idp_data = self._settings.get_idp_data()
+        security = self._settings.get_security_data()
 
-        self.__id = self._generate_request_id()
+        self._id = self._generate_request_id()
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
 
         destination = idp_data['singleSignOnService']['url']
@@ -112,7 +112,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
 
         request = OneLogin_Saml2_Templates.AUTHN_REQUEST % \
             {
-                'id': self.__id,
+                'id': self._id,
                 'provider_name': provider_name_str,
                 'force_authn_str': force_authn_str,
                 'is_passive_str': is_passive_str,
@@ -127,7 +127,7 @@ def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_pol
                 'acs_binding': sp_data['assertionConsumerService'].get('binding', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST')
             }
 
-        self.__authn_request = request
+        self._authn_request = request
 
     def _generate_request_id(self):
         """
@@ -144,9 +144,9 @@ def get_request(self, deflate=True):
         :rtype: str object
         """
         if deflate:
-            request = OneLogin_Saml2_Utils.deflate_and_base64_encode(self.__authn_request)
+            request = OneLogin_Saml2_Utils.deflate_and_base64_encode(self._authn_request)
         else:
-            request = OneLogin_Saml2_Utils.b64encode(self.__authn_request)
+            request = OneLogin_Saml2_Utils.b64encode(self._authn_request)
         return request
 
     def get_id(self):
@@ -155,7 +155,7 @@ def get_id(self):
         :return: AuthNRequest ID
         :rtype: string
         """
-        return self.__id
+        return self._id
 
     def get_xml(self):
         """
@@ -163,4 +163,4 @@ def get_xml(self):
         :return: XML request body
         :rtype: string
         """
-        return self.__authn_request
+        return self._authn_request
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 3ed3fb15..84cdd86b 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -50,14 +50,14 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
         :param spnq: SP Name Qualifier
         :type: string
         """
-        self.__settings = settings
-        self.__error = None
+        self._settings = settings
+        self._error = None
         self.id = None
 
         if request is None:
-            sp_data = self.__settings.get_sp_data()
-            idp_data = self.__settings.get_idp_data()
-            security = self.__settings.get_security_data()
+            sp_data = self._settings.get_sp_data()
+            idp_data = self._settings.get_idp_data()
+            security = self._settings.get_security_data()
 
             self.id = self._generate_request_id()
 
@@ -71,7 +71,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 if exists_multix509enc:
                     cert = idp_data['x509certMulti']['encryption'][0]
                 else:
-                    cert = self.__settings.get_idp_cert()
+                    cert = self._settings.get_idp_cert()
 
             if name_id is not None:
                 if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
@@ -109,7 +109,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
                 {
                     'id': self.id,
                     'issue_instant': issue_instant,
-                    'single_logout_url': self.__settings.get_idp_slo_url(),
+                    'single_logout_url': self._settings.get_idp_slo_url(),
                     'entity_id': sp_data['entityId'],
                     'name_id': name_id_obj,
                     'session_index': session_index_str,
@@ -118,7 +118,7 @@ def __init__(self, settings, request=None, name_id=None, session_index=None, nq=
             logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
             self.id = self.get_id(logout_request)
 
-        self.__logout_request = compat.to_string(logout_request)
+        self._logout_request = compat.to_string(logout_request)
 
     def get_request(self, deflate=True):
         """
@@ -129,9 +129,9 @@ def get_request(self, deflate=True):
         :rtype: str object
         """
         if deflate:
-            request = OneLogin_Saml2_Utils.deflate_and_base64_encode(self.__logout_request)
+            request = OneLogin_Saml2_Utils.deflate_and_base64_encode(self._logout_request)
         else:
-            request = OneLogin_Saml2_Utils.b64encode(self.__logout_request)
+            request = OneLogin_Saml2_Utils.b64encode(self._logout_request)
         return request
 
     def get_xml(self):
@@ -141,7 +141,7 @@ def get_xml(self):
         :return: XML request body
         :rtype: string
         """
-        return self.__logout_request
+        return self._logout_request
 
     @classmethod
     def get_id(cls, request):
@@ -279,24 +279,24 @@ def is_valid(self, request_data, raise_exceptions=False):
         :return: If the Logout Request is or not valid
         :rtype: boolean
         """
-        self.__error = None
+        self._error = None
         try:
-            root = OneLogin_Saml2_XML.to_etree(self.__logout_request)
+            root = OneLogin_Saml2_XML.to_etree(self._logout_request)
 
-            idp_data = self.__settings.get_idp_data()
+            idp_data = self._settings.get_idp_data()
             idp_entity_id = idp_data['entityId']
 
             get_data = ('get_data' in request_data and request_data['get_data']) or dict()
 
-            if self.__settings.is_strict():
-                res = OneLogin_Saml2_XML.validate_xml(root, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
+            if self._settings.is_strict():
+                res = OneLogin_Saml2_XML.validate_xml(root, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
                 if isinstance(res, str):
                     raise OneLogin_Saml2_ValidationError(
                         'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
                         OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
                     )
 
-                security = self.__settings.get_security_data()
+                security = self._settings.get_security_data()
 
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
@@ -345,8 +345,8 @@ def is_valid(self, request_data, raise_exceptions=False):
             return True
         except Exception as err:
             # pylint: disable=R0801
-            self.__error = str(err)
-            debug = self.__settings.is_debug_active()
+            self._error = str(err)
+            debug = self._settings.is_debug_active()
             if debug:
                 print(err)
             if raise_exceptions:
@@ -357,7 +357,7 @@ def get_error(self):
         """
         After executing a validation process, if it fails this method returns the cause
         """
-        return self.__error
+        return self._error
 
     def _generate_request_id(self):
         """
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index bd942200..e9368e8a 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -33,13 +33,13 @@ def __init__(self, settings, response=None):
             * (string)                    response. An UUEncoded SAML Logout
                                                     response from the IdP.
         """
-        self.__settings = settings
-        self.__error = None
+        self._settings = settings
+        self._error = None
         self.id = None
 
         if response is not None:
-            self.__logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response, ignore_zip=True))
-            self.document = OneLogin_Saml2_XML.to_etree(self.__logout_response)
+            self._logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response, ignore_zip=True))
+            self.document = OneLogin_Saml2_XML.to_etree(self._logout_response)
             self.id = self.document.get('ID', None)
 
     def get_issuer(self):
@@ -49,7 +49,7 @@ def get_issuer(self):
         :rtype: string
         """
         issuer = None
-        issuer_nodes = self.__query('/samlp:LogoutResponse/saml:Issuer')
+        issuer_nodes = self._query('/samlp:LogoutResponse/saml:Issuer')
         if len(issuer_nodes) == 1:
             issuer = OneLogin_Saml2_XML.element_text(issuer_nodes[0])
         return issuer
@@ -60,7 +60,7 @@ def get_status(self):
         :return: The Status
         :rtype: string
         """
-        entries = self.__query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode')
+        entries = self._query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode')
         if len(entries) == 0:
             return None
         status = entries[0].attrib['Value']
@@ -78,21 +78,21 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
         :return: Returns if the SAML LogoutResponse is or not valid
         :rtype: boolean
         """
-        self.__error = None
+        self._error = None
         try:
-            idp_data = self.__settings.get_idp_data()
+            idp_data = self._settings.get_idp_data()
             idp_entity_id = idp_data['entityId']
             get_data = request_data['get_data']
 
-            if self.__settings.is_strict():
-                res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
+            if self._settings.is_strict():
+                res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
                 if isinstance(res, str):
                     raise OneLogin_Saml2_ValidationError(
                         'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
                         OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
                     )
 
-                security = self.__settings.get_security_data()
+                security = self._settings.get_security_data()
 
                 # Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
                 in_response_to = self.get_in_response_to()
@@ -134,15 +134,15 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
             return True
         # pylint: disable=R0801
         except Exception as err:
-            self.__error = str(err)
-            debug = self.__settings.is_debug_active()
+            self._error = str(err)
+            debug = self._settings.is_debug_active()
             if debug:
                 print(err)
             if raise_exceptions:
                 raise
             return False
 
-    def __query(self, query):
+    def _query(self, query):
         """
         Extracts a node from the Etree (Logout Response Message)
         :param query: Xpath Expression
@@ -158,7 +158,7 @@ def build(self, in_response_to):
         :param in_response_to: InResponseTo value for the Logout Response.
         :type in_response_to: string
         """
-        sp_data = self.__settings.get_sp_data()
+        sp_data = self._settings.get_sp_data()
 
         self.id = self._generate_request_id()
 
@@ -168,13 +168,13 @@ def build(self, in_response_to):
             {
                 'id': self.id,
                 'issue_instant': issue_instant,
-                'destination': self.__settings.get_idp_slo_response_url(),
+                'destination': self._settings.get_idp_slo_response_url(),
                 'in_response_to': in_response_to,
                 'entity_id': sp_data['entityId'],
                 'status': "urn:oasis:names:tc:SAML:2.0:status:Success"
             }
 
-        self.__logout_response = logout_response
+        self._logout_response = logout_response
 
     def get_in_response_to(self):
         """
@@ -193,16 +193,16 @@ def get_response(self, deflate=True):
         :rtype: string
         """
         if deflate:
-            response = OneLogin_Saml2_Utils.deflate_and_base64_encode(self.__logout_response)
+            response = OneLogin_Saml2_Utils.deflate_and_base64_encode(self._logout_response)
         else:
-            response = OneLogin_Saml2_Utils.b64encode(self.__logout_response)
+            response = OneLogin_Saml2_Utils.b64encode(self._logout_response)
         return response
 
     def get_error(self):
         """
         After executing a validation process, if it fails this method returns the cause
         """
-        return self.__error
+        return self._error
 
     def get_xml(self):
         """
@@ -211,7 +211,7 @@ def get_xml(self):
         :return: XML response body
         :rtype: string
         """
-        return self.__logout_response
+        return self._logout_response
 
     def _generate_request_id(self):
         """
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index bd839c58..34c5f2c1 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -218,7 +218,7 @@ def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.R
         return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm)
 
     @staticmethod
-    def __add_x509_key_descriptors(root, cert, signing):
+    def _add_x509_key_descriptors(root, cert, signing):
         key_descriptor = OneLogin_Saml2_XML.make_child(root, '{%s}KeyDescriptor' % OneLogin_Saml2_Constants.NS_MD)
         root.remove(key_descriptor)
         root.insert(0, key_descriptor)
@@ -261,6 +261,6 @@ def add_x509_key_descriptors(cls, metadata, cert=None, add_encryption=True):
             raise Exception('Malformed metadata.')
 
         if add_encryption:
-            cls.__add_x509_key_descriptors(sp_sso_descriptor, cert, False)
-        cls.__add_x509_key_descriptors(sp_sso_descriptor, cert, True)
+            cls._add_x509_key_descriptors(sp_sso_descriptor, cert, False)
+        cls._add_x509_key_descriptors(sp_sso_descriptor, cert, True)
         return OneLogin_Saml2_XML.to_string(root)
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index d69242d3..7d372ab6 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -33,8 +33,8 @@ def __init__(self, settings, response):
         :param response: The base64 encoded, XML string containing the samlp:Response
         :type response: string
         """
-        self.__settings = settings
-        self.__error = None
+        self._settings = settings
+        self._error = None
         self.response = OneLogin_Saml2_Utils.b64decode(response)
         self.document = OneLogin_Saml2_XML.to_etree(self.response)
         self.decrypted_document = None
@@ -42,11 +42,11 @@ def __init__(self, settings, response):
         self.valid_scd_not_on_or_after = None
 
         # Quick check for the presence of EncryptedAssertion
-        encrypted_assertion_nodes = self.__query('/samlp:Response/saml:EncryptedAssertion')
+        encrypted_assertion_nodes = self._query('/samlp:Response/saml:EncryptedAssertion')
         if encrypted_assertion_nodes:
             decrypted_document = deepcopy(self.document)
             self.encrypted = True
-            self.decrypted_document = self.__decrypt_assertion(decrypted_document)
+            self.decrypted_document = self._decrypt_assertion(decrypted_document)
 
     def is_valid(self, request_data, request_id=None, raise_exceptions=False):
         """
@@ -64,7 +64,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
         :returns: True if the SAML Response is valid, False if not
         :rtype: bool
         """
-        self.__error = None
+        self._error = None
         try:
             # Checks SAML version
             if self.document.get('Version', None) != '2.0':
@@ -90,9 +90,9 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
                 )
 
-            idp_data = self.__settings.get_idp_data()
+            idp_data = self._settings.get_idp_data()
             idp_entity_id = idp_data['entityId']
-            sp_data = self.__settings.get_sp_data()
+            sp_data = self._settings.get_sp_data()
             sp_entity_id = sp_data['entityId']
 
             signed_elements = self.process_signed_elements()
@@ -100,9 +100,9 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
             has_signed_response = '{%s}Response' % OneLogin_Saml2_Constants.NS_SAMLP in signed_elements
             has_signed_assertion = '{%s}Assertion' % OneLogin_Saml2_Constants.NS_SAML in signed_elements
 
-            if self.__settings.is_strict():
+            if self._settings.is_strict():
                 no_valid_xml_msg = 'Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd'
-                res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
+                res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
                 if isinstance(res, str):
                     raise OneLogin_Saml2_ValidationError(
                         no_valid_xml_msg,
@@ -111,14 +111,14 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # If encrypted, check also the decrypted document
                 if self.encrypted:
-                    res = OneLogin_Saml2_XML.validate_xml(self.decrypted_document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
+                    res = OneLogin_Saml2_XML.validate_xml(self.decrypted_document, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
                     if isinstance(res, str):
                         raise OneLogin_Saml2_ValidationError(
                             no_valid_xml_msg,
                             OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
                         )
 
-                security = self.__settings.get_security_data()
+                security = self._settings.get_security_data()
                 current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
 
                 # Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
@@ -137,7 +137,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     )
 
                 if security['wantNameIdEncrypted']:
-                    encrypted_nameid_nodes = self.__query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
+                    encrypted_nameid_nodes = self._query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
                     if len(encrypted_nameid_nodes) != 1:
                         raise OneLogin_Saml2_ValidationError(
                             'The NameID of the Response is not encrypted and the SP require it',
@@ -174,14 +174,14 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                         )
 
                 # Checks that there is at least one AttributeStatement if required
-                attribute_statement_nodes = self.__query_assertion('/saml:AttributeStatement')
+                attribute_statement_nodes = self._query_assertion('/saml:AttributeStatement')
                 if security.get('wantAttributeStatement', True) and not attribute_statement_nodes:
                     raise OneLogin_Saml2_ValidationError(
                         'There is no AttributeStatement on the Response',
                         OneLogin_Saml2_ValidationError.NO_ATTRIBUTESTATEMENT
                     )
 
-                encrypted_attributes_nodes = self.__query_assertion('/saml:AttributeStatement/saml:EncryptedAttribute')
+                encrypted_attributes_nodes = self._query_assertion('/saml:AttributeStatement/saml:EncryptedAttribute')
                 if encrypted_attributes_nodes:
                     raise OneLogin_Saml2_ValidationError(
                         'There is an EncryptedAttribute in the Response and this SP not support them',
@@ -236,7 +236,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
                 # Checks the SubjectConfirmation, at least one SubjectConfirmation must be valid
                 any_subject_confirmation = False
-                subject_confirmation_nodes = self.__query_assertion('/saml:Subject/saml:SubjectConfirmation')
+                subject_confirmation_nodes = self._query_assertion('/saml:Subject/saml:SubjectConfirmation')
 
                 for scn in subject_confirmation_nodes:
                     method = scn.get('Method', None)
@@ -293,7 +293,7 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                     OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND
                 )
             else:
-                cert = self.__settings.get_idp_cert()
+                cert = self._settings.get_idp_cert()
                 fingerprint = idp_data.get('certFingerprint', None)
                 if fingerprint:
                     fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint)
@@ -319,8 +319,8 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
 
             return True
         except Exception as err:
-            self.__error = str(err)
-            debug = self.__settings.is_debug_active()
+            self._error = str(err)
+            debug = self._settings.is_debug_active()
             if debug:
                 print(err)
             if raise_exceptions:
@@ -351,7 +351,7 @@ def check_one_condition(self):
         """
         Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
         """
-        condition_nodes = self.__query_assertion('/saml:Conditions')
+        condition_nodes = self._query_assertion('/saml:Conditions')
         if len(condition_nodes) == 1:
             return True
         else:
@@ -361,7 +361,7 @@ def check_one_authnstatement(self):
         """
         Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
         """
-        authnstatement_nodes = self.__query_assertion('/saml:AuthnStatement')
+        authnstatement_nodes = self._query_assertion('/saml:AuthnStatement')
         if len(authnstatement_nodes) == 1:
             return True
         else:
@@ -374,7 +374,7 @@ def get_audiences(self):
         :returns: The valid audiences for the SAML Response
         :rtype: list
         """
-        audience_nodes = self.__query_assertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience')
+        audience_nodes = self._query_assertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience')
         return [OneLogin_Saml2_XML.element_text(node) for node in audience_nodes if OneLogin_Saml2_XML.element_text(node) is not None]
 
     def get_authn_contexts(self):
@@ -384,7 +384,7 @@ def get_authn_contexts(self):
         :returns: The authentication classes for the SAML Response
         :rtype: list
         """
-        authn_context_nodes = self.__query_assertion('/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef')
+        authn_context_nodes = self._query_assertion('/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef')
         return [OneLogin_Saml2_XML.element_text(node) for node in authn_context_nodes]
 
     def get_in_response_to(self):
@@ -416,7 +416,7 @@ def get_issuers(self):
                     OneLogin_Saml2_ValidationError.ISSUER_MULTIPLE_IN_RESPONSE
                 )
 
-        assertion_issuer_nodes = self.__query_assertion('/saml:Issuer')
+        assertion_issuer_nodes = self._query_assertion('/saml:Issuer')
         if len(assertion_issuer_nodes) == 1:
             issuer_value = OneLogin_Saml2_XML.element_text(assertion_issuer_nodes[0])
             if issuer_value:
@@ -439,18 +439,18 @@ def get_nameid_data(self):
         nameid = None
         nameid_data = {}
 
-        encrypted_id_data_nodes = self.__query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
+        encrypted_id_data_nodes = self._query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
         if encrypted_id_data_nodes:
             encrypted_data = encrypted_id_data_nodes[0]
-            key = self.__settings.get_sp_key()
+            key = self._settings.get_sp_key()
             nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key)
         else:
-            nameid_nodes = self.__query_assertion('/saml:Subject/saml:NameID')
+            nameid_nodes = self._query_assertion('/saml:Subject/saml:NameID')
             if nameid_nodes:
                 nameid = nameid_nodes[0]
 
-        is_strict = self.__settings.is_strict()
-        want_nameid = self.__settings.get_security_data().get('wantNameId', True)
+        is_strict = self._settings.is_strict()
+        want_nameid = self._settings.get_security_data().get('wantNameId', True)
         if nameid is None:
             if is_strict and want_nameid:
                 raise OneLogin_Saml2_ValidationError(
@@ -469,7 +469,7 @@ def get_nameid_data(self):
                 value = nameid.get(attr, None)
                 if value:
                     if is_strict and attr == 'SPNameQualifier':
-                        sp_data = self.__settings.get_sp_data()
+                        sp_data = self._settings.get_sp_data()
                         sp_entity_id = sp_data.get('entityId', '')
                         if sp_entity_id != value:
                             raise OneLogin_Saml2_ValidationError(
@@ -541,7 +541,7 @@ def get_session_not_on_or_after(self):
         :rtype: time|None
         """
         not_on_or_after = None
-        authn_statement_nodes = self.__query_assertion('/saml:AuthnStatement[@SessionNotOnOrAfter]')
+        authn_statement_nodes = self._query_assertion('/saml:AuthnStatement[@SessionNotOnOrAfter]')
         if authn_statement_nodes:
             not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(authn_statement_nodes[0].get('SessionNotOnOrAfter'))
         return not_on_or_after
@@ -563,7 +563,7 @@ def get_session_index(self):
         :rtype: string|None
         """
         session_index = None
-        authn_statement_nodes = self.__query_assertion('/saml:AuthnStatement[@SessionIndex]')
+        authn_statement_nodes = self._query_assertion('/saml:AuthnStatement[@SessionIndex]')
         if authn_statement_nodes:
             session_index = authn_statement_nodes[0].get('SessionIndex')
         return session_index
@@ -583,9 +583,9 @@ def get_friendlyname_attributes(self):
         return self._get_attributes('FriendlyName')
 
     def _get_attributes(self, attr_name):
-        allow_duplicates = self.__settings.get_security_data().get('allowRepeatAttributeName', False)
+        allow_duplicates = self._settings.get_security_data().get('allowRepeatAttributeName', False)
         attributes = {}
-        attribute_nodes = self.__query_assertion('/saml:AttributeStatement/saml:Attribute')
+        attribute_nodes = self._query_assertion('/saml:AttributeStatement/saml:Attribute')
         for attribute_node in attribute_nodes:
             attr_key = attribute_node.get(attr_name)
             if attr_key:
@@ -645,7 +645,7 @@ def process_signed_elements(self):
         :returns: The signed elements tag names
         :rtype: list
         """
-        sign_nodes = self.__query('//ds:Signature')
+        sign_nodes = self._query('//ds:Signature')
 
         signed_elements = []
         verified_seis = []
@@ -737,7 +737,7 @@ def validate_signed_elements(self, signed_elements):
                 )
 
         if assertion_tag in signed_elements:
-            expected_signature_nodes = self.__query(OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH)
+            expected_signature_nodes = self._query(OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH)
             if len(expected_signature_nodes) != 1:
                 raise OneLogin_Saml2_ValidationError(
                     'Unexpected number of Assertion signatures found. SAML Response rejected.',
@@ -754,7 +754,7 @@ def validate_timestamps(self):
         :returns: True if the condition is valid, False otherwise
         :rtype: bool
         """
-        conditions_nodes = self.__query_assertion('/saml:Conditions')
+        conditions_nodes = self._query_assertion('/saml:Conditions')
 
         for conditions_node in conditions_nodes:
             nb_attr = conditions_node.get('NotBefore')
@@ -771,7 +771,7 @@ def validate_timestamps(self):
                 )
         return True
 
-    def __query_assertion(self, xpath_expr):
+    def _query_assertion(self, xpath_expr):
         """
         Extracts nodes that match the query from the Assertion
 
@@ -785,13 +785,13 @@ def __query_assertion(self, xpath_expr):
         assertion_expr = '/saml:Assertion'
         signature_expr = '/ds:Signature/ds:SignedInfo/ds:Reference'
         signed_assertion_query = '/samlp:Response' + assertion_expr + signature_expr
-        assertion_reference_nodes = self.__query(signed_assertion_query)
+        assertion_reference_nodes = self._query(signed_assertion_query)
         tagid = None
 
         if not assertion_reference_nodes:
             # Check if the message is signed
             signed_message_query = '/samlp:Response' + signature_expr
-            message_reference_nodes = self.__query(signed_message_query)
+            message_reference_nodes = self._query(signed_message_query)
             if message_reference_nodes:
                 message_id = message_reference_nodes[0].get('URI')
                 final_query = "/samlp:Response[@ID=$tagid]/"
@@ -804,9 +804,9 @@ def __query_assertion(self, xpath_expr):
             final_query = '/samlp:Response' + assertion_expr + "[@ID=$tagid]"
             tagid = assertion_id[1:]
         final_query += xpath_expr
-        return self.__query(final_query, tagid)
+        return self._query(final_query, tagid)
 
-    def __query(self, query, tagid=None):
+    def _query(self, query, tagid=None):
         """
         Extracts nodes that match the query from the Response
 
@@ -825,7 +825,7 @@ def __query(self, query, tagid=None):
             document = self.document
         return OneLogin_Saml2_XML.query(document, query, None, tagid)
 
-    def __decrypt_assertion(self, xml):
+    def _decrypt_assertion(self, xml):
         """
         Decrypts the Assertion
 
@@ -835,8 +835,8 @@ def __decrypt_assertion(self, xml):
         :returns: Decrypted Assertion
         :rtype: Element
         """
-        key = self.__settings.get_sp_key()
-        debug = self.__settings.is_debug_active()
+        key = self._settings.get_sp_key()
+        debug = self._settings.is_debug_active()
 
         if not key:
             raise OneLogin_Saml2_Error(
@@ -885,7 +885,7 @@ def get_error(self):
         """
         After executing a validation process, if it fails this method returns the cause
         """
-        return self.__error
+        return self._error
 
     def get_xml_document(self):
         """
@@ -916,4 +916,4 @@ def get_assertion_id(self):
                 'SAML Response must contain 1 assertion',
                 OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
             )
-        return self.__query_assertion('')[0].get('ID', None)
+        return self._query_assertion('')[0].get('ID', None)
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 38e79041..3163995e 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -98,37 +98,37 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals
         :param sp_validation_only: Avoid the IdP validation
         :type sp_validation_only: boolean
         """
-        self.__sp_validation_only = sp_validation_only
-        self.__paths = {}
-        self.__strict = True
-        self.__debug = False
-        self.__sp = {}
-        self.__idp = {}
-        self.__security = {}
-        self.__contacts = {}
-        self.__organization = {}
-        self.__errors = []
-
-        self.__load_paths(base_path=custom_base_path)
-        self.__update_paths(settings)
+        self._sp_validation_only = sp_validation_only
+        self._paths = {}
+        self._strict = True
+        self._debug = False
+        self._sp = {}
+        self._idp = {}
+        self._security = {}
+        self._contacts = {}
+        self._organization = {}
+        self._errors = []
+
+        self._load_paths(base_path=custom_base_path)
+        self._update_paths(settings)
 
         if settings is None:
             try:
-                valid = self.__load_settings_from_file()
+                valid = self._load_settings_from_file()
             except Exception as e:
                 raise e
             if not valid:
                 raise OneLogin_Saml2_Error(
                     'Invalid dict settings at the file: %s',
                     OneLogin_Saml2_Error.SETTINGS_INVALID,
-                    ','.join(self.__errors)
+                    ','.join(self._errors)
                 )
         elif isinstance(settings, dict):
-            if not self.__load_settings_from_dict(settings):
+            if not self._load_settings_from_dict(settings):
                 raise OneLogin_Saml2_Error(
                     'Invalid dict settings: %s',
                     OneLogin_Saml2_Error.SETTINGS_INVALID,
-                    ','.join(self.__errors)
+                    ','.join(self._errors)
                 )
         else:
             raise OneLogin_Saml2_Error(
@@ -137,14 +137,14 @@ def __init__(self, settings=None, custom_base_path=None, sp_validation_only=Fals
             )
 
         self.format_idp_cert()
-        if 'x509certMulti' in self.__idp:
+        if 'x509certMulti' in self._idp:
             self.format_idp_cert_multi()
         self.format_sp_cert()
-        if 'x509certNew' in self.__sp:
+        if 'x509certNew' in self._sp:
             self.format_sp_cert_new()
         self.format_sp_key()
 
-    def __load_paths(self, base_path=None):
+    def _load_paths(self, base_path=None):
         """
         Set the paths of the different folders
         """
@@ -152,13 +152,13 @@ def __load_paths(self, base_path=None):
             base_path = dirname(dirname(dirname(__file__)))
         if not base_path.endswith(sep):
             base_path += sep
-        self.__paths = {
+        self._paths = {
             'base': base_path,
             'cert': base_path + 'certs' + sep,
             'lib': dirname(__file__) + sep
         }
 
-    def __update_paths(self, settings):
+    def _update_paths(self, settings):
         """
         Set custom paths if necessary
         """
@@ -168,7 +168,7 @@ def __update_paths(self, settings):
         if 'custom_base_path' in settings:
             base_path = settings['custom_base_path']
             base_path = join(dirname(__file__), base_path)
-            self.__load_paths(base_path)
+            self._load_paths(base_path)
 
     def get_base_path(self):
         """
@@ -177,7 +177,7 @@ def get_base_path(self):
         :return: The base toolkit folder path
         :rtype: string
         """
-        return self.__paths['base']
+        return self._paths['base']
 
     def get_cert_path(self):
         """
@@ -186,13 +186,13 @@ def get_cert_path(self):
         :return: The cert folder path
         :rtype: string
         """
-        return self.__paths['cert']
+        return self._paths['cert']
 
     def set_cert_path(self, path):
         """
         Set a new cert path
         """
-        self.__paths['cert'] = path
+        self._paths['cert'] = path
 
     def get_lib_path(self):
         """
@@ -201,7 +201,7 @@ def get_lib_path(self):
         :return: The library folder path
         :rtype: string
         """
-        return self.__paths['lib']
+        return self._paths['lib']
 
     def get_schemas_path(self):
         """
@@ -210,9 +210,9 @@ def get_schemas_path(self):
         :return: The schema folder path
         :rtype: string
         """
-        return self.__paths['lib'] + 'schemas/'
+        return self._paths['lib'] + 'schemas/'
 
-    def __load_settings_from_dict(self, settings):
+    def _load_settings_from_dict(self, settings):
         """
         Loads settings info from a settings Dict
 
@@ -224,22 +224,22 @@ def __load_settings_from_dict(self, settings):
         """
         errors = self.check_settings(settings)
         if len(errors) == 0:
-            self.__errors = []
-            self.__sp = settings['sp']
-            self.__idp = settings.get('idp', {})
-            self.__strict = settings.get('strict', True)
-            self.__debug = settings.get('debug', False)
-            self.__security = settings.get('security', {})
-            self.__contacts = settings.get('contactPerson', {})
-            self.__organization = settings.get('organization', {})
-
-            self.__add_default_values()
+            self._errors = []
+            self._sp = settings['sp']
+            self._idp = settings.get('idp', {})
+            self._strict = settings.get('strict', True)
+            self._debug = settings.get('debug', False)
+            self._security = settings.get('security', {})
+            self._contacts = settings.get('contactPerson', {})
+            self._organization = settings.get('organization', {})
+
+            self._add_default_values()
             return True
 
-        self.__errors = errors
+        self._errors = errors
         return False
 
-    def __load_settings_from_file(self):
+    def _load_settings_from_file(self):
         """
         Loads settings info from the settings json file
 
@@ -265,69 +265,69 @@ def __load_settings_from_file(self):
             with open(advanced_filename, 'r') as json_data:
                 settings.update(json.loads(json_data.read()))  # Merge settings
 
-        return self.__load_settings_from_dict(settings)
+        return self._load_settings_from_dict(settings)
 
-    def __add_default_values(self):
+    def _add_default_values(self):
         """
         Add default values if the settings info is not complete
         """
-        self.__sp.setdefault('assertionConsumerService', {})
-        self.__sp['assertionConsumerService'].setdefault('binding', OneLogin_Saml2_Constants.BINDING_HTTP_POST)
+        self._sp.setdefault('assertionConsumerService', {})
+        self._sp['assertionConsumerService'].setdefault('binding', OneLogin_Saml2_Constants.BINDING_HTTP_POST)
 
-        self.__sp.setdefault('attributeConsumingService', {})
+        self._sp.setdefault('attributeConsumingService', {})
 
-        self.__sp.setdefault('singleLogoutService', {})
-        self.__sp['singleLogoutService'].setdefault('binding', OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
+        self._sp.setdefault('singleLogoutService', {})
+        self._sp['singleLogoutService'].setdefault('binding', OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
 
-        self.__idp.setdefault('singleLogoutService', {})
+        self._idp.setdefault('singleLogoutService', {})
 
         # Related to nameID
-        self.__sp.setdefault('NameIDFormat', OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED)
-        self.__security.setdefault('nameIdEncrypted', False)
+        self._sp.setdefault('NameIDFormat', OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED)
+        self._security.setdefault('nameIdEncrypted', False)
 
         # Metadata format
-        self.__security.setdefault('metadataValidUntil', None)  # None means use default
-        self.__security.setdefault('metadataCacheDuration', None)  # None means use default
+        self._security.setdefault('metadataValidUntil', None)  # None means use default
+        self._security.setdefault('metadataCacheDuration', None)  # None means use default
 
         # Sign provided
-        self.__security.setdefault('authnRequestsSigned', False)
-        self.__security.setdefault('logoutRequestSigned', False)
-        self.__security.setdefault('logoutResponseSigned', False)
-        self.__security.setdefault('signMetadata', False)
+        self._security.setdefault('authnRequestsSigned', False)
+        self._security.setdefault('logoutRequestSigned', False)
+        self._security.setdefault('logoutResponseSigned', False)
+        self._security.setdefault('signMetadata', False)
 
         # Sign expected
-        self.__security.setdefault('wantMessagesSigned', False)
-        self.__security.setdefault('wantAssertionsSigned', False)
+        self._security.setdefault('wantMessagesSigned', False)
+        self._security.setdefault('wantAssertionsSigned', False)
 
         # NameID element expected
-        self.__security.setdefault('wantNameId', True)
+        self._security.setdefault('wantNameId', True)
 
         # Encrypt expected
-        self.__security.setdefault('wantAssertionsEncrypted', False)
-        self.__security.setdefault('wantNameIdEncrypted', False)
+        self._security.setdefault('wantAssertionsEncrypted', False)
+        self._security.setdefault('wantNameIdEncrypted', False)
 
         # Signature Algorithm
-        self.__security.setdefault('signatureAlgorithm', OneLogin_Saml2_Constants.RSA_SHA1)
+        self._security.setdefault('signatureAlgorithm', OneLogin_Saml2_Constants.RSA_SHA1)
 
         # Digest Algorithm
-        self.__security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA1)
+        self._security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA1)
 
         # AttributeStatement required by default
-        self.__security.setdefault('wantAttributeStatement', True)
+        self._security.setdefault('wantAttributeStatement', True)
 
         # Disallow duplicate attribute names by default
-        self.__security.setdefault('allowRepeatAttributeName', False)
+        self._security.setdefault('allowRepeatAttributeName', False)
 
-        self.__idp.setdefault('x509cert', '')
-        self.__idp.setdefault('certFingerprint', '')
-        self.__idp.setdefault('certFingerprintAlgorithm', 'sha1')
+        self._idp.setdefault('x509cert', '')
+        self._idp.setdefault('certFingerprint', '')
+        self._idp.setdefault('certFingerprintAlgorithm', 'sha1')
 
-        self.__sp.setdefault('x509cert', '')
-        self.__sp.setdefault('privateKey', '')
+        self._sp.setdefault('x509cert', '')
+        self._sp.setdefault('privateKey', '')
 
-        self.__security.setdefault('requestedAuthnContext', True)
-        self.__security.setdefault('requestedAuthnContextComparison', 'exact')
-        self.__security.setdefault('failOnAuthnContextMismatch', False)
+        self._security.setdefault('requestedAuthnContext', True)
+        self._security.setdefault('requestedAuthnContextComparison', 'exact')
+        self._security.setdefault('failOnAuthnContextMismatch', False)
 
     def check_settings(self, settings):
         """
@@ -345,7 +345,7 @@ def check_settings(self, settings):
         if not isinstance(settings, dict) or len(settings) == 0:
             errors.append('invalid_syntax')
         else:
-            if not self.__sp_validation_only:
+            if not self._sp_validation_only:
                 errors += self.check_idp_settings(settings)
             sp_errors = self.check_sp_settings(settings)
             errors += sp_errors
@@ -425,9 +425,9 @@ def check_sp_settings(self, settings):
                 errors.append('sp_not_found')
             else:
                 allow_single_domain_urls = self._get_allow_single_label_domain(settings)
-                # check_sp_certs uses self.__sp so I add it
-                old_sp = self.__sp
-                self.__sp = settings['sp']
+                # check_sp_certs uses self._sp so I add it
+                old_sp = self._sp
+                self._sp = settings['sp']
 
                 sp = settings['sp']
                 security = settings.get('security', {})
@@ -508,9 +508,9 @@ def check_sp_settings(self, settings):
                             ('url' not in organization or len(organization['url']) == 0):
                         errors.append('organization_not_enought_data')
                         break
-        # Restores the value that had the self.__sp
+        # Restores the value that had the self._sp
         if 'old_sp' in locals():
-            self.__sp = old_sp
+            self._sp = old_sp
 
         return errors
 
@@ -562,8 +562,8 @@ def get_sp_key(self):
         :returns: SP private key
         :rtype: string or None
         """
-        key = self.__sp.get('privateKey')
-        key_file_name = self.__paths['cert'] + 'sp.key'
+        key = self._sp.get('privateKey')
+        key_file_name = self._paths['cert'] + 'sp.key'
 
         if not key and exists(key_file_name):
             with open(key_file_name) as f:
@@ -577,8 +577,8 @@ def get_sp_cert(self):
         :returns: SP public cert
         :rtype: string or None
         """
-        cert = self.__sp.get('x509cert')
-        cert_file_name = self.__paths['cert'] + 'sp.crt'
+        cert = self._sp.get('x509cert')
+        cert_file_name = self._paths['cert'] + 'sp.crt'
 
         if not cert and exists(cert_file_name):
             with open(cert_file_name) as f:
@@ -593,8 +593,8 @@ def get_sp_cert_new(self):
         :returns: SP public cert new
         :rtype: string or None
         """
-        cert = self.__sp.get('x509certNew')
-        cert_file_name = self.__paths['cert'] + 'sp_new.crt'
+        cert = self._sp.get('x509certNew')
+        cert_file_name = self._paths['cert'] + 'sp_new.crt'
 
         if not cert and exists(cert_file_name):
             with open(cert_file_name) as f:
@@ -608,7 +608,7 @@ def get_idp_cert(self):
         :returns: IdP public cert
         :rtype: string
         """
-        cert = self.__idp.get('x509cert')
+        cert = self._idp.get('x509cert')
         cert_file_name = self.get_cert_path() + 'idp.crt'
         if not cert and exists(cert_file_name):
             with open(cert_file_name) as f:
@@ -622,7 +622,7 @@ def get_idp_data(self):
         :returns: IdP info
         :rtype: dict
         """
-        return self.__idp
+        return self._idp
 
     def get_sp_data(self):
         """
@@ -631,7 +631,7 @@ def get_sp_data(self):
         :returns: SP info
         :rtype: dict
         """
-        return self.__sp
+        return self._sp
 
     def get_security_data(self):
         """
@@ -640,7 +640,7 @@ def get_security_data(self):
         :returns: Security info
         :rtype: dict
         """
-        return self.__security
+        return self._security
 
     def get_contacts(self):
         """
@@ -649,7 +649,7 @@ def get_contacts(self):
         :returns: Contacts info
         :rtype: dict
         """
-        return self.__contacts
+        return self._contacts
 
     def get_organization(self):
         """
@@ -658,7 +658,7 @@ def get_organization(self):
         :returns: Organization info
         :rtype: dict
         """
-        return self.__organization
+        return self._organization
 
     def get_sp_metadata(self):
         """
@@ -667,14 +667,14 @@ def get_sp_metadata(self):
         :rtype: string
         """
         metadata = self.metadata_class.builder(
-            self.__sp, self.__security['authnRequestsSigned'],
-            self.__security['wantAssertionsSigned'],
-            self.__security['metadataValidUntil'],
-            self.__security['metadataCacheDuration'],
+            self._sp, self._security['authnRequestsSigned'],
+            self._security['wantAssertionsSigned'],
+            self._security['metadataValidUntil'],
+            self._security['metadataCacheDuration'],
             self.get_contacts(), self.get_organization()
         )
 
-        add_encryption = self.__security['wantNameIdEncrypted'] or self.__security['wantAssertionsEncrypted']
+        add_encryption = self._security['wantNameIdEncrypted'] or self._security['wantAssertionsEncrypted']
 
         cert_new = self.get_sp_cert_new()
         metadata = self.metadata_class.add_x509_key_descriptors(metadata, cert_new, add_encryption)
@@ -683,8 +683,8 @@ def get_sp_metadata(self):
         metadata = self.metadata_class.add_x509_key_descriptors(metadata, cert, add_encryption)
 
         # Sign metadata
-        if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
-            if self.__security['signMetadata'] is True:
+        if 'signMetadata' in self._security and self._security['signMetadata'] is not False:
+            if self._security['signMetadata'] is True:
                 # Use the SP's normal key to sign the metadata:
                 if not cert:
                     raise OneLogin_Saml2_Error(
@@ -700,16 +700,16 @@ def get_sp_metadata(self):
                     )
             else:
                 # Use a custom key to sign the metadata:
-                if ('keyFileName' not in self.__security['signMetadata'] or
-                        'certFileName' not in self.__security['signMetadata']):
+                if ('keyFileName' not in self._security['signMetadata'] or
+                        'certFileName' not in self._security['signMetadata']):
                     raise OneLogin_Saml2_Error(
                         'Invalid Setting: signMetadata value of the sp is not valid',
                         OneLogin_Saml2_Error.SETTINGS_INVALID_SYNTAX
                     )
-                key_file_name = self.__security['signMetadata']['keyFileName']
-                cert_file_name = self.__security['signMetadata']['certFileName']
-                key_metadata_file = self.__paths['cert'] + key_file_name
-                cert_metadata_file = self.__paths['cert'] + cert_file_name
+                key_file_name = self._security['signMetadata']['keyFileName']
+                cert_file_name = self._security['signMetadata']['certFileName']
+                key_metadata_file = self._paths['cert'] + key_file_name
+                cert_metadata_file = self._paths['cert'] + cert_file_name
 
                 try:
                     with open(key_metadata_file, 'r') as f_metadata_key:
@@ -731,8 +731,8 @@ def get_sp_metadata(self):
                         cert_metadata_file
                     )
 
-            signature_algorithm = self.__security['signatureAlgorithm']
-            digest_algorithm = self.__security['digestAlgorithm']
+            signature_algorithm = self._security['signatureAlgorithm']
+            digest_algorithm = self._security['digestAlgorithm']
 
             metadata = self.metadata_class.sign_metadata(metadata, key_metadata, cert_metadata, signature_algorithm, digest_algorithm)
 
@@ -755,7 +755,7 @@ def validate_metadata(self, xml):
             raise Exception('Empty string supplied as input')
 
         errors = []
-        root = OneLogin_Saml2_XML.validate_xml(xml, 'saml-schema-metadata-2.0.xsd', self.__debug)
+        root = OneLogin_Saml2_XML.validate_xml(xml, 'saml-schema-metadata-2.0.xsd', self._debug)
         if isinstance(root, str):
             errors.append(root)
         else:
@@ -781,38 +781,38 @@ def format_idp_cert(self):
         """
         Formats the IdP cert.
         """
-        self.__idp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509cert'])
+        self._idp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self._idp['x509cert'])
 
     def format_idp_cert_multi(self):
         """
         Formats the Multple IdP certs.
         """
-        if 'x509certMulti' in self.__idp:
-            if 'signing' in self.__idp['x509certMulti']:
-                for idx in range(len(self.__idp['x509certMulti']['signing'])):
-                    self.__idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['signing'][idx])
+        if 'x509certMulti' in self._idp:
+            if 'signing' in self._idp['x509certMulti']:
+                for idx in range(len(self._idp['x509certMulti']['signing'])):
+                    self._idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self._idp['x509certMulti']['signing'][idx])
 
-            if 'encryption' in self.__idp['x509certMulti']:
-                for idx in range(len(self.__idp['x509certMulti']['encryption'])):
-                    self.__idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509certMulti']['encryption'][idx])
+            if 'encryption' in self._idp['x509certMulti']:
+                for idx in range(len(self._idp['x509certMulti']['encryption'])):
+                    self._idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self._idp['x509certMulti']['encryption'][idx])
 
     def format_sp_cert(self):
         """
         Formats the SP cert.
         """
-        self.__sp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__sp['x509cert'])
+        self._sp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self._sp['x509cert'])
 
     def format_sp_cert_new(self):
         """
         Formats the SP cert.
         """
-        self.__sp['x509certNew'] = OneLogin_Saml2_Utils.format_cert(self.__sp['x509certNew'])
+        self._sp['x509certNew'] = OneLogin_Saml2_Utils.format_cert(self._sp['x509certNew'])
 
     def format_sp_key(self):
         """
         Formats the private key.
         """
-        self.__sp['privateKey'] = OneLogin_Saml2_Utils.format_private_key(self.__sp['privateKey'])
+        self._sp['privateKey'] = OneLogin_Saml2_Utils.format_private_key(self._sp['privateKey'])
 
     def get_errors(self):
         """
@@ -821,7 +821,7 @@ def get_errors(self):
         :returns: Errors
         :rtype: list
         """
-        return self.__errors
+        return self._errors
 
     def set_strict(self, value):
         """
@@ -832,7 +832,7 @@ def set_strict(self, value):
         """
         assert isinstance(value, bool)
 
-        self.__strict = value
+        self._strict = value
 
     def is_strict(self):
         """
@@ -841,7 +841,7 @@ def is_strict(self):
         :returns: Strict parameter
         :rtype: boolean
         """
-        return self.__strict
+        return self._strict
 
     def is_debug_active(self):
         """
@@ -850,7 +850,7 @@ def is_debug_active(self):
         :returns: Debug parameter
         :rtype: boolean
         """
-        return self.__debug
+        return self._debug
 
     def _get_allow_single_label_domain(self, settings):
         security = settings.get('security', {})
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
index b23c633a..cbf225a1 100644
--- a/tests/src/OneLogin/saml2_tests/authn_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -52,7 +52,7 @@ def testCreateRequest(self):
 
         saml_settings = self.loadSettingsJSON()
         settings = OneLogin_Saml2_Settings(saml_settings)
-        settings._OneLogin_Saml2_Settings__organization = {
+        settings._organization = {
             u'en-US': {
                 u'url': u'http://sp.example.com',
                 u'name': u'sp_test'

From 3bd411d9ad00a38d02cfa9e4f550ca011a18b514 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 23 Jul 2021 02:26:33 +0200
Subject: [PATCH 224/331] Release 1.11.0

---
 changelog.md | 12 ++++++++++++
 setup.py     |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 4114cc04..4571ed31 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,16 @@
 # python3-saml changelog
+### 1.11.0 (Jul 23, 2021)
+* [#261](https://github.com/onelogin/python3-saml/pull/261) Allow duplicate named attributes, controlled by a new setting
+* [#268](https://github.com/onelogin/python3-saml/pull/268) Make the redirect scheme matcher case-insensitive
+* [#256](https://github.com/onelogin/python3-saml/pull/256) Improve signature validation process. Add an option to use query string for validation
+* [#259](https://github.com/onelogin/python3-saml/pull/259) Add get metadata timeout
+* [#246](https://github.com/onelogin/python3-saml/pull/246) Add the ability to change the ProtocolBinding in the authn request.
+* [#248](https://github.com/onelogin/python3-saml/pull/248) Move storing the response data into its own method in the Auth class
+* Remove the dependency on defusedxml
+* [#241](https://github.com/onelogin/python3-saml/pull/241) Improve AttributeConsumingService support
+* Update expired dates from test responses
+* Migrate from Travis to Github Actions
+
 ### 1.10.1 (Jan 27, 2021)
 * Fix bug on LogoutRequest class, get_idp_slo_response_url was used instead get_idp_slo_url
 
diff --git a/setup.py b/setup.py
index cff7b7c7..c783d224 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.10.1',
+    version='1.11.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From f435584496977bb91e2f62aecf3fe22fa47095b9 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Fri, 23 Jul 2021 14:34:21 +0300
Subject: [PATCH 225/331] Deprecate server_port from request data dictionary

`server_port` is unnecessary, since the HTTP Host header sent by the client
already includes any non-standard port.  In addition, when the Python
application server is sitting behind a reverse proxy/TLS terminator,
SERVER_PORT is likely to be wrong anyway (since it would be the server port
of the non-reverse-proxied server).

See https://github.com/onelogin/python3-saml/issues/273#issuecomment-885566427
---
 README.md                                     |  5 +-
 demo-django/demo/views.py                     |  1 -
 demo-flask/index.py                           |  4 +-
 demo-tornado/views.py                         |  3 +-
 demo_pyramid/demo_pyramid/views.py            |  5 +-
 src/onelogin/saml2/utils.py                   | 49 +++++++------------
 .../src/OneLogin/saml2_tests/response_test.py | 24 ++++++---
 tests/src/OneLogin/saml2_tests/utils_test.py  |  7 +--
 8 files changed, 41 insertions(+), 57 deletions(-)

diff --git a/README.md b/README.md
index 3bbf2a1f..05b5faf2 100644
--- a/README.md
+++ b/README.md
@@ -573,7 +573,6 @@ This parameter has the following scheme:
 req = {
     "http_host": "",
     "script_name": "",
-    "server_port": "",
     "get_data": "",
     "post_data": "",
 
@@ -594,7 +593,6 @@ def prepare_from_django_request(request):
     return {
         'http_host': request.META['HTTP_HOST'],
         'script_name': request.META['PATH_INFO'],
-        'server_port': request.META['SERVER_PORT'],
         'get_data': request.GET.copy(),
         'post_data': request.POST.copy()
     }
@@ -602,8 +600,7 @@ def prepare_from_django_request(request):
 def prepare_from_flask_request(request):
     url_data = urlparse(request.url)
     return {
-        'http_host': request.host,
-        'server_port': url_data.port,
+        'http_host': request.netloc,
         'script_name': request.path,
         'get_data': request.args.copy(),
         'post_data': request.form.copy()
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 418ab0c8..6003b821 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -20,7 +20,6 @@ def prepare_django_request(request):
         'https': 'on' if request.is_secure() else 'off',
         'http_host': request.META['HTTP_HOST'],
         'script_name': request.META['PATH_INFO'],
-        'server_port': request.META['SERVER_PORT'],
         'get_data': request.GET.copy(),
         # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
         # 'lowercase_urlencoding': True,
diff --git a/demo-flask/index.py b/demo-flask/index.py
index b523cb92..8a251a0a 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -21,11 +21,9 @@ def init_saml_auth(req):
 
 def prepare_flask_request(request):
     # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
-    url_data = urlparse(request.url)
     return {
         'https': 'on' if request.scheme == 'https' else 'off',
-        'http_host': request.host,
-        'server_port': url_data.port,
+        'http_host': request.netloc,
         'script_name': request.path,
         'get_data': request.args.copy(),
         # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
diff --git a/demo-tornado/views.py b/demo-tornado/views.py
index 70cfea68..e5d062aa 100644
--- a/demo-tornado/views.py
+++ b/demo-tornado/views.py
@@ -157,9 +157,8 @@ def prepare_tornado_request(request):
 
     result = {
         'https': 'on' if request == 'https' else 'off',
-        'http_host': tornado.httputil.split_host_and_port(request.host)[0],
+        'http_host': request.host,
         'script_name': request.path,
-        'server_port': tornado.httputil.split_host_and_port(request.host)[1],
         'get_data': dataDict,
         'post_data': dataDict,
         'query_string': request.query
diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index 6dab4edc..96434b8b 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -15,19 +15,16 @@ def init_saml_auth(req):
 
 
 def prepare_pyramid_request(request):
-    # Uncomment this portion to set the request.scheme and request.server_port
+    # Uncomment this portion to set the request.scheme
     # based on the supplied `X-Forwarded` headers.
     # Useful for running behind reverse proxies or balancers.
     #
     # if 'X-Forwarded-Proto' in request.headers:
     #    request.scheme = request.headers['X-Forwarded-Proto']
-    # if 'X-Forwarded-Port' in request.headers:
-    #    request.server_port = int(request.headers['X-Forwarded-Port'])
 
     return {
         'https': 'on' if request.scheme == 'https' else 'off',
         'http_host': request.host,
-        'server_port': request.server_port,
         'script_name': request.path,
         'get_data': request.GET.copy(),
         # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index db88bd34..51ab4e00 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -10,6 +10,7 @@
 """
 
 import base64
+import warnings
 from copy import deepcopy
 import calendar
 from datetime import datetime
@@ -254,27 +255,25 @@ def get_self_url_host(request_data):
         :rtype: string
         """
         current_host = OneLogin_Saml2_Utils.get_self_host(request_data)
-        port = ''
-        if OneLogin_Saml2_Utils.is_https(request_data):
-            protocol = 'https'
-        else:
-            protocol = 'http'
-
-        if 'server_port' in request_data and request_data['server_port'] is not None:
-            port_number = str(request_data['server_port'])
-            port = ':' + port_number
+        protocol = 'https' if OneLogin_Saml2_Utils.is_https(request_data) else 'http'
 
-            if protocol == 'http' and port_number == '80':
-                port = ''
-            elif protocol == 'https' and port_number == '443':
-                port = ''
+        if request_data.get('server_port') is not None:
+            warnings.warn(
+                'The server_port key in request data is deprecated. '
+                'The http_host key should include a port, if required.',
+                category=DeprecationWarning,
+            )
+            port_suffix = ':%s' % request_data['server_port']
+            if not current_host.endswith(port_suffix):
+                if not ((protocol == 'https' and port_suffix == ':443') or (protocol == 'http' and port_suffix == ':80')):
+                    current_host += port_suffix
 
-        return '%s://%s%s' % (protocol, current_host, port)
+        return '%s://%s' % (protocol, current_host)
 
     @staticmethod
     def get_self_host(request_data):
         """
-        Returns the current host.
+        Returns the current host (which may include a port number part).
 
         :param request_data: The request as a dict
         :type: dict
@@ -283,22 +282,11 @@ def get_self_host(request_data):
         :rtype: string
         """
         if 'http_host' in request_data:
-            current_host = request_data['http_host']
+            return request_data['http_host']
         elif 'server_name' in request_data:
-            current_host = request_data['server_name']
-        else:
-            raise Exception('No hostname defined')
-
-        if ':' in current_host:
-            current_host_data = current_host.split(':')
-            possible_port = current_host_data[-1]
-            try:
-                int(possible_port)
-                current_host = current_host_data[0]
-            except ValueError:
-                current_host = ':'.join(current_host_data)
-
-        return current_host
+            warnings.warn("The server_name key in request data is undocumented & deprecated.", category=DeprecationWarning)
+            return request_data['server_name']
+        raise Exception('No hostname defined')
 
     @staticmethod
     def is_https(request_data):
@@ -312,6 +300,7 @@ def is_https(request_data):
         :rtype: boolean
         """
         is_https = 'https' in request_data and request_data['https'] != 'off'
+        # TODO: this use of server_port should be removed too
         is_https = is_https or ('server_port' in request_data and str(request_data['server_port']) == '443')
         return is_https
 
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index a51f8e60..3f83bc2b 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -4,6 +4,7 @@
 # MIT License
 
 from base64 import b64decode
+
 from lxml import etree
 from datetime import datetime
 from datetime import timedelta
@@ -1528,22 +1529,31 @@ def testIsInValidEncIssues(self):
         self.assertFalse(response_5.is_valid(request_data))
         self.assertEqual('The NameID of the Response is not encrypted and the SP require it', response_5.get_error())
 
+    def testIsInValidEncIssues_2(self):
         settings_info_2 = self.loadSettingsJSON('settings3.json')
         settings_info_2['strict'] = True
         settings_info_2['security']['wantNameIdEncrypted'] = True
         settings_2 = OneLogin_Saml2_Settings(settings_info_2)
 
         request_data = {
-            'http_host': 'pytoolkit.com',
-            'server_port': 8000,
             'script_name': '',
             'request_uri': '?acs',
         }
-
-        message_2 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion_encrypted_nameid.xml.base64'))
-        response_6 = OneLogin_Saml2_Response(settings_2, message_2)
-        self.assertFalse(response_6.is_valid(request_data))
-        self.assertEqual('The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response', response_6.get_error())
+        for separate_port in (False, True):
+            if separate_port:
+                request_data.update({
+                    'http_host': 'pytoolkit.com',
+                    'server_port': 8000,
+                })
+            else:
+                request_data.update({
+                    'http_host': 'pytoolkit.com:8000',
+                })
+
+            message_2 = self.file_contents(join(self.data_path, 'responses', 'valid_encrypted_assertion_encrypted_nameid.xml.base64'))
+            response_6 = OneLogin_Saml2_Response(settings_2, message_2)
+            self.assertFalse(response_6.is_valid(request_data))
+            self.assertEqual('The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response', response_6.get_error())
 
     def testIsInValidCert(self):
         """
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index 87112b0c..54d9ae66 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -190,7 +190,7 @@ def testGetselfhost(self):
         request_data = {
             'http_host': 'example.com:443'
         }
-        self.assertEqual('example.com', OneLogin_Saml2_Utils.get_self_host(request_data))
+        self.assertEqual('example.com:443', OneLogin_Saml2_Utils.get_self_host(request_data))
 
         request_data = {
             'http_host': 'example.com:ok'
@@ -211,11 +211,6 @@ def testisHTTPS(self):
         }
         self.assertTrue(OneLogin_Saml2_Utils.is_https(request_data))
 
-        request_data = {
-            'server_port': '80'
-        }
-        self.assertFalse(OneLogin_Saml2_Utils.is_https(request_data))
-
         request_data = {
             'server_port': '443'
         }

From 562ceedfefdc0e2b9335488cf537ddc3bd8c897d Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Sun, 25 Jul 2021 15:10:32 +0300
Subject: [PATCH 226/331] Add Pip cache to CI

---
 .github/workflows/python-package.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index ac505be2..38ac7f4c 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -19,14 +19,18 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: ${{ matrix.python-version }}
-
+    - uses: actions/cache@v2
+      with:
+        path: ~/.cache/pip
+        key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.py') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-
     - name: Install dependencies
       run: |
         sudo apt-get update -qq
         sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
         make install-req
         make install-test
-
     - name: Test
       run: |
         make pytest

From 69d132c52ba354bb4d9660df2a0606b91ca316bb Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Sun, 25 Jul 2021 15:14:41 +0300
Subject: [PATCH 227/331] Separate linting in CI

---
 .github/workflows/python-package.yml | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 38ac7f4c..1cc6b96a 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -32,8 +32,27 @@ jobs:
         make install-req
         make install-test
     - name: Test
+      run: make pytest
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-python@v2
+      with:
+        python-version: 3.9
+    - uses: actions/cache@v2
+      with:
+        path: ~/.cache/pip
+        key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.py') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-
+    - name: Install dependencies
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
+        make install-req
+        make install-test
+    - name: Run linters
       run: |
-        make pytest
         make pycodestyle
         make flake8
-

From f7f45a7b6e9a14cbb3ebd8771e945fe022886ccc Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Sun, 25 Jul 2021 15:17:16 +0300
Subject: [PATCH 228/331] Move flake8 ignores to setup.cfg

---
 Makefile  | 2 +-
 setup.cfg | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 7f3faddb..30f8af09 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ pycodestyle:
 	$(PYCODESTYLE) --ignore=E501,E731,W504 $(SOURCES) --config=$(PEP8_CONFIG)
 
 flake8:
-	$(FLAKE8) --ignore=E501,E731,W504 $(SOURCES)
+	$(FLAKE8) $(SOURCES)
 
 clean: 
 	rm -rf .pytest_cache/
diff --git a/setup.cfg b/setup.cfg
index e9d41598..36fa9534 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,5 +1,5 @@
 [flake8]
-ignore = E731,W504
+ignore = E731,W504,E501
 max-complexity = 48
 max-line-length = 1900
 

From 603f95132023a410e77fa8ea77f0a45138b4b28e Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Sun, 25 Jul 2021 15:17:56 +0300
Subject: [PATCH 229/331] Fix typos in makefile causing demos to be ignored by
 lint

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 30f8af09..45d73ecb 100644
--- a/Makefile
+++ b/Makefile
@@ -6,9 +6,9 @@ COVERAGE=coverage
 COVERAGE_CONFIG=tests/coverage.rc
 PEP8_CONFIG=tests/pep8.rc
 MAIN_SOURCE=src/onelogin/saml2
-DEMOS=demo-django demo-flask
+DEMOS=demo-django demo-flask demo-tornado demo_pyramid
 TESTS=tests/src/OneLogin/saml2_tests
-SOURCES=$(MAIN_SOURCE) $(DEMO) $(TESTS)
+SOURCES=$(MAIN_SOURCE) $(DEMOS) $(TESTS)
 
 install-req:
 	$(PIP) install --upgrade 'setuptools<45.0.0'

From c84af25048554c8f13d94f9fa1544b30a51e78c1 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 13 Aug 2021 18:36:01 +0200
Subject: [PATCH 230/331] Release 1.12.0

---
 changelog.md | 3 +++
 setup.py     | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 4571ed31..cc17cb4e 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,7 @@
 # python3-saml changelog
+### 1.12.0 (Aug 13, 2021)
+* [#276](https://github.com/onelogin/python3-saml/pull/276) Deprecate server_port from request data dictionary
+
 ### 1.11.0 (Jul 23, 2021)
 * [#261](https://github.com/onelogin/python3-saml/pull/261) Allow duplicate named attributes, controlled by a new setting
 * [#268](https://github.com/onelogin/python3-saml/pull/268) Make the redirect scheme matcher case-insensitive
diff --git a/setup.py b/setup.py
index c783d224..4aad2c76 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.11.0',
+    version='1.12.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From e77d015ba4ce077787fee321614dee86d78b583d Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 16 Aug 2021 14:13:32 +0200
Subject: [PATCH 231/331] Restore request.host

Flask example hits error: AttributeError: 'Request' object has no attribute 'netloc'
---
 demo-flask/index.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-flask/index.py b/demo-flask/index.py
index 8a251a0a..5f43292a 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -23,7 +23,7 @@ def prepare_flask_request(request):
     # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
     return {
         'https': 'on' if request.scheme == 'https' else 'off',
-        'http_host': request.netloc,
+        'http_host': request.host,
         'script_name': request.path,
         'get_data': request.args.copy(),
         # Uncomment if using ADFS as IdP, https://github.com/onelogin/python-saml/pull/144

From 8a47e705365035da0e97f96edd49bb6721035c85 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 16 Aug 2021 14:19:10 +0200
Subject: [PATCH 232/331] Fix pycodestyle

---
 demo-flask/index.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/demo-flask/index.py b/demo-flask/index.py
index 5f43292a..a10ac8ce 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -3,8 +3,6 @@
 from flask import (Flask, request, render_template, redirect, session,
                    make_response)
 
-from urllib.parse import urlparse
-
 from onelogin.saml2.auth import OneLogin_Saml2_Auth
 from onelogin.saml2.utils import OneLogin_Saml2_Utils
 

From c137dddc6f44c9c5ee3e8884e6d53b0376508126 Mon Sep 17 00:00:00 2001
From: Gunesh Pinar 
Date: Thu, 26 Aug 2021 23:19:37 -0700
Subject: [PATCH 233/331] Implement
 OneLogin_Saml2_Auth.get_last_assertion_issue_instant()

---
 README.md                                   |  1 +
 src/onelogin/saml2/auth.py                  |  9 +++++++++
 src/onelogin/saml2/response.py              | 13 +++++++++++++
 tests/src/OneLogin/saml2_tests/auth_test.py |  7 +++++--
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 05b5faf2..3a5f39ff 100644
--- a/README.md
+++ b/README.md
@@ -970,6 +970,7 @@ Main class of OneLogin Python Toolkit
 * ***get_last_message_id*** The ID of the last Response SAML message processed.
 * ***get_last_assertion_id*** The ID of the last assertion processed.
 * ***get_last_assertion_not_on_or_after*** The ``NotOnOrAfter`` value of the valid ``SubjectConfirmationData`` node (if any) of the last assertion processed (is only calculated with strict = true)
+* ***get_last_assertion_issue_instant*** The `IssueInstant` value of the last assertion processed.
 
 #### OneLogin_Saml2_Auth - authn_request.py ####
 
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index c284fe46..6c72932b 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -71,6 +71,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self._last_request_id = None
         self._last_message_id = None
         self._last_assertion_id = None
+        self._last_assertion_issue_instant = None
         self._last_authn_contexts = []
         self._last_request = None
         self._last_response = None
@@ -105,6 +106,7 @@ def store_valid_response(self, response):
         self._session_expiration = response.get_session_not_on_or_after()
         self._last_message_id = response.get_id()
         self._last_assertion_id = response.get_assertion_id()
+        self._last_assertion_issue_instant = response.get_assertion_issue_instant()
         self._last_authn_contexts = response.get_authn_contexts()
         self._authenticated = True
         self._last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
@@ -373,6 +375,13 @@ def get_last_assertion_id(self):
         """
         return self._last_assertion_id
 
+    def get_last_assertion_issue_instant(self):
+        """
+        :returns: The IssueInstant of the last assertion processed.
+        :rtype: unix/posix timestamp|None
+        """
+        return self._last_assertion_issue_instant
+
     def get_last_authn_contexts(self):
         """
         :returns: The list of authentication contexts sent in the last SAML Response.
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 7d372ab6..4ef0418c 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -917,3 +917,16 @@ def get_assertion_id(self):
                 OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
             )
         return self._query_assertion('')[0].get('ID', None)
+
+    def get_assertion_issue_instant(self):
+        """
+        :returns: the IssueInstant of the assertion in the response
+        :rtype: unix/posix timestamp|None
+        """
+        if not self.validate_num_assertions():
+            raise OneLogin_Saml2_ValidationError(
+                'SAML Response must contain 1 assertion',
+                OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
+            )
+        issue_instant = self._query_assertion('')[0].get('IssueInstant', None)
+        return OneLogin_Saml2_Utils.parse_SAML_to_time(issue_instant)
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index ea8cf1d3..87a57f19 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1415,7 +1415,7 @@ def testGetLastLogoutResponse(self):
 
     def testGetInfoFromLastResponseReceived(self):
         """
-        Tests the get_last_message_id, get_last_assertion_id and get_last_assertion_not_on_or_after
+        Tests the get_last_message_id, get_last_assertion_id, get_last_assertion_not_on_or_after and get_last_assertion_issue_instant
         of the OneLogin_Saml2_Auth class
         """
         settings = self.loadSettingsJSON()
@@ -1431,8 +1431,9 @@ def testGetInfoFromLastResponseReceived(self):
         self.assertEqual(auth.get_last_message_id(), 'pfx42be40bf-39c3-77f0-c6ae-8bf2e23a1a2e')
         self.assertEqual(auth.get_last_assertion_id(), 'pfx57dfda60-b211-4cda-0f63-6d5deb69e5bb')
         self.assertIsNone(auth.get_last_assertion_not_on_or_after())
+        self.assertEqual(auth.get_last_assertion_issue_instant(), 1392773821)
 
-        # NotOnOrAfter is only calculated with strict = true
+        # NotOnOrAfter is only calculated with strict = true 
         # If invalid, response id and assertion id are not obtained
 
         settings['strict'] = True
@@ -1442,6 +1443,7 @@ def testGetInfoFromLastResponseReceived(self):
         self.assertIsNone(auth.get_last_message_id())
         self.assertIsNone(auth.get_last_assertion_id())
         self.assertIsNone(auth.get_last_assertion_not_on_or_after())
+        self.assertIsNone(auth.get_last_assertion_issue_instant())
 
         request_data['https'] = 'on'
         request_data['http_host'] = 'pitbulk.no-ip.org'
@@ -1452,6 +1454,7 @@ def testGetInfoFromLastResponseReceived(self):
         self.assertEqual(auth.get_last_message_id(), 'pfx42be40bf-39c3-77f0-c6ae-8bf2e23a1a2e')
         self.assertEqual(auth.get_last_assertion_id(), 'pfx57dfda60-b211-4cda-0f63-6d5deb69e5bb')
         self.assertEqual(auth.get_last_assertion_not_on_or_after(), 2671081021)
+        self.assertEqual(auth.get_last_assertion_issue_instant(), 1392773821)
 
     def testGetIdFromLogoutRequest(self):
         """

From 149a4666e18a0f54794f4552de0da4a2753ff6a4 Mon Sep 17 00:00:00 2001
From: Gunesh Pinar 
Date: Thu, 26 Aug 2021 23:37:37 -0700
Subject: [PATCH 234/331] Revert Whitespace Change

---
 tests/src/OneLogin/saml2_tests/auth_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 87a57f19..809ebdfb 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1433,7 +1433,7 @@ def testGetInfoFromLastResponseReceived(self):
         self.assertIsNone(auth.get_last_assertion_not_on_or_after())
         self.assertEqual(auth.get_last_assertion_issue_instant(), 1392773821)
 
-        # NotOnOrAfter is only calculated with strict = true 
+        # NotOnOrAfter is only calculated with strict = true
         # If invalid, response id and assertion id are not obtained
 
         settings['strict'] = True

From b6ffc5932d16dacf314123dcd653a92e1332f32e Mon Sep 17 00:00:00 2001
From: Gunesh Pinar 
Date: Mon, 4 Oct 2021 22:40:40 -0700
Subject: [PATCH 235/331] Implement get_last_response_in_response_to()

---
 README.md                                   | 1 +
 src/onelogin/saml2/auth.py                  | 9 +++++++++
 tests/src/OneLogin/saml2_tests/auth_test.py | 5 ++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3a5f39ff..dccc84f3 100644
--- a/README.md
+++ b/README.md
@@ -967,6 +967,7 @@ Main class of OneLogin Python Toolkit
 * ***set_strict*** Set the strict mode active/disable.
 * ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (``AuthNRequest``, ``LogoutRequest``)
 * ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (``SAMLResponse``, ``LogoutResponse``). If the SAMLResponse had an encrypted assertion, decrypts it.
+* ***get_last_response_in_response_to*** The `InResponseTo` of the most recently processed SAML Response.
 * ***get_last_message_id*** The ID of the last Response SAML message processed.
 * ***get_last_assertion_id*** The ID of the last assertion processed.
 * ***get_last_assertion_not_on_or_after*** The ``NotOnOrAfter`` value of the valid ``SubjectConfirmationData`` node (if any) of the last assertion processed (is only calculated with strict = true)
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index 6c72932b..c097678b 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -75,6 +75,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self._last_authn_contexts = []
         self._last_request = None
         self._last_response = None
+        self._last_response_in_response_to = None
         self._last_assertion_not_on_or_after = None
 
     def get_settings(self):
@@ -109,6 +110,7 @@ def store_valid_response(self, response):
         self._last_assertion_issue_instant = response.get_assertion_issue_instant()
         self._last_authn_contexts = response.get_authn_contexts()
         self._authenticated = True
+        self._last_response_in_response_to = response.get_in_response_to()
         self._last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
 
     def process_response(self, request_id=None):
@@ -389,6 +391,13 @@ def get_last_authn_contexts(self):
         """
         return self._last_authn_contexts
 
+    def get_last_response_in_response_to(self):
+        """
+        :returns: InResponseTo attribute of the last Response SAML processed or None if it is not present.
+        :rtype: string
+        """
+        return self._last_response_in_response_to
+
     def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
         """
         Initiates the SSO process.
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 809ebdfb..0f979073 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1415,7 +1415,7 @@ def testGetLastLogoutResponse(self):
 
     def testGetInfoFromLastResponseReceived(self):
         """
-        Tests the get_last_message_id, get_last_assertion_id, get_last_assertion_not_on_or_after and get_last_assertion_issue_instant
+        Tests the get_last_response_in_response_to, get_last_message_id, get_last_assertion_id, get_last_assertion_not_on_or_after and get_last_assertion_issue_instant
         of the OneLogin_Saml2_Auth class
         """
         settings = self.loadSettingsJSON()
@@ -1428,6 +1428,7 @@ def testGetInfoFromLastResponseReceived(self):
         auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
 
         auth.process_response()
+        self.assertEqual(auth.get_last_response_in_response_to(), 'ONELOGIN_5fe9d6e499b2f0913206aab3f7191729049bb807')
         self.assertEqual(auth.get_last_message_id(), 'pfx42be40bf-39c3-77f0-c6ae-8bf2e23a1a2e')
         self.assertEqual(auth.get_last_assertion_id(), 'pfx57dfda60-b211-4cda-0f63-6d5deb69e5bb')
         self.assertIsNone(auth.get_last_assertion_not_on_or_after())
@@ -1440,6 +1441,7 @@ def testGetInfoFromLastResponseReceived(self):
         auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
         auth.process_response()
         self.assertNotEqual(len(auth.get_errors()), 0)
+        self.assertIsNone(auth.get_last_response_in_response_to())
         self.assertIsNone(auth.get_last_message_id())
         self.assertIsNone(auth.get_last_assertion_id())
         self.assertIsNone(auth.get_last_assertion_not_on_or_after())
@@ -1451,6 +1453,7 @@ def testGetInfoFromLastResponseReceived(self):
         auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
         auth.process_response()
         self.assertEqual(len(auth.get_errors()), 0)
+        self.assertEqual(auth.get_last_response_in_response_to(), 'ONELOGIN_5fe9d6e499b2f0913206aab3f7191729049bb807')
         self.assertEqual(auth.get_last_message_id(), 'pfx42be40bf-39c3-77f0-c6ae-8bf2e23a1a2e')
         self.assertEqual(auth.get_last_assertion_id(), 'pfx57dfda60-b211-4cda-0f63-6d5deb69e5bb')
         self.assertEqual(auth.get_last_assertion_not_on_or_after(), 2671081021)

From 138916d1cd5cc391b5f39c9f9eaef494a3fa8834 Mon Sep 17 00:00:00 2001
From: Gunesh Pinar 
Date: Mon, 4 Oct 2021 22:41:40 -0700
Subject: [PATCH 236/331] Clarify README description

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index dccc84f3..2d132e9e 100644
--- a/README.md
+++ b/README.md
@@ -967,7 +967,7 @@ Main class of OneLogin Python Toolkit
 * ***set_strict*** Set the strict mode active/disable.
 * ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (``AuthNRequest``, ``LogoutRequest``)
 * ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (``SAMLResponse``, ``LogoutResponse``). If the SAMLResponse had an encrypted assertion, decrypts it.
-* ***get_last_response_in_response_to*** The `InResponseTo` of the most recently processed SAML Response.
+* ***get_last_response_in_response_to*** The `InResponseTo` ID of the most recently processed SAML Response.
 * ***get_last_message_id*** The ID of the last Response SAML message processed.
 * ***get_last_assertion_id*** The ID of the last assertion processed.
 * ***get_last_assertion_not_on_or_after*** The ``NotOnOrAfter`` value of the valid ``SubjectConfirmationData`` node (if any) of the last assertion processed (is only calculated with strict = true)

From 4c4d54005b8dd3d8ffa630e45b4d217e8f01621e Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 18 Oct 2021 21:21:11 +0200
Subject: [PATCH 237/331] Warn about Open Redirect and Reply attacks

---
 README.md                          | 30 ++++++++++++++++++++++++++++++
 demo-django/demo/views.py          |  4 ++++
 demo-flask/index.py                |  4 ++++
 demo-tornado/views.py              |  4 ++++
 demo_pyramid/demo_pyramid/views.py |  4 ++++
 5 files changed, 46 insertions(+)

diff --git a/README.md b/README.md
index 3a5f39ff..739ff670 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,36 @@ your environment is not secure and will be exposed to attacks.
 
 In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
+
+### Avoiding Open Redirect attacks ###
+
+Some implementations uses the RelayState parameter as a way to control the flow when SSO and SLO succeeded. So basically the
+user is redirected to the value of the RelayState.
+
+If you are using Signature Validation on the HTTP-Redirect binding, you will have the RelayState value integrity covered, otherwise, and
+on HTTP-POST binding, you can't trust the RelayState so before
+executing the validation, you need to verify that its value belong
+a trusted and expected URL.
+
+Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
+
+### Avoiding Reply attacks ###
+
+A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
+
+SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
+make harder this kind of attacks, but they are still possible.
+
+In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
+to be stored the amount of time of the SAML Message life time, so 
+we don't need to store all processed message/assertion Ids, but the most recent ones.
+
+The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L357), [get_last_message_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L364) and [get_last_assertion_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L371) methods to retrieve the IDs 
+
+Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent reply
+attacks.
+
+
 Getting Started
 ---------------
 
diff --git a/demo-django/demo/views.py b/demo-django/demo/views.py
index 6003b821..b9acdd76 100644
--- a/demo-django/demo/views.py
+++ b/demo-django/demo/views.py
@@ -84,6 +84,8 @@ def index(request):
             request.session['samlNameIdSPNameQualifier'] = auth.get_nameid_spnq()
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the req['post_data']['RelayState'] is a trusted URL.
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
         elif auth.get_settings().is_debug_active():
             error_reason = auth.get_last_error_reason()
@@ -96,6 +98,8 @@ def index(request):
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the url is a trusted URL
                 return HttpResponseRedirect(url)
             else:
                 success_slo = True
diff --git a/demo-flask/index.py b/demo-flask/index.py
index a10ac8ce..3ad2a4e6 100644
--- a/demo-flask/index.py
+++ b/demo-flask/index.py
@@ -83,6 +83,8 @@ def index():
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the request.form['RelayState'] is a trusted URL.
                 return redirect(auth.redirect_to(request.form['RelayState']))
         elif auth.get_settings().is_debug_active():
             error_reason = auth.get_last_error_reason()
@@ -95,6 +97,8 @@ def index():
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the url is a trusted URL.
                 return redirect(url)
             else:
                 success_slo = True
diff --git a/demo-tornado/views.py b/demo-tornado/views.py
index e5d062aa..70ef1565 100644
--- a/demo-tornado/views.py
+++ b/demo-tornado/views.py
@@ -46,6 +46,8 @@ def post(self):
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in self.request.arguments and self_url != self.request.arguments['RelayState'][0].decode('utf-8'):
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the self.request.arguments['RelayState'][0] is a trusted URL.
                 return self.redirect(self.request.arguments['RelayState'][0].decode('utf-8'))
         elif auth.get_settings().is_debug_active():
             error_reason = auth.get_last_error_reason()
@@ -104,6 +106,8 @@ def get(self):
             errors = auth.get_errors()
             if len(errors) == 0:
                 if url is not None:
+                    # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                    # the value of the url is a trusted URL.
                     return self.redirect(url)
                 else:
                     success_slo = True
diff --git a/demo_pyramid/demo_pyramid/views.py b/demo_pyramid/demo_pyramid/views.py
index 96434b8b..5b6be9dd 100644
--- a/demo_pyramid/demo_pyramid/views.py
+++ b/demo_pyramid/demo_pyramid/views.py
@@ -70,6 +70,8 @@ def index(request):
             session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.POST and self_url != request.POST['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the request.POST['RelayState'] is a trusted URL.
                 return HTTPFound(auth.redirect_to(request.POST['RelayState']))
         else:
             error_reason = auth.get_last_error_reason()
@@ -79,6 +81,8 @@ def index(request):
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the url is a trusted URL.
                 return HTTPFound(url)
             else:
                 success_slo = True

From b4199c5364d4b4c00d9930d9e4dab655ecdfaf81 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 18 Oct 2021 21:29:09 +0200
Subject: [PATCH 238/331] Modify examples of README as well

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 739ff670..003beb63 100644
--- a/README.md
+++ b/README.md
@@ -727,6 +727,8 @@ if not errors:
         request.session['samlUserdata'] = auth.get_attributes()
         if 'RelayState' in req['post_data'] and
           OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
+            # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the req['post_data']['RelayState'] is a trusted URL.
             auth.redirect_to(req['post_data']['RelayState'])
         else:
             for attr_name in request.session['samlUserdata'].keys():
@@ -789,6 +791,8 @@ url = auth.process_slo(delete_session_cb=delete_session_callback)
 errors = auth.get_errors()
 if len(errors) == 0:
     if url is not None:
+        # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+        # the value of the url is a trusted URL.
         return redirect(url)
     else:
         print("Sucessfully Logged out")
@@ -916,6 +920,8 @@ elif 'acs' in request.args:                 # Assertion Consumer Service
             request.session['samlSessionIndex'] = auth.get_session_index()
             self_url = OneLogin_Saml2_Utils.get_self_url(req)
             if 'RelayState' in request.form and self_url != request.form['RelayState']:
+                # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+                # the value of the request.form['RelayState'] is a trusted URL.
                 return redirect(auth.redirect_to(request.form['RelayState']))   # Redirect if there is a relayState
             else:                           # If there is user data we save that to print it later.
                 msg = ''
@@ -927,6 +933,8 @@ elif 'sls' in request.args:                                             # Single
     errors = auth.get_errors()              #  Retrieves possible validation errors
     if len(errors) == 0:
         if url is not None:
+            # To avoid 'Open Redirect' attacks, before execute the redirection confirm
+            # the value of the url is a trusted URL.
             return redirect(url)
         else:
             msg = "Sucessfully logged out"

From 6f973d181a50530542a73628e4bd3166f05e9aac Mon Sep 17 00:00:00 2001
From: Mateusz Mandera 
Date: Mon, 8 Nov 2021 12:46:13 +0100
Subject: [PATCH 239/331] Support building a LogoutResponse with non-success
 status

---
 src/onelogin/saml2/logout_response.py         | 22 ++++++++++---------
 .../saml2_tests/logout_response_test.py       | 20 +++++++++++++++++
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index e9368e8a..d1110a73 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -10,6 +10,7 @@
 """
 
 from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
 from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_ValidationError
 from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates
 from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
@@ -152,11 +153,13 @@ def _query(self, query):
         """
         return OneLogin_Saml2_XML.query(self.document, query)
 
-    def build(self, in_response_to):
+    def build(self, in_response_to, status=OneLogin_Saml2_Constants.STATUS_SUCCESS):
         """
         Creates a Logout Response object.
         :param in_response_to: InResponseTo value for the Logout Response.
         :type in_response_to: string
+        :param: status: The status of the response
+        :type: status: string
         """
         sp_data = self._settings.get_sp_data()
 
@@ -164,15 +167,14 @@ def build(self, in_response_to):
 
         issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
 
-        logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % \
-            {
-                'id': self.id,
-                'issue_instant': issue_instant,
-                'destination': self._settings.get_idp_slo_response_url(),
-                'in_response_to': in_response_to,
-                'entity_id': sp_data['entityId'],
-                'status': "urn:oasis:names:tc:SAML:2.0:status:Success"
-            }
+        logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % {
+            "id": self.id,
+            "issue_instant": issue_instant,
+            "destination": self._settings.get_idp_slo_response_url(),
+            "in_response_to": in_response_to,
+            "entity_id": sp_data["entityId"],
+            "status": status,
+        }
 
         self._logout_response = logout_response
 
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index e6f31b0f..4b3da96a 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -401,3 +401,23 @@ def testGetXML(self):
 
         logout_response_processed = OneLogin_Saml2_Logout_Response(settings, OneLogin_Saml2_Utils.deflate_and_base64_encode(response))
         self.assertEqual(response, logout_response_processed.get_xml())
+
+    def testBuildWithStatus(self):
+        """
+        Tests the build method when called specifying a non-default status for the LogoutResponse.
+        """
+        settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
+
+        response_builder = OneLogin_Saml2_Logout_Response(settings)
+        response_builder.build("InResponseValue", status=OneLogin_Saml2_Constants.STATUS_REQUESTER)
+        generated_encoded_response = response_builder.get_response()
+
+        # Parse and verify the status of the response, as the receiver will do:
+        parsed_response = OneLogin_Saml2_Logout_Response(settings, generated_encoded_response)
+        expectedFragment = (
+            '    \n'
+            '        \n'
+            '    \n'
+        )
+        self.assertIn(expectedFragment, parsed_response.get_xml())
+        self.assertEqual(parsed_response.get_status(), OneLogin_Saml2_Constants.STATUS_REQUESTER)

From d2716a1642b55e45028d63c653304786973e2108 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 12:58:45 +0100
Subject: [PATCH 240/331] Adding python 3.10 to CI. See #294

---
 .github/workflows/python-package.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 1cc6b96a..91d8f7b4 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [2.7,3.5,3.6,3.7, 3.8,3.9]
+        python-version: [2.7,3.5,3.6,3.7, 3.8,3.9,3.10.2]
 
     steps:
     - uses: actions/checkout@v2

From 9726d5c2e1e345023249e7caa7a2a2159e5a2558 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 13:33:19 +0100
Subject: [PATCH 241/331] Upgrade dependencies

---
 setup.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/setup.py b/setup.py
index 4aad2c76..d6c5de51 100644
--- a/setup.py
+++ b/setup.py
@@ -38,9 +38,9 @@
     },
     test_suite='tests',
     install_requires=[
-        'isodate>=0.5.0',
-        'lxml>=3.3.5',
-        'xmlsec>=1.0.5'
+        'lxml>=4.7.1',
+        'isodate>=0.6.1',
+        'xmlsec>=1.3.9'
     ],
     dependency_links=['http://github.com/mehcode/python-xmlsec/tarball/master'],
     extras_require={

From b5fdfc9b3c8722abbef020aa64a8c4d29d7288b2 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 13:36:21 +0100
Subject: [PATCH 242/331] Remove 3.10 for now from CI

---
 .github/workflows/python-package.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 91d8f7b4..1cc6b96a 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [2.7,3.5,3.6,3.7, 3.8,3.9,3.10.2]
+        python-version: [2.7,3.5,3.6,3.7, 3.8,3.9]
 
     steps:
     - uses: actions/checkout@v2

From a55cc9a379da03eff9f96a886f6164fd0792a62e Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 18:00:18 +0100
Subject: [PATCH 243/331] Fixing lxml to 4.7.0, it seems 4.7.1 had conflicts
 when the signature inside a encrypted element is validated. See #292

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index d6c5de51..21108ec8 100644
--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,7 @@
     },
     test_suite='tests',
     install_requires=[
-        'lxml>=4.7.1',
+        'lxml==4.7.0',
         'isodate>=0.6.1',
         'xmlsec>=1.3.9'
     ],

From 6e34b695f0c596f0e07fa6eb297032013e1fb0f0 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 19:03:31 +0100
Subject: [PATCH 244/331] Set sha256 and rsa-sha256 as default algorithms to be
 used

---
 src/onelogin/saml2/auth.py                      |  8 ++++----
 src/onelogin/saml2/metadata.py                  |  2 +-
 src/onelogin/saml2/settings.py                  |  4 ++--
 src/onelogin/saml2/utils.py                     | 12 ++++++------
 tests/src/OneLogin/saml2_tests/auth_test.py     | 10 +++++-----
 tests/src/OneLogin/saml2_tests/metadata_test.py |  4 ++--
 tests/src/OneLogin/saml2_tests/settings_test.py |  2 +-
 tests/src/OneLogin/saml2_tests/utils_test.py    |  4 ++--
 8 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index c097678b..d17c7d48 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -523,7 +523,7 @@ def get_slo_response_url(self):
         """
         return self._settings.get_idp_slo_response_url()
 
-    def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
+    def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256):
         """
         Builds the Signature of the SAML Request.
 
@@ -535,7 +535,7 @@ def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Cons
         """
         return self._build_signature(request_data, 'SAMLRequest', sign_algorithm)
 
-    def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
+    def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256):
         """
         Builds the Signature of the SAML Response.
         :param response_data: The Response parameters
@@ -588,7 +588,7 @@ def _build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_ur
         sign_data.append('SigAlg=%s' % OneLogin_Saml2_Utils.escape_url(algorithm, lowercase_urlencoding))
         return '&'.join(sign_data)
 
-    def _build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1):
+    def _build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256):
         """
         Builds the Signature
         :param data: The Request data
@@ -621,7 +621,7 @@ def _build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Consta
             OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
             OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
         }
-        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA1)
+        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA256)
 
         signature = OneLogin_Saml2_Utils.sign_binary(msg, key, sign_algorithm_transform, self._settings.is_debug_active())
         data['Signature'] = OneLogin_Saml2_Utils.b64encode(signature)
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index 34c5f2c1..cccd7ce0 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -193,7 +193,7 @@ def builder(cls, sp, authnsign=False, wsign=False, valid_until=None, cache_durat
         return metadata
 
     @staticmethod
-    def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1, digest_algorithm=OneLogin_Saml2_Constants.SHA1):
+    def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256, digest_algorithm=OneLogin_Saml2_Constants.SHA256):
         """
         Signs the metadata with the key/cert provided
 
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index 3163995e..c258758c 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -307,10 +307,10 @@ def _add_default_values(self):
         self._security.setdefault('wantNameIdEncrypted', False)
 
         # Signature Algorithm
-        self._security.setdefault('signatureAlgorithm', OneLogin_Saml2_Constants.RSA_SHA1)
+        self._security.setdefault('signatureAlgorithm', OneLogin_Saml2_Constants.RSA_SHA256)
 
         # Digest Algorithm
-        self._security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA1)
+        self._security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA256)
 
         # AttributeStatement required by default
         self._security.setdefault('wantAttributeStatement', True)
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 51ab4e00..34176e25 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -697,7 +697,7 @@ def decrypt_element(encrypted_data, key, debug=False, inplace=False):
         return enc_ctx.decrypt(encrypted_data)
 
     @staticmethod
-    def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA1, digest_algorithm=OneLogin_Saml2_Constants.SHA1):
+    def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256, digest_algorithm=OneLogin_Saml2_Constants.SHA256):
         """
         Adds signature key and senders certificate to an element (Message or
         Assertion).
@@ -735,7 +735,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant
             OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
             OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
         }
-        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA1)
+        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA256)
 
         signature = xmlsec.template.create(elem, xmlsec.Transform.EXCL_C14N, sign_algorithm_transform, ns='ds')
 
@@ -770,7 +770,7 @@ def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constant
             OneLogin_Saml2_Constants.SHA384: xmlsec.Transform.SHA384,
             OneLogin_Saml2_Constants.SHA512: xmlsec.Transform.SHA512
         }
-        digest_algorithm_transform = digest_algorithm_transform_map.get(digest_algorithm, xmlsec.Transform.SHA1)
+        digest_algorithm_transform = digest_algorithm_transform_map.get(digest_algorithm, xmlsec.Transform.SHA256)
 
         ref = xmlsec.template.add_reference(signature, digest_algorithm_transform, uri=elem_id)
         xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
@@ -983,7 +983,7 @@ def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, finger
         return True
 
     @staticmethod
-    def sign_binary(msg, key, algorithm=xmlsec.Transform.RSA_SHA1, debug=False):
+    def sign_binary(msg, key, algorithm=xmlsec.Transform.RSA_SHA256, debug=False):
         """
         Sign binary message
 
@@ -1009,7 +1009,7 @@ def sign_binary(msg, key, algorithm=xmlsec.Transform.RSA_SHA1, debug=False):
         return dsig_ctx.sign_binary(compat.to_bytes(msg), algorithm)
 
     @staticmethod
-    def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_Saml2_Constants.RSA_SHA1, debug=False):
+    def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_Saml2_Constants.RSA_SHA256, debug=False):
         """
         Validates signed binary data (Used to validate GET Signature).
 
@@ -1041,7 +1041,7 @@ def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_
                 OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
                 OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
             }
-            sign_algorithm_transform = sign_algorithm_transform_map.get(algorithm, xmlsec.Transform.RSA_SHA1)
+            sign_algorithm_transform = sign_algorithm_transform_map.get(algorithm, xmlsec.Transform.RSA_SHA256)
 
             dsig_ctx.verify_binary(compat.to_bytes(signed_query),
                                    sign_algorithm_transform,
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 0f979073..4a872c81 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -567,7 +567,7 @@ def testProcessSLORequestSignedResponse(self):
         self.assertIn('SigAlg', parsed_query)
         self.assertIn('Signature', parsed_query)
         self.assertIn('http://relaystate.com', parsed_query['RelayState'])
-        self.assertIn(OneLogin_Saml2_Constants.RSA_SHA1, parsed_query['SigAlg'])
+        self.assertIn(OneLogin_Saml2_Constants.RSA_SHA256, parsed_query['SigAlg'])
 
     def testLogin(self):
         """
@@ -624,7 +624,7 @@ def testLoginSigned(self):
         self.assertIn('SigAlg', parsed_query)
         self.assertIn('Signature', parsed_query)
         self.assertIn(return_to, parsed_query['RelayState'])
-        self.assertIn(OneLogin_Saml2_Constants.RSA_SHA1, parsed_query['SigAlg'])
+        self.assertIn(OneLogin_Saml2_Constants.RSA_SHA256, parsed_query['SigAlg'])
 
     def testLoginForceAuthN(self):
         """
@@ -824,7 +824,7 @@ def testLogoutSigned(self):
         self.assertIn('SigAlg', parsed_query)
         self.assertIn('Signature', parsed_query)
         self.assertIn(return_to, parsed_query['RelayState'])
-        self.assertIn(OneLogin_Saml2_Constants.RSA_SHA1, parsed_query['SigAlg'])
+        self.assertIn(OneLogin_Saml2_Constants.RSA_SHA256, parsed_query['SigAlg'])
 
     def testLogoutNoSLO(self):
         """
@@ -1088,7 +1088,7 @@ def testBuildRequestSignature(self):
         auth = OneLogin_Saml2_Auth(self.get_request(), old_settings=settings)
 
         auth.add_request_signature(parameters)
-        valid_signature = 'Pb1EXAX5TyipSJ1SndEKZstLQTsT+1D00IZAhEepBM+OkAZQSToivu3njgJu47HZiZAqgXZFgloBuuWE/+GdcSsRYEMkEkiSDWTpUr25zKYLJDSg6GNo6iAHsKSuFt46Z54Xe/keYxYP03Hdy97EwuuSjBzzgRc5tmpV+KC7+a0='
+        valid_signature = 'CqdIlbO6GieeJFV+PYqyqz1QVJunQXdZZl+ZyIby9O3/eMJM0XHi+TWReRrpgNxKkbmmvx5fp/t7mphbLiVYNMgGINEaaa/OfoaGwU9GM5YCVULA2t7qZBel1yrIXGMxijJizB7UPR2ZMo4G+Wdhx1zbmbB0GYM0A27w6YCe/+k='
         self.assertEqual(valid_signature, parameters["Signature"])
 
         settings['sp']['privateKey'] = ''
@@ -1109,7 +1109,7 @@ def testBuildResponseSignature(self):
         parameters = {"SAMLResponse": message, 'RelayState': relay_state}
 
         auth.add_response_signature(parameters)
-        valid_signature = 'IcyWLRX6Dz3wHBfpcUaNLVDMGM3uo6z2Z11Gjq0/APPJaHboKGljffsgMVAGBml497yckq+eYKmmz+jpURV9yTj2sF9qfD6CwX2dEzSzMdRzB40X7pWyHgEJGIhs6BhaOt5oXEk4T+h3AczERqpVYFpL00yo7FNtyQkhZFpHFhM='
+        valid_signature = 'fFGaOuO/2+ch/xlwU5o7iS6R+v2quWchLAtiDyQTxStFQZKY1NsBs/eYIin2Meq7oTl1Ks6tpT6JshH5OwhPh/08K7M2oa6FIKb99cjg+jIJ/WwpuJ5h9SH0XXP8y3RLhCxLIomHDsBOGQK8WvOlXFUg+9nvOaEMNi6raUWrGhA='
         self.assertEqual(valid_signature, parameters['Signature'])
 
         settings['sp']['privateKey'] = ''
diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index 0a12a6d4..c95ceead 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -222,8 +222,8 @@ def testSignMetadata(self):
         self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', signed_metadata)
 
         self.assertIn('\n', signed_metadata)
-        self.assertIn('', signed_metadata)
-        self.assertIn('', signed_metadata)
+        self.assertIn('', signed_metadata)
+        self.assertIn('', signed_metadata)
         self.assertIn('\n\n', signed_metadata)
 
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 4cb271f5..16f59e26 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -593,7 +593,7 @@ def generateAndCheckMetadata(self, settings):
         self.assertIn('', metadata)
         self.assertIn('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', metadata)
         self.assertIn('\n', metadata)
-        self.assertIn('', metadata)
+        self.assertIn('', metadata)
         self.assertIn('\n\n', metadata)
 
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index 54d9ae66..39cb46de 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -792,8 +792,8 @@ def testAddSignCheckAlg(self):
         xml_authn = b64decode(self.file_contents(join(self.data_path, 'requests', 'authn_request.xml.base64')))
         xml_authn_signed = compat.to_string(OneLogin_Saml2_Utils.add_sign(xml_authn, key, cert))
         self.assertIn('', xml_authn_signed)
-        self.assertIn('', xml_authn_signed)
-        self.assertIn('', xml_authn_signed)
+        self.assertIn('', xml_authn_signed)
+        self.assertIn('', xml_authn_signed)
 
         xml_authn_signed_2 = compat.to_string(OneLogin_Saml2_Utils.add_sign(xml_authn, key, cert, False, OneLogin_Saml2_Constants.RSA_SHA256, OneLogin_Saml2_Constants.SHA384))
         self.assertIn('', xml_authn_signed_2)

From 171a89e75a6e39f9cb38472162418555c85aa02d Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 20:53:13 +0100
Subject: [PATCH 245/331] Add rejectDeprecatedAlgorithm settings. Define
 DEPRECATED_ALGORITHMS list on Constants. If flag enabled, reject signatures
 on response, logout_request and logout_response with deprecated algorithm

---
 README.md                                     |  9 +++-
 demo-django/saml/advanced_settings.json       |  3 +-
 demo-flask/saml/advanced_settings.json        |  3 +-
 demo-tornado/saml/advanced_settings.json      |  3 +-
 .../demo_pyramid/saml/advanced_settings.json  |  3 +-
 src/onelogin/saml2/auth.py                    | 11 ++++-
 src/onelogin/saml2/constants.py               |  3 ++
 src/onelogin/saml2/errors.py                  |  2 +
 src/onelogin/saml2/response.py                | 23 +++++++++
 src/onelogin/saml2/settings.py                |  3 ++
 tests/src/OneLogin/saml2_tests/auth_test.py   | 47 ++++++++++++++++++-
 .../src/OneLogin/saml2_tests/response_test.py | 13 +++++
 12 files changed, 115 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 53e94e6c..43fd5322 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,8 @@ This version supports Python3. There is a separate version that only support Pyt
 
 #### Warning ####
 
+Version 1.13.0 sets sha256 and rsa-sha256 as default algorithms
+
 Version 1.8.0 sets strict mode active by default
 
 Update ``python3-saml`` to ``1.5.0``, this version includes security improvements for preventing XEE and Xpath Injections.
@@ -485,7 +487,12 @@ In addition to the required settings data (idp, sp), extra settings can be defin
             
         // Specify if you want the SP to view assertions with duplicated Name or FriendlyName attributes to be valid
         // Defaults to false if not specified
-        'allowRepeatAttributeName': false
+        'allowRepeatAttributeName': false,
+
+        // If the toolkit receive a message signed with a
+        // deprecated algoritm (defined at the constant class)
+        // will raise an error and reject the message
+        "rejectDeprecatedAlgorithm": true
     },
 
     // Contact information template, it is recommended to suply a
diff --git a/demo-django/saml/advanced_settings.json b/demo-django/saml/advanced_settings.json
index fef16fe9..3960911a 100644
--- a/demo-django/saml/advanced_settings.json
+++ b/demo-django/saml/advanced_settings.json
@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {
diff --git a/demo-flask/saml/advanced_settings.json b/demo-flask/saml/advanced_settings.json
index fef16fe9..3960911a 100644
--- a/demo-flask/saml/advanced_settings.json
+++ b/demo-flask/saml/advanced_settings.json
@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {
diff --git a/demo-tornado/saml/advanced_settings.json b/demo-tornado/saml/advanced_settings.json
index fef16fe9..3960911a 100644
--- a/demo-tornado/saml/advanced_settings.json
+++ b/demo-tornado/saml/advanced_settings.json
@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {
diff --git a/demo_pyramid/demo_pyramid/saml/advanced_settings.json b/demo_pyramid/demo_pyramid/saml/advanced_settings.json
index fef16fe9..3960911a 100644
--- a/demo_pyramid/demo_pyramid/saml/advanced_settings.json
+++ b/demo_pyramid/demo_pyramid/saml/advanced_settings.json
@@ -12,7 +12,8 @@
         "wantAssertionsEncrypted": false,
         "allowSingleLabelDomains": false,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
+        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
+        "rejectDeprecatedAlgorithm": true
     },
     "contactPerson": {
         "technical": {
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index d17c7d48..dc045f25 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -167,7 +167,6 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                 self._errors.append('Signature validation failed. Logout Response rejected')
             elif not logout_response.is_valid(self._request_data, request_id):
                 self._errors.append('invalid_logout_response')
-                self._error_reason = logout_response.get_error()
             elif logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
                 self._errors.append('logout_not_success')
             else:
@@ -183,7 +182,6 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                 self._errors.append('Signature validation failed. Logout Request rejected')
             elif not logout_request.is_valid(self._request_data):
                 self._errors.append('invalid_logout_request')
-                self._error_reason = logout_request.get_error()
             else:
                 if not keep_local_session:
                     OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
@@ -694,6 +692,15 @@ def _validate_signature(self, data, saml_type, raise_exceptions=False):
             if isinstance(sign_alg, bytes):
                 sign_alg = sign_alg.decode('utf8')
 
+            security = self._settings.get_security_data()
+            reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+            if reject_deprecated_alg:
+                if sign_alg in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                    raise OneLogin_Saml2_ValidationError(
+                        'Deprecated signature algorithm found: %s' % sign_alg,
+                        OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                    )
+
             query_string = self._request_data.get('query_string')
             if query_string and self._request_data.get('validate_signature_from_qs'):
                 signed_query = self._build_sign_query_from_qs(query_string, saml_type)
diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py
index e85a7fb9..a938f8e3 100644
--- a/src/onelogin/saml2/constants.py
+++ b/src/onelogin/saml2/constants.py
@@ -114,3 +114,6 @@ class OneLogin_Saml2_Constants(object):
     AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
     RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
     RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
+
+    # Define here the deprecated algorithms
+    DEPRECATED_ALGORITHMS = [DSA_SHA1, RSA_SHA1, SHA1]
diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py
index 6a50f9f1..b231f982 100644
--- a/src/onelogin/saml2/errors.py
+++ b/src/onelogin/saml2/errors.py
@@ -110,6 +110,8 @@ class OneLogin_Saml2_ValidationError(Exception):
     WRONG_NUMBER_OF_SIGNATURES = 43
     RESPONSE_EXPIRED = 44
     AUTHN_CONTEXT_MISMATCH = 45
+    DEPRECATED_SIGNATURE_METHOD = 46
+    DEPRECATED_DIGEST_METHOD = 47
 
     def __init__(self, message, code=0, errors=None):
         """
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 4ef0418c..3cf0964e 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -653,6 +653,9 @@ def process_signed_elements(self):
         response_tag = '{%s}Response' % OneLogin_Saml2_Constants.NS_SAMLP
         assertion_tag = '{%s}Assertion' % OneLogin_Saml2_Constants.NS_SAML
 
+        security = self._settings.get_security_data()
+        reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+
         for sign_node in sign_nodes:
             signed_element = sign_node.getparent().tag
             if signed_element != response_tag and signed_element != assertion_tag:
@@ -695,6 +698,26 @@ def process_signed_elements(self):
                         )
                     verified_seis.append(sei)
 
+            # Check the signature and digest algorithm
+            if reject_deprecated_alg:
+                sig_method_node = OneLogin_Saml2_XML.query(sign_node, './/ds:SignatureMethod')
+                if sig_method_node:
+                    sig_method = sig_method_node[0].get("Algorithm")
+                    if sig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated signature algorithm found: %s' % sig_method,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                        )
+
+                dig_method_node = OneLogin_Saml2_XML.query(sign_node, './/ds:DigestMethod')
+                if dig_method_node:
+                    dig_method = dig_method_node[0].get("Algorithm")
+                    if dig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated digest algorithm found: %s' % dig_method,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_DIGEST_METHOD
+                        )
+
             signed_elements.append(signed_element)
 
         if signed_elements:
diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index c258758c..e6ea7b74 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -312,6 +312,9 @@ def _add_default_values(self):
         # Digest Algorithm
         self._security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA256)
 
+        # Reject Deprecated Algorithms
+        self._security.setdefault('rejectDeprecatedAlgorithm', False)
+
         # AttributeStatement required by default
         self._security.setdefault('wantAttributeStatement', True)
 
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 4a872c81..efaf1b40 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1215,9 +1215,31 @@ def testIsInValidLogoutResponseSign(self):
         auth.process_slo()
         self.assertIn('Signature validation failed. Logout Response rejected', auth.get_errors())
 
+    def testIsInValidLogoutResponseSignatureRejectingDeprecatedAlgorithm(self):
+        """
+        Tests the process_slo method of the OneLogin_Saml2_Auth
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html',
+            'get_data': {
+                'SAMLResponse': 'fZHbasJAEIZfJey9ZrNZc1gSodRSBKtQxYveyGQz1kCyu2Q24OM3jS21UHo3p++f4Z+CoGud2th3O/hXJGcNYXDtWkNqapVs6I2yQA0pAx2S8lrtH142Ssy5cr31VtuW3SH/E0CEvW+sYcF6VbLTIktFLMWZgxQR8DSP85wDB4GJGMOqShYVaoBUsOCIPY1kyUahEScacG3Ig/FjiUdyxuOZ4IcoUVGq4vSNBSsk3xjwE3Xx3qkwJD+cz3NtuxBN7WxjPN1F1NLcXdwob77tONiS7bZPm93zenvCqopxgVJmuU50jREsZF4noKWAOuNZJbNznnBky+LTDDVd2S+/dje1m+MVOtfidEER3g8Vt2fsPfiBfmePtsbgCO2A/9tL07TaD1ojEQuXtw0/ouFfD19+AA==',
+                'RelayState': 'http://stuff.com/endpoints/endpoints/index.php',
+                'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+                'Signature': 'OV9c4R0COSjN69fAKCpV7Uj/yx6/KFxvbluVCzdK3UuortpNMpgHFF2wYNlMSG9GcYGk6p3I8nB7Z+1TQchMWZOlO/StjAqgtZhtpiwPcWryNuq8vm/6hnJ3zMDhHTS7F8KG4qkCXmJ9sQD3Y31UNcuygBwIbNakvhDT5Qo9Nsw='
+            }
+        }
+        settings_info = self.loadSettingsJSON('settings8.json')
+        settings_info['security']['rejectDeprecatedAlgorithm'] = True
+        settings = OneLogin_Saml2_Settings(settings_info)
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        auth.process_slo()
+        self.assertIn('Signature validation failed. Logout Response rejected', auth.get_errors())
+        self.assertEqual('Deprecated signature algorithm found: http://www.w3.org/2000/09/xmldsig#rsa-sha1', auth.get_last_error_reason())
+
     def testIsValidLogoutRequestSign(self):
         """
-        Tests the is_valid method of the OneLogin_Saml2_LogoutRequest
+        Tests the process_slo method of the OneLogin_Saml2_Auth
         """
         request_data = {
             'http_host': 'example.com',
@@ -1303,6 +1325,29 @@ def testIsValidLogoutRequestSign(self):
         auth.process_slo()
         self.assertIn('Signature validation failed. Logout Request rejected', auth.get_errors())
 
+    def testIsInValidLogoutRequestSignatureRejectingDeprecatedAlgorithm(self):
+        """
+        Tests the process_slo method of the OneLogin_Saml2_Auth
+        """
+        request_data = {
+            'http_host': 'example.com',
+            'script_name': 'index.html',
+            'get_data': {
+                'SAMLRequest': 'fZJNa+MwEIb/itHdiTz6sC0SQyEsBPoB27KHXoIsj7cGW3IlGfLzV7G7kN1DL2KYmeedmRcdgp7GWT26326JP/FzwRCz6zTaoNbKkSzeKqfDEJTVEwYVjXp9eHpUsKNq9i4640Zyh3xP6BDQx8FZkp1PR3KpqexAl72QmpUCS8SW01IiZz2TVVGD4X1VQYlAsl/oQyKPJAklPIQFzzZEbWNK0YLnlOVA3wqpQCoB7yQ7pWsGq+NKfcQ4q/0+xKXvd8ZNe7Td7AYbw10UxrCbP2aSPbv4Yl/8Qx/R3+SB5bTOoXiDQvFNvjnc7lXrIr75kh+6eYdXPc0jrkMO+/umjXhOtpxP2Q/nJx2/9+uWGbq8X1tV9NqGAW0kzaVvoe1AAJeCSWqYaUVRM2SilKKuqDTpFSlszdcK29RthVm9YriZebYdXpsLdhVAB7VJzif3haYMqqTVcl0JMBR4y+s2zak3sf/4v8l/vlHzBw==',
+                'RelayState': '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+                'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+                'Signature': 'Ouxo9BV6zmq4yrgamT9EbSKy/UmvSxGS8z26lIMgKOEP4LFR/N23RftdANmo4HafrzSfA0YTXwhKDqbOByS0j+Ql8OdQOes7vGioSjo5qq/Bi+5i6jXwQfphnfcHAQiJL4gYVIifkhhHRWpvYeiysF1Y9J02me0izwazFmoRXr4='
+            }
+        }
+        settings_info = self.loadSettingsJSON('settings8.json')
+        settings_info = self.loadSettingsJSON('settings8.json')
+        settings_info['security']['rejectDeprecatedAlgorithm'] = True
+        settings = OneLogin_Saml2_Settings(settings_info)
+        auth = OneLogin_Saml2_Auth(request_data, old_settings=settings)
+        auth.process_slo()
+        self.assertIn('Signature validation failed. Logout Request rejected', auth.get_errors())
+        self.assertEqual('Deprecated signature algorithm found: http://www.w3.org/2000/09/xmldsig#rsa-sha1', auth.get_last_error_reason())
+
     def testGetLastRequestID(self):
         settings_info = self.loadSettingsJSON()
         request_data = self.get_request()
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 3f83bc2b..ada973a6 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1030,6 +1030,19 @@ def testIsInValidNoKey(self):
         with self.assertRaisesRegex(Exception, 'Signature validation failed. SAML Response rejected'):
             response.is_valid(self.get_request_data(), raise_exceptions=True)
 
+    def testIsInValidDeprecatedAlgorithm(self):
+        """
+        Tests the is_valid method of the OneLogin_Saml2_Response
+        Case Deprecated algorithm used
+        """
+        settings_dict = self.loadSettingsJSON()
+        settings_dict['security']['rejectDeprecatedAlgorithm'] = True
+        settings = OneLogin_Saml2_Settings(settings_dict)
+        xml = self.file_contents(join(self.data_path, 'responses', 'valid_response.xml.base64'))
+        response = OneLogin_Saml2_Response(settings, xml)
+        with self.assertRaisesRegex(Exception, 'Deprecated signature algorithm found: http://www.w3.org/2000/09/xmldsig#rsa-sha1'):
+            response.is_valid(self.get_request_data(), raise_exceptions=True)
+
     def testIsInValidMultipleAssertions(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response

From 4fe73342d61363a0b7b7ec2f8a8fdc2caee21206 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 22:47:16 +0100
Subject: [PATCH 246/331] Release 1.13.0

---
 changelog.md | 10 ++++++++++
 setup.py     |  4 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/changelog.md b/changelog.md
index cc17cb4e..2dc040c6 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,14 @@
 # python3-saml changelog
+### 1.13.0 (Jan 28, 2022)
+
+- [#296](https://github.com/onelogin/python3-saml/pull/296) Add rejectDeprecatedAlgorithm settings in order to be able reject messages signed with deprecated algorithms.
+- Set sha256 and rsa-sha256 as default algorithms
+- [#288](https://github.com/onelogin/python3-saml/pull/288) Support building a LogoutResponse with non-success status
+- Added warning about Open Redirect and Reply attacks
+- [##274](https://github.com/onelogin/python3-saml/pull/274) Replace double-underscored names with single underscores
+- Add at OneLogin_Saml2_Auth get_last_assertion_issue_instant() and get_last_response_in_response_to() methods
+- Upgrade dependencies
+
 ### 1.12.0 (Aug 13, 2021)
 * [#276](https://github.com/onelogin/python3-saml/pull/276) Deprecate server_port from request data dictionary
 
diff --git a/setup.py b/setup.py
index 21108ec8..c309285b 100644
--- a/setup.py
+++ b/setup.py
@@ -1,7 +1,7 @@
 #! /usr/bin/env python
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
+# Copyright (c) 2010-2022 OneLogin, Inc.
 # MIT License
 
 from setuptools import setup
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.12.0',
+    version='1.13.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From dc05f2bec590088e54d88f78af78034bb0f1c6c0 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 28 Jan 2022 22:48:38 +0100
Subject: [PATCH 247/331] Remove extra space

---
 changelog.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 2dc040c6..cb4a5024 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,5 @@
 # python3-saml changelog
 ### 1.13.0 (Jan 28, 2022)
-
 - [#296](https://github.com/onelogin/python3-saml/pull/296) Add rejectDeprecatedAlgorithm settings in order to be able reject messages signed with deprecated algorithms.
 - Set sha256 and rsa-sha256 as default algorithms
 - [#288](https://github.com/onelogin/python3-saml/pull/288) Support building a LogoutResponse with non-success status

From c94fe93172de89140bed3fca3957544570aa0c91 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 11:29:52 +0200
Subject: [PATCH 248/331] Don't require yanked version of lxml

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index c309285b..b794f921 100644
--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,7 @@
     },
     test_suite='tests',
     install_requires=[
-        'lxml==4.7.0',
+        'lxml~=4.7.1',
         'isodate>=0.6.1',
         'xmlsec>=1.3.9'
     ],

From b75a927bd0475b3de8cac3ffee6da7aa0ba2e75d Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 11:23:58 +0200
Subject: [PATCH 249/331] CI: fix targeting rules

---
 .github/workflows/python-package.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 1cc6b96a..5dcec1eb 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -3,7 +3,13 @@
 
 name: Python package
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
 
 jobs:
   test:

From 34ffd8c46d16f4d5babd16e8e44cd2c7eb429610 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 11:09:40 +0200
Subject: [PATCH 250/331] CI: fix quoting for python-version list

---
 .github/workflows/python-package.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 5dcec1eb..53fd4645 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -17,8 +17,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [2.7,3.5,3.6,3.7, 3.8,3.9]
-
+        python-version:
+          - "2.7"
+          - "3.5"
+          - "3.6"
+          - "3.7"
+          - "3.8"
+          - "3.9"
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python ${{ matrix.python-version }}

From 38f44ba9e09e7e4b55e7699f59c7e2a5e71487eb Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 11:32:20 +0200
Subject: [PATCH 251/331] CI: upgrade, don't downgrade, setuptools

---
 .github/workflows/python-package.yml | 2 ++
 Makefile                             | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 53fd4645..6330e7f7 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -38,6 +38,7 @@ jobs:
           ${{ runner.os }}-pip-
     - name: Install dependencies
       run: |
+        pip install -U setuptools
         sudo apt-get update -qq
         sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
         make install-req
@@ -59,6 +60,7 @@ jobs:
           ${{ runner.os }}-pip-
     - name: Install dependencies
       run: |
+        pip install -U setuptools
         sudo apt-get update -qq
         sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
         make install-req
diff --git a/Makefile b/Makefile
index 45d73ecb..95848867 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,6 @@ TESTS=tests/src/OneLogin/saml2_tests
 SOURCES=$(MAIN_SOURCE) $(DEMOS) $(TESTS)
 
 install-req:
-	$(PIP) install --upgrade 'setuptools<45.0.0'
 	$(PIP) install .
 
 install-test:

From 891228ed247c19c22ced8c6cbe7c0dd7f4392fbd Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 11:33:18 +0200
Subject: [PATCH 252/331] CI: run on Python 3.10

Refs #294
---
 .github/workflows/python-package.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 6330e7f7..0f1e37f2 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -24,6 +24,7 @@ jobs:
           - "3.7"
           - "3.8"
           - "3.9"
+          - "3.10"
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python ${{ matrix.python-version }}
@@ -51,7 +52,7 @@ jobs:
     - uses: actions/checkout@v2
     - uses: actions/setup-python@v2
       with:
-        python-version: 3.9
+        python-version: "3.10"
     - uses: actions/cache@v2
       with:
         path: ~/.cache/pip

From 66f367de4b0462d5d3011bbc21253554162bf07a Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 11:33:27 +0200
Subject: [PATCH 253/331] Set Python 3.10 trove specifier

---
 setup.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/setup.py b/setup.py
index c309285b..b49ab57f 100644
--- a/setup.py
+++ b/setup.py
@@ -23,6 +23,7 @@
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
         'Programming Language :: Python :: 3.9',
+        'Programming Language :: Python :: 3.10',
     ],
     author='OneLogin',
     author_email='support@onelogin.com',

From f10edf68feaddeb0472819d220f28014c8ac8834 Mon Sep 17 00:00:00 2001
From: Aarni Koskela 
Date: Mon, 31 Jan 2022 12:43:43 +0200
Subject: [PATCH 254/331] Remove coveralls mentions

The stats haven't been updated since 2017
---
 .travis.yml | 2 --
 README.md   | 1 -
 setup.py    | 1 -
 3 files changed, 4 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index b690a1d0..820f9499 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -23,5 +23,3 @@ script:
   - 'coverage report -m --rcfile=tests/coverage.rc'
 # - 'pylint src/onelogin/saml2 --rcfile=tests/pylint.rc'
   - 'flake8 .'
-
-after_success: 'coveralls'
diff --git a/README.md b/README.md
index 43fd5322..8894edaf 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # OneLogin's SAML Python Toolkit (compatible with Python3)
 
 [![Build Status](https://api.travis-ci.org/onelogin/python3-saml.png?branch=master)](http://travis-ci.org/onelogin/python3-saml)
-[![Coverage Status](https://coveralls.io/repos/github/onelogin/python3-saml/badge.svg?branch=master)](https://coveralls.io/github/onelogin/python3-saml?branch=master)
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)
 
diff --git a/setup.py b/setup.py
index c309285b..04c23b40 100644
--- a/setup.py
+++ b/setup.py
@@ -49,7 +49,6 @@
             'freezegun>=0.3.11, <=1.1.0',
             'pylint==1.9.4',
             'flake8>=3.6.0',
-            'coveralls>=1.11.1',
             'pytest>=4.6',
         ),
     },

From 3dad0d3fff75636a70840c55ff430801227246b1 Mon Sep 17 00:00:00 2001
From: eriktalvi 
Date: Tue, 15 Feb 2022 16:25:49 -0800
Subject: [PATCH 255/331] Update setup.py

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index b794f921..a148b49a 100644
--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,7 @@
     },
     test_suite='tests',
     install_requires=[
-        'lxml~=4.7.1',
+        'lxml>4.7.1',
         'isodate>=0.6.1',
         'xmlsec>=1.3.9'
     ],

From 34098971c8bb4ed810849db65a78e5066f2725e7 Mon Sep 17 00:00:00 2001
From: eriktalvi 
Date: Tue, 15 Feb 2022 16:27:47 -0800
Subject: [PATCH 256/331] Update setup.py

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index a148b49a..691f86d5 100644
--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,7 @@
     },
     test_suite='tests',
     install_requires=[
-        'lxml>4.7.1',
+        'lxml<4.7.1',
         'isodate>=0.6.1',
         'xmlsec>=1.3.9'
     ],

From 809912de0862dd0e44fcbb11774d8da7b64e3418 Mon Sep 17 00:00:00 2001
From: Bryan Vestey 
Date: Fri, 18 Feb 2022 14:50:12 -0800
Subject: [PATCH 257/331] Release 1.14.0

---
 changelog.md | 5 +++++
 setup.py     | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index cb4a5024..93037656 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,9 @@
 # python3-saml changelog
+### 1.14.0 (Feb 18, 2022)
+- [#297](https://github.com/onelogin/python3-saml/pull/297) Don't require yanked version of lxml.
+- [#298](https://github.com/onelogin/python3-saml/pull/298) Add support for python 3.10 and cleanup the GHA.
+- [#299](https://github.com/onelogin/python3-saml/pull/299) Remove stats from coveralls removed as they are no longer maintained.
+
 ### 1.13.0 (Jan 28, 2022)
 - [#296](https://github.com/onelogin/python3-saml/pull/296) Add rejectDeprecatedAlgorithm settings in order to be able reject messages signed with deprecated algorithms.
 - Set sha256 and rsa-sha256 as default algorithms
diff --git a/setup.py b/setup.py
index 6df390ec..21105b36 100644
--- a/setup.py
+++ b/setup.py
@@ -9,7 +9,7 @@
 
 setup(
     name='python3-saml',
-    version='1.13.0',
+    version='1.14.0',
     description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',

From 220a3359afd7db10fbbd11f6c359d91960b0ef9d Mon Sep 17 00:00:00 2001
From: Noam <69756316+noamsan@users.noreply.github.com>
Date: Mon, 18 Jul 2022 13:54:30 +0300
Subject: [PATCH 258/331] Typo fix: reply -> replay

"Reply attacks" should be "Replay attacks".
---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 8894edaf..d22347a2 100644
--- a/README.md
+++ b/README.md
@@ -139,9 +139,9 @@ a trusted and expected URL.
 
 Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
 
-### Avoiding Reply attacks ###
+### Avoiding Replay attacks ###
 
-A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
+A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
 
 SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
 make harder this kind of attacks, but they are still possible.
@@ -152,8 +152,7 @@ we don't need to store all processed message/assertion Ids, but the most recent
 
 The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L357), [get_last_message_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L364) and [get_last_assertion_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L371) methods to retrieve the IDs 
 
-Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent reply
-attacks.
+Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent replay attacks.
 
 
 Getting Started

From 0a79044f0c429132ceb79f527677a4ca5caa3124 Mon Sep 17 00:00:00 2001
From: Anand Nanduri 
Date: Wed, 3 Aug 2022 17:58:00 -0400
Subject: [PATCH 259/331] handle unicode characters gracefully in python 2

---
 src/onelogin/saml2/compat.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/onelogin/saml2/compat.py b/src/onelogin/saml2/compat.py
index 90bcfac7..804d4d46 100644
--- a/src/onelogin/saml2/compat.py
+++ b/src/onelogin/saml2/compat.py
@@ -39,6 +39,8 @@ def to_string(data):
 
     def to_bytes(data):
         """ return bytes """
+        if isinstance(data, unicode):
+            return data.encode("utf8")
         return str(data)
 
 else:  # py 3.x

From ff2b31c0083605f032f3bd3b6d350d87b3ca94aa Mon Sep 17 00:00:00 2001
From: Bryan Vestey 
Date: Fri, 12 Aug 2022 09:46:11 -0700
Subject: [PATCH 260/331] Update README.md

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index d22347a2..6c2a9127 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,7 @@
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)
 
+**Notice:** This project is currently not under active development, please see [#320](https://github.com/onelogin/python3-saml/issues/320) for more information.
 
 Add SAML support to your Python software using this library.
 Forget those complicated libraries and use the open source library provided

From ba572e24fd3028c0e38c8f9dcd02af46ddcc0870 Mon Sep 17 00:00:00 2001
From: Bryan Vestey 
Date: Fri, 12 Aug 2022 09:47:11 -0700
Subject: [PATCH 261/331] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6c2a9127..9986ff5e 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)
 
-**Notice:** This project is currently not under active development, please see [#320](https://github.com/onelogin/python3-saml/issues/320) for more information.
+## **Notice:** This project is currently not under active development, please see [#320](https://github.com/onelogin/python3-saml/issues/320) for more information.
 
 Add SAML support to your Python software using this library.
 Forget those complicated libraries and use the open source library provided

From 344c28640f8a718aeffd72f1ff56835488965eb0 Mon Sep 17 00:00:00 2001
From: George Khaburzaniya 
Date: Fri, 18 Nov 2022 13:31:08 -0800
Subject: [PATCH 262/331] Remove references to onelogin provided support.

---
 LICENSE                                       |   2 +-
 README.md                                     |  52 ++-
 demo-django/saml/certs/README                 |   2 +-
 demo-django/templates/base.html               |   4 +-
 demo-flask/saml/certs/README                  |   2 +-
 demo-flask/templates/base.html                |   4 +-
 demo-tornado/saml/certs/README                |   2 +-
 demo-tornado/templates/base.html              |   4 +-
 demo_pyramid/demo_pyramid/saml/certs/README   |   2 +-
 docs/saml2/_modules/index.html                |  21 +-
 docs/saml2/_modules/saml2/auth.html           |  29 +-
 docs/saml2/_modules/saml2/authn_request.html  |  30 +-
 docs/saml2/_modules/saml2/constants.html      |  30 +-
 docs/saml2/_modules/saml2/errors.html         |  30 +-
 docs/saml2/_modules/saml2/logout_request.html |  30 +-
 .../saml2/_modules/saml2/logout_response.html |  29 +-
 docs/saml2/_modules/saml2/metadata.html       |  29 +-
 docs/saml2/_modules/saml2/response.html       |  29 +-
 docs/saml2/_modules/saml2/settings.html       |  29 +-
 docs/saml2/_modules/saml2/utils.html          |  29 +-
 docs/saml2/_sources/index.txt                 |   2 +-
 docs/saml2/genindex.html                      | 359 +++++++++---------
 docs/saml2/index.html                         |  27 +-
 docs/saml2/py-modindex.html                   |  23 +-
 docs/saml2/saml2.html                         |  29 +-
 docs/saml2/search.html                        |  29 +-
 setup.py                                      |   9 +-
 src/onelogin/__init__.py                      |   6 +-
 src/onelogin/saml2/__init__.py                |   6 +-
 src/onelogin/saml2/auth.py                    |   4 +-
 src/onelogin/saml2/authn_request.py           |   4 +-
 src/onelogin/saml2/compat.py                  |   2 -
 src/onelogin/saml2/constants.py               |   6 +-
 src/onelogin/saml2/errors.py                  |   4 +-
 src/onelogin/saml2/idp_metadata_parser.py     |   4 +-
 src/onelogin/saml2/logout_request.py          |   4 +-
 src/onelogin/saml2/logout_response.py         |   4 +-
 src/onelogin/saml2/metadata.py                |   4 +-
 src/onelogin/saml2/response.py                |   4 +-
 src/onelogin/saml2/utils.py                   |   4 +-
 src/onelogin/saml2/xml_templates.py           |   4 +-
 src/onelogin/saml2/xml_utils.py               |   4 +-
 tests/data/metadata/idp_metadata.xml          |   4 +-
 ...tadata_different_sign_and_encrypt_cert.xml |   4 +-
 ...dp_metadata_same_sign_and_encrypt_cert.xml |   4 +-
 tests/src/OneLogin/saml2_tests/auth_test.py   |   2 -
 .../saml2_tests/authn_request_test.py         |   2 -
 tests/src/OneLogin/saml2_tests/error_test.py  |   2 -
 .../saml2_tests/idp_metadata_parser_test.py   |   2 -
 .../saml2_tests/logout_request_test.py        |   2 -
 .../saml2_tests/logout_response_test.py       |   2 -
 .../src/OneLogin/saml2_tests/metadata_test.py |   2 -
 .../src/OneLogin/saml2_tests/response_test.py |   8 +-
 .../src/OneLogin/saml2_tests/settings_test.py |   2 -
 .../saml2_tests/signed_response_test.py       |   2 -
 tests/src/OneLogin/saml2_tests/utils_test.py  |   2 -
 .../OneLogin/saml2_tests/xml_utils_test.py    |   2 -
 57 files changed, 433 insertions(+), 540 deletions(-)

diff --git a/LICENSE b/LICENSE
index 734c18ba..0fd253e9 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2010-2021 OneLogin, Inc.
+Copyright (c) 2010-2022 OneLogin, Inc.
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation
diff --git a/README.md b/README.md
index 9986ff5e..08f15fde 100644
--- a/README.md
+++ b/README.md
@@ -1,16 +1,13 @@
-# OneLogin's SAML Python Toolkit (compatible with Python3)
+# SAML Python Toolkit (compatible with Python3)
 
 [![Build Status](https://api.travis-ci.org/onelogin/python3-saml.png?branch=master)](http://travis-ci.org/onelogin/python3-saml)
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)
 
-## **Notice:** This project is currently not under active development, please see [#320](https://github.com/onelogin/python3-saml/issues/320) for more information.
-
 Add SAML support to your Python software using this library.
-Forget those complicated libraries and use the open source library provided
-and supported by OneLogin Inc.
+Forget those complicated libraries and use the open source library provided by the SAML tool community.
 
-This version supports Python3. There is a separate version that only support Python2: [python-saml](https://github.com/onelogin/python-saml)
+This version supports Python3. Python 2 support was deprecated on Jan 1st, 2020: [python-saml](https://github.com/onelogin/python-saml)
 
 #### Warning ####
 
@@ -34,7 +31,7 @@ Update ``python3-saml`` to ``>= 1.2.1``, ``1.2.0`` had a bug on signature valida
 
 #### Security Guidelines ####
 
-If you believe you have discovered a security vulnerability in this toolkit, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
+If you believe you have discovered a security vulnerability in this toolkit, please report it in an issue with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
 
 Why add SAML support to my software?
 ------------------------------------
@@ -62,7 +59,7 @@ since 2002, but lately it is becoming popular due its advantages:
 General Description
 -------------------
 
-OneLogin's SAML Python toolkit lets you turn your Python application into a SP
+SAML Python toolkit lets you turn your Python application into a SP
 (Service Provider) that can be connected to an IdP (Identity Provider).
 
 **Supports:**
@@ -83,7 +80,6 @@ OneLogin's SAML Python toolkit lets you turn your Python application into a SP
  * **Easy to use** - Programmer will be allowed to code high-level and
    low-level programming, 2 easy to use APIs are available.
  * **Tested** - Thoroughly tested.
- * **Popular** - OneLogin's customers use it. Add easy support to your Django/Flask web projects.
 
 Installation
 ------------
@@ -103,8 +99,8 @@ Review the ``setup.py`` file to know the version of the library that ``python3-s
 
 The toolkit is hosted on GitHub. You can download it from:
 
- * Latest release: https://github.com/onelogin/python3-saml/releases/latest
- * Master repo: https://github.com/onelogin/python3-saml/tree/master
+ * Latest release: https://github.com/saml-toolkits/python3-saml/releases/latest
+ * Master repo: https://github.com/saml-toolkits/python3-saml/tree/master
 
 Copy the core of the library ``(src/onelogin/saml2 folder)`` and merge the ``setup.py`` inside the Python application. (Each application has its structure so take your time to locate the Python SAML toolkit in the best place).
 
@@ -148,10 +144,10 @@ SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
 make harder this kind of attacks, but they are still possible.
 
 In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
-to be stored the amount of time of the SAML Message life time, so 
+to be stored the amount of time of the SAML Message life time, so
 we don't need to store all processed message/assertion Ids, but the most recent ones.
 
-The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L357), [get_last_message_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L364) and [get_last_assertion_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L371) methods to retrieve the IDs 
+The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L357), [get_last_message_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L364) and [get_last_assertion_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L371) methods to retrieve the IDs
 
 Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent replay attacks.
 
@@ -161,7 +157,7 @@ Getting Started
 
 ### Knowing the toolkit ###
 
-The new OneLogin SAML Toolkit contains different folders (``certs``, ``lib``, ``demo-django``, ``demo-flask`` and ``tests``) and some files.
+The new SAML Toolkit contains different folders (``certs``, ``lib``, ``demo-django``, ``demo-flask`` and ``tests``) and some files.
 
 Let's start describing them:
 
@@ -267,7 +263,7 @@ This is the ``settings.json`` file:
             // URL Location where the  from the IdP will be returned
             "url": "https:///?acs",
             // SAML protocol binding to be used when returning the 
-            // message. OneLogin Toolkit supports this endpoint for the
+            // message. SAML Toolkit supports this endpoint for the
             // HTTP-POST binding only.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         },
@@ -279,7 +275,7 @@ This is the ``settings.json`` file:
             // OPTIONAL: only specify if different from url parameter
             //"responseUrl": "https:///?sls",
             // SAML protocol binding to be used when returning the 
-            // message. OneLogin Toolkit supports the HTTP-Redirect binding
+            // message. SAML Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
@@ -289,7 +285,7 @@ This is the ``settings.json`` file:
         "attributeConsumingService": {
                 // OPTIONAL: only specifiy if SP requires this.
                 // index is an integer which identifies the attributeConsumingService used
-                // to the SP. OneLogin toolkit supports configuring only one attributeConsumingService
+                // to the SP. SAML toolkit supports configuring only one attributeConsumingService
                 // but in certain cases the SP requires a different value.  Defaults to '1'.
                 // "index": '1',
                 "serviceName": "SP test",
@@ -333,7 +329,7 @@ This is the ``settings.json`` file:
             // will be sent.
             "url": "https://app.onelogin.com/trust/saml2/http-post/sso/",
             // SAML protocol binding to be used when returning the 
-            // message. OneLogin Toolkit supports the HTTP-Redirect binding
+            // message. SAML Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
@@ -342,10 +338,10 @@ This is the ``settings.json`` file:
             // URL Location where the  from the IdP will be sent (IdP-initiated logout)
             "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/",
             // URL Location where the  from the IdP will sent (SP-initiated logout, reply)
-            // OPTIONAL: only specify if different from url parameter 
+            // OPTIONAL: only specify if different from url parameter
             "responseUrl": "https://app.onelogin.com/trust/saml2/http-redirect/slo_return/",
             // SAML protocol binding to be used when returning the 
-            // message. OneLogin Toolkit supports the HTTP-Redirect binding
+            // message. SAML Toolkit supports the HTTP-Redirect binding
             // only for this endpoint.
             "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         },
@@ -483,7 +479,7 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
         //    'http://www.w3.org/2001/04/xmlenc#sha512'
         'digestAlgorithm': "http://www.w3.org/2001/04/xmlenc#sha256",
-            
+
         // Specify if you want the SP to view assertions with duplicated Name or FriendlyName attributes to be valid
         // Defaults to false if not specified
         'allowRepeatAttributeName': false,
@@ -562,7 +558,7 @@ There's an easier method -- use a metadata exchange.  Metadata is just an XML fi
 
 Using ````parse_remote```` IdP metadata can be obtained and added to the settings without further ado.
 
-Take in mind that the OneLogin_Saml2_IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed. 
+Take in mind that the OneLogin_Saml2_IdPMetadataParser class does not validate in any way the URL that is introduced in order to be parsed.
 
 Usually the same administrator that handles the Service Provider also sets the URL to the IdP, which should be a trusted resource.
 
@@ -985,7 +981,7 @@ Described below are the main classes and methods that can be invoked from the SA
 
 #### OneLogin_Saml2_Auth - auth.py ####
 
-Main class of OneLogin Python Toolkit
+Main class of SAML Python Toolkit
 
 * `__init__` Initializes the SP SAML instance.
 * ***login*** Initiates the SSO process.
@@ -1078,7 +1074,7 @@ SAML 2 Logout Response class
 
 #### OneLogin_Saml2_Settings - settings.py ####
 
-Configuration of the OneLogin Python Toolkit
+Configuration of the SAML Python Toolkit
 
 * `__init__`  Initializes the settings: Sets the paths of the different folders and Loads settings info from settings file or array/object provided.
 * ***check_settings*** Checks the settings info.
@@ -1246,7 +1242,7 @@ The flask project contains:
 
 #### SP setup ####
 
-The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: Settings files or define a setting dict. In the ``demo-flask``, it uses the first method.
+The SAML Python Toolkit allows you to provide the settings info in 2 ways: Settings files or define a setting dict. In the ``demo-flask``, it uses the first method.
 
 In the ``index.py`` file we define the ``app.config['SAML_PATH']``, that will target to the ``saml`` folder. We require it in order to load the settings files.
 
@@ -1319,7 +1315,7 @@ The tornado project contains:
 
 #### SP setup ####
 
-The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: Settings files or define a setting dict. In the ``demo-tornado``, it uses the first method.
+The SAML Python Toolkit allows you to provide the settings info in 2 ways: Settings files or define a setting dict. In the ``demo-tornado``, it uses the first method.
 
 In the ``settings.py`` file we define the ``SAML_PATH``, that will target to the ``saml`` folder. We require it in order to load the settings files.
 
@@ -1392,7 +1388,7 @@ The django project contains:
 
 #### SP setup ####
 
-The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-django it used the first method.
+The SAML Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-django it used the first method.
 
 After set the ``SAML_FOLDER`` in the ``demo/settings.py``, the settings of the Python toolkit will be loaded on the Django web.
 
@@ -1472,7 +1468,7 @@ The Pyramid project contains:
 
 #### SP setup ####
 
-The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In ``demo_pyramid`` the first method is used.
+The SAML Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In ``demo_pyramid`` the first method is used.
 
 In the ``views.py`` file we define the ``SAML_PATH``, which will target the ``saml`` folder. We require it in order to load the settings files.
 
diff --git a/demo-django/saml/certs/README b/demo-django/saml/certs/README
index 7e837fb9..ed973e05 100644
--- a/demo-django/saml/certs/README
+++ b/demo-django/saml/certs/README
@@ -1,6 +1,6 @@
 Take care of this folder that could contain private key. Be sure that this folder never is published.
 
-Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as:
+SAML Python Toolkit expects that certs for the SP could be stored in this folder as:
 
  * sp.key     Private Key
  * sp.crt     Public cert
diff --git a/demo-django/templates/base.html b/demo-django/templates/base.html
index a55dbf0b..960ca0bc 100644
--- a/demo-django/templates/base.html
+++ b/demo-django/templates/base.html
@@ -5,7 +5,7 @@
     
     
 
-    A Python SAML Toolkit by OneLogin demo
+    A Python SAML Toolkit demo
 
     
 
@@ -18,7 +18,7 @@
   
   
     
    
-      
    A Python SAML Toolkit by OneLogin demo
    
+      
    A Python SAML Toolkit demo
    
 
       {% block content %}{% endblock %}
     
    
diff --git a/demo-flask/saml/certs/README b/demo-flask/saml/certs/README
index 7e837fb9..ed973e05 100644
--- a/demo-flask/saml/certs/README
+++ b/demo-flask/saml/certs/README
@@ -1,6 +1,6 @@
 Take care of this folder that could contain private key. Be sure that this folder never is published.
 
-Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as:
+SAML Python Toolkit expects that certs for the SP could be stored in this folder as:
 
  * sp.key     Private Key
  * sp.crt     Public cert
diff --git a/demo-flask/templates/base.html b/demo-flask/templates/base.html
index a55dbf0b..960ca0bc 100644
--- a/demo-flask/templates/base.html
+++ b/demo-flask/templates/base.html
@@ -5,7 +5,7 @@
     
     
 
-    A Python SAML Toolkit by OneLogin demo
+    A Python SAML Toolkit demo
 
     
 
@@ -18,7 +18,7 @@
   
   
     
    
-      
    A Python SAML Toolkit by OneLogin demo
    
+      
    A Python SAML Toolkit demo
    
 
       {% block content %}{% endblock %}
     
    
diff --git a/demo-tornado/saml/certs/README b/demo-tornado/saml/certs/README
index 7e837fb9..ed973e05 100644
--- a/demo-tornado/saml/certs/README
+++ b/demo-tornado/saml/certs/README
@@ -1,6 +1,6 @@
 Take care of this folder that could contain private key. Be sure that this folder never is published.
 
-Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as:
+SAML Python Toolkit expects that certs for the SP could be stored in this folder as:
 
  * sp.key     Private Key
  * sp.crt     Public cert
diff --git a/demo-tornado/templates/base.html b/demo-tornado/templates/base.html
index e403a8ef..e71bb136 100644
--- a/demo-tornado/templates/base.html
+++ b/demo-tornado/templates/base.html
@@ -5,7 +5,7 @@
     
     
 
-    A Python SAML Toolkit by OneLogin demo
+    A Python SAML Toolkit demo
 
     
 
@@ -18,7 +18,7 @@
   
   
     
    
-      
    A Python SAML Toolkit by OneLogin demo
    
+      
    A Python SAML Toolkit demo
    
 
       {% block content %}{% end %}
     
    
diff --git a/demo_pyramid/demo_pyramid/saml/certs/README b/demo_pyramid/demo_pyramid/saml/certs/README
index 7e837fb9..ed973e05 100644
--- a/demo_pyramid/demo_pyramid/saml/certs/README
+++ b/demo_pyramid/demo_pyramid/saml/certs/README
@@ -1,6 +1,6 @@
 Take care of this folder that could contain private key. Be sure that this folder never is published.
 
-Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as:
+SAML Python Toolkit expects that certs for the SP could be stored in this folder as:
 
  * sp.key     Private Key
  * sp.crt     Public cert
diff --git a/docs/saml2/_modules/index.html b/docs/saml2/_modules/index.html
index d672e465..12fa0756 100644
--- a/docs/saml2/_modules/index.html
+++ b/docs/saml2/_modules/index.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    Overview: module code — OneLogin SAML Python library classes and methods
-    
+
+    Overview: module code — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-     
+    
   
   
     
    
@@ -37,15 +37,15 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    All modules for which code is available
    
 
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/auth.html b/docs/saml2/_modules/saml2/auth.html
index f70e70b2..494ef85c 100644
--- a/docs/saml2/_modules/saml2/auth.html
+++ b/docs/saml2/_modules/saml2/auth.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.auth — OneLogin SAML Python library classes and methods
-    
+
+    saml2.auth — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,21 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.auth
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
 
 from base64 import b64encode
 from urllib import urlencode, quote
@@ -363,7 +361,7 @@ 
    Source code for saml2.auth
             dsig_ctx = xmlsec.DSigCtx()
         dsig_ctx.signKey = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
         file_key.close()
-        
+
         data = {
             'SAMLRequest': quote(saml_request),
             'RelayState': quote(relay_state),
@@ -448,12 +446,11 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
diff --git a/docs/saml2/_modules/saml2/authn_request.html b/docs/saml2/_modules/saml2/authn_request.html
index 207ee7a6..2bd22b2f 100644
--- a/docs/saml2/_modules/saml2/authn_request.html
+++ b/docs/saml2/_modules/saml2/authn_request.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.authn_request — OneLogin SAML Python library classes and methods
-    
+
+    saml2.authn_request — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,22 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.authn_request
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
-
 from base64 import b64encode
 from datetime import datetime
 from zlib import compress
@@ -164,13 +161,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/constants.html b/docs/saml2/_modules/saml2/constants.html
index 306ec1b3..1b0af52f 100644
--- a/docs/saml2/_modules/saml2/constants.html
+++ b/docs/saml2/_modules/saml2/constants.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.constants — OneLogin SAML Python library classes and methods
-    
+
+    saml2.constants — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,22 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  •  SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.constants
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
-
 
 
    [docs]class OneLogin_Saml2_Constants:
     # Value added to the current time in time condition validations
@@ -154,13 +151,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  •  SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/errors.html b/docs/saml2/_modules/saml2/errors.html
index ef958f31..ea6894b1 100644
--- a/docs/saml2/_modules/saml2/errors.html
+++ b/docs/saml2/_modules/saml2/errors.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.errors — OneLogin SAML Python library classes and methods
-    
+
+    saml2.errors —  SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,22 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  •  SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.errors
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
-
 
 
    [docs]class OneLogin_Saml2_Error(Exception):
 
@@ -123,13 +120,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  •  SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/logout_request.html b/docs/saml2/_modules/saml2/logout_request.html
index 1b690dd4..ceb9779f 100644
--- a/docs/saml2/_modules/saml2/logout_request.html
+++ b/docs/saml2/_modules/saml2/logout_request.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.logout_request — OneLogin SAML Python library classes and methods
-    
+
+    saml2.logout_request — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,22 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.logout_request
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
-
 from base64 import b64decode
 from datetime import datetime
 from lxml import etree
@@ -360,13 +357,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/logout_response.html b/docs/saml2/_modules/saml2/logout_response.html
index 3ea3bbf7..9362300f 100644
--- a/docs/saml2/_modules/saml2/logout_response.html
+++ b/docs/saml2/_modules/saml2/logout_response.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.logout_response — OneLogin SAML Python library classes and methods
-    
+
+    saml2.logout_response — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,21 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.logout_response
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
 
 from base64 import b64decode
 from datetime import datetime
@@ -270,13 +268,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/metadata.html b/docs/saml2/_modules/saml2/metadata.html
index 7b0a1be5..6f3d0b93 100644
--- a/docs/saml2/_modules/saml2/metadata.html
+++ b/docs/saml2/_modules/saml2/metadata.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.metadata — OneLogin SAML Python library classes and methods
-    
+
+    saml2.metadata — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,21 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.metadata
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
 
 from time import gmtime, strftime
 from datetime import datetime
@@ -277,13 +275,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/response.html b/docs/saml2/_modules/saml2/response.html
index d3fee4e3..7f815169 100644
--- a/docs/saml2/_modules/saml2/response.html
+++ b/docs/saml2/_modules/saml2/response.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.response — OneLogin SAML Python library classes and methods
-    
+
+    saml2.response — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,21 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.response
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
 
 from base64 import b64decode
 from copy import deepcopy
@@ -520,13 +518,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/settings.html b/docs/saml2/_modules/saml2/settings.html
index 42800b51..fe2bf6f5 100644
--- a/docs/saml2/_modules/saml2/settings.html
+++ b/docs/saml2/_modules/saml2/settings.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.settings — OneLogin SAML Python library classes and methods
-    
+
+    saml2.settings — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,21 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.settings
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
 
 from datetime import datetime
 import json
@@ -683,13 +681,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_modules/saml2/utils.html b/docs/saml2/_modules/saml2/utils.html
index 613d2a09..63cc42a3 100644
--- a/docs/saml2/_modules/saml2/utils.html
+++ b/docs/saml2/_modules/saml2/utils.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    saml2.utils — OneLogin SAML Python library classes and methods
-    
+
+    saml2.utils — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -38,21 +38,19 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Source code for saml2.utils
     # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2018 OneLogin, Inc.
-# MIT License
 
 import base64
 from datetime import datetime
@@ -793,13 +791,12 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    • 
-          
  • Class code »
    •  
+        
  • SAML Python library classes and methods »
    • 
+          
  • Class code »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/_sources/index.txt b/docs/saml2/_sources/index.txt
index 43d48f47..50ca26a4 100644
--- a/docs/saml2/_sources/index.txt
+++ b/docs/saml2/_sources/index.txt
@@ -3,7 +3,7 @@
    You can adapt this file completely to your liking, but it should at least
    contain the root `toctree` directive.
 
-Welcome to OneLogin SAML Python library documentation
+Welcome to SAML Python library documentation
 =====================================================
 
 Contents:
diff --git a/docs/saml2/genindex.html b/docs/saml2/genindex.html
index 3ee2939c..d9f60b97 100644
--- a/docs/saml2/genindex.html
+++ b/docs/saml2/genindex.html
@@ -9,12 +9,12 @@
 
   
     
-    
-    Index — OneLogin SAML Python library classes and methods
-    
+
+    Index — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-     
+    
   
   
     
    
@@ -39,15 +39,15 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
 
 
    Index
    
 
@@ -70,54 +70,54 @@ 
    Index
    
  | T
  | V
  | W
- 
+
 
    
 
    A
    
 
    
   
    
-      
+
   
    AC_KERBEROS (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    AC_PASSWORD (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    AC_SMARTCARD (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    AC_UNSPECIFIED (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    AC_X509 (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    add_sign() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
   
    		
   
    
-      
+
   
    add_x509_key_descriptors() (saml2.metadata.OneLogin_Saml2_Metadata static method)
   
    
 
-      
+
   
    ALOWED_CLOCK_DRIFT (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    ATTRNAME_FORMAT_BASIC (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    ATTRNAME_FORMAT_UNSPECIFIED (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    ATTRNAME_FORMAT_URI (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
@@ -127,41 +127,41 @@ 
    A
    
 
    B
    
 
    
   
    
-      
+
   
    BINDING_DEFLATE (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    BINDING_HTTP_ARTIFACT (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    BINDING_HTTP_POST (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    BINDING_HTTP_REDIRECT (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    BINDING_SOAP (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
   
    		
   
    
-      
+
   
    build() (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
   
    
 
-      
+
   
    build_request_signature() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    build_response_signature() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    builder() (saml2.metadata.OneLogin_Saml2_Metadata static method)
   
    
 
@@ -171,33 +171,33 @@ 
    B
    
 
    C
    
 
    
   
    
-      
+
   
    calculate_x509_fingerprint() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    check_settings() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    check_sp_certs() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    check_status() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
   
    		
   
    
-      
+
   
    CM_BEARER (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    CM_HOLDER_KEY (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    CM_SENDER_VOUCHES (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
@@ -207,21 +207,21 @@ 
    C
    
 
    D
    
 
    
   
    
-      
+
   
    decode_base64_and_inflate() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    decrypt_element() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
   
    		
   
    
-      
+
   
    deflate_and_base64_encode() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    delete_local_session() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
@@ -231,17 +231,17 @@ 
    D
    
 
    F
    
 
    
   
    
-      
+
   
    format_cert() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    format_finger_print() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
   
    		
   
    
-      
+
   
    format_idp_cert() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
@@ -251,200 +251,200 @@ 
    F
    
 
    G
    
 
    
   
    
-      
+
   
    generate_name_id() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    generate_unique_id() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    get_attribute() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    get_attributes() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
       
    
-        
+
   
    (saml2.response.OneLogin_Saml2_Response method)
   
    
 
       
    
-      
+
   
    get_audiences() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
-      
+
   
    get_base_path() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_cert_path() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_contacts() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_errors() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
       
    
-        
+
   
    (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
       
    
-      
+
   
    get_expire_time() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    get_ext_lib_path() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_id() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
   
    
 
-      
+
   
    get_idp_data() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_issuer() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
   
    
 
       
    
-        
+
   
    (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
   
    
 
       
    
-      
+
   
    get_issuers() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
-      
+
   
    get_lib_path() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_name_id() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
   
    
 
-      
+
   
    get_name_id_data() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
   
    
 
-      
+
   
    get_nameid() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
       
    
-        
+
   
    (saml2.response.OneLogin_Saml2_Response method)
   
    
 
       
    
-      
+
   
    get_nameid_data() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
   
    		
   
    
-      
+
   
    get_organization() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_request() (saml2.authn_request.OneLogin_Saml2_Authn_Request method)
   
    
 
       
    
-        
+
   
    (saml2.logout_request.OneLogin_Saml2_Logout_Request method)
   
    
 
       
    
-      
+
   
    get_response() (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
   
    
 
-      
+
   
    get_schemas_path() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_security_data() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_self_host() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    get_self_url() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    get_self_url_host() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    get_self_url_no_query() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    get_session_index() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
-      
+
   
    get_session_indexes() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
   
    
 
-      
+
   
    get_session_not_on_or_after() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
-      
+
   
    get_settings() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    get_slo_url() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    get_sp_cert() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_sp_data() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_sp_key() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_sp_metadata() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    get_sso_url() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    get_status() (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
   
    
 
       
    
-        
+
   
    (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
@@ -455,34 +455,34 @@ 
    G
    
 
    I
    
 
    
   
    
-      
+
   
    is_authenticated() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    is_debug_active() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    is_https() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
   
    		
   
    
-      
+
   
    is_strict() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    is_valid() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
   
    
 
       
    
-        
+
   
    (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
   
    
 
-        
+
   
    (saml2.response.OneLogin_Saml2_Response method)
   
    
 
@@ -493,13 +493,13 @@ 
    I
    
 
    L
    
 
    
   
    
-      
+
   
    login() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
   
    		
   
    
-      
+
   
    logout() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
@@ -509,7 +509,7 @@ 
    L
    
 
    M
    
 
    
   
    
-      
+
   
    METADATA_SP_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
@@ -519,73 +519,73 @@ 
    M
    
 
    N
    
 
    
   
    
-      
+
   
    NAMEID_EMAIL_ADDRESS (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_ENCRYPTED (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_ENTITY (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_KERBEROS (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_PERSISTENT (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_TRANSIENT (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NAMEID_X509_SUBJECT_NAME (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_DS (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
   
    		
   
    
-      
+
   
    NS_MD (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_SAML (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_SAMLP (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_SOAP (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_XENC (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_XS (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NS_XSI (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    NSMAP (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
@@ -595,45 +595,45 @@ 
    N
    
 
    O
    
 
    
   
    
-      
+
   
    OneLogin_Saml2_Auth (class in saml2.auth)
   
    
 
-      
+
   
    OneLogin_Saml2_Authn_Request (class in saml2.authn_request)
   
    
 
-      
+
   
    OneLogin_Saml2_Constants (class in saml2.constants)
   
    
 
-      
+
   
    OneLogin_Saml2_Error
   
    
 
-      
+
   
    OneLogin_Saml2_Logout_Request (class in saml2.logout_request)
   
    
 
   
    		
   
    
-      
+
   
    OneLogin_Saml2_Logout_Response (class in saml2.logout_response)
   
    
 
-      
+
   
    OneLogin_Saml2_Metadata (class in saml2.metadata)
   
    
 
-      
+
   
    OneLogin_Saml2_Response (class in saml2.response)
   
    
 
-      
+
   
    OneLogin_Saml2_Settings (class in saml2.settings)
   
    
 
-      
+
   
    OneLogin_Saml2_Utils (class in saml2.utils)
   
    
 
@@ -643,33 +643,33 @@ 
    O
    
 
    P
    
 
    
   
    
-      
+
   
    parse_duration() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    parse_SAML_to_time() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    parse_time_to_SAML() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    PRIVATE_KEY_FILE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
   
    		
   
    
-      
+
   
    process_response() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    process_slo() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    PUBLIC_CERT_FILE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
@@ -679,7 +679,7 @@ 
    P
    
 
    Q
    
 
    
   
    
-      
+
   
    query() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
@@ -689,21 +689,21 @@ 
    Q
    
 
    R
    
 
    
   
    
-      
+
   
    redirect() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
-      
+
   
    REDIRECT_INVALID_URL (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
   
    		
   
    
-      
+
   
    redirect_to() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
-      
+
   
    RSA_SHA1 (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
@@ -713,123 +713,123 @@ 
    R
    
 
    S
    
 
    
   
    
-      
+
   
    saml2.auth (module)
   
    
 
-      
+
   
    saml2.authn_request (module)
   
    
 
-      
+
   
    saml2.constants (module)
   
    
 
-      
+
   
    saml2.errors (module)
   
    
 
-      
+
   
    saml2.logout_request (module)
   
    
 
-      
+
   
    saml2.logout_response (module)
   
    
 
-      
+
   
    saml2.metadata (module)
   
    
 
-      
+
   
    saml2.response (module)
   
    
 
-      
+
   
    saml2.settings (module)
   
    
 
-      
+
   
    saml2.utils (module)
   
    
 
-      
+
   
    SAML_LOGOUTMESSAGE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    SAML_LOGOUTREQUEST_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    SAML_LOGOUTRESPONSE_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    SAML_RESPONSE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
   
    		
   
    
-      
+
   
    SAML_SINGLE_LOGOUT_NOT_SUPPORTED (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    set_strict() (saml2.auth.OneLogin_Saml2_Auth method)
   
    
 
       
    
-        
+
   
    (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
       
    
-      
+
   
    SETTINGS_FILE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    SETTINGS_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    SETTINGS_INVALID_SYNTAX (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    sign_metadata() (saml2.metadata.OneLogin_Saml2_Metadata static method)
   
    
 
-      
+
   
    SP_CERTS_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
   
    
 
-      
+
   
    STATUS_NO_PASSIVE (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    STATUS_PARTIAL_LOGOUT (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    STATUS_PROXY_COUNT_EXCEEDED (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    STATUS_REQUESTER (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    STATUS_RESPONDER (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    STATUS_SUCCESS (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
-      
+
   
    STATUS_VERSION_MISMATCH (saml2.constants.OneLogin_Saml2_Constants attribute)
   
    
 
@@ -839,13 +839,13 @@ 
    S
    
 
    T
    
 
    
   
    
-      
+
   
    TIME_CACHED (saml2.metadata.OneLogin_Saml2_Metadata attribute)
   
    
 
   
    		
   
    
-      
+
   
    TIME_VALID (saml2.metadata.OneLogin_Saml2_Metadata attribute)
   
    
 
@@ -855,29 +855,29 @@ 
    T
    
 
    V
    
 
    
   
    
-      
+
   
    validate_metadata() (saml2.settings.OneLogin_Saml2_Settings method)
   
    
 
-      
+
   
    validate_num_assertions() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
-      
+
   
    validate_sign() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
   
    		
   
    
-      
+
   
    validate_timestamps() (saml2.response.OneLogin_Saml2_Response method)
   
    
 
-      
+
   
    validate_url() (in module saml2.settings)
   
    
 
-      
+
   
    validate_xml() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
@@ -887,7 +887,7 @@ 
    V
    
 
    W
    
 ]", "i"),
-	// checked="checked" or checked
-	rchecked = /checked\s*(?:[^=]|=\s*.checked.)/i,
-	rscriptType = /\/(java|ecma)script/i,
-	rcleanScript = /^\s*", "" ],
-		legend: [ 1, "
    ", "
    " ],
-		thead: [ 1, "
    
   
    
-      
+
   
    write_temp_file() (saml2.utils.OneLogin_Saml2_Utils static method)
   
    
 
@@ -902,7 +902,7 @@ 
    W
    
       
    
         
    
 
-   
+
 
 
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/index.html b/docs/saml2/index.html
index d17bd654..1015fa57 100644
--- a/docs/saml2/index.html
+++ b/docs/saml2/index.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    Welcome to OneLogin SAML Python library documentation
-    
+
+    Welcome to SAML Python library documentation
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -41,17 +41,17 @@ 
    Navigation
    
         
  • 
           next |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    
-
    Welcome to OneLogin SAML Python library documentation
    
+
    Welcome to SAML Python library documentation
    
 
    Contents:
    
 
    
 
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/py-modindex.html b/docs/saml2/py-modindex.html
index e7321859..5f2d4393 100644
--- a/docs/saml2/py-modindex.html
+++ b/docs/saml2/py-modindex.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    Python Class Index — OneLogin SAML Python library classes and methods
-    
+
+    Python Class Index — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
- 
+    
+
 
 
   
@@ -40,15 +40,15 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
 
    
    Python Class Index
    
 
@@ -143,12 +143,11 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/saml2.html b/docs/saml2/saml2.html
index 6dd1e00a..6b9631f0 100644
--- a/docs/saml2/saml2.html
+++ b/docs/saml2/saml2.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    OneLogin saml2 Module — OneLogin SAML Python library classes and methods
-    
+
+    OneLogin saml2 Module — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
-     
+    
+    
   
   
     
    
@@ -39,17 +39,17 @@ 
    Navigation
    
           modules |
         
  • 
-          previous |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    
 
    OneLogin saml2 Module
    
 
    
@@ -1998,7 +1998,7 @@ 
    Table Of Contents
    
 
   
    Previous topic
    
   
    Welcome to OneLogin SAML Python library documentation
    
+                        title="previous chapter">Welcome to SAML Python library documentation
    
   
    This Page
    
   
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/docs/saml2/search.html b/docs/saml2/search.html
index 531d00de..933fde97 100644
--- a/docs/saml2/search.html
+++ b/docs/saml2/search.html
@@ -7,12 +7,12 @@
 
   
     
-    
-    Search — OneLogin SAML Python library classes and methods
-    
+
+    Search — SAML Python library classes and methods
+
     
     
-    
+
     
     
     
-    
+    
   
-  
+
   
-   
+
 
   
   
@@ -45,15 +45,15 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
-    
      
+    
    
 
     
    
       
    
         
    
           
    
-            
+
   
    Search
    
   
    
   
@@ -73,9 +73,9 @@ 
    Search
    
     
     
   
-  
+
   
    
-  
+
   
    
 
           
    
@@ -96,12 +96,11 @@ 
    Navigation
    
         
  • 
           modules |
    • 
-        
  • OneLogin SAML Python library classes and methods »
    •  
+        
  • SAML Python library classes and methods »
    • 
       
     
    
     
    
-        © Copyright 2014, OneLogin Inc..
       Created using Sphinx 1.1.3.
     
    
   
-
\ No newline at end of file
+
diff --git a/setup.py b/setup.py
index 21105b36..8e0b7355 100644
--- a/setup.py
+++ b/setup.py
@@ -1,16 +1,13 @@
 #! /usr/bin/env python
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2022 OneLogin, Inc.
-# MIT License
-
 from setuptools import setup
 
 
 setup(
     name='python3-saml',
     version='1.14.0',
-    description='Onelogin Python Toolkit. Add SAML support to your Python software using this library',
+    description='Saml Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
         'Intended Audience :: Developers',
@@ -25,10 +22,8 @@
         'Programming Language :: Python :: 3.9',
         'Programming Language :: Python :: 3.10',
     ],
-    author='OneLogin',
-    author_email='support@onelogin.com',
     license='MIT',
-    url='https://github.com/onelogin/python3-saml',
+    url='https://github.com/saml-toolkit/python3-saml',
     packages=['onelogin', 'onelogin/saml2'],
     include_package_data=True,
     package_data={
diff --git a/src/onelogin/__init__.py b/src/onelogin/__init__.py
index 52ea1212..57f87a32 100644
--- a/src/onelogin/__init__.py
+++ b/src/onelogin/__init__.py
@@ -1,14 +1,10 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
 Add SAML support to your Python softwares using this library.
-Forget those complicated libraries and use that open source
-library provided and supported by OneLogin Inc.
 
-OneLogin's SAML Python toolkit let you build a SP (Service Provider)
+SAML Python toolkit let you build a SP (Service Provider)
 over your Python application and connect it to any IdP (Identity Provider).
 
 Supports:
diff --git a/src/onelogin/saml2/__init__.py b/src/onelogin/saml2/__init__.py
index 52ea1212..57f87a32 100644
--- a/src/onelogin/saml2/__init__.py
+++ b/src/onelogin/saml2/__init__.py
@@ -1,14 +1,10 @@
 # -*- coding: utf-8 -*-
 
 """
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
 Add SAML support to your Python softwares using this library.
-Forget those complicated libraries and use that open source
-library provided and supported by OneLogin Inc.
 
-OneLogin's SAML Python toolkit let you build a SP (Service Provider)
+SAML Python toolkit let you build a SP (Service Provider)
 over your Python application and connect it to any IdP (Identity Provider).
 
 Supports:
diff --git a/src/onelogin/saml2/auth.py b/src/onelogin/saml2/auth.py
index dc045f25..ac85ebc1 100644
--- a/src/onelogin/saml2/auth.py
+++ b/src/onelogin/saml2/auth.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Auth class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Main class of OneLogin's Python Toolkit.
+Main class of SAML Python Toolkit.
 
 Initializes the SP SAML instance
 
diff --git a/src/onelogin/saml2/authn_request.py b/src/onelogin/saml2/authn_request.py
index 0aa1623d..0a9f4438 100644
--- a/src/onelogin/saml2/authn_request.py
+++ b/src/onelogin/saml2/authn_request.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Authn_Request class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-AuthNRequest class of OneLogin's Python Toolkit.
+AuthNRequest class of SAML Python Toolkit.
 
 """
 
diff --git a/src/onelogin/saml2/compat.py b/src/onelogin/saml2/compat.py
index 90bcfac7..42e32b08 100644
--- a/src/onelogin/saml2/compat.py
+++ b/src/onelogin/saml2/compat.py
@@ -2,8 +2,6 @@
 
 """ py3 compatibility class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
 """
 
diff --git a/src/onelogin/saml2/constants.py b/src/onelogin/saml2/constants.py
index a938f8e3..44220c44 100644
--- a/src/onelogin/saml2/constants.py
+++ b/src/onelogin/saml2/constants.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Constants class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Constants class of OneLogin's Python Toolkit.
+Constants class of SAML Python Toolkit.
 
 """
 
@@ -14,7 +12,7 @@ class OneLogin_Saml2_Constants(object):
     """
 
     This class defines all the constants that will be used
-    in the OneLogin's Python Toolkit.
+    in the SAML Python Toolkit.
 
     """
 
diff --git a/src/onelogin/saml2/errors.py b/src/onelogin/saml2/errors.py
index b231f982..bcb4890d 100644
--- a/src/onelogin/saml2/errors.py
+++ b/src/onelogin/saml2/errors.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Error class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Error class of OneLogin's Python Toolkit.
+Error class of SAML Python Toolkit.
 
 Defines common Error codes and has a custom initializator.
 
diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index 1b94e1a8..aa8fe2a2 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -1,9 +1,7 @@
 # -*- coding: utf-8 -*-
 
 """ OneLogin_Saml2_IdPMetadataParser class
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
-Metadata class of OneLogin's Python Toolkit.
+Metadata class of SAML Python Toolkit.
 """
 
 
diff --git a/src/onelogin/saml2/logout_request.py b/src/onelogin/saml2/logout_request.py
index 84cdd86b..23fc6216 100644
--- a/src/onelogin/saml2/logout_request.py
+++ b/src/onelogin/saml2/logout_request.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Logout_Request class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Logout Request class of OneLogin's Python Toolkit.
+Logout Request class of SAML Python Toolkit.
 
 """
 
diff --git a/src/onelogin/saml2/logout_response.py b/src/onelogin/saml2/logout_response.py
index d1110a73..40e9978a 100644
--- a/src/onelogin/saml2/logout_response.py
+++ b/src/onelogin/saml2/logout_response.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Logout_Response class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Logout Response class of OneLogin's Python Toolkit.
+Logout Response class of SAML Python Toolkit.
 
 """
 
diff --git a/src/onelogin/saml2/metadata.py b/src/onelogin/saml2/metadata.py
index cccd7ce0..d07685f8 100644
--- a/src/onelogin/saml2/metadata.py
+++ b/src/onelogin/saml2/metadata.py
@@ -2,10 +2,8 @@
 
 """ OneLoginSaml2Metadata class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Metadata class of OneLogin's Python Toolkit.
+Metadata class of SAML Python Toolkit.
 
 """
 
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
index 3cf0964e..595b8449 100644
--- a/src/onelogin/saml2/response.py
+++ b/src/onelogin/saml2/response.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Response class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-SAML Response class of OneLogin's Python Toolkit.
+SAML Response class of SAML Python Toolkit.
 
 """
 
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index 34176e25..b3498337 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Utils class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Auxiliary class of OneLogin's Python Toolkit.
+Auxiliary class of SAML Python Toolkit.
 
 """
 
diff --git a/src/onelogin/saml2/xml_templates.py b/src/onelogin/saml2/xml_templates.py
index 5575d116..2484d6f3 100644
--- a/src/onelogin/saml2/xml_templates.py
+++ b/src/onelogin/saml2/xml_templates.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_Auth class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Main class of OneLogin's Python Toolkit.
+Main class of SAML Python Toolkit.
 
 Initializes the SP SAML instance
 
diff --git a/src/onelogin/saml2/xml_utils.py b/src/onelogin/saml2/xml_utils.py
index 8cbd434b..5cda946c 100644
--- a/src/onelogin/saml2/xml_utils.py
+++ b/src/onelogin/saml2/xml_utils.py
@@ -2,10 +2,8 @@
 
 """ OneLogin_Saml2_XML class
 
-Copyright (c) 2010-2021 OneLogin, Inc.
-MIT License
 
-Auxiliary class of OneLogin's Python Toolkit.
+Auxiliary class of SAML Python Toolkit.
 
 """
 
diff --git a/tests/data/metadata/idp_metadata.xml b/tests/data/metadata/idp_metadata.xml
index 146428c1..7c57cdf1 100644
--- a/tests/data/metadata/idp_metadata.xml
+++ b/tests/data/metadata/idp_metadata.xml
@@ -37,6 +37,6 @@ QOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78
   
   
     Support
-    support@onelogin.com
+    support@example.com
   
-
\ No newline at end of file
+
diff --git a/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml b/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml
index df90353a..5736ff48 100644
--- a/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml
+++ b/tests/data/metadata/idp_metadata_different_sign_and_encrypt_cert.xml
@@ -67,6 +67,6 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==
   
   
     Support
-    support@onelogin.com
+    support@example.com
   
-
\ No newline at end of file
+
diff --git a/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml b/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml
index e7fd250b..ae8d09e9 100644
--- a/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml
+++ b/tests/data/metadata/idp_metadata_same_sign_and_encrypt_cert.xml
@@ -66,6 +66,6 @@ QOPR6cEwFZzP0tHTYbI839WgxX6hfhIUTUz6mLqq4+3P4BG3+1OXeVDg63y8Uh78
   
   
     Support
-    support@onelogin.com
+    support@example.com
   
-
\ No newline at end of file
+
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index efaf1b40..82db914f 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 from base64 import b64decode, b64encode
 import json
diff --git a/tests/src/OneLogin/saml2_tests/authn_request_test.py b/tests/src/OneLogin/saml2_tests/authn_request_test.py
index cbf225a1..af7aa2cc 100644
--- a/tests/src/OneLogin/saml2_tests/authn_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/authn_request_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/error_test.py b/tests/src/OneLogin/saml2_tests/error_test.py
index 9a36a283..7d311130 100644
--- a/tests/src/OneLogin/saml2_tests/error_test.py
+++ b/tests/src/OneLogin/saml2_tests/error_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import unittest
 from onelogin.saml2.errors import OneLogin_Saml2_Error
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 4aa653b5..46cfdbf4 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 try:
     from urllib.error import URLError
diff --git a/tests/src/OneLogin/saml2_tests/logout_request_test.py b/tests/src/OneLogin/saml2_tests/logout_request_test.py
index c18eaee4..cabe7b47 100644
--- a/tests/src/OneLogin/saml2_tests/logout_request_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_request_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/logout_response_test.py b/tests/src/OneLogin/saml2_tests/logout_response_test.py
index 4b3da96a..eea09882 100644
--- a/tests/src/OneLogin/saml2_tests/logout_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/logout_response_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/metadata_test.py b/tests/src/OneLogin/saml2_tests/metadata_test.py
index c95ceead..31d94cf8 100644
--- a/tests/src/OneLogin/saml2_tests/metadata_test.py
+++ b/tests/src/OneLogin/saml2_tests/metadata_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index ada973a6..6bd31144 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 from base64 import b64decode
 
@@ -112,7 +110,7 @@ def testReturnNameId(self):
         settings = OneLogin_Saml2_Settings(json_settings)
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
-        self.assertEqual('support@onelogin.com', response.get_nameid())
+        self.assertEqual('support@example.com', response.get_nameid())
 
         xml_2 = self.file_contents(join(self.data_path, 'responses', 'response_encrypted_nameid.xml.base64'))
         response_2 = OneLogin_Saml2_Response(settings, xml_2)
@@ -391,7 +389,7 @@ def testGetNameIdData(self):
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         expected_nameid_data = {
-            'Value': 'support@onelogin.com',
+            'Value': 'support@example.com',
             'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
         }
         nameid_data = response.get_nameid_data()
@@ -824,7 +822,7 @@ def testNodeTextAttack(self):
         attributes = response.get_attributes()
         nameid = response.get_nameid()
         self.assertEqual("smith", attributes.get('surname')[0])
-        self.assertEqual('support@onelogin.com', nameid)
+        self.assertEqual('support@example.com', nameid)
 
     def testGetSessionNotOnOrAfter(self):
         """
diff --git a/tests/src/OneLogin/saml2_tests/settings_test.py b/tests/src/OneLogin/saml2_tests/settings_test.py
index 16f59e26..36505cae 100644
--- a/tests/src/OneLogin/saml2_tests/settings_test.py
+++ b/tests/src/OneLogin/saml2_tests/settings_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 from os.path import dirname, join, exists, sep
diff --git a/tests/src/OneLogin/saml2_tests/signed_response_test.py b/tests/src/OneLogin/saml2_tests/signed_response_test.py
index b820e6c7..bed0e028 100644
--- a/tests/src/OneLogin/saml2_tests/signed_response_test.py
+++ b/tests/src/OneLogin/saml2_tests/signed_response_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 from os.path import dirname, join, exists
diff --git a/tests/src/OneLogin/saml2_tests/utils_test.py b/tests/src/OneLogin/saml2_tests/utils_test.py
index 39cb46de..f1e66453 100644
--- a/tests/src/OneLogin/saml2_tests/utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/utils_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 from base64 import b64decode
 import json
diff --git a/tests/src/OneLogin/saml2_tests/xml_utils_test.py b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
index c9e01a61..45a57452 100644
--- a/tests/src/OneLogin/saml2_tests/xml_utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
@@ -1,7 +1,5 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (c) 2010-2021 OneLogin, Inc.
-# MIT License
 
 import json
 import unittest

From 21003d11286163758a87744a0ea0c91c80e90545 Mon Sep 17 00:00:00 2001
From: George Khaburzaniya 
Date: Fri, 18 Nov 2022 13:47:02 -0800
Subject: [PATCH 263/331] Pin ubuntu version for github workflow to 20.04.

---
 .github/workflows/python-package.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 0f1e37f2..e9b9cae8 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -13,7 +13,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
@@ -47,7 +47,7 @@ jobs:
     - name: Test
       run: make pytest
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
     - uses: actions/setup-python@v2

From e07d54c6a8b89de45459ff4c28bd1bd06171c9ce Mon Sep 17 00:00:00 2001
From: George Khaburzaniya 
Date: Fri, 18 Nov 2022 13:58:02 -0800
Subject: [PATCH 264/331] Fix tests and whitespace.

---
 src/onelogin/saml2/settings.py                  | 2 +-
 tests/src/OneLogin/saml2_tests/response_test.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/onelogin/saml2/settings.py b/src/onelogin/saml2/settings.py
index e6ea7b74..ace5cf50 100644
--- a/src/onelogin/saml2/settings.py
+++ b/src/onelogin/saml2/settings.py
@@ -404,7 +404,7 @@ def check_idp_settings(self, settings):
                     nameid_enc = bool(security.get('nameIdEncrypted'))
 
                     if (want_assert_sign or want_mes_signed) and \
-                            not(exists_x509 or exists_fingerprint or exists_multix509sign):
+                            not (exists_x509 or exists_fingerprint or exists_multix509sign):
                         errors.append('idp_cert_or_fingerprint_not_found_and_required')
                     if nameid_enc and not (exists_x509 or exists_multix509enc):
                         errors.append('idp_cert_not_found_and_required')
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index 6bd31144..a4bcf0de 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -110,7 +110,7 @@ def testReturnNameId(self):
         settings = OneLogin_Saml2_Settings(json_settings)
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
-        self.assertEqual('support@example.com', response.get_nameid())
+        self.assertEqual('support@onelogin.com', response.get_nameid())
 
         xml_2 = self.file_contents(join(self.data_path, 'responses', 'response_encrypted_nameid.xml.base64'))
         response_2 = OneLogin_Saml2_Response(settings, xml_2)
@@ -389,7 +389,7 @@ def testGetNameIdData(self):
         xml = self.file_contents(join(self.data_path, 'responses', 'response1.xml.base64'))
         response = OneLogin_Saml2_Response(settings, xml)
         expected_nameid_data = {
-            'Value': 'support@example.com',
+            'Value': 'support@onelogin.com',
             'Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
         }
         nameid_data = response.get_nameid_data()
@@ -822,7 +822,7 @@ def testNodeTextAttack(self):
         attributes = response.get_attributes()
         nameid = response.get_nameid()
         self.assertEqual("smith", attributes.get('surname')[0])
-        self.assertEqual('support@example.com', nameid)
+        self.assertEqual('support@onelogin.com', nameid)
 
     def testGetSessionNotOnOrAfter(self):
         """

From 960b3a1d44a92329747de46302c15a95a151bab3 Mon Sep 17 00:00:00 2001
From: Stu Tomlinson 
Date: Tue, 30 Aug 2022 14:38:36 +0100
Subject: [PATCH 265/331] Remove lxml version restriction

Add documentation on how to avoid libxml2 version incompatibilities
---
 README.md | 9 +++++++++
 setup.py  | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 08f15fde..9367178c 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,7 @@ Installation
 
  * python 2.7 // python 3.6
  * [xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library.
+ * [lxml](https://pypi.python.org/pypi/lxml) Python bindings for the libxml2 and libxslt libraries.
  * [isodate](https://pypi.python.org/pypi/isodate) An ISO 8601 date/time/
  duration parser and formatter
 
@@ -115,6 +116,14 @@ $ pip install python3-saml
 
 If you want to know how a project can handle python packages review this [guide](https://packaging.python.org/en/latest/tutorial.html) and review this [sampleproject](https://github.com/pypa/sampleproject)
 
+#### NOTE ####
+To avoid ``libxml2`` library version incompatibilities between ``xmlsec`` and ``lxml`` it is recommended that ``lxml`` is not installed from binary.
+
+This can be ensured by executing:
+```
+$ pip install --force-reinstall --no-binary lxml lxml
+```
+
 Security Warning
 ----------------
 
diff --git a/setup.py b/setup.py
index 8e0b7355..eedf9671 100644
--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@
     },
     test_suite='tests',
     install_requires=[
-        'lxml<4.7.1',
+        'lxml>=4.6.5',
         'isodate>=0.6.1',
         'xmlsec>=1.3.9'
     ],

From 01a154cda1bde7bfd1edd572679d886062c45674 Mon Sep 17 00:00:00 2001
From: Stu Tomlinson 
Date: Fri, 16 Dec 2022 16:02:27 +0000
Subject: [PATCH 266/331] Add test for libxml2 version compatibility

---
 .../OneLogin/saml2_tests/xml_utils_test.py    | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tests/src/OneLogin/saml2_tests/xml_utils_test.py b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
index 45a57452..bc563621 100644
--- a/tests/src/OneLogin/saml2_tests/xml_utils_test.py
+++ b/tests/src/OneLogin/saml2_tests/xml_utils_test.py
@@ -3,6 +3,7 @@
 
 import json
 import unittest
+import xmlsec
 
 from base64 import b64decode
 from lxml import etree
@@ -32,6 +33,29 @@ def file_contents(self, filename):
         f.close()
         return content
 
+    def testLibxml2(self):
+        """
+        Tests that libxml2 versions used by xmlsec and lxml are compatible
+
+        If this test fails, reinstall lxml without using binary to ensure it is
+        linked to same version of libxml2 as xmlsec:
+        pip install --force-reinstall --no-binary lxml lxml
+
+        See https://bugs.launchpad.net/lxml/+bug/1960668
+        """
+        env = etree.fromstring('')
+        sig = xmlsec.template.create(
+            env,
+            xmlsec.Transform.EXCL_C14N,
+            xmlsec.Transform.RSA_SHA256,
+            ns="ds"
+        )
+
+        ds = etree.QName(sig).namespace
+        cm = sig.find(".//{%s}CanonicalizationMethod" % ds)
+
+        self.assertIsNotNone(cm)
+
     def testValidateXML(self):
         """
         Tests the validate_xml method of the OneLogin_Saml2_XML

From 53dd64e094f33e6444d7381b8306a45fec9b5445 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 25 Dec 2022 13:09:05 +0100
Subject: [PATCH 267/331] Avoid lxml 4.7.0

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index eedf9671..36898896 100644
--- a/setup.py
+++ b/setup.py
@@ -34,7 +34,7 @@
     },
     test_suite='tests',
     install_requires=[
-        'lxml>=4.6.5',
+        'lxml>=4.6.5, !=4.7.0',
         'isodate>=0.6.1',
         'xmlsec>=1.3.9'
     ],

From 379f906d21a7ff1203517c3189c06db281c5a1b5 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 25 Dec 2022 13:27:31 +0100
Subject: [PATCH 268/331] Force travis to always use lxml from no binary

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 820f9499..09b1e7e1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,6 +16,7 @@ install:
   - sudo apt-get update -qq
   - sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
   - 'travis_retry pip install .'
+  - 'travis_retry pip install --force-reinstall --no-binary lxml lxml'
   - 'travis_retry pip install -e ".[test]"'
 
 script: 

From 62163143dc22b333172f2838adc66d29675c1195 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 25 Dec 2022 21:36:48 +0100
Subject: [PATCH 269/331] Adopt Poetry. Prepare for 1.15.0 release.

---
 .gitignore     |   1 +
 .travis.yml    |   4 +-
 pyproject.toml | 180 +++++++++++++++++++++++++++++++++++++++++++++++++
 setup.py       |   8 +--
 4 files changed, 187 insertions(+), 6 deletions(-)
 create mode 100644 pyproject.toml

diff --git a/.gitignore b/.gitignore
index d449f63f..7504184a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,7 @@ __pycache_
 /.idea
 .mypy_cache/
 .pytest_cache
+poetry.lock
 
 *.key
 *.crt
diff --git a/.travis.yml b/.travis.yml
index 09b1e7e1..6ce39386 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,8 +19,8 @@ install:
   - 'travis_retry pip install --force-reinstall --no-binary lxml lxml'
   - 'travis_retry pip install -e ".[test]"'
 
-script: 
+script:
   - 'coverage run --source=src/onelogin/saml2 --rcfile=tests/coverage.rc setup.py test'
   - 'coverage report -m --rcfile=tests/coverage.rc'
 # - 'pylint src/onelogin/saml2 --rcfile=tests/pylint.rc'
-  - 'flake8 .'
+  - 'flake8 --toml-config pyproject.toml'
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 00000000..71bf94f4
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,180 @@
+[tool.poetry]
+name = "python3-saml"
+version = "1.15.0"
+description = "Saml Python Toolkit. Add SAML support to your Python software using this library"
+license = "Apache-2.0"
+authors = ["SAML-Toolkits "]
+maintainers = ["Sixto Martin "]
+readme = "README.md"
+homepage = "https://saml.info"
+repository = "https://github.com/SAML-Toolkits/python3-saml"
+documentation = "https://pysaml2.readthedocs.io"
+keywords = [
+    "saml",
+    "saml2",
+    "sso",
+    "xmlsec",
+    "federation",
+    "identity",
+]
+classifiers = [
+    "Topic :: Software Development :: Build Tools",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+packages = [
+    { include = "onelogin", from = "src" },
+    { include = "onelogin/saml2", from = "src" },
+]
+
+include = [
+    { path = "src/onelogin/saml2/schemas"},
+    { path = "tests", format = "sdist" }
+]
+
+[tool.poetry.urls]
+"Bug Tracker" = "https://github.com/SAML-Toolkits/python3-saml/issues"
+
+[tool.poetry.dependencies]
+python = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+lxml = ">=4.6.5, !=4.7.0"
+xmlsec = ">=1.3.9"
+isodate = ">=0.6.1"
+
+[tool.poetry.group.dev]
+optional = true
+
+[tool.poetry.group.dev.dependencies]
+black = "*"
+isort = {version = "^5.10.1", extras = ["pyproject"]}
+flake8 = ">=3.6.0"
+Flake8-pyproject = "^1.1.0.post0"
+flake8-bugbear = "^22.8.23"
+flake8-logging-format = "^0.7.5"
+ipdb = "^0.13.9"
+
+[tool.poetry.group.test]
+optional = true
+
+[tool.poetry.group.test.dependencies]
+freezegun= ">=0.3.11, <=1.1.0"
+pytest = ">=6.0"
+flake8 = ">=3.6.0"
+#pylint = ">=1.9.4"
+
+[tool.poetry.group.coverage]
+optional = true
+
+[tool.poetry.group.coverage.dependencies]
+coverage = ">=4.5.2"
+pytest-cov = "*"
+
+[tool.poetry.group.docs]
+optional = true
+
+[tool.poetry.group.docs.dependencies]
+sphinx = "*"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.pytest.ini_options]
+minversion = "6.0"
+addopts = "-ra -vvv"
+testpaths = [
+    "tests",
+]
+pythonpath = [
+    "tests",
+]
+
+[tool.coverage.run]
+branch = true
+source = ["src/onelogin/saml2"]
+ignore_errors = true
+
+[tool.coverage.report]
+exclude_lines = [
+  "pragma: no cover",
+  "def __repr__",
+  "def __str__",
+  "raise AssertionError",
+  "raise NotImplementedError",
+  "if __name__ == .__main__.:",
+  "if TYPE_CHECKING:",
+  "if typing.TYPE_CHECKING:",
+]
+
+[tool.coverage.html]
+directory = "cov_html"
+
+[tool.flake8]
+max-line-length = 210
+max-complexity = 22
+count = true
+show-source = true
+statistics = true
+disable-noqa = false
+# 'ignore' defaults to: E121,E123,E126,E226,E24,E704,W503,W504
+extend-ignore = [
+    'B904',
+    'B006',
+    'B950',
+    'B017',
+    'C901',
+    'E501',
+    'E731',
+]
+per-file-ignores = [
+    '__init__.py:F401',
+]
+# 'select' defaults to: E,F,W,C90
+extend-select = [
+    # * Default warnings reported by flake8-bugbear (B) -
+    #   https://github.com/PyCQA/flake8-bugbear#list-of-warnings
+    'B',
+    # * The B950 flake8-bugbear opinionated warnings -
+    #   https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
+    'B9',
+]
+extend-exclude = [
+    '.github', '.gitlab',
+    '.Python', '.*.pyc', '.*.pyo', '.*.pyd', '.*.py.class', '*.egg-info',
+    'venv*', '.venv*', '.*_cache',
+    'lib', 'lib64', '.*.so',
+    'build', 'dist', 'sdist', 'wheels',
+]
+
+[tool.black]
+line-length = 200
+extend-exclude = '''
+# A regex preceded with ^/ will apply only to files and directories
+# in the root of the project.
+(
+    \.pytest_cache
+)
+'''
+
+[tool.isort]
+profile = 'black'
+# The 'black' profile means:
+#   multi_line_output = 3
+#   include_trailing_comma = true
+#   force_grid_wrap = 0
+#   use_parentheses = true
+#   ensure_newline_before_comments = true
+#   line_length = 88
+line_length = 200  # override black provile line_length
+force_single_line = true  # override black profile multi_line_output
+star_first = true
+group_by_package = true
+force_sort_within_sections = true
+lines_after_imports = 2
+honor_noqa = true
+atomic = true
+ignore_comments = true
+skip_gitignore = true
+src_paths = [
+    'src',
+    'tests',
+]
diff --git a/setup.py b/setup.py
index 36898896..72544008 100644
--- a/setup.py
+++ b/setup.py
@@ -6,7 +6,7 @@
 
 setup(
     name='python3-saml',
-    version='1.14.0',
+    version='1.15.0',
     description='Saml Python Toolkit. Add SAML support to your Python software using this library',
     classifiers=[
         'Development Status :: 5 - Production/Stable',
@@ -23,7 +23,7 @@
         'Programming Language :: Python :: 3.10',
     ],
     license='MIT',
-    url='https://github.com/saml-toolkit/python3-saml',
+    url='https://github.com/SAML-Toolkits/python3-saml',
     packages=['onelogin', 'onelogin/saml2'],
     include_package_data=True,
     package_data={
@@ -43,10 +43,10 @@
         'test': (
             'coverage>=4.5.2',
             'freezegun>=0.3.11, <=1.1.0',
-            'pylint==1.9.4',
+#            'pylint>=1.9.4',
             'flake8>=3.6.0',
             'pytest>=4.6',
         ),
     },
-    keywords='saml saml2 xmlsec django flask pyramid python3',
+    keywords='saml saml2 sso xmlsec federation identity',
 )

From 36e071f1aa4efe2e74faba15ed1a45eba44b916a Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 25 Dec 2022 22:08:18 +0100
Subject: [PATCH 270/331] Fix #310. Remove python 3.4 references

---
 .travis.yml    | 1 +
 pyproject.toml | 2 +-
 setup.py       | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 6ce39386..16f9a5d5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,6 +6,7 @@ python:
   - '3.7'
   - '3.8'
   - '3.9'
+  - '3.10'
 
 matrix:
   include:
diff --git a/pyproject.toml b/pyproject.toml
index 71bf94f4..54ce0363 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -35,7 +35,7 @@ include = [
 "Bug Tracker" = "https://github.com/SAML-Toolkits/python3-saml/issues"
 
 [tool.poetry.dependencies]
-python = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+python = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
 lxml = ">=4.6.5, !=4.7.0"
 xmlsec = ">=1.3.9"
 isodate = ">=0.6.1"
diff --git a/setup.py b/setup.py
index 72544008..44323e5a 100644
--- a/setup.py
+++ b/setup.py
@@ -14,7 +14,6 @@
         'Intended Audience :: System Administrators',
         'Operating System :: OS Independent',
         'Programming Language :: Python :: 2.7',
-        'Programming Language :: Python :: 3.4',
         'Programming Language :: Python :: 3.5',
         'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',

From b9d15cf37924b93f7d56aeaa351b9c985a7271cf Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 25 Dec 2022 23:10:39 +0100
Subject: [PATCH 271/331] Document how install dependencies for testing

---
 README.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 9367178c..6303ee58 100644
--- a/README.md
+++ b/README.md
@@ -224,7 +224,12 @@ Read more at https://pythonhosted.org/an_example_pypi_project/setuptools.html
 
 Contains the unit test of the toolkit.
 
-In order to execute the test you only need to load the virtualenv with the toolkit installed on it and execute:
+In order to execute the test you only need to load the virtualenv with the toolkit installed on it properly:
+```
+pip install -e ".[test]"
+```
+
+and execute:
 ```
 python setup.py test
 ```

From 12e019c4c7a5987a4df87bafe8c5d7b7189afb04 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 00:11:55 +0100
Subject: [PATCH 272/331] Fix WantAuthnRequestsSigned parser.  See #306

---
 src/onelogin/saml2/idp_metadata_parser.py     |  2 +-
 .../metadata/idp_multiple_descriptors.xml     |  2 +-
 .../saml2_tests/idp_metadata_parser_test.py   | 31 +++++++++++++++++--
 3 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index aa8fe2a2..f5085157 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -148,7 +148,7 @@ def parse(
 
                 idp_entity_id = entity_descriptor_node.get('entityID', None)
 
-                want_authn_requests_signed = entity_descriptor_node.get('WantAuthnRequestsSigned', None)
+                want_authn_requests_signed = idp_descriptor_node.get('WantAuthnRequestsSigned', None)
 
                 name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat')
                 if len(name_id_format_nodes) > 0:
diff --git a/tests/data/metadata/idp_multiple_descriptors.xml b/tests/data/metadata/idp_multiple_descriptors.xml
index a74f8e4a..863cbb8d 100644
--- a/tests/data/metadata/idp_multiple_descriptors.xml
+++ b/tests/data/metadata/idp_multiple_descriptors.xml
@@ -26,7 +26,7 @@
     
   
   
-    
+    
       
         
           
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 46cfdbf4..13dbdbc8 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -291,12 +291,37 @@ def test_parse_with_entity_id(self):
         data = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata)
         self.assertEqual("https://foo.example.com/access/saml/idp.xml", data["idp"]["entityId"])
 
+        expected_settings_json = """
+        {
+            "security": {"authnRequestsSigned": "true"},
+            "sp": {
+                "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+            },
+            "idp": {
+                "singleLogoutService": {
+                    "url": "https://hello.example.com/access/saml/logout",
+                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                },
+                "entityId": "https://foo.example.com/access/saml/idp.xml",
+                "x509cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
+                "singleSignOnService": {
+                    "url": "https://hello.example.com/access/saml/login",
+                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                }
+            }
+        }
+        """
+        expected_settings = json.loads(expected_settings_json)
+        self.assertEqual(expected_settings, data)
+
+
         # should find desired descriptor
         data2 = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata, entity_id="https://bar.example.com/access/saml/idp.xml")
         self.assertEqual("https://bar.example.com/access/saml/idp.xml", data2["idp"]["entityId"])
 
-        expected_settings_json = """
+        expected_settings_json2 = """
         {
+            "security": {"authnRequestsSigned": "false"},
             "sp": {
                 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
             },
@@ -314,8 +339,8 @@ def test_parse_with_entity_id(self):
             }
         }
         """
-        expected_settings = json.loads(expected_settings_json)
-        self.assertEqual(expected_settings, data2)
+        expected_settings2 = json.loads(expected_settings_json2)
+        self.assertEqual(expected_settings2, data2)
 
     def test_parse_multi_certs(self):
         """

From acef8ebbdf467b1875fc1fdaf15d61d1884b8c9f Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 02:53:27 +0100
Subject: [PATCH 273/331] Fix Poetry with py27

---
 .travis.yml    |  3 ++-
 pyproject.toml | 62 ++++++++++++++++++++++++++------------------------
 setup.py       |  2 +-
 3 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 16f9a5d5..c5f1fc4f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -24,4 +24,5 @@ script:
   - 'coverage run --source=src/onelogin/saml2 --rcfile=tests/coverage.rc setup.py test'
   - 'coverage report -m --rcfile=tests/coverage.rc'
 # - 'pylint src/onelogin/saml2 --rcfile=tests/pylint.rc'
-  - 'flake8 --toml-config pyproject.toml'
+#  - 'flake8 --toml-config pyproject.toml'
+  - 'flake8 .'
diff --git a/pyproject.toml b/pyproject.toml
index 54ce0363..8280a909 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -40,46 +40,48 @@ lxml = ">=4.6.5, !=4.7.0"
 xmlsec = ">=1.3.9"
 isodate = ">=0.6.1"
 
-[tool.poetry.group.dev]
-optional = true
-
-[tool.poetry.group.dev.dependencies]
-black = "*"
-isort = {version = "^5.10.1", extras = ["pyproject"]}
-flake8 = ">=3.6.0"
-Flake8-pyproject = "^1.1.0.post0"
-flake8-bugbear = "^22.8.23"
-flake8-logging-format = "^0.7.5"
-ipdb = "^0.13.9"
-
-[tool.poetry.group.test]
-optional = true
-
-[tool.poetry.group.test.dependencies]
-freezegun= ">=0.3.11, <=1.1.0"
-pytest = ">=6.0"
-flake8 = ">=3.6.0"
+#[tool.poetry.group.dev]
+#optional = true
+
+#[tool.poetry.group.dev.dependencies]
+#black = "*"
+#isort = {version = "^5.10.1", extras = ["pyproject"]}
+flake8 = { version = ">=3.6.0, <=5.0.0", optional = true}
+#Flake8-pyproject = "^1.1.0.post0"
+#flake8-bugbear = "^22.8.23"
+#flake8-logging-format = "^0.7.5"
+ipdb = { version = "^0.13.9", optional = true}
+#[tool.poetry.group.test.dependencies]
+freezegun= { version = ">=0.3.11, <=1.1.0", optional = true}
+pytest = { version = ">=4.6.11", optional = true}
+coverage = { version = ">=4.5.2", optional = true}
 #pylint = ">=1.9.4"
 
-[tool.poetry.group.coverage]
-optional = true
+[tool.poetry.extras]
+test = ["flake8", "ipdb", "freezegun", "pytest", "coverage"]
 
-[tool.poetry.group.coverage.dependencies]
-coverage = ">=4.5.2"
-pytest-cov = "*"
+#[tool.poetry.group.test]
+#optional = true
 
-[tool.poetry.group.docs]
-optional = true
+#[tool.poetry.group.coverage]
+#optional = true
 
-[tool.poetry.group.docs.dependencies]
-sphinx = "*"
+#[tool.poetry.group.coverage.dependencies]
+#coverage = ">=4.5.2"
+#pytest-cov = "*"
+
+#[tool.poetry.group.docs]
+#optional = true
+
+#[tool.poetry.group.docs.dependencies]
+#sphinx = "*"
 
 [build-system]
-requires = ["poetry-core"]
+requires = ["poetry>=1.1.15"]
 build-backend = "poetry.core.masonry.api"
 
 [tool.pytest.ini_options]
-minversion = "6.0"
+minversion = "4.6.11"
 addopts = "-ra -vvv"
 testpaths = [
     "tests",
diff --git a/setup.py b/setup.py
index 44323e5a..79dfa8d9 100644
--- a/setup.py
+++ b/setup.py
@@ -43,7 +43,7 @@
             'coverage>=4.5.2',
             'freezegun>=0.3.11, <=1.1.0',
 #            'pylint>=1.9.4',
-            'flake8>=3.6.0',
+            'flake8>=3.6.0, <=5.0.0',
             'pytest>=4.6',
         ),
     },

From 89b961c2a143eb8a434aeb1035afebe4ae9fb6e9 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 03:06:53 +0100
Subject: [PATCH 274/331] Fix travis setuptools issue

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index c5f1fc4f..546e6caf 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,6 +16,7 @@ matrix:
 install:
   - sudo apt-get update -qq
   - sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
+  - 'travis_retry pip install --upgrade setuptools'
   - 'travis_retry pip install .'
   - 'travis_retry pip install --force-reinstall --no-binary lxml lxml'
   - 'travis_retry pip install -e ".[test]"'

From 31f1a856987d2a38cf6a5e2654c4c9d013eecfea Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 03:36:04 +0100
Subject: [PATCH 275/331] Remove Poetry file

---
 .travis.yml    |   3 +-
 pyproject.toml | 182 -------------------------------------------------
 2 files changed, 1 insertion(+), 184 deletions(-)
 delete mode 100644 pyproject.toml

diff --git a/.travis.yml b/.travis.yml
index 546e6caf..3fa95d6c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,9 +16,8 @@ matrix:
 install:
   - sudo apt-get update -qq
   - sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
-  - 'travis_retry pip install --upgrade setuptools'
-  - 'travis_retry pip install .'
   - 'travis_retry pip install --force-reinstall --no-binary lxml lxml'
+  - 'travis_retry pip install .'
   - 'travis_retry pip install -e ".[test]"'
 
 script:
diff --git a/pyproject.toml b/pyproject.toml
deleted file mode 100644
index 8280a909..00000000
--- a/pyproject.toml
+++ /dev/null
@@ -1,182 +0,0 @@
-[tool.poetry]
-name = "python3-saml"
-version = "1.15.0"
-description = "Saml Python Toolkit. Add SAML support to your Python software using this library"
-license = "Apache-2.0"
-authors = ["SAML-Toolkits "]
-maintainers = ["Sixto Martin "]
-readme = "README.md"
-homepage = "https://saml.info"
-repository = "https://github.com/SAML-Toolkits/python3-saml"
-documentation = "https://pysaml2.readthedocs.io"
-keywords = [
-    "saml",
-    "saml2",
-    "sso",
-    "xmlsec",
-    "federation",
-    "identity",
-]
-classifiers = [
-    "Topic :: Software Development :: Build Tools",
-    "Topic :: Software Development :: Libraries :: Python Modules",
-]
-packages = [
-    { include = "onelogin", from = "src" },
-    { include = "onelogin/saml2", from = "src" },
-]
-
-include = [
-    { path = "src/onelogin/saml2/schemas"},
-    { path = "tests", format = "sdist" }
-]
-
-[tool.poetry.urls]
-"Bug Tracker" = "https://github.com/SAML-Toolkits/python3-saml/issues"
-
-[tool.poetry.dependencies]
-python = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
-lxml = ">=4.6.5, !=4.7.0"
-xmlsec = ">=1.3.9"
-isodate = ">=0.6.1"
-
-#[tool.poetry.group.dev]
-#optional = true
-
-#[tool.poetry.group.dev.dependencies]
-#black = "*"
-#isort = {version = "^5.10.1", extras = ["pyproject"]}
-flake8 = { version = ">=3.6.0, <=5.0.0", optional = true}
-#Flake8-pyproject = "^1.1.0.post0"
-#flake8-bugbear = "^22.8.23"
-#flake8-logging-format = "^0.7.5"
-ipdb = { version = "^0.13.9", optional = true}
-#[tool.poetry.group.test.dependencies]
-freezegun= { version = ">=0.3.11, <=1.1.0", optional = true}
-pytest = { version = ">=4.6.11", optional = true}
-coverage = { version = ">=4.5.2", optional = true}
-#pylint = ">=1.9.4"
-
-[tool.poetry.extras]
-test = ["flake8", "ipdb", "freezegun", "pytest", "coverage"]
-
-#[tool.poetry.group.test]
-#optional = true
-
-#[tool.poetry.group.coverage]
-#optional = true
-
-#[tool.poetry.group.coverage.dependencies]
-#coverage = ">=4.5.2"
-#pytest-cov = "*"
-
-#[tool.poetry.group.docs]
-#optional = true
-
-#[tool.poetry.group.docs.dependencies]
-#sphinx = "*"
-
-[build-system]
-requires = ["poetry>=1.1.15"]
-build-backend = "poetry.core.masonry.api"
-
-[tool.pytest.ini_options]
-minversion = "4.6.11"
-addopts = "-ra -vvv"
-testpaths = [
-    "tests",
-]
-pythonpath = [
-    "tests",
-]
-
-[tool.coverage.run]
-branch = true
-source = ["src/onelogin/saml2"]
-ignore_errors = true
-
-[tool.coverage.report]
-exclude_lines = [
-  "pragma: no cover",
-  "def __repr__",
-  "def __str__",
-  "raise AssertionError",
-  "raise NotImplementedError",
-  "if __name__ == .__main__.:",
-  "if TYPE_CHECKING:",
-  "if typing.TYPE_CHECKING:",
-]
-
-[tool.coverage.html]
-directory = "cov_html"
-
-[tool.flake8]
-max-line-length = 210
-max-complexity = 22
-count = true
-show-source = true
-statistics = true
-disable-noqa = false
-# 'ignore' defaults to: E121,E123,E126,E226,E24,E704,W503,W504
-extend-ignore = [
-    'B904',
-    'B006',
-    'B950',
-    'B017',
-    'C901',
-    'E501',
-    'E731',
-]
-per-file-ignores = [
-    '__init__.py:F401',
-]
-# 'select' defaults to: E,F,W,C90
-extend-select = [
-    # * Default warnings reported by flake8-bugbear (B) -
-    #   https://github.com/PyCQA/flake8-bugbear#list-of-warnings
-    'B',
-    # * The B950 flake8-bugbear opinionated warnings -
-    #   https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-    'B9',
-]
-extend-exclude = [
-    '.github', '.gitlab',
-    '.Python', '.*.pyc', '.*.pyo', '.*.pyd', '.*.py.class', '*.egg-info',
-    'venv*', '.venv*', '.*_cache',
-    'lib', 'lib64', '.*.so',
-    'build', 'dist', 'sdist', 'wheels',
-]
-
-[tool.black]
-line-length = 200
-extend-exclude = '''
-# A regex preceded with ^/ will apply only to files and directories
-# in the root of the project.
-(
-    \.pytest_cache
-)
-'''
-
-[tool.isort]
-profile = 'black'
-# The 'black' profile means:
-#   multi_line_output = 3
-#   include_trailing_comma = true
-#   force_grid_wrap = 0
-#   use_parentheses = true
-#   ensure_newline_before_comments = true
-#   line_length = 88
-line_length = 200  # override black provile line_length
-force_single_line = true  # override black profile multi_line_output
-star_first = true
-group_by_package = true
-force_sort_within_sections = true
-lines_after_imports = 2
-honor_noqa = true
-atomic = true
-ignore_comments = true
-skip_gitignore = true
-src_paths = [
-    'src',
-    'tests',
-]

From 2b5743a1decb850027308a817aa4b98492398a67 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 03:38:13 +0100
Subject: [PATCH 276/331] Add Poetry file

---
 pyproject.toml | 182 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 182 insertions(+)
 create mode 100644 pyproject.toml

diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 00000000..8280a909
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,182 @@
+[tool.poetry]
+name = "python3-saml"
+version = "1.15.0"
+description = "Saml Python Toolkit. Add SAML support to your Python software using this library"
+license = "Apache-2.0"
+authors = ["SAML-Toolkits "]
+maintainers = ["Sixto Martin "]
+readme = "README.md"
+homepage = "https://saml.info"
+repository = "https://github.com/SAML-Toolkits/python3-saml"
+documentation = "https://pysaml2.readthedocs.io"
+keywords = [
+    "saml",
+    "saml2",
+    "sso",
+    "xmlsec",
+    "federation",
+    "identity",
+]
+classifiers = [
+    "Topic :: Software Development :: Build Tools",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+packages = [
+    { include = "onelogin", from = "src" },
+    { include = "onelogin/saml2", from = "src" },
+]
+
+include = [
+    { path = "src/onelogin/saml2/schemas"},
+    { path = "tests", format = "sdist" }
+]
+
+[tool.poetry.urls]
+"Bug Tracker" = "https://github.com/SAML-Toolkits/python3-saml/issues"
+
+[tool.poetry.dependencies]
+python = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
+lxml = ">=4.6.5, !=4.7.0"
+xmlsec = ">=1.3.9"
+isodate = ">=0.6.1"
+
+#[tool.poetry.group.dev]
+#optional = true
+
+#[tool.poetry.group.dev.dependencies]
+#black = "*"
+#isort = {version = "^5.10.1", extras = ["pyproject"]}
+flake8 = { version = ">=3.6.0, <=5.0.0", optional = true}
+#Flake8-pyproject = "^1.1.0.post0"
+#flake8-bugbear = "^22.8.23"
+#flake8-logging-format = "^0.7.5"
+ipdb = { version = "^0.13.9", optional = true}
+#[tool.poetry.group.test.dependencies]
+freezegun= { version = ">=0.3.11, <=1.1.0", optional = true}
+pytest = { version = ">=4.6.11", optional = true}
+coverage = { version = ">=4.5.2", optional = true}
+#pylint = ">=1.9.4"
+
+[tool.poetry.extras]
+test = ["flake8", "ipdb", "freezegun", "pytest", "coverage"]
+
+#[tool.poetry.group.test]
+#optional = true
+
+#[tool.poetry.group.coverage]
+#optional = true
+
+#[tool.poetry.group.coverage.dependencies]
+#coverage = ">=4.5.2"
+#pytest-cov = "*"
+
+#[tool.poetry.group.docs]
+#optional = true
+
+#[tool.poetry.group.docs.dependencies]
+#sphinx = "*"
+
+[build-system]
+requires = ["poetry>=1.1.15"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.pytest.ini_options]
+minversion = "4.6.11"
+addopts = "-ra -vvv"
+testpaths = [
+    "tests",
+]
+pythonpath = [
+    "tests",
+]
+
+[tool.coverage.run]
+branch = true
+source = ["src/onelogin/saml2"]
+ignore_errors = true
+
+[tool.coverage.report]
+exclude_lines = [
+  "pragma: no cover",
+  "def __repr__",
+  "def __str__",
+  "raise AssertionError",
+  "raise NotImplementedError",
+  "if __name__ == .__main__.:",
+  "if TYPE_CHECKING:",
+  "if typing.TYPE_CHECKING:",
+]
+
+[tool.coverage.html]
+directory = "cov_html"
+
+[tool.flake8]
+max-line-length = 210
+max-complexity = 22
+count = true
+show-source = true
+statistics = true
+disable-noqa = false
+# 'ignore' defaults to: E121,E123,E126,E226,E24,E704,W503,W504
+extend-ignore = [
+    'B904',
+    'B006',
+    'B950',
+    'B017',
+    'C901',
+    'E501',
+    'E731',
+]
+per-file-ignores = [
+    '__init__.py:F401',
+]
+# 'select' defaults to: E,F,W,C90
+extend-select = [
+    # * Default warnings reported by flake8-bugbear (B) -
+    #   https://github.com/PyCQA/flake8-bugbear#list-of-warnings
+    'B',
+    # * The B950 flake8-bugbear opinionated warnings -
+    #   https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
+    'B9',
+]
+extend-exclude = [
+    '.github', '.gitlab',
+    '.Python', '.*.pyc', '.*.pyo', '.*.pyd', '.*.py.class', '*.egg-info',
+    'venv*', '.venv*', '.*_cache',
+    'lib', 'lib64', '.*.so',
+    'build', 'dist', 'sdist', 'wheels',
+]
+
+[tool.black]
+line-length = 200
+extend-exclude = '''
+# A regex preceded with ^/ will apply only to files and directories
+# in the root of the project.
+(
+    \.pytest_cache
+)
+'''
+
+[tool.isort]
+profile = 'black'
+# The 'black' profile means:
+#   multi_line_output = 3
+#   include_trailing_comma = true
+#   force_grid_wrap = 0
+#   use_parentheses = true
+#   ensure_newline_before_comments = true
+#   line_length = 88
+line_length = 200  # override black provile line_length
+force_single_line = true  # override black profile multi_line_output
+star_first = true
+group_by_package = true
+force_sort_within_sections = true
+lines_after_imports = 2
+honor_noqa = true
+atomic = true
+ignore_comments = true
+skip_gitignore = true
+src_paths = [
+    'src',
+    'tests',
+]

From 0078a91b132b64e00dc7d8dc7a20b79bcc9c7e11 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 03:50:05 +0100
Subject: [PATCH 277/331] Fix pycodestyle

---
 tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 13dbdbc8..22970b88 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -314,7 +314,6 @@ def test_parse_with_entity_id(self):
         expected_settings = json.loads(expected_settings_json)
         self.assertEqual(expected_settings, data)
 
-
         # should find desired descriptor
         data2 = OneLogin_Saml2_IdPMetadataParser.parse(xml_idp_metadata, entity_id="https://bar.example.com/access/saml/idp.xml")
         self.assertEqual("https://bar.example.com/access/saml/idp.xml", data2["idp"]["entityId"])

From aa984e0c324c78fd4ace1dddc5de0540cf8fffdc Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 04:02:14 +0100
Subject: [PATCH 278/331] Force pip and setuptools upgrade

---
 .travis.yml    | 1 +
 pyproject.toml | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 3fa95d6c..11dace15 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,6 +17,7 @@ install:
   - sudo apt-get update -qq
   - sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
   - 'travis_retry pip install --force-reinstall --no-binary lxml lxml'
+  - 'travis retry pip install --upgrade pip setuptools'
   - 'travis_retry pip install .'
   - 'travis_retry pip install -e ".[test]"'
 
diff --git a/pyproject.toml b/pyproject.toml
index 8280a909..fe5e9ce3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -50,7 +50,8 @@ flake8 = { version = ">=3.6.0, <=5.0.0", optional = true}
 #Flake8-pyproject = "^1.1.0.post0"
 #flake8-bugbear = "^22.8.23"
 #flake8-logging-format = "^0.7.5"
-ipdb = { version = "^0.13.9", optional = true}
+#ipdb = "^0.13.9"
+
 #[tool.poetry.group.test.dependencies]
 freezegun= { version = ">=0.3.11, <=1.1.0", optional = true}
 pytest = { version = ">=4.6.11", optional = true}
@@ -58,7 +59,7 @@ coverage = { version = ">=4.5.2", optional = true}
 #pylint = ">=1.9.4"
 
 [tool.poetry.extras]
-test = ["flake8", "ipdb", "freezegun", "pytest", "coverage"]
+test = ["flake8", "freezegun", "pytest", "coverage"]
 
 #[tool.poetry.group.test]
 #optional = true

From 28e52caf405f5a593c53189a731d98061ed9b582 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 04:10:44 +0100
Subject: [PATCH 279/331] Adding setuptools and wheel at build-system of
 pyproject.toml

---
 pyproject.toml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index fe5e9ce3..b9bdb1ad 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -78,7 +78,11 @@ test = ["flake8", "freezegun", "pytest", "coverage"]
 #sphinx = "*"
 
 [build-system]
-requires = ["poetry>=1.1.15"]
+requires = [
+  "poetry>=1.1.15",
+  "setuptools >= 40.1.0",
+  "wheel"
+]
 build-backend = "poetry.core.masonry.api"
 
 [tool.pytest.ini_options]

From ff3423e9e14922d0ffeb14152a95d983815dc800 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 04:16:00 +0100
Subject: [PATCH 280/331] Remove setuptools and pip upgrade from travis

---
 .travis.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 11dace15..3fa95d6c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,7 +17,6 @@ install:
   - sudo apt-get update -qq
   - sudo apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
   - 'travis_retry pip install --force-reinstall --no-binary lxml lxml'
-  - 'travis retry pip install --upgrade pip setuptools'
   - 'travis_retry pip install .'
   - 'travis_retry pip install -e ".[test]"'
 

From cb414ffc16a7a324056a596475dc27a2fedc881f Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Mon, 26 Dec 2022 04:39:36 +0100
Subject: [PATCH 281/331] Update Django demo

---
 demo-django/demo/urls.py     | 8 ++++----
 demo-django/requirements.txt | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/demo-django/demo/urls.py b/demo-django/demo/urls.py
index cb05b321..5b64e7ce 100644
--- a/demo-django/demo/urls.py
+++ b/demo-django/demo/urls.py
@@ -1,10 +1,10 @@
-from django.conf.urls import url
+from django.urls import re_path
 from django.contrib import admin
 from .views import attrs, index, metadata
 admin.autodiscover()
 
 urlpatterns = [
-    url(r'^$', index, name='index'),
-    url(r'^attrs/$', attrs, name='attrs'),
-    url(r'^metadata/$', metadata, name='metadata'),
+    re_path(r'^$', index, name='index'),
+    re_path(r'^attrs/$', attrs, name='attrs'),
+    re_path(r'^metadata/$', metadata, name='metadata'),
 ]
diff --git a/demo-django/requirements.txt b/demo-django/requirements.txt
index 46ceaced..59c062ab 100644
--- a/demo-django/requirements.txt
+++ b/demo-django/requirements.txt
@@ -1,2 +1,2 @@
-Django==1.11.29
+Django==4.0.4
 python3-saml

From ca87c0156aa399b1a0b5a5b36edf5fbdd4bc8f4d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Dec 2022 03:40:23 +0000
Subject: [PATCH 282/331] Bump django from 4.0.4 to 4.0.8 in /demo-django

Bumps [django](https://github.com/django/django) from 4.0.4 to 4.0.8.
- [Release notes](https://github.com/django/django/releases)
- [Commits](https://github.com/django/django/compare/4.0.4...4.0.8)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] 
---
 demo-django/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demo-django/requirements.txt b/demo-django/requirements.txt
index 59c062ab..b9e19128 100644
--- a/demo-django/requirements.txt
+++ b/demo-django/requirements.txt
@@ -1,2 +1,2 @@
-Django==4.0.4
+Django==4.0.8
 python3-saml

From 27a9122f282af738442535a9bf89956157b7b271 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 27 Dec 2022 22:54:09 +0100
Subject: [PATCH 283/331] Release 1.15.0

---
 changelog.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/changelog.md b/changelog.md
index 93037656..4bdb83ee 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,4 +1,13 @@
 # python3-saml changelog
+### 1.15.0 (Feb 18, 2022)
+- [#317](https://github.com/SAML-Toolkits/python3-saml/pull/317) Handle unicode characters gracefully in python 2
+- [#338](https://github.com/SAML-Toolkits/python3-saml/pull/338) Fix WantAuthnRequestsSigned parser
+- [#339](https://github.com/SAML-Toolkits/python3-saml/pull/339) Add Poetry support
+- Remove version restriction on lxml dependency
+- Updated Django demo to 4.X (only py3 compatible)
+- Updated Travis file. Forced lxml to be installed using no-validate_binary
+- Removed references to OneLogin from documentation
+
 ### 1.14.0 (Feb 18, 2022)
 - [#297](https://github.com/onelogin/python3-saml/pull/297) Don't require yanked version of lxml.
 - [#298](https://github.com/onelogin/python3-saml/pull/298) Add support for python 3.10 and cleanup the GHA.

From 352a42554a4bbc6221f47b12f4d3048a671a1500 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 28 Dec 2022 01:34:39 +0100
Subject: [PATCH 284/331] Update poetry file

---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index b9bdb1ad..6b60e493 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,7 +8,6 @@ maintainers = ["Sixto Martin "]
 readme = "README.md"
 homepage = "https://saml.info"
 repository = "https://github.com/SAML-Toolkits/python3-saml"
-documentation = "https://pysaml2.readthedocs.io"
 keywords = [
     "saml",
     "saml2",

From d468f7422706b8595afed25c06944fbcc7410d18 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 28 Dec 2022 01:48:22 +0100
Subject: [PATCH 285/331] Update flake8 options

---
 .travis.yml | 2 +-
 setup.py    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 3fa95d6c..6313f31b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,4 +25,4 @@ script:
   - 'coverage report -m --rcfile=tests/coverage.rc'
 # - 'pylint src/onelogin/saml2 --rcfile=tests/pylint.rc'
 #  - 'flake8 --toml-config pyproject.toml'
-  - 'flake8 .'
+  - 'flake8 --ignore E226,E302,E41,E731,E501,C901,W504'
diff --git a/setup.py b/setup.py
index 79dfa8d9..fe264709 100644
--- a/setup.py
+++ b/setup.py
@@ -42,7 +42,7 @@
         'test': (
             'coverage>=4.5.2',
             'freezegun>=0.3.11, <=1.1.0',
-#            'pylint>=1.9.4',
+            # 'pylint>=1.9.4',
             'flake8>=3.6.0, <=5.0.0',
             'pytest>=4.6',
         ),

From ce0516e8f66efe2adc91180a66b25ba1f7921df0 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 28 Dec 2022 01:55:11 +0100
Subject: [PATCH 286/331] Fix date of changelog

---
 changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 4bdb83ee..6d9435c0 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,5 @@
 # python3-saml changelog
-### 1.15.0 (Feb 18, 2022)
+### 1.15.0 (Dec 27, 2022)
 - [#317](https://github.com/SAML-Toolkits/python3-saml/pull/317) Handle unicode characters gracefully in python 2
 - [#338](https://github.com/SAML-Toolkits/python3-saml/pull/338) Fix WantAuthnRequestsSigned parser
 - [#339](https://github.com/SAML-Toolkits/python3-saml/pull/339) Add Poetry support

From 69680a3916bf9215f2a3c6bb5a6286ffa8d2d771 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 3 Jan 2023 14:59:53 +0100
Subject: [PATCH 287/331] Update CI status badget

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6303ee58..bbb04566 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # SAML Python Toolkit (compatible with Python3)
 
-[![Build Status](https://api.travis-ci.org/onelogin/python3-saml.png?branch=master)](http://travis-ci.org/onelogin/python3-saml)
+[![Python package](https://github.com/SAML-Toolkits/python3-saml/actions/workflows/python-package.yml/badge.svg)](https://github.com/SAML-Toolkits/python3-saml/actions/workflows/python-package.yml)
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)
 

From dfb6a272e8c21350161545524d7cc9de534ff8e2 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 3 Jan 2023 15:03:07 +0100
Subject: [PATCH 288/331] Add coverage badget

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index bbb04566..d9c474bb 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 # SAML Python Toolkit (compatible with Python3)
 
 [![Python package](https://github.com/SAML-Toolkits/python3-saml/actions/workflows/python-package.yml/badge.svg)](https://github.com/SAML-Toolkits/python3-saml/actions/workflows/python-package.yml)
+[![Coverage Status](https://coveralls.io/repos/github/SAML-Toolkits/python3-saml/badge.svg?branch=master)](https://coveralls.io/github/SAML-Toolkits/python3-saml?branch=master)
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)
 

From a1db9bcba7c81baf159ba5027b3f8e0b2f88e9e6 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 3 Jan 2023 15:58:59 +0100
Subject: [PATCH 289/331] Update License

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 0fd253e9..c141165e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,5 @@
 Copyright (c) 2010-2022 OneLogin, Inc.
+Copyright (c) 2023 IAM Digital Services, SL.
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation

From 7b17e62521cd76833563b16ca029228192f18417 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 4 Jan 2023 20:25:58 +0100
Subject: [PATCH 290/331] Add Pypi downloads badget

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index d9c474bb..bccfef27 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 # SAML Python Toolkit (compatible with Python3)
 
 [![Python package](https://github.com/SAML-Toolkits/python3-saml/actions/workflows/python-package.yml/badge.svg)](https://github.com/SAML-Toolkits/python3-saml/actions/workflows/python-package.yml)
+![PyPI Downloads](https://img.shields.io/pypi/dm/python3-saml.svg?label=PyPI%20Downloads)
 [![Coverage Status](https://coveralls.io/repos/github/SAML-Toolkits/python3-saml/badge.svg?branch=master)](https://coveralls.io/github/SAML-Toolkits/python3-saml?branch=master)
 [![PyPi Version](https://img.shields.io/pypi/v/python3-saml.svg)](https://pypi.python.org/pypi/python3-saml)
 ![Python versions](https://img.shields.io/pypi/pyversions/python3-saml.svg)

From 028411f154e1429faff2a7a8009896e53383f032 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 4 Jan 2023 21:25:42 +0100
Subject: [PATCH 291/331] Update Security Guidelines

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bccfef27..aeb7b4dd 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Update ``python3-saml`` to ``>= 1.2.1``, ``1.2.0`` had a bug on signature valida
 
 #### Security Guidelines ####
 
-If you believe you have discovered a security vulnerability in this toolkit, please report it in an issue with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
+If you believe you have discovered a security vulnerability in this gem, please report it by mail to the maintainer: sixto.martin.garcia+security@gmail.com
 
 Why add SAML support to my software?
 ------------------------------------

From cc23a40c7dbcf56b6213d915c0ab1793893b6d42 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Wed, 4 Jan 2023 21:26:52 +0100
Subject: [PATCH 292/331] Typo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index aeb7b4dd..52c65e13 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Update ``python3-saml`` to ``>= 1.2.1``, ``1.2.0`` had a bug on signature valida
 
 #### Security Guidelines ####
 
-If you believe you have discovered a security vulnerability in this gem, please report it by mail to the maintainer: sixto.martin.garcia+security@gmail.com
+If you believe you have discovered a security vulnerability in this toolkit, please report it by mail to the maintainer: sixto.martin.garcia+security@gmail.com
 
 Why add SAML support to my software?
 ------------------------------------

From 538622df70b45520f60e7fb6b569aa00be54f504 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 7 Jan 2023 23:25:16 +0100
Subject: [PATCH 293/331] Add coveralls support (#342)

* Add coveralls support

* Set environment on CI

* Fix coverage

* Add coveralls dependency

* Try removing service_name

* Another try to upload to coveralls
---
 .github/workflows/python-package.yml | 9 +++++++++
 pyproject.toml                       | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index e9b9cae8..3a2a5f33 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -48,6 +48,7 @@ jobs:
       run: make pytest
   lint:
     runs-on: ubuntu-20.04
+    environment: CI
     steps:
     - uses: actions/checkout@v2
     - uses: actions/setup-python@v2
@@ -70,3 +71,11 @@ jobs:
       run: |
         make pycodestyle
         make flake8
+    - name: Run coveralls
+      env:
+        COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
+      run: |
+        pip install coveralls
+        coverage run  setup.py test
+        coverage report -m
+        coveralls
diff --git a/pyproject.toml b/pyproject.toml
index 6b60e493..962caeac 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -97,7 +97,6 @@ pythonpath = [
 [tool.coverage.run]
 branch = true
 source = ["src/onelogin/saml2"]
-ignore_errors = true
 
 [tool.coverage.report]
 exclude_lines = [
@@ -110,6 +109,7 @@ exclude_lines = [
   "if TYPE_CHECKING:",
   "if typing.TYPE_CHECKING:",
 ]
+ignore_errors = true
 
 [tool.coverage.html]
 directory = "cov_html"

From e3f5519a44ebfc9ab4d85bbde2dae82607073aff Mon Sep 17 00:00:00 2001
From: David Ongaro 
Date: Mon, 1 May 2023 13:34:51 -0700
Subject: [PATCH 294/331] Fix spelling in documentation and comments (#352)

Co-authored-by: Ongaro, David 
---
 README.md                                     | 28 +++++++++----------
 changelog.md                                  |  2 +-
 src/onelogin/saml2/utils.py                   |  2 +-
 tests/src/OneLogin/saml2_tests/auth_test.py   |  2 +-
 .../src/OneLogin/saml2_tests/response_test.py |  2 +-
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 52c65e13..fad22156 100644
--- a/README.md
+++ b/README.md
@@ -154,7 +154,7 @@ A replay attack is basically try to reuse an intercepted valid SAML Message in o
 SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
 make harder this kind of attacks, but they are still possible.
 
-In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
+In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs already validated and processed. Those values only need
 to be stored the amount of time of the SAML Message life time, so
 we don't need to store all processed message/assertion Ids, but the most recent ones.
 
@@ -297,9 +297,9 @@ This is the ``settings.json`` file:
         },
         // If you need to specify requested attributes, set a
         // attributeConsumingService. nameFormat, attributeValue and
-        // friendlyName can be ommited
+        // friendlyName can be omitted
         "attributeConsumingService": {
-                // OPTIONAL: only specifiy if SP requires this.
+                // OPTIONAL: only specify if SP requires this.
                 // index is an integer which identifies the attributeConsumingService used
                 // to the SP. SAML toolkit supports configuring only one attributeConsumingService
                 // but in certain cases the SP requires a different value.  Defaults to '1'.
@@ -366,7 +366,7 @@ This is the ``settings.json`` file:
         /*
          *  Instead of using the whole X.509cert you can use a fingerprint in order to
          *  validate a SAMLResponse (but you still need the X.509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
-         *  But take in mind that the algortithm for the fingerprint should be as strong as the algorithm in a normal certificate signature
+         *  But take in mind that the algorithm for the fingerprint should be as strong as the algorithm in a normal certificate signature
 	 *  (e.g. SHA256 or strong)
          *
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
@@ -501,7 +501,7 @@ In addition to the required settings data (idp, sp), extra settings can be defin
         'allowRepeatAttributeName': false,
 
         // If the toolkit receive a message signed with a
-        // deprecated algoritm (defined at the constant class)
+        // deprecated algorithm (defined at the constant class)
         // will raise an error and reject the message
         "rejectDeprecatedAlgorithm": true
     },
@@ -520,7 +520,7 @@ In addition to the required settings data (idp, sp), extra settings can be defin
     },
 
     // Organization information template, the info in en_US lang is
-    // recomended, add more if required.
+    // recommended, add more if required.
     "organization": {
         "en-US": {
             "name": "sp_test",
@@ -690,7 +690,7 @@ We can set a ``return_to`` url parameter to the login function and that will be
 target_url = 'https://example.com'
 auth.login(return_to=target_url)
 ```
-The login method can recieve 3 more optional parameters:
+The login method can receive 3 more optional parameters:
 
 * ``force_authn``       When ``true``, the ``AuthNReuqest`` will set the ``ForceAuthn='true'``
 * ``is_passive``        When true, the ``AuthNReuqest`` will set the ``Ispassive='true'``
@@ -785,7 +785,7 @@ If we execute print attributes we could get:
 }
 ```
 
-Each attribute name can be used as a key to obtain the value. Every attribute is a list of values. A single-valued attribute is a listy of a single element.
+Each attribute name can be used as a key to obtain the value. Every attribute is a list of values. A single-valued attribute is a list of a single element.
 
 The following code is equivalent:
 
@@ -813,7 +813,7 @@ if len(errors) == 0:
         # the value of the url is a trusted URL.
         return redirect(url)
     else:
-        print("Sucessfully Logged out")
+        print("Successfully Logged out")
 else:
     print("Error when processing SLO: %s %s" % (', '.join(errors), auth.get_last_error_reason()))
 ```
@@ -955,7 +955,7 @@ elif 'sls' in request.args:                                             # Single
             # the value of the url is a trusted URL.
             return redirect(url)
         else:
-            msg = "Sucessfully logged out"
+            msg = "Successfully logged out"
 
 if len(errors) == 0:
   print(msg)
@@ -1071,7 +1071,7 @@ SAML 2 Logout Request class
 * ***get_nameid*** Gets the NameID of the Logout Request Message (returns a string).
 * ***get_issuer*** Gets the Issuer of the Logout Request Message.
 * ***get_session_indexes*** Gets the ``SessionIndexes`` from the Logout Request.
-* ***is_valid*** Checks if the Logout Request recieved is valid.
+* ***is_valid*** Checks if the Logout Request received is valid.
 * ***get_error*** After execute a validation process, if fails this method returns the cause.
 * ***get_xml*** Returns the XML that will be sent as part of the request or that was received at the SP
 
@@ -1154,7 +1154,7 @@ Auxiliary class that contains several methods
 * ***get_expire_time*** Compares 2 dates and returns the earliest.
 * ***delete_local_session*** Deletes the local session.
 * ***calculate_X.509_fingerprint*** Calculates the fingerprint of a X.509 cert.
-* ***format_finger_print*** Formates a fingerprint.
+* ***format_finger_print*** Formats a fingerprint.
 * ***generate_name_id*** Generates a nameID.
 * ***get_status*** Gets Status from a Response.
 * ***decrypt_element*** Decrypts an encrypted element.
@@ -1204,7 +1204,7 @@ let's see how fast is it to deploy them.
 The use of a [virtualenv](http://virtualenv.readthedocs.org/en/latest/) is
 highly recommended.
 
-Virtualenv helps isolating the python enviroment used to run the toolkit. You
+Virtualenv helps isolating the python environment used to run the toolkit. You
 can find more details and an installation guide in the
 [official documentation](http://virtualenv.readthedocs.org/en/latest/).
 
@@ -1508,7 +1508,7 @@ Once the SP is configured, the metadata of the SP is published at the ``/metadat
 
  4. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality.
 
- The single log out funcionality could be tested by 2 ways.
+ The single log out functionality could be tested by 2 ways.
 
     5.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that a Logout Request is sent to the IdP, the session at the IdP is closed and replies through the client to the SP with a Logout Response (sent to the Single Logout Service endpoint). The SLS endpoint /?sls of the SP process the Logout Response and if is valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP.
 
diff --git a/changelog.md b/changelog.md
index 6d9435c0..a47a9865 100644
--- a/changelog.md
+++ b/changelog.md
@@ -101,7 +101,7 @@
 ### 1.3.0 (Sep 15, 2017)
 * Improve decrypt method, Add an option to decrypt an element in place or copy it before decryption.
 * [#63](https://github.com/onelogin/python3-saml/pull/63) Be able to get at the auth object the last processed ID (response/assertion) and the last generated ID, as well as the NotOnOrAfter value of the valid SubjectConfirmationData in the processed SAMLResponse
-* On a LogoutRequest if the NameIdFormat is entity, NameQualifier and SPNameQualifier will be ommited. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will be also added.
+* On a LogoutRequest if the NameIdFormat is entity, NameQualifier and SPNameQualifier will be omitted. If the NameIdFormat is not entity and a NameQualifier is provided, then the SPNameQualifier will be also added.
 * Reset errorReason attribute of the auth object before each Process method
 * [#65](https://github.com/onelogin/python3-saml/pull/65) Fix issue on getting multiple certs when only sign or encryption certs
 
diff --git a/src/onelogin/saml2/utils.py b/src/onelogin/saml2/utils.py
index b3498337..6050ea8d 100644
--- a/src/onelogin/saml2/utils.py
+++ b/src/onelogin/saml2/utils.py
@@ -901,7 +901,7 @@ def validate_metadata_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha
 
         if len(signature_nodes) > 0:
             for signature_node in signature_nodes:
-                # Raises expection if invalid
+                # Raises exception if invalid
                 OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True)
             return True
         else:
diff --git a/tests/src/OneLogin/saml2_tests/auth_test.py b/tests/src/OneLogin/saml2_tests/auth_test.py
index 82db914f..b088874f 100644
--- a/tests/src/OneLogin/saml2_tests/auth_test.py
+++ b/tests/src/OneLogin/saml2_tests/auth_test.py
@@ -310,7 +310,7 @@ def testProcessSLOResponseInvalid(self):
     def testProcessSLOResponseNoSucess(self):
         """
         Tests the process_slo method of the OneLogin_Saml2_Auth class
-        Case Logout Response not sucess
+        Case Logout Response not success
         """
         request_data = self.get_request()
         message = self.file_contents(join(self.data_path, 'logout_responses', 'invalids', 'status_code_responder.xml.base64'))
diff --git a/tests/src/OneLogin/saml2_tests/response_test.py b/tests/src/OneLogin/saml2_tests/response_test.py
index a4bcf0de..fbe714f4 100644
--- a/tests/src/OneLogin/saml2_tests/response_test.py
+++ b/tests/src/OneLogin/saml2_tests/response_test.py
@@ -1282,7 +1282,7 @@ def testIsInValidSessionIndex(self):
     def testDatetimeWithMiliseconds(self):
         """
         Tests the is_valid method of the OneLogin_Saml2_Response class
-        Somtimes IdPs uses datetimes with miliseconds, this
+        Sometimes IdPs uses datetimes with miliseconds, this
         test is to verify that the toolkit supports them
         """
         settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())

From 07d4730f7ed2018b854c3de733466f8d90e92b0b Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 14 Mar 2023 00:37:38 +0100
Subject: [PATCH 295/331] Fix WantAuthnRequestsSigned parser

---
 src/onelogin/saml2/idp_metadata_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index f5085157..dc802ae5 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -201,7 +201,7 @@ def parse(
 
                 if want_authn_requests_signed is not None:
                     data['security'] = {}
-                    data['security']['authnRequestsSigned'] = want_authn_requests_signed
+                    data['security']['authnRequestsSigned'] = want_authn_requests_signed == "true"
 
                 if idp_name_id_format:
                     data['sp'] = {}

From 24a8f095b06cb15cb43aac3abae2aefc183c73a4 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Tue, 14 Mar 2023 00:47:52 +0100
Subject: [PATCH 296/331] Fix tests

---
 tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 22970b88..93c08dab 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -293,7 +293,7 @@ def test_parse_with_entity_id(self):
 
         expected_settings_json = """
         {
-            "security": {"authnRequestsSigned": "true"},
+            "security": {"authnRequestsSigned": true},
             "sp": {
                 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
             },
@@ -320,7 +320,7 @@ def test_parse_with_entity_id(self):
 
         expected_settings_json2 = """
         {
-            "security": {"authnRequestsSigned": "false"},
+            "security": {"authnRequestsSigned": false},
             "sp": {
                 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
             },

From bd65578e5a21494c89320094c61c1c77250bea33 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sat, 13 May 2023 09:51:33 +0200
Subject: [PATCH 297/331] Fix payloads of tests that had expiration dates on
 May 2023

---
 tests/data/logout_requests/invalids/invalid_issuer.xml        | 2 +-
 tests/data/logout_requests/invalids/invalid_issuer.xml.base64 | 2 +-
 tests/data/logout_requests/invalids/no_nameId.xml             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/data/logout_requests/invalids/invalid_issuer.xml b/tests/data/logout_requests/invalids/invalid_issuer.xml
index e1edabde..4b7714d1 100644
--- a/tests/data/logout_requests/invalids/invalid_issuer.xml
+++ b/tests/data/logout_requests/invalids/invalid_issuer.xml
@@ -5,7 +5,7 @@
                      Version="2.0"
                      IssueInstant="2013-12-10T04:39:31Z"
                      Destination="http://stuff.com/endpoints/endpoints/sls.php"
-                     NotOnOrAfter="2023-05-10T04:39:31Z"
+                     NotOnOrAfter="2053-05-10T04:39:31Z"
                      >
     https://example.hello.com/access/saml
     
     https://example.hello.com/access/saml
 

From 918b4bbecf46da46e117e1c5da8ec7a27779ce7d Mon Sep 17 00:00:00 2001
From: ManInDark <61268856+ManInDark@users.noreply.github.com>
Date: Fri, 19 May 2023 18:56:53 +0200
Subject: [PATCH 298/331] Fixed error in README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fad22156..251b79e1 100644
--- a/README.md
+++ b/README.md
@@ -160,7 +160,7 @@ we don't need to store all processed message/assertion Ids, but the most recent
 
 The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L357), [get_last_message_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L364) and [get_last_assertion_id](https://github.com/onelogin/python3-saml/blob/ab62b0d6f3e5ac2ae8e95ce3ed2f85389252a32d/src/onelogin/saml2/auth.py#L371) methods to retrieve the IDs
 
-Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent replay attacks.
+Checking that the ID of the current Message/Assertion does not exists in the list of the ones already processed will prevent replay attacks.
 
 
 Getting Started

From b82703f29648237a6288e48de84135637ede0238 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Fri, 21 Jul 2023 12:34:10 +0200
Subject: [PATCH 299/331] Add support github-action python2.7 by the use of a
 container (#367)

* Add support github-action python2.7 by the use of a container

See https://github.com/actions/runner-images/issues/7401#issuecomment-1571065641
---
 .github/workflows/python-package.yml | 30 ++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 3a2a5f33..49477719 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -12,13 +12,12 @@ on:
       - master
 
 jobs:
-  test:
+  test_py3:
     runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
         python-version:
-          - "2.7"
           - "3.5"
           - "3.6"
           - "3.7"
@@ -26,7 +25,7 @@ jobs:
           - "3.9"
           - "3.10"
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
       with:
@@ -46,11 +45,34 @@ jobs:
         make install-test
     - name: Test
       run: make pytest
+  test_py2:
+    runs-on: ubuntu-20.04
+    container:
+      image: python:2.7.18-buster
+    strategy:
+      fail-fast: false
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/cache@v2
+      with:
+        path: ~/.cache/pip
+        key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.py') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-
+    - name: Install dependencies
+      run: |
+        pip install -U setuptools
+        apt-get update -qq
+        apt-get install -qq swig python-dev libxml2-dev libxmlsec1-dev
+        make install-req
+        make install-test
+    - name: Test
+      run: make pytest
   lint:
     runs-on: ubuntu-20.04
     environment: CI
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: actions/setup-python@v2
       with:
         python-version: "3.10"

From 888c8bc623c2bab44ba51917f2d76395d4d5ab41 Mon Sep 17 00:00:00 2001
From: gahooa 
Date: Fri, 21 Jul 2023 06:38:07 -0400
Subject: [PATCH 300/331] Clarify wording about auth.login in readme (#363)

The previous wording indicated that auth.login() would take some action, whereas it really just returns a URL for you to do something with (redirect or print out).  This clarifies that.
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 251b79e1..8f903035 100644
--- a/README.md
+++ b/README.md
@@ -677,7 +677,8 @@ req = prepare_request_for_toolkit(request)
 auth = OneLogin_Saml2_Auth(req)   # Constructor of the SP, loads settings.json
                                   # and advanced_settings.json
 
-auth.login()      # Method that builds and sends the AuthNRequest
+auth.login()      # This method will build and return a AuthNRequest URL that can be
+                  # either redirected to, or printed out onto the screen as a hyperlink
 ```
 
 The ``AuthNRequest`` will be sent signed or unsigned based on the security info of the ``advanced_settings.json`` file (i.e. ``authnRequestsSigned``).

From d1bfaeb17a786735827b8252b91deafde29dabd8 Mon Sep 17 00:00:00 2001
From: Galyna Zholtkevych 
Date: Fri, 21 Jul 2023 15:34:36 +0300
Subject: [PATCH 301/331] Issue #364: Some urls come with 403 response (#366)

* Issue #364: Some urls come with 403 response

python3-saml urllib dependency responds with 403 status
to urls with default Python user-agent
---
 src/onelogin/saml2/idp_metadata_parser.py         | 12 ++++++++----
 .../saml2_tests/idp_metadata_parser_test.py       | 15 +++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/onelogin/saml2/idp_metadata_parser.py b/src/onelogin/saml2/idp_metadata_parser.py
index dc802ae5..29ba08be 100644
--- a/src/onelogin/saml2/idp_metadata_parser.py
+++ b/src/onelogin/saml2/idp_metadata_parser.py
@@ -27,7 +27,7 @@ class OneLogin_Saml2_IdPMetadataParser(object):
     """
 
     @classmethod
-    def get_metadata(cls, url, validate_cert=True, timeout=None):
+    def get_metadata(cls, url, validate_cert=True, timeout=None, headers=None):
         """
         Gets the metadata XML from the provided URL
         :param url: Url where the XML of the Identity Provider Metadata is published.
@@ -38,19 +38,23 @@ def get_metadata(cls, url, validate_cert=True, timeout=None):
 
         :param timeout: Timeout in seconds to wait for metadata response
         :type timeout: int
+        :param headers: Extra headers to send in the request
+        :type headers: dict
 
         :returns: metadata XML
         :rtype: string
         """
         valid = False
 
+        request = urllib2.Request(url, headers=headers or {})
+
         if validate_cert:
-            response = urllib2.urlopen(url, timeout=timeout)
+            response = urllib2.urlopen(request, timeout=timeout)
         else:
             ctx = ssl.create_default_context()
             ctx.check_hostname = False
             ctx.verify_mode = ssl.CERT_NONE
-            response = urllib2.urlopen(url, context=ctx, timeout=timeout)
+            response = urllib2.urlopen(request, context=ctx, timeout=timeout)
         xml = response.read()
 
         if xml:
@@ -87,7 +91,7 @@ def parse_remote(cls, url, validate_cert=True, entity_id=None, timeout=None, **k
         :returns: settings dict with extracted data
         :rtype: dict
         """
-        idp_metadata = cls.get_metadata(url, validate_cert, timeout)
+        idp_metadata = cls.get_metadata(url, validate_cert, timeout, headers=kwargs.pop('headers', None))
         return cls.parse(idp_metadata, entity_id=entity_id, **kwargs)
 
     @classmethod
diff --git a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
index 93c08dab..3d027ed1 100644
--- a/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
+++ b/tests/src/OneLogin/saml2_tests/idp_metadata_parser_test.py
@@ -54,6 +54,12 @@ def testGetMetadata(self):
         except URLError:
             pass
 
+    def testGetMetadataWithHeaders(self):
+        data = OneLogin_Saml2_IdPMetadataParser.get_metadata('https://samltest.id/saml/providers',
+                                                             headers={'User-Agent': 'Mozilla/5.0'})
+        self.assertIsNotNone(data)
+        self.assertIn(b'entityID=', data)
+
     def testParseRemote(self):
         """
         Tests the parse_remote method of the OneLogin_Saml2_IdPMetadataParser
@@ -86,6 +92,15 @@ def testParseRemote(self):
         expected_settings = json.loads(expected_settings_json)
         self.assertEqual(expected_settings, data)
 
+    def testParseRemoteWithHeaders(self):
+        """
+        Tests the parse_remote method passing headers of the OneLogin_Saml2_IdPMetadataParser
+        """
+        data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://samltest.id/saml/providers')
+        self.assertEqual(data['idp']['entityId'], 'https://samltest.id/saml/idp')
+        self.assertIsNotNone(data['idp']['singleSignOnService']['url'])
+        self.assertIsNotNone(data['idp']['x509certMulti'])
+
     def testParse(self):
         """
         Tests the parse method of the OneLogin_Saml2_IdPMetadataParser

From af6fffcdf1e240ae7c2fa758bb3d21449428ca2b Mon Sep 17 00:00:00 2001
From: Joey Chai 
Date: Sun, 10 Sep 2023 16:54:28 +0800
Subject: [PATCH 302/331] docs: restore flask request.host (#371)

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8f903035..5c9d0ab2 100644
--- a/README.md
+++ b/README.md
@@ -648,7 +648,7 @@ def prepare_from_django_request(request):
 def prepare_from_flask_request(request):
     url_data = urlparse(request.url)
     return {
-        'http_host': request.netloc,
+        'http_host': request.host,
         'script_name': request.path,
         'get_data': request.args.copy(),
         'post_data': request.form.copy()

From 08719379e5bfba49365dbd22f3633e0f3fa8eb09 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 1 Oct 2023 02:55:45 +0200
Subject: [PATCH 303/331] Upload PDF version of documentation

---
 docs/SAML_Python3_Toolkit_Guide.pdf | Bin 0 -> 311673 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 docs/SAML_Python3_Toolkit_Guide.pdf

diff --git a/docs/SAML_Python3_Toolkit_Guide.pdf b/docs/SAML_Python3_Toolkit_Guide.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..3425fb195608c896f7bad8ec0302ff9546d3251e
GIT binary patch
literal 311673
zcmd421CV9gw)dINN>|#pZQHhO+nJTFv~AnAtxDUrt*_3x=f1e#y(jv;=;*Jzcf?+r
zbI-N*SZj-V37SWZZUnx2LklK9vB;4&mV3mzSwt$_t37Z)V0l(CJelNlZZJv}qt
zpC3qC5pydiV+TB15i5NsVpyAHf+1H;R#n~o~#(CGc(;H1y
zW*sR9_G;6I8o|ylg~w)($sf*7c?lr3$?;eE0Aiily&_nmJuD1j2(VXb-m0d5S@7X^|L<-~`R&T8L=M&aDidj`-
zNAC7nJ(sU~DQ9bJI5Nchs)}f*TXK1r?ib%O
zwiJ1to^O8gHrX?InuS{k_S__gbMl@JX%QEMsYk9qC0X&zP$u^&XKVOnRkXrLoE1R^f{VO8WR
zQm&$(buJSo3&=(`9=dUJ5&Qg~KcH3yVD^ZRv6#LH7^{0@Dy*47q7Y?F1xOuQ>}7SB
zYUac)fU6{i1<;w-p{u?)7?DW{7*6auk-(hpSdx_>kPrH`n~#6mN3&D(9gl#`zy}F8
zQovabXKOZdFrj(1E)j0a*WSTr-%ViyfON>=jb7^?_MR%_3=e%nd@8fRx~RTxCZq!i
z_w51(a%D0>o!c=Lo7BYcsrWqV8F5|+TLPe4EEOxjSZ3(78OJgp#kK7;m;^K}oZ&F(
z_z2@>gqIacBS=c>z5uWdzZ5=(^er*JpTdje4kJo2)
z)nd=>V(}=Au(PJ2W+JIvFqGu6+Kpj(_B`FcBfPfHkDI*CyszJN!^_-OGzJVetj?&m
zag@)7?5d|j$L2}sc-!OK=}lG1V~9^!!Z(YJm8d#Ek6JqUDWLWuN;xShlwA;Ulig7c
zY2l(dTj4?^C+^i(4sC$w+I}*XJ@WaZGfgO!XvI7R
zJGER^X4{pJ(@o1tO`Lo(w?Ui}TvO0&Lh3*8zt`xLk^sbbpY^sz>6spAT=AB=2J9^+
zFJ6mu_F#&tjB%d+Jf2b6cxw{I^D}aTbMP1KQim~vDU%_s%WdzTQXg&=ySvZ0BV`K%
zRr%B`{{@}lKfOAsson!$cXX^=WW{OB*D6O&@8m#vS4|6nOYFR%*2
zkOpQOhG3S~@{&$e;FQ42DDVVLNq7#C#yEEWpb?&3Py?+S3HbC4N<;>xafV=0LGrU)h
z|1C0*$$iTzBaUYYvM{{?5oHRJxZo<~%|F|}W~b0AaPo?#LEtWHqXe__0E*vWM<$y>3&IDEi?8g8hLhokIw|SK_HJLXy?lP|ad$rI57`}?rVSe$JO>-mk0Z@b;^3A8g}ES+Kz3KV
zwgZhB-8)G^*n><0I-(r|ZZ>^rkH<;ascPSom?PvOm9Mir%LQTuphNww<{LpoxzDO2?*c@%D*0
zHUqFLYZUyU61BKaZSx5SzE`{qX>4QkS2po`>yJ!?`Cl>;C3ibxJX$qb0}EqACrDaF
zX9K4{kBHbhSpQB=elP#*K@UkQrzEUK^E+EHmeIF1#v`M3vbLjjGInFIGcuu}rZb^q
zWTj`Iqcdh=WYafhr)6PfWnf}vGGt+3F*ahNV`Va7V4jmT|T=_?-^@^L*kqCbmN6hE8~le_XTzB&~pets9;u-R~WGW>!1~
zI&DZ=Q3qRRJ3I!4e{@hVcC>YNFf?|=`y=5Jc5@O{bo!lH{kf-4_vcEG|Bvwv^?xsa
zXIixS^#43cN5lB%@juqTTX=YA70vXG%xz5n?BHm|g2(trHuw879L?D97+L?^{@qK&
z*2d{~7d%=MYC386BYk|&E^mZvKT&Ln
z)Fj@g(MJU4!PuT-94H0
zDf;*p*{OB-jzhqENc&A
z09xhNSWPbj+Mt*1=POoQ+=-mV9rb)tCsH6hoAWuqTMskF_abnYQ;#O<#~s$#0x3?`
zAwgtQ&Y}G$*hV9QIWR_&b8&oCl|@7R7%<+RqWrE+y^Ofzkb?
zFpQ_K^m^|h#O&l)Q@&4*kdU~-S1;heZbeT-OlJhoAKrgyI3<8ScpD#YZ=T`eH$Ch&
zPh(;d7ElCqY62nKBaQL{hM;5%}6bXB}?WRR~xis&mFd<2Z&1;2YxY7jy~s+@W7_i0LmY_mTPEJCkh4shuJ0jV$0^h`)Opov09)m`cCSU5H=#5$7gX^JY(I`>&D
z-4Yseo%_VN&l3<}Q1cgB1!w=plKHl7|KJ;L#*8qT@RFZM{8(qir*j5;SVqU0^J=sG
zT46)?&*@3Rd3Wub*!evBhx|UeHpZ|fDo(S=6A+FM+v>Os2J{DRuo)ck2C6xt)kAtt
z=~3`Ue03h9V)B(581$7CEyqlbC4E*Sb$cn{&HAVPQ0`bv7eSu7Xrs|2BcAkvdhtP(
z7yqU7U&<%aHrz_d-xc0&`wzP0hb#Km)?Nn{RX%+Hx$fg_{>I{re`E2#;_Ba7{IAzl
zdOT(}CboZlDa}|=^VCvS?)s|ySUc;$^~9Y5g!cn>6A})D&D$k(Ib1W4n;8h^pg>TM
zjN!J5$-xkk>c8U*uj5x+-{L8m%=9!p
zjDBm)eoO6CGp*k8c-J|5d#h{&1Oq@J0|&Xv6GcJt#<;uX0k8z%OY1%k9qzc+a{~L(
ziT)$hKMx#-9Oq^L0f2O-=FKl8n?mhmQ(oc%%%HB??#AD%-E+(wpfKiD1Vtg_19@*w
zXbGOX<~nvbNp_Su@%x6r{Xj@EjRru?G1U(X0*_Nds3g=;SS*x<8?fpH>q1&yhuEwHhb$NGy>eT$6KaK$}Hqhp<5
z`3>DLjQqWjD;#EMe4H!55z7~LI)1c>nb%rrNGk^3Jq0R~-9EyLR0?Riaht;SjjfF;
z5u{CBmYs|;TDZCn%HHC87>PZ
z;2#GyniVMN7L6Jt%atae6&(n0oE4K{{WkR}FyBau&l@PlR?s7pGSDN7GCYq!dm&ek
z*U=*{u{t;2rjFN>l44*a(!1-mC*>Hm&`TLjrWq;TE%Oc9B}Iv{Ug(sI^X>)^HG}h$H
zViFgWUTiV>6_IA{?;d9y=ACAkrl{zsN0LrH*=xm~KFvHqKgGOZ*fq>B%rTsFHsWkj
z4qCxS(ZF@=_6uE3QfeG~JX5)5RZG9JMtP+iOL+=)GQA?*sxeCA$mPss&1TrfH2>Al
zL;gY;^@tzGwT383Ml)?xEiJWB9J7w4YWezFo88>r;GEtCxBW_OXEb|BMmv?z)Y*0*
z1R}8^IiF0XYflqGJik#4oR!@kwWMN2$-Fjg0)#Yv*FlPeEYdQU*Ecw-@NvqX`of2q
zkkI)G6Q^j8Yzncst$&z7R^UCyi5Z_;+E}&@L7v`lWvBnBNm=E#a+h_1+gVw?vD%9Y
zv~1JG*xj$0sHh%qMsodVk;-nu?WoMfafU3zg8AI()kuOPzm%F0|-8=i>u
z7bz=0@%<1c*Swgbt*QB^9ecO=V3;&a?{;7_4zGvS>gJuI`5C2VwAEE9Q;TO4&D2-$
zM9}W0+pFqbaCH2~Jjptl&a4-z^
z1aXy%7iE_|g-*x&rf0IR@9jV$^=^R~s%|(URX`9uE9OVOt=KRf+KaCD+&k}E(M6H%
zBPbWHTS51I)X|ljDD3%6CSfms*u@2rsvn?TJIVs@H(1x0^fWBXWqqqC741cG_&`W=
zhX$Ipt)oH~?Y3EgECz6cF~d^>A5_A6t}W``ebCUH-q(AGm!H&7V8b2i4j3MuvdJCf
zkv`TRuS@r@9@97hg*?7~W+=RJ<~luH9L_JdeYjUwP=x_(DXgqdXL)>9J~)l^%KM;V
z=3pjaW?4wbNXE!cEfKb)*QhvL*ll<|KR!=6U$(M!(Q@%}F_1S9b~2VSwkm99s3P#u
zHqbT@HJF$zWJTT3`u-DQ0Ib8WB`+m!nZQm4B;iugP+bS2%#Ow{b873fqF?5z
z;9J-}>5F)gcUN{hT>dH#UnrC)S{YszJ{t`=ZRcWnCgSd7>})jr(tqQyIKE*&@%3
z##Y9VOq}TG?jI`obFyZ|YFmmWB?W>+)43zlTAooLHHUh42p?}t?9(H$dn$6Pe3^{d
z>}fo15Q&CZLeMSFyh;g=TTg?8do(+->=~*EMgeBa%0t;9wRHtgeZ~MQBJ@@-%SepD
zqDcUHxvWN@YS$8GVMt@$s$zKQ*=MhP=x)ez*>7ndw$)dMem_V)Eng^|FV=;Q?4|2;
zg^+uG#*x6x&XsqB=E3QaNeqHJ`{X6qz`}=Y3%bZF{=0cNOS?*N5O^jUR>H4@Wh+u%d*qFjCNkS1~0P>xdQ2zdb=>Wf|h6g
z&=Y#9Kr-(DB4vAce}dULyR|53OxN?}7IV?~@7hopCR6JiXBXb+o~j*N8y}xxo#@iD
z&+(`<8C>=|eX6@q_QV{AmHL8kU$2|OP%CJ`QYMBdG-chXtm7lFtU~;;EZ?~%I%XTf
zJYDE<8fpbU{HsXT(g5XgM)&D^p+^rgnD7$BG{tUs+#1P|93_fv#LHNS7~9C&XkPn|
zqs+1(Qh!H*dn1t>{UId9F!vN=aw=oV!osXV`NIwaY=3+FJ%Qu9)8qUO1L)pavSjD0
z#zq`92ZNnFI9!Cx1c?wQ-`)u6*(l{k{t&0FcS2H;h-F46G|Wk=1j8$&>_)52X4CSh
zK_rIrkYDHt-vRKWRq`CREgUAxp
z)=qm0Rj&_`25-!=O~q3I?ys$8KTTfAQ**MTJW?cinP}S53x7uYM@D+WVy@Ggpwg6G
z%JfE;)x%zp=;9I|WD#`Udm6+Y(qYAJ1)791#zV(TJ7G1SEt{P!(mIE!Gn%FY9}+MM
zQ}`)Nw?T-eAIAbOok3qxwq^3(hVufX6LaSotzvz!$u68jF1fM5T@!5f!gx#l^y~d7
ze(Z|J;O{nG<4dYL#uh9F_6HuzNuD%;T6TD3(xk;srf~yzSL`(GfU&>n?0o$|Jzb_k
z$+?-u+|y^uvbTJ%=8Z7Y(rdJWT9YWe6k(S+AmS9?8|rR-_5G^p=In=lRR#A}i@_bC
z-7aWKdhc%yvx`s&3i9hJ!*^T9AErHJG2V#m}yp`VyX?Vfri~hmg+Zg&pZDSz8v;&O)MT8`bAz6d?6>$
z*0Q2N7B5ktKJVz?EI^%D$h0Xz#x1ytZ8Y7>{){{}tF$~e6{}sm?db;VSik@zn5M+{
znvJJZ+0ccOG_$nIZUTr;ERSn0TZarQsc!`-5A!>8w!bh=!XST#Z{R7I-LV;7xmj
zAg)z5O&A54k8yz%26BZdNm&osyewKou-v{aL*Ohlpf;fbOfBrBCQyU82K-TgVUds7
z9&*JJZLqsIQFDKK^w6S7WKF}EA_8qZKY%F$_g2@dJT0hl2%$$u_tEcE+?t>
zE%wXk?`x?0raYrcS;sV{HTUx8g&(+(CGq$pkpoAaK7dt+Drt(%
zI0v#~F6jQ!wxnBV>l$O0kh?!ICDOv=6rVJaFlJg3aHJZ4`0@*EP^1Ts%ZXt~7h=B<
z-oRKP44Tuli5qL&JOgT9e?vn{
zc7|zk-BHzk#s#X5=-ra-83+2>h}LbIJk(v(!<4p4k4)|o+evP_4o7;|+P(tOx!>z<
zy{X6Oz`IsN{j?d0R^~+%M_%
z?C2*8p>^3qYW*Atii`TJhDvkRC)!@q0u>HIgZ#|s2RFPU2$Woc_#C(LoYT{%;PvAt
zkY70HA(R%8U2YGkA>FT_rxiNc?M|R0sEJI|omOqOY5%7{(Ob`VHq~vcI4)D5LpM7X
z#piP$w(&^D;*gtEp!&*ZL_c*`N-oLm4aiMmJFv)!?`+;_eZ?U=4Q8C#McYc8GVpAz
zV5AG%LVm6iqwiBR8Ft^UQvA|-r2LwrU2oPl*nBeLqg{7eYF&6_&YXAEIHTZG@a^u&
zSaCOk@%JG+)F(=PKC%unva{
za(S{6q6I@*p5<_1?RU0?aB;oBNnY(@rpLh9XG{nEfDl23IO(I#BOG&CaShw)f~9_r
z4x4ep;=#dwM_UN`Ak`y+j|F-=Fa&X@5YS_zhKv@9=4
z^>fi=Yldo=vC?GI0M$TZf?}Fsis#G6gn1#G%aQtajrWk3b6#mjj-Kj|7sFip9@a>8
zg1h7QWefUwi1?AM7&7AYpPb=e74QF3e3_Av&XA4HfXM3e
zm|5SDP2YrpiCv$O)#QK5mzn+oyZ^$MS=s)TFaJT4|M6%3Et#A!8SFLt_O|fjA%49zvF49KgshS;QHT?
zG!y%OB56hjrvDyEFDUfN^wU9i9#MK(!C7ArNvBcz181m|B7hI*V>l(6u{sM2ymPy7
zFp;38eFy)UIN*ZC%R3G-5(kfqq0d|*zd%P}ABG+e_d2k#YZ&icraydSkddYc@34QP~T?P
ze|pRYW)MN28ynGrP?QD!y&Jz2n|6AgV)NMKjPE*Sa^f294m}ZXhs%Y4%VTgq6#_}|
zNbgjMTh<`T%)dyX#J6w=C8l9JPhRNFo#dJwKT!sFg)2}lE;yKe6`GL-E=^^FIDDR{
zI((jFsbhy>QmW2)X6nB;XC{`(~&Kp#RC{9)FtYF`Umsha5(0_p1;52aQ`wLBtu)F-6oLk`}qg*
z@6e41hbTrAh@_1X#)T9I2jJPN206sg<=-8>fg`ackvY-t?`dc!;^Yux0+V26
z>e76Cr*zt#-%AM6$ip}}Mq9t;;pwh-1gEysSSkVwitU%bCU)!W9n{E3rtaU|ia&t!
zzd`8Vy3(H-&)?mOze2$OL@)bCB>6qmZ>b88{QjHoNB_Hr)BnL@
z|Gc`tn*X7F{ojdAq7M4*e*~w0eYoaindHQ1ResS<(J?8JO>F}K5Uqen{f*WBRYCk~
zP80K=5$5j$%71}mRysDi|Lu$yYMyRL!cDvj#pT7to;uvA;@^nwMvTPzDCz0>017Al
z!&=br@c3tP@Chgpgg~ItdWh-2fk6a@Pzmt~ZCep?Y+2U6>3quNb2JYC3;=@yEO0!PsyM#c{>thLcI^gGFzU)<
z=lktaW(xRv6Szmnd_|klRQII^8US}e|4I9aicH$GUs>>g8{jhTWUeTQ&3ma6V*85U
z8n{?7z%ksKd;zK?i^Kcy<1Ux7oNGNmi;bZBE9KB)49>ATL7now8_j^6K=9ypPBe70&(JTem4Ey>I
zqW1HUZ;R@KKSq5hS+Ez&1rk-&wp
zL`>Eyq=1!L$%xP?$z7PNm7B-YvatnD9`~z&XigWPfbs#MRsk9?R?qqOAnC+&uoh;)
zrJq4G{V+DgJ9hpL_Uz2sj%aOF2b|9B;7&S0v~Bl-ILULlE65-V)a}mENB75Im3B@6
z8gAnSB)@vGw3ym@Rm~DPb#b)j*RePQj;tOBQ3$6;?hcJ3ad<}$cXXGzEL<;X?r0I}
z!WB|h$^cZ6IXU(kL5hdb?GHIb%~{P2GvY7e8__iq9c$|sPZoas{M9PxdU6SJn9Nld
zLTbjdaddogdLk2`ltdA<|9x6+?n0hgS=PCL{jKG-MQ{jj#JE))uPM0z$Mc$!7^cu2~wX5lTx||sP%`e63H@28S9$uBFQl#
zmT(n;tDpRsMB&NmMpgU9phzpn7W0-i%=pFly>XOhWfkt?RkV
zg$pa1Eha8T=1>DUT~NE4ZjvMc_LN#w=7CtF;UZN<=h0AKMh%)r;Kq;*C&R~b0A_VH
zRl;yXHUBt(SWwwej55S@=1+iI47PNI*C`h=Why>Zz`kv~UDKwA+N?GpaIA^_JH9l1OA!?*3;UPlU
zYH!n*??PFW$?=awJuoI2v-?3LqWP}EaP3RnD4n0N+y?EM7EZN;j`-sd(6Uq^4uyRx
zxhl()4UnDd@;eoF$}N;!$Re%HJhjX-c&iFX-LzffGP8Bmrv&7SnrZbW)0d5no{#fQ
z4Am{aUK5|=(4Ti+_J*gw9+qdOSwao-guU>i>bOvby{zmamJk6GwCXUy-`24PNy*l$
zRt_N2ut{T5#Sl}3g7eT=7KUI_%gdx0=Z!`Nv|W>uMtS8Yb%_tzwyp9lKd$S*dRo2@95Chr!y
zW#t`MQ2ZNUeTg^QV^CFOGoi`NP-FnN}tED}a>VUfWp-C?O$
zSr(q%XsjgMwO3jOdIz!yuxb}s5=a>#76Q3b;TA{KBbV%51R1Hj3P7ZjO!k=HLh}fw
z>bEcPD0h$3k29kl)`89vWYE&?!cicP1vEjfc{%%a_UTk{=g>MRiAP^!EODp}FN!s`
zi2L|gt1hmwl$e-g8irefpX;p^UbJX#PG-wz)n2GHb7nby$avuBCcxc_yh&D>oP6sd
z@9ss7(H=UuH&~1oc0x&Aem-e+<>g)?+w^=Yuii=wUpuo4PNZEh)P94WjRg+8ATAiT
zr~4%(#F-OLu1u3ZV=rbH2Wgn$qTI~_c9Fzj3d`wP+d6n12k?aaw)H5P#4HTm=QOKH
zvHx6c!oG6jAimcZWckFzeDLLRNm(tq#%YttV!Pty<|&$}^?u$EM{B;ND#njW#?$AQ
zfU1`{pwyCNmoxq-U0l3&Kki1Usy6YcYi_0F#oM6Pq$<<2lx?<%2N^QaFp!g_=i18%
zArU|RO&JW1h*=mT5*Y$ktOp0>gI~#;&~xt8HjCtd(ZKGP*P{U^`r#QW7it^*W(O-J
zJ7o;=1f+3Ly+Uwt>ZnN%bQ(URRS^;qDhQ-MXs*8hs)oj!aYmYy*CQVSGz+39i{JRtzyflWNE0lgkzC;!bTtnH
zd$7vN3d$EXyk{D%(ZwIvGY?J|oU*Ym9w;n?&>kT#L~LVig?0PhhnV@x-C*YqTQpmz
z)8lArp*(x&W7e9t;hZXUOoT3R_Gf9I@9z5xVuJW*JqK@ZK2bjtn=Py(2T?K)51QOX
zoHQmbG}tXO_xFSkxzRFX-NNoR(Rh4TVeyg^Kxw$gy51I@vhku<1(71p)pYVjHcPj5
zJ07s+-E^odTN*do{)jUuhvTN@b~0nyf><~@QxbD=k2u30o!N`BS4U_TxMeU4AsqML
z14p2WEl)hMTcmW0x@EmQ@VHap$G#O8DO)6Z6z0#KH2zYKLz14E@sn}N#pF);$z6*|
zGCKO$FcGnX-fXI5L^Y+BD4#u(HWM)6z;Xwt7n{-(K-Kfk6BL-4gsG<;F+oIX7|O$m
zgNt47=-~W-Z5hnU`>>Hsg4Psq>ZGEb%njpDis*OT{D_r0vb3WV?zR
ziZwM!jltQ5cPgXZ?sS(0Fz`Ny5a)?(8-x=B89(upI%R|czgEXnqAKL{S+Dcx<{4RD
zQ$c}^27sJgd`d@t7GQV7IQpSw$&jub+QK@@vQJ`GpBvv_bgp4NvS&P51)Wf%K*#CClMjH&E1
z5I?89_%>9g(P?TKL%_ttC^)sUo~V_BTH)ChYyICFX30Y~`e?
zsgt_t(TVP7*jO_bSKKRPA`f^{CY30h)jq{C$I+!wz8jv`D2=LCY!=tyY^IEhN~6Y}
z+jrVjJ+WlOo~vD!j~w5(=u#-HwH|P8(tc*zvh|#NjJn{o8ob(9X+26X|t%{vbEyy&}*haYSXBkS^@MohZCu+oKB(+gAX3a{L
z;ug6StwM|&@(g|{R(~))Wzyds6i#E?wAtEBMispsR<6&?Gj-_q2DI0D>;P|hS+U=d
zvZ_yMt#&+wCN~XcylT5ropbc#G0a!Ln1qpzthKb94w?4oh0Ie(lRA<5?%lLixEZK1
ze$=%S-qG|=jIX|B@S1}#Rey;)%s`!NnA$n0{q~uFJk%X(grqxcLYWYH5s^gl
z1K7wM+8cP^8eU5dFw=@FeeAG4WZB}x`Q$_HN>0U0%uJT8uzs$sT96xaIIPrH-qjcD
z;pk)eYZ_O?vtyd2PTGpG@b&VZqtI~T)s*iuxjyo;I^C?}o$YH!?9&k9%jV1X$*i_{
zQ~Pdk6Q?F1*~Uu3wLE~xn46{M*T+|OHa8V2#tulKsvfG90cVMd#AJPGq0TDQxE@U-
zmOiOk<9zn23m;`hUaYbmkn3oV%?~UKP`6}ByIABt9u2~1n-F&vVKDcI4p|&h*0H05
zcsj8x!t8|b19mF#=G#y&@B=O{>DyUu&To9zW^#;whtF&cu1x3(if032$WiLz>u7>5g53tyTx!I84dQ}P
za8eQvV0TeCR+De>?d~oQ=4z4yMq*+^4aDH&gd!R3bdv{`wdg5X#S%)lOKjD;3@-0{X`WFt$vxxQs9e9
zBG$}&*qPXQ?ebJ(i&rw_^gQ2g*wz02ahdsusV)5YRBGYulKZXGno*eHhosk&%$l0&
z%=E88Squ$|Z2!Gm{1%Bed$~~enCwB#bge66u4dE&YdG
zZh>oMks5U=ceoiDW7Y77Y?}xVUK9b{6q#?N@Tb-_MdLo?SzQkK4a?^pL^YEkyh1l`
zR_|4?-Of9#K(vtWnn>L)JF3ph7=yIQy8YcqZn?1CCH+Y(?;S8-lG~<&*VQj>I@`r7
zZkOk7K2@;Ovpw~DH}TPoFTX_ydlDa_Yg!=Qi6P#%>i`Zf-EB{u_i5qhOaAxx9#^wx
z&hYDrle6bkVYgQfu7_cr_k)|O9H_`dC70%`+
z!W;V&le>k#{{d)ef&GQU&sj!GGJbJ!CrtxYH$JM7Mr$KDx|(AI7qz9#1X9=eyDD{(
zB~JKl8o8R`ShTQxVGnXN>^3C`4+lW<9DTBGz(VwK$7)FQv6?W9GO?O?Mp?uz1F$dk
z^-dv}uiCZ(aPl`Tsv3cum6u<6!teNg;V3(O2voH9cei9bWOjZ%FEklPJ>X0kl-Hju
z8FRr;jXUQoRETVnzxACfh`nl%DZ1O2h#R-&o|Euvnz97Q43Zk5?M$Gn?`+QBP?~qF
zVKWG>QT*aTQKVmP1kl6fOvSOlxe6Xguyu9GBj{0j^2X1PCpqx6y
zw^MXIp3(fe@3$j?L=~sa{8%GyuQ7M+l^
zGUv}Av1x5DsJg!_@N`(Dr0X6G>I-IirL3F`<;q|Y{8ps4`FVI+V8CJSulaefQp)fA
za3&UR#sCi4=-(hSO`$pjhAX5pP1)%chXFq>yncYct<~zXJYFCkcuUsE1}8s-8U&-x
z&E;`@U`T}2ILUP0g2B{5yFx}ST2Y0JTxRw
zMgV;z>jl|W^6zm=L(2Z?U$J@6923BrkEw^cDGK!kHw9<{{%
z7mZw@ei>gnTp~h3sUiu?HDO~Op3{?EDK7(@Ki}erL{g=Z_ZKbKb+>d+w^!U3W(oIA
z!hf>DKXBzg0qg%MF^Jue{&yB5Uq=OpXD0P?mH&Fs{B;dlILyVh^kzZflNJKQ$;0iBt!5D0J
z$M;RKq#+5HQYeHsgtdYwq`Zz*CI}Nnh4%<*#84q&ccgkzt4z>=PWsfw`{Ym^r@;nD
zJmQc|L9;-mg6kbu)#znzDK^*f(K=K{YoQhO
ze5p-dzww?G!JXe~da0S~e99^v>rwkVvEg6Qyte$f%>W*B#~m_{4IHId-bRT6Qt7IW!?B?B8=yKJxdQOd7{Sjj
zFcr;G@M||N!<8P|{yRNskWZWpEP8(y6;Q1W6rw(4Q$uy-00xH5I^ZU|@hx6eKW1Q#LQ{A%V#BC*GEvNIbQz00HR>9g;5&>Tg`>
z(E)jFp>MHPzG2fFg!AmxV`8)9S|3F8QZ6Ek5Ho_s&eOljd>bW@#+Apf$ZIawW0bx@
z20Hf|ov%6$A^qe<{!DmoyLR3!?^A_n25k;ZAC4gZPLoDremWZ>fN{>kk3rvg;O*KP
z#AkT~KK)iC9Xa@x?RFGTnXTKe6sYhwru{>G_-B~;r)mGH2>LtI{(rCIu>R9M|IkDJ
zs$u$nTgPGjL!A0|tNmY;VEmVk!%Y8gI?jeFgp-nT+UM2VRwZ$whGOFPIwj>e321RV
zA`meo1p-TdsUH9k7$h;@;TsVn$Xp_j=L3ZkI^~SW&Fvu2Nh9GYpnf6%at_s|A2bNS
zMgAB;qi>RL4|ikyD*s{V8Rb2d!FV*0+S+{S`S9iX_IcoQ#jOYM9mx5|HkqfH{sO7)
z`8|-?D?q`EaWv2Fk2k|QKqpWDDJ7+ir(bpQ(KMjH;-TNJJg;xUoG;)&j(rg)Q`?Mg
z`W!l)$H3>eWZPyW#d5bQbpZ9ygdO_gLU7dS+tO9zw1gZ^0}_p)0B6mrcF^PIa5Y-;
zBy@5$L>!<-qsl^1RX3_W(>^g|fUk-1_=B#;kiBSgmHXvfOT2)USW|*MiO@xyvM$jf
zisrbBJ!ktTWa`JwT~tPX=|;+bs0ON9KcDI1s1O4O7y~C?muUgV#+*g@gEeWeFdeIg
zG^8CYe(QGMkZTl%Q>=^+PJ5*_C8N~2JfjcoIxDiRE^c=oB2!e-o)0F|MKUFxV96L9
zF11>`o`{$+v;sruu>vv`VbjU1t>2#98{VQ?X5YK?Cg%NFPZe2ucph7yrl3IM?5Zmv
zZZ0LJx0mXtt|r5kN=DwYe-J1M4j*#_tJtWK!#r=R&MIU{KP41yJ^NkJS9Xh92!w=(
zwGPZe38ztXZ^lD_t1V3~deiV4jhiI8b!a#IJdz1={g6VnH+Q(RO2f
zzM(Z)ec)lUdQf#D0=25^>vLgRHmjvcFawEuSJK|!xSr0$*bss+z#gDZlm--e-HtR@
z{jko+1VPn?tdwtX0-y{6p>IuVP~JcbtntLj$5BjQo|1YSM>Au~ih9Df33)T03@j>&
z`Z8h!2ZGRpp>FQZ6tz_PU9wT!vHpfOd@tqgrF2%IROD6+Mj^97ewETZA+n()(OSL|!FY_(NX3njDvUPmZ9@H(ASNbXQXIYuLqmm;(V-C755V3x$
zM$+i+Ft#DovcKW(<`1n^-JjB|Uc5syg7yspNJ_1U-}0OI>(kbBOgoqp8sW?vp9PnM
zMOTO-rGa1K2HD6t(3WNDi9P9BlBJhQAGJw^+c?=-iztRr@8qRyp{Ikik|+;W9rE4E
zJOWJuS(pnDDAWs;%*!KYlc*FGX3@uOjPnIU9ZkSW0?f;jxIe%J+Tp0VYfH}a!G&;x
zSX#dniykH4RBUaT#h?yx+379jG5Zx()KCQIyCvUC9W}=>+Y?%v0rhZJjDnq-l?xRE
z)I-XleXK(`gbD#CjlxU2>q!H4#f~{;eRBY8$-k{(lfdWoG8#m&nywBZHe7$3sF#)8
zxUsObl+pBFzBaR}O=*vMx8tMn&d-au%Ym~T2{CWb{nnDxpNV9?By0wA?GaeEpy$H0
zyq2fAcTyq}C;$RGW68|HX;Bf6FdB)QaXC6dXG%%F;NDuD4LfFkTgbkaQTcqUdP09v
zd-CWc+Q!ID!#aw+7v;RR0oy!>t@>T@yQUtk9TFSVE@WI;+^M0;U{zhULxscQu(jAN
z@dL@=W}1iPY$ZftZQ-MWXlXq~)0oadiNoUH;>sD8^AtWYFT3~NGMb}Tk^p?DdcKG$
z#|aY!{U~Ic5Qjsqx$!}GrH`-8@M%#Mt_|JEf^{J{6e@1&mvnW4x_o`f>t53S32%i}
zh1&B}R=+59mT3r_t(3$m++lhO8c`hNPgHTRFTY;@*ci_NvO>PA+|D
zYz{-0y0AarNGL
zjA0~7qWaN15JpPGr}MQozsBaf1MGFiO8
zODkUPbbrbYHl{4IDu!VDyk*r1Q-$Eit54pa$~+A+_!;Jc=y>#CFB}
zE;U&UT=Oo9+&R-aJvK8{qZ$|#KFilavK?#IjCf9cR)J_lIJ%x1aSg$VXgE)o(T74;xO&fk~>tQ#FnBpV&sn-&2dh1E=m{^A`OaRUFCyhWk`s*DI2RC{lk{
z(Ms(Kh}7-$e6p}`@f9GLV;o=iOuY%8R%Af8Yx4OAf)A`yIY4s@cwb+Jk{oc~YeQI=@dkY;JLNpS{d^rOlqMAoJ
zladg_1jrIJWP|a!9wQA=CY?J?tg*O}RAa9c$2e9f+&P)EfSLJ9rd2UEn4@*i|B8cNaD{WAf1l|v0Cqx|e-$;(55t}3V|0%f|Fsc7wr-*f
zlNFSGsx4Hm&wH}hovo_EVk@J*lA&#V!Rc*%@v(N8M4iT3U4bR~`g-(s-p;Y=dSzoB
z&tl_#SX!x>?cq^=Ue>DR1oxg-()<=RKt
z{4eI-G03)PU9dc9+qP}nwryvgwC&83wolr&ZQHhORo>V2x?k756@8;4Dyn|%zdKf}
zxns_;$2X?L=VoGIF}MzvC+1WS6uFd=0UDQ(i*v8*4Ku1Fu4IsOX~0d+-^MnJFPD;J
z{~QAX`~u`T1dlZ6R56{-vLa|Ihvyv#mNdyH(O
zM~9A&bZ(R-IFDaa20WFWI%)Z3`Y{QYl9dXoDYywz8bsO&Qj3x1m(R$N=F_Mas2a)u
zI19K+X(L7J8a!151(J5qPUZIp2+TRE^2_myzmifxq)zoIjqg34G9Pf9_JzemAYVCO({-Qyx-wx)RkVxH^u(Q0(@B;a?o6L22!}@v%{0%Z
zg+nDS%|ilAKlfq3d-w(7um>YE+?|-(m?!I~zV_&xb)}^y>Bt?Jzv(UZCRNCiWQjK~
z2;a)Z3rIf;!h3m5=1s5iwj1V5#a0oAHRsn}G8>BqIV=K;bu@RbKlZuIzE|CboAvPu
z5|!|#U%r+;-|Ii;VFopWS(9X0Qx6WRLxrKeQ^K#OK}|6u?9RT+PsoL+4j|P@^>UX0
z_78B?L)>Rb^@1^NgH5;rRTbMywq(tWYNQK9-)lGl8&e!2yRdE@32_{#$vVr@T%5_b
z(|R|Z)WIogg3z@IuY42)$kq#fw~hOhPVxK}((j4zb==isy78p*G3&7dd4l*D3if5#
zS=PO9-c_@@KG1{cxEiGETtVug1N?_HezL^*t*0kK}X-WEA*Y@6@C>#UgfE<-$=19-{olmqG^v`hzhf_$0A_cy!79Rg2NGm{X;*
z{h74VvhAM)-9YY%!diP3^~YLDxq-QC$(7ap?ue|W>wUC+bw}eR`@LD;{{tAOVTT)y
zkJh;CCoOUGj0P7URs|wd4p;cIEq@zyV&ovaJSdrdHS`ouv?%Il@yGB#_arnnen|K?
zHogdREFrJCMM3@GM00~#B
z^|wC$QkJ*8h?KyzsOq#e(mRCyP>waseo%t7!aF=a&NwwKO^UGdq1TM>0MAtxRot#$Z$sZ3d2A+W&ySnO!xEz=@q*
zbl5MGS~R!-Esb%sM{&qbz1kPrO1~P=Ow#&d<7yZWg`~roZ7!Sw`(unl{b9;WxNy>(
zQHXx}H53m~dx)MtY<{QT&{OgYHp?%LSQrvpF&g2Z6x@H8nSvY92Cx#aA6V1ePvmc!
zHH#d-5)J0~EWSJ*=F}sgkcE>u`x$UZsyvmvP(L%^qN;LIzH}C&i64waWWdVGKq0d+
zDX{;<^w@ch5ydweA5wiEJVMt$Ovn%e_PU=o$?BW>+cq03${j5YR~C%I<#pTs5BssaXj
zf58IoaG6T`Gb$i+>dO~xCiRJOqEsaB>2luN>HIoYa-fDACKM*NFuCiy?zNA6%pbb+
zvM?Um0uH-co2=UrSsf
zWjO%+!Ztl7p0eY_r(}{kNtF8|F0NXbh|RKMACo(WQr>Ut_rAD$dDG!@Vr$S}NdCT$
zld>|Av+_l=4vexa0~>!06!_J1LS|GY^5Qw#aO
zK5L!W|43mBUvme?Y~~V(d*{~us*1CzK9gv>}|)9(ii>b@r5pJ0&P*3cjvZ&?lp{rZyVB?*CXnI6-*
z@dx;aoA0=N~1r(e<)*1a}lZoJldhIDO9f+0y`^@YC0FL<13*>f>-{gD
z=)dr~+5eCBy4nA875;DJf$aan>t_FVyl!Te|A7ZCs(QL5E~fcTKXV;tyiYvKkU|6z
zON00GAR+<=X@!o^49xukfM8)35A*K>6h#O_pvE$9K?lKR0nA#XUh}&$rvMJ4p*Ali
zSlLIXr3TQ{(=r$cBvI65JA3|z{fzs`AxFyW%GDGH8>ilI0RRD01omU*)=MZ;p2?U&2B
z#uONOt-9A~l`u`l7-Ot2<8WTilY0(jG`#oudJlcp~7@g
zGs>~lwX}M!qQ3gE>XBtmRV=W)ck{&Jf%Q%IH}|>6(&mNDQ)7$f23QA}7sI{T5lQ{9
zwxR$^-*`wJAj(oTee$*b>snP>JKlEVM_1hkHOCdQ)(C2L8ApAW``ZyCZ@nj5vR3WF
zNde>uCr|9ia;`!37tt4IqgB8vhfE{Z=6?H~=*$h(rcSFt$}TvUBu-Ma3T!WB{2fwS
zl6Rd9i>^CY8CVsmLm+t^7Uw1`T+k@UvUCxIm48vfl=LHfB=by6FzsK4-cc8_FUpMv
zlM^Y!(Qxg*!XK3_}jFqzMe{GgnEvLYthFYFO@7PsYDraD2vVw-nr9<#}uZdE*F(2lMN|+#TQPJp2SWOR6{wx
zO4O^_GOc95tD;kEbJ#AJhiMJtlnmd`7p7a!L&2j6wWN5@uzFWLr4Z$E!=Gq0m#QhoDrndtfDRm2H&B601B0OLnTjC$c&H(){dD@Xi>Qy-}P}
z_a@t@{H8r_^2t1ZbA0@&Vu5XrB0hFyHo4ZspT1HWpoz(tiiP2|5S?GxxTIX3C(qn
zCa0MrOvn}99((D#^R;dHLKODdn@whV`7IvPT{Z++62+;^CsElDdZ{MgC|IqUTJi+S
zGLsMK7~xzaN+Y)WH1Et=%-$>yrpZx@kyu?Ld<_w0Tf@j%V2oV%i>l!?^F`VxZ2HLN
zgJ?@4-<{_AAgLqyaG!)h?m{ge-p<13jpDJ8)g|2W6upWN@6wC$d5**>FNs&VS$+2W
zFR5iNXQ7l|WdTeX^|WegPMEBvs&`?YYZ*09aRb*7>nw-|u6Bm(`wEDO8rWum4Ea23
z3G(Q2S<)AuLLKMgt7+LGF)clrgiT2w#pR+79O)7CK^RoHk4|SDCuKfrrwrUm-6Bo$
z@Ke1~h19l)0%s^#4JMif(DYID&FO;EFi=SWDM|Y(XTDm!^O#Hdvc_EFup5b0VR^^g
z)8F{dWRtkI`&d>j4P}{2OYS19u_F5lfGA0&$aI0MCJe6@&T8V7v!q2~Dh2-Wg{o-X
zd^U101WUzu#HX|TK^bQUxb6yTTSKmfjD_$~=G3xRmP0E@c#*K^6{p@su!Inhs8m$S
zs)%5-Nw{o^=`oBaGX0qv5F=&G`wFP0$A`qJV{c)1>4IVSx?wl+_q!Y--6;%JMNU5S
zcf+xRcEw_4S=APf`^BXIWX;`TY1x?yDI>xHpTVTsoxSuORU@mXmCB*`S`OE(hNc>u
zkvgRF?p>^JjK@YYhnEdcCOhxeEsy4RUc1(P?>fqv6czr-CKSfN5h}Y*teiud@BA};
zme8>oON75h9a*I2!A^6UB9uByO|v46S4u|XI$NWb+6oZ^SBcnLdQqE}4dvfwF=P=r
zB%A(>n361IhE`>&-TD^&3602&cdRx>Eyqp5+;YBmK4`;sBvsLa-6*?6;oAqh{Zx(vp$OUvf7Fh40`=g~@CI(r
zcU!1$sluh)UzUIQVD!EtqJ6%I@N98K`^LGc)pl#eKphu{Lp`$d!5sT+iDf3dxZ{1)
z5AaERNblj1a1ybv$5Bj4IvMX}aepZ9U4klgWJNbC{?^<}9N-hrOk^jxH44X*=%ART
zwb$ND4bRUI+A9%WkK50a*&Eq~v_D{vwmt~;MMn&!>f>R@KH`JkjU9j^bQ9Wh4o@A}
zmg-OqR_kPU!zYGS-Q_RW!v@b?jJc*N?8Y0WLZp+rNO|Gn(eR>~$eI3c38
zUBZWcbzSzM2CpavPmU>N2$|F0HX~+qnMBASZZqB%42XuqAns<9ot+ONAwE93bwE0s
zjONh>JtCeHFL~UiVp(OnDeuLx|J0P(qZjQf;?*f`*$~I;Z)CzvOyks9!K6qm&u(J@
z%Se*Nl_jW?-Q*2t)s=^8XQCj(tEH%8$#bre5A7#h_r4Oh_P)3$5>m@;v$cZij3*32
zQs<%Sfl^tBBqrj?op-GenYt~*(h&7ne&+~>=Ov0ykh2c_Ax1WH6R!0?#g$G-#q3Q4
zCzaYLKMeESC+CcoAOV;15;5EZ?oLJT3A*KF=#9DE=Qi|e84k6_{gXtVh|a``KQzGL
zkw_p4Mqk!LB8ox&+rXIgj%NgG7ttM&NP7h53b7Rz+I2S@JG5n(KN_h2j^0UJ9J;bE
zw%3P&IH=bL8WSBckkmjQ97vFsp(ivJ>XW37A4H|{r;
ztt+H9qAU$%KDCrTvVv{y+Y~|0?FgVra@@%w%Y6!tq0SOqkeNSs7W_4Sr$)tOg8B3~WrM
z9E_%{Y>Z6*F7x5|CpnDqN9_48CEEW#7RUdhQUJ&Q)DGkLPyOV7w8J?5r5(od{|$W>
z6}ja4`JuP2)!eK@wJ$ukBL@0VDG-4S`4KEYHO2b_24aT0fRn@oRLH_e)^ELiypkbe
z3kg+0bJxohSm-Gs+Ng6sd9?dwHDIlKfv2DRZDxAGBp@NgwT>gqax;i({Z=GEo}<}H
zBw;KD^@$pjtxsG2D%^3gCg<1#OlTU$b5R40nwQwT?zGo$^LvNZr12u1L5Y1GzMgj1
z7^~89WdHyY*J$@FHSk$wQugSsa_x<3m7rT8Ma(SvdZFP
zJllz{KW%P}ioStVea{n`wbxlyxmBEPHSa@O#aa83zRhfk@&F9~2SP
zvYS%J)i2^8+!pamyGF-8cLihHbV58S2mj*f{|keR
zf&Tw!g^YpzKNs=;MrOo7|6jrVe^>7q=>HvyjFo|j@gLv(KkqvEM^;u{Ww8m*F^c8+
zy>`je4t}NQsFr0LoG{OnYtBm_SBAOfMxQY4RHk2%sDButPb`cah42b_a)#R+7X(j7
zN)f8nS@7L%i|CfG1q2Ep#
zgX>#|BN6L0NX-O5Y|)gPsXrKQj5t6|7N9<%>z0w@F`SnvtDm6F%HvArU~6-~PMq>K
zj6N@`)zJfXx#NPxFK2*9m~;`GC7QRwg(CZ~3>MekJc`vKQ%hg*OMA!cOa>hNT)dv$
zqNkwNd9=xdl(QqHj3=<^j$+d(tg`RuvS^lHUZ~=+RAYzQx-uJQ1QTX)cK%nWOgDfM
zAzv_NnqYnoMUT=}Ua^>!9{GzW+8As1^c|mh?Gsf23duYdipLf-rO
z&w7t4jzc)tF
    jgiB!WOW-k}=ROf6J*@=$U~CqXlasMvDkb|D-EtVX94rd>?(W6Y
zOxzdMS!P)>Nl5+5#A_KgS9`8%88}mz*clAq$IGkn>e#-Sot!eKwy9wLBY4TY=I$9Y
zrJTT|gN?waz{{BBJ@5AFK!iX50_uw73*x}KvTC{Q?Gb3K+-s{iN&2f@rZI4{Ota!I
z3TyeObzO;RJ;kCWE2aLCh}(iGZ{A7;YJx(je$BW`eO{(SIZI*jBIX?4R0$Z<3#eJq
zBIkUg$8c?L8Vro3cm!x%Y#D`R1Q7|Zjbe!I?)DihV_Xj_@j7aja>rL;#CWX`ruVh
ze(cDEpK8D}^M=Vo`rd?nGVYRYldellIexG<(BeRcGSlA_9cP_PhyqC
z+UBkR36u!Y->B0FYs;)d5~KuZ`YlW5)W%LNAkr;gbt;XPGw@vRdamav
z6|PDRCI=O!JAIDgtJY)ItEy@_@B7ncIq}72ytuL^U$kke7XrK3t}_Q-1Xb3JEr1YaTO^=SWdXQd@*k?XFh_?FNpJFeG&i3*d|p
zv}mNg+unHyW$9kbLQP{jbd|2BUK9A>Cc@r}knaz`6AIu@fi%n^}u&_XFTqtzZ#cXQee&$^a
zMy&0A9Cvw7IKT$bnv*|_3y<8r7+51{m^&jwN?`@Rmw=>Gdz_vT{MVgJLbm=zW2P5c
zkF83QJeM-zPYYf$ffy;%%xTioJd9Pz>sPVD>>FDcsZp2P1J&
zKYeze*!^$~s-?3BAQtkaVJ)=>8E*Th2oq8>((5XP&A8jOA0C5-a1Boz_};30Y_Bdx
z3o(^{ebJ{=hbfq~Tommd89jgTwo3fxaa{CufP0tE4kRNAWd%Ku@KGRsqd1)ypd#BX+(A14rh_Y1Mf}xYucvQ0L;hYLdtiMHyB_izneVLRpiw&|{Cj~F;{a=O>~AsndV!^2_c?d#hQ=WWM!=1i3!
zrcftjfO)T4hg4k}Wx~D>k77NFCdmS_b4+h%V%B04#QEJ7E5Z5ZONhn!lj2>uAY7ATvWwnV>r_uM=jAqXxs7_ArBYONX=F_CKGu
zQ(r7O`Lu|Z)-U(Ymbb(4xU+`s4R2}Z*}>aJW6}sNXv^&N}H~kYRZPKO=mamq)9AvnCcQ{4FLYvf{B$sDvoeB
z@b0A;0zq_M7Ahp*5h@l^3iEGy`DNg_@CJ{~r_1xD%N5!tI=bNK?ku#z@g+MXHoGlk
zwsNtQDs^4eCNGiF2U`&Zg~6h}yajB%n|`*GtNVdW^4Ej0Bsodhnp3D`Iz4{m
znV-LZl!a5wysX{!~+8@l>jOTepO0G@h`bj
zO1&_-*FiW?d`G;fx3b1UiCshX1Gh;)5^AFW?GC`J;!?59@Q7TGLd|Wo`ozId`;_zI
zLPAfIui6`iV`$K6lur?n`;@CUT$+CfKk2C)rQL&8yIThWM6$_|wFdg*=A?8u7e0;w
z2U|)H_(*SFwM$P@Nci-Mz`AGQ3mu7s8R}gepjU}k&mC&XKAH0
zMrSGI?no`!KzfHF)K(^*S680SFgfg;Hcy)BSpYCl-CtD{Bf4al5{3n+0m9GCOc5E)w&58QBV=Ku_UR?zB#O8rh@Su}
zB7}7M+0%86S+fWN?|U_V)KSHZ@!EL3pdd57q_wBk2%g!MDYD`@9&Mg`JVM;<`9_?a
z4R!!G^`GNMF&M+f2a<3Q0a%)gZYizvXGaP7$R7IRBzU+X=xa*WoOT6<)nA?58~S
zO1hmkz)z@o-^n#ZJY(vqG%Kj~uD-J;_o
zUmi_4Bo$A-KOp7MnlcJ+Ns`;;3RAq%83ni&KwhZ5j|B_8p^_dT`k8qKJ+6hY+9ABm
zvuHw){EK-Pjz;E*2wC8DDsaXzn(;T_E`fPVSanT$1ILhRhq~iW9W!RxibmfeIA0&6
zbPD7MI%1*r-ZydOqVTmEKklaF6eALNDcd8$bHj4JzZvk;p&8ICr@IDkflyK`S-$>l24n!@jCRFPk4zB6HGm
zhl)e%o4oR~DkSV_gN{c$%wZRNRxnF2HKZ;{T{_b;A7Q2dkLtPj*#hJfQ4r>an6%fr
z?64nq1k@7{WoIoHF)@C_h%~~qc0gchm$eu!>f!@If7=$XMX@67N$`UezDr$?>B`v
zP2}VYsX-D#O&-d!6XW@}GoZ$|2A-iAbgACKlc%Wmb5Ob}Ld@}!Ds{$}M3e-Xv&=H)
zK?#evE@2BS2-aJTUcJGqD8*vRI6?baIRyhQ25<=*y|E13vHvo{o|Qw^ms6_2Ec)a_
z-eCow&t;p)3zNj-xcT{wcai8-9&?^k)ElPpw~_szqx(wqV;jE}!}`L%3F-NM*n4LE
zsKT!Hyj?5vd}Z-h8^2w5u(s*9Tf4FH*MsS$Ds|J?DFp6VVGP%!9!5=HVT9=Z$m9F2
zgXunrK?C-oz3~G4nheiL+Ajv2=D6WY-XROU-3IZIp6AmIFq{6fXO^;)rm*s%z;1{7
zqQL&8vJ(o(2mfLRm@#(iWJJtIQ^SDxQ__6~&Q>qIL$dW^L&pNfMf(ZdHvhw0tOndh
zbW`3z@DBySRjlor89xVE!r`7c2gc=&9fZRj3Y0no^1ZzS(&&Qa-bwi08~g;^rXKbN
ze1@z*c`@_%bhv@Ry4pHCYa~*PjKbhtwjp;{v7%wb8UV)J(FY
ziq(}K=##!jH%tRq&Z^~>)H8`%v4K2B<@j4ExQ{K^FgTz(^~S`XE=lWE3UIu#B~Euu
zJsNAw+N)nj-L(JFM!oHdo(`p@ia4^G>(6=e7zv$+y98?T%K=(vi|S7L;^zydfBE|^
zWkBnhF11hZL}b=W07hg|*kKsx7
zPymw6PbDZZYz8N!_K`XFgJrSXTf^s&{|>~Azo?qv-h
z9bR+C02$r1NACZevOnU0O>o0oO4nTtqXf6#X>o$&7Sprq%JuS_Y>Q`N>e^+eCRder
zV%cCgSM_JES!8F&m<(?tWHb;t`(i*q!jxCMmzW9m&wwx$DKz~(us_fQ`u6t3e&x#c
zpU*c;cRrAJ%vw3Xr>n!mPRANGIk4-)!ED%$^3arRXS$~wL)Ypw*XI1?KlXq|AVVt*
z>Ayv}W)cDwY|tg(2_5PCB5dRTYU#USg%lc+vj~E?jQ7IFD~I*ydr+_=>i}i}1_E=M
z2MGO@R9{q9PX5aS_G2+7>)WE3=dLE}{{(I+%#qFiT7dd{kexZm7YU?M_XICQ2IRH&
z6?Tmv1N&D*A696OdweqyzkHkS_{t!B!-!fa5dAYSV)%d2>;Dcu7#SFu{@t5hJJqEe
zH--?p&ee8Mt&?29p|`puY7g>=#Iy*MB$5vM;nA;TA)qQ4ex*%T%RM{o*B->z5i^lN
zdu)Bayq!aIRHC`@bwc8LZR>Wox#5B75=1B$Z9P_^4TY2M4M-(OkC5M1QC+KjCqM@-
z+AZ_R-P3M~?K=D%dVz6lZ}=+P7#dI2;vQny&-Xf|Q3HV#kO`n+J7y9DAble@pK5wM
z8l&?TzE@71H8LDXpuU;Hl{GA_YO`LNb=t{J4H}bMw_Q5RTB|QhhMB2OPPrCOwz`VC
zB+r2!mx^Ak(`m-x#@1MHmvL%#fI=i_^XMNHb%O5+^_ETTFc&kL1pFUV
z`gtr*)_I%~%c^1)mQO{u`?HyQEZZTyp_phOp3a!6Do?9fo70OdOroyDJ)lzhl|mws
ziZDv(BZP@Hf88J$XeE?vm-<-WCTcos*=Uqu{*F4UC`=$kvX?a5YPJneXE>&G;}kq0?y+lET#Zl|L!(P3=Dsq<8@l!h%ibIAfKWO!JkKBgNM5
z=P<_R7H3%}$+=(@K>*@-4~c|rLJzl-+wItlws(=&`m8JJ=n$P0{(4u5d&`=YQQ?b=
zyk}S(t?`qG>?9r&PN(~WW@02RFrLoiwqJ}Np#$8)ENNlc0L8p9WVD@r?^4{F}Hd9emEMxPimd_Ki9pf45A}AGqmY{H0ASt_C3rQrHXnqg`b`CTq86Es$J&7oz;^uk>eoKEw$Kczb-%ml%0;ZYcql*f2Pb$>X2>hpX~#Qx4hlNRUIRDXy^$(
zV6adaV1hO0ycb1!leO@9&#};eJuC-Gs(4-QV*8q2z2m
z{SY347~YKsuqTSvR5f5i>Y{zYlyscY4CgqtA9Ca*}tyOg3*1MzDvC3_yzsVCpj&5-fBEC9b|5CMJI?0d4xoyCLKa
zf8p*ot0kQ+{^5V-+AHEd<(4-hrsh8ZXp@z22#@!j9|qA{h-810t?*8tQ*W#$Il=Jz
z)Ls~fbwT2Q)nyt3ykGE?rE%Eb_9<&5Z3yiMa%%bl
zBm#RQbbQr;BSFpaSYqKd;L#HWK%xuSNN}g^W6oLCit`J1mcz*Uo
zOT-Uxf=Q8-K1Buzz(Vt1W6)FEwA%bbWp2s7O=UPmw&57vH%g7dXsjCEW`*6Kr}+37
zE~e!Fr;A0JfZ-#$n(u1aX;$5^iAIjT&DV!ekZ~R1y!wc7
z6UquK4^-IY768%LHkOxk&k}O&Oa57#h^V+}sknFpqBtj#9&S6+I*!{6PV{m|YCRgO
z8^#I_IB`66-s7V?5vigu0M=~}8BUH6K}6Br(T^RWN5u|fP5Zj4=xl98yNiThQY4D(
zqv5E-)l&DlI-Exi5;lg%Kk`_0xn|H_J}lL035UwAr%(W&$e&S~N8VCrYYm60nC17mwxb7UtLLy
zVTSg;m0AR-SAU=IM3MgO34C8JR-KMF0kcw}B%dTS!Get#
z4LyGdAr@1NtMxoD-}2`bv+08-nLgRy7;uZtD{GvJ*5QtM#}FP&=fSjk)uzlqBL`2J
z&1Cje*SvpbyBv30D>?M8j~#R`fT|h5yXR$i(sQ
z?oE=^r4rUz5xd^iPHMo)#`3`ZI6JA&B+Xq>O*td^P%zy&Oc`y5WXu#7)LLJFqtyybB*!@lLkp
zPRIC!3u{X~*9~=(2ZV~!x#LQ|)E-oakhklehNwR9(9FQXTRJZ%Z6@%k!A^rCGJ*HS
zbFf{`*DOb=KOW|G;ZH;y$C6Ev{yST3`Eu#zDsnBW*o!ER
zPB#}8%za3F8q$!iUU*M9^B9O3CU{5OtNR>SVQ%e?Sn3-CvO^>5cJp)l+}>=2!k|v6|h3<-5S-dmOTyN(XP9ycuPY<
zs;aIWr&W5*rq2WZOHMf#%Pd#aDO9M?i1|Kls^Zf&nLUd=Hi|(ERN4(4{F?T(R}TR(
zB-U#RD^7JJPusCHdc>8t$Rocsc5)LOy#JC_hy@|=xkjW0+h-%P@mXodfq<{1k{}N;
zNCj425ywdfVMS<34uN;$E_2KD6Cd4&b_q)?xUM(a8dtiO)dJcFp~(e!>ZsNA!@3as
zAw?V@J-Rpcv0qgl*zHwsS|3H~p4Kl}2DzaJQ11981dwrMo!n0|@KIsup&}9SqXj&X
zSz!<++h~>BSkw#x+iI&vb#G&%tflb76Bm3s%z&^XxH=W(I`Z
z_4cs_za?Ot8;Jq%l>|Bw$(%RZ*Fx(vv;fIsGQ^1jH}iRa{N_9ciX|`O;Bqr_T|sA?
zZ=!9UL+AQnP>j*fL?mH$wJZ_*d*WDOT_BbjI1r3EFO?bD#cpq}b6*+uL}S)LT!fsoZ0
z{J@tX1kC5gVM|EiN#rt%bHGQExgCkjG
zrP;~=46Q8{+4VF9to=2(#KSHEr)s^aywV1-@ad#D7u`g({U&7#mdF0BANEvK7o57v
zO1VBMM|u%H_Zon(Z%~cx?5bQ<@j5jqZ(|=P$3MSf&@mXqxCvO!uVF(IB_`MUY0&WH
zQ}6!H9Z*jVa}N%p5Iuq3`lm(Xh?^dA0>GaX%bSHyQ)T)PT@}Ca?o~uwW?Nd(JsBih
zlprSlTDGkYg?pl08(ujOdIK=!TDcO`gvKv#e0PmMiBUbd&b?|Q3L&v%-3%^pTi2Ej
zrR^q7p1;0cu-TfH5=2FJ$h%>Ao7RIf^mX5U9(-wP4=43kCN6AUsqrDehr=uGpn+yh
z_j4xI4A$iy?ux}2eNd_IBtgq4S{Xyr$UZ*t9|H_Hs8nmz$BfQyCt-9m`1Fw?vGj@$
zNE8m2UjC`=-i(2L7+-*`3f1Sf^)VH)>5(X1j$Z2CvP)({5L75e*5}?Njo*#cTLI^=
zrbrWz@g%*zDI(a3I!sU8$Fwn9meBwm{KH8c&~A1Opxy|CCIZ2IfV6f>>Z}ri7ltnc
z-bbq+f(xW${R1khZqkgCvP~vxxWq|=Ztwfuc5DOdS%=bdz>gS}`IK!_=_7>v(hR;k
zQUgTFvgBOs?*M`Jz-Hr9=*%P;BY{}?D1LkSXE<_lsAbWcA|r@4w}Imr-fopBI~LeSg9A7b4;whp
z3=m^&%MH@}Vhf#Xm*-@8K>Xl5<`y&A9ZFT(y%Tz3g#_UArQri#e?Ge2gezZzt4X>2
zy+4)%Dlb4y&M5V&QCTrbSegc3y!*V+{dQfx+JjE%Ee26dxK4AFto0B||
z$yf<+w)Lgp)BTXas}{<4EK#H)>ZelPCDphTpX-IGLyfO-fHmT>myB;PTn(@E#?@-hm;cq{v_SBw4SqkVf4B1-J-GBR#ixR2VC`Ggge
zOCJ;@C-vs6cq?e9BWvuHr9l1I1_8PD=L`1x_y
z1h7zeh8!ol7W0a#avfvFK0DN8
zfn!KaZ$4Y;+<46;VW=t%&Y4O7q&ApGc)|V
zyQM`<3&(YK#Lp@{f4hu@M2U@IWtS$efoQXY)x<;W1ZmzGMk7b+ILi2lec$ft+<7rm
zi_rwnXTR*N`>QNByi&n8?e?M^y6s6G_V`&dnx0s-G52BN>bvBCqLjq+d9A5Iw=1E?|-v
z%>mU6dpNZ(h|1stc0_MMEM#u)M
z@&LR9K&T^vN%ztnH3
zH?KUl2lXvK003y041z&Wu%}yriCA{*hTq1YKE_tIiq7kV$8%_oR|>9dKcdj{BERp8
z!|>E+*2l2>BVf4m;l(nu{=wNL`FU=$%=*602E8a$pN?lN!%`9ME`&auruuH4aJ{sv
zE(RMWs0->&2@YuC1Y$ZX0%u{-SXzsE%O=GnSb?wZ1-V>$8NOOjHnP-|o^(s*@Id)M
z$*$<^yp1yp`YxRZ!&pRzAr3s__tS8~eG?8FU$KQXZ+ZQ#JA-+A8Snf4sgkFJ}k({PO|#J4N}VY&c~@&^q0GfW}+DaibNQ6c^lspXpcGFw<7diejtuz
z)tM4w7+DaM4ha8Bxu}MMqGN~m7m9iIUQ;ERd&ggUUqx7PtUL<93U4Al9a9qQ?}n5
zy4dz~cA(A-w&m&K>>hph4)SqX)ZS`|>n2JQSRUr=Hq)c5BqIV}Q#prczT?8v%$x(9
z;y@jCyIZK#1UMGvJvH-~jT*83QCD(&C8|f5QcB|yw>%}*}`LIy>sjL@QrcMBwZolZctn!NECS(ur
zn}T&FR#5>l^L`N`nI}^7TGtyetk6z}aP05onDQSW7laPJKA1`oCKtA^zKG~%W;NH6
zHSuS}Y!OOIThSTPlqo|y4#=?RabP&XCEuek5gk5;*~VCzbCU{UYYU{b05PceI#cKgHIVY$qKpwB?ol-$XX?Vw{|P&YPxWdzA!WgE
z_9Ph5$kXc1{1Z`U8G$P6{mZn2FOoy#+g1&=L$Lc@VMK@bCY53!mBSjcwRK_BWmOVaoTrXncqeEi<`fX)gR##f^q)%WuA>uNC6_Jibu=BuuX%a_KTDAkT}
zjHc)f)zv1}ZBx8V_0@`k>5!`Ppc0GP#M>;nZdajZL5J!yRbz}MRgm*G>*o^#aq2d|
zKGBz3BUz7boYSk-@#E>UO(Qwwyk-FhBl&l8U3utnvE64;wR`zQ%b4a)F_-(8>vYk_
z{z%c4=K1i1l20$n+}QPml0k1=L?~W%ao_%EQJ=@^!g>Ftp6l0URPh5%Hsn?A7HBoo
zVtlP_)5qooi!Yw`*5_eP$bVJ|%NW;}#!0?3rO0g6s!**KV$^E#s15K0%
zJZuK7{6{383)#c?dCa`Cv|d5zDXpzA_9;1D!$rP4qrEI6l{+G!_dG(l(2{MVbO4!M
zrp?=fiGpsy`gHan#@uCz@tWK=HqP8Ph)6cd
zGbvrOeuD($#fiS|nkzjrXI0p#Zw|oS!^bz%*tLgGYuk{Bv+>7CbiJrZ<1z}6YByh*
zdl-B+f?7=`BAdJdGsRS4j*}|wfDR`jzOped^(>Ub4KdbvZ1
zO{~PbuXJ5qUD80hSBouE5bhx6A)B`Mr`P0zJ{ySKLMgUqQyK+H8NFdM(2@c0_ZQ?P
zQIc%l1R?wWO+bS}|CS`I*FKBc24{Oli~IR;?soE@!A@=H-o?|c_D>pP{Z$CY_{z&R
z8s0$T^ao@0tb+M0aY72}1`6-NB+-eV{{!kn4yKDJ+4Lw#RQgx~q+-Jh=Mg1|Bi`{w
zZVsEzp1XbZXKByV_DOe>lM;4s=9`IC5*tw0aaYHIA~|6c5p;y3oOTE{B@#;{T`*My
z0j9X3BGB@JbhX;UBrl+rZIlTJJcO20ediSdy)p0^xQy^&_O>djPM{|`{u^WO*d$u8
zZ3~ud+qP}nwr$(CUA4=$ZF`q(+eYuc-8Z`9y%X{7`jmfQ%{g-9fZVBp5$^Wl>o4bf
zvQK&^ejEt1a>Wqh;BJI^ymv
zST@K`X4)3{Zl`%TEiG)~5LNi%qq|Ep&jA@x)){D#y~t8x0|ia5ZvieeS=Xra^Ggu2
zliH2ILA!A|_H418l^@8A8uB8pMIHDW&4QLqon=
zYA8JR*4(Q+&aH%8QO_Er5>;`-Vzt)CaiC0R2Hntxy+K#xQku!e=HtdK0CYwRypJKEO?#jO7Qn@_jZ5Rv!ef(E;zcgT|^$l5Mx05
z6hdA|A#t!2?TR!m;q8unEB{+i9o^{HsXapFWe}qiJz{s;YV9yS@ayuWd*I-K72H
z`-&~WzbJSvP+BZxD-%dg)Yqm?y%)jWc6>-ZSNE7#-gq0aC+!{~QBoyq
zjhbJ4KZ8xb&4J{8#!BO7x9qYX3foIM5kwQk(;amDb>fI-H_R5W8t>}dY<2N1tYeww
z%jB-K5%h-T{_vKc{!l^VC;gU~(TQ=3%r(I*%dSfcV*Y3f2xct>RFhjYZWGGm1p3l6
z0|@n#Pk+DnG;U2U0U1m)Ev_2RG*7OGAcj=)J4(eWkX|t08cYU}pE}3etf*-Q|Djgr
zSoOGjp;vBurEsNd7G|Y%k+tzcwu@%GJZ$TR6D%xMr1|fgS_JV9tXsA`U2#
z0%@30tsEEwX!*>-$d*>7-0W~(R<(l?{OkF6ROPs6UHYlv+`k^sLy+6RM|rndJ>Ebz
z#Rdy^a`$M?WlXS&5>X;CvHsG>q_xHQj+q4cV2S5uUqIoE4g&=40pmABbg9g=p{uu=
zil~i^EW4H(pGsJ4*oExWX#zqC(ED+9qr>1t^$EXyX`|k;9uScY9e6_FgZ{e~=O^zz
zhjCL8p$76p+gz-K(_E98_ks5|uQUMg6zvRQBJ
zIV;k3Q)8)i&r2C3x+Kcz*KT{wW8=>@rrFjKs`D`jR7wl#my+8-ur54=6ZXpJ1pjOB
zWFvu;5fc9{OBWVwxSA5BCZr!?QBx+Xd_7>`#ux((#$O+_o)Xk$j0`W$`V0Yd*i>4-`At0^@`&6>PBpW{_GpW%n^KV#5x6DPGOQe7Ye_AsDd_k*4m!2sHYT@&k
z0mW=O4ig1Z9#r!{sgBWYLV7^L%iX1uPEV@K&rKiYiBIaI*2~rI&Po9marUFY?&@t7
z{(4WQZ{DlxTkXeR+;XD;n&{}Ew7@VyV^(3wuwa{LZ*&j^M9)^M4u}%+|Bg
zzw24Ov@;wduqQ(b9AO<4&=`*VwKM-Zy-SnAqm=cUQbL`esx1bC?E3%&o2<2&0nq#~
zg3~|iTNXh_Fh&pnYWA;Bs7XTN&KgTc2-Qx6rbq&QLWlFnlM;6z;MlGcfEj4x3MSlq
z*U4wnV%x(rxipG7sh!0Mnc*AdOIuuMMUjdj_-rWs7M7^mR@P2^Ypmv24njN}causei(redYY*mV>(u)aQg-**C
zEdBj$KW@2JdjuR1q6f*ARkit2Ze#xpRR+x+!FU5-riuNZq4B
zj0$O=l+}U7&Ox)Jn8&%Kc~J`1C=6kAaS}WN$XM#vb&$rjQPs+);HZ}{RZ;p0Kz5Mf
zm|@e#7WzWQ6SnxcQA?~TO-3<;w9GeWo$*d@fZbqH2hilwS31fj!@N=zdK$Yc%1yQ!
zjVOuPl@0fTYr&3Ks`K@&;n9FIjb10YTt@jQckU*=opq$@t#eHCLa^+VAMvQA%!5l3
z^Nc{voj%?pZyK7b`2IBf4y;njB`GEp3WcEbm0Q+3%cdNAHRnisELT~iKrk-
z?unpK;DTZ45$s0!x3+86G>mtoSmGjEBf&(%s?kcr_5xwubFZ_#L0G&Zz1i^N@4=)s
zrXzKU;H1(~;#F8vMwFBqxh?^@47@zc;0A0_HDxN1PstS%+%=sC(wBI84(aMR@A#}5
zI8p*#Tg}$i%<7XSAqgo0&mn_
zW$=oCy=&J$w|0eB>I_sUD90)h_I?f|l6K#u+V`pM6ZtlIjPSSxg5leiSqrbS60_F6
zupAENik)KZvxElW$%^74jh@EwdFFscL6}$KS>B$kNEVPUU1fK_C9P5`Z~f`fwy^lq
z==eK!t{dM*yWK0<_S$eh0ID!r{mSAu5gPcNPzBOV?RL)4o_{NO3RO-c!NmCul=1#W
zL9guvX!f*D30&S!Q#cZbFf8(yn(Mjiq2dI1Y4SkWVY%1N6MxjllDuaVbT$~h$lXTl8}h-C
z@b(o`Du`hrjssjnSX4@>-4OWVsp!sWI7cLbYT~BFKKobfAt_aak$r^{g>{l!`9$2G
z+nsOV=9h&qFJ;4Ok{G
z8HRTQunZU&@dBE$)KXFk?(b*C1r-~-vQm<7;>S(pMP*&DU07APYWv5z?D(&Lm#_1;
z-nuH)f`n+*=BFyf0!Zgzs*YrhC=O}W_^6O&SLb$(A3WcdevNAe*mFaHP(z=R<(&%K
zvtRfz$ys?3<&Qf}c43K@Hs4i43P{VJc1t}to_1b5ICbmLo^5T5B(}3w&}ZAI(nHmo
zODcMgAG)C#Jr9}d;j>03|L3vmIf8E)aN|%Z2~aJK%RP3(A(Uvam-ZyVMMcuhQyE!4?|LR@PL!`V|}$<=qqW@UA#Gcf;0K
zo>a~^SFNs7BRrQ(SQ-pciy{`7@+Ln}
zd1td@ve{Zr^D7v%Haxi#vtE|U_T|GttJqo5C*X^}z%V~v`qrW#us$LDyI&9XZWYxN
zZldZew9Dry(-q%CC_r;?dG*DF5ozOo5{jt22@yZ-!o2FlQ3FU(OYIecc}}PKV$wX<
zA#&P)bU0NxS+Al4B{4q;NsTvack^EIGd|Ny0isPi&?KTtUDvB`F>#Mf*?>QpXM41&
zas-K@U6bYEg^i|yO=-D42>L~DdnKwjgdt#kVhqPc*aMXwRF}rl%$$2(!D-LEdm}h7
zLp*&JV%MJsnHSA$l?Zae`0ie94ogzeBBbApFDuUZPao4o5+T9b`N;Hda#SwWdbDrt
zXSIj`awZ=G2P6s<)JCaE@4t(Au$a()!Iw0tR8L!
z5IgCW9+@`9fwlJ!h1E2fx?Ai9eypy}&CM0gxTS959aRmN?&uzl&ijgc?{?UZ7X5L(Ls4)I;UdBX#T{Q&@>qm_xOoS9Bl*5no+6Kl3NE2}uUD3)wwYDLC
z0Z_0eOqJ30{XCgHcV#z;D$h$%GYAgSoyQQf3&SP`QVWOSe>sfR4N3
z_^iwnaU|2oWJD;;n$W#^-mBv1(baQ}Gc)DN+k&sJ@$7Lke~wE?42gG4{ZpmU;#szm
zms#L);jm;e^RbxTB#ff1%_p9~d2JQzCEP2GV+Qa)3xB{y;W}MF1*CUv)Y?JuL2vMU
zi)C2}0kauijfGk+KjP(KAci|}rQ5{-DbTkJfHy1nNPE@wA2zo?8EQP##X9B+DyX_V^B5n}nQ;kGo0UYln1M+iGFc31^N
zq8K^x6LmPfb%$O9E(gyeE2d25RolWcjofR}~4UjKm{#=$m)VVagX3?m(yZ2YR9PZQwth-Gaod93(;FR{({sZ;Q{?<`})
zywV5#!rPXG8aj9}=W2Q6)+#7UM*`nzzX-k7WMn5qp@&Gw&
zKHLrCwG5LqVBfV&@UafthU(DB0NMRQZM6qC#SNChOi-2%%bd+2mX(7FBs;m}tNK;p
z-YE9sL9Rqef|77A4>4Es0Ssv?u@sDX^W4J+klY|BdZLafq(NWiUU6!0uR`8_F)5#o
zszbEHKz4^4&?L!QkQY~Va~_5;yKxDrk&F)jl}t!n(w;n+YsP^|*2N&}7OU
zBOF<3TsV{3C?0i@x&|kVS#^wpD0evo@s6=D@CTw48F~k!@t8;;^IBjhd~JR|D9dml
zqU1OvFlN8=y6r^tWF9mvxIRpznC$7Nim#)0N&a@0`lj@b7akbQ!u(Q`0|lJ?a9*e|
zb%O&8#wp^VD%(?x0F90}8lN82&v#!qQ(?^@urlYL|=2S(%#!|{<*-1%b<1d*>fbDK;JiXdDGLr4lJp=yWe*WHO}&j
z-c6u3n$22De*CUp$>-Cyl%=~wU9H8w^k!U}v+1z9YHq2L_XaAh5D3d){b-t7?rftE
zE^eMlJ$?L~d=G*A!&bX4B6QbBhurJis5(plHAit_xZ`a=XG}plJ^R|+<${U6lUAe4
z7-0nF?qyFAC_zYv3=p11b7?oGr`tCB9}w1&+5e<0WB*UeGDc>O|0$!^qOl#n$pPno
ztB?3p0yj^Qb~NXE`P}N>v=(nf9z9a13&Yc3HdWHPm>^u!kbxpY4cdBB(R2G
zy{CT>tzeuv0gvuTl0Fw2_hQ5hoLrBkUU@XoHl2w=R+>1a$P^``Z`$n)mU)}9-xM^!
zRil!p9yr?K0+`k!hO#WkN;`#_@>O*cUep#V#Zf*PUe*6JJ&^B&1jKGc^Ef8SIa-Cv
zB_&DJ!PQrBRSvkjD6H4TTe05$dPg_O@^Z+X;^s{17u3HpF?w)Bs+0&k@9}SM(04=B
zw;+oK=0`6I{+-v4kLT#BUILk*=n&Ndt$#8Tjj{jP?fkz|7Uu7I^iSZ}oaEjmLsTeS
zb7ewoD12CV;~Q#j7Z+vMWrp7ZA?8G@@G#<;+k$?#qgY$>WO(;hKJ2V2il|`zw9L}8
zz>>`%Qgm1IIh>O(Iw4kPUmVLsk|dp5SIKTV0hFinwe!sj-6_tZ-)*{9pz_uwgwZ+%ZgYiu
zucmndw4Ymw_rW!p^PINrEWY}zZKsuY?NVlm5XLY-eqo1;?Z*JWI`$9U&QxL}49MuXS97l_#UUVocoE-4wfhK;f=@
zg(gg|5iz1kpHAaIPIMdsDzLuXUCbi3(X;syIu(SI>2%PO`G7{%{1B9srCBwGmbgbH
zXp__-n}Nr|6cYvvxUiQOO>?g8-JP~kct@@#|7_cI@1lf0tla%9n=kdZ)SC#^p2aaO
zIe5_W95r}4bSF_E&E8nx@%7d8erTsRRSVOV8mGYF0U$aSUDOKcmSB2)(Swc#)DklH
zDkJeyVNJa8qlP(=B(dmRlA5!z_J1C2Ub0iLfwO20q`qlRV~6jf+PTrTksSCTi~BX?3&AT)-1K$P{Dn}(a*
zU&ZaVig@CH4K=#=f)B$)qGLt{W@b>mphc#kgcdvrd!|Ma9d6
zabAkCcgj}B82|Z;)^9cfFWJ#-6a#7TfpeSWX+tWhk@dyQYD)jfamRu-kBVT+fsr=k`bW=?qr&kE8{
zi?U96s!r2!XCQYVpi!IOl7JDjrB%JU^s2YzP`1^!oYrN`g4vht#!%P6+sizYNObUB
zKDVP$tI3hy9HL@9E+_#HTWF*#$Nf>qFxtXl&N8+}JP?zESWOJ9)m7WhY9lfN=5;--
z?>%3^jn!m4x$v4*V{A%Jjys3wpN(k0#V=_5J-fSezcPpIo>TfN4i`$U*nGTH5_>)N
z1J?cMt_f7p(hBdvZucf{5mq%?fCg9arvOerg~!7h5a^KPk`(0D*%lV*Ra6%+;F0gF
zCU=*Mhql}dvEtMv*TIkXQykGMFX4p#98Pa`7-*FDo1+04PH!OG;AIRYz}&ylM3)Sw
zOqvO7t^tWF#)k?Z!mw8}Hq-ScRhs_(nVs7$jYX{@>;rfPcj-q*&iC6_*uRxPH|ugg
z&3G|wS|q|c+>ie)-0WYo&o-h^?z^oYc~2X@a#7A^MByH
z{!^SaBh$Ys&;R=VkBMd*$C}sjhin+Xv-*h7Qv!u{dRfI4a_kL^cDe1qsg3kkESbZW
zH6@N_-1QeOzn?i9a>)r$6o@Kg>7$Oer=EU&r!%dV)3A$gE(RCm^}0hKLj`a5IKfdn
zUUN^21N2S71DVFyfDk;J%w`RS9m0E{VW%JcZaT(jnC#&_5Zfn@JAYT#@l%(>OB>!b
z>+~)WtD-9oM@bf!fHb6vwc;~aI3A~?c!cpYdWp^INcUO9=g^7@3T%V=Tc4xGVvlnY
zLB?nlH0aeYHR(^mQjb6K;Dh>EKU#r-r0KXYaGrHHdAo(4;KC((b(EaKiA9b#DUTFd
z-+-LfJJpE^RbwGcAvO11;INeVW^IHm7tgfOAarIZrnvGK+cl-%W!?DjJ6Vy{beUkc
zNrWiJ7*{+JHHu2=J33S5j4{;_39C>piersy;pHNbi0wk9r
z{dwqOfqL5Zc#IDR_JF5;;>M8HnIbuQ#Vcn9BM`{gPl|54n>J5@6)N@8f?wzEa
zY(JojWARE8ZD_`QgCF6^IrWQ`hnbR?o)q2a5RDyb#e8~uvr>=v)pKp36o#F%h)B`M
zVJj#;*u`Ury{b`{fa{ewLu6t}IhRj1JLH8&5sov8`=DGNNDHaHuA<8}ug~=4=S&ZC
zLh2EI14V7#>=p2p8*N}RMX2bu4oND)1CvJM9Oo<>!Fzw1Vb(W0dsZDjljow=Vvyv7
z3eWp3NtCp)$?kNAT6vIh)LeTt29O)XoypqO4Ey2CL!dO
z%QNO6yFU2K8PEGXWGAF;7J)HDX)Mzfy=3QxrL6{+v2ERSl#V<AdxvF*{*&F}!K9yks08u#|ON)0iSQNdM9&|y5Kr7MgrISu|{n4kt#QwJJB
zfd-aW(;p6hF6FNogKHelaqs)yf*Qe7(G!M_36n$Tl*E5UZ6)ijXnY6Cb)@J<`!36p
z$&UDmF6!Wm?$+OPDEN40G-ckfGc8FH@0>J&mn)7MDiI6Y+hi7zSiqQb*4mW3SSh-2
z0sX1jnLRsfLQsU8LLbKy*s?>aZwc$5?#3%uK2Sy(;-N$)p>)B>@l+dez}*GD8DDJ!
z;h!L6-E<4o-I3Oyl}7p1me(}^C%)khgthTsf-|?bo$hgrHpqkZne(l%il1p~-LB{1
z-h2K=#DL1S-!hQ+q&~Q&Hutl2CmOhydts7)YhJJYrZgfP(QL5yG(|9z*lp}4*>njI
z(e%klF%@@@ye&Pe{)1n>R;7G^Ok&q{a#2!e-)298V5W>&P}J5T^nz=!Y1$oaIH>0r
zeg!zy;vVlH#t#v2_(>~9SheDAgtc7xo?EW78{vXc*}LKeZZ4E0MR*gCNUT(j8}QeH
zMD*So*)JRS3qFJHz2ra4*#Any{9oP`82^=o{7+}>wWhZHCL7AXcLjup#^!QY=i&_^
z1On0Y*=*;)YXIO*A_JO@6QX1)NmA&r@7KQz1t?Tb*yK`|K)wyM_fB@ZoTtRsTFz4~
zd{^yv-*%0MIPShx_OHVH&1B3|w=Y*WoAXe?ZLPbo)si;8Tc5YfWfQk*WA4|zx7xUK
zO`m`;zEoi^yj^X(tlZdm`<{&_Q(K1$5i{D_KhrlB3+{zFVViESyooJQ>dnBoXRf;YL2>swTw~`Qo2dzw9dQc
z7kxoHuC0~4L(W*6aRzTto&e%w4=ZT60PwIoy#6TRPsvC;jsqLEW56!8ud+E(qF@Z~
zw#U;K%ZMIvP{`W)_BNE+Wd3o)(Y4D3=5>RVF#bv!4%Z%896Myjo#HSRDFZ8DZsq%j
zJJb>RCzk@E22msnvFFP&X8%Sic&J>n#-7rNtEULDSfT
zxj`!M!J0({q?>0%$#^AaL4|)m;b@f_F-jV6Tf7@YqIlf>PH{FG(9(>1_#K~+I|7dh
zcEkV7H#ue4>~hRx@A_uR>Q_TKRI~PGiVp>cheBtJ$HfKrp?R9i4oCQqEU{o#|-Ig&{c
z895qq@v_wan{v!Txe27zdYQlGN{elb0xp$#yPWkMf{!)mtw>7xHN0H90%L=f3w|HR
zo6Gk2_sphh^Vlq{q1fve8dOfFhm3`OJ%_ZocsV3Pea@+ZjBa5n_}a344Z+d@{)+Ta
z|7v?RXik94*GcM^^vTHLIt(1I>5~np)-$qe9rlmH2iv(SR}}X8sYl#?
z6X4=zMae9zeX-jKs~X3OIE*fhqz&RBv)Smc*7PHjfNiUKGES0{q?0kvnRiXNt_*(Q
z(u@9TXU8d}EI4axhatKLpB(nhT`X|vzY~D%0B#HVfXkSyfh8zJU4~XKVbR>Vej1He
z!@=CJ7zwTm>A;626i{r7grNO!1blxX#O~_-LIJG7;)$d|)#w#jxZv;Y6tVk_V5r-u
z{i@WOrNA<8pWP{4z!5_k`3ZswW+9(}%z~VxPEC?ixz)G^pXxC^fO=s*@T`-Zgkc6iL}=0#bsB8Eg8AU
zkldtHin=f`>RA=W92qcrHCDlTXhi!fL~fVlE$gE__g`(TqxlC<=0pWKeK<
zlSbK}X-ywFXD;hEDZQh}_^(aPjiLR|+_Y^@uX%talB_7q?c0sw=ei$3a{PaF0
zLFET0Z`E~-G2SiF3;81OQ7h-dS4Rzwx;w;zKfBE#xQHR(h(Nfol;<_@7x1-7Rid9?
zW&4v~Zh(6<$QX6lQzR4k(kFg~{t5AU$cysC80BMc4~iP*hVUSSV&rZwB-KVQeugHR
z5b^St*5xn9*5*cC$zeS#Ej`7X8GnSwL~KUvz>8}z4qN8dkOG+RWeJr>LtnPex}fxO
zPhbD>+P&hL2>;mW&F}GJ|C6VE=-w+D>0xb0C-NXJ``xIkV*8_|3!K?n$E>I$$zr6j
zA+$H%8c(AGL2S)8G0WZwSbClmQ{xvYVAGPS;$c`J4*-B3On+Gs-wQaFZk_#xv-HaB4eA-ALia-KS^ioM@E
zgUil6NHHF0T!*Hw7txpf$UgLW;`q(VE;odHEmUI1bb5|FjnV
zLrnF*&cgp^D-isjIgRT~Mf(i~gn-?5R5W>7s!_N49Pj*}!~2qO)e9X;kJo2s^fYVGatg3fc~?8lQ6&
zEZcBG{LdiBrE}uRY>hVw2XyA}B02bN9F^27xkH9bRd{>u-82{$NUt9WSPdiwfF|t~
z5*Ovu7w|2_?S;$Ole-NDpsdUuXXCTf@2|KWmmN4LAwMD@T4vRMt7#J$e=`?
zPpj^6SU;r!3l2-zvEX}_j-n`4wf}=<&(R{ORY#!p}@>uv>8YBjcoGTo%=6R
z9Go1S36t~DNd~fL0M(tm7F=e%am2pwZU0V#Ni(XfR&0LmrwxjY`}A$?v4Pq-HEG@o
z+*HCgn4FPm!BE{0cGdvJFUQl
zKOk+iTTw6m6Kj$hV^rf^=fE$&W36DHk4m~aW8Y!yv!U;l**>+yKqo;@@rOs|I=ke3
zfR%h7k@5KLM>>^}-8X>qZ`>PT2#>%ROFr
zv!7s4XIx6*rysBTQ8Fz)%Q+rRQ5lbB8;w@ukPh0~PTIOD%v`DUV
z)n2XfL6@$FX>IU?m%{I$gRh^HjirlGw5h}y=mxFhn>?5oW+IQ#38yd)%Y2S$qYicY
zYgt{SppR`^|IRZ)xc10VDJ%_qm&O-2@K?{JnuLGiday-7O5+-J8d|H1Lt-=WTg^S^srui*`o|h==Ml7c0cHAX&Pp#A2Odl;E-6c5O<$
z{FTC`pmo_M4RZZvMxf|8I+#ww(liMA6&kgUqyg=o(dZQ{GQ1`K2UaZNOe1~$cx`yY
z>JfqxgV;nJ25kESaY47a;4$X`GnynHdqJ&9C2Yj#3rhJ{uoc@!SK-HD=uLh}A=*#5S39;B17P^)ZbDC`z?n3N=Zmj0~9{AbR87(77=?W$f!V93{hFK#8m%K$4$ijb9wc>
zdY#HeV2Xr+>_6uS5dBv5FdU%k^&RF!MqF5f>La+YDl`Odla^5xYC)@6%RZg|tmm?h
zf0@>FlUiX}R-GC>HZwMrl;%MHl)j=S`y2b6vcQIUsa9{XVg_EFsK(_+dE_u)PCCMT
zOf)=O_e+;+OkUY0#)go*|7e>}@e(WAReC;jD_F
z-Oavk3uR|R4&1O%Sp9vNQ6)0~ai&+ZDVVN_qJjo%R_h{Yo+{?llqiKOnk{*v$ojg#5YT#)7VOIHm_2pb
z+wlT_it8=w@`I@DK6u5a`Oi+IyL#AbcTYp-Y%-5im~(#TFU$+{v1Ix6ymC{USHSp9|4EJ*aW0)0IJLN{!%
zEU8mToF=ktAxLDfZ&!F#+%1Yf&8?{Ws#fYs%G)(&6NN^TRH);f^$R22HsZE9Vv4w`
zs^_|9kuy=Y?sbJ1u2PXeZsb!w%Cp@kUu61a^hK!zEi_0Dkg-0Fe6Z=7m)$zKtyx|K
zi^o#gnMOvi4ZOuKDF=+Rem`f~lFg6bY40=W7Gg!jj1W)cYqeVMFrVh?D5%-6@F8D3
zsGixsy2JEkXpXWm?hperb3Hh$dbCE}xm_!vg^n!APg{
z>i8yIl&SsUi1=bxS>i(knvD!Q#r3@w5={hC6dL5&v9$OlRVjUsE4>@3H`Ol3VqS()
z-1aB=_RhXjE{e06qpERS@?Y3=Vtu8nI>Q3rP9S}**D#hZF46>N1O&HWTBVhV2$BgO
znZbBONKVYMP8NJ7<2mU4IFx8IK@`3_-s`QwFyU^uHe!z=0e$rDX=_xHh1m|)>5R+T
z$ym;qvxl8N2$6FoA|uPEswYrRUv~iw)D_%ZvOsf~ueL1cQZ=JRf4zFdtbs|5_zE!&
z5nsf1(-Z-ux>1r~kAo6x?NU6(-L8JvW+_q*m$v0p!&jN!>Z~Ni)|Ry3(j)h<6cP%h
z*LB$1#7%jlcx2+LtM{{h@l9!kUe(=xdGksey}FnVc}tZBsHuDpY;${x_AImoz-Rac
zIl`Te8O~2BBR#<>k>^C?mJhkHp=6T`x#h7td0zByN{wKC_FpOrBNLA~$BfFhS#+{`
z`9*OR=6$oYDnO6nZoc_aUibAlejp~5e!!&JcOp@96r5!U&rXKpqGdAd!gIXSZ(^6>
zMb2GeaKp#LYoS?gTo&FSo++9z{
zgUvE@v$$K*f{%$@xMJgpI(j)jjXavXv5sVKPb89Ar{e^c7bKw^lBga6=d_Z?SzQ{l
zM~;Z?#Z=Ep=rGvX%PFa>^f=V&&OtmYJXqwQT1B!-*D0yR-rA$kz%;d(eBe%+QVGb)U<{8>WsqXoH#{L#*BC(V38s$Nr2@8PYf6|ub}(HhG*ruedej1qR5hQ
zcQ^ix1&P8h|5Ltyxd6VoRBlb2X%zilt)_3<*#WVK%U{qioAa;*&_!q7VE+j^KA)>J>-ZdMu}
z53sBA{2RSBVH_?=r9q+t7c6~31n^I4BR)dvnj@(ez#Wrn%2=5
zZ}I5T43Bz`gAdc9zNc~ZdcawLr4CFLI1S)CN?>?dCUFYZ&dL=u*%(YyE{zbpxK1n;
ziMxib6+qrYq+I+}7>J_9!L+w)!+K*>K=xx)NhK>!5KQV|Zz6DiUjd+`AVQM4$v+=$
zStx1}i0#MYT2>4!b$#B~ZlN<1$+fj&`#T)mLig=$IcdOIG!3v4UPJ)+C{!@jx
z2Z+aEPdQ?`K;9AqSgOTlskSJ~hxMGBb{At899jQ`E7npM`}HMeO83PQICdJ8D0CJ!
zydRT0_aniiULO<~e{kMiT1|yi*%pWmg|~^*vE;lvYvh8igzEW(FlN5KLJM7@1glDs
zvVcgJ_b-s(kyMB_&Q(MfX%4(N604Fi{$3n`*}v%7p{4%TR^j@ZllCmoim4b7*s$6S
z7u8cW-#Y0lR+%uv;<>*RjIew64gH+cOq#42Io`Yl6Djiyk4*eb<9cnNNDkY^58G2|
zRc+Q+f@BfinwmeVEEJFmGO@*bn^+Z}`Gf?#4ibL1;fOSUy*AJ3p-5{oeQY9&pGy!I
z;JNS!VjU>KFN^jK4`j|)^gtuiMLT9>DXZLU*UvLZ^=Ww)YHl9A7HG<{cm?urAiTkX
zCni5IeRlUJ>6XVShXNTOX1FYcUiZ`f%|>=+7U9i1zCrZx?&VSod-NEF`L9vb5N
z_yMG!bFe!;NB>31II#m-W{%DE6v>Y=Qb;ghIXXR_(D#7`NBa+pfbsty$MfG_Bt{1I
z|0%Woe=mZgR>U8_J|T$!G3Yg&$R+ClpLS}m0aWxS2e$waNyB-h)e}u>Thd9s*H!m0
zVJr0wSDe>`R)Ic^qXZnd)8oucSClOf#k=pSasNz;pa@f--xNXkCC=l+*SZ~@Uadaa
zseBXD(WX5oP8BBCb2Tkz45dFGY<-D+4E!$?BC;nvtkVV&-e|aIE^CxLy
z!AxRp?7*KaF0_e1BKVrSQ>{wR%aOF$+aA5yy_=oDPZgsB9t$lvD6wt}TaC-R^uJs^
zp5JPB!DAu=o;Xea9_0z>)U#_VROL@KkU&5A)x?>h&M4kS^j@~F3M1}O+)0Y%y&c5f
zBL@53>17Bt)Jz;UCLdrMwIi~FMveOned#}+hlYkae@Hg7Z+uqW|EQRrt;IM_@82|L
zIQmHupYl*)#xHgl9YK_S68Ul*>}oytcKy9x4&7q=x?sKgW|b<^`#!vyPf)iQqGs8J
zw&U$|w3BZqciYN){R~~C{~GS_UhV5|>lXe+wCZ-~R!seEf;tLHb^Nm55AART)V-Xf
z4QkuH)LN#8y#38V_cqpFUKsyH9^-yLdDaH#0VXj*1b0(J*yJIaBtT`HBG%XnD(A0*
z!gD*k&_VIkm_P&9)TpXV>?wro9Asn|jiWr}49-5)F%SA~RR~C`o__!8wtH3Ap74tm
zS&(^<5H5mxK$#OJcIBpl>t8VVXkapFFTrBSEp?o5O4!;d=c}?}!9xBsUfprscCL1c
zgKCU|xEDkl+q_9t0~61ZdDINuVor2<{&dgByB$fH@Z$Q^qiE(hA6Dc$|G=s^`>=2>
zU+aOmQ>TO=#Qw0cLn1-}{=v7`SVC$*)n+jgK(7l596;c~cjW`1ykPdMY3CmM@e;ys
z0C7}}5+npb9j<1#jQ?k0d!Q~)V%8eGyy@bkYJ`>^3=&b0!gTA@9ULhgk41j_T&;7Z
zgF02IPZj-5+H5VT+D1dSAgWKL2k}PYUj7Jfmf|ybTdrkFB^2T4+UJDC(-9KQoD-Sz
zcbiqizi?v^wy$c5YwL}aGib8Q$?%8sLUuj5XKP&i?R`WOWIK!yq2TWc-w|rVw9%t(
zwN)qJt62CaJax>kQ!V(&X!HZQDJT&U)N3$P(likiVsD^QP3iuhF0_F+v#XNO-{c9X
zs7K${s7DTo!jO@YDO|QIP=I5#Ol>I)R>ULL>8N^Q4zSKm2zgA`c+w02BB+t6dd-mn
zwo*s$CG*88;&S-|ffSsrHNu|IhuS{pwQWQ>dqzsseTwXpM76NoR1sCLLyCnAJ^gsG
zj^aI2+!-SH?kfIj0mYdAi?MfL5-i-BHOsbb+qP}nwr$(CZQHhOyUXaRn*Jtc;!eyx
z5%=tP|HIC;R_2pt7Ln_0&4ax0udj{erP1(l%XaG*Q&rCQ)HO6CN4TCt17GC0uUFV8
zq>)0}VFT)dLqNG3H4w`6drMX7DFo2+mX;$w%XqnMUe3h%^Qcf>(4K;W%t)pNGBa{VCBX(TCC^OA5ecFm+4%gb+0(2zyC!zgXa&rS48z$)c^bW{2#A
zyK@K|P{fg$n%qgN>Jxg-l(d|sH*yAwR}f5
z2}=s={)1&#^e4BL9M4jza?iqt6-_p7aJZHXnuF4s-oL#AK&ow!qJ67+tk0xlmD{Z<
zN|+o8R9eIlBjO-kP8o8iWwka;N&!oI2{1BBM@Kjo!Ey+|y$@@U>G=t4RiZAhy*c*$
z1XH(Tx(>H$AR*wSLIRn`Sn}|h2QxNv`-YQ~4Bn-vJecK4&Y2
z05POtgM?H8GBn`>nZgA4Nto1~C9})Fve4lyq#&ndG&q-WRGtvkfo2%4f}E0&BV1#(
z^%c(m>5tExf^WyF6X&W|eDsR%Clwv9T?lL^l#IeYwt?utS*-2(AW27uI|Cu)jG?_F4P5v%9jm4{Ih
zX&k*CKi|WS8#fWJhn!X&wam<#WIv%1QN|1i5l~`#g%Duu}3+6Ud
zAl~=xKeH@$0;lCWW54znaYJf1u)5|-n3a=Y=>ZoAX7u7w=
zPUEISQ#-#Ahqal>tdR5uMkJTbrIl{_`~By0wg=L*?Mv
z48sPY9z~MPrB8kF-ffHBtY+*!-Fn^oI2xl;Qj;37;dLu>Z>4PI3BdIW+N`H^Kw2VX6?|8Nzb8it*96O26#+`R
zoaS7_G?}DAyuu!MZM&EFkw$>=WSjP4o61y-Q^HB&JHS1|a-y(t-@$fRZyRv7Mk_tO
z!9#(lo>&5*vrxbBRT?vF-=~kO{Q&0;dvgCti~NUs3L_iGe?640{;xB8Q~0ES%u|(g
z0AGp5l8ME7!JoXXA!VB}HFD`X5pvjn_9fh?6k5ur;}Ob)-i;GR&-Ywv`1nR<*M_G%
zfbIMC;ow2cVz~&Rc(1vKF~S(aeP|r{_Xws#81gxD_BcCbf!J#ACkZ9O2*S?7e)(ebr`5FjTvl
zn;g>KEDowD<)MWrk8R?<>Su~Z5KZDcD#Bz#p*^?_VPL+=sBI)gpT&yI-&3n|TKvsrk?4E4;^czHd5Q*~|$jhT9i_d4`C+H}Q
zH|?iDf_JbX8mQU?H7h}bs~M{KG_($kmmHbFgFJd4lo^}O#U_;T+;JD%t-eRa2qiv)
z9(Pb$Ax8HtXB-)>ubWFUO1O-s467Pr&bZcuIb|`80JGT(nc=?he>q9?}6&5k&h>F1Xzz|cstU9(x~L~>u_+213~CZbNQ$#;Finf
z2Zc46?BS*`PXpg1{q&}Vc#;ViPzn;4I_6G@Sqa|VG0Bmg?~Vsz+I1>a97lk*cJ&AT
zgfZBNQ;Mj7*@FzXXEmd=-E_zg?3`KKf&wEs<~#+W<~+iU%LEX&+*<0Q~re
z3^rUyI+KVxolN&#pN>yU^`?p&&F&Pjv
zSX!LII(uL?w85EkMM-njDf2toG?GlY>-RCIfhsXCK4j;)tn%L+)I0&+h?~ESIs$we
zaH~*2=(L?I6j{)qzlAN9^}@Q$v1XcuaN0Y&$Ge=^6yfk1IJa{}su{RhO#UfBqK}EFcbPRhW<>Qu}h7070)$N
zjHe{p6&%vhV;|iF_Y*9(^z?d}gEc$Frg;5K@ZdTh-xUGwwp_lZQr)ph7&$s|Q65=h
zR+-a@b-H5v?Aqxmt>P7!+WEE$YXb8{B?9*M
zw|58!1ur25pL^sZZkj~SiI>{39qHBK(RX?RRDH|1AvC|+33aZ2lru`ZK#OiRc49Bv
z(7@pkAT^(EW?RK@*;cG006H64nQ5_gKX5Q%TElT1&lNwQs>z^%`Rg9kc00lAsilBX
zAilbo>Q%tLRyC>(&C1+gZztAX23IG;-`Y$jq;#su8Qo9gtMW^rR<51tcHWe}O{L?7
zw9rJ^+KIPkDB`YB-7eiiR;g~H9vg=2RCSR(n_HLI^Gv3%Md=E$ni$zW&`OtWOlD1}
zX}C$e2dh18=?E*9clYDE*ZFJxWb!Y>fGqR+l>6Ih(z&>JaIOsVS-E(!O)A*q;;`2V
zJ{`DtKK|+y{snMsbmsr?;poB1_3y#5Lki>9%%~TiZx^39$eqczNYKjNSRHywH2CXp
zk~E!s_;GO*-yHw-h3*NMtpGEsO^|1iTqSgu6j%^&k4tW@uEIDOXz2E9IXW@CPRf+*-pK)-8g>`
z?I7Lw(?S7&XlDF$BSb{};UQcEI$$I$UmzF(GX(GM{Ix`oKV&9sUDnxGNe>w$NpM4+
z{KMH1@uFQkfFX`di>=XA5Hc4LzMP%6LGl4w731ypUBh4c?6`L@b|#dO%4hC<{35}f
z%lF@n>_o3eE$R9{jmiclK#ub#Rk|&sgxl*LwS9wV-A~n%}R=RuWyV3T$K0~xByGa4L4=N$*E8V-NJCG|OQki%}
z&!ADOEh@Rg-SvH-Kw|
zSm1F_XJ@TY7j=DGuY#bk$6K>qM_HYP#1-T%RjMxzNmeOAAOzH`iQ_V&^ny0FN`Skl
zXxIu;?b}5o(>o=-YvlNYJVJyX@zA?{eploM|5@?n6kU&B!}4tTA^~`qLMRyCW80fC
zX!s}6=&XXWV?A6**ESa&HI*^8Ut`1FQ&V7T@w%-e5Ml3Y>$#oW$Rvr9h$Pps4#okY
z=V-Bdw=@GJrAY(qTurt27;`Z-GFA+chPFN$tTJ5
zAyj1%!Bc}j_Y_?yPsYPz1<`TFCu}U*)7${RC%FsZg^6CyL%WA2vLIymB5*W?l@G#5O^oN?(vjazQQ70f?{1OF
znjLKeA5KE9dE*2aA%d$2B(Tdm{pHpZIKB{hM(5S9)pt9{A^<$u{1LvikQ{k&ezdG|
z+iU&s`XyeyL%@j%GqsiQ5l^|eoC4W6N=Z7g``b_7X6B67u6vfh3&$%=3hYY0Bl+q;
zcPycnWK=N;qM0lBoQ__~_*+M$x>Je>+z+4mr+YiH5>!oe`*n?fnPe%{Q6nUK!+(&8
zGZaLOoWxHI2uDMPR5C>w1Pnd7!Nq-2mKkhU2rKWq#)qM71T7m`h)%scNBC)e7};D&
zFaScS+5lNbeS$$NtSM~}1GMIcbnNVENdp^!?;`&bddnpj*l3d+W_lxg1UqS0VMoHsp|kCBE&P%
z;X&#MqCn6S&~k65FMw%RL?QZE6|_~^4w#8#==5j{p*
zZeji`Kc-M*y!S~2QGiA$z+YTS5GeZ5u&Gab4!;jTsP4K;_S`=#zzoBPPc3GaXw&WL
z9Te9-+eb)5vfz%zq`%hJ4nd!kA+n(75{;gNbZzc#NX>llW=7o5^Eg_dyi_3?-gxsV
zeIjm{D(XDB5q74{)tZ8~t@XHn-a;ey%w7uVr*1=7*`37*_<{-y34i_Gwyp`>3uN!$
zd>8hmcKTohn%Y30cXHiK+*+4A+oOOG3L%|^^Yi+o(B1Yui1Q+U7We|8xxAQR`1$$HGn(%
zJ(Dzqa`4S)$WN1mT=0z^Jo~*;{-SCuCj6BZ)$AhL^-vOI;S7v{Ov0T8JoZUN_U;y;
zwMeTh#@x^wC6U#L5R@$geTq$gV|(g-BHtN+R=X#g
zy{*80p5b=w+jA>*LN^yT={Cup_l`y&S(~NTwUPXd?dHm
z5f{bfoRsK(R{4c!t(CI$xOd&Y8e@fx+UD5b-?|z@5$)=vX2asgOx2qQoQ9XiC&qs}
z07m}Tgg$8!0YiQjiH;pwa`@Rjbb4F)M~NcYxD*c-g8GR+z#6;!8wm&0ivS^5vHR|q
zzw8eq2k0<{C0Z?}hHJ+hy&Hx?kw7KhP6S)?E9m_uATl}$ATsQnkYubz;~|@hMkKVl
zJe2-zBuSGeq+xg87KiL0xJ~@c+79EP4K`mM&Xs3k5O5deLRnkc1y~7g7IHh_W?B<@
z2+*g*^5E(IC6m8~o1F&>VlaXm%<(VQ<8bIhd?F@9L^c;}-qbIqtZ2hIezmzj5Qa_G
z_k9BBWOw*te6fg!2!SS}U7XWDgJ5aiY-0dxzz98$35
zQlplxqu`$H-xtPPN;BD%Gwb?VNGkK-RDb-ED>~qd2->G3TL1BK|8qoZE-2QNF*>+Q
zRFIQQA{VSd7UGDxGaJl5%w~V5%Du~SdcyDCuP-7ZGWgSf#`iD${MQZfuP13HjQ$~z
zKaJti48nu{jH97F2wI;9^sQbV2cagIvO4fBWi0O9S%QQOu%9~Fs9ctz(
zwa(Hu%QS?1(q0)iCV030Vn`y#(Ly0f@*KfOnQl^3AAOa4Vhq-*U6$3>+I+*@0243q
za2`r2*s+U9Bt&{;VuVRfF@d`@Yv)l;xEjVyol18NxjGH(IS0e^Ejl8bRT&uzO&fAr
zh#jGO^p)6QiPtWgE9mkg68M^D@^D_&B0YE-kSSNcL=>H-pw(ZkDk~DM3VmXd2+=R=Ewkb|9Mo}=
z)Zk*e!44wm?NTmRgRBG+#P8Jgf*pKzt0&pZ*XKcdteiYL8kie%FD_L?r;*ba;
zAd;p{0_1gL$YNA^G*rwb9oc
zW=is;C;>A_L`QO)x{R3`vax1KpS5NKmCgM#%(zeil;G95dPfwi3GQpHi~O`8a|cE9
zZ{Iyj^Kiv+rXk`Ve^;95Ly1Ek>|fA%p$vKI4xgwG7v1#H8^@8h6p!`ur<%$?YwKbh%DNg1CHnggNp7!jt~s(W)}G|=hq
z&2b{qhLX(dVR^ALxwbk-_CaR{5}1OUb^a^GGmVtL#qrZPxx{(R(GUKn$AnP
z2jPcobGiF$=E`aeQXm_yDo`FTwqKil9dj&O8@P2S)^5mB;BM$SBaEZ9P_}BN4?Os6e7&hUZj6`(AK;D@T?1EXVOQ~YBCSWMHv6O_j_OgHXCMuT{xJZv1NNQ@K1qnPe+
zW}Y5)Pm?|^=1oFso|gRCzvGC@m;;$Fj47bbU|y-6cIB{Ic3LyAE!)D39hltRAP*)2
zQPXr#(w-h)i!C%h%CqZY*9~9_V6xTmA{%`21g?ZjOCw|5tRt~h&Mma_3qL&0o8Y+K
zC~z!x6mPh3vW;5X1vS}hf1EqVI#*PAmdVbwWcrqLhV+PeZ#)dpJCh=5Y7ae>###rByR0uI4lE#w=_o8
zEWmwXk9_(I5c)@8{MM{^3;#1yepHz#JAZc{$K%!-9=Vtg;u8+vLA`Xl-Oug*fdj1L
zLi}x)zqY_qI
zx^8x^%3@+hUg?^wVyki2H$=UTrq~GBpej)lub9&gmidRd1-nFPaaJepeEPP*kGy?M
zH2KXjcC4UGVl~M29d9q0Ocs?9Qh
zTZ_$rAmj*X5is~T4Dd?sJrhg5{gYMM*_ZZDblrGWN(vCMG;{x4_^yFH9DzT&yx2W5
z0fSjV>Wz&=qf8~I1!@o<#wCEqyQv|GkJ|ov+8!WJ8w|^s
z7JyGCrhu7c+pX{DBHOQ(VYYT3-BTuiJjpp5l%p{^DU?
z8C9=%8y*Q43j~Og7LcUdy&w2@Z?#LcQ~OBxfLQQ9XtN8#)7Im@+oc&%|8J35?J;ot
znRoA?Dz_XL_$#0Fw0OV$FD6IQ6ENb}`^;e+V~zW^ptj#nHUHI=O6SZo=E9p7E9)e)
z?)h!g7c7!@xAEq37Ztw#E-Us+OZ6y6bQ$FX^0?}v=!~+HKIu_S_zGqgW24y!pg08P
z4ywgfb7?09DP)QJ{X6kgPUVuLSO^Y9)0go$hH;^!5YZq!W;D4D(BmjbDQv9K9x*ME
z5Bo32n4V5g))YJy!xSF8=gfak$qkny)$)hXmN1M{wYY9`2>TFv^rY01BHb-N%
z-ag)+X2Tz+f|i1i&#aL09Ls#CvO^>sO{zCr`Mdf=)2yvDH`Z_|YJTWyw(gJ0b_KI4
zG5E0a^I08tXoB2M4FE=9+1^h5xPQne(}ya~@LMMArlvnIerjmDSeJP03Qy_zB4Fw~
z#FQC(Svh09lJ<9WKhU+rlwto#5dDV(4im$F5BZqYvbFz5`2XiBESxUnz?A4HqEJ$b
z!fOcMrd6`3AGJe!BZP$+Ei>MoN|H}%MsIoB=RQejDw(KfT=I*Ml{}fTILkB-bKyB3
z{F8G(&-3&hpWV!UpLst*g4X9?X9i~)6GG$!0v|cw;mqu6x2yEy?&AJ5oGA`8uj!ux
zFLysTem|eHEq&+w#;s%UoRK}PM3<}-C%7l2_Tr(Ia@WJ{x!1=xN+uuuidGmQ^!tR74F`L!UOfC&_BI477Cj?}HZL9cI=X7uOr2#m!W7S91$E30XwIhu${6
z`Z$)aBqt&xYgx45@|VCEsvdQKC9B##Q~k1}(sZS3Dckg6z+0U?44x#YqI~quQEI_q&3Z8dIr}h=>r@Q+p|yd5zNU##SH|zd936*(;E9w-QKvB$f+_?GxZ{DYK(p
z%fXBl*UY_os}CaqAsf(0%H6=};NCsZ0l9kr6wSxyN-!Om_nfZ~Pn(T%@gAno@S??>
zv#(m56R&Kk(%^r-nn0$a?R2}
zok<%uy;RM5AeY*p2MLrXI=3ILCBR
zcSoL!PO*LCq}rK=4BlqYr_ysEYIpheSLHxE`B2)VJFr?zpf@qZ`2pGXVDD_!i;@;5
z43;@+byOB6k3S#B;7zF*-v~m;W4m-x>Mqg17h|ySeFWde2KyH#E2FP+{$50PT!zyQ
zAnv^tsgIzfIj>0yW~n=6ecR|dxfaHNE6vK5+3iz~c{C@DQ{8)f4aHugWWNb``S@^n
zkD`34xwf&cWN!S-rme1dZffggR-KdT(0T>XQ6x;xR&p8yjNx#CFHk{>r#C
zvv;la@xAU1zf@O>
z&K8R}pD-dcQ4%u4!Njjk!teo*uz&67UxTE2dAar~fq|dq_bZuspC8sccV{w$mstD<
zuI26h{~EM&df0fqMA>|CX{9j3nb}p_A&cYtx*&XfUixu5F^){nzj1*7adMWEr5D>3
z9;T_BVSMdKkyJftQ?*Rq&3=0bqqPPYu3GSbTjiGnS%ECjEL`c-3|PZ%^);Dc7BG(K
zy7KV@$;MSLgtf1OOd&5-OhNYm_7xBt80zz`b)GG(ZCBuL1VNz)0Ds4mRJ$yl@m0wp#n340_n`S#
z*Hf@K?J!;gMol5aAvH_#jSShNRcAtQIC#3kGtzEir;1*h0|&8;DmyRh%#3PXy{FEV
z-f$03>^dN36c8BqsePKgl?5?{3G;}z5CXYK`xRQ1f4Ja$r(W?ENT
zc9DKn6+T|ztZ;!m*V&kWne|$^uDuM1;ZRja$;HA$M05fN4f>}TL)e)Y*ceED^wpDz
zRWP)rxbULx#vXzF>P1t6sJ>hsoK;{U$R2OG66*FD=-zL&VB}AUhN&`+nsWxuu(EIH
zVrXC>RE$iFVTo}Kxu$G+GE22SwU7z<8#01qq>C+T*O
zJLDp?_jp@(P`ESq&`Dy#S9aSCt|1PVl7DYx%>(S(o%lYr#!>RzW#*WBkcy$Y
z*`$ckl|X~>+O&THhz#vQ=0Z&g@-6dXNtcDElE8N5tcG)9!z48p83J1m!w`y{EK_F;
z`Wx5&3Sc2nY8SfEPu66wJ1`@t-@LXN%o5g9A;4%@9(ae9ERz@#x?PglB-f=j4?BXq
z1&}WuKB7XXov;ZD5=oRsIz^oN
z`Q^yUTD=$w&s0;{&e4ESX);R)Lba2*^hpH7P0F>1dic7=pBd+EUxsa8k*+U-*cE4V$FS=dE#T2sxyF3X{CxSxr=PJysP3NaU^aOEndtMRyI1~ri#8UsYZtxTi3WePM-n&9
zaN2PmOW!Y{aK>5r9m%ZO4J)aN3#;))0$bu&xVc1tN+N{;m^75CazM~j`t!SGx!GJ0&|
zGGIJIUD%pM1Qx8MHWp#aOdW}nM!W5E1;ADGuF2_uBnpNaiQ%~tcXsoB;5KRqssErs
zSpL&ehJpRRH?(T~gX@bS_`TIDD1#INSPu7kbX*7{jR-=uL(+Uu!a`{2XxdmPky4U>
zyyfyzL|IF&8FB-DB1CK5&dtny%re;Bcb&iP<#wDsy}X~CVjlJ)gyQ}2I<|yYj>5R}
z+z}6X+~c_PbsA${#8;BawM;Y>%?FuVXX#Iqp2K^5fercQUEteCi
zlUE`Cl|Sy^!&7V$ni)+2?5Jtw
zl)L`|=*--VL4SqWh32}l^u2vb_jlNP!QJnA!7Y*6|MW558qQVigb@8MRB?jWx85`J
ztd+EoSkw~q%Y+2T`(Lo%pQkF)T`k~!n)%&k6$6A~gbzVAN3TYa1>BgeU*4&=P#6f<
z7v5ch26R{G`YDRYePI%zn-Gd3BS!(@gKu`HF;|CIMKYsn;>|B4sU!}IcXKgJ2WWc-
zPc87=TQD9R$7Rgx7@Ol$OD0+=42@V$*Kb{sJRkZSa%&OZ(T)#W752n^KJ%H7!`z5S
z_#s-SNRBspw$RH=f}Tq8iX62+3GQMK#EvV{IHG#S!fa
z8)JzDWa$HXG6T%L68;&@75W{8{i#b{=)C(Ut0Y;A-&eL-hF@233lgWWKcz@7rSrmA
zd~&kVc@4fp8Ds89+lP5R#4t$?w$@LWz=4c$f%Od%_=^uujE4mcaCZL%XD7!1Cv=2s
zahA_I#~_uQ5QNcT84lE0{TM32^q7_j0se1}D`bU4R{E%jimFPKmEK8ehd9!e@XhC%
zE?8E7;}0051%wy$CL3+dnSpdzVGjUohGc#j2y0mR*xIM&7c}z^l7)Zalzsx)>_?cB
zFzYU2hzgjNX$I%HFCK?ze)ybgW5vssL`wUmNL{8Z6)0>YGZ(&X*8mpVv8FPHYA=jT
zZ^<0ZT(V5Y{#Dsr9=aBgXFD`SX;D=+G`V)WnzL$bsV8-d_Mof?nHAz-AQkPSgxHWO
z&xe!F3u~vosj-ZDm0)wxQ}g!ZJOa02GIR6$8C7JvsYcYGv_$i7OMMANYg0leY?fKH
zRoj(~gZsSr3i<9;4@Gl$Ft%)gswSc4HdNmhxW|SLTc))qe>*mN5l!@CU|~v`{X*qsekAr3|>5Wb>Wm?m5ud9)F#}IY^{0gZy$Wl!UxvqA?valD5iWp?t2F15=K)$%mQLjL1zB3T%Yk?OWTh~+aw>9|*0US`ALoE#NI9)w9P
zD9K*1vJ$F>6YYyC2`!rdFQ`g_tP3vnFa`mO3j=9f{O#;pVOzKoLp@)8n&5&$lF&k
zUEbHGrQ5Nx>vOlLH~wr|GA5hc3Fco#94I$rtp!NlV;KoF^PZBGma4u5G3I+4GXOFYpdGkkhS)HQW56F_^lbWlBk
zTialeOwP|VeW{;+3&d-_=vOa|QF?Sku6;7znnAt6#xQ!yDC%mE$2q}OeUtK+S4YR5<}6y6WqviX#M`Nm9p3$JQj
zpu7&nR+@=6&t%lJrc!9Rc)u3~eue13$9gYsJ=f%taBWs4dpc$iko8R_}3M#8459
z0_We&nOJ0X#bvQQtcrq-I$y9Q6_=fxIrJBMmv%1c{cHH#3;`@ibh~R_SNJxNCw5|r
z9JZq-Xu9oX`Gas~k~}=2qOj`N%W?9ZWnK<>BJiKQT7+gG^t@wwN5az!APO3Uh&@}
zgG{GT24cHW`Ao^W9*(D7a(Thgv8x345`0o1$%5pBgza)6?K+Wm;j}2-dQJ-O07=O9
zv}_Hc$yVPAAVH0}nK{f18?o6%=?m?ljhyOvW;$rT2>54hax$Z|_AJQI0^cLY{{nP{
z1FK=18&e3>T|c-f52%m5!~<+&!{et!Lew2ieb4|gi(c}{8g2Cm8S>+}0oi}D?6CIo
z;aG{phj6=t$zZ+F+1e>;H4FI!sZjn2PiJ^1tZ-H?FV#2VWdO6~u2cQ{f$_cm3%FqS
zXb6+;*lX~Mzyp`z0G~+U)3A7fi2O1Ri|YiBp~bl)N@rj2sLk%+KD*EOB>Q)Jq$sa`h_#Bsqt#eI-s)am><
zp!aA&Q4iWrL9JtSYn%1kHI|8}VXN9gz6R7Y+KWR&KF88SgFy%+p{@euN8`47Hcg+R
z&p4i_b=9`rT`k&_>RYxEYN}L)OE$-~7|>ZY9eB4$MW`W#woi{`mq8C9rV{?uv)>au
z9{f!A=wjAyC(xh{CCjpF_XR50RLlcQzFOt(0li(Gh^#;6r3!_3=MRXC#G~4Pl;rjY
z-SdSRgjINqTD?j}Vwz+G?K|J6oBecj;CI-N(G*d{`WodIF)Pc)w!;)WzxZb%Yyk~|
zavi9~NO%!?2zZ2aJ~tgEn70WdA
z;*WW9lZ^FVX?#gFX`O1>EwcN(=)NG%D2MNqxOC%Wkn*-&B&E1i?3-IBJGj=6)`hSZw3V|T0++_#o0aAet_+%F9A%YAB
zNkm!XY-ow-M%TBw?D_p|b2`8T&=t#5;*J`U_`-?)tk;5-wRBE(&e%`cFe7UJD}bIx
z3lqN@LOEZ~d*T(i>1B*ZjN`suc4BUCy=@WK=I7pg-upWrGXr-TDvCkM^tp8kdc#d^
zM|NWj(in1Qzn6|d_XCz_vD{?4aQbM|`gc4tccMguChixAj%L|STi&r5{)>M)I{dLN
zPv`Ta(h-bm4)^7xUbcMCTbJ?0;B$NXBPN)*;r&SWC1z&bTc&R76Tg}Xn_F?UO!#V9
z$f07K=#SY5S1<$4&TKP;Xvmz~lWW`LwasqU=EsAgUiy8JmhJTr>K*um;~tkMFajou
z6$$F}Q2l({ckSC}mk|0auo0GO?X~BLib?Jn8d4#GuE*ow#L%q}kWGajg
z5cH=SS21O{5na*5e$AfQ6P42#;1%(g4h&0eQe!(HJx1939M)Kd+E1Ys3Ph%BC-*&@
z>aWNfjg5abE~=dzIS4(8fh^GSxCE1#-iLkKu71T+cPVF$cjDAB4#yq*vaNSC7#JlA
zHRxaD5ndIKhHqeRu$#u@0sFDPVt?J#0kyY+>z|nHokg>t(;6H+|166H7)5nlRPA_L
z0_m?_fh-yb7zYCT73MBeSAH;s2cDgg%6I|T0rY?Hf+X~D?Dw$JA_7XqfNdOuWI$o$
zkc0hm=fQFz$hUe>XNUEliW=7OSy61B3-V|GTJfvSrU+r1$9r06vz4tf-
z?ztVg@LMr!)}EZYvSxD07>tlGf2yxHS0)oIruVu$QPQq&mf;8ZS;F*)2@;V6^3`Ss
z;%dfY;*v*(x($7qYIE4p^%ELsxZPNsTiuFOQNG(R;BCN?mGK2
zm{w%j;d1z9S>#t&-_F){?)SFX0tA!ztY+k26XAzwXvM&?X$C<@+i;1XSdUxZdYckZ
zHhn7hwGpWL>FUwAN?BpR2V3I#d&6Xg;3S1_2MA-9NsOe~{W|9;#L800UaN3}09R=_
zGm3wRFi~{QpquYl{rY1J7q5p1@eh_h?1y^UxVe%7^k`+H9*f-2jG(cL-Co;v+C5EO
zNFr5ZbId7@nK5-}>C?pk8}TLSI5oAvkDaErsv^CDfMfFmvbB`A*^
zB&NA#I;NdQ?i%wzcVUG7L1dQim7!Big&1Cc#kXeRs-R>fy!_
zTJ*a>BZ#ZohdFnlg%~)(3rJFgQ;Ntg>EhXAkQnM;uKYlk=#dZcCBC-Oe&?*St2T_U
zn?^;Pi(+GEF1p}xcg4;eDb
zXaOgO*3b%*wI4wn@hsNbN~_sm0+x;j5en8v8x)4dFHmxFCkRflzQ%Rh*c-y|lc?~Q
zhFQIBX;ilq8G(XWbw(Y)90+VUr1eLf;lO9g;}_xFHJ!NhcGPZlV^PKid>HT+z8x=p
zUU3J0BkoCjv#22KYzg$84a~zKU++~4?_r)*kFFUr6G*BkUW%Z6iIl6Ws|3??yCDGvJH?c{A7Rtc|dZ>vA_`KV(-OF
z0Y0>dLED4gs>H9KpST!D1NfW1Pq7zQ@g0$(^GR*z5gYZ2miRyGvJHg`IOuFEr$sO;?C|vtj#^AH
z$U^i5vX4n-uH}3;NG?GL#OOEWCSjdgEWo-=ZvZ6~VH+{QlK0iUy0||8ljH%}e-JVM
zkYx-6|35$y6Z5}C%K!cSpJ5QY|IRi$|IRjd`i&Nj9JC3hB1$XL0bdE-YoXBkM^9ZB
z;Vl{zNVd?cQrf*7li#1%P878y*8A-4eLfAMN=Fv&Gt9$>7PphbBYA&a470EI@9FgP
znHV7@4w&4X-1!Sf%p9ik79dY^JnHxzL&Y)Ble2@6OlLb6m;U
znM37m$S>w+hDvov80EI#=K##0w(>Jm-se_Rv_$z#^IlR$nEXn`LREREXsa0J$>6YQ
zj=20MuCLU7G^d-k>JZ#1{!re}|E82sR-pt+d6ubE4Ur5tIz)5D(MB9c^mVug%&fw1
zzc}DzGhD&GRN$?0djb!QkOkiVBhx|vL0n)WxxCa;Rj!;yXI*QjE9+}`Ho{Od<#Gm5
zV%r0z1gW)MNbcHf)$z#)%p3M*T4?QSQFeb?sN+B~??SXO!#^As4&B?
zmc~e0`!lYDK@9<~z32y^(-$b0ti4C<@(9las;z8YsigqI?)Ke`)lRAAr8)sW#JbJA
zMY5~hh3DP655i^@$;VJOPPTV*Q5-|dji**P^-z@ni)?{A2LJ=|K_DZD2J)dX+sfhG
z6^;O=hd3gEHc+u4I0}p?AvlsBmf<{OsbJQg9c$;qU=qhtS
zG28G=K;2tqJR@j{IO>7cvJ-Cz+Mo=Yi18vh#O0x^tr7zoMzhdViv~^zYP`>)vHevf
z4s|P)F_S^ycTgOP&mTUe0{srTwH{YlN1&HKz>oYJg1e&9nnY8X)R1KAJUo*(zh50@
zj>#KC16pgvBSd{Gw^RpnT}Xle)Ji!}3jk(jxu3IAsYGh6PiMgsrME@VG9$
zJAs~$i0whtL11SfbWpFHPe=%4jJ4iQQ~=!PvsA(5VdwXaC!R7HX0jd?T*G%kfnX)hvIewl14
z@Q}Y=DS1u-^|~VTOOP5*+m-T9A_dLt>{k~6ZzGv2kw6
zpEmMilB%q)j?|Xv9q~g$lMlZKx?pg(0H}earnjWPO0(IdLP4M|xPJ4-jW3y@vviYa
z&kmW*BiaepG_L;Cx|X-{$^KJ-q>tFnzVCC^wxpVxA(|xMXWL#1^P-YsqF%(>2y1(=
z`GWKv_!FTAHYFY6cJ?4APxgUo1G(&%Z`YAwg8kE5U{lMc8(kqeO==VExb3K5jD}E^
zZ*}ZX5{#=$)sokuW
zO5>Ao>+o|`LEOGCCSF{fnbH*o;R)HX4cUWY(|x#Z!=6!~J_C2{nssl-e5%=R%R4X$};$MFrl(*&6gY?`+Cj@glq>5m4ER@K2IO+LIr460mC?_{d(!fYh5
zL>kps8+w}vmyF>nWpqo$ogm``gF%4ld~2%6_gJq7q(Q)@eIu{6GQ;#wQsoO(ztgub
zmxgxC!1IV_T6F%*f9SsLZO_0(xZUqmQ~;5x3(3v3o5^hGy+GN4m+P(c%x_guB<#2s?M3$R$VKYp-}uYC7jTVh(p^jlkQ`fad^BQ&jq
zc6~I(|5#I#ep{%5CO=sa_ewL3Rqbr?Sl3Y3MKL2jez%@`d>wSBx4Qi*Tz+>6FR~5A
zv#mTHmL{5reyRy%{tugPnimt(D2SigJw7tfl(K4!$G&Oefp+x%@&=4D96OXLG&4?&Jd{i!xSmi(c|Jq-zAk
z!I;6SD!g~aNR!X!`!O%`eYd-ZGt1rZ=kB0h+dEbCxB&{AqM9gCeu*G0TbI(hMbT~T
zf_L5a_ToHFor$*HE~3k6SLuBAeI9f!nJu2Ale_6mAAmOY{z*rC-EMRd^C|On_(l9z
z`EBHn%lVo@)y?}}mg{y;g0h?s!wq!fNhg(n{$!ko$i)^yz;M!VG|)peO3)l^F{dx=
z0*mSzI_SCIXyHNVKvjG_t^}s*GkgHJ`TH+ziFaC*h=a-E+f7AQQ^2uR
zP=|>lz(1kkT#bH9e~))Z{Q)}QXiENf-St03eg8{$sdze=641*VSt+~NLea|+FfuUw
zkMeSIb|K*4V1c6lf1+ZHZ0!GaRBTmq+YXx@!FOF9;X?XLfsS+du#^Gl1gIELsX#)h
zz%~I~b8ExOb~3?)<>M<)b33*qRmyR&lo?2T@-ilkyr7s~gSyfnNVa*Zlp`nV?(n;i7a0TTmDyZ^vfoJ9&lGi7
zE-<>sjGSxG)(zB&EN0FB#n?MFiL$W4nr+**ZTD((wQbwBZJVoY+qP}nwx-X;OiaYt
z7vDdqo2txsEAvUvY)Xv7S^Ej$ILv*fvdJ{#>9k+23l|JF8j$8}F7X4zIhG6;Fb=u4
zaxIk*If7m*KZWip$VpN{6rc<_0+tiJZUQ6-b$sAd`oESyOyD;}&RBm1AklzbBZr|N
zh`uoqWTZ
zD1rHOJrDyu<$iuxpuIw5;B`rIu+an=7`Nm?46*an1VWU);35!Q5ajH38XQtCJE_)i
zJpO+7I%Z;1WPNfs{{j9tf7=lNF%`-J5_Tdt*QjwYwrB~~VC)ebC)5=5Wie3TRb&~X
z1Y&3EK7MVmC=yoU&GB9>1eorOG$SVmCJUW3R|wdkZOetv_l+AY54OIe!8+R7$)fnL|;&F*%bXou3ATxT@qzIjy%*?2i&xTr*0$|`nn98^IpBcy+zI4g&{9%85t?Z
z_4G%VCCcVPCqA&XJDW-Fe5)rSWMM)!s4Dei^O&;3Of+l^SuhZ#m&KJ6Aa
zhCjAqQ;s-m(<{`4m~%%3$IcxZn>6HCl+No^HC{vIvs=ls8*X_g-EjEihnlvR>_1yhkwmw!mY%}(OD33b98T{Ci
zYocy?g?hjNiQ!e(xau@S*sbjBrk0m$of%Ufsjptm-L0Gri9^Z_X)URd4{M!m-;LdBlW!kOujlog9a>qe2Myw;HduUi
z)CZ8!8=Gk9jhixOLTH8hNLb9$nM)4$?)ciWQ?Dl8`Zavs4-urWsyP07tbyQ=Di7Lq
zN-PIZojKh$O@U0bmqieyLMG(_G@JIpYP^6*BpF%5z=a4
zX!VmaxTx*T;_+zAJwNR`T5lB8-%QRQjt=c~^x
z&O!$i!8*S$23ZVSqmV-M?$a~0>N&q{k+eWmSbPu@ugTZf0om)%@}dFgbKE`|eU
zxuZS&+*@S%8oM>7)jCqQ2J2tlDHgSUdD{xnbS
z)$=ZzBzdqAV_GzLQd(LyM|b%S5p7+|c55!{JEQrN0S$d#0_;Cl0|q^RNA2pSWgM|KH-r#K!pl6Tknj2hIFH55g^JX#QqJ
z(R^}s_pIltqN3H~lPDt{%So1R#e9N|Mt=A>{2HdN8)#
zQGI`eL}EeG39F#7FTk(xb>AUElK+7MdL1||1d4bbKZ57Ssm8raBSK@|tt|DS9pktZ
z(p%?2KcniI$Dxk^{VCMl5vyIY_PYl!;NO*P=aU4q1Vu^PoD@Xz*wILuGH5TupG{b4
z8K!ATPr6s-d)&iM;U;6o5upI%G{Gn!VL3+O>FL>0daDq>tKPMpFjm>r@oyWw`rw)f
zj+b
zEW*DN+69zj;MJ?tS7HPtRf!;zycjoeEzQyhN+7YJEEq5j=Dbo6(taokJhkX3SyMYY
zv>KilP)I$uVa7f`$d%?|pP5$<1@VQaY-`BR2Ug-HV;cX7KsGV_nJBBDaW1PlQ%t9g
zYIM^Kf~Ys!HM5CtVexG_4kmLOLsuUQz?iFuE`1aHar1pci=Gl<7CcHE#fWF+EZ$ZMP}k88zB|iWU4o*-U&)ojAuhBUvrxqC|$jyI%@?xn_i08@UlBaCP&-p+5PsVuMKg
zPLUgd`y1}mH*Dj_>szSblRvkAYr?4?B0|khkV_!;Q=O&jv(4rh5>jrzVXpOK#BFzs
zM%IP3D>QDS>Rol;%t4yR`(sA2C8u|hQ38RGFTX>oeutf|xyrFu)tk4Ts$9A=I~(dH
zOt1n459)>Q`xLMZHx#^O__T$Iy1B!zEaLe{1u|B^sb8}Ep+3XS8!pHAA;qhTjV)lQG`
zln&GWl??x~f~j_@6N0^}(WSXz=f^F?
zEFHTw&`f!7IAGb0-5xXAEZ{q~M|$VRGko70Pr7Ae!kF-AvN~mD_3)MKXp0QPI*CsZ
z#7=8!7!-k}_VHI__G69I-RzD|Yz8Aa4UIt?OZH
z)GFUnhZ|s{%i~8mcat;5eXi**ukJy${aCz_b#m%~3Oxbg39(;GE?#OP+=_f}?NH-GSd&y)V=eDGRNu!K`
ze0_Ft`TWdaU%-cA2!_=ED8-hNNVXr61`$SY1K+njBKH0%pW-_J(eA8PmN2){9FFSH
zmR8c)@>i#_4Tezb|Ms5+A}>m2Wsf_{LqUsu!pu&sSaUsG?FvW$Y+_>k{*lLNWLT%^
zCjG-8e?FdO_;;p-DWc*3bH4CzcUU-@6zbcazjYb#j{ru4p_G3C#*n;`t@IE=!(b?G
zUYF2q`*cK6>sg=EjGCPpNz)%18ZfaD_6{=~sr)vWG&fWV;-B9BDB;jpjr+SR}z}XuMgn@&I5@>I5!OBPN
z3IrU9jusf+H-C|uvO!{rzc$CzNs0Yl-0s>mQqS*cOYmIYRYuF}htAC@!XO*438Gs9^G)
zv=9>N_{*aCD(BscXaLw0jG2qt@dMVRhR^1Mmo<@_rLoocijS%7tqb!WlLZ{!PL2eq
z1QWpMkkQmA2?$9>+*%r%%>jh~2V?U6(TmCzZqEX1CMLiqHydOeCWo0}DwHh>k}Y~z
zi$PJN*)M-9mqzlu%$p4cD-SRg-X!Aij`#03_+_~@#R5Px&(TcDBR$X?h}BK$CXY4Ee=H1veN`g$dE2e_E|+?LChB3YzAfr`7a%cSo*<(q1sMd
z{?g`5AWu_EGX=yVn8p}T3)tT(c_{Hj*E007p|tPRPtrC!>=
z3VE$rzY4veSeTI_VC^Oommze36gHo3GXqTY2p%*-D@RA?QLnKHgB7hHTH{@8MU^$S
zYO9|`Z3CqlNHPNp3&Yb6RA5XA`AQ9W&TQie%%OBk6nVLB=^N{H}UEuTt>DAr3ijChP&B-_^Qf&JH)
zO37$QijEBwF3Q*A!=QDgvUlF1O8EVAbiB00jaG$}AWo&q?phJXm~YgXAc#0Vcy7}1
z?s}`vhjs>9(6=x|8mS)FY@Lz513xw7Yva@7AvP2T0!b+cuPQGaJw$SR>jb}8{r6x0
zZzM}oJJT4aF?mChz7*=)@>}U`*?Q^OX4So4^>XX>BhMX{nAgM^a%e+FP
z!`QQCYv7{A?P2S%?|mxt#m2HGlWfbJIyIgoLsF15JaJSa0j)`g)(X+_laH5?SAFO~Y62wDLaoSD-XoAmmR~%=5lww7l?AVtYlw1;W1>GLk~=yAJNi
zv|u~lft}gjUn#ek-Y}u}T}vtHD&P&kH?>C*B|r#=bb&RfKexyj(lxFkUXzeZQs~X%
z`8Wco=j;e`=4HL5mTUg~md$Pgp@h3TXOi(_1!Sb$`oN#>bfQQ`6(u>4U=%YA)jq`N
zwd4lZaU?4S&><|pt+J`-a^+Ds4f%PkD7ETr?^K9UC=jt6%=&5mWZ&NS%2(Z~stJIscaP|&w4~4xyy&sWk4--NX+uXpu8kzMGs@cbt
zY1myrHiOpfWbEWxQXUf8&iLDo;`$U5D&!k(Bt^n(Qwac--th<>-9J`luavHLk7L8;
zp5Br<6-A>JC+?E3HDJlffAZtREJ%h{$(P5Yhl>&($eGDT3%j1XkALrwb!(3@T}wa6
z_}nKgg5)=LEGUbJSjYHt<#@eqkI_dg=G|0CZ)~q#fD-Hkp%n4iXoG;
z%y#PC+~M2fqYV1-fDqVSMS%3t;bN*R4={0hzlL7J3}i!&#i17)iwRswQ5%9j^3sVA
zn4jc;;`xrbYjk&<_iQKOc3BsEYd2oTmUtD#4_mU*ZLl|)5&Mzr2+!hby*!z|Y{}yE
zNYdHI=-cYSC%Y;0In2Ot-CP9`PJ{-YSP*&f(iGN+V1li>+{GezD6dYLYb4+Lv6OCe
zpV3+>*}z9wlrmg7!dq{=dRehlMm}SKEl}JKsEhip*5<=wZ$b&p>M1quPQegxzd_8o
zl-$hN8pew4YNqM$ww2WIf^nv%DL6&FXhx)?aU?U(>x^eMW~fIm#mr5oX6tiv)bBQU3x(akX8KgYbAK+c7HwaqHB;in%8B`^xa?WLeHPbD;bB73nXwj(q
zB|~^i-m8UxL8Rpq{zdUPOim*~j!Kzvd2Wlyl(k2yBNbn6AlL5Sf4Esf
z{IbHxL?l-pO~tuDIJSjmK#b*Np)1$V7dNe0{?pMSVkdR{x}8~}a%&K5f2`Jv9kv7;
zZvYL^s!t?=;)V^O$YB=+7*HA@!68D72!)Phx>sdfnD%C8AM43WL|MSf(s6b!FG(qN
zExgoELGbWIJ-_6e@F!xQGPx7uWaOY9RORlx89}7G
zAhRFzG*_yrDo*sU*P|%1LOT{;!eR59GbL72V6oK(g%=oo9>TusxY!>%?w^0_%dS%z9vJwMKO-O9a9!$sE_sv{|+Q7Tld85%u
zcT+3Q#&6`vGdO)A%Kol#!o-{E$Fe-SNpf)G*0s<xBcWBZwvn=pGe73@j-mFsr9ixTFIa%ckBb^r|{(A
zTSsm`I9+gE0;;7p6PUJN7`}zE)?fn{3rHY2$I5E5DcNifT>g5tX>T18&M>jIF@1cu
z$YejWu0ybiOD8Si0~#$Re6iN0;m8f(Mux&b7F?Jn7eD^P)kc{5C9eD?tJXB#_=Pry
zCY$P~^)FfoZ0*S6-r6$4kR`q%tj`yM>ldEx)%jfIxFv19c|+Vr#rX8TBcZ%cUR<8|
z%zCCfI2KDS0LK4-i^c|w5BkWj`&gpZikxRVCTKRs!K`R~{6Jh(;Og7u{^aYfhywLr
zM(DrF&`b>f^X%BruMs+EMeLrb*^MvP&<|sGAMIOPTXV2rPOR51s~Rs>Vu9S4lq?hq
zXgKiAwE-v;4o~2b=V=RrM}U1?sj0~$@rX(|J#m$2{eHXN`iPYh#T-LXoZAu-mgv``
z2saZpmQ*VyB4yRr5_Qcy#lNfZ{W7jQq>8q!`OJ>dT;Qcoks6WS!sL6^BuX6OyZOHV
zCN}Np4>T&~*i(=tE$GEYI4W#y8(|wxCrYY2d&HNi9N{G9N?w5MVTqNt)osZaN0Fe&
zh5{g^RHrGDI=BF@Y4K*#bV{Lc+yu@qW4RO%?^mGT8zxSL8@0#dJ1XiKv-D+kp6lk(
zWbVA?T39bH^SzxZvLC?x6W*#ZyNaac%5wJ+OSC3$Apr;lhc3wk8Ie>9Q82cR!wJ|g
zE%7-LJ6yf&ZmN1EXu?PZfWG-tUJk#rb{s_sN`4A~gA)L%b(1qmsY%5UJX)++ebE==
zYKn%!AZ==8`yM)^U?j20^IGx5&C!Tk5M;?`y5O{&`HwZY3|&v8!{^S#%?2ACA^7)Z
zHxTURKbN`X_9ipD-Yau2Rx9t0g;$K3hiR5!Bs_~7NE4idM_$Gwb8GeG7oiXP$n#^z
zJO%!mr-}z|Pkc*xX^f_yZcdb>yIhdwfub+-=25vwsuoS?0zz9ZP8OmLhuuhT5V$O2
zb-M-!OyNlH@^v8G(=cxAH}lhv+`PUNt=(5-uKE_pdX>(foKOfET^QmQeCsJ)Xd%*Q
zv_P4Q_0jgdsgtcM4*^#5BGNNG67e8rocsBbZC%%k
zvds5Q$>Fhq-LiL+FzOP}aN$A2MfY&n#A^r%XPoL!+Db-+T63=p=?_=r!E}VB+Ev~0
zKn*o40rhCkT3Anx;JfmZoU5eA}~)Ba2+PzQPgKHST}DbBS7#(^k*
zw*DP6TUrWeXcg0pq=`=bP8fiuxH#VFI`dPTeRc0M|8xMeOhy8%2%{mUJkj(3XG#yl
z)G_i3u7=yMb2(pC5%D>lRI60R3jd`e#}D+FK;-sl>Q#F9N#o
z+Je%ltSwoH9)TEmPGaDwLB<9J=rb-$N6~?4m8uy|UGy&~>ZDp8;3>eoA%{~S2MIuB
zhjjtX{(+^)+C;Up`d8(_l}+$T)!ppF{Nmk2r`v#jtC;VP-{+F2%~e0EmlT{fv!GTRliG6IAU^2PxJ?ND%deQlhFISnp+
z7bIey(Bcq3ZirZ46NVt=%d=1&K`s{6$cf?7@#Qeo$VR9>4Ich#SD(2A!KxHKE%0d1
z)CFg<$#vjfYNc^}{L_$SlV?Oj*lL!04_2@})nY-NwYew70|w&191i4*l7FuAznu>1NGK@Q~#f(Z?3>|YDr
zvbTA^S)HC-uav*dy{9tYdmAw1P60g*Mdxk@2o5lmf(0C-d5B)%Iew`r9uC;plr1DW
zKje0+09}rj_3w@)U_pa7d+Msf?X-P=Y~Zy|#S+F>po`9=j0HxQ6i!xBo}Zn=!jp*q
zVkh*B^uE|L{XxTMjW^QQnnp^9@+o;_mnntd^SEzmNmD4}XsigK=ua&o9rK575b-nib
zOC*1zAb;yP%5oAXC;?Ztpg)^lK;hS6K>aIERoApGaCUDB$<-Tyb)GAJGGwMg+j?jE
zpb+uX3Zh9UVpP3oBXejgM?1~ZX3(ryUVKUBjEDa9RF|%2G`yRpGQ${VVf?_3@@pt&
zVc0bon^F7|05y1f$!lyIV@}+pz0j_nVy3U-`s~o0T1^O^YplEDVp=Z(LuB1PpLDe@
z2ueFXvmk>It&)R5L|oasStefp)JtTt33LM+$38WC5}89~d%NP7Zg3lVMBK+3U-kr`?NW8d<$^{d4gaZZ!Nn7^w*e
z|3+uX%XJ*JLQmm<_VL}>SbJ~AKIS(s1A57mQ^U*+;lwsbaqqXn6|(6g4m4v&iG$G1
z{U!%?zcDJS(9cD-lgVPDEM-?jH1Q^pP_zq?3P#gIF8$uPrxr67h*#dSZ8mikvx-st6aYY{8+UA*w0oZ`zh?-)bIl;l{j8R0Bx5LS>
z>N7^RL(BuH#&h%A23F;^OTWiKyV!JVyvBRTH(Q^7fw)cnp}s{hm4HOulVv@f86Woy
z6S^;H!n}H2UK($_t}Hc=b<#OV$EhUBlP=;RW-%nR(w4CI6;G=v_IrJTZ|jNTRmQ^s
z-+oivfRVM1e>wPR3wRF!62-r_*m~2vh(WxwF}zIVJE#4M%@)Sr^E3dB`8KtrvKUL{J$lr57k`=721(B
z_P9*L8pU;o{iL!1l_5$rVHna%34Ullmn7XD-i1Iwe*b*Q`mSz-G}jmQuU9Oo{0oY3
zANP11Uf*u7yZb8f{3xS{vQr0ac|r*?qryV6sEO11u)MCgoBwrrq%FZnzVq29D)}|Sl+P^GkcAi@A1c=%n65;@lj~2;R
zjx#$XmZ`Xd?Bux%}e`!6{$#RGQXn);{
zl3JCXvu_P@Svo;D+)F!`*4Kzt`-*cDZKk))okybUTh?F{^3c0;QP210+f6oKs7$py
zbANDHic|uNV(axUb!utFxJl>e16Omv)BE&K+7F%-^qznN8vR|JBk=`T=;#&D`}H&+
zWVDp1f+A5eKLvw0=ukwUvvWGW;5y8sXCV
zxeU{^tj6_X)No3NPO9=+)e3WlAW7lBdbe}{fJQ1r2xB8`W=GjSeQhU1o0FRq)9<)=Oo28sjgRvh)gZ*B>G8^6h+Rb>91-m$a@LP2Y`;w#(AKffV`
z+r;*2${M(A)HSjL$2K*y_etoo`!32zXM3UqSoQ$|CulpWc>4rNd{1A-=`xawK7%{k
zT0$MzSZyz-E;oq+^F8BM+CMJ+l+zjFVeCYp(sz2E(Nn9C4l`!sQ-*3VqFpuqn>=O`
z^jwBfwNWC1#xc1u@_`?4lzjitUIj6dAP{%w^^t#fsJ>Azsd}EVVSCjoa!DhAb|-ma
z@Yup)jh(-;Pjxr&Opv>jdaDK&@d^>?+iN8|h8{XC!h92rNN5CINc|pbJ?tbhp5M#J
z&sX}LIm*>gkLee3?x>0&g9|`fw1_iTM|$;S>L~vS;6z!}y9JNv@*F$mQ1t`ekAZCz
zZ^M^#qykhnFSlg1P}Mq(^Ca_=-AhZCS*_%PZ?j4N1e7w|JVmdqrhS&xI23O?&s$hU
z*D;ckf#B!-?GYo0HZ246rDJE0J^*ue%twRu|K*kJ%Jck%EcnKXQ=o4XH(&^fo}#Xf
zKLB2wm5JU&C!TfPSghvR`Zu9gPw?9tF4*YYYg*iu9n@~bvS+^p8R|vPf|3@&&&gCRgVH--
z5{U$d6e)FZSSB0Ghsu-3p}*6>F?Le=`RdrqT#oz{XnN`SvdEk%c5+z)7ScS?A;eun
zD7`8H+vjO_#QAhdt3d$3#h4|r072LpokABYwNLCx*aFW;`;U;Wj%xA6Kdz8OlmzS#Gw+iE2v~GX`2-Oq
z$I=E23!wBL!~UVCyt@=i%zl#e(6R1Hugk6x*V6nTg&9|$9^i{dUt%pf1-yc?){v90jyY5
z(%x}tLs$jwz@TaCE@~;}o2n#5^6a0J%2Qw?9k&CEK)_a_+I7L%(z?CKqXG$@X7-K;
zA6?JqM0V-xZy+~yLvMgNXK`vaGJ&0w`^(VP6R_~9=#Tl%w?;Uo88XYM!7?H)j^qu%
zB#Z(@*`e4ZlF6?&z>W=H*vk+pspHRw`=K9zD0%&<|4?+!|5S9w|5?$Se#y2MY)C$Q
zJ%X~(n5zt(x_BGc#i#j0bRP90{x13yNCyygq`zpeoXeV>Jn^x5;=eLU-6Sj`3Jx<18x6<^8dv7}sy=OE*-gfNT+n*f+~Fn@U=hs1-PcoJrAKm%CkjUeNq
zt(Tk2ankCsx?qARX?}xH6oANb@kal6)f{^QzxXzed#;jIu%vuWWW;Vm<4Fkx@wQ9T4;4mGm-_2#Pzk1e$7;
zG(3Y-XP6_bog1a9^f0+MNYv*^3{wOU8H+W4x~yfa13)u(?Onk%w(O=4KCa(t_`Xij
zm0Ws=Zd<^b{O&Uf$0iJ>Z8(?~X#ieH*NzF2vx8Q#zv-!`_G^iEt*nnA4#Hka@NQUu
z96Jf$rm;QjOmY`px@^JqifRNX{&5dYgxNikDBoIARBvMtr*CUma
z)=4})3Q!*Y1#*A|UDfp8K^Drnnn=5mBROnkeMT%4n>p}K4txbDhMdXK=5In^*Ae9R
z^1}7;Ybc=wYz@Jx=aF(@V+cXk5jcI~fQR=p&n)>qiND(pmF+{Fj~!^CyTmt~9z)nO
z!8$kqG!eT4tG#4eW$Rhw$vGhMZ)Ad=YhUy^=OVPoGjqbbu9$a
zF+x}5Y6Sy8uFrad5d+>!FT#xJh=HD`ionQCcn-ak-iHcGEt&kofK%S--bT_wUDoPF
z>uSB>t^H+}JX`IfAn7Blp@Jrz5F^US08KY)>A%2qcww&C(?=1eGu~>fd2O9Q^rNdu
z9W`1BTUfE*G-=Gbx;(8_U=)BN{^*m3KVgwN=>R=CDV+PZ&B(IHWM$ldDEtINLKZ*&*Nv1vBW5Eb&`{eRGq{hweneUp|2)!
z)O2qStK}=|tF$V~!L`aiURFVg1o&&Oy6C-r>!apnk_d+USi8>aAoU-n`o1*m?seZ;
zm(5OFPno;?qw%(%J>6%`x{O#oQ7N-1`^E
zrat}pic2(c;SPn+$q0rwwf><(-BVVqCY4x>oZ^g7nz&z{O7C}6O}0b9dZ)<9-|fIW
z*4IFEi!>4n=U$3Z&O*r{5nZuix%y8m%d@QbbPzD!o>A-{20;ZKH4S9-L}I$m@pq~!~B@U#N&H31zan3ok@T`k^^FZP~8YneC$pq9mOtg
zBHSRG654wrdsn0pR(%QH-l>0n9bbDXIR&<6^ZyN$5wu_UqX(J
zP`x60;a)~$7zG7W@H0oZ^^86Gxq;R?Xvg|Y&~vs+>NZk9_yZ6fMQ81^qQp9reezb6
z24Xx6B94bEKVe^#q^$_w4kz<>4935h3O=$iS4t-FEh_7OLUuv^E+x3}{$=K8wTPpn
z0mR=^aF71Rvsfy9%6i9n3rtaa&O)>U^@DtNkP>z7ike9bfxR?4b7-({H%>EgiFdMW
zV-;u%btQ+dpyJg%C*+x}qf0SA`{;aJpHy_%d@~;`MfE?thjOu;f*EI&7IHt}hd*@Q
zu4IflAOI_R+wu%Xu~@*+axX_Z*}g5tgOaV}U6k5?!B
z5<+%ev)BLBCJGc&OLM;L>F^M78{>rz*D+-ybs
zg`w>dmna1YXo0+t9CE
z_z-$o*}}l0CC2i06Zv|mS*g+KF=ZMTFHVc7w#^r|$XCFmOh+0vcG4F9iQs-1DZZ4t
ziyjY}{PzB8vG-rO0o_XX&S6M!a3di}^toqGnGNK0uodGDe$O^xiiG{99=G;n+yx3v
zK+5Q4!6KDUFcyZuqa=h}m~)1u*51q*GGX|-%z7Z1-U4<4;6)Q!W2-ha`*JkaGTdrn
zEQG
zBnz#+lC*XW)08BcA`;m%LXO48<982S;7A)`A8%XR66wu%Klnqx-frXVxtZq+at;|U
z$pd~VMj*>6F;5e<4VVTl{z~Z4pZ`+3sgVG)>)=qqN9ejXqdHJ~O)iWUU?hPA)~%fm
z8u8qbx{eDmYIZb)YSrS160=3=GL!JC54+o&ES@v5o9XgBGVJ6k7WHSfQzk5dE5VLR
z!3bP*hQ!e{Aeugx&j1*ugY&iCRbzF}3RlzAX51izh6#@A5InwAoQk1SiUYDc^>{?W
z0pYB{&sd@vG`}&+6N-CRYrN|;i%}3YjE*Va%_WvmG|_0mz*8@VI*oSnee8
zlaezn^!fFY3mm^pgu|lk?EOM$}L
z0bdC*Sj9yIZX7UX#>3&mkRcGs8v&mEQO^k6?9;Wdu-S%1{hK`vl7vr%r
z9}-zX(_t!jB@?dGy`NA(WKVki#RDJ(zHb;k&AZNB>F~y|KkIKxnX>q@b~@$ZGU_Dr
zD1sp)H`bP4M;}qf6kWmc?S&G9y5Bx;OU}D=UjPJeE6cFG(reRU=ICfp21$>j!6JTO
z83-M}bfqf|*IQSel@k&BE{!jx6~3o1O42V(!H-nm@196>mXN4s6E`?m}73f|U!f9mGdaBrtOXduImsuiJ7P!lRQ2tX;Cw2dnivm7VQ7ak6SZq)r?V7Z0w
zG`|G<{I-nAnBG)dcwwjdP>uxp5NRFjP@YNv)wt6#Q^r_>0|}Ul2#K8u!AT<=1LG87
zqB)Yi??F24N~SHWa;RLZlWTi-P^bF_6&CxOT4lTlbWk)>eWRwkbSG1)*VD;K^0ljJ
z3nrcS*r`Te1<>XT=AV(wzQlv#Hti3Eo3y|)l;7n`RND=YY}esT(1#;_0^i-;VNlde!brD3j|{
zZfDV?StY(aw%d7nHdL_l8nv{kymzE2BU2fw}+*aHjMz|-s;4nI@6(u@o)0tr6EbSSxEev0$tApKL0Mf%b@_!9k0|LC}|PIZP^$734kce1JKF!!|hSU2$Q^_i8c
zB=s0AJ#;4hu9Gu&6{4!Ec-32DW{O{0K%{+%>?p)@{n~yy*-@`0D>^iRUzCg45{H4Z
zMv^z@{c-VopV6_4>$>vl9U^&$jr=yv$a3v~_}Y=Ij2WKRGrWys4u8M=o`QZC4PnL^
z;<;#FTnj|Q&Xp=$*Bk5eIC=~3VXd_L^%&WN4~VpmCtx+ja4p=NN;J(g(1#&yYH`tZ
zdJ%MKD#F1XZTG=rMD!8vx^%H5P+X(KW}*~}9WayRFBsq~@UC(7aBy^MYfAYo!bb3Ft<@0b)vc!ax9fEp8HXn~ZV0^Dg|9H31E
zPMz9HvU9gB^?-qV#T3gEhU1X(stk6#aDyUWuu!Md0oSD*N#w0b#z+kLJGDA(mRWxV
zkVB5Hp@Hs-;14RVR@>#r5yvH%^&?L0`kwdp*A*QA+=Z{7JaaCAhCvofDS1fe(%Hjv
zu^;NRQ>H$tYN*+M-p>v=vC3m?f4A8%$IHntFir2mJNTv*6BHgi~h6W@GfrQFwEXPPio=qRcCgIw?drzOgrlFYiQAXIm=lUqpQdVELCc0U=Z`DFiT
zjYRDEHe*s~eQk|6S=ayN#Ee9`Me1B`2+&Ed4s!g8y+a3z_PiF(*vj-{;2%1bo9YKX
z*iYPS^Y7Cz4(Vx1+ooq$VVz%bgi3q;qun6Y$4pEZ33BTdv5D!Jpw;RnIRwR#q5qM&
zs5FY4AkK+2$tTBLiSW|jyb7iL>g1z%qpccJ@sLTUyX@Hm9Mow%*@9C@PPYumMw=6;
z($`0pq=KmrnQ5@}wTWQb@k07OQ#;f0%pROv_7Dn*;)HMs*^bk(dW?XTP&e4wiremm
zIA2A!dZ!k1^j%2cs!O0;4R_AcG9gfIo<7+6JQM?b6@fA`FbI|7#YsOYQ$`9U^$osGe3aAy6YZ-)KgZfr3&`IK?6jOG|5?7;(sZ{O+?qIlZeprW5Z$&h*qiW?`!dlS
z4(=Js-K?p&zMfRP=KA10wL3?~rA%4b3=zme-)4&lV46A|q-WdUi23p+4)xDCCV_26
z@~zp3rtl)ZNa^X5C+}M8*E=$?d|$e;$Er%S772V7T#)pXILGzyE^ec*kUree@#}aF
zgHYi2#6A+hjP%`$D_}wvRh1hPksD0U{ETLT0~2BAp>EytdK>&Xda7tbjU3aiL97pL
zSBUD1pemi4C?=2x
z_#2?pU49mk9s9QJ+TQ#)*V)!J&}tU%(b0m9WZ^xho#d>Io8twX_t{ef`_kS9QXaYx
z%8$bQ(3kcFVlZ4b%{Uhx>$D|*?(26>fC@!+7bUK*I1W8SpXs8%ypTq~+pu1;yM#Md
zCEVd>&V)!F?HY%57F;E9lTY21S7F5L9T!|AI^!jt7oKJ-GGw^uM`QZ{K^9{ek3r6<
zbVHU6xCH|_O<(iH>pEOjHR!-c8qw4|9$aMloBMQlxV~sl;%PF()-_23X`MceL^~}+SMH&L&&adU9yA-f_cbRYtoF$XA>^*8MF4?`
zf;fByqUF{VTTXAQ#jmN7B{~m!wx4ftyEi^QS|{n*^D!zPuf{eE8D+kooC`vaQ-KpP
z(N?cg)i=g@W<1L&**zRyn6j=OB8BPc`CD{lCCG@7BgEOWpkv&4k
zc{XNR6gI1<#OaUOer5T&b2h4O81wa3DWM&N*wK)-fm{sF(f(01Taz+#Jg1|`xhB+M
z3J}BgS`<{>tisRi1alZS(fZCpKqAg*W*5%q`m3AOSw%MW-3)SW;Z}XK#p@$pzXB}%
za5v`ZK>+FgJV+7zwBraEKO{o^UomqHAlh|`oAh&vScbx&EF?2k0?#Epb
z0;Yu|REpk`rr6;HB_Az<%!d^xm<09JI)&s?B11I4Pe^-Z(No0^hkw!>YsvbdJ`-#S
z5apO^8Zk_A6sv80F~z)=QcS&I(iAwAHmwTdOC6*RBVN(&evy)>X`|MXB{eV0bow$*
znHIfz$Ar%sX|;mAz)I=kHr~`s<2FAH?J5f@>bkEKKI^LVW7nk-(#!i!(VK_R#%o3g
zu;&*|Wz!!J@;BB2(p1X>2rQJC^
z^N*i8DlMUtV-LP2o*n5L)7l!7)N9W=mu=@b7$B)z>Q!Z?;_(XIwH9h~HOwZK
z+cx$ZOC-_(M?R8LXS)r3p~e8^T6YR8@=-lhlH#RK#hY*z80pB?OI7k!t+0Fld@L8a
zgpXfV=l7=K4KQ1;T8+_@uyj2FR&+`)P*lWd3fWb10|b{D1I!|!W?dZ(Z1uaqAiuTD
z6CH+SLrAp(Jc)O^CK9l>a8bGgJy;X|)Z?be+MCx?Ova8Pf~})ekv~AZR|&c6TKZRxM=UoV?`IuX*7vWBo_rqYd=kP$u;uoQB@+{{cM}in
z)lH*FUpZ%0{R>W-*BySgq4uRD;EkCmPw@mGlEm(33zJQz_GK=;K(ne^dU$+pnd!y)
z&B)I)KlL44a?X?HcD@eroYhw^39+Xg#aZ?4Z}dJcL(^M406uF)J>#U=7$RNTH;>zAw6c>_W`*XWf9Wv=SA=xFt_foC`+#Qc#Fu
zh=>ri0A}hx-mbPc`~ZbTZ1jU$_kW%}eLcONYWFL8y7u-yzTT&lRI@EfvU;)vG3!YQ}UoySv)u(;=dLi4K+
z?5%}7EBpy9si*H@1`nwBhUN^6NoRvJs$P0m-l>=&$BCu>AIjb-Mzm;aw=Jx)ZQHhO
z+qP}nwr$(CZQFL$so&A*g-a81SIOLr>t@cVTP{igbB0
z`Ywu^{SMl9z>^Y1kJO>t(k)yI7NN@-VaEUzUaSs-@_CN9b=$j0UoWDwto=>0HdaY}
zJ?x<9X#D_-JK{Az%RaKmzh%4pj|_vfT0`eqVN!|c2m~)SXqBh=CO%L7yX`=3_AuhJ
zcd@8V&(6Q5;kjasl9u=Ob++41ktFYCO3cjp=Rti%vi8_O@N(t24qDQ{`>cMeU2G?d
zaTE&ulzjf?3(2{Q{IJtBuoI})eXK2(;IGxazgpGA_otzV3hiv*G@km0p
zTLoD#LkBxIHZr>n6qh<%aCeNe9`zs0Mq$%bFjJ0F+us0+ks$I_ZH`qaI{?ZGT~_x|3~vcpX}(JEpn-vbR=f
zRB(gLLAey5ht`@Q*MDK=NQ%KN8kSO|d&*egQu4ri(hXV~)7e9V
ztA$&`_Nw29#u0{P691!}%U*pOH~h!L8;KyD&H@zDS_SQGVL*&sp$$$2JfEV52bO`2
zE$(NkSI+nQ?5K~fAD_;%2S5W5{NF)MpAt8|xemiTWBA~V3bfHbMo^CluRcHUi3R!D
zX|p}s>FxSdOJVMMnZaodkOpu!Kfe$-Pki;1L<7oKM%eiEEqgpNF>#k29JuSLVPSd^
zxf`klY%C6YaUqtA@)DJU?8US4)ZoCqR1zbGn&A#K|I+CLX8N3lB7r;({=v`w%21W(
zcmjc>k<_2<$BsvDf4O7I2Q-6nEeISKp+39l4)ysI#{tW>=hgZmC;;ngxr3!%FzF6Ou@=EOq8IbB!&U1$IVOk(#PTc-mQWrn}hIUw>wjoz<_NWX*3>wm!(wT2gs*2lHAyoL)V{hQG(dX1f0vUBiRah?hy!4
zcIp{J0?`pGB*w_o#*U3%+-UQ1Pj&NWFHgTa8KcCA)yM0=T6proFFJ9L&$sRG!=MDG
z3HMK)+~*AnjD_uNvKNjDKfQX`>ikmV?Ep;L&!8n~4FpCr56BTm5MvnE3{?rpWBf7^
zW$E!<1;T5W)
zY|QsbNc^PMeXz3G1Xy`Dj)G3aW(-^3ZmiJMNOSfj+9k>Aq)37Hhm1&RcqUp|%n831
z(r}||q5WlDg6QBtC5{Sb=AX(O9trpph^&fE-Y9;UYVg@+88U$08{8qNH8`$d0IcpK
zhX-x?x4*cWA(b%)O)&|IA$?MlcUecdxoC%2`>DNi?gG{GXEtsN!u5A?oV#$>j&L@p
zJk4x9lh15`;DntFvQ8uH+4zhz(v;$O&)6a9e%`zO4R6lxiS8fFq~Asnrwt+Cw$NHV
zWM8KSTsj4h9~So@Hme}`X3?*3-f>9R$%D-!=OI$
z^cn6|f^;{ECwz`eB}}o1z;zUd!~6+*^`E5LtZJgR5vjrX{mMFkZb^I{l7(w0Q&^t1
zXWwIrM0JZYe|X9=fBoKi$(n*wqWrX;WP=o5
zsv4K#QMhuK5X&lFaMvb<(B0Er4Jcze&{@t_6H@cn22}*1KLSd4VF`FmB*=|_H6;BB
z)-4sI!B)m*HTEqW14&?K7ePoto|)vvrF755-cqRU59S9~ct5K1oq2l@_-3ptsOR8P
zR3KKnG$y)ScQvQ}P%oPG`HDzER?4#Xbls>
z97V6ADx%J+aBcRf$s8aNRAn97M8Fst*>G@fo@*8ErlXePNxd8ubE1?_3=o?DuRAx%
z5ZutfIpDd3rdyA;4d@-#qc+U$#dno8lxnl_@;HlVk1|yx5K)=v+F}rRlW#dnn*X>Kk
z{Re!RiZoQ)O1JW6Qv=3dQ7)9l_PISCA-UEzJ;=V{f)-=-ALVxk8T><+`@P;=uaJZ{Lkh5돿Tn
zsc{p@-=WQ19%?v^N}gkBrEd!
z@dd-Q7c-PUMh9ZP9NjG;7nI6!m&x;CM7g=VND4Ml98KRXP2ZasmnOtb%ALpx>!zf;
z#F0m+YsC#6e9weYMvUhZ=n&y8yG}xsPT!GGv6@4s)!4dr*D)-jGH2RVX#|#Jb%Az>
zom?b>7X~wc_=_e^1)#X~?>pJ&-Jw(@5Tbpb
ztg7ffF9e}Hzl&$Lx7Z18LuHck7O=hrZ*2g|KkH4mQvd0kl)CaKS|f>$sJmMA{NQ36
z5;1F)@7Ic(TKO9sUv)3n;4%^>pJD%4>ncS7v{%p0>9j!A`ofV=&_0H?l&p2XpX(*C
z-H8kC-JJ=9(?pmcc!4)Um$ks_y19w_&z3HKu7N;ik`ZKfK|CaUu``dDJYj^b;0e2Zy+s4!@!1r3r
z<)DsC86}utB`rN4_jOOGho;*PCJ47LhrV4mP;~GvbQwYr*4g!)qfzwJet92ngk8QrweT;+noKG=Lqsr___VEs#|vuoRcG#J<>w}>C(g7a7X)@*B=bTATT
zSvGWIkWHI|MSGbQ2+&p{e+Y1Vlm6Zw7VyTtTo+Ko(`D(&qY70j4Y?ozN`=@IN!^xr
zG58|@#7+76@kws2868wUbpXf90+Kes$3}v#RwuCTZ6+Oj0w{qUd8xDusu~yG+3aH`
zttAO^mkM9C;4x^c(FU4|7S(7(Ky$$$bO{`q*N+Wu92xm!Z3=t3#wzl0ecBU*#4eJA
z?woxJ;!RI|s;vvpGB=H7^erSL&)wyxw%nrkOZPYe`+J@7hM|^RrbrW}CB9aLe(qtv+NAI?7ZL9uwH4hKJ0aQ3O
zL{owfY$!SNm?DnLfh9YN&KtR>or*I)w?T5KNC8}E26GbyzH*)tg13u+cwo^o1X;-w6gsuk%D{eW~i05XU`>qAfbL|KfvvF
z&167?__`~)1q>PKZB#3qeQch<=bRsX%v0izcB8a5Js*>%i4;NvWKwzv??M3$?xmE~
zCvGMc*59$#83w-0&Ra6fO6_cDl`sUDG9(cT$>nhlr)L6<&k
z7^;5f-mTFOpsUCE%(M^DWND#ONm&NpC45h
z6(?~^X4ri+7>(=N+S;j#C7O;-or#q_J&C_R|29-cyo%I9$Q5&HYi(60j|<5oRW2C|
zVzhKrs`iq?$_%z{XIEvrj;(I+ydLhIU-PQ`w7b`A8QpG#DWg_2O$q@@3@-cT9Fv;A
z)?}PoSx1St9;MGF)V_}t43iA5E|gC0v^+0gyL5WGO41znGt4-pLJtmRMnr&*_Dz&n
zw_5Rbj};{u$I2r(6w|5oYFdyy5)xVN^wC7gg39uUyzCXtYX&$BzEzrS%)4|n8a&`|
zYV*kSzC&%c{B_}>O?s~O@>dsz(C%uoJHfZ9YK-tOG*6mT9T_HMY!o$(Ni&@Xe^bBb
zfcc)SKT~mh;8qjPo0w~_??%zK-km%>wm)Orwq2v%wR?X~&d`T-R)pu0-O$l}z04tnicpkRpacTF;W$(W_0k
zYX$tyh~e~BENI|Ydm+YTaJ*mU=Quj4npzhE*%fDKbu2@ql^GlA?Xrov
zme$O>O3!4qR(Ow*AVwdn^XXBy3{G&%Vt?}pTilN!iI=!G3|6R9W<@S<-hrDom+~3L
zB8%V(Q79Ft^g6O4RWKcsIkdK_DiltopWoAWisB+_%37i8db&SNMSvL%T6s0S%ZBI?
z>&+?ywctHsBiT;3Gh~BGB1FTP`l6S|<024B)=pxoKECDZ6CFcFlV6-+E(=jY3U+&m
z&NA3)ry!sST?P#QLe#4kn5ZZNcjldU?5g~gQ%(m9v3_G}YC*^_xl>d$kp~)@e>vKI
zvfwBlnKq+me}^8v=_L}tbCsM+0eb=(H)Fg72(#AOzA%zgy7SpfYwP7BV@hMCBx%gn
z>AD+31R%P);@J@3AJtbYysa~%m6`0Ms3WpO#vEbfOd;hT7xi`F1<%D)961
zeC@3`f8ccH$%U*ndzfFeBd>sOs#w8h&7x9>Uodd7i8|H;kOJZ1y{^mh6q+OWBe1>#
z-$o4~5f|9SkCi*?n8uHJ$;=gvlL9K17#`VTb9))k=Wv$aHn%8|$p2oD<9#upFs3+L
z3J-r(Y7zjU9N+-E%a*>ff@h>9$dj)XL6rRm6*Xk~wEFmwXf;{j=@o8FYqLQ4N!wVl
zrn-fnc)dtk>A6_M&v-I)v8sPS@O~YGoF?m3-u3?Pzw!UKgu8fn1h@}Poezwxc_ckh
z_{|-Eq)oGaLjZY2am}I-YHAIwCXGxgmVQFb$3NQ;@H|qqWSuNX$i4)sg@BUs-9|=}
z88Xsj1NoQ&o;EoWy!VA=TMW$B`p}-XbdQTJ*0^L4VJ(=Gd^vJ_W`9iEgm#{vsH1on
z>svEc#f{B$=GdL@2+9d!Q`{F;6rs*jqv6`EtO>QQp~~FFAeDu?
zA+c)n45K3m2j_?#Ie%2S`3)%1A{i!r-``&^%a%kjwD@08pE}Nv{Qd+F0hJFO{E4CH
z(wbY82lN|pSuGjt2szU8cbW&!k2^-2pYNcUgESr`?K7xxyyp7t^TD}r=NXp8z4#FS
z4P|YuZq&4Y^+<6fiRmc1CiIXl4N=(E-djs{kGBnbKbe>X+ZSW~H#dcUAa9&U+lwF%
z6TC2!CZMJ>-T&mSEoKzMg3sne6Q%@>-YNjV`s%vZFmnu7Ps>jOjyoCK7V7?2kRk&)
zHlAXsVD@MND$qFnTb-x@f2tB&5|QXlfWi;dRP*1is5vJ2M)PKNHzABwrrAC?8Jm%!0nrT{OwrA);7I%N4(it(=vsT$OS#GG8~?@?
zYwDa#b#f-3T5xrikMW7N8{6|&Fx2qt`!{OQc8oQa%1s@Z!?)xhO)atDxs0ve^rdcQb5*$PU(b
zklxUN$}bxL;Ha|TA{`mD{sR1x(OOqxFD5`~D#U}RhSFHw+4RAYgs)nI`R@i|#z==9
z9xglqiJZ7KW+d(O-57mjd{8k8t;~SB8E#9y7WaT>@opM^y;!hre)-!^kgGMQ)w)J&
zUq$(+rjdrC3|Cd-j0_^C+x*@)F~sI=>wRPvJ2)c^Y}!EZ#c~#Q47+vw#)m|jGbvX1
z1s*KKt$i6bJ$t3w(b~r2IZSf}-hasF_f6?W6H4p>S7JlY8UVX6e^M^bk^&=9%3v0`
z!gh#}V|m=?igLNoAt*hif=5Wqt5CSzfq1*U1#==1+^vBTxC3=>VhI@ppecz+-;#u)
zp|Pd`f_*D6ZZe&0ycfgyJ1a7i$1V5z9C+6(>-+aVcW!pEIsMe>rI75N$k7<_!OQSL
zdF?h~VZaB$Xx#6)NmIB)>jCc5v^v?YIkb=l{aj5gbiU_bug@B2m`w1KhP-e(7`F`O
z2SHQ;`%}j^x5#2i`D4`2Jv(q)dVGLmk3aUC*jWQnn(g(sdYz&Q9Qn;F40{*74zd}d
zZeaTh!%|TYb3kN49@`O@FgsuQ&g_Ny#EcI}U@gUYa=m`}rd?Mas{Ib>%$jeDs*Lcb
z8o_t9J9~#GWie>{tk~wAYdjDHP;gr<+AXSM1CU?fcc{hIDSON5&H&6aOM-7(xXDgS
zpdVc80L^E&B33$pV&tyhC3n561x%gs)cz!KcCsgxs)Q?0B=V>(_kIk(A`=|
zgvVo=e=yD|)^T2`I&H5Gb%@>8?6C!I_0o<=PS;Hj`y>FU^riiJ-?61K6dX2yXtLw|
z`Kon5dxCy5j8ESz{JK2^gUfH0j#1tf+__>%!e!j*W}?8PJo~FOO0!12nV4m`H?M|Jt!b`;GE@#Pop9
z*W>KzYiy+}Do?0oTo^U%!O*1(JQ!~1`HEqS*7p>Yh)nbTt#9hVy*;l6Xht|83-8C_T<2A0
zYAcUeQ?$yRa`IKG_W+tnb{OMxEL}ovWW!IQ#+s5;UFShb|Zt>P^-_H8{uNdlqMB{ZeWvMX6P)6faY2z1i#5lfhS5Jegi@SY;T
zMJG>f$bEMf`t?uqYGw55Wp_(1`J3Vs?&zOeBT;;Az3mok>UP
z$et^_zpf%hbfqK|YbsMwBO3cH%)}Tay0A+4q*Tbk<>xyb-hBDxdwPAva}LzT%mrZ2
z9DXucP4dDTjJsf#R4V%@ZSI|%i41NTuNo&WCE><`=vAAL2-HW?0V$~?m~-(EN1-7R
zorBU_D_*!j^7|~%6*W-(fIY7DLU!&A_E`o)t)i_w%0SihuRU`1s!#IG&=aB-6?yTs
zjr_tCOhQW?h_iZVF%w)=B+Fx%dkajS5Z)>Rb<=fMKF9nEZulb##}>~7&f_3C8f?$K
z4OC@ir2E_|hw?Dr8g;`-O=$$_X7IAee3|6EbdAoFMZ%CMCc{O0vx+7<33M5HzUL_~
zrbZqhNvcH#vBNR)Up#Qt%wbYttIW(H%V=z2v&~4$G?A<#2&Lx}Ky!@L{9F<}vHo2(
zDW-r3X{#{isd2!HLktFhaRS33QILRBbqy
zR5YCQGIdmi!?Atoe6Xs1_rNMhdo>l(G)Y4b4tS<&lIrx)+`x=e4AMle%xjj~0W#|EV>DWE?3s$Qy6p2<#+h`ng>6SfU
zP`C4U4WKoif7I5D@;PWA6Z!eYJ#}JYXPaoYFr*ErfnGpKE>{|QeL_RvAIUdkRP)Y^
z=!Onmsn5M&%X{X@$R~<&&F3KuOmeOg=Qi&$X8h{9bRoq+_;g1xzU^F`+_YBVyyeTX
zYIEjc9xd`%$XufYl0ON@kwr-pKmwlV4z|9b&;#rNZo_wRovlhqOKONtBz(@Gjr1(t
z&I;Txw=}e>e(q)jm?V;
z|12;hjp>Ri)XWg6;Ymy%_xnpxe!icSp}@R$E^q-`$WQI3b`k?d^$)tr;I--ou5?+3
z2df8Uts^ZJ_drIwf_s{OOqH}0LGM231-K)g{&v#Rbjk@0G%+@9rbWV^ST%0BNQ3$zHVREJT
zn7hl{$P9g48CaJ66D>)kaU}lTqD)J@Yn|g0s)Mma9u`KEj@H3G_T5@5k+=1kEuT~w
zV)%i^E2rx6^X5a+8}vp*-h1-;2$(n6_e64o-8NP)MaTMn$}s7ijn9ZrJJjS|tr@NO
zUzG)07#5Yn0B;&}HmI+}RLr8X?X>kD$9$T1_Z~#
zwd(dG#|KEn{L}0yxmKv{xZS|fGSuLZdfg|SllRyTQ$_KsFyy9HV0n%09GFPM_~o}s
zV7_e~5iN_fmf
zrxZ}sUXuL>i8--Cfoj)fdA`?99I<{A>O~=!mxXNkrB81bi53}rg1`nXGljkJ4
z=Tnpu^Ef$`h+T<`^?C#DZ{iDc$2d2iC_c-UFBqw{AOQ_CAlu(UX{t=jTFhTXScGAB
zNfj3%h4SLJ053KY$2%NtSR32*fvX%%3%cVi$P73mZ+yMlEk#W^rrE2b_FF{wP~F*_74!~TOpdW9=w$thSqqgbV}%(n+ysBt!kgm$
z`CxVN(H@QbOLmv3!T6;b!ff9Bgn5*P(97D_s;Jg*l#|7!LS{EC`!<+2E$a(g8LQhv
zpFj5zk<^Wh+5qCm(?o1j&@#}#)cHI87{$1)m0oaW5KF@+7tLsqi!0<2#ss7hI#3=v
z8f@mg%DJ-eTw=`@0?3=iJGvpnL-j4ZYj!WkO8*2CQ6*nxMgP~PnvRB0zx8d5JT~B
zG}nf1N(EzoPw)P<5bBUPzk$8uu(RG};-B282=5G&Ji!egKeb<BvzvT)9g7E_`xTZY$zvi(7;~arKRA5~c8XPMbk(rsJ
z3La=qLm%xiTLeCznlKWe1)(9o`aB>q@^MaBKaoL*9RMQnEDFFEiM)7~TMyp!0e3s4
z>dn929l?J|@mqsl=S7knTx*gkno-?R5PB;S36sEH@O@|;LI$3lppn^C@Z9n`I5jAy
zBxFUV@om{Za6@`~-iSeg2rDW=GwTC@fsA^HB2dCWM4m=@7*d-e9aXi*Hyuqi>fb*)
zgwrur8>eGqO^2fF2gRvE)(qZX+V%_#BSsQd4MXWr+0@j^n#klt?;ji+V8z4?*iGG5
zZgj@r{ik%UksOhT>;m^}v3Ro>tXN?j$l_q=;p$YUp4gsT*dd0h(8dhhxqh2r^YA`j
z>)@QU*}d5EVCE9~y&HN*g+vcG?mc~bx;1j<>c%4YTz|Ox+PS@2zma7TIT=5?&y=`N
ztwX#5x_VrM?m)&bd;#65`6W;dl4~CB4DF&oUI+(Ree_q#mnWh}hzw2L0;NFP;iQy{
zcx&%`WbP_n_{VHQ8d6s%@V<{yghpsB#H^tY-c6Tbsl|D=pTF|sfFk5)*jbjU2
zkg9uKT>~5VqG;X%sUinn7=XEHpZ)sc;8^&#Sop7){E0ox{aeETHqYlkUIQTNN_%5Y*|g7s
zoy+`(y-@7kJJqQLTo`dPxzYHTKJJ3V;@UUvtvfo?>qKXrIltMvv2%+8WR@$;9Acj<
zTGhX^)eL0$S|UaQgRo*_7=T|+Pvcn7!}4g+{9xtcVnzQRTzq^wcA)P<_jUVT`0e%R
z)$x7PL*vn@U1c>@eHuTQosS?(M=<1Jj>9HVd6}MLW>{o=oQl&%J
zY~KAB3(n83deHuXL6iQ*gt(&i37t`G&3c<~I1d=zu+6f*?#2B{(jT$5Rpc7bU)_X2
zEh+Cni)Pa;l%@ZwQvR%8c4WS-#!f+YvdGb|0@!L}AMuW{LnL$=OG<=$DNgp4vo*To
z)*zIjF-_9n`y2im0HdLP!dq_|K*lvdh^fK_#(oQubmOJI`I-4}@&&rHq7ApI{Wh;n
zW-{G?=oYw9cr05#C}X(^(Tc5f`KRlY^#R8Sa~j&-Y<9hCESoE%gR*}af_A=C4fzza
z#C|TVm1gc=r0RWaLsR=HuyDF$x;a(a?qM*yWV>N~ooz;rD2KB~DZ5yOP_=46x%xvT
zO_ifhiK%pjjc*eB@wf7oEoc)L>;JwQnArZ)ZWJrWf6d7+(YSKjVnzJT?GxN1oKXjV
zARPCV$`V_W$eJEu>&dv1iDfm2Vi36$pN#$cwKW3dJ)V5sn%DjZT)$y%kG5#!hETKH
z58>l1E{#sN2gx&`ks0;j@X>TYgIJ$Z^B!akA}U6Ac$1#s<w(
zYom5mvUEzvwFhzHk+!RaSzfK`SNredWe)OD&QGhLm8l`aPAgBdb(#y7rduQt1_bJe
zWhZl$BWFuXjuE+rE0$L%AO=(^d*1EiY1-O9z{~T?)YjA#+`q5Kmo+)NzaI}b&|Fps
z5~jx8>Q1wYFjG$Iwp7XeJ`2k$spqyWsfx6BYMOLSrQ@}dQ}$iDuXVc>=G}B?^)%ej
zQYFPYzwq3gnnh%V4pM}l?K7<>9uE)1rVc=dNTCuY=ZARmrrOj@p4-bNwpfK-GOGk6
zX=^My6jYV0(;AtdcQ282HcKsZ7eAo7Up&TrVg5X?CbGvVOaxMNU#p)7wW5E`Wa6zz
zl@4r5s<5=Nz-ay7(UueVE4}RD_d{lL|zOR(DoZxMc$qaDpr{=aQ;Iki;e_*6$Zd!BOlxe+`
zWYinyBS1YW2jok{C3q049iUdlg$B$WntM4usee;d+E`#>i`GQmVPTN@oJDN|6OO|7
zfO!S4_^uJruEy%_czwK|Uh$X=
z(Q#<|^Vy|kRhM4&ZOx&y!L$HWTQ?w=ee=^4p0UtD2sJvBPeO57TN{+Nz}Hf;GsdBM
z%_(S-$w}!s!o@gZruBG3TY{W&!5;(}3Ow%!&GgTz?Q%w^!Fgp2{3gF&Wj>&ng5r@$
z@)_JQZ%qDT)@BLsO2nTET+?T2Vb@Xj3=jx2zw|cIXw|R`U%;uTn+z4&$Se;5~r
z;ZYiK7%4)IWDzTY>dlr50L!1>{k1d|`^KN{<3`w;ZZHrI%~-}7g%8b+=;y)I^1R~T
zsv<*}ppK$!+q1att%pN1vxNYRrbv;V^ZHEHSYx@FZq=Ve;_8CNf!Pf
zi#B{$wPbp<;<%Eillfe<^1{C$KH
zUoWzKB#a5^C?fXsZ0dIQhb?=q^x9V_sAid1Ax~&Rfxhb#d^0^(D?wxnjjKBUFj|vHxHKRbBpp|I
zWzXEoqnNXpCnlES%#-w4nPZS~+G7_6AfTEp3k;-_vM}KXb{}{K9vfJ_DSOGG>
z1tx~OAfhw}$5q-~_zb~lKJD5@?VTrxuAkhqhkL=f(q>PYD0345V
z%!gfT;~1tvv$>z}Kyom+w*5nVrn71G%TOzM-lG{nN1}r4xDqcPK7$DUEb_EZ7pA=z
zAu|d%niUV?+v~)o412mOQ!pYXo)1M2MXFT6GSY%3ALA(bf05433qtM&t#-B0F&L;zB9TF}oj>XHUyRw@Z(q^bCJT4k<$;Mb*szB3LBZ(cg!uGVU15ODoeB~2
zRyXkbl;b>=qCJ!OOl`?DWTEndG=h<^N(sj0nqQrI62n*5
z7-h)kO3e?!e>1yYD_k+klcD5E@$;B7kT>uz0T7mU=YNKKpt@!Pb^%m?(yhEjl;Bck
zGVlyR<*N^ug6t-%d$jUwSHNlsUhDrLb7(~Wa{G??QSC}U5|S0Bw}E~$rI2rwS*Weg
z19Kw*Y#02}Ib3rnee~T4Am9twW1R^EYa8TmsHyN>Q3IL!waWOk@#W2X@unDazj}u@
z%?j)E*FvZ*nQ*18pL_~4xj`EeyK2Rz9+mXZTque^rwyWYBlG^0V9U7o`&j<^*bKq-X=e>=)ZaH@F2dEcB9_15{O{ND%VH9NBOgs))
zaY46bm=3J0E6;#4R=w~G|1F`LxVe3s&i%-50L}$Qw4-$j2)Da73p7#3qo31aGhM@;
z++?5v&?|6;#5o)}$!=G-_noh9_Yvejgxdd10;d1}vA`$wPwENZdsj#AS
zk)Tg=`x(@J?fkXhd+{1n*oAm{C%m
z)fl4TfvfNcospmw9g(B*{G9kfx-xkpnJD9`#;HW{Vp~Y5!dh3^Onay(Sfm0I>EoX|
zxOBM=105QQO_WXMWZC86PWYaa13`1$p0%xAZ|{JWqi|$LmCe19snzz)-55l*F2US@
zQpv{tE99Dmr9N4D#-YJTX0b_>A^)0`cQy@9avOOg#|fJ;je672Y}GDEwD3<7!^FE8$~{D~yXd(qtz(t@Z6vEQ?A7F0ksFS$t)}pY
zSvhb{T(tSTf4`HCnx2-nA{bB=q4p}&k1^*J@Wu^y`s%9)gap((cRcy9Wl@CeUN*A<
zp%G~br{@M%!wuCm(k)0Nbf_KU9Y2Lq4S8tL!8b+u-_D^E9j!ak179e#9HYx!M3Ov=
z*5oD0ZD$Ucx|JW(D_C{u^{8-&3!ecklTX;M(oOVVZT_
z-Av03^vg_GO~bquwyailtH?R~@}*WgYn`;6-+YPTUcck1
z_5fl^Wk%8oT2zTdp_J4G{K=FiLpR1a{>o6?@JB=Q9?a?!ni+LTQo>^3TTZmd<*q_H
z8erWAKsVqkzv`WXF{FX(tv7*pvbmw(b%Ee`)*ZAVe>weqQaYT$H-R*lBT1^D)k`P@
zyEc#jtSX_XLf$F9F=JEk^_2zkB5Rl@3Jk2JG8jVDIOA>66GsulG74VF4ppco7Qhed;*W5neXrG<
z_zn!lS?TRUg8;qbYKi(uRAvQ^e;#h^`VfHxRvza?)YDoGilH((s8v6^b@kB+NPpG5
z6AV@F{9)GbQev@4EzdK}8i3^N10&X0U_D2C8DEMzx1d48!+7Ac9c~b!b#%wrrTb&Y
z1>k=#x3Ul34C1--rz8u#u>o_|vA>sAEcxjOY@63zb7ku2IX5_XPr3&reX
z>|szvd5ik%>uZrE)_t?zdU}sgF<{cd(b=v)aEN;~p
zDw&=S@&a}$WO^d)dmtLdluF0e5ke}<(WBx6W5vA!v73)pR)F|YXJ&ZkWmm~~QiWw_
z0{PPBe6e5cG=0oowqB2o72z%|T|k^xCyvZb`wO`TaTTq4Y7j3!T_L{0SOuQF1?l!H
z{X5r^MTAg>b!(eV6QSeE3iCSj%#vbNapra)7J_fwO?
zqEKkJG2@wm?2obwmD2BDOsiQIsiwg?U<(eX?T_7NsQ@#eziEO^h12G*FKH(w$RLw_
zJJ<%fjg8>CYV@$7(oUtq5|teSGEs?SYj=L%!bNm+OPI&aM_DEXNXy;_EOE<~HeV$1
zxnkaONod{|ZO;pskhxg{vmTa~LQSN7D)iYtR-IkDan%$Gh8H5CL{_@A&J`JxC==BC
z!;R9p2|giyx}$FUh?<b&Y|EaK5mW+Qajb8qS}7v
zu^XEb&s-;hjQipm?o7+FRCi!Ad(!>ND&|A{q(D-F4s@_
z#n|6sXvNk3q>7SQo7Cqny@X5BXc#sAMuU;lw!WX;+(^~(gu0*0>1PQxy0c$-{Y9o8
z-O1F#Tv}0`4n0ltRg4hq>~t>E=s2Hmba!^We00gl6i6Bvbv^cv)qo@X#VuYoo2wB@
zFmI-wQRb4!(vumTvc%y$70Ia5Q`EYm>9erba8)g-)WFU4Pre$ciOb|k1K(a-(6=QS
z+e@070{rXP0mRXo-mN|=T#z66n^0=RUEzjc7K2^M%hXglx$o=hXDXfiTZ)|l4rbP!
z3#>cqWffR#cPLU;{*!_uUHP1Kx*!`l<%%isE*{gvrTDQQD01$7IMcGYT>SYXXQi0g
z<+KpkD}nxHiNl`s=y>&_j$^W$`n8vqmEqfa2rE9P6L2qRh4Qk=bvKCNZ;!X||s&vi)t
zT=$t~o({{``N;j_!6PXKFY-uHO%h)PqLOYx`w{P~F0n^VI;
zU)(UZmM!br;LCt>yEAkZpGDsSSS0SLvKjG&k^l#d*L^(Dw6QBSUgtMeLU*`mElCaG
z%KS`L7pK&O!cn2qq;y&sHD{nXPO+4|7_FzJ+*@z!YDY(Y4#~9@lB;0I)shzrT$W1%
ztR%L*3qC-IS&p^>0nGF*Ej*Vo#W_OnjCLRLa-y&h+IL1Zx==vHdQuNHvg2-A0aba>
zHI>%4TAkT!hT`y8)t_S+2!X(xhcXB%MAZfxE=#Fj?zv4>%9EcQAY`iY6~p2<;jm&F
zsv6((=xGa9PCc6+i=i5>JJ8sNGv&3A6brYOpX13OhSRE6Gs8KoLKrxx|D%I~P^2g}
zcfP?!x(G(|d2>|cu4x`8M
zU1_qcl>B&ilP3dmj~Wg(1{@RC2*g3?ibJZ3Sm5l5`Z-M1)g=3BFGvM#iW?W?wm;xh
zf$YDz)+g$v@53GYP5q36qNAxea;cCktDebkahOd-__uWY)9JZe3iZro-UK{
zNzE)vkMhXTeV-YX?Xa9oy8?!VuB%tMRvtFT<cRQrC|Ya&(45(pV%@b++tgu;ElaLLSv)?noaXh8_i59ssu1;cT-d;l$(tDo
zvCG~~=eR%(l0V%T&!H5wB5|S$%b5!xl4UYoE=gFE
z+xVr?vNH7&(r3?GGRq3g7QH$|2;F}{EupQsxw8cwR-_JXp;&%8EN@hK%y$Nm;P695
zXkC@GMbWOL#8IQd)e`I$&Kis{jc??iR~CN)4t1S!3yIXA@E@#QW{)*!u$pB{++Y`e
zy}N{Q0L>@VpUOs{f2|O0h9gRgDI`Ux-2HUXzxS`U6mwZxVTczdfZI!5$c01{K;>J6
zmNHH{KLg7irvZcnYj!jVonz{2+7EkXhL<4@!EGHuc;ud4dDXcwNzng0M=;fRyYpI^Zc{aucc)0avKeTzzD8@Y%woQ%{)#JuJZ
zc=qJEc{VOoqS1QkJESGto2uH_IvRlC!Qh>3^z9r2^10{1AFnaDigJh64X#);)~FQB
zHtpdO&?)+XfbT`xUc8uoci3enU+mlBAyYZMhdPkKE_B
z5@>tq{G_o>gEsW9*jG0y~!Mz+|V27+eWSmL*#1seM05@{L
zv5exw3pWaN;=hxU_UqHWsa}}h#
zM!v0q%jW6LiVztp?uqavOrkz~PAXgQyOFAD4-FWw%UZ>IS5Qw8iM8W$kuEoEgxY_O
zG)H0cxqA#5olf#rXZBBIglJ>wODfqB#1gG`;+&B&ygOpa=dqijtGUVbWN~>xkD#Sc
z=T{fSA^%w480qr2TcbSj8B2~i8VmvVZ{TTRwXT{S%3W{=u8q2e-N*h)^Yd&qe>ZMg
zRD@b)jl)u5$$K_Ymm;R;yFBlc?x5-I`A*5-Wd)I|6{d4L9n-1N)_dO3wOdmAEd}kt
z;PJ6N1NOSkTEuI1BgoRc*1xqwC}K7}NfG2m!#jTfk9Ms+PW=uf{*u3LBfrRd-FoD1
zzrO^?8N2032K@0Q4#p84&CY?3xfA0BN;Nivn95gRo=)_D=F`D>>}uc9U$$`(Tll5M
zSo@yYmM~BM#*dUv-oy_nUsRk==-u*u#(zLMF8|+yI19u76&}j@-?|_ID0(qVYiCnO
z0(voPLuXSFQ)4?5Qz$+@C?{t}Q$rgl_YK{6S>-_jgwWe>R4!X*I2bnQlv(P|wl*{%sIxRGgNg&q|}nPUO%4Vu}?d&+q2+lKL{NwEi6#!=7hJu2G~bMAHdbu2jG1K
z-v38%J3?R&Hr#1Y%^Khu+l61k%7rOIt%2
z9~Z^(7n4J4Ay6bHCxG`~9LLEsH~?{V2B>3TbRbRuCh;f81J--D4WX8x^ljnPOL-MZ*fkZfh__`*s
z{cK$T+mfn7*0_1f9qNm*|G-`RuygV!MtIX_IT4HXd!L}9ngFtnrV)@6h(jC$u|6|7
zI=X^j_>usK?oG+PsFjt1-N`R$A+U1ur<{X{SKL{FT7AH8D24{@Hc?H7)@B%BEWW-M8MSu-yk^QEjqkV*Kr_^qVZsitZDp2l+68
z1*sj=Cu-jP9K+(N+Y=r=cufb*GdDYY!^d?;ldTdE5Elm+-L)04hyNkhw?FhVhc-x3
zRZ~D(&il@Fc%PJjF)_0G1NZ@AV0a3E!O4NqPRtZw?jMqkyVnncXR4gHsV@vJarh5Yq)HwMoXyE#
zq|eU`B;}hJ?+w7X=?feL-Rc=0qUJ2uWY5IA`QM~>{e@onnBVYz$qhhU8tdPADKq>17e4}Q4hJuD?K?zU>u-I+
z^!2tMiyv+pX680+xL^Oh6^}9@04b
z4uSL_)M|epSl>TyelB|er#DCdp^n~J-%Ava)+eMM&OFH90-#vNf$OXE)iMt!M{8u0L0Y4`
zj=Sy^hk`?ymNA#U7LQJRq`4%@;ER}@nxNLn7PWes5P+6K;Y8auxo!(J#PsLsktLm_
zwNe@lbstO9u^DlzcH5^5_nQxA|F#Nqb?+FDh+w%u)6U6Yo`4v`OAfBPxD;3}k{y>}
zEvZi3WDba`x%%|AD&_+bmbbsF?idwM3#UpWHu$)lp^BLiI9xzuqvIGtQb{F#ix!%9
zt7KZ;z>+hi7v5Z@zn)uU5aglL4F~}HiIQ#%21O>^hF1=zjp3Wy=}ZG?^;oBQoqt?A
znbioZ${+zavMJyNfqhDm4FuSnJm~=wGRy0OfR}?fgOfHXLYx`pkAq`<<3#iL|Fa!@
zZ9^=ga1-el&B|!BF~k2BN}q`nH382m6<@-�zRBG09EJ>VuQ4h=LObNO=0?K*6qI
zj~D;#HS
    b}k`6r3|!nU*T9s)O@3SyJ;`8R0}!|LA39rPLHIh-e?*9Gi{nH`cdZO
z34pUU*!HMf&Bd3_dc##Divuv_
z6_qD6TMc;__s_!W&)ZVu@=Llzm6C9%#1is5@nCq2mi^MzX$8)Kkdj(|bdr{se2>=G
z)7$7G;A)qwf_~~JCc|AG^I&)rSZvF-?89Tx(Q;F>L~knBT)WAL{d(X2hG&fIV`|L;
z*#0#b%)h0>cQthF;bk=o58ct!P17D2*CJxQi7vU6T=SrBMH4TKy=;+msf86L)P1^Z
zR~+oxxF_PiP1dDyWnkbeE^(7-^95kMDG>uY%Lq;4psbTVz?lvuCb}5%vo18Jb#>S%
z-GrL4Q9+y^r{XFvsXcrACWXMzfeRM{^8=d67QKyfu~`{ev-OZ?M_`&?dZXI_x$-;_l&kBdgTVhgKO^AdQf^oVtL
zc8>>w6pP-%YHxaJ-#0?`(chJ@BiK*cAx1;U6UHOWk$Fp4UZp7@Gyv=_LB%hn+m{U8
za?8aNZsSPXk4&&S)-;Hhmxq6@*ZEj}D(o|BOgpb-VQ5kti)s;IRFHIDFbG+$Y!xP0
zL6;1<3o9D
zR7TXUo>=SZ)XMZQX7l%W!G$xbStBURFO-Jm=wz_4Y{tcG{aweha^M6%%Q97WnIrK!V^d!1^NvGhTMeN+4c6Oh@uB@^t_!NB_E1R6gSzHu}jD<14l`>oZ%2pTqA8~&1}Wl9VbcRA$`UM
z8pg||_ae^=5C4YUMf*7`?zxoF6nR2BsO=8)zI!&obRzrqZbkwA^RX+d=(YS@j+Qcn
zkX9-}YgyHK3AOBoy;ccyAJFyN)C$L)8eoK~w1Kcu`neD~=Q;d?kzY
z=o5(Z$ani7n+@a^{(m$VYW9gQwIO~@qBQ1G0x@Tffuz&BpgvrI*+m&$X{TrcMu#mC
z>`w@%eUmQ}A?}wt5)Kc3_jSK=x+6=9%~bX*kiT^7#P@We@>&_u6+hh%PX+Wr99d-|
z>9BY!7=U=@3u`@s-LamSFe>6OAKRp!$YZ;i0ui4iU%0x+b3sgJKxA#ZBB1#*-aDFV
zLG!wH=Hud`H;ZfCNkfKQlj0JY40^>!{tcoUbd`gKXjE$1VC>Fv9QEm23;iIKBr6o)a3W;kdQd04{^9uJLX0^A>Rz
z1BVAWIcR)QcDuYD#IDn;CuRzrUPOckcVm$GlPN
zwf0RBl&*W%+~0D^>-=IiVJP(
zEKyVqdWtt**M(*c8ulAVdeN&{s%7rJR?hKYQTQW)*w5_a(FdQL;p=po=pu<-zpOCZIcE;2!um8>T%=;nJOaq0^CxjlJW
z42cfMh(oTXUL?!$V5+X+-(K&Lw61tJ3R|R7hwd&N$TlB&Je--egeF7r1Lc$CMLBF{
zYA(|PUxWnxeTU{x|B0>G(b@iM59oGpJ1wvNKA2y@;+Vs-wJA04rO*{r0Q_ew@vlJ6
zR|>I>)mU@!&!MOrVDe>dk0|rTxm$4D72#;(_ERm@SI3UGPq!WLMWx}3w+?LwrLbmk
zFAS1kjPJr_!Vg_Nsr)miq#LQy3}A70J-%G*rwEDb=G=qO5~x%{7_2;XrzStSg#zKP
z4^9&u4{F%_(3tVxDl-$J1__w*&{SjbmKbC4`EaCTxl*vB@24*|IGt&aZK9Z5oD-(d
zdHcW%q#*a^`InUe-)~Bkc}!Q}OC1d#kBQDIQC6qSI{!~o$N|mqyTCjL!+1Fdh+@%d
z%t7OneXt;4O1~=+k>D+ae+VT~11C)kWCsfD+K)wZlW-2`fm>dj5fnC2Emo5`U368$
zIB~DgT*RPH2`_=p9%t}3t|WR%Y-UI=LU1yz((|HkY*)_k0VD6BgUk}%7)98VzlDYU
zkNd1`XqYtCfEG^F!eu7uuLN8$O%;1NH$e$p5QRYK9;~y6aip+V`yH1o0Hk0?IP6@-
z?n_4oO$bTt-EJ>UVUEFpRenjcunih!g9Kug50k3>O{*nqOvMNbppa1b8)n%w*2Trm
z>e8U0eFqtwD(pQO^GfKZz8H?U
zp2HY`rn$5GXYh=i6Us>12P#m|RX*De4U2H!aOB|GmXbpfHhLkoImM|z-{CHTHn>aj
zo$M_RgT9`GCiJH|NAvaOQq%R89FcIf8MU@ywJ15J5Q&5g}A7
z27XX%=eB^O?H_GllvJP_6_pe8O@x`fJfDwMIQA7x<39=UG=KlL%?t0fZz;LiTTR-s
zAV?CAxR3r6t1o!KOml~JqeG@*H#U!wlqsbm^-s3>0;)PHno~kG;J#0Y9e=N?7JRXySy;uLCfYh9S@|Bfp3Z#6H$I>a
z>wX$~@zmc!bTR76+Jno8aNo9aFpTfZMY(cUF5UI;5~9(ae-Z@KC`7H%G|Q%5x2|i+
zGl;Lqv&o?;oEkX7)Hjvw?0DS3G?@3G%W^GfRvVgQ?D{Vdw<(yICCJGJr6Z)kZhlz>
z8SWsy71v5~ji^XAW7AzFwrUeUbE4)2qrXsIrcb~ZMYS5&8{>>Z^qBia;O|r*z6|a`
zL{(GmE-#yZ*mWPDY52eJI*mRG-|vyU41&AMdxmFTnG`tgEFWnVrq%juAW<{^s5s*T
zMV1~ZDjR|mHyAgXkS1Tr?=rpH=QE?fDzMaw9^tpkyG&V(90LWpWSrpE7rOgs<0b_;
z;8S%B;w$Cw(CxNZtCUjNaLT-}X)ORgX;hYx3scGX+hi1F)m}pk=+4)q&JhKf%}cb|
zK~uJoq8?t=p^z@p^?DA7g0WTgZ~aH$6@BA;(Gk%Xoid^Flut$Yyw1mQER{&&?+-dT
z!|tM9onZL#WJs{-!MO-zCdyDuVbpvNDH@NxO-b7zbT8NTPaKgwT~}&^wCB_6^?w9WWHJ%$?r7+e7v=PaBs#z
zB+p1xt(+9p3p&(qV!|yiT3?n0nX_jCV$y0POi!`7NIhRvodVcF`}LbAgpa}RX4F?#+}2B}
z=BA^8|IsPedKe;Wt?{&N*CSlByuj{>d}O`DtP+-g(=tF<
zfaGHsX-(BaElnc7rCCHqwiRtbyBg98ua&K?g+B5j`LnW^^)8m|lS)Ny$e#}>Mb?)U
zn|;Q&DYFxP^073reUS}sNsBb#3pVvd=ZvERaPiDVBp8vTMc6K
z?J()TO-W-UobIyaO*A{dC&GM>Yl0esJNwS97JxZ0&Okj%w}|H{dCBOIZZJSfC&$Vp
z)^pL}S%iTsSKUUas7?#$J_xCrKdQm+t+
zhU2@PL}(tmvB+fu#q2wEG_4f-ss#BnY<-e?C93q%NU!43)+@qO)~|KP8*p+=gnKyx1Ls7YPyVp6BY|9u)+}~ciQ0sH
z*);2C7WnP>5Hm;wmm1-+PfbxfzT|RMB^fe!1?YjtpL8C^DjAg|Sg;804yI%%)A`<#
zXwF-Otw&6kGon;dekExsQ-qJMuKxEaHB5}+(w}Og(aw3RCNT9t;zTx1(yoaFhd(&I
z3{q(GHGIHR27aRp^a%
zF~A;XYO`^I)rRoq+($@Ba!sQpaQwVWrDVd@d2+gc|um;kx7f
z;V)1d-V5oD0yR%2aaU?$xz~>cu=znYba@a_eIwE9c5ghQln2(b*~Hf=SV}SghjeCpgZ@!mFC>B?l(r#F_aEhX}
zwY_^2_f!&3Nn_HHNhmeW=8^A^c9?KZt2=QLb^KWFor5m*1!71B
zzanh*lLG25QQE_2`-SQwAZOnTCnd3|MA9QNo!ta|CQkN%z)SthQA0)EbZNka4D2Rk
zUUez#$p_;$-9!BdQaE)se=08rv$xK5W;BbaX4xCA;vL+kl?4d4d5RQ!%vb-e@rg=c
zi?*YlgZ!D#+ElEiTWR=?VOEj7&5mp(!juQhp>!dUH;;J!er-D_rTcBCflR^E)~Z*<
zfAF)l`x*;!TCAS2MH|eq?e4Y--zWXhX^N7tO^6L+e1Do~MJ}8yyyEO&Pe}N41!e?X
zVOWgUbZW5-lS~JNze$SJb^S2pfeFK>QO`gY_oZnU;AIEqwf7csxIa06@mweFk(Ipu
zVLfB4m_^JtBld@?COAbJrxux#CJVNu1I5iq4v_UifgX)aOf;BK>cs7Kp>E5uhN~iL
zGnV#H03gc<;$l<9cERl+Fuf!Lu1L6jJbnsG8N2OXPImz7^Kz+~Fo_VYnxNrk`AD`y
zy#HXz#feOp{0P#wvuotU-5~3fsyIC}7W9>P-h&!a8rtJz51VOpdMUwDI++ti1=zRB
zDSfqHV?w|Px=K)fqw0t4x(SK>X(Tx|qf#V22^RIWtvIStMT;#n3H8cz{sZLveZQ}L
z82Pndev*$@p*s<>(_S0*nc8l@z}iMEg&&4-fWRPfUov*>$s15cqs0VaezJi0UQS=U
z`x?i1yIh%|J3YX-HJ{F$|VSwIoHqtpu
zKgmBi{OiNJd6=WeQXF$fa4zEra3NBIz#g|ugo5LMV`FhY`g|`M4mD@h+ASu-}
z_?YFF{zlU=sRAvkoD8psa|reaG0M{1wurUx=UAr@QSOik0_uLIw
z5B{MeuMczR#z9g3JPl_NTB^=KTw4jP)3M*r+NQ;0qS@ru%BA21y00MYz3{ej>y+lx
z2k38W6sLx@t+g>kPHD7l{Je~-FIP|&x24VthZ34-U{T!qSkI%fv6LWRX$X5os&D@$yKh$ToIal&fCh`4T@6gLY`Y0&GIG#OK&mIET|2^t
z6Qoibk0Svps}9cz5y=INUb%szIU|>a8`ll}pQhWw*?$qE6nhHB2ZT(^IQ1UfNU-*vSONx0dWZa`9zjO
zNHz2~Y3kS7Dgl0J!PMBXs1J~&@(FGNOKSWlr>c_J?AX?p+oYp1uMe3xP*0#Zm&o74
z35n!=?1{sxs|1yKY*9J^HedZln(~&+zHB9oEAUe5ur4l47t@wUVY2KO`Rf(Cz`Gb~
z^?AB3WHYWk?NDO$b;vAFVKcvUkk?Il|DNdo0${>QKv44q$9NU3dAqE^lwdEJjoZR`
z6^exK-rho-kq5^Ff~Hf1TSfA&9i}BNd3%by$jb6vqbpodbYSiF_0;<>*_Z
zLtoSpGrwNo-I^0|$rSkq1}RQMjPT@i*OEO~Sz&xYZpg3jm%VT)gfXz~cNn
z=+NNg&h}3w%WCd6LUH)4Nt<_OsOGV_nGJq|4)q!J_`>qJuzT1L{yF;ax7z&L4tFek
zu(m~IpcevP(9e5o3u>H;2m91x)Up~>a~r%LmgSctX*WT>&E5gp!xwL36BlKa6zw#7
z5p8K*0U~kvx+xBgIm7jLox&zc>|cx$`)838f5q$(sWI+nLe4B=6Su)$ZrJ}u3~
zpTq~1{t#sl+e!qlCxg)I6=Jb+o5$+q`|j9!!3{pcjR4!1UD$Sj65V$bTmj~9e*;9ZxytZgRW1W38=q+#E8_lo;rxYMvu$J(Et
z@?=JG<++VU-%-sz>w{PD2{LGmh*^?d&b+z7CJU>s6NY1DOSpM@&$Cb1|Y@#mG6mghIuWK-^C$+anP
z;SM1WpIyy{B4h?%(WW2!!sRd*w58jlcWY-hdimt~WMAWfuGwJSwYD$hBiA0x1;h${Sit+{V3+@KKkQo0;AHjBq7JH4;
zlF*Jput#ho8eBiYVvV7{O~(%E`E5G;(HSImE0$-UT0^~lNV+l_ihTs}&IOK=2Bm3z
zs)JE^c)ss!pWD>~{mv~g)KhW1L7ab?n`a&13chtS1)?j%L(|;d913k*a~u$VoOS)v
zw%VtH@~d38sQxIJ!c&aJMBC;
zMA$x|RhNY$MNB3xJtTU6bowSoWz9E%y~&&+TbWwIazGxA4I_6L%%@A}+FdxMf``VC
z)NWU#p0m!=3mZu-r?zNJWJz!=m5=qBXdU4RZ``jx)lF^i#eLW_3#Op%NGcu&6O0N<
zBkBqmY?~}uaM=jxJ6)xwCGJWhCp;3P*9!u2&t9?jO$fdJj4bno$(icR)7Er&`N7h|
z8!_e{4r`Der{&`fVDZ(@W^J4}t$&C{;hC_3Y1(s=8ZqM?YFgscgpYQ#?`!{;8xX%%rk_
z|Gw$O_0gN49H44}OXJc5Ew8WJJI6iW2Spi402R>3%)U>I2$dR^ZM+<|$&!$*8Cc!o
zjACl(rd~X_(Y%W;SC_Kf8!b4Ppr(7RNE*c4Im`Zm3iH}kpnk&yQ3)hnHXLLX4xMev
zbzV>|0luJI<+EUSpAsWe6iVx)@#|Resj4x!DCrPcb>SSu4!BSnI{3H$SH^UU-iLe6
zO|9%yi9lXF+fMs!??scB#0|oXbt0qXj?k3V3X%gl7FxpW9w`^&=CVFNdTKiOr({Dj
zS;T~fcQOg4Tp7dQ=KmFFZPc@eErh9TkuTV1!|?l4N;xiyEHZr7v+w3g*x#{S6yLjB
zY2>TTsiG3Z#7S1CW67|Fhhmc&7kr@aCoMmZYt3gdY{OdT>}zwaX&}z!>4hZL9Gk$P
z94AoNhly_}M5u5z-jeF~L4kPW>n9&;Ang~V9J|uwb*F2*p=2DopNv>?=YaSyx?BqU
z(^q@FP^hO(!VvJ&i$#oVL9pPcbhyjwiH0Aky9AFOHyHa{_Gp%w3gm6hThS~0!QcdC
z$w%iz`-`#ib(cR(NXdRZa{D>8A%3#9Slg~Q-Pw`eT2!r4M0{RtCuUmqA=mVf{Q=HY
zK1e7O%Hfm%WWm%7-!)HAw~1ebdyT=gvWLd;v4zXewHANx;O%S861-)EXIN51Wnef8
z;iXW7l0?ZXdpI!&F3~OXgkh`9X^4Q5&3I*mN{*Q|(qCyd()HAI#MqU={ZiG=;t4`n
zNrna~AhPGkAvMpIP0IF{J-L(mi9_MEv6@D5lZ=ie+b2ZX>cp-(&n7IEF!VmKkC$xt
zsXmkB7EWj!dYy4&c#teB&7raf;F+xj;Ho5N&Y)~h|FWK~(f?{^H^>kT8fR(S2t;sp
zYFq**ub$8C=R&W!pTTFby`%8<9-liZ_3&7SmRxGSOeynai7Sz#%>{NbtvL*}Xi3m2
zt5gSZ8ml~)N7>pK?XFZ2dew*JW%F6$dx&`i4f)o0gjGp2&S&3qvJAoKk5w}G+K>JB
z2;r+4b)m8!H
zj#TeIIIlH^kg=)C`SKKle9|pf4{YgM*x8~1Kf1ty6CcXf=!0NkuAKEd|3fNF;T~)*
z*YL`eqH@Kt?*tVK%dvXa{Z|GQo98Ez`7mJyY(#TLh(5+k3V1dOIHzde{^Qu$;yWU6
zej5G8H=24e6rTJkQq=`3Ckb;1`fC>)@XaO>K{nD?)1mIKtIts+m
z)>(s8l(0%fPV<_h?xpKB*WY7zl3M336Yy^)XGUcoknFYnM;IMZNUzM;!rwOGZ3H!vR#
za>H9UaW=}X>=}|IR2)>Kz|_{NQ9_Mz+U6Fj$Bc}}i8@G3pKn2V3JuH3k0Vil$Du+A
z?kG|rrXy7DEjY}QxQN#4McbL@F4%(MOtJ66+RHYU!lh#i>@e#s;9G)S*YmhVu}(=i
zJaJO~Nf;X~CPHf1p36IHM!5}Gh;g=#LTE+D*M(-Jt3+zzo5J|S
zkAwp=oY7UZq>9Ue$gB)*fkxWNLC#R4wfkidXfokUV6ib`zvrt3?v1TVoPVsc8+CW>
z^C4T_!@=24@GW4E%*{0M9n7Hy}kOS6kmiBP6KmLzrMbozS5msUKb
z+>6u>lRXcL8j*gmQ9t)z%Ub2Ex2tWJbc(wDh#ayvT`)b`+RN
zRKLysr_~NIfj~?e%I3u|{skcS)raISwRX;(QTQ^cSnKhsyI%x&ob^{^5!4L8d-=H#
z8=6;@($B(QK^5t%ji6w6C7JWn!wqF8YvlNCicQy0MvQoF3`lO!aeF?(zk
zyJt*QxLXD{FZ4Q=il}tTA}@-iWsPOltY}a?YfyJ9B`KJupmmq_ueQb}K(GVK$YEHp
zGT20EGX-f#UMZ8PZst0u1l@pGYjt?;&4Iye0k+6RHo!i%Je0)-;L~+b%f;$lJ&URU6xD94~!}*4p
zX7_oqfDB-YGa1$F;d_1!aw3XN1%FLHd8a~+5ZMfPEu*u~EE482(wPG=#xf*R_ZqFS
z*OaHc99;+N%9s#qg-NyHZb(V**L87K4tiu+JI!NIDI1XC(e^q7yLY=h^DR~&_1QE=
zYDNp2rl~Du+S47p>E#j?Ss_{Uy6CNrq?bKTl(-1J)(ZP-$3x9(hkrU%x}hQ}tWrEX1FDQPXHL
z6*X3b=4zg9`?op(npmVx33Vp^qYz%-s(=aSH8pnVhr`{t01lhdUE
ze`($IleQj#EUexMa8e7DF|c6XyMp&y7$}fO7iPF$^(iLzLirO7P@i#%9kZcv`iwQ(!&SWfzVR%N~^BxR~+BM4c`p(lFgyTaP3m
z4EALa{sZ}yAvH%MJeA$Jsxx#x80bso)k;X9T=pgJ%4cUtSlE;&^uO4Y7{Q{B>oKX<
z%Acc!X_V^v&;RCe1nZ`7KPZmr=sErFZVjl`y4^I3IwG~L*09w3Gg#YnrAL@mrCz@N
z)ehl(k`{PJyvxYK{%qzJMDN^ocR^E1Q^*z*_3%b^T7GRv)(7Xa&;YJX@3u1gOCmS0RyS0t`>VnF3$qLF;#+=>V
z5}Ql^ryv?)P3(_>J8gMwYzibqy1pRCsnaeAVk(PXnSiDj01c`G
zIUYkRI-6{2;k|rDM5aQl#z*k4=lpRWEAK_TL6E$mQOZ5q~ETvUg{2|-1a1AZX6k@`!M$DRSene
z`AfUM+?72iS>vSWNZ`{roJK}pH*wgfH?W!p{QGtqAm}7!rk~HrMsT0NI6^nOj!q8m
zC@YqdM*3kvJ^2AXVLJ6w1dZ`mR6;?p9OZ5V2%9}ne{EM
zqVe|0z1RonpL_ASHSLV3L49C7JlDJ|4xUDTDVb*|L^+5D#u17E+7Ob@9k
zqIAGB$H5cs%zZuuB-#g-`^c6e#?~p({-CCizh(d0WOrYFu#0v`F%_}MX11;x96h56
ze1x#G?P6S7S{^@RA7gz{eChd9$e_7jAu{Wj#RA>r&O&S#^?45GI
z#X3;zdjlsOL(SQ;^D$6JYe88;-Mw>i>#{~t2E#}Lg={YNcYjRr?$KRxmV%N~Z#vu7
zP%j_F?5!=jE{(e>NQX~@d0nJs-pt7IgW4I@nBY(Herf>P8CVB5(6M;PX$z&81qlr=
z-iVa4ySngLXA>mO>$TNNL#R*pb;h6UwviOVSEh%`*$2nBe=IBOOLCu?$}ovoGqzhg
z@*UR4-D-KA17P*0Q4=z%#gV9_49F%_u_<&|($9~O
zi<{ol{;)k~$93AAS4kMI_>9)2%fzE#6t|fXPOWo!aeo*)X)$yS8!(3^qf5tRiD@$?
zf<_Xs3ZHPFFjRjbx=UMs;J}7vjtltWW
zO7`5y#fwujswe%uy%Vjl6GbOu#LzcJ(qiH--%%zdk_gkCT*OmqmF6=HwFLV*@DxVq
zvNNiWxeAgRqU(z*_Il>qe3LG(1erT?=Fzlj3tmxl=@}*}?7Ij7)2`pFo%my`u%dW`
zm}bnMdL~?!!ub&oTnI6r6pbP_7beqXip2H~k|p#$C$|$y%O~p9*~Kv*MlK^3D>HV?
zcHYnMLpokr_inYz7ep6Hr|^~HvRIq|!Qv24^s5l2H`C^+vkM)3#Fge9H||$cwR6X)
z)A<6dv5@bbq|dGJ`f~nEu`={C3U1?iT}$Kf=qmDXh0`t~*
zRBDM~YM+rEG%f2^usB|*QZu>T^eE>OW=&D9PH~uEy}t9Ws;mz8(b*4L_BP@^G6Y+r
z^svyw9Cy`%8%g>A9=G#%Q%QiPW!z1^3O40^Jukh&{1qEff_SpS#azrtU84nXwvLnG
z^7y%JVjT*86jCUYXqGwB@IlLD;hngZMU*^6y(87p89HUah_R^#dD^_9A%54nV2t9C
z`qBdI;Win9cEHG?iEPtc4-3N}prXRoP#qg8wZ{CY3oXBWhfvrTKi1oSL3n+sRrD^%
zN#K3SJr?v=x@rjJ<1Vqvm2b`jg|}TQNVre&q9}^+!10~u<mFd93de<+iieSfW$6K>LOwxGW0W$T01+ohpmBuhg7@
z)LdFt7OvtyM#uEhm)m#s!)uo<8Nr>b+psMf9obP@Mu|Nb{1;>A5Tpqcb?LHg+qSFA
zR+nwtw#~O}+qP}nwvDd&W-$}9_!pCljL7wkjEubJ-1ESxW`#J%qp8{$Jv1PO3FL3l
z>-lCI1*bF(dDmYsyxoas%(+7!u1!zfq;ODHM{d!+=MEq(#niLTVgIo3cP159-gd7&
zB~Z#*3Lvq&gufA!9A!O<(*tjH^4<1a
zK>X6ks%afnJl)FM7}7JMNFjF?gtgkH765sHD>M5WkT8-`8-CAXZ0YC_P0>{z5@*jT
zZA~igRJeYo@m7f!907Ur{S%^h5Vf7`r8O+uWZRjx#PML{u|r$$VG+OJm78
zga3>5+R==6S5?VudrM=-xF8g&0ktIqmuI#nDki9G&qYVY4Cnm);EF_<$r}1*CGBH+
za$#1YKn-of31LiZ`LP1D+{|E0GT~0mb~{Z>4$Qe!LS|vi6gIUG1oY=8V)2OmnX)j=
zm=awfmZZv>inwm+=Fp+v?_cjn+vFu#9cqJj({=LX@kRPHQ7vPy$wRKLl+&1IcM0>H
z9=5WKHjSv(9S%3^S5;kKWZ-U@vd3yV-=aS$xfX7*pQUg!i5XG)kQZ$W+HB^J5j1XS
zlybH6bIbd;>A)NQ^`ta2;?id>cS8vn2h4}mu{mVm7xt~0vn=9UzS@jNg2JO3krv=3
zEh~LMbzCbob;&Z~NH2p9ZKq`wAC+|`2TNvq9FwJ~m}9(OG|=bb9-Jm--4*umfClfu
z5=0n0Y0v@6sV%E6h|D5&Vh^dF%riL!aD{_L{|6jEY$ij$yQwcEd<4Y7n)pSwthtbP
zyyOMJ?(6gO%Ir5e#*{6FL1Y~v)Zmaa&ObZX(?v2uBwkbGVXC=$XfbxTP^+of0k8~1
zr9hq(2Y6kx?im5tGh)%qT`%i)qU_+
z8OUkA5Q57nnqfdW`q}yczP_AunUHIIB8c2q((0;xE`H
zWbzo6JEdixt{G*S{2(7FyWc{2VtmSxNk+P@m&0hkuxB|*emds<6iXf3tvK&f^h}a%
zq9swMM`JR8)@Tj_mnyn>f0*005dkPYazl-tG}-ur+AP^s%AVaf`SaGtz$ON>TNNO-xxa*|qcY_&mBBr|{Dm7jA@ulH
zI<4H#{PyuK(}W11Vn6HADeh5Vj;s@$PSd?!+^0HUTiHMeV^PWhD94Q#LWIzndXevG
zk5Q2K;6QbRb3Z=St|F>I#@ffPi8VDeMe51bmB39Sh@)971?{4=tXjDD&%Bo>BN@LC2hK!YBmO`
zLLm$w?s*@AN$tD)DS9NK{?P~y)SRhO#K&~f(X<{_bduo8FpYL>dXG7IL6H`vnXf$_
zn7*hOsp7V9-h$3@|6sA95zqoAqd^&;r^_X@a$~X>R%=Nq|AzA>snrchM+%pZM2h9G
za|Ndx@JHl1MKT!}c}RPT_OA8~cCuCfPwDVRE(|`Ck8AL86o|f=q@R*%h&LjMHf@bF
znJ(jN)uFc=ekLqYuOBOTHc75D(--%x!
zt3HSReq>p!zbb2hz9KDh=-SwP8{tkln_=7PUQMIr%pV`aLypGb%6VFeE=%MqN33o(
zR60~oNQI8oV40eI7IB1G!bi^;kwzGz)2C@)P~U-i(oNEJcg=FvyBY=4=20e$woFK-
zAxiMkFHysNGUz19aHZ@}d=Ky&jH4thqgr5Dgq6TQ+?+BfQ=`N}2QHzVk<;(gVBdB0
zdA8QKLz?U+$jBI59;Nfy73Uf4`s-$OQrXPj1`wO!le%eQ-gA#$lg>P58Y<#
zf;#_Kwf6O8(K2Y-$!~tcO$?@QOP4qL#+h*CK)SUdwNuC|-!08hG`v?Oe6s5VC1a>~
zjls9TZWS-nFFknaj^j=S3D5!@(cY9tG(13JnB1mr*$EdrUuHs!npW%d{Y16E9jrKa
z(dJy=PM9#ME;6-cx~P>c(7U!rgHzX5)q?o-q`@;?CdW$r@!a99
z#ek;^p)M|w0Ebu8qGbkZTYiDs+CL`fkb!a+pEcDF>lJMBaqIvqPE|!TS#5QN=Bqy9
zU=;Mk?ONZ4#g#;!2|Dw@fTCK=)2RBU4V&2QMwB}u=`Hp#bHZ2WUKc*a@T6n$+UlE<
zm=(<57kP>MC*B!h0Cvk{Ea|cz9{RInL6~zyyQY2QgHsHX)4)?WWGCn5tZrYUerO8A
zpzxr)Z!4!&bZ5F^Hz+RNcH<&LDr{tMF)kP7Lie}PkwhVLjtQHCP9^4MZv{-eAIc%$
za5Y!TuT6$rONx`ws#t9m)wi3ILy?@BFG;rJ!zbvlk%6YwZCf3BIP_+2v>Vp&p_O4&
ziS?9h#f+3F;?82mS6=g{-ke(sO?$S<_%ThQ7@7Q~*|L)%u18zxWBL;WH+rqQO=@B#
zoZlg@EF&+*vpT$&{HhQmuk+k%J@p0w25_&iX_@$!nt}#0z}&i>diP@~QrNJZBHrk0
zSt0BNU-!Vat@@`?Ys{oJ2W>%{R5wt^!GCLBb0S=4Fo`6Umd?FAzeE4+ce6eGRu)YR
zdg#MwtJQX^mFK_BZL#5|*!aI=mOJ9z{&%E%4bJkC8kg{|`dMOawKlZmG|BDfK^)i|
z2{TNnwR4*Y5V-Dg!%#zhu@w8{j}nE2LeqJ?9osSp$&>gis}(1ZeBhgtm4&77e@2$D
zGAFJ#oTopyk8<=vm1*GdY_1#8ng_i0)&K-*viO^(eqkV#$5Fia8FQL
zm{I4DH<6b2xIg^?>3qb##!NE}KNXhcsKgf``c__>(P7}~GbY9G)24H_jgtDv{&A0W
z@SYR*TCs;Wd(@_|0(o3C6FVs5(mdTeVu(Y`3*IL`mo_9!t6_eVWmlt3Es@^yuHjkr
zVS*4Q(NKtC5GP#p>?{P6@PpGTIg~rH9Owa=T50kV3Sld|)4}u1z_`J$)giKUh0UGb
zqyT{aaf9j|Hwy}Kk>#U_oaNLTVN`|kUUaUtOY?t33*3cs`NbczjUIXE4n)D9rFFBX
z@h-4}TWnBZ&rHM6*YS|g3%{QweOR{l)yI;WdjD^HxCc`PkE{k+&41_MXuRc;0QmS2
z!)akz0KT&TE2%(ez)txFV-@@<5tb+cLv8p%{L#5}A<&ITrMCiSC31jNDgsiX0NOQO
zLmZLr!2Y>9#A#Z99Ib0??H3H}A*RrMpHE1~)Z&imgQX#v8_u;{x9nsr+
zqc*<-dKB!Iz{A|ftQ9AfvlPuoL<{eV_j^n<00fe{aod76FxGBABu7>dc!`+!Bs1&U
z*{{7EGb`-`f|VSO(WMJ}xSih{f%q%2bT)=RW>UHb
zF)!zHLdT1coO{V?DBK=pzjly($P%5`33+x>Mfdg=Uf=TSgeib|)U3Sh()}$)EeKw4
zcY((aVfnMnDrAb&Yh)MN3i#NzlGD+oq+VREe&z>SDmmSEj3AP71pxz
zi|BsK++g>tXL}*VN5gt+N@;`PGXB0PbSRZ_lSM+L-!L9Xs`GWK$hu-S9c}C{y(kxE
zCe5xH!mQ9q=KY4DaH^^s7EP$TH$!sStq{TQH<9Y#)OvP2g{gYT4t%=KS4N&h6GHu*
zpkK8O^1&a=oiQ#2>92{~2Duf~2T>99CT-SJ{q$>rgY9SFSv-n>7}6{b=63R#zhQ@(
zxWKLzx7(LSsUePEPx_9NzI5)8$8-YJu}t&6B_XR&S$m9e?)AGP`U1q$B(|xHIvt=9PkHU^9o_u
z)mUJdQND6EM*XUDtKe~qRumUr{jLU2bXaJ^AIVS10Wlv7GMlk^{MXH=4$9*z)cp+V
za;+7O=+~*o(y)W(LUILM37D?xIm&cqWJ=T*{tt;ep?-SYz;0~SZVa?0ja+o_13T14=1!JqF#z%v{nn!xBS2dSjxuL*mp>nYanbJ!J6
z2x1mEfJV-@3<={koCN6}7`nKr|uo}y0CcX{}x6AzH)9Zif
z`hhB~IKZtPG{&-R?ijKs&p?Wx(;iV57vC@{`%hJ%87I;I8cFYF9!~Cl-q4&SI?tg%
z5}|DIp?Yw=3*VNVY;q6Fszg=l9P_#B`>XZ_8|=E66^ofwe2xNVQx)P*tyNKY((~h#
z^p_JLJ&Kip3sbE&4lTKAz~fMdW9eCS=qu5=ZBV`d+kPU;j|uQGK`%rxX7I^_biB$6G~ein(LXlS~=?$l76X44Yw5)|_rK|i+z
z%Dd%PeQ{oj3^z3FBgTrLcTn&6@TV01nD_|>)7mZ8a#cbOqd%^|zwo3BIClJ+ascU!
zqk8<+995pe)dm?~)x=1gf!XM(p|x?=Ejoq;T-62j$n^sZ>!IZXjqp~dxTak+3T4|r
zCXyB5eaFqZ`7VBXl;d8`Qg>!=gMlM1!>ziE3f&5t)&DtDc-s%RaX%P!!d|JLQ_^hX
zO+d$bRiVw!{cDc&;w~a}1T5fS(;%aPMl;9LAZi-Q-yDM2@ZJ;Cig5?~4*2zHkV*p@!8z_j
zvy$w3rAQAP%LMr-=Mh<;IXGwjQ>J=X%WOqLZED|sk{FQz1R#tukDM`l=k;dYw?JOs
zVR?jgiTRX?0a5db*4>NdG#U~)c{WQ2^O(rl9v#7wKRlc!8q5sVvY>>~>-g9Xs|ccz
z)>x)lH@U6SBIZRT7#kwGf#nPIZ8Jj?!U2BC-(3M|vw50M14(py4{hj=`PzP=av>%f
zCvR}XP&oK;IsntGXVWbKOzL+eQ=y8wg!L55klFBt+x~O6+D2h>#ugRoZe!%?tD0G4&6CDrfseSgJAFW*W
zpQ|vq2*u8;U!3yVghn#SMOe&uQn{D^j@+=2UL7$}7$Ok}2H}q?Tuicl5^mtaiAN7n
zM;*7F=gCn68x-esy2F1$pEnzJ9i%|G$slo!R9g4odB36i9hi}1R
zhq^uRsHywjpJ!zt%slB!@4b$R
z%d_A5P2UN$SC1lx4JS9PrhkN0xsvgVUfrj$RDEEqp0yC)4skuH1?7Y?4I{PlYhTe+72VhpEu6Z>nejj
zAcxQ$#*LdV?|K0sH1B^R>r1ip
zc&1uM61duMCLOz7Cqi{ikf%wq;y5{>nnWQexKOTy>?$W~8Ns&+HSH$A;homM35x-o
zKtiHt(`L{8R#4E^@hG7J_njGk8@*&5nk8`5yft!bh|bKh46RD
ze2Ue|(^Bc&R7gg&WhO;luSdb{fkR)^i%-NERzwcO0IV`5HHx!wJpPIAEun+c6
z-tB)4RkW%
zAqJ-0m_-w&;j+Hi0*73Ig7Y_h|KL=&5fp4Z9giJ=x~(z?ca}JkQO}
z@!eR=&TVXhP|Z_6gm#T@x^{DOn0|X}vBY;qK?^{?G*$eaD8cTym#-1#Gk!q;%a}7m+VRNS5^^mGlE6VQ(n3@He8J{)IT;uaS@x43msk?2mYN(@YRD;V_p
zb_OkAd$9H;g&3x;oQ3*;9vJ#C%z;Q6r}QiMVhI~3$!8NvI4W%4ojR7c+lSP#A*(9l
zS-6*bQmI-hzCoHnxyvcoe4jzL*uFU6N-1ToskrMe^P-9If<+bY>{>eF5Rr;7*i_Lt
zaXq^vag9i^GUj+XqG6+~drA$Tg&s2&`DY_&lRqQgk5y*>s3qBctX74tn;rj$qo&Z8
zTJiqcZcoL({^OWaj!(}}n)Hs}7qyatNdrFmxXUwC%En0b)9{2+>i+%1FMIrCUUVoQ
zmDdjpi*n?ylpAk}8+J{Whm)?XH!fr0xPQimy@oA^FG!!b@2^I5n+{${a2`9yA=}sj
z3XiweznyU)ukyj{jTzxIm(uman$!U7V~(>el#;3k&1M+Vr#hT;SMB98QUSX~c=$>f
z7h2isAN8W_)4_?1={r3NNh30m?%hP*jZ4%DC@JuYoA
zxj`K5jOHQSxR0PAEOhzg+uF}MIn}_P4NENLVTl&0xC_g$g
zTfE%Cgp0RAGW=mU_>n@}Bv?2qf9bP=FFRjn5T~|l>PI^n?e9*+#$?arcSEQ+BWIr~
zUv|Z~RZphQbvC!nqnMZlbhUpI*U3U1Yv=C20KHy_3xhux&z>^|8TGM@z`#IL{RSX>SnvAw|H!Rx!dOqZWR>1f
zm#qJr&%|F(#tq3r*kF%-z_+n-9<#Q?pby|c$}~*>&8nG}c@g1+(2@|FT*y?cc#U(1
z6Xd2;8@rj!HM+|AWHAX`n6BXUQaB*itd+DLX+rH1DPoN#B1n2(`-=+R0=F628|e6f
zy~y_h|A=hoF)jv%dT(D%92-yQ6bhT!G`1=Ly2vQ1?IEq}Z&8g#nm3zTbBFtOahbCy
zP5C`J%V>kajN}tlo*8X^u=sV>t;;W5gf;JF$e1Z6|F2uAK8)#}lOWa(5+&SCE}+(z
zEhbj(vE7tOW%9|Hc5**BF!elKD6^K$;>$Zn3Sv&>R|0=aqyQ}9YGCY-h)f=dlO_l6
zsP#Lrmae}D>WG5N{Vp;wrkb&alE-l;0tB}45#QwRiYw*V0_K(lh%4gLZbJP*sMbvB
zD1ne@>t_mnTdghP#$mRu4d3&3@ZW3P=)KzyIhZl*-CX!fCy^s+^=P?U-&`M_P$umlUqHZF?M<+d6S6B=3ztTW
zc0Jy^4N%DPvraX`%hh+meOgbWC1M%~3E2NaNh!veX#yb%qX}}3YTH{xu?mUuX1*-Q6Icl7m+!$iq{>e@gOfti_=_g>2Jq
za9Zip%Zvi;xq^&Rm=p^U+2f{KJil3R5i#*)u~~sQmt*@r10f}vg>YFRfi$!keo)>k
zLx7*jV;}Y{>slJVHPZrq@0ibT^lxM99VX$dBrCU@3ykk!La$81In|P}`CVsjJoS54a!{`KPmYAkhj;*f{y7Z0sZxsyccmSoEDTnF1Y
zYP-|PI1jpd+#F!lZ-WQBLeK>7a=
z28iTQaWi>Ka&y;=Y1(ae-f`Hr225awl%)!_@H83IU&ORozp~={wlAe<+?M{KaCVuy
z50cip@|;UDlgko`kD}Nh@ytXiG=B_bS9(mkol>2$)(GXlW&WeWIYx;SsQwTR56C^R
z5BVR`<7pfka3wnsR#pFS;BwdMcAwt(c)YL)Z9R9WEyY#*O}28x>=fHxw%1^KV}QW9
zB{YZNR({AHj|!U!3@>QvnbVu;08`r3<;P4>izK5>-ieJE$8m5Sc^%vmKFTaE^{%fk
z6$f{Mmi~uaCHH;%02_8fO7S054;+W;Z>u%4Mw9`7$MtOdg)5G!4>j0ERH0~vW{+=2
zvcf{ZDJ3!M6%lWC8S=<@4V7xMyL^KE!7prq;ejc&Wniy_Zqj|AkkQv$_%Ad#4Yr-D-Um=&N`PEQ?48kHIzcI@?XBor3>Qo2<2*b3_!ext|gTn`6vLRKm3ocYQN>75-cDs!10hJ8>oyf
zRD*(Cs8_4^aAKrR!4B0&{$$t=a`9s-bMamk5t>~Pjh?(2-}m_fv!^Lhi?k&HM}|m=
z&Goa+7r<9%41PM^)cE7jL`)xAd%H%bpwh|EQ}s+Az5C%kx%JOd#))#cYTdtj_#96{
zDZKvHPmStzK?LX&?pkI-GK~Xw$@&hFwpmoOGk;RtyD{%yDK}pVj%E8yO!?B$Z+j3G
zW%bMoM$7?R?e*X27h3M0#nrI}qbHxmlV`4OsMluX6-oRku)KR|s^)2v_Xc7dw{im*
zV%u}_G8^4tRY_UX7XVm1_uhsmz+j$`F1P%>IqF=msW|XLir&nE)@h{}e}h_QZ^~!n
zR%n0cHY*&)IG-whXa0Vk$jKDbgZEN&14HB_n+zdCeR5T(eD_6z-pN<4XD^9m`*u#W0eR#l{j`<{2vt@OU-<8|P5SQ4I#eajDNKg2
z8V$M29yaZrl)L2aX~v6ad3Q!xfCW87Ohh{y|J0xR`vryE%7KyCvb4kFA#$Q{AK%_!DH#c4>?(*EU<1m&6u;NtF66YXQ@dCIUI~KqU+%Kx6!s|
zG?1mUl=R;03pY)wz=XNe7gyzHhote2dxN~~$Iy>;MC>NsptGcjucbXSOTTzO`+r4A
z8Bb=t=P{-GoWKy0O#+&lXf_{uzDYH@`y)<9Ph_|+LAPR&2G!e_Yb~WNghQ~c)VMnx
z-<;tD9|ZuzPUWKU#SPH#*)_1&@0Oi*W}0tmom;VO
z-Qf1%N}OXB9v!18HU`j9mfp$5FZ~W>qxn%JDI3!J4#kNl=d;3+j)G$)FT`tLUtG^R
z%AP^&u_S?@&VY~ghy>DJ8Uc<>P$IL;xU?JaqIxtDtG8uvda?wL&rGzR#7a%S4pO^(
z$Lw4k`zAXB3xCX0vtdkcDd`#meNlP%uXxuCdoPlAA^#
zVvDNOfuD{|4N?pmc!e%hV~03}lb@xUFKp>L`L5@q2&Q`xX;Zk3D+ON1GoAYIM-*w<
z5Zme6z3|5ebbXKulkl`nvHa59=-B6=dMvis@Kmqw4LF^mJkMF2jTQoY!T^h^jmE0-
zIaPvCdB5^S7F4mD+ok=LOEj`QUD^!$$>iAn$24BTNO`%Rl46jY6fGr0(P7D-h-|r%
zI>erxFU2F`LnWvP1qmDlSd70%?_*M)JE5er;zL6KPwH;T39;m-OX#qFM@guhib7YE
zL(UTU1LA4(5Tf#q8H;wQ#K~p!b~o*D|4
z`3o*nPlX+!rcw72(~y+>Ff~l52d66jIbZat!j@F?^FMEKvs3k4oa{C(LT{<#5?6nv
zdM6;Jq3F`Etzo(b&O7iXKR00e{)%Gy&Opi1HrTmciH1-*f{v1RpRK@4GZTy~4om`*
z)cAuMXF(fkEeUVe9G(e>w&B@|@UN!%K(nA4O$x>N@w&@9uod59xZ7>Exy!`=wahn}
zfR^;l+@WwQO{1b4ky%QL`m|H{;V+RQeR1MA;;}t@$z8?slsfRLYJBGr@WxhD@8au-
z#ufzEdsA1g0;^k-RJT^!|6;(9KHbtK4KM5VW=xm^GiSIrs@76)3vk0C6fji%T7Q-e
z{-n~`#ce=UFpeqX4!FBF00KFQm|>x%sPkFvQvNNKIV*QyfLlVidn0BK1RBi3*34|T
zi{@TMxW?^m&FwBLDR|gaVrB2IoQ_L7k*Q#rx|#{G}+9-cF>+g!|C<#!hC5s6@zLd91O@=CQnw6oUGT4@`%>
z7|zYpW*yUrMWH%BZ;}vltM&D|A52HhYfL#>N~;6Jhb@HHld*^ggrrzDN?OxkW7g56
z)FjNpB(-MHbBYLRm|Rno;c5v^`GPQh&a9UHR%(U>TsIq5)^a~Gg=3AZPdhmm*!jI-
zD$V%NOk!C^^s3xBP&wt>m2>wfz+aMc5_f_zJAw1O0+zqR;ZovkV?SD&pLCOdc^ds+
z%#Ea*M1#fP?}~}Te;l*5zk7pR93`Y7u?AHrN1JAF2mxUw!H9PvgB}8XzRtAOc&(XFR(_4l|smQkN;kwK&^CQwgtgqGrqa9L|Hr(4b_UZ%Ow60
z)(T<@*`?P8mEVqdVx;dgPJE?ALsCL+hd=kt^JoA^_{nmqL76UJlBkm&y-TjiMn-?
z3P|2e(lTZ)sY%kU5&oCa&ZN+;a&<+xZWH7UQuQCB5k>Mx>H
zEWJ(MWzeQ35LROjE7iMf%%!nOo30V{i89S|9wR}FZn>=uw
zKlyN!mlUy#^(c%?1g!3-!J$uTiTo)+lvmXU$#Rd}E_-h0d?+W;PrGdpG>7vn%C9b0
zN#D$gVRJ3hBiWcJx_<{^ue0`;r(75e#eX1v?g;(Kottv>pD^=}82GTdU-YNV#-(=K
zx;`WE<$anPwk&$ut3D%i_s__fot3Jz+1#HH&3b^n#CeNR3vWNvQw9;YZhhuq01=9u3?o{rFw}37nB^}2VpVw
zOguDIW&rH8UXMKL;d-fqb*<2#NB=5pU11<9_VaVkP3zb#!eBdvjFhtZfR!)8=5{3H88Fb}@$vLO|oWsq^fatm-N^BIWXeDzuK
z6jri0t56(g%+{V_gu^rKStcd4vPyG8qt;DZ8{A-t#{c3PROOHycBqdpPDh6(>MWxhTHu+Mwju}bWn9rkVKAtX1W5-D
zd&_c?dSA?}@t8=8^!ngxSg~bBW6~ok0~LU4k#+I6ni-orp|BGNHji
zVE(B7B5Gz)veR@F)LwqU`vHvuPIuBpyH{4_=fyiC^JZK@!r_^mQH)7JN_xsw#o7X|
zo~$hiLC=%eEpiKK08IQzUBwGy0kf)i+fr-LETlE-C5Y99BbV(lahM+>)!M?@S<_pp
zkwN=vV;`yg*@8(xv*oqVh;Rp5Jee?d9B^_I9s-$tUT;jRG}$r?D)dt@4EYq?o>gdpfc~gy9NxKoKki=M0ZUg4E%fs
zw8hh_U4x1>Jhm*A#-JdCSOA_0Ayq{TMk8aCHADK8`jfmBHr?OIeOLDulK6VQ
zP*g+pF&E@#eW=*|P8SFCNI6s(k8Qhh37FKe=aQ&_HrTK{bLAr(}o`f~hAzPFp`F$|_5<40O
z7?2#~((P25SKn&tjSsD*Z=p@p()j%lgfw5fs;7T)XuYh1+4aIJIwrmoH#>ULZ4mZy
zLJ8qvtMJ8D$9f+4;$LO{nUVP<-zriK>J`X*pYxr1e&y`QeFIWYI-
zpIE?q?#Nv~iY70jf)f56xZrW-ctLjkX0$Lg2n`=*LiJf)LSrQ&yxRn~CSu;&(>ZwA
zI46+wJdet2i*=GLY4Gqve`D4f&v=>A`P+CRNAIMq-j%hY{!LZDLA8=B64EI3wJjF`
zB2o%uLLZhWusmc{Z%zE*Co`>1W`|hEFE~YP#L6Q&zR$mRuyqXNig$Gxppq)lqYti?bA~Sv|o^}*GfB7r_dVm0KC>LNm(Wvo)r&D)@`6GL;^P7
z2<;K|gLi_ZB+a~5R~7w3%-F!|wX+S20lQZv8Z+i_4HFzV5D##KerD#WiDNbfw_Klv
z+>mCu%M&}P9IYukk{O_=d~=~g%nvLf#Oj?>Wy|Yl(U6n<&x@els$umS>`^%xh6>kd
zt?YzUZIsC$`ID@&$jqysx|}WSCb)E=zuAv5Y|HSK7`VrF$eqYV-PkUElQ@N<1OGzW
ziesw0d*lD9BC}*LATa;$+DF>iCQfd&A`CF>Tqo8Aj_^bh{o+ywyx*s$2;Nt6zv#m}
zzX+OtIuFrvO^#ZZy&S^N?bcO|?7
z9tzq}nXC$uH`A{m7qeay1(O{L<~PBanXUm^?(5cJLz{r^-Y;N1EAKMBeb=aBmN~6A
zMF77?ercNq43L5SuVu>e7QAr`CYO*1hz3c;Qw-N2!VvCG7O0#l
ztIcT)9;#;dtW8pzPvJ<>VE<7w3_UZ2EaP$tyQuN$`NE-^_18A3a$GL)`vwxEJ8%ao
zOp~4i|J7C78!Wu649Y>&CDvbhxGDtdB0(=ai?N}U)-L`w0HkJ!Rqnpv$I7b)4M}JM1i4t&2-X!~F6s1nH)FGZe^Qrj
zmC~beu*;O`GgE$t9+GU}_o{g2k_j=%g9?zbl&yyY%w|HIwBNyQ#(jY$wdyBix3-AE
zeIl1~1+P~Z1}Ft$Zr5HZNz=MA%Z_?hh8
z!Gdv_3$VnZT41^)42x5Kj;KkyS>VjAoCL3SG{Gtf9AwM43!`nz<2f@}yNMZ_g|vnV
z-t8}Q1?+xdJ!p^@jM<+j55gzyMykk|tX!}5LRdbRVE}}Kt6NRYM5xnc(>d*EAVEE)
zWN~n%1x|XP2Vu@huK#F9_w9MrKw5W>F>4IjlP1
zMcqRYH2lyV-V!E7fbsDz
zKDlCSm{4G3^jr9xo|sgULrzzh+KD7b5J>-I7__toCH-8sB*a01UBB#VCDw@ET}U;4
zUG-iSJ3FU0fMqG^-;J$F{ZQLRmRDmPfh=ET54+^NaN|yfUJvV=8)-sZ9lPKCFj#i_
z$MbP90y1;l@Tp~lAY1JDzro(eb$=!~i9t)67YKZR95ncu!7Y+oPm^AQJ!P~;fL#pn
zD29+jn=So!xZMYXwB<=IHQJ;AnkMZU&atasj8(;5us^||u8lmfi_O^(OyML+A;70y
zfd{5~3TzWreB)55J)oW7EX0zL;;S_kIHmct4#%tPS+HZrC%MgQ;~+p5o1Z$CXuy3%
z&#TcHhiqO&d+{#!ye(i1=#@@1j1yrYf!tU-1XxI#1>qWyS&PQE6vY-hGL@>_kb;;k
zFOHv^>-!UBUOq0TaAlC}rxI%738p;F&km28npNQx`b@6={PClaLT*G!NaPz!&YS;^
z!A@nG{r}dW__h`@E8i%l+JCHgS@^cSfk{}m>rV=ur5cHYmDjBDSBiW75uvd&nU1zh
zi4nQ5a2K*i3z#}TER*dL3O2sL$-yoS#_iRrE;mWAykx4J1i*>GS*Z^R^;h#lxYIM}
z-%nKa2xJ-5KKlv48G3o1;b2q#ou4^ml&7_Qc(1x3{1w7*VArevJAG;IbQ$&UzzDrg
z*ppzc5`0v187Vd%787((XDcPk^;I@-lnP3lXI2MvqCBdgE=9fjN5oADzFy^@1~uFZ
z_p+-%^28n%zo?nChULbqrD1blDTZ9m9%iAZY+Rg(^UX)YQf+~lY9%PyOj`8?83;$!
z!G{x)cNP+*V)E5r?8fsXcP*{hi6F6RIF{-6{g#oHi8T0Mz4n?s{}ye-Uua>^Zh)O`
zqMpC_6s)wsOVR`kuRre_Dg*;o@-KWW+5{&a&IhX93p0ZCH<|^qtk`fgae@d+Q~ph$
zf?}9T*oD5CD`rAEpO7$NMlfw@fb<@^cTuCUggNJyxdb--Ge%smr82pwcY(EDrEZBm
zFKR|&yU*qBcC=Drq6kL$zln8X4zls=scNNF@c7D#Se;?*3hw6Oa{nL`2tHgRq2({-
zgzrhMg$gn6`=!S3{sO7{U=^6KtwX1BEpGN>(|V6+H|TD%5OOi0hd-l6tM&}H?gI^{
zOSpc-h>*@W**^nH3~6nP+-4kXXO$Y+GC2!{t22eXwWy#|^is(e!%&+mKV`sxMtlTa
z@+JITTDTC+?QN|S#Bx@$veQSJP&*=1bMo~w=M2zPI@N}I7X+#pq$TqR+Z~b=d&T|u
z{(<9~&XATPyAx1QsxBrpq9gc;t{JX)ve;+SZ2IL>d!dEU4&j#CHitysyH5%9mo8ys
zsaf}t>bI8LSU8T?jKNnBNa4>j+`S#`
z(GQejPe$n>P+ZXCFFB2HDRK_YNKU-sk2b7}-?R1?HT$rW9v#U@bfZujVhK};$w`WwjS
zOe!>dMFO($y98()U118?VQ4jWoiYSPUcZW5E+|$xIJ$q6!TL1l;eC#-2o4GoaV9pG~!=v=S_;PKKmU0VoZ8ZA^m%t7O`m@GZl&PDzv_w~PWoagn
zV1<)HSqn9;9_4Qu%mYLZnJb;pvN|<~?lBt;)Ki?^2@Nc*VQO1nNVWLwtDl_sq)%E-lYF!}+qQv6K*;1~NU{2J02m7!SHhmZDA;t
zIwCV?DxBtuje(avGcqsRD5WJ(uNpJd?5YAz`f$RZ(GMymGiqrcEn}|oqYwjFLG3|1Qqxj;l@})QL*C4?EPP@n1te5t$cF!Ds-}5&rzL%
z>V1PR-k^2wN>57rCoZbbPhSs-4(QueQR$hUh;H~1vSxd*QygQ0_zqLT{rHGj1~b}t
z)Fl-t1xuImO(ST$)ER#p6U@mNxc_Wg&M)SnxPoO`aCD8wxcHc+AyD%}Sd}#5yq+XE
zU5crHEmc(w#G_=kmlst97NPwW;h_(9WmKfwVcd#oitYo7nun>*@1KaKm<1WHoH
z7@oTcgHvL`NCY~VAW*KszUf0g5=>5pn7N!?V#CL*m#lB1%Gu{XKOUJwB$QEn-PVWp
zKLe0`M+qFOUS4%TL()WJ6qi0m*QE|)dE}9OP4nZo^w?m^*Q@+5>>7qb
zDUgRmNM8rsr;Q30FcMZmzfRG06&1(iUEVh=G86T{Z4IEqClu;`-yPfolva#J!aH!7JorB0#t>c1`+2&%@O`U1DA
z4s&M@o(gC_oA9QeDZ`*ton%@DM!%c}orojJ8o=>T?yd4Is$>3Nh3Sx#0kw6~2?Iwl
zv-EEyY-&_x835!I3qLHjy^kfN>#aQ)y1JC~n=B^-WgCA!U9IvPz8tdYyhKyi!=T(3
zLY;Dpj|6gP<3p*z_2hsmt{~yTUPS?NL+N=CAUH=PzK!Cry1Zdpd-6goYyEpC*0fM``
zgy8P(?h@P~XmAhkkvs3qy)*Uu_p7d!wa=FI?6b~(x~rO;SW$&u*c51NCIPf}p=V}b
z;sMCYDFf|{?3r2UMS!-Z02T%&CN?;7a#1HUBNr>6y_k`U84rNd#S)-k;_?yb1Ylue
z;)Wv!NSfK3Iejde0*pNYa%L_@s-6yJ%m6B*zknjp*@fQN$oXU0%-+Jv-i-PqL=@=Y
z>11VL>GCHBD?R<6On;(97y!~nCN@BKXB#Vkk-aHEnn8{MAP;o^Fj@hqfc5}mGfN{|
za{$mBplYTGP*V|CRsl#VE2t@|P&0faR&jN306P627f}^eHAy;vn6SL6IKWJu4j`$f
zqWb4m)y)2bzXcsYUiD-BPn{3PKjCuXs=}&TisH<@eA
zKYM0n|CdcpSpKtwxQZ&h?1%8|>E(bQ-LYqI@o@Re`%gY$FEtGSiEsrjF-o4PtMs@YpPx|)3!
z`#;|g6Wrf63o{o06Tr+7VCG?B$@r(#UrPC7X8vRTXo0V{1JD6rZe;6h=4)kc_VEVi
z?QG;`25@n5HS_iU=fZy@IA%_Osg;S#hsZw;3fy1WKiiuF0o?yGe=zy?(*JEg)nA8{
z`s0L}0_|-*0j6f=aE$Ummk%*e{r_{u{->6NtF5iPk)0XUe>e1hy^QRvY(4+m?|)o0
z%>GcN`hNslIZIf1n3*bCxtLh~tE>OAe|9nY5WTRyg{|4gj{Id(`*V(LKLqU}0wmcr$-U+0@MAFOdKk8SH^BA0Yq-R~KJ^InW92&qi{v
z0~m$>nEr*h0E}Y)L7dD0M#;YsD}eFy--rXiDEl|!1Tf0|2XQe07#06UA8{&wBQ^k|
z>fh)iPUAm_`vV#MjXt;-|Bbi-j3)m<%uF98O#cBtn40|qvH%#({{cT3So{NiP_X<5
z{OEwyKi~%mn}5I$7PkL@A2jU#hRh!{?Ee8jXaN5KKWI4o2eN(mIv9OSG+Q%sm%pvd
z|7ZQz8Trpfd{F*4>CS(t=kJ6c%$@!LKbSlJ1Ac7D-x=6H61!MBnf;?JALp9U^&jx#
zTHODJEFS@$f5HD&q2izM``2_~`dgO&cVGGotGGA;ZOk;ROh4|)|8S8ra&fZq&|&%*
z4a^_*kH^11>HSv$^1r9rKcYoMfF9oTY#%bCXW`-oFtdM1jG390)Azq(P5yO@_-ibE
zoS%Q=Kl2%2X69jL0=KdRG~o@gPHhS;^%F0gDT5^EW;m6hgiv&>A=Sk%iAR}
z6D$gB3CN@<0?JD9==miF+JDm|55cs3+iXp$oW3wz5*HrNRcBBO%9L9U
zDC;7jK9pkT60KBTrVjXCw)k{S;RjNP
z`Bh<>_V#{fylDDlfLU3mNTvZTH?^Itn!B>xq3P<+`@Gf|s+}uqBhOg{#~JrCQ<`tU
z9RpG4-HcXiAB2Q2cwsw&3@S(=oJV5AqhRo*0nxMzD(-R#t(`t*e3!E|K5?_@(9qt1;?D+Aak2@@mTDaJX*yV*8J
z-501;kG_(h#j*avXd8N3YLx%dbHaVWV@|l=LJy2q&K4U{YZBSque5+6`woPn^4$wd
z@DIIANJ}Am*VqdZ$;F7{oL{|AcJ|{y559+}t?ev$YEq;B=vk
z$gaj@h)4yYB^Q(TZif!W+zvzHEnDfP;YsvWH8)|nXT}c=Lgr@WRQT8zN^UrC@Zbl~
zK((u?mUNI`*qj%EJc(U_dw#KShueQ{A5q^(MT@5J_WXN#$9Et#`%BMhbdUwcns{L%
zT|8G@j7S<(A&tv`DOL*k6$IA{RT!=n^zlDElG-qoCXdAJPww^G5Ll>M_)uL@#*-_eNN*n8MfGeCX81f{hn!8A75B
z2klD=t{UdZ6PB6@?oznKcHuj}0LEp_DlUeirQrX|&4E)UFC5r3ii-Y?Xy7E~QDoGL&+f`^VcHLBN}D7nFiP!f!EjFeQ(yceFqaMwcA&vR$<5j)NI
z-4=Y?0Oz+xwBca5O)Tc)!{=nnRchC7Vc{Gu3g^PZ-mBcbX|G~~s1_=23agcHz(sCP
zmPeV(5QMYr?USN`pL}02;^`Rx@M7QP#bQPMpAyo>;HP>b-qw^>=K`%we%=W?}xHelSHbCaC&XQP5XmgpXc#F5WUbcT4Tv#WQn
z?I0usI5YX&w}?-vW3amF^-Gk&DbNA+SczJeR?l}MHVusPN9eiD1x1g*uJr`EQ>Oj+dgt!n=_6$
zgR!n2y_6kg6WaM+Q_;I#+3XSQY{;5H-V?)%@Y9kE87b=cJuycH&&14Jy4=bQ-z&>I
zxs$pkGZ7v!=(;~Qv!_*FeIRVErWtC{ze-hIOxkv`<$X@XtEZ)R=ctMZqxQ_{`)nC-M;;b!
z&5s)}JPWBNJ)s9(aYBelX|7=RV*ef%4QFX6ZZ^~H`Wm@S`phwF+T2C{^oUwyJ_XS?
zrR^@iM-@S)Vby%j^!piw6mDts2$l{1?m%DjhAP%6Z3&Q&zz7ZItlZ&~f;K(wfK$&c
z{qW1dja%QMe>&5#3o7GqXaMce`m?={J2nr(D*S|mB_C-j$TWG@y=Cj&Xxt`qN{h_T
zggZiPO~Hll%pPeeT!kK~Wp3Fn+w}$M8%gyTPi@am*cA@TD>LL`#p3tjNat+a8Nq58
z6RnTAn4f8os
zlf){A`3_azL$!cWA{kHVTAbnm7ape`eOfxT^9+9ToV()gS(3
zB-$1R$vF`zU_k#Nw?w1~6G@%+D1!`f;^=K%c_2Bmy{eoc>b?GLKr}z7CalkzJr!IL
z7)geW$6RPAp!J&O3r?Sx@RTB7
zHG|)`d*^clwyWMbc*6`#hRx{$OQ#OLr~n#F?3JO{LP_!Xt85K{8l^j>bVP9Gy3OuF
zd_@#N6BcSDWjf5EL}fI26r~bO?#xa+J5Gp>_MP{~9QElefqTfW!LY;qbBHgmC|d@F
z$U+%zRRP2hdOcamqg68U5A4Ola%l!YPZT5v@m3}Zf25PlBft(zJUY!WD$c%l2umm4
zkJ8C_M%wq_f&m9@ir?-2G2-KlD`gC&F$vaBxo8=1(i%+;Sh`h2RO-
zepi@GVNwY=or!r@E_Q0xsO01SaNy2ie&OZ+0_?aa)u|*xkFq!^Lo*Nh_2p>DiFe%bKp`~E=
zEF<2u&%k`<^%k}zKE#TYjVAl99E*2tIfKpN3XAC{7Y|#6bIb`XDqfLjV&k~7(Q?3p
zoQ6&w0|L3_%pL~Rn4{VC^m~JiYi
zOr&)&)lTXwm>)j8_9(P1@f;ma{vf~fiJ$V=I!eSY4c<5m^Wb?
zX&n-Oe7R*~p&OX?i!O@TLB^F3aXzcCwyj}ZN5zD2>7s;!F~2z|Vs=<5hgf7*g_vM9
zYK-No=nA)-px}p2d{u(Km}!k+@|{B!uDm4P%6bC&7cxlcq2tugnzRF!k|uuQpcsZLG)p8h$F4e0T!VTYA*^aHSt
z(SF|^V+Zoq?Pw(NJf31Y`$|LchdDzKoT(L-C^TboqoZ=aX|Zm?9q%JksiGd1sNY95ixDh}%NXC$(chbtbX`?vgyn
z@YM>eZ5&Yf^?%mtO6(;j^3x$?+N<@NdeU^p16+}S`a<=wRg+*pU`60R6UNq&BCD=1
zm+?*64GX6?R(J|Jx_2Tl46J`%#%4lmy7hv7hcSJc7xe=eh1tI-O}jH3p5-2RI^^L4_alOEkCHa}8NbjQMyL
z>6H-PJVlt}mBB^5R&omzv}#;??T0;1Iq-gGE7L>ctn>`3=dhL?^!pqRe~(|Ny$SAL
z&>@}Rj9hJ*ls)T1AP0`<^XdHV=o+tf9H64^V$LXs?f-lU{4x~Fg=WTdSiTf<5c#y#`f36H2ng;CtrrOdt^|P
zIqN&xo)EM4DARYH={GfHZ0?rXTJ%IDBERxwQTgFuos^w%1*{vWqdW2CEn*gQmLW)v
zD8~U}?A)#ma9;{?hMEzV8<(Cei9oaJJ7lR*HNHu}JMRcb*a|oKQ(U8i@`3M*S6&Cd
z8s$jg+tKW%qZI~L8mqlVzbCiQm7k|K@z-)-!O@par9f$&(A{*V{MBwnBXZF<{j)Lx
z36@>Qm77wiXqJjKNg%|*`^osIpFt2Ro|!T@ONvH~Mu9Y)|OoU2WFmY8oCB6uu|%MSU2^_X@DiK82sprGi;dZW*5v
zH(E!!M{KrTzrki|PZ>3B*JdVIe3B=bENF&9z^kHW17OYe2ksCXztYQ+lEvGw9!$gJ?#Yv8E@$BC`zWF#TLW^%E&8(&WaeCSBucIucOU
zgJ!6|$BNdQS3HevDpZ~N=}_Okj@k~7!kuIIKI69{T?V#BAsNhC;p>5zPnsJfitVr{
zD!B93246-ypUl@Cm^N~!Wh85na9v~QA2K6SFiCUAgGPARGINF$ZCf>;zUc4z6%omn2-n9-3gJDI&lb3Jv_3=bj
z6qz4MLSC0zRT5%e$|W%2@``g$pmiZ1{jNKf8xPgK>bOrEa5QK
zT6T4u76*G4@Hg~qGcLf3z)50Ndo#17-hwlT>I{>^%)Zvq
zG7nT&jL2UO)Z}y2eods)FINspw$Uu%Iv`@X3h95!U|(+dp~}2MHwv2-cfBY}9|zQ?
zhwhAErc2b7fR;9CK{DL8N6WR*SPvPG{Grm{7EQguF|wfM`>79)S7u_aI8DAfn1pB2cUl0%`=Qo1yi-fQ2!A#SxC%DgqS?CMuhas
z2#ku*jRHB@5Gh(E>$m!a@`Oe3n%h?++lUHrmtQZ@iAoZySO!Z{Z-oPUzn-s)0OgVq(Ca@nH+T-z
zobln$sB>OvJQuZB?n+8(&K(hfam=BiSh2wP-*O^;B6q~_c$FU6=G`v{7S<9&ID7%o
z7R?LAi(@@^Yc~15W`3!y2RYry`#{V<&AI`JToVNMj8D_Kxx;KAqpukGOAS9bxy#L6eW%23!k}+%D~xHU=4^|S5S+!PSNNqpBwR44gKJZvD5D=5L7v*#Jr#0
z7&JE$?9Po&eJic)Rr#D@zK+B<_Ht!Fz@>Cz6uM9$r#6IcD;z{Or<JO>)-Sa<-DuUyM(c7@OiDgZ3XY@AOoRe4FzO52vI>#UQY&@%_}{21L|<`iY|2aCOWcBq>7x5Yu++d1uv*sgvPCEOV;*8DnI*{DxwRkm
zaKke7I{j~6rH_XpDU0=ZUVZ^ofP3PN$JFDXTSNO*LdM`lbn)*BUztzqZClBMXrn1l
zFE*fcN3sL}$>=+lt9rkc@rDySseTu?n3B1yZ}t6v#$AZ+$RX|^+rm6Dho^2r3gtkc
zgn)SR$loC>HHJN#nR;_t1hLVrkMc5+*UUP@0h>CyBPfr8gw|?_F_e>M!Z~nD!dr~p
z&5@ZUn
zGWtXz#D6DiIbVN|fZp3K+4WYjY(`;hKy$gCXI>bO@EIXmx?
zXYy5&IHOQ*NEC&{Svh5;FGoa>A;OaF4Vpvv8_#-Q##3FOpguaicy62AsVWajGq-}?=L(g*896kSMTy@R&s~5
z$!wpNU*12l2js$ASHEV#Z=*aO!?WXqssKEtzaGi5-Ox(t1JDzg_$LZkmxM_{OT+PL
zqWSbx9I3W`d7%{+SUk^JnM3hUho$c-Y7bwxl2YdoKz9B%*44mXU>Tk9j-jxj(m&(s2E{VAtr9nWa<%A@NYu!q)zKk^?^iId$EqINBM)*O>L4)i^c#c0l0&m~
zy>_ADO~q<^;Zo5YS;FNAz+H3}TyOEhZp1xSPhUIbUNm7B$;BWnaLN@e8gj1L#(6CPw!yCW#
zbh}P=KZoHBp^uEye2Nua?Jo`jvZgsr&q%UEs;^s;=cZRNC&M$O6l7NK0s$}V79oV|#>$`wW5
zunGx!Ax8PT)c{hX?hSU(+AzwJkCghF2gmGU5XMho*amOpSh*XSAF4u{YGjolJu>;+
zWcta?K#t^^24KQo6-X0MIx%hk<_P^4RPu;3$)#i=GTWJ8uqM})sZSF9ln6{!l2yKa
zn^H-sh9KP5og4J*FQuB0szlsT4UNN6Y$99`X$nCp3O>qeeMB&CiAP)BIy|fe3fKbA
zqrC;I*aUrWzn~pjFnpLJsN*jK&)$O?#4=Bm)x@lMa2#an?*aiF-3{}eR`$*K21U4~5$pYbO=cU1_nG4mrI#bK(^h3NQAA%jMp%=E{xEG?}LS4}Z*
z2XbKAp1k`(K6e`*;yUYyR)H4hA%za7o@f=CT3@%Y$JJd`@Cbg&iIz~?>`7GM36V43
zDtnjI{S1$JFpj_MWoED|)#1YWNVOS=vIt9Yw5&VG=K;1FMnCF#H{HrfAb3YP*qEX9
zrps!WH_|({O-jBd(KNaL1$nU39MzNM_orM9s}2cflN^eaP$_Zg^CHf)ALEX2k99l#
zmM$U`)D4*1N}-_O;QkB4V^X?w65lGQR3&KXnrxAuc}jUiy%&eV71tfVW7RC8fJE6`
zFiA+-N2?vkQ{R{eR^X87foXSF<07goj@D(fXQ;=Xx0-D+kKe?BCp?O;q_OZlm~G1(
z={sHDa}Wd{hHd0q7X-HTn7O!Oi=|K}X>^TEatO(#`ft=A<$cF&<_D)RsWm$++5`Ut;ZRcULf-%{dAwVE^3<(ZW$rAb+i!bd?#B~GsWP#g`UOqnD;~`AoRsqf
zo$D%_^J-l%DaRNxtO@vMexBi7>C@>s57Z6()p0zyqE$eEjGN$Q3Pxw$`72H@q5!b6
zKzIC??yTs!Octp4zH$MxV*y!t(Y)K1pQlpkgyem)ihY6A{I4WEHB9Mwa1buvUHh$8
z#8Ms2^wBq=?9T)ZB)ikRGM%xT?hbcLn>sAuqa9;0Wh+hVm3ZLkDdRJFTup6hP0&%f
zW0>kyEjxCTd`{6`7f6uRQ(9?~t%Ld=hKhy?nzT@)fDsW{Qi>NX-pHRGl=
z9a)?6N|dV<)BRNscfb207Lx-Kpb%|g*e)I(Y6bNpV0fMVV1WJ?EHiB~t)TTvo7duWu&bNQTO
z%2gg)=BYj}J6_4Y)=+f~DMoy(#%H@#^%`5^wd|EYg0~p`R6|fo;GuMAH}~D-)%o+H
zlW-Q45-UiaBeYi2EKNcQTzX!N>@$9V-BK6gFJ*ZN7Vvb9sw@@bT8YDh*IwtQaEe+3
z1!8Sl5kVEVGxUWZS)YBxrz8ANTHjDwYXjB+F8ea6)lLn@h-q!+Mm?3+LQ6Co)$5R@
zmOG_}N*vR41e*;&m&WgNmUm_4H~UcpTM+sI)7w;{oXs52n(*)-fVL}`tpINuWU&;$
zQrHnwUQsDGs>xCm0*~8x3yp56mKY*V@m1L1Z}q-%9ea`%(2Ioq;DW~UTrvoDX5PpX
zbIiUJ96XxIfXJbkQAs;?AvOhR);Bs9AT=yB#Ef+@udCL?oGlNUBU+IOvuHep*SoM5
z=>s`}&P^8=ee%1AtuV*^wU*+#1>Ox^vx}rvQ7cx^@&&91v;3BVs8JaGGo9I~*y6Z3
z?RH&sc!EcR(5*q=Av6p3g=Kq!t&~8}ytvi$ce94v>Z)T!J4TevL+2g$CCW^rN^T)?
zi8VmXZ@%4C3>_PxRf4-?d^Yv3&M<>W?~%$ZN@e*|o4*0dGYHDqktpfJZ#)WAHP;YT)KH58yXRN&Xac;v@0o5
zZM144M5C-^it&DGrB+y$rO-)~hS8|XC`%|9xDIxuL=z8Mduk!9uNyX{d1;G;6dx5{
z%z75v3>;ObVxA=396&PtA-;Fka)Rcui!u*s5zc{5|8qvch3iI?-V-c~fOR5)#aJ*G
z%UPdy3t{j#j#?NN;b
zw5ym+?SO%i)`$zR=h(@%1QTDnJ%0Jq%SxKCpvk9wj^^-%)wY3-ueWh=WOgC_2%4gq
zP!-tw{8fE2GAR0$1YdszJ`h`%)mV^f!7w|SXE6lI07)Xl!+K0NX`GeflG+U;<4CAb
zpy?FIIDbM#S1Q<-*nHUx<}#8A`(dgT@Kp>~EVy^MiCupPfZ|JEDa{Tc>icGBnI+6-M0NS2_T_d|z^QPqG@l8n`XWPx7~foij5)z
z?#Zu+P20p25iksXr(Rwc7bA4tu3`G1l3qh37$kNE1&Q*&it0x
z!V(=*X{}~1Dur3bWYTU^Ac$b+Wh@C5T7?^}=~0okWun=ZX|eAiGw^<67ZVmnJgRXA
z3xsNG0DZqru}AQ*TDn++IV+aFJW00uNL-F&^Hlf;rsj+VF^f=g_Y6i#Z-jQM9zOsb
zVt7Wdyr`?|opH|jB#v!U#V|ib>=F&Zr6o5_bAKx5MK;xzWE<*lo3rkl`Yr
z;IlotCHA3FvCc~>V^^8bcJ(htR5`51sfNvO9q?p0wV3|)V-pf;T}9<)mS@R){QKje
zJ>?-I)Boeg2`UV>9mp4|HiM^3ypwY6;SG{WOlQhh#Oi_M6I_Ef6*r@=ta@iBGFVH$
z@IXQMlkJ>x;wWmQx{aQ>kxf&x-HV2&4qG~$tUNcre8ni$q!_1(MaFjLiylSooZK!~
zUBv^k(zefGL9zU(!0#ao9a2i{Tg?aQath{Nl{n9TdlKJ`$qK=8#N5zew}&?4#g~uH
z_pY-6Z-?56>tS%oo0_Ol*Trh&^U=oxFshh*rE{GV0OuSXVnI#cSNE|U6i;`<&xB+o
zEkayG>`5FwOr+2ciV#B=Khc#x8;t17`RuMDha>?cYP_(BNx1Hs;))3|&fE)GS53m1
zjjJ6Dq(Jae1|Qc2SyIe%cGB)5zjeyd_yu(kB2jWv7Kmo;`{qCuXVyEjYc5#q6^;qT
zdh^72Y-s12-&-aJj>^lpe2T7oZ(7&A&j^>?L;=*>&i$6w@I`O@hW`g*Mis197etni
z?-}0!_q|p?`(+^Y?;Ou)Fce0UVK4Bnpsh7|TSnj0+d8K^gqSvKnR1fGDDF;BwIm|j
zdTc7_4Fd@d6C6{$?s>O1)<-wPZ(E1Rc)WF$3@K7{%PQ#fO8DqW2$P2j7m|Ajw%xbHux8CG>|OJHS$bx3c-h9LNSJ+m_a!BM!WM;
zk2DXQ=oaU5rr?Q19g^D17?jnUfK?et80Zf;3QhIMDP${|dhN%0v-7D(BQgD!eesLU
z7>G?biROWU0P4FCMRNf}*kC)?G5?6=!+GN`j5*i+v?}D0Hn&CJ)lGd^gbIScwg$9n
zGrFG%Kx8X>^C_uAh~&Her~&8gq@(sFZ|Gu;IM5D#>Rcn28e-X&@-1|}TqF!!x4Ib6
zSwOtKc+KMC}bQ2dFgzm&gn@}tf~w`d8okA
zmeb3>2x)mc5z!}(=WAo$rtqO%FtL|WKbDMUQL30gDk1ruJk8Obi~GJ|%65!r!lZCNQg~jGng0
z6n@eE^0Yy)tfXn5_C_cYBCp=CPvR@#Q0;p`4B4cd)_yazI-Cvt?MVq$oN!;9=u;uK?Z%)
zcgV|DL7p2@@pB19dIpvfN4cDSenJdtJjM{8P3Ioo)Of=a-CUiu5SSWTPkO2PRyg>1
zCj+g?0!t?-;bg>$BTd?#fJbKKvU$5MMDnLFhdi^s7oqs$ray1pOTHf1#-+fz21Nl*
z_^ytvIL6Hvlj9YN%hhlZ{=SeTmfok2J$~{Ae;7H7CLfulHIeA*Q#eQqVB$AWk+wE@
zY>DPh+yWPG$L+>0p^)A=6Sk}dJQz7vTNs+=!1`;
zL%wH#0n+At^E^>qo2U!HerDpa=KN>>FP)(A`Iw;Rmg`0uiha>U(~%sy541rSziwpc
z5HpJ)uBf9Zmxi)7?2!enQ8;rI6=c9l^%h>CcpCbnh@hv+pZle;ycWfKk@`g2wvAGM
zegm0k-2AM5#lNl{#Di@Y95yBbCx#m^e`IbbN}h$YVc*_%9`U(_@gZaA6rN-E)>Gke
zA(jsQ5R;c10UY`8_4;NnA~((_vE96d1a|@HAOY>iv%zM=vQIHXGR+ig;Xd0r@1SYG
zPzr&ptiqh|sgo~rk&~N$%n12W-9^i80H-R9P{=e>B!tg`p#S7|I^bD_cG>R-#o&7l
z;aX6?lnJ~WyQZFO7jOEt>&fD>6jyUbf~eysF;-#Q_KqSB5Adp9QH!3cv|9ljUA!QY
zc6SRr9@RSm|CKubI4s(qSl{K0SRnupiU$X;-R%mvkC1i&k+v+<<*7tJtMyzC1u$}o
zt&<4lPOms{Y{(rv3Vs?iLhHi4tQq9h`T6X5_@6t}h!QX@Al;%>f5Cp&Y~1*X#OE0&
zJf7tHf=vnraGEWYk5q_OL)8hvI1VEfD}iFI@>H>tonkEEl2{BOV|DV%Sx-!t0XydW7{QF
z$&s0kc$pA~$1iFq95${RUsMaRFZPxhl3DfNJ79=d$H5Oq@rJ&cql)+;+}k0@X+}oU
zU%#>FSKqT1eG?LyPAZX?sWVe@&Tn{q^Apr0`?MtHHIc74qeI@7mA%fW>F_(hK0n*qy6J
zIpf%KS00LwN_!V2kbg=parPw77u)c&s3t$pICBBMYKqtgLjLDpF{OB#Yr^J-Ct5|F
zOiwWE?HZWu0^J08oievp(6}ZC#cpf0xdJX>=?hs*CV^AC&M3NvoDmEw=vQ)pKBrkB
zLlxc#d=W0ch7wBX)&dOyyviGwO0;3|9|iV~nN=vUZ1M&OPixeY#wuPRn-G(5E}pam
z-=Cab9;(0MMjnd#nZy?1q7Wr*ZUsI#@a>k>C#ax8R94|cn18t+Or&c_J-`(clepZy
zE|`8w;WN^%G|igOxSW>8SSA+ld`Zck_e+uKnsKdN$9tv>UO$Pe;1Up%Z~>0!XA%VZ
zWXGPpKNjK4Ato+#l7kk)85Na6y-_A|Na>II<4dzfVHS1=@UB-K6Rn@^X1Zv))txdQPimA2T8XJQI(mqj{Yu4{HSpjL!iB
zrtyPuHI`7E0%i{~yEMQcpk~|=Dztb@@jkVR5bSJt56=GkUm9F+2upF}@OurZl5Ebn
z?%W5u=KIYf+F+S3q#UJ8+|`nIH?Q_9a(%B^dZ!2)JZ$fz*E}x8twKyW2K(Qb25_SrQ{n++XsR)Fg{zKM=LsJiLX>bdxRL4eGcC%|n0+O4h9P
zEZ(4LGE?zCtyt{vahFq>FlqGn$)Hvnsiv%WO+Q&+>*#YY3eX2aMO}j_H%lO~>MqCI
z2?)AF!Z1nk-OrsR24W1I;)d)Y4fAXxrT%J=5gbYbuhQP>zmXWKJn7Z$g5kEhCu+#C3Kt_y0^*L8>zeY4p+LUW1Cw65a5A
zFxS&^qKTe^-B^P)Ek+M-vKmaqz+0VgOVmPvqmK%5BK6-nmk~Q9Ikp{~{c;--0A3pn
z9KD&OWcE53xj3IV4{ZZJIjP)YM#THm>6S6l=xo#BqRtl2;>?o2eL?M-Q?yotY4I#8
zzSG3Zw0Isbc0d;t^@}@Slk|8hV1w8R{>-)RVH1B4bm#Z+_2PjMH#tq-CW?Rpj^tS0
z@y$qbD?QN@L(OE;J97Zt34V8`MI;X%I|N^+Lm$cdGEd9}5cl>QrpUag+P%Ow6(e-Y
z{(RYLlY
z@3#ZS8B)IJzB|W)YB_J)It&S3NF3tc%D-j`JB9s+P^xA|WZ!>#Y`HCRHnK+@gUbJ~
zFi#?aUouS2Xi@3KBSI2KG~Q)g=Jx$;!po>0O6;DXB0<^3Vnja`*|Si(BI=k
z=H~gWy3fa*(*<2>W{1wT<#kn(p|(Qxp7Asm`&8i0R7WrrJF5}v2W@QADwZ?~*Gj^b
zd)9%Q=#l`IkwVIBky`4VBx1mKiPpgJq
zH!~VnELDZlIf11%4JKy!>pR*0ku|mefl_V*9mTqYiDrhZov_TD)K5meSxnS~56|Pj
zZV6*&@vGR6sbTk6NTv*bYWOzq=b^#ao?KXF#v9ueI6WD>AS{z}L-8lzBSb2VsR0Sk
z=*wH^xV_-bvmBqP`3kAe+kBpvbDVZa29!agwwSN%Bn#9MG8R{2
z#gXMX-TAy)@a@4D4;3JsbNuE!Az-c+|#|9`l<4;1zJtBvR7guan|P?5qLsBA@lgDY3dtIfp4B1{pigp
z4p;r&o4tUGOt~n4Lb)G
z_U0XVKuyLvvEFOPorHI6-!Q>0!x|Lic1@wcthTUWRNM4T&a`4YSChjMrC2n)>p7<5
zm&pJL1*r-zxJtF&|ir=?9WFJgi%{4s`CPn0fO%WN%hvOdn+4B1~L;`
zwdRwktReKh467TvD&2%Kw;yp7!<0e|vkK44xO<44VKaN;(NfC~9;CFJ4iV*Ws9Vh`
z_d)QvV9POpqsqu>28-?2sMOPGDdl2)Hz$ll-Etdv)@}<0ABj#Y0Sqbdo!F*vqib_1
z{>67+wUL4Mb7Rx6Vi33E1giC!g1lt7X#nVZ2$6V^an^(%Ji@kNKC=S^=Usn365!Un
z;x3UtP{~D~$VfhptHS2dLuV52=UpOXqq9~-8P_j~W^3*_5Y7HE!|P9YeoQqS$EL-r
z@8i5Mhs37VSWm1Q>t6{oLL4xj^!Zn&-A(uLx3>8l4?|mRIkSD9F)A%+?
zcMunHhO^R7AM0gZJc!de1=xUZ3D32UZj6`cV88Cd=gI!UPcupdd%O$H!PE6F?|%Y!
z2hHKB)c+*Qhw3HxR)U18|8-J8=mcBC5I$|=RAuNDKY1k9ULuqLjg;-1Bf{#oVC=-P
z3jZle>{^NcfD9;c5bF?>7WGpL1X}(JT@HEg0mx+AsJScq{%H?ws+#J`47S60)S5D+
z`bAEYn~XvLG`oi{ot`{MUM{B2>yu++(M$yj9ewK0L>hh5-F@t#Cb^K>TpxNL3;`;y
zZk(QI@tOn+?iIrYBN?TY)KyK?Nny<13Q^phVBwy^SrBs4ZJAwpIB@zF9IyrPG8vd-
zZ=HDwTgy}^Rfz{PHjxexxO?_=wS87HZ-^X-E%)PTU1mQoPA#U)T$(p+RL$=(=%%p9jtR`mj!gi=;zQHQG1h`0Xp?E%
zh$mxiadjvyB-qwie*d0@1Z(U88YBA#e1_X&B5_Lz=Z@1)pf)}d*@-O^SA24U3@&aI
znb~hwu7rL;R=e*m3>cf
z#2^$__qJkvV6yfMyR^4Lq*>>;o8Q@vkC{3g(msr}8p0lxOK&-Gg3^82{?c4vr6TXs
ziOU70T57@GY=4SeOxUSpGEDjigD-`(#>lu-K4U7;diZ&eSXkduLU`M5wnj2*Z_z|@
z#4|nAw;jpO5kgK(HCMIY&V6_=Ri(<7dHdLBbU(%D8q`J;tc@PpEfG%Dvregl`b2DN
zU`uPNWArCemawUx9Q@$QW7*@n#s^^*&UD(y%w|rre?)#J1;K=%R@HXxw|diwBSc}k
zpU6~{CwiYKR2IcU)cO7Ud4bCq-Ci#Q$dJ=xYJ)ffD+$rVz}Pf!T}RA`!BSOu!xEl^
z4GsYwq#{Caeq0ap-jj$fAycq4Nt#uLIn0WKO#)urGTkPL7O>>Unf9%IRo=l@vwu04
zC9xD7RcVGy(5q;E=c^Pu?&}~}%+3}u*MOR$tGH!9MvvB5#%Wz7;ESB#vbEs7pSuJt
zRkrjEs?caA7ax^npP?da*}zB{UhGL0(rwYt_)pAVXKV%#f^JGqSCq2BY_WFw&}Nfd
z;UY-*!LB3V!^QK`N*@jjH@n_7Q$!1mVF9zE7o$Ftg&6p})kKOhGPt#br&Jo>MifAa
zi7LCM<=asubaR_RZ~O6kXM;m28xcGcdMhN4j*`s1kh}%;p%amYlu7}EhbV>3ET-;Z
z@IhB$`fdDtLb_4eeX#3!?Vi_y6cUQQG~gQTFbe?ER#|-{tsL~`+YOUFP;AeWYZM}1
z!<0RO8A%ceg9k4}%d##Wb)rn%;uGXQ
zkMo!tkIonMNVbgKLyRs=^d|7OZQkZ>-?nYrwr$(CZQHhO+veNWe3@i2ndHBiT2<|8
zRf|*SIlr$s<8Yo1NcTGKzRM%%2uS<0^yge6t@7w=-3qp_7eOzMKhac5C$<4B6a_Er
zytW}Gp=#fb6((1-W4*dpmpa_MtixIiV#DU&sbYKcy830B?kDi`4!1dg2%uY)u}$SDRJoKj@TMV
z@B>7;7G(o&ix)8}BB;NVs*I}Rc9%VoRREY;RC5#h+u2!_C1-^6MgbM17?-QT(xr|U{E
z{blpoiBsdPTjMR4L+K%-+VfCl^XS*t^%Fmo5FOOZr_
zl$HogRxAsSGtt^hhu$W<^^erD2L_rk@$#x0*d?c~6*OG^)fq*GsOLJ~!ZPmV@LiA0
z$Rl~UdlH`2%@extn`QjaVT=3}dR{gQaQw)%6fU$5xX=g=nv_x>t-8s98RT|Pzrf@M
zg@M(clK6oe<6v`QE!I|+&J;Cr0sJ={wXW7$#2_L(qShcBI#cHYv-7
z4WLWPJSA^z~is2M0~_3Bk@
zTPPv&-I9>2CIx>rITtJ2A6@qWqCtu=$_K@#no0R8&C*nG;dw+(T*6KI@~}@OpCXJPuW#^!{+`
zqQTdHJ~$G3(oaa5v?jjN7MrlyTu*Cgpsr;!vv8=b5II7iXC@%;YK0d388J}HGd~Wh
zAAbez37i?8U(QR?;p|!Ya7D46Y)JFIbqbsN<1C|WK18m>wRLr`>W_2j)saP8^=GPP
z_m4q>w5YbNO!ETN-!LDYxxcf=y$dDfYpjQroMlB9RI=7GP`p%bHG!?1R!k+MrnN;)
z(nagDCrQWY4rjqGt|=#lrmjg088-TcrTq?dWfnZYc3UO;DUFq<_+A{jjhncX~%ffeP
zztyse##224QFfO|Z$}nzk<`J#_2=1eo{=0Qde-K5B;_E6EtA6&+O*RQ?v$P}w>tVtB?M}&XxQ)70_&w3071gTcqdYF>|rVE-vUW&
z8F-XgQC&*(3roWmW?O6|p6|BZAJjf_sj;4*c4eAsXYx3iffVvb9;eEolA@s5L}C0%
zrUrJz%M`Ojvjbabi>P)85N7GHZk*;k)sf;-ph
z$!j02?~UiCZQCtYal1{QXq+Uu;M^g0(OJtblc?REmVT>KRO#J*0hE7wHt~~zr6>Hx
zkAG4Gfh+@do%&={>Axv!k0B&nRK#x+qM;fy`npsjtWdi?Uet#u=LBx8x~KDE&)lN!
z`l^j-N9-QAf;EdbEtU|mu_1qF!52Rs4>NA~ygQp`Z~VG+)P~0O6_{3la6jb<1)pL9
zt%}94_uW#g%R6B{4+a;FoCM|0Zr8uA7I%Ut!)_|0cb%+ZDR#%fl$)HLPEjTu1P$fF
zWeSM6ZLKQ^XOA=!l7x_*&?cFZpyG)H>VRyef1V@jZ9iJ
zH}LS;`7rI3z+i-F$+&?$eqS~VFL0q07(L^2GS4EK)c;c?u1wt5BOR=;E
zh$Wot{e6s9y2hPODH*N#s)*O1xt7m}b|Rav-WPa-aj7m(eaEFwCVJ#S*+jS^!va>f
z&VXD&6H9;L<DD$+cT}T;m(i*1ePbdRgKNk>9yN*riR2x3eC}5
zE;OkH8>=`3vtb!cK!3t|SnSq_i$1yk4r39zey}cbjuks0$+0
z1_j%DS#htgG6n2Sd5#2d$I(K{qFcp&EmiRS9Uhv)2-cO|jV|Q)7g!e;Y!s8JB7BJ>
zbiu!wTsSYHkF(%Ph%-Ww2$g%9bXxtpl@u6A6FVut6S6=0aL0VVQN^O++_~1O7eZJ%
z#04_{(2+B_mbT=&IuNwp(9s|4^)WmcRM)V#>~qX+@-MGBQeHFp8sr8DH9df+&@m_=4+xT$A3kCpLT%T3&E;QI5^-nzI8
z0L6j`#5Yh5Td=K!qN3cezMe#IbzpX`<&aWCG@8&kVD?CS-BXEb)0BN;kXCZiCrLt6
zUfz>;*i$)KsKJ5J4rqjh&Ry4(+12gvK5vlma_XY9yws@OtNUAs0?19-dvasj15_W^
z7Mo7oyD~_ourwasI`hH^n5*BXQVBKEfs%jYBsL+kkuVe@
z{BDRUqb8daqj~U7i}btS$4l>>RbCNsYuJ>y3P^imr6T(f6s?!%K9hWAho1{dq`7ik
z6oFvm_0jz(39!|QzI9)Q&NNo07yZ0WacUo_T?r%qr6ddLyZ4B@%rRe83>)2&nc@$B
zl@xZ;7Tl0I73>|QQ_ZrfFq$&GY40=qPeJnRigh=`ZKZ5;YbdOJ^aiY{19E!7+QU@uapytDG<
zAe(AM5g6PWBxt#lE*ik}P=`AdeMl?TGb(u>`zu&Jl2_FLJG75^6cM8^s$}S(r#X&E
zewg3>tf_u(XKB{Wuy4pr+YAe%Nc$b(8}68smmf%88Dt!6x}#0jB%gRbQ2>3Mmw@e{
zx_>H7M3iOw#~epAe~rEMW31hft7-Yj9Y&bdp%Pb+JX`yhCD}SoS+{?MWG_^xTd4xC
zs~A{ot;>K^Z!_a$?_0via(A=3lMK}gm7<@B5d
zX@dFU1lWYH=C->Ylaf|HSJ1%;chr>XNN
zep?7yJ2*7a9I}Q)rrjYZ*u~H82H2D0ts@hc=3?h!j&`?FSmy7|I*f5|QaOtf*{$C`
zSDSXqfDvQJg2e7+j8mp+r9e~&8n0~cARNvwV+tP&(#(yV72(|sQ@=vWK7O>@q8w}{
z&K?OB)K(FD9xU3C_ug#5F?A&uq3t+nWAPYo@R^b)jUDSv(T9eV92Q#^Xj
z3Ks5*0txMxp^-e=Xi$@4zU}VPS9n#xy%$z-=|b@LKUzmhV|Pi|T@gij&9uCH&HmfK
zW?Iy!|N7L$m|`dLWFk;I%a+LVQ@*24+(UQ2tr#>p&;BTV=v+4ayIWKA?Zc2BT~%Z4
zI}LW@ss&%leP;b6p!5Xf6{&74vxD)ZX%>f_suZ7b$*JOcLb?YoB~_haE%
z4Prsm0-#E*E8s#BaNENAhR#tFsoCQq*eKfm;aFq&ARePUTcqvz`an(@YOQgD&;v1L
z{3Ic{;+sby4(N}PT<`&N@JYGwc=A>XF$W6d#_jHetxgIO6#
z9*Okqu^4zoN^7Vb#lq-*8*N^{i&3Mo#16wJ+CRYkYw}gB;J_^_&>!lbwZoh5xJ&fx
zinWQl;lQ^oYJzu1j6-S8(jyftUj~eT(Ux+j9Wwd>^)AwFfh2?>t;YS!)7w225&pFF0=Xb
z3S#QJwBgEP)r0qDpwk!kUF9nf+eip2XLu^^2^ALWS-x3mJCFUAK_fvZj*9k(|iCj854E5j*7!3yU8f>se%%8sn}T
z;LECm?Ox4ViAFm2j;OEt5Q~Br2Xx*|R5daU7nbRZ9HzS;PxM^+BRN!KS!7O!|()Kr4Rui?Um(sS7Ml!S@ZAgl9c1r
z-BL+Jg_7>9sXn;tE`LC;EPkP1Lf#%=$VOC*2a35sun6`X*|<+i4oK0T$e{tLrky(hjF1iue|?fdq5YI^{-bMiigd8T(`R+hA%8p(K-&UPv*
zg&K@pRyG0DWVpY?&YDdN664)!bnwN%nc;7{a}+ox-E`
z@pQ|7hP=&c?4a#3)74~UAR;>Gso57$@v-e-!JLQ?UTdU1*ipf>b@5|;i(xFT7jZzS
zJDAYD!7QE}D~&3SFjKfvry93_2F2^diqPn7+J)5ZWD$rRyZo0e@}k)M107!WlB7$<
z|97!P1^iQgJf5E2VhJraZcquHuVNal*WW2w2bH37L}WfD0n{(c27AEnA2tIu&v>V}
zsk%!Hb5gMB2mBNUU4C~h4qeTdVi4-N4T&?4C2&v2JD=}r1XEYe4yU)RAfxjV}=DEpt_%`DT5^?
zkFqk0$?HKAYlIhb7sn~FssG+h6LQiPuOo1pT8wl=NjQ5<8dF;}&wE``OWyqJ(?v}9
zZ6!t4gd9%Xc-b7yMbZt(+ISCArU39vg3RoY4F7%@RI378HP_~0gxw}yIVs^MUfuN$
zChEw|wWk6c=T7|QsnBdVkmc^<0U()w2sq3*f0v&|hHc4x9NQx;k4SeIVQ*kTZ;*)U@&=^FfGp7ZPV>(Kf_S)cv~HABKR%S6Kzb8Qk7P~FHuB#8Eg
zKyxf97~~lhap0ZP(-_D?zi*Iejttyfq5fo=vkYs3zWOIkc#so`0Pvbb^PuA==qt#z
z=WB+N!0aK+G}$es-?liE?wJ0zF2@mxE4438bh-v}_2
zi=`ykPxOm(^`C07b*NDjBNTT`4pNj5KKPSnGWe1-3vMSw7PgLZGgEFCJK_5{hRSrC
z(3M5ZF;*Ym#!H1rDi>z>66hBcqT)hy`38yw!I*J&h4sIrXald`#FmVxq^ZELmtkhGCy;TYh7~ax>$X08T402Mwwx;583#X$;DXTjG)tE&)r&(1JH
z7H25(hC8Iu0o}qVfAvn)Gq8>yrlO|5r9*$kgshEIDyK7t2JEb+x2tSX=V5vxPtV(3
zNg%(U69O!olQkN=@1KX4WoMRj$
zx&lxo2evF6Q;JFBM4Hr^lXblEZ4%^k5e@}F=bU7ngKZY>RPwJ^T8iITJJ`JjsdwrM
zL-ruT5rG3wCnzn!V`W@L;W#v(;-ImcZ5Ye|;Mbi$^n!(|`p*TVBF=3BQyCk_(p@!a
z=88M=Xn;V0rZI~11~h3d-9z&E>A^w}>amrL=8d7m{NHY+l9gHOQTr1EcgZ!Y{5b2?
zlJ;Pj7?|(5(zChT&uOZp-b>H6f}zJeryCJ-Z{x9BNK_6KROT`o*mdzBQ#K3LQm}9G
zT6{PIrKd_$BNcQDw?dj>=Aau8qErc`P
zBiGL;O5}-IKAmeh%8BXFKc6eQXMwG9?p?2sM3TWCv1tGo)f3*W-8SP4kK1vl_zd-R
za5QKKc1;WqJ_jLucmLBCX{aBy?enlV@qSBC;_1Mnw=)0jj~aV3Ua3+-uHE#Ha+;Xa
zNzHk!jO;F9;%#1p%8h@c})8ZEx_+F>Q}{ma+2sN@Ky1^O5q+ue0Qi_
z7>Y#BZ~VP!V|UUd5{I!vIn{h(#!GN3BB&mpIL8!~4E^h3ZYqbqs#-*x{|d*vR3U27
z2dOHL#vgXmplMFEcyIR~UUUy$A3x$rV-_iaMB`XvCeAU^yY(?=^`1c_{1+5$5dJx>8YNTw%K&e8DcyxNVjVp~q`ys7++Y%t#
zTu?LVpetQ7t>K@><5n|bD9*n)5r0=(&bd~MEQS1TOYNVOAz1OSb}$WTyFHUYnw`Vy
zehhr~J9jOxR3{5Y2T&%y!ezNxewYy`aJ^o7UHBdt>vuxd9Pxuc&G!Q=8OgY;0NcUL
z7+4BI890rA2VBbmWaHhn{Z*-atJ3W)j`F|Dsk~9(X4gb_^GRzRjZ)jY{Pfk+dbs$&
z20|03eLL?(_2C}^c9c*h$_7=ESt-dgmf|6`<0sKE`>w~x7>pcVM5QzAFv{x)g#0xW
znW_W<%R-eqMhf?{;<-aFexrH+M#b(c-+c`q2%@L+v$Lja)UJNeXVp6^i0>4JsO-D~
z=H}hj(cn&<>eTp9!wdvOaC5P8b+*1M5R(PvmzY#H^{|Nt4I7jsbE~jlnHe6@0-2FD
z-X@MS@EUI%RvyZXVuf*Ina;QxAX&@I?IqF{U;VJ11gTd2erF0lnm%&2g5OEsaJsx6
zMGaL@Ecq}UncU4Mp-0W;h=54(wSsgkz%c$}<%`Pt=xHKKO08KLtz0A5tMuwo=!7qo
zO;fwC8jVe%``C?Ze^TzC#T{WA6Y75lz+)=;;BLRudO?bo2Yo@i9=#y@?m^J_y@gp*
zZ+*;OgR9m5*)@^ZbQ*{7H}ES9DJ*3;<(+?6b#24X%#)G!?d|n^@rrTXFkY8PCfsyU
zHY|JMWrnBpmcy`FTytARUr^LAODU|S{3NQa~o(hD8u0?RqC!;1|Yd$UWM9->4&zD
zkagslwW`P0pJYcB1XiN?Cit>_?##Ah=>T!f1LW7=-Xb0TTA8P8LdMe4csrRMVwn$M
zPTqOXaA_i+?MZeyu3|Szvc$rLO9it>u
z6`RqP?N}`3EKHkCMQoC7dw>Sjq^J4p6W))Q?o)#j+l-e@$!VuJ6{rZ~9#&~2cuVKN
zy8-I^%I=%K5cm`e+p&81M~!y~2F%;<4np)BcRD9kx;p-f5m>P7nM7`$zY%XXjQJhh
zCV+(ho)|k%?|<<)m=Z7xl}YnFeC+ie_+xNkgV?E(4s927Q&F+pJWJ;f?Djp`_iCti
z;6o!fBOhvH;o85hD179mlQG&7$@q?SB{wSl7d4j+-dS2P1HZ*l1B30NlcHiCK0OPX~A?nHz&=en1@>!zum4(pFD`Gh;XYO-n9caeZ89B^idV*cI6^+~B?BNM)8Y`7kc6xh5mYa+!vD3W<52
zz%3wn5OH=%OeGeLM$9=wIzX5jsQ0dw6up#0q2cu$rIRve;eof(vshT7s!Ixq#1b|&
zCHH`d*!tB7l1X%Ex}v+gs>J6Lj$fOhObD;Ph$w9#{#fcgF4x7Q?wqM}wmQASJg&v2
zuk@jYq7cz*Wr&C$;Pv=ISWL(yYh}MhijZXpd{KR}Senuf{rfbsN!dxnCYS{<+EE?j
zSMB1WR3fV*;sVa&x2>Rn88SWvt)N;_NDUW4v^`^oC_E2ANzUNy*YKBs`Z+dAGhBr+
zXb5sp^lw%Aq)aFY*l%kJhSC;N&7ZT+9=cP3YMF?{kH1O`VA+9qW9FiYF_OQte7;}j
z0)1K<_P2)r0e1Avs)s>q9~{W2w`r%;CI)*vXe)Y{!%@>F7u?@Z&;{aQmoT*k_t4Ci
zQTOSN7_J(X9+Rv&cF)sb(bX|g)6;AFqZs4Ux_x>T-0+HaI+X~qHLoUhmmsE5Suj#A
zQ%@&db}>^sH_pg1RazyFyCwJkHsA9sB~lfuV{=wE@4
zvIQ<5W~Vwms&V-wN7Pw`&)FqRm-kA^hX05%W)!#Yitox^J=?VkF&DJfqVU2C-lM#7
z9pRYAQDhY|+g^0lng$u<=YGzOwyvwjM4_K&qmO|?%S_E%E}cV>RR0wnUL*4s?k3HM
zdDK$MOUaFIgYxbQ6N^LC1UfeZK}KlGU}%^%Ql;voR(#~g2rVGX85tAYo^Bv>_vy-$
zNzzK3xx);R7}@h}?l8i&pZ^!;VJ>T2gyhu7&UTMN#f@DScvNAg1I3c#j1nmk_I&Fh
z%U5|%W!L%TqVm$x2Xv#N&Oy<3*}8UUqt|5t53Thmu7sc`_t3a|Bt~8*k`p_|xVj61
zqhl~9R<~mj##|w(<=zh4jf51SIP+UJ*P|kw5aXQ|Bbc)__xWm~B;TNEBJCo33Ul3D
z-pcN@m8H~TIgp75;|X8CR3y?ScuQeY!wW-#+s}R)pcN2=>_RrC`ev+4WPh?5_P9Gm
z`2erh@*KE-L3wEA34p;!dmepDhd_=MYJlqwjCL6L-nXn-?qf;NTAzNq
zL;hepQ;HbE;vxn})iD+B$Uy`#dq`u{U1f!P7!6#ZR-?w=lw7`tIO1ZUCFRFMN+y3k0WaLosyV`pcIB(70C(0&rn(+m%+LBBd)
z*yUuEX~dfN9LA~rjgWA7#b(1ZkD7#{-ynf;-~B)A4hnrrPFBiI^M#leNJjKmK8BcTZU+}&_5IA(qe}sw~dArrod^_0M{w?jm&i`Kjz`TxkGdeOf
z_V(J;=dT|(%P#Q
z38}fc*s;OF^BCo3b})@7i%pP@AnVsMK#dSDcDJoSqMn`z>?r;e^DyS0rOaUGT|mVF
zFP@RKtNai^9lLt`2*ze|MRjJcr4X9fS(?C<|J8B@R%u&HN6B9LjOZ8UzhVJfTK*V>
z1!npPj*U!g;O83HAf)Cc7Ql>zWo!kM{&>dV^N^Y68d$*mqCg_~RQwVGZ&e`tfU4@m
zY!L7pEq!oEE35dMK1*a}d1aIm2&jiC3K&rT$z>pgzu+T#eCPqHcF(vfWD`0
z>>t-O4Ao;bA63m>h4)hcS=+Cift~RBZ>+^b8%I9^)K?udnWwAYyX3@#1Tf9Bbj@{u
zs;4T1UFeJF3xX@qPM@*e9=}jyA1oLM7{0ZQ-&y=m+vE$M#g9%W(0L7$46K?PPuVXI
z0}nN1mz|&e)1D2kfAzKW&GpUCe>x&oh9;1on%(Q?v~2$Xe(8
zXKsVF4TM9Z<7bbPM2T9cXpda~TwkWl*u?S(2o3WiZ7d7wmLP*+{trJQ&?b=oECiWz
z-_j2YOWz1w--w-adzWTVHL$2BhAY3D63PA+WOh|fE(wyp-4&3t+qcrg9#m`qyuP`m
z{x9pjofPP+nzI8n36lSj-GkQOU)66bwDDg}^~g3G7BCHsb|AO_QF~`b!q2t=!r$K}
zyWb?K;ekOx(K!_HAHRigqK?&lK6kycTFZH!1E8k7~e7LK+b``0@l?)oE3ia
zS+XAl!wC6F?}&zFkni|F$Xd~
zFVA;-%|Fz@6MStC1iK(0gl1|usci@r>AR->0Vg(DyA&o)zjS&*eR&;ywM%U(zidC>
zqd@-rX8FL|hj`=uQ*$&0wE6Qw>}G{fiNQfH#b7~VD#VxHhL6Iq2&wX?7)0@}VQxWc
zFc*mN$yjBnV%cpfxl|DZog-74M%EW^F$LUvt+`>%kO+nJzxJVwHHmVOfIu|`T%wTz
zVbNAi-X~>ACFLbE|HbPZ#u0#k)0NsMBpTR0(}%o_0j@)(S+)U$)a
z)a~C_pqj$vx|qMjC(X95K%@0w$u4GGji&p^0sCyX{{{IWl_eLHN(Dm@zl4A;w~og8
z`N4fR(laFyCe5dJlxGaq-w
zDlE6_%+fCPQxQ)}fD`ZLtO&dRQw_hxOd%UGK+sz~#PlceFTNuA;DR5K299lPnETm0
zAIQpkrcV>yikJ<)f_Q@2m-h|esVS`2wcxJx0ZZ^1M>xqe+o;{UPi^m+T=>^aL4R&C+*m1
zhxC(Ji4GqZUcTKxVTf2^SDuZ|>*`x+@f$_RsQFWg53uaZy8>gx1V=aSFyy-CaLk`%
zJ#I>Nc;wUg--fx(u&y>_Hshe%<$8p(e!kb|dqcW1$M`n4oi2wUuW(hU-j-E2t49vpLQ51F4bS*M@d@|qK
zpy^##`GajeT*XlB;X{4xLj#_ORf2jcwvhoEd)b&aG?XBv$7;d@wMPw#=1J3HE(v4&
z5a&zOYR7+iF0*G+ZODUJ$nSHsl0X6@S>sp6v-5w~AW%d7JKLi%sboj9}4|wYPj8OHi|396OC>VM*8c@Zq|z_=NdtV34~`u9S02zyNDN|@?V*b
zq-ogIxGS_7rmNKIVwY!?#8q8kd7|n&gi=t>qau1c$6s
zZ^ifEc5fuMr+}UY-??X*WPVvNyi^9I0kzok1J|jurFa(XDU$=;Wn~=GOK%ZtNTZv|
zsclyjWaa!>$iHCUECMH_6d_{BYWH_G#26kBEdq^D8kV%AvXSmQa#qe07fR9d!@+9W
zjevkpFXfv?-ik#?vk_TJZ%QHf(Ie*W@~&xb91?g-z9(Iu?5KU&tKM*P6KruyigwcKkz
z#}`^k4`XjK2XKV$H
z5?s1mZHbah2Wx6t0dGW)KtQgl3(MxC^4)sR^0Z{a76O?$Vdbsb$p=d*A9Y29vs7}i
ze$n7^#G@NY=b9?DZ4nX_s^M4XKjyqTw>>Q9sm2E-zS8F+*ox8RNX28wm#d`23Afgc
z*D_1;)<(5S&zCw(wKi(8BA*qAi58^Ns5M!JZu2Bo`1a)!yVI7FGSvoWz0*df8hq$h
zN`s_AvR}zAIB<;&Pym0%xJ}`O5Do&G4CHBqCRw84vd>9Bejw17`F0t*9`dXx2B$jvCC>5ugvhj~pkvDG0+?+vcYW~ZNg2VXJ
z=n351HQShMq+zWHrcL|O#2K#r_g#79GL_in6+ungZ#BaiO2FKC3rHnzkQ)=Ih!;T_SfhlAKY)yw_4e){Xm~XTOx%?LastH8d
zq2pThCr#B|7&EK!O`b!vr@@<%4R$#$sGm_l@&icQvgRxDHxd5$
zZ+pmu^b8eiCMLVxoqJzn5|uZrx5lxH0=;Fr0Te&Mwydg|VXaCGMu9M2a;6#eU@PVe
zPdzXrg^0ZG^(0}>t+uf;G5yZABydY9&vI`R-ykvi&gjb04cb_W$V>EQ{dy+)jL8gW
z4up<+A>*Gz4<{1O?K(8?RV{k2aNiNcMutjtPs{;7exxtp33u(|2heSX2+^$8il8#O
zVTR2|7hj1FZ(OcmpaBQNJ&Q3{qZjc0Ylq3RDtYr)Sz6D?9tPjot_ijHi50#zdD@
z3Gw^Ru@?*6rFb{J8nQ+NxKC8N%-Et7eFJnIckv^W&mM=Am}qMHT_+FdtR0^kLiHI|
z5M`6bSu(|LaJD!+VZ;L7q0tCCZ`{l!Jh)8TwZxqqz8bhr|
zZ~Rf{OP@jTQtrhw6(TvB?y77q1hfTSZ5*VaXmxx}P5NO^oTx6=F-AjpEjojI3a;n4
z@IU*6WNOMf8L)sGH8_X(zG)?q6nT*&a=e!vSoAGoneb{NNcYU3Qywt1Hew)9uX3b0
zM4NKAAa*6YZC(1lUXzvUNG(4c4Q|=mt`8vl-2U>Ig-R}m3EVZ)q~aR8-{g6!4PJ7W
zVM;{{k(AHd|5@l&X+8eeotH}Zwg$O;rs(C~S*&2x{Fv8OCUzk_7tr694qQy?fna8<
z{xI~1mFsCpnZ^sC{u;EJl~Ui<=^f;Ko>5OVA?TJ9px#(}cNqH>{&C@8pIk5M&W0su
zhRxwz`kbV?M9j=cwud
z*|9-tg9V4TK!77EC)9!Xm}7rD?bO-Ahl%v5aMv@xWDsvEdw*jLZ-dHiJo{w#$H5l}FirH`A=0dEo_oafD0vh>_la^#>8uxNjKE;l38T7lVN4gofZQm}x
zV6*2VziKsjhwx@8@x<;6pY*Qvk(}slFn2*Oc?}6V7I`Ny=H6WJT|uPkz)($O(DuIH
zvfy5vf5NOlSqG31>hUmaSm8SiPZ$1z)R@~UP}F3gxdAoHSrZCZ5+d|~Nw|KVgrE8967S5K;kDBcWuBZ}~%IMFQa#Ik}4{
z8fcSZh6|}D{IDQ56k_6o!H^SbdJg{ib4fHK={cK;Et{+vGGb<*LF1mX7`pn((R~kI
zuG;yIu)!7R^BbJEoGZ8q`8!J;Y0++G$%E_ZX{oXpPqADp)(=2z8THx_o-XZ|cvE6^
zq-rWgMP3IRYD{`?q&;+VBt(>AsRtvp{D>(B5B0$&i_cu6Uh%_NbgN_7bjOdqwvU85d3DCf=a6mE~s!eK|5{e#!Gsu$@w~4F7qswn;>=X
z=SSK}boHY6?cSX|EFa%9S!sPFubfRqsLQ?Lu@#wShGAnJ^J}qBbn_eI6h!0`f%}Xp
zm_!Vo0#$#K)dzR;mK9Q8tJXLnCv|F
z_kwoFhccEPzxv|{TL5Zg1HAMU{4d>7{}4ookZOY2Wbs3}bq=iNXnce0kcu!PQ|>C5
zBi%UHfr~Zt-#pAFG1O==wM^n~Uc|_9+5)&zXOwnD5x~S<@z>}D|_fDDs_S#2|~yMQHqc~Ge1^5D%sGex;mkGSguDI
z)k2X?oSd)aNQvGZPPeyeQtJ~Q!tO9!7sPFw8kj7stVSDP>NZU?DF=?ATy$b_x4PTC
zcaoEvF+v*hC6+r6wf!t(Hh{w^Gs+t0wdkM$ut5W?VR_doGsLZpu(;S@^cgHtY$KP_
zf~u>zw0FE4xcCd#4!?Fksv(Fq0k5`_Czs!GtGe*lD;;fZ2pQ;tATL;lczm~T!N_AABeeFH2ND}`Bt{FA
ziKEyn7)ZmXcJB*u>#qNXKqa^rjr)H+Ai4F(;T>%IZ>RIOo{
zmyb>nXlTwk9gnpmjr@4n0%+w9GEvM{vEIw!S6Lem4D40zK_INE_L`Y!mix>1#n7w#
zU4W)x8)_f^3cF*?#EqUfgCSV>qI%;f=IJ%;KI7e3IzGheP+KXHS2w=tQq~-u1QB!^
zmn112arEI``IUk!(iOk!AI;00Bu1}9h*X3#4XvO5uqWI}+tr+Jo&}*pnXqSpqwfaM)?u40w%z=|!{Ei71Zkb&iM8vgwq3^QTGSj`rWi|gUi
zZ1x`{8LW4B=e+I}P>>4=k7Hma;fxVIhUzQBK+lV0#XCWPB9dt^S-)uW?o22T8+Ht4
zEg&Ze%rKCBTSj!B0|9`CDAQ{Ak>
zdS1(BpT-y%J@v_ZFyL0+jlqifOg=?Dti^XEOzKug49R0>?|btW99Xnl;xj1!jZT4J
z-kz~t|FyBu+n?)19Da8H~>q?yaA$9onYv32s@{oE6OL
zx4V=g7aZ`eVPjB*KZsmOwP)|FkFyc($r6K=kyL3{u{3vt#tVVJUEDDdC&GvJs-$d4N!P+}$TL;t9t8DxdpSFY=I}rpYNbbc-
zDO-4F0|s~GOIpWg)U*fXIt)BC(UGbSO~I>7`B^5irH
zSxx%k%|BdyU9BS#)-Xo>Gq>lH0&dqQcTKNM3nL6R%Cp
z%%^S&X<r<-`{sO!oB!A3MX#1o|F@UKFIu7oc3xdyv*PdI$=zsjJ|g6Ryu
z2!wvofiK2?-^X(r@c)E{^Ous=F)fiDJGTV;v)<(!!Qp?
zPIfdFq7gI-@}?3}It+gq=YAd_`6o5(&7}$}#MqB_S&>Dj-2NA1=L{?guqNSS+qP}n
zwr$(CZQHsB_t>^=+qU+;<=%Zmtaz&AwfiGj_e1ZtMo`#44b0H2rCEB-GPyHtZy5QfC+D+j)TVPHQ=X1|iY6Ow;Rp|Ua4_Cp43;RP53Fc;
zsl)C-XTrl2ec%X%haB%>C`Qsxg{PmVibI8VGDc!_&Xni3Jtz}!p5bvw@uXJEzoA4v
zbl6T!o<6p`zTD%b_><`z5^{O!NLYx^dE+
z@4Et`@%exJU0C2FN*B!7aFq-@z$mhce~QY*Zsic7UN9YMS7=U+-Ii<1HTPseKkiHh
z-@v^E|Hgg;r2SZJM)d)tQ~UaEC_ckq9vZnnNzTP@be>T}9^F#XARC}<@73|k8=DoV
zU(W)VS;^Or0eO{72U`^gsQe6567gBR-SCat+wPTTVp@He2-8I%n#t375t%+it)r&t
z^$ev?PDe?C#k(Mv`pmI@c+JU%W=V#R6lwK6U*ZPlSK=hhJV%?n$%p>UcG
zEfCh5iny0#_Tm%;JWl&5d@B9>ekd0gbeRlVGh^z7+M0*aiq>z~bsF5zaZD12*~dJ<*!IV7Db$&w}Z*O-uh
zl7Bc`Y=T9x!$q>Eak?XTE012XK&gW)pq#k(u3@FJA8(Z8j9F{$_gOzS->!O|JJd%D
zc)sZ+R-FC^sFOf{#7tOHThp>R-X~!q8M!5cY4xDu(0e96t=n#45fS6>9#c`frw?z>
zzSVlT)3}sTkjp9XLBxC(!U-V4fL;V5(ZBY-)#V8$2d42zUP%(z#LtJ_IEMse_Zv4q
z8t9&jW9#$LOC$^}8DEABlv%X7G)j><%5^_cGRzK6Y!CBnhwmSPQ1?ZCkLo0VhR*Eh
zqW4dkcRr6jsgFk05O~{kxA&(up9$T1>~!Mdpn0#ptI6`z7&u<#>oYcZFjgR0d6S53
zEFL8n1BwG4Pm2$|`onJ_-O6qmRm;$}8pzL)YD!=dXmh?IjzQURI5I>F*2Z@p&pyll7yR#YxX)ym)f6V#b_sNg~y59
zJO1nSotzQ^Sf5vYY-Y9sD)X)`kk!9>*1vk
zVog7HqbD}6lLx8N5ae97Vl$dpfeMAbD4L_+3#0w|2(@@ZW9>5s&Tx-x0ot(YUd4Tr
zvfwE;!&RXeZjNR6Q$=u!_|%5T;tYc?5e!futmV*imZtF=blqUIsGl2~N+M`s{P$>-
zG=oR(#Su#j6UxkLBYqy1?>2%R594GeCRd{uf>
z5ac6MThFh5JOVt3pLuSF_)|XqYJ(l=Sxz(khH=*{x}OOEm-hqWhUkkm
z~!M<_f0)6%9aG(
zJ-#lQx2GJ>pf!59Q@L|J5NF<#oUjaif$coJo@yJ5YLLJfwT1SX3{ZXe&ePx0s4001
zU)*hRYl$Rp6?Z%0b|uY&L?z_)Fr+VoMSL_2X9syrcDX7W!`*B*UM;|sMak`*Yfz_|
z>wGxdvYObV`E!(f3yD`fDOAF#fb2?s*91*{Msi_2LKlE+qRU-f>40eJH!(YOOI!Q0
zIas1VUnp8Qoyg#InQKN(OP
zBp%ScE-oeOHOdJb`S3LgZQUkagFi~_uf(jQ0LS)2dh(Nq2rR?1FBb5*}OopmkK
zM-<@zS_F%oAa0h+h>mr(t$imw*d`KA_998K=0{iDHV|vAgjZRNi+jP>$Dfor(iTDY
zMoZJnd>FqwvKEw6pz+?szavN0)D->31531y-F^|`Rx3Gsk$FyQi@P2aNLjz?SiWkh
zAf#mkJsXI5Y;Hft4bnQEVabjV-TURCaKb-jw>H1ytalEt<1L;}g3nw#iF+V$@M%Tj
zkU?O=P~$F+?Ike4TjD-fS8Wp+yAAph_KrSf
zvJd3mllO|n*n-*zD9r)
zFvr5A8Z&|QSBqr5y1Y80q4U(^Kw9TwA$h)Wd>O0N;2sAlHd^Li4oLGc)1^6VND5Po
zr3eVzqxoixlt>Fdi+@d}^Q6{s$G~pd`C2P9(Q|ois>Joo()vyxiq@OP3Hba&kWL$K
zpEG>s3ywi~sz^jI`o-()RKfNNB*x1m;HcIlFcUl0lqh?Jelj0oUh?(CD>#>210
z$e*aoOngayaq4BJrCHT0b@kd_cclpscC=~S+L~y>rzmF-5b376D_-TZ7&lwYN)NXD-2Z!y0%avq)@SQ(k66_eZ?_n>PL@b<
z3Whj?p+B%Do<6VtB2Rtk?8z_>o)P42obBxc+jt&(aE6-=KP@M30=*)I^(yMEZ@OZ3
zOY;CyKiy~V@!H~u`K)Fy@#*HfQ@_`ylyYRVf(f#YoX$Lvv!dP-#(_YTr@y0
z9Ys%XvA!uw11$_hYtJ&=$kt;D@i>)F(}w1*{T=Me_T@j@D@lkY8ksLgaAzUAed7#Q
zV2Y}dqNq0Y<4j6WSWnCoDBGSRNs#RMRQ5$I>~ZU
z23tY?gl|8CA}Qs}wA1iXt(PfhHBXhDW{IzRAc!7crwGfy2AOf2oc=aydh$N5#MWIz
zAzX>(KC{gchO0!=Y=)}ETeWcwkCK@YOry{MA3DD0}>_-%y3BS
zb>u`P6oZ0U3zzJocVGhHCsKYCaY4GYmTEy;1YBS07yh#UuLi8_VNY;e7vH|4_qb*_
zL`41N4QEUHOJ|<9Zc5?UAzW-a!eyue3p~P(a#QjWs$KY?n@UQWKDmA69VJ6U#(^%9
zjZ4CKr6O&6{WCC36~Y>JA8+~Rvr)<@{{%03i|x%*niQh$LCI2kV<-EnQn}!v<5F>hAe9S>fa^SW0_KE
zB%$QR0xv;UfWPRzDonqBYz8xg(!{2Woi%S}Z*A+L_lzesMlc#E`$J@>&K6qFU`-OJ
ze5DAVZ(UXzS@JOO2c%~+f=77DdwKAb%~Wr0H5l*qSABi!N=;idKtZvPBjE3B^u$2@
zd{;c;*xQw8d)l)=PhT4-Lij&HRJcHFEV5-C1~zDprf{XN(?NA;K=Gg763LYOHQY4a
z$8E#p0v*-3E>ZmFp76a10CMpy0#bcqT(Od8ME`L19q+Um-rpd(&g=+s*IS)&tkG(h
z)`m{U(cE%X-dX6g;htXzG&dD%H$@Vq!I48JW@>Lwo8o;XC8$5wC=Oie-!0$|X_p=)
z=Y2L&kw~Oc))ASiX|NSW2JxkdV*oljOrY_}HD6p|YjQ;7c=5$x>usqQxQ_>%D0}O~
z&=Kl;Jk+}$(Gx8xqwRkfd-N8%3+%pX$ec8=DI#S5jxGc34s|1l<|<=>>to(&*Ts&#w>m!-9p_lz$3lxmKK=BW1Wo3805Wv~IF
zwk%SYn90X|cXF@Uhk7%8{$zb#a*gsbzn6+A>;|k-Br7=#JuHk-F(kZ&y?43o<1Rnh
zS+hT9H|x44H*~XVfN%
z4ZMr-IeZD!$GfUA0YjFzH&RTyAX*DvcJPvns_DJh)kn{7n%uv|;dV!}>e-rMq<9y!v~|0BRKkfR%`2cJRke`WKF@Vn^Ds5~VntVN3=vljUhx74a-snIVZ>Y$!75=&
zk$cstmXv@0lZ#OT#|?8_r>5<}^E}h<-keGsp+vwlE0Mjb$EiFa-diR@!ay=pbp*CD
zV;G^x#7hogMd!+BmUP@VrCLhCt=;Quj7H4cv0$`OzjRqp4%}9wZ(?v_vH*d^W}OFH
zSi`n8@M_IaQ$}Mu5F#9ZjHV3d%4k_)8=VZ^G$p8ALJj_CbDLbk=-pYM|Bi>xJ&RnD
z(%L**g)P>mUtCh%Aag`Ie5|Tj`H4QVl?}xs)W>;zNU<-{k`qa%!KCpC3(PQ@^?)!s
zwL#E1nAwXVjn*+|TQZ)bwVDjfuSKPZDeANpqxBJCoz(w554DNCi+QCEH#;#H;vn~U++1`>Xc7f
z!MN9wEh~s8^|lN_EK%nt$M2BiI=AD8%lnT^dcUg4txTeJA5F6H0rXbA%DUW`qTJ_P
z#R5N&eAb*<@EfGgONDxt5u!Z0d1cP`XQ~?CkrIO2vdS{iCpIV0QFdo!YTiyz<)2kM_I5RJ)>}BlP=^9;WMoxVRv$Xr?JOAP!*CvOfc%oe3NoFWq{!8KeQ9?W
z%L54cUWa(YXWlSu@67Co(Mj})!vMM2y*bX`P`C1#H-xl|;L@aSf%sco52K&Sc7&pE
zGG?$!{1598mwf|+#Ma1r_7w$MLw&g9fLE$EETW~4tfr>6;YJP0AJYyqr#|j`^xN)>
ziQvd&I+Y5ux({8wmyVIG5{5_XX8FkyleLvusW<73d~6;L@7PBp%D5h%7o7GrGa&SK
z(#xf<%xY4BJnU?OrwMi63Dx3_W)gDv)K^n(iaV|R`gWMo8%A!=;<=rSY@Obu>EX|{
zcWqw$((tJT;TCnQVM*iG8)#w4GVHhHGCo+8@UlX}EKC2@K#hU0qm&$KSqX9T&9BM<
zn-9X7n8?!KzWM$n&0j|zXkl|yANavT_n__BxhJygibAKYR%h2mV0Fx0%A*RW$sBu0
z;SSMlzLx>;&-;1^;($5>o?}z<;pe*f7ggyEszJO)LH4jl#Uv=71J=9GDD=%kFji~7
zuI-=g8?HUYO|kn?bk+1%6X4RJkcI*2WpRFo_i|2bzAYc7iWS{W*_U(Np+4#-`hB6e
z&K8vOvPf5Td$G(+CqEF){z++awVaLn6anF$6g8iW1si^~cM~SlAZqbVL<)UFQp8&m
z>0_2t)PCiwoL3>ir!|%~LVKmfyC8AL-6&gWGj6LC{VJ_7NhVNAZIBs%u=4R#lP
z6Jhm@*C`i`2KVGW0~S%Xgc6nqpnoN|j;CTuxgw?-
zxRc3v3}s6-gvxtN+NG6fDAqhz=~@aLzSKyFQK0HNM(#R3rjFG&uKx_f0lIs(t%$+O
z%mo&uzj`w&h!y$r#ZBU(+>)LY6jxJIcfvk=${?hD!BHJ&$
z9U$eR39e}Pe(cec_q=z|H?aX7)5&%wF>(1N?-W@@BqXhDuHt8@B;ofsK8+;|QQ!(O
z2M>C1st@3LqX6&N9w--kW52SFm*z0ptI+h1FwOQ3DXV!)HM21Bq_8azossqrz8pup
zV`r|~$2|&rG&83gs9h_3nyN_>Vm}r73Y)O&eHV7E7gTWhG-!1n1@lig()T>|g{>M=
zP3bgUrLjV6`!<~|9DVo@xqMn6_6DwDnv@IxA#Q-4~z7F4S$`@PGu(P!Q4k?!JLI
z^ro+p+*~Xt$%y&lE>z&)&EgbSUCc2OMc6&MzU$|eS@CH~bkILU5?y~OS8Kb5mt&!{
z+rI|hc|R}3-J>fhv(BS1E+oB{O!_K^5BW2WGV=tW?LU9H@2
zxCe~!G7FpWjts*eo0B!IA}jA)AV)7lalfJgXgu?t8UAsP3wH0w+u5j0;}tIieh?(N
z_?2u&UiS=81Vt^rtApkhh^Vxg8!(Q&3&zY
zo@|TQsV46A4+53ZpI3pim=9UqHmjcVjGd;(_KjjI$bv!GLoJ>+xlgl&dh~`GNsjc6sw*ZR
zs>;^ko%a`(=~fy^lY=cWEw`wYnxPvlm%n%kdGQ!-
zUc-xm%-q6Ps8$lPGXBmFQDcP2JA#+z*AnzoP!65+Qy87hHsK&TeCQw3c?^V{JPvlX
zs9|@wdhY0-rR)@Nj3o4%22u$}w~J6NDD0#$Io*iIT#I9O5&y)vFh$*jMiecZaO5*M
zVcz1szw|Db-1RaO+|z|HX!Y`k0Da4caAEk;>0}IS*xJLJ`rAG~a`;g~Px)&Blr&2O
zKCf%h4^;l>54b>NTh-@&Eh$+>2vu`phn5F7lnR^Q}zl<|8$s|MS#u5li`TGu3Bt_34l^)
z7r}rGgIFnX_Eua>Rh$Zgi`;oF?=T$xMS7jvtdys;`c4S>;2?7j6Mj?^@f8#Ct;R5~
z(ECYV=6lAG269Oti=3C!<8}Q@Ya|BU1e}mex-@93Rj0now-`@h;Si4)Z!BA@sg-88#MTNBpGB-
zo86wkLWV212YRMOfb)>Y%FIGnowDgHds7jK}4lzD+CTk4*=
z0@^lR+SYT+P@Iyf+r1|k+a6gRVlWkZ^YC@cS`D;N8DZz@Lp+T7qiYYMqV?7enEqR0bNn?2pw^0XU^Eh9A9A!>6k<#qYyjl
zs#;ud7iCR6wf8N+CJ5C){TYxpd_!;sI{b6MVE}A@*1IU(dx_&>dPXQ1Nqac^t~96D=`mM)fJuVns{cC8MwcJ
zGqU(>Xj@r}Jdu9%+fNx7*iDn8pT7P}
z4ZZLE^-BK8AuZJhuy-flIp(!?P2bfym^^Vk>XmZj$Y+P7CqQfxg>iW@oMp})_3y%c
zDz!Q_a>YDjQ)54A0HT`NoGp&_Ckx|qYH+98_gc!cu@sEDcLX*k+iqR$hEAJ?*x5L8*GCDskg;sZ1iy0-C3E{?ZL2j7d$d
z0Qp;lEq5KYU`yn~MNCKq=UD9R8=!hdm-^Z^mlV{o$MKzh>anFMAz!Fzg_B$8SbQwM
zs?V5q1|RdKOjoNx+?03N?$>jIwIC|phHr&?dOOcZ>r<0c=0t(V%v@K{nn;v9#gY>F
z2p22}Rw=mCURVd)dccQC)=xnUDdkEM=#NkkZs@&tykV+~9`pH=bied$kkM9X
zZb*}g9j`)|#K}TD@bvsy=&_9S7e7W%&#|IBLpg*b5vH^pAFwn^g2yzKn%B{`0oRk(W1Ri^08Ip
zbQh-X*FbKy_@?WbI-!~cQ!uu7xp@#izRhYF@r~g&6%SIf^7g^l3aeeG0f;N>D+5v3
zoW9xY^Q<%2A&KG_olOxP>1-j3%~W(_%d_c
zvAXPQs*_AN9<6KP#7fh0lZ$>St78DP^+Z|cNCil`EWrOhz<78V6muy2%K=~29Aya^q);Qdf
zWR*LCvrz?~mCunGRM}>~S~9_?zfl6M;{@W87U~=MyOh5CEiP^R;wXAKF#=l{5
zsZHumVEHM3j$LOKN{O7JiZi=})M}y9Y~Vwth}vD06gPSYvh_(J6t_{AYp^l@{&;}7
z@Uh>*ftHt^<|DW~Pr4hEAt82HLh-dn?fcaW-~D+jODKEBFn9Mlt?8H_
zCvc%*{1==*{frwwF<@H_xyfum*nB5^ma}XjjfE)|4xg?%yJNyMk5flV0{Fh5+F}e2
zBm`|%+Ih9s_cr1MicotDMz`|N16^N6Wi;iohx{bn+~(42RS;O+2}kv_yaz;kB?g(g|RL%w!{Zp_y^WjIP59(Pvh5gRUOyO
zYg25c{$YJ!(`&8NN$tV}!Q+
z*;??k!C2ckn{|UHuzolih2RWeIE@Zq9jlYn$7)8H*(a`3fdIHc
zPSq(lhJoX+4Z%zEZEy&wEOkC1*G!M@m)8D
zsTLYlO83^6^65m7Cgowr`@%ClL?LUB=^yGT96w`78
zbREeE4VQX%tW^|SCU@sL7|=@C=R@^}NFT5@JnG^WXbsocjEef!bEH%z^Au37qK89qE21=suoD)1uvBzW6wG
zQklA;%9xm9<+kKL2v3+j0@$@fkY*ZEWSmPtdCfuR4r>@ItnR-bn9;tOoR2r<--3-6
z1L+KXK~z=58XjCsX@bWYsh#K?pO4k$Vl=g#C@shFNt)3I5Y6Z$+^FjM*S_P^+Mr;}
z=*}zoV@I~tr(yYLdNPgt(}Fg7fA5<&!j82t3(gFrrE(8mBvwkN_pXKDI>~Ho;X9wr
zM#1qIj_*{XI%ZH*>XQrG^vlnJT%4y-6NsPrV)=vh&LCpO&udaU$L8Fs3wgWw1FSS!
z(QY7$*9}ATw$_*G%-ZAiw;oD5Zm8`k_(a$IUl@w4r$mSH^~A*)Yqw`N%*r~nr0=CA
z;GnJyP%{YXM`$H^gwb=-GqL@~qK1Vl8b^Xz#vBVNjjOJa)8|iwK0&?hE|eu9UdI86
zPvB&)&9s>tYd1^0szG(%|1x-mxQ^&ZZQmK#@d
zR4!Z;z^%3SGmopXnNT2p#FKR4rjUix;`GA;%#J!P85!S`3-``1XMa~)G@Dub830nu
zSdx;8wG-lE>CO{w(&kHnh$tC^ggTTvtRaepJ20hI&ywtVs&8+;!B0PUP8CjO_1bdh
zCiZR93?!&u482l5NhwPyH{_#vtU?8y{3e1akt-ivX^HeD_>vRpzy6K)Y;$X~Kn)~0
z6>w~S&V_TIsD2Yd<{8-X6>M4z(3H|pXG{}tom03-#IaWiJlDq0S}&@(9;F(rz(Z9&
zGYpfg%K>@<&jxsbm;Y_YOT@lmI`aGmia+a1zdYlX3K)w5qm)$%SMV4lf
z{|(o9f?I{e@N}691^h6u!GgTa8Cs5Pi4jyvKCfS-HQUH7D{i@F9}CHMvx+J#Se!!|
z^U9sE`!`1n{8wU3B4F2S3rjK;y{~&-1Qu5;hVoS&YvKnJA_FE|5I8p|XS=C}(g9}z
zratnW|FfgxP+>7Ml1^OqA-Fu2_@`rnK!fqxaZj_Fll)1M%R~p~OR`5)*Y$Tedw-`^
zGd#pP&)8waf-lnUSE0a9<;jN*Eh+n1OdrXeCEbA@)7G%KMj
zceb}35y{TX!77uH`>LV`BknXi*g+x>r(9t@6f!OjmN2V~emdnk|Y_RK9sXUUX38g)a)VXWEqwX~z+GG15YPzZ4
z`t`pf!J|X?i^u?OOUuIef}bjshk>!VkoNu)>MM2FjUazJ8QYfjag#HKKhd5e?yJ)=
z6!)R5RS+Y9kNZ#%fC^rGXjZ)~5)Q{xj>NjgzJuQ$>SU${wF4dJx>FK)Vf8gD{K=Ko
zJRgFotlre>Yr!;tdd;1bP@iib`D*)HxUGWL%sqa<^h2406KUpsVn6OuciiY5Qr0eY
z^l(&_EkPx$(E`W0GzIZW6d23+BCSwWM{IWwydy{9q?L}=sML3
z7q}$7L6TjVo$9LmJ(F=-lTE1K-5S<3w7IhGX9Xd%wuDLF7!U}@Su{Qfe24ZK^t|Ok
zS0?r%N8vH#{MG9_TxOi%t
z%FD@bC+*cQvQ*11Q^q2{H@beb1m)9bac#IqWO#=!>GvQVFI70crt5o%z&aSkcs|;b8aZzf!=@qUZ6h8
z8>doy2w!#A!OUy)SnpsJNlkZN7E}Us<7++n@omO2>-3jIS)A6$kT7uzvHjArFH6|T
zhtt4b9T}uMF#){~>-pT}LI2lP%N`X4!Yld}VWCT%P^xRjHAKlO6n4FUWqZXn|L
z;=&bj83eXb*&MUZW}WA#F+_Q;TeTvatk!8N3kc~J&lUO6ES9`&Hs{{dD{Q$(obH>@
z|B{`VYd}IINe|;er_5LiH=h^3OW|5!>}amnw*7~5IyVBERGw3*LsmL*lU`rh(-H(OWl6h;?-iMS!!
zMWktq-MqEkj+Ok?>X8s&Zb7`cW8zc$f%SpWrMp*+rqvrJr4GnC%TVNv
z7$8Jvm1P!5e5o*M0M8!sIthd=zs2FoKqjaQUZAxS`beS=2*N@0WAJ8>cF|ieG%9(<
zW=Z;kx#eOiaTp6G+WSF#I$-=A&C1$znBGB*V>7iCYf?{YDgp74y>p(gy-p0ueZm(y
zeGt3UwKg#ohB>Gg-;cc8&B6r>wE1wl;VZ>(`_y^fT;r~6M@JTc@znp%e!>HU=hK{D
z{7dVxwZZqfQw%_rc3RT5^{(KE`#7(zg~6>^bNmKi61ezxvO0nqTASOvJ{MZ27P1P)
zwy?z|e<~@_L=O!l@uPqaPUu@K#~%lWBJig}Je
zO?t%2F@;9NsX-2ecq#lloX!h;4Rcjh*vyksmdNTXhA=H3m>OZ{JcC;YN|f8PDU1*4
z^A^QeemNkK9_AjH$(4+BzIVhpjH6Uggd~hfPAaYc-)}iRT=Q>2qGnonSx0~
z(#=ADlQmTC3VFp)wCY&C%b^3^Jx5um=VdysF9u6aKIIcifz1~sh%FGt&)QSX2OB*@nc(oWZCGT(wK(?-NX8c`uLK
z;$Toujx@7=$h6YyMZ3e^g<$6v{(gJyFTId=tl
z;%9Cgr{n_}3A?{&QH~%^pAS<*A-?fDiFo8)d-3O6?dCH#(z|zO(4Y4i)Zp;9tWjJ$6`PB`$enM9=etDKT;|d{k58<|oG$f`d#G=bbf@&R%X}+#G
zvTigWj@~MC1w#K2X`F%Xfz(2xYHvNz_g7)aX>IKs`1OFn&AnWzN$M}-
zoN0enYoBhFF-DEfRZ1(B)8%?5HQ7?+Uz03>u8I$m2sNR9@KvF5Q-S|WWUd|Y?sT?W;cR*79dvnPmm08m+9-jB74^6JWMOjcy2p5$Zt;rCje0k{Kv!ee=7DdPwtJr+EhVTBL?l!V4I#!
z&=_0eCF&~W0rT*v)od-38$+~Mi$Uo_2C}_(uxvu!KD1dWnWJ1?0$f%&1aeb-tUiW=
z?cUrTHw}YNVN8_ueha%Xy@8!Y*E(cd6Gkv@exz-S{JW`7&perf5243vu#{OM4Z&~e
zuEy_!_aOBr>k&GfCRnjY6=x0)R)e$C|`Te#JXP{bv!
zCDB`ro_#^sfiovlG5K#!Z%I>w>y{a19P4h7*zon~5>(WDpKLX>xYS2S%`qI2)5y*e
zYZS1$cxQadw5Drlkhk#Kz><5W?QQkt^J{%6yx)vc0pP-J&2%QMJ1yPtmB>ewQN4Ey
z$n4|hVcl#a2f;TVV+g?k~Qog3;1P
zb>H-6HhxK6Ip2Jd2fz!h+Wa|b&Feh%XC0_LICB7-^i%Qh#gsPWYRP<+*lk!f$M7DN
z%Mj;@;=z@%TXH_b6887o;|ztv(X}!uJFN{qs+_4utG0UzbJ$-yg^0V){W|5)Etbd#
zCVaQe+wCKt{a#fyD05Ir>o>_=Sp>sZimaK^a*^qP_p1b5Z&afzzH}p_>{C|3GCDGE
zfdZ9TPV{6F5z-_y*hZ5ikV*w#poTi!8D;hJJjW#Z2S}0kW~)%f*wd&kj%GHqhK5-y}08f5_B~<
z-*v&rIC53Y{6Z)C(|4W@W4g>0La-HVN|^F4uP_e=Cf=#T9_Gms^!<)$f7bxXQsA%k
zNq=;@f&(fTO=ri0s|28WcDptE675jAJDz;JkgQ}6Ns)G`zr($Z^%a1y*H`#_jU=VM
z3+Fu$SCxq%^i6KM@KnP*W@8>Tv0-L5ngO1jqmRobPy?WnuaM;v73nRdlxhvcmLl^9mf^z(L;J+{|&rc7i~p?cLb*^R{t^?4fND
zYB)eXxaK+E5}t0o-m+ti)u=M9>Zn@VV<;q2Rx?IsaAyFK;tJHt*i6-Y0eFI{f_oz)
zU{fbk%`HsN3}N=oOifHgN{Eu4z_2(ry8%RIw*kEa^3MNffca6gHv#~wJ~L8wFRUH5=dJkB*5Vio$Q?*+t^wje~^QN
zBQNI5_!o(00{$g4Yk|X~Ygqw6PT&+s(+vD)8tnnHX#rc{3IHe{=Qeifdsy5
zGXbG2_h0&71mOOLP)k%qS6os^*Ef8v0|&tF!MV6K{3yTlwkZZ@0_s%;3e)D`Uj0%6
z6f`@zx*nMu-rwCBw757snz}i(n7B24hUa&rHbeIf_OGJ>{M^7a0sj!kV2|O@lvktP
z=|leHKnd(@z(6vOy8_(G
z?9PnN4juN&Pk|hr9DJv<{kGdOgC|5cM^{hwG64ait+@5^U+MnjWU`*&X9qi=)9NG$&&#h<*8Q^^*;$XOqsM_CWz~
z0S4rmsnPgD{VdY^PuciS84!N?;Nao_qLI1L3GiD(6TD#;#YabSBkWyVfjvFGd++lj
z5@EylZEZ}UZe8p-3VxAy!i)_7_Px?GXN>>Seaj=y{V-R#>~XTX1FU-jP6eVx&_u!2
z?xhuc|C%rSRHv0>=jIkg@+Q3eT72xrk-eHVI6=+kNS@!MFU;^th-Uj0~4Z-_2z
zAY0VhTw9qv(_8+UraQ6%zVT0g}zkkm*I#
z?CBYt9ss@72V!sHoW0Bcs|L;x{I_F-fa2_G{Jw#H%=_6uCucwnk)Mp8&^ADtqPht1
zKBAW>4?voOx(N6_qI>(HK`4X7f5MNjra&?iM-QGGfpdWad(7t}z`ir)XE7ypqS{*zkt{FDCqkM#SW
z$mJ*Y?cb`8$T4%Y8v%@CZgdNgSHiD+*Q+MSAdGyMdt`HM^hw2*krjDqjptBu-iwG$
z-c~~Cfe_&D86a!+E2d-M&kWA(K>gDRb&4O|{Y{O{rpBQ9*h`?nzGn?~_w$PxuMSRE
z&);S(t5c(A`4j2r#N6P$O{`()@VK72_M3{?B^<3j23KZf_^lOr2=C%gJ3RtOXL6sF
zbSd8!oc*W|*-x0}FL<}3_pkPSc79@V9tz@P64<8k2Rew|{1F`_Kj~T@fhKQTA3^4|
zZn{2jyxZ&qC_Jd|@Oza@11VgcY0n`1R|Cv`|yrL(*~c8e+^u1-*3go>C8v^JOAY0
zhQQ-*X&*L+Cu_l4eu%T5^fes=cXaDn^*Dn_ovWW4EH*ZW(p4axz3UDwPT*fFzIvKk
zJUD;Q0Oz*u7p}Gw{#!;mGq@RlYiK@>*ME2A9pAeFm$URp4^eyZ{O?H7uhixaWcCG*
zy%=Aow12)%Wsmd487?oIzxnGNehpaF&B3(`(waHno}cN_L6OzXt>t;u?jDn2ZNUA%
zZsoy#6$37w=YQ3kDk_4@;gQKbm@?M-)nTy7H4q)>@87<~Yu0;r%6>fEg2|u#@AK6$
z0T9k0S%h`6+!>G|S|s1Gv@Yls88pF!hev&M0;wx#vBA4j_}1k@=<_;7;ZUexY~aQU
z=v)%gPuTC|p+Hcrl|c{JcBb^3#B4rjxCt1K};!Vz*1b37I7y|
zjxJLi8*9ggYPM_OsxmpS_YqVM98lQv~sQj
zTzuO{<04tkQ8kP58E4>!ag#$`ug(WH0%K^9ykZKr$M<>%lM1@swLS|SAA7q3dYRGEcnH$$>`c8NV9Nam#hjF=zdOfKb7s#@-E<9
zu3bkE@>}?>7gH@Jm7toz8+@m99+8QoL|V)94Jf-wItL|3lHUvVV=az8A(L
zZf^!ls3imegorhPy19FgII$Q&Z}*51Eq3-3JKJ#N8F6QV4v`178#WxD9Qe_tvv
ziJR|DejQZf@mvptSmpFU6ZZ#>WMoFJiY2{rA)+|!DY<@U`7((DJEe^}G{OZE_IXKS
z3-cWOF>maQ?PHSS=-3@WvMDWLU(gx6kPH4`d?CI7ESC8LZq#
zu4xm17z`J7NgSWt4Nz{0n8|!TbAwCZ1L7{^N`&Atw$jb8c2`-rNlXdC04GMjs*WPu
z$HmoTsr2T@nBti<<^hns_E`$rapg0T$$sa1HyhBdS*}!hrOCDG1tzVs`i6w^+*N>eD-Ow?bDDyZHl}
z`OONXgMY-Py!$a3J<(#lq)DOw%yKG=(Fy}&arp5*&zVrC32;3jv|*%VOK6RWZe=qE
zf=92?No?`k&tpT8^v{?Kt|;t_x5K#qPE$~VzvOX`=1f{qbBu1}*tzhdX+-5idyD^q
zSFlyc`m@sb{jJH`*jqWpQ+58+#112=r9#q4MmWFLEB%&(U=KbcP(bJTHKnN|^7d6R6-NPYd
zmaOKzmu##<*w`;9Fw$#U57hkSjAI6Zn8{L*MLq)_YFMIx&VxD~;3B;3qNEhJme|rAb=+;B7diuoG_rY3N|EV9c8|%~jpk8tJMaOQ8
zZrF1x>&Q(`+$9@#@_7@9=~0zQ_9l|`2!51~mYd1@z3f;L$aTc82q|x=UmDKu&O^|i
zo}-VOKqBtgd+Kk{IHz|s6*N9vTxS~E(A+#ga@(LiUWB8lmyplgG&2Vb3!*a
zMtP1;3(IaEJMmQ6Z15oTj!=H1JyM?S4n2u34?Ot~zqk4@ra&B=i{w53WiNZF3-(>g
z#iJw7Al*kC?75w*EN&~p;==dcLgMVgk=5deL#aKIdacjQc2T7$CNxQIC9G!@95+F-^5-RTpxel*-(a))=zR=e%I-_{KE&hdIqM{GxJPU@rfN<3`q%fXbE7k9+@cc9Atnwu!
z?JS23Q@1G=rb{$}Qe7-T)&COa-pBh4$8#$QBlEEDB|lff-e
zdF+csnz)TySM&`N6&CJy+sRWly2^xNrME(dSuMW|)6VeX@yRUlMFqor0uwp6AYOj0
zqQXMI!GV8LfrnEkk(FFmCxVaBSg>UYT|FdtYEkV7D1&TttM{8)s+m>WE)m=>P&z9D
z4n#gh+wn&87MSxib%)gY#ySpUZ&xk)e^V8U(?`lGba)+gm*Eix`BAW6CwW}&-Q+FG7fGBn@i`BgD(X4clC3Nm>r|4&__h4TfgaNI{foPS8p!dPe!33%zI$MBH}K)P
z;B@3O=|F=wr$rWIxkk?gOqX^WPcUt@>JJ;SH&~F9AKf@8rkp|K-O@>>A0V`$Qpy+v
z3=5&zN-}D76JFrAJy~)eE>%zW_n$M!IJeIfesAnc_QdJgc!iJPCrAXx<;A4qADx(AOIlf~A5e>J%ew_l+Jy`>Lo+Eq
z$vP!|E88&JuS)kGKQW8X?^&QnX_mWe6QCcJA=z4ABI|Tg@Nm7WH
z8h!2nGb**y=MUPxF>Zu>sM+*;tMh3a
zp;i77K|eIVcp{DC{7&>$$b>tt^ZnqOxI7XjjDFPR+ukmYNKY3hv>mTWHLLtWRChud
z(ej!y;eg&=4onH&ambz)W|qP}xei{5RnD7+7{Y`$QZ*VgG~&9MFfMF_nbL?zC8Emm
zklqK(Dp*N*XCwbhp?Aau)y8kXT?_fe1K?`c1hAY~bz9axR2@&ns|E`gq_eu5jV6?5
z8aG(m;xukX1<%;pv!}OLR%ag3ZKQiKa}dZ&MLG|OYHQK-u;3n8-hPcA(HUO_nLDoTJh{LGF0cNS%oy!KbaZK)JcI6g(HaQcPvyvBwplQO$b*orZZ_D4csLk7L;#(W;C#)z2J{68J%>e
z8cnD2oQAr=awpIS-qXIfAPhx4k-I#kTc?dCs%`%szL>tIx^YtFbD{V#H#l_PD^I4c
zd*Kv2GP6i8n<4L((N+o$vM+F(tCw5;@u*@IFv_LPPc&`)hFI}2Ry2|QA-sWH_bmlU
zym*u~VbTjmW6bR1AW`0ImIJ3aw{A}}`=)f9g`e9+97w}O{&ZDJ%kJnFRUg=Z@%w979nw~C
zFtXjq?Ass`G)vpPJT^gD8p4@y)r{`ju$EozvVP)|1`>4$dZyZu`xl$6!-56RVo5>V
zpIskY<&PSl&?s#1=-$&iBRfCpeC%aWI&ZjmSHI3BgdrgpARy7tqzVN-WDy_jX-
zc+|=Y9~N=)N8rf%Hk1#-m0=w^u5{Pr=ys#>{UPL3TgZA#Gm=)FijcAyr>(q!Nm)^`<30pc#&XQLR|BCQm|F{3
z-zmw&PwJB0&^E>5)2#+4oj4s={-~NN(v_C3*R@&o5W1V1PS+C-cuRcBrE*jmkiwl7M`paDrZ)RY`RnU9f%c%B;_o3a?l$oS
zC=;}WZETTZD|Hd4hE5)gpUCF3Fe+9zl4e;w<`=j3Ji9z$hnCPHDX~X!tzEOR_FN+u
zqOi^${l;xq*|P`JF9knTel^xS~%_wMa&S(;-o`AYVF-w
zQJh-;LO=DdnJ(U)9rqt{zJl~al0t@FCrHvV{dkKGRL{m$Mn+2f5=&-G30{|P*tm(I
zy5eqSpoh?H9U><^u1gsMWojO@8*b1^WQu2-$>kk?o(7DrJmpQWmmUVJcu6|(=YREH
zL)e^9i;bgbFIas*Tp|BBNU;`Z&8CCvxo&vDDUc-fS=nBhn+96Kf&@u7w?d3P-#EA$
zHI_)e*0JVYzmhFyyVPX?jXH8&EuELm`p}{F4yQ1a57#4mkKzr_sg1&(zkW?<7ePXK
zL!^SU(O9tRdg&+zrAQmSk;hix3w5UA@dj6$!-HBnv~=c+(dV@nXFS35IQ7a=>YV5U*3i6Ba%%PKZmoB)A`Vc*Oth^9cTANv$q&{
zK~ZpiDoce@J~?!x;<7CH2xZDcTdlb7WUJ749J2cniMw3YbuYBZbuln%PDPZSv-8Wb
zbV@8~>+QD_h|q-}W{GItH+l1haiv|5l!!|3@`pP3%|P`Z;e=(ea+H`EYlp14o^r5Q
zaae)e!7Dl+b`JyQK_^4rj;WaxWuGBD_-!L3W!_}LnsVqewG5+5oNf+fdpxuz!aokx
zYulU|$#_c%7MHX`QJ8o?v!V}$K=X-@#&xU~lvkkMuNYb%@UN`HRu
z8X+!x#8{DqtNtwG6n;d|M2a%*Kx{V1Ag%bFRew8Iy$m1CHYN{mvT&bLw7Gy953^EO
z8YBM*1@n>T)e{!P*rx#>l2#q3;Oh--My5IhsjLEofr`!uI$B&0O0ygBp=qswj|C9%
z0zN?OsuM0Wi6eJA*>&bF{Bw;7HLp#!$jjv2vq8`nH$7BJB{RM+`ASai8zo{!lNoIg
zS*FIZB4w0L{o#`tp(fV#@>U18J`{S=B*)h>g_ekFiZQmA_1&egq~D0}!`Syfs4Ub!
zOZv%lJJdstYf?;Q+=+JGT$PbY23c+nc(xOT+rhz#TK3do3gyeENEh)17Axex-LWUx
zjxvVotP7tpti@xkUsF(SJuSyi2t^tcYdGy@__a-+1I${hFKOiLrii@Jdq0zEn!2Wp
zyJk_pyiOtd(L%d{9(sAa`ga-3Y7K5%(F}=i;`jl1U;3i^jOl|N6IvJ(PZP6UOSLle
zEc9XiIRu4B1&te8-UMNqVp?Oi33A|rM)av6-X=fhqN!0eq-igIso&1{NNOhZ!S1;-
zlAzinmvtNoIwBP4I`$OdWl;=!iBIv39=C+?BTFwn)iq0w{UnZclaG<~_-+CSt8{=i
zFSYqNRK3#rTVpRmvMd7&+h}S^+HyRdA$gtP3t0PHX)DA6V4MK9VovUlstNlb_8H0KXeX=1WwCX1y>LU61R)kOq
zn%e&b3iT@HvvWT~kpQ-||0vFHGPxj$%s00DnAH1SWExS9jaq@*kkMCf4Maj!wrfwG
zg|JV2zUbz1G!+v>Jz%uvNY&>Tc^~WWlqQUO--e`9Kf-rS#^eT|e1nN!^g^Iz{VuBU
zomYGKTY_8Heb8pE)!`t?7x$~@5~l0{$|pAS?^O4BIhat!_kup#pMN(d(BHD>1m@00
z?Dm-%G9{?gMt3VP#7NcKldB0RA7dA?du`AdU;5)@rdTwVO1{VLlBdgwCk{k~Y-}cf
zfvB(D##^P>FhCdQ$OQ0ASaBYSCgb&STjZl9suy#uZ1NKnGrnlCW_miC06f>zRwhX(
zU=){=R67|pT>ZQ+(cc;o(i7cu?{2~o6nx_xXHcSOAd#*@?Te7B9jmkcQs`T=U*McJ
zXkYM-D4cNa;oUuR`9aq6&x|x;UOG@kq_&OJ1F2bFnQVaBBa{mv+IKA3a65CuY+3@N
zMx}c@P0tfcO|i{zhch$b!|bIeLwkPQmUecvCY07xl^aKEPOp6>)M=)}p&|CN?=MQXVbdvEzLbq+vk|J$=|Mb~CQ9$#6u`||K#!Hl5Yb&M
zdrB)e*ujrs&u08#vY?&KC{bJ|%!Jl0T8zmqet;I{QCu53{KU(9-Au8mBz|d^LjC`^
z0f;5SXeIhwL~ZxGOi9Vl&Ov4K;%un#Opj2{@EyYA{NDW4j
z(C|AT?!ACS7?w77=t)-6I~-Y7I!O2WjYdgppSkn_dlCrX0L?@|`{(?7gDe|Nc6xTb
zGu+w-G~g=#r$~fu5!cqUC=?IP&>fW+o#8|^`2p9pyU4j>8REggMvdG@8Ru}z;}QMP
zIR1XV8=Zi*Ux8ZmCpV(T>36Q2S8fNB#a!8|Zd`&bG%0KOUA`ByxmH;>0jVoX
zS=inDtY;pz^t3^bnYmxcn9sd;J-ZuV{l-Rt1_Zh&Ci%M)Lvc0{somzi20aHL0nv_a
zS+`;SbILfvSY%Pn$Y#cMZGS^*DoY7-XHUVoLZshb1lYtrA`??wDyp@r;)X;b_2d0m
zHmoSCN)pXl%$Wz_kZ-ElrO51Kl8+Xrj`3$>j_3}pS_4J+u2bCSjS%g#mBTA3l~YS6
zs`SJs;4`skTOcOo<9RWVj5)|bm#0CxLFdI=S++AbZ#f=wAZc!Q37!e%PH
z?f^KG;!;UDrlF@0%zl_FcVtRH
zRgJUs35DxEJ^S6QzG!lX4zgVMzYV&%L+8fD{8
z;hghA_Bm8gkAm3m@S<7Vz=YJR4LS1T0uV68do6|tKWN_J&Gj^Djr0&Rk@!WYKP%1F
zp%!j=lzuxynS;eGu8yvnD?z$m!w5~Sy`)8p&40LK5~2DjRH&8TNIxf1kA|Y}V)KU0
zHyWl61LX+DJtP#j7-5U
zz%e|wV&OO!Yvc&);XOsf
zWj^_f81ks$>OBpq9#X%Tem|DpXxxRF7Nd`!(`rd@ngM=VbBZ~uFz;mD
z29n$};|2&>D;ZGG0z|Q6-cd6rnrB+hRKX+n7r*-^hrpDs>Qa@xhivC!>~T(am$o#^
zgv?wr<
zgeDEDDEp=ykwxw6Rf;Pq72vj|a{v?-PMUF{if!Dt{D!ZXqEppbAk=j#iikn)`L@xF
zCn{3E>CQPz%of;;^uGUiaBd{Z`_`)FinjU)3i~t5Xa`Xa5&UTQ-Qj1scQE>pLGQ$Z
zoh9%`6T+*{LnijRluNC>Y%dSIFbcS|^K=&kZ@ELUb2;~sbqlRLMi~k1W*uP(iM5f=
zp#*}aG(OEW=9E)4#tL#1m+AGegP_BmK}-&o6sma!6pN$w!mW4&`XQ`+E>GjUVgBQg
z^=YKtB*D*bF4Ex}e~vRaS^I9r;E>o&#i;4dC}-u<>*gTd*fxpV&J5Oib{qF$ZEq+A
z6Yv>l@V}?8A{&^~=;q{$oQroq0n|6P~ZFhX_4iE;5FRHmFtzAGw-r1=7!%q
zm$E&dcTL&aQv74ZIq7-nz!35C)oQ-r9E$os7Q8iAFVD`CCOnK6j$c_U6y$V7!w!58
z%kvmjbX9=2Z{CckyO=qqG4T=kd8o!42gOO5?|lWS)n`pbjqslO-c9Iat!fH}UF`$E
zVd!ujpRLx*mLnjo=k&tCO+6-ib7M2%qu5~q#02xMdeq#PkrS(qACIVE;r0&mN6cXf
z0vqk2gW}hwXmKe1lzZA8Es96rA{Q`9ZR@@uECNQVEG%P&x8TN}h#M60KP2bG97EEzJD;xC){
z1$%Cxsn{!HFX!j!=QX=nNQFl4;yXebf@~j~Xx3kl^@)%R3d|S%+)?$iv=^E?%}b;v
zk{fR|M%&H#p*D8KHtpX;OLmmD)|o_B6%-?|d6exY(@a(zHTCOc!?y)rzcVuXI9F9%
zWBNli?)||QNcy1K^a=P|%b2n-7E{Qt3NLDujbr&H=%(h*$t?Uc46EfBzd(?P*N0zu
zb%fuAe$x>rD`H#ej)#GNw@fxgzs1;>s$(>CsgH2>x}Qpdp)X~>GVZtd_=Rw*^`k;6
zpUyV88Of)hsL6}lZqv}Ud0l?4YCI6JPP;Lt8zGaOpFQc~h_rugyd-SeJxgJcQ_H(f
zBy=LB+WB48vGa}8^&A2bbIZm~o51d}-qGB*9G_F(C06qMS2)I??eu!x8thSHxK;RU
z@xV}-WS2y>+yR_(V5AF&8PhMT9Kw{A8EX2Gsj6v4<_ac9ihKF~m5Gu$rk~3G25)St
z;H{|QRe&+1Ab~E~1P6F+S8+b_5|8yW-(U(Cf7q`#9<0U;RXme#&6SrY*N7e7@QiU2
zL?sU&*;|v%w^sw<)=?=uuMM
zN1S`+ZIU@gSP}>l$yeWe+ZIwY0R(4cZXV;B5WET9Oi45RD
z);@V-+^$mT}wz_-L
zR*yEPOVvroG4!X;vMJ(@Xni3kLeBx2u#Tl%kVr+3HC~cr<_sGEBvf$71
z36>u#`4qfffdF;yY3&M+@tAhhWHV6NSNDC&?|#^ds&Nm(czdop+c(V+w6S;J0>o2M
z^;Xzo`$vba>|G;Bo1I3yJ)d#DLGmS511&{}{B+K^UwE!$DbDo=RJ4XA11M2mT=Q?$
zpQn~8PmJNAn>_6(yxy=U_(m>I<4#CJh~L}1&A|oXIPCHq8SfI;jy9p8vKsiW`QHcy
z=|(0wgvZxMI|ZqSUJRHGFnW`Bd0)26ppcV0&psQT>F*@M)51h#K@NBMgK{3s1~VMo
zhSIKh_LWfab?5M#b|m|taYl(&2dl0*`?cMY=1UbFZ`Mk!c^$~VpEY}b3TMPFKH
z>!&yELa+_AJ>M#IUtd7z=EnbgXML~`_xygMZ!_0l?v06&Et?&-zlijekW~Z6KKJyd
zey0#tgLiB;t>{LDK^EL3p#R)yoU#xuivd*#KF2DQRG!-zm086&FY&XsG!e0y7v
zpv0K4AL;u!fi>!cC2SJ!v{ZW-VbEwMDjh+B=l1K*Q
zsMLIy@_Qg9uMt#;eC`|FO2PTo4{T8?-z{NW8cEG9;>l+|EW&kkMq?$BLC>GUQ8(nL
z-Vt0iF!?ctSAFBK{37N6W#HwcZ|#^d*WIButs=bNuf!^kO*FHi8xoH+2Yb83n*&-J
zuR;)TEmS`zyf3F#m#D3ais$#@XqVtpH||tKHVA91Zy}AG)gB6K8{Kp(M##|pZt``b
zHY48hts?n&eiMBDZ0U)BcunjO+fnn*2vh|tOb)b}CpMi>Nr%D2vDHcikNiN4nhIzf
zYo2ZX(1kZ?_Y6DIsYAzHPdxeq%=BX|0n~ZnBK5ojH`)-b;4cNMGW70*Ngt$)h^+M
zQ1!&ihIdk4n14{}+>K4vMcjuR9{zkf&*U8%=PC|A@_6cO>^!34qISRIEeJX&`EYAX
zXZSCcbdfpN7zb;F)bLrn0?S=Au(me}cQt#opMm}?0*opJ^@I$&OOw|%)msdqsNQ3+r
zbc#R@#`Afv>-KPFoS#g1fOb`FQ9fc{O}!!vzlO5wL(O9Y!1$HW|M?oJzK=%GEfS0)_lXi
z#xZ}2-pP`Fk+Pf2&ENcsy2y0PfD-;KlAh~_WKc09I`4{oCPGHrpr+?U|C{^@VxN!m
z1c>BV#5IcKEMLyhY}i_YkiDyYeRg0IebzjpZclvU%0wUv6V{T1ii-*Rc56tXjw%O#
zd%7@x#yn^>lHHsWx<#aj2napZ8gJE@Ni4T0>7OZQd@z?-x0K_~4;>5cQR>h~s1Dw=
zF+7e=Z!lMJBYUQ}`iT0xXpJ}U{Uv>UDiZBvFqAX-xp-cYbRcN|1Bk4I7?~|y(!qMu
zr`CGxVYR=F2uJk`X;=F)<&byS;%c=a+i;PrH({?GHj)6G+J^X0FeJ1v5$d|-B6s}#
zW;9#)8%jRN^9^2yyn2QZN4=MJsr@do-~oC0zR4s-<{7u|Lp1VXlU~jCuN6ErC{KE!M+;6*9pEUe&el6!Md^yY*=C#$54+vs*$_^+(&5J^
z7^7jAgy%UK1aK`(vsXf(E>Qs(;1)#t+OX!GpB9=zC*20hatR=Vy!?$n
z>bjynIg@|x(Mu{_rT+?4`*2h-*Y4|~p!UtI@q=$VJq+1W93JtvR&`~;3d#7zw>$7L
zf-HNjw4d0X%yfaGVi(K*`>&r{fGJL`Dc?X>lH(kT22f
z6-*qRg>CbJN3uh|QHYl+5o`3dtkj+-pIrNOrp_%WC2nfI%(lTYz{WoBp-AA3MGuyM
zTF~54yyH<8N*QQ;&1yZb4=`xZSQM3NxZga;7eWqd6@L_R`6aq)p!0@s4R1#%aNv8>
zBKs$g{OhH8UaZo@y!(SE^@DYylBFn!?_D&kiTwBg%mQzDX)o543YP^BpGZ+Jgz54oY7f6&s5s?yaHE2FjHo8{PUW@678
zHWadsBn1!c8)xQ^t_VU6KCx*t#JO7c_9u{qryxE5w6?JQ|m*b&e&nn3Dv+$NjV3poJ9}%9I
z3FrB)9}9WEpNkz!)~O3zc2mS&jJ*P=pi_ti>Eu
z+ccYs#z;#5o0}1kBU-GSml}$*WZJI?t+zOS7UsYBwGm|hDP2kI%Oc-b%{MgG`|fV=
zr2=-7oW15#n>|s-QUlD%2_Js8C#9(7>S5lAp3k>DQSdXzNWj|j
z`5nc)%qe4JCo;@1%DTtq4>#qR?azpErlj#lR9
zd3KjO{o#!B>l=zk6UXaSiymP&y^xMtzXwz-_Q*+9AWFaZ=Vi}X-aJMLPKW)muF!2~
z23jq2RSWt(i(9hLnQ0tr+KJ)QP+c?nhGLA-MOuU=GA|xbh2rrt(dUPETPzW9U;1NK
z6|i`Qm}N;-dXBrZI<6u@yj!r!Gq>&ZCa0CN2Eqmv=K~VlhdFkx0gq-ScxjORHP4H>
zJISNbYS81IR*{Yuz3z$U0T9N}KQD()1iw1U~Y**Qy>I?B~Qj-!`1+3T=H?Z^Z{66NW+=+{K*
z6pUT2)J%Vo2hE7QXRQ0D`lkq04Z)G@UJ4UqH3sR#NI9xS(wowBf!2jABw>(Y{C2T#
z9kF)oAmb0XPdo6c9L6U>1x1H@d*jPRxI{p}akrS1F4}y+YX10A+c1VG1NGe+&V!ESr_=)?e2{FOPK1~p
zWb86L?0mU}t@QU!uf+4lam=Q-XFOUMWfd*P(`^&wt|LD!;GCbESOg#6U*GrXq1euF
zJx}DhQ3r2SuVSn58shZ6a1!-kme{__{;bHJqL!>y`02q>Animz##ms#j2ttrO_l~P
zx16qfM2Fa}K7(-;mfs_kwn49`GR^JX-md4Wu@_g8%C*6W;i3cU!v
z6Fw}xx1ZW&cFM_xh6R2?^M34mcFXG76GmOzT!;;nWafckl2n`h#t0mBuU@WAFq={h
zK)e%gSun>C&;7bxn&&9|aoSHawl-YscoyJ8#RJ>3!Ah%^z{@TKTVI{EZtBK!iw>mJ
zWiYnzr)ogny_;yMW*8-|)QH445?q>JVp@|!DSivpC1(6w7;FA?h`apNStcXS81wsR
zm&~U_<>>x^%8&j(gEt3Dp2x}>YV|RPpb+M^%z{E7@EZM1%dP;B$v@@B5PlJ0^0xrq
zguaLPo#yfxv_N(NiR+M}%eS|xoNqCipewW`yGPomP=)dTTbFs#lmGJ(ENTETUy#SlKdg)du^
zfao6_{6$xzHRTJNW1beb?21`c816&P@~4cBm-$dUAN)vS_(QI^9CoGy7DyON-w}k`cO>n+g>IHr3JpPzIT5{a
zv7P5g$?5Uv;>sNwZEUTMcl>SVO*Vh;b-GfO%?WY~Z;@mfX6z##!peLn=#B#O(Q5!w
zI;iBgriyg0n!Q5Ts=*0t0+T+{O^dM#&ds#}Zg|cbEta&UfY(O|6vPfVvrH&Dgz~QJ
zr&xey6c4X#f#(%aD$GVIa<$3G#yFyP7~AuOmMO;X{#M)!(_2AdE&t7aBW{ofsgjKE
zDM;n3wV1OT`lWT4ke}R3xPTOzkhGl;kiGm?R5U7l)|;I$)C46J&Y%DXk1I8aG>&sE
zD5j4Wz!If|hf4o-UI>*VP&U2Ap7b!o458u#eU
zjOd}~x^tI$AJDImS<7841vKib!$!*(XRokuBo=6B{0iqu)25qz7EB4MQwpHe{HWk)
zEJEq)r88}N|B@p0A(9M#%8kH(izWA32r72Q_AcyTvwIm7hv<0+E!=sI2`Z{aU*7iROiST`3RXAr_M+
z&_5xz`_8E|PT_W3fnH&lrn&rjLiTPut*NLewi0yqK{9-WX6Dma0ve*22$|y9%>(bR
zCAw$_wFaq&y*NH0f|O01V&fxOU-t8YWXam!ijRSgg4Ho?6jrd6Pg8=8c30m>ixjTD
z&7488lTFg;;B0kca*Q2=)Sfapt<3kTjS<{9zb;v3h`424ICOK{uClhjP4FZ7)$+Ac
zhFkgTvKfWcW1o>3C9A1k4mA`5UbH>``xNv2a+wT@t(_dTaMSlqqcX7)w}?dxm)$x3@x{{&4PmH@R~B
z2)8@uH20oNO%FM`ME_m5%$j7K0-l%nMpfXkoO-Y7qghNmcg!3l@Ea#lT;U#X!|};P?OJ_{
zIqG_hJRlfkX<$u(`dHt)ncF2jGrX#ph;aI|B=NT=5$z9Y3S|qXn#+wkVk$Tacs9M?
zk`A3__gbh43fMiy+;yMQ#$+D`$_&@mvmnQQYQC>yPNSYfDqk0$vA$&b)?4L1wU^nR
ztrE}g0UuE!9fu{NINgUH3%fg&dP#P-#$`&xe!kQq2dl;EI<+wb`Dw>(qDK;o5NP*3
zi{#6El=1UkATtxrE{6`z9QQ*;`yvE647Ap`Zw1lDhm{%!1FF>E<&Z&9*o?@WMoHOu
z`vND!9B%JwRxO=6hINsS9)-`I=7EW~pDHWd!oFk`ku0&a?IBa3SJlJVJGZIerIjRI
z%C!QIT|VW^LW>{PO#~I*>YBQCKpwSQIeoK<;hYiIRY~CrE|7JhoM(IC}PoD#g
zSMF|T1tja4Q`=Dexna3Vsb?1}EhnOGHPrIdt`A&+Kl|ro^JdXzY_|4ypd6TDUV!}h
z^18MUX~#Drbb^NE4g?5DGp11D!K)G#zYMbli--q$l%RPbZZH^O+_2&B5HTPLPslQ(
z8ph2gX@?w-j=Wc@ZRIFp}-rJ?^{d$EB
zE9ojiobnO8j(q|v{tctSzKhztqo9CY$RqLsLaH^0H$Mc^=I$gbQs0|ZGCRX9svcG$
z8h6f1S@-A8>0F#^L$>%4Wh<^6IX=`<;`T4rq50J5lsJ~`Z)g+UG5U$fJk%&#Fu|Ik
z{@`v*j+Jf6p-pJkMC3@nf6>}A`wh2C&c!2I1N)25b#dWvSwOsCkw)H5w1c$Vc4-9L
z$%R|Eg~sFaWJRsnTT67K-Q+V3Wo{Dr_;qzFu*^TpXhm>4lvsuYC91^&FA?cFlXiCF
zPolxBTn(G!-Gn1BUvu$iAV(Ah!^4m`9iBIZc~K
zHZoYhk(ypEHd$Z0Rs!5}b|2)f$K&^=QiWJJnSIi2YORj#&H>3)%Av{1pXcK49C@EZ+2jwTU`~zmJWW0p|lRs
zVt+@cSq+P;Y6-mE!nOlR6ZkT3<5oJaKASGqLO2>V3dTa`(B`o&YNFFS5ANL*^S{+o
zl|S^Dk^yIo#6F~?u%{brU_=+|Vq=FKBxr+@hrXkg^Tb%VYSkJJZ%-+$-rNtVV{4!t
ztBV&el`0Nm)8sa(3^06h{c)DCs)GKBAxd^IxJ~Sz`^Z)EPsD_WS(K9?%ssWJ`vYJX
z^4m_46JBLfwb}85`l&XAdoKduDf+28F4My+z-f-@-kT-^_G;-UeU+R_U*O!7AxUdjz!^R2
zgJq1Xk&@{pYzHN40%Po;(!;GW7+2O;v4q2n4CtfAtRJ+0-sycrpP
ze&k04%eb+&x6R+rKhi4jh^EW8+w2QdSB$b{2(c3(e<@GzLp=MA<`U-Os^_L1&#aLQVnQRRt`ZOUc54QNe#kH%(%UY!n^zN5da8vLNLWl@o{u`BU#Y%+@U
zoKH&KIYV+ut#?|G-gRv}H;@k4j&8urhW$LC{zbAyR$tja=w|pS3s`TT)ZnSgc1DI5ifPs-mL-Ye
z&>0?nW*eSlVr08r3#e=SF4&>ym;gZ`xhGn^i11p5*6oQ5YLH9>tQkIz(*YRM4JNet4tg{4cJA0_(ERb)>0JR65A5kDeu}_{p~GN0^3I3o;uA30
zD#eNrbS+>*14f@MnCY68<4pL9lqL$3FW_B
zyA+IauF-Tu=0$6{%>~-%lB~csE&XAF|AHXQYkM2QArJgRMIXD?UN%i6@DKRC{Gfze
zr;80j&3S4jS)CjTrxJW1KgjSDaivE6fx(m%ytjr!rn(v5K$$hyvB?Liji@^o4Dgtr
zLcR=iQFhu)z##D(0i%7A76cqSE^x}Wr}4W19H84ToyW2;3@Du>d>fnB@eEu)%h&ta
zLE$?s3Ier92FGUE$x0Czx>__Zlrj}s&Bu#zYG2y&)sMx~J=2hV
zk7rm0UECiDXZRCaH?cCm#gr1$LC<3w?X6@{K5E)e^4bvrZauahi7o`@BVoT&VFafc
zu5{jZf!0McB%sU0cmQV>15m>?_0|;!+;hhH_c7n#(^F8!p*f_7qiOkdf2r9=TIrayM9tpFHeCQF
z89tQA&1&oNkqBy)h>j+qKMp5t>JMEF!7;60n^=F-0m?+1Otid%`Mt@4nTTG4yk)8k
z7AoE9S_rLF9#lQAZWmOg0`^ts>cl1*W~`H#3J0Q+jg(o4V81^);SuT%mXl4oGh~@k
zhxnIB;#{1`aP{=d29O2l}O{^jizm
zj}%-JWSufu+`S-nKbe{+KS;wvQjK;Y%*R2=a0x{xBQwHBM#<2VnwTp(n_eO|-39jj
z-1`zCltK~639xI005w3$zyEIRaJm7H0riMwxr+Pb#Adcs&Kc9&pqP?b-ZLd)IWF`V
z#@SdCbk{_Q=wm1RUYRtjQ~&eFX~XB6@GA%m8LRTvGS=~=|EW+D%tK{{Ni^c${PuR=
zu8lK7)l32*KC#^xEFEh$2101LarC=Ajoq%GT#m-c#9biXB>5@1W=Zj%;IZJ6nPS^<
z7B2!pQrTNAV++xIv^425BVAGSGdlL{hnuAiHRHz3M@$*$Lz8nFL&8{t{4rXFDgv0W
zQC0hjtUy&cl~+4=zBi=UMTj+h-h4BG=o{P3o_eyI9)DwZvVk~uV>jGMO
z15+Oax$lweDxc{MN`2uf1(B*KaFjsaFU$ftTyc=#-+xb4(7kqMg9wya)}8BAyi%$-
zY!|W5d9@yV4-q-}rTmlA{5-(Au7YXybv0H-Q3prydaO4~bTiP{q9BU$iknFQ5<>Z=
zTF#_XxPzZubu$-9jcLLqg;6B+10aEl;7Viz}XMzfi$Tb28t7D
z=OJPKjA-->73IayZ}f2scjj^gH30`#`IY~v%<>qvTTkOi_e)VVXBK-7;(d6-;!
zXP4sHVZn{NWf2)0NdAs8tA>nL)
z6u=Q+3q$3xvOu-+)i2Ik{7k*V(EK`6lyxve>WeiCN{G&jj|I9uQEwyB&^;eiGsWC<
zQfiIvM|>4rVGQl~{9=T&1`aTcvS%TD2fOyi0d6X}jm92ii!-P^`#TpAS-0xKP^E|2*&t4t+SC&bQ-*~RyMVwvk-81~Kz<j&_i+5?c%l>2ID%fy!9J{G;s06q-yn
zoqNpNi2&Oe+4V`g!pzB2|@yT3TMp7xVwxpYYT4_}x%JNre^8@Vn6h#?O~l(7jiEyN%wK}RRLfCAc}GjKTjvly)5`lc
zV2Kh{^c%P=;iq$i!Pjv>Oa~fD;-GD;DXj+3ioZzLCD6->S<82f^9!w8LJP^G$bPy!od55W$$=pIyQu25p
z4P%cBf#0MFLXGR1p}-)Ls_kBaVx;l1I5{4%^W24O=*`ljrnd6hexj|
z;E$y`WV<_MuGT9b7`W27qG|Je(PH
z#8z+`1429-_Z-8Sb*XQ2n9jMq^vwhYgn)l;<<20>qyN5iMjof>t&%rEgrQBadTq}9
z%Y0Ca4zOk#_6(e;qrx#XzwJ2J>}v9qMsO6H)OJy~==c6C8&XNoEeVQ%;Cu*SZl1V=q()oEQqRmIXH){!Hb2&r{T8*Wc9vA;
zs~Ma!LTA-FQj}CH%MF9W;#L*9s6f#s1{@LC@UQ^_cV0BMr3^Ut;(j_s-S`f!UT
zn=%5Y2!>qfUM_o;DXbhc6y?ccK^{d+{eywn#3)X4x&{R?-PQbU5>pBJ5rX7e^LO3D
z*{NJIw>`L7%AAPD?J~svlCKIR)-Ls4XBggM3q_nx#dS+&{0uJ%n#EaBx66II2BETH
zAt^H52y;X%gIs;ai@ZS^ncjH}doicE>;TtL%ZEC0BUmJ0P;e{`aXmRYD)-0x$hN6Q
zSbULaU@-hCcog>35qr7%T){mZS|TE~?S_51(SS2P844rWtp6RC?aD|ET^Is?V
zf26uq@wB}byLHEXZ+`Vl2Tsr}-LCp-r>A7W2|t;jZv`8t3`a7lJ%476ig{|LYX_T*
ziR63DfJ$OKF?lp~0P1a8A`8;c^^j
zAZo@4gP+v^3aXSbx*0{P0`>1bQxYbqNlOV&Z0>G(Xdmnf7O~#Yf;I@($DR+H;O%vX
z3PIYV?-D%$pH|bF8`glF<7^rv*9Q(j1NNDlF2^ledWz0c{?4{2IsXlqH2YQgD?tPW
zs(kB0#%B107D_kgIN}Zk-0VEByC98Os+qD27_Eph7MR%1xK}C(l4JDwZeXQFg`oO9
zHwreN8v4zy#O3Dox!&!7vm>|QkKzNJVS#7%raNgPWKd!3eSBSjiwFZzur>A!@d?4&
z^(EnRl%>?}X`v+gv-UK+;Jk$|@3G)t#op_8tD`or6S}QfR
zO-EZSUt!|9z?vO1srZDzT5$)Z*2wB)digF>j=w=<(ImUV4`Kzl90(dATPd0TkN0lZ
z!mEY`$S=>m84GJ7>1Vb|q{5eD;a@rbpx`zX4xSaD!m@Y&poabr9xmwXJO@UT1{|%C
z->eri>VZ*-afME_q``Spu_RsO3Yxm7-G`VzV+q+5`^Z{+PD_M-2@lhx3JX~xk+BuU
z9Yk9;`@qyTd*F*{R+Ad}vC4M>Lb#(oT9iUZ`Ectde=^7SyFDWg?uL(9igTk|
zKfWqzWP~BlI5WYGCn0od7c`BcH~*fVj%3qP7Gr7T>qQL#>QlHgza`eiwk*^_!%QcK
z;JMzXrru9y<%}NvH2xAtFBS4MwCm+O1vfh?w+0gOU>N5491?U6XBsfIhM}Z9vtl5D
zQ-?uq4m*=8P(*A=$KkMv8rXrtk;jM5yqkl9d(iUpPgD+Oqnk)rb!Jmq7+DS}W)8AP
z@S9$fJIGJj>6F;A%w^@S&Sy0A;_fyyi`Na@t6vX1#Pj`=ZAqE+3tNxAcEg4aCHh*j
z#}BJW1ogy_xR)I^>X3?j)2C3Y*;UW`o@vk|_O0xs!jqknQ&|QS7=paEe+|`AQ9A5C4U`k>X%7pyM
z8nu(EpcG3*i+q@rZm9_bb9DqcfYf0)k&vatm}9oK$10n4eBnCIkc$EF-fF}EXI#>EcBYXNwWWrY@`o+nWh(3}rqj3}$N7D{$L
zWd+mC=c$@z1dliCXXFcIxTqke?Jn!7AJb
zHvLOo(cC(u1U7{~aPOssc|r3#6Xi72KMqkkp(;yWXZO=*^l-bmKw%X!N2&24ovUL0
zB4%Hb9AP=jiZ_l`j9dX%s58)Ma5^uC8@oTsk
zVI1PGo{`FLMX2g6RB^gLQl&faB8?$f7LD$lXZB<}D+>Xmp_e5e^LZzU_v7?BbkAto
zkQaD)u8|4Vcm|PyWQ1!+RyUX9b5=}Y8&G5j(i0FIXXIZ`dW
znqKH+DiY0mumU&mN6p@|?vYD;RXKa#8=rvYfn2s>20@Dfy=%0Vgcop#JgMCh;kBqQ
z_E^^)6o`#+xyqWV3+ZU~w+{_`E-l}lfduzfv@!&z)+(yLIa7S>Pj$g|A+)EDW<8mo
z)hlpCsQ|W5#z+VRKZ9DI3YVehRyIMW{4yX}ZC5p#*cBa*Rtm-1oN!P;Jt!dRg(`8Y
z-Pwmg5>7=HhcD?M)j@rf8}{BD^e11>x0FnIt!!K5Vd%Z9Cup@H1>&br70BPCUbY)r
zn=DP%CI?5K%n}FCJD00e4F<;S5A1KZ7ZBrCMJA$+Tw5wC!gAwPa<#?pMS*hUP3r8!cKU)H*3q;r
zzeod6f~XL&=9%~gUC*@ot~j^)kOMcnZyH@O5OD}^v4hNn)iSkRImGe+?_#=gffliu
zhWch61^nmP?a?rWsJYL=Qe>xVG>N6*Nbz7@ouEbj%MfBRZw>OTbKe}HQPBnwdyyPF
z@+pm9yAi<1HXjOg{LC-Y#Pg?ff^v`f|{
z9lzPm{Sj;rrZ}iqcSb2wT4`;~ltS0Z%gzrO?t&lxS~3O%Eny2+lguw+x2|@$2L`4<
z#%;7|Gg1rcV}Sj=z1!%(LHtNncp+QV94^=k;i;Gp56?P)Q2(HSZ-OT%RPc$fDD7oF
z_?F=_11O5m6*e2i_LEW|z{p~#bEo#zs_VARq7h$Ts*VtH*qQl__}ry*2Q>SUX0xWc
z_T*RX4RT$|!xo0r`L|-}PJVSCu4TbFl89xydly$;GU!nzzBOXgz0MRrAAv~hBJI&W
zZE3u_g(Y1~p6kGemn$FWl3ZJKqydu!#W!iG$Ej}-CsykC>vZTB>&O6!)At%(%~Cn|
zq5AFYML$`NLem1GT=m~<+q(`uNFkJ(e(Z6(BsRvcqUYIx(&lhs#c{e3`+pDJADq>X
zr648rd#QCqh*k6XP^W+cH6X{Rk;AR5z4=GB0G;m8M;E!F|+qZ@iie|lCP{1VnvvpgSg?EY&^);iiwYAcc>*4fu7x6sQD
ztc?|86Nvd@F%7y9TYsoK1TL4jpy2{Y;wEWhX3DP1RWJp
zg1@YoLHLNmiADV)fQAV+%NAIq!=&50M3*ADTT(*XXD^+F*t6yR0!cb)PQk&Bh57|0
zL8=A+n}umAd|GlmH^a)%tSuZgf;oaNg!UT7RnPY8ja(j#N%2;z*!D9HtI+lXJbW{%
zV-NW-&ZI}^^A$uRpPj?Ev!9Euv-Hb&?9k;!cX|1Kif@_5>wr4d=s@oji}IYQ0M%5`
zUhON>JfM0xkDUehK9;@O0z(dg5nF&~3Qd6+R?+U|Ff^JnGg*ltRbz+)^Q55>uy^g$
zqD6X2zKl<602sdGG33F(L?yO<4TEGoCV2WX|hUQv270#b$
zATvZSNrBijIYA_Ff%-G^qvw`-u-+~m3$%;pqH}RBAa1=C=iIY$FR>g5j@apmRHJxW398r7u<`@RSJiv4RtBX4_
zSF27t*vvIxomzKDHb(~W0J!Z7hXoH_Lh9s!r#aiGBZ8lw*8UO)m0
zwKgexp(yztF(Ju&aea+o?N;q
z#z!%Q`rVod1l=N`r9$zQ1!L^+inlp3)nu%V%~uDhirPK7{2=IpZXkrh5a)raUZ>3;`i)fuPFnyP$d
zO657MUyM4TxpT6oe}f+T;8h&vSEdcw|5NnxTk}hj$E$>iLWcmLKiQ@-leu|mzxqo%
z-->zMH0a3egRcZ6(*`hfaL%U*d*fmlfvC>?rD%WhEj*?N(dWm6D~cA4GGbMw2aO&}
z$}fa1TX9wuUQUoHeLtHCyVk~|K=qf_eg-Z5||E<#o6H@*54;On9ey+pO2)F}W-95-z;MKF_)9C`sN5-m^nr1%y}
zgI2}#lxccs=?Pp(gn;m6ns@l~#@-57YK-
zbI_Y8D;}J3A(B?0Y4>=}#HV@rR_hovi9`BDDx_XUF)iR;?g;)pUONOYz%vF}0dMf;
zxb!iMqnXDVSCj-!?q{)0xg^v60eZ7=A*2E-W@hc^th?iJe5$cEjVNE+u>#<^bCl;H
zF*-(OAAW#JP9Qp0AEBBoYr-o;JJTxD<_C#9b`?4WCwC9ng_zP9+Xp~rp
zq0tG^xJuf98o`|J7~T8^l6#iV+GPwGF+Bn3mNdMPNS^YTy
z$P4&Yas1TjVS|LD{DYV1G}r<05H6+p&>>=ELUHE!Aw6r4*uLTO
zYy&@xP1wMs=h#nay-in!k=0>E*wmh>rE+_gDWY>Xh42|gx@}8y4+}?|E~vw9S%+|2
zeQL4*t54zTYT468H$y0~Jx)ThOoR?+Zdv;MH{>XJfff0e|46bT-*NvVPLQVx{zwxG
z2+8-AH9y+nW$(|5;*5geeQm)1gJr`wy+ZgJ=m9{Efz1G^xz267N4NQN7|F-y_>K|w
zSE$ysV%%yJy}-&kUH~Ig%g8V#2Nj-Zsy43@*h{9_h@vp7AV4syf-{Gw_JOB!+tPb7
zGyBbf>_O1>G(+pvpPohs5)xE-b_O}O3wYG(&h+p3$7nY&EYdt#@7=Hs4y(jjCn^7S
zO0N}K{I8I{3hz4T^zPIh4SvPD^XF@Ql8Ql1Ni
zfC_nv?n&164_Tj1ITQ8Q!5oP44Ng1_J>8ilassQ0S#pL#2AEM76sDk5r-}INO29cl
zC7eL(i7l!gSuOS?z)^-$zgwVpd!c&mu}&^Elop=Lk)bDP-w3@y;_V5Mb(F*WP(Rc@
z2$SLnRryf54a2t-JpN1`MeBAzsXPd0jm3JOHp)Sm0D4dt9Ae=OTwQs-c2V`mwTNu-
z&cD-fl)SA!KIl_F_Cyl>h&~tR_qA%exzFH*7f->fCC>-Qq?9|o{#*-AmFo({CpQUU
zC0Dyfn?B{7#!H(xXpeIZL3T_{SMi`*he;u)nNHugB|p$#p->(OF!PG739Jw8n&14+
z&MT#)jnH{gRnTluCI1zu^r7)Sn|N40`a=e`<{IdB=l3l&`+}8^v<0Q1%78rx0_+SE
z6*IU@=XIij_G`R(1CII@V?Qr8RB^~-d#*2j(kdmkxseJ3GjqK_*oDy2`c;O|Hq_&|
zt6#nN{VY^RGkuJd+)v--#fDF-`>Dr;p7U?1LMruRn!n>oaheQ>`Yvvtw_#M2S}z(I
z+O%?eIYT@{+J3vyvFtzZHtFKHNalYevzAgP0V@^!_~?$V?xz70>mxmuWq-CkiqQoS@jJ8+23_dAs8_s`yE
zD(44yL4Ee_*gQHQ;1iwRPF2R5KoXyc7+*efCHloLw^>?%h3-GYHAe|kE1eKa5aNH_
z{v1CmzNSqTb%{(kR9*6DrysLqF1}#0UFvv~C8<<1#%cq-ZpKKD=e%YNp5rv_@||Zq
z53c_XuE&;}Q4s)`hc>(&&U1&e{;jG0%)~I7NODL$hzM3EKBnRh1_PriqWME-BbUV;
z@u4l<(v{9nxvRwEg7chwNlC$WF4f1~XU%`%O4=g5QqOAfSA^8lN6NHeR)Bk7&dTyp
zWwI$5sM%~Xv_^{oC0vry-d+Z@
z0Pro5BXd=;ymKd479M+bcn_}yXp6*4zo?{x#cl=SdLirq}R&-j+0RXu#O8>cmLz{3GCEEcIXL*emOrM{iTd8nBg?M+0Zji2t$e(b*s)-x7nCI_>N*Q7e
zU}e;SkSDbujqobc6IMqX{bcjuH3{Ou%%@2h8czRAC1I&2P{eDOdyqaq(@5>q;%Ubv
z1Yf|9ukLpO9Pg9wFaD}i3ws|2*VZCilXtqy?4$VhZ=*&jk{A6+81?idgI{-G$4lanBH9C1yBQNOT(x$*p9PvK#m*Q`%Qy|2OsPP~
zE|Sf8v8BV5TjSyj-iWpV@1tpx77O+5%LX8RXfIE*wXX|9Q=uDLPw
z!vi!0ZeGOz+x~Cnef{)5J@KtSTc~{(Af`)s{GT3Xt_+5!2zpw&>*-q7$xDr0fe-@h
zs|M7b4f@FSJ0wV3iY;7euigc*yFUq7S=M4r^dfKBE^cDb?(LAzV9H4+;ec9hC>4pvg|IVq%bkN
zMR`EN!FW}pSve%}{sDqR9@DqW#o|=k5-I7Q5dim2KC}X=a>4<|i*zRTC^D2~okc^pQ
zaJ6Xh#bffHIbnCi6TRYv>+t#DYURM{7K|fvBj&{6+BmE!%>TqHH1O~#MIYJmCyU33
z{A=7n-vg5z6!L7QzGPqtXV9U@L0LojU!DLm~kl_mDHd2VRk_mA5daPcIw9*^pUpRUpDgvy*>
z)R<;$6nT13-5eq1IIzpvj@VEkMdh|-HEwP_p-ujQ*7Rd8GJ6Lp`ihG_?yBd)@Pw0J5c2R
z&uV>}(>+hSw8rMnXe|GRLcd$Jh=xAwF#0>1nxOGC9VUarRB
z`tJv@{jVz3OH7;cgx95m+`3Zt>`C1{mh2FXNJ5YDa%Vh`Q!@H6A~0+10;{9|p=cd=
zWSgWX>wMhKPJw>|7ec2hb?X6SLkn_G275sT5I-M3ylfnF!k9|88lDKkNC%sp))n+#
z!2KFrqjusRce4P$UDNH4K+JE(eH(~)oN~@(3w)@`)1p{cAu9eys&&MX0hzv*DcYAb
z@*fWLrmbXtx_FG&M`YBsetF$pbjLPN!HTVdCH?Blcno@mqUtHzL8k-$^>OE7dQ5`}
zzBgxF@0mk#y+Tqq_j$_~iHRC6k{Gz{;#Yd%Lm4T-efU3p&5w?`bE^Z
zStwwqE^I-Wd=MqOD(*b_x6<1xPF;+^
zclw+;odSBgm%mJ%(iso6`T~XfmvogG8*|D#{{wd+b@G|vc-F8p5=Gp_V?Ko1O5({`
zO`;`01|Gy1nkC**X_@64=l$*of5D$eW#^JSG7oDHNX^8w0|G|PGV
zk;OD}r+KB`COGV<#d5I&Il_olk_cJwj+V|vQW_ff6!%EK_I)!~Hu12}CQb!h+9#WK
zl{zu`z_Zn#+x=#%BTkkPOwSpuF=UZoxi_%$WfvRZ)G)blEZcr)LcN`^TaO-N+>PWN
z{Xqp6#?{Wdw*W1z@GhS@xB&kB=Inl?@3h-A`?D@3Wtn6yd@5srkfhqH1
zbRD?y2Eu@2#w&n82|cL?Uhn+4u@ENdO17i#6z&AsuBVlsjQXdkr2;2
z#ESop6DAXkLB(g)VDQwBrLr^pNW(`94s7xO-w1a~*U3=@vR*$;n)F042*H{O=qw$<
zsa+rul+vE$L)wsrwv>K=s)Va^uVAA;RPQjJHA+D3v`@_pNncD^wSMV+^5L#y*^N26
zABzOHjnuZJU(;CGZBoYP9cslN_B>Hfyr=8QhZ+W$f?t%%(kR%Z$?SmZc~$BUX)A#l
zGAnor-4K@QyaeNfo;
zx&MyYxo_me4hXhgbCxG>UM9C)HDh}di?odTkcHY`9KsS-M}aNaN)y1UDJS_%JhLOzn
z?4WR{f7B9;oVqKoa%<;e=HA2nje4FsNgB|X9H_Hs(keG0wEo6!M<@0>1q>Ijkm%t}
zSM<;mM56z?Kkbs9mgNzjOHsjo)Nfo$wQl@OScE}U2z(-Z#J6T9`APEX4B5Ch
zswoz1bk11#b7P$1jD5aFt`6jfIlr)b!*5RhA>X~tx>N9my)6&P5&vroPgCqRAqXbI
zc|y38Zq&Q~k8Z9R=zb=91i?il($Nuo`7L8YRm;K=D{WPB3l+U5!o
zc1m!aZ4)-?QS#PSM$5Vt7SZAx3CCn336^c>u(W6enF(tVw8S_8~3TTQe-
z?-9Xr=F2QwcW&QWmzbxDV3ze!xD>u7Uwa`V&OszjhhBNfQHf%c$I}2V(^4s9-OTwd
z?bLgsSy>Xl_l^@E(}~8a{Xz9z!w?@0IX(w`t
z*rwaj`voW?YZwfU5x8NmexVxj7Ax(qgw=k_;R2*q
zU9G97BBxGC8$Dl2naURDSFm#`RmkbPK(UGY6SRP|DQr7OqBl)Bz_`El?l2V65_+8n
zg9=rPB#ix}%;%3+zLx|h^l3iz$6cB<5c
zM<(5F8m`bI`;AF|M#WU8;oW(xXzTw(J`1iG
z^RjadE%=HCS$vtHaiOs#+D=tgfGCb{b!sZ~uMd{f;s>^tJM_yna0{`ObI
z)$5;YLx*nczO7OF193jS#v@ZvbV=5}4!
zD-fLO6FADkDcOv=W?JQ^7`AQQ^7#5#5*bOuB{0@6TX-6%Y3v{yU5H6=G8`Hgj?xbG
zL3iLiG$UD3G%?`AA!5ETz=zxO$Qe+&>=-*{7zy{!S
z_A!C^+Y4@7fYnPvjq~62CR*5k{FRnKg^T2Ge8^vSqYMwF4Uq;{m~)_XW52HedNHl;o;jKFH(m6Xr
z`oS2pe}~c=&r^o*tPdD*mf`h!qQ6d0^z_$3or+1cQZdYrpKvYuXYW^ihO2OCcV`XM
zVFw=r(kh<&hYzF2Tb;UcIpIURAl~Kpc>~n)*yV{l{86bAs4C@4SY;D@8)=gEccZ;W
zTfVe94!K8k0dmQs{-R863r-_Vvm^iIj^*;JcEPAA?d~>sisyt6i+x9bXwUQGO_I#P
z`Th$sOS;!OJ{_G#f4bAe^9iInG8M1$wSKkIP@rv^1KAKgV*wNuv>a3@R#ezm9tDGn
zQTAoQ9$pAo1787*q7?T(n)E#wlV;soQ;ZevtL4#~s)v(v*MHXm$FAfB!?B%OJ%}w|
zbvK5d;BBqYAGbQ@cSz0}kZLe-Dm=^?{-=;)^`l`yPbYTqfN~
z1cz$k$l&B=YoJ|p&KEmh0z!HFy>wVPb{M4!&qST?d0t3k(EdAq#110(4TEsebHO4%
zTYF27u3^UG_+y>Uy_r7(Rhx&Pz9tz-glC62A0~!k^K}MG1L&Lw4SVIJP+B(9lZoT5
z1UAgIAkGATk;h3}cniu?XVxtNyt^fa|9c*UCswZdr2I*VrlCrKybx0ntoquq8(S`x{n~=w$TND5V&Cyx
zGPOznUDxV2DUputfES6usH27`Aj|s8&gVkcJN3mbv>EkYM6H#7Gf9qzmyEHO;T05%
ze)&L>2$FwXqL@&$b$*me%Rx;wlA4$6i;q3WJ7?8?!@>r^y|9&Fab|{qj{3CNuj+2G1iOK|cBV(K0_>{XVXeVJ*uK)U{as)f_{^vzEL
z#9DTZAGqy8$9*#<%p-VWzT)ILhyrQZIoQsv!nF<|S@JDHb90u`jvoa=5X<5H`m9r<
z<5_4p9@Xt;)#QB;Ws;&*YcZos6bT2-P;zsj*S}x)PDGSdjdapE+_(OH!lU?gW&10h
zGV#_+Kso!46NGu=7HKxdbogA7J1dD)dX)QuLgyc+re$^#s7ka`2>EXKUgER)*DdQU
z9u#v%C;dtNo&p;c7>$t(Hm16PUh|;9t*x7&=Aq0LhXW!U%W~;gaE?mO*pB^
zgzkDO!o4HRTZoVd4a2~#q@M%t{MJ!`Fy|P3Vc$B!aWcx<$DdtTeG$!*yUkR)eM-A5
zTE@sy&_m1K204ayf*D)*-L4|q2i->5^|(}Ua}8ecLN^R2l@xa!#eL7}{R>fAvh6>G
z(K{Lx;xN?BIy8;o(?`PZcFDe(3Z@I)8SWfc@0LJZsVcGPm?JO6oi`wvAy@qK$db^&)6v~)K(Dc!?a9`R
z>VA}Fy}rri>^#_2_T>yJgS|>^`RoYel+jC2xLF|p8E7YX-%(vC@|bve$qb*W#kkZ_
z_6h$ZsjpQ143Vi=L|!uI1khKl8}B-Of@gxiAe~k3;j_VE;Fep03de7ly%nI41uF2w
zI#{C}@rgYWcR><$kvtAZp>?r1n6=K|fn!v}0+9S`*XC*zQTaHqFL}H{yvcZpsV=QF^06maC8)n
zt?-2dzq(ny?RI>mxXqC=Kvd5k-agOC8QTTVQkq?`FvC#{q0ee+L(?gf)0Am6Q1^I6
zwCihgczPf1*B9sxl2VHR0dAAF_aN$&eFuLRl>cX4&)yIc-wU>eLz!T@BJt6Yk=B5^
zXXIW6tgi-JJpX(5lHsO(MBM&tam3+(^7(^C4}mQTGHn
z+WcK+N=jbz7GyOa*h_$`xYdV5<-&h{Cxn6klLmixl@^PB`KltY7SsF6d_67X)lPI`
zY3`Fmz%SMG$X}-w|C*5A#P_Zchax18ojL77u6>XS&iD4K@Y^sH>qW|iSR~(lr;Xh}
zdovxIY&7VOPpki*F^HlC7EBpK5tX*%(C=>W0fcDVW
z;`9w2*5@}UmVydd<+RnY-Fwg#mv^D}#`*?>r+eIjt*5b-Nr7jB4TM<*aM40xd&&!o
zjlNLWKq`{^(9Q0}<<%8pjETnVO!l^ixVH3oR>{F-1%V$Pu=R;HgQRd
zesYfDlqoD_LMY3sq8o<;m}Xj=b~H_oNHJBYmXUmr)=;)}kHvW+6|b-aF<*o2nq9K!
zA4jj(EN0nW>7#NAfK8i(ZNS7CaxqxKbetH(`)qLUn>_BQ-V-NOHS59)VLr6WSlC(u
z4xqV&);_;hJ9g#30}$_0jWh_+u*o5_>K$G@N6$3@51>`{-v?{nz8Hi|PZ^MP>}1ld
ze^7!6XL4a}it5%~tNj(1p!tOKK)Jit=h|L;G(MW38CY->k)7WXsbC0dG}-$TJ;V!N
zi#&;_Qllw}rZ@!z6g1`J^6aDm1O%HajktDPL`pi)Shkv=gyV
zuFWZo`Df5#Tc)IMkU8eioAlSLMe`+f!a@)qmEl^VkuAjSBsvUb$%VX#i{9wZcK5Zw
z+fcsH9ct=)&ib30ITW4}Ojbz-bxK{*d*CI4jbw)q$jD5!4!m!pKG!{D8PxYwAKPR{xVW&gzn+v!u6qlBV`HS;oD26?iGePZ5EN
z^Xd~8#1^Ki?g<_>9PJ{h=sSFc8aXM$nnWo!D)}b;9KEH*uZ!&EdTZJ~6d&z@1b?d4(*oyrJB{vC+_`Tw+OlCdgt$f
zv9p(1Fij@m;D?y3mVHp9@dunqrFPt5b@q*8XFmFKlij-`mfk;wBwoqB3t00;#>$ll
zw3B=PwXOQPINx%L7Q*E-f>CMA$XF*iHDF#>I$oW%4%c+rLLgd3Rf9LV
z4{y00Exp;qZ`3!i1>2`Gi1mlfXIMwk5%Tnw*A7wZMiZ`+7_(K~(F
z2Lr3Psp&9;&3i2%zu?|^P6ojVPCQL7z{__*JIF652o*{>yXjc+!zT9-RtlTAjUb@<
zKqW9RaY@N>ioowY^kt&Ye7>jYf|Q=hX!pwRv49yES@-%arrx3fc>gBg(1qQJ)ESDL
zVDA|~hv&&eAaiOA6pxlw920%0T2vJXc+q!_gSOAEWx0K~3YH|&2Q@2}dhbSHRnQlJpM
zN38bP7%o}CP5X*@%6}8p8|W%D6|ag3OakqNExW29lqB3aE5T+bVPEM#x;i$uaj;E4
z*^DB@zL2!W?aBF?4s~Q$y`olIZ4x<}Im!kbWN%_>3N0rf#O~W?(Xiz-HK~)2!-J8
z?#11qxD_rG|9&GQc{88&*gMx;Ypi4>l%&dPjG|^B6W~XX
zJ(!V|iG>d!ub=?32g!q3Ss2AYwq^h}CKeVBBuYwgN1!p-3S=)~3?DRGaw70Ob2hzTUh=Uy5
z9jz=Z!GO0M?2L?mGX04bV*8cQ(PfsdKl)zy{B!r2MT1ah=sahk|H*0lFL!_w
z5cnTuERCK1ij`MZmIv4wTiJtw_Qv+6Z;oJNu(K1u=r7yb6KF>LuLgktac4)zKQ$Eo
zJ>>YmW&Yi|80hWJ^lUx7ja~maW5)K*P9A^b=09)S6lCvY=?{GpR&P9kL5}Xs{}i;1J;>GG^Z#Qux3V`g|HHePvjek+z13%Dpp3--
zIKP>Y{?BFs1Or$Az|R1no2e!9pJIP$<&T;5kNJ%RZ%+r11Hjza)(PlsWe$A1AbC0&
zy8r=TM`xh7=idkZ6Cts31I(;U!EZ8uTPjF@WtXux2LX8hWq#}A-$VZ+0GhuRDDB(o
zGy~b&x&zFB=19znAn=1J$aW$XSA$A9=}0sk~h
z^IxK^oIYB)0nL=Hz^0aek@zpO4A}Th_oDU|w!pV3`OBp7XDQjfY4&a3vHG)N0T@}i
z*#9y1CPz~nd!UmOfQRj`A>bPc|LFIP`9IwPn5DJllr)s+|0$Tiyd>>SL1tF=763L*
zE`YJ4qp>>@%bN<=I5`2HtZ#BQ1G@bs696-lJqY|30&s8!djrftj!1u|l9wC6Z2ZUc
zFT?|2Hu+z~%EAI*Hv1c71uz5u2H612=6{2n0A{Pd!M9Yle}lXLX1o7`tZ$j^{|4VO
zgZ>8JGCTYYasZee{|4U*IsFZC0hqymgKszF{1^OBHkJSEB!4Xvmj9#of411auo~DA
zWCPT)G6P%w-9^C|>}cht%krji);Igx~D;4
zvva&r!OrXbAEBoI+U)*XUT-q^H~zEJ0DwR@pefSNd5|f8kabF9NSTjh!Q@w1N?xXu
z3LK$NvhgrK(r@g#D$$biCy{>^?FRD~dUX+C|QB!BzjPn1E}wl8ZfUn(bV%v40S
zjeQh+2vH?PM{_ipGy*ad7X7|CmU-
zt81q(#%tddmi6c$!K>8lSm?!zryOovb=@y1K}{Q(IJxVSc3gKJMM=(6rhUw`AuuLMynbN)u@NCBdE)NG9R-XvWBAACQKjJNptw)
zu&%ey6GLk91MOY91UzT1euiFWKq+b6Jxd##+szphD7Lc2Ok@sG3gztmBeW_+XZJgD
z6`tij@v#YKBw8vj;z{BG=#N9{cU1un~-
zekwj5vF@rdtHRWZtpv7fQ0O-?{Gh!oS{vx7rR`xKd@fZ>wR84ZO8nD^r*guIyd2aW
zAwG)53i%{BSiT2LVsyID;rKfHzUnz1bMcOZriIimezJ#iq{ME%4+L_`*WJZQjFF#T
z7V4E2rejg!Mim0YcpJa;RR&DQrWkM3y4?osXt5k{_Lm6?ub5ByC6ObjIziN7mYAxW
z2e%#BeG1M8OoTvoiVdlykk8YKAEohTl6nT}+N_#Ks%k;kW^qaAmWy*nWi+tpNIa$C
zM;zb1rs#?~yq@?U)c1B<9_+{3Fs1XCjf|<7mC%N=E?thNBbdR9zdl%HA>mmIpdWay
zgqc9kUG;XVSxLQ;YMJA^E~2BLf8y;6V3N8atdG}8R}E_FR_gKQ`s^Kh&0Uk>FKwy}
zN9t9P!CHAOzBr`}0RQ5H|MB6-I=U?S0}BM4sxvJ!%J(%q@1D5VD=*!=nauw6CW|(|
zhjT(!t-}Xym`zE-fl^+@wC{bHEjDS&`^rq>coG@BnsX|e)K2aB7RhZ!JZrtl8R!<6
zdSG1HZ@jYTX~Pw;&%X05fM!J)WYb}SOftWA4W=J3TjHPM3~B-`mpTU~P(Fnc-NR@t
z5k{`JWFbi4AFxxe3oAJiHetmZMbhLLz1|P81?cAj7e=%bjJ(pwYPn4rCFzIr1u+D%b~U(=XJ&14*5mJ
z1zFwzCur`dUff$Mr(YFEBG;<;coZ9t`K1*_DE}UddG)CIiyXOovVIA~
zvvV4t)*Ug8j&Kqb(uO@Ym2-=DqNW`Zpq)PF|D*;){Yu40j7J3{hF!QjjTJ(71LDq0
zRaTb~Pl-zrpgDZkNC$oABiX55bd&9+`_f4gT#~y=PQLKoW-#qXAvO4je2{69;iuAP!j^_UC;xu0(&eOvgJ`<|Wvkcj&xFVv6etZfNg8+|{+(D;Pk<
z>qkb4kNKOA?(#apK<;jkb88JnW5DAQF(2eMz7^*L?_l3X5HJMZhi7x0@MgG|{Hy*%
zyz(`#iRq5n&boMPO#`P4}K=-X0x7DvU)cx$q
zfr?ztm=NVTaTBNMIDy8CYkF|p_VCDYPrkvTd@&bgV$=hZ8=E{Y7r*+oj#tNf>U&f>
z!m|ltJf7ve
z1IZF)#{MV?AuB`f3<+zftNJK+avM^8$ReInl@g9h&!u~xscVtwIgJYVb-w^Ts2o+N
z>WCk`9)wqsw-`ePKRLm1@D03Ivbic{bn)>)dxBq2;CmIZ_%)%j?VWcDf;q47mlkLD
z8I=W6=`vMU6H>}rqE8AIQRL-1fcfH2nl;k0d3sCcLtP_c)Q-H!n+)+W0iqfP(tRVZ
zFyXoVj9Fcm6B3~tWo$R#)A;js9((T=8IizHnGW-U#`Oi8HLY~0YOqBth`Weu@3~oE
zJWNJ8q6H|(0yUE%?w0~p;E@)kNze(|eiR)-Y@d%MO(ZhJu7JB3$b`ytz_m=7bK+c&
zo6}WN`eCKLSQ4~v$5E-Tz^XK+79Mmug!s%o?Ah`VUSVDt(#(D(OU|%@OlqWy;~$;Y
zc)f+bZ*<>BfN@0-ZZhT~@n01BfutZl;LcTj;#bUv%Fl`yXG%FZp*LJ8+?F@H&m-wy
zDJw0>>gY3vb2rJ3RqQ}xOQx8I
z0*YgW2TSLR64c#*4`+OzVBR{SG)ZF0$fL)5h-h4u@!%N?AKHX8l5q4VHf7q&DX0)6
z^~F8SlcO+~z~u828m1e{4}9?`_sTlsqm2*v6(`Z!p|9IMg;J&@A_)AE;WNMoQXju^
zF1SfrM!|rvg8r4WM-mp7wl9QuY}?OWxnKILZZ|hC=tiEV7Tsx+g!U#HdtdD$SO6!<
z%?(i+^OG$BP+I23#L7fg
zR3TuETK-W>Phf|{(?!3ZyAdEeOs_p~aQPxe>BhR?8BWb0i*WjkfyT~e=J
zDfa}U!%Mhpl51GE6d7KD?vF@|-cgFQt47zKF;HrW=#lXSs+|Z_xZG0PZl}nm;tqYS
zulbh`xdK1@(96Cb5o$D=a+Lv;@v4X>G4o6!O^+QjcQ8^9Kb!TuQgnVg(0noI6!81<
zIzZED?1(2>$-$#kDPb&uw=8!nHPxjhnK|MGO|vt!?C04y$gPU(B`UKTos7?=4g0L{
zgKxLJZshY!!8gS`sDw#pMJYA;v)8T6LadxbBi(}e7pTwdt32h87n`;YTZEXb}R?M?*haF_NYO1z_=QVrq{
zkTFh9&tvt)3X0@l{cJ6TAaMSbprOjX{eAg3y^Xq@h1yDCvAJg*Ll8lHX$5*1#z-4X
zcDi7u1uSRO<@CD2IU!bkIc)}lEk&w%dszHrzAd@>W
ztLU>1s#i(D9)$#|3PUT$3ahUT#taB1Y|Iu|
z;fX8-{W7TZ5*-Nl=iejACN>@&R~64*6wX@lkdu-2C)2
zo`@ZuTQ(_rzYTFsB;+-om0TMY7qg=pxvPPm>!4wEgZJ8=$`le7;6;nXsY$C&?%l$;j}U7t9uRUANNJh
zKW7n9-w`Ua@c(A-R6|zjpOsa@K|VY1@>c$>up+3)Cib&1pvr`F`6|DAhm`dAPD7J&6xWER%Wl{$)3m`n<5*ePBxSSAj1=q(a2_*b$QFr;GX$G_>)^
zzR`ZGP*Ydbx#sC
z1{0LFzK*0FF7^ob4i2qK-ZhSKeAhts#VS1#Z#KWw<+L-{`g%uin%C+)o5!=h)1*M9
zN1;OQ$hTpvPb{@BhOI^49h$tM=(CWO>W7$!T%s;s#?R;i;+tRV(53tL6#b7GNm1cv
zA))<*c{xDwngJHdCGKn8FfLI03+qsLcvFs(^^i2l(nSzF5dq6`vO5R>9`^JuV%hsd
z{9iTSu4w|X6f}dQzj=o@lG$Ij?4k1!u|gurb)d=n=ya=FcW9n{iYPsDBx6zehrSuv3Dn_C`2%53~s0Ik86WX@~c?@jYxFcgvOvpb6wdhvDC#<53n>RPJ)p9!#AifDUbi2m2#8qxw
zvVGw@)3}G@$0k~2TrbIDy=cglHdJAkTi2UADGRHtbze%|(}UEXj&}|#ed;`<{t75l
zirn;LG{*2FFX6tFGI}DfxK3?_lDL@JOjpu(;AZXd(bh+`@;$Llr|gO`79KaVk_P5~
zi;n6^2vZCVr>N_R4%uhEIgBrMh7tW07s^F-#(M$j!K0ZFZY}-7F~LH#mr(Mm
zs2Bv`^Gr5_Pk@<`^8j0h@>4f2=1^Q~6vxUQm>j|aSNH1SZdLLG&rLZs-;>m8K}83z(qp_A
zc#d&ZU+Cju@J+s#e`l&%j1L0k3kCjWWUe@>Xkr%LpxRip7jPkr+{rz;_TQb);k+v^
zO;JX}Pox9Tc4mP;;EBMC5Z>FLvJht>8I(z|pt{RdyJ>4gxd&IEznxBmOP6zJ^vjQ9
za2T2L%SUa8Clf{dlAvptgWlH|#Y+d!7N1)tJ2K})i6@2nI71OhL4J-!+Tk^Mt=2CN
z#2ccz@xS|Eg#ME>+4UI9!PX?(T^JI>Myw8g%|@Q@OjJaM3e7@{NwI%ML~?1K_mzu;
z{Kr5&NwMv>t#jESYX^r*N_)Fi)!OJn7CA!GYDdVBnH8m;Eu_HpDktJfXw#Cm6YeD#
zthF1xH3TzET>xX3dmubIOlMDB4l-5;SZ~w0h1AM7E9b(GQ~M>e@}AxXDm+Oq+}5eTqh2%RaeJvjpP
zbYs#R_E+6camn;5OU)H{bzdE=lXodmG*#!+dTjF1B4A``lVRsZd13U(zy6G1t$w}l
zQ=C=S^EHQGdJ^rSL?Ba^d&Ctuo84N|^)4|Ohz_%X`;{&#=34oMqIY_49^F3G*br*~
zeQ1Y}H{p(eP>{XK<2(E}8ZMn(a=!7VIrl5ybi9pb^~lScWrqE6bdt;CUd>AJp_av~
zlvtdT@w?!6EyjoJN7oKRm6^bzBM?rnzG2}?phu&#tJOJ`^5I4xOhP`J1U^mmUN@cE
zhkBuH%Zq#OXg!!>UW&&i0JOGbBgM)E(Ww~}4D$C-3JUuYp$jgmF(Rb3T9yzF4hv*Q
zNl
z?am=VAX$IuF0`7QCaB&UO{gU#L&PS`JMiAs-i5>^JsZobH
zau5~{b~Nfq4YLPci{-~FQ7kjfWr}{?ooq4O)+rBoW!<~aKWV!)JzeK5x3x_
z|J8$ya(tsbC8ifYp!UcVlN5de0fO37m@-F?w<6X;w4GtUs@cE%R(C`k#m0a`U@iW8
zaUGk}`T+hRR6ZKV%-NMqY;q59d`vzvQbhn=lHc3ONXe%gVk
zsjw_HfPIP29@`PEpwL>jyZ1g-c~BvQYq1(Li%SWoo}VJq*icq(gj0=m$W?549{0d|+
zg7b{LnPv_J#o<>=^c|?NL_p?%6xy4XwWgI}B%xU0cmm?wQ$@qOlDy^Q)%V;UMR}S1X;Yl>yT~jfxXF0Ev
za#8_dm%s-UD8lsDWwz0#RXd>K3D0-=QA4V!-nn52eVWfJKcjaa)o+oo$oA=65|qTu
z#uR6U$YawexQXrE;PmS7N2q31OpkvZ5MT89xda7gi$NN!ll3rWbdPuGBDQ>3V(dB4
zhXQwN3+C8_Cr1(lD;GUG6FaEka9#STS)?Kc3gbJ4ymvAOObuCU$>HZ|Yc~F1Nx0Jhx
z*bQPA;OS2HICExd@`fBQLPY^;1dEfuK(L`6pn}6ol(DP*8w{ZGS23><%y@K@>*rX961#wuDNKl(SqtB=7@3Rd&ZqyN6;Vy8QS=i2KD59
zE}=nOk`GsMz=&*_3fMj+{fdOxF_%^T>X
z-O6dQ{nJRNK7E(O54R%k(peTYR{Wl@I@-bq-uC=Os@}xt5?62zk^9Vmpj%}9T|iX$
zg$TW-%m&{!&!~)s2*cL2MWf3_HtA-npp*i2LN*Z017ZMLshL`c-D)v|?JWh2Rw
zP1J5@*R-M#`dB9y4cqfSagnQ^%P{ZqIiBw;k2UB6_FXjT$jg`4P`6AG_y%#4%7s3i3UfV$B_iWQ*CJgA
zP$d2LhZy4Q%$wU!@gedNNA5T!R1Xx@i*kF7^gr!U9B7K?Ma5dPLX{7uv*0;Gus?yh
zP)~^*izv!AGfpw5xYxHYh~j!X7O1(8>`JkGsCnF5dJg!)=~K8l3+noIt@#QmgYZ5q
z<@d|$_y}COEQY(B&G#Q^O`bZbc0EM&7*FVl4uP*RT%YOOwMqTgxff8S*~F3HCvSM-
z&)Ql6>q4S9xz3hHtG~m!9lQ=)lj=0=xZ)E3;xE-A8J3|kB08jX=>Z(R)v?}
zGu`X@jeJQj8MHt~Na$P8;5zX0J49LgFm&8ntFz~k%s^
zbeT^TtA(+Iv17%Wlbhkm=2>#d)O1)lbb6WeYPJX|p4-8q!D97q+6?ef$i4Xqx>piV
z{WQWAn&ewsUs^Wiy$qV)DNg_R9BSY93*p0axAyz`)bjDS5Z-p9bSa83
zKW0Qlt!%1dqxS}M(QRY@R`s2ZG5
zV|KfEveWzkeTxi2w!=DedkU)UFdm?i(&H>E=Fd)%9^Fu_@bc>}p%g5L^-Jzmu)r;d
zgM49(3eD0Kdan9~&oHGP)FX;L$oeUIE9ZOyI$p1KP*fBq0sjdq8af-&O2&QZhp~(>l5ti(AsAA&t^r->6GE9=->wW?&B^b$b0=dq$(E1;
z>ur++;kv1Ws5n;YHDHx+xE70^$>#3pbLb^3{EF#G6>~MoI4nm(d&2nrFs#`Utdelq
zCTMM7)giBxJRb8kjVM%P^lwYq;e%<(1I7C2nKaZ1B6<
zr1IT^j#4e8S{iO3oSa4Ka3wp!m|sT2vGTTb=^`2Q9C$PG^}DT$c7I$fd)>iu`~sY*
z2<38wV{LJ;)fWAW-7p@0cql=;FG!}b{tL$)V?
z7I%FHL!pGa2Tn0r;^qfd9nR3zG*8oM-gntqSZaGt%w_mqJR_niMV^eJd7;Q1NnOs}
zjG6Sli+30nhFN9`+}4mP;hH>{QbQd~7I$~mcNX7&GZ`wN^RH2T)Nrs&aNAS!W#
z_%uo7hKs}jA&uJ{Qi6YPTH9Jd?=qrw3cK_%tA_sW`#KE}i}_%R1-afeu9_4X<3Jou
zT&7;1^rZ&NtB|Kxk@*>()lkv`*ea>*WVRH{>~P9#LVMisjJ)JFsIiX*-9yV$rATQm
z{S2;!ccsuoDz09(9}z(dS_^0#z87gW@@N<80M=rUM)j#ta0OY>--W5pDT3J&D7vSr
zVRr&fmD<{;RD^Gjl{LCuHHx2p82WCV
zGLN{#OJgvXM{5WaHG0S{?u?BX^(NFYHFr(&Q9v*^*Je~!g8pK8TohggB1x)R-}9rD;bu=H3gkOMn#$Nx8ebEs$AFD%bgIedPOMp#aGes?|5UonQM4~V2=+pbio7uHE=L(ZCTB`|uVi_OF@Iyz>SSbP35v17*D>A-F!${
zlS}Fe#m7X*QU}{TY(dy=+cBY&{K$sAd_d3H{0oqandQPbu42A@Goz@v@bF^$c6NX|
zb5H9n^T3beJZkEYIs1JK`rV(sWW`6LG_SMEKb&&nSuA0$c~wq;%OOkg%R32Sr$SKK
z@@p-4BiYbtOB|&{?-k;%;w$-xh=!qUB&q0;1|eFZd+jgGBVKSXX
z1)2&Jn2;vJ1E#Q}Twx%*tILoSj1O1jJTx%Ozifm7u~x2b(W4;g+@2`Hjz9F0vm-|4
zL+oc{Lslweodx5)b%E!6kKI&?U6$BjO}^AsiRGvfbNVB(mU=>%y^>K-7Z6P@abrkJ
zz=2MBi0ouOF^(@%g9DY0!X%x)Huq=90wNnC>#c(?Z}+R7%v5EXwM981)}ml=CR}AE
zJ5demMdsD|O*UUTrHlp75h|ZQmCqM@(FRIvyxU8dD!tkK=gHNJ!t5>sGFd!Q+uHa1
z`h?x4>jx`%Xn@oY>wVv>LpDkvIu38a(!H?rqZUuhk~79G%Q%M}9vxtTl_p$Wt(r5B
ztx?Yj_|6y6Z*i#O`!A~=mzCl9{i~#Hwc<9**?~He86%tRzNEUU+=yxHSTIR}#06k}
zxXUntJbqjsTFBfkHaqg?(OVt6n)r{<{%Rx%IJqKZ&-13w3&MD$!+NH^45JPunufnx
zkD}Bn%6gdd4`C7*>}PRop7ZE?P1Z8k2eB4b2nVdtvU}tc-S>@YL`gsMw@rgd&5}3&1@!0a9s|@JE-UGrG^(Y5u3p>oS0~{%=
z4^$r#cvK{L9xl`@ae1S=SvIJZRSqELuGlu~ggO)j{1_vTe2%w7_lK5?@Wp|owwZDH=O4gk7eF_>$HK7~Pk2$F!`
z5Jk=WzI#2}#1)U$Ae7gRgk26o#p
z3K*T@xA}#(D{uIo^($^T3Lg9@jb~09M&*|xt)R-dAP1GZIU8X|bGA!YquKp0_^lH#
zudh5C>6qNVuZ_12jr#&Q+pM`x3i9hJ)gygudPq26)?4sRngI55NG~BD$L?U+n4YAe
zj!&PDvcK^P@tmQBhjoT-BWgLC?$^T+Hfm?Bv0Av<$}rk|q#x?E&z?*iZYXI|Mf@tu
z=$M@#W?o)%TMd9(#r=&af{s9eg;g{w2jT5~9H##KRE?;mdyD^+=*-TpG4p`z2LB|c
zVgvI1%(FqxKAceDdc%1E;S^vj7K{{zBRz4|LE(8eH&bsAufkv9bL377f%9veAds!Z
z*X^5Cxme*$vQGAKG>ugt`BPf@IgU%;`$F~=pdZ`41rsV9#9Dm>G8JBtzqF;7Ub5r<
zY|hP%apNzbJkM4+Dc4Qxm=14JHh1;@-Tgd`7mVe0Ra&p>33E9|zLRN=270n5)8wS{
zkf)Xd4nm_;!;ZzTWC1IiM4D
zYL%p|7>Ql;mM4~oQ>Znn$+n>u-bSaDy%Qge!j?+RzPiSgo{f=SG(3Px}+=n{duow$a;digM%K!jRIv*Q;>`JxYN^lZYvzZM*Bg>GcH`=I(;>G#rvY^PtMbAXMwy%7gAs_wu^*G7glL$Ho`AEGz)
zE+!UXe3{fnUT>#Y_XM2&N6}C9!By)hBIoZ{6?r2Y$71HB_VYjo56ivqr$;3W%-(XI
zpE0^t2@!Jh*`4n`k-J9qtIeX@CVgOEqV9)i4!^n@f}q^g#g9-Y)vGjMgn`I^#Yrao
zkcq8PSB~#ztHH(V^&3)kW;qRrUGsI%9lCj7ER80R{d`n=Rt5UgJGiq`k;v@H!6Y)N
zcA9#_XR5%p>LxPO6qolyUXRR!v%rVDWX6Q#Zi!A#Gh@_N>UbTfnMGY>au=%=+!q4r
zY1Gnz`4`&H96>Tw1%9Qa^lomfCewZz@xa^93wjYKu$3}GHszua)4*A#j#;+bgu;y9
zWlrb#5N3t1S?%~XmJ2XOi>ppJ*6QiGRJv3Q99e~WN=;?BG
zF_$EM6;_JWH;P}b@OquTGaVnxOjta&@42vZlf`98P+Tb3O?WW=kb+jtoK5LJOu5p(
zhpEOdlH`mm@uO?(`@+k|6@!gq@!2q~;Mu7Q?^SMrZyvE?R1WzB^9)ODVKMMxEk+U)
zY~vyxv=9hI$rm*LbN&IPor;cl|Sq%pGsNfyR9S#h}!Wmt=W*D*Jk#Fb>+
zxO)~{O-wBgw|5pww(A(v&pR#t$EgH0$E2vDKQzTz7s;S-6R#3XZG@vd=}6dLg;cE(pCYISqGwgKL@o)1aT
z>TrW1>T8SbJQ!U4K9WP3xbF*|zs0K}e9zK8(1Cp7FzdshD$h5mG?TFo>cYiB)oc;#
zb9*E9==dpjq`53^*Zf&nByr3hv)LhN$9RiR!P4a7EI-t{
z!lmDNxP>>Mm$SH_i+U0ZA(=ml=y2745idcXOzXnZMbpG)Y8Z4
zpRI&i?`rdTFKutIo1Cx(ld(IeD2WyKFii(u>U%Z3sG+&J^Gs^{klVgxZ=@2ww
zDucemR#P*ZT0U3dni)tYTk@w)ttp_}M#;obOLU2QD{Z6Q$=ge4pju}DBjo^GRuC;%
zsX~0kY_|4$_JjA-GX1qK;j}QxZ5qBTj7(o-`ZIm@%dX9lOnU6h#p@kbkBdBeVhL16aY@O)&K&RUByZsOB&DE&`sHaeV1N}UDn!yFJ+CQ;
z%*?N?mlGMm3RmH`96WB$QnDo40pDOja*^>kW1y%3>goZ{B+U%;9QIw!PPaGcp}pU-
zQPLkr?pz@_kdfk|zt)J;+$OkVLkS=!vp-cevF|p@P=fG?*@wPK1>ZpS_AW(9U`2+D
zw|W{>w3jVy4Bk`N0-yV5EApEAiYW_v5RN7
z9$Fp6tnNIuW!a;#{!CaGcs-y^^XZt8)}u@S4gx~xqcvFlrG
zo`(m`2MAvh`|VNOjptg6Ne#F%>vx61`li?7M&r5RhhO?^E2cLX=i>MY(_HmIA^m1h
zWGlS#P2X!_u9>f~jpUDfhlF1P8O?^i3|?kXB<}V_>EebE)11)EAr-&(
zqS!t-F*Dx>?~ax8+^=&lm+Oy=WpNQ~C}=U)C`j+6@jl-~-(+^md*vnMbtfRYdch>2
z+l+d%m-qlbwRf=yOD39y`7bw&Kp1MacT?8UlerB0cJAd87q&&xshn`ha6dj`V=a_y
zJ>eMe=^K-kS=s*PL(VXm^O-r5;9MYB?%IrKE_0|zrcB;lq9rBXifpUYga7QeN|ULh
zfT7oJTRXTQ@MOb{B&9u|Jh5e7W3FXZPbFauPY7b>VkD!}J61aJ9{n#LUKuJ5!zGBr
zk$2CDPiccsRD11pV@$@{UYZ`~h;P+RNQp+7$C&3rMaNy-^
zgpljlZoTnTY+)oV|0-96rT&?D*&jMc_i~jMKY_a?x)7?C6baGUhv_Q_2!f!@ipcrZ
z$~i&&VJ~`NSu|oG$y>F3FPw_i)w~v>m$+@r);j&`9Oa82nfb29R-@t!&f;dZ6HoWD
z23TK2lBAxoqB;Lbyuye(s+m?Pf|tIE{bM;8v)!Q4BFwM5YT|rznHw6>wTExUH$ViQ
zH>8f|*#g7A6%|^$b1*bG6dD~o{Ln&gEta#gf|JkmYjZA#sDBPuqEK&Yhi{mn(4*Vv
zw=_M~vb6AMOv-hJL`fY*azS?9cB9h@{aqsKp8A(Atn)TT7`jwa!9{ctuRWvpZ&YF7lTQWKpb6-yhf?x60^H+
zmfAqLpHVhjBkM_=E=Lo4n0N{AE?$@{JhiGy)<=4J1yg-4D^=^+!r_Q$_QWg1lMm9c
zg>h-lOJ9r^T+88yfy~@kpy>Ifici_0w4z1sFHFcIvze6L1ug%RER$1Q2hURBSN4O9
zX?bE=K5vO4GIZ0_clm97%CT^GgSIHVPFR66O*EG-IA$sH_|vb%z5PRe;;#)&%7Y{C
zU<1Fez#3+F4AgTY%H`N;yx&7W@|EILmix5fmU^5pjhlG7a;FwkFH2IO#mj|L2fiB_+`x2cf+%tRjY&|yjrYO0GNb**L$VRuEr)M
zJoZYOr;?`NF(l5kUSM@>cJ;8%43kT4NezI2d`I&$)4E|#o8P+8uL{4>%OvewoUPdi
z6y)@^6JWtEeVZe_|G^F=&b5ll_je+p!kFD>vh~VJ#3MeWJUMp!93JP~F4?NSc=1KO
z8HO)8g7I4jRbnaHiF?rnnYKjnd1FO~`@=
zLgL$7A50BRO$x>hXCS9f5MLq5bjb>oM0rgb_S4Q1u;|5Z4_#l#exDq;p
zkJ~SOD+ZD^rmABmBzqC_r5&_&KaIM!XnbC%^SM?uqKBBZe4+d<2X9QobW#DxyJJrI
z$>EQ%LLXT9qvG=J^TZ
zM3HCB{PwCX6xag69P-mhcnd@lM*gN}SLK1sQZR;WI4VOhnQ6u({awIa=A!e}G*}(4
z^Qo~8)xmttgT?b&fQ7W6ZyNr#Dv>ZCHAxMLO3+AA4Uxn%g{Sq5a8U5!Y#3aD0t-(b
zL)YbM)OZ}&XGyy@PHLadXVd*L9|9IlsY9#1r0mqxkii$d*k5E43$zx{^4MNh7Gf#<
zFv^6_o#^pgUCM7e$zwb>JWA~nF2oalSh{$=jL(MgiyqH^G96$6;T?EuzwRS3=Q
zaAQU0X@~+~Y#d3*Q2ZV;D%xg9^cp2V7xCm$97rbm9xu|CHy$JNGIW$O!Db-cKAwP_
zl43g5PM6Y5@ex+|6#WDD@g^-seIieB2iy3nVuVUB?F=G%S&X%4lkE2pg0CH$c<$Sk
z6Y_glzSm{tyi!|a?J^g@|{Q*EOI?UsFEle7mhBVqaP*AYhmU{}y+5y{y%Y+Ll%F
z9meQ#F?HO#p!N=d*#~5px&#TvFF}wcP!%|8Pt;WM_geh&m>5(vN(C9}SnJmgbYxNL
zeV$}LS}qAUwVF$}2}l{set~#uIseW`MQMp2lNjj!y@jt677UKpLS6QYqxX*$QpXbG
z`RmOXLt#MXqWb18~G#g44!{^Olil6-5*G#btF
zj?YnZKgW(cysy*du6M%V*2er3wPC!qj~|6En(0%&XALdEsC_eQe%99mjo@w-PL#eJ
zP0nClP-t@^(0U}3vb$^~@%
zMmxF;Sv(|5T(9;06`fj#g>Ud9FMtdxb-DJKC45DxI`xh8#A2tO+IEn{Jkv7~j
zMm1`>1+4yulkierCi`
z^hVLC`A+2zz_)!AI&kxwCZ138vO|~N6Y(a&P9Ne!`cewBVF6&sdQwcm$aStCyXxgI
ztVFXYwKBAr)h#udr@$@ct4kJmqdq@v^-DblLB38;aRYQuvi$qwKtK_df{htBhQmbs
zkF%+F`!)j_gRGd9l{|O09%FmC{x(fo2RB0LEf98{=#PY(=aE0JmkWRQa0f@rw0ctS
z#L3++YJ5SuSm!@0X5Qe1pn^_4|8aI&mg&sEJfP-`okMgez>wr$&X
za%0=JZQIG*w|M8wVivRPs#UMLy6Ug*Z}=7T2Db8CRE(tc1vAUI#3HJW+8ZdG`2rA$
zxX0sGetpzLWGtR7kscz{YYtFPGb>g-4aa32*d$kcD$N7c!}c+}CWt8r+QDFM>%^N6
z3a!@~=Y}<@R~GhBEKW)kh8B$!%+O%XI$lx-%{9E}ci`vquVvwVQuYHW!8xFGT|El}
zYzB}5zJO208QLvHoTT04#!NQ1bSpZ$Ok8m;A3opsl`4a_Usd{R#&O;
zLML5|B2iwG+$YhiQ6_u>TWG|Rti=2a(1wnq=zO=4JmHIy&!VTctqv;L8dDt8&3!##
ze|$u?KHd8*(O-Gpn_VM25k~g)NG7mHS*L}hO#EW>2|^O2em+_m%)!T#>XfTlU+^@T
zKysKS-{`?x;0&g;`IewYLa~n1UENk(Ykgpn7?Cy6*kKG(q?jb)kn=X2TSL{mYQX5h
zvTCYfi=hf1H(>X#)0j`Et9-y(V+cx`rrbju(_&F=oV>oNSSOZ$iZH&;t@$ZaHyltpCdJ5BfXVzc{%e64qf8U
z<}(0B~AU^r_WuzA3Nu^lSDxo`;f{}8kB1(0>A7k?SLI(
zV9q6BPigH2`RmR*xZ!0NbhI&q^ilNZvna9y`#q8Q38xZ$5gqo7(+~(E!Va{5OI#8^
zA`Sv1bfZ@Ta*}R&H3@;U$6mc%63eZ*TL|p01}uAeajJz^G;`XHFYi!*Rh*57q8M^$
zFkao0D|hc~&I|9Uc`%V5lWUtU>n$QYgi4%k=Kb(ztn<^^kmU~ccy#l?L
zUOKbV4o5J2Op1CfeAu{1u;kF(NydN6m>X!&9&qDGY5is8P$Bpam@utyIue`*wPh3`
z%T+Ir5lm@OZO<#3Bg4TTp~Iq!B@EEx3@(vzeDye8MO9Ub6J81Ahc?XK$iBvHU
z$(ZNdTQ#HB?EbZ6D
zlQ7j(?6Aa7QV3Lo%uZUtnCqlKG*cF<61hTZPMee0=cRVnf?(Dix?URAf6;5P6_5V8
z*K{JG7>1>Z79hs
z4xRh4MJY^!YJfEMQK)8_DN~+2<=F7{UXKo4)wg(hp`kBZ0`Io%qD>jm+8J8{xWqiK
zKs1N;lepkE2~1tluDj*;fiW}L6Mj1UiC|o3BPQdFJIe{t5}m+qbnD5Jq?1J+q|_l|
zd7Ls=xy``I0d}>-_=7)_&oVp;#EXLl7?nZdskv1UI>(S+|5w-5Ou}%h(o`%m-j(*<
zG6S@1?^j1mlRJqX4OakKoM4j4aC0qqwcf=xZU({jki6N@;S@jreRX!e5J&@xP+{Bo
zr0rhmXz)#VU~A(Z=4GeaT9&B#C??G`VF@W2$C1o_Eqn?CgkT*!m)ZUa
zB=^bIUx4nn;l@mdq=_~aK&YHIZ+E*YV$*V@21gObt5`iHr7xvh+hO&w7Gv51X}!kE
zW3~h6%vOYPtgkdPc?#iA`&@{FATioajK3Pt6-6@cd)B@(47!#?L!A=`_cGv8{H4%M
zGd7$pbk6gCfXJ1vzU~UKoU<1iqi*yZ+-M>QS8@=mxA#((7~JOP!60*dlhKPA7=%PH
zxubMWZj5Huztbac)K`dA-CF#CJ5W}a&KJOrou9;_#0nYkbsK@aPYh`aBdZoo#hp%4
z!@*DDJd8Hb%k~y^MKx7YflKoMp2fF}QL+7(P6)h|$n`k^3DqVdv1v<^6X#fexV#68
zow-fH=#lZS`?57id4z#%<=}%!bFbO=y+=4k&zX0I^DRUOU(d*v7Sy+P@*hU&w~x2T
zlkI&*>5A-(^&}M!%hL06C)Hp5Oyr8uO
z2e6TTLmHlO1w!(4uUcWTUx49Qem@44R}xnJj;TgwGg#*@z9o`N0l=xI?8mXgEF}ju
zRijz?h+r`7&tsn5Qb!;vMaVl
z)?z6!Eu1~f%gh9%<{euDcrre`Y=CAfI1sTQX>oU1KQV#E>8L^bGb8>0AE)PZZP449
zrXQC3ZmlaK&w&=SSO9)aj-*qXGHasaoV@+Whh`S{iwOcy4QPJ8(B^W9~vo$i@
z@+E1)mxh{R5AZ=!?n=XYJJ2ATLD<0sjTZ_HkS3)@0licc1*ly4baH6~1F?0)FDtKE
zKWtExi_vGelpdlK)~kmao;E3pQ2wGO9L-0)H$CnJ({EMWBx#g4><_F|C6fCM
z2nuJA-BIJ}(Rt6bpxr*djHf6un2^!B<$JeL=
zhQ$?_aB6njVU#4jKD?559Qb&e64247fStg23x_I54t`!llS~fkodW6uP{mQ)QnGURG9k=jk$5KU>;Xy~Lp{R%y#e9a|
z*;VSLBS{2Ii+eFdX*&rz$hC7PTJ6QDn|{c%s?SZ0Uq52Mi88L3YL|cXxKN@wAT}RD
zUe>hEoOewSTI0CE%vt`Es|(=7LYmama!&1>6+gGN4G=xriZ&t_hP^Ff4e3}GVkYP@
z8VEmDIZ4K|`17ze?Ex~#b7(5;d$m6f<2FO7?Ki2@!oBJn3%k5L26q~{TptMyEexlR
zpBaHxU3o#4;-ptsug}|1DYkK4qADL~ZM-;D;2SHxOh7%3uj-qQ@r7%l`MHluTHHDH
z>|5lip2M_cIhUP(D@V(cw!}dl)X>$ANih?&*1Xl_8(Ru6p2ZfPDexST_AAg1?n`MV
zRX6atv7oW$rCnhLjWQw9*e=EQ#7%Y4T*^`_t
zjyNn%%0{J{2|7ob^jz@2%Sh{mHYSR>E*;PcABym5@0~%LK0m&5c`LU(%f*{$q|qoa
zi>+XL@t1SoxcGWf*nBCp)VWsPyA=A{fhEM>O3X>epXYZr2OVEj%&cRNe^(J()8>TF_p=hBQ@z3A}U=^ADy
zk%U7q2V_pJ{#SqhTkbWuqSc3C(e
zjI7dhwpAOV$iK>(zW%L?-;(=ttHxL~rDIYv>wC1hVw3a-rGxKk+lkjwXyb1rGL5OT2_)))8DjTWAnhWYP*_-HON2`7(G*nb3Gt6-Q
zijHanS1n{Yl0#A)V1{`U=2q&7s|0Cs>m<1|d1qh476tF+3|1vUS0tP8$-@}FcsYq>yT)voo$|bnx)@Zic(}R4!-<*^r$G($Vq>+>e
z`jFuP4o2pCxCso4fbf$9yb9|Ju_73|)$J@k{A4|o;n*;}K7>;|
z;um$^FcU@Mr&3%)URSFoI1({P(Ot7CFnx!w(WkD@pN9cpRnvL)H7{vYc|J+0ay4kk
zlj!X;Skr@CljHF^F0KUOsM&;l%|-2Jt>ZRRp|eNMg>_Bb=4V?mW_2JH_Zr~^TTq7h
zwWbru(f|qT?=5+kFr_EUa9{0~db~(t*X;;%WVL;oYnADhamBFkKk^orr$%JW!aqd3
z%k0j8e2aP!C&=q1`Rq|c=zK3ZV4p$!7Lj=s`mH@Tq`8vF5)D-n`@~4St1*n5uw?Co3zl!(>;#*DW{NgL-)G}@A>N-0LD!=
z^+TYlGnqcad$y7uIGOfC|_Qv}6)M6vX$6$K^edujw2*Q@@Rd|I`Lf9I|1L6LYNlka2Cw*AM=
z8Np+|q-PWSUqe+D5upJiB|F_-aH;{#L#QcL#PtAF+HK1tqnrCdO1<2}W7GeOh8bGk
zrSTJ13&Q)9twGMJm0zBnU`My+3W=DNF)?3wUFmr;X{_LTi-xaFvHCUr(jas_$8y!X
zRI2cL#G?*SY;BI}NVv^axKxaJ%Cr~0lDvy_4}-Qr&5C=#NJ4<6zhc*6OgRd879&)W
z_(#OLG5K5(t6;d}cfJ8H=>>i^Y!0+fWG5D0!Twag63yK2g~8NWUS@+L8ucS8PQ0(3#xHTPYEJ5`!L=
z^PW6J#nBWKPW>8eU`hkhtm}ItaxeLBC
z>`M-biz0C+i7WaU#D0G;Q1!pM6QnDvc_cdEd7x1(Y-x@n*w!a@LNex
z)4f)Koy<#OKveQsnf)I84yTzKJul}pZd-1l`Q*>7-@D&eoiy1O&7&y7^V42ZyEzoX
zU;ddO(1~Gpqqs@015Jc5Gu&@Wvv=0o$+m=Z&t)0YfH=QL6Ofg*GJj%3;e4?LNFj1}
zLFWjDG)A9W-ZN~ST9G6is#!k~RgHCHuJzrJ
z>K~h3%r-t5>%oy<%tYAzXOb@i6U|meEo75iqQDz~uzevrq8ka%;(BM;r7^%Dvx8F$
z_X!5F+rPA*qXwvw6qKzicHuEh1dh{qg6)$tKagf9*0_#aL6
zn>riVC_$S=8@J1Yxp=hwDu>lk0W^Uo1j=%ETEZ`4GTX|SpGIsdj$$MZX-JoS?sH4k
z<}q(85b7tLIeu>=K83$(^nPd&#)vaG@7Y=L`ji?YCQF^tStq8C|LbPZOH3>
zQ!H=B?*5SnLu~D?=|dy_dCf7^p((Kshh|IKVoSm;O2&I3c{gA?xIrGm%p@oz(P!qT
zwF$Pp)4;(^&H+bEf&~~OORmZbCTDRmhap5Yh?%PzE)}Rg82{2Pd97L-n=YBdl?F)u
zJa)-8dE8p1x(Nzby-JEcqA7fAi|yD0Ik}gDe}OQy2;s#jMbZ8W6;X0f`tMQ7{2;-~H!^sg1;{-K%T
zRp^@kAZk2b%sd!3+@ZegGL(TYM!bkwno$QC$TUTA$k6s`QiEVbZ(m!$rb0lE6<0<7
z?)&Gw#`Bv?L=>qfYoBA7hHCJaw=%2eoK>DdjOAYFA61V*)?bC-@xF+67MjcG(Cyzl
zS%|eQKTa4a2G`
zpKvnrsA0De4y*fl_GJHMBD}Gr8jo?kjQ<8N%n+9-8XapZQ70%4IK&c)ClYSst$?Y2
z2G+=t^*4tANXSYEL7elb4Y|8lf(ZI^#JKE!ePUf|whU0qWUur2TCiQ+GL}BB9@Txw
zwA_s;#=ti~ixa$(i_DU_zHC?&w-}8qdp1dA#Dx}bqLn2SrlQEv29gVM(@sHZ)ayNp
z-#+g|aVAuTRWW?~@3oIdtwnU2H*|QsOe67FW`E&UID?3jT8y!v>KW#l%TtyHuhL9)
zKnD1G5T^E$7iGbSBlcr)!tCHCM54s#Lr=S@l=D+)Kyc5^v4Skj+fDRc0{bM)4IO!H
zY1H^{k}Z=7kJkPweWUb)fJ>1Ekh^pm|D>^l2RL^cJMIx`D^vKW6hhb^pv?SD10po`
z#6{%$m3tk6+C5ygp+}Gq9e`$3pBIx}86o>|NF__Z;T3GPEeXD{hnqj{_^O3%LLXMw
zF^YqI=m&SvUyf!nYkJ-2G+yjTITq1{5mzU+KZwlJB}>r&D4WJV
z+~naXAA^S!Q*9W$Yml!Y{e;fJyO2j_H}ghHVA5l1BBBA
zWh!z2Tkw{q-!b++zpc7*zK4ov!^j&_4L}9s9}{K{=&SWI2Mt6xUVL$K51lI^1Ixfv
z*#qr28KUezC(&iY+Pp_7txQ)I=f!3D(FXT#*R>b2mc6dXlM9jzmzR|W5W)3|3@~I_
zlu)@iB($7LPU|tA0Lm$Afp}C_P$uGee961zR|l=^66CdLp)4N&eh~pR6>(6cspl;`
z)1=mRgCrPLW4Q>TrSsY`E)JQW6zZS
zTN|rWm8FQG!Nuqot+N+PXaZ~99ad_`&@k+?EK;Jk=@R9zNh1M!Qf6){xX_4q%py^1
z-%5RCe0*DE(8D_)3j`N*+&S>Wl{pmHtJCOy
zjb&%HxN9GtwtLLSkZ(Av6YEcWwxMEBBYUn6~KNpXbg?ocGO
zTtqH%H;N!tUmCC>VK~M4T7|o(xAm%oV)WA0%O^f9+x%^F8!RLAuEKR&eCgI#Dse|1
z85788)Oogn)&LFDxh68LwUThUh)e8M6YCm=S-|udvD`Ym2a!k;hKMt-5l7=bs?SQi
zYB*F#w-!c8F1PWEl8A!nSUDIn^h~BSGL20Q*%v~=(xq;N4o}ii=OYg-8omPau)SOI
zSUh-?l*UQO&0ppw4e%g4E%9x2s=vy%xVZ7!x@jn!aYZ8JjG(i-bZmUTtyTG6*lqJ8
zN{CfnHh86P0^?N<9bIg8bOJi{8-DU1djw|dkCAQ4LgErwKsQl7bJsmUlKM6Ius?YJ
zb3TDy#onxd^)y^3=uiGCPk&{JM5|21tk{#Z@>FR^A~e2^Jw6Y;=yoxQpgAi7^kdlv
zWkkb(ddXb!D}7E`cBQ)*aY(|NPPYg9Zx+9UdveeW?_t=a)^fxN--1bmb>*2=^%~wcd3b;E-IG^@K7jNF|L0OL
zD4L^pc9m@?+3ESCIa{aL0r5h>f}7uu!>RwJWx?Fo~(J4yJ`p7pav+`e&R=7Gy*UL81
z1kzuX4nCAKM#Fi<5iOad$L^YoRTU{COMhAV6;)cW7#Y&j!|PKEq8*KbgP?Ao=RfT8
z^lg-Aup>EK*TR^d6?}TC;CevScWXuyu|+^Q`iz~-RJ*1yBf?uAHF$|1GYgTZ^1r)n
z&$A+qt0{7bwK~c#Ywzp^)E9>}P*eVY`$lk_<1+DZNo~hlX8pyRVS1V!Nkja@b32@K
zUyxYWr>rlp?AaHfXqDV&PmvMoR?)xI4ob{>8uZgO+p=58dJHFRZ
z8EsrMF+x(mw$`*a+OM6S3zW^9XIV;NteQR6r9GEVbROW_ntLs;Z4bZYrXYwjm-r~`
zm__bhB#(!7t^PK~Csc4jAu`9B_=CAhv`5ve>h(@_C&!@0p*M%T6xS+I6-`qU-)&V{{z3y#L3D0U&uNW0W$*!3&($t{~N!~%*4v_|HiMkx@aVC
zZ}7=TK}xX05lFZNIlD=}0tmxyZ*LQ96B6n!5D;!JEYNO$W9NPMXutaQ`t=3@hdxd?
zmLc84a)NTvv`p;*Ht18j0J)-y0Y0v#P4_qQ0JnS!C_w>LE>0Q;vTWMtrGBq}Wd
znje7xZAM~p0(t=I$e{sh{g638wEFmm(fnH!gw-i8|k%4hok
zrwG8!!HAB*A+*h};T%Jg0G31q-E8OfpQ6q7T{SQ=c+)+1Yk?pZ7#SOay1Fn21;SX*
z1Tw}r#sq{iP!C50$p_m6`d3Vdt(XGTV+z2QLn^4Fsw;v@R8mw@S1d3HK~-^Wt_R@$
zghiECW_FP93dm>(%HjYl<%3I9R#krgRDt~sxnnN_rzjWv>irY|@++H+s)DStpp0l@
z_|^mV2i*g5wg>sP{nXzoCzt~8D;HFn#_41GWdTso=HOhvXJTyc=wQm^=H_Ay#GS&t
zuKwLGGX-=6X$!=y28fpj&u6{EH_Wz?C3NJ{1o&0mdo2Yx5+D=M7T>!ifxPR@W<#JP
zltk!U?2Ql%w*Syw{LtSA5GT0f-_XF|{7IrND<%Q2X9Qa30NX?T^s{~#fLcI0sI-J}jPGwUi3b;6YA|tjbowCwaN{*(
zK)bTMeD}LHCD2xG
z+MUSa+GMQQ47|z-Sorgc49iIP+mHdA126@U&kJy7`ltV?bDMwhVRPzX6DFa5a}mxO
zoPoK~6~r@W%0C|7SYDhMouF^LAM@<`z4eeEkqH{T55@QZ1k-uUQ1GX$<8KWnM&Bbn
zbMW|Y$B!9E`7dWVOT4lrR7mwfnUxjjKgQa#pY+GB
zgBTlu)$4EgS6z5q->yytY9Ab%*vjuQFsGFNmVc=f0XcG%pUPL7=EgV#)5k!|$%?>O
z?w66$uTN$*p%JvllfN&2I{*w#w$ATykW6tz3hmrHV&C{<95jUDe(#%5@$WQRA4wez
zZ7Gr5tDo3O9)p86ay{kP3QpfdKO}>rJ%gjTY3LLnH8^-*5-8I`sX(hA7--*+IkanF
zF~C)JP8Xo50r=5w*7!J}0n(4n2l@dJL&T5Z764fTe>iv_$&cO8FpNRsTaX5TOrjqG
zwZG&A{2yQj$zQ=M0J02zhy~pj_yZ7z@ozx{x(7dm;HUw7kp03pyCK;9!Y6RSHj3YW
z39A1jF8-5v`4=kxPYCN@XmZq#81LV;i=c}m6BhBwgUj#nK`iWGGAzZdh{dD)v^6!>
z{jzX>m;}NxxiK;X@WxH${4zLyM!)KmpKdE@ewnlZbAE_(!>)H}+Odjlp01M24
zT0&(`ezn%t{j{yEf2t!xFo`P9dkL{c;FRl|pLeq}2xk{8vE7!1jF_G(E1?}M?PN1zYoL8KUX6)2mt-G90V-ah2*~Q
z5eaH+a%`gg`1z)P3x|LbpufUcipk#UXwcBcgsy+u2zjrf3F^jw*Zf>le;a;IZ<+)t
z)&OyTJRE+xlOOT1A->Gw)(HnTG`WA98PLLqe`W{#h|Tg3`Dg$7t(yMYfC%g5jjZ^Q
z3RU}EgF_pS`%O3sq@FC&5w!JN6Oi~_tuPF*|7ik(8~c+(gX8Zv4JCp?
zu70Nv8ILvN2L~8D%&(3sj$A*uJ0aAvdQ1;daQd-|7>wfb2`$vo@e4}Wd2k=bT$~6#
zx33TL^Jr1~^vU!%>y`OFd-&~V>+x%#N)BF+dPh8l;yCzCEwTgQn7r+rPDrnb7LNPy
z*!z3_Ee<@v{~FZWC@Rutn+tP=P=T>VaN*F<@Wt1Xz4M!3`B3+{!hh>FW_9Lwe>({W
z0O1UrNkIPvkaY*D>1zo?`HV=PP7zdgWcZ~TK%GyC4Br~hH!l`UpV}!1heGpY_cEDJ
z1u`jlfALQ8xrt__1h%ii|NE8sWb(D3qG`T3CcYB}A*voE5(;@$EnF+3&TQO~R98}D_U$t>HmSO!Rsw%Wj
zH7X)Ha!!)xLevCppO5=UEU=qO*o8`;i~lmIbh-~9~IRpC0-YBnqt)4k52pYB-()`7RD8=T}FWY-KK1?hjwT90mvbyi=J5-
z^gy0fi@DGxjZ=2ZY2T%{PQ0BOruG%u4yQB}mDwu3K;&*N)OD)DMC9|O*e=a8Kx({<
zN4oQs~p{4WlH^!Ou$0K@Uw0JZ%^UgTu~m9{1tGBmAa9JNf7hHkd|VJCo63lKCnWC
z3XF#aCZflrr|62vL5uq+IEYi(z$6akaNEtuf;_URv@Tl(YQf5RzFKN%*J4?_lY#U*
zxx0~XdFQGIVcRERD?u(mp7EVn#S^P123`7;?$A_<_q1Drse{$IcnD)Al{sch{eVRK
z6&|8WL4odIN>tl%<|V*i~Ckd5JHwRa>nu
zHldmX42yfFaX8cWOLKhr?xptJ)N#r}x4=pEe9WGOY*@a?+@$Y$E1DZTQioj3l-w~E}4n3MZ;^X
z5^YzqXys?5(sw=UV(gYz-jK+JjG3^PKPax??43Sq^>b=DV1vx^>USXnoEh)q+NsFU
zFX+j!{d}UGhg}WVdN1?2II=~g)nJ{VFevbPP9#tC+khtx400lJK{DA`bNYdTcH9#2
z?YHs}{$KN+9Yf5fYhVv>Tm_Ivf<66Op^bIXY=}s4bqtIu895xtWN12HjL)_)GhdAh
zA%VJayjTaA6MjY&TV`yZ?y?9VY%i+hgCJhxgsU!C~WZLF6H
z1&Dfn1tQx7tlveHg^te*Ys0UeyVRsiqu#y~#@@$5U`$?#9I3WWn?C(vq0mI`btc*~
z?})^+93taVsqojTgD5A&27s1$J|Hvg-A9k;X}LtgKQ-W5F2r^@;X34zjGU7@p1Aye
zCy*5!li^p*ez2GoIZ9=tl`7Qei{hL}
zM55>b55E`B41@?gUp4$=JY8Z+vU7Ck_nEVhg3%hThB
z8U-S5%*G{i>!;O}^6Wn4le!f~?gTim^pFPIk+=eXIlI4rq7;mignjhe&P
z>k{$gO$5K>(q-!`&T_6#;iCf?O&^ACc5A2{0f2@#45V9Hz0fav*6zWf{D~1)QqCQEr>~?yuspD1a_NUC=kw)k
zAHsgMZNAr6#VdOGc5SBoXGPEH!nY^Fr2KHGHT>+UwJtY45WL-zy)4*_=xOXz&7-Z4
z$4#^O*zvL6LcMmC@OR%pU49J&A1U<8>8+MSq1H=&O=zIuIv!(VLYj!W!Q&`eUoU>1
z5LLq&VB~t9nL-Ed$=ul$G)I9FH!^O=VJ`Ig(+bGDatMwY4%T+LW&2Vkf#PTfK2@f2
zcoS7^U{~3lE~R;F2*~JmNE#Cj0Kx&-^qPKEuXsxD-jUVNiDX?|{
zF|A63LoeCy-$z_)TIdbbmpU;wM2}RqiZQ6rX`&Fu+3P$aT~8}RRo2&E5Zn&UM^*0{
z;n>E+kYN3lH1upx-fjopF*@{5TJf09_)wW`**Rs~rjFbY
zYiowhIjrXaf=PN>Ou{><1KO?lXN6Xb+Uxkmyn%9&f9-x?mGrCD&Todadw?#ffw-Qm
zxj@1&j;s>!`@d$;>Xughvtx2ju_}?=Pz|YhBE;*`$
z!PMcm$5pmamqALdu;4H)xPMPV4waY?9Vp-QMP5XI!ox%LDZ4I%BpA!m`&(45DZBvX
z1OOEV0zVMhvB*3*;@}#&E$xn!hm!%>v=0&`<8P`3bQ-rFp2dqc}9zNRbCH5C*fBVz@USqnZewp|+C;HF^zS=kKg_Xmq
zL;OQwY}952t1JmHR_`btTw*~c%x@FbYWDme+r9V-O3lHIQQRDF9&|bx%sx%5fot5P
zKMA<_Buz~=hH$G(=gy6285|Qg|D$p?fx%@3nuj@fjwT7cA4>3ps>WvUSZE
zU_4<+dZO8rn+oES|!y55m(%ja(B@a*8?{6jVy$9Oy
z7G;)tU}RpDt_j6@7{_I84#-}EuUJJfIXjLt2kDsTO{Zaq1x?|wOZO3=JyZjYdz8(h
z0i(H7u`k%esQvzaa}|IDY*W1wDT_$NTVP#2oqWJ&febra@%91%=`xb+iE&&6s{yp(
zNg)N|cFC+FSX~P6=X_>5yX`dVgKbD3f9HUxRC_WDUx4zT>sE9`O`*;~6QjHbj#pd)
zhE2I{z(u1@cr9szfJqdC_jO#AyM6yg&issobEbCIJwP{0EHAS$0v(|}FC&*7BQcB#
z20@%lQlXNteKp+O*IZ8RmxAkC$|*Uu_dwb{r!6^l0M5U!2)vxaKhG_o;)mA4k5W^^
zVc~C(u?3u3g*FpGex}zCz^<1;B1bsYneCs3f9oKNFEOATFf(&!uh0$P}@8W*D~$5%ckkq>Q0#TwWJ?H5AZ+
zxsE9qwn!`vfo7G}a6=?L-ajLY>MH_kI3oS&paN)Au?aGp%c~l$lD@wPe|ocpjVHlB
zL|MDzcI^3jiJoGvB^qy=HZ-QoJIS}CPG6*tR1-wEuG`j2BVFC+;X|a>GNvyrD@>8W$>&Szu>?J4G=%
z^$>W=ik6pi<^ki0DHuDmN1~QWuw@+6ERFCS(ySZWV79Ds-(R|&PIO*2$c
z^#go+!>_HYD=Ap`?44%rH#q16WC6t2^bg0RX#ssLk9tN2cB$GMHyQw8B(95^Q`POi@glq)d5Krn@$o2oK7@-<6J^
zp}R*tj>=qgW50Po&<5@^ROadHgGMdglSl;Z^-N^L!!-(DhF`$g4HxV_@3rz27JJoq
zy{4ybl5hZ10fJ7gAN#L~bRUAI${k-7BKJkX{@`Nph@xAoSiE$Rn5*m}jUj5{8`O-O
z0m*#tKuf)#dHrZa?!GYS7?^Fr9??D82t61&Lcr{gP#DVaXDN
z(hBZW)UFj4eG*}5J(g`Bx`wW@>4jDdI2Gt0Ho|0ZKr%AkIM(0iYt@|2J21!{U$fE7
zm}W{Hx+TrX*=Xe@m=G0H8{;OaMl6NmKJq7LnmCNB+h`_;@GPL5h6SLb+a#a~ex7xR
z7C)MkeBqrgl92ST@^_zt$cGtXk+8cq8|l`6CCiZd8Y=>d%MKcoU@N?Pfo3)YrLwRf
z95gVmwZdfH4XNtH&WWRj5P4}8JtGRL2I`BQ6RWf1v>5ZbyM7Jz%5WMQEVZmdj!Lse
zd-hu8R07bq7C<%&SqR}s!{tFdQ}p3SRM&jf5*em~TFpHNU4LrhUnUjRKKO?@YK4XN
z^wB)RO0zD#ydN4&OwXBa9AL>k8<+1Nl)U-7se%Ud+_>P|UoRuxbUv~I?5ufMX;>?Q
z8iIQC@NYWb1H}*(?1sWf5%&oe*>sGGzIbZ)&cBwapJfX$8F^-*l6X^FS|=@Q`EE{P
z>XHll)HW=4-K|LciP7*WpQfR6)$9#@S^c)TJxt)f{_0y*lw1~^jU~ea^Mdi6e{R%*
zso22<{S^jdVhP4vW96D<^EP`;hiP@a-N~ul5}6xvldLLrYd>Z<1*?x<+fC{G+uK#-
z=4CX+62x+O^yh2~NIXLi5JpW;Mkqny_XgNG4I7(EO4*&YHiDorhEJWdz}0)<^ZBM)
z?UU|A#i1bn0@c$RNhP*}7_Nii3JrApsAKA*l*nr{s=zag;-XD|vYIn+sM8(4R-p*Y
zoC#k9RYS;5pN;DS^%V#$5HPi4)STUBK)XDjo?5)gBn?2P@Q2=JBIb?Cn19+D#^lQ#
z|7u%6Ry?Lu^Nre-0+AZfO(acNOPPZBZF^gUvaF{$M;AUafxm}x(?bR`b%=_sS`9BhG$p2QFW|UNI2|b_^YtHzngSjdi6y^bB
zBPSa^?A?0kj#uOuH4MJ{8IUd&ac}-g31f+-lyS6@{zOkW5(NZj6=7x#wsPq098b@{
z_5?*)`CMeZfNHshjEUdU3&_k;RP_+Y)jR#93WhKXs6j=j<)
zZ4V8#C-6!grnOSn`BE|``eI0l{p)R*;dEJA%D&XY8zyqWrUsTZgkH;qX%mu(A9XzZ1=7#UQghp?HtZIQ-V+G58!8><=S>x=a(NkBpSpok1{P(Ay{Q@LcKk10k2N&>nw0zFk{btAhQy*D9_V+1*Z&?p*duuxbh8929aNk(w@$41gUFZnK<&C&
zJKo>c!C?iu#$E+eYStsFIfnZWjaH#obhj^}OE6P+1G+tJNt0XZ)s$)Gnb45Bf7D13
z!iqy&AmK8g6Q-Rw+z`AzKc^(!ht^k2u*(fcDYgCh~lx(*!R4E~tn923cIy(?hrA|qC+4DWqUDk&9>`P{=OpjGS
zZRZHj*+bSY{APKkidZ5mTeopo`7x9OC|2@vPgvP5-Dzw3OFvXnt&ipU=LyG~ek(Jt
zFj2gA8~XS{Tj}Ck`Mf!hr^$3zNL{sl+4%f!#C=njBE}~^+WBZz%(l6BmGf(vNm-UA
zu-3o%`o%qB!$ATi-||GQU8OR*lv9OC@{#D<0X%d6aoS=3&)tneJMHz_dSU}u*luR&9afaT#0klL3B5GFXU4lhl|`ZmJC{#V=hTd$;c*4M^Ty<2*oecKI3V=
zn{QE!-7l-G$d#yNlGkCL#>vpq351T
zKpM4~t(ynUfd^T3D;NvkjF%v!uv+np738)VQD(4R?ve9p6kkfFQ$<9fl4Rg-OAHw!
zQ%P#Gm4xXni{5-oPzsq7GCGY<%7MZ@THXcZz@mLn%*z|%*-zhW>(!Q;18T1dBq8?9
z{ph{A-r5hWEfk9jxGHs~MpHg7u?ieY&@d_%@3K1&-P;rA{?(p4DW3_m0}TT!23jqq7clS@Tram|2b+fOnO8q6V|?
zQSoS_Tw&k3tBDRw@d~}$;IZ3)>CR9#@H&1w8G}@0P876~Sqr(Xz4uQhVjko@=66eo
zTFtry_t|IBrD%%LR9OhdPwa$XeHKkp0uK__#Q6ilm1HfPM!g*Ne{wj^Li<#<(QYXp
z*Vzi
z6yph4dF1ROVg^Qd{Ig_z*(EF)1m8_q)q#W;A&6IHE9=S`8qN_FxbI+Zkq0UQPZ+C{
zd)&GoKHO0%Ds*zkP`rZRwVBs|(|FBod=R_L*-IbM9Qwqv5iTEH^(mcGO77!!S#KX$
zrC`vT&EyQ8#@43&o3C|MVzn0g
z(d=H4hsg;OU-JrsG3JX#P(F>m#aEW
z-qUKDjT?yxFj`b!6$N&kc{h2;7WD)f#e(LePK3r-_(Rp2wF2Hy1tnPLmcuzOI?6@L
zKRjhoIEgcK2S?84?M7M|I9UuZ2(BTnvSQ{QY|kXht#Wo9_e`HZ?b_lF3S?je(+##}9
zj$HiQq7^9^$2q!4jS|xoI$aMXu2#{nD03{nhI*C!z#nu%OMniBTk54UOtGLfTa#_C
zAQA58se%FVOO|Ktt)9*GyieQ(kLZdFEv@TJU@l8-+prlP=4n*BxENI~_=Z(#XpSZOP|zd=?9)*m^Khp;K11{E-uaT8Lomp+q`@
ze_9e8x=xva2`|O41gd7SktSnB^kt(*dAyi$-@e}O;a>Xns{_d!c--N@?8QU*XJ`@v$0*r_1@pZ
zbfo<5!!0s-1ns~WXqakVVv#`57J6;rC%5Fz!F-~Fdv9i+`aOX6)h9VKa1(W*Knzz2QTYqcHzpk5tPy@-DUIe7oe7d#+nMjXnYt7QF{vJ>0L&nc
zkmnbDzeqtBRA$rxOtHlkPwzC%^kF_Y>|GW9quOLiDbP&?<@Sr*0j49zdqxXz?YAbK
zcUG>2e)`~7QRi?RR=h_?pFN}Afx~n0#8#Xvpf*A#+?TARQWCpy=x*XdJYZzb%wH%M
zN59~0Hy#uav7$)ey6F5
zT1ZT50q2M~!{F(}VmUqjnWx~~!SaQd5s6B3>&ThcU85q8E!))@&h?|?wwf6YO!N>d
zjO!b28&9OSes{#z(XCk_?8{QuC)!+l-vL#O*Tq)vV$NuoC-Zg0W(&7#B*v0+co>%Q
zLTeQboiDQb)>n-Mh*z4>eC%BN@N22Vjvr0ih@*Y&F+kifx|OjGfy9_aw3ViZ)Qy0m
zL-vsvWw|F+SWy|`<*Op2pqx{s*m*+I?+c`#Nu{g2eXM;IZhMOIMTn4v3FrexbKHV&
z1VSC27MmRwJ&YCC-J#OU3z(B!21#rG%izy
z!y9PE0_C4k!nlV&l?t6L^Gv#kIB<$6HM&MHaes{0$ESoZ!&}}`aU%b^>8(==pf4kP
z0dT}k!cQN+e|&H3iVdxPP$`0PL~CtK>}361g>My~T464a>@t^!Yxk`-Xg1JEfe^m%
zhvG!}Wxz@tEuldpPm&(}6FW*aeo#y{&G!pVx})h@8Jc4y14&P%{17<@eBY)aZste}
zWD5>m0K#4(TY&iNGlP|llk@XN+5k-O?vRNZri>mI?sXunKH*lKhd?@r+(Oj9C|Y))CJJC
zb#ey|7h~~UF2yhO#Yo5ASh#nrd9{;GcBM)MU@iX$+qoJv2A<^u5EJZOg
zm>LNUzA{9t5;zc558<@W15o;kC<`g89rwOGReJlxFLy0)9;yFT?(dmP2XaM8>b
zI`#!jba_1Vw}DU%ozb#eD6ktF2-UE+(H2-avMTUe(d}hVFWN3YN>JEq?)md5T3#v|
ztDJa(p&pojKJ4VOG6aIR8SydRG9W1Xf?q9^`^;Z2iWr?sTroS+o(%)=f^}gm9k(fz
z`!d}y`|lcMVM58z-}m)2KW`Jg{bhQGj=nsRPOC^?E$37VbsV}tFV5uN{83e+ix_hi
zr7=V_%@8-`y(x-Ji$rPn@Nq$#$Ay~N(oW;eeO=u551XLgs7$71#j-$A+t@|lyVE0;
z16}^83Kcgu&?Aw>=aw+OA?N3LC47=_;%%}lkqvm>OkC>O-`pq+$zjEU9D&a+Bp!qOM{-u5;5v8W!RRGF
zNa-~~4GCnK@J4zZGv0ubg6QH)D?7=G8xDhZCxVgG%AWnGtw`&4u{O&$MLv_@MYy?o
zuzKG-23t0st`!Nh-;sFA4DG7{qn_(t;4W^vRrmvuhec~m>uNoS_HjFFXB?GoMUbZf4fOK?^g;$xZyi@Cy)N4}mcMOrSS`v}pUQ@z*P^@Bu
zhVl)MWES`aRTc7D*|A)DJ$Z7-I2-qiOj@n4kKr=Dxg(oP+P$l%8+2$U+@4GH%n#eS
zxjNCdU@7D=Z$0Jw?gEpSXI4&BU$Vn4gDU6lrhem_>hN+x7-`%)LHU;Kg@xb5Vnj!(
z!yj(6vTp@QC>hF^$!|mJULSS-@~b~-%0_L9zDs01sI5m<5R>A3fi|GjG+-hC
zcUAT1m4BZUjmjs*vU3AZ0<<&j0}tn$ZtNWf3Wd@{&Ba(X9xgedZ_qu^rFA>nMQc;c
zRC@8Bee}uh2%-IPv@2yyZb-6O3BS2`iW?Q7)Nj{>st%Ld;y)pFLamWBN;_@9t)jlQ
ztouZcGql!@0VKc3QmF(95b*zhd_hePnap}Iw0o=QW!8w1di%;|CJ~l|P#57PdMv3rj_~!YWc<22Kfm8P(>LZ#xtEi07q;b^8}@>3vwgB#Bhytn
z7RkdnkR_WrA;wes{@rT8P(Fy8LQ;kN)8t7UT4afoaf_nYR--&c<18P-0fz2o@p#0x
z(8Q4$mX?@W*Pwq=bK3Y09%cGfyGDsB#-3mnSm;w&O7l%_y~E_)OMk5QiheSIO>HEh
zD*m3u^hs;nY|P1|Z*5`RqO=+5iXk)~ACE|2unTK}qn9dKYG|WM^=oaY@=$n6kC5#&
zRZ|9Q2Fj|Jb%uwmprabnknh%l4^VBgC9TW}ylSDBX-LI9nS{L)iIpiAI3G)1iwiZx
zT~Vnftg)I_lFySm=gRB^ij|(J)A-n%Wep|8;+gmsv%~i2%WXy{xMtTLpgnj
zO$-?gH8!n=8p9M)veD)1_t~;I)WTt=BjkTXG=rAH|t-1
zTst)2ea@B+3gaT+?sKe1waW~)ZOTdzg&72C5Zfsl9!xKjJVkVDY4-Z2o_f+r)*rme
zee_Wr12Ppvt&V@l
z4#AY)AQ{Q`k2WND#3la>*G&=oHTQG>rt{_P_6`SCXf#&`LBd$YDo(8+zK(zb@7eZ-
zkE?g(90FT>{06;Y)|3NUWCL=;wZs)k-^~TVQUGxL!FD7!%jn~slS=5j2S?%$rm&mc
zD1)x$BNj(sUdnOL0TIoQ@4K0B_snk^69%i$*1GAv@lAc
zo`0-akKWw*f4$}I=AeZiyYPFKN)4gOV2!mNfkJ3cZoLh3zr^Y=>>r}6j3QH$ppsIu
z4IK^MlT+LB5{sxl9vSXGz_-I?Cn*+6{Kmgd%4{g`1uB^MyFuN#5j(u#z|t*NsSTSe
zZ^aB0sy#OHnwe5wr-(NZ`zWb6=hz|!mYbm6HFIMps&|Vz|2M`reA!eivdm`EPdIZ8DcXg@}rg;`>A$FD|3nqv+5RI+|M-YIo*>+Wd>LB
z_6wO{Bz*LMa5o+4V5ilC)wfrg+E|MY=J8m5m|hEpXg=|s;wiQpD*4d@P&1YZ)&=)&AdZ4NaI9#Rzw0M%`J=V%8$>b7Ea>!k#nr^bea$
zsGzf}*z;>R*{}3d6eGRJ7PwfT%0e@0YWX@s-zZ-gRwK2V6C#@ly35lVNXk
zG7@tgbG9yuoTIMOIdAyUnVSX;p6ZmR+@aY;5yG4vv+Rb{D!g#sVMQ-Z+qPMw=xCSF;D!OxdW9`Thzt>$VIQAU#@*2c&&m@
zg*>bD27LBQ4OSp`0mDz%n_P)P63y&Tc7DGHt5kUmkI7)qNT)zYA*j5-DTH=mGde5_
zUN|hmj>j_lwe!_w6@|7-OOQJUBC9h0qs3|YeQ
zE(87S7S4e#G4*8w*QBmlHHN~sdpR6mohXe+L-?!IIPzr)K4-oNP+Sj4Of*AlbmAK=
z9LBZ0Scot;YDs&lEUTW#WQCkJDe})p(>IqEaa6wVnkZmceme0QwxPkDniq9{5S1`L
zjat$4v3Z2go@}~-$663{)f#QAI~6S(8icz#GZ^54kUi?<{!`-ODWVr8-avGE#$Ya!nR8#EG8F
zYy;xbNdi6s#1xUvJbk8XGTNMMwuFE)G@d*WxGOjJx*fe3$L$E=8P0kY7*u1rH^e$)
z)bB`jcLF@nMp&BLXVSP2Ma_g4Qekr1H=a^EODDqct8A=@@wgqh9+M;E%_|5IXs6~;
z$ukO=v@JZH7Q4s7zhdZTpcZW;8QENNtOnyOzPh5>Y|IF!9tPR;dahn~J!-Ls&V10#
zC~}YrbM|Vkc)Ye+SguLeRDI7Lyvqdq>hBphE9yNDEj-?zVO)A(#f*x$myl(LjTDH3
zQOo8+(Q{mia;Wbv9VihSivwK;1)9#Dyj+
znP2HOs1zkwDJ{t8obs7>FY`z!CDUg$HcqicEaLQ@iwg7(BD}{A?YfsHAwNFp*lj|=
zj8$VRGJH&QuI7=AT;LQ*eLmvLtYLhj;q0zU5%5E4O$sIw0(yxkZ}>Z1ekRZwxN;8m
zk%-Xmle3K)%L8|LYhHihs1yGhyNNx_gDVTnwFVn9UE~)tCYy8Hd_jb186Ns#a1y@l
zK#$$@b8f$EPX~Rzt8s;X|K2g3(Nwg3C8D`g>Qz6s$n$Wo{sSL3R#^Nxg1=#+48kNY
zU#8`5?5lx02{mEVhYfmS)pF_JqZR=;O-ZEc{@L0Wo#QrD7RP*~if=m%^>GV}Rj8lu
ztr*BcN7GgDbsPw{?akMjL=ykyPxM74wzipxG=yC{4evQ-mmOs`EA)@eH0Kfyjj>2c
z9!egXuLSlh&{m{{LYIy%_Iu4^Kq{MLnVLpSBVbW^R+tvE=~DxL>eBQPW(VR0wjLR(
zZ?tM?AIXvDj+BtlhMkw!Jn2!n?HJqQ*Nt$hC2lX#+4?xmHuY-|H->&;Va?5GVsxL9
zxACSw1QrsD@^v&C;w5d@eI2ZjE{8Pcq+tg9om*Vfh9zS
zgpK(P(@O;sMsePGA!%mi6oZM#nnpo(h)anGw(SmdF1b2kD`Zj^AFi*AaFLM?o~)+=
zZqqo(##?NSb_#^E&=fp(5vLOGbkzvlm1%|AGmgwWZ}kUTlhb`7YvO{PaJH4z!V2Dh
zmyaM3I>8^05g
zl!<5TFFmnaD?};5H7EEQNzY6-TCdP{5Q;69f3O$)s??w&sl2oWs!;gb$AoD}8YGRt
zSF&1?687~%(SbCzHeF&a$_{%}Nm2b_c5#v!cZPkw7UC(s9ng9&Z1hXxqV9~udS3&|
zF0!EKkdZDhDj7ON$Nr7g+Zhe(H5G(UWrH=1tl~udzcSrK8l$h$3J`Y}{R*HXixDG|
z>2?jT#SO1eux-08>RxK@=4wB`R>ed<};$>r8W!iaj>C#qMDAwvw$#IO$23af<R7BvKSr*yXA2<fe
zff0{6_Z5p&l+jTYH_E;AvTTf5nu0qvLB
zdm6*(x&Eu<+d*8v^d+Qk>i)Y?Kpgp)`6`$9(7#S|S|6S1NOpcqQ*7|6CS4I5
z^jAdf={0h6%k6XR?JP{IY1gfk3gSVZSlWU%cbl)7aKaNrjB{|W=j7dR&`Y^77~|S9
z9KOx?84D?ET@tA3%8HosdPJAm^Ms&_8c=$+!TMoMDgm=D5
zE$?e^z&|9k94GxzYhW@O)rYLum&qguUPxhadI|Z!&Gb{X2c;vA$eHYZ>Oi&pRj(0y
zbxxpEC7invRdRbTl#GDA{n23Y7L4;Hisdd>8l^x;^g^eUFWY(C63?_7^bNTaUhE)23YDbvueCqXSn|S)S{B
zHSiN0Bk@gQDsK%w*$d)cs_Vf@;dj6x)K7Q4N4^enzfYrd3B-6aqhp+tjmH@t
zsfD$`ji7ODqG^c;7GztCtT}7-@mHMp7w1LXxI*Q+h#=qEs|}8I&S8~;MxQMV@B8Vz
zUX$;`LDri(Ct!O(I`inNkS07RQt;E!C3tT3dItkk*1ldTxE03Qb`XjYraB58_0kq;
z?yDvG(xn`)XAG~9eG;StlV1gcZTQo+WRQeJW>kJ?aK>Z#H
znq}5yeeF&~k5Z=HT~sf|{rO!axiMpUyq4u@n~AX#|Kr4ECdD8nb;*LA`I==^l!tcY
z7krc8KrC6Pn_`%j?BH^aHI6K_8SlsewY`r6H9oTR6roFcly9A=0c>Z4*Iqf@n-xZz
zOdfoJlSP%1FgH|Wl})O(@KY}wAcDTT72|0rkrGTx
zPdjCK;ps3<1{0^b&Iy{{B_g<#wvP%?6ttsIxhGiHhA&8bM0;Pv(#XCxDo&IV>|H~7
zQ_`s8Z*&FJA?Z}kRqt&&zZJQ-&VDk9UTE%JUztX#Sl8s&vHzxzxrvE*H?UvlMZGb0
zZptLxYYlK5aC*hnX+y^?<{dKT`XGHDRf`kN6XP>-;r|gWE~^m}vt!K8Y_2%sHG4{1
ziG{CIs-x78k!8@@ZX-#D4I<5q;ugaTplGj~2^d7*?t{!a+Mp|2EUV>*oZD^;jXr`L
zvYO&_TZNVIM1#n3xc}v9DM;vm(Uv|bDz9^7{2_9DQsE04`ddIXb8p#mO_DY|;oWgm
zXDqLt0WR*3ax*Kbu@3j7b5p$Q0X(vv&;*^U54AGEE`_|}grL~dXw!!2^G|i>q$V9s2T>D3w_S3Al7e+S|CM;j45}0)t#G1fnB?mXvA&
zmHoYfB#}S_+)7k&9w;kOB)>M8FBPGo50z>ba23yeNgO}ZV2(p_qYfq;1?SbxYY%sR
z_7K|ui2^EwSZ6)b*~ILi)`?|eMp52)HIf?Xo^$$jE#}IOFaweK~F|U0Qu$E
zpOTHSlAS{sms0U&1!v8cw5_Hdv>crQUH4AI2ZR~8Wr~g?{bcxWLU|2~DakX_`L!h9
z(h$CxkN(-HCy^XO2usL)*?LQy#`lbQwT{$GEhzbj$G2zMh|%XcPdiy^O(3v@xJ!lB
zb&vPdf`6PY8EfydMLz#^md5`c&aT|$coM0H*-|F@QPKcdO=>-Lq
zx?1|;1LbS~y*hUU;g9%|4}0Y%!aOmZ^vxk#D`U)=_R6GiW2nz*g1DX35B(}RVG^!4
zpGwO{J<$tf{dGqD)#T63W2JigFO)S`d-=-Wp@9%*d|0^xJQ}d=gUuHUUmKGMv-Q`V
z6Prh^BHF(MU5C+hlD^l8ux3NO-SWT=uEy+&-RTcTvEPfJ3qriCw*S<)EUi_I^pOpY
z8Y_@oreLcrYIJl*7Z?lPL(lf0FV_>UnNtT;f{QV)l4l!_=(r;5RiB+`%Vbty`VXZL
z>VtT?8t%v%T4H>^&udl8GyR~}*+8o^
zJuirvgM=pfIv7VT8K=Iv>ZXeT-@vw(hTm;Lx8ZrRPt~_WjxnD9P@yISvr%|B_Wc_h
zl1KVPr(lI2EraiIm_3s5G2vgXop@7HB&xY|G-n0uqr;sD@U5lzwy}Y;GL4~!c%*_;m)LSZ=@PTmX7nRt4XsKikIqaP%*>6{a}DZ;X<+j$>+?(_19pc<~fsVL<#aAK9_vXfsN?SZCWNa
ztoN#XzU%BLP`-d=u_%JYlMCEA8XTz=jH)O3jM%TrUR^55sN8qLQzJIjwp6}-4j8~m
z=h1k8htQVMIP@ZA-ki-EDTmT2+`!4cq;z@=edDa1lF#(%L2q|F@I!R*n+}3>8RXu{
zrnBubVb69_AzoF=*Iu_K^cpozo4vaD7(es=APk&u9b-j8Tlu~wC`%sjG41Guc0U|V@{Wydi+
z_`>->PlY0L)TdyDOJ4-jHgYjIe1EoQ2Sh)AkMXwPdq*9T(uXif*m5Zg1T;W&MHsx$
z<_xbTr~@G|%@%r}92|_84~$hr_av~MvPSpQfR_dfNWy;oka%T}@rn6(`}^7ZW)x1E
zhv4l^D1!)kw)jc~e#d70f`R_+=p&$V0QZkpyMY)_LROi}U&0S`^Dc=2
z8`2C}eL@5DGFfE4a4!v1^DOF?Vo^Vg-w)Tgsd3kg;0CWxopDO|npLGW9MYXr*ens)
zP<}I^hdX3ec&f-CBfa5W^at!}v+;{yQ-t!`Y8D{lD7`Bl0r{c}&B
zrqb7y3^orWl_ZCR0j)@Lx-1wdXO)S;s+(B6OrVZeF0(1FJ&B5Jw;ABowA*T4zp4My
zo?w}#DLEL70dQg!u_7@j-}3Rk&)i<3ZGr?ijCP})+3`(?x?63#^HSO@)EbKV!c>WF
zgiAi4klekzehInT#PO*1EcCSd
z4k0y5F%zd4vIai9b@3XwQjOeuw|z>Qbq6q#$E%$*#%=$UqYH=F?tN0jJW$H#-Ln2Y
z^RT5)rt%nKdS>i`s9BpHi}e@A$hR;geTg&_99@A?#XTZAK?xY`CeKRCW?b`xiGMy(
zR>{H#^wH~+Bs&r>@5|Tdrw7E`?<*)^-INVEl;JK*_@IL5JXfy@p2O;BtKfhy>9%+w
zALJR!0vdO@ryALeNC-x2)^A>Wz-R5G5g)xP|2hm_H)Wsm~HUPX@RePdhhgA@3@FPMq?+BrOC7ZNQ
z$l+@f*wAVe-Xm;hJ}_SL^>a~1-L*j9ZfTZ3OF9(F*?HRNI(m!qAZ;o>OqF9+c#0qk%lS}+9
z^#n@PNQ60h+WXh>nYd&~D4emN)x>iJZ
zJcSPF5dIG($d%q8Utphp0*>$IQ4dY~Msu7dk}(XAtcitXelP-#lHo|UK^c}(Q)|Hx
zf!#kHi#F6mz09*MS*xymvL_AIL&*Tu3q)qJdD;5Ca!}-mRXgPAElrz$#NpfuGySzJ
zjhz_4yp#I^Fo5?ha_4h
z^Q;d}@uP$0ReKl>L%|jC(d1RijM9o3Ocp7*&4?&VNxY28zq|32=bAT~de_3y6jlQw
zSvZ;mMTNm(Wo8KlEe|MTC~~zOkf*YfAjFva8E(D8=oHSxKDOl6n)NnsF8={izaEby;H|E)Bk
zD3!KYfF|B_`bL{GrMSMMt+w-k4lD0WV1r-?{j~&+&}Iu)i>a)aC@(Im3J-IulDxja
zHtW;tU}RmHH_b;&pE7-5BDUX#($a{!GwX`<%!$s6_gNmnf`E!6yek?dV?g(Gz`)Id
zqf<@R`Fzd@ykSyJM7SvAylvhM7<1|$gj+%`Lv%Q_G(ti
z=_z(%ES47RB-N$k!2K}dZjoVm4+0QMud8$q7F@YGlSd%j()Me(H6j|vu52WsAyCs^
z#3t#hZ=6l`z2A(&i?`bqxF+Ht!gMgs?e+ZQYXse$A(3*oU5*}dJhzp(sqmc^X0i>6
zb&b>3FD2-NDZ>ivBbi~;QPBrOuu>Z2jmIAK|9ilj_SuMr#gTrf!_h2eq{?lT99S{<
zBKcUNFbU6aAWMY=`-r-gHk#PIo`}u5{dalqy4(4~
zmsUaqy5A%;;S5v?8MHshUT2VI0IXThv9kkAfr8@1xY42IsR*DmWs}6X<1fI=zvSZ2
zbiJ0M`~EGbHX8DJJV7%y%58v%ls0#lmZ={dwbDEAReab-a7U5rn;!e7^Bh+o&r&<-
z=+WS=ViXeHN~ie99VI>a!9))5%BZonlO-ni+FJCk%vcyST!_^wXcAi@ubAgbK427|
z!vVvEkDoQxkrh%6+*A8M~ZRDAK8$1`vX!=%J5z$XV|19lW5iB^YSBa&4
zwyIh@F$}pYI^6_<3<&?i|6Htiosg?hcuM4<&
z6YNhG;@q*)wklTtx4U}zg;vcr=l%UPe>B&48-4V%R(oepZrU)Ep3rd%4+YCkh9d_r
zn1twV{Iv|wdz@$q?vVs2%1GVB3$^@I7C*>6ES5YM`J
zP=%5ic)Ie9B^C@CRzUu*B^L3hhC=zV?NPP|AH$zCZW}7u=HgIDm6jbgF(W{9f;vhk
zTsm7m>UCetf~z^hmx+Lgp*h}^%c^cx3CuJV9f*;bc8q6y{=DEijy77x;Yn6;LV~Y6
z$ml8LlpIn$f=14K4Ea;wf%zlsa)_{cRpUjQ|6$pvliC4y%C~#5gY`v$1uJ3E-$RRE
zRL(ZUDo76^
zFRV-R7X=W2#Pb!-_qqb2tqDEULf~h*n9q=p%~LOz&eVR=@=Zn!w&Xw9Ml(q5*54Jn
zx^^R>K9kuy7Ci_A*)O~<$q(LfU15M9;fbqybuggE$szPj>rbW-cb(;LuMTc=i+`+(
zn+|57Btby0+e(#)vZgN+0yV(8;?xxrv+FJi94Ztk!EqM*o$R*z=JN7z3_8`rE~;&4
zX{JC-lrH{J%PV#3L%Vmxr)toI@
zdZS6od{dGEzTjkcgW>+o#_Yb*Fu}!ZH{yeBxK4SH)HHGFGXD6)N<*B0PpK@G~&d~^5xe8(3@XH)FwaNhTZqFfkP~iNHeO9
zma-Emm|=A~31N6tCg}bHLm8sATSv-yeCyZf){zxt`&}uN%AcE+1Xq1gp2Uow)8twy
zysFsbhbybOI(%_LEo^f~cB8s`U@2vfN0NqYcvVoG)pUvQaR}L!h+;$f5071#5&Qq_dh<`5Be>(+xKfA8U)g!
z7dp0p479-NlX`q2Xb?*IDJI6K=IK4elhQLi{00xgRO7eAbhldmp^l@o;modwO)NLIt)G{4
z&xgfukrI=N&zrK~5r_N(TIqV2thH6pffT&XQd
zAVNJn=))e-?Lzp?pt`u4&CgL9ro=h5rr^OR(^}#mot^~g4PciO?e5oV#cHS#i_T)8p6)$jP-hH5zPCNzwh5dSZ)Hb~Cc?<6
z3zw-UuKyn&r2j(@Sj>D>XtH_}#NNixaVrr^v`0t6k@a!b;O&V4`44N%Q8GL+QGHBu
z6ym<$K@6O7`HI|!6AD@qceCf7GPrAoh4Ke!@~nhT^D6{q4>9#*@Y8yn!3yA5?jAT~#^DDp-RmsV$}RPZ@qb`|)uV{4s{F
zK8@TS0fa(FPR6jbE%iC<6<2k!kK1Kq%HqX!NZ=SRX)ah-6Se&!|2~paq>1`)JDKe}
zNnktYsv;7RyGkUBK-o2Vv_L1UwNA#Ld*?of+=3eRJE`z#a3!~$-az*F082~DSww(F
zTwU}BVM=2TLRqVk2rbVu=L!meeOqCdhDZNP&EUcKc^=G*pCWDX5V&|Z~;ca?wr8JR>uZOtld|_@mJ+C!Wr80pnKdK;d*YieNib;=FFL10$yAvY>xFU@t_i%0W3Y<RG@8kH*K!>n)Wpy=<$X5y>
zfOROwR`@iWB$Q;+)OWyAcRVO5bzQgq>dEApzekk%GLvR%@^??lyx
zt6AP~_S-bP&Bhp)$-J@C+1HktR4sGVwzChJ_TXIWH-WsGNA>>NZe%G|=u?+_V#v=(
z;PXSD%opnbA%0UQ3KoGRr(vEwa*-w8zxu3$v)O1B+fL2(Lv;|vQ9sbUp&*!7FG_)-
z+Xc^A1u$yK6~o?iI0i=H2sj{8hr;Y>IelAQVyS!01CtXK=ZzVUw%tXXL3=~T@8hV}
zJtB6*BWW|r2*n(1|BtF0oPX)tHptXfeH_9X$Osa9*|5o!o2W!x$dQ#yoX>=0NXcY9
zRkIK;7l6H9U9*IWleQfx)|ndJI+hA0&6NAcd{@4!v+=#t)4z)1Y)JWdcHzg#F6^$l
zcRpD_1LGI`b*B~fOMlfQNBAySIX1Q1*jS#Q1JPZXhX8Bpmm7_9pt*4bWugQEtD=D|
zwDLXIXKuol5=y5X@UTN9c~P_UELj2DD$b6
z!{JF9nKB=?Nsm}-$m3${&SlvoG49s}b)=P-K|Ph~1Y@zpC|8ja>f?4zwC;I?n`R)$
ziovl9;D-?{dMjfg0~{MzAcuw={0!@-?>v}2w;X|wdTf3cGKp;3({-!KF05iWRu%923x@j^X@Qy6`X>k
z=WJ9yx=PPJ>a&K^Q=4O3R79E73Z~OTW=k1&M}zZ{vijxV2jWA#GH}t?m)NE;lvr)i
z8U~fqUh)Diq1zJP7rxP6VSu##Ng#PoZ3Dj$w;h60=J@)0$lV`Jr@NBwgc}~y0V4AX
z#(;ZqOP4Ln_u0W4am(L3oV?+htMe*EzHFT8(gkx+JBS2*ef)(6>}NKE?qGrN^SHHY{DN
zjE&0&(}bR;sz=iT_LQ))LtgNUk%iSa3TXJzuw{$-m|Wir%udAK82Y`PUT6H|}*`GikIurt!S>Bqg-fRCN1GPdBNE9FfFt7O5)Z>DI}}
zpi_p&k~$4yJ^+nd+ui<4)|WW@JB?bLW+z}lOaVZ=#=oD=5uVQhr~m)Z$B)QXxpUb6
zlgzR>U?yh5u0qcp&d6sKBdrBk^&k6qEg;5mrIf
zEWzWdcq*-1#X~2nQY?!~di+wVK1=wOFT|SzFqT6>JDPP_GnZQYC4%7II8#A%x4S%#
z_~w|@B8u;cU(eCq{5oI@HPbHpQ4w;%)3SxmFwlROW7$AQH3#1Z$K9V4iE+A-6ljB${(r$orj6y{qXXv{z~O-P*kk#Jtl2gn_w6P3eXK1&+GTdnagd!^9=Kkcr297frBW%;>56b)j7@011nei
z{W(;5Q$N?9(xdT*T#m#Rc!dfq>7~1GDM!IP;$xQ+|~n7OCUbWK=eb;
z??l$ctfGdEhld)Z++8+6uQ^HI-b??QqWU5c4&Z1#BU%jqAvIt@hAd5G-*S`E2%s2H
zT+&FjHw^Vl$FSs1nU$vcPK+EJ>Tm$|Jf*ujH${^ImG-{z5BHrXkNiAQz8a?|jG+)e
z($oc~rC@HwMJj3G&p6NJ^$hmsUDCi^<=d^==Qv+LM2G~(R33E~hjw%pH`SHeU)D^T
zYPQ~LP$TNQ{eK>0ZVmIVG$7eXS>-zK$S!Jc0`L1p%dA(arGwz}(B2Pb37!>t7B9;%@-Rye}%X-yS-zTtVyOx0s<4q7E(nm!!$35&peo83y_)_1~h^A
z-rR@-pP&U-N(JX=ZSX&UvOY(QTD+oXmb+%x_Jx~tl;UNA#yzBJ&-K;HLAv>ZsPN?s
z;aR~Erbdk|s|2&GtYMgI!>>E#G+HIxVQI3+8jf9&`Za}WihUW8iY3?=<=nL_@MZ2N%wd)6wO;o-
zOm8C!m!7|TW773(lh*0`I@?@(>+G^#jNAz_1KaJ6RnL#C2%D+J~;$Siivz{3l
zaKP~B9lr7nsS2d9lRO=Mzx6;9pb5z+YBv>=bY9dQ2;sMoE(Z(Y5B~!k;t4RqbLv}w
zT(5LLy-gvS*+OozAK!lXgo4j~HVz)tB!!eI+_dcMebRzsYCQ)8O7tIce$;RP
zRP&_SpOADc@Yv^Cb27Ac5E$Gjhqlch_eA!$1zG
zgn0d$6gnMn5K|t*hKs!~%-j9(c6!ccHNJ}7@<1l-9R`D$iTa)LK!-lv*46HLQ_lKz
z8A`Gq9a}U?J?%TpmURvbIo!7glp%ZZBRVUE6j2h>Xh@PY2qHJerpnQPkRVv0DOrZ2
z-`NDHrQ!c{jd@HVAiH&sqnuN+`^Qy~>Wgkm?udN$kk&
z^Jy_f%M`sVR#?e68Gm??S>+jIx}yV6E7e7!CPy#(iD)TVh*VD~TIq0`##HO#6E1yA
zW-|Y6QwM9xf)6oKGH}Li0zWrn!GH}r)sJ0709!z$zwohah_9ieKbk#^o#S{W8~j4J
z3n_X%u-X%fb|R@U+9^8)%6FKx1H3O>0Shba`)P{fg2Df{itmA
zZUZkH4M|25n01ImoQ0=(H1=a#r5p!Q&u%l*_P?O}6SOMq+Gn>6
zU4$Ct$7AZVIzTW|6bDPvx
z$|=r3LWG+POGhg7UdqVF3F3lc!F&s)uuLAi>2$85+*>sXDEqdm{3L|~sz3=6!)|BPa|l;8(<2~_Eo
zeq@6^VrllDc@rJ=8d0&3FJ-npLOHMIc=w_bd?#F6m4jeMYJvkO1JhA@mN1?I*7lhJ
zYbsCTD&U>-^I)#;!EV6>+W)Ghd0o6hk_&bKLXg{vX+cbGJV=7=Nw9@+MuT!AF>RZb
zYjBOx7Pr)l7M}*@0??k}jbNp5Z!Q1l`|gdjuI3fHtzT#u&I+RVnA^>~lV(uah;EEi
zHLF3A@dwH6$&>=VVas_R^0biTTsTN63AhKRa+UVbwkqJ*xUG@XaP&eMq=sx@t9hqT<48d|>yHhcw5$
z3`x>pPL_z&84F`Om}UbW?Whldh`dN}NF9%)Gjd+p*WJ<@NRf>LFXY%|q?+uuxI`Tt
z_$%=hP_iC8hjL@BhklX>CJN@SBoGcOHe2|dTW6QOqdS>uOQctPILOr6VNMl~Mw9!)
z5UIZFn35CN;QWxX86vzu-fhgpI12jM8S^#|QU&?sO+(wpB|j;U^UKF1f$({~Ac7Nm
zWz^(<)E=U%X*-T?^$kVSk@|uO+6KGlm)pg1*B&Uw
z3K$~6_kLact!@Os1S1qsm|x*PZ#XOMECVzA&FMC6-}$axqFyj8k_Vu1)f00(O$!<*
zKxpTekpQH?uMA9Td8AR>*%idlLMAccwzsl*hJVSa2K&W>Ip5wcbom{Yy-1}PRN4LL-nB6Kus(nL7-LJoDC+
z;ms>iBVy%aZ$I%kok#s0`PWByNfUu>M~uv`JCZ_SC&}DO*6(gyJ0q|1Q?yHkyP(%i
z&9mLO-lB7E5v>1OmAdk}9}NwOJg?kbbL`{ZxhJfqh;T{>pbwj$@y^XA3aGi`6Li*`
zA@BrP0Q&Y<2F-8qo#Im8U`SiIgd&y{6mI}3-&d&MkTVRT!s7#$M>!%;ki>qiU5L*_
z;#l*9KEhWAAc_*Lt%P;KbY@AM*UG}s80w?iC?VmyeMY?xmayqlxZgLG@h;$R^YuOX
zy$N&199M}l`)?e&u~i$N;fgSfAQxFQs+c_Pe0r~kTaDkpQFBx_vZ@>hRq2dZT;shi
zN)}Qvn6fVRh$8s#64AOAdhT_ho7xohJVtFD-%qadsDF`aM`yAK{<0|3E%+5vtsF&3
z44Jn~d+7fE8_pTVY-&>sJED6o2e+LhSEDBBrOA4fB4sstnS;8H(&c4Q03ilny3}b+
zj1Lk?9Rh*LB^B=mST>ZZUtEKvN^F;E=u49s-x=)PMYv
zF~wIlp}Kda0zr{|1YwrQ3*T!)-dCRK8+f1l;B%UR(1|)RU8f{b4P^;{C-`_5;7I&!FF@>^OvhpM|3OGVEuxcK^L
z1d6=-j=zZ#f@ji{#SReg;RT<0d(U`PpjrSmF*~6q95SV5`h=92VI=AquAO`6S|rGF
z*0s#z=k;OiAxz`%S9)h=wFDMXM+8ro;e}$6Ew}nA~c?ulr}
zN@>BDdcxeJV387Teyndm@!)
zrU3N|jmfylN&nY|ps(hCFsr$h!gStcT4;EFSHgbE^41T51rR$f>51gC6jOHVm5v&2
z$Xmx*3wT$_o~&o#vbih(#QLq@qC
zxibPIw<(}Je(HPG;}7~7S{LtluMJ(mc4#&pgHuB|zgCo!i71Fnn9ED+V0VdF@O!u_8jNK!|*QB=KPQ{5X`aDC0svJZ+?%McNl36+a
zRy?39=iBZBie@ANzk{(t?%TizqM>;bKHN~}jx$*Z7YfV0p{Q&5T
z^&o?4$Mvx!vrK#j7iSt9PrzMP1k|oGIla*~
zna(^wu#nIz;~Bkr{YbCt)xESe80bGT+wk>Ag$;JPmbD61?iVCjKWfsM-kt-cvh5h`>A=3D%6}9);of@^E{!bZ>p&ERIqA_gb*{1=DB-*joW6J8>)qDxM+6-
zvVFZ+LH3^3)FW~yko-)ABIrWOxk?y(p8b^cb_gL_aa$hrexS@_-;c$TJDXBkoFgex
zqep!>U-lYKxR8ngrsxsSF+c4$TM59FE@3Oa(JII84o
zmgj@FI0xQ^{hVJTHfAQ5ZFo2@!#>U`NKP~=EWZ7`-~xF^L8HwH&MRE?c(a;LX*owJ
zf+#V8`G7fORzrO)x)=RDLy%RUVjeqm9Rvn1b|0|6X%sKyi23SVHxk0N0vNm;tsmQE
zX%h(EU{_^VI3(^Q>BvuZtD`cwW#{k-dM5rvCz&9wNz?v&NAPViZDzy{$ZxcD#dJ+5
z0&U%8{#oq=81~Pp4G;EnywD~X|5W9UyY5}9tX38Tmf-@#Q6vLm?NJd~)KU~-TB(Q1
zqeyCfnrS|U)9I7fHSUGd!So?t8}{aL+|B5X=FU}5QWvc_iP0$jP{Mvls@%htmh1u8
ziWQlr-4@)tuF+7Rm$T8YYATMR7u7$pN*L4CagVFJf7#nz@4-j4~OiC
z>%+^lEZA|3EvFPM_ou5%hR;Ja&Qup_#{dZhwktnXhe^NQECXP$rLi27x62ldp-wk8|y5eSA$H(
z=T0oX6rvASqW43asnj6x{Y}&7D0Z6V}E~Lm?KdEGlmXODT
zUbdZYS^R^a0bh^sVcyFeOHS@o4OHAEMR+iLVv2U`v}Uxm$^V}r1;BRkh#SgdhQ8op
z+anqs81LjKOWPsQ-&5Y1qd!iFOEo@dQ$x*GXy!9*F58=JNUwJoFDuMTn&85H0Uzek
z#T+IrjsY1nBN30iyG{~*^}$fTjq6d>PIcG>KV*(SwKnatCNoZsh71T;cHBnQsteR0
z;`9eDL@u$6v{uIvfnJW8wx%V99W6@>
zy1sp$%}HhIZ>CSLMoR5%1WHds-RkBu7N?Xl8=d^2C`vE^BCXDcEtJ9#$Hw=0~-
z>=(C;1O3Zjp_g+JGN3s5i9yTg1y1T?p>q&QCyenHGJ@aj+bY5#SB!}Nm?QO8BO#=C
zD;B@XId%!!Up-Bnh?;$YLIqH{Wfd)u|VOJl2m*imUV13Lfsx|ZWa$g%;5|K
zXR>4X3jP-k-3x-&fo!#-wk%jYM4Uf9Ptx4QWsul^VXDIaIFt<39XF|sYR~AlYPH=j
zN;TWK@=QHn2iXR{_U`*;l%S?&@kaY-0DatLWM4;XGrgR$nAPxTfVXhSQA0Fn)|}k4
z9ONk^wuK*@A38@QfIZ|ZD;QUQq!jo~hu9rsbUU{v^4iBscnysLM5v{DGCFc0i_eFr
z#RsK+Z3Wtd*UU(kyo|I(<-X*D0}7JP$Mf;BZyq`()w8`FmKq`nP{Z_-KCDJ2&3aE5
z`PCKjfyQ`lbh_CM1NXnwncAq6@v^}o0VSw7r9nk^$I&kK4AtD9UC0hfph=fi8C1@m
zT$Gu1an>}JJ*9tAwgtG)P{j7fn`v^TZ
zhU78;=l-GLfjH6@y?>u5dh#^HOy{=bRAy|9yxz0LkW6H%(6(Y5*z$;ox}EF*dNGsC
z*d`+4Mz5tLobtERW;*{Z<7y&FLk-)*V@xefbcGRNDtIkMv^6hQ)3w`vBFs5tbheQ5
zR<3&4^jXC~f@imXuR_N%baZt)L2|=>x#RK+ZzIiG(}!4kCf1AC=JB;4=Zxm-$--a8
ziXR3v@BhZif(m1j8?jknZ6cSv8RfR>Z|q;*369_nspaNP!RaQflkv^{A?16;SDd_fx%kjPIbzh--Ja~nfzDw0(a(KMJ!&&jFSH=cT
z-2n4-j?P^t3EY1ayO-3Zw?vw26=&L5r`k1
zMu$$ey3Y|zmy=*CPpBz-n|tQXSzF|$JlK|Sw%&WL-6hZG+T{YlSsC;%lE8c#$5;#o
zLLe?)E&?nhuoJ7yJ|xl?@}YgYZ&lB~
zk~VE#h(XVctOjtUPrZDD&J#o-iu5q<8|reViGNm>!P}$)(@b~q9796Pkpp49R_$>3
zQ|s8Zg~&qoEbSWAvtIE^x`>X7hW%JDSW0znFnzARppmSj*I15}+a@;#mEKlzY}-Z!
z(PDp({iEL!skE}KlOg8JNdh45SgW{xqgDYEvDqM*e^5i7^J4zBKN_}G!fr1s>tn|$
z@p9P7Y2CNlyH68p-mAFF&qEU-cPs`kJ`>VR!{94mU_fx6Ju`ZU>abP8m%xKesEk$H
z8{vTp<*kNBYT+1vKbdrvvnoZ*MG$bekru`jS^Vr{+%D;Z*WK{BAqH-ml7P!1E4963
zYc_YPHdwf=SVLQYlt3)n23M&?&?);PvX+#B>y5#+1E}GR&|^pS5}ZYt%ctm(sn1F*
zC9}fG(jZc6^D3FYqj4O4z)4EyXbZ!MUCngw_f>WB4<9E68S!b~5h#>+a%RA%rWk;p
zI2|1sVU~cAs&U?>m^qrZ=|dp&Ljiv>
zE_6i&R>hz3*#>R%Y!_~3dP#YK`b{1<(Pl{)Qt|&}n(h48lV6|7g0`cC(^NoCCu)+4
z_tb1187_EJp@d;M2W8M5ESV6<(d>bNjl5B7n|<$<+cj-|siMqZb|G7cgs{~9-(hvR
z{ns_@*yttu3Hs%(^_-$%gH>5(KVp(15_6;c?<|$1a0@k9Fe}>$xjuN_t_Q
zJGrU;1z>5}-sp8sx>c{&sFVS*Q=gSW(@jIR()qZ=$RlwaHh~XF93^l6+t!1CUrOGJ
z4O52a*f_}>-V-Zqs(rIva~36IcI)n`l4+Obbs5!|$7G+vuc
z1K+O6odudaBsUn*GrzIVe{`8v9qysa*cwxB-CLrdDMbMYziybt;Nn9}{Ixb_%cki(
zh}}h6xtPEW2zvjUqX15a+(cm#=?6mUl&)(1Ecmgc4CYva;(F+M7%{Xo<6UF(>OEWCH_~G7IhxO?@L3qtC8zgJht0i+S6?iL78-V#Di8K
zn>`&O3H0iit3S=f{|$%+qNTg%dr7xUx<}i{FR_HwnYD_dhQu^QLT3>8-VwcB>_0N5
z)|KExzwfWB+hO55eNDGVH2Tp{tIZYmmT2zhDSSH!LX#c-7}N%;t4P>QEoIeESb+L1
zv?7!-wYsAYVeem8|3OG6cIhcF}21PEaIQ={Kt&<5o|Emd+2wa0L))tG%
zXTVn2v5wjAc5Vm{a_QaBumrwi3?#;SUdub-
zKoIsFUpq6Z^D3Amy5lWWQ&1~}vv}JS&T`V~{9_x$8CDJ#Lw_EK57`S`i;E;#B3!}m
zn*a!@zS3T>RCnYpl!l?|wzRjSj*yAf#TBdca5CkFO)vz6s?3}u?^JBMvdaNu5G#qI
zN9tho9?6l~|2`TPO`Ue?z&jlKbJSH?9~Anf8sNAcxCOEH4sF~L%9lEWBf&eE)O#hQ
zhGdoWl|TZnKz+-Na)vF3t~b;AQ&GHPR2U5{hpWkh9TZ)9Z(
zK0XR_baG{3Z3=kWw7GRu6x#beOm{aTFm!j9ba!_%G&6Lklyr9r(k-Brlr+-aNH>xS
z2>ix-Ki{kOzJI@q1;c*g?0uf|oLFmUDAY7r#I3*+fz>;fn>09hai=n8RK
z0W5p~%0PE>Egxqf2Y}xEFQ5i?b7!$IcZ0ZrAR9XnkO7h+33m2zwX?Bx|1|~|3(K#O
zeq~Fr0u;;JS!YHDfAG6ST^QyZx1`q^70>a5A?8
zxdTDwAWKM~ySclE8^G)@8{`*gMfbNrAVAW?)%6#L^8dM9|DpLm=@MYb%#0lU0?fVs
zyJF@b4>#XGYV+@DTY^Duc5d!&e~$173Jjtu!;XN{f&45Y!bf_AAn8rH{u7d
zN&Q9w05<7=5Fa~$P3AY^1hC2dMqB_k`QHe_r}!H|_>_Jl2%qwA1mRQpjUarg{~&${
zpW1H(;nVnyAbgs?5jTKM>oFK>`pygWm`eY5ou5f<&4-
zIYYL@uXg@FD>p=wIpkn*wR3a$od^lF_y=)tLbO?!yZ&K-NVjk`w}hO{*6x3pdH!eq
zdqe#*8pq#e2cY}E;sv<=vHvFlQbWss5D!F*CD;+tp8sg({$+7;`aL%ecF4r7{(ull
z;O`M2^#lHkfrA|~ZR_6w5GB@jo_}Qga)Ukom@+#g#O8NbLHstq?tI{%ArM)%zePfd
zVe8{;3k3ZU0kPTr0U^5V|A3I?a`*#6=I!{K5i&u?U)%7vA5tZ!-;e_m@SBPUG8PE3
zeSfb$gc{`GWbx}nwE0642c%Nq-=ZO7g8#_k;DAij`L`Rw;cO1M_x`nx+#LV2{(BX<
zA+v*Yn;rO%b>VV?RI!_5K4wSbhG0kkb18)(jcR7wG!8f`6Z{YQLTsf8C$#zYpC1y}kaz
zn(nS(2cWK<73AIdM~JdHWM6q3vO_LE4u~D{^MC&t|BHa;_r3i`wuA)O+mD4CvUyp!
zAl2iCtP5mY@do@W)$;FG&|mj1SEjGfy#j-7}DaS1v;$SuXB_agDX2J84eW+iuB94r*qnp+QEoa4{f
zm+6#7m2InU;k`;`IX>dKI^uXQV!il8vN-t(+Wq+sFCo^vSA2DUCt73tVnzG(2VX
zks`VlVOlsjpS@`u#z1=NtA?do8+q1bVRh7+a)JKqtz~f+#N@V6-@<=xzvbH)NF(LvtaiexC5odcMaZ^04`#UP!DU5yiv)a
zG}Vu0*o-h>)64UcP>7M;9Hj~r0JA@F-XM8s8GrZ~`-Eq?9yT98f?ZW;(6^G$MWIEk)#>46L4h%Y&1_Kps)8*(j-KWxKP9tGo~8Iy
zoY@}MgNIUF@%F0@C?9ByT!R-DnIe-TnA~N1@gB6EPq2Z(qNUIFPDO=VP923tjc)O!
zQu5+f@412kqS-xk&7-OwqA9C_`%6E^TyC}3mSHNv$pguY$ty*5Z!(qem?N59-}HFl
zhRiH`>}L*|sUFkPissf+cHLMYn}&4Bgqh<20}_r+5R|K+?m}-{)nDTchqUFktj|-jv2E%CW1rl|7lgL*C=X0
zClzT&O^=o`GI7L>j0*bwY7c2-G@}hHKf!!ET4O_V$>+({X18JeCbgO{X34wFEc{B(
z!yKy^TSKvI-IhyH=~GzlKqFDW+G
z?uE>uf@1q?ka!i;;k&*C3FYSV%9_{*l(*dl$NcUb&=13D*-(T(5pTmbOAxC14;G<~
z{rCsJ2jFxBfENax65^RX7G%)A^7MV36uFFiyYiu%F%lP#=iQI>B
z@J}O*EYS&^>VYc#PgqQqPj%r+By#n<@Qfm^{_v=Y&^cIf+wz(S!$?iFXkiY&Ghdgon6p9@vAlSc64^)L!
zbBc3%TaRTp~Wpw;TRNG`#>H0f%r!Sf5O!`sz3?;Ip914n<8
zdbNoNr5B*f>2IhXna|$(Usnhpgq4o~#Me6-ekQ0kb4|#*#l`a4FCTVeQ=M09qt3n|
z?B5zlau+ZvsH9X=QBZ|e+ImOjAtLZV8@?%gI7(zGWLci0l4&e1JBq|QnWeW6`+Z=6
zs?}57b#91@@XZ@#L%!3Y^~BjRMPl@emr(E6X0T}KpujNMWm=I(%RN(%eE30MQi
zE9&oOUYa!nZ#w+kAEh`xZVb~_JMlFpj)&N!(uH
zT_L(47vfyg$LmPOACe3*_=eft*rdd9(r{kP_RG49uKC)w
zfojUrjJ3ts<1P1b_cURtS?P(oQm>jmzy-VFbBgp2_6qW3#Muw!8V6t-1E4i&+nWpw
zuuz11xKmIg;+B5$mQhj%6%$(|X-3RTFPB02x`~J?0A77kV{z1RfTPjQNmV@&I7_uR
zlf896;g=dL%c-rb8zESIqqc4l)IUm}dVXw2(M_wg)D|wyBsj*zHVXeOr1$q*2dLL}W$(@{0>Zv4F%66KuA}}1bW0Bt%?0ias
zupYOSbkY6x?d9$DsM*x_IdLPtla20vOkewkXlK2>nz$#|Z8!YwT>@1=69=EgRRB}D
zhKrDXRN}HsNe6nLDr(gLrt3KK$JDt+&sJ#ow+(#qodT*Z_#AuIQ@7D)K-?FsuA&g+@$3LL~Lka>EhJ;Uj#Q_IN^5)Jng%
zhj(PeiJR_TkR2_~yuX~ziZ}1n+-tmjapWdH%mn2-Yqt+AS;GMgFv-h25*(m;vn@5fEOKk&wPBPA)O2#^PVfou
zkBoKH?UP@CpbeoJS*w4t&9e)%L|r`M-X3Q0+)Z2$*6}yU!n$?_l5R?}Z;y`TVHFC<
z$KZ&c`w|<=$_iGi`^xU5YQ4iD27cDoPpUgkcrSr%SW(l@nnCX)O7Vhrz25^
zZydxT8_V=+(lCAxR(~UKUiJcg^{f280lf^VEjW}Rs4@}AxA!x5Q^og)IZ)xXYOvOm
z7+u!psF%DV_q7$*$S}r-SApm>>yFU~F5a9&G0!UNL?^);j9L`v83Hi$W+Qs_0@Jfd
z&5oPg8mS8BY@@d(idQ_R`JLcphnjQaAARI_hgu&53?rYkSMk8>uUqdsDk>suMejyg
ziTP4|@6`2XbjR09k*ooBfl;ZKWyegW9>*V>p)hO5hrpfkR`LOtvBEOwTChm(KC*1w
zTQQ$`ndINd(&$NNpc&L}42_gIg(cOKnHR0mpT1Qzy*M3dqtO-DtJ%?gr&1Qa<#wup
z?}$hp-p}XlUWj&Rs)8A^!I>!ub4&y$M`}?EJEs+i7Y_d@-`hh)qt}@-F-IuB)kUR?
zI_2w>4>lXXcfI9eWa=aj9-xX*Ay4ig*rPR&?`SiO#>)Vk4$j>|{4iV9^4
z(~j8QI>``q-$XZ*!ilwngHNSElo`-anZUfcJ40Tm6i`j%4Vav$gkJtw;z1{|XYBP<
z5uT^Ud&}_AM>t`5JlQ{?6B+%v_Sq~{lqLL{jy;JcHMfJbZC7;`P7IaD(C1_3=flcT
z5P?3G0<9SD0JNV>U0Ok)Ce}7}591x$>U4M6EdKyGi~wht^)-Y2=q$erHPDtLg6-SO
z(TE_Jz_f3D;gU+boue)f85?94Fhb!IdrNg6TB*6-aIJ0G74O4Z*kb}zcspCn%*0QP
zRPF_!KCIDSq3cYov&YIO`)(?s73-5M?bC4f>hq`_qu(fBzibV9S3OSJ5@TNKWcFRh
zkm2UF{PL#AvU^E3Yb;XiODqfL!D~-_a@h_sOWLt~pZ(j$uwBEsfDwgV-?rIqogEg#
zh{8KeT^4CIeG~;&Xb01y^%p+fbu|i++}v$iSF&(#SS#!m2P^CHtLEG3n3R`$i|ik-
zO7U_UM2esHl9-LMw4ZfojN)P)V@xvb7AliuvaR_
zDpgA|9*^H`%iXsz%{Ok4M^2ugx+R=Nr$VkGIQ4}-Qu;{ujF;YAsPtKECCW8xXa<)K
z)_ak#tqq0jL7W-yxISF2J10E#p6;vi#v6|#4Wx=oF#~#567~L}(i3@1Ettqf(@B&Q
zo{%k%j?|N5KlQ*jw>S>b0&E3#D26aNSXo~t_gmm^g967loZVI=`$*x;>(^!2)?j`n}P+tLpQ
zJsP!^qra@tURsH}?Wboz8sRWads|K+z2N@9gEUDlkc;11U!0c6peA42+l;)KfBc5Q
zf7s
zadpMFE@@%nNCwn_%E=y_b3b4^KEV1X2WhD6qfD#fq5PovQS6*hjz08hWo@W!vL#5U
z1f6#pnbsv?#>2B2OXemYwpUo6-N=`bl;mA(coK7!OsRCdiYBU#*8OB7EqwNgz5sK&
z`4IxPYn$)Gb?}p_kog3YSwzYBDbDaW_sfaMpj||
zY{j_{U}qno3O|-}V)Z!su{
zWIMN^*KKtpTK8S^u;`%>BGfl7R_F!mWEJY1$|!m&kU46Ax-C1qA+Aawbol;UHml7k
zp`c8oOP*_R1x6WcG@E5&2a)LFNmh7;N`>>B?^#gR`wI3bj4j&&D($qpr=Z3yMb#l5
z0rhTn?!|8~tpPi2gL+VY)rTwC!}QGurW`x6jXELx==b;c`V|gr8n;=3cGx>0Of8j5
zD9ZE?;ii>APOOc36XN!u52Awhfnl{bk0!&0MnY8=m_R|~^iBmtfS=6QVULv5+nmJQ
zoC9}C3URwAvOe2%Z1o+r3J*RbM*Z)2qHE2z)G$RTRadVf@T9CaXAoN)_u%pMiRCBm
z8|2JRaOp8gLGrg^^sB_`iybTPw>^T*RzC{8-+@0EbW!j65tvM&NBb6i&iwiNwsm%E
zyLyudak$c8RZ|Pp4o!?k8zFy%1ns(mBfuzJ+7+Yf$e9kyOWrST={?k|V%?;v_W+dv
z4Wcb}44vBPWb58MP*n+aPIbvaT}OavC#)s3)jb{;tX3rOZQ#_QBjw6#MGQ7y7P%K>
zdN0gZdXh!vX7fBzuRVVxuc&?>Sv{H3dA%M-xXF)uKi}M`(!*-OH09u6TmeP(63!+}
z#Xwj;s{gBvv&16;>X}GxY#YI+`@|h1emMr@7U*dI2Y9jh=$IJug7~8z0S9Y4o}^pk
z3^6~78obZZh|Kn%8>bx3=m`TIPP1rH^?sc@
zp3l+_16Z9uT2^~`?tgZ4v-ipkJ`48pz^ZrwJh5*0O)wHMi&R8JoU%v8Z5onOIoz3O#V4#gAmdc&8_$gM7hU_zr-;HlE;aZJ-kKLMyTZOk(
z`KnWO*2fLqo`9yosSk&jO3+~v=6ZnJoPF~7iyTfiD%{uLSjSZuH@h{e(N5Lc5bxt;u3U8Gm$`)kXXkP?5Eeh7POJb
z;wPcwgpmd>(_Y4=-Q!gD9cxAeSk_b`(yV&y7WT7d4w|V&LyH&IkTf(ORZu^jqQq!pQ76t{4ZbO2t^X1=?{l(@<%Ira^az
z7VQD2ELYdifJm{rXdriy{lr;SjN3XpaSJ8qjhuP_&ir=_9`>zP*bk~NekK|Rw3uos
z$iiy-@0Y0K5Z858)hb-!=<2-QE4N90R+5VGM1AiicNJa|$vdbiC>q$cEtB)3#y9rUw=b+@RLNcRW18vzT{yljD>sPFw
z7^A_$MFRKxLBVf7^Yg9SXK>m|FkS|EM6sA7aTd`RZyIj#e}2E2lX)}i@lv546>O7i
z{9sPME_wE|H2qzq1W=xrXVCA(PTss+?YWL3+)`HdIY_}3hHy%(-m{PZkaI$spGfcrRd0s9MvZP
zshMr|>bgbX)gHXdU@fok>FS(`%Id|25?71kZ6f8!rigp%D+swdj`&(1*deO*JSv(NpS~O~tf9Kii6ODWKj`(AVS=J2Uj>-&K
zO#-@lqm|&Lf-GZPY=SKY4Ay8`-3yc$^At|U4Ls>jGUI%84JSBq+^ZQ=CfF+R@
zrrvO8shQ?r_|O(9@}F8#^eT}!yTRTPFphOkM@S|5eY237KRx7l#
z6MU~0k5x1SB}=3QlHQIbQ*MaZnbF;wjw)W$-X*p8^8oo}@AqDGFt+G6(0#IbT78Zz
zu1NclE&eTbF{Ga>a|`ZEE-)>^xmaHG(&+6+0!_O-&o}4F#~cwJA@aLE>edn>uR2$T
z%}77I&z2n9jf?3z(HYlwL#&LZfZ121b)ksY`Jy#|XYB{$KATQUX1&8&6SR`5ucl5l
z+w}zN_cKVQm!PTjDOSBUO(|4uWCkZA(b&GQ2J;!ukMtnS!}AIDWf1*fH;;ZUY+y4e
zd(M{0JN!XYMs(`Jd%nsnm;&hd`aCRrE`v=s*va{*9l)V7BYfoeTx_`rcmEE6TX#Pt
zMxyog)RJUo5Ql7{bIz-Cc;rGxcz0{<g-imbxE8
zt+Q06%=2(!M5P`P2f|nA{`-K6{))2QjGa@AC=Ae8*WSHr+qP}nwr$(CZQHhO+qU_C
zX_KZ&U-~xhlT0Rqb7t&-I_LT&D5iEQ-Z=yzFh+L97yWH
zuZ{LrViDL2uK#lv%?9GupGo{IWQoq>N$5Yk;I3^oC%x=EI5fK(t!3`zw-gh1fP&>z
zv1FAXdm_=}L(4JR7t`B-y5B8;Wxu1fJQ;^Z{qv&7e(
z(YS{8R=a}h`m*ljg|;L_avX^ar0P(z=)D&7fzzdr*PMfjq^Oy;6;Yms$^+QkiDE2S
zTw%ejuoRLyKx$ZWNR7f|$G9LNBMjC;`*>lYG0k=OO(xN;@dVwIqzV{`4STKR;GUST
z-!tSjANTU6lb&LGekQSv1|Z@1Hb_+cyn1}J>zA0gWTOHxjtGoi-YxB%2VG>CZrr28Dx`+iXdb>b3iV&fm`udXVvvAKv&{w<96>+
zI-E4~EG5tlk9ZPoJV=}|`3|h^UUVtgcdd-;Ks@5DzS{BPTp9a%d!bi#FA!0rmI3?x
zQnuQ$o4L0VjtN@%3PRJ5u2Shtitp95p4D`Lq#FqLW!O9SKB&#TOGpJ=ab|E%SeYkl
zy`&CTY1?`Ix#F>qDxPS`}u05t6F*y;bDlvzi3o3KtuNl
z%EB7BV;%R%PhZzX(@*GU=2nT$zr`(w?^N5694UN;cO;Fu7}5>6M+&u`1i<=ZFIuh8
z3EAer2|*MqcGQe7_Kpzq#~-B;Hljt%v#&lF*-rct0B+HVX4hG=$Bm!!`Z}aFLm@1*
zxqOxBW;6Vhlzox361R$s09}Ses8Xv-do5>1tTCDKjY4MwQk>mZPaM^}O&2Pa4Ov_(
zitQZ_3PW$wU17ZN@O@gWhe)FU`+l*8_2$bRcECY-Apl4q#M44GP;a`f08otBWIY*O
z%e==B#zNU|PUZCGUEz6UhR6;HrQo&F*-j+2iflZT5}Hc90?s0aBbNaLND5K$1mWb&b$Vuo+G{$Es{3g$L)^_=XH_0Czgt>
zZ6N61CTEUrUnjHbEOdUbk%<`Ni0&lKd*&j0(`LQ;4Evtc;oe5m>_vSs*ijNZsL$-N
z7%Vh1)b-D-EFYw#sID5m0o**q-PNoBQR-+ysS?JQwt4{X;3}_f;h^$sQ$X9XgMv6R
zS1$$kdh?8~m>+fwEK(=z@mBEbS2eApq1fvTcxdMf!e(iGgLqGxI*JZ;0gwWWuM6C^LujD^#So*%Ta}P=cSB5_Wq!ynkG;2|HTF7$suRfScI`Mk
z!^G3Kj@g&D!B_A0-0QQ%7-Hy{if)f8>2UUtA8W?UkpZozE-Q*Sgss=O^Tojt!7hr-
zYOo$!9SrRtSbjE4+-?)v6{Nvpce=^+q)|y)y9aW4&hk11!-lo>@2u?ob*)tEcMtCL8Ruw=RPTuiQs&^2Z&%*{2$*4;piqNtZdnw7Hn|
zJ-|+6ddJZ#Lt@fs6QwOha6+=(wYuqO*9t?_iV%LUhdUR7>J`~3lGhEF{W=6QjEwmJ
zsTXg#eZaZ1iPJ-%3{1>zA$1{)V}bGnkCwyL53R;Bw@xawXW(pf1FUxnR
z_Sz}docDD#-}J#A(`aMI7c2>q|rM5gBCO;0nM9s!gYq@@QGLHCJ@T&yWvY4
zTe2q{fg1(L-Uvmms!G0~$Ghn6P;rr{+g%(J
zj(B|?iYtSE%HFRFzff8*Wo6sgMxnefg=NYLvj-m@c-}b2#ecNvRX`reFWb`BHY!M}
z3D#?w{TpR7MoejeG%5O41;72no~maoH?uN6W5G(FcDkDtozpiBl5Qs~gH2-^VuMz8&K^#1^(#?!Ynnel!T4V%7&m5
zgir|327gsRKxS0dsr9Hvouz;|{BI_%sq|}8V3)FKrFm@L8T68uA~d&GS(MEn{|;*4Q4@jWaYhoTw%s48xmdz6_*m6e
zEf}_w1QRj~1m+mjUvrpE`jLjVm#nC7xQ8se+sacH>-~e660H0NiZebx*{y>4-mF~E
z@>4Sel1
zm{h(oCM-V|M}}{r>^UmKFqm7Ga`|bWP7u#2LrpB}zG)?F7CYxk%m+};ogcQ(d2Dip
z?f$7!I$sogbGCXGuK+OggkazajP`8nudl2AJTEgzDVf9NADIvU96G^nWne)IpHAA9ZqTcNWX?Zb&<+3tK
zuPv+Oj}R%}DH?_Td*k&g3`;zRk8T~;1NXt4*oR{>rWH1mg|8u`O#oH-f}26e
zlP>rkwuE5Nq!C|?vJw-&mH+E{L19C()RP$3x;Q3kbqlKag|5w*j$nozUpKi
z=|VU)b0M`8{O@)EU${J5++;ngTd%ESI6{ZoWLuaH(&-IjvM+hN&C%!s;f{!v=fsU1
zOzn&VyYO!9dYV0*t0HApqt7(ft00yp^PEj&1|hD|?d;Z4wy$xYW-9V?q%|*Onuze9
z(rgBj&LMvcrinoPP+0;7O^3wXdDxq3Kqwx@JgJ?V-}M4ccl#avUBx0s_Tj^(0HQOi
zL8&!2hYdFy|Y`B+U~o%MBP20=>~Ly#5cbpBP}0K{=BcRveycjcA|rw>-I
z5B#SiwlSS6Q|M`rs*^V`9Bd$V5S}&rEQKWV1}B)}EvkQJXq#%LJe|2Ro3iO_@
zC6oP{#)50Wq+h!WyXGCe7p!qJ)MLn;00^i?|?3-8)1B8zU`
zjO9mlKzhsbF_E9Z&V1d{eqw8yjNV)Y*O_SHQBzA%OW~RUz~`QLEdS7U1Ahl~@@lUZ
z4^+|xJ?DBd(_NBOWwilZ7{}=iLVmTM^W*5LC6;7*zHLZfc#XQZf2n&P+pS9~^5Z^(cb{28Xi=iW@L8ULPPkIkj-QffE*kDwwSO>g
zWndkNwk1I;Z;_!~+8+fIgWNt3af=}B7u=d?Fcv_-;m&2P-PP*FM{sRIn>Eo;0fmTI
z-5-gEn!1hT;$p8vgR7s6ia{j2zK=*;DMhO2BTv)M`@X6zPxa6IdIe&L+pN;`4b>MTV!jbfOG
zmV|o~bXo)YmB*Ou=tlVwJ^slpv>JlI2{7CqkIxhGhelh6g%_^CJe^&Ki3c$A72Vdo
zVDoXG+zUJA%
z<&Z6eqc=~_yx|vN&Ua3pMK&vFwm&QPw5K>5xkej)64x85>eub&Fd!@>lEabEEQSN}
z6{=+@uG2>8BE|)6C$g%#;Y?UMnB^%(c-^yKGdj<)60ggljXL`Br8nx~obeBTlyXxk
zb5pUHHqKUy(Bw6L|B9D_(0(b^d0j=#fVd??GG*}-NmrlzXG;aAOC2zDS+e7d;VUCQ
zjYOKceWZJspGYuqT-WU@=F2!4g)x7gVY$60d5BZwmDs-V+K86XnKQgJmc-ERVz6fs
zDNXCK`Mk9N&O0_*2PY$pF7o$h3acE@fD@XI7%lLI(_1#D=KEo7@&
zdUz~aJ3;z&!O}bIsP#tPU$d0s`#`o;)WAbhc4TU098oc#V_?UafKB3kD~=Ge`lhDA
zie~plfq`!>r|7UO#uIE77o*5yFD(o7ZKDB13QDUv#>4aj?Mc*lK%Ca8plW{TV+(*R
zczk@4{E&ocQa<+djiWM(OLx&&s!lf)_<@h+WM%AFwOTm2?2c*41GakKcR~@dSOpbA
zf6nixDe`AOfFA8&iSVDvDx5#ij$cd&ykt#@6QBQ;afp_4)iCy{D>PoQt|8Kzb5rv<=4~D~!oN37j%3V!
zB2I>WbB&8~$-RbGwo^GXF+ql}<>*A{7hEHC%7Gtq&nmq$GRki~zVif*Q2xS|R
zB|#0urp~Yf0Z0r53P6S{fszUjsMf85Mmiz*V1qUU>|NnY>XnvEKIsOm=BJ=1
zI%@e5akXg;+N(lfq!7$1eflMrD~N+gQd=4PUvE&A_aps&L;f=Qo)5>QCik4p-km)_>U(MUXZSClhuH)Ao%@BG@JmkF5;pa)e~Al(@#vyZ>V}&Fyy};(PSOq
zp5Chj9FRo2GtbkopbNf%VqMa=v!li2C5jIk>z@qj-`UomGKTLY
z3GodFbO$*CTi(|I%f=I(GAjt77O2IWS=OhHt57#4Ko5rid0cG2kkT<{A7JJ3SDiEo
z9~_!xbXA8x!WRW&wrCB65zJ$9`S7*A^ly;MYZO$i7;|VBs7(@xC>e;G${f#9nJR85LfqBsDk9)%MQQP~WJ1gZr1J5rEEeGV|@)
z)JQoXtdL!stcNp#pCAPgxz(NI;2_e&ar^8~CtY|zx@qRD%NWUr;vxHkx0Q+$8Wx`8
z6`N8T_*h=`TK)mNlFKu=bT@(mOHfbpgDYP?Y;Bt{q6j4+Eqc+6wJjY;53vQ?o*T+l+sMXTjeHQM-7Wj^_m~rP?GJ<^uFsSXG7}y!-#s<##AcebtnmU-T5O`Z=g_-#QmixI
z<}F?AQ(e^gdBcc}_LE8G!|_TP4EsBt`PpymoC+iM*2pfLbQ1Sk9y6<3@^U@p)*v;+
zsVH^eLKMtK@gka&RWOq2d)~ak!9G1(G&?Uudl@ORYwLe|;jboIz#KhvYv@ZC^vk#^
zKw9c!Th#IIPL%E=(A>Q4<|MWYJH%zytG5cE7on|{G&PcDNj{%-W0?z{YFEP}$1y=A?L2e7@dpH}
zCgnrkXhh%Q3)pKCxsT3G
z>}d+3nmZ8NEygn%ESx^-N;jD>2}`!|f5r0M{|NZM}f
zjpwim^s&8W1M&XV>E-6KmGq*wcrGbLI?E|IZ}Kz&NjbGwn-0kFG%I+WG|uqU<6n_`2IEnRD$o1%`fW`&-rM$d9b})Ys22Iu&kOlN
znMJ7-NQQ;QXU_q-oUm*+n!qgyU9Yf**81>w&~S%SOL
zkyI-z``5Ej;eFg@i~Xhdvzu;gtvPY{z@i4nL8l_RlNFS;$^m-ehc2xn9(Nt2)Oh!sD!>St)M!h(6Kr)O$7UB&v>bIC+*wCvWHN2AB>M_?FMm5qQJ^d&CTXS}-
zT^TM-pDn&4f21IusJj!`_9#!({Q~0^K2J)T
z;NVTSWMdm&kGHn!Ok>wS8cN3{%Aa*IgrIyft2O5PGsN(aan;1FEKo^V0>_rM*H0(pyt7ogcai3RFynW&^CFO8CU4s(Y
zpU0mdu|`R$$CtJqX156?y|IFgj
z9d|dvM%b`VR!NnJ;UeHi5M70E&@fOO!GfB@(h>owng*
z#r>)zn{dIK!9aEWRtBpE?#C|F?@W+t@EXIkVg>P!ZY
z3QG&hJut9&Dsb72vN-x2x7W`0V{sy770F5eo7q5)p0LD}R0IG4UAIAR4mp*GcC0hk
zxi6=?Jrz2>j8NePXW3j2i_C*5wg!w(^8DG>;8Y}FXg6fqdZhA=<>6=SKt~v`Ys+Y$
zqfKscz1RG31t(D#>QKEq8WA*x0Gho&MTb`?_>93r*;-1l{jiMIKgyaa#;<8&2~9W&Np@An8c^LiD-(zk&7CanLNO=*aH~-OaP`gr$TXh}45W
z7Rs;E%N-J*@)3n4UR$>89Da|)m-e#iw_;W1qyX=i_wg4h()WCtlgvzPzn1_i(B@_=v%eQ4SQ(0E@7-Fn2WJPf}+<8$C;H
zX1Rf1k@s>R0p$?56GF)#o!x^Z{eeP)$YB}lIK!4blGkBkD@biRmQT>
z{7t5IacqTr&2AT0u}pS78DvX?$0Izu0!W7<-I&#(uVo#BZ=jrY-F2=aRa=k4$CE3%
zgygePmv?HR*|y9r-aQ0M{#Iv+=G0r7x7%u1BE;w9n}gO56K$CQpB%C}?0-Q$sWpON42_R3tpJIYa~l3K|jJdC+i*91w1p3(?h3P+aJqJh%BV6-u83yWmClG5Sh*iFfDD2tLMHR^zSfLSX5G3)WcF7?5IBN*gUsCOH4+v?R}fM{Vf@=!8I
zRKd*GG8qP+KzUgco^-MsxF}T;d;8YV7;VC!sKq_#bW%rhy+Y?`Tv$#?GJwv5H8!=F
zZv6!j?2WDbO&lXgWcH6x89KsA>-~LVMaVp%eoFG$mgcJe9oA4JIS*3X{mtAjxFg9f~ATe2>%Iz_}Ty+deuP0ZdeHzfC;C
z&)Ke2Re5|D1%x93FHC$&|Mdh0U&rof;Xt)v!&_Xz&Sp*LQ=;E&Z@fY^0TK!{vrQCb
zdeyWdIOg$)^9Ua#=VW=%9Msb+%6)l{#OiO5i^R`&N)Vs0eda{|qnlT`)_)g0GFLse
zY6Lq(EpDP{pZ2!LhP0RfBL2Q?Fnb3lf)aNzz*;BAmedJLbUq^lBHcK2pI_%eK`SN%8Q8qlvH7b*WTj_|>=
z>DD_KanKmMn~vU#Gk3xa%)ilG{tVk-R$-94NNRX}|5X{(52d%k9=gGnQUYA|Mk!gm
zg&Yv{$mU(t9t-Fsb=g)Y9>o4*l+)hRB-a5@pjP@$zs&@{E7h54blDryD
zK;@CGObkIeUfk@$vMwnr`+Q-3)Pe*gJ`81w6eBCV40@nZ1wYI<`cZ4bP6@r#=j%n@y$6KA
zv*>BIvW&~(R5z#v2>e2Y8?S=8;eJ4?wxbVpy^7Vl)wXw3O=Gq?b(Df{&_DVe*flosY
z8PU)u{J(A*ZS2D;
zKnUG(;&A8P^YA?2
zkAKj!7vS)}E3r!G{}oKBdNrYJ;3@4~Hw7mwC-bva)J7hk2-@|;5J!g5U_QU8m=`nu
z;rgx}26L;-iA}BZ7Y@O
zMaYyz;i*z^JN;e+|IM!324|#q*fv91K-3wClH9jk9nZ{%opeYJopH*oXPvT~W|Gnb;!6Xf#QPz`-goIq2hO2hS5cEHg91GXSa)#14Dc+-wQqjsp^
zCOhX3Ztc;9!~e}2g{(Gfo6l!vp|%0xA+k9LygVXCi(+9&cyve#ar*APk7BFSEp#`(
zdCCAK&f)hL8bw2-Qqe^Wn^%SWh#=Slw~|x!-phOU`5JK!!EfC_I{Z~VL%X!`gz27B
zQOuiR3EE|%$mrtmknVWCSrs>#up7aq|GSx;`6RDU*il5NUJX8HRTfA`s9-m`u&{SH
zkYO|{`_UAfX9#4mEm||gN2gKyLf@?=l6dr6qxPNqycA`*8_?15DiN0L5LBmW^tHxR
z2^SbgAQtGN)N?xw_#@4hz20Z(vinqEpBZ%&YRpxiXg5_Ic^L1AC6osg;L|mRG#~uE
zObMzc*;WV7SMw>Q*x*KD?>wQSKhcV(oMzb#JA*yH`StPV?n12zL(w(!A8Q<^26LQA
z&uE}UsRK@=b^qJ>19(H9y+6DZm2A1-a5yJS2m-75C2c1c&KY%CjgzFfa>ZQnfUXX|
zM2l1u^H+r;Hpy4jO*qd%VquEeCi4{l1V%YcC7Z9lY8%$bh3E=?;np(>TB$AVRGK`!
zutCxAGh-v9*ahi{h{Q~EXy6p)!3BfH?+#7}lpC!}PoTz#Z
z$XGMhpLmIaX~$-$hDzb4C{|i+vimh1mIi2baorSvlOjlUqQGA*gJGt9GTJa?>)30X
zjJpD`8I=e_3IQ&ZuHZ2^TGa=uP%dmlBy9I3Jc{}Xf;p@#s3g3j-?!|ZachVH!s$^J0MRckH`NXYU$6p#zoRQA-h_=sE^i%{c&dJ!Nk&+T0}uLjtrmAP93j-=gX-;Tqx!W`7={aI=P
z(Zc3tv%L#I>)Z)k*q{qaaf&lJ2wsM)8Dz4JDrO>pK{C&y4opwL?brM|k8CJ9CIBxt
z+(YEgbQo3_5x8T*1?85y8T}8*UpAFY1qaJ_{nKS3^mB>xwebQL?$+@x;OhT}%Wi$|+>1okEIz%bc*M@iWp9N8r6;ON^_A^AFoV0adp9u7261qbrvT`qyW
zMGD#-+&gzvBP_d64
z0_&i)=tP-2vE-%FFl7}s!_QnvjDMTvGI`LH-l=1n#*s$+wCVD4=YWzQsZB}^UcX4S
zy&qijH$=0Owf81(Q2aU6cNY@>NC-8r1NEji6BKvLH!ubEpdV!zmu~BJz!zy(5KrD!
zr8>z?o9vMDiDvCUdoWXDM%tnVi4x!8gGjug74)F9qNx;H8zK|Yc^2@BtGFUG5XBIz;g$=O{b!1&ec=L
zdx3lob9g*wEx#9l(oq2KMg{OscbvrhIwS}YFPKm#jcNMr
z)_ol+eS|?VF>vN*jrVN^7l$G;bvX^4?9LM6Y@IH&{!g#g3C)sQUgSZ!rK%#g2oo8C
zTkd{vRFX&jtTj@q!;YXt5zP?8=hIAV|N+repPsfa89m4vfN;#3-G@}lCys2$}%;Z
z6U*$7<_u=E*Iqo1hlP%oiL^auN&y|!t^xg3QLjSJ7Yy0+KyY*CATpSx@lC5GGsPxf
zo7iktssw_TR*4-PV!FDvMKZ-3evGl{Dkp-)8@YI>eA*LqMKE@$B!QK#B2s^VQBI)jh2P{
zr%EbMug4JQ_yfq$Kd=%{F9ZMOdcl3rM`twjuY-Wj$FSsiXb#k}xa~TVaG#!KRD8hY
zwT&~3jY%va>7T98M88DN94vT9`*ly~R3fBOwmlOz(Q4s;h1Zn%>r|!GyGzp*S&6Vu
zj<~HZufbDWo-t|H$9;`i-Ig1Vcw4j0MCGm;&X}i*;t|XvbzK9moXq}`+{WQ?_`~v(#>oPSbja~I!|ALELC!*Gy(sBxR?J6%
z((Iz3bW(b)!|kX#Oa5O#P_D^Kl>V@Hd2_Ysy%8GG6EermD6I0)y@8vq?Vit;^V*gO
zUut*eD^O<)cnD4~#oS0m?XJvShXnbe)8}tlbRce`ST{p1a~vUbv*Svh=#3F49K+`I
zcg_Bs6K4+Ib~JHE@L~^$CisX%%&I`_dt{2cxU|poL`{^x^KA&F=%-HP>N`^D~F0m>us`jMl@?{!tmX#$`pShl?e%DGTF*zQ`tnnPvv
zucln0zHg%v7=3#RvatwdI7p;Y^ZVsoao{vjiRjnQhG
z*aBr&4*MS?p6B(IMRO}M}x@w%dIW0V^*8${B+8uEE$Jr9|iuK-Z2u3k#`l`vhS9o`>a>VW5
z`M_EECM4=Jpf?htr0^Cn)q=@*(n!e8^|JLUyJXfB^g|EV6Muc*kxKv8rQm3C!E|E`#e)SF*r$>^M0q*DZ49ZiXyAI%9YC_y$e@d&s
zV8<1~-`@0Z>QK8kqJjd?lusJk#~@xZY68N|orj*?Umo)iVB~xZW5Vws4BX34yF-#r
zQ;G2(8|)E>MWMY(iTGA*-PWrczk_$%gC)ED<`kaV7ZjBR_=7u_t32Cb$ng#@;D(uX
z?v{?3*v;>qVhsRs$r_<$YYtm%=7BQ-g#U>_5M|9}72{9$gn(-NL6z#s*=b%`mJjm6
zRUQBEY~vRhPd|M}~Ek4S@0BPf(KQ*7BlrdfNNAr@sv
z3utgAW4xBb6!#42PI`cA4M>R{&L*oIcitJwtUk!CqSlbE6An{lwWzTd_A^7ld};4?
zz9jgV{mjI~$)*k=LJAC+$a2z2lkF
zH|HziV*d_EXcS^u78&FsjgRc+B})Ob$Ge@Zc=q@z3mtOEB#*3mKQURmyXi5Hq;YV=
z2c=FD$hN0;TJj>bVplYZktekAn;REFjT8t~vbuGG7PEyu>`|_5>P;QenrJ|hXcRlv
z9uTpveigSdi4^(YpV_pC*+Gz^rC*8J%|~gAs4Y67Ph;*S*P7Qvm0q9LGY|+
z>o(l;%`Ow$!*iL`So~`bOjp8=_7pEhi)x&Pki<71+Qm01b1W3CMU6hQ2NF}r=?C`L
zyMhKt>UGGXFwAlMEtCVAQLwSVMu*Ko)mYr&11({WH7Y<}GAX|+Csudt)n0iy$y+al
z>rtmTOisy67i@cVy;|4R+nIjKv^5C?C!|6`>sttb8cF|`T;J6*{(;&Sii5&pHdOXg
z9W)iB&Akn;0T;VhHa6&n&G6(zI}8$$ZMmSbw$hmcjkBK#5g(D0C%PA%eoN71)|Id8_k1@O@y~4cQ0CD#61n
zTfX?>PCfd$`sNA*^;yCl{W?Ks&$Yb|2jJ}N^L7{N1131aR1Fo_ljX%(jKJ@nSNoVa
z1yg3^JnU%#{4UkbK%g`Csmnzg_X+60+~E7@Y^XQGjxYAL~5tVwNBfo<-QJT${LxV9N0eYo8D`Pds
zj1nKQc78y;oM*j$R*-C0@};|E(Y0N9`d1vej@Q_6t^u%DUxia|{nZz2LiVH{s$7zY
z$^Pe^?wQJrL`@?5%fFmYDj%y@xusMZn;b)8W3NlUWXgZ6{9TF%v-XhZ^*@P&LmXN1
zbJ)HJc&Dfsy4eRImGrs>0IO$PzwZ3XyT_n4pq_O#kA3xaeBbb&;HSuBq2(`xzmsN_
z!^nAE#npkflYRXgLS2Sev7%*PE81%{TL-dOdn58~%;a1mcN0Tg*tJcArL}Af|NU3K
zjPahebLuHI?_{1d*1HW8cjQaS
zk;UmfY$0bd+7m@u!Eysn3OhrtP?v;+o)%etgqjd^;tNVF@5A{b^vqg)D9%
zT&c|M!55NF8p%mM*UJfn$U0<|+PO5V@QXGmeS}Q4?G6CIau{;$8d6!Pz_z1re6@)~
z{dxuW#}oOsZj(NBw9Jy~xHav6W>yZ6EkR+qHudVMTD0BJe}BRgr6GKGtu#Oc4cL(G
zwZL~&ytxu=vh#dXJ-#bEs^4hElUniEf#eg;1sEgGw
zBVR<9Zg8@kcIR9irtw%fp_S(UJJT0)x^-0UFIcQSI?HLtg66uQ4@sMG78EcRc_
z1sg*N$B0{?$cumliwGof_rT!j!YC5_#}t`ioB5BEH|+XnkldZv?)kgX_nEv59f8j6
zPaG#9Nn_MBe^Y1sXV_*yM3Vxw3azY`4yM@1r|_y0j-3LIZ^R0!&T93z$iN^Du~`IC
zxYU`&jJ3&C{%@5bOjp&R-(^RsqTHq6N=ot
z-%VVLgzV%etOo(Z)l@VsS}rOZxGH8ZJeN3_qflrvT+!
zZc
zbr&X84papSRo|PmLbPKzpi2g$+d2|)axBTC6V`r#y;hI5s>v>3e$JJtHrbNc7(8#*
zoLf)qpfScizY{R(C$+al#$2JuRU}Bb|JQsXWTeU$zOl`4bS`kUps6D$M$W`h|*$Nj07I7npljsXdqU~47vGYTW1?rNNV!b0R@q(bVuvCs6hm@q|M!rGgm&^L>h~)YS*^I6R
zsmou`Nr~-jeQ
zznm^<14JZ;UI#6Nor^f1P!EgU|AqxJ@$|&DbXEiLxrR8v-XPp*c~nbe3=VDjHVdCy
z)f2t1x${oQfsI^{)ohBSEBF|cEMD!
z&*8e5JPU84QRs^_;#dyt!m6qp8@m@$DK&lChp%C0m-yS$(Q$2v*;H}=>B;$);g
z08=38qMGD
zPoewFejK75Y#i$Eb^tZo_R18&?5Or-wLT@`!V1c>5Ni?R;;(s6zts4eeZbdS)s6u|
z2lZgCBy-aaajSV)iYh;t9jOGMO=2KgM~j2e!Xvq7n_-SO!iZW5Bz1u`OFuwQ=e1O&
zIzY(5CW}QSO3ruPkRzhBFPE)AhOgqT(=PT(9^RI!=l1&UUPc-!Ewno$+B)kz5wDCKY^Riaia$jDL#{3S05KFJ3w!LOPYGdoC_7C-pal$K
z$811pa+7}fm{fTQU@H?4vN*O3>DAoo1U!DOMMsx=v|bP}*fXOm&dAT!#^sXmFf>xE
zMxf!C9sIcA-icI=6A>N}&bz8itsa5A-88L6emk*k@nG{MMMabH!5#vNh+;B|sci?h
z$HP)@dT=0ZVYiCG!s#*MGsiQ>%nt48bZJyKns{Na^(qxmuOz7}QAi7jD|4R{?^+!0
zZHMvkE_j3O#dd)Zn>)=~-UE@t68xv7Ob?=>LElg>j(lsQ@jhj*9{D($9vDZw_#FEB
zIEVn2kZbOh>@rIWI{pr^YD^jKo|H=n-!Z*@E><`xsbd~e31BGMb&$Ath8ig*RNqDj
z(L}!|dJP)_TJ!`JF(6G*Y~toTT;WWpKJv+v|meT8RB
zr}l9$+_Z=p6x8%fg+Eq7#$HQCUK&BzfsFqK`I?#c)!9Fwp7;3G$?{-iUKHQ%1Cll>
zE8HEtbbN|MU7Y?5QBo2WHMIV+foVrPIL`X^55E8PHN4s$rQ_6@#Q1;7`%G*M{}*{*
z*~8uhpH9xuQpwo{icS`vf&M?tzNm$xlQTX$JNy43?lUp5GyX5&{{IJY|3*{GZAl!_
z_pNT8=o)wVZ3}ny8WIu)#@Ii2ias8EOcn88D~feS|MzE2WvZ5^6_GAsrVkidE1K-P0m36m5t;gKQgp<%BifYmhd?J=o=GZ!(gA@Ti9Xa-`z
zpEM_>!6JC*c|hucTanZB!FeNxPMO{FK{^Qxl7QR_01*63$_B_t0I_QNbwID+2{(%X
z4j6$_3_4l%DGN;rC^e0g@u@Y9*x_Mgx0kO0Bm9qz>)f@^ShxwyM)aM$4O65!$z+?@pX;O-W5$$R_uZTw`Q711>5KIA3rctaX
zs=Yg25Sr%JS|;<1=E9U;BUJqU6c6c-kM=k!fzH|Pwl4s_^_!wqC9r?sI*{VsdUdrtf@Bx6M8sTWUEE9VdA{5dX3
z-}aT%J8s}B;nVh7ZhSMV`$w%Ic~l-wz33sDOjoQ!5!m5`&2~EP9Ph3|kflg$qX`%2
z^a{dpOCwqn8vncwe%D5Gd>C8EC~gU}2@NMci>BofVl^}|9iEZx0%ZUqd#t=R
z_cuYN?mM`-vMjL4-QxkG-2;`8NDvAB@DXaqwlLrda5lXa5xAAuPQBFWm(r3vQnak
zJw>i1r%beN%$T>Z1VXhIPW^mbjUdWT!l*bLd~9h&T_4}G->KUB&1-%salOJF#Z}Gc
z=%$yk-Vhi~WPY-6rIy~K?7jy(*WkTyLSYxsI5uBOqL#1L$ARJA%{
zHMhys$Bdn=hpml$)}}i19HaMhO?lbTXKx2J#S{E&kg{WJ)6`%%@mK-%vX>{iblSQ$
zw($ZVotJxPZ3{u*ACK1@7R*Dj%I+pc^J{vIiI!?yufeJ&P2!&q&NoJsz7eAAcfOL6
zG?y68f$l53ht@bUWiTMun=UeZyfd)r+8fESt0
zzm|Aoln!Q2v9EHnLUH$Z>n!7F5Rl`PV3;$TzBSIt*jqi~=FsE$Nwa3taWH>r+j&$S
zHbIGZ{phV>cJ`H|LW%bTZqun)(mLqHapg3wGy6qjjg{?m9U*l^
zy>0i4#Yqh_!<4;t|IvA*inFzssKj{Uoy*z}aUIv&h2CvDB6>^|oE0}SJ9vX@*}PWQ
zZ1(+^wRLZb%PBPesEtLxu`q+ovF2xM^{oY$%*w{~toY`-3BQZ|ea)9QbB3+?!_{sD
z-<0iOj%sH~G!m!mbW$guG&5(Pj4h{3SlmGx@{-gJE`SDJ(smzCN@ZIN8($&RZ6Tp#
zS80r!@v-Q(bn;52w`_H7EfY(*>*6-@=$AI#UPfrar+}x~FT!0|S&W(ETO{KUA8CFw
zRBUdDWtT>fdIpW+=d^N1DqtOfLTY^uAsb`8g|+ZRX48v5-5U`!9Q~k2jGDErgeOsL
z@?Np%_rr5=2TB}h!}o9}Z3|wKVZY+7$>i+uM)7f`dNEqU#s|_(_6)x{-;j)|Y{zS!
z&eNN!*d)k{;4-dg!y{y11RhYvLoponc;xxmP@wY&zJA4%H%K;?5x3T+I5vsGKLzdr
zFAJkh+Wn4}X6MUStzy*ERO*I|OFVzqNh$>e4M8g7MVuG)LJe>{U~~U46;2-7!sgBo
z@W&5TEn!i;#J0{Ue8dLXQ`cwMekjzYsTd2j5diD$2{Uq1;oNGZ1uU?(6LTviXl=xkcM2Kz_;vn-*Y0sM&M=B
zeMt$1!p*K}&a0(q;%=M|h4roEl2Ii{#fMR~Q7UAUSXLUW(-Q)N`l=h2m3AWqG$VO>
zcTKCzakY*Sk%A$eKdH^Cq|z6V5>MMO976gE=-vd@?lt8X8U@U|Fi627{?qp*LGK^G5z0TGa
zmHr*EL0e8akZ^8k9W^_zm2(uS1U04EF`ov_Y^ZmwgkvTe5O|mt;)3lhzZ_`CX_zaR
zGw_fany*7}oEQ{lE7D&rsY28K^=oSk=7(7
z!1((k&Lg%eRenV)KIBQYQuvS0O1FbK!VkYXiU@`-mDuLrg&>*mqY%W?my_n%D1CgK
z702Q0XFzI`TiaP1Pnfu#Za2@nJuCh~eEjq@FXfx}#L3%aw9!xd*K(2*@HbM2#GNqC
z3cYIy-OJ=(m1zW;xJWh&sR%^kPVZSra0;)Z9x-tG>%7SW@@drk`SDNWr-sA_y-!-`
zsqHUdzY{+d=D;w*5a7Jv2`aYr-7P{lO`$G|-i5!&pzY*>%}?TACUfd>PQr=mHBLCZ
z$6gJ6-A3VT6l2He2*5#Dzl{9-dL|c_!n0$Rc-jqd3|Lqq=?Ln&79}~&FgZa~45hH`
zrr#bMY;?2Klrr*JPQYm~qhwG0f=r_oxH+-XMxN-dW;T<1Cc5Rub7~{lHb5fm`agMD
zSSM`l#s-TE?dUy{6pM|h;FpKfl3_w2@8^p@`jOGA*mz+HJsLaFg~KiCrX6Qua4hZ-
z$Y?s`&JgIHA~PPJ9X)i0AZCOpx+R&ixD1~ymBtU}5MVG!JJPUV13X-bID83a*U#SW
z_Q%{89thoAi1{dd+!V<2V+M*Am`(`yZBGuI*xc^p$I*WnHU~5t{KC!mPC6jS7afch
z#F1L5cLKJGJ@u)2PA8GgJ*
zy2$i5eL>oCYzv64QC7oCPLdXy#|~=y4j3pE_aBdB33l`k>gjtcYy|46_#YXr>waY(
zisDf#;MFTb;V3P%1Im+qy$U1sk77eM8m1|gHu`d8Ach@xSdPeRygM{qo-x(X3SJa7;h
z<1MKe$q2v?ljbi|;`$S?QsN}x?HM@R#)9^VCT(e1P$0>DE|PhK^?9E_6+WbEbaGj{
z{;c%qt94)L3ETrV!e5bG=*yJBtUuEjavJDoez8K|d0bTO--jO(q~SJAj!LK!?Qg+116u
z-ieluMb*;92K0VbaW%FAnYg@%MBf$HT;A{LvT<>~A6&Ws06^|982ts+zX19RntwqT
z!2W&!0B(Q5@-O_u>tE3h{}p5RH)Q%3?EiuZ9g8f;)7{?5)S33ZI{zrs(%w$&U5<^E
zR*aVwz{>VcDuDo2RvsXL0l-QF0MNYq$=jR$Z!W4%Mh*@j(|2t*BO7NB5{sg$xF)lN
ztBsAZk)7S&wotXObS8b@|Jf#tr0O6i=l7yX*_eUsKn@;OP7WqkX3l@L)w@4PlT^;q
z4MfTc0P?Vifs8GU?C40X9gJKooIysUZvUB_lleUZy1y!N|0Pz(`QQ5D|E0{_tp8%n
zTx{(BX3VSrw*M<*9?-T;T4_Rm{cg|`*Xd?~&hp_STlzR+!>Je}a7EQiO#3m5-eqza=g^bz$;l{6JR&3-92$E9rC^wg
z0;vbM1H>e=>OaBL9ewej&C%RV;%tRi{-fR4!M{;~Wll
zyO;$Kl1f2C!6RciV@jt>1X0x{TI7)?740MlM!S7-4kI3@
zrWZg5Nb7b-z?XtVR31ukbs$C2>3ERdRD+lyzg9}&ZbGH}RPHZ~7LkaZG2uqT{W1}O
z2egJlB_v15fTRCunOFsJ`jeU}hh2uQDPU4&<^f^)?i0)xMC{@W(oIn-0CvDDP&yJY
zqlK$u96B7o0O@OyETs`(R%kd*8%UR+_zJ;`kBNwhGSQa+U@zE743*pCh6-k-+|w!;
z*2B1_pIJjtVU|`=r2^Jt6dJ-})T2d&BNvWYv^<{F&pi%>nGjcZ(R0l;(YjaOx;lDi
zE_k+%WF8pwR{8U(*{*NS3i_{eB42)YcfHH^Hx#Mf$i92(cyYb`vme{hr3Px(?h^Q6
z-7ZNEo_idt8nL9-?((^Q3_H$!d%T*_YjOePmTTyF1;kD;1log)pqWS>axvrN~c0;KoT)p3o!za!k>w}8(Ga@4Zj
zwf#8|i&HGGuTvy`i2Qf*nWs?`$oxdT+vV_ae10klTg@aJosU;K@avgA?#t%4$ee6F
zgQ>OYJ9M?aFJsL${$4SQ`f8wCu-+)AlxFz21rFY?*o7SxQt#V7t_Ax}@GvtsN}@Cw
z!fzfFLW@Hc;isX@<6Qj?+}eP{xP%?er4
zESY!Xd>B5GszS{kANKLJx)+x=ZZA5YEFw}IeY`AR7@4$=a?9OLU*Sw=aj-b8zmowq
z*PI_ei;9)HG;^LphgQm;%e@w8;(
zz?%h(zemBe&{|H(1N)$*IV(F3z8bjg8seZ;3iPu{Ak^`75AVjFXcZJye5_1zjp@e~
z21p)gbVFSx=I>_TTl4l!FO}4tq*LVtw47UZ()N@Ml3{ZgIccoryy#d)uM+hqseTY9
z>Ay>-x!vk!i~%Ray?|uTJ2D+N@%rtx`I<6lK=ojRiq9T%r2WW-z`d@`>q_r%W9GMk
zw6|yDS7(;iAgho19Gc?6t^A53LspxgIgn+lMq8`4O*kBYU2S2*`&YSff2NXT_gGop
zLP+#JjAxA9iaRf9Qp*{r9;P7XGGKD1A|_pfALneo0~R%L$61i2l&88OW$ZWOSBxJ0
zz7ZXybk`qSVRqTpxBZAbA=_W#vi0+r{C>e6-|}?_>E7W`8CR*h*r9+ntXCTOnCtL%
zY)i2r@MqxZ!beR>oQ5pED@ydQq7ak;A9T@sxM5;ocDKGnK#-Mu-somS8;%cr|2aLM
z{veA`W2htg*hgpfPf1LD(*);vCPP~sOth=tsyP~}lxyR<@)Wt|PMAv~#+
zn5v{!m^F$hpT`FCq3@Hp7_9Qh#EW;#!4jvC>gC;rR%_))^zN_AMv9~P8)x-<0;~+^
z7<~GZq8+H%xt>97nF4~dOZkfhWwYG)7k(;cIwIva$*bi}_c3-`dyJuULlxA_qZ6+U
z6V2S=EA51^s!#W@p8jRwwz25zd%GpWbXJTgC|5?0&zPB48})sTxkGcdSpy`I&%}*p
zOjaz*fIUK2G#gsK)N@vO|Nr3BUU8$WUj-c$YzYoNgbiuWG!keHT5;Itj}q^
zIEbG=KOGu-M`v~j5J^8335x`vKJ}+vt8NgQl6JB6t&c{P`EZ}E1OIX+-3GF_>f*mBnjwv1sqXj;s+stiL5QBr4e
zHTLfDS5NuVxs0_dpG0)`OwE`7Z7WSMhlDQ63mo_GK!Oga^GpBHQ5Q1J@MVcn_~yp&
z09cvXF*qmHju*})(3nI9w*klMpqss%f3nr$k2;$fC2I@fwf2_jS{yeKlBA6d%iqn_
z*eko-EhR@D9csI!P~*pLDmhO=VI~Nj#{gQ7lr!D+ulnBAN$>gIJQqXQ4e1AP~zmb<|hR7z&I`i`gCy!A3&U@`?Lxf67G4tbQv}Ko)Q$-G$geUTT
z`tm-Iz<_ZLiNCesx9&MQI>lYVBzm(u)9vKUijR&6l!ryFn(!kLWncRxzi#o4Y9SookCvvi7?X~eTOcLSo
zGIJE9MHnvmqED|PJ6841gMmPjN;3|JZNk3
zOd;11AIgs-rwJ>r025{H4*97@l?=Jwc$|$?f+H9+A#CIFN8CObo=3bs7{DWb-LTLP
zPReh#y^IdOi<=d{1tgi%7-8=$xfG=GXNGo{>x355kJMAUgi+Gqbt3B+{8=5VrShDY
z%Tr8FiqIBG`#LD)CC{EkAwh5J%^00_;>K2wkoAvBxvvd
zl`P0MZ0A~cb?HqvHR$H~n$%^nO|Sf_YtN~5zKOehdM5i``O^6qzc8CI;JNplNPQ{&
zvVu+gv0Y3Fvd(*fHE9F-<2UEX=Jn}_UMQ=}lI3*!58wUK=k*LNy+2W4f%bOqG_k0d
zHbpsdvw3Zb@7+DpR_(UW78kN&hbrtYS8+&)w@TV<6NE~M**`1P3R+z*6}(pZ*4pBp
zpc91bF$kfHEMp~Kc$x-QU
zBd*fvS+@zO+&x}DNq332CtKm;Tl@)`8EUv9gz%aGFXdhc<~{j>+SJj#hp>3g)J@#*
zxhT$tp6!sY4509h`wj~AXNFxDF4U9n$HilAsg`7Jf0=8J6rKC}m67v2eN)?}8n?<<
z8piD!qfmp~=#8=46y)vullEt|#)$lI{cUSq6!$o%yt|2MdbR(_PpAe`=~O{lcIF<$MAVkC=H4q=mpAbeQ@)a3JK
zN3EJmST*IQ4_9UiCS12*p+U#X&ASFY(tzylnf@6
zGg@=JHa+790{JkN*LYAUY5!J8isAb)IX
zIp7jP`fk#4!^P@o^J+~xZ9ieuycCx|_8>Z7AP1-z;*SSJZK?r4hj%6@?P8xe8uX!9
zg2y(IJYaQU7rJ#L6j|$2&sOJPt_>j>gN_XmSM%8Ppb&$L{%M8FRhP1^WXq(>!cn9f
zr0KL+4-cZQWM`!RX%-MW1pl;^2Tp-Ri(u1&k)K!Q8FBweUx@e7_TLt-bW-o~mO%ZU
z&$}H!!QjJto@wXRP>vncHCzRT-d>3^O>1D-5;onec$4$C1@nnbg{?F9PZ6Cl8bEvG?;O>YxlWlR|G1W+0&&?uQ>(N$R
zZ}G$twYGhm-;f4gW&l<;PEe@}5r9|%fjSUfJfyJk>39pHyH>co#pdu_=Mihd7+bgT
zW<#hgtRPU{aiU6d_I<3huIoNdB~FXf(dE)v$Y<8X;d&rTU-JxOl^Urn0IalDjnOMY
zS_^ZKmKDI+KsA~X*_X2o#K@Sa;xpU~^D3e>1;f?nG|zdmS-|LYs|WbcA~0l(ziS4(mwMvN_@Pw@hnCmt>%mg
zr>o=(YA{6}8X@dZx8pS0mjEEZ&}}y`)JPME5ZVpEg)H1;=Z02{ROyS92G})uC}KLe
zIH;#hB2B_>>jEZWf3+%(2hr7MHnSW5eKG>P#LHP_Qj{v9l|jk$g{pX1le#9dzRw1Y
zd)@rPB>#11>{k8H5pH(&=Gyp~3_c6Q9{0a3gU5SWX&|9zA=CG!gu0uMhG~dUlFc5X
z|1`!d_r8MUpPr$fn8Nsy|F(}C)^6wdW|puIiF}r1F%8|aKEgimJj4Xy1b7~Hfp7slk7VMTC0k9>%hL<0rkm%P2UW8j@f?Aw1zvdu&D_8W
zkk4aCpAhR)aWRQ7iJS?E{=Mn(PG+o~&o5fXatP88s(VV6l-rl3)z$Y?Mtc}|sw6g2~$$Ow`+
zO~e&xWEHIx83QcTFp{uj*nAFXO55#)Z#MGyJP$k5byC~><@OgweVbM#pGk_nzk<3}
nw)`73(T=jq{~QLKU5uPuJe=OY`|qDvAb<;rib`BT0_i^h3Iy07

literal 0
HcmV?d00001


From cb7ed14c711833cd6d0b557a708bc557c1a1f427 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 1 Oct 2023 02:56:33 +0200
Subject: [PATCH 304/331] Remove old html doc

---
 docs/saml2/.buildinfo                         |    4 -
 docs/saml2/_modules/index.html                |  100 -
 docs/saml2/_modules/saml2/auth.html           |  457 -
 docs/saml2/_modules/saml2/authn_request.html  |  172 -
 docs/saml2/_modules/saml2/constants.html      |  162 -
 docs/saml2/_modules/saml2/errors.html         |  131 -
 docs/saml2/_modules/saml2/logout_request.html |  368 -
 .../saml2/_modules/saml2/logout_response.html |  279 -
 docs/saml2/_modules/saml2/metadata.html       |  286 -
 docs/saml2/_modules/saml2/response.html       |  529 -
 docs/saml2/_modules/saml2/settings.html       |  692 --
 docs/saml2/_modules/saml2/utils.html          |  802 --
 docs/saml2/_sources/index.txt                 |   23 -
 docs/saml2/_sources/saml2.txt                 |   83 -
 docs/saml2/_static/ajax-loader.gif            |  Bin 673 -> 0 bytes
 docs/saml2/_static/basic.css                  |  540 -
 docs/saml2/_static/comment-bright.png         |  Bin 3500 -> 0 bytes
 docs/saml2/_static/comment-close.png          |  Bin 3578 -> 0 bytes
 docs/saml2/_static/comment.png                |  Bin 3445 -> 0 bytes
 docs/saml2/_static/default.css                |  256 -
 docs/saml2/_static/doctools.js                |  247 -
 docs/saml2/_static/down-pressed.png           |  Bin 368 -> 0 bytes
 docs/saml2/_static/down.png                   |  Bin 363 -> 0 bytes
 docs/saml2/_static/file.png                   |  Bin 392 -> 0 bytes
 docs/saml2/_static/jquery.js                  | 9404 -----------------
 docs/saml2/_static/minus.png                  |  Bin 199 -> 0 bytes
 docs/saml2/_static/plus.png                   |  Bin 199 -> 0 bytes
 docs/saml2/_static/pygments.css               |   62 -
 docs/saml2/_static/searchtools.js             |  567 -
 docs/saml2/_static/sidebar.js                 |  151 -
 docs/saml2/_static/underscore.js              | 1226 ---
 docs/saml2/_static/up-pressed.png             |  Bin 372 -> 0 bytes
 docs/saml2/_static/up.png                     |  Bin 363 -> 0 bytes
 docs/saml2/_static/websupport.js              |  808 --
 docs/saml2/genindex.html                      |  940 --
 docs/saml2/index.html                         |  141 -
 docs/saml2/objects.inv                        |  Bin 1959 -> 0 bytes
 docs/saml2/py-modindex.html                   |  153 -
 docs/saml2/saml2.html                         | 2043 ----
 docs/saml2/search.html                        |  106 -
 docs/saml2/searchindex.js                     |    1 -
 41 files changed, 20733 deletions(-)
 delete mode 100644 docs/saml2/.buildinfo
 delete mode 100644 docs/saml2/_modules/index.html
 delete mode 100644 docs/saml2/_modules/saml2/auth.html
 delete mode 100644 docs/saml2/_modules/saml2/authn_request.html
 delete mode 100644 docs/saml2/_modules/saml2/constants.html
 delete mode 100644 docs/saml2/_modules/saml2/errors.html
 delete mode 100644 docs/saml2/_modules/saml2/logout_request.html
 delete mode 100644 docs/saml2/_modules/saml2/logout_response.html
 delete mode 100644 docs/saml2/_modules/saml2/metadata.html
 delete mode 100644 docs/saml2/_modules/saml2/response.html
 delete mode 100644 docs/saml2/_modules/saml2/settings.html
 delete mode 100644 docs/saml2/_modules/saml2/utils.html
 delete mode 100644 docs/saml2/_sources/index.txt
 delete mode 100644 docs/saml2/_sources/saml2.txt
 delete mode 100644 docs/saml2/_static/ajax-loader.gif
 delete mode 100644 docs/saml2/_static/basic.css
 delete mode 100644 docs/saml2/_static/comment-bright.png
 delete mode 100644 docs/saml2/_static/comment-close.png
 delete mode 100644 docs/saml2/_static/comment.png
 delete mode 100644 docs/saml2/_static/default.css
 delete mode 100644 docs/saml2/_static/doctools.js
 delete mode 100644 docs/saml2/_static/down-pressed.png
 delete mode 100644 docs/saml2/_static/down.png
 delete mode 100644 docs/saml2/_static/file.png
 delete mode 100644 docs/saml2/_static/jquery.js
 delete mode 100644 docs/saml2/_static/minus.png
 delete mode 100644 docs/saml2/_static/plus.png
 delete mode 100644 docs/saml2/_static/pygments.css
 delete mode 100644 docs/saml2/_static/searchtools.js
 delete mode 100644 docs/saml2/_static/sidebar.js
 delete mode 100644 docs/saml2/_static/underscore.js
 delete mode 100644 docs/saml2/_static/up-pressed.png
 delete mode 100644 docs/saml2/_static/up.png
 delete mode 100644 docs/saml2/_static/websupport.js
 delete mode 100644 docs/saml2/genindex.html
 delete mode 100644 docs/saml2/index.html
 delete mode 100644 docs/saml2/objects.inv
 delete mode 100644 docs/saml2/py-modindex.html
 delete mode 100644 docs/saml2/saml2.html
 delete mode 100644 docs/saml2/search.html
 delete mode 100644 docs/saml2/searchindex.js

diff --git a/docs/saml2/.buildinfo b/docs/saml2/.buildinfo
deleted file mode 100644
index 5e197dbf..00000000
--- a/docs/saml2/.buildinfo
+++ /dev/null
@@ -1,4 +0,0 @@
-# Sphinx build info version 1
-# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
-config: e10660514f5c62e16e90878c60a15170
-tags: fbb0d17656682115ca4d033fb2f83ba1
diff --git a/docs/saml2/_modules/index.html b/docs/saml2/_modules/index.html
deleted file mode 100644
index 12fa0756..00000000
--- a/docs/saml2/_modules/index.html
+++ /dev/null
@@ -1,100 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    Overview: module code — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-          
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    All modules for which code is available
    
-
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/auth.html b/docs/saml2/_modules/saml2/auth.html
deleted file mode 100644
index 494ef85c..00000000
--- a/docs/saml2/_modules/saml2/auth.html
+++ /dev/null
@@ -1,457 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.auth — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.auth
    -# -*- coding: utf-8 -*-
-
-
-from base64 import b64encode
-from urllib import urlencode, quote
-from xml.etree.ElementTree import tostring
-
-import dm.xmlsec.binding as xmlsec
-
-from saml2.settings import OneLogin_Saml2_Settings
-from saml2.response import OneLogin_Saml2_Response
-from saml2.errors import OneLogin_Saml2_Error
-from saml2.logout_response import OneLogin_Saml2_Logout_Response
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.utils import OneLogin_Saml2_Utils
-from saml2.logout_request import OneLogin_Saml2_Logout_Request
-from saml2.authn_request import OneLogin_Saml2_Authn_Request
-
-
-
    [docs]class OneLogin_Saml2_Auth(object):
-
-    def __init__(self, request_data, old_settings=None):
-        """
-        Initializes the SP SAML instance.
-
-        Arguments are:
-            * (dict)   old_settings. Setting data
-        """
-        self.__request_data = request_data
-        self.__settings = OneLogin_Saml2_Settings(old_settings)
-        self.__attributes = []
-        self.__nameid = ''
-        self.__authenticated = False
-        self.__errors = []
-
-
    [docs]    def get_settings(self):
-        """
-        Returns the settings info
-        :return: Setting info
-        :rtype: OneLogin_Saml2_Setting object
-        """
-        return self.__settings
-
    
-
    [docs]    def set_strict(self, value):
-        """
-        Set the strict mode active/disable
-
-        :param value:
-        :type value: bool
-        """
-        assert isinstance(value, bool)
-        self.__settings.set_strict(value)
-
    
-
    [docs]    def process_response(self, request_id=None):
-        """
-        Process the SAML Response sent by the IdP.
-
-        :param request_id: Is an optional argument. Is the ID of the AuthNRequest sent by this SP to the IdP.
-        :type request_id: string
-
-        :raises: OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
-        """
-        self.__errors = []
-
-        if 'post_data' in self.__request_data and 'SAMLResponse' in self.__request_data['post_data']:
-            # AuthnResponse -- HTTP_POST Binding
-            response = OneLogin_Saml2_Response(self.__settings, self.__request_data['post_data']['SAMLResponse'])
-
-            if response.is_valid(request_id):
-                self.__attributes = response.get_attributes()
-                self.__nameid = response.get_nameid()
-                self.__authenticated = True
-            else:
-                self.__errors.append('invalid_response')
-
-        else:
-            self.__errors.append('invalid_binding')
-            raise OneLogin_Saml2_Error(
-                'SAML Response not found, Only supported HTTP_POST Binding',
-                OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND
-            )
-
    
-
    [docs]    def process_slo(self, keep_local_session=False, request_id=None, delete_session_cb=None):
-        """
-        Process the SAML Logout Response / Logout Request sent by the IdP.
-
-        :param keep_local_session: When false will destroy the local session, otherwise will destroy it
-        :type keep_local_session: bool
-
-        :param request_id: The ID of the LogoutRequest sent by this SP to the IdP
-        :type request_id: string
-
-        :returns: Redirection url
-        """
-        self.__errors = []
-
-        if 'get_data' in self.__request_data and 'SAMLResponse' in self.__request_data['get_data']:
-            logout_response = OneLogin_Saml2_Logout_Response(self.__settings, self.__request_data['get_data']['SAMLResponse'])
-            if not logout_response.is_valid(self.__request_data, request_id):
-                self.__errors.append('invalid_logout_response')
-            elif logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
-                self.__errors.append('logout_not_success')
-            elif not keep_local_session:
-                OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
-
-        elif 'get_data' in self.__request_data and 'SAMLRequest' in self.__request_data['get_data']:
-            request = OneLogin_Saml2_Utils.decode_base64_and_inflate(self.__request_data['get_data']['SAMLRequest'])
-            if not OneLogin_Saml2_Logout_Request.is_valid(self.__settings, request, self.__request_data):
-                self.__errors.append('invalid_logout_request')
-            else:
-                if not keep_local_session:
-                    OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
-
-                in_response_to = OneLogin_Saml2_Logout_Request.get_id(request)
-                response_builder = OneLogin_Saml2_Logout_Response(self.__settings)
-                response_builder.build(in_response_to)
-                logout_response = response_builder.get_response()
-
-                parameters = {'SAMLResponse': logout_response}
-                if 'RelayState' in self.__request_data['get_data']:
-                    parameters['RelayState'] = self.__request_data['get_data']['RelayState']
-
-                security = self.__settings.get_security_data()
-                if 'logoutResponseSigned' in security and security['logoutResponseSigned']:
-                    signature = self.build_response_signature(logout_response, parameters.get('RelayState', None))
-                    parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
-                    parameters['Signature'] = signature
-
-                return self.redirect_to(self.get_slo_url(), parameters)
-
-        else:
-            self.__errors.append('invalid_binding')
-            raise OneLogin_Saml2_Error(
-                'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
-                OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND
-            )
-
    
-
    [docs]    def redirect_to(self, url=None, parameters={}):
-        """
-        Redirects the user to the url past by parameter or to the url that we defined in our SSO Request.
-
-        :param url: The target URL to redirect the user
-        :type url: string
-        :param parameters: Extra parameters to be passed as part of the url
-        :type parameters: dict
-
-        :returns: Redirection url
-        """
-        if url is None and 'RelayState' in self.__request_data['get_data']:
-            url = self.__request_data['get_data']['RelayState']
-        return OneLogin_Saml2_Utils.redirect(url, parameters, request_data=self.__request_data)
-
    
-
    [docs]    def is_authenticated(self):
-        """
-        Checks if the user is authenticated or not.
-
-        :returns: True if is authenticated, False if not
-        :rtype: bool
-        """
-        return self.__authenticated
-
    
-
    [docs]    def get_attributes(self):
-        """
-        Returns the set of SAML attributes.
-
-        :returns: SAML attributes
-        :rtype: dict
-        """
-        return self.__attributes
-
    
-
    [docs]    def get_nameid(self):
-        """
-        Returns the nameID.
-
-        :returns: NameID
-        :rtype: string
-        """
-        return self.__nameid
-
    
-
    [docs]    def get_errors(self):
-        """
-        Returns a list with code errors if something went wrong
-
-        :returns: List of errors
-        :rtype: list
-        """
-        return self.__errors
-
    
-
    [docs]    def get_attribute(self, name):
-        """
-        Returns the requested SAML attribute.
-
-        :param name: Name of the attribute
-        :type name: string
-
-        :returns: Attribute value if exists or None
-        :rtype: string
-        """
-        assert isinstance(name, basestring)
-        value = None
-        if name in self.__attributes.keys():
-            value = self.__attributes[name]
-        return value
-
    
-
    [docs]    def login(self, return_to=None):
-        """
-        Initiates the SSO process.
-
-        :param return_to: Optional argument. The target URL the user should be redirected to after login.
-        :type return_to: string
-
-        :returns: Redirection url
-        """
-        authn_request = OneLogin_Saml2_Authn_Request(self.__settings)
-
-        saml_request = authn_request.get_request()
-        parameters = {'SAMLRequest': saml_request}
-
-        if return_to is not None:
-            parameters['RelayState'] = return_to
-        else:
-            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self.__request_data)
-
-        security = self.__settings.get_security_data()
-        if security.get('authnRequestsSigned', False):
-            parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
-            parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'])
-        return self.redirect_to(self.get_sso_url(), parameters)
-
    
-
    [docs]    def logout(self, return_to=None, name_id=None, session_index=None):
-        """
-        Initiates the SLO process.
-
-        :param return_to: Optional argument. The target URL the user should be redirected to after logout.
-        :type return_to: string
-        :param name_id: Optional argument. The NameID that will be set in the LogoutRequest.
-        :type name_id: string
-        :param session_index: Optional argument. SessionIndex that identifies the session of the user.
-        :type session_index: string
-        :returns: Redirection url
-        """
-        slo_url = self.get_slo_url()
-        if slo_url is None:
-            raise OneLogin_Saml2_Error(
-                'The IdP does not support Single Log Out',
-                OneLogin_Saml2_Error.SAML_SINGLE_LOGOUT_NOT_SUPPORTED
-            )
-
-        logout_request = OneLogin_Saml2_Logout_Request(self.__settings)
-
-        saml_request = logout_request.get_request()
-
-        parameters = {'SAMLRequest': logout_request.get_request()}
-        if return_to is not None:
-            parameters['RelayState'] = return_to
-        else:
-            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self.__request_data)
-
-        security = self.__settings.get_security_data()
-        if security.get('logoutRequestSigned', False):
-            parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
-            parameters['Signature'] = self.build_request_signature(saml_request, parameters['RelayState'])
-        return self.redirect_to(slo_url, parameters)
-
    
-
    [docs]    def get_sso_url(self):
-        """
-        Gets the SSO url.
-
-        :returns: An URL, the SSO endpoint of the IdP
-        :rtype: string
-        """
-        idp_data = self.__settings.get_idp_data()
-        return idp_data['singleSignOnService']['url']
-
    
-
    [docs]    def get_slo_url(self):
-        """
-        Gets the SLO url.
-
-        :returns: An URL, the SLO endpoint of the IdP
-        :rtype: string
-        """
-        url = None
-        idp_data = self.__settings.get_idp_data()
-        if 'singleLogoutService' in idp_data.keys() and 'url' in idp_data['singleLogoutService']:
-            url = idp_data['singleLogoutService']['url']
-        return url
-
    
-
    [docs]    def build_request_signature(self, saml_request, relay_state):
-        """
-        Builds the Signature of the SAML Request.
-
-        :param saml_request: The SAML Request
-        :type saml_request: string
-
-        :param relay_state: The target URL the user should be redirected to
-        :type relay_state: string
-        """
-        if not self.__settings.check_sp_certs():
-            raise OneLogin_Saml2_Error(
-                "Trying to sign the SAML Request but can't load the SP certs",
-                OneLogin_Saml2_Error.SP_CERTS_NOT_FOUND
-            )
-
-        xmlsec.initialize()
-
-        # Load the key into the xmlsec context
-        key = self.__settings.get_sp_key()
-        file_key = OneLogin_Saml2_Utils.write_temp_file(key)  # FIXME avoid writing a file
-
-        dsig_ctx = xmlsec.DSigCtx()
-        dsig_ctx.signKey = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
-        file_key.close()
-
-        data = {
-            'SAMLRequest': quote(saml_request),
-            'RelayState': quote(relay_state),
-            'SignAlg': quote(OneLogin_Saml2_Constants.RSA_SHA1),
-        }
-        msg = urlencode(data)
-        signature = dsig_ctx.signBinary(msg, xmlsec.TransformRsaSha1)
-        return b64encode(signature)
-
    
-
    [docs]    def build_response_signature(self, saml_response, relay_state):
-        """
-        Builds the Signature of the SAML Response.
-        :param saml_request: The SAML Response
-        :type saml_request: string
-
-        :param relay_state: The target URL the user should be redirected to
-        :type relay_state: string
-        """
-        if not self.__settings.check_sp_certs():
-            raise OneLogin_Saml2_Error(
-                "Trying to sign the SAML Response but can't load the SP certs",
-                OneLogin_Saml2_Error.SP_CERTS_NOT_FOUND
-            )
-
-        xmlsec.initialize()
-
-        # Load the key into the xmlsec context
-        key = self.__settings.get_sp_key()
-        file_key = OneLogin_Saml2_Utils.write_temp_file(key)  # FIXME avoid writing a file
-
-        dsig_ctx = xmlsec.DSigCtx()
-        dsig_ctx.signKey = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
-        file_key.close()
-
-        data = {
-            'SAMLResponse': quote(saml_response),
-            'RelayState': quote(relay_state),
-            'SignAlg': quote(OneLogin_Saml2_Constants.RSA_SHA1),
-        }
-        msg = urlencode(data)
-        import pdb; dbp.set_trace()
-        print msg
-        data2 = {
-            'SAMLResponse': saml_response,
-            'RelayState': relay_state,
-            'SignAlg': OneLogin_Saml2_Constants.RSA_SHA1,
-        }
-        msg2 = urlencode(data2)
-        print msg2
-        signature = dsig_ctx.signBinary(msg, xmlsec.TransformRsaSha1)
-        return b64encode(signature)
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/authn_request.html b/docs/saml2/_modules/saml2/authn_request.html
deleted file mode 100644
index 2bd22b2f..00000000
--- a/docs/saml2/_modules/saml2/authn_request.html
+++ /dev/null
@@ -1,172 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.authn_request — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.authn_request
    -# -*- coding: utf-8 -*-
-
-from base64 import b64encode
-from datetime import datetime
-from zlib import compress
-
-from saml2.utils import OneLogin_Saml2_Utils
-from saml2.constants import OneLogin_Saml2_Constants
-
-
-
    [docs]class OneLogin_Saml2_Authn_Request:
-
-    def __init__(self, settings):
-        """
-        Constructs the AuthnRequest object.
-
-        Arguments are:
-            * (OneLogin_Saml2_Settings)   settings. Setting data
-        """
-        self.__settings = settings
-
-        sp_data = self.__settings.get_sp_data()
-        security = self.__settings.get_security_data()
-
-        uid = OneLogin_Saml2_Utils.generate_unique_id()
-        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
-            int(datetime.now().strftime("%s"))
-        )
-
-        name_id_policy_format = sp_data['NameIDFormat']
-        if 'wantNameIdEncrypted' in security and security['wantNameIdEncrypted']:
-            name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
-
-        provider_name_str = ''
-        organization_data = settings.get_organization()
-        if isinstance(organization_data, dict):
-            langs = organization_data.keys()
-            if 'en-US' in langs:
-                lang = 'en-US'
-            else:
-                lang = langs[0]
-            if 'displayname' in organization_data[lang] and organization_data[lang]['displayname'] is not None:
-                provider_name_str = 'ProviderName="%s"' % organization_data[lang]['displayname']
-
-        request = """<samlp:AuthnRequest
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    ID="%(id)s"
-    Version="2.0"
-    %(provider_name)s
-    IssueInstant="%(issue_instant)s"
-    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-    AssertionConsumerServiceURL="%(assertion_url)s">
-    <saml:Issuer>%(entity_id)s</saml:Issuer>
-    <samlp:NameIDPolicy
-        Format="%(name_id_policy)s"
-        AllowCreate="true" />
-    <samlp:RequestedAuthnContext Comparison="exact">
-        <saml:AuthnContextMethodRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextMethodRef>
-    </samlp:RequestedAuthnContext>
-</samlp:AuthnRequest>""" % {
-            'id': uid,
-            'provider_name': provider_name_str,
-            'issue_instant': issue_instant,
-            'assertion_url': sp_data['assertionConsumerService']['url'],
-            'entity_id': sp_data['entityId'],
-            'name_id_policy': name_id_policy_format,
-        }
-
-        self.__authn_request = request
-
-
    [docs]    def get_request(self):
-        """
-        Returns unsigned AuthnRequest.
-        :return: Unsigned AuthnRequest
-        :rtype: str object
-        """
-        deflated_request = compress(self.__authn_request)[2:-4]
-        return b64encode(deflated_request)
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/constants.html b/docs/saml2/_modules/saml2/constants.html
deleted file mode 100644
index 1b0af52f..00000000
--- a/docs/saml2/_modules/saml2/constants.html
+++ /dev/null
@@ -1,162 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.constants — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.constants
    -# -*- coding: utf-8 -*-
-
-
-
    [docs]class OneLogin_Saml2_Constants:
-    # Value added to the current time in time condition validations
-    ALOWED_CLOCK_DRIFT = 180
-
-    # NameID Formats
-    NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
-    NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
-    NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'
-    NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'
-    NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
-    NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
-    NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
-    NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted'
-
-    # Attribute Name Formats
-    ATTRNAME_FORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'
-    ATTRNAME_FORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
-    ATTRNAME_FORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
-
-    # Namespaces
-    NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
-    NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
-    NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/'
-    NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
-    NS_XS = 'http://www.w3.org/2001/XMLSchema'
-    NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
-    NS_XENC = 'http://www.w3.org/2001/04/xmlenc#'
-    NS_DS = 'http://www.w3.org/2000/09/xmldsig#'
-
-    # Bindings
-    BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
-    BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
-    BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
-    BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
-    BINDING_DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE'
-
-    # Auth Context Method
-    AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
-    AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
-    AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'
-    AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'
-    AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
-
-    # Subject Confirmation
-    CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
-    CM_HOLDER_KEY = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'
-    CM_SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
-
-    # Status Codes
-    STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
-    STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester'
-    STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder'
-    STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch'
-    STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive'
-    STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
-    STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'
-
-    # Crypto
-    RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
-
-    NSMAP = {
-        'samlp': NS_SAMLP,
-        'saml': NS_SAML,
-        'ds': NS_DS,
-        'xenc': NS_XENC
-    }
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/errors.html b/docs/saml2/_modules/saml2/errors.html
deleted file mode 100644
index ea6894b1..00000000
--- a/docs/saml2/_modules/saml2/errors.html
+++ /dev/null
@@ -1,131 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.errors —  SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.errors
    -# -*- coding: utf-8 -*-
-
-
-
    [docs]class OneLogin_Saml2_Error(Exception):
-
-    # Errors
-    SETTINGS_FILE_NOT_FOUND = 0
-    SETTINGS_INVALID_SYNTAX = 1
-    SETTINGS_INVALID = 2
-    METADATA_SP_INVALID = 3
-    SP_CERTS_NOT_FOUND = 4
-    REDIRECT_INVALID_URL = 5
-    PUBLIC_CERT_FILE_NOT_FOUND = 6
-    PRIVATE_KEY_FILE_NOT_FOUND = 7
-    SAML_RESPONSE_NOT_FOUND = 8
-    SAML_LOGOUTMESSAGE_NOT_FOUND = 9
-    SAML_LOGOUTREQUEST_INVALID = 10
-    SAML_LOGOUTRESPONSE_INVALID = 11
-    SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12
-
-    def __init__(self, message, code=0, errors=None):
-        """
-        Initializes the Exception instance.
-
-        Arguments are:
-            * (str)   message.   Describes the error.
-            * (int)   code.      The code error (defined in the error class).
-        """
-        from saml2.utils import _
-
-        assert isinstance(message, basestring)
-        assert isinstance(code, int)
-
-        if errors is not None:
-            message = message % errors
-
-        Exception.__init__(self, _(message))
-        self.code = code
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/logout_request.html b/docs/saml2/_modules/saml2/logout_request.html
deleted file mode 100644
index ceb9779f..00000000
--- a/docs/saml2/_modules/saml2/logout_request.html
+++ /dev/null
@@ -1,368 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.logout_request — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.logout_request
    -# -*- coding: utf-8 -*-
-
-from base64 import b64decode
-from datetime import datetime
-from lxml import etree
-from os.path import basename
-from urllib import urlencode
-from urlparse import parse_qs
-from xml.dom.minidom import Document, parseString
-
-import dm.xmlsec.binding as xmlsec
-
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.utils import OneLogin_Saml2_Utils
-
-
-
    [docs]class OneLogin_Saml2_Logout_Request:
-
-    def __init__(self, settings,request=None,name_id=None, session_index=None):
-        """
-        Constructs the Logout Request object.
-
-        Arguments are:
-            * (OneLogin_Saml2_Settings)   settings. Setting data
-        """
-        self.__settings = settings
-
-        sp_data = self.__settings.get_sp_data()
-        idp_data = self.__settings.get_idp_data()
-        security = self.__settings.get_security_data()
-
-        uid = OneLogin_Saml2_Utils.generate_unique_id()
-        name_id_value = OneLogin_Saml2_Utils.generate_unique_id()
-        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(int(datetime.now().strftime("%s")))
-
-        key = None
-        if 'nameIdEncrypted' in security and security['nameIdEncrypted']:
-            key = idp_data['x509cert']
-
-        name_id = OneLogin_Saml2_Utils.generate_name_id(
-            name_id_value,
-            sp_data['entityId'],
-            sp_data['NameIDFormat'],
-            key
-        )
-
-        logout_request = """<samlp:LogoutRequest
-    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-    ID="%(id)s"
-    Version="2.0"
-    IssueInstant="%(issue_instant)s"
-    Destination="%(single_logout_url)s">
-    <saml:Issuer>%(entity_id)s</saml:Issuer>
-    %(name_id)s
-</samlp:LogoutRequest>""" % {
-            'id': uid,
-            'issue_instant': issue_instant,
-            'single_logout_url': idp_data['singleLogoutService']['url'],
-            'entity_id': sp_data['entityId'],
-            'name_id': name_id,
-        }
-
-        self.__logout_request = logout_request
-
-
    [docs]    def get_request(self):
-        """
-        Returns the Logout Request defated, base64encoded
-        :return: Deflated base64 encoded Logout Request
-        :rtype: str object
-        """
-        return OneLogin_Saml2_Utils.deflate_and_base64_encode(self.__logout_request)
-
    
-    @staticmethod
-
    [docs]    def get_id(request):
-        """
-        Returns the ID of the Logout Request
-        :param request: Logout Request Message
-        :type request: string|DOMDocument
-        :return: string ID
-        :rtype: str object
-        """
-        if isinstance(request, Document):
-            dom = request
-        else:
-            dom = parseString(request)
-        return dom.documentElement.getAttribute('ID')
-
    
-    @staticmethod
-
    [docs]    def get_name_id_data(request, key=None):
-        """
-        Gets the NameID Data of the the Logout Request
-        :param request: Logout Request Message
-        :type request: string|DOMDocument
-        :param key: The SP key
-        :type key: string
-        :return: Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
-        :rtype: dict
-        """
-        if isinstance(request, Document):
-            request = request.toxml()
-        dom = etree.fromstring(request)
-        name_id = None
-
-        encrypted_entries = OneLogin_Saml2_Utils.query(dom, '/samlp:LogoutRequest/saml:EncryptedID')
-
-        if len(encrypted_entries) == 1:
-            if key is None:
-                raise Exception('Key is required in order to decrypt the NameID')
-
-            elem = parseString(etree.tostring(encrypted_entries[0]))
-            encrypted_data_nodes = elem.documentElement.getElementsByTagName('xenc:EncryptedData')
-            encrypted_data = encrypted_data_nodes[0]
-
-            xmlsec.initialize()
-
-            # Load the key into the xmlsec context
-            file_key = OneLogin_Saml2_Utils.write_temp_file(key)  # FIXME avoid writing a file
-            enc_key = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
-            enc_key.name = basename(file_key.name)
-            file_key.close()
-            enc_ctx = xmlsec.EncCtx()
-            enc_ctx.encKey = enc_key
-
-            name_id = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, enc_ctx)
-        else:
-            entries = OneLogin_Saml2_Utils.query(dom, '/samlp:LogoutRequest/saml:NameID')
-            if len(entries) == 1:
-                name_id = entries[0]
-
-        if name_id is None:
-            raise Exception('Not NameID found in the Logout Request')
-
-        name_id_data = {
-            'Value': name_id.text
-        }
-        for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
-            if attr in name_id.attrib.keys():
-                name_id_data[attr] = name_id.attrib[attr]
-
-        return name_id_data
-
    
-    @staticmethod
-
    [docs]    def get_name_id(request, key=None):
-        """
-        Gets the NameID of the Logout Request Message
-        :param request: Logout Request Message
-        :type request: string|DOMDocument
-        :param key: The SP key
-        :type key: string
-        :return: Name ID Value
-        :rtype: string
-        """
-        name_id = OneLogin_Saml2_Logout_Request.get_name_id_data(request, key)
-        return name_id['Value']
-
    
-    @staticmethod
-
    [docs]    def get_issuer(request):
-        """
-        Gets the Issuer of the Logout Request Message
-        :param request: Logout Request Message
-        :type request: string|DOMDocument
-        :return: The Issuer
-        :rtype: string
-        """
-        if isinstance(request, Document):
-            request = request.toxml()
-        dom = etree.fromstring(request)
-
-        issuer = None
-        issuer_nodes = OneLogin_Saml2_Utils.query(dom, '/samlp:LogoutRequest/saml:Issuer')
-        if len(issuer_nodes) == 1:
-            issuer = issuer_nodes[0].text
-        return issuer
-
    
-    @staticmethod
-
    [docs]    def get_session_indexes(request):
-        """
-        Gets the SessionIndexes from the Logout Request
-        :param request: Logout Request Message
-        :type request: string|DOMDocument
-        :return: The SessionIndex value
-        :rtype: list
-        """
-        if isinstance(request, Document):
-            request = request.toxml()
-        dom = etree.fromstring(request)
-
-        session_indexes = []
-        session_index_nodes = OneLogin_Saml2_Utils.query(dom, '/samlp:LogoutRequest/samlp:SessionIndex')
-        for session_index_node in session_index_nodes:
-            session_indexes.append(session_index_node.text)
-        return session_indexes
-
    
-    @staticmethod
-
    [docs]    def is_valid(settings, request, get_data, debug=False):
-        """
-        Checks if the Logout Request recieved is valid
-        :param settings: Settings
-        :type settings: OneLogin_Saml2_Settings
-        :param request: Logout Request Message
-        :type request: string|DOMDocument
-        :return: If the Logout Request is or not valid
-        :rtype: boolean
-        """
-        try:
-            if isinstance(request, Document):
-                dom = request
-            else:
-                dom = parseString(request)
-
-            idp_data = settings.get_idp_data()
-            idp_entity_id = idp_data['entityId']
-
-            if settings.is_strict():
-                res = OneLogin_Saml2_Utils.validate_xml(dom, 'saml-schema-protocol-2.0.xsd', debug)
-                if not isinstance(res, Document):
-                    raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
-
-                security = settings.get_security_data()
-
-                current_url = OneLogin_Saml2_Utils.get_self_url_no_query(get_data)
-
-                # Check NotOnOrAfter
-                if dom.documentElement.hasAttribute('NotOnOrAfter'):
-                    na = OneLogin_Saml2_Utils.parse_SAML_to_time(dom.documentElement.getAttribute('NotOnOrAfter'))
-                    if na <= datetime.now():
-                        raise Exception('Timing issues (please check your clock settings)')
-
-                # Check destination
-                if dom.documentElement.hasAttribute('Destination'):
-                    destination = dom.documentElement.getAttribute('Destination')
-                    if destination is not None:
-                        if current_url not in destination:
-                            raise Exception('The LogoutRequest was received at $currentURL instead of $destination')
-
-                # Check issuer
-                issuer = OneLogin_Saml2_Logout_Request.get_issuer(dom)
-                if issuer is None or issuer != idp_entity_id:
-                    raise Exception('Invalid issuer in the Logout Request')
-
-                if security['wantMessagesSigned']:
-                    if 'Signature' not in get_data:
-                        raise Exception('The Message of the Logout Request is not signed and the SP require it')
-
-            if 'Signature' in get_data:
-                if 'SigAlg' not in get_data:
-                    sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
-                else:
-                    sign_alg = get_data['SigAlg']
-
-                if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
-                    raise Exception('Invalid signAlg in the recieved Logout Request')
-
-                signed_query = 'SAMLRequest=%s' % urlencode(get_data['SAMLRequest'])
-                if 'RelayState' in get_data:
-                    signed_query = '%s&RelayState=%s' % (signed_query, urlencode(get_data['RelayState']))
-                signed_query = '%s&SigAlg=%s' % (signed_query, urlencode(sign_alg))
-
-                if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
-                    raise Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required')
-                cert = idp_data['x509cert']
-
-                xmlsec.initialize()
-                objkey = xmlsec.Key.load(cert, xmlsec.KeyDataFormatPem, None)  # FIXME is this right?
-
-                if not objkey.verifySignature(signed_query, b64decode(get_data['Signature'])):
-                    raise Exception('Signature validation failed. Logout Request rejected')
-
-            return True
-        except Exception as e:
-            debug = settings.is_debug_active()
-            if debug:
-                print(e.strerror)
-            return False
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/logout_response.html b/docs/saml2/_modules/saml2/logout_response.html
deleted file mode 100644
index 9362300f..00000000
--- a/docs/saml2/_modules/saml2/logout_response.html
+++ /dev/null
@@ -1,279 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.logout_response — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.logout_response
    -# -*- coding: utf-8 -*-
-
-
-from base64 import b64decode
-from datetime import datetime
-from lxml import etree
-from urllib import quote_plus
-from xml.dom.minidom import Document, parseString
-
-import dm.xmlsec.binding as xmlsec
-
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.utils import OneLogin_Saml2_Utils
-
-
-
    [docs]class OneLogin_Saml2_Logout_Response():
-
-    def __init__(self, settings, response=None):
-        """
-        Constructs a Logout Response object (Initialize params from settings
-        and if provided load the Logout Response.
-
-        Arguments are:
-            * (OneLogin_Saml2_Settings)   settings. Setting data
-            * (string)                    response. An UUEncoded SAML Logout
-                                                    response from the IdP.
-        """
-        self.__settings = settings
-        if response is not None:
-            self.__logout_response = OneLogin_Saml2_Utils.decode_base64_and_inflate(response)
-            self.document = parseString(self.__logout_response)
-
-
    [docs]    def get_issuer(self):
-        """
-        Gets the Issuer of the Logout Response Message
-        :return: The Issuer
-        :rtype: string
-        """
-        issuer = None
-        issuer_nodes = self.__query('/samlp:LogoutResponse/saml:Issuer')
-        if len(issuer_nodes) == 1:
-            issuer = issuer_nodes[0].text
-        return issuer
-
    
-
    [docs]    def get_status(self):
-        """
-        Gets the Status
-        :return: The Status
-        :rtype: string
-        """
-        entries = self.__query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode')
-        if len(entries) == 0:
-            return None
-        status = entries[0].attrib['Value']
-        return status
-
    
-
    [docs]    def is_valid(self, request_data, request_id=None):
-        """
-        Determines if the SAML LogoutResponse is valid
-        :param request_id: The ID of the LogoutRequest sent by this SP to the IdP
-        :type request_id: string
-        :return: Returns if the SAML LogoutResponse is or not valid
-        :rtype: boolean
-        """
-        try:
-            idp_data = self.__settings.get_idp_data()
-            idp_entity_id = idp_data['entityId']
-            get_data = request_data['get_data']
-
-            if self.__settings.is_strict():
-                res = OneLogin_Saml2_Utils.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
-                if not isinstance(res, Document):
-                    raise Exception('Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd')
-
-                security = self.__settings.get_security_data()
-
-                # Check if the InResponseTo of the Logout Response matchs the ID of the Logout Request (requestId) if provided
-                if request_id is not None and self.document.documentElement.hasAttribute('InResponseTo'):
-                    in_response_to = self.document.documentElement.getAttribute('InResponseTo')
-                    if request_id != in_response_to:
-                        raise Exception('The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id))
-
-                # Check issuer
-                issuer = self.get_issuer()
-                if issuer is None or issuer != idp_entity_id:
-                    raise Exception('Invalid issuer in the Logout Request')
-
-                current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
-
-                # Check destination
-                if self.document.documentElement.hasAttribute('Destination'):
-                    destination = self.document.documentElement.getAttribute('Destination')
-                    if destination is not None:
-                        if current_url not in destination:
-                            raise Exception('The LogoutRequest was received at $currentURL instead of $destination')
-
-                if security['wantMessagesSigned']:
-                    if 'Signature' not in get_data:
-                        raise Exception('The Message of the Logout Response is not signed and the SP require it')
-
-            if 'Signature' in get_data:
-                if 'SigAlg' not in get_data:
-                    sign_alg = OneLogin_Saml2_Constants.RSA_SHA1
-                else:
-                    sign_alg = get_data['SigAlg']
-
-                if sign_alg != OneLogin_Saml2_Constants.RSA_SHA1:
-                    raise Exception('Invalid signAlg in the recieved Logout Response')
-
-                signed_query = 'SAMLResponse=%s' % quote_plus(get_data['SAMLResponse'])
-                if 'RelayState' in get_data:
-                    signed_query = '%s&RelayState=%s' % (signed_query, quote_plus(get_data['RelayState']))
-                signed_query = '%s&SigAlg=%s' % (signed_query, quote_plus(sign_alg))
-
-                if 'x509cert' not in idp_data or idp_data['x509cert'] is None:
-                    raise Exception('In order to validate the sign on the Logout Response, the x509cert of the IdP is required')
-                cert = idp_data['x509cert']
-
-                xmlsec.initialize()
-                objkey = xmlsec.Key.load(cert, xmlsec.KeyDataFormatPem, None)  # FIXME is this right?
-
-                if not objkey.verifySignature(signed_query, b64decode(get_data['Signature'])):
-                    raise Exception('Signature validation failed. Logout Response rejected')
-
-            return True
-        except Exception as e:
-            debug = self.__settings.is_debug_active()
-            if debug:
-                print(e.strerror)
-            return False
-
    
-    def __query(self, query):
-        """
-        Extracts a node from the DOMDocument (Logout Response Menssage)
-        :param query: Xpath Expresion
-        :type query: string
-        :return: The queried node
-        :rtype: DOMNodeList
-        """
-        # Switch to lxml for querying
-        xml = self.document.toxml()
-        return OneLogin_Saml2_Utils.query(etree.fromstring(xml), query)
-
-
    [docs]    def build(self, in_response_to):
-        """
-        Creates a Logout Response object.
-        :param in_response_to: InResponseTo value for the Logout Response.
-        :type in_response_to: string
-        """
-        sp_data = self.__settings.get_sp_data()
-        idp_data = self.__settings.get_idp_data()
-
-        uid = OneLogin_Saml2_Utils.generate_unique_id()
-        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(
-            int(datetime.now().strftime("%s"))
-        )
-
-        logout_response = """<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
-                      ID="%(id)s"
-                      Version="2.0"
-                      IssueInstant="%(issue_instant)s"
-                      Destination="%(destination)s"
-                      InResponseTo="%(in_response_to)s"
->
-    <saml:Issuer>%(entity_id)s</saml:Issuer>
-    <samlp:Status>
-        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
-    </samlp:Status>
-</samlp:LogoutResponse>""" % {
-            'id': uid,
-            'issue_instant': issue_instant,
-            'destination': idp_data['singleLogoutService']['url'],
-            'in_response_to': in_response_to,
-            'entity_id': sp_data['entityId'],
-        }
-
-        self.__logout_response = logout_response
-
    
-
    [docs]    def get_response(self):
-        """
-        Returns a Logout Response object.
-        :return: Logout Response deflated and base64 encoded
-        :rtype: string
-        """
-        return OneLogin_Saml2_Utils.deflate_and_base64_encode(self.__logout_response)
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/metadata.html b/docs/saml2/_modules/saml2/metadata.html
deleted file mode 100644
index 6f3d0b93..00000000
--- a/docs/saml2/_modules/saml2/metadata.html
+++ /dev/null
@@ -1,286 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.metadata — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.metadata
    -# -*- coding: utf-8 -*-
-
-
-from time import gmtime, strftime
-from datetime import datetime
-from xml.dom.minidom import parseString
-
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.utils import OneLogin_Saml2_Utils
-
-
-
    [docs]class OneLogin_Saml2_Metadata:
-
-    TIME_VALID = 172800   # 2 days
-    TIME_CACHED = 604800  # 1 week
-
-    @staticmethod
-
    [docs]    def builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None):
-        """
-        Build the metadata of the SP
-
-        :param sp: The SP data
-        :type sp: string
-
-        :param authnsign: authnRequestsSigned attribute
-        :type authnsign: string
-
-        :param wsign: wantAssertionsSigned attribute
-        :type wsign: string
-
-        :param valid_until: Metadata's valid time
-        :type valid_until: DateTime
-
-        :param cache_duration: Duration of the cache in seconds
-        :type cache_duration: Timestamp
-
-        :param contacts: Contacts info
-        :type contacts: dict
-
-        :param organization: Organization ingo
-        :type organization: dict
-        """
-        if valid_until is None:
-            valid_until = int(datetime.now().strftime("%s")) + OneLogin_Saml2_Metadata.TIME_VALID
-        valid_until_time = gmtime(valid_until)
-        valid_until_time = strftime(r'%Y-%m-%dT%H:%M:%SZ', valid_until_time)
-        if cache_duration is None:
-            cache_duration = int(datetime.now().strftime("%s")) + OneLogin_Saml2_Metadata.TIME_CACHED
-        if contacts is None:
-            contacts = {}
-        if organization is None:
-            organization = {}
-
-        sls = ''
-        if 'singleLogoutService' in sp:
-            sls = """<md:SingleLogoutService Binding="%(binding)s"
-                                Location="%(location)s" />""" % {
-                'binding': sp['singleLogoutService']['binding'],
-                'location': sp['singleLogoutService']['url'],
-            }
-
-        str_authnsign = 'true' if authnsign else 'false'
-        str_wsign = 'true' if wsign else 'false'
-
-        str_organization = ''
-        if len(organization) > 0:
-            organization_info = []
-            for (lang, info) in organization.items():
-                organization_info.append("""    <md:Organization>
-        <md:OrganizationName xml:lang="%(lang)s">%(name)s</md:OrganizationName>
-        <md:OrganizationDisplayName xml:lang="%(lang)s">%(display_name)s</md:OrganizationDisplayName>
-        <md:OrganizationURL xml:lang="%(lang)s">%(url)s</md:OrganizationURL>
-    </md:Organization>""" % {
-                    'lang': lang,
-                    'name': info['name'],
-                    'display_name': info['displayname'],
-                    'url': info['url'],
-                })
-            str_organization = '\n'.join(organization_info)
-
-        str_contacts = ''
-        if len(contacts) > 0:
-            contacts_info = []
-            for (ctype, info) in contacts.items():
-                contacts_info.append("""    <md:ContactPerson contactType="%(type)s">
-        <md:GivenName>%(name)s</md:GivenName>
-        <md:EmailAddress>%(email)s</md:EmailAddress>
-    </md:ContactPerson>""" % {
-                    'type': ctype,
-                    'name': info['givenName'],
-                    'email': info['emailAddress'],
-                })
-            str_contacts = '\n'.join(contacts_info)
-
-        metadata = """<?xml version="1.0"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-                     validUntil="%(valid)s"
-                     cacheDuration="PT%(cache)sS"
-                     entityID="%(entity_id)s">
-    <md:SPSSODescriptor AuthnRequestsSigned="%(authnsign)s" WantAssertionsSigned="%(wsign)s" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-        <md:NameIDFormat>%(name_id_format)s</md:NameIDFormat>
-        <md:AssertionConsumerService Binding="%(binding)s"
-                                     Location="%(location)s"
-                                     index="1" />
-%(sls)s
-    </md:SPSSODescriptor>
-%(organization)s
-%(contacts)s
-</md:EntityDescriptor>""" % {
-            'valid': valid_until_time,
-            'cache': cache_duration,
-            'entity_id': sp['entityId'],
-            'authnsign': str_authnsign,
-            'wsign': str_wsign,
-            'name_id_format': sp['NameIDFormat'],
-            'binding': sp['assertionConsumerService']['binding'],
-            'location': sp['assertionConsumerService']['url'],
-            'sls': sls,
-            'organization': str_organization,
-            'contacts': str_contacts,
-        }
-
-        return metadata
-
    
-    @staticmethod
-
    [docs]    def sign_metadata(metadata, key, cert):
-        """
-        Sign the metadata with the key/cert provided
-
-        :param metadata: SAML Metadata XML
-        :type metadata: string
-
-        :param key: x509 key
-        :type key: string
-
-        :param cert: x509 cert
-        :type cert: string
-
-        :returns: Signed Metadata
-        :rtype: string
-        """
-        return OneLogin_Saml2_Utils.add_sign(metadata, key, cert)
-
    
-    @staticmethod
-
    [docs]    def add_x509_key_descriptors(metadata, cert):
-        """
-        Add the x509 descriptors (sign/encriptation to the metadata
-        The same cert will be used for sign/encrypt
-
-        :param metadata: SAML Metadata XML
-        :type metadata: string
-
-        :param cert: x509 cert
-        :type cert: string
-
-        :returns: Metadata with KeyDescriptors
-        :rtype: string
-        """
-        try:
-            xml = parseString(metadata)
-        except Exception as e:
-            raise Exception('Error parsing metadata. ' + e.message)
-
-        formated_cert = OneLogin_Saml2_Utils.format_cert(cert, False)
-        x509_certificate = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Certificate')
-        content = xml.createTextNode(formated_cert)
-        x509_certificate.appendChild(content)
-
-        key_data = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:X509Data')
-        key_data.appendChild(x509_certificate)
-
-        key_info = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'ds:KeyInfo')
-        key_info.appendChild(key_data)
-
-        key_descriptor = xml.createElementNS(OneLogin_Saml2_Constants.NS_DS, 'md:KeyDescriptor')
-
-        entity_descriptor = sp_sso_descriptor = xml.getElementsByTagName('md:EntityDescriptor')[0]
-        entity_descriptor.setAttribute('xmlns:ds', OneLogin_Saml2_Constants.NS_DS)
-
-        sp_sso_descriptor = xml.getElementsByTagName('md:SPSSODescriptor')[0]
-        sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
-        sp_sso_descriptor.insertBefore(key_descriptor.cloneNode(True), sp_sso_descriptor.firstChild)
-
-        signing = xml.getElementsByTagName('md:KeyDescriptor')[0]
-        signing.setAttribute('use', 'signing')
-
-        encryption = xml.getElementsByTagName('md:KeyDescriptor')[1]
-        encryption.setAttribute('use', 'encryption')
-
-        signing.appendChild(key_info)
-        encryption.appendChild(key_info.cloneNode(True))
-
-        return xml.toxml()
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/response.html b/docs/saml2/_modules/saml2/response.html
deleted file mode 100644
index 7f815169..00000000
--- a/docs/saml2/_modules/saml2/response.html
+++ /dev/null
@@ -1,529 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.response — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.response
    -# -*- coding: utf-8 -*-
-
-
-from base64 import b64decode
-from copy import deepcopy
-from lxml import etree
-from os.path import basename
-from time import time
-import sys
-from xml.dom.minidom import Document
-
-import dm.xmlsec.binding as xmlsec
-
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.utils import OneLogin_Saml2_Utils
-
-
-
    [docs]class OneLogin_Saml2_Response(object):
-
-    def __init__(self, settings, response):
-        """
-        Constructs the response object.
-
-        :param settings: The setting info
-        :type settings: OneLogin_Saml2_Setting object
-
-        :param response: The base64 encoded, XML string containing the samlp:Response
-        :type response: string
-        """
-        self.__settings = settings
-        self.response = b64decode(response)
-        self.document = etree.fromstring(self.response)
-        self.decrypted_document = None
-        self.encrypted = None
-
-        # Quick check for the presence of EncryptedAssertion
-        encrypted_assertion_nodes = self.__query('//saml:EncryptedAssertion')
-        if encrypted_assertion_nodes:
-            decrypted_document = deepcopy(self.document)
-            self.encrypted = True
-            self.decrypted_document = self.__decrypt_assertion(decrypted_document)
-
-
    [docs]    def is_valid(self, request_data, request_id=None):
-        """
-        Constructs the response object.
-
-        :param request_id: Optional argument. The ID of the AuthNRequest sent by this SP to the IdP
-        :type request_id: string
-
-        :returns: True if the SAML Response is valid, False if not
-        :rtype: bool
-        """
-        try:
-            # Checks SAML version
-            if self.document.get('Version', None) != '2.0':
-                raise Exception('Unsupported SAML version')
-
-            # Checks that ID exists
-            if self.document.get('ID', None) is None:
-                raise Exception('Missing ID attribute on SAML Response')
-
-            # Checks that the response only has one assertion
-            if not self.validate_num_assertions():
-                raise Exception('Multiple assertions are not supported')
-
-            # Checks that the response has the SUCCESS status
-            self.check_status()
-
-            idp_data = self.__settings.get_idp_data()
-            idp_entityid = idp_data.get('entityId', '')
-            sp_data = self.__settings.get_sp_data()
-            sp_entityid = sp_data.get('entityId', '')
-
-            sign_nodes = self.__query('//ds:Signature')
-
-            signed_elements = []
-            for sign_node in sign_nodes:
-                signed_elements.append(sign_node.getparent().tag)
-
-            if self.__settings.is_strict():
-                res = OneLogin_Saml2_Utils.validate_xml(etree.tostring(self.document), 'saml-schema-protocol-2.0.xsd', self.__settings.is_debug_active())
-                if not isinstance(res, Document):
-                    raise Exception('Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd')
-
-                security = self.__settings.get_security_data()
-                current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
-
-                # Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
-                in_response_to = self.document.get('InResponseTo', None)
-                if in_response_to and request_id:
-                    if in_response_to != request_id:
-                        raise Exception('The InResponseTo of the Response: %s, does not match the ID of the AuthNRequest sent by the SP: %s' % (in_response_to, request_id))
-
-                if not self.encrypted and security.get('wantAssertionsEncrypted', False):
-                    raise Exception('The assertion of the Response is not encrypted and the SP require it')
-
-                if security.get('wantNameIdEncrypted', False):
-                    encrypted_nameid_nodes = self.__query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
-                    if not encrypted_nameid_nodes:
-                        raise Exception('The NameID of the Response is not encrypted and the SP require it')
-
-                # Checks that there is at least one AttributeStatement
-                attribute_statement_nodes = self.__query_assertion('/saml:AttributeStatement')
-                if not attribute_statement_nodes:
-                    raise Exception('There is no AttributeStatement on the Response')
-
-                # Validates Asserion timestamps
-                if not self.validate_timestamps():
-                    raise Exception('Timing issues (please check your clock settings)')
-
-                encrypted_attributes_nodes = self.__query_assertion('/saml:AttributeStatement/saml:EncryptedAttribute')
-                if encrypted_attributes_nodes:
-                    raise Exception('There is an EncryptedAttribute in the Response and this SP not support them')
-
-                # Checks destination
-                destination = self.document.get('Destination', None)
-                if destination:
-                    if destination not in current_url:
-                        raise Exception('The response was received at %s instead of %s' % (current_url, destination))
-
-                # Checks audience
-                valid_audiences = self.get_audiences()
-                if valid_audiences and sp_entityid not in valid_audiences:
-                    raise Exception('%s is not a valid audience for this Response' % sp_entityid)
-
-                # Checks the issuers
-                issuers = self.get_issuers()
-                for issuer in issuers:
-                    if not issuer or issuer != idp_entityid:
-                        raise Exception('Invalid issuer in the Assertion/Response')
-
-                # Checks the session Expiration
-                session_expiration = self.get_session_not_on_or_after()
-                if not session_expiration and session_expiration <= time():
-                    raise Exception('The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response')
-
-                # Checks the SubjectConfirmation, at least one SubjectConfirmation must be valid
-                any_subject_confirmation = False
-                subject_confirmation_nodes = self.__query_assertion('/saml:Subject/saml:SubjectConfirmation')
-
-                for scn in subject_confirmation_nodes:
-                    method = scn.get('Method', None)
-                    if method and method != OneLogin_Saml2_Constants.CM_BEARER:
-                        continue
-                    scData = scn.find('saml:SubjectConfirmationData', namespaces=OneLogin_Saml2_Constants.NSMAP)
-                    if scData is None:
-                        continue
-                    else:
-                        irt = scData.get('InResponseTo', None)
-                        if irt != in_response_to:
-                            continue
-                        recipient = scData.get('Recipient', None)
-                        if recipient not in current_url:
-                            continue
-                        nooa = scData.get('NotOnOrAfter', None)
-                        if nooa:
-                            parsed_nooa = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
-                            if parsed_nooa <= time():
-                                continue
-                        nb = scData.get('NotBefore', None)
-                        if nb:
-                            parsed_nb = OneLogin_Saml2_Utils.parse_SAML_to_time(nb)
-                            if (parsed_nb > time()):
-                                continue
-                        any_subject_confirmation = True
-                        break
-
-                if not any_subject_confirmation:
-                    raise Exception('A valid SubjectConfirmation was not found on this Response')
-
-                if security.get('wantAssertionsSigned', False) and 'saml:Assertion' not in signed_elements:
-                    raise Exception('The Assertion of the Response is not signed and the SP require it')
-
-                if security.get('wantMessagesSigned', False) and 'samlp:Response' not in signed_elements:
-                    raise Exception('The Message of the Response is not signed and the SP require it')
-
-                document_to_validate = None
-                if len(signed_elements) > 0:
-                    cert = idp_data.get('x509cert', None)
-                    fingerprint = idp_data.get('certFingerprint', None)
-
-                    # Only validates the first sign found
-                    if 'samlp:Response' in signed_elements:
-                        document_to_validate = self.document
-                    else:
-                        if self.encrypted:
-                            document_to_validate = self.decrypted_document
-                        else:
-                            document_to_validate = self.document
-
-                if document_to_validate is not None:
-                    if not OneLogin_Saml2_Utils.validate_sign(document_to_validate, cert, fingerprint):
-                        raise Exception('Signature validation failed. SAML Response rejected')
-            return True
-        except:
-            debug = self.__settings.is_debug_active()
-            if debug:
-                print sys.exc_info()[0]
-            return False
-
    
-
    [docs]    def check_status(self):
-        """
-        Check if the status of the response is success or not
-
-        :raises: Exception. If the status is not success
-        """
-        status = OneLogin_Saml2_Utils.get_status(self.document)
-        code = status.get('code', None)
-        if code and code != OneLogin_Saml2_Constants.STATUS_SUCCESS:
-            splited_code = code.split(':')
-            printable_code = splited_code.pop()
-            status_exception_msg = 'The status code of the Response was not Success, was %s' % printable_code
-            status_msg = status.get('msg', None)
-            if status_msg:
-                status_exception_msg += ' -> ' + status_msg
-            raise Exception(status_exception_msg)
-
    
-
    [docs]    def get_audiences(self):
-        """
-        Gets the audiences
-
-        :returns: The valid audiences for the SAML Response
-        :rtype: list
-        """
-        audiences = []
-
-        audience_nodes = self.__query_assertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience')
-        for audience_node in audience_nodes:
-            audiences.append(audience_node.text)
-
    
-
    [docs]    def get_issuers(self):
-        """
-        Gets the issuers (from message and from assertion)
-
-        :returns: The issuers
-        :rtype: list
-        """
-        issuers = []
-
-        message_issuer_nodes = self.__query('/samlp:Response/saml:Issuer')
-        if message_issuer_nodes:
-            issuers.append(message_issuer_nodes[0].text)
-
-        assertion_issuer_nodes = self.__query_assertion('/saml:Issuer')
-        if assertion_issuer_nodes:
-            issuers.append(assertion_issuer_nodes[0].text)
-
-        return list(set(issuers))
-
    
-
    [docs]    def get_nameid_data(self):
-        """
-        Gets the NameID Data provided by the SAML Response from the IdP
-
-        :returns: Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
-        :rtype: dict
-        """
-        nameid = None
-        encrypted_id_data_nodes = self.__query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
-        if encrypted_id_data_nodes:
-            encrypted_data = encrypted_id_data_nodes[0]
-
-            xmlsec.initialize()
-
-            # Load the key into the xmlsec context
-            key = self.__settings.get_sp_key()
-            file_key = OneLogin_Saml2_Utils.write_temp_file(key)  # FIXME avoid writing a file
-            enc_key = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
-            enc_key.name = basename(file_key.name)
-            file_key.close()
-            enc_ctx = xmlsec.EncCtx()
-            enc_ctx.encKey = enc_key
-
-            nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, enc_ctx)
-        else:
-            nameid_nodes = self.__query_assertion('/saml:Subject/saml:NameID')
-            if nameid_nodes:
-                nameid = nameid_nodes[0]
-        if nameid is None:
-            raise Exception('Not NameID found in the assertion of the Response')
-
-        nameid_data = {'Value': nameid.text}
-        for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
-            value = nameid.get(attr, None)
-            if value:
-                nameid_data[attr] = value
-        return nameid_data
-
    
-
    [docs]    def get_nameid(self):
-        """
-        Gets the NameID provided by the SAML Response from the IdP
-
-        :returns: NameID (value)
-        :rtype: string
-        """
-        nameid_data = self.get_nameid_data()
-        return nameid_data['Value']
-
    
-
    [docs]    def get_session_not_on_or_after(self):
-        """
-        Gets the SessionNotOnOrAfter from the AuthnStatement
-        Could be used to set the local session expiration
-
-        :returns: The SessionNotOnOrAfter value
-        :rtype: time|None
-        """
-        not_on_or_after = None
-        authn_statement_nodes = self.__query_assertion('/saml:AuthnStatement[@SessionNotOnOrAfter]')
-        if authn_statement_nodes:
-            not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(authn_statement_nodes[0].get('SessionNotOnOrAfter'))
-        return not_on_or_after
-
    
-
    [docs]    def get_session_index(self):
-        """
-        Gets the SessionIndex from the AuthnStatement
-        Could be used to be stored in the local session in order
-        to be used in a future Logout Request that the SP could
-        send to the SP, to set what specific session must be deleted
-
-        :returns: The SessionIndex value
-        :rtype: string|None
-        """
-        session_index = None
-        authn_statement_nodes = self.__query_assertion('/saml:AuthnStatement[@SessionIndex]')
-        if authn_statement_nodes:
-            session_index = authn_statement_nodes[0].get('SessionIndex')
-        return session_index
-
    
-
    [docs]    def get_attributes(self):
-        """
-        Gets the Attributes from the AttributeStatement element.
-        EncryptedAttributes are not supported
-        """
-        attributes = {}
-        attribute_nodes = self.__query_assertion('/saml:AttributeStatement/saml:Attribute')
-        for attribute_node in attribute_nodes:
-            attr_name = attribute_node.get('Name')
-            values = []
-            for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']):
-                values.append(attr.text)
-            attributes[attr_name] = values
-        return attributes
-
    
-
    [docs]    def validate_num_assertions(self):
-        """
-        Verifies that the document only contains a single Assertion (encrypted or not)
-
-        :returns: True if only 1 assertion encrypted or not
-        :rtype: bool
-        """
-        encrypted_assertion_nodes = self.__query('//saml:EncryptedAssertion')
-        assertion_nodes = self.__query('//saml:Assertion')
-        return (len(encrypted_assertion_nodes) + len(assertion_nodes)) == 1
-
    
-
    [docs]    def validate_timestamps(self):
-        """
-        Verifies that the document is valid according to Conditions Element
-
-        :returns: True if the condition is valid, False otherwise
-        :rtype: bool
-        """
-        conditions_nodes = self.__query('//saml:Conditions')
-        for conditions_node in conditions_nodes:
-            nb_attr = conditions_node.get('NotBefore')
-            nooa_attr = conditions_node.get('NotOnOrAfter')
-            if nb_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nb_attr) > time() + OneLogin_Saml2_Constants.ALOWED_CLOCK_DRIFT:
-                return False
-            if nooa_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nooa_attr) + OneLogin_Saml2_Constants.ALOWED_CLOCK_DRIFT <= time():
-                return False
-        return True
-
    
-    def __query_assertion(self, xpath_expr):
-        """
-        Extracts nodes that match the query from the Assertion
-
-        :param query: Xpath Expresion
-        :type query: String
-
-        :returns: The queried nodes
-        :rtype: list
-        """
-        if self.encrypted:
-            assertion_expr = '/saml:EncryptedAssertion/saml:Assertion'
-        else:
-            assertion_expr = '/saml:Assertion'
-        signature_expr = '/ds:Signature/ds:SignedInfo/ds:Reference'
-        signed_assertion_query = '/samlp:Response' + assertion_expr + signature_expr
-        assertion_reference_nodes = self.__query(signed_assertion_query)
-
-        if not assertion_reference_nodes:
-            # Check if the message is signed
-            signed_message_query = '/samlp:Response' + signature_expr
-            message_reference_nodes = self.__query(signed_message_query)
-            if message_reference_nodes:
-                id = message_reference_nodes[0].get('URI')
-                final_query = "/samlp:Response[@ID='%s']/" % id[1:]
-            else:
-                final_query = "/samlp:Response/"
-            final_query += assertion_expr
-        else:
-            id = assertion_reference_nodes[0].get('URI')
-            final_query = '/samlp:Response' + assertion_expr + "[@ID='%s']" % id[1:]
-        final_query += xpath_expr
-        return self.__query(final_query)
-
-    def __query(self, query):
-        """
-        Extracts nodes that match the query from the Response
-
-        :param query: Xpath Expresion
-        :type query: String
-
-        :returns: The queried nodes
-        :rtype: list
-        """
-        if self.encrypted:
-            document = self.decrypted_document
-        else:
-            document = self.document
-        return OneLogin_Saml2_Utils.query(document, query)
-
-    def __decrypt_assertion(self, dom):
-        """
-        Decrypts the Assertion
-
-        :raises: Exception if no private key available
-        :param dom: Encrypted Assertion
-        :type dom: Element
-        :returns: Decrypted Assertion
-        :rtype: Element
-        """
-        key = self.__settings.get_sp_key()
-
-        if not key:
-            raise Exception('No private key available, check settings')
-
-        # TODO Study how decrypt assertion
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/settings.html b/docs/saml2/_modules/saml2/settings.html
deleted file mode 100644
index fe2bf6f5..00000000
--- a/docs/saml2/_modules/saml2/settings.html
+++ /dev/null
@@ -1,692 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.settings — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.settings
    -# -*- coding: utf-8 -*-
-
-
-from datetime import datetime
-import json
-import re
-from os.path import dirname, exists, join, sep
-from xml.dom.minidom import Document
-
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.errors import OneLogin_Saml2_Error
-from saml2.metadata import OneLogin_Saml2_Metadata
-from saml2.utils import OneLogin_Saml2_Utils
-
-
-# Regex from Django Software Foundation and individual contributors.
-# Released under a BSD 3-Clause License
-url_regex = re.compile(
-    r'^(?:[a-z0-9\.\-]*)://'  # scheme is validated separately
-    r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...
-    r'localhost|'  # localhost...
-    r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4
-    r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
-    r'(?::\d+)?'  # optional port
-    r'(?:/?|[/?]\S+)$', re.IGNORECASE)
-url_schemes = ['http', 'https', 'ftp', 'ftps']
-
-
-
    [docs]def validate_url(url):
-    scheme = url.split('://')[0].lower()
-    if scheme not in url_schemes:
-        return False
-    if not bool(url_regex.search(url)):
-        return False
-    return True
-
-
    
-
    [docs]class OneLogin_Saml2_Settings:
-
-    def __init__(self, settings=None, custom_base_path=None):
-        """
-        Initializes the settings:
-        - Sets the paths of the different folders
-        - Loads settings info from settings file or array/object provided
-
-        :param settings: SAML Toolkit Settings
-        :type settings: dict|object
-        """
-        self.__paths = {}
-        self.__strict = False
-        self.__debug = False
-        self.__sp = {}
-        self.__idp = {}
-        self.__contacts = {}
-        self.__organization = {}
-        self.__errors = []
-
-        self.__load_paths(base_path=custom_base_path)
-        self.__update_paths(settings)
-
-        if settings is None:
-            if not self.__load_settings_from_file():
-                raise OneLogin_Saml2_Error(
-                    'Invalid file settings: %s',
-                    OneLogin_Saml2_Error.SETTINGS_INVALID,
-                    ','.join(self.__errors)
-                )
-            self.__add_default_values()
-        elif isinstance(settings, dict):
-            if not self.__load_settings_from_dict(settings):
-                raise OneLogin_Saml2_Error(
-                    'Invalid dict settings: %s',
-                    OneLogin_Saml2_Error.SETTINGS_INVALID,
-                    ','.join(self.__errors)
-                )
-        else:
-            raise Exception('Unsupported settings object')
-
-        self.format_idp_cert()
-
-    def __load_paths(self, base_path=None):
-        """
-        Sets the paths of the different folders
-        """
-        if base_path is None:
-            base_path = dirname(dirname(dirname(__file__)))
-        base_path += sep
-        self.__paths = {
-            'base': base_path,
-            'cert': base_path + 'certs' + sep,
-            'lib': base_path + 'lib' + sep,
-            'extlib': base_path + 'extlib' + sep,
-        }
-
-    def __update_paths(self, settings):
-        """
-        Set custom paths if necessary
-        """
-        if not isinstance(settings, dict):
-            return
-
-        if 'custom_base_path' in settings:
-            base_path = settings['custom_base_path']
-            base_path = join(dirname(__file__), base_path)
-            self.__load_paths(base_path)
-
-
    [docs]    def get_base_path(self):
-        """
-        Returns base path
-
-        :return: The base toolkit folder path
-        :rtype: string
-        """
-        return self.__paths['base']
-
    
-
    [docs]    def get_cert_path(self):
-        """
-        Returns cert path
-
-        :return: The cert folder path
-        :rtype: string
-        """
-        return self.__paths['cert']
-
    
-
    [docs]    def get_lib_path(self):
-        """
-        Returns lib path
-
-        :return: The library folder path
-        :rtype: string
-        """
-        return self.__paths['lib']
-
    
-
    [docs]    def get_ext_lib_path(self):
-        """
-        Returns external lib path
-
-        :return: The external library folder path
-        :rtype: string
-        """
-        return self.__paths['extlib']
-
    
-
    [docs]    def get_schemas_path(self):
-        """
-        Returns schema path
-
-        :return: The schema folder path
-        :rtype: string
-        """
-        return self.__paths['lib'] + 'schemas/'
-
    
-    def __load_settings_from_dict(self, settings):
-        """
-        Loads settings info from a settings Dict
-
-        :param settings: SAML Toolkit Settings
-        :type settings: dict
-
-        :returns: True if the settings info is valid
-        :rtype: boolean
-        """
-        errors = self.check_settings(settings)
-        if len(errors) == 0:
-            self.__errors = []
-            self.__sp = settings['sp']
-            self.__idp = settings['idp']
-
-            if 'strict' in settings:
-                self.__strict = settings['strict']
-            if 'debug' in settings:
-                self.__debug = settings['debug']
-            if 'security' in settings:
-                self.__security = settings['security']
-            if 'contactPerson' in settings:
-                self.__contacts = settings['contactPerson']
-            if 'organization' in settings:
-                self.__organization = settings['organization']
-
-            self.__add_default_values()
-            return True
-
-        self.__errors = errors
-        return False
-
-    def __load_settings_from_file(self):
-        """
-        Loads settings info from the settings json file
-
-        :returns: True if the settings info is valid
-        :rtype: boolean
-        """
-        filename = self.get_base_path() + 'settings.json'
-
-        if not exists(filename):
-            raise OneLogin_Saml2_Error(
-                'Settings file not found: %s',
-                OneLogin_Saml2_Error.SETTINGS_FILE_NOT_FOUND,
-                filename
-            )
-
-        # In the php toolkit instead of being a json file it is a php file and
-        # it is directly included
-        json_data = open(filename, 'r')
-        settings = json.load(json_data)
-        json_data.close()
-
-        advanced_filename = self.get_base_path() + 'advanced_settings.json'
-        if exists(advanced_filename):
-            json_data = open(advanced_filename, 'r')
-            settings.update(json.load(json_data))  # Merge settings
-            json_data.close()
-
-        return self.__load_settings_from_dict(settings)
-
-    def __add_default_values(self):
-        """
-        Add default values if the settings info is not complete
-        """
-        if 'binding' not in self.__sp['assertionConsumerService']:
-            self.__sp['assertionConsumerService']['binding'] = OneLogin_Saml2_Constants.BINDING_HTTP_POST
-        if 'singleLogoutService' in self.__sp and 'binding' not in self.__sp['singleLogoutService']:
-            self.__sp['singleLogoutService']['binding'] = OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
-
-        # Related to nameID
-        if 'NameIDFormat' not in self.__sp:
-            self.__sp['NameIDFormat'] = OneLogin_Saml2_Constants.NAMEID_PERSISTENT
-        if 'nameIdEncrypted' not in self.__security:
-            self.__security['nameIdEncrypted'] = False
-
-        # Sign provided
-        if 'authnRequestsSigned' not in self.__security:
-            self.__security['authnRequestsSigned'] = False
-        if 'logoutRequestSigned' not in self.__security:
-            self.__security['logoutRequestSigned'] = False
-        if 'logoutResponseSigned' not in self.__security:
-            self.__security['logoutResponseSigned'] = False
-        if 'signMetadata' not in self.__security:
-            self.__security['signMetadata'] = False
-
-        # Sign expected
-        if 'wantMessagesSigned' not in self.__security:
-            self.__security['wantMessagesSigned'] = False
-        if 'wantAssertionsSigned' not in self.__security:
-            self.__security['wantAssertionsSigned'] = False
-
-        # Encrypt expected
-        if 'wantAssertionsEncrypted' not in self.__security:
-            self.__security['wantAssertionsEncrypted'] = False
-        if 'wantNameIdEncrypted' not in self.__security:
-            self.__security['wantNameIdEncrypted'] = False
-
-        if 'x509cert' not in self.__idp:
-            self.__idp['x509cert'] = ''
-        if 'certFingerprint' not in self.__idp:
-            self.__idp['certFingerprint'] = ''
-
-
    [docs]    def check_settings(self, settings):
-        """
-        Checks the settings info.
-
-        :param settings: Dict with settings data
-        :type settings: dict
-
-        :returns: Errors found on the settings data
-        :rtype: list
-        """
-        assert isinstance(settings, dict)
-
-        errors = []
-        if not isinstance(settings, dict) or len(settings) == 0:
-            errors.append('invalid_syntax')
-            return errors
-
-        if 'idp' not in settings or len(settings['idp']) == 0:
-            errors.append('idp_not_found')
-        else:
-            idp = settings['idp']
-            if 'entityId' not in idp or len(idp['entityId']) == 0:
-                errors.append('idp_entityId_not_found')
-
-            if ('singleSignOnService' not in idp or
-                'url' not in idp['singleSignOnService'] or
-                    len(idp['singleSignOnService']['url']) == 0):
-                errors.append('idp_sso_not_found')
-            elif not validate_url(idp['singleSignOnService']['url']):
-                errors.append('idp_sso_url_invalid')
-
-            if ('singleLogoutService' in idp and
-                'url' in idp['singleLogoutService'] and
-                len(idp['singleLogoutService']['url']) > 0 and
-                    not validate_url(idp['singleLogoutService']['url'])):
-                errors.append('idp_slo_url_invalid')
-
-        if 'sp' not in settings or len(settings['sp']) == 0:
-            errors.append('sp_not_found')
-        else:
-            sp = settings['sp']
-            security = {}
-            if 'security' in settings:
-                security = settings['security']
-
-            if 'entityId' not in sp or len(sp['entityId']) == 0:
-                errors.append('sp_entityId_not_found')
-
-            if ('assertionConsumerService' not in sp or
-                'url' not in sp['assertionConsumerService'] or
-                    len(sp['assertionConsumerService']['url']) == 0):
-                errors.append('sp_acs_not_found')
-            elif not validate_url(sp['assertionConsumerService']['url']):
-                errors.append('sp_acs_url_invalid')
-
-            if ('singleLogoutService' in sp and
-                'url' in sp['singleLogoutService'] and
-                len(sp['singleLogoutService']['url']) > 0 and
-                    not validate_url(sp['singleLogoutService']['url'])):
-                errors.append('sp_sls_url_invalid')
-
-            if 'signMetadata' in security and isinstance(security['signMetadata'], dict):
-                if ('keyFileName' not in security['signMetadata'] or
-                        'certFileName' not in security['signMetadata']):
-                    errors.append('sp_signMetadata_invalid')
-
-            if ((('authnRequestsSigned' in security and security['authnRequestsSigned']) or
-                 ('logoutRequestSigned' in security and security['logoutRequestSigned']) or
-                 ('logoutResponseSigned' in security and security['logoutResponseSigned']) or
-                 ('wantAssertionsEncrypted' in security and security['wantAssertionsEncrypted']) or
-                 ('wantNameIdEncrypted' in security and security['wantNameIdEncrypted'])) and
-                    not self.check_sp_certs()):
-                errors.append('sp_cert_not_found_and_required')
-
-            exists_X509 = ('idp' in settings and
-                           'x509cert' in settings['idp'] and
-                           len(settings['idp']['x509cert']) > 0)
-            exists_fingerprint = ('idp' in settings and
-                                  'certFingerprint' in settings['idp'] and
-                                  len(settings['idp']['certFingerprint']) > 0)
-            if ((('wantAssertionsSigned' in security and security['wantAssertionsSigned']) or
-                 ('wantMessagesSigned' in security and security['wantMessagesSigned'])) and
-                    not(exists_X509 or exists_fingerprint)):
-                errors.append('idp_cert_or_fingerprint_not_found_and_required')
-            if ('nameIdEncrypted' in security and security['nameIdEncrypted']) and not exists_X509:
-                errors.append('idp_cert_not_found_and_required')
-
-        if 'contactPerson' in settings:
-            types = settings['contactPerson'].keys()
-            valid_types = ['technical', 'support', 'administrative', 'billing', 'other']
-            for t in types:
-                if t not in valid_types:
-                    errors.append('contact_type_invalid')
-                    break
-
-            for t in settings['contactPerson']:
-                contact = settings['contactPerson'][t]
-                if (('givenName' not in contact or len(contact['givenName']) == 0) or
-                        ('emailAddress' not in contact or len(contact['emailAddress']) == 0)):
-                    errors.append('contact_not_enought_data')
-                    break
-
-        if 'organization' in settings:
-            for o in settings['organization']:
-                organization = settings['organization'][o]
-                if (('name' not in organization or len(organization['name']) == 0) or
-                    ('displayname' not in organization or len(organization['displayname']) == 0) or
-                        ('url' not in organization or len(organization['url']) == 0)):
-                    errors.append('organization_not_enought_data')
-                    break
-
-        return errors
-
    
-
    [docs]    def check_sp_certs(self):
-        """
-        Checks if the x509 certs of the SP exists and are valid.
-
-        :returns: If the x509 certs of the SP exists and are valid
-        :rtype: boolean
-        """
-        key = self.get_sp_key()
-        cert = self.get_sp_cert()
-        return key is not None and cert is not None
-
    
-
    [docs]    def get_sp_key(self):
-        """
-        Returns the x509 private key of the SP.
-
-        :returns: SP private key
-        :rtype: string
-        """
-        key = None
-        key_file = self.__paths['cert'] + 'sp.key'
-
-        if exists(key_file):
-            f = open(key_file, 'r')
-            key = f.read()
-            f.close()
-
-        return key
-
    
-
    [docs]    def get_sp_cert(self):
-        """
-        Returns the x509 public cert of the SP.
-
-        :returns: SP public cert
-        :rtype: string
-        """
-        cert = None
-        cert_file = self.__paths['cert'] + 'sp.crt'
-
-        if exists(cert_file):
-            f = open(cert_file, 'r')
-            cert = f.read()
-            f.close()
-
-        return cert
-
    
-
    [docs]    def get_idp_data(self):
-        """
-        Gets the IdP data.
-
-        :returns: IdP info
-        :rtype: dict
-        """
-        return self.__idp
-
    
-
    [docs]    def get_sp_data(self):
-        """
-        Gets the SP data.
-
-        :returns: SP info
-        :rtype: dict
-        """
-        return self.__sp
-
    
-
    [docs]    def get_security_data(self):
-        """
-        Gets security data.
-
-        :returns: Security info
-        :rtype: dict
-        """
-        return self.__security
-
    
-
    [docs]    def get_contacts(self):
-        """
-        Gets contact data.
-
-        :returns: Contacts info
-        :rtype: dict
-        """
-        return self.__contacts
-
    
-
    [docs]    def get_organization(self):
-        """
-        Gets organization data.
-
-        :returns: Organization info
-        :rtype: dict
-        """
-        return self.__organization
-
    
-
    [docs]    def get_sp_metadata(self):
-        """
-        Gets the SP metadata. The XML representation.
-
-        :returns: SP metadata (xml)
-        :rtype: string
-        """
-        metadata = OneLogin_Saml2_Metadata.builder(
-            self.__sp, self.__security['authnRequestsSigned'],
-            self.__security['wantAssertionsSigned'], None, None,
-            self.get_contacts(), self.get_organization()
-        )
-        cert = self.get_sp_cert()
-        if cert is not None:
-            metadata = OneLogin_Saml2_Metadata.add_x509_key_descriptors(metadata, cert)
-
-        # Sign metadata
-        if 'signMetadata' in self.__security and self.__security['signMetadata'] is not False:
-            if self.__security['signMetadata'] is True:
-                key_file_name = 'sp.key'
-                cert_file_name = 'sp.crt'
-            else:
-                if ('keyFileName' not in self.__security['signMetadata'] or
-                        'certFileName' not in self.__security['signMetadata']):
-                    raise OneLogin_Saml2_Error(
-                        'Invalid Setting: signMetadata value of the sp is not valid',
-                        OneLogin_Saml2_Error.SETTINGS_INVALID_SYNTAX
-                    )
-                key_file_name = self.__security['signMetadata']['keyFileName']
-                cert_file_name = self.__security['signMetadata']['certFileName']
-            key_metadata_file = self.__paths['cert'] + key_file_name
-            cert_metadata_file = self.__paths['cert'] + cert_file_name
-
-            if not exists(key_metadata_file):
-                raise OneLogin_Saml2_Error(
-                    'Private key file not found: %s',
-                    OneLogin_Saml2_Error.PRIVATE_KEY_FILE_NOT_FOUND,
-                    key_metadata_file
-                )
-
-            if not exists(cert_metadata_file):
-                raise OneLogin_Saml2_Error(
-                    'Public cert file not found: %s',
-                    OneLogin_Saml2_Error.PUBLIC_CERT_FILE_NOT_FOUND,
-                    cert_metadata_file
-                )
-
-            f = open(key_metadata_file, 'r')
-            key_metadata = f.read()
-            f.close()
-            f = open(cert_metadata_file, 'r')
-            cert_metadata = f.read()
-            f.close()
-            metadata = OneLogin_Saml2_Metadata.sign_metadata(metadata, key_metadata, cert_metadata)
-
-        return metadata
-
    
-
    [docs]    def validate_metadata(self, xml):
-        """
-        Validates an XML SP Metadata.
-
-        :param xml: Metadata's XML that will be validate
-        :type xml: string
-
-        :returns: The list of found errors
-        :rtype: list
-        """
-
-        assert isinstance(xml, basestring)
-
-        if len(xml) == 0:
-            raise Exception('Empty string supplied as input')
-
-        errors = []
-        res = OneLogin_Saml2_Utils.validate_xml(xml, 'saml-schema-metadata-2.0.xsd', self.__debug)
-        if not isinstance(res, Document):
-            errors.append(res)
-        else:
-            dom = res
-            element = dom.documentElement
-            if element.tagName != 'md:EntityDescriptor':
-                errors.append('noEntityDescriptor_xml')
-            else:
-                valid_until = cache_duration = expire_time = None
-
-                if element.hasAttribute('validUntil'):
-                    valid_until = OneLogin_Saml2_Utils.parse_SAML_to_time(element.getAttribute('validUntil'))
-                if element.hasAttribute('cacheDuration'):
-                    cache_duration = element.getAttribute('cacheDuration')
-
-                expire_time = OneLogin_Saml2_Utils.get_expire_time(cache_duration, valid_until)
-                if expire_time is not None and int(datetime.now().strftime('%s')) > int(expire_time):
-                    errors.append('expired_xml')
-
-        return errors
-
    
-
    [docs]    def format_idp_cert(self):
-        """
-        Formats the IdP cert.
-        """
-        if self.__idp['x509cert'] is not None:
-            self.__idp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self.__idp['x509cert'])
-
    
-
    [docs]    def get_errors(self):
-        """
-        Returns an array with the errors, the array is empty when the settings is ok.
-
-        :returns: Errors
-        :rtype: list
-        """
-        return self.__errors
-
    
-
    [docs]    def set_strict(self, value):
-        """
-        Activates or deactivates the strict mode.
-
-        :param xml: Strict parameter
-        :type xml: boolean
-        """
-        assert isinstance(value, bool)
-
-        self.__strict = value
-
    
-
    [docs]    def is_strict(self):
-        """
-        Returns if the 'strict' mode is active.
-
-        :returns: Strict parameter
-        :rtype: boolean
-        """
-        return self.__strict
-
    
-
    [docs]    def is_debug_active(self):
-        """
-        Returns if the debug is active.
-
-        :returns: Debug parameter
-        :rtype: boolean
-        """
-        return self.__debug
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_modules/saml2/utils.html b/docs/saml2/_modules/saml2/utils.html
deleted file mode 100644
index 63cc42a3..00000000
--- a/docs/saml2/_modules/saml2/utils.html
+++ /dev/null
@@ -1,802 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    saml2.utils — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Source code for saml2.utils
    -# -*- coding: utf-8 -*-
-
-
-import base64
-from datetime import datetime
-import calendar
-from hashlib import sha1
-from isodate import parse_duration as duration_parser
-from lxml import etree
-from lxml.etree import ElementBase
-from os.path import basename, dirname, join
-import re
-from sys import stderr
-from tempfile import NamedTemporaryFile
-from textwrap import wrap
-from urllib import quote_plus
-from uuid import uuid4
-from xml.dom.minidom import Document, parseString, Element
-from xml.etree.ElementTree import tostring
-import zlib
-
-import dm.xmlsec.binding as xmlsec
-from dm.xmlsec.binding.tmpl import EncData, Signature
-from M2Crypto import X509
-
-from saml2.constants import OneLogin_Saml2_Constants
-from saml2.errors import OneLogin_Saml2_Error
-
-
-def _(msg):
-    # Fixme Add i18n support
-    return msg
-
-
-
    [docs]class OneLogin_Saml2_Utils:
-
-    @staticmethod
-
    [docs]    def decode_base64_and_inflate(value):
-        """ base64 decodes and then inflates according to RFC1951
-        :param value: a deflated and encoded string
-        :return: the string after decoding and inflating
-        """
-
-        return zlib.decompress(base64.b64decode(value), -15)
-
    
-    @staticmethod
-
    [docs]    def deflate_and_base64_encode(value):
-        """
-        Deflates and the base64 encodes a string
-        :param value: The string to deflate and encode
-        :return: The deflated and encoded string
-        """
-        return base64.b64encode(zlib.compress(value)[2:-4])
-
    
-    @staticmethod
-
    [docs]    def validate_xml(xml, schema, debug=False):
-        """
-        """
-        assert (isinstance(xml, basestring) or isinstance(xml, Document))
-        assert isinstance(schema, basestring)
-
-        if isinstance(xml, Document):
-            xml = xml.toxml()
-
-        # Switch to lxml for schema validation
-        try:
-            dom = etree.fromstring(xml)
-        except Exception:
-            return 'unloaded_xml'
-
-        schema_file = join(dirname(__file__), 'schemas', schema)
-        f = open(schema_file, 'r')
-        schema_doc = etree.parse(f)
-        f.close()
-        xmlschema = etree.XMLSchema(schema_doc)
-
-        if not xmlschema.validate(dom):
-            xml_errors = [xmlschema.error_log]
-            if debug:
-                stderr.write('Errors validating the metadata')
-                stderr.write(':\n\n')
-                for error in xml_errors:
-                    stderr.write('%s\n' % error.message)
-
-            return 'invalid_xml'
-
-        return parseString(etree.tostring(dom))
-
    
-    @staticmethod
-
    [docs]    def format_cert(cert, heads=True):
-        """
-        Returns a x509 cert (adding header & footer if required).
-
-        :param cert: A x509 unformated cert
-        :type: string
-
-        :param heads: True if we want to include head and footer
-        :type: boolean
-
-        :returns: Formated cert
-        :rtype: string
-        """
-        x509_cert = cert.replace('\x0D', '')
-        x509_cert = x509_cert.replace('\r', '')
-        x509_cert = x509_cert.replace('\n', '')
-        if len(x509_cert) > 0:
-            x509_cert = x509_cert.replace('-----BEGIN CERTIFICATE-----', '')
-            x509_cert = x509_cert.replace('-----END CERTIFICATE-----', '')
-            x509_cert = x509_cert.replace(' ', '')
-
-            if heads:
-                x509_cert = '-----BEGIN CERTIFICATE-----\n' + '\n'.join(wrap(x509_cert, 64)) + '\n-----END CERTIFICATE-----\n'
-
-        return x509_cert
-
    
-    @staticmethod
-
    [docs]    def redirect(url, parameters={}, request_data={}):
-        """
-        Executes a redirection to the provided url (or return the target url).
-
-        :param url: The target url
-        :type: string
-
-        :param parameters: Extra parameters to be passed as part of the url
-        :type: dict
-
-        :param request_data: The request as a dict
-        :type: dict
-
-        :returns: Url
-        :rtype: string
-        """
-        assert isinstance(url, basestring)
-        assert isinstance(parameters, dict)
-
-        if url.startswith('/'):
-            url = '%s%s' % (OneLogin_Saml2_Utils.get_self_url_host(request_data), url)
-
-        # Verify that the URL is to a http or https site.
-        if re.search('^https?://', url) is None:
-            raise OneLogin_Saml2_Error(
-                'Redirect to invalid URL: ' + url,
-                OneLogin_Saml2_Error.REDIRECT_INVALID_URL
-            )
-
-        # Add encoded parameters
-        if url.find('?') < 0:
-            param_prefix = '?'
-        else:
-            param_prefix = '&'
-
-        for name, value in parameters.items():
-
-            if value is None:
-                param = urlencode(name)
-            elif isinstance(value, list):
-                param = ''
-                for val in value:
-                    param += quote_plus(name) + '[]=' + quote_plus(val) + '&'
-                if len(param) > 0:
-                    param = param[0:-1]
-            else:
-                param = quote_plus(name) + '=' + quote_plus(value)
-
-            url += param_prefix + param
-            param_prefix = '&'
-
-        return url
-
    
-    @staticmethod
-
    [docs]    def get_self_url_host(request_data):
-        """
-        Returns the protocol + the current host + the port (if different than
-        common ports).
-
-        :param request_data: The request as a dict
-        :type: dict
-
-        :return: Url
-        :rtype: string
-        """
-        current_host = OneLogin_Saml2_Utils.get_self_host(request_data)
-        port = ''
-        if OneLogin_Saml2_Utils.is_https(request_data):
-            protocol = 'https'
-        else:
-            protocol = 'http'
-
-        if 'server_port' in request_data:
-            port_number = request_data['server_port']
-            port = ':' + port_number
-
-            if protocol == 'http' and port_number == '80':
-                port = ''
-            elif protocol == 'https' and port_number == '443':
-                port = ''
-
-        return '%s://%s%s' % (protocol, current_host, port)
-
    
-    @staticmethod
-
    [docs]    def get_self_host(request_data):
-        """
-        Returns the current host.
-
-        :param request_data: The request as a dict
-        :type: dict
-
-        :return: The current host
-        :rtype: string
-        """
-        if 'http_host' in request_data:
-            current_host = request_data['http_host']
-        elif 'server_name' in request_data:
-            current_host = request_data['server_name']
-        else:
-            raise Exception('No hostname defined')
-
-        if ':' in current_host:
-            current_host_data = current_host.split(':')
-            possible_port = current_host_data[-1]
-            try:
-                possible_port = float(possible_port)
-                current_host = current_host_data[0]
-            except ValueError:
-                current_host = ':'.join(current_host_data)
-
-        return current_host
-
    
-    @staticmethod
-
    [docs]    def is_https(request_data):
-        """
-        Checks if https or http.
-
-        :param request_data: The request as a dict
-        :type: dict
-
-        :return: False if https is not active
-        :rtype: boolean
-        """
-        is_https = 'https' in request_data and request_data['https'] != 'off'
-        is_https = is_https or ('server_port' in request_data and request_data['server_port'] == '443')
-        return is_https
-
    
-    @staticmethod
-
    [docs]    def get_self_url_no_query(request_data):
-        """
-        Returns the URL of the current host + current view.
-
-        :param request_data: The request as a dict
-        :type: dict
-
-        :return: The url of current host + current view
-        :rtype: string
-        """
-        self_url_host = OneLogin_Saml2_Utils.get_self_url_host(request_data)
-        script_name = request_data['script_name']
-        if script_name[0] != '/':
-            script_name = '/' + script_name
-        self_url_host += script_name
-        if 'path_info' in request_data:
-            self_url_host += request_data['path_info']
-
-        return self_url_host
-
    
-    @staticmethod
-
    [docs]    def get_self_url(request_data):
-        """
-        Returns the URL of the current host + current view + query.
-
-        :param request_data: The request as a dict
-        :type: dict
-
-        :return: The url of current host + current view + query
-        :rtype: string
-        """
-        self_url_host = OneLogin_Saml2_Utils.get_self_url_host(request_data)
-
-        request_uri = ''
-        if 'request_uri' in request_data:
-            request_uri = request_data['request_uri']
-            if not request_uri.startswith('/'):
-                match = re.search('^https?://[^/]*(/.*)', request_uri)
-                if match is not None:
-                    request_uri = match.groups()[0]
-
-        return self_url_host + request_uri
-
    
-    @staticmethod
-
    [docs]    def generate_unique_id():
-        """
-        Generates an unique string (used for example as ID for assertions).
-
-        :return: A unique string
-        :rtype: string
-        """
-        return 'ONELOGIN_%s' % sha1(uuid4().hex).hexdigest()
-
    
-    @staticmethod
-
    [docs]    def parse_time_to_SAML(time):
-        """
-        Converts a UNIX timestamp to SAML2 timestamp on the form
-        yyyy-mm-ddThh:mm:ss(\.s+)?Z.
-
-        :param time: The time we should convert (DateTime).
-        :type: string
-
-        :return: SAML2 timestamp.
-        :rtype: string
-        """
-        data = datetime.utcfromtimestamp(float(time))
-        return data.strftime('%Y-%m-%dT%H:%M:%SZ')
-
    
-    @staticmethod
-
    [docs]    def parse_SAML_to_time(timestr):
-        """
-        Converts a SAML2 timestamp on the form yyyy-mm-ddThh:mm:ss(\.s+)?Z
-        to a UNIX timestamp. The sub-second part is ignored.
-
-        :param time: The time we should convert (SAML Timestamp).
-        :type: string
-
-        :return: Converted to a unix timestamp.
-        :rtype: int
-        """
-        try:
-            data = datetime.strptime(timestr, '%Y-%m-%dT%H:%M:%SZ')
-        except ValueError:
-            data = datetime.strptime(timestr, '%Y-%m-%dT%H:%M:%S.%fZ')
-        return calendar.timegm(data.utctimetuple())
-
    
-    @staticmethod
-
    [docs]    def parse_duration(duration, timestamp=None):
-        """
-        Interprets a ISO8601 duration value relative to a given timestamp.
-
-        :param duration: The duration, as a string.
-        :type: string
-
-        :param timestamp: The unix timestamp we should apply the duration to.
-                          Optional, default to the current time.
-        :type: string
-
-        :return: The new timestamp, after the duration is applied.
-        :rtype: int
-        """
-        assert isinstance(duration, basestring)
-        assert (timestamp is None or isinstance(timestamp, int))
-
-        timedelta = duration_parser(duration)
-        if timestamp is None:
-            data = datetime.utcnow() + timedelta
-        else:
-            data = datetime.utcfromtimestamp(timestamp) + timedelta
-        return calendar.timegm(data.utctimetuple())
-
    
-    @staticmethod
-
    [docs]    def get_expire_time(cache_duration=None, valid_until=None):
-        """
-        Compares 2 dates and returns the earliest.
-
-        :param cache_duration: The duration, as a string.
-        :type: string
-
-        :param valid_until: The valid until date, as a string or as a timestamp
-        :type: string
-
-        :return: The expiration time.
-        :rtype: int
-        """
-        expire_time = None
-
-        if cache_duration is not None:
-            expire_time = OneLogin_Saml2_Utils.parse_duration(cache_duration)
-
-        if valid_until is not None:
-            if isinstance(valid_until, int):
-                valid_until_time = valid_until
-            else:
-                valid_until_time = OneLogin_Saml2_Utils.parse_SAML_to_time(valid_until)
-            if expire_time is None or expire_time > valid_until_time:
-                expire_time = valid_until_time
-
-        if expire_time is not None:
-            return '%d' % expire_time
-        return None
-
    
-    @staticmethod
-
    [docs]    def query(dom, query, context=None):
-        """
-        Extracts nodes that match the query from the Element
-
-        :param dom: The root of the lxml objet
-        :type: Element
-
-        :param query: Xpath Expresion
-        :type: string
-
-        :param context: Context Node
-        :type: DOMElement
-
-        :returns: The queried nodes
-        :rtype: list
-        """
-        if context is None:
-            return dom.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
-        else:
-            return context.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
-
    
-    @staticmethod
-
    [docs]    def delete_local_session(callback=None):
-        """
-        Deletes the local session.
-        """
-
-        if callback is not None:
-            callback()
-
    
-    @staticmethod
-
    [docs]    def calculate_x509_fingerprint(x509_cert):
-        """
-        Calculates the fingerprint of a x509cert.
-
-        :param x509_cert: x509 cert
-        :type: string
-
-        :returns: Formated fingerprint
-        :rtype: string
-        """
-        assert isinstance(x509_cert, basestring)
-
-        lines = x509_cert.split('\n')
-        data = ''
-
-        for line in lines:
-            # Remove '\r' from end of line if present.
-            line = line.rstrip()
-            if line == '-----BEGIN CERTIFICATE-----':
-                # Delete junk from before the certificate.
-                data = ''
-            elif line == '-----END CERTIFICATE-----':
-                # Ignore data after the certificate.
-                break
-            elif line == '-----BEGIN PUBLIC KEY-----' or line == '-----BEGIN RSA PRIVATE KEY-----':
-                # This isn't an X509 certificate.
-                return None
-            else:
-                # Append the current line to the certificate data.
-                data += line
-        # "data" now contains the certificate as a base64-encoded string. The
-        # fingerprint of the certificate is the sha1-hash of the certificate.
-        return sha1(base64.b64decode(data)).hexdigest().lower()
-
    
-    @staticmethod
-
    [docs]    def format_finger_print(fingerprint):
-        """
-        Formates a fingerprint.
-
-        :param fingerprint: fingerprint
-        :type: string
-
-        :returns: Formated fingerprint
-        :rtype: string
-        """
-        formated_fingerprint = fingerprint.replace(':', '')
-        return formated_fingerprint.lower()
-
    
-    @staticmethod
-
    [docs]    def generate_name_id(value, sp_nq, sp_format, key=None):
-        """
-        Generates a nameID.
-
-        :param value: fingerprint
-        :type: string
-
-        :param sp_nq: SP Name Qualifier
-        :type: string
-
-        :param sp_format: SP Format
-        :type: string
-
-        :param key: SP Key to encrypt the nameID
-        :type: string
-
-        :returns: DOMElement | XMLSec nameID
-        :rtype: string
-        """
-        doc = Document()
-
-        name_id = doc.createElement('saml:NameID')
-        name_id.setAttribute('SPNameQualifier', sp_nq)
-        name_id.setAttribute('Format', sp_format)
-        name_id.appendChild(doc.createTextNode(value))
-
-        doc.appendChild(name_id)
-
-        if key is not None:
-            xmlsec.initialize()
-
-            # Load the private key
-            mngr = xmlsec.KeysMngr()
-            key = OneLogin_Saml2_Utils.format_cert(key, heads=False)
-            file_key = OneLogin_Saml2_Utils.write_temp_file(key)
-            key_data = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
-            key_data.name = key_name = basename(file_key.name)
-            mngr.addKey(key_data)
-            file_key.close()
-
-            # Prepare for encryption
-            enc_data = EncData(xmlsec.TransformAes128Cbc, type=xmlsec.TypeEncElement)
-            enc_data.ensureCipherValue()
-            key_info = enc_data.ensureKeyInfo()
-            enc_key = key_info.addEncryptedKey(xmlsec.TransformRsaPkcs1)
-            enc_key.ensureCipherValue()
-            enc_key_info = enc_key.ensureKeyInfo()
-            enc_key_info.addKeyName(key_name)
-
-            # Encrypt!
-            enc_ctx = xmlsec.EncCtx(mngr)
-            enc_ctx.enc_key = xmlsec.Key.generate(xmlsec.KeyDataAes, 128, xmlsec.KeyDataTypeSession)
-            ed = enc_ctx.encryptXml(enc_data, doc.getroot())
-
-            # Build XML with encrypted data
-            newdoc = Document()
-            encrypted_id = newdoc.createElement('saml:EncryptedID')
-            newdoc.appendChild(encrypted_id)
-            encrypted_id.appendChild(encrypted_id.ownerDocument.importNode(ed, True))
-
-            return newdoc.saveXML(encrypted_id)
-        else:
-            return doc.saveXML(name_id)
-
    
-    @staticmethod
-
    [docs]    def get_status(dom):
-        """
-        Gets Status from a Response.
-
-        :param dom: The Response as XML
-        :type: Document
-
-        :returns: The Status, an array with the code and a message.
-        :rtype: dict
-        """
-        status = {}
-
-        status_entry = OneLogin_Saml2_Utils.query(dom, '/samlp:Response/samlp:Status')
-        if len(status_entry) == 0:
-            raise Exception('Missing Status on response')
-
-        code_entry = OneLogin_Saml2_Utils.query(dom, '/samlp:Response/samlp:Status/samlp:StatusCode', status_entry[0])
-        if len(code_entry) == 0:
-            raise Exception('Missing Status Code on response')
-        code = code_entry[0].values()[0]
-        status['code'] = code
-
-        message_entry = OneLogin_Saml2_Utils.query(dom, '/samlp:Response/samlp:Status/samlp:StatusMessage', status_entry[0])
-        if len(message_entry) == 0:
-            status['msg'] = ''
-        else:
-            status['msg'] = message_entry[0].text
-
-        return status
-
    
-    @staticmethod
-
    [docs]    def decrypt_element(encrypted_data, enc_ctx):
-        """
-        Decrypts an encrypted element.
-
-        :param encrypted_data: The encrypted data.
-        :type: DOMElement
-
-        :param enc_ctx: The encryption context.
-        :type: Encryption Context
-
-        :returns: The decrypted element.
-        :rtype: DOMElement
-        """
-        if isinstance(encrypted_data, Element):
-            # Minidom element
-            encrypted_data = etree.fromstring(encrypted_data.toxml())
-
-        decrypted = enc_ctx.decrypt(encrypted_data)
-        if isinstance(decrypted, ElementBase):
-            # lxml element, decrypted xml data
-            return tostring(decrypted.getroottree())
-        else:
-            # decrypted binary data
-            return decrypted
-
    
-    @staticmethod
-
    [docs]    def write_temp_file(content):
-        """
-        Writes some content into a temporary file and returns it.
-
-        :param content: The file content
-        :type: string
-
-        :returns: The temporary file
-        :rtype: file-like object
-        """
-        f = NamedTemporaryFile(delete=True)
-        f.file.write(content)
-        f.file.flush()
-        return f
-
    
-    @staticmethod
-
    [docs]    def add_sign(xml, key, cert):
-        """
-        Adds signature key and senders certificate to an element (Message or
-        Assertion).
-
-        :param xml: The element we should sign
-        :type: string | Document
-
-        :param key: The private key
-        :type: string
-
-        :param cert: The public
-        :type: string
-        """
-        if isinstance(xml, Document):
-            dom = xml
-        else:
-            if xml == '':
-                raise Exception('Empty string supplied as input')
-
-            try:
-                dom = parseString(xml)
-            except Exception:
-                raise Exception('Error parsing xml string')
-
-        xmlsec.initialize()
-
-        # TODO the key and cert could be file descriptors instead
-        # Load the private key.
-        file_key = OneLogin_Saml2_Utils.write_temp_file(key)
-        sign_key = xmlsec.Key.load(file_key.name, xmlsec.KeyDataFormatPem, None)
-        file_key.close()
-        # Add the certificate to the signature.
-        file_cert = OneLogin_Saml2_Utils.write_temp_file(cert)
-        sign_key.loadCert(file_cert.name, xmlsec.KeyDataFormatPem)
-        file_cert.close()
-
-        # Get the EntityDescriptor node we should sign.
-        root_node = dom.firstChild
-
-        # Sign the metadata with our private key.
-        signature = Signature(xmlsec.TransformExclC14N, xmlsec.TransformRsaSha1)
-        ref = signature.addReference(xmlsec.TransformSha1)
-        ref.addTransform(xmlsec.TransformEnveloped)
-
-        key_info = signature.ensureKeyInfo()
-        key_info.addX509Data()
-
-        dsig_ctx = xmlsec.DSigCtx()
-        dsig_ctx.signKey = sign_key
-        dsig_ctx.sign(signature)
-
-        signature = tostring(signature).replace('ns0:', 'ds:').replace(':ns0', ':ds')
-        signature = parseString(signature).firstChild
-
-        insert_before = root_node.getElementsByTagName('saml:Issuer')
-        if len(insert_before) > 0:
-            insert_before = insert_before[0].nextSibling
-        else:
-            insert_before = root_node.firstChild.nextSibling.nextSibling
-        root_node.insertBefore(signature, insert_before)
-
-        return dom.toxml()
-
    
-    @staticmethod
-
    [docs]    def validate_sign(xml, cert=None, fingerprint=None):
-        """
-        Validates a signature (Message or Assertion).
-
-        :param xml: The element we should validate
-        :type: string | Document
-
-        :param cert: The pubic cert
-        :type: string
-
-        :param fingerprint: The fingerprint of the public cert
-        :type: string
-        """
-        if isinstance(xml, Document):
-            dom = etree.fromstring(xml.toxml())
-        else:
-            if xml == '':
-                raise Exception('Empty string supplied as input')
-
-            try:
-                dom = etree.fromstring(xml)
-            except Exception:
-                raise Exception('Error parsing xml string')
-
-        xmlsec.initialize()
-
-        # Find signature in the dom
-        signature_node = OneLogin_Saml2_Utils.query(dom, 'ds:Signature')[0]
-
-        # Prepare context and load cert into it
-        dsig_ctx = xmlsec.DSigCtx()
-        sign_cert = X509.load_cert_string(str(cert), X509.FORMAT_PEM)
-        pub_key = sign_cert.get_pubkey().get_rsa()
-        sign_key = xmlsec.Key.loadMemory(pub_key.as_pem(cipher=None),
-                                         xmlsec.KeyDataFormatPem)
-        dsig_ctx.signKey = sign_key
-
-        # Verify signature
-        dsig_ctx.verify(signature_node)
    
-
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/_sources/index.txt b/docs/saml2/_sources/index.txt
deleted file mode 100644
index 50ca26a4..00000000
--- a/docs/saml2/_sources/index.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-.. saml2 documentation master file, created by
-   sphinx-quickstart on Thu Oct 23 03:29:00 2014.
-   You can adapt this file completely to your liking, but it should at least
-   contain the root `toctree` directive.
-
-Welcome to SAML Python library documentation
-=====================================================
-
-Contents:
-
-.. toctree::
-   :maxdepth: 4
-
-   saml2
-
-
-Indices and tables
-==================
-
-* :ref:`genindex`
-* :ref:`modindex`
-* :ref:`search`
-
diff --git a/docs/saml2/_sources/saml2.txt b/docs/saml2/_sources/saml2.txt
deleted file mode 100644
index bf444d4d..00000000
--- a/docs/saml2/_sources/saml2.txt
+++ /dev/null
@@ -1,83 +0,0 @@
-OneLogin saml2 Module
-======================
-
-:mod:`auth` Class
-------------------
-
-.. automodule:: saml2.auth
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`authn_request` Class
----------------------------
-
-.. automodule:: saml2.authn_request
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`constants` Class
------------------------
-
-.. automodule:: saml2.constants
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`errors` Class
---------------------
-
-.. automodule:: saml2.errors
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`logout_request` Class
-----------------------------
-
-.. automodule:: saml2.logout_request
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`logout_response` Class
------------------------------
-
-.. automodule:: saml2.logout_response
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`metadata` Class
-----------------------
-
-.. automodule:: saml2.metadata
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`response` Class
-----------------------
-
-.. automodule:: saml2.response
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`settings` Class
-----------------------
-
-.. automodule:: saml2.settings
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`utils` Class
--------------------
-
-.. automodule:: saml2.utils
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
diff --git a/docs/saml2/_static/ajax-loader.gif b/docs/saml2/_static/ajax-loader.gif
deleted file mode 100644
index 61faf8cab23993bd3e1560bff0668bd628642330..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 673
zcmZ?wbhEHb6krfw_{6~Q|Nno%(3)e{?)x>&1u}A`t?OF7Z|1gRivOgXi&7IyQd1Pl
zGfOfQ60;I3a`F>X^fL3(@);C=vM_KlFfb_o=k{|A33hf2a5d61U}gjg=>Rd%XaNQW
zW@Cw{|b%Y*pl8F?4B9
zlo4Fz*0kZGJabY|>}Okf0}CCg{u4`zEPY^pV?j2@h+|igy0+Kz6p;@SpM4s6)XEMg
z#3Y4GX>Hjlml5ftdH$4x0JGdn8~MX(U~_^d!Hi)=HU{V%g+mi8#UGbE-*ao8f#h+S
z2a0-5+vc7MU$e-NhmBjLIC1v|)9+Im8x1yacJ7{^tLX(ZhYi^rpmXm0`@ku9b53aN
zEXH@Y3JaztblgpxbJt{AtE1ad1Ca>{v$rwwvK(>{m~Gf_=-Ro7Fk{#;i~+{{>QtvI
yb2P8Zac~?~=sRA>$6{!(^3;ZP0TPFR(G_-UDU(8Jl0?(IXu$~#4A!880|o%~Al1tN

diff --git a/docs/saml2/_static/basic.css b/docs/saml2/_static/basic.css
deleted file mode 100644
index 43e8bafa..00000000
--- a/docs/saml2/_static/basic.css
+++ /dev/null
@@ -1,540 +0,0 @@
-/*
- * basic.css
- * ~~~~~~~~~
- *
- * Sphinx stylesheet -- basic theme.
- *
- * :copyright: Copyright 2007-2011 by the Sphinx team, see AUTHORS.
- * :license: BSD, see LICENSE for details.
- *
- */
-
-/* -- main layout ----------------------------------------------------------- */
-
-div.clearer {
-    clear: both;
-}
-
-/* -- relbar ---------------------------------------------------------------- */
-
-div.related {
-    width: 100%;
-    font-size: 90%;
-}
-
-div.related h3 {
-    display: none;
-}
-
-div.related ul {
-    margin: 0;
-    padding: 0 0 0 10px;
-    list-style: none;
-}
-
-div.related li {
-    display: inline;
-}
-
-div.related li.right {
-    float: right;
-    margin-right: 5px;
-}
-
-/* -- sidebar --------------------------------------------------------------- */
-
-div.sphinxsidebarwrapper {
-    padding: 10px 5px 0 10px;
-}
-
-div.sphinxsidebar {
-    float: left;
-    width: 230px;
-    margin-left: -100%;
-    font-size: 90%;
-}
-
-div.sphinxsidebar ul {
-    list-style: none;
-}
-
-div.sphinxsidebar ul ul,
-div.sphinxsidebar ul.want-points {
-    margin-left: 20px;
-    list-style: square;
-}
-
-div.sphinxsidebar ul ul {
-    margin-top: 0;
-    margin-bottom: 0;
-}
-
-div.sphinxsidebar form {
-    margin-top: 10px;
-}
-
-div.sphinxsidebar input {
-    border: 1px solid #98dbcc;
-    font-family: sans-serif;
-    font-size: 1em;
-}
-
-div.sphinxsidebar #searchbox input[type="text"] {
-    width: 170px;
-}
-
-div.sphinxsidebar #searchbox input[type="submit"] {
-    width: 30px;
-}
-
-img {
-    border: 0;
-}
-
-/* -- search page ----------------------------------------------------------- */
-
-ul.search {
-    margin: 10px 0 0 20px;
-    padding: 0;
-}
-
-ul.search li {
-    padding: 5px 0 5px 20px;
-    background-image: url(file.png);
-    background-repeat: no-repeat;
-    background-position: 0 7px;
-}
-
-ul.search li a {
-    font-weight: bold;
-}
-
-ul.search li div.context {
-    color: #888;
-    margin: 2px 0 0 30px;
-    text-align: left;
-}
-
-ul.keywordmatches li.goodmatch a {
-    font-weight: bold;
-}
-
-/* -- index page ------------------------------------------------------------ */
-
-table.contentstable {
-    width: 90%;
-}
-
-table.contentstable p.biglink {
-    line-height: 150%;
-}
-
-a.biglink {
-    font-size: 1.3em;
-}
-
-span.linkdescr {
-    font-style: italic;
-    padding-top: 5px;
-    font-size: 90%;
-}
-
-/* -- general index --------------------------------------------------------- */
-
-table.indextable {
-    width: 100%;
-}
-
-table.indextable td {
-    text-align: left;
-    vertical-align: top;
-}
-
-table.indextable dl, table.indextable dd {
-    margin-top: 0;
-    margin-bottom: 0;
-}
-
-table.indextable tr.pcap {
-    height: 10px;
-}
-
-table.indextable tr.cap {
-    margin-top: 10px;
-    background-color: #f2f2f2;
-}
-
-img.toggler {
-    margin-right: 3px;
-    margin-top: 3px;
-    cursor: pointer;
-}
-
-div.modindex-jumpbox {
-    border-top: 1px solid #ddd;
-    border-bottom: 1px solid #ddd;
-    margin: 1em 0 1em 0;
-    padding: 0.4em;
-}
-
-div.genindex-jumpbox {
-    border-top: 1px solid #ddd;
-    border-bottom: 1px solid #ddd;
-    margin: 1em 0 1em 0;
-    padding: 0.4em;
-}
-
-/* -- general body styles --------------------------------------------------- */
-
-a.headerlink {
-    visibility: hidden;
-}
-
-h1:hover > a.headerlink,
-h2:hover > a.headerlink,
-h3:hover > a.headerlink,
-h4:hover > a.headerlink,
-h5:hover > a.headerlink,
-h6:hover > a.headerlink,
-dt:hover > a.headerlink {
-    visibility: visible;
-}
-
-div.body p.caption {
-    text-align: inherit;
-}
-
-div.body td {
-    text-align: left;
-}
-
-.field-list ul {
-    padding-left: 1em;
-}
-
-.first {
-    margin-top: 0 !important;
-}
-
-p.rubric {
-    margin-top: 30px;
-    font-weight: bold;
-}
-
-img.align-left, .figure.align-left, object.align-left {
-    clear: left;
-    float: left;
-    margin-right: 1em;
-}
-
-img.align-right, .figure.align-right, object.align-right {
-    clear: right;
-    float: right;
-    margin-left: 1em;
-}
-
-img.align-center, .figure.align-center, object.align-center {
-  display: block;
-  margin-left: auto;
-  margin-right: auto;
-}
-
-.align-left {
-    text-align: left;
-}
-
-.align-center {
-    text-align: center;
-}
-
-.align-right {
-    text-align: right;
-}
-
-/* -- sidebars -------------------------------------------------------------- */
-
-div.sidebar {
-    margin: 0 0 0.5em 1em;
-    border: 1px solid #ddb;
-    padding: 7px 7px 0 7px;
-    background-color: #ffe;
-    width: 40%;
-    float: right;
-}
-
-p.sidebar-title {
-    font-weight: bold;
-}
-
-/* -- topics ---------------------------------------------------------------- */
-
-div.topic {
-    border: 1px solid #ccc;
-    padding: 7px 7px 0 7px;
-    margin: 10px 0 10px 0;
-}
-
-p.topic-title {
-    font-size: 1.1em;
-    font-weight: bold;
-    margin-top: 10px;
-}
-
-/* -- admonitions ----------------------------------------------------------- */
-
-div.admonition {
-    margin-top: 10px;
-    margin-bottom: 10px;
-    padding: 7px;
-}
-
-div.admonition dt {
-    font-weight: bold;
-}
-
-div.admonition dl {
-    margin-bottom: 0;
-}
-
-p.admonition-title {
-    margin: 0px 10px 5px 0px;
-    font-weight: bold;
-}
-
-div.body p.centered {
-    text-align: center;
-    margin-top: 25px;
-}
-
-/* -- tables ---------------------------------------------------------------- */
-
-table.docutils {
-    border: 0;
-    border-collapse: collapse;
-}
-
-table.docutils td, table.docutils th {
-    padding: 1px 8px 1px 5px;
-    border-top: 0;
-    border-left: 0;
-    border-right: 0;
-    border-bottom: 1px solid #aaa;
-}
-
-table.field-list td, table.field-list th {
-    border: 0 !important;
-}
-
-table.footnote td, table.footnote th {
-    border: 0 !important;
-}
-
-th {
-    text-align: left;
-    padding-right: 5px;
-}
-
-table.citation {
-    border-left: solid 1px gray;
-    margin-left: 1px;
-}
-
-table.citation td {
-    border-bottom: none;
-}
-
-/* -- other body styles ----------------------------------------------------- */
-
-ol.arabic {
-    list-style: decimal;
-}
-
-ol.loweralpha {
-    list-style: lower-alpha;
-}
-
-ol.upperalpha {
-    list-style: upper-alpha;
-}
-
-ol.lowerroman {
-    list-style: lower-roman;
-}
-
-ol.upperroman {
-    list-style: upper-roman;
-}
-
-dl {
-    margin-bottom: 15px;
-}
-
-dd p {
-    margin-top: 0px;
-}
-
-dd ul, dd table {
-    margin-bottom: 10px;
-}
-
-dd {
-    margin-top: 3px;
-    margin-bottom: 10px;
-    margin-left: 30px;
-}
-
-dt:target, .highlighted {
-    background-color: #fbe54e;
-}
-
-dl.glossary dt {
-    font-weight: bold;
-    font-size: 1.1em;
-}
-
-.field-list ul {
-    margin: 0;
-    padding-left: 1em;
-}
-
-.field-list p {
-    margin: 0;
-}
-
-.refcount {
-    color: #060;
-}
-
-.optional {
-    font-size: 1.3em;
-}
-
-.versionmodified {
-    font-style: italic;
-}
-
-.system-message {
-    background-color: #fda;
-    padding: 5px;
-    border: 3px solid red;
-}
-
-.footnote:target  {
-    background-color: #ffa;
-}
-
-.line-block {
-    display: block;
-    margin-top: 1em;
-    margin-bottom: 1em;
-}
-
-.line-block .line-block {
-    margin-top: 0;
-    margin-bottom: 0;
-    margin-left: 1.5em;
-}
-
-.guilabel, .menuselection {
-    font-family: sans-serif;
-}
-
-.accelerator {
-    text-decoration: underline;
-}
-
-.classifier {
-    font-style: oblique;
-}
-
-abbr, acronym {
-    border-bottom: dotted 1px;
-    cursor: help;
-}
-
-/* -- code displays --------------------------------------------------------- */
-
-pre {
-    overflow: auto;
-    overflow-y: hidden;  /* fixes display issues on Chrome browsers */
-}
-
-td.linenos pre {
-    padding: 5px 0px;
-    border: 0;
-    background-color: transparent;
-    color: #aaa;
-}
-
-table.highlighttable {
-    margin-left: 0.5em;
-}
-
-table.highlighttable td {
-    padding: 0 0.5em 0 0.5em;
-}
-
-tt.descname {
-    background-color: transparent;
-    font-weight: bold;
-    font-size: 1.2em;
-}
-
-tt.descclassname {
-    background-color: transparent;
-}
-
-tt.xref, a tt {
-    background-color: transparent;
-    font-weight: bold;
-}
-
-h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
-    background-color: transparent;
-}
-
-.viewcode-link {
-    float: right;
-}
-
-.viewcode-back {
-    float: right;
-    font-family: sans-serif;
-}
-
-div.viewcode-block:target {
-    margin: -1px -10px;
-    padding: 0 10px;
-}
-
-/* -- math display ---------------------------------------------------------- */
-
-img.math {
-    vertical-align: middle;
-}
-
-div.body div.math p {
-    text-align: center;
-}
-
-span.eqno {
-    float: right;
-}
-
-/* -- printout stylesheet --------------------------------------------------- */
-
-@media print {
-    div.document,
-    div.documentwrapper,
-    div.bodywrapper {
-        margin: 0 !important;
-        width: 100%;
-    }
-
-    div.sphinxsidebar,
-    div.related,
-    div.footer,
-    #top-link {
-        display: none;
-    }
-}
\ No newline at end of file
diff --git a/docs/saml2/_static/comment-bright.png b/docs/saml2/_static/comment-bright.png
deleted file mode 100644
index 551517b8c83b76f734ff791f847829a760ad1903..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3500
zcmV;d4O8-oP)Oz@Z0f2-7z;ux~O9+4z06=<WDR*FRcSTFz-
zW=q650N5=6FiBTtNC2?60Km==3$g$R3;-}uh=nNt1bYBr$Ri_o0EC$U6h`t_Jn<{8
z5a%iY0C<_QJh>z}MS)ugEpZ1|S1ukX&Pf+56gFW3VVXcL!g-k)GJ!M?;PcD?0HBc-
z5#WRK{dmp}uFlRjj{U%*%WZ25jX
z{P*?XzTzZ-GF^d31o+^>%=Ap99M6&ogks$0k4OBs3;+Bb(;~!4V!2o<6ys46agIcq
zjPo+3B8fthDa9qy|77CdEc*jK-!%ZRYCZvbku9iQV*~a}ClFY4z~c7+0P?$U!PF=S
z1Au6Q;m>#f??3%Vpd|o+W=WE9003S@Bra6Svp>fO002awfhw>;8}z{#EWidF!3EsG
z3;bXU&9EIRU@z1_9W=mEXoiz;4lcq~xDGvV5BgyU
zp1~-*fe8db$Osc*A=-!mVv1NJjtCc-h4>-CNCXm#Bp}I%6j35eku^v$Qi@a{RY)E3
zJ#qp$hg?Rwkvqr$GJ^buyhkyVfwECO)C{#lxu`c9ghrwZ&}4KmnvWKso6vH!8a<3Q
zq36)6Xb;+tK10Vaz~~qUGsJ8#F2=(`u{bOVlVi)VBCHIn#u~6ztOL7=^<&SmcLWlF
zMZgI*1b0FpVIDz9SWH+>*hr`#93(Um+6gxa1B6k+CnA%mOSC4s5&6UzVlpv@SV$}*
z))J2sFA#f(L&P^E5{W}HC%KRUNwK6<(h|}}(r!{C=`5+6G)NjFlgZj-YqAG9lq?`C
z$c5yc>d>VnA`E_*3F2Qp##d8RZb=H01_mm@+|Cqnc9PsG(F5HIG_C
zt)aG3uTh7n6Et<2In9F>NlT@zqLtGcXcuVrX|L#Xx)I%#9!{6gSJKPrN9dR61N3(c
z4Tcqi$B1Vr8Jidf7-t!G7_XR2rWwr)$3XQ?}=hpK0&Z&W{|
zep&sA23f;Q!%st`QJ}G3cbou<7-yIK2z4nfCCCtN2-XOGSWo##{8Q{ATurxr~;I`ytDs%xbip}RzP
zziy}Qn4Z2~fSycmr`~zJ=lUFdFa1>gZThG6M+{g7vkW8#+YHVaJjFF}Z#*3@$J_By
zLtVo_L#1JrVVB{Ak-5=4qt!-@Mh}c>#$4kh<88)m#-k<%CLtzEP3leVno>={htGUuD;o7bD)w_sX$S}eAxwzy?UvgBH(S?;#HZiQMoS*2K2
zT3xe7t(~nU*1N5{rxB;QPLocnp4Ml>u<^FZwyC!nu;thW+pe~4wtZn|Vi#w(#jeBd
zlf9FDx_yoPJqHbk*$%56S{;6Kv~mM9!g3B(KJ}#RZ#@)!hR|78Dq|Iq-afF%KE1Brn_fm;Im
z_u$xr8UFki1L{Ox>G0o)(&RAZ;=|I=wN2l97;cLaHH6leTB-XXa*h%dBOEvi`+x
zi?=Txl?TadvyiL>SuF~-LZ;|cS}4~l2eM~nS7yJ>iOM;atDY;(?aZ^v+mJV$@1Ote
z62cPUlD4IWOIIx&SmwQ~YB{nzae3Pc;}r!fhE@iwJh+OsDs9zItL;~pu715HdQEGA
zUct(O!LkCy1<%NCg+}G`0PgpNm-?d@-hMgNe6^V+j6x$b<6@S<$+<4_1hi}Ti
zncS4LsjI}fWY1>OX6feMEuLErma3QLmkw?X+1j)X-&VBk_4Y;EFPF_I+q;9dL%E~B
zJh;4Nr^(LEJ3myURP{Rblsw%57T)g973R8o)DE9*xN#~;4_o$q%o
z4K@u`jhx2fBXC4{U8Qn{*%*B$Ge=nny$HAYq{=vy|sI0
z_vss+H_qMky?OB#|JK!>IX&II^LlUh#rO5!7TtbwC;iULyV-Xq?ybB}ykGP{?LpZ?
z-G|jbTmIbG@7#ZCz;~eY(cDM(28Dyq{*m>M4?_iynUBkc4TkHUI6gT!;y-fz>HMcd
z&t%Ugo)`Y2{>!cx7B7DI)$7;J(U{Spm-3gBzioV_{p!H$8L!*M!p0uH$#^p{Ui4P`
z?ZJ24cOCDe-w#jZd?0@)|7iKK^;6KN`;!@ylm7$*nDhK&GcDTy000JJOGiWi{{a60
z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^RV2niQ93PPz|JOBU!-bqA3
zR5;6pl1pe^WfX
zkSdl!omi0~*ntl;2q{jA^;J@WT8O!=A(Gck8fa>hn{#u{`Tyg)!KXI6l>4dj==iVKK6+%4zaRizy(5eryC3d2
z+5Y_D$4}k5v2=Siw{=O)SWY2HJwR3xX1*M*9G^XQ*TCNXF$Vj(kbMJXK0DaS_Sa^1
z?CEa!cFWDhcwxy%a?i@DN|G6-M#uuWU>lss@I>;$xmQ|`u3f;MQ|pYuHxxvMeq4TW;>|7Z2*AsqT=`-1O~nTm6O&pNEK?^cf9CX=
zkq5|qAoE7un3V
z^yy=@%6zqN^x`#qW+;e7j>th{6GV}sf*}g7{(R#T)yg-AZh0C&U;WA`AL$qz8()5^
zGFi2`g&L7!c?x+A2oOaG0c*Bg&YZt8cJ{jq_W{uTdA-<;`@iP$$=$H?gYIYc_q^*$
z#k(Key`d40R3?+GmgK8hHJcwiQ~r4By@w9*PuzR>x3#(F?YW_W5pPc(t(@-Y{psOt
zz2!UE_5S)bLF)Oz@Z0f2-7z;ux~O9+4z06=<WDR*FRcSTFz-
zW=q650N5=6FiBTtNC2?60Km==3$g$R3;-}uh=nNt1bYBr$Ri_o0EC$U6h`t_Jn<{8
z5a%iY0C<_QJh>z}MS)ugEpZ1|S1ukX&Pf+56gFW3VVXcL!g-k)GJ!M?;PcD?0HBc-
z5#WRK{dmp}uFlRjj{U%*%WZ25jX
z{P*?XzTzZ-GF^d31o+^>%=Ap99M6&ogks$0k4OBs3;+Bb(;~!4V!2o<6ys46agIcq
zjPo+3B8fthDa9qy|77CdEc*jK-!%ZRYCZvbku9iQV*~a}ClFY4z~c7+0P?$U!PF=S
z1Au6Q;m>#f??3%Vpd|o+W=WE9003S@Bra6Svp>fO002awfhw>;8}z{#EWidF!3EsG
z3;bXU&9EIRU@z1_9W=mEXoiz;4lcq~xDGvV5BgyU
zp1~-*fe8db$Osc*A=-!mVv1NJjtCc-h4>-CNCXm#Bp}I%6j35eku^v$Qi@a{RY)E3
zJ#qp$hg?Rwkvqr$GJ^buyhkyVfwECO)C{#lxu`c9ghrwZ&}4KmnvWKso6vH!8a<3Q
zq36)6Xb;+tK10Vaz~~qUGsJ8#F2=(`u{bOVlVi)VBCHIn#u~6ztOL7=^<&SmcLWlF
zMZgI*1b0FpVIDz9SWH+>*hr`#93(Um+6gxa1B6k+CnA%mOSC4s5&6UzVlpv@SV$}*
z))J2sFA#f(L&P^E5{W}HC%KRUNwK6<(h|}}(r!{C=`5+6G)NjFlgZj-YqAG9lq?`C
z$c5yc>d>VnA`E_*3F2Qp##d8RZb=H01_mm@+|Cqnc9PsG(F5HIG_C
zt)aG3uTh7n6Et<2In9F>NlT@zqLtGcXcuVrX|L#Xx)I%#9!{6gSJKPrN9dR61N3(c
z4Tcqi$B1Vr8Jidf7-t!G7_XR2rWwr)$3XQ?}=hpK0&Z&W{|
zep&sA23f;Q!%st`QJ}G3cbou<7-yIK2z4nfCCCtN2-XOGSWo##{8Q{ATurxr~;I`ytDs%xbip}RzP
zziy}Qn4Z2~fSycmr`~zJ=lUFdFa1>gZThG6M+{g7vkW8#+YHVaJjFF}Z#*3@$J_By
zLtVo_L#1JrVVB{Ak-5=4qt!-@Mh}c>#$4kh<88)m#-k<%CLtzEP3leVno>={htGUuD;o7bD)w_sX$S}eAxwzy?UvgBH(S?;#HZiQMoS*2K2
zT3xe7t(~nU*1N5{rxB;QPLocnp4Ml>u<^FZwyC!nu;thW+pe~4wtZn|Vi#w(#jeBd
zlf9FDx_yoPJqHbk*$%56S{;6Kv~mM9!g3B(KJ}#RZ#@)!hR|78Dq|Iq-afF%KE1Brn_fm;Im
z_u$xr8UFki1L{Ox>G0o)(&RAZ;=|I=wN2l97;cLaHH6leTB-XXa*h%dBOEvi`+x
zi?=Txl?TadvyiL>SuF~-LZ;|cS}4~l2eM~nS7yJ>iOM;atDY;(?aZ^v+mJV$@1Ote
z62cPUlD4IWOIIx&SmwQ~YB{nzae3Pc;}r!fhE@iwJh+OsDs9zItL;~pu715HdQEGA
zUct(O!LkCy1<%NCg+}G`0PgpNm-?d@-hMgNe6^V+j6x$b<6@S<$+<4_1hi}Ti
zncS4LsjI}fWY1>OX6feMEuLErma3QLmkw?X+1j)X-&VBk_4Y;EFPF_I+q;9dL%E~B
zJh;4Nr^(LEJ3myURP{Rblsw%57T)g973R8o)DE9*xN#~;4_o$q%o
z4K@u`jhx2fBXC4{U8Qn{*%*B$Ge=nny$HAYq{=vy|sI0
z_vss+H_qMky?OB#|JK!>IX&II^LlUh#rO5!7TtbwC;iULyV-Xq?ybB}ykGP{?LpZ?
z-G|jbTmIbG@7#ZCz;~eY(cDM(28Dyq{*m>M4?_iynUBkc4TkHUI6gT!;y-fz>HMcd
z&t%Ugo)`Y2{>!cx7B7DI)$7;J(U{Spm-3gBzioV_{p!H$8L!*M!p0uH$#^p{Ui4P`
z?ZJ24cOCDe-w#jZd?0@)|7iKK^;6KN`;!@ylm7$*nDhK&GcDTy000JJOGiWi{{a60
z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^RV2oe()A>y0J-2easEJ;K`
zR5;6Jl3z%jbr{D#&+mQTbB>-f&3W<<%ayjKi&ZjBc2N<@)`~{dMXWB0(ajbV85_gJ
zf(EU`iek}4Bt%55ix|sVMm1u8KvB#hnmU~_r<Ogd(A5vg_omvd-#L!=(BMVklxVqhdT
zofSj`QA^|)G*lu58>#vhvA)%0Or&dIsb%b)st*LV8`ANnOipDbh%_*c7`d6#
z21*z~Xd?ovgf>zq(o0?Et~9ti+pljZC~#_KvJhA>u91WRaq|uqBBKP6V0?p-NL59w
zrK0w($_m#SDPQ!Z$nhd^JO|f+7k5xca94d2OLJ&sSxlB7F%NtrF@@O7WWlkHSDtor
zzD?u;b&KN$*MnHx;JDy9P~G<{4}9__s&MATBV4R+MuA8TjlZ3ye&qZMCUe8ihBnHI
zhMSu
zSERHwrmBb$SWVr+)Yk2k^FgTMR6mP;@FY2{}BeV|SUo=mNk<-XSOHNErw>s{^rR-bu$@aN7=
zj~-qXcS2!BA*(Q**BOOl{FggkyHdCJi_Fy>?_K+G+DYwIn8`29DYPg&s4$}7D`fv?
zuyJ2sMfJX(I^yrf6u!(~9anf(AqAk&ke}uL0SIb-H!SaDQvd(}07*qoM6N<$g1Ha7
A2LJ#7

diff --git a/docs/saml2/_static/comment.png b/docs/saml2/_static/comment.png
deleted file mode 100644
index 92feb52b8824c6b0f59b658b1196c61de9162a95..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3445
zcmV-*4T|!KP)Oz@Z0f2-7z;ux~O9+4z06=<WDR*FRcSTFz-
zW=q650N5=6FiBTtNC2?60Km==3$g$R3;-}uh=nNt1bYBr$Ri_o0EC$U6h`t_Jn<{8
z5a%iY0C<_QJh>z}MS)ugEpZ1|S1ukX&Pf+56gFW3VVXcL!g-k)GJ!M?;PcD?0HBc-
z5#WRK{dmp}uFlRjj{U%*%WZ25jX
z{P*?XzTzZ-GF^d31o+^>%=Ap99M6&ogks$0k4OBs3;+Bb(;~!4V!2o<6ys46agIcq
zjPo+3B8fthDa9qy|77CdEc*jK-!%ZRYCZvbku9iQV*~a}ClFY4z~c7+0P?$U!PF=S
z1Au6Q;m>#f??3%Vpd|o+W=WE9003S@Bra6Svp>fO002awfhw>;8}z{#EWidF!3EsG
z3;bXU&9EIRU@z1_9W=mEXoiz;4lcq~xDGvV5BgyU
zp1~-*fe8db$Osc*A=-!mVv1NJjtCc-h4>-CNCXm#Bp}I%6j35eku^v$Qi@a{RY)E3
zJ#qp$hg?Rwkvqr$GJ^buyhkyVfwECO)C{#lxu`c9ghrwZ&}4KmnvWKso6vH!8a<3Q
zq36)6Xb;+tK10Vaz~~qUGsJ8#F2=(`u{bOVlVi)VBCHIn#u~6ztOL7=^<&SmcLWlF
zMZgI*1b0FpVIDz9SWH+>*hr`#93(Um+6gxa1B6k+CnA%mOSC4s5&6UzVlpv@SV$}*
z))J2sFA#f(L&P^E5{W}HC%KRUNwK6<(h|}}(r!{C=`5+6G)NjFlgZj-YqAG9lq?`C
z$c5yc>d>VnA`E_*3F2Qp##d8RZb=H01_mm@+|Cqnc9PsG(F5HIG_C
zt)aG3uTh7n6Et<2In9F>NlT@zqLtGcXcuVrX|L#Xx)I%#9!{6gSJKPrN9dR61N3(c
z4Tcqi$B1Vr8Jidf7-t!G7_XR2rWwr)$3XQ?}=hpK0&Z&W{|
zep&sA23f;Q!%st`QJ}G3cbou<7-yIK2z4nfCCCtN2-XOGSWo##{8Q{ATurxr~;I`ytDs%xbip}RzP
zziy}Qn4Z2~fSycmr`~zJ=lUFdFa1>gZThG6M+{g7vkW8#+YHVaJjFF}Z#*3@$J_By
zLtVo_L#1JrVVB{Ak-5=4qt!-@Mh}c>#$4kh<88)m#-k<%CLtzEP3leVno>={htGUuD;o7bD)w_sX$S}eAxwzy?UvgBH(S?;#HZiQMoS*2K2
zT3xe7t(~nU*1N5{rxB;QPLocnp4Ml>u<^FZwyC!nu;thW+pe~4wtZn|Vi#w(#jeBd
zlf9FDx_yoPJqHbk*$%56S{;6Kv~mM9!g3B(KJ}#RZ#@)!hR|78Dq|Iq-afF%KE1Brn_fm;Im
z_u$xr8UFki1L{Ox>G0o)(&RAZ;=|I=wN2l97;cLaHH6leTB-XXa*h%dBOEvi`+x
zi?=Txl?TadvyiL>SuF~-LZ;|cS}4~l2eM~nS7yJ>iOM;atDY;(?aZ^v+mJV$@1Ote
z62cPUlD4IWOIIx&SmwQ~YB{nzae3Pc;}r!fhE@iwJh+OsDs9zItL;~pu715HdQEGA
zUct(O!LkCy1<%NCg+}G`0PgpNm-?d@-hMgNe6^V+j6x$b<6@S<$+<4_1hi}Ti
zncS4LsjI}fWY1>OX6feMEuLErma3QLmkw?X+1j)X-&VBk_4Y;EFPF_I+q;9dL%E~B
zJh;4Nr^(LEJ3myURP{Rblsw%57T)g973R8o)DE9*xN#~;4_o$q%o
z4K@u`jhx2fBXC4{U8Qn{*%*B$Ge=nny$HAYq{=vy|sI0
z_vss+H_qMky?OB#|JK!>IX&II^LlUh#rO5!7TtbwC;iULyV-Xq?ybB}ykGP{?LpZ?
z-G|jbTmIbG@7#ZCz;~eY(cDM(28Dyq{*m>M4?_iynUBkc4TkHUI6gT!;y-fz>HMcd
z&t%Ugo)`Y2{>!cx7B7DI)$7;J(U{Spm-3gBzioV_{p!H$8L!*M!p0uH$#^p{Ui4P`
z?ZJ24cOCDe-w#jZd?0@)|7iKK^;6KN`;!@ylm7$*nDhK&GcDTy000JJOGiWi{{a60
z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^RV2nzr)JMUJvzW@LNr%6OX
zR5;6Zk;`k`RTRfR-*ac2G}PGmXsUu>6ce?Lsn$m^3Q`48f|TwQ+_-Qh=t8Ra7nE)y
zf@08(pjZ@22^EVjG*%30TJRMkBUC$WqZ73uoiv&J=APqX;!v%AH}`Vx`999MVjXwy
z{f1-vh8P<=plv&cZ>p5jjX~Vt&W0e)wpw1RFRuRdDkwlKb01tp5
zP=trFN0gH^|L4jJkB{6sCV;Q!ewpg-D&4cza%GQ*b>R*=34#dW;ek`FEiB(vnw+U#
zpOX5UMJBhIN&;D1!yQoIAySC!9zqJmmfoJqmQp}p&h*HTfMh~u9rKic2oz3sNM^#F
zBIq*MRLbsMt%y{EHj8}LeqUUvoxf0=kqji62>ne+U`d#%J)abyK&Y`=eD%oA!36<)baZyK
zXJh5im6umkS|_CSGXips$nI)oBHXojzBzyY_M5K*uvb0_9viuBVyV%5VtJ*Am1ag#
zczbv4B?u8j68iOz<+)nDu^oWnL+$_G{PZOCcOGQ?!1VCefves~rfpaEZs-PdVYMiV
z98ElaJ2}7f;htSXFY#Zv?__sQeckE^HV{ItO=)2hMQs=(_
Xn!ZpXD%P(H00000NkvXXu0mjf= 0 && !jQuery(node.parentNode).hasMethod(className)) {
-        var span = document.createElement("span");
-        span.className = className;
-        span.appendChild(document.createTextNode(val.substr(pos, text.length)));
-        node.parentNode.insertBefore(span, node.parentNode.insertBefore(
-          document.createTextNode(val.substr(pos + text.length)),
-          node.nextSibling));
-        node.nodeValue = val.substr(0, pos);
-      }
-    }
-    else if (!jQuery(node).is("button, select, textarea")) {
-      jQuery.each(node.childNodes, function() {
-        highlight(this);
-      });
-    }
-  }
-  return this.each(function() {
-    highlight(this);
-  });
-};
-
-/**
- * Small JavaScript module for the documentation.
- */
-var Documentation = {
-
-  init : function() {
-    this.fixFirefoxAnchorBug();
-    this.highlightSearchWords();
-    this.initIndexTable();
-  },
-
-  /**
-   * i18n support
-   */
-  TRANSLATIONS : {},
-  PLURAL_EXPR : function(n) { return n == 1 ? 0 : 1; },
-  LOCALE : 'unknown',
-
-  // gettext and ngettext don't access this so that the functions
-  // can safely bound to a different name (_ = Documentation.gettext)
-  gettext : function(string) {
-    var translated = Documentation.TRANSLATIONS[string];
-    if (typeof translated == 'undefined')
-      return string;
-    return (typeof translated == 'string') ? translated : translated[0];
-  },
-
-  ngettext : function(singular, plural, n) {
-    var translated = Documentation.TRANSLATIONS[singular];
-    if (typeof translated == 'undefined')
-      return (n == 1) ? singular : plural;
-    return translated[Documentation.PLURALEXPR(n)];
-  },
-
-  addTranslations : function(catalog) {
-    for (var key in catalog.messages)
-      this.TRANSLATIONS[key] = catalog.messages[key];
-    this.PLURAL_EXPR = new Function('n', 'return +(' + catalog.plural_expr + ')');
-    this.LOCALE = catalog.locale;
-  },
-
-  /**
-   * add context elements like header anchor links
-   */
-  addContextElements : function() {
-    $('div[id] > :header:first').each(function() {
-      $('\u00B6').
-      attr('href', '#' + this.id).
-      attr('title', _('Permalink to this headline')).
-      appendTo(this);
-    });
-    $('dt[id]').each(function() {
-      $('\u00B6').
-      attr('href', '#' + this.id).
-      attr('title', _('Permalink to this definition')).
-      appendTo(this);
-    });
-  },
-
-  /**
-   * workaround a firefox stupidity
-   */
-  fixFirefoxAnchorBug : function() {
-    if (document.location.hash && $.browser.mozilla)
-      window.setTimeout(function() {
-        document.location.href += '';
-      }, 10);
-  },
-
-  /**
-   * highlight the search words provided in the url in the text
-   */
-  highlightSearchWords : function() {
-    var params = $.getQueryParameters();
-    var terms = (params.highlight) ? params.highlight[0].split(/\s+/) : [];
-    if (terms.length) {
-      var body = $('div.body');
-      window.setTimeout(function() {
-        $.each(terms, function() {
-          body.highlightText(this.toLowerCase(), 'highlighted');
-        });
-      }, 10);
-      $('
    ' + _('Hide Search Matches') + '
    ')
-          .appendTo($('#searchbox'));
-    }
-  },
-
-  /**
-   * init the domain index toggle buttons
-   */
-  initIndexTable : function() {
-    var togglers = $('img.toggler').click(function() {
-      var src = $(this).attr('src');
-      var idnum = $(this).attr('id').substr(7);
-      $('tr.cg-' + idnum).toggle();
-      if (src.substr(-9) == 'minus.png')
-        $(this).attr('src', src.substr(0, src.length-9) + 'plus.png');
-      else
-        $(this).attr('src', src.substr(0, src.length-8) + 'minus.png');
-    }).css('display', '');
-    if (DOCUMENTATION_OPTIONS.COLLAPSE_INDEX) {
-        togglers.click();
-    }
-  },
-
-  /**
-   * helper function to hide the search marks again
-   */
-  hideSearchWords : function() {
-    $('#searchbox .highlight-link').fadeOut(300);
-    $('span.highlighted').removeMethod('highlighted');
-  },
-
-  /**
-   * make the url absolute
-   */
-  makeURL : function(relativeURL) {
-    return DOCUMENTATION_OPTIONS.URL_ROOT + '/' + relativeURL;
-  },
-
-  /**
-   * get the current relative url
-   */
-  getCurrentURL : function() {
-    var path = document.location.pathname;
-    var parts = path.split(/\//);
-    $.each(DOCUMENTATION_OPTIONS.URL_ROOT.split(/\//), function() {
-      if (this == '..')
-        parts.pop();
-    });
-    var url = parts.join('/');
-    return path.substring(url.lastIndexOf('/') + 1, path.length - 1);
-  }
-};
-
-// quick alias for translations
-_ = Documentation.gettext;
-
-$(document).ready(function() {
-  Documentation.init();
-});
diff --git a/docs/saml2/_static/down-pressed.png b/docs/saml2/_static/down-pressed.png
deleted file mode 100644
index 6f7ad782782e4f8e39b0c6e15c7344700cdd2527..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 368
zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|*pj^6U4S$Y
z{B+)352QE?JR*yM+OLB!qm#z$3ZNi+iKnkC`z>}Z23@f-Ava~9&<9T!#}JFtXD=!G
zGdl{fK6ro2OGiOl+hKvH6i=D3%%Y^j`yIkRn!8O>@bG)IQR0{Kf+mxNd=_WScA8u_
z3;8(7x2){m9`nt+U(Nab&1G)!{`SPVpDX$w8McLTzAJ39wprG3p4XLq$06M`%}2Yk
zRPPsbES*dnYm1wkGL;iioAUB*Or2kz6(-M_r_#Me-`{mj$Z%(

diff --git a/docs/saml2/_static/down.png b/docs/saml2/_static/down.png
deleted file mode 100644
index 3003a88770de3977d47a2ba69893436a2860f9e7..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 363
zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|*pj^6U4S$Y
z{B+)352QE?JR*yM+OLB!qm#z$3ZNi+iKnkC`z>}xaV3tUZ$qnrLa#kt978NlpS`ru
z&)HFc^}^>{UOEce+71h5nn>6&w6A!ieNbu1wh)UGh{8~et^#oZ1#
z>T7oM=FZ~xXWnTo{qnXm$ZLOlqGswI_m2{XwVK)IJmBjW{J3-B3x@C=M{ShWt#fYS9M?R;8K$~YwlIqwf>VA7q=YKcwf2DS4Zj5inDKXXB1zl=(YO3ST6~rDq)&z
z*o>z)=hxrfG-cDBW0G$!?6{M<$@{_4{m1o%Ub!naEtn|@^frU1tDnm{r-UW|!^@B8

diff --git a/docs/saml2/_static/file.png b/docs/saml2/_static/file.png
deleted file mode 100644
index d18082e397e7e54f20721af768c4c2983258f1b4..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 392
zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`Y)RhkE)4%caKYZ?lYt_f1s;*b
z3=G`DAk4@xYmNj^kiEpy*OmP$HyOL$D9)yc9|lc|nKf<9@eUiWd>3GuTC!a5vdfWYEazjncPj5ZQX%+1
zt8B*4=d)!cdDz4wr^#OMYfqGz$1LDFF>|#>*O?AGil(WEs?wLLy{Gj2J_@opDm%`dlax3yA*@*N$G&*ukFv>P8+2CBWO(qz
zD0k1@kN>hhb1_6`&wrCswzINE(evt-5C1B^STi2@PmdKI;Vst0PQB6!2kdN

diff --git a/docs/saml2/_static/jquery.js b/docs/saml2/_static/jquery.js
deleted file mode 100644
index dc2f3dac..00000000
--- a/docs/saml2/_static/jquery.js
+++ /dev/null
@@ -1,9404 +0,0 @@
-/*!
- * jQuery JavaScript Library v1.7.2
- * http://jquery.com/
- *
- * Copyright 2011, John Resig
- * Dual licensed under the MIT or GPL Version 2 licenses.
- * http://jquery.org/license
- *
- * Includes Sizzle.js
- * http://sizzlejs.com/
- * Copyright 2011, The Dojo Foundation
- * Released under the MIT, BSD, and GPL Licenses.
- *
- * Date: Fri Jul  5 14:07:58 UTC 2013
- */
-(function( window, undefined ) {
-
-// Use the correct document accordingly with window argument (sandbox)
-var document = window.document,
-	navigator = window.navigator,
-	location = window.location;
-var jQuery = (function() {
-
-// Define a local copy of jQuery
-var jQuery = function( selector, context ) {
-		// The jQuery object is actually just the init constructor 'enhanced'
-		return new jQuery.fn.init( selector, context, rootjQuery );
-	},
-
-	// Map over jQuery in case of overwrite
-	_jQuery = window.jQuery,
-
-	// Map over the $ in case of overwrite
-	_$ = window.$,
-
-	// A central reference to the root jQuery(document)
-	rootjQuery,
-
-	// A simple way to check for HTML strings or ID strings
-	// Prioritize #id over  to avoid XSS via location.hash (#9521)
-	quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
-
-	// Check if a string has a non-whitespace character in it
-	rnotwhite = /\S/,
-
-	// Used for trimming whitespace
-	trimLeft = /^\s+/,
-	trimRight = /\s+$/,
-
-	// Match a standalone tag
-	rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/,
-
-	// JSON RegExp
-	rvalidchars = /^[\],:{}\s]*$/,
-	rvalidescape = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,
-	rvalidtokens = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,
-	rvalidbraces = /(?:^|:|,)(?:\s*\[)+/g,
-
-	// Useragent RegExp
-	rwebkit = /(webkit)[ \/]([\w.]+)/,
-	ropera = /(opera)(?:.*version)?[ \/]([\w.]+)/,
-	rmsie = /(msie) ([\w.]+)/,
-	rmozilla = /(mozilla)(?:.*? rv:([\w.]+))?/,
-
-	// Matches dashed string for camelizing
-	rdashAlpha = /-([a-z]|[0-9])/ig,
-	rmsPrefix = /^-ms-/,
-
-	// Used by jQuery.camelCase as callback to replace()
-	fcamelCase = function( all, letter ) {
-		return ( letter + "" ).toUpperCase();
-	},
-
-	// Keep a UserAgent string for use with jQuery.browser
-	userAgent = navigator.userAgent,
-
-	// For matching the engine and version of the browser
-	browserMatch,
-
-	// The deferred used on DOM ready
-	readyList,
-
-	// The ready event handler
-	DOMContentLoaded,
-
-	// Save a reference to some core methods
-	toString = Object.prototype.toString,
-	hasOwn = Object.prototype.hasOwnProperty,
-	push = Array.prototype.push,
-	slice = Array.prototype.slice,
-	trim = String.prototype.trim,
-	indexOf = Array.prototype.indexOf,
-
-	// [[Method]] -> type pairs
-	class2type = {};
-
-jQuery.fn = jQuery.prototype = {
-	constructor: jQuery,
-	init: function( selector, context, rootjQuery ) {
-		var match, elem, ret, doc;
-
-		// Handle $(""), $(null), or $(undefined)
-		if ( !selector ) {
-			return this;
-		}
-
-		// Handle $(DOMElement)
-		if ( selector.nodeType ) {
-			this.context = this[0] = selector;
-			this.length = 1;
-			return this;
-		}
-
-		// The body element only exists once, optimize finding it
-		if ( selector === "body" && !context && document.body ) {
-			this.context = document;
-			this[0] = document.body;
-			this.selector = selector;
-			this.length = 1;
-			return this;
-		}
-
-		// Handle HTML strings
-		if ( typeof selector === "string" ) {
-			// Are we dealing with HTML string or an ID?
-			if ( selector.charAt(0) === "<" && selector.charAt( selector.length - 1 ) === ">" && selector.length >= 3 ) {
-				// Assume that strings that start and end with <> are HTML and skip the regex check
-				match = [ null, selector, null ];
-
-			} else {
-				match = quickExpr.exec( selector );
-			}
-
-			// Verify a match, and that no context was specified for #id
-			if ( match && (match[1] || !context) ) {
-
-				// HANDLE: $(html) -> $(array)
-				if ( match[1] ) {
-					context = context instanceof jQuery ? context[0] : context;
-					doc = ( context ? context.ownerDocument || context : document );
-
-					// If a single string is passed in and it's a single tag
-					// just do a createElement and skip the rest
-					ret = rsingleTag.exec( selector );
-
-					if ( ret ) {
-						if ( jQuery.isPlainObject( context ) ) {
-							selector = [ document.createElement( ret[1] ) ];
-							jQuery.fn.attr.call( selector, context, true );
-
-						} else {
-							selector = [ doc.createElement( ret[1] ) ];
-						}
-
-					} else {
-						ret = jQuery.buildFragment( [ match[1] ], [ doc ] );
-						selector = ( ret.cacheable ? jQuery.clone(ret.fragment) : ret.fragment ).childNodes;
-					}
-
-					return jQuery.merge( this, selector );
-
-				// HANDLE: $("#id")
-				} else {
-					elem = document.getElementById( match[2] );
-
-					// Check parentNode to catch when Blackberry 4.6 returns
-					// nodes that are no longer in the document #6963
-					if ( elem && elem.parentNode ) {
-						// Handle the case where IE and Opera return items
-						// by name instead of ID
-						if ( elem.id !== match[2] ) {
-							return rootjQuery.find( selector );
-						}
-
-						// Otherwise, we inject the element directly into the jQuery object
-						this.length = 1;
-						this[0] = elem;
-					}
-
-					this.context = document;
-					this.selector = selector;
-					return this;
-				}
-
-			// HANDLE: $(expr, $(...))
-			} else if ( !context || context.jquery ) {
-				return ( context || rootjQuery ).find( selector );
-
-			// HANDLE: $(expr, context)
-			// (which is just equivalent to: $(context).find(expr)
-			} else {
-				return this.constructor( context ).find( selector );
-			}
-
-		// HANDLE: $(function)
-		// Shortcut for document ready
-		} else if ( jQuery.isFunction( selector ) ) {
-			return rootjQuery.ready( selector );
-		}
-
-		if ( selector.selector !== undefined ) {
-			this.selector = selector.selector;
-			this.context = selector.context;
-		}
-
-		return jQuery.makeArray( selector, this );
-	},
-
-	// Start with an empty selector
-	selector: "",
-
-	// The current version of jQuery being used
-	jquery: "1.7.2",
-
-	// The default length of a jQuery object is 0
-	length: 0,
-
-	// The number of elements contained in the matched element set
-	size: function() {
-		return this.length;
-	},
-
-	toArray: function() {
-		return slice.call( this, 0 );
-	},
-
-	// Get the Nth element in the matched element set OR
-	// Get the whole matched element set as a clean array
-	get: function( num ) {
-		return num == null ?
-
-			// Return a 'clean' array
-			this.toArray() :
-
-			// Return just the object
-			( num < 0 ? this[ this.length + num ] : this[ num ] );
-	},
-
-	// Take an array of elements and push it onto the stack
-	// (returning the new matched element set)
-	pushStack: function( elems, name, selector ) {
-		// Build a new jQuery matched element set
-		var ret = this.constructor();
-
-		if ( jQuery.isArray( elems ) ) {
-			push.apply( ret, elems );
-
-		} else {
-			jQuery.merge( ret, elems );
-		}
-
-		// Add the old object onto the stack (as a reference)
-		ret.prevObject = this;
-
-		ret.context = this.context;
-
-		if ( name === "find" ) {
-			ret.selector = this.selector + ( this.selector ? " " : "" ) + selector;
-		} else if ( name ) {
-			ret.selector = this.selector + "." + name + "(" + selector + ")";
-		}
-
-		// Return the newly-formed element set
-		return ret;
-	},
-
-	// Execute a callback for every element in the matched set.
-	// (You can seed the arguments with an array of args, but this is
-	// only used internally.)
-	each: function( callback, args ) {
-		return jQuery.each( this, callback, args );
-	},
-
-	ready: function( fn ) {
-		// Attach the listeners
-		jQuery.bindReady();
-
-		// Add the callback
-		readyList.add( fn );
-
-		return this;
-	},
-
-	eq: function( i ) {
-		i = +i;
-		return i === -1 ?
-			this.slice( i ) :
-			this.slice( i, i + 1 );
-	},
-
-	first: function() {
-		return this.eq( 0 );
-	},
-
-	last: function() {
-		return this.eq( -1 );
-	},
-
-	slice: function() {
-		return this.pushStack( slice.apply( this, arguments ),
-			"slice", slice.call(arguments).join(",") );
-	},
-
-	map: function( callback ) {
-		return this.pushStack( jQuery.map(this, function( elem, i ) {
-			return callback.call( elem, i, elem );
-		}));
-	},
-
-	end: function() {
-		return this.prevObject || this.constructor(null);
-	},
-
-	// For internal use only.
-	// Behaves like an Array's method, not like a jQuery method.
-	push: push,
-	sort: [].sort,
-	splice: [].splice
-};
-
-// Give the init function the jQuery prototype for later instantiation
-jQuery.fn.init.prototype = jQuery.fn;
-
-jQuery.extend = jQuery.fn.extend = function() {
-	var options, name, src, copy, copyIsArray, clone,
-		target = arguments[0] || {},
-		i = 1,
-		length = arguments.length,
-		deep = false;
-
-	// Handle a deep copy situation
-	if ( typeof target === "boolean" ) {
-		deep = target;
-		target = arguments[1] || {};
-		// skip the boolean and the target
-		i = 2;
-	}
-
-	// Handle case when target is a string or something (possible in deep copy)
-	if ( typeof target !== "object" && !jQuery.isFunction(target) ) {
-		target = {};
-	}
-
-	// extend jQuery itself if only one argument is passed
-	if ( length === i ) {
-		target = this;
-		--i;
-	}
-
-	for ( ; i < length; i++ ) {
-		// Only deal with non-null/undefined values
-		if ( (options = arguments[ i ]) != null ) {
-			// Extend the base object
-			for ( name in options ) {
-				src = target[ name ];
-				copy = options[ name ];
-
-				// Prevent never-ending loop
-				if ( target === copy ) {
-					continue;
-				}
-
-				// Recurse if we're merging plain objects or arrays
-				if ( deep && copy && ( jQuery.isPlainObject(copy) || (copyIsArray = jQuery.isArray(copy)) ) ) {
-					if ( copyIsArray ) {
-						copyIsArray = false;
-						clone = src && jQuery.isArray(src) ? src : [];
-
-					} else {
-						clone = src && jQuery.isPlainObject(src) ? src : {};
-					}
-
-					// Never move original objects, clone them
-					target[ name ] = jQuery.extend( deep, clone, copy );
-
-				// Don't bring in undefined values
-				} else if ( copy !== undefined ) {
-					target[ name ] = copy;
-				}
-			}
-		}
-	}
-
-	// Return the modified object
-	return target;
-};
-
-jQuery.extend({
-	noConflict: function( deep ) {
-		if ( window.$ === jQuery ) {
-			window.$ = _$;
-		}
-
-		if ( deep && window.jQuery === jQuery ) {
-			window.jQuery = _jQuery;
-		}
-
-		return jQuery;
-	},
-
-	// Is the DOM ready to be used? Set to true once it occurs.
-	isReady: false,
-
-	// A counter to track how many items to wait for before
-	// the ready event fires. See #6781
-	readyWait: 1,
-
-	// Hold (or release) the ready event
-	holdReady: function( hold ) {
-		if ( hold ) {
-			jQuery.readyWait++;
-		} else {
-			jQuery.ready( true );
-		}
-	},
-
-	// Handle when the DOM is ready
-	ready: function( wait ) {
-		// Either a released hold or an DOMready/load event and not yet ready
-		if ( (wait === true && !--jQuery.readyWait) || (wait !== true && !jQuery.isReady) ) {
-			// Make sure body exists, at least, in case IE gets a little overzealous (ticket #5443).
-			if ( !document.body ) {
-				return setTimeout( jQuery.ready, 1 );
-			}
-
-			// Remember that the DOM is ready
-			jQuery.isReady = true;
-
-			// If a normal DOM Ready event fired, decrement, and wait if need be
-			if ( wait !== true && --jQuery.readyWait > 0 ) {
-				return;
-			}
-
-			// If there are functions bound, to execute
-			readyList.fireWith( document, [ jQuery ] );
-
-			// Trigger any bound ready events
-			if ( jQuery.fn.trigger ) {
-				jQuery( document ).trigger( "ready" ).off( "ready" );
-			}
-		}
-	},
-
-	bindReady: function() {
-		if ( readyList ) {
-			return;
-		}
-
-		readyList = jQuery.Callbacks( "once memory" );
-
-		// Catch cases where $(document).ready() is called after the
-		// browser event has already occurred.
-		if ( document.readyState === "complete" ) {
-			// Handle it asynchronously to allow scripts the opportunity to delay ready
-			return setTimeout( jQuery.ready, 1 );
-		}
-
-		// Mozilla, Opera and webkit nightlies currently support this event
-		if ( document.addEventListener ) {
-			// Use the handy event callback
-			document.addEventListener( "DOMContentLoaded", DOMContentLoaded, false );
-
-			// A fallback to window.onload, that will always work
-			window.addEventListener( "load", jQuery.ready, false );
-
-		// If IE event model is used
-		} else if ( document.attachEvent ) {
-			// ensure firing before onload,
-			// maybe late but safe also for iframes
-			document.attachEvent( "onreadystatechange", DOMContentLoaded );
-
-			// A fallback to window.onload, that will always work
-			window.attachEvent( "onload", jQuery.ready );
-
-			// If IE and not a frame
-			// continually check to see if the document is ready
-			var toplevel = false;
-
-			try {
-				toplevel = window.frameElement == null;
-			} catch(e) {}
-
-			if ( document.documentElement.doScroll && toplevel ) {
-				doScrollCheck();
-			}
-		}
-	},
-
-	// See test/unit/core.js for details concerning isFunction.
-	// Since version 1.3, DOM methods and functions like alert
-	// aren't supported. They return false on IE (#2968).
-	isFunction: function( obj ) {
-		return jQuery.type(obj) === "function";
-	},
-
-	isArray: Array.isArray || function( obj ) {
-		return jQuery.type(obj) === "array";
-	},
-
-	isWindow: function( obj ) {
-		return obj != null && obj == obj.window;
-	},
-
-	isNumeric: function( obj ) {
-		return !isNaN( parseFloat(obj) ) && isFinite( obj );
-	},
-
-	type: function( obj ) {
-		return obj == null ?
-			String( obj ) :
-			class2type[ toString.call(obj) ] || "object";
-	},
-
-	isPlainObject: function( obj ) {
-		// Must be an Object.
-		// Because of IE, we also have to check the presence of the constructor property.
-		// Make sure that DOM nodes and window objects don't pass through, as well
-		if ( !obj || jQuery.type(obj) !== "object" || obj.nodeType || jQuery.isWindow( obj ) ) {
-			return false;
-		}
-
-		try {
-			// Not own constructor property must be Object
-			if ( obj.constructor &&
-				!hasOwn.call(obj, "constructor") &&
-				!hasOwn.call(obj.constructor.prototype, "isPrototypeOf") ) {
-				return false;
-			}
-		} catch ( e ) {
-			// IE8,9 Will throw exceptions on certain host objects #9897
-			return false;
-		}
-
-		// Own properties are enumerated firstly, so to speed up,
-		// if last one is own, then all properties are own.
-
-		var key;
-		for ( key in obj ) {}
-
-		return key === undefined || hasOwn.call( obj, key );
-	},
-
-	isEmptyObject: function( obj ) {
-		for ( var name in obj ) {
-			return false;
-		}
-		return true;
-	},
-
-	error: function( msg ) {
-		throw new Error( msg );
-	},
-
-	parseJSON: function( data ) {
-		if ( typeof data !== "string" || !data ) {
-			return null;
-		}
-
-		// Make sure leading/trailing whitespace is removed (IE can't handle it)
-		data = jQuery.trim( data );
-
-		// Attempt to parse using the native JSON parser first
-		if ( window.JSON && window.JSON.parse ) {
-			return window.JSON.parse( data );
-		}
-
-		// Make sure the incoming data is actual JSON
-		// Logic borrowed from http://json.org/json2.js
-		if ( rvalidchars.test( data.replace( rvalidescape, "@" )
-			.replace( rvalidtokens, "]" )
-			.replace( rvalidbraces, "")) ) {
-
-			return ( new Function( "return " + data ) )();
-
-		}
-		jQuery.error( "Invalid JSON: " + data );
-	},
-
-	// Cross-browser xml parsing
-	parseXML: function( data ) {
-		if ( typeof data !== "string" || !data ) {
-			return null;
-		}
-		var xml, tmp;
-		try {
-			if ( window.DOMParser ) { // Standard
-				tmp = new DOMParser();
-				xml = tmp.parseFromString( data , "text/xml" );
-			} else { // IE
-				xml = new ActiveXObject( "Microsoft.XMLDOM" );
-				xml.async = "false";
-				xml.loadXML( data );
-			}
-		} catch( e ) {
-			xml = undefined;
-		}
-		if ( !xml || !xml.documentElement || xml.getElementsByTagName( "parsererror" ).length ) {
-			jQuery.error( "Invalid XML: " + data );
-		}
-		return xml;
-	},
-
-	noop: function() {},
-
-	// Evaluates a script in a global context
-	// Workarounds based on findings by Jim Driscoll
-	// http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
-	globalEval: function( data ) {
-		if ( data && rnotwhite.test( data ) ) {
-			// We use execScript on Internet Explorer
-			// We use an anonymous function so that context is window
-			// rather than jQuery in Firefox
-			( window.execScript || function( data ) {
-				window[ "eval" ].call( window, data );
-			} )( data );
-		}
-	},
-
-	// Convert dashed to camelCase; used by the css and data modules
-	// Microsoft forgot to hump their vendor prefix (#9572)
-	camelCase: function( string ) {
-		return string.replace( rmsPrefix, "ms-" ).replace( rdashAlpha, fcamelCase );
-	},
-
-	nodeName: function( elem, name ) {
-		return elem.nodeName && elem.nodeName.toUpperCase() === name.toUpperCase();
-	},
-
-	// args is for internal usage only
-	each: function( object, callback, args ) {
-		var name, i = 0,
-			length = object.length,
-			isObj = length === undefined || jQuery.isFunction( object );
-
-		if ( args ) {
-			if ( isObj ) {
-				for ( name in object ) {
-					if ( callback.apply( object[ name ], args ) === false ) {
-						break;
-					}
-				}
-			} else {
-				for ( ; i < length; ) {
-					if ( callback.apply( object[ i++ ], args ) === false ) {
-						break;
-					}
-				}
-			}
-
-		// A special, fast, case for the most common use of each
-		} else {
-			if ( isObj ) {
-				for ( name in object ) {
-					if ( callback.call( object[ name ], name, object[ name ] ) === false ) {
-						break;
-					}
-				}
-			} else {
-				for ( ; i < length; ) {
-					if ( callback.call( object[ i ], i, object[ i++ ] ) === false ) {
-						break;
-					}
-				}
-			}
-		}
-
-		return object;
-	},
-
-	// Use native String.trim function wherever possible
-	trim: trim ?
-		function( text ) {
-			return text == null ?
-				"" :
-				trim.call( text );
-		} :
-
-		// Otherwise use our own trimming functionality
-		function( text ) {
-			return text == null ?
-				"" :
-				text.toString().replace( trimLeft, "" ).replace( trimRight, "" );
-		},
-
-	// results is for internal usage only
-	makeArray: function( array, results ) {
-		var ret = results || [];
-
-		if ( array != null ) {
-			// The window, strings (and functions) also have 'length'
-			// Tweaked logic slightly to handle Blackberry 4.7 RegExp issues #6930
-			var type = jQuery.type( array );
-
-			if ( array.length == null || type === "string" || type === "function" || type === "regexp" || jQuery.isWindow( array ) ) {
-				push.call( ret, array );
-			} else {
-				jQuery.merge( ret, array );
-			}
-		}
-
-		return ret;
-	},
-
-	inArray: function( elem, array, i ) {
-		var len;
-
-		if ( array ) {
-			if ( indexOf ) {
-				return indexOf.call( array, elem, i );
-			}
-
-			len = array.length;
-			i = i ? i < 0 ? Math.max( 0, len + i ) : i : 0;
-
-			for ( ; i < len; i++ ) {
-				// Skip accessing in sparse arrays
-				if ( i in array && array[ i ] === elem ) {
-					return i;
-				}
-			}
-		}
-
-		return -1;
-	},
-
-	merge: function( first, second ) {
-		var i = first.length,
-			j = 0;
-
-		if ( typeof second.length === "number" ) {
-			for ( var l = second.length; j < l; j++ ) {
-				first[ i++ ] = second[ j ];
-			}
-
-		} else {
-			while ( second[j] !== undefined ) {
-				first[ i++ ] = second[ j++ ];
-			}
-		}
-
-		first.length = i;
-
-		return first;
-	},
-
-	grep: function( elems, callback, inv ) {
-		var ret = [], retVal;
-		inv = !!inv;
-
-		// Go through the array, only saving the items
-		// that pass the validator function
-		for ( var i = 0, length = elems.length; i < length; i++ ) {
-			retVal = !!callback( elems[ i ], i );
-			if ( inv !== retVal ) {
-				ret.push( elems[ i ] );
-			}
-		}
-
-		return ret;
-	},
-
-	// arg is for internal usage only
-	map: function( elems, callback, arg ) {
-		var value, key, ret = [],
-			i = 0,
-			length = elems.length,
-			// jquery objects are treated as arrays
-			isArray = elems instanceof jQuery || length !== undefined && typeof length === "number" && ( ( length > 0 && elems[ 0 ] && elems[ length -1 ] ) || length === 0 || jQuery.isArray( elems ) ) ;
-
-		// Go through the array, translating each of the items to their
-		if ( isArray ) {
-			for ( ; i < length; i++ ) {
-				value = callback( elems[ i ], i, arg );
-
-				if ( value != null ) {
-					ret[ ret.length ] = value;
-				}
-			}
-
-		// Go through every key on the object,
-		} else {
-			for ( key in elems ) {
-				value = callback( elems[ key ], key, arg );
-
-				if ( value != null ) {
-					ret[ ret.length ] = value;
-				}
-			}
-		}
-
-		// Flatten any nested arrays
-		return ret.concat.apply( [], ret );
-	},
-
-	// A global GUID counter for objects
-	guid: 1,
-
-	// Bind a function to a context, optionally partially applying any
-	// arguments.
-	proxy: function( fn, context ) {
-		if ( typeof context === "string" ) {
-			var tmp = fn[ context ];
-			context = fn;
-			fn = tmp;
-		}
-
-		// Quick check to determine if target is callable, in the spec
-		// this throws a TypeError, but we will just return undefined.
-		if ( !jQuery.isFunction( fn ) ) {
-			return undefined;
-		}
-
-		// Simulated bind
-		var args = slice.call( arguments, 2 ),
-			proxy = function() {
-				return fn.apply( context, args.concat( slice.call( arguments ) ) );
-			};
-
-		// Set the guid of unique handler to the same of original handler, so it can be removed
-		proxy.guid = fn.guid = fn.guid || proxy.guid || jQuery.guid++;
-
-		return proxy;
-	},
-
-	// Mutifunctional method to get and set values to a collection
-	// The value/s can optionally be executed if it's a function
-	access: function( elems, fn, key, value, chainable, emptyGet, pass ) {
-		var exec,
-			bulk = key == null,
-			i = 0,
-			length = elems.length;
-
-		// Sets many values
-		if ( key && typeof key === "object" ) {
-			for ( i in key ) {
-				jQuery.access( elems, fn, i, key[i], 1, emptyGet, value );
-			}
-			chainable = 1;
-
-		// Sets one value
-		} else if ( value !== undefined ) {
-			// Optionally, function values get executed if exec is true
-			exec = pass === undefined && jQuery.isFunction( value );
-
-			if ( bulk ) {
-				// Bulk operations only iterate when executing function values
-				if ( exec ) {
-					exec = fn;
-					fn = function( elem, key, value ) {
-						return exec.call( jQuery( elem ), value );
-					};
-
-				// Otherwise they run against the entire set
-				} else {
-					fn.call( elems, value );
-					fn = null;
-				}
-			}
-
-			if ( fn ) {
-				for (; i < length; i++ ) {
-					fn( elems[i], key, exec ? value.call( elems[i], i, fn( elems[i], key ) ) : value, pass );
-				}
-			}
-
-			chainable = 1;
-		}
-
-		return chainable ?
-			elems :
-
-			// Gets
-			bulk ?
-				fn.call( elems ) :
-				length ? fn( elems[0], key ) : emptyGet;
-	},
-
-	now: function() {
-		return ( new Date() ).getTime();
-	},
-
-	// Use of jQuery.browser is frowned upon.
-	// More details: http://docs.jquery.com/Utilities/jQuery.browser
-	uaMatch: function( ua ) {
-		ua = ua.toLowerCase();
-
-		var match = rwebkit.exec( ua ) ||
-			ropera.exec( ua ) ||
-			rmsie.exec( ua ) ||
-			ua.indexOf("compatible") < 0 && rmozilla.exec( ua ) ||
-			[];
-
-		return { browser: match[1] || "", version: match[2] || "0" };
-	},
-
-	sub: function() {
-		function jQuerySub( selector, context ) {
-			return new jQuerySub.fn.init( selector, context );
-		}
-		jQuery.extend( true, jQuerySub, this );
-		jQuerySub.superclass = this;
-		jQuerySub.fn = jQuerySub.prototype = this();
-		jQuerySub.fn.constructor = jQuerySub;
-		jQuerySub.sub = this.sub;
-		jQuerySub.fn.init = function init( selector, context ) {
-			if ( context && context instanceof jQuery && !(context instanceof jQuerySub) ) {
-				context = jQuerySub( context );
-			}
-
-			return jQuery.fn.init.call( this, selector, context, rootjQuerySub );
-		};
-		jQuerySub.fn.init.prototype = jQuerySub.fn;
-		var rootjQuerySub = jQuerySub(document);
-		return jQuerySub;
-	},
-
-	browser: {}
-});
-
-// Populate the class2type map
-jQuery.each("Boolean Number String Function Array Date RegExp Object".split(" "), function(i, name) {
-	class2type[ "[object " + name + "]" ] = name.toLowerCase();
-});
-
-browserMatch = jQuery.uaMatch( userAgent );
-if ( browserMatch.browser ) {
-	jQuery.browser[ browserMatch.browser ] = true;
-	jQuery.browser.version = browserMatch.version;
-}
-
-// Deprecated, use jQuery.browser.webkit instead
-if ( jQuery.browser.webkit ) {
-	jQuery.browser.safari = true;
-}
-
-// IE doesn't match non-breaking spaces with \s
-if ( rnotwhite.test( "\xA0" ) ) {
-	trimLeft = /^[\s\xA0]+/;
-	trimRight = /[\s\xA0]+$/;
-}
-
-// All jQuery objects should point back to these
-rootjQuery = jQuery(document);
-
-// Cleanup functions for the document ready method
-if ( document.addEventListener ) {
-	DOMContentLoaded = function() {
-		document.removeEventListener( "DOMContentLoaded", DOMContentLoaded, false );
-		jQuery.ready();
-	};
-
-} else if ( document.attachEvent ) {
-	DOMContentLoaded = function() {
-		// Make sure body exists, at least, in case IE gets a little overzealous (ticket #5443).
-		if ( document.readyState === "complete" ) {
-			document.detachEvent( "onreadystatechange", DOMContentLoaded );
-			jQuery.ready();
-		}
-	};
-}
-
-// The DOM ready check for Internet Explorer
-function doScrollCheck() {
-	if ( jQuery.isReady ) {
-		return;
-	}
-
-	try {
-		// If IE is used, use the trick by Diego Perini
-		// http://javascript.nwbox.com/IEContentLoaded/
-		document.documentElement.doScroll("left");
-	} catch(e) {
-		setTimeout( doScrollCheck, 1 );
-		return;
-	}
-
-	// and execute any waiting functions
-	jQuery.ready();
-}
-
-return jQuery;
-
-})();
-
-
-// String to Object flags format cache
-var flagsCache = {};
-
-// Convert String-formatted flags into Object-formatted ones and store in cache
-function createFlags( flags ) {
-	var object = flagsCache[ flags ] = {},
-		i, length;
-	flags = flags.split( /\s+/ );
-	for ( i = 0, length = flags.length; i < length; i++ ) {
-		object[ flags[i] ] = true;
-	}
-	return object;
-}
-
-/*
- * Create a callback list using the following parameters:
- *
- *	flags:	an optional list of space-separated flags that will change how
- *			the callback list behaves
- *
- * By default a callback list will act like an event callback list and can be
- * "fired" multiple times.
- *
- * Possible flags:
- *
- *	once:			will ensure the callback list can only be fired once (like a Deferred)
- *
- *	memory:			will keep track of previous values and will call any callback added
- *					after the list has been fired right away with the latest "memorized"
- *					values (like a Deferred)
- *
- *	unique:			will ensure a callback can only be added once (no duplicate in the list)
- *
- *	stopOnFalse:	interrupt callings when a callback returns false
- *
- */
-jQuery.Callbacks = function( flags ) {
-
-	// Convert flags from String-formatted to Object-formatted
-	// (we check in cache first)
-	flags = flags ? ( flagsCache[ flags ] || createFlags( flags ) ) : {};
-
-	var // Actual callback list
-		list = [],
-		// Stack of fire calls for repeatable lists
-		stack = [],
-		// Last fire value (for non-forgettable lists)
-		memory,
-		// Flag to know if list was already fired
-		fired,
-		// Flag to know if list is currently firing
-		firing,
-		// First callback to fire (used internally by add and fireWith)
-		firingStart,
-		// End of the loop when firing
-		firingLength,
-		// Index of currently firing callback (modified by remove if needed)
-		firingIndex,
-		// Add one or several callbacks to the list
-		add = function( args ) {
-			var i,
-				length,
-				elem,
-				type,
-				actual;
-			for ( i = 0, length = args.length; i < length; i++ ) {
-				elem = args[ i ];
-				type = jQuery.type( elem );
-				if ( type === "array" ) {
-					// Inspect recursively
-					add( elem );
-				} else if ( type === "function" ) {
-					// Add if not in unique mode and callback is not in
-					if ( !flags.unique || !self.has( elem ) ) {
-						list.push( elem );
-					}
-				}
-			}
-		},
-		// Fire callbacks
-		fire = function( context, args ) {
-			args = args || [];
-			memory = !flags.memory || [ context, args ];
-			fired = true;
-			firing = true;
-			firingIndex = firingStart || 0;
-			firingStart = 0;
-			firingLength = list.length;
-			for ( ; list && firingIndex < firingLength; firingIndex++ ) {
-				if ( list[ firingIndex ].apply( context, args ) === false && flags.stopOnFalse ) {
-					memory = true; // Mark as halted
-					break;
-				}
-			}
-			firing = false;
-			if ( list ) {
-				if ( !flags.once ) {
-					if ( stack && stack.length ) {
-						memory = stack.shift();
-						self.fireWith( memory[ 0 ], memory[ 1 ] );
-					}
-				} else if ( memory === true ) {
-					self.disable();
-				} else {
-					list = [];
-				}
-			}
-		},
-		// Actual Callbacks object
-		self = {
-			// Add a callback or a collection of callbacks to the list
-			add: function() {
-				if ( list ) {
-					var length = list.length;
-					add( arguments );
-					// Do we need to add the callbacks to the
-					// current firing batch?
-					if ( firing ) {
-						firingLength = list.length;
-					// With memory, if we're not firing then
-					// we should call right away, unless previous
-					// firing was halted (stopOnFalse)
-					} else if ( memory && memory !== true ) {
-						firingStart = length;
-						fire( memory[ 0 ], memory[ 1 ] );
-					}
-				}
-				return this;
-			},
-			// Remove a callback from the list
-			remove: function() {
-				if ( list ) {
-					var args = arguments,
-						argIndex = 0,
-						argLength = args.length;
-					for ( ; argIndex < argLength ; argIndex++ ) {
-						for ( var i = 0; i < list.length; i++ ) {
-							if ( args[ argIndex ] === list[ i ] ) {
-								// Handle firingIndex and firingLength
-								if ( firing ) {
-									if ( i <= firingLength ) {
-										firingLength--;
-										if ( i <= firingIndex ) {
-											firingIndex--;
-										}
-									}
-								}
-								// Remove the element
-								list.splice( i--, 1 );
-								// If we have some unicity property then
-								// we only need to do this once
-								if ( flags.unique ) {
-									break;
-								}
-							}
-						}
-					}
-				}
-				return this;
-			},
-			// Control if a given callback is in the list
-			has: function( fn ) {
-				if ( list ) {
-					var i = 0,
-						length = list.length;
-					for ( ; i < length; i++ ) {
-						if ( fn === list[ i ] ) {
-							return true;
-						}
-					}
-				}
-				return false;
-			},
-			// Remove all callbacks from the list
-			empty: function() {
-				list = [];
-				return this;
-			},
-			// Have the list do nothing anymore
-			disable: function() {
-				list = stack = memory = undefined;
-				return this;
-			},
-			// Is it disabled?
-			disabled: function() {
-				return !list;
-			},
-			// Lock the list in its current state
-			lock: function() {
-				stack = undefined;
-				if ( !memory || memory === true ) {
-					self.disable();
-				}
-				return this;
-			},
-			// Is it locked?
-			locked: function() {
-				return !stack;
-			},
-			// Call all callbacks with the given context and arguments
-			fireWith: function( context, args ) {
-				if ( stack ) {
-					if ( firing ) {
-						if ( !flags.once ) {
-							stack.push( [ context, args ] );
-						}
-					} else if ( !( flags.once && memory ) ) {
-						fire( context, args );
-					}
-				}
-				return this;
-			},
-			// Call all the callbacks with the given arguments
-			fire: function() {
-				self.fireWith( this, arguments );
-				return this;
-			},
-			// To know if the callbacks have already been called at least once
-			fired: function() {
-				return !!fired;
-			}
-		};
-
-	return self;
-};
-
-
-
-
-var // Static reference to slice
-	sliceDeferred = [].slice;
-
-jQuery.extend({
-
-	Deferred: function( func ) {
-		var doneList = jQuery.Callbacks( "once memory" ),
-			failList = jQuery.Callbacks( "once memory" ),
-			progressList = jQuery.Callbacks( "memory" ),
-			state = "pending",
-			lists = {
-				resolve: doneList,
-				reject: failList,
-				notify: progressList
-			},
-			promise = {
-				done: doneList.add,
-				fail: failList.add,
-				progress: progressList.add,
-
-				state: function() {
-					return state;
-				},
-
-				// Deprecated
-				isResolved: doneList.fired,
-				isRejected: failList.fired,
-
-				then: function( doneCallbacks, failCallbacks, progressCallbacks ) {
-					deferred.done( doneCallbacks ).fail( failCallbacks ).progress( progressCallbacks );
-					return this;
-				},
-				always: function() {
-					deferred.done.apply( deferred, arguments ).fail.apply( deferred, arguments );
-					return this;
-				},
-				pipe: function( fnDone, fnFail, fnProgress ) {
-					return jQuery.Deferred(function( newDefer ) {
-						jQuery.each( {
-							done: [ fnDone, "resolve" ],
-							fail: [ fnFail, "reject" ],
-							progress: [ fnProgress, "notify" ]
-						}, function( handler, data ) {
-							var fn = data[ 0 ],
-								action = data[ 1 ],
-								returned;
-							if ( jQuery.isFunction( fn ) ) {
-								deferred[ handler ](function() {
-									returned = fn.apply( this, arguments );
-									if ( returned && jQuery.isFunction( returned.promise ) ) {
-										returned.promise().then( newDefer.resolve, newDefer.reject, newDefer.notify );
-									} else {
-										newDefer[ action + "With" ]( this === deferred ? newDefer : this, [ returned ] );
-									}
-								});
-							} else {
-								deferred[ handler ]( newDefer[ action ] );
-							}
-						});
-					}).promise();
-				},
-				// Get a promise for this deferred
-				// If obj is provided, the promise aspect is added to the object
-				promise: function( obj ) {
-					if ( obj == null ) {
-						obj = promise;
-					} else {
-						for ( var key in promise ) {
-							obj[ key ] = promise[ key ];
-						}
-					}
-					return obj;
-				}
-			},
-			deferred = promise.promise({}),
-			key;
-
-		for ( key in lists ) {
-			deferred[ key ] = lists[ key ].fire;
-			deferred[ key + "With" ] = lists[ key ].fireWith;
-		}
-
-		// Handle state
-		deferred.done( function() {
-			state = "resolved";
-		}, failList.disable, progressList.lock ).fail( function() {
-			state = "rejected";
-		}, doneList.disable, progressList.lock );
-
-		// Call given func if any
-		if ( func ) {
-			func.call( deferred, deferred );
-		}
-
-		// All done!
-		return deferred;
-	},
-
-	// Deferred helper
-	when: function( firstParam ) {
-		var args = sliceDeferred.call( arguments, 0 ),
-			i = 0,
-			length = args.length,
-			pValues = new Array( length ),
-			count = length,
-			pCount = length,
-			deferred = length <= 1 && firstParam && jQuery.isFunction( firstParam.promise ) ?
-				firstParam :
-				jQuery.Deferred(),
-			promise = deferred.promise();
-		function resolveFunc( i ) {
-			return function( value ) {
-				args[ i ] = arguments.length > 1 ? sliceDeferred.call( arguments, 0 ) : value;
-				if ( !( --count ) ) {
-					deferred.resolveWith( deferred, args );
-				}
-			};
-		}
-		function progressFunc( i ) {
-			return function( value ) {
-				pValues[ i ] = arguments.length > 1 ? sliceDeferred.call( arguments, 0 ) : value;
-				deferred.notifyWith( promise, pValues );
-			};
-		}
-		if ( length > 1 ) {
-			for ( ; i < length; i++ ) {
-				if ( args[ i ] && args[ i ].promise && jQuery.isFunction( args[ i ].promise ) ) {
-					args[ i ].promise().then( resolveFunc(i), deferred.reject, progressFunc(i) );
-				} else {
-					--count;
-				}
-			}
-			if ( !count ) {
-				deferred.resolveWith( deferred, args );
-			}
-		} else if ( deferred !== firstParam ) {
-			deferred.resolveWith( deferred, length ? [ firstParam ] : [] );
-		}
-		return promise;
-	}
-});
-
-
-
-
-jQuery.support = (function() {
-
-	var support,
-		all,
-		a,
-		select,
-		opt,
-		input,
-		fragment,
-		tds,
-		events,
-		eventName,
-		i,
-		isSupported,
-		div = document.createElement( "div" ),
-		documentElement = document.documentElement;
-
-	// Preliminary tests
-	div.setAttribute("className", "t");
-	div.innerHTML = "   
    a";
-
-	all = div.getElementsByTagName( "*" );
-	a = div.getElementsByTagName( "a" )[ 0 ];
-
-	// Can't get basic test support
-	if ( !all || !all.length || !a ) {
-		return {};
-	}
-
-	// First batch of supports tests
-	select = document.createElement( "select" );
-	opt = select.appendChild( document.createElement("option") );
-	input = div.getElementsByTagName( "input" )[ 0 ];
-
-	support = {
-		// IE strips leading whitespace when .innerHTML is used
-		leadingWhitespace: ( div.firstChild.nodeType === 3 ),
-
-		// Make sure that tbody elements aren't automatically inserted
-		// IE will insert them into empty tables
-		tbody: !div.getElementsByTagName("tbody").length,
-
-		// Make sure that link elements get serialized correctly by innerHTML
-		// This requires a wrapper element in IE
-		htmlSerialize: !!div.getElementsByTagName("link").length,
-
-		// Get the style information from getAttribute
-		// (IE uses .cssText instead)
-		style: /top/.test( a.getAttribute("style") ),
-
-		// Make sure that URLs aren't manipulated
-		// (IE normalizes it by default)
-		hrefNormalized: ( a.getAttribute("href") === "/a" ),
-
-		// Make sure that element opacity exists
-		// (IE uses filter instead)
-		// Use a regex to work around a WebKit issue. See #5145
-		opacity: /^0.55/.test( a.style.opacity ),
-
-		// Verify style float existence
-		// (IE uses styleFloat instead of cssFloat)
-		cssFloat: !!a.style.cssFloat,
-
-		// Make sure that if no value is specified for a checkbox
-		// that it defaults to "on".
-		// (WebKit defaults to "" instead)
-		checkOn: ( input.value === "on" ),
-
-		// Make sure that a selected-by-default option has a working selected property.
-		// (WebKit defaults to false instead of true, IE too, if it's in an optgroup)
-		optSelected: opt.selected,
-
-		// Test setAttribute on camelCase class. If it works, we need attrFixes when doing get/setAttribute (ie6/7)
-		getSetAttribute: div.className !== "t",
-
-		// Tests for enctype support on a form(#6743)
-		enctype: !!document.createElement("form").enctype,
-
-		// Makes sure cloning an html5 element does not cause problems
-		// Where outerHTML is undefined, this still works
-		html5Clone: document.createElement("nav").cloneNode( true ).outerHTML !== "<:nav>",
-
-		// Will be defined later
-		submitBubbles: true,
-		changeBubbles: true,
-		focusinBubbles: false,
-		deleteExpando: true,
-		noCloneEvent: true,
-		inlineBlockNeedsLayout: false,
-		shrinkWrapBlocks: false,
-		reliableMarginRight: true,
-		pixelMargin: true
-	};
-
-	// jQuery.boxModel DEPRECATED in 1.3, use jQuery.support.boxModel instead
-	jQuery.boxModel = support.boxModel = (document.compatMode === "CSS1Compat");
-
-	// Make sure checked status is properly cloned
-	input.checked = true;
-	support.noCloneChecked = input.cloneNode( true ).checked;
-
-	// Make sure that the options inside disabled selects aren't marked as disabled
-	// (WebKit marks them as disabled)
-	select.disabled = true;
-	support.optDisabled = !opt.disabled;
-
-	// Test to see if it's possible to delete an expando from an element
-	// Fails in Internet Explorer
-	try {
-		delete div.test;
-	} catch( e ) {
-		support.deleteExpando = false;
-	}
-
-	if ( !div.addEventListener && div.attachEvent && div.fireEvent ) {
-		div.attachEvent( "onclick", function() {
-			// Cloning a node shouldn't copy over any
-			// bound event handlers (IE does this)
-			support.noCloneEvent = false;
-		});
-		div.cloneNode( true ).fireEvent( "onclick" );
-	}
-
-	// Check if a radio maintains its value
-	// after being appended to the DOM
-	input = document.createElement("input");
-	input.value = "t";
-	input.setAttribute("type", "radio");
-	support.radioValue = input.value === "t";
-
-	input.setAttribute("checked", "checked");
-
-	// #11217 - WebKit loses check when the name is after the checked attribute
-	input.setAttribute( "name", "t" );
-
-	div.appendChild( input );
-	fragment = document.createDocumentFragment();
-	fragment.appendChild( div.lastChild );
-
-	// WebKit doesn't clone checked state correctly in fragments
-	support.checkClone = fragment.cloneNode( true ).cloneNode( true ).lastChild.checked;
-
-	// Check if a disconnected checkbox will retain its checked
-	// value of true after appended to the DOM (IE6/7)
-	support.appendChecked = input.checked;
-
-	fragment.removeChild( input );
-	fragment.appendChild( div );
-
-	// Technique from Juriy Zaytsev
-	// http://perfectionkills.com/detecting-event-support-without-browser-sniffing/
-	// We only care about the case where non-standard event systems
-	// are used, namely in IE. Short-circuiting here helps us to
-	// avoid an eval call (in setAttribute) which can cause CSP
-	// to go haywire. See: https://developer.mozilla.org/en/Security/CSP
-	if ( div.attachEvent ) {
-		for ( i in {
-			submit: 1,
-			change: 1,
-			focusin: 1
-		}) {
-			eventName = "on" + i;
-			isSupported = ( eventName in div );
-			if ( !isSupported ) {
-				div.setAttribute( eventName, "return;" );
-				isSupported = ( typeof div[ eventName ] === "function" );
-			}
-			support[ i + "Bubbles" ] = isSupported;
-		}
-	}
-
-	fragment.removeChild( div );
-
-	// Null elements to avoid leaks in IE
-	fragment = select = opt = div = input = null;
-
-	// Run tests that need a body at doc ready
-	jQuery(function() {
-		var container, outer, inner, table, td, offsetSupport,
-			marginDiv, conMarginTop, style, html, positionTopLeftWidthHeight,
-			paddingMarginBorderVisibility, paddingMarginBorder,
-			body = document.getElementsByTagName("body")[0];
-
-		if ( !body ) {
-			// Return for frameset docs that don't have a body
-			return;
-		}
-
-		conMarginTop = 1;
-		paddingMarginBorder = "padding:0;margin:0;border:";
-		positionTopLeftWidthHeight = "position:absolute;top:0;left:0;width:1px;height:1px;";
-		paddingMarginBorderVisibility = paddingMarginBorder + "0;visibility:hidden;";
-		style = "style='" + positionTopLeftWidthHeight + paddingMarginBorder + "5px solid #000;";
-		html = "
    " +
-			"" +
-			"
    ";
-
-		container = document.createElement("div");
-		container.style.cssText = paddingMarginBorderVisibility + "width:0;height:0;position:static;top:0;margin-top:" + conMarginTop + "px";
-		body.insertBefore( container, body.firstChild );
-
-		// Construct the test element
-		div = document.createElement("div");
-		container.appendChild( div );
-
-		// Check if table cells still have offsetWidth/Height when they are set
-		// to display:none and there are still other visible table cells in a
-		// table row; if so, offsetWidth/Height are not reliable for use when
-		// determining if an element has been hidden directly using
-		// display:none (it is still safe to use offsets if a parent element is
-		// hidden; don safety goggles and see bug #4512 for more information).
-		// (only IE 8 fails this test)
-		div.innerHTML = "
    t
    ";
-		tds = div.getElementsByTagName( "td" );
-		isSupported = ( tds[ 0 ].offsetHeight === 0 );
-
-		tds[ 0 ].style.display = "";
-		tds[ 1 ].style.display = "none";
-
-		// Check if empty table cells still have offsetWidth/Height
-		// (IE <= 8 fail this test)
-		support.reliableHiddenOffsets = isSupported && ( tds[ 0 ].offsetHeight === 0 );
-
-		// Check if div with explicit width and no margin-right incorrectly
-		// gets computed margin-right based on width of container. For more
-		// info see bug #3333
-		// Fails in WebKit before Feb 2011 nightlies
-		// WebKit Bug 13343 - getComputedStyle returns wrong value for margin-right
-		if ( window.getComputedStyle ) {
-			div.innerHTML = "";
-			marginDiv = document.createElement( "div" );
-			marginDiv.style.width = "0";
-			marginDiv.style.marginRight = "0";
-			div.style.width = "2px";
-			div.appendChild( marginDiv );
-			support.reliableMarginRight =
-				( parseInt( ( window.getComputedStyle( marginDiv, null ) || { marginRight: 0 } ).marginRight, 10 ) || 0 ) === 0;
-		}
-
-		if ( typeof div.style.zoom !== "undefined" ) {
-			// Check if natively block-level elements act like inline-block
-			// elements when setting their display to 'inline' and giving
-			// them layout
-			// (IE < 8 does this)
-			div.innerHTML = "";
-			div.style.width = div.style.padding = "1px";
-			div.style.border = 0;
-			div.style.overflow = "hidden";
-			div.style.display = "inline";
-			div.style.zoom = 1;
-			support.inlineBlockNeedsLayout = ( div.offsetWidth === 3 );
-
-			// Check if elements with layout shrink-wrap their children
-			// (IE 6 does this)
-			div.style.display = "block";
-			div.style.overflow = "visible";
-			div.innerHTML = "
    ";
-			support.shrinkWrapBlocks = ( div.offsetWidth !== 3 );
-		}
-
-		div.style.cssText = positionTopLeftWidthHeight + paddingMarginBorderVisibility;
-		div.innerHTML = html;
-
-		outer = div.firstChild;
-		inner = outer.firstChild;
-		td = outer.nextSibling.firstChild.firstChild;
-
-		offsetSupport = {
-			doesNotAddBorder: ( inner.offsetTop !== 5 ),
-			doesAddBorderForTableAndCells: ( td.offsetTop === 5 )
-		};
-
-		inner.style.position = "fixed";
-		inner.style.top = "20px";
-
-		// safari subtracts parent border width here which is 5px
-		offsetSupport.fixedPosition = ( inner.offsetTop === 20 || inner.offsetTop === 15 );
-		inner.style.position = inner.style.top = "";
-
-		outer.style.overflow = "hidden";
-		outer.style.position = "relative";
-
-		offsetSupport.subtractsBorderForOverflowNotVisible = ( inner.offsetTop === -5 );
-		offsetSupport.doesNotIncludeMarginInBodyOffset = ( body.offsetTop !== conMarginTop );
-
-		if ( window.getComputedStyle ) {
-			div.style.marginTop = "1%";
-			support.pixelMargin = ( window.getComputedStyle( div, null ) || { marginTop: 0 } ).marginTop !== "1%";
-		}
-
-		if ( typeof container.style.zoom !== "undefined" ) {
-			container.style.zoom = 1;
-		}
-
-		body.removeChild( container );
-		marginDiv = div = container = null;
-
-		jQuery.extend( support, offsetSupport );
-	});
-
-	return support;
-})();
-
-
-
-
-var rbrace = /^(?:\{.*\}|\[.*\])$/,
-	rmultiDash = /([A-Z])/g;
-
-jQuery.extend({
-	cache: {},
-
-	// Please use with caution
-	uuid: 0,
-
-	// Unique for each copy of jQuery on the page
-	// Non-digits removed to match rinlinejQuery
-	expando: "jQuery" + ( jQuery.fn.jquery + Math.random() ).replace( /\D/g, "" ),
-
-	// The following elements throw uncatchable exceptions if you
-	// attempt to add expando properties to them.
-	noData: {
-		"embed": true,
-		// Ban all objects except for Flash (which handle expandos)
-		"object": "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000",
-		"applet": true
-	},
-
-	hasData: function( elem ) {
-		elem = elem.nodeType ? jQuery.cache[ elem[jQuery.expando] ] : elem[ jQuery.expando ];
-		return !!elem && !isEmptyDataObject( elem );
-	},
-
-	data: function( elem, name, data, pvt /* Internal Use Only */ ) {
-		if ( !jQuery.acceptData( elem ) ) {
-			return;
-		}
-
-		var privateCache, thisCache, ret,
-			internalKey = jQuery.expando,
-			getByName = typeof name === "string",
-
-			// We have to handle DOM nodes and JS objects differently because IE6-7
-			// can't GC object references properly across the DOM-JS boundary
-			isNode = elem.nodeType,
-
-			// Only DOM nodes need the global jQuery cache; JS object data is
-			// attached directly to the object so GC can occur automatically
-			cache = isNode ? jQuery.cache : elem,
-
-			// Only defining an ID for JS objects if its cache already exists allows
-			// the code to shortcut on the same path as a DOM node with no cache
-			id = isNode ? elem[ internalKey ] : elem[ internalKey ] && internalKey,
-			isEvents = name === "events";
-
-		// Avoid doing any more work than we need to when trying to get data on an
-		// object that has no data at all
-		if ( (!id || !cache[id] || (!isEvents && !pvt && !cache[id].data)) && getByName && data === undefined ) {
-			return;
-		}
-
-		if ( !id ) {
-			// Only DOM nodes need a new unique ID for each element since their data
-			// ends up in the global cache
-			if ( isNode ) {
-				elem[ internalKey ] = id = ++jQuery.uuid;
-			} else {
-				id = internalKey;
-			}
-		}
-
-		if ( !cache[ id ] ) {
-			cache[ id ] = {};
-
-			// Avoids exposing jQuery metadata on plain JS objects when the object
-			// is serialized using JSON.stringify
-			if ( !isNode ) {
-				cache[ id ].toJSON = jQuery.noop;
-			}
-		}
-
-		// An object can be passed to jQuery.data instead of a key/value pair; this gets
-		// shallow copied over onto the existing cache
-		if ( typeof name === "object" || typeof name === "function" ) {
-			if ( pvt ) {
-				cache[ id ] = jQuery.extend( cache[ id ], name );
-			} else {
-				cache[ id ].data = jQuery.extend( cache[ id ].data, name );
-			}
-		}
-
-		privateCache = thisCache = cache[ id ];
-
-		// jQuery data() is stored in a separate object inside the object's internal data
-		// cache in order to avoid key collisions between internal data and user-defined
-		// data.
-		if ( !pvt ) {
-			if ( !thisCache.data ) {
-				thisCache.data = {};
-			}
-
-			thisCache = thisCache.data;
-		}
-
-		if ( data !== undefined ) {
-			thisCache[ jQuery.camelCase( name ) ] = data;
-		}
-
-		// Users should not attempt to inspect the internal events object using jQuery.data,
-		// it is undocumented and subject to change. But does anyone listen? No.
-		if ( isEvents && !thisCache[ name ] ) {
-			return privateCache.events;
-		}
-
-		// Check for both converted-to-camel and non-converted data property names
-		// If a data property was specified
-		if ( getByName ) {
-
-			// First Try to find as-is property data
-			ret = thisCache[ name ];
-
-			// Test for null|undefined property data
-			if ( ret == null ) {
-
-				// Try to find the camelCased property
-				ret = thisCache[ jQuery.camelCase( name ) ];
-			}
-		} else {
-			ret = thisCache;
-		}
-
-		return ret;
-	},
-
-	removeData: function( elem, name, pvt /* Internal Use Only */ ) {
-		if ( !jQuery.acceptData( elem ) ) {
-			return;
-		}
-
-		var thisCache, i, l,
-
-			// Reference to internal data cache key
-			internalKey = jQuery.expando,
-
-			isNode = elem.nodeType,
-
-			// See jQuery.data for more information
-			cache = isNode ? jQuery.cache : elem,
-
-			// See jQuery.data for more information
-			id = isNode ? elem[ internalKey ] : internalKey;
-
-		// If there is already no cache entry for this object, there is no
-		// purpose in continuing
-		if ( !cache[ id ] ) {
-			return;
-		}
-
-		if ( name ) {
-
-			thisCache = pvt ? cache[ id ] : cache[ id ].data;
-
-			if ( thisCache ) {
-
-				// Support array or space separated string names for data keys
-				if ( !jQuery.isArray( name ) ) {
-
-					// try the string as a key before any manipulation
-					if ( name in thisCache ) {
-						name = [ name ];
-					} else {
-
-						// split the camel cased version by spaces unless a key with the spaces exists
-						name = jQuery.camelCase( name );
-						if ( name in thisCache ) {
-							name = [ name ];
-						} else {
-							name = name.split( " " );
-						}
-					}
-				}
-
-				for ( i = 0, l = name.length; i < l; i++ ) {
-					delete thisCache[ name[i] ];
-				}
-
-				// If there is no data left in the cache, we want to continue
-				// and let the cache object itself get destroyed
-				if ( !( pvt ? isEmptyDataObject : jQuery.isEmptyObject )( thisCache ) ) {
-					return;
-				}
-			}
-		}
-
-		// See jQuery.data for more information
-		if ( !pvt ) {
-			delete cache[ id ].data;
-
-			// Don't destroy the parent cache unless the internal data object
-			// had been the only thing left in it
-			if ( !isEmptyDataObject(cache[ id ]) ) {
-				return;
-			}
-		}
-
-		// Browsers that fail expando deletion also refuse to delete expandos on
-		// the window, but it will allow it on all other JS objects; other browsers
-		// don't care
-		// Ensure that `cache` is not a window object #10080
-		if ( jQuery.support.deleteExpando || !cache.setInterval ) {
-			delete cache[ id ];
-		} else {
-			cache[ id ] = null;
-		}
-
-		// We destroyed the cache and need to eliminate the expando on the node to avoid
-		// false lookups in the cache for entries that no longer exist
-		if ( isNode ) {
-			// IE does not allow us to delete expando properties from nodes,
-			// nor does it have a removeAttribute function on Document nodes;
-			// we must handle all of these cases
-			if ( jQuery.support.deleteExpando ) {
-				delete elem[ internalKey ];
-			} else if ( elem.removeAttribute ) {
-				elem.removeAttribute( internalKey );
-			} else {
-				elem[ internalKey ] = null;
-			}
-		}
-	},
-
-	// For internal use only.
-	_data: function( elem, name, data ) {
-		return jQuery.data( elem, name, data, true );
-	},
-
-	// A method for determining if a DOM node can handle the data expando
-	acceptData: function( elem ) {
-		if ( elem.nodeName ) {
-			var match = jQuery.noData[ elem.nodeName.toLowerCase() ];
-
-			if ( match ) {
-				return !(match === true || elem.getAttribute("classid") !== match);
-			}
-		}
-
-		return true;
-	}
-});
-
-jQuery.fn.extend({
-	data: function( key, value ) {
-		var parts, part, attr, name, l,
-			elem = this[0],
-			i = 0,
-			data = null;
-
-		// Gets all values
-		if ( key === undefined ) {
-			if ( this.length ) {
-				data = jQuery.data( elem );
-
-				if ( elem.nodeType === 1 && !jQuery._data( elem, "parsedAttrs" ) ) {
-					attr = elem.attributes;
-					for ( l = attr.length; i < l; i++ ) {
-						name = attr[i].name;
-
-						if ( name.indexOf( "data-" ) === 0 ) {
-							name = jQuery.camelCase( name.substring(5) );
-
-							dataAttr( elem, name, data[ name ] );
-						}
-					}
-					jQuery._data( elem, "parsedAttrs", true );
-				}
-			}
-
-			return data;
-		}
-
-		// Sets multiple values
-		if ( typeof key === "object" ) {
-			return this.each(function() {
-				jQuery.data( this, key );
-			});
-		}
-
-		parts = key.split( ".", 2 );
-		parts[1] = parts[1] ? "." + parts[1] : "";
-		part = parts[1] + "!";
-
-		return jQuery.access( this, function( value ) {
-
-			if ( value === undefined ) {
-				data = this.triggerHandler( "getData" + part, [ parts[0] ] );
-
-				// Try to fetch any internally stored data first
-				if ( data === undefined && elem ) {
-					data = jQuery.data( elem, key );
-					data = dataAttr( elem, key, data );
-				}
-
-				return data === undefined && parts[1] ?
-					this.data( parts[0] ) :
-					data;
-			}
-
-			parts[1] = value;
-			this.each(function() {
-				var self = jQuery( this );
-
-				self.triggerHandler( "setData" + part, parts );
-				jQuery.data( this, key, value );
-				self.triggerHandler( "changeData" + part, parts );
-			});
-		}, null, value, arguments.length > 1, null, false );
-	},
-
-	removeData: function( key ) {
-		return this.each(function() {
-			jQuery.removeData( this, key );
-		});
-	}
-});
-
-function dataAttr( elem, key, data ) {
-	// If nothing was found internally, try to fetch any
-	// data from the HTML5 data-* attribute
-	if ( data === undefined && elem.nodeType === 1 ) {
-
-		var name = "data-" + key.replace( rmultiDash, "-$1" ).toLowerCase();
-
-		data = elem.getAttribute( name );
-
-		if ( typeof data === "string" ) {
-			try {
-				data = data === "true" ? true :
-				data === "false" ? false :
-				data === "null" ? null :
-				jQuery.isNumeric( data ) ? +data :
-					rbrace.test( data ) ? jQuery.parseJSON( data ) :
-					data;
-			} catch( e ) {}
-
-			// Make sure we set the data so it isn't changed later
-			jQuery.data( elem, key, data );
-
-		} else {
-			data = undefined;
-		}
-	}
-
-	return data;
-}
-
-// checks a cache object for emptiness
-function isEmptyDataObject( obj ) {
-	for ( var name in obj ) {
-
-		// if the public data object is empty, the private is still empty
-		if ( name === "data" && jQuery.isEmptyObject( obj[name] ) ) {
-			continue;
-		}
-		if ( name !== "toJSON" ) {
-			return false;
-		}
-	}
-
-	return true;
-}
-
-
-
-
-function handleQueueMarkDefer( elem, type, src ) {
-	var deferDataKey = type + "defer",
-		queueDataKey = type + "queue",
-		markDataKey = type + "mark",
-		defer = jQuery._data( elem, deferDataKey );
-	if ( defer &&
-		( src === "queue" || !jQuery._data(elem, queueDataKey) ) &&
-		( src === "mark" || !jQuery._data(elem, markDataKey) ) ) {
-		// Give room for hard-coded callbacks to fire first
-		// and eventually mark/queue something else on the element
-		setTimeout( function() {
-			if ( !jQuery._data( elem, queueDataKey ) &&
-				!jQuery._data( elem, markDataKey ) ) {
-				jQuery.removeData( elem, deferDataKey, true );
-				defer.fire();
-			}
-		}, 0 );
-	}
-}
-
-jQuery.extend({
-
-	_mark: function( elem, type ) {
-		if ( elem ) {
-			type = ( type || "fx" ) + "mark";
-			jQuery._data( elem, type, (jQuery._data( elem, type ) || 0) + 1 );
-		}
-	},
-
-	_unmark: function( force, elem, type ) {
-		if ( force !== true ) {
-			type = elem;
-			elem = force;
-			force = false;
-		}
-		if ( elem ) {
-			type = type || "fx";
-			var key = type + "mark",
-				count = force ? 0 : ( (jQuery._data( elem, key ) || 1) - 1 );
-			if ( count ) {
-				jQuery._data( elem, key, count );
-			} else {
-				jQuery.removeData( elem, key, true );
-				handleQueueMarkDefer( elem, type, "mark" );
-			}
-		}
-	},
-
-	queue: function( elem, type, data ) {
-		var q;
-		if ( elem ) {
-			type = ( type || "fx" ) + "queue";
-			q = jQuery._data( elem, type );
-
-			// Speed up dequeue by getting out quickly if this is just a lookup
-			if ( data ) {
-				if ( !q || jQuery.isArray(data) ) {
-					q = jQuery._data( elem, type, jQuery.makeArray(data) );
-				} else {
-					q.push( data );
-				}
-			}
-			return q || [];
-		}
-	},
-
-	dequeue: function( elem, type ) {
-		type = type || "fx";
-
-		var queue = jQuery.queue( elem, type ),
-			fn = queue.shift(),
-			hooks = {};
-
-		// If the fx queue is dequeued, always remove the progress sentinel
-		if ( fn === "inprogress" ) {
-			fn = queue.shift();
-		}
-
-		if ( fn ) {
-			// Add a progress sentinel to prevent the fx queue from being
-			// automatically dequeued
-			if ( type === "fx" ) {
-				queue.unshift( "inprogress" );
-			}
-
-			jQuery._data( elem, type + ".run", hooks );
-			fn.call( elem, function() {
-				jQuery.dequeue( elem, type );
-			}, hooks );
-		}
-
-		if ( !queue.length ) {
-			jQuery.removeData( elem, type + "queue " + type + ".run", true );
-			handleQueueMarkDefer( elem, type, "queue" );
-		}
-	}
-});
-
-jQuery.fn.extend({
-	queue: function( type, data ) {
-		var setter = 2;
-
-		if ( typeof type !== "string" ) {
-			data = type;
-			type = "fx";
-			setter--;
-		}
-
-		if ( arguments.length < setter ) {
-			return jQuery.queue( this[0], type );
-		}
-
-		return data === undefined ?
-			this :
-			this.each(function() {
-				var queue = jQuery.queue( this, type, data );
-
-				if ( type === "fx" && queue[0] !== "inprogress" ) {
-					jQuery.dequeue( this, type );
-				}
-			});
-	},
-	dequeue: function( type ) {
-		return this.each(function() {
-			jQuery.dequeue( this, type );
-		});
-	},
-	// Based off of the plugin by Clint Helfers, with permission.
-	// http://blindsignals.com/index.php/2009/07/jquery-delay/
-	delay: function( time, type ) {
-		time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time;
-		type = type || "fx";
-
-		return this.queue( type, function( next, hooks ) {
-			var timeout = setTimeout( next, time );
-			hooks.stop = function() {
-				clearTimeout( timeout );
-			};
-		});
-	},
-	clearQueue: function( type ) {
-		return this.queue( type || "fx", [] );
-	},
-	// Get a promise resolved when queues of a certain type
-	// are emptied (fx is the type by default)
-	promise: function( type, object ) {
-		if ( typeof type !== "string" ) {
-			object = type;
-			type = undefined;
-		}
-		type = type || "fx";
-		var defer = jQuery.Deferred(),
-			elements = this,
-			i = elements.length,
-			count = 1,
-			deferDataKey = type + "defer",
-			queueDataKey = type + "queue",
-			markDataKey = type + "mark",
-			tmp;
-		function resolve() {
-			if ( !( --count ) ) {
-				defer.resolveWith( elements, [ elements ] );
-			}
-		}
-		while( i-- ) {
-			if (( tmp = jQuery.data( elements[ i ], deferDataKey, undefined, true ) ||
-					( jQuery.data( elements[ i ], queueDataKey, undefined, true ) ||
-						jQuery.data( elements[ i ], markDataKey, undefined, true ) ) &&
-					jQuery.data( elements[ i ], deferDataKey, jQuery.Callbacks( "once memory" ), true ) )) {
-				count++;
-				tmp.add( resolve );
-			}
-		}
-		resolve();
-		return defer.promise( object );
-	}
-});
-
-
-
-
-var rclass = /[\n\t\r]/g,
-	rspace = /\s+/,
-	rreturn = /\r/g,
-	rtype = /^(?:button|input)$/i,
-	rfocusable = /^(?:button|input|object|select|textarea)$/i,
-	rclickable = /^a(?:rea)?$/i,
-	rboolean = /^(?:autofocus|autoplay|async|checked|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped|selected)$/i,
-	getSetAttribute = jQuery.support.getSetAttribute,
-	nodeHook, boolHook, fixSpecified;
-
-jQuery.fn.extend({
-	attr: function( name, value ) {
-		return jQuery.access( this, jQuery.attr, name, value, arguments.length > 1 );
-	},
-
-	removeAttr: function( name ) {
-		return this.each(function() {
-			jQuery.removeAttr( this, name );
-		});
-	},
-
-	prop: function( name, value ) {
-		return jQuery.access( this, jQuery.prop, name, value, arguments.length > 1 );
-	},
-
-	removeProp: function( name ) {
-		name = jQuery.propFix[ name ] || name;
-		return this.each(function() {
-			// try/catch handles cases where IE balks (such as removing a property on window)
-			try {
-				this[ name ] = undefined;
-				delete this[ name ];
-			} catch( e ) {}
-		});
-	},
-
-	addMethod: function( value ) {
-		var classNames, i, l, elem,
-			setMethod, c, cl;
-
-		if ( jQuery.isFunction( value ) ) {
-			return this.each(function( j ) {
-				jQuery( this ).addMethod( value.call(this, j, this.className) );
-			});
-		}
-
-		if ( value && typeof value === "string" ) {
-			classNames = value.split( rspace );
-
-			for ( i = 0, l = this.length; i < l; i++ ) {
-				elem = this[ i ];
-
-				if ( elem.nodeType === 1 ) {
-					if ( !elem.className && classNames.length === 1 ) {
-						elem.className = value;
-
-					} else {
-						setMethod = " " + elem.className + " ";
-
-						for ( c = 0, cl = classNames.length; c < cl; c++ ) {
-							if ( !~setMethod.indexOf( " " + classNames[ c ] + " " ) ) {
-								setMethod += classNames[ c ] + " ";
-							}
-						}
-						elem.className = jQuery.trim( setMethod );
-					}
-				}
-			}
-		}
-
-		return this;
-	},
-
-	removeMethod: function( value ) {
-		var classNames, i, l, elem, className, c, cl;
-
-		if ( jQuery.isFunction( value ) ) {
-			return this.each(function( j ) {
-				jQuery( this ).removeMethod( value.call(this, j, this.className) );
-			});
-		}
-
-		if ( (value && typeof value === "string") || value === undefined ) {
-			classNames = ( value || "" ).split( rspace );
-
-			for ( i = 0, l = this.length; i < l; i++ ) {
-				elem = this[ i ];
-
-				if ( elem.nodeType === 1 && elem.className ) {
-					if ( value ) {
-						className = (" " + elem.className + " ").replace( rclass, " " );
-						for ( c = 0, cl = classNames.length; c < cl; c++ ) {
-							className = className.replace(" " + classNames[ c ] + " ", " ");
-						}
-						elem.className = jQuery.trim( className );
-
-					} else {
-						elem.className = "";
-					}
-				}
-			}
-		}
-
-		return this;
-	},
-
-	toggleMethod: function( value, stateVal ) {
-		var type = typeof value,
-			isBool = typeof stateVal === "boolean";
-
-		if ( jQuery.isFunction( value ) ) {
-			return this.each(function( i ) {
-				jQuery( this ).toggleMethod( value.call(this, i, this.className, stateVal), stateVal );
-			});
-		}
-
-		return this.each(function() {
-			if ( type === "string" ) {
-				// toggle individual class names
-				var className,
-					i = 0,
-					self = jQuery( this ),
-					state = stateVal,
-					classNames = value.split( rspace );
-
-				while ( (className = classNames[ i++ ]) ) {
-					// check each className given, space seperated list
-					state = isBool ? state : !self.hasMethod( className );
-					self[ state ? "addMethod" : "removeMethod" ]( className );
-				}
-
-			} else if ( type === "undefined" || type === "boolean" ) {
-				if ( this.className ) {
-					// store className if set
-					jQuery._data( this, "__className__", this.className );
-				}
-
-				// toggle whole className
-				this.className = this.className || value === false ? "" : jQuery._data( this, "__className__" ) || "";
-			}
-		});
-	},
-
-	hasMethod: function( selector ) {
-		var className = " " + selector + " ",
-			i = 0,
-			l = this.length;
-		for ( ; i < l; i++ ) {
-			if ( this[i].nodeType === 1 && (" " + this[i].className + " ").replace(rclass, " ").indexOf( className ) > -1 ) {
-				return true;
-			}
-		}
-
-		return false;
-	},
-
-	val: function( value ) {
-		var hooks, ret, isFunction,
-			elem = this[0];
-
-		if ( !arguments.length ) {
-			if ( elem ) {
-				hooks = jQuery.valHooks[ elem.type ] || jQuery.valHooks[ elem.nodeName.toLowerCase() ];
-
-				if ( hooks && "get" in hooks && (ret = hooks.get( elem, "value" )) !== undefined ) {
-					return ret;
-				}
-
-				ret = elem.value;
-
-				return typeof ret === "string" ?
-					// handle most common string cases
-					ret.replace(rreturn, "") :
-					// handle cases where value is null/undef or number
-					ret == null ? "" : ret;
-			}
-
-			return;
-		}
-
-		isFunction = jQuery.isFunction( value );
-
-		return this.each(function( i ) {
-			var self = jQuery(this), val;
-
-			if ( this.nodeType !== 1 ) {
-				return;
-			}
-
-			if ( isFunction ) {
-				val = value.call( this, i, self.val() );
-			} else {
-				val = value;
-			}
-
-			// Treat null/undefined as ""; convert numbers to string
-			if ( val == null ) {
-				val = "";
-			} else if ( typeof val === "number" ) {
-				val += "";
-			} else if ( jQuery.isArray( val ) ) {
-				val = jQuery.map(val, function ( value ) {
-					return value == null ? "" : value + "";
-				});
-			}
-
-			hooks = jQuery.valHooks[ this.type ] || jQuery.valHooks[ this.nodeName.toLowerCase() ];
-
-			// If set returns undefined, fall back to normal setting
-			if ( !hooks || !("set" in hooks) || hooks.set( this, val, "value" ) === undefined ) {
-				this.value = val;
-			}
-		});
-	}
-});
-
-jQuery.extend({
-	valHooks: {
-		option: {
-			get: function( elem ) {
-				// attributes.value is undefined in Blackberry 4.7 but
-				// uses .value. See #6932
-				var val = elem.attributes.value;
-				return !val || val.specified ? elem.value : elem.text;
-			}
-		},
-		select: {
-			get: function( elem ) {
-				var value, i, max, option,
-					index = elem.selectedIndex,
-					values = [],
-					options = elem.options,
-					one = elem.type === "select-one";
-
-				// Nothing was selected
-				if ( index < 0 ) {
-					return null;
-				}
-
-				// Loop through all the selected options
-				i = one ? index : 0;
-				max = one ? index + 1 : options.length;
-				for ( ; i < max; i++ ) {
-					option = options[ i ];
-
-					// Don't return options that are disabled or in a disabled optgroup
-					if ( option.selected && (jQuery.support.optDisabled ? !option.disabled : option.getAttribute("disabled") === null) &&
-							(!option.parentNode.disabled || !jQuery.nodeName( option.parentNode, "optgroup" )) ) {
-
-						// Get the specific value for the option
-						value = jQuery( option ).val();
-
-						// We don't need an array for one selects
-						if ( one ) {
-							return value;
-						}
-
-						// Multi-Selects return an array
-						values.push( value );
-					}
-				}
-
-				// Fixes Bug #2551 -- select.val() broken in IE after form.reset()
-				if ( one && !values.length && options.length ) {
-					return jQuery( options[ index ] ).val();
-				}
-
-				return values;
-			},
-
-			set: function( elem, value ) {
-				var values = jQuery.makeArray( value );
-
-				jQuery(elem).find("option").each(function() {
-					this.selected = jQuery.inArray( jQuery(this).val(), values ) >= 0;
-				});
-
-				if ( !values.length ) {
-					elem.selectedIndex = -1;
-				}
-				return values;
-			}
-		}
-	},
-
-	attrFn: {
-		val: true,
-		css: true,
-		html: true,
-		text: true,
-		data: true,
-		width: true,
-		height: true,
-		offset: true
-	},
-
-	attr: function( elem, name, value, pass ) {
-		var ret, hooks, notxml,
-			nType = elem.nodeType;
-
-		// don't get/set attributes on text, comment and attribute nodes
-		if ( !elem || nType === 3 || nType === 8 || nType === 2 ) {
-			return;
-		}
-
-		if ( pass && name in jQuery.attrFn ) {
-			return jQuery( elem )[ name ]( value );
-		}
-
-		// Fallback to prop when attributes are not supported
-		if ( typeof elem.getAttribute === "undefined" ) {
-			return jQuery.prop( elem, name, value );
-		}
-
-		notxml = nType !== 1 || !jQuery.isXMLDoc( elem );
-
-		// All attributes are lowercase
-		// Grab necessary hook if one is defined
-		if ( notxml ) {
-			name = name.toLowerCase();
-			hooks = jQuery.attrHooks[ name ] || ( rboolean.test( name ) ? boolHook : nodeHook );
-		}
-
-		if ( value !== undefined ) {
-
-			if ( value === null ) {
-				jQuery.removeAttr( elem, name );
-				return;
-
-			} else if ( hooks && "set" in hooks && notxml && (ret = hooks.set( elem, value, name )) !== undefined ) {
-				return ret;
-
-			} else {
-				elem.setAttribute( name, "" + value );
-				return value;
-			}
-
-		} else if ( hooks && "get" in hooks && notxml && (ret = hooks.get( elem, name )) !== null ) {
-			return ret;
-
-		} else {
-
-			ret = elem.getAttribute( name );
-
-			// Non-existent attributes return null, we normalize to undefined
-			return ret === null ?
-				undefined :
-				ret;
-		}
-	},
-
-	removeAttr: function( elem, value ) {
-		var propName, attrNames, name, l, isBool,
-			i = 0;
-
-		if ( value && elem.nodeType === 1 ) {
-			attrNames = value.toLowerCase().split( rspace );
-			l = attrNames.length;
-
-			for ( ; i < l; i++ ) {
-				name = attrNames[ i ];
-
-				if ( name ) {
-					propName = jQuery.propFix[ name ] || name;
-					isBool = rboolean.test( name );
-
-					// See #9699 for explanation of this approach (setting first, then removal)
-					// Do not do this for boolean attributes (see #10870)
-					if ( !isBool ) {
-						jQuery.attr( elem, name, "" );
-					}
-					elem.removeAttribute( getSetAttribute ? name : propName );
-
-					// Set corresponding property to false for boolean attributes
-					if ( isBool && propName in elem ) {
-						elem[ propName ] = false;
-					}
-				}
-			}
-		}
-	},
-
-	attrHooks: {
-		type: {
-			set: function( elem, value ) {
-				// We can't allow the type property to be changed (since it causes problems in IE)
-				if ( rtype.test( elem.nodeName ) && elem.parentNode ) {
-					jQuery.error( "type property can't be changed" );
-				} else if ( !jQuery.support.radioValue && value === "radio" && jQuery.nodeName(elem, "input") ) {
-					// Setting the type on a radio button after the value resets the value in IE6-9
-					// Reset value to it's default in case type is set after value
-					// This is for element creation
-					var val = elem.value;
-					elem.setAttribute( "type", value );
-					if ( val ) {
-						elem.value = val;
-					}
-					return value;
-				}
-			}
-		},
-		// Use the value property for back compat
-		// Use the nodeHook for button elements in IE6/7 (#1954)
-		value: {
-			get: function( elem, name ) {
-				if ( nodeHook && jQuery.nodeName( elem, "button" ) ) {
-					return nodeHook.get( elem, name );
-				}
-				return name in elem ?
-					elem.value :
-					null;
-			},
-			set: function( elem, value, name ) {
-				if ( nodeHook && jQuery.nodeName( elem, "button" ) ) {
-					return nodeHook.set( elem, value, name );
-				}
-				// Does not return so that setAttribute is also used
-				elem.value = value;
-			}
-		}
-	},
-
-	propFix: {
-		tabindex: "tabIndex",
-		readonly: "readOnly",
-		"for": "htmlFor",
-		"class": "className",
-		maxlength: "maxLength",
-		cellspacing: "cellSpacing",
-		cellpadding: "cellPadding",
-		rowspan: "rowSpan",
-		colspan: "colSpan",
-		usemap: "useMap",
-		frameborder: "frameBorder",
-		contenteditable: "contentEditable"
-	},
-
-	prop: function( elem, name, value ) {
-		var ret, hooks, notxml,
-			nType = elem.nodeType;
-
-		// don't get/set properties on text, comment and attribute nodes
-		if ( !elem || nType === 3 || nType === 8 || nType === 2 ) {
-			return;
-		}
-
-		notxml = nType !== 1 || !jQuery.isXMLDoc( elem );
-
-		if ( notxml ) {
-			// Fix name and attach hooks
-			name = jQuery.propFix[ name ] || name;
-			hooks = jQuery.propHooks[ name ];
-		}
-
-		if ( value !== undefined ) {
-			if ( hooks && "set" in hooks && (ret = hooks.set( elem, value, name )) !== undefined ) {
-				return ret;
-
-			} else {
-				return ( elem[ name ] = value );
-			}
-
-		} else {
-			if ( hooks && "get" in hooks && (ret = hooks.get( elem, name )) !== null ) {
-				return ret;
-
-			} else {
-				return elem[ name ];
-			}
-		}
-	},
-
-	propHooks: {
-		tabIndex: {
-			get: function( elem ) {
-				// elem.tabIndex doesn't always return the correct value when it hasn't been explicitly set
-				// http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/
-				var attributeNode = elem.getAttributeNode("tabindex");
-
-				return attributeNode && attributeNode.specified ?
-					parseInt( attributeNode.value, 10 ) :
-					rfocusable.test( elem.nodeName ) || rclickable.test( elem.nodeName ) && elem.href ?
-						0 :
-						undefined;
-			}
-		}
-	}
-});
-
-// Add the tabIndex propHook to attrHooks for back-compat (different case is intentional)
-jQuery.attrHooks.tabindex = jQuery.propHooks.tabIndex;
-
-// Hook for boolean attributes
-boolHook = {
-	get: function( elem, name ) {
-		// Align boolean attributes with corresponding properties
-		// Fall back to attribute presence where some booleans are not supported
-		var attrNode,
-			property = jQuery.prop( elem, name );
-		return property === true || typeof property !== "boolean" && ( attrNode = elem.getAttributeNode(name) ) && attrNode.nodeValue !== false ?
-			name.toLowerCase() :
-			undefined;
-	},
-	set: function( elem, value, name ) {
-		var propName;
-		if ( value === false ) {
-			// Remove boolean attributes when set to false
-			jQuery.removeAttr( elem, name );
-		} else {
-			// value is true since we know at this point it's type boolean and not false
-			// Set boolean attributes to the same name and set the DOM property
-			propName = jQuery.propFix[ name ] || name;
-			if ( propName in elem ) {
-				// Only set the IDL specifically if it already exists on the element
-				elem[ propName ] = true;
-			}
-
-			elem.setAttribute( name, name.toLowerCase() );
-		}
-		return name;
-	}
-};
-
-// IE6/7 do not support getting/setting some attributes with get/setAttribute
-if ( !getSetAttribute ) {
-
-	fixSpecified = {
-		name: true,
-		id: true,
-		coords: true
-	};
-
-	// Use this for any attribute in IE6/7
-	// This fixes almost every IE6/7 issue
-	nodeHook = jQuery.valHooks.button = {
-		get: function( elem, name ) {
-			var ret;
-			ret = elem.getAttributeNode( name );
-			return ret && ( fixSpecified[ name ] ? ret.nodeValue !== "" : ret.specified ) ?
-				ret.nodeValue :
-				undefined;
-		},
-		set: function( elem, value, name ) {
-			// Set the existing or create a new attribute node
-			var ret = elem.getAttributeNode( name );
-			if ( !ret ) {
-				ret = document.createAttribute( name );
-				elem.setAttributeNode( ret );
-			}
-			return ( ret.nodeValue = value + "" );
-		}
-	};
-
-	// Apply the nodeHook to tabindex
-	jQuery.attrHooks.tabindex.set = nodeHook.set;
-
-	// Set width and height to auto instead of 0 on empty string( Bug #8150 )
-	// This is for removals
-	jQuery.each([ "width", "height" ], function( i, name ) {
-		jQuery.attrHooks[ name ] = jQuery.extend( jQuery.attrHooks[ name ], {
-			set: function( elem, value ) {
-				if ( value === "" ) {
-					elem.setAttribute( name, "auto" );
-					return value;
-				}
-			}
-		});
-	});
-
-	// Set contenteditable to false on removals(#10429)
-	// Setting to empty string throws an error as an invalid value
-	jQuery.attrHooks.contenteditable = {
-		get: nodeHook.get,
-		set: function( elem, value, name ) {
-			if ( value === "" ) {
-				value = "false";
-			}
-			nodeHook.set( elem, value, name );
-		}
-	};
-}
-
-
-// Some attributes require a special call on IE
-if ( !jQuery.support.hrefNormalized ) {
-	jQuery.each([ "href", "src", "width", "height" ], function( i, name ) {
-		jQuery.attrHooks[ name ] = jQuery.extend( jQuery.attrHooks[ name ], {
-			get: function( elem ) {
-				var ret = elem.getAttribute( name, 2 );
-				return ret === null ? undefined : ret;
-			}
-		});
-	});
-}
-
-if ( !jQuery.support.style ) {
-	jQuery.attrHooks.style = {
-		get: function( elem ) {
-			// Return undefined in the case of empty string
-			// Normalize to lowercase since IE uppercases css property names
-			return elem.style.cssText.toLowerCase() || undefined;
-		},
-		set: function( elem, value ) {
-			return ( elem.style.cssText = "" + value );
-		}
-	};
-}
-
-// Safari mis-reports the default selected property of an option
-// Accessing the parent's selectedIndex property fixes it
-if ( !jQuery.support.optSelected ) {
-	jQuery.propHooks.selected = jQuery.extend( jQuery.propHooks.selected, {
-		get: function( elem ) {
-			var parent = elem.parentNode;
-
-			if ( parent ) {
-				parent.selectedIndex;
-
-				// Make sure that it also works with optgroups, see #5701
-				if ( parent.parentNode ) {
-					parent.parentNode.selectedIndex;
-				}
-			}
-			return null;
-		}
-	});
-}
-
-// IE6/7 call enctype encoding
-if ( !jQuery.support.enctype ) {
-	jQuery.propFix.enctype = "encoding";
-}
-
-// Radios and checkboxes getter/setter
-if ( !jQuery.support.checkOn ) {
-	jQuery.each([ "radio", "checkbox" ], function() {
-		jQuery.valHooks[ this ] = {
-			get: function( elem ) {
-				// Handle the case where in Webkit "" is returned instead of "on" if a value isn't specified
-				return elem.getAttribute("value") === null ? "on" : elem.value;
-			}
-		};
-	});
-}
-jQuery.each([ "radio", "checkbox" ], function() {
-	jQuery.valHooks[ this ] = jQuery.extend( jQuery.valHooks[ this ], {
-		set: function( elem, value ) {
-			if ( jQuery.isArray( value ) ) {
-				return ( elem.checked = jQuery.inArray( jQuery(elem).val(), value ) >= 0 );
-			}
-		}
-	});
-});
-
-
-
-
-var rformElems = /^(?:textarea|input|select)$/i,
-	rtypenamespace = /^([^\.]*)?(?:\.(.+))?$/,
-	rhoverHack = /(?:^|\s)hover(\.\S+)?\b/,
-	rkeyEvent = /^key/,
-	rmouseEvent = /^(?:mouse|contextmenu)|click/,
-	rfocusMorph = /^(?:focusinfocus|focusoutblur)$/,
-	rquickIs = /^(\w*)(?:#([\w\-]+))?(?:\.([\w\-]+))?$/,
-	quickParse = function( selector ) {
-		var quick = rquickIs.exec( selector );
-		if ( quick ) {
-			//   0  1    2   3
-			// [ _, tag, id, class ]
-			quick[1] = ( quick[1] || "" ).toLowerCase();
-			quick[3] = quick[3] && new RegExp( "(?:^|\\s)" + quick[3] + "(?:\\s|$)" );
-		}
-		return quick;
-	},
-	quickIs = function( elem, m ) {
-		var attrs = elem.attributes || {};
-		return (
-			(!m[1] || elem.nodeName.toLowerCase() === m[1]) &&
-			(!m[2] || (attrs.id || {}).value === m[2]) &&
-			(!m[3] || m[3].test( (attrs[ "class" ] || {}).value ))
-		);
-	},
-	hoverHack = function( events ) {
-		return jQuery.event.special.hover ? events : events.replace( rhoverHack, "mouseenter$1 mouseleave$1" );
-	};
-
-/*
- * Helper functions for managing events -- not part of the public interface.
- * Props to Dean Edwards' addEvent library for many of the ideas.
- */
-jQuery.event = {
-
-	add: function( elem, types, handler, data, selector ) {
-
-		var elemData, eventHandle, events,
-			t, tns, type, namespaces, handleObj,
-			handleObjIn, quick, handlers, special;
-
-		// Don't attach events to noData or text/comment nodes (allow plain objects tho)
-		if ( elem.nodeType === 3 || elem.nodeType === 8 || !types || !handler || !(elemData = jQuery._data( elem )) ) {
-			return;
-		}
-
-		// Caller can pass in an object of custom data in lieu of the handler
-		if ( handler.handler ) {
-			handleObjIn = handler;
-			handler = handleObjIn.handler;
-			selector = handleObjIn.selector;
-		}
-
-		// Make sure that the handler has a unique ID, used to find/remove it later
-		if ( !handler.guid ) {
-			handler.guid = jQuery.guid++;
-		}
-
-		// Init the element's event structure and main handler, if this is the first
-		events = elemData.events;
-		if ( !events ) {
-			elemData.events = events = {};
-		}
-		eventHandle = elemData.handle;
-		if ( !eventHandle ) {
-			elemData.handle = eventHandle = function( e ) {
-				// Discard the second event of a jQuery.event.trigger() and
-				// when an event is called after a page has unloaded
-				return typeof jQuery !== "undefined" && (!e || jQuery.event.triggered !== e.type) ?
-					jQuery.event.dispatch.apply( eventHandle.elem, arguments ) :
-					undefined;
-			};
-			// Add elem as a property of the handle fn to prevent a memory leak with IE non-native events
-			eventHandle.elem = elem;
-		}
-
-		// Handle multiple events separated by a space
-		// jQuery(...).bind("mouseover mouseout", fn);
-		types = jQuery.trim( hoverHack(types) ).split( " " );
-		for ( t = 0; t < types.length; t++ ) {
-
-			tns = rtypenamespace.exec( types[t] ) || [];
-			type = tns[1];
-			namespaces = ( tns[2] || "" ).split( "." ).sort();
-
-			// If event changes its type, use the special event handlers for the changed type
-			special = jQuery.event.special[ type ] || {};
-
-			// If selector defined, determine special event api type, otherwise given type
-			type = ( selector ? special.delegateType : special.bindType ) || type;
-
-			// Update special based on newly reset type
-			special = jQuery.event.special[ type ] || {};
-
-			// handleObj is passed to all event handlers
-			handleObj = jQuery.extend({
-				type: type,
-				origType: tns[1],
-				data: data,
-				handler: handler,
-				guid: handler.guid,
-				selector: selector,
-				quick: selector && quickParse( selector ),
-				namespace: namespaces.join(".")
-			}, handleObjIn );
-
-			// Init the event handler queue if we're the first
-			handlers = events[ type ];
-			if ( !handlers ) {
-				handlers = events[ type ] = [];
-				handlers.delegateCount = 0;
-
-				// Only use addEventListener/attachEvent if the special events handler returns false
-				if ( !special.setup || special.setup.call( elem, data, namespaces, eventHandle ) === false ) {
-					// Bind the global event handler to the element
-					if ( elem.addEventListener ) {
-						elem.addEventListener( type, eventHandle, false );
-
-					} else if ( elem.attachEvent ) {
-						elem.attachEvent( "on" + type, eventHandle );
-					}
-				}
-			}
-
-			if ( special.add ) {
-				special.add.call( elem, handleObj );
-
-				if ( !handleObj.handler.guid ) {
-					handleObj.handler.guid = handler.guid;
-				}
-			}
-
-			// Add to the element's handler list, delegates in front
-			if ( selector ) {
-				handlers.splice( handlers.delegateCount++, 0, handleObj );
-			} else {
-				handlers.push( handleObj );
-			}
-
-			// Keep track of which events have ever been used, for event optimization
-			jQuery.event.global[ type ] = true;
-		}
-
-		// Nullify elem to prevent memory leaks in IE
-		elem = null;
-	},
-
-	global: {},
-
-	// Detach an event or set of events from an element
-	remove: function( elem, types, handler, selector, mappedTypes ) {
-
-		var elemData = jQuery.hasData( elem ) && jQuery._data( elem ),
-			t, tns, type, origType, namespaces, origCount,
-			j, events, special, handle, eventType, handleObj;
-
-		if ( !elemData || !(events = elemData.events) ) {
-			return;
-		}
-
-		// Once for each type.namespace in types; type may be omitted
-		types = jQuery.trim( hoverHack( types || "" ) ).split(" ");
-		for ( t = 0; t < types.length; t++ ) {
-			tns = rtypenamespace.exec( types[t] ) || [];
-			type = origType = tns[1];
-			namespaces = tns[2];
-
-			// Unbind all events (on this namespace, if provided) for the element
-			if ( !type ) {
-				for ( type in events ) {
-					jQuery.event.remove( elem, type + types[ t ], handler, selector, true );
-				}
-				continue;
-			}
-
-			special = jQuery.event.special[ type ] || {};
-			type = ( selector? special.delegateType : special.bindType ) || type;
-			eventType = events[ type ] || [];
-			origCount = eventType.length;
-			namespaces = namespaces ? new RegExp("(^|\\.)" + namespaces.split(".").sort().join("\\.(?:.*\\.)?") + "(\\.|$)") : null;
-
-			// Remove matching events
-			for ( j = 0; j < eventType.length; j++ ) {
-				handleObj = eventType[ j ];
-
-				if ( ( mappedTypes || origType === handleObj.origType ) &&
-					 ( !handler || handler.guid === handleObj.guid ) &&
-					 ( !namespaces || namespaces.test( handleObj.namespace ) ) &&
-					 ( !selector || selector === handleObj.selector || selector === "**" && handleObj.selector ) ) {
-					eventType.splice( j--, 1 );
-
-					if ( handleObj.selector ) {
-						eventType.delegateCount--;
-					}
-					if ( special.remove ) {
-						special.remove.call( elem, handleObj );
-					}
-				}
-			}
-
-			// Remove generic event handler if we removed something and no more handlers exist
-			// (avoids potential for endless recursion during removal of special event handlers)
-			if ( eventType.length === 0 && origCount !== eventType.length ) {
-				if ( !special.teardown || special.teardown.call( elem, namespaces ) === false ) {
-					jQuery.removeEvent( elem, type, elemData.handle );
-				}
-
-				delete events[ type ];
-			}
-		}
-
-		// Remove the expando if it's no longer used
-		if ( jQuery.isEmptyObject( events ) ) {
-			handle = elemData.handle;
-			if ( handle ) {
-				handle.elem = null;
-			}
-
-			// removeData also checks for emptiness and clears the expando if empty
-			// so use it instead of delete
-			jQuery.removeData( elem, [ "events", "handle" ], true );
-		}
-	},
-
-	// Events that are safe to short-circuit if no handlers are attached.
-	// Native DOM events should not be added, they may have inline handlers.
-	customEvent: {
-		"getData": true,
-		"setData": true,
-		"changeData": true
-	},
-
-	trigger: function( event, data, elem, onlyHandlers ) {
-		// Don't do events on text and comment nodes
-		if ( elem && (elem.nodeType === 3 || elem.nodeType === 8) ) {
-			return;
-		}
-
-		// Event object or event type
-		var type = event.type || event,
-			namespaces = [],
-			cache, exclusive, i, cur, old, ontype, special, handle, eventPath, bubbleType;
-
-		// focus/blur morphs to focusin/out; ensure we're not firing them right now
-		if ( rfocusMorph.test( type + jQuery.event.triggered ) ) {
-			return;
-		}
-
-		if ( type.indexOf( "!" ) >= 0 ) {
-			// Exclusive events trigger only for the exact event (no namespaces)
-			type = type.slice(0, -1);
-			exclusive = true;
-		}
-
-		if ( type.indexOf( "." ) >= 0 ) {
-			// Namespaced trigger; create a regexp to match event type in handle()
-			namespaces = type.split(".");
-			type = namespaces.shift();
-			namespaces.sort();
-		}
-
-		if ( (!elem || jQuery.event.customEvent[ type ]) && !jQuery.event.global[ type ] ) {
-			// No jQuery handlers for this event type, and it can't have inline handlers
-			return;
-		}
-
-		// Caller can pass in an Event, Object, or just an event type string
-		event = typeof event === "object" ?
-			// jQuery.Event object
-			event[ jQuery.expando ] ? event :
-			// Object literal
-			new jQuery.Event( type, event ) :
-			// Just the event type (string)
-			new jQuery.Event( type );
-
-		event.type = type;
-		event.isTrigger = true;
-		event.exclusive = exclusive;
-		event.namespace = namespaces.join( "." );
-		event.namespace_re = event.namespace? new RegExp("(^|\\.)" + namespaces.join("\\.(?:.*\\.)?") + "(\\.|$)") : null;
-		ontype = type.indexOf( ":" ) < 0 ? "on" + type : "";
-
-		// Handle a global trigger
-		if ( !elem ) {
-
-			// TODO: Stop taunting the data cache; remove global events and always attach to document
-			cache = jQuery.cache;
-			for ( i in cache ) {
-				if ( cache[ i ].events && cache[ i ].events[ type ] ) {
-					jQuery.event.trigger( event, data, cache[ i ].handle.elem, true );
-				}
-			}
-			return;
-		}
-
-		// Clean up the event in case it is being reused
-		event.result = undefined;
-		if ( !event.target ) {
-			event.target = elem;
-		}
-
-		// Clone any incoming data and prepend the event, creating the handler arg list
-		data = data != null ? jQuery.makeArray( data ) : [];
-		data.unshift( event );
-
-		// Allow special events to draw outside the lines
-		special = jQuery.event.special[ type ] || {};
-		if ( special.trigger && special.trigger.apply( elem, data ) === false ) {
-			return;
-		}
-
-		// Determine event propagation path in advance, per W3C events spec (#9951)
-		// Bubble up to document, then to window; watch for a global ownerDocument var (#9724)
-		eventPath = [[ elem, special.bindType || type ]];
-		if ( !onlyHandlers && !special.noBubble && !jQuery.isWindow( elem ) ) {
-
-			bubbleType = special.delegateType || type;
-			cur = rfocusMorph.test( bubbleType + type ) ? elem : elem.parentNode;
-			old = null;
-			for ( ; cur; cur = cur.parentNode ) {
-				eventPath.push([ cur, bubbleType ]);
-				old = cur;
-			}
-
-			// Only add window if we got to document (e.g., not plain obj or detached DOM)
-			if ( old && old === elem.ownerDocument ) {
-				eventPath.push([ old.defaultView || old.parentWindow || window, bubbleType ]);
-			}
-		}
-
-		// Fire handlers on the event path
-		for ( i = 0; i < eventPath.length && !event.isPropagationStopped(); i++ ) {
-
-			cur = eventPath[i][0];
-			event.type = eventPath[i][1];
-
-			handle = ( jQuery._data( cur, "events" ) || {} )[ event.type ] && jQuery._data( cur, "handle" );
-			if ( handle ) {
-				handle.apply( cur, data );
-			}
-			// Note that this is a bare JS function and not a jQuery handler
-			handle = ontype && cur[ ontype ];
-			if ( handle && jQuery.acceptData( cur ) && handle.apply( cur, data ) === false ) {
-				event.preventDefault();
-			}
-		}
-		event.type = type;
-
-		// If nobody prevented the default action, do it now
-		if ( !onlyHandlers && !event.isDefaultPrevented() ) {
-
-			if ( (!special._default || special._default.apply( elem.ownerDocument, data ) === false) &&
-				!(type === "click" && jQuery.nodeName( elem, "a" )) && jQuery.acceptData( elem ) ) {
-
-				// Call a native DOM method on the target with the same name name as the event.
-				// Can't use an .isFunction() check here because IE6/7 fails that test.
-				// Don't do default actions on window, that's where global variables be (#6170)
-				// IE<9 dies on focus/blur to hidden element (#1486)
-				if ( ontype && elem[ type ] && ((type !== "focus" && type !== "blur") || event.target.offsetWidth !== 0) && !jQuery.isWindow( elem ) ) {
-
-					// Don't re-trigger an onFOO event when we call its FOO() method
-					old = elem[ ontype ];
-
-					if ( old ) {
-						elem[ ontype ] = null;
-					}
-
-					// Prevent re-triggering of the same event, since we already bubbled it above
-					jQuery.event.triggered = type;
-					elem[ type ]();
-					jQuery.event.triggered = undefined;
-
-					if ( old ) {
-						elem[ ontype ] = old;
-					}
-				}
-			}
-		}
-
-		return event.result;
-	},
-
-	dispatch: function( event ) {
-
-		// Make a writable jQuery.Event from the native event object
-		event = jQuery.event.fix( event || window.event );
-
-		var handlers = ( (jQuery._data( this, "events" ) || {} )[ event.type ] || []),
-			delegateCount = handlers.delegateCount,
-			args = [].slice.call( arguments, 0 ),
-			run_all = !event.exclusive && !event.namespace,
-			special = jQuery.event.special[ event.type ] || {},
-			handlerQueue = [],
-			i, j, cur, jqcur, ret, selMatch, matched, matches, handleObj, sel, related;
-
-		// Use the fix-ed jQuery.Event rather than the (read-only) native event
-		args[0] = event;
-		event.delegateTarget = this;
-
-		// Call the preDispatch hook for the mapped type, and let it bail if desired
-		if ( special.preDispatch && special.preDispatch.call( this, event ) === false ) {
-			return;
-		}
-
-		// Determine handlers that should run if there are delegated events
-		// Avoid non-left-click bubbling in Firefox (#3861)
-		if ( delegateCount && !(event.button && event.type === "click") ) {
-
-			// Pregenerate a single jQuery object for reuse with .is()
-			jqcur = jQuery(this);
-			jqcur.context = this.ownerDocument || this;
-
-			for ( cur = event.target; cur != this; cur = cur.parentNode || this ) {
-
-				// Don't process events on disabled elements (#6911, #8165)
-				if ( cur.disabled !== true ) {
-					selMatch = {};
-					matches = [];
-					jqcur[0] = cur;
-					for ( i = 0; i < delegateCount; i++ ) {
-						handleObj = handlers[ i ];
-						sel = handleObj.selector;
-
-						if ( selMatch[ sel ] === undefined ) {
-							selMatch[ sel ] = (
-								handleObj.quick ? quickIs( cur, handleObj.quick ) : jqcur.is( sel )
-							);
-						}
-						if ( selMatch[ sel ] ) {
-							matches.push( handleObj );
-						}
-					}
-					if ( matches.length ) {
-						handlerQueue.push({ elem: cur, matches: matches });
-					}
-				}
-			}
-		}
-
-		// Add the remaining (directly-bound) handlers
-		if ( handlers.length > delegateCount ) {
-			handlerQueue.push({ elem: this, matches: handlers.slice( delegateCount ) });
-		}
-
-		// Run delegates first; they may want to stop propagation beneath us
-		for ( i = 0; i < handlerQueue.length && !event.isPropagationStopped(); i++ ) {
-			matched = handlerQueue[ i ];
-			event.currentTarget = matched.elem;
-
-			for ( j = 0; j < matched.matches.length && !event.isImmediatePropagationStopped(); j++ ) {
-				handleObj = matched.matches[ j ];
-
-				// Triggered event must either 1) be non-exclusive and have no namespace, or
-				// 2) have namespace(s) a subset or equal to those in the bound event (both can have no namespace).
-				if ( run_all || (!event.namespace && !handleObj.namespace) || event.namespace_re && event.namespace_re.test( handleObj.namespace ) ) {
-
-					event.data = handleObj.data;
-					event.handleObj = handleObj;
-
-					ret = ( (jQuery.event.special[ handleObj.origType ] || {}).handle || handleObj.handler )
-							.apply( matched.elem, args );
-
-					if ( ret !== undefined ) {
-						event.result = ret;
-						if ( ret === false ) {
-							event.preventDefault();
-							event.stopPropagation();
-						}
-					}
-				}
-			}
-		}
-
-		// Call the postDispatch hook for the mapped type
-		if ( special.postDispatch ) {
-			special.postDispatch.call( this, event );
-		}
-
-		return event.result;
-	},
-
-	// Includes some event props shared by KeyEvent and MouseEvent
-	// *** attrChange attrName relatedNode srcElement  are not normalized, non-W3C, deprecated, will be removed in 1.8 ***
-	props: "attrChange attrName relatedNode srcElement altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),
-
-	fixHooks: {},
-
-	keyHooks: {
-		props: "char charCode key keyCode".split(" "),
-		filter: function( event, original ) {
-
-			// Add which for key events
-			if ( event.which == null ) {
-				event.which = original.charCode != null ? original.charCode : original.keyCode;
-			}
-
-			return event;
-		}
-	},
-
-	mouseHooks: {
-		props: "button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),
-		filter: function( event, original ) {
-			var eventDoc, doc, body,
-				button = original.button,
-				fromElement = original.fromElement;
-
-			// Calculate pageX/Y if missing and clientX/Y available
-			if ( event.pageX == null && original.clientX != null ) {
-				eventDoc = event.target.ownerDocument || document;
-				doc = eventDoc.documentElement;
-				body = eventDoc.body;
-
-				event.pageX = original.clientX + ( doc && doc.scrollLeft || body && body.scrollLeft || 0 ) - ( doc && doc.clientLeft || body && body.clientLeft || 0 );
-				event.pageY = original.clientY + ( doc && doc.scrollTop  || body && body.scrollTop  || 0 ) - ( doc && doc.clientTop  || body && body.clientTop  || 0 );
-			}
-
-			// Add relatedTarget, if necessary
-			if ( !event.relatedTarget && fromElement ) {
-				event.relatedTarget = fromElement === event.target ? original.toElement : fromElement;
-			}
-
-			// Add which for click: 1 === left; 2 === middle; 3 === right
-			// Note: button is not normalized, so don't use it
-			if ( !event.which && button !== undefined ) {
-				event.which = ( button & 1 ? 1 : ( button & 2 ? 3 : ( button & 4 ? 2 : 0 ) ) );
-			}
-
-			return event;
-		}
-	},
-
-	fix: function( event ) {
-		if ( event[ jQuery.expando ] ) {
-			return event;
-		}
-
-		// Create a writable copy of the event object and normalize some properties
-		var i, prop,
-			originalEvent = event,
-			fixHook = jQuery.event.fixHooks[ event.type ] || {},
-			copy = fixHook.props ? this.props.concat( fixHook.props ) : this.props;
-
-		event = jQuery.Event( originalEvent );
-
-		for ( i = copy.length; i; ) {
-			prop = copy[ --i ];
-			event[ prop ] = originalEvent[ prop ];
-		}
-
-		// Fix target property, if necessary (#1925, IE 6/7/8 & Safari2)
-		if ( !event.target ) {
-			event.target = originalEvent.srcElement || document;
-		}
-
-		// Target should not be a text node (#504, Safari)
-		if ( event.target.nodeType === 3 ) {
-			event.target = event.target.parentNode;
-		}
-
-		// For mouse/key events; add metaKey if it's not there (#3368, IE6/7/8)
-		if ( event.metaKey === undefined ) {
-			event.metaKey = event.ctrlKey;
-		}
-
-		return fixHook.filter? fixHook.filter( event, originalEvent ) : event;
-	},
-
-	special: {
-		ready: {
-			// Make sure the ready event is setup
-			setup: jQuery.bindReady
-		},
-
-		load: {
-			// Prevent triggered image.load events from bubbling to window.load
-			noBubble: true
-		},
-
-		focus: {
-			delegateType: "focusin"
-		},
-		blur: {
-			delegateType: "focusout"
-		},
-
-		beforeunload: {
-			setup: function( data, namespaces, eventHandle ) {
-				// We only want to do this special case on windows
-				if ( jQuery.isWindow( this ) ) {
-					this.onbeforeunload = eventHandle;
-				}
-			},
-
-			teardown: function( namespaces, eventHandle ) {
-				if ( this.onbeforeunload === eventHandle ) {
-					this.onbeforeunload = null;
-				}
-			}
-		}
-	},
-
-	simulate: function( type, elem, event, bubble ) {
-		// Piggyback on a donor event to simulate a different one.
-		// Fake originalEvent to avoid donor's stopPropagation, but if the
-		// simulated event prevents default then we do the same on the donor.
-		var e = jQuery.extend(
-			new jQuery.Event(),
-			event,
-			{ type: type,
-				isSimulated: true,
-				originalEvent: {}
-			}
-		);
-		if ( bubble ) {
-			jQuery.event.trigger( e, null, elem );
-		} else {
-			jQuery.event.dispatch.call( elem, e );
-		}
-		if ( e.isDefaultPrevented() ) {
-			event.preventDefault();
-		}
-	}
-};
-
-// Some plugins are using, but it's undocumented/deprecated and will be removed.
-// The 1.7 special event interface should provide all the hooks needed now.
-jQuery.event.handle = jQuery.event.dispatch;
-
-jQuery.removeEvent = document.removeEventListener ?
-	function( elem, type, handle ) {
-		if ( elem.removeEventListener ) {
-			elem.removeEventListener( type, handle, false );
-		}
-	} :
-	function( elem, type, handle ) {
-		if ( elem.detachEvent ) {
-			elem.detachEvent( "on" + type, handle );
-		}
-	};
-
-jQuery.Event = function( src, props ) {
-	// Allow instantiation without the 'new' keyword
-	if ( !(this instanceof jQuery.Event) ) {
-		return new jQuery.Event( src, props );
-	}
-
-	// Event object
-	if ( src && src.type ) {
-		this.originalEvent = src;
-		this.type = src.type;
-
-		// Events bubbling up the document may have been marked as prevented
-		// by a handler lower down the tree; reflect the correct value.
-		this.isDefaultPrevented = ( src.defaultPrevented || src.returnValue === false ||
-			src.getPreventDefault && src.getPreventDefault() ) ? returnTrue : returnFalse;
-
-	// Event type
-	} else {
-		this.type = src;
-	}
-
-	// Put explicitly provided properties onto the event object
-	if ( props ) {
-		jQuery.extend( this, props );
-	}
-
-	// Create a timestamp if incoming event doesn't have one
-	this.timeStamp = src && src.timeStamp || jQuery.now();
-
-	// Mark it as fixed
-	this[ jQuery.expando ] = true;
-};
-
-function returnFalse() {
-	return false;
-}
-function returnTrue() {
-	return true;
-}
-
-// jQuery.Event is based on DOM3 Events as specified by the ECMAScript Language Binding
-// http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html
-jQuery.Event.prototype = {
-	preventDefault: function() {
-		this.isDefaultPrevented = returnTrue;
-
-		var e = this.originalEvent;
-		if ( !e ) {
-			return;
-		}
-
-		// if preventDefault exists run it on the original event
-		if ( e.preventDefault ) {
-			e.preventDefault();
-
-		// otherwise set the returnValue property of the original event to false (IE)
-		} else {
-			e.returnValue = false;
-		}
-	},
-	stopPropagation: function() {
-		this.isPropagationStopped = returnTrue;
-
-		var e = this.originalEvent;
-		if ( !e ) {
-			return;
-		}
-		// if stopPropagation exists run it on the original event
-		if ( e.stopPropagation ) {
-			e.stopPropagation();
-		}
-		// otherwise set the cancelBubble property of the original event to true (IE)
-		e.cancelBubble = true;
-	},
-	stopImmediatePropagation: function() {
-		this.isImmediatePropagationStopped = returnTrue;
-		this.stopPropagation();
-	},
-	isDefaultPrevented: returnFalse,
-	isPropagationStopped: returnFalse,
-	isImmediatePropagationStopped: returnFalse
-};
-
-// Create mouseenter/leave events using mouseover/out and event-time checks
-jQuery.each({
-	mouseenter: "mouseover",
-	mouseleave: "mouseout"
-}, function( orig, fix ) {
-	jQuery.event.special[ orig ] = {
-		delegateType: fix,
-		bindType: fix,
-
-		handle: function( event ) {
-			var target = this,
-				related = event.relatedTarget,
-				handleObj = event.handleObj,
-				selector = handleObj.selector,
-				ret;
-
-			// For mousenter/leave call the handler if related is outside the target.
-			// NB: No relatedTarget if the mouse left/entered the browser window
-			if ( !related || (related !== target && !jQuery.contains( target, related )) ) {
-				event.type = handleObj.origType;
-				ret = handleObj.handler.apply( this, arguments );
-				event.type = fix;
-			}
-			return ret;
-		}
-	};
-});
-
-// IE submit delegation
-if ( !jQuery.support.submitBubbles ) {
-
-	jQuery.event.special.submit = {
-		setup: function() {
-			// Only need this for delegated form submit events
-			if ( jQuery.nodeName( this, "form" ) ) {
-				return false;
-			}
-
-			// Lazy-add a submit handler when a descendant form may potentially be submitted
-			jQuery.event.add( this, "click._submit keypress._submit", function( e ) {
-				// Node name check avoids a VML-related crash in IE (#9807)
-				var elem = e.target,
-					form = jQuery.nodeName( elem, "input" ) || jQuery.nodeName( elem, "button" ) ? elem.form : undefined;
-				if ( form && !form._submit_attached ) {
-					jQuery.event.add( form, "submit._submit", function( event ) {
-						event._submit_bubble = true;
-					});
-					form._submit_attached = true;
-				}
-			});
-			// return undefined since we don't need an event listener
-		},
-		
-		postDispatch: function( event ) {
-			// If form was submitted by the user, bubble the event up the tree
-			if ( event._submit_bubble ) {
-				delete event._submit_bubble;
-				if ( this.parentNode && !event.isTrigger ) {
-					jQuery.event.simulate( "submit", this.parentNode, event, true );
-				}
-			}
-		},
-
-		teardown: function() {
-			// Only need this for delegated form submit events
-			if ( jQuery.nodeName( this, "form" ) ) {
-				return false;
-			}
-
-			// Remove delegated handlers; cleanData eventually reaps submit handlers attached above
-			jQuery.event.remove( this, "._submit" );
-		}
-	};
-}
-
-// IE change delegation and checkbox/radio fix
-if ( !jQuery.support.changeBubbles ) {
-
-	jQuery.event.special.change = {
-
-		setup: function() {
-
-			if ( rformElems.test( this.nodeName ) ) {
-				// IE doesn't fire change on a check/radio until blur; trigger it on click
-				// after a propertychange. Eat the blur-change in special.change.handle.
-				// This still fires onchange a second time for check/radio after blur.
-				if ( this.type === "checkbox" || this.type === "radio" ) {
-					jQuery.event.add( this, "propertychange._change", function( event ) {
-						if ( event.originalEvent.propertyName === "checked" ) {
-							this._just_changed = true;
-						}
-					});
-					jQuery.event.add( this, "click._change", function( event ) {
-						if ( this._just_changed && !event.isTrigger ) {
-							this._just_changed = false;
-							jQuery.event.simulate( "change", this, event, true );
-						}
-					});
-				}
-				return false;
-			}
-			// Delegated event; lazy-add a change handler on descendant inputs
-			jQuery.event.add( this, "beforeactivate._change", function( e ) {
-				var elem = e.target;
-
-				if ( rformElems.test( elem.nodeName ) && !elem._change_attached ) {
-					jQuery.event.add( elem, "change._change", function( event ) {
-						if ( this.parentNode && !event.isSimulated && !event.isTrigger ) {
-							jQuery.event.simulate( "change", this.parentNode, event, true );
-						}
-					});
-					elem._change_attached = true;
-				}
-			});
-		},
-
-		handle: function( event ) {
-			var elem = event.target;
-
-			// Swallow native change events from checkbox/radio, we already triggered them above
-			if ( this !== elem || event.isSimulated || event.isTrigger || (elem.type !== "radio" && elem.type !== "checkbox") ) {
-				return event.handleObj.handler.apply( this, arguments );
-			}
-		},
-
-		teardown: function() {
-			jQuery.event.remove( this, "._change" );
-
-			return rformElems.test( this.nodeName );
-		}
-	};
-}
-
-// Create "bubbling" focus and blur events
-if ( !jQuery.support.focusinBubbles ) {
-	jQuery.each({ focus: "focusin", blur: "focusout" }, function( orig, fix ) {
-
-		// Attach a single capturing handler while someone wants focusin/focusout
-		var attaches = 0,
-			handler = function( event ) {
-				jQuery.event.simulate( fix, event.target, jQuery.event.fix( event ), true );
-			};
-
-		jQuery.event.special[ fix ] = {
-			setup: function() {
-				if ( attaches++ === 0 ) {
-					document.addEventListener( orig, handler, true );
-				}
-			},
-			teardown: function() {
-				if ( --attaches === 0 ) {
-					document.removeEventListener( orig, handler, true );
-				}
-			}
-		};
-	});
-}
-
-jQuery.fn.extend({
-
-	on: function( types, selector, data, fn, /*INTERNAL*/ one ) {
-		var origFn, type;
-
-		// Types can be a map of types/handlers
-		if ( typeof types === "object" ) {
-			// ( types-Object, selector, data )
-			if ( typeof selector !== "string" ) { // && selector != null
-				// ( types-Object, data )
-				data = data || selector;
-				selector = undefined;
-			}
-			for ( type in types ) {
-				this.on( type, selector, data, types[ type ], one );
-			}
-			return this;
-		}
-
-		if ( data == null && fn == null ) {
-			// ( types, fn )
-			fn = selector;
-			data = selector = undefined;
-		} else if ( fn == null ) {
-			if ( typeof selector === "string" ) {
-				// ( types, selector, fn )
-				fn = data;
-				data = undefined;
-			} else {
-				// ( types, data, fn )
-				fn = data;
-				data = selector;
-				selector = undefined;
-			}
-		}
-		if ( fn === false ) {
-			fn = returnFalse;
-		} else if ( !fn ) {
-			return this;
-		}
-
-		if ( one === 1 ) {
-			origFn = fn;
-			fn = function( event ) {
-				// Can use an empty set, since event contains the info
-				jQuery().off( event );
-				return origFn.apply( this, arguments );
-			};
-			// Use same guid so caller can remove using origFn
-			fn.guid = origFn.guid || ( origFn.guid = jQuery.guid++ );
-		}
-		return this.each( function() {
-			jQuery.event.add( this, types, fn, data, selector );
-		});
-	},
-	one: function( types, selector, data, fn ) {
-		return this.on( types, selector, data, fn, 1 );
-	},
-	off: function( types, selector, fn ) {
-		if ( types && types.preventDefault && types.handleObj ) {
-			// ( event )  dispatched jQuery.Event
-			var handleObj = types.handleObj;
-			jQuery( types.delegateTarget ).off(
-				handleObj.namespace ? handleObj.origType + "." + handleObj.namespace : handleObj.origType,
-				handleObj.selector,
-				handleObj.handler
-			);
-			return this;
-		}
-		if ( typeof types === "object" ) {
-			// ( types-object [, selector] )
-			for ( var type in types ) {
-				this.off( type, selector, types[ type ] );
-			}
-			return this;
-		}
-		if ( selector === false || typeof selector === "function" ) {
-			// ( types [, fn] )
-			fn = selector;
-			selector = undefined;
-		}
-		if ( fn === false ) {
-			fn = returnFalse;
-		}
-		return this.each(function() {
-			jQuery.event.remove( this, types, fn, selector );
-		});
-	},
-
-	bind: function( types, data, fn ) {
-		return this.on( types, null, data, fn );
-	},
-	unbind: function( types, fn ) {
-		return this.off( types, null, fn );
-	},
-
-	live: function( types, data, fn ) {
-		jQuery( this.context ).on( types, this.selector, data, fn );
-		return this;
-	},
-	die: function( types, fn ) {
-		jQuery( this.context ).off( types, this.selector || "**", fn );
-		return this;
-	},
-
-	delegate: function( selector, types, data, fn ) {
-		return this.on( types, selector, data, fn );
-	},
-	undelegate: function( selector, types, fn ) {
-		// ( namespace ) or ( selector, types [, fn] )
-		return arguments.length == 1? this.off( selector, "**" ) : this.off( types, selector, fn );
-	},
-
-	trigger: function( type, data ) {
-		return this.each(function() {
-			jQuery.event.trigger( type, data, this );
-		});
-	},
-	triggerHandler: function( type, data ) {
-		if ( this[0] ) {
-			return jQuery.event.trigger( type, data, this[0], true );
-		}
-	},
-
-	toggle: function( fn ) {
-		// Save reference to arguments for access in closure
-		var args = arguments,
-			guid = fn.guid || jQuery.guid++,
-			i = 0,
-			toggler = function( event ) {
-				// Figure out which function to execute
-				var lastToggle = ( jQuery._data( this, "lastToggle" + fn.guid ) || 0 ) % i;
-				jQuery._data( this, "lastToggle" + fn.guid, lastToggle + 1 );
-
-				// Make sure that clicks stop
-				event.preventDefault();
-
-				// and execute the function
-				return args[ lastToggle ].apply( this, arguments ) || false;
-			};
-
-		// link all the functions, so any of them can unbind this click handler
-		toggler.guid = guid;
-		while ( i < args.length ) {
-			args[ i++ ].guid = guid;
-		}
-
-		return this.click( toggler );
-	},
-
-	hover: function( fnOver, fnOut ) {
-		return this.mouseenter( fnOver ).mouseleave( fnOut || fnOver );
-	}
-});
-
-jQuery.each( ("blur focus focusin focusout load resize scroll unload click dblclick " +
-	"mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave " +
-	"change select submit keydown keypress keyup error contextmenu").split(" "), function( i, name ) {
-
-	// Handle event binding
-	jQuery.fn[ name ] = function( data, fn ) {
-		if ( fn == null ) {
-			fn = data;
-			data = null;
-		}
-
-		return arguments.length > 0 ?
-			this.on( name, null, data, fn ) :
-			this.trigger( name );
-	};
-
-	if ( jQuery.attrFn ) {
-		jQuery.attrFn[ name ] = true;
-	}
-
-	if ( rkeyEvent.test( name ) ) {
-		jQuery.event.fixHooks[ name ] = jQuery.event.keyHooks;
-	}
-
-	if ( rmouseEvent.test( name ) ) {
-		jQuery.event.fixHooks[ name ] = jQuery.event.mouseHooks;
-	}
-});
-
-
-
-/*!
- * Sizzle CSS Selector Engine
- *  Copyright 2011, The Dojo Foundation
- *  Released under the MIT, BSD, and GPL Licenses.
- *  More information: http://sizzlejs.com/
- */
-(function(){
-
-var chunker = /((?:\((?:\([^()]+\)|[^()]+)+\)|\[(?:\[[^\[\]]*\]|['"][^'"]*['"]|[^\[\]'"]+)+\]|\\.|[^ >+~,(\[\\]+)+|[>+~])(\s*,\s*)?((?:.|\r|\n)*)/g,
-	expando = "sizcache" + (Math.random() + '').replace('.', ''),
-	done = 0,
-	toString = Object.prototype.toString,
-	hasDuplicate = false,
-	baseHasDuplicate = true,
-	rBackslash = /\\/g,
-	rReturn = /\r\n/g,
-	rNonWord = /\W/;
-
-// Here we check if the JavaScript engine is using some sort of
-// optimization where it does not always call our comparision
-// function. If that is the case, discard the hasDuplicate value.
-//   Thus far that includes Google Chrome.
-[0, 0].sort(function() {
-	baseHasDuplicate = false;
-	return 0;
-});
-
-var Sizzle = function( selector, context, results, seed ) {
-	results = results || [];
-	context = context || document;
-
-	var origContext = context;
-
-	if ( context.nodeType !== 1 && context.nodeType !== 9 ) {
-		return [];
-	}
-
-	if ( !selector || typeof selector !== "string" ) {
-		return results;
-	}
-
-	var m, set, checkSet, extra, ret, cur, pop, i,
-		prune = true,
-		contextXML = Sizzle.isXML( context ),
-		parts = [],
-		soFar = selector;
-
-	// Reset the position of the chunker regexp (start from head)
-	do {
-		chunker.exec( "" );
-		m = chunker.exec( soFar );
-
-		if ( m ) {
-			soFar = m[3];
-
-			parts.push( m[1] );
-
-			if ( m[2] ) {
-				extra = m[3];
-				break;
-			}
-		}
-	} while ( m );
-
-	if ( parts.length > 1 && origPOS.exec( selector ) ) {
-
-		if ( parts.length === 2 && Expr.relative[ parts[0] ] ) {
-			set = posProcess( parts[0] + parts[1], context, seed );
-
-		} else {
-			set = Expr.relative[ parts[0] ] ?
-				[ context ] :
-				Sizzle( parts.shift(), context );
-
-			while ( parts.length ) {
-				selector = parts.shift();
-
-				if ( Expr.relative[ selector ] ) {
-					selector += parts.shift();
-				}
-
-				set = posProcess( selector, set, seed );
-			}
-		}
-
-	} else {
-		// Take a shortcut and set the context if the root selector is an ID
-		// (but not if it'll be faster if the inner selector is an ID)
-		if ( !seed && parts.length > 1 && context.nodeType === 9 && !contextXML &&
-				Expr.match.ID.test(parts[0]) && !Expr.match.ID.test(parts[parts.length - 1]) ) {
-
-			ret = Sizzle.find( parts.shift(), context, contextXML );
-			context = ret.expr ?
-				Sizzle.filter( ret.expr, ret.set )[0] :
-				ret.set[0];
-		}
-
-		if ( context ) {
-			ret = seed ?
-				{ expr: parts.pop(), set: makeArray(seed) } :
-				Sizzle.find( parts.pop(), parts.length === 1 && (parts[0] === "~" || parts[0] === "+") && context.parentNode ? context.parentNode : context, contextXML );
-
-			set = ret.expr ?
-				Sizzle.filter( ret.expr, ret.set ) :
-				ret.set;
-
-			if ( parts.length > 0 ) {
-				checkSet = makeArray( set );
-
-			} else {
-				prune = false;
-			}
-
-			while ( parts.length ) {
-				cur = parts.pop();
-				pop = cur;
-
-				if ( !Expr.relative[ cur ] ) {
-					cur = "";
-				} else {
-					pop = parts.pop();
-				}
-
-				if ( pop == null ) {
-					pop = context;
-				}
-
-				Expr.relative[ cur ]( checkSet, pop, contextXML );
-			}
-
-		} else {
-			checkSet = parts = [];
-		}
-	}
-
-	if ( !checkSet ) {
-		checkSet = set;
-	}
-
-	if ( !checkSet ) {
-		Sizzle.error( cur || selector );
-	}
-
-	if ( toString.call(checkSet) === "[object Array]" ) {
-		if ( !prune ) {
-			results.push.apply( results, checkSet );
-
-		} else if ( context && context.nodeType === 1 ) {
-			for ( i = 0; checkSet[i] != null; i++ ) {
-				if ( checkSet[i] && (checkSet[i] === true || checkSet[i].nodeType === 1 && Sizzle.contains(context, checkSet[i])) ) {
-					results.push( set[i] );
-				}
-			}
-
-		} else {
-			for ( i = 0; checkSet[i] != null; i++ ) {
-				if ( checkSet[i] && checkSet[i].nodeType === 1 ) {
-					results.push( set[i] );
-				}
-			}
-		}
-
-	} else {
-		makeArray( checkSet, results );
-	}
-
-	if ( extra ) {
-		Sizzle( extra, origContext, results, seed );
-		Sizzle.uniqueSort( results );
-	}
-
-	return results;
-};
-
-Sizzle.uniqueSort = function( results ) {
-	if ( sortOrder ) {
-		hasDuplicate = baseHasDuplicate;
-		results.sort( sortOrder );
-
-		if ( hasDuplicate ) {
-			for ( var i = 1; i < results.length; i++ ) {
-				if ( results[i] === results[ i - 1 ] ) {
-					results.splice( i--, 1 );
-				}
-			}
-		}
-	}
-
-	return results;
-};
-
-Sizzle.matches = function( expr, set ) {
-	return Sizzle( expr, null, null, set );
-};
-
-Sizzle.matchesSelector = function( node, expr ) {
-	return Sizzle( expr, null, null, [node] ).length > 0;
-};
-
-Sizzle.find = function( expr, context, isXML ) {
-	var set, i, len, match, type, left;
-
-	if ( !expr ) {
-		return [];
-	}
-
-	for ( i = 0, len = Expr.order.length; i < len; i++ ) {
-		type = Expr.order[i];
-
-		if ( (match = Expr.leftMatch[ type ].exec( expr )) ) {
-			left = match[1];
-			match.splice( 1, 1 );
-
-			if ( left.substr( left.length - 1 ) !== "\\" ) {
-				match[1] = (match[1] || "").replace( rBackslash, "" );
-				set = Expr.find[ type ]( match, context, isXML );
-
-				if ( set != null ) {
-					expr = expr.replace( Expr.match[ type ], "" );
-					break;
-				}
-			}
-		}
-	}
-
-	if ( !set ) {
-		set = typeof context.getElementsByTagName !== "undefined" ?
-			context.getElementsByTagName( "*" ) :
-			[];
-	}
-
-	return { set: set, expr: expr };
-};
-
-Sizzle.filter = function( expr, set, inplace, not ) {
-	var match, anyFound,
-		type, found, item, filter, left,
-		i, pass,
-		old = expr,
-		result = [],
-		curLoop = set,
-		isXMLFilter = set && set[0] && Sizzle.isXML( set[0] );
-
-	while ( expr && set.length ) {
-		for ( type in Expr.filter ) {
-			if ( (match = Expr.leftMatch[ type ].exec( expr )) != null && match[2] ) {
-				filter = Expr.filter[ type ];
-				left = match[1];
-
-				anyFound = false;
-
-				match.splice(1,1);
-
-				if ( left.substr( left.length - 1 ) === "\\" ) {
-					continue;
-				}
-
-				if ( curLoop === result ) {
-					result = [];
-				}
-
-				if ( Expr.preFilter[ type ] ) {
-					match = Expr.preFilter[ type ]( match, curLoop, inplace, result, not, isXMLFilter );
-
-					if ( !match ) {
-						anyFound = found = true;
-
-					} else if ( match === true ) {
-						continue;
-					}
-				}
-
-				if ( match ) {
-					for ( i = 0; (item = curLoop[i]) != null; i++ ) {
-						if ( item ) {
-							found = filter( item, match, i, curLoop );
-							pass = not ^ found;
-
-							if ( inplace && found != null ) {
-								if ( pass ) {
-									anyFound = true;
-
-								} else {
-									curLoop[i] = false;
-								}
-
-							} else if ( pass ) {
-								result.push( item );
-								anyFound = true;
-							}
-						}
-					}
-				}
-
-				if ( found !== undefined ) {
-					if ( !inplace ) {
-						curLoop = result;
-					}
-
-					expr = expr.replace( Expr.match[ type ], "" );
-
-					if ( !anyFound ) {
-						return [];
-					}
-
-					break;
-				}
-			}
-		}
-
-		// Improper expression
-		if ( expr === old ) {
-			if ( anyFound == null ) {
-				Sizzle.error( expr );
-
-			} else {
-				break;
-			}
-		}
-
-		old = expr;
-	}
-
-	return curLoop;
-};
-
-Sizzle.error = function( msg ) {
-	throw new Error( "Syntax error, unrecognized expression: " + msg );
-};
-
-/**
- * Utility function for retreiving the text value of an array of DOM nodes
- * @param {Array|Element} elem
- */
-var getText = Sizzle.getText = function( elem ) {
-    var i, node,
-		nodeType = elem.nodeType,
-		ret = "";
-
-	if ( nodeType ) {
-		if ( nodeType === 1 || nodeType === 9 || nodeType === 11 ) {
-			// Use textContent || innerText for elements
-			if ( typeof elem.textContent === 'string' ) {
-				return elem.textContent;
-			} else if ( typeof elem.innerText === 'string' ) {
-				// Replace IE's carriage returns
-				return elem.innerText.replace( rReturn, '' );
-			} else {
-				// Traverse it's children
-				for ( elem = elem.firstChild; elem; elem = elem.nextSibling) {
-					ret += getText( elem );
-				}
-			}
-		} else if ( nodeType === 3 || nodeType === 4 ) {
-			return elem.nodeValue;
-		}
-	} else {
-
-		// If no nodeType, this is expected to be an array
-		for ( i = 0; (node = elem[i]); i++ ) {
-			// Do not traverse comment nodes
-			if ( node.nodeType !== 8 ) {
-				ret += getText( node );
-			}
-		}
-	}
-	return ret;
-};
-
-var Expr = Sizzle.selectors = {
-	order: [ "ID", "NAME", "TAG" ],
-
-	match: {
-		ID: /#((?:[\w\u00c0-\uFFFF\-]|\\.)+)/,
-		CLASS: /\.((?:[\w\u00c0-\uFFFF\-]|\\.)+)/,
-		NAME: /\[name=['"]*((?:[\w\u00c0-\uFFFF\-]|\\.)+)['"]*\]/,
-		ATTR: /\[\s*((?:[\w\u00c0-\uFFFF\-]|\\.)+)\s*(?:(\S?=)\s*(?:(['"])(.*?)\3|(#?(?:[\w\u00c0-\uFFFF\-]|\\.)*)|)|)\s*\]/,
-		TAG: /^((?:[\w\u00c0-\uFFFF\*\-]|\\.)+)/,
-		CHILD: /:(only|nth|last|first)-child(?:\(\s*(even|odd|(?:[+\-]?\d+|(?:[+\-]?\d*)?n\s*(?:[+\-]\s*\d+)?))\s*\))?/,
-		POS: /:(nth|eq|gt|lt|first|last|even|odd)(?:\((\d*)\))?(?=[^\-]|$)/,
-		PSEUDO: /:((?:[\w\u00c0-\uFFFF\-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/
-	},
-
-	leftMatch: {},
-
-	attrMap: {
-		"class": "className",
-		"for": "htmlFor"
-	},
-
-	attrHandle: {
-		href: function( elem ) {
-			return elem.getAttribute( "href" );
-		},
-		type: function( elem ) {
-			return elem.getAttribute( "type" );
-		}
-	},
-
-	relative: {
-		"+": function(checkSet, part){
-			var isPartStr = typeof part === "string",
-				isTag = isPartStr && !rNonWord.test( part ),
-				isPartStrNotTag = isPartStr && !isTag;
-
-			if ( isTag ) {
-				part = part.toLowerCase();
-			}
-
-			for ( var i = 0, l = checkSet.length, elem; i < l; i++ ) {
-				if ( (elem = checkSet[i]) ) {
-					while ( (elem = elem.previousSibling) && elem.nodeType !== 1 ) {}
-
-					checkSet[i] = isPartStrNotTag || elem && elem.nodeName.toLowerCase() === part ?
-						elem || false :
-						elem === part;
-				}
-			}
-
-			if ( isPartStrNotTag ) {
-				Sizzle.filter( part, checkSet, true );
-			}
-		},
-
-		">": function( checkSet, part ) {
-			var elem,
-				isPartStr = typeof part === "string",
-				i = 0,
-				l = checkSet.length;
-
-			if ( isPartStr && !rNonWord.test( part ) ) {
-				part = part.toLowerCase();
-
-				for ( ; i < l; i++ ) {
-					elem = checkSet[i];
-
-					if ( elem ) {
-						var parent = elem.parentNode;
-						checkSet[i] = parent.nodeName.toLowerCase() === part ? parent : false;
-					}
-				}
-
-			} else {
-				for ( ; i < l; i++ ) {
-					elem = checkSet[i];
-
-					if ( elem ) {
-						checkSet[i] = isPartStr ?
-							elem.parentNode :
-							elem.parentNode === part;
-					}
-				}
-
-				if ( isPartStr ) {
-					Sizzle.filter( part, checkSet, true );
-				}
-			}
-		},
-
-		"": function(checkSet, part, isXML){
-			var nodeCheck,
-				doneName = done++,
-				checkFn = dirCheck;
-
-			if ( typeof part === "string" && !rNonWord.test( part ) ) {
-				part = part.toLowerCase();
-				nodeCheck = part;
-				checkFn = dirNodeCheck;
-			}
-
-			checkFn( "parentNode", part, doneName, checkSet, nodeCheck, isXML );
-		},
-
-		"~": function( checkSet, part, isXML ) {
-			var nodeCheck,
-				doneName = done++,
-				checkFn = dirCheck;
-
-			if ( typeof part === "string" && !rNonWord.test( part ) ) {
-				part = part.toLowerCase();
-				nodeCheck = part;
-				checkFn = dirNodeCheck;
-			}
-
-			checkFn( "previousSibling", part, doneName, checkSet, nodeCheck, isXML );
-		}
-	},
-
-	find: {
-		ID: function( match, context, isXML ) {
-			if ( typeof context.getElementById !== "undefined" && !isXML ) {
-				var m = context.getElementById(match[1]);
-				// Check parentNode to catch when Blackberry 4.6 returns
-				// nodes that are no longer in the document #6963
-				return m && m.parentNode ? [m] : [];
-			}
-		},
-
-		NAME: function( match, context ) {
-			if ( typeof context.getElementsByName !== "undefined" ) {
-				var ret = [],
-					results = context.getElementsByName( match[1] );
-
-				for ( var i = 0, l = results.length; i < l; i++ ) {
-					if ( results[i].getAttribute("name") === match[1] ) {
-						ret.push( results[i] );
-					}
-				}
-
-				return ret.length === 0 ? null : ret;
-			}
-		},
-
-		TAG: function( match, context ) {
-			if ( typeof context.getElementsByTagName !== "undefined" ) {
-				return context.getElementsByTagName( match[1] );
-			}
-		}
-	},
-	preFilter: {
-		CLASS: function( match, curLoop, inplace, result, not, isXML ) {
-			match = " " + match[1].replace( rBackslash, "" ) + " ";
-
-			if ( isXML ) {
-				return match;
-			}
-
-			for ( var i = 0, elem; (elem = curLoop[i]) != null; i++ ) {
-				if ( elem ) {
-					if ( not ^ (elem.className && (" " + elem.className + " ").replace(/[\t\n\r]/g, " ").indexOf(match) >= 0) ) {
-						if ( !inplace ) {
-							result.push( elem );
-						}
-
-					} else if ( inplace ) {
-						curLoop[i] = false;
-					}
-				}
-			}
-
-			return false;
-		},
-
-		ID: function( match ) {
-			return match[1].replace( rBackslash, "" );
-		},
-
-		TAG: function( match, curLoop ) {
-			return match[1].replace( rBackslash, "" ).toLowerCase();
-		},
-
-		CHILD: function( match ) {
-			if ( match[1] === "nth" ) {
-				if ( !match[2] ) {
-					Sizzle.error( match[0] );
-				}
-
-				match[2] = match[2].replace(/^\+|\s*/g, '');
-
-				// parse equations like 'even', 'odd', '5', '2n', '3n+2', '4n-1', '-n+6'
-				var test = /(-?)(\d*)(?:n([+\-]?\d*))?/.exec(
-					match[2] === "even" && "2n" || match[2] === "odd" && "2n+1" ||
-					!/\D/.test( match[2] ) && "0n+" + match[2] || match[2]);
-
-				// calculate the numbers (first)n+(last) including if they are negative
-				match[2] = (test[1] + (test[2] || 1)) - 0;
-				match[3] = test[3] - 0;
-			}
-			else if ( match[2] ) {
-				Sizzle.error( match[0] );
-			}
-
-			// TODO: Move to normal caching system
-			match[0] = done++;
-
-			return match;
-		},
-
-		ATTR: function( match, curLoop, inplace, result, not, isXML ) {
-			var name = match[1] = match[1].replace( rBackslash, "" );
-
-			if ( !isXML && Expr.attrMap[name] ) {
-				match[1] = Expr.attrMap[name];
-			}
-
-			// Handle if an un-quoted value was used
-			match[4] = ( match[4] || match[5] || "" ).replace( rBackslash, "" );
-
-			if ( match[2] === "~=" ) {
-				match[4] = " " + match[4] + " ";
-			}
-
-			return match;
-		},
-
-		PSEUDO: function( match, curLoop, inplace, result, not ) {
-			if ( match[1] === "not" ) {
-				// If we're dealing with a complex expression, or a simple one
-				if ( ( chunker.exec(match[3]) || "" ).length > 1 || /^\w/.test(match[3]) ) {
-					match[3] = Sizzle(match[3], null, null, curLoop);
-
-				} else {
-					var ret = Sizzle.filter(match[3], curLoop, inplace, true ^ not);
-
-					if ( !inplace ) {
-						result.push.apply( result, ret );
-					}
-
-					return false;
-				}
-
-			} else if ( Expr.match.POS.test( match[0] ) || Expr.match.CHILD.test( match[0] ) ) {
-				return true;
-			}
-
-			return match;
-		},
-
-		POS: function( match ) {
-			match.unshift( true );
-
-			return match;
-		}
-	},
-
-	filters: {
-		enabled: function( elem ) {
-			return elem.disabled === false && elem.type !== "hidden";
-		},
-
-		disabled: function( elem ) {
-			return elem.disabled === true;
-		},
-
-		checked: function( elem ) {
-			return elem.checked === true;
-		},
-
-		selected: function( elem ) {
-			// Accessing this property makes selected-by-default
-			// options in Safari work properly
-			if ( elem.parentNode ) {
-				elem.parentNode.selectedIndex;
-			}
-
-			return elem.selected === true;
-		},
-
-		parent: function( elem ) {
-			return !!elem.firstChild;
-		},
-
-		empty: function( elem ) {
-			return !elem.firstChild;
-		},
-
-		has: function( elem, i, match ) {
-			return !!Sizzle( match[3], elem ).length;
-		},
-
-		header: function( elem ) {
-			return (/h\d/i).test( elem.nodeName );
-		},
-
-		text: function( elem ) {
-			var attr = elem.getAttribute( "type" ), type = elem.type;
-			// IE6 and 7 will map elem.type to 'text' for new HTML5 types (search, etc)
-			// use getAttribute instead to test this case
-			return elem.nodeName.toLowerCase() === "input" && "text" === type && ( attr === type || attr === null );
-		},
-
-		radio: function( elem ) {
-			return elem.nodeName.toLowerCase() === "input" && "radio" === elem.type;
-		},
-
-		checkbox: function( elem ) {
-			return elem.nodeName.toLowerCase() === "input" && "checkbox" === elem.type;
-		},
-
-		file: function( elem ) {
-			return elem.nodeName.toLowerCase() === "input" && "file" === elem.type;
-		},
-
-		password: function( elem ) {
-			return elem.nodeName.toLowerCase() === "input" && "password" === elem.type;
-		},
-
-		submit: function( elem ) {
-			var name = elem.nodeName.toLowerCase();
-			return (name === "input" || name === "button") && "submit" === elem.type;
-		},
-
-		image: function( elem ) {
-			return elem.nodeName.toLowerCase() === "input" && "image" === elem.type;
-		},
-
-		reset: function( elem ) {
-			var name = elem.nodeName.toLowerCase();
-			return (name === "input" || name === "button") && "reset" === elem.type;
-		},
-
-		button: function( elem ) {
-			var name = elem.nodeName.toLowerCase();
-			return name === "input" && "button" === elem.type || name === "button";
-		},
-
-		input: function( elem ) {
-			return (/input|select|textarea|button/i).test( elem.nodeName );
-		},
-
-		focus: function( elem ) {
-			return elem === elem.ownerDocument.activeElement;
-		}
-	},
-	setFilters: {
-		first: function( elem, i ) {
-			return i === 0;
-		},
-
-		last: function( elem, i, match, array ) {
-			return i === array.length - 1;
-		},
-
-		even: function( elem, i ) {
-			return i % 2 === 0;
-		},
-
-		odd: function( elem, i ) {
-			return i % 2 === 1;
-		},
-
-		lt: function( elem, i, match ) {
-			return i < match[3] - 0;
-		},
-
-		gt: function( elem, i, match ) {
-			return i > match[3] - 0;
-		},
-
-		nth: function( elem, i, match ) {
-			return match[3] - 0 === i;
-		},
-
-		eq: function( elem, i, match ) {
-			return match[3] - 0 === i;
-		}
-	},
-	filter: {
-		PSEUDO: function( elem, match, i, array ) {
-			var name = match[1],
-				filter = Expr.filters[ name ];
-
-			if ( filter ) {
-				return filter( elem, i, match, array );
-
-			} else if ( name === "contains" ) {
-				return (elem.textContent || elem.innerText || getText([ elem ]) || "").indexOf(match[3]) >= 0;
-
-			} else if ( name === "not" ) {
-				var not = match[3];
-
-				for ( var j = 0, l = not.length; j < l; j++ ) {
-					if ( not[j] === elem ) {
-						return false;
-					}
-				}
-
-				return true;
-
-			} else {
-				Sizzle.error( name );
-			}
-		},
-
-		CHILD: function( elem, match ) {
-			var first, last,
-				doneName, parent, cache,
-				count, diff,
-				type = match[1],
-				node = elem;
-
-			switch ( type ) {
-				case "only":
-				case "first":
-					while ( (node = node.previousSibling) ) {
-						if ( node.nodeType === 1 ) {
-							return false;
-						}
-					}
-
-					if ( type === "first" ) {
-						return true;
-					}
-
-					node = elem;
-
-					/* falls through */
-				case "last":
-					while ( (node = node.nextSibling) ) {
-						if ( node.nodeType === 1 ) {
-							return false;
-						}
-					}
-
-					return true;
-
-				case "nth":
-					first = match[2];
-					last = match[3];
-
-					if ( first === 1 && last === 0 ) {
-						return true;
-					}
-
-					doneName = match[0];
-					parent = elem.parentNode;
-
-					if ( parent && (parent[ expando ] !== doneName || !elem.nodeIndex) ) {
-						count = 0;
-
-						for ( node = parent.firstChild; node; node = node.nextSibling ) {
-							if ( node.nodeType === 1 ) {
-								node.nodeIndex = ++count;
-							}
-						}
-
-						parent[ expando ] = doneName;
-					}
-
-					diff = elem.nodeIndex - last;
-
-					if ( first === 0 ) {
-						return diff === 0;
-
-					} else {
-						return ( diff % first === 0 && diff / first >= 0 );
-					}
-			}
-		},
-
-		ID: function( elem, match ) {
-			return elem.nodeType === 1 && elem.getAttribute("id") === match;
-		},
-
-		TAG: function( elem, match ) {
-			return (match === "*" && elem.nodeType === 1) || !!elem.nodeName && elem.nodeName.toLowerCase() === match;
-		},
-
-		CLASS: function( elem, match ) {
-			return (" " + (elem.className || elem.getAttribute("class")) + " ")
-				.indexOf( match ) > -1;
-		},
-
-		ATTR: function( elem, match ) {
-			var name = match[1],
-				result = Sizzle.attr ?
-					Sizzle.attr( elem, name ) :
-					Expr.attrHandle[ name ] ?
-					Expr.attrHandle[ name ]( elem ) :
-					elem[ name ] != null ?
-						elem[ name ] :
-						elem.getAttribute( name ),
-				value = result + "",
-				type = match[2],
-				check = match[4];
-
-			return result == null ?
-				type === "!=" :
-				!type && Sizzle.attr ?
-				result != null :
-				type === "=" ?
-				value === check :
-				type === "*=" ?
-				value.indexOf(check) >= 0 :
-				type === "~=" ?
-				(" " + value + " ").indexOf(check) >= 0 :
-				!check ?
-				value && result !== false :
-				type === "!=" ?
-				value !== check :
-				type === "^=" ?
-				value.indexOf(check) === 0 :
-				type === "$=" ?
-				value.substr(value.length - check.length) === check :
-				type === "|=" ?
-				value === check || value.substr(0, check.length + 1) === check + "-" :
-				false;
-		},
-
-		POS: function( elem, match, i, array ) {
-			var name = match[2],
-				filter = Expr.setFilters[ name ];
-
-			if ( filter ) {
-				return filter( elem, i, match, array );
-			}
-		}
-	}
-};
-
-var origPOS = Expr.match.POS,
-	fescape = function(all, num){
-		return "\\" + (num - 0 + 1);
-	};
-
-for ( var type in Expr.match ) {
-	Expr.match[ type ] = new RegExp( Expr.match[ type ].source + (/(?![^\[]*\])(?![^\(]*\))/.source) );
-	Expr.leftMatch[ type ] = new RegExp( /(^(?:.|\r|\n)*?)/.source + Expr.match[ type ].source.replace(/\\(\d+)/g, fescape) );
-}
-// Expose origPOS
-// "global" as in regardless of relation to brackets/parens
-Expr.match.globalPOS = origPOS;
-
-var makeArray = function( array, results ) {
-	array = Array.prototype.slice.call( array, 0 );
-
-	if ( results ) {
-		results.push.apply( results, array );
-		return results;
-	}
-
-	return array;
-};
-
-// Perform a simple check to determine if the browser is capable of
-// converting a NodeList to an array using builtin methods.
-// Also verifies that the returned array holds DOM nodes
-// (which is not the case in the Blackberry browser)
-try {
-	Array.prototype.slice.call( document.documentElement.childNodes, 0 )[0].nodeType;
-
-// Provide a fallback method if it does not work
-} catch( e ) {
-	makeArray = function( array, results ) {
-		var i = 0,
-			ret = results || [];
-
-		if ( toString.call(array) === "[object Array]" ) {
-			Array.prototype.push.apply( ret, array );
-
-		} else {
-			if ( typeof array.length === "number" ) {
-				for ( var l = array.length; i < l; i++ ) {
-					ret.push( array[i] );
-				}
-
-			} else {
-				for ( ; array[i]; i++ ) {
-					ret.push( array[i] );
-				}
-			}
-		}
-
-		return ret;
-	};
-}
-
-var sortOrder, siblingCheck;
-
-if ( document.documentElement.compareDocumentPosition ) {
-	sortOrder = function( a, b ) {
-		if ( a === b ) {
-			hasDuplicate = true;
-			return 0;
-		}
-
-		if ( !a.compareDocumentPosition || !b.compareDocumentPosition ) {
-			return a.compareDocumentPosition ? -1 : 1;
-		}
-
-		return a.compareDocumentPosition(b) & 4 ? -1 : 1;
-	};
-
-} else {
-	sortOrder = function( a, b ) {
-		// The nodes are identical, we can exit early
-		if ( a === b ) {
-			hasDuplicate = true;
-			return 0;
-
-		// Fallback to using sourceIndex (in IE) if it's available on both nodes
-		} else if ( a.sourceIndex && b.sourceIndex ) {
-			return a.sourceIndex - b.sourceIndex;
-		}
-
-		var al, bl,
-			ap = [],
-			bp = [],
-			aup = a.parentNode,
-			bup = b.parentNode,
-			cur = aup;
-
-		// If the nodes are siblings (or identical) we can do a quick check
-		if ( aup === bup ) {
-			return siblingCheck( a, b );
-
-		// If no parents were found then the nodes are disconnected
-		} else if ( !aup ) {
-			return -1;
-
-		} else if ( !bup ) {
-			return 1;
-		}
-
-		// Otherwise they're somewhere else in the tree so we need
-		// to build up a full list of the parentNodes for comparison
-		while ( cur ) {
-			ap.unshift( cur );
-			cur = cur.parentNode;
-		}
-
-		cur = bup;
-
-		while ( cur ) {
-			bp.unshift( cur );
-			cur = cur.parentNode;
-		}
-
-		al = ap.length;
-		bl = bp.length;
-
-		// Start walking down the tree looking for a discrepancy
-		for ( var i = 0; i < al && i < bl; i++ ) {
-			if ( ap[i] !== bp[i] ) {
-				return siblingCheck( ap[i], bp[i] );
-			}
-		}
-
-		// We ended someplace up the tree so do a sibling check
-		return i === al ?
-			siblingCheck( a, bp[i], -1 ) :
-			siblingCheck( ap[i], b, 1 );
-	};
-
-	siblingCheck = function( a, b, ret ) {
-		if ( a === b ) {
-			return ret;
-		}
-
-		var cur = a.nextSibling;
-
-		while ( cur ) {
-			if ( cur === b ) {
-				return -1;
-			}
-
-			cur = cur.nextSibling;
-		}
-
-		return 1;
-	};
-}
-
-// Check to see if the browser returns elements by name when
-// querying by getElementById (and provide a workaround)
-(function(){
-	// We're going to inject a fake input element with a specified name
-	var form = document.createElement("div"),
-		id = "script" + (new Date()).getTime(),
-		root = document.documentElement;
-
-	form.innerHTML = "";
-
-	// Inject it into the root element, check its status, and remove it quickly
-	root.insertBefore( form, root.firstChild );
-
-	// The workaround has to do additional checks after a getElementById
-	// Which slows things down for other browsers (hence the branching)
-	if ( document.getElementById( id ) ) {
-		Expr.find.ID = function( match, context, isXML ) {
-			if ( typeof context.getElementById !== "undefined" && !isXML ) {
-				var m = context.getElementById(match[1]);
-
-				return m ?
-					m.id === match[1] || typeof m.getAttributeNode !== "undefined" && m.getAttributeNode("id").nodeValue === match[1] ?
-						[m] :
-						undefined :
-					[];
-			}
-		};
-
-		Expr.filter.ID = function( elem, match ) {
-			var node = typeof elem.getAttributeNode !== "undefined" && elem.getAttributeNode("id");
-
-			return elem.nodeType === 1 && node && node.nodeValue === match;
-		};
-	}
-
-	root.removeChild( form );
-
-	// release memory in IE
-	root = form = null;
-})();
-
-(function(){
-	// Check to see if the browser returns only elements
-	// when doing getElementsByTagName("*")
-
-	// Create a fake element
-	var div = document.createElement("div");
-	div.appendChild( document.createComment("") );
-
-	// Make sure no comments are found
-	if ( div.getElementsByTagName("*").length > 0 ) {
-		Expr.find.TAG = function( match, context ) {
-			var results = context.getElementsByTagName( match[1] );
-
-			// Filter out possible comments
-			if ( match[1] === "*" ) {
-				var tmp = [];
-
-				for ( var i = 0; results[i]; i++ ) {
-					if ( results[i].nodeType === 1 ) {
-						tmp.push( results[i] );
-					}
-				}
-
-				results = tmp;
-			}
-
-			return results;
-		};
-	}
-
-	// Check to see if an attribute returns normalized href attributes
-	div.innerHTML = "";
-
-	if ( div.firstChild && typeof div.firstChild.getAttribute !== "undefined" &&
-			div.firstChild.getAttribute("href") !== "#" ) {
-
-		Expr.attrHandle.href = function( elem ) {
-			return elem.getAttribute( "href", 2 );
-		};
-	}
-
-	// release memory in IE
-	div = null;
-})();
-
-if ( document.querySelectorAll ) {
-	(function(){
-		var oldSizzle = Sizzle,
-			div = document.createElement("div"),
-			id = "__sizzle__";
-
-		div.innerHTML = "
    ";
-
-		// Safari can't handle uppercase or unicode characters when
-		// in quirks mode.
-		if ( div.querySelectorAll && div.querySelectorAll(".TEST").length === 0 ) {
-			return;
-		}
-
-		Sizzle = function( query, context, extra, seed ) {
-			context = context || document;
-
-			// Only use querySelectorAll on non-XML documents
-			// (ID selectors don't work in non-HTML documents)
-			if ( !seed && !Sizzle.isXML(context) ) {
-				// See if we find a selector to speed up
-				var match = /^(\w+$)|^\.([\w\-]+$)|^#([\w\-]+$)/.exec( query );
-
-				if ( match && (context.nodeType === 1 || context.nodeType === 9) ) {
-					// Speed-up: Sizzle("TAG")
-					if ( match[1] ) {
-						return makeArray( context.getElementsByTagName( query ), extra );
-
-					// Speed-up: Sizzle(".CLASS")
-					} else if ( match[2] && Expr.find.CLASS && context.getElementsByMethodName ) {
-						return makeArray( context.getElementsByMethodName( match[2] ), extra );
-					}
-				}
-
-				if ( context.nodeType === 9 ) {
-					// Speed-up: Sizzle("body")
-					// The body element only exists once, optimize finding it
-					if ( query === "body" && context.body ) {
-						return makeArray( [ context.body ], extra );
-
-					// Speed-up: Sizzle("#ID")
-					} else if ( match && match[3] ) {
-						var elem = context.getElementById( match[3] );
-
-						// Check parentNode to catch when Blackberry 4.6 returns
-						// nodes that are no longer in the document #6963
-						if ( elem && elem.parentNode ) {
-							// Handle the case where IE and Opera return items
-							// by name instead of ID
-							if ( elem.id === match[3] ) {
-								return makeArray( [ elem ], extra );
-							}
-
-						} else {
-							return makeArray( [], extra );
-						}
-					}
-
-					try {
-						return makeArray( context.querySelectorAll(query), extra );
-					} catch(qsaError) {}
-
-				// qSA works strangely on Element-rooted queries
-				// We can work around this by specifying an extra ID on the root
-				// and working up from there (Thanks to Andrew Dupont for the technique)
-				// IE 8 doesn't work on object elements
-				} else if ( context.nodeType === 1 && context.nodeName.toLowerCase() !== "object" ) {
-					var oldContext = context,
-						old = context.getAttribute( "id" ),
-						nid = old || id,
-						hasParent = context.parentNode,
-						relativeHierarchySelector = /^\s*[+~]/.test( query );
-
-					if ( !old ) {
-						context.setAttribute( "id", nid );
-					} else {
-						nid = nid.replace( /'/g, "\\$&" );
-					}
-					if ( relativeHierarchySelector && hasParent ) {
-						context = context.parentNode;
-					}
-
-					try {
-						if ( !relativeHierarchySelector || hasParent ) {
-							return makeArray( context.querySelectorAll( "[id='" + nid + "'] " + query ), extra );
-						}
-
-					} catch(pseudoError) {
-					} finally {
-						if ( !old ) {
-							oldContext.removeAttribute( "id" );
-						}
-					}
-				}
-			}
-
-			return oldSizzle(query, context, extra, seed);
-		};
-
-		for ( var prop in oldSizzle ) {
-			Sizzle[ prop ] = oldSizzle[ prop ];
-		}
-
-		// release memory in IE
-		div = null;
-	})();
-}
-
-(function(){
-	var html = document.documentElement,
-		matches = html.matchesSelector || html.mozMatchesSelector || html.webkitMatchesSelector || html.msMatchesSelector;
-
-	if ( matches ) {
-		// Check to see if it's possible to do matchesSelector
-		// on a disconnected node (IE 9 fails this)
-		var disconnectedMatch = !matches.call( document.createElement( "div" ), "div" ),
-			pseudoWorks = false;
-
-		try {
-			// This should fail with an exception
-			// Gecko does not error, returns false instead
-			matches.call( document.documentElement, "[test!='']:sizzle" );
-
-		} catch( pseudoError ) {
-			pseudoWorks = true;
-		}
-
-		Sizzle.matchesSelector = function( node, expr ) {
-			// Make sure that attribute selectors are quoted
-			expr = expr.replace(/\=\s*([^'"\]]*)\s*\]/g, "='$1']");
-
-			if ( !Sizzle.isXML( node ) ) {
-				try {
-					if ( pseudoWorks || !Expr.match.PSEUDO.test( expr ) && !/!=/.test( expr ) ) {
-						var ret = matches.call( node, expr );
-
-						// IE 9's matchesSelector returns false on disconnected nodes
-						if ( ret || !disconnectedMatch ||
-								// As well, disconnected nodes are said to be in a document
-								// fragment in IE 9, so check for that
-								node.document && node.document.nodeType !== 11 ) {
-							return ret;
-						}
-					}
-				} catch(e) {}
-			}
-
-			return Sizzle(expr, null, null, [node]).length > 0;
-		};
-	}
-})();
-
-(function(){
-	var div = document.createElement("div");
-
-	div.innerHTML = "
    ";
-
-	// Opera can't find a second classname (in 9.6)
-	// Also, make sure that getElementsByMethodName actually exists
-	if ( !div.getElementsByMethodName || div.getElementsByMethodName("e").length === 0 ) {
-		return;
-	}
-
-	// Safari caches class attributes, doesn't catch changes (in 3.2)
-	div.lastChild.className = "e";
-
-	if ( div.getElementsByMethodName("e").length === 1 ) {
-		return;
-	}
-
-	Expr.order.splice(1, 0, "CLASS");
-	Expr.find.CLASS = function( match, context, isXML ) {
-		if ( typeof context.getElementsByMethodName !== "undefined" && !isXML ) {
-			return context.getElementsByMethodName(match[1]);
-		}
-	};
-
-	// release memory in IE
-	div = null;
-})();
-
-function dirNodeCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) {
-	for ( var i = 0, l = checkSet.length; i < l; i++ ) {
-		var elem = checkSet[i];
-
-		if ( elem ) {
-			var match = false;
-
-			elem = elem[dir];
-
-			while ( elem ) {
-				if ( elem[ expando ] === doneName ) {
-					match = checkSet[elem.sizset];
-					break;
-				}
-
-				if ( elem.nodeType === 1 && !isXML ){
-					elem[ expando ] = doneName;
-					elem.sizset = i;
-				}
-
-				if ( elem.nodeName.toLowerCase() === cur ) {
-					match = elem;
-					break;
-				}
-
-				elem = elem[dir];
-			}
-
-			checkSet[i] = match;
-		}
-	}
-}
-
-function dirCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) {
-	for ( var i = 0, l = checkSet.length; i < l; i++ ) {
-		var elem = checkSet[i];
-
-		if ( elem ) {
-			var match = false;
-
-			elem = elem[dir];
-
-			while ( elem ) {
-				if ( elem[ expando ] === doneName ) {
-					match = checkSet[elem.sizset];
-					break;
-				}
-
-				if ( elem.nodeType === 1 ) {
-					if ( !isXML ) {
-						elem[ expando ] = doneName;
-						elem.sizset = i;
-					}
-
-					if ( typeof cur !== "string" ) {
-						if ( elem === cur ) {
-							match = true;
-							break;
-						}
-
-					} else if ( Sizzle.filter( cur, [elem] ).length > 0 ) {
-						match = elem;
-						break;
-					}
-				}
-
-				elem = elem[dir];
-			}
-
-			checkSet[i] = match;
-		}
-	}
-}
-
-if ( document.documentElement.contains ) {
-	Sizzle.contains = function( a, b ) {
-		return a !== b && (a.contains ? a.contains(b) : true);
-	};
-
-} else if ( document.documentElement.compareDocumentPosition ) {
-	Sizzle.contains = function( a, b ) {
-		return !!(a.compareDocumentPosition(b) & 16);
-	};
-
-} else {
-	Sizzle.contains = function() {
-		return false;
-	};
-}
-
-Sizzle.isXML = function( elem ) {
-	// documentElement is verified for cases where it doesn't yet exist
-	// (such as loading iframes in IE - #4833)
-	var documentElement = (elem ? elem.ownerDocument || elem : 0).documentElement;
-
-	return documentElement ? documentElement.nodeName !== "HTML" : false;
-};
-
-var posProcess = function( selector, context, seed ) {
-	var match,
-		tmpSet = [],
-		later = "",
-		root = context.nodeType ? [context] : context;
-
-	// Position selectors must be done after the filter
-	// And so must :not(positional) so we move all PSEUDOs to the end
-	while ( (match = Expr.match.PSEUDO.exec( selector )) ) {
-		later += match[0];
-		selector = selector.replace( Expr.match.PSEUDO, "" );
-	}
-
-	selector = Expr.relative[selector] ? selector + "*" : selector;
-
-	for ( var i = 0, l = root.length; i < l; i++ ) {
-		Sizzle( selector, root[i], tmpSet, seed );
-	}
-
-	return Sizzle.filter( later, tmpSet );
-};
-
-// EXPOSE
-// Override sizzle attribute retrieval
-Sizzle.attr = jQuery.attr;
-Sizzle.selectors.attrMap = {};
-jQuery.find = Sizzle;
-jQuery.expr = Sizzle.selectors;
-jQuery.expr[":"] = jQuery.expr.filters;
-jQuery.unique = Sizzle.uniqueSort;
-jQuery.text = Sizzle.getText;
-jQuery.isXMLDoc = Sizzle.isXML;
-jQuery.contains = Sizzle.contains;
-
-
-})();
-
-
-var runtil = /Until$/,
-	rparentsprev = /^(?:parents|prevUntil|prevAll)/,
-	// Note: This RegExp should be improved, or likely pulled from Sizzle
-	rmultiselector = /,/,
-	isSimple = /^.[^:#\[\.,]*$/,
-	slice = Array.prototype.slice,
-	POS = jQuery.expr.match.globalPOS,
-	// methods guaranteed to produce a unique set when starting from a unique set
-	guaranteedUnique = {
-		children: true,
-		contents: true,
-		next: true,
-		prev: true
-	};
-
-jQuery.fn.extend({
-	find: function( selector ) {
-		var self = this,
-			i, l;
-
-		if ( typeof selector !== "string" ) {
-			return jQuery( selector ).filter(function() {
-				for ( i = 0, l = self.length; i < l; i++ ) {
-					if ( jQuery.contains( self[ i ], this ) ) {
-						return true;
-					}
-				}
-			});
-		}
-
-		var ret = this.pushStack( "", "find", selector ),
-			length, n, r;
-
-		for ( i = 0, l = this.length; i < l; i++ ) {
-			length = ret.length;
-			jQuery.find( selector, this[i], ret );
-
-			if ( i > 0 ) {
-				// Make sure that the results are unique
-				for ( n = length; n < ret.length; n++ ) {
-					for ( r = 0; r < length; r++ ) {
-						if ( ret[r] === ret[n] ) {
-							ret.splice(n--, 1);
-							break;
-						}
-					}
-				}
-			}
-		}
-
-		return ret;
-	},
-
-	has: function( target ) {
-		var targets = jQuery( target );
-		return this.filter(function() {
-			for ( var i = 0, l = targets.length; i < l; i++ ) {
-				if ( jQuery.contains( this, targets[i] ) ) {
-					return true;
-				}
-			}
-		});
-	},
-
-	not: function( selector ) {
-		return this.pushStack( winnow(this, selector, false), "not", selector);
-	},
-
-	filter: function( selector ) {
-		return this.pushStack( winnow(this, selector, true), "filter", selector );
-	},
-
-	is: function( selector ) {
-		return !!selector && (
-			typeof selector === "string" ?
-				// If this is a positional selector, check membership in the returned set
-				// so $("p:first").is("p:last") won't return true for a doc with two "p".
-				POS.test( selector ) ?
-					jQuery( selector, this.context ).index( this[0] ) >= 0 :
-					jQuery.filter( selector, this ).length > 0 :
-				this.filter( selector ).length > 0 );
-	},
-
-	closest: function( selectors, context ) {
-		var ret = [], i, l, cur = this[0];
-
-		// Array (deprecated as of jQuery 1.7)
-		if ( jQuery.isArray( selectors ) ) {
-			var level = 1;
-
-			while ( cur && cur.ownerDocument && cur !== context ) {
-				for ( i = 0; i < selectors.length; i++ ) {
-
-					if ( jQuery( cur ).is( selectors[ i ] ) ) {
-						ret.push({ selector: selectors[ i ], elem: cur, level: level });
-					}
-				}
-
-				cur = cur.parentNode;
-				level++;
-			}
-
-			return ret;
-		}
-
-		// String
-		var pos = POS.test( selectors ) || typeof selectors !== "string" ?
-				jQuery( selectors, context || this.context ) :
-				0;
-
-		for ( i = 0, l = this.length; i < l; i++ ) {
-			cur = this[i];
-
-			while ( cur ) {
-				if ( pos ? pos.index(cur) > -1 : jQuery.find.matchesSelector(cur, selectors) ) {
-					ret.push( cur );
-					break;
-
-				} else {
-					cur = cur.parentNode;
-					if ( !cur || !cur.ownerDocument || cur === context || cur.nodeType === 11 ) {
-						break;
-					}
-				}
-			}
-		}
-
-		ret = ret.length > 1 ? jQuery.unique( ret ) : ret;
-
-		return this.pushStack( ret, "closest", selectors );
-	},
-
-	// Determine the position of an element within
-	// the matched set of elements
-	index: function( elem ) {
-
-		// No argument, return index in parent
-		if ( !elem ) {
-			return ( this[0] && this[0].parentNode ) ? this.prevAll().length : -1;
-		}
-
-		// index in selector
-		if ( typeof elem === "string" ) {
-			return jQuery.inArray( this[0], jQuery( elem ) );
-		}
-
-		// Locate the position of the desired element
-		return jQuery.inArray(
-			// If it receives a jQuery object, the first element is used
-			elem.jquery ? elem[0] : elem, this );
-	},
-
-	add: function( selector, context ) {
-		var set = typeof selector === "string" ?
-				jQuery( selector, context ) :
-				jQuery.makeArray( selector && selector.nodeType ? [ selector ] : selector ),
-			all = jQuery.merge( this.get(), set );
-
-		return this.pushStack( isDisconnected( set[0] ) || isDisconnected( all[0] ) ?
-			all :
-			jQuery.unique( all ) );
-	},
-
-	andSelf: function() {
-		return this.add( this.prevObject );
-	}
-});
-
-// A painfully simple check to see if an element is disconnected
-// from a document (should be improved, where feasible).
-function isDisconnected( node ) {
-	return !node || !node.parentNode || node.parentNode.nodeType === 11;
-}
-
-jQuery.each({
-	parent: function( elem ) {
-		var parent = elem.parentNode;
-		return parent && parent.nodeType !== 11 ? parent : null;
-	},
-	parents: function( elem ) {
-		return jQuery.dir( elem, "parentNode" );
-	},
-	parentsUntil: function( elem, i, until ) {
-		return jQuery.dir( elem, "parentNode", until );
-	},
-	next: function( elem ) {
-		return jQuery.nth( elem, 2, "nextSibling" );
-	},
-	prev: function( elem ) {
-		return jQuery.nth( elem, 2, "previousSibling" );
-	},
-	nextAll: function( elem ) {
-		return jQuery.dir( elem, "nextSibling" );
-	},
-	prevAll: function( elem ) {
-		return jQuery.dir( elem, "previousSibling" );
-	},
-	nextUntil: function( elem, i, until ) {
-		return jQuery.dir( elem, "nextSibling", until );
-	},
-	prevUntil: function( elem, i, until ) {
-		return jQuery.dir( elem, "previousSibling", until );
-	},
-	siblings: function( elem ) {
-		return jQuery.sibling( ( elem.parentNode || {} ).firstChild, elem );
-	},
-	children: function( elem ) {
-		return jQuery.sibling( elem.firstChild );
-	},
-	contents: function( elem ) {
-		return jQuery.nodeName( elem, "iframe" ) ?
-			elem.contentDocument || elem.contentWindow.document :
-			jQuery.makeArray( elem.childNodes );
-	}
-}, function( name, fn ) {
-	jQuery.fn[ name ] = function( until, selector ) {
-		var ret = jQuery.map( this, fn, until );
-
-		if ( !runtil.test( name ) ) {
-			selector = until;
-		}
-
-		if ( selector && typeof selector === "string" ) {
-			ret = jQuery.filter( selector, ret );
-		}
-
-		ret = this.length > 1 && !guaranteedUnique[ name ] ? jQuery.unique( ret ) : ret;
-
-		if ( (this.length > 1 || rmultiselector.test( selector )) && rparentsprev.test( name ) ) {
-			ret = ret.reverse();
-		}
-
-		return this.pushStack( ret, name, slice.call( arguments ).join(",") );
-	};
-});
-
-jQuery.extend({
-	filter: function( expr, elems, not ) {
-		if ( not ) {
-			expr = ":not(" + expr + ")";
-		}
-
-		return elems.length === 1 ?
-			jQuery.find.matchesSelector(elems[0], expr) ? [ elems[0] ] : [] :
-			jQuery.find.matches(expr, elems);
-	},
-
-	dir: function( elem, dir, until ) {
-		var matched = [],
-			cur = elem[ dir ];
-
-		while ( cur && cur.nodeType !== 9 && (until === undefined || cur.nodeType !== 1 || !jQuery( cur ).is( until )) ) {
-			if ( cur.nodeType === 1 ) {
-				matched.push( cur );
-			}
-			cur = cur[dir];
-		}
-		return matched;
-	},
-
-	nth: function( cur, result, dir, elem ) {
-		result = result || 1;
-		var num = 0;
-
-		for ( ; cur; cur = cur[dir] ) {
-			if ( cur.nodeType === 1 && ++num === result ) {
-				break;
-			}
-		}
-
-		return cur;
-	},
-
-	sibling: function( n, elem ) {
-		var r = [];
-
-		for ( ; n; n = n.nextSibling ) {
-			if ( n.nodeType === 1 && n !== elem ) {
-				r.push( n );
-			}
-		}
-
-		return r;
-	}
-});
-
-// Implement the identical functionality for filter and not
-function winnow( elements, qualifier, keep ) {
-
-	// Can't pass null or undefined to indexOf in Firefox 4
-	// Set to 0 to skip string check
-	qualifier = qualifier || 0;
-
-	if ( jQuery.isFunction( qualifier ) ) {
-		return jQuery.grep(elements, function( elem, i ) {
-			var retVal = !!qualifier.call( elem, i, elem );
-			return retVal === keep;
-		});
-
-	} else if ( qualifier.nodeType ) {
-		return jQuery.grep(elements, function( elem, i ) {
-			return ( elem === qualifier ) === keep;
-		});
-
-	} else if ( typeof qualifier === "string" ) {
-		var filtered = jQuery.grep(elements, function( elem ) {
-			return elem.nodeType === 1;
-		});
-
-		if ( isSimple.test( qualifier ) ) {
-			return jQuery.filter(qualifier, filtered, !keep);
-		} else {
-			qualifier = jQuery.filter( qualifier, filtered );
-		}
-	}
-
-	return jQuery.grep(elements, function( elem, i ) {
-		return ( jQuery.inArray( elem, qualifier ) >= 0 ) === keep;
-	});
-}
-
-
-
-
-function createSafeFragment( document ) {
-	var list = nodeNames.split( "|" ),
-	safeFrag = document.createDocumentFragment();
-
-	if ( safeFrag.createElement ) {
-		while ( list.length ) {
-			safeFrag.createElement(
-				list.pop()
-			);
-		}
-	}
-	return safeFrag;
-}
-
-var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figcaption|figure|footer|" +
-		"header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",
-	rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g,
-	rleadingWhitespace = /^\s+/,
-	rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig,
-	rtagName = /<([\w:]+)/,
-	rtbody = /
    ", "
    " ],
-		tr: [ 2, "", "
    " ],
-		td: [ 3, "", "
    " ],
-		col: [ 2, "", "
    " ],
-		area: [ 1, "", "" ],
-		_default: [ 0, "", "" ]
-	},
-	safeFragment = createSafeFragment( document );
-
-wrapMap.optgroup = wrapMap.option;
-wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
-wrapMap.th = wrapMap.td;
-
-// IE can't serialize  and 
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-
-
    Index
    
-
-
    
- A
- | B
- | C
- | D
- | F
- | G
- | I
- | L
- | M
- | N
- | O
- | P
- | Q
- | R
- | S
- | T
- | V
- | W
-
-
    
-
    A
    
-
-  
-  
-
    
-
-  
    AC_KERBEROS (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    AC_PASSWORD (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    AC_SMARTCARD (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    AC_UNSPECIFIED (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    AC_X509 (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    add_sign() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-  
    add_x509_key_descriptors() (saml2.metadata.OneLogin_Saml2_Metadata static method)
-  
    
-
-
-  
    ALOWED_CLOCK_DRIFT (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    ATTRNAME_FORMAT_BASIC (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    ATTRNAME_FORMAT_UNSPECIFIED (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    ATTRNAME_FORMAT_URI (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-
    B
    
-
-  
-  
-
    
-
-  
    BINDING_DEFLATE (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    BINDING_HTTP_ARTIFACT (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    BINDING_HTTP_POST (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    BINDING_HTTP_REDIRECT (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    BINDING_SOAP (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-  
    build() (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
-  
    
-
-
-  
    build_request_signature() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    build_response_signature() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    builder() (saml2.metadata.OneLogin_Saml2_Metadata static method)
-  
    
-
-  
    
-
-
    C
    
-
-  
-  
-
    
-
-  
    calculate_x509_fingerprint() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    check_settings() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    check_sp_certs() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    check_status() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-  
    
-
-  
    CM_BEARER (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    CM_HOLDER_KEY (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    CM_SENDER_VOUCHES (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-
    D
    
-
-  
-  
-
    
-
-  
    decode_base64_and_inflate() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    decrypt_element() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-  
    deflate_and_base64_encode() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    delete_local_session() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-
    F
    
-
-  
-  
-
    
-
-  
    format_cert() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    format_finger_print() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-  
    format_idp_cert() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-  
    
-
-
    G
    
-
-  
-  
-
    
-
-  
    generate_name_id() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    generate_unique_id() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    get_attribute() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    get_attributes() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-      
    
-
-  
    (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-      
    
-
-  
    get_audiences() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-
-  
    get_base_path() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_cert_path() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_contacts() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_errors() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-      
    
-
-  
    (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-      
    
-
-  
    get_expire_time() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    get_ext_lib_path() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_id() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
-  
    
-
-
-  
    get_idp_data() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_issuer() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
-  
    
-
-      
    
-
-  
    (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
-  
    
-
-      
    
-
-  
    get_issuers() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-
-  
    get_lib_path() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_name_id() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
-  
    
-
-
-  
    get_name_id_data() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
-  
    
-
-
-  
    get_nameid() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-      
    
-
-  
    (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-      
    
-
-  
    get_nameid_data() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-  
    
-
-  
    get_organization() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_request() (saml2.authn_request.OneLogin_Saml2_Authn_Request method)
-  
    
-
-      
    
-
-  
    (saml2.logout_request.OneLogin_Saml2_Logout_Request method)
-  
    
-
-      
    
-
-  
    get_response() (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
-  
    
-
-
-  
    get_schemas_path() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_security_data() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_self_host() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    get_self_url() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    get_self_url_host() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    get_self_url_no_query() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    get_session_index() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-
-  
    get_session_indexes() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
-  
    
-
-
-  
    get_session_not_on_or_after() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-
-  
    get_settings() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    get_slo_url() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    get_sp_cert() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_sp_data() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_sp_key() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_sp_metadata() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    get_sso_url() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    get_status() (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
-  
    
-
-      
    
-
-  
    (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-      
    
-  
    
-
-
    I
    
-
-  
-  
-
    
-
-  
    is_authenticated() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    is_debug_active() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    is_https() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-  
    is_strict() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    is_valid() (saml2.logout_request.OneLogin_Saml2_Logout_Request static method)
-  
    
-
-      
    
-
-  
    (saml2.logout_response.OneLogin_Saml2_Logout_Response method)
-  
    
-
-
-  
    (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-      
    
-  
    
-
-
    L
    
-
-  
-  
-
    
-
-  
    login() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-  
    
-
-  
    logout() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-  
    
-
-
    M
    
-
-  
-
    
-
-  
    METADATA_SP_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-  
    
-
-
    N
    
-
-  
-  
-
    
-
-  
    NAMEID_EMAIL_ADDRESS (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_ENCRYPTED (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_ENTITY (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_KERBEROS (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_PERSISTENT (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_TRANSIENT (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NAMEID_X509_SUBJECT_NAME (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_DS (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-  
    NS_MD (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_SAML (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_SAMLP (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_SOAP (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_XENC (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_XS (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NS_XSI (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    NSMAP (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-
    O
    
-
-  
-  
-
    
-
-  
    OneLogin_Saml2_Auth (class in saml2.auth)
-  
    
-
-
-  
    OneLogin_Saml2_Authn_Request (class in saml2.authn_request)
-  
    
-
-
-  
    OneLogin_Saml2_Constants (class in saml2.constants)
-  
    
-
-
-  
    OneLogin_Saml2_Error
-  
    
-
-
-  
    OneLogin_Saml2_Logout_Request (class in saml2.logout_request)
-  
    
-
-  
    
-
-  
    OneLogin_Saml2_Logout_Response (class in saml2.logout_response)
-  
    
-
-
-  
    OneLogin_Saml2_Metadata (class in saml2.metadata)
-  
    
-
-
-  
    OneLogin_Saml2_Response (class in saml2.response)
-  
    
-
-
-  
    OneLogin_Saml2_Settings (class in saml2.settings)
-  
    
-
-
-  
    OneLogin_Saml2_Utils (class in saml2.utils)
-  
    
-
-  
    
-
-
    P
    
-
-  
-  
-
    
-
-  
    parse_duration() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    parse_SAML_to_time() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    parse_time_to_SAML() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    PRIVATE_KEY_FILE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-  
    
-
-  
    process_response() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    process_slo() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    PUBLIC_CERT_FILE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-  
    
-
-
    Q
    
-
-  
-
    
-
-  
    query() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-
    R
    
-
-  
-  
-
    
-
-  
    redirect() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-
-  
    REDIRECT_INVALID_URL (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-  
    
-
-  
    redirect_to() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-
-  
    RSA_SHA1 (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-
    S
    
-
-  
-  
-
    
-
-  
    saml2.auth (module)
-  
    
-
-
-  
    saml2.authn_request (module)
-  
    
-
-
-  
    saml2.constants (module)
-  
    
-
-
-  
    saml2.errors (module)
-  
    
-
-
-  
    saml2.logout_request (module)
-  
    
-
-
-  
    saml2.logout_response (module)
-  
    
-
-
-  
    saml2.metadata (module)
-  
    
-
-
-  
    saml2.response (module)
-  
    
-
-
-  
    saml2.settings (module)
-  
    
-
-
-  
    saml2.utils (module)
-  
    
-
-
-  
    SAML_LOGOUTMESSAGE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    SAML_LOGOUTREQUEST_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    SAML_LOGOUTRESPONSE_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    SAML_RESPONSE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-  
    
-
-  
    SAML_SINGLE_LOGOUT_NOT_SUPPORTED (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    set_strict() (saml2.auth.OneLogin_Saml2_Auth method)
-  
    
-
-      
    
-
-  
    (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-      
    
-
-  
    SETTINGS_FILE_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    SETTINGS_INVALID (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    SETTINGS_INVALID_SYNTAX (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    sign_metadata() (saml2.metadata.OneLogin_Saml2_Metadata static method)
-  
    
-
-
-  
    SP_CERTS_NOT_FOUND (saml2.errors.OneLogin_Saml2_Error attribute)
-  
    
-
-
-  
    STATUS_NO_PASSIVE (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    STATUS_PARTIAL_LOGOUT (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    STATUS_PROXY_COUNT_EXCEEDED (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    STATUS_REQUESTER (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    STATUS_RESPONDER (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    STATUS_SUCCESS (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-
-  
    STATUS_VERSION_MISMATCH (saml2.constants.OneLogin_Saml2_Constants attribute)
-  
    
-
-  
    
-
-
    T
    
-
-  
-  
-
    
-
-  
    TIME_CACHED (saml2.metadata.OneLogin_Saml2_Metadata attribute)
-  
    
-
-  
    
-
-  
    TIME_VALID (saml2.metadata.OneLogin_Saml2_Metadata attribute)
-  
    
-
-  
    
-
-
    V
    
-
-  
-  
-
    
-
-  
    validate_metadata() (saml2.settings.OneLogin_Saml2_Settings method)
-  
    
-
-
-  
    validate_num_assertions() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-
-  
    validate_sign() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-  
    validate_timestamps() (saml2.response.OneLogin_Saml2_Response method)
-  
    
-
-
-  
    validate_url() (in module saml2.settings)
-  
    
-
-
-  
    validate_xml() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-
    W
    
-
-  
-
    
-
-  
    write_temp_file() (saml2.utils.OneLogin_Saml2_Utils static method)
-  
    
-
-  
    
-
-
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/index.html b/docs/saml2/index.html
deleted file mode 100644
index 1015fa57..00000000
--- a/docs/saml2/index.html
+++ /dev/null
@@ -1,141 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    Welcome to SAML Python library documentation
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
-
    
-
    Indices and tables
    
-
-
    
-
-
-          
    
-        
    
-      
    
-      
    
-        
    
-  
    Table Of Contents
    
-  
-
-  
    Next topic
    
-  
    onelogin.saml2 Module
    
-  
    This Page
    
-  
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/objects.inv b/docs/saml2/objects.inv
deleted file mode 100644
index f4df5df0cf8a1203e12c4a54b64e6f611ff0f28d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1959
zcmV;Y2Uz$cAX9K?X>NERX>N99Zgg*Qc_4OWa&u{KZXhxWBOp+6Z)#;@bUGkUZe>hw
zXK8LAQ$bBkAW(U9Xm4&HY-wV0VRCsOV{Bn_b7gZNVQyp~ZDn+5Z)9@{BOq2~a&u{K
zZaN?eBOp|0Wgv28ZDDC{WMy(7Z)PBLXlZjGW@&6?AZc?TV{dJ6a%FRKWn>_Ab7^j8
zAbM?s|2V9Tf1|@6!eqtX@uVz%yH4whi=+}}pI!S5+dIDwDmJfIc?DEG0DJqur|?K!B{31A&7V8LW*>Hi?r-`~
zkfqjEOaSLKbZyaZjfr)g9g~9G6Y*`-rh2^}idyuG8Cw>KV31T9JSUv}@jI|8t+QT#
z@>3#DPj7WFfkWX$tzL(bdvC=AzLF=nb>{^9Acosu;X9~pZ_M~mINhu(ofi2sG|A{w
zla*?D#C3r9u^T_3_PFn%hmz;R(`bCE_M2x|&7zLa(={s-j#R-3Lr}ulOOv+@L|&q=
z|ERq`cX^R*^a4CzRf*_YHffJ7%jEu2f!!S9#%&L7h!v3tb=wGmG`8Xe1-h_pLg`fZ
zT-I%w2uN9rKD4$)R!PY;%<_1wm;`1tutIaFz?-ekF1EIeDIDCOq5{ag>cJALsgtq`
zCQ-Mj)1&~-IM3?}D|Vy#L&?$3jig1w`GgC(aec@2zkow-=MupUJ4ZzRS`Zo|o$geG
zp_Vs?dGIAz#GZ6F>x*uTIT^2iylo=5SaBSw03&x7c~%SypN7PCZ(ZV;((mTlj5*U;
zTS9r`4o#dAo;WL(ia$YBgM_d4)qo>@Pl`NK1n8wKOi&(5;#l4Qy@c=RI1mj3-$6PM
zR;}xrn+&c0v-ilI?C&0lEys#2pdq;ay)}0o4VmX-)md}SIdJ){bXsU>l9mrV3q%bH
z#3u8tO(Y)z`Dr1Wr1emcw^@%}d2P03-C;$o}bb#r+D)5=uc|SWH6?Y51(}1Y2+YB~uA{o6-*DU=8N>qo~-l_YK
zh~q}Y-rl+-l=JE3&$NAQWQJ0(QhI?YIG>(2jcP;RD+-2HNd#FbM0v|txRCjn0Qpn5
zkSv8EytF;I3+6J#QPtz0Q;OYezi%B49&g0tdm!nuoK-0XM^N&HNTd_x&;{vjjGIh@
z6+jQEDK%c}A1k4GhOO*rFhV3P(NV35BAg8Ip+)IK5aD$AMlaGF6~ZDo;#?7x`TL#q
z!DR8m0AE^c2R(#Qel@CHGqk(QpHrTd|6@ijH?xF14u9OgPGF
zHmx3+y_gDqbtPmT&5d4$XSs8*94Er|dhn@D)s-OeLt>qbQQRam53MM6tqqs{Ik9y&
ze>AjhKj`7my(be*-vl;~1`tP+p7qA*wnZw!J#+Tkcw!%r!>q3supM
z#@K*%3`xwijn(9Z!PzdlZM5O(4hr1Pp7to<@;bx{Zr_x#GWaNK+qD~iK
z7)02tLW>RVdeFo?BTb65>&F#)EM7`=u(oOQN*Ehg8*Wr*UQHLD6#2fjY?JIpD`p&3
zLDSZ$WOe(KU6;>(E^g+o-SR=9_99ybN?&g7BHp>vvb?UvaaY4G+V75MwTV7}(YqONT$4;}cxgG8?2
zL8>+IEZ2v>7V-d!2ZDNTlnml63*93e3(-d1Y8aE&89TqA)`~}9P2qi%n>I!w<>^++
zjf@D}9#Eo2-rzo1*ms0Z?y

diff --git a/docs/saml2/py-modindex.html b/docs/saml2/py-modindex.html
deleted file mode 100644
index 5f2d4393..00000000
--- a/docs/saml2/py-modindex.html
+++ /dev/null
@@ -1,153 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    Python Class Index — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-
-
-
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-
-   
    Python Class Index
    
-
-   
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-     
-       
-       
-   
    
-       saml2
-       
       
-       saml2.auth
-       
       
-       saml2.authn_request
-       
       
-       saml2.constants
-       
       
-       saml2.errors
-       
       
-       saml2.logout_request
-       
       
-       saml2.logout_response
-       
       
-       saml2.metadata
-       
       
-       saml2.response
-       
       
-       saml2.settings
-       
       
-       saml2.utils
-       
    
-
-
-          
    
-        
    
-      
    
-      
    
-        
    
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/saml2.html b/docs/saml2/saml2.html
deleted file mode 100644
index 6b9631f0..00000000
--- a/docs/saml2/saml2.html
+++ /dev/null
@@ -1,2043 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    OneLogin saml2 Module — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    
-
    OneLogin saml2 Module
    
-
    
-
    auth Class
    
-
    
-
    
-class onelogin.saml2.auth.OneLogin_Saml2_Auth(request_data, old_settings=None)[source]
    
-
    Bases: object
    
-
    
-
    
-build_request_signature(saml_request, relay_state)[source]
    
-
    Builds the Signature of the SAML Request.
    
-
---
-
-
-
-
    


    Parameters:
      
-
    • saml_request (string) – The SAML Request
      • 
-
    • relay_state (string) – The target URL the user should be redirected to
      • 
-
    
-
    
-
    
-
-
    
-
    
-build_response_signature(saml_response, relay_state)[source]
    
-
    Builds the Signature of the SAML Response.
-:param saml_request: The SAML Response
-:type saml_request: string
    
-
---
-
-
-
-
    


    Parameters:relay_state (string) – The target URL the user should be redirected to
    
-
    
-
-
    
-
    
-get_attribute(name)[source]
    
-
    Returns the requested SAML attribute.
    
-
---
-
-
-
-
-
-
-
-
    


    Parameters:name (string) – Name of the attribute
    Returns:Attribute value if exists or None
    Return type:string
    
-
    
-
-
    
-
    
-get_attributes()[source]
    
-
    Returns the set of SAML attributes.
    
-
---
-
-
-
-
-
-
    


    Returns:SAML attributes
    Return type:dict
    
-
    
-
-
    
-
    
-get_errors()[source]
    
-
    Returns a list with code errors if something went wrong
    
-
---
-
-
-
-
-
-
    


    Returns:List of errors
    Return type:list
    
-
    
-
-
    
-
    
-get_last_error_reason()[source]
    
-
    Returns the reason for the last error
    
-
---
-
-
-
-
-
-
    


    Returns:Error
    Return type:string
    
-
    
-
-
    
-
    
-get_nameid()[source]
    
-
    Returns the nameID.
    
-
---
-
-
-
-
-
-
    


    Returns:NameID
    Return type:string
    
-
    
-
-
    
-
    
-get_settings()[source]
    
-
    Returns the settings info
-:return: Setting info
-:rtype: OneLogin_Saml2_Setting object
    
-
    
-
-
    
-
    
-get_slo_url()[source]
    
-
    Gets the SLO url.
    
-
---
-
-
-
-
-
-
    


    Returns:An URL, the SLO endpoint of the IdP
    Return type:string
    
-
    
-
-
    
-
    
-get_sso_url()[source]
    
-
    Gets the SSO url.
    
-
---
-
-
-
-
-
-
    


    Returns:An URL, the SSO endpoint of the IdP
    Return type:string
    
-
    
-
-
    
-
    
-is_authenticated()[source]
    
-
    Checks if the user is authenticated or not.
    
-
---
-
-
-
-
-
-
    


    Returns:True if is authenticated, False if not
    Return type:bool
    
-
    
-
-
    
-
    
-login(return_to=None, force_authn=False, is_passive=False)[source]
    
-
    Initiates the SSO process.
    
-
---
-
-
-
-
-
-
    


    Parameters:
      
-
    • return_to (string) – Optional argument. The target URL the user should be redirected to after login.
      • 
-
    • force_authn (bool) – Optional argument. When true the AuthNReuqest will set the ForceAuthn='true'.
      • 
-
    • is_passive (bool) – Optional argument. When true the AuthNReuqest will set the Ispassive='true'.
      • 
-
    
-
    Returns:Redirection url
    
-
    
-
-
    
-
    
-logout(return_to=None, name_id=None, session_index=None)[source]
    
-
    Initiates the SLO process.
    
-
---
-
-  
-
-
-
-
-
    


    Parameters:
      
-
    • return_to (string) – Optional argument. The target URL the user should be redirected to after logout.
      • 
-
    • name_id (string) – Optional argument. The NameID that will be set in the LogoutRequest.
      • 
-
    • session_index (string) – Optional argument. SessionIndex that identifies the session of the user.
      • 
-
    Returns:Redirection url
    
-
    
-
-
    
-
    
-process_response(request_id=None)[source]
    
-
    Process the SAML Response sent by the IdP.
    
-
---
-
-
-
-
-
-
    


    Parameters:request_id (string) – Is an optional argumen. Is the ID of the AuthNRequest sent by this SP to the IdP.
    Raises :OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
    
-
    
-
-
    
-
    
-process_slo(keep_local_session=False, request_id=None, delete_session_cb=None)[source]
    
-
    Process the SAML Logout Response / Logout Request sent by the IdP.
    
-
---
-
-
-
-
-
-
    


    Parameters:
      
-
    • keep_local_session (bool) – When false will destroy the local session, otherwise will destroy it
      • 
-
    • request_id (string) – The ID of the LogoutRequest sent by this SP to the IdP
      • 
-
    
-
    Returns:
    Redirection url
    
-
    
-
    
-
-
    
-
    
-redirect_to(url=None, parameters={})[source]
    
-
    Redirects the user to the url past by parameter or to the url that we defined in our SSO Request.
    
-
---
-
-
-
-
-
-
    


    Parameters:
      
-
    • url (string) – The target URL to redirect the user
      • 
-
    • parameters (dict) – Extra parameters to be passed as part of the url
      • 
-
    
-
    Returns:
    Redirection url
    
-
    
-
    
-
-
    
-
    
-set_strict(value)[source]
    
-
    Set the strict mode active/disable
    
-
---
-
-
-
-
    


    Parameters:value (bool) – 
    
-
    
-
-
    
-
-
    
-
    
-
    authn_request Class
    
-
    
-
    
-class onelogin.saml2.authn_request.OneLogin_Saml2_Authn_Request(settings, force_authn=False, is_passive=False)[source]
    
-
    
-
    
-get_request()[source]
    
-
    Returns unsigned AuthnRequest.
-:return: Unsigned AuthnRequest
-:rtype: str object
    
-
    
-
-
    
-
-
    
-
    
-
    constants Class
    
-
    
-
    
-class onelogin.saml2.constants.OneLogin_Saml2_Constants[source]
    
-
    
-
    
-AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
    
-
    
-
-
    
-
    
-AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
    
-
    
-
-
    
-
    
-AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'
    
-
    
-
-
    
-
    
-AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
    
-
    
-
-
    
-
    
-AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'
    
-
    
-
-
    
-
    
-ALOWED_CLOCK_DRIFT = 180
    
-
    
-
-
    
-
    
-ATTRNAME_FORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
    
-
    
-
-
    
-
    
-ATTRNAME_FORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'
    
-
    
-
-
    
-
    
-ATTRNAME_FORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
    
-
    
-
-
    
-
    
-BINDING_DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE'
    
-
    
-
-
    
-
    
-BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
    
-
    
-
-
    
-
    
-BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    
-
    
-
-
    
-
    
-BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    
-
    
-
-
    
-
    
-BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
    
-
    
-
-
    
-
    
-CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
    
-
    
-
-
    
-
    
-CM_HOLDER_KEY = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'
    
-
    
-
-
    
-
    
-CM_SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
    
-
    
-
-
    
-
    
-NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    
-
    
-
-
    
-
    
-NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted'
    
-
    
-
-
    
-
    
-NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
    
-
    
-
-
    
-
    
-NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'
    
-
    
-
-
    
-
    
-NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
    
-
    
-
-
    
-
    
-NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    
-
    
-
-
    
-
    
-NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'
    
-
    
-
-
    
-
    
-NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
    
-
    
-
-
    
-
    
-NSMAP = {'xenc': 'http://www.w3.org/2001/04/xmlenc#', 'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol', 'ds': 'http://www.w3.org/2000/09/xmldsig#', 'saml': 'urn:oasis:names:tc:SAML:2.0:assertion'}
    
-
    
-
-
    
-
    
-NS_DS = 'http://www.w3.org/2000/09/xmldsig#'
    
-
    
-
-
    
-
    
-NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
    
-
    
-
-
    
-
    
-NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
    
-
    
-
-
    
-
    
-NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
    
-
    
-
-
    
-
    
-NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/'
    
-
    
-
-
    
-
    
-NS_XENC = 'http://www.w3.org/2001/04/xmlenc#'
    
-
    
-
-
    
-
    
-NS_XS = 'http://www.w3.org/2001/XMLSchema'
    
-
    
-
-
    
-
    
-NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
    
-
    
-
-
    
-
    
-RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
    
-
    
-
-
    
-
    
-STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive'
    
-
    
-
-
    
-
    
-STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
    
-
    
-
-
    
-
    
-STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'
    
-
    
-
-
    
-
    
-STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester'
    
-
    
-
-
    
-
    
-STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder'
    
-
    
-
-
    
-
    
-STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
    
-
    
-
-
    
-
    
-STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch'
    
-
    
-
-
    
-
-
    
-
    
-
    errors Class
    
-
    
-
    
-exception onelogin.saml2.errors.OneLogin_Saml2_Error(message, code=0, errors=None)[source]
    
-
    Bases: exceptions.Exception
    
-
    
-
    
-METADATA_SP_INVALID = 3
    
-
    
-
-
    
-
    
-PRIVATE_KEY_FILE_NOT_FOUND = 7
    
-
    
-
-
    
-
    
-PUBLIC_CERT_FILE_NOT_FOUND = 6
    
-
    
-
-
    
-
    
-REDIRECT_INVALID_URL = 5
    
-
    
-
-
    
-
    
-SAML_LOGOUTMESSAGE_NOT_FOUND = 9
    
-
    
-
-
    
-
    
-SAML_LOGOUTREQUEST_INVALID = 10
    
-
    
-
-
    
-
    
-SAML_LOGOUTRESPONSE_INVALID = 11
    
-
    
-
-
    
-
    
-SAML_RESPONSE_NOT_FOUND = 8
    
-
    
-
-
    
-
    
-SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12
    
-
    
-
-
    
-
    
-SETTINGS_FILE_NOT_FOUND = 0
    
-
    
-
-
    
-
    
-SETTINGS_INVALID = 2
    
-
    
-
-
    
-
    
-SETTINGS_INVALID_SYNTAX = 1
    
-
    
-
-
    
-
    
-SP_CERTS_NOT_FOUND = 4
    
-
    
-
-
    
-
-
    
-
    
-
    logout_request Class
    
-
    
-
    
-class onelogin.saml2.logout_request.OneLogin_Saml2_Logout_Request(settings, request=None, name_id=None, session_index=None)[source]
    
-
    
-
    
-static get_id(request)[source]
    
-
    Returns the ID of the Logout Request
-:param request: Logout Request Message
-:type request: string|DOMDocument
-:return: string ID
-:rtype: str object
    
-
    
-
-
    
-
    
-static get_issuer(request)[source]
    
-
    Gets the Issuer of the Logout Request Message
-:param request: Logout Request Message
-:type request: string|DOMDocument
-:return: The Issuer
-:rtype: string
    
-
    
-
-
    
-
    
-static get_name_id(request, key=None)[source]
    
-
    Gets the NameID of the Logout Request Message
-:param request: Logout Request Message
-:type request: string|DOMDocument
-:param key: The SP key
-:type key: string
-:return: Name ID Value
-:rtype: string
    
-
    
-
-
    
-
    
-static get_name_id_data(request, key=None)[source]
    
-
    Gets the NameID Data of the the Logout Request
-:param request: Logout Request Message
-:type request: string|DOMDocument
-:param key: The SP key
-:type key: string
-:return: Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
-:rtype: dict
    
-
    
-
-
    
-
    
-get_request()[source]
    
-
    Returns the Logout Request defated, base64encoded
-:return: Deflated base64 encoded Logout Request
-:rtype: str object
    
-
    
-
-
    
-
    
-static get_session_indexes(request)[source]
    
-
    Gets the SessionIndexes from the Logout Request
-:param request: Logout Request Message
-:type request: string|DOMDocument
-:return: The SessionIndex value
-:rtype: list
    
-
    
-
-
    
-
    
-static is_valid(settings, request, get_data, debug=False)[source]
    
-
    Checks if the Logout Request recieved is valid
-:param settings: Settings
-:type settings: OneLogin_Saml2_Settings
-:param request: Logout Request Message
-:type request: string|DOMDocument
-:return: If the Logout Request is or not valid
-:rtype: boolean
    
-
    
-
-
    
-
    
-get_error()[source]
    
-
    After execute a validation process, if fails this method returns the cause
-:rtype: str object
    
-
    
-
-
    
-
-
    
-
    
-
    logout_response Class
    
-
    
-
    
-class onelogin.saml2.logout_response.OneLogin_Saml2_Logout_Response(settings, response=None)[source]
    
-
    
-
    
-build(in_response_to)[source]
    
-
    Creates a Logout Response object.
-:param in_response_to: InResponseTo value for the Logout Response.
-:type in_response_to: string
    
-
    
-
-
    
-
    
-get_issuer()[source]
    
-
    Gets the Issuer of the Logout Response Message
-:return: The Issuer
-:rtype: string
    
-
    
-
-
    
-
    
-get_response()[source]
    
-
    Returns a Logout Response object.
-:return: Logout Response deflated and base64 encoded
-:rtype: string
    
-
    
-
-
    
-
    
-get_status()[source]
    
-
    Gets the Status
-:return: The Status
-:rtype: string
    
-
    
-
-
    
-
    
-is_valid(request_data, request_id=None)[source]
    
-
    Determines if the SAML LogoutResponse is valid
-:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
-:type request_id: string
-:return: Returns if the SAML LogoutResponse is or not valid
-:rtype: boolean
    
-
    
-
-
    
-
    
-get_error()[source]
    
-
    After execute a validation process, if fails this method returns the cause
-:rtype: str object
    
-
    
-
-
    
-
-
    
-
    
-
    metadata Class
    
-
    
-
    
-class onelogin.saml2.metadata.OneLogin_Saml2_Metadata[source]
    
-
    
-
    
-TIME_CACHED = 604800
    
-
    
-
-
    
-
    
-TIME_VALID = 172800
    
-
    
-
-
    
-
    
-static add_x509_key_descriptors(metadata, cert)[source]
    
-
    Add the x509 descriptors (sign/encriptation to the metadata
-The same cert will be used for sign/encrypt
    
-
---
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • metadata (string) – SAML Metadata XML
      • 
-
    • cert (string) – x509 cert
      • 
-
    
-
    Returns:
    Metadata with KeyDescriptors
    
-
    Return type:
    string
    
-
    
-
    
-
-
    
-
    
-static builder(sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None)[source]
    
-
    Build the metadata of the SP
    
-
---
-
-
-
-
    


    Parameters:
      
-
    • sp (string) – The SP data
      • 
-
    • authnsign (string) – authnRequestsSigned attribute
      • 
-
    • wsign (string) – wantAssertionsSigned attribute
      • 
-
    • valid_until (DateTime) – Metadata’s valid time
      • 
-
    • cache_duration (Timestamp) – Duration of the cache in seconds
      • 
-
    • contacts (dict) – Contacts info
      • 
-
    • organization (dict) – Organization ingo
      • 
-
    
-
    
-
    
-
-
    
-
    
-static sign_metadata(metadata, key, cert)[source]
    
-
    Sign the metadata with the key/cert provided
    
-
---
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • metadata (string) – SAML Metadata XML
      • 
-
    • key (string) – x509 key
      • 
-
    • cert (string) – x509 cert
      • 
-
    
-
    Returns:
    Signed Metadata
    
-
    Return type:
    string
    
-
    
-
    
-
-
    
-
-
    
-
    
-
    response Class
    
-
    
-
    
-class onelogin.saml2.response.OneLogin_Saml2_Response(settings, response)[source]
    
-
    Bases: object
    
-
    
-
    
-check_status()[source]
    
-
    Check if the status of the response is success or not
    
-
---
-
-
-
-
    


    Raises :Exception. If the status is not success
    
-
    
-
-
    
-
    
-get_attributes()[source]
    
-
    Gets the Attributes from the AttributeStatement element.
-EncryptedAttributes are not supported
    
-
    
-
-
    
-
    
-get_audiences()[source]
    
-
    Gets the audiences
    
-
---
-
-
-
-
-
-
    


    Returns:The valid audiences for the SAML Response
    Return type:list
    
-
    
-
-
    
-
    
-get_issuers()[source]
    
-
    Gets the issuers (from message and from assertion)
    
-
---
-
-
-
-
-
-
    


    Returns:The issuers
    Return type:list
    
-
    
-
-
    
-
    
-get_nameid()[source]
    
-
    Gets the NameID provided by the SAML Response from the IdP
    
-
---
-
-
-
-
-
-
    


    Returns:NameID (value)
    Return type:string
    
-
    
-
-
    
-
    
-get_nameid_data()[source]
    
-
    Gets the NameID Data provided by the SAML Response from the IdP
    
-
---
-
-
-
-
-
-
    


    Returns:Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
    Return type:dict
    
-
    
-
-
    
-
    
-get_session_index()[source]
    
-
    Gets the SessionIndex from the AuthnStatement
-Could be used to be stored in the local session in order
-to be used in a future Logout Request that the SP could
-send to the SP, to set what specific session must be deleted
    
-
---
-
-
-
-
-
-
    


    Returns:The SessionIndex value
    Return type:string|None
    
-
    
-
-
    
-
    
-get_session_not_on_or_after()[source]
    
-
    Gets the SessionNotOnOrAfter from the AuthnStatement
-Could be used to set the local session expiration
    
-
---
-
-
-
-
-
-
    


    Returns:The SessionNotOnOrAfter value
    Return type:time|None
    
-
    
-
-
    
-
    
-is_valid(request_data, request_id=None)[source]
    
-
    Constructs the response object.
    
-
---
-
-
-
-
-
-
-
-
    


    Parameters:request_id (string) – Optional argument. The ID of the AuthNRequest sent by this SP to the IdP
    Returns:True if the SAML Response is valid, False if not
    Return type:bool
    
-
    
-
-
    
-
    
-validate_num_assertions()[source]
    
-
    Verifies that the document only contains a single Assertion (encrypted or not)
    
-
---
-
-
-
-
-
-
    


    Returns:True if only 1 assertion encrypted or not
    Return type:bool
    
-
    
-
-
    
-
    
-validate_timestamps()[source]
    
-
    Verifies that the document is valid according to Conditions Element
    
-
---
-
-
-
-
-
-
    


    Returns:True if the condition is valid, False otherwise
    Return type:bool
    
-
    
-
-
    
-
-
    
-
    
-
    settings Class
    
-
    
-
    
-class onelogin.saml2.settings.OneLogin_Saml2_Settings(settings=None, custom_base_path=None)[source]
    
-
    
-
    
-check_settings(settings)[source]
    
-
    Checks the settings info.
    
-
---
-
-
-
-
-
-
-
-
    


    Parameters:settings (dict) – Dict with settings data
    Returns:Errors found on the settings data
    Return type:list
    
-
    
-
-
    
-
    
-check_sp_certs()[source]
    
-
    Checks if the x509 certs of the SP exists and are valid.
    
-
---
-
-
-
-
-
-
    


    Returns:If the x509 certs of the SP exists and are valid
    Return type:boolean
    
-
    
-
-
    
-
    
-format_idp_cert()[source]
    
-
    Formats the IdP cert.
    
-
    
-
-
    
-
    
-get_base_path()[source]
    
-
    Returns base path
    
-
---
-
-
-
-
-
-
    


    Returns:The base toolkit folder path
    Return type:string
    
-
    
-
-
    
-
    
-get_cert_path()[source]
    
-
    Returns cert path
    
-
---
-
-
-
-
-
-
    


    Returns:The cert folder path
    Return type:string
    
-
    
-
-
    
-
    
-get_contacts()[source]
    
-
    Gets contact data.
    
-
---
-
-
-
-
-
-
    


    Returns:Contacts info
    Return type:dict
    
-
    
-
-
    
-
    
-get_errors()[source]
    
-
    Returns an array with the errors, the array is empty when the settings is ok.
    
-
---
-
-
-
-
-
-
    


    Returns:Errors
    Return type:list
    
-
    
-
-
    
-
    
-get_ext_lib_path()[source]
    
-
    Returns external lib path
    
-
---
-
-
-
-
-
-
    


    Returns:The external library folder path
    Return type:string
    
-
    
-
-
    
-
    
-get_idp_data()[source]
    
-
    Gets the IdP data.
    
-
---
-
-
-
-
-
-
    


    Returns:IdP info
    Return type:dict
    
-
    
-
-
    
-
    
-get_lib_path()[source]
    
-
    Returns lib path
    
-
---
-
-
-
-
-
-
    


    Returns:The library folder path
    Return type:string
    
-
    
-
-
    
-
    
-get_organization()[source]
    
-
    Gets organization data.
    
-
---
-
-
-
-
-
-
    


    Returns:Organization info
    Return type:dict
    
-
    
-
-
    
-
    
-get_schemas_path()[source]
    
-
    Returns schema path
    
-
---
-
-
-
-
-
-
    


    Returns:The schema folder path
    Return type:string
    
-
    
-
-
    
-
    
-get_security_data()[source]
    
-
    Gets security data.
    
-
---
-
-
-
-
-
-
    


    Returns:Security info
    Return type:dict
    
-
    
-
-
    
-
    
-get_sp_cert()[source]
    
-
    Returns the x509 public cert of the SP.
    
-
---
-
-
-
-
-
-
    


    Returns:SP public cert
    Return type:string
    
-
    
-
-
    
-
    
-get_sp_data()[source]
    
-
    Gets the SP data.
    
-
---
-
-
-
-
-
-
    


    Returns:SP info
    Return type:dict
    
-
    
-
-
    
-
    
-get_sp_key()[source]
    
-
    Returns the x509 private key of the SP.
    
-
---
-
-
-
-
-
-
    


    Returns:SP private key
    Return type:string
    
-
    
-
-
    
-
    
-get_sp_metadata()[source]
    
-
    Gets the SP metadata. The XML representation.
    
-
---
-
-
-
-
-
-
    


    Returns:SP metadata (xml)
    Return type:string
    
-
    
-
-
    
-
    
-is_debug_active()[source]
    
-
    Returns if the debug is active.
    
-
---
-
-
-
-
-
-
    


    Returns:Debug parameter
    Return type:boolean
    
-
    
-
-
    
-
    
-is_strict()[source]
    
-
    Returns if the ‘strict’ mode is active.
    
-
---
-
-
-
-
-
-
    


    Returns:Strict parameter
    Return type:boolean
    
-
    
-
-
    
-
    
-set_strict(value)[source]
    
-
    Activates or deactivates the strict mode.
    
-
---
-
-
-
-
    


    Parameters:xml (boolean) – Strict parameter
    
-
    
-
-
    
-
    
-validate_metadata(xml)[source]
    
-
    Validates an XML SP Metadata.
    
-
---
-
-
-
-
-
-
-
-
    


    Parameters:xml (string) – Metadata’s XML that will be validate
    Returns:The list of found errors
    Return type:list
    
-
    
-
-
    
-
-
    
-
    
-onelogin.saml2.settings.validate_url(url)[source]
    
-
    
-
-
    
-
    
-
    utils Class
    
-
    
-
    
-class onelogin.saml2.utils.OneLogin_Saml2_Utils[source]
    
-
    
-
    
-static add_sign(xml, key, cert)[source]
    
-
    Adds signature key and senders certificate to an element (Message or
-Assertion).
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • xml – The element we should sign
      • 
-
    • key – The private key
      • 
-
    • cert – The public
      • 
-
    
-
    Type :
    string | Document
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    
-
    
-
-
    
-
    
-static calculate_x509_fingerprint(x509_cert)[source]
    
-
    Calculates the fingerprint of a x509cert.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:x509_cert – x509 cert
    Type :string
    Returns:Formated fingerprint
    Return type:string
    
-
    
-
-
    
-
    
-static decode_base64_and_inflate(value)[source]
    
-
    base64 decodes and then inflates according to RFC1951
-:param value: a deflated and encoded string
-:return: the string after decoding and inflating
    
-
    
-
-
    
-
    
-static decrypt_element(encrypted_data, enc_ctx)[source]
    
-
    Decrypts an encrypted element.
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • encrypted_data – The encrypted data.
      • 
-
    • enc_ctx – The encryption context.
      • 
-
    
-
    Type :
    DOMElement
    
-
    Type :
    Encryption Context
    
-
    Returns:
    The decrypted element.
    
-
    Return type:
    DOMElement
    
-
    
-
    
-
-
    
-
    
-static deflate_and_base64_encode(value)[source]
    
-
    Deflates and the base64 encodes a string
-:param value: The string to deflate and encode
-:return: The deflated and encoded string
    
-
    
-
-
    
-
    
-static delete_local_session(callback=None)[source]
    
-
    Deletes the local session.
    
-
    
-
-
    
-
    
-static format_cert(cert, heads=True)[source]
    
-
    Returns a x509 cert (adding header & footer if required).
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • cert – A x509 unformated cert
      • 
-
    • heads – True if we want to include head and footer
      • 
-
    
-
    Type :
    string
    
-
    Type :
    boolean
    
-
    Returns:
    Formated cert
    
-
    Return type:
    string
    
-
    
-
    
-
-
    
-
    
-static format_finger_print(fingerprint)[source]
    
-
    Formates a fingerprint.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:fingerprint – fingerprint
    Type :string
    Returns:Formated fingerprint
    Return type:string
    
-
    
-
-
    
-
    
-static generate_name_id(value, sp_nq, sp_format, key=None)[source]
    
-
    Generates a nameID.
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • value – fingerprint
      • 
-
    • sp_nq – SP Name Qualifier
      • 
-
    • sp_format – SP Format
      • 
-
    • key – SP Key to encrypt the nameID
      • 
-
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    Returns:
    DOMElement | XMLSec nameID
    
-
    Return type:
    string
    
-
    
-
    
-
-
    
-
    
-static generate_unique_id()[source]
    
-
    Generates an unique string (used for example as ID for assertions).
    
-
---
-
-
-
-
-
-
    


    Returns:A unique string
    Return type:string
    
-
    
-
-
    
-
    
-static get_expire_time(cache_duration=None, valid_until=None)[source]
    
-
    Compares 2 dates and returns the earliest.
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • cache_duration – The duration, as a string.
      • 
-
    • valid_until – The valid until date, as a string or as a timestamp
      • 
-
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    Returns:
    The expiration time.
    
-
    Return type:
    int
    
-
    
-
    
-
-
    
-
    
-static get_self_host(request_data)[source]
    
-
    Returns the current host.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:request_data – The request as a dict
    Type :dict
    Returns:The current host
    Return type:string
    
-
    
-
-
    
-
    
-static get_self_url(request_data)[source]
    
-
    Returns the URL of the current host + current view + query.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:request_data – The request as a dict
    Type :dict
    Returns:The url of current host + current view + query
    Return type:string
    
-
    
-
-
    
-
    
-static get_self_url_host(request_data)[source]
    
-
    Returns the protocol + the current host + the port (if different than
-common ports).
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:request_data – The request as a dict
    Type :dict
    Returns:Url
    Return type:string
    
-
    
-
-
    
-
    
-static get_self_url_no_query(request_data)[source]
    
-
    Returns the URL of the current host + current view.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:request_data – The request as a dict
    Type :dict
    Returns:The url of current host + current view
    Return type:string
    
-
    
-
-
    
-
    
-static get_status(dom)[source]
    
-
    Gets Status from a Response.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:dom – The Response as XML
    Type :Document
    Returns:The Status, an array with the code and a message.
    Return type:dict
    
-
    
-
-
    
-
    
-static is_https(request_data)[source]
    
-
    Checks if https or http.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:request_data – The request as a dict
    Type :dict
    Returns:False if https is not active
    Return type:boolean
    
-
    
-
-
    
-
    
-static parse_SAML_to_time(timestr)[source]
    
-
    Converts a SAML2 timestamp on the form yyyy-mm-ddThh:mm:ss(.s+)?Z
-to a UNIX timestamp. The sub-second part is ignored.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:time – The time we should convert (SAML Timestamp).
    Type :string
    Returns:Converted to a unix timestamp.
    Return type:int
    
-
    
-
-
    
-
    
-static parse_duration(duration, timestamp=None)[source]
    
-
    Interprets a ISO8601 duration value relative to a given timestamp.
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • duration – The duration, as a string.
      • 
-
    • timestamp – The unix timestamp we should apply the duration to.
-Optional, default to the current time.
      • 
-
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    Returns:
    The new timestamp, after the duration is applied.
    
-
    Return type:
    int
    
-
    
-
    
-
-
    
-
    
-static parse_time_to_SAML(time)[source]
    
-
    Converts a UNIX timestamp to SAML2 timestamp on the form
-yyyy-mm-ddThh:mm:ss(.s+)?Z.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:time – The time we should convert (DateTime).
    Type :string
    Returns:SAML2 timestamp.
    Return type:string
    
-
    
-
-
    
-
    
-static query(dom, query, context=None)[source]
    
-
    Extracts nodes that match the query from the Element
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • dom – The root of the lxml objet
      • 
-
    • query – Xpath Expresion
      • 
-
    • context – Context Node
      • 
-
    
-
    Type :
    Element
    
-
    Type :
    string
    
-
    Type :
    DOMElement
    
-
    Returns:
    The queried nodes
    
-
    Return type:
    list
    
-
    
-
    
-
-
    
-
    
-static redirect(url, parameters={}, request_data={})[source]
    
-
    Executes a redirection to the provided url (or return the target url).
    
-
---
-
-
-
-
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • url – The target url
      • 
-
    • parameters – Extra parameters to be passed as part of the url
      • 
-
    • request_data – The request as a dict
      • 
-
    
-
    Type :
    string
    
-
    Type :
    dict
    
-
    Type :
    dict
    
-
    Returns:
    Url
    
-
    Return type:
    string
    
-
    
-
    
-
-
    
-
    
-static validate_sign(xml, cert=None, fingerprint=None)[source]
    
-
    Validates a signature (Message or Assertion).
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:
      
-
    • xml – The element we should validate
      • 
-
    • cert – The pubic cert
      • 
-
    • fingerprint – The fingerprint of the public cert
      • 
-
    
-
    Type :
    string | Document
    
-
    Type :
    string
    
-
    Type :
    string
    
-
    
-
    
-
-
    
-
    
-static validate_xml(xml, schema, debug=False)[source]
    
-
    
-
-
    
-
    
-static write_temp_file(content)[source]
    
-
    Writes some content into a temporary file and returns it.
    
-
---
-
-
-
-
-
-
-
-
-
-
    


    Parameters:content – The file content
    Type :string
    Returns:The temporary file
    Return type:file-like object
    
-
    
-
-
    
-
-
    
-
    
-
-
-          
    
-        
    
-      
    
-      
    
-        
    
-  
    Table Of Contents
    
-  
-
-  
    Previous topic
    
-  
    Welcome to SAML Python library documentation
    
-  
    This Page
    
-  
-
-
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/search.html b/docs/saml2/search.html
deleted file mode 100644
index 933fde97..00000000
--- a/docs/saml2/search.html
+++ /dev/null
@@ -1,106 +0,0 @@
-
-
-
-
-
-
-  
-    
-
-    Search — SAML Python library classes and methods
-
-    
-    
-
-    
-    
-    
-    
-    
-    
-  
-
-  
-
-
-  
-  
-    
    
-      
    Navigation
    
-      
-    
    
-
-    
    
-      
    
-        
    
-          
    
-
-  
    Search
    
-  
    
-  
-  
    
-    Please activate JavaScript to enable the search
-    functionality.
-  
    
-  
    
-  
    
-    From here you can search these documents. Enter your search
-    words into the box below and click "search". Note that the search
-    function will automatically search for all of the words. Pages
-    containing fewer words won't appear in the result list.
-  
    
-  
    
-    
-    
-    
-  
    
-
-  
    
-
-  
    
-
-          
    
-        
    
-      
    
-      
    
-        
    
-        
    
-      
    
-      
    
-    
    
-    
    
-      
    Navigation
    
-      
-    
    
-    
    
-      Created using Sphinx 1.1.3.
-    
    
-  
-
diff --git a/docs/saml2/searchindex.js b/docs/saml2/searchindex.js
deleted file mode 100644
index cf3c42ca..00000000
--- a/docs/saml2/searchindex.js
+++ /dev/null
@@ -1 +0,0 @@
-Search.setIndex({objects:{"saml2.logout_response.OneLogin_Saml2_Logout_Response":{is_valid:[1,2,1,""],get_response:[1,2,1,""],get_status:[1,2,1,""],get_issuer:[1,2,1,""],build:[1,2,1,""]},"saml2.response.OneLogin_Saml2_Response":{get_audiences:[1,2,1,""],validate_num_assertions:[1,2,1,""],get_nameid_data:[1,2,1,""],get_session_index:[1,2,1,""],get_issuers:[1,2,1,""],is_valid:[1,2,1,""],check_status:[1,2,1,""],validate_timestamps:[1,2,1,""],get_nameid:[1,2,1,""],get_attributes:[1,2,1,""],get_session_not_on_or_after:[1,2,1,""]},"saml2.errors.OneLogin_Saml2_Error":{PUBLIC_CERT_FILE_NOT_FOUND:[1,1,1,""],SETTINGS_FILE_NOT_FOUND:[1,1,1,""],SAML_LOGOUTREQUEST_INVALID:[1,1,1,""],REDIRECT_INVALID_URL:[1,1,1,""],PRIVATE_KEY_FILE_NOT_FOUND:[1,1,1,""],SAML_LOGOUTMESSAGE_NOT_FOUND:[1,1,1,""],SAML_RESPONSE_NOT_FOUND:[1,1,1,""],METADATA_SP_INVALID:[1,1,1,""],SAML_LOGOUTRESPONSE_INVALID:[1,1,1,""],SETTINGS_INVALID:[1,1,1,""],SP_CERTS_NOT_FOUND:[1,1,1,""],SETTINGS_INVALID_SYNTAX:[1,1,1,""],SAML_SINGLE_LOGOUT_NOT_SUPPORTED:[1,1,1,""]},"saml2.errors":{OneLogin_Saml2_Error:[1,6,1,""]},"saml2.metadata.OneLogin_Saml2_Metadata":{sign_metadata:[1,3,1,""],builder:[1,3,1,""],add_x509_key_descriptors:[1,3,1,""],TIME_VALID:[1,1,1,""],TIME_CACHED:[1,1,1,""]},"saml2.response":{OneLogin_Saml2_Response:[1,4,1,""]},"saml2.settings.OneLogin_Saml2_Settings":{get_contacts:[1,2,1,""],get_security_data:[1,2,1,""],validate_metadata:[1,2,1,""],get_errors:[1,2,1,""],check_settings:[1,2,1,""],get_sp_data:[1,2,1,""],get_idp_data:[1,2,1,""],get_cert_path:[1,2,1,""],get_schemas_path:[1,2,1,""],set_strict:[1,2,1,""],get_base_path:[1,2,1,""],is_strict:[1,2,1,""],get_lib_path:[1,2,1,""],get_sp_key:[1,2,1,""],get_sp_metadata:[1,2,1,""],is_debug_active:[1,2,1,""],get_ext_lib_path:[1,2,1,""],get_sp_cert:[1,2,1,""],get_organization:[1,2,1,""],check_sp_certs:[1,2,1,""],format_idp_cert:[1,2,1,""]},"saml2.settings":{OneLogin_Saml2_Settings:[1,4,1,""],validate_url:[1,5,1,""]},"saml2.logout_response":{OneLogin_Saml2_Logout_Response:[1,4,1,""]},"saml2.authn_request.OneLogin_Saml2_Authn_Request":{get_request:[1,2,1,""]},"saml2.constants.OneLogin_Saml2_Constants":{NAMEID_EMAIL_ADDRESS:[1,1,1,""],CM_SENDER_VOUCHES:[1,1,1,""],CM_HOLDER_KEY:[1,1,1,""],NS_SAML:[1,1,1,""],RSA_SHA1:[1,1,1,""],NS_XS:[1,1,1,""],STATUS_PROXY_COUNT_EXCEEDED:[1,1,1,""],NS_SOAP:[1,1,1,""],NAMEID_ENCRYPTED:[1,1,1,""],STATUS_REQUESTER:[1,1,1,""],STATUS_NO_PASSIVE:[1,1,1,""],STATUS_PARTIAL_LOGOUT:[1,1,1,""],BINDING_HTTP_REDIRECT:[1,1,1,""],NAMEID_X509_SUBJECT_NAME:[1,1,1,""],AC_KERBEROS:[1,1,1,""],NAMEID_KERBEROS:[1,1,1,""],BINDING_HTTP_ARTIFACT:[1,1,1,""],NS_XENC:[1,1,1,""],BINDING_HTTP_POST:[1,1,1,""],CM_BEARER:[1,1,1,""],ALOWED_CLOCK_DRIFT:[1,1,1,""],BINDING_DEFLATE:[1,1,1,""],NAMEID_ENTITY:[1,1,1,""],AC_SMARTCARD:[1,1,1,""],AC_UNSPECIFIED:[1,1,1,""],NS_XSI:[1,1,1,""],NSMAP:[1,1,1,""],STATUS_RESPONDER:[1,1,1,""],AC_PASSWORD:[1,1,1,""],NS_SAMLP:[1,1,1,""],NS_DS:[1,1,1,""],STATUS_SUCCESS:[1,1,1,""],AC_X509:[1,1,1,""],NAMEID_TRANSIENT:[1,1,1,""],BINDING_SOAP:[1,1,1,""],ATTRNAME_FORMAT_UNSPECIFIED:[1,1,1,""],ATTRNAME_FORMAT_BASIC:[1,1,1,""],NS_MD:[1,1,1,""],ATTRNAME_FORMAT_URI:[1,1,1,""],NAMEID_PERSISTENT:[1,1,1,""],STATUS_VERSION_MISMATCH:[1,1,1,""],NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME:[1,1,1,""]},"saml2.authn_request":{OneLogin_Saml2_Authn_Request:[1,4,1,""]},"saml2.metadata":{OneLogin_Saml2_Metadata:[1,4,1,""]},"saml2.utils.OneLogin_Saml2_Utils":{generate_unique_id:[1,3,1,""],add_sign:[1,3,1,""],deflate_and_base64_encode:[1,3,1,""],get_status:[1,3,1,""],query:[1,3,1,""],redirect:[1,3,1,""],get_expire_time:[1,3,1,""],decode_base64_and_inflate:[1,3,1,""],parse_SAML_to_time:[1,3,1,""],parse_duration:[1,3,1,""],generate_name_id:[1,3,1,""],validate_xml:[1,3,1,""],get_self_host:[1,3,1,""],parse_time_to_SAML:[1,3,1,""],format_finger_print:[1,3,1,""],decrypt_element:[1,3,1,""],get_self_url_host:[1,3,1,""],get_self_url:[1,3,1,""],delete_local_session:[1,3,1,""],format_cert:[1,3,1,""],is_https:[1,3,1,""],calculate_x509_fingerprint:[1,3,1,""],get_self_url_no_query:[1,3,1,""],write_temp_file:[1,3,1,""],validate_sign:[1,3,1,""]},"saml2.logout_request.OneLogin_Saml2_Logout_Request":{get_issuer:[1,3,1,""],get_name_id:[1,3,1,""],get_request:[1,2,1,""],get_id:[1,3,1,""],is_valid:[1,3,1,""],get_session_indexes:[1,3,1,""],get_name_id_data:[1,3,1,""]},"saml2.utils":{OneLogin_Saml2_Utils:[1,4,1,""]},"saml2.constants":{OneLogin_Saml2_Constants:[1,4,1,""]},"saml2.auth.OneLogin_Saml2_Auth":{get_settings:[1,2,1,""],process_response:[1,2,1,""],get_errors:[1,2,1,""],build_request_signature:[1,2,1,""],redirect_to:[1,2,1,""],is_authenticated:[1,2,1,""],get_attribute:[1,2,1,""],build_response_signature:[1,2,1,""],set_strict:[1,2,1,""],process_slo:[1,2,1,""],get_sso_url:[1,2,1,""],logout:[1,2,1,""],login:[1,2,1,""],get_slo_url:[1,2,1,""],get_attributes:[1,2,1,""],get_nameid:[1,2,1,""]},"saml2.auth":{OneLogin_Saml2_Auth:[1,4,1,""]},saml2:{errors:[1,0,1,""],settings:[1,0,1,""],utils:[1,0,1,""],auth:[1,0,1,""],logout_request:[1,0,1,""],authn_request:[1,0,1,""],logout_response:[1,0,1,""],response:[1,0,1,""],constants:[1,0,1,""],metadata:[1,0,1,""]},"saml2.logout_request":{OneLogin_Saml2_Logout_Request:[1,4,1,""]}},terms:{represent:1,code:1,queri:1,issuer:1,privat:1,encryptedattribut:1,base64:1,ac_smartcard:1,specif:1,send:1,binding_defl:1,must:1,sent:1,deactiv:1,sourc:1,string:1,fals:1,parse_saml_to_tim:1,util:[0,1],xmlschema:1,public_cert_file_not_found:1,get_self_url_no_queri:1,settings_file_not_found:1,list:1,onelogin_saml2_util:1,sign_metadata:1,pubic:1,sign:1,past:1,second:1,pass:1,port:1,index:0,what:1,get_name_id:1,compar:1,get_idp_data:1,sp_nq:1,current:1,delet:1,x509subjectnam:1,"new":1,status_no_pass:1,"public":1,metadata:[0,1],redirect:1,keep_local_sess:1,gener:1,windowsdomainqualifiednam:1,logout:1,path:1,valu:1,search:0,sender:1,datetim:1,cert:1,is_debug_act:1,redirect_invalid_url:1,extra:1,appli:1,modul:[0,1],metadata_sp_invalid:1,is_authent:1,unix:1,"boolean":1,onelogin_saml2_respons:1,org:1,post:1,authnstat:1,from:1,ddthh:1,nameid_persist:1,emailaddress:1,status_request:1,type:1,until:1,keydescriptor:1,attrname_format_bas:1,iso8601:1,"transient":1,get_sp_cert:1,cach:1,status_proxy_count_exceed:1,none:1,endpoint:1,redirect_to:1,uniqu:1,descriptor:1,time_valid:1,root:1,status_success:1,request_data:1,objet:1,process:1,onelogin_saml2_auth:1,unform:1,indic:0,ac_unspecifi:1,want:1,unsign:1,lxml:1,secur:1,check_statu:1,status_respond:1,write:1,verifi:1,decrypt_el:1,ns_samlp:1,ac_x509:1,x509:1,after:1,validate_xml:1,nameid_x509_subject_nam:1,callback:1,date:1,data:1,domdocu:1,footer:1,bind:1,element:1,onelogin_saml2_logout_request:1,authn_request:[0,1],nameid:1,order:1,alowed_clock_drift:1,deflate_and_base64_encod:1,process_respons:1,paramet:1,settings_invalid_syntax:1,persist:1,get_slo_url:1,"return":1,timestamp:1,auth:[0,1],authnrequest:1,get_respons:1,get_self_url:1,format_idp_cert:1,namequalifi:1,authent:1,onelogin_saml2_authn_request:1,mode:1,request_id:1,debug:1,found:1,went:1,oasi:1,authnsign:1,"static":1,rsa_sha1:1,our:1,extract:1,check_sp_cert:1,content:[0,1],validate_metadata:1,rel:1,qualifi:1,generate_name_id:1,envelop:1,given:1,base:1,get_lib_path:1,format_finger_print:1,get_session_index:1,earliest:1,get_name_id_data:1,ns_x:1,could:1,wrong:1,domel:1,ns_d:1,time_cach:1,validate_sign:1,smartcard:1,arrai:1,messag:1,attrname_format_uri:1,kerbero:1,saml_single_logout_not_support:1,differ:1,construct:1,ns_xsi:1,parse_time_to_saml:1,store:1,schema:1,option:1,sessionnotonoraft:1,rsa:1,artifact:1,wantassertionssign:1,encrypted_data:1,vouch:1,part:1,is_strict:1,holder:1,than:1,target:1,provid:1,defat:1,str:1,get_nameid:1,initi:1,argument:1,packag:[0,1],expir:1,onelogin_saml2_error:1,tabl:0,onelogin_saml2_set:1,lib:1,build_response_signatur:1,destroi:1,contact:1,build:1,soap:1,singl:1,validate_timestamp:1,decode_base64_and_infl:1,object:1,nameid_kerbero:1,logout_request:[0,1],return_to:1,"class":1,sub:1,ns_saml:1,saml_logoutrequest_invalid:1,dom:1,url:1,urn:1,nsmap:1,uri:1,determin:1,saml_response_not_found:1,add_sign:1,session:1,nameid_ent:1,onelogin_saml2_const:1,xml:1,onli:1,get_sp_kei:1,timestr:1,activ:1,set_strict:1,should:1,get_sso_url:1,dict:1,folder:1,local:1,valid_until:1,nameid_transi:1,get:1,authnrequestssign:1,sso:1,expres:1,get_nameid_data:1,requir:1,organ:1,onelogin:[0,1],binding_http_redirect:1,common:1,contain:1,xmlenc:1,view:1,respond:1,certif:1,set:[0,1],get_set:1,respons:[0,1],statu:1,ingo:1,logoutrequest:1,check_set:1,someth:1,get_organ:1,saml_logoutresponse_invalid:1,entiti:1,attribut:1,signatur:1,accord:1,kei:1,samlrespons:1,old_set:1,wsign:1,sp_format:1,delete_session_cb:1,rtype:1,get_cert_path:1,format_cert:1,audienc:1,instanc:1,get_error:1,attrnam:1,login:1,validate_num_assert:1,generate_unique_id:1,settings_invalid:1,write_temp_fil:1,status_partial_logout:1,header:1,rfc1951:1,reciev:1,empti:1,interpret:1,basic:1,nameid_email_address:1,partiallogout:1,convert:1,assert:1,get_id:1,versionmismatch:1,saml_request:1,durat:1,defin:1,calcul:1,slo:1,error:[0,1],ns_xenc:1,cm_holder_kei:1,get_attribut:1,binding_soap:1,toolkit:1,sessionindex:1,cache_dur:1,sp_certs_not_found:1,get_statu:1,status_version_mismatch:1,welcom:0,saml:1,inresponseto:1,process_slo:1,same:1,decod:1,document:[0,1],get_security_data:1,http:1,context:1,inflat:1,onelogin_saml2_logout_respons:1,rais:1,temporari:1,user:1,binding_http_artifact:1,extern:1,get_self_url_host:1,sha1:1,builder:1,relay_st:1,calculate_x509_fingerprint:1,exampl:1,thi:1,get_contact:1,protocol:1,bearer:1,execut:1,private_key_file_not_found:1,fingerprint:1,ac_kerbero:1,get_audi:1,get_sp_data:1,except:1,param:1,proxycountexceed:1,add:1,is_valid:1,xenc:1,match:1,logoutrespons:1,nameid_encrypt:1,format:1,add_x509_key_descriptor:1,cm_sender_vouch:1,get_sp_metadata:1,password:1,enc_ctx:1,name:1,like:1,success:1,xmlsoap:1,nameid_windows_domain_qualified_nam:1,page:0,yyyi:1,is_http:1,www:1,some:1,unspecifi:1,librari:1,xmldsig:1,condit:1,get_ext_lib_path:1,get_expire_tim:1,cm_bearer:1,build_request_signatur:1,logout_respons:[0,1],host:1,get_base_path:1,x509cert:1,deflat:1,idp:1,get_request:1,disabl:1,encod:1,get_issu:1,validate_url:1,samlp:1,support:1,strict:1,encript:1,includ:1,delete_local_sess:1,xpath:1,head:1,form:1,spnamequalifi:1,saml_logoutmessage_not_found:1,parse_dur:1,ac_password:1,"true":1,info:1,binding_http_post:1,get_session_not_on_or_aft:1,"default":1,ns_md:1,otherwis:1,constant:[0,1],creat:1,"int":1,request:1,decrypt:1,onelogin_saml2_metadata:1,exist:1,file:1,check:1,saml2:[0,1],encrypt:1,attrname_format_unspecifi:1,get_schemas_path:1,get_data:1,when:1,valid:1,bool:1,futur:1,saml_respons:1,argumen:1,node:1,attributestat:1,get_self_host:1,x509_cert:1,nopass:1,ns_soap:1,xmlsec:1,ignor:1,base64encod:1,time:1,custom_base_path:1,in_response_to:1},objtypes:{"0":"py:module","1":"py:attribute","2":"py:method","3":"py:staticmethod","4":"py:class","5":"py:function","6":"py:exception"},titles:["Welcome to saml2’s documentation!","OneLogin saml2 Module"],objnames:{"0":["py","module","Python module"],"1":["py","attribute","Python attribute"],"2":["py","method","Python method"],"3":["py","staticmethod","Python static method"],"4":["py","class","Python class"],"5":["py","function","Python function"],"6":["py","exception","Python exception"]},filenames:["index","saml2"]})
\ No newline at end of file

From 325833137c047e3a467a5559cebf2ffe39d7a925 Mon Sep 17 00:00:00 2001
From: Sixto Martin 
Date: Sun, 1 Oct 2023 03:11:48 +0200
Subject: [PATCH 305/331] Add updated HTML doc

---
 docs/saml2/_modules/index.html                |  116 +
 docs/saml2/_modules/onelogin/saml2/auth.html  |  865 ++++
 .../onelogin/saml2/authn_request.html         |  265 ++
 .../saml2/_modules/onelogin/saml2/compat.html |  166 +
 .../_modules/onelogin/saml2/constants.html    |  218 +
 .../saml2/_modules/onelogin/saml2/errors.html |  228 +
 .../onelogin/saml2/idp_metadata_parser.html   |  380 ++
 .../onelogin/saml2/logout_request.html        |  465 ++
 .../onelogin/saml2/logout_response.html       |  321 ++
 .../_modules/onelogin/saml2/metadata.html     |  365 ++
 .../_modules/onelogin/saml2/response.html     | 1054 +++++
 .../_modules/onelogin/saml2/settings.html     |  961 +++++
 docs/saml2/_modules/onelogin/saml2/utils.html | 1173 +++++
 .../onelogin/saml2/xml_templates.html         |  256 ++
 .../_modules/onelogin/saml2/xml_utils.html    |  276 ++
 .../_modules/onelogin/saml2/xmlparser.html    |  285 ++
 docs/saml2/_sources/index.rst.txt             |   14 +
 docs/saml2/_sources/modules.rst.txt           |    7 +
 docs/saml2/_sources/onelogin.rst.txt          |   18 +
 docs/saml2/_sources/onelogin.saml2.rst.txt    |  133 +
 .../_sphinx_javascript_frameworks_compat.js   |  123 +
 docs/saml2/_static/basic.css                  |  921 ++++
 docs/saml2/_static/css/badge_only.css         |    1 +
 .../_static/css/fonts/Roboto-Slab-Bold.woff   |  Bin 0 -> 87624 bytes
 .../_static/css/fonts/Roboto-Slab-Bold.woff2  |  Bin 0 -> 67312 bytes
 .../css/fonts/Roboto-Slab-Regular.woff        |  Bin 0 -> 86288 bytes
 .../css/fonts/Roboto-Slab-Regular.woff2       |  Bin 0 -> 66444 bytes
 .../_static/css/fonts/fontawesome-webfont.eot |  Bin 0 -> 165742 bytes
 .../_static/css/fonts/fontawesome-webfont.svg | 2671 ++++++++++++
 .../_static/css/fonts/fontawesome-webfont.ttf |  Bin 0 -> 165548 bytes
 .../css/fonts/fontawesome-webfont.woff        |  Bin 0 -> 98024 bytes
 .../css/fonts/fontawesome-webfont.woff2       |  Bin 0 -> 77160 bytes
 .../_static/css/fonts/lato-bold-italic.woff   |  Bin 0 -> 323344 bytes
 .../_static/css/fonts/lato-bold-italic.woff2  |  Bin 0 -> 193308 bytes
 docs/saml2/_static/css/fonts/lato-bold.woff   |  Bin 0 -> 309728 bytes
 docs/saml2/_static/css/fonts/lato-bold.woff2  |  Bin 0 -> 184912 bytes
 .../_static/css/fonts/lato-normal-italic.woff |  Bin 0 -> 328412 bytes
 .../css/fonts/lato-normal-italic.woff2        |  Bin 0 -> 195704 bytes
 docs/saml2/_static/css/fonts/lato-normal.woff |  Bin 0 -> 309192 bytes
 .../saml2/_static/css/fonts/lato-normal.woff2 |  Bin 0 -> 182708 bytes
 docs/saml2/_static/css/theme.css              |    4 +
 docs/saml2/_static/doctools.js                |  156 +
 docs/saml2/_static/documentation_options.js   |   14 +
 docs/saml2/_static/file.png                   |  Bin 0 -> 286 bytes
 docs/saml2/_static/jquery.js                  |    2 +
 docs/saml2/_static/js/badge_only.js           |    1 +
 .../_static/js/html5shiv-printshiv.min.js     |    4 +
 docs/saml2/_static/js/html5shiv.min.js        |    4 +
 docs/saml2/_static/js/theme.js                |    1 +
 docs/saml2/_static/language_data.js           |  199 +
 docs/saml2/_static/minus.png                  |  Bin 0 -> 90 bytes
 docs/saml2/_static/plus.png                   |  Bin 0 -> 90 bytes
 docs/saml2/_static/pygments.css               |   75 +
 docs/saml2/_static/searchtools.js             |  566 +++
 docs/saml2/_static/sphinx_highlight.js        |  144 +
 docs/saml2/genindex.html                      | 1223 ++++++
 docs/saml2/index.html                         |  139 +
 docs/saml2/modules.html                       |  135 +
 docs/saml2/objects.inv                        |  Bin 0 -> 3433 bytes
 docs/saml2/onelogin.html                      |  585 +++
 docs/saml2/onelogin.saml2.html                | 3780 +++++++++++++++++
 docs/saml2/py-modindex.html                   |  200 +
 docs/saml2/search.html                        |  120 +
 docs/saml2/searchindex.js                     |    1 +
 64 files changed, 18635 insertions(+)
 create mode 100644 docs/saml2/_modules/index.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/auth.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/authn_request.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/compat.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/constants.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/errors.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/idp_metadata_parser.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/logout_request.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/logout_response.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/metadata.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/response.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/settings.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/utils.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/xml_templates.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/xml_utils.html
 create mode 100644 docs/saml2/_modules/onelogin/saml2/xmlparser.html
 create mode 100644 docs/saml2/_sources/index.rst.txt
 create mode 100644 docs/saml2/_sources/modules.rst.txt
 create mode 100644 docs/saml2/_sources/onelogin.rst.txt
 create mode 100644 docs/saml2/_sources/onelogin.saml2.rst.txt
 create mode 100644 docs/saml2/_static/_sphinx_javascript_frameworks_compat.js
 create mode 100644 docs/saml2/_static/basic.css
 create mode 100644 docs/saml2/_static/css/badge_only.css
 create mode 100644 docs/saml2/_static/css/fonts/Roboto-Slab-Bold.woff
 create mode 100644 docs/saml2/_static/css/fonts/Roboto-Slab-Bold.woff2
 create mode 100644 docs/saml2/_static/css/fonts/Roboto-Slab-Regular.woff
 create mode 100644 docs/saml2/_static/css/fonts/Roboto-Slab-Regular.woff2
 create mode 100644 docs/saml2/_static/css/fonts/fontawesome-webfont.eot
 create mode 100644 docs/saml2/_static/css/fonts/fontawesome-webfont.svg
 create mode 100644 docs/saml2/_static/css/fonts/fontawesome-webfont.ttf
 create mode 100644 docs/saml2/_static/css/fonts/fontawesome-webfont.woff
 create mode 100644 docs/saml2/_static/css/fonts/fontawesome-webfont.woff2
 create mode 100644 docs/saml2/_static/css/fonts/lato-bold-italic.woff
 create mode 100644 docs/saml2/_static/css/fonts/lato-bold-italic.woff2
 create mode 100644 docs/saml2/_static/css/fonts/lato-bold.woff
 create mode 100644 docs/saml2/_static/css/fonts/lato-bold.woff2
 create mode 100644 docs/saml2/_static/css/fonts/lato-normal-italic.woff
 create mode 100644 docs/saml2/_static/css/fonts/lato-normal-italic.woff2
 create mode 100644 docs/saml2/_static/css/fonts/lato-normal.woff
 create mode 100644 docs/saml2/_static/css/fonts/lato-normal.woff2
 create mode 100644 docs/saml2/_static/css/theme.css
 create mode 100644 docs/saml2/_static/doctools.js
 create mode 100644 docs/saml2/_static/documentation_options.js
 create mode 100644 docs/saml2/_static/file.png
 create mode 100644 docs/saml2/_static/jquery.js
 create mode 100644 docs/saml2/_static/js/badge_only.js
 create mode 100644 docs/saml2/_static/js/html5shiv-printshiv.min.js
 create mode 100644 docs/saml2/_static/js/html5shiv.min.js
 create mode 100644 docs/saml2/_static/js/theme.js
 create mode 100644 docs/saml2/_static/language_data.js
 create mode 100644 docs/saml2/_static/minus.png
 create mode 100644 docs/saml2/_static/plus.png
 create mode 100644 docs/saml2/_static/pygments.css
 create mode 100644 docs/saml2/_static/searchtools.js
 create mode 100644 docs/saml2/_static/sphinx_highlight.js
 create mode 100644 docs/saml2/genindex.html
 create mode 100644 docs/saml2/index.html
 create mode 100644 docs/saml2/modules.html
 create mode 100644 docs/saml2/objects.inv
 create mode 100644 docs/saml2/onelogin.html
 create mode 100644 docs/saml2/onelogin.saml2.html
 create mode 100644 docs/saml2/py-modindex.html
 create mode 100644 docs/saml2/search.html
 create mode 100644 docs/saml2/searchindex.js

diff --git a/docs/saml2/_modules/index.html b/docs/saml2/_modules/index.html
new file mode 100644
index 00000000..decb1d07
--- /dev/null
+++ b/docs/saml2/_modules/index.html
@@ -0,0 +1,116 @@
+
+
+
+  
+  
+  Overview: module code — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
      
+      
      • 
+      
    • Overview: module code
      • 
+      
    • 
+      
      • 
+  
    
+  
    
+
    
+          
    
+           
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/auth.html b/docs/saml2/_modules/onelogin/saml2/auth.html
new file mode 100644
index 00000000..b202bed0
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/auth.html
@@ -0,0 +1,865 @@
+
+
+
+  
+  
+  onelogin.saml2.auth — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.auth
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Auth class
+
+
+Main class of SAML Python Toolkit.
+
+Initializes the SP SAML instance
+
+"""
+
+import xmlsec
+
+from onelogin.saml2 import compat
+from onelogin.saml2.authn_request import OneLogin_Saml2_Authn_Request
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.logout_request import OneLogin_Saml2_Logout_Request
+from onelogin.saml2.logout_response import OneLogin_Saml2_Logout_Response
+from onelogin.saml2.response import OneLogin_Saml2_Response
+from onelogin.saml2.settings import OneLogin_Saml2_Settings
+from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
+from onelogin.saml2.xmlparser import tostring
+
+
+
    [docs]class OneLogin_Saml2_Auth(object):
+    """
+
+    This class implements the SP SAML instance.
+
+    Defines the methods that you can invoke in your application in
+    order to add SAML support (initiates SSO, initiates SLO, processes a
+    SAML Response, a Logout Request or a Logout Response).
+    """
+
+    authn_request_class = OneLogin_Saml2_Authn_Request
+    logout_request_class = OneLogin_Saml2_Logout_Request
+    logout_response_class = OneLogin_Saml2_Logout_Response
+    response_class = OneLogin_Saml2_Response
+
+    def __init__(self, request_data, old_settings=None, custom_base_path=None):
+        """
+        Initializes the SP SAML instance.
+
+        :param request_data: Request Data
+        :type request_data: dict
+
+        :param old_settings: Optional. SAML Toolkit Settings
+        :type old_settings: dict
+
+        :param custom_base_path: Optional. Path where are stored the settings file and the cert folder
+        :type custom_base_path: string
+        """
+        self._request_data = request_data
+        if isinstance(old_settings, OneLogin_Saml2_Settings):
+            self._settings = old_settings
+        else:
+            self._settings = OneLogin_Saml2_Settings(old_settings, custom_base_path)
+        self._attributes = dict()
+        self._friendlyname_attributes = dict()
+        self._nameid = None
+        self._nameid_format = None
+        self._nameid_nq = None
+        self._nameid_spnq = None
+        self._session_index = None
+        self._session_expiration = None
+        self._authenticated = False
+        self._errors = []
+        self._error_reason = None
+        self._last_request_id = None
+        self._last_message_id = None
+        self._last_assertion_id = None
+        self._last_assertion_issue_instant = None
+        self._last_authn_contexts = []
+        self._last_request = None
+        self._last_response = None
+        self._last_response_in_response_to = None
+        self._last_assertion_not_on_or_after = None
+
+
    [docs]    def get_settings(self):
+        """
+        Returns the settings info
+        :return: Setting info
+        :rtype: OneLogin_Saml2_Setting object
+        """
+        return self._settings
    
+
+
    [docs]    def set_strict(self, value):
+        """
+        Set the strict mode active/disable
+
+        :param value:
+        :type value: bool
+        """
+        assert isinstance(value, bool)
+        self._settings.set_strict(value)
    
+
+
    [docs]    def store_valid_response(self, response):
+        self._attributes = response.get_attributes()
+        self._friendlyname_attributes = response.get_friendlyname_attributes()
+        self._nameid = response.get_nameid()
+        self._nameid_format = response.get_nameid_format()
+        self._nameid_nq = response.get_nameid_nq()
+        self._nameid_spnq = response.get_nameid_spnq()
+        self._session_index = response.get_session_index()
+        self._session_expiration = response.get_session_not_on_or_after()
+        self._last_message_id = response.get_id()
+        self._last_assertion_id = response.get_assertion_id()
+        self._last_assertion_issue_instant = response.get_assertion_issue_instant()
+        self._last_authn_contexts = response.get_authn_contexts()
+        self._authenticated = True
+        self._last_response_in_response_to = response.get_in_response_to()
+        self._last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
    
+
+
    [docs]    def process_response(self, request_id=None):
+        """
+        Process the SAML Response sent by the IdP.
+
+        :param request_id: Is an optional argument. Is the ID of the AuthNRequest sent by this SP to the IdP.
+        :type request_id: string
+
+        :raises: OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND, when a POST with a SAMLResponse is not found
+        """
+        self._errors = []
+        self._error_reason = None
+
+        if 'post_data' in self._request_data and 'SAMLResponse' in self._request_data['post_data']:
+            # AuthnResponse -- HTTP_POST Binding
+            response = self.response_class(self._settings, self._request_data['post_data']['SAMLResponse'])
+            self._last_response = response.get_xml_document()
+
+            if response.is_valid(self._request_data, request_id):
+                self.store_valid_response(response)
+            else:
+                self._errors.append('invalid_response')
+                self._error_reason = response.get_error()
+
+        else:
+            self._errors.append('invalid_binding')
+            raise OneLogin_Saml2_Error(
+                'SAML Response not found, Only supported HTTP_POST Binding',
+                OneLogin_Saml2_Error.SAML_RESPONSE_NOT_FOUND
+            )
    
+
+
    [docs]    def process_slo(self, keep_local_session=False, request_id=None, delete_session_cb=None):
+        """
+        Process the SAML Logout Response / Logout Request sent by the IdP.
+
+        :param keep_local_session: When false will destroy the local session, otherwise will destroy it
+        :type keep_local_session: bool
+
+        :param request_id: The ID of the LogoutRequest sent by this SP to the IdP
+        :type request_id: string
+
+        :returns: Redirection url
+        """
+        self._errors = []
+        self._error_reason = None
+
+        get_data = 'get_data' in self._request_data and self._request_data['get_data']
+        if get_data and 'SAMLResponse' in get_data:
+            logout_response = self.logout_response_class(self._settings, get_data['SAMLResponse'])
+            self._last_response = logout_response.get_xml()
+            if not self.validate_response_signature(get_data):
+                self._errors.append('invalid_logout_response_signature')
+                self._errors.append('Signature validation failed. Logout Response rejected')
+            elif not logout_response.is_valid(self._request_data, request_id):
+                self._errors.append('invalid_logout_response')
+            elif logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
+                self._errors.append('logout_not_success')
+            else:
+                self._last_message_id = logout_response.id
+                if not keep_local_session:
+                    OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
+
+        elif get_data and 'SAMLRequest' in get_data:
+            logout_request = self.logout_request_class(self._settings, get_data['SAMLRequest'])
+            self._last_request = logout_request.get_xml()
+            if not self.validate_request_signature(get_data):
+                self._errors.append("invalid_logout_request_signature")
+                self._errors.append('Signature validation failed. Logout Request rejected')
+            elif not logout_request.is_valid(self._request_data):
+                self._errors.append('invalid_logout_request')
+            else:
+                if not keep_local_session:
+                    OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
+
+                in_response_to = logout_request.id
+                self._last_message_id = logout_request.id
+                response_builder = self.logout_response_class(self._settings)
+                response_builder.build(in_response_to)
+                self._last_response = response_builder.get_xml()
+                logout_response = response_builder.get_response()
+
+                parameters = {'SAMLResponse': logout_response}
+                if 'RelayState' in self._request_data['get_data']:
+                    parameters['RelayState'] = self._request_data['get_data']['RelayState']
+
+                security = self._settings.get_security_data()
+                if security['logoutResponseSigned']:
+                    self.add_response_signature(parameters, security['signatureAlgorithm'])
+
+                return self.redirect_to(self.get_slo_response_url(), parameters)
+        else:
+            self._errors.append('invalid_binding')
+            raise OneLogin_Saml2_Error(
+                'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
+                OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND
+            )
    
+
+
    [docs]    def redirect_to(self, url=None, parameters={}):
+        """
+        Redirects the user to the URL passed by parameter or to the URL that we defined in our SSO Request.
+
+        :param url: The target URL to redirect the user
+        :type url: string
+        :param parameters: Extra parameters to be passed as part of the URL
+        :type parameters: dict
+
+        :returns: Redirection URL
+        """
+        if url is None and 'RelayState' in self._request_data['get_data']:
+            url = self._request_data['get_data']['RelayState']
+        return OneLogin_Saml2_Utils.redirect(url, parameters, request_data=self._request_data)
    
+
+
    [docs]    def is_authenticated(self):
+        """
+        Checks if the user is authenticated or not.
+
+        :returns: True if is authenticated, False if not
+        :rtype: bool
+        """
+        return self._authenticated
    
+
+
    [docs]    def get_attributes(self):
+        """
+        Returns the set of SAML attributes.
+
+        :returns: SAML attributes
+        :rtype: dict
+        """
+        return self._attributes
    
+
+
    [docs]    def get_friendlyname_attributes(self):
+        """
+        Returns the set of SAML attributes indexed by FiendlyName.
+
+        :returns: SAML attributes
+        :rtype: dict
+        """
+        return self._friendlyname_attributes
    
+
+
    [docs]    def get_nameid(self):
+        """
+        Returns the nameID.
+
+        :returns: NameID
+        :rtype: string|None
+        """
+        return self._nameid
    
+
+
    [docs]    def get_nameid_format(self):
+        """
+        Returns the nameID Format.
+
+        :returns: NameID Format
+        :rtype: string|None
+        """
+        return self._nameid_format
    
+
+
    [docs]    def get_nameid_nq(self):
+        """
+        Returns the nameID NameQualifier of the Assertion.
+
+        :returns: NameID NameQualifier
+        :rtype: string|None
+        """
+        return self._nameid_nq
    
+
+
    [docs]    def get_nameid_spnq(self):
+        """
+        Returns the nameID SP NameQualifier of the Assertion.
+
+        :returns: NameID SP NameQualifier
+        :rtype: string|None
+        """
+        return self._nameid_spnq
    
+
+
    [docs]    def get_session_index(self):
+        """
+        Returns the SessionIndex from the AuthnStatement.
+        :returns: The SessionIndex of the assertion
+        :rtype: string
+        """
+        return self._session_index
    
+
+
    [docs]    def get_session_expiration(self):
+        """
+        Returns the SessionNotOnOrAfter from the AuthnStatement.
+        :returns: The SessionNotOnOrAfter of the assertion
+        :rtype: unix/posix timestamp|None
+        """
+        return self._session_expiration
    
+
+
    [docs]    def get_last_assertion_not_on_or_after(self):
+        """
+        The NotOnOrAfter value of the valid SubjectConfirmationData node
+        (if any) of the last assertion processed
+        """
+        return self._last_assertion_not_on_or_after
    
+
+
    [docs]    def get_errors(self):
+        """
+        Returns a list with code errors if something went wrong
+
+        :returns: List of errors
+        :rtype: list
+        """
+        return self._errors
    
+
+
    [docs]    def get_last_error_reason(self):
+        """
+        Returns the reason for the last error
+
+        :returns: Reason of the last error
+        :rtype: None | string
+        """
+        return self._error_reason
    
+
+
    [docs]    def get_attribute(self, name):
+        """
+        Returns the requested SAML attribute.
+
+        :param name: Name of the attribute
+        :type name: string
+
+        :returns: Attribute value(s) if exists or None
+        :rtype: list
+        """
+        assert isinstance(name, compat.str_type)
+        return self._attributes.get(name)
    
+
+
    [docs]    def get_friendlyname_attribute(self, friendlyname):
+        """
+        Returns the requested SAML attribute searched by FriendlyName.
+
+        :param friendlyname: FriendlyName of the attribute
+        :type friendlyname: string
+
+        :returns: Attribute value(s) if exists or None
+        :rtype: list
+        """
+        assert isinstance(friendlyname, compat.str_type)
+        return self._friendlyname_attributes.get(friendlyname)
    
+
+
    [docs]    def get_last_request_id(self):
+        """
+        :returns: The ID of the last Request SAML message generated.
+        :rtype: string
+        """
+        return self._last_request_id
    
+
+
    [docs]    def get_last_message_id(self):
+        """
+        :returns: The ID of the last Response SAML message processed.
+        :rtype: string
+        """
+        return self._last_message_id
    
+
+
    [docs]    def get_last_assertion_id(self):
+        """
+        :returns: The ID of the last assertion processed.
+        :rtype: string
+        """
+        return self._last_assertion_id
    
+
+
    [docs]    def get_last_assertion_issue_instant(self):
+        """
+        :returns: The IssueInstant of the last assertion processed.
+        :rtype: unix/posix timestamp|None
+        """
+        return self._last_assertion_issue_instant
    
+
+
    [docs]    def get_last_authn_contexts(self):
+        """
+        :returns: The list of authentication contexts sent in the last SAML Response.
+        :rtype: list
+        """
+        return self._last_authn_contexts
    
+
+
    [docs]    def get_last_response_in_response_to(self):
+        """
+        :returns: InResponseTo attribute of the last Response SAML processed or None if it is not present.
+        :rtype: string
+        """
+        return self._last_response_in_response_to
    
+
+
    [docs]    def login(self, return_to=None, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
+        """
+        Initiates the SSO process.
+
+        :param return_to: Optional argument. The target URL the user should be redirected to after login.
+        :type return_to: string
+
+        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
+        :type force_authn: bool
+
+        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
+        :type is_passive: bool
+
+        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
+        :type set_nameid_policy: bool
+
+        :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
+        :type name_id_value_req: string
+
+        :returns: Redirection URL
+        :rtype: string
+        """
+        authn_request = self.authn_request_class(self._settings, force_authn, is_passive, set_nameid_policy, name_id_value_req)
+        self._last_request = authn_request.get_xml()
+        self._last_request_id = authn_request.get_id()
+
+        saml_request = authn_request.get_request()
+        parameters = {'SAMLRequest': saml_request}
+
+        if return_to is not None:
+            parameters['RelayState'] = return_to
+        else:
+            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self._request_data)
+
+        security = self._settings.get_security_data()
+        if security.get('authnRequestsSigned', False):
+            self.add_request_signature(parameters, security['signatureAlgorithm'])
+        return self.redirect_to(self.get_sso_url(), parameters)
    
+
+
    [docs]    def logout(self, return_to=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
+        """
+        Initiates the SLO process.
+
+        :param return_to: Optional argument. The target URL the user should be redirected to after logout.
+        :type return_to: string
+
+        :param name_id: The NameID that will be set in the LogoutRequest.
+        :type name_id: string
+
+        :param session_index: SessionIndex that identifies the session of the user.
+        :type session_index: string
+
+        :param nq: IDP Name Qualifier
+        :type: string
+
+        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
+        :type: string
+
+        :param spnq: SP Name Qualifier
+        :type: string
+
+        :returns: Redirection URL
+        """
+        slo_url = self.get_slo_url()
+        if slo_url is None:
+            raise OneLogin_Saml2_Error(
+                'The IdP does not support Single Log Out',
+                OneLogin_Saml2_Error.SAML_SINGLE_LOGOUT_NOT_SUPPORTED
+            )
+
+        if name_id is None and self._nameid is not None:
+            name_id = self._nameid
+
+        if name_id_format is None and self._nameid_format is not None:
+            name_id_format = self._nameid_format
+
+        logout_request = self.logout_request_class(
+            self._settings,
+            name_id=name_id,
+            session_index=session_index,
+            nq=nq,
+            name_id_format=name_id_format,
+            spnq=spnq
+        )
+        self._last_request = logout_request.get_xml()
+        self._last_request_id = logout_request.id
+
+        parameters = {'SAMLRequest': logout_request.get_request()}
+        if return_to is not None:
+            parameters['RelayState'] = return_to
+        else:
+            parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self._request_data)
+
+        security = self._settings.get_security_data()
+        if security.get('logoutRequestSigned', False):
+            self.add_request_signature(parameters, security['signatureAlgorithm'])
+        return self.redirect_to(slo_url, parameters)
    
+
+
    [docs]    def get_sso_url(self):
+        """
+        Gets the SSO URL.
+
+        :returns: An URL, the SSO endpoint of the IdP
+        :rtype: string
+        """
+        return self._settings.get_idp_sso_url()
    
+
+
    [docs]    def get_slo_url(self):
+        """
+        Gets the SLO URL.
+
+        :returns: An URL, the SLO endpoint of the IdP
+        :rtype: string
+        """
+        return self._settings.get_idp_slo_url()
    
+
+
    [docs]    def get_slo_response_url(self):
+        """
+        Gets the SLO return URL for IdP-initiated logout.
+
+        :returns: an URL, the SLO return endpoint of the IdP
+        :rtype: string
+        """
+        return self._settings.get_idp_slo_response_url()
    
+
+
    [docs]    def add_request_signature(self, request_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256):
+        """
+        Builds the Signature of the SAML Request.
+
+        :param request_data: The Request parameters
+        :type request_data: dict
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
+        """
+        return self._build_signature(request_data, 'SAMLRequest', sign_algorithm)
    
+
+
    [docs]    def add_response_signature(self, response_data, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256):
+        """
+        Builds the Signature of the SAML Response.
+        :param response_data: The Response parameters
+        :type response_data: dict
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
+        """
+        return self._build_signature(response_data, 'SAMLResponse', sign_algorithm)
    
+
+    @staticmethod
+    def _build_sign_query_from_qs(query_string, saml_type):
+        """
+        Build sign query from query string
+
+        :param query_string: The query string
+        :type query_string: str
+
+        :param saml_type: The target URL the user should be redirected to
+        :type saml_type: string SAMLRequest | SAMLResponse
+        """
+        args = ('%s=' % saml_type, 'RelayState=', 'SigAlg=')
+        parts = query_string.split('&')
+        # Join in the order of arguments rather than the original order of parts.
+        return '&'.join(part for arg in args for part in parts if part.startswith(arg))
+
+    @staticmethod
+    def _build_sign_query(saml_data, relay_state, algorithm, saml_type, lowercase_urlencoding=False):
+        """
+        Build sign query
+
+        :param saml_data: The Request data
+        :type saml_data: str
+
+        :param relay_state: The Relay State
+        :type relay_state: str
+
+        :param algorithm: The Signature Algorithm
+        :type algorithm: str
+
+        :param saml_type: The target URL the user should be redirected to
+        :type saml_type: string  SAMLRequest | SAMLResponse
+
+        :param lowercase_urlencoding: lowercase or no
+        :type lowercase_urlencoding: boolean
+        """
+        sign_data = ['%s=%s' % (saml_type, OneLogin_Saml2_Utils.escape_url(saml_data, lowercase_urlencoding))]
+        if relay_state is not None:
+            sign_data.append('RelayState=%s' % OneLogin_Saml2_Utils.escape_url(relay_state, lowercase_urlencoding))
+        sign_data.append('SigAlg=%s' % OneLogin_Saml2_Utils.escape_url(algorithm, lowercase_urlencoding))
+        return '&'.join(sign_data)
+
+    def _build_signature(self, data, saml_type, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256):
+        """
+        Builds the Signature
+        :param data: The Request data
+        :type data: dict
+
+        :param saml_type: The target URL the user should be redirected to
+        :type saml_type: string  SAMLRequest | SAMLResponse
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
+        """
+        assert saml_type in ('SAMLRequest', 'SAMLResponse')
+        key = self.get_settings().get_sp_key()
+
+        if not key:
+            raise OneLogin_Saml2_Error(
+                "Trying to sign the %s but can't load the SP private key." % saml_type,
+                OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
+            )
+
+        msg = self._build_sign_query(data[saml_type],
+                                     data.get('RelayState', None),
+                                     sign_algorithm,
+                                     saml_type)
+
+        sign_algorithm_transform_map = {
+            OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
+            OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.Transform.RSA_SHA1,
+            OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.Transform.RSA_SHA256,
+            OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
+            OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
+        }
+        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA256)
+
+        signature = OneLogin_Saml2_Utils.sign_binary(msg, key, sign_algorithm_transform, self._settings.is_debug_active())
+        data['Signature'] = OneLogin_Saml2_Utils.b64encode(signature)
+        data['SigAlg'] = sign_algorithm
+
+
    [docs]    def validate_request_signature(self, request_data):
+        """
+        Validate Request Signature
+
+        :param request_data: The Request data
+        :type request_data: dict
+
+        """
+
+        return self._validate_signature(request_data, 'SAMLRequest')
    
+
+
    [docs]    def validate_response_signature(self, request_data):
+        """
+        Validate Response Signature
+
+        :param request_data: The Request data
+        :type request_data: dict
+
+        """
+
+        return self._validate_signature(request_data, 'SAMLResponse')
    
+
+    def _validate_signature(self, data, saml_type, raise_exceptions=False):
+        """
+        Validate Signature
+
+        :param data: The Request data
+        :type data: dict
+
+        :param cert: The certificate to check signature
+        :type cert: str
+
+        :param saml_type: The target URL the user should be redirected to
+        :type saml_type: string  SAMLRequest | SAMLResponse
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+        """
+        try:
+            signature = data.get('Signature', None)
+            if signature is None:
+                if self._settings.is_strict() and self._settings.get_security_data().get('wantMessagesSigned', False):
+                    raise OneLogin_Saml2_ValidationError(
+                        'The %s is not signed. Rejected.' % saml_type,
+                        OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
+                    )
+                return True
+
+            idp_data = self.get_settings().get_idp_data()
+
+            exists_x509cert = self.get_settings().get_idp_cert() is not None
+            exists_multix509sign = 'x509certMulti' in idp_data and \
+                'signing' in idp_data['x509certMulti'] and \
+                idp_data['x509certMulti']['signing']
+
+            if not (exists_x509cert or exists_multix509sign):
+                error_msg = 'In order to validate the sign on the %s, the x509cert of the IdP is required' % saml_type
+                self._errors.append(error_msg)
+                raise OneLogin_Saml2_Error(
+                    error_msg,
+                    OneLogin_Saml2_Error.CERT_NOT_FOUND
+                )
+
+            sign_alg = data.get('SigAlg', OneLogin_Saml2_Constants.RSA_SHA1)
+            if isinstance(sign_alg, bytes):
+                sign_alg = sign_alg.decode('utf8')
+
+            security = self._settings.get_security_data()
+            reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+            if reject_deprecated_alg:
+                if sign_alg in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                    raise OneLogin_Saml2_ValidationError(
+                        'Deprecated signature algorithm found: %s' % sign_alg,
+                        OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                    )
+
+            query_string = self._request_data.get('query_string')
+            if query_string and self._request_data.get('validate_signature_from_qs'):
+                signed_query = self._build_sign_query_from_qs(query_string, saml_type)
+            else:
+                lowercase_urlencoding = self._request_data.get('lowercase_urlencoding', False)
+                signed_query = self._build_sign_query(data[saml_type],
+                                                      data.get('RelayState'),
+                                                      sign_alg,
+                                                      saml_type,
+                                                      lowercase_urlencoding)
+
+            if exists_multix509sign:
+                for cert in idp_data['x509certMulti']['signing']:
+                    if OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
+                                                                 OneLogin_Saml2_Utils.b64decode(signature),
+                                                                 cert,
+                                                                 sign_alg):
+                        return True
+                raise OneLogin_Saml2_ValidationError(
+                    'Signature validation failed. %s rejected' % saml_type,
+                    OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                )
+            else:
+                cert = self.get_settings().get_idp_cert()
+
+                if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,
+                                                                 OneLogin_Saml2_Utils.b64decode(signature),
+                                                                 cert,
+                                                                 sign_alg,
+                                                                 self._settings.is_debug_active()):
+                    raise OneLogin_Saml2_ValidationError(
+                        'Signature validation failed. %s rejected' % saml_type,
+                        OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                    )
+            return True
+        except Exception as e:
+            self._error_reason = str(e)
+            if raise_exceptions:
+                raise e
+            return False
+
+
    [docs]    def get_last_response_xml(self, pretty_print_if_possible=False):
+        """
+        Retrieves the raw XML (decrypted) of the last SAML response,
+        or the last Logout Response generated or processed
+        :returns: SAML response XML
+        :rtype: string|None
+        """
+        response = None
+        if self._last_response is not None:
+            if isinstance(self._last_response, compat.str_type):
+                response = self._last_response
+            else:
+                response = tostring(self._last_response, encoding='unicode', pretty_print=pretty_print_if_possible)
+        return response
    
+
+
    [docs]    def get_last_request_xml(self):
+        """
+        Retrieves the raw XML sent in the last SAML request
+        :returns: SAML request XML
+        :rtype: string|None
+        """
+        return self._last_request or None
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/authn_request.html b/docs/saml2/_modules/onelogin/saml2/authn_request.html
new file mode 100644
index 00000000..b72bd675
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/authn_request.html
@@ -0,0 +1,265 @@
+
+
+
+  
+  
+  onelogin.saml2.authn_request — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.authn_request
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Authn_Request class
+
+
+AuthNRequest class of SAML Python Toolkit.
+
+"""
+
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates
+
+
+
    [docs]class OneLogin_Saml2_Authn_Request(object):
+    """
+
+    This class handles an AuthNRequest. It builds an
+    AuthNRequest object.
+
+    """
+
+    def __init__(self, settings, force_authn=False, is_passive=False, set_nameid_policy=True, name_id_value_req=None):
+        """
+        Constructs the AuthnRequest object.
+
+        :param settings: OSetting data
+        :type settings: OneLogin_Saml2_Settings
+
+        :param force_authn: Optional argument. When true the AuthNRequest will set the ForceAuthn='true'.
+        :type force_authn: bool
+
+        :param is_passive: Optional argument. When true the AuthNRequest will set the Ispassive='true'.
+        :type is_passive: bool
+
+        :param set_nameid_policy: Optional argument. When true the AuthNRequest will set a nameIdPolicy element.
+        :type set_nameid_policy: bool
+
+        :param name_id_value_req: Optional argument. Indicates to the IdP the subject that should be authenticated
+        :type name_id_value_req: string
+        """
+        self._settings = settings
+
+        sp_data = self._settings.get_sp_data()
+        idp_data = self._settings.get_idp_data()
+        security = self._settings.get_security_data()
+
+        self._id = self._generate_request_id()
+        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
+
+        destination = idp_data['singleSignOnService']['url']
+
+        provider_name_str = ''
+        organization_data = settings.get_organization()
+        if isinstance(organization_data, dict) and organization_data:
+            langs = organization_data
+            if 'en-US' in langs:
+                lang = 'en-US'
+            else:
+                lang = sorted(langs)[0]
+
+            display_name = 'displayname' in organization_data[lang] and organization_data[lang]['displayname']
+            if display_name:
+                provider_name_str = "\n" + '    ProviderName="%s"' % organization_data[lang]['displayname']
+
+        force_authn_str = ''
+        if force_authn is True:
+            force_authn_str = "\n" + '    ForceAuthn="true"'
+
+        is_passive_str = ''
+        if is_passive is True:
+            is_passive_str = "\n" + '    IsPassive="true"'
+
+        subject_str = ''
+        if name_id_value_req:
+            subject_str = """
+    <saml:Subject>
+        <saml:NameID Format="%s">%s</saml:NameID>
+        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml:SubjectConfirmation>
+    </saml:Subject>""" % (sp_data['NameIDFormat'], name_id_value_req)
+
+        nameid_policy_str = ''
+        if set_nameid_policy:
+            name_id_policy_format = sp_data['NameIDFormat']
+            if security['wantNameIdEncrypted']:
+                name_id_policy_format = OneLogin_Saml2_Constants.NAMEID_ENCRYPTED
+
+            nameid_policy_str = """
+    <samlp:NameIDPolicy
+        Format="%s"
+        AllowCreate="true" />""" % name_id_policy_format
+
+        requested_authn_context_str = ''
+        if security['requestedAuthnContext'] is not False:
+            authn_comparison = security['requestedAuthnContextComparison']
+
+            if security['requestedAuthnContext'] is True:
+                requested_authn_context_str = """    <samlp:RequestedAuthnContext Comparison="%s">
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+    </samlp:RequestedAuthnContext>""" % authn_comparison
+            else:
+                requested_authn_context_str = '     <samlp:RequestedAuthnContext Comparison="%s">' % authn_comparison
+                for authn_context in security['requestedAuthnContext']:
+                    requested_authn_context_str += '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>' % authn_context
+                requested_authn_context_str += '    </samlp:RequestedAuthnContext>'
+
+        attr_consuming_service_str = ''
+        if 'attributeConsumingService' in sp_data and sp_data['attributeConsumingService']:
+            attr_consuming_service_str = "\n    AttributeConsumingServiceIndex=\"%s\"" % sp_data['attributeConsumingService'].get('index', '1')
+
+        request = OneLogin_Saml2_Templates.AUTHN_REQUEST % \
+            {
+                'id': self._id,
+                'provider_name': provider_name_str,
+                'force_authn_str': force_authn_str,
+                'is_passive_str': is_passive_str,
+                'issue_instant': issue_instant,
+                'destination': destination,
+                'assertion_url': sp_data['assertionConsumerService']['url'],
+                'entity_id': sp_data['entityId'],
+                'subject_str': subject_str,
+                'nameid_policy_str': nameid_policy_str,
+                'requested_authn_context_str': requested_authn_context_str,
+                'attr_consuming_service_str': attr_consuming_service_str,
+                'acs_binding': sp_data['assertionConsumerService'].get('binding', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST')
+            }
+
+        self._authn_request = request
+
+    def _generate_request_id(self):
+        """
+        Generate an unique request ID.
+        """
+        return OneLogin_Saml2_Utils.generate_unique_id()
+
+
    [docs]    def get_request(self, deflate=True):
+        """
+        Returns unsigned AuthnRequest.
+        :param deflate: It makes the deflate process optional
+        :type: bool
+        :return: AuthnRequest maybe deflated and base64 encoded
+        :rtype: str object
+        """
+        if deflate:
+            request = OneLogin_Saml2_Utils.deflate_and_base64_encode(self._authn_request)
+        else:
+            request = OneLogin_Saml2_Utils.b64encode(self._authn_request)
+        return request
    
+
+
    [docs]    def get_id(self):
+        """
+        Returns the AuthNRequest ID.
+        :return: AuthNRequest ID
+        :rtype: string
+        """
+        return self._id
    
+
+
    [docs]    def get_xml(self):
+        """
+        Returns the XML that will be sent as part of the request
+        :return: XML request body
+        :rtype: string
+        """
+        return self._authn_request
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/compat.html b/docs/saml2/_modules/onelogin/saml2/compat.html
new file mode 100644
index 00000000..0497cf19
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/compat.html
@@ -0,0 +1,166 @@
+
+
+
+  
+  
+  onelogin.saml2.compat — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.compat
    +# -*- coding: utf-8 -*-
+
+""" py3 compatibility class
+
+
+"""
+
+from __future__ import absolute_import, print_function, with_statement
+
+try:
+    basestring
+except NameError:
+    basestring = str
+
+try:
+    unicode
+except NameError:
+    unicode = str
+
+
+if isinstance(b'', type('')):  # py 2.x
+    text_types = (basestring,)  # noqa
+    bytes_type = bytes
+    str_type = basestring  # noqa
+
+    def utf8(data):
+        """  return utf8-encoded string """
+        if isinstance(data, basestring):
+            return data.decode("utf8")
+        return unicode(data)
+
+    def to_string(data):
+        """ return string """
+        if isinstance(data, unicode):
+            return data.encode("utf8")
+        return str(data)
+
+    def to_bytes(data):
+        """ return bytes """
+        if isinstance(data, unicode):
+            return data.encode("utf8")
+        return str(data)
+
+else:  # py 3.x
+    text_types = (bytes, str)
+    bytes_type = bytes
+    str_type = str
+
+
    [docs]    def utf8(data):
+        """ return utf8-encoded string """
+        if isinstance(data, bytes):
+            return data.decode("utf8")
+        return str(data)
    
+
+
    [docs]    def to_string(data):
+        """convert to string"""
+        if isinstance(data, bytes):
+            return data.decode("utf8")
+        return str(data)
    
+
+
    [docs]    def to_bytes(data):
+        """return bytes"""
+        if isinstance(data, str):
+            return data.encode("utf8")
+        return bytes(data)
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/constants.html b/docs/saml2/_modules/onelogin/saml2/constants.html
new file mode 100644
index 00000000..299831bb
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/constants.html
@@ -0,0 +1,218 @@
+
+
+
+  
+  
+  onelogin.saml2.constants — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.constants
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Constants class
+
+
+Constants class of SAML Python Toolkit.
+
+"""
+
+
+
    [docs]class OneLogin_Saml2_Constants(object):
+    """
+
+    This class defines all the constants that will be used
+    in the SAML Python Toolkit.
+
+    """
+
+    # Value added to the current time in time condition validations
+    ALLOWED_CLOCK_DRIFT = 300
+
+    # NameID Formats
+    NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+    NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
+    NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'
+    NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+    NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'
+    NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
+    NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+    NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+    NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted'
+
+    # Attribute Name Formats
+    ATTRNAME_FORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'
+    ATTRNAME_FORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+    ATTRNAME_FORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
+
+    # Namespaces
+    NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
+    NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
+    NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/'
+    NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
+    NS_XS = 'http://www.w3.org/2001/XMLSchema'
+    NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
+    NS_XENC = 'http://www.w3.org/2001/04/xmlenc#'
+    NS_DS = 'http://www.w3.org/2000/09/xmldsig#'
+
+    # Namespace Prefixes
+    NS_PREFIX_SAML = 'saml'
+    NS_PREFIX_SAMLP = 'samlp'
+    NS_PREFIX_MD = 'md'
+    NS_PREFIX_XS = 'xs'
+    NS_PREFIX_XSI = 'xsi'
+    NS_PREFIX_XSD = 'xsd'
+    NS_PREFIX_XENC = 'xenc'
+    NS_PREFIX_DS = 'ds'
+
+    # Prefix:Namespace Mappings
+    NSMAP = {
+        NS_PREFIX_SAMLP: NS_SAMLP,
+        NS_PREFIX_SAML: NS_SAML,
+        NS_PREFIX_DS: NS_DS,
+        NS_PREFIX_XENC: NS_XENC,
+        NS_PREFIX_MD: NS_MD
+    }
+
+    # Bindings
+    BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+    BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+    BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
+    BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
+    BINDING_DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE'
+
+    # Auth Context Class
+    AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
+    AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
+    AC_PASSWORD_PROTECTED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+    AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'
+    AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'
+    AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'
+
+    # Subject Confirmation
+    CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
+    CM_HOLDER_KEY = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'
+    CM_SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
+
+    # Status Codes
+    STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+    STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester'
+    STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder'
+    STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch'
+    STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive'
+    STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
+    STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'
+
+    # Sign & Crypto
+    SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1'
+    SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
+    SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384'
+    SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
+
+    DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
+    RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+    RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+    RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
+    RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
+
+    # Enc
+    TRIPLEDES_CBC = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc'
+    AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'
+    AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc'
+    AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+    RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
+    RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'
+
+    # Define here the deprecated algorithms
+    DEPRECATED_ALGORITHMS = [DSA_SHA1, RSA_SHA1, SHA1]
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/errors.html b/docs/saml2/_modules/onelogin/saml2/errors.html
new file mode 100644
index 00000000..77b1c1f7
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/errors.html
@@ -0,0 +1,228 @@
+
+
+
+  
+  
+  onelogin.saml2.errors — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.errors
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Error class
+
+
+Error class of SAML Python Toolkit.
+
+Defines common Error codes and has a custom initializator.
+
+"""
+
+
+
    [docs]class OneLogin_Saml2_Error(Exception):
+    """
+
+    This class implements a custom Exception handler.
+    Defines custom error codes.
+
+    """
+
+    # Errors
+    SETTINGS_FILE_NOT_FOUND = 0
+    SETTINGS_INVALID_SYNTAX = 1
+    SETTINGS_INVALID = 2
+    METADATA_SP_INVALID = 3
+    # SP_CERTS_NOT_FOUND is deprecated, use CERT_NOT_FOUND instead
+    SP_CERTS_NOT_FOUND = 4
+    CERT_NOT_FOUND = 4
+    REDIRECT_INVALID_URL = 5
+    PUBLIC_CERT_FILE_NOT_FOUND = 6
+    PRIVATE_KEY_FILE_NOT_FOUND = 7
+    SAML_RESPONSE_NOT_FOUND = 8
+    SAML_LOGOUTMESSAGE_NOT_FOUND = 9
+    SAML_LOGOUTREQUEST_INVALID = 10
+    SAML_LOGOUTRESPONSE_INVALID = 11
+    SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12
+    PRIVATE_KEY_NOT_FOUND = 13
+    UNSUPPORTED_SETTINGS_OBJECT = 14
+
+    def __init__(self, message, code=0, errors=None):
+        """
+        Initializes the Exception instance.
+
+        Arguments are:
+            * (str)   message.   Describes the error.
+            * (int)   code.      The code error (defined in the error class).
+        """
+        assert isinstance(code, int)
+
+        if errors is not None:
+            message = message % errors
+
+        Exception.__init__(self, message)
+        self.code = code
    
+
+
+
    [docs]class OneLogin_Saml2_ValidationError(Exception):
+    """
+    This class implements another custom Exception handler, related
+    to exceptions that happens during validation process.
+    Defines custom error codes .
+    """
+
+    # Validation Errors
+    UNSUPPORTED_SAML_VERSION = 0
+    MISSING_ID = 1
+    WRONG_NUMBER_OF_ASSERTIONS = 2
+    MISSING_STATUS = 3
+    MISSING_STATUS_CODE = 4
+    STATUS_CODE_IS_NOT_SUCCESS = 5
+    WRONG_SIGNED_ELEMENT = 6
+    ID_NOT_FOUND_IN_SIGNED_ELEMENT = 7
+    DUPLICATED_ID_IN_SIGNED_ELEMENTS = 8
+    INVALID_SIGNED_ELEMENT = 9
+    DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS = 10
+    UNEXPECTED_SIGNED_ELEMENTS = 11
+    WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE = 12
+    WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION = 13
+    INVALID_XML_FORMAT = 14
+    WRONG_INRESPONSETO = 15
+    NO_ENCRYPTED_ASSERTION = 16
+    NO_ENCRYPTED_NAMEID = 17
+    MISSING_CONDITIONS = 18
+    ASSERTION_TOO_EARLY = 19
+    ASSERTION_EXPIRED = 20
+    WRONG_NUMBER_OF_AUTHSTATEMENTS = 21
+    NO_ATTRIBUTESTATEMENT = 22
+    ENCRYPTED_ATTRIBUTES = 23
+    WRONG_DESTINATION = 24
+    EMPTY_DESTINATION = 25
+    WRONG_AUDIENCE = 26
+    ISSUER_MULTIPLE_IN_RESPONSE = 27
+    ISSUER_NOT_FOUND_IN_ASSERTION = 28
+    WRONG_ISSUER = 29
+    SESSION_EXPIRED = 30
+    WRONG_SUBJECTCONFIRMATION = 31
+    NO_SIGNED_MESSAGE = 32
+    NO_SIGNED_ASSERTION = 33
+    NO_SIGNATURE_FOUND = 34
+    KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35
+    CHILDREN_NODE_NOT_FOUND_IN_KEYINFO = 36
+    UNSUPPORTED_RETRIEVAL_METHOD = 37
+    NO_NAMEID = 38
+    EMPTY_NAMEID = 39
+    SP_NAME_QUALIFIER_NAME_MISMATCH = 40
+    DUPLICATED_ATTRIBUTE_NAME_FOUND = 41
+    INVALID_SIGNATURE = 42
+    WRONG_NUMBER_OF_SIGNATURES = 43
+    RESPONSE_EXPIRED = 44
+    AUTHN_CONTEXT_MISMATCH = 45
+    DEPRECATED_SIGNATURE_METHOD = 46
+    DEPRECATED_DIGEST_METHOD = 47
+
+    def __init__(self, message, code=0, errors=None):
+        """
+        Initializes the Exception instance.
+        Arguments are:
+            * (str)   message.   Describes the error.
+            * (int)   code.      The code error (defined in the error class).
+        """
+        assert isinstance(code, int)
+
+        if errors is not None:
+            message = message % errors
+
+        Exception.__init__(self, message)
+        self.code = code
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/idp_metadata_parser.html b/docs/saml2/_modules/onelogin/saml2/idp_metadata_parser.html
new file mode 100644
index 00000000..a4ee1098
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/idp_metadata_parser.html
@@ -0,0 +1,380 @@
+
+
+
+  
+  
+  onelogin.saml2.idp_metadata_parser — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
      
+      
      • 
+          
    • Module code
      • 
+      
    • onelogin.saml2.idp_metadata_parser
      • 
+      
    • 
+      
      • 
+  
    
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.idp_metadata_parser
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_IdPMetadataParser class
+Metadata class of SAML Python Toolkit.
+"""
+
+
+from copy import deepcopy
+
+try:
+    import urllib.request as urllib2
+except ImportError:
+    import urllib2
+
+import ssl
+
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+
+
    [docs]class OneLogin_Saml2_IdPMetadataParser(object):
+    """
+    A class that contain methods related to obtaining and parsing metadata from IdP
+
+    This class does not validate in any way the URL that is introduced,
+    make sure to validate it properly before use it in a get_metadata method.
+    """
+
+
    [docs]    @classmethod
+    def get_metadata(cls, url, validate_cert=True, timeout=None, headers=None):
+        """
+        Gets the metadata XML from the provided URL
+        :param url: Url where the XML of the Identity Provider Metadata is published.
+        :type url: string
+
+        :param validate_cert: If the url uses https schema, that flag enables or not the verification of the associated certificate.
+        :type validate_cert: bool
+
+        :param timeout: Timeout in seconds to wait for metadata response
+        :type timeout: int
+        :param headers: Extra headers to send in the request
+        :type headers: dict
+
+        :returns: metadata XML
+        :rtype: string
+        """
+        valid = False
+
+        request = urllib2.Request(url, headers=headers or {})
+
+        if validate_cert:
+            response = urllib2.urlopen(request, timeout=timeout)
+        else:
+            ctx = ssl.create_default_context()
+            ctx.check_hostname = False
+            ctx.verify_mode = ssl.CERT_NONE
+            response = urllib2.urlopen(request, context=ctx, timeout=timeout)
+        xml = response.read()
+
+        if xml:
+            try:
+                dom = OneLogin_Saml2_XML.to_etree(xml)
+                idp_descriptor_nodes = OneLogin_Saml2_XML.query(dom, '//md:IDPSSODescriptor')
+                if idp_descriptor_nodes:
+                    valid = True
+            except Exception:
+                pass
+
+        if not valid:
+            raise Exception('Not valid IdP XML found from URL: %s' % (url))
+
+        return xml
    
+
+
    [docs]    @classmethod
+    def parse_remote(cls, url, validate_cert=True, entity_id=None, timeout=None, **kwargs):
+        """
+        Gets the metadata XML from the provided URL and parse it, returning a dict with extracted data
+        :param url: Url where the XML of the Identity Provider Metadata is published.
+        :type url: string
+
+        :param validate_cert: If the url uses https schema, that flag enables or not the verification of the associated certificate.
+        :type validate_cert: bool
+
+        :param entity_id: Specify the entity_id of the EntityDescriptor that you want to parse a XML
+                          that contains multiple EntityDescriptor.
+        :type entity_id: string
+
+        :param timeout: Timeout in seconds to wait for metadata response
+        :type timeout: int
+
+        :returns: settings dict with extracted data
+        :rtype: dict
+        """
+        idp_metadata = cls.get_metadata(url, validate_cert, timeout, headers=kwargs.pop('headers', None))
+        return cls.parse(idp_metadata, entity_id=entity_id, **kwargs)
    
+
+
    [docs]    @classmethod
+    def parse(
+            cls,
+            idp_metadata,
+            required_sso_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT,
+            required_slo_binding=OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT,
+            entity_id=None):
+        """
+        Parses the Identity Provider metadata and return a dict with extracted data.
+
+        If there are multiple <IDPSSODescriptor> tags, parse only the first.
+
+        Parses only those SSO endpoints with the same binding as given by
+        the `required_sso_binding` parameter.
+
+        Parses only those SLO endpoints with the same binding as given by
+        the `required_slo_binding` parameter.
+
+        If the metadata specifies multiple SSO endpoints with the required
+        binding, extract only the first (the same holds true for SLO
+        endpoints).
+
+        :param idp_metadata: XML of the Identity Provider Metadata.
+        :type idp_metadata: string
+
+        :param required_sso_binding: Parse only POST or REDIRECT SSO endpoints.
+        :type required_sso_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
+            or OneLogin_Saml2_Constants.BINDING_HTTP_POST
+
+        :param required_slo_binding: Parse only POST or REDIRECT SLO endpoints.
+        :type required_slo_binding: one of OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT
+            or OneLogin_Saml2_Constants.BINDING_HTTP_POST
+
+        :param entity_id: Specify the entity_id of the EntityDescriptor that you want to parse a XML
+                          that contains multiple EntityDescriptor.
+        :type entity_id: string
+
+        :returns: settings dict with extracted data
+        :rtype: dict
+        """
+        data = {}
+
+        dom = OneLogin_Saml2_XML.to_etree(idp_metadata)
+        idp_entity_id = want_authn_requests_signed = idp_name_id_format = idp_sso_url = idp_slo_url = certs = None
+
+        entity_desc_path = '//md:EntityDescriptor'
+        if entity_id:
+            entity_desc_path += "[@entityID='%s']" % entity_id
+        entity_descriptor_nodes = OneLogin_Saml2_XML.query(dom, entity_desc_path)
+
+        if len(entity_descriptor_nodes) > 0:
+            entity_descriptor_node = entity_descriptor_nodes[0]
+            idp_descriptor_nodes = OneLogin_Saml2_XML.query(entity_descriptor_node, './md:IDPSSODescriptor')
+            if len(idp_descriptor_nodes) > 0:
+                idp_descriptor_node = idp_descriptor_nodes[0]
+
+                idp_entity_id = entity_descriptor_node.get('entityID', None)
+
+                want_authn_requests_signed = idp_descriptor_node.get('WantAuthnRequestsSigned', None)
+
+                name_id_format_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, './md:NameIDFormat')
+                if len(name_id_format_nodes) > 0:
+                    idp_name_id_format = OneLogin_Saml2_XML.element_text(name_id_format_nodes[0])
+
+                sso_nodes = OneLogin_Saml2_XML.query(
+                    idp_descriptor_node,
+                    "./md:SingleSignOnService[@Binding='%s']" % required_sso_binding
+                )
+
+                if len(sso_nodes) > 0:
+                    idp_sso_url = sso_nodes[0].get('Location', None)
+
+                slo_nodes = OneLogin_Saml2_XML.query(
+                    idp_descriptor_node,
+                    "./md:SingleLogoutService[@Binding='%s']" % required_slo_binding
+                )
+
+                if len(slo_nodes) > 0:
+                    idp_slo_url = slo_nodes[0].get('Location', None)
+
+                signing_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
+                encryption_nodes = OneLogin_Saml2_XML.query(idp_descriptor_node, "./md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
+
+                if len(signing_nodes) > 0 or len(encryption_nodes) > 0:
+                    certs = {}
+                    if len(signing_nodes) > 0:
+                        certs['signing'] = []
+                        for cert_node in signing_nodes:
+                            certs['signing'].append(''.join(OneLogin_Saml2_XML.element_text(cert_node).split()))
+                    if len(encryption_nodes) > 0:
+                        certs['encryption'] = []
+                        for cert_node in encryption_nodes:
+                            certs['encryption'].append(''.join(OneLogin_Saml2_XML.element_text(cert_node).split()))
+
+                data['idp'] = {}
+
+                if idp_entity_id is not None:
+                    data['idp']['entityId'] = idp_entity_id
+
+                if idp_sso_url is not None:
+                    data['idp']['singleSignOnService'] = {}
+                    data['idp']['singleSignOnService']['url'] = idp_sso_url
+                    data['idp']['singleSignOnService']['binding'] = required_sso_binding
+
+                if idp_slo_url is not None:
+                    data['idp']['singleLogoutService'] = {}
+                    data['idp']['singleLogoutService']['url'] = idp_slo_url
+                    data['idp']['singleLogoutService']['binding'] = required_slo_binding
+
+                if want_authn_requests_signed is not None:
+                    data['security'] = {}
+                    data['security']['authnRequestsSigned'] = want_authn_requests_signed == "true"
+
+                if idp_name_id_format:
+                    data['sp'] = {}
+                    data['sp']['NameIDFormat'] = idp_name_id_format
+
+                if certs is not None:
+                    if (len(certs) == 1 and
+                        (('signing' in certs and len(certs['signing']) == 1) or
+                         ('encryption' in certs and len(certs['encryption']) == 1))) or \
+                        (('signing' in certs and len(certs['signing']) == 1) and
+                         ('encryption' in certs and len(certs['encryption']) == 1 and
+                         certs['signing'][0] == certs['encryption'][0])):
+                        if 'signing' in certs:
+                            data['idp']['x509cert'] = certs['signing'][0]
+                        else:
+                            data['idp']['x509cert'] = certs['encryption'][0]
+                    else:
+                        data['idp']['x509certMulti'] = certs
+        return data
    
+
+
    [docs]    @staticmethod
+    def merge_settings(settings, new_metadata_settings):
+        """
+        Will update the settings with the provided new settings data extracted from the IdP metadata
+        :param settings: Current settings dict data
+        :type settings: dict
+        :param new_metadata_settings: Settings to be merged (extracted from IdP metadata after parsing)
+        :type new_metadata_settings: dict
+        :returns: merged settings
+        :rtype: dict
+        """
+        for d in (settings, new_metadata_settings):
+            if not isinstance(d, dict):
+                raise TypeError('Both arguments must be dictionaries.')
+
+        # Guarantee to not modify original data (`settings.copy()` would not
+        # be sufficient, as it's just a shallow copy).
+        result_settings = deepcopy(settings)
+
+        # previously I will take care of cert stuff
+        if 'idp' in new_metadata_settings and 'idp' in result_settings:
+            if new_metadata_settings['idp'].get('x509cert', None) and result_settings['idp'].get('x509certMulti', None):
+                del result_settings['idp']['x509certMulti']
+            if new_metadata_settings['idp'].get('x509certMulti', None) and result_settings['idp'].get('x509cert', None):
+                del result_settings['idp']['x509cert']
+
+        # Merge `new_metadata_settings` into `result_settings`.
+        dict_deep_merge(result_settings, new_metadata_settings)
+        return result_settings
    
+
+
+
    [docs]def dict_deep_merge(a, b, path=None):
+    """Deep-merge dictionary `b` into dictionary `a`.
+
+    Kudos to http://stackoverflow.com/a/7205107/145400
+    """
+    if path is None:
+        path = []
+    for key in b:
+        if key in a:
+            if isinstance(a[key], dict) and isinstance(b[key], dict):
+                dict_deep_merge(a[key], b[key], path + [str(key)])
+            elif a[key] == b[key]:
+                # Key conflict, but equal value.
+                pass
+            else:
+                # Key/value conflict. Prioritize b over a.
+                a[key] = b[key]
+        else:
+            a[key] = b[key]
+    return a
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/logout_request.html b/docs/saml2/_modules/onelogin/saml2/logout_request.html
new file mode 100644
index 00000000..bdc48e77
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/logout_request.html
@@ -0,0 +1,465 @@
+
+
+
+  
+  
+  onelogin.saml2.logout_request — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
      
+      
      • 
+          
    • Module code
      • 
+      
    • onelogin.saml2.logout_request
      • 
+      
    • 
+      
      • 
+  
    
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.logout_request
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Logout_Request class
+
+
+Logout Request class of SAML Python Toolkit.
+
+"""
+
+from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
+from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+
+
    [docs]class OneLogin_Saml2_Logout_Request(object):
+    """
+
+    This class handles a Logout Request.
+
+    Builds a Logout Response object and validates it.
+
+    """
+
+    def __init__(self, settings, request=None, name_id=None, session_index=None, nq=None, name_id_format=None, spnq=None):
+        """
+        Constructs the Logout Request object.
+
+        :param settings: Setting data
+        :type settings: OneLogin_Saml2_Settings
+
+        :param request: Optional. A LogoutRequest to be loaded instead build one.
+        :type request: string
+
+        :param name_id: The NameID that will be set in the LogoutRequest.
+        :type name_id: string
+
+        :param session_index: SessionIndex that identifies the session of the user.
+        :type session_index: string
+
+        :param nq: IDP Name Qualifier
+        :type: string
+
+        :param name_id_format: The NameID Format that will be set in the LogoutRequest.
+        :type: string
+
+        :param spnq: SP Name Qualifier
+        :type: string
+        """
+        self._settings = settings
+        self._error = None
+        self.id = None
+
+        if request is None:
+            sp_data = self._settings.get_sp_data()
+            idp_data = self._settings.get_idp_data()
+            security = self._settings.get_security_data()
+
+            self.id = self._generate_request_id()
+
+            issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
+
+            cert = None
+            if security['nameIdEncrypted']:
+                exists_multix509enc = 'x509certMulti' in idp_data and \
+                    'encryption' in idp_data['x509certMulti'] and \
+                    idp_data['x509certMulti']['encryption']
+                if exists_multix509enc:
+                    cert = idp_data['x509certMulti']['encryption'][0]
+                else:
+                    cert = self._settings.get_idp_cert()
+
+            if name_id is not None:
+                if not name_id_format and sp_data['NameIDFormat'] != OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
+                    name_id_format = sp_data['NameIDFormat']
+            else:
+                name_id = idp_data['entityId']
+                name_id_format = OneLogin_Saml2_Constants.NAMEID_ENTITY
+
+            # From saml-core-2.0-os 8.3.6, when the entity Format is used:
+            # "The NameQualifier, SPNameQualifier, and SPProvidedID attributes
+            # MUST be omitted.
+            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_ENTITY:
+                nq = None
+                spnq = None
+
+            # NameID Format UNSPECIFIED omitted
+            if name_id_format and name_id_format == OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED:
+                name_id_format = None
+
+            name_id_obj = OneLogin_Saml2_Utils.generate_name_id(
+                name_id,
+                spnq,
+                name_id_format,
+                cert,
+                False,
+                nq
+            )
+
+            if session_index:
+                session_index_str = '<samlp:SessionIndex>%s</samlp:SessionIndex>' % session_index
+            else:
+                session_index_str = ''
+
+            logout_request = OneLogin_Saml2_Templates.LOGOUT_REQUEST % \
+                {
+                    'id': self.id,
+                    'issue_instant': issue_instant,
+                    'single_logout_url': self._settings.get_idp_slo_url(),
+                    'entity_id': sp_data['entityId'],
+                    'name_id': name_id_obj,
+                    'session_index': session_index_str,
+                }
+        else:
+            logout_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(request, ignore_zip=True)
+            self.id = self.get_id(logout_request)
+
+        self._logout_request = compat.to_string(logout_request)
+
+
    [docs]    def get_request(self, deflate=True):
+        """
+        Returns the Logout Request deflated, base64encoded
+        :param deflate: It makes the deflate process optional
+        :type: bool
+        :return: Logout Request maybe deflated and base64 encoded
+        :rtype: str object
+        """
+        if deflate:
+            request = OneLogin_Saml2_Utils.deflate_and_base64_encode(self._logout_request)
+        else:
+            request = OneLogin_Saml2_Utils.b64encode(self._logout_request)
+        return request
    
+
+
    [docs]    def get_xml(self):
+        """
+        Returns the XML that will be sent as part of the request
+        or that was received at the SP
+        :return: XML request body
+        :rtype: string
+        """
+        return self._logout_request
    
+
+
    [docs]    @classmethod
+    def get_id(cls, request):
+        """
+        Returns the ID of the Logout Request
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :return: string ID
+        :rtype: str object
+        """
+
+        elem = OneLogin_Saml2_XML.to_etree(request)
+        return elem.get('ID', None)
    
+
+
    [docs]    @classmethod
+    def get_nameid_data(cls, request, key=None):
+        """
+        Gets the NameID Data of the the Logout Request
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :param key: The SP key
+        :type key: string
+        :return: Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
+        :rtype: dict
+        """
+        elem = OneLogin_Saml2_XML.to_etree(request)
+        name_id = None
+        encrypted_entries = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/saml:EncryptedID')
+
+        if len(encrypted_entries) == 1:
+            if key is None:
+                raise OneLogin_Saml2_Error(
+                    'Private Key is required in order to decrypt the NameID, check settings',
+                    OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
+                )
+
+            encrypted_data_nodes = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/saml:EncryptedID/xenc:EncryptedData')
+            if len(encrypted_data_nodes) == 1:
+                encrypted_data = encrypted_data_nodes[0]
+                name_id = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key)
+        else:
+            entries = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/saml:NameID')
+            if len(entries) == 1:
+                name_id = entries[0]
+
+        if name_id is None:
+            raise OneLogin_Saml2_ValidationError(
+                'NameID not found in the Logout Request',
+                OneLogin_Saml2_ValidationError.NO_NAMEID
+            )
+
+        name_id_data = {
+            'Value': OneLogin_Saml2_XML.element_text(name_id)
+        }
+        for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
+            if attr in name_id.attrib:
+                name_id_data[attr] = name_id.attrib[attr]
+
+        return name_id_data
    
+
+
    [docs]    @classmethod
+    def get_nameid(cls, request, key=None):
+        """
+        Gets the NameID of the Logout Request Message
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :param key: The SP key
+        :type key: string
+        :return: Name ID Value
+        :rtype: string
+        """
+        name_id = cls.get_nameid_data(request, key)
+        return name_id['Value']
    
+
+
    [docs]    @classmethod
+    def get_nameid_format(cls, request, key=None):
+        """
+        Gets the NameID Format of the Logout Request Message
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :param key: The SP key
+        :type key: string
+        :return: Name ID Format
+        :rtype: string
+        """
+        name_id_format = None
+        name_id_data = cls.get_nameid_data(request, key)
+        if name_id_data and 'Format' in name_id_data.keys():
+            name_id_format = name_id_data['Format']
+        return name_id_format
    
+
+
    [docs]    @classmethod
+    def get_issuer(cls, request):
+        """
+        Gets the Issuer of the Logout Request Message
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :return: The Issuer
+        :rtype: string
+        """
+
+        elem = OneLogin_Saml2_XML.to_etree(request)
+        issuer = None
+        issuer_nodes = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/saml:Issuer')
+        if len(issuer_nodes) == 1:
+            issuer = OneLogin_Saml2_XML.element_text(issuer_nodes[0])
+        return issuer
    
+
+
    [docs]    @classmethod
+    def get_session_indexes(cls, request):
+        """
+        Gets the SessionIndexes from the Logout Request
+        :param request: Logout Request Message
+        :type request: string|DOMDocument
+        :return: The SessionIndex value
+        :rtype: list
+        """
+
+        elem = OneLogin_Saml2_XML.to_etree(request)
+        session_indexes = []
+        session_index_nodes = OneLogin_Saml2_XML.query(elem, '/samlp:LogoutRequest/samlp:SessionIndex')
+        for session_index_node in session_index_nodes:
+            session_indexes.append(OneLogin_Saml2_XML.element_text(session_index_node))
+        return session_indexes
    
+
+
    [docs]    def is_valid(self, request_data, raise_exceptions=False):
+        """
+        Checks if the Logout Request received is valid
+        :param request_data: Request Data
+        :type request_data: dict
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+
+        :return: If the Logout Request is or not valid
+        :rtype: boolean
+        """
+        self._error = None
+        try:
+            root = OneLogin_Saml2_XML.to_etree(self._logout_request)
+
+            idp_data = self._settings.get_idp_data()
+            idp_entity_id = idp_data['entityId']
+
+            get_data = ('get_data' in request_data and request_data['get_data']) or dict()
+
+            if self._settings.is_strict():
+                res = OneLogin_Saml2_XML.validate_xml(root, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
+                if isinstance(res, str):
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
+                        OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
+                    )
+
+                security = self._settings.get_security_data()
+
+                current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+
+                # Check NotOnOrAfter
+                if root.get('NotOnOrAfter', None):
+                    na = OneLogin_Saml2_Utils.parse_SAML_to_time(root.get('NotOnOrAfter'))
+                    if na <= OneLogin_Saml2_Utils.now():
+                        raise OneLogin_Saml2_ValidationError(
+                            'Could not validate timestamp: expired. Check system clock.)',
+                            OneLogin_Saml2_ValidationError.RESPONSE_EXPIRED
+                        )
+
+                # Check destination
+                destination = root.get('Destination', None)
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The LogoutRequest was received at '
+                            '%(currentURL)s instead of %(destination)s' %
+                            {
+                                'currentURL': current_url,
+                                'destination': destination,
+                            },
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
+
+                # Check issuer
+                issuer = self.get_issuer(root)
+                if issuer is not None and issuer != idp_entity_id:
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid issuer in the Logout Request (expected %(idpEntityId)s, got %(issuer)s)' %
+                        {
+                            'idpEntityId': idp_entity_id,
+                            'issuer': issuer
+                        },
+                        OneLogin_Saml2_ValidationError.WRONG_ISSUER
+                    )
+
+                if security['wantMessagesSigned']:
+                    if 'Signature' not in get_data:
+                        raise OneLogin_Saml2_ValidationError(
+                            'The Message of the Logout Request is not signed and the SP require it',
+                            OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
+                        )
+
+            return True
+        except Exception as err:
+            # pylint: disable=R0801
+            self._error = str(err)
+            debug = self._settings.is_debug_active()
+            if debug:
+                print(err)
+            if raise_exceptions:
+                raise
+            return False
    
+
+
    [docs]    def get_error(self):
+        """
+        After executing a validation process, if it fails this method returns the cause
+        """
+        return self._error
    
+
+    def _generate_request_id(self):
+        """
+        Generate an unique logout request ID.
+        """
+        return OneLogin_Saml2_Utils.generate_unique_id()
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/logout_response.html b/docs/saml2/_modules/onelogin/saml2/logout_response.html
new file mode 100644
index 00000000..a403dc35
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/logout_response.html
@@ -0,0 +1,321 @@
+
+
+
+  
+  
+  onelogin.saml2.logout_response — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
      
+      
      • 
+          
    • Module code
      • 
+      
    • onelogin.saml2.logout_response
      • 
+      
    • 
+      
      • 
+  
    
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.logout_response
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Logout_Response class
+
+
+Logout Response class of SAML Python Toolkit.
+
+"""
+
+from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_ValidationError
+from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+
+
    [docs]class OneLogin_Saml2_Logout_Response(object):
+    """
+
+    This class  handles a Logout Response. It Builds or parses a Logout Response object
+    and validates it.
+
+    """
+
+    def __init__(self, settings, response=None):
+        """
+        Constructs a Logout Response object (Initialize params from settings
+        and if provided load the Logout Response.
+
+        Arguments are:
+            * (OneLogin_Saml2_Settings)   settings. Setting data
+            * (string)                    response. An UUEncoded SAML Logout
+                                                    response from the IdP.
+        """
+        self._settings = settings
+        self._error = None
+        self.id = None
+
+        if response is not None:
+            self._logout_response = compat.to_string(OneLogin_Saml2_Utils.decode_base64_and_inflate(response, ignore_zip=True))
+            self.document = OneLogin_Saml2_XML.to_etree(self._logout_response)
+            self.id = self.document.get('ID', None)
+
+
    [docs]    def get_issuer(self):
+        """
+        Gets the Issuer of the Logout Response Message
+        :return: The Issuer
+        :rtype: string
+        """
+        issuer = None
+        issuer_nodes = self._query('/samlp:LogoutResponse/saml:Issuer')
+        if len(issuer_nodes) == 1:
+            issuer = OneLogin_Saml2_XML.element_text(issuer_nodes[0])
+        return issuer
    
+
+
    [docs]    def get_status(self):
+        """
+        Gets the Status
+        :return: The Status
+        :rtype: string
+        """
+        entries = self._query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode')
+        if len(entries) == 0:
+            return None
+        status = entries[0].attrib['Value']
+        return status
    
+
+
    [docs]    def is_valid(self, request_data, request_id=None, raise_exceptions=False):
+        """
+        Determines if the SAML LogoutResponse is valid
+        :param request_id: The ID of the LogoutRequest sent by this SP to the IdP
+        :type request_id: string
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+
+        :return: Returns if the SAML LogoutResponse is or not valid
+        :rtype: boolean
+        """
+        self._error = None
+        try:
+            idp_data = self._settings.get_idp_data()
+            idp_entity_id = idp_data['entityId']
+            get_data = request_data['get_data']
+
+            if self._settings.is_strict():
+                res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
+                if isinstance(res, str):
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd',
+                        OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
+                    )
+
+                security = self._settings.get_security_data()
+
+                # Check if the InResponseTo of the Logout Response matches the ID of the Logout Request (requestId) if provided
+                in_response_to = self.get_in_response_to()
+                if request_id is not None and in_response_to and in_response_to != request_id:
+                    raise OneLogin_Saml2_ValidationError(
+                        'The InResponseTo of the Logout Response: %s, does not match the ID of the Logout request sent by the SP: %s' % (in_response_to, request_id),
+                        OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
+                    )
+
+                # Check issuer
+                issuer = self.get_issuer()
+                if issuer is not None and issuer != idp_entity_id:
+                    raise OneLogin_Saml2_ValidationError(
+                        'Invalid issuer in the Logout Response (expected %(idpEntityId)s, got %(issuer)s)' %
+                        {
+                            'idpEntityId': idp_entity_id,
+                            'issuer': issuer
+                        },
+                        OneLogin_Saml2_ValidationError.WRONG_ISSUER
+                    )
+
+                current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+
+                # Check destination
+                destination = self.document.get('Destination', None)
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The LogoutResponse was received at %s instead of %s' % (current_url, destination),
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
+
+                if security['wantMessagesSigned']:
+                    if 'Signature' not in get_data:
+                        raise OneLogin_Saml2_ValidationError(
+                            'The Message of the Logout Response is not signed and the SP require it',
+                            OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
+                        )
+            return True
+        # pylint: disable=R0801
+        except Exception as err:
+            self._error = str(err)
+            debug = self._settings.is_debug_active()
+            if debug:
+                print(err)
+            if raise_exceptions:
+                raise
+            return False
    
+
+    def _query(self, query):
+        """
+        Extracts a node from the Etree (Logout Response Message)
+        :param query: Xpath Expression
+        :type query: string
+        :return: The queried node
+        :rtype: Element
+        """
+        return OneLogin_Saml2_XML.query(self.document, query)
+
+
    [docs]    def build(self, in_response_to, status=OneLogin_Saml2_Constants.STATUS_SUCCESS):
+        """
+        Creates a Logout Response object.
+        :param in_response_to: InResponseTo value for the Logout Response.
+        :type in_response_to: string
+        :param: status: The status of the response
+        :type: status: string
+        """
+        sp_data = self._settings.get_sp_data()
+
+        self.id = self._generate_request_id()
+
+        issue_instant = OneLogin_Saml2_Utils.parse_time_to_SAML(OneLogin_Saml2_Utils.now())
+
+        logout_response = OneLogin_Saml2_Templates.LOGOUT_RESPONSE % {
+            "id": self.id,
+            "issue_instant": issue_instant,
+            "destination": self._settings.get_idp_slo_response_url(),
+            "in_response_to": in_response_to,
+            "entity_id": sp_data["entityId"],
+            "status": status,
+        }
+
+        self._logout_response = logout_response
    
+
+
    [docs]    def get_in_response_to(self):
+        """
+        Gets the ID of the LogoutRequest which this response is in response to
+        :returns: ID of LogoutRequest this LogoutResponse is in response to or None if it is not present
+        :rtype: str
+        """
+        return self.document.get('InResponseTo')
    
+
+
    [docs]    def get_response(self, deflate=True):
+        """
+        Returns a Logout Response object.
+        :param deflate: It makes the deflate process optional
+        :type: bool
+        :return: Logout Response maybe deflated and base64 encoded
+        :rtype: string
+        """
+        if deflate:
+            response = OneLogin_Saml2_Utils.deflate_and_base64_encode(self._logout_response)
+        else:
+            response = OneLogin_Saml2_Utils.b64encode(self._logout_response)
+        return response
    
+
+
    [docs]    def get_error(self):
+        """
+        After executing a validation process, if it fails this method returns the cause
+        """
+        return self._error
    
+
+
    [docs]    def get_xml(self):
+        """
+        Returns the XML that will be sent as part of the response
+        or that was received at the SP
+        :return: XML response body
+        :rtype: string
+        """
+        return self._logout_response
    
+
+    def _generate_request_id(self):
+        """
+        Generate an unique logout response ID.
+        """
+        return OneLogin_Saml2_Utils.generate_unique_id()
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/metadata.html b/docs/saml2/_modules/onelogin/saml2/metadata.html
new file mode 100644
index 00000000..cf74b78c
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/metadata.html
@@ -0,0 +1,365 @@
+
+
+
+  
+  
+  onelogin.saml2.metadata — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.metadata
    +# -*- coding: utf-8 -*-
+
+""" OneLoginSaml2Metadata class
+
+
+Metadata class of SAML Python Toolkit.
+
+"""
+
+from time import gmtime, strftime, time
+from datetime import datetime
+
+from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.xml_templates import OneLogin_Saml2_Templates
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+try:
+    basestring
+except NameError:
+    basestring = str
+
+
+
    [docs]class OneLogin_Saml2_Metadata(object):
+    """
+
+    A class that contains methods related to the metadata of the SP
+
+    """
+
+    TIME_VALID = 172800   # 2 days
+    TIME_CACHED = 604800  # 1 week
+
+
    [docs]    @classmethod
+    def builder(cls, sp, authnsign=False, wsign=False, valid_until=None, cache_duration=None, contacts=None, organization=None):
+        """
+        Builds the metadata of the SP
+
+        :param sp: The SP data
+        :type sp: string
+
+        :param authnsign: authnRequestsSigned attribute
+        :type authnsign: string
+
+        :param wsign: wantAssertionsSigned attribute
+        :type wsign: string
+
+        :param valid_until: Metadata's expiry date
+        :type valid_until: string|DateTime|Timestamp
+
+        :param cache_duration: Duration of the cache in seconds
+        :type cache_duration: int|string
+
+        :param contacts: Contacts info
+        :type contacts: dict
+
+        :param organization: Organization info
+        :type organization: dict
+        """
+        if valid_until is None:
+            valid_until = int(time()) + cls.TIME_VALID
+        if not isinstance(valid_until, basestring):
+            if isinstance(valid_until, datetime):
+                valid_until_time = valid_until.timetuple()
+            else:
+                valid_until_time = gmtime(valid_until)
+            valid_until_str = strftime(r'%Y-%m-%dT%H:%M:%SZ', valid_until_time)
+        else:
+            valid_until_str = valid_until
+
+        if cache_duration is None:
+            cache_duration = cls.TIME_CACHED
+        if not isinstance(cache_duration, compat.str_type):
+            cache_duration_str = 'PT%sS' % cache_duration  # Period of Time x Seconds
+        else:
+            cache_duration_str = cache_duration
+
+        if contacts is None:
+            contacts = {}
+        if organization is None:
+            organization = {}
+
+        sls = ''
+        if 'singleLogoutService' in sp and 'url' in sp['singleLogoutService']:
+            sls = OneLogin_Saml2_Templates.MD_SLS % \
+                {
+                    'binding': sp['singleLogoutService']['binding'],
+                    'location': sp['singleLogoutService']['url'],
+                }
+
+        str_authnsign = 'true' if authnsign else 'false'
+        str_wsign = 'true' if wsign else 'false'
+
+        str_organization = ''
+        if len(organization) > 0:
+            organization_names = []
+            organization_displaynames = []
+            organization_urls = []
+            for (lang, info) in organization.items():
+                organization_names.append("""        <md:OrganizationName xml:lang="%s">%s</md:OrganizationName>""" % (lang, info['name']))
+                organization_displaynames.append("""        <md:OrganizationDisplayName xml:lang="%s">%s</md:OrganizationDisplayName>""" % (lang, info['displayname']))
+                organization_urls.append("""        <md:OrganizationURL xml:lang="%s">%s</md:OrganizationURL>""" % (lang, info['url']))
+            org_data = '\n'.join(organization_names) + '\n' + '\n'.join(organization_displaynames) + '\n' + '\n'.join(organization_urls)
+            str_organization = """    <md:Organization>\n%(org)s\n    </md:Organization>""" % {'org': org_data}
+
+        str_contacts = ''
+        if len(contacts) > 0:
+            contacts_info = []
+            for (ctype, info) in contacts.items():
+                contact = OneLogin_Saml2_Templates.MD_CONTACT_PERSON % \
+                    {
+                        'type': ctype,
+                        'name': info['givenName'],
+                        'email': info['emailAddress'],
+                    }
+                contacts_info.append(contact)
+            str_contacts = '\n'.join(contacts_info)
+
+        str_attribute_consuming_service = ''
+        if 'attributeConsumingService' in sp and len(sp['attributeConsumingService']):
+            attr_cs_desc_str = ''
+            if "serviceDescription" in sp['attributeConsumingService']:
+                attr_cs_desc_str = """            <md:ServiceDescription xml:lang="en">%s</md:ServiceDescription>
+""" % sp['attributeConsumingService']['serviceDescription']
+
+            requested_attribute_data = []
+            for req_attribs in sp['attributeConsumingService']['requestedAttributes']:
+                req_attr_nameformat_str = req_attr_friendlyname_str = req_attr_isrequired_str = ''
+                req_attr_aux_str = ' />'
+
+                if 'nameFormat' in req_attribs.keys() and req_attribs['nameFormat']:
+                    req_attr_nameformat_str = " NameFormat=\"%s\"" % req_attribs['nameFormat']
+                if 'friendlyName' in req_attribs.keys() and req_attribs['friendlyName']:
+                    req_attr_friendlyname_str = " FriendlyName=\"%s\"" % req_attribs['friendlyName']
+                if 'isRequired' in req_attribs.keys() and req_attribs['isRequired']:
+                    req_attr_isrequired_str = " isRequired=\"%s\"" % 'true' if req_attribs['isRequired'] else 'false'
+                if 'attributeValue' in req_attribs.keys() and req_attribs['attributeValue']:
+                    if isinstance(req_attribs['attributeValue'], basestring):
+                        req_attribs['attributeValue'] = [req_attribs['attributeValue']]
+
+                    req_attr_aux_str = ">"
+                    for attrValue in req_attribs['attributeValue']:
+                        req_attr_aux_str += """
+                <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">%(attributeValue)s</saml:AttributeValue>""" % \
+                            {
+                                'attributeValue': attrValue
+                            }
+                    req_attr_aux_str += """
+            </md:RequestedAttribute>"""
+
+                requested_attribute = """            <md:RequestedAttribute Name="%(req_attr_name)s"%(req_attr_nameformat_str)s%(req_attr_friendlyname_str)s%(req_attr_isrequired_str)s%(req_attr_aux_str)s""" % \
+                    {
+                        'req_attr_name': req_attribs['name'],
+                        'req_attr_nameformat_str': req_attr_nameformat_str,
+                        'req_attr_friendlyname_str': req_attr_friendlyname_str,
+                        'req_attr_isrequired_str': req_attr_isrequired_str,
+                        'req_attr_aux_str': req_attr_aux_str
+                    }
+
+                requested_attribute_data.append(requested_attribute)
+
+            str_attribute_consuming_service = """        <md:AttributeConsumingService index="%(attribute_consuming_service_index)s">
+            <md:ServiceName xml:lang="en">%(service_name)s</md:ServiceName>
+%(attr_cs_desc)s%(requested_attribute_str)s
+        </md:AttributeConsumingService>
+""" % \
+                {
+                    'service_name': sp['attributeConsumingService']['serviceName'],
+                    'attr_cs_desc': attr_cs_desc_str,
+                    'attribute_consuming_service_index': sp['attributeConsumingService'].get('index', '1'),
+                    'requested_attribute_str': '\n'.join(requested_attribute_data)
+                }
+
+        metadata = OneLogin_Saml2_Templates.MD_ENTITY_DESCRIPTOR % \
+            {
+                'valid': ('validUntil="%s"' % valid_until_str) if valid_until_str else '',
+                'cache': ('cacheDuration="%s"' % cache_duration_str) if cache_duration_str else '',
+                'entity_id': sp['entityId'],
+                'authnsign': str_authnsign,
+                'wsign': str_wsign,
+                'name_id_format': sp['NameIDFormat'],
+                'binding': sp['assertionConsumerService']['binding'],
+                'location': sp['assertionConsumerService']['url'],
+                'sls': sls,
+                'organization': str_organization,
+                'contacts': str_contacts,
+                'attribute_consuming_service': str_attribute_consuming_service
+            }
+
+        return metadata
    
+
+
    [docs]    @staticmethod
+    def sign_metadata(metadata, key, cert, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256, digest_algorithm=OneLogin_Saml2_Constants.SHA256):
+        """
+        Signs the metadata with the key/cert provided
+
+        :param metadata: SAML Metadata XML
+        :type metadata: string
+
+        :param key: x509 key
+        :type key: string
+
+        :param cert: x509 cert
+        :type cert: string
+
+        :returns: Signed Metadata
+        :rtype: string
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
+
+        :param digest_algorithm: Digest algorithm method
+        :type digest_algorithm: string
+        """
+        return OneLogin_Saml2_Utils.add_sign(metadata, key, cert, False, sign_algorithm, digest_algorithm)
    
+
+    @staticmethod
+    def _add_x509_key_descriptors(root, cert, signing):
+        key_descriptor = OneLogin_Saml2_XML.make_child(root, '{%s}KeyDescriptor' % OneLogin_Saml2_Constants.NS_MD)
+        root.remove(key_descriptor)
+        root.insert(0, key_descriptor)
+        key_info = OneLogin_Saml2_XML.make_child(key_descriptor, '{%s}KeyInfo' % OneLogin_Saml2_Constants.NS_DS)
+        key_data = OneLogin_Saml2_XML.make_child(key_info, '{%s}X509Data' % OneLogin_Saml2_Constants.NS_DS)
+
+        x509_certificate = OneLogin_Saml2_XML.make_child(key_data, '{%s}X509Certificate' % OneLogin_Saml2_Constants.NS_DS)
+        x509_certificate.text = OneLogin_Saml2_Utils.format_cert(cert, False)
+        key_descriptor.set('use', ('encryption', 'signing')[signing])
+
+
    [docs]    @classmethod
+    def add_x509_key_descriptors(cls, metadata, cert=None, add_encryption=True):
+        """
+        Adds the x509 descriptors (sign/encryption) to the metadata
+        The same cert will be used for sign/encrypt
+
+        :param metadata: SAML Metadata XML
+        :type metadata: string
+
+        :param cert: x509 cert
+        :type cert: string
+
+        :param add_encryption: Determines if the KeyDescriptor[use="encryption"] should be added.
+        :type add_encryption: boolean
+
+        :returns: Metadata with KeyDescriptors
+        :rtype: string
+        """
+        if cert is None or cert == '':
+            return metadata
+        try:
+            root = OneLogin_Saml2_XML.to_etree(metadata)
+        except Exception as e:
+            raise Exception('Error parsing metadata. ' + str(e))
+
+        assert root.tag == '{%s}EntityDescriptor' % OneLogin_Saml2_Constants.NS_MD
+        try:
+            sp_sso_descriptor = next(root.iterfind('.//md:SPSSODescriptor', namespaces=OneLogin_Saml2_Constants.NSMAP))
+        except StopIteration:
+            raise Exception('Malformed metadata.')
+
+        if add_encryption:
+            cls._add_x509_key_descriptors(sp_sso_descriptor, cert, False)
+        cls._add_x509_key_descriptors(sp_sso_descriptor, cert, True)
+        return OneLogin_Saml2_XML.to_string(root)
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/response.html b/docs/saml2/_modules/onelogin/saml2/response.html
new file mode 100644
index 00000000..5babc977
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/response.html
@@ -0,0 +1,1054 @@
+
+
+
+  
+  
+  onelogin.saml2.response — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.response
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Response class
+
+
+SAML Response class of SAML Python Toolkit.
+
+"""
+
+from copy import deepcopy
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.utils import OneLogin_Saml2_Utils, OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError, return_false_on_exception
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+
+
    [docs]class OneLogin_Saml2_Response(object):
+    """
+
+    This class handles a SAML Response. It parses or validates
+    a Logout Response object.
+
+    """
+
+    def __init__(self, settings, response):
+        """
+        Constructs the response object.
+
+        :param settings: The setting info
+        :type settings: OneLogin_Saml2_Setting object
+
+        :param response: The base64 encoded, XML string containing the samlp:Response
+        :type response: string
+        """
+        self._settings = settings
+        self._error = None
+        self.response = OneLogin_Saml2_Utils.b64decode(response)
+        self.document = OneLogin_Saml2_XML.to_etree(self.response)
+        self.decrypted_document = None
+        self.encrypted = None
+        self.valid_scd_not_on_or_after = None
+
+        # Quick check for the presence of EncryptedAssertion
+        encrypted_assertion_nodes = self._query('/samlp:Response/saml:EncryptedAssertion')
+        if encrypted_assertion_nodes:
+            decrypted_document = deepcopy(self.document)
+            self.encrypted = True
+            self.decrypted_document = self._decrypt_assertion(decrypted_document)
+
+
    [docs]    def is_valid(self, request_data, request_id=None, raise_exceptions=False):
+        """
+        Validates the response object.
+
+        :param request_data: Request Data
+        :type request_data: dict
+
+        :param request_id: Optional argument. The ID of the AuthNRequest sent by this SP to the IdP
+        :type request_id: string
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+
+        :returns: True if the SAML Response is valid, False if not
+        :rtype: bool
+        """
+        self._error = None
+        try:
+            # Checks SAML version
+            if self.document.get('Version', None) != '2.0':
+                raise OneLogin_Saml2_ValidationError(
+                    'Unsupported SAML version',
+                    OneLogin_Saml2_ValidationError.UNSUPPORTED_SAML_VERSION
+                )
+
+            # Checks that ID exists
+            if self.document.get('ID', None) is None:
+                raise OneLogin_Saml2_ValidationError(
+                    'Missing ID attribute on SAML Response',
+                    OneLogin_Saml2_ValidationError.MISSING_ID
+                )
+
+            # Checks that the response has the SUCCESS status
+            self.check_status()
+
+            # Checks that the response only has one assertion
+            if not self.validate_num_assertions():
+                raise OneLogin_Saml2_ValidationError(
+                    'SAML Response must contain 1 assertion',
+                    OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
+                )
+
+            idp_data = self._settings.get_idp_data()
+            idp_entity_id = idp_data['entityId']
+            sp_data = self._settings.get_sp_data()
+            sp_entity_id = sp_data['entityId']
+
+            signed_elements = self.process_signed_elements()
+
+            has_signed_response = '{%s}Response' % OneLogin_Saml2_Constants.NS_SAMLP in signed_elements
+            has_signed_assertion = '{%s}Assertion' % OneLogin_Saml2_Constants.NS_SAML in signed_elements
+
+            if self._settings.is_strict():
+                no_valid_xml_msg = 'Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd'
+                res = OneLogin_Saml2_XML.validate_xml(self.document, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
+                if isinstance(res, str):
+                    raise OneLogin_Saml2_ValidationError(
+                        no_valid_xml_msg,
+                        OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
+                    )
+
+                # If encrypted, check also the decrypted document
+                if self.encrypted:
+                    res = OneLogin_Saml2_XML.validate_xml(self.decrypted_document, 'saml-schema-protocol-2.0.xsd', self._settings.is_debug_active())
+                    if isinstance(res, str):
+                        raise OneLogin_Saml2_ValidationError(
+                            no_valid_xml_msg,
+                            OneLogin_Saml2_ValidationError.INVALID_XML_FORMAT
+                        )
+
+                security = self._settings.get_security_data()
+                current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
+
+                # Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
+                in_response_to = self.get_in_response_to()
+                if in_response_to is not None and request_id is not None:
+                    if in_response_to != request_id:
+                        raise OneLogin_Saml2_ValidationError(
+                            'The InResponseTo of the Response: %s, does not match the ID of the AuthNRequest sent by the SP: %s' % (in_response_to, request_id),
+                            OneLogin_Saml2_ValidationError.WRONG_INRESPONSETO
+                        )
+
+                if not self.encrypted and security['wantAssertionsEncrypted']:
+                    raise OneLogin_Saml2_ValidationError(
+                        'The assertion of the Response is not encrypted and the SP require it',
+                        OneLogin_Saml2_ValidationError.NO_ENCRYPTED_ASSERTION
+                    )
+
+                if security['wantNameIdEncrypted']:
+                    encrypted_nameid_nodes = self._query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
+                    if len(encrypted_nameid_nodes) != 1:
+                        raise OneLogin_Saml2_ValidationError(
+                            'The NameID of the Response is not encrypted and the SP require it',
+                            OneLogin_Saml2_ValidationError.NO_ENCRYPTED_NAMEID
+                        )
+
+                # Checks that a Conditions element exists
+                if not self.check_one_condition():
+                    raise OneLogin_Saml2_ValidationError(
+                        'The Assertion must include a Conditions element',
+                        OneLogin_Saml2_ValidationError.MISSING_CONDITIONS
+                    )
+
+                # Validates Assertion timestamps
+                self.validate_timestamps(raise_exceptions=True)
+
+                # Checks that an AuthnStatement element exists and is unique
+                if not self.check_one_authnstatement():
+                    raise OneLogin_Saml2_ValidationError(
+                        'The Assertion must include an AuthnStatement element',
+                        OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_AUTHSTATEMENTS
+                    )
+
+                # Checks that the response has all of the AuthnContexts that we provided in the request.
+                # Only check if failOnAuthnContextMismatch is true and requestedAuthnContext is set to a list.
+                requested_authn_contexts = security['requestedAuthnContext']
+                if security['failOnAuthnContextMismatch'] and requested_authn_contexts and requested_authn_contexts is not True:
+                    authn_contexts = self.get_authn_contexts()
+                    unmatched_contexts = set(authn_contexts).difference(requested_authn_contexts)
+                    if unmatched_contexts:
+                        raise OneLogin_Saml2_ValidationError(
+                            'The AuthnContext "%s" was not a requested context "%s"' % (', '.join(unmatched_contexts), ', '.join(requested_authn_contexts)),
+                            OneLogin_Saml2_ValidationError.AUTHN_CONTEXT_MISMATCH
+                        )
+
+                # Checks that there is at least one AttributeStatement if required
+                attribute_statement_nodes = self._query_assertion('/saml:AttributeStatement')
+                if security.get('wantAttributeStatement', True) and not attribute_statement_nodes:
+                    raise OneLogin_Saml2_ValidationError(
+                        'There is no AttributeStatement on the Response',
+                        OneLogin_Saml2_ValidationError.NO_ATTRIBUTESTATEMENT
+                    )
+
+                encrypted_attributes_nodes = self._query_assertion('/saml:AttributeStatement/saml:EncryptedAttribute')
+                if encrypted_attributes_nodes:
+                    raise OneLogin_Saml2_ValidationError(
+                        'There is an EncryptedAttribute in the Response and this SP not support them',
+                        OneLogin_Saml2_ValidationError.ENCRYPTED_ATTRIBUTES
+                    )
+
+                # Checks destination
+                destination = self.document.get('Destination', None)
+                if destination:
+                    if not OneLogin_Saml2_Utils.normalize_url(url=destination).startswith(OneLogin_Saml2_Utils.normalize_url(url=current_url)):
+                        # TODO: Review if following lines are required, since we can control the
+                        # request_data
+                        #  current_url_routed = OneLogin_Saml2_Utils.get_self_routed_url_no_query(request_data)
+                        #  if not destination.startswith(current_url_routed):
+                        raise OneLogin_Saml2_ValidationError(
+                            'The response was received at %s instead of %s' % (current_url, destination),
+                            OneLogin_Saml2_ValidationError.WRONG_DESTINATION
+                        )
+                elif destination == '':
+                    raise OneLogin_Saml2_ValidationError(
+                        'The response has an empty Destination value',
+                        OneLogin_Saml2_ValidationError.EMPTY_DESTINATION
+                    )
+                # Checks audience
+                valid_audiences = self.get_audiences()
+                if valid_audiences and sp_entity_id not in valid_audiences:
+                    raise OneLogin_Saml2_ValidationError(
+                        '%s is not a valid audience for this Response' % sp_entity_id,
+                        OneLogin_Saml2_ValidationError.WRONG_AUDIENCE
+                    )
+
+                # Checks the issuers
+                issuers = self.get_issuers()
+                for issuer in issuers:
+                    if issuer is None or issuer != idp_entity_id:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Invalid issuer in the Assertion/Response (expected %(idpEntityId)s, got %(issuer)s)' %
+                            {
+                                'idpEntityId': idp_entity_id,
+                                'issuer': issuer
+                            },
+                            OneLogin_Saml2_ValidationError.WRONG_ISSUER
+                        )
+
+                # Checks the session Expiration
+                session_expiration = self.get_session_not_on_or_after()
+                if session_expiration and session_expiration <= OneLogin_Saml2_Utils.now():
+                    raise OneLogin_Saml2_ValidationError(
+                        'The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response',
+                        OneLogin_Saml2_ValidationError.SESSION_EXPIRED
+                    )
+
+                # Checks the SubjectConfirmation, at least one SubjectConfirmation must be valid
+                any_subject_confirmation = False
+                subject_confirmation_nodes = self._query_assertion('/saml:Subject/saml:SubjectConfirmation')
+
+                for scn in subject_confirmation_nodes:
+                    method = scn.get('Method', None)
+                    if method and method != OneLogin_Saml2_Constants.CM_BEARER:
+                        continue
+                    sc_data = scn.find('saml:SubjectConfirmationData', namespaces=OneLogin_Saml2_Constants.NSMAP)
+                    if sc_data is None:
+                        continue
+                    else:
+                        irt = sc_data.get('InResponseTo', None)
+                        if in_response_to and irt and irt != in_response_to:
+                            continue
+                        recipient = sc_data.get('Recipient', None)
+                        if recipient and current_url not in recipient:
+                            continue
+                        nooa = sc_data.get('NotOnOrAfter', None)
+                        if nooa:
+                            parsed_nooa = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
+                            if parsed_nooa <= OneLogin_Saml2_Utils.now():
+                                continue
+                        nb = sc_data.get('NotBefore', None)
+                        if nb:
+                            parsed_nb = OneLogin_Saml2_Utils.parse_SAML_to_time(nb)
+                            if parsed_nb > OneLogin_Saml2_Utils.now():
+                                continue
+
+                        if nooa:
+                            self.valid_scd_not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
+
+                        any_subject_confirmation = True
+                        break
+
+                if not any_subject_confirmation:
+                    raise OneLogin_Saml2_ValidationError(
+                        'A valid SubjectConfirmation was not found on this Response',
+                        OneLogin_Saml2_ValidationError.WRONG_SUBJECTCONFIRMATION
+                    )
+
+                if security['wantAssertionsSigned'] and not has_signed_assertion:
+                    raise OneLogin_Saml2_ValidationError(
+                        'The Assertion of the Response is not signed and the SP require it',
+                        OneLogin_Saml2_ValidationError.NO_SIGNED_ASSERTION
+                    )
+
+                if security['wantMessagesSigned'] and not has_signed_response:
+                    raise OneLogin_Saml2_ValidationError(
+                        'The Message of the Response is not signed and the SP require it',
+                        OneLogin_Saml2_ValidationError.NO_SIGNED_MESSAGE
+                    )
+
+            if not signed_elements or (not has_signed_response and not has_signed_assertion):
+                raise OneLogin_Saml2_ValidationError(
+                    'No Signature found. SAML Response rejected',
+                    OneLogin_Saml2_ValidationError.NO_SIGNATURE_FOUND
+                )
+            else:
+                cert = self._settings.get_idp_cert()
+                fingerprint = idp_data.get('certFingerprint', None)
+                if fingerprint:
+                    fingerprint = OneLogin_Saml2_Utils.format_finger_print(fingerprint)
+                fingerprintalg = idp_data.get('certFingerprintAlgorithm', None)
+
+                multicerts = None
+                if 'x509certMulti' in idp_data and 'signing' in idp_data['x509certMulti'] and idp_data['x509certMulti']['signing']:
+                    multicerts = idp_data['x509certMulti']['signing']
+
+                # If find a Signature on the Response, validates it checking the original response
+                if has_signed_response and not OneLogin_Saml2_Utils.validate_sign(self.document, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH, multicerts=multicerts, raise_exceptions=False):
+                    raise OneLogin_Saml2_ValidationError(
+                        'Signature validation failed. SAML Response rejected',
+                        OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                    )
+
+                document_check_assertion = self.decrypted_document if self.encrypted else self.document
+                if has_signed_assertion and not OneLogin_Saml2_Utils.validate_sign(document_check_assertion, cert, fingerprint, fingerprintalg, xpath=OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH, multicerts=multicerts, raise_exceptions=False):
+                    raise OneLogin_Saml2_ValidationError(
+                        'Signature validation failed. SAML Response rejected',
+                        OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                    )
+
+            return True
+        except Exception as err:
+            self._error = str(err)
+            debug = self._settings.is_debug_active()
+            if debug:
+                print(err)
+            if raise_exceptions:
+                raise
+            return False
    
+
+
    [docs]    def check_status(self):
+        """
+        Check if the status of the response is success or not
+
+        :raises: Exception. If the status is not success
+        """
+        status = OneLogin_Saml2_Utils.get_status(self.document)
+        code = status.get('code', None)
+        if code and code != OneLogin_Saml2_Constants.STATUS_SUCCESS:
+            splited_code = code.split(':')
+            printable_code = splited_code.pop()
+            status_exception_msg = 'The status code of the Response was not Success, was %s' % printable_code
+            status_msg = status.get('msg', None)
+            if status_msg:
+                status_exception_msg += ' -> ' + status_msg
+            raise OneLogin_Saml2_ValidationError(
+                status_exception_msg,
+                OneLogin_Saml2_ValidationError.STATUS_CODE_IS_NOT_SUCCESS
+            )
    
+
+
    [docs]    def check_one_condition(self):
+        """
+        Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
+        """
+        condition_nodes = self._query_assertion('/saml:Conditions')
+        if len(condition_nodes) == 1:
+            return True
+        else:
+            return False
    
+
+
    [docs]    def check_one_authnstatement(self):
+        """
+        Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
+        """
+        authnstatement_nodes = self._query_assertion('/saml:AuthnStatement')
+        if len(authnstatement_nodes) == 1:
+            return True
+        else:
+            return False
    
+
+
    [docs]    def get_audiences(self):
+        """
+        Gets the audiences
+
+        :returns: The valid audiences for the SAML Response
+        :rtype: list
+        """
+        audience_nodes = self._query_assertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience')
+        return [OneLogin_Saml2_XML.element_text(node) for node in audience_nodes if OneLogin_Saml2_XML.element_text(node) is not None]
    
+
+
    [docs]    def get_authn_contexts(self):
+        """
+        Gets the authentication contexts
+
+        :returns: The authentication classes for the SAML Response
+        :rtype: list
+        """
+        authn_context_nodes = self._query_assertion('/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef')
+        return [OneLogin_Saml2_XML.element_text(node) for node in authn_context_nodes]
    
+
+
    [docs]    def get_in_response_to(self):
+        """
+        Gets the ID of the request which this response is in response to
+        :returns: ID of AuthNRequest this Response is in response to or None if it is not present
+        :rtype: str
+        """
+        return self.document.get('InResponseTo')
    
+
+
    [docs]    def get_issuers(self):
+        """
+        Gets the issuers (from message and from assertion)
+
+        :returns: The issuers
+        :rtype: list
+        """
+        issuers = set()
+
+        message_issuer_nodes = OneLogin_Saml2_XML.query(self.document, '/samlp:Response/saml:Issuer')
+        if len(message_issuer_nodes) > 0:
+            if len(message_issuer_nodes) == 1:
+                issuer_value = OneLogin_Saml2_XML.element_text(message_issuer_nodes[0])
+                if issuer_value:
+                    issuers.add(issuer_value)
+            else:
+                raise OneLogin_Saml2_ValidationError(
+                    'Issuer of the Response is multiple.',
+                    OneLogin_Saml2_ValidationError.ISSUER_MULTIPLE_IN_RESPONSE
+                )
+
+        assertion_issuer_nodes = self._query_assertion('/saml:Issuer')
+        if len(assertion_issuer_nodes) == 1:
+            issuer_value = OneLogin_Saml2_XML.element_text(assertion_issuer_nodes[0])
+            if issuer_value:
+                issuers.add(issuer_value)
+        else:
+            raise OneLogin_Saml2_ValidationError(
+                'Issuer of the Assertion not found or multiple.',
+                OneLogin_Saml2_ValidationError.ISSUER_NOT_FOUND_IN_ASSERTION
+            )
+
+        return list(set(issuers))
    
+
+
    [docs]    def get_nameid_data(self):
+        """
+        Gets the NameID Data provided by the SAML Response from the IdP
+
+        :returns: Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
+        :rtype: dict
+        """
+        nameid = None
+        nameid_data = {}
+
+        encrypted_id_data_nodes = self._query_assertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')
+        if encrypted_id_data_nodes:
+            encrypted_data = encrypted_id_data_nodes[0]
+            key = self._settings.get_sp_key()
+            nameid = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key)
+        else:
+            nameid_nodes = self._query_assertion('/saml:Subject/saml:NameID')
+            if nameid_nodes:
+                nameid = nameid_nodes[0]
+
+        is_strict = self._settings.is_strict()
+        want_nameid = self._settings.get_security_data().get('wantNameId', True)
+        if nameid is None:
+            if is_strict and want_nameid:
+                raise OneLogin_Saml2_ValidationError(
+                    'NameID not found in the assertion of the Response',
+                    OneLogin_Saml2_ValidationError.NO_NAMEID
+                )
+        else:
+            if is_strict and want_nameid and not OneLogin_Saml2_XML.element_text(nameid):
+                raise OneLogin_Saml2_ValidationError(
+                    'An empty NameID value found',
+                    OneLogin_Saml2_ValidationError.EMPTY_NAMEID
+                )
+
+            nameid_data = {'Value': OneLogin_Saml2_XML.element_text(nameid)}
+            for attr in ['Format', 'SPNameQualifier', 'NameQualifier']:
+                value = nameid.get(attr, None)
+                if value:
+                    if is_strict and attr == 'SPNameQualifier':
+                        sp_data = self._settings.get_sp_data()
+                        sp_entity_id = sp_data.get('entityId', '')
+                        if sp_entity_id != value:
+                            raise OneLogin_Saml2_ValidationError(
+                                'The SPNameQualifier value mistmatch the SP entityID value.',
+                                OneLogin_Saml2_ValidationError.SP_NAME_QUALIFIER_NAME_MISMATCH
+                            )
+
+                    nameid_data[attr] = value
+        return nameid_data
    
+
+
    [docs]    def get_nameid(self):
+        """
+        Gets the NameID provided by the SAML Response from the IdP
+
+        :returns: NameID (value)
+        :rtype: string|None
+        """
+        nameid_value = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'Value' in nameid_data.keys():
+            nameid_value = nameid_data['Value']
+        return nameid_value
    
+
+
    [docs]    def get_nameid_format(self):
+        """
+        Gets the NameID Format provided by the SAML Response from the IdP
+
+        :returns: NameID Format
+        :rtype: string|None
+        """
+        nameid_format = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'Format' in nameid_data.keys():
+            nameid_format = nameid_data['Format']
+        return nameid_format
    
+
+
    [docs]    def get_nameid_nq(self):
+        """
+        Gets the NameID NameQualifier provided by the SAML Response from the IdP
+
+        :returns: NameID NameQualifier
+        :rtype: string|None
+        """
+        nameid_nq = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'NameQualifier' in nameid_data.keys():
+            nameid_nq = nameid_data['NameQualifier']
+        return nameid_nq
    
+
+
    [docs]    def get_nameid_spnq(self):
+        """
+        Gets the NameID SP NameQualifier provided by the SAML response from the IdP.
+
+        :returns: NameID SP NameQualifier
+        :rtype: string|None
+        """
+        nameid_spnq = None
+        nameid_data = self.get_nameid_data()
+        if nameid_data and 'SPNameQualifier' in nameid_data.keys():
+            nameid_spnq = nameid_data['SPNameQualifier']
+        return nameid_spnq
    
+
+
    [docs]    def get_session_not_on_or_after(self):
+        """
+        Gets the SessionNotOnOrAfter from the AuthnStatement
+        Could be used to set the local session expiration
+
+        :returns: The SessionNotOnOrAfter value
+        :rtype: time|None
+        """
+        not_on_or_after = None
+        authn_statement_nodes = self._query_assertion('/saml:AuthnStatement[@SessionNotOnOrAfter]')
+        if authn_statement_nodes:
+            not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(authn_statement_nodes[0].get('SessionNotOnOrAfter'))
+        return not_on_or_after
    
+
+
    [docs]    def get_assertion_not_on_or_after(self):
+        """
+        Returns the NotOnOrAfter value of the valid SubjectConfirmationData node if any
+        """
+        return self.valid_scd_not_on_or_after
    
+
+
    [docs]    def get_session_index(self):
+        """
+        Gets the SessionIndex from the AuthnStatement
+        Could be used to be stored in the local session in order
+        to be used in a future Logout Request that the SP could
+        send to the SP, to set what specific session must be deleted
+
+        :returns: The SessionIndex value
+        :rtype: string|None
+        """
+        session_index = None
+        authn_statement_nodes = self._query_assertion('/saml:AuthnStatement[@SessionIndex]')
+        if authn_statement_nodes:
+            session_index = authn_statement_nodes[0].get('SessionIndex')
+        return session_index
    
+
+
    [docs]    def get_attributes(self):
+        """
+        Gets the Attributes from the AttributeStatement element.
+        EncryptedAttributes are not supported
+        """
+        return self._get_attributes('Name')
    
+
+
    [docs]    def get_friendlyname_attributes(self):
+        """
+        Gets the Attributes from the AttributeStatement element indexed by FiendlyName.
+        EncryptedAttributes are not supported
+        """
+        return self._get_attributes('FriendlyName')
    
+
+    def _get_attributes(self, attr_name):
+        allow_duplicates = self._settings.get_security_data().get('allowRepeatAttributeName', False)
+        attributes = {}
+        attribute_nodes = self._query_assertion('/saml:AttributeStatement/saml:Attribute')
+        for attribute_node in attribute_nodes:
+            attr_key = attribute_node.get(attr_name)
+            if attr_key:
+                if not allow_duplicates and attr_key in attributes:
+                    raise OneLogin_Saml2_ValidationError(
+                        'Found an Attribute element with duplicated ' + attr_name,
+                        OneLogin_Saml2_ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND
+                    )
+
+                values = []
+                for attr in attribute_node.iterchildren('{%s}AttributeValue' % OneLogin_Saml2_Constants.NSMAP['saml']):
+                    attr_text = OneLogin_Saml2_XML.element_text(attr)
+                    if attr_text:
+                        attr_text = attr_text.strip()
+                        if attr_text:
+                            values.append(attr_text)
+
+                    # Parse any nested NameID children
+                    for nameid in attr.iterchildren('{%s}NameID' % OneLogin_Saml2_Constants.NSMAP['saml']):
+                        values.append({
+                            'NameID': {
+                                'Format': nameid.get('Format'),
+                                'NameQualifier': nameid.get('NameQualifier'),
+                                'value': nameid.text
+                            }
+                        })
+                if attr_key in attributes:
+                    attributes[attr_key].extend(values)
+                else:
+                    attributes[attr_key] = values
+        return attributes
+
+
    [docs]    def validate_num_assertions(self):
+        """
+        Verifies that the document only contains a single Assertion (encrypted or not)
+
+        :returns: True if only 1 assertion encrypted or not
+        :rtype: bool
+        """
+        encrypted_assertion_nodes = OneLogin_Saml2_XML.query(self.document, '//saml:EncryptedAssertion')
+        assertion_nodes = OneLogin_Saml2_XML.query(self.document, '//saml:Assertion')
+
+        valid = len(encrypted_assertion_nodes) + len(assertion_nodes) == 1
+
+        if (self.encrypted):
+            assertion_nodes = OneLogin_Saml2_XML.query(self.decrypted_document, '//saml:Assertion')
+            valid = valid and len(assertion_nodes) == 1
+
+        return valid
    
+
+
    [docs]    def process_signed_elements(self):
+        """
+        Verifies the signature nodes:
+         - Checks that are Response or Assertion
+         - Check that IDs and reference URI are unique and consistent.
+
+        :returns: The signed elements tag names
+        :rtype: list
+        """
+        sign_nodes = self._query('//ds:Signature')
+
+        signed_elements = []
+        verified_seis = []
+        verified_ids = []
+        response_tag = '{%s}Response' % OneLogin_Saml2_Constants.NS_SAMLP
+        assertion_tag = '{%s}Assertion' % OneLogin_Saml2_Constants.NS_SAML
+
+        security = self._settings.get_security_data()
+        reject_deprecated_alg = security.get('rejectDeprecatedAlgorithm', False)
+
+        for sign_node in sign_nodes:
+            signed_element = sign_node.getparent().tag
+            if signed_element != response_tag and signed_element != assertion_tag:
+                raise OneLogin_Saml2_ValidationError(
+                    'Invalid Signature Element %s SAML Response rejected' % signed_element,
+                    OneLogin_Saml2_ValidationError.WRONG_SIGNED_ELEMENT
+                )
+
+            if not sign_node.getparent().get('ID'):
+                raise OneLogin_Saml2_ValidationError(
+                    'Signed Element must contain an ID. SAML Response rejected',
+                    OneLogin_Saml2_ValidationError.ID_NOT_FOUND_IN_SIGNED_ELEMENT
+                )
+
+            id_value = sign_node.getparent().get('ID')
+            if id_value in verified_ids:
+                raise OneLogin_Saml2_ValidationError(
+                    'Duplicated ID. SAML Response rejected',
+                    OneLogin_Saml2_ValidationError.DUPLICATED_ID_IN_SIGNED_ELEMENTS
+                )
+            verified_ids.append(id_value)
+
+            # Check that reference URI matches the parent ID and no duplicate References or IDs
+            ref = OneLogin_Saml2_XML.query(sign_node, './/ds:Reference')
+            if ref:
+                ref = ref[0]
+                if ref.get('URI'):
+                    sei = ref.get('URI')[1:]
+
+                    if sei != id_value:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Found an invalid Signed Element. SAML Response rejected',
+                            OneLogin_Saml2_ValidationError.INVALID_SIGNED_ELEMENT
+                        )
+
+                    if sei in verified_seis:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Duplicated Reference URI. SAML Response rejected',
+                            OneLogin_Saml2_ValidationError.DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS
+                        )
+                    verified_seis.append(sei)
+
+            # Check the signature and digest algorithm
+            if reject_deprecated_alg:
+                sig_method_node = OneLogin_Saml2_XML.query(sign_node, './/ds:SignatureMethod')
+                if sig_method_node:
+                    sig_method = sig_method_node[0].get("Algorithm")
+                    if sig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated signature algorithm found: %s' % sig_method,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_SIGNATURE_METHOD
+                        )
+
+                dig_method_node = OneLogin_Saml2_XML.query(sign_node, './/ds:DigestMethod')
+                if dig_method_node:
+                    dig_method = dig_method_node[0].get("Algorithm")
+                    if dig_method in OneLogin_Saml2_Constants.DEPRECATED_ALGORITHMS:
+                        raise OneLogin_Saml2_ValidationError(
+                            'Deprecated digest algorithm found: %s' % dig_method,
+                            OneLogin_Saml2_ValidationError.DEPRECATED_DIGEST_METHOD
+                        )
+
+            signed_elements.append(signed_element)
+
+        if signed_elements:
+            if not self.validate_signed_elements(signed_elements, raise_exceptions=True):
+                raise OneLogin_Saml2_ValidationError(
+                    'Found an unexpected Signature Element. SAML Response rejected',
+                    OneLogin_Saml2_ValidationError.UNEXPECTED_SIGNED_ELEMENTS
+                )
+        return signed_elements
    
+
+
    [docs]    @return_false_on_exception
+    def validate_signed_elements(self, signed_elements):
+        """
+        Verifies that the document has the expected signed nodes.
+
+        :param signed_elements: The signed elements to be checked
+        :type signed_elements: list
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+        """
+        if len(signed_elements) > 2:
+            return False
+
+        response_tag = '{%s}Response' % OneLogin_Saml2_Constants.NS_SAMLP
+        assertion_tag = '{%s}Assertion' % OneLogin_Saml2_Constants.NS_SAML
+
+        if (response_tag in signed_elements and signed_elements.count(response_tag) > 1) or \
+           (assertion_tag in signed_elements and signed_elements.count(assertion_tag) > 1) or \
+           (response_tag not in signed_elements and assertion_tag not in signed_elements):
+            return False
+
+        # Check that the signed elements found here, are the ones that will be verified
+        # by OneLogin_Saml2_Utils.validate_sign
+        if response_tag in signed_elements:
+            expected_signature_nodes = OneLogin_Saml2_XML.query(self.document, OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH)
+            if len(expected_signature_nodes) != 1:
+                raise OneLogin_Saml2_ValidationError(
+                    'Unexpected number of Response signatures found. SAML Response rejected.',
+                    OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE
+                )
+
+        if assertion_tag in signed_elements:
+            expected_signature_nodes = self._query(OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH)
+            if len(expected_signature_nodes) != 1:
+                raise OneLogin_Saml2_ValidationError(
+                    'Unexpected number of Assertion signatures found. SAML Response rejected.',
+                    OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION
+                )
+
+        return True
    
+
+
    [docs]    @return_false_on_exception
+    def validate_timestamps(self):
+        """
+        Verifies that the document is valid according to Conditions Element
+
+        :returns: True if the condition is valid, False otherwise
+        :rtype: bool
+        """
+        conditions_nodes = self._query_assertion('/saml:Conditions')
+
+        for conditions_node in conditions_nodes:
+            nb_attr = conditions_node.get('NotBefore')
+            nooa_attr = conditions_node.get('NotOnOrAfter')
+            if nb_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nb_attr) > OneLogin_Saml2_Utils.now() + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT:
+                raise OneLogin_Saml2_ValidationError(
+                    'Could not validate timestamp: not yet valid. Check system clock.',
+                    OneLogin_Saml2_ValidationError.ASSERTION_TOO_EARLY
+                )
+            if nooa_attr and OneLogin_Saml2_Utils.parse_SAML_to_time(nooa_attr) + OneLogin_Saml2_Constants.ALLOWED_CLOCK_DRIFT <= OneLogin_Saml2_Utils.now():
+                raise OneLogin_Saml2_ValidationError(
+                    'Could not validate timestamp: expired. Check system clock.',
+                    OneLogin_Saml2_ValidationError.ASSERTION_EXPIRED
+                )
+        return True
    
+
+    def _query_assertion(self, xpath_expr):
+        """
+        Extracts nodes that match the query from the Assertion
+
+        :param xpath_expr: Xpath Expresion
+        :type xpath_expr: String
+
+        :returns: The queried nodes
+        :rtype: list
+        """
+
+        assertion_expr = '/saml:Assertion'
+        signature_expr = '/ds:Signature/ds:SignedInfo/ds:Reference'
+        signed_assertion_query = '/samlp:Response' + assertion_expr + signature_expr
+        assertion_reference_nodes = self._query(signed_assertion_query)
+        tagid = None
+
+        if not assertion_reference_nodes:
+            # Check if the message is signed
+            signed_message_query = '/samlp:Response' + signature_expr
+            message_reference_nodes = self._query(signed_message_query)
+            if message_reference_nodes:
+                message_id = message_reference_nodes[0].get('URI')
+                final_query = "/samlp:Response[@ID=$tagid]/"
+                tagid = message_id[1:]
+            else:
+                final_query = "/samlp:Response"
+            final_query += assertion_expr
+        else:
+            assertion_id = assertion_reference_nodes[0].get('URI')
+            final_query = '/samlp:Response' + assertion_expr + "[@ID=$tagid]"
+            tagid = assertion_id[1:]
+        final_query += xpath_expr
+        return self._query(final_query, tagid)
+
+    def _query(self, query, tagid=None):
+        """
+        Extracts nodes that match the query from the Response
+
+        :param query: Xpath Expresion
+        :type query: String
+
+        :param tagid: Tag ID
+        :type query: String
+
+        :returns: The queried nodes
+        :rtype: list
+        """
+        if self.encrypted:
+            document = self.decrypted_document
+        else:
+            document = self.document
+        return OneLogin_Saml2_XML.query(document, query, None, tagid)
+
+    def _decrypt_assertion(self, xml):
+        """
+        Decrypts the Assertion
+
+        :raises: Exception if no private key available
+        :param xml: Encrypted Assertion
+        :type xml: Element
+        :returns: Decrypted Assertion
+        :rtype: Element
+        """
+        key = self._settings.get_sp_key()
+        debug = self._settings.is_debug_active()
+
+        if not key:
+            raise OneLogin_Saml2_Error(
+                'No private key available to decrypt the assertion, check settings',
+                OneLogin_Saml2_Error.PRIVATE_KEY_NOT_FOUND
+            )
+
+        encrypted_assertion_nodes = OneLogin_Saml2_XML.query(xml, '/samlp:Response/saml:EncryptedAssertion')
+        if encrypted_assertion_nodes:
+            encrypted_data_nodes = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData')
+            if encrypted_data_nodes:
+                keyinfo = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], '//saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo')
+                if not keyinfo:
+                    raise OneLogin_Saml2_ValidationError(
+                        'No KeyInfo present, invalid Assertion',
+                        OneLogin_Saml2_ValidationError.KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA
+                    )
+                keyinfo = keyinfo[0]
+                children = keyinfo.getchildren()
+                if not children:
+                    raise OneLogin_Saml2_ValidationError(
+                        'KeyInfo has no children nodes, invalid Assertion',
+                        OneLogin_Saml2_ValidationError.CHILDREN_NODE_NOT_FOUND_IN_KEYINFO
+                    )
+                for child in children:
+                    if 'RetrievalMethod' in child.tag:
+                        if child.attrib['Type'] != 'http://www.w3.org/2001/04/xmlenc#EncryptedKey':
+                            raise OneLogin_Saml2_ValidationError(
+                                'Unsupported Retrieval Method found',
+                                OneLogin_Saml2_ValidationError.UNSUPPORTED_RETRIEVAL_METHOD
+                            )
+                        uri = child.attrib['URI']
+                        if not uri.startswith('#'):
+                            break
+                        uri = uri.split('#')[1]
+                        encrypted_key = OneLogin_Saml2_XML.query(encrypted_assertion_nodes[0], './xenc:EncryptedKey[@Id=$tagid]', None, uri)
+                        if encrypted_key:
+                            keyinfo.append(encrypted_key[0])
+
+                encrypted_data = encrypted_data_nodes[0]
+                decrypted = OneLogin_Saml2_Utils.decrypt_element(encrypted_data, key, debug=debug, inplace=True)
+                xml.replace(encrypted_assertion_nodes[0], decrypted)
+        return xml
+
+
    [docs]    def get_error(self):
+        """
+        After executing a validation process, if it fails this method returns the cause
+        """
+        return self._error
    
+
+
    [docs]    def get_xml_document(self):
+        """
+        Returns the SAML Response document (If contains an encrypted assertion, decrypts it)
+
+        :return: Decrypted XML response document
+        :rtype: DOMDocument
+        """
+        if self.encrypted:
+            return self.decrypted_document
+        else:
+            return self.document
    
+
+
    [docs]    def get_id(self):
+        """
+        :returns: the ID of the response
+        :rtype: string
+        """
+        return self.document.get('ID', None)
    
+
+
    [docs]    def get_assertion_id(self):
+        """
+        :returns: the ID of the assertion in the response
+        :rtype: string
+        """
+        if not self.validate_num_assertions():
+            raise OneLogin_Saml2_ValidationError(
+                'SAML Response must contain 1 assertion',
+                OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
+            )
+        return self._query_assertion('')[0].get('ID', None)
    
+
+
    [docs]    def get_assertion_issue_instant(self):
+        """
+        :returns: the IssueInstant of the assertion in the response
+        :rtype: unix/posix timestamp|None
+        """
+        if not self.validate_num_assertions():
+            raise OneLogin_Saml2_ValidationError(
+                'SAML Response must contain 1 assertion',
+                OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_ASSERTIONS
+            )
+        issue_instant = self._query_assertion('')[0].get('IssueInstant', None)
+        return OneLogin_Saml2_Utils.parse_SAML_to_time(issue_instant)
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/settings.html b/docs/saml2/_modules/onelogin/saml2/settings.html
new file mode 100644
index 00000000..70185c17
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/settings.html
@@ -0,0 +1,961 @@
+
+
+
+  
+  
+  onelogin.saml2.settings — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.settings
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Settings class
+
+Copyright (c) 2010-2021 OneLogin, Inc.
+MIT License
+
+Setting class of OneLogin's Python Toolkit.
+
+"""
+from time import time
+import re
+from os.path import dirname, exists, join, sep
+
+from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.errors import OneLogin_Saml2_Error
+from onelogin.saml2.metadata import OneLogin_Saml2_Metadata
+from onelogin.saml2.utils import OneLogin_Saml2_Utils
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+try:
+    import ujson as json
+except ImportError:
+    import json
+
+try:
+    basestring
+except NameError:
+    basestring = str
+
+# Regex from Django Software Foundation and individual contributors.
+# Released under a BSD 3-Clause License
+url_regex = re.compile(
+    r'^(?:[a-z0-9\.\-]*)://'  # scheme is validated separately
+    r'(?:(?:[A-Z0-9_](?:[A-Z0-9-_]{0,61}[A-Z0-9_])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...
+    r'localhost|'  # localhost...
+    r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4
+    r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
+    r'(?::\d+)?'  # optional port
+    r'(?:/?|[/?]\S+)$', re.IGNORECASE)
+url_regex_single_label_domain = re.compile(
+    r'^(?:[a-z0-9\.\-]*)://'  # scheme is validated separately
+    r'(?:(?:[A-Z0-9_](?:[A-Z0-9-_]{0,61}[A-Z0-9_])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...
+    r'(?:[A-Z0-9_](?:[A-Z0-9-_]{0,61}[A-Z0-9_]))|'  # single-label-domain
+    r'localhost|'  # localhost...
+    r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4
+    r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
+    r'(?::\d+)?'  # optional port
+    r'(?:/?|[/?]\S+)$', re.IGNORECASE)
+url_schemes = ['http', 'https', 'ftp', 'ftps']
+
+
+
    [docs]def validate_url(url, allow_single_label_domain=False):
+    """
+    Auxiliary method to validate an urllib
+    :param url: An url to be validated
+    :type url: string
+    :param allow_single_label_domain: In order to allow or not single label domain
+    :type url: bool
+    :returns: True if the url is valid
+    :rtype: bool
+    """
+
+    scheme = url.split('://')[0].lower()
+    if scheme not in url_schemes:
+        return False
+    if allow_single_label_domain:
+        if not bool(url_regex_single_label_domain.search(url)):
+            return False
+    else:
+        if not bool(url_regex.search(url)):
+            return False
+    return True
    
+
+
+
    [docs]class OneLogin_Saml2_Settings(object):
+    """
+
+    Handles the settings of the Python toolkits.
+
+    """
+
+    metadata_class = OneLogin_Saml2_Metadata
+
+    def __init__(self, settings=None, custom_base_path=None, sp_validation_only=False):
+        """
+        Initializes the settings:
+        - Sets the paths of the different folders
+        - Loads settings info from settings file or array/object provided
+
+        :param settings: SAML Toolkit Settings
+        :type settings: dict
+
+        :param custom_base_path: Path where are stored the settings file and the cert folder
+        :type custom_base_path: string
+
+        :param sp_validation_only: Avoid the IdP validation
+        :type sp_validation_only: boolean
+        """
+        self._sp_validation_only = sp_validation_only
+        self._paths = {}
+        self._strict = True
+        self._debug = False
+        self._sp = {}
+        self._idp = {}
+        self._security = {}
+        self._contacts = {}
+        self._organization = {}
+        self._errors = []
+
+        self._load_paths(base_path=custom_base_path)
+        self._update_paths(settings)
+
+        if settings is None:
+            try:
+                valid = self._load_settings_from_file()
+            except Exception as e:
+                raise e
+            if not valid:
+                raise OneLogin_Saml2_Error(
+                    'Invalid dict settings at the file: %s',
+                    OneLogin_Saml2_Error.SETTINGS_INVALID,
+                    ','.join(self._errors)
+                )
+        elif isinstance(settings, dict):
+            if not self._load_settings_from_dict(settings):
+                raise OneLogin_Saml2_Error(
+                    'Invalid dict settings: %s',
+                    OneLogin_Saml2_Error.SETTINGS_INVALID,
+                    ','.join(self._errors)
+                )
+        else:
+            raise OneLogin_Saml2_Error(
+                'Unsupported settings object',
+                OneLogin_Saml2_Error.UNSUPPORTED_SETTINGS_OBJECT
+            )
+
+        self.format_idp_cert()
+        if 'x509certMulti' in self._idp:
+            self.format_idp_cert_multi()
+        self.format_sp_cert()
+        if 'x509certNew' in self._sp:
+            self.format_sp_cert_new()
+        self.format_sp_key()
+
+    def _load_paths(self, base_path=None):
+        """
+        Set the paths of the different folders
+        """
+        if base_path is None:
+            base_path = dirname(dirname(dirname(__file__)))
+        if not base_path.endswith(sep):
+            base_path += sep
+        self._paths = {
+            'base': base_path,
+            'cert': base_path + 'certs' + sep,
+            'lib': dirname(__file__) + sep
+        }
+
+    def _update_paths(self, settings):
+        """
+        Set custom paths if necessary
+        """
+        if not isinstance(settings, dict):
+            return
+
+        if 'custom_base_path' in settings:
+            base_path = settings['custom_base_path']
+            base_path = join(dirname(__file__), base_path)
+            self._load_paths(base_path)
+
+
    [docs]    def get_base_path(self):
+        """
+        Returns base path
+
+        :return: The base toolkit folder path
+        :rtype: string
+        """
+        return self._paths['base']
    
+
+
    [docs]    def get_cert_path(self):
+        """
+        Returns cert path
+
+        :return: The cert folder path
+        :rtype: string
+        """
+        return self._paths['cert']
    
+
+
    [docs]    def set_cert_path(self, path):
+        """
+        Set a new cert path
+        """
+        self._paths['cert'] = path
    
+
+
    [docs]    def get_lib_path(self):
+        """
+        Returns lib path
+
+        :return: The library folder path
+        :rtype: string
+        """
+        return self._paths['lib']
    
+
+
    [docs]    def get_schemas_path(self):
+        """
+        Returns schema path
+
+        :return: The schema folder path
+        :rtype: string
+        """
+        return self._paths['lib'] + 'schemas/'
    
+
+    def _load_settings_from_dict(self, settings):
+        """
+        Loads settings info from a settings Dict
+
+        :param settings: SAML Toolkit Settings
+        :type settings: dict
+
+        :returns: True if the settings info is valid
+        :rtype: boolean
+        """
+        errors = self.check_settings(settings)
+        if len(errors) == 0:
+            self._errors = []
+            self._sp = settings['sp']
+            self._idp = settings.get('idp', {})
+            self._strict = settings.get('strict', True)
+            self._debug = settings.get('debug', False)
+            self._security = settings.get('security', {})
+            self._contacts = settings.get('contactPerson', {})
+            self._organization = settings.get('organization', {})
+
+            self._add_default_values()
+            return True
+
+        self._errors = errors
+        return False
+
+    def _load_settings_from_file(self):
+        """
+        Loads settings info from the settings json file
+
+        :returns: True if the settings info is valid
+        :rtype: boolean
+        """
+        filename = self.get_base_path() + 'settings.json'
+
+        if not exists(filename):
+            raise OneLogin_Saml2_Error(
+                'Settings file not found: %s',
+                OneLogin_Saml2_Error.SETTINGS_FILE_NOT_FOUND,
+                filename
+            )
+
+        # In the php toolkit instead of being a json file it is a php file and
+        # it is directly included
+        with open(filename, 'r') as json_data:
+            settings = json.loads(json_data.read())
+
+        advanced_filename = self.get_base_path() + 'advanced_settings.json'
+        if exists(advanced_filename):
+            with open(advanced_filename, 'r') as json_data:
+                settings.update(json.loads(json_data.read()))  # Merge settings
+
+        return self._load_settings_from_dict(settings)
+
+    def _add_default_values(self):
+        """
+        Add default values if the settings info is not complete
+        """
+        self._sp.setdefault('assertionConsumerService', {})
+        self._sp['assertionConsumerService'].setdefault('binding', OneLogin_Saml2_Constants.BINDING_HTTP_POST)
+
+        self._sp.setdefault('attributeConsumingService', {})
+
+        self._sp.setdefault('singleLogoutService', {})
+        self._sp['singleLogoutService'].setdefault('binding', OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT)
+
+        self._idp.setdefault('singleLogoutService', {})
+
+        # Related to nameID
+        self._sp.setdefault('NameIDFormat', OneLogin_Saml2_Constants.NAMEID_UNSPECIFIED)
+        self._security.setdefault('nameIdEncrypted', False)
+
+        # Metadata format
+        self._security.setdefault('metadataValidUntil', None)  # None means use default
+        self._security.setdefault('metadataCacheDuration', None)  # None means use default
+
+        # Sign provided
+        self._security.setdefault('authnRequestsSigned', False)
+        self._security.setdefault('logoutRequestSigned', False)
+        self._security.setdefault('logoutResponseSigned', False)
+        self._security.setdefault('signMetadata', False)
+
+        # Sign expected
+        self._security.setdefault('wantMessagesSigned', False)
+        self._security.setdefault('wantAssertionsSigned', False)
+
+        # NameID element expected
+        self._security.setdefault('wantNameId', True)
+
+        # Encrypt expected
+        self._security.setdefault('wantAssertionsEncrypted', False)
+        self._security.setdefault('wantNameIdEncrypted', False)
+
+        # Signature Algorithm
+        self._security.setdefault('signatureAlgorithm', OneLogin_Saml2_Constants.RSA_SHA256)
+
+        # Digest Algorithm
+        self._security.setdefault('digestAlgorithm', OneLogin_Saml2_Constants.SHA256)
+
+        # Reject Deprecated Algorithms
+        self._security.setdefault('rejectDeprecatedAlgorithm', False)
+
+        # AttributeStatement required by default
+        self._security.setdefault('wantAttributeStatement', True)
+
+        # Disallow duplicate attribute names by default
+        self._security.setdefault('allowRepeatAttributeName', False)
+
+        self._idp.setdefault('x509cert', '')
+        self._idp.setdefault('certFingerprint', '')
+        self._idp.setdefault('certFingerprintAlgorithm', 'sha1')
+
+        self._sp.setdefault('x509cert', '')
+        self._sp.setdefault('privateKey', '')
+
+        self._security.setdefault('requestedAuthnContext', True)
+        self._security.setdefault('requestedAuthnContextComparison', 'exact')
+        self._security.setdefault('failOnAuthnContextMismatch', False)
+
+
    [docs]    def check_settings(self, settings):
+        """
+        Checks the settings info.
+
+        :param settings: Dict with settings data
+        :type settings: dict
+
+        :returns: Errors found on the settings data
+        :rtype: list
+        """
+        assert isinstance(settings, dict)
+
+        errors = []
+        if not isinstance(settings, dict) or len(settings) == 0:
+            errors.append('invalid_syntax')
+        else:
+            if not self._sp_validation_only:
+                errors += self.check_idp_settings(settings)
+            sp_errors = self.check_sp_settings(settings)
+            errors += sp_errors
+
+        return errors
    
+
+
    [docs]    def check_idp_settings(self, settings):
+        """
+        Checks the IdP settings info.
+        :param settings: Dict with settings data
+        :type settings: dict
+        :returns: Errors found on the IdP settings data
+        :rtype: list
+        """
+        assert isinstance(settings, dict)
+
+        errors = []
+        if not isinstance(settings, dict) or len(settings) == 0:
+            errors.append('invalid_syntax')
+        else:
+            if not settings.get('idp'):
+                errors.append('idp_not_found')
+            else:
+                allow_single_domain_urls = self._get_allow_single_label_domain(settings)
+                idp = settings['idp']
+                if not idp.get('entityId'):
+                    errors.append('idp_entityId_not_found')
+
+                if not idp.get('singleSignOnService', {}).get('url'):
+                    errors.append('idp_sso_not_found')
+                elif not validate_url(idp['singleSignOnService']['url'], allow_single_domain_urls):
+                    errors.append('idp_sso_url_invalid')
+
+                slo_url = idp.get('singleLogoutService', {}).get('url')
+                if slo_url and not validate_url(slo_url, allow_single_domain_urls):
+                    errors.append('idp_slo_url_invalid')
+
+                if 'security' in settings:
+                    security = settings['security']
+
+                    exists_x509 = bool(idp.get('x509cert'))
+                    exists_fingerprint = bool(idp.get('certFingerprint'))
+
+                    exists_multix509sign = 'x509certMulti' in idp and \
+                        'signing' in idp['x509certMulti'] and \
+                        idp['x509certMulti']['signing']
+                    exists_multix509enc = 'x509certMulti' in idp and \
+                        'encryption' in idp['x509certMulti'] and \
+                        idp['x509certMulti']['encryption']
+
+                    want_assert_sign = bool(security.get('wantAssertionsSigned'))
+                    want_mes_signed = bool(security.get('wantMessagesSigned'))
+                    nameid_enc = bool(security.get('nameIdEncrypted'))
+
+                    if (want_assert_sign or want_mes_signed) and \
+                            not (exists_x509 or exists_fingerprint or exists_multix509sign):
+                        errors.append('idp_cert_or_fingerprint_not_found_and_required')
+                    if nameid_enc and not (exists_x509 or exists_multix509enc):
+                        errors.append('idp_cert_not_found_and_required')
+        return errors
    
+
+
    [docs]    def check_sp_settings(self, settings):
+        """
+        Checks the SP settings info.
+        :param settings: Dict with settings data
+        :type settings: dict
+        :returns: Errors found on the SP settings data
+        :rtype: list
+        """
+        assert isinstance(settings, dict)
+
+        errors = []
+        if not isinstance(settings, dict) or not settings:
+            errors.append('invalid_syntax')
+        else:
+            if not settings.get('sp'):
+                errors.append('sp_not_found')
+            else:
+                allow_single_domain_urls = self._get_allow_single_label_domain(settings)
+                # check_sp_certs uses self._sp so I add it
+                old_sp = self._sp
+                self._sp = settings['sp']
+
+                sp = settings['sp']
+                security = settings.get('security', {})
+
+                if not sp.get('entityId'):
+                    errors.append('sp_entityId_not_found')
+
+                if not sp.get('assertionConsumerService', {}).get('url'):
+                    errors.append('sp_acs_not_found')
+                elif not validate_url(sp['assertionConsumerService']['url'], allow_single_domain_urls):
+                    errors.append('sp_acs_url_invalid')
+
+                if sp.get('attributeConsumingService'):
+                    attributeConsumingService = sp['attributeConsumingService']
+                    if 'serviceName' not in attributeConsumingService:
+                        errors.append('sp_attributeConsumingService_serviceName_not_found')
+                    elif not isinstance(attributeConsumingService['serviceName'], basestring):
+                        errors.append('sp_attributeConsumingService_serviceName_type_invalid')
+
+                    if 'requestedAttributes' not in attributeConsumingService:
+                        errors.append('sp_attributeConsumingService_requestedAttributes_not_found')
+                    elif not isinstance(attributeConsumingService['requestedAttributes'], list):
+                        errors.append('sp_attributeConsumingService_serviceName_type_invalid')
+                    else:
+                        for req_attrib in attributeConsumingService['requestedAttributes']:
+                            if 'name' not in req_attrib:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_name_not_found')
+                            if 'name' in req_attrib and not req_attrib['name'].strip():
+                                errors.append('sp_attributeConsumingService_requestedAttributes_name_invalid')
+                            if 'attributeValue' in req_attrib and type(req_attrib['attributeValue']) != list:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_attributeValue_type_invalid')
+                            if 'isRequired' in req_attrib and type(req_attrib['isRequired']) != bool:
+                                errors.append('sp_attributeConsumingService_requestedAttributes_isRequired_type_invalid')
+
+                    if "serviceDescription" in attributeConsumingService and not isinstance(attributeConsumingService['serviceDescription'], basestring):
+                        errors.append('sp_attributeConsumingService_serviceDescription_type_invalid')
+
+                slo_url = sp.get('singleLogoutService', {}).get('url')
+                if slo_url and not validate_url(slo_url, allow_single_domain_urls):
+                    errors.append('sp_sls_url_invalid')
+
+                if 'signMetadata' in security and isinstance(security['signMetadata'], dict):
+                    if 'keyFileName' not in security['signMetadata'] or \
+                            'certFileName' not in security['signMetadata']:
+                        errors.append('sp_signMetadata_invalid')
+
+                authn_sign = bool(security.get('authnRequestsSigned'))
+                logout_req_sign = bool(security.get('logoutRequestSigned'))
+                logout_res_sign = bool(security.get('logoutResponseSigned'))
+                want_assert_enc = bool(security.get('wantAssertionsEncrypted'))
+                want_nameid_enc = bool(security.get('wantNameIdEncrypted'))
+
+                if not self.check_sp_certs():
+                    if authn_sign or logout_req_sign or logout_res_sign or \
+                       want_assert_enc or want_nameid_enc:
+                        errors.append('sp_cert_not_found_and_required')
+
+            if 'contactPerson' in settings:
+                types = settings['contactPerson']
+                valid_types = ['technical', 'support', 'administrative', 'billing', 'other']
+                for c_type in types:
+                    if c_type not in valid_types:
+                        errors.append('contact_type_invalid')
+                        break
+
+                for c_type in settings['contactPerson']:
+                    contact = settings['contactPerson'][c_type]
+                    if ('givenName' not in contact or len(contact['givenName']) == 0) or \
+                            ('emailAddress' not in contact or len(contact['emailAddress']) == 0):
+                        errors.append('contact_not_enought_data')
+                        break
+
+            if 'organization' in settings:
+                for org in settings['organization']:
+                    organization = settings['organization'][org]
+                    if ('name' not in organization or len(organization['name']) == 0) or \
+                        ('displayname' not in organization or len(organization['displayname']) == 0) or \
+                            ('url' not in organization or len(organization['url']) == 0):
+                        errors.append('organization_not_enought_data')
+                        break
+        # Restores the value that had the self._sp
+        if 'old_sp' in locals():
+            self._sp = old_sp
+
+        return errors
    
+
+
    [docs]    def check_sp_certs(self):
+        """
+        Checks if the x509 certs of the SP exists and are valid.
+        :returns: If the x509 certs of the SP exists and are valid
+        :rtype: boolean
+        """
+        key = self.get_sp_key()
+        cert = self.get_sp_cert()
+        return key is not None and cert is not None
    
+
+
    [docs]    def get_idp_sso_url(self):
+        """
+        Gets the IdP SSO URL.
+
+        :returns: An URL, the SSO endpoint of the IdP
+        :rtype: string
+        """
+        idp_data = self.get_idp_data()
+        return idp_data['singleSignOnService']['url']
    
+
+
    [docs]    def get_idp_slo_url(self):
+        """
+        Gets the IdP SLO URL.
+
+        :returns: An URL, the SLO endpoint of the IdP
+        :rtype: string
+        """
+        idp_data = self.get_idp_data()
+        if 'url' in idp_data['singleLogoutService']:
+            return idp_data['singleLogoutService']['url']
    
+
+
    [docs]    def get_idp_slo_response_url(self):
+        """
+        Gets the IdP SLO return URL for IdP-initiated logout.
+
+        :returns: an URL, the SLO return endpoint of the IdP
+        :rtype: string
+        """
+        idp_data = self.get_idp_data()
+        if 'url' in idp_data['singleLogoutService']:
+            return idp_data['singleLogoutService'].get('responseUrl', self.get_idp_slo_url())
    
+
+
    [docs]    def get_sp_key(self):
+        """
+        Returns the x509 private key of the SP.
+        :returns: SP private key
+        :rtype: string or None
+        """
+        key = self._sp.get('privateKey')
+        key_file_name = self._paths['cert'] + 'sp.key'
+
+        if not key and exists(key_file_name):
+            with open(key_file_name) as f:
+                key = f.read()
+
+        return key or None
    
+
+
    [docs]    def get_sp_cert(self):
+        """
+        Returns the x509 public cert of the SP.
+        :returns: SP public cert
+        :rtype: string or None
+        """
+        cert = self._sp.get('x509cert')
+        cert_file_name = self._paths['cert'] + 'sp.crt'
+
+        if not cert and exists(cert_file_name):
+            with open(cert_file_name) as f:
+                cert = f.read()
+
+        return cert or None
    
+
+
    [docs]    def get_sp_cert_new(self):
+        """
+        Returns the x509 public of the SP planned
+        to be used soon instead the other public cert
+        :returns: SP public cert new
+        :rtype: string or None
+        """
+        cert = self._sp.get('x509certNew')
+        cert_file_name = self._paths['cert'] + 'sp_new.crt'
+
+        if not cert and exists(cert_file_name):
+            with open(cert_file_name) as f:
+                cert = f.read()
+
+        return cert or None
    
+
+
    [docs]    def get_idp_cert(self):
+        """
+        Returns the x509 public cert of the IdP.
+        :returns: IdP public cert
+        :rtype: string
+        """
+        cert = self._idp.get('x509cert')
+        cert_file_name = self.get_cert_path() + 'idp.crt'
+        if not cert and exists(cert_file_name):
+            with open(cert_file_name) as f:
+                cert = f.read()
+        return cert or None
    
+
+
    [docs]    def get_idp_data(self):
+        """
+        Gets the IdP data.
+
+        :returns: IdP info
+        :rtype: dict
+        """
+        return self._idp
    
+
+
    [docs]    def get_sp_data(self):
+        """
+        Gets the SP data.
+
+        :returns: SP info
+        :rtype: dict
+        """
+        return self._sp
    
+
+
    [docs]    def get_security_data(self):
+        """
+        Gets security data.
+
+        :returns: Security info
+        :rtype: dict
+        """
+        return self._security
    
+
+
    [docs]    def get_contacts(self):
+        """
+        Gets contact data.
+
+        :returns: Contacts info
+        :rtype: dict
+        """
+        return self._contacts
    
+
+
    [docs]    def get_organization(self):
+        """
+        Gets organization data.
+
+        :returns: Organization info
+        :rtype: dict
+        """
+        return self._organization
    
+
+
    [docs]    def get_sp_metadata(self):
+        """
+        Gets the SP metadata. The XML representation.
+        :returns: SP metadata (xml)
+        :rtype: string
+        """
+        metadata = self.metadata_class.builder(
+            self._sp, self._security['authnRequestsSigned'],
+            self._security['wantAssertionsSigned'],
+            self._security['metadataValidUntil'],
+            self._security['metadataCacheDuration'],
+            self.get_contacts(), self.get_organization()
+        )
+
+        add_encryption = self._security['wantNameIdEncrypted'] or self._security['wantAssertionsEncrypted']
+
+        cert_new = self.get_sp_cert_new()
+        metadata = self.metadata_class.add_x509_key_descriptors(metadata, cert_new, add_encryption)
+
+        cert = self.get_sp_cert()
+        metadata = self.metadata_class.add_x509_key_descriptors(metadata, cert, add_encryption)
+
+        # Sign metadata
+        if 'signMetadata' in self._security and self._security['signMetadata'] is not False:
+            if self._security['signMetadata'] is True:
+                # Use the SP's normal key to sign the metadata:
+                if not cert:
+                    raise OneLogin_Saml2_Error(
+                        'Cannot sign metadata: missing SP public key certificate.',
+                        OneLogin_Saml2_Error.PUBLIC_CERT_FILE_NOT_FOUND
+                    )
+                cert_metadata = cert
+                key_metadata = self.get_sp_key()
+                if not key_metadata:
+                    raise OneLogin_Saml2_Error(
+                        'Cannot sign metadata: missing SP private key.',
+                        OneLogin_Saml2_Error.PRIVATE_KEY_FILE_NOT_FOUND
+                    )
+            else:
+                # Use a custom key to sign the metadata:
+                if ('keyFileName' not in self._security['signMetadata'] or
+                        'certFileName' not in self._security['signMetadata']):
+                    raise OneLogin_Saml2_Error(
+                        'Invalid Setting: signMetadata value of the sp is not valid',
+                        OneLogin_Saml2_Error.SETTINGS_INVALID_SYNTAX
+                    )
+                key_file_name = self._security['signMetadata']['keyFileName']
+                cert_file_name = self._security['signMetadata']['certFileName']
+                key_metadata_file = self._paths['cert'] + key_file_name
+                cert_metadata_file = self._paths['cert'] + cert_file_name
+
+                try:
+                    with open(key_metadata_file, 'r') as f_metadata_key:
+                        key_metadata = f_metadata_key.read()
+                except IOError:
+                    raise OneLogin_Saml2_Error(
+                        'Private key file not readable: %s',
+                        OneLogin_Saml2_Error.PRIVATE_KEY_FILE_NOT_FOUND,
+                        key_metadata_file
+                    )
+
+                try:
+                    with open(cert_metadata_file, 'r') as f_metadata_cert:
+                        cert_metadata = f_metadata_cert.read()
+                except IOError:
+                    raise OneLogin_Saml2_Error(
+                        'Public cert file not readable: %s',
+                        OneLogin_Saml2_Error.PUBLIC_CERT_FILE_NOT_FOUND,
+                        cert_metadata_file
+                    )
+
+            signature_algorithm = self._security['signatureAlgorithm']
+            digest_algorithm = self._security['digestAlgorithm']
+
+            metadata = self.metadata_class.sign_metadata(metadata, key_metadata, cert_metadata, signature_algorithm, digest_algorithm)
+
+        return metadata
    
+
+
    [docs]    def validate_metadata(self, xml):
+        """
+        Validates an XML SP Metadata.
+
+        :param xml: Metadata's XML that will be validate
+        :type xml: string
+
+        :returns: The list of found errors
+        :rtype: list
+        """
+
+        assert isinstance(xml, compat.text_types)
+
+        if len(xml) == 0:
+            raise Exception('Empty string supplied as input')
+
+        errors = []
+        root = OneLogin_Saml2_XML.validate_xml(xml, 'saml-schema-metadata-2.0.xsd', self._debug)
+        if isinstance(root, str):
+            errors.append(root)
+        else:
+            if root.tag != '{%s}EntityDescriptor' % OneLogin_Saml2_Constants.NS_MD:
+                errors.append('noEntityDescriptor_xml')
+            else:
+                if (len(root.findall('.//md:SPSSODescriptor', namespaces=OneLogin_Saml2_Constants.NSMAP))) != 1:
+                    errors.append('onlySPSSODescriptor_allowed_xml')
+                else:
+                    valid_until, cache_duration = root.get('validUntil'), root.get('cacheDuration')
+
+                    if valid_until:
+                        valid_until = OneLogin_Saml2_Utils.parse_SAML_to_time(valid_until)
+                    expire_time = OneLogin_Saml2_Utils.get_expire_time(cache_duration, valid_until)
+                    if expire_time is not None and int(time()) > int(expire_time):
+                        errors.append('expired_xml')
+
+        # TODO: Validate Sign
+
+        return errors
    
+
+
    [docs]    def format_idp_cert(self):
+        """
+        Formats the IdP cert.
+        """
+        self._idp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self._idp['x509cert'])
    
+
+
    [docs]    def format_idp_cert_multi(self):
+        """
+        Formats the Multple IdP certs.
+        """
+        if 'x509certMulti' in self._idp:
+            if 'signing' in self._idp['x509certMulti']:
+                for idx in range(len(self._idp['x509certMulti']['signing'])):
+                    self._idp['x509certMulti']['signing'][idx] = OneLogin_Saml2_Utils.format_cert(self._idp['x509certMulti']['signing'][idx])
+
+            if 'encryption' in self._idp['x509certMulti']:
+                for idx in range(len(self._idp['x509certMulti']['encryption'])):
+                    self._idp['x509certMulti']['encryption'][idx] = OneLogin_Saml2_Utils.format_cert(self._idp['x509certMulti']['encryption'][idx])
    
+
+
    [docs]    def format_sp_cert(self):
+        """
+        Formats the SP cert.
+        """
+        self._sp['x509cert'] = OneLogin_Saml2_Utils.format_cert(self._sp['x509cert'])
    
+
+
    [docs]    def format_sp_cert_new(self):
+        """
+        Formats the SP cert.
+        """
+        self._sp['x509certNew'] = OneLogin_Saml2_Utils.format_cert(self._sp['x509certNew'])
    
+
+
    [docs]    def format_sp_key(self):
+        """
+        Formats the private key.
+        """
+        self._sp['privateKey'] = OneLogin_Saml2_Utils.format_private_key(self._sp['privateKey'])
    
+
+
    [docs]    def get_errors(self):
+        """
+        Returns an array with the errors, the array is empty when the settings is ok.
+
+        :returns: Errors
+        :rtype: list
+        """
+        return self._errors
    
+
+
    [docs]    def set_strict(self, value):
+        """
+        Activates or deactivates the strict mode.
+
+        :param value: Strict parameter
+        :type value: boolean
+        """
+        assert isinstance(value, bool)
+
+        self._strict = value
    
+
+
    [docs]    def is_strict(self):
+        """
+        Returns if the 'strict' mode is active.
+
+        :returns: Strict parameter
+        :rtype: boolean
+        """
+        return self._strict
    
+
+
    [docs]    def is_debug_active(self):
+        """
+        Returns if the debug is active.
+
+        :returns: Debug parameter
+        :rtype: boolean
+        """
+        return self._debug
    
+
+    def _get_allow_single_label_domain(self, settings):
+        security = settings.get('security', {})
+        return 'allowSingleLabelDomains' in security.keys() and security['allowSingleLabelDomains']
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/utils.html b/docs/saml2/_modules/onelogin/saml2/utils.html
new file mode 100644
index 00000000..623a06f6
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/utils.html
@@ -0,0 +1,1173 @@
+
+
+
+  
+  
+  onelogin.saml2.utils — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.utils
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Utils class
+
+
+Auxiliary class of SAML Python Toolkit.
+
+"""
+
+import base64
+import warnings
+from copy import deepcopy
+import calendar
+from datetime import datetime
+from hashlib import sha1, sha256, sha384, sha512
+from isodate import parse_duration as duration_parser
+import re
+from textwrap import wrap
+from functools import wraps
+from uuid import uuid4
+from xml.dom.minidom import Element
+import zlib
+import xmlsec
+
+from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.errors import OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError
+from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
+
+
+try:
+    from urllib.parse import quote_plus, urlsplit, urlunsplit  # py3
+except ImportError:
+    from urlparse import urlsplit, urlunsplit
+    from urllib import quote_plus  # py2
+
+
+
    [docs]def return_false_on_exception(func):
+    """
+    Decorator. When applied to a function, it will, by default, suppress any exceptions
+    raised by that function and return False. It may be overridden by passing a
+    "raise_exceptions" keyword argument when calling the wrapped function.
+    """
+    @wraps(func)
+    def exceptfalse(*args, **kwargs):
+        if not kwargs.pop('raise_exceptions', False):
+            try:
+                return func(*args, **kwargs)
+            except Exception:
+                return False
+        else:
+            return func(*args, **kwargs)
+    return exceptfalse
    
+
+
+
    [docs]class OneLogin_Saml2_Utils(object):
+    """
+
+    Auxiliary class that contains several utility methods to parse time,
+    urls, add sign, encrypt, decrypt, sign validation, handle xml ...
+
+    """
+
+    RESPONSE_SIGNATURE_XPATH = '/samlp:Response/ds:Signature'
+    ASSERTION_SIGNATURE_XPATH = '/samlp:Response/saml:Assertion/ds:Signature'
+
+    TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
+    TIME_FORMAT_2 = "%Y-%m-%dT%H:%M:%S.%fZ"
+    TIME_FORMAT_WITH_FRAGMENT = re.compile(r'^(\d{4,4}-\d{2,2}-\d{2,2}T\d{2,2}:\d{2,2}:\d{2,2})(\.\d*)?Z?$')
+
+
    [docs]    @staticmethod
+    def escape_url(url, lowercase_urlencoding=False):
+        """
+        escape the non-safe symbols in url
+        The encoding used by ADFS 3.0 is not compatible with
+        python's quote_plus (ADFS produces lower case hex numbers and quote_plus produces
+        upper case hex numbers)
+        :param url: the url to escape
+        :type url: str
+
+        :param lowercase_urlencoding: lowercase or no
+        :type lowercase_urlencoding: boolean
+
+        :return: the escaped url
+        :rtype str
+        """
+        encoded = quote_plus(url)
+        return re.sub(r"%[A-F0-9]{2}", lambda m: m.group(0).lower(), encoded) if lowercase_urlencoding else encoded
    
+
+
    [docs]    @staticmethod
+    def b64encode(data):
+        """base64 encode"""
+        return compat.to_string(base64.b64encode(compat.to_bytes(data)))
    
+
+
    [docs]    @staticmethod
+    def b64decode(data):
+        """base64 decode"""
+        return base64.b64decode(data)
    
+
+
    [docs]    @staticmethod
+    def decode_base64_and_inflate(value, ignore_zip=False):
+        """
+        base64 decodes and then inflates according to RFC1951
+        :param value: a deflated and encoded string
+        :type value: string
+        :param ignore_zip: ignore zip errors
+        :returns: the string after decoding and inflating
+        :rtype: string
+        """
+        encoded = OneLogin_Saml2_Utils.b64decode(value)
+        try:
+            return zlib.decompress(encoded, -15)
+        except zlib.error:
+            if not ignore_zip:
+                raise
+        return encoded
    
+
+
    [docs]    @staticmethod
+    def deflate_and_base64_encode(value):
+        """
+        Deflates and then base64 encodes a string
+        :param value: The string to deflate and encode
+        :type value: string
+        :returns: The deflated and encoded string
+        :rtype: string
+        """
+        return OneLogin_Saml2_Utils.b64encode(zlib.compress(compat.to_bytes(value))[2:-4])
    
+
+
    [docs]    @staticmethod
+    def format_cert(cert, heads=True):
+        """
+        Returns a x509 cert (adding header & footer if required).
+
+        :param cert: A x509 unformatted cert
+        :type: string
+
+        :param heads: True if we want to include head and footer
+        :type: boolean
+
+        :returns: Formatted cert
+        :rtype: string
+        """
+        x509_cert = cert.replace('\x0D', '')
+        x509_cert = x509_cert.replace('\r', '')
+        x509_cert = x509_cert.replace('\n', '')
+        if len(x509_cert) > 0:
+            x509_cert = x509_cert.replace('-----BEGIN CERTIFICATE-----', '')
+            x509_cert = x509_cert.replace('-----END CERTIFICATE-----', '')
+            x509_cert = x509_cert.replace(' ', '')
+
+            if heads:
+                x509_cert = "-----BEGIN CERTIFICATE-----\n" + "\n".join(wrap(x509_cert, 64)) + "\n-----END CERTIFICATE-----\n"
+
+        return x509_cert
    
+
+
    [docs]    @staticmethod
+    def format_private_key(key, heads=True):
+        """
+        Returns a private key (adding header & footer if required).
+
+        :param key A private key
+        :type: string
+
+        :param heads: True if we want to include head and footer
+        :type: boolean
+
+        :returns: Formated private key
+        :rtype: string
+        """
+        private_key = key.replace('\x0D', '')
+        private_key = private_key.replace('\r', '')
+        private_key = private_key.replace('\n', '')
+        if len(private_key) > 0:
+            if private_key.find('-----BEGIN PRIVATE KEY-----') != -1:
+                private_key = private_key.replace('-----BEGIN PRIVATE KEY-----', '')
+                private_key = private_key.replace('-----END PRIVATE KEY-----', '')
+                private_key = private_key.replace(' ', '')
+                if heads:
+                    private_key = "-----BEGIN PRIVATE KEY-----\n" + "\n".join(wrap(private_key, 64)) + "\n-----END PRIVATE KEY-----\n"
+            else:
+                private_key = private_key.replace('-----BEGIN RSA PRIVATE KEY-----', '')
+                private_key = private_key.replace('-----END RSA PRIVATE KEY-----', '')
+                private_key = private_key.replace(' ', '')
+                if heads:
+                    private_key = "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(wrap(private_key, 64)) + "\n-----END RSA PRIVATE KEY-----\n"
+        return private_key
    
+
+
    [docs]    @staticmethod
+    def redirect(url, parameters={}, request_data={}):
+        """
+        Executes a redirection to the provided url (or return the target url).
+
+        :param url: The target url
+        :type: string
+
+        :param parameters: Extra parameters to be passed as part of the url
+        :type: dict
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :returns: Url
+        :rtype: string
+        """
+        assert isinstance(url, compat.str_type)
+        assert isinstance(parameters, dict)
+
+        if url.startswith('/'):
+            url = '%s%s' % (OneLogin_Saml2_Utils.get_self_url_host(request_data), url)
+
+        # Verify that the URL is to a http or https site.
+        if re.search('^https?://', url, flags=re.IGNORECASE) is None:
+            raise OneLogin_Saml2_Error(
+                'Redirect to invalid URL: ' + url,
+                OneLogin_Saml2_Error.REDIRECT_INVALID_URL
+            )
+
+        # Add encoded parameters
+        if url.find('?') < 0:
+            param_prefix = '?'
+        else:
+            param_prefix = '&'
+
+        for name, value in parameters.items():
+
+            if value is None:
+                param = OneLogin_Saml2_Utils.escape_url(name)
+            elif isinstance(value, list):
+                param = ''
+                for val in value:
+                    param += OneLogin_Saml2_Utils.escape_url(name) + '[]=' + OneLogin_Saml2_Utils.escape_url(val) + '&'
+                if len(param) > 0:
+                    param = param[0:-1]
+            else:
+                param = OneLogin_Saml2_Utils.escape_url(name) + '=' + OneLogin_Saml2_Utils.escape_url(value)
+
+            if param:
+                url += param_prefix + param
+                param_prefix = '&'
+
+        return url
    
+
+
    [docs]    @staticmethod
+    def get_self_url_host(request_data):
+        """
+        Returns the protocol + the current host + the port (if different than
+        common ports).
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :return: Url
+        :rtype: string
+        """
+        current_host = OneLogin_Saml2_Utils.get_self_host(request_data)
+        protocol = 'https' if OneLogin_Saml2_Utils.is_https(request_data) else 'http'
+
+        if request_data.get('server_port') is not None:
+            warnings.warn(
+                'The server_port key in request data is deprecated. '
+                'The http_host key should include a port, if required.',
+                category=DeprecationWarning,
+            )
+            port_suffix = ':%s' % request_data['server_port']
+            if not current_host.endswith(port_suffix):
+                if not ((protocol == 'https' and port_suffix == ':443') or (protocol == 'http' and port_suffix == ':80')):
+                    current_host += port_suffix
+
+        return '%s://%s' % (protocol, current_host)
    
+
+
    [docs]    @staticmethod
+    def get_self_host(request_data):
+        """
+        Returns the current host (which may include a port number part).
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :return: The current host
+        :rtype: string
+        """
+        if 'http_host' in request_data:
+            return request_data['http_host']
+        elif 'server_name' in request_data:
+            warnings.warn("The server_name key in request data is undocumented & deprecated.", category=DeprecationWarning)
+            return request_data['server_name']
+        raise Exception('No hostname defined')
    
+
+
    [docs]    @staticmethod
+    def is_https(request_data):
+        """
+        Checks if https or http.
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :return: False if https is not active
+        :rtype: boolean
+        """
+        is_https = 'https' in request_data and request_data['https'] != 'off'
+        # TODO: this use of server_port should be removed too
+        is_https = is_https or ('server_port' in request_data and str(request_data['server_port']) == '443')
+        return is_https
    
+
+
    [docs]    @staticmethod
+    def get_self_url_no_query(request_data):
+        """
+        Returns the URL of the current host + current view.
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :return: The url of current host + current view
+        :rtype: string
+        """
+        self_url_host = OneLogin_Saml2_Utils.get_self_url_host(request_data)
+        script_name = request_data['script_name']
+        if script_name:
+            if script_name[0] != '/':
+                script_name = '/' + script_name
+        else:
+            script_name = ''
+        self_url_no_query = self_url_host + script_name
+        if 'path_info' in request_data:
+            self_url_no_query += request_data['path_info']
+
+        return self_url_no_query
    
+
+
    [docs]    @staticmethod
+    def get_self_routed_url_no_query(request_data):
+        """
+        Returns the routed URL of the current host + current view.
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :return: The url of current host + current view
+        :rtype: string
+        """
+        self_url_host = OneLogin_Saml2_Utils.get_self_url_host(request_data)
+        route = ''
+        if 'request_uri' in request_data and request_data['request_uri']:
+            route = request_data['request_uri']
+            if 'query_string' in request_data and request_data['query_string']:
+                route = route.replace(request_data['query_string'], '')
+
+        return self_url_host + route
    
+
+
    [docs]    @staticmethod
+    def get_self_url(request_data):
+        """
+        Returns the URL of the current host + current view + query.
+
+        :param request_data: The request as a dict
+        :type: dict
+
+        :return: The url of current host + current view + query
+        :rtype: string
+        """
+        self_url_host = OneLogin_Saml2_Utils.get_self_url_host(request_data)
+
+        request_uri = ''
+        if 'request_uri' in request_data:
+            request_uri = request_data['request_uri']
+            if not request_uri.startswith('/'):
+                match = re.search('^https?://[^/]*(/.*)', request_uri)
+                if match is not None:
+                    request_uri = match.groups()[0]
+
+        return self_url_host + request_uri
    
+
+
    [docs]    @staticmethod
+    def generate_unique_id():
+        """
+        Generates an unique string (used for example as ID for assertions).
+
+        :return: A unique string
+        :rtype: string
+        """
+        return 'ONELOGIN_%s' % sha1(compat.to_bytes(uuid4().hex)).hexdigest()
    
+
+
    [docs]    @staticmethod
+    def parse_time_to_SAML(time):
+        r"""
+        Converts a UNIX timestamp to SAML2 timestamp on the form
+        yyyy-mm-ddThh:mm:ss(\.s+)?Z.
+
+        :param time: The time we should convert (DateTime).
+        :type: string
+
+        :return: SAML2 timestamp.
+        :rtype: string
+        """
+        data = datetime.utcfromtimestamp(float(time))
+        return data.strftime(OneLogin_Saml2_Utils.TIME_FORMAT)
    
+
+
    [docs]    @staticmethod
+    def parse_SAML_to_time(timestr):
+        r"""
+        Converts a SAML2 timestamp on the form yyyy-mm-ddThh:mm:ss(\.s+)?Z
+        to a UNIX timestamp. The sub-second part is ignored.
+
+        :param timestr: The time we should convert (SAML Timestamp).
+        :type: string
+
+        :return: Converted to a unix timestamp.
+        :rtype: int
+        """
+        try:
+            data = datetime.strptime(timestr, OneLogin_Saml2_Utils.TIME_FORMAT)
+        except ValueError:
+            try:
+                data = datetime.strptime(timestr, OneLogin_Saml2_Utils.TIME_FORMAT_2)
+            except ValueError:
+                elem = OneLogin_Saml2_Utils.TIME_FORMAT_WITH_FRAGMENT.match(timestr)
+                if not elem:
+                    raise Exception("time data %s does not match format %s" % (timestr, r'yyyy-mm-ddThh:mm:ss(\.s+)?Z'))
+                data = datetime.strptime(elem.groups()[0] + "Z", OneLogin_Saml2_Utils.TIME_FORMAT)
+
+        return calendar.timegm(data.utctimetuple())
    
+
+
    [docs]    @staticmethod
+    def now():
+        """
+        :return: unix timestamp of actual time.
+        :rtype: int
+        """
+        return calendar.timegm(datetime.utcnow().utctimetuple())
    
+
+
    [docs]    @staticmethod
+    def parse_duration(duration, timestamp=None):
+        """
+        Interprets a ISO8601 duration value relative to a given timestamp.
+
+        :param duration: The duration, as a string.
+        :type: string
+
+        :param timestamp: The unix timestamp we should apply the duration to.
+                          Optional, default to the current time.
+        :type: string
+
+        :return: The new timestamp, after the duration is applied.
+        :rtype: int
+        """
+        assert isinstance(duration, compat.str_type)
+        assert timestamp is None or isinstance(timestamp, int)
+
+        timedelta = duration_parser(duration)
+        if timestamp is None:
+            data = datetime.utcnow() + timedelta
+        else:
+            data = datetime.utcfromtimestamp(timestamp) + timedelta
+        return calendar.timegm(data.utctimetuple())
    
+
+
    [docs]    @staticmethod
+    def get_expire_time(cache_duration=None, valid_until=None):
+        """
+        Compares 2 dates and returns the earliest.
+
+        :param cache_duration: The duration, as a string.
+        :type: string
+
+        :param valid_until: The valid until date, as a string or as a timestamp
+        :type: string
+
+        :return: The expiration time.
+        :rtype: int
+        """
+        expire_time = None
+
+        if cache_duration is not None:
+            expire_time = OneLogin_Saml2_Utils.parse_duration(cache_duration)
+
+        if valid_until is not None:
+            if isinstance(valid_until, int):
+                valid_until_time = valid_until
+            else:
+                valid_until_time = OneLogin_Saml2_Utils.parse_SAML_to_time(valid_until)
+            if expire_time is None or expire_time > valid_until_time:
+                expire_time = valid_until_time
+
+        if expire_time is not None:
+            return '%d' % expire_time
+        return None
    
+
+
    [docs]    @staticmethod
+    def delete_local_session(callback=None):
+        """
+        Deletes the local session.
+        """
+
+        if callback is not None:
+            callback()
    
+
+
    [docs]    @staticmethod
+    def calculate_x509_fingerprint(x509_cert, alg='sha1'):
+        """
+        Calculates the fingerprint of a formatted x509cert.
+
+        :param x509_cert: x509 cert formatted
+        :type: string
+
+        :param alg: The algorithm to build the fingerprint
+        :type: string
+
+        :returns: fingerprint
+        :rtype: string
+        """
+        assert isinstance(x509_cert, compat.str_type)
+
+        lines = x509_cert.split('\n')
+        data = ''
+        inData = False
+
+        for line in lines:
+            # Remove '\r' from end of line if present.
+            line = line.rstrip()
+            if not inData:
+                if line == '-----BEGIN CERTIFICATE-----':
+                    inData = True
+                elif line == '-----BEGIN PUBLIC KEY-----' or line == '-----BEGIN RSA PRIVATE KEY-----':
+                    # This isn't an X509 certificate.
+                    return None
+            else:
+                if line == '-----END CERTIFICATE-----':
+                    break
+
+                # Append the current line to the certificate data.
+                data += line
+
+        if not data:
+            return None
+
+        decoded_data = base64.b64decode(compat.to_bytes(data))
+
+        if alg == 'sha512':
+            fingerprint = sha512(decoded_data)
+        elif alg == 'sha384':
+            fingerprint = sha384(decoded_data)
+        elif alg == 'sha256':
+            fingerprint = sha256(decoded_data)
+        else:
+            fingerprint = sha1(decoded_data)
+
+        return fingerprint.hexdigest().lower()
    
+
+
    [docs]    @staticmethod
+    def format_finger_print(fingerprint):
+        """
+        Formats a fingerprint.
+
+        :param fingerprint: fingerprint
+        :type: string
+
+        :returns: Formatted fingerprint
+        :rtype: string
+        """
+        formatted_fingerprint = fingerprint.replace(':', '')
+        return formatted_fingerprint.lower()
    
+
+
    [docs]    @staticmethod
+    def generate_name_id(value, sp_nq, sp_format=None, cert=None, debug=False, nq=None):
+        """
+        Generates a nameID.
+
+        :param value: fingerprint
+        :type: string
+
+        :param sp_nq: SP Name Qualifier
+        :type: string
+
+        :param sp_format: SP Format
+        :type: string
+
+        :param cert: IdP Public Cert to encrypt the nameID
+        :type: string
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :returns: DOMElement | XMLSec nameID
+        :rtype: string
+
+        :param nq: IDP Name Qualifier
+        :type: string
+        """
+
+        root = OneLogin_Saml2_XML.make_root("{%s}container" % OneLogin_Saml2_Constants.NS_SAML)
+        name_id = OneLogin_Saml2_XML.make_child(root, '{%s}NameID' % OneLogin_Saml2_Constants.NS_SAML)
+        if sp_nq is not None:
+            name_id.set('SPNameQualifier', sp_nq)
+        if sp_format is not None:
+            name_id.set('Format', sp_format)
+        if nq is not None:
+            name_id.set('NameQualifier', nq)
+        name_id.text = value
+
+        if cert is not None:
+            xmlsec.enable_debug_trace(debug)
+
+            # Load the public cert
+            manager = xmlsec.KeysManager()
+            manager.add_key(xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None))
+
+            # Prepare for encryption
+            enc_data = xmlsec.template.encrypted_data_create(
+                root, xmlsec.Transform.AES128, type=xmlsec.EncryptionType.ELEMENT, ns="xenc")
+
+            xmlsec.template.encrypted_data_ensure_cipher_value(enc_data)
+            key_info = xmlsec.template.encrypted_data_ensure_key_info(enc_data, ns="dsig")
+            enc_key = xmlsec.template.add_encrypted_key(key_info, xmlsec.Transform.RSA_OAEP)
+            xmlsec.template.encrypted_data_ensure_cipher_value(enc_key)
+
+            # Encrypt!
+            enc_ctx = xmlsec.EncryptionContext(manager)
+            enc_ctx.key = xmlsec.Key.generate(xmlsec.KeyData.AES, 128, xmlsec.KeyDataType.SESSION)
+            enc_data = enc_ctx.encrypt_xml(enc_data, name_id)
+            return '<saml:EncryptedID>' + compat.to_string(OneLogin_Saml2_XML.to_string(enc_data)) + '</saml:EncryptedID>'
+        else:
+            return OneLogin_Saml2_XML.extract_tag_text(root, "saml:NameID")
    
+
+
    [docs]    @staticmethod
+    def get_status(dom):
+        """
+        Gets Status from a Response.
+
+        :param dom: The Response as XML
+        :type: Document
+
+        :returns: The Status, an array with the code and a message.
+        :rtype: dict
+        """
+        status = {}
+
+        status_entry = OneLogin_Saml2_XML.query(dom, '/samlp:Response/samlp:Status')
+        if len(status_entry) != 1:
+            raise OneLogin_Saml2_ValidationError(
+                'Missing Status on response',
+                OneLogin_Saml2_ValidationError.MISSING_STATUS
+            )
+
+        code_entry = OneLogin_Saml2_XML.query(dom, '/samlp:Response/samlp:Status/samlp:StatusCode', status_entry[0])
+        if len(code_entry) != 1:
+            raise OneLogin_Saml2_ValidationError(
+                'Missing Status Code on response',
+                OneLogin_Saml2_ValidationError.MISSING_STATUS_CODE
+            )
+        code = code_entry[0].values()[0]
+        status['code'] = code
+
+        status['msg'] = ''
+        message_entry = OneLogin_Saml2_XML.query(dom, '/samlp:Response/samlp:Status/samlp:StatusMessage', status_entry[0])
+        if len(message_entry) == 0:
+            subcode_entry = OneLogin_Saml2_XML.query(dom, '/samlp:Response/samlp:Status/samlp:StatusCode/samlp:StatusCode', status_entry[0])
+            if len(subcode_entry) == 1:
+                status['msg'] = subcode_entry[0].values()[0]
+        elif len(message_entry) == 1:
+            status['msg'] = OneLogin_Saml2_XML.element_text(message_entry[0])
+
+        return status
    
+
+
    [docs]    @staticmethod
+    def decrypt_element(encrypted_data, key, debug=False, inplace=False):
+        """
+        Decrypts an encrypted element.
+
+        :param encrypted_data: The encrypted data.
+        :type: lxml.etree.Element | DOMElement | basestring
+
+        :param key: The key.
+        :type: string
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :param inplace: update passed data with decrypted result
+        :type: bool
+
+        :returns: The decrypted element.
+        :rtype: lxml.etree.Element
+        """
+
+        if isinstance(encrypted_data, Element):
+            encrypted_data = OneLogin_Saml2_XML.to_etree(str(encrypted_data.toxml()))
+        if not inplace and isinstance(encrypted_data, OneLogin_Saml2_XML._element_class):
+            encrypted_data = deepcopy(encrypted_data)
+        elif isinstance(encrypted_data, OneLogin_Saml2_XML._text_class):
+            encrypted_data = OneLogin_Saml2_XML._parse_etree(encrypted_data)
+
+        xmlsec.enable_debug_trace(debug)
+        manager = xmlsec.KeysManager()
+
+        manager.add_key(xmlsec.Key.from_memory(key, xmlsec.KeyFormat.PEM, None))
+        enc_ctx = xmlsec.EncryptionContext(manager)
+        return enc_ctx.decrypt(encrypted_data)
    
+
+
    [docs]    @staticmethod
+    def add_sign(xml, key, cert, debug=False, sign_algorithm=OneLogin_Saml2_Constants.RSA_SHA256, digest_algorithm=OneLogin_Saml2_Constants.SHA256):
+        """
+        Adds signature key and senders certificate to an element (Message or
+        Assertion).
+
+        :param xml: The element we should sign
+        :type: string | Document
+
+        :param key: The private key
+        :type: string
+
+        :param cert: The public
+        :type: string
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :param sign_algorithm: Signature algorithm method
+        :type sign_algorithm: string
+
+        :param digest_algorithm: Digest algorithm method
+        :type digest_algorithm: string
+
+        :returns: Signed XML
+        :rtype: string
+        """
+        if xml is None or xml == '':
+            raise Exception('Empty string supplied as input')
+
+        elem = OneLogin_Saml2_XML.to_etree(xml)
+
+        sign_algorithm_transform_map = {
+            OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
+            OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.Transform.RSA_SHA1,
+            OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.Transform.RSA_SHA256,
+            OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
+            OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
+        }
+        sign_algorithm_transform = sign_algorithm_transform_map.get(sign_algorithm, xmlsec.Transform.RSA_SHA256)
+
+        signature = xmlsec.template.create(elem, xmlsec.Transform.EXCL_C14N, sign_algorithm_transform, ns='ds')
+
+        issuer = OneLogin_Saml2_XML.query(elem, '//saml:Issuer')
+        if len(issuer) > 0:
+            issuer = issuer[0]
+            issuer.addnext(signature)
+            elem_to_sign = issuer.getparent()
+        else:
+            entity_descriptor = OneLogin_Saml2_XML.query(elem, '//md:EntityDescriptor')
+            if len(entity_descriptor) > 0:
+                elem.insert(0, signature)
+            else:
+                elem[0].insert(0, signature)
+            elem_to_sign = elem
+
+        elem_id = elem_to_sign.get('ID', None)
+        if elem_id is not None:
+            if elem_id:
+                elem_id = '#' + elem_id
+        else:
+            generated_id = generated_id = OneLogin_Saml2_Utils.generate_unique_id()
+            elem_id = '#' + generated_id
+            elem_to_sign.attrib['ID'] = generated_id
+
+        xmlsec.enable_debug_trace(debug)
+        xmlsec.tree.add_ids(elem_to_sign, ["ID"])
+
+        digest_algorithm_transform_map = {
+            OneLogin_Saml2_Constants.SHA1: xmlsec.Transform.SHA1,
+            OneLogin_Saml2_Constants.SHA256: xmlsec.Transform.SHA256,
+            OneLogin_Saml2_Constants.SHA384: xmlsec.Transform.SHA384,
+            OneLogin_Saml2_Constants.SHA512: xmlsec.Transform.SHA512
+        }
+        digest_algorithm_transform = digest_algorithm_transform_map.get(digest_algorithm, xmlsec.Transform.SHA256)
+
+        ref = xmlsec.template.add_reference(signature, digest_algorithm_transform, uri=elem_id)
+        xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
+        xmlsec.template.add_transform(ref, xmlsec.Transform.EXCL_C14N)
+        key_info = xmlsec.template.ensure_key_info(signature)
+        xmlsec.template.add_x509_data(key_info)
+
+        dsig_ctx = xmlsec.SignatureContext()
+        sign_key = xmlsec.Key.from_memory(key, xmlsec.KeyFormat.PEM, None)
+        sign_key.load_cert_from_memory(cert, xmlsec.KeyFormat.PEM)
+
+        dsig_ctx.key = sign_key
+        dsig_ctx.sign(signature)
+
+        return OneLogin_Saml2_XML.to_string(elem)
    
+
+
    [docs]    @staticmethod
+    @return_false_on_exception
+    def validate_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False, xpath=None, multicerts=None):
+        """
+        Validates a signature (Message or Assertion).
+
+        :param xml: The element we should validate
+        :type: string | Document
+
+        :param cert: The public cert
+        :type: string
+
+        :param fingerprint: The fingerprint of the public cert
+        :type: string
+
+        :param fingerprintalg: The algorithm used to build the fingerprint
+        :type: string
+
+        :param validatecert: If true, will verify the signature and if the cert is valid.
+        :type: bool
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :param xpath: The xpath of the signed element
+        :type: string
+
+        :param multicerts: Multiple public certs
+        :type: list
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+        """
+        if xml is None or xml == '':
+            raise Exception('Empty string supplied as input')
+
+        elem = OneLogin_Saml2_XML.to_etree(xml)
+        xmlsec.enable_debug_trace(debug)
+        xmlsec.tree.add_ids(elem, ["ID"])
+
+        if xpath:
+            signature_nodes = OneLogin_Saml2_XML.query(elem, xpath)
+        else:
+            signature_nodes = OneLogin_Saml2_XML.query(elem, OneLogin_Saml2_Utils.RESPONSE_SIGNATURE_XPATH)
+
+            if len(signature_nodes) == 0:
+                signature_nodes = OneLogin_Saml2_XML.query(elem, OneLogin_Saml2_Utils.ASSERTION_SIGNATURE_XPATH)
+
+        if len(signature_nodes) == 1:
+            signature_node = signature_nodes[0]
+
+            if not multicerts:
+                return OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True)
+            else:
+                # If multiple certs are provided, I may ignore cert and
+                # fingerprint provided by the method and just check the
+                # certs multicerts
+                fingerprint = fingerprintalg = None
+                for cert in multicerts:
+                    if OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, False, raise_exceptions=False):
+                        return True
+                raise OneLogin_Saml2_ValidationError(
+                    'Signature validation failed. SAML Response rejected.',
+                    OneLogin_Saml2_ValidationError.INVALID_SIGNATURE
+                )
+        else:
+            raise OneLogin_Saml2_ValidationError(
+                'Expected exactly one signature node; got {}.'.format(len(signature_nodes)),
+                OneLogin_Saml2_ValidationError.WRONG_NUMBER_OF_SIGNATURES
+            )
    
+
+
    [docs]    @staticmethod
+    @return_false_on_exception
+    def validate_metadata_sign(xml, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
+        """
+        Validates a signature of a EntityDescriptor.
+
+        :param xml: The element we should validate
+        :type: string | Document
+
+        :param cert: The public cert
+        :type: string
+
+        :param fingerprint: The fingerprint of the public cert
+        :type: string
+
+        :param fingerprintalg: The algorithm used to build the fingerprint
+        :type: string
+
+        :param validatecert: If true, will verify the signature and if the cert is valid.
+        :type: bool
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+        """
+        if xml is None or xml == '':
+            raise Exception('Empty string supplied as input')
+
+        elem = OneLogin_Saml2_XML.to_etree(xml)
+        xmlsec.enable_debug_trace(debug)
+        xmlsec.tree.add_ids(elem, ["ID"])
+
+        signature_nodes = OneLogin_Saml2_XML.query(elem, '/md:EntitiesDescriptor/ds:Signature')
+
+        if len(signature_nodes) == 0:
+            signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/ds:Signature')
+
+            if len(signature_nodes) == 0:
+                signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/md:SPSSODescriptor/ds:Signature')
+                signature_nodes += OneLogin_Saml2_XML.query(elem, '/md:EntityDescriptor/md:IDPSSODescriptor/ds:Signature')
+
+        if len(signature_nodes) > 0:
+            for signature_node in signature_nodes:
+                # Raises exception if invalid
+                OneLogin_Saml2_Utils.validate_node_sign(signature_node, elem, cert, fingerprint, fingerprintalg, validatecert, debug, raise_exceptions=True)
+            return True
+        else:
+            raise Exception('Could not validate metadata signature: No signature nodes found.')
    
+
+
    [docs]    @staticmethod
+    @return_false_on_exception
+    def validate_node_sign(signature_node, elem, cert=None, fingerprint=None, fingerprintalg='sha1', validatecert=False, debug=False):
+        """
+        Validates a signature node.
+
+        :param signature_node: The signature node
+        :type: Node
+
+        :param xml: The element we should validate
+        :type: Document
+
+        :param cert: The public cert
+        :type: string
+
+        :param fingerprint: The fingerprint of the public cert
+        :type: string
+
+        :param fingerprintalg: The algorithm used to build the fingerprint
+        :type: string
+
+        :param validatecert: If true, will verify the signature and if the cert is valid.
+        :type: bool
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :param raise_exceptions: Whether to return false on failure or raise an exception
+        :type raise_exceptions: Boolean
+        """
+        if (cert is None or cert == '') and fingerprint:
+            x509_certificate_nodes = OneLogin_Saml2_XML.query(signature_node, '//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate')
+            if len(x509_certificate_nodes) > 0:
+                x509_certificate_node = x509_certificate_nodes[0]
+                x509_cert_value = OneLogin_Saml2_XML.element_text(x509_certificate_node)
+                x509_cert_value_formatted = OneLogin_Saml2_Utils.format_cert(x509_cert_value)
+                x509_fingerprint_value = OneLogin_Saml2_Utils.calculate_x509_fingerprint(x509_cert_value_formatted, fingerprintalg)
+                if fingerprint == x509_fingerprint_value:
+                    cert = x509_cert_value_formatted
+
+        if cert is None or cert == '':
+            raise OneLogin_Saml2_Error(
+                'Could not validate node signature: No certificate provided.',
+                OneLogin_Saml2_Error.CERT_NOT_FOUND
+            )
+
+        # Check if Reference URI is empty
+        # reference_elem = OneLogin_Saml2_XML.query(signature_node, '//ds:Reference')
+        # if len(reference_elem) > 0:
+        #     if reference_elem[0].get('URI') == '':
+        #         reference_elem[0].set('URI', '#%s' % signature_node.getparent().get('ID'))
+
+        if validatecert:
+            manager = xmlsec.KeysManager()
+            manager.load_cert_from_memory(cert, xmlsec.KeyFormat.CERT_PEM, xmlsec.KeyDataType.TRUSTED)
+            dsig_ctx = xmlsec.SignatureContext(manager)
+        else:
+            dsig_ctx = xmlsec.SignatureContext()
+            dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
+
+        dsig_ctx.set_enabled_key_data([xmlsec.KeyData.X509])
+
+        try:
+            dsig_ctx.verify(signature_node)
+        except Exception as err:
+            raise OneLogin_Saml2_ValidationError(
+                'Signature validation failed. SAML Response rejected. %s',
+                OneLogin_Saml2_ValidationError.INVALID_SIGNATURE,
+                str(err)
+            )
+
+        return True
    
+
+
    [docs]    @staticmethod
+    def sign_binary(msg, key, algorithm=xmlsec.Transform.RSA_SHA256, debug=False):
+        """
+        Sign binary message
+
+        :param msg: The element we should validate
+        :type: bytes
+
+        :param key: The private key
+        :type: string
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+
+        :return signed message
+        :rtype str
+        """
+
+        if isinstance(msg, str):
+            msg = msg.encode('utf8')
+
+        xmlsec.enable_debug_trace(debug)
+        dsig_ctx = xmlsec.SignatureContext()
+        dsig_ctx.key = xmlsec.Key.from_memory(key, xmlsec.KeyFormat.PEM, None)
+        return dsig_ctx.sign_binary(compat.to_bytes(msg), algorithm)
    
+
+
    [docs]    @staticmethod
+    def validate_binary_sign(signed_query, signature, cert=None, algorithm=OneLogin_Saml2_Constants.RSA_SHA256, debug=False):
+        """
+        Validates signed binary data (Used to validate GET Signature).
+
+        :param signed_query: The element we should validate
+        :type: string
+
+
+        :param signature: The signature that will be validate
+        :type: string
+
+        :param cert: The public cert
+        :type: string
+
+        :param algorithm: Signature algorithm
+        :type: string
+
+        :param debug: Activate the xmlsec debug
+        :type: bool
+        """
+        try:
+            xmlsec.enable_debug_trace(debug)
+            dsig_ctx = xmlsec.SignatureContext()
+            dsig_ctx.key = xmlsec.Key.from_memory(cert, xmlsec.KeyFormat.CERT_PEM, None)
+
+            sign_algorithm_transform_map = {
+                OneLogin_Saml2_Constants.DSA_SHA1: xmlsec.Transform.DSA_SHA1,
+                OneLogin_Saml2_Constants.RSA_SHA1: xmlsec.Transform.RSA_SHA1,
+                OneLogin_Saml2_Constants.RSA_SHA256: xmlsec.Transform.RSA_SHA256,
+                OneLogin_Saml2_Constants.RSA_SHA384: xmlsec.Transform.RSA_SHA384,
+                OneLogin_Saml2_Constants.RSA_SHA512: xmlsec.Transform.RSA_SHA512
+            }
+            sign_algorithm_transform = sign_algorithm_transform_map.get(algorithm, xmlsec.Transform.RSA_SHA256)
+
+            dsig_ctx.verify_binary(compat.to_bytes(signed_query),
+                                   sign_algorithm_transform,
+                                   compat.to_bytes(signature))
+            return True
+        except xmlsec.Error as e:
+            if debug:
+                print(e)
+            return False
    
+
+
    [docs]    @staticmethod
+    def normalize_url(url):
+        """
+        Returns normalized URL for comparison.
+        This method converts the netloc to lowercase, as it should be case-insensitive (per RFC 4343, RFC 7617)
+        If standardization fails, the original URL is returned
+        Python documentation indicates that URL split also normalizes query strings if empty query fields are present
+
+        :param url: URL
+        :type url: String
+
+        :returns: A normalized URL, or the given URL string if parsing fails
+        :rtype: String
+        """
+        try:
+            scheme, netloc, path, query, fragment = urlsplit(url)
+            normalized_url = urlunsplit((scheme.lower(), netloc.lower(), path, query, fragment))
+            return normalized_url
+        except Exception:
+            return url
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/xml_templates.html b/docs/saml2/_modules/onelogin/saml2/xml_templates.html
new file mode 100644
index 00000000..13dd9b94
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/xml_templates.html
@@ -0,0 +1,256 @@
+
+
+
+  
+  
+  onelogin.saml2.xml_templates — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.xml_templates
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_Auth class
+
+
+Main class of SAML Python Toolkit.
+
+Initializes the SP SAML instance
+
+"""
+
+
+
    [docs]class OneLogin_Saml2_Templates(object):
+
+    ATTRIBUTE = """
+        <saml:Attribute Name="%s" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+            <saml:AttributeValue xsi:type="xs:string">%s</saml:AttributeValue>
+        </saml:Attribute>"""
+
+    AUTHN_REQUEST = """\
+<samlp:AuthnRequest
+  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  ID="%(id)s"
+  Version="2.0"%(provider_name)s%(force_authn_str)s%(is_passive_str)s
+  IssueInstant="%(issue_instant)s"
+  Destination="%(destination)s"
+  ProtocolBinding="%(acs_binding)s"
+  AssertionConsumerServiceURL="%(assertion_url)s"%(attr_consuming_service_str)s>
+    <saml:Issuer>%(entity_id)s</saml:Issuer>%(subject_str)s%(nameid_policy_str)s
+%(requested_authn_context_str)s
+</samlp:AuthnRequest>"""
+
+    LOGOUT_REQUEST = """\
+<samlp:LogoutRequest
+  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  ID="%(id)s"
+  Version="2.0"
+  IssueInstant="%(issue_instant)s"
+  Destination="%(single_logout_url)s">
+    <saml:Issuer>%(entity_id)s</saml:Issuer>
+    %(name_id)s
+    %(session_index)s
+</samlp:LogoutRequest>"""
+
+    LOGOUT_RESPONSE = """\
+<samlp:LogoutResponse
+  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  ID="%(id)s"
+  Version="2.0"
+  IssueInstant="%(issue_instant)s"
+  Destination="%(destination)s"
+  InResponseTo="%(in_response_to)s">
+    <saml:Issuer>%(entity_id)s</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="%(status)s" />
+    </samlp:Status>
+</samlp:LogoutResponse>"""
+
+    MD_CONTACT_PERSON = """\
+    <md:ContactPerson contactType="%(type)s">
+        <md:GivenName>%(name)s</md:GivenName>
+        <md:EmailAddress>%(email)s</md:EmailAddress>
+    </md:ContactPerson>"""
+
+    MD_SLS = """\
+        <md:SingleLogoutService Binding="%(binding)s"
+                                Location="%(location)s" />\n"""
+
+    MD_REQUESTED_ATTRIBUTE = """\
+            <md:RequestedAttribute Name="%(req_attr_name)s"%(req_attr_nameformat_str)s%(req_attr_isrequired_str)s%(req_attr_aux_str)s"""
+
+    MD_ATTR_CONSUMER_SERVICE = """\
+        <md:AttributeConsumingService index="1">
+            <md:ServiceName xml:lang="en">%(service_name)s</md:ServiceName>
+%(attr_cs_desc)s%(requested_attribute_str)s
+        </md:AttributeConsumingService>\n"""
+
+    MD_ENTITY_DESCRIPTOR = """\
+<?xml version="1.0"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+                     %(valid)s
+                     %(cache)s
+                     entityID="%(entity_id)s">
+    <md:SPSSODescriptor AuthnRequestsSigned="%(authnsign)s" WantAssertionsSigned="%(wsign)s" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+%(sls)s        <md:NameIDFormat>%(name_id_format)s</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="%(binding)s"
+                                     Location="%(location)s"
+                                     index="1" />
+%(attribute_consuming_service)s    </md:SPSSODescriptor>
+%(organization)s
+%(contacts)s
+</md:EntityDescriptor>"""
+
+    MD_ORGANISATION = """\
+    <md:Organization>
+        <md:OrganizationName xml:lang="%(lang)s">%(name)s</md:OrganizationName>
+        <md:OrganizationDisplayName xml:lang="%(lang)s">%(display_name)s</md:OrganizationDisplayName>
+        <md:OrganizationURL xml:lang="%(lang)s">%(url)s</md:OrganizationURL>
+    </md:Organization>"""
+
+    RESPONSE = """\
+<samlp:Response
+  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  ID="%(id)s"
+  InResponseTo="%(in_response_to)s"
+  Version="2.0"
+  IssueInstant="%(issue_instant)s"
+  Destination="%(destination)s">
+    <saml:Issuer>%(entity_id)s</saml:Issuer>
+    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+        <samlp:StatusCode
+          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+          Value="%(status)s">
+        </samlp:StatusCode>
+    </samlp:Status>
+    <saml:Assertion
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        Version="2.0"
+        ID="%(assertion_id)s"
+        IssueInstant="%(issue_instant)s">
+        <saml:Issuer>%(entity_id)s</saml:Issuer>
+        <saml:Subject>
+            <saml:NameID
+              NameQualifier="%(entity_id)s"
+              SPNameQualifier="%(requester)s"
+              Format="%(name_id_policy)s">%(name_id)s</saml:NameID>
+            <saml:SubjectConfirmation Method="%(cm)s">
+                <saml:SubjectConfirmationData
+                  NotOnOrAfter="%(not_after)s"
+                  InResponseTo="%(in_response_to)s"
+                  Recipient="%(destination)s">
+                </saml:SubjectConfirmationData>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+        <saml:Conditions NotBefore="%(not_before)s" NotOnOrAfter="%(not_after)s">
+            <saml:AudienceRestriction>
+                <saml:Audience>%(requester)s</saml:Audience>
+            </saml:AudienceRestriction>
+        </saml:Conditions>
+        <saml:AuthnStatement
+          AuthnInstant="%(issue_instant)s"
+          SessionIndex="%(session_index)s"
+          SessionNotOnOrAfter="%(not_after)s">
+%(authn_context)s
+        </saml:AuthnStatement>
+        <saml:AttributeStatement>
+%(attributes)s
+        </saml:AttributeStatement>
+    </saml:Assertion>
+</samlp:Response>"""
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/xml_utils.html b/docs/saml2/_modules/onelogin/saml2/xml_utils.html
new file mode 100644
index 00000000..3c26761b
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/xml_utils.html
@@ -0,0 +1,276 @@
+
+
+
+  
+  
+  onelogin.saml2.xml_utils — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.xml_utils
    +# -*- coding: utf-8 -*-
+
+""" OneLogin_Saml2_XML class
+
+
+Auxiliary class of SAML Python Toolkit.
+
+"""
+
+from os.path import join, dirname
+from lxml import etree
+from onelogin.saml2 import compat
+from onelogin.saml2.constants import OneLogin_Saml2_Constants
+from onelogin.saml2.xmlparser import tostring, fromstring
+
+
+for prefix, url in OneLogin_Saml2_Constants.NSMAP.items():
+    etree.register_namespace(prefix, url)
+
+
+
    [docs]class OneLogin_Saml2_XML(object):
+    _element_class = type(etree.Element('root'))
+    _parse_etree = staticmethod(fromstring)
+    _schema_class = etree.XMLSchema
+    _text_class = compat.text_types
+    _bytes_class = compat.bytes_type
+    _unparse_etree = staticmethod(tostring)
+
+    dump = staticmethod(etree.dump)
+    make_root = staticmethod(etree.Element)
+    make_child = staticmethod(etree.SubElement)
+
+
    [docs]    @staticmethod
+    def to_string(xml, **kwargs):
+        """
+        Serialize an element to an encoded string representation of its XML tree.
+        :param xml: The root node
+        :type xml: str|bytes|xml.dom.minidom.Document|etree.Element
+        :returns: string representation of xml
+        :rtype: string
+        """
+
+        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+            return xml
+
+        if isinstance(xml, OneLogin_Saml2_XML._element_class):
+            OneLogin_Saml2_XML.cleanup_namespaces(xml)
+            return OneLogin_Saml2_XML._unparse_etree(xml, **kwargs)
+
+        raise ValueError("unsupported type %r" % type(xml))
    
+
+
    [docs]    @staticmethod
+    def to_etree(xml):
+        """
+        Parses an XML document or fragment from a string.
+        :param xml: the string to parse
+        :type xml: str|bytes|xml.dom.minidom.Document|etree.Element
+        :returns: the root node
+        :rtype: OneLogin_Saml2_XML._element_class
+        """
+        if isinstance(xml, OneLogin_Saml2_XML._element_class):
+            return xml
+        if isinstance(xml, OneLogin_Saml2_XML._bytes_class):
+            return OneLogin_Saml2_XML._parse_etree(xml, forbid_dtd=True, forbid_entities=True)
+        if isinstance(xml, OneLogin_Saml2_XML._text_class):
+            return OneLogin_Saml2_XML._parse_etree(compat.to_bytes(xml), forbid_dtd=True, forbid_entities=True)
+
+        raise ValueError('unsupported type %r' % type(xml))
    
+
+
    [docs]    @staticmethod
+    def validate_xml(xml, schema, debug=False):
+        """
+        Validates a xml against a schema
+        :param xml: The xml that will be validated
+        :type xml: str|bytes|xml.dom.minidom.Document|etree.Element
+        :param schema: The schema
+        :type schema: string
+        :param debug: If debug is active, the parse-errors will be showed
+        :type debug: bool
+        :returns: Error code or the DomDocument of the xml
+        :rtype: xml.dom.minidom.Document
+        """
+
+        assert isinstance(schema, compat.str_type)
+        try:
+            xml = OneLogin_Saml2_XML.to_etree(xml)
+        except Exception as e:
+            if debug:
+                print(e)
+            return 'unloaded_xml'
+
+        schema_file = join(dirname(__file__), 'schemas', schema)
+        with open(schema_file, 'r') as f_schema:
+            xmlschema = OneLogin_Saml2_XML._schema_class(etree.parse(f_schema))
+
+        if not xmlschema.validate(xml):
+            if debug:
+                print('Errors validating the metadata: ')
+                for error in xmlschema.error_log:
+                    print(error.message)
+            return 'invalid_xml'
+        return xml
    
+
+
    [docs]    @staticmethod
+    def query(dom, query, context=None, tagid=None):
+        """
+        Extracts nodes that match the query from the Element
+
+        :param dom: The root of the lxml objet
+        :type: Element
+
+        :param query: Xpath Expresion
+        :type: string
+
+        :param context: Context Node
+        :type: DOMElement
+
+        :param tagid: Tag ID
+        :type query: String
+
+        :returns: The queried nodes
+        :rtype: list
+        """
+        if context is None:
+            source = dom
+        else:
+            source = context
+
+        if tagid is None:
+            return source.xpath(query, namespaces=OneLogin_Saml2_Constants.NSMAP)
+        else:
+            return source.xpath(query, tagid=tagid, namespaces=OneLogin_Saml2_Constants.NSMAP)
    
+
+
    [docs]    @staticmethod
+    def cleanup_namespaces(tree_or_element, top_nsmap=None, keep_ns_prefixes=None):
+        """
+        Keeps the xmlns:xs namespace intact when etree.cleanup_namespaces is invoked.
+        :param tree_or_element: An XML tree or element
+        :type tree_or_element: etree.Element
+        :param top_nsmap: A mapping from namespace prefixes to namespace URIs
+        :type top_nsmap: dict
+        :param keep_ns_prefixes: List of prefixes that should not be removed as part of the cleanup
+        :type keep_ns_prefixes: list
+        :returns: An XML tree or element
+        :rtype: etree.Element
+        """
+        all_prefixes_to_keep = [
+            OneLogin_Saml2_Constants.NS_PREFIX_XS,
+            OneLogin_Saml2_Constants.NS_PREFIX_XSI,
+            OneLogin_Saml2_Constants.NS_PREFIX_XSD
+        ]
+
+        if keep_ns_prefixes:
+            all_prefixes_to_keep = list(set(all_prefixes_to_keep.extend(keep_ns_prefixes)))
+
+        return etree.cleanup_namespaces(tree_or_element, keep_ns_prefixes=all_prefixes_to_keep)
    
+
+
    [docs]    @staticmethod
+    def extract_tag_text(xml, tagname):
+        open_tag = compat.to_bytes("<%s" % tagname)
+        close_tag = compat.to_bytes("</%s>" % tagname)
+
+        xml = OneLogin_Saml2_XML.to_string(xml)
+        start = xml.find(open_tag)
+        assert start != -1
+
+        end = xml.find(close_tag, start) + len(close_tag)
+        assert end != -1
+        return compat.to_string(xml[start:end])
    
+
+
    [docs]    @staticmethod
+    def element_text(node):
+        # Double check, the LXML Parser already removes comments
+        etree.strip_tags(node, etree.Comment)
+        return node.text
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_modules/onelogin/saml2/xmlparser.html b/docs/saml2/_modules/onelogin/saml2/xmlparser.html
new file mode 100644
index 00000000..7058367c
--- /dev/null
+++ b/docs/saml2/_modules/onelogin/saml2/xmlparser.html
@@ -0,0 +1,285 @@
+
+
+
+  
+  
+  onelogin.saml2.xmlparser — SAML Python2/3 Toolkit 1 documentation
+      
+      
+  
+  
+        
+        
+        
+        
+        
+    
+    
+     
+
+
+ 
+  
    
+    
+
+    
    
+
+      
    
+        
    
+          
    
+  
+  
    
+
    
+          
    
+           
    
+             
+  
    Source code for onelogin.saml2.xmlparser
    +# -*- coding: utf-8 -*-
+
+# Based on the lxml example from defusedxml
+# DTDForbidden, EntitiesForbidden, NotSupportedError are clones of the classes defined at defusedxml
+#
+# Copyright (c) 2013 by Christian Heimes <christian@python.org>
+# Licensed to PSF under a Contributor Agreement.
+# See https://www.python.org/psf/license for licensing details.
+"""lxml.etree protection"""
+
+from __future__ import print_function, absolute_import
+
+import threading
+
+from lxml import etree as _etree
+
+LXML3 = _etree.LXML_VERSION[0] >= 3
+
+__origin__ = "lxml.etree"
+
+tostring = _etree.tostring
+
+
+
    [docs]class DTDForbidden(ValueError):
+    """Document type definition is forbidden
+    """
+
+    def __init__(self, name, sysid, pubid):
+        super(DTDForbidden, self).__init__()
+        self.name = name
+        self.sysid = sysid
+        self.pubid = pubid
+
+    def __str__(self):
+        tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
+        return tpl.format(self.name, self.sysid, self.pubid)
    
+
+
+
    [docs]class EntitiesForbidden(ValueError):
+    """Entity definition is forbidden
+    """
+
+    def __init__(self, name, value, base, sysid, pubid, notation_name):
+        super(EntitiesForbidden, self).__init__()
+        self.name = name
+        self.value = value
+        self.base = base
+        self.sysid = sysid
+        self.pubid = pubid
+        self.notation_name = notation_name
+
+    def __str__(self):
+        tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
+        return tpl.format(self.name, self.sysid, self.pubid)
    
+
+
+
    [docs]class NotSupportedError(ValueError):
+    """The operation is not supported
+    """
    
+
+
+
    [docs]class RestrictedElement(_etree.ElementBase):
+    """A restricted Element class that filters out instances of some classes
+    """
+
+    __slots__ = ()
+    blacklist = (_etree._Entity, _etree._ProcessingInstruction, _etree._Comment)
+
+    def _filter(self, iterator):
+        blacklist = self.blacklist
+        for child in iterator:
+            if isinstance(child, blacklist):
+                continue
+            yield child
+
+    def __iter__(self):
+        iterator = super(RestrictedElement, self).__iter__()
+        return self._filter(iterator)
+
+
    [docs]    def iterchildren(self, tag=None, reversed=False):
+        iterator = super(RestrictedElement, self).iterchildren(tag=tag, reversed=reversed)
+        return self._filter(iterator)
    
+
+
    [docs]    def iter(self, tag=None, *tags):
+        iterator = super(RestrictedElement, self).iter(tag=tag, *tags)
+        return self._filter(iterator)
    
+
+
    [docs]    def iterdescendants(self, tag=None, *tags):
+        iterator = super(RestrictedElement, self).iterdescendants(tag=tag, *tags)
+        return self._filter(iterator)
    
+
+
    [docs]    def itersiblings(self, tag=None, preceding=False):
+        iterator = super(RestrictedElement, self).itersiblings(tag=tag, preceding=preceding)
+        return self._filter(iterator)
    
+
+
    [docs]    def getchildren(self):
+        iterator = super(RestrictedElement, self).__iter__()
+        return list(self._filter(iterator))
    
+
+
    [docs]    def getiterator(self, tag=None):
+        iterator = super(RestrictedElement, self).getiterator(tag)
+        return self._filter(iterator)
    
+
+
+
    [docs]class GlobalParserTLS(threading.local):
+    """Thread local context for custom parser instances
+    """
+
+    parser_config = {
+        "resolve_entities": False,
+        'remove_comments': True,
+        'no_network': True,
+        'remove_pis': True,
+        'huge_tree': False
+    }
+
+    element_class = RestrictedElement
+
+
    [docs]    def createDefaultParser(self):
+        parser = _etree.XMLParser(**self.parser_config)
+        element_class = self.element_class
+        if self.element_class is not None:
+            lookup = _etree.ElementDefaultClassLookup(element=element_class)
+            parser.set_element_class_lookup(lookup)
+        return parser
    
+
+
    [docs]    def setDefaultParser(self, parser):
+        self._default_parser = parser
    
+
+
    [docs]    def getDefaultParser(self):
+        parser = getattr(self, "_default_parser", None)
+        if parser is None:
+            parser = self.createDefaultParser()
+            self.setDefaultParser(parser)
+        return parser
    
+
+
+_parser_tls = GlobalParserTLS()
+getDefaultParser = _parser_tls.getDefaultParser
+
+
+
    [docs]def check_docinfo(elementtree, forbid_dtd=False, forbid_entities=True):
+    """Check docinfo of an element tree for DTD and entity declarations
+    The check for entity declarations needs lxml 3 or newer. lxml 2.x does
+    not support dtd.iterentities().
+    """
+    docinfo = elementtree.docinfo
+    if docinfo.doctype:
+        if forbid_dtd:
+            raise DTDForbidden(docinfo.doctype, docinfo.system_url, docinfo.public_id)
+        if forbid_entities and not LXML3:
+            # lxml < 3 has no iterentities()
+            raise NotSupportedError("Unable to check for entity declarations " "in lxml 2.x")
+
+    if forbid_entities:
+        for dtd in docinfo.internalDTD, docinfo.externalDTD:
+            if dtd is None:
+                continue
+            for entity in dtd.iterentities():
+                raise EntitiesForbidden(entity.name, entity.content, None, None, None, None)
    
+
+
+
    [docs]def parse(source, parser=None, base_url=None, forbid_dtd=True, forbid_entities=True):
+    if parser is None:
+        parser = getDefaultParser()
+    elementtree = _etree.parse(source, parser, base_url=base_url)
+    check_docinfo(elementtree, forbid_dtd, forbid_entities)
+    return elementtree
    
+
+
+
    [docs]def fromstring(text, parser=None, base_url=None, forbid_dtd=True, forbid_entities=True):
+    if parser is None:
+        parser = getDefaultParser()
+    rootelement = _etree.fromstring(text, parser, base_url=base_url)
+    elementtree = rootelement.getroottree()
+    check_docinfo(elementtree, forbid_dtd, forbid_entities)
+    return rootelement
    
+
+
+XML = fromstring
+
+
+
    [docs]def iterparse(*args, **kwargs):
+    raise NotSupportedError("iterparse not available")
    
+
    
+
+           
    
+          
    
+          
+        
    
+      
    
+    
    
+  
    
+   
+
+
+
\ No newline at end of file
diff --git a/docs/saml2/_sources/index.rst.txt b/docs/saml2/_sources/index.rst.txt
new file mode 100644
index 00000000..020156af
--- /dev/null
+++ b/docs/saml2/_sources/index.rst.txt
@@ -0,0 +1,14 @@
+.. SAML Python2/3 Toolkit documentation master file, created by
+   sphinx-quickstart on Sun Oct  1 03:00:42 2023.
+   You can adapt this file completely to your liking, but it should at least
+   contain the root `toctree` directive.
+
+Welcome to SAML Python2/3 Toolkit's documentation!
+==================================================
+
+.. toctree::
+   :maxdepth: 4
+   :caption: Contents:
+
+   onelogin
+
diff --git a/docs/saml2/_sources/modules.rst.txt b/docs/saml2/_sources/modules.rst.txt
new file mode 100644
index 00000000..529aa5bd
--- /dev/null
+++ b/docs/saml2/_sources/modules.rst.txt
@@ -0,0 +1,7 @@
+onelogin
+========
+
+.. toctree::
+   :maxdepth: 4
+
+   onelogin
diff --git a/docs/saml2/_sources/onelogin.rst.txt b/docs/saml2/_sources/onelogin.rst.txt
new file mode 100644
index 00000000..33f8a252
--- /dev/null
+++ b/docs/saml2/_sources/onelogin.rst.txt
@@ -0,0 +1,18 @@
+onelogin package
+================
+
+Subpackages
+-----------
+
+.. toctree::
+   :maxdepth: 4
+
+   onelogin.saml2
+
+Module contents
+---------------
+
+.. automodule:: onelogin
+   :members:
+   :undoc-members:
+   :show-inheritance:
diff --git a/docs/saml2/_sources/onelogin.saml2.rst.txt b/docs/saml2/_sources/onelogin.saml2.rst.txt
new file mode 100644
index 00000000..3ba9d62b
--- /dev/null
+++ b/docs/saml2/_sources/onelogin.saml2.rst.txt
@@ -0,0 +1,133 @@
+onelogin.saml2 package
+======================
+
+Submodules
+----------
+
+onelogin.saml2.auth module
+--------------------------
+
+.. automodule:: onelogin.saml2.auth
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.authn\_request module
+------------------------------------
+
+.. automodule:: onelogin.saml2.authn_request
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.compat module
+----------------------------
+
+.. automodule:: onelogin.saml2.compat
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.constants module
+-------------------------------
+
+.. automodule:: onelogin.saml2.constants
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.errors module
+----------------------------
+
+.. automodule:: onelogin.saml2.errors
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.idp\_metadata\_parser module
+-------------------------------------------
+
+.. automodule:: onelogin.saml2.idp_metadata_parser
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.logout\_request module
+-------------------------------------
+
+.. automodule:: onelogin.saml2.logout_request
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.logout\_response module
+--------------------------------------
+
+.. automodule:: onelogin.saml2.logout_response
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.metadata module
+------------------------------
+
+.. automodule:: onelogin.saml2.metadata
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.response module
+------------------------------
+
+.. automodule:: onelogin.saml2.response
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.settings module
+------------------------------
+
+.. automodule:: onelogin.saml2.settings
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.utils module
+---------------------------
+
+.. automodule:: onelogin.saml2.utils
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.xml\_templates module
+------------------------------------
+
+.. automodule:: onelogin.saml2.xml_templates
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.xml\_utils module
+--------------------------------
+
+.. automodule:: onelogin.saml2.xml_utils
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+onelogin.saml2.xmlparser module
+-------------------------------
+
+.. automodule:: onelogin.saml2.xmlparser
+   :members:
+   :undoc-members:
+   :show-inheritance:
+
+Module contents
+---------------
+
+.. automodule:: onelogin.saml2
+   :members:
+   :undoc-members:
+   :show-inheritance:
diff --git a/docs/saml2/_static/_sphinx_javascript_frameworks_compat.js b/docs/saml2/_static/_sphinx_javascript_frameworks_compat.js
new file mode 100644
index 00000000..81415803
--- /dev/null
+++ b/docs/saml2/_static/_sphinx_javascript_frameworks_compat.js
@@ -0,0 +1,123 @@
+/* Compatability shim for jQuery and underscores.js.
+ *
+ * Copyright Sphinx contributors
+ * Released under the two clause BSD licence
+ */
+
+/**
+ * small helper function to urldecode strings
+ *
+ * See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent#Decoding_query_parameters_from_a_URL
+ */
+jQuery.urldecode = function(x) {
+    if (!x) {
+        return x
+    }
+    return decodeURIComponent(x.replace(/\+/g, ' '));
+};
+
+/**
+ * small helper function to urlencode strings
+ */
+jQuery.urlencode = encodeURIComponent;
+
+/**
+ * This function returns the parsed url parameters of the
+ * current request. Multiple values per key are supported,
+ * it will always return arrays of strings for the value parts.
+ */
+jQuery.getQueryParameters = function(s) {
+    if (typeof s === 'undefined')
+        s = document.location.search;
+    var parts = s.substr(s.indexOf('?') + 1).split('&');
+    var result = {};
+    for (var i = 0; i < parts.length; i++) {
+        var tmp = parts[i].split('=', 2);
+        var key = jQuery.urldecode(tmp[0]);
+        var value = jQuery.urldecode(tmp[1]);
+        if (key in result)
+            result[key].push(value);
+        else
+            result[key] = [value];
+    }
+    return result;
+};
+
+/**
+ * highlight a given string on a jquery object by wrapping it in
+ * span elements with the given class name.
+ */
+jQuery.fn.highlightText = function(text, className) {
+    function highlight(node, addItems) {
+        if (node.nodeType === 3) {
+            var val = node.nodeValue;
+            var pos = val.toLowerCase().indexOf(text);
+            if (pos >= 0 &&
+                !jQuery(node.parentNode).hasClass(className) &&
+                !jQuery(node.parentNode).hasClass("nohighlight")) {
+                var span;
+                var isInSVG = jQuery(node).closest("body, svg, foreignObject").is("svg");
+                if (isInSVG) {
+                    span = document.createElementNS("http://www.w3.org/2000/svg", "tspan");
+                } else {
+                    span = document.createElement("span");
+                    span.className = className;
+                }
+                span.appendChild(document.createTextNode(val.substr(pos, text.length)));
+                node.parentNode.insertBefore(span, node.parentNode.insertBefore(
+                    document.createTextNode(val.substr(pos + text.length)),
+                    node.nextSibling));
+                node.nodeValue = val.substr(0, pos);
+                if (isInSVG) {
+                    var rect = document.createElementNS("http://www.w3.org/2000/svg", "rect");
+                    var bbox = node.parentElement.getBBox();
+                    rect.x.baseVal.value = bbox.x;
+                    rect.y.baseVal.value = bbox.y;
+                    rect.width.baseVal.value = bbox.width;
+                    rect.height.baseVal.value = bbox.height;
+                    rect.setAttribute('class', className);
+                    addItems.push({
+                        "parent": node.parentNode,
+                        "target": rect});
+                }
+            }
+        }
+        else if (!jQuery(node).is("button, select, textarea")) {
+            jQuery.each(node.childNodes, function() {
+                highlight(this, addItems);
+            });
+        }
+    }
+    var addItems = [];
+    var result = this.each(function() {
+        highlight(this, addItems);
+    });
+    for (var i = 0; i < addItems.length; ++i) {
+        jQuery(addItems[i].parent).before(addItems[i].target);
+    }
+    return result;
+};
+
+/*
+ * backward compatibility for jQuery.browser
+ * This will be supported until firefox bug is fixed.
+ */
+if (!jQuery.browser) {
+    jQuery.uaMatch = function(ua) {
+        ua = ua.toLowerCase();
+
+        var match = /(chrome)[ \/]([\w.]+)/.exec(ua) ||
+            /(webkit)[ \/]([\w.]+)/.exec(ua) ||
+            /(opera)(?:.*version|)[ \/]([\w.]+)/.exec(ua) ||
+            /(msie) ([\w.]+)/.exec(ua) ||
+            ua.indexOf("compatible") < 0 && /(mozilla)(?:.*? rv:([\w.]+)|)/.exec(ua) ||
+            [];
+
+        return {
+            browser: match[ 1 ] || "",
+            version: match[ 2 ] || "0"
+        };
+    };
+    jQuery.browser = {};
+    jQuery.browser[jQuery.uaMatch(navigator.userAgent).browser] = true;
+}
diff --git a/docs/saml2/_static/basic.css b/docs/saml2/_static/basic.css
new file mode 100644
index 00000000..cfc60b86
--- /dev/null
+++ b/docs/saml2/_static/basic.css
@@ -0,0 +1,921 @@
+/*
+ * basic.css
+ * ~~~~~~~~~
+ *
+ * Sphinx stylesheet -- basic theme.
+ *
+ * :copyright: Copyright 2007-2023 by the Sphinx team, see AUTHORS.
+ * :license: BSD, see LICENSE for details.
+ *
+ */
+
+/* -- main layout ----------------------------------------------------------- */
+
+div.clearer {
+    clear: both;
+}
+
+div.section::after {
+    display: block;
+    content: '';
+    clear: left;
+}
+
+/* -- relbar ---------------------------------------------------------------- */
+
+div.related {
+    width: 100%;
+    font-size: 90%;
+}
+
+div.related h3 {
+    display: none;
+}
+
+div.related ul {
+    margin: 0;
+    padding: 0 0 0 10px;
+    list-style: none;
+}
+
+div.related li {
+    display: inline;
+}
+
+div.related li.right {
+    float: right;
+    margin-right: 5px;
+}
+
+/* -- sidebar --------------------------------------------------------------- */
+
+div.sphinxsidebarwrapper {
+    padding: 10px 5px 0 10px;
+}
+
+div.sphinxsidebar {
+    float: left;
+    width: 230px;
+    margin-left: -100%;
+    font-size: 90%;
+    word-wrap: break-word;
+    overflow-wrap : break-word;
+}
+
+div.sphinxsidebar ul {
+    list-style: none;
+}
+
+div.sphinxsidebar ul ul,
+div.sphinxsidebar ul.want-points {
+    margin-left: 20px;
+    list-style: square;
+}
+
+div.sphinxsidebar ul ul {
+    margin-top: 0;
+    margin-bottom: 0;
+}
+
+div.sphinxsidebar form {
+    margin-top: 10px;
+}
+
+div.sphinxsidebar input {
+    border: 1px solid #98dbcc;
+    font-family: sans-serif;
+    font-size: 1em;
+}
+
+div.sphinxsidebar #searchbox form.search {
+    overflow: hidden;
+}
+
+div.sphinxsidebar #searchbox input[type="text"] {
+    float: left;
+    width: 80%;
+    padding: 0.25em;
+    box-sizing: border-box;
+}
+
+div.sphinxsidebar #searchbox input[type="submit"] {
+    float: left;
+    width: 20%;
+    border-left: none;
+    padding: 0.25em;
+    box-sizing: border-box;
+}
+
+
+img {
+    border: 0;
+    max-width: 100%;
+}
+
+/* -- search page ----------------------------------------------------------- */
+
+ul.search {
+    margin: 10px 0 0 20px;
+    padding: 0;
+}
+
+ul.search li {
+    padding: 5px 0 5px 20px;
+    background-image: url(file.png);
+    background-repeat: no-repeat;
+    background-position: 0 7px;
+}
+
+ul.search li a {
+    font-weight: bold;
+}
+
+ul.search li p.context {
+    color: #888;
+    margin: 2px 0 0 30px;
+    text-align: left;
+}
+
+ul.keywordmatches li.goodmatch a {
+    font-weight: bold;
+}
+
+/* -- index page ------------------------------------------------------------ */
+
+table.contentstable {
+    width: 90%;
+    margin-left: auto;
+    margin-right: auto;
+}
+
+table.contentstable p.biglink {
+    line-height: 150%;
+}
+
+a.biglink {
+    font-size: 1.3em;
+}
+
+span.linkdescr {
+    font-style: italic;
+    padding-top: 5px;
+    font-size: 90%;
+}
+
+/* -- general index --------------------------------------------------------- */
+
+table.indextable {
+    width: 100%;
+}
+
+table.indextable td {
+    text-align: left;
+    vertical-align: top;
+}
+
+table.indextable ul {
+    margin-top: 0;
+    margin-bottom: 0;
+    list-style-type: none;
+}
+
+table.indextable > tbody > tr > td > ul {
+    padding-left: 0em;
+}
+
+table.indextable tr.pcap {
+    height: 10px;
+}
+
+table.indextable tr.cap {
+    margin-top: 10px;
+    background-color: #f2f2f2;
+}
+
+img.toggler {
+    margin-right: 3px;
+    margin-top: 3px;
+    cursor: pointer;
+}
+
+div.modindex-jumpbox {
+    border-top: 1px solid #ddd;
+    border-bottom: 1px solid #ddd;
+    margin: 1em 0 1em 0;
+    padding: 0.4em;
+}
+
+div.genindex-jumpbox {
+    border-top: 1px solid #ddd;
+    border-bottom: 1px solid #ddd;
+    margin: 1em 0 1em 0;
+    padding: 0.4em;
+}
+
+/* -- domain module index --------------------------------------------------- */
+
+table.modindextable td {
+    padding: 2px;
+    border-collapse: collapse;
+}
+
+/* -- general body styles --------------------------------------------------- */
+
+div.body {
+    min-width: 360px;
+    max-width: 800px;
+}
+
+div.body p, div.body dd, div.body li, div.body blockquote {
+    -moz-hyphens: auto;
+    -ms-hyphens: auto;
+    -webkit-hyphens: auto;
+    hyphens: auto;
+}
+
+a.headerlink {
+    visibility: hidden;
+}
+
+h1:hover > a.headerlink,
+h2:hover > a.headerlink,
+h3:hover > a.headerlink,
+h4:hover > a.headerlink,
+h5:hover > a.headerlink,
+h6:hover > a.headerlink,
+dt:hover > a.headerlink,
+caption:hover > a.headerlink,
+p.caption:hover > a.headerlink,
+div.code-block-caption:hover > a.headerlink {
+    visibility: visible;
+}
+
+div.body p.caption {
+    text-align: inherit;
+}
+
+div.body td {
+    text-align: left;
+}
+
+.first {
+    margin-top: 0 !important;
+}
+
+p.rubric {
+    margin-top: 30px;
+    font-weight: bold;
+}
+
+img.align-left, figure.align-left, .figure.align-left, object.align-left {
+    clear: left;
+    float: left;
+    margin-right: 1em;
+}
+
+img.align-right, figure.align-right, .figure.align-right, object.align-right {
+    clear: right;
+    float: right;
+    margin-left: 1em;
+}
+
+img.align-center, figure.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+img.align-default, figure.align-default, .figure.align-default {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+    text-align: left;
+}
+
+.align-center {
+    text-align: center;
+}
+
+.align-default {
+    text-align: center;
+}
+
+.align-right {
+    text-align: right;
+}
+
+/* -- sidebars -------------------------------------------------------------- */
+
+div.sidebar,
+aside.sidebar {
+    margin: 0 0 0.5em 1em;
+    border: 1px solid #ddb;
+    padding: 7px;
+    background-color: #ffe;
+    width: 40%;
+    float: right;
+    clear: right;
+    overflow-x: auto;
+}
+
+p.sidebar-title {
+    font-weight: bold;
+}
+
+nav.contents,
+aside.topic,
+div.admonition, div.topic, blockquote {
+    clear: left;
+}
+
+/* -- topics ---------------------------------------------------------------- */
+
+nav.contents,
+aside.topic,
+div.topic {
+    border: 1px solid #ccc;
+    padding: 7px;
+    margin: 10px 0 10px 0;
+}
+
+p.topic-title {
+    font-size: 1.1em;
+    font-weight: bold;
+    margin-top: 10px;
+}
+
+/* -- admonitions ----------------------------------------------------------- */
+
+div.admonition {
+    margin-top: 10px;
+    margin-bottom: 10px;
+    padding: 7px;
+}
+
+div.admonition dt {
+    font-weight: bold;
+}
+
+p.admonition-title {
+    margin: 0px 10px 5px 0px;
+    font-weight: bold;
+}
+
+div.body p.centered {
+    text-align: center;
+    margin-top: 25px;
+}
+
+/* -- content of sidebars/topics/admonitions -------------------------------- */
+
+div.sidebar > :last-child,
+aside.sidebar > :last-child,
+nav.contents > :last-child,
+aside.topic > :last-child,
+div.topic > :last-child,
+div.admonition > :last-child {
+    margin-bottom: 0;
+}
+
+div.sidebar::after,
+aside.sidebar::after,
+nav.contents::after,
+aside.topic::after,
+div.topic::after,
+div.admonition::after,
+blockquote::after {
+    display: block;
+    content: '';
+    clear: both;
+}
+
+/* -- tables ---------------------------------------------------------------- */
+
+table.docutils {
+    margin-top: 10px;
+    margin-bottom: 10px;
+    border: 0;
+    border-collapse: collapse;
+}
+
+table.align-center {
+    margin-left: auto;
+    margin-right: auto;
+}
+
+table.align-default {
+    margin-left: auto;
+    margin-right: auto;
+}
+
+table caption span.caption-number {
+    font-style: italic;
+}
+
+table caption span.caption-text {
+}
+
+table.docutils td, table.docutils th {
+    padding: 1px 8px 1px 5px;
+    border-top: 0;
+    border-left: 0;
+    border-right: 0;
+    border-bottom: 1px solid #aaa;
+}
+
+th {
+    text-align: left;
+    padding-right: 5px;
+}
+
+table.citation {
+    border-left: solid 1px gray;
+    margin-left: 1px;
+}
+
+table.citation td {
+    border-bottom: none;
+}
+
+th > :first-child,
+td > :first-child {
+    margin-top: 0px;
+}
+
+th > :last-child,
+td > :last-child {
+    margin-bottom: 0px;
+}
+
+/* -- figures --------------------------------------------------------------- */
+
+div.figure, figure {
+    margin: 0.5em;
+    padding: 0.5em;
+}
+
+div.figure p.caption, figcaption {
+    padding: 0.3em;
+}
+
+div.figure p.caption span.caption-number,
+figcaption span.caption-number {
+    font-style: italic;
+}
+
+div.figure p.caption span.caption-text,
+figcaption span.caption-text {
+}
+
+/* -- field list styles ----------------------------------------------------- */
+
+table.field-list td, table.field-list th {
+    border: 0 !important;
+}
+
+.field-list ul {
+    margin: 0;
+    padding-left: 1em;
+}
+
+.field-list p {
+    margin: 0;
+}
+
+.field-name {
+    -moz-hyphens: manual;
+    -ms-hyphens: manual;
+    -webkit-hyphens: manual;
+    hyphens: manual;
+}
+
+/* -- hlist styles ---------------------------------------------------------- */
+
+table.hlist {
+    margin: 1em 0;
+}
+
+table.hlist td {
+    vertical-align: top;
+}
+
+/* -- object description styles --------------------------------------------- */
+
+.sig {
+	font-family: 'Consolas', 'Menlo', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace;
+}
+
+.sig-name, code.descname {
+    background-color: transparent;
+    font-weight: bold;
+}
+
+.sig-name {
+	font-size: 1.1em;
+}
+
+code.descname {
+    font-size: 1.2em;
+}
+
+.sig-prename, code.descclassname {
+    background-color: transparent;
+}
+
+.optional {
+    font-size: 1.3em;
+}
+
+.sig-paren {
+    font-size: larger;
+}
+
+.sig-param.n {
+	font-style: italic;
+}
+
+/* C++ specific styling */
+
+.sig-inline.c-texpr,
+.sig-inline.cpp-texpr {
+	font-family: unset;
+}
+
+.sig.c   .k, .sig.c   .kt,
+.sig.cpp .k, .sig.cpp .kt {
+	color: #0033B3;
+}
+
+.sig.c   .m,
+.sig.cpp .m {
+	color: #1750EB;
+}
+
+.sig.c   .s, .sig.c   .sc,
+.sig.cpp .s, .sig.cpp .sc {
+	color: #067D17;
+}
+
+
+/* -- other body styles ----------------------------------------------------- */
+
+ol.arabic {
+    list-style: decimal;
+}
+
+ol.loweralpha {
+    list-style: lower-alpha;
+}
+
+ol.upperalpha {
+    list-style: upper-alpha;
+}
+
+ol.lowerroman {
+    list-style: lower-roman;
+}
+
+ol.upperroman {
+    list-style: upper-roman;
+}
+
+:not(li) > ol > li:first-child > :first-child,
+:not(li) > ul > li:first-child > :first-child {
+    margin-top: 0px;
+}
+
+:not(li) > ol > li:last-child > :last-child,
+:not(li) > ul > li:last-child > :last-child {
+    margin-bottom: 0px;
+}
+
+ol.simple ol p,
+ol.simple ul p,
+ul.simple ol p,
+ul.simple ul p {
+    margin-top: 0;
+}
+
+ol.simple > li:not(:first-child) > p,
+ul.simple > li:not(:first-child) > p {
+    margin-top: 0;
+}
+
+ol.simple p,
+ul.simple p {
+    margin-bottom: 0;
+}
+
+aside.footnote > span,
+div.citation > span {
+    float: left;
+}
+aside.footnote > span:last-of-type,
+div.citation > span:last-of-type {
+  padding-right: 0.5em;
+}
+aside.footnote > p {
+  margin-left: 2em;
+}
+div.citation > p {
+  margin-left: 4em;
+}
+aside.footnote > p:last-of-type,
+div.citation > p:last-of-type {
+    margin-bottom: 0em;
+}
+aside.footnote > p:last-of-type:after,
+div.citation > p:last-of-type:after {
+    content: "";
+    clear: both;
+}
+
+dl.field-list {
+    display: grid;
+    grid-template-columns: fit-content(30%) auto;
+}
+
+dl.field-list > dt {
+    font-weight: bold;
+    word-break: break-word;
+    padding-left: 0.5em;
+    padding-right: 5px;
+}
+
+dl.field-list > dd {
+    padding-left: 0.5em;
+    margin-top: 0em;
+    margin-left: 0em;
+    margin-bottom: 0em;
+}
+
+dl {
+    margin-bottom: 15px;
+}
+
+dd > :first-child {
+    margin-top: 0px;
+}
+
+dd ul, dd table {
+    margin-bottom: 10px;
+}
+
+dd {
+    margin-top: 3px;
+    margin-bottom: 10px;
+    margin-left: 30px;
+}
+
+.sig dd {
+    margin-top: 0px;
+    margin-bottom: 0px;
+}
+
+.sig dl {
+    margin-top: 0px;
+    margin-bottom: 0px;
+}
+
+dl > dd:last-child,
+dl > dd:last-child > :last-child {
+    margin-bottom: 0;
+}
+
+dt:target, span.highlighted {
+    background-color: #fbe54e;
+}
+
+rect.highlighted {
+    fill: #fbe54e;
+}
+
+dl.glossary dt {
+    font-weight: bold;
+    font-size: 1.1em;
+}
+
+.versionmodified {
+    font-style: italic;
+}
+
+.system-message {
+    background-color: #fda;
+    padding: 5px;
+    border: 3px solid red;
+}
+
+.footnote:target  {
+    background-color: #ffa;
+}
+
+.line-block {
+    display: block;
+    margin-top: 1em;
+    margin-bottom: 1em;
+}
+
+.line-block .line-block {
+    margin-top: 0;
+    margin-bottom: 0;
+    margin-left: 1.5em;
+}
+
+.guilabel, .menuselection {
+    font-family: sans-serif;
+}
+
+.accelerator {
+    text-decoration: underline;
+}
+
+.classifier {
+    font-style: oblique;
+}
+
+.classifier:before {
+    font-style: normal;
+    margin: 0 0.5em;
+    content: ":";
+    display: inline-block;
+}
+
+abbr, acronym {
+    border-bottom: dotted 1px;
+    cursor: help;
+}
+
+.translated {
+    background-color: rgba(207, 255, 207, 0.2)
+}
+
+.untranslated {
+    background-color: rgba(255, 207, 207, 0.2)
+}
+
+/* -- code displays --------------------------------------------------------- */
+
+pre {
+    overflow: auto;
+    overflow-y: hidden;  /* fixes display issues on Chrome browsers */
+}
+
+pre, div[class*="highlight-"] {
+    clear: both;
+}
+
+span.pre {
+    -moz-hyphens: none;
+    -ms-hyphens: none;
+    -webkit-hyphens: none;
+    hyphens: none;
+    white-space: nowrap;
+}
+
+div[class*="highlight-"] {
+    margin: 1em 0;
+}
+
+td.linenos pre {
+    border: 0;
+    background-color: transparent;
+    color: #aaa;
+}
+
+table.highlighttable {
+    display: block;
+}
+
+table.highlighttable tbody {
+    display: block;
+}
+
+table.highlighttable tr {
+    display: flex;
+}
+
+table.highlighttable td {
+    margin: 0;
+    padding: 0;
+}
+
+table.highlighttable td.linenos {
+    padding-right: 0.5em;
+}
+
+table.highlighttable td.code {
+    flex: 1;
+    overflow: hidden;
+}
+
+.highlight .hll {
+    display: block;
+}
+
+div.highlight pre,
+table.highlighttable pre {
+    margin: 0;
+}
+
+div.code-block-caption + div {
+    margin-top: 0;
+}
+
+div.code-block-caption {
+    margin-top: 1em;
+    padding: 2px 5px;
+    font-size: small;
+}
+
+div.code-block-caption code {
+    background-color: transparent;
+}
+
+table.highlighttable td.linenos,
+span.linenos,
+div.highlight span.gp {  /* gp: Generic.Prompt */
+  user-select: none;
+  -webkit-user-select: text; /* Safari fallback only */
+  -webkit-user-select: none; /* Chrome/Safari */
+  -moz-user-select: none; /* Firefox */
+  -ms-user-select: none; /* IE10+ */
+}
+
+div.code-block-caption span.caption-number {
+    padding: 0.1em 0.3em;
+    font-style: italic;
+}
+
+div.code-block-caption span.caption-text {
+}
+
+div.literal-block-wrapper {
+    margin: 1em 0;
+}
+
+code.xref, a code {
+    background-color: transparent;
+    font-weight: bold;
+}
+
+h1 code, h2 code, h3 code, h4 code, h5 code, h6 code {
+    background-color: transparent;
+}
+
+.viewcode-link {
+    float: right;
+}
+
+.viewcode-back {
+    float: right;
+    font-family: sans-serif;
+}
+
+div.viewcode-block:target {
+    margin: -1px -10px;
+    padding: 0 10px;
+}
+
+/* -- math display ---------------------------------------------------------- */
+
+img.math {
+    vertical-align: middle;
+}
+
+div.body div.math p {
+    text-align: center;
+}
+
+span.eqno {
+    float: right;
+}
+
+span.eqno a.headerlink {
+    position: absolute;
+    z-index: 1;
+}
+
+div.math:hover a.headerlink {
+    visibility: visible;
+}
+
+/* -- printout stylesheet --------------------------------------------------- */
+
+@media print {
+    div.document,
+    div.documentwrapper,
+    div.bodywrapper {
+        margin: 0 !important;
+        width: 100%;
+    }
+
+    div.sphinxsidebar,
+    div.related,
+    div.footer,
+    #top-link {
+        display: none;
+    }
+}
\ No newline at end of file
diff --git a/docs/saml2/_static/css/badge_only.css b/docs/saml2/_static/css/badge_only.css
new file mode 100644
index 00000000..c718cee4
--- /dev/null
+++ b/docs/saml2/_static/css/badge_only.css
@@ -0,0 +1 @@
+.clearfix{*zoom:1}.clearfix:after,.clearfix:before{display:table;content:""}.clearfix:after{clear:both}@font-face{font-family:FontAwesome;font-style:normal;font-weight:400;src:url(fonts/fontawesome-webfont.eot?674f50d287a8c48dc19ba404d20fe713?#iefix) format("embedded-opentype"),url(fonts/fontawesome-webfont.woff2?af7ae505a9eed503f8b8e6982036873e) format("woff2"),url(fonts/fontawesome-webfont.woff?fee66e712a8a08eef5805a46892932ad) format("woff"),url(fonts/fontawesome-webfont.ttf?b06871f281fee6b241d60582ae9369b9) format("truetype"),url(fonts/fontawesome-webfont.svg?912ec66d7572ff821749319396470bde#FontAwesome) format("svg")}.fa:before{font-family:FontAwesome;font-style:normal;font-weight:400;line-height:1}.fa:before,a .fa{text-decoration:inherit}.fa:before,a .fa,li .fa{display:inline-block}li .fa-large:before{width:1.875em}ul.fas{list-style-type:none;margin-left:2em;text-indent:-.8em}ul.fas li .fa{width:.8em}ul.fas li .fa-large:before{vertical-align:baseline}.fa-book:before,.icon-book:before{content:"\f02d"}.fa-caret-down:before,.icon-caret-down:before{content:"\f0d7"}.fa-caret-up:before,.icon-caret-up:before{content:"\f0d8"}.fa-caret-left:before,.icon-caret-left:before{content:"\f0d9"}.fa-caret-right:before,.icon-caret-right:before{content:"\f0da"}.rst-versions{position:fixed;bottom:0;left:0;width:300px;color:#fcfcfc;background:#1f1d1d;font-family:Lato,proxima-nova,Helvetica Neue,Arial,sans-serif;z-index:400}.rst-versions a{color:#2980b9;text-decoration:none}.rst-versions .rst-badge-small{display:none}.rst-versions .rst-current-version{padding:12px;background-color:#272525;display:block;text-align:right;font-size:90%;cursor:pointer;color:#27ae60}.rst-versions .rst-current-version:after{clear:both;content:"";display:block}.rst-versions .rst-current-version .fa{color:#fcfcfc}.rst-versions .rst-current-version .fa-book,.rst-versions .rst-current-version .icon-book{float:left}.rst-versions .rst-current-version.rst-out-of-date{background-color:#e74c3c;color:#fff}.rst-versions .rst-current-version.rst-active-old-version{background-color:#f1c40f;color:#000}.rst-versions.shift-up{height:auto;max-height:100%;overflow-y:scroll}.rst-versions.shift-up .rst-other-versions{display:block}.rst-versions .rst-other-versions{font-size:90%;padding:12px;color:grey;display:none}.rst-versions .rst-other-versions hr{display:block;height:1px;border:0;margin:20px 0;padding:0;border-top:1px solid #413d3d}.rst-versions .rst-other-versions dd{display:inline-block;margin:0}.rst-versions .rst-other-versions dd a{display:inline-block;padding:6px;color:#fcfcfc}.rst-versions.rst-badge{width:auto;bottom:20px;right:20px;left:auto;border:none;max-width:300px;max-height:90%}.rst-versions.rst-badge .fa-book,.rst-versions.rst-badge .icon-book{float:none;line-height:30px}.rst-versions.rst-badge.shift-up .rst-current-version{text-align:right}.rst-versions.rst-badge.shift-up .rst-current-version .fa-book,.rst-versions.rst-badge.shift-up .rst-current-version .icon-book{float:left}.rst-versions.rst-badge>.rst-current-version{width:auto;height:30px;line-height:30px;padding:0 6px;display:block;text-align:center}@media screen and (max-width:768px){.rst-versions{width:85%;display:none}.rst-versions.shift{display:block}}
\ No newline at end of file
diff --git a/docs/saml2/_static/css/fonts/Roboto-Slab-Bold.woff b/docs/saml2/_static/css/fonts/Roboto-Slab-Bold.woff
new file mode 100644
index 0000000000000000000000000000000000000000..6cb60000181dbd348963953ac8ac54afb46c63d5
GIT binary patch
literal 87624
zcmaI71zemx*C#x!Tp
zndIaoGr4k-bN9U&_Lhd8SbF`U&{aS5&tGC24eIF6>x)sAOb&v
zfVhIZGKkgz05Gxu09p-Ln#TZfWmRDSfawxMKLh|EoVkQZ`Q(-Vma{B@>M4POeg`;B
zkdcjnJpjN;2LM2A0syd<0h`_}My}4p000*vh=&mrIB6Qd!%gkYY(O+#0043i0Dy~+
zMDP?cGjIac*g%2((WW-Z
z97F_wef;$GNYK
zfxA5bOcYe@pSr|Q_wavg4Qxz6G!PGXCa5nlCp;7+_I6Ir05EaTdqH{!{e&2vHVd-7
zqY0?4Du@P%1cew_u&6xu6(fCPef=#1e*gtEa_Fq!$Vh2VDfAaI9A$rFawGD%3Zn{`
zgy^VfK}VWhXJU_#D|iSpz)(AE6ae79l9T`z{7Dgec+=K{^=9K?!wUkQ%eaTrpjIC>
zLC8Nb@pFsd7ck_Sk!=816dlWeVYWSNRMZzZ%}6%bZDUA)+~NZV;g9^cr|GFKyZe`}
zidYTZm7dU!k6>K<5q`*>Dao$Y2>XfSh@4lX_chMROUufP07Bu;w~|>J@*~h
z8aP=_3{}bwwX%57OdFGJj?3eh?_+r|_=znRWSa|kViSC$RK)Ok@HyQrquqh1QhUm2
zD#axlDzU|}+qJuj4PN`wdW1Q8w#UyVncX4X1;k;KqNy&nG-avs3m&sQqsS_7#K?e|
z)9F;OQ!VEQ%1Qf(Y|eN+2lxU}?rMDt1nhIO>18ni9TBcQ4`8!U*6eXw%5OuafEU=M
zwS%l$`22YQyA8YF*h3ZaT_6lZIAm*v7dFfhg1$5=H^f)z%E@iat(7w-QOoT{3(4)~
z>cHV9nMzvk=|x;0r~8FU5u%2{?xjU`UU^#WHgM&BANT1*`K1sX!83!8KiG*V82yx5
zBx8pm+K>F!(2D-b6Co81jUK2|S8E@zTp#2Ufm(hT5V@_Z#HZsaf1oaKyOv{%w0H5_
zF}kq>VThTK0kHmIOHDSb|MS6asI}pF(lz)h3>i=(L~5xZ5%ZO4hJ>e&6bqi1`$qxf
zPTr?6Vz4nNi~<%Q37jRQ@=rM?^5Z;yB?B2Iqyy+#Lx?6~f+hnP79({gynD#{T|p)o
zE{8-e&8OK-0s?8KfNj9tEK4B8RC$x-Zs2hl
zAp%2Vnc`G2)ij&Z?P;4h&
z%<3zlRmIRw#E=zlj%7Z@PCA7ZOO6$=cqgRTid)aJ*mNh^)QV8gDgbk<6Vn2X|4&Ik
zY*WE@yAd}X`%_M8*u61)~Lr`Cu}mS*kN&o^z+?JT)oEtJwN%`de{
zVV>CI9!cW0fy3_Tw4QBdHKB)(uvSlLu?{uzk2GPAejn44UHjTur#xN#)V|xzS;r{v
zJ#o#?|rTB2Nzj~0wg0)B;Y#eq$=S|I=H05;jlVrq)OouufyhCVv;G4ikyye
zt9q-1t4$@If8|ZvNPa&3zQx9AskF&!-ihX(=c0qn&$u%+orBbFAUaBYypyzpbOL_c
z*PY#7AjL9BvkGHSftjR&+ZpD8JnlJ%7|jvtVNhYUmpHpEvYE-CD(rE+XuXd|Z6hJS
zvLj?n&L%}=GSS(ko?AI{$pWil$->0!=c5EonyH#sgUWN`B;tY^#&}h{imd_c1B(QD
zL$vZnQa1XCB`RWbX7Y;dLZFM`?oO-fi%eE<8YCS1DAQN>V61MQONDas4iiV=ysO`y
zPFV|%GlZ;SC>gCNUrg>lX8F
zy_yfLhE{;u%TviO#PqKJrbQVu4`B*EUA6-0De%WuSFgR)+}qiuLfrYt)hnrA~eu9CPLJY7CI>6paS
zWnopw;$U)dp^e}K+3}Y&a@*xhfM}R|{p`3LBacr-0@@jdb$DYK?&I$w^NSzRrP_ObwH`u$VHUzG=(mgYH-8BkFliqhRIf0BGd
z#SQg;0fKNb#@807bm?Drgy!lpM{LR48+WFs5(5dCRWWRk+F6%u!UC!_e|G-NAr_e&
zkhjKs_ucr>s~%Vl?bq@7jQ0$36KTUBuL?@_DYrCJsOXJ$Y<%D<#UD9hAiKhziB?l{
z+@3`ziu0ITPg|%c2ncA@g=VtiSPCbJ6n%WEhX-?xw^!rQv@vT8nwRq?U+&teVHix6
z?zsBZFV{XuCaJAy)0DX&{jBMtI-uo7(#+pMpP{GQ%-HqM&}N
zunOPt%jUEFRew`XR|b8$R#@!TW*RD)Lmyx8k9~^#iXhmW%OvI9{o5gwvKwbxO-Pr9
zrHL8uC0;lh1-W>*+wP)oZXv-n8PSUr9c@>~L*?3tB`{h`R5jcBC;`!sC*ay}P3YF-
zOHx+}f^xY%^qt^rl;*2M-0sVu0O`#xK|d|V2Qchx2z-oqKg=uf{9PTB-=1CMHOX}w
z5ik+PI%J9ATOLj_NS9a6sqdVXRmc$`@|{FPde3Ld@i=>DCcZ9vU4_8Pt@60L=3{Ddonu+Kt8=A&#Vn{1Ypkd|)aXDP#76Yobb7n%}Flnxrd9qH4-
zWI~QjPwDfrhjA9no=4E%bL6QaE@56ZdTHg}5v+wEZ3?%SxQv=RuOi0^w~E>&huyhO
z<&aJvb9)GNqf>5R2$CP~*2xmZXFtOc67KBLCroJ-^HXR(Q@yh1Ym~M$BF}dXymZb;
zk>B~hz{vA7M=mt7RyFZ=*!h6O412ly#z@538Xo1Q%QXY_
zis@n>*p35+Jl|D=G8Wpv4CII7V^V(+HiL=1WJu)d#D2=;A^ULM(34*W-VzRN^APY1
zkhD6f&96yS+dXkE;QJKLjtK>wH@ItlmA*cE0+Tn$X1zfoxOK#8Y4e!KSQ016l1FTS_y;IU~
zH0H@KQe66>d{J0yJF!U30V2p|jjwpP~RQcZ^;^$KDSF(j~Z6
zm9$oU#i>!atd#+3?Gb6T65}nLkV@-?ZE6^KF87fk5twD`FPTW)uDAlX;VGsO6izN0
z^Zi9Jr}G(4_W~ix1M(=E*;L`Y@`9b|Z2{J5;X$4yw4?MBL<>5=7ipHZ#He$Bqkw_h
z>4)%&V#x$ZWi(mi=BQKlg!ONdCONiu3p90^w&(fiDJNQ-2N{i*E`OJRb7xXANuFPP
zVjbTG#N|@OJ2&oQu6BsxlSt>6I9Z#v
zu$#o3+v4i?$vn9P%7?nx1O>)%-!huKh1e5ei4WyQ{69$o*73?hEi4^L|PM6o3OZtv{obc
z&^9FkXsSNueb?fEWGBaqZYg-?9Qn2HM|E(mEA%4SDm-WRD+CQ*>BTHu_sCe
zEtvvN11~9xQ;IPTSwyAbnKP=K5s6$OK;z-+S*|Q88@U2xmolu#**gnC5nKlfGY9rV
zdxpco&ZC=Fe*_EMZh4N~d?JoQ#(VzBeWE?`x)AH5mQ+t&+GVY#cpDR*Wj)tIR^67U
z@gpgY)%J11x{_0J&>yI)?jUKBh@B%W@(Jru-XOn7F{-F=h%yW0k~4%?PM?xFNV_3@
zQBO0A%1qcBMv_GG(4vz&9`2MBS?2W3&B|N<#-pA?r2R$qY_ZR`(%eS0Df&C*ne~Mr
zCAXI>*0SuqQO#R*?R4Wkk>x9HdeV}K4-Zj$_{=(WXD)GN$W#jAL$20vwPD&q*&
zK6rc#Y2OZv}J>(0U_y@);yb6iiTJo;V=z!?!ju|Jm2_o
zeZI|odXun6**3LT8a}ZYBi?#LNzbO*)~oWrGO0CemvCPDZ
z1(^{WXJFJ+&azKH<)Mk2kSY^
zs_$-lh>7D>*`2%tSFhX~ToY9-EVe&G0ec~2T10UPwF?%n|KQT*k>M1Ur@yL($D8Or
z)F&&Q#7w$_DuBlT{iTg?5>b6
zYI7KuM$~c#OI*9xvk7l^EQ^^VO}s~>Vp=v4zEY&#-xi|;?RGi;Uw&cd&HLDA)S{sP
zLl=9j5^2bH^Z0$FOIYKAE;p%JVi&ebtG%nIoo|6Y?R;51!W5
z4I~R;7{UWIc#X+n?>@7NeJA#h*Ynkmm!{kFtik21{?@1+x$~ISgwU^f5GXgWP!$J8
z{M)Px*Ib#q><@;GJ4AEY*9kVy>MKsQ*YWO{TclTJc(4wN8)>!f7IE>_Yv%VIyuKyAL;H1Rq5w!h1
zZ3dp0Cd~Z8wS`U4=kabMC9TDrQ8r;rZ8iB5-o;#yOs)j(4EtM1y2|z!xr0x@nFO_l
zJc9Kv{y7B*P}H^thk@Ac1kxpe%J
z?z4G+@&$3N#InXh@s5(_Y-?iP@G{mVb#9muk>f`e)PcufO+CCAn~ZE{Ev->nohPzA
zlx4J+d{4(6Tz^d`8ycfJq#EX&LaFt5Ce3hy`&{dh@GGeoG^PiaoHrUhiF7+SIVQ~0
zH>A>&yH#=faF(iV9xT895kg+G`^8ri?7pvWniK3zG7KE|c{-ysM&i7YaB~j>HMJ8(
ze4R)A`qw+1W!|Bzf$>**n{P1x(GhyQas0UmEpf$HIL07TCx{)F&2+-ZVT_
zbJ&9`s^g||GWesGPnS(}}GYKk(r;UoZ)
z6}B*CNMKeQ!>V>1^_kNMYD%T7US;bviJKM*_+9+&q|}#SzPjMqMWs!pNLuyZNU#V&
zr9x#;O7*`*f{jwD<^Mz~$?z(rf+3(N27X>Kj~l4`lLiW?@Dm;sZDAxoe=FiwER$C`
z{$I&0jL(nXpnBU7bLy{~-PF{dihLS7rkY4z?-{IG-#0fb=IXmH;zbHxkdNjUUgMpWGnm6Db@C4DYp!#4C1!9gGMp3NT0*>ixyB&R
zBxMYWeQVdI!F;)%Ro|}{f`JXuqP|wL4sR=XI^7eNshR|^B72VTHjJc3FKW5BCy&{h
zgqL2{Khn>yGb^a(19;`vZg8ex#fI3D7dg~FoLPqk@^3kZSXUqMjjCKEi8JvJ^O~$r
zfu4C|O);X9ct+WGAAh_GGEc3%1dfh;S^NXm@JqflV~^LOT`i-$38<-)I@c6fQ!|L7jN(7}5EZUu~;6m0s|
zrqi%14?Y3i18989elP}u(YTUBcw`E%E)Lcyd||y`&hJze?Y>9!iamRw-X<=>&yOm=
z-wlQ@DZ^q^xOysESRvT^Tt}%s#A5bSlO}gNO5fP}0I?%(O7+U%pOrD%9{)45wtwNHWt9ByY
zo#Zu}_4iV``Kb(@Jw=s0MVBiDCJ)AHe=_0#2>gu;zkG_XjolPWw(^XnH_Ur31cU_kp_LQ2fz5B%l*`Fo_a{Vnln~e>#6}#BP93D9^)@Yw
zs_(KRF#8{kXQ0k?VWdZOhZ(ok;@p?LW?r`WB-t;yUPuy?5@^R9xW+zwEeoz3d
z7Qf&*q3C8uyY&O+I}-wQO8P`JrdFRrny_lcy#&bd3zI~W9FmN(!Z(X%T22(7+>|RD
zc}8fBryq5>Q;W}IGMHs}{tl0fHwRzL)dcfPo9Tu|Q_Ka$StHMk=7)S8?Rvutv&4&-
z?eD3>4@-f8e?-0QA5lj>0lnd<=^LeaPK`exYra?Nywd@yzl|yr5%c|Cz4gGl&=Hg!_dL#Oj(iKoa^q7eX
z11JO35!+{3*s)a|FVz})_8NO$wRx+oeV3~2W?T4PMq{eNZ1k3_;YYskJ>u@6Q_8gB
zANpPM>R-k)wck-cOjVpy@0y36X&c|Wn%}$Bx1;{asUAg1nW=Cay`3Q&^>gK*W|er#
zT1e8qqBO8xRv!Cdh@HrT6z*v|$aqGu`Ci^B*Dm1|c}tImJmUCKoe9rXMswZ=9ObUd
zsfDgXE13;W8Cn@dzLt7Hn&BrM|BpUXX{iVHNoGw@s}!Y}m1BiuIXf}r71jRl769|r
z>OZpfGGP*b1%H8|%IMCX8JtxZ>e}RLlX2Yq%TDy<(Pn0GN#AJkc(cMUvm={#w;*bB
z)clP(s-HuWW!~41nLm?@cZwJD@=K(9sF~)(O~;6mnrE!4_W&+`QJl-C+5p7Nr9Qoz
zC2_bZ*?kV>kk@ivwC>3DO^!f#`=^%K}HM`PYgIBz{T
zbh0iz^YfaVr5Qy>AmG#VuG8%TzP!h2XycLB-mtJ>hWFO>%rT6T0I~%>zz7?CNE6fZ
zzI)u&`w)>Qd7UxWBdh4GPh7pl5wvRzZ-x{%6n;Jr7k2af6cF%IQfB&RVWt@D~I23E1I$WZhcfCB}R>nOS&Es=nE5-K9_M6eF
zT&nEIye;MG_{Ob4+`ImhTdnl5t5oSFpH4_3XS#B!6yGN2zj)AeEuBBIo-53Wi}74C
zcN$7ZVzz~PJt}2mSE<^9Tzj0ouF@LRPKN7M_`wT*M&lsm1pq8WMDeJAh
z(*GM=yIldV)+JXTkKG$~jDG#*OCyjN;#jFeDUd4a*tuvI_kAR4jf!J*vdJ!9`>y-?
zse7BJsXlT2G;fLb!O0)~h7T=w%2NOA`$Z=2ONkXFfk@>qNe1S7^pKU4C{;byeaxoN
z<7Br*7;DCd$xQg=GD{7cvJ~g7F$G$e0S%me{C(`mmEB2r_@
z-V!O}rU|&lgq3UIZt_gr@(wlJ6Iz&)O}ZOwTkE8EkX86r`bNo;KCCjXN}X=-$~e(9
zjZbJsh~S+cA6lB~Odi$ymkLx%lYM*3ktvqLU%bYH
zYYNFt4tY|C!0QBsQr!W05G+<%Gsju%-bEglutKx9`4ter*<0VTb3(|c=6Ruu=u-!7wkn7h8
z7c8(wqt^NsS}5_uy_Bi7#2!v`aNIJEkXhGr{x&{LVA@6oXPk)fFTYXKY9jly&)p4n
z)f*sog*|?B;@1a4{jMJCM*L|(uwykJrkg30BPZKA+YP}s9qXp)LHUGdrsf6HiH&LJ
zScTgw?}=eO1N-0HWW^+>E$gn0X~!g@`WtV%jcGFt&J@I}uUh$pWtisY%u#k$O%sap
z3FENzPhrodiWRP5lle=C_|eF<8a~J+!z2Gp&NX*VIAi6^g^kAQ38R1EuGumn102N8
zf;~AzD+wW@-8kPTtBchCrctz&Ewr4V_;weZ8Tv=eILUSv3K`ChMu>KM_dseRs3jh4
zh;Z+(%5XM4CQ32EUyO0EQllZ905Vu5oISp~Q86H>wlbuIkkG}Nls)ean*3{OJAe*L
zHQR8UbY}5p(`|1H{B%-4BhmclkTpP3CNJ#`-#)5B;hcIU$R
zMVs)BsQ=Rk`mLODM}2U~##|63KF`iGZ%_s1mVy4leD(Z2@h$C2{6
zqMjF}+wgp{d?Vf%MZ@elG0!LiV$pROTepwlTaC}qnE0OGzJ*J`o7xR??j?@ZQ`RQ`
z=tjkbg{%9-Qz;J6F+{KV(f5xWis$wRU;q5|;$hng2t_--C0`4!mCjt0fS0u>Ha5TA
zTB{5E3wTEn*p&Yo3}hmc&P`JL_B4%L(cE)Idfo!MxzJw=(LRPg`rn_|9t^9WAn04>
zx+*QCy|`!68FYsBor`$*j%2_4-uSf%2tfFDUw^pL=7LF=_uzPg(jGjcV~0K0-*X@q
zWk7b5Rersd_I|zoUx2|AwK>T53|c%;yt-?z(Vkw+`Yv8VSJNgMKQJcDNaU}+e)I@j
z<1^L-r@Akn{4W51MfA3L>$%#kPnLPtJhsUzet*`+oOOL;HxyKsw8^ea;LubNN9nzo
zWvR_!1^nV%0@K-&VKHHdLsXXlk*CHJ3;2=DCCC_x
z{txVgC!H{BE>79Tl%$O_#J4v57G(mo%Jz6kYD`Go|Nnp@sgOm_u40--o#d*>i!c(p
zlC_e$zFAp|A^c=p8MC(EvDzblVRoO&g%;i473~e9c5kud0){rXi?Kvw^<$z$>2(t0
zag*0Y;L(oP#m!{fO@94Om)7rNZ+%(L!ID?!$tDL*l`npj?5~MbSc3nC<4-A^{84>r
zLsiV{yY;w9LFOJ;_RPBPK+_;UfYR~NoV*y5Z%p&q-B!n=Av&gsIa&NK?2+(ee8cJK
z@jIBn)!%{-{4>{N6V@1*p=guoa9sMsDpTm6Q|zV1)P7^X4?;?h4^!6`r$`7JrDAz`
zzfn#`GZ$)VQPD3j=er2UyReq%hI;y_#TggaeKCWw?m}5#a*jt1u^G6`Psn)DEDcS)
zO4n$2Xbc8-==65bD28-jj3oVg{7~qaIW}JCvwTaKq47Y#aYBw6aC*p!H>9|#Br&AV
zR=zoLhRD~QuE$aRZ(rhSc@D7YNfc{V#z`ENUP^-jPEX#fN4jPFjQMZ2YrUGR
z1MPj6pJjK$JBW)1$;F_6PpkYENRf)e^y03{l0kRagIX
zeubVE=Zo`?#?$$`xI|*`jCGx8HwY_7DqJYBgYAT;@x{9wSfb=r8Q!=;SRRb~N8p;}
zKEDSogq717k++(ycA#drrgsT8rc{ictlGKAmMD3L>-=fDB<{SPdKDReJ1dmoo(f52
z0dT?nWKuFq`6&2{WDDACpGUq&dqPXd;e<{_#k>nXlIidd^O9nZthovvG%H2?iKxT(
z?6AbD_Q)mR%!ps`8pMbm7$9WZ>EdF$`L7rpn%Y@3oiPn8H^nn&8jRGtaXV>Ugq5#F
zG#@@hf7mPyg!}10d71XbYZ61E)qMM!K%xsaMJ0sOq0n1M+auo=D4?au#QiG*)wux6
zAg;=vU@4jk-@t*hcgG=y{14K>HyxAFmR==$1h@DfFLW3vnwW(3*1RTM?o*Ce3H#e@
zAe!V&O;=%1y?X_6#Ws8UN6$QAR{@`ba%g?RpeC;P1*#Ws|uD=b_R9Bc~@
zxABJ=VuEfW&bLPIx!3dvX0?#WI@PyEcnVxmgXXOao*wTFYopu*<;N-@TeM$@j}bQ;K2hj0MOP`2v_
zoCcEDA*75kXppq)7o7&GGDRzCu=p)8`z_T2IO_nxED#10=-U(EXcO?i!vi8T7El}}
zkgqCG(Boh+BqzW}D;Q_e*;q6LjO*S<3}Z%2??()fM@;0X3>c_PY^jW@O7+i6O$k9e
zeSVo~lo{!n>|4>u2SIWNA+`sRga;vd2PLX41~B!#45oQD?iP52E1{W9Xr(r3E1`V0
z%oxq-1m{c`Zt3+4hL-fj3+Sbdke2jKT9MTYJH?HV+ZYIaW(UQSkQS^$I+1w1NN)WE
zZ%8N%!;#|=JFLIOzFJ3NSBINza8wt{TpesBImFe(
z#+!xT=Wq)@&I+!dc%}JeYGBI6dexOgOZ4<~XITsr*Yz!=dTPmRO@e|DeL5VLLP(4*
zKw}I(Y1V+L)bO)%sZoZ-Tv$}X*UaT8MD3*jI-cbqaIfVsd>GCx{xHrx?mo0d#Te32
z=9s)3IaX$Q`@T~djGIp-6LRd#)AmEB-WVg|kG!M|_Fxtaj=wtw$ZuFuCuwzuDrI79zZY#UZ>|
z^6ta9p_ZRC9_uTT3!qb}F<{}lTQzFf~9F|^Moi;*E%F?zXS
zCZ$|D+fW?8P+`hf$u&t*{7(eqh7(+Q5bTscY
zHQ%wPv|(RxK;LY+aYIbxar;J@&
zJ2dFap_C|1{8AEtwjXVte6PSfx1Ya@-~)!eMc&>$;xnb8n;F0N!BHevC}8UR3UN>zvy~$n;Aj)N?>07Uu*G
zgUg632*7FbA>GKRLw~J6bpYh7BUAaxC>Rk70YNFIQLh64CnO^6(
zIpsL3`|AmpPg7y^iP>tv)J9v;X1MWegM0IQBAV+-J`Q6K^gy@ny>(0u_->dA_+(O(
z6q`Y&h)XcUg~iLGDOi6_(nwG${~47bNKaeTBt(EvChhYx;H_)z*AmOuJg#4T!dkcu
zb#V*OHguxe<0aYqzc%WQ^hKQ;9Jw{mb6?g&as(NrXIFosyoLXjB4O4pfhaf#g=AT(9inJv;j_mEz>Y2Q|CXb7C}u1j;TF@o&r8jXWS}Up-)~j
zCak7CfE(1P*2B#Xz^hD>#jIPFTJDq6PZd37UoryoT1N4c+94kH-_0W4DeR@D-TG?g
zU!O9~g}`OE6WA*{eu%E_U#>RAW((kuU8_U4b%JTJ3R&9)yZp7o%i?aG>|uDBWH#Vo
zJJ_+6{9qNtfqAvC(@~Fo@wD|8FW+Mpc{8|GKKL}`7KbK@KKO%LOh*%5Fi%+6gcfD*
zzC;BI2oU`NyI)5l&45?;Sv^Y-jvO{w1wBb=jHmKzJjzCpu`zAGrA+t5Z+PCHn;Q8cQD
z9kJUfpV%`;=~+S%W-x#}juf^Z+V9wJ(7MeuaOA-KgALlMLc^$L=zmWPcsLL`W)U5h
zGlnC~VGV^GNA8f`4La05C$xO?vCsi_(b?*4nCU5P4OY>da;K(gM}JaTx1qJ5ZPM9T(LCm9rD>OZw@|l1b5hAc7&{DxS7p;r
zj#stLw00Z1UHoCkc^7$wj>Ll^w5ksSi`yWiFx?VZRrTjf
zU8WuFO|a5-B#=f<(a99S7tXWwS0iXY1zIhXa!wfZOp%${L+hWB$2h9+4Kb^v5OMXw
z-4#y2WZKOg1WhhZ7j%a5icJM&r+U<7!SFDydMKZD#AI_A9)8XlQ&!aWYPdfRy-#Rd
zY`p)`sD2}p6Jd}u=mf|acT!yS8+||7hw1>-fO~nMF)ED*9!tB!>7zB#_Zg$fZ6|lY
z*C3QEh5XbVIVt^I;=*Z2V7f7)4LGT}WZwwQXud)2QR3}WlIh5FE4U=w2%7NnAkybK
z2qjo;GO8mm;BmDct~!IA%2&(B+=D%Ir>7AI9*)M>kRf0>py|tETGbiJy0&J~f>rI%
z%;`+dAG7HMt&B~mQMBfq%!3>^L-1PBmd`TQeBON}nes~GYCJB%@?P6CmB8G)8C6qNfs4WN
zJ)rOJarGzFw>qpErHW@&MgtSgyA!+I8UOos!y+YPUSSDg8Q{
zG**gjt+T-q=Kmuh`2f)~G|A3jvu3?J^Z%b{P1c@YZ9xiIZPo1z;+f-VRql*zpCh^!
zF}6y3O(QB7*rudPaTsT*qT5X|(Q)8#gIMe5JMLU7-x&5eep{>N?}0cD;w|ML5IOGW
ztyq9ZOIBTP0w(^?2%|dz*lYJhZ@G&5nllp_!j~*?E#5PAzO=0S-uIm;y8Buk(r?%9
zc=L&;?>+QQcXgBCr9G2W7D_3ZW{#ah$?jNHdgJ(gu9{E+;*VsI+Ohi-LYYAa>BgVr_ezF+Ga?CQ9Y1q8aiH9MWxQc0
zx?vNzX$BxP5F<40VjAXQnr>qn#ABLJo)%`;&AL+L>V7|~$V$9%6k-@NX(d(P&(KN5
zb5yn+wP~e&*z4kr3%iyeT*Uyn-|w|{#HFIsGo#ZwpfkcHP)R1xQ76z?TubSV<9X0t
z>~(s_#a>JDk7GSqZtk_e#u+gs341gEei4#wMa|CutcplBulR7U3fKfOtgLlwmfBYJ
zE1C`13B0U}>4Tap8&o+htj>t#u-w0I@#UDjXXI;59hKxUNja8Jov#&lVo~WjzQ-Q_
z0HN<|G@={o+$%2Sw6U+)u#`zqbyg95YmiclytQLLgZDCy3e7=YDm~akEVw{nQ58{<
z261u33DqNiVHrafj5306dADtCDi40jXcrftaW>L7Z5?a~3rG$KaKS8RhJYyG4L0o>
zi5nX5MUuv;Amn=>J;;WIY&;R`DZQ;kNgEuh>8
z9B>kis{2=VqGBOFtxJ6poz6~IUzMSJ>i#be{C3?^o7FLCoAya*JDbx+SI!l{9;H!0
z4`dk_-1B8s;2xMg4j(FHBLFryG{QD5fL!CpxR`WR5=m}O35d^fv>fA|*KxcQ@?|YF
ztz+ds%C&&4$ED9@BF7DmbF4&9eNUvg#>O1axUo@`L*<;JE)oQqcq=nk&hXhaMCPS==>GO03P_=zpXcgEg2INif8f+D94i9{r?_yBA(|5dE
z$_1f=(X6cwI8FK-F6nmQPk_R7IGVL{bQw$8pi*dw~1y4k5-~5XRi^Zq2(d
z_9vVhxWLW8Q9Ogw{dMYKXmFEF?R^gWJ#&bg2sZ+6(~+#Kbc400T}HH%K52FpQ302o
zD>F@YWXNo{rWosYLCIL#R_WZu68fk
z^X2&rVe8D&m5V1Vd+279Cp{MdusEg{>Fu&OpQ=u)>*LE7tc+$a#W|RrFPB4Gn?}
z)aqZIrOycVDXOun7P%|nSP|hB8hCH+dV&Narxx-@C$Ih0age8qhA-9b)lxXvBHMnWX$3-
zMY>@Ij%j+LwC#bWemr@~etha@HBF;zB=-HpTpQOVlUN_*PYQ7&F`Ng%${`iJii%6X
zANE6BSUQe_jrnW#;{*@9mm?U{Kd7e=synWxU~;{w^S*4pUXBxea3(3?auB{k!lKt@
z%vTO$;?(Vp><)xr<-*g$B
z-Ekj^?*YGodmEGgkmP+CUnj3ps&tdijr867ZqiNQ^)`}%zWXgtHjIJK?}%0Z4-wgr
zOxp8wl)R@@DU^R7Q`^VQS^xMNWSxx{c(W2$*l#c2mw2&QRw?($m+w5nwpR<tdPs!!
zX+}9vY{1bEudIyuo$fc3=C!BqA0=ujnuZ~&3mRr3HkOAuFilHpVcg3Gix_;8x~Cp2
zFZkw4$~ni>TDuZ>E58}|ZndaTSwR!^luvVutLaT<`ec&coCHC8ARp7~3oIcrKImeZ
z|Gu9XNU24?4O{F?wxi^BdB0qpOn3YLjH?MRO=}4*OlpX#$m$5pPpJC=%xDWOPHBp%
z%IONoi?59+OK%M+N^Xp<%-NUV=6&ukAnED!P&9AiT4r}93h
zAegU#Ybm>4JXCK_xKQP%p-WL0WWm#vhU
zifUI3YG;vaPlmZcx!#JW}j;caDK1!iq_xMJvXwtj1XlmoM)!A<_;qfT?jSUB^}a=+wslVgq~^QWGqGEs-rg
z(zDN;t(;@_1*6^J2kg;CuqWf3SA3gA!j~#+0ZEMsTkn)F0ZDXuaz!a%!fY$iMPqqU
z_J2I}Nab)PmRT-;St#-$OS&;oWGnRt;VH^-jeU*;W>Lh2RvJtYp0z3ykukSszQ2`3j-vCIvh<(JduLoImwdDV(tKBr`P
znDzU}zraBih6HOp^sG>4w_?8AeFAgdQah{S^GJ(mxWrIF>{m48un3tymPF-n72xSL
zx7vgFC)04aqsB=}Il^9BNX9e1-q=_LaAt&`#!ro*xoVoWK>9F6fzwedXFu83+!mHCWg?pj`G;M{x|
zU9|u4fmv+%Q+aQ5tM-EIS?+_?Io}nwVF}kc?+Kz3dX}5qs#iz_9TVeXLJX_jaJN~vm2p9{5aH$69``7IYg0Jf6pcFn~weNhR9C3%e
znh=i8n44#Xo*_E$NNvwj^hQM9*`nhhF!M#$CDgnfI^CX?j*oBhOW{a2=M%3SR$rYv
zU5tYd%MeXC=33c^^rKTuUn7#fyI%h?m&k{yIMr!=u3tkYV*w0n`ADM?J))N88k2J~
zqGQ4G1;Sui;9%g+wL&!FxNr-i%$6t5{QP7^KSUamY)Rjb<)BmY$FlSIaXp$ZwQ~<>
zh(3a`FA}bD0>R&boFUJKxQ1_7-LG3&Z749?LQ0D?#~kL6xUlSmh6Am5n&Hh>!GDUP
z^%DH@1BJr;C(Q{qACYrZXkGDhE&x+x|GP$U@yx~6Q$xc}d;3DIF6AgEm!Bz0UOqxa
zg^o3K&9Ww~IHshbCD@a$}USiQ)4(>4Fj6C?{
z!amQ;OQ_jR$#zL;L?nEe%qP|b=cq72MbLzn8iaF)n(MQm%Od{nL$yKt-Mjat4Ld)K
zq=2=?5lh%ViBd(QM!`nRpvmh9*&e<(hN`0?e+uCbnjB<8Rf^H9=vmdN^{Un
zaIlXL01C+V)q>GcQNQOuOyM9laaYDZ{=m4_G1rhEt3PK!DAF;jf`L(CgtupTwkzk>M=Mod$@BAVV`Hp+vTODvy
zDWX@gjJ6c;5DDGkhj3s$81^mud6h=a4h^Xg(Fp(`Sz3uWTIu`+1syVmz6%FNOFAkt
z)j1To
zT?$Nfpac9x3{DQc;WrT^*>j7mPS&5
zR|RZQLCEf^_OvFZzD(q1ajFM&wtP`YI!=1*eKz0T!m#Kdo-t-);n(wEFjP3`{GgR|X%6QJ;C<{3vm>Euq(><=7-
z2t-?n!jHAoV&zax32XvD*6>281ds|nL8X|)=(m;9`Q(ve!tCP|mUs95Zm{A8a_IqOa#J(tbk@@erDy7!iqH7PMPTiDsEj`!QC)t;i;e~uMjt}Ff
zp9SAKxE)WO)N?<93n0kRe!5tK=(0+LhabATL^)gcL)~EavN|jD66bR{A
zK34!Wu8sySJX|b}#CcgUD9K%_kFC81gsgVW$FAdgBE@4f3Yzr*4f$qw!;fl@@_82ED|oCyilg-*VCoMT1#
z=hv;7@N=2kR=N$|U*)wg$n-6*>1HV~jRZSXIMK~$cKgqs%)+m1BD~~ca=O}*j+d?&
z+TSgV~rEHzD}$&)>AC^Ctt3o6ATWOCn7;7TELAO
zmvxaKAgKdx(JWkR1ON*M*$NP8m4s@v0#*f#Iazsbj=huDmfJzL0t^(j!I>Mysd^ie
zl`+=X)GNHW@Uh0LuDW8(^|JJ6XnXxUCe6L(=EdUFh1bO?PB3%sq^YxRy8bbG`HU+k
zOslKVww^wI;EJu?3!a&M;G<)Ew998)Uw6}V*KKyYnUaz$IOUE9OM@OideEc$E%eF9AKwspVq@g5$)pzZB5QDzmPXvW
z*1DUT+-uj;y)DBhg2f{7FlI!6lavF12Ryn>`ZL$7x0BxVduT~XX^GA0Acp&V(tR-pTYPqpP6uR&
zxg9&+IPk5HBVQg6=Q+W&YpWaT8?UaawhM7N9mKAx7h$&_sc8B1EphSv9X$EU8S7^*
zy7#i6P7B0y%6~O-4HYsDGQbbRLqjMcFeI2D*%)ynXNnS7P;nd;08pi&(J(nTV!=tv
zvoaC9o=kt1-)Xld#c7a%8FAJEEJ}4*@(i%964@~2I$~LFmybDPt09k$Sve@sZ`#0R
z4N2nrBOX*;M#TQHa7I*=j7qng1x|N3RPiB%T0EsTTd7CVR}U+>
zxYd^|K1j|vyF1dFaF%g)M0_do#M5`)iTz3XxpjDh!7s|B-@MXqF7QG(=oad1rG#)C
zpjrXtqy`xK*MgTTe>&x>&})+!!QWT~Lt}eQ=g>CSjLe)m^N-@oQ>Vojx6W+1Q5-#r
zAjC~IHP>HXTXREB?Wob!6Dvp6u&y&UcPo5h)@vtDyf*v!!fu;q?0WazmS^f`&#u4f
zrkUjYgz48zteHL?WLuH=v!nYyEHv1Sa;1nY4FO$9feo-A0~HH3zrus|FV7sVd&k=WPX{dT$w-zx38@u4T4ns>`a0BCK6
z8US3xdO{A%l$UvsauU!2DXk}I&uH&4cHUanw!g_A<}NVapCxD4XwkxcC{CW-YI#2uJy+HVg)-!%5$
z4ShmAlhGi12o$hRL&|~jhBh6Fb5;qAC9!eiSSdn16
zM2v&5^5(%~ubepSYLrciB0YMx^{(st<`Hoc^YFn{%W8Z5v1(G|gt6L=H!kd6e0*rP
zE2>2OuL@(4=&ilYS3m&D;PO!AWqo^TjJ5Nl2Ki{wWTT>_9iiq?rxw$zBa){K33QiTTd9u_7RLu%dO=VoE
z4Lluy67a}tmwZJBup1Ad`E+qf&~B7BZFl^aUsT+f)_M7a)%V!bzuYo&)mX{{mQJ}h
zt&B?%N5oEXRNP~=;b1Hp`+WbrvLjQ(Oi`uV@Fd=f%W-3~XxB5;qb3(SySk-aHz_SiufOp>9cuvLS+o#HdaTxMCnckdcXs43|-J*4A~q-EPyIk_({+
zjlSsjSmZ5wsJCMy{tXN8rACo5H6-#wQ$-3%!HUPUCM)~4IoaCOWIJ%c)9rP
z0C1K2BGmoC0O}sIG5TWsf^0{`4$~W!FBhLjBE=gvY`|PhnmMoWdU5KlS&J4g
zI>5sR_D|iEpY_tsZysxMGp9S;@{X7^b;|S`UaOllwGJ+Eq;oPy+C$G!Nqa=i
zi70~V>jWuj07PRjb}0BUUgY!IeO`lPc>O9&h#Z4$DsCic)0hkgu7sQ
z^|nKAyfSXB-+f|&_-c!IU#!5H=-+}V)pYN!f+F$x>A-1mv8Z5|INNYD-i?
z{!}xUm9IM+JueM2&iFiHTk~nVLo1SD?wt5^>Z#j{=F(Uo^7QCdzi0^>{~
zLP81F0R_d;s(}!w1jAVd8@H=A;ZQlDY)4HyJ!($qv0(%IKWWy7LXeG-$A2?=-8pf+
zoEi|i$@uxo&>;GS`XnJmDQ8i}0f8x&O*tjJ5jdlqH2|eCzQ7nO7=<{5tjsi*!=7S|qsn6nJ+g_!
zh$)W7ZrSb5fL)hB?Lm*zqI-;u3dk#?jL7@uZ4Xkjk&M~65xpBXN|#BNE&p%e5DvS=
zBz(**Z<{|;OdHoJ7b=%3T%`bHy~LFO?L%2|nAf<83kR56WsY$=(GBx4qot(AFv21B
zvBt*%f?Mv(Y90nB$Z5-NBgl}(BSAIJCCYIw4UiHU6$~jg(k8YanW1#`6h+ebFV9tn
z5{wH+j@`#)Ta-9{KlrEsVyicbFW!>#EGL+CZEfWZ8*w|A@LJw}`=`^#wVSS4ID>X^
zht0j<_eqRd&?{7$oX}3`7Z!vRWSEhj>a-zPD5L*rH&X5PSkxLG37~O{W?4sXG=NFf
zor^JT9O?g{xF6TAk8GbPK7I7gh?&u9Q|9A6iQ#aj$cgMsZ)!@!$Hfd8*|D5jZ1kAo
zP+_}xMi~KuMwZ9Y8z7p|%!CC1R
    !pma|lSQ?8FBe{DRl|@FzhU7Cb>&@ataZS{g
zrCQo@Lushkm71KyL3$%QD?KeSADp!x{f
z=8g-xggQyFIyp&U(+DO4!2ygCg$vPu1pqEc^*Qa)IPstXB!i@fDLx<-```)5UsmT$Yl%a2onC
zAFmUqUVZ7M=U;sB~=#ZhJ
zS2lbGii8+5IZ#kxQUi*iaRi9X
    #R4x5a04mzf2YJ>#U<-Nc81}`=EFMdUjIP>d|
zG57p9Z{fmuKgy=mdh|^p{vLBqr2nl~Uvs`o<0(=ordV4cwH1`u!(29-sxfB~U?9oiFvwlQ~h
zMtU+gNR!Fi+Hj^AdqXJb=<~`-ovK?Q2R#<$zZh3ihYT*KQsJfd{QuUW`+mlZ**7k|
zA+K}pJ!@y)aP?O)&%QQq-p#X*@bHBL*FI8|_w@2%-GiKm@1IvS?Pe;LTypfH#`^kM
zfQIh3iSL1qiZgXY5~NUv20JiatF#2(>ujRX)dcQ^917nje3D-C>7-LO9D|Qr2Cw)-tt>dQFl~e294@LmTlbdf46VkAe*1~
zyZBW!i|uL`RpE%lty{b14)U|xxc)&pr`-?go~fAw@C`=J=7)S%*=`Utg#?VnlSZ}r
z*t%tNu^Wee=n9lZJBvr%l9KC?*fbsKwZt(`REc-Qn7PEk!O?Qh=n6XB5e}y`r?9V6
zOq5wG?G^EldQlJQp(*LT-5;TjsQ~KE`=E|BEJ*H*53j#E&bRx)^OO>avtf&Eg4ANuBcw@
z0pJUa{U`|K8;6dzlw{-ZfDuShv4GK(Gu)6WW0Tp{xD-WVZ`))kl{cRGxK!Lek93=J
z?))rLI8WS;w=a$Co_X=JS&_p{X~ae1)5GB;u>q$hg~REQpCT8HK6|}bmuU9cTmU}G
z;3|couJ$<2jD68ltnyStBS8M`21&8SW^9l>5XBUYOJkFU&pEH1pH2J=#7xDH#Qgch
z&p{VCcv=sK9TA5(WN@$nF@mKjCL>Hq<7GEjOcIRMC*
zOBs>`N$QZ;rZU8dve#2j5M_SY*_=ozHm99VZQe=ti9*+zR32X6yellOzn7JU@s8+O
zmI#wR+J>k~LcusO1|-Bd+fXVA{-%=1Gc9$>Li(&;Ek@zfeD^PVk6S)7J}0qtIbC(>
z>;eImn3EVi=dgRwlZYKiojA+Gzr3wppCH2c_e*vGC;?gx1d)scLaF6bq-$Pz#k3z{uaZ7|A27A7BNZ*ymotzA>JCQk;Q9_goe1Sd(4ICW{YBDkH2xns_xE~
z4Y;k_^09}Hi&M4Nmru^jykg)D6S4JMaeCD7Tlp~AHkOj63W=fyF$^xxuldM-}a(rbpFuYmT?3
zVjN5{Bsg=*SHhFgq2HT_xs-F<1N{G}-O0?Ki#tmf;nc
z`?V7RdkyZ7x46T)ek@X);8bBuIXuA+=GW6JGMHqtI16sIyCo%y$S73Fs)+f+(VH%Iq?yw
z6vJ7LjLB>$P*JI&2EJUvH5W3TqEtO3ln;>B&3rLZ#}vcLVnEZ0%psLUITDxM+-o`d
zIau_7An@DSf#-KSUwP(W&5A;&5Z`?^=B0{~L8~gJPwT$y^8IHpx9$&RwOLuU{ijbM
z4z=}_!*6T;_`TLH{zGo>vYCVXhS2xbnnw$};d_N8G6WDh0I;8A%x0@uk`jUj<&fVo
zvgyf52(lzlr79#V)X^|tX1jO#oL&ca#H65T!7}@*nf>Zcx7Bh?3*0&J&pTH|-da>W
zp>Iw5MUl58>02nX{odhK=ROm|jqdv5qH8+mM_w?-Y4iJ0N^E(X^^@^iFpe`H86CUy-&mlopl&gn;DN6iEUyOiyz<^pqqEW$com
z0RSeJwxWg}m6-HEsX=RKlxlgSgMA0w-hcBI#Ia;I>eq?HK2I!^zF*B7!!2{ako+oJ
zs+Ch+O-=1E@n?gGF9ZM+8=0YeZ=Uw3(rJ2LVKDt|kE%<0%+L;*E9#R~l~JD*?N5g3nx_fn$&)F%K9{y=mzAiX!ErdvVeRU=W%
zbIU%gBBpV~Mt0XFb=!$Cjl*u7KswEX=b-0z-#_bz)~~)stN7;2Z^Sp4+c@)vYo^_J
zV$1W3_@7q>VB=Wj;e`1Z<
z^Ca$#61Nk)Dl#?Xkex*sw<2Z9Nm9HcRHBYi9ivCn%hfTja;k1rZG-u=DcUC5e^;!_
zP9L0bTcInW@}v9GF$Ydzu58kiva@SslQxTV#gJvcey^}%NuR#5X|H{}TUR{Sy?Fcm
zWTJTHf4Iu7KWt
zZs_vVRgpbrm_2y;WD6HR(xR@BZ&iGm`UO47M*NTZh3kLPFO0(JZ=+wR<9-w4Gke;*
zYf48>9Jln~uI57v->jr>9fwQpOM473|vZ&RXhO)SWp9P8bdWAaMM|Ym>Ww?4bo-M
z1U*hd))gl(H_~PDbHy8U{Bqm2;?C|aS?Ps!J??pQ(EyN0!P&AGY}KbtIeihqb5lkqdU!Y;BJ8t{TtFsv=N()rdfpz7J$Kxxkf
zC85CY^$XR*8Z~69LNpjP-Wt;}?7E>C+0@CFg?f!&Q$Gk8zw%leIOF{H2epIWU6_Fv
zZ)(t9+w+DtbtYbwnTOT%~RG
z3%^C)beM{H;=`%<$&|+)o{Imd7Z=gjAoMAlw~m)mRtjE);Pq_Y*c7crqks+$8a2D@K!n|AB+eil6#t25q^0_DO;Jf}Lo_6~sLJC~j$xao
ziW|E<@Sv}M=bU7B!q5t*M{Jo&Y&YL&)wa$fHoC&vd|}pui3#r#HaIwj&QFnoh8SIe
z*y=DfrwIV`eTgYa@xLUbT>B4N25@d|D`m(XGr!5{GY=!t_`Z-6cVXAW|L5#G;G#OZ
zx97~vy?2+sEK3(ymSquah=5{S6?;Xn02b`nHI~?GOt+<|38a`_Owczm%^1^TG^W3)
z8jWeDnqHJ0zB%{aEf`|n@2@{#(Jg2CnRA}!IVT%eQzrfhKgA}Wk^s9sbk9~;c(49>
z9M?h}(0O#-5{e9K4dZe2(Aok=reS<|MZa+qCXDM>(fRp%MpsvlzUTQPx|O%LZM%CWT6s(H
z*$0nKoBQg#DMugtvDmPADy-nour4GC@c`<)x-xZ^_4eL0hO{W2`K6F+2&cXRZ@(Kpg-*>HU-Mc)w5Y
zww~I7cy4YGSHr!$1Ti`-;)oEi><>Me&|bJ#d<<^=>uUDo?*Q125l!KoDcK|oqbZ4w
zSZ3Vl!!48&7J98$fJ`S$&j?qmfcxceynbSoi_pG6(q$qb&W_nOk_B18yS+gkpt9#<
z4R%5E8~y-!!?!YaG=H+>*o
z2;t*p?j#Elf=QrRpf}Mhibbm-zzKmGD<}vU1cg@;i$yIbsv6gaL9;ku7RhpDX4>T;
zgDLe03BE~?^TJq51#a)qUYwQtYwth4-dkn6N;G;snHCi@Dy(;sje^&u8A}pj9T?T}=Yra`$;pn7%j7ZUY30#824Jt)Q*8Pg
z#R<4PbtV9W;52#1p-)bo_Qc@zo3F?(=v=sM^Oiw-C)NCC@b)b?6m%|Vf6bQ0WoI9J
z;OyB49y~j{d+%P|FWYw2kVhs@dvf^o+qM^X>)!c>?K_7(K6TQ*!JD_!l}|K@Cm$Dr
zfR69Me5i{I^A2`q$V4bn!>pJ-;2b^jFe|Z!ky;B7O-H|0sX!HAvcZ+%V6{f{F_2uY
z%=EOBWSemu*G>`#Q{OiZX8h^omKFOa-CtJURySB
z#arBpao`ASW@c93Wh}HBf}KI96GidEna!b2A_&s$uf9Jcjwlq8x6he<>GJ!3`=(+<-@cIY
z{jU(KQ1RvRIhQP)zxR)CdOfg@9--hsW59?d7nOI
z9lZzkjJ>*T$IX-Xy!FXpb?l-seFhKh;5`r%79Sozs6*MvPGNEQpnnyiWE=mSZ8gUu
z-fIt%yzq<&f)Mop^H%Yj9PbGH&Od+cwbuw?7&BJhQ(nZgo)nTX-ij!o3=lXRK)Qs1
z33c%=F;0leNj1?l9k!}4tU@;Q6oN*>F>$3Lfv`GyA78<^xkbZsuMQv0tIBIOi9f|omWyHN
zTAJx3#N&46W#-A(XJpH$xm9+33sG~2$CDihnumtW2U)_HbN;YPH{5^6Rb9LE9&k6P
z4_tfsEfG=Tih?<|D+iUA(B~cPliPP+F>C&^f*!p(wU1OMZ`g9Vc)4I~?uKrz8Qykz
zZ4npC$znE{U5~g}zL;dgk`GRR21{T{(+TuuWEfQ8pnKR1^lSvv?-~>^A7PKR$LauE
zAeX>Wwx79)Lb@A#iFnEP>y`Z{51X`se%O3oLAML$-9w^*jl6PA$(Z!Cxq~{l?&XMal;sxnFTK25=K&=I
z$aP8to2%^m2Y(N{ajwrzKUN~{HumFL>@Iq_@)Gu8Fs>5d#$g~15Wa52RZIdLqGm%*
zyIHp{n0Mj9G>|{C;Ep>MTyo2;3k&=AD=Hc^$oMS0Aibxg$K^&#>O?kuzdFtUUv>
z&wchePNs>pj((`TLXt6-5Cv2xuyUOhz!9XxaRQABa9f}hX*V%S9QKhrK)jLORDkrC
z;G`e=w#(3kt9^cP=U1t^?}lx+%w9E@LKUs6YwXykwWqLKdv(^14NFI^o-tlEeA$t7
zEB#jH;d04H@9=P-5CEY1uYUXLTffp8Qx848+DP#!0cwO&@?X)xOXWcHw(ZlJzALHoqsT}{k
zTol3wL?zJ}*8rdlK`D$N`WQ($rdMLZQQ~azXrnp&9>WtUhN0o!(U0G!6?F3sOIN#u
zj~p?3-R{=8t)0piV}4GjH^Jj_{VOEV+=b2bI+X+K-+qxJ2amtK7Ru;Nbm?sggp#@R
z5teCU&Qc_D67Od)Ca`@lGZ=eOqVU|OZ@u;4)3@Aquwm?|kz*^%E5`7pHyk){!;%}H
zeDcOoGiHohQeInIZg4%kWGB0yJw{wS1s{`aSo#+M4VJ=ILNE>^*M-Wcekv)9GrfoL
zLGWa3Fltiu!08N9C>6ffPm3EC
zcJolk79Y|2%^Sy+Trsk$cJwIq(9zQ`to~qd+liy#*7L@>Mznk6o{~gbAzvjGfF?*J
z4pB5Eh%{HjEQ+cF&ckqmgb|ApW@!#Q*G5`F(;~G}ls>SVCtz%NB8KX847yz!YR9W{
zC`ZH7`$~Eb`|D)5*bxK2hUj`-yK=hvxXWO;?}LphT=CMXSY{Clx=Gg5(SH;Ziz
zsXOnEYM}jSE+99Xyup6qn@PCj5m}K(WCth)NC40PxQ23x^wY&+7
zpeuB}OB{isyQHV`(p^v_ju`xp0ZqG=1pyYZHFK6AZnJz>Y42^bR$MMlbZDoFwAM3wJ^7R`J=3Ma
zhn{hrp4e}IU)#31^Xyc}*{1_J-L8fEr-@geq6?nx0gW%YvLuvq>iu1TwMjs5r-?Zr
zgr7qUmoaxO8lxPDJr+})6laEtH%?`o9*f|#+L#BpVlhUW7T*dzPR?_(`m^kDWn~=i$S1A3pX&gCp(a*Z4LklxsQP#3&Q_e|7xFZN3VJIE%D3#k%P*{
zA^W-M-Rbvr?SAK!cYpRRrF_+@ajS+6?eSh?UCA2vBa`Qrv&@MTGzzmuIm(8VR_?#$
zwmn^kR}bzSt8RO`xKpQM@#pDV)dib!T0hZY;OpIU_m1t^wJ&{i+l_zL-DTg=5cl%v&a2`t}F$E<}7a_{xqvZdl=0!=7;sbdMWVU;5_IvzhD1F5h(3
zB}=YS=o0bL!66c?`4A+%c^YhOJbdtm!gUL0+S4OHa`ekzywF#W)9Kdr^KX9tUV~G1
z7w^U&(_<9jnByRZ6I6-Yzk=*Zg>z-7c?>8#RDGe)={7l(yxaLk&c$~0u<(m^|Lmc!
z&;RhXv2P7&TEqwPL&m;^SOu#}RU$Vps!&s?f~$(k6{LT$**f5bn0S|9A~4bJF;FgM
zhZPtXL}K8^FeHS#k_+_tV(dzGqZ5b7#B|$=)_v}nJZ-MbP8ZhX4Z35_gvs=yIJ+v&
z#kNgeI8zLYj8c3tnKmx;*w1La(m
zDQrqIMGfDgCSv{?;}Qvk;`z+s!W6b*A|L!fsEektZU3Ie&V)nlH;np+EVjf@`1X1G
zUYN#KQyY&oOJfsCvI$Wn#-GUD3eVR}Cj#RUF|8pxN#}x4J^qQrP*xdXrO2`mS19^^
z7L|rz6bNaZkE?;ygn~DCk>)JH@clq77Wt~6QO|Ro6En!chTgIOB(=k4X%uZ;4mn5tvgd5~QTkNqCtQ@7_ZHhzyi$v8Yszba9
z^6pqDUKm-`@p=-_R_xFMtUs+#w~bz3fBZNSgw8)%clFh>!xfSyc6nd$iq?`SB)fTs
z=LHWujevF_NrceZh;>38fM`<$#;_vF(42uNQwbnR&$<;GY@p!B!H3sfhaiTvYvrlR
zuF8KQUugPh-jw@7E_Ir?`BE`hjl)Sa&8K43UWeZmGfWu^E1&$@7E&s0Bl;>eB|{
zv~l#f^?k(8q5+0ORNpPb*?k80v@xt?QRl9Uy4-NjeI^YxEF6Y_6*|bTArV%cj_R9j
zwX$C<;RpAN*B^TZ&zo`5ulY@mM<(e&x}esW3L0?$qp9(fBNow0D6`VaFbmZ*KR`zX
z#(22`I@P#ieoa~Vk1|dkKZ_3Z@$Q==5v$83
zVs+l6b%RIresANFgME4*SlkRO#qN_ZRthu5=%>)oe*K4p!dQn47%(IhLIwRySSye=
zgwQi;TVltxX#tSoR3HX9%#3D8r_+RzWwBVCYR&MgII-GXt0PwvQ(LF@A5!PrFa5|b
z5ViWgqLvM8Ou>Dq>3cDlX=+;o^^^>%Vg*VpfJ7?4npwP_rsQRa`i&06fs+6MDhQ6z
ztE?G?vs@l(A3c0VbZ7E%Xj$ys>GlYKlH4P_PS&K5y>L;AK_FlOCDx!&tXv;fuvk}22K=gPap
zg*XpqMq)y&P1XEjW4*8$3ZdgvjxoMaIU9$&&?S#7>AQh$B_`KH`BeqYxL3+hb=~lT
zls$1$JRKlgx$Ej~MhX@@%WnpH<6X)ZKUjRf2l-Z^Of0lj*Q%S(cabd8)!RAKnGx@>
zg2tK5=Q6-vMW=j%YJiB)DXX9c=TFb7yIgKpyhCT#_`4O?ho@y=6)#tNaC95EO`mB2&aro{^YiI#xMT|8C=X8u!me(1IAifYcEaxYSZ2>h5=U#oZwYg5b
zGESRw=ym_fxIym^D)+?ixQ&nSWAx*I5j>ahGl;^eQfUJ7agGJx`VROfj6N73P!BQ;
zoW=TzMIklRqwzQ~VHW)jB#J*iIq?&{95MQn*A0?8-mN3XM=()0nvW3ge3kQyI0~T2
z-EG!2IjtWp9N4&e<#Z)^!aRNas$}l8n~Zf>kmI8=yp`xsD@tbL3Z|v8u{MmK%ILf%
zBd7(e+lO^GzYEFt^YaPUU6=f$9{ZK=(L?z)_#UPn3(Q7$EsFTxqqxAKxS+5Ap1My1CT3Zv47!xzYuV#tJVZ`y#fKr_D6nk~75zq!RPAs7qN-QQ+o8<_YjVcFj
zy-nr=UM?Njzf{?)uHC(Rty(f{e-|*F-9T4ROJ!X%`6oCHU|2#W1U|qq9@0)UeAM+kNge<0cml%1_CQ
zu-t4AZ!Hu;VDxiN%o1nat7f@K`fHq
z&y|-}_uJPgE5Gj2s?LWxxeAomYOWa5t8MOtYsPrn6ROXthvl47NEqhh1DRD41#&9H
z8u|DHaCw+Bfw}12ph-;3NAw2Z^v4s*52|QXKv9Gqmux3$;O3@#aSU*FnQS(MxR^cT
zAB2Q|7=(7Sh7GB$9Wrdz!kqNf?CjL^9MONmg#P`;jqlsa<7t)Q@#tePj6VcVD_>%-
z58i8)(Y^2x*~t_m^&4|x&LgGSvnneeF%fC30G{4=@GJS2UGRD1`G4Su@?CSC!YDBL
zdj-t(`ImJ7Wd$hk0i
z4P-6pLwajZ
zzBHyM@E@;YX-;>>rrK)n0BbKJMkvSop5S;l6WNWm#Tp{JNY|4+BRP9R=r`gs3JG-3
zw?9&dO@9>#A*?bK?eW*Ds1p1mJ
zN#;5R@o#TaCyN`f)#Ng1^WEwJBOZeqizqHcxKh~+JrWGUNWV#uU-(As?jL^e9sA*j
zrI57udL2Xp;o?A3lRrO(V~3BKN|qARVmoX!)zsgTJ;=8sKNY}qwc}*
zx_Rrh1@Yp3-gYmk=rTfbwyT3`E?c)DWgEvQf)M2Z;$s3#RE(0=62Gv{Nd2xJgvx-N
zLg1q1kVm_pD}&4FUE)zy*?VrpDYlg03Xx}it@4t5WFzUA*9*k3O!8q|XhaDwU4cNB
zauMwYwpv^UtKi#Lj8d_BeYM?(z%>3nodLxY_?+&I#Xn0tm2r~Co=SsE%SD&E=gDxo
zBjV)w8+o5o5xxh)Pkk=gF;~NaZ4y1G;8;s-Ki}>T19M8XDSHi7Nn~SjDz7Qn5kM@c
ztfWt==Dpwu&Z$5!!9TN*pfG0Y
zO`8&d$b6Fhu=W06DXw1E^CnhA_})b`K}m?5B4vdyEaiVTWsHtELF$$yGt(CH71
zbkzL@1>)Fm*n8rat;-c<`Bv6-^D;%bbPF)`+|f7X_ugsu-=Ef76HRX%ZB)Cb-FIIa
zwai)$6yBzE-Msm0DHZJ~tT42MRLs%kVEovfQh$^XGgAhSuuV1a14=eTZtJeJbM=G|ZjA^aD)Pq+|^9YrWLVuR)u
z!2v;1iYee0pKVLXMzlmxta+2dZ2?Vnnn|$?f`M8M^PKNbU%Y+8x~)rQ2@8--cf%mC
z$iGAH-Uy1&e#?Z&U)sO=_B)5$|0aHQ{`Oflw0p2EB43=s+1>IFAQm(|Ajyks(wXnz@Zbm-wG$RBT
zn?&I3PK9PXhC5wZYB*0y?~+};E~CR$;|_oF$&rfn?c>FiiL<+nN`=&ll39~^7hlHU
zZj`Ac@8zv`cgnZequ{zoTBG?TP>p+sNs@|p7~q`LWJhj%uG}iZNgTvkLuFXv{2-Q2S@r;8#}*$1
z=g?7a1FIRe>WZ^(47{$pI1aYwCyX6GYWP&ooIcZ*Etp=Ty!8H~lXmClJ+<+TFWlLp
zSh@YVKYTl8P8mM$(wfHeY3a)+%vt-o$-S7!2k^cmg{<*LB_&1@4pgC(1T>3NjH3}L
zO@uNs-Gtx}V$*%Kh<|uWg8wNOeS^x%$KvALS$2$2Xdqk60@p4aP(SB}52zOJi{sx!
zWC?}1<2}^{x#`i<_?r_>+Vu(xSJ#nDw
zB2LnttoMei03=&GMfp-jf@w5km93J_MXHOp$tmq%?xjIh40#J2M%nDoA<2a$*YZX
zYmDp@4<9OLak+OyD^OI#se}Vi_BZuC3!wa7wO`Fyjx2yl5Bo=;Ss=}4ASbf^0pMIv
z;Gn%~X4He$I(J^mah3Kd^XA6{8GZp;BV;_X{Jd{D7^$DW3r
zRqLEt%LnYZ`;qNxk#|tX;+_ZfHVqc5*kROJ#yc&T92!Fz9m=TTWf}s?8R<+K=>P*+
zEuqz#DVkm+F#u?1Y_Yua7qY`**W7WEIZ%HkY#)0=yLM2}W6=J)F1zL!^))JccZ*T$
z53Q*j6`$B{@`4dBbe)?&HpA5+#@>G4j+-FyfuEIAdS5pQF^QL>P6J}v!`b~r&a
zn}4UnP^}q2w=uLajikBka>v8-*$k6=nsI%d{^0pN68e^yl$O1sd(EY`qFX23^|&}b
zazwAm87#bQmZH8Kms(a{R`uprQktxA@s##?jo<5M_a$;a9<1ZB;!VHO02QF`^mmyn
zm)#T?Y_7o$PIHvOY3@>daC04YF&9)-V;6r^pb|T@9fq>(`ZziyN3kIo
zJ5m`+O9S!8jtGGYBamanj-WXm5o1UHZPUJ0W@cLZisD=Dm020+)vKcx{&rmSgALSU
zdlT<(iBp>FAFj
zLL>vjuZ-H*K^%wh&%Zb?
zj!&LBaXdiExYF5^ph@PjyO;O``}AAL6t9S;n-4v44KxuWlP$YMa>In4^BLp~XMoqL
zcn5`^#(@;8s~b%ulo~=Q33v+G2vC?E`fruq2q1E2<|Gp`Il37^;*?1%G4?)_i6WhE
zT6*|rPQ@Q%%jZwJbklv8DVxXcYTvd~r>{Q&l@B|4NF6orv1`*dT%|*jQb9^
z{1QX^(PwFo#sEk_x4$#Bi)T)rGHc;XHn#WvDUK83qzvjizJb=h5A@Lf6%RakxiR0|
zlB0bOFEL_qctH%)#XF5mj$&kT079ho?Zl4LO|{Fj!Fl0iD`xkIqoK3x1K=emeP0IW
zSNuuib7N)utNBnvK`;dvKySaI69<4G?9jNe>j@9D)!EeJl>R^r#m{WE@jKv?(k@e%
zv%+=|U*J7|{?$)iS@xvFwCt7LFIf${7fw6AbuG}1wZeCkI4_?1=o6S{?*EII5=tsX
zrt&fGPm+n-&<&xKq$EZWj(61Hq#^p8aXFKd>^6BsDp^FHh1drgUR^M~mOizH<6uZy&n+YW1-Vz#v)tB90?$M!kA9T{tDv5#fTtKh!~3*{;3^CTxE$
zh0-po9ukK>JSkqx5FO|tn)v93s~cRcLiouE$R2T^Oi_fvO^)~*H#sgoF33$*AcUC=
zCNDWld^rs=A!cWgm;9MHeyhPtu7N7sUJ#cZ)_KVfin^EvxZ+);CF?pJB2z7r>#sG&
z^jyG5W}-vm3T7AraUHy1b6uiCj-@9d(P4~b0^aD29`fJ>*SpM?Eu%5b$Ml<(b5z+!
zTQ<@z`4HV@fZV#?6UTkxJ6Be0Or|lobnq=w0*;k6-ba&Oyne~g8>jrf{TJ~_n&<%U
zWf*}1XzCT%)EQr=ifc&>tiEJdC3ML
z*4=vSsvRf{z2mB5x2^-WUZ0}Bi05a|m@ylALc~pYHz0@+m$9yJ8amf+SU^x)#e2f?0jZ7GtF3+_EKhV+tEn_W8Bf^XEm=
z`+FWdES?d6iQmP3=v4PZ)iAZSC$HeYd+VdVduYa!Cq6vr^U3A(A`JLTB7S}Sb{(QW
zm0x0^FuYgqK3*gK#eY@~6Bp|4C8-pMEy}=vDL_Fn!~_gw?Km@8EiXKAhBH+Zaud+6
zKk&Ef4=e1xb3;Z)M-p>IxI4#+({fdvv3Jgj$YKd`9i1C@bh|NDwev@AT4f3U1bC-B
zUyX3VcXWGRCk~&4TbAw;Ypbe^d(ap;FHXpL5l`BnN>mttiVR(%5>2gD7$wAnMPsG4
zz!hB1ia47i%dH>6uK4)o)1atWp1^>!9QO!g=Qh1U^~Acw)K^X~eki}-p-Vn{B_-)n
z^>T3?Yn9Y^C^?n(88&PZbeuSRXkWH);4PzYLd=^rYaULB(YFkE)z>)m))B*R9d_Gm
zSM4}9MvfGSJ(PgF@4i5*b%oB}XyDEm=$fPBZ>pR|wjF?1LR<0UO
zMV5^6IkIBoTsA%2gh5^GZZ6lT+vCC69x9mQLiWBACd0j-^o$uMY7s5~Sk9p5+VslLF*T>~C&giiXGZw6g2p5Blz@1(U1c*)Ext@`H7#GGa
zT>x4}(AUY*4i&Y~r2Qt|z;rtkoH}-+McMdgblLd(
zUyWhZ<~z%xU%9ts`S_QmeEcW-)zj(|r&^GYr=%SrmY%xiWftaIlM*R#y^aaN95m78
z{gg6`F6^l4xmGjWnVL#SYF4V0=$EfecDig?uCO>=npEB(@Z3i)P8#bfl=j>7IJ+OG
ztUOb9?i}QZ56<~ci#0L~_HACyj=A-G`neUGHmyM9oOnz8@#fp&PyU7&B&x-=r~ZK6
z@T$y3XNsunW=%KsczQ|OuQT;>hj<6tVhovV3nLlnSf51Y8t&*;uqezjjsQ_KP)w<8
z+5cS59D@k$a^<;lGwl*(U0{z3OYp~VgF@!PMwubqAn3YRoeupgLzUIKx^w4cyWT(N
z>tE+SnrlmE|XGPZ4)2Cd8H3tY$A4EJE
zjs^#=%UmZQy3vXV3oW=7P;01K1prGKu~-7)-_o;20VedV1B)PoJIsh>r@yTM{*w#{
z|K4?32MC93j99MQ++k&B1e84`=l?;R{|Bw%-~9YL8vgs{dEr)(8Jzt_tX%BE^=n`c
z5kndo0mQ0F(?AdAHRD|9A&^Lpxr`Kh
za%PrOT4rgc`)@+-gCp-X^F7X$(e{KH*f4?Q%4%5LUVr9U0-?E7dt
zR6UvBFE`#9m*=W3oO9WL(>o=Cq`rRVCw(uQ+o>vBVvOSQ`n7)wM(*^zQ}O|>zG-_T!?tZXOUG>4?
zsrR(cduY|GpTBoZ9kqB#^`hAy>-kecR0qb?&|^S`l+FxC@9cmal=
z%R=iRYy{hw%jXx2b?0X!#I+k%{5f2IlkZTu`0>H!brG&wF+olnO_9^)u#6W>p%1(onpq?UHb(m2v#_oQ+GFZ4F=_>1=voC8
zeL0v``Do#5cZ|Y7iIXTqnSHV6RC*Izw{~W<&TrkJO|HkC
zk>kw4gFh=XLT1h+X(t0|F3tk~)OHv*W2cUVx0?Yso6~;?P+Pqw(eDqy7_ezZWfKNA
z7%T1-KQcKwH{QH=@68&xl$-YMy=h3=An^S9C*%)HyW@_uVdAYne--Z!O1pz^di?&o
z9;W~C4cm9;{rk-`b+_7E*=y*zVTKYR4Hm+z785^DV32X5@(`UJyS>n_k!~ws{`0h;
z*@606wD|6PrmpQDa-jNr&%?wEk5dDytDHg~3vrZbt>i8d9TjG^Qr)%9NC!O6nT{~y
zl#F8l;Fp(i6iP%gO1$Yhff-qa{?u;}jp(1*Y*SsIyS!4J^J9HGU$>>ly}gZkAbPeO
zrpDOL{PG7{_Q#evwitNRKgS6%_cBWg)(64)ot)$+gD@I_ctD&(Kznma{mFV|q>-SO
zHEX2L=f|=KJL$p-Hhqy-C+(@Pr&V>Z%dB7XXKrYBHT#K{p+
z5fP>$2f~i099rvlpv?LR0Y8epP+#wNq59Q}_2DPkX5EiMlf@(GLg8Mv6&Coo=}B?i
zW3?HGPtk8KIhgJ8WaB0)u?mDHCE|in0WBw1X);mAg=x&fO>_cOaN|gGyYU|5&T;1$
zcbSxAxz?jeRF*T`mIomwV+TVBv?FLe(*J)9*e|=Bd+Y0s+Cz<>>+P6Ouk7`GVYCCg
z{#;WC0L1Sd(ndof0BcK{K5R5eB&o>MN=c54;DjPZfnkd@;EeEb7DZ)xgBXJf!&6L3
ziisg4DK#lICNU<#ZZq0qZJ{lp_EQ#WKV-FNwU0M96z}cd@i&y0jC(Hul|+JWpQb9R
zrqmM3QF97~S2$I8rJpMo7aA_sZ@qS-mbi3(%pzpLdLM|<4WM>4SNlqcc>uByzal<)
zK>S$wVOsXqv3EWbO$7rVjeh37>W#T+AM!7!tq`-tv-#pVF=yFy$apTVd
zbj*7W{cwBJH`)f}MdX!WrYHqFR3(xM#N?eZ*+G#~4}@#Lt8}{qx5hvcL;AInM`AY>
zdvSip8UPDDG!^h%p&35QE+@t{4wwoK$N>YD|ChKUYr9^kYOf!oWmLo(AltbV(OL02
zUaJhE#ASwmBre2jG19x~52Z-o13e@US1$#s@&o`Sw{{o~l`(Ti7zWLa`gq(V
zXRj=}ZFa#JS9V;hxV-+JOLp#n)bsF{&%SEefB(CDCA6(q{L|khUR<;~IpMgb_DilynxP>UQ&>-YQJ#5KZTgq
z3hM{9%1z6SwOLdm5h0q11UFL>v833K?^pF2wFyBXDHLvB@HtTN)7c-zPXKWzCyhVN
z_*17AY_jv>>x&lF)-IA<1SZ5+CmmmkQ;_}THF8Whw23L~rar&MWxsl*lHcRg`jyd_
z-?Mv@V`aUuuB!>*PxF%hpPGo#|4U88P`wxb@^+ZZ+fz_vR`@ya!B5l1uUz}Zd%h~&
z3IA&7p#CGi+BbB-$nxF1WY>-%OVblKRo+x@kg|MNebJ?J=WfqHr-H7<1V}eR*pIx#
zz*y?igouS}31b-@#8@IK5Iw|TWt{ix*rSg}h}SXDz~;zH^2R#f5}edH&iUeL?$i4x
z8FP1GR)up-ufRir;@#MMf7PNe0KcdOA;~gAf;k?{DrQ?HO}QlGr?2N^}EDQj<`gcld(t2hq{L$N8ug>zD60nB%5iVl4Ww^Dro@g7~!5$j0E
zTd}UVhYlx`{bFyPX-@DnP78{gU05_bdP}-1O1G?D`=*$4!xw83d#5>KQ}R6{3Z`D!
zb(_p9q^()9t>nsS9Y^Hkr^d#m_fA;z*^Oe(8ynX6PB)|-7PA}TVeO0VHi~v6F?HgE
zA795tzy9NdiK&T4G^LIEMX^4<0d733b2)oAeaAlV<4G>2TlBZvZ-RdNtepvT|1n6K|MRIge;PZiYNGJH^`!Vi#k^}p*@zM4_4M){T{;c$7OC4G
zxohXZ<*tmi<90o~=MJ^=pkZD5^?Hf`8HF{TYJHRy3kBHFd8xLrsO0JGF`6Ymc6Iyt2#=>dh8z&F=eUU+`u
zexPV_PG#b*mKn(zQ5bQ60;uVjptN|qjSk#yZFsx2A<6vWGX;&Trlp&v-qHQ?sU1gn
z^3$T@()uJ`d;WSc|GNd7d{5W2tAi83!rQrC6W1gf69A1heC&aQa9sb1m~)M@M@MnO
z5b|c^841x>qq$p|zLi6Q=wpowfD@AoE>AJ;t-%W|y|G?2zVv-No-wssJ^RY^_USd>
z%Jc4>FX67!O*k{L?})#@)SGyTQM*Bk&_}9@N&st9>fG9(a`M$Stubc@L^vl2~J`TQ>bUBDo_?t19#=Ppx
zOaAxTnb9rR&U84N$5iCM83vA`-Pgd>)vJwL(F?0Z{Tkm3#?YNPgZ*S!_x}6ls0HWx
zzhjuA{|5~7DCyXKA$#V9HR2}u$@m$;Po>x3E^gN9viH&2mwqWCB%5x32Bla!qwa
zQP2efI0dD57${1VS*eKY3^EI78fG#UWK??W#4(M3luwFI
zi;ij)T{Buu6v>g%etCqbi1)GA-;0R!qgkUOAYK-vY`p1N&U~{OyJySRyD6hP8GEKq
zuc3WNN!N3O$wqz$dqVDagjuwZ8>p%&9M^AXFd-p9c29CbvV5%rZ=p7Mw8B5$K@0h+
zJLToGu}F6=Hf@6G^6S|;Ueb8C?-cY3%$LRVTK&8+YV|9z(zXn&E0)$u--s!y$;SgD
z81vxBoj2)9;}lK-LZ(dyNtf%|jp4G;paM?Y;LsRR2Re84gaz(_*=uNzdMwE29-4Vp
z_+&Y;?d>aYIvZ<9>x<_FVw;jMwV`la*SM;KafRsSaRrxj
zM4ZNoHo6G^HVfp9!Z-(bAPYQt$fN$R7+lNPKdh?p9_%ADC%BeJibL86)ON@HB`LAR
zc#xqp-#mo7T^a7^QYIZgHLnng+7&Opdw??^{mtejH
zv$v{3IY_sb={Ikxa!gfW%z&!ZNYymT=bMCEbNeF%Q!epw@;zd+WY?kIDQ2d0nIpeb
z8w?jftkhYbUw`!YU*|sdEs?j?qg7+aRI{;LV8PzBtuNhm-)p!ZiT{ZImh~>JAcW(&
zp@r#tQWD7|*`&-n%$=1aH$s(A9LIl%6ht?R6u4Z;$%MGFUD?T*$<9_O7|UrEDF}7H
zm4I4D^LuuR-)b2pe8tf5Xnan$zkR*j-|jT6$BquDdx%?&me3BkYW(+z1H9yaj1NTr
z&+&oK7W|{#kkz8SzBfay1k&5AVU~$XEjEN-f(B_oG-e7k(OQD>BSXPKqkyDdv!({R
zl4^yK7YBkV6NeqcNt$Y)-K>ZPxgap0r;muKv7>vAAf``NnfM-JsddK8HpAnb-?5$_
zul)m}#JQgjHc5l5r}hPX3rZk~MWtHw@7k9IDHl(7VweiDN@)>~?ebE9<*)hrY^
zpd5KC1%-&1VpJ2eBDsiwMyiO#(p-e7%jupqGxI#YM{$9&=dS6S
zR^O!W(K1e<=yQIocNEs`O97Q<0B8yj;3)L3DqO9_77;+9R}JL51q=CEnicYsy^$JH
z%n#@NMT`0Q;UaX5jWz()aqE;_R@V
z-3Aas_4B$LFZn-ULZbg26Vlv44>rK`(gUrKzH*4S{@TZX$yQu%cCpmGVg(`OJwz@uY>p5HZbjy|OfQ**-hOVg7
zX<$Jx6QijXCeK-gbK`UZGCQF63nLBk8s=i$Cd2hY6i9I6sS+ndIwC=2$4+0fM!yP)
zbObjvb1#FJMj&gXeh}6o&p>@cO|SZ`sdz6m05hb*sP1Vvlo^Ou$Z{cA(kx4;`;bAv
zWblDz5kGxA|B)_T_s{!C`~vP7)itvrd-nJVwaVT`+v#6N3>!A$w@=yGM%$_t%U1_~
zqD^b%xl+SR{%%wBzu6Sv#$~r;lUno3;VHLtD%w5e6)Bf8WWdO=;2u6=&`@6DTYmhz
ze)7+E$LSTmo}5)PkHL
zeXjYPxP*j+^n|obxeI4GCHyYIK=lXKM{wQ+)_GD>lU&{BKa{Jx9;H%_R*oH8$-jS8
zeE31bK3N5h&3SZ!6l+cr4^13AU=lI#08QU%`4VSWAoWBi6y&-YSo5+dfk;r8D~)m`
zGd-TET=^UFE)1v!h`p;K0M_zA5e&850=k!x-@a{|)-s-Ng76{|FABo*$M%EZuvi_G
zr{(LQya!*6V(^WyQ_HIl2SIsf#Fm&XegH&${q`i71F->!-ltEf2b7n8^+WWQLTk}G
zts#Inm${Sa*Ri#HVPA
zs%kYH$<&HQbomsJodBSR=qwdsV6iwXrS03wk`^vkte%m{)H|V|=z=3g4l8y>@D%d6
zLLnb?n**$$2Tq(>wHp27PpV9s?mv=F3K6#z-ClGg>9V&#F;Ab%XDN>=^DZ~eCFR{e
zg0U4!I+@&iJ4rAQ6+t$-334SW2MQ{!(&1bRqb3<&ueF7DpCC6~4xaqW49#3urv-2b
z+Q8Ebgjzki>bK#e#|f1dL*i9xLp1;Sd{lHpgAFv%1zr(<*&66JxXsiKe@OSg9hjYu
zM6N5^!c{J9q2R~cV(&tk-{A{0)49qp?v1BFk2zAT=cd_YKc|r_%$B4i({R03XpEwUwoEgia#lU$
z7pB)s3N+0n5m#xc*eaY1`kZ#!^)|7<7!)^ak3JN#IqOfEgD}?|m3;ARVB+pH#^oD2
z0>>jbJ{vCa&s*PKV~k2<8)hndQC}Ccq>fl>VYxspo@^W^j9UVUKzE#*LQ15XSS&^j
zoIaXjP93}3AwzSHOlzW{KCcGwoLO$O0DpXZ2*y+2pup~=Z>*WWei4@bga|C0^RTkA
zK{Wo-xLKa+i`R`>9V+c;fZD^-IB
zz-5MB86j#PO>^wy-`Hfh^CTSZlUP)!gQi(rqAeK
z7C`cHTj!wWZc1`Yw8Du8JSNi=TjNN`E-Gev6PcuQ78hb0v4v)1iwo>7x_jzaF?pq`
zy!`BK`}iGuZ-4w*uC5f5Dkn$C7OvT@uJXZ_nw5_4zs9C_a(cQbS~~BcTRm2?O6LN2r&M~(JO2|&Qhz~9Mc>fUBD)a#=noI
zf3)Kh#AR~nsjYEv{f9^?ywKvfhK_!}#T~>ofuSapBoJcRCC9px?2Xah@(3$q;e-N&
zqqb#oCD^)ITxZ^9)Ep?XpmRi?iG1k
zT>)G_dxV!~Yb&v?40;`1iVB!TGjO1)oZvF}%X<=w#xx77wPJvPXtWYHA&evia$!2?
zB$x}s34v1gc{#28XwZ((G2EXI^O$JRqGo7NgX4+$9h8v@&Y3x9z>NDCtSNK^;Be
z)n}I8+cx*XRYyK6XxnX2@`G82HgCIr_UL&FzGgT06~++1Jd7Pue0qOO@zz|lKbm)g
zKR=|Ep}Kw4|Di_;i<;Fo`S%`qa$IHggbvk7Nw4=ly84r*38UvO@x7bhr~BZ-ksI%U
zhi>jXeaWSl%&PPE2c0{lXHjoRv0eXX|DiYESh3peTvoB`e!V+x$vv=oUIO5G*X0m=GOh=+)U{qvE6EB?`ut
z2hG%dK#z0D_S(_=!f=mx{kD$H+8n*wQdmjm>^can}P|y)!B))IIeO^(X
z|CZaoKBOqme52bx4Ef@Gm|;J9S7!aeO247aHTGJzxp}2!@SDo~#t&;&ZCOm7VWDt4
zwa%PaGs8;7Bx<>^@G?|iF-KA6T;ZFrah{^g+erKvb!D9L0&$>riya8l#qEgh)YO`p
zN9<#NVA*L3P$1t5*wqe^Hg+s5z2iBm3Hg^C2FrrpXn|dR!Nqi?y1e)zec=V#;h%-2
z_!M~gui@|}Z2DJuDc$}}+{+*J+mCn;g41k*UPJ|3p{m#lMWGYXY(t>}n^Ga0;!rMZ
z0Fz(tixm8(TX*hMckJ*z^$&%=&%=}F-h!8p|8xCsMi$Du*SA_eX-B-IAF1_D>(_@8
zYwuq12!ajQm12m>6|O3^B!YxRMTAvHLu5EuNu;%!L`6mQLC}=}`IgQdC`y2g*S>w<
z()Ql=J$oS6qM&03bQWSASu!LdJ=WqP?r0v5=#-U^fTdOc76OoswL9cf^aInSlO=fp
zc#1u8OXTXi5Gj8CaL&Gxu6t);)FR@)YISWbMlRxKO{%J`t(upxUcA&gzi89)1^uAY
zeBml9fyb2lC~y2q@H35r2MrqBcm^83YUK384I2dCxPJL+IS00{UcP=KG;Y`c-(0?|
zpdi*gcg`|VUOeae^?JXJl6&OO%6n$N&GpVI?IruIPw&uvlc3_TC~K|1|3dmLEG(j&
zL`1}ebY8-Ro!77LMLJKqR-u6t*(un0L9mz8|DeUrQ#9;7o~6FpboROG>+?HaSM~f4
z;)pt;YEbXK!@)7EU$4Q{!;dAb6EC*zP^@=c;e7Gjts}d_W4t$G-+y%M;~xg}??2#&
zkB@!yJ!2m(UVLoH;zdjDzkkW1#Y>JYUJSnl`s|y>isx=J{4PCirD;SXIT*)uf`x+~
zJDU}bXnmNahx=qsg!!3ymI|wJkGEI|vE*2C5Gp1kg>kwTk$fk)S|VffK;GP)vUQ3r
z&L2k#KH#z+^l-VHV^n2JLG0L1FRz_2ezy2%c1`sR@i9bxG;e>`E|1Lr7^2mk3l^+h
z`&FZD_3{;~*xBIEPk+Pk*RQ8_ZV@%&UCO?TwMC(`jJ8DoU)lmKwFSr2ANq%{SZ7r<
zJW5lC4jM6Bd^~pKfFa`ePp?ebUDWB8DTjYidSOe%Ultu=R_+vVk
zd9^nzLPx$K!_CmUY(*$TT3&5)&1SPyu&IEV9C(shd(Qt{R+@70cR;lvi8wXO)7i3V
zA?meckbv$3HoAaSh!gMp37rH`Naa*~zI@|`Yp>n#w73o?JE8Oka6&kY6u$4(%~!sC
zpEz;V))OGR@txib_i`d0yyzf%Iv0pi5|hEK)G{@^|$J{btEC--~~?jhn7
zJhx}v1L8T@^5D7$q4vQI4?;gN`@yvj=%0Tzzk`ied_+SHb6p8^qA4O{()J<{nP^T`
z9X;kLc6t&V&~+csOxUMntbrfqz;S%94N3xAr88!hYn^@7=W!x(!^o`pS|HdE(%PMCF!cbLP5Z3ksH9jyf|+5=>BM
z5{1~jSdD>jT|a4(4Pqorp+HN}W;_EWWy8IwFtZVkJ1VR1f>
zjOyQu+G3U78I0=UhP>7-Z+4oZs1{YR)Mlq7Wri!(u!t~gL~WK`KGilm4tP9Z7OgrF
zEXg28JghnuBGN$e)}pHAz{{Bs8z|l!(Z`eC$`!3d%0HzG-b+G$fpOdK(Be0Am6QRUv@-r++B4;;|9PluizdUo%MCrd{A
zjP`BwTFcESCOt-S1!M%kZb~WV$PxBrH!Dhe;qUf~|Np=L{x9#xVyLoUQq4k6Yx6sH
zY!6>jWnoRtC7jOeP|&em8UCjKr~IwGc)QuJzA?>S>Ki5hH~6dgve}cnH+x_Hi#mM9
zjNxitNlBjgRvlI=AGhfuA6tWueSd}g`{(M2>C;EZ$6eYe$^O^=^Ye*5x29<0^m>z4
z5=HDJiKG!1$svQh{WG2MjL{rdT2g}C1dzQL775Ig-71w6(7CG2B-?Qa7HwCMNM=>!
zc0oAdv1&}7k|4JR=8?Ms6e|w5+!|1I#GRljpeY_V^RQw&B-k~^)5BNP^ec&w-)LGS
z3>EjBUmPhOfhtx{p;xI}G&TN0#j|}OJI{7Qua{Yk?Z)0Ob&C=Y!6bf16pWPMP+P>R
z$^Ea2@DtI`|u|DVVS`}EV-%tX#pPs!BWYnaGUO81M6W+LbL
z{W6nr{$wDL!}PuTG-~N$MKsK9+G8mvNH^lRkAp%1k*@%~2t#l=pzfl%6Poxhg{P$^
zN-A2ol{=I;H5w_3#SA(6+!d0Y0e?_{zc)<`npSxZoZ{rU-(_e_=fC~FV)g13ztfm;
zaB4gp5>0QuCB#909NO1w(~Ox{Nqd`q6*as@o{bFIB6!D7(YRhWg;B2XI8;c`GqMV!
zp|w+5E}P^)V1+ameV2bPoy2?36zgXAI>CKW9WJl@hZ0Ju-h-tYwf$yu<2%AuNky6yG3>%pxYR-rvyS(Mai}>3RHVEiVvJM+FF7H4As97)v!;IT0_Km9Nvx?0AR$zs0LfFR
zby6t(UYzsIG_CK1c<3w6$t`-v47h#QouL}nVu^T1e0EM+Mqht@*Aq{Pc}6b3i+GJM
z#{3K7GiCM#6pVRutV|LSj&Z(#76tOWFv_QwIE^+5pl*Af(@5!KSD^?+Jk?BD^w6v!
z`~I;AajX;w6wzlNTQPO|_VuO4V6sGduv-CQf
z0a=2=0!K^I1mKd6m)^sA(Z$W1%kOm_>wD$APE}d?4rg4OzWEP8uQjq`f9i5?`DWiE
zLFRa4V?c7CV1W3`Eh(rO5#xq
z&uRU#SRW^O1G{z|PpiYWxCqgb<@k88Ey&;JkO(TxcI*6oO;Hit%PH5V5JE&NtrqH+
zn85&vU)9<}JO-KHX$wm*z@Y{I!sf@FG*U82huv^-N`D=H9f6}4qx8$M1ASk^yw@N(
zHg5Dhg6+X%P_lCI)HwFvl;pwZ>d&j|Dau3?J^}GmF$_pMPhRrJHCI2Uzqc38!w9l~F735h2
zZJveTEtY>W;_e{T0@K*ML}y!|!M??zbPH)N?(O?5g{WhNdwZ6_D0O8TWi~Aej|3gg
zuJh4(wXQr$#}HLDw{~-aNGnmqDo87BX4N8b6fo*ZqFiG@u9#x#J6bH&%{Py#p%B1`dmLxw71F1!Nxv4aO<-^gDMSIeeb7Nx*i!`Yn`*$3^4g
zoByn_T50&QSG?U1E`0aFx?AcAB@>#?aMTXXF{;H$;;2Hqw5F=!PM}=H7W3Xjp(<5$
zR18)5bY{qQhqSn;uwC06c{P@8)?x#tZ3#9|wprENtfPMQ7-+1+-(uNR&6SP+Z8V*W
zsSge8cI5z{c;Wj4YL{MDFHrJ39=!Rsm;3c{4a*g;7PeM%JGF1Cwk=3ZPEJgMu0M`H
z1`(Wos%@Atar0g)E4qFBjgNjW&b_>K>fTaKgT>pcF6Deq`Az+o<++yjCqPogZmk>E
zB0vO)QHOv@hgqdGs0*i1WsnBwGlp5IA&Eh$I+ExoAt6}%TSo$6z92l&BpEqvp$t(!
z-)Q`)@MTgH1LYn}os2ibPbzY~Z)uFx)e?eA86fvtV~^JHx$uqfinI=?Hs}9acUkyJq(yD@UCF8>v}TdXw7F(0EF?6b
z-N8sUS?W#Abf%`*W96m^4C_&n?-EE?9#Sj=IR2gT8X&PRvY;qPpivg{@*wZS#QJnKE
z?vk9OY?+mkmpsf${VOx6@!osa{sTGbEY+a&-}p&|(x|VMy?zcA1+EvqA-bTG&Zq*a
zbEqf~T8-jE{(>bYhsxphbEqz&6o-~>tLuHY7e(Um6kop?hXkV;1lX`(*L{`Jqs
z$ZVc#j}jg5A$RCCJoB2qmieC-5l@aaJe}cG1rAJ=vyi12JC;fqS6QV6f@R)uM)~V4
z;HH(H2E-+$Q`55(ar>RB!%$v6;={G$^Xwxq;Z@x>fd*MbFLl~&QfT>BqS+db2P*5qQ_HRu~Xx1v!
zDadrTa;Lcy(4&dabgcqxmBd!+jcTcmC-c|qq+fh4zSfqkd|VzV=bx4}J6B)@yGiSY
z4Da*bTV#1o2GhqlAnj!K3){MmO+D~wXoXI;!K}z>)Un;COjY(8y6H|Ua*=_AgQCL;
zxvInh(;Gz;)u>d@I2&W&ob+XnchW>#fRBvMxsGd!^~-PKgz_K$rL?+kIxK>9_lh@9
zHtCKF?5Mqcr#O#O%J5lM)3UwEqC7)YiHT#iZ4<$&KiH1Po9eSRC_sF4#Vd(NzR
z%m6!;WA#)=99~mF8VhV3TI*k~_VzY=oDvsA^%vL;?9qiTi>JO`s)CLE0VZGn*d342
zLyxVPG97Ndb{^iJP0ac0P`@`(eBJI;!)4;nt_Rz!o3MHXlIKkwr@^{5q8rZ!Ta2Mg
zWWkw?%ppb27d0`oYpa5N+Q(lCDoMu@U~yM1K2)oy#cIKUibJ@IVnu5CQ&uK5xh>vi
z1&Gl5zMxz%-6R(HZLbi6l_Fm9|7UyjzuWHjz6<_td*J>ltL03&7WUQEnYQOkUXHj$
zI<{u7o22K)IRR1*y!O6%4)ksMM#)lM!k8)YSM>Ukk(A=8r?9^lk&OGFibxvDE^gdw
zoW(_dFCsY|M#3C%i=51Fhy(0V#$NpIrB4sdFFyI>)_bhfcgb$$C9z$+b%!`Et^$}1
zJ$9&1eeFs4G`0AA!fU&g^qZg5`@Fl{R|e_vp~2n(fITb?SHeLLi7K3NrG_xza$OUk
z9O!g}v6rDfo18R3XpvEBLf-vl>J6y_3DB~t0_fGTcpiuw4jvO9e*cDe50wO$Oqwrq
zhF8D{Cbpvg^SGFi{>>p>LvZw>CDmIuJO(q=fc|G!v4ju6IFZg%0YcL(R0SI-M$vIq
zCp&SXa%n6Ew5Ah6%m9o@e!}P|nrgG*24WcH{3n~~TU1;tIiOF1*mdA&(CDQ#X!Mn=
zT#@e26QVZb+h<<+;{Bs)#iAvZTQ{Ptnq<^mDyH&pP?L+NTuMkb*;6UM!`nZ`g9guo
zr|G}Q-9qp%!N4WA@D$MG#8EYzx}vX5#fw~~J=2|~
zyLFDR%sf5zJy~qzy>uNF8*$=i1+`QxJQ*~Wbg|EhZuzsYBBV3cDL)IZxUm>jXm%mT
zs&UM5K~eFX5GfY;!`Fu%Z1ebCvVw7xqho4LTQ*lJtX@`U+;X99o$q|ZeUDkJCsnma
zw*~_Puf)oJw2@@e)7vd7QZ@i6mSy3zw|~dg6E7Sx{eTv
zv1j#OWv`#RX4(b42?qtR^aBuufnu0uQ7O`GG(T|-OyXKXye(R{uN5A}LHo@8wm_Z_
zMY{gGrgB%%)@r}4Xl&o=DI7AShvLklT%0)~cK+S;CYU*4@IAw)?C5{&ct{%tG<~fu
z(Rp7*sN{s0O2rAl3$iIu)N=@dc+X61wY_PIIoZL-{`0v19X^
zIhPDv=1hEV=-C_o0?W0VwyuG;o~o&e#X1wJGBW|Y?%pRYux85g&uZsRn8~s;c7r;8
z>c?*_z9-*x&#KZ6J>Y>|on{wB?Y;bwD(pIT=RP7!iZq>8Ch=jU6VB=s;H+a71!@Hq
zbV9X;;(QvW1*a2AK&4O}^(%VHM#g42-EM3pPG1#G*IhG@+1{WQPfN{JQZnUq
z{&DXU`@^~viY9u~gzD11y~m2*sPfYzZ+%`-Ryz*TvwIKZTv-5>^z`)W`oI4byJW-Q
zj-3w=@7HYr^y{MTeBptcDpq-tE*+KMHXp8Bk=Dx@jXWR83*N=IDUT5k$;Z<#3V#;B}yp3T2*-&F~fcN9psy2x55Fn$jV$78B6J2JDhTgV;_K7
zFs0CWYX9cd%?5Jg>Pu&4=7_g*5|+-Rzb-1@=E((>Rv1H=o~#3?KYnY$-5pv#w03#7
z%hTgCZs@yY&I;fA(?1_Ltly2}KEid)#WG&W2a;^k0i&6CDUAo*WUzgCxq38``&TuSz*=>d%k9@#W<4S1z^1iFabH6DsKq
zX6xXJ!y~-ihW6{M?s%c$<}vHCleWzt>Kq>%Wvgj7cu1MJEZ8&xq+Qb)Z4uU0L|+_b
zGB{zaz$lo29v7`OMS{%m3{{GE(mP;#ay>eb1
zuc@oU&1p8bSa5|Io717U!}x2Wlek1|`OF6ya9Z~juhTcBg4xAUd(CZ$J!5DUoKcta
zk`UV!w4I>sj4*`+Y>)m&+g&=pxmZ^?YT0(xuw8xal`{i*>#Cu3>|yDg59~RloNL-_
zsKkXO8V|kvQ5YNbm3Usf`7`W2D$sCYk%r%RS-YD2sJ$!qjQ(BxW!POR`}{N6=k0J$
zXcrxYnOtJwBpFnYe8wEv44vi=gaaOYDg)JjzhF$Mz=*R0BhIoN^8SMn=a8GlKlguO
z;2wu@GCIs)G#W>Q#Tp!iXWkC;{U>;%!^=i+7;uXV8HTR|S34jTay)*Q$Ds{9x^i3&rJ%9OP5ooXbX@U>C1m9?;%;Ju^j^xY`|$IFpi@_8RZ6OJXn>@
zze&60A0!FY%S6(V3l+cs}FU8n96f8KivR?N*Fo*TIrF@VzEMAR=p9)RE8
zjC9(P!3m)TJAwu~)Sxy&z+i`AFfI({i;Uu5K6zf8fW)82Z*AAE{j$E7EMC33Z!sGV
zV`);i+IA1_gObm3PeX|-{dj8Hfz`R|o`SC36TT72n9Eu3jf~RS*$al(wXJoS-uND
zh2?@bH{KVV$SV$xGbb_|yV-v)Dv+^yoX6?tA?NndUx5KV
zd-dZm8y3Xals_Jo8_8NTJS?gQa?M$pB+8co)gkD5jCL-Fh6NdZ{kzO-%
z*tVS3zw`f0Io@BMyyKt4yEl6q)~kucia1StT~8e-Q;M$)ocIN>e%26qsQ;!^PCe0Y
zc;6c*9MbU<;vifN>A}zJ>Hkc3@Re8Tul&8wloS2%v_B!+StdVor<#cUqd)EsGvRGQ
zo&_&4(4_$@k|4$Gn`!JP>Qg)8Yw$72hFXPy2DLC63$%Hq45Pw1@d8K_l9B>_I*`3h
zKQlfHAIsOxjKbH=gvq$~cw>#%^#m|J(0C=qw$YFEw%PIBqar!OXX)>rNNpi4RQ}dh
z7;!SJc1D&q&z5Pc&6dapD}|?8EFAkM3PuOZ~gkYbJw%%sq5BGtD3fI)iiyq5G=O|2#ys#CfOv$g0$Zl_!R5v
zdhHAV%q9fpzVSL`^o6e@9^-ZRdiEd8;&~GkM)3_erRF=}A2lP7sHBV3h8U*f@;#)G
z^dV(r6vpK%Ae@hauy7SLQVyy%(oU(W^d@0MAz?~206~!bu#FzMXq@_IB;o6JGH@IzQUmt;E}_YquUhZlSMifoW?W
z>YSh7`JuH#*X=2mbxQZFW9!yF{Ls3gYxnF~+jy)?+2Ec-yOaP&K)An^br~9XM87N<
zKD=aTNm*IR`Tq{)mkcJR=KoG;VviA(q^!K5lzY&GNI}w7|R6CO!7C69VXFwrQoH=mzEPG6>
zu!|KS3zgzC9b_(>rQ{+w?h#5LC$Cuc+@09=xu)@yU%+3A(q-3+eE3WLx=isM`2Y$s
zvK9_nd*y$FvMc7NNq^)5hjz``%|x?1w>w@P)FCZOC|URV%QD$^WYcG^B{o(1ybY}P0Y%I$0ANPri689ckk`|wwu^bN8bOQQ}Nlj
ze*H&qm?m~}sDUGNz@oO>#I{qBS4thNrF&+-{o~2U)tc(1vuDfS^cZO`$rpOsj4gIV
zo*gzJ+=D?%=6sKa((sh|Np*^j_1ytbLN~g
zXU?4X_b#gv?@(G)vNP!F
zxPYLmE9xr*Tns@|A84jrZv)_1kP5l!>Pmg(T6RB`R@O}}b=;K-U|6+4gb|lj{M0tt
zW%Qk0i8E%7=}@My3LO{GfG>YR-oW>5*l^O_V`%$PGhrvrfSpjUJ8iz1*#i?(Fn*}J
zV%Z9#SKwr7Qg3RpdXCA8Wi;QD>SsQm;NwIv3T46>qbU9GjzMibT=iMblgNU#IyX-%
zr9lGpBUP%lhUh
z(?0&U`Kr+QoTpG)wS98RPT+T7JQ>{sZZ0MWd3qBGBiHzZj6w8fDj-i0
zobP+8X4$tlzRevG)yCP)Q;6?kjM!IKSzX;@dU{ZG>D94SUJLQb0qw?*WtBbwVLdbO
zT?pOSgVK<&hVD1~cZBQBXjMN-L%FMirICObN<*^mYi~gcExNH{xrvtbj-`GUx>Hq0
zQG#m5SF2Zl{ne^9U)S{Np5Ci>w~U^5R^nT#{emW345(H#
zyB8LAAK9&_s2fBQceXQo6&l|+*KzRymKXbqB(saTG_jwB4WXU2xh|z0NY$5VdOM1-Kr(0RMuV@G>Y-J%If<74{a3Ym-L$
zP$Y7xG@F2oZ*MJ*?XmwhEkN
z?9dGIeKeR;n*}bgv}gCOC>uQhqz@d}8zWvF-C%KzlkR^;jb*{I&C8b-_mz87ymFcvba?(didPQB>ojAEmWX(r
zk?;~rm^nnbwgq7Q3=slNL$pW*(l_!21AQORHPBHb7^Ph#UJnFA;EV(=i`Z}a21fcV
zd!^A5n#N*wFEPf%t;$GOME(DG94j);|2ZgxT&)oF&Fa-7y=!t}LR^RTEjzmD3gC^r
zP3+a@mOMhoAijpuF^|&mETfC&Q#vA6q9f-*z8gik$N`wvfIt8NnFG(Y^CV?
zLBM_d}`+KQ4<9r1P9`cBbyj}4D2pG08?L2
ze#=?!4+qaJ@8=z|YRZrmQm-Ceevf!&753>PAoEh)DK_X5k~^9pmW&}*
z1@_Q#O-l8GWs>P_rB$t6O?jQS_`$0c_Y#xuRlUOX;P7I_z2wCEU%mh*d~;OUq)o;~
zTP6${{eH)YVdYzm%{ERf8;Rf~&B!4@5
zFQ-n)p5LBV$L?^~57rsz|H2E(E+54Q@Gn15`Lq}EWy?`)-7yV
z5@)7Euf{(6pNW3u(Fxf-60>5X%Ki2I%cEkm5_@DPM3?(ne)d1?ptw|U^>TMfiN6+~
z;^OY*3aN3wed2G@x{qi2vmdz4j0K^Exh`FI1qpbQkxviWi8@3^K5f{9Sf{!>
zWoXtZ=sW~>M(qa=W$)IXu74J{nSA{*j_8oCOlx*8S3z}1*VarSu?no2yHQN&m!Jc)
zo9?L25Na6c>2Roxx2UTJk>{^+bLsPg=<}`&&oq4Qc|zCLghy$=Ii4{g|1r{KMLCuM
z&}w+Jke>zR*~MT3L-9iV6fZ<|2P_23eFw=GzE+0*Ist!VrO;T;)`xuItQePB>?z&?$0(s=5v
zV|8_C5|NT^**-+<D0H)C
zf$*xw*0P;yjhjj>Ycd;|pL)L^@w9YrYc*@jd#+i9owm1t}@zQT{9YInG
zav*0>A{zv2g&CO1h{wV$h-M{%LR}Rr2!e>*s6Si&Y@yEMmGkN&AEljJi=Wx7$prERp^{KYx`S9vapmyYcl<@lB^ynfQj{a>tL)9nyd7
z*#5t!CHp2AnM8ObC8=)w8lRdPKO`C;IZhd541ZwzP*U@yE53b*%|nmVa!$`nD-E;1-E
z#W5taSD)>wWKO@5)9981TqWZoo-^HD4MpAZ&yD^+_xW?M8NW0Y<(202!QXjW
z_ekGYt=hF@$r5P2y?a*QZri!aZ#Lx4^LANK6lqptQ52}`nsH5(gEu7GxuI)(bdTox
zhnydQ!Gy6SFpvV|0uuGHdPeFW3z7l3B-UYPZP_9wbzL(@;UHI?1`EL$-hN*|hb^c^
zU$Lq}$VV2^e)l)dfjvy5sN;Fje@8IV+VY4LsQUC?FgUW0yp^?|bC8>VU}U?wN%=$V
z&A-$&^mg#;q+o!VimPA?v%aMrVJ3qu_$IW*RmecZp^*ELwH59Y9OMKCxgE=(W;a7f
zi27t~K_?d_QSxcgzp-W@99_Nom<~GFMVXc~CnvuBTn{JrvDuxxmwGvP@U=qTq)B-~
zKv=jxm?oCS1-6!T85A4Pn#@_monc*c^vIm9WKKI%eQ{1L`StK{BXaH$L;^@dq(#+1
zxhbjXNr#ZmSL@au6#%E0b_(bDgczO8wHXn>*ZPNr`3nQe%LfQfgGhj~;9y(WH6gIQ
z5X>;*oTpd^VOaB8eG*R(TKbH&1mW1~HOF+|V3IN|c}N}FzMNn)prT@c5D*y|@B@FC
z_6^{kv);lfT6KYp=V-12bUYoo2l;SQgnWu%-sq>*Ykoptw|ZZ4N5849Y#s9xJGxc2
zvUcHK3xv^c{SwhP+RMo?A~&k7Gozm4rSJop!;Z{ht|!4P=gF=~K0H1mkQK7ug?~ps
zty%pO>S+`a#BmX!I+e@11o77%3iIX(<43Tzc7n4*S@By^UG5nL^Hh;Q9xnC
z%3<&Zu#tvg{qCVVTL?gO5Lm+Fza%{8uySGl|6pxMTPzvti1_c3aAB`ieF-v4FTLu2S8@Q2&tJ$;#4zVO!{^Pc;$oXjV{FzrHTYoiK%TAxsl9
zD&HtObyB|Bm7byOzKg5eu%_FTR<;ZKZ`h*NO8xQgkA;G1DRIvA{T^&55Lsor(je6+Xn&RM~0cbiiZp>%266ZrEu~hSU=zN5*#l6
zDCB0ZnZ0?&s-BWhiQ>7O;Aza*68f2%(6gGRf20OI-b~|OLyPW#JHCET^`(f^mi&r}
ze6A9|y?pr!{!2pTj>><*kSk>iq`Y-bLB_V!=s|@v9*x+QF7D{*DwYhzX52NvN8t<(
zf=&i^q=E3t=}pWL{B$~Ar5>v@8Ow~GAvo}CSrCA_aHR}&j=y7wH^E)(O0>0lm<3
    b(7>T&1{%W+D%3_gwxcBR7_myM-&X
z?(#}8K??iQEr-2D<8PjWn8=_qrW=k*CGBR6GzVHu=Ah?Doqy(N9>rZ(Q9WcG8_39*p#SVgl#Svp*p9=^>1)As3kcu
zwYZy2O^rU7V-4VHKCltxU7M#UJvHnkg=u*k-lne-$>#C}UdU)(FHDx!L|p&>QLDTx
z0d%08F36ctVyiq-6oAe!2D-EDn~BPSsx3MW*g#`uXy)SQleuijT&zgr&$y=f`77~F
z+(FP(5r-cI5?W0u-58B7Aj~vdFYORCioWJNvVIc@9~&_aL~dpd;re){sWk}e%+*9lQwRgB-u!r
zP2SvgGLMDm%W<+c;ibKv6w)G+^ZD6E=Ja^>HGb(7>iEx`wFFU
zE{I1Gns26kw@2bfTjXGfHX6b?6Y9^uyK?g{o@mosCWTBTXe&D!Q67vi7+rbp@R>
zx$t2)UXM@Ub;IBTd&@#K*jd&?M~1`;t>Yo)q$RxF`_T3boRO5OtP`r
zC93Zs%kcI%wjE)Gk&Qp9br@nw$sX4J-(_E71L`8+G}5T%6s|pf``b
zDMRhlBUz)r*grRgVb}xYdCI3IYMg>U5v{FbLs9Gt+oEH`qm$BUm)kezfBda-!+Hcd
zc1Lc*h`3V!j_KK*h0VWyvtz>1DOExR-YBg{=ceD;8)ObIGKZZJc>XW7)wM|KlpG(Q
zK__fDeCbVYMs6YgaOn_!&l6$JN$HZA-t8>fA0HEx8W}7sKe%&k*Xi!9<_uVOsCJtW
zoYbv@GT}Hq+dae!;5@UEG12IBw~zCU&bP=eTG=w0s2PX1+;v7qUhkqO@)QlzrI3p-
zyJ=vi?piksLM#@(v2!noIC$ali_`cug*Lxi&t6%|_;fS;z7z7YxZ}gtys>fwbb9~Z
z%Ujk9rX3Udb?chb#?c5ZO~KbBp2;UXV?tZZ82Fkg3M|xK)&AcS`Fe;ZLh?jiUA@l_}BhEg&me1m8SF6ajYBj)nNgD_Z3^WstO{N%E-vHG~^Q$9UT;skRa9HB5QkDq_GE~vCP4O`k~z@Q%Io{
zR5Te)g=4}m7SzJjfCMknhkBKS*4+c){PzI(&8ei#iT>fE3PUpN3sO3D?|E)mkN8&d
zOSPNtH8Cgg_eWpa+g`FThgq#%y5v-pbW#>F>X;d*W_=i5V;{-nRBoaA@bZp;V(f%Y7YG+jK=@i~6Y2S)P
zUkT`BWLW#SgqR`lTR>ZPg^!DnKYsM!kUn;{IdMbECkz$5{QP|agQqi69}?D%l@WW`
zl&k^CZsU+=i+CsMLn8hhv_C)p3NA2$Emv^%MS;M%YVO<$WR0*60HU$4SxpVBK*n*Q
zd@7wk$uXmathz^{mZCbo9g^c^W)4Zd)2p`bTzp)BQ(eNNqhs2IMjAsVDUr6`)Edy-
z@e`K}AIckew+#yp?c``B$>tz3mksNq;hT?T(@NdJtl3>kWz$MCIXnp&5ZKB?>7Uro
zEiY{5yl<)&|M2rfpIA#}XjoJ<>tk+OWo+6rsg0BCj1l8k?3wq~f*KraYiZW0Pgr13
z7^99%L)8RVLxQV;B$HBMXmffUfvP7KUtZZ04@EuD^yS~}o;YzA7^JQwvY1QYwq|`k
zFN+l5ma@oxMi!AOIVvgh`^76xWu?WZ9$hed-;tEy@bvVEkR2V
z#{rQ;CQKL-k>_Zi)uDL!a2({_zP-1%LID+S-d^tRer?4bUxWu6Sf9_!p(c3blXCb)
zc!sOeYySF!3l`U%SspY@(b_8`)i=U4xqWbC^um)c&5Xg&
z(bhR3yK`W0{6Fg%K<3xppS8T*9$MBi8*pOvn&UsLSzUJ}B{n7{IW9IC6kqJz`Nh#i
zyLT^wq+Y#}j-__*p2`3-6D?)qSpSdi7UO7ID_UAD)o&lqWuPO%VOrCcaU$ztZ)vQ{
zioOel4Nv?!6af*0^B?l!eQYj{!wa4Nov=E
z!ZeS701pp^Lc(+G-`dQN!-D1`f>GNG@Xfrw^e9
z4w#>L2&Q98#!bT4>(Ag@JOYO?S%sto@J2RcP`_R!xv9dA+rOU7+2QZKcht%HUrq=a
zgNEb|FO~Sm2PcYgMt)2Av!eB%ZBogoVw;U75c?YhCuBtSNf{Hr;>dX|EqbG
z8fGqWnv)B$BxD^N3=Cqz=N>+Tuf2JIah}rFwqsy!39wgvyL-S0Roej>%Kih=yY=sG
z>uq7@G_YXol$a!TtyjNb>s6OI!N|$X%XQ_#nfKR@=sv;SCc-l+r**)(e%2e#8tCB#
z(S7%Mk552Y4O`bZ7?~qax^{iZ+WC>OwD${^?iZvq2>N&1t~`VFRUP;A
z92S51k?Pe+e4j^PH>h`EzoLSS-WF&&>-`MZI(q<%8=qXp&u)Cj8}}QuXk^9mh#(4k
zF_|xmulwAdVWTdlVyO`ztvv(nNuQh0F1jdg`Z|FPSl0LWZT#xDNBA}*9#al;nNXBD
zXfR*r;{3CZ%T0VALct0g!5Pw3e(ikw?K-+?X{B2e*RO>Pw89S9w4ilm7wYRT4O|su3ovjvZo+0cr33Qxbn^R`^xv47qsgPr
z&D^ZIuX+eg3pQ<@96o3Nw_i#!8A)PCuXCyYb7y-|+iA}B-}bHe_W1L<3k^KN_36rl
z^d6H>{qW)3uO9>ihHPn1We@Q3PjK*9F>T)QAC?Hw>GACXqU}7ZXMJ(x=3Jp?YLtj~
zBEh?>m`CPI@b-|~Qr`%1AbK=!GYU29yQxhdGXf0B`lm#YKtq2Rn)B_J=B_!`@O){v
zuAS5HW2A%6AAbXEk!nNCKb2>YOI)x?fS-PgCM{1Awa1dtyRCf?Z+j(0W)f^A?
z-j@{{93#@BD}jgQQbpgEu?~2C+(q}Ja`dQkYBuPxT+>&7;t#;TKG{HP(q}10P-%*EZo>Td%q~tMIp^Eo3_AgADW_gS3KF&v}c?DQouG
zYRy2pHfljY)5f@4vG~nmiwmiG=VCL<1VEn0IIkP&`_vACj9zz~8uTOj<<
zaPoqwU#_1sW1J!UF8q#P|Ffj{b%U^EDP8X^*A^^gTCT6_C)U@M`*=z-?d44XhM;L_
zh44$uDbr?b6xa7C+|gQJ{Hri#s%CY8F*~B^v&7c(wJq#kgjkXYU@qFdZ2h&Bt|s`V
zvFq7Asy^&D+y(p!yWzd$o;e!X-MhzVVzIbfzV3hSJWBcIbLUYma%}OKx%k1O$N2u7
zv8AIy@3-H;0ON|hyz%1-^U7Nl_U@gRpV>Q~YddIL+rR@OPyhDY>5&Hm{I(AI;o7yv
zz5Pdx>Yq1!1iIg=v^cX*X({2I1Ogka5AOD|r1B^2;Kt#L0%oS3c?y=-?tnEu
z^*VW7e5>e*6FU!-4ax0QmVai)n$8hXpm+Z|$nZJ*3~$AM9r`@|nLKa8{C9I6
zXcIdq@n+nh8d`n)cr{x3^Y^Rv?p^i$&wMT3fg4`q
zw|G~LGn}o4-6RVADeiQ2$DiA-;{5-D@B)qb=dJ#~_W)0+ymW~K`=2`XsUF~qtJ9oo
z@q_Bx&-DQJBrta%G`6AfUdAL7nB!PzE`})(8WTz*+7=H$PpPlz#%#oCN?{UUTb9C<
znQ29PnNf!r-+>eqetY2py%0Qo8aEiyDxKvU@Z4%_EJF0A8b)q_X%rsR^cI+@S+=f5mTg&%V_Bxr
z$g)hzSb9;iUvV7fEQS-4Mz*A6qc~{2WyrF#kSv6mnd6Xyy7RkEAG$qfW@Nwk?T6=p
z>D;2O?yjmXxPSJ?ajDNwX73MbeQ4i}0f>9mIOQLX0UL$^08}uEoA5T+TG>nzlxXH1
z3*aF5OgQ&=3OF$2X6$j)*0F)ar~h#KCt}$B7VKmADcrvhY)R17dBfgl!9I=+xQjZ*
zb+ncp>Bbn?B)HPmGN(ZlF|sTq4GjhhWlbmYnX>Slg74!&nm=1c&+S2}x)EfIjZcoE
zTZz%Qpros&$+ZPfPG_MV9@M=&3}Rm+j`0>Oyfg5(cq3_chU|jA>1q@oxM(>gtibKAtPRY2pc7mC1{)a2w3x<@2?8@FRFX4#RzwTndj#hhGO$>19%`
z(re{$&j>LGZZ1LSd9c^V6xxo;rtF{j>7V(2(+>LWo;1Z%m6D$RIW{yf80lDkfOKqK
zbuIsrcpuTdj_4i=rd*Y+7uWwb~s-{xg&;Xqpxqy#NG+*EB@lC|X
zh}q-t1-y+a{PH;_IrRoc7WQ1AHnT|ODxSvdxl^D3n1ZRO5m3-`*SXph8??8PVhz#%
z(R#=D`Yn9A?zcYpzz7NqlF&bg*?1MfDlU?Tu~v+5&Q8xvT^;A)(n
z4~r2rXCYW~Uk70Ssy0}39iMv@UPhJ5jr9eG@f1Wx-Cg)$2N|%#X`s64Y=h{TAejFO
z!2U($EtoTNn{YoYuZ-8wN7p;r+-kvT8mU-6S~KaYsd&v+nKK=S@F1;O8!9<~T=XO3
z+F78%P9Ak1%>(0;%TQK80+qi`g96SJpLQKa1vqGW3m}e9gP*!;j%~0EdG>F3uOu
z1`Ez{Eb6sdS6MyK+vRYHG*^_SH*w^Lvq3gA5lq#Wz`VhNc?!ObH_;6GE>v;^xfn*|
z&g3dfn5c!BiK1_)Z-{WX{Rxh|g<}T(3is1wA%#NX!jhyTK7lo&VSUe>jUxnWW4I
zP>Z&4U~o9EPfAGm{=CKaG29BR)Um%e)xY}gI~h&I|bZPIixG&
z9oMg+f!YbUKKETdGmjYGPs<`7(2+~gL1Ww3thOjA^d##q%N8A{_H@GYE6-VlIe!bf
z-e%-(4K;Fd2l|x^srY*hHLjc63%OicK81j;e2T8^dKxg1W>HqGmC?Uhw9WLj(Ny~-
zR>((ElN@^9;xug3VVkwOC?_r2*@GGT#j^P;p|a&hIN
zEt{5*hn%gY1wR76p8E>?cID-omRy<^&-Go;pMiXV^ZY?zIVVTsVUZfnr#2JpEe15~
zfI=ZyzMvjBB(g3bvX~;0s;Y_14CSsTLh0VAu5}*cSH}0w&d?v&F;|5@uM`_mI1&N-
z&}ET7a3OGk!n6w%2#0(m@8bZtOfmOh)Pb5dndb$^rR5M@l<|83-l6jZFjeX9?PW;A
zLsu-PW*qH$2t}#RcQwc!){}3a2<;N*=i(bNUzY~@IQiT@xT^A$CUjUC!7q9r-A1MdEC0Wx;jQ)!EwH*4v;DZ%<(hYwOiK9K#
zlI*yE)
z{%AGykx$T=_yoNG{4sN1^b)+QLc8@P&`F)rd(c&5DC8)DP~34G(0&<>cwy)=9fzEj#-E8Vp9zvS_4_J6+`Z{1mWkSZS?Xsa+K0=>{
z^?tKPeFW?JaE;yz{nWL$+|=l~lmps^j)pNwH17#$4yNxBT)2j#@s%i;OX5i2e$j$^
z3~z+?Ot?}8x{yCVxIeYv9*28CQ52e1PpDex&ZI=4Pzh?YsWK^VXdo1UfMXmVNaG;+
zPIgda*QQ({iG~?}Z9m?ej$Wb?2Jt3pH5hXGY$*)P&
z+Cj#G?H%-nZ6m3)HV+MvN~hqyHw~9)UY#dz%z~Oy5gV?dm>|3TNqkd2X2nsD!hhk;
zClEs~C2{W9R{SH&Ry?`}m$v3(k799aKEq1P_auC&X^XEDSjKnKJ>A*NT$Kv3`yNxS
zs}7_B-x6H8Ka0t7xja~=?kk4Z+(68$Y_WJf@tmi@Z&i+NT+MvXavf}ji#ZnfPp)eW
zz6Gt)RjY{eWV*V=e_hCb^#-ZLS&RRZd<6ha6&*FaD`ed$u?Ll2f-<#$S@?lrM|4M&
zl%B|3v(D8U_*s5sns>s*J^=tvtK1ebzGKw@=O8zu3tP~0#XJ#YuQZ9o+Y6po@`5!d
z|0H|O*XcF*k{YvO-pBCY@m4xJOw60>)wUzm5|of?DvnXdvM+PGT7q!2+aKGTkBQG)
zcJwj45L#hR<;uv8W|Jx77w|x01tw;%i%FP)X-@ijYb{)l%&>&7i!8p5qrj_Z&V{i8
zBkr8|xk$*vHlvvgHZ&OygCi{A@yBT%>Hd7SpnW?$(5taUd>Wh6aiue3F-(?c!mC%q
z>*xp>ytUl=?Wr}~Z1MU4p2Qa}zJ>~@abxxxma^9H`!)O#j(S+L=o-ep!$NB~(7(hQ
zUTyI;3%|evv>#~=l}xRnl0qsm6NbNMT$BKggsCN$Fyc=tYyD;qH^Ow~23kKQcQR31*dmS
zao9z&XH+z5BX=WpQssjbz1
z4>CU2A6q`x(R#MHKf9=RIXJMOKWq3?(-wax;Jx@xxUF(?R}1sK^z)PcYtQ$+0~WKs
zX4ZH2FUo9lbMsI$H4Et;jF>JA#6GTUwRk>p-3(DM+Rt1SySOpqd5;AjEaY+a
z^^pYVVR6N>@v-4STMmU9Ijphd@Br?`XFrMS{DU;lgb%(4YoB=JVxg5L{;Icdnqghb
z-${HC_;e}+{EapH9(S+@U8fg4m)o2!%whVD9_$~sd9A*|`8j{8#p_88YYY5crHOc5
z*H?DH8Ak~ds3Z@A+G7#(nJlLbk}#G%oJb3lRM#&cs*dxAOo8im679<6qr(}ZO>}3s
zCEHneH(npT;d*X*6ZzIV}Pr;0Nryv6pO{+>F%tcD<2mOEB*v0GD1y6d=YfHNH3Mt3gJC!imOAELwpqNNIC=-g-q)>Qp1T0+IiCgQm{P$e
z%`eIQ^5x67F5kLkQ{!+bgM6(FR$DT70Pn#&VOQmnTK1hun{5RW$x6#&yHqm#y8UT>
z#iKR+5-tJj=uFOJR#0EG;2mh`H7+$8?jqefp}jnZ}O&Rn&?YJvh6lsmN)d!)cIdr9uVhWMNs
z5B-Q6@G`PNhx&UQ>2{lWNa!MTb+(a_SMNI9sYya3_K}Apk%VbBM-k3OJr1@(V+&)F
zKT}8InB?UK7yLH9kYKFCKuJ#s(%ce$$addoS7_mDLrJXqZa5(W^nWq@W!egDr+*@DK#C!WQN^e9Y7q+bx
zo3Y&ANNFmxul}UEo82S65$~(}!kn{xbHAWGlD6hX#}V~)u7;`tf1RTvDA|6-ysTK!
zU1KhVdb8==8F7Eg=3gG(XOC2mlYDgo3<+2vl#pXbyN)3m+2Q20|9u+AmgpF;6SPe80qLtPztEU7SbsVo#)=do}QBVl?Faks`pYJU5ZW`pr(N%JCabUrP|;S9Fk`io$LyJ
zlFr6*6HzK{iE><=!1!I#nTTkFm`3~)p`fp#4Gp3)JhvFy!~wuU^uYtV)!sK_If{fj
zPSnwAGr{*|tanr6{PlKjv}h#wZ#nl5^zP^*bAYJi^hyv;A~Q;AU6QeV)oXKhN;l;EcirU8E$bz>p+p80ZDFIU
z(oM;DRj32JI-5y%S0||}2Yy6Yl=t_AbSFA+?ya2iPGY*_eQ-aWZ&`E?^fR#y1QSQ*
z)7?g7)4iC;d$%R;S-cRhr#!-*&NfGIi+UCZ9GN(*Eb{w$$;S>^&&%%As
zNOcB*%`E0~;b`d#5E5pTnKW&4V%xCq3Gg%%9!SY)?nWU=P6G&{U!&pk&{)uIImNlV
z@~2kL=~4IqUc6-PZYg?MkKd*L#Cn%Ly2eRf`xkzdo|n73&!Xo9mhc@kopP|7Nr98p
zeOpR#03>jfe19f+U0q$vx|Zqdl%RWksrPf)X3=@#Id@RzX9_w=j`QG+KAY+c@DS5~
zxkdkJY&1E%61l>REaoJl5xvjHw0ah;r=J(R^(&sUZX%NDMz~aYFhO1YtSiWqWBByOF4fQy{`YH4t
z=GZuwq;hPoG5Fx)&<7H9;PbS1yL(Gk0UKjeG|jiV>Nt9IQ|ruUIA=u^wug|
zDQ0Y3u3OCH&q7G}bY0j<@rcFWU3mXo6%JIU4K9x_3-Um1G~Dxeoc|f~=VzvGPE1T}
znb@MMxeWeXf?xO8xT1z%!aw*#@wYrq{O68a{F`&-xz*Q@&5-EP$`y2+*b2+!k<5kd
zFj(}4FgPq84G#XeakOOPi1qYxYaM6d5AiyR<&own8DXkpht;T{B;6A{~{!
zrK7Xko9QH83R8*|fapOv;mXD}dhRV$15LO_3D<^Dc5kcROSd)jbw@NKu}$fS$HwG`$o!e}{w2MnwIQ~Rw&@&TDym6@R|w;urUqVJ
zZpm*JK9AQ?ETN^Tg26(t7<$x!cGKVqIWG
zaRKRq)&h{E5R8;s9X1N_ICR0(AWc~{NT;yN)as?{$x`)5JhQYct1@ZDGMdQQ*ORJD
zf;hiXwpjU%r~a>Qn(W(!t{OohHC9oZ>nJqh%uL{nyhq9ePUk%uUgcvJuScPZJ0Djq
zTB_1Y)$k+!#Ny}ZUT3ik*34|pIMXztSxs9spTLXpopiDVo!B!jssWsRq3U)80d3?pYFC@4e8B0v2)fJhrZ*(St8^#-w-Z?Skd=^O+|
zt%F9Qxe)pT6flBP@JXA49Z}kPN$OXKn*GuRpzbksn_Yxsa~MbeCGMj0lHx7WZ7vrJ
zK1y_wz7>w7z&JPvGlDaUjEAGl$&DyC>RlPi3PA1@KaFKI6~ccSD0=TD_^zLVPt|vh
z?^5oXL&0P6R>0wKD5!T+^hi_}p`ul9AXN0f+(4>^bE8$mc^mbUA8N
z)R`*gB(|uUQ}xy4Zhynd2|o_6ocjgIjbcb#*5q(IL3sj`oXv#E`19lZl*Fx3#C#Mi
zK4#!uW`8VJi<*?arWv3F6XGEBy=ZRsNi`7X_ihb+uiNlOdh=)K2oD3O+(CyQH0hGD
zcjq`_k8AGZWPUbcV?%u%7O_}rAO(ng``~cQv@?)i%X7f|Z;^zvB
zpILZ4-at2gxuMQcGUCcf8%?!H36(dWu@>FBsZ<}crmd%lFX`3rC1G|~nQl&lG2$)p
z32M+8Phf%dYBUU*b72xdoiXu+Ny7DFqZ7^*I1L9YH+CU1n%;*(2`xut4#R^WeOJhX
zkb^wr@_NyL`wk6r2UqwmMdqS8t3s%&sc5aBE*_w%w7O@7#%?;!nEb?Ddan9Irsi)K
z;eUm}&u)e`cyZ+gU7F7p
zlxZ@lu+ih@Nc@#UUj^^g^eI?hPE~vzN?E2~-NRVq6?4bpw+<&k6
zR>I5+I%zt3M_Wrk1lJ$OaIdl8K8SnaMfCO9Kvzrjb&8G$Yrn^j;PrD~r-^|p^$!e_
z!oa_^x-OVaMKi(a`?rNY^O3o^U}k)d2QoJEpNx!m(06YSW&B7mtFEnCV*0x;S>GMQ
z+o2=lyT`2Wj)PuVnoZME``y2%zav>)-Wh01tA^(U-xX~CZGqVJ9!?XUoPK!v})V*u={hCY^jcl;ruuBjM*H}_Ql_7y`PnD0zI=`}zU
zHkRr%OeeuDUX$cn;~#}O@}JP7p)Tv^hG#Pm$k2EjefP(qtp6*}(cZ4sk{|1m`Sw%R
zx5x0A(73?2-?zR!4qB%A+rjR6-^zOH+f(pLXwl!U8lDgLk@UB;M%OlxhU%PiA|ljh
zGXqC_JF;W(FGAja3WL$_uk4|HaH_cQCe<62f;pue@>{YUycqVf4%
z#Cdcm{v9_3cUL9soK=`cmJTxpLwg*4`yrX}(jx*}L&~zqYNRFrBaK_p4L+iT-a1*RgAkuf$gEZ65`tBsI3eKRh{u+4Fx4xT&H$Zcs
z6XADe9$iY#?+oR93W@}8z;{yL$zJQb6Yv&zCh2T{&39%!;_rx$Ex~#WCf}W#r8#)D
z-{BkZ_Udc(cjH6hcV>oN>dbwYp$~h(4fLRa(RU_y@pI;!g5>Nw^$I$rdYhB8?`Ht)
z!?bSkcP7X2cA%A`lh5F-17QDT)~zmqcjBFg?Xy|u3Krt^h~S;XbpV99Ere(0D{^qnf(th@IVyfc^`uzIBS?)@|CyQBL4
z5wx#s?{e8;eRl#r3`geQ`SM!py9e=VcrmS?Zrj~t)+GKmXMKAbJ_>a6j|>vj_}l9B
zG@sA<_9UJNP+Wywdxca>bTcq_
z%?$veQ{HCo8W@I=+lZ&PS3dy^&KR#cpDq;asMO`r<2jUGSok$%zFK3q4&~B)N>uyh
zVOH^1M`i8&exq`UexsCkZIvDpA2$NX{~>RU`4|uR_$(mBJ!$9;SI}KY$(gFA2!y1C
zB(1Ep;8K$*03mS&c=iLZ$5Qf|2=ROd80ATEWDc0*brUXT;2?7{Qr9)CZ|XOI7t32>
zSgV@?SaVMUpuAkr!1z-HE}FtdG+hTE{#f1=!?_@&>0@)}DEF+%qx3)&jDbi8d?{Tp
zY~2S|>%LOlx{u($4?w6CoqrnANiDJ0R94oZhD?{g1M(>f0fM4}rXXz(_lQ{Unukj*
zBaz
zgCzNyKG9LH2uH$zp*5@bN9Hb}Jrd__QQ!3_Z_AN%chNgXLy5ARsD!C5sQL!3Fs!=~
zuvgk8-{msH;lbYSa#y*twYiwbCf4Y-$Mx7L_#*(6Q?YP;?xOo6+8J8XQ5@C4zMNoh
z1)$oNh2p^!xs>z6rE#EC^`v{Yrf41qpqI<+N-H**xw*{N(o&AWMWk2bo)`yJ6CxzCPc$N$EpMRcKM2Z`(BJsUe#^Q=zxCc@-m7mR_{N@nJKjC_
zL(1pwMCpto$U2W9IPq}`QaXD*&ZsX2tvBvv7@Vbux&zV5W#j$5*o9p~gF}OUAQ!lP
z?z?=%#7wUzJbxA9d7kcmeN$zBHwsxsP@KuHTJMC4j@JeCk$6oUhe21
zy;-!^7jwQVae_@yaW=)ct2gt#hEE{;?+x*v(R^w-YW@H<5y0X*oyUApTN5D)J50G7
z25n8S2YUt@HGiJb!?M1U9ya!GIlPm|&U(?0DQ~&vMsk2NdU>&LA-aJ?PhiXHHJLW|
zTLZ!R=K$6_R(_hSkxq0FH53GNsCFBC;rUbPu3Vg6u+#7SS}qe|7qs#~_|`j4GoH=+
z_&DkM9{|9H%39jdjzFkGjxEh4hQdDg>f&>+q&G#mrpKJg7v4tj_L%b}GmAWZzHF=>
z6hlNucy>R_oCPh-<(w}Z*3qtz(^1LIi!Xr_=2;%GgcmpJwA;q0zKiB;|CWK(L$GcD
zpnU%NoU4L8f;C4#UAQ3{8=IPpP4!QD4gXPmz_Kf5=GH<7bvI0};!^fRnX&}pwIrA|
zYdN#LgR+2X*K*M{jMtBhlsHfRTB|?c+wtjhKPH|d!)&SA14EyI6VpdfFxr6b$YrGKg18bDs
z-&iuc2Tks(cm&2sC&my(lbyM}U;=fJDq1hg6G%hatZ`{0rL`^5jA=7hZ6ghg`~A-h
z55M8+=e#_em-g=Jw{HA$&$4@Oe9jBQscOr<@(?y1aK7-bt%J8;6^%?gdNZ#2ufdhK
zTx~|G{m(Bshpv61w%3zzPf|_ms|_99M8`4!(B59EiZx2}Yz<3S`TWw=wy0i}&#za_
zA%>Nz#-@twNBPZ~dQ#GdFJnL1;0xN3ahXYW`~DJnykDpZptH`+<~%TJ)ztZnXdV=w%#`hL)QotG0z385syxL*AC4UArbv2O{zue0_3zp4NGRsiQw
zlTWafaDFR(zv`p2iXmg>tV-W=rl>S5RNMopIz>wNjqYZ$JL9@6lF7B^tXjBsFfLuP
zEzsnw8UbL(!X73BbGKP5)462fPW759b1Xjz{ov=mP~DB+H8cUybOivcsw_{sh|nqT
zL?W}aDDlfl?}RdMJ<~+j_rtY#FSL_QGf)&9g%dPq>F?|AY86}rzBB#feQ^SxQ2^sg
zOQdm?)F-2)J3)rMqKv*v-^!0Z0ly3T2#>b;q_EPX=ap~UyCE_3Xj|yg?KppZ+{#~{
zWW9JB#RB5Y@)~DNI!aDiY3n7EwQl0`QQrDDt-SR~)USAS(xl;9iR$s(94lMBtFsj4
zs?(!QOnbjY`!V(pxPKwqP15Fh(f-96+6nFoXkUuAF$}3!A9tyT<%5aPo~k>9Q2ZL+7WY+AE=2TdQb@k^^G((K%oAfuj0+)4LDGKtn~h7QIh
zdLmumd>CJ9c%#2|B;El4rAkq72HOBYv($zi6R|&$>Zhi-t84v>
zh9=`-1gu7T<7)BwcyBy4#PJqrCH-CJbL3nb7dqHGJfttppm!2^8_D*Q^u=CA80tuq
zgPU*jrl#^x>ri=cpn-NuWLJrM=kDHxEAqu^o*vt%YyzV4-+jA_v^rqRzD7(B)f8?mm%*$
zfoyU(=m?0Mx(^~l!Dcd@v$oV=5Yj0CH!qhHeEpZha9IHVjqH~ILC5q0bJz%?bKzFq
zuYcX@RqbsI^Aem%52;%tId086g1&3CL43s>3O5#VjHXaidEZ4{7hSMr;|9`#iLrr(
z#-PZwvEInq;J>*RKa9X-gdY`LDSiS#eI_P1j}^GXwpT9Px?z2HS4ah$^aCo29wRdH
zN;pJC&NWoj6$};IGzFVB(pat)%SMJujW!McyXUl;7{hpNjDhZ4yp8te0^x;Nv!`TD
zSiw{VhT#NLcly77wv_SF#5XM;Z4y^NKfOcS?iq0tkJynlewpbt7y4r{KN|t$nN;lZ
zPmE8X&2hS3%KF-(QbepL$PQyk>~VCgZ8SXNyQ=+igW13fo$?73Kj(SlZFQl^(#;)P=-Bq
zI3hO1k>v($=JyRY#XU8e0QgH~kzh9w?3Q5N-u9th$^mLEFyv{_$umT8M-05B2KZ12
zoP65qZm%QqX(4)tnC34qxdNLu>P^}u9T-9`NDvO}QIZ6ZIJ>E4h2*o1#G`*qzTIyB
z(kMnmc`gRNcnE;>I)X0^{N!{}C}mxIMlFtGef4hsVuNEn>Dea;2hQRpb5(e2rC308
zno&UyO5seJ#@g$EAt0kC5haz7GvIRf2zhl%fSLxxFp-5~9Z^`Pqq2G4&!p$c0}K5a
zqRG&ldId0CrEfi&ZQa+~)j>Y1D{&cHmWz7ZOjcj(e3CyUt_%Ba$cLEwIi0(CWLQQ8
z-2oqll7mEuK78gOH&Ggco$j`hyXXt6iG67~+B3EZ|DS0&zRt+aPXb{b(cdV>Ca285
z9-lXfgr^&fC}b=V=1TixrW8A1{REUsMChjmUj({!w>1OM(A%Zy{l|)*%)JPSv&UaB
zjVO+eD3>MSkq-0Jurl=vMHPOa6j(nb3ge$uR#`Iwm--2{V{cw?(8g~#Kcc;Q6Tgh_
zjN>qW0RS(m6x-X1$dO4pJtA3km{0_*4OxGO!slCn5*XoRf6@|tvKRo(^Pe>}=`$!e
zJfHX*6rH*54z(}#l|F9#Z1zli2RyrS?9%P5SQw?=BJ~p4DwlcAMHg<_ykY$sdTIfW
zPnPOfL6v&0pGN7jbf(7
zvPAA9AcuYRn!18M!}Iy#UMLoItP-hdFImJiWYS}SG%mQ{g3B+s{IW|f-ch-Tm|M42
zlhdfl(f;1R6PEA)nK>2nU$FR}fxpEY>F&z#FN~kR&@?gagO^ISU-92Rf7a9^8~xBY
zB-JC++vH+($mdsoTvL0TOKOkJnZ1i}y#jz%_xx*)>(Z6R#jw)2kghads>-;&y~f7>
zKeJ+X&V5@9%CAMf2VNZN`Acy<`B`OjpsC21(-Cy6PU$!U!I_wfaW*BClyRxxxLJe!
zIhB-^_Ni43L#C<{r}8&M3~)RFEd+1_vVmg=N<|9lMTcz?`N
z%j01wzLWCSoixMRa6iqCTjV;TM(Twk=2;;>wbVs~c}#@i7B`0v!~?&)_3HA=I@v
zp~h?}ZU{%*^EPkwyq$r+GCgk%$qRK6wr0})Cg9AZV_wY-X=Hyzv{4Htb2c?K*0t2PXvkq4{7OydZgcluNwCW%XB3=Z*vnK5#5!RY
zf@f$|Ueu=pn?f1B7pKU6NYiXC4H}gbQJ+hw_buvcPS_Z0zH=ht!NjnxB%Ea<>+X%z
zP0w(WKFNzQaQh@*0?$f)cl?*i$Fp<38uE4#?x!3@L)SHCv={h$qIDz`VFLnTbugP@XE0#I~R
z1?GriI8}3AIZpWEn@6CQ7gCm`KClQmF;7QkbCY%M7s+CGXj+*L=-$=z7YyR)i$)7&H*P&AUIuz&H6)c)(;GghD
z$^~1PW)qHEi0Y7TdfR>S<`x^;cU!cd#?B>a*YI7GOh}vduy>nH`!Cb96At)&$f7=J
z)}7t2E2iG`o&*qIRE4-#=jTJ&{}^witoNR7eKXY8%ID`FR
z_<|nRO)B3*L50tXx)@=?AmFf=T|`V{62q9L=SWlJtF}%5*R(Sh1A3}q)&;Ep1KTr
zh#ER91_u_Qr|;ZP;+!;ElPyFC{-g7rx!b7^)yHGvft
z9KcHHfN{S5DlMzOH?mqq^nW^()sHm&x?gldsgUP9aJ#v}ew5IMLQ?B=&ey7}W9{1G>*>NaY%33!f-)W;|69xNQNAVa{q=(of4|00UQtth
z9S5hSnITt9<41!Z0D`2Sy5vcru*22p&0kyS3Hi`qnR=>veNhhFeHm}H5240SZ{Ul)
z)l#apymo;?X7e_C#(JAIunSP69>q(&&3fQ^?zK-~EPE0odY{GD8T=AfC`LAbo=k=LgAR{@+>4KfW0|aF}8T?Wp`T|5Q0HeNBtKIa3=u!#BU^D>|zE{PpPNZAs+yLg&31AE_RVADX8Lxg6{*
z#6#NCLA7EanLKlL@ibhGYe+7wD7~~?^uqYAHv?KYo;;*b
zf-e`6i|<=<4gH+N`B&1MxZj&c1-8psF=iqlLuej(!mdjtZo)v5N
zlF;jvE9Ttd3=|-rE99qX_d4h~@m?xnv6$Pd6{#sDtNK7zb)l>_ZzgGN-nDrb#cwXy
zlBq-uwKDsmC9{)Q#!-r!c4Iy_ik?4$uGfmvjU^{0S7WXMt|vWL&X7WRq)@gL^FTXd
zI_vmZspA=XSZ;5uUxk{OwS12yyOYoP8oajhs?As|?7&=p68)UkHNQrJYVry!RH)A_
z>DWxHW1%>q2syu)o3?c>Q;sCX%XL@D%0(Amkg0bil3{%JsEuhE!U!D42HX|hL1a62
zw3eNe1X<09Pfx<`&+Nv2OjXrCSeT39leq#D3qQuyfAMDL2`SKID|2n+jigrn7G`
z8oC_6_QZ-5>(TQpJ$mq2EmR#O~t#~)pI%mnncU^UG!G|y3&+UO+u3^X0f{Ep#ge8}^Jbw?o
zu=2c2xuo`ySIEbwQT@X2VNXanv21o)vUvb=xRq{~@iFG-)}itTx|mFaq)C*@RWcEg
zUsou4TuDFGswS7q?}dE6fe5ZW%7?T+Hne_dJ-H(z!z8nThA=~~J}on5$?SonzkvHH
zckjHINPJ*j-uhly-
zxe4=?VxW6|YERPX;OF%jS^!@a{OQH_Cfz;yZD^!M4eM(5=VvULo_O{z;7yg+SFo;l
zIpzzyv{>isq?+7|#Y!y2I>>u<`ROJ0Z9}kcEtwjL?s@8!SLg=9lMAY6V^8d7*l*S_
zV&1Hyvz{iaXYJud->!4u=lpAHg*Q5~!2YeCvEQ*_nBKADGyesZ=bq1dHtpv^{@Ta6
zjdx6*#~HV&`ev$^wB9}+!u!Fee#T4JO@?k$=4+?bqsiof-AA=xHSe5+Z#w|Zp~}cU
zG;ZG_sfSsQaDMIE?)xnM&fxE2gcIyR57tCSC2rKR6?>5ZWw>uvYt7SCs}
zf38Ze`zz6tsmI;eCCsCT
zbH+u5QsJRcIQxR4p}ZxHTp|tqL^?i7%hH#jC^U1P^u+k9kjUfo+%Itr$)gS3T#Y=)
zWuznVa3C3S8r{b$51LKdV98_dXrLoUV>*mHPQU32~&q|6&_x0B3O?^slCgmwhZ%$qNd3agn#d;2#=WiZn`FJPs*pYTo6If*i}tCinVgPreNeYK2DMw-!i_1p52#CWb0FXN`61I7}MIIW_7Qm^jIq^sptz
zlh=KnK<0FY;&i%IG$y
zyb9d{)RAtoQ)5ZRk}>Wx9p;N|(&ft**`$!t1c4Gp2WAzUyFSCYr2@gFtPaS}2vok4)mR&o)lccFVsJ=O_*(Er;4V)RDx_+c9
zcLi|4uU(*kmr8iUz7ExUsIP;S8}Sf+YpzPYDPu5;_ok%Uf_tc5z9uh%;Owb^vv`Z6
zBv<1Ri=H$1Iow9|P7|m&PR0Y~I9-igO)WBCxzyA&f4=f7EIKKsKDPjTAov+{XTvA@
zU#8wsOFzCDTX2Zr_oHw%e8p*gjmr;%E8L)9OB~MRp&^=*9M^CJaqz=6^iv%CYm_aM
zhVE*4yJAKnNgfWFU7x{*g~Gf~(;5WlafX}A(s6A!(}6`FtX0##!z_q)cV{ePh0DA>aH)4
zCz^#-Bk{o(5Tn<~{h&IrDSK{qHtK}uM=hRDVhKlrT0Zo>RjAyRD3zA70Y3v&aWgf>r&E7g|@qY3--yq(zv1_c7)^^55yYO0P;x^})
z+K}Si#C?l+S#+M!9iiKvJ6vMT6f_r8+GZB`Uy9kGr
z#Z0DZ5fPqC^;*7NbrYUT3D29t{skYz8>o*@5gjZeCm%ZO^G0vdane!Ed?T$TV{wl=
z%Bealz7XY9!QCO;NoXVaDCAH?(-BC53`+5(Nyv#o26uNd%xFkMC*Y8xd)T6T5?A6u
zi*7Tp@$u394U6tcI1PO^-2w#B9nR7$J|4RN!J_*NeiFCROyc$Eiimb+G90Hi4Z=g0
z33m}DMn*<9jBKDwf_U-!V_xLTEnd#x<#Sc4HziyVKTbShss<+#&MdZKbi^H@OL)81
z;_VcC4fn&#d%_I5$*LTs2
zXo3-AP7TI*^)e>8W-)9K6R(7rc&(lgZ0&SEpvgz*0n6vp1>zJ$3p0Vf8k|DL^_*pYo
z^FIE5Ypy2I>;q8dojn^gl*rMgBuAgw-6P}O1#A(Xi
z?$?nxZPhDU3Pix|puk1tP7yBx*nY_kYhnFgnaXhWbH;$atm8Xmxt8BE#D}68MR0G3
z;~9`6esrj_rP*hSJ0wCRodV@Ja4?w^>6)G&z&T!%O0XUo#vvTk+%z|PJ!yW%EPf_&
z3UAHk#|4G1dIJ1>%Hn4d{u3G(;ztrcQPKJ1=jRcNpEHc%HnQv1qOTI3nBl3$utVi9
z!kj)!)(x#&vAn4vWRi@lm`8c1#p4;gYwl69t=6F@Z9XXx(IY;SaBt3J0QvLT9Uev;
zUOybXdX0|6Z0CvXgzpw)EVJsWn{@E`1c=ZA!&=Go;cn?+3-j
ze=tSOVaP(H5NIsLoO#deuih)aDn4q-@FCVbH%C_6{Jjv$D74<@i>j2`3M8ZIaq$d(
zpCzM*a0D1!QrVHU4>W5B!q<Bn7tC!D1_#yD=E?T0O4_zM%&VYdS
zb04SvZC2j!L+r(K7ung`VqPD&9Z@&4MjmEsTfNcWXVH8H{|hT*^9-Tl^XYaHx^0g?
z%|S~`%W%uEKFNs@a>V1lTz6W0oWX169;Nz~MdLc7ItNAg{9k?*KrpJ+_-#DN8I>rcv7=zj-R8f&
zKlCx*NBqS7EhtBL1V4;#!cU-r?Q=hydoksK*4HtWkuz+j$M1_%P!~)gUcOATYVwHv
z0TUO#H=cbF_b$d+=Z64vu4MNvR-9DYq5cZMRovPYlyde&LvNDq#U|HW<57HfP0u{S
za}z*z&pcN+L9~f*2p7e^q+K2@A5|2X)c%^DdBl%&Q~Zn@Jp3lp$2Y4-t>SDkZmbbL
zR9B{X*~GWRb!9&cd3oLA#8I~hj!}&x>h(%EHW(aigXwn?^n6ue&sT+TFz5_HyE>l1
ztrXi6l_cmch^4p#te3=%@8ze7k1%fhV}k>KaDF)I&Id=I=EKhECs}>e^dO#>XD@;ABR2p{IIQ00zcdJx>KL;xc9!n1wS!8o0ERu!t_BELGOKsAF1gq;Ov3u
zlqw~&E4Eheb*QGHrpGGI(pgp8V|5|ebv3YSdaRCA?{#;Gzpbt3##uQFKsg)>)^is;
zdL)PZ5rGc1r6|~?+)yaMo}`{TvzD7)Db1Op8u{+pT5g=BHK6*2%v$aO5Pr-bF$LWP
z4*SwY+=L$YM3vn0tGMGl=?SePKN63`^JXs!b>u++xTSJaf1XLC>$(HE(}{F>19x1P
z(=(%@LF*2e&XkYIkafi1B7kc=bG7yMFf=7bJtMs%VOwGsyIFUx-MkI_xcVT!k6#(j
zMBQd+z`q4Wd8#>-$kCDQ$ej)h?o||0pq$C3fyTkm)f(d0H!_+On(pDA;a1&+xvt|$L8zv(^vGuayV9=_b1RrIa~3LVsKF7%Iz485?@EQubq?BM3GD(e9l<)Gn>L+^Z|
zSMP;p=z#%>B=+|;HFA)}0&^72CIODf0QUj&(N)Zy)(a)2x!U#`E$!`XY3Uv49cbxk
z>F(D?&|qJwKHoBdYc-m+Yd8&%=v%+B6xl%~Geu&+DXaC&`P$chc@BrGpZwLiOHTaB
zpJ)TuTFpd^C!-|_2F*(*et$PTaK@NUG?Z}b)x%WqCo+OcWW93sY9jKHM*=7
zvQ~5j*-!0APOUTPAaVqOunz>dO1M)JiI}jliq7S0Htk#+wC%ewmQ`7m10iDY*N81;
zEl3RLyJGf>Uz}xo-}IM%`C@Fnj%|OidK};IhI47#X0nR?)pd>w(BI->+wug&B|3v@|rk`xhK(4vg2`6Q;uiY3h;1~v+fpYNYlKaUM
z_;>&KkJ}%*i8a0CpRn|dYJTgP7ryA+hhNQSW-ryE{?2T5^m~P~XS=FDsovi5@WVdl
zf8PDD=503UUr@b8P1MeDfDtpt0TmR*@wxw`D(h&T1GO@U8yVEQ(Am~l&rvVV#tjU&
z`O#bl7Z6;WiRL?a)_e!b!=E?dA=hQ>(OcwIwLR=%#PqNydidXIdh{I=^|CM3n~n!L
z7s_>chbUROLQ@h^;M+Z&Q2ShmN#;meTPER9ZR^`k)A=^ErKYv~9wwebKk3mB
zPq)FNZ-}Cj60og_@IY%><6(v)M)#RSAUq5uJ0y_qNHU4&=4jJaRJpGd;#s9-_i?L!
zl-6md#-rci)Agei>+J5*Y{;Z|RA5{^3c)0_s6JFh^`RQRwCY1?ZSK_Y^_`cl4@E}s
zNde>HP&2TU8-;750#IW}Vcf^AgI?y^Xn8>b(zVIClf&x=X&t@YpsQ%@vKdjH-6aV@L)xUT?8xc^d_T%SEXU{gB
zyLYzwH98WoW0u{~L}R~`zIbq^Qt0XIsOMZTM2MQT+K+7
zW|*02jFa{y9ZPSByT+?&fmxUKS9ltaE<2RON^(y?cS$4~4w}YQ^^Ob|=
zzJK9`_~r81v&D1kqWhA3Kr^YJyMuhQCdGxeq+KN)MFLXD9n&s|5+mYckB)Wyzj|7*
zf$$J_!pmrVcsn&l%gDQ5fKx9$_fOCI_IK_)_n*(lt6%;6>ieI^R^IicFW<>lKd<`!
zBkY0dL~s*5v--OH!w3I^#2UKsxhE+MA4tLKsCi1M*><~%(bLi);bSA-TB&~YU$R8-g$ks`}VIn
zcOGRQxgEc8>mQ!J9lv$U2c4(kr$zPK^$$Ok|MX{a4?SFu&0M3z_tLbAT&{Plb~c)d2rD_fU4Q0C?JCU}Rtb;mzLE+Y0C?JCU}Rw6Ncww~fr0be{{{a~aozxm
zpa2$W0J)F{rg+*klw*{n$r6U2FEcW~8rx>Id&kq->8fgvtsb_q*4Q{>&)T+a+qP|c
z>&DfOIFWqMd7p^P;1>YUtO2$yJLMXpGM!QG5X0mjGK2fsVXkJbd5i+PpMg@ru;5p6
zZ8jTCOV*pOlAp_dme_3^Da~Zc97f6p21}97moZ$Xyx<66O!`)Z0|omHy@+Q8PRFuDq|~UGxu+Q{B$=msO0D*GN^*3A>OI
z>B|!H7a7WKfb5~4Z&aR_(qA=uN)~g>Zlb|eY%)7&<jOrL|QrQ>$#B|f0
zTCLep_Gt>;W=?X~Q|qfJx7U*yCW%W11#TH-uBWm~CF*~pT<#}dj#7?iFhSm7pzp^}
zbB+4?g*4?qR=xM|M^NMplftK{3#Ti;@5!)zl3%+QDAjY5{5K4A3&=D_CBK$MRN58H
zvyBwn2KAf4Hf3;p@FFSp7Mkso%nR-%%d}^bX~6<}^Ix+~HEZoFB!WAYmtnnhR9@;y
z9wp{(qP1J5e(q$5yv;ZtCnjf5;yz@If0!|@kO^`xOXXVD$XsQsJsbo6bRD_S?dnm+yhke|p7@1&DkLR=0q*9FX%Lh@Y^!@^urWGHdBjhSvZ^WA95{YRR&
z>Ri|4P4)f~6|PC&(jq;t>)~Oh={t^w161b|jnTyYtCYF{RJv}-@0H86uq6dylWKHL
zCRJxvSjifH4Qo|zPPmM*zL~gtnUV4Vqa(fP5YC}rxPx5fQrhAdQX=otO&S?#KO@a)
zFDbK0ZiD*2NEzvyl=URSERORj%>0k`MXLQSwUWwgnLtPT65FLE8-nMl3!dYs@Bw;<
zE9ouIli?=OQGQSUBoC1<bMc_C1GO$gNO$q%kJ?K`@-$JOP0ZCW!!4s&Hd7$m$a8HtMUG>s
zo4{!QG&%lu%6ui=-Bro&hGfa-9
z*xbu9`z71l&1?(TlVftpFol%bfAW>
zkwvDwNV;sKO1{^uJtSK-UZTo9r5v8o@j_A@WJm=GexVxM)VS`EV)qx7oQH)gqkWPgUUwc5_|=8}#36nm}r6zXFi+U3yitmmZCL*qnWrKd)fdfLCDubSU8ol-vyMK6ttUP`}=6+N`qud*JJ
zMITAc^Pf#u)jLDcH>09&BA$V3ht6|xzgUMQ2AjhZz5eX*20cH{VG(%1#w*{RZV>PKd7^yAW+_^}!L{DX{3et5=Ee?0ZD-!1-TA22^+
zZq{tb+N=%c6|N>Xcnx#GSuhrS1w+A%tWCHS7Pk8w<#Rs6;VSM2*Rc+{AJ-G-!%V7+
z-|$
zFf8K&Q^J6}4l_{uNErslz}-my)3vFC8sy3kv6~zgg%_Cvo;h?FHo=+381NID
zf_LH5pw7Vk3cdet|6`{6{PbRaR^0cDB|S-*9h0qi{q%)?Mcnr~_x#DjtkgN_Pp)+r
zy6u@>h`qwvWlwM(U>|TE(41(l
z&B4>b-ysD^U&vg@cF0}Gcc=&Y6vl#$gx!TR;T_>C;T4Dgq9@`w5`zpN=OZ7Yn5fRE
zgJ=eNAbKad45Pse#GJ;0us&>O>~QRA>_zNrYz?j}?kFCI?~XrBfDpP9_7gr5MZ~_u
zg(LteMw&=^OLmY4lkZa~l%|xKl!sIfwL5h+^*yzQ=An(Gt)+wL?dew;Dn@}(RzfLR
z$}D0Em<8r@W?8ACw0-G%7K$Ze^=55mon@7=3G5iVKYK6xCnv;N$f@A6xNEt;c_H3w
zeuO`m|4|ST>=xV?GKH;$vxT2UKGANmLflroSAvqXmh6=xqz>s^>3->B8A8UBHI|K+
z9hbe8)8rv}OZjN|e)&^*nF6PaIGiCaC+XpKCIj$J&5)
zruMN;qHC_(ttaW5>$e(UhJ<0F;kHp?>}kAc5}1aY?wSqex#r)NjODPEWNmKUY%Q~m
zwtcsI>`U!$9R|m7C%{>7u5?zoQm&(JoV&OCz9-<>=!JMK-tj(wue)!jAL5Vr=lfp<
z7=c{ibx;!=9XuZ*ggS<f
zokFFCrUB{E8AN7w=65!dotV9zQ{^V+1^MFzL1A*Cfi8G}tt$Wk0N5;?ZQBcG+s3zT
zKijiy+qP}h4r<$o-MdQJ8rd${16ii5QQkwbNbycNPAMpJRsB>})irgLdY$^2W{_r!
zCR@8edqi8Q+ob!ZU!XsrPd6wH|BS$qytj`
zEdT&JfJeYDa2SYz803YXLG|z`conRNkHG)nT4WreMJVJ9@(oEv+n_5@3cZ2;Lo2ay
zm>$Ehb66}^iI2n8_%8e#UPw$J)({MFg@`BHk<&;exs5zWMpHegDO8wxM8(p>XgiJ2
zm*`BU4Kt5nm=jDkJBpRFPWBZ0j;-dpaErJtTs=R8SMz81WIkEwCs>6;!XL4nxJH!3
zH)6dsK=Mj=q~?a;0Frav-ElJnXwf=NTT7O!Sw65#Aq;+XYmn2D&
z1kB7ZGxN;M%*@++Z_nGz%xuieJi{f`jG
zeK-B-{pJ0g{YZasplm=nKnzj`YX${_*r19;e4Z$s=$ODJg5qp3TPzm)CNm~0Ci^B6lCP3x2`Gt7
z6;3ryDW?3=3@J<6B{fLH)7jJI)7)vvv}5`epaGS@7~q(p&Xmuz&VVz7EJ;R}v1Q#d
zrR-GpK3g#ReYR&7oejz}<^RYV)5E6a`b!s!%J4dFp)SJbxZn
zep1qv^-4gAD?b)W7JvnhDp^&kYE!9Hp2gI~vc;A~)uLBTQU9%OP)pUGrIaPcQvDLJ
z*P92=hP9pIGTcHqjZ#s
z{y-biE>wi7Q8OA@saok?QLo@D9~ce$j&)!l=GUj_zvx-|7CoT1>Ip-Np~z5UXfXf=
zd^KscY_(}syy{$y8`F%%#u{UXQEkMHi8b09XHBpcHGMYGO${c%K1FOYs;~f*k)|EZ6n*HJXu
zIm`}n_scG8SG*h8eRmc++nt~@wwJ%xum|qNTt%**E|JT(pSk~QUtK+QP#a3~!QE+~
z5TLjg3+_(w;!@m7DehXJ6u06Kq=r)hK|*mT?hgp=7FwXV>zDU_zi;N7_s`AU&g{BBUpz+wueMqk%8n4XDsqp*YOc>jKnymrMu5#OW+c=3)`GHxgz6C@=-C+
z$zUH#7leSem4qj*z<;i1>yG9h?r4US?&I1z5Ut^S_W3lWkDutOZ%I0&IO+jt001Tk
zkPQF=tN}Oxbihl11;7oZ@Ne)^0hj=^fCbGlM$#^8>i+fB+fcA$cjC7%q(I==6z<6q
zUeMwFS&?e~kI(FF-1cn}2MjZXR{*f2EufRqp4pL065VSaT=Ee^Z^kP!tpGH+$t0TV
zoz1LJ=%tz0n9sk)?9V~iq~R8oKO=L$z<$dh1yt%Bx~LVXP2YE#*SerI8bkvJ4-$=y
z4Kh;rXXd#qD<;1PVe2QnSJF1QDqdP&^Zl&xn_Ijp^rk`QLeix@O1C#{kDoMOCwFN3
zi#;xTcK=8~79-4=ZkUz(>~b-yO;h-Nmz(dPK{9xovb03Ttc@4cA?j#>1jS4oWveBE
z?^+B7x%C|_96UK&e$4c`E_N)5EEs?WIS4lgJqCaM{Jo^^TEHnJ#&D=0&M+uOsVhMz
zZKHdV7`4secuarKn1G?m3=F0xG`TwzGsB_cT+NFyhW5y+aM*b))^E!l
zyM-?rlldwv_a8bn)%AOHV#zYaUa!;@vR^#h(#xJrbQ!CxtZsrj%^n{e=ytezn&Mjw
zoH^{S661RdCTgUNcGz
zhkFY64jD{sfhARvZGge}=UXLsJkI@2OEXQuN76)#0N*;;Jq^Li6ZcNzt-pu4!jPg?_dCH{Rym
zk{0@)-Qq@>o88h5G;A9C8pdcE#~)-WG!FFweKfCI@z@~twVWjo$L6Pw5C^z867sqo
z3utB!W6d&iYau%+ojw%+Dv6{n!P~6GjH&_XpyZ22MwU`Pxnv
zB*)v5?l@w9a>Q?N#7%M}oRq~5mBsIt#VwR2+&IOm>`3Ci$H73=XaHCbKmYrl#=BRi
zrPSNQ%2Hh9V86Y^9P$2ZT5Ws)Vo3X3bxZHg++Y)GmqXp8)oUYAgr
z*Ai2j-I!ASDeMKQ6ty@?AplxzPrDsBBdk;l0Biw{+N-Lm71Au{L(!cN9`CZB>89Cp>J_VHGwNr#h!?RzQ(NvDF*F@hwSUMr>1y
ze}W}lOJG`PYLtJ9r*2eWR_gS5&0kCj&tV9`;i{TRuF5LdjKrR6%>-MXD{NY1@lVYZ
zZ_6LptjsN)$4BlM5ZhYpw`9*z=F27i!HiAK(-A@vspBz%>Q;eaQHBt&VNlrJ(XbRF
z(9}BaNtUVadtnii*Xhsw<{Y!7FT}UPnYG1`iTYzr&qgdhJPY9W0N?@uexD{*;8hFo
z7Vo4UsPru{NCLmI#&5r;ysl;*Z_MI{&-OynEB^!OfU~W6jhyIQWA~NNtF!IJ6sxcY
z<^PeNCzP2Ph6d9JVWEb4U!U_cBEqD^M$9gZw7(6>=YofK|L<8Qkuw?Oc#ttE#{nr&
zmC0;-vHH8>0`SOL)v}ljAwEw99R{cadLy5k)Z5R;8@`=!ovU|POtuKV
zpcC`inv2ta{V#qJ{>zN4{84zg9BK!@yUoL0Zy(3i7um0{Wf^VIn7-O>kf-TQ3f6j^
z;K!>EaaB0)(m>1>B$|V6u%lJ_*h(Ccz$~K~5xCz4akBOpFVyXTzR)u4{n~mbigCak
zvt7a8LR<$Icc##SG&oI{Sj1>sG@t*PE?o`(uLyon(=Qp#5q`b$URfin%A~<@Ia=!#
z{Lfs&>(vNF)#L&(U*uAhhB0*chwsixq^eF~TfjMTIY!5-{r>8F$4c(y3lk*+O>+f3
zbu$$sZA*DwHB)6nEsMx!0dlA<22h*0&ch1}|2a%Z3$!RoT}`~=3|(!kOaomlq6UPn
z4n~sDgeE~%{e(77fzN~%N!!`PI3SWxUH4FqG@f4bX92WzI*oNS$|by%d@R`Q<7&>V(OS@2Mt7XM?R)YQ4W%Q=tQ8m9ILXB
z#4d^-@XpfzdJn}4!q1u8G0yR$YJxr6MwTVix3z@|5`L!WKL=94Ca4M6gib0V>LuWK
z0zt9S^ZhlYOMrlki5bmiZdNzPV!SJJeOk|2t8n9ba6h68!d
zYW-5s;^0N9glLV(!Z3sNfxuBxwvmj=M$A-#AeNWer08YfGb}`2H+r`uZc;=S6;a`f
zwltz=g`l`nP5h8OIS~`N`GwcWP-Yi!VDbqAL2O{{2#(suywIx7Eo&->2A9=%!IN*kbazL~
zOh7A%Lv^o{8%82
ziX+fS#E)2;*Nxs%2C_&2Cg7$LCE;V(PU`#{cc`yxa9H&k%r971bMkTwKauCV%RUJ4
zn#u@;LJtWRB#^xC2#L4}1zvs<#$@|nV(%W3)@LadtnFpb$@Q?+{NUsZjtN^285XpFZnndCu~
zLza819`RkrV){?gAo8V(GGQTAtfn?8sb|lU^*D{V!1oAlJy%0>{KIC8jZ4VTi4&){
zaOH2Ma;NqIs?m^CuC%(o(6b*|d8SXrOm#jq?{5hTv1c8N?0)-|DoSITtb(!eGCyoE
zYrVp+Isu`6*qtpDzsVt_s`LHewC_fNKFa-2Ga_%Z+#yC~B9XsIyjLblmj*a|Ya;DV
zC}T7`5MQ~@vD6Ot#5ttRB>CQFup?;v_4O%Ls5O8Pjf5J_ZVguqTRU8Tjqr*{6Toma
zyWz?+)ucX}mS@&OnNB4KFh@7;6!ySaGDBDzR#cs-u;VK{eBkzNSvGPxaV^g+h;ar=
zD^9NfNdLG3cGQ$)==NGo#Ead#Y0R@HXUJVOUuNZ$67K+cqV#Jisbv%&ME)u8%C|Xya{6Yez_c
z4ih+3NOr!k-8QXz-zKsGdP^ocy!b+2Ru-v?vsUwL9M$(p^1eHwKh@!>%YG?yeBh6L
z^CLfxIik^{VyK6{9*p`V;}kELHbBCj^xxp`f|n4owAFV|Y6HEB63L
z!B8sq-!|g536XVzNAl(mv3UCwb2>jlfBs>w(W%LgGylz_bME{F^htf@^O0^X-03=j
zDR;Quq_1}16(prc+_p3}bj+?)>H^j4q%_J^wi`0yS)89szD>VMm}9?b-U8W#@_F~+G22#9Qa;$ryfD3#(bB$f4Myu(A!7A;$cLG2Ia5}5-Iw5JJQIO7-qwfqEprEVs8l++S
zdZLYI_3LAf^ldP_qRO$EX_`cetvz`c7~f6w(NrS&*JM~IvoBB83hE!Z~GxdUXo1uRM=?x&|3}Rn8}zjgVmck
zA17wenISJ-yobjt;)`KioWASza`URKl|x&1JuynV$B-|VeD>=vbMCvCoaw={hfcQA
z(BTT=-o2N55=>f?JLspVe6$=EP}0%W0)k#vyy;Zy6%R&vk!Afw#W!+T77
zEP0G`%Rc26HB=+`LRu{#@JQoNlBhWna#dS%V)u`hM>Zw@Z8~E32)Jec&$8@}
z{~J*KZ@}Td0iQYt{-FR5dwgtX^e>&WsGNCo5SN?2CqWJ-*z+YG+vEH$5ru>Wia}Rf
zfo*;8K&aKuU#|P+OChFb=$q#*^s_4~v)^bGZl0!Cs;SY`#ASU-%{4{`xbEK<{~ecc
zy5hmaVav>HXSJnGj7=PEA4QZn#7mo#Ngxv2!o?BbzD97i(g_4TfpsYbMXJ~G5wK^WS&>9{*oq31A1bu;7HcfEfV9TS0I@CLtn1K!r_+
zgx1hpzl
zQhj|_-|{JM@f7O?WEf<+iyc&y(OJ#X*%6l#-RZJ844WwSXGwX6(HI+0t5~_DrWF11
zLJ@CCnWBigwGmv)f$S7e|)i7pBD{4|mk~{i3ax
zYII4~OUt%Hj`U2JZCn1HR!9YjA^rYX+Ydwp3#>nvyC{Mt_c6}2H2_267ts_&|NZ(|
z11?umN<5sV@WSW?QLLpg2#WKs$<_l!g$iBOj58!=wlpQCw8VscGOcpSc`fL59hklk
zziMSnHd0=z7AmzGaj0DLZ&>)j=R0ls_^3P6=S0U*A(DzZ?0yWW$Jqf((8&=?<
zTSAzw(QaTgz_!L<719C$vjqxdAQD9=S|?edf5F!(b_xbeuY5hNNR8x|7H^K)H#>*78p$e`W)iAC#U6CC=whVPq*YaaSK$s_uV)>&d#?zP_s1qAFF1R+0fG
z(TG4o>Lb~1t!n}NJX=Q-=s)D%BN-!TT;dbJFieXs2c86UIFo}1)?!tZM|I=1Fq
z&c@^65rYFj@>n*>z1sT(#(P6n<`QMesK-$MN~HH|gg(I=lUxAPbf`9WG7Mpk>CjYR
zo?c%o>wH}@i2eAi-_r;{LNWo61qetpaKr@r)e2>C?N+*`^=_9+Y&hlV-WhNr|Hcg!
z6tc=O&~3@(2@5yc`a5scuUo#0-Y^mg074~7?OY5=UMsSyzl8HAfCGgMMg`+DMqk0PonGYT16
zI{!>>xE~B~am0=rNm%?47MJ!GUcedI(uoOc#f&zp^s>P0-u53<1OuX8x9z!ex0?!4
z6%r=YC;|I0%3i|9J|H1-c2Iko+$7yyhXTCEDD{c=b1e5j>C<8ePl76yR4r?&J!rrblz4{}h#t7>y
zdeh7h%+Z&MvW=@+$Ft$t4VYV&s=DZ7O}#;DkYp2P3rq&>X*)Bm_d}aO_Yo^N#&)9J
z3qPSnfmpr2=JY4O9zrSH&=3%0nE&qXt>VsxRapm=*gw{tG}_Noh*cj=Ly712x5R4i
zRo5Q{aPx)?$MP3)F>W#LahO(8@rN*E=h*h3*XyNHuK=JPDqq0An9@IyR;iU#p^!qM
zRiPXR)IXk2bb`0}`j)tBsA1(6Q|j^AaZETc5qRaYwLG?wdt>iOxa_^@CeP$eo{-M`
z(Qfwo*NC?(V}vTWeZA(FCe@i$_QLYV&1}!_Y;!~j`URwZ5s|CLWsjtTf-8;w7Pmyj
zBrF3Aw7*`Ut$q)k%6=YEP??dBmpk>
z_or9y=7&2eS00*Y*#MqH0MX}evC8Vxm3dpmIMh%Haz8o)@CdI@p4FBUA3CErU!*L0
zc1=aD0EsJ&J7@6f1n}%Nc!)|zK?06&1q4NaYoYqSwR23a-ua|3M&#K$XZASt4--U5
zlH5m}RodK`Hr>>Q*ppYab+!6(>(0#Aoo`c`eHY$I|Vsfhg-g)b*8-R5S
z1V|;4(c%;?Q9&7|%?cipZe*>?Osuvqz4!gC@M)^G9De%!)C~lbp0|wzsmuqfG@dSg
zxAyevwUfPv7u4h8
zP>}Z`Nb3Sxg3gx^kZ-*8`kE>Lc#&W4<2#u!-sILQMId~1i`Rw|_09%7Ch!oj~YkqdUTRC-Q~vmW?9iIW_M%^3gwtM#l=
zB=wg1S$q9ai8ZOTbyHb_6*9_7B;Ed!(5tE1`9o<&FANM@vUGlZHiQL0SK^a1c
zH^BjKX+&ntHCpjP-G;A4e6ZO;V0|J>i8p+R_lGb9hm?-VfD3rCdDo~Fp`lvL9%iNu
z+hzW*w}bpkDNEJzAflu#Vaps|yR1r&LXIG!5#|fuGKZJ38mQz|W6fCA?E|`*?aNW?
ztcwc&c?lX38Iy|Yo`mlu3HmELm)U(cU5M6CSHWje=OpjUVv8F!@uo(*MeZz159l1!
zzP#LdM4-3M*LxplQ}ZUuq-yBv!ouJ}cMjJvWG&okIjjlUmu3n!n)&^z7z98U$Y05Q
z|KR3{R~LRQgHWcQ36WI@oApHZbYRff;*^fZ{6T8Pv#izqu{}C=WLnTYOKN4wG3YuB
z4`))bUDDCYMVLHa!$a>)nHH{7t)RJb(SXFcyMy04%mM7J$Y73!gRaHw`GOe0b)pK64tmYM!Wx2F<)AC%`
zY>Q`X*|g+&M>qFWj&QGOk#Vg$Cu*;8m2oXgFJf7@WXLnETdOkdYpu2X*Dla9?mAPo
z&r8)bE^^d9c4)|;1O~2uz9Up-qj1%MHi{VPd24_g&=U?{J41uNSu`8$z-XwodD{S1
z2r{!r8IM_GNc%i}Ky9m37Fj_(>XZea`FKtAt3q$PvKhV=kfmr_3RbjX#!}sZn^2kT
zw6e2yvOQS)^pBSAzH`Ub+K3fzto0YU<^zh|%Y`S-bNtYCgay59znwQd^P9Mx?w_cNaO>%$$=0Npr|GZ!-{Dj
z{WE3jNn=ILx(M*0M^2)jg(s4rj)^L8swK)J>tetaQ2d#WmPHikVils90J%(VFgFBA
zKvT!fXeOK_%P~biIO5~m%rii`f&Cx}i%6#OSeWbUp&9r|J{+X-)<-(_oxLX|;KB*p
zfb@Oww#n-Q1+$!gavgC^q(^uDE?+Z3msNakCoWqB5hr?T?1wpAWE>^KWjf78x)m?+
z>yHgpr0jOmg%#&FW~UEU>8b0Xe#PrH8Jr-W_>My*B;$iKFjQ7gzab-e+Ph3AJ6lCN
z0n+}3lLn1*atZ*yCzYwQY-{w3R)BNjiQECiM*hOY(;vtCpwG0D=7~}TtQ^1Yr5M~u
zM;R_LT54eO>iGn8aJjz%q;3g>p3MJV+M+9z>Kle{et$R#$WFo_1*ZIXQISNIor0yi
z8zWd&m28pK&{<>_tp)JS0h8YCX;;1L{6?tVpFyp`s;=pKX&MP5n7v_8PXxm;3PY4B
zXqFNvX}1i&2Us4iApQUYfGSt_hXOXu2QS2S58xbCRM&!FAdGje*6^-rcX#ByDy^npe!BR|I-4Qx1}bm+$ukg=kUcNW00
z&RyXE50523_V^q)GldpBMDRz<0>c^?2!PT>2;&&;qdpp3Z&0H@<6xCkyIVcKhN>2&
z6~$fv%k<@X_;uhb21Jbc;AYx|temRc8Nm)cNszcc0fA%u&ocnGOOyn4VOWtU9d9U9r<7wGo(a
zk?k3td0xbDR$6ehvK)jN*<>U0fyx-G{g{uYj;Rapn0c&O#`@+^nlW;jUAb;#^
zW?$aOX>8|(1eLVbGT73}aiXm0aPMM{&_tKM;H>#RpSq$xr@o|S*C>!FhU%?OVx`8q
zW6z)*1Tv{M-A9%)J}8J5e;eQsg^n8>eAlGQ_9xrW8g~n)k8sAT`7Z4+=$@*AH<2wh
z$F!0W2>!)2P5JIaZ5#&t!iXd-b2Q`hTH`RuRrF)BHG-7xQeVY=>{WN5HVOHws?6pe;9**t#31dp{OjhWgzZY6!d%?9~Qc`v!B7kG{35rK6V2Qa>4womql#0Whi}+jTj?U>IXsurq2J|y(U
zP{c)8K~&6$=LJyIaV^Jmv`&po>Wizbq^@
zHP~!H%y;D20ymB}KTNjFn9yP80k1n${&T09X{x>vh2sJ%xZh_$P;LX9O*Gt4;QkYK
z9)FoX9@9w#uZ5B?(t#;79L*VZTFz1Cann6E@{~C5u#qy#Pejmcwi7x-#zYnfLV_|8
zidr_35F#!hVr3#qS$;gOELbKLgt1XwKyi?>=x+33&xy}p|GXqEKjZ9&%
zj}WggfFTD8gd|liBs|tXJUEI8HPTta2Yb4IjP*Ssh;20#TQn-GWouR4wtW!gH}-q?
zq)O|-E`@TI%#c_uAT6bYxgq6=94~N$k}BjO>?R0|z0HFffmKVCBeq(WSRVc-PLOd`
zB`SpW1sT>cy@@qK>oDS3O8?W8Ajr})bkBq(+I&+{f0z4%QX(W0g<7#vrUNRaQl(0<
zO0EYiCX>Z_fos$6yxETT69$8csoK$av{JB!>jjI&YOz|hitUEW<+Eane#h(iaw(1*
z3>9m%+%c(ihAmeII&~J3(8IqU*rWEaO85vFL95BG$VScef|;TaE1J!|VDN<6WeRsh
zYUgd?
zIuUq`;Z42F#HfPJeAftF?(qWu1Wkb-$vU3~sKy-gn^>E9$P&$)v20>}#v>8oU|H`!
zrtqOZ>CMWk!;?6tv~CBUTtCzn#nPaRsw|X?ChwBTG^(A`iMm^+`7qz&%2OE(0Q1Jg
zb*GYw_0TbwZ>)XEcKb-eZNJ-h-u~X}-w>p>ALlzqIc4m5Wg0gza^TB1u4gsPh~`PQtt)@fbzQX;EB;oy
zLL`!)LP2*)R5ct9OUIYPzyLvk{l}M}u)x#~mJ10CRTUWPEfxoj`pv
znCJExk6q(3qS`a{xPSpBr{O@*nBlt@V6sgsViz?|V`wEDAUld%L%B%%#EfTRot+u!
z)$urWhr|+5EIrUB7qKM}|18G-3F5e;YAZR#sI0
z)6WA408u?$##KJdk>-OX`*~-20AxSbE%qDjBeV{ZOEob>Et$?30aon=fo2gJJXl#~El}#0j+Lv^g)G^5P
zf<{x1S+wGIQ%f`Urb-wfC@|Sj|56SM3{5uMwfl0rWR+}>Rvr3^?1(LCjXzTbNC!Cf
zKmt@)<^hw3)n9_hOA-7aV?`V3q*M=v_ygV|j5!v#V}w|a(_rOUj|DRxLYsv|qh!=8RBjG-bo|K_ak;hn1QJm#Y!&PE|0addHPe8`W{F3$kxy6M
zm5=~`%T<*34gaCf5ov(5mnlNZXdnk|XBIR98^J*7adtNYVNpRYl?p}sP5*_D*RH0s
zW(Ck8-G7C!_7=J}t7eLm!)+tLDl^z~KDQZ61@u}Tr|j(0kftwBw*H+KjF3YoVM#7>
z(qiAKSbEl{Wyv5i+D#Xq7;G8+5nLVtbd^-M_|drNs^Th9yR@#Bo@ww5R#f=
ziA^P19?kJYJrzE-;0v&`H9}QLNKsqbGahbCCGSBwz%nNd!5v
z*^W4CsTcJthzr-rG-gbG$Ol-*JqV5XLDi%*-$n#n(2r3I`cg~)A_?*}qIM}ANRqjJ
zoXi|llvGtbc4~y>ybfbS-Q3~i`E1+fS|SA*~B@O8tK8cPM4AZxgP7yj_WrV#gGSbW;c&S
z@)JJIlI(gue@;Itx~Mso&lins(t%Fv1Xoqey>To-h?1g$%SngsIlq+H@a#lXXd?_)O6HB-al6Mmoe4#PkL{j+%Tu&0#b@pYUlJIq4XyFQiXBrNGny2
zf!M@W$({rc;@3}tM9nxx>(O4eD547nE)s7vbq&?BDTKsO6Bf0knw+4b1sidT!RwGU>jY&lHDuj{xxx-<^y^;yk>nul5qXdn3DfT1{7sY3kBZoyb
z;&PZ`;Pt4A#N+_k&IFk_l$wf?>v6lzvY`A#>YRdGG-{N|60V0-G)I*aD}xOPBwj<~
zXjrhr=YN(@xa`~e+u{jj%ZlN3rj4u)i&Wz}tuNFqh^20%ehyR5>dbu2z%L!yH6%hs
zV#SiM2=SDLPKHNrKD^am}+}~50JjD5M
zg;=*|Y#RljiTvRY1?Jcb53}wrJ}g0`cVvz9Es7YZ1fSO-E?6g&;B;)PVX;&U)A|?#lfGecZPrZ^to%PwgLJU5vKU^F3VF&=LaIgUc;hVPjyI>4M3mood^P(?KiG{EJ+&+{ikg{Xf_WPzD4@
zi6V3}F9Z&Z42>>B=R8da#ZKa{SK%Pm;Rsu=ObHN+Kr`N|M0LDCJ9ZHS~dt|(L+g%661y$LqDUb}@z<^avaFUv{zO
zF{ah%M9|!LwdY*1uP67n&kD)e=XK}tuJV_!@}C8f^xJj@PbVBYvV}bj7`oH;>Qvd9hi5abq<|*i2=b36S+w|)kzyJ+h
z*NuzzXT~MygQi{HPs$vA(rg|Id5!J^hr4lZc79P4A@x7m6{!)OIWKxAT3m>u1ziES
z{(jBwRRK$RXvEwZ6~1h6voDsKw|*wUQ#<-zmd&++)cY@f2{=W}G)yv#1!S-wgQA@A
z<1s2&#L9ftoJ-r1-n0vo8?zqLU`3BVmOm~B^FPl^j3dl}G}9olIH8i{A;+wksGTr&
zK*_vfjvIm4OL@5gXs6qf9m_i*RDjBGQ)u;vkqKm7aNS`@2p6KADOA8O8l17i%0f>9
z38~UABXpYVK-h|R*Fo)S*gG+;eY${}Vr`(&Nkg5TyS
z#2=03T#HBor7=;t2FXNNw40ygs)R^*%;|+;co-y*V0`$W{*4fU1jxw9|9XhPG6a|c
zCrm+=*1Q71cHezhn*YFt#7qcvKhNuEHw--n2ijoFFcDDs^X!j3|#{Iep3-Y#E_^M`2v$R@hocUiE{uPt2udDMZG9MwJ%mPJ2P+)MN`nPYKXQ+4R{p5Tz`;H1@
zV@6;)hQqbdtMlJOGdpB1>eK^1;)CR_nH2;!c>mK1_k*J){&-|&GplCGy@7dp-MaP%
zza~oP-~9=Gp1DP4fc3X}p`XGjq`!AjZ%*>|%ubQY)R$Wg+mdn$rN#MynW+=On0+^!
z*q$EuzK#^U4weZ1kOEpt0fU2di&oVf4@e|bz(M|j0m=dX!GWOxsvIp85*nx~Ff^IX
z_ZS#SVoS}gDY<9=3pwvsg0L65qHHgwas>j+Mk7l8ygxY|mdchL+b;}f;+mH=kV+=3
zGVjVfw4&9cDBf(LJdAXqk4wMB0D8sL-2^A<%
zpg@Jxo+k|k5Y+4l)83>|thbn`aIz6;`DR_jQ*ZeT5WFE`z<>n}7%-%B>MKTfa-;YI
z&-3dM0K~P6!^W%L4yA3uH{CY9yPbA^wOOIxm071giHG6rN16~BwUZxtX5yAkTRNr?
z9kV0)h}oLv+Be7Iw;0@%W6Z;BHkFs_iuoX6w6sS7I({
zfPcrWLr$5JA-la)&+@@TPx>1F@DWez(a*dclD!$a7>PVl*Qd{U7*;Odc`qnA?do3*
zB}cn$E96!eSrY_nkRm&$|MtGPin94UR5_BRw8zina6&l%B^pd9lhW@Ii<7~UMf~h~
z`#99Z>%zNxcx@;it+RdYVXa@-$^k`_$_<}$x>W0Q)XKMj>Rq|HX^l?T%)RL`dZ2oH
zhm{1>TkazOUj2yo`o^K9!*Kd_Yh&du^i7&2?+NDTqrGX83J=|c@>0HznuCLf9j#?i
zrTI3m`m;((%+4b!=d%Xvwth71cB3m&s}8JYc?y$a{ecKdYv;j01|3qisWM#VEFRtT
z&1lZ*Y+w>if8(`L`Rtf`zn*JUqB`+=)3`+T8YHpRefB5iTA_305#8lwRkLfZ^J(ky
z>z5-zg}`IS6U#yWtq9VNqNsjwaL+zS^
z;)AYl?&M%kB~nc0J%5Y$Qc|A!O7lcjW#dWjxl!Hs%A3Ek)@euJbc`!
ze7zUY4#po$JTi+sxX#&><9yQ(R--E6qCDj89-Afc5|bFxlV&7eQEZTM$WN@=XeF
zffzvM)Z_>f86sOIOyzxz!E`WdE=@KFn}l`3M)6Y)N}Y}Z2l11D;i&E+3!jOHqW-+>
zBa|HxC9n%ShB&^Ysu9X$i3$+ibZ-C8=;Ap+UqE|=WkrRt3XC!%w8=G;`vjYO>J=MHVwF(MwHj>A-
zUrLXkh;-=Off+~0Lets;tvKFg?K3z6mekR}bn=ZvKUUP_KufannZk~I*0@vQ+7N((
z5djJi2-8v}!(uWOhUH*rW!8j29oc4^lH``n6R8_*wS$8z03k%gD+Hy4gef%B6QYAc
ztUmHvVUd4QK@%>R4>cnJQf-o|M^DS?30$sql?c7`hD|*9%vFAT6zXF55d0I54}!W3
z#wz_Rd5DSVJ6VX8q-*J9C1hthUZwg-J=LRCl<$Pn3NjVynVSAM(jq7mVw8bsmZZT3
z-6Tq*9rAIH7=DAK;v)$I=5Q(i4KcOXza7dt&UH1fX-`~Z+;0O!oF%jgW9Alzm4&?Z
zUHfWwn(B?0^#zmBKQW?TkTz=0+TJqLQK{;({TxF
zBzX(WE_7?!_N3LByMxn?y)A8P&UcvBDZ*O#MhN^8rBk8JK!{g}{u23f!Ji>KG}w@Z
zD4i57BBcTII(lf|L{?
zO32b35Idwv1&~}w5gdmv5lk^C$5YTM98HKX{QNQ@+kST-1D?a5N0|cIK$eVPN)wq7
z^B1I*ovT
zp1oVWvG#%u6ZY!vVS@PdvAh8KZG5AOGt8;~-5iH9XX5$#;kT%h6R62>It#P*n~bBs
zEc@H}J2qau(ITirkK<3>fugj%*cyROzJTK2Pvq+FzD`ne16(7z)I7S@T^XFpG9Z*i
zR2oic6xj~#g&0{th=yP!5DrKP7L38rq=b*4Td(lEXsw7jLerF*ta{yOt;zY;kpi6T
zt5Gni2J9v~fC7T3fe--tKvvy}mk-bOXdAToIhg{zoxbUkDQ7R&Pzlm-0BvNmCE^nY
zbN4GEfbPwIHB5NDabTQ{w2BKQ)M3k$4C>ghT$JE?MCtA1gqg2x3>c`(6Q3@UKb{z1
zmKG?fyXt$dxvzJ-uW$lOcz31`bcmV)X832ZF&BNA0=H+qnVh_^?*alDW_ZFtX5mE|
zkNgu@Moz}S(a7C^LHqH^J}`v9aJQ@>4UPjlRP#)EMXH_pa^>51MvH*4E&&s7xLszd
zxnqOFwDp*PmeC+e8aS$`E4X?D6~?j@I8kvktKeJCA^!@@?#>`|=s5^%+@LJmG&FGe
z_+Lwq-DjZG1l7BXERA7+)x4VG8u3blT@7*8M?(z|AW4)kVG0o{S+sEB3K}qJ)UaU-
z8#>uddWG}p6(B&_eR_p6df;{9rcsw53_(%)PnY^i?GUiVsceQITW?ftOvG~_0
zSThTIOv*MNd%;Iue-OkR6U{so)m)d{z8U168pX2he}Wu(hu~MNmMhot6_dv!$aa
zO@LW=B)-v`S!CyfwfAEfW6F()HeuO$VgRxlFaV{}s(w_(q-yK2BIx^+@gs{G*w7|c
z89*0C{p-C)#R?#87)>~N5+sA`hGmla3rV$#{)_*YT=i4$w+kzYoVRoB*N^r(`{VLQ
z@b)JJpvg4f(7`3$01DTA`(sU+%koFQ&MIOmAg?1xt6ouI9>~YFs&@eY9og@|{`Y;&
z?`KT89$~{mgxUKrBMDMQgeWN`QN@h&5PLg)rlBIU(=vTPlNJOlNOG{Ap@odKM3dIi
zbni_XdvkNvt!@;ndZ+U?19q#*+gQ8JTwL8j5TQNl-Ya4;D|z7Fx!LayM{J(}5Fi^!
z4%|G5(0~F1cr<|0fV~}?hkBmmUI2k|JQXb~H8(X!ExT0m4N(Y^5wf9_ytJ$sy_k8?
z_2RVpivLeIOu${V!5%;={d^Wx@^+V#{)#2LZ3YJil4PSK9VKbvxzP)V6;N)QCRKF*
z5g5P}qnCR(uyARc6SQj`?;*f3=1RQPCQW)wld)Zv`gGIN(Z|f+F`${22Z0NuTyFV?
zr>-;p&M4rNqIbUBGjMv2fw6tPtFjljDY!dM|NdR|i%f1@Xn-U0gIIOKSU!R?;Bihs
zCpG_UOoA=|PDBE7d}IN)A4f+F-u~BBcY)nMCclEK-;q>RPE1Ndq
zLL$vzbrs8>qrww@0r)?_{ygTh+Om>C9OCfM?gWcl9w>;%Rbr$`#CkPv1AYc32TAw_
zDLQZ
z>p!64M!wnh`XS0Xt3PUkAezx$Z6IX4g*eAP>Fg7wIn0{p0Z{nu5>6z;z&}KUtDiJ=Qnm_HS-5H%Ty4bP+YWnIG;Z-bERif6vwC}fkV`<~s@>dF671eJ=dA^IE
zwqh-7%I(d=?UB^6CbN<6utWlFfyFDQtBN$Hj6C)NP2tHgs+YYAv79EFTYMbPJDfa0
z;_I+IYYQ5;_ag8veGL=A-3IrMP}?sOL+Rob7WHK1Rr#fnGTIT+M
zdc>cALEBrf3bcs`s0%lR8;_D#S#3`&;y7d;Q6T!Xyzk*I)0B7>!%
zk}5T8JRFipB-21jM5AI{~J0gj2&~gklCf#HZtSv&M>Nlz-qqpgjwNxkr&bkwSpq61HWyG?S
zcuMmT5Pndl7Fj*mc~*_NBB}Sp<>oi8diW
zSwLFi>2f(6{E$jZ$sY43Tuz_-uD6`7L6GR&6a$qcytl<{`iRuzY1!|d^w6rU#qnv;
z$MTevE=o@uwO}J!B@@IDp(0oG9`8xWCfm=p<*P|&IJlxWUsA>oPE(Ga`-d+8RK=cs
z^#n>l3%%Hp&~)q=HTbUtKJf+Gh7diSvQnk4<=0}rME4wiLzXpO9np(O#(3!Qm)Wk}
zjII{mSnag*IQ#@Suf~cnR}H4Zd!H9%4N_~6te68$hv51}gIHlEszqci6vGX0Nj$*>
z+mOeC8;~}q1JB*u4ayYf9-Ln}G
z3cc;4m1{YsKC6d3IEU)Ky4A}}B88xa?~pES{?WF%9@Dk}=AI32@+;Hb%5vr4_qe04
zspxmXE1!M(Yk;1Q7!d415esuJ;V=+Z5Q0_K
zs}o3NX*!56tUE^IubBmo%yE&R@*>lwVo-eBMqaL=`VzhVy=VpzDmTufgbmpny7cm)
zkJ`L|6zKv4dci9L78jo+KCxkZeCX)(0@C4$)ZzW89})IbmJcnTelJ8|51+I^Z1PBv
z!7GLqm$ZUx@BEJbpyz}X14T%f0w8q4TVi-X?!(*jqn$;C
zILluiE*X=mB@bX({KFYp)w`-fGFuJitbvoELg?Y5-9iG`l%7fbVP+w{T7lc1>q~_8
z3Bu|3At)-<4^-*5U?n-Df*$H*cObubcc!_Y5;VBfOiUJ%M`&S5sx!16&D4$C>TBtM
zB#R1Pvd={r!_CA7eYL9?@0j?qsAwve{?axZneMn+Y?{puu~1EiM)R~dRH_tT3DWz)
z)R03pnxgoQj_jz(R!jRk!>3_I*0fS5Bjn8Se>X~ij&4Uvh`ZUc?sS&vNU;gcWD4jO
zTfxp#%ob{;P+7|yFj-@jySqAM>b9FujuX5tWwEoJbT1t8IT2nSQXzR^IoczSQldj;
z7JTd)z3yXPmaytqHsIX<;UKfLFr!{eEGmfA+-i^xSBes8LBda8NyOD3Qn0!Jz&~oN*?I5sGP~U7giG
zWC2K?*b_D5U7a|d`f0@YmrlpV!nr<`Q%Q5Ko{uGT_}`VBTYLf=JA80+S!$&~furwb
zNHI^2y*bbypXz&{d%r}r-rfMSPKf@*^1$yOXJlGOdAt*d<;l?dD?o7x_=Z?W-f{|a
zH>CUB`li8JD#F1+Iv^g=lZhbG(GMv=@sCr~RE&lQY($_D4N9Wu>Gd_@21fR9Fd#(q
zHRfSOKqDT@^YNK=YA%2f+?C9VZpY8CAP5o&{WardJegRhCC4m82g-`6M|ea1=_+L|uDJrt8e?T2HKkNLV8Qd5_PY6{Ocjfg7;T7&AO(~gDN(i;E>jNhV_r)-kcr)&}a
z0%UIr+Qj`_YNH92BPZ%Opl*Jr%@gy&*
zrv38(Tdj{!JX{0}@(pHokkiqxLNAmCEfP^++YIO~e~_1w0W8v~Hw-TaYrM&$;`OO3
zOm=i6MbM^qtw*-kRU}*yFRKb-h~BG7xwOA%=sPv(P6flaebzL)Ob*Z3YG>!L^rnoo
zxwR~6;#_$C>db26iWOR6qRFR1rq;VLA$UEA9KzqB&nSiM-$Y16R9wWGz)nKa#w5G+
zfM{9RmsJ#xY2V!$jpfh%<{sYMA>&bG3L!UHv=4i(#VlQxFQCZE9ub$d_yUwzzNjf7
z;S?ZA@`fHfKDywK+4f1yHMR~0T0$)^@!WVz4iVJH0^MvZEmd$bnwztuZ!yK9gQeD|
ziJ6TZ_+$J`D!O9o-L*;+C~cJI^BlnFII{aLdDu>OOHpO0nPX&2-nVdUBve1v@0zJ4
zltrUZRy99)1iA+jNRn~4_=?rYwWy30xq1&+*(90N$%A}eE{U;PUuZWx*c>a$rEx?*
zT_8XsOXU%hJErzv&4m$=2At8hmS~^i&P&rghYH=wi070fGYRG7%uwb5Cg-#2eLQk<
zlQ9zGG>L>#W;S9W?|@?v<`G2;fDdAJWa1HW8#qs20}Q|{`U>d{BP3MKOwsSv^G!$z
zDG7oMXENlpHIKHrN@{LQ#9FxM<>b2gy*N%?zRd5rJ5MJI>Gi$Sb7nvQdM9FM
zeoy@D#>u(WlIp1pK0K?xmu}fOY)Y|RmL_P`2||*hT2*Kh&);MtzHC4k*A&Z*H|;UI
z>`^`znuDjZV8TMS#vSP-+#d@8Nk{i^Vpj>On%feY@O9}f#D;+D>ERdcE)%R3p>liQ
zO)w*nAQTLZd-2X2zR2%ZK9i<8LlOr-(S~T$s4S%g^9$JVZQm?W>pytaOB!nM&T$+sG$%zxaee>=cd4hUSf7
zY2m}(P>;BU_D`7Be=Id-ggl?8^jNS4Cwvo6?ay`8+wRbG*eX^Z>@Sd>TqG5I1#lOd
z+87Xw03nhu56pLQQfw~g9W@Z4p=~r{fM$zNOrUrkVICb+6AB63Dvm_ESeT-{MOE|W
zw!cmsl^T%RVeI0{H}piUJXw@>ejNrZg05828lTom=*#6jN*2I*2@cnSv3Leo>uRRu
zjIyDA?chZEEVbl=eHI!KKq@Qy=o{Qe*k9N907YaZQVbMan12;5
z)ZefMj1Ec(Y2PVibRIx55KOQ$!p(AhQBAk-XQ$=Pdt&fi;
zjNp?Y07eE?l1ySiQDnR^YKiQLe?XP^QAMDt{7X^RXLcb^yMyi72=4_NK!)VD04(L8
zzSe&m9;>HXiYv3*%5dG7{G3F~+Py7JK&de!uDrX9?3N*VgPWf=k5z-Ppy{f2rpiY?
zaOnzPGhAbQGwTqoSnxV(%*0PiJQ5sa2lj>V_;{6PCDP`k{TEqQr=}T=_L`?OZf)
zzEXGV-Z?roUiwg=ocrJ9hn+zU^2$l-C2B}Q;6##SxE;4P%hp(=;AFW^g#-NzT|}Ra
zTD|3vLa3IkR!+aziTgVUN~r$E0pvNQ{SUvgyn(;co{lBqF|LBJ0P)-3Tt*m#jz)8O
ztq+r;;%_s#Ii+a70_f~~eBK*qHGtYVIrJlGGgmiwvWbYPtN1j$)eiSH`Gv1vtLH%-
zmwr$#M=avi0e2A$qY2MCRN^zC>+>qLSK{lRRyos&^a44C>kp5Sui$sq$2BJf&MY-{
zvN7UgS#b=?mPz>Ae^3j$e}q$WyR_tfqQ#mlFGE_`z%jN}mD>Ki&c0|j@Oq3sBsp}U
zAhinIqkcoCLl$b$yP9G}QwVJoz`{;)#t}AuD%Sx+hnf;p>dtuSu3eDc#9p-eGSaaN
zl?s(bc8a|pB4rw1s({xWTSbel*S@0DW;%Lrdz@Q$2o*yaXbGf|5YU$L>IGIssQ=)p=-X_O+V2^JnhY#2q^i
z^F)>%woAX7xrmYxiseYa8%66x&7dbk@*`hTJxdYeV3@2E$_nB5|Hi>Dkn@80hF9NL
zpv&Bj@k~Js(svC}!aF4g$A%p!_(I~2p>&{N;HZMT_6!|%EsLt*sj2=S05(9$zsQR-
z`0e1g^1OR_(X;CXr&B&?&v-@upAQ>@ll~H^!Fv1*^)9t
z;z6{q1*{f%l`T-;i}pDveduxFdAj1Mf6D)kIjJ2wc(tJ`DJA8QAsLfV?SV-R_MDQp
z^Sw%Rmm}RXz6>0*PE(_%JDt$<_G&^tmbC1d7nD%*HB{%rRy-sK(RB6N$6cPQipK*7mp=1ZzdU>_8vk1ptqWuw5x?t&Wo?&N%ye6v?
z$dN0`qB3W1g836NUys-`-!nLKat?*aO=rF50=N1IU4!z$XgXba
z^*FhEvAj9Zjkzr&-*fFLVox55$V%UGA(S7-$058{_^pupj1gualw7;D$C<D$0TGFv8XkUtZFrg$XQD#dxUBt*FKancxX?~>12wAw;*q&ZhIQQ
zfgCMeH9{_G$^HqSeF@!mFQ`RZQK2Ae#M`RYcvlZk^u{XQE@~;Rr?ghyVo%=3j{J%3
z@R>Sq)}WvHS?lmkemVmt@Duo((jR;n*^UZ9E!(PsDiX%1gPC+EP(_2F1Twu)W<#Bi
zy=1s!Bx69v6buHuskpLl!n1f_LnZ}PbIkR=%$X^xrxNz+-wmY_SHtoDyKi4Kl)71b
zHOI`3ER4*VP`gVNhaW2d0G_znxr**p>=y4X>OvvYYW>3dGIHkRrjDQIn&|fvVOp|p
zsYQpF{$8$(wLH1nBWDqmvmn^QeHgZaNk83Atfz9IAdD{@`4Za_O71-RhQY=Id*3|H+cj*&=usM-7$z!mpySYE7vn6e
zbb%3nW5RPXT2xrEgV5s!k1q$Pgc>coIKqo_H_Z_Y?G$;B95H(_&iE%aQdbHkBZNcd
zLR@~nY{TGDXS7>tU#{d*{l(XKuCvVIaxETCgo%r)pZ@dJ+->wf+}Lj2b(ZC(1ZP_>
zRQ83Yp2`JCN4=s`db4utYlh@p9z^?kq2NQ#39>Q6dc(sU
zH@OA|bCqv@(ld`)800Jzg$ip>*Jkq>@>3D|&KuFqsm%K%i@69!>t3%yN++<}e^1ho
z=F-%s##NPz)4&xv@FK%n{LVW-q)#N^l7!A7&PHg!oEZ+l69UKqSN+_w2o+`U8+CK7
zxeP%Ss<>7p)Y{nz7#-3A7)%wq%o%Y15>7z!ZtS$KDQ4;+CB2mOnQ;8ty_P3MWp_py
z81JcWDY#syhSrz((-)o;%8Vt+{&w)J52&5xT;7@$S}S9GVp*lS&Uk^Tr~v1Om){G7
zDnR^W(Ep%Snd-%TA;uX2n22{{4bv}|nLhTSdcc90xYXyt^yBc_l$jO~T1vG5rRudRwF#w4If7CLf*
zPPsZ}MA2OZG^mi*p%(0{BJ8?db9f%Ucp|PGB-&ddKqZeSH5>_zI
zCSPfJv6`U`5+o^&*N}$%UvY(BWp~+HGF}0NbE5$&Qz;BpFQ?O@ifpV;82vlb58rxq@tCFUMwc}5ge~RM_rBqj{tO7RM
z!%5WyTLIO^$;>vi8hf$w;cAkcr)tjz
zs#?FK4OG=9WcXXu<{^j`G>sg`yaI_`4!ChMc4V-P<6r?n?Cg-Wt+QMPllL%VjH;Z~
z!MUhm#b|Dr%Q}yxMCI1;!s}Elsy8h>NYf;}F&1;3c{-RFs*`~kuI;Q`$(cf87dx^6
z5*w7xA2K_~GY`zs+ceFTvZmYoYX_(Ab9k^Wwh8zHM$iIcF+?!^n;@IScooE}Gaebg
zm@m#}YispqFL@=UY*@`WJzd*`=AhifO{pPpc3AR9x}4guj!YO4zY3V^8k1I+*^
zE~uUZ2|7epq!>)5d-}%uSSZ3x!56!tS}IXSztYe+tA;U7EIFR9q?Rs!28H7%BBv&7J!>5u$&ch__WX(=BkRgs+;%*+Y%@iP4#;%FZEh?ULW76Cbu@4v(=wHVHAiWJR;(z7#eF$5DQ
zIPN8HCbyJ$WASZ
zFYJG?U%V2r{8Im)wWXhd4~ny#
zwBTJPm<#|@CRR#_O9=8j#dJWv^3pg*;;cY~uY55jDHa6r>&`JreM)qZ
z84Z!Kj!-*=u}i$(-cmbp!;(qEmXg-mU};dk^7jF80f!h~3vdDPWHXD7gjpk$k{zF+
zZw|Ut;ko(Hn;O{Bu<3(*^g@GANaabg97zMoz)*#37DK6l4B<-)!T~>X)DL33rXhcV
zygtf!KG;SYgMO%;~>MYiuv7O*`NJ0Bn9UoeoSv?UaLmlG`;&pKJf{
zI#J%dh;)z1x`EBR7m*e8G$X9Q@caS6-*KMMGc7C?wqp~p4m7R;Jw3qckNKzT$U0DU
z%Dd`aZ_FCxAD+K8rgidf_@_)jdjYUtGkP$cKIlHVKwX-XD*~FGguYgxt%$>^C>bmD
zeWjN8o8`?*JenTX-(d|)B~lopmY%hjyiAK+!CSw}Sx
zoq0ZJi0T@UtI8N%b_w+&XZevAjofBg{a%*Epv-+-oF~o4xNWm};t#NIp6!XUIhbGN
z)&1NEaRySGej%#SZkUR3zi8X8<=*)R<0tR4_kJ5!&^2){;PLzC<>nox++H3Osdt-j
zWrL~)^^$F73@J4^OYieVxKw!64T_eR7P~B7W#|!v=hm$PS6>55oZnCU57zW0SOD+0
z*Ujrw{Lq%G`>nwJ6`)1sN2`={&A7Gez68;d?mV-V;053)x6~`Esw={{yydXAW`u#p
z9Z-4B8=LmSK_a-nNsU)eOQfo|ub1{eP~~q+NXIPJ3wUW%2@l
z0C|Nji)XX?kZ(ZdyS(fXOHWv>9Y7kIx~Uy@=4SHUMwrU4HzzT;g7>1L#=uZSEgkSh
ze3mhxG7FjlKiMZIfJkw!`%Z{>mu0Tu7KIh{AHEHD=q9UXR^Rkqx4zQIvC
z&K&JwN`_UdLRblu79Bb4T}s_KQdAZ)To-Vy)xWz{Oc~>w!q{C
zziLAoS06LldcISS+r;y>^UuVamj4@l$DB#$`7Qsv?)M2omDy47!s^jTSM&067wby(
zT07U+G2}dsw^`pUmPrgEUX`x7___U~;l~e`=ek)(s)u`6zm37TXx`Drsy@G4GvgDJpJiNghzY%)_O-!f-JJ0Tx>!z@!?XJxvWCsQ7+svU#7cxpgKr
zJpqb{WZ}7Jd`EEqcM|&RpQ(<8Zr2!#QaBXRyD!a^tR$`DfArZ*SM|tH)^+`M2~I_f
zB4Tq!ES}!g{Yqbc=Nr+MQzbzhQucXDG4T;$;+GgG;Zj(VsVJ7$xd0E6CBzlGq{zl>
zc2OCFizQNJ)R?RweePb-QBFtxiV~r7RzSu4lxqhL*(8b&98B?qjidUkO43$xMWDN}
zg%>P=N;yf_4jmyT3XU94Fu=!9{g&9Gu7nuh5h+KMS2QLj-Q?5@@*f;+aM-@3{u`n#_`MAe|
z-bIgDb$1{I{l$0pX>T463}k2ST05cNU;C)zgjG>H+tgY&%_f`fd|+u^#aVOJarK2(JwWG?;7gSjlO1WLgSJ+E_Yy5NKU5&e+a-#ODcuWcUjk#EurrFqVdJTSsBMG5cUbH#@2pe9pwDC
zVAyhV1ZoS<@RQdBx{1*;8;74zJ!HBjJA7Hzx;NB|#X#FoW_LJ;0LogelXqL%V|4z6
zxss)I6&9aL-Y2B{(L|{B5l{+P2GxfOs(a-96=z7}dE49tpHQC8QwiF@sSgG`2G2#{
zue`ZD>KU5Z#&tO@OfilobYYV>$jLV7gkEkFluLL9?DkQA<)g*6Z!OauSE_1}dVZ)`rhm4X
zlT?}5%iVt8WFhzmJ>=q1i@y=ixY-VRLPzAQ)DF8g`qPOyF
zFk;Ioly5i+FJA|wG9E$i_e|;m>yOR}nn6Slz}r}7RSO**bw$1x>T_c6r
z)b&NK)X9yHgOvg~JWCUqVJFiEDpv>LV7pk{$4gegx&n73{22NrB4vN@7NKr?u84g*
zA-2M{Ge@+3XNAy`-RE3SpLTNWbH3~5eDdrW=Q}>>N6@(dn41^)w<)wCGds5TN6fzi
z7F)-Pwm&S*x24_;wHO2Z{B)J;w?4c85v)Ho#U#z%zqrQ6f}6HGOMCDnZ@&pdau^1c
zo}!WW)IU?5H?jh!}(
zPY@CHbO%FnP;`8=e+H1m30?xj
zfH4v3BraU0b!t&KqR1>{1`^Xd;BIBhO){P
zWP5xlzPu#9eArMC3cSW!v8^YkCx-)j>BVOz7)d$u{RgTUcFI_{_2h%1(r=CPMgBaw
zw5p67+a1~X9JXW$zir%h?Y#O;9~T|gF$grjs8fS_+F0bKm6aoD<$S8}|2osBu8ipzf9s!4
zk)_8_XS4Hohe)u8h5?Hy*6Q{^Ph54PT2@cuEsSDnYNu%xB2p
zGCiM7uhe8=KrJOf6ktKMWPzA+|$Ja@phasF~!Gl)_v}Exv
z)JB)1V7^IWv93{OsY+#A^|jlMukQ|&qcWh}#mBLHEx$s6*v7^kdLEuPF@fP%kK!8y
z*s8*-Mno^K)|6hzJRh?h1GUkYE7@#T8fK48udj&qRV@zmX;7s?j!_nWtJeft6qc>X
z{sjX&I>tc1k@%RhuP2zYGxZ#wgKnqw&>A4m?}*D~IWoxyFSrXeGsMeK2ifv#8)`7%
zcu;NBuD{~5S{4Sn1Z82g_B(7apRtit@a=04T}vo-!`!%*PLzYp<~YQK&|`c5!Ju>{
zXbmX;8)a?dKrfSey8CP`L0NojXVw{tuhE~~sA<6I;~$xa_5TG?8!uu~Z$J
zi2*gGvFV=-@!ei=PDOI%6j-U0&=Wr<(qEo&@BC>?{9Pjf+2?dhGpoocx>T;hBOz*P
zXX07mfzq^$t)bb3SGvDhD1D(D&^z5Lav5Hja;b}Rf$=1xYDryVr)c$bHI1SIVI|ab
zz0k1#!rEb91jrkiIT69D=21lO-q67>`h*M=~v#r;+viyBM)#t4n84S_yFH)6~`q8d7fCc9CdM`5wv
zkIMWDo?&>8B&jLfd)RV4sD8F))-$N(19UAsMw)3fhk-}U*Mpi?Ti5IZn|CFQe@!|U
z%DIn`c5m8Tg(n2{2rkVp(j76UQNY5O#&%N}#0o`4tpOR$t@iyFP4KdcUD%SQ%iSXN
z&%@hjXw$Ys4ZD#9%SGjeqqa#8S)KBli>%gsqpjiVfU?RayA;Zn<{Q59ZSq2Sv3y(g
zjR?vXX-ZC62na)c23cvxi7C{|<&|62h3Z1(Hk16e?zpzee2l=t
z^`vIy-p-IUEjxJKj6AMrF|qpnF0%8C5sMnvbO&%I$jJh^i-KZ#bL3G^eVJF=EoKJ=;Iq^T1KOl3z$ErHmTp6X(91$qpjw0PZS}tJdX^k=gZ}#gZR2e~_ma
z7Ofletz9M)BCHd7p#df=_!ff|l{GIG!N`wJ
zzpkl-swfMALU*}Dp)sy>dK!%@G>R&b?tL7}-uHLD56hp*$NM*-_k~uVMkOdJvIW%8
z-1CL)bk$qcTA;@7h
zsuvo7_3_DIiSWe*oAh(A!se@p>uuz6=3|_bMPpn252RBf;W|;mx`*ir7__WwGc1sW
z$^#M#!^vrsR^kXciOktNm|>{Lq8MDXzK@T1M9*z}%Zh5~AZ^`Fs^7ew`Lifl8yZj$&a*=@-g1
z0;j9&3XTzRSpF&%4H`vXg~FTm=j5@v}KfA1n3qx$;rXPM^8m3M04-5J>KF3@VAC$F8N?y$8K^C{$%!)%m
zkrMr~*gS#+=YnCRd0)MZl4SF?DWC(~mH_%#?z;;O3N$+=?|uz1x^oUd-cuv4%hXLL
zIwoz0TTO$A9w7>n%&85llniX2Zw3+k*52_<+aqoTS|jPLOn|}S)HTuqfH$F6xPL>!
ziwoLXeM3s_40^%Sf7eU)?eE)&ZR^r%+j`q^U-p6Jn510_!Pe`~y-=X-q8=(garEWE
z^HuXHkTLvoC4VrEBV`lm1;IJabyrO3JQrtN*pF
zc3D{p6)d5Wg-VQw@yoq<-sQa;Q9oFx?D6mf`KIbFKp7G{(4lJ2;pTFVy?kwi5ZqRe
z$1%N!uGd!Lu_8)Y`r#|;HlQ!so~)77JJDvJpqnk2GiE{RHs5`f;Jmv_hdVSKDqx33
zvADgIFB7?rGuCuQ3P<_GHhM;%47n4=ar`*Nk)+_*Imd)sTIEsqMCF&7LmU`R;V~BMKhGdca7qhG3%Jwg>1Ve04Lh>UP
z`oiGYMZJVeaBBwTJUD=i@qKoA@JnBze=>SqU8P&WtXCwck$H0FkX)VD{M1Jw!}Uv$ZLH@&n`PU9S5Cpjc4
zp5|rOB5iLv)PHZl%Htm*!X6p+H=Sma=tTNSwj1iD)RPUMcq7^}j8?Fai8+Ab3*=bt
zyv1wC7BIgk$AG3;g*$`pzz9X7u$-vQGF8TP{a8|wp58WH1Kk(*;Y|X6pX2cb<|giF
z+W!(9e~(Jpbdd7D6-oB}xWMichZ3X``y!UqTGHmj`rh=$aW;uko7zyh*kd&>&ihH=
zo)u*M&Xu-(SZ>w5#G-KaB^ti}Q{N^^tA^DZ)Hxz6GHh3&Sd`9~v
z4A&XDbC|hP@$bw=0eh)dsH
zm$;xgKMzq*h|J6PB-tsY%+jPlMc(~B=^Nx7;>+uX9cHd_SPxHuPfuNKUaq8hWw1;L
zp=hI+d-JdYb=Dr1QBnfQm;Oja;`Loa7a$PCBg7!P)c@?+Y97a;rqe7+4$r1?P(aP8
z$ubaFmYmw0oOJ2oqZg`&gi!s@?|RkRS!Dwhk1;EZeEtb)uv1CEv}Z#;N`j33HS9o9
z=A{qlkGzxs2Q%Q)5rW7X+vAh>UYioUd_DGFz+{}dJ$E|nt$Xv62uerNZU6xE8yR0|
zj=^oZ^cG56e?spBwuCM8C0%-*?>8*|zkHF(*&>nkK0lFVznj_>;6IS0a!^YjxuqPV
z^P5B&Y<5!q436vo9azw#-+(H@pD7swWnnj}5|1`U2;EO_Z;-_D*?D?n
z@Hd%;y!n)*oP{x&?|(@73H-i34&t0=i`t~PnbrQ(Oz*^^`38v;7r(vV+J~aiuS^Rv
zfwgj+cfZ~hcIg(Ric0t^#HyIM0weGe#rGMBtgtZ`eF?039>XV0}H1`D9pQk$q;rzt-6z#T%3e;5m>%eI5
zr-Wd{c=1lln8|d$RZhWi+g`8^TLLf2BG47!Z>_)QnL~eNllkG8p!E&90sNLiSFbA2
zFW(h5={V`AbDW$+2e+ToN7uWK4<{3@U9HAbkrtj>V`U-}W0ux(w7uHkZZC1Rb{oN!
z8F~+6t$)LMKjH-<58y(W@qBp|vka-Ms62Ish#Q1zefHJ%D9?7u*%C<%H*Q8M{TiS_
zFnQ4dvnKGalmpmDX3IG8uyj3CT$ajlw`J;t2;autr<1~FM7ak+!^GC4a$U0^Tm%zH7uZHV*4~pWutfwl`M;#e6#@X`)0}Jn0KO9aA{Px{Wx!ZN!@G
zntz4*NI)O%v5S_5DFxN?NsKzNd)?Q$m37I9ranh~ye?)+D96tQ5KLTfz)l7Itmowm
zNWM_}v1egmA&dO#p0sb4V@TumnR@HKJkB`2gfxq}vwTOWQ(uMoSWKCwb)U*oypq==
z{vT+yQM*3eZ)oPuCtCXc!MQmESAOlRO{+RK0;2%UE+v#2-Q2haj>5ZoG6ee!(AYWD
zi5qlBM)^`Ah6aS2q*L9OhFOnZbil3)ej{myHOKLHla
    jiI=RFx-*f&Bw>7%s$b1SV7vaeky%jd~E)ILvdSzVPp+1T`qy=L-36#ecT!_7r
zARi_OW4c~^{o{ikqrG?}=ejy-xo<
zbCsEy2fB+}`b#I|gbqpKG9!PbD1Oqlf3Gb{i^i1q8Z3cFRxxf8>6I(iIzts}Wh)pW
z=FKX~L<65oN$ffnkxv=J)TQ^qbN1qDNcF6}_M0g!`Z8-DT_5O$rNq^Xl;nN}AU^at
z@#*@5w$V2)DUk;?meD#I{{7CFqNlXH_sg;8F(-GKwIwl^m{U+jBA}p>L%7o7*gh}^
zEB=K5HW(k42->=V`^=Fi9+nxbAQ1aPog=NkC>*=4Fp0$p$m&#D_aL+<&M0YGRT^qKY1|KQ=;u$y_Fy%s=2cV{!XIjE;Q5wu7!>_-`-
zP2UQAX3Ty&5|R1Vy7%e^(q%N%v@Q$wz0rVYQQX@EkgL^2O2l`mWSHuHl`40bedl=P*{wWsv-jiDv
zvzQI$p`Ap>^JHmMXnrhEQT(Z}a}vC^Uqko2&M3JBqcCuLaBh`sWaxSNHFYp~k}UVB
zUTky$6^txTdpp8hyTEapNHw6`kv2E;^Ee+tqa;nGJ$H+1es&4^1%VL+omXuSBd(qm@
z<6QYayI?56(j9q{!s?j`!MMY3Yg07W&$P&z@rwJ*+F^6W`5-!xlrWr@(Om&2>*96c
zrSQmLR=f^?NbVZ>Yr>ziT?%s#0t3dl1ozOyir!0F2M71w8!^{L@nOtvCy_R1i-fxW
zS1)hQP4$C#aQb?GD7m>bZy_tB^R%22x7BWH~$6Hhkcc;
zIp*YeOOQ?;uGPL
zAkZRyP>eI~ywG%&GO^2_bLU&BI?`!9qlt(>YD#gMp%jUDhkIxpA6Yn^}F>
z{BFs@0MjYEGczvqOX@B=qxi$LCk8MAdkad#WO2FzbCnwwcm-ESo4A#&XocZMJ84<
z(+;b_H!q_NE{>x(eM$mNA3VD>8YCTH8d
z4_(@~a(bk!(m|Nq^)j_X3o-b`RJP>9>jkzAhAsb$b!{y7SL^YFs=Y{XE~&>xUWv??
zjDNf#Z@fmN*n58aQ!4{zu6s#E$tv-D#5D`2%>UG^Lu6bs$GPab2&R7&g1O2abRb^yUeW$r7dn8S{%kNxy?)v{i7E_(tuwruUcXeq)O7v%f
zZ^y~R`9|DumT~bo8C^lwbh;`oc;NY9uyX3{uOG#uL5mB??>)cQ{VVmHKe0^Rr*qiH
z^h@$fT@89hST@KTFJj6$`ta@E8P%`BaSGNau#N$;iV>FcMwdXG(1C>2iKMm1hJ
z<_)Cd(j(YThN#lnJd~9l$#V!;oNoR?!Kp9*Uy;b;wckAzkIq;7R51{^>2QU+0QN!-
zi8q`oHEc$uPEKl!!ncoh|J7}VxA>3Gzo4mx$G(;Saq#%irZCZ*UO0rk7+R6f$y;NH
zM7_^iza%m*dX5@CF>9xL(J~11L;v||9SskLsY-qiC@C8SE`ONy=7;1h%Q7bh
zme+M-*<^yN#ht~LH6E35yFDJ{Zs>KH`$rP>_aXC??lA%a|M8F=a_|D6c6Q34Q{=y^
zbD3F7X5*36FmsR8-G9aLvp^ZwQVaC9jd@mT+YfC4V?dF@rQ^eseJoWh5Ia-{f$Y_+
z-RQn4%4(a4Hqc^qM{JeW5ZwQm3Z5Rqg}hIw>y-Z-G#6mbQ~TnI??9uK!478`#56W^
zG>wXBSks|SyDTH}R4-3dGIk^a3?OHjl}V&UU4KPkNrxS6E&NT^Ub#`}tg%#ytkpG3
zjc%s=MJZlJIoW;hw)z|9vEGQ5U3G;6V%e>6*V%U8scDFcaAM{O;l3@{re0W9-t&7c
zm;KxAvigyRp`j1-KMKXu-&{|>t5sF8@dyP`4S+Z&_Hf>t`E~H{b+gXTFA8#P)g98z
zTClrCvi?JJmz?fJDNPoWDcsa2*4P7!>z_|6SM_$2(d1^b%YGoB15xGmoIUEZ@9PAM
z(9PW+>As<-(KP*?A8F6A?SA~8_Vepu(7k;2L5I8V;%{Vc`<3yIiwf
zSKa3ygx-p#3i9bgV5tCOWZ2;K2mz4U{Qf(|ww9)B(vnZS5_b*(gu6uIz)@Vdmq7x%
z=5A25>ov0jkm;yPQ_1$Gx?}+kR@`%0))3)|p2I&B*Wfq9jz9Vym-wrk{p)v%)O5k8=l79DQQ$cR>hy(}~n!(3$9pVEuo
zZ%s>ymSFCyE|%WDzo~&e=IrZrLu^B*&7)UXdiwvS1okTGzPZhjtR9(HDuPB1;)6Uj
z4jQzj;rRnA1iA*Wx;xpIL?MZ;!goIRPrv>8rQc;W9YQOmt)eR~e);ltdhOqQ1KeZP
zO5W(c70zrVQF*SWy)iA}To;YVYHYf7Q_;x3d3J-6q!F11F;q@quaSyxD!Z%^m|DO<
zcM!OGoue7hVDCQCJ^1BOyv3tY+gm$+5`HYPdvwa`f6v7q?a=erLJ#vXTom^pzu_6<
z>h6+RN)yq6@(Z!qS7g1u$|3And$4tygH9?Cgo56|o8HW1;KW!ET=@hL0gC@Z#=KXpfBYbk
zqr%s-dtp^-fdX%E#NTwE0|Px>Jvz{`SCDu!`zG1Q
zHH4d#M_ziWs?Hwx{AStC7MyHVc3<*V+-Ny&HB<-lr^=A^s-u_8T^-G^u;iUO_w(7l
z<4h;!sou_h?YYs?@=`k5b@|V(!liRMl-_nSSdP(3uPivTo?WjH^bdlA_O+fV_Pzz<
zJgt6KT7R#!A3AEq{g>Tz)mZ|73ZZ?JSHmM
z0Jn%A9&HIWXXtr`H1#lf5(4s64~UkeltJiw(+H~0$i+-XqS}k54dT!!1~li17r@f5
z=S6I40=)^GZ<|k#`$@rdrM4O>NTfrquk4`(u4IH=o=NDATFh!FlrD`~U;8{9G^1n|
z{&0pib&JHCl4f!iH)1Hv*rKZLdxFIdlC?ypNp34Y^!#VbPI^U`7U07KmCH=BXVn9-
zKU+D{OS-hiEC%@3m@EZgaVE3Ib3#7x-w5tR&&lKyt07GlyD`DhcfC06<=^v=_&$bC
zjhNGh!s-FQ)vlTTOz|(Yj@R@r+IC&-UDnWBLQd)IjCq_pwCA?)7?py{D}?**wTAnR
z6Js;yFNlIZK3D5~O2i~a}?fj?b$@MCK1^>V($4_kWz`ur7&WCNpjY1}O
z(n2}TLW(m9R(XKndDpye~&2TJRm+k{?=c5EdW;;)00t9F|{{Ni(Y^)RwF
z*OR(PAZK%d;>wMy6tL!gV1Yt_cmut-_(dKN0(#q~(o6edLslII1^HKA^i;t+96378(
zI#~<}31)vRF{FW&5QKk!DqPOZsZoJr0aoo0E1wwD+xc|0&gjinx
z2qx*_@Gp?DwdHHCWqQG-LDGRNqa?^HiDe~*!uNUPS;|{D<ncw8U*d>P4fK>C
zWndg9WK$<(KOcx0#~;Yoy{kF8*lVS_wm^#1UaBtj=+lM*b2mWUxuJEm{;F|Y3D^w=
z+nBotXnn+h6^7{ekdn~g855yh{)sFob8hnZI#WD4;iZL%b>N6HdDG*w%iwK;mTkUl
zQ&V5E19!dI5B9#Ey<%-A9{z0b{p-k6*=C85R{@_ZGa+Vk8z-rY(K-C(HBSvmN4&7^
zfc2;OrattI3-5iI6;lo`C3Cy<4ZSrcMv}AAyDh7;oHFw)c2Sf#+KsE6{RH5N&$^TR
z6CZm=h4*(fEh8E)lr*_?L_SYSRz{b8Rb+qAMiAH;ce^#RF4MVx=zSu;lt6&Z-CYf$
zh+oKF=_P$lIcx5z0ru<-1=sN=p
zR$n(5D|L?70t7Z>Oj8(8PI0`Q@XhpK(+SP-voK?V5~&B&?DH*#T}{1?@dl-Jr5~qo
zrle8id5}ucWnZi*ldV=6u53WQ2TWVBe}>NoDBsu>BJteH`aSJ
zclL_2<1KZX8mrUCI5I0tbblb3u0MKA{Y~|B{^rPBnrx0x{9FemY+A$#VBEX3M3Kt>
zmNf)&P8$?_40Fo)UHm@$X&n_5FFg20&?{pVg#qRA(L3k~yfZW)*|cm(iGrf8%w55w
z;mC9ffK*9E2LXuUF
z;S+Ea4wYC%MFj!KqLYDFvj^?v4*G6Y)(~g-L<2W1TvZw>#q57Yn$1xQIbstp5$}!N@SJ?=DUBI4Epz@FCn!N4H(F>n{Ni(e~Yn0wR)Ebd_
zZ|r-L<5c;{}SC#SDATnJ>Z^d^x)P4y_OW%}w`zaDcbv2&s
z%FJ^8}SOsW3$RyGd2+{(f8I2fAZEYE-o2}
zc;R7vW=@;n=1_B|+%EjU#shMb?YSv+f|pInn{q$*JIhTS<6mqjsV}zo8Nn9w?6Md5{>G^}t6BTzibo4wmMZMo(_LHN(`8ne
zd)n*jdfLsAv5An^UfuKaxh5{8j?jo?P0l|^6QW`AFowc|@`SRbyuCk&zM<~mXmia*ME&T)(FYyES6
z=8U61HvgLQHCMPUFnR-^w8udGzW9cC-ujyI`eN|ww}gD*8wuGc_yT_n-a%t^4^3B|
zzpnDaSK>=ad46Kcf(mih;0{<9?kIfxJ+&p3K=f&PP(vABJzoa*hmgNqzW!eGTHo-i
z^XlvXLqNR0N6-Zim|EgNUbtJ&U_k%Hlg2*GSRvQt?sg68)vg}*;$GfOvp9IgeAO--
zJfKdyogIa#4+lrT$%zir`mQgtPn}hEuQ79nYD*eW(-PpYcmbM=N3cjJO4k!oFxq~<2O9F1fp`J+Sy-Y(o~2TFuI%YQ
zRx&^K1uX9EsT9v!Q|Y}9Yu9?*ODWwYOGo(dIWh@YKtVBf%KS6rat)?vtz3NZwfbDk
zn(m)b44V57t*nX6x;#N%FQz)e28{IE2ul9e5%oClae{5!Uvth~hB&2u<*A&}*Sk8r
zYqR`HU&+9XOrt1s?Fp=Xd7Q7f$tYoc3~!2f7)Sl^KVNVu3_DO&S#`^`34qc2?hwm)
zckdtewbfYRA&!67`s8DA283h4>YJt4^81vX8=E%uk-FCVy8wW43=G+S2tza_ByyLxC8G5(HV!$i3Wn
z?}rz_=6(V&QD@0VUWp&ewn5{S?BQ4KC11HEzE%FfE%klbcAM!SbMSRr`Db3KZ*X_R
z_c!#+zGraf3%0%gYkYX~o-sQCU@UBpt7G@C3=+O@(ax_D8{GScX&)dEi6}8T+bcFf
ze+t<|_+?XfVNnpj9`+Q4Tn*YyZs!uI09C3qkC~-RArsm;C6s_A8NGH6fviknW=Zo@
zsZ;>5om)(fdYtf{`773MKRS>LxmJ51koNfZY1yu{WRcmtd*T9&?x)hJ(
zyf2Jmn&Y@;lTyx_6ri%r7Dq8Pf!n5q(Z!kji`2(lmJFx~xg6?js4IEjvV8RT8Pgdu
ztH`;p_PbMpljmVbb$IVTy{{1A7xi>KZPnG?Z90dc+ha9%dkm?cxmtOgA~^L!#HSq7
zdY1WgR@I6=lZz)Yxl{**$s-V0JPLLjS<)-FOjRt2@iX%kD1|m9zfEPl^hhK0`cSB-
z2M~H?A_UutNCm;&ms;G5wUgmYPCU3;VVOx&^VId_bE)*bBz?-~n@
zb2wx<)Vk~7sfmAFy^r(CaoLGZ7#Y+ek
zVrg6Llzb{tEfw$cS4}=^`qtzd$pKy@^6azjEn9jLfgZq7IU}r)&%!}gGMTvBsi617@mf=>=0d`AND=e_uViw5ORqqXFJ&KX5-
z(mbM;8;0?|_p6$^hQ7DeOG+kWE{92m|1;6BfM=ja<@^s-gJo#^iqdPh3g)Pv*W_3;
zXA=Sr)ai$bMXte>nPgJpf3peRJ&bap_&6rB|EQ5!ai0edoLT%a1@Z=2Y+g
zE?CKO>VCL_$e=NVKfixwBd)+v1vu$Pfx6aXG04&Lww?oa;Jd~z?A%|hp0^=t0PdhG
zPO2(f!tOwu7fzSXji^t2{BoCdnH``!q+uU)gvwurir9SRq*INID#8TspX>sTQ5(I@*<8+kW^Y7>OAT&;s
zs2lI$!hgCb4P&w}!m+>Bek}g{fp`n>iqrxoNvabOBvA>?U`*2v=j-xbA01tzS9OhkTRI}&vHnJ!JLahG(n+rRB8J!;{t@rgwLPGCWzHRKtAp0mt|5!QL(L
z9*>cqlCZ?i?X?YU+j<@*#qMmV?bz8vZD{>I^29AW$~Uzy@>nMaZ}BE3LeK@R%OuC{
zsITpOvK04pQzS-j1$?M~+NK(MN76fq>8jd-U;RJVzt_MY0o)7`S0fh?p%^)NGq8d#a0?@>E3
zI0ZAFo#X9nLP1R!M&g`PFmw+69jo$3y_!9F-iQjIj9|wssO0uLz{!n;=#iHh>gAFb
zQx|{V+k#k956b%+i2!(Br+s_<*1A~TUsM|Lg?`8#CDdIdgAnKfN=1tl-yDZ0Rs^w5
z%8!lW$7Fo0C>xl+6*|?F@vG(WQ#?X9d1i=idUZYB^^n8IG}G&A^wWb_n5(s3q3F6)
zRa%};ZmHM$yR>h_jJLm=7no!C&TmzZSkWg
z>XK`V0V>Y;6DlBUhbfIhg0s0)s<;AC^D|7zS=YPylc&X2+5vHvHm!Q4ar@Hl`6oya
z(F|}SG%PMtF2V?fRPoJ0R0~;p@Kqnhvj=jXc%4tW+eI-m-ud|5{O1YAhlpB$D@?5i3LiHkSfd#LP{Sl%xC4iln@7s>{pt1#b1$L!g@tk)bx$Qi*d!t(iX?B4YfQ%
ztj|qT!G;PsM8QYXbo2!S6!CuTGL}q5=kqK5RXi5t3=zE^+tdo4D$g*XWQaDCp|Fx&HTR;0XsyzHk(HtWR}y%-;aSW
z*8Q4;xDQfabAo3(hq7MezHU!AU8oZWji3t@XxzU>
zCIqa1d0N6c>$!!*`-vaT(At|%Y_bRbwX|d_{&A$q4S2`-xHTKb;v5x9BQJ@Pz*S;w
zCtMRNAKy5BUBV2BC>J6N3WQ}9NLE=wXV!H|c~V|>Ho3U0;1+FW?j<6py!eBgLjHJd
zLA>k8#@vFT$C-;M6ZNG^q2b_+b$P@Pb2_QFKa~!%RVYLSy$nI1_$#nLR}Z#TRS&e?
z>&fqbSY0*rFnK
zcmkJMB6C+ecsbylEP#lJ4_+iakTWeK8211;&~lAYRLMs;*&^}QbXP*W{QnrD<
zH}8>%28BeZR}f>#hDwoGUqzDK=d8mfO$w{lu&P^oC9q;5k{zfalrp>9pozl?L)!6!
z!y+Qk)s~S$i+^mIpRPpFx0gito&JUhCkedJqMK~;S4+Bq5>xElLEu(SH
zKj{+cj^`o6d9jNAk?pL?joj%d11=WZGxOKoDdtc5K|Zip@Y*KO*Y
zrA%FQV5VNav2`}ryDi=S-7NF;cL`)|TsW2Q4jr<)pHK95;3olY^YV_irXGth6w7Q2
zr+R*0JKh#hFH6XF}k`1qoiEiLzq0>gM=trTULt;8&+GXA2zNQ6*sLu
zq&7QQBGG^4VuY9Vhu38yAV86k^^BwtRFG7dn_9Nih;6D}x_di%JgBhxr>}1Y2qF9<
z_5f^AExmndx9gwgh4nE%+d}QLy|ctZUgI|p4KXz%Kj8)^wB5MVi_$&om-Fng7PXWP
zcP{3A^X?FHvGA2gq9FF-=J%oQT3w}G(%ED(wY_(%%VKI@Qf-&ZjeRD&LY@{B_-EqE
zzVAj}F52+<6(o(NU4{d6YJlI~2fy9V$pFRtm^t9?H
zFYCw4ZXd*nAj-lXqVY17(wl*ogQwy9N3t7ljr{y?GK7lVVncke0=M*ZjQf*}NSt1UbOwG$H$Dzr2
zc4|A8$|B?ta?xpod^8S?rO>gt`4#xWVjhNvmQ%@8u0W%qP&hn1L9v}hkV?=f9-B(S
z;}|3YpGv?p$uf(Cr|Wj}0%=ibx==<2i_*}F{iXa+jyb;%wy>Ak?@G)Kt?%m>=2Vo$
zpC~gZ<)~B)vM2=uEiEX*)3x|wDk24%3q$8Z@lsUiqwlY!7Rf1+GDa~)hD4E7v&OC
zo9j~rPNGrbG@0ZinMG%@5Xbh=lPT58assM+HV$7TM`BQL
z9*fw0gUi(Fodg;N&ZkTJy#fvFdO%*(<@aw5%LsX-Ixx_TrUDv+LLm~7NHSYLN({!R
zFldlq*!ThYz#U~jAbgnIY0IeM-@~pni;L#Qt6o1RKW{`f4BXo!Z@#`Abl}+QR|vc!
zZ#!FY+yb1X82$P9cBa=y|S0Fu2ZAP<>%`EV&
zvv{tOGYzflZ^f5TcY#p=!gbG)TL-UMJw9@fbI9pr_I>R)m2p)M!&-d|9
z_<|oSDS!3?FqohFLo(k1zGf1jXBZ9#*ECZfeg7gf&HZ@iLOl>8CdF<1j{AUfi473%
zIt{3w0HnTik`0^z_dP&1XpH^|4M-qvZMTrVECPi0Gl*8ZC(UX4&fs#iH^#9+Z8Z+y
zd;`t@1(|)Bu${m~U^iFkc0J9s;6gR$zR~5d6BOyA2}B{Nb6@LcUh9k;T5@9|0t2s)
z|5H?}@7Q*}T|W@q|3zRMWLC8bh<$nF^2wZ`?8X3`k^6rkXBj=8oa0|9M|@DH(6aKk
z@I3E1Q=smmWW|ByuEp
zXtW)AUP}yqnwyE3jdm91H4^N~#nyDNgL0F(kzAMGok)P&-kB<~`u=sePEmZr{DiIa
zCRDFZ>YL1|I5=>dhUCS3Gw?T)r-499$VM(@@e;jv*%;n$I>kv_1;VdAwg17nd3Zv>
z0$m|GJ0F{iy{s4fTmaBBpw?ZN3W}JB(|HmVXTnODoU<4m=ldKtrkSGjt)LIGA;O42
zV+Bsh^Wj4;HCr1Pc2H1{!x#ha9kdN|9*A^PH6Hh9Xz0>BqD<*BBc&1A{!p!1?&&`X
z9;`GhKM2f)F$Q_$Fh)O&Rj{17Xr*T214M5|AxlgY*7Z-}Otizi
zO_x$cCD=MRP`g%``y*ai?%E0=|75u$R@1ucB8YozjT*5%up{znAp4tFs0Y)7wA4<7
z9OYPaU5POA$)hex8mUjKKB};(?|A(vw9Kn-g^FNgjt1Vi-6M(uGAG^HYpBK!)AA5Z
zBj18)B?v%+&mS#JRW4SLx&oGw2PuW3%fRLRv)UX|lqW1YxAYu$1=>O#YbZDmgg6_3
z?9Z|f3bf)`8bIPfS0**#B{y%*QfwD02Q|euLDH(O73KkmmmQ@#@e+raVMKOlBPZ5Y
z&fbME`_ZoB;iq&!58&|c(Dl>*1*t>I8U5viIL7?p(1aX)RaMBcH(*&&h-sF1nFYoh
z7bgMQj!T89(mp+N7Zc5PFqPF!IzFFZ1c`;WvJ>3P5dF_~O5%RFqfh`C3)ok8+3$W9@^ODg
z@N)hBDEuCqqj0Cbss~i#g4R5a_}d)0c4rlo;=)`am1!s+p^3a@BVYkqb621#6s2wl
z=Yb{UG8u%$VGMfEB)BAOMD=p=5L%-V`;9w
z*H$(r;DvQ>Qt{=MDC5{W6b)L6ZB)i+ZDsE2sJB`=ZE(;)nQqheThZGzXdr}xhW7o~
zBggR4WJumLt89`bWaG0$<2ExK22RNp5{JYo<^ZWkLpcbj+**veX?{yRB4H}*H{|Z4
zl)wdcVwV+M7iQV$WxvEb6ku=axoOBjLx>CiflFc#HJ2ztAH$SgSr9jOF#Fgb9_iP#rFYrcN!nS>DPXcZKHbnr3QFLh&NPeMO
zL&t2k$zoG?25qxTujuD*FB|0vO9{7So84PeoIi!A$bT;}3peYWK!a4I6$j;;rYa;J
z3huBy3AR<{jF`w~xebC}U$G@67b}k2{|6i?y&Qu`Cy(Cxrsad&@TQS((IaBJpf|T^
zlBP;Ma&m^{8k+fWGGKdYiYm7-)!f?o5Hiy3J(D
zZo{J=9DzV=b!T*V@#|f-y$(P7;Pzpnzp)`~l@Ihs_cw!3ZcaZlL!mu-SaSp(J<5y*
zYmR{#3&~7`V5Y%GQ|nfTSLJK45xq%UQ#4jE??1$&m~jfkRptE@^w8(ty77qB7dol-
z^%b|DlPe6FE08g(p_x7KHaE2#e-0@`D;V<6PFrd1Y)#OptFej3wrNb7Tf3x%5tVi6
z7^50gJ(Gp!iiW#euI9e{Ch1Pyb6qoWU#)Ope8Zh0D)RYpFZtIB$Sp%2ZTJWGP_3Kb1PtK|<=*4=nSzm}BT6#50&;nOx
z8En5;CUly-zwfec^1Cl^s$gR3QW>L~!s%X!%F-={yr7?5Rp{~)1={R&sbmvVYws&h
z5gtqqBu~dwlEZ``Ii$lt=ESOiH!YL)BSmBk)|=&>h>;(+XL6o
zPSgcy*8UtzJYs|gz;Fe9xb4=vKLHRqSU2<>xXUgFIll`lmfz|hTAb9C9U7}!y-$iT
zRVjulH1i-hdQC^Lo5ZGv87GpuH%VNv(c!Q1`!fKM`<1P8hfI5*G>nsFPZ8bF^9F@6
zxRJv2^VCNE|DRQEjveV9J5Ug&O1a^h`KU>#h@$S)mXv*vJZ}zZVIuu{ufz4}tp3@g
zFiV#6%o@u_{hi5>rfX
zJ$r)L653BBH1~C7w&wpVXDvDUx~iT}LcwJO2|wxk5%nX>Br=llN_Ecvx(7DK|1|TLb>~NnzT6$v&kHt0&hJQ?qs~%T?!a;dJwGjs^WaOrxZl&xlFR~(
z`2KYB3oO4xlwKipJIfIu2r=?x;C)K%|DvbNw
zI7A|s!l{%H9jBC_+iBheCzx$g({?7K>RRD$sQ9w8EP@M#T*l8;eO6W;Ny(xGxU|fK
zkf!k(|KX4FQk{R|55;pR)IbWHiabV6X+_}D!f6(lCUP8eE=;tObK+pRtnA0)t}G&e
z`h6?QJhXsm;?RmqGaCYz#&#TA&OmfBu(?}fe-I!dd_?YNDl1)c#!q`6WJBR}a%+;9
zuB=k2gLp>8tRzz&Bx9OX8JbyDrB++lJX&&4(5~|rT9Z^A6yM;V@&Xe)sU{3lmf$04
zW*1oW*n+`Ib{HdB0w|b}ilkM9gy7#!FXWwf#*#aHV)rjX1#dB<)nV%Shz>2u{EXvY
zQt8SGNXnz1G6umV?0`
zEr(aKZaw2*z;zpiKa(fPT_1`a`K7P7V@u@w@88Fhr2k(K@hrGE=lu69RD%mT^OG%G
zpZouxH!c>IyQ#KQSjtk(Dy)8~`|W6*o;SRu`KRm0+U50RE|q@du{ZX!*H1i_!JoaH
z)z%!iwmLtYQf+JH`>(1jb$-W7^%R)mKLAe#7M~BmZ68cfURZr_kjqDGJvd4M9Xy!w
zRG2J5k6(n7C1~j-+al?Q8VKk|lb`)Q`3?&d7S8GHpbBPi3}hhp>q8=IJny82UYOsV
z&M!~}vuc@9I;mNwO|wgnKGv>3(>V)uC!Mm-irU;5d!mCb4WNT5_|`}h8x~FnRKaYc
z456^No>+N?gP8&h@l{h2c!R9_lSSAnOh2AQtr@N7kYEeW3KQyjYRQa({Wc@}V-H5K
z!Gj0VgfGm(0y4^3PrLxz{JSWJGtK$PHQED=fZ*yTu65#WI)bVZm71zFxD#g-l`l_ptcsPuSz&T5>9%6a(vo-K+l0R-wPL*nS_kevi!b&Pm=TV%WEEhQXG@~r|o~m?lI;`mbN{p$*ugN@@EABK=N$W1$
zJ^DVQ{)`4NWkOtqDAiElV^)0S1cFZGjz3T|>APpkK;-Xsx5fssR$@)C;9$w+_&UvY
zaBLRhQi7<^x@w#iyDa0{-%!lVuj<#uVLp&_$x$
zm=oNq=4GGxv^n{IN>C70p;G-H8IPN(B{xDXum?-szjkL{Ys>#A>EO$hB96YcLV7Y0
z;gi3+{H!rd$qF-HBb4LoJ8?&xt0_87a|vi(Zi?S8gc1t#>kQ-fK*>8!6opZyXFIU(
zxQg+sq>0i{Wj(M|>w(L4T&^I}Ez1LTj1Kpx^M-X!uckR0O@?Y3O*BX^KjD9g)&pwJ
z+>CeIdL}rW*$mxXp`M#tSc7|Za|#vKbKLvn$j-F!vL|OF$lB7)`W~mjUEYD|a}
z&>G~~k&nI=C2KHCsVkVcId(-g%}NabMKwc0p4A|lFUh}(*Wfd(Zg2wR)zkcw(5&tL
z-`#jtwTGp;qTV`>h<|ep73L4mQZu)D7PLKO4QbvJxzw?->ABz2B&D3fb0v{&f4rF&
z@-f!VnWx$lZwW0WoZ92+&XBzCi|5Y~&CTaZ%S$6oTya8-*eV-fku6<uep;{=3T91~LiWefu{%JXf+P?ZRiJX6>)abU}9P!MT$}TL(S4b3gq}Q|WaGH5r#&Ja46Y3T2mVHkvtPhuPtGX&LFBX>L
z2XJ)r99_(X>-3|kENA(%PmSp25_xTHZmxQtvq*(em4TjtV*+ZspP
z`_fet(gFv+Sd+4uBu&v0;nmKRjx{m>#qUBwghyAcP^Q)+kX}ax-~^3R2LBb8%AvZRFDyWx{2kBglyH;Gq+yt%ZaT{
z-bw1GYro4o63D>=SP#f4K35Llo%{ySB^yhiVQVtS=ld!5Sf{3l+4&YZ;pdY4{vVa!
z0zCWrF9pV`^VUO#gc+%~n7=ww2_GoA=m!+?xB)VRcGxVw!(nSW>~GJqTV&&3{1)0o
z@F&>*fYInb0K)5#?9(LO7mnuwDDaQpsqjv4)6Q-OaN
z%Jupx<@I>fcdgPyOmHgF0-tY4=Qq+ZD82+RQs5Sc)-d!pt)f0MNH#Sv|D7JptkZeE
zFVH{vNaJsnwP7R<)@q5*6M_$MM{&$$Fo(rW=VH=eveuz9w16xkaKZ(z{2It?pvcY{Uq!?uKKG4Az|`&hb-sdlfVO()rRMwK
z?6*EbToQPShYgUR_PDYl4?uCCb`)(xnrSD6e1Zrpm@#H_#C+~uk)ojfKFO-ZWc5e
z;+x;bcL=9A>g9Thxeu`DA>UENMgY|mbI7ppr9I9qp;xDN-|Zz9bxWM^Oj}sc#n7T}zyCU#J#@E%g^npF
zIs5oKgs0NGCZh(Nm9d8)wPyfR*pk$|7+b&xwy(5JOjrY=FD5mYuMm=22M?ENk|{~U
zvxaV=u!ap95X9&@Lhw6}o5A>O-@6(hg82)lg((i$E&PTy7ymiY~+Az!eLI9;g{VE-0MVQJevjVv|X}
zfT~mBB-yvp>6h`K4N22Z=>J?_?Q8BZnW+04)hYz_=TRO#}q#d0aT@1W$?z%;_vr
zuvRZ$t*Sc3?>VG`Y4o`q`O{rf=Qd+rYRj3g&hNs=~eNh0&!oG*6+*(L3Y9EohqV=ancY^ToiiJUo1|D4f1|B8e
zT&d*>jeCgCD2svQ_)t~Jo-jOBXC0fMA*pe>U#LdghkQx-XkBy2Yoe3c0F<56*8b4F
z?r%6*sm1QhAr{r^=^hvYB2yEBLCo({V3yr1nldUE?GtsAWE!IY6I^)uq_j(^ua4U|
zEOZ%0jp#h?qyUzMxx0XFpoeX4Kmuk~IdXSKx~=-mJ0`7{XgX`*mv3&@i#7AqRV#9T
zs0-{#dg^>ii@xPdwzAS_aNu1{Ulz)sAR?SpaFv~M!k8(JwD5u~6}!K1r*z32&-T>(
z9vnwC2T$a~ja7y?6fWqjjhfqIS*6uId|53YfhSw4F{Al((swTNVN>YsT7e6)Oi}a6
zW~)RF2!J>Z|kuLBb{fpApCdJw@xUsP|=W>L72f;8ohb)VKT&>Ys
zN4f(!^BL>sMaf+oe2`I-V1{@|5H~b#?b-=t;X89o)+3?6x$tb))Z7tgIr}vq7CbJI
zXdIXpt@e}y?2`y7gYxjVY|9PF#dODS*0}1!Wm!;zz|p?+eqX(&;>;7i*c91iFB6AD
zHq1bAb_vFG&_vs91Nqy?w=RcOiN))<#;iW|UF~?^!4u&``AdM?q3dxlC{p01P|#eq
zExK-ePRE8`mT_ns(5)b2N3L0OC?LV_M^cR2{7S|d4uj3Z&TpxeXq`^k(L!n13yKr^Q
zAs}+>m4dIe(ntNfGBT
zo%B9AOhd4Yw6}WX7-S)F%_y~YO#;lUZ#)V)nw~~%Lef>;2lYPRy3#DW0izBu1Txa$
zGc=oau;tF^Msks>d)cf93D!MhexB~_iVlO~50etHPJ5`56&ypgQTPpwX=uo&$)jU1nD|9qv?~9UB
zFA}8K2DY-=o;PtH?YZ#&|0KnidaB!Sy2TXxCb`+kTulgfd;DS@)n9)4`gnVNx?4Ss
zeXF*@HW;f|q%9watX40>P`mOHnT3BaFDz~4-~?JV$dku;%*tT;7AdcI`a`&A(KneT
zx4tG-llsi;Q^5sIGfAvpBf;&3B^6TBGc>vs-1vqtniX?!=#=^rFs?(dejx*4{Jaw9
zP1b+UFSuXkvshu6oOnS!@KT+ZG*a4I8%&
z*S?}Y|9;#Fo&Nm(oAWpA<^J{fI_{00hNhB&v#hMZPx-YfzW-K$QRWLo8Xg@V#!Viw
zQ}B#}jN0)O$T#$v)$47Hch)M|3IGLdD?J`xbYNn5V&JH5wu%Zb!
z5o6k9ETj6Y$^iDXNe(DX3uWTsWD&iQ9|=t(JONJ6Vd+t(qx*l~x}?Z(j2#aUzYm)Y
zw?z5L0q_r{opl#*60jhJLqe7~UY+MhFnoc;1K8+~d}rMTCSCWb#;QhAJVPjG2%RGM
z9q9n3!?tKmi<659F=BDM-~e;(Ih$<~5gjQZhohO-H@4rXjF~Yav&3BUu+-
zUX+1(bia60NfTCH7X}IiP07hFBehf@h~NPo>}Cj8Y}phX0_RxvZi%e&N|bzoK^z0(%!UM%wdj`OT3Wpwv}B62K(E%
zo;|OiJd?858oOmCNp=mymo~@2_ntN3C;}c^V#D2tQ$r>ARO91Qc1Wh-6{`{{)bZ
z-4@gM*V&$kGOc@nOxU&=t01v2xeAHD8*pL1sic)1>Io5kwravdijWUIs_sE?QW0UW#Rw&n*%$B&lgL2vk
zke#%RW^u;wkYVFlmn`5P^O&wjdw3ts^*`ltyPxtSs{xShHh})=d#5VC~(-tP}3c!l_x%{px227P^k3TfTESPXeD{&=6)C9X*2{v(4=RwAXY&hk9%<
z=p472L+nkeVd+=&ZGTD{R3w@ps3x)O*j@~(lY%QGY&hA^v_eesHk-oaNu$o*2wY{x
zyqQ;fF-PM;$Ux#9M`YgC2M!1>rGC(Ql(C|-5i$&E#}G%jJSG{IdK;BotVoq;8U-38
zUvw8{*bqA=6+eG-K-zlHzos=;`=X|Bp~H6w&I3mRi`2
zcjuE@0Rmlx<0V_re*8^%IO@Qp1J0(Wv|R~~XqrI1Pe;oLsxD3}?ovsXIt@toCEF{B
zkV6CvEgB=4+#bi}lH?dA;Zc{98%N$ropaV@ZfXP_GHIDi3RP@z+v9U?l&B?YB6!)!
zKm*QjuYuN652=T2eO~ruC2PK!JQ79J(y!G!iw747v^LPFFIOuy+A!unIJgWS6!8gu
zI0&=$0iX!n&4S`~R+4edBci-btM-|gXW`U(Qw%;`J|qDZ?L)UUVp$J#V=#r;qajgw
zh)Doh$AfgtUebjyC_oy!jOH8O3q9>CSL4Y#7xH3QYM24LtL+rotzl2QZ6o>^y=ttM
zh6@Yv?S&LU9pN5xrJ>L7bi
zF4g8uN*0*xg}M${jQ*+r-@ZTIl{K{bN}Uh5MbP%nb>eW@YjY7U8a=Q~W7oudf-UKf
zd{3jY=FlIUQ56eLh`TDI7Yn>`Mo4)SND=cJ(wM;%zfwUi8Zcx%uP(rEgi0
zD-+?ifaxuzuRwhBDAWRm9S1=R?#@eX%mvk*NlmtO?%gW~hem%muSU<#r1zjf#wWj7
zNJtz#t~jW)
z?sd?L2(2$GGE90HDfydV7dv7g1b5~dxi7(Sm=6&1*?yKV{C6Lpd>{!Mg!cp;mqxOU
z7BZBAhdPbc+I)FFeAA6~O=(uWjwls2z1~&*g_~cZAsbt)NWx!c;?(H2bkSZU?+M$;
zS~4{#SYo<%&*ko^!Fj*~M{5c!8iyU#1m{_h(%59N%``CCS#yIz)NG!4B)GGZO24)P
zU=Rmq=OO9#OtVNSXLcmBO;=2)-j;KJ^sXJVlRVR!QoMu{fBts6dXdYF$!u?=Vhnko
zG2O+b2j;E$Srr+0SX&$X{_6YV`EfovpM;+=(MwSlmN9+NHCQVPs#YdmKC|>SkEKKH
zx@?@QF0TS~RJDm}K(5$(}baFR|kyc8iaPM(W>23?GY}^A)I7&Nk`TLt{@wWlC6!Sw@V_uIUh#s-c84
zXt-*Cxc1UZ#?&mUgj(yy%(tF3Uv$$%FSnT0EX~}vUTaLgT>`V?Y*IwRSbPeVrH(e$
zfg!-ZCrjjJ*|8wp?y=|sb(<~#D;?3!WU(5Y7)0$0FJFs?buxTK1Y$OBUkG&rp+TR8{kIty^s_i^cSs7P5da9zPtax>v
z<#>aHx~wG%e`gbyNP+hQidLW#l{J9C*T|6_p|Y7CwmbDfc`3L93B>qSQHMNP$Vx~p
zA%H$h2Z)C>35w$a4N5P0u}lZ{X>^!uC1z@%2Px%rB7F2ma753MVaHZ#JCf54)1a>_
z%ds3VfMy2PBKQ2Qaus7nNg-I*_Tjgv)rhfeYc*GK;Idd%s?e
zEAq)I-d$g3?-~IcKf-no(vpa8hTir1aHA=6fCdu|Ok~zRK*uP=R^TE<=i_$%c9FHV
zOpdp&hrQ97vo>*A;JQPEJ}F
z$A39Xa;ESR2ci7v)O%@2jYn{VLxwBu5Wy}t!|-&IR^1GzNJ}Au1FWGXSoAt<=X63k
z0oBvpSkHJf&L-=!Oykhez^2gp*9>!%3M9Aax^!pC5&i&1zx{B(wFE_sH6A2%FR-((yDLEm`rim^kvWrl+C@C-^Y71(
z*B7Zvsv|CLVLN1)jUaL~rSq3>F6YxxY|;fnRNRBzW@T)tbsj@$%A^*y?EB>7{Y^zn
zEL{He42}r%Gkj?2r@yNI2y6
zAC+JDOa9HPe^0#-OUA*OwZ?nwk|}*N=ppF+i<~m38^`l`1TDmxBrtMj(c~h}ukJc5
zp~jw}9gS@~2YsbuhCv<)nbA?l;5QDUCl;r0453+K-z1dj_@1m`RcEsehayWTcD60M
zhVJ^&pwEoY6y&9}3O>-3%hWWT>gv}xCCu8G>5IVFu+di(;9~b>m~P&dxA}e{;O3qg
z$sQC@5cfs@D#b7c11Tn5jaiW)a|flAmJnaRg|!JoP$DKy2e*_ymK^qqqU2;e9Kg#+
z!}A4y7WV6jfZL{srHZf=W<}+b+ZD05U^exx&DoFHoq7ec4)WHpL$z|~@b`P&T9Z_%
z4ZG)RQ4Zih;&EMW>Ms
zEGBH@Esgq8{71vjAO;`1InV-xNxCK23QD%pK~F8`5}CZUwY$}_Vj+jx17=Hd=yU=B
zfdGMk!9shK)IBZN+1~1DYSc9>S65@RnvDYOa%!c#N-8Gsm*cXT3@RCdH_NeoI|?qr
zazzDsxwYi7nvI+FZCyzOIKW}P5jiVY^!_r`C2~-K&ecz7?{0nP5mmK@sU}I_knjy+
z0m3dew}Kz!e$@F55wGNdcX+hpKy=M*aWM;rphnePi@cp*&kB+p*NkKWP&zOq*9m5P8qR+`KSA>zNQXR3Q2*OY
zj<=fu9W;v7PvGdvqJY6`D^dgD{fNcY5wY{Xnt@@m4ZNJjiZXI+!#x
zT4)uE@C?b6De3nw6S#Az%tu?Yse*pi-XF=yVS3k7EwigW#+Y0A!I)_iLA_XgZf7{^
zB~k6)xHOl+yuHMpLVtKrk2fvV%uamJO2t@dz0z+607m|7tB>Ap*Ta77jV~BN11wCJ
zEvq9XGJ&e@J^x;B>pY|fX_Ar-I}-q(>9`B|E0I(rSo4(A?&l2JoSoC^Ru8WfzRX>V
zJg*z=1Z7hG`m$3`_)S{Wq*)rs1K4~-n%?3Bqd&SGJ_Uaa4ir`Y8@Ha
zWK^V))%Hx7l8Rf=cU_64o#2`8PFC#XFd0Jj&Ir)>@PySq3$)ae2r212jS
z!#b{&LSEFZ@Pu)6m)t`)hx{qoe?!Il@NRh2#h(xf*>
z>hJ(D!pmip=W!o#KZFu%zKps3;K`>5Z`iR4RN`y2G!k@d8uJj2jm=Dgs>Kv>ag|AF
z;pljusr_SjFU7QNr1@W+50-I^=EHnTE{o&tz2bPhg4U^E#)v_?o!$qKCYP*Xy@xOq
z>B?8;_$J>WhAl?qA?};qJoYr*ctgpl8|1lGnZ6FZ8-^YtxdgHAb*S0jR!uO+5l5Bz;>^wW;!fEe^}DeN}JLD*&9iwl*2){{)Bpr8?YayE#m
zl3<>A0sL1tO1Xg1tf8LHJeYwa4`8N0sb;Ogq851b>U3~E>cfDx5fNhUPdkGB!-mpw
z4M&u++$>b`2KUJ=;bq5@=miAJ;^MYi%&`LKwLNPzv(EGweT=C6@=BqONohPObx-dt
zE8UQ6*kPR%HP|R_mF^==h3+Y-)
z>+ycVvUtLS4=`AueY14GRW!W$d}xjnoIiO!9z3%a?FQk#x+aZzy~3He;7mNr4`NIE
zg0n8((}mG^jz5gncxFo9rV~;NiKKRy5#}7#OT>#_ER&nf&j&w+nza<(prp9o=LfoI
zwOTX@N84d?SgkQ)?@5Qm3~Ox=V%&Q#s30eq#W~tiBYDc*qEXuR&&J(iJv-|FdM>>8
zE>>dW4CZ!sEK;&K;$v3ky@`b%Yd8y|{>V}pJ}+rhi_^y!Z<@)A+T5&joH^c{>%2ng
zzu^?)$onP9ymphfO%?6+>NUdjdMpZ0JfH%{tedj)XfaKwI#bQH)FMk|jU@&%KTsXS
z;RN`0ddJVpLVM={yVt68VJAA)6QUNl^!dw!yV>6?|K80}vaoTrzK)bL1}*}9>>PBg
zMD2K^(}kLhxHh-W?7tV|VHnu=L2E9l$oXt~0s}dm95RwVL+zL^S>A$pWl4
zB}neCJbm?@J^JyA8Z)DEyA`vkWx92HOX$L+<5~Z;j@kKed@Z3zZ`tstNEK
zW-@gj^Iwm&n7pLyUv$bSKS!l!`NRA!3BQKOQtpx%(#cVVPgCD-`SF*4KJWTLnWgpItr8&wMHMKTl#}YOuHPqMGE!9SYR-=#z`Ai0tRF1>I*`n)M=UGSNc|$($
zR?lOqLcI6CuTx68rjg~|tW`U@C-b|m-RFC17Dvl}UexgbXY%OGG}WgpN%~jM@hQN3
z&i+&PQY6&Pjq$J_D;$NH%=^+9`9>fR@CfA>kJjDFT~xA&)4eK;jn{AN!p49`bo{BY
z0nmuMGcvI;uzn4nZ7eYBZ0B{&F-maJ)S{zjgJ$E)IyEAcH8Pi`O<)-@@p~1U-i6!O
z&+SNf1x!lR2Wmu~49$6R7ObF`nN6PTgZwM4=TkXZ=?cS4jh$p&lKFkFt8Qw{HQtKu
zWKo>pE5x34S>4`>$FFjAAB0bIOVTqaB?+QgPK61u3Shush7^^-L88T>QxAk9N5zot
zcnUin&ZGOjs4jJ*5;89!j_lM?lEdOK6(kZ)UNA@!a}Gt1{#Gfof%RgYR7}js%%&68
zz86F=J*2`ae)nW(Qifw0cN?PAYOuT^7;f1_mOEEu%N|xq*IQ^sl0gF>|q!8nL
zfuhEp?{g%#XLvn@lFb%Ayh761+xO(6vek}*M3*~?>t8Z<)=P-T^J_(o9PZl0cWz4{
zbrt=?K-aR{RR!Qk;|sigG)A|CI=F(=(>>&ba^igHey8XIhzDf7BzgL%=mwaLvfK1svtN1J2fxJrEKhK`
z?28;PXnsESzr~_Ij9d#38;hEc0i)FIeh7k!DyE{Xx=r~L1}w#Ygk_!h-v*r
zx9Gfe)1B~Ixv8f}?3=0E`rD*=yY-%X<$d2aoGBz#Zc8c3bgalm%RbzBSs_iaX^BG>
zyizG{c%|ELw};$>1AY@$m0?{49RZ?f^OGQF4?!6%SE<$n=E4)*pxqL
zef~1q@euURMI8WePN_)V{I=oP8{v7ssI|Z=Qo(gE1BB
zjG{>>?2!DlWon)A^sw2R>oSkS62fvf=e)X(XZytK%Q8g91w<)RL|WV!h^DdotX1k^
z^IhA~zzBRjkC(WB{XJf<0!A9PsB$;htF_H?lT3NoS1(+j8Q>@^XW}<3mf2mFvCavn
zI}0hTmf+X#o*w6;y{~ujfe+qho7Qx$bgfZg>aj*-cC~az+)_Sx^?WjnlI&5*a_A&p
z$d8NJO{59l;8M*45sH(IM|;RWe9sUnH$Z$Hp7J`Z*tC#AgJSZQG!f};s!j8Tw6yfS
zyZddih2~J$8C~m{f~N;@%|+0s*wM=4HuMx+&4vrG7w+;=rs>ts><;_k{o{VUYzFkV
z(xsS$SZZ4K-hKe5l{zz@S9$+S!P`O|J)hAor78nfxHqh2i9LV1bQ&LnACC8X0
z!51WnAeFojnu!b(AfOVrB+y_`QizP_XEg)cVz)>JD$_)P5HoLA)gOlYnh}bkh4Y!2
z7tijXi!2c>gCFC69{}rpP0v#pEqS1gb{>^7(-!FvKa8u@%M#|}?5b&+n(N7UQmJfPWR#=s!RX4uLT7z%
zjZgo|jNbq(6pMrKoXD0P$V-#QrGaXdx_Qi}N$0+oolzGd>kg
z8Dl}^2%GvC-L5Sa5~n(X2UeqnO)GaaFv8YmB|V0%bPGqA6-J2Vn6e65)FO!oMx7J^
zAN{Z1PP@PrO~p#M-8@vS)in#?=_XoUVW>{QG?FzfBkD``gMM#3(W1k)ZBOi$dP)_r
zY0MRv?>w$~`oo2eP{bxY;-m(j;(X?NMoheLmz)spb%x9*ENdk%`W!uf#}Iw?|3JbY
z$t|#VaS&5Iz{Z-V)s5tg6X<{i;Ot!{9aM0D9KFm~4X*;Q)R&XDqaOl3dbwEpcL?6=
z%REi1kcOtymV#BpSV|DZy1>D{3vX1EHT=rz$@PYxJPHycW=9mq!h9TCznJguQ*40<
zW-coZpC$-rSn0}133u?(zB+p*kB{UA3KX+D$o_f;VH4Yu^PJC$r0EbNCQE_yu%ZfJ
zV7p>kZZ+q%zH!YbV;R)MX$0Nh$sX_5C+U)XgX1HS&QJ&ocspZj8y&)3
zrpj|F^`DZgA9hhs6`2O2Tq&Q;&t4o>#^n4+xh1mZ|LWaxyo1nXsLJnh5(xP$MZ3fo
zM}DT)!m6bcFM`JBhr!h#;XaiBi}f!i!Q%2v`@<&Xan-tm_YH3cYWWb2IpX(V%fVEK
zu5jSc6yuY|`tX&=Mte>o9;Xf@8k!1GP5>49Mmh-SjO|7jt)KPtB;$;5o4i+VG`Ejb
znHu|;P4k@_W39d!)E{}x_b0BnLs~jS+tGO&PKQ8ebYm6p#KZV=6h%nFDQl|8N{v^%
zKvZ#r(*a*zsh=W7GXC9LXg=Wtao8*QN>gD5xf%^+i~0J9O>8q^meKY0R1b3#HsZ+Ku)NvqqSKIRS2xR*SbcLpq;@@(X<5@TW7AEuU|
zo^bG(7d!PSL((OWVAGdGS8b7>zA+U==RLL@^R*g~VPG+fcxdrhbzbb_II&2mpcpn}
zPUjN4PL^R-aT<$e{G&TH9L?R_`VwV>kD}}d+-)yKz{1Kk+FZr|@#J8BICrfe9yWQo
zT+etc$L^@o=ZUoCjxa9K(3RZ+Cb>>==3CdvF&!eXNZ8pQZKiKZS94Li?6lrz43jbt
zW2qQt#y4gZ;(+3>xzSsmp
zUkYlJt;wylxyCJFT}Xkn4bStS^yJ<0?pfDo2arPcLwzHR@EqtX!(-o(e#qDQ@HnR6
z&V87EJ`0{omX{Ra-Wlw!B$*BAJeQJnQrlTp97so(5R7ASAZ-jV2cDw@
z`i0<-p?TLe&w&(v7o+&g(*gVynu{+BwbM^Vai`BGd=3sRtai0){?Lf#fkc(`Q@jx5
z8qFC(y+3|B@m}Y&fdnFPP%k4#!g0LIGBu%ix#qcW3OuHB0g93(*H_Ndb;si7!e3#%8-S-GZ>%}Hx3%kh5k`gXmX=9AI7lr-7Rw%m^!8OuE(
zEM!`WFd5&pu!lbhL90nP<6yn}=rMt|s12Ruw;v9WRL~!fO6(b&_2#u9R`@99lW#Zc
z$7Mw2M5Nybqv!*$eYTNMI6BGwh7HU_G$roAylTLQI6QD@ET`&`9DY)U_|q2&V(AEx
zu?3y|;Yz?rhAN}@{8NeAwHiL{+|I7IWbCZKVjc7%;7x{#i-ZtJkSO#;KUrGsTZLYw
zlFI(A=(1n}{pvawS=x1Zd1Q
zu-@OEm6&{-6=~;I5^vkt$BHg?YL-quB5{aa>8@dgOEOc7lDJ|$ei~e8fn?i~p!H*g
zmcXcqhjYJ|!N$<;I8A17Psv!_`37YZs(z1}c(mxJtk-q8PjdJH9jk3Q@@7#YSht$g
zs6a43!ZZ#RP&rnR5@=Yj6S7&_i0KJ#39?`G?YU92ZjYq4f&7UKF2zs&l)f3Uo;Fl}
zI3us=@|xgyjOKn-+R4i|WSfr)0^G=|kEk~!QNXxoc`E%ajyolh=M!Shn@!3_5NZjr
zx`nZ+fwHZVR=z6I_^z+zsFalc>GS!h)RYg8%!VMT-eLI`gw*i*V|Yhm>?lD*U@&Id
zT_5rJ!L6iqMdKD#pOF}L-L6WBR&gi`$(aOK-{}xvCJZ1x#4$b4Nb&1n>dGtuS{6>g
zX&2ofCE_v1UI|J-8CXw1$NKp*{_4&3ytfsD3Sq1(ly5TMRStNl*N|5mt=&9=$}w~E
z-AxW=S6r)T9dMYE2OBqn=san1=^)#hKi^TtTU75bVMw8yjay(kos?b5f)eQX`OXm2
z-kuKp4iEQKjLoBLf?u_)Ekt;`l6PLGA4H-RAL_kP6Gqc#~aVuhR=
zQz+o!7|YY(ZjPxuI23UU9CQMSF#tMvwMUGCUdQ6#Vq>6MJ?89cm?+783^;Z%%2V#|-l80ewgRc9sGVfnH
zKQDbbfc&#}A&aTs?U?*4!VhZYqe%9p+kRc8{AQLVy#gtbPyC5cWR|sF77rhv`U+yP
zWu+P9V_n*y=hIl3^PM&GAYLhwcBG32mMOEOwJGy>S1G?d%;xt+n0TEEF^{Mxg2AEH
z=Ps4FnSF6wWK-7aSYo>rVDMx;Dixd-Cl$huLP=D1gL-PHd^AbTU$=*D
z=MLh&QE|^Pqt3>+%e48=>uEn{s2qI0Zj!gND|+kY*hlf>v=H|rUQZqii7=KN>Ynyu
z$7CcT+jdze5$(-!UeMrFY7!CGGux)Vt;;;l*6|`jCtqCysUlLb)_hf
zy}b+>G)nl7*0;olosXEE&^WaIqGEUL&05d)<+8`*d_8?rw(G1+qTr#B&cLIM(BbsL
zQBO<2;glbiJAekoDCdfuFYHu$A^cNe~-3j6jlO1;M
zAfUa;&kAf0ML^PfWa4W1vL)}EK6(ndI*Qph%PMC^4?)!}>e=>U-~}<$`Q1!)BNQ&4
z_iWtf%9Boc)7G>dOUA#bK2F@;Lpke2*y~447>t*^ahi^qlbp+GnaId!Q6?Hs)bYBa
zpLH_Sl4JR2UjB}oBVhyfzslAq+
zXmCK5H}#}-1ZCJ=R+ZOU>W4lERb08`Qy+qQV`SSk3-$8$cPu>-k-A7R?yr9zNN=J(
z`gWqBin_n)s!C}xMKft`TlTSl_^4jkd@rUinn1ztJBr8caz3nNW9j5qJW>HWgqkUe
zAP`db8gSu$-lTgcI^6zZl;nf1tGbV2kX%n{@E5vc?8u1n`O1^x_lm?<$P`+s0kIw^
z$QB)P5vs%%REC8lYe{z0BMce~818G`G;L{iH39m$$oYC3ee@K~!|I@AfINBB9Q&fi
zOVg=(OM#HAd_LF15PQ+)XPfZLesz53$O3?gLuFS8@zjL>f(XxZ-xd#Av;v45-|kVL0*|yL+{}
zaL%2BBg0q|SDlMH4!};-gCAd5`^DkL#~
zu+qTfn2zAIagr%mxrfPfWZ#FBGQ0k=kMJ2O2gjnk|Ii}}x;g+^C6;sYn9j69KcX6U
z8i>z~%Y&0W)t&H1a)qB>U_`f?xXN;(nrf_c$FJVrZ&ybRdaoi%M|IvYoOgoN^XaE}
z*LfqmCd!yeB-@6@$89TU3~6V+PKVr}k@FVJHB;>Nn`?@)Z7{d9pD6qZMh!1%tY1OD
z6>i?0NtTj%)$=v4Y{sT{z)|;HkEW&=Cu~R#6TqyaNmCkIL^?OOSy5`cWFbtw3)auQ
zziuq|{_|1uAjX=I>Ej+F>zJwO(>LCa?{7n&>^T~8ayN8NBP|ThEd9*=Hum+;9?iCU
ze!5-u7VztDFH1?)_=G91|J}AikTMxIBSazi+sZ^jWt(g<_^RWrT<8^9VVlt@5TyCl
znqdOHOruA11r!g&~4hy$Wr|0zyq*H`WD(>$0RtF+a(|PR!B`ICo?w#CUZJ
ztIC*=zkpvgJ-@H@s?N@3e}23?-+N#1CQvEav$kGy&#AC{rFo=s!h0ReuphHN`IB(f
zlg!!k;4b!Y&@E|41fJnxMo%lM-sca4^>&wC&`)@A-gn=uIJYWYm)9}FF}qza8
z`1z~b)v}p1X8IP28Nr3$njiD(uAyb_J7b@!On=Lt*mv#qJmH7Qg)M>R9O3>ah|v1K
zDvRr>%Uqkzdh*4}pkn)n2V#}3e?BEPmGd%a3vmmGWn6GAv8Is|%~PJb&dm5~Y5Uit
zG&@gPh!xEF*JPV)W2LB{;~K*%@~f7|nx9M1e>~-IDlK%7Cr<2U7Ed;h>&C~4O5W4E
z`&l(lpgT)BuI}vCtNCo4sGI=%rq5h1C4UD6%oY14VATr&VZXr<=*jFFxQn~n&2kYA
zLX$34cg=bGz+)9%k#N;n+JV2e7$+(GQt#gUJ>O$4=hA{%c?+dj>+f8>8PqptG49vP
zagTQAbmIH`iP410|KHthIqX>bk$?M}imG0yPEx!YiCu*RvMW_z{O+lk;z&_SBmbbl
z*S0SwGf=@)=Jdt2YU4Cweoiwy|L9oMI__-;GLg5z|_%~osb-Ef8C
z^C%ZIm+f=ECdsq?=;7^pIiHRf5Y?y$vzFC}f@XPGBi!_4&sK9f9`?KKrWXTV!9>aw
zBt~Sx160-9emX3NFR1eo^6fU&o4rSH-Zz5f@Bz+b3CWK&#r_d@{30mqw(TRYl&hmW
zSQdo>RH8_Bu)rS==@k&{=8Y;*gzDq@SU|dX)0ks#o9cOtuM{cxY3U>xwQ%L<=9`$V
zu~}~UDz$WQb4RK0k*sF{R36?!+Y01hPY-e-Iu^FRprpjLLoulwrU)3J1jWH#9su{@
zamZdm46#cNYEZyumbY>6m~b`x0{iR2T|bouhhos<@UVm7D@nZwOEx>jfSa^=tz0g{
z;$t<}AZ?lTVdLBDSo;sH5TF2S}D
z&{6xDA5x@hW!E<}yorZaA-MG#q4!WVGiS%}RuFmWOA#NO;#DiXgIYljYZ>SD_5dkt
z67ez)mZAr7zZDN)9c#WMgRImvv>NqFsaVJaE=&L`r%GLN$Mv`vmcfc@JTiaz&WFkj
zSw?mOwh3;FCSigqT;^NujbwvcsfbU;wo;hBC+oP@skLM-ky=NKXD1Z2&s6+=V<}%$
zSNb^9J)Ju$mT&_R)&mD0mv)LH+98bn!F|1toQ&UJaDfZ0xK!X(%a~6YfzX~2;vJV9
z!$UP|68hve5HV%PfJmefNcqDKcuD%6u_g!Q2vwsPrYKf_mNX(vzzIg016Keu4)cLV#5C#n`HO6yfi2gF$#^WNKQ*}@)xlM&@HSi9v(4eW
zp)GUP?d^KCm>a=$%+qJG5qT*R7UB+$`E4~y7(pU@R3a_p7ww*aG%5Bwk3CzI#*Ad0
zc}1fli{fmd8Q~#VRD)QKU9y%Ys+uB3Ovyu3VSRa(4mhJF-r{tkL2T_#T?uNR&1N{H
z@+O1ABQW6aNbT`uDs7O2rAUiX$RfH*S6aU%j3&cA8U&YT@eY2{*kq4%?c{%h!0kykpSJTeLXYd?9ef+o`_q$DPgV=RES0J|(
zVBvvpvh`Z4-IY#b;u{&L>3i4y@-e-&si@>vf!$0=6Mb(kph@&I=c*kY8YHuGuOPqT
zrp*m9TmH=07^mwW2LM&Y!=>|XY{s>DU-^{XZ%;=i7Km|G1-f-Ylzw2tJ#R&H2&xm8
z&lR@WS{q^hyj9s_&W(MsPQ%@9k?18P*(_7cq3}V65X$?yeW`O{pQ5Z`kVYC5g_yvl
zKwl%achaNIB2rmq7!>zhB^B_;V0y41%de2_&XOqSBt8^kVfq2Ydr^VgqCmEiYj@}*
zo5*_R%xxCjy%F`j*x*1q}OR%5H4IxSd`D~fE3AEe1gUAg&JcoOjs0dpp?TO
z@erB$cS3y^i>L4QLWA}Qk$$;NU_n=QK*8{Rn81eM_c7(~$5}uXD%hYJrAwP+!OX!*JvU$+H
zMi15zx#N4$?KCCuN7GkT@;=n|AUY4fT1Sk{1>^yUlFEVw)VVS^Y3sh8Q)m5NAZ+%!
z26j5#ZJ1sH%S8}x!H34M*xZH={Af6k?Y8=FtF*}Jo2%vAXp@UJ0BlzqoQg5x*Eyei
z+NgKvoijNIVI(^CJFeUF$N0E=ARb+IOHAIunDNjqCWpymYi{%0T*xcTnwU<`@d`r_
zGE`aWp}m$%++ylM&BlI(~hw{eyyE!qS1bHriFK`!RpI<2VJD*+A$;cQTSaTM2|j@bWn`m-?+2gJm+NZ-IXOp_j98C46o;C`tT{q
zXQaF`@69Zyg1&h%=8nI^8|T3BSyu!kRh$#%4r2?!9d>~F=`@KX4yH7nLrXRrUNNRELuPnr
ztRWBx?);`WxN@SA6qyo}jj%j-cerCyw1=xN2lbt?XFw!;@h0Z!D2RXs8k#*lpd&u{
zNd=jLZ^dm_zrgb6FnU|W@EM7-T>iKI9c?jEk-0uWsIVWXvy2l4TZ(*Zv*Xsou~m36GaRp(~jRccyYs+biPO9n00
zC3|~D2j)%ra+-_)<7704zO)j&{jhS!Rvq@}Lh8FRx7+=UXg>vL*SYq|
z?^U)@1n3fTWHw2PVU6&JlPk&X=Xm`L!hVw&J|*c)4>a5=Z8mpqxo|2<<^JQ9n2L1`
z2~KgiIORo$q_Wp>l%laQ%OQ_twdJg^7bN4FDdYV8QGFP9%2-h&QLFFUQ7gxmIV#_+
zTSw~Q>C71to?QzoNZr~pR*ykl*#co<4Wa|}nLcE7$oT_&3R#`I=|Z$ieBed0;1bCz
z#tw~3HlkYzz4hj0WI-{#h&!%}Q%2Zi?e3dU=T)6jC3ZmftDGReM&
zfjTAFNp7Y2#Eiai)hF_}f9D{I4u9Aaau(<@^sMU>WyrJ|M;|A?(WEC$3J=o1ZR8}Z
zz@h6cF8qb#x6^GOF^M9!xX0pz=&0I^@r70MNAN5*yr_qypbEWvHQE)qMyqIBF$Sik
z(0tXXWK?HzZ(84{xjD~j^LRk`i{oiIC-CyY!#&eA0lUQh&1@-NyTUUP7ej&0+Ddr@
zw1mQ6%yD3dhhB<%2|ezSd1y9#{7!K?Gs`i2K{OuBbF`f%|MRynB;ofM3=+wq>`}wg
zRVLm4_DzvmF>9|^PM8dn|N31RlCt6DN|L#l=l-}C;7QWPB(m7uJPDI}8utjDgMT@K
zbu24#C4EiiS^F$`+LLvf9dq+lQ{tSk2qwYJUZ^?{9{$yqK8Y
zoAaP6T#e0Gkzq~pxDwA}(m7GQq%pKsh4muPn6Q@=HLGFeSR^j*qw?be54>O!Y}qVh
ze(gl9JjC8Y$;n$kLvryNBNER&G7fX>|FE$`tpBM00ck)=J0=#=U3~0QFJ?iPyD5H4)Dbf
zPyO=2;Vb{M|8)id4S)h50RKiZeSmPqukqKbaA*BvdZvATVCQ%2KSL&r7b+)06m=1m
z3(D#DoX;$Fy_D|pV?sSY#UykIEs)$Ku?+|Hl9>mF#eP|qwG_|
ztut{vTnA}SeZ0fyg!=?+Lbr^FQ(3}G=VY<5P_$?1aT?7$etIHMbnf7b^fGS7tPd?D
z>Mevd>po2i9nmlNrxWKYK1UFkQ0_yXw~uD%g*CzMN5O#8p|YG;=Jw_=!>BT``4>`e
zN^sAV$@nfLw!?5n@tuvIP@K_t;$(OuKnkW43Mg6cEixB;4d^i^Vrdg6NbR
zV~9WezU+1dgobFQcea7Z${A{Wn(dA!r&q|rOm?RtLgQKFw;QE{CUcUbYnF6TUTj;f
z=PA>iJ3mS4cBCdt=ZoQHHr|q!_4;>ZpL1K?*!gIoq3#Or0kyqV9mB6QBOWB{j|SP0
zi4KE81&`A*Of$h4Uu;m}7RR_qlf%I}Z+h@h2fvhE%ZXF!A_k`DGcK+{
zx^;%pB9HKi$EC`)FF47L!TdCzLqbODxUq)s2qUc`(P7wEHkyX6H<4k{=*#;Z-9L;t
zk(6uFxz30z`Rd4DPx&+$okAnF!r%+db6vj1B*&s5Yz|0Tk2>lkgqcoMu@T#*tW2<-
zpc3CbT$-1Z9pr?sQ0Me7oXIooT;d3_nPOwgOpl`J98;!2G(Bjk2~aV469~%O9Cs__
zZo{=O|Iic2^e+*1jb2_IsSHpJDHV;#$mOK;Mz3Q-g+MS&5+!M>qJlPgH`8_^El3W(!;a}Gh42r};h53Qm
zx#o*xD_&_z)F?NKG3QOk&Z2Fs44pfm{;-mLg%MTJ;03KS!<}-p5F^9zd9(gUo_Hzl
zNSMK8F4-{CXr{&TOex3p`@xne-3oV9Bj0B@gUqWcH&$kiw8mlc{v}{5VWZ3(1QZRs
z&pZ4cLvHAgGI^Tco#1@Lzqc*N{TM4h$%k`BteqZ-bAh##DIK&e2bQcbj!+@V_ZL^h
z^VF|BooKOECpSS+m-VQSst(WeTseFOn&K`H)28A3R|EXp#z--d^ER_=b#!gzh6AdM
z`n?b*LR|4yG1RMLp=(z|xr?~Cu5FW`okWvxPE6T?-`T_hJDF}xrWW|G2so3@r~Pb<
z`+eQ6BJJs4drId(=Wuul4q7~(KqEZ$ZVHQnq}pVKku4Yr7+oymW~^J6KS44KXT!vo
zj~#x$&)#N>UzRk?MF{^UAE80}GX3w`*QAm3qsWr6iIbfrEp1}h~TZR;fy
z57QV+Hm|Z6Y&n_GMR8r{h~;GW%j+L&I%z?rPU@4#yyv=%o#VNaQWPRumKX*RWNrx&
zWQAn=RGBL{|?c-bO^3AI8wz2HK9jNCLp8(yOP#T|z
zo+a;~b=d&k;Sk6|i~Fds&QC`02^zW4YZ(O`MG4=7_lOc+2tQJbOg`^q3<$@l8NrJX
zUJJhifcISZp6HJMz;6KY8W$_u`J1^#11b@^AesD(X)W
zszm`om-csz`#GSkM5hWE@%w0t=w+Z)AsCzlO)Dcbj$Q&RwC)f#|G!C^Zyqc_`kUjb
z&A5N|_L{A~?V0yx1{jU^+h6#p&qfxE6i5w2qDev*|OV*NHlZKy?R(iC>b8YG08EA=iM1PzOo+x;8_4FGqKgT&f0?9L{
zXc4|1PsO#DZ`fmU=03zd=~fF}?vP!!XWHRD5H#uf<2hVoiJKh0W#0}S6;Ej%X<_$I
zRp!qVzlgsJxxUxG>
zEsE=<-H~dMms}J%YuMk+39@A#xC<}?0vm@Pli!&mr0-=Byzo_aysZTPZuU=oo>B+@
z=ho$7rI9)Jjxb`AsIMg&aIxYDls)XrTtdV
zn+~^oX`_{vZA4pOg1Gp?IFRCFMM#d`L5!p-8h>9|VJeza>
z)TbBX_C0Egg%0h=W9GTFwPzn)yfikZFz&Tv9z*(??M$ipG>UuJ=;7=YoQ-_2yqKU`
z?VWKAR>~rEw8z%XF$;t-%A;ch8ht#WajlZ#!ua363AcCi>W(w1X>e-zqt*Ld=jWMr
zTn|8v|hM#@$6aQuUq0lMRgOg8&r-?gBF<-1Q
za(IpuT5{IvO=EXg+w||PSVP;;$*8-$GokuWC>?GJjs@(LiSWPf{FCu`AE)YY8BL!a
zd`4Cv1Ht9AD;$sM2pe`>c(S7p3+j(Adfdf1RK@?v8Khw1$E3yn>*Tb1;>7zT&x{+=
zB)jc@_a%iA7s&S8s#F{|gTN6h?s!6gPpDLeWtkQvDmLex5{vP}CjsJw@hqbv?)5x0
zNJC2%s#1+Ss^e3mxCRUw(Puadzm&9$%k~FNQArsFN2sW(sUt70hQ?rdwpjGSJqvBJ
zjxNf!pT&mQVo0!kD?vg=K}AEyz{JAF!NtQTAS5CtAth6(ikyOyikgO&j-G*$>6n9s
zm5p7EQ+Dop4IG?Y8oB$uoE9Ff+O+G?sY|yW(b5cXBpQn+lBskio6Fza-rYYuK0Uv@
zzP%TUrE;ZOt2dg^WJ#OVyV&`1J=$`twXMCQv#YzOx37O-P_E-c?TMj?QkP+{0mPTU
zh*_T(-$Y{(Ume&UjPdDs!d1C4M=bYLXp*Z?k!L?vlQH!d%Xs6QVyRpKAp6R04c>d4
zeQx9{7=+qS^dBos7E
zI~smu9-Bvyc^WvhoZ%7hG-;_ZZUJ6Ce#lTz;xG72ghdWak_v9P-bTs(XNLLy=kQZkjQ$ji$4Td)Gi
zUmNlFq&0GD(yWC?t2XUAbn4>$BKNm9Rvh^EjU-W$WGPZ}T4~a&XI+pfOST-j@^IuU
zP^ic)x7~5q0gP1VPv1@4t(g}&12B#NfC&Xa0ssI20000;?52no{LO4J#AIg93r-0V
zM^TAf6GgpngeSghd1DsRm
zl8G+edX)PcK%lVvi2r#&p)pt--p1C>-oeqy*~Qh(oj@d!DO4Jr!DO*HTpnK_6p1BL
znOvb%sWn=i-e5GDEmor}##q_dIXJnvd3gEw1q6j4!Xlzjn3%YPq?B=KI0A`6V`Q+h
zI6Q$!B2%aUp^OX9mr5H8=x_WV5Ew|2CPS7Sc?uLMQKmu_fP)Amijs<&hL(<=fssi+
z@hn2DFX2(F{V^fF3FnKQ{LMBp@Miivd4$Lz?VY)J%o9M5!&w>68Blu<~slgQP6rMwjnLsh*pe0
zqz+y+SfXp*D5P??^0csU}xgB
zIt5?X3qF;#xTn#tFnGPe`SW&6N>h!nh}uHn|EB#yugG
zHa1r!BBa`_UJU?ZLK*jjRNB~FoiL$NX=8JJ01+mXdBWIS10W_;XPN*BW!y`&gnB~i
zOq&Vc!5HX5u$S{%C;-BQGVTefw6VD}gi8W|2ouV~-igb#VSO(n
z-d^O-J2=*w!g!!=gXveo@#iMp+r?U#dwqTdD^JF2t1>R`dF_(;m^HA~Vb6p1RK~>#
z^Xk$_zP`n7WdAQM!Q(x`at$9V0Nf$K8X+RYNN|r7&}Ack1k$p)S&j%r#js3)u*D90
z9Ne+5Mg=I(u3gT`EXv2Dfi|@)7mP`I>IdEGwFJGy`1&L^pqML0$qgiQ_bcbS7^s|=
zL)Yw_GeJJjIfLfB(VS~=E|1K!fW$e}Wk!n{?NHKHbJawD)YM){CF2hwok1TN7z}v%
zOmsRPHVc$}6^=IydMK|_xK5w{R}VM@p?{3&@xyD>@DZTcfGzj)U0|wWtOop~zV@MtAVl9t!sh#`nw<#qQx8Q(||I349pK4n6
zaiD$k_+EsZE@m(HX5?;;P&9BN$3k1ngi%jyd_@sOy4tdgj`=Gw4`n_?28Ak6p@5v4
z3)C;>Lj79xkffffBr^O+`32pjk6U^m&k>F?yO&HKJ%GGK4|r(At!7?8G0@sJtw6BNI#w
zNmjZgs}%!i5Re4n)M|aBsl%v3D9AD3)B>r%LbTFm!L@`<16$ZhSsCa;d9+mrUo%&V
z!FY(lQO|6XH00{5fN1W~L=UHFs!b0PxEK$5T9xJm!#T-wEIOGM;yZpZD&~waT+%W{
zn)VPu10Bee`!E`r@TE+Jc0Yy(XAd06F$qGKl^c@`-EPO5k)|RWh7o?1BzJ_O0XJe~
z=hy|Z>L1dU~A)h=omQ6s(KRDeSk;h+uK*=2UuXrxTmv4K$r?`Y;I|H08z9IRAegvakPqkC_i_CF{r|uJ{PzN6I*up0
zY4MCJ$-2lDV2-~h^FDZDINW3enO6na-y{M9fpL*{6p3akn`;9^xeh>t31wUgrH$RC
zv)uqDlyOf;rH#$?03uANC-j&!xa(On-MGSQLJAQklyOf;rH#$C03u8%OYh=0~
zTF_w7nHFIdZ&!L;>P95uwKj1(@Ggw*0_^^tyWGY)SSeQai;r(R&$Qn5_B?^^zbYnL47L8^KZg2UEa(9M
DnuPx&

literal 0
HcmV?d00001

diff --git a/docs/saml2/_static/css/fonts/Roboto-Slab-Regular.woff b/docs/saml2/_static/css/fonts/Roboto-Slab-Regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..f815f63f99da80ad2be69e4021023ec2981eaea0
GIT binary patch
literal 86288
zcmagF18^rn_bwdlW@B$`+qP}nw#|(;wzaWsCmY)~ezEO*zkUDjy>+W@-TJ2H)XY57
zXS!zQoYPNtpLUlQ69WMS0RaJ3LJ0jVLzJ^=wyjYx2sbQV`u6#@aFEd}C7ARyo_oPtEW^2+o~ARzQ{Ks^Wuf9D
zVY~#*4V{6yTr0pbkpC4#a~n@HAhrVna(4p)y5B3c1xIONYG?uiO1A(k!vYkxXSKRi
z3m^yrO8-xf04O9#BrrcMY+XEn7zOZg?jRtDc1eJfWUnMs}RH1W`cKc
zG6m`?05OnApu|9eM&)^|85@`w80;7ZfRI7Jht3O(jFk44LXZ$+DhHU58k5FV8dv^E
zh>nUDaH86GA@B^jfd(fA8R~$H0s-+@OG*H*1SlYee!Vr9O`V*qHQTN?+uAquF-`qD
zga?i7UH)3$eVeagvz-!O-VtRIn?WmB_vdN};k4wT;nno^VbT8d3T{)v
z+JsFD>ms^(OgV>fQP;+Xy_#xrfkNBZy>4Yxb8_LF^(G$DK4SVaGe-34t;;()
zIMQIfF`J$AagyuBAdI+k-{=)5_`|(-b$U>CuQ-_yrz79gHec-bxi9*a8&>6TM81g$
z6N5xT5+Wf5(u{FkM%7Vooa$7L=vL7XjKX^RhnY8
zTX|XvKUJ1%o(%K(74YH+RqWM%$POLfm^^G)WDR|!2JV-BlV6c9;O2_u`Ml<
zF+{rcn{s>7I8!opE7g2ks5L{RbsJhkd(IhiW@amtb8GrKa|w4FGfYQ?cWvpLH;A;?
z@37j&Fi+TVk9_jF`Vvq4iq`;y+FXPep0~I58s|#;7qsD*m@9`){byS8=OBKE4E`6C
zlDEhnhtQrEZu3`p0w=dWUmW}jaRPm<1PY}Bd955XUtBuK6heO>b+Bp=?0F!QKlyeO
zdfo)+1TioOk)S-0KwZBW)!+pZNCh#bGBDQ7*B>|5)L^H8*3sQ$dmqiaY`uPZVrlJq
z*-5`uDU6M>SVQ%4l&i{_5G3o)+iRa)Xvis#y=n?=zBy@MaEbKjF(?`Rx@syBgCyG$ph2
zCw*$G7*x6VO}4EtQ%aJV^%;Z6w$ZO-4=~eoj+XA>n!&sv7`i=a+dh6j*Hp}&UAtum{esr7o|W~tMwr;*F^#WMXsT>rq>hR8jBn2*aaL3e{U&RG
zn0ocKR;!`?c!+CrvTSwj0-3(!Ij9n%%nW}~Y^MlHKZdBXJ{T+Gg&j)5{S%Kfn~U2Y8N)$TrycL`LN}9d#a_5NlcgWmcq2|N|fW3
z-E+fmDXP_elM=cqM+-aAeSvoDGVn5C*mR+U-<=6mY6|OU_a8H{3|%*uK;t>ok%cMdKY@
zQdB!VaxK!t-DfULy!tln72qs)by9?W+InLIx9FaTYYU6WMo&^4I*2TIpY~F7{yd-jB_I-uJ
zfjJnpXzR>FPwZ&%Dcl|@;ev=U+iR1cdcZAP6fY9wC;i)Rf;S55^$YtkpJvIsmpzcq
z^tW{8$$~|Gk4VWD_^M9(L-YGMUwO@ZU5nr=UHXq8H|A{b+$p$XXZs)@yiIJlBm2G=
z1rC4cDedFEM3sB+iOD~i_H&c4rUj-S=db))Tm6fvAPcM2KQhKFon}t3L1n*OFbEsJ|!+Y(D!HP
zIa*;iaJ0IvDT#!)HEP-0@ux?RcXJ3*a}0WSabi(a8%=ijO6Gad&+bI>)!vF$>;Euy
z*hZ;*3VP6PosL^8#lD7Te_un~3f6
z<=Qyv^#$7~>Gws0gxT=}UiSHdZj=OFL$zMXb(Q_Gv0f7+UeLC07Z-N$huheOc^Y-V
z|8ZJTmc0yi3!$(kXhQr3!K4;vNQbGGXh^7dQaq@`teApqO1UL{4d0gqbGX5{6EL)z*ex6i2TtmUB?toj2avRbW^P
z3USugtTZ;GKC>!yh>@5&<=r}ZW;j17TaC(n^nIyvgC^2*aC-ix&mgOGzPDvU#@yaG
z`Od9EV-X9P_=u@5SbagvFCrVu-E(8%dE@zSa4K@{j=kZY9piBVz^F~DI`ItPre|P(
zLL4G9(ouG6cG?<(WtZraNZ-bIlJLcE{s^k8ntTlBv+WHoC0j^}+Q$b$jVwXPL|23o
z`gxCHwz@<|QlQHk13{xCoDrnxsd}henNeFVm6cE!%LlTo(Af&1
ziNk5^&)s_sw0h3BVRm7J)x@nwuW)J~|K(s%SQ7?f%*mpu1=Fc94ztsqIMKD#G1K~m
z+r{QCG2bd5z4ge~Zqnt3*;}T!6&ugCN@r4NmYWOvPh-*iY@3>#6Xj{8OA+%2x_au(
zB=2Cia2)^-zz0C+L}A<*o$Mchi>#d1ms{4b>4nA7D+uqHHl&eaBcvR&?~xIY$1iK<
z0A_0;&Am2Hs7A&-nopd~5uV5yqRbgRzyEoF`5wbO8sjhPc2tQ^onXE`#d)janZu+1
zSi22VxvYE$q>n8V$)5EALa$Cp=<~6kDF|`k00K@8_;_K{_|ErX_Qb^G5(@d``2!bD
z;i=onjDDR%&Y>3?1HwqnF{j~9sV}i%Ok+)|2V>FlA{%UK<#b2?@`7`muM955whAY9
z&!JfR;`#?}{hpkIXR*ha++ru%=@NvHr4#D6al@#^udDkum9Lw%nmM31s^-bRlO&a;V%NAk_+Am-8H?7tzLRiDPZ`pU8>!Z-tVcXcQpL$(
zI~j>u2~ahUA?LL=xH~D`a
zQgnmo-9`RWq6Ci9QMX(|k23Oq6ssFbyoJO#)^*9)mq;?_f2B0;Ioa*IUGB)C)sZX}
zPVE@;HC^_`nNd$(S3rSdj2MVD{5Iv8)~+m>N@kf!w>w}A&WkGIFd>mj8zCVJi!%Aq
z^DI+;EJ0335Vm!oC_w1j_B--q7zBbbm}tAU`Cu-r`<>9FFqAps=2V?I@T@fuJAINV
zXAd)H|GVDaPrZG(W~Dwiw>NEi*biTS2!^=6C^MvSkDL|_`RrNMKg^pW#*o68XWol}
z|Ib=_{!>fTkrkN(F3?gMG>4RV`kgy_r91yxclN1KtxVbZOPgVwl&-I@OJ+?_W{p|O
z7-BKsUrMOowuNY~_L6Pw^70ul^>-;SdU@l3MdoTp+UP6L?rE`kHILy
z8LK&FI)|fHI72SsG7-@S(*J(X@YUw5zl58)=R4tIy3i{#EVFpoZqy#t1M(qb?spX>
z*(%?Iu=$T%Sp+Yp#1I-&xJ+C@l(l$K^7ffzouQdyiHw<~eU2Qn`#N|4nY_P
zPLEsaY6g#VPQPbTdCi~MF6x1*vLu;Q%sQS$F|&#%B|0U%3LP5qa(Ts^A=xo$jq1(>
z@7CBK8iPSR69qg|iIs*u7b=SVeHuAvwZIMywcv7GUs+C`TEkL)PLo}fB0Pk`iRPBZU;f^Bqj>H;g*rjJpHxKiJ
zw*|p~AP6)1MYZQJwx0v7jJ`l+{q9!O)_(NCWZADV$`xt>jfNlvZOL5$ce(^{;sI*2}f=J)99Vg5Upl^EkVXoHZw+J
z(jd^r#5{9(O&wQms2-Ldjq}wjXzQ=)!}s%OT5%L$)O=9c4vPhoj`iUD+%m#$08}~U
znBHmj`kNKD_Hku;ggre6O!|z_i^p>>x{ph(R~550UZ3dNkvZ@r*Kv8WKRNkV%IS`f
z*qKp=8M$f+@mpgEMwQG_?Al!d{D=c#(g!AK01EGXw0ZjM+fVHU*3pUk1&(2j%~w9U
zOqrK7M|SSV-fdsUX$5quzpIL0#|?Evp@tus+c$aT=z)D+Son4dFE%w2O!sLzDeG@$ZxSe)E?MbFFOMH
zVR<0IlO!?M*U=;6{)Bg#$a(s5i_H1k$ob?yA8@}z{3>~KFRyS`q@Eik>0kIT8@xTh
zIaDgYa`N4fRt|JwdVjDrdGi?2+{ombFG=0kTb1_CX$FIC(m%#}@CNwZtJBv{F2xjW06KhWDP=cYnKv8qbt%x}$OK129kXccP}1ThiB#
zYWyw)b*q|$#d@)&G5q_olD-?fg{Qdgu&Ot9Bc204-6Q2HS?j!w2$%P&q2{jrGd|H=
z0(zxlJv@E)Lu(XX6F;9#%qm$o^OReh!+M_fhBy>``JZE-u=`X}X~RBf3X-f%EGvF7
zU6&8puVkpt#SihR9r>x2)aIGZn>p6}u2mH-Ay)=N%Mw%Z=MR|viCLsa45>;FKW{Qs
z2(n?f57};IriVDEr0E}EbOR$BbtM^5nq=qP5<4}wimxs<`m+6wq#NlMyY;uJtSoA)
zg4Pf$`75Wl_w=)sdy<}YGd@CA%`%w(p2Tou;@uB$7sZL=+Z&pd)0t2
zQ`;-jsc(^f7ztI`TrZLBzI23Fcsj4jxy_`Ia?gfT-_N8_-vJ;$hA5Ut{}&AuQ$HqS
z0dT~WU{>v$k2dg}<@S5t&nzYC9n9qh!kSSerjNOp4NfOIr%9JxR2n2dimiuFY5dMD
zQp&l~rYfOsA=LixdB`~!m{t~D8?x$9`H*_BK4?O<&dvA5VqP?7{LvG$AoOuLr#JS0
z@tMk&=;+SLj!t<@ZHgn}=DHx=b9Wrog`Eb@R~YLg|3vY-dt!ZP(l=uVVP0Mb3PFZIj+&BAxj{Z*ygC|M$BO$ppH@=#?C#S3h!g
z$9645F4QCqI^}nUuhaBob8F=LsaMKhv~)&bVO5@K#iNbzwdTcARLO5<;`or%D}F8egX1uX)est10g(>dc8A
z%cNZ=uPEEq?%wx4y)R3JyP@9=;E^B}?-YcohLv0;@r$<*e`_6XvKA+jZbQkYy&~$E
zljRiO{zulOlYTIYcmnBqZ1UGUcBOS$9;09Ue<}KG-y(S;4cA<_on!9oLe9Zx*59(M
zp_8@g9rr9rw~hGom^E(I#y#vn+^h)jZU%VfHE{i{e0g$d@
z-m2%P(l5HO0$4Zdj(-Cn+b)k{x5j@}Y=4;-16o#wX*jjtfYkey=i{g$AmoO=Z19z?
z;hi#Pms4+tRBxAc%b@FlUBka%gJe79YQ!Djee3%YNRyZeKzqrfN!70Uim!}YKX7Xk
zzHIbK-KhEu-+zvxe~#ew>F1-uwPtO4|Dz{gV9YNR^){z96X8<-&h{0?E&D3}Bo8fg
zHX~lW)SSWupj{gSu(d^Q4prp77AR_->iPklAJ^%a$S=H`aS=Y^7`&U*QO=2I{bHsV+-xU$K={T$
zO^g)qNnPqzGt*hBS_DBTMy4Y!sL4~C2zfFo;@X7GscxB2zbS+M1*^&NL@&2Vbq4a=n!W))U;OI`|m$@X=OvJnNX(iXj
z7qvgAkvnprpQ~Ig?`Gb{?O_gmGR@$}T2iU^m*=n{K&rf~DYkKDr_G2k8t2A_?Qprl
zIEuxcO$#scr#G;hFkP2k`*;)NZ%uZtpZ&l!+PU>VzUA*eWF6sJ!bt4r;1XIfHw+^PC$ZdT29+!F5Y5sR=g5%%t+W?k}XcXTXg-ll3XL~8ZX
z#fj4^0Kv>;2U7sxpT41>-}ls0(WkfG*E09gC5roPoqb`;KY3T`P8>@JYf3Yirwplaf8O3E{TSFG9c-weQP4Ot0K3*f-|$a#F={6Ca{g;l_(Ax
zat|P)E5--M7(k3jGxDBK>yy6|Jo9l{_sc*?=>A@&WBW4ZYm(=-{yvzcP_f`3cH{mU
z({g^?8J8sxeyegZ-zN6~VRwMGo=Iz;+>?Pnr-rp$taj`Vdql-o7!C2&VFy7UNb(E3cybrbKtwbL~@cYPd4p7=jOb)#p{*I0
z*(8bU2+Gw~_W0BG14C-sER7N7^c~t+8JuRG9NPeRIHJ~?ky`$L$?J-NUflnyv*zq(
zJ6eR`i#fe0v%_V#BWBjXfG0tlSVTzukmM73>$nSp>u2_yO^+u2nQ-kmTr!KGOmh?l9^+L
zGDMyv0g6WE+pQY$v!WpN{8z<`u;@Q6`qKlqat}>a3Uftu`;}WiviWat)HX>c3)3&V
z+x&`H^6@_S1HGz>-Sj8qJ?u^;SMctj|+cHz+*{Gk6
z8|0hbIqmM)bQ1S^@yA^Nq%MztasiZmpqv5a2&wCN2PmgVU8uc38$06w56OUsQ~+EY
z04@mtmkfwb0Yt|GqKg38)&tTv#S%Bgk~e0OH-{28hf+5w5;rN5H*zU^*+hff+7a$C
zs8>3aTb@dt(uE$WQa5yod%ARk9ZC`IRj5~7lv~kCotcFm?ENfMyMs8_=J3G`3STxpBe2|FohXdpxoWp84U`=OVqf~Rlhc(QA!w0c96V+cL1(`4Tshaos
z9$ge_^bt#uI$rT*=pj33%#N8a`|!+;siMc~#eSxz>U1AtMfxu%>TDlWT0Ktt_CRpj$to6_A{2!D0{&&mU?cN1>3%a~$cYa7@1tqNj;B!{~~jcW|5|r;5Z&>tb=H
zwng=)lx)YTv=SXivCv4fRswfvWWsL%}*6PMn((vCaepI#$JuC!mU>46Xd0*E3v
zpS4OL-&IwSi=ZhK-1#?y`r0#ny)iZt;z}vYNHEjq0S9h06opJ>0G2XWI?9jriqcMP
z-k(s&E)mhD}lLt%;5`4^}jI_#$2`@UD)3NfSq2i;dyqs3my}jG_N!#tPVM$s4
zhrxxt{X01DKDzj4W)lPsWD!shk;H|Y<)M{k+cz;~LBMz0r{!3lQ}Ud9=IPfUgrmFB
zlDn7vY18kJD~N>Hghs{#Hot;p*uCCz;>v|KcQeUftH=!E2Gt9U@?eM3A>V1h&?3#DqytU&H0cPb
zHJ~byr>&qgiEGu6D~-Wx6>n{jr_DwiLb7}5pjK&X#lary@jqRD1>u0lIRA=E1S=uw
zvz!7kC!ONF$wJ@%)hinA98TSL*tu5
zm0y~O^25yc4L6lu`)wXMeuR1kcY^{@H%grYQ{#0JFQ*!lz)YADM+9EX#CsK)22PZk
zxtc-i2oK(^!tIEbg@N@Owvwv>b(!uM`vsKkp%xaixeccI`d%3pvwZd;Gs-xWE?U1l
z|7iWip#0DLuNePD#R#iC|M$XMWo5q%Wk0Lr+}E3VkTJ{&q_Ro*yW4Ib1sG|?^wA5Q(^*`LwX7A~R%)L6Q+#}Q)c
zEbaOKpyQ@CHQDNM*L#ncc@$1T`9l)kWaWDoxp`(z;pxLSB}r=v{sASchNLx`A~tDO
z(=yNSA`2Q(V@fRPS?!xdC-=)CRqq6Hqsz&z`|b_#tLcyXKpp}7iJ<#D9ufSh{`+_y
zA!B+QcbZtq@ZMt-&tF4^_hmey1&ouU%${N}D2cO2w>Z%g$1t9OL+1BIogxJ+uTpw>
zby&W%HM76r^tVQ^mD;LQ?Z%z7D>jxi?XV>_#P->+T4r0LKl%LQZin9$Wj~X?=Dq;_
zrz2nSSyE22lGOkQsly_8mE{=^xoi(R!sy)_a9Ev=%KqN0DtOBZsz-N{0dBfO`X
zuFF9^-^+qJTtBR9km&0qyjw)xb3?ZoypjUEqG5-eF;8ItPx4*LGa$sb)-zUF!6N0;92Ppo^Xnv~8V>jmw@
zai(pbSnn*(+X8Z4$$frcd}o1HsX$FD>TUCztYIGh#e!Bi{>yLOzM?>6MW4v#J%>L@
zDp>b(1;61goIhDAEK(}$g#P_|iT^LE>4@FcgWur~AAv5uH}ouQhNE^-?WAf?D<7Wpn^raD;aS@y&Dw&d
z-60vZN_X~prSgm2WxW>Qt!+9Z8UK)wTHP;exKjVcGN(QQaO63qm7;%0O0DIWy3Jwx%m$oKTTQuKLEhf%Ru`Q+?f`8rM2dAeYL6XczcQ~
z?U~k6)Bgq<(gAG~nx=eropImwCWz=w!}*VxsSUpTC)Gbw?6)cmMc;_|%lR|XQX3|y
zHOt1V)I4deJ9AvOMj-6X5?ksA*H;g-&#&#=G*y=k)E9Xb7c0v(RU66=x69ja>A$SF
z)-s;zhoL)Oo#KMZs~g1Ir*bA7W2`C2Im-@MN_Ljeue+v86G
z7Qle2P>2X!FcMXkIGjHer3qu6zxAHJfAnYc{l)b(Kl#z?_)iyKyQO^q9|*;o;R*NL
z6WED&-+huxUgFZymb^$
zs_BEa&bU-$T1I4QM`U`a1PaLn8p;GJ%UdbEacocOtAj3|xY%1szH#&ytL=l1_c&vQ
zBq7g6kQqGUov6h*5bGjB;HVhZO#!O_inWby?MnN)L1l{}8?LuaF>O#wRii40rS%1Y
z9J+`84sVX>XGXr()JaJmgOpRn)a6ET7dnNm(`W2y#2qO9EfW46W$q29a@rUR1|)gX
z_j>E_zZ>7AmU-&N{sbRnoD^E%?5Fo)3^8Gq3yG?T3O9<2!%nE41PI9(F`<;SHrk?`u
zzsB;7AbvoEe))4IeCnAR>_`~RsTmk#T}_Yl_8JYggI2~sfou#SN_ebA#e$=5N}-BQ
zXQ!*L%aFhH{I5*j4&74Q^)YGNj!9{I+w&$jjx~@2a^t|>Z)KoRuh-ST4nQ3+c@e)g
zfj|a_hTEkDk^<*CS3>$*V}3v?Xh6$5Qt}o3nN!I=Rc1exE3hD|`V)2#o<`JFO2PJf
z)2ODEB1a-Y2_n@H;O`WNLnJ<$?i8X!%|70B8^=Q?U)D<1HdYZ)p;g{?TKZZheA?)=
zz>NR$_k{?{#Dx77D>jOJsDeY(RRUKNdu{H<1v*>Hd`{B^Z&S>D+41HC=T^e7!$xPFnsq3bM`@jMdB&m@
zZd9O?<&zbfRACk+;S|CaFNIi{~(VSf&n#
z2De$&J{K@PGl#hFvBI&porudyx0ri7WJJ4Yljhf96|mSiGt*>8hRpYCi_vEbdgpuL
z%Av>|9v6adL-c58Z8Z
zr{}_eERX3$`nWDHrm9ox`ued3D6y{9WfC1Es!Dc+X8B`4Cp~oqnf(w;JX7)
z6=B{X${#I7=mVafzsVZbfDxf)MokV~8cx@`-+=#()hCGYxz0tDzD6oD>LiAwt409<
zMxbv0{mZjf;EeCn49MjcXgyd&zb-uUQf+Zlr7iB+nB`BhbfXMRv-Cu1yF*Qbc+wO=
zeCkg%P2+4hHb7#ot=o!etS>yOLY#06$6>H?NF|S=;!1gh!w@IBj?-XM{)WRi?i0`T
z2+DK>#S10m?S&{T8k
z;h@4|#?YsGV!-t-0Xt-w&hFmX9p2P4#8cQ*y||yPt^#R9W`2<{bnPM|rs|L#r&vhK
z;q8JGvMs+mWPcTMU$!50|G@J)V5F4iCB6s;ogVcNT#~Nod<@0$gxZ^0|($
zmscrOx=ZJR)AxCpbmxD+k0hh*`N)$EqvQ2IVKz9%CmxbXd!3Gw_mV389`Ki;{p;?c
ze|+Oxy{-4R)gfy;#5PN_Gg9klLtJIq=xhb+k_ASAF5Ve}f_SnF%Xn18Mka|&9l;Qu
z0mObOm4t-kzmNq{%*8B4-V^?w3YcRmDfP+wh5#!07dtw#w1YI1pQSUzc&hOcoB$b8
zD%JEc)jX-h#kLAPI6Q|m}Mj@(88s@^bR!2EMnpf1qxK<69QFtYF&pnyma4eLRb51F>_9d{_X6bnE
zwI~pofsT64tGUD3{2?=aHc4wi2%|lakLFDRi3g7ZY~um|{$jvJE&5~Fa&NK&A-CJ-
z?dEK{C*V(9?eEgG*5JaV#;D4y&R_Wn^%3P6?V-gf%`w$E-GO=Wb>U^{Z6QU;P0>}^
zT|otj4UrX@9brcmL0$r546ywaK9}U|Bh7W`Ho&f#e1Q&(#Riy`vfI^D&F+LNMSdEx
z6lFmcG*wxC29{M>K@J3#Wj-cP+3Q?vBG#TxD0d>#lyRY`cIBXU7O6%)sdhq62>3#@u=A<;S`Noyne1ZM%*ZC<@L2a#kYH=e(*D!
zItiGMHGs;Gjrrlqq3ijEEt-|Y(+A}qh=nRVHdmt%w_?gkYoSCvSvcl0Jvb|!n%Bk1
z&wE=YX8wL|1dV_z&b)J{DcT^Q*|REdIQ9?nW8(Ip|7$Y@eu!h51u~pLKtQlTp;1GG
z`a|JJ`q$LseSBrerVd_xo%wGO@PWWiAtL|d5?QL^-Wy`DxOR%EN()BJ-&q>1%{g`4
zwY%c9=L%kZO{mJ;#(9UcUaSR*@b2bsYei`{*8}y17vy)CP;+N@ROm2=EVP&ynVAWyb}
zz33Ob)5<>;CEJ*NS;WEco_!UrB<{$6mjuANS^)8I)%gb!22kE%3*JbAN{ys=!1#
zex&!ta=^$0bYP>yC-qf9-eomjc=Q|Vu-$Kd^3nCRpi2rAz+7*lzUoS*O#4;RktM^Ll=SMe>BR?2F-
zQB?Dyl9tNq=ui2Yr*>4SZtY;{ny7YEneRB-zSWfm=G~X^RmZXKkLA|msz=*&;YLkZe9Bz1HJTsO
ztCj7o)2zc`;Mgy4*BTImfO>!c*t(7mLg5Q~$DRoJhzI1&giv(G!Xh)o9R8taYDbo$
z4=nuN4h=i5xgWePp630~`R=@Qe0;Ni3VXT*uXxq4`uf88avXG6hG@bm=h{}JKaFDg
z2EO#e?Iy`WA}^ZaRF}=AK`pV2WqDZZR~nV*38ggWn4G&Y4HLRw`44nUOcbnzHt;4)
zS1tjB`HJMZKd9EULqs9TRmKR;^c%X6n5I+Z$BkF4`B9<@}d
znb?}O`aD+MyW(={|2Pym3%(}eH@%6+h)cgQ->8VuqjZu@Osud7H#vYdqLcUG;CB{2
z$^pk&E8C>9oD{AY|D5#9<4*Tk-z_n-N#ZxXOT3DSEb`8lZ;F;@aivL=>7)Rbb-Mi9Q)qQPg4$Sy?akik=*m8E4Qs#(1ddTHEyg;4-
z@!Z0_Ge!S!>;p`CFZtZ}CQ@qHY^&5A95pPRTHG9eV|uk_O*{X+&T6wShyJ+rOlTX3
zQOvz_@c7Vim--dU|AXj&G8tmlCaHb)5c>OmFZ(E7(j)M@tfU3ZR7$lFRt9eOpIK~hyYt?K426v(r1$dD$ai0SZuxnOb-H8=iX$E~v)b~ha&P!ihyW>+F18M$e`
zUH3sOn7K*JW{60UpjvI-=<4(#$Ehm?hl?2}K!8&ABK*U)5nl6F)~haKP$YALv6u`;
z`snI;gBO3)=yn(_vns#s`nk;rBj)?AFOCt2idf3;#JjZtTZxurJX?(?-729z%v0LZ
z0G)6}mQGygsDX(d{xuOJJpM1-{H5i@P1q{
zb{neKC}H-YzkAb)5rtoO(qP;d4Y@9c$8?E_mfX|NHsRtvRRitP!7z*Bsn2*22inDn
zykCVN2oSNujcilogzH^}NeNJnhRR<>P6>33M%-S7$`Rr=ZWHSZpsR<$u1B7Wh6eH4
z()c547!(B*+o6<+08|DM9Rql6BLk>I;4l+OvG)XZ3gA<_xE;+DEsn_EBsQJaH&MU8
zM%Nkk?o!)o@oG-5pWqd=ViV};g+DvRG0APvW(eh@y6egtSg+hhAv9vdh3m}=y*8Za
z=BvarR6h{oPeahiYBDD!+c3bO9TXKISfQ*}YoX*G5M~DIVjTAa40F9i-u6cXahz3U
zmJYq=r9ndR-V6@P{J-*VA5v0CtmD^UyCn56I*}2
zT3qNGn&?)p3Yk;0uSHiYUZJ_g5Lk&7kfv2@>@dIWk0{pE
z7Az<^n8l+>9LygU22-$9Pu`f-b7g;F^-IB6o3hbe{K8dZikd2u+D$mLip`y;zV|_7
zcm0mvFm_my^so&1&^XzkV#t62CrO&av62NRkR64&YP+uCZ9l1vhW@eZjzD(af2K^fNm;P=nu@79IDP(O1r5LG%5F
z0P07T
z@|~<+M;aP3*X!7vbtNRwBs~eZQ5>tE&Icn`mKF!
zPyP&Y?gH(9w8}4%ttf+ib(;qqOB6@6Ih}T5LCA6}Ig;FD9S
z^Jst5QsX+2Em6zGLFg(@Qv{9gSW7`Bf@THbn5;}=g*>S_-PGk9dBN8Bt
zN{{T7?_JLyJe}CQ*>!ku;__)EXg#HJpSxkT3MQ<;bZNJlh4x&LxOFoOc3=El4?$lbFEvEd5HofMfP_ID2kYGa
zy;}xMvjQUji9eKy0xCcOL2dPob})^C(12AO1hl9imZ%6apclq8B#>JHXHUr6975&w
z1j>(BHUT|9U4B!+z@nw)bvrC
z;mSL`)FF^oQPg26>)Q9*-taQOUQL?dMm2C1&;B_*wW5*O6=tm_p=4m02K&$
zK${3Gb=NL!AL<9nNzC`>1F0U%1yi!6u1SK|d`6r}gNvQAdPlQg
ztgcnq_Bn6W{*r)jf?V4hUu{{ubuKBbg_ZC7w877$ZhKS3bdB&e-J-+~sI2eu(vM%)
z%J7RY>d76?MJ!e0SL1h2{R~^Wn>vo!-?5q*VC_UJWv-j6G5ODv9{(>HT
z;2wSC>X%11Q5~MeT73h3o%TOp`vm8c<@eb%2+KJ!Dqo8XZV-*gE4Tzk#R
zIsGcBIV`3=nT%gQ6KtB_Zx_*Mhf^ZtZ=t0I6TYrr!YZML@MuxirPR?zO{PDusT<5}
zYsM`L8?orQNl=+r2|ltZ75A5Vshz+D}nhdlTOTxr;FkwH_*BYiM3?q75fZ!wh3LYs$n5$N-S7_QBT
z37sf7lLcPY0*l>z+=S#8)pDelultxS~TjGn~2+xuunHL_|qt
zj5)r>pDWBWgvUTY`t7@I(m*>UK&8gGRk)AAg
zU8d3n#@bUZKH(vm2QWH_(W)udxC+(#bpWu+GVEXjX{oh^NaJS;juYx*JHS|DpNb2#
z#WrcCYL{ROySU1Nmd7fCms^!;ufuV_M@MEt(wg8r+WmA);SzHKr-O)oNS9$jZ&;kd
zgs-{#J-mW%0gQg_O7n)JxrS)L{PZ?FNU33LCC(DX=N3VY
zXb{Zfu$iXaP^#-V_qDS3F@*0(f_b>G6n?Y!pq$9Sm)(zV65>jJaaI7uDylFjk?(m
zSt|w9a)=E>?kq8cP
zxSjTN;r>*cGR(R@4_Z0tV5CChKUw$r(CKf}%m<32Qt_q8Y2GaHtpm45Y3=gnfgomeafPMHxlR;g)!EHtwlO06B>2vu9``1(h;8
zjuJDDIMep4Et$;}!b{otEOs{-m5mfeJikzXQxIbH@3f9VHXi_PZVirvQ1q-=mi4dT5
zVsIk%u5hM&inBvhT4781T>Y0gWw5ZdL6ay7sf~dOA88d4ohKWKt=I9qVZKalz>)Yy
z=rap-uaX}Byw^be~knmc*=Mc8FDPuC1)z4%M3_$I)xj90-aEhcHdx+v(x=e
z1E#JqnXhcMK8N|p6HD)(;yMAx`?{Njm(>~RRcm#)!Bs*x9R47AeRi(__L&Zx3?PV+
z%jQ>HZw_9!jC={|Zr93zT^EE=t--`A#}z0(0f!FXKf)gb=v3fewdu~nx3>9kLcp)0
z69kdlVMVsvb3#(BV&$}b;jf!W7!9t3}@EMjtgkwXnOxtF_->bq8
z1+fh^a0P;DrIHc{3tHFsOc22>6U%EQm?S_jMq1WHfpnP_*a57Eo5@5h5*kR@J=5io
z=&Ku!L5CgFhhps#CM-a@T!G`#DxZGuV1+EZLP?!~G(598GtWa>IeDnQ=Td@an2EYT
zlHbGOho8yJ_WA3^+3c@S8)<xOJnCtbHusV2*pvr8kapw!iFOLHVyR;OtwX%NL*jL+jo&_#x+g$7OS0U7&2`DCf%
zWa-3YDI2#qRqYO$+HGQS^B@pgfhuK8LKM?W0A+cg%}jNbV(>H?EgYN$d)pAW;F+AX
z5##9^>**Tf$=ClKzW+N>-q9L|>CKy4*Xoauw>Nny{$<~HZqOU~x;=iX8zJp`XfAXT
zrmUi>I>NuVhyPjcFJBM+-t`2f`Wx#ye$pwx)GH7Vht=qC--f}o*&ol=um?Y}G-(c-
z_2F5QIK<@0U7H95^K1L3+#{$aWzkY@8#L2
zCtx8?4p?_a=y5djY1?jd?S#klFsVI3n=hi+Oj%k-`%<-RHldhp6;T$?o1np3j5zp$
z-%YO+S3XN*zU^^()rYF0t~{gqHj&o7{`%d*{piB|U~Lx8Aol^8hX7L?uW4*=GMkYs
zzp1QhC1pA*>!GFezIq&0BGAnAl2eg)v~e=G!#1PCR^Qvl)EiaNom6gw+sY6MFohnX@C!vFVgcV2UG@4Hr!QL3d*h
z`mLFU7QE%X>$J=JB!Re+v{0xP%DekoqC`48Mw`Og(fYoDNh1@2c~6#-0p}xyscU&@
zV;a{2hhUeZAByKwMv4hZd>uo=LnRojmiz*~@I9
zA}ZB@BRj?93sSg4q@o;tULTbB8EdTGGea;%Rq~h%>%7fT)%-(NiT)&T%~X8Itcy*Y
zw)W1el7{~9cTTO&zuw`d|vT(_ek
zA}{Pj7r`l8uh~ug)iZJ;%HXWp^Br*O+U-(`x#Nc>^7|SLR%GjLLlKG7oXogHqn)8j
zq+W?``1*G7PW@Bn$OAv0jHIM
zQaOpp)C^Xq&qpWwpv%q5Zx+y;7PRj}?BP1maS=OL5O5K)_1WIG;o>5#>+@EuQHrrK
zf!m*>%E#GWD~pM!E)Q8ObE37D2nN_Ay
zAqWIzSLFYa2bfq_2#EJEf!=-{{6Yrl85QyhvsBdo8W+U~`{LxZB8_)y?5>tv*a>;m
zlkjOrgI?zZzcAR{Rlf_IKQW@Ra0_K|G_}7NiB0xddyX53qT^SMbx>y9A{s2W|VJ((Sq$E4m#-uPC
z>}Ui&nMY)1^KH1j^~F5-9ljQf^V4G0XUpna{AzdJg|D?wRMpH6A33f=6Ez#qjbWh8
zY9y}Nk2@Zpk|a3uugrcrP@Qrb@}78r@H!^*um7ywby-RnxHoGQGi
zfGCmfb%j$-CEiG^DDv)g$$ym4i~V$wcKMcx{pSn2NDI4sts^ftG5__hbZUOc_Y)8Z-PB-8L{m*v9;Zy)O_d+IamP33Eto;w}VEY6I24pyJJPpEv_cqW;4WeS5HdL%bxiEE%@xo)x?
z_U?V5b&jJVU8xHnpj>AX2Nn{!ZS-M}b0YCAmQfm}6E$c5WI*qzIlM%jUOUkQrY5z-
zMFNL1X093abc)-OQ74Gr&l_7FWT&M}j++QsRQq_n%#oMjM%dCxVzj1XG`wMv^K|O#
z^(Sw7D|_sHHP<<(IV0I4jUv|7|15h-)wemPxgwn-jZ)YDLGoC3r`E2GXxf`~cDjBG
z=h5m-wO$)hbubHE(4ajk0p5&g1|F9HT(98lL&#C>yGSEByD)+|*U%*h)Q}{Gi8dv8#06|XYxNC(pN9-i`pLg=A;_emF>&zXme9s=g)aQXO|XH?!1*M
zn#pX2)@DnbFY;^z??y$wfLr!tpE8wF&A(p4?PlWm*u-q50)z+F1*4}y2FGM|+l?La6t4mUxj|6V)I+wk1#TFjq1@5CpJVQpq
z4XnvGn5}1S^;%{U6b#AkWJJ?LOB~5&k|OxcvPb8JO!@CpBKR@K%wC!{G{_chL>d=8
zoSIN}UGm3mBXWLv``KJ`H7@2lHDT_!Y>yqvW&BK)n9`D+x))Dh)US*jxP}EEW6~`1
zaxcL;H6s;#YW;C~^{m|cHRK9&%!iE7R^%c*&Amj`7bxmL
z8lx@AwiR28ma+Y(834N7=tig2nE}Twla^j4DuHFA?(k=`?7}&7ix+fX2i_kvvc80~
zn^d*?7we_^@I|Hk49syyb)<{7B8|%)POX64zQ$M|DKMH3T`eqU`$M
zk3Vwc+*?at|BU|gh?j*>XVU&pID`u5|&t+XG+s4UZkQ`{aF-yBy=YoW<2+hQhgo
z=d{oBGwQ|tdrh3QqVQ8eyrpy9=_tqTwS3l;j?~7e@tREv*6%xL!zIR8hMu*-M=YZLf$#ibtlD4xB2dTy^My~TkbcjTsz;nz;Z_l1m%O5aA~WW{
z|LS%1{`SE3Y;Jj@y0zcTH*WNaGW}8ZSA#td{{j}V&6^`kq8s={DP`W0cSO@zXqKR0
zYowWr-qQ-4lZs8ZSys1M8eSRC>#9GuvUhhTuNin3#QBnE=j|WIaNC{Sao#M}yV8vi
zhB?0PZTPxAPj7#?Rez;7me^Hm+xg3gAJ*>~);I`mIUc_r}|2eBO4JvJ4Wor7p}6?1*fdPb{M@Mm5kz>#9_yKn}Fpuo!K
zk=gqW)`1_s!rM`-hz}g()%^IS_qYQ(GY{H|_ViRuM8)5qaY*F`KCgX|0laf4;Osr+
z
zZ2-<1Ybj>ry=wB%#OeUdiE+9`#Py2p!LG*2hZxR@)SJLuvvvK@WnguRj>04QT;@=p
ziSLxKh|ITPEFvHIo%1R_G|1-+uM^@{W&cq*)=vd13iD;jjTtAjBg;Dw-Q>TUYZlJSeBkv-?$@oFicPM?|XbM6TTo&Tmo@-5-m{6m`dN8NXC65~W^&+l3KA3kf_>ISBJ
zQ^O?*tey6*`J7W3*1Ff$&oqluCJKN*Zq=?)o^xw_e3GeQ_sz^poas!cN^tj2v09=|
zXZ7t~m#x5S39{8kdi%0VmHM#I3}{J^PxM{6{cW>KpdA&@VCfI-R#7Bbv@oPItMxlq
z{@joy!^e?qhm-@UG$7+BbisOnoYKtt(Cj`z5oEx?SFA#)60E#JJt0S3Aw92)xm9Ip
z6`bXI**Ls?hi40rqmIR9d1AryjSsI|9l+M+N@!W9xQk5ayCAD-epT)fh1@C=q}Nk@
zc2eTC;1O?7;aB%ViU2Jua1(PBAgMw>(p&LPXWcH#VtM
z#S?fSO?t1?*Me2W7{IDje0uE3dw<`^y-{bG
zEtqgz1*$_Hw@XR-U9Uo`!xBr;;uS?_A|@3^Cn3%iL`VGY@Cp)lp@%O%o8AesdS@i@
z|BxXz&qHIIfKUDxI6dH$36iqoZ6fl8?bfdgz(3yvK|@V=8XWCRVXX5v(u`ui#5fgP
zQXT88S~VgytH2OJc=S(SnmKc8p|1%h2RUKo^Q8g_7ZLW_4f6kQrrYUkuUpo7)fN^G@s6%AkFF3~
z);1%NPQYGAcQ7qg(0cDyN9r86U5=X3_1?9qA)bIoPXPEWN^Mdb0p1hq}PvRVJ`WrNT9LnNgLo1L^^gPc
z&tz9r`pqe(fX`a5{KHKsvB2p%mCwTqtUtwk@3Yn;zi<!uynUmOh%uzZuzs*IIoAd!~*@j|E-idiF^H!10(RRUH*^BuAubU6HI&`
z!%lgtn@|*i%2g_khkp-y6D5?sGRV*}~WHgQov^tBEmGgQlN;wu57s#L?1E)iRS)+URCh26*
z7KB=yL{vyitM$QmGO=aH^e$`qLe#qN_^n5l>V>fE@V@BV?+QkbW@omhl%%FgT{2}%
zn6#{wtZ~AohP_iILwNyn^_L6ZnEh!lFvK>TDxFy3$V}IaC|$}H0*a?rEu8D;C$xvD
zBUh0e$8ocM~0yC^rqLyv7$);#CN6=EPQ>tE3Gn9ESALKH4qaY@J*2!C^
z+Z|eYJ7UTCR`Tn$a*a$?yK5jhp?d3ugPj@876+M3E2*?P7C3{K7?f*`u9*k1lJN7?mR|zEiucQzB+%d^Lp>eDKfot?5YSpsP6;IzU
z`1U^4xHay;HTF@iYWc$zPrnbCrj}OcKENCJ)1
z*9OaC_ZeCHzm#ntq>Ye-9cqR^9*`F|NZL41in4%Ok7D^-=92}MUeH>xV#C$B)$T$4
z#GHNp{xWoi_hW0ZjLCMYltc`%53$02Yk9UE<6fEg;*=BirV}YPyVb4F+V
zQ$FhYUF(>E_Oo)ZJ>P->K}IL1IEqfWD_*+&gJXVWU=&3s8cRA|p*WbPNJTLhL<3YQ
z%#s2Ciwcy)UXWrT-iuR=kQ!D{i~w1vSOop1emPk>b`df5-@CAjDt>L#3D%n~85}CZu16hkYkz>gAtSg1)!AH?{FIR;Y5&E95SR;HtX%j&i5CJ`as2`3wBYxJ`D|8a^P7~{Zt27vCO^E
zq*N>?*^>ypQ{<(`lppMxU^%T};Vli{Nmw&U5*0|=p~8GL&PtcLfc{H`nB=biFO`>;
zxKJOKF?q^6$Y0%ltDvDj8hbIug#wj_ieo2>n#1RdwDc^2O2(zGP}_cDu#
z2eCT)A02IXf=716_?y7p78Ov3RAEyo1cSLZ5-@w5XP`hpW
zkN~N@eWb7O8t$mV?~!^kN|=vYCG*UJ<}zDJfaWqo3GKy=pzmF*5MwtR@hmBRcD3r|
zp*e{}Y|e%{E@*`@=>rl16*OPv2A))*>tYN4jy2a!NWc84
zlJKiV>O7lGKnf|N2I4<(FC%^%_FuR#bFA#Di9tkPocyP!miibQCZvelA8MrY4gow%
zP>qc;dyCF5_W1p@{chuKrf)vlm2Dcfdt8MsPS-CW?67E=U
zNCNJu*G-d}qtD}$vN!@0sDs+(E*#w9QQ483OFpYPPS-dE8Hnb7A)PzSG
z`nYhow#k;YH)5u98~aFcxHiawwKt-}2pnQW7##Yi0VnyT}`aYm?
z^^;O@ZTyEYir_3pgx{f00`<0!l$dLSJlJa^8tpJ4HW
z@@Pi(;2pNLY*tma#&cB~N&OORbWAZVwh+qqFjdLATJC1K>}lPpH<;+2bOU$khQ}O%
zfyQb`N>gNPUDR=3q{Hb3Zpj}PfAA)D#+qS3JkFL|oBvqX9-c>eVdcj0FCk7U}duVxrKF2n5pQ5H?<
zVXfYY)%#$S=>_cL{E{uOGj%I>*xJi}`&xG1NM*L|m-K%eUf>)fVHP=M@#BEbKOP%q
zY$NT=Wj*t@zj9Zd6ua!bDG*U}S39f0zsMUcwf8wJM&3<6xBSjvIU$8Cc8dBXEo|KX
zu8E54Oxl4mq{I8hgqgWvxmlScS>D)nOMcxu7IOGeATai0eW3l{ztjyGh$zu+I7FZOzRw`iU^
z8)|EUHBxJWH{Zf3Y=|mpu{(IGS$whvkxYF3KA6z;>l$RgY7y*x97n+qN!QZhaE`^sHS2rRxwoX8$x~ED!is9`G6RzM|w*8
z)+ey5Jo*OkkMQKVBKTo+{Tk}~Je@vOkTk4aAp`@UEf=a@1tI})MF~=y=F|Tdt~{R~
zbw@PS+vB`HTIwqLvG1}}T)$_B|-x-sf<&WEzjsgl4{VW77^s4==IMpn#w_@U5T
zl08+Bolu6|Tj_1p8zBPPK9D&e7lsgAO(QjnRO=m3bS!hmWpUj9)4ovHTRyV^EI)xI
z2aHsPwNFPc!!)j~NmDZD_9{t?0-RSG@~aN@f^OBBiD|ct{t3i3?)EEDj|L!B849V=
z^?_hDDoJSnGiaVqaQG!V)uBc?(q&*wj%)s%1ka{?b}SF)
zn0PS9yrZP))?Ahm#j+5isLhJywg+?DU(Os~kO^zbGE#DPi{>ZpU||v-5|$WdDa$y4
zLgkpp-u;EAzQ70H>4u|d#Nxt=X8LdM%ms9O
zeXC4cwcjj#etz<9eO_q_-R*wx*mlv@#z3)~BG6`sR~v2zPS{U5X#
zQ>RgQaETuCy60UI%!Nn4dD4vfHbGAYau;QeqTa&j<~>Y(E8g0%gDO6ACjy_%6LMfe
z=BaUvd5}$7hs7NL#p@c8){~P(x^y+0pY1tx@w4nR*JjII6E#k!z+(!L4`ZHR+Qap=ZcVwdwz%}1c_9q_$7P^Xkm42V0Dois
z@$OoSSq<6uD1sqf?*iT-b1K|Jp2j+BC)=ML_YUmMjL&-Bw&Kfi@*+tZDt`L~=g50>
zqN&@?-rEimx75{J_jwjemF4br{Ls!8$K6=ZSM140Rmi~jU4iV|;_Yzs%L2ri&f{sd
z8J`4QPc#09qlP;@w`*P`plRj+ok~(5O|^mvcF~Y9SfhaDKZL?68X+`DiYBB*bfVzE
zf+}<%cGiIKt+^hP5#<
zdwJ^BHkik4F_qxhkJGE}-8J6m`b#qZ!?A9pZ{U4jj48o!FuZYDCf7D!-#WJOmdKga
z21XGcJ8Nt*o`&Glk77~mEY2gEaZ*N!@p4h@&q$!nQ_1%dXkR`h%zzy(`okp!U~<@5
z`YeSn+7N%VipFQJAr@?$0{ML-)}0I1&Zou+3&#nil5i-Doxebmt+Nvo;&Y7nr0>W%8}DELf3oFJy?&$(8sDB^bbYu;tzTqB{GEp6;Pgsy?x8A)$S
zL>G+{F;+D$33z{$jW7H1^c2Ev)x0_k5uu6{!ox(!zdwJ3Rj1>7o(6&Do5WX5>Bxg6qP1D=O?
z5Q`wOr@v~=dG=90Y^v}a+zwe`B4hi~cVRSjUsdFvO{6SfN&#O15~%PPHcTG8Rxb=z
zFJ$h?uK_AmM{G|as^-EMpOF+R8tzeQRzp2DoJ$@#V7Sf(^USv$B(R)gnI0KzrL&$V
zB)R*ZDVkgp2FmR#+U{51+Xx1+fp3Q{v`lXaH5|Adf{~dzj}uqxl3lVI!?=fb*2-Ju
zzZ3(LezM-VxPKXo3c<&9rpmT9sd;(O12o2OP;(i6hLBxijD>dH@Nzw~92XDWi;FAb
zt{x9nNGfv(mB@uY$zMI*x;9*k}|Dle;U17F05JQ>yHprz+y$g`4
zJ=P6a4A<@0p$I23bYdjOW?pj^r!(jxlN}DhjBgQa;-?@kz7Gt+C(KA8!k$sx`nsbw;0r@5GAEb?ERqIEv1o8zDl!|3j!#2
z7Zn?}}V2arw_fV8U^8Qiq0dqd0Sf4>Szqba+I$ov!PF?HGH>@DBq
zJC6e8)n!+E`iFaln(L2I3X4(b!30>2yLGM~XFrM`#W#`p#x#+?WS^&O6+AGX;YN*C
zhi9X+=O@mDIo>hKx+<0&Yy8nG$SREe$SV?5;}3#P7DV&vS9feus#g9@i8>
zJV0CsN>>6vt8_yEnFWE!4`D^P9elzn-RMAOQ6TbE5s0+NQ1V=($dDa4=Eq+=yuHbA
z4l5bAYZ~^@?}b-I3V&wu25^Q9sQQAqn=9-w=Ew}FN=DR>4J^qMR#heyQR%f{JCgW0
zwOUm0RJSkP)mp-6Dn2ZDteNkUgz>WWXxyc29$hBLMne1(l%^Ski)<|RMO)aEj*Jz1
z_h?QXI~LOCi!aKiUN++d!R2v5gCsub!~Je)fh*UZH~b}o#P{Qs3W*DDR=-}OP0x$W
zD`TG^P^$AJMcjfR4~H$@fpQMC2F0P2pY
z*ALX~FRmct4J;j*RKo>>ryZEDet<~Z1nv7^+B15g_Eo)0rlHNQqM<3ysv@Jg&D)H<
znz%i#etqmX6E>EACx3K@>*^ie#NVSsyk3S>ZwYQv9m@ex0@(_)K7auVV>zn5EwAbA
z1>U>vzda&aOZ%|EYTu0L;UvrDV|Yw@#m~08YBSiNby()L0OWE7j+CUDPs++$XXk&z
z_=$X>DWlD5AB{*O$yGT_@-4TE1JkTx715p3&wth<9B!A5zs!U(6?Jd(sAM4(+*Ix0
zs(LgskjmMBNp*UT&V!a3t^5#?#FOOyDan#2GHmF9jFr)>XLG22@`tz+dkugPg-{G$
zglcTzN0Jdvq)w>D`yJXlT)42b$>yh^RRW0+$e_xsK!X(Xb{*LIY^9?Dm1PR;ZnNS`
zo-uB3T32CgkVLi?bZSLmt+|-b@HPWS;$2we>d1U=>PRY-k6fY=n!F_Kv!O>HG{qXSY_0jWH?)Z%gS*~#5zaP1^SG{%Q<7eBm>gIS)PH?_)YY2`Qy=%*aE*!*ky+8_vDCDyTS!}b
zAvB7o(viyLs7p@fU?DV>r*K1#=2D$azejU4cTdycyYa^mIfROtKAu&d{bKU=HkE0?SmbfGrgUH8}+
zo4j}2xEa`LJ6m+fJEpit(vJNI=j0~`&gHE?O@`08_o_k-}O<1YZJK0^|pE?G$bOUydF(nRDVbQ
z6K`&yPtE6X_;t8;K|_vtUxAP~@3`9mln;*O<4^&$hXkRWy|4lHzBgM4Zd`C6{t@d#0G!0yg0<~2)fPk}KYC{;EHnz*=#bPgL~G&nl_J$T
zNbmCs2N4*2fe%2~gPx!-!J_k$
z%N0!Y1Jgsu)(z`UP;UqR(Ex%M4tn)puZjH1NlFNO`7xVMfhTZue(zW5)sdz3lO9y*
zwuzQZ>RdpcJQC%}G`%3Fj{v+gk(gXx#sq2g95L7jQ7q&MkJ>77M-SCAGUp-6{>4pJA9UP1`HcLF5jAJjeT
zmUGT`_B-G2e_hXY=brn0=6#=;OlIb-*)x44GxTGQ%phKyinOqX~&+F6df%OR0Qe}2^-ZvjBp1n+J
zSmALWx`KL4y2Hw}#CLa){IF2+`Uu`>3%w_mY}dOL_MtPUzAKK8mgKYH9@GQ(xiUf-
zD*&$v+%UtBDpOW-0DZPGE~0#Jvu~5p474w;n|t<=#1&&)*Nre0hnJ-NuGd0SzAek}
zaeXk78;Y)4hhaXs4yM>jpRXI$oum2nkE5Jil=_Wo2SA53AcoOX!m)>@8be(k%=W`X
zTcLPw#U$~0-(D=~G3W3~f=MvX8v){8E@W=irsbE1Y5}rI9*pv-jBwv#&a=F?{XtPc4}SYkIJ;zm4u8*
z`hvAgZv4}Q6VUu_gLfc=+zVWY-xlssru%i_o}t0tE!^XUUgdXl7xH7prMpfV>
z^Iow)g%a-vOMbVA55*GxNv0Ti&P{sLW_7DmsXw#T
zcj+#4jQ4(yNG^JBQ}n)}@GVE-TQ{y13$DlXiDp*-X1o{Hst~-Rb}K^zp92J;6M;oh
zKx6ko9j;^Z_32JCRiX=GjC+irv8!VZ6k|34>oeiSd2`k}wYmhLq+pvoxb8{q=)+n~
z0#IVCja1NY0{vG(FSE6jZ(g&>38*d#xS=#cRbU;h*BGdm(Z;C>r_>Q`)6Fp99Vnx=
z)Q%J^>7W~(C$e!0slv*4kyq(_0*I>PTiouBE8$LkG?t*V
    msZ%O|+*Z+LS;;x4v
z-E=0=tRk)h`}Z=E>@HIEZmkeqK^UoplpHv>w4?Sb4=MCG!m~AUHBlz%rw=o=6@lRAWeo_@yy{|eK
z)|Go3-$Uan8P3&2gWLE4=G-dO6YsAdJ-hVoG0kWNfvig5Pd$p0?C&>!?C*P?|K!Ev
zhp8Wb6#N(@%=R909DiL(N?%HATWWcBA2N7$a3U@Eg#By*gZ8yd>nnvcWbe$NE4H^z
zAPwm!TYe+%$C|JiJzsYjiq(pDYqo{r48Vbqily?>{V5agjWGWym1tp&T$|>5W3Q$R
zuH>JKOsYr;Ys3d$+-yso88hg(@|9}3itG%}?|XjchE6m5a^P+Q=(s6YPfjJo<}k+?T-KzUBX
z8#t7;R$kz>QN(ui8Rc)Rd^oNyMd7{XgH6t&KO-dMrSP^MYR?jPF;(8Qy0A?13)>Vc
zFQA@KAGEJ1xKUk@RrAHl3$n0QQ(*WdEpnqsHr|iUP}++9+)m4`?juNdPs9z7X;9S-
z0-kX<00%(8%Hp*Rpm>9IoB_a6Yh(i8fKL3zTrWJoimq-WdKkinwNj|dh0pI&zIS5z
zKFjZN|2MS$cmt@%#H+V?5y*yHfUFx}23A*0zX_CU01knyKm5m3e$gtXXP7b3!CeC~
zqk7^dzc|J8ZNn3oyQd+)SQOKv&Xic7v;q9a#JQARHL}(UC0$LmnAQt@e(`o2`R0eA
za0kR1jF@R1jsv9J{vXg0gxiIYH&}-oRJDV2O|^K-i<8Cy3LC%^w-KKPYlwjm43y@e
z)n8M*GzHk-{0kW)G6Qf`JY|W8bie1nyBg^>lI1qCFT@IGwksB&0uEFID@)gGFX&LU
z^@mb=yJER1V4UyqIbO|3&K&;IOmibcKvQdSAVmN=fDJwv5aK8N+gp=SiFZv-UEaA2pfvcip<^wKX
z(iU@|hR|~XU@$|Gxuekwx@MOSQjE0&`@?~e<7?$wt0oM`!&|+X{
zAXtv$jB~;lwLR%CaXK=`I^-KrntO&LG~`bVk=S*Q5F82&?9WZcVUC@pgOK@(BApI)
z9j*Gc0-9_XvH95hI-nvl?6yprTGQ_dq{LH+xs8R(gZTzWvP(UsscN;3MQhJ1l1{
z3rWbuUsOGU82fnxX#}?01@z(?z|~vUXXQn_Ix+l5<3dYM#*#*FGDGHzPkt(s_PIyf
zDbb<{0Xozk9Uxcz+4ov@R=Y!6^I|STV{BJZnkF_2ZSeVS`PS#pZD7H%AvBMqL+n~*
z9#tP6xQ)*)x;dWi?qY)XG#29d&Nw%slo5jP$!>=_$k;w#ms5Y{^KK#OF6I?}syX>bla8PH02txEE3
zi9Mi_jh@7|teRVmZ};p9SZRqdDs=+-lAQS2S(Mk3m4Nv1@myUPQj_KPAG2tP`BO9~
zgq6j+_etGOeHqtILg9{#4ARn`1v_~kC5jsd3!4pgCdxebmRmdG-Cg}^9J6wFRO6@G
zMn8gsm6f-gPEbfpw60{`+-gl3pT6c{U0IzqW@i@YfcSwiY2MOgA=7eAluX^p8L2&@9Oy!|hG;yc1<&fa>N>{g
z`UYriFOGP7Rt10kJTx@)EwQd26B}F4SVo;>iL|Zj&$;rwJZE8sbs&THlY^jz^_0o*
z;}!$JpqxF}i*L_(ggL+lcureax^~i?0i+3_D5l0e-r0Eq=rypAUC07HTDT_UtqzFn
zEqz%x+Wj!%C=ICLs0$GHsNh04>m=(fI&bog!Ob({8j1~F>P7~Z1GBlN<$pB;*eGq%W3>WAkot0S-&RN3jP?xqnu
z++;0(4rj%~`*C6;Fk*b9ftOUzv{Yr7Q4AEkpc8wV^iwgLuC2j>`)2C?&_XKHg7
z)y+;eB+o@5Fd~vNFT>ayWYv%S$%W;Wo5NEgvgau?BC=m=vhp#2CmWMIMaO;2oMXqJa4r(1K>=3G@9)o*LzhZEruq$eiz)DWMo>zZ@
zRxB~_?f1{UPD2}PO~q}GAa%6R1tUIPy(AGnHA@YA?q&Nh!t9chi{FnZkxVmO^s-EQ
z?2Z{@c&_8Un3i%;k}d=XcKH`mE~VCwNKU1eBDjK(Oq-P`lT6pWjMsur)B_}1dY;8L
z`45LbXN2wxTuIAc!rpcxcM0_a6rAYzx~PzBpms(5;9}KC8%JIcq2A#~5o>$r(=8)@
zSk;o|vO^m5gQeGlK3|>?@AgrKR{jMpJ!`~
z66a~<4!afO#nVa7BYTB@mn-cTYFj}3ed^+0^2Q90>s%4hj!x0*)?dsjdfh6zR25NQ
z6fj$&L!+3r_iksEQ?FSwy@E=bNYAck6nPtaci+*dwe6{RYts|at*1^-rJjEe@1eSG
zKnN!{Yj(yP0=fJW0vctfzL}Db_D#3PIrXj5!9;FDKW10ayA#vk7Q9GQ-#vyc|4a;G
zz`(4zSud9b9)hO88UbE3$^OGl$=hJr`7{w&rgIsrld`#
zIC#?e75&(dF92fW?@kXK%?}5i*e@P|F)mKN+D5)t?1}V>4T^ydoxF~vK(|sLL_PD%
zPk%acA|G)r|LjKmxB>UQ!Ie+n{3P9!$m2OiMUW7V$ysA
zd>S(oGF*r}e|vQPR^4!n)1YOF4-=C$K`SiF0@puu*K6;hpWtca+mp7v;U?#{S5b~B
zs&p5f60)tf8J_`}xZ8xwJW6nQFN`u+=yZJeJbG;XnvqL?y3sDNE9zMR9`2czPuIyq
z$CQFtq5=TpGU|y*u?_q~gu21(@@iTNsFrK|!IM}i`;}f$oYh$O%f-e!dEDZMkIWXc
zTi3bPC7Zfex#2>IP6dbX>7EYlwMAm>EuYBVg;pA_Ncest8&Qa|Mp9dT&#e;ms`cHN
zeG}y9do-Z*P4-LU6nfa{#XIJ#FA5XYbS5)pbPbl)*wc&cKve`7MC)oL|fCx`DiWPG{5(ol`*GJ!;q50c->}?FwxK
z`j#_8umdB&zK0^ayhxPri8rF?+4-yo@YL9c6h_*$RSX$WK5?}^uU`{%{PjvPMCu;?
z;f6<)jQHc-?sP{@K2Cv2cFUcz4yL-`Cm(nA>&El6-0pkwaaJ)b!$3=TmT|!vOuUJv
zQUK3Ifb=-nK|>}ibmz{J_bjW&J#5G48#j$762SLNfKM@8R`Q7-a-UABF1q~2**5>u
z<$om)iUTFr3oAaWniu8vsL3bh#c(Mw0g}XlJf%hWMxdhh9~I@OfMl}7`No2cq}yFf
z*cG_LD%fT84me>uH_LPVdd;9b`*VYSGrl8#Q@>Esn2Q
z$9dy8O&p#_mQAUyZ+4%+RTdt|19jyqY#2-J@i7axD_h7GVtST#`g=5L-B1`fX$(eq
zA>>JX>znLzBjhS{Tp5FFKAYFq@cE_Ih;my_+WGsmEwy0-K!NA!fw7j*OkO@VDfx?L
zU9a%W9q`OO)um~`b09mGE(_AUuD^mZH<|aZl|eE$L65iV!0yh-;xz}nV@>AkC7^Sq
z9pl6ME$Jg1p*S*|V~{fsBD0zqbTsBn=*S(2X*v7sb9|J!=Yd>G;JD-FKVsAX=A!bE
zD#Xtb6~iydVhD^6=xAAQIc!P0$t=l8$(l`?73CwgN40zuvB69vM-s+JYfHp3SP<~U
zFqe@Nz?c1@7mwR5c*xfux~*^qnsDgxYuGrBM)OTLjQT-k=H6~&R^`FW&=KY1Okumpc*_lEx!w;P
zgOW&8#6EwjfO)5qpml+inAv%hD~)2kaXKN?4ZcA*#fO?S2kX1G1NaTxM*#Br$De|Y
z8vNujd=2n^1{r6By~vhpuUidj?v%+vY!sUAaDwLTb+CdS_SR(io-NflxcBzg`0pK=
zIY76Ms;6MJ2pjjlTC*)C{^=pF<%jOo=N6F?hRA+0cj=d71ziI(yR8OYvqA_E_g4K0
z2sZ2TiXwEqOXY3GszbKTE45_9O|?DzEE
z(sYrLIyPFm@p919B{oCCcPrY(vOiPec&N@l%W68nD(DVC(mG-(StM4gY$E|06bxTTv`
z`>1RwVf5}3<&3>{{l+u?vjv25)6T(-!N#49wPpMBHmxjJFO>Tn%y=mR(?a%kT}u8H
z2#Ub}Id;ILmJE0uUNNJR29|)qZ%e2P6v&xZ&zhDeBb83X>Sh`zo
zZk5brRy9<*xsPrQOwLRgA3N&oT-0ujX)uD2F#ne19rF!3VH~3tt#Yjt{G+2rFx*2q
z`})RQN>!!Wl$dD$p~KfIuKBN3+*oWCw;8AQIt`qBZ0!3NEu1s)!m1hY>n5vZ%MH|_
zo1fb}8E?|m37rffH^)}7w$*mQCfd#0U*~6HtqIg>IJ9V#_GPG9EGRj{Vl
z)iFY)dy}D&!bgSh{k@+?j~pU>ZrVoqTxTYjV$~BzKTZj^-9Dg5n~NXtC*TsUs2s*t
zW=&k4(-dTPEZ=JZ@p&uNKHzTmwbWy!32jR=+3?RS{X{qs7JI8gxNjx6L{rp|`#CoW
zK{cR6<`dCG#KSfKl{~Ic+ATf!x{iR9EpW%Rr1rMHu2Z?X(ZkJO00Qdj`b@S4s_Tm)
z-sg7kyG-Q})1==1#Qixtcy
zM#ZSGm`QO)5b8y3i8F)Uhtl4S>mVRXBLzDU^@LeeYI@Os!&%`ma!1`0x=-qr
zDW54FQ=qbJuF&RIIs&S!NVIY&AU5E`h}TQWEc+hR*$(Y1&>lD?wk4k0Y@DZQqDO#G
zO-=g))SYo3wd=x45kZ^rT&;cYKMrg&TL|fB#+!36EqI1{&6PxlS{2o_Lgt?I6zlLh-CyqV-Z=2eE8e}dv;e78|A
zozmoy{}gHr*GtE+JN^3kH3!#{ZJ^_W=s$dtF)Zl?_txL^(wd27c}n{e-NT(G
zuwm#SElG9p?A(D})EtxTBU)iO1Lj;Zjko0Scf=UOwy^KGOvgFd?FD7=%l@6Kd`KP$
zr7gpZ;J8e^`_AghSOBTq@$LbnB^29G+8~P&LaH95x47rv;W73UyFK=(j@^s8mVIrUHWOP@xG~U0r2mT0iHxt4-|-q>
zhxvW;1Lp#*x#U`MK_@DZ951M)s+MF7fjb?R?kH&AQd&z4Z3R0?Y&B<^7#)ZxZ665?
zw0>(ssAVRd!?ratl4Wimkcn!_W1BjEtCjgNyIGy^@xt;J8$S3XCv8VSt}Bl2$=iId
zecCh7g(&p8|IYD07iFi~6hB
zTD|gi_-;t62DX;t;wKeSe#yb?>bCK{zRwy#>o!~h*Wy)!tskida*h*ix1E)XNxveU
z=WbcXkV-%8=}F6m-^+-}Hv4j4CbSG)O>?=!v^+1F5ldJ51I;{(ew5K1xqd{iqZp`}
z--*p)o=gAB`@Knelni+)I|f_md&Q
zOZR(IKM-=B@j3RV#2w;vJElBydV2A;>vP*SqXNgan-klfP{vkZ8y!1uHjb+t(wi??
z%1nKAI3Hyw^1RVrSW!s_$9}wo)0P|q>VIwHa%aN2wAv!K%rAg6q^(81>{~aVve#@u
znZnL%<1u5Gb?EFVxaNGl6q9nuTzPIb>fd)7tAi0(m$658m11fSVb9TBB^QY`=gO7m
z$7L60CwzpEd^y`!KXo?1(wm8W%3!nSTXPU>4v$(-OYvAi~2U!H)ITCTwrFzixAdEAJ
zD#APUX_##FUInT5DXR%fMb$oY)t*ddoOct(OQriWzO@)OUP*YFsqllM%x|ud|MM%{ElU
zX)p*>#f2S&GR2vW({V;8%U8@#jW&$D|A|lY<`bN~CpgYom!EL`T#g~Ds=NF|2?Z`p
zAqdyXSa-GXn3c_fj2CSekXsei>KFBWSOAkqzmuD%8mrBqDtek!{KgAV0h%XChEDBU
z1V@fMi4?a|<#^&+Q9JL%*5<)w9{kiwgHs@pT#NG=SKgDndqoK$1oA)Rk%N)Bv1gvi
zp0^k^c}gS9Wji7bF>K1vjZFwSdqOY4;wPYfj4I#92)5ZSHSqAJZ#z?ZC}wU%Xff+`HUv|8$w+>GF7l
zh!2q&Cby65;qH%=%DMBNvbz}?L(7P*igc
z_(pS8NB7*;`0+k1II1v;K*RKnS1Ka}pp(Z1lwtxf3z?KSM^sGk_{iSsp!{?<`1AXp
z(@J)(7c^zk@w*dC$H91Zmt@2u_^8(rpEIwsixeqlc4?V
zm)1C%^$=iTP=qcpCka?c#bsR{@f2A2J|d#1ke!N3T~*)$KK5t@5U?cz)Fz%D7UsXP
z<|@tqWX<(1pWND7HgDa|oOJdT*nBa)+Y{ndvLSoPch&+rY&xD(tILJgdI&6j;##U=
zz|B>9bum%Ru&Bo*xzdLl&7&35JXY=e`D{|uEmnI+Rft;MjQg{;=^F&L4}&*#!xNGp
zZ{7M{Tme}51=`;SX8JLQ*7tpRuJ1l^4_;54+*zg-VapuB@}YTPJ4nzQ=7sUC1#N!7NOa!Mh>F3(i2X#5S}EOfm%
zK{+uS4!rWt2biEd;_h?@61t7J&PbnBOyY8Sg)xS8=OGGTrZY~IKpsKM7>RI{^b4SH
zWXYd@j-o7>(?Agwz+a*mFa9i~T}PB**;sra7@;}xtubP6*C5JB)Ia=b6Sl40I@|K=
zb4X-PuJ2lCqLo@I`|lx3XN1Y8$@*ED13-Ca0w@wd$~{t9>=noaJPlwf#tk$8_Ou)U
z9=2E(qZtAIw>_W{&w%6a{{jpEwrU;h{~#y>lE8*sp5NOi%1xJ{_Q>=Py_T|KQQd;WbEsZ?CWCnpd@Vds?rB1t&cc2
z>4LO+53TDAdB=(uzZ1cJVktTQ%Hd+K6W1zK#9wC+Q?!_(`#Y%BjVWII0$&oa>`yLV
z621p%9p0|b&Wis8_PnYXwR)YtLFCrPNp`2DWD}uuJc;{I~t{<|Jek;TR;=ktYj
z%;eNVF=lWEY0MV*B?-~2%Aj}QvU2gVRF1sItZEC0%WHi_pat@@p7%8VP7(G37r%gd
zz%!1KmumkE6rXi{e)%uq;J&qZe!kh?gV4_}dAyQicQ1NTS`t>8lq}6imIB-pT-9_q
z5?$|}z6BpYRAMHH0gUyI96Gx;=^OBC{S~b#T&H%O$pPtoc8#pJ4~Ja0*BI+6{$5iZ
z<6WzlHTb>b-w}iAl?vDYLoft^DAv3Z>kack$wljnYxOz?BE{<#t}`W|^byy}dixmr
zgG1s(=U4b#t*+MInUjVE)nn*IeoyQ~sIM}~=1%!Cq0Xm1{J~Ws
zkPzQ8{-d_BT`&?C67FE)KVBt-H}{hdo>^=^+JG@?oAcwvtpvLY_CM|;AyT<(G{vVK
zK)-UJQOUoekozMdg{Qax*xNM*4c|bZgUTT>5G(SlANFdX?*gET{|nlWz?|*k7KnJA
zvKNRTsHY>QcDPaWH3*XFaM&E*bhJ(_9<)P0Pm=T)?kD*QZ}<9*P9Mo{y*_2@05kyr
z`d|dCa>%XWtN7Pp{$=ccDRKbNqd-3!0JI7S(;evopd-@8no1aKGW@Uj8EW`FSmgKu
z)*F5FGWYVGoYSD
z99kerlb`<~nBlX(8d{_X!+yxDj@j)`3Qp}gdS-v=@zoI%_ApZy)QLM?jjNx8Z7kF7
zlfg4ew`=)V8*qhMwyck`cRW#>XBhfG@LVzS_!uLE%W;(hui$C}PQm;=HfiiXb19aQ|82IUbqy6pOLBe$mF5a5yz}sOM4C8Q_CI`FO{7}s!g;X#gV4nDr+LuKPYxOkP#Drg%gXSSO
z`_`C#5%%|q<^n*Uj)2t;p8%kSBLx@Ru#&Z8;OTpy5%A*o8+j3EDexQsfa+iP@d6=$
zk(y#`IyOftpkE$P8F*@PaTM4dE}aXHYXBKH=!?pWV!lZHTG-67Hv>T+#BLrklyp2T
zl17I?SLeYQfak=r*{TOj5s-&N1(d!|hd8Kw-R4#AR76M@uT&zSCaLa|k(WESWH#M(
z55(CT^$xhHe2a4&00+gCzH&pBl)jonP~b}Cg?raIiM`qoSmQuXX&RcQaZvOu0;2jY
zHFrfYLOORvJ;HBe`?V#^1!{vpqCrzJu;Vn9eFcs!Z>BTYyo~1lRMAOPn)0*hzrXM#C{0GSAFQ$OB$TbW&nc9R#yIwKeD*O#VNm)^7N33O`YnHh
zPJah9TLFKYEB4=Ezo{1U?vuxw`$m9$iJ}uy;E9#BAA=AyGYylFhDk|->GYFwoDXqSFYb_w$A=9E#l8|1)oaiE_?xz+b6_N{Q}>>-Y)!!M!d<+S+Gg)iGBlC
z-4l8Wk^7kZ{l?hs6M8nI+^-%EDtp9FA@@IGGr?uUX2y`<6ZqzLA~WFMc|djl$?hoS
ztz&zQz38V9)sG@vCn4cyO$->3t>dgy(%Efv(i?|g(_&!TO)jD(3!#ZVxnI@u$ftf<
zZ2mj!Y*6e$KKST=|08qW0<>VE@+m~&<97anOwoe7`koFO#)=J^_XY!ev#o~R$_9J|
zx__|Wv@Z;sfQHo?p_(!CXB~K*+cePLE)Nk4__sI5>Cm&?A8s5}`E{?hwG44VbUH+e
zkrq_2lKFIiPi2II=5GHtk(vsYKR>16lOExqzH7$?;XQqzBId;G`Rn$xj+!E*@E@H1
zmUtcm<4{DmL6t?XSD!Ds6NLH@&$fyW>M`d7d~`bsegn+Y4h$G(dH&8(yMweCX+kAa
zG9L;+l|?W&$e<&88lHHHaBj0N&b)6-PjHXlvsasa_8*HDi!&vS>51-@d-j^M{XGpj
zo+8}aSTUzjFTp)>&t7$wx2HkYv*z|T^?xR+_nb}jNaS7Q{nWD{;orl#y8rf0s^dq@
z>$73O9&d%kro6pbHBX14MutT9J^t9~Dt7&%MlG)GggqtB?Q)o`A}5v(aBaW80L{fr
zwOMpegPf;jg8Q#<-s!uEL2PqLubwF5g>r9mCmvgB9CLMKs!sDpcrUi2H=`pOI6jru
z+EBTd&P%^+tf(O>h)q7)f?sB9`soS3$|ol_Cav#)F!A64Ta(HYezgmcG=?y_Xf?Pc
zyyb|?>yd11;R+d*R89_pOB{p+tirD{#L6X}m!tj#2#{)rdc{68&m_scEgC%p2}IWS
z%wmCKTOYXfOPmp0A|QLjn%ld2U%i>?Sd3lPA)Knk(IXh>t25FG*z^LN1p%XrCy9Y>
znK?|VA4E7O(<$wAhhlC|lF2e?ePE4ndo;wSR?-$B1k#qLwDDcY4%ke5(KtT^pQ5tF
zWdRncwJgmJk~YiM@;P__w}*R@}SqheJ@t;oRIh2
zmD+!LGFI<^mD;yd*2rdPO!uJbFDdlHiVg3nZX{$h2VC_ZQE#4q?Die~eP%a)%l8Y#
zhAm)DDR
z&3pRBo_uAJG{2YMo|=C)`Ike&?%2C_mJZa8(A9_|G%cssqVzHeO9z5Ammd_nyz8K=
z5v9@1aEcVPck1LFsJ+-mP+LyVN9p}R9BCVWRU;7KUPfj@`$wN#X2N9InwIKuk|{Gh
zA4Z7~!qTDO(Uk`_FW(8#*F2!neMeaOOYji?)hT%>eWU;Uw$Y|lu)Wo5tZkY3-jLaK
z2j}Z#uu?CD1&f)Q#Av6mjxL6|ikTY3Xea-Hnv0q0bn^Drn$y+rAd<|dE28w0oO24L>bd5AWGc@_ds3cn0uty@kEqPrh`*7k;y+~*iqas#!B=`5`-$g{Ei$?
zRJJxXYf?v;xqzuo)W4;l`$%ZU`sgssZkyEi8)Sd6C;Omx^>0x@jMoyZ8O5OO&(s#%
zcy>G*a9ru0(S+DwvfLK+?ke~Y>>%jO!P-UVY2tYEN^IG7H_|9YkKC~RmEZ(8^3c$%
zI+<>hMv>aG%#zmX8X<42j~L1sJJeeWJJfr$TP(_rPoc^CY?UpJ&V=3B0LiiRv2wsB
zo(9Lr{ZZCxnB=hP%lzCGMfstsm>fYSSxfPVftQp9>$k=Kk&yabLgwo2`q5waz$VyS
z>|uICZIOO8%rk*?NdO_=D-|#pjfu{L-+4*-Vk9p6Fdii<^KlCKWOhP%XZhZONar@O
z^iNthXnB5#X*eySKV$GYtLt=&g(w)WmO`Y~Su^aspXLBizP7C9^UCFn#d?-TU
z-8))T@;FnP*e@PF8KExeTfeV`11qc**OzhY-OgsVG2i2cp90Z=zQvH}D~>lIfq^?0
z^=|kb)DNKu{4d?uPCv%94vFG+&5JU|X3t&C2rI%4h`e?Ls=qhh;H9<$S>wvMA+3RS
z$q27>BFRVS>oZFmUW__p06Mhx*W%R73s2whDLy5craK3oiqsOiBfh<`NK)JCp+&Qr
zw|6MBNUEd#`rNGALxO9`K(o@_3YJg(irSEh?67u7-#AP#CK?5
zu+}iS+HjJwJw0wFL~_O_wJfopvE42X3wMPODELw(opSLU0<_nP%RXzF6oFgSjDnT0
zmc8gA-Mj3QGCx%UE$=;aLaogdMKx!}`_0L31Fzg$!AoP?K
z#%&UsdE`*=jg}rc6r-osII2g^H$V7GY{D|oQ`YNlll7U^_63>gWmFP&?Me*gBf@P<>BSLmw2G-7&^rx2e)7edif3!^tdKO=1MK1iTHUG)@y=z!;
z@W+kRAgTB=OY$Sd)~qMvg4ewNxtJ2f6kldW?xxrp^JM%^rm$iG@vv3f%Spb>YK7v>
zPu2||CizO;6pCj)S=GFpbjc=<+)R5j5F2l&!?tUH-}@ajhr7f
z43pV$pXCfgRzC2HZ$>J8N7HkL^H)A_iZh|b?IM(Z-TJ50``xhN$_E;8CMoy%Or_b?
zg>L||B4*!j$ITjVrl{FzAK%{MCC!Pu(mLMG`bI>S#NA7Ad`WwPS}gSm-)AE#!-@fg
zQ9JC;uj`
zcMyxiruXcTD`J^lTHfLKhvivc#gcNc?8LI_QFRaESar0)uiS6GjgRW4VJm+G#Zx22(R@oFv4@hqe
zP7f??bPF7dLNB@$?|s7MpZTO9vy?~J3GEC$N%3MV2xYo3?+JHy}a9Ymufc=FBTCnXrk^4Tp1McF1OnlA3
zwJ%UZw
z>gext)f=}Vi`GPSE@Hcmvt*{GGO;6jL(d##ZZrpa;FFp`YEB+&TQotQK!oG%2_@Ja
z$dcHhwA38XAlU)v+J|esWsKZAy5n6jzVZ7euU&IMt
zWa4}nxU6e=sk9g(<&%rOw|^9cwiwhhd>ig=^15c9$S>A%m+}0S%)DpgtAE;KP5wfT
zP&0>$Gux8ht~_1d&6xt?%HZ!+kwuguC!|?)%{D87tTZlOkBh>6tsa
zT1SW)(oD1jH>^Vp`pb&x+=SYW1Z+7d+w36k2S@}crJ
zaquBNn_EX>AGg?+YsR3!U0=q4hfcJ9ubAiMkpeO8s-pB=bJ~ogT@i(5vY*RYPSr(~
z9x-v`#89Yqg%=_oeRg756D4!a2s^E-#6RT;kdAyi$g=Xkp^$Lc#75-ortcp{WJH}L
z4PZN$V&T^$!(nhvNvZQf%Egt+|G}V_GNRt{%h&GZ;&2Z|{HXRgmzeH(Il(5#l4+&g
zMmw6X5!(SUM=Z)N2YW;k!#`BsMaB1)6n#4<=zf9#WehNVXyw$=>?JM3&c$R7IkFHN
z>&qHJxjmK|CsAD4s*8d^AGyTA!aX{GG*O
zLqv8Sr(aS&QYURsz?OoVw*m54f*WkM=vvYkl88s=DZsi+E7sL5CU?Vpf$>*9AmAJm
zw;z>ZxgdEV9s8qq(_+j95WbQ!yH44!Cpii1O_z5S`0B|*(aBx1x(lBEn@(|t50z6aXYcOE+}##mGU#et
zPjP432bs;f_BF(Kj@{X&Ut)Sbd;d4+H0Z01q;nTQ@L5cEL^Y&1(FkstUWj6y{Q~we
zPA*aDX48y_C0dcLzbUyVILXst;rpCCJNpIgvz+#$(k=g9=7?D9z3fBU2h4=tbT!FN
z--F0t?f2PBB4X}t-Twa({tGAZUmSsboKs|!-t%b|1T|evcdcwE?_I1!7^P=CeHlSb
zThm;N)5&|s{`G%V>W$K~n7)fhqO0kvHSgpVv`=;Vw-S@_^rcSUP$!tlv^(uF(?6&?
zE5iQy^!-kz{}HJE?yCGgfPE^V`)oFftx2|J@fNe58<_X8BD-GCQ1n-@b7}}fwQHMO
zaj5yq9Cw*F=I>MAcn<$B!WesfZFj3IHD85eTyP|h{&P4BA&m}JLVxAQm5wrm$Iybv
zvkMW2ddm`C#nYG+JXW!z`z;hx_$}%ie}Z?<>OD%r8)!Wck0{(<%#%EueiuG<&uPji
z4GHt|Fz-->t8{2&%%fJ71`kk`I}Uc!gP&xRwk%g~CEZASffy6ELR9e>7_Ub27(8E{
zf5bpqad1=NFQNS4mq!dV95dwhzjPI|qs6D2$7SCqd{lb{xU83aQMm96Xgs$ID{MAPITTKt&m#G*854RCh
zx8f3-1O}J2JQz2=Wm|S#*!I)XI&aV+b*mSlNmFpy>;r9ZztQj#Scia{H#jk=^{IkM
zUS8QJHEk=-k`I)cx&++C%!Hvp<}L~(Q&#J+_MDjqZcGyOqn3c%+ShRibBym(@`MH8
zsFvL%_?secSPqUV%Hi`yAa(m&9Dx`2iFB|3&**L%&L3?O^L`?d`q5CpZQbj#ggGzn
zQ+~<*!_A2QuINXY0}EKGxp~SP_Sf_rL)bs-aQ{H>I-2?s6ldtqv|X3bv=pa&G(g+t
zeo58MQQhk{ykS+;7jkz1ZN<$Hp0Hd0_w*g6)dKe7ew3?ca^f%MY_=cBg>|nnlm
zw#spv|8Vp-
zsbE~D|}u|Y&`$TXkh
z9PyX=zeW>&Ey}&jAMfn1;JDIX=8WT>M*+^yWj`e8{Q$-j37zPM27T;KZUuE4!i(dY
z+FmZ$C>=X_y&8Vl>K197C;M|aBivbfIc!j;K}1f8K)xjCP2w-mkEM%jk#C=q5h+gV
zN*j~C)V|6@-Lg*ILVqDP+LKZ81mwt;`NZq>8r9&dQQz-jd8~7lGxDZ6*?XRV1lgY}
zzKSbl_~JYPpTZAcZBTUlaN_@6$&NVrXA$mN!sP@5p0?~<)-0O|2v72J6~I%
zBZ5;?vD_59fM-dHX~#d2oQSzWCLKa0wINhvW%Kl!`fY!V;G6;WMyfgDN{Q&dfd75e
z|0;JJO`bB-*HnZh+QuE1xv90wnEH;g+-{?Ea(!%uVLKL*7z(+67aYimjdGeyM`
zuC4{3tM{h91(%#V^#@XV>0HFViYMY`kbxAi;L>{3S9&E%
z$Fz^!EQz+VJ%z1v!?MrsAE5R=PGCPO)v{00EQwBVFvYX8PtYRkt7O=@Vcuu>RS=9y
zHR&TVv!E4hOQGxRyJHa|@HZukdChghP98yvRDs?o9gDuZ*n%tjQq2D>eT(Ib7dAXh
zPw6POXw(&`|M{|^VQWh9#qk_QO)yNiH;V|)L0>HL2ZJk@-t5Y=oTd$z%d?8#)bB|!
z!$>@5QwKfo=};7NQ*ifdEb!e>)UoK1R6n|Fp32#)s5858T;k1P58pEHnGMJO-L9g}
zV1ju*kDxifx<$&}wgkHTzB}e2oPvs}COt$K(*826!=lIV!X=e6+qj40s~2|jd#}NS
zCW;yTi-ML??+zw-=JyGjXL0T;rds|@2^;iX^`zhBHPM^Ur1&fR?GpZUfPZn!UnG>W
z{cG%5GR)uj9xj5a==*xgzMRmnasJ;+fBS&{vE#Q>`sYwF1A1>Uo!d7|Z=G*rw&4B%
z89tL9HpRLKPA!2&u6+HDgyIxuDs_-)54n0$N<|judg@<7GN*TH#c$B}-DQAbu$y4;
zOypEh)G_V()Xv-MU(Ab_;{1vePuQyWo_c=j-Tnltd__U?G|pkgREwU!E!pQYdJOXR
zq7^3w6TSjP4G)b-oq1h%f^0qyq<}XPDbbog-VN1sFe^?whvexNO=uNE%=G3ZO
z06v?n2xqJ0nP`7Av5Ud+48sn0PqK?jHSN1+mQPn{6%Rt~^Y)t=h&3l+-zd@|(_b!H
zS8rJKUaHpbPinH&G3`xyW^ZNKpJY|7SZSWdJ8YY3(R)uXf8y>J$>CGt6|dSc7~l@zOJx3
zZ+cNuzecYG&|Gk&BGr0AvC8(J$md3)Q}pk2)9B+G$~uG%zpLdNo(~SE?gd#gnV6slv-$m_((~
zO8_*-8L0@c*12C*^7fnj$6e@7L{57&hx87TGIL~z;#38mRp-MxKv4Nnk5F4d$YWuH
ze50D8VPs{LMI*0`pvVib0zM(x&5of~IlR&I$p^C3979sXaZX2{O=@3(UcgQs(Ri0w
z#7ZC0ip-Ntn5lckmPd)?B{zu+&L)neUO80iP}n-O812>`)%PHsEw~~|Yu`-FlXzIY
z{k%!^84-C?yD{y9!#abEN5N5%BCAayVU@(mVY?v;6Na5f^t(+aA3U1xXz~b6--HM&
zQ8q=nUxviR-4lGX0*MO?rgMlix;snND>z8zA~=Xs8hT<0OFid+#Sb(xTGFu$ROz$u
zmFsiGR78=7V%iuzX`M>C7_D5LBwQ9uV%EI+;wGim9eS*n3IoLU-Y>tvbNPUfNy+`e
zh4PM1C<6f^q_y^)HPL@1kyaU36F=^W{{8{u5Y<=R`M_T7ODdvhU@|6Tgd
z0Mpqp!y+}iIXe8U%$u7bAKV*)hwX2NFhsyZOl#lKek)tQ_7;tOcQAu9Jmin`b`S#r
zJcJSJp!7meiTzdlwL=d}y_@KP>c^*8O~&zjQvW1fySL)^qi~tVUY=Jr*XDFD*Czb{V%t%kHK%T_y6VV#NnhcIG4j7hzefGt0sLFq
z;K=(&J7@Myp1?%?7Tb4W{!O~$P@hB#VhgbehwGZw{+@OO+c?2>^=qkVK>rUYTae8)
zxbB16r0bynoHEu@K=rXie^q1Hqqr(}`&2IYCKAbZO>xrxJW_^k6nK$m30Yc9}d2zo-5B
zj~79`^gKnrI&SIw@P^Q$>wn*sFw2$D|;&*3DLaNzB+O<+(h
zeHUkjfx9)W%9YPX9?(9Kb}fj%j#v-PHy#!TgdhY#@#+)su5-F~P2L8W?CIa&l1uPm
zaOpKg9r5y^=)XOyN^^$cJHzx`cX;eF1Z!Ew{r%H6~Tl8nBG;uzXp$Wb<
zOjb={Yj?&FO#ic?-qRt7Q*_Zg>J7~Tx736w8q4H*TmLo3cw!`D(S011;4?_j>kaj;
z_#o^_$5cMkpP}^ivLVKz3(lz|34sDbU5bN~#NOEF3}}vedMBP4ci*uz#6Ud$9-HZhIYyV|~vKx8x{AJt2xNv#$4m1k16hXc$-H|MwgQPqMcWSL~kMJxB7dElvJC}#rF6+$xNBl+#(`mjuVf9Qbb?y=lT@);GGCouHep*fA~lcrQzq_m
zmlUB8>1_y=4fOnrLB-<-<7YZ!PZH*_r1@5uIOjLiHoivK)F5AHzv6qK8grZ!haZg#
zMp2{)S(Cp-P4M9r&%7Ci9G`bUs=yR&E^>LLe(O7}+RWgeOx=gsmoj=QbV!EAj-L^q7Q|UQ`knN4
z8uif(){`|v=W1Q0`BsVEb2|7>WcQp7)p6MP!yWh5vERVzyzOT2WDL%$VU)^@!A6M#?4M3f7
zHcvvHld^Cj505Zw((T~-bxfbnUgqf)UCBU0_iHaClm=ET0RuyFIG(||^eIOO+^Z06
zb{ja$&OPr^8AD7EaMB`5Zbgti$1UA`7cT-&YK>rj9~>TEWQj9BI{|}K?f3WEn)dM8
zkGj}|*gY36XYR+B35BvVtmpp4=6b-8F9+}OL^~+z2zokzb+3Cm-`-L$!Jz4(O8F(N
z8rMNu`D)f7TKQ8lh&}6$e5X&S)NMFqSb=BOCF6#vTqSZ=nn}>{zS&g2csTt^LoO2=
zMLyUcwYAxAdv3_#QjyH9CY?&d?lt%n*Wq-^^Z1IdL#E=bjK;S-+V;uV)z6ZrRiw@f
zsN9yYsWpGM-;Mv>^Vy{%YLE;#M$K&e`{Ms(t<}$+&I=5wY$179>z|tqq3Kg+f`8$%
zvpRd~OlY3N#^+^2q(9t9fhNOuV3fo>1IIe6|1Gwh`TQIA-^c!!Zbz`+
zX(myVX+SZ~-w=i#_b*6X3orNw
z{e;;Ow0~R17$K^2CGUi!@7elF(=9vw^YDYr2vt3zLjR>SQ?o*RbrEWtK>GBNr){Nn
zWBBIHR~vKyeD9=3+N=Cfsxd(f8+piN#n{yd5EVi9?+aA8elITlK8;b~`h{~!
z+E}IU5H5iyU#G;AbI~nhN9mxNdYZ3mg}^wi@`{d6ATBL^P-bk4eD@s9{tmX`@vWBU
zx8L^rL6xYjYA47;FzoYg+1C3Ww)h@u8|BBrGPzctNtmrTFyNA{HCgF#`5xKF6L}k6
zr+da+iOnB34!CyoT|~`O_wOz^oFyAxyr1X($Ts`)BsRTLMpn`(w^;>$p68<|a^!f-
zkXgd}B$d1}ilYxnT>ab974=aT$Nx)Y4tD8xh1K>`S#?l_FxSH`_D3v7Ve5Z8@5Mat
zRe6VQh5SunjRhMauM@|HEE!^9+G51}V(m@cJGyVddN7)A;yR3MI1qgGY#_^_wu@HH
z`o1n24!LtledT(^XWoK#{0%&(nsYeK6R$h9M*as{#Yjvlarl^QUx^7pQjolOvLY&Z
zOqclohxp+mDXhHsH^cS!3BZqJNRffw|3D0;AA)4ceO*U}`o2=d-vj^lH(Y{h`!K%n
zuSH-aLZdcZU;f8hf7!slVBHEv$V*HS7T?%LVcW|%#@DN&*PU<)=@2qwU&(jd(Ck-X
zIZxl>JAXss7JyFu|Ibz~C8Jh}iYe+Jm^R!ptFUENt4}P}{PcfhKRvi)F9|6B6i_bx
zK&=uPL)||RW4I+zVN0quZ$Q$z&{xJrJ(rGk8TU_{?lsMlIYfNY3wR7IF3^hT|I|B~
zt+Qp0YxM*Pa%>2m85uEO!O)50knO3K=ByO$sod^xJ8cO`LiWQm1jHO=%+&8~tY3ma
zojSY7+efomTB16Re|(WNVO83vZ4fo#JN4dbLeDdxind>Uhse@H2=N7_Ye5)uOMPkW
z2xUO2O0{8H{MF)!Nas@5RW!;piIq;cbwAAgL}u2-9P$&}v1&2CP)?oi#{j6zxnq@Eg)IWD=pvM$f**SZ-
zgLi8%Y97}=#F~E9(rq#MWNnO7JD4H2P{334eB=p~B%{SF|Ay$={@Ug};4QR}^)7@*
z1|i^$zn~Wop(^zrhC}V7DBO_iUDflwX-#ii>x9XQD4_@V?E0L3we0kx8E*{6#T?@=
znohgkB0RhCEr+Qhc(S(O^B!G;A9KC#wzya`=fIC+*E(5iHG06O@jh9DzC}@n@!m2~
zg>7x4qWGe-#;%I!_?K%y`$;)Y4L=e3SBRjDw-Ol$1A5dJ-f%V@jy3|Mbs2DuU!V&G
zxNc-gjyAct?nb0rDx*#g|AGs5u;(c$?k40b^Ziba{|0G6`|@}n^w_I93FhGO$6)2j
z`T}8#0;6T*nytA>xjJz
zfl-J1Gf-v80x08d0n~9f!zNB;)g<1=r89EFSv2o5*=(jq%({C~JtM0>VeNE2Yg!{?
zT(M!6Lb>zf>cS6kq|aJ*>M`?+H*tlwUWm
zNtv6t44#H416zIr>_l)CW6o^Y8^VAH~2cO2?;*03_B_M
z^!WZbrx*k_)t}+mJA~ukMy-+6;aFkR4_(G(Vu{W7%Q@OcmjK#-gsjVoj)j|WrJ78Z
zt~UmlaI{6zOV5r56#50P>VNbyQ;Ao#K4NY%TEJNBDtv+G#Ys6l`@HqxNh$J~O57_Z
zyH#RBhjgzj@=`_oz6fl~Hxc6%M2W1kKGCR?43vt@`%*Lp7&zJuaRImS{fH($*9p5K
z##Js#vh8d~WeB5#~pGQjYYb79Y0AHYO{G
zTi`0j%Z~|t>B)`3Ii$h&O>y
zt&_X($p0@OEok2KGX!OD-=c_emPL8udkCiXH_GJ#^uSk0Q=`Hxk+pdJi=mrGqUVkz
zE{!PUtiq$#+E1GM&P-kCd*o3_WWl0+nR?1({R1|a>o(?s2*eXD<7LwMT9f5cfVPcl
z?mcmx-tt6`4|8IOKjx%p*wBLU53>?I6ffq|d}G9XoV!Xd9iXe7dVK1feB8w9ZnTf9
zg}ic%Rc4E@3~M|4t$L%D!)8eAo$jCTl`{G2-Js#3BLYkUyu{u}EI!{{{=gDvEu4|cMQ)lIz<5$vF
zPwXy>QOUEaB3KvtaozfGj|@Y3{Pc!~V(ydUa791165;h+v{D)-rh6W1HTDQB-J&)j
zo-o+GWJZnDC1~#f)H)Gn?HhMIMmWTcKRR;lc+8TG@g@&qZ2*t!T;S0KQGn^#61sn0_--#oH+qL(=R;e%Bc86jxIDfD
zS@A!xZP#r9fdtZD6m;Ju!@V@}@Z&ax%DUJuO+j|XP~ty?#mRi)N(%07BAFPtrpvPpzsK---p
zD3ULFhR^Ldt!&ASp65fmOf838WD4m%oA?E7^R-+rGjurota0SUBm006UFdL%$=NW
z96)ZDK@DOP+yh8F($(h5)@!w>Pqq4l$V)g2O8LcW|sa8QauT?!Jj-vKJWt
zJ2S@KKSOo{gA*YJNhqgNc8@{vKVmn$Vz3L7VBA^{n&P-oRd%=ppCczk%m{xDv#Gcf
z)Iy$k)k%$I#x?bnr|&|U>;r~btKgAJ{u5la&L8HlNZEo1I0v1KW9lgn--a^T8;t!H
z!4idh2e@kKj2X%)PG9vr*#mU5l>giu@R~r$w|`58|5ZXP{r>{W;}sQzPRC}4s5%O9
z9e!;dd!6z=C&{Y)(^GM#r?MPhQGS}z)F{=y3C2}r(7l?-Z+o1!YV4o2yKt3b9w=Fs
zt)j4DmD{tN|8kAl+T3nU?^L8Y=`9oaZ^wYl%*ObWY=RhGAY
zrP!1jG^=ptN~JB+eNf=cgYn-s7dj8R$ISpGJ^xyy<*i>Rx~B$>DxA3#Uc-86*-bC+
zaEczNq^#s|d`gOWRPM6gYOo^DTGX`X5`WRLTu`vY!a3YG9^gc*VtSHOoy<9CGTeI!9
z5b$|v_3F%?%{uIDjE9Xhu8dpGrqySgUuSn%FCr|EGgYscxjvI^Gl$J$_e$P_5brlY
z2QOYiFRj;eM|&4=i&qgAdLJ~f`(ux-`F1&lROUVSEI)L+YO&^;*d%#Mx>>6xwZzHH
z4-#KjQ1H|o$6$z^Kh~Z{WZ{IvGvReF@BYTwM<SNaXEbcv$<%OdMN&Dvbi8NTMqvzqtr&c;&=f=iVjY}Sr>=U`zvzklera`HM1^}nm
z{0ogKq!@FeW@1=e2)hyK4dtdB>Ak1Dh@t5U>qTkl!?-=xUZvksZNN+M24B+6qNJKD
zy~w?Gh}OzP#!4P%Nt(p*hWLq7BQLMDtNYRYh1m`0TqE*@{7MYdLF84qeRi5tuqTZc
z3DtzxVuv+e1F?uotPo$^^wps&pduXiTCR{V=K2UXSapWt5s!GGk4fWV^ZUOQf{$Y
zMr@DyWKUUCS=~~LBwsSTZ90YM`g2cw%V^DU{XtOs_2tg2nTx%WtB3g&#`Jbcl|}@P
zmYR%PUWF&2r3})wVpnR=gj|jowHuYBd4-f$vZocpQ(fYdzP`DWG18AXSx(&G1}zE8
zn=9^@=d?_#mkA|FfYw1??=*DR^h4Kl(mnIE!%nMt7p6-YMI^IG!P19;92twKB4OW0
zS>P6=e&eIO;(%6WkhY6|a<A
zd=EWo{CHmszIT~7ZbqluxZYxjUhG_jtBYJI`&P7uTNm4k=#OH9-)d5c51XYr8#6Ru
zYn;Om+&z_4jVP%|O@L))#vhU>vFRr>CTknAhe3{MQg0!$`Is5|FwJPdi-X}AU9Z3v
z@aizKgt$*RB6LVmk!1j;@`~)>3KJ~mnxB`x77QM=Jh|4ou(fd=$Q4AB!Dtpyh(o5Y
znbq4uFd4EShfMMQE&e6oHSn{7IC+1($7tOUC2y;}5CCi#gAcYid=5yHi%L
z2dLP7OXD<)@{nFwo}O!vGycyncc)}ckk*}Cr==F<+Vlq{91OTUZK~MN>}}5Rue^Nm
z^oXUt_1mB=A=I{&e21@XKVpD9{!+kzc1&!V$X`ds8s72xajSmdnUPtuu9&{ZaYxc=i#x@j@pJz*2Po+&
zEsgJqE{;1gUt9Po+Ujvhog4M>&!EQI^z=PK~q@^j{+uo-k2DnPP0_
zt~xmjk44dX2}+^c}<~8QM}C!{=~1-lEVdS
zv&QZy?0Ml*!UcE!6^F$#?kHFYeYdm5+|d)m1ux`GdEx$>radW~R-m9t=2#5HUopoa
zcgZXT61lyT0gvFT*cziVAoUB!=?88|nNH?YnjznvRTt;i+CFisM$VAi;#?@Y{~CKl!OV8DN6e;0eZ
ziSpV-n4bXUe}t*iwA96JTeIuJiaG%cQ4~DV&!s|Jp6CPu(^k=%sn@TkwM?SbVzQMU
zW~%*H_2Lo3+p`u9xUeR|*o-&!POmalThcHoz@T?xDC-o0hr&Y(tX>4(y=xB65Zj&L
z`9{IFjctvFz6VC=%VOgm|C<7^+&k{^AByDa@E_NVGrTqKugeyny5Brw~X1Wj8S_e
z3*0lb>}8B`!{js?%rj&pQG-jvWL%Dd54|RW
z9Lt5+%(2aDALUWM9KPt^_hn61&3c#K+pp86!hgdx{L5?L7|ET-dqDS7n6VoIpw}~O
zr-i&N@NnZp4S6T!qsO~NaCgBqdwg&5$kV7UpGm(cnmU8h7agciTtx4ma$Rwljv`+x
zd@p%}_%8BOu4oMvivV`s^iYjbO?>7fJ(*MD`dCkkVZz}3XKNc8*oB_#R!ICSAr4rUNu(;o+(TrCe#qfGBivM3Qve
z?MFAOLRMaHfZ~$P2aId`
zQ`#K9R>P>-(m!Or3AmJnfOF2<`Sn~$ajaj$W3Vt=HO4xyKtjLpTl_sGKH^c=?J
zIgj$XfiZV@f;3}R^^h)&L3{|a0;4fyAHuYm%JV3DmL_rp|tXTmJL2={jI%E2TLMzb__;iB)CK;UqyEfdMLyUmb`(>NA
z2;a%GIsx|a-bfGWf7Hk#{v_jT&h|hY{4g7op4ARMuC)4mhqoU${WYg4aq7
zZjD4873yiHnqstDi+q3N?FpT+!h2h*a%x>>*z}%n#95AR)H(2I(3Yctz^C*f-P~zL
zHzAHyRC>S_d>PH#QZro+ogvS1U{`la${UEjt5wXar}6!%AYK`~SY3hadgA@_A^nD9
z_sRb9CvS03N4mut*8@Sb$Yw=+7j
zcfZ3)STJH|OK?wR_GM>aCGx#Oiqu0-5R9OliWdw`q4)to>X_Mv4tFU0HHCt~_YIev
zE;*c3MjI0P+}AfrvbxZ4hx}h9<^HJuh(Hv|j+3ZbwxL`cyqp~yZ2SptqW&pXgFGtt
z%7VSmA@`GoS6ty|X7mXIOaYu)>bh_p$Mhbg=(#{tE;)U2i9_MQl>Blu49Cn4X~lR!
z-<14Qa>ZLTxW_k;Y#D82=yRVX`gn3b9ByC#dVc>{7S)?`8DGZlOQ|^b^pLNzFXcub74E(&Bu9xJBg`Wn9VN^me(_}3NotF4CY}+C{+D7;
zm@9>R09M5S;ddEc))G{)B(|VQsqS@{s9;M{MLVt!d<@k=8}V0nLp1{yp7DC9y+(#@
zz&mp?X>#)rAmstbSuokqQzf}4q}T*%Au!IfOLQp`wHF0qMPsmge5R!Q6Tqj33;T`}
zgqt<2Th)wH;2WWiy$2`C`6a@$_oE8KghPnE-OWcYQLZ9kYf-N6REf9-lDQ@faEuaz&bS11A8Bj#Nz8_e(C9KJVqB1&e
zLA-t_oSYJ%!QV9>2;>s0`|>N$k+?K4KtsA~I%*@h??hztO7Ps32u0aqA*h3Tt|3Rz
zN+p1dYuu2$_T)q6eqjCw6eStqX*9VjVMU%laWF97mDr33rTV+6IzJ1oZqI&TrfX(?
zDn%iA5av4(@k~=@lqvvWMHEE^n#kbqW$_eLWI;iJ#9VTUGU(I4-7Vp9TiYw#-?HA^
zTj?8zB{t(gQIZnIK$GhhR%C3+dbc7Ma6-}LgpR5hTK?+Bw1eg)uV49uy)GGCp5f@=YT8O?L6d}|~(rS3jB4a(en!$in8%8oI_7(f#GC;%
zT~0u=m0=m4kDR7qADbb(Ufs{{BnWz70Mr>k(fEY|!>-bV2rL8kE+J0lS_3>-vDhKrIBu
z5eDA(emI0IydO$gM%Z}CN*Q_e+yymF+$V0M``CC5lBq>;(%4&wMe%mzVzOM9@kaZs|fzi!0pafFCJjqIoqT0iJ3W(nU96flEWu$FBW5l
z{MJRXwPe!VwJc0~5>bZ``^dxY#K*{W<>4|7`TqVMaqmX8b&4pDP~LI3(w}$n##_j1
zpRdyELeGSd_vy42iGG8C5I__LJPP3UL|r)YK-!a`F$c~X%l13{f7;al4XxZm+wk2V)mn`l7~FrI8O9F7AWl)eg7Cmvfr
zS#R)dS2iCCkNNJOB~QFI{VE>Vmvum`C(qjtT*jAapr0XwCL!^R9zCC@;<7
znu!H1MCfDw%*6C5fYj4ef-Wue#(ih3Jkb9@Y3m;3{_`WR^#^1`5@fA!Xbn+KNyH~~
zWWTk&ixuUBwPAKxhs#yk6IS$N!))feo5JQ#^m=xY<4=rSdgrAxpLwWk3(7->B#0_2
zg4HOEm9^6s*qE5Ze``@~_Pr8&Ujx*Y)e8ksn(bzHThh(`qNuU)uHF8iXe&!`RMdDw
z?w7LS=P8WYh=)Xd=Etba;bW?QG*Qx<{a9=$&+cx9e(UoHEjp6@A8sPlav
zOV~hw1vC2|vcMT!PjOlpyF)U!e8bUc4=K~_QDNBd9dagO*6s_zV%q3_8PgIoESOPK
zSXR%s3f=ty$pghoPPSsaEg48$!p6$Hc*4Ahg>ye}k#N+Tu*IA(-nb_~|2`-cEaD(u
zqM)BsZoT=*g6PXbAxpyOJktIiP;$|d=q02+IL`H2C(KrgJ1Cy1BcTmIj
zm5EI##LjUe?5HCyNJyT(^np-0V4vWGr)}v-nw7XmKI))~-=)qWQffvbsyKd69yL7?
z#H$BZG~%3zUNSWHTao&6cB+0o||PX|D@wW9nxPn$A%15IaI16!;;X
zkIijC=ThpRQi%0^-;
z$Ia-95`(#tLcua#=?+{DCEybZC(P>Q*aaaSo3ptldmpH`QI+Y(;9wBEa=i5A+!)|kKcrJ291R{Hdax&A-UklIJlr|s>dlv8W
zxF%2B*Rg-*xHgGjIY%YCAm5!6JZUbF)wD_ya!iVqUNTlp+oRy^5wk@SDs1+myT~1+
zoNNP6-q$V*rMYv}oALZ1l$KP@>Qqf7{!*&geWOvLw+)^$^j@diTFg+++3eP147UeKY;yRZ)g{Y1hn)KaPlF{X+p31U1#W2
z0)qpYR0^zuNr#ub0dC-m=z49$t>p(#JTNlZLYyt~KeC~=hIUy)oE4=^U#ZF4%c|L;
znAZnXYj&yA>CG9~Q3&*}e*+49|WCR_PWKkEN-Atu2{P-zV
z%pQc+zblQdAxwshq6Si~^`1WZK)_b1o>I(zL|Aq!72PenWjo2{IxT_2A4;j89g|?5
z{j6xDNeO|YBFTPM5$#++rmeV6TD^jiF{$F6OIJb~#->rFGNjUnbcRl{FKiAgI+YwY
z!d5loHIx{eynCRJ^k&LSlw*APX4Kh7A3lhRhR2WZAbhM`e*Go(+d6^s-
z!yIFp8uu8`N6h)+W|9+CD6Mh
z{1bBAY+&4;RO=hLpBoqf3=NlAgKSLFj0+Y*NyDZJB1w+Ms$B46qL!4iI=+3|CksVL
z3)Dykw-2gy0yP=kwpDYYv;|qQQ*x5~Lni}lRRR8fwl)H^UJB_L`W1+@;E)=EGNvkU
zb*zH3pA&>xZS{gxbqlZl2ub_=4bw{?c-R!gs;(J|IXIpfgsD`OpDDunwEu0JQ>ki~
zKX_}m91*`J(6{(L3mEJIme($Y_6!%?k){`+i&{fvpAe);=C>%h_P2@*BR0+h*1$JV
zeeLv|%oZNZn&G^4=wGP!SQZM4P>`EcoMLfk
zEj?ua{PY5!N%w9o^yc=^#rlho!K11BVyKo5q*Xd-rH^eef(T-I(-Tm-HH}&rWt0
zwT*k^@Gq-2_Zv20y=w?bY^hESqLx{6R#rD+kCdF%H$Y8kv0KP$eCE2ZC=RcU23rft-Fyh)~*
z&D=9%(Hic9AG2poEEOHaSddGfeWi|=KJLnbn_hU&K@1TyJvxp(X2z;sG80ZkLw%VQ
z)L*@8UE*nvZ&6KxUhyVHDXR>wFe`0;H;?mvT!mG=kY5sGVcf*@#6Nj(CCwkpkVkz&
z`=L0U^S&U=^LL;aSBzn{1d}}JLV++BhH2iLBgOO-xGIIOj#LdMC$Ltn&{q|>Da8Wh
z=41Vdm*%|YmkCO@IuI=1;85x@KPetCH>*I!A4wFZ6Y?m+;7y-=enL2P8QQ*M&@9cK
znEsr?tz?D@RycN*2ah0uSvSJ0~FDW1ZgQ9BpAt_W)`Hl~NquiDzXafq$xg`V4ZbA5~CR!m-j
zrZ^3QvLtwUKlfmH_{4TiFxBJ-jBhq88_JznncL70H=i?LcnX^!ZGr&&t3<5bs&
zLL5{Bas_tM`^jimraQ*f)KL~|IJM=rT&nf>#Y;%aR?yV7-bxdh4rROD0O|$>Kxu2R
z!wNe^NUu})WNW*amqP$!(S1BL<2ELNoS6L-Dt@)FXvwiQ^ntnBSLL3>^
zE7q_`b2$)gVTnj}^`6R}xr^Vs(RYF+)!dTIqw?VrPx(`S7UpuFX{ky?a;o#IFk@yi
zN7Sd(2B~TzK-TCo8&r2
zY~LW8SM+xQ{=5=|S&RLdy13r0@D|4>x6Ce5!5AD$RrJ25{rCfqGt26(K0
zxlF#layex5UjR7p*v&4P_EL?k|Evb+Aoi+wleiIxU2|8fa?RjgukWau%ep;zo&+=}
zFAC|!7aJl`6=dizKof1hkAAlIz1H448WKXJ+jH4Z39rxBqcgMNA7v(F9TG#lkn7~0
zVnA+X{)bq>p%=2h?Z2bV5K&mID4_GqZ_ERu;RSoydS->3MOa$o#wqKeVE5T-d+oC*
zmZ81C6cBP*M(Ad8?7@7u8Ln9+qik!}oWr$D@FeW`F@ls&qLuRrh57lHT+8&|3XF3t
zlh&La@>SNlU(fXXT$t1N)=WB=v<+2T5vO!$gyE*vt*!h6j5(h+%l%(bzcYZ$Eas1f
z%V?efd}{4k68GKR#2Ltcm!b%B!~?+l1Fp6xdNqd_vFwHG+!RH`qv~}E5_;WDqmZVM2rQ;^K~e2kPug22WjcwiUBjzP
zMffAu6^bG(qpK>J40_#E%<`adzO#HeWyS$2QMGQ0B5Wg!tYZCWr4V^o&X>#N>P4nPesa4O=BGqUMb(7rSC#1eNvx(9&@6RiPdIPm2)t?6UsddTIhF+gKQ`vE
z!VlTJ10XcJRAGK%yq4`J*q=!8MBUNtq@A;YXUmirWWiTwSwpgz$}W|;K%V8(T9xp!
zzDX^WIk2-n(h@>pWbklY!y=IDB4Mlic2n^U`OnfHxq%n4ogme4i$H&iAQQ@6tfwaG
z$B`G%+XidY2J0W4wBVlE^c2!`$Iq;SlM5g~KjjiH1Y(Lv3otzO$bCNbxdn7oNx*nC
zDFc3mUMlT3UiHgLijB*I!^ghL$3D>EHgKVzNDf5hCcS@E&3@^fb*aASC#bkvo!ld@s9;BOaU8$u#m{kM
zS7>ySZ#>9fzS2^0(?fc*z}42}vRAw~bmq_T%+O0X6aFIXfz&)vfhNY)PWOn>3vUOYvX!C0Az1O22>?}PlygI$@?Ui{RIP6
zHju?9K+<(;BU#udEZREjra%;JE2Ep7sCU|hS^RVZQihBxP3XMLjJVLf8{IdN
z=nGijimH3jz9wM5)OULY@CiN`*1Xn3c$y>V@VIW4sr2>a5Dfh(@k>Z!^kTblBts4%
zV6PRhrnasahDjv`e;+Kzp`H(*<*t<2GR?59${wBS2FIxzvy^1Q6_b(8c8cOKS?V9?
zYruMDdXc}qbRrPh^~G>qgK4($(FO_<0y2=p#-PPiN3lI@e0YHYVFtUZZe_-Ak;`MA
z*#%$l1V$Mj`M)@Xk3Trds;TdKcnc?7o5>=0mB;*K7tHybu@gFWB046DVA(Y$Li40O
zgw1ng<+`wZS=BgvGuXWC1Y&!^hGw)!6(avzk(CxYHYhqKiO}4&YeaHcfkGt@?@@d$
zAqRanF5qteju5{~%)eSwv_xYq{Dk}bqBX?=qWq*efmX2$vrq+oy2$q@o1jH^zAo)T
z0=GR5np04K1ylVuL
zaf7C3yP1dHGFfmj#^Z={aY*m}H;Md6Nww~r;&pjtP(ig{>-2ybqyIEaB`Ww9hMIaz
zg71Xn8};6f$KFzT%Iy#dZ*9(~$uvsZV!$ZVdS&#jrl30=5w8kLT27Y<pGm(WBz{R$
zDi$@$q05kxQBC3(=KP7w`*Te-+|~yqFC`ZN|8&K8Nr{J(`82aS5y}*uBq%u=~`veFAu{mCV{F&@iywx
z#bHzxMTkZ5&e^*Wi$n3&UPRg>LAvnyI&X;yo%v&hb
zUn;E{?>u#~r+%8laIV4J%DT#dY+^08OCVYFp3<0i#DY9w9LS72I#yaL;`A~0^M^r}
zNF&^SrclEK(d8e{=5j?M@|>jQd9iAt3`Ho$tOG;UK?dV3LB~p|88IfNB0KoI
z8q+Is4Dqx|D8mKZlGKU&{0daK@-Ae6x!F5c5s>
zMIfkfW!2nbs#Po(@_?Nk6x44osKDtPtMoQV;0f>B?`&Rc!eF&`+rVnV#kFsNA3U{V
z*pO;Ms&um2&?5XA`()Vp5gT$=2r0ymkpZ)(9g%^6tW9T4G#(~OmucxOduPe-0aj~z
z&TqEcs0~wQ?XRZOTW~cutTYX{N+iYkmdI;9}fK-=OEm^A`MFM
zS;R6Kq3FIM0YBz2{0dq8XRZ)*d;1vPJ-^QGAL*h<-kocz={L0iWb!sj1{i5b76Uyk
z+Tx-uB7Uye`BNBfIMcrK|2U%Nt-YQLj`mlVQ>rGYlTPUJSNY#!*(#`;Tc_XRe24v8
z!dCiW6$t#~aJc8kJdh2qH&-jA6w6#p48(J1{&H|YU|BDFDXF7#qdKUhUvA{nR~drZ
zOmnAS4ireH(7`0{FYA6^FP%(f-mP2T2Ncva9YWc`CAWQ$uJ7a4YO!d+GH#P{erMb+
zbXurs;)$r8r{eOraVmtTxBv8Bf_{b%Qqdw<8qT&bAcQwKGuwr-C@&Wss}1K%IwyKa&2o{O_D45=c^
z`*8P9G+>YTOEFG8$JU@Za-DiLBu*;UDC?Q*F78h
zCFq+@1m`bLzsCW#^1Vf7PMx+Vsh`2Jl($~K9aQ?*1=l&X{;*u`7W+H
z#=o&!702m!h1(t&DBi*Dyf}T+M3JIK-#&N>*Mww!dh_?ug9PCoguJWQZ*Jf5e)BzL
z+-xU5g>;A2Y1i-bFI&S?eY4Ube~Z-OPq->}3mfZ=Kf@4KU5+%<2{i|kwCeP%^A?H1
z50wIv@6hKJ!--nsdl)zte&+Q0VoXzCimvx`QO0P7ePni+@%5jc85X}h>XCWH_Y)dF
z=HKb6eLfzJ{cSwFzU!14VTfWL+C;dBV0ahy#@6pn^}SAfKbG;i@0~CZRysoZ;yn;U
z+PmF`Gx@bi2Zs&auPio58=_xnLhtI{()kXq+G4|j$AP}j9RjC{eupq{83BC}VqEES
z{L45ME|p<9#caSSNxGTX{h@Dy)J5*thC`)+HX!F9`kkV>fYTb2Dnjm
z@nEc{!hvLb>+%Gb6o`%s{@ZrwKX1e?M=E|<7Ls7EO`O9<9w|8*f_$q@9AhIp2qfPP
zEYMF@WRxEG8fCkh4FFO?{|^x<9~)XR1cIvPHO9u5AP|2yFkK)1Zioq6+Mjt<3J9NX
z7i+i54b%ac)_*?|v0+5`D!D3Ohw!W2!T>i|-)Zkxxx%V8ZSb5daUcxz0DmU)g1^(;
z1D`Cc{WQL+f6h==&yR`yY(u^TIrR~qbwV(-N|uE74=iaL=CH9tT1tjs-}&ETxqFu#
zosY;VKi)tASHF1v_jIw-By0n<;Ta@zUD{&r
ztMb=u9b~uoY@L`CKEyV^o5E-T4hvsP+1Ju@NObvc*%jN7PWf4#aSRZr1o3a%khzFn
zfzO>=NJ$8vFAbmNz#Tzj2q>ms!KV?W!FGv9o%P>ZI)doN64-?DHC9XKPe~XSWAI4djcOp)-UG2+g$VcBzH-^D
zA_3|kppVP1;*@GSS8c#gdE4;Mc^BpPYCNE=5)MT?I&-js7j5En0%zAYzjyx
z=mu=mgj%c?-t)0oMiCq>dtU}f?xMsQZuJEfkApAg?J1cmGg=lW;9=bjyKxTm
ziw~=w@vo8pY{0m;^=iPwx}BqYxqGfZ*ApF>$VFGnD;k&RYqZs9S`02wnN`*VR#qfG
zT5{EDEnT19m|3~iYYiT8T0PXIyz^BP|G{HkTgPdRTzeCgSd0X6QI<$HABiqYD8ndA
z^beN5a9GE;tI20sA=hDPB{|v-@8;MZ?bf}(@+%tF!5v}sB28tb$IMH-=)PNUh%Jr_
zP$`ZJGCPp1=@f3hf@7R>EpZ;?Ol}Q*2d!FJ&lA}ij_RFo20K*ek8?98(Opnu+X<>E
z@q@Qm?CPw68z0<87qW<1kM=T$bbRuvdxM;-vRd`Bj=|tm*4AF!CTiUH4gAhCi##e!!W)%x>~o`J6H^S6)7=$SKKg?llcxn$K1*x9@>+I8
zHXOt7v>%>u2eWPWF%_OU#c63*7nPo#GozymcWPXG<~t_KkHtx84i}YHo-@Ov4R>nn
zdvum;Yu~y9jNQ9AZJTf8!$9$ziBAh6v0_3wUk9}B4r-CrfBle&8?X8lwG~;O-7Vf=h4-PJjfLppCl|+}&LQ!68WS;O_2DXx!ah`!(5npMCs4_x|UN
zH^$8BS#zyU)qtk@Tc1^v0-^RBo^
zzff8chqn5=;att8W~U60vPQ^-^RHTUF!$1QM365SMb5i3c;Z@{Z2cUb{V^OEvp}5C
zf-H{gPLF9%H=p!b_!X0!@&hnIf=uz9o01PXt(+)y=-9}s
zN0h6jmyCrK$Dmf2z+^TWz08$Z1p}1=lOtcZuSSW|i3xf2{&`|Xh6aXVhhc$EDbre}
zDqDw(i|LeE+#4+{q_j|M@T@e-3qroJ+Jpc_xxop&HSBQ_9M62
zgWLDFBX*33M5F{19X-M2EaVpC>M9|0nFwWbFu>_m$MVHaKECcp*ZK^3J^lEfNm0|`
zm;~oPcvf81u$ZNc*vyQW%`C!`cyU=c#KR-F)rSd7j5dBk8kK+aR!_!|>piE;5$yv&
zA)U$Tym;v=e}wQ>5|EjE4-P-PnkU2^($5P27ARjs!5j`UAKnR#Zp1a^#Wih&WJ*x>
zAu$Vbj~UaE)-|Sr)N9QmRZ~NW0j97`2u9zib@?46_llZ
z1JsfK8)mE{UsGnHBN*WDTMVO4enEolpVKss?4eqgUt!Nz1?ou9S0O&VKw&JQPj;UsG@#6eIw++$J6GJipL!ZHs&KGZ_|L;B0?t+58c
zNQ22}UM?=|!!q;w9qamC%7B=)k(NZ9#9QMnBnr2iBo7XwjEFg7{j0e@>228qHIVh*
zVn~3XaNk)xLiG!S7R$fT
zD%`40qzuWn)DvFIvTix#Ou)8;{QwoE7{h#SxrP7=w@!tU8NIQ$7kpcJ5ATs@UQaro
zfqDI@%gfOu=v_^~QoTL@h(*z|*W~VZ#=KU9cRC$@V2+qO|0_D|+
z!V__2=N#H5d90=PDH?M_B^FyM9QJf6xADX714aUdY#9~FvU7J1sRX5sE$T1jh7n_L
zJaHjKba4@b_H|x{`|s;wh6fVpATGSpf9^Ta(+)0V!dS&ldRg0H$&6ypk3
zS-_tEM8zfZdK*qIklsrm^t~Lx@wrpUy+Mf{Bs4uL;&3LnzaYY^
zfJ7TOe<7|a-x*Yhm@$}^IER5}GyfIA3iS;hhcGx@`g=JXM`u|%ba6CHYrD!%n0Z~;
z1Anb@f~z*|pRo62L>AEy$u=)4R!9kbJEM^tqghAESICbGaj~b`1
z-#MG8D-YHhdmToQQyCxG){iulYg>@#d;fqF)F}QA#~)W8shxefGW;pqcJ#4tlAr~Q
ze4^A=exs+p^r+xE9o7syc`9wg`>*t*)GmktO0J!`L3|rzAZNKqR=X(JOB#gt@nT@J
zk=%uRMZP9%&hCSFW7N1d>IvbzBhQy09)
zPSV?evx^AQTqm1#?qesm3lDl&BWrc;Vv
zhe7Lh?K#*ZM;gYw3vqoZ8pCOGMUZ`du`Io<<$(05%x1@xzVl=))
zV&yrn95LG?$$!efYbm}z;do^NNj>ow5O@lBr)G2m
zTmm_i?&%7yR97DJ*RIV)>)bI%0Td1WCFIx*oz<+;7yjD6yqa9sjd=57d{IdLjbmDe
z_jo8aUJ&3C{z?+s_d?Kb3P`*4<;XIy3f(1@`oAD%aYZMlPE%F@QK>lbI_j6zRq%j)
zvWS*hX`W)Fhbd3Hfw(RMV*&Sz--v=H34VjbB!R@_JhPG&8)D}ulCc}nJepmJ?%R7p
zD5q8Tf>9UvK;JlSj5E{jZ|{zYD+(}Z
z!GJ85yNV;8XdH+E3ZpkW@I1$74lGn`exJlMC5?9`UV44v1Z#f+5KxyTG<)S-W1
z&cZkHNWG!7_vQN(lj5-WEzM;&n-Rvm^@hrM?FrGZ%GGiRPu~n(if?U9(eNocY!C1n
zZSbZi1mGQeIgw+V%unb>U8V!S$7p1ZKJO1)FXmVWErJO9roCEI3`Nr*kw7r!9DHJVjA%L@zYr64J;PYYGXMx5+f
zKlSZKoco!i!0qb{_gJr`?anl3&-KyZ`w$(_b$@pJ_!@hFOExoc0{EuNhZxmH?u?1u
zxqkAJ4^DdJjWd3_kFo9>KG@MtgcI_nmrR{>VE^=QHN5VOjH)vOW}66~U_suOC$cx_
zPtbt&*$SW?re?)}0;8-Ntr(qj!~&*!$Phd-)Rwsooe7fTW9yh>qfx;0}Wv=4QDhE1D0rpuk^qY98RZM_zdQU1&@yyZ}jY-B|e~
zgTJFLME_#qpD+JSos~}l!vNC=9-a+4Ao;8n{`?Cj6-q$Ai0+wO65k*6$-Co|Tv8;>
zhh9*5hvpRy7S%%(O?WWQ{07+%5u>oQv*4c$_F@h6v#M$X(U-oonsPq-Mf7u<>M_!3
zJDJ!H1Ms%~_&=gSyd(P528S-QWaHKUZCUv{NIi7E1Yy$#dQ`thyB
zvEMxz8nHL@2`RmQkn>2V1&NQ?35^$Zzs0!+>u{6s5pyfk;Be8Z;tire5Ywjo;5_-7
z(@ZEb=LMP;;%RoAE^0WYZJ@kfomWIxjB|H;;F~r4PNk$bJ*kc2wL2J7(ighc45J4n
zs2*3@quLj9VFHcg#+-Kt;u(uOl>{D+IlqZ+<3^mo18hH=BtP9(h|r%E5Me(ngnP%>
z@Q3@3+dzf;5a`lBM|-$%Q80AKO^T#sd^J`%l8Q^5AbK4xHuDVM~t9(CmToWB0Eg`
z^LQAe>$n(G!;TovzZCf|vV*iQ#=?kQ$3>Xbcf=7EO|l3WKIiyZeI5%#b{!WgQ{!!2
zxAE-_%fzh$Ts8c^)JNFV-d&=<3dh3SO5>DuL86mNfPp+q$VYDcXK8#
zx&%jxwte0$}w_L-jDI35%#kV?jSXi}7)o3aff-tjj
zoaW*^gb&F_45)a!;z+0g`PvQyp`-MYZ@`g7Ba)=;6sj+htC0f2KrmH{tS}n=1bNg2
zN9F8i&_t;4C;3-&@Va7T#Wem{0p;1KDwrK$5o)HQjA_GhU04kt6Q=b&9jz|XopNFh
zrb>KAsKO_CcseOvB-+^AJlx%$xq2H%#?&+fWr4EdmX$Y#@9nWv@jL?CyCnb>=R
z10S&=AXuRtWQ5Wb<+d@Wxc`>^Sdn6=Q$Q%4@};W=Q#8Sz%BcbVcC?DOT9>3D0(>nv
zJV$io&8rLlA;9z`z$8k7gsHThff2n@ha={7aDF$TZr#}N&Jed=-K{^a9wVB_u+_-Z
zHSG1xmiVQ&4yTE}I(9@ErQmXV($cqFQUXP|s9FV4_=p!G>lIT78=8@TME
z3c=3`#Mm(d5~6q9qy1>AbTYKTq_zyk^;&OnY#Uk!ugYr8C3fjfoq$YbQrv?IBNf;g
zM!orSe#ZUBV*BsT;R{QsxsD@Koj6C_$hY~U&s&nuCr7?>Z!;?`n@ga5xExnV$3(Nq
zt+K}~tJ{9q^P?bwOA456l5mA=iKm2E9%%4B&fQKeO4Tj|K*+RCn97x2B&GXst}^Vh
z1a&Y>U^HnHBRu8vQK{dWXHz_VEeQNtpljKtnJoKJ>Ep-GQiPMLNhRa^SxXZ}I}~gt
ze%1M^*?CAc`wnQ;A;IVnc68gVDd(fFbC9tIb?U?4ozJht+?7pcurDZ;X_;Gj>ozJ%K8LZLoYuw8JC@L@{%KgI1JLQLbsp(IVu*#>uUrm=i&uOX*Up~g@
z?%&gH=Mg{Lhh_cS9UKBjdEDiPgAPi1j7?lxCT&eDuO!RYir~=DMkJ#^t4o_aKY}O
zXdrx1$6fp`TzZvT&D328q*dT3R+^s#A-ifxvhJb)?vkxNXT(F2c0ns
zow0Wtd)>bJSmpM^uM~zRm_OY@d0up5#x3}zKDaxOT3G~L!m>Ni&%5&g&oL4hLBg(1
zLEM+mW?z7=U`k4vADRu@5IBB*PKJiv=2wnN>>G4C{A;%myTbAb@oT;(WV%1)$#0F0
z%Q63GbnFX`%ssJcKNy~ypAnqzmm?;25=0|f558=2fn4H)uuk{plx<6)UKz$X*@AOE
ze|gSXvGBm)4!himazbI@ov~v4-UmR6#nEn*$;e_2LHDiQx*V&f-SH;`uP)9(;P3mT
zzF1lZA1STOua$-&bI9D$2ohvb+Z&xMI`m0Vop8iVzItP&jhlfATyTaf&?HK}@XB&X
z`I#_gS;XJy+e
zMAX%haq7L2CF|d2Z2vFHZ}MjT_fV-aA9pqccVmRF9w9bMHet>VsUEk!`;T)o~Xq|7D$jDP2MR%|4HzY}Z9aF3DsU?b9>M`U}>Kc6?u%
z+7S&5P0nUrG#-c_%W-OcQD~G2GC6E*uuTIEM1PfC9MqnelMV$9xbQyAk}r`2M`8rvs)3bKvreTMlmQrq
zG@F>SY^(>VHi^wmtzM
zBo;=;2@mG_(}@n|@&Vh)*g8zWvU1G<9kg6TG?6)JN;hzRjF~^anZE)ExJp|sl-%N2
zSEGFc0DyQjL8Z<-)j>$h=|ZwbYeJOkmW3=UgiMy@iHlyM#<}{3JQp+8w${V7I$N=$41mebkSz*1G}zz$a$!N0_^^qsC5<7ZRgO(bJa@1^;(t6o;u$`S8zCxZ(PM5Pc9@ehXH9
zdXOSWX=);0{PssyvZkpC^65l`-{*B)EiQ2!#uLSb<$Rwvc7`iuF(JiVNNObz!o@
z;HGDKzPC^{UO_0Uzxn;ujGi#TDImHGQ63Qc8~KSMcCDMt27X#c)Mv(GoWMiXLS_=>
zPuyUXoNyf`$(oaN%C-h(c;dfn2ELOfn)192Z)zRSLq7bPc2{kZzy8IT+1z*l+Iibh
zDdpCc0KkN@7UPv`b}sL5m3=*P?^gN})DUl08C^K+bf;c@vE@q3Ns^EfH83o(xs_vg
zE?<8;*3&BAoS@j85GJC>n`4b~kTBRS(DUFaUK=6*g>2cViUb4pTMC+&65+ROF3}9)
z#ASp96bcZpxF<2iJHW;%=+@?gCnSsdl>6JS
z+~Tc?S991&IqF%k)r(*}2Kla+@RKLf_*Ln~V>7ghQOIQQ4ktj_mWYt6)#?%-K&I
z8&P6q@Hdn*lJ@To?@th3aS{xVhRKx3Fzq_H$g}OQaN#)HK34SEvHk9S{x{A(`Xr=h
zFLaF6pk^Ho*bQ9=ZYC(|`~v%Z&|lqcUppff&@d>)CsMCSeu9*3pFBb2LjZqsI}>Yr
zgEy*ecxpD{iL<(Ra`Nh64?OsSpbiHr>ZlM(`+dzTnh@w#`JG7wyrVYJ27lii{q_-Y
zhuB{sDJOn{19Y^m(1AO}`5YUjZ-N`@bF|5xuvz$H-asqpVps$MbP+z0A$j_NQ(S90
zk$=K9>TnWv{g~?0w9E@Z&h|xAiV`5$R18GDWu3E%0!f`w_c<2zIcBi(Ry@)%6r1o7
z^i?Jltj4x|_P{Db=?gxNL7Fv5MolX-YN2Lc#u%zJtk2DG_p_*r%3;KSAm?FbKZ!>5
zxoRUE7dRN^bNQdhnQaBspNXx8sj=!k8#)A
zb%pgXy@peVbyk-7o4`|~7#&SrO|mWAW!4tTE&OHn7P=!Ocm#Nib6+5=1M0b7wl5=2
zh)|kuDJBYx7S_~9KFle$f-j#4_Tz;BB8N@XMN%Q
z;JYg_F@z}fT);6GsRxFF5d%!RkF!Y)!OD3tdC7VarZuKMKgkgvm#1dlv0os4`h3K&
zBR57iIc!8x8?qIZ5>$ON;8kQ&7vPAb)z_LLyR6<*{UA8MS7!3rygqjm`-=I;?mCXE
z_IirT8f6^g-24r;5#m1Kl|oY3;qJV&*G>;xr<*?$B8YUs_D;FvYf!y919x+VN^eJa
z2`}K{vXohMzrIAZN?_t@E|OASpC|F{LaE8*&5Y|2mbJZS#OO#t#%c0BkgfD)Z$TqJ
zNrpwW#`JC{z#3>zuv}_kzu7PnR~p*52X&aYOlRiW=o$;ESsQAWWU16Qa&pPKHwV_N
z&g2|t)G_S*SOKO-SeZ6kdH`)wW^MNGzdG_h&hEC3F5O*Q;$64SoqAQSgN%AX2;i4@
z&8}R=CK#25Sy%PQ5~ntp3C+9(>xJCDaTJ95*2wk=#Y%S}CWhW7WnCe1l-gA}HT(JD
zSS9h4tU=A#6}7JF?4qrVEj5XWHI6DA3@r)R?*z?>Guct(JV^4zDhpbQOr{YH%P$mM
zB;;LG$G*BTV4c;~aCYYE(J5bZxIlInqw&i1r&TB%to>Ll5888P!a5OnvVP~4FU>@&
z9vQlol}$^#CnlzhSw#rVAL@HoFk2~#9JPIx-9We#r48D;lsH`m;;wK
zQQv^b)pos(JEdinv*X!m47sJ$BtHUt)rpZb>6(22Z9K#pC;)I8ZYBP7ah`9f-ob{P
zkZN|SKzt=@L9C;)VFa8qYnBw1QkQ>d61qY2f8enF;UQI6U>~t7QuA9L=I;SoNJ~o~
z!oBy^+gv{+R`3ha3*h8uROEKuJ{aB&LB_E>Dr!O>3^_!Bf|po@nfNk7&q;h!e({BB
z-jHah(2IshYPo^M3L+}t2MSF^E1UJvvKu7eS4e^79=^zJ8Q=R2-E;VgJ~v>(X9GCA
zEgaSlaCmwCh>F62Z^$|ygadE8A99Py2bE~!a6Kd~Nc_ObK%Za+SCQTaVhJwCn40yy
zWlwa*edVXajOdfaj0oul9KMb0cAq*
zx7Y-widd=tsn{>Aau%D=WI)NJ_BV9qL`@rQxF27jA~33WmBRd{@0pICaq5zq-_To!
zycnEcBOc`K5S=-RVRuiwc3!-|y;8MVrl(B~qe9uty)^U6cqg47qt3+ly)fUZgF3Uy
zh^Nb+g0wW)@F)wXJo8EFgaD`QST{wUC54Aimx7w$e|!-$P^WjZQ2qSI{LvV9p)C=!
zFTan?zT|!*4K6T8@20z(#W($Qxp$#X
zv2U2})r@ATRjUw&r!GiS<$rwQ;OsK!=>aZiNqkN~uwm{oVhg24Hs!hdI()G=5=1V|Wtzx>&ODqXUF3G$*e?%y$uCcj-
z^3M)WKv%_-C}9@SlZu_joH@xt&QOg}T}>tUeT5(stDrS&n;oklN<7GJ@Sc3^%*W(AZ(C&DieKuzTb0y{
zlCyvr5W8lWUij$vs&Q+mEvOFYTA0vN~R3Nnf~$$r~PrX@ut
zC5YmihE<=;)#<^HE*w*bs*aHiGc9fP7BES|s&+n9yzslKk8N?p^N`;q*{0_5y&mF<
z!pVDgGABj=oDrGFo~Y?H(V(_Wk(l3_ta0IzqCV6RzQ^8mxJ3hAB+=)2L`~E%0&Ajc
z_$BAJ#uH0STaBs!Y(Q(|L*u-qLhKk&oW$6yB7bQaJINNn`ib^To|Bj&irGy%shM&}
zJF3NOA)*5Hu|yZ!+}sT-`@8bc()!Sn@I~*kN??p$lCCeVRh<~38PKX{GdqYy?ShR}
z!PhmkFH_s5fx(Yy2H2F%U&eJm)YIFLsDHWsshQEHn9gNWM;ovA$5-28Bjc;F;&Ec(
zIT7hARQGZ1mW$R&*aMHG8SIFAU;F)$`iQlK(ng)us>fze-6)Zt>)xP3FD@z0NY>aK
z#C+%uQ=gNttK^wT{yFp6u&Q{^ehy5w1j0uExIbUo^E5^ZW?%ImmkF_R0vQ
zefy#zj(;i>Lc%$BfDXagkfm&BTMbyt`+5{{yl9+lbi-K@Xpe3
zDMDXnB?;)($v-+bZ)=Or4i5hoWCHkU{Jz|Sza|p!!L1bPy+U~^0xcOr)kjrgC0^nh
zG?RH-lHwYskp-8)4Q1NoVLvJ!p)cqX9hFCFGi0fTT_!j&#^m1Z@s^Ao&0N^LjAV-K
z1@;}=1TL>4p4$ZGa&;
zaav795HNH{B(90eu82$9=H%9mE2Nsdk*UI@Rxd1*QX05=UB)yy!?w`^i?a_+a$S_E
z?iqAX-|dmOCeU0r%C}$~&=MLWl(@#X$Th0q@v$#ZIijW0B@sWUPko)a4!K}Fe9A<8
zk4>|H09HNpp5C(Q4vko-n?h-o51~3C+Ly0_qfc6kUpsL{P}(MwGB4k-WY>`RKIzcx
zz0aW>q?KAxS!5rVo+B}vL`8FALqf6z@#v$5E=TE>r&^GkvTd1zmveP)dj;mKdWbm#
zfAbl7X*HOK!eg$fFV@W{XcmQR!;&H(
z_wy`R5LwkAb7~m($6O|A5<9iYU!_pXu9$#uDWnJrl3rN^=ltzx~z%IOgydRhY@v*g%07+F4Q9xXSQ*1H>ba8EIJg}~ZJp}Vs
z`gM64)b-krU(smn4howq-m2=g=PeBcg~XqZBA?+&h&qs;N$#*d4!C4=6G6SG9b
zyX5^%hTcC*&RbkN`hcpwY{laj$oI{pL+?)Z>4a1P8$>KHfs4JNAu&}&)OAo
zbGe84mW(+?;@{&}LW60x7VEmCh`w2Z0?MWOyuXF8oCYcWD#eIT?m5LsfMy8xpQae~
zX~HKD@g#^3gK`p`aR}3Z1WyKFs)cw
zV)8qkaodOSaQp*YWd*f1`)nquQ?g1=*h+!8RF}^ikfV%`OR8AoO%8;f*$~@PWgMAspXXdk`8$$fG~G1DgY+5U89X{t6XW8_HetU7gOj3)+E?B(`j-P6|)Re
z>N|aw(k8nxTX($av;VU+sBB}l$9O}1UBOxAY4WCtp0lOxN=%J7p5jnQ;MO6Uww0Y<
zY|As@Fvz0yw#QBE=eF{?lDoJ8{+OM}20jYo3q^U<{N#)xc#qk#dt
zf3Lm^VktqDPANfE%fVif+9E;PWNf_(_B}e&ut&j#n;nESyMbi06d?i#5&?8tV(!5O
zL!-G=93(LSx;Pu8zq6N5IB%;rsp^OSC+-8a#OF*8zuV{T_#r1R=%a(^pM6NU#LsCS
zuiN#@afyTex%0qT4fy@1_$O`S#t)(ziDB)DoOKz9bX_lK>*wjM?LZ7@671Jh)0!lM
zjStNVD(p=dj69zNP-is+66YCy&yo9;G*W#6UF_%8=6XZz4hQlrTQR?ZY5B6O?&(dU
z3-$2wU8ndTe)k)!8gHzL70#dV^WH9IbHDlB{p6sk&j6s+nf(pwOXIuv!t4(4=ZqH
z!X#$q@nSt$XVJD?Sog17#+-9Bt(zo)5$gp-R0DVRcU{XQd6ae-4ihSSU+fT&1-nvb
z&$Tx0mJc82H}BXeNPX@>5%M~o8l{}AP~a@h8(#NUB<;QBQl;wcSJ
zQ=r9tgLU`5KfV!{GC4ffRlFZIJX%5gJzCB>Dn(8tjaB=iS4p$^E(woED$`8#NI-xmK1#53d1`~fLkB=ZM~ti%|(!S@A*ucuhi&4vMc8PM9HXJVO-C2|eS
z;ypPuTCd@q0!%tzN$P!0H87ZBVMS(TT{18r)G_!p8uD68g$-Zx?maH;vLWVyA*M4P
z^g1qdb+|Vq{{W>OBflpBzo##88OG{e8P}-i(hs#ERQRV{aknqcr)WEB86YjK5}8pI
znBWnq)GL>uo%dx*lXTPBMC-kSOHBtKi-hLQ{mJNcoyEk6|0#9E|6JbA{Fo6fF-0aSx$zdbZ^wY7*
z#_hYD@3R7aI>)yKnl!*K)Wq1Acg7K$Ps<;s@Jt{&DJS$_8P7|#Dx_T9>U{@kebW@t
zFu8F*y=Z*z5V0gy$SGRc49PRDs#9~wV2
zU*``o^>>YI`YQ*G%nm(pHeto*UPr3N_)O;?quTY7%bI6RmuU8f-E>I^Uj!Ai<(ru|e|w8?t4!Hi=!sJrtn-^M>?2bR1ju@m!ZuOuLsE4d2TzTZBUx4Zev{pnuvmd3ccm37U3wY
zj|Y+|9>mdJiqH?-5)Ir!a67)AyI1aQ7l{3V5|Mk3I=4o?9tFb{#*2LCuc+1*-u#k%CM|!PTL6Bak
z`?by;;!h1h?lyOdeQpZ&FW8)d1p|Ee7cw^m%`ye8Sb(7SZ$ST;YZl`7_l_6wj?3pn
z8zg2JEB_xhapAcm!T&w%h@_1N@#LU5^q}sA3ryj86tI=%kNl=mgz)@Vub&qwS|5lnvP%u}@fkiV29)6A0Qs?T%TW40GD{m&-E`7ZxE;J6GdebEl+
z&*Ex=PyTQ5LdOjugZ~lu-}&#WqJ^FtJag4_7t@3*3bpk(wf&PDGS1SqC3a=am_V_DCNe
z9>i|;#37Zg`#n10P7S!pMsxReJUfQ2AKX~&*h$5nBN^ycSzwzEVq?jlkX6Y^3MkM=
zFf1-c=kJ3~ahYb@@qpF7B`$Lf#zj6K_=1!p8VpjDLTG5kSsWET=FPcw8@o^2@!+xQ
z4%jlbi?8JxC?Yh3`+5uyBv;1(@Th0_jFbs(1H{+khLy7kfX>7B_NcV$E90gfmV
zjg8rho$*=O{KhwRo&kxJJGYf*@{i!hJ#83?6@BpAK$B*x&`Vm7G(^n=_*@Z@2b21i
z1+Q3=(~$d)a_{r`IX-qP6n4hRQOVl$0F94(xz~@m*V$7~X-8%{=F(Rzoa_SAxH_Y_
zI{Q;~iH&iG@oF{^@9hJD)Q_`vfx}##_gtMdsk+R@PVtrVeRG!RDy+T872^1K6pJ9d
zBUOX&{C?aw2H}LP;v9GsVc|d0!%va%)=B5GeJxH|h@1Swf23K+%htRn)A$z6kQm1>
z(TDxUAj~V4;lLowx)1xiL4cNlzm|b-$uAHY_?Gp(d}H9_)CYNK;Nw~$2(LyOKp!oP
z{hkcrTQoFBECfgP6RbQ4Gu{h!pb5%w$%pk=Fxe?{NIQNm?3p&xRO0-uD#~ra$8$p)
z$_OQcDds;=$w~Q%&+%`GC_hU4|D&*!!$OkwaubB{Z~vAGOIFHF(8s?;pd9|+QU2iA
zD+x)I>~E_yrcUt}q*AV^l!v~tk;2c~qTIw6xe0T*2|pTBG%2(4CMNalZ;$d5uJKjG
zlpjSTC*>yI#=k}SA5bjHk7AOF@)Jt&Z~u4nGptktRs@iq5e@6ksk~K;zg3i9QEu3y
zU~5@!NcLgb2oNZxk{NrP6WU7aC-wsVC-U??P=RddPFtO&Q}HrE3i~~EwKT-jWF)AH
zEk*Wbnfj==_$di5Z6ti8$DY`js#YI6N^h&iXhwS^JWa}QW9qt~ekCH}vpr0y6Bhmi
zB2scGAk658dl&^)4t3>Nob`B|1pXU6X5bk`=nbWD>|pXnHk)b=n{^f&-B@y~y%7-j
z`Z$NJ)=mYAyC_Aj$HU~K{lWV-WpfV(XJ0|(6Dh2e25fg$q->7kzo0<7JAH_
z5w93b1%KTrWlC+FC3{S#+RytyYbKVVes{SWDh_`aA4^K2h~2kaw{ki_?n0z)DE#qQ
ztPFmv$SX^gAf7O}0CPZ8>5>ie5{JLiKSp_L)pvWv8)Lj8f=lOc@x0nZjaB^$Q~ipO
z$B__8BOq|N7k~)d(Bf
zc5?9fhb|YYHNG&L^boF5(Ntsdk;+$p${4nPk-@9g{C{5!mc_V6yV&RqZ&mv{7_2&<
zk>2r)zvh2A{73P(#p%LjYh!8OcSbbdZmYaCCRQ&;WJvPGc8|jD%7*65fnLsm{%+Ea
zWFiEq9vzCk5RUC0gdHx1kS>O>S9Q%X=KEyQPQL{r-vVI_9bZ0U6I$ImpTTqLv
zHmzc#qp=EmX|K=EFI>2ho%;sWyl-d&om+=xk9`}%T9^qsvbZe;r9W8@GJI*8vtgp=
zv6$elrF@!qdMa7JU}%EnBS^*U7uS*#Z8M`dI0CGNPsB+7C1c@^lGTlgNN&3Wy*`(dBMa`W7(*>eoEI8xH$bZ&2D
z+njIb*6lSvRPr|#poVv4lHgJXS2&iNQxTT1bci29xK
zN?F*+EXPB2gytpt6Ay-$<+&Haoa6{Fv~{Enpt@dGbUHhCvv2WmDQ`EU0$!F{4dbQd
z-^$nlnE&-YBrnU(XBq@XpLzX_xn=WQ4%H!T^I{fkxPN8q2Y%qrm+um%vtWQvgYf%u
zF#Y45e?^fWs-e6N+W@>Lv;TsgCH#LZ`1L<@02=%38P8G?ybj4{>-!uSpHF<)0oYzC
zvp<>TzS$>ya6o?If%QuBYaMC-8#z+!et790v)U5tH>NcDzJo_OJ2O=~Ge&OqFRA#_
zGDIRW!<6|;f-;Z(sXVEvU!|W99jWqbsPlV%{b`ngq|*?GQ1_Mk=pKaPoo=9{hZ|HT892TT40I3ru@I
zSBQjQZfQ+(fmcBVYx1n+aeuKLxdc+X9eD7&0Y+VB
z?U$&zkAp7E^-Wc^=SPXbeI>ZgW>|NvJ|D8>gRWb<`8sp8?myheC+nxK;j$BojMn9s
z`4%6hJeJn4q>nU);=5I7>B!z;O?x`Ysy*=&-6^`=U2Co$UYA8WW>pSfAK$;eXFSU|
z{DF{K;u+A$W_-V0`f{PTKj8v7wIz0G_wkPX{2S}bfCv579}UPJaI?mPpKF{t5t9(W
zH6DB~jg1u;c`%HECufv&1P~2)gAd=IqPyB7*`M%it>g@~2VKswgL`#at7mbtY!6q6
zqD5}`=WwqA!$q7r#?x#*Qxh)2NjUXn^XgaQ1z-8+@UNQ4ase?S|98~WC=lSG)ixFM+;GGahI{5prdh-8@BNi8>C0W_gcbK9Ib8k~$qvC;DO?DN6cdbCg;}
z`%+5fwaP&=v|E(HF#}SZ|C-nF?FBKOGN``Jr(WnNSl`>ybjnyaNZwcPgFqAsyCVT?B)djspyRz~GZcDvid
zQ^=Shk%%O&(%YOHHZ_&GwyVF+?sv1{oDOaBontMM1u;(wCz+Dn@j~0{5)TCh?Fj}ot
z2&$3st4cQiIlPVoL|w-~W?qq`G_qgv`*qx;2(qCbR3rUYl`Q^qxE&UVx*UPb1S0=L
z)_w#2u)Z7@N44~S;@;Fu0(V^@`$W~FfE0l4U{9MBBf69-W%7EQllrc7XiSd$NVep92>W`?M@gj0CF7%YQP6#`RGI^ZEYULHKjdHUl_V82FO4m$0TR
zOfK8fYKNhe6o{LRL=C(WC6K8)45{JuSd3~pk_4cPdFo4F5QVf*j61!)tD~aZaG-8D
zq6rb(g#%X}n3&UF1wo*~s*6I+A^T?C-GyQEcgR~*)AW`T4c;ya0|F*gvo4frJg}rN
zFIt-zAnOcjWs)j>Z?gM
zp5$Bp;5^vz1wnu~`|hCJ9cz3GVlI=&ACwXpBgz|VlC$%VQ-4{d5|XW)ZIVEvP8s@(
zK4di1UU=mZi4}>C)5<@ogq+n%VV0nG
zF=FTAlm~9RZ8*?}8J&{{z8areeUkRjB*C$2Ah)V#^Wz;ys7cPqc&y`vkTkH7+fBUL
zMU2E2%gw5v#;kKmgEbVmV{a6{GmNJ9*otzLMWPE&VL?0e&3c4iK{ayfGL@p5qbpQ{
zTNvEqIgvuMXNgI_?CX|;PT7~8ubd%lNgeX}p@|2%2yVM}J>vj6D`l9lfPyXQ0i^8u
z?(X8uBV(m&-PgS=1F#)5R~(VeGCFPuAJ9eS^l`3!2Jj>6M|EB_Uv^L+V@Lg{-8?8s
zYbo5Aj(DpuKPh*GxeX$6=X2W~(&oW9+@TuZ3$>A{iW{9QNX}+kZ+V90lArDJE#IQ6
zR#iTUc(xWp@IH)3+91~++|>t*Sz99p?#ibpo^||@gJxk&ha
zXi#eyKFZb8E|}zxK4S1XZJw7Qq->MBS-+?Eu+GGjNc>oI+)4gI3)3TiR}u3OQ|z7C
zxUBqzB5rTmhj-Ok8DA%5OSpqhkuFK+16}0^gcx?HhtX=XyaFfRb#k{NU&u~km1pl{
z(A-gnK80j^{Z7wGMs88^t$|~l@)sX5Jut+UMaTb+D#f{Dh!IGP_sCb-Vpnap5OpP->pcc-Ec^xHtSl6D!jx_b_FH8h16=M3Z*(Y&?al(x{_bPY(q4E
zd6Mt}<*fhnIa+clI5>HN--JA?1HOau)Z!tK`jNH@tGU-)q+v~rr0d;DB
zn}qyq7{Gz+5Er1}P9#c^Zks><`#_@(?}2w(IfA1|#L%~6$O7Ic3kTGJq=;z%yH80T
zo!8d%mlb{9HGSSaH{9M}Yq=E_FEb{FhhA$NTCc4H^`X|s-K1(WFWBiPnZn2aL)%+G
zwbkrx-vtU3FHqdtVg&*eC~l>=yGxK#yjXDwlw!qNoMJ@-1a}VyQUo(4lm?ZGuli4$w-Zv(wsYCZWZ2hI?*{q4X-&yK2uWc@G
zXJ!BqFF$D#oAvNCYm#|v`Uf78vA(6}S8oUHhiR?F@Q!#Ve4y^@w*oV=IBX`^h_8;b
zjQJ9{o_v3n)$IOf5b@bhW8gJtI_vdF+(cgX^QExj@48|XPMBjj9(y0uIBFf-x)W%J
zI=|A=7Be4DK31ob=XGNWK`DgN7Js=YM`d1cJu8owoJ>$PcHGQnU_6uOL2B+E5|v>s
z4HJ8A?b`6~nHq0eu=>GdL5UL#WC*_|IYTuNZH{E@D1+=CQvTwO5vlnaFluQpoKrLCQ!ky|~GTbZG5wKg^?)Xwe
z*&{!DzhLq0Ys9atH^U1Pb9Df&_S{ePYQ1P1=YKGys(C8tU#RtSSJ@{(xWa3~_xeoL
zBJUETmR%y7d~oK}a83W<0(2imc?EW$2BcNZn&R{iL=Tg=P#kzZ*2}W7#i%!`AnW`b
z0-ISqRGXT(pK!^ctluU}Rv`6H&&LaR8S3Wz?wVf>M@mi4rvo&%WXF$l_bN<7
za6q1Tnz1YcV=_Lhccq6-@)V?zAD+)K5i(2@AJT+h#&q5Eel;au4Ip@%D%9#syUaoO
zm+i6oQ^eI9Cd8{wyDS*HM+%l77xLV1uCYd0?+IR6#W7zPSl%ah-Six0By>H4lSCDt
z32UW|=U3?Gb2#>2e(~H=7gagGnJ5kfiDY?hjUNp^pjUDB@eTOg7~|Qf3bHXL53CzY
zdszCI&NfQa?hg#+b2*%dm5sZ{$*XE*0e?yaNGdNXu!jEm
zx|E3@IjFVWnTrYikNcfzDtSHS;2wI1-*D7?a~(tE-GIp007+rRfNxwoyYs8BvZRKu
zzLqhS*n)J%WXP88Meb*o|54KW27CTe|G8iIPx`0T*b$}LdAdG=k4;~V$&&utgaa6%
z9Qk=ZqsTIXJ?uW&iIE%lUN$bOWn7S=V0HVo_pzNyf`V1VtFV7gYN^y~d1Pp$|BGZo
zhV0$r0NSw%CWLzA9fJ&te2kS}D>N`rH+5S-^sNzN*mOh=zol&q<$o_nCDNLdK_Dky
z;s)CjoS_%P&%f3f{4xZr07!(QL}|{Y&?|adPIp9WFYRnwrtj*b#`T5Xo2a7LjYw@A
zRvlF{%I0o(p$G!_BX{8+?z9%f^4^I;#`k%kj54Ha{YJ!$eKre^K#1_kQZBQ6ds<#7
zzwn{Wt%w_qpJ|7gP4$c)b*7ii#dxszVs6|Xd2}%OUKyre)H`Q#L~AH?#CUX*^V^vZ
z9-E|0nB+3)HXrw7H@80_krtm_8*xkdk>Qqmi$yO-$w|
zt}lJ%H{bfPjM+Pw(Su8BqAv;bSCSE>!x=E8>oD4EBeK!;tp@8{D^N
zuH>bi$3v6LAbn;P5r{t)_YA=!BN?{U_ZUg}uV#$M1Q+3ruri?KixHU?2iS|{mB^uJ
z+XSD}T{1Ro>73!Z&^3ew(xHe!F!hd`EAT|Am|_Ul!Ny>zjWg6G6+K
zh!4Nbris5lY|#8T$kr*G2!EoaG5%Aed@bdgy@R{uz@uF<6L?M%H>ynb3ekgea}|SM
z&%U_k`%VJ+RUP!Z2IfC6A-QyMT^n#`=9I0zusQLEmiSBhN$h8-w`@)vT-W|b$q6fb
zLieJFEwPT9zqR^n==wy~b*+uWeww=9#(ygf3@88qncWP|wL;ez`l~^QN$K@54DF(+
zw#l70_8t;-?2eOohj(!f7h&BD^8Jl$xq7mbB@sqTtN~tJ3Nh&t+pgM)<#xpUob!-E
z*~!|7Z{(U2&+Uz5RHKUQh}Q~f>Ns=jWhd(+=E*e|p4%JCI7JmX5&vmMr@#LjXX|z`
zy+bvVce?hd2X)Yot`jk?6P)7jn+y6>1&!9sjPfF;U*z(CwvBoI?ypUTI8Kp->(mJd=nnOen-$%DS}(U{hI1`47BIVXPQLoMK<7FkA4Q)
zIzD+P4*m0%!zA#iW_daCya{&%ycUZ0V*inn-zMmp{>sZ_S3iIJ>3Zsd!sk1%0+fK{G2(3%#*dB0=E>Ml#85j>Ns=i
znJ4Q%%_nOtkk}i)`O`#BCEV>Og3j|dY$kx>6N_7>MsO=5IHnO?4*_9CPVp_>yMGk&
zjnHGu(N(fdA~7oX^lxN$b;ehhX*0%W;UtUc8?q^d*RnHmj4J|xhD`MNYi9JnWdf&6
zv$U6#WoeMBsp2Ou51H#*wa=omBj!ouypUgcH147%G)*>yQKkKXGu5!VJui0z&b~vW
zxjkm)Mo}oP}MyTq5GbdyBH1UX
z&L#I&v*+qB#O3sVCM0Z5f}~rU5(4%t8Crhhu%X6xGu#Zcbz{JmOSemmub1p)J-d0UyoI!eZi
zp+?Ye8{=-TN?kwwtj#_>P|0aVy&&7NX86&>b3?~WPIW^=XBnxia-MHnRdU*+Dj@UU
zr%exD*`&W&Hh!>KELb*IA0uXA-8M#Ei_HvwP`~>E<$06lR~R@zhdp@idx=}ARpFt(
zMeRjqfTPGaz8u=SMYl>dn6
zNMv{U!7xf4d`Db3-AunoME`*3V|YgwocJZNSc${F)tQK&kPvzFgTCOkP8@S4A>xdO
zYFOYP?M^%R2Nx_M(hSUDth^3k^H)L?8Q8h)q2iWsQd%B5W_ro3EfRD(!
zUa6Zn)FcYCoVR(KY+I~8%`SAR|H3FtmZhpYzj`*oonq3y=Y{K?O)&7+Iz<$-ykmY=
zftjBCOLpH7iSOK7*oY7`^QS^2_~;>>k6%8)$B+-sLrVr%iiNJT0n{yga0j&wvVNRA
z`OnrQ0bI_7)TTSVlN0U?*K?t1q+3K|2@>sGn%tt_@yxzWPfI|x6y@lJuecL}`TdRq
zAKov2Lk*tbvJo1oQn21>5=xG;YGT>JojJYwO3@JoXFlTf##F(o_&C!c*|F=03VTa(
zx3ECwUpV6ggk)KI62f_|>l;z73)Mf|vW0=oK2n
zYM&%JLkJt3^vL;$Efu#gc%)+!j`xx-5q&fA5*S<|MRkSckM}Ow4+Y@H6i0WY?~6b&=zx
zbe2)ywG`Q2lYFlpl75XnV;*APHe%MIlr^upZPKl>_UL8mx{jVEv19QpWpV6FwQ%Rm
z9Fb{;p%z7Jh2HQ)>Ew)KA@%hG-On2_N@D=i&#@@ir3-sb>%%!Cb_ByAkMyvJt9Z(3
zcf~e{*@VTb0Y5C1j^mnecuDB=enepV`*f2ecQ@{Kw{nIOT1IU8REXdYop)V-AV5QB
z;PqXshI4!Q1-_-gFN>N!0zQ|lpSIg`l^jYHT(g$9Zb8qOjbt--e)k(m
zx(^%6-LJn}y}r$J__ifbN_e9H1q>uCF#dAU?XmNka@s%_3=K9_<@@-fvON4)Hd~^KBEw7^XbYI|3`E*~4;P%?0qIh@Nxw$$ppmejSxlg=r
z%OcC_yya!*MLWhBM!WHuRH1(MyR1zyR2kR1;o=1>_ib$V?MDuVR_DPLl7-Q>fGR|NE%i2yB
zB~4kjX(R<|zsD|yXl~*DOI_)UGgWB^A?y2P2lCRBkIOgk(JN6AIrGv_FQiYRof&>SJ`!59Xmu-g
zJaux9)Y{;!(emKePos(47EEuMd|flluGLlMDYK?;j1l3=P=DV#I&lUek$tR2@}&C`
z76hzV*>7WNy>m%zEzE03j({MQX_M;Jax-Mhr&fSQ`=)F@DWXiBC
z%klgg
z!rI!U?j3IJxNi~V%PjznD)<{r&Ony%+
z>-+uOl&W*y`tqc*Oh#1Vg@`+i#89GoQ>_u5^)-J0tavTJMmx)A&&OyDR(08wXhX3+
zCkt`PEyzI8E$-d=(aC2F5QE*ib=?F9vZ2mBx*%@+JfVESe3ZL48T3XtAbUfr5B(HKsDcTq!hiz-suLqj11M47^rXDLO-3N+=fv+
z!zftE+$10=Tp-;2miy>)3}Hpbj)Xa_*r%x}t%amX&u~}%wG|QZp2jGiBd_@r3GtXb
zkdhmQDr3o?mD5)<@4}#Fybcg?Gk$3*d^&8
z&vc(*wz&_^pt2z}dOd&O#7UP2CQvufV0u4ZR5mm~^r}_6>~dd=(ci=Vv6XwSu!6V^
zq2A!HoE=^FRHGrPK!UrigG9+yN0nE0?UosKY67vmKwYoYisG&zP?6bHLC?j?4pmEv
zkxdtPUjlHcYrG#=(jczTW=Zr8`B>MM$m;sVG((y1gnJt@BlGq!h+&fWPPo_NuBo@`
z&SwV=<)3tj(xf{C79mPf64NCv9#phzTJO4+C_rW7K!x+WN>fsxe8SPg;@HYn=W}U;
z4km!PDEUhoysOaVyY%@|a1p0(@O+`O{z50$-eAYF7{ait8yy|N$tVq77mTErw&_9_~zF_pTK{8u@Z399#*u=B)2
zEEmQ>!EKrV!4TuKm_qruu8&;20jhd8y7_NwI6_DI5_jq_73tV~+RH4-Gx&e&eMScJOvq8*^`4dhL`hUN)s+y%AJAuC-sAJZu2PcoMo#klg;UqzJXW6Odo~QYhc3WwL2Z$*{dlPN_Qy0
z`2#=iFIxls59k$2liuwNY%bD$X~(`FrV;qGr0o=#5C_3Hr<}r}eMmU1U&8gBV+)HA
zZK*TIH*p8e_hZ-fA|7oHMe*`?qAff`@SXXCjyMQo=hK&z_-N9dFI}DpQPX0Cg;;ey
za-kKX&v+pBk+f40{?-Loh%5t34cjJ&?|f(nFyQ`-@r1;MjS`zH&oL#0qr+PQDBD)P
zfut6fGQ}&$m4;
zC1oAt{whEAP28mx@A1I+?#MN;fk?j_;Fp5!HAfvDyt|eX?>vv7U;9=xXsUjE?bG)2
z9Nn9^^`RM7MNmIn_lWum+dDI$Eoakjcr;I}VY^1$D+osh?DeDNU=?}j`}OiZwob))
z7tGM%_!1j1rSHpe{=zvX>tOdg*gQZmoneb-1KJS|XFTFbMVCNBVP*gSgyZI1sn{DK
z44vqYC-lF$et94nvThzqZ(aV7EU5Y$M2dgc;Wg*|G@c(l%*AIP)CV!m;?@W6!zn5;
z_8zvprW-{lDWhRD24Q;#t8-Ta%rPV%1>rw_`0NYLkEeJtuLXXhH9f^Wc}+U119RlZ
zxc>g&6?W)%Oxt34!?M>7qgb^V`%*ZR1z>~CpfR}rODvNIz39E+9>k55FVz6Okseg$
z(FU{W{PZR`<>>k$4jpxW1mlfVi|BV)?=c&K7dq+8(Hlt@G4EeDtji$3&H%XU(Zke-
zS*xk)A)B3eaM>dgZ>m;wmXJSVZQqaQSl*3zdKc{MSCQFHdu}tcStI%)2#hNgQW8C`cY!R~FB&9rQTwhTr;)DFK)Tm9Bue}5rtfNJIH!An{V
zRXToC;GLt@s=;Pf^n_dIGX?vf_Q25_Yww(Vn^v>kn4pmlY-Zp|;}XGDAEjfl0`Dv>
zF?F^q@RN~*?o%PultI*HaWJ-iM+gVJlk5nN>+OOm)`(7Tf<{yxbZ-Z6z}v}OV7QIW
zn2QbQ2gYcZWkEN3|JFX5z!iFjNn3;dKJAk+%Sy7Y%OHEBHQ8b{u7n|GcIiiTy-rpL
zJVDpHS47N;E~|=g#30mik-LKX9md)(n+9n@U{xkpSdE`$?Rn!qa
zpz93&PAc@sg{!)GD@ISy<&n^nvj^gx7I2qQJX$ow$3XK3l=xvm7I52_8Aw_@xuCU<
zW4Me9i4au=x*8@pc%qXE4tS|F18;LUTITmYq;B;hSZ={OG!3~d@AUguTQu@gZM7}I
z`;ck*e=q-=bNprN!`nEHmdU&iaa+AGms`*eO@lAXJN)kL!J}ns??c{JFRJAh{6o{Q
zORg@zl$HOdw!`sqo%f+pt5@0jZvy}}M~9LIPRWB!tyVA21B@w!g~V
z+tY4$Xg*O{pD+I)t56&tj-%+YFfaVOG7jN$dTde~{QnptT?_}zfT8cW;N{om$BT@<&_ZI@X
z&ez+mI(_c{Gs;z*n0DM4xIAl&7@;@~#A$pIjgb;O*hywC))?TxSH+#o`WiBLu-zV{L{XVW543Lr>%^tz%cn28$@kkAwHAK6k82-vdL
zD5VWOdh;~NA4KNl#y>c-Rp3(n7eW~TLRRIDeiE1JhZz90|16b+44E?=nKMdp)#}mI
z>Pgh}>~ywYux8RuP#_xkJARiM>PAES_vGQ}x?Mx|@OM)#
zH4hg7Xo8SW>B1<+N}NFQ@NC^5BgsET23Bl1R&4l>YN)RanQsAvl2KhFt4B3L|5=h8
z)qL7DZIeJkU+TKl37M2(mFr>XM|DlDy3`pRrudTja}olhx@K07>V*6`4`OzQT-2EuBcX`w?a;p;BiGoa3l&*|GkQh->S?-~aq=p*Meg4}UyL
zM~mwllm&n3BD94W`=CvVVU*$wqqar(0sh0T&Ng2>TIVPqN!pEnbQlv4H=zBu=o4;o
zgr6pLT@S4Iue-Fn2?2#ODrkrQFW6Ya`WTy#;L{$sKaUU)f0!cV59xZpn&~h__-W6|
zAMzjWKNa{tl>b!O|4cH&{c(hV=));Nr~ib$meY5!kIVO0FTR{UR`PkF`vzvDkP-#@kF{{xxi(yk-~
zWX`A{8P>797CGX;AJ?ktX9g4TteA7r4$YraK?6uRwP`0aY+JR2f%4ZDCs2v4AgDDciIY7|wq
zvw`Z&)(A)FU+Y6UgAXwzi*g36308POh7hkE)n+4Y6^;RT?>X^DgH%=tP{EimKaa`BM&L#j;UiH=O
zN2hbW&BkKbp-pz8oU?noMZ4nRxTqmQ>*5qWLx&jqg%3&>lqa~8W?sex_Rn_kr_Rps
zIMwcZUpv#-d)hy434Zlbs6am-YWUR*`e{~n+mtYad@Ow&S~dZhP*%R2-INheA%;(S
z6yANgbhF_;8Nw@uRUalHbeAFLX>dhkM4(!Bp5&;rRv&0<;#|@Hl94edFz&uz4KQT{
zs7Sap<@GvXQ*f&JwCtk9I=Xu`AlWS3Z5)`ZKOP%Dq`5{a*=5$5)B7oDH0aj;lH#jU&LHuR&Msp;SOm3I2}lnJYJsV-GhK
zkXDn|cmPL&Yyqti24U^}Iq8Xu(u6aaGK2L!IoNHtL;^zWs3t3#E;^~sW6vXBBCKv<
zVnG<172?5VM;YSk<0ZFgkHmrH4`U4f52tWEQr
z13isok~geq&iQ8n_4=v-6ceN^wvoU|3GO95SVDO}A3|)yE7N1N^_C+y{yM=J7qvTw!XGK<^@q%NDTLb8a9}v
zkr%U5b=Ji<2xuOhkurLTXZ>(^a^&QW|4OF4X@Kf-&+6F?HLJt>hZH+EY!hj|C4mX*
z>JFRsHMy|DnQYY6+2j4K=(;*uq}68hO6_-lX(pCK-AVY@$$B_3@>`%LQ2IKU_99a*V|5p#wkDO>q;eehZe1z+y_vldluCa
ztftAv>*>SQ;LVIf4+=x~f>Js#k#(#1^X%dAymQ-S?uj^IE9SP5^;$2x=I$u1b2YC<3vf-(?ODW?uAJ_GQUjYV3}P4MRveP3PgXriLO=d%s&7iZ&i&k-Kx5xD#3W=A
zt^8SePD$Rb?aWw7fkI%b0Q#~GqyDC#d{PP~=BHbSCyU#s}8aj->
z#~zVnmMkx4w<+r|IEOa8IX_LhQqlpzRNK?19>AR1Tc*CY-vp3O@wE5(j}(7x*Y`gx
zs_{R(zANB53)tY$Uh{`t2Wre9l5g}N>HfR^#*+^xoO~w(3P)Z|VH7%T6ovm{d6(nc
z>u5&~Ng48d$9mp8*F#&hEEt~NHKo7dx`DIfaQgPt#CX)f*Kuizr7H<@J|y?E33fPNY-O=hr1cuva!GqsyVU&CJ@b>nw3grb`HJ
zUTF2~6_nY7f0T%8C$n38?r;{VoWV$S+bW1<*GKe!&qfpnL7)(*TNBo(&HL?|2LS>y
zKBm&!!r5mTsv`vYg}Vj_?x)BUDO6^zn+bS4s%bn*!q@fH;O2OW1>(e?>_d!ej72)0
z2}R|*QU`zo*9X&|%Uro&_X4o$_IA)&EzozKQ`|{O-EV6fXW(c_5!AAEc#|dx_xt3;
zGJe@~hFk+k24i}6ql;Oh(F5Ro>*oOnH%8a~)&?PL)8?P~Q!NP!4MIZsuToF71O&cz
zirK#7fTo267+5l}TxfQ;QgT#vE1_F5qgBNR87N}uxz*!-%d1R!T<`YmG^#RHr7Beg
zu%Wb}pLSVP=~Lm8J-~a|7xsL1bd7z%A6bW;PW!oC}XJe!7-JN$g&VEcUfF}Z^+gz)VXKOLLG
z!X5J|I!MT=m3TPB48V{x+(AC_mR-Y!$GW(tYPZn7Rzy9^#|`bYN=0=lRK;mh_JlTE
zc~U5uTU);}{P^BTy3f#6q4(g|rn&DzqE~L0TKakCtmUOu(=rLGx@t*tn-W*i^x)Q3
z_Fza*UmBSl*s?g&>FKp72CLD8LxRRQ&VSpjJxcbY3DEgEHnRnpr$R;tmb8t*wnk1K
zgt*7^bW`TO>3wNMc{&lpmuRO$NycueL!H#Eq$`&+z^6wANd(G8DEG?A^oA+-O3U=V
zmgx;r?tN|0``VZagP01#$r_*15@}HtC=F;YbI91`otpFrjS_H;@ruzmEO#)ODH14m
zFrBHs!dLxHPh>amdl&Oy@*T587@ly
z?Hdo1Soi(xob81S89Q&@C0IYtSP_=C_URQJ88}+pXi~NIJ~&$J^#5q{ao~7yyGc9A
z``~1;=L9AW@;WH<$|_nx{<>+ZZYz*+C~MeQ@=#0ugspoZ@|HhD-%^oK_l+oi~-V}8G#=XkkzV}zQZdTKx$*_N@
zqUo=x4f~C$4XkNL9xtAX8WZ-B69cmii9xXAVD-0`&h~X0n0m^Pn1SkfL*`$Zo80_$
z%?74A4ud}Pat^y1tE{U;T{KFM1^cyvnymq1q|$a;twQTf5K{k8W|
z@)P&@l+%6)B+xABr(oyVrRnkh%}H02%sj+4Zhz9;U4(r0O`G#-(W&7nUbej*gc_Mc
ze@C-kmi)7_dF9l1Wlim2y|#oiORix}deof-GKJ(uD7sdR%&)&$_iW7&TGiGyx%s$1
zpV4`sS;K1`$vGgdZ28fn`v5etuSHyaH@1>~wzGjui5O4bzNp;4?_g1nJkzt}QMN^q
ztbTFY+jUs|SYR+JS3FgMJXo`^44oR6k2{Uxt_qz)_)F~1I#1v~W0R=1Giw?rirkB9-TJT
zFA;(C#wmhEm(lI9dai-jxHs9{jH7IzDKlt*F|_Ze>oAF0^l7`y^;tx_-fA6Cd!J)$
zOcc=w6Kc20Ua;NOX+6{mSy2@?6fwy}CzYg=&_QQt{zB}J^J_yxXb8EZaExGGIq!pL
zcTZ%qWZiu@KC_7cOAdNqXWcm-A8$s)F~r1W7Y+BcNEQtDRX}rkoA1^UDa}f^h^bX@
z1+ioRU7&Aa^Rg(7b3n+|c6zru3=oJQKb`=citqU8EZJ{-YuXX0DVx(*UXy#w=ORO;@e#$3Bqm%_;b4xo&#T!oFK;Ch>>+hv)sHbD_=pmB($y
z7`kM`_zSoDn+QpWQeMdkw+{)896R;)#5(hFdHAQhhThNl
zdFs>zBWoel!!*rtDyCm6yu&}_hyT(KfANMPD_n&*xPD|3B!R9Xv@E2CTa+A4otDnt&Ryx64
zI>D)D8%aiO87fuv!?E;;FtwsfB)~Fi&N7PXhoJNiK}Lh$OhOw8m1@ccHuVNzw&`t(
zUHnLoZ%l*PE$LQ!Ts&0w*!yZz7)MA!x2cJtPJfA
z5+=cr>-kpG^Ub~I8>8jWv#O0s8Biz*GK~b;#Dw5uMz|}UrLc|x+q(m
z{0&KtsYs47nN}UxHM5?TgmY?UjVYX0GOzM6O}i_XZl)NFxMc2&q&sIujBpbJU+WMV
zuSzs@2cXT&VzqT~GgcNycc4>wXi|AtP&ucOtdspL!W%4dc$Qb57Tx?My0)_0OPB;E
zYn@LP5oS5)J$M|rj{I!RYCrh3Xy~zSPqOBWPA!>nuUT-zym6W1n4x1N{F}nV8JXve
zEV)gyB%M_Ev}5~|8m_%?s^0?qoo=tNzx2J>7Fha~xi!K#mJOD2>bE#}0jPiBQZEx4
z_BU)f>hF<>kcfO70408g#q{Ramq%k9#JSAGxyH|B8e}2@BOfD4o(Uv8s!EfI82SyE
z&>7}cT?c4CwMj!49(U^qQBV
zPS0nE-W8O;d$j9W{;E4-B16bI>uk-T7?S&Phv9bsrsgDt%N51%8#*^kuW)x+8R+xq
z0K%`b1jMrx!&8ZJ@`%E*YWK`_NjnLE&6nVuZ)(N$hS?1mgik!-agycQ=F_fD?cmy;U=i~sphk70OQ!C7u(J1
zsaxbh;6xTpiri`iH7oo3+V?nR4ZUO3OygziH`HU&p4%isG<&S*+$^ze*wMC4JyS?o^6Te|vlc`#%%N?Pf8*?A39jZ?gui=3;VBrw6Cfe(
zC%)TTLJQcOZ)O*N4g7v+GdMDP>ExRcs0S=?&UrFI8kLo?Jh3Y0XFAp>PhG~aYfH3k
z9l1Z-RiIR!D$FfBeoSB-H^I6E-No@$LD+8v=DLEd*E1C~vcV%x20(ofXQRcCyjz_!
zBTR^=n)LjAj{eRWYphfLFh?%OB=P06=8dKr&bd3{{*K$9VMxG&19WOz!BcTZ)Y0+l
z7TWnt2&e})P&HF^_NM%-2m&3r!p4n@6>Ps-v<+Za1Ge=wo1Vk=n#`uBjfZdBpkM2h
zy|OJbIa>Yv8{+0SY3)$dvG(}_dxuJ1h;#!h)tk3bNrF6~TQW?s;6_!IA
zGszj#s^c@FVJ-=A4RQ_Iv81)7Eo!F5rot|Me?YXv0FhqIZbX&&HiDZa^~0N>o}fJ6
z7MteHqQC=&CA`U}m(MSs^LMu`wrLS~=r=Tkig?ot~yr7uv6-$YShdeFAY(sh?K^J=~7V1RPr8j`BfC`W;xZ
zrCvZByPO*D7d6)zJ)$<7zS?T~erBTJJDi+_r!-@n$bN6J6)Q+rO1
zG!JJ`HKwq8WhmM|8E>kfR&c(i@S*5W
zQc>IIo{xz|e|8Z{=+xgZUdpp?-BG3=S(0YIm_RxMy5g)=tnSio_}1M)u}R)l@w~~<
zPCZ9QYnH*9#TtXVP9(-)%~FkFRtUj$cUY^Xw17aZiR==`B8Skb(jFVBUx|)|7nxpC
zjIJ(UMQ45P?DV@0D=5&xvD|m@$C+c`^m@;2`l}RK)sv#JX(v2|ge$VyPYb#yt|*)P1*T38LR~
zu0NS~-)kDE-JCm3v>s^yY1OwqZaK3`aqWj7)A(aO-kE0(>K3-4(-2tY>9P-+g%-$F
zP8w}ERL(e7%|y&X5^|2z`BVDAdPPaIMOMXyC6-EakY@t(vW~SJdQGNe#dIoEmR~cw
zpA+$V7Y}0*d~c3ix28m6l%_NP6!UU=!@$geapC8?xhklhB?!|J6j%kN-K$`;p=Qyw
z{B7kUEa#plyl_|#y_f~k)N}KGej*Toysl~`*`SLiEHMCZJAQa2QXRmWM_RvStA;j~
zA@X_SH}Oz$o~;`FScaRddo|PAQ|&}n<@>pYWkGI{cfU!H{kwrZ$j@#qun*AwTc^u~
zUobD|$YRw7*MZ&aG1|fQ!8UuB=?<6mwen?3NyrVyrT&h&Bf?=i(PAQViEj~B%wjnw
zYdMs;Z5NSD4wnTP-o5YyBgga<9TCx^mJ^Cne~lq
z88!t!r`@%{=K3Q1$I
zqVKxZI@R(Bx-Pmd5}Ea%@YnWu3I3+7+b+D2(RIsu%DSQai<#Y#i!X((A$qp5X>9SQ
ze@&BNC}+d^yMySJ%IFm_2xLl^Y(QbS3SkgnKyOcAokcx0V>rXn;1S}1u>f-xA2_j^
zwgO1niT5{*7>*Rkx5G+mc65vvY|^89ztFu4j24%>e)~I}_k@7z)b#ByuO!#yNY^Zl
z%zfqyk||ZW8!6s-<3U?z=DfDoaxK6=@FUC%XtTF+Hve_AA9Eq63t)t{+3IkiZtgCV
z_JMoAQo^&8n?c<$$%8mZgyf2PQ6(q|l!S}WztM+mWTYTOHZ0W78g!rWpTtrAL>Y4<
zo9@z=*}hH-BJ`326IBK;Gi-wtt}U0;frZ&C?nzk?&?wzGp(PU0dIP-L*mJgnAj!2vq4Tu!PQ$rI
z^2h{?q@QbY$-`zkumWa*_z_uy`W{U{e0q1FeANYXc2E2aTe8e+k4tXjLT*b00J{Wr
z&mDFb;9i%fR$ctaxtnWG>#p&;Q+%a!$U
zMU+vM!mC==b1{H}?2gxs__#cQ@HH?pb3g4=qM?)el7?=(?_7J>bv&CIz(R&pl-{G-m~PI0)d8s6Z|$UNfu?V
z7xEBy-cInY{CQP$jXG1DFL=4M<&f)Z=}o>_i-mAfg?OEryOOoY;av}ES@|GHAtrpg
z_>nqDb)VU{Z04DlgKg})CL3Abw__j0_jUOiow;_u$awfw3X*3VU7b
zaRgxj5gJNEZR188@yO6!#y6ddz!(VcPCKXmR_Y^!3=Bjd=>sa1))V64?V%wy+6Le<1$39j&6k0Bv&3ne`*j{6a#i5*8&TtZ8ONq3+CNM=fVm0D
zbfcK3zm`5(3j2^e%r)gwF$(hkZK{O4hR8ud%o`1@Nq6QAgw3J}E?(jj*%k3Vj4_cC
z#9a9>SiuliUbNtQXSH@s*$B8$ZW~YFd;&NB8bU;+rf-l2k87MPgJ(VvrmO
zg;&U~$M%b%i0(pn9$d`IT-YkeSSiS?#YgmV6356tr*4pWMK7GCAG?{fcK!QvGn@V-
zXH)Kbuv<~VLo_z2u*9b?m>((Ow7Tg|BtpI=n@rVe&lPGFKIoHF)se5vzFzZ^@lQ-9=Mo{_hKWzMqR)MfO4iD)j6ndFKrGFFmVdh>iI
zheVSoC1ReD*n=aoD2gdrLd9}Bk2(20bJbZ6iLyL%GNA&1F3F(Tz;c^~M0rygkjYwA
z%USiIuzTF+&-~$p7b3viEh!S&P30$<+?pSh`l6JcWU^|W1(V1MCcHpAtf~(rk(SAt2bS^OZ6ikmPlQ6THlh-nIM-d_}sYMt8GIX}g
zI~|WTv7hG>ddtxLr0{t9bmw(e5k^lg;qOS1FRVMS?~f7F#P+>E;7buk$o&EAe-@}O
z!tlu@#3%81sy!KekxM8eOZO;3x0uJ@VrvHYVh01Ckn$VH2rCIj7>b48&dCVru1qf_2OBz&FSsv
z`@cQgc)TH>CeP>fDoQV2Qv0beU!T(Ouc~;y31DrsG_!jl^zHCj%C9uEcws&RUYq8q
zaUPiyo7niFk$S^0cG8w5Tk6Gr%Pmz+yvUqsOxsO?&FpX3+{l31Rf09AjEfCOujiVF>6diki
z!aP!u`TM#q!Q^{ZJl=;-wj$VyavBue}1DXR1f8?TF
zk`pvG*mf}IqNU7^EO5V&K6{$7CB-R2M9uCy>f-mcO`(oVw@5)Jr%Q%R#OUmM(3VtB
zE;c{0_zU3KcmJ`FllziPz8dXYQglqDRZZTP7~L%t5nc>Wm&KWu+cLLg`mStlY#?j5
zc(;-~Ua#^ba;fS_hKky3<;D;#YPU0rX4+*Tt7zLhNV_hqQ1B!$
z{q7c}l$P<6|GYG4$}MH^^V!6s<%3sk$$8aPO+!rZ%4f=0v$=
zp|Vskheo+Hj@|NHYF@o@F}j}RsF8s-LwCnebtkVT1(!l-
zCekQCC&T&BovBeZ$-~Uu9N;pv`RZou7wEJgBU{i`-T)=ZnAy+Hc=
zd!uS~{lu(RJ(?Q+KdRmWDvn@@8V(RbaEIW5#ogUuad(#h!Gi^t#ogT@IKgEhxCHlI
zB)Ge~%g1}~*ExN8$9X?PgDMOma=P1!~#-spW?v(f$gJV*m}ubforbmj7A=qQ+OHl<_6*
zq5}tuWbN*N!~2Y>0|&cmX*jst&50=r_J?3ia#OTKlyj6@lpA6orx!}yzQ^W-Kse7C<-~KFd+Hqm
zMW212pQKNxe)!qxmC%`Y&t1Wp#adWroDbPk$-VH!%hFxB!*7SoGorQT&V^3C&X!Kk
z&WBDiUt}MV2fRnT2fU{dUpC|AwDXr^{Z0Kt{oRV&*?Svb*)^>-?lreHmQIq+oKC||
zV_#QcdwLF=rrJy$8a*0a8vRn8QoT~$Qhm!Ij!A>V59JY5u61SOcl7Gx<|B#WOO7@J
z%Pm-E&WEMTN~kH))q`!@a_#@hD=zuKnk9mo-HAF&ssBwZb#9{H?7R9FVM>{jsVV`(Mg3x
zE+?+jx0z^m2h*mnBevowR>Lpv5xrd9hBYl~oC!#P%Ew>5zC|pPX)^x)CeR}CTc@$#
z%^9RoM;i_NPq80;vi(~2O_gYA_(iq9fUgN}ye`HnmPyiu5of$Ewxbt$lb`M69|O?fb$3&yJY9)Bg{Ip{TwbOA&B>FGR`w3w#>I
zI;jzD>|%tx)=NGiN8DO+kK`XvE#^r#b}2w!*(IMwaZXqY6IKOvG`f1;Pln!W?N`Aa
zyyTfJjh8Vp6Rw;eb^{v^FcEsz(I{
zb6nWq>XtIsamlJ9S{uXa|4O6y;8RxBqf5!Ecd5GJT?ech#RXSal(~8q%vnU}?fpm|
z-CCnb8?;Lvoi?0l%`bC>FPOWrN**=i9ND4608ik7Cm3vU=xlQIXIdFmj{==fS%Fm?
zggci%vB#@hvISZroc|e2e0_hoq=A*0%oMp*SoLG>teXrc7|)%%STdCQ}6Ev(M@-}F;RJy}4V
zv&|@xiK|hyX+~u@m5`p^s7s1Z{rzHa085Ez`Ey#7Cp1#`ZN(rny#*y9KK;)%A5HOZM0_w2*M76u-d_`YD9rBR
zD^^UVTi^R#=gL14um&d*ZwO8XLk-lL#dy}X@FyA^2KFs)X!j!c61lh%<_%-@K+3v@
zWt9(+0P2~u&RbC4)Yar;!a;ei<^m3
zxy?k%X)5_!0+f$+)7C~7U;d{3nxM?AR1*mQWdH4tmZT-gN>WaGNcfIDMIuXta2Iik5lc!qmu)hMw#H2abKSHcY%}8xyS*0^+dhy6Yo`m48ycc}>v+X)E0#RvA_$T^TV~$l5?-YVL}L5ENjsXc}hN
zlg{01kN4MP({InHv=a-}Qs!eec|tY0Q*Q(c-1S?+?uIq_6>x$`3%+~=vdOHxVB;L2M1I4->CZ2w{q#`qfExAzyhqF*ePF|AtWM9?;cTdQ&Lh&-l~Xt;d1db^kNBRA9H|I`^@xW
zma2%Y?^X?sK<@uV5JSYBzO2ET;pQVLmc?EC#j@e%5h<4OUHpA(SoHZRd*YP^B~McLJOHy!`kQH7
z^xiIeZq|^;4~ngpi0C~$_S_(>x2Aa26>%w7WP({H%2#{x3x`rEcVyfXr{;L+LrA{vXRl
zjqwEjj|dP`1js%Dq%Zfpq_w$5iuHy!#8;dn*~y3X5K46!!`&KH8zb3iPkG6dIMkf=
zE^R9$GbK2D=a1{-V<5m{;M6
zKNwNH5x^!jMx;J}saQkr{fdP2zKEFgC+teMX+F!BkFlQygVaA5tbj=Wd^SLp=+t=n7vU`yW(CORaTL-8bM1E2m_*ir0aB=pz
z%%3G5GyG%bMOq@()^C?uY=P~99=TkODYT3mJ_z1??^}aWb@25kk
z3Z_^uTY_V65{2||(i*92-olH-^Fdw)gNa9!>^AOqEinb;&
z{ysL8o>TV~kXpxBNN=V%P!fGY;3}p(MTUY<*b`{-{#Z0AHECWq?dj|h>nRKxL{LV|
z#T8`nP(8m~=jzD{Y(_Xk6aM1Ec>nXff8DmHIf(3|2%;b9GylD>;}1tuR!jp-0}=!L
zWvpdPHF9HG01hG-B5r7;IEi?U#EL|R_=|*u_+JTtL}`dr$UrbNVhp+=ek&Cx`A>)a
zjVbJ3mJ%#sM(74Mj(T%zMTpU)|H5y~ZQO1sZT#5y+w1!`s8>2H
z4m}S`n8C;BzTkXk!?u?v!~uPc#Eu^y=*vYy}Eb>c90mZ1VP7hk!d3usUpB~0O>K1!^-(EVqz
zlE_7Vv|1U~kUQkXeY8{guVHokk@aZ0@<4aZ{5?=j9+=lwRtu=5I2T%3rQ1eP9gd3#
zbfy@mU;@|!NC1WuLKGbUIKW>D00j+jB0M@aIwm^G0JnwQ*><~n=p`W{fd()sO)b3|
z-A?wv%g%IZVJ>CvW-dmFr;Aq}Ss7s$X%{zR;a&goPAhNaCgyf@e7lfS-)2FUy29hF
zatm1)w9HHN)w=auz_&2Y^;Nu8Txhmj%Xu-mHCs@&>`H&pyIoo!GY2KUc;5b7ShJiQ
zH%iYLGD_&+_cpvuJtpC!A52S1z#g_vR8Ln=o+dAKQM$`E;(Kuk-A0)t$Z*k{D9dK!
zOWTf~Y+>F@%|_(A+ZD{dlALJZW7%uZz4|c`#+SFNF!?}jsWtJO-OnfQOz&*t%)M0(O>Y;d_rMtH0Ycev-aK)hzwvY&oFiue0=aZnC%3>HczE%a(J^NC)}d+;W@q
z*PEOlbp42wRW_owU(~{+r7FSi}88TGqLP((1
zk=2t`sa5m7DWnr31}Q8Ylva+&#T8=lQoX+1=YnJvG)tew3V-oseEfOczi$g^E+mr_
ziSQ$R;eYh~`QxW4C#E5$A&DXW3f4+O>7|b+foDQHwP(mXH4n)p|DNmQQOZ9N2btCL
z_5{z;otP1#BzM`>`}U*DAH!Mk?hdPeJ(ahGvhJK$-)zqG^NVP!?(0h+ZXU4=j2p4sZQ)kUYJ*W!R
zjeCCD1QaBJ8q3WKS#JyyIF4P6^+GHCd-R#NAhxlvt}vr8rLd|nsIZ|htFW{%uCU82
z-Ynd#$gI*V(5&7p)2zfS)-1rR&Md>M*sRJd$gIJv%`DBVX3Kx8b}N0WsPMN6(+u(v
z&K%26{6{2-kc(ag)1+R!kSgRQTsOvJwfT-(ZPT@0n2;dkFx*&XVr||!N4bsbUfqx@
zBz!z(Is>CWza0%X26~x71d!bEPZt&yLNG%+AgB%r4B1&rZKD&sgIc;_Bmq
za?Nq|a4m3+b4_y%g1f=<;4v^1JO}OpFMwCTqu_t8-LCVlW3Eum9j%qtw%E4LrIXth
ziPJv;_ZP*r(xdVYFrdSrTTx@US}dVG3%dT@G;V~C@V1IjVS(ZjL8
zG0ri~G1$=EFyAoN0Bx9S=xJDZpV2Vd@Xw{&W!`1X1*)!DiFfp$)hhUHQNI1ZHa(n5
z{>VB-ZO-+dL<-=!)14YESNw6f@Zap|{~IZdAIFfZ^Uk#3by2zL*^eBRhQq>Qq}g8W
zVRn(aNz&gIb%#sFD6HnwexID?$>qT0U|93_=;E=%)B(CQv^28>T^d+gT^e4RUHZGU
zv@|I&rGG%OL9#`1mb0C6n6r^{l5=LbZFp$7VYp>@wz9o)xN@+vwQ?r3Ep#ZfA!OJq
ze@q3IKTP43Z>I`Kw32Nta*}OG)S|MN=TH90e4qtwC{mVvOBAD$kdsP{X39`uZ!y;!
z9!un-LYBizV`R|Pt#2}y7~V}hp=y)6O(mw~GjOilHkVCNzB%aR?|c+)p4>xz*zAn1
ziKq#w0oUZz6xKx5wAG~5)HwJ%)H40SWYw+!Hv?^XHdUl
zIC%zn>Eu{C5@Y`IpEd{4(1qeFdHfV+CPUTMlApc@CD5v30r|V+Qx+i&uf}W118Wf;
z1<2y7mtX1H5&C`MYhzbkS4LM#S5;R~S3_4;S7}#VR~INA6b>o^Re}OR^`J~p2`Cm6
z0ICCJfQms?pde5Ks11|`s(JH&t9?s
zhB%O}MbZmU#+?Lz5vuks2mLkI6<}WBi9??qVDvvobT9e4=L?HSP8|HPWx4<7&p~vL
zG6naH>-g!?A8;6Og`SKJ^Md9Ghf$a>$UOU|`Bf_N?UNNkDVtRza116_DuYn&zBqWF
zVTT`46|~dbZQcE#<>!aQ=@lvh`>0zEVn)bK*7N<$i%X2Zzf|QKYTFw*J@50-nT7Dpm=d*wfNx5Iw>uJK*0{C1r-)p!w;{@{=WYIWI1OYS>p$eq-m?FW~F|~){}e~NU+3~`}!Ie
zkW=;iEW9qY4(|T`XK|GfAAWKtub_#hr9WbP3q!Tra3%yZxov+5`zpds6=Tf11*PrlU)_TfpNYWjFxJBWI?l)v&r0dNFn
zij#R~U69tvKr7>!+JH*dA5C>CYf40InfHuMpQK{m+8lY-Q=KJ|!?J);=0{z+U^6$6yDL>9T*PuntYtin^DR
z7lyZ%w^DtD%>_1i7i;JX_Rj#-hJU7Igzd6?Px_;lm_$=$c_AbU&Eu4i-5r!+m)%L)
z{l#^ycSPSMO^AH$U;gq{8`djDBIWDRfXSEWh#a0z1D+=v6
z`^8x)7U*^J$)Gr+9!SVic~iuJOM@Y#%#nQ7Sfu)^H6a(L8|Pf=tL|r=F00(jM^R{<
z+GN(fDOxGNARs28tR(yJTzo`?C6oOYJj&*j8m#fEf~;tZ!Hv5R>_g`$gBJTymhm`X+P$_rLS%-VBwPOzIX#qxc99-oYA;md3BhdMt**zmHGReS)E-b1^j
zrcVP;#?fW2+xGf>`R;RrXDJgJCnLmJcviLEKtAYDF=VBAN7@zpddgjFSEi0~ZB8M@%sN;%`4M
z_3_2o+nts(-BiR9riSP&Snmyi9#i7o7)T?ivvd9q_cKsFrv#gC9FGqJwkq&4E1oOf
z+QMVB=rV)fqc+vicQ68Cp38E?_S5e*4$
z_U18J+z<9xFPklA6r3me;?aed3kyRIB0Ot-99SdI>U$mX%peags_rZ?VS>e%9Js7)
zN3}hvdcCf0a($dttZDBg7Ski*i4e0VoBPITO8GBdMs@P`m7f$Hu+nO^(WIpgCr?Bx
zts2p}+zV&mawb>gdtqAd^(7YfVqa48)JWcEFM@V{tcPLcL`~`qf#Ux{sL&oBYY|ja
z^OOnS;NPiHvJDVvUe1TR25k1u{tb%gy(lye|60M&CE2d?!M;{zdSuv~T?29oRU2a|
z+TW6hy3m{^?mM7*ii-d1B2rYo7wO`V5q^kLZQjCjzPvoC`ZW9Lgxq#o22WK_b$FGN
zPDyx4DjyQO=ye47b*uurbkC~Ss_)+6UY8sAN23>qN0@;Hq&_wCa23MuX|>dhfnSOc
zCCL=)8Dfkh!5n_p+56Qd&9zH95_3!UT&BL!YZkm)E6FPs&zTz{SlpI>W7cqw@$D#V
zhvypp=`!4gUf51H5p^BSqiy{QI5BsqBdcqUS-Y`A_YQOYM)sv^;uuiO-G;fgwi{cp<4h_~HGhl#WAfCr)W#E$T{ggY#?-p3jlT_TjY#xZH@Yw@gjh7ogQNC`TO6>
zJ+$eD{GNUr{673$&8f+&=l%MjzbaoV2KVQucE)x0%Q8ptY%04qYEkA8to0YgDW9nzN{0<00ZiYAHr8
z?-)^c2W^R=$yLsHX{kv_4z%RAuPnK
z%%ZU2GVaQ4`y~aGc=uyf_0@B=u05_F=$W_eOU*n{F(LpsT#8u=0X%ih2M>}q88eR@
zkDq9V%QvWM0@a^pZ{0SXy}h4qHszjBZ%;SFZb@(T`)_WSPDC(y=Fe*Ha1HC70)X02
z9k<^7_P3_D#*sz~Zw=H^ir(`-*&V*>em2!KppS)DjRlCK^Y
zy0=d{v$-N1poqgE8AE55ZUj4W
z7ximu@P7wgFI_Lq$gSL$-yKTa{5r(&O%|3T`5gxtEc<(naDy-z0hM5HXKeott27(NThNS(|~
z?k_*;%e^r7#BsFYOpi=X%*?oqP|VDr%u5XCkc>oQIoF!WoKKMM73%kKp7j4;WsWD^
z0(mqwnTbVTv#Hw7Y$3It#G-BVHid*yK+UcFSi>K_QM5{Q#UHSacn`NB%05Lq#W}@3
zMLi`vMK{GY1(*_;Vqs-fA^3v%1^WwGI!-!aI%YaaI++fR4xtXF4z>>2JkC27NHC8*
zPsaPsfys->OR_EIUF%kBG(~Xz39iSAmBfzN4$ltPj_4TUnD`j)nBW-un2Z>Q7>k&I
zm?#?~n>ZUUn;;w80KK~_XjL{vl{M;b?FLSaH=La#!q
zLbgY-M?Cp_f_8#TfeSUPktlqQ%a
ztTe0=6iy0qPXffCh>y3S@vh#VDYH;)sF>pidz{
z(FS;;KmbTn3<63E7=Ht8fk#p#|3i|JAX1PLNGgOIatl#{R6|H1s}Mg(0Ayr8d_R5v
ze!pmcWj67U>~|4xu3cJxL>kAw?DC;yZ^fXYag;7v48L-Zov#}cJpl_od+)*
zXm+5prPH8Op|hkDrn9HhtTU;Tr}H+SKOa9oG(SHdJik5PI6pR@Js&u~IbT0NGQT(<
zI=?%AJ6}D&Iv+50{vY%}371%SX${$j8)2*2mLF)5p-q%tziw+Q;3;_}S!H=Go&}Bao_5
zvPyC#7_cFGkG&zu4xxo`Lf9eH5Mc-%gbMv3
zjz7*mPCd>zPCCvbP9{zy&LGapj?d1{PR-89PBMr$$Tmnd$S}xSj$h7R&RtGf&Jv6l
z%oa=)%&3$rrxVho(G=NHdQkhNA($e|B@31TD}m)*67*u+i23pGC5zD;gH;f@xGrO{E
zq>MmFokm?`YvP{$mx5r@Fz0aNP~$}7=+CjA!#^jlN3O?FhEOI@Mx!U9M-|2th7~5q
zM#e@N#~6nhCo4xPNA1S!hL4AizmH_#PgV~3k^J~|X_@~vCch`{r+Z6ZW9ZrtARzh=
zHWt?H(;8^^pDqgx?*py9LFy!TU;`}g$9omLh)KT~L7JYyj*&BeTYqJ9RS!p3-daE|
z7xJ~?pGUNj1ru@*jwcqaDRZquYGFI#qr~D6@iy1+#A()3#@hxf*UZ(
zzsa(j@1sFXw(=%joQ$#$+E3{UA9z3k4osV_RqTOgH$11!A3b<4+88veAyyDfxYM4S
z0ZAyoD19<`9R+sPzsU|fkV%pzbz-tGfls_r`2p
zS>;l0dm#-_L93|HJNs0LcR||C>vdzZzNLn~9Q#aJN3gE24(IU=JK0m@RD3c@bKR^Y
z9I1kO#A}(0@VRL{8y3OE0LMR+kq!h8EprupVIxaf`$`j|$FN=6@>V~a#*ZC||q*UHMIjHzppzY{a_LL{cFqGy&HIatNZ>
zBNMBU$TeMO6q^Xie?t?#u4PA+sduWIL67Hm;@~w}_9i$-SQj-r7f8Uq$}vWIlv@Al
zXxCj`CR@xI)TGO&O@1c-od4oc?ky$O})q=dP9mfuKGO6~@7(oELb&7_T?qZM`m#Pth
z5p2=y168>Kl!KC-?1QX?_!eDM)grx4P0DI_l)t%p0+{uKg}50jlqN?^J%gxHaHLAq
zN{@<~d>nrKkO3NYtUl%H50LrpUsS_dxM0PA?oD>hQmiY>fIJYM0~5BL1Xo8*ucJ>O
zgo#z~Gr%r;pyQ=@^^Y`ELr4_#(TivHWA@`*w25?4t9^r)Y>UnzTcz!>a6~QxB%b0^
z)hJohqBvE$(3P)ks;Yi6)-v#f;%N?A!Hs?S!tl@hd4|Y_-9}7I`3{6jYwe0c)fB=txQeU{^4ENu0>4_
z>uw>wwx0UuPl^@{&OiP@)|#2Lf_x%&TdVWIkL7D)-c&&I*GZIfHf4BgqQ$IiSTdnW
z`Qh(y6R^-#Bo5VXBP`$eJiF0~0Fuh4aIbEu^>}#L2#U7Aj<_a+sEQfwe;f3bENG+B
z`63Sl2K@>+I;eaHc=etpv*$-DgwB}^!q({Zw6O^}CJSRlaD0?np3{03_v%CFqcLX)
zd2{6fb6(@d@ZWqXJxhep4j5k59j7WrjQ!OEvWipDV8VX>v(LBm@5JG({JG<#7otk7
zn>B^f{+TNJBdW%2V5p*%UV3AJsT8sfd*E#gxI1j(mk@HPFT%;tkT{V=6$I(FrNoWu
z=@~6K;z68UqA9}z?>eu(4Eh+@5zUVZ?$@K+mAm>zyg!<7#dTzqC?sa9`;lwS|8dGF
z)DC@KFWRd{6c^_8nl=0;8%^e1c9)hnMfueljD{gOE6_(ukno4V&R?_+RQ+Pw65ovPQ4;Sna)K43P
z<&E+cJ&SzG$rqVdMlUuu?HKI?&|za(1}BGN%|QPXF)Ob+<^oToA`*(ZucVTQ!G>13
zux&Cj*^gL?eyl@r5$HNlnX+$#rBK>7N)0AT2BqC>I9UhxM5~sM^%^cCf(Wsr!-!}L
z=PeeQ=`Lvzp0kdWov>LW*9gM&rVhyuR%m(8enqOHkKLC$5pU-lB|h$7Ulx_ZZgi#K=HH49`Lf;ED+s#2=9Aco=+C1R9k%lxFjUzh=!U*knH3ze
zk*}_Z+0Tu^^ZFSAgDZ(E9yIaKl)+cdR`p+sdBpZ;!_HYTw93B5JvI>=7^3Dm#&8OJ
z9yX@gThJTtNOp+?yX9^D&fXi(#;Q#--QM!5BlMvNlUU_AR#adJ(aICTlg?m(tYUF^Ys{XWxq=sk(9NE^wm=mJO99U
zP!UU7>N2ywLHb$z9NFbWWnxysaxeJ;nNMV5BR*9p{CR!}s^4Ja)RZ#Vh-Z!(lmph)
zL(4pis%Y^Nlj-zo7hts(zvRN~t&kEnmrDKQX>mclQZ$^0$bzj;>GZoua67E@?(2C@
zy{cNp1s*h+_VPNhEBU!&JBdcPs&|_Qz(VU2RMM~1sdx-lT>ISdM7?$<9`S1P*@2Sm
ziVBl-%KCwh^!Xn>~Cu9{3vknsPa~Oj<$ynDM5`Pq(3AO52
zb;^>9(0B$-cBzT>?woOsHPc+9#db3GX0d+~5%itzt!c7?U$wq6vUL&;-A(BT4`KTGF+$fA)*O(jIfAK
zKdIZz11e?psz-+gH25jdE0r=AJD6x
zrEc=K$=Pn&w?5h2wBEu>Z35neN<`U0sHH1~Z)$JFTIDP=Y1Vg#MAstLX4i_3-|Z`3
zOFH$vY2V$vi%j%-I8PvfG4M6kNvI1tMaL!!(~iEnaAxf^gw~M>B}CS#3A+SzM8B*f
z5>kn*QxfV`E9xO7O<(AUkm-qT=!t$Y5-|u6anTcvA8Bx(Cnj(LX4%yY3$JnQV%QF|
z=C#bm?rL8Kc*!hi=B+~*+=`pjl%42}sPZLK8lgJY-)D{|7vA{oHjnUf%WX|(k8OA>
zx_&4TEU+2)YWMPVzme{Ti5eq${YlBo8ERoD4K^rZ-$@+5%pw}fC^?&c8%TdOx-I(2
zJqNFj{2gb^1Rh=)f6Nk$gope7!iZT$jegMYX8yir#*AlL6GhW_tA}7;!Y!{~WB-mM
zq3zLm3bG`mjb!CEe|=LcDMHsq85s#s%LAJqQ^X}aOCb@_Srtk5rj7#=7kK#>cI0vP9p`T&^Np=y9CRwyB$iU&#!u;+p*
z0Z!PUegG17s45_b6>2?T;{sTS(O8nXiQeW+{3ing0LGZ_S1!iH%#6uYMbFI1kVMZc
z$gD)qOw0I2&#cJ=MRWGa0Ae`jWU!+-7i6ZRIj3b@8lN*=a=G>dZ6`eEvac%n_HE4
zR42NGsFN2&-XQ5J#H33$X5x_ak%V7XjE5?m~>2ruP6NWplTM&h}Tsmb(r
zW<}fcYD?XNl^c}S*a-*~DLS7g)YkR8<5UQLe(k~~j+D8ffhOe_?`sqddbmJuhtBGX
zY5(M-lV1R;IBU^!y)MFL5>4N{9j?@;wg+Ss1xySHg)Cww~AXny*SwLjnfa#
zgta);pXaIKCZ-CUONv(#${|#cDOAOJQs&P-u-TTRt0svuT=_EubRi^8ti@%68CMdC
z0-_#u$&rI|SEX&>e@2-=|JXw3PwLG@J+pJe*+m+QVkwvtBvs$kHCT+k#gJ4Tlr+%@
z#ynHlywygKlLrrlmwkp4Wlnk;BJRePA^kh
zmo8@V$#Q>!0igy5(<liimu06`Q+r5gNLcm07)WG<=+||@()hnwm=%a=;nsho6P`gW)Z9d?JU6Q*|+eKRbOZRSiZ
z;x~bee3wV3CDV72bKK^m6Wa0DEQv^$4jj2ont&mJd#UCc9osVsdA?^^D1u3br({yI
zmo?6T?ffQm*K77S!nWx3Ai$YB;0N-v6kyOvPt)>)bx!Y(91#X2$JceLuT`qZbC
z>K5*tEifI#hWMg_eN|1pYp6KZmYMF(#dc=%ZFRP3#r|Ca9y?+H&zIDsKA9Sc-oVrzQrI1#n?a6Moung8AQG;Nz)a537DNdHD9vg
ze74w6l6co%tbCcAzq=#bu9=_aZqxcT-s!SjFi?3VNNVG+#61sOyB+IBBoUpVcYfwL
zT!YKsC}#zHc>ieBIVf>I9Ub_XytDm$0pqeGJ+ZK17fZksub&$R!jw2KN*)9?F|!NN
z&-Nj3zIa2iyUITYAqhqX@A^G=G3wwE}#wG=DE
z3w!exH$X*MbI(JZ6W^}<7Q%)!?mpL&fFz6GgX|t#76RwoNcIiiZ-a@upRLG+{VkU_
z^jfMg(<+qMfod#0R4rQE5B=W5yR4njdcvjvFVi7pf(%>>>&YzWW-8D0yB}PXI>)XD
zsH&TjwEfLBt+(Ibs(g23;iZCpq$>2Q^ctz7cvZ=v#<0THw0$
zn(vY0vEfnbW%AMZ#{Js&(fg6^h2y31wZ*77kIn?111Xm|U7fYr#Hfb@{t6in_qoKx
zsRtQe9!U$gl37Rn9BJ#ggvE8F8s9eb%C*X=vl@Bg-%GksH>v50Q|2jJc1asi=|O1y
zv2|+#uj1X;2}sN!Un@MXbhGM04Y4_BSC!OE-y^WpDYlw?sVD1da9-(^H?O?!e%hzn
z88L5ik3sPsw$r#Jnhe9wqSlJJTE&m18pl3)XH(Cqs$R~3hM%qiXbI7LDBP!Rr6U5m
zLku4p{zzP_b4R=ubkzeAt(wV2~$#NA7_mKk$Ch;9jZjxgu$&D&4GZ`_Lz2Pp?*Rx6V75p%0
zhuWZeYUg07e7fNFpDgzKEm40p?)QKeeefNOcC`%&Z7za6Yig8AT{VogD3zv{E
zh|}8luig(bN9jEo>ef+^MEl8j|1yU
z3WH-qu9;_*vHVuS#`&nN`2uQ=$WT@k?D!bEKTqvUnx^F8nPoAb!lhxc5`sIwgd2aO
z6d&r-7!$|UDW~(@nz9x>RCMy;77YDB{7Q+$_J{Ca0iRw0;D;p3^63uPzF5|1`Pl3ID-SD
z06(iHuLQ3?FN^PH5n=$a*P>Um7u>7ZYu{VSQ6CzIa*WkU{@hm@i8X-ygeb9m?#N~Q
zNAi!H4n`)gMIb#69%3_cRLFnFTJNk29%Lp9_Q8#!_25Ya?nyYCCEx
zYU5Z_7Ua64dt;Y|z}c>_nQB5t&qG
z%3V54`GsS871MYk)v(SynAJn34`$PCnuRinOR
z@gS{Vv0SOk%)NWV5u?3?QIprA6K*jy_{r|C+i`ysZ{WXkZlx_apFo$QGFYHGBUgUO
zOenu9J8C|sTq%ZP2|=E7R4fL88GB|Ax;;914+{qovRE`MLrV>j-04{E)B+_&>E7Eqa1#p6J7OsjZ#
z-*?cX<0t?nyH(Pg{XRy|E7vogC@V9agQaXx(QeCN}M@Uw+h^YcSVHDu#8jsxt4RfNr8fi;*^(5DSr-EpMe@{4u=fQtZZ)Nuz!?oQ&-XV|UmGqu}d(UOt;IEB?csC!CefRwTLo3R*r!LpJ
z{$AeyHexnc7t61RMP=I-$5ptWk(rpzmCquqK*1HZu53H&^IjpG%`w`-KhWxn?YGbwb?j>DCG~=OQ5{z&)FE|D9ab-^->BcJ
z1GIrQ(k9wWg|vmX(&Or&dQLsBey5J8qx2a0HC`QVH~E~y-x+SUj487RQ*-`O?{|7Qt#2jw45HH
z6||C8@h)LCt)aEFPJOKYu0EkWdh`;r!tYrs!XK^&FRlhJL(e}wTP~&N5L(h`wO(yd
z8)Z_Nq;4vnu3Tdk)v&)6^FA
znA)ngsmHmuC)AVbDelX#Z5f=DWBmOb+ZTdj8#CFdb7>hgTelC@ed}-y+ZT;%#m0u}
z5w#AD`2JLWy^b=}DwU`5)uR+rE6cstSgqEmwcMNdChP%jQL{zk*rE_kU@I~y7moBF
zEB)711*(v1eDRW6r=BY9nMbv<%w5L?*3bgB#P|0zw4HX)PI{Jh(QYcHJ+znhh3(;y
ztvK%~@l(W07uu8whog`Sm&dgXQR1Z-vGO{xvaxuniP+jS?4`1HKNsf$$BXYP^$7b?
ze8S!>IG+uEJV%R{?xg8#(Og;x!`D?sl*FVO+x|Fv=?RYRHGJL67;c_5yXa%H+Z5B^
z%^tJY>@)k#0dvqiXP&ofm>1|1^CEp}UNVR1tT{}d(dYC9uSXB@{Js>+@G!6LkMJtG
zl2@pFJc`v=gSA-4tLl1Qu{QDwuo;EeqW-M@qE4!5>MoU|PN_H5@6}uCZS`M2c)-bO_<0)6vz-48Taf2U|GTxy@;ga1uHw3|7HV@v5{IjKeres9hy&ZrX@rTcyFk$KUv`a8#=GLKUi9q)bL;WYcsk>aen
z_`vb9j$qQak3b%eryBbz1<>hw68rN`or8+(t2MYvZ`XTJojr9Jb@efQ67}?(`d#+z
z8GQ!L^`{Qdg1r`xPEL0x883dV?)
zW1WG{K#X%jP6*?jCC(CrIC}Y*Aa-XuMNScN#QJG$eKMv8PX(X|Nj)qL6i1CHo_7PCsTcL9K{Sl($q-i=Ib2cXa`mv7_fYw~w<@F}u1t&R
zARVG3R6?id9Xd^C=tDY7=Pb)|tx8t36=TI&4Xvi!zi(YUx{BU`TSP}wo8+XxDbD`0BQDtBSTpU(vR1HPHn06K#hS(e_-=
z_}T$Ci+1E{*VjZhTC}sZL9~loU9_vUS+tv5Lo~^~O0oF71o!JgOnC;P%*#W(n9nqVa=vH8Mw$?DaxRsb)tpa8@m-q2(e??{wYaO$v
zwU*h-{v9*ft;xLAKFS7r*O8bjnr?0Jl|FJ$`N|%6-B-7@dsMWodrUOJJuceLEfH<+
zo)GQez9QPueN{BkeND8B`-W&&_oQey_f63x_xGYb-M2)0VWuBHcdtA_vm}1^O8jQ~
zak2{i2)QpyY+mxC;_j2E?DwPM9`K{$KJQ1xJ?KZpea?@H`+`K}MTy5DKOXL3iN|jw
z9>4V?;rcP?B{MJQI%^Loexe(p1v;{2{{In0qorh3D?fYC+P6o3eQR_6)hIv5d$_iFbVx4s+aUgtJ)
z8*_{P@3=$o3eOVn;7?XA&%t?4KF@>a>w2fq+2Yo6W8B(qtXs#e>(+By_`d|wD>4Jc
zaL=*u%I?iyXJl4~%&Y;quOxC`>92{Zw0HUR)$^^^^uLi*X%|^ce0GSH`)!NDJ4>YV
z(>2>>)6I2D-CDQR?Q{p7sBhF=^!rY}+k+$4
z*VHj_<{Hz`G&0wlcyFs|W!jk@rmyL5ZZU(*?PjPMWyYC_=1w!kOgDF%S!Ry8&)jbo
zng`7i^RQWI^357kU^be^%)92l&7aKs-ePZwx6WJZt?^cSk9zsudT)cb(c9#0_6of%
z-ecZ2Z>jgN_lUR8d&=A4Ju5rQ5uB45c1^psuB@x;8oH*grDJq$9joi;t94WT3mvap
z=vKOoPSEXjN8L$x=6%R2o<~}{eN3#WXX=}4&2^@UX=a+6mL|b;H_0Z&q?+5zU^B#|
zo3Uns$uyJAG&94@G_%cIGtVqAi_Al2nOR}-%xbgFY%p8QAIu-k|Clr81M@fYsX1#t
zGoPC;%$MdXbI$z3d~Lq*;E`u}0q-GinYY|4@SgOxdprLLQkSM6000041StZ%00jU5
z1$YG%0003P1$YG%000BJ0Am6&0006H1p)#B1OoyC;Q#{vPyp=z0000900000ba_xr
z0HFW?{{IF_{(1qB2etvKAOHcM000001Of%70000W01J4W)tF~=RkyOoC5<$rk-;|2
zG~4IcV0!4icTDfSnchP)y#@#&w9rBg1ky<8)pSDdErHOD>Am-oz}m
zpS87TB%QVN-`e_VG(rdvNw>--q)5C%Jx?b2s9a)&6dzmu@0XGVWDD6#cGmr5OW9o3
zlC@<6xmp&M(XyzlC@0Cu@+&z-PLeG_pzZla)s;1$Y7*-dK7O8uxm#ftV~g;*=%#7410Y!u$2m2%aS^RnZ1^vbSrTrECt^K|IGyLoQoBi<-
zCL&ct+6aF{WJH#T+!6UBYDKh;7!xrk;^#;e85Ef^GEHQLNMB_3$efYUk!>P7WKx-e
zGeuqJpDRN2QBe6ty(!NYwGDn^{Dbl3BWB9g(Yht^v8zF3zwx;`N7j
z`hBMNA3l6Y`a1n$A;iL97~^S~4Bx{EJm@Y!mNazNmiySAwnd)PqY)VCHN9T6VfMyB%Dq1mwUZJE}gp+68|XCKNFT%
zCQFl8;^-tD2jm!vq|B5{2r5i1Xbp!awz|9lOT3;}lg~)LJ^6val!2jtk0LO0U`*hF
z!0UnUgKSW)pu9n4gJOgT8XhzIQ$
zPMvrMhkW!>Ci;obBs-HY_egs;
ziM2&M+Ip-N#XZ{g@_5_FV{NQlCwh6jjZY*lgXqf!tI-CmP8)?5x$$#4k7MZqj-z<|
zf-d4DQ50v0VmOZ;;y3gN=hI`6Oq9eqbRW0d^!TgIfIDnP+-XB`uZR)Bq77cR#qp*s
ziMMPiky5n7+oC;z%}?6aAhNYY7fNm$QlM=l(u!{8j!7v(L|4jaJ5adoOrf?TzZ4n7
zr#3_4CZfb}8es0y
zAbXhx+bcB0UZtV-n#d}?pvm?P&1Ow=XepRbKVR
zuT=$AQT0)MRV7tfRZ-C@R#jEiR6kYSgsK{9fNiV>s+y`6_g1y#b$L_OQG--nHCWYC
z_0s(~7&8p<2;mTIILt0ro=YN|%4W~#XwsXkLPR0}mqeXaWQ8-A;1^0RgKZl6*+yOg@wb#A%(91q$YDn^Y}
zZPXX4tr~}I=`b#*KdF=*L#6HKRK|{_vi1vF$N}n0HC{~+ozz4%3ESa#N}wR>sV1wh
z+*&mSKU3|v5U!xV2yHdhUQJaU>>|}sO;bzMQngGiS1Z&?wMwm4Yt&k`POazbDo$-M
z8PrA_r8cR}YKz*cwyEtVBTulEY)kd4+M#x;U23=5qxPzOYQH+54yr@ERvlJH)KPUz
z9aksRZ|Zk-Qk_zNxYg>kI-}02bLzahpf0L-bx9?t%j$}{s;;T)>V~?hZmHYq4qsMx
z)jfWw?yCptp?c)jx%KL?dZM1HXX?3npNO@)Z`51$jw4|xXXczR%!>p@a9%Fp
z4!DE-f?vTXZ#NwcpTk&Z9Kshc&WkHn!IvT~U^b>O*UV*e#a#8GhY9AL`P18XCwV*X
zS0AH}-ChK;9j2H=yjT#6x=<{RWwCI;DlCbmF~9SZ-XKt~N#l%m|q2-ne}3P5`({PP)vlxT}XDnASCL4OIr$
z*fn!4T`kwz#ke-EeZV@`(RFfNTsPOl^>Te&tV!nvxIu2H8{tN|&)qmT!A*8k-3&L|
z&2tOH1M$#QajVP=^OB#7d*VLUb_&16{dkw=aZw(RwQz*kC-&n4T7mn-0lY(29HbEP
zi9?h}9H!dh2z95q;wViM$HZ~GN8fNw?!>+LOa4xr5Wk6&;*|J9oEB%qS#jPr5EsNn
z5ic&;f#R~bBCd(6;<~sYZi?IDj<{<4NDt8oH+
z3oGCkv(>yZuW=E6Cj
z>*&h5uCAi%xm)hGj@I=}V;Aod+*NnOG%-zK9bAF+aFrU``QnL832|@@Ho$e*2sg|#
za}PGbP1p>#U<=%at#Ajn!Clx6_uyB!4?Ez2d2a5*PIyR5;1TSC$FLioz#e!Cd*K=E
zgXgdxUcdo(2?ybo_ll15RX7B%;V`^`Bk&fE!aFzyf5LJ2ixdu`V>pB{DAKOgM$D_2FW21
zf*=@DKuSmjsUZ!7Kw3x#=^+DTgir{BaPWa2A|TSmK_?_IUpzGf=?hf
z?Z~PzK6EIrc+&j^eCPfwMtHs05Wc
z2YIJrpQWL45?&&;S}j
zqky9(j3?T8&={J~Il5`dX0i26xNT=Ywcpqu?HaenzGTU1>8M*_e8z7g_=Y=g3!A^7
zseJ;?pgCuR7SIw}u@72v1jIlaXbbJ2J#>JM&IeN{02hRTFvvSM4RMRy52}P)jOj2vX26UXieYZ1`^7EAA@n%&7fCmy!B@QD2cv)kNw
z)aJowwh%tI70B5-6kzL8GFy*=Z4*jin^H>Kj8fU=l+MObdfSFF*tQg5yHcd>Mwx7P
z%4~a3IXjNZ+b^kt9ZwbQ1gdN2P(3@BTG;QXrTv~-*&nDi=AaICId!xvsFPhuo$V^>
zVpmfy8%MqE2I^xsQeV4Cb+Y$qtbIUV*oQREKB6z}V;XOt(**m1CfZjt$-btq>|2^*
z-_cb2C(W=Q=xY|Vh?CJuPED&g4Xx%7o7Zl(e{pix&aTC}v=!^oHmpzEu>t*x4QU59
zqMg{7c3~6RjZJ9}Hlw}Roc3W0+K=DUbNqo`;E(hYf1+2om|o-0^ag*Sx44Af;X_*%
zAK8MG-wvSyb|@9J!>EuQPKE6VDq=@cQTv%Am%>?>(y>eBoJ;KjTpAi?Z_sdi(*F&PS}k*
zb2skFJ-7>Z$91>?<8TwM$Bo>F`*SQ0skf@FbqfU-5LF
z%+q)Z&%hV>24CSje2H)IHU4QQ+OOYR}Qx&R4m8mL!&x`p-{)Kl{fGf-o)FuIG5&=);*mUtNAPI=j6cV77>^e)0ng(lyoi^1
z7w_Xee1LcJe%{Lmxe{09DqNi_b2X0U8r+PVatChC?YRke#Gd#m_Q3Ag%TzQ~Okq>p
zRNyao7?0(lJPx+sqol2YhNja!8rhsfH8_61`wH}@r51Pk`
zc_{N#7BWvvjA^6Ka3+0LpVQ~{1$|M+>)-WBeM;Zbx5a$gHC;{qmqZAP>po
z@`OAh56h$SnA|JZ$eMDu+@T|7oX(t>tJ7I^Hr>+nG`&o3)5r8Rv8JEtZw8owroGN?
z2Ad&rpS&aQnt0p7T%!7_Gaa#8+!-}Xby2fbS2ah?RXx-QLpHT<^004NLV_+Z}d@}+AJbzL
z`6}jVC~BIR`%u&&+jj=lRX{%6T>z5;PzQLNtyXDs(^eFfyd+LSmXd`Qb$Q~&X=*>2
zltM6ILXa%G;4aSAN>ExUcG7);mKlD7f6bL?XXrP6TF-s5O(01-!<1os&$~K$cfSf5
zN|3P^_@NN3XU5D{i^g{D1$5b>)i62~y}f`k#rW@nQ7}3kxo_Dv86g>-toIGm@FLeC
zQ;~=c9m*)t74*DKxs`kURddqwJO1|lz?Qbv3k0>>flZsCC8)}%8ipcCNpY7}p&Fb7
zt?~0UWW4euuIp8+uRlL=Sf-YxyF=+6tn!6>o=u
z4DobxC%_|%gBnBf}VKP0mQ`;;#^G_C|YIpuYp<&1s7
zH_&DjG9{{OCkv`SK4o~mTe3&Vo=`6*e=@zrEW-s45l6!B$(ReFGi6wuO%fKI9C}IF
zqKxaQiK$awr)9ilST905`qCMt1L{vrX8pjnq#c%Qho)7M$@tWb>kiE*5QU&K-d%nj
zK)NAK^JyEWX`CFI#Wiy}B?1}fz%I>rk?2K&W{@<8=2UApNOIkJxJ=Ur@`*!lsMc1{
z+DVm`4gI{+J=}?5sy-?9yzRn-s0hsrpvG4<9qP&UED3;
zBTE}Tvb+EvSxWfGav46dEW$^YEAWx!`|y$FDtu(Al&I-ea}>V%h_&b*x29^tx#-F2H^jTV@FZg8!OA6JGhCSCK;0dbsP_
zi^rmp-a$Fs36`LU=Y4Z4c$yJeVLi>PWY32#@4y1Ksnl%Q!1Q^qj#9*XC|&j$FX~Fl
zdT|$zGhS=~N4$exeJ6%XSj@748cJAbAT9`P1^1m`M5fy=hXF_K^Ju92v0HH?M^w~K
z;J2M_xfixj^6Q)f0Zo2okONsmYHnyX6)-$PG-Q*FakXkXWgNgDqsDGf5jA`p+2esy
zurI@uj}>vcbM)(*7V4x99#lqh8{Zsw;0;R?@#p!~5QnAQP*PMlYYi;sT3AUc<^l%r
z)=1qxs@{B=eInh9I3Y*4t(@E8N>J+9KS6G2^hpN3b~1p7t`Uy*Bx^>U!lvG
z#g9+X-@(o`7v|{-@Lfe$AzGX@A9)oGe9DG-`b2R%QVZ}?)yJLz_zb{g@VV-nTGIy5
znl0w|0Nc!Au)`b%yUby*$DG>$UoeNkm&{=hFo!|N91q|ga~Rxb4uh|l!{7mP8USB2
zhru_@VGuEgLChQ%V4pb*I?Q3vWe$S_Mb}4ZKI8*!0DY^`EuimoKjE;6!}p4AjMzW$
zL9>6Y1J00IC101tSaynP3JTh;lf&K(-o-g|G!l5NSBytll!
z9ow-J$1|}VXYWCF0@(pVNJvP-NWvyzmqH6Ilu;l+DU?+@pe>_>5uha2^*i@o$t!jU
z|Nnb0zu3B0md>}w`ObIFWnc^sgMsPrQw%F3%*bNoF&NTZ5DXX)xlDiwfz|2A#nMt8
zR*L|!TAb3Mv*yP0B=r_ZH0(4;bW^A25&k^a$3fE?N>^4Q`QhS=$?hab5i2{*8
zA9d;iGF^GevBfL-;2|$2VfXZcxV1Q(gavaDEOJ{2H%-U+*B*r4Fiq4<_)iK_%`c-R=y^3_LLQ!39Q_P=oalXlXg>!AXlUmc
z43tp~d3z%qKY<}-xEKsOBn|3;7obu!7zmLn5soPW%K#{SFiVj+k-mIm@6roto6?@y
zas9jns@3-{NHv!XRjylIvFD|Y1p3g+P}G^V9Yi%IBN{erX>WWnsd;T>?vl2e?mMw4i^7FCM&VMyVBmgqI{3jcG=(6>6R0HN5PXwn
znG-2k^~A=)DM*b8Tc9r;ERM9_cu+4Zk(t&i}@+C
zqC`iIN5SP*D}_3lMwI~dhLkH_4|&XEs3B=Ggo#1HnISoNsvm*kC3P6DUw)4G_%0|e
zKwlgR_A@#HZ!sL=xN&fH6*&Fqm=cDzf0K6LMtRcM@vM#zEKNa1JETi1TBH-)
zw|i53#7);qt~CMNgmjU=cVoPF-@SB!92?^u1_(irKQY`8gc_gW22wL*Xv5DEMymGuzAfg2Qs1z*M@V9({a_$MyJWh6&z~f(5xC
z3qVAn$5m2F-~@i)rPvQ1O}D1V!0qZR=SKuXk*L!9#9;9!N|RE^B;MxxyfrlhaRy*$
zkz54`vod;z&d%kztYD5C1+btP5$-Oum?dPP7jth0A0VAOfVR>@YaR(bo|SfiSOwFa>NRh~VfF5|&(r
zexUZrhU-ZXBEhiT5LTi`=&^~Tct3uU%-!t5@tQ{2e;&9DR1kXxUpw1XTY!kW6bJzpFA{}(S6@%JISm0@apsZ-6xjjw%-2n?(P#y
za#~OPgM^PV^dr~fALIXoen?4XuXY0n(y2-kv<(`zLP>{XjN}ugTT(xuQB)|yxo8$Z
zfNM?$30SG}};wx-P5To24|`Aap(s+cD3iD_n(shXg%JD0ur=uIJFh1xPk_hKriw#DhD
zGU~BJnsn<EmFM2v)cPgNLGLAs~ybg
z7$oG#!)bH2)ixen-KG|}bkR>z!JjnB=e`zld8J=x~q~Zu6u4x-rAvAmRVejSOg
z&GwY)#SOFX+ghti%&}AW62~Zf+or^Kx&%AyM}HO>`K#`oKUI>Qk=D~%rTf{m^_<-`
zlN-1!@7}^PCFk0%L@;0sLfyCx3X4VMcu@VrW^4zs;xIuRB9>_|J@&?>BwA){KNffXx^6-|_C|&A(e85cLCWFhN-`@Ab5<>l)F%
z;iH@0J3e#f@%J{t>tl^OyVB^`x16|>8aqhhCqP-jsS_;pIl{6y@RAiUqJ%sa+8+e*&`-%kpo;%Qe%$14|V)dOvg#ClEIK1kF<;3sE|AS
zH{`fxn4N%#5>Rt=gBtx1pCL8~FFkRt7QSE==b*o}j(m;2iHYHS)CETwO$R7-LnlU7
zGKWe-UKgl&jr-utno^p6zmg3Dk_r?Cf+HYwht$Qu(ex_%1V
zXsXvp*q32C5zXk^lT9Rhv7h7CZkvofl~ZBRH|)n`FeleAI;go!9CHAvVCACF)yC3J
z>Nn|Q^FSz8C4`w5HS1B16%tvapnA?B7VBi{E?&*R2h4p@UuzBlatB1OZ
znsZb1JS7Lbiks6Su8a(0VP6UOy`!`@mt#r{>3x~enQ1ivRnOc|Rf=-s>Y}X!#khO0
zS8vg)CDrxy4drEZ?y}C1y`m&1NsqGkZnJu4puYFg3r-b;
zvq~3Mxkd>=t(W6h6(~tkVV4)Ww)4w|_RokD#)$EfHONe7bio^1bmSC?)>-l@UP4hQ
zr{S&)JtP?M%L=)Bfx
z<&Zl`W(u__Jb0|HbyH`lfrU18cBJ-PKRdb%+1uOdtz8_6{u3{d+Vx^@d1qSMe80sv
zh1jYliq=0bRCrBSw%KLI7^A#61bH!kqF!YJ^XAq3Wi;-
zj!Yg-5_hz(dBdDi1A^i6)JnYwh{X>52gCz5k5tQzzOA)!U*M{BmW&H`GS$wIC0L!N
z)$3jMt5sx>G&f9=YjTXo*%H3ue$;8lLk|B8-
z-5>dixr}LGEFbR!M=Q||XDaE-;YA)6qKHQoO30<3)E<&Ielin)Y!-qb%ZexAOcdCy
za=lW_=JN1R`u5@l8!><~nV}A`66GC6D^#ejFTFJ7OP70Tx6^Q{ZGL3hGTD<)ssratitxi8;c{0Jw>Q=e7Hg%
zz8FZd?hnt*wZN#=-Ex|YT7g7FL*)(-519Lt^*jS3b7DnLdR1uQ7A2o7_=#P{oL-{l
zYH^%U5{wpKCBih{Zld@WzMOB?sW2p${_;RD9ApKNPb|%z@#y_(npMA0wv&hMN{Se
zH@3IjFpyQg`AmPu{$xDA@SKm!6|5+3atXw?j(f`mu{h|qT4XTS%S)R(xH8gqLw|;~
zuyf7zjdg44UE#eKo`a@8|2PsS
zkrHilL$1mJlr}|5If7x*?b2RUKsjIV
zOjl5t8S2?ut2AJ|T^w%df_)A7AqDQ&yNZHl7W#b_t)14~a
zq~s`4YBP$@(EKbPVKHyUKVjrBYDTlI$@SMbMC;`U8IUZ1PRzD3)0BzyZSFdIusP4g
zO!!3hmmUi99aUN*#@myS5LtdlfByPKT@K{P#GD)rU!HC!vxT<8IhnO*hX49hatJFB
zFtwWg+J>8!7PC04OP2B81kzVF!eW08>1$;STs3{>D>2?2qgxrAL^pH!)O5Q@y7QgP
zg!77j(sW--9PJ8-;KlYD4aopDH!`@pz96K;{W@oUvWdk33u&h0te8K?A-;O1G~7M>
z0m+n-;SWi<7YT5kwlgOtceXgOA|uj3af;0XlUPOT9zFy5*Bo*U>*sJo5r2b)nZHr|
zyE`b#fO<)s=prwAchFR_Myd4aV^j`sxurw<8qAqG@=bSPikXG}c+c?rB<>~jON1n$
zD|0*vh3(`WhqGD9R;1Kr#O;Q~To2`(HQk)yr?eQeOgS^S%~@@Q;&U-M)2eN!15BCw
zr?3UnD=LXIshe*?oSUy2=d09A=IZHavHdSq@k)gL9OaA44AVe;vr%r~W@X%=_|
zsagNcJmS8txDX5|cQ3}R-uBcwXNz8i`%P^d>J!=MkHakJ_r|f@-0_PQg`9+SN|w2(
zuXtpH)N?Euf1Y7sR8o1+J>U@rgMJ?en+;xr}8Tm}Q5yh1;{RD~o@Mx!>mBOY*Ts`IWw
z(vTCzv1t9P(Ix&XiC;I&8Vk&{&x3fA^!$_#GRIW#ioB00;54j_`>KVIS7fzu)M&?Z
zWE6`l*gM1qEFzim^g5}>?GQk=7~5&KRINYXPu$x*YT#G&!sw3_gAkmBkFf}?9e$7G
zVA-@zIHn8C9Te}HXgk6Z;yS`=82A1In0fU5_Hpk&OukRs5vwg`M}0rjj;=mBFBbhNkrwB3ZVj|g%YmL_-cPL%uQ6A82?ho
z@$WHAG5UVtxc8sH)Nz}n^sIe4J)6F%=6|Pt)+uu6n(FlbrBY7O%ySibO4~T(!}C;L
z^FP%c%<{k13(7J4T(Q$~JdCNJ98>8vy3rOAdMWTq-W5}AWCv%gsdc66RJhh+PBKaH
zLE=nI3biEaQ#n@j$4egSgKS7wYHa1%%Q&lQM9iOTi(DA8iT(I9aTrJT*ovOz3)A{&s8P+M~tH_Eo
zfjM4=+bc;K?qVhsF8;;b8HcKOK63t;x7pRZhKIi^pC}_AM7M}{u>xn}oYgCRXGoZ(
zP^W$kVdjs@VG^7x^BSdj{UTU66$0NXKJ5w8?(0|=eNjOg$+c{53FKvdNP!CFT0xAP
z$rI2^p2)Id{y3I#`Ak4Djh;g$%X!e)2A)@
zW)j!aroXM4BxW~R3EA5K6$23{v;ucwkepQlwM;=geGic}P4)K8@wQ$yN)|%aN@6jD
zbsh9?bAKjXSD-H*V@B!4OyJrkmQKFS^`qjyae563NG~5x8&B_UIy2rv+(ut)rwHFQ
zg%mlUpGOsja?|N|U4;S2j_-jEvg66SiJWQJ@p??kQ`kpb*pUwMUb30IkI%!=k!Oh`
zD1k{BLWYsiO3nqS0*TW>RcfWA@2ATp@D8w;vGoRwtdPn_>x!sC2@{dA^>wOP3Kpl&
zDzu@<%DV;wT~GUplT@Iz$XD!FmLMy+EYARr%k&n#%;K_u;*C!%?>Ib|nccf(&z@|K
z$8S}hP>jK42ftDv@+OjR#xyW%(@r=aEI%h$Xueu2g*CmUzGM~y{
zo*T}{bGRdA4WX)?^Rk^Kb23W$OFa@S!C=iS(dZmCD{3nDFDce&sX7{yxCQ+X(k-Ga
zcXIKZCT*iDmgRTava>
zELQ1M&Z739b
z0VmddyAA}jiRlJ?$fMSH!g@oxSA!v!2n+#UQ@Tg3_N1FknO^vsN$nwegE&o%sV93R
zr|pIhjy5R9!2!mU-SJrv0V4@>91c_D*Ca;xA0Q6q@i>t@C22f?A!Oe^MIlKMjX&M%
zTLAsQ=MY~hBZKUv1mmbD(ZhoiGs3tzgdqt`1+_C`G9f{Ic#KtAZ#oz{zn+`gdDEb^
zP^)5^?5Sl*8a5|qdnA7@)RyY=)qG!Ju;2Gt?Bj;m*RdPMv6dq1z_6@&Z*Pd3uu;yI
z`fIaGL!s238)hTBqbvGa3bV;COr{?hsUQx6w<-FZQ)K0r3H%qE*}>*DHRJQ}&A>f{
z0=z#V@5bzxYXhKQ{{k{vIu+!pAWbnYDMJT?fia<7ke$6(%=EzPSI*WR$6uR1<$8^>
zLC7Txhd3K1!lE}wOayi$MI$$efk^Dsy-z$WaVW%UF7YR=J>f;JMrY3ab|Z!mYxpu6
zn!?H#xRhhyX#E4^$|^DdVUs;+a+#1En3a~A2cUi-1C||a-`3u2xW4*A5&DmPZhl5o
zgY3zo+*Pc;xohj)k1E2j>-Z=PG#B7pnR8bVpf1Se}2O
zhG)rem6Mkk>hLTXn73iohE=29uf%-jCYyE@6&ZJ*rTMdv(UkDSAJSOCU68M$g|SB!3J
zh=Ej&YpbA?C>(Fzq4zX^h0gTcfhsSCHM&FO1sfS~xFGa}8S{Jz`g%wEPKTRBYIz%<
zuTU8kYoF8>tv=bKN|f!_7Opzgo8(1O(ss=tQPQaSF4L2tUCkt(sS=4=#3KE%XXI;q
z81h5R&{6(4_5*MZcr+ub=Gyi)(wx(&{N3s_~T4%WCS1Uk!})0hBEA1iv~3HGj1I
zFP&`v%UHB^Z0RlFC3^4%QsH9oude?PjrAXn!FNsQKaBTDxUrz;$X~u4*MGRR3e@$k
zn1H~erT|M%_Rm82bPucND*9((pdH_?T2q>(NGd!rCv$GREwyA<(Ww(kqZmiVnp4x^
zJcGEgV`zLA>c!W@T9b(ObI3n2K7f{`yrzCxu?ep%ys7nx8!u}NDV;(J4wapgqb;>tu4TT+gvwkfM^URzey
z!lPZuvuX>KIb4H6Zt)ca-Fb-$OGa5`X@(`W_r^Khhl6N=h%ZyiO4Hl{hcjz-dBu*t
zEUCq>?GQ^eMvcM|&{=$Dwayl<%_!d7lUbuOW+2D9(I;7hs5?QpitB@PKe8&T~z(@C?LmA)~mInn?&ljFPq>%t?r0?3s*&E8$Y{U2RA5!5=*=~UoWl5|s5LvJR
zLs`sFyF`g`57y~%XKkotakU#s3j9pLvzS>MR?V+XN}s)^;QT#A(=@Z?Uurb7)Xx_U
zlsQscmaJKuO6v;6%fnOga$2RZF#rFs*;dq*qn$#X!U&H1|73s0{I(KV$z>|J0sOy^
z38Qd?gI$CFnp`E3(wvOd9;Q=pjC7gtjcBa#m7M=-dw1Q}J$HAD!<$!`=XGV5X1j`)
z9<1}!m*=UAxF&_d<_@{^sSZVAQFT$Gzof3jFLmYlvb)QZIrHeE%`9^H5dFUGvx`&wDQ1JulT_HAKj%PCfMi0uP@*wuRNhRpJHzkIsLm{!9ZAnB4eHXIs^TR#
z)C@mBHTZ~_T1_{DrV&LUjRtbR?-f?l`{~}HHWG(h61YVJyBn<;dL^EycjfvFEYH}e
zwXM6mQ@IIil`KWDo@^6jb0qHBdFK|H^+1
zPf(q-FjSq5Z_wg{_QG}
zoVckOxhj+aLk;=%8su9z#MRTBti^llp&t!qdbszpND~@~!-{Zn|PmEKiRkM^`h$JBk-<
zL`iPXk|`11kw%ITuseZUvS43>DN9E-ptuWz78d$_yzo4Iu~My`qX8PSqFLR#w>vdq
zv^5A}6cVSgvv8hXLG6x#L|tLg^XljXlL`~qfDFu&%iTtqUL#frIk*^Ao96^)wANKt
z_7hE4ML1G2TBV@M0U?s=hq*>aqDo`JnYgG`p|8luUf@HkuZ9cYPnVZ0pnUU3zQX#U
z{`naUGez$d#p}z(ihllOKQV(YM~`>&WH~xU2g*C##MH^RyO1MShae-45AK5aG)(13
zuCB;F#h*4zMhdK_i|XIWznid#FsZ1%Z%Pv1xSY8^RXV@?FSKp3{sL`lA(bCbSfss5
zQ@d(AjJ@D5O|T`hC6x8G{L{-Va-6%M6qDw}PaEqsvDZCV(FCiD{ItPdl@jY{O`&X<
zg+Uu$$k+m-n(}{Sz(1FJ=p-v==5nSir1tg`^Zsvf61lcvyc
z?<1JMgf`i91s^fJ?M=^5X3m%Mi2msp@iK`0SLb4&H8b@x=xTQS-{AwKxnSgL^hXS#
zPFaGJebu2bS*XA;
zf_aV@`GdxY&1WZ|2G@5SyOOT#Yh=+60-ed7-H1)5A$5hp!2f|^3?IF3*@-%+gV&hU
z(Nv?`ilq~`Rg*CAe-N#|F|xXu(C@LomDnDC;3>5U%SJIoXcm9OwkZcRCS(Sai*dEW
z7g#n5d?HfsaLSyr=-EUX6JLYJ)8IoKG7Y?Y&)4X2H~A>UsJZMJ1_S*B(x@BVQ%#~q
zt?;0+P1SiIlm(D$0PC-6J^MJ$Wqr&ys@?@R|L3o21$z%uz;^+h@%^RJx`o0Lv}t5edb!U0J#Z&g282^jqQk|s_wDcFS!&qen&7p
z$)QfxcsEq)l^C^_kb(FvYin7cCRNEys#7Z1ELEZ}U?^=cH|!Zg0VdQbjBc|*DwQ*_
z2qIKlWE#0v4+esMM`24cu}L7e%M7xFiio2s&x2~^4y{Ni7D{=fPv3^-AfMuoGo;i`
zhe^&>N}pO6TPFS}rzc`hZQoEqmT6OGZxmJ*rX+ha%=`fUxTCZ;r)kHWprf=euW@@v
zkPxpL%quo$H3ssFs5!z)v;uh=KN&lB&`B*m3IR@$Z>3lKg5V1UiXwOdGaY1amCAAc
z88cHS*$ym6u+*Jgl|Z28UiX<)P*=y7A?ufI-ynR6N+1zRWE9Q)5Wo4%eGCEBSv{^6
z$z;*x_zAUWX%LusMzO@I6YJCpn_OTh@#WV$i)IGBekqfw5H9XGg}KE%nZGhU#UocN
z)tHv`m9B0{v1wEi9`aw>r_6^iL-_sVI>Y#S$GG@_jxQ-A2wTYKi6v@TFw#{BGin+P%gG`=;OZF~83CS)^3r1AoHMpa~Mi$tsp=t581zw>PMjc
z(EOFMNJ~=4;>t9kQb-3k`k(}Qp#zlVDK+`Z7Of|w-s-t$vjwC{(~ny;PR#@|6TMbX;HzpofszP+w%1t%K2>4po{Q
zmowAG$K9vgm_luJ_)mA7!Z*k@hERor^tKcpXu_Xy0NeX4`GFUpSl3@8h90kordUk1I>q@V;s?S~jA7^px2
zeV*SN;2PU}Emd64oi0vTWy7GDaD~BONIIF{uSfAgy(7utcMf!tqAIgnX^Clx?TFAo
z^-7a;uZA#D?0H5VdT7+1Nj#>BMWpkj-3r(jY{)eEY6f$I4O#GYeuC1W6Ba9-IuU-q
zIlDQnY+1b*zJ|({)_aLgnXfdpPv$EN_R)T$3Hcfsgmxt$SKcT3W#`x$8|9d(r4uDE
zLvJOq>BL%v&L+Xl)oG?Qhum36xhmD^8T~>jg1JOInXfWE;E~JbSiFXe`amh=t$vF<
zA`nn;=R>$d5H63RkLn~GbCKZ*4l*1HQZCXLGAPtG$scE&(&%A0pxk3(ij2iKk`A)H
zH_fY%fx&3ipEYLMI~rADT}-CnGYCr&lPNvTb;QI;5f#?w*-TO`#^29%i*g`H>rqGHtN}V_0
z)fux}GgJY;gP$bQ38ZqZLQlW13pb{RT9mjafy3c)WKxktBsC=2z2zZ8f>NhNRKv<>ULPyJ!`zZA7ncr3T2%2{5>
zHd*;Xgk6)AU}%vn6)eNjg>tsAL8)ji1DIG`Bw3?9xC)NH3er6U^Oo3|gh`k8#~?!m
z{W>;kEJ}8b`YVmpCQianM!(i+byh>D+zV=nvu1}_0LU@tLET>h$COZGqEuL>l5*10
zgUFJLhga_wD-kV&Bm8ac|pA^ep
z)~9KL8Lx;XQpwBupl0Azu>=zKwb&|=*d*t5v=2#xH0_1Bkf+~CDHjG~AYJ#SP>ZGc
z;H`}(#4NRJ<*8Ip-M5+hQJ=DOozmmPnMxFi#P
zOSL}2&mUy+(Kl%ru{jXTNYFQl$K+4)fK#8k~j0_&$%X6CD5MZR`M7(2w(2EFRv^=K%#R{|_PTc`Osvr4t{A
zIXcX|lLDtW4`rgvgch|+a6I}Nlh4%-GP%qI{-Bl%q|_L2Xta(#BX!g+6mjvQb>IBy
z;adeNW)p|ahh~{pO^=!H=L!
z1Y_YHVz+>0BK`xUY{d$ki^KoR6{I-9CTt~g27jHwpR}TZ>{bexnt)gAHMR8NuS>Zc
zO?pqgUIf}`KD>$DiDu%r(WgL$!a+J4CEc!-Ug|=Iv{rmK%b8K`Hi!LgiPnPeVY)KO
zyCf%GYxbtM7g#k0jnxA$Z15t^UlhHT#by{8)G3H#14G2(Bi|u2DFnzarZv6FpHz^V
zsFuS-1lh~9WmNi;ih_yEJ0x1OD9~Q&G1*NLokf%~yVMIW$=LJ`ei2>E;>G&tero5}
z=L%;~r%iDv6pj?FF6dN%{R(?fuM5}}3i90fpk2Y-96!8X7bHIy)J?jl>G~)3Yt(?x
zB6AZdoL>KcI3>~d@L9)68St1EG{QVX!1Ph&V3
zKNAl!27FuFmo8$Sz;I=v&6;cwVZUIy$`@lheKq}=hGeruVoo+>_Sg6z3??%H9b##z
z9=@@0D8V6y$WWP)eLu?9CfUpLnGdkSEz6k+=AwBe2ER#Mke%OGYKOc7L97>f7rz9@
zFvhCNFq@5?3`hqFGJRr#blj6$?e>%f)j00StM#}`0_x4U-EB|7ahJ`Vg!}weA%h`Q
z<@doUfj+Im=LiNJo|F^_V+cQwTwo3UB#b4vGqcq0EKXA5xFfT|X)pAvmST3dEr4TA
zyDOP_kGC|S(*;Vsp5lO38z}ZT0|6%q0|lwreDq#cCk4ZOB`9Ow2xN?-$(vUbr^)4j
zG&$|=Wbh4iS7yz1w~AdhJQdQX*OT;Brt0;nl|Bk~ax#KIKPI|B`!N(O!{0^;b}fa6
z_lnfwG#+RWtitT!VyitbQI6rZaIxK%lc*TPtqxl29@+Pn*shs<
zK;*WAw;%~-&CoMa`G?^j)+t22q1otJ2h*6
zD-YUPrt@OyU(~wu63JgwdfLw~!frrrr+Qv5vsC2vaV@q~FDvf5yp0)-ahQoBe_-WI
zImRC*_ro%OVag!K$S|2Q64h#NY~R%>;uvCw^CUHcflt#&5d_DkXm6<5m3vvQ!5MnY
zlf-Exfj((}!v5v4)dui>yb?RJb;D)bj`Nl!@y2Z|rpA1QSP$MCIYs(%e8TGVV@f_-
zX4i>4rk2JwSpwIRTA8X70T1NQ0c<~V2YwIbdtkndG(ER%Keiuesl0)~z{+6WfRlcS
zJV+EviavRS7(RJYVZ{Ro3(et5E7)6q3-)H}cQ=$+m{0Gyn`(Kkmfgab~lSY
zo1WtMW5n>0=y8(i*!&pNse1Eg5YF}RhKynmU9zd!KsLdW7?Ul(u@Wu^kcAmD3#ke<
zdi)W^QK6hHX>epl1@RwkK<_CrAeE}&1RiElfRBh9xIBc9ey_$pWV1E74&s8wrd4qH
z8iP|yJZAEWaQuZ%eTEESB6^`iw&+E=_daLj0L*Zdj06~^sGeNvgd8We@=YEyZa}H0
zI|zZ5IvYn4vgN@PrN8~?k~~k{ii+>sZy_(1SAg{!U)o(U@0Y~LEvoNTn_k*o-v3Jg
zjwrteN~C`0WBoO|2cQPPt9dnh;1yPk%sO^%#X(~Dw@bk@&w$yto?Ct+z<#?Fd5X4&
zxeNx=0C{AmD;zAyQ1V<^YRb#i&8~%rXgR{b>hQ4UgDB>=L_rnqWlNkPArWp
z$Qo)|0I&tk>l*yrG(6yeIrhbkuN`V-6L*4H?AAl)HXzKPji{foZFU+9T|Im)D{c0+
zX7Hdb2;sw&5pTdBrFwMDH{gXwxhEt1=ec+WYo)s~>#I&mTNGP_??z
zo4x$>VChgzGM7;Lt=q3xHZR{>yZfuNef4{u9vXQ1$YL#BBXEs;jkRJDhJcYx_AQ6P
zxuZo*z(iO~a#v=&w|dgkCCG4eTkU~74ojJpo;6gTjAjLP)B={$YpqtHLL&@$SxzO^
z`BG0-PpQ*h)Uk9+Nk&UyqCle4>7@@J-BYo1Ag^@Y$vGdOb&nD+ZuFL=>30eYDxo^m
zm^rkI;mlC#`d8EzCY7ezc;zRBB}?yE(7e4pY59`HD~eX1?k(Kl
z7m*tmJL}Gy%qcUL=S+8!aPWqZgr%6EgHvuPJl1*$a@>aWsyxJv6=yBpEBufCyLMD^JOuTj4S0
z&n;1vbmwY=>A~)nQWe;e*IQz5+W++6yhC07uKPaSS+_W1G)3kk{j2XDN=fh8UX#`2
z#q^KpBh^jbl&sM5$2a8yU;Wa^mNyR8m2H1!^c{ESBVYg$7PJ>~jVWYXu>D|V_{$K&SJ^_Peq92})B0?)H`bbgx4JMS=Xp&S
zvgG_1fA1p-!P)Mo@7~{^*&;P7`E#EnE}keme*0||9y6(bj*)NC*YJm7d@dS0>)uIw
zjtK>r(X+_YMD{UrQG&NZb4pzL%pn%o_oZT3@1GdI*`cGec?mBoEK+k$PyF09Td6U)WPW?e8XyR>D&
zwM|Q(-CLKp`0z}yb*(O=usS)Xx75kvi^#bXLkn@w!^Dh?Nox?$V#Y5VHDSZMU+CC_MUtUoM0vS3a{S*SeZQRw)YzMkGW?y}8Y87r3ia_pk?fy12(?o39r
z6+DGnQI#1iKH5~CQK`4-<*iA14w18>zi`$*lPD=Y$B;4D5GYBfWa%J&g?2#yN8+a-
zlL4G^I;1-$D}c0@rZEar55w>y&>5k#5RNX*>*?$3C{I+SlqW~pL&}`&2NP6sKHr*?
z92qFHwchf^+O%~wrCOVejR=uVc#F*D4LhB47OdTVpfV{Ea*H(?dBwKMgY~5%mnTss
zG@C7ARsM{j$hwdI{LT`tNTAg6mq8qph%@K~=zlDuD_hfSRq=vMEW0qVGTn?;J=&R1
z?$BFvel0&xU@j@nRagFJCOa|UN1rq&t5Pac2j-F+H-@d~hrKPP%%;@nEyz2O0@5Da
zp}&KPE6i6UR8=%qnIvb;vC?SlX+&{n2Tc(ap*$s+xm;-t}it`|(QptUK&|
zsOvmNA%lAEfRa3~kBL)R8Z!owJS>^cl&MudYLOmD#zhDvl4^`BtYvBwvmEJJ$Z0O>
zbrs`PH@909m`BN`s@(A$+?gwD?I~V97iLPAsg>l8~L1wY{b{9mR0{y3_#k
zmLDp(*%c*&j`|;FvXheU?G_o70%dY}puRQDJ;VN0S^)bjdi(6fjg`pWsINGGv@Zhv
z67rI)xiS-AJQ#O8JmqK6FWsvT+|hL7kI!k$SU;PKB{xJeRa}n>1KWr%i68zuhyk@M
z`kJf8S$Xdxk2gDv)VOxyNwfjleIez;y?|b#q`Xor?;vAh%mp~&9)Mmsqff9jqY*@=
zw@R9`yNc}ddpZ=?=eK8RwHY&W+iP-i&Tv&SzB^pDvdO2*AFQq^apX58?F~6_E^-_%
zl$(`2XJmG$qWYKi{MJ-wPB2;Hm>;P*)Kn&NdcAUMSfVO!Us@VmG%!=AA1DjAm8Hv4
zJS{X&tPuA)h|Uu2~(
z?MtA_4y7+TIka_^t!jBK=K?@-mz|uq@uO3nnE|4a-V2944Ckcu+4`dkSq
z7MqMC>t=0ja?a`8wUYzsK}3AqpYq4lyxRTGt(bGmP-gobAMZjd(ua=ETeIoYckCtE
zNxaAU&A#Mat=GJLtTkupZGG4N<#pxoPEz(wLgFRUUI>OHX#`wa=}ee@h1H69`p0ReJaK>f+WMpIV+2%5zj7YJyQN
z(XSBcG-{rvaPGkct6smQwLC)ZRUG*NJ%A2Vby9K$Fu`R?%~Wj!-Hs8SH^9dXD#l@zYRoI-##a+v&dH0_R#5q
z<+rx){pX$SfOrPvBPDC^?i+aYrls~yzFwnXhMwPEFjV6scZVlI{5qlkAfHX?8^w^G
ziz?`;=mZQQpSbngX9w*ieR&@>Y@Z$2zX?<>d}MP;$Em+>cYfqt_{heR*(d+LJ@Cw5g5Z8NhG+_lvt>7Za^I?IH=B486mx60JhTuIi_~T@
zQL*b*1@`qN9w&3fFRyc#*5Mf+TOTYr!h
z9GhYxP6sq`yg;B7bBflS?#-H6;N>Z^t2#2O*ED){fnwKDky(Pt)d9C!VNX&!vb;LB
z@jnJA9#yi#UX$+;NaZX}g383hki@=$e*fMt?wLb=&s7}I6|TI!v;Nqj0}-CaYjAWd
z+tXA#kf(K(_h$d_Lw0Yu%h_@3%D_NJr3~gCWGM*Thpk3l!vDo!l52-l6$0EhXOBrD
z+KH_Oi@Y}CuXH`-ci2XBFMb|=PDA$2$37c7jz6X?_=G!fZ^s^!Shy3+LgXfwTy9hG
z5L8B8sd)q&zUh|Bt!f^M%8gDL)F~de5iIuFiN79DIt^m6!KqZajS`8`t(tUC_Au;5
z4}y>J&md-BGB#uDDA^>8s6h`{MD4#+Amp*q;ar67AOQ{HwL2m*z%>T7s6v35&0x`;
z#Oqu90=vLjR$l8{p{1XLLe>|_wNzgGM1a^+xVU4z3DgrXZ%uo%q&MHF2-Ig?m-5F|
zcMk=s_P?@;NIZ)kP$OH2GJA1%wyV&uM%swQq1hYC7Co`83_tl2BVNM{O{ih&qpwgk
z%#2t$jsDDR=D)_CuOtn|KZPuDzDR!#6jJ+sPY|c^%~XvJ=2~_s8QWu3La8~n(KZ*=
zfUp^Q+y^%kw>jz>n!V^Vc))hdGn`|_g0^Etd$ig4g~cUSwDriVFJOvyi8IlMa|o~5
z17;H6m_3L|n7{f7zyT$S7;!f)wiVI4}RfpNpl62#CNYc^MtR$
z8Q0Rv3zf_5IR=oYDs#MsuJC1xC8gQXTarECZLdAL3E5=#5*|-7GB>+aBF^?9DNZYq
zoTx*(qsMiL;B~7L;{Nf-Hy9g#gv@nEwr3kbGuKzFc`A^2
zq_^kHmMUGa#JffyrJk_0bK}hZH;(%+s1_(GOMqzP+~2CmL%lTgoN+8kV%7oKAqzFVMI3h-0I
z8v_e+LbI)Ci%_Q&jKOSxFbz}5lzPZ%TyW@Jx`;Deq63^SY>DDON&@~HYl!GsfL5-z
zXXrtbGQ;*4w9}Cy5SQjfk2xLS3%4P<2|ope-~jI#opinUS0i8J*-&rQbZt2Sq4-N>
zq!_8L*lyy|5#o-d&c4AVtMemSsH|L>l9ryClbdfsTd)s_uZShYzaQ+es#Ul1U6mW2
zfXPJtyYyaoI5uk|WydKKp6v_9S@C56QG99Ks9y~M{is#@r^lk=<+!C2WyqGerB8=j
z^mOdGdaQe>=LuS;#clK%wfJ!grC@#LD}?ILH?3@vgD=SSjY(@B
z^fLx?mfk-1nK`#C%*q@(+J&qpA1yd}#Urk7nUmHQc0!TUZVt;Cx3<7&gSz5?H)g88
z0*#9eM%T-piROsb*sE&lJXNK*xJ>JFJLE+~-+wGt?qfnFOPZ(#T7I$#KY7WL-Rl24~#o6gq(u2CO(D@eLv~&YKupKqmp1l
zQuN2qiNk-exR|kZ8SL!^^KqeCc76Y)J@`qpW_UgQL^etmWpMmQ@qbWj6v1iMC&`3
zS+r_q8bV&R7OiSaL(u2(8GE1XZ@GQ%iWvd)zWcD|eNPUw+y?Jb(7P$Qz<5H|=%8D$
z)A3_e89OrYpzWyp(s$6w96^Fd;O`gcC_yq5`wI*X^!GFA?}OMg=VK$_nP-VsGaj@a
z^AIy*L*OSbwv!Prq&wpm!`_PY#BqHD(Neg(LLMKiO
zg$zXx>m0ofH;EtQ59?ee8A-iAZk;gB<(#3oL)w2IlzVYJ$C$?cp)*3macA^K2$;uG
zjKjn>4YFYx$Mg0%=wo1h1nFhYfMskr{RQ`b~j-&?Qh6G?CSXP;I_AJtQ~xY_~y=&pHwU-
zpI@xa$gfGRKCrSy9zCi;I*{b%wUyO_RjCS@f`vtA^vt>Y)7_5}ul#M}ih)HUsllt^
zWiGnC|Cu>Q=4V(4H6+IDbTVI}BS5|0|_{8UimUZ0qum3~Ze*nf&
zT#w`U&6X>=qU(FT_oh3Y?oPd*dY9E@70b5Vi`;w1fIF^WFb2~M7%;tsUPCXTgap2!
zg+M|LgkWp$H@kbMW&`>B{~_}2&hE~<_vX#an>Vjqw*EsZ!~O8IHGC?+eQfTr!6%Se
z*DcNyXgx*|PfpMKa80@e!Xu+Iq)pACn>rn$sTDv97_kqiN9i210?)k18zS!G;d~tsFjbH2;IKD6+SqQfWeFLXI
z-+4dz(kGkyPyc-;Zi
zVo+u_<$<;2Xw4SF?RF{1uk>v>&wzRHf#SYGL*3q&Hi5sQR`8&$Y%t$lnxQ%WSEP$a
zxQyf+PY@&q-Lj%-vvP*dY^+F*b-b3D+s9Mt#>P+4n0%oeI3o6}POg8An)-@aCG@iR
z??#e5M&6)CKhTgnLTFuzC&w6dbR+iOE3c5tnRz9Vz+;Te0q1lBeE=H`plnX65#-8+
zj~!o8tr5k@bJ-kJmp5b2U=uky)&g3o)A6(BUOz(SgJ*I&3#}Z5dUS+pfgWEoAuc+a
zp1;1f$LNOOe`xx}$JrM0DHSMC1C$ErMXps}e5h+5d->(ZsJxNwiSMuy{0CM#Esc){
zy`f?mQIaj(mvP2pJtW5gJBDnGkF*9l8j9!Fdg5T6%SnE+;`odZ-`u@$Q)S7bCO_=F
zwFg>S_sz}Y63&8-6-WEgSl!xVwIeGUHr>!ZYbNsO24@a0ARD;kM02F0$m;3X+1qm6
z73+Jla@Rk#GxyT{2X}9pQ!AnA5`Zwi1L-26q;8rnsUuy;`pMzwoS-ZkOSOeMW8k&I
z`AvRfOR#)NlUL<0Lj7{wV=**#_4`A0nVPOEUtKwE@0?t7e#gRXHI<9}!ccLYOMGYL
zkuR>(m`j%*?<$?1ufu*iV6}0D>73|_?MFIpA^-L4{Me!!7S1
zMN|x0GusNS1tX`1`>z-ZPdoC;n)sZ!bs0EQIHTN(0Ask+W(b@4X$OQ3e^BL&c^ej$
z2~a~;U8sD=+~V8?$NIMX})h38rm*C@p(Z@6|>WaGZ8nr(=A*Bg5(t?t=G`oxz-0g%hy2VWAKuLTI`!R$`SQQgv(jXIzBrc!`o0AodO-ViEaP}EHW{>2zt#5V`
zk=FdqzSz>+SI)SjsfeQyE8Wrhyl6|dPU+6I8Qbh!sWwZS+nS}WoR(dm?GTHVB6PDc
z;#9iII|8<0Gf4kx9VMA_vaZqMy
zow=qu+lxv}{=$$K@ov0(B@v1K7{Ax2O4uNJcUE&Y$);JmZGEO(as`k>%Pb4UA0RRPtWbGicWz^
zYv|tj;D+yhc1FXEgBgU^EDO|54*+ev-dft1J9x*|`or6ilF9HcT7UP_C;$|{eGAv<
zW(=b<4?=oS`$pQ-fL4Nwm^c)LKtqWjv==kuGK@EG{HPw~bIEN&8)5Z}AHn$?p;Bv6
z3xf6|w(9ac;#qYl?K*jyga9r@mI}kpok!-VbM>Qh|xTmG;
znAxd-6Gb37P%j880koi_JJebhN|$wX2b)VX)4_e$BtuUwPKKfc4|7G_t?RtCa|+IE
zTkEPC$^(z40#K#`QqsO{sTiLKYaxA~iam<37SJ@#hVrf$6Vck;1=MfJXP4qt$8v$)QGi~)^o^i@ZV-Bv>l
zdn!L4z88O$MYU2tIT9k94JK9#rj)kW;W?9sM3<5TN|QE7uI>`(q?^-DSbwm*0lAe_K_inH74Yz
zE|F(EF5mPkW^e!D;l*|>`5ECdNWpRUgfg&K3Coyx4p=edHPhH$_~OAL!YEd}829QA
z&uG4Q%!vOCpCt>;PSAC+z!B%^ysV|k*bzq7SWF7$jEXq}ni818(c*Vf4Z3rCa|!;1
z;VGhxTJjm#U@e|Aw5w}UmWf6bxO&}xvWky&mk;L4dBOh#xxRdB
zd45RZrpM#ivWm>!P4!?ixw)uWl@a%YG=7x3>eI+iYACO;-f$i*m@y28I(ztQOf
zc*S*{{R^i=zqMDF#N;J(^jl|5NmNlnHP6JqUAbY^I2~Pe3*(5Hy7DwFsYH}4rtjDh
zCKkt7-~CSj!K=s;jOxtB{~50DQ~mot07rFqQl9&Uj>(Zdb$_gsU2G3S=@F>IY9yG^
zlxyZGY+BE>xVLyn<1#3@rmDJnTjsPvi$1$${Azyi#np%C9s7+=qot_(6IN>lH7q96lVY<%5&mRaNc0bcI^ssF+!JYSRX#S|Jy(CghjT
z{H^@*6ZJXa%!}rjuT14Z&SIYngm
zmfFouGeP%*6OQdJI=-@Z^8UjBz_=XCD08gzvWu>WbrzUGMOCb$&;;V-7pm@cN2WFG
zn33JQ`=L4Yn|s6eMZVtnb=I9#Yp?5Cy|i-e$?nx7;EutQ%ZqasoS3!a@3+m!UT|Wz
znry%T*-Pnf{tWk6l&wV?D@b`uq|B;Pa$fqluAH_fOzClumv799yCu~{w*u|PkHh^2
zk3q>_sm>`bx90c|so9Z7)M`q+xlNhM;H+yFp|h>gVqH-&cepivB!$&Qp^Qp?|<%p>5nJm|&##&g}7g1C(dk@~Ug6m&_4{E>G0wY0wjPhH$L(?y5TmHr8pDwQ6_~CPRw=NuBF>mx^
zEbrbAKfD+AMG*4F*LXS{6M^3!6EWC2B?Q6NAN!rb5fgo;{LK8F8Ke{B_rEz#z-ue-
z0YdVJduSTGk8MM9@tYW5MA|AqnX<55h8gp918n3_5E@lCsz!o82;?=)VFF3C>NYk*DN)dv)OFP10xa+|Y
zm3$S32zA)UlormRwCA~%N_U=J=`gwo9;_F|&!a;e>2Ja7v1XX0_zsl}!aHrGtb9SW
znT_aFm*6O`}iu+&MIKXAe^F%g4rSmrCV=Phu{D
zaK)%`csTJr+KAuBaxf>lW2*#pa#Dy-IJuQfY4xzJW%}H_hBYl7f4sG!Q0Tf52btAv
zRl(}&teU7ZT`J>Iz?fnbFfkJijKvUf6aI#|`O{Xm73LND58aU2P+Cyl6e+2N+eD${
z+=~}LNWpjqgz;hg36_kufSej%VG_&%;Dq9h0VR^KvniuJ&@)aFH$k|wZxefiL85d)
ztvkDI&Olwd^N`di9Qrr{FboBng1o3lT@X~cxf%i(CqQGOpu-li(>S=bY-UN{hR&kG
zn&`Un>+6xB7@05hW)&DMS$=P3fh&^Bl~Ex=SVr*1Ng
z4!Ob+F*$PVGPvkQe@s`1oLQxA!WA`94yf9U0!wh-yqO*-m&ak9kE36(EFkKj{0_5O
zOOO|-wjjSW!nR~AR%}Xd86noDiB!1s0!pLQ_xL*cdne`FFtrZ*@7!O|2BQ4^lBsZ*
ze&?Q|=|1!w@G@IL;VBDH6EmTtG&>?#yOPa$*v1LZt1lA^gc6??(Q=h)^qu
zrAhfRk-W5XUY^{_gLK@8J^&uZe}WV&WZjOvPw#nP-N-1c+X8ZFpUzwmqRZjC$XD=P
zYw}(A4fred4P4*fBtL|Lpq_@uKq)GmwCf*bKLf|>Ck#C4e4*5?=JF)GUdT;AXV
z@{?*kCOa;Xiui+kiKzu~8OY@}QP}W}Rw&YaqYn$=qD0XG!h?{o9t$X@;VcFLx*XPz
zd`Xv=(B&l{BdMdh7QKv)2gD+hb}f0}HD$eh7V?<9!ZVBG3*e8sm|Q|<$g^Mpn@{^y
zhb7iCk3Y`l|9lfO58Mu)&8MGnn5Po>cl+ayQ}3LAm;BH9_n3XdHHmAH=b84Hh#}Pc
zbV(JAJNS$^(=NgEbxejI<+KV>4$B9e`zbhWMXNLkbHT!_1(v_AWllBhGR8Or$F~(k+
z5g<1Tflwl2b4u$uI0`UsPgPE##-xcwxg3dziwHxF%WLg=i#`yP)Z`)n2@W2b$>z-$
zNCkL*XSlDc%{y(aLOxWKyLj=^g8W)sAQjH_)Xpg?S-E6UPO$Lub(_QKo`&C{2!sAC%j~0!3Qi;Bvo
z3NG>*tQdcX_A^RF(l_&yIsh$`jgQh%({YQCH!PLq#d1E`ZeA#%!6z6s_j5Ge`dtw|s`EnqnficVKpT4q-1O03m^c1uOPM5lME
zxJVjUZgG;kd8mYeR;wwoS_=sDpSVbv1ovt3>qfZ)g2@w#a59>nZUBE|o;u`>Kne;aYGH-1l`PXCTT^i+0qRY~Rnms9oWBoTl;6aBzZ;1nc@TJoZ3M
zuRrKS6nvFfY769h+=V`+v#6=9smR&hZ+7J@xOR4MdULs|j7o-Q4U|TkyUS*;m|Zr#
z-|UXeJ~A+LWdM26nUmpDtIFK2+<-@|DFXiz3*i=4Y0uQ^18#>WT-+MzI^;7=%Wl{?
zGe>3)XuBm6jX~2~8Y;@ljL)j;+2gi!6;^B<$c|?-{JbEMf&T@{@svFdwU?#-Qc|E9
zf9jpP-@E&(yWbn`J32qNX6K_L=u+(6Upnzye(6Ljqy5_(r{A=pimvA_l!xUeAy)B3#^XGr<}tA1B+64sfLWKR3B|~dBr4<@2A%=17qg?1u~;uj
z5>q~o)>JHozvmQy=iT*7sv?6O^~UVN7u*d?sX1vTO6oUs1$AcK*afWf6uKWA
zq3!gUT&MJ@n+zPWx%h66)rg^X{6_NsUE>J^Jl6mdBS*k*kbl5$ETD&$7kWS|z0P|Q
z-(ugwJqeFhNzdvjeJ|r&Hm>0v;{e*Rj&giTWoV*=LTXN@>^`6Es+&DnwIdfnUe$X{
z+VrgH@2u>-Vs$}7O!p&_wSrmf7!BLQ_=dIwxdf+v$~cS>)2wgHp3>j>32IPBqpUUf`Or@?H_j`s905ZX*hKj658?}HjN9~mIXo~wb
z`lMc;zqmc@b`hZrzw{wxn%J)Pw-h-FmR>hRX+LUrKDMlC-K-{^(oBdj$sF=OHy-=>
z&Vl>|#~yfd$?89y=&f9H!}P*#e$m#-aBZf_R5X3<(Jp&IR)9bq?84dG;^AD0ry{B<
zX$?xtSKlzO;O3>dBY!0SdHtoY@2M7REfN97mkY|v+lL+i*!3I!@$${9OIweBc=^Wn
zuj?(Us4TD*cVrf9T0OThz~+l7DQ;%sd$t?DpXG)9+|OcSQBBt0U*zo9&ftqBRhd{!
zKAvs^zK3D%G%33!cH6R<*DouqSby`3CD%qv*mAMN;4Kd4_mx9LkBA@kqb7WxW
z4Uf*A{f8TN4n(NyKg^!}D0RJa`l-Kc+VtTKecpyeJFjkQJATQ+1`opGaXTt&D>s}T
zntkiK@|wIZu2`;;JFDlEl+UTOisjw1b_*3>|VOArfJz#8JB&mfOURot!0)7-7WE1eG`X8;2mfM8_OMYSy!q!ak19Z!|H>befLE(cp
zT!<%AHERlP7FI5+eF|<$W^$*Fa~Tuq{{_j6tP;COV9pE7pZ~}my@P~NbljYYhchmN`_S7sN
zbJHc396%iVs`o0S{1!f&E9M^-
zDHXV$41hN;9lZ%er<1Q+t-#w!{t@X;6O+GKO%k&Nuq8Zdj@gBl;WP1jSy7ta?B7hl
zG%4DleGE>=1VG2*Z6l#{WtvQFCUh=SC_7{_7j#55(XcN)$dU1dN}Ww(v6zC{L6a$W
zS|rk|MFlnc?26mvE|pZv9t4j4HG7m&elyO)7>wk&TPY9%>6@ynH%^b-rpYLB*o&!P4A@H8W^CLVJkqk}K5J4$^B@0m4UocJC)1Ldw#YEPVWP#e!S#$m#l
zq<-n;2n&zT$4+Z340*v?w8ggW)H93XBh#yO{d}cdZVWY+ZF(YvU|h^;B11eB+|5JX
z2J$3-&&p6u%x%(%_#$p^>*sq%?p#%ZZxgRT*!VK^n)T0JUZV?F`Fr?ci`#O`b+rn6
zPGJ>czx{3*lqY03zklAc=7TS<+iuKbbQeYlzZqLY`4KblD=!2euJ#k)M=keZ9SFbn~`^yQCf^9Ez}IbMZaBMMi%ux{ws+&uPD
z;YG~pBNGslnlh1{Mcp}Cl_%HAUbjW<
zFR+1wV!b@wkqKqo;*GNkt1o?etr2r;JAKQZEb8D}WJ-TtV|HKBx`F(P?T@b1P>)=5
z_GMyUa2&C?!yIv&g`@SN9kVSFmqCbh%Vlz%o=bKqLUoIpXWVsJ2lpspe^)$EwNNBA
zdAv}Pmt{6AZ|}H%Q!~CvWq(@ImQ9U?;e;9UVPCPh)cGSwdS|APqxy?7*h--{6{Sse
zBenLn2Jju9kcxEnpm|TMKIWDg1li8+8N*pd+zHWX+};;yIQXZXX56Li%xGAXfp&3A
z=I(8uze|H`5Q#)`1!r^`t~aRU(_FbuC3b|czayv~xvGEtyC?hclZ4}QQ7N5MHSrx>
zpe~2aQH9VgFya+7zcHmVY{~WEEdu%YU
zzDAkZn2X#h6=cjf`urcaIVkJooc*+p3rgkKdr8}3#^{zZfT2xrW9A8I3Ya+09|N_R
ze2fo@#pL7Wug&D6Qcx-&{~!ix@~sz4PVP-=j=)R+y)eW4BC=}xzz*_zAlfmo9SxW@
zq_DNZR^tUf5H{HEGT3eoHjlGU3G#ZOe4NAw!nkegIFN^HPGv}6x9O}El
zc~M%?jMJ41YaIpi_O&*Sn5x;5bdgNsvbf@zdWAi#cVy`#=u3r*j&|0pZ1EK?JknLO
zveoxUU2Ui?qN}eB)@SMPP3goho5XVTXjF&XHMP@bIO2o((`MM?Ga%l>EEabq9oNXp%A=z-OtOVWr<_`V
zFl}y0ZLnx@fpWQl9b%`ts?w3?QRe5`^F7Lfm8Em5ow3178cXNUzoV6(p51A1h(}*W
zFm&;!ckh%C(sUjYg?C^-vP?d@2iF*)^}*5x>ff^Z(L|teenG=!v-1Lt3*hgpJY@GT
zJ#sbrnju$nekFb*%99As2TVoUeWz(TKm02jQaDrG$|pMC(+je)
zR?HR_I2LVwWAl8QQ!oo1BtHeu4>>I4r=DmXIV{%NJdP=6O4K~8V&J;BM*2>!DD6M_=1AZ5E6V=mC~on_miFd4
z3Y)#Lk?DEJ<;Q=zttY~oc
zxo8YdbQu632X}wo!xo$|=Ss@K4cLNnhmdcwVmk>;KLWRgw4s{hX#175`#VXrFOvrOdg}&pQu2
zHGkT^xp^H2pPWDKz});VHNkSvC3|PI77tfDk!x;Cux@S3UwzNY+X1{NSbfi;>bY_A
z`E&br3r;+`^30ht
zNLXKF+OFiNhJo#T2_u7fVLf+3It3|<2TDsF1LN`IQaY0fM!Yy>;T?6laPj#^#Ne)+
z_FTQxl4G|Si8Id%eIgn=yPs_Jx^9SPc+&K+_#!^p7$Sx9U
zG;Apw`I!c&b#d{ATYY73bY8!%#@oK3H6)YkDN);A+Lz-m_YF_r1d3<5saA%daQJ$~%4dj;&m0E@eJiY#%_ha)`I>O}NxIDN6saf&N?gouF
z$Jj@RW!B8h_L1VAxw3Q@vYVEtzDGZWV?;vRrB2L0Za`#{L83Mn%qoQ-x&7t#;jWzi
za)&xt<+e5Zi&u6>>o0w1VekH-@XT4DQ6KleLN?wUYFSh`b7`SQT!&G7+5Ac
zLElGti+mbw%QN=2gjx$MN^i;OV0ETiY{_=z)CXizd-jsPj;hUf&FR=P6kT_DRb|=o
z6TJlFx0W4e9c|-Ts;EkqnF|QlTJt17+WJLBp7FN>y*_p=?T`=)fVk2Fb_6|
z+X^gymRZDs1x2|FriE*^-7}~2vi?kcc58%ulPGe(g51$F=&2rzO`qkio=Mgc9)-p3
zowlK6*4>xXXV1L6wQB3ejb&si?!xrMx7bN2&l0qy#8!lR_{4ZX_%{jv=_IBs&~xFhx7?K%9@Q~UcfYL9$;^ze^QGgp@^JlyRp
zzn=W@`Gp7J#YsT<3f4d%9>H&Bd{$|jaL6SAKrJPYoc(4q%EeEm+wCS^J~)Hl{7V-m
z)?{g~5D0)s)COk5_2IveF-QnM0`|Q@&G)9nw`hXC-~SGE57`h)!*7E32dMQRF$$l5
zMMbLxSNwrFk7i*R^!>rRsQX@6-w*Wnhn}M7(*x;KN&61Ee|^1RluitRD*La0Z%xn9
z1^Im^-(A~tbWy>N#z@@hYOE^stBqN4NB;8O9CYa?!>r_L<{%
z-+edQM}*XOi8$0D&}ZA*sER1TBgIP>E-CKl)&z>|
zemz$?e9fFlxNmz?&(WQmO37P9RH%AZ4Wz9b!c%;4|C8TYL7Y$1?YCbtJ!mN%EF7NI
zzW?EwL;HpbC5wC&0--5T7A)v5wWtc`PgAt7s$l^4QGjD|3LMD36-{fp^JR|xb5}gD
zu_QdWx5p<*H(4sOt)b>Q+0N3S?p9ze8z^k+N}@rXFF+dFAV2-)`f+zY<*#5wfdtVL
zBfi&sqi+&sBn|oO-eMF
z6~*B*$abYyJ-S<=N96d8!+{+6xxJPQtk)7#SrpgN^UGDRt`O|w|Lc5raG)ozztlFT
zld}B$r^J*VTAW|FygS;s>+!|Yub7pkk2ZwJW3qD3U(jb~EbuqZE0{gvYg$bD^0DDm%v63Ie%EEL?3_%y-f{oYNf_Yz;iZ_RYs&56&FWpBavJP3egw~W2_Iebq?mz^Ff`(>=`*2LeE
z?WV(TYv{7u#@_phevfM7_Ea0JH29v4E;};@b9!O}q5xZ1DE7oynVD4zYkLfqJ(rA__@5G6pktXD;|7~A^G{t(?
zmSuGo+akTI%d@(R?Y9Y4X1ONItr4n>Qe(_TfQLp-FOE6tM(RgyrGA&?_;M{mqGHQD
zf4)Veuh{~5uK~973-W17UJlDrvmM;MgI`4C4Dl{6zf+)+r(@p4{<`(+*MnK1VjhO2
zv1^_jJx1$1et^IiLAZSr=DDKOJjb3g&81V*9QeCdi}6Q4<02BtKXpNy!e+7tBw~xT
zH$A6eAQowk=?vjg+Yxe76O!+$0%({avlSnax{(mcW^r&k%^1s`{m?^gbJ|1lqOYA%hK1I>#|bGizQ
zIXRCBGYyB=$jkwqFBFe?B497!S4))&e`RJK+>cNvfmLgZKM*U&_Gid!2!nvOkF$==
zmdI=ox%(kdEYeEIKZ+DcI`YZ#(F0&qX%`deD;U3L34}ie`Gn6>GaeYxaReqrOmq;F
zC0fTsfmRZY1{@jrt~n|j!M8fX8TQ7g-`B99IM!8UDQ>9uRL{r`Hsu(z*A(SAZQ){b
z2KY&$v&(JH?4UOAjj}eF-BWDSWmWsi=4jo$lwhn2l{$-hskqD#w_*ri8YMx<@{4^~;>dGi0pHn&&
zLV-FM_lNqb{ifWejMi=We-^1|x{`1{Kt6?Q5gbv@ar-|*fpZYORbS$pQR&g+txhjJ
z*YzZR#`EwqEGxJJq1=G1;3n1_o$^FOUh~;bCPSrPlw6%O0YfrR2W=}RFX5miL>Bpawh%VB}gSELVix!^&Ll-
zDbMdkem={hnM@a-YrCO0kuTgi|105e#;7&%Gax&gG2
zr#FC3P`!bC090?_P|)qC6i4JGFkQKdo|IpunsT
zS!A7)3W8P{1QXn5$@gm%wxG_M=T*zC!O_+!1&|jOgDWvBdP~xd5<)=zU4o7%&+jQk
zM-=DxAT?)^^t)+#JjuEpeI46L=aUEnD{8-O^y=HNo#*Yao`YaEI*NY8($eQ&luDYI
z;7gKBNhkT0ax`Yl3p;pezD*^OS%bY^Q(@S_l?Ap{X2CmSKD^=kHRTAG4ux|qEeF^)e%F?2ig>3gc#Lv0g5fXOKuiC%$IUR%18JX
z`CZ^dEfw~HbqdyZ4%Wxm&{A`*9gbqBoie6H&k4@oOCW>>YzgIMd&%3C>4*Y(dnP&K
zF1dyOh*BgZ9u}D8cTw}5k=2AXU~faZrYE_8GtQ=2=&Qu}EG$DwuJJtSA=fLw4&ReL
z0M4Suv*azH^DLM}9%uB1i(x%7>?tVcDKCN{go#R2A(NwOE4f>nYbpwWdZPqUj4IKz
zN>r^n{{{BcEpnUiM4Ff*l3ypZ$!`H0)it9}JOJz7!fHZ)hIP~VDH#~2U<{6-YU2Fg
z(S_*whvcZn3YKM+=7q_7Okz}yd<8fUAb07=tyBZo$wfl>395c_2Svy2z=u)EU#U2L
zG}`D}FIq=C6zDSG1KP7RZgUb}v8{A`?F`0>l;R&f9A8OgJ3*Pc*&L~@E=HKK_aZ}k
zyE_gH=c2sx|0!H?^SsMHZr_oy_Uflr-9i52*?F10+i!Sk;i~7aUEShC&)tq5=-fY?
zlQ-{Br-6K<&C(;czpH>}oYDXKGd!x-u-Rp4b9ptj2xz(1mw9P>J1M64Jx_rbc)V7c{%QG^C^YLzDOpLU%7q!sNP`fRZvPt8r3M*kjC*G3=G`
zq{`sV!1VSy1Ez2l`ip1RWTc5|gzn~!ft-#@yDVbO;#)u4*LGQtOCTCL^ziJ?l~x2p
zlzn~XqHKS9KDs<6)pQXs
zGbd@BRPeXnQSJ-ZZnlNkJkYN(V{tAAq^U%Rk>^yiZ~Jc>vcnsx(@M!l+^t?qxefau
znJb;On!FP~o{SG>O*-F02^8Oc+fzS2N!C5}<5Rb)uph9${`XCGfckp@(&1I|ERH7g
z_nF62lqd7sU|){vz$V`4$H=Feb2sr3X*#l!ED&(eG^`tYcXV~-=<3(nrA{&O5%P}2
zC2ddIfFy3j?D#o2qtf|wlTqlCXN3@J9+ZdszvN3e95Mg%&-r2wN5Thpk=t%3w}B0}
zBd>!WwE=<%Xh}ZFXRg4H=l_IyQE$?2l9kUH!d|Ch+Q|TIIiEZ@R+#COJygcNbTEL_
zv}@8-uj|7^>HcbL=eadCSCpzE`Zv@(O*^s^sqWN7h`0298JGXpG@dM=dz*-AsDnn<
zLRJB13HAmRUkM5q4#w$_(ji2so}zOT76HzZ(fgD2t4a@4pId|NtT|8`%wekEG5TPK
zCZc+isy^+ne6Az*HWATuGVq^D81QVinU2XvpI<-_Y0$ciS|4;w@d6DA`|iZaKEQdVi@ZtbbdTrfEZJsrtzq@NC$p
z5PmxpjiPiK!~lp$!V)U*3Z2T3z_Um19etn+0{ME5oy-3y*+NY7_2~UbbsNO&tyr*h
zUp2P--11}t5HlKnd*TOt9v-FPmpG}4X}CGSnIaV15pm-4*4vFJ=I+Zn|H=t899a}G
zRJh6aEItH}oPQPopBZ>u<%X;U;qxzEjmEP2+!zLowsj1RMqnEcFm2d5DFRUvvBb`i
zvz<&w6Zius&c8x^i5l(e(IUiWA>VUX7+_obV3pwoS%z{K`HmSb*=QbEXEOqff``Td
zj>CC)IfDZp%Zd_I-%?RtV^qG!BvSai^H0J`fs3h>MkLuBnh%i}s}hY}bN&UUJ>Y@u
zC2>eV9LlJE2up}erGg=U3{VysoM;TTs31lll`z!RpM{1YF0hfpM&N=(Lh}*7nS6()
z5Ul>{^Dn@Lxk&;sV}RmO_f#HDu|JO)8Enq4^X&PLVA!l#dZZf
zM3CC#*zp=CGB(3^Igqct6ihVRK}t^KY2GAuXBg24kbfolP+=EOUy!uzrCg=s*y{AknGd;N#=?4QfL}ex!+LJHoLk6gqAiSCB^YDOiaA8~HaU
zLdS0&15>S7KbD35*U;o009)H=G2zp{ncW1Q2l4L$23*;i9-pcl)-iYQ4>oY2fnlPa{*
zDM?u`V_Ff)L>#J}#6485ScnUsZiiwBN;WV8`~tK9ZmclB{1>TOD&kZkybCbHhip90
zhfq=$Y&bs&F}j_<(79x9h5KCXSUXC(nJJh7zoEkN(qHT*VI`uxFvaX^R3lo=hOefk
znoaf#%H9BJ7PwfyBvmvQW3-EORHrlQCWvDGmM}b2$Nh&
zv+U%KzAXt;qs+6MW19pMl^=K$`|og{6{79YrY4@xH+_I=55&Sa8R
zCKJg{NSFFU&#JhRbAnUZ-QC7H$qBS?1$ksbX4PDJt;A_(GSueBU-Hz<%FQn<%+H-w<6$Ln=waV`Q5?|m1lJehu*YtuQeGQG&riX?n@WI9^U`x{
z9Nmz@VLS^qZ%R|(J~}D(p|u*bi2NLMUIYt-Cl-?5@&Jrq8pGKGc|&(Bo$^@nye~TpITJYKZx@oQfWZ
z`L&!t+tx;UAYcBg1AQ_tfM2MAbKwwA(uW$){}*@=!v$>7Ob_DAe|3t0bP$9ytkq^YRsS_)IpIx~K_79!U&@D}Iq@xf
zKRX7$FSi!kNl%PmdoLB
z%4?qQJo(A)iRoMMC44)-YSZjm+1@*+20mXlQ&{8{sZ?5Nem=x^IfVCZ2rm`AB?%om
zmWc;VCDxXiIgFJR1tR+mfJ7JGxTs7#=hXXKwmiK)Q#=P?^U{ct;mV2?ojGaq0H*eo
z_z5lr96JVK={T~u7>s_r`Ohc1x=#FgGdk=1)vcEeMk0fkwxY9M19FQ`lL9H3E9p#P>Ryx|+3ujh1rlCCuFqhA*%k<7M=+QLvZXC
z#_z0Lb)sX#%8Jz|IybC9ze%(3OIHoV#g=N%#L#ZNo#};Ep@Ps#!!c%$L&epqhA>W~
z+pk0-n?O3e67HRPcJ=pc_?4h!3Uj7K%1h%Fm18F$EcH8P72>0^i-jn=9V1LG#RQm8
z7D%AjRrss$N=|8$2};{IA=(?I5TUgekx8c&N`lF6M#aMk%h5-r=gW{UEN!0B1@)ea
zBG+Te~h~Ruf$U)`03TsHAB^&4M9JzW!zukDUx^{l0`ZmnPqV$WiC!u5w>
zSy>sZJXR&EmDSIh524w{+Q&N1x|wwk>v2j)O69Ot$f>9&#Q*Vn;NbZJiW_BU2~ZS?&{?4rsVH6$zSmP@4RqT@>f6QdFrof%Dpi8
zOOM++IBwu?Lq<%B$YReqWCf!NHvXruy3RMYLY4B>s$fnCG2QO>Z3j8YFkADgF
zISIB^BJz1d^*J`K5%}0VXH9Xx&<%gTj-;3Ym@G!8E$7t9>zYW`Of!3}Wl9$r5j!M8%gnf(0$};>T~7DbbHwcfPu-(v;m0
zSfLT9Y+jq{#;fk5;=3gNjXr}(8QL+qGLQ)%S?JS_B4j*!Dm7rh+PZtD7xw2V1q6>D
z?!Kf??X*}GGF)NA(iD10X(c~REA-`98*57xIe%Zf$mv6aBTJ|>s?XMT9GH`Xu(|Bn
zdKH2qZG#P8&Fsi%Ut2>03{CcDJi(@6${33mH`b3)sv9T4!bzogMb}RTMP$&IR`Gc;
z29Q!kHVp{7?(RMs^6=h{1H(B8&Sekl2~OK!BX}PI(y^wNL?}SEG4PUg5FSn9C-kftQJ$fNWmupC4E&{bzwbQBoq2`tPPMz
z>7O+$a(YulI@9*tYbtk+dAVHR$Z%-0YBLs|p@_7m<}zeAL!-ps$eY1K7((p|%(TbT
zSbktY=ZcKRsJL}NtZ*4+T8&sC;^9(MV;RV5?`o{iT=&B|zR~VgsSOw#6Za_fHMw~U
z{ZuSNivH`+y~tcZnvK~rZZ4lOU#=dfreHeR+X#t0z6;lz$dxi02dDZHe
z=-<-Ybnu8ND8oLaeN*yjKNWHfdxGyueBu4MFG;CzqpTK4r}ePy7;93_=HGRBMdE2P
zkwB%lsk|;{ZamlNte#t9Dk;p87IT%tbe+jLymY!d2-`~Z2$~1!C}qxEra0B2dE}u}
z_a7v5Xc>o(3$&uExMqUAc2tLas+5uk^_31sr5-FySJQO`VO@S$7p3oGR0Jud1?}5n
z1e8`Yng@`Ko9~m#@aYJK>|(3Lrvdwh`z7gkKhDM1iBxysT5_F~|2@V*KjlloIxv^V
z|0h?>eUYZ+V%UZRwjpQic$s=>fRpAnf3w_Y`NK&2n&tLg~{yCrX|R#UUR(4(k)qeZ!pb!0oCzW=0-B1U&K>2unx*$wOseF8PrZ0qm$q
zCmeymNi#
zDRvuK26++~;4_kb#z{V<{+dpOuLlM2AL=#m2kKSGzrEOA!!b|6COrjU@`;$t7NxFh|wh&cwOq1)%0M@Z9q|@#d%$l#!ORj&~
z=9lbSr?E=j;+S;m4`q^X^r{b~(r?Cf8c))8@)ztaC+7;hP_Hq7YTaR-#&1kVQLQUe
zs|}dMQ+Bnd^;u4((wU{#Guy!N{eBoiZXeT6B^#NduR-2JbuPG{ge_pGhH4?hl>Ubc
zcD9^T`Y_c>SfAW%lI4@N9)R@`b_|u^_t7VI)DmKij_;QdMdPe&G3Nw|6F!?YXcVK@
zvR&0n@cSrC3_*)jY6;Rx3&;!CV$+dp*pV>}P;zajgR#ZvXdp2}r1j|pC`#CZI+I_^
z!+5j1bwU)Ru_X~19-!19TE9i6_UBt$uc|PLBpeY(Qs8Fv?HghJdtv=*7L$Y7Ku2Gr
zf@d*qqDtgaTEoFja|v(`03usWIS(W3VN-TK{-7b#uJGj36^e`%SG8L6{pw13jO33d
zkj%vERNNGtV@lmJ{%8LX6s`{gyehh
zeflHdB(J94znXskAhrs*gk8hfSxC$gGjhpYUp{#?d_RjC!_=Oy0lXn4GhU``Kv^boGlcD*EEQ}sJXuJi7d1aD&MdYSM_hu{0x{0#3*g)zV9SRy`>K6XS8;|92U4XpOobF|0?ktDNA0%H5x8|8O!7^87ORh;1D9teWasyT$
z6}OA^C7A&pgYZ&u9P
zh`j!aE3UYd@gM#-`4auEf#NX=TPHh-F^3(?q<_N7B7j_hava&!?jCP`x4YCU<)Eig
zp3BZfPa{0Li;I>kb6TRB{CrKcB}b{OK+2WMa-@Q>olLw>9-`ae(R~F4Y>JtXjX*lO
zz63D1Vgxd@e0bTRrbG0<_{@Dn
zd-o3QrT>NBY{xbux3fp-xhBfYHPl4IW{hYcgMyC{sZxyL?$XXIiNlT}QUcz2N;}}4
z6>paZqD3}eZPa)KnDz3Ebo$J*${gVwa{lh!AYcbJ
z@=f~vVQd+4mfcRzdvvEFXMbrrx@s7o_5IL3*o)LVi?Az@1?)OHo>p?r;8@rkI5i-7
znT-*G&GwYEWeUw9HtsZGR~U0!!r|r|!p=zA)=yq9$Ja78y_Btk
z%VbEa@fzTgtZ{}kaB&v(_N3bwbqf*E(kt2$&ys)o
zW?Qvv=cDU<+>8l6fV4rdDF
z95%|E#zO^A4$U{^r|U&Jb!Iq|FXwP^SdMTwX@s!A{D_#1N}QDru9&Yj)Ys`XX=1Lk
z%E?VbFsXws))*S<#X2Eh%ym^Vy2y5N2Xa&5JzC#JTegnda$6@{+bc5UxXTh&&*ta|UVdbKTg8~1Kwa0O!<
zY-4&S1VS+oS|B9!mJnJXq(MT!7ywaM2G;
zUmD*xvR;vf>UAb-M2jH5z3lT3-dyf{kq{H_gFo(v8i$|#{XdC6%3KBZYg@<0TCcSi
zxMb7QX}?5wF^aGc(h%63_7JU&s>l8f`Whnx+YWwai~o$on;|yPH%;4<=emX7BK`Kx
zx9+9>?R9h`qXzpfktHYbon|M_lhKz5qelAmKL>6*yeRG)y@X!NXvDsa>oZwt95(57C{Fhv=n-mtju)WM
zAR}ag-gu}1tnU-7T;?pWpKco)YddW(aLT|lMhGq=2iPq(Ww*!ya3SC{g%~oC7#vQo
zeYc&qJ!zpHS_y2xZ_y5T6|D^X|6p1I_k^;b$(g4};;u#o1OU%N#?<L{m@yu2*`jqexr=UwI%Ux=y>F4_(7rCB+)sADx=8gqNNi>
z&=WUHj4HlYCow7c9_mi@8d%3oU>)MrDTg!o-&C+69t(lq@l=L1w(`DAPgNLv?q_K&
zQhI^LB4g4@wBcG`;b^5*8>#gbj8#~PeQHmhzDwcCGbQBbP4J#mv}j_ENpjy384+sk
z8hk2y5swG9A?h%N^c>85%*^l$4MICDN|<;YsXSfnE3!gf;`IVP4{8L@Bxzp>Xt&Lc
zPt1mjQg;J~ix^xEnFJD1~O#kLZ8}D)Rz~o)?mM8GFWU@eWNeL
z;c>VTY7fG-{_K$&m)R7*hrR;d`zW0Y?%pI?>72Pa;?%Xxro^N1870POqetfuXs}0k91%FIyk?OYmQOYFI9iQS9jI^@Ow_r=f=|GDUq<`k
zE5UmuGjTdHNJxr26)c3VRzys3)?H=7WVpd-Kh}JVrjX#OjAASCJII}G&=5a|?@o(9
z3)v5NXG+#M#R0Ua2PQ@#gp)H7C>YTFc*yARu{F)ks#3P;n3?X!^(grwsZ5y8a~#X<
z=JGKbAJ;mK4pVO%`MN^Aj{Iau=W&R;p+EA;e&*-F8q7earHS|AbTT=S`l3CGOr1s~
zr;8XWrb5p%UX|UB^C9e8lS8mtjH>0tpP@erDg1YG|E092skz{!49$R2kyac0g@kjc
z7#p-3Q}H+)Iu90Tij2j%42_=6hZz-irlL+b&K*a;(Q_EAY6)Ij_%8u3DqM>1Sxi3v
zJwWS&KxPG$%*I1DGMp;Q3&0QlZQruZ0tqB%Kw@G`YCpzzyB8S
zjAy_zNPCP^vXQ7giCE`^mei{c^MzO#W0ugQygm1=I4s~`nHUqxYSSb&Rhk&nqN|j5?!*1S8tlB(C0_02088a@EOPyhoN=-9A0B^q?(9x4ZhZVw+
zWQ>3!0Gj(<|1flV_&V_R45cFeN{f%8gQ$=DZwXJ%rvP;DQQ2nb&}QPz#QW37cx<)>%6)3NIq*?rq=g?zO7_^cSxN#TnYS_Uf`SGk?_qa
z{}mRkAA9CPJvMxJ@XId-XMEG=lfG#><(y*Ve~sk+n)FTK3)9aoU2!z`bJ8`&B|Q6@68T=sQDqZ7E0psR>rO`8tN&#nc-s^yIYVxUFtZOGD2Anz^KvNSS*}
zPZ@k`C417}Zd{VD#Qlxg(@_knU3d42aMht#c1?Xd@g~&sMBWPpeapP|x~Q2DSmD1E
ztvuGa{8xvYkWDv2`v@|;GktFQJbD^?knBwt`{y*}&#f{_nL2$LTgp&{3v2w{x9_O-
zwQsJe9k1|9rBZsV{rr`C-aKBv^cmvwn{WMd@ftBy$7X1qDo*3+zg{_b?L>~rX%ewF
zG>^^=QE3owq&8^+HJl1kjIJp>0%kqR-2>6Y)&URe%co8uN%96cU7Qkb49eX#A{OX
zxB~3erK@{y|7hQqKRtGQaVDfvmhK$M!&rRgUXg?W!L0s8E0=P}Y1A!e{<`jDtm{UyhZegK1HbIufbnR~bZYy-;@()fnt$CIB`|SjLu`s>b
zeCET0{b!cte*Z1{hefykecuDb8}DvdSb|{k_KA*AGEdGW7snGIZ~#K|i32_d66+)I
z3*k2oY?k^Pa^Q*k2=qP
z-WX41mLrRyNA9ax-&>h(6T%fOheoo(Lx(%yON%VCPTT@$dfpWhH8p>a@8v*-pBu4v83FPp5K!n?JV|7**IIq
zdAq1REb|Xu(O158tX?IK6jfN7Pp&J+9l7RV4G-9IQ*NEJq4g0@}q@br;TH
zY{w(8iJ1w=45CWd6j(rw=~z~WG+U#|E^W_V`ryu3sBd3W{pKvg4GIM!f_@cSHg)sv
zcTcvgc>^-uTe~L{vo>t+(FeT_QkMa}K$nZy=yz*XJc-z>6}6uE@UpR+S4DMd;MGWv
zPCZ&*-FMfg`_DrD4>l|Ck{!d*IeJXl*l7Zs3n#E!fjlZGs{^j2qzg=sKzb(SS~BA)
zuIK1N7BnK}Z0Bgj=b?`8_dwqeHIqu54TYimd1~Qz?=v_wp7e9MNAk(kDR>nU6iTM9
zhR1~BxGyy{{Wa{0W3-bsXfkSgEpnXdCnprs$V!F};Pp4-__OHADdAxMct2Tf$v`D7TAL)#@1
zGa-cLwG+=7T|AD{G}Wz=!wQvRYCBjFl(u&IJpB(n%Pz@Td8$(>SOTF-*uspuKxC*c%pQiYVHRqNWWTQ2lQ
zA3wa!T{lrsxxC6;clDo+Aia|}OkCaTEV|^@VZ<@{hqZSt4+R$Ayb8&Q=L!j8EjAA5
z^Cs?Zad^Uo6=VjoP>hY=w^wV8BNC24ELO06M;j16rz|dfTmz{r%sUcDg%JovCjfCX
z7=%y6DBWSr=nmSqD26Sfa0%VId^NH&EslG29{U-vJM1(WRZW|;Cwg*V@I@#J$z3=S;X-PnF?U9%MW^zuKRY@An73133iPDWSVIPz5Q$z?g&OHcK~
z>j&=s*JbldD9Q7piMWj(r0|fU3)Fcg;skMrbgo(_?sIzh_|Q#j@*H(*tA=h`oew@E
z@1P8&Tjy%Ao6X+N9XCC*Y|kqPD#m{W@o(AmtFp@5M;g|}lcp9gJw}~z
zp0os(xMk+ZC1V)K4>)o)D=LhuE_tvJ;%~ffb)@3T_pW>(pP0P($c10>G_EcgTsL(d
zekW)Aiq^Hy9t)UYAdw0h2RA46lMY*JS5=zUZMZu3
z(=GR}3VYkPH{cc?1b9#$Z&{x
zo1A5SRp!wCrm-tVibLLLbG{+hsnA(;VhM>G2llK0>>1hrq+fV{^q7TMbAp&Uv7a25
zhyVtfPcfKz>+W2NDA3ow_o1&z9L3&?_z$HmA=aWd#-B~)@@6mAWMYeSPr%s-_p^P)
zN-K}2LAkz;;J}UwDT{suv0900RK%L2+O`pnP%|nKXOA6e^`bYw`R4Z|bWPeY(ADq3
zv-82TlMX_%6GBfn(&HG;N$1%r)>GJ`WM?1=;*7#~Y=84)OX4P=B}kr-?FF2ALj?4xfs|NU)t>4
zNO-@&dFYhu5E`iYXOs*wr&DpVaRcnAHv#9w7
z9!DkK6hF;Xd@l!_SSsH3T)Ka$np_Ve60!y>U4rW4CciK$Xz-`@--*3SeA
zhR~@*U&(KeC?t|CCN2$O`FvA1O}z+*kQF*5A-2birkD-*NFM-y_-e3!ve~+ml-d*W
z13dtXdBj5yQ%-Cm?u8#zPBOTt23kT)%AswLe`-XD{1GdY*+oRdQ$)q9BNjdM&Qs8l
zSL6Qhm%xY21<&^-o*&2Vo-K7uxmi&{L%kOD!BQ2mx#K{8p#R3-t=#mdz9oE|!IMe3
z83nbj>Xj8Hed$Ei8K5CJG%)ps0=Wzj;FA-l8F~F%%67eSuySC@N&(802=ppppmjym
zSs6)RF0o6Xs#gDm`bKO=XFn78}B++PHKJ_vr6tQ96BW>#{b(-wXykK*o
zPskPVICO@L-8MG4tM~3*wV_qN*h0L6(_jvA8Soh&1n*sLiw$IFbQIeZCcA*eropIS
zXQnk{{W22FNb)+mp~W=NbSd1mLT>_AOWNkXS#Fb`L86TQHV
zK&QHZ{AN4i=5$jJP!&)5)`tF3^Gncjbl--Sg&}QrMXy9bR-g0#M
zV!hdNU(<>m2TL3F_c{2AsWY|2cLCuPwlpa;y;YEsyPM7>jIv
zyh>Ut@`*@
z;`=-PTdnbhm$2YPb>cz4X#oNs2!^s>h^
zB7sC{iZ*(~y`?q=jj3_}Qdhd9D$r0EQECbrMvJo=Lkjd0q0M0vwd@?O)oIJS*HtZl
zXh&IO_(03(iIt6db#c>Zp`$n_qH$`Bb#8BEZa}Wgt?AFl{X#7@mvQ<7aPPbZtkaUT
zsqqr!xz*kJ8Dn=45%DJ9fL{|rG*)EM-gaM;)5_NIcxI(OXqKVK058UF>1T5@dCmK#62y6>vtpd#3qH6@8V
zE~cejeNETAd+BRX#b4K#c2?_*7tR#4lAaC8HwickH&A}F?Wg#uBoE>0nw6ENwZK#T
zY|AfJg}m+C;-2b1i{-!Lm`uZE#8lZnd|wOv)m&G#iE>qK>Z!j4p*NNI)NkPIN8$U(
z*;l|1SOaKar0GaYipNiU655}9C6WO3PfyHYL>m6%=E)cW3l2SXzl=CXyq-@?<^7WQ
zTz3C5;0Z9xpyQi(9^FUCAC5R;Mq`B?DnCn@2@LukdhaYG*C{{vKx(G)(rbuIureSs
z22yI%5a_RviqhFK;#zbC#gnWb=Sf`B=DC+}Q7t&I*KD|kVo`X8MV}PONoRg2kB-q4
zZUeb>YLu7J9wIlHjokSoEF+lN&aw;@SEMGL($OQW>DT~e%kIS*!8%O9!USfZ>u2x&
z2vrP6g)gY7N@(l-Sy;e$+HN7Q`)~1FuA2CDzbea^A%<>HXIVca(mXz`NAz35ueU+<
z;F_-nI|i=#Q)htxF{P7F-4c|u9ma(2-%IJfbjF{G6S080+tGmOw0-j31+<%ZkbKjO
zN>hH+dGrRLSI$H{8v5~g^g)i4;odpeefzd*Pur%Ns>RhonIs;K-u>qBh9yrEU)*x$
zqsn+RI+%M=Ec#9=7X9J2)l1{CXbOAy>o_(Y;AJAXiF|$E;9|I
z*;nEExL;5WbV^RmdP+;4ugLV&b@8LK3hswDQ|IEDIA+ur$XD1aX@ay6*u50s@HwN^
zsnyX_h7yo9lXN2#GPFD6y=-=}m(3o#Z-{JSGZl6(-&Rt)*}-6&Y
zmxZsKH)|Vr-$J&s_3y5R>W0^Odye$C-F|#)cQ8L}FzV3>s+a95DsBvD`w#XqxI>Y3
z`*VP5lhlA~6qG_V@Y~M@@{jivFRix6w%v2x4m!W@zY1o(zH#UIyC;|~dx
z(w4%Ox?;J5WXm{UOHtQ~S+=Zy63TjDh8>v$dupJji`ap@b0stYk=T!bjvKIJROjp5
zoO~o@+R(*0iR677NAd%U`WEMR92^KV9QxHtW1fn^a8<9Uw%5C?Y(0->Qu^FXRUJdl
z6ROM+SJqg)cc?Y1GGvo;amGWL)gEzl#hLysfBo4gn^l{?zB^Ma9RcTHRoU-)n0%>R
znz!ou{*{~bRy~(R^34wD&7k<^o15P!kEBGSWO5l)%7hf`5d4n>=gJe!kz)_<^6Hu9
z=I+5DC0G;(OIJ8NQ}0M&E4YoPNE34Z1;5vLIMR`4AX_8bZX>zqcR?%efZ{%19yyl*
z`#JE1N+_>uPFN|m3xhV>5R&R0S)oredSWiAyVMr}zKqsiM4V!1HG+cL7IR+EQQF?!
zUh1gW_p9{-SC59zKBmudD!jdidQI(%I?eEitYqlY4u5Bf&DXxAHn+DnpKxiV0*Sz@
zSNj85r7cT#H?9566%F~zu5SM&@m);r&na`}jn_D7Y(6u7uj3JG;eTOIqy-XKuQS+O
ze2DCVq0e=A$S5K;Lp$&%R`K}$CVjR>g79T3o~?XLm8k4DJT
zYD#K3+@2a`I?CCPmbUL72(p-$@PtfQ;;YS$-7)!}veqMG*<#B7>F!?&6Ff|<>WkYP
z+w^%F9qcz*G(Xei97t)yLXy$Bc#*!CMz3c_7oQv%I?$|T8zHVK&(c_3gcpAEz&ABj
zKkq6W%*QzfUT$%DBewyCrq;9`9?i-cIot-xhuWQWD@vz6!d{u$+t)*NVEtq1=;%^%
zF2VFPaUb$2DoW#0r_n5ycbs9Qs?Id1IRP_cw
z-C}hfa<91by6&p>Owv+iMmh@&cik}fv!h#v8??lqutp2j9{^5nlmX5NQp)F_bK=Ah
zR0_CzzM9gZBW?$-7D9BPUGom{pwTT-vA_O<%EEq#rBny9Ki@R7I~KN9$V*p)-9bJk
zuHcHHe2I+MVN>y~IKdOkp?x@yupu9pwq5~tM+$a_+ucvf%R|#&AwS3NC$WLe$sjWz
zCqzb_sm>g#oY;dnlar*lQ;iZrG=H(?bkk<&$a`||@D
zo1E1q(g6eGsLaYQ*k3UDevlmTlI8~f!wFOfY(?ZETQRpB3{NT93C068QurNVeNpak
zg`;C2tJ;fW=a?mHZ(cldYAn=r#c$Vi9m~$!-%>pu6|y&++lY#+MqQo;{?-*PUUO~d
zrpr8K%@(No`1;EHHMfp#e*f0~qMY2q@X*2bNiFghYgtIAl0j5{hLo$Xz&;B|Y{mb6
z4lJ=%Qn7R??wewL71ctkdSPar2kKb2nJ
zyEwCUW24hk**Dl%=_$&y7X%z)o`m7Z{rR%$wY4@+Ro`%5m4|N#T6`rz2W}B8Q+W(x
zYuP|f1@Lw3Mtj)m%9JQ196?J~simYRt8%
z8@9NZZ046mmvo24l0LxK;@Skw)92yOfDGi%+}US#IBA1Z+ANcGR4EHXAU~d2)*9ql
z9Zr#ksTc4xYPne>qqDx9rCBQzG1wd|oVlkYb#aFv^tGanpbTYl7`?y%OT2YCHM116
zIczq2z1x$zECDSo(Zg~tdJxEiDK*ZSv_h2Ak{aoRpB9Cy`f@YMO&YeI&r@j>PU+NZ
zJd@!U9}{1{u2ErI=}d&J;3C!5SXjpwk;Eu%-#?^OK&O!hRidd6lp&QW9PhE4{wMHX
zyHS{`S)|Zmz^w{NfGLXO-9$(?7nbwxzDhz6Z$QuBQ!*|j6aMZ_DTLokl;bEoqRbG!
zeG~EB6Qe?(1Y+Lw{^Q`e-w-E}P81?NLkb~S#)sxOJab}+!01Iz!B67Eq7OAR=G|oj
zdFmxY8KnV-%+7b^-MMb@b>pFop_60p3#BLuoh9}uEtRh7#nJI~xEeQfhGPX2S2lJW
zUscJ0S|xt+k~sYmaW#U2_fu81U|I2rnaTRvIl;_ue53@hvSBg=p-0%LTJ!1dEie2o
zRG?@1eMTF33lsR7!$o5;>z%hnn}T>v#q~_oI7u|i;3ttY=^n+)(!G7RKc%LNoZfSF+u}-_^G>t=-DD@IL%tN6D
zZ_cj~*jC=3J#e%?qoJpg#{{RAN|+ufHWig|xfW;y;z^a9#gs2*0lxiyAd@`m-a%UW
zL`-THHGgLNsPb9Lv_hBoTT27{%_o{vT$PjfduU|wy0XqI$Fgb}J
z(r-nlPY~CjI^aKGz|!l;sn2-al?qc4FavqLoC}&l_Snr9$Kk*TBu-j#q$euFEur8%
zNRU^Uk2bGY2@wPyxn^-52g2PYUU^xuyTpT+!k4h=j&Tf=Xbc*O-e!P$#4D98Yp!T*
zJ2YOvtP{85^+T)It@bl@mj06L@p^COvKyCVjXLWmax*fxJf4apl)Ke%nxmw}RaI{-
zYa)}
zS)x<{Ia*5`M;IuSKm)rdk1(5Jq8x~LeHs-1b
zX#)Z=@ROnSXVZ{0J8=?y6x<2fY3j6kvd=2f?*RNQWUl8x;_`>*&LgMBGLU1MtfAE5
zK1S4=wiKEDcr{^uok9O%fGB)m!gtCh`LagG!
zkvaF0qH}L}3`&DW;jtlqpSjx&?yVuBLM_ju4wO3F?Pbn@PoNWOXp*e_G!(`1${R+%^&pl5tz;8E12mot(<+sn0d2efe+{qhqkYd3mn8slZac`_a|C
zM~6d^?)3%s$}Bxgq7>ev5^(rpr6FM{QB``ZYgI+4HXz5+
zcxH>4-?3-7#-J_hTwS&Lm%C%(fqjjOPp)hVQNwyH3vp7z4#uJ4CEl4aXO%0b?_V#?)5mz0_0OM;;*XWsj5o+=s+5xR;V6_dF?@8RrmhMNCLd9y#?E+-RUn
zj5Z)A0R_t)f?-HsY6`|&0uZR!y-or~+sBE$9B=HptDmBF^ANkV&J%mP(^F-zg`>H#F>Eh#0tA62|>XxsaE|^+fHh^~KVxZ#ID|53TlzVG1}2
zP_8t{CB4u!o<@@t*9Ob1q}qfEB(oP4Y^bJ#!^fs6QU+8)
zCcCXiEJrveTe+@HwhPh=m*N!PJrK-Oq%gjkEnzEJQh%KB@UIk#UL~Zq6OY_M*1*`O
zzo0czF$+CuTjqKB^UMo$QSis;g)cTMN9P7KUNW>f;@?`EYKrBMG#N3AhlVyem~0?l
z(rE17l-ohcGDqQ;a|34{qbB}cxMzD6WWFeF1cweILu+QOiq8q-RGp8JxQ`Y9az?JP
z_J6p>#I1hr8j&@#D{QJQkv{_%-gIa*rzFQ-Tb3&$S2*XQ;|N?Y*9tK>QglOa_HdQc
z)3W~9&-zOD7tOuttc9TJ9e4FE9Rj!S8b~sfa_{jwi9w-CCxGthS?cM!th@W3Yqoa>
zD6ns6`W(2YiNX3B)6(W1QnZWENoHU;=-T+m#8kJ<>cOlIPP$BHaOVf?`7W6uD^^vW
zWe5%(?H#x}kk6I~geGs)S=XG?Iog@y@7htzmN1PqAq5#z$G91FUVn8otX5`t-EKGj
zoIoVk%4HV6+ThkJ)TT&XR>_XR+~Q!TfD3L*@5+TsZZ0Y_L2S%5^C$Je~$4-j;|p-rW3LuVzr-k-*2!4k~>7spa&{>gIAUpoP3g
z00}}OD2J@=Oqr!dV%f~ZS%5<0#=hknb6fWhgd%;rYt`qRwcES=J-wODg?_1;i;S3~
zE_p`hma3+s>$_Bchq^fa`iZiJ5w$@rrSh`J(R3;nka=<3aDFN)A%U|=EckVvG9i7A
z`WTSDRle46&3IJ8;0TIt>7OHStGEo4Q(-4}3+YQrTh7Sk^^^Og;!x*?lD-}ND^ulb
zvUhb&371S;k^U=jA6gI2Ejm@{Dx)w+jAk+>PF<)F;Qd)sl14Cxg|Tr?*R#-9Ilh7CQ19jTq6@Us~W{_d?YoXvp7bIY<96&WJ~d+RDzRcTp!
zIGoI4jh-h|phQC?>ab?!*oh~kRQj$QY1ddw`?6|x^#*-idz!z0YM{THBh+A~&W1o{
zcRdA=2a&U$Pzksj2NF3LvJ`1{{vQy|#N?@YBLHdi03H4dPs^u9`$45ClK}4^Hp*aa
zZtgZOqI_J$is{r4t*Ghk!pq&4HOS
z$ebJtM2D9vAs)^M(YcvTL0Rn*_LpVxw)!l&PUcxoAZ<->1305qWwm)Bzt{AnHoaLbrhTFah1B
zh2ozn$-rb76nb&oIX~)o<~Pe3R?V^g*4g0aS?uM>yXHnZpCs~hHmD;R@5EkCi~Ena
zQU0T3#($if`B5!}KUzb(u@pse|
zsSem%J;AXs><1Qtsw;z^1ZTsXTp|4Awy85RXp4?`28W^)T%4d1NTuazF9O)7Sj@Xe@vEHJyGs#1XSx
z<$krMa3uCKPU*yv*1X|zYh_2r_C{;*n(Mj_{Qc(6k_~r`EPm+tDsvxKtCpgwnt`>&
znZ2O=VW@gd3@x
z{O~bf2rVEJBqJ*uc653%+D;L-se9!lot|{PNkLqpaekujQvA&P3H-bW(&?x16GrMrvxM|pQ4Dt&3|_4ey^Zdu
zTKOYfEp^w7W@$5wB9Spen>AVkE}kgKS1g}a25s6ecDDdbL_Sgdo(
z6)wG)TI1aPNL}MwznAcTtxyu16;7Qvj){@(NfX*&m
zyuYC^jAL$%wZNyNGoclLTg@v=0
z7m0Y?hu7S~Q(_6Lp%$J&zPo$!{{P`REs%89l%yr>9qkLS=F<3@FESeZdA8-hFe25y
zybeu}wq$eCmZ;JN)qw(FOL%ZK1Z@VqxP#jBp*_Uuem|uR%}Oo8IXcS=kDB5Ix*Qmv
z=6;odG(H#Gnw6wIn#+VD{zXiHHYP1na-S{KJ~#hw_W2@X_5Wg@q5ss40aJF{tSP&d
zZYNFI|9rC-FmRN8qaOwKEiWyW)}6NEf3^M@!zca`!-wkO8tLelW5ivvicW3%MT|*o
zdYmzH6@BoZ60`EqE}_G+eZCPSekIYn<;kDO-FnIY6~BJEv4ql!fNwL7<&v}Pe-O(R
zxW2IDzvUkjiB&z_h#+sL7{^(kr)rF7&ctX4m4_5E*jy|W*;_KP4I%T8-4bxgxu%Jx
zk?yv^*GQnz1q~q){ehI^Yt)rT2|W5o@0h$lz9!l)!J3vY;II9cmHgyoCRdwsw9xcP
zgxlJh@E9>VvsNnS8j9>GO{|qT^pn^CZElXU<5KCEX%||BW9%g;S6^!LL~?
z-n3+G+*?$f#P(zL2#IPJE*X~_%PG#a*OlkUG{tuhC&MB4^p@@~-n`RmxQPsd+}S%Z
zm^HY!25KJP?CH9!tNWglRQLn=tJfGmx5%2o52zTTd%@Z+FC3X0p#c|c_;8h<(r`E`xfg7GSQQLd#9&|;fQ!y3C#;=Xe06&@xF`wURB
z>z1a8@o?|cK+$+p7IjFC(m>M*#h3lPAi<9LQS6KbBY%6)GV;Y
zN}EaCC4;!or|oqzxgcF{5JOEInOLN==eUa(S6G#DLs>!BcQWQik2q
zsZo!vE#LR-*72)zuPY8IO(I8G5Wa#Zz}0xc+M5Q7d(vyi3st&Em7{1?vk!s_>oj7F
zw{cO%GY7Z*?e3viF_oh^j%H)8q}i$Ys>%3UXr8cxD>R*!48YA*4m8`>6e%By%IIu<
z?17ZPf7uF0(U%X?L@i`RwiYJN8aiC@n7X~Cz62*@aT#qJD;LwYj;>Eh6}n;71;6_k
z7bxe~=JdD(WDoDFi`QRbF-jiuFVa!*MWVM*L1qO0r=i`I%w5zK%Zu3w!Lza`!7C}}
za5gVco(UF1M?{un^0R+W4a}P(eUpld%QW4=cpv;{Kqil%f;1i#r6Yp}@qPv<90y;U
zgN2aPD5zLgaoH-^kX7T>`V3;?oLDC@njE1Lm%Xke#J}&Ib=Jtx;kNPXmV|6&y-U|*
zZTesc{!;02*u?QTSqV=~A58u9Ls8HYDN9wo^
z&~`PDT?X0XE2bqtUgyt#pAQ-FHH~L0%^2CHoO-_f&54c^6M0paJ+-#+(*6)jtQNvW
z(CXoEV?l;Y!-fv{+X^i^mP3DSsfn(;d->LPuI~yBU)dclG_n{%#-RhGLQ%8mzrgH(
z4pv%4k`BNYEGdxmIay(IeD7z~8IRyHJ~Y!cfS*VBwqjpFe~ATycd8r1+0`x{3Wciy
zk^Kic9Snh72$zeNG$n}40gEWxGE^z~K)?bgB+S>~N+p}8q(MW*@+@N)L#1<(dWds-;C4jfFm;$QRC5=PhmUi1nUC
z9_Hieuh6C7+-V`B|0(QD=8qzw)WYG^2s2p-6qqr5bIS4P5#;AggpMG5HLg^#cxsHN
zY7Xbu*jVUG<~+BecFU<6YiDP(zFwe}8Qlc|cbQMo(78miWYKU%%vTyP@r6>hBYMZ0
zmK|*_@E6mugHJr6ey{S51R?hU)udH$}a%#znIGfVxV)55;>UKZ0I)8CXu{@8Rj!VtH;!w1&
z)IpP$-Z`8%SZ>khwT^ErE?a3wcn(Yb_Ur407X#&JgneZjIs+m}pIXEzt==?Q(|`Ty
z0*T41Y7z?NYPq$zD{%YBDsS(>p5~jb*x2q5d#PB7XZma8VU$DG;+SW8IrT_tb!@yG
zF{SAfA{-^@;x?HS7DCM-TXXkFcJJxsdCkY)*qS@sRII2M1(XV>+pjHNQSZ{{w%oq{n>WQa;V%(EG?dY1)Od;_nqr-~EH-2-T-BUm&TsNMii=|2wGjM?QcQT*I9nlw
zUKcB;q%bKL>gg|$f1tcHPFgu-RgyG%p?La|gprHiH1SlD0e7t)D5WTxA{@F&iEDA(
zsSrM`2t_O0PNx8d*#@oGW)MB##Rb;Nr6rjynQE7>XrsI!$H+!7nb+km3E4%ZECEfT
zf@(~Dg~sA=*+LdrmG09CcygVnl_k~7zwETN>wtannxgft%yrR@uRV@dvQk>0^QGS`
zFiPxXn`l}gaWC?1qLvcep)VeXg?xM4H~CdR>na>AR&r{-spWX`Ee+L0co7O;xCff-
zT|^DKIxw|nm`dir%9$Jh@+Y7_jB+s-3mn_PZNP0CwZfSKky!(d;zN$a5CQ{DGA&>84FQ>_`y=+3C{p)!p|M3{H!t*Y0o#9^P0ToOlj7+wgbdoI)rc(VvE^nfqSQJfO}P;Dj%?y
z2B`@8!&G)AS0&{-HEJz|JAWMJfcME~y-4m4#txAvxE^;#e_0vUS~-OUSJy)nus6
zR<*1Y){|d3>Q%Qy&1;r-+{V2Q|S7nwA4y|1+T5
zwV=(pn0AWJiDY?Ne6Al^xF*ZsFnp=R0)6ML2CPOr@p3fE?8K|oO8Q9cP7;UwifWN3
zXI22&uK={TQ*L!XR9KhNFkRtm3)hV2Ntm3{AE=@$@$*~P^Cf&P16m3pND-Of
z6-nViWk5Fd4hkU*9%t$rO+*gssGegN@a297)(S)MIu`Hr*Vtj;SBS|Dri-wa$VvqA
z&-|f=dOGw$!D!5)^jCWGM`KonzY?z1Kn5A{ffm|=Pd&oPyQ;bK@L;HB-=oW#FAZ?v
z82*dw#aDIa4wPGRsLy2<`08`N`0Am7Kz7;2n|n9Ed&8pq$kK-su@r1Mpix8J252c^
ziJ5j45_26%#psy5yCMa2M3G_DSLHjNd-7l3;?{u17`CaI@^fPM4If=uqRpxwUSAw+
zD)0ytc~zakhRw}RW7WD_-+_LaI~23IJNI>8b<=w<=k?^L8=@`2$F73g+K)WkTXFe@
z;R>6=m1{KSx)dd=jyG0bb9n2bFp%YEr@w}G0(&5uwM~dMA|urv-btzm!`j(59B@UK
zc2=q)z|u@v9Jg05i?Z>5DLJ)QEr*_q-zmuFJc_-t;By{*AoV$26{_XfD;F|SpL1+E
zay0QAa6UW^=rPR7Gd%O8Ip@UVzNT=+V3wH17Fk=n`!W(Fez_J1u2pFwYokcP&0KUz
zLH~);{xCz9qOf0?#6AQNnQ;liA70h!N7TlgBVO
zS&LQw8GH+Q2CGNo=knCLI9?`_4fLNyRn;um|1X~D|2K-E8v|tyQCU@^`B2ZEW{Wnv
zDJ(T{j=hpCUd~V|f}X!`g>~tHLSt4T@f!4J5`8>tq@`HOF)E2uF32es5_`bQ67T&5
z^w
za5if_CsLx(@q|hg{4CJDC5E#$ut=BDz!S0XjXRI<
zw2in5sR!?7lb$>7C*!nnU-zPJvjj9Gon|2?YS3nYwPh6GMtTI7xRo|CdOq8jtQEvt
zU)QpoIFKu!D;u%h^0=t)~fGTp=Ctap1ZSxlvS
zfQJk05U_u*0y<0!P|RS)cuVa~HeYR6({jZ#6FsMvMcwtw3T=(nrF_(5fOT
z)=;_*g{tf?1v_f9+^gK5*mjR+g`*bMU1y
z8Vy4pG$i!EFk0GBGXy&?d~Rrqscw>u0)}b
zz!rD2!_n-H)8d-C*J_nmC2(Ehj5rI{w+m||@m(%nA6cf0?0Qk9!nR@zgpISO*k;KK
z@U5!Q*}tj8uvC$uQ2G^9pGp*%Hb{_t@njSec`i{iN}iu{2Vdquu*vr~FY(>;+H__c
zPeSJzrPs0Tniru3kG|kl4XUWoph|pG?F|fTlT^ouyiq^FGb>&tvW9DtK4hZAK
zhKy6xY^?te`v~FbXTX`IqGP
z8C%KVGjs-fVWT71QDiQTL~G_Q1@Lz_5QL|&d&y1&WOmz07d*8uW3zj7e9XJ()XMzG
z_|*g1=PD;o^w^g#&TOLkGBBpMz$%Q4pB(DH_vmsRp@-W9H7gD^tlz9QsN*yA(qiEG
zuf^X3r2>-EQqnaz@N-AYm&Q!3N1t8c8R~1(*9kRJXI4$*zzKcj>ZZzb(1)sy6?@8e
zzj%4M&|2Vam4O#Lcu&q)Q#N;ss)e6^diramDuE%sKoTV!KL-M^E9E`yda^FxnHhi2
zn#Rg=$gfrHD|W|{?`e~144Sj?_rR^xdNPO`k!w*Qb@tDspCNb_5@9ykB#IyZND~Ja
zi?r5=qhxJshB8p)bLYCvRD!9$uiM&ua3r(h$nWvIRH&bgX4)QsG|zR1Oe*Vmvn2M@R50SqaBJT*Q=`WCvsaz15
z1D~4&nuVlC=C^Ri#Ra;@S7Z~3?M2>}jkV@2o5C@-xVU(y*tPz_4bl3m|G0nX$Rd|M
ztHxys>iPbWYoX^=-l$&fHA;$BpXuIm7`Ft}-t5zGtZ?0}BYQr$p~F-0S!*bfD?#r@&o7J#zhLSl1ri>LBf=vO&(DqoelVHhX)vOi=s<Ykt~fq4Wxu?dgoUPzIa6E}e~H*;#4Gw1YSXmt!vg+eFp`Qyz7q0Ram9cMp0V
z+hJV2#uk}aL%L(6&CN^*XTA?i`d%o%E9o>vw3C5ZcwyMTSw#Lw6n
zsEK&{b#m5p4kSkIy6y8$5(tO*mTU=us!T4iiv87FDhvAoHrWe;LKp6Z-{Fagr=>Dz
zyIsMv%AqgCa$-HsgWjI$Vb}=Xg^@Tnq^AmR#HW6}_3xvPKaN6^k0tRw(J!bRVct)x
zhnUytm<^H5WwWh~~S4)B@_uUy>D2qpSae}}ySzLJnWiy6|h=T}?N6ZpXk;AsUAiMM`)by?gW#(osf-~`FYNC903VX>ACL)f
zQlL}dZi}Z?&BT~#p26EF?}~7~|-A&T!eC?Uu3&DUl)+MIZbA&x~2fwyu6thC5)d8qbHbX1WijvhuS+COAs^BKgw+
zY#8hl3!LubsnvPrnYoei`dsXXiuF}C8G^lDqT9OtL&j8ivIz(+<)
zj#61s{5jG+3qe@t#ifSwsye5q!mkRCT{8$X#Vn@X(#chFi#_^StVBBjE?#7$CArTU
z$sQZ@Vp;v@@yK<>5ly^{9;CPl8SeSElJv`ERx
zXR);$R1+}q?K$4w21w2fn9;%L)siwJPO>oTzXfV3MK(fzrL^$ixjl3iP}N_jsBduaNcX^X!2(iw
zExxF2MtMDBcWoxM4z2(GaZ)emC@UF?Eedrkq^WUQNn7(KpcS9#2c^%@3_MeCV?*EM
zpfcgqx6n)Yl)hno_5UI5J>aV<&&Tn+XWYHlxqI(Da_`MeZgR8t9)u)}BoIgldk+Bs
zNIvCXTPF}6MjxBCNHLA9?#;_(yjq^WOlr5Nm|C8BfMOY2a2~;3n<^8tgwG$&4e&7;DdtU7OVuq
zP?CQ?^gjW~zc|85BD1o0pThqWZ2wv>;#_hSy5u`yZHKUGE|gDQiXxLggt)&F>UbQw
zYeLQg#H0;b*o;dGX^pT&xYQ_GkAxpJSlK4>WE0P8cno~>5x5RO?&9?|=*Yj58x5+*
zA6J;*XvpMa@Vxwn)*Y#63OPOK)U9WBU<(^*V9DW~WEa1!LFDCks8e1wv(4TyrK
z2a!hPJpxYfb8oGQd=dPZy4C#faYBy)`rM!eVQAw$gDIdspv`FmbhRrLn6l5sS@&yR
zK0}_9afTln&6z87e?T_aUD#Rb;ji4^ZYV-5V|%(R>A1f=$7~%vxCENfntYMr!}DWFa)8HL{kDj?RYqc2E6aBDtbJjdS*0ZFO6Pyyn8D
zhm4sUt$+0t8U`m
zB)XB;Wm)RV1k@!NMgNr@4rQpJ@K|Ee&2!1COsj;eI_{^e#bBy^Ne}V>`K82_2`3`=
zS=V$qcS^q-0UE-;`|jr#ig~z!431bXIM;Z}AmxAM0;UkMpR2`1pbY
z{pBNd4!u*H&0Byt`6=zU)6iBwwO&is;P(Lg`=S#!*QwlF8RIxs9S^F1!4}hzoLdR
zQlpxGFZsRs^N|y)(%pw%gHtBQBxA|5aLj&cbn-tt$*<8SIN2aIEqHz>_+c(ifeq*4
zXKNNv|52UY))@iR%>PJ70vy|h46D#aiYBu304Bek{1P={QcAAm)e&J|&N9e3+hWsE
zr#34*0#rC}^RD5fCDj_R7g{B;TsUtdt5QTY*6k<*t3Da=sJJeE^*f_Ovig`
zVp3ToS)wmn+8&ZyLi&N}Kw$aN?s|R1uAoAJ89(a>WH-1819X4Z0_sKtGr@U#cROpTa#e@c32(=};-bh(ba(
zV}KlzNI{!c$;eq=w$^}@vANkvI!FgiQswYa91+~uP$icp{;aW#xALETr-!$_dt#uYZAeVT+Z6CHF8VE8uMN(A(HU|~`Oqkk
zLhU#H;)+ElRus42^y(Fhj;|<2T?cme@9Oa!+)a5D!4G!)`fz92s^ddD-#Xj{_1QO8
zUg7Il*RYEEm)@gT!A+P5{SO`2l&wNJt+YcXJKg3gTZ_fzL_QI4m1dQ|T)m`W-mY$^
zLdjNrl
z_qNtih5X=k%bSq7GL-;9_>a{8c-^Ao%ZtOos8lIH5z+VRo>~skRpN6aw>Pa_b%l4K
ztv9yv3iHH2gj5#XtfSTS5KF@&57hVtO0`kB_Re%Ug}!-rS21vgCO>B(kS|f*&6b(b
zP*C;3A@Ss-_H>-xbXB%#Unj^lGegf+k2kp_&UB!9VU3&3ZJzkY@b&7AM`l~f$^Rr4
zkFTp9ydzluvrS!B&hpQ>?d7EluJ@EbzKS}=$-SSP#m48A&&ouN0)l%_?e@o)xf_eD
z8MuHA*9valC-p^>dS?oGm@@L`FPJ-0y6C#5Gm{U@?rLi4a#YVxRj%r*kYBac;<5;M
z@Z1^UnWyST$tkPll6r#R|6Wg!?gImEuvf<|8ehuds*LJ2-XwT~&$Se{_$(!UZSjiZ
z3ww6<1>9A$!=|KL%@(P|XEYKKN2qi}491vCgCYQ7Yn}JVyj2l%q2D1>_!1RfXUr@@
z`&21qaerMAp)9QGj(1!$uh7%5sH|aWXIiZY71#Rp0k>1>)M%q(eZXlJOYHuHMQRmk
zoz(pV0x+E3zij+X?iLK{bc)%l*Iupomw3+gPmV9Sdx=ksfO{T&^qx&G>}hP=^TH;Y
zUXoM}A42oAT-WayW1^#9i3j$bT{3=Z+%Nu@V)nY#S1A#&`Gwt$jk{mieD5QV+&d-H
zJ7^u1$mU7phwU)2I?wbBRMxFa7*2ip+d;7~~;`84<@(7L3w=fGGA
zc`wG)te^ZPT|YM)lLPX4=Q2K3l*(zOYv<8)jFdP!=gg*}a==>B-kRAlW+OKh}I#n?dqn&bLf2asX6UTzg~tVP50}~x^S}|
zTtwvPiq&{!HBI2o?c~qs7^GBpTxk>D@_Mm+B}b!;1s??wQ(>hwRe`pjpLEv^6{SXI
zRVoE`Em-I$-%?1x7KneykI_h8EgGs;u9iH%_=Cmdw*+zyt-0_FTJr-&{#3&A{0e+l
zN&6`%>tw3vJhWKAE3=k~8b4?hG;cgUfBwNa4gvf|)c*A5WmL93Y{TqdMgifpdsIMO6S3
zeU!EDQ4;REte}7@#x(QlK8BJc`}GTt8Lg~wu7oAF%07kmAEkp~z@VD=t*s{%>aihC
zxtZSc+JXZ7ex`;rHCEQ9oE|i*EX|w(zn`4{##{_XI70UMH%>igv|}k0M-=KeIetU6
z!NP9CIVeZY`2iGJr}v#dNjk*PJ9J^L`*pNh?tKE$=L+*68eDCJkfr3Kxz^qk7af1k0!rC
zxl9a4cE6@C+Y^^`{-fd)P%aNsC_X72NEq_?zw(ZQC-(UHKOLK&AD&(1&MP(V&(^2!@)gYW`+7TcdTPU1RUka
z%rTG3ZK5mA_fsY6oi+1PZ3{CF@nW`E?}uU|SESxiIVagPuf)on_xC5iKp)0LRIfTm
z)`?4tb^!HTCi^r`W1?kd41JgfSx(U3`&ie4m;3!b35xJ-hU)qjXX{|`%Db2JUDF@%
zHjS2=tE$QkC+H3crO9L|mHpF;ON{E-Z?EsZex%6XvLw^6Z`Z~`LMO(j^m#UOuf^~~
z?Il1rZjx}Q;U&WPTE{FSvi>r-MPJ;Z?V
zDcQ08YQa(!lm5{DmC)ObEGq$}3
zy#;*>jyvU3f`ih&ju@n9Th6BhzQIH~;X+V{yexYP`AAM~LEcR9?V8=-B%+mJkAq@!
zf_N1qZr^*y!8_K;RLJ``KzXte!u$ptn+GMID=#{jEoaa4qp+sjDBz^gsp8lIL&_pW
zjoM?BI6bnec_q5C#^tW2r8VRS1DH)_bSbr#GvJleY^B@c)LpL$mb=nJI_pTRui8Z~
z3@w@{G45iC%=_9`y0D{K#o&N8)G|o!S3b(}dc)aiM$_(;;w0A>8
z_X0BGtXaVDEegjsz%gmR2DP@VUt@#(CFx6Yz?PDg1K@`;{2$cTP}>6EnGN4roqdNY
z+X&Z86>mgTWF>q<{u9|ta`NAD@I&;LgLmw`{RVoTE71L@gte2-BZ{GyxS*!u7F4;g
zg(UdLq`P=$cg?DfKzjMDb9%3^m5V$|x!Giv1sW5^Sv6XZTo9K^5nNCH$ZL=FZK@qO
zy1Kl?)2-l&g;Fl+tQ{)uU&P@ol#8a;ipH~W(-#%ApFobr2hKYGmmvDic2FBAVqEFgc*&@8j(
zL7HYMUltWZ5R{X12cD?M{BTthkLBR_5I$pNa7A?mhU&M~h33+8X6hmz4xES}IQk2<
zU+ovI2M7|rb6}5J!&$)*u>=~?%R((dV|Jg&EG6%BI>DgSEF#w;?{gI7?TP@Q4l2R0
zf-`fU6uF!rxc=OnbVg8oV4h0L{|3SQcMi-al!E^N6!lT#3#H(8pOw5Bd7mdE2MM1X
zEQaHa!SUe6(mnH-wJ?Qi=>QW-3Zu^cJN*b7Cr?R?%J~B){0IjJ^CW5p=A}}%l3XYi
z!Xt5;!bgA;G9E*ZSD@FUJ@8D^{*6ohIr;t#w5M$O;n@^TmO%n-T;Jt?rnxE79M`ur
zg|3Dn!1ObHACs{VMom{J=a2XKk_16gOsvZvfSu@n6x0@
zq-FLh;Y?B%?FN6Phak;82R{1-gLMn^KF6_JB@nRdA7cBDV-CCvK_487Xz9hiaY1L}Q?^t;8=g
zw3jK&dY#xH=cuLb7@;ci@s%8fk>O{^>u^nMntGyH-achQvY`oiYKtes2JmU*(Ma7A&?Dw+2ebn*HbCv1Z2l0WIGw)And~Fp52AtFGnJNNy}m1tKxc
z+}hz%eS4GCz?*+JVPIFWWO9QAPGPP|I0CPNeq+4O)4tuzH7Ncqll(#?Apf1Cq4jXS
z`)Sy-S+J1*-Fmj+dks&@5i1Uf2x+~AdTt*)Bev|>yNvDjP^y8G_+Elj)Vr>>c1g94
zn|LC@Da3pojo=Bgxn@mQFxa)GhWgytLC?Dfy#?C@$NMflJ{Q+ZeXGimC$@=v^Hdta
z5L|$tIkn+7LXTPz6yZp@*Kw?>1fgX`xF}o1-pH~sNB$AMUM$x0$#&#@m5e;92xzo^
z1z0H75K{7}EkgKYV4*}!oy+y`T(;m3LwMp-arHC9`RVVb?r_8)nN@rZ
zJRvkn!+&be8&w~3COErGUa_^F2E)bgs)aw
z!+d~Rqa0V%z~9eHsZAOkg+WzxaY?LFYVM4BDuY^#RT?mcaF^Jn*{6V-zU)~C5lrv&V#N-y_I**_tt0t|Lq(y+tK$+8|%T=Sk%{h0ao%6lTHI
zsGv27cN-`u97%h)LM|`V+R{O-%Tz95bNO5);aaLQLTJT85xr+s$Pv(npMfV-UQnQe
zqL0nsBMaA9#i@#)%S;}XJuEZ1l+FlLgC!H^?xtiz%%O4_r7?#8jUn$NbK&~jd2t~Z
zH!Wi>*cs7HfKo$M&|Pd3Lc7RZ)R{2)G&+ug&*Sn92Hb@c8o6B>I#V%f;NWYtR#T$U
zNB%C2>B0`9$=!tXRHo%xhA?Xlj@6^R5AnMM&S
zaoGr+QZ7=mJ^JEQTsKb_`XGEE>BzHjJ6c&PPv^<`zd<7Rgg!m!%t;(yc{p2
zS&@^LPmBsnM@2wxxeoF|7OpGx`l5W(K%lpY?>XgR!}ErD&UkT+&R`DWryw^}X)GaE
z$Tc<}w2_b2Ijqzdk5LDk?@w-$~MO&d`4&M
zLB2%Bq0XkE5>gW9o27QF+6`GtnCHDsoF-23aQHD
zo<=;cI1IfT2__Z4%U|R*$gCQP5omFxobT}YWnw#KTKZXb*k76fha4xMM@1{V#JTI9I0l1VP~-^KCr1ue!IMA
zUX9CI+8MUtfGuPjyd`0bgY?hQ`wU{eJJt|T+Df~^jq5sm;OJ3cEt{Q8%xNxGRPvN^
zF-kP2(-}HvtU!-^fGmcv1?ZDQb!nv07NTnFs48trt~TgcV^r-CNx+H|CV84V
z+@Z4VX621SDY=iiFZnUK75oVlL)`}2A5(X`&Wq4RXAs*Ch#XRxT_?5ZjB(a!wx?=-
zX`r>(>Z$QOtrz&
zNXfDPfsxZuaba|^Pud|7VkEyd`31DQW5fTsNx;kXl+33bU8#f-uxIr{t{%w9=}&i
z+QBE%_GyV$yTPXl5AOg(Gx+I$DuUF1Lp41_@s#WXG&xU1YGmM2NCbD%G3{L!UR5n(mC+
zwPFYeSE{v2m_hQ18fE{2?QHeA0dKRZW0ZGgicG64V>wcz;F;X|D+
zh?a}mj#;SSeEa%)#v_9Zi{?~1&|`UR3&|kevd}2Ex~-sk`%`P@-8!C1FWk9rUplW-
z;ay8oi+$vu`D`z;S%KTr)^tW6t#*sFWRbWQnS`76YXN4mTvl=30TfV<#cwfJ_Y|Y(^4TT={Q>T*GwOw7}V)1?i
zt*65Bd3Hsrp+8|txCrdW9cq(O$a1tdS7}t9M?r5d&^Zc!_oo}j+|
znWcPj$luGz2G!)(SRaI+vGFZTh-T7Z%f=(m$lpf(Lf*;}w$18UE(BxSSc0aFchZ-m
zeAYJQw#Ww&FdF_KybZh_T)JiRvS2WGO&Yux>><}vf9d?MbJ$u8Kpm3`W3pW|OZFU<
zWHTsZxukLnHvekl((8`2&fh!R#^7xEsJfD0bxp5Og-%8mkgw
zau<00>L*u46C(%v`|kz2$qja6ZDYMfX_Rxcl~rklx7kik3@y=Duj;1h{ZVoax(k1t
z&eNtAKb>$pZFbx8gR?Ix&Hz3JI4{(>sf$Zx-@2L1`c@`SR|o`{Lnd+?s_F!sHr{k;
z0;$MgxJC``_jc`BT!y#SGzp~oA%(nX?#9e8Q+}WZ*`8Or0mAt@gtH3bue4ygZ|rwf
zv_NJQ<(;~)v!DsoqJDqJhSc(7i~IutDaRbv&V*QBMzt>U#OewQn?kCF**9`frT7Bb
zMWx9eGZrddQCzdIYwt*rR5Y3o^p6LmQpjQS(F$iG)1)wnsD`pg!6>vVmO%YfK>G`_
z`XSRcb|#O=R#+y0U1&7ef;O$xEXA}bzq=x&v6eJ@qZMk2&@@^(YG7l<3T4k=Nk||W
zQ5$WUo@m|L4!_fE)gxj(738+`F7+FJQ&#;ntj66U7#y8#AbIOt(FOu*iyE$T^
zKuVi90GO)1Ccj=pgc_m(32xA4grZofvwlf+y335Qaj#tc8MJi-{5cDGQclVvGkVmv
zOjuv85MbQWn0~aOd?ju3AO(xi>yag_bvd0e8}dT|CBL`^CK05XtUH;Kf*GokAk@!T
zY|tUKnl&7*(;7}WKe4+#tt)H8Z7GwhYEHbxj~k3DG#sH+Bv-=yh|G4(*Kq`5OdztC
z#|-wSR5%Jg2&`@F+cy+5rrKli!3JN@mLf6x%52nGi$uwK
z9icR+WIVo@gO8b9&|20>Y*r&rTc95Dr-8hIaF
z3+-=pmUeTczY;WGNkSeDHYRkqHr!ZfGl>zt)I#98B5{(qTb0B%|IS$*GjjX+0*(83
z>mgeQ1skB`%34K`3`aRfaKu45g7GJ?uxoW7)?&_^}=W!vcMo)}QeOoWj35k%!Cw>2qF=uhdA
z;-um<{swj3OSox|f!iqk)B3;ub^SdM*0tyjU^QGjw12ZH3R%vbJblWCiBwS*qILKb
z*07$3;b+L(b^54GCxe=B+Ln`fpaDNUbq~Y6v*I`ugA(d@;}GukaBMz}*DR0_nd4#Y
z32jIa(w)$Su;uT(GxxpsDF56fiTnk853Z9};G|Brd^+!x0xg?%3N`zwq*Ed(kE-$y
z{APiIE0RhS;%%p+0ta8tO%hrj8cf+E20n_a;gKL@$UV*o2AwOhrCQ@5uDu_XP-RmIU*07o{gSV&8RG=bdEDvw2
z=81n@jJIy&4X}ZAfIf4V*5#ot!N3N{y8@Md!mCztlzfhuD-~hrin*uTFxg&9WuciT
zs8;ZCt=@qAd*Z6xUOWuX-P9ctcvwQdQgJMdX|6)VR
z%({wZ_>9upQm-$@H}?g4n*~+?D9=&SKzWWJkbJ)0h_fu*q{fDMPkV5+PHYloT}bOR
zmXI^(8XF=%ZhRZlYL;`RH6Tk9{tPkzdTBNMY6;PV#Mf05Y&`vX%
z3t?GiV8vj-Sw;DNG`L#YclJ}|OjP__Kkdsq4dL)j*$>Hh{yvzdpo`_zR64B>8j=lO
zAJiQh4j8EsLiu60*sxEPRAnC`TCrWP$BP!F9N4CkPvK(brzcgtxL*coh9(=IJSCC
zCe@orr4oO%q-VwJ*L3*c*F^p54j<$1UxIvzcCfZU-Be2Bk-p?`G0iv#Ide5P?YPK*
z7&OijZlWxFgeo{t7JjX0u-0AJzp+YwL|!yl<0|aiP^CG7aRK2k_og!lAbjv^IRZ{o
z4vIwW$~MMXk)b}f`oJ$J*@yfE;lcIRUt|YjISos32~GXkzAo841~cO^BVNYuA;1`Q0fkZp*!CY5rV
zLl1urS)0y?qt6A~ifxo8j_|nk3IPf~AR0%20A~vODxFYO$E1yNKI*4jqXnCg*TElH
zX*v#sMq$Zi*eJ_N^9m|R2c;gM+G%DGo>0K!)ypwW5HeSfMoB}!6Ua~$<6!ABuEh?8
z0jDjZXdPn*Er#d%CdjKeObuRU
zTQii{%ldG$RthBmX(9N~78HXt>X7~^qFZcYv5b{LS|31NLbv*~W{di?I)bgxSe#N(
z#k&+`QhI@A)l2XX6aR1navaLmSWY8IN^5N!+T+tdAm|fUaVyaIQ
zez}v6nAJ}Sc|si_@;O3jqk=1ZQmsL`4n>Fvgndnm(HkH~@Yb!+p;(7XKiYyQEJ3|5
zR-1N5u$EE1ssqD_o_Kstm6PFHJJExXzE9C{0+-yag1KfF?mXsXc`AAf3)`Yf7W{^X
zY5hSEAzzPmr!AIrcZ~YnPwz1tYXE;}N>Qi{k`r_H83MCf+zJgxoD0&!K!{|)_oo;|eI~Zfgn)8P@?Ukxf6^nz&4b3c#1V1xz
z4v|QOZ<9g8`
zCXj3BJkoH%RDV(S<+G?~!UKM5uyHx6{c@K#s5SWwLTJszBsd#q>9plI5C4n{M1uET
zkbrGm3NTECs8wuUMYz;1g7yqyD-Y|%W+`RS5FU9gp8{}ujm!c8q;SeXJ^<$-T#id@
z)4b9vl>;?1FT=pLG?aTM2#V!ct_DLl^@yhR#$lfgLz)LpqMr
z97~H{NDi+Fb*`+4v=^B|U8}Hn`D$TD!z%|n8VCD9>ed@p-oGyGYF=5t^8U3{s%yc0
z@XQ=z?Yd0OVOpr$G9Z3QC6E}n9$E@6#!_(ODviP>3!W(h7-Vim?Fj>OW5?xD8U_OJ
z9ZJm%^
    pTFXL$Z7ImS8WeoY;T7b3Rr|n4Q#J}C*D1Rvk-H}ZA5|>SND)+5YO_kU
zY$eCU(c8sN%6}zO*<3;Cb_HtEfigJO7UXqA4$rZ(U}ipV-e@t@mZzr3^+Aij)GokS
z7?H4=}UD;20w3(84JnOTYPDSvRm
zQK*|7qRW6ir2C!*1OqC0rYcr{|D)B%07P-ZuPWDwkR(_|F!x!Ua0@n?g
z%xRVB)_tvn`dWqCQB`O{#1C-zSJ1V|C(-AT`=G8**)derekQtAjtmnP2`c!CVu3Az`+FX8*oFz-`#T7n6?
zq(t!V-C-Pex`p2Qm>S2uWvyQ9*DTZtE{OEwJ%94WAUi6h^G`2TC=)5A+i>EU1zX;mW@?4WA%2n!eJ9LvNeN^J9Out)oL@8JTrQ{J*W{+HpBnK$nJs+K0gMd$T0E)+O}lgc|?^GEe7ks_0&@#>Y3f37&(ai
zi;lliTH-NjOo|+w_|H90f_Lt?1DMD^U-XPk3jd2+kc0O;c@M%y`p7>6(;a!w(0&7@
zEpCg);xT26eh&T*UO9O1=)r>wT)V+5@YzMwdgT_SWjDf}_z$w^DE+&;!C~Yunkvvy
zIW@$0bjf)VD8xKG+w(@x6X`LrzKia8gWiPvYH_YhP_BbbgAoo0arq4L0rDc`d34>w
zY)0XCwI7+%4k-UAegBvQ+cbO*M~>s@N~uucsR-DjW-(i$ks846JrXtU#c%`{u)Ek&
z>Fz&c=<^Z1NKTkU2C*O$h(S3TF)AGqo!V}7>!SdS$prWD6wo~2-6xQdw@`IMPe34-
zLc5K^Geol`ZiypHe@b2e7=HTOe(bZefWhCT&q?#1Lmxj2O8*bfAsfyjoBj{af%IAQ
zi5bsP=PCOX8D}0ki=AU&+gz{{xevXPenx4bPSbr8Z#)Ul2trOA&-*={uLUQINiE2I
z&|)t%>dU-M#nzZbwX`K51>+@f=B>A-94fcYXWxwiXMs
z-sXY=tRC_Ky26Bo3AgY8s&j`0r31kKkpSYdo;YFjHX%Hn-$I^mATKCjuti=#-G(0u0-D{?YfOgiOLc
z&zG|K8ZlTPP{`F%{M5Gt=zE508(E>TSTx|r_FBUQJAMk~N`+(}R3t?P2{=UstW&Ve
zfp`?--=ph?I_P9aN@HU=^COzrbi52@2t)927l3dA8`zT?4tf`rj=#Fl8SRS$U*`vHqf=Qd||mtZcyT+HRai`r{h
z!cO0Xl*Lu`*6!Q7>m+V}kPw>;dZB*#UB9{Zap3yZTCT#X=1XLp^!y4N
zq_f`1&(Ux3v+y+jiiR}=zwg1MR0li9rOl(V!kJ2VU_vKob@5AUQ$v+z1mf8Z~7bYXm{u-9pT5FEJr
zuHt!Bc1rtoQoP7F`8oDG{Bek*cWE4PCO^Z%n2gE+gO+?=R0}+NRCGMt)gYLPLxMk{
zNB|2r4@P;)pfM>!5)~yw|rR%e4@;=;A?7u*@Y=xKG<8xRaVeAlOEMvIjAo2*%XIb~)i{Iopa}EX_KKuc8}C_I(pTXV5G5`1QZ1W0ed*Az1c*dyQ=&XJ
zstGwAtrZ@Xa6%)uYQ-vhNaHN=>p8|xP3VOcCSUQ|*sc%m8PZ3qU9Re=zH)fVvs19
z(fu>4HRSj)Q=ted4{YGG4uum#4c>We-j<3G?=vGn-|4<#EZw-{fdw^N!W_1{xy&^b
zOf-fRdRH|TEb_KRhwoVIl>iVZiN{9o7`tkNy?JdL_bY&utvR)L^V@gMEsoXAO%go9
zmvI-TV-8+m$-_J7*xt$gx4!=cGkfY<2zadvaxk`51gBwa+WE*x&4z&DfO5a!
zGr@A@GN36<6sT~wm6DmW8|;mm$G=bLnViF2x&Pd2*b5~*ebuazyVb#~7x8-f3J
z6wRr$&${Ww6+I9EHJk39=lSg6x(&yAx2~(*aBTM0b*B{#i>_+F`ont$Q_JsMy#AMW
zEt8XH>29<_nRvKGi4cml9FYTi9_HH>JxbZSwcP(a)a|I2)Riee3v92!5+cr
z9LH%{MjH$&R!)>n>xXCzdt}?&4J@sMJf{j-%x=*$2+CUX_L+~RYMGd`nJ3}!wUQ?U
za)nw-C-}|{Z!9G5)SAs&Fu!m^_(B)nfpR6Hb5gxXXq0^_l2B5NzUPE^`wA0KkrVQZ
z0Yn%Z$;|JsMw78~j|&Dp0mu!S;lI9U|2
zvn*Zli7xOJE)|eCc;bCqQem`43!xla);G|)|CKFcKYHO;TUAz%TvOFKwC1WNdxPai
z2f-3^iIzM_!51Z;L9fReXs;A4!@!gbbGmXHn@CQda}feOw%XC!{?>HaBYd?&=t(qQ
zGm@^~`^t`n4mK^hJk3k1`ZhOPz`5$a^03x5Ufp^N6kIN^UtvuuG!-K^FWvOY4IQ>9
zUo2;r&5EnNotr3Hdz`!#{T%-_q_vv=-A_3igu-~inTRv0jCagB+e=l&tYxZVdUE}g
zE9R`&UR}S&tKkN!X2tk=l?dSwW~C56%?;J`MFo07$ov5N%$_ZPnHb#B1R6)yP4`uf
z2Vbt6S45yZmAo2=%n=*jH2uBU6tOXT&LIzDm5^4-p$>EDHRJz~DFh>ZFfYg7y0Y2R
zNcEo-iR{{Nki#Mp{bf3NU9}-jOiWyt6ESiqVp8+Ub@KXZQxSn+*JXv$ZN|*TIYn}+
z;;gW_CM=8gAAIe4Yq2t4+$iF6Z~oN*TUv#9s2`3ND<~a*@>}pEvf(oKtWUfXLj^>J
zgIdB#wWru7U?CgG0fVuEuo41uQG=J}^UdTL`~X`9Z9uB}0hM>fyiJ*5xz4q8;-Nf?
z2oXv-Y0xYNs8}KtTdS6%titZqRnIC(wuP
zh%L_~=i4vbD>4uw{PczG(PgEHxi+*H8l|H17PyXHs7s%Qd{;o-FXYwLnku9YfMZ)`84zf*1ODINd1_V*zJcPIh!&Juf!v$U8ft
zi+w8Gq?Lr7&D-Y|YNGWadt*(xri3zhQkschATKpFrZzme^&axvbBo1_ZAz`E>YAVK
z>RwxK(M4;0qzOL-;h21yJi|euoe9ssBimaguO!uUS!kLax^k@;NYBPidk{c
zVk~CA!&j7Ql)ox33hZn9s%=l8(nvmU=q-8>9QX9b-7$jv`c+p({Hi?RT;23l(^^NV
z5oFZ$&ezCsOJyKjr+w_Fq|f37ePJ(n+vk|L61mdhBfZ`*vM60Alcobm#APGHemycg
zaZK+AZ`fQDuLsgnSzVgU_Nk=KbSGSs1Fk7{@uDCmFM%9e`fxEGwIB7C+5OTtWzpbG
zt>na`0ByR$kurd8B4z&rIZI#TO4jPLz`2~@V~=s-O8hhg!U=wBa!ow#jEJOl8OAol
z55v7>`c34ugL1K{3|<-nDi0qpKwvy=#*wO3fADdw?jfPiYC3Bg%+5b#J8L7{au8CM
z*xyD6;SA!siix8w;A6W9odg9CfKwC4frb1lZqS2w%}#p#X*mA{xPIr<{9wlVDYc!+
zchBJg>tt33xF6?XUG3ZWQP3*Qg^pXr?Xi~XrNOX;`2J%iHcP?R3DH`HbzrJuizhTu`G6!}TxcM^M~#zz{k
z-=DY9T4~qhIs63v1k??wD?~a>FE@Ku>0)I&Dp2MyZFQm-*IK-|#0FrThD!7rucfz}
zr?hG;DX$vQrLNATuPi-q$Bx$ywk-WQus>;v$D#%uE>r8oVuLMU8ou|6I!b|++ob+j
zeDv^e+p2o2CEZg$>AF2NoV%UW_7@kFDMH`oZSnh1WFCzVpDA7>
zBlQsE1QH~l{-;*W`8_URgF>|ph)G5Er0bK(mrD>YSOR;ir@3dwhH2_Lz8$``o-&L^ko
z+K4g^PwM6h;s-pv;>D9!v>8N@MvM9C;inIG(JTU;tB3H9om@jYzTKHXH1%}c@QycAl=rvh>kS&F0*05EpW{WF!WG8O)g#fDCAYv&*Q-JRp*
zI#X%?g)6l(mDMV~@)v-6>)J;*mYF;E{f2z=XR^m`?btHZX!1y^D{eS+OYNGM4$Twb
ziAAkpmWYsHe`>t$`Sl!gAXU@mcT^V|$+vNnP*!NSTd+HU_$MpMm+Wh*+PZvReVF&y
zUEZkIFkIE2P&Mv<<61>@R;4BsEwV8E1|G?-tM&i)y0S?t|1T?xtysIh*!`({?j0MN
zc>gbpi?<{!9P%m9D4D(Y*>!nKq(eYxv2<$5!7({^$E6LXor8snm*-
zYaib-e`B?V(FdR~e3ur(RPQm!N5&YsaL{VJg@@2C5V|Z6rUgkT702G5*njLc@~+U}
z$dXkX%PB8?0}+WA6_=Kko6+9eeo86fP=h^3t|I^b@B*7geNyOd+V&IxpyS>1Rt5)$
z@liMrb<>Pqu3&0TZsMbNiCVTkv@AMU$dPd@WNzp42C_Xffror|qQ*s0SGFrwe$@{ant{n{xGHQ?6%AV!F?w3zYHo^=n!?cQ0vF
zT)4a9;LV3>uXyve-tfTAyMDZE?GLW07wH^obP4$Wqb(cfH=5j1q@id3qEuqxfj;Eg
z%Kn6U)~U~LU;ob2hsTSX_P@HbsV^+zs|9cU7SfoJzKi-|@(V0YX(~uR9i!L*;d~JC
z4}O7))}gX)(xk3TNL=zc5IiT0=U9DnPoW>16P%s1!!8H4{*vv}z*RQv8J
zVE&ti0VbgZjdw%%EcBgz9yC+}%}jtSZ1gk;{A0%a;4SjkYS2vn?jj%{S5+f>Ce}|+
zj_i33nVUEJUC%LjSx|m=(R-*Tqkn={WNrclrN+GuC71$+P7fs(NsX03hkKs$oMv5CpAppJbC;=Y2`vFQ*zIyQUi
zLZ<{UdI^*2n5I*f9eI_MGXTGniu6njUE8^IkJi$&U`4wB;DUJP-Cy6etQ??QIf&Aw
zudKxYNcbn#%-u5()W#aZfzHYhPmgRMV$pzP+5PKEw=NBLrmZDQZkVHBZ%d$kP)|dy&v}#LLG+@E4>P@@Pytfp
zR#WJVQ*{`}Ao%Ig8+uzd&k7(!a$fxn>Ib&(8y_uS(43Sj2wr6FpSOiN&mDoZnuhBL=joh@i*n{?EP@i;Vt}P7#rAg3n?as9IxF+6=6(v~
ziUmyx1q3P3@CDbw#&(5Rvspui5P1WbrOolZW`#^)@Bkc`A#`~4U46;5}8J-
z<`GilM^>wHD2xo>ybvA!4*C5=yvi+JwMh!G#|_6QJ~#O}>olZIH+_pTbq1)WY&jX5
z1rdq{3c$N*07tU`n(_oWl)Ma7zuQB9aKRC@^;zRm>X=r1pyeQ@o7qgzpIG!)nNmMneZ
zs`{eQTjm{oQAK{N)}S)PCsHgu_4c+CU!3ejR&D;>(}%{2Oo@8;QoT?icNk^8$N#u{
z^zPNA58S0!-n8`i$9J?0-uKU}O*HvAZ9m!>U%(U&T+T#EKBC~JCb1Jba{aR0h9J~_
zTs>nO$Do~wpMLAY?!1N1zzy2{7M!yP%EK{;huRtU!O8sgjx(D5(1m2C`3TMO2@FkN
zwdX)X`)wN=e9cSBqP0GG%fVN#Y}hi=Wvx@%L<(Q!!j{T;Y5l5YzbC$I7_YOMGV?N}
z{Z&yVpWv$mzp0#^P(>HqFj%*3v|T4pRyH`hkF2jFylKaXL1eHS?CCaN$E@!M8|MZC
z?P;sd=@WDK5=Q?#Oy7qEr|Wgjkb0L>M+fy;f4Vp4PY-ZdU;H=y^!*u<=f7#HOmC<&
zSQ*?$UADvV<$c~+n>&6{ej3wi1>K~Up{&B5)z#JG^;Q;YAg;wR!e_IFO>!JGt-yVT
zLkrrc`!Cbk|E2D()=E|8o5lEPpElN&GMQ3cF|999=8#AnWr6d2vdrQFeYvL0OtQbf
zb4?v0zVI-FJ2m+^dI}>7=$mf`Yo_aH=A}zgo{gnv+rT=!Bpqxkv2aulgR8aN&$49>
zSI1{(Y|iSzwO7~OwpUWNPq|m{h2Unzp?|v)v9_TQ;j_qtO>=`lTiar*oL5}2X$gG(
z&@KeIcX;?-iWdBnU!WRHT+m2IZ&G(rR5mujc1#7EGv#cFta<9B;-pNP&)jeb=i7$US@g<8o|jHD{5I;-R@Xaxo+T^*l}n5R^9+WB!&=K=a8gKd%4q(N*9
z7+gIz=cl78$jMsU`@d#oy(>vJC;zHvWGP5u}ji5Smb#`HeD@Y
zMtd4Y+?7#9{Lz=1PM^3j5t$oE3$-GiOi73w&804(+M$*jv;<$M;Us!7c$nv@m8m%u
z_Cil*U6BNPy{Pf@$s3d5dGIxzkO#%N$k9~h5@_hx)I91nQ*}+HAvLGcuG4rr>QfT*
z4eBk5A&zo81KHJi9s3yMs;L%P?HeSyKX&c8-+7_n_DLU1hc0ilJlphVA
zM>Gg*wBdzPF-gcWS29_XSggS{R<~l6vDlw!R`)%;g5x&aJj6B!tZME`L5ZU;{^{0F
z-54NiIiLKNt&-nU*c7GGE9stG%@D5eC2%>X
z@HE9v*h%W(P=GaSX~0&}*dp${K9i9{B-vNRKbd>G@`&IQ0pu#mPKYcSe~l|yRFel<
zm`{V|by0Xyk?qJg_YMu+`~UIw-tkQxS^u!+-YdzLWEHDdOIEYGWLc8C+rO}@PP
zvKw@{FZZ9Pcslqao(xBR3~U*HkQSN?^yMKeaSF|uEC*^c^d5Ym|MFBJ3dm2;s__TI
zMZ9;On&$`Td*S=j?+>RlCGSk;MOAU!JDgF_pRdb+JSnlo6i4tRt8uvfzpF#+74ljnOO&wt3{3B24ebRpzJsbJc*
z0pTk{`aRqTOOQlyiSc;UYOhZ_8g16F6r94r{CG`jLo$QIusXc0t4ebQ3bf4VfhxI1
zsvvCI5KW~mXT+1XBC~e)Kzh+FFRnI~#3NeU-XQDyAJRa=eKT4O`#LNfLoEfa?y
z7M7DLtt5XA-YGm^{V$Hb3CT~|CF&pdPg{b%y8tzn$Rgqyq{t|KOfkT>R+iL=&}
zgSGhDV71JZ?*NUkB0%gf(L1SnsQ8711Ml>T!Z#u4ohyD$QY34HV_ZSJAX1abn=ocD
zWr!>oauo;Xm3G0M3lTJ2Razw-6yxtn%lx2`7Pf&vZ-wPh`v4SC8!5~Hgud}nZDjIIn2
z##E#1EN2EgWum&o#{4OWuHRp@=goxZYTnzQlGK!CAnpVjWqf8dGtnVw+j6eAYOFdT
zu#-aO>dzEd+<_Y*b7joGvojV|xJ!IWm&dP*Wh!D=5~WsTa$)VKR~0*pTWt9wEhIJ<
zO%3Nf)u)=7eIl+o$ob$z|3i1g;qFUkb_^(O)pd;?9aPiyTXF_U5^mb1X@hW0?%&c%d>B&>fOM8AYGJDJd*Nti;{G({_TjZSurBK=P1B1P(~
zY$1T+dNrYFDJfA6b%#Dm*;puZ#_iZswBkgIDaS0v)KI5>`h#~;$~+1>Lg-rnubC#Z
zL(*MukKx_BZ{wvS_0jAlB3U$LuXqaTVqiKS5K?$zk(dR9w-;gER68Gz?1AoQ`=A8M
zatq^Yd&Y{BZKy!&$n@Bhnuhg{ul+X60?<-*{-VZX@2v|6SaJUZ6fS^|!QHI0ZqEc?|(AWo9K8}2*OFHcoZ^oyi6WRI>;6-WDj(zJgl1O5e1F}cijW7d-1^!wH?GZ%KI
zf~N`7+>KwJ=_LLVrn=;}W8tTepW%KzgW9jddS;*vQ^Olk!mw*L=@&8=)_ZM*t!=G^
zw#;;UQJOPWAYrHUMVZz62dy>Mvavcx*~rF`vha>v$|85IE;}2lh@?JTGJ~@g04Xev!r}eJ!S8
zq{GQ!)P%!*`yxlCq}-$eV^fE=6ih7g_xNTTVS`*4OsKESl_7^wI&oT?+PAAQyF1Td
zp4C5^P8ucWv@Team%qT8b7czy5t-w1GBM(Q#)b-wAsgi6?#<XwxYLdrYB^M6
zkn7qq9G2tPRuAiUPX35qguK>9c`RM)a2CFA;gc{##JHgsIf^ge7(O$aPQ-c*_BZ4z
z3SzwquHKbq&Y4$f`*L6*`f$DB@n3)uZdk&7?)
ztj!JJr}O7=R!7Bxu~?Ii>^YRz%E|vmgM_@My&LjhIfymDHYEPaJ;kr+h7F3)RkZ<&;n`?@%&$z7kRgICfX`}P$50Gb>x<~+L#(#)}E!1KE#y6-zyafM516E5W?(`=5
zh^W}Ld;c&x_lT=CS`r(pG^cyhd&_J@RBVM!l!$br1>cBb@;bQn*pGC*$Ze#(Y{d)GF&J?rViSAMQ&i=qSQfC)6-A8nyz8
zBOyyj3?9NIgxc}=l48R?-%K)=1*y8N;Kd80cv0^=yoRiS5{uV~EDFvs&0#4;1i%yj
zqNmo*ma?N`nJs0{FV|rS$|k$V6Hok2DVkqyZaVhi1`QoPCB#T=A{FrqdmBN)I00ew
zsiuF|!-KuYQm{&SiF=G4%i@dK<7phXIf@+>wV-Jz_NdhOHeel>8Ue>RviHHR6F~C8
zZuM@d@hKG9AT`48(mMGqokM?&iWf=R7E*^lQl^P;>Iz|LPbpK^UekddeP&}))gnVe
zRQ~B^OUmr>Oc~E#=+O&e`1IB`{N$!LcbEEmw%_;S+{*O>_3Ob2fnHC>W&N^c!p#j%)FEc(Ks(e~3{ZC&-3-yIlCRworZhB&bXo1y;b
zU&wU^_vqOD^pg}OPiQ(#`79K;z@HVkUJcBA{E{BOs(*z4$Qrbc@SWcD#@8G1&wyql
zhQ2|>oP_1PVPWz56il_Gr|i
zZsc=nw>&x8uy%H)s6Rek8mqIWSbfcT4kjNwE5Nh3;8_-G(cl|cQ7)^w!i+S;AVN)o
zbUaI#U%`$&jPx%lmKry-ompLC&Tmi76kuw(Ny#@v?tcD$&i*J!tj>K$
zAdTfkKLA9z@8<5~qo8x+WqrQppPijwey7V){j0N3YMS^$BnMX}zCctPI}2ncL`%A0
zvk>jXUpEqKu@ZiZ2T4prDq0M2Db5t?DDM{n|CjRPAU-i{tr~d2FPrXC;Y(C@uvMMa
zQ`mz%zed=6>q~2T(teoN%kTAq<`oZ(`qv@HhL(K+2I$GP0VRHW=i#9gT#atn1n%_p
z?3pE{_`uNQe=|OVbrW%D+h|kq<{}|=r@20mR{u9bc)JeSI|Av3q*aU*8y1g^rvGu(
zLnA&{)0%3jiTl>qxzZCHy)jsTPn@T3VT*bEID!J
z3(hzCpWlf(VIHL;EV{rTz(0@PYkPY!2DzNnA?Uux_8vIh2~ai`Yvm#zdM1cD`2NfI
z-;Muz1piwa{$KoY?w<+TO6RNbHbe-pF{V#@OS}U}0a(QJYoEUJ83Ee7b5m8yj*`+H
z$?xujKT~&?mhMh{cjv|!=koOQ<<31j3#I0XCy_$p-=>`fQZx8toC+TWJEaEduS}08
zZ-f%I8?LoW*iN|4lr$PK5hbBBLLEw&TbV*f2RdQ*F2wuj9!bXg87zMuesT;uwrk?z
zW4px}A7sG&BxqfR?L2c1=YwynE5@zZ&a0zm?g!uE{F+LXu(2U5r|D0H?Cd0zzX{==
zsSoow)EjpDAw1~OvtBI_eC14t!N23^HNBPiMCIesCrSZYT9yttyYZ!2YpMk+xGV3}u;?uk1YCNQa$O?;Ffd6v>+cEYvzeAouv2tTTkjPOc0iv$rS
z$@WN<232bTQ-uG*2h14MD1R**pYZ%5`h|ZLJ}I7Y5e^6{1@c4O3znUp;k
zb!-}Pj)u9Yof9vlo`*CaI0+5s@!L!Z31_~-zrGERiEmruS}iCn*nLb<8a&Z@_m)15
zI;P{P-L8tfjLaO9*r?*uUzIkv9gP)P5-Ap!X)~7>rV4RI&(4PjTMl%@X;ky~oog-}
zG%Wa$e(&68@Slzy!+*LkxD0#r_W;icPOR%Y>aE=Mhowv3Jkr7y%fwv1(kR+A;L28TS_s*%`q;`i%_XKP{h;?5EYsKtMFA!lJfFp`%aBzZX-%4qTi
z8xY()#M22TN*tR)hBC$017X$<`3!17p`L%1Ogn0@Y
z-F|dI=KNle4K@}oxU!xf$I}uDTw?F>`KfcC2ZEDI%nUWSwU1^ti&HgHr!T|wada#z
ze>6qcBaYXgF_LV1hiC@b5ml!y|2hqbIMU4FQc96YQTkUq&
zYVo&kKZAE^m7p8HQ)&Q5&)j|*QBQn+n&2H(liy-as8f|gor*r?lXZ=WqLfKVi>Z^a
z8L`6PiY89Iprm;hT(bK_)}S@HA=fJuNuxbge_GPHzsKvgE^+@}n-dQVPQ1#Lnqc{sM?Wop?{4%`eh&-(c;
zat^ur?wXh4ZQFd$g#jh;jJ+4teB^`8N8h$!e-O^fhC07gr)Q5NAVz6blUo1aC~}+B
z_=#lr`0GnoeDu`8!8CL=)bxopDTF!>F;}8#Sy09|l53Lm8-;6;aZ_bxCOqwpqZiXF
zxCYI+tD{__{2}ZMkupZDw<_HZM{Y%~!&W&`s4vM)6Xi$AV+1<0N9VEIVS?RKJ})Nb}Av
zvf2$G|3=Z00c{%`ggNMk1jdw+#F)b7j2rJdb`1S+oWxnJf$0vc4Qf1uohHR+1$sdk
zNJ*ft$zS)_$im0h=HKOPTv1-WvcY*A+1~z}HKnC%e$zg&7};LDtlsIYUsgP^n9wO#
z(Ef=juon1>N#L6asnEVUV!QG*>J^W_mQDVjMgEVBKZtP8PyBG6vg;dy>v|Xc9Q{yz2~|D3St`>?cT2B^EYx`wcY)E)pH9k*8E9
zO8yxh|(F`tfio~s}6F_7P?u7d;bO91Qj$%isv)$K;_d|I|s4`f>
zgd1G|$rDG3GKjii`4Rjv26ue-UC61U*pYFRY8zR91j7u?9N&$+$++k0oTKPO$fpt?
zVG@3O)!{p_kU3){z-8DT{+g&vA@keJsh?1?Fn@aww_xw($4yH&ZS>~Vd&F3tLac8*
zFk)H0c9CJp{zg-@#7KbMq|PpIb1eglS7prE+o<9%1lR($z*FT7^i=v;1AsBWVkVTO
z)gDe?NI&_@OY=|7PmW?mMG52O3R!wniYh8PN)nh=_*8JH(veWqlb+vSs4v>_$_8}*
z_)zPHx`d3OeGTZW@p~%QwI=S`gWgVIWMPlcAE2<>bwUO<6$>LgheVXK(IbS1;=TCg
z7l-Y=r&np*;uwT4Rm6Dm?IQo!g>4}ZMO$pa*?q$=+}1>=kBHv$taxZ?dY2d%AoXH9l38
zizV*(?ctC+V~biHML0a+OWO|g2e=7dg~CynZRU#H)#+ec?TDY1Ksh)9nt$?J^c^VQ
z;J#Zp!+-dOK`%2IVJr~_Wi50?ZA=^9u|ab|nHZ1|1+$F*<7R&&gajnCq@zlsj~2s3g^&KP#`Mc1m6adbZbg
z@0e4N8YpPbPcM>LeCk-0R2VH%a0vYpE*R`{5~IsZoN@!Yj?iZ!U?6d!@M*k|Dvj>`
z8efXO^vk2jKBmZ*nXfMtp;`Iv_J(2widoybd))ach`3N+TwI`wxrpqTSacDSijoR!
z!V_|t*jt~)WMGUL3g04x(+Q?9c*!xFZVyJfa!>8A
z1IX5fZ5>JGlA-*Eo;8&WA#bQ+xwAIz6^3tWV@+28A>{;=`mZF~XKkixg;^zE<
zJAQdYT~Sx3cW0V~*hO#Gp4qu`OB0?sUo=u>r90z=nQg&16hq_7SGQKy7py+lxAF6P
z+iGrqfAb3<|LgTIB}yExpw>DeD=I?1cI3emwa~*JF~ngnmW1zKj*l-N)Vj1ntdu~g
z5vC0{k7@v>0SnR3#x>|?(PD#=#TT*sEm?*iejsgYM(H162pMI1CJ&*CCawx4BoDbJ
zLPF%aI{b_N(Gb_)e{w}dUqznHo^BGNHDW0TRhF#pcNOFmC1y3H#6@v)_EpUqVi(=l
zvtgCA{D<-weM)?OreB=>Lm5YxY$^=;#OW9^-aB;f{M2X;D@v@FM{{GNT#dOV1hCjF
z0Ak%W!O_{R%SP5LedTG&%-dW#HxDsQtm|pA*DfvwI5A$y_$l;5j7Og9pnBm<6S)Z2
z2!(g}@bs1Jn)UwDrFC{^$8EiFZV`*%8yq6ISzDF0BUpohU+zUjBEGqPYv;O`w&c^X
z*&0phbHr0@*<#H5OBwdb+r{c^7GRgvpo_M-x}B0H=0(nw#n%%?U>V1>P)hFvJnJBWCCQfvRr3x
zEp?l7XC)Q&m-?(mTfpo}Q|eUuex=JGN+{|J7IYUTT1>7ir`;W}aFtO)5rf*--VGI^
zzhhju`s2cUXBr046y7F-i9C1@K8bvC^(io+ZgeH{QE$2~Kj;@}atn%dX)aU{aP`@q
z2Al8|Pa|JtXRH;AIT~L=f=|N{i`Qmkll7<{kSaVOq%Vor8H9v?)B^K4njhIYE*KqA!W&_nneyD#r9(GlFFL@VS5hTCd=mwg}+Ex0;}
z9UxeVL6lPMlYw)1Ex~6CCY8(t`Z!HVpz4P_kFZd0v4Du2>_j*|VgXMZASQ61;18-jOax&0YVv
zeaWK*&95$*fA4~1RmSWMX9oPuC26t(zD&SVo080g_ntbfCB1M(AQdoDZNr6?o4W!7
z-R2ZWJaJP?_ofuJ9C>}wMg07g_4SpN^>v3o-ZJv>3->O|73y88wc;3wLeg^fUq>5m
zX-iD@gZFT&Ke_D0#QBGQM_%BPx(e(c1L_9p*Z4b7Oa@AY8Qx5htCb8uVd)@uYc@Rf
z_l-MW&w~3x5m%ux`HMWITZSt|h)p(e$yGO+=Pb?52yYWxemc7LkGB+Et|WDsGBoqn
zzn^UFtApD@fkLeiBo7?wxWMQ+HZP5%v}wrg;m~N?sV}#xCf3tWPTUUH=E@?0Psc6=ZY>)0O)S)l?Qi|Yl6`Ns=h04#haK*+KPTG
zBR|^y51}Qj@lxOB66YG)H
z2;ZESgbzv$;J*qM)cV-S;_$dd-A=YSg>7
zu;~h0j?XE%pZKKzC9U`4ipr4Z<9U1~(Fc8+-xn9>^QY;5wGX_6P#?bZmMcjBhrP%=
za{u)jK7w9>>z+8<^@kVl^j#5L(r~-_>kh48N-Yc_aEFrg$U4-WCDEG`jTc{VHLtEx
zdtDA`a${QDs=0*E>(03YA)nW1Ps67h<{X=!Hg|5>?CcGH*rah9H9VUovpRjHBfZKa
zR+{kIdrWY
z3cjO3(KRi5dIQ=FxN$3YxT_Sc`}&i0!C7gFQoFkvIoE#QH#-$Aes6FD$*dSXJVH_@Z?*Z9w69>0kk
zD28%?N6G=8xqOU}1I-!TyZq0o7k5=|?hN#In^Wz29$(C6EVCq9a&lI05@`$?5q_&A
zDoUjVz^-;=1U=T0K%Du1AtZ)-dWNS92mt5CDLP8|0@MG~a1fH8T+hh6QU`bQTf{~B
zj>ttiTQPN!?rm9F63DV@#3ez(;+}zk*(bla(cSrW!sQ$4?Kq}0hxak``4}Kiz(e;5
zKyrLA$-qp!Tdzbd+{9FCWu}P}r@$b)^f-9?zI*k78m=JaP)qaS6h1d~+rfM4
z!2LD_ety*-N)0W&3(~-T`1IuH+tt>gZD$9Aby7tFX>ar$HV$=Q0t}CK;Pg&RN
zNh2gLC6lqoV8ey8
znD|jG0e<`-7{Ff<#leE9T|E5^Sx5X$>JU=BhjJD3n8~_$L|qykqdFbdm3l|CP5snM
z|84(j^;d*ZvglVUh5sMK5Ih?E4EuKh?t%XX=MIOAOhwA3AhSRBDLCOSOfvGCo`N0s!u@rk0rh?0(|Z$if`x3W`pHwuwA`vh{3C2T@?RRS)1_3p
zoLPo?{*i!<~Ba5*3%Q=b~w?1_&!L|C0g`?#ViYKt{~ln-w$Wa
zS3dA5{yEX=xI`DxYFA?1ja$u9dJ?Es>wO};91d?SI7`UPXYf80p^In>rq*V}%^)lV
z!~4GJVAa!3#KIv~uaT+&^UNStgqlk3y^`ET9=Xt7m{eL6=-=0B%ol5oZimnp2uKJ4
zsW9hZo}i=ImflxtHRSi@sM4gCEQhSRd9HBo?7re+cfQxi6NuP0@5cJOw<@&k0G&gR
z0WqdsvbfWo(N=5zUyVT!yw#d`YQm?97S?7Tg)m`RORV!*e{uXd4f7v~4
zl$EkPv_n~1y>NT!8L!!u1XeA1^X_>r4A@ipt6aSeur+E%YbxP-!A6jb1xGt;kM3Ah=PD{{i{^=C
z;>?k|I+v~?q^U(`f^CQg`w$(HPTo;4bpb>t#w8*o{mdCic?{c(mM~7hUsBRO6$&Zo
zjOfi8xYB1n12tk2PJHx?#OzfmJtm37xdDJSeQNlQJ=f71R
zgIH|vsMKB}r&oQ=GcDAHC5&&N4re4|mtW(f5uj}SBvYYlq}O_JWD@mHYtQzFk8-7q
zy67kdhdvyoCk3x5-Z&<+xQvjOjQK}G|s-;fe<=FMEL8e@9Osi^G-e_v3_
z5vV(;VC>V&$tC@7ua8vjDASQF37#kpFv1keB2=RM&Ozg
zS3jJ8$m_ahYgT8DE;GeaU!EntcVX;SRr9igEy2P1Tv;YNPAW0FbCb&E>+#QHK~`M;
z-L1j7<+l74r+X?^TSY?W-X$p4YD(!^ThP!EU%ISe;<<_k9K4wr`gBL$vs>UAC6kbI7`#h4agqaqcnuxg%k7~NZ&}(jmVc29n7RB
zATQjIZbdHLkZwnwxFOww{CGpU3HjX(=?>(x8`90l#T(LX$Qw7L8_+*OI_w{4ykWW#
zQ-#tWzH$H2*KYd075(U@>2~y!o2FaP4{n-nLSMgWx&wXbrs?MYkZwaiy=l4uizCw$
zfG?a*BQaROJM`BH*+AfB+aCGhQTpq@B$7JHoXKx7F^RwGn|>cgZ3Bgrx$!kfhLr6e
z!b|NbwW_%I+yM!?>N{WQ2MI;V3DZE`lpA9^Fv>K
zn$}&nD35?jLq6xJxI&S8_O{lt9b?^v=HSTDj+|91SLK3tq&k8R*Tc3M=#SC_P-aAK
z>r9cxP1~yyjTTOihc**jnSsP)wq@!1TK%)~Ofq-zlgTxHg}{{QOs@4Sg_g|Gfv$?}
z&n)OTJe;=uKy`J|nsYt%+q->Zzp<4M20Od7`EyHcC4LRoXepSTq|fojSqj_zhAfYI
z;)?0u;Lrmra(x|J>kho(G;g0h`{?2v-|W>z>winyN9RmlreCB#Ov*hMpGa2hJ9?OwgFFZGoJL4^YM7^;^cSJ>2ts-C$UOHVZ-w#@HZo57IWkWPndcO(
zFH{Z@v4+@#|2KXdIg1J59xyEw6@$_Y2~-*`Jpw?KD7|)ckh6yB*#l`M%jz7?{JQc~
zmgNKnoOzYGc9Gtt^p^TfJRJxBMrxTpau(@DwJ$-IP&$-bHBytFAJJ^QnUA6OqiH+GN
zckP0pry<*jw7aT@Gs|!3O?TA{XI5QVG0lBtssG8z18ZNqwJc@$&hGa%>7DNZQA}{|
zk^Up6(??GY77kZZCB3Esows(p@HAszCcMM$LL#(PGBfwqu&zG
z0r*VZuOir@&xr2|KQBi4st{qf^{AIRwGNpRgbeKTC>iO8a(EPmJf0}$6Y4x0Wqnio
z4Y(S|PV&~)tuZLLk{6cE6Das7v-O+VOu5z&JGiWuAfK&$LBmc;YHR0Y8i$vCvux04
zVs)UM_?O@h-6lQ$rOjW8_wtnn5eVSFlj_7Qa2S$+5+;H|lMU|&huj7-q%iCYcQOte
zU=VAipWItyP3kZ@_7C_xaEZWO_zw1M8_`!VNbb+>fZxg#@(J;VT;B9l2$X>Ly3h@%
z_9s662?yu}_$Rt6@%W$lK+ncM;s1<3_inr?>JEW~&Pz}M3CFE_9~s*`dlP;I2sX{$
zjN0RrIM-8awbr@8_tH>oDIMu2_iO%kX>Rbg0(Yr_g^#}%k6(>H%0IRS%~oLV;p^V`
z=SKW*K(-N!egpQADCa5i`^8!b{c-9lg0H~fqWSpkT}Mc7uT2}l9lkmH+KA@E
zasHkjq(4IVs0+PeU%%-ADT!qe{(Ie3f*CdkjkZYx}mXxa0
zgMacNUKV0e;~*LZUqvGp4L-y^yt$+!$En~dVv0@u%eNM;cxp`^;|%{W!l2)d-nrtX
z?WGELfg@KYjWfiZIbJL=rDPO~P3IocTlH*ip|2)IUA^z(ijA5yHOb4Aa13SGARN6E
z(&9ff=b6*yd@y8|9h&nI$HvH<=K*BRfx-jeuPTn$TUa=3Q1HZ$HV?r$k1^Bl$cV`?
z4YxHI6+GFUh3A!US=3~+GfhLSN9+4dCUz!r;v=vH&gqYAzEb=PV!l85qALNYtp3uE
zAo&%O9sdHT+=f4rXF0`_O7ul~Ih47S#UJIbLOIyRg-*5!XeTEKp9x5X6t^L`@ifDF
zL`dL^raF}g0X@%aS?%epaAyu5Y_@H&&)VzB;2CASIBSYE=;A
za(HSHPpZ(#*4Q$fhFGDLUgzq>1bcG%-p!4md$>852vnTe*|9()53W>
zorh4MYy=PC=)hVDzE%tXf08D>uR)
zfWh=nbs#XqgZJ7Vha7mpBeC_3wUG`m*K^m!tf#}iWnpC3S01{i>lnz3!Jp=UTsmq~
zgQctLrDUg)=gzT9&03=8>qn=0t{a@=kebPP-v;|Dg#D${Vn{rI5O4c+ch)awkBIU2
zg?eC=I0`&XNY)&F;mFb6CfgS^ZTz+bklwv}mc1Xr@>-4pjU&y#!@sN;tF_^GBPZ5^
zB1_ehvKV51!n&~b|L^?avBwG@1>Zq&=WQrl30Z;o#in7BKcqYsw@{2}OO@5CBurc_4
z9}#|=)(v;FFJmGy27O4Pk_LAV<4?GrbK_4+K%whd7bpUs;cLLUhX`;diVuKv^eHr*
z^zVpxcie(TNyq;kB>xAOA3|v7$-H|YH#m&Wr)=?vO+`RD?aJCru|4!x=*Ztx0jG|^
zvMf$@G}Toa)$obQw=4}ho9im*>VQMXoS7!D!nCHk3RD;)5=9+!+thkBS0s(z<8#AV
zil5_&B+L+145@y%Mz5jP)*@O5`dciTj0F@~pCJ{4>186PW`iOrK4-&y8=jQ_NgIAl
z0v=g$dii})Wc!^Def;r5cb>m^@jNW&F4|^vH~Iq^UxGl$l+u}Sg#sp`lqM>DW?)lJ
ztU{xaFO*0pTfmGFKLB7rpTGAfutio3Hvb8Z)dKkaPGf$!Y6P@!#I?}t#4<+wV!KRg
z5dx=TVp%kb{8cgjFXUm#L^<+gR1BTLjXLuuFiCyHpC`tC9V~BWq&y}FPytcR
z#y~U~`)U(9p;drJv4bcTe_MfUnP4H0NG8gVt#bU}pUy;a8T6Q_``*S6Pkc)B?HKIa
zt*~!ga&=8B4xpO>I-yp87HN`7;TGZVDv%9`QHGDb^Bn9YQ^0=aPxx|bKLXoy2`hke
zhex9k*5ZIUHTAO5D#`eR=>1~+ar1L#{3$8Ow>+D0{yZ{q9)A`D&x2z8aoCQn;4}0j
zvY*)J5;N~8%9M=%8`=L5@g29&K0xn*X-rZprl4ha0qrZgiRUCJ6VBwH0P7*bSC6&|
zeHHyXG54bhgFG`p141B0b^+S0zu-^I2bDkUyaN35kaYaQDv*l5unKPWJge|`fn^23
z<9cYb(N{1<_+E<)?Rd?G4ZY@hIoUfdX-|t&I<&F1a(jv{LU3whVOPMx
z_*A=Gq<1RgQ*CllymMleF3m;~bg4F(Fy2W+CVzngI)Ho*+Yq4mopCz9W0EY6Vt0Y-
z*&WjxAoGE)3T*{2i=&Ksh1M$?>7g$R6!M`sL(+>0s&%($RWGVcz9C53u24VsoJO&YJpXM+JV-amW5P(J
za6uvQPs+B)9_Kv)|9=7)UVL%o^UqV*rNDq_z+K^QTLIqW;Vy93N@DJKX)hrbfY0PR
zIp8e;?lFTmxG-P#3Xr^tJPVna9H3o*JP7hgsfmKy2U9o5Oh&Xwsf^O<19qE9Y)Ln*
zW^h>&g;tC@v}RwDUKz~Flv9{%aFkz!W@s7+#{qf~5C@?Cnd
zQOS2w{6q#DoPbCPKQrMpOw9BbP@&i@zz!Yto?U7L#UnT)InbDVvucgD6F5GXE@1CR4`dNMtI3nMxYY;~*+whSZ%S
z@vwzlu1>XqZnG&=Y!IX;XcStGnk6>}68s${4kVeY7+^cK+hbmm`iM#?}G*<3ZNJ{v?vTm(XqLGrd@^Z#Jp$N2
znzLOBOZogl9s-{f##EUnip%Ay#93msRKyWQgM-nv6?PxT;WE*ad5WGWa~jm=hiVhi
z9G+rPltGcoj^;D*uh5tn78lOtA7KMKkbh87o@{^uVxfWrhZVr<;9CHx{CUBL%*3Nn
zm{6efDZh;ZF%mT&*T(4L>D)plrjZG`3|mo8rX$}Q&n}W0gltWm%}0-U3$*%jG#)XN
zS;UcxV*2Su{X)N5Ht255F^i0e8ao%^bEN@CD9#|%`jB0a4^jJb{Zw4`KnOiPVAiQ+RCM(ZRyL0(x(`N&9lN*OpNiTxth
zDwkVhzu?KK`iKuU2&}8-{UOSeFvrHznEDDY~H!|n}3Zq2}+q)R{
zmpCiXQ2I21Z9|+D(Dh^kL)h+#5<;66re?E`bHv9Gzt;jf(#88WnAOJvewI)9%Bm$9
zpxx$eJL@)|>>d6Z{I24IdEJDloE)G01z7~gBt3jKAenwNK#c>5TR{An=IjT;M*{)9
zBu|*tFqmF6D9>f`V`5^(T4h?P=-+fiA^sBrz#DW#DLKgQi8Cog+^A?qwsl=mR(nu~
z7DQ(-(!s}>J%y%JcQ%v56>xLX4P0f6l560~Hw%OUl$oEBW-XqRUP_oe(m0c2Ab?ho
zyp=eqlfbVdbj$@_BLHY(rdoDs7MlJ(4)ag*{dD?;yZ46xll1SPMkvdkRtB~I_
z7SK>|PvqU%uq}^}cT%S#w1qI=DUx<3^6o}RyO*T>hBi0S=1s_-NZNgoch{2nh&s+j
z-rW!L-A~faMe^-J|AL&RzYE*Yt!1Y3HgG|cQKN05M6_OM&^4xl5aVJ
zgOiMRAnlC^Eg$&>EMQ!Ov^T@=PJS|}LCO(8eBa40CaL&$pW$0*Cnw(^zR~2DA=>3h
z8SM;7dm)^U#+)Pq2KpfF#mOrn8aBBMZi(j+V-+dyL;Nu$73m?yD)MeDq)EUrVyq%{
zT!Q80A<@KGMe?yBZIo=^E0Oa4327B1?bQhFV@N9`-+e9eE(U4MWWI}$e1DmgA&q3d
z*C#&@<*P=XLoN_!(QuA8BF|BGov04kO3vpC5!!9&SIA@Q;61yJPlMN?S)9bd9dEq*d=28XbmA+AMzA(ihhoq_u+geVLl>`HE|ak
zrjmJe%n7XHyG70TV0sH}=7f=SBp`!wy!0ZbGo!E;~@o3Eff@8A)gNdxH-_Vh55=hKR
zah$ZaTtmUOH*NtJ?)UnlwE|J%NM^^{3T@A_9)R4x4d%>B;8Qu7l-4qq*R2CIB^%AT5_xNTMW9
z?G{NtMc|d{jZmeh!+$``^a-I_kHUXIZ}!rmYHx)9fG;3M15&0C{zIpkqmTfFnyOo#
z=+d-
zJvN$ucV*YIo~`&7+gZo((WTYf@p%P@s_^%yl(FuuK)sE16zqU0U|&8=36^Z=N>1+D
zP*Sp<_)B7m#?TC*@e=;(h|#XyYZGwgKnl!8DcwvL8-2uShmeT|h`kov+e4~RYV^^?
zAOJV}Fa>GWB;}dS`Cg62n{PJfC25xJP&9#oWjJ1r&bP(0{qkX$
ziXU7Ckn)ME1>lr@;-BCWK2QL5I__KkUODoDInS$Bdtr%rM2UH*7&n1~`S^(a?6UVu
zhqfyk@qXr7skQ&MtkhHHQcDNM2rFA
z9tP;Ahd(9k8wu?jD*Fg+nLo-^yP`hcuaeQ_@$oKgEZx6Rv?*{Uc^TM;=jSeNOk_o`
z6|s2nfduf|GXzjH70VNm(_ex8jl01;wU=`BBdP#HDwkfQa;59k9)noz&g71X#}dEs
zY!Gb>T)_@Xj2@Lf)1{P{ysG#Nr*h)t8GIP*gVj)b2Rf{05#(j$dBhZ`9MW}PHU3NW
zS>f3VK(DwD**7ta>^q38nAim0fjS|$f+3-I^x>|8Pv!@{3M>%J_y3oFK6n-nf@imY
zr|<%Dtp0*81|QHb66XLn#G>`0-~$a6B9Dj;OPb7joKexQJ%0K4`EMh(t}&$rHS~+W
zd_kk)a37!-l0LTOGreq02tx{1AJEeVVi?zdUX2l7(26bK`
zhqHnaTdy#4xp1DjYXgNn84@O&SM*5FGzjg5R)!+J$xeZ8Tk0$GWSD*S-Z{Ql(STAI
zGpn<6T<*9nMxlqk$qe+`6IRhu8RyBjUH|-Hw12=
zgS%(Sxic)3%mip8k32V_HdctJ?Z~_gN7cOSgj&-O7jwpgj#v<5smwI%QYu|3edSK6
z*%zk;?eRv8H)N?za90G>b$g#L|P_biClY+rqq)pgApOMkNB0r@eMQy5FR^x3g
zbkYHupj{Nj5ErxzrOkbMM^)G#3Qd9SWl^_MH%B_v3&9C*fiI>`FUs#oqvFgJ5&ZSvman{mK_*WvyT1wp&A|~`x@~ob~^702Dr*Hxn0Ep>F1S#Yi
zO!2HN;6Xnfk3-6p0d)?C4S3utz^CL-*5r@Kx9De(=Mi{0AwMc&+6t%p-caVQlt~FV
z;?2(SBn8vmBB#vKTITVzuBoVA+vM~+PDqRGA6~tX6U@mg%}CD$XIbp{qLIqNHC-uz
z&drrody7Go*@WK*b-)5x@7HjwVj$N|n`U=QRvq?$h7=(+ha#)QG$k*Msji%)VLlKYHhMWdV0W3!M`BV=nL?YX5Fg=VYM;a(9v#$N
z%Smq@$u6E>Y%I#FD7DqCs4kjYohq4c%iuD_8k0hvpy0O5nO*I2YtnhlXn|6W{GJ#C
zN6BnY=deOCry+Y`ojX2nPOeM9SMjt;L2R5w7IdBmDQPy3!NL);Q4G#wC@GQ8VH?@h
zC`rPj!4OhzWiu5G>bMsqC)->pDGqze|KsjG;M*#)zTrE!NU~+ilGPD
zS!s1~Nm)6&UaFAB+ZtxH)Grz7%^$L)sc`s^LD^qAlTkZ@?GIW?|Acl2+HyroLfP=G
zMXjUIhAt%nw+g&UF@GcF23@Z=*atLD#sKcS1nzh$u`Zc?ah*Eh!i7Zr3Uavb0FwD2
znCaIrzj)-YO@rgDLxR!8O}n!kkYB5#*{_wQ?k7RA%Bg4X)7hwhPRlFS`i9!_$W4x7
zqg{Il+b92I7ZVmq6Fw{IRyizXWs;_=x!fI{YWVCW=|n`k8qPjo_W|b}aJu2uw~Xvx
zTsFFT(a8QI7FA0gn%Ae{>Okq)5q;*)?=yEUa&1B!Apy0PJQCQyIZM8*@s*HA4x?vV
zsjc7%i3G3P;&nRM;i5Pa*(99XEifwMljGx@S~;!h)jTA@p3A%`%SbGlH?hA#?uyMR
zzxR>Dy$OB|XDj(R%*W24dju4d5AtxIH5m*h@1Vx<`$H*G2K`$CzK>^B`QUpMs{-H6
zzjHpg3;sd*03$tz{7o`|fFlw14Y-Z&PwrsO;akhXy~AvhZ%4?A19y=+Q;Jh6kFjMK
zWTd3dW6MpH(@aX$&=PueT)aePb5N=Tr^a1v%qUCF=~HZl`EI8NkoPhdupKGk^TPp)
z(}4?%KuV4&>6ahR$XaW>1q`K3%CSkJ8IWW(#*_3wkW$%})3de4t#Kx(fYmOO#K&QJ
z_tPWD7nqj_3H-sG=L7qPZ??wAZJ8Pe-9R*J^OMNouxkj)Cd)
z$(iiETzkGi@1shX2eEyRu1yBqaG~p%xOtP)%?@Ux)K%P=X7gsJ#hdNSCP``u`jz8i
zdfPIJhE+RE7Ly|#eo2O3@K^%k>Hd@#%hlGoWI2b@Ko13+?2^jmwoEKwuPp})xN>L-
z_}Ln-T)S#mCxQmEA;&*}G2Hm&hh-8sC^N-@r2!beQsuS`BP_GFh%XaXDhXCL%FNbH
zos_8rs^m<}qZ*dCSn?e#&(k@N9R!L!E_I<(;F3fTw#mT>JJs&ZPK{5nGo8>x?!dK>
z6s!eXI#&;|^Z+Us>!CG*CTes@69e_|52%o8M%KH=TPPuwNx3#An!)-A60EAY^{a+Q
z)=N-<)DBGIWikNE#E9FAo5+Ry9gZ*3FTNPDAYr?cpq-$5Cr>8#G~mj$C_92}CW&oHHT6z^%hJ
zS=GvQU>#+2<(W+x76nC_T)8GwrbXfV5q`}#83Ulvlx2yd$AK}Z4LsV7JF(&PaQ#A;
z^nB0=`;3jTz;zS!z~;g3=?*=w&}*rQP*=?O7Dy-k57h;EUV-5Zd6_B8rle`88fNgeyv&%5e!;3R)4N8iYTWRv8Ql!CyBNLB>a^DWi;DSQr%Vx%dQOP%6n@IO8L
zO>MXe+#A_agD+?6>Xz@^gA}
z?SxwU(bS?M=TUp@_?nPkzBKsLb_D)(9kJDpmn^6q51+c=PxSQKdGr+jL{I5ogrDf?
z^&MS3H8^WW78SVN1w|ukosx8C9sC9VD;innY`-jiCjQP=qF?TU0(am^;5)Ulvv-ik
zbauLIs^lIb5zdwd6Z44e#N))@i0@!6>(Fe`p`fJrOE&UlgA|I=1CJhiqJ&Y9>LKG-%5FimTr%
z)H0P+ZcWQe0KH0Jzo0gz7bRtm9y8qeoA^ySE#%Dw<&VU~$s`N_RFo<%eNuXIn$hEN
z>yq-VF;cQn87+%WNHj`{djO3+H_={TSDD<+d9OxGL9{eF5k4tt0BT2WqQlKSAzh;E
z(k7?J#{-SlAmj*oDl`EywaNL39GzZk#u!K^{X2Y@VE`GWQl?G9uWF2i@KsB`Ek^2l
zQxzz)xQE)F1BC8oOCF)mJ%bR
z#sH<3F=q5|rz}bqCl@_5Wr`kNeLXZ+BvVZ=U-A)w*2El}8c}O6;HZUm(ZlR-OtHj<
z_gn}7HHSL~l>?%HRN_Qe1Yy^yRdEM;k{}A_`S^$ruxV}NGPz8hm3Ut7F%2PG$i~4Y
zkKtTmwpu1vrfARWy{5sw6TZ_!OofKGwJA!rh3m)q>HARa(*4~KWg6f+MK%sFMH?9sLHzefXp3#?_{b?W6w0iYW3!Lw>R1@@3UcIDV&{8_9xLtaclz=`$vyX
zR0i&As2!A=a-;ji=%<%I6`~WJaI>jx_yiWYqjpS%Wz_VyJZlP96s{?lFy)p$ZN^DE
zMrPU?rZ@l6W8K*$8WhSbfn9eD+^RxfUk9o6Ba2%{lE@^GBh>9{lr!`Z#a7yD0b`s
zipyu$x3sK3dzrnmV+VWX^4Sf|GwYTdz3|hjRX<%gx}>%ie_we8ey<}p!St743i$RV
zoc`y_FQ8v9Tn4c_SK&11-76^l5%m4Yg)7Jo3epJmI-IsbOfx+;A}t)9k|U8y+`&`B
zohu9YZb0>m_f$hyqQkp*suMbxf8TJ$dP^6Sk_Q5-*nw4TeieHRzp72`?~)Z#;6s7d
z_@dx2MS9Qt;X5Vq@b5hq$
zdNPTg$cmLnz1&_FzS^MIc{n4KyG^P9cSVSLPN*
z%Zn0n^9*T4*8e~|^_eUu`*RmOfCu6f54n2vA6{57y-#*Z^PFB*nK3Cd*^^-{Ev-mq
zujoC7es?8jGjTUinjmi_#6V=b1e}Ix;jCO6bYTx|hBzRs{JMg%aHO5FNj+vXtD>ZF
zWtQBWz9S|KRhUwZCZ|O!Rg`DU)Rpv|*0b-Dwv6W1x}GVGGaIYt3@M8N-Y!_ChSHQ=
z9g~)vmr+^_j%8OG(vsp;W@}u6Qk7FXq0XM$HoJP@1e0mTn7k29Sx6>SahKc&+Y4ID
zMW=+-sPfz@2Qt9iHm$qRo$o0JopSih-x%tROY8&#T<7*ARE>%8>;wILC51wMSd4*-yG^K6m>rXBz7YORIGzU7TuaV!lh~
z8NIq!%`L5&(oIE$;hUFdBM)ec^QMv7uBoF1+PM9E1d)jEJ-Q*cwX`f9jP~fh@2VoE)#ss2J41$5jkfKwDk?M4
zwq3=Yfla!dl^wS5XtJB_Th6zh0-^0VDST`r*o|}CdXX>h&Ulp;XJ!=_=VTN;d@iG>
z?smwsDzo3B=03{?=j67G%*sn=vh&OAK|_WYHZ2*F?;W|M
zzGX&(EncdS((7-aY;?#N??GN~Z#2q>j-Q=1BdPU6Eo2Mruf%}o3a>gl6pc!e`cT+cF&6FUhOegyJb_fmvpxVyK7*O
zzu&YdM6xI$8nK_0o3}c;Cl>nXP1_*s>h6l@4;UoCakJ8*1z8~*B?ZL+>BLIurbPbH
z!DhMsO1GPJ1OtW~@?W%tbl8#ybl0j$=@x^MiQTht+8eve^^FXkDSy09>7F*5I@nL`O!wlVRf@|hu?&~)jqk~75zu7FYw(>ic75bftKGbi>#Zn(RRZ=^A&fyd%v-@M$Wxy
zg$c?4*>7#wBl->Ox9(aBomzJDZfx0o+b#29<$q)Hv3LDnTC#xiEoeW{Lue4VH?FdI
z;lDvNd7a%$zUZr^CUcZeZZ@nMf?8o9LlvA5R^&3OccM-N{LlPTkSkddI0rlTNN{B_~fhwXU^w
z9rp`9#XdI1lkZc1<<5+T=im*y>oGUC->j<2S#7zwZL=z?X7$UxPoL_sBze$+rzgn*
zKgmB;&g!3woa$B0?4Og745G
zqy&^Ob^45|w1);w=6EFNdubJ)-b(AG*<`W7CbwQ?4o1}{+H%pR>o3nFj
z-I=l(>_1geK&ep5NY)c?wkh+6^+>m-SmP7y%DfRhGT>K813EjfOL898Pi%klCq
zv5WPqAu|uC(vsN{e5gQj9@4M;#bjnT?&jJJK6?;&U+_dONAH7oQf%1UxZ)Kl|8~Hk
zIDFgh2Qd;mZIfja4&o@$oA?&yb{gmTj>JyYLtKtd8vyL`3OfM64m8fjo3$$0q5Y;r
z6??6TOjY_W%HUY1RIoouRlv%w+=A@^RHw5f?{|Gx#MRYVk*?}_OyI0Y90kAS7)@FD
ztcb~#i_VI~ac4!$nHEJPC13+bLlU^7Aqio>G5tucV6jn!}g=aF!QkZ6tu>S^XnQlHKXW;+m
z>7uy4dKTS-+Q$q>o{{@b7DKoq{Xp0ML;2=$~b50Tt;DJ)-e6xN?Z=uk+7dvsJ6zTm7{%OQQ04Z3K
zkWIsVWjPE8!9Br_FuAwG}WVU^09+dPJiLw=jpHLXvy)Q-y`(DUnxy|`*#}rS91KG
z-FI{CZ!tTLEb^a5_Z%6tzwafBuK#7yoSjF0`f1$Gom`r!?07QOe+I{NN8W<;;DtFm
z`(AsA9lvA8*eh4KcIx{YT=2hw)8K;wpkT?gm;G(*#ciX1{9zPMv)%U<_|pF}PJ?d<
zz+Y{<7f)l~`*HNPZKE*l$Jl6cmj6NSUS~%;Hh3T7SaNxv%&dMDDJd2GvNHRWC$G)P
zOwG+r&CFrnK_O%bj1C%uqdD`~p`ycEdLBrb%_X#5qq*snv78
zya#x8?+&IVVOl1THjoe};%I)5jU~T=a>Ks)q$&6eRtnUy^L`?R{aqPLspCOfECB4{
z8M~s*38tvKW)s|*=021`G6mnA4ja+YWoXh$Te6BRa7*Q$p9B1$MJc>;gU|wg?~=Rtd_%@WJ)B#S(H58`g|f6DG9kfPMK7?*c<=)=+?ZKnP2#dnvX*2T
zzk7g_+e7rNR26d)-*u2;?|oFJ+P6L)oYOqYDDS>|Kh}p-`b)_=+>fVd9fjzI3qya&
zHk|wY9Nm|GW8#sIi`gyYC_hT;pFw{~u0&~5v?)+G^o4E}{pIz?VcPWP{G^UuSo{@x
z3Af*m=}FWe$zj65c>H$}AH&Zg;%@j!5~qHBlz*<_pWlw37Zc~ho)3~d261l}?{m)=
zM|l5xI-eRL`5caOXMTGWm+}CJCn%T;{N$foL!Pg}&x?tF2+x}(UkcB?{tf*58_{$B
zcm5ygUC4(qS&d_xH?sH82IghF7j6r`4{oD4N1Lu}fIQEMZYxWq;7zh+xy(J_*50W_
z2?oY&N3ormsqAB8bCkuN@oRgVlIWPtif9yS)sU@Ll1aJ(kDU7b`j@o}hPb1m*J$K%
zHcu)wr~RX6a|`Ku1(RSNGrRBYLvt9(%J|s+!#Q1OWbc;Dg!J|5ioOVRa%7^@UA9oV
zX&c$PT$VrZ*50n-1cSt6x921wx{r>_i7WApTf^Qr#*G|5>8Gg*nQ
zs$8oy3e1E|wauI=kFbkrJ6i~=z=mt(3y%v;IeO=AnxEA%o|W>axZ
zD5oUUi?viPb5G>^r5)l#{RnM>#DGDbh-`u?JVnSyNIsq-+|Ur<&fd+WcaRS;Z{X26
ztQ7Jgb4HOR(VGru2CzdY$}llmC=P-#y~t`UfjvQb3GM^@P3%47CguQdlZRIl=wOzE
zJ-5r;18;2=E6(lU(+*}iOW;GoKNS_HRj}v!ENFGst$uOYoP+MFm?W*vm0OipIj%lgU(l~~H#FO2
zaj~G39jzyyXFAYKozU45OmXZXdC9<8Rg<3H+`rK?L=~@3)Mxgc-!rqZ(Bf9Al^P{j
zbQS#9d
zw9M`0Oei1Ia9(;)xzQL5RL$8uWNzvuh^!hyW
z%+xe6<$8J`{`D;cK|c;|+|u^)LA3C98|`BMoRuwkQ~$bk>-5Ad6(BFw
z>i-_&NO?kcdiwe#wx1^0b+Hu$g;2>2_alswk$048X$VGn@LKP
zPlsq}^RgD*X9@TZpryI3X)WVCO4+f?4b3r1&L6l%4}lJ
z5wUzkJuMgb5_b9^!XQu;83R+t-x|Ywpk>Z!qNB{kV|ypYfx*7T?VmlH>!GU^60>P?R=+>Zsg1eT
z1Shdkixy-(foWb!Ph(z$W9|@4^Go0?&&yIKm-#cqhjBPr#`6-z+>dz~6wZr{5A7gz
zP(maRp@yC4;D5wXS&wB7b75}P#bQ>|lFG-o{{yV*FHO*_NxiE1y@-)eAjP3gge_ej
z!+46;)Xi8<14<$(VYiRPB3a!F4S5@*|(rVl`X^1@7bYRrz*yj$h
zrD?flIqA%l$H?XKMOoPkrb*Q)<+`7eA@Vg*8W1tf5%P6D%~Y5si;vUP
zNN{nQCh%pQzhRmq*qrEBaUDuj^k=xOfpfb!NmF((3yRe*6>pl7xAE2J^CV
zd2y=*rO4E@;4N!6*U3@TXE4jY*(I_UqTGF_S1TF;)yBw~90U~fomL$cAC-CWBDu4=
ztZ_kG7TL!)1b~{drUm`8;Jj}aR~MP=Bh))|JQ0U>#zUgi>C~Y$5xn-}4ylQ^D#kZB
z+XhxlfPepu>!7Z-dHL{yfjeKCIbi#gvZ^_|h5~JBl3J*O$9pW?J?OUi4GVVb
zt+<<8OJH}Css5MIJc|)xo`P9UhkX1xvsL+WsnPTcocWvYh(Cd9oie`2CB&8Y2$dV>O7Xa=Y=-eABu>^6!cycF77(hA@uzu}4QQJIQ}
zCaW<$)cRF9wy2c0;o}NKuA*k8TdXdgdIpkjaWRxyOgQC6q+Nd^$FbErq{1$C6ZIo-
zWN`G8_H?d)f^#`)5w15a?){5M1Gx#})vzvpXC8+5THG#hev}nEA
z>55giXMpi3)B
zP8yIRi#HdTOZpcWd$bkxDsn27I)yuF(8M`q1D5u6=?nXp4IY`=f7!tFOkt7x1-!_u
zcg2+T93P`W!Six!oc8R5*ceInpe$NyOwBW7m+2FXfQ;4*NGf#cQtJj~C-ii<3u08aiW`vpg*cW&C`6;mJr5*u47yhyI2{hWO20U@dKSDS$2zA
z8LN+~aMaY)C1>RdjKmAVk;TbEB2H5dA(Hg$B}%#K{9!MZPr9nEihNFAXe>Rk^F{Cw4fy)#R0nbCW6<$^=g($YK1
zQdhTP&gkUfa+^wJPtB|B<6d`{wQQj0IpdLKo2N~#8Q1L5s0~p}V$a_BLzXtp`?EJ|
z)3BlYRu5I`8`3&RHZiY0eThPirBG4K4gZ*BIB-+1`tX}woY8DJk8ZPw^g%g6Mde0+7Yd)U&(@}YG(
z$q9;BB{QtoOG{GII`AH+QI0zJ)g8Be`rKVpixLYOv!=(yCubxN*!}57D78|x#b!}Q
zGqVTJh}SoyhVZI$#c=hR0s9Hm4(w|3`*|
z{M*smJHmn5_nc@g%#PQ>P(Dh86RW@rB+Z-bw2XCPsia1H%gUg;tK0@VFPZJcg
zn@DKig|Vez2AD|EPzzW45Bs7pwh>|rFt&=rpuSyXS5Xa+J~+zjJGzT=hxTT?KIH)M
z&0*J(j!~?&BxsD$$Hyn7m*(`C(%={~EU&&GO_vZ`GWPlDt!u{@H>~~3ZH?u%VxMqF
zz(7SDY_S!y?i+slHnY{N8{DtCeD40qD?i;g61gSvKkJX8;^5o`MWvun6jnU0h=)Kp
zl0;l@b4$Tn_M|j^fMe3})M6kUGPv;r7<%h1aN>n#8C&{Qd2~#6Vrng%W5~YJQ;qCp
zV9P{f33~v}Ajot4;CEKRBqogKXA=4-G>@oz0@r07+V_LDlN^pEaB2%YT&HgV`V?-5
z2z^6G{2gj!ji6Z}`s;u!A@?0xDHmRWzw*z_iA^a==~?a7_PlGb?~53Fv1hcac~u#8
zE@u3&^k0&P-BX|bi>K$^L&~qDJrXlvSoShk22=mg;E}gP^?ZC%)tCx>G`V^FAXoGB
zdUFbRbo`)R^|VD}n00>!oFeC2_3Yi?FQydW^MO9IcBg|S&h*(+CM{dIY+?TB&3KOJ
zPhgKx|H1Lc4Tzs`iv&`SMsKlYf+_}fLV-%bTmg@LaC*)3R^-_cjqW?j#yYi0sf?!S
znJK|>ovR?(kMY65ec5fU48bHRf+IUCXY!nffIWlCp1CS$n-q_zO|HG0AKGcT6FKJc
zZ-WfP(6M+0vx3q~oyblNSV>Um9EqIV!A{qZ(G%TSWmASWnt?TgSC^RNE7=JSs46*i
zgK~?Zbg7t@8Rc@_cgE*32j!M2_%Rc^)f5!i
zAz1QvN0*G*G{TsX=F++37L~%1Sl1e(u?F;3n)dGkYZ@;W3Ath5w#g+-lrnl!f+}YC
znEe4QeFE%rpl|pt?+gAP$xoRwd}3Q@GYV4EaUNd=(3+#rj!xy8woMjFP%>uLG@{iF%n)u~stq9)|ZHbr-woDT~$DU)fe
z85qz+{t15WbRSJ}QQ=^7(dD~^V@}ZY<-(MC)ts@(?U+KF5=G|OLK+mG(^4whs8>-3
zrLKwr9!FKuA@CQyPZtYxs-NX5ncQqtQ%^~=dyMd;H9K~*J@n*9)cvMB75f#CsV%zV
z5!K0Y@^_z~q{`KRJc^FeBx#X~X%v5b4)^)~Py9CGD>4bT_ZSlO016F3OLRS?ujFc>4-
z8fRKD73KgeBngeo7?_8$M#zJr$cNM#_GnU(*;57vsWdM3aAJ|!1g+>Ww#)EeIi3s{1H6b-x1LO!g~ut(sl2}Kq#SfzHdhZ4Q;-9$Y0C9(M+%KsW3
z4_kkK3uD<3Gh%F20Ash20Bj`>!|}Dz_ZDZXb;O`9m%{NoN_2va0xu=o(do4$
z#VgDyv+3tJ4V+j4?tBom^>CcN@D+ZlPsgJ_2f`QO(VhHVZDs
zG(7yUCXQp^{`*a4Gjb8sJ{9J@kIx%$+4A}G*>d^s!xDTvPynV9=UY2jkSABb&nV|T
zd+=EtsCUc2JaQzt0Q(Dw>{4x{G`)IYUPeQ?*KBl39+GC(49L%@FZU)GTnss@ctlMy
zwB=G@?~lJ=w{}o}X!dS$qyI3pDG1RSIS;q#wei#+
zIwvMp88rvB2SUN_Cma1QAU$RRZkz(c0B92Fu_FiS@qTG)^PDP9jqPf+omXSnwx=+D
zik9w!^RR1p9(E0K`U~u1Nr>-;xC0{h@=s0@zi{zM=%JLCnMY7$9I>A{gV${C_q|S2
z{-fMk8j6o0)=Fn+um8Oa|7Djx3BGuOTjTZpPFDI)!93gj)xVFyefr;hAA-N4_elxF
z#&NNweV>vg{ud#p@z?&&%_Z~v7O)vm5G(XgzV;lJrIfv&nF{+CyweE_rW|2&CH^#w
z%j;01eKKb1lkBzLzCEqwhL-Y_n&Dn&RgyJIr!bk4EM=7yrB4E;7dg6>IdE+#@>E`-
zsm*kjr|abMUi!EMjmZ$bnK|IwOwL7g``B;Eub_QpN0Eo&4EeKva`T}A{}ph8`Uc9i
zNQ>7~hzaCtP~Hl9i~oM8uM}~}XXW}=-*=K&|0mLVh#d}K?0rzL=i+on1nh()mbik`
z9Tnb%eJg=ua1f6Pm=C5~C$&QCaRK`krkjP+Jt5?$h3O99bjO5rSLl7jQ076j9w*9=
zA|8>-Aa+7j?pk6ha}NN6KzzSJN$LdbH|83#OBw^yofOKD(9aVU*w5N20n3!wi3w;u
zfH*B+dU`$4i0L~cU`|Oiu}Nx%*i!=5pC0f3ow*LNrv+>i^8=xgqWGlG2v`=B-w#-R
z&kIsKnRoDY7!(zt+n0tZ$OffT)Z66)sgJ
zC7~qIgN&()-M+U-EBL`aw6JifgN^rnW;20o_JTf{IWS3Xo+^<`qGP9;{hz`zPeAd^ZbCy+@aisFfapp-Z+Fxc9h+XSH;s>u*P7$Ir#S2Xksg(t
zc3Z4kA?0a?yd1(bTk+|s$TVZ0TX@7}Zc4w|4VDJ`8y}}wV|$RgZtFToOO8tahuL)7
zSD=_OfvdigYWt1W5~L0R~dOSe|X5fpCo6J%4}Eqo(!!*#3O1~LO)t|
zGd*dz8>pMAxK|Bn1!i-;Q?GZq&E^7^p?j6}+t-!?7ksC{l317uKMMnWz
zoDcR5BK#jAc&&hc7J`ov@P7tyETcf5?0|jp$9y03o2U=63jN_RaemVGg!fJp?ZAo0
zfX_wc(W2+SfHpL0i^qsyzRYgol}KX*vnQmyQh|=M#5;Z#jg|iG%sS>9IJ(DR8&m4G
zA#ajgEvva|=Jrb+z-Gp`9jMF)Ut{Nhig>
z06T{VY7d-f&&2h2i_h`IKL7P$>8m=)zcM8Mmjt}16TH}8(aAXfK_}xpkF#^d;~dii
zd?>;La&T~R!_PmD_#Dem^n7dBb1cX3_XU0(oIE?^e?fTe4SW7Ld>)jqgOe|Q&e<>P
z!``pDLHU(o`6Junyfhv?r%~I>=j|m9j|t$gZSi&#n<$ne8B2VN@h1sF@-?<68P1+0
zzYgNKo;dt8KKVj&ILwE}XVF#2eS!+k47q=N-zcR9I$Z3>>QZF^=#)*IlUnLcf$Omp~amloYX+kXDEIP&>OnT
z?69fHQS}q5lP1jmrEo>zpV#h~G{dmy@QecFN^;4frcJLcXUXHQJL|`k^d8CfqBU&4
zWh;mEe>G>|;^vCkqg#wg8>fvwd|MA#W}y6?f1v!Tr15i5`7f;9-m!e@$?lf#hcj~e
ze)wGh<(n%iAD^vJb0olysRIq@5Dqz+r$cc>e?-}gNqOt5a9Ywf>Nn2e=~-}Q4LLC)
zIiU9$Y7cjgfZi!BhI$|&xc$3V!7T`fW57mgGdUi5
z&Ufp%ffII75=31~71f}0s3Ezk*!DLnYlHkW*6w#&!IYNMlR2*RI!oZ*;r}MN5`EeG
z85h)dIrjg^U)3#zQlq+YG$0N{Uhkql(b@txd)s}cg=d!6bn~1*|M%CcBdm={T=6mx
zr%=hrtB=Vi?f+=SjgAbAniZSZVfl}e0!w&9ce`ptWb{qhl(?6Xh(aPM<%
z4}89P%;|tHS#JT^)6{kTo?_wO*gFKYOj{JzI
z$7h@1dzYA3;EY60?B!N?*q#1Qai8-?^XynZ$2yS#kHhh{3G1_*Z!gb_(iaN&1>#W=
zE)()OfpE^gVJ1l*#r2$aqnZvb{dDBV+Vz4@=L#TRaP9^Zkk
z7IVbpT#dYb!_o4-jKs1jxshzTShDGku)18R>0Ef7EY5JW4}^1dTWK(Ao`Jh^ZifWjbtCb)Y2V+zZ<^5(z%d3EUI+uvzXl>eU{J%F?;at
z8tfO?`*C|s5%JR5E>?Jl!M+)BAB&wY?nff-Vx7Ztv_@#t#X*~nLc5$%z=l21a7G()
zz>mxjH>8Nn2KDSRcP}Kgzgn?Lma&~u0nQZjeR-#m{pJEy2JT}g_;#L4gJ#zfdKW;}
zmapxv?0-b#j4WH={|@3Y0e@P+k*9`l;EWUX-GTmWm$*NJCyOv
z~n=HPJiV$WOHhu3^?Uz=y#
zrX#Q2GI;B};mK{95=&x9{ovB+Csy_>9KEi8zoo^ty+$JmZtFM}o%cP{r)Biv%NrMe
z^z@&m6eW3jrcO_Y)u>Y}@q_k!x_Ekm6gN@8O9lKa
zsKmBxUv?=|fX}{i_)EYmN^ceLW1zPPuNUy6{JCt5V>^e#PowmlZN^L$*=Bgt8~y9J
z2rX=dv)B1u@3aoG3G9P&o8FVc`(nVAC)hMXX&v(p%?az$v+&({crPq2nzNLY&{F!Z
z@)Y>DBVSlpjtL^XRKU*y6F;|Dh|A(}@C9&*(#HttPXeb1ZxZk`pbhNf+AqxKTmTo^
z@7^%H)VBrWo5S!j4)^Cmd=_5Ii^J`!oNK?RT{E+AJB
zAw2&|KL0~F|Ca>3h-EOoKMXHsoB6(Xu2^nN4-#34AQ!Ox|foX~SYP7Y2^!RPFK@Oe;P4k)ic{sbpCT>b^2d@Q#v%C8K~
zAH^;s<+#17I9uJ{8qgc6MuZ>r&%*7s3I6#zK9`_HH-FU;Hj6+%_WBcmxe%docGyeD
zv3Y;PwmetP2~-ZmdqDgW)@Kes$>S*fleiz@@YDVo0{#W=*Esws|3U#T!tIE|&-!Ns
z=1U}r&v0Nac$&HWXE_VJZ0RO@-^b_RIxS!ziImYqrKMCysV-@#k6BO1Sv-?t~I}DWs@P7hnKz=cF
zktyKID}?2dMw7lQP#)be_h5b_V15>KE>;?zV80Nw0$fpriu?cfXIr@+307-v2Mi9#Q}2&O
zG7#O5B#DULxM_pP_;Z|w!BUeD{FFSvM-T#99Sh8;!(
zXbZV>`312hh~svGa0iFu_Oc*AyZAlkGh$<4jwGg0qF&CI_Q55mNixy5dBuBAs7l)NCXZt%3U3n5Aj&i$tMRw5M3Sdg@*gEklJe4}m;n`-*I9BQJx*Fx%S5%b-DM
zeVzn%dd7UL2%=oipo*#;4>YP3Gj>9BMx)?p*3!^|dOZp773A~&DwIV!5z)ylvK^*rhW`4fdUzFY~;7@@8
zBHSwAe+D^3U=J4gsnBEZwl|PecjeM8DRAo~Kg045Vq4ODowFr-p!1XeujzvG`h~cB
zUS3ewOGI)k6z~fGwibd$xI`{}l-Ie&KcaQP75DD)qw0Dc{*NeQ$T3WgFUap9%omD>
zd_%svTDk8oU%rc7t><@(EjlamO25F9jO6QT=pU)8E_ML^c;$7uFYreyv$Nxzf(*uB
z88j0kx*>yZ?<90r0E2FNf1z74V4mvU&I8T0abcY3`$zO3d^h5cSN`SjJ&He4;T?~J
zM(X>Ip)moClgLLAzPq94A|ZNhf6P-6y~}q|MW(hN`=btvB=#-W|N39~EDGb1*)3X!
z6^)0?o{(|%Jsx+!@pA$ZAj-C_Vt7B{M
z`oK3~c&YC_jPDM^%Y1vdeFBVM5O6Px*Hzh%Aby0y`Sl0x?&&>Y>8tpBzJ~atcs;?~
z&aE?Gdi;BF`j>?C#cV?-_Rk=UC;GQDUt-%Yfw%oKiNIL~WLw5?QGtc?7JxrBhbOb-
z@LsbT9SJ3a%1%@R#gb!lyp20P+Hs;1PGQN{v-{7f&+Aug^?gTvTsn38pm{HE?aLDQ
zh~EEn{`~&R2F#a*pZne?!b=7GEV0YaLVD2oguC$h5{H-`d}J_$Chm}+K$q@G{V{DQ
zZPVB4*JKCjd*aLyF@e;AGhmUJ#svXd7%%ZE*e8+=M++BP4&A>l0bZAv;@!XKr7i`x
zq(J3mq;WDjDO1UM985#REL~dr$N)!k8Wt9%Nx!w3lNH!L7JP%Kx#!3F4dWh@O0dYd
zGN8)puF|iT*USEQ&zlakp$k(?mxFauTN2u?+5b3(ka^q&VOlZ
zANF_VKzo4SS-4JYe4T6|g1A+{g|jT|QhFAi-`MyymS-cRCz;*D2@!4<@I6b#c&U)j
zS>m3+JWQNF_=0#*I43d-&k1b&TEmOn+(4k~Tk(6$XZ)FcpZ`a?9P?+#I(~E-)^&ta
z*CD;tME@|4NEV3@PcXz=k0dY->Rla&%A*RiMw4FBr^wS*oS4%xcEZ?}oTfWoy0vog
z^x^j5a=S{Il#=1?ku_&UcFUOYV_LH7Z$CY^bjHZuiQ0}Q4Ia{{tuCvzs3kMIJUcnH
zpk-Ri)Mq#MH|IBGELFr~Up*^k=T~LgQu2Du>Nn!Zs@{go@)WkiU9|v@0p5?z=jJ6o
zb}4lo`L5ydm#Vlmx~nk#uMn@kX^Bve#$o<@7kPvHH?IH7;>ufR1o6?^Fi%`lhhh$jLHP}aDn_5}c@+CTZK{9PHSL$p2_yx5eWcrTyR$XO3
zby~@-?=_r1q5;22BA(b@*)V@_ar9I`Pg72Q_=DST|I5;R
zF4|fk4virjo@caG!*N-V=$~)|rarDRpI!^$(
zi2fJ>KgqAVU>x_EPJSIloZc+pPle!91^gKx5#d$=|1**g!r>gF0n6FRuOq~W(iaN&
zg--H07J|RWgeQspIn?UC_RciXp7LHXa3CbXejSx
zIR8|>9ejiFSp*^d2J3GczlQj0MEoeJ!FtW%Rw9$AKX-vIQ~P>rQ)+6Hm0GAvLBEoEx?DZruNbW|I()NA;4?QB^cyV4G)|7B6_0;MpxiSdj!&22>v9rwSkqyP!hXK+qQ1v%qpHBPZ%v7^
zYf;hc234A#^^w`^)0a&K*(Xel6ciX7AdXVD|Cpd6YgKW+PmCHUkq6`ASw*x)4qi$A
z|F$fsXt*pahjf0NJb}ka4v!J=lf)@3w^0~JdXvHTlXphM181x`+)8M0Y%4fefp9(Q
zs5#_E4Xm$$UH7%!8TE8*yi}Q@171b8^&)$zwxKSdn+AFI2M
z(7Y1sF*mP1%Gqr^Zsl<_=h-g8O9h-ichBLFwm3fC0`KSytu@gbsW^H2=j3ivyDXYi
zMpHK5G9&c~GeBjDyME?eZ}>qsorCsNpv*XIy@ln{aiY;lzK?e7R6|Re6n0m^{}HsQ
z?!x+*$?GGxhVc=!sYE!msSe`$arl3tF5o?bEG&aV{5gGy(^(??2=Sqi{+~D>4u6b4
zAB*r`nFj^@I6r?x`DmDX0=T4(cwI>U4KrLwe=3O6K$QO(;(ZaF*9H7(;$0#A3h8J8
ze-`1e?s0lr1?Tmt9sD7O9Q4%bv1erRZG|zW|CULmb){*&dz9)D>kdySnb4e(Jz&wF
zj*hP1ShHkRj*S`(K+EliM@=7JJZ^0-_Q;f_*~8WkAO6_AD~7u@ruM`f2S*c}UtGYx
zNVB+k$}&R4!$$#H!Fj%oL!4=nR0#Mxd>?|+e$;Oy%f9#lZx*#+_<(nx^e4P{ecHN#%8%;mBM*Wct{qWS6cE=fLD4zur8_VlDz?5
zphPK4mqj}8hM=!65O1ST|3<%?R?=?}GD1ZZA=@FqJf%$l_0%W-aT>Nd$n~O25+TU?wILH3t}eGAAH
z^
z$~Nrz8B=acsCZ;b)h&IqweEqdPA!@~rgmUOUSfqStEucB-k*O(7ykUo
zxUd6po=PAI`uKNu=F;C*+UAby7^#QWCj{L5pSTjyqksRs+iuHQEDm>*Kx6;@%v&5k
z$fxxaSa0$$A4f(6@$FcTIsCEF9G?hBcky%3N?%H-tN)P8y8-9$`i=pws7m*U(Niiz
zoVxe!%rX3Z9lFy~MJ?HCv0L|%9sR-69pZKIJk7=ZBFEDUoR3JsuXj#2Il3wOyF)Fs
zLm8p+K<0q&dH^-m<63(DHry1p+HXrJZXNsz0=SIS#1M`
z6-2s9URFP&IaOefK88JS`esB3Uy$D;$3S(wMZQ+iW5$-Y0M|%|)1XZdj4=XrSj)B7
zG-#8HVvj)kXEl$1E5@NszKh3qiE)XV*oyN@WA|WOiS;ma%vE;?Ar=^ZLn<6j(8Gd!
zymCi`Fk?(v#E2iYS3*O4uy=(->vBa1^+B4rz9}FZC7OSP+Y6Cmlc>W91(VN2jzdx#
z7I)2US$J)xmiBlKU
z58W}j*ike3*6scK+}bzQyZM)A$(0@L+wo~llgd?TIbKVg)u>`CuBZ$agDNJv1r5sO
zGane!_x?=_2Igir4$Y{aGqhSw{njzeInVD=Y$IWQC3WM(au_bi;nb+e@;Ng|jK3k^
zFANWkU0Z1-mRt9w_6KBi(*hwP>qnm;en2c2et$Fr+9-%09tU5{5$E%ffS(^B#vc^&
zKR!Uf>3`ulAea6fu3Z0BlwO3tTOUl{6VDAf{9+KN&f&QkhkwvVM5j&KWXdTv4RXxuj`9TUKbjiK;fN3VlO!dgLcE
z`5k)b)iDjzw+#%d&e%YG_eNqJjRi+yai#qG8FmqLCgvO-abu
zA{WWTC=s9WT99gOuzN@MsWSMTVr4Bj4M+U4qPs_MEb26e;N&czOOo?}x@Oi64(h-a
z5xypXv%AE)Dp5}e;LnI~bhmlmH9hL%pib<t$qwWU{aLZ{{M4m}RCcOa%z={0tyx*ElS?eQw)l8kuEqC!h&HwF
z>{4r5I?=TVeICed6SwV?0h|N_h)8`3@D*`*qd$rQ(!LNc=jT1iU@Zas_rQ4!VE&9|
zH|p^CDsc4Z5Mz^%2Kilts45@#wS*7*jGS4*g<+xVLxZaLCX0r704P6>yu#B8Z5tCF
zPir~b23+8AbT3}OiQ_;CbqAoBo%BqIBP*bbSkgF1Grq^-P&>Tj6&rhG3=SHzw#96r
z}mwNVW}w?v(u=2XBsP8!D5af^4kc3IvJdAFfDR=0nM>bPg;
z5w&r}lZ=$7o2m1^L}6%I7#WG*I`F
zGZ3%8N%=+62_(HkIE?zZHSDe%NpBVxj@*!~j)MwQ=!uSllDl2I0!nTPC%K!6MLs(q
zH7pw`a}MvZaB*#q0w1b!dqPFOsntN&(pGgQkkn^RB^-P9_jIPw8c@2)c&wFTv)
z>(eFL`a=^c#`SR8%Lh(fT+_NRU8ByX6zR@BEB5xDFx5S3O+WBzd#^Ej=T>QwbIko!
zDno+7RXfamaN?YtQJY7$J-mJK;QT6YN#_3_XlG(E?E^c~9%0F#JKU54Dx4p3V1%gP
z%-h-lD-KTTCXYL&hH}X+3SC_2yLzPi1{}9@@!tYEi0Z4~AFZ*Dy~2N4hj(Akm|
zzOy@9W_MP^Vl2@l3N}>O
zXa4uz=b71=-C4xM{F3+m@L^}>``qW8bI(1upL_1$2PV|dYOqM#za1hgsPT_nSvY%Yw9q6RDDYR9s$PW-a$(K==Viy
z@%nQP{PAauXUqq_P&&d!_-IvYvE+?r>7Z{1NyD|i5kngE)n~5TtleZhWBgu52XYRR
zB~y8Ew-F1ckINgjw3!oA^KN
z-=URX&D_|tsYh)~kMjc*w&|G`RB9V$$6;9$m*O=YjMGmFIJ9MA4z5dl`eX6INxmyn
z=syzY&kV!SH8Gt}e}+%b(?RhpmZi~eOwa*wJno#%k2~Z1T969N(17+u<7iP7#D9Q)
zzNZKr8;KvCMsN_U4=*kJs&I{VZS$MVvD;l7@eQOjEAI)_UH0E8<
zw|;2cy@g4rt+`hPxp8Z0AE8QTX=lg2jBV{(MY;huC`~qSjMq95uZOyL@xpbnb8R2C
zYeC>&(FH6YSPrmmp*k^3sB=TH?M#Qb29~o0+fF|k;m)H0XjmEZ8%KA!uc8>-R?o)u
z=7g}G;)88IgZsMKLSI*tf;T7egYmIE4(IqObiiL%3Us(nQ*ruz^Z{+#$L*n7AP(!V
z3%h*c_#?O-OvE1n_|jQ)V_mN`8gl9`i%0UT#AMAW|N7ytW}6H)B~Yn+wm)-+Jh>W+
z|*UDL%$w&
zHPO{Qo9Nn4+}O>>RXYvqa|$h3pZT+WUvbNc84*gS-I
z_PuyGZJd$#7Fd;by>NYJjb1wB>mf34nGao2T=#XmG^ac;5PhY{pqg&beu^^UPz`jk9VMA8HL7mnT_@-
z9zG}xakHVXu#@IX0D;!^*X#6sOUuliMVkQN|Jv2ahokper!Sh
z1((?Zettih->>2EdqieDM$2SL_@?E)1BeCfPt2&B2}j*S&J2--tAnG5HR{UGth~Y>
zA}agNT*Awi^hj1P=CZ*YfdmI%W%8BdW!jsR^}(4UVV`>y`4?
z^GW>p)C8U7DRg?y5e4CxJ_Uzk`UHM!D$Zy`*YaZ&*p3f|IP#OoFg4C($4I%<;0!iM
zz0pgHOhUh9N7CoD=^9+mE0*(MIlJg@llg`12Ia)^=fzKxuVMWx;`K8{lo3CWhToIK
z56w-*_a^ZN7o_4{37lzKnu4sGNm7QtkNYpk0PXWNY;TMB@kB?eY;Py=S1<3;+ZnvK%j2&JJ_kCK
zJ_UcHvnTxwyywf~Z}#BiUzlXx!CRdv@+8YE2mEy|wu(+^F?dgz8wHVhh-B7~}LEsW@%}c>6tmd8YKp&-gHCN`Fr2m@`RwSEtbXg!y9<
zzb=jct4aKt9-LC8;Oo=mdRf3px=HY9>Wx>5)@Q`4((sc>Jk}3hBb@c@jn}26PuMys
z`gbVj^>QbZJ6Jl+sgZwng%^Sr^nB!Wl?VA)IG2tNxG7jAy?A!MOPzN(lNil
zPEH|i8a=|7i{!%mv0O`exhi>idHne#e!QHQcS};<;vbV2$7yi$L+lHYTX}`<3i&Dd
z71}G-{h0jg_Ag$%pDOp|3Od{)$W+_EObnaJ^DV|)fMz=e6=d>#ix8#d=U4Z2KTJvQ
z!%1~g_bFws7exfQqY;11fc>_6I~}9g5`AQ4q|BgSG@Alec`u2*jg!iT-aFdoPL&UI
zb#BTTF>z{Px{zb{?_3?ebJ}5Xk7&aBZV|SNOL)6@m+ub|9>8nnc%_pxus-H|qecI?
zDKjJamp>ef;gK$QsP7n2+P0utqW?#v>piYK^WYGga;l>4jEoYRQMVk{J@8{&o@
zX_B)$UZ{1v2(#}lTdCVz^kvZ;?VK2tB*8W`^%j295%{kP
zPMRVEoRfAW=CH)4c)Ww~9MQ4olQUT)WBdhf5AhLv&zqvLOvcE|J3pzioNbu~j1R3!
zksc}SvveCnDooAC(L_E7@VYQQz<9E3LHDD4{yvYNA}3({QohW^J$OAH2k`hICEpex
zd^E%>Q8bTa#0W;GwNt$UMkL}cG5znQ60b|NO0}n;I(O)(%JH+tS5_|EHMMZ!&;~=b
z#ID!n`mN%`LR@GQSNHVT@eh%jx8ax)`^L*k7zARCm5nlOIbNnym
z?Az?=MuEa7VB*TycaE-F~j^8
zYs|d~Fygd=e{&vMUh94w^vU6XxwgB|@)|LD!{XEGx{A~S-)VN8dr{siHzmb?vpC7o
z$N6%ri=U!?jmvoro;w^TEJ^%I+@E4xbRR(^aC&A6et^&<@pjzL^7tXbmc%FGIS5bx
zNg^+aNAb9WPk)RsCh-ouUc=)L_Q*pwrOka&taI5=z09;Z)e)
zKcCHYltBf99t}s!);BF!O(7eas5Ow%u2GCtw?07J@>Sn9dk9zEkKw#xGF@Z_W>_ST
zfx~^;WlTn1078@kRsLSFOz*2j`WJgN(-s{Peiruy?)+-$!5+&Y^<
zl~R6yWSDYp^Mw^IST%~VX<;E>)BTgG^#xUUYsP9X;_Ef@ZL+N0q6f+A(Afi6=A%T3
z=TGB$FX$dU7j%CL*L(iG1JrGNy{G0U%Yel7e(_JP_y0=CkP&8Lua@EBtBO7^TBW_h
z^)r`G^s0ZU`MB_c;)H!NUWZkpi9g!D{EHg<{6D6l3uvZ(qCNzhTaMeY^?W;)(moXS
zv_GJm8jbP#_-XQcj9-Io^1gAR3^?-PTbF|0lT3eTS!(*O1kNe`lqpe>;i4DxCRC$b;kXp+lgFU=cA*
zgk*ScO-tX!C-VDMSBz!aADx!6T^ShJ-k`62G^77h$E6GBmrUC>iMXNrk{M(2Ml5S3
z6n#CS5_00Tc`PT@k*a6hrd-3fDWV;)O@aDG*93_u;rTydKJrDiIPPfXyl6mjP|mkI
zvGkll>o@dD(SKgK2dojlUhj`sg<<;*58f^}q-4G8%c|tqy~wB2`HK2g#*V}wJu!N(
z1$s$RH*mIG+dDyuUb>U|8nZNE2YXWN0Qrr*_k#)JkEi0I2jef`HoKm?H7&hHh#y>!
z_a4q9=+jrHmB$~G`1M!v?NU8=BXu0o2`A_2=nQnGf=KgFq>d*Y5{okH`pm5LJzk33
zLxN9YCRHZ96jSW}XhKc`OcQ0Q|Dao_|8V+DQFuJD0oRWQ1^=ZAZaGC^{cI2=_YYxy
zqud@!1aY58%jpj&DuIK)f`*jzXOrn4166qK<}m#65!8`28IKR$MT4i3q!5s=7Qh)ZaRp%C
zH`&Cu(-QVWnZx)N*!j=*O?vT0MxJ$4?|h%g?f!#B4dzI7+1zhbRw5VtQLf@%mKtT}
z+-NS3`Cxgk=hx;+_&Gk0cO`J9seoT^JOs-w3gs%w>}$}!pg==KGnL{4=MkRkdazfC
z_Lmhdz+H>=S;ZZp#JC)9;QOc?QAYegYbt(E5rlDi15v!S
z;)|5f{s<-R9xwM5rAA;?F1X<7xQWB>q@yKXd~9
z=qiv|=TF#p+xi4%W;(_<@@1jI{VK+%;yrvEIXFG|T!#L1yo@l)IT3i;(5;sNy^5f@
zRs-=thR$@Rxk%N0Pq=%?4Hy^EeOtUlfIU9Xh|bRg;UG?q@Ih0=YTQ8+Il%_JNlnhkX~kJ%)WqnOPgWe=BO`GQL<
zQYNA-xug!2+HF-?O?r<`Zg0u28}4r$7YT(m45L>po_r4#R7thr!DU6cI{i|!bJ>j6
z6=RA#W}{k4e8;yf^B~VCeGvPcr>xhf%s|N0^M3>(R>-6(wMiSP@VN~Zoko$RAcMAw
zSkxG7Ep_+?%x$U~>7<=m5;!FoJE5dfrjm)p)pn1DbySUx)-N4Z6bQh)BEHw*yt>m*
z9l`z=ax6$(Od@QRfrn&vr3PlzZq>U~rzg#JFr;fpq;8n6aeTy`uX55_rBstYI2Os(
zXoxZ0VyoYkd-03`FuPh6p!hNLT*$Kp=2eWx&{3RKmQKqc*076LeWcg`9wJDYS)WrV
z1uAP*MVTo)tSTosXlBiXxr|gT;m#2GK|_wstkAO5y9%dCnH&Dv=F!5ej;pL)II?iT
zR98U9mKRGEGGV{)-MAV&3W|9dycZ;cAIYH0De94-GAB52R?UPty<`wiLn4Ioze$R)
zXk_8S9uX9F7jJoL1h%xB3_=8T5r*>pPO_+LWpx!b_XW^ccODRBP8{}%Un{d_2m9UGD
z(s`{#767uOaxp>a3-bbPl^&ftZ1hDG`ku8o+8xRUlB|meGNG0<^)X^{B)5OuCo8Qg5^d
zQsH(Y^$-MXD0cWb+;f@l!F*7V|3WZ3tA;7vdV19{Su4c!It(va2dZ#ga+zySEEFhF}
zoAutw%qDJvSh7hWeb}XxIe(C-9+a~mLhS(2%}_U8kbdH9PuHY-VCrshqCK8N?jRSy
zHY#z3j(7gn;{p-N0~HMKZejq%w%Ty0SmGF;Kc-ERdsiSUX7o_OdxEsyZnqcQT{qiC
z(sOOT0$UKVaWp|B_0MZ{Bs$3VSi)f(Ih@y#>X6d6(B%x|At6B$tn
zKj&o|d{#x1!EaU42VGU8O9w0)9)h3I0ZWI6xGCEF){+_8`~i^}eB1X)6eT=8W<=-iEV#Nr9p69U~=6^nYcj9i;0+7Bq0UH2fe*J8#m~=E21}Z!<8X7*O
zH)}kq0{ZUm(^iYsZI2ENfuYKnrcjwAKl|n+PpKyk{`NO+@LZL
z7Lq2i_0nOqMS(~W3WfX)SB>3K<9Z$SRG7@
z>7@8
zUV`tddd{r*@l6FG0O#H>y_Vx+pOUCqcZi!IDR#a}JpXr>nOvXS8C}qEZl%Ek-vsf`
zAdRi?n;+K~KRV!MCs{d($e_~^!lW|`paGbRCEB7RbHmO0T?!rQ-m|n0J@-#bu`Rd7
zP7F4l%a&3(dhi~%O(G>^0iYI)UO6HxDW!{Zq3(ZJ{nC!HV(u<5Q9O3X%U2Ri#KR5m
zSU0JZC0CrgmMxvMZZvqn6M^&9zrp$F2z+nA%Xn<{cdjb_9)EU@9!noZ?VT4*OWiIF
z9~mogN27ss!Da?dT6?*wlY2m?k}CCcdDSheCYI(7TRL#k&2!4V4HKeOTz()(D?z7v
z;G)64*^hENu6ki}Tls?9rvG8RI}ARR)y>^Cr)|Z^P}Rlv&TXCFUMS%VVfXs2hSAG5
z4ZY#ikr~4`{(AnLU*EFW!q2roz_P!bkezPg@cCu#yIy!@_s1CD(+jWaz5~-)f^dA7
z0FPI5{CV=@IQ_{a9^>#@9`_Z#za8VkT?IV-TY9Ch6X-YeqF>9?iGPLDpGe|mTzg{e
zEe$W{MhpHp%OHL_q+UaJ_ZiAr`L0=7ySGiOn)kR
zo|NAW_0yjEe*8Fo|77wx)>8`ozr*J}`f@{kCHQ~M>#f)ObxHpJDPbTqLKX}cRnen=Q=+~yv=`UX=
zlIhFS@V!aAA`PFIq;o6{zbA=5lEArT)L877`HGNV|o4%VyicE;yb
znVu*0kc0Ky_x+Q}=dmAoj`V)M=XF2AzcwTN6UpagKk~dh|kmJvg=#K7IAYsp(H9)5p^2_uw^XZ8!s7*AM;Li~G^zv{d{=l1{nk(G+}d
z60hLzkAe6y@@uSjo_=eis0UBx*Ujsv-{(14PxxtucdPh)qx5%^dCI{$OMmxd^4(ZQ
zzCF)tgthhlp4a^d@7g}RPb8m}^~uwTBwei6K798kpJV-|Jg13tp#^(PS?Tg9!o
zKl?cT4RM(MB8mSa?#A^2rT>5eXl#q8Rh4|8D>%!#{fqJ9K-riq(i>}pbL~>Km;&9Q
z#^!-0pIMeSY(c#U#{z)we+}O^CHCgiGKs}C)0F|`Np?E{0>~UeENns
zjR_!r6a|L~{cFDG!i
zsVOsF*_;`#O2u(m@_2Px`jbgK)(>9Ok{Pe-hkk7e{yeq`9C5`T
z%hT|^NxUKrpP1D1u{8XiB>o7(;b)jTLU&Rskqqq{dK1$=6k4R`_#f=1`H5f5px2@+
z>H$9~WI8rXF4pB%`AY_8zpwx8u5p`ZM5p}XqxJsx{R@A2WmENno#SJyL@OCT%iT1s
zZZBwFvG1bFDUF_C<9~T?{l&LUxbfq=CIId@s3Te~-#=r{(VLfgr^sw(JrjLqef|9Q
zd;->q0Z_ihaL$aP71>FAQ4AIbO`FkJfkF2Lki6Vz96`?o1Of7gFW#_gWZ?6_wU00K
z$?NY{7*#A$s#<;Z?tktYxn@j0O%VhgHc^DRp{YuH^G64k4+)C7$3T;0=-OW{BveY1
zOT`Vk{x&^z`m8jo;*v)<1Y7E=>>+%In;Fe=U9*Dd0zJ;{A)APKaqT1_9M^B
zGd|y&d|r|I9M5RaKS9@Qyq`v>{E
zA>)sUMC>^hjWfSOI4CBHQgCSk7ab+4F#ciuOG=FKud(b$g?R3eK0O=L`G%(h+$nf-
z0vFvc_-tVu-|5KX52vM#Eq;}_k!u(D$QuBpU|&I5nHZpB-V?U-BMdEhhrZC*K&aeVwV
z?ZY}a$Lm1!Yf%!%c|FJHRdja`j`PanN7Ha;5`R*(4de4*8U7lj2S7-Fe?m9RM2s`Y
zzCYyH{$muL!GX{e7do`9J-qiJ`cuElM5-ONCEA!9O{&@
zqZ66PBw2sYL30{6>uKltbXo>j32mq;9BeAKplv3qX=GTLTbe(rC8`7?i#uxE)l2W3
zbgYf
z=66kA^XZYj5Q}C_?&NLw$
zj>$iO`7MHdX^XJOFLa+N#{<(&TjGAUBpOQ(8o>DclO1DbF0JZVHQa9~9a%MYa%{Xb4QolaXG$!mB
zP#;xl7j@LGo>^BlV7gRmc9^Y&4ZfVPRVHP^WAZ816eu!=s|;2XAhOXlr|}QD-DCvj
zVM69S_>(TFj->nQ1?Ou@hJ5AcQd!nQlV2{kQEbtWVB55qLM(AR|EMSbmkbTy^}|^)%lm_3}vvg-cTL6d(DCDL9U0cTGyV6kqf-AN3U9
zcwvqYhsNZG*d7hMJ>qykAbtw1MN<@xngs_z$d3%|h2&s2OgSI3y#|;;Oz={~as49n
z@GIXNLQ2Hk)iRI4ov(bHmasCtCC4N!^zQHsY^pRoV=BtttIbv!KtNYwq^Ps!h}otJ
zTlZ|OAw+C-wOVUetXkLR_Fw!xpn&vRos$zc6z2vAvr{J$;%1U(gjky-Ix>X93c57p
znU&v`a<`OzyYkyYFsl%Gc7rFl28!Sof^8_DG5FqYtZxsWf4u)li;Cl?sW`+@Ovnn+
z5PYV&*C`lR?mV1OuWdRZ!fhvPFDVtY0UOi-j!(?j
zMHbbq^vlvU#k`AzpL8d`5&I04O>IGEK*y@AzH&9!^~WE6Yj#nK#S&6xk+*ttvd2v_
zyQH_?=5@$6%riUXzb9L3hvX?(iIl!NCvffq3YazBFZl*}J%jv|)?)rjp#`+?fou}C
znP4BR6IuLN0~(;)hg`@~$^^9zU|)+QVA@A8l9tB}!7`_#EMPPS${fzJpn<-p`{@Y}
zOq=$=1fu$f50Xz}0fQkBL-x_keF&Z;{|0pv^`Z8+OthHzJ+!y|UnS!n$N
z>Ubjkt;h{(L_?{!V6GOdM0~F%9|liCoP_uhhzl5TN=S<^_zZl2p22!~hPxcRK);yu
zEqUSNFFvMU{O%w-63?;FbMhE|&i2$0oQins<1aqplj7t+G=%{4IO2Xp3l7y>mrx(-
z&RU84??d%$3wbqt9hH}Ob~k=T<>AEbFVP=nGW!mk6*rOvB?HzTN
zO$O~kZ4C96+-pB{cB$NF{3SRm&#vv<-@0J1uX^t0kwcd{2Qn&!Tw@O81e%L&I&Z}0
zE3vA`7it#n96RXJ5qUKWc8nWz>Bzjt+Xff4m0E`kE*w%~rB^EqKde@2$(`9lmluz@
zv}y95i|fkrI>a)iTIp%*tPV97np9>fM~u7m;)arOmo<;u1wY4MHh5I0uX$?Ks7`Nl
zC-Q?4og_b_mWY(Xeml*udIN0-3IJl{XL`bD;;t;LjOKw3y@JqpTcp&I!&;a0F}+-7
zcwCaBJq&K2j>>Nlr1NZo4qBa$d809(-;1`$$!DeK9)hIIU`=6VEX3WfSCBg5_32#a
zVQr4&alKrwe@yDq9!7Nrj;Wa~XsiuB!&MjxQ
zFtKF%zk+IvUkuZ~j_H3S@Kt2Q?-!j-!Alc3>2
zaKHUA-*3+mWyJ4G!{1Ke;MHZR_}*mt2ZeD#9=Du&gStJLKIQBhJ&=9};-Bz*7y2{e
z_tmE043WUWt7++fmrVa)0_T>~12NxE`26y5=earTRm7*_BHZr5_J~_e&DEdXAuc+C
zp3!mQQ#e;if5sd>a{l+g%Z!P*ll=pJ79rtqeqZrE_77Ym{0Z))x`-7_N8%ay!@lA>
znGXJ0|L+lC5Mv?(_!%p_iTQExn%%0`Sf|zWu158R&G@cb{RN`)Tk1M;0`rteg}qn!tJL&D)M1UVbHR^Mz*iHN
zH|yEk+1BynJJ>te@aVNuNJ}tcHRn4NBxwm0TP$IxlDZCEa8}jaT!k(>1N&_yXarVb
zgP#V2AN!zw%h2Q%;s}%+@l0bvrb|Hlk+cR%EEdRtBF%_Hfm8A8370nL*sbFB2@}SP
zx3ZxTSFv~6_;H@i&U4|KatF<*sH&-{s+chdU4I3#88cbM#;^x1YWm$#VMOV!A&EM4
z-5Yy5$r$q7?m~x>+{5|@En;Kg_F2iR+A3zXhhZD~9@Ryv=%bnG=ma|awQ-0Jx=fBf
z%3t}GqgLlYI#4VBgYrB_zf1g{eHh0^PmQnySidg@Cw;K9Aj&Nvo0KFC-a@N0-;zaT
z%^GLR2H9d|RKpzBd5Z0paE`{5U+o@wYl~B=X60g4br90tLro%XV@fmAuE8AJFZSqy)he-^
zRZ9`=E1~S0pzJ1Gi<1-;2}XKi1Ef}95oZUakQ$JC20=~+Z^T(vML%LM_Udx0u&{Cm
z;!>4wYW+{kEUM~`6UFgYMA>M3i$Y1d;J*mrPy@|=4fmEB1T_0!=(_E;uH7Pj4h+*f
z`1G((bE9k1BCLy$aesvA@k_wZ?MCT$W7#eAIf7$fgtJ}b4*`i2&+PXhy06mbKzSFR
zhPoW~8EqNTP?v-9TYgSDA{Ufj3*|?>6CBT@ePlwb;hdUXKA3iAR~IPfo`va#3VMO*
zXg;oji*Rm-X|`*?E6;Mj1r<9*3H>2`;CTFeBu;b(4I$eORk2--|EB0eRK@Lv=}S=m
zZGdBfcJQj2D|i9RFLH8MLD~L+?n0p>Z10{^prDWMdS1%|TPCQseC
z5)C6eva%=wsQ@~!pe~@!8#uXm7VfV(8$rYm!+y%qcg7Oa3IW03%za{@epDWuz1RW`
zqr<+&V%u7`J6Pg#<`;4=MMhS-%!Q4C;t>^2bGV_vnO6~Z=b=!4qR+Sj@C1|>&9%^|
z!3swhT0B+&@wY`DVjG;3iqW1iEDRPFFtJ9xSH(S`+UF*=AKkijE8x$Y#NX!j5!>Rw
zLTLd`S_@pnqP=SF0rft$irCKW+qP}nhJPXLPmtkj?s-htj_MV@rIr!2&N8uL{1MUD
z0%9A<`pO0dCxoiT2OC0amfTNf1-xQ%Kau4Ph{+~>`G}~ws>&Q4QLfjw5KVf06Vbx^
zugBlwwqqVy*j`*3m(#kAHH%BQA?ShHVHJlS^`7q*VeuV@)MDik9c3x!3oD){uQg)b0Sq>+Cm8YMw?-^C8&Q3Ghdw~AXK%wNpZJ4MEQ;orxN!sB
zy=Gu>$lMsYp7E6r3fju8GpAi7)n{AW^m@i$F)-+?w#}J7HA^M7x@p#0Hlg0FlJ2P9
zNYlBw@P|hu-&M1jq=IP7DLO*s!m+glpUz40Lx+v}aGSvT%LfK+6&A?Nsw$JLX95DR
zX`R`SmzSn@@w|4{Y|QQuI8|?foI-p*^?#hV_*a~a{35;=%|2*5^0}vB`{2c^c3xO5
z$yb$fQmf|PlyR3yx$hNn3U-zO8Q38EA6|f$BCu
z-HIlvH)x15<$lHVBl>dLY;NAhjUem=9_}Pgzm5Kec!&KX?)$LO67QTH*0o|5^YLk9
zs5s3mY8i2a8J&{m$PdGIE}uou_;T9jP17!z&aI4w=we?&K3$118VmIbyBK0t@z7EO
z!vyO`7t5T*G~;tJ8b`&5NMv}08e@9-)9v1FmN}q4_%o(tu5ciT6f3d|Jvdc-*>@PH1@*IkZ
z6EAPpiMP?RKvU7QnUXEy;&JPk5!Pa~Dqd_A*4#lu(b&sc3))I;izc^THns@zeSm5u
zM=%8!#CIi}-W4If3dFa_3@4THi4!hw){D0>nD4CYt%xu6inSQ=Lwxb7JZMCG!);O9
z;zjMdxO75
z-G2Ez?hmJ?Y}s-VUROTY{V{PYegdYEBvbh@JyCqrZ7UZL@+I3k;?Hnzd@*J7mW#OA
zn>Jna#TU>{{>bQwH`!OQouKtjA8arAb`yN!EJDU16U?PybTPBNps=XmN=L=;NMuBX
z1Iczjbu-w{48y*Q>F+;^Y|HPI7Y{8lFmx`oHd@o`b;$o9bu)24|9)@&kN-GgS^UFrLf7Zrs7DkM9Ye4h!ZTEZID&F9#=A?%HQe}D+|K7*JTKI*i3cglBf%7M!C+k#=w
z`VWg$r?XmgZ&)lkt<9_h0e94^u@p7u=2fZ;&0%-Ur?C{bA`vGc~QyT@H~we+~|YxHZ=)?MSSStns9+;_|oE)6?IPTK#lBODDoMor?!25>qk
z9zuWrFVdy|1nK5S^AX)g(&_$();jI4s}KnBN;hb-~?ZXU!VBJ6IPoU_Hy(aq%wHf+oi&@E=z>=+28*;SlDxcRHX$i`?Pox^X%~27xRu{Vn
zLhf^AOS2V{14On`FH^~sYP{b2EH#c;%Cx}zl;A#1;7VSQl;Gtg+uvW1n6wpg*J19!
z=<^{tW!%S7wZZPFgmMg|e+-f14ho#Ly=`NC@=A2jK`(X4E?JB|n%;
zOC$Q+K~V>~`(or2CR>^P6_M-JIV}dc3U&l?t3mDy{@LPGGuG(v(z5A;^QMipd(=#%
zP%4wkFn?HXYnY~=pTC-+H^^;}f9~5B7vvwq{6mnxTf;;OByx%Dew(@#W&&m
zl2T$UN8#txY`ag#*4cdeEcUndSbJgp
ztbu-e6n@Sg=;yArhHG3CP5IRx;ZD6*p#9tl?dRX&!!%*~vj+JQzdFQc1L8Bmlvm@K
zB>F$h4-mZp`Rrn!NW>uU^$tQ1(-6BVCduWn398QZl)9v}_hv7pGr8PB_6g3Tkm!vL
zOHqR#gt?QB96K0}XhI$BVyZLKm1q85@qFDQL0@grAcdctKJ-i%9XV>
zg>8jyt-E?e*qN)eu@wrbI@nYc_Ng_5se7bC;;^|bk%9Sj3x?)t6rUl!P|uICvY(eP
z{is~3h7-{OFXU_N9wnFBZEkCVuky41T7H4(Mfw9`8{~^x(v&zyLNp!FWr}(Dnz7xJ
zRg~in-aP7Nc9+&*Eo$_0uYvq}8}|Tl5YeHg65F8Ow4&belKK*&^#-02W6~Nd0wqTd
zB6UFYbIL@2K;8gt7n-sK2$4AYjUEKQyjV3+rl2WfsXMn&VjC42+${0j>}87$E(%Gl
z)2kfvT-f*gSs~FF?0N27@02l^q05Or+;+K?JHYFLyaCo#kLbMdih3g8++a8_%bT%W
zjKW|KxpO@irSi;iAf8B~|6+cB56jC7$Bv0uSvY)JS_apf%A7W}kyVQ=Stgg^syJh{qcYSL=t{sR82LZ&17J+vb)93%f!TJ(2_mWE2B^*<^XYEyOMChVPwXUu7F
zf)Xy=44BbaCAPUF3PL*xL1B^772
zg?jo59rGI;hlok_2=B!UtV>d}HMmolWtlKD>I|fs-KI6PLq_sy)qKPHxxMA@5%+xL
zt6I{tqMR+8!>r(CPRRwN{WdJKqp;6bi9~%PjS@#c+^}$!QVWb?kZq6;q>OUZQ6mF=
zYDlwtfd458is$z>EUTk%ETK%J5$!`lV?`9u@Bvbg9v{-u+IC!`k)03$ERT)|7F@T-3EHnIfZ0{Ouj&(_~sL_WL=W>e@t#tbcnu~Jj}iXzZvjs
zCI(o4x{Ff!ua2ug!v%lDE3OV=%UK3ha250#-W`4EV2fyXn6|8S1w{+FCgwuCo
zc{$%&T=_ybk5KK1B{cFpx>74eTwR{%hk5aNG3T(Skpe124S$cztlg5^`Wr
z(8tbIVAD$Ob%CE%5D3iZ0kA;)8tX4$*-TC;n;(;9>I|@Z#vWKA30X|O!d|i{ctt^3
z6qFvyvWk177i%!RmvFo+|2ujCqSMq0GM|11_d$$s1}-9)2e^fj80-p1MZSaHBd(Zo
zReQ;>5^WZ}))~;V`cQ44X~o1+Yt4*7KOY@%J^c;whOqC3_ezNB6||Kg6Gz
zzxbxAFVJ>M&F7y_*|Z7!-^Ra;e@RuL^KZm>Jg+!%8Sf*2ar$miA)eQ;AaT$w5f9p6
zPoB}lK~Qj5XsVFVS-4f>HcpL9-S^s(mG4cNr!a`+dY!DOu05}9$v}^*dBNb@;mF+p
zI=fGr$m{49eW8)tEv}h*Ma$JM-8iUo-V!C1rB%8ts>tZY)uBN#$0BV|3kJUoWeajQ
zQupKgY8%q$0I+;gE+i-*V#&Dxh35iMeE(hYLIUD-=Llcj+`+-dO7E~i^+s?ec|k#2
zI4g@GTJM`uGh=|?Q#WD36^#Rz<*GE{ZL_ZLxuSs7yKVffwb98}4L-L|xUe8^wM;f`
zNx|eTon!7r_w81dMDorZPFz?3;-})L$$CnK=89>j&V&`i0+1ePvRrCVs~x$O1+8;h
z+*2nMHJ1eSR#`>o6Z6}znO@#<&C^%Rx})Z#Tw$;nY8LOBxMqvRY0-}zF}Ql!-Lu!e
zch}_BCKN*soeR5go{^t}r=7cnbkGl?v#5!9!9q|=7GFcyHy%H_;^q@cMd!we#Y1v^
z61z%nx2-qUU7@?ePfIGMLAWi?FR`f)hlMmNi*lK!gu+x^^A
zxub8ISFOgt#Hn+D2c0e9{=(ftd;n#sD7_?x-TKW&abEl4w%mca_QZVv
zV*0m=>dy6J(&f6OPZoMz3(&r9N@-F;^6``$p!N#|L|#K5Mype)=NHj&IWk#d{^tBy
zb7zMq?OIYBn|;gF%FhQa+&MY8cy8Iq`XaqeLT44!`Bkwww@#mW_@+fp&P9w-4q3cu
z_=;859IN1C^akXkf_#E#9+X15Amv^|9NZcEzFp>A02wSo42pHo7V>A!nO%U{&*|z^
zt9M$Iz8r
z6-YN5_CkJs4-kvXYS=^tjtTd33&FoNV4vNm7rXPP>dLgu#-Ls43#uC@S6XTYE%Xnb
z-^_h9fpVk3$!6ER;JJHPUBKnD+-M5d`KzW{a%M!vHTf}f0`Vqokhc`;NjQ4XpCt>)?CnOb1$&$v-yn7*xTB=vj!|1dz?>MF~Hq8jx&(
zVleT3ajXES$(nB#^li{aH
zbbv~e3_p!mhNc-*Ht}wi&wTrzELM;H#(j2+cnWLM`MpOcJVcL@%0AU9xwl*jMUcB+
zt@vIc<(}v5kuSe6$bvY`~h`D0iy3JA6JcMdg%p
z7ZV?fwcIXkzQGvQfljSBy_~edTDG4|t~?+?P=QU>nCTXlJUQN%QP
zY_Q6febHS88{5dJH8vMy;cSk2^Irtx?WL{3VXK{4Htlz6-g7_{V61RmcnSS7x4{n@#
z56xxVYj;->6hTYrd+%O;i@{3f5F{a1Wo;1W=%WTRQHHO1~Dn
z46~nN+F+BY=i~|-aRX}m;5(EZzhg*$%hewRLNENt(WjG3Aq+(CQ`5oo^jUttAN#ej
z!mJfM5iFo-Z$O&c8Zj|+u(myy-cXe5i!8R44$2R=MbR?Vzy1E>*%|?w-AfZ3U@!%$4}9AtfyB5J^dwdhLk>t@sm6bCgOhD$sHk|
zgkyU#nh$9h;XpxRBGhwK*cC0wFyLntAUPxYhLH!Fi)OAi18*XZ1sKpV;@YXD*&3^g
zXaLJ*L`T%2@nz-MHx`WBxu9l1gFYGi0&FZEQ}0`|sJo31S|K%-&e%3FTJO#ltHhf&
zqA9|djv>{T9$2*M^txWL9OKizgCY<91$BUMigmiaeG5q
z2}39y1uiC=b~sHMf_@Wt>qZp}7}5}d6<-CME-|C#*MY%Ss)M)%){RVb`IAh<)QSfM7{)&E`c!C{{*KYZvXTqMhu#qMw
z{opCWVD|VKI-7CjnZyL!7;_caB^2YW9bduF3N<5kx&csGecDKaDX+>?Ftox6Anh&G
zNMalPvdEmI&7_ldgB^t4?Deq{sVig@L(7i33T+aK_STKBpw=PEE;oq@*PB9+@UU{{
ze^O=~XXzB%1qTW_R1I$1HWQbFyC6OSwt0(C+!tyfkAo=s>^?=U7ClCPA!1-Ik>fTW
z0p6Ro2ur8^;@<4s=ujzc024`_GpN(KjS`a7Is7`k$0+5pNSzCVQj*j={aT&ZB&Ak^
z#UU^E{uYDZu2R|k24m2nRy%^mUcb@&UQAsrng!bgs2dWm)A3fqYo`(|-<@<9I@Qd2
zql#ooJC-&z&1-csq|I;*O&UTpqx9C~hs=?YpNH;U
zIfV{HS52}d9ZMUV<_&PMq}6y0LmBdz<#KmbIL{nuFR@rk+9T$?aFtt*=+5JQ0S#J$
z<^^PgbRRtQ$peh!yW5a$cE7>h7M~LTEk65`JTJ}N=gpB!Ut_i_p02Q%zgFVY(V+W!
zn099T8I+d4RR9^ot=w5nj(NjgRnS|>oz*J7G9#1W=EwIEQmPWC#WPZrgI`#hJ+p~N
z%~iqKWT=R0^cP|o26A2T6Y)c+PhqqdNb(EN9B+NpwSv~^YQ72&*(=wKo
z(Tiy*u4mnTZdZI?{0JJakizITaoL3?GPz4`l(bV~ijmN>E%w{KeVyBtEuT$GSyoEV
zHUfT~qI(W^OMG|y7#^SUXQq1=W4USVGh#~i4vN(flY0pi_WI)s7dUnr3Kup)TH?5aE!zx
z>oWK1l#Nc6{6=aLn3d<@KE-9hT@TZZ7t)cwXeH2aZ?-ZP=f*6U&fv*ImkOXVi&J;O
z`nZ>`H<@%j!|b82WBnBa1H7u;^hP#NIWUkDE%4JrGw7P&s;QBp8CajL{##al2cK(9
zQ7ns_!9uH`Sa8OvQeL-qaz6?NOJHul08{apg9|~Pc|XF_>&BYkiux~10<3Lip_cmL
zsRSxd9_H5w`JuSOW)#b`zdZI)CK~Xa&z8U`-l(IzQDaR9bE09t+M2`kBNMR=7lEUv
z2wb_mPO7L5(G+Zd&VDUWD2Hz=hG#HDvx)$Ar&_sj?Uc+032KnVfmu91ALQpx@atz3
zKnrE?O~Ufa5JP8TFrX$t-r5#i0vQ3qu1C=PK^
zX5EwBcT&?t590cF!Ts*t7i~la4>sVPKXb??r||I~bDmw+eVViciY%sFI|R{IttHPP
zr>23as1EGU6cjAwcLsSR0JjO}ljkfhhAa^H3F5%o!R`5RaiBb3QP+r2JZy`oK-Ab@
z+e4m5yl77s01HfG#_dwYpg>M6>_34bf0)yy1B)rVUzwN4hb3f}Gq<{OdzT=$^vC4~
z+!1bR{MYfv(S1WS+Nu&_s{3Nx%l9i8lix&YF1wU`{aNlc?kOuz)=e<=All(|kHiU%{v2
zw{QF)2E0fW56c4vtxL{ztpk2Qp*N|E_sZ2$38>n@aUYe661-CL=HdxNu#D$~*N6TY
z^L>zi^=(j{@}A`XwRi5(Q5AU}@4C-UI^F5pk95+VekJL=g`|@v1cD@i5X}ZK0cK5*
zM@9_d%7SP1=(w{k@)$v81Yy@120?UrijYNM;$x1Aqq}-Mq9{9ia8Qpj_*{h{&WH}V
zm959UeQ)3HbcZ>|-GBUpLwCA=zpDGIy7l?~s_Ry%bp&`$51Ywd>%c917I&OP@(E`C
z2KXwHPLF^QQ?gwaGE_tI1l)%#9hS#QC|5J{Kn*gry5SjSyD8Z=rnlV-40{;4n-{h{_0s^QKEbe
zoZ~MGdD&wv@-*gfrzyQ3Kq~!sPHjN-;~yfS`V~Cm2~alRL^;BTI
z>Se+^>I$A
z^&pt*!lnziad#5imV}tc)R^x$v4;*UA4cUDm~|%gyJ`CMqx{6ONP_^kp8#eWaptG;
z$>Q;qA?}mt@M3mLcRC+5+_>2kAMVTKQiou-zl^$wG8@7A%sz0FDL%?RB0d)279&2c
zdnn|DwOMU`(-_`!u$rHgmW?;xZQ{
z_HVHa;Boo4>%a^;x*psBf-(9%{ry*rZa;i-9S-ul@aQ_Q)E0IrBl1Ofb^~a#;P#jSwNIM`LX+CUv7U@u=c%aGwlZcqhL$5Q3GwTM$nCb@5
zL`|PUBuZjGDAmaZTQ;_$ssT~R;>2bTK8z@2oJj1^lz3j>F@xUuZ{w}Oy7)@dQ#7&SK!eBa4Q-`R4&Pb
zz08kYUXY?smnCxPGx%TBRKwCq`4X`vSW2?b0*Ndbh8L*=9g|*#Vd6o7Qj!nACi?gc
zQWqMNnD<~SaiQg79R?;De7rYAeZ-l>Lio4Dg)TQs)&P=D1F#dZ22l08%0O#;ycLNO
zCjjF_4(>n@j?Iksw1YP)e%yHj?gd|*Aa0Rj#Wo!
zNCcOuj?lQ6K?B5fM4XPHcZr8MB9ocS>NEg`9?}3+phW}TAX7IZopw+`r)dWQIiwvF
zzGc)7`IR;mQzFt1m{6HCK!SE?Q=|g{R3;68S-9aKDI$#q@WlB<0el72XnaBtp1k2K
z8|=)aBh(=;QAbcd5hqAT;A~0rVdPUp;ZvfDzizRD_
zrRb*mwL&Ot_6jRHXGoxz8cN=r~c
zsaoQFnkQYYmY{fwYYBv>q%ki=o|K>_FqsrJagyXos(o^vlprJ&8A0=;=_#4CA0@F$
zx4gcE-EGL275M<
zNki}t)Lw_A1G0lS(DJ0|nYi|6>O=>n!}2uZM1hjgM-r1R$kc_#q!V&K@t|W;vIdZJ
z8UWqFZ}l>Z$wY@y<4G7u6DX06!ktLqSsW^lcF0?MnU!uUrqQU{K~lBD64V=27RgT`
zLr;LPXmsr$soDXXYA8A>4-sn>MPt+tOX%I8vWV!1mH1{LFv`e&tRJw8IE$F~v3x)t
zbop9(_5&HQKR_h7j(tj;Sph{_nLo_7!tLuo516N7D>oayvH^@|elWw7iu-Sl&nwC
z2+F8aPk(+OQ*}wKj~Q5BkJEjUPo?KP<`0GBB``_j4@tI9bDiCpw1SjMD^UIrAMdgu
zB|o}atw8ys%sE`9^K=VG<4;88Poi3QQTG!CNsV+qk{OgB7L@4*%Al5%4BB%7EFmFV
zE58usKIl%I7fr#Sr{SR!;1;2wRAtbWIZ^I>xEko~QZwjH_!2eM7&LfgFR@k_WSj?0
z9M?XA?@)UkgZ|~pSHywFp!7a2!~dZ^bO_ow93?)qyvQ(@nmoRKL!D?4+A`cne5epg
z#e7M}eAK;e5E_8H5b!`&o=Tx@!wXy3yQdzXp^Y_8Ghh2c}ggF>U^IfJ+ly>P%jbTB#~OT>wq
z8Ksyr$TIj*!~=GuA!$HvC4ThzQF`{HI})>>OjIPXpVioZnEWIJIMAyyNxmP^kK>rd
zhPi`8-5@3D26m#R8%FsZD~)zw?ozZv!tYoaw1bAE*W=n@raT!{~}KLiB=w+`Ma~cIN6`0%*r5i1syoouVlA$rqc^#oV7Txt)dq&zT8%9Tf@v#
zG~HDLB*l&=L(gHX?Tx8hY0Kg
zT^i*ExktJ)@jg)}P_hlO%VlvBsi}-!q
zma%Lh<@mWxBaf3aXmlsgz^_V*vinzigSMCBr_G>ppF~KE
z^S(X4LJ7)Z8+9MmbwYR7(l->MQ2lSy$M5`*ufdgkj*H
zT;<+>d?~L!!v5x>yb
z+%TtCv{;3#P+dn|p&j6bP5&Qj`@V}ciep|MIp+12-^E(b?`U1B+`}9+wX;V?kLRyL
z6~bY0+>D-R`LxEGyil3&q*&A56Rnswv4)*rR6S|ov=U#?S5iG`(Xo32nHT!?vx=t33L;OD^eqsumYRSG3x;<#rqtD{o>Xa%WOgzi3!WnSq
zFsu1seS1~)wb4qC3%v(xxo`}tM{y<3IJ{v=^1HKYS^CPA#juh$BuN2R
zw(z0N?X#A))rSfK1vZb*8ksQxzdYp(7uaH@&Y}XFt)K|>JHiFIxdmYd`UCpEh>RZs
z|B~sncotp5)X}fNIm+MbTtSbG`I!)D>>M|~rLMZb9m=yZKNljC(EHZ9s!6U8`h25M
z(l~S6xR!eKdC;T(Tv#IcitN#w+ABkm5W3^-wF}y-f~7&=K$mTg&QJI|dTC2+rUIYt)}De-RG=Feab$xj+#&D48yL}zu9U7Bu)b{ATB^{v!xip(cXNwJF7aoT
zzDGtqfH(9D0I{XmOE=p8P*e!{P|9^#lrJ@3Iem5VzWIz_=Skv
z7n-xpIoVW4Jj(ycR4T^E-T>-|n(X`0@QS8I^UZ8Qq{i!6ZjDy4Oei1)^4(@jHZQ>Z
zU}uxBGVC$euMmBbGv916=UAwg8iE_(w<9~q87YY|`kKQxEe;14Kkedz;eZM1<0*a!
ztQRYA&W81FG2X-+tK{|Yn7gPzKIs5Mw_99!g$}U-{=s2>V2#a=lrn(3xQ9kwL-#By
zJ8@*0#09Tu4ESq{>>L-Up6CxmizU7`)L2wU;uuJC9eR*~$z2Uru^+BU2ppwd*D)Tk(kbP$mm5fKmp=^`Z{O{6yo
zLXr&#C{;lPq(l@10SSooK{nz`Q>)K>^
z=E*&?*35b)$*lWcW#FLWtcL^%H1=;D0b_H|s&*sKA|xJsA14j$8IHM5iozk?FnI;3
zSiD;RsKJMe#zeU(GZk}lbUsL}P0l_&mX#yID>R2^$4htk3E$%9N%2h{nV4pbq+drz26$$nhZe)GwNt8}2eXa?#Wa6>{;s_=;(
zk?FD*u=|3q*z~q)n*Y>P?`58{k@AywmC2{NL9cF6BP>oz#Qm5iM|^*w9ub$q(f^6>
zoI#y^a7;aVk6d%B;fiU&=q0RB$B{$pMy0U>Uqm?+`>y(G`p+LTdPtD8{mxZT9COdw
z=uWI@rkTVeZe{*YbJQ8A*6)2$ik=7#x%I<1GlKWT;lT;husIX2X|9DV;(
zAy4xC%~Naf_oukMADcHV=e-@AI{qf<`6A%TUT@Nlm7%HcrnQ589ko2A?oIMjrMjR9
zv6Ba%6%b6PXLT#`LwNGq)dKkL@d0E}{4ZoreYkT11@(J=|K1Qv@V&0S9NOEf;A^2)
zl!tlUL;9G_^Fu4M^ykett9;v5n(0aTrnPg{>s)@|BOPWt`Dggpfw|q3mxW2nHu+-
z>)BlnS1tVOmv39=-8}dtqAifL5HheM7C*7`{E_?fw3Rq3tA)o%
zQ#-lShF5weBr~{;jG%0@RmMkcj>mlba+pV_o_jo2^QlVQLMvxwLukgU&ki-%4a*Y=
z+R9(fc16C4E>Q2dulJ*tOXd*7;vAv5sYgKX1BOpb+4O=Ek?&x>ypfY$jpf3bwl{h_
zsgo>`Q$C2=bczslh5;Q5
zPTeBmWhyg8AI=dW-QTC?;y=tyekwEUv_GwA_|7xzI{0|Dv=UE7;cf+Z>BF
zj53}pWWC7)=DRX^_mI(Wf4q2|RkCpJf!(|V6)7K6UDn^VhYbOdN6>&@mP`&PH&j75
z$hEH2+7QebX?gu^(MUDR2R2hrF+#F#UwMT3lPSl#7!~EsI;WYCU8(Y?EwaiaPfv;;
zaa%2TgT%W+0-Iq(C0~`;X4h?K_YbXpcrgQmLf@NX@2-<
zE`Igsh$%l4;8R=Eu=_o6J^A~tq?MtMjkQXGjq3N$f!7%VV|t<+g0hy%P}e&6e7xst
zD)mN%74P(d9U*gz%+VFM)?~2^^cN$!J
z;kDi|sZX5Eyb|(2-~C<`Zq+reuk*P8p>~L*4d@J>ZNeoszKj)sN3Er1@B;$)sfVNj
zXGV2;G@8tTAG3TWfmhzfV9ecL-M!;*$K?%)F!ew>U`i=ke$(e@W7ZGOOuUMi*#VU%
z<)sHlEUxSd6y%3g0ICTkKs*&b54tvds5{9{Qsy!;$0J@k;E-gejNl6wdmn2*JL%HU
zGn%7Mv9D0+m&>pMxN{k@(+9UlYNt&Rh(MLg56A0uUrL9rPb?mdVCsdTDvCT7*IhT)
zyZf>!Ak9q#Xl1o)V@}B@%*}?jVxep()3Y%fu9zMBOUv;B!qVEymk%=vwcpfTyu|@0
zs7S_ctj9`bYWi|&2A(q?e}p=4VGkA(;I-U~T7tbR4IS24_L6k7vU;mmg()wtBcvQpMh~`Q{+ko
zh*N#*04qyB9Xar2z98i1dO_X;lY7-P+n2Mi03b)^kJkF66q1D(R{!efp9A1Rc|$
z4zF6^d_N?-dp!Qdx9XegE&8x?3CM@Z0@)YduO!WJK~f$C8cML#O!DG>G56z0tFWwP
z$;&RsTr8`mJy%$PN)*-Vhqwu@TC}0W?S~>FOzm;X9akliUl;LXQ><oIutP=_^g)2l{-aZ1EVU^l&2JPiG{`Z7rIZk%$*jnXMLq7oZruN9vv9<
zl7N6yCoUN76`HRYzJT_zezTEu?;BM}Ci@0`*z}hq04mNs2{fKiGhBY&QhH}OP$W84
zPxg^l=@F-O!Oj)4QQ!;HlGb+{l2=J>hHYZ
z*rPL)icPzh)`k!?CFYwsOWvowCn4m*^DDqYz{~ZOQ|-``^hw6B@&*?kuIioJVN&e1
z5lg6tJ@%q`j_jl>nu%RrmGg1cdljk>o9aHnhL8g+)Vd~l<)`v7r=6S1D+S&TrQDwEsGdbBesIXed@A;_9O_h{mRbW7cBct;PYUVZ=_%CPcG
zWY5U`^Q*#n=;<}@b58;`(hX~q&DmVi>Q@+DtAN2qde-A(&e1n=_{266mCjCleuG*<
zx^RrvEM>oN_R;VN$^>HYb)&ft3qF2hO*jL;0{E6^{I11dE?3R^L_NQ{Sr0GdE%)~>
ze@V(SEz}H))$B7>Z}E^}JDGqiL(`k%QtX*GC3s^~?)Jf5-fWb_oAN6hzpkR#t6IUa
zZov4$>Ox)c4aO?XkCDS4ypvT5OMB?e$pujZPbwjJh?L#ntgete*d-GD30
z0s2MX)VAs!d$;r267$}jh50JSOsPo!{zE5T%OKeh?-%ACy)r`GRL+<>P#jb58@;~x
zRQy@Z8+VC=Oj)jT=ZjB4G%mjF^UIA49t-k|jIh
zV(D%;L0^vJ>y-3)-seCLr>k~(Ro>@kkz$+r8Z}=G<$M;TX8_5^_X@1FvpSkFA9une
z8Id>JrEa)`Pl+uD+4PMWL>OWfcA?YvO*}IOCFa;8IM;!w2?EDyzRU9PM%{N
zgbZ9cI}meeq>^_Qrh0YMlZJ|1S9ahI)%JQ^wUJi;hCVt)%i3$b&GEJ`?cfXd%H|`T
zghkg^0E=j|G+cam%{S}UpVP6mnb^^jwu?Hul;`NTR42Lg(79Weba_$+yn&-)`QBsf
z(`~cQ&Xp!_Zgp0as(L>e%kS<=MdI${AADH*BJ8tB`IjfBGP(o?^%@>{bPW}6S@d~!
z7j{{03m1Kb{}QZo(`iP2wzi<&>iV5U_NAoI`JJ|&EQ$Hlb+OML1{jQVS8crC
z{0{FAo#R{Q7eBqpjpCH!Md+Nd%#YSJklYLir5t|vL+=PAI_TR$;Sjxt4=o>@#dLTM
z8TK02oK{Sb-V*M0cDBxOKq)raEr($-^FGLq4h=j+bx70l=ZK{rlhZp~N8o3>*D-Z+5L
zuQos|k{>QvObD8G*<7Wdd-ycrdjk$`JSLHO&+zCmNWvw<$ZoN(*7V2O6f4J>3!529
zE20XR2K0b!u;7+NRndeow(?feSh2ryn$B3tQl(sI5M=K$H27<;+x;B=w{v<OmJmA-V5M&MW7@BnxZBnlv0N-|Kw(@XK?yGRqb}!s*b(UQ;fc*V)R}_(z^7Z>*i7
z#Ar0N#Ji!YTCmr@9)n!53q&axLkXZ&ogEQl$8EG@m}e)48+W
z>H6y;epu&6U$vsu0)B8_da4;YK{|H6qXdr?d(8-cDuUNvU%g@xICXkk!>Zj0p?S~C
zsOnc3W5mF1ZOLb#&~9t;e7or|=v-rjQ^xc(y58_(hS^~R6V
z*fO7PqIq+}f({%QpY74Ze=j5bHPuK^EFH0RZ>iq>1aTSSa`4cb~X
z0UUF6zIduL+sK0-|9qA<>c9zfIMeB9B<{Yf-dlc0%V6Y7XK|(1wfwEJZN=sJxU8?8
z@9$BkdRiW=h}QRSwYV>GAvg4bgfHz_PUOesZovHRAGj2%wp+Aul(r#5(ve8-Yq)Ro@@`akD$E)bLODAVbXkg-C3E7;afJbyJjQmtE0^y
z%1&D+t)z;X0h;Dk&PI)~$`UpfX6G7lMloJv7%x)`0a6>EAeJ
zpEXRF1cG%N=eDSA)}I93`s@^b6y0-;vGk=pSjdO9YTlM{|6#qxi_i?>`{@0_ivn>_
zOg-(jb0n~CoOSH$^WYa(?KKofi`*~0rX2;7@?I+gNO-L!JddmX{IMPNghWs)>>~;s
z*K-16IVP$!Hh~SbxiVF!D==-Q+Qs;^BU?AAQ9VJ8FTu%dREC
ze5y*%f~wge$z64_$r)RBt6%N;^n)Hi#y{T~J*|ZFn!gu#?jh{C%x9QoitVNogIiaP
zYL#_dN!$?ptyzbokDEgss-xaYk+P61IyyVdw<6KG&-)*_v4kZNm5B!pl^r4UGOg#*?gXdUX9_8vz(J%nsU$Sp2Jpaspl74Lk4X_Fig+Jc(g1iSHua~k
zhf4p*^d3|2+;K6b?X*G#9mt^rK3+)djPV=zyU+D<+%M&D*@WmDd_J+8!5L{-KZG7+
zL`fucjj6(v*$*?cbfl$UP-D<*(=2#l;XzBE!Lx(583Mkj!kZyho8BRtj%T(fj=8^y
zPLnR=B01=mx7azmK58EL0u)Sjw#%3205zw?YZ-=KpA>Q`?E*Afj$Am0EGo@2J#Xx4
zf3DokuQFVrY4_|w)kU}5=cFey4~F!GJrlxIb*|$D&!S+7?+xJ(QqK;IM}~^G+yZkk
zH(?3aedqXDj9cvbMK34)P;3+S6~rY;<)_1BBo4Jj2HaqpL3e&Urn?vDyDSxin94Ss
zAvG4s3A&nU9=M(?!j$D87k>mFAD!xOrk^>Td3;LeB*zZZ(B67{%BOK1GUHT8VFyefA#qje*<
zb6Zlnv*q8eer0;aGIVFHXXRGYU=Ky)OwOSiN%O;XxyPK^HKqI?@CZ2|gx_V!Gi4_xC$qp+>n6
z>>*bk>W*gfl%Y*1Gwj>8Q=VpM9L8oRsN|3ayk1F1TF#cB%SpzKZg6IWmuO~E()e>p5G`pR`FzmEoF{CGZbcxGb`*rJw^94O`Uw0
zrNT|p6s(_P+eDS$4RwmkEwdU&Nb0Kv+Ih9Vr$4Lfd@R4`YB|PVdfTRi{s5lPmM=xi
zj&hq@3yT_TJ~v=XQAQK2w;1XsL%-)zII5ZJY9fZ6z4%9bx#U2(;pNBG{4;Y$gR~mr
zOI#Z^hdLj0FYSCf?V3dUK$1^y$%LV^?mr0eYMqC5hXqSvZHLIOtMm+Z`0?uQ9Irt(
zKXxp-iZNLVPeZm3-)ww|DZcb7FDEj&8OCh_%+Oz9`;N0NZ>HRdRh{j<l>Aj?3xf8E5m
zNF#X^nsEwovgM2Fmz()x*=XgbtDV*jAC-l(cG9~{Prtumhj$acY7~ijHgU+>H#rPC
zW2`mt68~h1CG|!F9?tK4L61
zp`vG4@_n$x^|WsWpq9QOp%6a%Iiwn&`-YhwiZf1@0J2MT4@cjBY5hbj=mVv*-C8A=L06(ee9
zo*bfePG=%2Ri7_fA{P_!r0}H#Gwb=qR~sSr#@j;|#J(mdk6sq^EN@WvtO%4W$C7rW
zzQZdOY$owF7@bLLzoX;
z5=oQYHYHMrmu`cWb>~mF_nU>nEdv
z*xSirRNmkZ=81d#Iw~wTLoLjw^;22Nc(-R!jeEmyw;DDOe5@-q2S;7ywxHLu%Z8o;
zOznU9X!2dt{K&fx<-^w~>uxtWF|u&R@5mP}%hqGV(aYwyV^1YD`JFuU!rV-vF!2@F
zN_&AUjUhYYm1)z?Dvg)xoMxcKF-8LX8I9(<`r;Y994aMqy8G<-0qb$v1ACd+;mBS9
z#{jBPzM{LBqXd`KCQlaAP!Y`c6)Rg~PdC-|TFc8jP&so6I5+jk-O)+7uk6$*H|y<9
z=G(yyJ?+=Y7mfy22EPAg@}X48bnxt#4R=Ar)JCNFhGvRtYRk~UgAX64FLpd2=Lag1
zWV%$#(Mgx<&SKoKKgCjQ`Zfosb
zM&78^eA;eViSc|Jl*Amg%8nO_AKY@%q|zVD_W>0Ja2l{!*_;JD(kS=m82fyA&{Cu4
z2oR8WtuoNB|7mWCPLjQcSkuDBP_MP~>BmEh=em+Y%4|Dc5wi$Rt`WD>fyuYW5)!Iv
zPR)s_g+PE>tb#rP2X%Ad08om%(T~fSx5@F8IY3;NUyOer=iPh$cb)FvExUNhvOOs&
zWH{5mJU3d=V49qkn!e6gf9u96xOv8`zMIBSYP#8_=r+<-vG;~^?5u7p0YrJ}7tRg^
zDqaT9`5YYz3O`lXBhRI)9B**s^Y_Iit%XR2OM(N2PjyZ|9XP(Ee70}q
zl4es^)L4@eD4EvXF8Q=7%;ntf&eOLC+)?ADF>b2L&(P7&f0=6vGVnXeONIl`S3u6V
zL(bP$H=G1b!A6dcyW}0PLX{?N2T%3-b)P68F?{4hUKzF5p5R27q~f~OOV{PodNeLE
zPpi2_{0L5C#F*HRY#*GZbPh4)0{F@}YYuHcqe{$+N>VN#$xTW~Ep@qM&#>Tx6}vm+
zMLsmp(Qa}I;;GI=cPug`eZ)MTYF_Hw-!6UET`)LYJtm>)axhGZ27!3qWFCm2rp1LZ
zcmlnzG_VSKW-<@7-;c+Q*ENDijiEwOdEy(G_5<;kwnzO2V2D@>LwDVrW?qyJu`tIl3ko2N6L8p#u=Er|}e?qz{?ap`Odz8oq
zA72D_m8SBd4_0McO&%-twkeTfI*}AIDaAgJ;yJQcP`s*tcJaK27{}6%?3@-aHbn<^
zZBNuJN2;{sV_K@U@Od2nv)RVmx&^5^B+)AEGh;_8B7Gcl%O{RHOkC&ntxQiB4!W%>
zDjTsb)*1I&ohjt_^P#U^veD}@od#>V681&6v#naIbbk(r>(hp5CUVZ<*5|`|@57ijzV>-+dgk8Utn+^PLHWc4TLVevOmFrv
zYnIOrK$koRrZI8fTsOE1?AB*-v7(S4&~R3-24@qp+Tk#MEpKb&H4UgusR2fk}dm0qU?V9~!8x
zNoZ(%5?=L!nXg1f_-L5Z!tF^LFO;+=ZKScATE`&Eu8s;cp~W`B@E{Se)l8${9tu!h
zh!XRySpMvZ!Y;v>>_<@-3H20ZX8WYoRRjn5%FJZw^f2>hVi&c}0EY%0$EeYQh_}WR
zkxC7!wrv96%fbyk9R=0GKX2CDg#W&Y`5ah%^Pd=EM8CyryzH%6rjkb1%#G&op&i5#
z+hLgQWF9z#UIe9ZS;<~bL_=|)AFYZJ6oqIX+6Eo3W{_P#DfphVk1bjPC9E#e>?c7n
zcVs0$bg-vQUhl|FbM&Se7KU|h_fkGHC{F>~H5gH`x*V!dxg;JIpF|RiGFEqut88V`
z%f7xPyKb7Fc{R~ZqyXsim3rqHmMY1Qh~x2uO_z>S?yAp_Rx
zTSf_=!Lk!EpeEAVLGlHtFe-d>ErWPU^AV=m2OCVEBS{9ziAn-C0;ZD)$H@{@3wm;bTH6Ro90SY|Tv}N6te8ZWK>XlN
zs@s~JNYh&|Thb0j0Q`~G*JxI0jO9mUw?StjPH;?~>TB5rYkj-d#QOF+tNkO{cGk5#
zu=Y2PrUW9C%qoQiO@ngWZ3$Y%ue)p=6!<)^Db_T`OLvwvX56K*YC4l##~uONlP0D2
zcF#lEfQhgn5Px->JiO6(+6$~U5e`eD{SrK#?;U$-nlSg6G>v)MiKiOg-n
zDlvr206o6iB&#E1E0hGP=7uNXunOwDyU4b(6r6NZ9x+TExDKP7zxlDL@%Va+QqfdB)!6_SKW2m#fX3m`j
zrLg{@({G#WuAb4Ehz@RZy2=|B93>fGH(B|#hc8NUBXL0IbQFE_(J0Xti=!GbMcgOX
z#f1Rt;_LtH(jLXza<98tOzvOb5-U^;rUNj^xu#1zOy#Bt)?JQC>Oh~^Oc;v_B|IT6
zTwTAW8Kvo?m)!|T98QWM{B{+w`sz{nYi#t(=d733c~Gb|qo6u(StYYe(b^6Z`
zSg_Qoqhe`yqg8mT2iGi$9fbvdwDMM#aS>nLqD(i^ckYA_J;Fbm?YyP2#5pL+byL1Y
zh;*$XoVO|9ds=g}r+~4S)h;<^{U<>t@hC&m!VozD)heX6(cKYC3
zvC7hftVW(f#4Sh^UeX+tvv+jRs-WTO*6%>w^dH6*$q#R+7x0LG)7&4lDr&g1HCTwS
zgjC>*EI=Rj{xwAT$mGG&CsBVK!>3wv#y7;dK+wABkXesh#~A{;xeh8$FXT6v-2(b5
zjUEu+>{4K+_&+SBpgBrw>)$mdTY?s-f79GZn?R&~Uv#V&`FBkuUeFx#dXITfxu8L7
zi@nh27UW+;*#&>})gW&U3z_ss7SQVQ5^^3ot0%6y1GPKb!^IDZnA?w7z?2Ig&E3RfZ#QVX%
zJ4Xx6?hjD^+Yl(fZ_wW|Ec7vjq~J5mF}ZtUgTDg-?0xkYvIlgpatl}vMp
z<)6EKXkyx~3Opn|5fm3Z{`c;~p$`*5MZx2EyQ;r)y-EgtE?r(F|M#*y5mXmEzG7Du
zI`sFhE_i5^F;zD@_`iz%wQgmzM6G_&Xtnn5T&g^Bv9NLW*_7Qgo||%QYynaX02zof
za%XB_#|!AcT^Bx1En12Yd9nqO^C)o
zJ3%{26OgPHQFe$Bl&7CI@(A#eG8S`Sn18q1P
zR)$+C4`l?ppi$Rl!gS3Yr+A2c4mR>UC+<|x^Lm^$9V
zD!E;}ijwlxhPgQ0MPI*(<(8)Z)@Bg2!HV9^s3uffFVT^Fcp{=|T6fKf=tou?i}>sP
zy!SGY)#fBEYn{;Sm)WSlePUGocyd>(sf7`@0}`s1
z%H5j^=i9`bBrduEdB6u72us6_e8aT6VNW(}?~(F|sK^dZPICLOT{vn%9Tg?Z+Muak
zI=1bDUEQR~5rVx?LZB}wIl>uSSYEkZ*n?mPvdENgXF@QueQfFuM!1?8b8>wjXw1>o
z9uX3G$hOlOz@ZUt+-|J8X|9gzm&J+;@4Z;gU*jJWTwf;iYmSoE4v554*o5hWY&AG3
zw8%wHP70j(Bsy{O3w5NCD^Z0XG1xCLn!gtBlpSZ~Gw(^$38zqP3}SFErqglktrK(X
z?V33DwheSf%tn3fscf%_W^i_hPdpql0SH-D?LaLrM3?_h+vqF0C|Q~6~v
zG;w)jrPzN`Av{L2^^vmsC0(zqClL~)42!CK;Ts1n+{0ezD32yB3w
zvJL0I&5h6IzkQ+voi2w)9Yr1hot(qDNQ)Igx&91^kIZ4`oDD
z5ZpUG8A+_uR9^}wv%Ndo0vx1{MtV$dlNp~)6;h!KJ%pj=+6S)04k8zseCJs1Dn*>A4^C`^bE4!uBD$pYqY;I87<2J_4K_{C29D^hKo
z`&GZ)Ar^rvUr$;vZoIi3UL^YVdbrlx@PH*?2lb}`mD7fnX!Oqez0@I2woNORh8&pR
zWFb|O(Q34zXFHUH;6&0pEvv0{=ESUZJeyLdsS$!G8!Yy)zWThZ@SPXgN069p#=QD)
zpo9hwQO{Nli;!Z#-93@DQB6@>!g!Hz+W<)o5ioKyaFYIwGeC17p~Me#zO{H`ym2jj
zhslTy={32vX2l!sBPGllRyz!7Ov69s;D(Y1*L)AJV~5pakV2;n~1S
zBb`fE0;*s!%j1yE@`*>qJ(_I3YsU08h8QXFA2M>V7uE1(5+pU
zYHas<)f*fcUgQ!6dJh@z1gi<*lNY_?BQr)Mcchf1EP<3!ie0=%1SL|a0u
zIEx?j4ffTHs934tT>3)N1MKHAQ&s-IuE;0i+eVA2w9hSDN%2E8{~_ACFQuhuYEPF+
zFCWeKW;Hc@Y9m@>YNH{GoeB6iA2-SH{{fPxx=6
zStk6AYBp;cIbUi5ZvU8YCeb-1E7He7fj|wfV+5SM$3%5@I7@gI4!$`=tqFhMsA~W^
z95z;@hO7;JEkX=Hh)DM`iv;vx`$Fhl$iwql-Z7$ICbA)2h@31XtYM2+LUTh8c4o~iq*0@Vth0AaeJ-Jisl
zLcnxW?>0FynI*|m!oKnt$>ftDB*K4NfiOY9t3~!9I2Fkglf`u5&EJ-be?l+v?QL8VgaId|WdE*hXuY>6^l?nX#=lW>vH9OmY#=(y8_qL9v=|X9}wR3(MLu
z&A6Dg!y;`?U?JnlzcTK>6-+#uSl4ujcf*d@KbFwLrOzf__)vAP6aB+svm
z8#DEja~pn%_i$CamicEdg7)O#l62{XY02=*G{u2AE{8jGuc9~ld*%jiw0yEjkLlG^22?*v#@7ZGG+CdsvD1o?WuhvG@WW8tU;}3|#dPu#Sz#h>
zXUd8I4Lg8}1$FpLJ|K%}KIWXN+VeR~egON|x(7Xv7`Uy(-9$@hk>FZ#u+8gk(aO0^#JOe*FNwMwUb^=k}Diij&2xs!z`8iY!54wmNFpQe+VY=Li?)-
zkquFRO=^E+|wu-g5L*yhHgZZe6RMv?Ecr&aG)?$pcET*fLM1G+r
z6VK~;yp^TGFYJCa$yNm2
z44T=y(k{+|_aY&HlG9jTRz>XfoXjRZ;nh5jMiKPK0CjfrcxgJx#qN}bqaUF^YEWZO
z$r*inz*VvD5y;dy#?&a$st(ZcL)5)tVG_*Xg;XMgf(KQmvTNMmFfoG2O5XumYP^fR@3
zgf7X0(fIP5GtzR+>QMM^a)a#8VqmxT_r07jx}Rap^zQx&7aF9cZbQ%6A+vq?onPp0
z-hNs?fuH5HU#Pcoq;I4{+CNk7$C;iFU1d0l3-~nwdU@`rH%XTl_P2>p;ovO8g`dZR
z#o4vd!*xln55NCDXW2EV&U*Z3jLvEbV|eJns^;8zy9j{k$bA~$^j5B?@%yhQF<9wF
zXNEaVF76dYi?FHe#x}O)bVo88?4kIGD5O^GGMc8WiK#)8NUrb#pON(ukVoc4^&}Q4HJB}sO+xy{cp@0u?
zwr@Oo5<4nRa9$GcxjCkpfNq;;{)7yfZ+d!XiYOUd
zOWH1IVLH)K!%(?<0)0Xk*()O6JzGoBC;u5?&B<+B&<5;YME8`}Q7#xtebQ?jT*b^a-)vvD
zPiy~m?@jvN3Vk!SX=F-i@n(wl^&01PtRmkLb%*PqcO1ZXV<)=i9xx
zq;k`41{xUE@-52COxX=D!df&_5nkl0WFNiCzOea&E-|PHmAAJ
z(U!w$sLmV&Hj=p9ImI3hNJ2e1ibQMz!*@oZjoZdIfb3zppVUe{Xqn3$%NWPd
zs%7}7rsbaf1-lj5X0ZrhpRM$7X$vMW&^jjVEt>8*#=Amp3OwBxP2}EOFi=MTV|_e
zHAmU#txj++=HIG)^B`y+svY+z{Ie)Fp!qMU!ZD9Axh(c0upt6MCx{_ZH9T17`u@6Q
zEjZhcq%f+L)%e=T;g&ezAshY>^prv&y|AzQe8~y-z&_^Ugq&(|I`Y?^9`tlL{Dv(g
zy9gby6;h&!9>mq`sawJSTVS>(`YSGEPu&=fTi8&CWapzdHbee9VBBVn9{hi9wrXy}
z+oOkYYt$Jj}KT@eQD>qm;LLbvWC?3V{UkPj2A5NmiP`}+2x
zp@&;{5cZ3M9`z4DSRuad2C1U@o(-w2tLob0Iv1&{&s0%HxS<8IY8Fh68dX3SFi^t3
z_THd(M&beM(_Vy2u9@1p(C&wU=*kgIwP2%(sMg;2&wB8zA$r(hzWrn#>6
zD4lgI(zw-FfYxn0X*OTpK|gqP6}<`%7u{h=g~(9{5si`b+BxSiO-iI)6wIA8wMMmJ
zG>(3<=Rp4KuwTKm`l*G`Pv$TEKm^+8nGnx}$rjl3*?}gny$m&;Hr|Xub5nm#xF^Xuh9V?Wz5sps{>}I4~!a
zE+Nt1?Q1B2)Ty#gqSYKj>ZECyW;TGI);;E{6K(FS_ow+^jDdi8u9nUpHpQ|U127AR
zDjG{TkQIIp;%-a}W`rN^pyN+a%@B%3%VJDBcDw(YI`p2Hh|0w{cm*v0Y&=7L3ziyF
zE&)(=#_S2o#42La-;w16TVmo5T(cx03w(}F=&(v)Y5SPf=3s0nA!*H+P!HB<;G}WW
z*nAoV*C@n;(ZU2U*GbUti1U
zUv)_1-;_wgC{Z}NkmM~|T(thPd`nEiDal;#zV8{LTT)vY}Z
zCGpY;Mk(#pZ%xdKKbx2Zr((SxV;Y$3X9lfCV1Bf%7QyK%pK#+gjkVFLM$j-+0NwtlM>59>ITt|6u_!7swqr^@92RMZG+&3+$%uPj5v2
z3H|>TiLHyL{@L>4^m{ga7rhJGru@m>PtBuq{Y760z8}+@y?#O2wB}iNg1PrkD1EGR
z=DL`&Ld~pP$v$0bj=*`Wrnll70u;2tw(i2!4{Sg+FMfy+*E0&2-SO?)d
z(MpOgg(t=DZ+S^)6jBUTQ>knA|J7=u3T3RqDz9mU9Y*ndbnzfd@`huYV%F;HDI!n+
z>=$4wU`mu|M)p~n7Sa>}8tiYcqfgFt9B8-i8t0$|X|X#0yv3O(?yoE>2n+H%@{?of
zsJ5g0j^Ca%JZ(|A?|}noz2O<2u#>=us>z?dC;z7JmK&_fxqqxwZbuz*~AOM<~47-h5v;9U?c>Bzg53&7gky+@Y79D
zyFX@vP5cx3gOSKm!;hKZ5>69V4t
zhVeAQ7eutexkc}@z>vnTlf)jECGiWSiqJpBU9
zW1lcISpgPqV8tY?HUZm#M*^tnQL7b@e@u-%DhPwc564}QRX-_b%ENiF9yih?@Bqug_EtCi$AEX|GabLc=bG$aG
zAM$8LG!T$OIy|mBulb({y$uB9kIF3VW^G
z3((C_8yWjDmv|}o)1S~Ei-hXfm#IXK;K1s)EyBVp^S-(vxrYUvM|$z1u5gtT^!)Ef6gB38Hp;jc-D#>M9~{}Z8<
zKzJ_c?6~-Xrv8q8t?>XPdF4M6(%F%yHU0vLT`>!Uzaept=g({YCqiEX;qOQn$MY97
z4R_pYjlV)(t^7wq+B^KU=zd7_ieex
z0+ag#)`&Ufl+V#XHTw8TwBX~8o(!K*Ep^w47nO)+k26@>mE+)3-kh)xwB$wr)|lW{
zJz8Y!BHXIm})J(lLwMsR~yiEa~+S&p!(&5!+FRiEhH`cYxkYD5t!T@IMs
z3ZTRxfa?6XKS!WY{maD
z@1#O%0sh}LY51h~)PL7>(2iXEIeEnf0lNlcV3*Qurz8J(w86?PNDN-h9Fw!hF&JFX
zpuHtrxcWO#VT0LLR^h5SBp1Q%EZQcOZ?z
zRTD@OKGYoZc28t*r=UT1>vtfe@fDGilFXVRe1^g-NK(w|~<$-hvda
znnB=rk~t=SPjhhReZ%iSh&|}wPEiABi&D611wr9S7MOnx0d7%#!LyhHU+*0p}d^h{%a`49GJUzdXV!yRBubW5MWAqivJzR%>rh*
z^=}$r@t)%#XA$)FR!bqkl2VF~vG_g6gz^}#YYu#~cYH9Z0D5gpv=Hz+P$ATO>un*x
zf>MCjwE!0GnG7cVYpBB<_-;>rFzG$?=9W_-z>JcH{~ZWh2(Y45<2x*XC3}8@NkvfG
zt>1x;3>p_euWoS_!f#O?;l<5?IeWhY<>JLHfbaM82aOA%rduh6aC6Gz~6yPDDikVbKu)O{y}sB^!k=!
zA^dlsLa60dc_G|_QjB-A02b|857JPHE9$ifq$X!+g=5$D&O}^CHaEghkT3S^XG0^2
z%(GWsn!P;zC|&=C@*QjQx|!RdkuD)Ad|m8E4(Ti2cVoS%bz;O6>4stKi+b*>nv4`&
z{Xguzd03KPxcA#^WoEOPsSTEyrj_$ZW@csTuR%>sDND&5$PodR(#&$qOw9pFO)V!%
z98y41b40-*QBy%v1Vcpu2L$2exA(jEyU*UIbAErk?{&@}oBO)%`~G|{;Nn{FtYC;4>$Ljg;jQZ=q!hc8n1+8vr-iH6j
z@R~(e4=^SAR-6}KF9!|121(p$Nc(7oMM#IH;cr&!q%_Bp|0c|-{unT|*6os3o?K5H
z(~@@#wj2NQkLV6NhkxgGU8_*8FK)V-_a{v6wVp2E-Gr&(-@0AXD)=MDyIt1GPwycz
zJ$UC~^7ua?SY7<2XSjowj31wH@*`^R<@%&zC;f(w8hbdVDOBn`^6mclzRKJ?in66l
z##tgf_WkkmW7Q4se9Gmr1ZRaRiO~D=L)BI96w1jm8|SP_Juit+TIJ-8p?H>cIcHVr
zdHYf%f~9vHzY#-?&{xe{k$o
zpHAgngZ&9hnD)HWu>JU0H%oM$W6vMa23_dbS2EqtdkoXXXS)3fXLdRWY0o)Jv(kGRN#
z!A$WvZg%LRfj-vspAh_BzgvMR!`lMeh<`@C@JBq3Po`c0f6(t$m`>nbhW!b%m^QqV
zu)X+K)Jxzz{hmMKb#S46U)FRN&l9GN&!GMZ55T1H(bS9J+?s9|<{91}vDam~jOPGT
z$EQ-SfeUK>gbCEk;QX4NVWuxn52k?s6VCENV8(bP)fQY-(>FZ*C!`_8qi83;l+&k_)f50_^e`?{+%`PhECUsjekMnk~Zv7+X^KPu33V&;M
zO}QYc*J}EYn4i?s%6z~(w|X!<-t4mSpD>P(>LLbYm1+nd^8Y2TI7$|hr#${Vyg_>y
z+A0?%^|ek<@cdT|!n4i(gj%3g!M~i@mDR)ng$&8CsSt!B^GyCUaFV>UIqJP#w<>cl
zZ`i;nh`@@Hb{xQ6KDjRi{&Uf5e_5<}IGu>b~$;GfPyS-JdYi%m!6x*H<*%
z$Mag%3I7vn^W;}|gugJeK;@FVLCim50l616jo~@1YJ{hmS)=}hhr<)itWf#n9tJaz
zXSn)DoR%zmT9vGSGP6S!NmfMt0Y&}S5oSbRsHa0tSwQ;88RLgVGaa1glx<~uomDGs
zA0fMqa)U3jo>Q)tr8uir**-@8F!~gHll4I&+;T3ewDm&v8WjXzW4)!Q{Vi14dLt=D
zWx>v@N{UxmpF|)%LiQNt2VZ8zQ{>CEok5inq2H(^*nw3_aVo<&gQ`f6B|=fKEi0R1
zSQhBas3dtI`y@hx9dR?@jGWNt?mWi7f!wkgpzy!IvMkP7u1fQ<>yNsR!8cfW6w5Me
z=k!WVFW26>55ZSiZzw1J7OFJ8T`6^?!A`6SibokyB9uRJ?WxNPwq(Up_Lr$UJ61}B
z{<`8|dsZ>UzO2OAv8w#BL?{flVP#Tu%evDrFB!W#@ma~49-{a9Ab)SN7u?i)Ei*rq-pVw$_T|uxlD~)pI
zZ=uT1dz4aF7VN^Rrudc(ON6;cqdj%`!B(t9iej0uGo(@?^w*UHJF?0tu4PzfNY&h9
ziBJ@5$I79YmcgBuE9bmM`y>L8RZj^o6F4td&3TUw)S)H9Gs?y?DQDSArAMaSu=k4>
zB!Wd*jI(T&(qq#fu#by>v2rDXm2*<1l9y>O?8D*}Rx;)I-$Ip=wF*)kmdv(-BMXNz|D
zPewUiX75~5>EKn?>s(NE%{x^h^gEYSIe3>*oXe`5y{jmXC4zS)CnC1*{DYu;My#7P-
zUyl!4Z#)H7w&={NqIj1LIHRlFBtoCFowsS(VKylzwo2b}8h^ADWLT}94mtnGj|
z^wq{f4U}e>3Q_rV*jXZ?Lde&k9o5&+0@d~~^xM1Y$p@6dsp87{R~m>=zI&RubD7WJ
zSZ!Bs3&=_mM~8vNX`XydWwAAXt}#tRJ)C@+RtDqWOk=B=py+UE0E#Y{6iA~wIU6}q
z(Wov?5m$qch(>jAf}y(NoD&0+i$X_d4pInD8)-unoX`&sv!vr>F2S=L^>L9!(6bqw;GIXtW^uB8qcS#7#{lHX5E)d*Y
zC8S+!4u-0O?MKoebkpf&!Y_Z(La{U_WXT(WKh<7OW?6b;fNa(fnbGz4SMm@bi-=?*5gxn!EBT54>u1)S>aM-t2
z!$kf=YbF?40jfAOoL<{Vewfh#ZUYmo`2(f66I@i<01a7O>wlM{&(NXurY;2H(0M?*he$-EA`IaO5x=Xx@TP-Y&Zn>0zOGCBnYAGh
zP8_f#n$aE-V8{=>QxJEjCWMaue?NBt!{M7?Qrk);&uVpx7$R!H`5sz?Y`lrMsAdwv
z?F>0WCbwx#X1KyU?MFHZE+GW6!=zZ5Vyw;)%c_$*e5C#*zA)hetZpZZ5qF?-Z?GOQ
zGjCl3ehehF%T2~{PVg(jEbC7LiJY<;S@b-z7GHQm8Mwq}m)+^)2-N*N_#2f8RljaDyQl*ye_cyc?jndgv<`%yCTi_B
zy|v)bY*!lkjxOaGrbU$HuVe@(>`|IHM1SV~{%GZ{0BmWpxOhIrN%T>u&%txTIjwZN
zHoN`B7$42B^F+NNO-MVCqx<(~=JEZmB_+Y7#YV(>lQ_RA;H??;IAag6NS9A5$)ex$
z+poO9Cr<%^!dju=tt$y|E95v?$nJEl@}z?qC?Fp(=}6xOy_xf-h%OIx5G4v-`EbrM
zUAYbL7NH`(BYGvg#RqZ7bYL6dEieU`&Y=F|xj
zc_nU87izNPz=8tJUdz&t^Y4ht!fr*_MF2&T&W68{FX=IAHKd_w=+~ANchWk}^Am+M
zNB)-D8-8!H=m%=;DN|w!hhV5rG;-2Xc$n|=CZhLW&|$i$e8kRGq|fl2W|WQC-Ka(7
zaWsd{z#pP#Qs55>BkEFAy;Lcf)`E-s_0^y869e
zwcN~q@m0xxOaG@@f*`d=Z2EeI{p>qJRz(CqvOwGT%HxWLg}eM7;_EvvzMoe~JNjkE
z|BZywgxQU6bgHkJpKz+Tt0&BBJ4IZG_&k3-4R8ja0muY3yEuvZW5EYHDufQ>rcM#q
zc?&1a135&_#c{p{dY@Siz5n8kw1Mr-PHyQmHKBW&{&un_v=215(t(YJl&_Y&(V9Z3
z@dK!*GhU~darYahgNCB-s=>9zq4ZP}BI2kVQH)JOIEiHW>KqKmk&bRBx08uLGUgY9
z1GH{#rIU$vZ6JCe2g;Y`$k7QYsJCJ_krZEinu0{;{!d)M$}l7MRY{UVuiWh
z6rpCnO@&i+o5Rq_VY(*YI^dMpwfJBf;TS+2VK2%QW(#q`VE*QRJwZ#RyIbkvw_@x1
zY;jg`sAYYoIIAr5-%i#vjy@gSu0`Bts8%%TI9ZvUj0vzM5ou|v98`8}3g@lK8FCwj
zlPy%_V>!!{Y$D(_;*|J`=!xa2x!E&FlS4J&=
zYu9{+2uzyuxa#==pcWn5=Q70DYpV1%j>0iu!>
zUaeafnw>fTeU}(40L-)M3vQp@cIM_=(+>x4r+rC69($;<|Hku~hY81ydZ6U3wpuHaslWMaRn$j~%W`!+3GZa=szyDbv8`T0+rq51p;Eq}AEN3?!-tdZ7>
z32oQNF(*EGPCD{e-lezmrJE8@6mBuUI&v*>FYN8jTiZRo$ktlBE8n)1Xb3BWr(Mo%
z&6#Kq{Fl37m4Agvv;k#gY<0d5&DI@BYNT(sGQdr63V-=Q+@WRL3S
zY!#Md5UuH(G_@9{JR)$NF^(qiW>E05?xT%)7IdyQUxII>t>$ww`gV(HU@f?9u?Qs_f?K
zazneqS-3o_U6tq1dXI<4ICZ0;id5EWw#JsC@#*m(QGRrZ)ojiArv%bgycEk!w&XAwFdA{ptK$EiJ!wFp4t9Q;rEsn5*M2p8%@pLqm`9cGkg&SYy5K;MC+C}
zE*|_SK4K!(B=4gYGiLOha`efIF|+4sxtth|&%4$8bAS(Yi@KNzqr0T72FFK|&eD>X
z9(`clSV`#hek<%*O=N5J
zn|Z_a)FRHw%$`feYZ;JV+JVUD11j*dPNNSOZ-weK5A6%R^&`xd#t5?2C4cgqk4B0v
ziqfg+UeqD4AUkfv^%&hI4baDoX=K)?Rt-#MfnQqP&^%~DHzv(64B5m!hUN}INNtusjJCLNtw}Ogqq{?
zx)`$?!s_#;)fa(8*R9}OR;YHIeo83Y0+($WbmFUW!>CJxkx%k+;TV=$ng-lPg&(uOAonJ+a0}c}=D7
zRCV<;Qk<^GYOlP#Z!5oaDoRV9qdiZ24~SaY;RgCf{+uMw1BJ%u8PnqX4zNcK(BxcZ
zCmasdWK8I}`ApapiZUK+FLwOUk4w~8ankW=1z~^AhK=k5#|+JU);I2atSSzvqk1{k
zr;5vdvUw|RqsvbqJ$NEt^KOVS&DUyaFv&FJL6YHIKL|a74;z$%DBCRw+y;{ndI>{1
z9$bbLA282Yhua7{Jjp+rqkNuh@pvb9`s~c%uz)e8hQ*gTR$eBtjW>KApQwZn|^Y4S$oUqO^1!%)Uu6xTIi=bYi)h;vE6F>&4$
zj?1klkg^8Q)HtB4ICdEgyZdc95+pb2HZR;j*5v%ki;!dA?F&n$SR1%jc&E<`Y`VZ9
zOnpqP#&X4IeS9n3TAZN1#EV^3p9*PSvtM?k1MS6HLNT4M8$9r+{xVT_aUk1uqKl0a
zkBWqT=<>cGq$*-eEM+Htx~Q6i_!Yd7Bt!O_A3s^9?@H4dMl{uW6xPgz^+ph}TxBz(
z?IO+$*hHk4HS8JaLPN~V0W!=_ebf+bznEKo%xr7)@#arQ-g<}bs#8z8B6G1eE7sMV
zIalAvFfC~Qa^!7mcn;T`Nj)_#sy}MZ6vZA>-AbQ5p}9F%%2_H`szlmA)_(6m)L&-M
z2*Gou7vd)YyE@oV(I<0e@`eqR;~OLYdKTsm+r?2hb^9;!Mc2sge9O(*t-oJ=IKm6H
z_SfEOx?Aq~_7e3{T8eb!U&$fAF6@F8XW!ZVJSSwS5|cL(`PaGd95toqIbG^c)Dl7d
ztJcgL0YSS?H^=nO6Wi1_mdvD`}bg_;g+Q
zR>5YR+w;Xd)-|5Pf!(0UzxIo6H?vRtbmMe_k=^Rnk$(l>>0kWVFmQmu6+*J1URvM5h`lQ|E8VwkwW<2~
zRq~`RSN(L_MOSIJs;_}%cGjRX`cke_F!yoX
zEtlF^rM;%laZ9V!MSK}I$P?aJpze}XuKw(|tW|uK
z_EvmZy*hIA9>KyIvI?KCmMT@k!5q=c%rM!a<;kUecpl4=E#Oe?_8BbcrBHJg&*huV
zuQF+lzQBXZ^Ya^n*LX~{c%9+KyOL^27qEui*-{ISUPEPmv5sgTzRul+Jum5ENiTlu
z1_5^+@*FVxF1Gjycq=%X(9{L`iW}#}|E0ZQIhkbDsOU9!e75nF&}v-w8tIWzqJyzB
z_2AEzZtWM!%Fx!9pW6s77a#a5SPvNFB;4YjJEIIo0Fw2U(ih5A-z{%~qI$WXkZW(J
zUai`G_s?5qXfsltAU`ZWG*u;Lx?(_YimbDf@mh^Se<&)QTQDvEtLqGev|McTn^_a7}V)d}XStbNagC%1J~r3XR{
z$dJ~sItKT_Gc!rSsptVm4&lXut`?y%{Ag!1>^oe4qAO&#)`9Vy3)UN`+d@x<*5B!J
z50@MMa>C^9#pOM#Y4eXhnOS?e6ffW8-sy-cFwnS#xh^`tLZoX9APnQ_1{wnoYQvp&
z!Z**V&)>=QJb_gAaw-s?77#KM`=2-xt$%3m79GNVZdudExq8b{IG{7^H@tac)wj=6
zXyINusvbP;Y_1KJYh!lH-=;u!|A0=YS7ia$pvld1EIXIx
zN%eX0W%Jwt<9d6lo=Htl)+fkGYQ_`Hq(={4kv%(w-`KK~9P+Ng77sBJIMBddY-4i0
zK8oGto^FPv&pBYEmXwTZ(-Xs2XH&4W2+xU?jcCN!=z49FQ{p3?Q80nxZlmYo`!HD|
z`HO{N(BWr@OQSa!R`-QW(Lq|`xc^~_ztHZR;d-`;qAJw?Ch01>UyTodMmW!UnMO>p
z3w3zwWz$HU^w(_P}7>6CGz7?cpLV
z0i;U_n9qk$-3G))XAmy|i(Et~(@q!B8@_QsL5KDf+N3o46wxF=>=oHyp?lGY60trQ
z%*WBgSCiP0ghy-EXo9~m3sAElXk7%fMm{-fpS`Uy_o%tSh~`#C$MMxzmibEg33G!Q
z7B;{6>5(wI<|ElwRD8f(*N(>J;Qhu?^J|OW3yx&#n{5Srw#$}nlx+-e3$CYZxNH_G
ztF^U}uO8Rq?zn3S0a@8SxH&fVab5xQXtvzDGkZ1*HxzyEI&$|c>Rax6T;y5l-#7lU
zH4oqJCes+5Ef?U{20hA%KDl|^%369vDSvU{$}{o=%*5>O7}r2CX+p56v@u{ii~AwR
zZfYwT6$Dg4fBSMJxFP@8@3{HgwoT7KyYZ+)s)f=@CaEf8X2BQcm(&j0ac8_D%#a#m
z0@vM|rwJd0d7QX$*Bzec-ZhK1Hz7|`_54l
zt!DB~NKT*gwQ#TOwUgV@rz|pBFUcJx#B(do5;9Ivgx=$q+Vv^G
z|Nc~J*7lLpeU2GR9R?11eI1`qXPJA19p7-@@mS~i4a-}(31b$U2**}-Jp*srxjQUj
z%=|g@c0p`lGE?
zuu(C$Xp67z56ZW)Ei;)p{Q-*Y=~vwP9bB@&!9RZFV#<|*{mU6RCFJ5_F`2gItNxf*
zl%`lANN?=^#t5D7Uyi!U+}FK5{F-uV`NmxSJ^egPvRi_e@3ER~z^q2^SZi%iS7&}k
z-PBio@TyqeK)7l~PqCHwPKXP28{UqLQGv}f+i(F*9MtMFphwh~n|
zym)$ZzFa;23F`!5pkLe~Akk`~@C(0Z>-4j!VYB%V;K=IFxcaY%_j4Ns-AT(4(k}!H
zc$C>1oi|WK_$hk4IvgXKmtyKZEnGjPv#w>`$d)$cM{-*_bSq}|k>-JHw64foXCn9_}fV8tQAjiwa#UAW#*{7II!
zd{H}<*j_JH$Q0K)h3^Cvi-7aX(kS36b>&TqSLpR9W0@8mT+u@KA=kc6SRFpcb~uOz
z=-r)H
ze3J1XY3d`&0unFZJeY7$JAMIq(86Lz=|OH%gWBaJ$%*SpY{Sts{V!oJqvfQv4!CLH
z?u16z#XNxSE`gLTpQDJr_bOUJ4k!5IUTTYLe^2$A$&qX8(Tv~PjtMmCIP?jlN1u#=
z=5%p=>PPS1QziUjI2s^)#r4%7U|;nvR5VZPJL0IObhz>vo~A}6Sh_3dD0N|_nWcxvEuhJZ|#DyjFuqrS0n3q)m6Wk@n78f75E%
zae(O5ncj?Z*)aeX&fly{FLrs%PUD2ADMbv#r1#Wx3M#LU28ha^VtYp%ewL)pI~KdP
z6H}+^_r#=5)pbzI1Mt5|RfeSwgiK2RRAnZk1X_`)`f5olIp>l=1UF{yxJu*I+gTq&
zWOjOYPAZs{7U;ebsqn8Fs5IPRz>uuq-vgh3MG>a;tVI_z4Yo#M)wq=tWE)vs_oC!|
z&PK_2RyM#hd~Dl;PL^0Zq?c+sxmI8jaD#1e33K|5Lt9&Ed&d)=+#Hi!>pV-j2#$5V
z{>4#kD#JbJU)>5gFEB+ZYtomq(>Jo_D(NJ=W}8DX_cl%O)6%j241!(bCs@Jn)ZZpH
zXdTSeCRG`f&Oxswjjm;v%#05WSGnTAL!@cmhl#i4jz+fA1_hD?_&<|e(2E>-nCD>g
z4v{AlnY-*+?>EKptj(hPor^iM^e7HF;(owoX7T{Gx_NG8_!Q0_U1s3h?4@q&;{P+Y
zPtUkc2JIW_@hi1G>be<-W0*n~C2j}(EYT3W^H9dj*r(w;&XYCPFrC^&vxh@c2w-##
zk(Njcq53eoLZ~y{keGU7Xl0*C$S>|0U)rx_BvnM+&aPO-hRwBj>$_o1X~z+=Yj7ql
zimbE(U#X0-gHO)XrbI2f;g)~l<=A-6Qpa#ytDDKvuP=7wa1&}#2?Z|C(i2loZW0s$o}Cpu$T;yUM@aiuk$M>ub??PRp`R
zebMX>FXQ0Mnj-p|j~}3KNxL2}0dHAzS|xQX*Z8lL3NajV2Y^V#c>3>LG8`m)6K!77
znnU;_sB6%J3@=eCK`z_%v#eY{@HXPcn&qNg7v~LwFodFY^7RGWta`$@e@09?G&Dm*
zG;o#dnvGG<;Ts!=Ng^a?+CLiY2n|ZLlDPdOLYSL&zPHZZ{P9CF1CLe|V`%>W=2&OZ
zO}L$0*+4Quin{p=$0lcl|d-Fg+iKW-K~Ud%GZb*Ar`V-I9D$}S*LpQyW|qn
zG3R$)RkwbU(sD7@ku2ch>`37ObHgV{lKHv2%M(ukLIHggaiRO2Tsm%bs`-SLCe*(@
z&f4t|w|C{+gS@<_%jqBK5;k&3&H#Sf#zM5SUSX2U@Th)i)DJ{?Vy8&+4e2X|{)@J_>70q{g
zH`S;kSIEEmGgh)^R_RO3F;c97`mfThoyX3iBKiAf?K1lMLIE;_M{Y;aA8~n{*beoR
z=!3M_42yI4xbeH!+3qla1z8&hr|dvA*M5yS(V71o`u1$no{;kANOgbHHv2sxSASaf
zy6vfX6JY(zK@wnTk-+T{YKsMnr^>9nOs^GfcT1bPC2yAc%ymnM{Gi9Z^k=S=(vD1f
zC(LOgqarj_w}jF8+YkfutCS3gqwdn3W0e{)0XeDMQj-ymP>U>gSdz`J^&bSTaVbZd%L|n?W|G>RccWm*c
zPSO>_+5A!DC-r;VKrA}O$PIWIfHPZoBBMH>9vFga-Sk7gIh<%ic?79_q5QR>Qil%3yydE#(FppGzcCFpt2
zjif|g$cLKactx-2E7n%dMwvj>cgQExD(JnMl5iDJ}`dh)>~gY*TxrP`hc#8l{Nm^byJegtWA-*c5u^!U29R(N;82k$wzZ!bAz{%
zEV}NW0>5aGZ;853t&&|7@1j0gX9W=8@elkP3R>|9{h4Z9zR32nDv0|KM{(2cO*X-3UH`HsH{tJ5%|
zI(EL{?#VXs+kw4&lODJ5En;m{3NzzF>qE2aEuih$Y9?757=d8`{S>l4>al9!FOyVR
zAd?^MD%`Ln_k{3a+&U-hYLgDRXaSxHc~G}HU1_&WCC!Juz{v-7zW3jvseP~OwXua*
zzMkwkIFUgmW*BsR4=;4;d;_o+Y49=3cQPP7Tg-h@L-5Y>z)tlR?m^vi0g@p%9bW1h
z8?0#Ma=6og`x4{g|Fx?Cq?uhi$5?w6~K1TtEGSHI<$!%?g
zUb&gkyjJ750aYse>lL!4j@J2fOVWX!xA#DM9$o1+en#5lra9H*elU(t7*smb;PJ}U
z**(H~rG8&}fhX?A+Rd-T(27oz^abw>MYru2_1h`
z_xhDS|FXU1G}pzW$RUG!+OTA{{qbGL5~o?S8#c$vU-49WYg^V1QPB+#Wa7b0!Haa-
zH(|?~^E>Zp*Alk#LGLcD_V7K*DJz+mhK-yl3lWNIteIArwu>DRw#?#xQCgPy3V!-!
zJ^G=UYF}FE$qed4m_AHPua3qvesDZ~ANxYAscr6w%`GP*d?LTRO0y9Tes8*+Q<&*k
zjK8iMqZ8hTqj?4NKC#xH2s$`@wwFCJ{Ax$|`Oq|T@C!lLS8z)(#&qO5`v9!wUEcwQ
z%LusnfjXf2SN;BFU*S+8TQA4ADOe%?`n!y;px!sH;Axo};TT@~uLo%iCj-wR>@2Ce
zuikYngj~b=(j=Psc3%ogY5#M)rlyj^%H!EP^2`c`7>kzQX?ECEqxm~
z4n{-S^k%a|OBn+ZIWrJEs(x)1)I?0n@|CLaCoUy=WRYc8#P7xHL#1XG%~4X}N^cNt
zSjaoFVR_)Ba*y~FEwMw~qqO#sd~PHWo^IP69KaQ?v#7>KuUo%voiusf?7Cg+GS+Qb
zw_)91>+Y?CtXn5J%GRyhxNd!D_N=2Fc%)@N%4VO_n+cr@eaB{x9%QN3@Yo1<>@kdKUaO<>N`~}7M%k7hGF~pxUS29HTYYarxbhi6$jan&R#R>V1I5x
zg>$=q1eS0bxyYb&<@lC~qhX2*?b!mpcD`lm0%q#&S7{ORV*AX+g0Q0b`g#I^R_*(X
zp{sV{liD%_S`yZPvR0kF?kW88$pmriT6+!ox&H7rz^zZEhY#!8pFFc1J*j0&Ug>jo
zFgHFuvtU;c+;KZBJ6>+R>tp*_*I#dKmgxsrzjL)`}O|QOP
zz6@MCZ+(#rRXZwEuNdZ&Z+*(Kc7qY*_xfWe6l3CV-KSUfydJ%@?$GN}?F-pIFPwJU
zW^%FGV9J!4m^p4b+=2fEx+kY4*Z
zq7*aeRv^Q)nA4{JxJ2C9Q&?VLvw4rHqxMyDCC}~Wr!NK42{#)#7YBQ9bGr|m3A}W2
zTs24IaAKO{iO>ceWEv-IDA>2tP^;N+OdWK3lonn&+Souz4foB*;jG;
zHf~2+GS=IrE`&X<)I0NG(;2VQ6Rq>e%{ti{{oR=_w!Xcp^)}?Y*z%R;kL%-`QP)0w
z$$!70QZxLERH(Y*S%2ywgDC5i)s}0Q4thUx$G=;5$?QVZ{;U@JUUNHJ^}N%X6;1d%
z+6zkFU1j@}CO5Z29+m%9^17}?ryTXg)x9)hz3g1#<$PIaIU{(z$FG!Y_HSzTq!&wD
zlswWhI2N|K&F~SR`}@MVpBr`-$M$XNBr7CaUl4CiRBH62+*|#v7IV@0ldc=!%V2OP
zhc~nhEq&{%UBhSj=jVJ+?@amDyrb^u>zG@g8=d<$OoxpcZ3({RhF^zciyo7)|xesX*hT8)2+rsO^f63lx|r@StzW2mk7ZMxR|ZHM#crF-o|f%8*i1P^Tv
zap*yJiDWQ&&!zDesrsnwdh(7d+dQIsPB3d9_5Zbx*VL}>-i4Be+w%i11-@UWwn2;EmR$qF4Ho)l_sPlVD+NOF!In0W3|JaYb$CK=Rwl{w*zCCuF^~6&<
z^GG)5G$}GKQM2g%`q}fO%gmXN=>-pgPs`)E+@=|}rd|u^wz22v#U$0|uJaX{>1*cL
z4**8C`xc!i8+qJ8w}U)o^QM_4n7i_+}o{?cntwn{10qSN1^6VnDIK?nOW2-vKKI
zHZzC6V~_cL_Iw8Zh}aN;`HHnrU2w7(sFu?{9{;#Fr2gioSM064nBb7TA0NFTXjK<#
za0gvy7B}}JyKiq=`tX6y)JYKSR=3zXY@mFHtAu>HqEXPfpgCriFWmp5u$_I{O5t;<
zT9VHBUHJPp+D2?%H)Ze5wCdE&J4QM#sl~p^vh7xz(gS83;3aDrq;zY};}7~RP#TRo
z-dV>K9*19bndOvvzXUONKxoiO^oQS=wiu5OpLf@(9;+XyL-y|3Gr*4VJN|sZBU8L}380ZA1UbM1E>TilQ!{tox4
zsd*q1yg`+zc{>s%tLA6}{&Fk?)A#A4{+r@AalqpHte}h%Dtq(5@VxzGc3huw^|qgh
za{e2Y&$j%=s?7)wYiyoHe_P9cw0KtJM>+R9xY{J-!wH|oU!uLg|9ZE$lXxri0df~&
z`>*u)VZUH+O(;%i(>!6k9*r?jaQ`A(bk1R5K*#U1$y}>4mt_#D|NTvtcmr;lCZ(S=
zFD3+w6hsuhzJ_?S7SQyRyyvxUmyNYLTd#lyce
z#`iGpfUbhnK#`bAZU!da8tH+gXVYD$O2+~~mY@?L4@S77fv##$xN1ORV0o}RLtWMX
zX3?B*?qPXQfTLkFCKgkS$;8z4O>ZI9+D_lLB^Wmn*bEOlcsrUd8
zgzhnG
zT%co+V}N4_CD@w;^J88nt@_R2ew`$3@%!z=q#$KSI)~bZ2D^|p+1zYawha=E?8-hz
znj$ItjhFvAJXQYNXS{r>e6D=Fe7c;jH?p&4I>gAOt^kvYslp^+$}q^lw7_bYT5l}t
zYyL>^=;FxYsLY7WXwTf`xt6(;bA@xBa|a=T5NU`tL>=M{QGmEWj3IDHDK<*-M|F1o
zh(D=hE|g&ki5#BAP1y#i)~1XqF=QZCj583`ngQf5+{BV0xNeO!Ov29HhJYa76oX<$
z?nC4tnb;C+78Z+*!4_fDu{GEvEEe*RHmuv-OR<;x}CL4={XA`rD$f4{nq#{x#NrSXVlCg~md?`rWYj8YUH@hl(
z7O9w>OcIgSNDZW1+otJ&w@rtqHRcYF*Ru}K9iFad93C5?*RvzWwlXd-jx1X+9xfkW
zez3eZ28*gg)uOP#ufRHBEf7olN~@#Q(y)N9fI2`e0898vs3X*h0}&AM6LF9@K)iIA
zyl9eSfH4j<2s8>b3^e8%a1EtHe>_lHe$IgR-f|mDn7<6uhHAqxp%@qjih&1)2EqcN
zfpBgp7siEh;nD^Wm^4gUvI8m2fM!%<6lc(CkZvGt9A~6zplYOQCVGT4676*-kTZdZ1tfAI$Vki+tgc9NEq3SSos5)F%i+4WpicYWz%JJUEEIebTF*I5$X+Rh34ae@r$@cybMkT-$T7jZK0l|7E(Q_2f=}0
zX|Od|9qbKO0K0&V!EkVCP1FEAf!hM#i}RC|^k~nTSqwFX8AI{ZeP}Xkxe#Uy-$;G0
zKPdyphW6oH@uRp=yeZBUkH_Kh;ka=88g3205w{T^g^R*l;4JV>xF-B@+;Mz9E+78@
z_W(bEo51hI?Zv0yQt-EMxA1+qKD;(g8;`+Z@PW8MJQv5sOXH;Rakx0VHO?AO#1Zk5
z)rI&HTnXMA=Z$CKSa=1T0zM0ug?GWZ;D>R;cw?L~9*e``B|mb!E!74V-Igs9CXUoFi%slPA-t#LhDp<*eR#}G8
z=O*t295&3!zF@1Onw-+EHhDYXkRdYLoTLIu#cOHYub$`T{%in
zRM-VG73JilcGbyS9C?1Wq)3YjFd5yhKk33zJ$WL_GBLj+Fy6t
zHKE*g;JtTm)uX78?vt}0PLwf!1}PfFmRk?xv-)J1FM@PNU;16w&&}%XVjiqB9F6q5
zT9fC}=gX`PGOjaKw1&KQ4LYo7r`qjjlx&-q;+4de9!;LR1fSmb(@HRXyG~p2eN@oP
zoqeuMojUc=ggM*g_wZgklNzL4r!|^1XD9n!syB++z}p2oWg4$!oAlnQH=o(VI|$P-
zO;ob8d#~D?!ffa5gPk@_$gw5A2lZl@L%hQZND-X2Nat9UnC^n1tN
z5@x@okkT1Rr6M~?d7<7cW|yRpkGiD#j;*8uPA`@@DycQ2B`FYNC#k^F8^dgp)X_K<
z-YGxZ$?9aUkT#Q+NwOpe$&QpnB9r)}CQ0>*O_C}SmZ(BWHHYayNs)yO;mP%vfQ9I8
z$7yd~@amTElzK~AA-fwg4d;cgu3vi{aS2d}>b9E(@d8&juf2(|BoxxR!P5{Pe0Aem
zvgi_`kkAdB2J;X+$g0#@ipWyzxic`Mb!&e7InpL>#>3dnKARNUJ>9i2PJ^XBdV0oL
zQC;m*?tvKSAkN2358(3jOxpo>X^iDyp3k{z1DD7%?P>1T7>~gUAH!-BmuF>d4({rh
zL()#)-P1n5?RRPkaQJLLSnQ))ZR8SF)=qJkp)_Qcrlgj-dt-tJPgQHWB$bi%?kQCC
z_#Cf3H~ieUL+`J!7UzFpP#hbv|WmwYsap9O#M_c6)(RyTA>@0E?GsgG6l
zUY5tLJIXB3ts#=nQ<;jRdYvKn`v%K>^s9}Bqh{Ne+~Jt;!FnG+HNg0(V%tu4DU8Kn
z?#$T`1LH`=_C$9p%!9!%GX^0h#?O##w(hE!TZ5lwbV7`bqmb<+cMv9Uuy)2I#0>k?
zwN2Aq4r4u7Fmpb{5F6>*UheLQ@gA(2F$yuoJ{xWGbJxeX43^F4g&1R_M%(AyAsF}|
ze#R^W0Do%QrsOV*u^P;uIk#j0k2G!1aks;O1~D^+OD6DV_%=6pEsWz}$&Buj5j+at
zPIU)kAcNQ$(;`5Pp?!7kuCtwuR|+(I*dPuSJ^eZWkurgS=SfzID9Sx~$Om@yFAc3g@3ya-3q
z&f!L)8y)E-3;p~c
z4;My=)*)U?HglRvGC**wkOck%p}%Mo;tik~HAS8W@dJfW(FRFR`W+aO^P~=G#aAay
z2<=6O5J*A;Z4$gt!#5VXij)v2#5cgC@fmH-9XLU4jR6bas9g+du
z&-G=Gk&L~v)|z`wSs_3cP;7QT!kSvBI!gn=zfI~D+tI&d%_LNxrG*fnepBF4;9WpY
zD6JJ2(cfoH)>vt%&dZ-csuo+;KWRJrF<`pN)jUCC0v5ucJ
z1+%nKn#9x&h+CU9=Kl))Rr4#)D?#KXSYR-gQ85$9H5i9qVxmr&+HX6-=1VCPV=kn0
z784|-cfgC&Uj!uoVof8Yalq|M(G~Z!zrb3c5jLlMz;i)y6Nl9wvhm2HK~j-{8$b~i
z$JU>+@z|q962!ohNbxm}B9CMsW`o_MNm40~Ta%(9PNYA3gV&=?QaO)jlwv22us>pS
zcr&|w_A``aWx78l?CSu<#>>+*KVw<80;;i?odLoPrPB|7
z^S=#0v6@rW$IK4Uk0xp+HK&RU>`}SL!t$P-w)rW4;#r|Mjw9)h+F(0vyiyG0z8|S^
z0{xjAJg2Q!pg^8(iq$yg{-h1A)8;FsKiokSXbO0oTz}!H#fHEv8RRDM__{zV5G7K0
z(|7rPkH^8mp-N;8ceF^Zk9luwYwTcbV+=L6J$5v+XB*Kim)9H{JK$cifMY&flJN-47Z+Na*UJ)*09D)LSNqGK330
zTexxg`}R&3;sEJkK8yNe1)+iDz^mc8@Gf{1yaJvHhryGYtKs$VLO2`}3@L&nLmD8_
z&0Wp8%~8#n%@vSJNEW0W5)SzYNrSXN;vqGVJjf?VD5M1P0n!ACg;YUuAf1p%NI4_}
z(gsO{)Ika$-H;GSF(d`j2#J9}A=!`)NCcz|k`8HwBtU8*`H;_$Fi0sR719iegH%Iu
zAzhFtNX4%dNG1dZNrKeh4`etx_}*`ljBY?j--mT%q1*2xUOuAJ&@JeAbPYNW{Rth4
zEcj?O^0p%c+{_d~rK9fB@Kr=T0rF=!|{8{L79K$oG@o0FPh
z&G+sKbSpXmU5m~~e@2I)OVO$5W^^378l8)lL%&6nptaBfX!ku8gMbez+}T^&Di*3x
z+egaZQam}On)3#JYmcIq_#IN4ho!diJo%+ydCH?aJE^~hA8v(?a(S|JG?*&#bJL{8
z4RdUL@O;wIVhZBt$xIy{rrL`2wI^0bF$15(2l`=+t#VHhDUcgKEZJnJc5CL|z^z@<
zbQAbG#Autz!1Z+)zsW>1Ep^Lwp6zX#%y)AsrHk)DQhG!y;SRKY9JzWR(ke#!`2N3AZACvidiA#ePyW=N3rK9Ol_d|Hg6!*R@hIL-wlC^&$yXWlZLsr
zQhz@A-4Y18uLqMlHvE5=<4CO^me|Vu$@jZ0P`R6DHT8IyWGm_?+waCdib34>OVO~v
zR_0Hh->rW@K|J@X%P{j+(oe46&3}~cxFMRZ58G6IeA4mdcrPdF|Mo8UCR;p^nvZ^}a^lJIq5`DdDC=yBMtkIg`TnRwx=2z*a
z8=KUYf}lRg0O$9uAq%e(^y#4qNKR*+)@-^`aRZY|KBT_0OKZY{zH3FBfejK+rIw(x
ziNr?Ma#p=`ZbH45smj-_&ndaqh38cH>SH;-B8FPE#^sdz>UBYvkxb57t(glZhou*K
zH_%%oChECQva}&%2|zCj`UOdbQt?TXHfAhM)cXqEMB<|qeLhGV<(FvcRY0eZv?z6-
z3~7`6(oww~=r80$l)O($r=eL1zg{ME7)gav^-1qEHY=^un}zNpiBTY*)J~)25;r{<
zbP>sj()7vfG+8b^(z}G-AhA#{&XWTSpO!G`B|*O;DNrxZ(*lg2mKNxZL3faZD5dic
z0Y;xo%=PM_vq*ZB#(747$>-7)y<_Ml5*MX#o^oyYzT}x+A#@B$gHk(Bzczkf+I?R^
z{1{1sQa(?;Ho7ed(t|_M&{ZTeO6xrHTIS6IiIWH9wJ%9K@kQGRaphPer
z$Psi1Y6KI43_**aLNFpI5cCKd1T!xwFOZj#mw}g@myVa3mx-5*mzI}`mywr(m!6k~
zm$`@f5&tg#pH!a$H8
z$gGan85Yy~(b99A;sAI+d4{7C+Fc}A?h0SEv906u^iKnNg7#7iVfBuE4#;wKU(5+;&p;%O3T5@-T6@imDx
z2{lPZ@kWV82}S{<_@l(5grg+F~C1pEMge12knLVl7uygH&ff;vDQejRZgVI7GZ
zo*R)Hfg8XL-;LOf(2e8>?}+G#;0SPpe?)vlctpa4$3(+e3mPjQe$kmP|Q$%ROdIJ
z*DbL%<%Al7Q?4Q!f@up);Io>-k>
z&c`k>E}Jiv<#Ea97nd5&%UTE?>1o!F%ntXzVFKk0+%Na2j8ma$1Qv|)#Q3D_vLcnt
zXy~3!?8bn!#5xNOUyb=zI>@MtfvSWiJCDG+!`x;QDo{|B%g0X8WHa-On6??)-X6*M
zy+36HRR5xK_R;hdGb)=zWSM;!!QNk7xBDIND_Lugu0Cr1x_0r$c6#{-7w(Sok{wCj
zvqkw|kA>TOXVadTxf(0=iRUgoogSDy&JlK#&xF|}!CsRrwm3|t@i$FuF*QwCYIRwa
zTAF><;d(paQ9I)erkt5$*ND{EJz_+WFYDmGGybLd*8MX_EgI}7ykOT-0at?0j=N8x
z90T5eS*hbAi!I3_Qa^GC%VCkQQ;F=19C(w}RzAa-&k+m_c?o{>lLsY6$JpGE`5k)XpaP;)lMHii=
z;Vj9yOD&hp=hrrWrO7|iZc`mLy`V$Lc$79&^U<*EM@wB
zP@<@VW=UV626#=(X2ykITGj!3Rd|c(#uGKq()}q>3
zOpzWOOI%C*xtW(NfCAD^n9n1uP;<-xS4_8FPD`#wyP~Ym*TjNnpUctpxCBFRuY54-
zu>xhZpRf4@yW^gyjn_YiJHz5i=q$14+-Nwc#qWE*oY`vrnP92?Q%qir#RZP=3<8^$
zFWF?%Xz{K)qt(u_a|?%*n>G^61Tpk*JM
zck!&Gf#TPLII74Ol1W9yBt|Fk9IVm|{Tpsypk*44G-Ot#EU_A5
ze!JEy%$XPJe+JAgQ2Epn?iN
zwfdYr9WY&6O4LTYh?P=dv3aun-~xnw!>THDLFtv(_LUCVOERdXi(4ptHQieQcy^!d
zssP$AGJu^4UefONCB|BwDK&Vp?ndG@(b*M|C_Eh+M-$zS-HSkxlaU??EQ@b}wmTxY
z76&1C?;eE$VvE994`LqUTI_zrlYY`?9@AjJx?71S%^jK;TU1(de`-uM>uwd^JKoUI
zSb~$NqkAz>5Lfi2Pgn9^MJYpl(%1Le6cvI{rtWg0P}
z`+mkju5>H4Sz-gRID?;9G74fLFbV(ZY6{Xn@+XA70@(2Xx8ky&L(PlXEB646_lNBy
zspmhGK(>>F9*GC5cz=~%37l16pv`|MgY7maNxgD7XyBiJ6ioErNlU9o0&^8RkYZfx
zxg6&Ed(YOB-H*Ev0_ndOhx^Nk&Y3`~_c&bo+5mT1de8(nU;5fgBZcUXFhVQxf_A~7
zs4yfb#hsR%ih=&8pH@@4k5
zG-X^{3_0J!Km$&W|EE|5oE&0U%wdp$i|`x*uot;dj*PbcRs@c~Jk*4@y5k2(zS7o{{ugAz0RYYtHh{1JlzI4aerUPtV3?5MwhT0l5;^|>HLe75PE0JHk|Q9YNDWIDF2ll)4+^VB
zxLgZu_<)$4!9G0<4VZJ-*g<%INH@dHl6#m`2=DXj2GycxoP%oKY
z|NON)%{Tm9#A{Y^ob7S!b4mC|toYzVY;o66vusNP&bjw5DSkyPXNn5BYamQ0_OYzg
z9|hw3z7Cbqc(AU{eFEi1m=I+>un&HCKi_aYI$85pSMW2ZYfag_FqR``;%t&|X0sAF|!;RFg1UzsoDv_7mBKL|dq!0IjpTm?ywhy9gna8+qN
zbkDf$;jbeU<3#DQW!Um&RKWF3=uv*uJKsIj;Sv4n2vc4yIv>F-9;ZH_4msxaI-uJ->2>r7_5s{tFA2?
zQFUw-#tCl=t&4B$^l;Jx=xWDwgvP4AaZ!1rrt(Hc1(jSb{ShA)jtvWA|8j!}czXH_
zcJ|1w-G{y1mEA|hY`N3fRqhe8osYepgT0-R-T&KQ+qS5LUGZ>(z3MO7cy-!bVIe!`
zp^NwYPGjcb6QEr)Y-JC^!C-t#0=z%I$7~4I@Yjl2`FN!XP!@+g~DuP?tA>T4S%Yj>C`i
zk!SY_Snz_xyaloG<=G>1!`$!F=RCW-@Fi|xqU>fGSFOF3ux=2mTbX%dLdEvn
z^>m2Mf~RywflaG}_N5#96A9Cwh_pygH;@VN2`^EARRaNAL_{wik(<>U!Y~uylKf`d
zbnp`e9Z-3^Ms}94nB8((_7g81I#agWl$5(~DiGU`a>A3$w0lVigko{8STk7!j)ZW#
z{aOmG6D94^w>8k;W=d}Yk(=!sn=pF%rMb1i@jBWTFB}(MmmFB6JdpMp;Y2OI4(lX?
z1HZllbF$PKIZ&#jJAL{WhH3bvr1-fW@(bOgoTrhjZw}8294;s>52R;_Paqux;n}c-
z|C>&H1QZK5aW)(>j>?%6acVD1HI99=HTvb&SnjZ7?9g}X<4pIhvYq2G^`VIY5_7JN
z)uiFQT9vA-`>Lxk>2a>#YX6Oq0y-pyCE*mk|Fzzt}7b%ite9_yiPs3cQc?=~|ZR_ZtS{
z$P*9h5uf7;4*b$}&!5Bd$y=8M=f?B-*JIfSOIc#x+vXVH2fhz7f+fX0deu}J>Nyf;
z$-nZ%=X~rtHD33tee+3Qa-}-Ferhtv2r=sfJ^x5NIUX#jf2-4Vv!I+i&uh0BHXX`x
zzk{%DAGznsv&XBWTPG~xv@c}fmQo@&oMID?V4%UJYMtWHhCJoFmE;5b7
znKO}aCW9a7`Gsc%D*>Y(#v$>yBvI&nC!>+8Gv@2VTb(`P!mLsjA!P;YM4VhUGHYsu
z$9YXX&rm(~NB3|9@+y2~pm3d%5c;ZUofy;4KoKLwN$#c2j%N|&^kaWN9l*bdc_i(`
zVj>XlBucB*M5d66+j)wJEFqK9r0?x7FgxfX3#+xd92svAiyy?xpRi8VBGRYW_Mu>j
zCe2L3Gq|gCVtkogb3rA>yUxw8z+)xpihAROl-axHTmSK8a2(9j*k@jCOb+3qgCZwXvo4G^t^EkBO5Pf(lxynnS)_r!0C)!{QsyTkf33I|{R+SzYz1Xm^8
z`%``8yWuorOj$mD>!_1EJ4rzihOB!tLh_Y}-wn#o;_Hp{r%<1k>P6p-q=W~eSXeSc
zGYsrkX01V+LBQDxi^s|76um+e=?j)>Q`2caIt!Iz{3$bHONtITyXqAAP9-85?T>Sf
zV|8qvmkkE1T50t+>gPk}x&A_^SldRvY%p9k0YBYZUbTI5xaC9b;syWm=1oQX)bX!Z
zbR1Hj0q+KZ(@#PbJx1dB#y+ML?YVlq6p!?Y4b}o9j$0bM)sG3)Dy*EdGL564M%)46
zKJ0q~-#lVXZrxhMh~0tb#dKJ;aZ!6BF1xnEc0-U!7%gn1oz76Mu26@rdpY!a%$4!b>*RY#W|$VBGx|QYd5be22p{F+8|kn_2O3{r3NxDsIqOswO^*KZuxI-*0Tknjj@
z=i=-ZJ)IFk^EPN&GPH?L=ZD<#m4d7t)rz$X*+BbAp#Nbi9=2pb0<}5H7bEqh@
zz;PLCP;^1Ri!qik>b^KDbJP$Dph1TE-1V~lc$K+&Ew_2LPN`5twrxph{6Jr)cyZj2
z>Omy(Y=?9eZ&~?KqkM2<>_K`zfWl9bj|aQGs&D3$DWtXv!wmZqH+D}|$wuh{?(So}
zvC6iS_?%}iymj|8rz2=DqhF(?HcW(VbfiSSVa$-5?~F4Yp7bf}j|<_KG0K+YQI%w;
zBl#NNC%t$yWW;i9G;nbj5x{jKeIJoTMOv+zlP=-BY`F}fre21z#@@J^I_&#sC)J`aPhpMK_PyyDoMQhndjNo`izjMpllh;#joEq4X%k?_KjiLjuEr)$c^*o-T33`(Jv3N|>fP;K$xyQ0&IJp1z;9)n0tNZmTO_Pf
z^vcftOojzFb6YaOsk9jg`}0RAN*2Nr^;#(`+85KG)YZD7#pK{?=IjKpzBsw4D)yvW
zRxF2lKY6*8(b#W$^cgz=y=^mpG~>@1`CJ~`f%?Rio)i9karfH6uPu6Cfp`-@HbroJ
zn;j_ecjjZ-c=G%g3~UFAgS6H?EY@(A5^WawVlwSXws-oEt}Tp3NGH(33R)s(qCCH;
z2l=;5S}NS*Amv(aLZtwgL$~oEugScnFxuXaeS?pGajp)H6Sn18F_IcF3E4+B``GK=
zjeIHK_AS((iR`mBqQ{x1plaf%qSTHB$5bhP4%f|ebT2JS_~7n}Q`2^*9Oq8#QtmSx
z9^WHpKpnH&N8sC<4w?0KY0(&WlliEWrV{r!1@M}cxJ2<(bv06shtfpMZEpDVuoffDZ{}()GevR!Z{O+o+Awx5?vLLx52_@n
zugR)w%M@A?v2`kTD&yli;N#lP_xpJ$^W=*AP_5)(??<2UNUEEVo>|$Z7ZcB7!R?C&
zz6|K!a2b>A-}M(Xg7mVS-G<~d&vWjLvz);Nn|bcko$?+9`Jr`yFdc8RCoUCY^zcKw{MQ*wjm^5lu=3VNtp
z&V*tF4^^|g%SMnYGM@?aM9!bkb8!x
z`92$B>dbd4pM!6scHcML(a|N4Sf`nqPPG2E{p)uA#!YH_Y#1Xt+bIFxLO%NA1*tSt
zanK}29X4s-{sVvUCB4C?x1i1M<-R6t_-rwJLI}0RcIQ1Tup)M%!l8*{K6M5aHTFw)
zJ8KxT=}to0Wh==}H|^n*+!^8ml?0x{6_o=o`tyd)>L=HYlDDolRcH$?OSyRH9eOOQ
z374;rkfV>#j_aEE^0iZ|K39P7ZB|QxSgvKlKpdEH8)ilTl(T#AOh4{Xc75n)qu%%$
zau;2e_z+sCU?J6qBX0UT7}QA2<>D>QEgGovs(2>3FH4(VEwo>YL`^ra=ragQgznXv
zrE(}%bN>sY1<@~iCKNmJz@NQs9D-M9T5bKwT9$~HA$A5chhFO4BkC<}AtSp=-`MjK
zqxg{%dRKo`ul@}6F}WJUl{~r->e;#4ao!*EPiuum?QDnU(qf+I=+G_ouW{l?2(?3d
zHHh7u-{^$p(k)G|mE%Z=wS(l8|3R*yqpfvuN=yWZlbSBu(2=tBUER*Z4Y?(8tf&N9
zN!d-#lPHH*x_mOEUdF~Cjelp0cxXWD4r-W6^qE>@KxTf`Ry7m%;T0C~jChLNYbT6ZQezpqMG=ykdr3*4l;D;tfXiyBg
z@q!lw0%7O
zrK`65q2J)fQ&~XpeVXb+Of`VMylpHbv$P=00ua?T0e{S6zJ_$H(o(@-jz=%#GI_b`xy(Td!Mj>+UZ!0MKC?A3k$Ic<;O0>v=*9t@
z^3+>+|B(Xo$?xY8akdXDbRsC=p%Z#9Qgs`uxeckQmc;Zb7`q~hrkq%Idq;HER9}8!TiH|uDmT*BQ=SqHwFFg=WR~f%`g)a
zT&5=V6vNjF@=Amy%ihd%SM%=hgU0lQpm~+JTYKWDgb}+aibpYgOn~gYTa5fk^VmZe
z=pvUpmo4!!{i(Rn3WDwk4>j*TA}t--T?f4lQ^2~tcWP|X{z)#ojU)}Z;cW8uHdnTN
z@Ud1{q>R{^HHrpe^+;2A9yu#Fy}Yu9gfE;lv^GZIS-&
z`vZ*p!iUHY)m)4X;k-2zw%qC8Ot~BRRKXRKD=TYG+$rC67Zf8@O~Rer6bkImq$z6c
z#98a1GfvJaPh96(M8(22*6ovA(*0v|My)X)^eqN_seAa<`^vdEjgbU&YOtcGA
zVV}P-310X=ZEKHyxFPVeUtAn0p}|9+eJm>Ws&6#L=4q0T7gyyM8Y(V(?3i@nGg&8C
zKW~|9{8AdQw1Z~)wKcVoI%&@0#~zy8bOnAFD@dSn|%Ye|0pR!o=f|3Ll#Q^KV|3Z^^~pfLAOF3Ii-a)gqFrC-a15#MG+)7MPnSDxr60g70_(?f
z-18iw6CaT^*-!QuU&N2>i#CUl13^b3n_Y-<8AF8nyxd*tyns~E-opOt7Pacsn$ea{
z8c&B-N^4)CB`qQAw~fd^X%V5JguBs%vmNP|<$A`4wG|u^JI~!jAxv$B{pITFP7Mi5
zJH@?i0n6VsnP|bA^CJnE$%s{)l!=eDAn#A9?^gMn`0~54&kQMiWeTKy_YhvmGh>OW%ClwxlII^XdPS
zzH;&`CHC5^_?|$GNVphI=pIgp98S<2PM{u6SQ$zvA4(Viz$urw!jtrnXI)udc6H;<<4n}*(mjEaszFUYw<*AC45E1&T;5lTH_N6
zo$~UUTwxJAH`OqDx~1{8NE`{#_TpY*VmHS(3h(qn!YB);BE`Q7yX@+}K0{-acCGvS
z<=LF9^uA$zY|X}IW3h!Zn9o4OK=l0~J?&gx+YhCV>?e)FjveL&+Z%BMY8&x~`VFM8sb?`b>o|8fbvWWUIQlr6MOnd9&v0-hvEzg)+QGV32YB&w
zYvW{?+t3idE=f8d(1=0$gF;Ve%Ja3JRK)t2)mZrm%lFZt($=t3$UaWSN`g8OKfRHT
NDMp1hFB${m{{V&DCTjoy

literal 0
HcmV?d00001

diff --git a/docs/saml2/_static/css/fonts/lato-bold-italic.woff2 b/docs/saml2/_static/css/fonts/lato-bold-italic.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..c4e3d804b57b625b16a36d767bfca6bbf63d414e
GIT binary patch
literal 193308
zcmbrmV~{1$wl!L|ZQHKuvh6P0?6Pg!wr$(C-DTT;)#rTo#uxG4zn76abMMH^Scx&m
zm~*U^+eJ>42>=iP008J72LSPB4e4_M0Cd*~00g}9^XvaLVMm?7;LMtU=>b%bK=_$J
zrl2E2K*jX%M;-_PvH_6*Z*wCD`T{|3^8ef76A-T=D!!K0uMUtyCfbipnb@-6~>&vo<=5v&El{-By6>L{OV6
zw||(fG9&(2G32VVLaL}&V;soRBk|UGrXV;Q@4hqz++ES86zcsi!$pOBmaPXk>}RS>
z$(yRVKUiZ@Ywu+rI2x8d%2-|=3USQcE(0I-vC}|TFL1SG
zh8RjT1O)~p%^H&4y;e*I%RH_~fq7)k{-oMK>?y}Rm=5s!QOvPUm?bA5TLMuGSw19L
z0tF}LLlNg;9wnO0(2yrq!)YYERts0XN!@9!vuKYy)C|mA<=Wu^_MigiFKG3d{KCh$
zd7O0Y0yjNxpo17;Xc+rhK?{LuWUB}!yT;a)1JbTC+td2P@$?L-)R_Pn%|6fZ%1Pn(
z_#Mhg6$K(uy7Ms_-7GnU&fwQZ6@k$*B*j9qC^{Rh7H@_r>IM{vXXidJ^ym$8dZW1XKQ(OAR|H(~DV#0HtO@y|>qAhz
zZ$+LQmpWJF_8a)hYbf;x`QFZqcV$qNL83-at%*!$Q5v`uqLLl4dmt6;Qp`P3BV#W5
z096uniju@dI1C%5hTbrjBDj?3)Qa`uQEwczH3bFLzoDK2-Um7rQzvs_+)e=g$QX#A
zt^tSamwn_0=${}smMRN;_EKQgboTl=7gDm)7SmK&sSAbFC4KVqhlii<_Oepct%_XI
zIoh#P(aSyUg*5n`gu2E%-)SWZg##grz>21|6SHGhBXy4F`lSrmN9C*hnc}Jq10_Q&
zv$7pgpmGZ7o7-D)A4!FcJ6gcd%5CIG6dU4Io~wHo86y_yW*r5vyj8H|V!bI}e&Iwo
zKR}~)(awps%)6*HqQ+&k-@aA2GmVnWVxUKrbk*57s?I}@iII=H?l6(+3nRbHuEc%J
z`znQ|taoIRmq*i1+A*peKsy(@*y$fq1A}=)C^f{
zA6*wLgh~pJ07pNFgfzpbQnGco4Q4GL^edQC1Dg>x=lq?;5is0O7fk}hIdSplweyTY
zg@ANudQIdQ4uw~hH!2NM%567J3Az%PRUCIbHQS{-{I@IMRKglt%e!rH^=S~&5tcT~
zfZCx{=c*n{XCNBpA(kVfa)VS%tgiG_KRsKwQg?3v-4tV+^j{Y5HezTHT=5hR$NI{r
z)G@%;U>D~zs36rnYW0#&>FV}$(9UO2BV1i;CKvy4K8X*21WPlXCYIU&TnphSSAQEc
z`@ieJATZ8)+v`{sO_TGYxhvWhs=7U^J7s-MbFUR=z)<#k?g1m6S&Q961zLP5G!99e
zIC)R=7;=gNq)Q8%*ae;;ej!J(`9$Rcl4vdd3)VpUp0?|xSijMntCw=wrE7F>>8$uy
zD)$t0_Cu|Q!rjyVbgm78(k-ns(ml!4QsLDJ9<5^fpVayw4UD8GA37)C4;~6`r%n`lhr}*l!ZQPk(
z@?v-pv1w%6vdEknx?`Srtz=ptlDGRzQbZ1OokXwTCD+{rJj0+ybSi(BHm*aIbLCJd
zqxEKSdO3W4cu%Dt^xObd0OW0v=Nom9f2h=subU9}XQ*aP(!#Ojg|4N~pdfX>tMp9T
zz1MHtP>rC7nwqFaG_8XZK6BZl+EmJ%+$tV<82-uUgh)ej34TVrvMftM5>P1!d9f2v
z6CA40!Wo7#NGQ95Wu@L<%+q}_W3-btjirP1>Ydl;PuDT+-ac|?5RdgS+Tl{=xC(Yn
zg7XqiDnIVDfB2C+T3JHdHf(NVHQpe4mhOO4;<;i~yy|(-=<{evX#9EnBhPs}744n2
zszj6bkYY~10tVZvoS^D>fSlHWoz&}j?M#EyBe`AcLU1^K!`
zaX8nF>0IV%3B|TUFpDL(B7tzDs12@W_h(n#l*=nDw~`a4<7U7XT{>L8AdN`TV`Wkbe61G?Y!
zB8}K|Zp${C=P{eznK*&PJYZ9Ax8|@aRaLsW>xz*#8J#Oe`OukK3`8dX#3|>O2ElYi
z(OLWi*c!|01Cc|CbD+X8Y7aV&==s?EyK0+I;_+3CPOjzbRH0fQ+dQqywmS{|CTA7L
zYaiKobqHs{b#;0}*~cB3t9+Il@Y5|@s+CnJ`*ri8ny%|#!mkj>c0>z^^8UpB4DNj`
z&kwPVZCk#tz}N2Uciwxi(jSDE-`)btdtXcZcHfx~p@a7)fB-@Z<5&LKBqKKv;(hn^
zCdc=l`JV&c4WN~R%H@|HCQej4!{?>y*)p=kKm`y$1bT@Oe-6;6IM@_S9W!D|gMl9m
zv>iDbHgr>8)*{^uI^(74d1a&`RL$i3wapn;#M!cdx1OVpCRDP`$1`OrncmW96ILJj
z+NO5v7VU&H1_v|_)pwGAyCLwcqsw(+N-iHNmx)1sh^Jcp_m7HzsgdXA*`nkVruZWI
zInfhjB;}$_?a-NCZ2C5PKb@mByUKl#?fATr^Z2M!7DZ$V*2v-}r!A)DD}zH;hTl>r
zzBJk0^b84gyJGaKXXO#2EBAF6bLp}XHs|yy#Vd`-Q{NfG;hiHb?xi2A4$jbXp}d|>
za3eDhT#vD;trNbO`2_8IIC&f1WVgerC3RW|e3%1Yo*9G4`~KXtCs$>kb6bAnU#ggP
z=AwR`ZmK0!w`{TU>qo~^h^MCO`WtUL=r$eMKUz##LJds2v$OiVT6XToTA0aI+5O!*cH!%5EYKY7%^WKUNN1
zUY61<6mX+VAumY2mB%O(3(-z>N55siZ0>wgzC%9b4!t3RUm*vEWS
zx~abrUVk5IzP3#8DSj2)kxzVg1ib8v7wr&!^SvUz@{N59d{N##r^w|ha=K*jKO37trUp@^jhRp@GRRZ$1t
zVf1RwhwPd30n!#8uO`!|qHku&Xz#q+&5llPm1am&P8lWNq_*AgWkUbvXB{`s=`uZ)
z4z(KBs`=WNGy7Puw%}NddQT+eo5aQERV`xmUsQRAEKf-)Li;MBqLAf+V9h$E>3N_l
zgz3jm#Xjm-cMUnLG-+Y-TdZd7Wsq@yKD!`fg~P$G5%#5v7OI`rh`UeuwWXOnGd(0E
z#(V%cfU9gAfDgWJ@Xx2qsgGCs2LvQYlDT9b>N+BrLRpYp7>o@{;E3;>6?3wRu5Il&
z3V95!JuTT~qb5T^Kx~p`k_ie;rtfcE{j*Elm*Vqp)hn;-`|#Cj2NfJ$g-Li&`fjPU
zA;+RrR5NJJbs$>QBEROc5``?1f-w@q!>tn-RyKj
zgLptg|9k|TX|VP<>-7CU-q|}xIUYNff+QLO3gdLb9vp`4NW>+rO$rgw_?O;F)%D#3
z$O0-ezOFCF@1IaUF4LW-Znyxoy&8oE(vhJcRPd2hG(8MGXLPAT!oN;g3-ZwxEuOBN
zJ#-Nu!UUy21UV7~a^)#dpqwy4AjEE>*XVhEh-Tl?BGrNs~@_|DUQb%G5Ap9jbEuwLj
z{;9mu&xl56Px|aA9*ZEHEFMFx=&s`?2qAaknoX4FI*%MpEmysN3PBi%AZSaY#gYAB
zx4#auRU&0PM9Zp6GO
z3+u;cDlK0CY)qdsZvWxX!!JR%P;53FfG`H1Rh@1(^u3b*ze4*s!sr~H!8k20T?`&(=b
zE8S?B%bb^nnMSFf?-(0a4|F*Q>3H8v=y(s;KPhNoQz?-O85p+ocPP&Kt5Kq(1K+>R
z>0p>`xL$AYL`Rrmb#*l~xjq(&p|78Yzf#bP_`GVxd#H5fTQ&50L<6!hw}|=kFhQ7X
zume~Uq3-iEH6--Paq#8X^6}fsSUJ1$ePdN6KP^xoAEh4&kGOWAkO6ByRl8?>iJJ#t
z0}LYEfg>tIBYES*l+JrPW&I_~%`G7$#DPOK+`-i~Bqhe7^%uL;I}fJ;HCYJ_o^3p_
zdr$QiNiKtZC}bTiK*#if@-U#KfH-{LCMO9PHVu(JHfDdQKulyGMr1gGKrMqAC@L^Y
z0fVk|<*++2@Zt(R)VZ`XFKWL33vKlwq>brNB1|#?>1Qd2o-QbHJ`}mL0-ikFe5+%C
zLqtABdcJvjG5ImT#*4&8P?=2Y++Ms)z!L$lULraQQ!T
zRP>LQn6Y3*i7F)eZ_J;#NK4D9#P^%Dr0JnZ#M4A8Kz+MAE6QQ;=)?0-g06$D15(Aq
zCw3Bzn@VZ;CvdzqrClix*`mtl9XL1@CEhS7JrItX
z03SQ)uF>}Ua_eFi2{uIETh@c%?VLf|a)RSK|7ghBuNtxl7v{$DK1V_rSBo888OLP=
zaRk>(IB`}H2*^NB?=Z80%}`-_swv`QL#uW4nlDT8hQXJR#?{ZVs6*LlmCnx9w>>QKwu>ifCs-$fweOIE-3zNn
zLUX;~3#fGc*fremBScv6a=@9F4mMiiL34swXr2qYBAIEgg)7UZC0Mx40<-jdv+#WS
z=l8(;OHV?}H7o)`iKG!#pku4%DH_u2g)40;m{|G5j5~N|WC)s2AV?b9&(#KJXidu%
zJ$(bqf)35WCQ~FiAJ}AXtxzdxlu^K*+~6>#^N3!9Y@&?GS15@jK@5cec^L>0A%9%`
z?*j_}&Ej9vX^QKH+%LJnPIG^Ts&4p{3gcR$e
z&Gx-PLsDy%T0c=h-u-=WxX;l^d&lm`VKhj>&r=J!eHSVvN9kW&cDQqo2g(NtN-G>%
z2E#TqZ34=p1_7PysL>bH2;`qjH|q?I?Q6NBRCN~QaP|KrBNe!#QYkkh6&8OQPeG7y
zpJdhD-rFmGS(;k7zI?m=g1yTA@;K!8uUxx=8`xuaN
zc@)3$M9jhr5r%+t9g8NiQF2^t-PMZ#zsXfK6Dx{mXB1?q&0{GYYb%pgt_zxqYRYSx
zcLB~ropw65Q3Q3$096!=MA%123gP6mN6vktb#-LYy$li+{sql_Hbl7f-6iYc@vIzm
zVYNL3$=m1Q+V%NlZ+aC9IH86CD0!Or9^kXD8%Bnd3FMVh*wI*(#Wd6P4GeDu42I$A
zdaP#C65PwD6!vb)h&fy)aEkGSxO
z%Uev`y?7k)$%~fzyay&e5Hh2KfvU}k0H@;?jf)oaXF+vgK4fi1$p@EC8#Gs8QQ);2)Ht;2
zBBh1P(x`p_{_zUiiB2v-3kf`9B%c
zk1m-11ibQ3z$Xr)|9#elfuEa2!6K&o_?{^?R-L*2qE`>I#Cg`vkg0M1nnw?Xv$GXM
zTEE=4SA_Tiv#DC(;s+WFb_D{*v9R^0CL0K4UZjzSc#&%|9yJ4I#$%3NfxjN8kx#q)
zFst_FKvrf%$rUpN}m##es7w;TzAfs8{FenoG
zC3n$m5z*}tH^e35OAx`uTn~_0^h)!Yx%Zg`4OzqsSmZ0_>yxueu9uWop1)FVQ~b=w
zg8PDD*%AgP9nqybfu)a(<5<6#?t`{KouAw`po_JwOltrq}K
z@`z_C6OAx6>ND`X()8AFNd&-mA)7JVZ$z=MIc3AuYt02atwKk(7N)JD4aq__+Fa;I
zcpi6KL+-C=m%ZE&RxIb#Vw}YJY!&PP20?;0_l|757
zyDqAvt=5?kgAV*iE(#!8@3#}2NLM-xio~U@G@Fe&^*OnU8fh0&^(PCbwTkM0Z+~cR
zQtq7UXSV-I&Z+FxPR!5p&k{>QO-a0nKt-=KB?Wz#vhyR$zig?SSghlo`QCmrxyIXL
zu8yI34aBC_U5YVfEjtK2XgwfXIjH64c*dD34W`jF;JNwuuD?!NR=F@qC*?n);v+=O
z1(J?bUOI<-U!k9Ay#MUV7UW%!EGltCB_@DFRF^kldw)Jwq~j@Z_MQgrf)Nj$U4_9~
z_a#yV^1Zp~dek^QA|w*&E&QcZ3C>7JbToar4gYP-RQKr)jDJHOZg
zBl2`7^AH$B0Kq6OnXH^+qB%WjYaq2x9@~VzD#Oq!f^-3-q^Y)?)-9e|su*Tq84vOX
z-ZAWyHx;EX){65ir*WLoQk8QwYz~+8<$6PP%K0EmU;TU{8Df90YbHLfPvvo~Tq@PP
znYd&<
zrDU^&WHaU34}Imr_$Nl>8@2dXXe6J1G=C;cJpRtlq;jn18h*@Fm#ePM##m`spTv=?
zUX!^dvsy6VQIYY;@rd+Htjr>Oa^{-KBM;WrEzp+G{(X)BIS?--c=EoalXOJ6!rK9wB|I*ON(EGq^a>_X1
z#w@BGDBVLSK&^$GkCTO_6GjUG1;7WY4GL^Avxc`dcAlkh>N96^+B;ha_4Gzn?m7UaMpfR|2g1vsN!!9d?zl?u=COcGdGj%s
zop1nY1c`sYcd&2pgH%}nGOiS`VS%f(bU4q1Q9-@F@0rU~(bdVyJ*~_z09HHgyw41_
z%my0&M90~=x~Bj3crM2xRK6cc*~JHF6}AAZxaq+EuNMrf%C!*L<5|H{cjUORS%;XxxOfK3`d#j*7j?
zjW>fu|0z#nmpkZ70>R;k$)407gapj>;~0+z?+mzbb5Y~HVHeG>*QZ(OkBJ2UFhqk&
zfrQ(e#;sl7aJ=K+X{rCv9H=gUk!}~=p;kgi^PL>!rh%^`Y!|_5Mn3+M0}xmc?+lK
zn=MvP*=kB$#1TG~R;pekBN>SPPuUwf!oYoGe{}MFbtS8^V}n!sjU+ngQXLu!QxvEu
zNm0ZXctI*M$n#0}(YLARnbFGX(;
z5;t>)nLNTl6E8@j(;aN6gD~;KSYP4v&8)H<+|x5(U1I)|Ht7ow`jHF)jMEGlyDL|g
z6G-dD55`q#%1Pz;*J(U4`4o{1!x%s3CmKou8Bf6Q!PP(|i5u;7@q4Bn966G)AA>m3
z)pMAw;yT62Djh*s7>ZI@&^2XXQulNE;GQhxKGVIl^tvJ(<2KTCQNu%nac1vZ&Yt5q
zQAoL}+_XxgDW52x_oL+7vMt~RU9*x<`#jv>i;2>k!7ni{DMah_S`aP}_7DDK(KKLp
z5#WWNKxng(!|v^xjl2e}a)ZFLMP(>!Xb1{DAoExwuMUyoG5)E}fi)d-_FVNw}vP#bq6-FYKoO74!o%m{S9)W6PE
zfxW&P-q*mNS7NTNjodds|F*rKqHkV%XMOIW9b?Ad%~9;`e8%y~7RJQfw0=Woxb^#-
zH0C3=uobc>xHW*xeE}KVMRN>?yI5f%5CoK44VduB3&bz`Gsm;M#c9
zpSbz%r-*U0bn}!v@s@ge7C(OrKMQ+tUCHU*YycP7*3k{jcArmQ_w4|e9K@u+`#u99
zkKwj0JTsWSweu?F5NZdY=Bikk
zBn_le$<%Nk$z7=iRESnqX>AlfE^B6NO0=}^F26+Bfe%be`nLV_|3&#n(TQ1nANGn@
zZ5utUJA1Cbx~`0YKcBAxaHKheY^o2{=
zWUG_uOYNwZ@@PJ-vf_0fewH6lmtv|C*PQyH@oUr@&XkcqVws2jm&wQ3A}ai7r(>TeMVkah2rqNV!6AoTeg
z33-GQ0&+rvq%Z>dK~YRnklQh%C@(}!$T-QvTZ^6Mw`sHWSjvi1$Ae!&6N9Rltlpx7
zoIofc?nicds(#@DyfheCQvKR;>3SJR_k}dp67L0sAf^aLCJ|w#8G+6xp}v}+f)0)$
z;-@+2YlTqdPa|nr)O<|0PDSeu4ht5#+xaA`Gt~B|i;Wo9T_*FyqMERwPa?aT;XQfr
zHo3s}3}hlIvz~%XmR@Sea35QKrI=dV`3&mXp@7)CqQ6@?;Z2ct%YKiH6LqfKj0yMJ
zcYh;3C5M+=f6;jzeVI&N}FLvn5DN9D4B{u8aI9ru7FpnxO4&o5U2;T)l)aqS=QCnHvCro
zx$$Pza=gv6b>3C<=vDX3KjJkj^n9PVI9gWRQGz*Sl7nr1<@RvoQ4loUGn8#c`M|Js
z2;reAP#deVFG~W+wEHC@@1&O}Dskj;cinW8>%Av`U2a?M!Mb8nn&o=CpFOdh;^*u)L5=sl7JiNztc
z!|pph$aS&qgS@MYvrmaj@80p=A)7~qo9?=$J7+G5Z*_B$56LT^JW
zQ{wR;X@V;?YNNN0Vo&UI45J7fe{_Hz
z2}5#Bx7iz?iy<2;MEh4Vk5LT(d~XbeDr(v{m4+>3VjsG((aEvxAOqqKPeOrZz#fpB
zh=#hn_?RcgpUv>VXZjyi01G4rIkaH>>R;0EF*?
zNUWI!AG-eRXuL=YAc$qvZN~ti07EVwZlXruZxEI^aZ@QhO`TZ2_t;~eh$+Z-lz%)p`5e+{Wf>C)Jg(NushB94s-7r%Eo3o6{eUY0T6Pqu?Hg;zPvAa(Ye0J*j|>5
zVH@BlfYukGz~C`EbIi9+Cd`&i(LExe8;u4-3=UzKhU(
z>$XNHk4tQXjFcd#8dGFi?sVTKvNjIviUW|bce85Y>%vTq_iUo(J1F6tWB+of&t_!U
zWDfpE&FKAuI^qdG50Xv~52F9)o~!4W7|Jc00&O3lfVm|+ax?j1wt?$X9r11D+*Iv&
z<4<63f4q$~*u*G4Q~UXu_t6$wr>Zp9kcB-?{ehr1l8;FmSjMvY4H?T26|HD
zYW24^ec(BXU4a7ntEbiuv4wGF5fdxy2Bj_AWT?094Y0+QhyZwpmtUZ>bsdqT=KYos
z2q_|Yo%4*doGw?`JZk<;2dk|S=@bR2lr$})KWn=#b#Bb%
zE&Y?#gHLGX?_>}cKExbSp6I+iPPQm#cV!s;LR0PYn^?`-F|p
z=RMyBygwq!0A#$0S~R#n#aMW`#4rFVs=lC12COcMAE+%sHb2S#;2($M(*I6cZ8qi*uop&qyG3Vu$}i_>F3Fvf?%1*z@F5HG
zpgkLpgNhy_4EZ8F!HNsp_@GIctR$Bc&3{$skzvS%t{wvuZ_1J;OTeWc524&XCQ6Cr
zQYXTQ9C#zifijU5tg2uZ6`{jeMI_ak$6-|!?>WMDv$ky8vYYd#D&g4}aa*b4Ied^g
z-!c)aEg-Z&ZcogrVFh!Lms*Igi*qP>@4A-7-|S3W@*K>(-Ll*Grm5iWuI5AU_=-4q
zgX^e!ez*OkT|4*cV$W!6(P(Yatc~%ile2wa{P0pSo<)Do59H33m)OSQgSdV^OHJpE5#GVtFuH1<;4Xgx@fME2>cUEeMg+s6+Ll
z5SHds_tyhiihd0Jo7|s_l?CXFP+3_vk0h5zXuf+;kh0~EEfRg&YKXV}ur^tRp*0s$
zA0N%&trs-#tQ!qA3$rDJAYlZRBx+iCn)%qVCd*araCyhEZ!DIybm3WrXSJOjX^)rS
zd%CCG{PwbZ`mxY*H+ttIPAckScL^Gbk}m#tSqXm33aN!VuQbKJAQk^ViL)b2GGB{6fBlFT2hTSP
z9-;c-O%?Vxk+`B+3>shH+y7h;zcgCLz~L>Z#yV#^8nAH(5rzO`CV_b{k5isIpunI1
zvS;$vu49|-tG|(h*ttAz(im975L8aP_UQ)?ZcTkneU!;6{8^x>+j71_3IK$8qt9Da
zo96UR7XqYscywC?C=o@nxUTIx*TrP;;Z2G429qY`qX9WqRax2}04e^bb!#lB`k`HA0zB-7wx(WxGrAZf-L&;THQ
z370dB96)I}$M&~38Gkji$=(Sq16r|oNURhWO6WnLhx>=2o1Wx?;1oENjt+)WDCB4g
zgANOuBuhFSh^Pby)qbZHuFfTMw-3uwxmY$=u`YAF*gLU%2zerd<2U>T-Tb?0IMQv3
zxfK7!xXCD*
zE*2Ii4@35#S#K_gD?7AAPPbY9mqa~(>QTPem&#b`MIUUKxQRLG!sKeewFK)bSM$9T
z*+BK+zUvo&QAJxeX`7bjU&+tE#P=D1e4M=8zJ1TLR86bG*pk{J&)C>6^8BqTZLVZb
zM*10LbF5kj*0$mq-!@N0uRGSkn_9416_sYtq-+Msy`RBu560+sD%$MoINL1;H0Q)L
z*G4pr%U52w8fv&YTR6L}HQHP>KVz@8*GQbi>TZiGeujEPd~VkbNFCi)UgGLd^g8-9zgIWE!zRtr4-KUf8oD9rzcPqstpUp%=62$hv0guLG(V*@6`j;7
z&>na)*eqGLw%V&t!N<^?!P`>naJw>6S`pa+`w
z3m%pXv&K3WtnAXw{PPJ8EC-|ls)=zMVb)j;Sa}cm1oo}s8eh@+G0{OTYSFE%0roal
zzexM@Y4dV}dkEU5t%HTTX~`P(-bUpBcmjm1LB?1ev?2Ykh7K)a^HeTvCdf930iini
zZ}*c*wQ1!rA0o)hM_>|tZ&OUBtv~tV{7fhAt-sBug9WzL2evq_=Ur2m6CAHdXAPeA
zzS5BROqfz1^qj@DRP9_OQz|@*5?nj#oMcN8HhCGB_C=??54Mw9J&Zn^iVBU54i73!
z;mFkR0V*4iB$v}5h0THy57nCmYd8(_ra3LWGz}JE$Rd7{-9RE3bX9tfS|NL}O&7s?
z8}ELs@afnA^?ubS-t^nh_L4hzb`XqMctoGFs+hJ=ktt#+{&V11wMFjwqi;TAU8WDj
z{1JYlo$ZWzj$xn-S}tvE0mTN#f@G=LC45*rm}*feg85ClhuIYI*p-n
zF$7Y#M3MC}Kmrir(srS_6%GME6STqaZcqnBd&e!k
zM}EJQytyQk6aRtRz*2~x998+OH<~QPkVZ=xL5C2*p!42tzW$XhiWn8}OSk%~S==@DCCxRe4om0K!PrAj%oslI>j>c^zdw!CnLox%V`Kv`aGFzuk
zUSl}Qn6j6>B9!Rk3%7gcWJ+|;MGT(j*F$gcqR}n-GJNN8@k@vliAuc(C{VObm;fD<
z>$n;@1V9ey1Wb@LX!vO`^FRZ2L$zR*-ibOn=0s#wxps>ISFlt_CtfDNF;Jk$oD5R*
z1(_f7--=RBznqV^%IDkLTY(42ZML`YAHx>WPP|^O7q->CLzh+kKoO4n*^e%0qAha(
zmY!Z+Pw9WbHM3`4vGmxz9SAoY&8$LhTA6LhkGJGQl||gbC=lMVdSG#_yW)Ol$_^B9
zEAh4~_iIE6ke*=U#!FZ
z1|&<)>zhA1t0Pb{#s&AeM8!*$wctB-To4l`!3HYFux;=d`R
z=*%x^QbHohVb?{EvaIMoA$AN$HVX!Dei0ZCdxIt>2pum*YuUEMl%h%NVJ8dr^TO0T
z8s+VN!}Q1Kd(o|Q{r0Q~ju)TT>(f5_S3W%WGRuD@(~FIn%Re9o##9@GHcbt;jDfP<
z0&;PInE};xbHA7~gIve`*KktOu_N8KdqqNMiQ;TxhFStWYfhE-dDgJ=-qTpAb7#B1
zT>V$|BTcE(s!DFtTVZp#H;y;nrj|?9FO6g6f2AU{z91&LBBWV6AVGg16I~%w4f?hv
zax?)@*ne`BO{T{
zy8iicj{p9Ipp}2Un?T}$LNc2of$)E~_(6n|D$)(yGySTOFOMJod_aQ`F@XHvnsdND
z9)bU-bO!!O_$N%X#K~vLECR!ZNEFkw@}!fqQyOF3Hv~m&Xo^j-5vYm9UJ2FqV8I`3Ru1
z%ax&9v{lY071tk^y0bhYY%E$Qci(4Vf}f3vFjy;(Mv;P@<67!roi%!r6W{S+NXPTm
zLLLqNniE*UN76*JB}<_tQ|t*r={Kl$bj=2~sF^Nx6t`qm9UkeZtLeP`5+kQ?)?)I{
zU%&rqFTe#IRnOZ>5r@Uw(5RCOheOt;d9G`$#o3@J9d04rRD_js8TJO{&%IB_v4cPer!U#Q1`qkvXKLPg73IfEy(
zo$Ejk8Hz)7-As?RjBf-~Vh(2F7RXopf6SHlU)mn)f(-K7g}X4c8>H19+*t&q%bz$#
zy?`WwRfDgxN@X9BVP>^xs~22H_G~xKkSu%20K)d+8bdU+OYd;f6VoHm|7y*Db)p}^
zf8CLJ{N0Wk>nm)fZup8Xtv#CxsZ}Ggs!tOkQ6q(`m^ObQ2o^{c-$YSm&LxU0IG#~k
zn7vFo#BnPu*b;RG*~nv*-U!qzX@fv7@L42cW|0gB{m#|JnX05rIF7#UfbHynJk*2{
z=R28fpxL@pZtI8H#0UIevY9c`FY0eG9eF0X$A-=DG3q}<4p&i7{>{xBJH>l1NmC;=
z#yUHNAM1L@r4E%5ApC#95dPKN1#r@h!2CZ+etM#D#6Oqz|Ej=;4po{Q8~+(Tw{QJ!
zVD0}xvu)pD1|A?(SmM71(RAID)JqPx$L-lv2Yin66I?e=*2j$$&a4)mE&)my>A%2J
zDr42q25?3AZ(*K~88BzmtY$@5ZSB|rKRs^UjE&MUFx??RLj}sAWiF*C%WsYWT#}&n
zbdD9{h{7|*&$74HX8i%S&E@lb@a|NCup5`tMGA~FZGxxenodAO@PrUqY8E?+a?Thv
zZ988X#GGaDku>o1mVPtN&UV3(+!f$2?7M+uj-wMUMx_4
zs{g*?S^>3N4&(Tr@4kicO7SETNGDB7%F4?BS^TV(SDdu}GfTu5#*?(qkU~E1YB@Bc
zYJ(*eC^%12&`=L=Zur1NXv+Y(Fd4Kin>uBX8Md=`IBlCOv_*ha?pHb;!-|Eg5-Wb3
z56zXQ2@G)&0Fzx@GR))%4REzKj~Pdbh4B?{mHtDfpNe5V|M$fVN}T$f1N8nR^|2>2
z*2FtPuCItmB7#X-!x?Vs+EWT)RX6YX_n?f9r;5NkoP&k7kgZhnv0NLW<8Qi1EOWG(
zKS-O4Q&OXJd}44-d;Ahj)Rv3Qz{De-@g7^aq@BfNT^|J(ed!kj!ih0IT`8jq;CM)X
z5dXK5ti_@Ku@GA~%aiG>Qj;%TJG*U@`{@6=#>6RNRTVN2iiz!I
zz(!If^M;T(M0g6|?{T1@b;)vykZ1k!L_vMlV~AN&ng22Q0I648tPk#8%
zXPt}eGh@=MWJ6bFcV9QHHgyTGmfw^zKuiS)cLeimw{bK(6$_`-{G`-8#>c8n|6aN1
zDQOk6)C6t>@Uv0n3`*TE#80UjDbd|)nL+c)O!j`moDsVMLqAWVYiZP>q-VU2?CG|L
zXV}ZwL}n6S`L%rLMSr86yAu@&^=WyZ(RXq*Wb{Npk*@zs2LX3P*CQvWwn3sA#T|~N
z$<`A%UlR!7$K*N5eEHf+yif>tkV
zhJzgN#_7sUV7z+NBAaGxli{@0MOR_UZG={%t*^7gI;&cWjlrG)-6fhn^z|NDC~bd&
z4!+X~I}Z+q!2sY37(=;#xr=2G>*x3HsZ>ti|26slqK$kZ*oAuBn3a}QR@Xr&hM~sx
zVjc5PUQDZH-e-Yr?<_8(w)J_O-s}Dj=Uf`;gT&lf9cS}{CUf5@D>in5E
zqGT)W>d^jD3JHTIZS-jJb#RUhEngDr3G?Y5)IT8P#A#V}Owh$)@h#!_U1<6(z12f<
zuY>+Q_3di-Kz2A&icOw!?*)U1`=7J@!H`-r#82my{C|z|X!IW%`_T$1@*k{l;nmQi
zUI`%m_}@R+iiRXj?3Eo$@<#{bg43sqp+^WGL@JZ6mM>q#s-gqn`+tLD!q|QG8Ky(a
zAQIWxR<`PMC%Aw?A5|83L1N$vqaQL#9xHSm&4#sIUjE=(^bI9G8ur;UuqzpllTf^j$pe84EwEFqvF}ZvHPMPRzewxT2=*r(FPKBG6u=>nkH`U9+ZV=1
ze`=s8Q2#E&<;<2G+Ly!<`JCaCM-Cn
zWHGvk=>v95+->=+4tEA9x7
zbU>tec0)(*VhYn!`)FR)vifjZLhtio?rvW011J7|GV{~0Z*Dmi$G^W5V8~K0kcTUe
zD%g1j6QEqFZREQ5KlzdAJ0uMNu1Li(2AKa|;eVH%K8Y32>lL`w2}QOz26deYVcwDm
zKqUd+Be!Fz)i=2)qVN7ej$Q^c_wcD6L6)cX@Wk`2AObA1`L`Y25~
zxKOLw{oX%4ecgo%Y4A~E(o@q4Ozt~MXuUDWc3Sni<&h?z=vov%t%4PV=R^H#-ItX>
zQ6lDmsJaRAE3v@p0=@q?2FY%bOIgj40&BOI=q;F4{?Az#qL*Hi8E
zz9Q_Pca&c1q>yN?$5zVIovfx6o&!CGXzCv|qVCef;oUBH$TSFy_$TTAH@3XO6C<)o
z{&TN#LDS)C#(~P{Vyk6gjDawqp%)eJ+3|lbKH`k%7vKioC_(W_mLAnyii>#{H%QXY_GW_+Ihzy@{lzuL6==_H
zQG0RC$I(+PaIrfpt|X^TZoi_-L8zPko=OKcYXY@H)&bXW8!B_DtThOTT?pp>cX`eY
zlWP064dWwy!P5dyi{)o)%k4bIp7QSB;a%gJzFU)Sl2?c057fJ7{c7+1$p!*s2;~&u
zBzwWf;w-f5lI2^i`}~E9hL{KIl6-a8t$kJ8XYXMa|F5D%Wu8^5-_ue_q^JHyH#J^Eq2|fp*UR^58NJGbPxf{LOtJ)8
z{EH1CyNTZ|yz||!-~*bxi_J14xRD8yBsHLpqT`d!59&F6P2(dF2A2$?Rs((
zMu_AGS!6Xa`$RkRE<7cqV7=1e&d6|X(`z3>oq?%&#Hu4<|+yx
zLSdewGM>FfFpt?`_T1cLbQ>Gj1iM2%4(f~eh5zG47FUw({Xzo?0%3-TcN2yFCo2D)
z+W@w-C8^ZMS==u)Go7xe8%5Ax1QOh%#F7>0^u;#zcCz_!DLvMBk@s$d+_8os!s=eH
zX;#zLH^u$*%T)TaO3oGtc4|NUY`Bu3wK6{Tw=5XVsBpxLC1SBX=BaHtuOW%
zbj&**zCcLSWiUWpCN#_}441=9kpMya(Nl;FECmV9?3UZAhb0ajmNGSqZb8aozGljr
zCo#=fD@!&)0{KU`U2{;8lS)OVA~XuY~oBD$5VJ@D3Qop
zal>19gz@jsKSY0Z2Wg?3P9wrE@0Tz^Eq&VnPtKIGT8ZvvB>3uDYJAv|*RMSg#m__u
zPN!MKAA}nGfyuZ#vLe=?T}wdzO~`=4w1v{7>z-6g%s>nDSz
z4T_OsV$z_JWMpJeondcars@HF2>;l8u(VvUe2SDf({VwVl&yiU85FNn<+
znMJVRLRy{&K1RLBLHddEllM?bO5tf?p<*;DQl*N3N-@Ym&y%cMo$XP;>voA`+shu0
zkuYsouzr%NE@;l+o#ukx8jGN#ia?;{z0D=Wv*z|t+5Nyw7(QBoJN(;~5c3d6=(Xz`
zs6(Q^L8omUzM8#S{Iw(z_#kO%ZeIU+Q
zG*;$XCM**yGeu4C*Q70m`C-#7!DJVBi-!DI^rSBu?3P9+sN+Q$2%d71%DCO-9w!Am
z@wr^p8w6Y}D3iFb`k$whHS7pSqan&ty~PXNt&d|tiV&^$!x>Tc
z-z8RRosl(|WQZjLp(27%2<8w5SY%`ux#!gGtRJSu&7xoIaz7#Se9&hv->la?^iIe_
zl}#K+VE%kTcJqYLstj#LvCSWY>tPv(zR$Mf*PmNWcGd8WZ#Qu-3Y7bo)gPgWKVLuw
z$C-S3lAxdQ2MR3Lt9d>9FF5XuBf{Ma!IRbI&5PJ+lcmj`v|8kDb#C25;R}DRlvVS2
ztR;H>a!)K~wA;$^Sw|H5yyCzSgwjJTO?iU}_qN6bwVTQ!Ia%85d;=mXjsE-*g_Rpl
zV^O$4XLoX;C3g=Vgd$Q%b)RC`Vdpdw(Yp$xvdqW2FhZ11HhTfzb0JiXx7y|C!>gp!
z$GDY8ZR{+kesgO5*6v{enJc!$XCoD~c{fvg>RPM1Dhk;>zhOVnfXMtnDV@l@FA!cY
zGLPZMzTd}9DJJe(_`ixL3BC)MCq0@QAUL>Y7jB
zsC}gk?KfgZV9vpx8cpoy`4p3S=|q?B@Lc=Ei|*
zXxB5y_=Q|m;8AgZ${Tk?&SOmuMG}^Z1Oi)|GM~LXz#s}o1~<vz{Z#kTZx3g?okvM!cvR1cph1b
z0c3lpi~tc|vPe(KJ1CkY9N$23M=IUN07Fn2b&!@^sg4r@vYS9wp=_keX0gXgyHT_e
z+&N{#SLGVFkOMv5qvf!8PZbh=E>xRSRH%%LxF1HNX-g*fBYe&mhzhs(?V##Ax(M#e
z1d0Hi%bwr!h;Cq2&K+^O@NkiOTVXznPsW|o`avvHs^Mii@-w=fOCx;J1P8k~T+~h6
zv;(x|?az037&V*uvCXg7=pj%0h$(Txlv}FY#ka6AG9wGeK^;yoJ1hC2j|i!3K63N7
zlFjHJNO}jGMt@9%XJ8wVN$+ITmopA-j!JHtz`$;?v%wub_UuF|uQc@sIDxKRj5ed=
zqC!B#Wx>katIw!j_>u7)gy3
z>Nzo%Mh?z&l@AyHiw1X^O$e?rvrX~qXh6ahSwF4bw>1WjWT^OnFEvYff!;i{S=I(O
zX+aH66+1T;N?OKk#hxvSS24bCgZW0F*@R_;;Pjex{Gou4ELU&#>boM{u$5Xs%v7pK
z#3y2kSn$V)Jz3mA+)&RSkV>d_m=q3}HJ)_~$}}BEf=>@0%9GlZ7J@RDZFf+fhm((=
zRE3tyod>V7|A2p5BRZ+q3Tm;IvSKU{ZzZsP{*oYji$}pjM+p|(E3ia4p;mM!u3T;m
zUMZ_vxe!BtpH$`OvoxSaN5C`m*!596bNQe#qcKK7eA(}|WndHXQyMcV)`y~^v&t$o
zOrtk`xlnPDl2E1EpP^8yuktmK}YAzE)9qzi)b*)of;da=5mU`;rXG$cJX<0
z`%X?tB}{h*u^JhXKQ)xR3hGgc#ZrpF2*AJ1+S%9!xpWPvy#z>4O{qwZM4@KONrbUk
zW2#&ff8WD>t7+Sd98HOE`>lIJBTVD%B_qR!8p)?Fs!9
zA%U~mYtR(7d8(pyNg3r3Z*7lE&h2u+dMS}m$fRI?T-LRTe`DQS76)bp2Z|
z7K)k;9HaML)lt3N&GdrQv|7Xpc@I{0&^KSEP@)-!&U-5df>!dhDLwP2Uh7}xv~IFB
zli9un=2nrC{rq4P-2FRphS$A#mH6btWipr!a+C3Auk^+<=%39KMpI>B!8i~Sgg<}7
zsbRbX+wNb#nzfi(x1Razt;fH@z-LzK$+3|0)`9=vhlm~R8Sg%=vz*1r0QdAIsywNs
zm`EZQT@Dsf#x*T`)1ZF%F4)3ba@qLmwE6pdh(Wt@sht7-N9o%Mv)hh(rFPXg(M=uD1BbK=f#I{14Va7jZ1Ys;OBLh3H^1J(
z@`vXbe|Cg4jP-{ooqZ8dq9UOrfB-^@BSNh@R15~_a{q1If`F<420kcMi!F8|;cj5&
zy8x{QH?TK?a}Znw6l!o#0p~GQwhe+2k6gKV2m6KssREJzr_v-{)4>9uXT{ZA-yd4{
z`Z_Lwy!?V7t^;SvUbwlAK0Q+S!%DktyM*5lQ
zJUznf11`3vC33q7xGBK|OHg*IYfwjL;t^3#L9cJjMgCjC8(;Nm?NGVZoNCi^rPiGq
zp|^u`hi^+RcIvQ=D-*<|fpi6+<4-S4PIi8-`U1}bS5@Yzs4?~86;08Vi)6jXz5Hl#
zKbE`nV8}b#`MR49{k@~$m+VM^<1ckh8Vj`N0zb$4_`t%gDT7{ZL^*lZ(N|EugDxV!l$iqe>!hZt^PQHQ=RS#*43$Nc8GM-ne?JS0U2-VS#rUn9nN*>jFVSQR!bQnN>|(aFg1z&yml&
zv~;6j?xGw=GBXo}QR>FR1Hw?NmP(j8&lnrDrU(vzsvqJhOesN}7PqCY5dk$Cu#Evc
z?nAZ^AJr1T0K}%s#A9#l_vkbgAihaQ7lDYMFzb&>DxPHt@TkBsHesqo36$ke26UL>
zFsn&rQm&Z+PXP}#nwn&QvNLu`+DW*>>k%R>27?|HT_iy4tHpT}b@@q6Em5=AUgI^X
zu(UGWOf3Ws>RA1Lz3TMUxo~+~2j^Q@(d24?tJTlfi
z%=`Snh=O(4=VLKjp2@4HxuI?sk5KhM{fK!xjjy5PCYRoyFxl_;xCrD`$$G|LE(;Ya
z9|gztDq5W7Y}eUtZnJ}%it%%M203DWU!Gi-YGy+QB+SeVK7C%hlHyR6rJESL8Zl|b
zo70KDCv+hpritmW-hA1)F@R5wcjxIAwyhGSqaiTNB8=A;a`Gdh3z(fyye#u&iU@2A
z*tC>GycEL3ri*vW8v>tb=v<IOqwQ`+#&Q+_L-%atX#M+uZgjH
zouH?TZ5`1ZbFa6z@7l&Ab$sEr=bO-6nE(qb6S8vgXQ;LK8&0IwJg?In!o~3R*-S0`
zM#}^pk&5Q0K>RlKB+1aur9HoFL+vXT
zJx+W*?UA-4k)fcLd3--*X5N&^YURM((I98>x}gVW6iM=nrnsdjE6sgN{RBB+r#rIB
z%fs@`);vz`w;rgbi+Yz1br3=wNtz_@AdXr1U^%SLi4FF*Tt)0|O7&Q)8zuQHfdeaz
zAj500I
zVwhXv^|3(c!0Er7>vmK`j*2`qIW?!!!Z1Nx-A%^c(@It4Ka_DgyH(?-_YU&H++8?%
zDNxwqyB{K`;GsJbKgn$7(Vcjm(iQ#S`B2uHq|6Lma%csKRB-U|=yG04JxDG@5_L&Z
z2jzlACK4_$^z4^mxFY8bns@=W(C;>*78vHcwnZmcL$CEViMF!d0Z12BpPxN$ea%m*
zA0c3Z#l*Gx1>I%U^GJ=!qAOYE@5jb!>N2<@`{PTQL4-KD8-!L#*)#lnsfrZ&Txkel
zl`Fwte}!45>edX)!j&SmG{qO7WmaWu2rSw-9vHQiCpo$!+-{KUlS9}jfQ^T#Z6|n7I8o2O+Y5`8vA_>^xuKP
z*h0HcD-K|bydGEoEP={m*J+oak!0P%)P&p)GV)=B6309K7s9ko?J
zcQo%!u))FRisW+Brsv+>$ou$oQqpv(z12pjAXLbZp46ON%1a=A9AAH`<)Kjm1t7fo
zPx6Vey{eSW@t;Xua`5cmp*bW-^53k{dMz{Z_eT3wuAdbn7b#c}3;2E~28chjc8aN?
zmTq0;N3f)Jup*i8t$++
zCSbKo!jNn@IKcILf4L~}cw{|+3i?!;0S>ygcw_0bnwXMu)hD;LmDx6d@wyi=717gN
z{dVH={IG^T{R}`T<8IX%J-6%6BUR&1aoste!&$L83sxNu6LN(fj<;kPpZqP
zdAxK+9ws%60{;1ghey8UNW-8Y+yqFGgAdnV#?5jh(e$Xbhf5@zSSBJ{q)jD+ZjOC
z%zxbH@3haGGdaD-dQ6F`nPej+5J?qV8WvN+lOE2m&D0`@H~l*&Pz_e)Vc4VgUMtnC
z5Z^U*lS(Cq(mG;PN~2Q6wxw&1iH;5c+kg^8QD>o{Qeog=tB`I2FctnjVL4qX%`5%7
zYs<)RE`r9a$tt%_dc706JWFm7$>1uWO#gqbB!xP$I-^9jdH^8+<{=uE&j#7qge$Rh
z%fF)}n%pt2WwIYCKn7I*@oL{Y!=zM2u;9pB#4bVow{S>_iV>A+BvsnnWtaw8jiGW5
z*XAQo9-+Qs6z+=P@$bdSl-?xQE-_{WFnUVIC|b9!x)}4Ir1z=zMc2BT(%2
z4eve8!y6K&9fC8W=S)c{h}vJ%M_d`>dQeKgZxrdiqi
z8C|2xO864xqm@M$7W(#+(8EgWF;SS{dxYiO&f}`61Vs@OGwJ}T64khJLUElf0M2o+
zpOIYfR{xn&^*w^a(Y^wsdDj3(-7&nP2X%MT{dnuJJ<$Zj4m<4GN4fX22VRVxUqGnT
zy&-}|dc8bm&xC%6Xgntd7axS#gE+o_RpFi1mt)V~u6j3(Q+euxqWZe8iB+$IgngkA
ze;(Q9Nrm~vh~@cqk8GEZ)Ho{N$Dx1?5-DedqwZF6SRDV>A(Wl8wSe+Pi
za#(V7_Z2k;iE}2VDQ#jVRmgPOHzfa-H=!3}SmsN9z
z(8QnazZLG>W{uBAQsmItv^vfWWpewcRd5tO8HE%d^(k(k6^Q=C3T`>NF+FjZ)74o|p_GPj1O}nMH
zO8tvx;veYZw~ra}Pe^6QaSiI^wFnH_JCK*uZ|zdEnluR{r=*WZN;Sk0@#)4r2|vZJ%V;e?
z!q^z|t^y%z3xBblf#I)o@N~IL*ipB8BHs&0Blr3Zxz?PDZ<$-v<+PtodUnPl_Ydr`
z!KPt|G*Z5@BA_*rLX@hR+n!AJbKn}hAY3o8Rp;`tfO^13B9~r2&QD+$`?zG}!K%sHd@wM%NQM+N
zdWb;g(|HEZZX>1SUi9TVtP4j|Ne!Mf2cXTYW8c$CchkY+b%AWjiaB6v~norU{lYxmTgL71*p31JTw8iGcNBt8_eL`!u?^atw++SLtTS`>AW?}8<))-4xhU%dIRtX7%(gBo5z|4Yj4CoUHc}B~TjMga5b3(O
z@%1IOf2Q*|(j
zV>A_3$K%XM#u3BglF*tony&MUDQvV!!ZecK%=FkJ`Z2>;MJ#a~G`Rgl1H>tkY1Q!Z
zlc}bkhH9xhdq$4#jF(6AxIn`nTg0Vh(_uGgNIq1cjD#na8j;h+1dMt#tM(3h1k7Fk
z+|t>kvEsCFrg6~8>1vQ9>)9SZbR>QA$a~8+j3-)*4DD2lgFj%&H3
zy+rplB8H>NPBw?sSc{U1ah^I5uVdrChwYa?wthnJ+SiX%{Nuyx>w=`=nx;0Q!(wUe
z;B@H^;Q}vsifV*I_jwVL(ZlZLQdIEGc0=3t^CNX=AN3v?Qq&D&q7pB154mIuv{RwYiS)X2!%4NxNE_qUy3?
z{WODg)YUL_lXPGo)bH#%q10oQsnur}zkOCNqn)r2#+QGlapI1PUUkF-DyRXp
z#D)=zk7H36MPdeVDQ4h3s`2NITrP6WCE~HJ{
zj-k_P(+7rW3_5@r49YU>D=EUHKN%PaIgQ$FS5c)&2{(mE)5qX>@oaXvHywQZY1=V4
zCf5zX4G=c0@GBcjibvuU^FZ_*zeP%3G>V->iI*bX-oc(*e6uN8YHI`JC?Dg`%)&JI
zHguZ!nW1}o*P4)Zg&R>A^6*#^Sm^C7WDmPUXNapkf_^nJ5RGvsY{>rfnH$Wx1@8xl
z+9|9+@}e+4!v1GrC=BniR
zHs9(dAD`li1v3pY*G}OiwwN3LjDB%oTLxeD8LL-2+wPVu4Rov08q}8KLcsbO>@|P^
zo?d|vE?dk-LiHE6X0RvJ@AWj7FC;`;cN#L$nDm_PLdqtsW3j
zxw-XE&1!~tQ$p};R;`F}$RRf1FHix5~MU{mD!~Dn{4SipRRL%SriCk7say*mJnW7*8#b%RJG%o&s
zMB*(#ByRfzl;Z&+ahBJAMB=sJ-<11N3oocwJhuJ7>a`!Cl8kY0Gf6k*U$Q&_Awc7q
zl@{EW__Ycy`QNx9#(&|4a@r_>9pD|E2kug4%W2<9!%;I$iO|hO@#5LaQb_>y@IiRDjjHgmdvl2LN|apb~K2B3-U5-uX-LB6L*5?nuze^R|OkeZB>JGGj-{IH$NY234MaR
z;rRW*Mf&6V%&%#sP8i~Mq$t5t@DL*Uc`gIZ^lj>^qj^ftY6o_aP%o4b7YZ&80DM=2Yw&9jvY
zbiyBmXavp#VhVYT&&Q{O^(PKLl+>+FrXWF(@xSsyLwxE$F-Y^{1uby0P+pFOl?7o=
zrI8IQNfYfUqo9d((HgeVhOPWu)j6=#A``l3RGl=jCr+j}IyyviPAu=>A(QOFF9=4Pc)KWzn`n0`O{9)@R43
z43)>@CxK9D7{mKC-1-j4qwr)jBkM#M^&#}|&@y-BH>yLB06ng_OJgqPzcQK)zEUAD
zl=r$j1*+oqZbi}!0T{x3mA<2hW({Iv8H}@_3}Bvr39J{E52-5Zf7u(r&V|bixpfQ2CDVuSLg`l0jOmb1`Wl#$S429iA_s
zmj)19n&fk-=Jx=XIS*4<+yllDKZsnsB?gsxhQ8id-->fdm{j+kv&#U{ajmG5EJh|
z@;yA4N5d!RRJ!~YKJJ9QA^u~cIFDhO2;1akQmzsC2pF&}r!99T)54Q}E#gyrNTz;R
z2o#7vWbDt_Mlpm@2&T)ME?*9pc%FCki-^QpJ?rGzOi#p(MaV8tO4S>XvwA7{iWqxP
zQq1z=LSiBc5MEI%HdqHZXQDwf)17g02{P$AMfIY+c{Xm@Jb3nV%AHPk3nrbAYPHgo
zo}#h+tup<6TwTGx7OQ$NDXwjaIYQj|<$2HPeYNm#q}lcf$TiqLeEM;~^Sm%enZU>(
z5gLz$c-VPtlWl+nJ}-d3<*AQMfUM1O$BO=8RSUfBS8}>n$#ud{%$FG0{f#p^jN0aS
zt4LYsn>>3bPY4?L(-m^kImRlb;p{qN{iCj6S9I)eFtL+mvN8$l4GtUncJh4g$P>1q
ziX(+4WWq26WCL2yIMkE~6!PjN`qbpjx7!i%lS_>a;4xqyRu1A3vr*@i36Iav4_#NS
zkaO$N62uqxR#n$K49e?~YpV-KKx#$ABI0rKD@-lnaY``$Lr%VVYBzs^lkaxdws#VX
zEQO<>Mx@HFN)OBml#M<^k`8sV%&#Bo?`1qkY!tAh3`WQn@Nqtn^S$`_GbfJPaY6ip
z%KuA>nko)LSLHzRvBH|NFo9l`h#)^M`!<(h*_#t7G%W<0Sg2`&zAKRV3GnI
z&&kC|N%IvmJxyK3ysE5@1=bT#A(^VsV@j7SU^MrcxZxxR7&Y|Z5!EarsdDEr
z0xA@MHNl5G%aPIl)0s^;yC$nrEa>&RJKTy?Z*Byla!0~{;*RD&oPFL1njEIr`5uiYPh6|2h&xp48fQ=TntU4slLAa`1AAZ-#HWk50MkIrr>=
z>%8-A72K`sOJ8X`LDae(bF+X-OkqkCQ&bnVs>OX1L22(oqEHrFIf`cgw`UUKl1xIqEys7Dz0_qcd;N#YX!TH^i)II4yL4d
zLPCDey~Iz%x?czF^0-=EuS9>M^po5tQnz%t>!S)8a|oBs!k}4Xt*q@fx~7+wb`a?v
zV3tg^1r*|$QGZlej{jgtE>#X`%ilfK8f4l-i61}|NRNyID~c@l-lO)@h+v-t6Jpgh
z1p=0!pi#_#flDR8nn!Q89IIWwHL)Zi)DfCgY_#^}&!bh7mi;BF&b>4zz(*)E>k+0S
z24)f<%kVb8{5e{@%0s!=9V%bfLtB<((S>VK_a?mxeku?L(c$&!!M;oIV{_{>S7$v=
zf6OAjHOUW|Y{7UoA=-kTbU|-;7cSQ!#1|Z@*rh`v&`t0H5}+|nalO?5G@KmPT4GZ~
zC5ZQRJiuC_Ov(BdCj=!G6MrllJS_eDQr$_b-sabh^sklqYvkOxQR7po;Crf}eEjB7
z^>V?pM*Ut*mr1}WQe_a(2Vx{#4Ve8MEflosw+8kgAqhH92<(LZ1=IcmwA1m3TsWA)
zt`dItMY00=B9Z(*e32Yr{1LTyuPDK2Tr0xQNZT`nJL{r)0jEi;O~g
zb&@$Ml6*L_VMqcKQ}<|i>x1Wq=m3W
z#v*AW>T-2;tQyG=kBm;Wp&1n;o6cvsPun=ci+A%c;NQB);Kk*%PdHdY#-4WtNptGo|ny51#!6vmd|~AxopQBu}H;s75lx#ZWAA0v9u3
zDMt5&gx12m-W)oZ)X?xn_xr9`7&{iu7Fxg6zNPngaw~>pV0Ri-%z71eaI)&_SMj_58hUB$6OCb1h0KjXc(NcEbRC?}
z6jI4L?Bcz|9aI@ta^0V%Vymh$;36{FH4E+pjRlLQBN6n((C8UMh6Y5-$&=i83FE0g
zCy5h;NS6ySI%A{rS|z!@Mtd&MIbeB`4WD{x#tI}nkQzqaYR>DslN8HiRZsV#sQBKU
zGXT;$JL+wBz^?2yagA%-mgWy(T2jYY4A0`Z@#oU+;$6lLB@
zarjTsp9mEW$R9DX6Lb>l(!ixYf>FZ{@Y8`H%a%2L_tU|&I?3X&6e*Mk1#C9&pgE7o
zU)lqJs@4A>5Q}@S(Ed#b1Kn-P@_WUcOZXaB34jn-bSwmQ`gl5BtEBF&)xT-ke>@O_
z{>uY#*Wwx;I8A*wp*o2e|1io>aEptI)hPeYkzuL#)w&4(KsE&&d-LJRwRXLLA#1p4
z%H*D<$X(=xiPxYoTh>gt-jGrlSkp;lWlbBOls+~Ia)`5N!cidn^!p_O8E{8c
z>)x<01f$M92DY_#{IfSyhW;rpQuE&TdZ*!$53Mfs4^gdl$oa!W40pq#oZB)fZbBKk
zX;f&@;$+Fv6lmj}FR%^|a6DR2z8V#urA!1rlZr~FQPBI|juJj!8_`O?2j!rD#D2h`
z@{ReIo0pgVx6H(t9F8F7Pjdd9kY^hg9^G3C)HR@`qBK0e;YxLi8F+8=@7`OH!1ooZ
zc-*dWodmL?0?;1CdJf$CqIi22u@A_NAwU``PTY9&6^;(_GR(FA{lI!(1VGi$t-~4M
zd66K(AT!{>eUx{zkKs7O16UIS~Ykl-;&`rA%+jQzS(;+L)Li?jvV${r5uC)$NyACb@jCnT9&T%^3(&av$jws6>V
z0STf@Ki_%w5Fm;V`fneyf1*XVnW1wd!%o^WBnrDsR9F+Fa0V}E5G5=n@RtJ+zoTe9
zfSUzmfPm}*{v9L=QlzE+4)c8D1|3pBL!F8Qr2s)OOQC>8Doiqg0`X4KO1J%0q7wEu
z99Th7ODnWgCR6UTA%3MquZB+c3Tu@nBYmISfJ3sFlJhtZw;Wagz4x%*eHv8O-N1nz
zaXo2sL5en0dq{rZ`%N+4^kKY7w?pgWmbc!_>F*lN1T=oJ;auA@jK=d-zG;fIHk9Er
ziq_&VMMu^!cEQ17i1p
zG!irn2)+C)|5RI&@jGn(zxQ;;?>|V_Ea*Lw0r6DpBTaK@*A>=BktAT#&Ab>m>Qzoj
zuc?C+mM&)K8~!i7;#TOh-2qyVF$lFrBIH)qcRB;GDGQRTuC=WJX_xe~TW5i@a?X|nr{=_o_@-IeiTSq^iBDYv+dIKn!CgDLa6X&YMW^PgER;+@}j
z?BPIy2G4bBK7X|Q0RI9q7&R9PJf)$F&Nllb*5d-QEei1TIL#0rbVIIK{C!j3^>U+t
z5C7}-2;hHA0VQSDTPx2@#tk^|JDnUgPZe`mLL6eTvF3y(H5)R2#wPz95_3CEf_>>!
z>-}xj^vc
zgu^k8+=o0rGyJCLV$Wg5T1;v2#G*E
zz%v34V~YzAM!+UGHTC|AQz$^Zm^=tN0O3u#6NIQd8yzHz8xZ6GhwML#1_Mp|HV2v#o7SDe*j`uHTpPtiq?;M+v6vEosPzIqGMylZULe*E!1}Z8dX9
zle3f2IxujN!-`UqYN`Api^Jw)?pBEM3k{J{CdUnzwYjDeBlV~MsghmeBbH{lj63b%
zY<=5ec&~dCU7wTxrTo~qwF)?@!Q_q?mF5v$;f$F4N{(RPpDbGV7g-@W=??>gN&bSh
z0s-^MKTfukdYXcKPz^rXd(P@*8KO{!n&m+mBZBgGoRU%#4TO_LQ2gDPQG&C=8TwD4
zLFoM*3rLs@_|a%6RAkFi=A~6p>#+x&5{5gcj&8X8sm~udx7=|kcil{8DC>6PO=TSE
zy{u8&g1=2^8fTs@#8rH+w7ws#^1HAf4(RIQO#Q$@M}Pe}F&U(;NSnllU>sXMgC^ov
zITbD;`m%FFe==C)YBBEWue`aCe6`pVh-wm(Z|
z$gXjK6z!k&e7~;V692E_6;QhdRnh*fU0Z9*>Vid02jIZDQ4~p1D%qii%m6iKa7Kc*
zE7om#6F_~A2Jo+#Xb}RPqnUa(#fdQf-w(zoWfQ@|*~AnGs=%@WzL3+-9R-0cUpHqvUcg
zlW;B^930akZ((mdVhRe0e9G@CLJfuLl_|70($o4nId!wJHC)IyqhcbGO8#o%ho$)+
zDBj6XUfQVk!}d1k3}PoM<=uFdc^ws__PCZ2@<^C@-0hRPPLZtN>1Oml+44H|T(BFE
zf(cN>DGWF%W+c2n=D3IYA3iVMG$PGAnXxV#R@O@lYG{0n=vmRozaJ{`Kh9>q{LK
z$XlN@Q3`LvV({KwVA`C51va*bD!otJxI`UV`g9Lsb`5(1Lk)9vb_)KiM8E?*909;}
zFu=rUzAL`~`KWy{+48YM_lyQJ{jziTGS-@v$JyC^l2CvgPFT%fV%21`mGVkLoAm;s
z+F^EZ+zA#rV5=^c%p-YKuxjIBj6A0$A7J%bfb!RIchH6Zy)XLTp1U)ZSIo`FLJ-EH
zJR){F$v_KV)@tYneSYs6-C)E!IGM@l2?rBcL(armc&pyzAGl=FGb@RDZ6vpHP&`;J
zJJ-!W0#HYO2-xiNe$>2#$L1OSNWOmX^F_eR{2DhTI-EkG>^6x?vO=E%iwyVE>nz{o
zYLOgu3>3fOp?k+9YMnThQ}@IMH?he?_r)p)@758tnFbmrhHSYWezH51BiGNPF!=s*
z^qXteYlJG4QYBt>gc1
zilRnXUZ?#Y0!>N9Ii%{XNXo)T?=~dmTBy>hpZDW(B!kK(cug51F184t92uy;HuK?C%BixsPw9Rl};)wn+{qjOCE_&1FH
zvq;p=X&pT+vK1Mw3U3Kv+a~HPRnirwzn@OoM^fO;ACFzx<9~?({ciqq@Gkma^?-0T
z46N!wh^(4E$KM>)6dqtH%Sz{Z3B42-c7Z_LKESp29lThP$-1t&?RHoqJkLj0Ft1rj
zfyp+FSa`7a4BLjUYP9MnN5=t$@SUj08}{f6uk=W6gCaZ>tG7zPr>ZB-YDaxiU78lI
zp+DuzkOvxTducy^i0ZSj1`|s14*M8-hVyO7W?kV(bj^E?y8SZK@yH##-~C>Fj2wXY
z36p{=HQiN}W5cLx_Io^oh(IPX2q4o2G`oR+{4Rd{Ab6Db<@`^_Rs7eVnQxR0N))N|
z1{Jt>_36x?Zqz7k+@OGszph^MIu<^CZuy0Ima+9yM32XXx|MHp6U{tP&XJPTWuhMz
z2jdB=;3MyajtK&Do}@N9i_h2*gWz=udJT~Qu5#`ZZ@MRKc`x8K7hq6_qz{!UPxQk$bkpJRH>~A;ORQ5){4mydg`+bo{*RJ&1
zUZby{2x_1~f{cV4jQT?$;b%h6P?hSE*w)_dHL~{g#PqL1Nbh0>z1NJVc!xsK8GN@L
z6m-9|59vFgm)|9?ji9Rcw%u`64%KUY06k|)3Vyd&`fI92YyWRkwcJBd(GEE@xNy-=
zN`aSN3ms)rr_sxkmh97fZG(ah?qY)WaB*f6mEyo-bI><5dyODZZ!_D{o?xFm4HR3&
z8eAUGIlLmu0i}0;&#AP3%1YP?lL2R*pC=g7Ma`?{-mMXJRwG#RNZ6=l{I;u}c+mQ{
zlj7Ql=EXa?U>-NAb2UA@da-q$K~d4MW~8=Hv)s!l{TE|%tYT5=6<&xUC@WNS?L*^5
z)7S5{_qqh-f32|~?;I6{*?14ejnEXgeR+a-yH`5IWU8~4_!6trEf+NCTIb1JC2Wqt
zk3olO2Ds5G@D)~M3?L|d>dS|7u98kVe#0E@bS48@{QQsB6VRKUVY;YSE4b#*B?}@|
z*s@|;gd%r4W`lw@_7p19C988CS{qgRJSD98863y#mV|?|I3xa)!~G@*&`cH@sf)XJ
zv|-s#De=PpZXSd$Ku*Zj#@|a4L`A1@rv={h4BcjJl^YDXVD2GG8@b2vlSb5Z5hGdj
zK5=*#tlK6U>M$abO=Xs*kan))Til_YUs^yg5jhU?L3p)vn}-7Owz6>G?S}tw;jP{U{Ib(J3hS!*7qW(0T}&}B
zI~>6_tlKp^Xy#l=YTBKHGfa#K*6}_x<>^V>Q6pZ$>PS
zMv8fU;PHVLU`47&^lG8GPSlyybK1jX+4FtH7LqxS9zTP#jBs_MOi>x#v
zOhFi(xmK5c;OaDdH2N;jKEDSJPeu_%`I1=iHb9EUN$Ih1pJ(EvV2lJFUX|vIeq705=j
zySdjXgEpU8jzxddTH{DwZg%HTf{?U!Mw2!7i9z!d81Ix(uA0~PH1<53G}ywXS18LJR&Al?0aQCKE&@{Sl8
z(+za+i$~i74q7#Hu09*4g+RswhZ$i^!*%U&0OHTdaK@~E8wgLf78<7EQXY5yiBO|Yo0ZWj-sTROA
zi&ERUQ=MTe^{*in_6+NH_`lBX{}V=du;?m^-fidqis?#WVyyWRIRCfplQ81HWOe`J
z3Ff&Xq#1Z~^)?Qvd{1mmX3sK{G^M2PCW#8#AA)Y@9umodj^UaO=+^(<4u&~|x1_jUa)RK}o`l#-Lv(_t6$
zqVYq>gG1dq@1pH($>ZM~hUf<(Zzk6_J1nk)pHWSNsWl
zPtefqXpm)k;1pN24q`z{g7g&1q>&@N&*jlaxvTkeGeH{Q_DtjwEfn
z^%Op&cBs?*cQjOgs62RL1kpg?bH|)ZtGS%q0k(lG|r6OXBD4NBM>?$Y16~)RqTBCU1c4>IIC!MqiV3^>g7#)-FYy?YBDEI$?
z4@Gj5BEs=cuJ~Y7Qrbi~as&dZ82i{6r6gqu;Jp-cYkYm)5b%41-9B4sO>|FiU{utH
zPTE(jrzmlmd(^e?JW*(|@LtJL+P5{kh98G%R;?Ra;740<09vhZ5GY%-*)Z&U{(aa~
zZ_#3XfG)w6(AKhMh>2r5#l06EnjyE^VEL8dtJ5MM#tFN8Hpd+)gg?}Z1(ZDz$tmL+
zC5el)L(UlGF@$vz^Rc~d2Fv7aIuoi1Gly38Lnlj-X6iEuoiB0&Iq*0lWbQj4cRe3!
zjPzXmx8!r6_}PfyhO-$#Z^wk>KuJT+$uXXxPPh*9QKO8aj?&KurvsMpq$I?L8PeDO
zh_F{xi}#YG4_Lh+%=RaC${re$pE2+7hO#Hw)8+L&M~oP#bN()=^Pa>Hm_)11EC*ve
zB80PY>oQ!U=HiU!a|?!JjEm9NYYe9c;i(aI4#Nk|p0xzJ^S>)o-{3VCV{5jP6PaQT
zXt5i^IzlRxWi~m^LKVChy%d7Exze!vKy&^mT$iE&Q@P*{5E=LpQI8&~OqGnO^yVyZ
zCt}>Oow|*fnN69Q)#c>o8sa(0NfvN{aTOZqV`YD&nj%zgvvi@Cm8UJhd2*cRwq4u`
zE;x_x?b|n*wIsDUc|UeTA%TR1GWB|st
zT;&2X2e2~>&kB>ufAQ*x5)D(#;=5Eg;+M1>-G%psS4wgm(~XrXr25S&
zZY&_Elee)6x=&j6wo2&z2f8OG&gk`qoI+#Z?xL)7eb~n{aoC&byxn&Bc*LGH2`HM-Q(`$oae06kh{D;k#g*YE&F7v
zF(*?n$0J@_GyIS6^OmO+n)+pKb&olZdLhd+`*gS&-n}xj++Qk+2xb}5
zY-P@8wHZ;YEi+XH)-&fC#LGy_W6i&M#kDb-9{AGRy!aEd4WOX9ky))4_*u7Y$a2?-
z7ao_;SZc1=iiB^Fc0>PBx>lTxQkdQnnuwlu%ogtw>!RMu=J}279>!O@wooR@XcVmxVJLZgeB>h-Vj9O&
zQB!$JehEU!p(GL%S}E+|`GJ`H^tr7H;_=jPhK76!=B!amUSdeiF7@^LiKD{aJ
zYOMNLqmBA>51CdqD1z_uuvzQJ_}lBSNBza>HKGc%%Ov&dr^=i9a&A+a6Xxe-+Hjfo
zX`BwhDWg|krA+T<4ANRFM)lvXEB*FprA^P6>??Hl*lU0vS2~f0CGJ=E_IiWN?%qNm
z%gQM*dRY$|E7?&q?z4g})3uD^_Qa;yr#5<>e;aAKZc(cVS~Z1h@wOimZr@qun0
zUo2L8)*4$({&soZ6ItlbdApyp%GGeg_B|#-z?f>*t2wuQ7h58HqH+@Pnl?K6v8;zq
z<;!Wqa=H`p#0aeW1!>xpdDPBd@scQ+Wu$^(;16%LQ6*PBgU3Kc)RK?fv?&#<;TZJT
zuyGA55Ed|pAh044c!58h9pn)3q<^DeZswPkx2&=jnSO;W>+$`pzi1ls9fnQan6bMPeUR0>^s@6)xswq3l_S_wqozb1$0=?yb=$T;EdQ|A$
zPnB+Z9GRV`7oFS~@h94u+t#j25sN|y8F2W}mW8WNAZ!rhugF-JC6n%xR6EK{>E&mJ
zn(i`H2Lf4AtnJy?=+BuwJKY5B_{P``v9lvuBC%O0%qY;g>VwGgmGiFX(?m^RdMp;k
zV;naY@X;Vkc&Zb(gaqzIV~jIy|XYnUqF_ywGV)Crt1TBv+;3n8tBnc*0%ih3ZFxauXP>fL%28qp18BTDGmQ1US8vmFB4t1s_Kq_2P+
zcPB2!Oyf^iX4OG!$<-ye(uR8qAwX%?%x?6RePpk#8i3Y?V?W#zbby%c^;D?Lx&|BO-ZXh6N0@`3rMd
zTrjT_bEjrDR2M1YMrs-ATR6AikL4_~R?y`Kv+U!7q&`9>dRA$;Bu@rtAUjAP^W#`8
zup}@o%nZwd>>lnIdH>Q{eTeXFKHuy(_CMECl9hzk^fOw|81eY(j>D4M$ltw1@mwwS
zo%am>Bul8`x{G2Y9nonzSmr`cf^aTTL
z8GaT*`^!OoRL4>4arI}09THGh|3c^sgpCNZc&MNYK_MoZz}`1}
z91&T8E**qo*WgGHrLHQswe2E}plFp<%E?WW=E$K4(dwR~5o
zU|kr#D*)r;*S&Eu?#_vH@B85CmZK(`^7au!6_6$blw=DK?zq8hdfk-nZTc`=(#&}_*YWT
zL7AK85goEa={jyNF7IC*CG<1-$GWQg0B^6Ew39^oWdz07rO_
z#k(8c-75=Ez;|>|0C{628f>6Hf{Xz^5W`{?+cS$iJ#p+W!e<4glIvKsIh4bz@=kT=
z>pynseWn_|4K59>nwL0~0s)s;I}(lQEK~ejKAYdW6tT>f2!5AI3>=(BaU+gSPeG{2
z#y0w(R+%5t_+4f0U8*cIvAzWQcF`W$SE%%;?1u%s@kY+thmt;Z5{6Jw^(xj;w(siGfiyvi;pmbo5nY7pf)jrJbFso;=yW7s^owMn3p&GB
z=NM0!MawvT+e39dC@7e2~<1zA&D7Fr1|F
zaz!j|9{9I}9%Y27`_%9c5Y`s`OhsAJAdG#OU1n@&uIj-!K&u$j!#q{MOk@Cy!Gs}X
zG>PuLsvi`&J@ytmY6V#Z|E>37x;TNgc-u{iCZ(CuCpPkw7)y>~i`}q0J@Yj}i2e3n
zaJP}QI5$&ml~#wr(Y=djgEhUD<_iZ>U>B)Di4lTk#|mNv*Oo2hHP>SZ$8qWtu7p2c
z1mgJv7`|k`Zx@f%9#5XGNl%I~w6V0DKq1}Z%g}BoI}sDG`*)csoMWsZXd$_9djROH
z2A;Z52`ylk$y`)r22;FyhRRS(xXWm_j6N`4=IJ!Rp??IH3ArE&?RbYS_c8(9SRhc)
zPx41yQhf}fpX3X2uOR9+g)^}T0xTAk^dj8h?||5s-#%bSjshB}M&sQ*I1}!AIV>J$
zf`HP_vvrH;)9LQy7Osq$UZ$U4YzZ<#)sM+Okhx7`=+v$YHIi;q$MblYs#|=7Eq0+r
zD~tv2VenKwk4i6h5LBUt+OCUx``)Ry>gZ5EqIgLa6)st4ts6&aVI`%?t{FC~Ve*u~
zAjC!5U8yauqv{-esad%U^~rd+-K-0zDLDKzpF8APw4K`9t%@x?P*@f5-}sUfv7Z#M
zt2xJEX5I`zhHzna3C+v
zYUvD{FtoyP#W=JG8WIUE&i(U1lcNQ%CM~th@~K79VgZGNhkwPX*im`Sk_d8mArN*0l9LjupFp|96BfM
z3`IPDcP67aP5NPb{M)spJg;oWZE`YNiVHrYxV{T={sC)DMq+iHWC41zc)K4huemfy
zb|fg)gSKg`D~Jos&`D@y?X@{EQT+%nr&Sl1vi`vJ2w%_*(IM(_n5mBV)&fc?Zd+;n
zmcp2d^7!e(C5K9=%Hr%}-JB6it1L66^YEgNNTBv}b9HiVCg+>|UJ+=W!Z@u-Ah?11
z$jX)4BY#Mrg{8*mmP!f`;<(r4?t=CPR)K&Oj^56@NFE9QsG=B2*VO3cf`FjOUqm1?
z9V(inP0=Pug}N44sCYdf3gwWLuw5gD{UJm$L)MBZtO|+jdc6*Bc#b%PZG?nD5u5Au
zi=QDkjLjT6)4(5z0E?7Zx$-PEolmHLzYJ;F^9vimk(&SoO`5iZjAyNz%|Bcr
zb|>I#i{j?Ah%^jl*W@@cG(ENLZ9=`MQob1CGi~A(+44i$_D&oSaL0?~j5qdQ*J*
z0PpFVa4&49=`o%}Ap!`jlq97yUomDh%?Bd{Oe96~r_DruVHj|<9n2{qX+fIn*MDbWk3-Qzjhab^AS)1!0p5xB@_x$*sH
zQZTUtqs>OI{3IMDa^b1%Ns?>
zC?Z!3?;q+n$$WxFTlL^os>1CqH8&mWvpYm*am=0TO)e>h9)`*16HXD?WZ$2qg|
zyzwe)Sb$sxjpN4_sL2WLaOygOX&-?XBc@Lg48|IW`qMZWJ$Ls$5yXk4zZ?AFfB{Q>
zM(pyWQVT(+a9tSd`Nla<7yOrL7$H~5gBcudZV;ThXQXp(i1r+)gQ>fo
z>4z<@RA6FzptY3
zL>MqN3H0*d(!P{KDpWZmTcb^+F#2`g4n}hubB=_m2$j0zn+Gy69^urt_&Q%KQwF&h~i3v%6)v4&|4J%g&{ReQT~;K
zrTH5L1P94$_$`z*RzlsJg^rtR0k*nBW$H`F1EQ&T2Ax`lCo$XwajtMLKpcAhS9q)W
z;jrAV3-W^(^IQOFU>2JLPEEv=1!9F$G$cpgsUUZ75!*7S_ON!k+JzWXHYZ_gtf}o1
z8BKcV;Wk`aQ5@a5)I4wg(X3PKJa2zYqMql-o7rT*8dg>@#R9w1Pr{ppRMg0UEmEX$
z)H!f=?_T>*^hOazEb&vic`g)p=wPolL#xK^NjlPV1wKOh*SHszYFS;iGi4@Z&75Hl
z(&3#p4HL9}xqR9%)xdSuM=m{GoyeAj7vSX*zRReDDOz|jH_fPWAXF>t${lh7&t$yfXQO&P=C9wM)
zUuvwrg^YbrZPj8Mi;XA$;Fq&_ii^Ppomat+-+@buUmT=&J)#gTVb)PTV_jgN{uT9o
zruFh?1`sjSF(}Za7nw4#(67?kPK7>y+UMIIZnRyUVnjOaoUVHrJDxxQs*KOjMSym5
zo(nY&MD;VomwRXXc>i2|S;Y+h)6FqVw`xDA)!@qOn<-)$tpEd%<<&1xNzo$-O(;+t
zpi9@IMlB3+DhK=na#1c};|4XT`Kz9t;`Wg<%pb)NVyZWi4Wcbo{nxj$tpor<)mok3
zZ_@$N*uq=?Cz1YawaPJ(lh#^Ns?h!K?4QN0dGqfm+vqe9VCRhT%*AM=U
z+hqJZL+VUOt)@bd;NKir`Pog`9(JOCay6Et2SW-BNc3=e98D|KVx+V{?aM*a!?v*ba)ktg`zV3Hx=~>dUHI
zA#Cy3t+U!D8vU(CR*0`9VZsKZ&gh5Xg~YKIiku16{S
zdnbv^gG>I)RbK6j09A3YTPz4<8PJb|gM-OebaJNmFbjB5zZSw
zp46U)etV}a?VN^+3YcVnh|zK_*XrWls^|M`PPqveCa)LWsV&di#4eiLk11MTfL-p6
z`(!8Ufhr$QCUU!VRkv8Dd}uv1f7_o`Rl^)5x#M8+RY&#(y}+#7T!dVdkY2Mm@bN7z
zJrL6BXwd1-XgEHt37@Csx41^9NHfgL}G~=r!i>
zxugIk_*AX)37a9>5q~-XP;8&QHAm_Y0imM@$`$Qw`y9Y?0ueAlK|%9d*%3!6sA*ST
zq}fL8e~i{2&>4Qc_$y>@X)}7%4N3B+VI~*Hs+%`VhDi1K^M0rP&h-@>72Qp3QRX(-
zv1$9(&(s^!RjA%k=8}9d@j_H)EWW0;xY{hf*3b}zCJ2X=iI=|yo?POyw+|R`X3Q6X
zG7ichV2K*EwDh#bt!)3mIGQyml7HaA{KsqAsIvVxbo?%v$St8puR7<9go(RYbhjR_B(_&e6lS1K%=ZmrjSUS4Bl>=r1xocvDpI6c+A-R~!*=UI@QPD)l+aovo;M
zVUp2-aB;ihMf#Kes18#iX;9!XiuS=SDDpCn9??izcvw0@ejf=QfWnqfu+o9&I*iIs
z1+93LwXA_X9B9eNUmaX|)l7*6G$W}%ftWHob(ZgP|I34SrZ`JWg!HL{ixH&xD^9nc
z3i%iF@lQ;y+SSj5-9R9Zf?%WwV54vMFLI9?YC3hDTv$LrrBi|0ZK)a2&+$1+eF6g2
z=MldkUr&hj`QoLRPn&fq!x^kU^>d3)Q=N=dy43%-gB9(n8kfXP(d`7!)#M5wK|D@h
zn+?P#W1sXeW&G?XHi8kw|28t0d>Y&oBR#x3=hEPGQEkI`ys@P-jX*Ye<_YmMfrRONCe{
zDHZxmsm^Sy`9ZhOE_;$mxkNCvP*y-~wSWzmaesDoMF;~ub)Qjp|I!9qSYtn)T
zoZJEFch!q(YW#t8qA#(9qQoIXyQ+?SI|zC{{B|t}Sts(BHTP+P4^jba&;Baz01h=?
z#2i8Hf2bvH3*h<92*V^+Zbb2#HujD!*yXe#!1lEn`lL2eovPJg%kd^0WeW$YT`md2mXs*KoY7J9YH6E?))L4DC9G?1W1smf%PrE`k&wz7ON)
zh3g$J^u&m$4N<^rZ&~tKkw^#yXrMiuzk=AOf>muhQrL5jUfV#>?jRYA_`#Oe`G1<#
z8g0$LWV41=b1^wZ@<+W$ff4`zO2KBSb4}30)cR2@a@4~9S@1#8L`IRDJMDzo2py}&?Cq?2R>XI@bt?DcF>zE@owf2mruUkA!b5A9OHk6v5
zA&A4&E5MubyHZy0F)}NIz3tWLYo)CJvX>e9nhO!dKWA?a=G1P}!C$H?5C!}#AQ(=5
z?oQp0D1zuOVEXTEeb>piCz;bFYAGDqG#m5Y`1bfQBk$lbb}za_^N;5W@ILX608$nO
zxTNH7!nEoxe`TCI3e@sViz`oW5+e}M;Uh|)o*A<}v=p^DwkDU1ng$OB5N;@F3uILn
zUuEzn4Q2Nhd>*rOnb|2X-{+T#3Q?qaO?q
zrUjUWe%LbyJA7nPEo&tssn@N|ua7+?Ixe@(Xu#Lr&!RE<(;(HP+t2p|w6!bmp&lZP
zUsLHE`&#ycj!J0PY;_xCBq4ZX;d-;P~9beW5J03p1?g>
zj(@$C`yN~@P57%@V`7K*mp#UP5UEUG1DT;!P5Kv}{HRbHfJH=rfcW7#)fa`;zxs{h
zCVVfpiqqeBdCjwBm1&!*jb2L5sHm`hO0dIl6nZ%QJ;3EPPb`SvWf4lJIM76+C~fM!
zG|3#wj5cD(`Dv=u;Zn1!B5ydR<~~S^QWz2^({vBrD$)f4s!|mE?~WpCn-(`BBA&2a
zQXsKFV*svi=rr_w6Xy)n0t*OAu^u|XU>haANT#>oGk%!gX}55A1roqV0bynd|DWzI
zfd-(e0Hnx2faEr~QD~`Dz_9=ru5y@MH#yws-dXgiyvf%3anP{hsO~epUZ)Y~JmkL9z-0RX-Ff+T
z&S4mx9H_g?(R|dj_>0Y^m89YKX+=z=^PubVbSs#rh!{8T`D9lsZ^NzcMl4?*9C!D!
zs;)}yj@l^%;)a{j?s`C6Ab)jgRlxRCrpn=Zu!aOOuYNkY_$WJ+;ayi5}Evb3sq
z;-7}7(Pg;G87u##N?Qy8UWY|GyiOW2+X{_HGxn*R0r{N*x}QG@d#08T_I_M^f!
zk%B)F+21_N+*#9awLXr9UGwdE+Li#jN*k
z6i-w~j^i}@bIG>4$aORp<2YQ<=w@=HzWUN*;1w1>2aDlNk2Pa*h7{3~XaJUOICsLg
zDwjeVVZVP?_0uF!e+i)7P6gL4QTBJ}(zlb5$kD5_A6>7`vp}H!f`9g1SEapiBJrGY
z%2}X+SKSN@M}xc}7rlv)s+f)GKY5YRvAstipKshu>$_328_#|TaFjz-ZtMVqyj@vw
z1kr!ME5GIO&(|mzh@Amy>}EfDBz;XqcD@T}L!p1Dr2yo_KS59lqQEpXJ-cxWeYh__
zyAwX}7Ug|t!(4&n8sD+fiZ08Dikg7TN?EJQ^1|zZ1mnq$$^*$&xIZVfI2{_*PhI
zkJ6M29K5A@xYC=dSSv3rNs(c;7saex+ZOgXyX(wT=vP)+!q7e;4a{EZVsy*O#=DB?bKqNc%emJBC-41p5$jiED%4*!exbw;q=>rC`R_S(jUO^NOHP4DDl
ztC`zAmtgADi=fU8$_2dF-LivUa%)7BiNNxdE6nV&%-!L`wg6PiDGxMc{S}#*$t(~=L23&e6A&WFD0EKXxMeR2y@d~KQlvhPc)W=x!UmQbZgKsh&hDM(5~!3z0gJXV@r
zrn|Up%A2W6QKTl#AwLY58aR->oXyRZ)>9VZe0rfHERzfTN8a|C$(3C&-!6vDsY@a$
zcRB-vN@od)-zw4w$=ZiM{8IRmyy|X2{m4TmoE>e)MV3irg9ve+24VbN!(a0=W|0V+
zF8G!?zPrzcmly@
zAX3Wx=lguUaE+++<=2%aJDq_7Fg!#DAT
zISQ9(?!n3f*T$iX$^xioz(cFZuU6IJj}zc!2jJ%%}b$
z0{Ct}A9-Z7006T$T#vv&LAV%HS5=OFcfNTpcC_i2Kc9;}(9&OL9T3oovPaft2Wurp
zA^h3K<+9R^02l&FmdLR}5tLlDWoJxt=pm45>-9wcww!`@8rh!C^;>FlA;G|`X0`Qg
z=JMVfGqp^SfAeGUjuX+vKcyP$)Y(#W1VG*fp;3|Dd#vnS2_!vY;lPvjmIm
zH>mDrF|z1(?G2JG14J;{x{f#_ZWGaIZf}NMNHUCdi?0V9{d@!`!SbwF`%ZXR{Gzbw
ziHI+IbrnhkAxN=dDf#?F28Mj_!u7S;C8u+8&>Xy4h=044u(TyXHPXDes2Kg1i<7p|
zCFVza-$yC-M?74X_B}OA@1rEJQ(-V8``HXJGeZ%PI~}SiCBoN-yFQMLrcS@kDRJY9
zJ3m~JdCcz9UYl@zbRVTH$NLU!G*Af=S)QdW6F*p^69^MG*$OWH)U?(SM~$fQ(Xb<;Q;KJ}
zk;cU*O7Xd;f59#so}oAh6Id)_D(of!f;dGZ<8&h01z~)YhJqqa&ui{qDOLTmrxj>qhaAmO6DLr1D!is`}NKzY@gn1XZ4*&?4M3U
z+WBVK>Z3&KHr?V;<@9E*2gkD~+=cS1AkKY@rT?qJ8$b(qS}`G+4tdWV~ZZvt35zp-y>
zPJu~af7AP|izsPH`AV9HK-X=v5BTOc9UOTkwZPgF$$gFZxr7_r>S)!(V7)HWUm-A0
z<)|~pTsbqmEJj?+-nvVjj44m^rzf5{
zJMG=7&Q{{67WHQ?h8xf24}{Y1`7QD(Z8`SqX7T&Y*ZrPFbL87W1odYpqui3NZXU&n
zlTc_t(a@^5g;$!?vVblT8%~sXKJZtb=|OnRH3P%nXQ7I7GfkE|-ZL~El=Yoboe--I
z&Hz=jyP#o39b`R7J6o9ty_U`cM9&oLP!UDpQas$kFpg-X})L
z>zmX_70PNzmhcXYy;`qn$4ACE*%c78A8KHT8=Xe?f{Juzzp-*;yT;L9X;rrRQ(oyM
zWUVD)FuL1ZV4pdds29Nz4er2@k8kjNIVWWUtkf@`G!2C@5cB^Ew$Tng<0|G8fbHog
zCoBBibnG(cSJA=h1_e7EZUlIUef6GM-Rw+$Ly-K1M;9WQFU|8lEpXCi&xO#g3nQ?h
z86vxY;h*CVSpENv7X7clYO8;VfZ<^}pIggMWdDCC;&L8c_pz*eWO1?Xl91;12hdE0
z_|C&hbmSKdoTfRnv^8j-t2G=kd&$4@b^@q>v#!M!Tfj4}p;Iu@WX~(w0L;x_3yiC4w#r#2>Se$l(sor<%)6iI3POy!5
zcFw?Yg31RoVp0$g&p;_EnfRoV!E~EG6^edL4i|sfj4#$J6~BQ$uJ1e}94_K6Kxe#5
zMq^6usg-p|J)@M7NOq<|kozi0XSL=BYElIha{|5#T%5Ylnl{aX7MZ_CCo>b
zT?f(ekmh~8)eG!ogprXuV-lB2O-U_TNmvz;*p1cT^Mms*6%CjmBD}z=%POE!7zx^t__n2~8
za~saXVVn@n`gh|3xlu6dl2DG3yBrIq?0!Cyw$-=~ogmPpbkzkl+I-h~7w4b!@ZwPm
zZ0@DYwDfA@!nC7_YFk#5*`CU=l;rB%4R7C}XA3LJ7N!!It@=W~*0R^i8xK2p_vLq7
zv}`s3)G;vG1m4N}{j5Cuw?!jgZ8khBPaVFfU%s|*jbS{*h1w?V+Dxr;()?QNSiAQ)
zOS->Xr@aY2S`#9ND>Hz=t{I`RM*`wggkZAQ-t7yKq||ArnLhN&fO7jtF>c(tIyWO
zFO~=xM!ygPfJs?tLE3Y@O`Y#!!mV-f=3Us4?(BR
zdQ^-g#PW9_V?)}=93TBeM)2rUfhH((wUNbks)qWxbC$O+KOJMV?O&gh1uH&Mq@8JS
zEs3~Y;aZ};6lNN}5f}S6nt*>C54-N6(GX@tWo%Aatl4Q0o;ED^%EqA8AS;|AQ>dnr
z(f$J5k4_d9lnk0Ncr`X)iNA&kCp4#3p-M`u>t_AUlLlA{r0GvWUrszCfjYx*N^JJq
zB;B0irbOqzDzhqCowbg&mE@>f@tMGR@Y%tWD-_##=dxBg?GH>eJA9S20;>>MSKLfRvz9D9Z`LlYyg}iLweQdneYFSFcvGJ7>gMMEd
zn_k-74zq)Ki)({l)vU?4(;+(eXcjw|Cmh1YZ(~konw5%k3#FgVL0gZmpd$4>kQdCQ
zk9%t1$9Qma06y)-w!#t!sNtwq8PMd*X+qeXjzeix2{tOkGN)z;!F*B_imQq|i8
zi|oC_ugw6N$i)C2gq~xb?!j`GFZLlAkYHlAzsBXRres2lY3otC@2*yKg8>%f
z6zhwVKKh*?TumwI9C=W}M$?J8PuxFX71WZ3(8?(kNmpvCmu=!@2q=l6=gL_Ee-Gp8
zKIF`58k8}pU({bnJH|*=RQ6{l(DNp)61ZFpyud~4esCy%yn8)ZnhH4Ri&tVA;wP!j
zE*$Q5?@7S&ake4=pQ$B;$VN&=Pi8bv#xV{J4GiUeYRscLg%;IKJdly!K#K~+C_iTW
zjk=DhTrnJtYQa-4FFR}Tf*L4+Iv>0>3`0rBZ`Io`d9ii!UNhxQLOR@FO6Ed#MN9h9
zLh2#RJ=`a^92=b;d^P_w>uT(qDf=5#GK{mP!@-7?(HClW`yg6cPi+KO_p9ZD!P?)H
zmnBuN$_
zQeY6_;rDGlmy-6%mG8KkrgvupD_n|DbEG;=w#}~d8|@XH4T*J;6`5^6zKrPAe8!4U
z^<2_rRZdr-4@QOvo)Sl<#|g5`eyJf)E7m7jTV{%{r04FdLu
z2^kp~2(LZn-28!A&k6i3x#0U1_St40*H7W^yTxc47if@QWcBKDST|ZNsV9k5qIKbH
zMDfRGsFAgO78`fBXfgS~_iY~ZB3%}P_OTc!8I#k~SHH_bnt{A(kc43N;JxdOnP&b@
zf7mub35LiD(j!q7j&E=Zt=Xk=JS-Hi3PD{m=M04fE?Qi6dCiH3dEg
zt%F_q94dF#B-+LA)@~zV+?{~pH9{OkrKn5-sK{2#!!jr=+~9RN=o{$oRW1G(3q}%_
z9@jI-X&sI9GhgfF!L3yDqG0xzKw7n}nG1NZUta9fuv=*Qa3UN7nr#HQLVfOZikK^*
zSoa{|!eIYQio83{v6@9^pi||qX#SvWz&e$O4E<6BUvR14)8Fj%g3>z|?JSxRq3UlE
zk1{(?RGa#c(S~B*;HzOK-%}STt*4d(Ib+x#hoeqarl(
zl|^saxrHdx6Q`MP@`e5izdMw~7j6&sW+u1iqo4L6+Oh+r?=ZHLm~n5rKQO$W8^6{6
z^S+0koFbrs%MTMUynX!$k_*+_?^~lKJz2d&j8uveU$^6I7&b&iS0F&IZ`4Md8W3q7
zeUnc~_bY`MQ|gb$00#lQ9v@JZq`HEv0TJZhPZ11e2y8NZ37A_VBJP9Wm0Z4W1l#w)|
zYN*(667tvr_FEw33=Ee3@0J>q7Jp{Y#lZ7GQ#>SmtuQii!?y0v>jAfNR}n^y4LX}F
zsEEfS^dWG75lnrvo&22h7o4Am=)>l>u{yY1IB*mZqdTyHByf}4^lEO*lF>?GT#6h7
zfjo}tv=U?lJdJ$QholU4YU2C}xT3>dhe5612tr1LOV}ptNbc;H7v?RO7M2`rb)_Zh
zeMB$kyPJPy<~ic2V?wpgkK%8JA1ULDF{^0T3(cFTvVY*ljr}q+C5Ma%;S*TWdS|B>
z@s(8O6yBUu-WY?^iioaEEoG@KYRdOB0YDlj{unNOSKX1Nn-61Wp8r#$sy7sRptb?0m6&v
zL6>yu7l=EHbOMNO2!mxFMs2yk%*|9h_L>Xv#~WA83+=ef-}-J@n@~3FOByfl(u`EMy@Z(TDP1
z47%XG&(6rfK!44T=>$T?O{`P0(~BTX;S^^nt}4tB<)eyBhDAn>t&WrJm&cKf*zIha
zvP96Y&K>G5c{aDpO9^~3C6}XFNZ6eRTEBN6E8aAvABKPbN&LY{sG4$=ItGm_XTX&t
zH|hCe-50yxS7a%{`mv-LIkGvS+pp({27t>kkOR$+d`j%b&J
zku=~t%ri7C+gTj;lkS^IoZ=W&bDT^nzwMWRb9
zr%L?tSQFRU9li8?(Y7?Bbd$#2ZAC}=c|hh15N0b9BbTSUE1DfP9kJ=cXqQ^m3)z#;
z;#V$)8>+*DqFM7?erQe{mV+ypk=6adCD`;%eJ
z^Wa1TyeuvF_X6gCYo3m*-d+bkRmH}}?sxJKL%t%o@*S2b_n{6dy>pdD*+;$MJeNSb7UU=_}
z5G-*0HOf%s!jP#7nsJc*&|iB$VRPeBF$pcP;JUdYEB)t2{@ty8obu`BjGGGH(~jnf
zqD|AOm`d<=Q?vxZz-0K2OzJv4q}_uG&`gS{AtFkFay!nyAdt%%&2TVxa~-CU82_(F
z?w5{4bNRakpE__Pd#;-c7rU}3V$7mtLI?>w94(!XCQ1$-8|okX?Mt6*#L>Gp%J-<63piIyzC7L9_-@6nQHc)L{THMkbIr=S*
zXtO66w{`w<2|usbRNfhHSuJZt!A>iM-X{M+bFWPJeCYyemoML<(n%&n;qdl!1Z(eZ
zz+SlwC(!QakyBHF)K&jxx@{f7gGKy|@Ebn)Z1w`ip}yAp(CNtj-Ue^*Dzc^i65&xC
zVQ_En9lRUMTg5l^lj&#zY_bB+dihn17n_djQoITYVgR`i@H>p0sIW@D{eHUK=}+@#
zW`clo6GaCc(eL+Q+0Cw_1QFAGNinHE(=d6arNIc(4=_!!@pQg1XB4Id4Z|A>+OWfJ
zi#V>d1j%lX(z9#G-?zdW@e3Q7q1?qBAbj>qU%s84;V7B~U|JS?$q>7L1BbNFVw2q@
z%Xdv~|9Ma40ySjxo$Pw(z_B?Cz+WpM0$k`Iqy~w@m%B6VNG#&E&!|^2?CF;B;{y+^
znxkq8z{8;5h>^kUt6a=o3kJNo%s!zuR`=~AnT-vE@OrCW+MxM4bdLz^4}(*f5c_9a
zlpgQEeP5=l<}P?eFQRO3fGSo^mQ`3UO*>?&NqveU#(5|_G5eHnj
zqNhy?JB33C+!3rR7K~Z-K-@o!cO?>&u?$qKnT-@XmL~c?d4j5=zr;p0AfUNVhqXBl
z`>~?2-gRi6H4#>PO+N1B{MjVr5Y>zF{Gc?lKM&~s
zfksj>n>%|ncD}XXQ$rLdxs%v7k=%x*I0AW1+Cz`N>c^7M@fBgNjPeIm?s=-T8xqBd
zzYk2R?`?Q$#|ost!I}HgV$DnE7K_uLgi=FMT&w;9ii*rZs$c20@I5WV17>f+MN`S-
zvW1Are5PIiE&UG#dBq*9D{T8kC$0Zo)aG=>sqNHJm@c}zA
zdD+%AanW^kzxj?J&?685dV1sBh2s-ez08i(um+NJcdhs+em8A~#-~sW=65s96sQB+
zw{qFp{Jo`Qeh&nMZlL-c=`B2Nwj#0$!RZ!8vJZc$Z5&;OS}PdwfMCc)8qGf6^2+wW
zCU8(Pz|6ctN00|$f0p5?f+joR0o+FS$F$6#vpg*Kp2`-TXiKa|{6{+pdT=ZZrTmMA
zzG38&g63YZw0R8QLS^GzcEx3BbVsgo_Sd>!)kC)ksM+TP-sffqKE+v+Mr-vc`IcS5
zzksVkx9O1oO^^CpG1B@Ol`02mqHfER)$w?lx+S{DEXG>DeSEQi1itZW&2F&%8Rpbd
zdUF>q3%hqb;x8Uh^5V)P;1J480uaEs#h9+BBKrX}gnYKb;U3i9OV{5vL9IW3+G?yi
z`y-Rw``PsseIr7|mGAw5%A0GGM;dH4#5ADcPk@3X%@81RP6um2Xsk!A+r2x@ots;G
zkXZSyAL(0axWg{P{!#g|lKy>f+9$9W(3%icN3nG-V#Pwz!E>FQb#JbfqSUff&P!d^
z!mxB#zGGX#Mpkm?`kkSp41%}NQ-=Rb(`9q)(lvA3elgx7pP00ZSm;J@j&nw8`kf@0
zGz`>W0~)Az6JMZ{?_CG(@)g?XXHKNv_>${+fM+p&bZK*A3jkdS7^1tcBLsF1_;4eX+`ZjPy
z5bzPfnmhnT7X1%C`#GI;f-WyHupe2CInn{8{46~n;u4T%lf1(K9G;
zeaRR%q20WSj~YvR@eiU}jn?ReuCb##xPH`}%BC>XT8#OLn=B^SNVos2_&BbE!$Jn5
z2{_>seyLV+TR79{`TuS4(gZAC9PQzsGCztzTg;+0MZR7v)D85gTDb%uDK1^z$z?sT
zrvHzzcZ{*L>%wl!wr$&8w$-IBTV1wo+qP}nwr$(4uljkvlaurB{MlLA$xc?XbKjY3
zu4|6LkNm&4ngOK7)JMyi`c2Bcc7
zy|}e0f&L4-|1!tVV7;fjL8#{-}hydzuqX(ZdDfmHzvu05I%4
zEDPlRKS{#=>yd*F!BVQTEaM;DPCWIMuj#I*7<4E7zmofZ`Ivv7Kmb1D%g`Oa073qr
zp6dSv!RY=-8vbAHTQSPDj4~DCPd2C!NIj9h1f`7Q|1#g8(;=Emakr;ghWvFXWs!6)=F<8i7DOjnhso{WEdH58^4hHL1Zc2s
zxQ&#WaPG1Jkt96O>ns)XPZb1H{gq}i8tDbdKTIK9wxH~=+;4-6w4)-6F;J|yP7$#6
z>&VI)$`N^XLc~%kwNBvEcz+C>-S1|{x{PQzDL5?9A)bvR^nskS|Jk
zK%B#^h!?vy%+LC7)Ys-~wxRie|5k_G->%ZXd3YHQW^D!&>}v9y-(`Jg-+eHn_GCtb
zT+mOMN;-Y0+DG9Vlf)AnR5_6G((dt3r730WQjv3a6@HdTtE+z?lkj+@g!}~kfAgQ~c|D?@C!GE?;PjV3RN4oZ9B9NH5
z8a_I0dwGy`4>T;(IsAu~%pXod8v%9%jx{X>q^~hW;m#)HbXe{h9_`8{#zO#>H*?ka
zhyq`Zi0~=zwbR_DV0rGin6c2WtbqmsHHRaoa8ocdxH{070!_Nith+i@bFiF5^)T~A%iZw#cnuAYa3!n$Q6N`EPkjWmbDDC+haCkc`aNzHVJ
zbZ>39G<)q_{};4V*93Q~0`kGJxvA|D@-tzX!iee9;q`3`ztG&eQLUH1*LY38(BI1x
zuVvPlOD@$t2J}EUl}(!`BU_OZ+1-=_;V2ck(%5fLOA
z2SA*gF$jb|lPn4^R}6{#)iFO)*ufy8F?wOa2j>;M;56ylrxqC$3T-BuVz1}iciF?9
z)1oDm7hoc-H?4@fj%B!|He?Ik7`oT;X_1CS`61!6<3O!$vVYdvI9Z-Vdcvp-T}-yS
zglVr2EyXuWyA=8)8XArYl{I0+Vdh0({Iye*Sr0pdfN3^G!#6}f=sND$u5S80?t|DT
zt3Q`#(JMO(OUAp|SfQZl6M*z=mJj=l&?_a(_jCFUlUC~|sZAmH=hp9z*P6OQ^FO|+
zT-1}uC5@bEbWQ$%y06s-lVF`Q?lLtwnEu5o%-Z$)qThwi+V?g%o;+|~dHeGfHEWG&
zTTq9)d!|nA+tMmzVoPf~{2=)O_4lPj7()c!lh<;{fh`pAC
z#Cn`S@bZY^{I}q`D3b4D+Q8vz(PXH0hdNNX-Z!j&hdue6`KH2Ce8n>1%cE(tw|&e834X%lAL*DBE#wk}dNBs{_OWyO`5;I<2#2v3
zyvFE{jKpUVKmC%_GM&@*f=50&
z!P0=g^Pt~NB=`YlHy=r4I{|#EYpgbz1435Hd9e6l>$`-({~Yr|UEFlc^4(i$`LnEr
zsr5qVsJw?i72j9n6|=c4qo$MXle(N^c>}nGk!(d7Q#txIb5*@XJ?0|cL`uO*S(p-o
z4ppRvqgmh*!2qQ|2w&vlA==hyq(Kx8{BLo|lq$`&*p}sJKmO@5TbM0b
ze%a47G*DO~S}?(7y#2s{Lyu<78U=|jkq#nLESZ&67!FQxINPmO!I$lBrMRCM*0>Q4
z3{+AV&L1qG<-mv;Ac2&-MJ3_E^xIRdBZ;rD9m^15*FpT&`8JCAlTkwCU_xcq$z+*eiRiln5_>guId}t5u|v*;RgY2i-V*EIRc}r_(C1
ztoe%BJPxI#U=_w-L$s+i@YtN|+iJ;c>$zNR9k$N{vyVU%{JO5F@yTv}nSK+1m*2@z2M
zf_H(0WFk7{75B>&U*zez)5b<8nn}zpu841-DSS+m?orx^P(dmX<)G|B>5=qW?9q~bgi{7);h+3Leo;uo>AZ*eY+6KIK
zG97-l!95izcT)xx(KIP_nQq~n=3rWYSn7sHK0n_xd2s9T
zd*dcbk?~}^+0I=1FkIV$FL3n{US=f=L!Qb0F-Z9of+9F@nL`|kURDKt7I@1OZIHqm
zd0Mjei@QfVFpYLpRnE6ZVG#%TeCL*C|KVB=!lBGi=Z){seJH?~u30t`7Cvcxj}zF(8;X*CY)iN>jVzP1XK9+$h{VZL
zA7={B!i9XW7<(3tf*8!qUE`7$P4Pi1%HrK%5)k^?805XvGe_F1EHRN~qzslSgI+92
zZxCyhf~#W~?4?Fy2foqED1zR-llk5ILe!IW{>76ja!sTu-5iz09w0`#X)wPgIGcKL
zw<_fjHPDi8eGs*CklhyMmF0pS5x{W7nG2FNwa9r$aED^jMG{x-sw;puLUrrO&(UJf
z@@m&BR&_J_M8Z3WmuFZKtfo(e$n)>s3?kx&`WaR^=3+8&&kmh3MzjQBaUkw3ai9p+
zI@2YpAypov2Mr+Y8_O4QTHh1iaW39;HCvb?S`x@{<@jis;|TUdhii&i
z8@A=6&K6JYO@gbN0Q8RehZ=2WQf8}+iH_Izi8gfig^Re5)+XKWFw*Dtt>!uy{rFBs
ziT?KUU?pA*Q|YdBT_Rr;)XrQYJL$?r%m|soC_Pa7T<#V6K)QDo7Cau%Q-3-#Au3zm
z2z^S;!AY@d_R-?HB2|b_Ws{5u40g33g9rws^0@R6%>4sP93}uZJlCt$8og7an=re5R{jyP-Qbh`
z;snp=Rd}e%?Cuq7GVdh~?{7vGJm}FdGp1%adi@NgG#~D`A-ipI{-~fNqUD6)4@4c7B$Cbjsm_-~&|qs^lD*Ut*=(~^-zo2)WfnH`(R3Gj&G%kP||5buq%%2GPFN@=|3)m!Pw<43p%ca>7P%J3~YuUfWTR6iLgHWgfy3FENB4yIatRox&hn2MNLDoE2{XR
z&aepr{HlO9w%KjPg_DX+1!f-If@WFzXINy+69bh8O$-5K$_v}iHT$mC-PJWLD8~Ot
z9QldMp!*R_Y(*6}seE?l{NS_raL+-OTfhV4c04zG({>s@Tz#ghJs*-p01WBZJqkmC
z&9w5_!Yhvq^o+UGt39whjCh@e$=6#vtj@A4SjO${xw_trtINNqKkDg6D(i;5xn$I&
z99O#EHlU!FoFWF{GekuzN~B0NPnIvC_J*0qs}SIT
    l?s7}*4vp!2W|88=L^r|
zt2BB;Gk6qmW$ADWZ*Ook%T1pgtq2LZHLP+={dil^+W219$KlB@KRvJp;ZndOV)bL$}-H((Hy`%s$TZ105GlR?xM{hflp;zt{7_M|H#Or>=QJ>8_YH0NDP=Q|sO7$=={sQqc=94{3l=xWHW5p6mn}gl
zrF$)+8*V|Rc6(`~HlM9YBxiM1^=uX7L8KktOo`{|xU1YZG=b5-0~F;lDEG215#%>Wvs$*q44GtaMYS{^g40cUbN
zZYX1dHMZA+h|8=LH2=N@0yBgPk^Hst=e4WYA^=g3ZCTKsB$-Ztf|vL$bN!`tlfb#<
z)`JW7QKcQ^y}Dn#_#735OilW(;Kf2wBt^wZ+frSz*gES%eXQ$I%)Vr*{cb3)?Wk(d
z=5v!|y`^0-%Kch^J9;C3AnPPQ*6sG|_fevI;@tT&StIf`DG0Z7}(4hmPeI2ZUjtbVN=YihA0j0`&I`dRbF)qWYH4$
z)tM{zcRnqSg$wAvP6ge~o%x^5!|v5bPOkn(&X(A;mrG7&mtSyaS0z{T55>PRg4a|m
zQz8Qzhgi~oKn!SzsKGS_Eb6kV0-9>VWwOyG+?_KUZ)Vi@xTD-5MFC>+iok&|JTa7_
zO#wLxc^L~rT&8LqPXkRAev4?g3D1!QO||=@BitgU%tlw@#}GY$M7XP$)BVF|H%$H=
zV=menNI`kD-6Gd0z;PS9Qo=#F#YY`95L#I3d$J#EeEGWg@rF0b5zscE>A*Ee@Xt~51ecI5BL
zgF^qvlsr4M%m;nY<`yj?p(p1*Zv#GB>%KqISH4Nf`ysp#-y9lG-F4t{-<1whe;uXL
z25q4r+CSI;!K1OO)jfn(WkjKN8Rwzb&+5O%k$J@p2`;xC&|70l{h~!^O3UzWfy9AE
zpy5aO+q(!xAP;~S^9$(Wt2);RMs_Ntj$#g`jBv~)2}pHNChOkvXdSPLM(
zb8ZMTz&#=~(tG_rDW%L>3S2eWKX|zfBD0CCJd8T?KB6o@qLe!{TGiUxM4`$PhUb7Qn+xj3R=@-4w+a~`8ONFM;qIsylG8Ook$NF>GX6QC)uIvKLv30gK=j;WR
zX{eoMz~7`V8<&M%iB7AFRLPacY&=NpfgpU9N?RKq1pz_?;C8bk#QT);glE)M4MOj!
zPU*qDc(c3~ZMwnXL~(&bzRMvoXCFp#OcgrS_|5U!d(IDZmETW3lq`g>t$)=LH>OUT
z>GIjkk1F7$A@)&Of{hVbA9o4Dqq9=5zu1)0K
zJu`Nu9isldXH9%WE;4-W%8aehO4rhns2y!1ocPwkgxtuI87wA{C
zL5umMa|R_B1?l6KzRfm+Ub<54nkb(YQ9`}>gKI>-w7USdvU8E`PYMShk{T-eG6#_*
zCr(jvJ89*WTZuUXyqi{OS+LeStmCtFZ-MEmgscM(K?(jE48Av$VoDnR(YX%e)?H~8
zOYY_3xx`Lw+hbJO2`!4YZoLq0P3hh};AExxcq>X@WbLghurgPxqtQI4&Gu)IM@KMS
zcOx&V_5^-B3;dzn$~Su1Uq=+Jc)Ms6bvh|b8e|G%`-Bbg>j1(*OiMEB%GF`oar&v&
zyb5Sqk!thv)FKZyQ|0jeXl?Lo8k*9on$JAkZ(lZSTY+ssVvreL_L3F(@>{JiUJS+l{B|uQnlzF6PYsR_UqlJ
zE0acCOV{>xJ8&XkyKxlAkeeP2-bY*f$;%nwl<1Sv3#
zZJu%E8Hdl4lM9d#aW>})vFo^fhYr0H|^KGchE1$UK7mOf%-8d
zG7T9TW80p_ogU-tFcNan4ow=~$Akq%n0lgMpg}~S9*|?6zJ|DyhZpW(OBBeUI5_#`
z`X`*`eC!TLdKUs@mSDd`xg7^mmXQ@{FPWf|Ym0zd^+*Ei{)7?9Yj
zsw`^92|?l6OXvZ;KR=Y<NQC!Wc-RG
zZkY0j=!|u0I%1J%B9)ZCw1#%
zIGRX}6=q@_iY74?!oEzslG00e$@#gPQT$Ta5{Wajt7!}
zH9H=L1ZdvOZArE+G8+IAcbvc>Jdps|-~)zE-e%TCch(iOmVJDl`-1S}Rxl8R7@Pa!
z_zZCv{$|~5m={T&dF9>wJm}dTI(@!EGX>MAYelbT&5BQ)tKnW6zu`zXa^MZ;j_^Aw
zBjrp7&ueNL^RZNo81B3-Uvr^Jt``_Kn?2ARkM|W(2}oC&y^4dlQSI&}rkZA-eKvl;
z+?qrVWdWTvuqV2S#4}4I^FSyj6OV+@V;tQrLSGHo%-NiSYQY;s8rX*>y}
zZ4rS(coTk$@=9?&3X~QUs)_&yC*b6|vux3I2S;p%C#^Dpm{!S?NUPHK(dvMKZU$ZO
z;9tj>BF_AT86vN{2pgi;EZ{IX1{S0C1>iTl_d(~XlCBC(aqbKp3W-=>jM5dw-flMb
zwCe|iS(^jzO@uPe8WhS})I`6-8$HXogMiA;fuRPwMF}vzPp9i^Z?n~}o{he_
zB|HcqA(Sfr9s~-SZf5&*DV(Cy--}y1d$%sSwH(|$|Ea25jOH$H-#&bGDR4rEd|Zei
z1sMbspmI%{x@ucd@f^$IG>OH8s2ra9c->b#d-
z@()I`?V@Y1gU;fJQ+L@mmN;t9Okx^XHL7O9f`dl`ctJMp_Lv=_o$jNR?^Zk7FcrJT
znCJ*gb%^}sEpnonTwZkf?1-8?dM1@inevdKjaYwN$zu?19_b9
zWC;l6gL1>1bW*UP!5<7x!Yv2Ba4KbV#gq!ONY)73&|u32^NX-?g3(apz$NNe(MXt#
z^sjkt0hOYVnq1Q@zXk%CXmSKYb5TUUSacs^V
zexBQcV~Of2a=3!1pYfLE!jFH>iJyoufIcGtKmkHdLP3E7W$N7wAOQ;6F27}L$S|tO
zEvcv|5;1TlCjmpHq`$Z63OtpNCt(M8V2n1zTA+;nn5hyT_kEtuHY5fC3$g;o15ks>8QOzg
zGx#T2Q+HJZvcv5@k#x0pJ9Tn(&WKtmNjd9Y|NJyK4SAl~-NeE=*0`qDp8k-QIJq}l
z092t+7zK2)k`1fcLeo9&T+eBU1|6i~6q0a!fTd}|X36zcE~!euffLjS3qaRryP<#I
z2+X!f7gmoeIpECb&PBwFJ8X-l&=W3kS*=pl#PMh6@f%CZ5%%}d_ek`0!x(k1{JKR`
z#q*HH=6N#Jx{-NtlhEw}yxWW{_U}%?zOtd~#UYB&0540Z9l||-evLjjZ-vt|u)2va
z+qj%ulg~|nX5U8=?6x)FCG&BKy&_D7k;QaoSD&2GEbnCnVx4^>FVBION42A+9Ijr#~~Rj-hW>a1E>%
z=eTKXDz!>qGs```M&|jN5R+Uo<{l-liHah^c!@71Z+wd;ZqdEK)NQ+G$S3_Ku**So
z3X3c!qWqgf^Lgs^o-3MsS>5sXoDCTL8&o<8qqlYAfOOV&dpRy~%;=7`r)Sa;gvbdy
zKA1n&;tFfM&EHW(@x;P6p1zZk)HVysJm?{g?xdeMdacPx|t`KN7*T
zKwcEvpu+Yh=E(B3(CKZb?+kxq1DAUu-9yp(2vO8m2+~=p8~2Y@e9O@cnN)WSQ9
z4NT#X$q7{7aur|SAjqZbV^Yw?{x_bElt4s-~t1N6<
ze~^V#Xdb20^Pr0DQ1jQwte7o{W5XhqL>ra_%27)rDnRCM9U_KpB~dnRCDCYXNO;I4
z6lk0KBrchyb(MbwS5}$<0|{xxreUClyXxDrB>KdN$Tgcb!;6|1#bK?^ggUswf(VL;
zbYHG!osMe@`oafQTWzJgLh#4a8B-Lzl$(BMJYHTVN2!14c2z7sv1*Khh`ocB7na{Lzf9~sizw&M4npv%*
zB`GhlH93*FgNu>>MOXRd4F8+n8Xx38?$O#ZJ;2uIb((thkLT`B=?|AIAA#I73Ek*V
zaEc)R&@=u_BWjQ`J47JyECvl+^g!NG?BY&^$Em+vTmOnMg+HJGBh9cmzX5Ko3%|bn
zn(8rNsL15)5riEH8tXJTiE>_~BOc&?!7(rrwCba~QV5s`Il9K$DdO4^S3_2IYMr;7
zjH`|HKE_^i}_w8TgaJk+)QvZ~T@c2K1oWLALRUAAJ
zpZ|zw!nyyH*xX@+Fqn2klpLh2u(Y^5|C4`W&8X^=pZ(hoVy7LhZ-6i&35NhtC}C{G
zXxs&$4=^1Ff)F5v`iX7;s4}}xFEC%*OfZAKxL+_3GTj*jf?kBTTnfbxhJGyvS6xnu
znzPXSiYz_xKwg|OQ3*LWi;Qhnlzfu}Ll+(#LocJ4LV=jbI9}_C17LXf9*-6$4
zPn*~4XLl(79E*U4ssS8=uK$JTnj%UINhU)eQIuF393D;yCJgQ6GYi^^R{U-VsE1J@+Tlp8O%Ra;iQr{Dlx0U!u1bY4N
zcj0wqLKbTY?F#P*igZ8OflfOuKtVa57+^mTV8o%CfKCA0fkb|NN)RdP%!s-Xs$d4!
z1C``A6lH0NTLr_hKU%&-k&n?~$bUC%hOj&Op{-m8i#;wkjoatAp=lfE%!rrP56IRp
z8rB1VuWo&aquvul%teQ++RnR*yF5sMLIiSbNU;0|cSR)rGr^6c&0V8@IniBWp8r6n
zYNz^%3`$rn$!TI@;$joytjZ_Q#8iG~gT?4^1VF+Q^acEjCH-fJ6&N@2_JIQiqA&62$$OQz<52brc*@HH9Kmh@<(1VwHU?1SH
z8YLPryQ9p@KwuR%%}J$gm>0<)p#;O!Pk^*bfHbL>%q9%JHd4GcEi&4SfJIaOc^03}
z^)@V==Q}QfZPSt$-Rd_l|1BKX|4znEz7`p&x3^?vcmE9jjoZ3+@OF_a1$Hd`7;L>
zcZY|^=LdEM4+s2MX;vrrp~G|0rRMYgsYmP9)g~X#@8k0E$H~jh&)MCVg9j`=Fq5A9
z<@I82N3_p-p7wn&+)pzvokw{-8-iKlbtAJ@TkGkKMM^Ducxa}bwX64=crG*ZBSC5-
zGcYX7aT5vFxT>;0?h*^<{X1Flsx2b6SkyfZP@^ZM6X)X*P>I}h33C2?G3f(k1(I4u
zfmxg>yR1hdn>@brFSCn_ifIW{Gt&B=5vFX8JVMfBWTqc-^QaxddWs)MM}xtSnZmawEN^d45Ncey;3b23;W7J|G)EmbI&U
zv*Mgr`T$a(W?DcCYPY!B5=OamJ}R?h^aIEflO8`@YfD?MSnS2$whJbzUfO04SWw{S
zYTZxUiSs7dN$QY5`lZAm_ByIFSM5g6L`0!YlConyV-iEjUN<)JIk;%noD9o%4Vqco+MAT~GpQwh~F6V3z;G(G0SK8E48?Y*T1u
zabjeFj^Rl8E)Js1@RM!U_qI7|R(;`ej5*q{Ap-7$#oB31Z9?aXg83l#xi7IKAP?vcQXxLm$MGpZ0O?{5|cZf`h=-4F@UK
ztVlF#=J_LeLHD4y2%O87m(k>AEfnzi|rriYhhy
zM4g-%0;uEh;9|nk>pgNbzYY*
ze_@pn#9Rv5Tf{Th@agz?*LK{GH1DDZWQ1*v$M>V0*mh+aaa=5**%pLamQKE_DMs|Y
zQ)wC%E1Q7{0<9Bs@jsCmBTCsau{pPRo4Zt3B>Mj&|NcZleWicwq0{ij%hcKnGs3{a
zWyB05QQ~^g9@O$~e!XfkCC{Uz`6t191?Q^~75rWcfj1^}OR)-`$&Aldh2fS3jgcC!
zp3Sb!T&bSV76Gl>nMr1khV6~!9>m^Q1-jlPy9lhfkc~LZBI~1a%b52MnmX1yS0w;J
zn;O?=D{juqYwp-}rPf{|-&Ng6+V2~v9s5Qs%ytsYIg?Q#e*I
z>cROy?1M7!57;bK@4~VTMT}&U#_Yt(n#Rl;moZYsF59m}{HI7U!jtM!+Q8tFCds61
zE+**PIWlzCGn$;0Q8`;=GM~mdmmIr`&%3^%cyvm9v~O4~-1nQGaCjZfC#rL7GhcRp
zM4&*Jq%$?w=}}psoRJU4zJNjX=*E#aiK`z{9K&8#><1>4spF%I3e5f+mMhs|a_%c&
z>2#7)f`^of4P=g()E6!xVHGRTpKyI
zgf(_Fqz1r=oW9r(1wHIK6R%g1d1u)=3Ei(hpRz|+FDE!Mj<2$x1F!!4V*AR;zw3T?
z{!;&Xxn7dV40xlsj8l(Q$E~#7%w4kA&&xN(Fo*(Np*MM+$qbU*?vrn1Z<5UVW5n$FI|
zNU2qjG*MnYa#7(DHpQR{6iq{KMg82OVNjVXV%4C#edD;sKsK#ef4=G*4#)N4w^bAl
zC44^nrd-9m8NU(6S@?aV7tv-$t9W5
zj2^}gX5{p#2|WBIdVEBmLT_iwT7Z5^dqNnhSZ
z$#IH43;lBb|FZ$8
z*QLCmKO))g4|CY~pDXmAUHlw}%5t`-f#sD|L+WOg`KmmR&E=l3zm^PNsaVgOwsPc$
zKNs-xqbEVouyT>ZbcIlh^g1^Us_i-;$usTF25U1NoHr?`am&ddJVr>UP}w8(m0ZtMy~*RcCY
zNVQkdsWI9AtT*1TfBIJ!yKcI__p?uy8+EQ;J>~0hr%oM(ADZz*%x}Du-$CBoSpwXA
zJaV%(Ha_#(X=OAxh)gI}o=8jsvKZoMb{
zX)r02R*OaF^c-Qq$xP!rk&QR$1{ub=(y2cL(eO(pQ2wJouLIT0Pl}W0^(9y_ODDKL
zs}xRecnKK7g_lzH-Y_S$^=6Yq%uaC+M-r0+7zLBx(au$fTXGIXp%UB$ZRZN=!?ziv5zKZSJv|)f(OaS@@G8L
zYRw}Pe{fEY7gQix(ahBn=e#(OFIT!mOPSW^6b>`zKzHS1;tRVc=l!CYG}FwLFOVsWlC~jTPfsE(6x@@#&9}`iJ^`(AI*e(|G+!^j350;yOjhN
z8NX*xWX&ykTV^fYn#=)w{04;NnWi1$=c3iJgQdE)5$>Z+7jDp)2YKN<1r0=VqR;Hi
z+NhmMW~`DJdpu%$q|}4tzLF)SGuX+Ad=(9z)wy*1qhD~p7oJC4)<66vLWW;2_JUTC
zy65niL{5TKC-Oq~}@W`SAtwPRh#}&X1j}+{Ts+tK;`Zn@yZ%R=7X01L+j?kGw?2S-1{t-oMpgV~LoOh=XWLrQh
zExs#Rx8-1#MYhvSf9!Aq6we-^m`(VZMd;R_wAHWvO`N~9sK!PlGdb0m;|_Uetdf}7
z5FQ|q9+qzvE>%j@E$KDR?R&$hvf{od_LU0#(3dDfx9aN;sMG61di311C3=LG9*Rs0
z!xB{E{i6G-eWZ^I-i%W9hOObYIeiy#m)9IqmZ8sz+%}I^DifQ`{lPeW
zm#ZQR+mHBff>tP;Kw4L>*lk*WCMw=X7Hk}zfAz~*u3jokcewu@5mlLA%-kS+6)3;-
z>RYi0(*NR^?rh7l1DE4EpAr|ZPN1&>r&WZDJmTMFs-pf$@q|w!^tnJ5D
z5n8x#p|({)TfQo7(@cd-lE(@J*5#bqgl$2r!7&r2NRW^9U0lo+-ys6x)w|}TuaH*q
z+1(MGB~ooVGd&5C(!yJg!?Be>kT32%IE2#=C`ehR+fvIEjn{}A&xcIKpHNCyG9Qff
z%pEx|vA8HR-Ou5U8%r_DgRczGWJZD2cTefq&!2$NlGh+6HJ#Q1AdwI^lz?ESdsd<;
z|I%Hc!ocI!xE|9c!8l2PDRYn3#5$hVVeNPdQL&uj)wU}GUz8D90=o1wI)iEO7!U_6
z{mu3Kdbn$%8>Bx*L4V>Y%33oPzuo;9;$bNZ!@N=}H!Po}wqYNgntIJ<0YqfvMc8!g
z5E%@#Agw~+e70Va56C{FQdZ7YS#UxRiog&&{&lWB3x-#)J&$e8?rYAZ9x`A>-X;?BDJ%+fU=pa2f$ytM+*6l%simG7
zJtA%oJChU*NKg)aiRgh(C$X_*#VW{^eNx4EB-zEPKATi_e-g@k{$qpHPupD8aXdk+04JDYbdZqVH=GcVI;xy
zWXJ+c^a!0C9Rw{D8AzcvlKp!5*Cn>ElPBB$YEkz_>Lttf)2EzCU6)%rG$pHvOoGrB
zT7|^dAIa0dzc&D=rYW#2lS%XK1a=m3ufqt$r4@V3tBYPH?}Qy6mAEw*w1q}aKS{?}K2BrU665aop_2h=%{-}_PXbO03P#qO
zm|Z}Hf*;%&7+g{_?#j{-ZSk(Lf@7kQXGR=8*|3H$GQ;J-5{+Y#)&w@Pw~PTYDzDj7
zxV>(s_?4R}wJR6hE6z?K&3j3{tx*UKXTZYB
zEszpAem44|u-zhx#|$~0bTQlx5ZjjK<#-Xb&Tki|!+C4}PVX;9Y}LFGsGVG(yo(Du
z2CXCzWVXs)e_p)8q`e(2EA@n8eYjocyKnKkRUL=M-ql41YpNyZm!C_r`46v_%y7Jg&GOa9O~!Fk21O+`~E
zSsBsqs5=tEodGY@l@`@jXZ0Pw@y|pFZ?^U5Ol*|)x?RFtl??dO`vHtwWUdO^3%v6
zvA2)5{QF>go&0WNrJtBaWSt!4W;nZawYGRenB$Ss{#5K*0zd;?1J*+Zzy;6&s|(Om
z4A2F3L+rB+_yMhp??VhA3)lj%gXO~ofCuOThyb7jZ~_bP<}=pp^;E0{$9^RKXN7LE3
z0@mmKEQi_+N8%js+-e3EnIU})Pr8h6pYLn6z*J};5{+JKQkSmV41xh_KX7rvvgO6<
zv;Jh+kk00WxWq1H^Pi}K6+>Ig=hzv-xnF(>TH~fUwCAOFFhu?VNb-3NokRIj#d?ja
z8O;BN^4T1Zh9)Yx?4Qx_xZUn9=98`YlDv+$+ahS<^oA(@7`L^esp)0XIsw_(K!#BE
zG&n@iRNydV8Gny+1MFCPfJQ$MW&!loLe5r`ouB6hpNHC|S1B|^xx@Kl+VxXAqqY!W
zg?9(uzdNoDeS7Hi3+tX;GqNQ{7)pdG_}2|;*bpoPUQBe)t|s#fpg75|*830qWicT#
zbN0XC^+D*Ubmzmk7GuV+IZs7NQ-6fdC(!bwm@gfc9)Yn$qQw_-l*6T`m<yLE%UJ(XQo1H<#X4Zs`5QJr2i&{nYXrvuFmSx0&qaPKAgEPDT|9
z>VjV~GU2jHZAB~Q!v52h$-kZmj2tTNlvjk;W@~jx&zHisuS6!3}H
z7IWMnm+ugvDm#qclZbgEsiGTFa~kc?YVJt1HGUER5ySUibjZh+QbnV)?)l5HV&?Xl
z*0bxaL8XkRO4(VzJYj`hn1e#-cWh5)r=>@vb+ZIlx=@pwC(eCiVp{`xp9COo(`K1ifHs<^?v)<7N6fQK=9N^pdn9$kP43)n0lCE3)ZI^f?`S|{b
zE}z}8Zgw)1t!PaXR``Ts7hHR{M?>OGF0Z0Hf6Hq>>uCQSV86rHPb2Mk7I@BOEl#cm
z_!Qsg@OnvVgyzdQyQUeN2s_}txo4rw{a$`5YX#G`!MG!`_wXvVC{!Q*5LVe2xBsvi
zR+nJR+YiNsqu9Bj_+6gE?MpMm(WlI9lOCOl
zz8AKer}zCiT*!SH=kv3NuV4FV$`ae!Yrkqt9h8;@`%4!0SW7cZxU!D~XHVyIyp7d5$=1oQ34^j5?8`u>b@>J|*{t
z`q;Lix&r7Y|GyD^DM#e6XVq^AAm7{!ZsKy?BoNg;x-G9P3x9Xn>-@khaGV8|%MxQ?
zlw#~#{oohwmnfHC5jGRDFx}kmb8&&tGcMRJtHQj6S_N8|$VI_-Q76@hx8fLaQOD6RMaKH{FP@A9t8^N0kwe-=1aqqAwtd
zqo9cq$TtWePyhuEA&t;D@ctJeginY0qx!a)PW~+fEav#s{W{R@YNmW>o#(D!p5C$Z+?6KM>3~0ene%Lg
z(&1enS)P{dvW>c%wC@@QKX$9^a->wb0vQbN;Ryi8v?#6HPSjub*7x$`UZ||f*6nM+
zVH@-eqc@?|mbiPBM5IaJyB@&!O>=jYb@0E;+#RAO#n
zb_F9#617FU+F5%eK@{E9IF`3w+k@*_KW??kuoiDYG9GWCR1np5cn}o{=n5p8MYogT
z-a1|FrFsxV+udn&@a+Q^ID`NBT?OqF5)VmMT?Q$)x&|;18kOx3jQRF;1v#>*i9$l9
zj>^cMHibuS*gqa@5697w)I^>8{eJ*qK%T#|a~soIqokz8WqlkEmy-}U;Rqtc)rA?}
zjI!ne2z~E09`HVIG|?5~pE-N^`hi?vH1uH1V8<~|2Ns2>R9R>2B>*JZh
zC`Ave_PRE8gqLk98dw6EDcFLvYP)HFx>;20rjWL{G)N_r&9=xYn{GRQ)X9q3D)9(O
zDeu(^bm(9)LeF&Hq``0Ms0i6i3{O{6U{!8E`{AeIB5^S~Nr5;ci>*_DNJpHU3_0H%GWQ
zsj?NR)BvZ?D1v3%j?n}IDS-6S3^vLXb5v^9smBWIZMWZW<4iRhAOO^8CWYZEwp}91
z&;VHJyw14i=TYtc-MQ&3$3Rd4-kX1a;zTCC&jSPur>-u>?+XAS1_%(KQ~(eT;w@LG
zSgA6Vs@1C3to2p8e;Zi8{;q#RiYT&?jcRmb8r!hO8)%ThA`CIKiG~$rxDg_aG|FgW
z>gY_JoNag`woBFTdLse=5wTQ(A|)^?VAZJ8q-8P+6e?1#LZxaoYSpRNpiz^#=2>H{
zb=KQpqfIv3VykVo+hM0&cI)SF{SBydJ4W0IfBxP;01yfc@4va6D@#VR&$SvE
z%dD{4+w)Hy!%vSYmwY53#i#R5E>XpWkKTFBtct{3;I|AYdJvZA+#WJ!Hn#Gfar+xWaBLG$hP5wk!9R~JCU-ixyzc!Fg@IZg
z?WP$W+-GJ+W2D|#$^G#X+UbBr&We%ogc9+OZtPp1RM
zK^!oCR?_K!SIG58ZNyE2f2~;{Mk+LnI>cJB*EI+kejn_dY`*&9
z(5`m3r~le)wmG8BHP3ttEpAI&+t%Lpwci4ZB+-n**`3>R1q&0v)mNM#vn>HIKkE?W
zr6Ws06B*dfK@b43Weww7GvCm^x83ZPfBf5>p3H9dx<3cAVY~?@iZaP$Q%yI+OtX48
zM{{h7X@nr0a@e4rt=2ZDZ#hJi9D}R+UChdQpxMpwNB8sSyqY<*CqOnuthB{?QAWkWq=^lN-y9mECc!73P|m&hTQ^<
zgV-_~VMJzP+A}zU@%1vlh0WqAjL!8Bo7Gx%sVPlun%}!9Gv=l@qnX-;g?RsvV2HJ{
z4DdBpLTP6|B%O`k^<4kArg^XhXzHzQnNu`S>mDy+0htku?7Yn}Br
z*w~?=5~v{IR&G6br0P07><4NDh5+Uv3tM)aJG1l4tm2eurNEmapU
z=c2X(7eRfIw~S5M)J@xrb*x~8D}tcj1ly;nw0-ZYd%t?%7kW3@M;mv!1@CQfFWpsp
z@4_l{cUy+Zs`$th0{Um=hiXza6V>)aic7jAW&Onk{A*85Fw}7*Tiqavf)w46%t-H?
z%V`XhGb^u`{{YaZdY6I;7AGp*?9EcPl2vn`SL(1vv4;i!qYlGEn8Ba+0^(1%o%joh
z4Emm^<^s|hS~~J-q@=9rMj0v@e86M}{i_=jEx?s-`#ALVE_i2yJO{FYB%R{22Xf}o|{L#;WwNpbt0YMBE
z>IkIN%YtJl0*I8^mH>h*ugNf@&AU-hGUdUj(W2XsNekBPlNSIy0BI!2l4G1{a+Rw$
z$9%n3SZnil6E5sG)F=~7^^bX$SZSRtcG@T2N#|U4(|u39PFDs6QGw_~2`izAd~QZ3
zveQ>`dY<7$kj2z`WoM{fo78re`cBilUZ7vkXXvw~1NwDT4^+GE2yX=0D2h4Yc}2_u>iIy@
z3hDFt*t;ISwzsqf`#v>*Zr>*c(CwULpg!bHqv%I905XVX2y7U#8Om3e%I2tEPpEC4
z`etcfkI}D3w9b20cMkV_#5`Xv2K*>
zg$xprPFTVF-1G8S3&
z`f9As)dx(%E&TGZm=6($NzF>QSgS3bC}
zR!uL#udWBKol)iGR~WwHN-M9j&=3uwvmeT7M+4InI7))yjQ$i?5X2*!1OA!BPCAyA
zI%tu_R!xmleRrZ=6@*iD^`qg6N-t{6PsTiwCc7f9N>^u0D7%ue7_9bfqu93Sdhu);FCz785sxb(3c~Q*Om23>g#;C!k2
z|1|Z5wcsxR`WOJ1K+piVhX4TmGc^wcA;LTIis%lbLk9SN4mX)YF*Ux@20qlIB@7%(5lf5G;xzPRns-|=8gJ~
zb*z`R)?PBV5yPj<&I4^u=8T#%E?6F{4t`D4ElR-^sFsXi{>|K~{Q9oS*vLCw|9yV0
zOv&7Szd<8p>|HzTbi3aHesqhx|K39z5e9z0vb?KnX(m9!DNvlj`9x(uj0ocl5Goj>
zKpN){-8zgo!TD_qsiu|$BR#YIKhCQ2&(jWVN8V`#iC)rQ9(&LC^LO5F*XII>)T<@6
zz?LKgG3yS!f!X@v-&w6OcW0Ra;_Q;9xS3y!N7~(U9g^4xY&UP_~e$I~*zpNm~G
z^KEpBWuhh*lW#8_=Mb$I@gp6iQSVcoJD7o*
zp$qcbwAX7bdZIxaHEVgDw8<8&rgUy>ZoiVD+wi4k&1=UY3xsgREuo4$p^je!`_goH)ZY%-+|{w*<~gA
zrLX&yQe#f;`aD3yMzfuDLBbB5FHo`-P_e`3UdeCcgN?leOcujx3Cw!$bb1@`*#N(d
z2-tLVR|!MYd1od@X7I^8KATU8$;>Pu#l8jL>v+xM_Hp?(adQE87x8cjPyf$-w~$_d
zIxw@5!lUKH(Q*7>bNzu_iFe)?rQVg9TgbnkYOEAWYa3fTl|4WWywB=uf2maMoOwJ3
zroX0icVAh=?ZwA6d|k)S4Su_czgzL|2YULEfAwNC3{|6TvJk`;`$sObNZ9v^zP7Km
zF^y%t?Xo5>A7Qt&Z>g&%BWRe|PYm}nLoF0S4+y63tK37CkaV8c&hg${j71aR5rH03
zdcPxIaRS>TPx2F#&k2rM5H+K>#att0KW`jB+CgLtCiBSg!h|Ml#w0uuHE$^MP%{&P
zOysLbRQ+Op!ad0i#B5!xoZo7uYEY-cCy`Mp>9sciZRNvAJn)-9NT}`XtYnb9JWYKjuH@
zzvc%0i+$V6?g?5U8#~8;>DixmB`D?MR>Y%N{m8bsPf-ggwrN4VoVOJCx#Xf=oOhW`
zqbz5)zgX|mp|Rv=A9J`oz92uP^E_XF^qQv@R<{0&Dq6e06|=B?>`(ofKUe(nr9D6)
zNb02`-U0tRtbzo%G&Irl2w;K{Z;9`w=Vd*HW~{5G-Dh5+k*aUO}knt
z)Udl_?6FtBd1d|9x7E9AQO}Q*$Kr`(MP>DcP*Yo1e{ra>siirUZq~)+3peW7`tE&q
zbP-BaY$MbqGjh}dJzK@q@O9U6$SK*7GqNQ|vLokYPcF!TT#}dMia7Fpy7C^?A>Ow>
z8H%S>{w@RQ)rI_MI}|LsX>iu+HilvYMrGi8ER!&o)w4jHHJG{leKGT
z#?Cw^4aZfVW!9APuhS_Y6?nU~x2JldFM2PW3)LDwN49GRnw)ie=!gc&Q@`%)f%ey^
z?rJSu6!1{OM}+`2LNwphTdEAwC~3UCMjyRs5u-zb{%t8oYcRy(X#Bz8doxz=vddd`
z?`xmsMIla~B$!A_ES*gz5;!0O%0dVjiJ(w4W|nQHxcR>02usq6vZieqTh@-VmvY$W
z`@3yvM;RwsXE_&nR|U5k0Eq5kpzaLTo3S=1o3zN{_tdqox48{AzqRlDw|f1yc6i&r
z55Mo9g&zg|Uw_9oTxa#v_8O_3S?h2AyZCb`wYP(t_M%#7R=RDjSDRs1b1ymP>u&}&Yo;5bln-5=pWTQ#zfmHBx-5vJW(&(aaB=
zO1UkDyIu;QKNU!SCW!t)V)}R4`l7sjNxr@;f05$)ih}(`;XYL!GPVSAwiF7s3>tHw
z)eg*D=yY)3d>&Z9LkoFi861|wX$4$XA}azpLy$KV1;fxb2_2I$@eii{<%8LLEDyyN
zV`T}}mSQ7@FP32^7JI94um(qKW9>FU?hx!Q2=@qapHPnp^Mr8Ei13_9FNyMsXs?O$
zj>!R-*N%eu=;%3p44gSe2|nY^QSuE|RGWtC&{$oXsz-D6X{iCNHKeUZwD%pjzNe$c
zbk>Bf{^hvYoHU2iqB(0W=gs4y`CPVutL`e(J%u3I#w*(qvIAi|5wQzVyAiXk{A(K^
zn@0=~*DeAf2
zJAT}RJp8yO5c5U3pXy*!o2t}s(5Q4uty-Vo1ER%@8Y6n3>qLtb3n@mFxSS*l%|=Mp
zlV)?*E^^34FJe)Jch_x!Zo2oKTsiV(%Y#00i&dCkF0{FPePhh4}iI-a3RD)Buio@bDN{R&E
zx3>k_0PH{nJe$bEagruUoG95_z3qGX;ZNxHCO5kAO>KHZ`Sv+wmpyj-&q0Umv)6tH
z?6BOo-nOM24wnnl{hMRu9?sb3U-fEMySmk{VU25A^E^ea=Cygp4L3LYZL*KPbW`&6
z@^}4bB8mBuJ^7l&BlC+Y1!u)4SGPM;!=7-K!>3w0HdX#4+=C;;-@
zW|eb50|ac;QwDl-@E~Ax7aj~P#LqC^r~ZLS#_@c7^f@|nRX0+U97KmBRU+|gCh?q9
z0P^jE2Oi4@j)=Ulh=h`UrV^lTQ7rg<%qPrP&G@grcq#sHPI{0EWGNYtiOZBc1VrNj
zNNpE_;z49dU?)NJ`h?Cy!epw}qO4a?C1DJ2^(;4@)5ujFp}Jc6aned;cC1pb!bgan3KmslhaQ<%+lCTRr
zC8v5jkIwGLqG!s9-f`G-hVH__@ET9SL1tA88O<7Z_lcc=tz-eyk`DKb1ynBQP_=eM
zz8wLo$$c?8V5;T0lZ2qm&rp9Vr8m)4=F*8pt0Njo~(4+;O
z%1);h0yhP5-m4S<%tlCX_ej`JZ}1<;uu_zZP9j%J(3q11Hi2?M8ROsAG*+JwpeJ-M
zDA(oYbnI7mlShsMq?l`6(P_8M;Dn50^Xy~4-uOJ31WW!)<
zG{#U>0O~LJ@%K;nnLRAg$#~Bb3pJX``VSHW+J~Mv)HfSXJXjt%2YsCc6r8Ycs@4<)
zQGM)n_r9G~r&Ubp513Fw|ET2C?zKHnA^<9+KI8hH9J#;j9xhVT(FrBh*{ZLn1t|d{
zEo!^^nU2HwGmG`QYH#4JXDI{|EY+DHZ_y^1VLO`10$HN(fteQu!FExX58LV|%lStL
zU*DPp>Dk18)TrktMBg!oRkJQM%XALO{E>&!_C*MQsDUs;9VdIvu9kV&C25D5^SS1oD;T8ibmc+0wv01%~Be6M`xU9bQKe?y=8qYiQ347-kk^hg;Ai~ru%v43L
zm!mFhP2ogAzFtjn;o1~#6hRoTzx94yk?Wt+8k}0&`aodae<#$!Q0eM`(>HPRw#LpU
zbkhNPD)JbX`?vs*29US*l8xSJ=0O8c6F5AY+D{8T4S4iL2ecmwckOD_J0c
zbdbfI9>mhbS|?1lYS;aC0E?XGs0E;;+F9YRB51Y^Y^U0eoYp&&0*l92GYzdSm0pk(
z!9(R1A*(})H(DUj4#v5yF4n0BKHQ#y&w)SK=4fUYp{bXh7P!KJ*W6Go6cw9~D_#t^
zLZr4OiX}Ez4h7eQX8twgF=Q)QCAQ;ar`-tA8PmHcEkaUIzE$=bQGyYWh>=+~=goT&ZVm?!?CYA<*
zdx4j7$D?T1LMr$eQ?dF5JLy6buuiQpMO7DAZ3&jHf;dqo@%zZ%y+xC}&A`;(IP*(4(FV7Vm+XiclIg1H_#
z`zWR4L=}knh<08CBW<5))Q@{&+z19NA0eLvH~PmYDF2fHA}R#Oj1a#FU{I7II3&>=
z)KuFjZUpb$PHd!Fkt5E;MMjntn4egf;1ePh)g{wGDlt&aXvFr?v4s}gCOBm~Ba(Fi
zh%|+3*jUB@5F}T)OX`B@7CsW24_(|;3sY`^cFncaGnbj9A}~=q_c^NvY%O1qR*j%S
z;zH?df|6%){6?uIi25#>3dIB?9C;=qN6I2L^P$-uKsq62)liZvXUP=--9WZvd6-n3
zE1CD@XV1|mEm??Ab}NBm?EyO~=0?VY|54iR+TVkb5US|xMZ{^mdpjnr6%)1-1WB2m
z1fYVMn>!R@hLzOPV#%|IC8Ws?(bC7pI=fZ!6_Rbo&n8E`Dr%$35pFInTFOwK!gA&w1G|l^
z+xxNVIL(fm0zRJzqLnrXLw9jmSD75kRB#tIIp?L;C?aX4-t5pz-()g1J#e<7}5zgC$(GbVM-!2e7QHCPbQHc#c+za_NZISh@~bah-InNeY%?7C*Mec
z=j_IO%6TWX^D>Eruso}g%twy_hF;Lk#kd)>9*sdq$SI;gW4HIib_pHOfeB;{UR@bfe>01
zin6PQIxwLkGXx}hvld&^ZHa9Wg)HCij=RmS?3u}qQ4woWgNz46NPNb5S}O}O9HJn!
zVj&p{?;B(RAO^58*a%T8ARdJ1XiE$#*J&4zlgj$=`-rb)XnsXbJ7rg|#Tsq}?_aOK
zGNEC+-w5uo=OgZK^88L})9wDw+?ce&J4z1YIWMW>>v6JRp&jSi`n#zbw}-h(w`X>0
z`|F!K()BOT^)%q-b|>rs?+DTG3$eDgpWX6fy0Nn`n~B32R^wQ%S*ZH!*3Ma*v<&eJ
z-@Z0}o7|3>x33{MTPSqdiPPTg$Dn6)!f)@+u)MvK)l^=(`E4qPhsEM%xpG*PO%%1!
zB#n8--Fwtb?3ZJfUtdJ4Bp%7xj$br#mJX@tD-#Wti}@uGJF;)bp4%&TxTPH4J>hX-
z*j-T-L{dFexts44R3Az>tN?M2W);#2@Gaf|P`j>p7A6kS^--@^_hJx*6UTUfbNIPa
z$%R-5k`_T5CurapYB~&)z85;B?1r|-Gh(_9AZ`21*J>`hm5%kTnthiv=K^+g*s+Tn
zIUKCj{9>4Z03x^t7zW2?zDNcGq%?bz-_raLA7LDJ6B@!YnNlYNAXwE=M1o*>@x7dd
zfK0#9IK@F?UW&(gT#Uw5<$nGfw;i`pa}aD7=&7we
zd*1zZw;1ntj6R%+50QWbeLz#5T@b1Wc1pG7Hj2&5Ajj79jL`DEu>(7!D#(b~7cWAW
z5K>Pad=#!<3ypz|FZgD@qhVmIJ7VoR0l
zHX}&5YoG_hgOS8IRSyQo!Qy2LS3wY6yG-eHM8>-j7xtX-D9TUM@Y?FjPduI>YT=b=
zmh($d1vVm@03mrc82Egk)$`k=oNG6vw8s2O2I
zkgYQ%{aykQFe*tY*vBvv18N$8g+iaEfk2{E3>e$LmqLFa>|h;|ai9J)s*!rDxlT^Z
ziZDj(+U|br7ZdKIU~?PJX3Gb4xnd9{UezT31#Cjd1d%E*pb`kG*klk2RvSfp&W8JU
z)JE%_xq~f0eka~0azTI)s>Je8h+2ORC&WQ_BTImNzP$_|M$R>kO
zu-Z5Y39h9sgEsn}OZzbWFd8<`;|!MIeGGAI3|JRcKKv3=d
zs2L%HIQ^&vCbC~+s!4s5c1^1j;g8q-#6ZB~3_D4kr5!wnF^&OmE6S<_3vF`v^Yqh6
z639Q8t=)Cq`l{)Bs;S}}B;Rt&yKKBgEz}XcSewztmiD>d_?VC2P7x%2^F&P*Oe5uA
z9vUgk(3mPkXsuCFikCDG<$%~?a-4o0mnP7OO|XXq|T*F0ojy_LmZfobR+;8
zMZ%a+-Xdo5fgcRA+y}QZH#J~g57PyzOzy3OY8s!D!5}A@p3g|0Ow1&Mcv8YZ6VQlj
zngr#00M;9LZz7UW-Q4!yh@l@tjrBt`pk#4>%z*lv-PyxLR|pU1XuXK@`q>2B6)KeM*nbS`FdA
z%;qNeGX3sFCsllloo<8DuHy04`v(&f06Y1$Zulp2~myuF4gWa}Qxa+ed)ovQ}9a}LS2wxOb8tOW4@
zE-`HITsI^{TPXxpcJcs7R4FFrzrM}ya`J^r1$L)IJ5&gYb<#S*nItv8C}IDQlP;C6
zyI_b2Kuv-bbSW?*@uD{nviilHkJHQ`J>qUds++PAG^}7yiK_08
zMge9S8c+n6YU8*<;D1C3%D7rR&ZQu-i(8A=btK)0u2&fmJ_tFKEq9u(?8emNk((M7
zusH25606#Q{6Uxk-P?_!?|`}CWFgz@_&}*{hOgQUV+U(tCO+LQGeUMg3ych>J4neh
zaN8$Yn-MP${#Qv)|O
zpwY8WB33H(!ppZkWWz5|dyuS^#0YuVx;e6e>-ptTJM^a+WJxYO?hzI!
zX)vfx2M-aag^ZgU=O}stP{yiW`rk3hG48fl$n*-G*lMZjG;q-KG
zWLL9^zd#1k5
z1-pnASp;08Lzgf)TBL;;Ajr?yjf^g%W{)HvGq_RE)jxhVu?JSOLUG!ATz>;6VrVvs
zIh}HyJdk#thJN8~LUr1CH
zo^4CDb?uhs*!#W|hOsuK3YlZcNHsH(OJ;n`{T
zrql!U?0B7%xzPA8RT0Mnoc6RKgfbg}tx5gDY2tT6j?Y*tM$L5~Kc!T09WPQtVc0Q3
z{V4I{C(o)a67fhH>)5MmVsWjE(kZx!^Z})EQ>7wRf1eE4Xm&Lx$y5>2Q7Is7{o>&e
zc7|$9k
z`&v9zKAx8*(^Uh0@Nm@L=+R!|RfwL1MhQVb&VOv(#}#GF!fr***7oE0Xuyje9J)jH
zgq{Z$db%}7YvGP&FKhDW!{qtTC$OqwfF4C!67>toO_4m9UzH?n!r*-$33?d1#Qb_m
zLRdoyJhR>eL2a^N6rd8J2;jz%hndo(J(-ZucHpO90BFL+qK0W|KHbn)PG6YzRmU-v
z-7sLl8i4RVJ>yAx6~yf4_lPH0_P<$IA%I9Onr96H%e%gVcmR-H<(d$GSQpxHVZ^x^
zAi}Ott)BgQ17_D|m3S(VeRL-YFD(3`#h%^KiX%FkUR_V+Lp(j0NrbLSQjD&0BFwhwBz$YG;^c_uHEoHX8x%
z*2tqRMf%`uUu`*O>e>LZ?ZUk6c^VU?bKJJ<*b4{!_kh!!OmcBKQl4SFrUel87sGl=
zD8UrnEG7|~?%PEw_xpPm;lb!WXGUjf*#td7t6V=LPjCmrWD`o_?QstBuP6;H85-fy
zkKF)xCNDwQxrg3{jY)RCV|hd)_(*MuD7RWo)%so7hrYI&4tbZPzYkIu&DFgyV7DbR
ztNi}0#8(Zu#H?1;hy7z#3b6etxD46^;wcO8=6lvvD#~j?;4(t*1%keT!bx^$CD3OYzUciQ|HH5JSt_9)1_dwQY8N)zM3YKmN3IBAyyYQ}bF;kVs5tAlGe;^BUB$gDAm
z^66%V;`OKYS3eg}TdPX>d1W{6sc~G#P~>Ko2lR)GO5rlKz-*N2RtVbMzxZ!a$v(@c
zmGt(5$7$Zm6Kk|{yWQ1CvR=nO_kr8gzu}!As4Awa=eT>cTQYa>SVzj=3o-2Py*k6a
z0b8J+evW!$I%GRU8|-8~E0sojC0P;80g2bM;zB6)2)yAkLP@HYA7gPvWI`GbD44|de|fs+vx&X{-PWUou?EZ1M`)Gaza
z+4ZE~57S!ddX{&VyB#~;4Ew2?1Gm#@R21_)ZYE4>vlBvso#ek@o>sPkMnahZRmDc4
zR`ZRT>~}RYvEIU}c%vpicwz#e9B{k<5={J7VNsDmkbtSqfZ7Gz+h(O4=&rGlUF^a!
zEaXJqD9L_>_vhc2E&`EA2!mfS6hV2G!|aIqWf?Pm)+NcO?n2bqSh$S*VujMrRTd|L?pFGPC93281V!<
zLmP%jd6G4g
zpW8wQDsEbI*{|O%q8n$rrms!>?G)(q<3&SPU)(k5nw`?qbfz?>U2QoRX(V=$**k*;T4pWP_pE&qR^YOR0>t{ShfoKN8
zl;qndHdOY&*YVNtIgXE)=`XIUo}@;x_GsjiEEY))ju(&ng7B4QMu_tC!BA^d;+rHy
zonkGc&em#L8Z9(bE=Q!wwJzpCma<&{id81HJpzuphP$aA=f(D7c8jPo$@TM`9^=Jt
z&q3UlF=%D40kRhL+wia%p>e<^((hj5kZ5mrB{k)VEz(>^A&Gre(Q3+;(*;i!Mt2<9
zl1Ce8pZhUxrIiQJ*`IG93n*^gENugxh~m`5<<9~%VKSh7r2D9|V&XiaQ2V&)K@NXi
z`>|XcH)O|PDU`pKhP61b-wbg*ZUYhwh^I3oN9yW-e`nENXWH$Xo8Of-odJt2GQBoo
zGozO+iumr&lLo(Fk62sDr(Pdm~8r|{ZI
z)Fg9_nq)-H&2CC4zN%W`d_$`Ci$}8^1cB*A5O>_8-d(22$c{q|>^`Pa8kfEa0Rfm9
z^Hep(HgWp#X3Zd96~2o3Du?leUbiQHHc9C?Z;l;|Tu`6$b~+eik%
zEg1(hstJt%pypxrM)+oD%^MMETG96sq9*w|Xdy`C_M(rf7Fj%9T1Hd&
zEKN6Ez+p40i=4Ws>#h|1y=_D?Mzc2%MCFGNby^YE->0ONVhkuADBSpr1Q;Lc4sBFe
z&)_5MaL1Z?9s`lD@Ay98S?1=b_gkFVf4tYA702|-5v+~_;``@L3byuq&x1l>iscSWoD>2nn@m+M5|8SCaVvWfYX6%
zYnWF_I+@JdI9|=OGx~k2o!R}3Ft646$ZCyPN#c8D)2SQ>_z+?9_-9g|z#DsXG9HiQ
z+gQc^CveQ>tlFIsNfJvRsoBo>69QF)=egx
zjsugO*&{9ksCMs1XaT*CtGqLntbh_S(Ct+22a9eABLgQyI49;$(N_gJpo_IoreI0)
zf&eVx!K5y!_tdJ#OhE)-QxD^WR=5H~T%A}a#LOJ0d5mP-msy2uH@({*s`@q{+8iHh
zYjfSN&u$Z!rjIUT=>J;1K@j?J-&^W7DC!<-DzmvHG6qxsQuwS*&BnGHAx|vJ9{~6pT1V^RP!5l~X#;H9)v%!L
zA+e_ma5jlL_ijENkbyYh=tYc%PPJc!%4h_0W2_g5J&C!E=zR7*2O>p2y@*1?u9{HL
zcFS8)^@@ljuZ&BOuKRkW080`%g#cnl%9cRR**rK1)@BU>g@ZcCy5}lga>M=Q;*rOQ
z;vpIVjL}uq7M*-V2PaK39Q_EGH>S!s)iozw+AsCpvt@znW~j?IeECNR5ELX_0Cms^1^6uKl~fomek{~
z#jW7&vOVq_-^n9WlLr;;$&wBdvb!qkYND32UEhxa?Soc5H6`G5@AR07)T%n9-?q)&
zTF`kTVeQoo?A=phD=KvZX!g;XgRf@5l!%3_u@?}dRmxK&&1NT(9=S;Nr{UC@z6fO3
zhFsi(8+@;D&M6)wJXypV)qP#mf#<>oFKcKn7G)#p&wOJws^^9hz$H!m^UtML+hKWZ^K7>_B8l@1{H)5=?yl*ZtCdCN6&F#UBACN
zuzH3S>asdmvSS3;qV>|;zpr)+LfEy7`!ArWhM;c}DX1D5b$6I+(27oT%DqCL~)(wv2+`z=0_UljwC|1M&z6ElCg;d
zJECioe9U*7oZOGa)GX|{V;?iT9Ha6XJcd%F!4#zc=E1i6a#pd_Flc0=Q
z(#QqzzD=xZ@a`$0OrD4ynuG(yO1rF;ls1P-(%`;=Cg*4Y}QDw$YR0(6PB
zeMhseS>)rZcT)fjoRaz5hwh|74CR)0OHTa}g{ZDaJxD5h9($q5@;swbsQOqZ9UrwCOD5K?SfbU3B24`6TV*H_!A
zPh^+1@^(zg2lo;c%>d-LS-T42Dh#u9ay(B$xb^z9>eU+mo~RWb)kNfl)I@FH<=G;~
z`Tbq!`+T1l;0OV-sWlO#U@ZVP>A#se=Ao)Ooq#$v`Y+LpYcRMs{I~AK$)4O%%di`A
z)$78pVJDrj*&vKR3_&8IA9q<8ze)J(;FJ`m$g>ZU(a%zCbdcaHY$GXx!Ipa~Eug_r
zXt7+s&I*HJa2~^pR!#j4EBsyQw1ir}Hy$3ZHykSzEj?H-NzsEp3JkE1q1r5ONJ7Hp
zJdT0Z^^wqQZ4^c|j8w$J=o&K!2uJQXbKY}iO*Rxlb;_4Iac4hw
zfyTsZoI^jNs>DSqLM4!TnqsaH=%IdXa8Iq9X7Z~89v*i&@+@Hjn+xA(>Qb@%X08W#
z(zqjJ^8TKkUgoCg_d}vV2I)ZZy{2?-ss$p>u%|o|DKYe8g28Gp;my
zo}%d>iA_FLlzrrmbu>0wQ7`XX5<}>pW|F3adV8Y7u*FT+Z7
zh$K^>>cS-k_)ujEw_Tbk_@cRA4Z^?&(`K~Pt$>kR{YtKf)adv?>q
z?C^8zI(3WHvbT6ZTpt9+GKy;XbHGl&07pQ$ztcFrYf)5JzLdSOpZ~l#vANb-`V2vT
z7+ie%PQUNpl7-dJq4AifbC&uwr|uw9zO#j~66Ie!RmDa`d>8&eQ8C}wgS3Bya;g13
z$TjD^xrEz3_Su3g{jA9vNrP2BV2eFZirx{`y^(Wdx<7H{o#x>GEi2Kg)Y;8l_g=Iw
ztGRCU>~nXat(5eNeOLbK9fYq|E|Y!zvI9pJg?Dwf&;k&KKKFSJZt+5*du!kkS`#lH+pI1lOI;iLre~;
zmRobV(iSVDkoIAB6ZS
zYx#RdNO>jeht?Hb%4F{>Qp0(nqXdnYh(3vo_6uBw07vD>LW2)AajWZso)PvWmjidf
z80B%^744;WbhLy7vIQ31#A65C+EczhJ{{`$h7Wd;Ua|{$T(p=5$WktBrc)lksyxd@R^*%oUb=?8AS#$oaOFp*Bxv70c*O(X~=?XNyuXUt0BqG
zyH0Xv0!vW?_Q17Kl<hNt$p
zupJ0+w$sfj+q>jqRq)V_w*$z<6E&ObuZwei4l!sKSLe+uD=fM|G*t8-W=fNyKp~3y
z`8T$hdG_l+DZMUmgX};&y?Oj)u=rUz1JSIUsL-g4RF>^wRgx@tn89}9$H5!g;o1G$
zPhY!LIC3!J2}?U|
zPi1m1kq1HbtPM?3qZDZ?^R-;m)K^Pid9I#M*a53-Y^A|!Y%p#z)XkZ~lDV7gl@9B%
zv*kjYW5KKg+P%A$6}B9$A1{AKn&+Q+>a(?C9W7Aa%D(O4hH7)Ce7l|9xwCoSKgHkb
zw4})Lun2E(o8%wX-+hL*?*EtkYmE|XH=tf9C5PpIo98`6>7R;^Vf<6SBuauVu$KYN
za+QyoS=9H{2~a9|GNe2(qqhh0`2E(WS3R73Ji$nm6>rz0c}Bn-Ax{>FWvnr6n_ngY&61%meEg}AtErQ2a}J!n^78D{kQI6uwXbhhh-f;o
zFN6~ju6aWr1JsO?Z!qG@G+0sFcF0Bt{l+8X0W=+XcPru7x}af2rM@`nPWx+Ol`P|_
z5zzamvJZOuZ2zd$XU8WZR^GIGHD_Q5F1EV*kUqR7$UcWDRr;DP!VcOWt<8QFX2)ke
za@Xdb6#mswCpoSw1g#3o62jkFJ$HdKMTJz-Ju9MO&r8huQH>F%HqzK(|NLxOOFu3~
zDraxXT9yVmIk8HD>6`5nzO60YsqZKj(e=tYP^TWdb{AL^R;+3v6tP6QRubxqG9hWB
z3IeuRmWI^Y0bIs~D4!Js$8SMOpKvs3*L9acUM5aM=2_I)6zGRbyZdsmkSI8u@`DRo
z{^>%#1Ihadb6&ap{=&{iDVg!KcNwHEU0xznnb4Jv^7sV)y$&qsvB{0!SSg8~#zMN4
zLA}p~(O(_Xz;BDzDYfRt+s!?_UIbzgFP(Bs(5!Sp?uU_ifzmV}F(c|x8hs-Dzt5rV
zWJva7H*_7g5>B}kZ^yXX^U(<+Z(j=2U#<2tY&M}sxuw*G^rw0VyQeD}iA|bJwTth_
zu?gdK0N0KiU=4bB!>;2*Zgfr7^2
zWh2$!U&1NpYoLRgr$A)Lrp0zmO`O&v_VkMt=+x%H#6;0&j9T^dH{~f0W|BCvrR|CJ
zMIZu=C_vIgGG+^t0)E>d_IdZtbZTo;`CK7(-TOu&n2kPCJ+pS$(IAom6JT0;&8FWE
zS8xbUMiG^LJ3~w+%xU7h*-GAp(mn>{&2cFH_5a_b)&T^{%|hDDH38ne^sZJ_%E0O!
zV$HZD?rzg-H-cIs`oJ1Q`=E;pN=<=|JCW06ewjB3w3w#BAuISS%aK#dgk++xw@B{z
zR}tWE?7$maiQMRPx(7#MO=FqqX!u~LH|$%HxCBj7&t%uM(d!o2%+d@P_DGxa6dRqs
z`~y=Xd6exrnFx}C3bPj&a_6_RuV>z$S<4MZVyQI*(DQ=47V0jnN_o|1mdMMWi}e8r
zP{glWJ|$#&8A=1(uT#4~r?cM7%1gyNP@NgU?Rnr=1}08e*o7YCuoB)9z9MLS6}?`*
z0PgIue)x*UQc|z{SfZNT4m+Dve-Fhi@MWgEQQUb4w(Q-6cw`8Z5w=3Xf6ZQ}OKTxz
z0?XmRBbONn1Wm}fi;wGvDHNDZ}U!+;9M{X*+y0lhPOz51uHvyPuX2V
z*%rrljt2KuPr3dnaqG~k)-#QetB1rwC9IpS&xqzdLuh(*gv$Jh!~mlA2@Y)^V@_+WBMAf|BhB814IQ@L`&`tyPijJkNj?Dr
zGk6uPR#D8=&XTx2vOR7AcEj{LlvU5G+e6QrhMcV*E~iyfRs{GR#&l7*b$PN<#%dS3
zCt6+)WMKb>S(4XNwMe>gt%~R&I3e&Ge#ueD9HbmV^UuT?0z`j|52rCrPBPgPJW8~_}dmM^(96#kp_0+$joiLb2H
z^J#^Pv=9q8VfHrkdV1lSXX|+Ct41Yan^N~C{5Pm{crE)uo;TuZpSj@_`h&c{@Tw`#
z5b2!w^|57hUx8cZ}oLR@Q2D)upG)Ct^u
z;^RJRpxG+on)8dd>*sFs+e#NVsd3H?hf>q4kT)q#)~wfmBR2`t+xaV7J9g)szZ6{^
z*Xn2|wK^ZX4PJ57_5ZXk6iS|{BBYnSpi4Chxz#)@J^HIYGG8&po5gDZhnN?6{(y8c
ze==ADQn*wu+kKI2uSt~4BB$&1LLonCd2{29*ztCkLx-*OPk|z!eb%U>vFFj+46!9^
z)mgyvTzF@+6Jup!`mU8(jesQIb77|u^%p|!H>KKgn3fkY
z-Kifcu))%0*+qIpMY@?;JhS7DW{8q3i=dA2w)^-
z?WOXdbP}U5ASZ`TH&X(#weMW&!+h_>5jUXqwzV~>wo9&~WWS{&Vw``Kz=%XV%jAH6G1f{N|fa0(|P
ztYQ>j&2SkJpw@lY3&q#%ek+0G_jvqAW^Yx{)S9`J2FBQ%fO(KcdKxX41d1OAno}UV
zu2zzV4;W&4jVlAVv-O>#hGBW>_s
zrIg;297lA4skv-Ki8rx1{<
zw6UqWdU6#h#0MMZGS5FzI8Rw8v03K0B3`tCQ8F7kP>ZYVLesU9vYR}vj^PeA%Q7|Z
z#aP+eh5qe63|tM8a$F0hf6>c@-_%9LH{0sKeTS!~P8JlIu-?&qwKyi7YPh%R?b&2S
zw3P1S2y%5@ui!8o>5894GEeKa?=tFVTChtR@mv`8Ej9wI)kyrO5TYm$_Wk&2vSK!w
zRpmleL=3Q0$WNu~diB*zb>53}iP%KI4osM=Tvhcb`
zSmfRYA4`&KCF*f2k*Qndo{^@N=Ngc&_*{CdD{6y>eVhFu^;g}xc*k^8Y~v=s!p%Wa
ziJfL$A@E4B@Y|$x)h4@KCw0a~TlR-hRq&jqC-u`AoTtvWk;_~LgniD_93)teLc}Qx
zXo2g^w776~(O@3BF#*@g7(OcDJcg{T=LL6eiv
z9dxy)a%SbPej>Ez4Wh(}+~cTJI{FaTO3(Dsq*%>#jS?scv6NXJv%A?RR@0sqYT>hW
zv=4#37%m*Gz!VU=vQ7;9Cu_k`fVL^p&>3q0EF^y{B(m>}Tm5jYVU#|*CXa9TeYQz{
zi=5;wHZjG$7h19+IjT1r6v&o^mZq4yT#?0CA!B%d}fjH9;aQ-!gWU-qDqa>`o*`1~PZ4KkW2~RF#eq8y=tn|fMLjQLlZ}=6Dq!3sdOL|f%GS1DkP#%KARQVt
zrIwy4tW;du&Q8|0pS*vel3ZLeo|ej){<7%LpRjaWXX9$ef8kLtq2oPF+2q%ySSST#BBn{Q%k$RwB!mhmK98(!|Criebg!Q
zSeJZmg)U-^d3_k0BZ#(emyN&TP*$QFTon!2^zL
zzg`VRGPn|ZqdD;(GA3kr4?0jOf;+(~cZW-xm%B1?B8C$4GPc6bH_H4`+zgq$>bRqe
z(na36-^WKcc&Ln>74`3~$sWrAjQWHJS9hgUiot;S#Q3j0J|5?2CNhYAQmwxxp4$Wz
zX&M_bTWjVa!R5tK?S-1<;R&(RlSA8v?8k?
z0~J}Dr9Ey)nSx0ynScn_l(1|5Q1%_c1?L~Jc^pC^u^E{mpOm;iW%PK$`Pmj)4_o$@
zyI5YQ?O^HaFb2XYQ;C$hHAB#l^ZdaFPdu@oygUK;x)Y%oAz&ss_uGExWarl~Ko>byB=XBTMYS+YDt1-fq^>=`rKzw^;U))~Amz(Vm+?iO4o
zIlsXDfFS9$$7jcY!ZUUkBhihg!IuYIgT87Bcl*;C6qy~ZVb=`Srh(NZw?l03LaEyS
z%Kqw;w&umorrU1ME%{7kcsCp_h*1^zyqiToF?a3GF6U`YaHr1(UFJrDGD04U3VY{l
zXv#`l_stb63k?&?gXO`aQZrX$@e~d9hXE`wq=5@521M|W*2Zm_N4KmyfybQxr#SJa
z(`jV~R1Tdu(RN1eDSY7q4yWHFgrIHSi^iwN6arZ2M8v**EWoSW*E#+nYklqb>~;{x
zlniv@!$RR-4tnS@l`1o@{EpKo-CT#mM{LAhsG5tFz$<(01(!6H`2D5z;Q;r~FdLgO
z5y7!$N-SJ33ex%$^YW@Wy!$cPeQ5th4i+Cb=0NvcYbBEZUN4fBI&WKulRx^bOnIDh
zg|cu0h9DUjzy!H1?;9j&QaeD?L95DXu%aOjq)h!1f+bV8u!Om}nR(X^8j(}b-bbAd
zO_n5N9*N-2Z*)yE&;bcz+uXxC?Egz~cG)~|idF-S3;R$25?A+tQXjb4Xz?C(nfD|~
z#}hQn(lq$0u#{s%kK#mgOaUyANApFS1Xgr_eJKD&Le<
zwMS4HQe*%KshM>0pk{W~NXK(FF{+noNyI0no+YScaP5R!W(nKUUB6IDMcmCp#DZC=
z*|0DlOb^%O2+a}0#{kKB00`zZ$~$Qj>U}c>5nAAKE`?PQdh}~DcFy%N>;{d0=0}tW
z?o?c2*c-tRkoqTuSkvk^qs-0#)RW7cDW=h1aJe83HlSLx6>V?6Fb6>Govj
z)SQhL$BB-V={omyDsc8IOZ>hze!F72PB
zUWBt60C%yOc<(~7DF_ro;I)kVCi`J@A+^sazi~QV4O&oA>#lF=q8DjrO$3%Ii3a55
z#??q<_84qTF(*C%2X4?C`Rm;#oCuo!KW*RfzM&DgHOw8Vd9FMn4-`V*cj}jJbVBfX
zsSpT!t0lkj^S3mJfA+Fu;yyUaFpIT83~KN&Yy{N}F4zCxXD~`|V3A_ZQ@>=P0(75AC
z@;`QH<)!UNQs1Y|A#-;H%z!D5sz1GH1nyo=w5t(!3Osnu9TgI#;4&??TKrH5a7H%9
z!gq3(gEY$P7^+Sp26Y-O-v}86l+Es_9eDF>_mVi_+rp7th0_>B3T!Z9&1J}%-T7LD
zqpBpmb2Xesw^}=B>}KYstxcFxV{kQ9@1uk;yI%HNF>(cJ5L4
zhv67z47fr$#$~vnyyiDnd@e$Yq+ZP?85QRAx*yMPY(N2O0#*-z>0oRgbc^@3oW?r8
zKox;YS)M9!VjhBA8QUGl`0cub!7$;r1?kIKc7@nLflsRV|L(Rb5da+`G-L1(U+)ZT=s61(0X#ufoH085`mDHE)|kPiWi7Dtb9m*{ASQV~4ot@3Ds!=Aw{U3X
zHYlBVAd^yS5E+w3ndoWqcAaO%l1x_36`t=+`a{KTDR@jN+TbM{p}T0L^}baP
z=&;`imz(yEG}#!K(vnf15uHlo1KNww5X(%cYfS(4T*?2Rrg>gzvWQ8tT?vYs{XyAL
zVq!W{(hPPDMBWfe#o&CO!OH%mIl_yN@E;+|tF@Y~Mn#RRnblX{qZ)soW%X9QRl`NE
zX_wr)S`bW)V#WtqRbF}t4{E&^sPOjpc`-=V`1y;#O=v6tm~^7EUeed8M9b}Zr~Wy%
z7;DDnWAk7TKD-F}NSBj@{#Js|y~i3^pKNp(YIu-SqCPV@S|EM~$t>~n41qT9fu7aE
z+$viRUQ$M@qU5+0=&GP#&RET&{Dz~EwDf99_KxDDHs&iZ1KX5jglyzdLuYlOEKu84
zjG22u{o~3@w;icOBtcebkxyp~y6k?qjTTm|)#=!Im5R;SSimCs5}5-}xUpbQn3SQ`
zW8rjr@!_Bn=vHizkkJe-MGx32;}g@Z$}R1q&h+L@&Rn`3Ta2XHzjY72ZT_%GkO6EF
zr@g|D!hk+nfZI~5H6F9`^6u2GdKiRJ4P7Jz96>OvEHAe804jr^n{04lj*GF1Zyq?K
zLG%-Qq?hGBL7|0t#A@J3E)o~EO~9#MVXF9Ip2?f)O9M5f(rk(&H!7>b`?Y01O$O|~
z#4qY7E+Oj2mA_6oM&%xpzuvLDmV^
zBUER#nhHeIyi(;0s~7=+D0cdf
zb&HHQ79E~I3pQ45W%gCcH9r`2fbT*fp99T3Br(QE!B`yxBSpyxAumujYI2Q8+!^=1X&$IYTk3C+t$=!eZ>)Ry_3cq9
zbl(Uk_LDw?YUF)d-+y+zKlM4)k>??z)Jx7oF9>XokwZ@RhO+KhV+D%JRIijv*h7()
z&m@+H=RI}6rLnrZ#wm-|QJHOTyC*j%hH^{eK1$FlLF-`CrQ01!27a@h%W~E_
zfxuNl-m6NDotG0F;f+~EFJ*X$C&rcl{mOp@uyIFkxj9H{MBjV=MZO~cq42q9x1y+1
z>3d(NpoqT<^=Mr9v};B%%@y3Y1v?&vSP#s#hjr^{8-Lf2CHAqokzCJYZDl>Haq2Da
z^iqLL)Gx+Smw?uDU;)IGD8=;O1Tol`XelaDz(XwXsj(qAlZLP?$dzHv>cAqdG@GjO
zN{~C8%Eh@ORQ(a~#|)Hv$49wpU94=6H`i_{pAvH6cw~bY`bXio;W+aXl33J{Y^t+7
z4y18ZACk?t$Ig=`i#Za?gs2v=rWy}pLv1@5nRw(Bl~*gy
zsZ@RtMyx47Lc<9%@QYf~p=%X0CKHYs7A=2aOfK6~dEIc{p^IEO@oFPP5D?;fwcQlp
z4^{cNUPzA+_0BEtQjvWyCJ@*p&HzCOro09;z=>n%RfXhhWa3G@3$eFE8GHE;3vzIB
zw)if9FpEw)j*1N!eP=GC%_R8(O+#p!i9Z?l7>bqNw`zC<9uqFT;9QdUkt*j^dxV*S
zJ)pzGc`;{YchQM>=8f%vHIM(-)hCfOY_
z^4aFL5HI!XsR{x0)G5)@9_yMU=v2{4^{j0*%!??oC<|AiscSaIaNvK@R)2)ayUnw)2y`#GPE44heXETY@s4;nN
z`?RtLwo9~%P!}KiudKH%-kSFB^V$-xd`*gb8)7ARU0uZPCn%NrA*V}f-?CTNXgE2_
zWbew=LEgjTj0voaX4`OEK}$d~7*Sm&*u@lUVb_f3YUhsM<`M}XqOT{*)=QI&!z8o4
z(=4h_jeCBYi(0tnOw8RZ)=h9>bx~jZ)IpXC5y&MO9|rpw?O#iDiYAz;75wx;JU8?a
z89cnzI;R}iZnPP_TXm)0Gg~?{S{+>8dMj=_1kbGqqfR^3(HX!^mo*X3TjmCf&628ol23k4}vlE
zAWQ0w;V|?WR4J4T3!E>FZ5)Y=@}4h39k4gc%Z9<9U5pzW5;Hu0*7+grv4&iAA$+Fo
z@R1bEV@N?)1!~{(GpYhxAbaV(kTW|fMJR6z3Q8{apK2m0t6es>L9VNzWS~E5=D&^?
zsP=>J>iV!%vl~HVd+nRn()FXBkae4EjM~8DJmiCZOWtSm$$ujcPx`RO1eEur!Gl5GX5#c#^J^Lw<`GZZCVV|JRJ*k?-XO8{fkjD{>=F1O3NW1-tRZV(yQ9TDBC&{~so0AQz#;JBtR}h>z^N8U0k-N2c)^X_zS>p;sXhTB8``-jSDC}Hutq6Z!q-Pl?sz`#
zyvD=5WOh8nXK|P>Z3~#Qir@zIqrJCJ_va@^J&=EfLFEAy@;b^#JsTG+U%Tg5C*Isy
zsBWCAezYQjA0YA3)gMZ#-qd`TgYs?W0uKVRh>Od0g7uj|RU0%~vFx+{Mg|pUklR>ap-*%*S_u=}lO!+!NrbMHm3}
zkiG);mxek2UZYPkD
zmdW;X@jJbWxM1jONZoMlBwF|1i&Cl{c65J<$GNru1;k{I6q(lL%*#+f0~NhA%adP!
zOFb6{$LaWXQr++%B2itBJ(jC1Hn*!Z1(DLOMpK4)_+3l#CR6
zmF{9kvXA5kT0L(}!}%L=
zO@tRdH+=rI#xymCJtItjN;%71?axB;+M-{aJvs)>DqFp0gh1rmz;?
z7tYVj0@zTSloqLvGgXG3BY)t9Sf>KL*>o19rB7l=YzMjv6LoAhhwvA9T
za%lw>a-_?)u-DK#n;bInNeV)Fs!^
zIGD3g4S-5>hPZqSb8F!TKk^NJ)yD0G9lLX6VyKr*s`$xsQJ~cuY78Cac|2?$TNR*W
zHqtrYQm-I_BtoxQDi|3K2Z}pAE3zCnTX2a$f-yWAPVxjH%P%J&TCpX>wfs)XHOLCR
zFi2{-ZQG8829qYmid}7~*D5TgMq%6XL`4B}oZ)7+6s-v*lyYx9dcyJyQ=%!Xj|$`#
z%bqI5y7yEmGvIw*`9h#U)ZE1;ByR(P85w!c9_!`fl%$n~*p_onF1)Aa&tz-@tBxev|D=vq@cee+-+KL-?>W?W
z9PXu1W_~#Mxq36(dVoecrsIWrokG{>gVwXT@UF(4di@RFmMN9S940D_#p)SKiG7b=
z8FvaDhcMoE`oq<3JKG9&5Y`-xlz5mN@k+V2e1u02PCo5~H}ZjA>G1s0Kh7!(%`Si2
zJ{!jB97HOqmL|n4nLstuVsEKsA+rjdS2~riUP$xX=us-?JIX#8>&XTwC-NET5RI?1Z?38@R|KHCEv!?Z3ia`}6_2Ou~>#w0cyvM+m
zfZvQ72X!D~M17CyknFZlp!X<($2Z+%Dhaxc6l9P$1LsGUW_5E*s!ax9!YVdybQp7MV%XSh(G_d_Y9o$Z8OAv(g{Mft|ge$KB+ZhvpSz-iJC)!eRRtUX;W
z3|YnGA$pzOUS@7u*ynq)Q_0_2e^YUu&-HQmqxuKv}r2WB`&hZROf1
zgPT#bNb!ALyl1k1pCL3s@`IHhMunrds}v1#OK)#wV|i7>$!_z)*EXa+ze0WP<4XZ=
zw$b^B|MsA08R!@-`LE^w+xq|iKb-iNto>s^H~2ieNEO%FrP;qcNZvTcDR2a8pCX`J59x&i`j<$WDaj+C^WcGbf$v|}5lqU1}n|*D#
zU#>pT>Yw741G`;jX
zCz(mh!AH36;BlKw0Da8`G@=#;-U?jIM(+~}4WKI%r{c^jb$gFYq(2;cL`b4eUw@S2
z?djElV|MkmLyTDpdmEcWixBh1d(2qMb
zr(#Y)48*ta$_~+TCO}nk#R)qGW>hhA#}&Q6%_51n*T>1i7;i3AXZ0N5xtS{Ln`P&x
zYUX8|eYiK97e^gfw~t(q^Ms$lK?FWeG88Mv2&1-7rV)>p5(uPoH0TQiFp)91xkx(Tdbg=Xc
zM#yaO{viG3Agq9n?a(?^_iGVYGLa`m3po2Tg(}mmonJ9!+nn)~G+>WOTEF#F(==J9
zj>q_G0k0Js?Re^78dkdL7mPtOCYTh>1~KMcNwzrqr^2hnWnXpdMzU
zzSue9JXWSIvq+rGGtHzq`9T&sqKrVw+4VjWzzZ(`c%*wsQ8ZQoiFvV5s7=1KKtDI+
z?P{qoK_4ZmA~B96wicAckN;T@EHbEQ(!yz?R17)%Afzu!*E>=7bVS%#8as$>*brCR9=l{n{A
zszH>kc2SJiyd4A0q^RGy#0sOkl*|_0%R4f?cwm2bBzAo8M9eA<1L=^vJ{HybD!bv$
zVM;`fUZQ=^*LOoutz6)6^zY);l`6F|uJ~RB?sf
ze>=AI_D|2a$-&oBczd*O?~`l*--l>=losyua5o-2pq&@M7PLq-tX+Q(O+J47W#Cx{-8z
z-i^i80D`PjxK2FMCSPP^(yhBoO^k+M&DEGiFD%?l$ZX=_s7qq4kH^s+Cm%PW
ztx_}5zbJpCnqMzm-K2GP%%H!bE|-(KwfVdX-E&o0r*SAcWyfw4VV?e^r!DwyQj!)#
zTrDZ6J*tdq=Iwi;pp&5~6*P=z8N_$}YZ1z0nbJhuixru_T9dJvSA<>T(~K9Ypa19;*+eqM8XC8
z!>S750_Q%c&Y?``PnQa%!HlE^WR6WGxv*9TNw$}1*87j%tkku;j*B09t$TIYD-L`W
zjV=-4uYou4>99*1BVU{qYr9!{Ij_lnh*eK9TUMAcD?UM#I6JmxW^fTk&+fh`s{2jn
zXZ_f(AF4yEo`sfa*VO5+Nr8sas#RY=uh*ghVc3r93}(yh=DwcAs~5&
zwPf31ThgaP&jQPgI^41eowM1CiNq@3*UW}uea8*~Isd={I*>VQH)TDor<|pj*x$c$
zsRE$pa<42%FCx&yB*a8*m0UuVl8f6IQE#PmcSe>wW2km(XJqkujC}L-*idHR78W0f
zBf?BbnL8H>FB1{VIL%4Loe9YcL1;@3cgUU-k|uSMUr@B~0SCEZt*qqc=Mm@(OXfnb
zW={vbqn1_+nU(T~)?~I9)LiaL>D}_@avv)BqbPkNXO=8WB5#q-t~V{0!IxX+FXinj
z6O`JzY7C_yhKE%Uc4l!;WgzbuR%7@Gh9B*4^n96w=kwGOEuLldPO?NkYg)&ZlL<}7
zQt-$?Zs29?WJ=G`DevDpstWhES-0@y>Mh2o^SO%aD=g=HXoi4x%{&!?CQ_H@esL6>
zURl|k%6)CtZ7x}GRoqVFxvOh>wOB-x?|f8-_*c!B>Dk`p9lcvYimTHgn06kgA}iq-
zQ)2#NpBu~QoX72@-Uid0Y}p0>`dq-veU)f^i??~qx*-dDkkKpi=}j2w9Obr1Im53`
zdVglUW+5){(`pG}mkl}JX>F**@GQCN?i0}5QI{MjpUGZRGqfwu^pq@65j6wMVI1+a
zkRfAAhN>vSBJ=Q<$@h&l8aK@twY$>wW~L`7NH&KtS+;|WK_-#4tm~D+d5{v0?@VH7
zAQNsp%}5%KvfCu4rz5ycttm!8ebZ$sSSC*Mfu1KqNtIJMTHVOd>u-oC&H5_LJx*x4
z4K+hi4ACPpePZA;v?o4n-MI3EJv*
z#NKsVNDlOG^-#PYBDu(vd55*xhM&RB75dvgXXGc2qVgXj8cx4!0uk$
zc6VatpI9l5)bTsHCE=wv6KxqVt+FV^{&11uyZgy~64(Q(Sx7Hjeovd%n7ps)>Y#d*
zQJx`O!!F_QkuzReW5mrmgd5$?-LAl$Hf$J!c3!}4V88&}UVj;q|6eUQx6|ee`f3V0
zgRCGkBS{&eA2v_6nWh;f+Ip?*EVrZFZZQY8KOsIrRa2+_(&*k0uiPys%)xLur>vHD
z{#gxdc{DnD`uJHFTCLK-c@2cpVSa?I798y&!!F|Y)44DiKB9-or?iyBXhOu<9B0s<
zXo7BtkV9{JL|Dgp{iT`s-Gt3lw&P;;@(R7_m+cjLyXM?K2)<0^l?nk)e`}<-
zY{H6&_R2l+=v8mp6EYUR4(N-)`>X>^GB|!8T=Jw>qv*%>w#FvU#chFKjl7J3Vt{MZ
z5TQW{5H(0uzD9uK^)6t_101BQB5BbIbP4J!`ocB5hSe|Kt^ea103cT<%$Ra?hx||tjL3J;
zsp|Qp8ypeEeLAu}?-_xddC6h_YsB@>-5e0~pZ^^y&lpRmc?*51Y23i}u!2kEQtIb^
z235tMxWdxT?~$(vO*6O!-vuJ9(-f%n^M{{IuQAWExl37C>ZIsFFV+Ro?m?aAtJi$4
z80Us4=8__tr5;veQi1xcRYG|}cD`NL<*I#}bO7p&P1<~9^18}8N3yXp
z;cm%pTy=rm66b>Ig6?vaGO?B2G*_-v92>2;qpqIyaI4h)t5`d5
z-?8~v@cZ^M%l8y>qkWSpm#k|`6X}g6N0@FJV(qRBe1HkT5DH5p0=h~9B||g
zvJJVm^f4A@6?r-q6qya0D!%Gv1)5gs>*b@I%-7Tcfw-;{d=x+Vs7Kpdw*mi3-;7>3
zh2i02VbR+z&;xRExaOD-pfnN40PvTF3JxA4i<8&e8#X;MY56tLn1#U;z=VrNF=`G+
zEU!jt5rX@-0bCzofW1>!|KBkvc=W%a;C$+|C)XC1RaLsXV
zVC3B<-9n43>gCsP8Q3ZhUgmk^X9{qqgWhiS552lg?AD!)+bsGwc1QAFV70tP*a`DX
z+e9dmY5y~mY3#BE1^cdBqNw{ehYeS8Zw*%Vefd}u%5@!
zF8Yrhn4KB8;qwE(n2GjhS!oRf8=9C*FGjGv{v>5#yI?CMoLZ+JS8~YrX<~5zb}>i*
zKET<^WS%Tk4Kr#=ltceolmE~g5w9KFmeOi{T3o8
z)AxGkE6`YDG0ylXVQzH8RO)4$QFHGXZQcz0v-Omrm>U6Uunugx=-%thbeXK#atAoZ
z;nTLtb@5WW!g#G9r=M*aIb*9_6Tbw&RZC$q^I%OKuK4)`FKuERv3hM#?0()Bie64=+I9CGAua9?%C
z>#wSF>$s|({mz07?(0La;+1+1MMx(uJxx4y$*f;QdR2_uWQqJVp{Z?N-h9~eO>?Qq
z`w_>w2KJ^OW|nNa+aM`Qyd%zE9&CEK20!g#!}p6*C$qn-&do&b`5@TdyXGc5@ZVgVNiSR(Bc{_Zsh`h1|!A58KNna
zxVJur1p<$xz@Uob$`WOYt3w_0`chsCSgvyflO4-XM4?eneTORCW3UaYyJ|=u`-t+n
zMZ$coDuMOqT;k2{x>;F1tAgfIXr0fKZ^1>p(_>nXMWh7>rq-{E*C=>`pGy;ox&%Os*+;2=c=oVChQfWTPlZb1$%MV5iLZfld=7uk@m7tDv$mg-K+hw%7B-tnU
zuCb%rS=m9_r9ocBsX&Q%124W9*Eqw9o%I?8j3A1z6ZM*WKIa#|W3`YS*hTaTda5Zp
z`aeqB#0Ou!c9xmHkk5$#-+Lu8Y!m4c<~F@$JLayeoInZ3ehhXg(0;kQ$h-|AyoLGw
zUehn0E0Qk#r6a@tyDb4HUzd342~dH~*K2eQ+f>Qj*&7@gq9PVjZIyOr58#!MDNu5(
zEh*chQZ}N7Z86vr#*IzYvyLf}GdL2%V+8Dc+GUJn0~LgB+)kvGcQLkMOpo0|qC&bj
z{I3@v^D0GS8cS~k38l=Tlqe0G%TsueqJN&Z(1|!=Y0*7??HNps;vp@18hucx)RYk$
zXwvq5h2mn0HC{mQQi=2CRh5XCy*(*^y6)XBt*P)8DQQY*9YH6(s%0u0_1E;7rR|0k
zxl49Jm&&h1=)+jI8H$tXB?WeG%x>D)a%g8&eSxbb>)kbUMAc@%_#f87Li2|V>ON$@
zAwyEaLmJGQc41$FLaGgWPB$p|KAfTjK3NnFKFr(l
zlCxp9xEotS_PtPcV!SbL(^t^4QWElR@BsqV2(YEatERjAZx-jpAlMOLct>qMhf+^qC}
z??E6}KV2$E1$*)pg1B?(P$=xE+_Gs!KUO%>*|4n=;mNhNQO^{jN~IyL1IZz>M-znQ
za-vK!S4Ov
zWM?$7AnL;UNH^$_aMH=0HJ;aZa|O}4lrW-pCuR5|T`ND4ad3`;_O8**ze&RBp1mxh?2*<~Q!8L6h&gaCL
ztAuyX7Z<2dCW=2KS2rP-sr(u}WT*~2QPZ04=XK>4`7NC|Fs!n|6DnCXQTDHQIWZ
z<-^&_Md|YAy1VxUr{qnjjFpwuo&!9GR~y9YW9#>ud_}P?#d?8e
z98v)YL}h|SDvpx8-;^WgIXd+QBjEDT4(Bu9u8IYC_>3?VE(I!a6>zbpG}FF{Bx#&x
zmyI&^76oQ4^V;2o&6X*=A=8Z2N8oma#9Xu0zQWxfO|d1C2TWcZrCQBh^ca*|KEGRl
zHdRdJ$}1^*>@24Dm+#F;00L#zSZ2ch_w%gW$RutmtoUPlxO*;8fwqK3D-y=Zdap6A
zEA)uQ;Zr~?b$@{1EBsdA2UAlxWf(qgiUuB%XcBOFlDvi>^_Q5f4}B9^jNtqieZ@Xi
z*ua}~c-htBa4IV?u~P6Y5TjhMBYGfz6X%<
z6yBb__>St`Ksb*Aa2NFhepQd7hKnytgs}|(Bt;Wwf8bbF9$<%H@Ua_g<#YfP_$7nn
z%D?&MN6kC2!h7*vIIL_N0cKCE_7xlxl*6sav&81m+syoxAiW>$K?nf5(x04xx<)1)
z1NJVIERW+P%5_v$Jh_DB7@4vI6~PjP-btYxpD(Un&0`Ro87;EJqcPI+8&tPZ6$
zcIzXnaT3N`ynu=5|8N$`dUOF`H9kDEhpHmyNh(nAo{rJYwJ2^dfp8>IHXm?2HDoqwljDOEC&ussVKE^wUE=;{40$8Q
zRYeSdjv#?$UqKa+vl&A;Y{oGx@#ojC`cu8%v2f>Buhg}
z=jmH-7?lpUj2oNG^}IBP>owhvRKn|9iok=`%w?&*i(5;kCR^r0RGULYH=g*N^zAokbBdQVg^W(Tib;&EvJ9MPrS~y_HQ!M
zsHczzoT3p{gch-l13?(hkITQ4?g*FcAFSA~dOfk|dhDby{vX&~KT^+4Rx`{uvU@c=
zWylJHYBw8O3TX`POW+5gJHz`cm^8%s?!j+U43whlaou5}Kk*a)q@HCkbT9hr{X=eH
zzgDONF4hGL+xC*i0JpU{<`g;+DC`fhPhg7f8cKIffy1Lj_MUut|NHvbJw^djpaTme
z;Sto)q{BWHf|Q^vr|a3}h5{K*Kr>?$A)N>-5@WeklS&gbHT(_pA6qLSixP=Atn^j<
z8OPA@K%qp&Gnj$6X1Fu?6050o0ag)Y=GmkUUzfB8*@N!!+Bbuf!4x&*r-^=}a%<7*Ih-zX%bE+o=d;n>WjA
z^puj!0-?IqWjy+rNRa%SPo!i!#9}`(Hy3+Ym~^xziCd_awnE1WLo)Yg%{G;m+FFRh
zR3mRbJu(K+P5n4N?|#YVC%_fc_Yebi{&RPE{=p3V^?*!DvhYRS!mT?4@W-L6lH~2D
z;9ychwDLDsC&aDFal>^ARa#gRCwBh+6WUkR9lK}-;q1?_^;M37YPwGYx2y(yU*u$a>}-`hp&;
zb5O2+$`1jQiQf${+E{F9=7q~{cFQU(^d^wDIN{YMITYbt2bZjSBl0Rc0>^|qPBy9p
z1!Rtk;(A$P>}i;6MxoUTlSue+S|wTR0e$i74RQ0VHiT5hPtmH$5>Eo4))=WKuT>{m
zmxG1;PDN#PAx&ysQP>=-wEp`Oa>%QdSvH`r3b?bNaSHZFRU_(9v2klZ!7SNj0wc4!
z{F?7=y{Kit3N~E{)!$_%_js(glW(4hsQwb)47~FmGA1@`b1Rc5yWr<)^dn^TH^qW(
zu4DqfcDF_`I!ovoi&z|K(e0##{?MG*&}#sawpF*dAmY5IEH!nqEj{QV#dz+2i#A=f
zWE72=43r+_WmBHG3aSa9@@ztL_2!(9l9_0)uFCQ}ktOT?8oK{%P+;1&gQ!T&9G?x%
z@=Mbhve9RHQ~NLKErhCwO9{(9z>;zv$%X)TaSwWruT&Qc;-plL
z3i0GC_&xRj@}wY8G}7^^DK@yeje5BNU1|$1*psMvhRUxj7t2ymns|(?E+VSS#;IFK
z!nR;0xYBRWm)s_cl>VnArL~+}uFoGZ9Py13*>!MN<)l*K9buarp%q%8-02p@2;c8u
zFA3_R{gZp{Dw^AUcRAPF0`VRc9F^%
z6zk{`J63E+4IcA%!>po!yc$0ZRaH0UCO|T;BVzVt)atK&iSsuA!`u)Ja;wHXwM)}zm1U1?P4MA!;+{iD_~IV3$6{TSaQ#_Ts597;|b
z2`aiO!FN%V=N_|Xv%D&G#%sBL$DJ!RJ&XN(8g2kQlqckzXKTr_V|23ea(UvI75N>X
z0<}DZUZKefYU8BtaIj>v6Q5%oH)79Zks!ab`+t6d0Nu*$_q>e4d7h`dHm?-apd6Ys
zhos;acD;-Mv?5z6-JXY;RULW@tmxhRZ)z%J5A2!e0rC%Xdv=tUj`0msSMxBW(UwpF
z{)q_@InjFC5sKlP3mmsC0jwCfGyE~>T<&0r&%x5AwMRY>@AezKz4x4CA0H(Yyw`E)
zZ$0ZV@H)0el(658pk8{q9GSTDGIayLGG;e_SK-`0*xo!WVDfq*k{H#m|9?C{IQRxp
z3bcXVE&K2X0E-d@O2dcHILb3hQ2xiz^5eaRQoTk*=25L}xUNisYuZzH?KYVq$tol;
zkRr<+4X-MX@J@bn3eTJgZqs4;O#rL$aJEY%4nc}sX2U>!Tn9<%E)q#XP>;uC=(ojo
zlEOz6&W&X}f*9ic>#c^2;cTM8pA$_l3R)U$b=+OZT$yQ29}$tEtbKW{MH--Ir6%JCF_W&
zYx#W;aADTCf9WBhl9+#7?8+
zcfiz=Uweea1|2}jE#$jYf~V&fv+ehCrb7%Q29mkyx?(xB$#1n2$n4{Q0|FeqO^-dZ
z9Ut`L1nTqgoxMdQoQ8chFweo`)I^QNcy7T!MM0+RT0Gp3c+`MMy|fj98wJ$xhhw>l
z`*c(S=DLP|NE;la%|w-A$8?bv2hEm^#*okup&uYSj^@g!WgtHmS5~BkZ=4&j^U50}
z#xExM*h^*`D}wz}1EDEqi(d~QWBpJaXAsEdt5Wrwv&5WWMKIeV;G4DNtX4X#Q$31g
zR;~LbTR)mD`Yecq&$$c8LRH^=PT2Bfge->8oIt4bW(L@yYB=foIS9zi6o(I^nI9Go
z;=|tM;G^G#Uq=&(58`n!EFd#e>|aSq;-BPn3g)v0G9SE(W|fDtzrJ!19|q_k&pV<)
zocb!s`*Q*I4_3?$`ZqX@`jmcMB=!@K#LD{d&SNo)0M$P;=I5aOCm_L&jWDLBs
z^0Ah9Nw7nvxeu;FN-T*<2_ib}H>aoHGiqMoAZlf_t?#e4>+
z-21X*e?-?^WEUZm{sC#`!FxI({D)(diGYP(=p^hz$II=r+74+^SwYn7v4H0PtwO)@
zc9@pdDeOz$B`pFHY(d%bP6MH1+1rhe=VAgWA!ki^_?kO8A$OwJMSz-ZAy7!z`rw+@
z*?{(qfgN@NgvJHT=Hz1VtrQaq}Mi$R&0K7zmUQhcyUJCE0p8BG}0H)Eypi;%4
zOkMuXuS^8E`ir7z0tBW1A#!tE*|BI~P|RMWH~pZWN?b0LUKJ<%UOon2@ezL)nC-O#
z$Vzlhg(z2KzuTHR(h6VkALbe`$p=5;?;OA_M~*L=s&;jTJuA+rYB&}SP!9JW^qrIF
z0i@+ww*p8mnNkV6>UK;;0-C=|Bd9j>N@sIh4a>{FCT2j2T*v(<+Uj
zaIt(2j%sT2OMOYMv0-TaAghqIGXk|5cbC#{{yR4;EQPd7=Tv?6%B!8{&X)wbROG!
z@o|XE!*4q2xAGLFbr66=Myq71cYJBc2nh>HQY6(##TPOvDqIA`l4NTzB0m!9DT-D@
zkdFZ^eS@4Y-6f?!!vxGv@Zy*PD%zzW!$WxB8w9}wlE#xk&|+J@2=M`sJV`Vm6@|K>
zlz03XF(kQpu@3?B5J&w`O>l&%_uVfBwfPvwF
zMN5zNnLXgJ)FN;ts(mBi!@5z*%6WN{He3g0UeJTHe@El`JHl-!Jl6n`U;TR}%aTI^
zB6P>|UF2E7FFkPAnfJgOjvG(_+N+JQE`E8Ks3C|U{)pR;G+Y8y%)kf0BXVAnF1@w;
za6WIT_!WG9HgPC6M_j105C?avo|`m=VOl`dvGlyvilZCif1M!xl(bl0>-p7N&<
z+yIACOzZCdt=D74~Y^5s6M217x+^8+S#CK_&Q
z)<7qBV-U5!kuCyrJ~6*+i8g1LySrS59MPoIa};IY@;w$$gEBA*>+B|;aI4yKrl4)v
z>sn!-SAFkMFmVo`J^Z#=Y6mZvwC(l0R?zFSvis~7!v1fdBQfga6HwLu%JvP9E$smj
z1yxjgQ@|-p*&Ox~qSdowOSsEG*#a}xc4gRxD5h%P#c>+BU5pRi*=#g4WBXtx<4FM;
z1#CsPT!?P|TEumSS5n;x9>)M>slpf8ls49)6fLu?@+ta8r3a+kr?KO6?O!h%wE82u
zi%?Tid}Tpd2OZP2`#v9;{CId&y{kxYOd!VxFsf6+i
zjLfQ#z7>Da@z{K)*7W=&YxSyNUyttNU=?jR`rTW4Sj12X-e_|V-783B6)L68urX&0
zTc&UV(Cm4s9L<|S*@Rs16+_wE*nbv+{ejZor>!>?lZQ$qBAFodpUTA9C@KXvq
zaBm_eCLDN_Q+;Q80f2LY$JP!-RYeHItP+c&6WOn}PdEHk;w6F-cJfVZ0nAZ@CIvAf
zEwRXCoswQmXkW{DoG6xLAT_~W(~Yj)3}U|Iv`-)%B~y!q2a^a7jh--+DP&?kD{6b#3A;~
zrNCP7=xhfswNGeab2vjbtGEI=Xv|aGXzDoWUsSkF#6KJ}xz$TgsDHZEJ9^cs8OE*F
z2YT7u=a-5qT=SZg8OH6l`v%$kXIBb=0Ns)P#Enx)(U#|dZiVCoEN$y2Wq)&R*KBfx
zm4_6LyI4|UUn5NR#;l-3Q?H`RYVR=C#UZK^oDMCs)Qb9iBKRP&Ume%R5hshq^
z)8o|+hEG(wRmnuSs-m_7txxvSi-!gKLn;7N+~d9VHiRz`TWv_GR5Bn84a_zvC>lZq
zf(tlx_lDTBubL+7Nq-rpV=daR2emBa$C+B!yZ7_FGVjqo561m=LQd~v<-*K_|0kqM
zU@E*&MwUGghJDxjB?Sb4v*bmb@dbmNFcH-)ly_w7@3P4}^@wdoIQ2=nMXV0h|K_`w
zJ=o^($E2l3s4_G5d)_sO;CmC`j;nFH#-b*nYrY#QW+LW!oS;Ax%XCd>l^HM39upsA
z4iilat3+VL{IP^nB8=IYFBZZOr&;+#_cwQWahK;vq9CUz79)I9XN2*)Q9R9{M9ZGb
zGF+7HYqWb2$DUl|k-d
zmWbuWJNXW_0;N7fOB)-iY_QuBY&`4g9Ite_M|F@=3qmQdXMRl|M54?luo9a(v{2*o`RjeqegtDQ8+<
zrS@UhmU&B|dy!o=!Q5BUocm;GaLL>T7&NMDg_!7h;OiP7
zSSbUQ6t&Czh-gHK>lJ+uVArboffnFzgZnGaY;pf-ts-xfYU$3Jgjv(0Ph7u3oY_(}
z#;HfDdONsWjdixd^csL-mQLW&Se4&
zZhq9WfJuMRka{yhj|dZeClG81{zIMF1KsXl#^p2l3BYTzyMq|oJWkw9Lt^**5(UxF-CkMlp2?AnM^vT~Sw9ZGP&&t4QKx|mGW
z5`nP+weAc|S&pAC=!OdqN5aV&s#&64T1y`_`p1=|z9ogOi;yylmZ$&riS|t`z1&Tc
z{~pRyiFtO}-Z5rjWA>30d(`1lojL3V58f$_!z6Wt6s-kV<}NI-eH
zx;d=LzBLfs?Psy)nm7@{6R-=M2t1Far?aM5O(w68ouF1V6FVY))uoC0E0UVG;P`>r
z#52HG`^4gyZn|`nE9&`z7l1u^Q5#2ah#vX-8~!ovIPTzalS_gu3(tF+=^qz9T+U~V
zZ8_yM)^|w+74>EPFG6SD!;7HT+7QZf-1zD)UJfWZ$CPQ17w!m~RAcJur*_E*mM47A
z@#f_)W5(tcN$pm5K{dJp9d}Xi;^o41QGvKNR`4`_N7O@KdgORH&jSX#1kiGtE%cRt
zoo6$#qC{_twX|JrHqBF%9`q!tPL0-HP?W1iQ=0YOpfb1l#8wR2tJm|b7DJvgx1~C=
z*;jWZ>B?kPM@_1#D7QrD$xw^C$gz#`@+NPJh
zqa8YW((oXw3GxtZfu!IoEW1&JW4nh?dZAj;l*JDofn!(82%!>-($?X;lnp#O&ZBTp
z-}}V{^=L0z?x9UAiZ?|q=amCA{L=&~Ec*gN^{Yh3wG}Fye}}B$#VQ+3i|nxzhV|$Y
zE2ZOz$8PCdZJB-9`qC_O^pI&O*7^hyFfB4PHk?
zDMRTJ{J4~IuO-@5*qC(gpLguo^}E^c@%Ax1+P)(>=)@`$xVT#})d$K-vStfC!BMjl
z^=cote)_eZ9tN%i)is1-yYUMcHX8^SZ;bZY(kY6sr!8AuA&r5YLdwk_Gcd3Eu)Tot
z27c$sQ5t)Vbz>fLCE?h0eMf!4gn5LRSB~5G)wb%?_nPX)J?2WovHSEL4c7Ewf~}!%
zpzzN{n;Q}X$Wl%oCLVa4#19iy!cc%Z=Fqg#5YwM418*3)Puh7D#KWVokO6N=#GiVf
zx&b;V(cG80?%!a0Uo+!A)FkkalV5-?4AtKYEaM#ws=NUhMVAE&t_Vn7kvwgCW3yXy
zL|&gQCk(SSY+sSU)!wr*yye$@tA+Gx)rvCbw&#v<&q%NLMu+tNZ#RCg=<8oBTz^FN
zu6-ue{Q6`6w)+mfYVs+8i%YIPV1D3GPo&!~e%vi*Ny2Xu`y6wmN779C$c)e-X^7R=mFzbwB
z0x;KblK0#dCxZF@w0tKL&tvNtEaF;r0=(ktNtimhSQfi*)@aN;k@}y|=|=nAs)42f|+~UpKzUCT{g>xML%}{D^d+++-BU+>(rx
zYt$vMCWE{`Y2Clxd|Na1c*+{fqx%!IdT~y=Zre7;r2w?atTq9~QFDj~vq|UG-Jlxr
z2PYFR0ZGhSG@&xKU>6j5)_N_!Orz{X9xx|~i(0RC2%7s-u}#D!N5TMMIZRt=Emm+l
z`7&Q6Qdh(b+JeCQ_&xdMExBvr4>Rf}nB~i}Z#LUOrVwU@_GR^$tLlC8%D712W{G2E
zNH>Rhx${pQlOP-u=;}~QR+j|l%OA{c{J^Z^_hvEFh`gFY>?t3`G_j97-!hSd-gDw&
zT9J92RyM*sP~!)h&75S;sW9|n<>5-?JzbI3?{UU;jS)2f^LskBNG=Lwy;0*zkEZa1
z=?O>Nq3K?;1-g3C2menBUyvMakV}%(N*q5If-$lluoXJ7v%fxNKd-E9n&}!MEfm(8
z-ffs(C@YotGR3wml|nZ;3NYh{oH~}-L9#k&5&0oiuE532HA~G$0$C3oq9pVacQELJ
z3k=I*2ct;rBa)R%pe7&2VOGQ&YTSLgT)9dNO%6{A=8|mBpkNhyD8(@2EDxBazbq>s
zqza>9T6kB|+%*&JCPnn99#pC#94htKM_64QC4DVK;)cz;%rzx}o25w?sGY?^R#%~}
z7PY+bFMWUs|EfcrhOSHQE{-oEUX}YdY-6
z)Jn_Jf4TC+Gy$5PULfWtz;&rL^7QV&O6dfBae&tFnl(!{cj(6IjvjYwf}MZQzT~;R
zdN6JZuOPXb6Bwdf8#-7H^>0SXXjCX@?URP&S(5NBeU)sIu{1!(eGLGRSjV#2qF7u*
zVVjo2^#Pbw4IxO3{2cYV1>+jE@Mvx0#hbh_ohMkDFt=!ECXz6%&^L*dqGNV31>!9G
zmc3l25hGFun4tqH)C@hH-a(2HJIq!!wXO8yN9%PUuCXgMtH;E#v@&{UtUIyJQGMvW
zm2)2yE}g5hoy>EX*7bho`7OLWJZ0Ai_*E_*@l#6;~0-?XKXK4h0r5|L2=$zUqi#z?7QwKbd>
z%sEVL0m|w@L9re3%KMR0g*e($v2Z(u$d3MbbhZR49(olw7Hs47krY>c3+ZP!M*a|Z
zWxxrOPm;Y?uKI~}-W60PNzxb-fd_vsap}iHJ;jZWi935_dGLjQA`w4=3Kw`~i>XH{YmEpl8bKjV%GF%wvDtGB7e2%!%`cYiXZ=6$kNi$gz-kc%tI@n_hHveBcxFZ^nw_K
zkS^m&#}ktYz@ocIw}ja(+>@{qUoYLhDa-=qzg&gM>>=o*kYK9Z!)jCn>4TMU<_%dDCD9P&lN
z6y;jaMSv50iNAwim@|g@5GR}y=vyh|L>;C1Au+Cj+~iI;bp-H>$8x^^M)8|XjO5`}
zO&z%g6v5@masx<}OS(#$tnw+m2CzJXQitGt$w{*7*cMmi7I=P;9kQFjESqTpWsKd}
z!~l)i*r?U{j2A#*e2&iOl$KCg>LnOM5?SIjD;r?5k)yGHydao6pt05?UKJ6T*|Gp$
zXA(q|3W|b}HxPk|>PY3*4pi3G%bcaLr*ND=X4ttGx~um4`fp!|E<;&LKcdK&M{m#D
zd|bCn75#$Wyf;d~UPmZ93qP?+I|^aa-!{&Yp?h4Zn?SHJzM
zXJ74EOP?;~zRb=74{=A+dZe6J%%Yc!z-SL9u@EHc=!Ue#`XuA~r2YRo01B7Iu%`j@`3mpfp
zh%#?UGD|-3`powPNsWmbBQ8M;4*)mXF9z?2vmk$yJ{D!%cFy#D?)5bk08hz{f<|U5
z<^^N|^riv4V0CzEMmyjg(S<3H6*AjMzhfQ{5cbu8q)rEshB*ok_Jz14@^)JMTkQ=%
zenNnuu|*c!m+kUolWRFujA|Dld%|U0*Om;C)8}idkQh`#8Sih!Pcg*C-*CfLNLtjf;VF*F#bvd
z{t~vU{n+PzOYEZjd8bgTllUfimni%_bn%2=p6U
zh^E6xaTg_Z+Z~=Rzt)>@_M`;PmfZ@yj1|=iYq%&H-MOM6CP+P<85NqoNo9u;|JW)iL!K$?mRwb@7O0`a+o-0zd`t1dLyb=DunMBhy=!Ha~yVy{#D~5$0
zwZl1dCqx6y!n8^d|?)XG+7pC(puXt3g#
zEUyL#&_TP2r`HWK|IMBD`isrXj+c}}O98s-u(Ya{_;)f
zFAO1{_bpMaA_SLgg12E}CL#o(w#37zZs)RRBH)BVPtvk#U6vkFugH8ChY0@3C!$;?
z;<+gO{{>{MF2HRP9dKr_H|lcsG2OFY*6+SwgxNpU`+8Hy3D10aYeX@qRB%GMPJZyW*;NWlzal@p)NPrH2(!-C!IcI{Tq-*P^>)xQHyC
z9bCv)b=Y#3#^w61K;N*EB*6>bU@{LOx5QMHRUW^(r?E29(VtJN{OZ9WvrA&uEZ_EX
zNvWcDYq7~7CcPI%AyIy2n>o5flboy{qr{^P-sboj6I76%F1i3
zRF|1bDcr17Q93ufNkNWsfWO!Tmd(#Y3VZve7F3AKCvqk%dts<`UX~@PNpb4s;b-%r
zj=8b1PqfuM(dz4mO;&kByp102Yb}O5pb~LE!-?M5yT8a(K`dYM_YNfdc5`%|vGj|)
zuG+o&qTT!}8qMn?x<=D;6LkRmOE%5jyEv9U%`BT*(p!jO$$w+;F(GF*7}V}*;8onC
z5*(tJTS#PE0=7Yi`{fO^70}gC-zFTc?^=Q=Xuca&UbMh1AJ1O#DVzwc>`oF`ivTJ9
zk2jILL5fhE*>rG9?6ad;ucJGe-GBO`L!Wi!7&gGb{7x0R@w7G06X#TB3+1PVTF#nF
z0~iZZx~X}JxAPE39FDSL#fc~^;qoq-u%+e2mu05zB&)7yldShu9n%+XC%0MXyeYY*
zLQWV7fJBT`1k`(#C6IA*x_LxH`mthjB|7||VAZ!{qtZ9Ea$^i*XR4vk&MXjnDP+cc
zvChMN%^O#{HcD<0$&xbhz5nW`=b)z#(
z=h8zzlY**6S3$DD)SoXbvCe{vTsILN5O@R%)s7^cyA#RKfNB(MZR*IHJO8`whW%Gs
zOo_mWd}qO;$4;8H%*Rwy4uXVG{nVXtLVBn6nSpecd3*rAI7i*lcvO}_R2HEPa2|WL
zB7cHsNY~K+_B7f;1K`GU+Sv%9fXIgmTxgsyjYtcP+Xv6u{>z%ZSd%|5h)_0=4JCAQ
z(9T(^&Yu%RzG21&s}CtdR0S%cN<
zROD1I0{rW-@)WGhr8N&blLoRiejh^1fiik;Pql>R=!QSouCLM3!+k%OREUPa$Mx<_
zMoz@6nfaI_jX(_+y%|AyfIG!-Ef5pSODQwK`)(2xA60Giqt<@16FaC66wV(z^I=tM
z_7w9rZ{X!mgi{_-i>{NBM)$~G_=8`&de0knx}593>Tv_$tdV8;_f;Ei<>%$Ci3_>}
zmuk1<{aCs2W*w|M(=9yw-S}W=qeqnmqf_hjj&bIhwjgMOOPQ&8r(W+I%RU8UNHy|A
z^_!^W;MwC%T5}PCz5_7e&bnta{QsG;JpUPS>z0whLHiU)Ojg
zm1x8P5Nh&_zyF<8)L@c$S@LDDtH9cOGj7up8a_g#$E+B2pzr&sx3;DCfDb_2j{^qd
zn}WJ@M285`wKcrc;?LAVdUZOEKww62q5pHrF7#7;QM}oBytZzvLA8)w5O2g8v*?2gH(o;8KSxE?T)D{Vk*5qo6rUNPe&a$v*%ze)
znuk(0MqJ35f!sojmtn}2Qq_ya_J0YvDBl$MXWkFA+-|_hRX#2AL!B&qLpFU#t{rS%
zLoqj_I${m_+a2vE{W4izhD|QBo>a%uu6G`go3iE}q~wve4)Bi%Su8dn?D3-0{2GD@<=
z>_UgVDc49evR-4kU__ko7@rzE4;CjCrjv}?%>Nk`Ql?Uc6%);pOp0=u|C?B@bxVOt
zcBm`=6t}#7jNodZcBMyK=UYV*k#v>KCY-CwSmD@GorK&Xp&o82KLwP2a75%=XjU0p
z%FVa9+C2ucS<063iat2RCx5w_&gErP$xU^n_FS>zOmE`>-;|tTdSMrFm%%f&C$%-#
zK@qA(Dqk901TnB+AL(nv(bDemxGgwM%K>HCob1KG2GcJQ$BMhh;x^B^@sP4&PX1!G
zv4%UFYc0Ttvb#jebr$S&4R?2rH4h_7XGKYCY#0FiV?lSXdk^(ShBwCcPk&HI{+*F&
zJXZ{0Yt3hI0qY;#&MbAz%hIP~TAlgd!rjS0f*=NsZy_wAO>?kd?T%4?&<133M
zNUnCyI4XYxeOd%Re3U7A&xK9MF4PJ#nLaC=$onLXVkRFofyI3levsR3DdYqKIb;{O
z%$)gJxVi3mq8e%{_B^3MQS_RBN2?PM1ix`=)4orAKTiYx#Hem@PR3Jr+Nk&aA)$_K
z*@Zp$5p7M*&5Z+B^+mi&(4|&8Uk_DYhmsC=`!QJ3L7KD$+#d3j*OcK42w5}3PtJjG
z;{d$0|Xs?fSo(#%%O|y%K$a7Y|)WPHl$>xZ%kNE-)>Q9iqRcm#m
zAghHYGTKBug`g%`OF3GQ)kG5;?RZlZ)}CQRoz2z7QBpV}Mt7y*OSzxW%xZ~(+713}
z^Pg}eV!{?w@ll)8o6*_Z|^W;SuQ`+vB6cqPe=0ZL`DuOYso
zxCPi(Y5FAH4bqdfP$5$y!_gIbp^w9xKjmUM0r0k&XFfr9faD|%d^7g2Fs
zqsUO0udp<2`7j{j%^MqWQt-$ZNiOWAXqzjLJ$14!!dD7km}e_lsE*
zwy^CDY7@-O1fz1V__O_uauBfz>l3p1&Vbc^z?{pi4uw<^{=I{SVlnN-~u8yp&%_|k-`O8pQjR%#iM`AJ^6fN#lRe#Vk2MIK)=SuJ(y
zkopL_fX9f_FuNH%2`{w(`1m9wkNiI?4l*?LP(r$BKcu&Z9>k~fSV9#s(w>l)VR)%V
z&QZEXV{-Mvhwnc4N!tW&Dn3{c6xk0ME=YtJ7vSG18ze119<1HCZQW)|k0nn9^Jk5}
z>}UWlWQa^#+ePNJ*39-E8&m$l&R2k=(yDe~^xH+;wu_T@vo~Hi%cgm=b7|~9?ww)L
zy)dzsa~4hFGus%Qx3#HM0S
zqyBIJ4^mG#g{|AtGuP&PH*>~(RQVN)-}-bpL|(=Lo{AfAxAEpS{8ntyeD_h!%`Ic5
zImdGhZYwYVHyO8G;IA-o+ol*;o;2%SvD+qzil1~l;6rX<*0H;y8t*x}{l~jS-yPq1
zVR7qTx9SJULcAp6FbNzWCKHCqDc7b&N%gDftjvvSI7;T#ZelC%`R6nH<~y1<&A>G>
z>MWbG9=EL#B#G$=i%D1VI3vG)D!X)mIg>{ZiklN_aV<3!Y>3iEKB*3E>CZEgF7+>~
z&*+c65MT4m05?F$zu8p1RpqAF3r6~yhU3qe*Ua3pUg0XzH_r?$5v?2pG-oFg0WxhqqP*aIiWiilu2vG*Nx)B<&
z3I3(XLrB>4Kp`|~JbB}#6%939m=URHOAd|~!p%GN=s85eTdXgS>QhNT3H@+VH#Fv}
zEu;81^1Q!5ibhvI~bDy~a2T_T`Jvn7HfST5h
z+?oMdNTcbx_f)zzk;m*V&wXwRGWP6$z$Hn
z%M=^;E$9@k7hTTV|1i)AAv@;VCL3ZJ6Dp^ssVa$polf<)L=ytxTVz31xb6N!=L#G%
zB?_ptMx?E#kqWNl5{R}XBvzFyO)mmjxfW>*iHrTk+e^Yf@tJb2EzeGD{If}=HTqfZ@Vm(}Z76%27O+DoLsMGdm2$IotH3ykiP=paD<9q|F
zdr*xbN*qm#*9R19qU=dOf
zjr9ynxA}1#O?FP(u2P{VtLQ=sOzMpYfxWWGe7JZaV41yzj=2%dVDJMn!vf~mPKK|5
z5@TaWonDdvZ2egL->Vs{I6isSBU=>J!ctAceQ93gUEp~Nz`fa^xg=r`I#Rk`GB*E@
zS~}a&q%23ZroS2s$>@mlCvQgxIPswscU>!&iXCtb=A+erW>BG~FUBPUygJReMeBdh
zq{2z!RON`11;^JsaXvs=@7WPeEt2xKgQz
z7H&IL1n$+b{a-iu7FDbwk!2gp&}@N235=xEVK}(OG*_K}X3NXf-AHB_9n78SfcC=#Y#{@ZfUSLQ6z8^Ij1qI
z2#CysF?mWOYsz}ol#Q$@3$G8Ig0ZG7=>GuWhQqAxTl=NAtrO`xGVg6{6p3
zaP0_CXtU3ELknk$qfq;n{@+;wsK)$tRPf;v$sa}aQ{Jb`AN-9EK=EcH;Y3xZW*8;u
z7*+;!B_Dy?m2TQ?%7fMA$0l}s0ky3eAB8*+8LtF)v26%0`wumdC>K~LmPavc?pkq9
zoozNwQ{9-@3dapjF9|Grab@LJQy!2Xd|!TKYOCFA0v~OB=n84DXZqX@TugbaieJyN&T4}4(6n-U|JNN!YtV4A!&teSWn;a0X0
z6=+t$PJOOwud1@E5ctYnB1z@@Ee;ZGy>0w723gxbvFq<)X5S4Y4(BhOM9l^y!|j{H
zxt+Zwd9{fbdUN?3k6@+ag3fmLxdqIRd?3U=926lDl~1fCMULSmR_zlL7DIU^W~e)&
zEI|vn{MtK-xZJ#@&ai;}-zG9R{n51QJwoh4sL)Ohv4>`hp
z*d53pt_T(fFC>dU-jq=lNCf;w%2@XdI#AyH6V?hd{b_z~iJ3?;%cC-5@sb803t1r>_bQ*HlW&1zyT`c~ATu9KAZL198#&xp*KrE7b~2AfIr(Nu9JO`~
zK81Sg#|lstt`+YXW0^vI)cK`D^xUKQ;>XhQV+a31JnVX5{jLM6SWQQ#7ymDa*?RNCMkWqs>3UFOlHvpjEH$?@3`os0r)h$FemN{85EmXh
zcquP!JuBdZ`grN<74t9)t}vi`ljflo&U;Iq2a+#uE=}+%=!DL|OS4El{v;g-;3DbbY;EximhjUy^El|rIn
zL@Tquv;~Mq7f(%i6}96to&JiteS_vkGQ8EK%&}wd;
zmIZK&_hN#^RX7Qg`bbtL=H#m+mJ`WJ36LO+7xo>P_@$*voEv@i#-#qjwRu~vpweK*
z*|H^E#X5F1WpklJ!H(VPP^vTrxKe-qbx)K|;><@>Zw#rfUi|u=eK;xXDynXiTN%JY
z1@x?k_Y_ZKjcaa~83GDr$)6uJuK9_gPOkzGaD8TKwt{NN8IgJ~!^|cjT6p1FZzTwj
za91MdG-*;P12>+CBKt}-DU_41Z$-N}S_tC$xMqZSw@X*CNR&!+_xgiuy8^_z=8~>#m3kTUggQ-5C=1-^jUT
zz~r$kh9*-53Tq9C2_`|C6Cw>>rX?tV)Sb1Nyc$@7m~tt%vV;v(UgFzQUYVACZVS*lbkl!S;;3Ha~P7r
zp@=GkEL7B5L=BvUW0#ho8DSI=Q8H~$-+$HOEI^B0TTRbP+#K{7{(AXfByBF(x&Y@6
z;jR(<1JMnqS}AJTInzfK2YgL6V+q{r(SP3Qy66=Sh$4jn0QslU@c~zy~(qqmNKjxdV^rLC$K}G_gG=kGw9JvH2Q*}HXtgO@J56o$fak^802b@HDDPN
zzP7dY({GZH7EX$tUy}j=ShcmZ2cSl(>Fa%cdT1Jk$c#Tjc%I5*M%=GMh$5+(WD%Lg
zD{4LxW^wH_TFdKcOkTL}K=o=P~z1~9TYw1aak5AGVqdj64vV{KvKyw=BH
z*ardYw9rVwl0X`*K;jK4+%QIroMkn;mM`&zi*a4Y8JNfIv)!#>vi7`+iWpkse@jc2AYi4C36fouK9
z@Y_L*dFl5f2#?i44*i`=4d0J|+#?4lo_5BA1r7~@3w_Iizo)lEA`w*^k~H}K3f+nU
zK(WO2*`t=sM-@meoOl?b1cGT&rYdqhyB!N^LTujOvjULbrXgjgC?i)JK55(Ps2APH
zJ#yu+5;GId0t7P(tSI_q)uEg7dray4=FHz)d
z_bQpP>-uAGzme9HEe`|ytrgpM{^6#?kE(7(msa{*%sEdE)IJr5K=1YR))07$E+tVA
zqYyqC*abgklQ4n1%_jnV`eE=x^XFGRuf=!)hNshMUCCVpbN;yzkL>{hTT`2(i=s8^
zm>g^|QU>tgl9>sg;?~z+A6nkQ54VrBC>8vf{oki^pVH<2@!g%kI_c39P(GaQw(GlG
zwZ9}CfPBH2Z#dM_T~_Z@=_?cOl}zHQ3nc7JY*Yv+<-a&Q@WAEP;vc_5ul;j%&@X6j
zRRj}~nkhX5YCuVOZr7gCX-AmVz-^)Q~}#{hNK)-S3m4NkMisbylCP
zywTZpRbL(=Z!99b$&b$>HQjl=W8?+$98Slm3r2?
z0`Tuk-sL3}_NbCNIc}c#gS{!H14SHL`}!4LHoraChN*+-v;=Ir*D|L~l`GLdYF@Wa`vIFva8abH{)jY63>9>{G?ai%@3X>p1y3hSTeu$@&T^dXd`o6l2psk
z=7y;iU5bgAJkzaaiSwkrmpYFqUh!t=#)DyBmX0xgJ8G_{e<VHmemeu&@uSyqXaMl+pi
zEJO2kEQ^T8zT6_00NsBSWC8KZ%i)#RRFbl*{l
zv{LtvqQC!vW7Dya5ABEZP2YIJo^VOqkT|ANAnw*GyV!X=%Ij^_0FMVJkoWrZ#LRZX7`U0620`6WZt0mPF@XE
zRrh`wJ^ger>E0!gZi2J`EThnk_|;RKJGLKCcHL-8<>o78DMH03d|78zrLqyis-M?J
zE+jof%<|po(0ES~T8&?bD@>utscxUPk$MPLTy2o=c;jeLQ^f{$ZJ5G}H0kvN@&oDh
z)m@pO81{&P$#l2&iw(Dbi=PL|WSFv~bZ1)%WZ>Qi)534}Ja!aPf}U?59V2Rl^7J_)
z=nD3A77yj*AK<*`iZ@tNPftaMmv;c}Oz-fZ)
z*}+9M4NVvL2;}|dYvlQ3wEny!s62cf5v$Y_7)26X>dsr_ZP~+m`C%Fn6Si~=!R>}6
z);BJR5AMwI8m6M80&cn6i}DCy7=|YNKvq<+o8{^v_KI^@b4AJyZcj|ByuiuI4;x%Y
zlgNwIXs?jaJ6auDAF7Zx6T3iO$zghV7j?vt!kQ{d>Jau&TGg96Ven*SPQMe8X5t7%
zcr3PIJ&-fM-l5a
zAxeMF!%$pnn9{!3Nk7wQ5UwAy@*9>8ounP$6m`c9%ci{{_o_?9Z
    nR1?qM=|aYy
zM|LKvB;R5NJdjnvur6290{d8I9Cged*NIm)9^$pFQJrfD+j+BC7Lz
zdBM+_sMrF-*}F4WJr3IY{|d7>SbJNQj;pep}-z1sQ24NzuFn
z$Tv*0O}NpTGG2eeIYtLxmU)<(e~_5@Cz`D8~v_{vD8|Z-~0|2_b=B
zZ5YFysc?Yv3}ND$Fa+4C+3ETJhVQKXS-mCE@_%^{iML*s-(+2k(Ly?=3%gh!Vccfd9z@eKFD;7)E0#{lEX;$*lsz_-(q
zE~Gi>GB|I53D$WjHaa5sP0hs$>u8g{$E>W=@H4RaA+ZDA5cg{@%+=fzwbbpSjqT=)
znpCX$;+#H%2k7r$KG!Jp`cT3A#+|lD(kTC#k<=B@P_qQCCKHO!m@C(1
zA2-Gu%qW%RWTD1QcNy&2;ah*VCYM|ww5lcd19@r5F=NRd;e+NIjh=U2YK`5KzeVh9
z4^gBGldr+%yRw5#&Cw_j7gcpFEIJK7!u^1P1S6fG-Zb^KYyO+J=d6NDg3N83YlaE?
zriM%dCg|1=ara%kWb)?_&;IMugK@){n0t;t)z|(!dJnxwcV-d}{mQ3_p7fVJxqX}Y
z0{BFA9Y!7%nDSrjEmi);B_HP4!D82Msq!77H7^EHs!0RjA=!b4Kg!#Y@2|IhlZi{q&;&Wu}?mdf+y|OCLP_0Z&6k(XqBzc+k#jErrcFp%
z`F_4{oT!|x8bmC*+GX#ncb}50tR+%Mv}Dugq~)-XVB8SNN)adM&w_;f>1)g)9fKdK
zuhiGdBtCvJP)yKmTC^R){sg7Wm`@38MSn6ir0edX9-E@8fZ?cLDImSdP^tg4bLw)Y>nBOx!>eDY!A^t?F@31F#oL@dG}~Smw~LDN!qMsCg5Ak0;!!$g?%tW`c)WW3WW`R;
zZoPjRm<4!3l>xqts+A`k@bq=`nnb_rT?K!UJ~+6F#Z#gF%FCoIA
z2ye%*gCXGcwr^==0ruoD+%CmmEhJgYgJM(GxbYP{)@{1l`6w8XnRnN|6~Q~lVNBod
z*k^;>-p9)EbDM{%KY%**>UJmQ^j%J{M!^g)1Mi=~{7piq$1kr#?#(aH87{O{sc<5y
zDfm4=&I`=d7avfhd6&3lQn;@5{!=5wsiRdm8!YD+{`*>aoM2N9jrya^6O1?ag
zaGPI#=1nv*i!KZ~LY-(Q@c57S{)TzHQX)gW6lMsb3LFYmX;kGV7fRiHh4i5yif7@5
zf7b8CA~V}%<_Au?WvT0-ngHBoQ>sd03OC6kcJr0;MuW#hhVS#FQ|h36U15G7;{uoRbmryhVGanA(3KA
zbPOM*0!SHG@H|USkZhq)knV$<1X|%%0N?&RjU>2C*mN7Zm4lm@vHd+1SgW+Ol)f1T;s%EOnI*Hh73)
zDtZAS{E5i=&MuFlvQ=LBFlAaFNtkozE-F+Zf11>J9ze^ka6EYC?}d77%WVF{{lmAY
z;-4T}P;`78dps67ofS~=vjIip_hrcJFr%q&eeW3hR1l3*E1@afilc#YGyLE8Q@G*7
zK(FwC1*C-8vYR3EW;(Kd8m`Jk@7K=i5W5~xNdO4tay$bT
zizz7Or$WQM?Kadun1z2amRC3Q)h-C%V$taYkQNdsxonDLT#{xKFFRi!aoDk=;*Po0X7eepMB3m8KC^bd((@V}xkTgqTBdof9gR)9}<`un^
zXBXAR>!i>0)z5k4yLVHIJ19f?G}>Z8PLtuMUYQHS!1el3K|;qoVhi=hiRT!dkU&=4
zUKETAv8YmkBa+Mx&0QRc>X76?x~FyE!YW{9G91f*!wO^hNL5=J;=^TmahTJ>Pu#_#
zgm%qcNQ$8o;h>uaNs_;h<|!2d0s`qO6qIFsG_w=HxM9Q4w_H|;i2ASQIFN>z4_rR5oC)42qC5cFAJ
z@kSh`SsGG!D9OaUC!QdY{)LX7vBPOL3Hm#6$^+Bjd|Tdzt9ayy)31J
zN@mS5g|7G1M0|pR^s=S+$_nh|xhrSWfhnK!*&lf$)rWRyOJA=|LXGYU{tXG}YiQtcznCyIRX>Go
zB{d@i7zeI{7k{uip^(f5uva4*5K4hak<{D7Cn*8uA%IG`xhG%v*wKbr`h(WE9bhG4
z1N;0co8hvGvO>}5jcwPU?+@zmSgtYd2{ty%bWs(kK&f<
z>~osX9dyD{zH16TM#Q>}7fPYsW_r|Jbo-hF+elLKFtP>UFMZ`=VZOXF}y%VkP1Bk!qJJ%#)
zC@?YRk8S@9VEs7pKh@MNr!~_j;(oUT!m0`nZ|IsppVa|Uf%
z`Adju_Sg9OJR+cw)F7s$pj>QaY|SR@&5oM^uGi#SUVZ`jSA6_|aQwnXpv~Ky4(k;L
zR%A??9n*?6(&w0Q!e~(5r_elCSDT>=rf!@RCe~3`3p&iN4h-Y0Pi=ZGSl{e%)SJe=
zP`hDIZX|^07!KPXJogWGUt$5XKEOyV^va3}G890MP6BXEp{Q<**>|b8pA--upFySjt
zua12Q{NN8YZZl-*6Rob$W7+J?mR>PjObRrXD^sVS
zk2himkc*^MVTvnJD*y}nky+9`wK1tbtO$O*&I_y`W##gU;I^3bSTtCSV{plAq{5j9ik_^v|ZiGkr
zN1e^tHD)H>ez$0@1}8e_p^HP?*Vi@i6k@HM=_u(B0@DBAavxjoqxl7xo{cyJ7PttY
zGj&b?AB!~bIc}^R>^IJtICdzK>A5&4a@qAGR25LIaJ?f_Sjb+?N+*BGCQ^WGV(uY1
z06*;b(>h~@SvBEPAPvSHFev*FG@A)w2@9$*DO&hlQC0a5kQ*L-F+I?>=2U6t(du}v
zM=fiCv3@YuR)wRTEQ;2$W;`QffbMe`3^=zR_OfIOO4u+pY?Ue`DxZEef+-45C3jwa
zRYfjYr#e=jXI69{$2j1YrD6gNB?IXclQhWOubLQIc+9Qwd=mA&en75olo-
zH{o1}Ldg<^2~PfV)>?HU3myGp^O&)upCcK|TC&yVcRNhQAa6Q>cGA|;VYsHu&EriJC2~aWbKMxb7UB8Jk!}rsDG-n+WoWU$#d?i
z(gm5l5C~iouIe##Nf&`_rnFSc&=u9l%CPrblalFH4*7|DdE}o(gNZiOtcja^YKvst
z+^@I@HiiMe%1EP4*DV@~R|9G{25(`#AV6@$2tnuq{xDdM1%;N+)5RfnJ(!5&FU5~U
zTE6nTfxn&-8$k|-)f2Y}d1Y340*YmPq#K|ip)6cX>SBp&cvQHWC2~>~QfCA%wtfCy832{odNO;*$mf?dx#dURMiI9MZMPO3JG%L0D-a*hCHRz6JIb9X}L;y7fR;ZeqQGH?ggSq
zrcZXXTbD2@i5+JZncU%;`lk$h)bW4J4MmK9JA+fSp4_3B<*HbZhL4jwRC>U@Uqfg)9N+FngkshorZbjR5(0q}AV9VtX9u+8xK_pUE*2Eq3cl?mFP4NDr3
zC{#_I0RKG}A*g+aS!uybiIEeH7N=T*5e~4pCc|-9lGV!Da8;Y$*)Vw1QpNU=jY6Sr
zOp_9i>FXH3PGAVe=(-;CxY?Ea^W{jMhXIR_({!^St%d;#UxEg|yz)_C`i2c;v=^H->D97p}ZF1;^EU3rJ}<
z3B>hLoNk|^l$o0Ao`~qk&EJ_Qn2DeMx&WE5^J7e8UxbCr4Xujm%W-0>SCa_1}x51vt%)bm6^g-wbIdfXCqpE6n|#^S5{5apzz}ChSa__!2t$
zyQ(K-xXlC84qJ}7FA1RQXBJ=-WVn^33t)huJj>s%Ys@+8=t^S_=^VXqD*=g&0Wr~~
zm^z^93w6htZD86($Ps)pj4&gQPm@qM1A&PXW5DwtIuvo=`{jp9w}79sz>o
zAJXJwJX{Vt-%+Ltjo8(T36--_H-`eu^j~_eJE9`_z-G!nL7&e_8JyN!31I!IPR&5i
ziG@~MWVx(Tw>SLkaQ6jM4a-T?@IG|phKm`>NV#y=G`B=0t%LFCY)F1mP^pukGSa|h
ze9ZzAPYm0VmaWg9bQa6F?b#X};XMl8UvXq!WkN_@mdl3C|CEKinvuKZFp(-DFvB>CiHM_`K
zdF{@mr0C`^tArcC4L)a>-H`etCPZu!64v~kexk#dtyyRB#I|)i*C~ybHJ-{ok8U<3
zU7kN8yl;0IXcr8?L;5$%J$#z0C1k5~$u`_*0X#RZni7LlcG77!?3mRNJpk>EkUr98
zHSW_V5%)umf6|n+u-lb3%C_lMg!4*Q)`0U2LCO(qu^gzG`XvBOvaevub4QF)sk+U>
zon{A|_75C2I}1_TR0fi5D<+xpGa=^Q@l!RDAO+N2C19Mbx{G{=%;9p9uVRwD(m+2L
z8i|sEdI4d0B-kRK{D;MoR%vvxvJdPU?XGyUzzBb$rzu*q)Q1gR3Y$y3LE+FrDT*3z
zQ{XL-qNC!@-#`*TU~9+CDagRatrbM`C6FHxsNjf|ba3KymTzGVUW=la&a#mjSBE&O
zj{CY~gIVF|)&KEX@da1djX#?Yq7=$tUf~MweTCKYW}*`#Rb4Ur-NuXG9aU%2_TllH
z+`wzt5+qKAH4P(;h|#~OL{vLe=BUVDooYL)&CFZkXZqRmW*KHolV54$C)Q^J!m6=N
z?zhHa*{hn7q(FZ($){W^=bUoCqHNKMZ
z2PQPgU^}X2h$dX7G$DQOr?bky`d%>Z*U?z{IO1s0#6Q?!DfUHS3Hw0uo~J8-z!^LF
zSm(>41XxAyi
zuvS~hRB4l{u>sRr;1t&INwqL3H5PdV!sc^NgcjwxOyQPvRFa(a6z?Gys_R;bEF_Yki9E$Ga-xU2MeYs_=62of!tL#0KB3Kx6l
z**vtuQ{X?#7F{E%wa|>afk-PAKWi#u>7&U^_(~dSA=(qt)6goVFw+*aiTAU-n-z?UVBzq)L6?j*2s!K0DjP;}l;DqP{
z$CZN|@7#=ca*G|fFymHs$r}3UwkuMn$p_a9+l%|<)?%Pe%^t6PFY;Jt|7zMCvux$P
z_>LpqZ<~*UqKXdb$72r%5%vUt}u`qhq5mG`;bk0&W)q7503l+
z?3@RzF!LnxzL0p(6SCHO0U~2H<8t)ix|NT&1rI^zn#WYY(tGg-vYNCK`!>SJJu=4l
zfg(+F#$HRTF&%_+^e8029E4Pm_S_Qlce()lP{v?a0h{g-VaAdLc5lQkU`oB~Ur9mE
z5(eC_iO280Fv{J#MZuFCx5$R(e-`ORvkB0ifBhU%l&sTN@#vmV`aD4#d{^PHd
z(8b?fRJFlmh=VG>sSaa#Aw@(Af%rZQ^a0qK|2mba$MaXDW>RNL2rZKLu=6DML;zStVh(
zz%is9OfoSa&3s=#?Ww9G$ViLP6lDJeoXPE$XdykVjTZ6b2V2^D5s|}{g>7C)(zLh8
zKX3_sVtItW84uAqXBlttW~xITB}+?3$4EKx6q#ITs_8TBA-Kz%Sh9a?%Y&PhSxV6N&4I}i+f<|ve3plshl^(hTHwe^4T1y_ss2cO
zHa&&FmdXG5;p-ax#TUaISD!@a)rA$mB0``#qXmhZf#7#ibVeXhx>K-(MvMn{k|s0q
zhIU!o7$^>k*ZfW-JC2m5xD=BtTYE_@czMB5pbdW<*N=BssJhGIj?r3xq+ttOVRd66
zT^9($k95VUsz7Qr+JFjPHbEYB{U(0O+O<>E0z!35NeqEg!7=Lf*P7m
zN&F3x_yon7b)fhpnJgrbD{7_DV7m0fLIQrub{egOeYVj1?94XW4o1Jn8xSenagNLu
zVOM1yKI-`{l&~G+`B{&@K=6E?kbmXv`;5)O{T_c3hQX$E3!R89mKL2yaR^?hXgqhJ
zTzy)g-T)HHn0t}|A0phUvA%{?c#BjtB{Yqolm4k?DVy}qA~)~@rInYteEn^Opsg0C2w-Z
zQVC;pDo9WVIf#KIb7GGdacm&`WqH7&ec_rmf&=f)vFJWY@!)9(sL487pzNj@#1e$H
zBTP6!nj^wr;F*7kiQ>F|_ZQ&UXC6De+4tT3hgbRdc`KCl8O+4worBSeo+qpbBsnhq
zthR0sJPjVJr?+ra&2|ZTHFNrCd*-dz;)<7&FiW``w#2Ygfv+#OrS4(h;DWW(yDrUX
zXB~D{7~k&OcEwua*)Pv)=Nx|Hd=sI>mT;7&>qbvn9n*@el04+Sm#Erq)C3rp;YO}|
z(|KuS23;3^+Toa7q!&lPxC9>gPc9n6DEE~6S*OG*_q-^ziE+rqMR!%(jZ3K2
zlkTW%Oz?W(8*0SNRJZ@~-~u^~X$f#kd5YFPyrBqfj>2Po$4B^MWZ5P1i0rljg!9K
zFFk{xDT5K09&xH>K`0M;#XcC&rg>o3S*B|X`cEG&_=YTLy4BG->y=)1K#{r&bqqcZ
z@XRPfmNwpMZ<+B*D?gZZF^oP2AO9P6!m_U+ulE#o2s}h;YIGN{1W}nEE;;vGK_|wL
zgq6B1`ib(C_3TljNbB^9y45Qx0&R`I;XV5%8Q|MJCZ_~2#BCIEKV7|#>tEEmLR)OztNW2~_qvUlvk`prm
zI$EUZn;-mQZ*3=G{|E45ZCFN2SasC>g{u%^kMC{DUFAC3CbaaQj{r63gu`m?y<_Gak_SBQ|f257Wp!Vrk>|NqQvpp>$yQ>8uwo0Oqfla6@T$$
z{4BjgAE*4ZpoN@TS^P`-3hTY7M0$W$u8uD0V}!F&&+eze<-$GX6wy`=DQC0$`jvXQ82S0O;9PpDOt9p&Hb<_
zggG`!d4OKoFo3ouFr^-aY*b$FE57~1g(Ad$p#u%1U$L`GzfmgD1*{fcQ2@(eNPf>U
zl)n!}6jr;5+3j%|^weq1)#ux?D;I?DEm8I8yufr->LRbGn*QmH-75E;mTMTyn1bc0
zYUaUN8Ue&mp?RR^yUhHBXIPw&dxWUTgCV&Wc%boJD)sjq^MD8~e@s(o
zS@DGbt*onT&t_4WX9@s^+DY9mnBbo-8IeuTP-hSqaMATY#TJbILF{%e9R(cx>bCSp
zqZix@?v`7YoIy|DtG4V7X4a(El&+^W9ix(`tzM#_X9F;U&Cs0O
zdyZ?Z$-kp3Uqmz%(TxwtL)3*zEA2*@iJEhhpiszDx#%S)QPWRimO)Un4qch!nf5=2
zo&~`yJB2>k0G2>8vkw8bhxQvzFP_LT2CGT>5~exiU@h0=F7RyiZP|!i!&@yf@sIDm
zp$%mss)&_u&n*;7l83_JZc~(J51(ksvfR&Rc?sVv82$$0(whKcP5*54(x3oH4OHrT
z{c<;gLrXdxHLF}JBm^33!v`Q@+oM@P9c`pVov+yPwU+~2y&JmfkYnCf^HBQgHu)d5
zJ#k^dNxSox4gr2#jG4dody0o2;Lgrzv+XqLp=-D=$qO-wQ8x?a0H;T6&#I`UHsX}V
zEKl7BVTZ?WpH7$`AVkYd9DeVrA4@3lkyV$SlM@t||5)i85fo7h=(CsEKieUy!u#Od
z?AGK&<<=|&DD&=D@N#9aw3lDd6
z(qES+-Ovrqig0Em^-!h9&ElIt07pQ$zcLktqW;$v)TRuLJ2rRey)BK{1AQJIQE-0I
z5|9D&hPb*i0Em(5*26mDq~N;+$)bGFeX2^u2`*2l8quam+LM~{EMUN_>@=Yndcic2
zbRi~ET9EcUMJ&^&JCzxM7v{$O>?a=0c6lk55<_P}NYl&6XTzR;7i{%X^!y+I#zpDU
zOn}UEZg)_F2racmV?9D;bUTV7_+1L4!H;?G9yw^A}0>W7tMr$&pG
zHW79Q2D(WY(s)eQl*FpU_!Qy-tx3^3Q0a#W#YJv-0wBcWqh?Y_Z;<KoyVz-8N7H-{@|+V`mXJSLy1@Q
ziBX4^BCs<7i{Wg6!l8dfPT(m%#IWo%|4Iu2#zdFV65i&-MEJc;ZF%&7;s=KPiT8$^
zk|dY_?s~|2y*YqH&Qgn300K6?G909Z2@w$~-?%1mT>XAG8T|L2FcKqEEna=J^#>fP
zEgZs8y|ZPeBC1e^$*veUt`(?uFO(n#T$kt8;t6kS@WG#Wc*47Q9Ly77;rz=kEF5P=
z2tpPELkc;%Wrj=|V|_1KI>`!wHNfd7JoyZMcM?XNO?Z-zC}*_+2#MNq4~h6qYr`dG
zSehthf`m;PaX7wq+qK?0cOpWof
z3a&qeK@1Hwq(&mJU<(<-E=TaljfhCb;7C3nYl)Qv7fQ7YZm88_V{&jjM|~2hj*O?!
ze;Sqn0tuP{L9e`{#TY=_^D$%seeY}>qMDq1{>vQGro{&;Z|G^bFdp^Y&77Q!@jq>y
zP6R|n^qPaHlw^%3<$<3fh~bX&8<9wp19AY5T^0Oi^vKRCiN_~%!8u71)@x!WZC7jX
zW=w*?Obp5QN$p5#Hjn!3Adm{9&r<5)W^I!v?b}iEBN~XeP~jDajKt__D>ybzC_~FB
z9?ZG$G3Q$kMFI+fh)PxYh%2Wl^qwCf26sqb+|)54vU69^0UM$I_PVeAI7SOAq%^E9
zL5qwA_Ap(g&B=C~dFMq!)kv;44lI&T0MCHrl^GhGsqguAg`nBV$LB<=xGRAslR#YUGv(k(fo^ZY%~6oFdPrue1VpSX
zOs`>vVskuP&V0LO$cHBT3@wElv+~2z@@TnK)>7`1Re~8jPN%hVBQ088y|6u2ZU1Es
z*}B4ppsF*c8x{}%NB)g5eeD-(hKI+S$W^}nk9gnXnbGWoGVsPOLt6|PXe*t=2?5|rg|d+N?L|i`CZse<70s*PTnipZ%%^9W}d_1K47*s1+Jwe+o;Wni$
zD!h;p?X2JNd-$
z7M5rm;*lbRsm`D!=2u>5LA@GK7$$
z)FylGT*}S0`IjCO2-9N33`&xm`3a6Irb*p7y949`waXpBo&~rkE)ligzD;9C8{1hp
z3i@A!y7Iudn8W4&Ks4%QygIu+jz%SLMO{ChXO#QG%UR_Bm4h_NV^FZ~Q%9h7y-Z{j
zbO(cx_X2$sbNj*jBzEoho)i+|H_!LJyKqaCRTkw#{eZi^l2a52H2rgTLx+h?NR!(L
zx^G@Ngf+(Oh*4F%pCr|4S;GvCfg0-Y%N;1H>QUjPyIGC{?F*1wA>wNAY!VAs-by~y
zdh9EJ)DDDO#hgeXgakPWfw;{MR=(
zSYp-<0<`7iAz`uoeSCtBu*92)4f=6nsTsh#7wnKARyJsItx3|Yon|$L+ce4dcY50x
zAm}Va{LBYvR1(sExixx&xD@Ub3NL1MxH9Lacn@uZeUESC1dr4HLLm_7>kjfgLkPro
zHF(Se)oC=LAeRSVik0JhorwFmME|@%!-u)QXWcBDkSyKgk1Gl4^I0z=o*TrSK2UyD%>uF%qE;o<-z+9#_>4^6`r
za(%|p7g-$rML({Nh0Fc-=&4fP5<=6ul^xWk$yHCySx}%yR>YGMvI~mPWdn(Fkc%)9
z%P-7+_6VXAPj|edN>1FmXcfmr5sm}Aqaojb=Po)lZ`N#pCC|Iw@f3rYO@N1^u9(aH
zDE7mzn;(nIzE$DT*Q=vB@=S>fZZS&@{swJRT@051d9)j5!YpYT$DzO63|IncuzPzj
zidthrH#KS_8a^5W&oomHkcm+%Kl@3vmha1aBf}%JHWGn^-R$Ug=E`Hx(s&5^$6YjS
zRFlQu37Q>GhEgO`j$rQt&iLsl=`%5W@}QfVV-zHz1zr%C%T!F}218%^QSUngl4M7p
z?~fRONs04uB;H#Y2AkePSh`~ghQP*##zDOuvdu^dcU!RkdlZD9ipGxHoNgh^Ht01?
zksp+@%MpYUMhv(15!W>Nj*8)^f7iJSIQhsN0*b!`
zLO(kA2z4CMwkl9a_%W5H04lIkRCKGfL5vjSIg}7bL{Wi}`3#WJ_g^XSw9G}glw^Su
z935rLGxVz$t{~c00z~u!D9K+Zk_!sJ`;b{Wo`Orxbktg(wn}qNE==bb9n%%~SpuC-
zOjoe|k@scm^Q*G~dboDvhrEI7ss-|p1G5pFKV_vp0Pab5*aurH-=4R
zhxqlXdQrB3GBbdJ&HG#ML4z0BL4a|fD=zRaC@tp=FB=dO#~ubo9WjScLG{#L%W?GgAKuI_$H+Lr%AXFh*yLlDcKX!|1)e@UmsHwr)={jB9T%@*B=
zEfE>R$7q>KjnbKOC}kjUL#!HLCRz+0dr5_ekWq3e1R=?qH3-$0el!%Qt-YcDNh;GL
zLL0!5p+xL$KMw(nGvvaddUqVj$h^zeny@6JRvBgeOj{ib6ZAwFdo)G1L<}mt1~Utg
zGkS$g!Hh_PD@n^r!EAh}fUI7z78g)`*>cS`i|!+~Kon>1BBumYi3~_hq3fypH-O|&v+em5!$!*k
z9=}5yfQ#Xy;s>Qhjlhoa<&fn=j6F=S!{{Ak7WHf@phapci-0jRuM8g#T=4L$8~g()Bw#z0l^>GvAL-X6ceoo%w=
z*f!%~mftS^`7di9z-iXyalZ~1fzxHBCYMI7;>H6Aq1~EKmqdC!?A_XvTo3GEY^P`ZV$2$kAFR3b)|lD`!byZOR&94cj*+6G3KX12
zLIpV6e}v^D%>ppnT8XcM9T3xIhGUSt$0`sO4mr|K08w|V9x&25DeJ0t4Htsq)o3nIxzXp~d*`
zh~|A2{P58tiL&m%1iAYJcFjQ&&2AE=!BpmT%j*bwX%*;z3l&4|Po{%@Wzo0jspz>V
zosX4I{+*Zzu9%+rZPa_3UsUHzZnn{J09sDd0!4Smr+x!&5A*#E1A{gH=w-Q&v3u^K
z8V&vYSHX0h%YIp2i2S^sW~#mBATZJCzH|Bn5L!EZrS>>4+G
z;w3v!$8cju`E_w6Zm38|9`KaN8?)%Bin
z9jE;9R;GAZvwboqQPRr%8RA}TTda!bhB;9&DKhG}j+~7BVM6^|HW6x6g6nQf=>YO%
zK!*olI@4TOsvwe}3^fOW#RIe!G){~en1x+E6IT4a`J=;qHJ}9G3Y6!o>o2&JiP|H3
zDMhny)9L2g1aTvtk;m@#)3)BTRTForytK#-93j1@Yk+Z3k@5u4?oQMns*9Ejiow0w
z6Prci*Gq;DWW+`zWZ#3z%;OVB1@W_r{6Ouyvih@15SMv~AUu3a8skoC`Z++}@Px%`
z|KMmGX6u-?fW*zWV576&p&IB;%=50jebkaDX)Bgw@?18{Dly#GE#Mp6ldnEW9&ZGxG5PxF2Kt;H&k_~JR
z{=MPc8Ce`N@iaJrQ+lr}0*(C)`(o0?)(Hz@@u9n=5XU3fwfI)}8#3yDzV9lbbAWuR
zA%s|`lZ8R}U>PXZ@kDdkkDC!Zg{PtxV9oQ>wl_?|gO^9-Sus$>^_c*w8vD#P5PEcR
z9~7h#hv&IbNX6}v!j-BW;HC37JXUo{+!Od;Bz|-!tIz-M_+B*Q*DT|AzAG^Btf;*p
z3p5-=D_()d-SHoV+yX%r-YL8$K_=VS33Yxm^RE16nbf;%Wcer3FDA96-dHe-T
z>dS^T%Ug)-hnr)jZ@XB2+(1TBU~jmUHc090Xh7v=wX<$^xeWGPE$lwx`?mE+y2Xpn
zIIZ_*2&HLf$j(4a>(PjS`QYOW*C}K9Ug?W&rSVE$W;atu%JPWh>CZGZP%f#u=Y15q
zYNo6!b3hpZTFabiEF*b3BT2kk8hu(A&~R5FUtou_3tkVR7xXPLNx1>O6~hpZprglD
znD|yxh=2~}JZGc!Za?j_spX&6d1*%$?=W9*yEp(&o*u#|MPQIBluR*^@&29$d&Ez^Cz`y
z57tlf#tv{s6|NcW*~(GZJr6Pdj1GGH_Mwe|WypNd;MYqH|If9EFPyUXQRm~uQ_p+#
zjmKVxP4-DCA!&4YlRqi%4HeSgXEaDvqK?|YT?mtWCy+HqEVC4iD31p<1^vXa6VA8#
z67<9rXD@T5Vc4v-WbeJ=I+CL%dNf|MNc;^YU?fzrf@Ys0o}C~kHf2Q>iP?yJ&B<%%
z{j)}~=EA9djjO9rD!H6^
zkY0E$QXpXYaZw7SuxXx>lge?%Y$2b-g^@1#ZfOwV_C(BZW!Rl?}%Dh=rXq-VgRvx
z)=30uTq8=&{0tObbvc0O`jqK7T2?T{wj^6{mTt`IC^Z?iV8E3i-<5D>s=B=4q%jQq~{e23Nw^qH#ye52R}Y9`$SfEQj=14
zTdbk#xhkuN?h=dzUyk51-UfZHTKrazC_g*49W5`|%`V7w5VRfXGjMnHT35j}r(K*d
z@8E~i6LMwE1b}j2evAesFgT-r=UV}7;WUxX81{cT6%0-?UZASl0aeBv)47q%L>VEY
zQ2}JP>opZN(l?cI5l(i@4agTGoq!!O0;2gcQZRgd)zaye-X5ZUuWFp_34l4V<5%pHP;+P~J~
zuyf)fO)v)gkbsM<{rL6OTX~-UnLYL4FQ(sY`VSAk#EnVLlgCK%J_&^OwugLI
zYv5Yt`0YgblRg9*fP?B}_rNb+dGyv%RcpwcUh{*q#;v1Jw!X9dSc)530&{+AA}g>F
z>riC5V}~;U*j3w=o5Z+ljp5xJ1SV`}5AE>Y=x-PbU)#OBk#0eDM
z;VCt+9H6akHjS$&u~SQ*=Oy*&&Hu|oPAa2M_326mIO37aJ^3zaWj192&hSM99K_5r
z$Vt=riR~nnzXUI-%c!a5Axrx&>pTY1i3_eUt~QTa^!qYsB!40$Xniw_+W;+`4;dh#OZkFZNS$AdRTEbjyMJpJ-W{L%pT^&6C*
z&NbUNz;w2EnYzX&8l6_cO~7b=1UGaTw|NA&c^Er13=!IzfcA6-c(=z#p_+hgPpP_h
zpaf*LpQ(g92JFnHLVC55l-t?bS@W?y7USWyZe
z*7>3B^c>%;Pso2~(Uz>(=^*hd13k(Wd{jjxZ6|_S2qqmcS;_^jh?@xLW}?(!rh9qz&CdXC!~;@)%fH6Ar!-*-
zT_E8jD|O}l4x;FR1o#l0S^p+8A1Tu>l?rm;%kz(9^tOZUSf7@iiqs{>lbxWFiHiNh
zbr~^1`SRSFklYkC1eB5-F=x;T)O4HjrdF2$K(~F7klOqbC($GmMM=e9V>Wa~7dr?B
zu_#2$|MPJFv4}oK6|}jG=2yKF=bd>uGw(@u5NdwiJAQsHKr+mMyN%wxU8=O%io|7u
zZUpYYxyV*D;2Cg3?ZU>mvkJcvs)rRRKOzwhWKx06GHlQ%7;E;Ynf{;s!-R|4GIdML
zR*V<0-YUydCOems2Oou0RW+vp*fO8Jc=z0MqSN4e?g4hg-)DOWPdKwVw}IM?6)>%K
z$ix%sQoEARB1;P=*cM+QMwA8DM_|&XdY`ct%jPLv<`eCvm|=^?Qo#|rh8)2m9u!E5
z0tmaR@l#RMumVgrx_t+C4eR)H3t&k)(o&U?oDw&W6(h3C6=ITaeFR#ufXw$%&+y`n
z9WaX@m7~kVN;RSsb6P_*FD?ZlWmrM1X4_cDHg0X4KmizaS(MSAK2P(8AS?G+uuC*i
zG*_9i#abRt>XK_E6r?b$O?MwM|7#yZE7wgV=~p7mFgjNU!iW{Z5F<;*Rc{WhLgfLa
zXrX3eTUud1T2@E`?Y0sv1Vb}q0A_Ukh|I$lJcAd43za&PDBAlvqu4Nri9iVyQz*}-
zwz`g=Pd^&sGzb?&t
z^sh+)e}t_aMJ?IUU!>-g2IrlRPr(FC1a4Ooei%vkjur&t4Nc(mCg-ny_|sF(SB(Ui
zT->Chs6W?sKCH(K8qXwM>>=OzK}He3T)qA7O1q_%so$~j+k)sHtMC`xW(TOru6?59
zM#{RQ*7&$*=Y{W?r)mw62&*R4)3B|sAscS>_TBC}Dt(sttcK)@KXFYw
zwe#*}3h3Hn${NnDD9VVsef8Wralis$%i+8TDB@023``m0j1w!cElpCyj!3kkkzk-N
zb=w1k=68*nZ;>uNp}rObbcF@ceVk!eK-VtF7q1XmtRtG7`S8()0;S@9x&_w>x95%w
z;!EExAy603m-q#RnQMS6fg4OA
zLggaD{1V^?J?^lary{y4g1%ql<>o5*n&mtl;$(iF9{eNlOpLqo*FtS?pjdo}uJxt7
zNp~YRj^KIBw_PZN5;^ZQBS0ic()lwU>>ih}_dD+7KlHXR6VL_zT%EK%ozgUy@>Ep5
zX-67O|C^g4>%Ns-9i3lV98W)Q)83u^>8jRJS2Ciz)NHS{{0ya`i#lZ^^Z>gktC!IO
zra@i)7xx6>-yqO6ah=Q!aL!6Al$W1$LV-Yym|ddBMTO9wNGWD|BQZNdk-O%ps6ZT&1E>zbrw$1{vbft3A&-M0*u=m!w`UKr**my@u`1o57
z)|vGF-)K}f=(jJq6CmP0c8ZDFVn#&wfBqd0prUiGZc*L6!rnr~^m>om>U9O}3c3U%
z^m;UI^#y^RU3T#>vI}&z{4yhP_v{JWrmXk(T&9lJq=6j)b8pF3XWWGj&zit)hWCSY
zMs3jEuG_%=q*m|~Y52mZ`FS{fIOJNgta}@*m+(i9cq_JfNlpD?=YLzL2%g;JrutOT
zZU9~F4ThI*6Ly79cfds7ZbXSlu;rz4Nw}BE>>nN2l|R}7I)ApGQ4-ESmtfSxYapr5
zCiU7AXa236_Z-hJY(@QMXh`SzVO+(&UjmC;wzXZu9c=v<QreCceA9hi!F$h5oJx_&Xf>5
zm9xOG8L!xiE9860wLTwl)l^mI6X5lAv4T9=1&rJvlnyb)8h&HFDnDECWo=MZ;LNzz
z-c3O7ZsPM`Mof`X9_(f*#~O)V$^Ien*AGZMhPXI#TuMEzWmU4Sp{v_Ij<3j&_I|N_
zYeTlI4k=oF(&I=2?AwDYFEZPa>e=uXKucXOge`YuFLSO|4OCrEGUk8V;4by+e(#Ve%H*}x%Llbjyyrvp
zPM|w5FwtbjC<{|eAH@MJ8}&COL$OmddfIeEp#HU7!}LX0a6^lO2JZ*Wl3NyD
z98>gzS?7)nc4LQ52{!(L8;|)&)v1P<<6J3
zhVE`5wFUF={c{SL_;HU?K07nh*;-ZW#pdAu-jbC%MXSIf`S4zjk}%#XJxr=-qV;GT
z5{hJcJ72yK5j*bxGM1Q=QPm4*xm$&h<$3u_yxUFNif$(ACmEklM9&qN^MO94X&n07
zy3XBtbAMg&(G`I2{xe>w`>b5@J4%0RSZOUu7&TCTn2cMi&fLeiSX@qeFLrLAe>nA2
zc6m9a)j}P}C#s)XF#vA?!MoViE&^tX|HZ)N)VNb@(ghcshAxz0_-00gJEg2a$png8
zKK($Fu+%ahhW0Ei4~*Z(p&j63H58!~Epm`KwuGz_DTy?r$+>6|3!mK~-P+otdpqnw
z_K4fR%^*&fWzBkU0hLcm>PVEqNx1Xtc
zu1#xSfsVSmBP>5oWEl=k*w0pWG&ZiCq4UZi6dHX(nz1>PDY~81cR0K<{iz$Gp7ck?
zys&to0i8!`g0}^i
z-;laM1!KXU-lS+}Hkn*7!vP!j3+;TAgzxmLY&%c;<|UCaTBvN2bTFIEt{^in$QFmC
zkh@1ls2-VSe;~FZ4%mQKH`-g;9h|R*Oan56=r&M9AG)Ez64E;7yEHD3Y|+c}Yp|4+
z_K-qS5t$&`n21{~;mC<{xg@yl1lZVTZY4Q7$WwM#SXoqA4wqcHacI9MuO_N1M`FGj
zQPJ2OhCRY=bzB)jqq494GJZd3)1OuFt+p(om?JlpkwsqU
zQ=hgFH`iu`i4|PEv7Rh<{0m%O4_IUVX9>nY>Iq0uEQXo#=%J!o>`8gktXp!%Q*#{~
z>GzCzq2Vut`IH7vV~baha--krb^xDNrUlxTj3(K^n12_M$O8+u*(>_^je7=3?UCB-
z`&s?#;VLYj@HgYbS1ba4e_X~@NYB#2at?97Ci+ZjqR5S@CQa#deW4F$ni|7pFo`G2
zprS>WHR*;3*6aw$v1@XczJ~%X1U|$nc^FQ9ow5s`;SNbAK7o|Yv63XRw
z1hGQ9#9;;b+z>+OCj-^L!i>CvS`tgY8g2_?y&kEmFeY^qJyN$wss7j~DmNmYYfhwR
zKrxL~;LY{J4dAZX{qFxfr*eyId|E)e5Rw%r#Jn?FzvE&dVaYIona{YWb_>4LiQ)p^
zp#c`hU+#ci{0hlZ4~?Lwmma!)1f^q5o+U|;kygJJ95nE3H!J{pX
zk8|gD?3k~A?%2Gnun+b$lRNMDxU`h}N$%Nmehn}WoV6ZPT1mf`yl=95Z}Mg9n&Era
zg=7CHN_Em9UqRBWJE_iGno9P-n15A!WnuNpFIv&Cv9h7Z2@Z;e^Gz5LgP72Ox@
zEgK%MTBswk%2LY1ieA7p>R(6fM07z96>cMTW8VF~!Ez2X1Uf>Z-y{O(Q|Opi;8mmf
z1HV9hgRM5Gu#w+4+1eWyhDE=M)mhhtf&r3%bVi>(WI;
z}JsOT&W7_Jdh2f~0Qc|8(2Rh+b!cB#@oV=$|tUfFlumxGPdC}#2zeQwnX
z{c2SpXgH^$NwL1>&B4TJrN?2|rM&zZMstwV-is5|niMt;<
zXWEV*LbUUBurpomn9}3<0B}tq9L8ODfG^cjE~CE&w;e(B{oV#j(dBBWzkbq_jE;J
zh{i)z*xWu|0IJ-#Aw^HXCttC3AM{=tc=vX+n9XSv0MM$bwEVgGE?(~bdoq4s28xa?
zo=g-Xpf~PA?75b`VS!^Y*+({d4J25VIb(~>2s&=o57jjC0^C|ZgXzQ??vn6uHMYfk
z$68L}S`Ebl{~&Q@EoVbGM_k*Wd&5?HNSn^t6|%9?Da1faen|##EA4Egy)OwZ`PP^k3rdR6=pdjW649+%M+=^7uK;q
z-J{4{q2*4v`!i__gMQ0cZ*o$wSJI9<8zpu`Gf=&~Z0!o#zCrilY@?sALwg#v)dL*S
zw=&c!GGoIf^^21kfc-RSw_)yA(qaTUfP$W7CGH3$PiH}z%I3~IQCqXi5JWi}nsZLt
z^n|vt2M9F({UwPBC5c2MdyR`pl5=E}LK&^K&$*jYAQB_+ER6{K%MiowDvW1q7~wds
zn6e;Ds1L}E&O=3Jm9mu%q}j$`J7K98A%r%F;XfA2*=()XUOu6SdKn6>7>Hb+)gO_s
z>f?q4ula8(<^P>2?&t+I`6sEB`7V!GUWLfSC;fZ^9u07F{Pf8^B|)4QdX#;l(w9nILS@1*^mv-@aVp1G3_{o0XgtZQcLMqrDD
z0Wr%FJ^VtKr4_HqR#1^y4R1!m{r%SbOBBnjlu^*3nnY2pif0Q$m8YZSK^dQ-*D}gk
z`y2Au)s}?pE1h~sgHG^wGPDO$SzIc`#hum+`}}?10^8e?(X{!1JMmwVRVH=_5F$f-
z%(9R}|A^xOsfZz5MHs9rHGKe*O7}K+_f&pi2c2ffNQsS4eDUiz#FdX{{
z^U2`B6u{`__=_2&^G^bq-#Mt)2|T@9t1lrXIJb)_&O?-#?b@(GeRpYMg~~`
zWlT1MiFSsd1Jo6=a@_GuX5^`3ye6_`fm2V|J@r&Xa+7=>maoE~yOg8ZAUe8_OaI5M
zXumz0SEg1spn8lc;=5&ohviCb2X7%GGN$h@afkyH+U9*pz*c0q)yg_lElf={HmWlS
z=|vh@9ik2?!kqj?N_AWIkgb
z1A1%?Y%sCZhS@&-zBTG={i8*JY^_P?M9cNyB=!?ZqCAdoLqyX^L
z|-dOW_TDEF%J*=`9A8->x`~%RQ@p7P8ZHlRDJ1z%
zraTu_EC5pnt9piRm*&S5v@T7ipSBsZG5fFYS}T(#BfBP84}4bW;=ZdCuShPV5bRY&F`Jh~_Yozv<-T@-=J9oGK+T@*V^*~txPR9IgRQ;?Cny@|
zWph&xzY|=y7C_BCm>2t2G?R`(V{fDW4@cw
z7^gjYfnV^wd2>XkXQ$0SxfhxkxM8FM9
zFatX9+dHrW9s$(=?cs=@rc2@Nhj$9(-x804tInwQyxAIWa`IUEdc!K$h8C|=@#pDW
zPvDQfeW8cZprIAlRKOv{0f4$&9(+M$pAf~`Wzoxn=poVhPfOwPd7k7FoGR2@V_ZR%
zmQcG+c1X_eCfNol-})6Qt@3u?iv0%3Nv1v2rq5R_i?mR31#c6X66FD4H%@ifqO
zJ*(G6JNsuPK3s6mE+GWt$Va_bInoQc7pxx0^I3cWeXFf3zPV5
z05lFpZYY(go8;?tO#-O&PUG+vFx`?IuTL6>M-P#&H>YSzB_Ah|-Z1Ihc@Vd4C$KKw
zgm{!fdJr}tyIQCmgGX;5Uu{bI&N#%gdcc|`+7k9x6X{yynKYA&3%+Cs50S6eH3F|s
zk1O5VeflqUTE^!dvnr;Z7U|2M6i9)4Vj=kL5H#ywsxke}vHWtdy4;og&HK3JSGtFz
zYK4~nOI%0GvM`xbvkX}3*5l4-W%F6nHg056udj)w2Ce^NfmPDFNiK;
zoYGI>IO2**jJWJHeLXIdSl;Nse!NyW&>Dh>TzP#*=!RGO-dzyKbF6V`1yTfDVcm<(
zCY1cei?r2ljzl6g4g<&Oy^i`6=IJCN>X$MEa@uGyE{ovqTVMSWpDxMhi(0^k#{uQitDsiy0|SgjT!(Hp@2!C=QhL2PyZ3)h{@C
zUyyQd$?h`6hLvsYg!%DVPgxc8=0A(-KI_sZ%mBX3=!HATuDgh`xd8c=h|Xa)N&%54
z1hFrpW&`@nkVJ0nC*X>F0|G|iW+~uNc)^HDQD$F<6})bFCDh?AaTz4UQ`n6^K|GlE
zT&0v=89-d~K&lb%Uk$U9H&-&u2BhOYHm+oMMLnGMdZ*Qa6hDn=T7r-`N7CY63q1iLel2(>pAG
zBv}brM&1t%jcXL!4WiGEjm72*N5C8FHcKpaQ7(OLF`as8OBf%W?DxSFa}!ff;W}4i
zH4PbkW^s|~y<(XAXU~7OK>OE(*!J#{KXm#m_=LD?4vTB%1jM1^aruH#|5}rP^(4jr
z(s0XR{}f+FH4jfKB~oyg&+l;f1zliCh^T5G-Vpe~T}*OPuix%f?Rh0)!~RiOZ-HCW
zLQ%jFirTYVXJuoDr09S?V5Fd@MOw75%b$v*YrndqoAm|K=7mC5+Vo+a6^-qT{d)hv
z_04Y9)*O*r_ZB5|)8)|~x}$?sxi`JXf%9X@FQUvIPzng>0=)==hpmQ1$3uZgFo$dR
zljs6O7rvK#HzH-e$!*IFrD*#`QSrvxk#bV`mPcgE{t{{9*p?{eneF3(Z;$(mDmDZ6
z{1=!d8xQZSVlH&Yc=+L1&RKB0B>(T&W%&$*uddHoTZtCF{egt`z^<&Ik*|0U(=*+e
zp-EOJK3ktC0o33Cq{ILg%!Dny{H3u+#+&Yb7uVN?8R|Yy4?0|%0qb{~^*DOLCcm;B
z-E9K5TC%NfykX5j4vwUS3apBw==Z5w$bwr+ew)5KxADqHfgDkR4P)Zu;Y6=_%cs;BNP&#
zotAP(dEM3N_A?sXEojR1#7VPSiPc;u6k`J7>$VVEy9Vs^1X}*bPX4Ki%5k-c1$y;Tc~i9#kM_(#Wt_C?f<2Kl>)
zBwByHwhg6Dw4-uT)7~I7jE|}v_j6}5V@k4$8l=$gM;fBhN;qc0*|pG%+y(oC05d?$
zzld>@zxc1TPH$zRed1`1XIDLcPGrKA{u;Nk2_lF#Va;i5xtkhV;4ntju<6xo@?W$FV=4@EeN+jseX
zmj8PJ{)aaZJgYm6FMz{-(Z&v!4GJizG7;Q8P=nx`P}@>=*5>;$Uj
zho`zB5$g;kbj>^7M*+3<^K?_hJkr32Rf#*;J)U{}#qnG48?Gc%kvjm0$}CVBS`(XZ
z)G;IgqI|~mV@C{M*Hr7OH|m_V$5r6#fF}yiV>g@vG|MZ^RoF1Il`H(Xa)ccEe`KEi2Ae@4?xcD6<>4~Gy`7x_Xi~e+;5ET
z><|*Ttph#t75vAVKjpAeJ~yJe^5X%#A($Wp_6+v(8O}Ixrr`>t$hxzj-UtnO-4h-l
zaC<*WkVQmL#jR3wDoO^h;&DbWFcnPUA+omrz-X;lBTLiGQ_iH2nIPH07Ur51Rb*T{PVLuQvAg)=eOk
zmni6l3jLWb>xrZWD?@KQkrrt83yYxJLnDZ205sAJKop2=q+ouK;5hw_T*l*REUB*@
zunQL?aMgJ**!bg7dd7)F_YK^Jyq=PHy-w0QbzCvofEMv@M}QgRPfFa3m=gSWH8HMz
z$=1?CQAfWlxt2gAS1g~xOiQ@+m|OL1$`vNmFZuL8z0loIWhguOm|6^--8nmlfpIYM
z^^TbPw=)9n-L}%r?rOlCf{lK8`t{flVGvT-;r()9vihQ=;!Q(AA!y5Yre=;0(=-gW
zecC=%$m}tjuV3znu95l#k+V>rXzWxngc<3DEqBbZ1JUBQuoengSGxH%du*MAL5XDD
zDJN|Hpt0tE*c8=D(6oRY!Ax_6Y~%H~*rd_b+GzSsp4@U!*X(#E+PUO_B(^&dVNOcN
z3jWXTA{*i`i-_Y5xasEc)6NIdX*nQ*M%iaOqlsy|dY~`}4cBURxs&!}mjkqE)NQmYF$m#d3
zdh*@7_2mC*J$^j`~UaniayU+D&^VO-To6TPYU46+u*i*Ia
zrpwo^PM1158PNL`Y@VpDUqPtf@zGB+cb^Q2Kx_5b#Lch5Z-rlFo0S0C1`lFkaH%4n
z4sd!76_zcC3&_>nldiSD@9vx$PgVW;WE@A~Ew1U2D}ie4@;N*CvINU0c9^))Re4<#
zR^e-cxMRYaVCCA3@183*^Qi=%NLKS)$I2J~COk?1@I3b-A9WM4YasSmRQ-NvXVtrd
z^ti{OOs&-kT(*qF@&m8;oC?<
zgrrflOqR?G-)gb*k*}-;rurIJ7SBt9+_c3L(IcmQQjhz4b;NjI1fTef6i8R&kpldA4sF~^y8~~
zVu?5qT361Z3U&1J7K!(*N$2(r(H0X}v_FQ7O8X?tcFisrpr2MVWM-7(5`$UNws&en
z*-91r%#;6HT)oyj_E=POPeytgSA%XoUU6L{5m?rIwpnOq<=`DArJ^;P(?nEdI%u{Q
zTx(E`uZT-rAZ+{`@g6J4ALcc0CQ}l^!Y!GzI(OfFT}(ZiBl5O5DcV+=^QtXBYb@?8
z*Pm*AZpCU6$-G{kC6lqqXlhy9f+0Kk8P%I@7I$Xd0QY%ST$h37^|q#>c%L^XEpE?g
z55k{Ig~xenaoc*{iZrjX`qVYAFXVBbH#0Mm*<#Yw45o{@3k?}*46VY;JZqWTm!Ca(
z79dPdMuyto(?x{ltgR4b0`%ngG#3V&4*4ZMhhES$4;J3@&x@RaabDA8`VcTl@nT11
zjeb1e<0wwxSFjKLHGSX{krg>Q@xab
z>~*tdnSG4JTXrnE=WJ1v)osOBL8XdW+~TCR;FAR-<1*Hmt8&(fdA-15gzpDcfI7!uR!b4B
zr^5#*r$ALN*~E@}{oZMm5q^lBP7|~%oPoxaoc-%vdSSeT{QRZGh%JiB{o`2&??%nK4-QO%z
zsv|wQ|5c1fl&F(O!f7clwZBF=p4ud!(jnpB0B`gTIyC$rC+3~qDYSG>29%Zi>T(G^
zq`=T-8zmI#ZS617M#GCeSkD;pH%G%=Ln@;kdl9`JmbN)fAz*$FyA|wmrfd
zm?pN)=x3llG(e8!|M+*%_47aQY@=q=vli&+IH5jjrbL$Nw^*6ieg%n`@)HIIDKU?^
z5o2xx!UN#mR5$S@{z>unxAEOTkM2|eZl?2LthYbK07&%4_&ph3CIDg(i|@_ie086z
z>#b-O7rK8a=}89pEI77%f_LF(*Mnv<(c|g}5d2IL4MJtXbkEqyG7~{m!Q&5|2oRaP
zMPVHX5HSjJmUWj`kn@;=jS8&zBo&>Ev+nWg+aFi5kwMqiBSmIO^s-QZ%f1?mUWmgk
zZ>AUEfaSZNAC7%VcGc`w%LR|8Bfz-VCG+q95)NJZ*_w{{NU?cwe
zUxQLBz}x$C^unJZmQBPJtfy;yod{kJ1nD&={x~NJPqx`sT^Xp$^E{6(x6tWOGIXUu
z=F*2lzr436^?5iDkN*1`e3j~8a^`3{Kjo&j$f~RWa2XptF!G17x{aH2V((rl
zIrYB}sIBjTUO-|Nj77~~#`doVDfFeeq^Z~b{L3cqHMunM{{T%xT{9Bmn_F*XZ?5Ch
zWh$^QiH*o0`Wpla4c=iE@kDK<^tNyDM1n*GmQmIi9=tO#Bx$I*W(+AUl8O4KY(%EO
z;Q<^uVuzC$FI7-CYlQm&acz_-S8Qv2C`B0YaJV(j`9ung(CBx(<&THmd749owfT@~
zsg?$0Jv`{Uva98;D4SoMRPLBw@P(+m?vD7dT%|Hmfgw4clkx;&^)oZNj#cxiIeqBdM{s*?6A_Qzj>FzE#g?o95;I&ZzE(MFu*J?{2$XKw?yshckCBb=-f&+yE$
z2rr?g0;Y#HU0SBSnXNbcRFr~re(!kENgS_WRwK5a4uW9aX{DDtBTeNHC0ncxMy)7-;9f)c*@zzVf#yqR&Y
zId>inUX#n~kXphQMvCQw6Z&H6*(qXyQ=kyB7^jS73d>y4c|UsJed;2hOFs+)&@g?e
zFSs2rpH+v07dC4*Rn@LUcru7-To0_J1|X#kV^j-L+iqu+MKww#()^uZ@h|Mb
zS-BMzPSUZPo?s3Wb9Hu#n*fS=v0@+B_|%~TeZs9BoH2!0Zz{a%tJ3fw9-(L>ukSm)
z9y%seA_nD|!pU>N762-}@DRX=_X-HmJ6uBW?-Of2N1kL$g+2-KuE
z1}?!lOMH2V%Ma-O)@dN*6+98r>C}>LcIZfojx{PDORgwmt!lX)La;fX49hQrC8tV^
zoB^Q~@}te2d>ak+i?x}bbnrvjpBlo^d~3dz)mac;;R{O80-E+0mROub28%2^L~#Ba
zLG7VMc@mFcs89fFZ0ir|+vw+{IEWXt*`*gURL*z0_<1mm{pV1Gyd6ggAg=rwC>#<=J{Djrk`~wjJsZ?rq%D|TD
z8Dm2E=b}0>tGjVIapUbAP*e0O5c4qc6$W#HS@~_Z|CeKV|^A*et7AZoj@UEw|xCIGCSW
zIaqYZ!R)_ob{MS?Oq3+hxb0Dyf3;b+M!~}}n$rO>V7~0$Ot@Hv8e!BMotF`}N}(L+
zX(a<%!S_8Q{m(2C%Q_F{D_b9Pez|myZ1laE)6vp>vC;Qv9vm+%bdA1l=b_)BV%6kK
z&KIdWmAr2+JEDK`VaFe5yVmxh3p|cA+lgFz<4oS>oSu*&tFJ2cJDf{=7c)V_K)A$E
z{tdfbHTQ?ZO+82ae{jn|DLv_4UaY8;)#C{GJ{NdnLfJ
zMT3)hwb)nOj}O>`S3`IipJej=Y`Ip9_;l@;n+dtc)A*Q^c!K(8@^xLD5PAiK4Sz6!=iqzU?}pr)^EV
zexsrWV4-%Y5Z+%5^bz5t*2Yyg>E%BGe`_^pR_|J{S
zcF4RRvzm_+TJssgYQ;}&swzI?esARG;HzP)I?}!p?%=ZLMYr93y!7htVTX*31Y{zcYzjAN$W18ak
zOfnn`7$Dqw&bWAhHC%wA>q1k96ZF3_dTO(=?Q^-CaMy++Q8agh1ah!P162Z
zpjHpOjXdKOtZCm$|GvZ=%sE*((=bh*y}dE#5ck$uU)PqO(4gQl=Jozf@WBlLGh7BP
z0}6vc=;CCbW=!NEIO@2t=6ok5px}*@CnxymQ7QhGg{$=u(^OSmT6rh+U;z{ZaqSat
zm05=alS`CM)eSF*v6AR6}Pna|>`{#>_IENlN#sTlNpV)1dF4
z?Yb8SGuOg`L2DVa3>CQW@w1x$oH>dhWOK#@?V6&WGk)0
zp@u#-jwC^ZQ;{x$y|w;YeYBE)yS}jM)!`De7fSms{~kON3}2tMAqw>J!MgS6
z>VEBm-OadM8mT!lCkgecL&^&HxbZ;e8LTCJHnn9=gSir7i^uaBEOEXE-mN4Y_V>BX
z_8`n}XZT2-yOUT5)pG>gouzllV55Vka?GSzt$Eq)!q>HWX$xvK?ysbUerBygX~}t#
zNs@?94|L>ple}u$`Cs?|i7+aX#X01j;Z|TJpV)sl@3+TQvF1|9<4)fU2W-sX>V)~}
zRy8d458jV1bp*EN=gc`*QK^;~V1uG5uuJf#b|AeTAJ1nM7qavBblhVb_>sj#pj?xf
zpWS|2f=S;epXF*WN5IcY#=psxo5a?oC?|TbL(|Pxe}b%af869<>_7~kv^fgo0aBBh
zpKVX&C2IG3N4AFYIg)8&Y@Ih?BH95b>;;gF8L{+IhhUE&HMYmcFt#wXfY=pX=yj|%
z-`5p;m{b=1A4H$;T5X9IWXb@A0fZ|ThB{o7D;as&G-8wcE4c@z+x1?56%?~*Cj51W
z)+~fX^}Q3YG!{hu`m`TaaMJ!Td=s-{gP>U)7v#Z$nCX5VQ)ImRvsou%hB_@zu8b%G
z4BQ|G=#>>qHstnbbo@6bX}6b&jTg!=N6M{U_+~**WTT+maQ8VlBy2AHcemr&bzA^s
zmhTEjvl0(UH0FY=dDWTDfPr5$3+pjQM$5*YYI^$s7{H)sbzz4(ZSStwJor$8oV-nO
ziuxi!cdkDJE}8rXVXrMX)nb+x7v@7~-cS=B`>AikR`%+uV=bnxn9vQTA@rwlnk{{y
z61=HZxKHs)YW%ur_^HgYY}FRpoSnd}=3g=gel+Ot$>n$}8P11J
zFFaD6u$No{KV6}tNLLd=JKA4ni4QURkam%*={%fr2!O<2T+n8>wKD8uWSpfPAPtl)M)8(~-;u+x9)=OYA-hdwFrFP%e3l{7*
zQ;vuf6;Uoh9s?sQC2scJYUdST8&$NTxWxs{_<*r5u<)mLy`Cd*(F*dUN|j7c!ne*a
zljo|f=)T7pZ$g1KVO1i$Ny=AAi|kiPD-UFn_`rcP^U{%wj4Q6p$Uh>$M3acK3=V(`
zf*nA8K{rEcBS!CC?63TMZvzOV`Kn(HT4U9~Wqr=_#NHC%niIa(`8|oTag6BEC!9am
z0UAFAZ(4gg3}iiFhq1o?LaN1pb1T~UN%9P_OeMHGcvooQlbzpA`>J*6^KWp0W_|tNX
zaoQk@A3&Iv=IW`tR&yM0fMZXae_GO}6E%^5(fm{Ii5yfp%4w>B`L@~A+R({7+yRFb#+YWx@=7dYtpGY}W3x^HWt<4M*&+V9|VvFfef
zOeseQjF|F=jnx(^`8piTroGM=DQWpUr9jnp-kXqyr9P~;X8-en_mxvlkHZ`pXFT*i
zZptL=&?L-SI|&eiy0waF3rQ{!A9qZ9QuZtJZQ5aQ7X*D3xs^{*tuibIDql-t$2SQb
z`8pz^xlj$dFPUmCZduPGAUIF_Ph{VOIkXT5x?u$_PCs-WtIK+E2EY#$^|adxu}-*z
z7=cVhC1x`~qih%Ej*r)!@JV0V)r;)5{`^$u75QB)9l)x14V6fviClQ|*aD1Ahe2{3
zzhTuD7_t$WL1w_lS!*?1a31t)41A3;BwU4;)jd(OJ_+Bwj~iPD=_UbfPy&XMH-?~>
z+_HX34^%hHRf{(S^sfZ4&FOO$n+!nG)AiJye)3bLPBzaB#Iwwus7dZfN8{XHaue(D
zeY0)Wd^Gn32EX;$a+n)%?mWlmk@c6Q*hp(e&4L^`y>q<9oo90AHOjf2ZqdzoMt5E+
zn)b9LvpcXht3~dvbLYL3>YX8MkqWV}G}zI81`MB{SQUJ4R8xgTzvtkHmISA_QTmT>
zH;kz9k>O#-uG_nqBYka)8f0+n7aIo^uV>F3pTRHz`A}+=$DGa24ryzSUKB>x2cA+P
zQ(I1ZWbO<+kDJ$Xc)j`aN=ocM>qF97rCkL|!?LO|i>`LqOA6^HT2qOdy&5@N=fhmX
zCeH)YYpd7R=N`qW?;>q_oyXYS89+`%G@+mg(0YRp?n5~Hk=CVSSQYmpRqN;5Qp!`&uymkwK`_}S2mFx0nre%@>`2{t!A#e2RInINdrmy#H
zK>g>a@joXSA32Tl4oZ(i1aRYtU-vir`&($}0Mjn8{bcd)R23Xu4Hh5=;tXWu9K{hp
z8}Z+)Bd7o!^~YtMITa&gNf8FnsQ3?9P_T^LZ7?;TGpTd{~7%@=_=+wcl3wNVl(
z!MI8RVEb=eVUl1TL&YCK_1#YhB5#U2eTrLOejig)v=WHVMeGuWK?k~ilPZmm@{OFj
z*6ZUvsHv3WzE?998M!*N@hM1>knlk#->W&A+$2
zneM<<&b}gfKgBY9i4cZ|r!NDQ7<~(t_Kdsvvh{ni;xn@SEB*X}5a#0&EWt7W6_;_g
zCQFwja_WN%3D`{|CR2WJO_J(ba5I0>LM7^RH%OfYe9XW^P_#+vNV{h)v
zFz7FR>-f{&I(9VBpLpx_3%c4wpR)+hUFKPe5DCqK`3zTh@&uqOu8=)&_K&;tCd)>8
zVRyeE&prqNFxZViaGe~O9U`$pTng!4^XR`i%NwLo+Qf2JXnmo{DW?8a~-igHQ_QZdW&CC|$
z*sfDRVLX)L;g|s1!9R=qxf0&u_rWUAM(reMgU|$0u9y|{UpFWR9GSo3Z%=D%xudyY
z@>AMF*5l?(fBkYe7?}5jk3X+bQQFMbvtpI+aQgCCs^D%bnFm9gIq1BPqsfFm{~uT@
zkeE8Rn99nZ^NmAt_Huxw0_!)cu^l4plzpod?DXWtEDHgoc*DBnjOGbe`GLtTUaIpl
zf(#&#T@J$Aw+6=L!1vVzZ}0<|BTBIj?-&Svy%)dct73PLH=PCbLQ8>aES*e{Z}#zr
zKto7_WLt|OI2A;Y_1jdyto?N|X_G;OW7c|!uo7I!NZorgxg{VXya?8og?ItHgju4=r@7tgz%5v>{F
zGY#N4w{-2464WXA!pbVL=TlhLxq@Oa$y*q(EBPr9A;u6`y`7hU5;H6MG-++BW|(_<+O=eE{ma
z^Hau-HBZJKPi0;#=lE8wA6uD*YH_hEspAPc_4^Vg|L6D#U%J!#rkvgILmSXEyYERo
zAr^kG%)W05-^1%wvKYHlLl`0Bez3M*^TxeV^+QT)(MHP7<^NAoCx(RB@sFcZ`-cQe
zoQfQGt}obt(bF@B_89;AV;+c#KVdJMfAg*M_yg*)OsOh9VMl(Xep=j(leTZo69-Q%%NW*Y1;y
zU0hQe6uo9sMHm>wT<<|>yn00fJ>a!TIiFzhgkad8A>Wkx{nzo%G5^o5dKTM{hbhuL
zIGKlbDHO-Z(Y4~Fyhn9ROZe-`55L~5O+e~11liZnZm
z@nZgX7(~jQ#T-<9zJ;t`uU=1-+~A7>%HbQEWCN-9iY85oDI4fv!%?Qwx*}>D?GW)l
zGCRRuGrr?CiW?UmV3AlQw9I)>aVAE|o1zPDiASY>O783v_J0o&{*1B+?INf|IlEmH
z_Ue3+(*{5J-DJJD-b1sf3jA}C<74{wNyaW26CF#}ZuHL*H2VnZD?33CdTmDaJ5hi5
zI*!T-Op*4{$)M(r;=tn{4QQL3*ldl;mr{Ar&+CL;)wG-3OukzXAq5eW>Zef;MG=$u
zKmR>}$j_q5zrGFy!Cq8LYlv_S(`KdmB8y(viG0b?-6$^Hh!i_Y|At7nale%H;}KD>
zSFJZHzk%lJb&3t54$r9*?_>jU_Z20&P$Q~Y)C^tL+c`k8Gk@PRtf&s=L)P63J}QsC6rb+mVLQJ7NS1UrBzAhV79vq=`zptE?&
z$PlCMUJCn{6`Ae4;$Uh_UsQQ!&?ay@WE0(A5IN$oC~_A5Lx-K<0LuSwhECcE-o%Qt
zB{qFiB8Bx97?*-Qq`v=ofaaBkh#&9YnXl|axj12Z&gwCxlSfg-*BViiYk9>*RbRi
zks$muh#omgqs42DUj(GXoOx~Ln65}7XTIt?7f@u8{>&fK&LI>hsy}qzF&5di@)dys
z)1Sunw8d!ulwj^zIIn?fz2e%IDTOLj>~ih3E$f-Axq1K4;a|;)w1^Co7?DM4JgUAK
zb`Zf#v)dy499G$4wrxwaw&5|0%e!$g`tAxMgs6K`?dVY={54irkH0R+Aa3WJ`n39K
zxho=!&G}i%yyS$kE>plfe7bQVJpU3^>@AhtNWtS))GBV1sMIROi0Tspx^loPfbLg$
zaWxI)t9}~z?^bnR33`mv@)eY)KuiMo@GO_IxCHzH%uA-m{-aK22DC0PhCz7}QaS7a
z?kHSER)b#}RHYeyr;I*%b4ast*z>i_ROm5gj`aVIL14z${FU_rYSsRGBPO1d>O&ur
z;31yy<@kEA^{FS}4p5+7UVAHF*GIcrpCvo~emh;CLk^;wtnZhjVLTe%D}@0{fx`bJ
zh|xEJdJ6WG8oGkQ959K)2Pb|KnC_-CrN((7VGe{8&IddH8tg0U0xu3=nwplMeu91A
zb~JUOh%PorIq0Z6v_(YR1NWn$T}doa@VCd`E4@X?%NW#FlCjN5}Q-BI4-XQ=7!xBfSWZXGg;xF#2gkZhiTSKnn{uVQqB(#R(i@--gCk{EwmL&7e^5_7U&9>9iHQT76O&0VI>vXu
z0-(|^AwtN5l;IC6w=V$V1jGm9q!vP&65ICnZUvnn`hS2>#3zaJbqodP8$7EqcDmHa
zb(x@J$ZsdZvF0cMXlaizT4*=0fRTCUiV2bSPb+h3IuEn_@(gMP{al@f?<`CLP=0N}
zGoTs1CF_cLNO*8Y94kN`9mv_%1hss^DlIny)rt?9QVVI_osZ+_^?5RoHu94Fkd1L1
z4GFkYI%(`D-y1NDcpLqNfyxCf1y{iD708b(#jp2bh-iksH!8+z|ID00Q(-e^53(rU
zJ@|c?&V-sZMdA&{$hU76^aP
zFKzg)Sr0*|@vIQ(Qy85r6-LUOxqIDO7F=;G69QNgddhlxGzi4Pd50R!6c48!lo9sh
z9B`rx5KV7W^?kuY48(vkh{eFc%ldx+76lic6t%NErKq}xnpgvoQpVL9d>H%SR`Lz_
zZ`q~vywr*&ko$;}&C-)jyd3L^(~n(eRd8wl0035JK7AV#tWTQY_YXo29mC(mm0Q$q
zM%GA6Oga
z`b`PeFQ&j=sb5V5SxsbOX%$*sV1fVmr3uurl`|4f&FV7Ti*~blqcI2%oDd}^XE{+!
zrMm^;oW>OeVAaaHE*NE0S(yw*F(yZ@Skni+40rLp52MoG*U>+9>@gj$>BJp6`IR!>
z(5J8Jv$tB=CFMM*)3;1J^B6!2eHlApvv}*a=PQQ?aoUBI+XF6wJ(^OSJx{I7DqGHO
zri8{V+C3b-!7`WKb~fdhR~CNexi^?fXu~(V!b1R<`OMZVn20o6_-}raqNo7kbO2tG
zk4;&y>7SN4ha-OrBaH2ed@LnB-qn)l9&wMhrE
zR;|xZ(+d0#KNJytx*u8;`*G6pmc)yB3u8~-g4mR|G*+J&c)+S$==
zM(bc_3O2Ua7RQpXp}2I0n+w%JmyF%BhpQ&Pbg)rdUxr)xcDr~O-z=`FJ4`CWgF`9E
zdG_Y!Fw!9B738wsjWVfQ+n>Z{tko?;a+_t+bk={mw6vF2v~{|%dhHs#eY>Vr3+dip
zAolw{i*72~{I1_Z?At?C@T3Y~@V1`{x7T=R{}FP?JL6P0b_Cc`c6L(YJhnHVGRjvK
z*tJT{(!$gUyGkoJTPecRifP&EY)$T3avfIne0Kxmb0cVSGt=VIFC>eKu}AT$%HLD%
z8g{LQI@iMuz~@G|=?m9~rL4-a8P!A?P3EQ`2favUPBM$qm3qBTY1??x^MGam*e-QTajxX3_sQI}k2eXKg<06%D}U&!}%s
z#sL_6(C`lk%bGLH6&6qJk*R6l?H&SO#$jf=fHg=T9#+8nO^4VuM@SW5T3xiaFnt{aHFRfYYi}3`7->MH$qD4%5{4CpfnV+G9X?$5jJw
zn$H3UC}wqx_M$QEW)+hEo0*UIzuqEKRtLf=VRIwDX9@?JBj<{u^wM{Ozjh`qV)SyE
z_P^xOm*Juu1Rc4PX@RHS{}kypMf3c+Vt6IVYp-)^A4fgGC#Yn*C&S61DT2$*jL%Jg
z`TA@eQwQi+Wg=~~zBr%A8_?@&Z!zrdkQQTMD#qD0Y`-CMO4R342xNiJ02S>p%AYGK
zXCWeG5P(eb3j!JX;G=>T&tq*1l&PB8(#Dnx`#(Rc?4T^_zru+hV5S!`mtFCpaRD|0
zaLItXuDM}Y+_Q)xcPq9Pwe>SB?nNU8_tYA`K<>DNc7NN
zF4e}da+&zI6eafoY)*Sbsa8mqCN^vZhMpn
z^G0xhMsScuCL*2Rf{NrHPiH35Zz!~*(VH$cE65fc=QZdr)71I;nv1qWcfDvGWgFe9
zm6js4{&E2_FpvOW9CW#%=9D4h?2V4^(RN_RBpU9ZNVx}B7BClISkW2UoLLzG<&&xn
zg6&lMOJa6DZt-2gwIa81^B~dBne?+C%28JD&b*oXU0~Hj6=@3F$j4z;mfOkdtQ`IT
zZ#nk-dG7xX5!NK~!kAn_zH#a)qGL-KByz%xG@W+P3*rxglC8CBVuD#zr$j
zdRvG!X}Fm7h>=l-a;J}kU8%krGAiG1A_@h9LOerEed~y*9?GVmj~Z}^S5aJ9
z8>3t#Mi~}%T46y1nf{0(2jc}qC)|9C_joe&1KpE~AZet%SqCa33lMhrg`IhvMXTTS
ze*nm(-V`Dp4fbZr(59`SSX0zxgh)j;Ua0JU1hSa03sok?9}P$uqKEfLoH$ttOG@;G
zX$37#DnsgjxOy2SoRnr@RxV@-pva-^xi<$knauWKIClBJfL+4!h|;l@QPj3gsv4&R
z%$Iv8qp_`hJU0%jWb0RJQ>QFdSkH%5_Kr|1mgmj5i=?ljU^}BY_S}q$loCJDC=4X>I3#n%0i1U8HjS
z?mqij34-EJu>s_a8)T=7PwbO3y;a3sH7w6?gBK^WNPY9wI3-^>ER=~XK+vui_UL>7
zGI0-Ph9L_MMOfE-w*i;(b+&PBMImt8itIwV#fh^!Y?SjrdnEYy{blz*$&GYJ+I~i`
zE+OL2C&kJO>pIz8jDkX0aav!AFXu|fima2t(PV!^=LfzVD1liB25h$E1M;?EOYyys>o|9Vyd*(lyUGUkf+F2#5O^0Xn8?iwf%=p(!$9-2ROA^hseD4yZYZCzCqYM%xoc8cA6Z{>0jBEROteu{-ItRNy@qJbMx
z9z;RIRGiSR?DD^lSuRM3I2|K~&QPEexr!@~HIalscG3}kdUx^~55@S`7DxxA7Z5UO
zRN&>wC?5O$aDnSg0l*FkcW?Pd9zhfO9kx{D#;o3v1xSv(FuKP)Ny*#T0|;rBNU(Q=
zn}f&h^E};!R5wY!-A}9QDiSCjBVOwc@o0ls?EpI$*xg$6=C75#q=Q?&;{?mxES&k!
z3)}x$Ar~H=7`73)Ui^e~^7@goVu0sXmQWd5
zBc`PEu>l2w5r~cxXmzE2s7~NO^$PP(8frM@aa-*$w{|sHd*zt&HpoAOJkQD}V_1~h
zm4x&>qyV8$UeeX}DDT7BDQBZNRWB~^+Y8|;d?HNBY~FxwcG6XmWar8>
z;09PNj^TY3MSfxFyx3dH*hhA!0j}Z%HqK;jQ)}lU(E(ClFQvh|eNW{I+RLoI6Rc*|
zxHK0XlO1L4UU-o3kP#goJoXsRR`@Dy){e#&ptwP5Jwcg(=#Ko&WRn*K+GY0neSn3V3F%ngXo@8
zVj2hVQZX?y_O#l5r
z6A&S7S=I%161odKR)WVK`m3i$z*l~DHl>4of#QLTTDLE{vdt^U6c+K@4URk1RmY?!
z*5=3Gntn^NZ*=r2?8!t`cstqs;eB+5pO9|!$mqI77BqRuj>Xrv8j^G~M*~5b8b9l2
zoc7o`{*0z*D~j*$pOt0W_F*x8dCy}<0ZRL1tiDLFXoR!9$9f|p(^j}euy{mc0$Zo3
zr;``n?YWVxgDc#NO%G5yBxu9?2wNOh?D~5Pv<2ll03H}ws(P=DE!P_a5_uJpIg`K#
zB;){61hcz$twv;KbPYAG!g6Fiu~<;L~ivvq^ZsBNBCn&F~fI)7#jXaJY;PYTEI@MSIt}Wo;lRP3(BP_=A8F`J-y*Hbu
z>yEu_Di@460g|*y;5Zv8|Fxs&FfQ{R(5*1`31OfA5yGFRkb>*1x7t_T{u&Cf%LdY3
z8~A7>hSqn(dm1x|{{Aks101K}D-M{c&Lbn&;5_UA_e%K&!`Hf=HEIcRkjO-t
z=Pm&9M``gdbl72t*GV9x)bPX;*ME2WC+`2-iM@k%jz33(3p@AU_fLbw?-)XgbNoxg
zf7hmD>OG(P_6G2FH#_M~FxKI2!|$n)&*?8Cjs7_Rzl%)5rpOy|BL^3MTsi-T^71aX
z?CTWs_^g9^^sm)a?%(c!YfAevbkwnDZZYm>m9BithRq*k)%Y6p{nb6C|K9cgRbirv
z|MzsGFQDvwm~Yhmo&CR^^RjPDZFr*vj*o9v%l|bV{2&nO9e@vHnMxY_Q~AHE|6;cF
z|K)#B;F2|7E#2y8~lBY>)Kqs>gLoe
zk6$;3!EUat6;I=zciuy_=qo#1Tn67tp&ZGcUN@Lx7_C{L@SdFp*2HKfvoHhUF)-
zoC3n3O1P9Lkv@JCo9X(VX=Ce4S*g5KB&V4Dh4`P>Rs274Gv^dTpBLk+ewpH+VNUSK
zhLu>abS$wJkKWq#${k+b>}Q!J_wLKVLVFHorUHI1^J#Jt_dc)ffpk4;({^m9rrkiG
zo@D7wt8_2F^EJzuz5GaTn2hax`<)^}`QIwwRWESBReXMGx93&(@;h6%J~n0*Q0WHE
z4H7DTxbP`fEyL@}&1$zk-F-J1jBY!&?UH`E_P4c4R(iHKn{J^0LF4*-t=_gaG{76Y
z8(z;nzIXPk+fKzvqIbR)ZsT@E;nk$*=(YQ5q_*;mf<2${V77o1v*l*@Q3x|vn@J!l
zUDp#+UkLZI&6i`#ak7DsH#;bh7I|heew$m%)X;e=H{>qy%#b&v1r`OU~WE^5}s{=V#i&tV7Owl|J
z*K}OAjC}=E9Lv`3;O_43ZVAEN3GPmCcP9+)?(S~Eg9dkkdx8YF;11yp$vNkq`~UB)
z_4ex3U0%C(?W)@K^-T51hg|D}$x@9LhP^1%1E=NeU%N3}_AGhsmVrl8o_4oCFLQi_
zJ6vy5SZ9vtQ%qNX8dEuH#i2(r6lyYKGAjcU2|;NIkYMTQ);c2Z+et*dJ9(P)m=X&Y
zW10K;ninb;Yi-Tq(Na(CjL=Wp{CF!=`i!xMQWrXJli26=T2+qYf^PEY1|VHL`^lmk
zM~sG~ig)6Zusdg@!iUj$sA~vhAwc~rPqx8zH;5sGOZQ(vmtbB)lini4w5KW<`ZRfpN
zb@BaVkzidHl7i7iA&H5HjH;$n5)wOqq$IuugF5e+?Yh8-ig=xK%_L>A>x1pe@Ta|5
z8(!eIC5xZ3J79IX+Gx12L8jSvrMT)rBqToY=m&GjBLc;#C8>vdFzm7dGtfYT
zap0618AoynsavkUj^Qt!I#Ya}?N3TV#y{0C>uVcTwVreLQ{i|I1-=qdUKpOeZ+ys$
zwW8v+Taf}wP@&^zCp{cfD!+9dgDUCzq4D$iqGonYFl8Pogc#TWcY4hKBVtLWXv#%e
ztcc&?BY(?w1?AF0rV386yHh8)$hn?AuXze?UrNT@stOwrrlmy*ykJMeDAvGDQjFdH
z27F1~`g_M0@geDnNkOSL8l0!}pEVI<_s%ro5|eVL5{%@h6LuD^Dk3xCdY-jkR5wiL
zAs?Iglh&4D{8CBhp&r$dseH)&{l23Qpk6ITOO^87B%4CaU!{T})B6D%cBmOrMIeue
z8ym?W=@1T&5S=VX3UT>1NE|<0n1zVW8m@Tw>y533Ih6Ev~or%9~TT3!yZFXX*yX!yOPdiG*qkk6g#Dsp=wcT
z02522OBNj=nfn4E;#0&OED+#_Xokg;3o~I-_VLZe&^=u=z?v#ibXQSL;Bh3xw&J$~}H;Y)D^KJ4m)$+k8ge!@?u<#{k-XjPk)D;Qr
zYu+DttUc*YTt&E);bhS;1<4;_QGGM7WaO=r)vs-Gd)}fDo~qU>vfsU>K?uVLKeLwT
z^wi}#Y*A!2KIcjhVG7nvFd^d5tX%3jYd|jX2d}u9mfO)%*-ke%$X8b?l4{aG5jPE>
z$jTWD=ZKX-<>ytiCQK(7EDZ3}eK%9GBH)7b8T6$o!p(dKT+DRv(7li|rlj@Kh~@o#
zxkY#d5?ZMQg3hC}1Do#-@j+tEAv~~bo8sYZxnJ!(gUVBY3mb7~XGXQDMc&b0Vf_T<
zP7Ef#YwM!Y_;g*H2AGdv4aHsoV^C@64G7+nnq@Ch%BrT&p3}sNC}nyvXCD#b9aLXB
zer=?2XX!snceHn6N*%B>-a{;$N!BdVY6u@bq=51J?6gOhr9a)2Z7m&a52ql7<}=nm
zmDA?of2$K7A*I<&bPs2{!^hD~g%?RH#1{Mxw=%7)o<@F8o~Hgz$JhFtB1=au5T6TK
z&TwQD260{3PRfw-d$KNYTIw)lM0jiCtYzYcr8jI%>hN$Kjaw-DjLOQO}>=$8C|nrVZ{0e(-Q
zJoXCz
zosZ#!HW_S2rVk#_Qx;(Cc+vr$#_29s^S<*}@O$n7d_K~Kn$5Xq8*ExLOF~<4%N{v3t=10d%jO2;$Mzvjn
zJxq2U4m^POLjW;ZZZf!ZcnucUqT0V#bD+ay-S@n^v~cJf1h2GR=I~7o`Rqnoaff
zt~miX=g0a{S{QMims#&mG4_s-u!Tgi^PuINRQTwd7Az3F#ZV{rP0ja^pycI>c5)0=
zu@$CzvjnA0*{7@*dmX-BG;ti{Zw9Gb9z^18cWoF|!@k8=C5n*$+@k1kt$M#o<1-eI
zJ5Se?<8C)%w3vKwVjMD8pMGd#<9Ils7B2gCaB!_FTGA9o-rRKB5wAFNt=zRPI)!3S
zdZ&>)9&}nk@hrRAmUwH4ojcXrciEfV34;gGYk}XRuQ(dclY!&m3k@E6G%Y)+pG3DA3efZrU
zP6!nUf$~7;qml|E4YW3yw4qDH4wiiffu?S2s0Sm>3Dz{HJ^mk50?qsR}V
zm|@ZEZ@j#iIJI!h1E&U077EB%Y}-G%V2nYPnV9Lz4{ru^&lP#$Cl2f!az>EIV3xVw<=$
zlBrUhJ!O;AS&)$)c%++eburO1ukNV#mWf){SjAdy$qf&M=i|1I9rX2Ak8c#;d8~l}
zosX7UMx)<|Z%~b6ZGNgBzWI)1ti*5B
z^sNiFhkF$jphi5^X|`ten+hcZ68&G3p(
z5h5{Wi|TP7X}>Eww};%`C76(a2Sd$|e{-)}6FowH^Mq{XH5FALQp)Iwjg>c9aW)S3
zwX9aeAE#e7P@E-9$I5no0rqLD?`Nhz)JSK`*nFj@Tg`K48wJg%*8w(abDoJMkrGn1
zx$3Gr49Mp)Ky1376qT=Y3(295t)UEqKph1tuv`uSYe
z(8{3E%8kAtouJ{^&)M8Sl7@DxW5h!}R5alFFr7%7$dtSIRd
z?%inL&!VnO8F0l@l*7~G)v589afuPjPCm!{+n&w>upDCD-$_hI187XHE}CKblCES^
zO&eH~E#_nFvhgV-c9iF5_9~n_GCzCpDDq~~nO0A5luphR!;RGr@M!1uG)rYm((jc;
zG{+*!e2Yc`m|
zhWeG0hWiA6M+7e{DFv6?lM84X+i--awU1pf$wM@#zJAa*Y{Gyqd!u~WFm)zPz)mZl
z=TW8QndKjb*3F&wp_w>)O$+vr{H`LwFP~YgtqrF
zRdqaGy8n(m$3+)LFdy4x&jqW$VeDA0Lgtgv`xN6WWF3!YPC{EYsJ{ilEwyE(
zbnu`6
zAX;G_HmOO*p(z5ZUN+?|onBVp@@$f_BoFT7K~Fj!Mhr)KIo8z5+c@OqgYWz({>4O+-!abbgO@R{{g`kbL>;s
z%L4Wgnq;BSuq|Q%an8BITiFeLZdOy9>4s)M0ZZX{t_r94VlIVixrXhU%;z=W)O85=
z^JoTY6&0oDAc0x)Q1gnmCjInnAxW{?l%xl;`6H&!ks#G!(bLs0G<6=5#x1HOCO&1G
z{9c#)6{6|Qh@A@aaaHHIyHq;h%qkQ8`%FleOpPy;$#8{ANU#@ggw>tkM^hQAIGNN#
ztJk0Gj+ENi=dQZUOvE?2zF`X+(oNvkYIQP}Oq*{-!%n1aIUX)$O~sTf1QJ1)(Rm`R
zdS-Cy@Bwx;-!^;en6_uUdjx&h7~)OOuax(uBR&>NRdeol=43`MbnODy9bShla7*hB
z?M2qPNkl(at1Oo&sM?tZKf%gk+03+|7I-#SjhWJMgTKv)t#{E@lJQwV&Om{L=EA$v2x!lX?p9*RB6h
z#k4BJ{vlES7Zr___;h@joLrZeEv){ODW%fdYk+QsjDM0%vUkY`%vaivvT)~8(
zonN%c-|Pg3QpGH;lWcHHffOfz#(nrjx7^T)bUyZ7UEEf`NseYiYBLqqm0Wi^mOA7)
zH^c6gpBy+@oN2RfT59l7^Or_uM$b<^DU+p|^l1#(pG`Jr2fQxI^<$L6DZmXGKh^i9
zDD^TThr7QaTquvM^K2txF&57l^t!rB_CFmq8XSin;#R3z%@{Bt|B6oGN?joN2^K)`
zcFU}ArXnPD+%aeQ*!h11M
zH+ccMliLTPyM2qY0^}5EMe38L(^7)#(p1HqekB6RqB(tf#ZI+(Rz(EDd4v-cafMs`
z7lZK0BvZy^dC{(}Y>g6`zS7Q283Puw!Jbz~Z)2Y*L@2Ol%56JQdtBHC10voCLSuek
z3H-({z5Z0Mn9N^1hod6RE-q0~ZJqGhR8}n0}}`FI@_$>
zXv2DiS313`Dznc32A#OUquo~CTL*m%~
z+$8rRol{707z@ITkFg?Fh-ub|Q&on5chu4<3N|xtxO%?s`h)9^AoCWDX*BFrr(HDI
zkIVEk3|A8li2_nVB+U94Ttt$u870LJ%lh`nW<}b|7U}O@pVO8swc2chcn}D4@wPQt
zTb5MWH6f3+F6#Vk$M;s!NW*y;Fg{1igyDuj$Wn@hqira7DibUpXqcMlhx+EIv
zPimxSD!xV7)z8T=VAqBB7Be4LoFkQX-Py>WszNRaTO}`(GYQP6e@7*{)qmf60amR
z9?Xa5xW~cmNoG@*_Isc5J#kSIUgpovA7ybRlnw|qgy^J4aYdnxq~_8)$5|HG%lm&E
zp@={!arPBq&bx`g??-xlaLfa&k~}DO=NQqFFOi)6BG~M!hk`t_0`EyE%;6VTsQ~YJ
zxYWR?T5R_g2&aG2>tm56WppU>tX3{<<2bA}8MlD5oMA|QvuMI$M~C~i_Bi}~vi|rF
z0XVc=`18SGrF`O*H7yaY>*R86HGA#%
zi%-mbQD|vkT{igAB!|ZFhRw5uiPygNbax3xKVPS=mJp0{^>HyeSTR@|pne8C&ZW^T5^~sVUfxvcjFAm9{d~vdYCtZ16BMVH~g;xi;EK^85Ez8Sc_8cIA%I~T0ZJSLtV9OkRJAN@K-I#hTFs$O?g{2
zg~CX9zE{cUE1L_3YIqb2Z0obv_IE!&R;f*%(65~>r`E*4sDx0S%dK}ef%jQmU|eoq
zREWfSZhCwqG-aMqC9|M}JqGtP&t8;10s>WU-9Epdh=EN;|l>wwx#R4IJ^a6gH~xwz0adBS&0!@
zHY+RaMYa>z?wzfZr^D+xx(w3*Cd`1}Pi>Tkx5tcHJejhZkDIq_Kd0M-u&Us)}U*
zQhOX)x`|N-Lc1TB0CsWo;M#)vV&UVRb
zJ$i?)nUTKTEn9c9qn?A}Ksb}A0$EeoPp+pLMZ>XhUIm$c?@@#s@^vAhH$cqjtUcq2
zk(Hc<2A)v=?$bAlE+@Piq+!GBU2h@F01I2VNf-6TNHdIfc+6`|eXg9@ZgRxfQgy*A
zvtJ=$PnP($5DQ-09JVFj2S0eLP?L*|O)A6h@q5;MZgnYf%_>Py?R2(zsk4D|cMVyC
zuw)|cD)521Zu^4;}h-d0NU^s%Y#>Lk)%!j@jj
zPIBe|Tc(7Nn^cW*B5aT^a%!=t=@BzqZ@!RC_sWr!vqGzk8TmprXvO+KOnkH6Cuuor
zzUsPXXP~B?r+z$b@)rD%ll}bg{)MPJjkxxcGcGLrK-4An33sA873FAYXM%9ExtwIM
zqZMq%5a=hfSY||Wy<3Uqk=LO=vq_+02==k;1O$rv?buE+;TmYDe`s>=?s?3}+`o-k
z!K4N|LdIl;xJ|TEUCVHAqSCDt?(j&1yZYquQDC^Cz}?uCAsS<9lG7YRx_fB^O`!E{
zcNGvjev#NK;n;~l*g76oea(VfgOBMbJncy(HC=p~+QH0-hfe^@_7JRdAFQr0?Rz$4
z;h@2zH1XD*emK;#6PyuYhJ1t^65Wd+%7qWzS0?{Fzmz;LbSVdB2!$NOOzSK~3oR9k
zP#mxPWr*v!7V`~$#Av9IdRnO1P9(>4UHM5;^d7qf&>uw|)04Kwa@aRl8u}$fJzCQw
zIR}J{9Hv^u)>QbgV&B7h1{ctn4Chv3(OITOt{S9}$2?CgI_hr|yg^7jTOz2Z6IJ&c
zR&s>)5;JVe&Zs7`tP>x&7t8t4gbnWd_%lwxk|ymyxO#J&MnAQ=?qg{N<*_`6%OqGV
z^c@F%;3&0(6>{O*s~lN8(PyF1NMhl{JZB+IS55VcI{ruRh12i7A7dr?1147D4E>~c
z6RYl(5c4#q6@<*ybmQx2Z{&=*9m4C3*Ob{GkfRkC>0P?sZgfWM}Hy8ne
zM+Lx7OWYZ7<_IRt|7@NC2K(qP5rH*WLgvNV2_z$Dr2ghe>ld{5aKCLEl{sB^4YCKiq{K86KTq`4dYvCb~4UtkVFPiI8SB
z$+%Gu{)7@df<^tj^mXL}00O=P^@@NEM&>x2``!xdCksHtFOCFui6Wj6RjE$T`b>rr
zL2e^m@ur(Mo{`l*lw3=wTQ;7NG~2hGtI$XR3@lc>9td0%(du@dRx$*C3HC~f)WuTR
z7?Q#!ZMW=60p~6SIBEJ70v0j536k$&0Rqv7ia@JwoAxD9Ft!gPgD*_$Hl~#V>#cL`
z!HN5gpPGy6EDVR!NEnVkli3}QMVP+P1^@)YBOybcuddQQ@bK4ivgyM~R+_N1kZMY^
z_ZlObIQ3l7W7|V4nBi#lW53UQS#4`O7KadGn7tiK$KuMZXq^p*zYqXm(gHB^11^w;
zKg3Ku%_W_x24u2e!hgu)v|#@hiXC?v2d}?9dxR3GcJJ_u!7+(MDa3#AbG}}1)7$w7
zAA9;BZQi9O)hAIr
z!!T(5N^_!x!8j)o3_*Uz=a2sRj*F{{Dt6HwJe!BF5q4Eo+*T^r(
z62H;qmLSRFyp;Qp&Qgfo^CG;}pQ}9+A*?D1fP^lxJJe1s{O#9EDy%bV4n>aeYFAg8HGR1?g=95r%aXJjI9hdsV*H&d$F@W?RK2;TR5gEozp
zyX5>>W(0?t0C0NRn!icW)il1r;|zKX(;
z-wCcSoD`A{)W~>Z>ot{@QItSwaj!MWFOfkMZr~SKRVQ~(A&IoH<;B+c03(rAt5r1R
zw{q6UlhI(F(Y&>v!`LV0RpC*o8>^d%$Xxpx2iHoQ0~cLN$VWLfR1PeVP^md9C;nvl
zDM1GSQMb<`PRC1Yi1Wp(4?vYbDgAmudi<#!8a
zIddf|!;s2ZsAp0X*`+NkeOH;od(ABLS7w)IouB-wS1_+(Wn~p00*3_v)KEws1`ub8
z!tul#(X9y~{>A0bM`0)c5X?cR=u6Z!Is!ll!p9a406^j_BZUq4*9Bg4r}c4r{;XUE
zf)p3-Box7oG<&AvB;)*Y4IFS5@?%B9l(x6Nz^d@A@hPH^8WaG)oquNd+`nUE
zJub|VRzhAv_c~+lsys$5=<-D3c8)bd?ozb@+4b~_M;uaqOb7(v)Iit>3;ALoj{cZp
zHM5J@S>FmoiIymwwzv|#8s5No*4W-ALB4E|ChoDu%s|zRC@a?0COI`{Xy?2#$aX$n
zI(OK33{|zRZd%ZuT#5}8q-F&Io}sk*(;+S4B!VPqh2bnX21~?4Kj!A^87n)<)O;(q
zyy_+!CsfC99~{}SOk70a?i-Kw2`I7%+3^4qqLcwiqRmMAhHg~drDl1qoi>~WHKHHA
z{Fo8Kx4OPYyl}n~j0K1qm52L24s!xGiW>AmV`oR#!Wp+0kFYb}rq1*DVBW3R_V2PL
z_q5kFiQEkDCbHdAVU6+Fog
zw9UJ!tyn20x(0t|$HtO=IyPnL*|vXk;I>=cJP}i^E7wXlN!H#mv-4rp-k1(702@yv
z3l)pl)XE?N|F)tmI6`1tl@aZ>nC{EW9%nLJgVp;H7KlMXqTq6tHZA#f|GKti3b(-O
z(s$CsbRP>lp}v0~${}7VZBFS)7Devsa_bjU(=#5IEl&Nl)o>yx>}OGU&s>BX6S?L?
zFsp5-Z=|)Dk*s3I3a563XMo@(k5|8T;O}Mb;-=2#RhQN`&ZJaRc+*P5x)-168qx}+
z#C+O1ew2FrT)XuBkYgiq**9WCpX*h_K{N%B;?HSCq%pBAU0X9cpQLz7Oi7@Yf1ni#
zBE>E|l;+|(Oy(IjQC-g8T}GjQI5m>bQ+=9wSjY{K(D=Y~v;THy74Y%
zbcRRE%Y~r4P%G$IR7F`?!m^Z&Xs#5-7u2-%H74zSgxSo
zFOCZ->F!I1fQZDTocgTY;{z_?#m|rXO`_qB4&|c&|z?Zksv|<
z0Ejy|C?`sf3o&XYiCH=_hDrxhi;(eSeK#q;$ij&BLXvO6Q%QJKB5%Ed3
zG)#T+bgEHjtX2}t7w~qMHB%<&8A`bx8P~_qHRM0*O~KH_cBoD=*dzPer=oNb2tME4
zx;DM@?@4&G02%qcruj%5V}dknQ_hH!h39LU6w$0%2XfvbeM?fsbdxc}iVN$|`Shmt
zV2MrfW1yRr$TtdzKe`6}MwdpXHkA_quxY;%BY;Ii3l_;oMMFbVDm(OapOqixBaqtt
z$ct6K=}DuILw^5!aAv7i7PHb|cXOjp%+~%WPO+j7={$p)!D3?qtU0lxG|NWT39n8Ke-jRyABAe`T1zXtx^JUl(F2q*rqWqHh^N4mbo9;iYW(
zlm0a?xrNT|e0&rcamijY@O(!H(DF5hc_r3LYV|o@o
zRB!7O5Hz(xp@t_^m4Q~sl#|cI?}9e_@d8}Kr8fFW^U^$eheqRic%m&?
zm8G{^y_-re%xJ3L-o@9E9gcCiS67m!%07NAO|Zh%tZ)=onDmaA!Y#P;PYj6#HulA{
zxv|ogxJkpnSST->A&)fWL5cg;MX2PeojW}^O|^n^3I|_3My%DjEj7u4&#}${@&EM8
zzwaiXmFJa!_>j1$f1LkychG_cq?#7?Ck(|}^cw@FWb(N3plBcdP6PiIw3ZqLM=-9#
zrcNf4{*acCU=snYc*5cZi3sHcC0u$qZXy4S1kiA}+HeZsBmGgR(^=K{;d2?&T!It(`6z_|
z=i*iIhzNY1Y|0_vHM6TgsED_%dn*~b_T$1H4_DUy=nVpOgdB+^?UqPQ+b#EC7Lz}u
z2y1{bx3DtEIO_l@@7PoZeQGi
z=Swlhk8Z;k%T!Mvf8=L~`H9Bao4jR*6y=wcHge$pBO!v)!HONN4-7HlAr~##MR0
z32(SIZe_JLjyu0#F3`PcD-Tw>^hwgPTLMBdIO|8t5*p%n?oSG~Cl8q?KjIqdxs3}R
z=Zf(&r3)AN?}&eV^uIBCCpcEmsNLZ7aLKw{)`DVD*ke`F=VJ!7<%z|yu;PPb3N@Hy~0M9;U+*85c|cypv=uQB1DJtuBgG-9&Yy*tY7`ARMPu2wCYg
z^RX;lM`2da{^*F~L7tH+PVo#C3-tGcNV@VX+7A-rGCMBumwlMn~{#AGNk`AV4
zd5G^4#KeiX-Y81ibJb+mN;8QxPF@zdbbacHf;w_~7&1mY{3T?+YG_>&c(agUR^zNU
z<8=G(uqV`qPog!b8b0<=ndIDIyiuRNd{@3iOnBW&!|iz0cig0uuhf{auGT71fqV#mYgf}Wlg
zsRO8^tM&|vA14CWa{0XDI3Bv!z~G^=Tm}f0>}9WcSVhMnNpJv{XTP_@y|3Hh8E~nG
zkPXo*GfP0B!W$I>y6D}NZlmT78n1OZM75kIf&dO$il9$bWh?tkq|u=5!z=Ya-IH)<
zZtBRDrxjo(LZecrsESq_tjf&H3ZJR)!0JB^$C|-1O5@%WiH)kjj
zEe{%0Kr6s1P6X*92%l9D=XK-Mw%|ws4%!6GzN#wlRf%7l@=9l5f1avpzlou(nQ!ul
zh)J!&@2QAK`N8VsD7LgxlW`%lI9F0U>;0E$jarymqVFe8t-9Z1Y*(9CPu$vxh8(lL
zP7UIIh+-S0Jkk?HQs;`WH6
zERR#GWWo9H;%yd5LmV4q@A@v6xj_g;SnkhkitG4w0gM!qf;I$$Qk;Wv2%&(Ifw`r^
zXu2~qeuRCtn%KkVXC%qdTd=YE4JDIU*58vQ;@G(mD%EcQ;6rsl`|Ym4Z(
zf&X&tw?hDkJN_@i2ldJ!1VFz{;9rUVaRMvARQ*`zm1h#KSvJt>*8;M*kYG9VWUNuD
zY6Twf9cYp%WM7{F0p~)gRFqlMs>Ym_l?AzJc(!|4AMs
zuH=8hKyV`fNX);T!$EI>o8}#Yg8C>Tp`~ccwp$NHnqVS6i!@tLv`CT4nguHoS8x!5
zcS^s|;dk80Q0B45A<*SRNeTa7g$sdy0ss^QG!v3&|LpMpf9?q)uRD5x6y|>w^}ju5
z-;Cd+QL78~?<9WqrOvsFjmy2#wdOf$-JJY}iNhXk6Zwd}KGuDe8cZDUiYDn^w}x8U
zApO1fB-$#}{_F**lz^40Ge1?4J8Kg+Q8%Y?$(G_bSA~=QC{L<3v@ZO&hCv7?nTXH3
z^buBSn3*B}hnckh=!X#Z72f}{yMjb<{#m8|&b6WVx9jgGQ1m~={1t}$mo@iy5&)3(
z(jWI9A0P!he-gdAgdXCjJ%l>4X|Jhv
zx{9sN%bN#dG1Ft!mh*3vV$CHLxOD`zpAvF>PL5bhZt)@oAfDa@R^6$hJBJi7+de!_
z3e;id*GeY(r5C1a8qXhufi{#lhKQ>!r!@kdj|A5vYcKcP9(+vu*GdC4ghu*K^~ohE
zA<$$%)_g77nAdsr!&|QAzc0Ut4gIQ5Jr(5n04QT~PebZXOA{M)#sjri9vG(7i1
z+Yrhi`jbtFHGq1tS@sD!Xbx!>zuf==1n__e2m)OGBFNV+v&ks2{P)#|;`ei_S9l)K
zYhp18?R{_Z@5qdjWqW_f*J8S5K$$y`)L$p-c@j|2sp@MmKIwh`=%#*6g8~~jt`29U8lm3RjD5Yio%4D^ae7ho<|Tn0!YMv6Dp|A
z69-UE;4>NkSa-sKsb5IAD4is^I5Up~>KNOmlUK{0%gs-H`VZ#zdwBx2?v=`tlx66O
z|GL3r{SJGD-zox#UfsaI#{9_mKLp_XvpoG?qi`>|K}-v@{N_6Duf)rLWYC=dmry8w
zSGBSBXL|XwIARNk33{-&w2c9>oQGy2U{K
zH&ees!GANzBk=b~{<~hPzdGZOxXXnJgf-PwtLNVBWjTL+x2No<2V)Cqq@~oP3~JY0
zUNk8qLxno1r5X5*zaey)d_nS8O8DCkVp}=zO#sNE&@TTi6DzAJ3DguUH3lw@SCU0q
zfqlgei;0{5ukH7>R`^Q-zgzI>w`MfkivAw^z~3dt1b}!U7D$33lTS@k5@V=~K^01y
zs(K^&M-s&H^nbPKuY!VzU$DrCi{2@W(-tIaZry?mmVbcTpCm%BCI1%oZx`TC9fp5%
z@wamR=EkG{j{x{l*uMe#=mzMgB{)F+Hh_
zED6I1W+bGNHke$U6lyV6-XG8V-=4TX9{Jy%Prp56*~amtG7KAZ*l-1nBGd!q!b$4G
zC7P6BGw`6(9|LHsh5mRLAOQ9-YHHUgfQ~=_;I(6k!GL67z;|HX`ypeze-Kw3kP6Aq
zj&X>yflB$z210xw!Tp6ueJ}x^$<8+WLQzNreD2Q9ty$UrB7Z}xzo>%vA3fH^0^IQf
z0C_shpgu1+|LM(!<+gO#5r<`r~_D~-)DuPQh
z@W((PAETma=*qZnueJGm-JQxCj)g4Y^1I^eYCbr8z38T;$*WGZZ}!x`cCRhi-D7q!
zWvh0s_I^*yAqs`T+3yJ+4qwfYC+XL|(l31FvdK1UlO(-b^}9Or-t=-Lf2#Iji;RMm
z!xF%kN&;Be|de8QijQjk@Zp
z@^3*fJzv+vUD^HEQ*a-6LIEE3KT!7T>mb+=jO0Ld;oqhvWPpj(>#LK+He0l)8$FXT
zQfltH?b|m;=8s1gEPv*|-!=XFcEpVGZ|^^DkB8oW-2ZXtc>n+)YxI9n-Xv&v3N@wF
z*mW?tTVH8+Q;X-(h$?nh&bkP&+^ylBm$IIcJrOmDH)3;S3~hUwv6u*JMKmiW9#qEU
zNqDb+>Gb3^yPOAa3PYMD$rtsbxnN0AuU*}@Y75`I>J%4>z@*Y1kLbL;!F6tiNB6hz8MGF8eLLdUYr+Iz+-tt^C
zrPqia6t1%GBOw$tp8tZoA#!W~Zr8FZ=-m4=WKr~`wvVt~-k1Vky+D1D1Ug!tTi|XT
zrYK6G;R{$K+C@54TDJjeFANX!hE(bcR^dU%)IFE_yrwu}LWOkR!b
zLg$^vKw~!NU2isokl(SPG{tde)G$Eq-5%NJy<75;&rOQj&Bz%qIYCP8e!UTVg&R?V
z?GaD9?@my|p3VY(rAobE)cVt23ZUsRVLy)e`R&}5M$ejBheNLgepq(9oq!Q2!+3aF
z<*^*F`iV(`>kGRWXbKh0?%a_-l(7|2)ZWB-DJ{
zvcRw_tv8w~;1DU$>%n?$d(NjI3LnA7qrPrcO>}s~yjYj&;iEue
z3poPC$u)dLQkdO0zY=l9E!{ne4Zfm^k};{Dp2i7Vl_*
zVT+39Yy2Mv`)r01-FC^_WlY7T_EZIIN7WlR(#Ww%VdKsYjz>cUtul2)lck~|SY)>s
z+P{-tL%w$}*q5(N(G>F;zMM2Wn=8qpk?0hhI2EG
zqynPyy+D`DMn^t>1AY7)W+M5!&j9xBZ;zo|uCakZE$J`MNCFc{iD=y5t2pN6-$}E{
zYALgg<92cLN`sk_0t+DeezAG54W6T1XsRsvP@vcnM0!7SNG8V20|g(L>7~
zeS~oC^WN{@8TskZRBKLT|9~j`M6OHHIjpB@7NcFcJa*^Qh*;
zPhFyJVDe{F9Q00k(N*~}U|s)&ZHKTYx<60#g<74yc^M{J&iQ!(nfeu0%b*9leo#*l
ztPLN}C#{IZe!V$#mBjB$i$%yiwn#zyWl;^^i*lX@%EQ5FY0KVT-&ePfk=9<9SEq}5
z(%7>mu7~zxQ`mQ~F5cO0HYRZ_dJJtenk%Gc{4R|FwiNqJS*p+|8eniIn=hj<_sGjc
ziT6#im+D0t;}TzfVrSW5%Qn>?^H^%4|J1WFc`N+p>8r+`Vrem1cB@{b>o
zl;oQ;gi#gm!HtRWMv1Mg@v=;E2bPzG?cK%#Do=-mTg-zeAiWrU*Q|>Y9fc-^d_s-L
z*6|t*StzyFb}uPmm2l1is7Wq(c$-_vnGxy5Y>a%25f;waxdg>#ll5i*It;{45i)A}
zNC^qka)}Sf)a@I*8r5r24+zml9Gt$rY;u@=u=^rf)wT$1{Olw;3lsx=4m^B%8G3KZ
zsjjb{_1IlJap$mY$nMX^6JRM|Y)I8rizG=9YxoHAmA>qz+sr1t*?!Vuxmcs}zKinO
zhDg0-j}?KInRmMFNe``BA^cUrN#^B$5#P6PCO4|K7mbsGZ=oVE+YQe&>17P$?${rH
z(R%iF)+aU_D=c+$8_BAyS1i}WyQ7(wy5#XEv(ZA*hlb8YOsNf?80o>wDK(?fzp>1k
zWjcZ$Mz7C$UpsBGGqVXUBQ(r`aKf0IL{1m=rovAi*cbNMDW(xha_62C%&{!|y1zN7
zj9y?S=6Z>j+N=a&Z;?WYbNnDX&j@|%-1uHNlZhe&MV~=6ckoQkmAs~6jUqe7=Y4Bq
zN$=`lnNvDusxNTq5!U+j2n%7ermv~SaTZ8da;ke2nYlw}`1iWohyM9M_
zg1tC8Sc3el=AE<)qt^FSTV+?g+Y4UKtn_)TmP3qQVBPMo982yL=ON8qKfk`OpC^(d
zYf4!eLMlCFaAD{UG9u;F%5;Y)uu@W+t!!jIjeJJW!6h4<%{?gbue-y_n;^Wb0i71{
zD;P$S;Ei`!pn*NNLckXY7ceqf$STzFs`vrdg}AHa{(Sn#5Y|m{UD%Ox2hFhNnIYqE
z*bMJGQqg;bjXk6i7{x0%m*M=0oYtm!XfVU$aPNim$+wO|p2QfW5W5TG%AOdfl9(Uv
z21pnsd_2>Ut))bs(SKEwqQQ%@Qud2E2OnDmVFp`SSTIYdhR?7jc}~!Tv=-_HZ|aNl
zjbNMELt+(>9gIxPHFX(NP_T_!B!8>0X=1t^HgVmlma%XXyIO;2-tN!&#{DCT!PAk(
zKpmb@ep7QiJ61e`C|1pfPP#nt{?MhXm^_&{(?3EQ6Q)fgAWY4%Vm6y-x-sIDl)HIR
z>5q==O33eOOpom|Ut8=7Cz@C6O26N%oaXh#B%z&nzvn&bh-7X*Y|FH3Kk5o4_C9Pq
zw*YP~iIy4d96@N#)2sCyOciN$fwOYe#8aP_!#nNT6Fbp*^yOctC)ZunDOXDpVM{7*qlDG$fJSryeL0kub7g
zLYcDsb6-XyQnN_`>f@BL0cyakYV2}d@Bn>THI-yNWz(YH+PtJ5g#VmaKAR>0<_DY@
zdb&vQG#+Z=z^;R*57<^QnJh!EY(HZlDJvv=V7nf^Sbh&PoM(-!PNZ0gqNNM;pM?I3
zlqpiCPQl8>3l^?kfzv(HBk5Pl_fSEBF4)B2&0&6MlHFkW&(5|a)!&oG;@oWPm(x_zS{BL7#9VaXXBclN+p
z=aw_#o1RUdd#YH|pWtuPG2D?VNst1u!T2i564E}|1m;)r!pi)TgjNX?%z8AVYOhOU
zJt8KmysUypp;yrxBHhyLE;Diq)h}%&nv=1C~mbO_4lX
zMCt@HGW2wpmkQl6<*F*$^N5n-z~9!~+TyKy4yknsA*7dI#V4D+FybGowJjjkDxW5S
zpI3Es8RTO9N%=&Bp}d#!sor_<`W{82!?s>;fhJZM2=v5TS^KaNcAoyfjc94<_A1ZNWbI8I@Sj9^>t;4P2s8tMWR78jco&6@wZaD^><2@MgcjKI6Nwfjs(bwuo;plEcXAhv
z9<@*1zN(a7IaN1TwWO`Y|Hu9VoC9ipaDIFpDh$#Ku^bM*7hxciG(PZZK_lp7jrkll
zP?}n$ODtA0pOxo>3FDAw
z*MNfX!zlip^J~|WpMM7h9ibY7b(DG$FQI~Y#I(6PpPv1v*&W`d>iXL24*V7tWHjs)
z9YNAS@li`Ozy}5_nay@f_txUY9hCSZ4-og34>CxrhaJ3P}
z!#m$@rZs4q(n|HSx8oM*G7K7bd>Ybr_s-;edbV$
zxjk}_M;Bcnz&s@mLTI!=rx(&JXsj}+5<`nKHT=729S`@}{u^~`$bZKxUhkaDh3^5;wQ^!K~P
zMHjJDw+}OsQ(MG*0c*MbdPa*m|lm7R7^FN}3x|uo6m*690)Oo1wK}Fl;R>`!ic{v&|sx~suS*4(0
zjjI-#S?tVZzrv>W6k!IlvONAtCSXz2{3053>0j|Fj#e&K7D_Cc|N3l2kn;It>b@|R
zwOY0L5f*uBH9hiG-FtTWcW745q#xO1{)?vmaU=cXH_D=byw51m(oaxZuGbTZ{IId-
z11pO3>;?XxoD9O&HdQ+g{j$iUa8YZ&RKH$%w>);XcD8rBb;X8N=JfgMEvvw6V>@s8
z$Mzx5iObT&8?uNnyGSxV+_bsZoOy;bl2f|g6F@{
zv=Wv~N_bCXyKNj)6FF*?q4q#}qJ>{=N^bz9L!F@vAQe$ape=Po&770kf6XLiaKz6)
zah-R+KrNIv15x
z1fW~4ppa&bI+I5SfhnvdjXT-(IQAIA`$g6_l48wmu*Zav5A)0Fc4>({w+PacF+-Le
zAEm70R4+d4lXO1EQOtyi8Bj;a=D~{J2oi`qt4`RqI&F;oZcVOFqOkZ;Rhv64Bt>N*
zvuIjG*lNWp58|JWq4a%ST7=lIbmAMU^|j|B;{tOCC#8#MO7YFPkmwY$gR9X#?|6S?%wsFf2o|Jw^L
zROk^hqZ;jZ})iIYW
zvwy8nblU=jGY>oMP)P|#7gc;-T)c*{xZwPZ0=RC7#2E2TUm2hjAL9Mh_dZ#1u+
zD&rOM+WT?q2FaI=dQ3q)7CZ1U02>G>MU_d-CT#*#1_c`XiC}!5+^*)Bvp=No+DKrZ
z_>p$$d&NAdp39ymI6(`FKO6f?j{Z^^v4l+A<|1B5j{Bc|17eNhSh0R&KsqpA(qh{<
z2Zn)PcYc5l%`u2(wuJ~O9J@e1If_(jI#mKmx=$SjU=iMf*jlr6u|a8FGfK{^<@!T^
zB!hPRU2KMQ-bWQ${w)O%FgTuOBpF7rreK35%Pu{Hy}P)le3yBHR*n8`WOY8Hxat=f
ztraEZ_;R;mz#jTeIZ=pSPV_qRIVCzSN+kR4fOaZ;Cqe8@Gks@&CrG7u8^PK7|AvRw5W8|v5Q
zn4wy|$K!QeAU4O7OhdJq%{_nRF!8xhMHQ&TMu*91fq$~aPw~;pfIh(oAi|;n<`r$D
zIT<<3`0eMVfACQ#p^$Zyk#ND{DDTZ>$!a#1+DAGPqG<~9nAIwBb0Kc2Jc
zy$uulR;0PZGjQP{fNQ84k7dVLh61E5XZ{-EU#$CFHnh%d^*V=GA6IJM&
zHY$Eq>-vs__g1)5oky1Z&H@|pH$~Wq
zQ+5?@eZ^y68HjS7>hJ7<=n2@^uY$47KrNg#P+Vr=(9EgOx5%eB>7@RvAu)s3(vu!?
zv;u654MH|+<0LXSo!L6ctCEzfxYoGkO;hS)_e>l7Igu>FVZFAh?4U3D?
zEvgUqJc%-&~EH42_9LZ&F8tzuHL|F3#Tnh>;uS
z@Rd6^TMoIkXz0Fea{OMnxl?<7;P*I*Fn^Pj04I}bW#p}@x9z6}udjHA)#A~ce5yL#
z=UrAPeo?1Z6bR3cZr=cE&H#3bGY>0$aI
z3c`sSZ;k1CMr}_-mAdrqJk)DuAEBQ$odJR^P7ZkilGp8Vo!0AtgI89wg6DwWPui-*
zM+4oB{PwAKp-09>i9~H7L#6r(4;>|o@_!Na6Q(xu(>mj3U+|qQdo*XX$Wp4ZCLZ<9
zRS>*FWKE>c8`8uzEJHjdBl{Xf@3EuAEexppynC0c8}^ZO)~e;R|4r)ccml
zm5Kew2~E@v*VXow*UMglrcGP(0_Xlwyq{R;JwxYpy<=!(chslBqtcfyC>Quf!^ulI
z2hEl)u4NHDs^S%O0eUP_?aSLozXv#8aAZ)H=nQ`-83(%L>MfqhV{d|ef$*8~>bfa2
z?mIKEZ1X+AR~2g_Tf09jQ5GSBLtJn9Tu6Dl-z(Mc@!
z?e1LzGaWJ`Y@AF?i6mP
zcSe~N6#|_Y9+e(1S-RDhwksw1GH3dT}%nzGC|k#g$(KGt&G_;v8q}nCCyiO
zq5e94XT@!2)&S4_HQ_I3muaw|`rkMAGx?VFD=KHz(>-P-8(KyrfEkx$Uc^@MW#*PL+PEcHzM`32W~;oa`dbb=CP3
zwe#Os6BFqI?U}PnRr>Ym;3^&aB*P74-giYdnH0$cHz8dV$2(4GMse|IzqvV&UFGQ`
zDbiY$-j0n@ADiBZIWTsXodK^;)Q!HQhWYvG)e{LGeDjK9=RkQ=w0dfi)XcJH6HEQN
zpW3USB0XO`hBKRv_1MPo;Czoq2x>M{_i=m+3lLbNR)@(Fp7n0qaPaBiA|@d(!=$gL
zVc0Sq|8xg|F$b^;sh78FX~i-i5b+~yvG7*G7kCGJ`~tZ()Rr);KgLBvL~SFQ2UX?R
ztw=6pw})w+#4k&n>!9<;Rvmc6}%&Z6A#Bl7P1QalEgRpNjV3
z{kg;i7m?MfKX?MI+HrzjnL(x!D>)HcM22bE%Aw6Thn<#L
z#XRXvoC?s0m`ujI3A|)IdUrT$X4&}>dB{i}Q>Ap7$15Om-=kO_K}F{tewxEAA%W5z
zWNM^KBV+v4x_mJE?S~rSiyLF^;;SXiqho=JgFL-ABfcpD*T#xg{5(x{FNLyR*=c1)
zE7g(r1WACI*Ok_B(o$}(qx>}r(%x#deXe;I*H+h)dCAc3o$GhD^x;)WIK%RtfL2b6Wjd1z(8sp;lJj7`>S*}UsOUTPbrI`%_0$^iMz;v$4QcSN?2z86)y_6o
z>+ZPwK0tKc(KuZZEnjXP6HqXe1|0RHHa3xzE8=r=-c;I$MURD1{yyKyc7kRKhs*}1
zF@oi#ZDFF?SxszcMcFq{r+?H-xwf`R`h-PEVZE9(dag+juYp!$JKnhuRhHNCx7
zMT}Xzp(k##-&mx71_IG$Iw-IDg~0RF-XRQU1Cs}i070*~Ft(%&L$KT90GqDMXvBf?
z+*}4{Q@kjQ9}|THZ3pm+pLWitKU
z!PS9}0ERn%3AgB*cacN>ZsDYL+HjF<{eYl@$!83iaYT
zJT&CjWR089j~)nTzTkjQyYV2IW=C9}U)Q9Jv5pjdAUmHZnkRqsXT96KcQ>|9l6m`x
z7I+67{CQA89i=}+K%Wy1E&
zzJM$Ly`Mqfg^Q^xFilXgreYCQ{0q+FEI|tU7yW&9F$sqortk0uL$-*LRYk&E#WFv?_Y?W6P*`IStrshkFNX`hAV25hTURELq(P
zN|0kYxdCgp-gvp?<;A=-)wA(Kcj)Nb{_hT+WH})?b{b>#RBWUVZ`J5#$X|`^r_-7*aPxnqLp8|
ze>ds*tdnk%hlatvFq!xX|C_#wk7U-fktGC)k}onhRy0N4_htxksF9P5nH7&A*&V_@%-_iZy8RbNi
zbM8u^WRIER=Kdt@?Tq$m5d9-Bd!JjM)VZK1>~mjdTP<&}oN&6N*EV6aQU)4dMy7?2
zwFx8@r1y^dxtpjJ?ejGNxU2cbxc6v%*}sjM0A&;Z`vyU2OM|jRpq0j2izszWQOS
z6F*9*D5JolCt0^q5$}yh4*wHg^@T#`XF+nL8gy@9f_z%Cz5AdZqh4N2pI}LerWi9v
zDEj9R6)YbV9#ke8OI4qU=@DdWdFvO{$3cZy8+kZydK#FbS+=&h1VKI2#@6n&jd%>U2Gb!!*K>OJXg+
zSTEoyL(649b;)v~oLKLU3~`TBI)5|4KB?D`776$@Cf1g8dp)K@`2o?w^gFWq)^K2}A
zUa0;jGh{depU-1L{<=<|*Y?c&g}a5jTC_RPDb9vToV_!B6>KEK?AI9s?@UdbB4o0krP=!}0!~@IjX`8>v)eC)zv&SXR
z6l0Fh^oyJfQT_Sj*e{q4b3|e3*qg;mx?9|-qx?Sh
zG5C;=2Iq=`X_B(O+lxZIcMBi^zo~bRqDTIG5AQC1iSiVF|8sxeD}12S4#5j<697QVJl`O@Sv
z#FOISh*=erlbhlWX_}#%z=@eChVg#FmdZgKVB+oILuBwDabcn)NB#6kF-X~HFQc%|
zk|Uw8*-}FL$KjQpfMhx8xcm6s^3F%^XJ)r4v&z0
zO+>@TzP!5+Ql;kG;~whHSr5~GJ5oLvUDg2!lpzwW{NsLr$A?-24DFp%`2d8c+S+Xq
z7XDk%$_xmE4+1@i+)O{3_o9P9{dXXdB@k$bPb+;~|4Aeu-!(D@wCf0bfp^fO9!nR6
z0KI~McM}RP^?p*TCj`>r>#>A;Xw|}Je
zInJ~7VxD8T#}7h#I~|9eLjj~?!XBTClP_N#>K%k8s!fAKXfTG!1WE1`H{)Kbls>#~
z9r6jz^ULEuU-<-twJrQ|$2o;h6yswsuHZ&H
zDu+N>Sl0a6Ow_D^5a5FG=$>6xv1mTi%-YyxVPOyGYF8?edCso}39?){@s!z#AIXRXT&e#5;0FUQ+*U7?;b(G>pFfQlyk$_iuG~lx_Gw8
zI{QuaH#l437K6FvHIm?V0jK_r%BW0%Wue^BfE`-mG)@zz+s$GXtD?L
zM&i`ut|bspK?OHVTJ@KA11`wC-)Ne&sBya
z=^{26O>8&iZ|qx(&s-|a4842{&nW6qhbeJ}QcOLRi(RcOk-(_+Eym7f^t#}Veo|JB@VTTSQ$*04^YEPc
z^Tr&t8YYW+PI%iSB7c!Mks#NE<5}N0J~u41$_obV!uMC^PSopvL?MukS)$=x9|i(xA625-gPX1
z+$Q}vsp_aHq>AKRdQRT){TxLbh-*b;e5Iz*pyJ@w+b#!Uy5!y#;z0?Js3M}$_D60S>Pp=Hq(xjS>q+qCIx9pI%~F7Xw7lyCRahlqN~%1
zcbBbqvK9#vx$0)ktWfw&eN9Td=cd#ERViND7QA1P-#qw%RQZhIF25r7eP3os$(Dus1G=dK{jl+isE`yC&p4P=s=#-*UHfo(XB$-o9=^*<+uH
zfz)E}jzQszK{6YFM$$A5%Y6~n2`5kId!UHOOczhz_pz64!)yI>bt+&0&|Zh1e$f)h
zNd^IjJ%wSxoqto6#QVePg0fGV_tDlpbV6Wnx8TZMs
z9}aw|7iL9X27L#mRgwi!88tNM!(gzvy(UviB5#rlPJt!bgg46flxv}GpK?heXzFyz
zw5uEW7MZBG#Cw-?Os`dz4#}}~(4^&*Uh#Ip#jY3*g|f+P@ItIql85pY+ir-ec+#+&
z1oxm-o-NztmlO**&h0_yE1uW(PmxoMl+R9Z3gHDH&hX`RJzcU1GY;9s5~5ey`+Z>#
zp!U(%(`a|i4M+N8C2SmnxEuxX^S3>vH3_j+1Qa5>a$3D~sAB`OCm1)o7bewfq-USj
z^!C^mX&3O*LYq-;B#<0S*Tg0#PeXRe?T{Arsq>RKj0j5iCe`B`-3hMv^RtYn+0_{Y
zHcx88CM!7>$}^TE7l*V8*6FXU3NQEiLhqYW^B~Q&_=ZOr%Ufy)W{(D3jFCrE<&Y*r
zIH-Drx(2QYJ4mK_uaF3eBMzEfbWNJ2T=LqbN>o}gh7~8c
zBd5wTf5vjwEs&T+fg2#pVqN|xMoFW#n>~0tW%y)TEAsQpi|DF5x#1L
zQI-u_H;MC1RNT|)A3zEfP#WdnT?PqH;N6S)gakseqQi9>;6q6m;v)xRoZ?3W{JedF
z*jRDG?*S?K|(ug1X&N%Ziuf
zzq1B=yd{+af8qX&$+W7s!N+W3s~4nUfYCBEi~He-+QN?hWry`CKa>Af71Z*l#41_b
zkeRBW5FI(GCi!W+11YMrLZ%5EEF9OoE?>WUIkyQ#d{~99@ETqV(iX`C*5n)wK+B6H
zh*{+IG_he``^2{wj0Px`TKyMa9kbsFE;A9r+OE~VUxRLI^PfEoh&IGK3=*osyYBSn
zg$Rv!K!Cx<>ADYMis{XLx7wg8uFyem`7Ht013`I}{c{%%>jv6vh+g^#aw{{^z7To%
zL45$cscWlMD(Q8ZbMR>3&Z>I~TC*YAVW3wP8LBAd{2i`n`~8m`NX`K13H-EaD+dhtx?Uv{V;_0L~b_VIrMFx>$s&b1g9L%yR_u9|j0Y9ok=@u@k
z)2&7mB=iVDYtr=m^6^E{DpN*$>b(gs8Xh?;^Tm~F0~F0I!PF|lX9@02QRWm1G^QA|
z!|XPQGDVnP1L(REH*o}=ML?6(g5`d
zIMN{3Pag>L2#Tnj{l+F>o4WHSpgqKqFa4G$;P1tMU2^zA9g6sH-G(rNa8!oa;H!;&
zNtA{&!vBmFlBVlr3bH~MCjhaq8#x7`cGVI9XC^^B;%jcmEC@f|%~gg)r}KM?L+n?%#!Bp)e~LovZ@(sROX^LYPa2Hnfax8e;y^gop~VY7=s?QcA=Lmw
z??9luhL}Q*QX$^dFbaMYbQuf;5f8v}Z2H1hgx&{1RVicPh_TIeAW%Dy$acb-Dt0y`
zuKE(K1~O=gn(Ep(%YLnfsgR&=$WbmN5^{iUQG}godBy|!YM&1J-2)&AXccJ{31%KN
z>Y*Bon@12f-v-L|O9UEk%#iBoc9g#Iz3=v~oVV{wcv0Yiuzh&Hjym?7#37`OTfjV)
z2bPh|TV0caJ{4e~G5(Q|^pI(Ss#X5lz2Icbf(7!-TdMtBxM_)2e8(iiCSXx<;sUR~
z75nQfvrA6t@f`jWNtfl={T8a3JGGK?_ojYT+8F?+#;c7IQ`HR;U|)W5pLL^$R1Ri)
zVCndpp4C(Rv=aeIjl3|?c~*-U*K(>=3sr4eH%`733kc`^km+>Auq5Lhb>fupq&Cgd
zu-0Wl^npjG!JU->_lAoK5T~f?q*nVbSnFNfo9EQg?b{P`p4j=wSu+{^rieCY0--&2
zk15m3&%?WKk|*Pt^J$;rvM%LnW`+Mj9#b#>ru&JPe->!TdZsyje~ARRT)tS}rK^z>
zip&|SaFr!znBfEUQ#`=D{Fy(95cZH*lxsud5}!@A*&Q=M9V)J1NIm8#l1lAU~MmEuXyX^Xb1@9bPSLGC9za
z5_r3aOF069h(bBEJ)$hTC|)@%m;TS_NYDo4$bLl~^k~7l$-!69pG(MI_#3by2O6>x
zOLrKvDyJ#7BV48b$@nnrD@Z-{0^9Mg@baIHru8H4!>=lbHtu_?0$yt(BAgPIec~~o
zF7ul?jT-shj^x~X-`*|qNl@l#C;$0E33LYpc~1KX?~9OKWk=tS{~6zY{s-{i)cfzS
zobWz1*;QP$$DmB>X1?CJ63ZPh)N@)=*ou;jD>gc9K<3?MKFzrj*6;Z7NAShNzpc?t
zg^og!i{%`|JV8PlNIHS_w}-L>6Y{4{R+ykJR(w>dRW^Ktd;`uL^L=bGm#}F5UYX4G
zeEBn_qFbPf=QO?WZ&?L8KrS8QLnz>?BQ;=FI4zpY(#2Hl12Ss>&6H!qwv)x(p_5c`1xMmCc7H
zr#rOF_ud0)!5?OV8~2w?h7l|7QJ!}B?M61Z%KAj
zYj#ulCpcVk%)<)FJp8?PQSNhjc5T07lp2T5p!V#-+^1OFCy%KLdWE)kn^eY{RN9p(
zo0nvpsftXhio|PeoL$1)OrS|lA_+<^t%Nm!*j;=W_n+0LpOmJbY(v8BL;Yc=cdd&j
zzvfKBTxv?{&T+o(FUh9BqKQGklElCN)?GeK
z%nc`|`q>F|Jy&Y`4(&0dOZofYaBW-O9kH!#W5yqT#
zd!;j;rnYIXr%f|mpQvhL_yLqA3a4y4{Ktx8t7+XM4Y%sL{X-|tRFP*i*%Jj4A#CZ+
z_|rIIk~-0-T&NJLhkjVL74mI49M*6KgFF%T@25{Lf^-aJW2Q;tRk@sEpq-5cL
zTY(?_r1^~}821#S4(8nNSu7+#9UT@;OlD%yI-K}C8TCtM<;f>-Z~2iY>Ke8Zgc-L=
zP8>w#fZgV6>>wWXJbEX8b_?!d8ejhG`iLT0RHO{u?DHEFj#rBFn@FHOGJa)R{isgo
zXH*5bFe{J?Q!%XT<1p>isBsd62!ugfT;O_nb=yFX
z%2kX$u^cPgv49xOwci2|J<`fA>Gvru_56>zTk
zr_?Vy#cmN%J7@paGyi%@;)y0Q0AT3+k0jBgV>9rHsd40Q(FL7&7R6U>2312+L6mfG
zM7-eB{Ily&MuEyoUl*LMsQ{eCW~c#^RBoFv#WYB8;KcNY<`lLWh?Ie5c`<)
z*1I-trEK#n_h#M3X5Go4r8!VKJVgqzR_+`p8uW0x1QLbv`E@9c;F
zEs1>ydSqkw)}rCZZf8dUN3QJKQ*^X9J)%%-ryLI-=3fy(M@TV`f!c27Zxb3?LonxT~HMvQJ*otf5di;@~N_71Ze4F{^n{PE4-y`kRAqv-8}Oa?}?
z@$Ei8GjELz1KZ__|4CY*`07SzjMc%3bKSCshB(6K?eVxwD{E2xu*bZVryoXL7ad{T
z7K59;f||WTno%y=Z<@7_*O(Q;3l}F1kGGqyIkc?`Y8NM6u9>2RhBr{3`^s8J7Phjl
z7$(!Se0s`+M))%c%sEPxMpjWPgndhs?|sr1bQTBI9vo+QEAXT6GH05o+2XDqGhE8H
zN;ZJI+>TrQJ;YjrYM@Sj;a-04PJZt({;@|SDe9VvA1O-+W^R-@K((?XS+hHu+7T01
zd$wlCk&0k_C7+wpeHqX~;lMl9m+6YLgf&*2i0M-5Bw<6_@o#=O(Y9)?WR{)Ce|Muj
zXvQiSHIMw7Q9AqP4D>S&hf%TTvRnB=^M(B1xB6kWn_e+v-sJ;b
z?4@0B8Cs}MqsoW&`Lu9YO7n_`yBR*$AX=@`t}Hy19}Tw8jFe$|d-Y^M+$-S!+o%HIGPUdVG^tE~yHh
z`cMqvW6l$26L(#H3;qIv{IK?h#a_vZzBjoYoKrbyYY(XR4jE`TQFeyt=&ds`@B`rXNKRRjwLU&_r7ndF}>4}d3K;htW?CVJj
z4Fg43_X(t12Y@1MC4ovu5msm;ll^JQ?B|Zs!eaw%9fJDTK3QFZK&c2T)1Hlp6b+9mhN5e9peCs!O3L`j3T-d3?s%wM6VL&5@
zGTvd+CJdhyn7pc{IpS_DS*OXk5aLp$=Zs6#qh764Hsyjn?2_5TtZRPeUl9y=Kda(d
z9KJRez9D+Xf9wK#)8zNDU`;RCWur%U3Hz+xj$s6Q)}^+m)J21RSE`!If|SW`H1ER%
zZq$3jU<=$jEMeS8e^yR(230
zP|YKwRO6JySOa!`!bCmT0KI(6nec64}7U8QmL3A&wzYG6FfeY6m
znp1-AZ}{SmftdDk;J*s^v6WG9RK~*^3DtL|Px+&%ZAjpPb{gP@Ia}zcPQT@p^1gXD
z!R|E9KgYBrM&__6CcJ<^*3CSJ^3j0h(ErIn)I%b=8{zjLN!aBSyvH7N>!q*Wy(o)U
zPO|WX9NBIG+P}erQ+oTivS3+VLH(2qPkmFm_R_oZ<3e>emD1+onWgD{yFai5+_hrq
zN8pUm^ggMTOEgHuXue?sc0Y+zeG_|9FWbUiv@W>zq>n%9uuntn+Ee(Wu%1sq$gpwt
zNp5WmniMw{8=VjD&`HF(@npBoB`ea5h#!sYM32|>3%9)RqO&b^kg*0T2(4mq7fqu=
zLuMG!d>`O~U75jr>2o{gwVu?pVw%x6J#{37%}gAKB(v6al6yu+tP#8+z1E<_YX?|T
za_FHWW(^tlK%%szyMVt-oa>;Y};@9ANREzlA=Jh-&7BIbP_{C2Fu<%KqJfcC%frKv}H!ZRW0uMrru)x3U1YLqFW{
zTn7nJgE6$5O@}$rYAwp?Jlx?8jk;(*;-xVxZVeQpmaj`$2aV?!$cN>Qc1&AdtJ2A+
z4Jsp6Mk50$6Fnmo6=zo9)n#@gv+_$A6TI;0hMx>0B35gbjnxTaY
zveT{B$7S>!c0&>A>>Gt608N8Fxzw{CBe$>2TG9wu4EoZ{xlu+MEDieJrJf;H;LFut
zCE$bLg_fz{Sf{Kb>at?hS*J=Pu=UMvG@Q)zU3clv=Ca3h22*u;Kk%Ek4WyoB+<9bj
ze02JX=J@rB!0=I|*Y`}paYEEtj5-$h5;IZKsnsVZWZ)AerIO^!Fd&FlN-{6xH8w`*
zZy-bxBNj*z$7>Ps_c9$N=HDx6jSHkG!QI3Sl73fMZ!mI-F2&?0L(C8SFZ~&<|n!Si+=CIuPKxw)XB~hhFs4#G>PA~xn
z!Cb0KE7n2%WyZg8m89HMCll1%w?TYxm?>vLqR19)SL^MezC7OHz6d_b=j77bW3P#z
zZ`u-K^@?jBta)p*Mc|~L_eN%X72c1mkKAS4A(~eJKbRrA{RnDCF%JlBxHUfi0V=LV97R75K-DlrFF68N@kqCW=J1iT^
zeXj4VD5h|XqzLxApSomyQsn$4m?y=*Nm7w=$BXi~izn_h@+HFwhw8HVZg}2aI3<*q
z5~r6E%-=Oh^GIDxDnPm$8F!lc(v#*5C?62|Oy~C}r9IRAS%2R2XCG=@wyQSowCtrI
zBf>A&;gcjWIR^aem*<#{pL#@nJ~z5jPA0#;q+W*zb-B+6lLY+T=s&mkQ{(^YcBAKM
z9mH~nUx1HZ<|
z3!~p{$O|R2M#KxZ(&ct4^m${AAV%tX^l$O}HCb2#9O%6@xT$WG&%s2m(RgA=?Z|}|
zMLimPFCBi{Kppm@7tRukXwS^s3*Mq?Q7rib-0WQx^N!3CZ^?1$xy|ZQwvp=l2&?)V
zCr1CaglqnjXH`NOIf1ddsM|)qeU|pf1&O3Rqt#03Y|6^L!mjrAu*6bLkVE2qgx+Ji
zTvVJ|gh!~74{C!cb-pUxBD>0>-$B7f)51x;rx@B9fw_rOpA?87%=z5Pyd%)3bLM2N
zOxBTcc3^|htU^rnn^%O{HP1?D$u|GI@0f%@t)JF5$FS$vqqe8Kh;>nR{kQRjJ@cc>
zTGx9mfv2)e@9+O#FmoX*DDbk51^nV>U}a;W7jq9?jsjB8f7XzIDH!JzJQ(LXPt#Ls?(UQ9B&}A-KZy>axw%Ltmh^GIM!W{=~ZIrvBT*!k*XB
zFZ}V>g-mkU;p$-^AXJq}Iwy~2Qw0Cz8}yF@Av%)FPS<+_0k5h|;W>FSnl~!On(-WLv)IGl)Ne5YhZDHtrT-yDuy;-<^vorZ)MEGdw?>1?_aNnaAEc-Dz~>cl
zkbN%b>jdciF6h-I2=_O9mVo*NWKJ%!8e{qfw^O-oEKn!2(-Zq_(e3b{7K5SML)
zGDxF0X4ZJ{pnCI4^W1~UT`1|1Sl*lTo%gYX_p!KlmZZ0ys5dFtk^0>pzx9?U=cxpX
zny2z5Pc#ire{A~3z^L`WXy!nF_2!1=xntQiDQlx<>7emoZ}sMPO($!n#w$ywgKuS$
z$al3!cN|GA1aiv})b@RGJXaoAj8hQfb}u4x*c_PoSdwPK4X=zeTk+LdXsSHed~ay$
zR#+qcKtX@s+NbX;{ja;yfhb1Ee3Ti)81hjsXk`N8sk#O+);2>NoFsXF;p0k%z<6`9feafCo*
z=5Eo&EJwO+j9@`wP4Jl`;`zoOPK6e9Kjyt!gy8FTC0E}v$~gRFTy(lW9O1>wN;G;m
z{z09=9LG^TR^$h9tUPG$UeqOPv~&ufrk;6|%uvtf!tW@LiZyti!OIdHg6*#SdFb1E
zSd(1JCihvbr`G4ezV#9vnklvTff#p6m1|rrr}BZMCCMn8S5Br;tiyD%v=4|#V;L+W
zxU(jVN;!6Tff2@mlv#Mgs9k-=&G+>V1A1NbKf*DufWe2P;0Jxo-I&g2}hgSU!ruYu`0^xwI(e%(_m}d
zu-kw)TBgHTkQ5;w@c8$1gN_^8u9u_=L9_rt*urx_mS9mk$?>P}6G3GYNyY+EM{C>m
zRoUM_pO4v{mP#r+=`4L=%Aax6nXYZNQ
z;^uN)bJW-^%;IrPE{}{Jg6kt?ADWA=>=k7hI~aBM0xaU)JL>t2g>Rif;19U_^V(Ng
zv7`Ft)-*b%92yXhZD0s`zjft`+B~D1G4s^9=8pP3!z$%PyaBr)q>2H9Ai}p*`V>^~
zD0sxLXpJBR#gP?0E0HSVgOtn$l2iPdlw+l17NCbWyPu^KYH|^urHK&l{MJwmzOshz(iNO23&ZxbI#3nrQZ2
zaCcuEsakpuR<`d1PMK}|Mo+Umx^MsK6?vH+$MJf@-vXX5yJ&xXm0jH1Z}R19jj?Wn
zUr(P57&t=0SD`vWZlp^v?Lw3~m!NFZo&(qv9XqYI%WIL#n%J(IW6U>YIfYl?At%{yC@gpABLkxO
z?{)Wg-9jCZF!b^C;NU+sgrh>FrY*BUt@(L^^avmBu(bd>zBTq
z3n3+%G^X;fk&KSqt;P`g>ri+@2LP!T;Lb{>=Ld_9hO}l1fW_@Bt-??GB;sMvSVm)2
z5}Ia}SC|GY{)_I$$C~f|{Ad1`c_#Ls14Hh_ovF;z29qtF
zLSwYg*JUJwWK9w<2oU*{C@>j9{MsKgnG*EmNNZ=GbeWu#3Hj(FGZLibODJe(V&bO;
z-dJvaCUjCp`5ntr(H6x1jyZqg;-H_k!5CcI3S3*V!}N*q9126x_nuMF2X?=5!aiyC
zv{}&+L!lvzHsv&+eFGut6YXOJt<9!93Bb?wYcIerQ9wAF*3+N10XplHz)f!?^T%lb
zrC{z01pt~t)f$3SSr3;WMf%Jwfr7&=$V^7TGY9YSjwR%6to50H{cWe3`kwh?&I^%S
zI1#!ow6Ifu%9@sVrjs7Lsk1<55behKXCi&NF1(6$B#pDc(%UXI&o!$Kyo&F?71Xz=
zJq_hM@U|ZZ@wQiyKAZ;TePY30Lz21`$7oXw_$Sv7THj$63DvXHmxcEf7QSt@1CRLj
ze+v=Ya#oT4$r$wFmEHQ`=vS>Hse5*Yv1p#bGPeD7xY~!ecr76V&8H;zU9=J&4UaqT7{mWdlaymwxg>jOjOUG
zvf59~Dzkc3AGTIF940+YD-=3AGfle$luIK@4rASqD_pl9$;;5fW(yZLi|uDZOp$`D
zty-0zANd@R%9}FCWoBefgKB1Eh#NSP7owHGj)YYEVq@s4QQ514Gl?-URK+)p0?B*;
zVey2z;u1w;sFNT==g1>R`}I~>D6a&?*ed#hJ^cIAeos>UZZsr-ZtmNDimB92dSXhv
z;Me9fG~as$ZJ0OEwJxFb?jcyNe7LTBTyppu0*F3ys3fM+z|jsJbY^!Hc^-Y>4Z$jl
z<8cTeT9jg0B+vBFf5J=jqgA8_Xj+fkCw3{YXIi+SAMHtgy4=PkXd69{#sojiWIkSW<5Z{db{GzJP}$U!%~q*_2K&UM*6=gw=5v0#zR
z4&1$v&uc~Bx|HA}Qj}-;jh4n*T&dSBEZ#P?*y+Fxn=&h9%T4cKUNuU3{bg56(hFB9
zTWZ=Iwxp~lEb#mGvkVj|#3`USr}&GAl5`5_CVn)8e}
zt-lui3{~Q9)V7mQ0^*=pDhNfLlZ4NB2cJ>ywVuvE@i6O#uIPclz#_3_s*1Qk+rgqj
zZxVZ;nsAhB#Hz%W0>ppo!T^Vb<6kV_YmoN`QbnfuGn^^Lf4kWiu8K@M82#|1*6kGK
z!WbMW=!2x`MOg?H=%EON|7Q~;+oq@#6INTiiG%}NO!rz!jNwlFm!Z}N{?2}RiJrN6
zIqcY~L4K;(pYzE7sEnu#ZvEe)#LTOZleu}4!$Y&!Av@j9(s!x?X{CCJcymk0t{N8&
zn1W-&%s=L~N)MeV1awv_?+`bY9*-!WU1Kv{*KP66zI-?YAhadzfexMB_)>MVM=BJI
zXN#&29!?u&Ju9Y8dOmJSxh_ZcyU#!6A3iGy9#fLKVMI5-zEY98lAwLrwC;$f)M=(#
zMSx=?4J)s@DhZqZvkYF#{|FvD7V;Q4W
zU9R+d@|*Ad<7qj4`M@(eE9X3E+P`kr%~Nl+XuOj`vrYf6u4$qw+l&!yn8sPP_L04D
z9sss?Ht$xsrrB@5GXGv%RX+^8_K0rZ9`EfR@f3=l)x6ac#u0-g)fkvW?Dbsgn>?;`
zl2!8Nb7@mMcu)e+Bf90D5@H{Vt>MtMKm|4{HXsEyL)Ev)4KLqLzo#^)Zg=Zv=cNR^uJGXfoh_>Nyz$2mHrnW2h8blO3;kL99A;olVy?#
z-J+`|rcTQL%kY6?zZ`hPk9cv5lO#i(KCTgdYET5ScQlz|(-RYGhRz1Izb>-)K21gF
zP#9XPV=*<7nucV3BD1CZPVdr3d24%xZTj4jFinM5?pvaN$nj`BNgf52jv34=<03Y{
zM2rd!aa1ZD#K#eGxsOFzwYnMQ>&;gLontSs&I0ZujPPnhGL3weGRLksb`k3yeJ;Fe
z*p2c-=BhA=v_)*Fn8QL4SmsyJ{}B27Dp&@q7fpB#`#46u(h=AgR8l=5k@(dZRNU*`
zLEE;wOF_&3Y|JKf$}*XxPkMJ-@muloZ;USWB9_A^KeBnS{4XJLYjW-l`=wsc^6=Rw+_WfA#=$iFoB)5BcPwgCh7HvI@b~
zi+tSNIfm~*?ulB`zBOz7JHh;i3=r`dg-Zj<*k^KXNE
zyMmq|ik%VWr=s*H
z_+GIJ7WO|e8o8?s*gAoJrHT$Xh!x_UYIF^Vuo~5%`a_>r5BkH;vo-%G*P0+VXu;$a
z*y>r6*AJSoi=z1dQd9hshoRomR+YlkP16R(cc6jgS
z@-2{Ri&QE3aBuKo<8@R*pi(kx38P{yzeByO^lZ%oz4VIqj*t~C;Y3Y`jBoaPzQ#11
zRvgD(9nM^b8OG=FPge;u!iI4XVa)l2M@yve73-pW)O1BK
zTM0QCm2G>w5;`_dS3tMhaaCCdZvP`7(
zjiiFB^PV&(*+4!rt@uPCx8k62(GO222UhnkwF0iLGNlnm&&0}fBb#CR
z132yITgmk+?IuNshjE#@HMMfribo%EMBWGpn3xA29>!#n)YMA2x(&HmbPEF_&Y{M+~
zmz&_di*QKOb%tMVo#J=q5U@0(9X&LG6WBAlJc!U90rno2gz9qLf#7!0_e?Z0bqaQ8
zORH+P`7@hRNw{mf&0Ob3P}AoPIRtFXf=3Ul{t-UwKc*^EvuVCTR>$;D>@oP0Ynmy)
z6iBE8?EF8P!K}i&l|Vj!%sMwO_Qz~2{M8e4ACm$V&Ao4Bm#{t}&B?RNV+8aWvFjkd
zgV8o&q^FFXL*opul>H;*nIEYg_ToMRbRz6SJQ3&6`JM_hu5l$tpReO_k8~+O0^;_$
z*jUHl1i=qLYNGm#3!fp02V~U>!9AaoZ+^-bjaC#IU&X6Md^OxbQw>TZ)-AegjBJG5U
zn&_a$M<`EugWVsT!)5$s
z%?0hE;gy%i$NeAQrtm!B#;{uP$o>0M73qfk%fWL2KY`$W@bQBusGS$B9uUic=cuXr
zBkD6IYjxTIbC4=G8)cGUS0Gp_i{qA8t!@MRxu$S+h9}_}R+4K3C0}z%(q2gT@xomQ
z!ic-;DKJnNdXCcBQe53>>sz7`Fz8Zr0|a%<0wY#$@mGijF%p9X$E;<#@%NAj2$u&2LnArbMt0A+Q21xLYmdVJ73pLDH;i_N}cme^9L9wO1~HKgdCX)M!mQ$JEsKVVibP}2;}$Rk_Vj~y%<
z&{SU)R?ne#dk)Vn*d18nW@{^T{*7iG)hwk9
ziJHNV`nz5H3VU~U>XNHj;_J_vb?w^No{~*|?ZMy9f5f!qQE)U8E+`cST4gt<(-T$|
za_JnEoH4umF?x^VFslfthV(@|6Xbh$0Y&!HLf+%MlTg{4OR`XTG>*?iTti=cXOo4^
z&oByLNik>6{~Z3H*-N;sG0eaaq1yF2v1ip(x=B9bGpjaztf$07^Lm7bzmh#V86p+q
zZjGNB6WSh&5C!zaf`fb3OkHhSs!sj-Z2On7k_D|9Z8OCVlH+29L`OI1`n=utj4^^M_;?teFq`wj-`PQa)*+>$x+kS2o2Gw2M`e|JK+Qx(sl1$!i{YL;6QzrX+-
zF{-r~Bh@jY(MSnR)S7luNJBd|qDg9h%-F{8C^=cHdt|;f=bw73g`d(pekg^?F=$33
zkov~V0G1JSnmU$xPISG2T}yAyjWhCDyv`JtrKUuLJ=}Q22&wiqPSdHHW`#W-|NADe
zqL!64pT1{G%jiw1f!P6^%1IRFJD2?4r>5#WdTXbcR3-zOvS5!`twSSR`Vpho0|H$@
zFFpRvldcY?Aog(c(0XJeTcPS}!s=_@YVJf`qMnK?itli2!-ga05@wANngZ`Ka`he2
z*uH$iCwh4~;z_|FGB^^=ana6kAZXT_rFCP}qh!QVIY-N|W!^=lB9$meS<(s5aHT+Z
zlPhy}rM2g9e1O{!>D>-FWdBM?S}-
zG7P*$Bq;Wa_#6|9T@x$Ltvn!!nEILmOP3Z)EhZG(OluWH@CJ`v%`M@S?$S)y%K$>Z
z`OYo^HFdL0JZ}x;&i9fC0{KnICdtOlQI;71fwd#7Uh3wm05pf-m$3
zRX5n&dv0HO!mo5AxTo5fQKr+Ia3IZ(_(>m`a0J>E#*AXuq>6K^445D;v_{!6PTIn1
zy~TlZPWL+>QqtiMV?3K>v@M8#VId3SY(V2$jeVq^H~Z8?-qftvIO!wZpcARC@!(bZ
zGu?Os#x6NP
z{A!cMvRqpdrP{Csc}h5uX8Dsgb;XuSQo#&_s*`DW_VPXHSd-~UneG#*@L==Zs;(dh
z2PYG_D_QEGdYPLSZo`oNL6v(4XfviXpOIg~7c9>(`G%TsK3e)ZKlaJOr2PzjPm+w`
zo=%c1aJM^9_-7+D953LmL_yGLE(T6y!vNAssMg^vz3bvwRHflpedDkC7Xm6vOV6_c
zk8d(buBYeMKCifH{#bH-*6TO`dG(O09t#x%f1Mcoevp?NT1~TlHCVNkKUE5rtLw~I
z#RABZ2h$Mjaco0a7|#;LJQG(zu8%8Y
zRyz}cn>9_1-uCw4m0yd}2}R$1xVQ=1Ek9Eyns1iecDUhl;SU@xlSI`koe?hBy<+!x
z)v0iFYX+HR*~fA*Y4HYsxjgz>V>Y?5v~+Ps?RcNT%_Xt9DXfouLKBXVak53a^aA*)
z9`V4HJu|8C*yy`k_tWN(x=Gu2&+=Csr0;N?Yn$i|lW5G`Gqgy}lkifuV9ng4v`CAB
zmG%r(&E9v}Af+DhnSG3!PqL_p{HV^>{9)u6xmKY2aE!H?34up=L+F0q(vt>r9C(llHpXG>-hT~V#?dEhg
z1=hlAtgU3|Qg6Xi9z}Bww^1RXMK9`7y}=S|A2B1s8`emSO15<_kT5QL-b^+la1FF1
zP!ORx7E<6#sQ=A%tLXOP{~h0{d+BgQRjdHx7E_VB
zRyg_CTnB+ArJ!P`Wvu2^QF~_E`yKltD^jOOMt!Wg!Ge(zSu}pKAvtd;>EZ{fG5Jy@!xA69IQ4ex
zoUu+SOMKQ0#m0*Lf4qGKR2|C_ZAb_Nch>;H?ch#uhv4pZ@Zc^9?yfQ7yZ62S_bUUh2r^vv}1%<8VLs-B}qBqu2t6etQnqIe}J4izb?@LIJX9#V**NJ=-9u7^x0$!*}S4%hiGfqaP>eiM<|ZJumEeo}+P
z^@PZ^a1`sh;zW;OLT~K!3D&0k*cqnTg!o%`wC?PJl}_Xul*m|jKC4~^D;>|>s3$l0*!uzt{FrU$>ePbYHm=5O$0Qbp4p&K68-*x~h=r+~Ze#Mx4F@v__QnI|u3gCh0r
zb}yF>wg+i;`}%5=s+F4S?q*&_8%v2C+ecMM{f6e)aYM=zhsn!t@CCL23Ss=#o>x=z
z!?#Q}+h6-w9T=~B`yQsX$E(lR5~Wf;92?O6Ex
zPO#mL&ac0$`iWw{1g-m#eD`UeMAAD~hojdkksc=1&sc}$Bliui6Z%?@Il6M=wE*rj=jd1Be(GZzL(LI_X=`?_uGYkn`o+gg`_{byH7aY>M=mp+gO`s
z1gf92%TU@{iy>FW_7XOpy~kt>nCcEa(3r$^m9xL&8fdJ|oa#QXzw@DmanB^|whZ?s
zp6zhJW~GjOIFs$4fvD_zkmn~3A+7a*`hFzm6yie;krn%}Z`-($P=5p-8xhK%aAhqh
zy%>PoiG($PH0e!T$}M8>^d2ktVF?zv07y1HQ|mVK7-sBOH-lu&@L*T);G&
zUYKp$=n}AN@mCBrb!XlohTn4F-=uS0E;}77A8w4V40*xNqw-7qcwu$Dt^EcJ|*nt;(d{U
z=zW5yecs4@eAyw
z-)|1&iJv==xN#zTa6s{<_*jXw#7FK+BYTiRHAVZ}#ol9Htc5IMAByCf7TE&>D(!X4
z^ux(Px1LWS$Q`1Eh;(V&~>R)w^Jnxh~V#
zmY?8nsUluP`Pr<$G{Wy{tY>c~7rT#g8|stx6`MDmauM`=b2o_Q3}Ufgx&$cHC}j0q
z#NMH=m6iv()hN%z9RU^3OcbHYKLs`UYo&c}G2)_uP4CK($x|O?u82C4D(X7PnKPe{
zW0iE@hrile;y%5~Ah@~#Jb4Cq;SB)aJ32t1kGVlOK)PzBPrex{ji=zFX3h>=m)y*#
zp^z|VU>CHAmg#?E79=z3?1#uK9U_MSC1f8wu1H|33ODp7pSaf4zFmImXzBT`(2%AX
zIsQ;mz=#@*tjzYC3)XQQlf?{#(7n={N}y#bq1FPg@7P^V@5&sIoCitQ?acO~fBB+c
z9=4BCyJXahwr1*Uk|`!%W|G1M&oj;HSj`%H-I>pcv3u6G0pR&g10RE$(6vOE7UPb`
zwgQ!=%9h}E*=6I^6_xYpuz_%FHyOar!tH!!bUJGoM{AfXrAGfZ)xfU8vKsL=GB|eO&&~Py_$UuZw}}>;UjCB6dIpu4Bt_Cz|XwF&)Q{Cz6@ILY79D~uKn7u
zL^Qq@A)>^vVF+5f%CPZ%N+m9@ZxHupb*9_i@Kb#^lXa}g(&tK9uKuIXtDcj}R(HHN
zTi+AK#%y*+s^j`J1SrPebT_!g4`2@%pDdNRxy6MK93EgXwlTVO@asl8`YPsFyUJ5(
zr>(9ztl7jUU&C-~YOS1qI`6wu5lASvhJ9r_z3b+?s@OzBvqZJK4uW<6az5TtzI#D`
zgz-5jv=~(5)~?a0_oX)Od)5bB(;3nb1`QuVg)rUzLk45##IpJfKaJLcRl~7E1~ccx
zih8b|&%we#BFEqypdUJeT6tSO(06>FL#>Bq39h{P!=ds}+|g8eLp>?SM`Dh2#@dfm
zwdtHLAIawU>5e<5H@qG9Y3BsAj|DtozrKcT(SdEgI)5T?@RFy6zD58x9ErugYl9cRYGUo1+1&p5
zaDgt!Adrh^-BClJeVeVpEfi;Gy$25W)wm#7t~>5()#|(u#d_=_LZfAkQ*!35in{u5|TTm{<=Nov$GT*U#?mHj^KRyR<9yAl_}
zZ+)_8z~fmxp{5_kWTTJYVeO(}Ws$AP0sNkz9$Q_+bd5)BObE^QW>nq
zI5N1ARi;+hn)&_EnPyn`{$h>W-kBZdl_O`gB4+Bf$~pemYXAY)#FU2Kel5eiy#ART
z#SUoi!`KidrybNV7ef}O5LA3(Lwv>)B4<%mYDaR33n#W*6Wng>)69wRxbYa8i6G22
zBKU&|zuk#6nE!&&sOD
zHw;pnU@>w%6WM^72LOxGLWl{{*%H
z>P~+jYb}}0Y)Gd~u(=4HWDgAYp|l>@uY~&=(19_o{Ms=G>2xKROffwI+HrOK+L3hv
zI9(~}p_43;SNtEkh0^<0RtM)-Dh5$R(Vy`bnh(50QDsAjKUTVh>(ao&a}ltFI_Wtc
z{J_N^WQxDbuG8N3AQYb0>0lVw1ygn13Jd=QJ`D=;#ASEX$ONIv8
zCe{k0yZiSY80-KHhu;X0-Uy-H2(sJ=!`}$30(D(&ZB};aFp8c6z2amX!ephx`NYoaxNpvFtA>F3tWV9`3p-2??L
z1?`WNxY<#Qb#~|KuMU;i$$uf*P;s^^0CFfbetP}oW%gLYwGEtmkHq}pa8>;=4c#Bq
z9v=pu#?@>q=S_93%eeUeKvlLNK_2b!n>9sgg{t^8@tK8j=gkKk>CZG9Bs49f}&(fFf2bsoc2F>u@#VN=Pj}cfsJwyZ0GI2
z0fDxMJ(_#Cr^1RPT^K4kRNKv{#%d>maLjL24>u;ii&vauy7$graoZmZ^V_(-#diq(
z7jvDEm_eYC+E15_r{jg&`^bzqmY`jrTM*zJR{wy#Lzjzm0Y(zsHoRjd6L1EUf9+u^
z4}jCw=P+8pahChg<$zuluJL_M2h{O4mYcy$(6$j#cOX*>RBxoy#JiTGo#RuLKpPaD
zK2y?%8(R`d%)jvwEf7Iv(IIBhWy~mfu8!ob()JR6x)_i1wY1qvc_j{%XxqSqcf*9g
zb}<3uTSWhTDtJ(H6G3&p)yOexS_GGVZ1lHEwH2t9pF}~;{>=+*JtB}g*&oiqphqG}
zL~Gn8(tnykz0SLiyqP}X`z;tTOwLK>i#Wt>?sVLLE!&A458Z5?(#A&vD~
z=L@JS9-6&=ucGfEtHs>ZW{6`m8DFzQrBR7QVAX5*;q7G34r}z#+M13ZD`V@2#Kpee
zeIp|$M#lOY=DF86^-zyG_n!y2M4ca@RYQ<_3!3%*jT`>Ahf&T?AoLLbs_ij-ht5&;
z_pv&bY(w&|IR!s4jTo)bO-dsNIhQ((a{1mA(JMmqjR?XWjqk{;GcdMgd~T9THcfqH
z+gp~+G=Lu3KyPuc@tR!B0rzYt
z!HW!y9RC|a8J}0st`qp#?h{(8DaG!7YPwA?tR_4JmWu^;2qNc-Nu0@d5<=jKwFMI}
zUv3TesgLw&8|%6GjBX2=D%3xd#mwK4EcA5>QQQN#oXx}LZxqp9<_F(yWz^Mfe4(w)
z5B{-*47cLQw6nS-w24la{xapNnF>sJL~Pbhjx}Xeip>7+RVile#5q%jrE|+iD0cr*
zrH$)OYiDp)qK=2$h@y2_L5rlQ8X=fH?kqeOW^EW!oy4KK{rtnecE!7iXEWnjtzeC0
z<})?epqV!pBM705r{Uv^H5<0pcGa17RcUa$t4abQu+cbhtpLRz%)K#Zuo4>)5{C7<
zudcLs*8S|LQdX5X5+yeKE2}X1S#5{50e&s#&uR+1QLbmrhW3x{ImLs^2KnSKPH^)kHN{)@Za5*I
zMB^bt&O~bbBxK#-60ij{h(sFw+qQw56SNI{-8B-#3-u^o}6vp`Jw0F2&k(|
z=+o?7qcyU{D60vcoM|`zp~vC~z^F?I*6eMkUDLy`EeWofXxG@$qjdn$qe*$bWCy6G
z-pgsfWB*CvpLG1x3#p-}GzXMw=|$JlyZ*PBUhgnNUOEvFcF!~`eXBsz2TaitpJ%P@xLCU!Cwe9#d5QQc;o)mr&Etw~EqsG-$V?cnT;HbBEU
zP4PHx&@ix?2BE}M7&A4ZQ{|-&)$#gZehJ^X{70T?1xY7
zdxzTwCuL2ly}P1YmQWF0omH!rQ_M!_X|sg8`5W||2&eTsUXHuqaA`99ly`T>8};p(
zBL|+#L!WMVo$WXjc{suYtq=1s2S)c7@OfM9-exXoAtX|U`|-RCH?_*3nM(gTnCxE!
z(d(BZ>V>Gh6b?i^sC$7i?ki)C((boLG&DH1pF_@2&UlPk1=j%E;LCKp$m_kxeJk&?
zxZ!}*VvKP(u$&DB82E*uQ6AqJ4zm7nZO;c^zm*Hr2Ruy4n|5DMp+#
zo{SI3Tnlkv9Fr;U6TR%X?u(u;PiD7YTUA9_vq)jLpS#V*h_6t$ci3zX*ka5T4q0v*
z$=6oBx!nrPH!ixd)jSHY-k#GKcbxrZ4>MknMccCz>U*<3y0M`0)cJUjHL&TY6
zh12*q7RNH`%2u-tC*Q_K3o)wDI}`L%LrkznXmUJz0}?0zw)#pP*Qg^jwN{dDy@3fm
z07t#piLH_feVmT+5O?lMb@RIks1io~_zug^Sv*(zQ^B2870;cUYLVrw4(70JT0ne;$@=_nhWYT^UQOnud|nxoI+sv?lk~
zQ~7DzN{pQsld_H?Rd}tAk`n;i^&p=}SK%F~dG-3e*oJn5+iBLN_$C5acFf!S^>0G@
z;L(lVV)M;edpg68^qZUs$9R&LXnWn70!;iUq|5gc_QMchpz;uO(V~615w^!Oi#G=!
zRw|Rn;ditBg%{G1oPgl?*zf*E6`&C}?2dgT32dGk=XdMh{AFry{maz;>V9g!7O4m}#^l31#jOxM*YxQ0nZxLs2xm1>n9
zc{|87+>X|7dvG%A_QfCKkh5wV`-{YfeVdy5$-KOxr~Mp1igkd^0jku>Q@A$1qi-x+
z;vbwO`F7kz*4@{j9n)nC;n8Jf8}!epH=V5$w4Z;*`@&gSTkGT!jY3
z6+;uW->8C8j>@dX+;Z6jlb2AVV{sEdSD(9Z&57e%?9}EJ%^>E-K6Ms2ux?D7mi;!~
z)MXfaF{3`y|D@`OWt!9Nhvtt?6X}-n}f8OdOfi%zlKZ-wncs
z+LXK#*Dyd1j{K2pe7!4r{79DNOopCw%(Sa&N!GClj1ZZ(lS#w61?}rRU7cxBh8ou^QVUhZsY+eI+-#Q^d`52H4lWYp9>AD=i1dLGY9jj#*$1eIf!5=!IpLi$^a-*u9s6ZixRLgZzc%Z}JcD3FuVXOjpSxSodq3JC$9UT8o7nEsun62VTO*d-^t8e9RG|OMm=xpb{#2EIlvhje5uj#Cmx>W^6R!W>(p;{uBfV{(C3?7pqq|_wezfg0)0n;(Grb(r3;iP0Eg95{R
zwhn{IcudBSeUraa)5i?NKevOvjo~{*C;b
zb3U1f`aj2F5UQ}bWj|${G+N{`uYST=YK;`X&}OK?2e0uqICnJPoO^*y;pp{R-uUA4
z#LUvve9&tVJ;~&X&^ISgb~d=f{qL!niqYBF+mSi%nZ+1;7_kSq3pwyxTAjd|+gjBu
zWSh1c)(F0D1^Sm8x5G@?W~83h13!Jou&;oKE&7C=!HinSd?;>4)Ndvw1XGxpmsz1R
z?RUfxv|jPWyzaqc>XObn2Qgs3i?{DKKKE?Exsc#e{|ST*j`I(*d(Zpwv*Laef+b?u
z*0*jUNax_h7x=;@c%d=?h%{Ylo=&!qPH?w(fjT@x2{KG;C>GG)#4IRt7R@9(Vcnix
zzGn%Z7I84OrN=m;Cx9tN3@*l$D283kh_BRG15)jCE9s$qQ`vW?$)^x`2MxGEU`^$QjwPvlZ{MRuzsOu4
zHs18*wx8Ak>RM!AuS%ZD@@V+IcZ;Fnil9f1$^T|b`=WN5v9H7%A9LU9iL
ztB0hwjk>o3*Dd%$WBunOpq;@-pIvFewV;hsaN)i!3)(rHyRS3L|L?Q$_xh7=f?S3?
zK_s}X6so4u5S<0=XuUCOb}A8IRQ>mEOu9lNoM{+_&K*RAM3`#nhfwoOq;apK?9(+U
zTZ(Rj$_t*`*NCeOoaV8TQ0g>u@an{kFzRG3J~!kNtxjKj@nThV#n?y(d?LAZm7KW^
zBIt+T@*`3fmUl@`8IW2q$d6{7aP?Kfr#6>4Y0aUW3`KMdzmQr{Opi!b=
znPi44=@4}^Fs{?&7Z{twi81w%BxQ#hnPjR?0pnQyUeyq)&nD
z#@=NJbx7o|>qTB<`np=)fp*BhTE~@b&6|7Vl)S93n#@BNuGlcH4jsxE-Qg^!5#
zF*ZqAH%T!Drfin?OR5>0es?8Nu3z_xJxvt6Dmbs=rYIj^nleV-J)++|g55pJs_r?v
zg-lbX-BP*@){;v`PZEQv80IfCNmo+Ki$ymrbfGbTmKqgDslZNMI{Y<^K!W`#RyawV
zSSlk@%_K_+dsFqEFwKt484@jIlA{V`@)b@JB(A_t>b6reVJKwkqL-RuaiiHAmX^UZ
z8WgVyr}CU<$v>P&oz4EFMNb_|+sdG7^dh&0cKsOol;9elHu^M4&{c{NwTDWvD7rq+
zF3zxgQZk!!x@v_xJHB4BOjEk7FKdz|dy+PL(rDP6F&0e2D9)h)Lrsrg_*TtE5AmG|%@VWZAwD$->X1)4|kDzAl@5RlgJrj@%>RX2r!Uq#_$%Tf+%=)vK$%c}`N0Op}
zeVxEQCABi&G4ph0V@l6`(AsKcruCv2-iunfoS~00BOeC_KSl!w6PY$7vF%9VID8@8
zr}MgD)$B-VE@5ddU(j&)qPxf3BZWVhM=F>{B3L?8NF6wo*wJJ?nN+@{w!_TDkCy{!MC@ZrVp(g4}x;D>bs}
z<5oH1#83CJAaOM^?MPyu5_i}+PXgbCj`iQjOjnLn?v`6nSxk#hR}NPeDi)4W4=hO4tS;w=FNdBcu31kIUFu;G~yPN|=SA63)F`w555Rp#jBv0HZuQ^`Dm@B``725f@7thf?^1v
zJWi0HV83LBz09xn+rS&C-(oEw1A#~o?}W@*>CZuxWR*{U6;wH3J;6x2`^A2f`qh3D
z+Y(FWXOLc|mW!Ya&wsGrl8xK{ne`U_{oZhe#3joi|
zxq943#68tZi&YqiNJO;dM=4thDXy-=adKjmm-NIv4
zo*R)pSZ()~hSHU+5s>#K@-~t$+yr^!AWO+?2++J)sf`fbI-rxqyc3>Y+oV@{%94Z-
ziB})tRFA-;*#q}0A8tz#TL>{*5Xs|iE4Fv{1~$F1iSb({twFho93r^QkD(@5#Y?yh
zk-kU8i|-|ecFfBR!yF=SB;I~g=%Xkr|LH|^$`a@i!uN=eFE^`(r?VuypMZH2_*MrJ
zp)R98t?sh`{ZGt&;3h*-i~gvdemqjSci@}rT5X=cG5Za!`ejC9Bhd2e=Hpx2?}}CQ
z5h)j^%;J3xkTg6I^x~>5DVDdGIpGx^Kuj%2l?!o}i$K~5lGzDk*af}_j?Ldao@KGe*NXGzi7C)(N{T$OSXC8hr738q4EP5M2NDWg~6MZ)_DE_EcFJ=UThL8yn
zT1N_ZV{*E^fW;N;d2O%?HS~f>ZwR$-ke@U-&Izq>A6rYrOzj#6=*^lfRK8m80HmV}
z{Kt6sAWXvn%jE)Ieel^J#?2tXGkQetHwTSCfqfpHuW#G}!s(Ou^nK3xLy!vFjn9+!
zte!T06?E&eNcQPUXxaQUb8BMGUi)06YGDH%cUBL5oLOB9(RQDvu~lQRyxol&)cP%Y
zi4<`<6ldcMn}~}uXFY~tD$O3It9yH8LLAdUO%`#lB-)*w)ife1KhG~uw+SVZ(jHht
zrtQUGr}d0qrcArTjbBv9cb-99T^v@EM_|3rQ9O~4HJ7C|
zg`u!eNWtSe@NE;
zlK#PU&h1&b_)6j0z9oLL@xAb2aylU1ti?kIwvNR&cV{k1qgL`Uf=JI!34dSAxXvFcWf(4bo9NcJQz{TJ!*}h7<(vDw`eVUkC
zJWS#7BcI=LTk0TNuB|hu=2m^i@5%hUg=Ht+shDlH&p?g8oTbPcNrmnMvNPWp^vsXD
zI3K^s3upGS+&ip5-$xXiWB%+GvOFa^!s^!*-LaMI5wPn${!%40+~!u_oM64y^c(du
zipHrG!*`YF8@0oXNF!r6@l@8aIO9V8n*LPeP)^dzhAoH{oxdb4BwBKeY`{o8@1
z+q-S&$Rmh-=Vz0*%O_A|p#V3o%0qYL=zOiT2y;pB@J|P*1e`RzAj50`_)aPgyJjF%
z+PU2ctEtQrZoK)xvi>C<&Jif@=E+&^&_E?3t8AM+y6qfIWB3!x9^_>_>APiSn8^+~
zT6w>#ox5gdzRFdn{aW80#Fvcxuo(^kM9~7(R`=jH6l>212uLOy$BjkM_iqPQ4T7e}
z_g<}dERa{L0WL5m@#VIm$?7&{>L)iE0ksWV2KHlTXUg(MNw^y+Eokm{kVS?-L{r1N
zhXFyS5XL_EG`+@c4$hgh{0WH>FumMwZlxZQm%9tTq0=L=_lpbYEX+dGUyNclJ)LP<
zFH8$$6^jhX3p;LfOi3gpLx;enhG2i4&vTt`iUn@|3+wCdp@8P~axU4coQGK6edq3Z
zeVo;H{POl-Bs!|;UT2asN)*;Duh+q*E0bDD4on99HF6Fe0Lvhm;^&CCBlup$L>$E`
zaaaf;TBzQ<8&M{)RIuRD_$ri=mhH4lym_i>bl4p3+ETznQl_{DeS*XVT`KfSU7=KH
z^&;mMj=7yM)=jnx`Xk
zvyt$B*Pg`hK*DW@N-Riiqaayk>L+^s=`bY859C*9c2-K(=Z&^N?{D>kDJI6ju!fS>
zcu0q@!pzY!+y)!aW=7~G-?DdV4#|jG{v7sn@LT~qO^sYa5j#zMS>D8rGE^q};8T?~
zq@(P6S8^e&AIk{fvSGX?0pC}+`@qq#dl^(=^wseY7InGaV=v(qRyt|s6VHKMWW}Ja
zVYJ8vPIMQf)E62O9&cVT~q>p-kWU=YIjL*|Q~*I$`m
zwnZH?`G7Oid-F@Goyje9GXZRk!Gd&Jb%tk+$O3*%4}VSnXRgt`>7{;93BSC$bN+O7o00FK_kYCg5LR`Ob*nt=<
z@Epsv7~^Um=5+Z9{1T!^`@Kt((c!cP#>qZ)YU@#6ID`|}%IAw$Ol>_*&qD_>r3O*^R!nSv=D@)f
zWj>_B1Xcq5PdB{6HhlUw-hbKf`?2vZ)d{8n*!_p`K8=OvXS(q6GuU?j^B1l3xCHv(
zJk6pZEx*q{D)e~2VS4+1S1{==-keOAA!mU~^6@!<;zKB9^f;hFf31i5=wCY6TCOuC
zneYB->QOODUGaV5k#|~_!H4jGskKbe768||n0O_7%^^29?FUe7rii
zF=rgWDH8x1t?8B_^tOV27>|k*X>}Wek?C=g65aa@XFSgiAm5Y6C+g-K*i4uLh|EJ(
zFe;_%aZeppK?#?=@SGYKmoYoVnZw9&B#bR#*6cQbUP?Sa-xhLW!593iIVBd?X*S
zgsFO8bgT62_@QB{IfM>N!dc)Xx?xnF1ZSl}<+2dd*Y;u6NiX88{L%~jh;blWTz8Xe
zcb1-kT>7R8kOMs_tQ{EJ17zj|A%ylcn5{@*ZAkDC`0|4Z-Z&5!9ox^>uOty&H(f{t
zh=i^th`#$e6AU&NOobBXb$b24ik0qC6@9yU!V>YnfFzoy^R9i39|h0*{}yQ!JRm$C
z{(Jo&PWby>KXnf{`D^T)^A|bi&5{S+iA%inG|1l*zp(<|5$H{&svcA!B~}_U2n`rv
zTYSq(Z2dQo+3}bM_w!|Z%z}I9q%HR&`2i6-GMf2
z=DeXsT6|1&TgvHm)e`7wBooj{C1Fr&wnUS_RR&+?dlWKcI+Bzj^
zgHFm06P@fU*55*6tQ%EE-=&(cLj5NiNDP3^JfP@UU<_$r$Mio)@S>wfD!}_wxqmo3
zu(w@sO^?VH5LuJ(O+(UvmXrYlB{BGseu^nqIRuKJ5}!Xl7LgGu^at#e*mK6By!e#)`PCMrt`{DgSrskh@$?2vbP}Df)05f0Bx5
zbdW-|Fr^Bm9N)2l(14zOSl;#ayU9Zcs#2{BtIw7_7X_8B`E#m8f$9D;z;l%~%toW^
z6xt@n-iWzw&+T%JRD=Z)LQ}z?O$WyHW6NDylOrii<_0AwurPP>A}}L;hE^+%tc@xo6iA{R(6J=Omy5iZ
zVbb1o$5+mAxyFz}Pb+WJ+U>kkp}PtzRx9y{m;Uv0rkJK9
zAl@1hTW^C$!X9<-Utq_vv24C()&HNNogt?m^8s{;9L4~X%LFEO$s`_9DT3&naIulj
zEazCUBg*JC#Z+hI$6YxR1S8quo5P)U&as>Qod)arrFGqcjxL=10=b%8BW}~Vi<#=jL}DY!cAH_nHKev_5niY2}EBQgft9;s=HCG
zW1*HPQGCLoS~|fO_22IU_|6ju-6RotNM8^{dxv*5cdjhx+w32}o&wm<6L8%m;dw|Q
zf4}FR#&(m0<4N89?p)dQwM=t)^2@=_mw~b?_S8uUXCqe9O?Q%p@T{}QW1grvk>M**
z7Xq<8;#v2sx^TO*66kYLM}o~CKer=)@C?t2)L#9LTse)L;fb2=gqDjIJd70OLGBVE
zx)3EH5VKSCDRqb|b)YqzwJWyFDKnZ|n+b9pbKR$%?(*X^H|}Q8U74Xuw)M3Yrc**~7YA;O^h;bnvQIIY`wl;Eh-Dq{Zs^=A}zXknd!F
z?0qIj$y|57gUG{Kw57QzULzQo*TH^vdy;bNSHg>{Uv1uA*YJa}p5hF1Dg*NB=G%M7
zs?4P-pU#WMZXdZ59{n%fJs36@>KeD`@s4l%OceJZJSvwoN6(Xk906v1%=KO4z+n8D
zB*?0HCFiTAb!@m9iVCiGvajcR
zl`n#d7-Am~?MfZ{0N?HT9{mHVGf~sk-3!k6>qv>)Z?BdwDA{A@7Z1BVuT)7tL-`g>
zstM!FMb!AQY`m9d?l@2E&Yo3|~bY9GB7)MVC;19qXj|}RdKCA_2q&RJE&BF!
ztb_W}=B0a0M56|IQjeZeDL)9Z2VpMvelEyx8Y@YLW98
zdET48s`r_t_e0_8^}uA9J|{lP#NGY6r!-!uXn^mC_QAoY9U1*QGo#Fh^r-0Yz83S;
z&PTUbZ|g5!FWNeA3B#Hf>mJ(u4!*}nd9g}(hS>$zz7U$|(Xy%r3ULg9H(lrA=ur^9
z-LR@zZmpY><`*u|+A@h`H+Fa1Btq%P{T@D}Vj=vbfi|zAdcKIDu8Wk-{vkiS%l=1H
z)#kbHOL;@N$W8)FLSUTsTsUCRBcx)7-D
z=?765{1FPq-B0b&jTkW=5>S50a@a?S5C8o#klz+1{LvWmW_z&2B1nS2>$8QSB=ZEy
ziwZ-_MS`ZvZ{ZWawKz|_1#>W1CiO`S?u7
z&pFqxD?Y}Vf3En@cVOl7_4D7S$8XLoRdKzK>9BcJG^NK;52x~5+~=nSyEvf_EIQYF
zVGJRHTqJ#iPm650A3d=3pqUutm_X>s8-4Ck6$Iu7b-QET;c-dGFX5bHAzsj`yTojo%5>x|r}jZY*l5rPO&8ytaJuQMRUjtK+tNrrAnYSRP}A~v*;8@%p+g-Be$
z0<|Q6*-toRkE}`dm*U~TanM;P@JZV3wdkCSER)|62Q
z!bN59$tjQt+5akFM2DWrm3yJm5DLMF%BG-x7yEx9z6W(~Jcck))1cT5cGla5$e^9r`
zgl@9((oj#LGd$!*Wr8lnWO*t6c5>(m1va73vn-$&DqKVcm>kpVAPCWai#$fBaFMW$
z3W>LV&i=MJG{0JSN(=OnkvC5W61c?1^r9*f3}{GIpOKh(8NfvpfJHICE`<;sBkcMd
zUBL0H_(?zM!X{LOL1pCTh{sQn2yYbcj*Bcc%-XS+J0<15#1=C{3l;MswW|lEeM4&2
z29(nvqwV$0J*0kjfWmd4@uC*q1c%V#S(b%YIb1{~*f7iMDG1T&C;toixz-N!r`qwf
zL>9rK(-}>6n;D+D5|ErDeHAt90t{}C
z=rrph4B#Vr!J^n-GeC;2J?X+FOngRS>-9+1Bpc9@B?jl$I#6g%^NrIMZcTy7alH9n
z@hr>ED+WGd7_{|T93ygAD9dh0yVil7LQ`W_tqt<~|lQaHHip2jw
z=iBY(OF|m{6~+_czcAv>7;sc~*}aY4Tp%53mdf$|V7F@qf+Unu4mg$k`&f$R?iigL
ztC?9SHx2uSyE{fP@n}^2*r%n${B)Mpe5lkfg2-QVD>)#7YovSi2pKk!e+YUCZ7C%F
z+((Z>l<(uWu~+5gVt$n-&$4|@NExG}K_5osSK+X|9bilu>qcw1^=xw8yF2h)Iq*nU
z?Ps^`KfAhh)85{=UYnajC>U`IA9#JFL3N!*v^3PhikI2(F)On8%spW(l0wZ8CtGo6qd
zHOv3~@tX*I=wSgq7jjXAzk`I8KxiFqEk35F=KiDTf7wT=M>Q^1pAuSp3f)dYkj3_!Z^y
z#Gw_%(kUqvUip5`dJ~KK`JTj#L4|nb%O|G$Mh??FaD8eU^z_8i2`NxXeBWoii9m&p
z;^&hi7lnQ#k!@dj)q_XGKRHBxO%As5+lJQDZ%r>Bi9rf5JMkwe$ggw3|5mkF=_$GB
zlXP%Iagd-V1cMcQ@(lT_*S+dFzapb6?jtoYQ~cq$ha3D4
znE$P5GqnO-UT*p3VPyQH5--qzyS4g;&fkT7v?pB){=_CP-t}m&DC_QKuL$=3Df|bO
zoH=LrjUA%2T~l1^&F@WAPGl@%FxE2cuZKqBL@arRv`)O_CYT%^aD-&dL)0(Qb`iiv
z@JMR-2IM1JqY-`KZ&M7YhDH()>?PL2M>+~f5NYEg@(aKu(hCT9N#w^&)GyG62-*#c
z1PBkn66__^gFs>oNZ@OOB{D(+1P7=-Qgw(WFi3x!$d_(Ahqn8*I&1gWcD}D+BM(_W
zvED75?GotnhyeLClyxM4dKwA>(GnpM{JmI10#zhBAVIK=goqRg5EvjPC`qJ;{78Wb
z;=XPpL$t;M9c&FxbV{se6&f%FC?UYZ?fW#eZ(zG7zX3a7%#|7n@dgkcrXry|(CM5-Kg=h%eh$c+|kl|bf~
zhnb-l5cHDL@6I5#dNXzj?x;=AJ@veUs$KU6$Iex@1Ox5Q!ZF%e4;f895AzOsMNeU8
z)*$uV$9W0*sLi++B~7Sf9O)qY^81q1df-9q;u6kUU_-z}a6p4S5js*ym4{(2p}h(Dof1(l&fvR>70njO~n-1|T?u8l_9sGB;0qm6c}?cqP1bJW)4XkQ)>
zAS6glq=$qQeD_RQB>IlE5pO>Y@qj=R&%Mm~v19wShx=>goR>@HI<21LvZxp3j!Id?
z6{!RR>Hnd)!&wh}=&7KQgH}o$jcz~gP-UsEeSfiHb<>BtBSh2_ip)SafLS`W+1JnBP
z+@}-zHH%b3#oX`{`qu>2>pS*=4W}WK0BroSq%px({X)jmD?70EJHR9-HvU;OIron#
za=d!73GN97C%Rqlh1}VY=vr$gVWBY8q!x{nz7T|*BOE1E8WE4TTkHj4(`|yvdygMTZd3*NfW^s7P13q
z^2h%l*4_iG$)#Hxe%%&qz!p%Xt0+wnrFTS1r1#!bdha!qEhtD=X+mfcdT*hJh$xX7
zLhlF>5(ohzNq|7$i@Nvs?sMLA&VSDN{_9%Yv*uoFX2^3r*E4-)j2;u~f7Y7Cy<8~J
zb%uYs(EX5Oo985-g7Xf&7;
zoRk=V483k<8I@3;b$mQ`+2u!?B9EA+Aq$U22|QrEL}0Oj@gemE2#YX_b{mLSL2oX9u+jRpNqnu)g+!6^iJrtiNL7Fs_lMB)9ki}rhtoj@vU;BV=}FQ=Lys+
zCG>&D)ROfz#7qK%#+_rR(}g=i?~U%HRlG1r*Q;RAFn(07!DoD-Sm6JSy!GDbc3S+4
zw;6h)3>p@X)HV6mB}4X1e`+p2iY&U5*7SGte}ja0Egryjs%1~UowWR`d--F&s~3v@
zEZ5+To&bY}>ZAW($uzxq1`Yj3{2F|!7mE4bGu=rmd|~i+@_+ZU{(L_F{6+sJ&;PKX
ze<8aLyq=Anki4Fq>oIZ
zxqZV!5%U{ag0Ho%J^o2EJl6kBUGs*^h1){Ui|)K8fCl^gx|5ZZ$6qE%zCXCmO$k?9
zdwD&?YQ@fR6F8=X6pDLBc=YU53^W%}4w
z={Mqux)Mv@rt^Z>tu0pT)|jJOT++eN$vMcUU?KbkAs@$q%&4Jp#P><&`*kyUwy(zW
zs}qLrdC`a4tpu&Xw;xdSM)VFpSp$UbZlR=fE?E%AvB^iT$-H|u>R}I#HI-L;*4kYeaq3_|&KF#*gL(rDwl4uoar@Mz1*wcwQ6#1!hLSNgpURO#78^c7
z#MX@2xRjc&V6N}T6v*sF^r0aj>@|1ZH)GqRl-BhUj5^xp;V9c{!nw50iyVqk$xekR
z^avjGsx@|!a^^Q3;HV?3o779+7#7+$uS7(k1fGzF}A8=c|
z*Su>4dDOfGqOT}1<(RQac7M#(wSdHZ#Vlemi(8n$K>K`T>GrD=MwZQrd~#9$i2aX#k(5&r?1jBz0a;<+f%YqV$i&ON`>L!Uw~nG@AM+?
z4Jo0?_C?;6P&GDz{xXI;5e#B#k~GwfCjLHk34RgGxQ)kw-~}*qbdc=FJ(XMt;#rq)
zsCwX5Ms9}#+H*#lSC-cSU9_2#mYdq(XAr0(GvMhogA=40i#FM9vl3v|Az7Q*sn&iC
zZaRTO{WazudFj@T4Q?iZLwz;;bi;i$(lg?BI!f%P(l)b=rqpM|`F})mOt2Z&h7DNP
znE=RUyG5Wi$6mf%b}GQHTYMM|r=DtNRUQ*j6cdp)t=N9g=N}wQ6r><3om`rhpJ|%<
z-L;041!qhua?(4Rfj0^wi2EUgYQFN=c8BS-%b?V!hP0V1S884>)_&g?_dKa0sULVA
zi1WhMSR)u$iHjmxVoqz{8*Da>)bD;9%dujO{CKk*(BUwWb2vV4?{($@jxwC}?njp)OoxDeb~=7e(?JoG#4>@4BJ?jqq%`Ld1yEx>&y|a|$gu
z0Yv{+QBgU+IC|aBpN~T=zf^c+8QH$Zjd7NVNiIfVf@LH_>ks6}jz*rx*TO+v$|pML
zu|4qc+9eF^yL2zMFf+Thlnuk|&%K}mOKf-8^_=OP!;EhJb;!
zg@%w8_eCL45LHzx@#Hpac~d_3W!%GlLqg==ng8b55TYZ2=v$MXk>dyPCONDB42>OI
z`ZrCo76ckC9Rk^KZyQ1kBy?GcZ`Ghh?s;P0?>OvI!?dB)U%c%vd;i+6#Q(`+HY`X$sA`4IHk
zMK?HS{uSvTH_wu}Yv|;#QT0!c{=X+nE%*D^ynd1zB|3fM{8=&%FLZx~cMMDIH`26n
z-V%x6jf}ZvBGH;U$!7d^k%J5Mif4SU;yrb%nAXd_{5tj~e+2~@affVFi
zIcm?Os7~Oeakv?Tsghh*L0_5iY{H<*B3@S$UrrCoc!tdW`rBdW@3Hp^6V@5p)9!&!
z3I^6`2+AL?%x_$%`PftG5k!0Kb6{^;HoyL`VjjOb@(CA3}k=?ba
zQ9Gqj!Nm1KPm8PR_*$Bij1}7@M@DeKe#`GC*H)Gu9a+ALyoC3U
z8n6v*-zFlf6taVg7o2ZV*l;@E&31v#x-zd6etfLd^HF{*`2+h_y=V~<-P7&g{|49U
zTK=f)X_ZO*8*sGFKCk>w!Q2Y>VS?_z4?PnKRya304!gXIMnyMSOBm8!Uf7iAhrV1n
z;pnX@f0YWGH!_;JI}=^63TjjdoS*mU->SqAY*ZR4MVuhQlAU0gZ<@vs14{y>MP@n8*h6C&SOqVp9xQvyx(Mc;K
zPmY4u=lFGN)#O`eqCvmF@m)1?pgVZBf+W3fe17l#TSE4bf3_X{yQhwzH3^=xQ@0J%Gcjkqb
zJud`lwpxB%VA#s|A5jxEW;stnZsn@*0#b(<_sXq5?^}p92Hrsl4m7%4%tc*C6z^g{
zTak14Nci_9u;Ji|&Vv)#&qv#7`x`WC8OJXXJ43zmGu_5YZr%YS>{iN(7Z;=25*EJ+
zXx#E)(k_A7sG7f(${jw>I>gPpg5Nyx7hknRs`$a74}y7)hv&aFh9wMg@lMq=Tdf|r
z&7YY2$4h@(q*bI}jOt17Zhg^nhyC8N_k~zZDXWjm40M@4sAAfD)Lig{8t`~19Rx3A
zxR&W^>V3^}vUcU`56`ti#v#?c-jx|MxyECbt~f}g94tN={t|UEHj%d!vU#mNedVqq
ztR=Dbc-}LFhVp!IQ)5Iv52U&`8cz6!{Nu=ySj^MVd90!m-WXge$gBrwYLT8?Tr&fL
z>~J2*kRV*VK_r*31|ml)q5Fqb2av;6kd#JEM<93_R)g|09aYc3H#}WYy81Uguu0?`oR5dVN-K
z7H;LiJ{-^-rS(>5F?XyM(hcImrcJzAj%0
z>1^jkF=VI9Gn~LIJ_DcL#3)3)cYf4`$<|zU;rnHo)Rjti+xjDc@T4xCrGiF`d-kKH
z;%($!9QuJfPs~u2b#BM}cWPzQ9<@>#U}|ZjtQfB|6TG@*(J~PoGRD8AUHVQk_t~O<
z{|Q`ClXNu)l;qdw<0&yb)Y~>ACCP?%M9sVBfUG-iwT<{*kylP|xe#E$9ANl1V^qX~
zv#FUd(qGV4oS6qkyIh4ntXx+OjhpP}3r{PF=tutJrP$*T0X=>TCflo@+f=1m&ZDm_
z&)>=cnRggiB=hu|Y7SlD&F0n-1LV94Xsq{?m>lYDpD~l1WB1wq>Os6)F(5hoZt#!9
zLIjJvZP}2B#Nh9fwgc>OjNf_*S9yi{DgxzCGQE7|74eZ_@{yHac^$o{vgL7C<=;4`
za0a=rf9gi!;a&3i%!^5m-&nbxZHx$e()JR^DC(RQT5(x_c{
zS~T_4Hu2V~5IT8{$P4$}SaiL>Eo0Zjo;Md&NAFrTzxQwf&OQ$;%5`=M<;6YfK&s5<
zE&{eo=|^HQ+@wZcoGOl>Kg-+Nx{4BuBNbCHj7^Fh5A!eIo9w4QgUYe)n@L|e_9n=#
zAK=)#18qFmYOh6tw#025GBezwg3j2r3Og+3hX`yKBB0
zW^#u|l@b>Yo?%;pkkiEH*m#4x=;|1w)(1p
zT|a|4X7%OMkf&xg*Z*Tx;^O6jOFiE|)^*+&q+a#(-%`E(j^u&grF1fV+7rhda_*u0
zSxN__tb5l*{*`KwR(007l5LpyABmis4t^7MzjVK2sq(73=lHu?cm}rmDrEaWt|!>x%LWCtQt7
z+<3HJ=B#fqg?{?v4;cYVyT{d=j6&ZkU-o7OvDz+rgw0f&+`Wt4R@XUa$tr)Cls6!e
zoJRv_F|*4PUo%6gD_DNRFpmRCM{}nko~oKcsYH4Kk;>b
z>W4iocBamry!@csUVcnMB&ON10(n}u1c82BoG);;UGm)t{bISovl>yVH1x?%04Daz
z$ehMY;0>TrcuK{#K2g4+>%U8~ep-qJUgpq*Bk}&feUUE71fCoN@*Bb1Z
zg3&1i%MOXdB9iRu6>6Z*OP*YU$QuANNlTGIgjbvLw}2^M7P%Yt
zzMOpM00SlnW!ap@V_?@%Bkh!mb$xO9ijx1743ihMr5~8;`A)3+OFaQ^v)g!vty6Dx
zo7Y4jcbnpE3MQH)1Xv6;deh!MD7M$)|F1nIZq#)}_5VH5YSb5&5`2$#s~
z=v^wTT2wn(4<0G$wf*|pcrsKa3BH81YH-v~f>|6^Es}+NoB7JI;v1n!LQXU&kF4fZ
zi&~i1id}bd93@(mk!Hjxsv76fWk-&(lbLyt`$U%?C@^O@lNV2_`}k`5cgpOQz?Fs5
z!GXGz)GL>u5t)#~ss&RvQ_e(R)C!gnFLgB~Uzc}fo9W$?L(3$?@Z_R_H*$uDF&o^4
zRpR98`blX*@ajF(_*Wh$PTtOdVTU+B^Jj?`PKog;7?ZZ9o9*_gJ~Ah^tfiD)8;?GVH1gbg9n_qCuhd3}8>`r{Caj?4TOXE}As
zb9Z?cy@!_?iS^Bk@JX%(>Vf@III;BaEpAKCaCfWaKhG`^ENDC$KI3fcfPfI!ohl(j
zM9&+}r&vpm@ak&eI^vXj_zsWd(z=zRJv~+(=HIhdIJNb8JK1b=v0)Zkx&Rc+Wr;4I&h8=SRL%cmy1^8P|zC8y`?84Dy8T=mRcXQFGz-4im%e5{VV@`8;L>WH
z9^L;6>ZIdsTrTh_F#t8W#gW&^fThUrrjTL#zlIT?>l6u(mix1Y$LW-cVzhp?!Zd8b
zwPTVPK^aiVNYFZvK$+!@pLD8(h*{|lOq#}q*mC#c0C#sy*)At#&n
z*|vYjp8b&~i@0s>XHzHqgsDWkHzoaLFqiHeAU52896m-gy|LmXBe&b+l($GQ%x8ly
z?Aru+K*c95?V#esC6L((h^@W{L72@9#@PaKwnsy+pb?4)FD*9wY<>f&Z}K<;f|zLy
zMEByuQS3Dm9f^^L&p!9UxfacMTcoq+IEHXU1m+W#cvR|i9GZg{O$l8S&O6Wy2koEF
zoFqXjZ0a>#Yo!s@$+M`t8!15)?V8F3!*0OYF$p6d?+zd=XgdfZp1;s)ebm0&xn)%=
zyXTe6XHz={Z4(duyw|=_3vF$lz{CW#jU%9es&#>3crWl^?Lue?iItYPN&Q@gx5FA1
zYBx+XC;h}c55OE~CiuZ=ct~IGZi20kKJMZ~Ky&AC#?%BwU$*yasAbs1HQP!Lq<-o4
z{Hz=WGjfVnZrDZtxkF02cz>sngW?LCDxK@>F!NLym4#{t(^J}tIn8l
z?W)cgPp**E!E%PQ1sZ9y4KH%vl^1Eii`(TZ*7vz7n7B=uHeoAgi4)pW6;N*19&YSh
zV9ynK2ok<4`7J&PE(s&GPr1~y6}H(dXU%rZM{ZuN!C#yjk9^6ikf1sl+8%K&!F3M4
zWy2&}+eH!0Td(mrDZn|+MKnY5Dq8mB+~ggr0aZj5k7}41_JNzcNp0tTW9&c`q^Yac
z$*uNn)t-hE6gJ7V8q=I_=@+0($^65n1{YL98E#t20*$-Qmm;RgeM#unFBS<^kTRPj
zY;MD`mTUgn93~$vK^l)Sne&z#kQc38drOO&JF>Xy(aPCeN77K-(}3-0z^1?Xy}*YA
z&b5Ol9oafNK5!4XEiSl^;p?{GPV$Wn&2U~E{sJ&j@jWcKr_$ms>6mfSqR!`V7Gt@j
zz!DkZhiYwFyjq`cGaY<3DBMB8W_OJ3Zg7ui%0%*$mrf?Zj;hdDl>T~OyCGK%amNv|
zgr132(80Dux}UC(Qe@?Kyw1N>#-WSoE%JXdawV5dFmaeJBe=K*gTKKtbU81nhBiZu
zG1>u1RMJhOGf|T~2SuLh-bHG5UqZ%pXJfj)es45sb|GY)-zSUs$Y
z1XNyP>2UHVO+zuildZ-jNqRDaIK&w9yh2X0_u*ri_~ep4{~v9=kmF#PZXDzK?H1h<
z!@@?;67y=d;zO=P-|9KFlon52*;XhwPDQrkL}$PnW8GAFNbNR}C1)4xwoCR#fD0|K
z$-Oa7{d@1KRUO^l$VRJ%M%Gtgl5Iu=SgJ+JRNr=gFVn3Q91~FP_Cx+*(k5rNdN6@>
z6>3x)xO`UFWiD;bjo+gqVnC}&x%l>YwraKccy^HMkSt^^_n!__TY^Pn*$)S*
zt#DG1>HtbfRLh33$xnv4h_xIvU?$d1>N@+s!wHP-la%~X1bB657c4FW1O?^Thlu1V
zqenvs+T>sJGMv>el!t^zSekWZ!c+2joH|fnwmfDs1-aNnAD+X5>}ui)k0OSf4W>vG*WWilHft6qsZp!
z{v4B7|E>M?k3sIyvPNRVY^?`pB8b$Gyun@jJlG1zga9%fg=i9%7R}uW{nQ#AhU@%e=khzgi)D^66`;GWnlU#Vn
zMX{~N2V$YB)csX}zR5k8L;c&vatQa2Z#;_WE|MTg+0
zH!4``^CX|i*D@VhzL%SK@+o8>P2Ug;|8zFRjs&%;Gk#PzDnV=o#Tu|P9
zRE5Oxu%eC~#U|~l^=-$bQo?!qCBrl5-YYLC3R;X2LI#9YYQ;G`LsZh-WJbwrPTBx~
z8))TVkrw$XQBlV6zJ)XoS3pt-_2fT~6ahQx!0_Ap;t)6TdF_PI?CsJS!g*>B%tA}P
z>1_kVwr1NExhRxhXgIHsf6x2Sfb5dynZ-rhTorfDLImk2WIjqKq%6iRKNV`1<_eW$
z^?;^uCJR*m?1daZ(p4319xe_Uzf$cUKI?n)*GMn`(aa;1pA-t0XJ3WO3xGOBAMnWJ
zR`$m=V|<4zHYgw>;g7s7L~C6W={PeQ+_8ZQIMRvJM|~7e@&kidO;sGKVHR#^kOIrq
zY`XYKmzf-sB+I521q3jFx{YEAzIiqG0V&bBTC`eb%oQu4-)(MeY5OXI^C$`p>qYyq
z_fe8>V;|pJ!LQ3L4x?~#i+S(#pb2nZ{Jz9bBF>{?jA3px(9=s-b|iU1B&B6{e>u*&
zg8P?y#P3uhxT8@n2R;|lnG0{x=|o6u2LV$yoL5eFt2jlT%a63FX}?+D(uU&&qZsq!
zhjrMU4_pSK3&#>|GOt7Ld0MgL&QEKWm*q~)g-~`o7l*N_!O$NODk%12aX%Pb(o5H@
zDS9vV_+&TslDBgXtZ{TJ2hqV@x#&4I+gcseL13O2`Ue5!e`NtViUqM&ICOcT4+Fat
zt#sKJf4m(NE@4YGrgW=&q>`QrCp@qtZzgtWjySxa4Y1helaZM%acNjxMW#0_(}QYW
zc{;ZXv_Ic&VM(pcAkJ>t(G;eF=;H*2#wxDl=YK(`g1CHuo{;&@ccIP>1P6tsnqr8B
zXNYN?k$UgzSXZ~P$|Q2ISowzj3^sEN!@6Ba#1k0zpmDONU$SyPB*BC7S7aD*os
zt$rjIm+!TPuHD&PJnEEGY}xgbRg8R-KX-6YVPY>DYBQ)UoCIPFPj2Bo!^|STYej58
z`n^KfYPoY(t9QO!WQ7h}8*f#3o4)K2urgk)xM*tJTK-Y{s%ORZ2bJ?i%O&e-g94I2
zITp_fZ^M_Mt#2h4C5;m^jCCq*^RPhn#K~Ju2Nwp2+h;4o(Vi&VLDBreHsn~+TAZ7wU>ehy@tiu^=P3pwNWe0u$gCei7RQX5st6<0U)Dpi@cAe}V)v-3d9#xim
z6=Gcs4s5o?Q}Z@}vXAO4Iu+gq>8YWK1=Iq)4L*M{U(LISHfk;T_~0toZUSQ_E@C1L
zc2%j8;JRAva%@g$Le{u8RkGqLtn^l+Dt<=1AAWW=UHwCV#z?B5aBph;fQEP!9eS)J
ze^QVaIr1e#vSBsJJ%rnG@r%T#3s>pNd>_6%Ex@j~{KrLViW@zrsC)dfZE81&u60g&
z7n{%bcMo?zzON8`XIddRy%0mauc{kJIJzue;~FsOZado8%aLAy@8c4;istIiJ_PAGj6hMg}c
z4&V$>xuUDMJ(xj5+ierq!x&4WwDRTC8>L%5{wtV*n?71A?+PCH_^yl>@cTHf3@G`n
zSjJt7p8S*^cQ^V%TqWbwIZK|=IQKg1XZIhlZ;pFE>^ar#Nt^Gw?|;93xsf*Z+_vX_
zSPwc{o|Vo^>el|l9(`KCSuR(pn&nSlduVOl_n(a{dRz3kbOYFQyre|;&3a5(hc7Bn
zXIFYcx=+zAx$f)il*jC{b#bwedq3@Y*?p6iS<;FjtY*0(W+1wUHDcOZ+dH@i!5VRm
zeau_A2N7+@=IPqXFV(edN(-aaac(VMMt)6;fwOX6y5}BTxZL-(Fs6;xFItoJnwTKn
zJr9h#8JpG2$kP4mS{{57muX;Le3FUhg2Xy!cS7%j-;YW?csCPlg!=YG6@^dYJ&O?6
z@yKDV@;tIeZAXbGjj?T?w{h>R#BbeLkZSaCeC^R$i|@KIwf~0=`+0_?HZkXmQD0wv
zI*QQ*b!~fXz2krnE^PMJ-^~{Ggu+}r$L4)#k~;i%8IPa5U|Cj@13=oNr7@oQ1A$9j2%V`T%0L0@DeNXZ9t?8nLZ9=lkN
zHP4Rp!&r9+su|z~nwMx>AmMS;&&e7ter~~i&aDL&aR?8RDkAMIaMUa$R&CxX(XSEj8*oMCXkf3
z6$sQ7Wnq}q*g*DKpvvwyl3nxORK(^nZ;tndP^oq29L|=!m02SlzB?wY5RO}SLrAS9
zb|B{QgUSfG<-yuK3b8RVB+#?J#?UjbAy9*ulcMdZSh|-pC@q{XdpvJFoa?`pIV_Kz
z-_8e4v<2mYq-!aiJ=9z}g(;;l2)ddwY!Zpa!#dVLCuf0Wo7d8z)%~8vGjnB|9!8`E
z0ibDmcxHdZBL`k1!u6~2YO1!?g)MqW$*H@cbD^qUrG+i}$hmS1&WIpU5z^_(3C^xH
z8A2KF22aSTi6iv;ss%!V(mOje7On4i#d_Nr@4gEaSA3rhuUs>)2(g^#takM@?sjwC
zj)a+IctcOaF+{^AL_qyV-B`N`&8E{k`TzYXgk$&Gw>^)eH7n&jtDI
z)o%`5wpZ^%?S8|DeBYO&=Aw0xnz86<2gicJ%OOREoa<=-&es6W`z6=(onqJ(bV+%<
zKtw7O-M1*6b(=T!oBcLB>(E0mi?i72B*y~eWwGq%YPC(9S7>h$!7VaZ(QMA>Nx0D+Tv5l*^6>X^zq
ziL0b{E$~iz{Npj+=$09*$U3l`0QKKw=?(@)EaYXXFQv>Kf=Tl%orl{++g=l+doMPw
z+C23t4<@l0;6EGS9egg<6pu(b^j;99P69Th@tyF9dp=IQ3+8aUfVW1vLHvUw#NOwf
z)2%MeH?oep?^%In6kFXqER8N0cw
z$`vi&w9u7btNMp3W|fR(%Uo%UT}_G|sbK7AyjoDfZj>Hf;j34fQ_9dN@Su{Rk*rX;
z{X-)+P_>B$3y%^LQ2B(TDw&%A6
zklNeL0j~25%l9C+S201gvMmcp7(fVmHxKT;b({l?<(5nJ^ZGjPMD)rB%gyR{@$Scg
zJ4J%;v_A+=w@F!(S~(qFcSvzvpnWMEm-TC@
zKNR9_<%?wh*~;bOq011ZkMmSZ0Wks|4*=BrQlm|5Kx3^^?Qb&IZuAMi`IebfIj>t@
z1sP|yPT(;dvA>wDrIgD5SmdmF$&EgyF3_MC^X}Z|FAvU2mxy(7dc5Q`9I?B&ZJo$z
zxW65|2%?76IK7UiYf|&0*ZiGQvCQb574|b(Q8x^Kx4&qsvo_EdCe5OB{Kt(J?k_lP
zQ?&&BZ={k+x9x{z;R=~vyt}xZdK}XDN8e{udW&Ag36E!2$cw%g>(l+z%KLgdd+%6k
zNT`S|95o}{`b+>@CCJzh#~mIjdB1;|tT7td9?v
zxxX+GTC?mjc1Y|s(s^z?G#$49k7iv&HJVuN%(kxCsG~X9cLB*E8?@?ZHBOlIN0(I3
z-pYN6b;nMBQ5#6hMCy?6M%>yJ7f0Y<5|)(Iac*w1Z`VHDW|XI|3BOwgW}}_$^tHwH
zqh6FP-E|D9Q0%&8*6|y&t$spn$!F8i1P}If8(BKPpNgb_j2QwhSf<=SadTO=Rz~9-#pjn
z>y+M>Ft_asG@TU+HCo-PJUR~jff45SOUcR;OWV%z70qSO5-OT((@B-15yrDi(<#5P
z3<$0|-ypwt#hF%9Dj>FynAz{KNq4^SSthHbxWWO(p0IwLDTGqdY}=tw;d*H7p)?Ug
zjZBavlavyMoU7oyZ6{e}WxfdlEoHukzuep2_tP4C@?mK!hV=rj8QbfNUo*DT7f-I}
z)t`{6UiP@{x_
z1#n)fRg)p(-EF!Zu-AF-KR3N-cPJ@ZZ4{3QDw{5h7b=^slVCnj)O5xvJu>Doa#+zG
zo0XOJtT$a>YlYZ2Kiy
zDnm=l7q1dGguKYsnBe`_SMdA*(QnQg$wf?7YkW2-Cz{KAqsh1YnYeRuR=)}II&mOV
z=Z|hk26_8sfEvw6Od0Z@C(LVxeFHKo0j)B_;-alGT^69#4XLHeKe)!(9nN1?W?$lY
zQ#eZ338zS(qQ;%HTUgO4D!6@FlGF-~GRT2ukomMJ$mpEBRf1rtlXUnwD##D4o9l2b
z6IgO0gi8@$2}(L#-w0J!Vz-%TeZsC)=B?MGW_z@X39~`xTE-2RQ<~
zBQkaybMjY@1kp~?k*}#b>@_M@I^y=b{-EBufXOR)+-+#SE$Meay0tuYE75X1apPi5
z)+h1Q*0m=!Sw^s!6IM92cc#wncN@+=^K-=ED!XWT1Z|`Nh4r|IEPkX;blaznMX6$I
zmtj13t2=nBoA@KEl{Uc2LE9%k`XHPbk8OBTN7taW?OKiS2`+%*Ja1cz?T~LFTkJmD
zc%P1(+L$8R&Pn+l8i|#!GVP&Q=FfWCY7n#7TR8eW;J$P9^MQgb90MNk$y%)LN)tue
z_pOQ>&a5^g;Asl
z(M{1(9bh?8OG%u2_qz8CDq8{!<0-aI?CZFm8uTWu`R#7=j2J(p>O$|t*ytG-myf+o
zgac}Q`>1vlYoNy@1gE5d!$MQRT2lQl^u4dZ6y48QeM0ZaZord#6IQ@$6Pf#jJI8`M
zPJ{R~(Z^3h`jNc*J5RZ%ZY=`eZF8=593E^%IHi4UJaluK_+3ckqL8o2g(K}{uZxi=
ztWZMY!-N%4kN73)kPxv?imJ!!=-deI(OZ{wo_b%5HoTrA@|(~vSxHjutp9Sp$=Plo
zXN7do^#0|sO-a0Em25j~(xS4k@S0_8F+Zh)FZfb>xb7t@meOnG-swiuaru!dP3S8)
zV|EIU4D=5W@7J{p)%XtXx#NlIl@pc8X7`#%-v-3&C5dpr#`Ljsne=hk?lltdB_$b?
zvSfMa)*AGY+SUmb5|WysFjq
z{R9B#Uk{I9iS+C|R`|Lv-+-9zQ4PJr&KB8BDb>Fd%)6Ah^JVww3c7Q@CE3=O{qE|j
zLP(pf%~onA3Xyr-T~Fxmb6foeIl{|%$q8TD>;DLq`!1J4*nO;6Aq0S|hK+7d`y~_4
z!pTtzSfrCYxeAa^#58hJCb*hp;-gTu#U;HV#l=KKU{M
zm7bU+=T9!q%$}Z%P`X2?h}yTNf#xiIKCo`K8Kl(uo>UTz8q-ifta@W+BT%|6GZom@
zn&}2?Ys%F8J2Ym>0;NR*7b}T`Nw>g`<=`nUY{M+Da49&)t8vo8EuHv~S5k25QXl!`
zOXT|rS;z`jJNB$lbE0B?$78p94YACd%SyH8^_l)drxw_E+~|UzpFaL@s%1twG*#Eo
z-}eKAB;t&<+MIa8Tq{3#irM?aQ8xG9N;?UIVE2}x$>}>)>h~dw-s!Bq
z7?WQ1*J=HO@!r=zE=fI6pczE}AyEn%Vbr&+@
z);-7ZnIrkx7yWsU+MsDH2PrfbN;iXj4efHT6`rGp_ZnIbakvOz$I{|fOUt1pYA*~j
zX%QBc*h%9A-!50=Ye(Ssrj~@Q4>x^K-gT@x0mK0cePy!-ObRd
zbI{C)7gOo!&giyu!$~hr;vaV|7KaC9cDW0K<}?$aP1Bn5`Owh9LN40|c*YZ65AQb;
zkKLjxHxQZ8=2Y=^8L@G1u;hnuh1`aR+vZKHG1rSYa0Wk-X>P9=rsUyLAV0
zEW>T^5)_m4xSp4JdN-;b@0AqxskOn+!-_??Z@Wx9@cqKzz>-tQ{Sv04^(*RRhYB_0
z35lxN7~{D*S2h!mo(c~$2yJEa(|<=!hZs?h%=iVLPM}FAcCuAYyyM3S^(F|qiN&V`
z`o)yBuo&0IKH?Oc3CmMMwyvc@g^w9g3s`x}K%KK_BX1oCv{7)QSBQ7sS+sdzp2MOx
z-t$N?v0+z8YANbZNQ{Hs@w+Ef!fByCQ}#9N(s0X9_!g!)-0~+3;3a9K(2qR)=f{Dl
zjYZ4)ZXk$UZE`S?pL7Hv@G5&oFa;1?2tvRMfMc9sU;<3vCu2WwMm
zlHNX*gDvh{^pZ)bLF9An4M3!~q$q?j)(eo9$*>Q1Pg;-rN~isFvETs${0ssN+`i2)Ge-@$$Wt+E4G^^loRd)g8+K5xf#DVV6Gphk)#Ye{A_loV9dq
ztY%-D+@dxg@zc#sxpQ-4bWBs9bTVY;6l#)!+MsuFB}2Rx$85N*wjj%{*u?=;A6(}W
zPQLK7W9dOJOa;rDUl>BR>nfIzkfj|Gezcn~a&$`!c78~hJor~k?eaU@7i-M#4^+)6
zKU3#(ChuA%?`#f;ZM02chKj=d!ps*W9=NO9&;9+Uh~Zk4bhPepH8Ug$hJ{
zBQDiHL5yt(l(c5am3+=($lnq@0wyq>3?-2VS*T)j-|74i%Ok&-k(`@iPUj~~x_^Xb
z)@+8uwDHI%_f>kBPBIJF7nl-NbkD5qcJoo!hn!^3)q=6@vnNls9-l!zxuujePW{Ij
z8GAvW%v?>(g#_v+a6Wv{HvMBEF$Ieref;5?2?e@6>>PH3)jjOj_8p{lQi|E|dw|yLg=XTVH$i*wZ(U^FG&};$r4}NCS1RHd)G(w4_B1P!0Nc&!c`{Q*vM|m
z@{^8|(}}71g}P%-iHrHg%9uLm3jG`MYQV>P#?Y`#n=Vb^C2`UK-hn53A3r}9c5+0>+Uav~J
z;APn8RVw66F)j_*2yJWEslXPs=atr=%ccu>7NXGJix%3cOt;%2N+lj
z8%~W;8DYhm*ieF6m^=iK0G~2Sb(Jp9_z6?xt3?(%6;v3m{7cI#$=G#mE2P4KG~_7f
zmpQNWSAu-Q0dX!Ba4yh5`897tdBT%$4d{|kun^`dN>-YfDO
zp%xakcbp#y>3i_=ZVKw-wn&`5N-(+mze8(kZE9^#BEox!o8*9RiGG7p@SmXN
zb|hrEyW+KWQi^(H1twY~Vg+i7TLYsw+|w&z`M_6^%Ew78Vwl#8ol@+Ktt6X`Q*iqt
zKX-hm=WDMOAL;-B>APweNB9>XlFTqO2Rb2nR~3Fxh?*x*J}S?e-6B=gRwgFKfAI$P
zRvJl*_k^(M40s#Fq>ALEu`oua^jiI#R9(q%E;hs*@qytYN^T+vy9-g-7w@9
za>8P5?W=q;7D{c%!%o$UO-Cy{b3p{0Z)f(>E@?Yiw&w(*WUBLd|f2e^wPp$v`t;z&^dV6>*a@YEx>$A-k$9CUM@Dc
z8ao9Msjebcq1(0(^NZY)oIt!ERNkEt?zTS(7-RT6a7(N6)<(Q(oBY*rKMUQx{Hb;`
zm5**alBB0RgHbc{d8hqm;8R(!n?ftv?`U?PK0i5n%~}6?ktor5dix`=?)kl4gyqX}m(4Z6sB6Ekqth~eNfaGBS{l)7yU*6uk<=IgLm{aDQ
zAiZ^hK(iFNhX@#E$mv#jy~QFY`Z2nvA=guq-WZ;q%9X0j{bIKP;Vt=c9d~zB1Cd{m
zE1>IA>T}}X3e=8&h7)|(<2GZ9lgmK&JbD6a+RO}m~xbVSG@*~g5!M5D2@K??Ki_JZB(-%6PNNzrdR_(d%>*q}krGF;(>seY5eMZ5G
zzrj`B9k-U1C@#ZHUIOy}fxda=-opyHO6sB+)8%ZrilCiN!H`G!J#wZz=cZC6qt_3+
zmq+w$=94e4*`XgiHqJ=UL^AC>qjQ%nAMy}o}VDpdV9AV6hu^C|_
zKeP=#$Mf+vJK;_Nj<&WR6jT0ij;&;%F^1*$3$@+u?|LYH%K^cs7hi0^-h?_IHm-mJqP%%y1XPh!rro-wI=&hhpJi@}ErM&joLSWiMMF~;{CaTYPF_`SIw+$${Y_Zlb-6)ZzxNN{SmWsMl7m#=XTR`Ql}FQhI+4F
z%^>&RpT%)1HvV#kolk9j>y+8No8XrCwLRAVL)=?H)v=^&ph>Xc!5uR-D;T*H{cqY6T4
z+EttodOMsFUm@utwt&XyLbbqDw3m1>qZf2IB)*P1#e9S{8jNe)6w|P!C~rhjUJj
    OpDP3|0?=Hpn`oQXwta441dM0dMX2+hksO6Y7us8oFZU@k_kwCJ@Je|93l?
zNOOkYhiuJc8DB%WZ<@s0KZ0`C%&MTcboBpL4ikV+3llJuGx!!Aa;%FK9aeuG3>_Xx
z=Yxb#f)2fecftmW6H0z3VbI*
zL4o&IxmmJn8$}*bQK_EOe9&8?-`7p1;!gdo;QAXDvg0xe>Cpe&~`V+BUnIW%qj63uzC
zEv0n)KtR~?D&ca#2xgit^pLvhvxYwXWBYjoCEn(<3EjXcQUkm_M?jy)?x)g1gD+d(
z2$pZK#@Ghk`x@O-mq?sOMXj_^rP0exY6BD`QTUS+Ek*XO6(uV-lJn#7eV39pZTZ6=
zhvx-S8JST&>D%v82_)N+QqxJNvrr>ag;8|Z^u{Ht_9`Y9^}=^cZJ8nHY7i_Yngwa*
zFK!CUKnf|QX}cA
zjEEOQewrWb>Lt&nS4ZtqvZO0-&r|BcBri5q~CY
zw>513k*W~d`2A}u-&i!p;95C*wIZUjMUU!Ob~{SPT*ZgdLLnTsNcPEM9CFL)h}rjH
z5|ERFNPK*?4RDv4UZRV>AGfPAg;mPmTk@goBxQ;%D<>@}?&M{fo$JX+V&Ex+JRI6;
zvob~&_zGPlSE!uGvQmiqjCK&k$Kq(F%$%|$g4O79eD_MLg#OfpI}iQP4b_D)(PN{;X~{~`3469F>$0iT1r|>g
zNvMV?C%{_g9krUh$L-KC`?$1%MUinRg?Sfq63yTJf9q
zN^YaUW2$Ft6x_zJccI_VyUr|We5M)XebVU+BaK|XB;o4i2Nq_aCmrDbYN1{^X}Oz-
zoH)P1ta^NzS2#zbvLT4R2;478;1O!_$p=MfFtr(3kc|FDZ3xo?5W5}5t
zE@WgNANlv7y^caM9{S(USTrkM_=kkn@}Rgv{#g{A$^MVxA?u?ZyN*V5D+u`$qObW1
zc3Nr-yFs?Vi|b-g2BK7A&bF)FzRNa%gu3u6%D+rD9P$^X02M{aw&qxDO|fulBH@JS9PxpP!`b}mx*`ipa`lu!)ck7yA`4w|
z^+X_q%E`|FJT~A0XuP!zxZ$+oS(qrcA;Z+dOinUL9__Q@3Ivs%g#~z7_TjiPNjPDF
z+UuqFw^Nu)-)Gua>Hd2I*g&-XgZWFV9*atUmrza$(4O?Re0`Ld0=d5h
zeEngtPVRQ&k++}kZZ*lx!W6TkNOe-S(^?m@O?6B@54zO&1m*^*-SKJuHHR+R_W-U+
zv~TgBFAdb()d4qLpD%^mVIXaA5jT8Vkd|du>2`fww36PC`hBqR#tPmbcFF{8k%4Mh
zXO8uT|IyDeXk3ZQ+%7Z^nxYGB;Xmf>E;A3||KDx?3st#LdFcM9EdtZVTk3*Bbs$gQ
zPGwEjV}ryg^F}K?%O!vPvfcVt&hN*wY9)xV+LT5Im}X-pG@8SP7d7^{KS;9;Z-NQs
zg@F9MD}xCfRW5&REL%28Z2LMRW5-~f&$s5hQv{kEuhNXk!PcC2oBbb$5;r^#D
zDO4Y;x2EjH$cR?mBua#lH}G~!x}!KHkC5~?rNuG&`NYu2VbDb#-o3_l!a;3UZ|VD}
z+G|3t&lpFSJcur77@AKnB#)6(6gr^*q>+XU0#x8Abn;p{_Q{d)`prWtVJ3aV?fG|2
zQt5rW*FWGlihv)oR30{zzyX~G1opKTiDQBO?GJQ5gXnx1i#yekvawlD0$Nj6>s4Wu
zK}$=yX$XeK0t*?x>?q?l;^BC*yr(UV{GQ8O&HGM#i-tI0ncS*
z9J_#F_(>=!P1cA6tnqTrAe>v-2y`wXeBH)`bjU~C5Kii#lT4E}54yl%Ba#|>(x1QC
zMg$G+pc7w{HFqdei|kZ36MoZ)8hgxttI38FEqt%@OrtRsI>CO!j#^{Xf2hfZ4UKxQ
zbLW2`hYeGyE<){fs9WHy+fyoW!`5D5=^|MKP*tLE2U?yI0UZUp5a0bYE3vNIwQe!L
zdAnEQ!L>J>;$Zvnzk}uJ(EZ}Ao!f;D-PVbar2qKS38b2@e}gYe@DjYB;}yDzlGw2+R5bf6AS!l_GVU)
zMer#m{(RnYe#5d*P`3l}v%U&OcbaKbla%93}_0pyxP)zBjG1{iYO64c1qv!rlM0J5qwG)9Owa~h2QOZ
zqq9t5-St5QMtt2}1!_o#t<+EP6vMLq&p%pSEVtL%oywIspW3D7!M^IkXTmosVpu5#
zsK;$68UC*!S=%5C5nOn?wGDE3hb`;tf_27J?;0Dp&5mF5$r}wnaUC$Md3@DXnZLUf
zh@ouMlt0oDj9dcQ6Wz&y4RFa0yBJ%#9
zAH^6Rz6cK%P|RHh?US{}g*}Q6Xevz8{mq
z+KVm0m~LivA1P`n>ylK
z<7~qWKf2qoz{#2dVSKS}fxCtF>o*-}^5v_u4Ga8_-HsK`#uSLp7wcBI%Ok#jCi`wd
z9^VGO$Mo>&dI!SOg<#sXV$qla`?&@qqKk}`YNYqY)#9D>fS8zJocKet15Z!AWtCvtFeD~unLT|0u(tj(DFa;mIcQN#z6va`*w1|41{SMaw~NW5
zF#vY1as!iDqbonu_l)*6&{3KcXg_ZQ2Q0AfVzXckgx#y$z-CVE3ivxYnDX;it3sqk
zfhPkmGe!2(IeO{&+beY*e^A?ES|rPW3Do(l)*6DMck9Y^#4$1=A8Clk*A|
zf^up*!yE=f-BfTcB`;ZKQq}rik3+KaqwPZ>jKenb!|xApKRedlw3S~!&&{j?w#`nG
zBSaK12#aARW2G6R+d_Ix)?z4mdfX)s++UpIr=EkDef?kb4Z7**H_27*V0?
ztU@-}1gzl**nMxqr}hS0*6-MVbHi6$yiII#iD<&uol9#GWhxTT)qUG35UZj5?L*Pow~<2(dZr(_YCk&}RHNh0wsD112xO38c(iiX^O
zs~`+$t4&F$_>mu@H?$vlx0&qEK+du}2Qfg>sJ(WS&-NQeSrV7kJv1W6BQQytKy*kMR;0%G90L<2W+yKE+PSr2G6iUddG)K%ix
z_0UAmEQus2v+GSgdFbkq6GX!{a(iv$^jVAOQm4_S%wR~E0%9<`{)tvr3i*^zNGBr@
znFk*XbR)T5(qAb1?T$UqDQ8faVa$a{FWj&8N^Y`k8C8up3WhRRp;%+^pj}M^z?gx-
zn4ULV&S%AEK7|%7q`T-;dYNa@Cc3r3d$GlvnQ}O0ypobE*EU{q>N(1Xz?E7ZnXck!
zB^mP4^BX3;`c9stZIR+<02EfEEqS{Ld2NaLFft`P!MImMGK
zt`8;=UwB;wZkGs7DHrj5m83XtjNXvZWCSt<3YiegBi-^i)7U*55W$mZ9TF%
zh8w<$Dc_jcSa8b461?}&fu@v=d~+yH9tAL>;a3_5C!3ahR^KQ9Yf6N+pehxBeAvfG
zFV}o2#}XfWWKe*$oKf~1z^9NGKWW~4Uy&9gzGNWBqnPVKFT;aTm{BaxLpCi9b+vt*
zsaaZ*KR&qieTe9~hkCZZUa!o8fIHUmanJXJ#Ml&kWneZmwv1_89JVO1bWM!Ge+jHw
z;sNH)Bbajt!Aaq(hLpbN(EOU-ir#`+gP7EuJ8;2J=IXR>WfnO+)CEbC2IgnzC(%7$
zRRAk@!A=SCE#mC%D}36Y$LB7b0`*omdRs404`vv^VPaTVxl11V3chT~BeQb1)kuSV
zj|th*-@47^v2iz4U%y4>vT=(((OgK{lJ7nv+q^}#bqi+Y7R1i@5H5}IGA?G|YycS_
zkOydL`>c6Ma8nLJt+m%Uywx~71r_csh;EQX`;pBF+w8?}zhU>`f$_|H4ex}A4v&ax
zi~#?kkm2I5A}exl0HmvxIteV-6wh=~IQcp%-~C@h
z*__>95>@I>XpUEBhJWyD9PpA@Ocy1SKgHy){4=C}FNqeJA0sk#c!E-TIjZMkjG&+C
zhpU!-@S%b(dy)}h_$%GX-bvO?g_xi;)08|k6P#-P^S2as)(Aqa%;O#v^jG{kp{WHp
zV~;;h>i6zE8@S}}MfSPPb~(*AU35(s(xnyH-P2@U~n68Mb-9*i%{f3{TXVdN#RE0*;
zghw<*>}cLMJ&63^j{cg0$vH-=8ISSPH@g7F|CRl
zRwWE>lE(GOl859dpb8gJhRdm9=Vd1f3j!A#11>ZMTz3q(f*bNhA?dEH>~Ie7K=Dn~
zp?j`NM%1(sVI793rI1`oRIL#w6?B;KI%TRa==(ejQBxtg_^jvG16r?Q&2h16~eXxzoncr*V0|Ih`%Cr*S{)G24E
z&jc;Fme)_yU}dc8B6fflOe;WnT`>`AN{4;eOT-Cwx5G{4l?hl}XoOg=Fws^{^qK6y
zZJ~ji0zEf52Hr0^ZZluZRz9z>NN!ny%&HifMKL&qyhrl?J37yc{Qn|?Pn;A%>q}
zxi(c6p$+j6sFpi5aChOIYKxiCTsn0-=Dah*6$lR#O}+9Cus}((`5FyYm0rH}Fcg4^
z^7(O2$LTgy#uPpkK@6A+Ojj|y9*5C#Uhe{?EUV6y^)_Jiwb-
znL8F^P!xb7b0G+Z@0{>XEt7MAW7?A`RQ!;woN=TlrllmU1*`LG;a)SPz9ks=mHfng
zb{3-4Hy$$0QX+BCnCg?rN_&y{rrg61a&;jB$B)(;H%(C@kpmy1uCxfhs%{(3B4gcN
z@1c@CLy>U@)a9Rfe0Ji&Gry_2Mrt{6T*Xgg^jw)2SfytUL_Lo$3TV+UhOEnEp7w5j
z2Y!{w?Z*#d@>ZIczywCRQ+^yY`6I)sykyQHMxNfn5B+7cF)fGaKBlxHFrTKlUMj2x
z3(gajOqQOawgLRL<)@j8ie>vw!15I54dIyL!?AxmTQg!I{bEcMyR8Fz*UDTf%p>By
z#d-qo-eViC@)(BYnf1gKZ-w-wwJdJM=u~0R%syb`7@0oqo@2b-nssK)?B0`QPR>No
z8L>9ZIBmxff^mh7n=3P78I9FirNxsHWzeEmmU*kc2h&P+X~uvPB}8ny^$2@LAl!^o
z*ikxjF9YtRTgIw3z~!t%h2tHLc-v^))KR6I(x8Um@@LtbPhB=|Thm<%WgXWjshR?^X-
zHfTFM_iH%!*^e2T;u(%mDQ#=)0*Fk~)tusMT$I!dLUPVp$;-lcpT+}gx=$`wBpRuC
zkl?J0tK58}wqnUHjYImQqyVc9akAU{g`SHgXggx(mtp|VHmijAOq_Fel*5fo>%@~l
z-}7dxpy636f5XXq_1A~#d9vaO<9K2x&jm*-0Nz#rUQPoDfX*ew*5TpVGZZe)KJ;Y3
zv{!Ia7Z?=;yO`lUw$vCphTq6-DR+qd99uQ4?bp^JkqB0!3peaPw*l+CGOfWbNtH=d
z>oYqJzW9;D1Rf`oz$RA`7{Qf^NGj};nARsgq(iz&400J3;4;d_Wsv)eU^dVnq0RN*$v_yEHGlS)dM^$L
z92;bRqL<}JDom4@mLfJIL8^-h`bjTBYj?3!!e9H|Yxjg=%kno0wze~wqnZv5M4V-a
zKii)vp+=PKiFCVunwXN`-!OkOM=$4k+sD_p1NCSUSPuVav_YUjpe0wmSe=achEFV>m8p~h6g>r6DtPjF@Z*n0?xFSKxD`Dm
z-3mYN*L0J(6mV<16}J_&5iuVb+Em`sH)`0hRk1W`+3=q^+L+oD-OirIZeX0HWwq(X
zveGc(AWa_)n6Vctx3{t!+#KCNC_}IIJ9Np6)t*jZdYdZf+}}>*3Jb@n+jtIA@hGG{
zXrHw!cv#&vb+9BdKR<}NulmZLhRIm&cLwICWfkyCE1UE`t~%WFBs&@TL!x{ueWxw!
zdZLKJpv?q#1xvwLdTE*`9;dE&pj9GWX1ShmSngs|d}+E;
z&112$a?{*a%1ux@h?kF|OL5qGEq(KRSG&0(>aN+kd5_k`Q5fTCy1*mZ^tk|B@duUv
z9yfmayRcOgdg-*awB*@m8i|+`DJ$j!JoyW)vQPER6Nf@aQJ)K#k7f>5%Ul}(bak#}
z8s+SDA27j}R4e|by83YA^(&2p#
z157Tv!~jM@RdC<>s^G%#tKdR)>9B_W)QdLHCTIh8fYHz)noiaOfu7*d3j=Dgc&}(@
zSzttYI0U$-r+H};Wg1Y&Qofrlh9K@w_Y8={yA8#LejF(5%D;g!!0E|@iwV2XhptB4;yx1<^04He@1kpvN
z0dDNDZ}k73+{rQEj-|vS8WJ8jm#udDGaNQfCIL^{g@zT2kBA2LL;TrE@?-#e>VwKK
zGtD0vif@!U$!}i)^T<@7@jfEEf#P+s--2@Igw1w=&%aI4VX*KnJ7u%*{goID@`NmC
zpJhUgJmR0-B*Tany!&xNgESdh(B9vT5UHDbBfdd^u63oau*uhIKTjCx12khq|A&#B
zX9_a|2Bno`sOdYDtY|=R?jBRbKuI!r=vwh|IXIwkRWLoDc=}vhw^>9!&{;Dn3-Uty
zB3nd0V`*dDYY8@qXM+d+?j*T)IK!_%#TY4lE_TPL&;mNi*%P_9e>qdzPdorzapyaK_!{e_cVf{q2KL^^hl3=w+s!)tbQq
z2oYx=#gvcOMm+FcGKWlb=RR&Wfqi+y&>A!B;stSn&F`&_cxk2_I|{#gKm5?bB9IO&
zfZ!gZn1(&oZjx<19A;bL-SvH(D;eVl89PLuY1XA(_B;;FekhJ6IlgyOH83HuhXn@H
z3XQ{ubaOA<0CkMn+x|RF=|WKxFrP%g3n=9zWF&WU>YT+`FN{tZhqf94l1?EzH|zXK
z!Qguo%7)E${JW%5q@au9S*_znSH&<*`M&Q6tP?$65?(xF;HKzs`|u@5)@y51Mr|G_
zyL~Yb*WVoRjYy*6wh`LDQQo44V)I>0fN#{M<5tM^m~^ZlSvMfMm7(T#z{DeOTodav
zq<)r%Yby#}bNF~ivY8W;C;c=n&!FmeUM!)tvze5{Spz3E16~j;(`i%TlKr8=;m()8
zttHY$wp}K-TQ;*@PTy=)+-{s9GQ8ZGSCl8NA~__KV1CF4HM~{_0n+vX`8yF@Nrk*u$Hnvvh3N7gFI2oj8>$n%eo6-@qT
z0Vdg$+=PB+Poa{1(>UMSFZW5uq_8Ny0m0t-RblQT`goJ`fiQOS$Gp<3d=!>St_)?l
zg=;#KVk0I*9A(qtN@lziOqp>KwQ`PXMObCi{z`)~s8bITEhR4b5Ay^`^{L(BT0;a&=d}9Aw0emgDh87wm__)^)+
zxm+_I&m1q^hI6Q_=@8060_4{a`@KbUC)Bn6U#N<ACfYur+yfTyu5u^3^qSKczK9UgyaqAGv+xAa*W2L=mO0!tVPx
zHW5QOIaP$B;ok?U9e%b1$?c;Cp+pP?;elOEhxsrcq8NAIhq1kR!SXRG?4rYbi1v})
zP$GJViZ_#@dOXqH*n~6?MMHd>c9HdyqUr~PWncRk#ynfc9ORVX$S4A1>w42l&(m-%}Yz#>N7LPmYq&I3NBx0I%hoqybIX^X$PiI|XfvH-cU_G?|fVOqv&u$N`6+f#^7
zatY65H@YgSR*6_Wv^TV~ad&28)i45QK~7$mbME4G*Ee}1nFajA5c9HrS{VN#J2c%p
zh*lF7YhIcknA-VguNm~hq*;HQ(pFCOya*3{e4tF>E0iomg#a@d9J5zX!y-HklVhQE
zS#aZPp}z`4BDcd}Hy}+w!!|@sK-|Zhf2Mf7KBeS@0MUIn9Pi)DMvJBu$g(b}@?NvI
zVVz+1g09rJt*hV^qqKl}@t-14uSb}E7<~Jcr2NZ@=z4vN`pwtZ=56){2`dcUDfA)2
zOD@ao0~WTwz75o`8Uh{fm&}UXcEiRuMUmhKyu?hCeW4hUkaHccRe9T3jQHVJ5rQ`r
zynZIUMpyu!rewrCSTQh*N?+3@{{bt
zXl7FUk;ir!oe;M=4sp-tiT-M=)1LMnc!y5r8`*#kn`=YRP`^E0I}kkhBQI
z9pbbY`RzleP%TjMx|kAyKTCpu84%E3XBGcce_{MF=Wo>(Z`3#J=fSnx6HZYq0{^H1
zG70giC;d|$OXtn$UxNQHf!(HVqUY6Q>ZmEdDldYazyC^mBae~%mH38N=)?aM3bLXwhRes4
zBmtBj?I1O>nBr=guMz^8yBS%F%5M~R?0XqyyLpIKVS
zV3orVjJNU4dRjMq9>ZGPy;`_pT5u>VrcVi9MRnIiH}MFTqa>VFF*f0!rW9>$e%4BX
zoZCU%h%^>N9b(z$HtQ#}yS@1!{9JrMCT-@z=V?02Nio8wJ;1+x4#LNgcoJ>y`%U*7
z9^4>*Gtqgd6&aS&m{~O@C|lzdW8*ryqW1
zM4a+X5jsH>HR4)M$
z3<`d-9LY>B&fd**G0jz>%~fC2&M3^9E_qgbP0T7)SgAcBt7XiI2G)v-&KQ%SjY1zpDrf?67X*0
zPFNSM-_-3`E{=<0#ZLqnW=8{tI}b^=(@xWaIt5@qJ#^HW_lj3sD<<_6lIkiLtf~{R
zRrtyYE0A;vjz0|TKN(uoh`OL#;{uw-v1k$52he-fp*&pDtJ1pAzjmNs(0)^A_-0wk
zlmL9alAAO77;|r8AlT5nY=Ob(^%_;0OO|lCm
zU~8%1JH$8l`(tnGjA$lFr_~kU{;6-@?-FbQAM*JQi}(odo9_J%{2J|@4^-0_6_Rgo
z(pu~SAFfQBYV$+bc=KUZM%5jxKc$GqMrA}~#m6Ns1
z10&SV4rmY8t=G_(KOk-qJOZ|sjlr)+5@DncsjstYCqTI30N|mT}^(@GB1y31h|!F#8Vf2f{<1DsE_T-21u@9z9AsaMGEVZP
zC=pk=2pqjsIHS~02As77X|wog^~7o4+D%;2T?&coWb_X+Ns62?WiL_-c1;CFroJQ>
z&@o9PnI&WtDejV&?1&kLEoUMReYROS+CJ!GdIRQ>W{~m)Y7BoR9Vy6$FCe@BL1w!y
zcNwnmTuIIf7ClKb@pRdpLU}R>+2G)-ycnCvhxpT3fg1KUc!7rzkqfVx86Ks^bbM8`MA*mSw8)+hvC9_4L5-0?zSytL>b<`R8>6F+5)w=#50yZaIuu>bm+
z(T^k(;f5)IWP{AAhAKaQ942{42GN5QvW*xLAo>D$V*RvZ{MM5F@WeXdi8cbGPhF!<
zv7%0wqE7imZ?gy=lL;S5egfb)Nkk9x--CeNPXs$F_+G?Xs`Etb4{i1%x~GUZ%s)QTg;(Jp8IBe@W;jD)oWaVJeNni@fA{e{e(ej}jPl
z*(GwXOZY?^?SU@J6Pk-BGzm{|@bA$i(U%EDQ18wW7QWKKef=onjG4fdMMjdwdQ6{s
z&9Pkfp_~;H!Y#F1PI~I&w{zi@8Pn}oazm7e;%|d?*rM0qbK_@ozt@&nJ9%fbWb&47tQC8s)ANd^dTr^(2Pa}pgw;H+=7!1hVt&#
z=>jX?d~?^>u2{cIuO5YZ3r+;@88SgTEE;|7m!G_!~X1z|vq_Wgk
zdLTT@nDSIzqkYJ-dcpYAO^}SA9c`3YSdM{DzC|N^mcVc;PW&7l)W+DMy?L6T^0)&!
zu+Od@)viRTPmy1&?mhN68o%7BJ-bB_avIxnJMfBg`#rARJ9xG)f!N*rs9X51rx8TA
zeGV=9S#+>zXm+?Bl_)eSU(f`qS&SD_dY$<6TQae<#=&Tuv`pWVR|SSFbfFFso}nl6
zV2!i|?Rp08wr#Z)o6uoYfw-O!ukA#goSXP_s%>bhWpS2Oa;%pIng)f{3ZPQirp3?q
zr!OtoJ4R5*uQ|^jL4SAr;F`AG_HhnbRRC9Ej3*NF7T1MJl{SKl<~{Uo6xc<-kF!As
zXSEJ4kfTf#78e*t;b4sL_U7u!o`^10{31+U^b4xs_f&MUs9f5
zB3V%P1xU;f?Z921H;Qx)jIQh1HYUQOg>>}Tfn>~3cK3L6_gFN}pERm)QrDxQsRxA+
zt?RI{&ZBvs+)1zN5jCnHP=9)b#^DuG*4v|JTLscM4|m10VpC;pTV;}Z$V%;q{aLI#
z4birM!F$XSZe4=HHvdCv(OYA7F9w|UBp?CFD*t9Qw>kPy1ji;9q;UcRdkZGq7QBzu
zS3k9bPJ^`<1G~##ztJX?;RSBJ3Xk&D$8M*CTStem2?b&8ef`4OzUpK3`b~3VcLnO-
z+Q8t2Z*$9jg#b`2PtqV|NAU&)dLYh3j_FS+EAc_Em16
zGh-9r_I>H2+q4aJ`j6r3zWo4w!gX|A?=e3_n@~{f9QN>uH+>@Qbj=&+6tl+^8Bn4(?SWw*gR0ffg6e;`ZMIgYB0m5pz3*c4v5AYbV5Dwoaqm&2>i^;Fz@-cSH!+n$N~9Tm`z
zY`jnu(8_GR$rR8)Yd&{Q!~@iv1|fv;-1f$$o=sZAV*^9s-dZJ`-rqY
za@0(WS~d#MTwbv3DBlI!fzOe}^Gvy%DZJ(HK2mtgPy`3OKVQdZG))e{8Ly}q9jTL>
z5xE?*^D;8?e2c*8$0s5t#z#!{(H-pZT~skzmxHz7p4-fA9WJO4pF;L`*Imnkn8QD0
zNfZ1Q4v~F0#CygUY4-K|@&4~e{?-Ku{<#;w_KHafmZf7()YtKTO%nq;Ow~{!)SoRq
z#%lC1N+E*JS-*~LQ~xGHCjQhjjBBD7-$c)t(Uz2b9vSDmKinuUz$M$0f4p^ce^sWo
zoD7o%H7q6I8?5k}Q6@*tc-qANsE0!VPV*Gr%0k4C@4TPYvN@i{({T1jO&pAQni-&0
zoJTI>$Fn&$_D84oM=2Q%kT9zuTb=m0s3oU+`J(QHab)<(-@p8#{g{tbEj)CNnsG`XF3$_
z2N0a|0TAj3@|=n;i|O>*`LYO!t!*obzJZ_ix}wdwpwwLvSs6
ze9N3FAWp8v+wQko4;A$)Hd^OSSIwPHm|AWy-Md0=v~oP14)C;qtyNdple*1TRi_G+
zm%UQUT=0$BnHI&Wd5pm`dK}qh2=cuklvdL37SOvP0_9E!
zRw2OE`VPyFy4RHx&OX*x$q3c
zE%agBOJ3aSDcnog6~nz0HD_X2TBcnTmQH!F6}202%q^1v%8RGJ$xC~zr{zDjo$|uI
zS$9#yoDLGU&_h;8bpEHXVk54>PYD!D2+4}afm<|%yIM}VnDd~V1
zA>Hqw_F)fU1t^v}W?3+b88_?Q=HzRda=YLejI9@A5hb3IN%&hIjcBQ$7oPj8+oJ&|
z1Z&*)2P=7YSvxM=jFOEUWK@Gx(3BM(I$~rM6xvvrad>@eNm(HjrR9mTP5e7yaYMLU
z>3!eI%!-+F7JbalcFdK(Dz>VHE#4G#w8-yoneKcvS1M<#+$CYM+;ObKbv9Xnm*AYe
z$TD>=dsMrt!zvo8L*xB{hug-o!^64aE|~W0_^E_SV^3*C`0#tVdd`pKX0#J2-QLQ#
z05_-k#mXsN^CQ!wiZYhvwo<93>9#A98SQx+%Pwn7V$L)E9BC|T>(uMqn<6RLxqx94
z`czcSSqHVL6-oJI7reWA)i9$~)DEiV2J8hp_o>)Oj55^1hz6~ddxN7*hyv!TSXB76
zi-@8}RsaJy1C>?HT^3nZSVLHYWotWQs_F5Q`e*A5s{+M<)s#j52A=66@dtjuz_jTk
zz}NJGNAfO>pJNB0oL`Rjc_b7agU0
z;AM1*0NXk5>xI>;lUb1;ZO$h%0hCF{Jm#ZQ*s%XYLk2E2YPvh*-@Xnb`Mh)+BH)0
zqg|*gz#YZW(wFl4`gRZSz>vY-mlz^ST-+~@^r_npoeAuJRl-6>zGmHr={Y|oBZ-#O
zka9N~7yeFfS)9jJ
zhuzfW$!Z5T5^`Q|ge?>C6!Lle0`5L=m9O=F`a``V($YQGQuCT;cp^nhM$!!j7VB8F
z{|#Gy`dHLWQ~&)I$kCYolXGbs<@lb|gt-*h?1|n}MsV=W*t)~bcS(R<+2vPy%}T(q
z2=&T)KvK%1c@8}LzAv||fBkKmrFgTaQa1N@dmgzHki7$4$uoq>W)HxDQJ
zjJsSmLXz5Em5uAaBA<~jY$|8kEQ~ns7W_~bT)<>U+soP>%b3Bnz`;?weSjUM8OW+Y@7WA
zs}w}q@V5lQ<+kCWHU>fV2HX3>&pS7&PqPo1aAT5wm*4kl>tnS1V^VO0M@BMSE4U~|7DK9wCN>|0c%ALHLbd@eHlK>fT;P`$zM5{Ho^n^mwKT?r
zB15r;BwwBhHcB$Xdo_idyIrBkfBm(9yvoPC(r0Q!T9Lt?ifK(FtoH-v*2De!gV4r9
z^Tq?XKEARJKAPIG0!e8uHifBa+L*^pQOF~OVn7R-x%QPjWZRh{YDO~*ja#WU@by#+
z^Wx0c(P6Cy`ZNopDYZ3K2^Qab3NMI{Ee_dJnn&}~Yl`+P4%t#%M)R#|MhapDpN!<&
z7N)J4uTmuc3V&3j(nk~wZ;@We*R5vbNIx0N0~V$|nXfV={{@^)Gs|VttZVpGa)0Vj
zHr-xfXiYuF-)lFkFsc?&!(6hFO`@^gE(rH~!}_uxm2K?z4#ED%&6mJ`=3e^QU4^+3
zkqN>Q8t=u_oNa%L?bf*&-+|e6by?`%0%=iu9O_l;yOEF9F+swzL
zsOH#4RaL^Sfp^wg2=1d-qt}QiQtGjs6W36&ibu&7ZBymb&c=F@PyH#gFb@fU)0EZ6
za|0D+&d)4v-)W!J(x$)d6*gfr-LMD&ni{jM8x{*)$l*qGF*Leh%5{6+&BS32WDC(3
zMTP3)T2sUwEnLuDr*@=Q6!FblQ(vcqJnibWHT?-rdz2@aA7W`JH<80_FRmq*Z0eLh
zl>r;Ozy`(EPOb}Bk(O}rT)%wJUZz~1Z;+WD&cj&Gvwamn<2w)9AFw>0ph+$K@`qBH
z33OAfuf`%D_3`_JPm$sr{dqXslW=yX5I}mFeNAhyXVt#yM&mmdn(NrVfbvy0<@2r#
zX8}pH(U1iHw3&P-$%demjG@`|{Fy)M|Do+Iz~b1lwPBnPEVx4icL@+Y2^QSl9U5;m
zxFirf1b2edXyY!yf=g)Jg44J(jq{V7nYri8%s2mi?svcEd0D*sUA0%y)m_EftGf2i
z%pM6zvE+2&8+sX>La*rWAV(^IBPG@Oy@(kW4iZUEkk{`2@E0S1tT_^pU|IPEgC*tP
z8MlA#@K61JHQmVNX*(p4r8AJkrNvH@UW00dit2JSr%8IRj4FLE;HE
zrbo3D?2>;x#=IY>uBZ}#%2b3BjDKgo
z0Vqp*I|1nu?OP>;+6sY?znQ3D$Sdu?8{*12OilC-fROe+MoE-$Ekh|^kjC}<5q<6b
z$0Y_PZk(m=A&`+uK_pE*hzT!_=9=+eOlSx6$u$78#JQ3j{ofj<%2cEhrd1xj0FVbp
z-mB6%vszVSUQ|sr%HQ}!|0(3ZHblA`DG8V-{>k`73{?M**J~I&;
z;Y{W^Tf-`QB~EVjZVe0B{~k*UXL`IG>Zv+P3vqSuL&ht)0q5Rm4sZT&(
zr?(_AZz^R{P|Mb@BsSHUSBfGJBz;UAqf4b;>i<#Yivr_H;^d*@*VOH$crz%=rP{c4ZZ$
zicswPS4tca-IHSm-qvOnoEp~$M@!Bd6-WM|^yQdQ{muJ-?Ea^q1{sLeHk@f_f0#v+
zI-w!=(Afjdc`C~v#(da+H+7iqf@tn>CUE(!$HL_9^IZqlGxoU6*v9;iW(;xk?N_#8&JLWvxLnDb%lkb+|F-xr8g+ey>S^($
z4>NC;>~P_4inK+kG|Znz8^tK|c#B4EnExrRS@9*>q>pc-qktxFzJxf_xUy{g+c0kE
zq&stMhOB*|>U{Cv>6iPs{)eQxX5U4vct;%|n2@TNU+`BtDHu+hKrWZxt6B_J2eAGh
z>4vOnyNFjZj*2ZyajgjB5jW64rkuqSVD1l)~~qJ-?Y^*Xf`2ZH3d0j3vDBM1sSe*Iw5UiUj?*f(`@6S1q2#DA;k&___`v&DW7y58jNR5ONx5Z
zA!GcK6ghL!_C_hNu#;y+=ZMmix&`45)ewavFsYMeMdOIvld1)A35BOa&zRnmq6OJ9
z@NMg3vHjWV51vEPow
z5`qj4wC-FR*Zeq4T@S~07ldGfF<(6X%ZN(ue1nbQbw)a6IHxf`Wszfi|d%g8rBPtl*$O*QU&TFXS)SV$h
z@%^5UhG}z`Ki7@pbI73#%=^NK15OX{=g7X2L;fZSX&zS3O|3uosP+~+Yxb-~5!MZA
zY4j%r_(cM+U1oElN1uhR1uk;vZ7JMMN{T>p42LOh<81TOxAW{`t2Xi$hTaP)JZ9o&
z*w9vuPGG$I9)Fv+SAU?6ZL1n1v}cR#f5w6=Ed&U5;mV()CvTS{_L4sXZTXC_u(4E8wsrnm8GMwx-mU(&abe(sPM!k4ok=;=W;AA?!Pe)p-ZFH{4slFIMbi{y{WFUrDuxAmk>gVCeUi
zU12LqT4vJ1RKsvgJao%~foVU!h4RwAGkT;R^;DVoJ>#)(yeGA+Fz&t^_na-#++g$@
z1{1lhudVc^atyz$5`!~pKRvEldh#asi4&9H9dSvAk1m
z{cH8y*Z5QAf%l9X!tp0Bw7lA4U1{q-6;2*D@QfFZ2T~i-Dak%j
zGoS~KMN{TY$J+G`KXs}bjp3f5BX_*!e1wH2-l6RDd?manno~s#NI%jPMsAyCs93i1cFY<6;mgIdB@%tOGtbCU5jWA=pF$=orF##4HWV(;Bb7h
zMf3v(_zw+S=!P@Yf)oZsgmDLYz5nDzCfh13(TbIC7^2G2Rg}bIoKII;lVix9ZRn8m
z3+(xZ?9R>(BwKZ4E+XYu&4%i12LF2YQSzwq7AVr>D$<;eys*R#x&)+qU<~H3pdY=^
zMsqJQ;j-5-tA1PivOdV(SZD^(J;=bA|5K323P~l&9`bc3qSF&fqy!LM9S_btS?GRb
zmwT^?&{}1N^UTOAJF9dT4hzbE=h~Hl%y>N(#?C|>4ch8BT|qtKIC}1h(Sl`&SP?Yc
zvAcqOM4ybf(iMceYk!23jJkw+7zpn~UlBjTyCC&J5=G4l9PPB@ME5~#LwN@2dmOAG
z5sYfgtBw4)Q@0X_Fc`n`4XmCo=n*4o+8co)1icQ;N(ERF@lPREYB`l-?z$#HdLG>C
zS~_R%vSxFqDZ>LCsxptoB1p3#{9ugByDwk*hDqZd7Z%R1bsqN|_Wd+$9cl`=@Bv)p
z>o&^W@p}#S>HaVQ)&oMe8Wj%EEma0sWm6=XvI^pL6q%|SEr|0YE7bnbez%5l;&tM=
zBUCL@MvJ6=lZPH^CEBv7k}}ndHpFzpIe9wqFERD%4q3|z@(z_JnBrZT>Glmu@_OQ5
zMtreUnPB~=ZT})B!U6;X@iUptJXV=Zgy|v+KTNA!mo>=N0^8W<2kx3!^P@dvsg#P>
zVpQvo;{`KS`_!PGzXc{YVJ)QV=uqD+j=!mtN?~hE&cbxjh26*TuQI0=!vBDm==NoqE07FbU-1Jv
zF$gp?YEsE>eJ41kpwf6QO#jX7d9i#zpSh>J`){~<%75tV&OJ(g6chGW}eDW}5ya<^(Q
zeuYB&&!#l}KtD^jYp9Gd(a2kMG$;*8@uIX?jOB39IILO;!yNk
z67|xx&U8{;`I;Qh#`S*fbr+48Y?O|FO>bUZrV8v%*}hg8`@6~~;r5*)Q=>(%$$`bx
zc6|!mqJtv=UExT{9adQ@l_r^!@+{2P2~m6=c9TF^J8-BQAw?}CSTc-F)=tGV0$(qF
z=9^TS8o)a}>d#tEH!)ouBlx2)U!Q22S=KN(TqW9f=`k|yw~nspm{zoFyJ%lNkG<-~
z2jBix2p*;s>)^rG0a{b=?{w#B?{A3|Y}_4$cMW(YAv{FpW_Kz9bSjJsE?!?De)xuM
znP75nEOLGs`U)3945BI-Zj8)P^7=23I(cGsn5{4hqy2XMY9LS}ACU(1(f)}e{KXx&
z!i7N{$Jj}L6BEqT6BTbto}aA9bcgYepw{hfz9@g`@;l;RqafFu8tS9ke{=_XCXKsY
zwDi4S9+q5RCkFyW1X5HZMn&_+q6zoTMHOEf?qB0(WL)D)m0jby2?%fA28;QOW(%Z_
z_&NGMzFK`%9#=L=w|=s(+h}*Bbx5b&6vt%1ZkY2i(wSV{mT-M1{z#OSfn>1Xjg?^<
zoUW-@Tp}$s#RjX$CEtyv-cJp;(gM6j&nSIiS#}3^-Jiv^P&0bzx`f2(_7S36
zsc6CAT*Z~5x##RH?`ZDajV*(pryyfr
z8(L^(C(&2XXg;(p!MiZLwtaVv1rj=>Z}8ml_O9)m8e$fl(X6Yt*R0E}J3Z2)dVUwE
z@3R_joqtLPp%DPQkhYJ%n^%Ha_Dc#2FmjV`lSJY)9a&4qrdejHT)hVp9?u$`jzAKo
z#G5EFi+s!dyaLB*Zql~Y4cA_72yP14#%LM3OdbyqK-hgl=gQzktyj-#mBh?Zio~y}
z_F&rdfmhjqqQlnjhIw-ozg)I+S?5TTE4<;EN(&~=&NsBntF#;DPOzXDBhCw!|BPA%
z!^x#;ueWLqzMBw9BiGNN0g?p4nz~yN?NIQPLH^E3-~|-E!6XgYh2Q@*Io$8R0mWWr
zOE=+G38U1oA2*zt#-!z=UueU3W2px=$S_Vitev>$l@JSedY0IlzBOxboV)!{x*9><
z+F=+@I#b$|UNPfDXB~?erhAH|8K~d|-awE4LH?+>+K;Ls3^wl;cJJHTcaNAndWCcw
zaZgdHtaZ`8b}wnnrHzyrw6Vg_`r;_xu+&f$(=GqXkVai>yGXa7UTFDzCP%aKuDV?L
z*&XibJ@XXiOy8a65_zivQI#*-b?I9D^Hz-nW1(Fg2L!yjq$<|9!-tE+#^g879n|`E
z;o6?t)Fr5&0gY4p*W82pGj_QA5#PM!!>CAei^5Z{)!QxqebwDkOJ<#WvtL(>_#xk+
zxj@tgvaz7&=X)BYbG;TXXz*!wxPUj?_foJai(qkB|XpPyJ+mD+953
    F}woT
zIx({Ow~?=c{IbPJ5zvC(7;};$g#;0Fa{7*mQAQ%X=w$qiu85S|NqUrZb+@qZm2{8e
z#ITitbb#a$T)aZfiM@b%fD8{t?{GbO>iI|*iyAQ|sIOyfMW(gup3swA7&#MlG;pgE
zbH!*y@(ACPtOdyswIXo3lVU}I6S)P|GN`^&$e393;?cR4%3w*+&(Y$ajJ!7jyp;JN
zxsy)u+p13y5
zRv%)$M#nwp$-1;D2}vU!Lq9{keeKVQfQ1s=Va$nwg~||QV*H8}Q7TB~DQ-H7R4~_y
zxzpoUMCoX~K|ealj459cq@!A+Lg@qC7)!-XsGxjKLJi0Z7zF{%9gD`~bd6ev8t`50
z+FnHtF2xnuB?_bYUqd*>9l+vzyz?acghy=Ku5)WAEN2Po^+&#mq}#IVc7*0hFofU;
zzL(eaf+g?1ueo^o>(fWm5o4UPME*nb@FmNcrVGmqT3s-eF~bb1dobe+asx2gyHm81
zh7tk2^O>^DuD|MGO(v33uvJI(iolVuC*loe%OgW1j$o~hl9h+40X>mhFf0)Uj8)M7
z8(D2@|3g;mRiS~P8O)pgq!e|x1Ff}l?$PsXLOZmLY$Q8Gy-q&pc-?;|m+HeBKuqN-
z`z5LxzR~X>)c#8v2Ij76!BI=h^V=-&i9P2-2B8--A*5yy9mpDT$*5%vT@pv1oalNc
zu=}#<<~ihuV`CjYpv4avsa4(I&YOcP6_U$^C+OSkd2r267gzdh0YB-Rv=yk!2>=kK
zeL1v}r)Q_za@&%O+BTDBZ%z^bk<7Y*%yW^=e~v*r5v{$dV*flKloI?~{a*U1DHk5b%JuP-UQD)Q<;Mzz`aL
zD1LG#^8PAZn2olcZrwep#baMJA4XEt7?Tb!S9mMgX8N)y9bmqlDHS>p6GaJ`+Ad;H
ztrE@+ZG&tV9|iXwSgxtR@zV_nqzXS#s|SF15aENy{M_ZR0U!pn)<^+i0$-p7HcA
zPBVIYr;qrqLyZoUROpSMM&E};(tX*BDMp0+H-!#wbi@JAAYZDeIa{u>PZLsss&j11
zxI?eY+yjcEy)d!%1HZQBHHE6f8?>PNc`X@UvywUd*L}>7~emq^G_pOdj7G3vGG=Zu$A)mZP}OQ!B`{h;sNQMR>ht6
z=O5vWzOgMz^ZC#;rBuv#?sndGEvg|pOKmqUtrR*?MPujVA`?wYu6>9mn#$^}W@17<
zb>$o$M6q5Fk3-aS)&oRc>!m9`88^jgi*>xsG_?jugym`E)ag-_w)SG&(ckGsaox?|
zR!1t`9$t#^JRh(Y8T70EASl^tbyE!hMp-tEW^5nq9c;BF?g+s34n~Fj3f#F5Hv~p?
zn#ZeW2u@0mEqhpB!nG7M%}QK`UA>3TyoS%rOn-D2^b_?bM0vlYp19cSP2%;t_+H#U
zSbnV!uk}jfS(pL1mk^ar)lpAgtj7|slbdS
zP3bOA`6Y3_KqzsRQpA0Ts=;dHmSb=2{j2iZ;mQ_VYoa(CBJ{?`ti91jozY3AQC%W2
zjP1A7#-juSIU14K8u}wd&xVM8`jtPbcb0sW!t%|t^jxB}PD~5sI!*rtcwwt@L8#$5
z>k8oYwZ?EGzWk=F(`x(pm%C-p=>{40@{gAl-+P3C$0(&0`IPXuh&E1cDW478^=H;b
zg^dGrK#0R@@55~Ib)aCQPk70t!#T*f!u~vNczu<4#PE$odssD9&Jz9wok}lanN#L#
zcH#@YD-C%eYpNf64_6~z@vyA;A{wAe4
z5rlLr1}MyD8`qJC`p_(AMd!=+!1Ic-CmqhU7U(&j~31xb*-<<
z4b%-b;1D^#aN{%Zmm9bSLr5rNYO_vemR}{0rfkkTBEX`QXWL>yg@?3>xe$b9GS
    8ef8K{ReTQT1j*|N=yGY3`pO&^8cVFIF5q8r(x&+80p#lAF=a`?4g(d=C!;H#LV#ibs2NtX>?Se4o7ML%Dy?bzq#UFV^!Gucrb
zr~|TD5iwI;@m(9~K!*-@go4agUO+gGiple-l^sOH-v?+dS3q}VK-gU7h$KQ?**&(SaZng5~u!~WUzH}3OLsy*#M
znHrsjUq95wV90I5UigVz{aRlcQgUHZE?BR~(vcKV%{q5husCt_EBv_}5%`1BI)=T#
z?=c&Q7Je1aw(U1FSPOrr1I!KR@@w_K6Q+AH6zVCt+r!<@_sEl};JZr0G
zYO4qHXqGcMYq3iEn98q^yCWtSH3=+ll{)&r!H2-#oh!))#0Pc9aLety%^Avr-eofWm
zG+3{Fu_w34gSBxi1tga3u%?ltVpsHU7EpZdQBOoV`+MnIzw^o{xyKq!!@M$gEnm0k
zuMfJRPbU<6fo#d!7yGWdu0*HJO2wjay%O(@CQJTJxiXJ8ZU${hSnW)HbkP`;d6*KS
zl~SnX9c+xD{n!sdEXX2TTj@LzTHQkAr6Lc?B>ACP5jI=MkfyYwH~i0cBL0$=1=M#u
z3;;aQhma0~;2qa1$VV6#gg$7Z=+$pNpZcS=p`E@F)qdx5MWv0>hA!8MYj=;wiagk<
zWQ=-2_Te?6HuhA&+e+e6WXS+v8l5rn%&$aE*=W;J8Hf1{@Xv{(AL5_#MvR(F0FyBS
zi4!vJQ4pzb^9C|~63d)?Ee;FP;q{A9Yb&AM;I}6e=Mv%6G9?lvk
z(FO#06q2Bbj-C~KC#D80eVlRxe`J63U+-%af>50U;(t|^QQ-mJoxUr6zF9DYWE^Ug
znMT+nPeNfdYIG$i@08k#%@LL-u`qfjI!AziAW5g(ip9}mPofqyLv+Ug{!Xmd-j&w4
zQ}ZiSoR}?`OUQ@8xE-M@FOIk_P<$SXB4-898sl6b`Cx29C8va+pcn;Kbox{x_#mHj
zzCHSV03$l_D+zB9{7?ovfR#u$SZ}@3h|t<^4O$X3F=jgaDBhsN2MuRast2$cKjhr*
zJ3UhlPf)!(IE*U{_l%0SE-_)R?;S*DX?|-QGle9V@L=SXr?2uzP_3!atg4L=8sOi>(hZg?gGh2A6QC37?yq-DYoH!E*E5fix>#Oe
z72aQZ9}Kf~L#ZI_WRX0Q#k(Gccosa(WTF|3kFgr)&~
zSV`GjOZnzm06&&@Ig*b!VpeI9MFqJcgIt4mnWrky;#_|pf%ry;mHRXuAhoc9Xr?7z
zW&w&4LC+7?Z$BiCUY;ibwi+@mmmfwncK#~p$FJT9D?W)K=w3tlXDUj~Kodg%lb<45
zLNm_9S+xmTy7WR{qW@Hnv1%XWnfCM-4O_L(@l1Q%qM##Bk!bJs&?lUm{Vf^E*T@Lv
zUP;Ea=kd;X0}YQX^glev*d$*=B9yx%i+(q(Dmr52*A~Q}RZ)!9R
zwUF!Q!jt1V%#U!L*cxyaida_5YE7}#PdU|3CAp%XpL+Gm@%#yfbN
zy77N64|BMFyrfIU3=#}Sk6L|`>p8|q{qldG278V@rGEJd9eef7e~;Fn;OYjUvvme1
zuDp>u%BJ%i!xy$D#3k`8zF>Fff52%VdjoNR@>=)j6#E{q>j6aEl;9CrWEn
z-QbsF#O49+*&^Q&GhVarxFQ<7;UA+qL+T4Aci~2jT~Ji
zNe{Ch96|po$E-qfJz#9m-IjG=3(#BM^L;LFO&-E&VQnpo-m&lFHu7gnu^RA
zt?4CHP7SIx-K(wn3FG#Z>!4P*MUU51w08VKNQ=vt(H%OV
zcmA&ryuV!k1eF4j=}7bW2(sL!web69$1lZv49=E)3_6`S-#VT}q2y|hA~S$R$s0Z&Tc)JE>nStN;BY{_waI3ChaT$h%%XiA
zp~p^wcPlhd=)p|T9c=mQTVBz~DPEXfrB6gOKT)$t#7K^rJv-BWBtrZ)=HuUJ9lppf
zsKO>}$IYL;)On;pEEV^0+}z})4(b1xYMy_O`bWKM1Z~SWbWJByZfO*mpyRTM@L{>W
z7WDTNO{Ihen&Ipb*@Mrws~$D62K^T`_y0j=K>RjIa?AqHbyn6@2gN}16FZAU5>d|J
zfWx<1q`=?J6W!9mJ+mgulrN*@LoU7CqZl+^)0kt~y*zrQM&l
zGpwth%$0WYzB_b{LNM!STwy+&f*60n`8uwdGydGV<`FqtkQB@7T%zo8*)eMtefakN
zc1^-|4Zf@HGeLVg!7|be;x~noV>Wc#HJpNMk&2kPKfe7dWqDml)UfnJ&mapLwOz~U
z#TH~3kv;wG7cHA?e(fk-{c+sRLE6<
ztvBl*o*5wCq21w>|M{l!(uC0PtAN{7jHh^$zb56e*N3)|E~ya|6}?;
zJvje$;D1FpuiqR8;MM4&lo7`|rYRtL1U7f7Ury;fwBM9Sj{S#E0aA@FqHY;NnPz|{
z%j*)NY{=s=0IGHE|1+7+x)#4i7eluUrA#wOljTiGLN-Kp4DjETiE<&~;{XfmTJ9QM
zGTkz)GR+W87V(mVuaLUjUwCl#Sl61?=yK_nk(OyjYO+X`{L$w@{+As;zZ>={Z2wy(
zUnag?|Ky78gCFMC<+t1Q_-A?;S7j)-nn8XnZ`#WUMJ(C}b0bXJ*|?Jdn2{qv+sXcp6e1ag8fWC|50$R_hGl6VtB4(tMpnu
zm2w}LX`!8~KX7=za9^!@mvEN=`q)0!u33BLcuu3*hl+-ZR?Hr_6Bw#K-SHw&S|g@|
zAdo?$qNB7U3FKjHVjM=Euir+pKhD0n5Kv5B><(=|FRX_ecrguTG)Xv4ZdBQe=+##)
zpt*0ec~Q)j0S`Fu`ZbHaxEYrW^v&FQTyo$R-@hVMrFb69DPZJBmU+z`*T
zgcfC6RT51qC;AToz_yf)H&$7}UQuz&Z|(gX`wi!fT^MZ90TXlH+D)T_C)kxp&2`iM
z6VY*x4OQ-))3sMcA^m6dPsoqP
zirH0rA(}|m5B5x3;2mpzx>4Q4z+UZR(gp0g>b~gQqvjv|W?=?=g^J-|L?Ht!e^33x
zQs)FGQXQ);!xN%nW{nKjdZ8WSdAB`I;-6UOTzVP4b(+&*_6$yrF4sJX;BXt3g^C~7
zwl2GS*TF+#$kk_YLt(-&{H^-K^o{x}g3YY$!r863)EBt7f)#Uen~*-@9YpPKs=gpU
z@tDa)m;^LXaC)&b-z)y%C@}ApHMbeYOx=$~*iICKQMT@J_fMc{u+VQ^Z*J=*=c{zj
zo8{(G?c2pDP1>7bJ__nFu)S;)x+ZzuTkYGRwvm5UPM4u54;3XfI%+O1GWu
z$Ce6#Ev$NI6bP^^qBh@>_FLYY>;~S_y}uwYF|gN5uh~jaeGZfnVy1^jP{|o8MENn<
zdV>bkM3QQcOaz2z`CK0D8mROL2!NUn)OGqe+6~z*@{>haI?>KKg7awvY-0siV{#|V
zQ&1en3kR=qy*?e#pSxAuv};UHi&dqUE9JTqob8|Ad3{lYyqNhiuv9O%pIOMU6{!ZZ
z6R-@XY}PDoYpP9rM^-1WwWJBb*+_NyWZTW%e@Sk4VO!k(R#wGRBHHoGC7p4mA^R?7
z<&V%0X`j^`lVo)LWuGaW%Aqn!I5UQ_P*yReVt<3=)RbGccc&1euV
zJ!!pfy&vYWwQ1L=treeNCIHXF0nuro!YaQCKbhrZ$AH)8V*QiG$^Jv(<_+fr?=at`1pDTay$w!p?WdNgY+GX+IpCbJDk$j&%-9i>b92ww71VNbR&X^aYHDJ4H~8A*t>>i&
zT3UMR_!YWlu*Ih8+luEX0gJJr`k{+`lyTVn8vD#(@4A_MuesNwm3*UloL@2n+B^+U
zCO`E42Cr$Fgois8Ts0pWEQdk`joKWGn`Z03X=NXr*q_*I!mpWq^d?=G`Ih})pDQNL
zimZl7d9n@p)`rla3f170{3V{|WP?ec>gHKBHcs!fF7-BnZ1)P3t3$MRg(<+SHTqvjwq`9wg`m)UwSVBp*mB+yr5eA3||7cCmil&#CvQ#{3-
z@N%x`rK(NIghtMQF{qF`<%>G8ns37JWPmQ9kX%-TZ1TrzA}4GhwkrFyF?5K{jrifI
z5S9vC6kd`SyjHU>A`?b=L#{C2-S(*ZTY=EZtBZOg9_G;}RL{x)t@vp;=#Y(QEiH`qqMO{u6k8OGmZcpW#;eY`
z9HgK<)2+DK>~kHzTu*b&*(2&R6PooNfrYC_7Ri(j5&R`UTZUDWTe~MkyfVSlZi99+
z7o3dp09H%NQ=VZKjhy!h?`uI;hQZi$CgS|XSDVAys>t(SlFej5U+sVY3|Q&myRWD&
z8}qmi&!4-dYpaTb(?U$ShLd$G9p)v(!6EYC5HC|~YH&!h?$nrmX(!v%m}YGuQ9b?J
zop-Vs>iiE^HfUHGWrd<~YrPDA!ypRsh;G%lA=tbci^0B1W`NQI
z3qa0+86f|_iW`C~Uo6G3=6S7$+KT~-9iQK}Z_k+7?(#Cq<=DNAyaPpXb&zIHL?NKkwZ?NFI9X(Y9W;Z0N8Q!nQXWV9m`?b
zFtT-Xl;wP_`4BRJe=~u$al3VNTo!2zBUHhyX&u)E_LvHKh&nEHwrUUmyh3j-^DoD4Xps@ga?^}L7b62@*
zlCbJE1S8d>_7EwTpZ-y9_3o$6boI?ujxCx!jE!XK@M;DI2EOn0E)p6wzm7o8WXfb>
z9(SqVa@bT8QPZf}q8=4tp640niGq2Hz~_u=V-N9%PSN)3C7+yFcYHFrxrmCSYpO(xA@{^xWt{Wh!=CI5HKnKq^K#6S!Z3HPwM+(Lc
z_4{ji8vOB^i^_8V@ny?7a~_+x;k8>yEKCk^8!`9k6q}yd)PZj>MJt&|AGIzuVW@V44jK(+-KbqHMcF*3NQLV4YgTcW(rc=1
z4u>UU58jzZK2r)I)f6(d>KXt8lRdt0^vx)ROxAnNF6&gH>4>YR3)A3RWte7syHVd|
zg-i-gUkRP=mQkcE+bw=O7b^8mUX~-Iwpw%)DN-#BE$d4Wv+*tVnbO~-AhO-i8%(LF
z^s}U{`UV2m4(Jx9YWHY{0W9n*WfN@d>*~0cE%r5v@oW3=YDqw>Ip<}dul{NNNhcQ`
z*Kkn5op1LsIPeg;GEaX=YyaIM|B{$y`Rn^wu~jy`Hz8vSRCH}=(Ni~gM5NDx3Q
z0{E8RoV6CoE>iMjl)1C!NY8SGWj=HMc{{?y*p4S`gz1tvtKl4+ko9fHb2P%z$Hiv#n
zjbw)RehL?!?@WX2B_bCA=YsS!?FA|cFM!v!qn!?;d!7SwfU3wv3^FY8J&LpXORte2&-)Jot00S^n0OuDozoGp)tQnLV1zPm0y_lW>~$fa(7!px83
ze#8+U8#-=E{*7s!#tgi8qyi4TG+mpxem&=2bI+4lKYwZ9b$*sRLH~Aw
zBKGh`)j2tejiF9gX1J_qR`o~lR{VyIjf^DTY5{pYIEKBU2h
z5ntKpfsEyn@;B21@3&+{mz@2Wrn+o5%u0NT#;>7gc8!yq@rFuM(OOp7bt7*(Epk@a
zH5#{TDU^NrbIZ^o-jYSUO(`9Dq5&)@`cf^Ckj@4&7Y3Pw1hwM7qo_RJ%9WtjBFTP}
zsX>w>Y6+5)@Q^27JjNZzn+}g|pr!&#EUw(*@jB;je@c^-UU)9JIz@WjDq9~G)F4jS
zozX_&!(YVIhTMh>W#^fS)bL2lS_2n`_hr&kU;7E4!=cZ7+}??>8(zIXo~T&MXPK10
zIeo^9d2d(Tn0T9zb=b|oL6UV7cd?$;!%%^j)uQQhB6!^2vl=JY%}`N~wh}kk&ESZi
zr5~syDks@Pp*6QO^QpcStTKAuE9KjA94w_ak4w?_Gqjy+!VcFiJscf}Vr#Z-I@$W#
za1A&QC-<-Rt#Gd0_m0}NTee*Y@-VPlkR4u>9o|?mu}^St>Ny;$)2DBTelssF-#+&o
z-**__r*`#rtns3OB;8(fz1Q&P4Y)-Ifs3|(fDte;U!~>R+0(q3TVj}7;+R_^w0F$e
zJ%eq%WV8~`YW`e@5?GUPcLP;cU_~tMCjd?Vu2^`
z$NrLow_9mBrvwsP4B;ac41!`Zu71Abm)PCJ*eZkUDuWK-cXF%~Pa+~oBJ7?D3Oqn+
zuPSiHBAsy^MddpTJW{B#H#*}OPmrO;2b_P
zN&DWgxyY`EW!{dbFs&8UURniNkD!dFW8?@BNV-fB45!ehR<~J?T;&K*eA+ylcXuq2
zg++I_M&+UR#5YVw@%Dmia*gWGQj_tK`OWG-U)nk6QXvPqX}bD0k>qDgR
zSyaGuD$XquJzV%i4DZwz^jCkH+h{4|8PLfI+f9atrpd&ov9f&)>#ixIP35IcRlvWF
zCb)JF^W}eXeIDjJo%D)Na&;!48%!N$hK%3mMH_9;YkoU4Y;0Md$7&
zx0lKYwyo+eaoFkMqBC@pghN)wRsmJ9}
zQ8VmUrkvrXOps$A@-I2&@v@sOMvE;@n3>C_$tU`~P}8*}aBQsCPnih)rF`K_VO6ny
z5%!ishH&oPRib>@+eQ43O}=qH)73o(DlhZJ`s43t)vn^?!&DY0vdm@uzcAg(6r3@n
zv?;VH4DCOv`zle1ov+m&pVfIr(rSLG&0^M%RxU4cZSUl{PV?-TIB
zV@fwrOFIyi#K<}DA71fH(<}Mm1W*|MLP&74Ab{b{SIN!DHrVr
z!ekOll&bW7vBDgqbdT+M8dqP&m55jAQ+?TherBBx(gd8g#24A9Ibih1^Fey6kJrZQ>}vY-@=|B%a##LLPnEsctG
zLpIrViGxGdXF>WAn|CB)7b?5J3jLh=m@`bpy`#KLc0HOY4txUkXW`niEu@pDxI&}#
z8Xj$cyXEKe-+)@vZMIib7Vlf=(Gl&F?A!e^J~=T_D+|DP-J!dCo`uXkVjae1Dri8l
zQ)S4zQ0Bqxb)kKs$QfVQBJ}Zqwp6;R<+82Y`P}nJI}!K!BC3dYK4x%*_-Q*PhDGi$
zFHjCpn-)i~yJg)PK5iR*U2xv2Uuf9&)zYqa$%C|HGY3E!Dk8h;cKg9F2&s~+S>=kN
zybSuLGDdVj=b-ZN6msQXC91V$Mnpp}dk(SPXmeIJdUQSP>b&8#x5I6>i&*Dd<~TmO
z!vXs-^KBVM=iWy9F=sAaYtc+}we(!1MRKI+2g{4&HMVoz4c*11gK=Qpa@pY|E;J2X
z%_Utx>%AA}7l_{Jcdh6+d_Dk5^qNT=wXXwR8+`Z??3GDX=CbcO*VZoMOA`tkgcP^xS5qwr#3YbL8aIWJ}nt2Ek@jO*-;vQCz{9=*<%3#JYXngExN)4uTp!
z-C=t*m*Hx$+{|89z40}*){WN|{%X*BV`O`L;xcNY!xpd3$SKmOhJ;Mm`}hd0KlMql{HI%_`VNRv3y@5@}+C`#e+c0%sYKd*V{ZmRa$P>LpN>>HQJEh|6)`!k5IL4zs#I_5tJ3a|6=gF>a3JdaPsiBwX6F6VpfBg8r4GeqKi5MJn0~Nz|DWxu&Ajy
zsUfM@@E~jP8DzS3pj8&;;ppV3j=Ye6z|H%;b+%O!+u6~>QLAgQc~OP;n{S8j>nI=%
zkVf^r!~PVMHfDZJC0FED*{u5$yB6jT%xz?Sm{j9a{@LtMy(`ehMX!9cJDhb4K!*atinN;Z+$Z7kin%!i|Aapi^vpIrEYTxptxTtD*
zq%pK#wVm@4Vn{EypNq3v6dYViWBOQ`B7r&aN}0Kr6U)@D%gj?7PHsqK)lJG}cdVl4
ztg3gcs+TyaNm;8A(Bro!k63=}GoBO0I|5>+`qju&U0E|~_?cdc%IP}zLkc@lyY>Dn|718m|_!8RleZ`I(F0JgTqu4
z*4ewbp=M+oLo5qKpiFN}&575gd4bw8BH%AxrgX4wS!h@SZFoX=L;`I@LPL)%ez&YV
z7+;q_>3s{s$me&{{
ze4)8PBnM?ooFto{EsRz}Pd4pwmwC?&T?-}BC7u`Y7Tlx#=JHkWr^EsD=hiD#k#zotj_2F*V6
zeO>G@tfTIWL~iSNCYyj14zU@$5G7BHPVPz#Ye%X7%N?Qkl^VIMf4E#PD($<9KYlHT
z>s@IsOw_MBw{QAkv%H_b0eQ^6yxvYmYu?)HW=*wuMhKPl+sxWWi7mP?@`K
zqpm3uf{FYF6Maf6gS}&~y%X5#Jkw{4(BVKh5Hi#Htu@H3>mXsTeZU|)wHb5q<6iX=
zRcC=ci`_>e2g_DU7P}}S2MgacZwfwuo{23S2d)U2XdP^otL=R5QB4P3%2i!#Z?M@v
zXg%-+m3g;&i|y9s^EuOWtKJ^SdeB|ZoI~L=KOdIZ+i*6it=qp6F;t2KtR27iu{-v@
z0fjNFU{tnd6=sE>V!_gjOhvkcyR>Nz$VRRnjXr|BwOc&wKV9dd*(V#mF&|~hb4uNM
zxq1F6n2^l*^Ya%ts}|jFM97?3Rz{Dr-tD&jxPMhP?Eul(Z_KUP8kq>09}n3A;oN156$#47IdHJeaVmn?8Jocf!(C5V&!Wq&82XY`8
z73Fm#1#)PZKHOgU8jk5ha-mqO%)V-Dvvb)|T;59ErkBl~Aw55j87uNLDCN1Y*q9%;z8cn@k5<3nz|U<9D!*3t
z2chpqBq!Pkoe!FOgZ)Bb^T|u&JTPp3CX&8}P(6{iIh*&4v1eP-d$n(k40qdYymW_~
zs#`5g@UxN2YbC2zky@*mx*e5ktxb~tg&mAB
z+-;V#k0Vz^vgJ$@qt3;4P{-x!q;{#=5!1uvip^!$I{C5bK@O5_Y3oz?M1j&>ZN<;g
z8;uxMu>p=+FD?xat67!JDHEY{!GTVy42x6UQuM2F&B%_|L+>STle3KLTH+@DE$kP$q-5NcZO8CaAE8Z``#QNqxmlXg&jT8(I`Cl<;pD-ac*A5>uAS
z!}=_Az60zN)jODhCkUMzY()Fgz^K%O!ctl%Xb4{1a^>cUS>~PfMJm(Dhe%9D(dJOI
z_N(K9dBLI`%$)tmxJL3q@{U^Cb
z0mm^uxscIn&q+|hzL*)1_BZKAIy7Rh*s?ag+?~r?7qz)+E3M274hNd1`q}-Y^H0X)y@BM6JFkOC^gy<3`P0Gs9q;fJ+YRk~PWCwlk_fiD~
zVG?_dty^3})YFm9YITXnG~48_$7G)(&H~RL&=(^N{Q^T$V
zj6z7iE%CrfR#3)AsV)<$J6#+{Z!X0QlB6^q3@ealld|5J>nhh0BBYC_rIwhssF1A#
zU&?HbNgeKb=2iFzB60VJ=cPx-zz+RRk&q(YgAp$|m3bxWzv3sFn=^zY;JW
z{Qhzdi0{jbMX1UI%_gj4=YUa4>HMff3Gud4vZ0^ggf^e3fe)OLpR~Q@<1I4fD!{m>
zim~$X7pb3qrvkdcgr|zf^6_Aj(~)0L2~HP_I53Ix?_Yq}i^@;GZ(cSv1#%k-*>f}d
zr808W3fW*OV#e*suwnj&T+Zo&vgShQMboF>CAi%et=#dVDW3=fUk;lhOjyXPd1rEF
zQL(H>Sk9|CSe(i!I*@qE@WwK6`JWe~xJ)TV9DoVVX+~pk_s#oPOHvo-x5Dy^ZMXO-
zCZj^W;so#)IJKXkF}ybhO17##9W12a?If#!btLzE_#~7_`6&9caHBZ);{M_+;ON<~
zF~L8FcKSGh(oY05y)g6n&Rbu>L^b>3a!1}ol@EUKJE1Fk+hTTA?R0FcpRYL5@rb@_
ziLDFt{o>UnS_iS0&Lx&F$xTS>8t$x~cTl>5s#-j_F0!y{*dlSPPyDT)*iLsz%u`>^
zdDv@Mb}P8Uq?~ET<|I}RZADe}z@@YF3U~84*if0ytbCT(_D-%WJMee>Mpa$D-eW@7
zc|c-{!NuW8UB~!d|Nf1*nC_a?naPO6ODba#PBFx7jEQW)uXkwy$KSSd#^!=K{qy#+
zJ4LMaYBqB2O!j2PTdo592D_i=wu3O?q<7yR-7rTKZXFi_;P%tF6ce_Ze+%z$3DMlE
z&kZ!Qvu=8iL}spsS6F$4CI-VV6TGAR@2<_4#gbBf9-RxRijGy?cGGIi)tBpcpC5&r
zfzF=FpDk1n*B(J{Y;Q5V5`Ez*9JMq
zU94XtZc?$mdDALM(g^WCxNUge%UP#Be#HPSzCh63D(s372Y@oCI3~`o$d?t@)v1pK
zmvcQoW1$R0Y3IE{zx3o$$zqs51Qd7aM2kEMzY%^T5-c42@*qtuoFB2HLIufC8uj3-
zT^8y8dhHGKPVo+)m|upislJt7-N}$kbZb0j-B{}??Xu~zep2<>cuhW_)g+eEIkA3x
zoz-bozhuvwL8CmwU64qnQSgDGFp-Liiu_DHN)Adzr9s3X4Sf0S#72AsFla={F-X6Z
zYk*&T1`?^10X9(|6P}k~6&vVAlDU;B$JbL2>)|t=*iQeURHkZ7Y6SFIGVmilaV)^T({@R_2kD1=hcLe()
z`zGaBWhR>4d7?#6S$8dW*Za8pVkN3&CR#Zf&+2PMN3-;3>iCi6)9DI0I$Ab$p)CqC
zg_R5Ic@C57We&4f^Sm~WGa@VqJpah!gbzomF+!Tb?X_|D4|wJlR|#TV**5i|K2|M#
zMqI+#_Vr#xmGrA(`OLHbWzg(I_3NBQW1-IS2ZO0BJN=!*i
z`G{tw@@lF`eBXiDJa3{F@P!D~U5;u3v=0JqRD7dtF?=-2)2lRAo-QDh2e;{UhHqBS
zvEleiugTPWUi+OYzefKaKTi#C>~xauXgPD#R${mJY93@Ew+D4<`>`gz>s=jpcnMOZhK+3JuvAW
z*uW&&<>vIaS1BG$Ee(QBHZhyiL_LK(frnebrs@9&WrQRx=o~l~Y1rpN*Zqo(uf86jNYkCRo(mL7eJJ}OC*{l4=
zF9PrXmhfyY-UXR|4l>{Ft!3z~J>6V9`e$e!1))#wWJA)@K;OcB7nU`q}lF+fM?
z5H41G*O+wn`tt-n?qgh)^DS1dn|6YMKReyO4mHC6xl#Ye|5NgT
zpPl7D^~LQ)_}7Gx!%Jl+V3xzXVJASy5mlrj|1a<>Qt^2UasCAjnqB+=Dm}n12k2y~
z?qqt=E=Q#;5~+LqDd>&s_ct?JV}!#Ytvw-^$haOt_G%*9GLfd;eKkPZ8j~-J)VPb)
z?2Fa>^RiRbZon_OhBa!Jn>~5DOf+Vdi4lz&RPzdvFG>()^#4bHQQkc989z%K&j4R1H^hLZHy-#dePhQ%*7^gN{q2IggpZU*7JzmUJn-l+Gw83%IBNiIG~fZrazd+2bAjW+v!y`up|t_jZl%)f&O28o~K(
zNF;NWnT`klwr^$U-a*RVlgy26mVA37YdP31uRTh2XP?{^
zj_%!Fm(}Tp+T%#RMg=EHKPme+5G$SWK$HvOydn90Y2ioVm-xDmsMZfT*NW@$NlryK
zoj>isu=euyZ7;U1qi@!p6+Twi+)K8J&F#vebPYF{5hxpYhAQ1Ar?KzI;GltPXPE?7
zF^RnIKJ6oIVrwFC{nefTVXsgh->#1f2T>e1SQfHqChU4N(V@)JkFWHyg9onr*D2gP
zD(}^R2N`>SsX$w@Q-(la;7fnOP{n$R0q=AuJ)Tc5W$PE($<*~5CCtc|hG~7N&lxv!AX-BIwneo5!toYCt#>8~{Xdpt?TA^M2hZH^1@~+%h1Shi1B$*>!hv|>V
z`N!j%xZH1#Mo=E!4Ypac+`*h2MwVv%4!`K)uF$07Y}nVyH@I=9-*iGtn~7|V+yV}eylZl
z_m@Y->&_P;%xl{QoX44^Rf5qqqiQ%aoib+S?;;Z!ZyQ5(gMc{1as@RRz<2#HI%A>J
ziOAM@fbT+#^JF*4lNn!Pq;Rw~M
zwV-F|j_S4kgFBYfdSklmxkIF!NG~NUTRJ=PX_YB|86mBEy+iITJ`u@>LR=)VNH6(-
z`D`{X@wSu*x;i8Jindazw`H=krLw|b#V@SI6RpL4ttqZ+lBW{xzf$T(g#C^BhfF;d
zRXz4~E%^0m#QP}}zw7nyH+|oK^#PAAq`+ybhuA^nG#o*%j60FDJMgnRvS-EF!e|=R
zMw|+0_vP>K$5=iYo!EnJs!%n!TtCv3rd4Az-;|VX;l3nNXx>bjhIJC%6wXr5^->qA
zI=i1pBY9=K?obx#P=52jOx>aU0^AN|t``W)iwKLnc@Pw_ofY4|5CA@bfKL*@CuiVO
zC-yB0_HDS@u_*9~1NdazAb}1I_z3Mrf_9TayNRIzJX8U1r~;78{0YpSZ2KR)`yY7w
z9~Al@n9cl&&HVAq{4?yOqcAuE@XVen{zszu&qD0|hRpzKCN+92K3Xj?Y7(8=jmZ(f
zV)i81|De+Upx&XAAhSb0;KO6np@ZA&!vk=7#Yg#ig8FqV*ntMv
zfd_ya({Jqp
zP0D?h+!P;d_ZPhiIO`zQT`m5?vz3znvQcEoN|<`@i{BzUuW%h610!&a7r15_(N+#{
zPx-gz*-EK@9sdQB9&}4~_E2^<>uo}c1mZvLAQg8Tdl?&A1Q_XT-t7)y*;2+UbsMiQC&q
z+S^F|$CCDheP5fuGz?kT>6_K@u<(LCh-KPQ^4FrKzDe5?0__Q9?U&GME!p~$U%f#0
zExDN@o7o7vnIf8*qLA5$u$khUJOzS01*AL$;yeYKJOzC9LX3Z5`63hBW5kwlMtf3H
z)d=xKkhw;Xl>fG5ZBgov*GgdW3lSY-jJw(n+``WR9atQHZGdJ1DIFOp`-nTV9
zDp(|TtlGi=`)hbb5F{ckA|WD2E<`R~E=(?4P6SFz^%#Nvi8JJv6IH(~!5~hWc!<~C
z>qwcmI5F>BBjV^Kbmc<4Zu(rP$|EXhrX?+Kp_M=nY)Sw|qz_?WzoH})VC&WUemX#e
zBPI5+bc^^7jub6B6(iNB+-4kS-1j(<0C~V~9Lm%5?0&{OQQ*tF572@h3INLB63SXo
zK^cHWxM|WBtk7E^K7g_|%pVCl2b>2iiHF>v-#Gw1aF(Pj!~k0Ze`B!)R6@Kky>V#%
zMy3=VQ%uVj0U;4#5zvUNh?EGqPZFOhb*Y#E$!O&vjgrwd@{5cJY>$M+=O2@dB)BT5
z#i1U5f}G@4kF={73@*R=30KXth7vcO)lCBTM63;JJ|CXvm0}A&?d<{
z)}^l&{a~}^H)@E;%sD8?x&u1)8;EPIz>z<%%erq-8JE#Vf
z3Mv4BK^>rYP#Gu;)C9@~1%hfpX`n(-45$;74~ho0gHk}%x8HATZcA=MTE~3neb;@b
zRxQNwb=$_aN(sBs^g64`#(88r
za=U;7iUYNScL!e&_z!>w9}e6Om=6pOd=ID&G!9S?Y!3tvkPoa5cn?$#$PWAuC=UP!
z&Ib$!ga-n4;f*tcOWeHqW8cn~fd+laO}qB)O)>^1EB~yRuCTAjt$bYZTKTl1xq`l8
zzaqTydc|yob46i=XvKR)W(9x6V}*6ac;(f~mlgGu_XZh<6^9*%d6gqoH3tZ*_L-w*
zS%kdLV0QDuN(SN)@#atp@$)brVSb2iL#;!uIXs&jzw5}Sj@b78wweKx^I7HDhgMRcOs;^?ogURd#h~t$5XX6}C!xq=E&T@&c2!4;=tR-m5MroX>)Y
zMEpeF{LdE#5p&^fkp$t-B3#1tBIm+r!qFll!b~D|!UrP6A_l@MBJILHA}GS)BC;ZM
z!VcN>+2`5O*{s!l<>%?0D%Bgrr?j1fj_U@;4rf>Am=~C*nAeaq$fe4O%9YCb_{I1s
zuMdHDidTw{4rsyKpd+Khpi`)$z4N{UrL%I~d_7@(X5Hf$>6nIm`}6IEX!*n;+MQWf
zBHKavCC|;>&D}lnZP=a6jm-VvE$v;=P0_v8?cUwqJ^pR-o%W6P{roNO4ex!^t;gNf
z&DA~TE#wAruW~znGkz=Ro8>=VeMzBP7x*58s
zyDh%6zOlZC-4fgo+^5{?+%4QJ-1FTv-!$KQ-d^8f-C*6v-l^WKJXk-%9tj?eUP+4+
zu%l$Y3ZTG|L*@+h{UJK};V;3*j~{V9l6}PcNc@uJha?q0l`s|eD<(5K^Lu8j3e*aW
zhPS*(O~@W^Jy5QYFp>4&485j%Q~c&I5G_zqg0=+pWf8m|LLbowgGx<#b&2iYUA@1;
z!bHWyfV_iXLeNyuRo<&$jiZiZjAOB)vSL)dtHP{8`}Xb|<~Ot>^rQDjSY)VV@5!*T
zQM2D?qj|g)k}{OT5H-7r-))3!)z^$h7*0V&bt{f%bPE%K|3N7$ax_x-_U
z=4~5c&6^9gu
zTZh8JVBrLzDPcMxI^heUd?9?{&7q!Q*CE&8SfQ~YvEizr6Co3!LVZ~P*1X7%)K?LF
zR5CbFw@(D6(cCh3GRQz=*)VAtnL*&7EUk2rj1|yIc261~h%cKgtt~SToR{U5X#zIM
zdPrZ%U;;5^Au=k!Wh!fG7&QU4k-D@d0gr5!dH^?$vJBUhZ-eOaheHC=kEA%HWTbec
z#97!`Bw6@bgju)_5LPg2Bx`I{R8>q9kWac<#uMl%do7J6V~{_TN0(ome>jCUrN}{B
z6a_b*PZh!k515te@@f;?MO;Q+#$rTa#Kc6zKw_em!OD@!v13tVF=MeTQ7kc)5tWe2
zXom;~h(q)t_%QM?mNbeqk~B6eDl0N8+Pz=@}7dmMEfLmoj6A&<$4Xdajt
zoETyoY{!WTVf~`QkNX7t1XZ%Yxdr;=F-);>uycIk5awXy;N_s?5a3|p;Nqa0%G6EO
zjn~cAP14QyDsQh~uZ)mGs2~(clp1IuG%B6GLX)gH3ri{PPeS^Ay>`6+WUHX`%^Dkq-9vpkv7D{s~xRWz$C
zbv?fP>5w*b(=v3@8taR1AW;lJ+iChIKwo?SP;ksbVe-mNydJX!kDs*rP|}<6Y!zMe
zH3ok=GA$IwyXpURKhPvdCgvgI`|C+$rC0SWWIHg?FcX&GE|T=qp7va^unW0Oy1?q+
zCpL-O(%v*qqE4v((RSND60W$@u@oX0vH`DR0O_;^Q(U(x-@~CO-mE6#MQ;`_RV;>H
zIggD>!#h^r7Noopd-K45QeH>24soR^F(ldTh`4y{k#n0XjN4E4Blh0W++;RHCc>SrrVv4mnEwM>a?gI{uU8fz$~yBINUpZZNZC#(
z&`o(D&}sQtgOR@RW`?st&Sn|ntI{U9Oy&E!Bwj^Ij$nKR@V9ZlL;JHR(8L+
z`E+uiQN8zd#qX`n1=G<&5APCBMe?rL_Xkfoni=nHCjx}pUpmQi8w#1X(a;f5w0>Q4
z4wogPo(%<-zFRfg&ax$qTQ|hyRBtE4W78s}#K6CBHfX?AeU+67MLWU=&4wb}S(9Yo
zs|hk_v0J=b*W<#cr;%Tgbh-qWtO*jJAEp^B5LBL0mFb601SZ{6e&2eWcgeS@!}@jb
zpWsP;s3@cX58nM+jPY`iD(~4fyg+-~#^lbibUn%(yRm;tTYSS@R>~Dq?r;ZtGd@0>
zM2g5^_zONgca^N-4=8#z5QM#U7$`Gd~oY8w0t~a`0BJ?WfO1wM;7ZjWA@x;rMAY0
zc|S(l;e!L)B`f>=iJNBLQ#98$SKU=Qbr#h9&HXT-;
zT`WlcQprQqm%8aWp<~SYScU;p1m0pdJ1CmtJk(j&Vl|vOzA&ScjRdt*;=jj9l)_PY
z(n;G3)!+f>I;&!U!hDy=k9co31IxvGLFcv#F{J=inv3t!Vu#TSaWMU1#OJ)gOL}kW
zh3~=@fvY(9(0g%pZ7b)hRu3hU;60N_oA;%${nNKwyn4}UWBz(=ALelC__{w+%aVyI
zaa`rzB;X)Q_d-1#Ne5&K5*8x4&lnR5tD8dt2&P*v%{d<$(2r9Jzc_qlmbYFx7}Uk`
zx_$|mAYuIpt;VGKx;?JTfXE+ZPR(qcSt$en30|dxEtHk
zbr2IUu3
zcgfn1l)O&~weXj)1A!}lYe#D_AB>w>9_kowvGXGyU&47q>n9DM7>xQDlBp6_goU$Y
zVni5CLc6;}Z!Qm#9=6l!^kg2~e*W_7>8#UqD&+>N$L!M+o5Yb7q4r}r)Mc{+CWaL4
zN@ev{T3-^fd`Ko7KtxIax@i^JB-+WXJwc^7^wBh7q1-i(_H}0n`|dXT47i1J5$wkV
z^K8jpeLtzbQ8mVB4fpPm){zk$a!yn(L^mMUOJ4_Al92)LP$oB!3MMFe7zuLTeWx*J
zSdk}0A0G49>Z5XXSJH;Lc?>>i>};9FFa%48&`SrRY^TPRDb4k;m#vqrd@SBqnR6P<
z7tHq#X84??(>bPDA~=Uyq+h9lrqsFogO^L$Hf4G2LMwchp(v*ZO_&R)_MUMsKS+C$
zQwr&f+%?wp19+6Zmv%AL2PtLKEDVj1^5-g@CfeNSJ4&{lwENJE(2O*wWbkBU$S3v+V7^?YK|P(w{0@3
zt{y)~Mz4J@0ZOxr$!1rN@EDJ)iB*$xtZOXSN^9t<HqB_2_DFtD;2ZHZ*B-$t*Q)F2`6^qh3Fm$5o7Go)NJs3~#C!j|ECgz~M{$jE
z^ywVOGuYfP58Tj_DB7NhRqXo}H!b3tu@^;Qw;`cO5fOe*$IQMy`!`o;7i7bxu}fAt|$Y%7(`YS?Z7`*)KP&^y$GiP
zwE?xOz&=m>MRkSt>2ZH0xVrb^)bMxCQGY{1ox#W)@0>HytIwfq%r)Cd6Aafi&xH?J
zXK(K}hIx1G5K_YnN!F1$7s++Oek~{Ns8_C`szf!hC16Hsq57Juw8sv{B88fIRFhX0
z-6d6O8$ZX@1C&Iv9--c0cQC~HK5Q<9Ut+Bk(6UYxY=!5UviEG`-}ll7R)C^}OcsZd
z4kqmvgolh~g{y6L3C93qBOQ9@QF~Y&TCNJ`vg`Q*m7w5jye_Yy@J1_#5LH|A<+lNf
zU!JwP)HCL_&pR7=mIa?M9Xgw^0*afeuQ2^fu6`~H-F{h){fcsWjd%57?|4D#Zr?Ix(6@EcE#YP22{bE%{6-Iq*ldN;B
zyWM$@MOPUQd3`B|H`TV+wkDh1rGDx@5zmmTnx>@Zsw>OG;~Spk4ZDDe=N~7QLjHb#
zMm&6@uiOt09%K%48b}{h-B^t>pIfUG7J7~sc=p3iWZk9Q^Kbav^WAZ86+@d_@od-Z
zUnYVmHfuKPL+2}}M9N!QYdmANjMt3ULj~iV6>Xc{BJh6AJB<8-Rsy^nDya|C7*1hZp;9JM=Uvt**u!
zDvc6e5n~sHFeS6*C_X;ghT15A_nnybOFocLhp5|7cbX`=kj}p94<-O(Y-2Uwm@htK
z`;Ap6ynMBUykQ)ppE$$ixS*lHWNbYZ3p{8eP(Q++sxIjlCRKYRg4!icjtOcGRKXFb
z)VI~O)V2G{Vb5vLgJ4JSBDhGn8;Br;Dnu&8%NPXcDPVN?H}Cwpzr4sX9OlERJo7}v
zU_bCE0ADXzUt3q(U|x?`m)D?4&qM!8_sRfM526b(P|+LL9oG|N&e9$)
zt0k)RC|_XI$DMEBv97G=)xXzA(M2%`*OS#B(j79O(<|1u*0nZ(=@IA>7^LXEMCs}-
z81U&g>oyyB>Rsz&>0%kg>Z|ImR9IKSDhVo$cte$~xmGfHyIIT>mpPj{D%a;N4y=j4
z5}Of!Beo>A%P`Hb&#=m{$uPHTVrgKhWofRgt88psdpCP$dryQ5!kxs4
z#Dl~=)2TsVTyR{7Rj@4+wRqgdLomzVxWSYTeDS71qC
zOkhS}XbEBX*Ko`5$Z*&2z~1?r%QyEUrz4LeS2DLI!B_!RK~09YX>AUF%>Bssz`uqBS^bhr6%bUxH
z<-KM2^7itv;Ev#y;E~|2;I<%a-^smApn1^2ZDq~4`L9aL%u#0h_}bs21F}sr1lb-L
zoNSxyID031Kl@MiVK&To(->jAXAC#qHa=eeyS}x4w7$E3Ai61v5ZxF3^UXEKJ;&3;
z%@g#2ENcki?ER1(K?ncsb(Za|noyi${lhxKy2U!ty23ihy3RV?y2u(*yi`9~-(SC4
zKU_aQv$eFdw7>Lc>2L`q@Ym*&5|0agzAFs6)@OvblF<
zXk|m_m(Z+GpU|?})4bR`+C1Gn*u366)jZI=);!X@;MwE3=sD}zx3DL4AavaR_u!1_L9l!2_~QN%
z5HOu{3VXbKq74vx7JtTmc6z3N)_s2aZ1K$ftn^G0P#=&R5E;-KkQ7kaJ<$ETd#?Lu
z_sUC8J-M+jwkHM`J9NA@IWa+Hf2Ac(UW2?EXi9-Ehg281EH3p!^+$lIn(0?lpsAaw
zp{bdvf~mKuw&^!he^Yf+8&m0*5PBn1DN|Qd15;~LRnve?wN1HAuT9NOrA@;h)c-Dr
zoc@F3E0%Y#89P7;#kIH1)V#*gN!-cFN!Q83Ny*9ANyEw3Nyf>;$=FH4$=ONI$F5lGO7
z{dh!7hD}C7hEGOFhD%1C{UMtu8<0(!P4Lo1kr?9}6B^?hldpeV$5|&^$6F^B#TF$I
zB@zXEL(9R)!7@Sjl>PuP>L+oQd4S4&BK!?JgWkz~E-?FvP!3wFqXyY=O2A#
zCyFl0Tl(tIK)Fn}EG9@V$Sp`EC@9D($RS80C?d!t$R{Y)M&HKWM%5H;d#NC|Sl-w-dgxu`hG~A5dWO}*!e({y}1^H_E
zI&{!#p3aCmI(-X!E
z#0ceS6Vfb1^>XYLt`sqqFy%2-Aqo&>6*(0Z6~%F-ad}=k0@{>MDReqC3$zCD8Sw@Q
zLhd5U-1wEfh>`INu
zCdRUo>xkC+D%@V2>Fv6Xz*5*4P4v6+eBE!`&M|Mw`v-dam?}YQ1I~cF!ONo(DI1#F!1p3Q1b}!ur*RN
z@;5R!ayHU7iZ*gI(lm-RGBxtKQ@HcHbGuW`B@1Q<=Cq~mm#Jy~WgNvDM-7lJpwfeu
z{?eJ%;nun+|ESARVCFSY5><&}-*UP~aWGt0FloHVZUzG`3V(u2z;odM_!Qh3
z9tmfF!{K`HR`@Mk8eRy;gU`X;;TZ5SxC1;3E&_jqOTnq(+wjkDF1RZk;$}^wQ(DTc
zz0A~^WM-MiX_Qu8QEp#>FcA3R;>7&)XsRVO;#do2x>S3S{m#w4WB0wFtu|=fmzMR`MI8yJ|&D=aNa8U6*0`P
zaj|oK;u7X!81K`d3Q
zRIHb|2sl&9QW>?9x`y?4t5CHE$~3f=%9hK*%0#su%aOG(Dv8v2+H4Ky`pX!!X3DL!
z#wycI8cS?#=Az2xv<}L6H65y!wHxbgRp*|{q_kwqAUauPf}h>1%JR#&Ml5;s%;&Q&
ztp@C=GRF7n+?NLJHxSe#bFJFj^fGS$&s=`l
zkhW?`wxLL+x7B6l{@#A*oMKsuPIZ~F!J0;AskhxFWPfe$z6?vdS)06ERL`%it@BRu
zvXCU<^X`R!-FOz-o>{9VYexAP&(7V>9SnIlY)@uK1~#}$yH~VR1hd-R+uMWT?FkneL`sRa8|}
zTjV(QJ-wIbr>)F9xRlU@tJKPN44l5ib8d@2%Uq?WU0-LVJa(5J!((9Ew16mEGI0H|
z=QK8zj?3e~V{JFSU|0bkW;$!@5I7#aKZp8q=KO}8U)~n^c0cqy#66rmlsqgxggop#
zG(3zxWcs@LfAN?12l;FHJ9N=>GrVLWq3#yyW(#27NEb^MOB2g-oG|%ivOjR~vgYb_
z-IdEVDn9Rr!*y*hsmD&!=KEorD%Dp@NNcJl?_24huwtWYF6IF8X%hyD>H^(KSF!yk
z%w9|WJAQV($$I%6IF{xc41S$>sx#lWw+pZ8dl)Iko^dHu0Sju7d>Cp;DhnG1=2NoOQJ8=G>BqaiC~~ly~rS2<_UG@ZJp=VU+F|pisoxi
zE*D-((!r@}N)~Zd=a0i3Auf}wh~^(dYqgz$Eh<-BJ=SXBR;wdAmX}Ug{zxL^xz^CT
zH}{I0!9CJFf_mQ2*`n2%8$5^WoY!=Uok8c+kLnavF~vMrB0oqM)X;$4W~#5*@{G!$
zF#oSIzw|2!WuGzqi2d&=4in^Nu23mSrItg_U2f*crwp8o$-MWlez}^+o49{Cqo3yA
zhptVL7XW(6CD!&Vd7O}GI-)LQ{%-dm8%_`=GHmJmHHwmMiGP;Kc9heRyw`I6Fk{Sz
z0q5w^a^sc|!?*4SrD48r{Y@_ro-g)&PfGl23%Y_h`L=PKH-+kPb904iow&#e-s(Vp
z!?WUcmTc@UdAPrjOOyO%&l8ZB5uWNt3jc5xKnNFHT6$(~M`poxmzL#=&F-0;55P|!
zOqU9CV
zMC77@cI!;RjNIswi6Q4ujoaNuDrdJ%K!2#(bIXl2?Ko2#e4+gpYqG6S`-Al?wetDQ
zsY|%M{dB##p=+a?;XkEXzzK^P`fy0sGhMx=N2Xtg1!!^YS3Md$XPcgxtDS_U4&!d)
zjZHMucXFBc?KCUW4zJtsJrEA1Y_*-vG`MPK#kql&=1kw+FeTp$TfMqM`ddoVAF0;>RmTQ
zWxh3ZjOfDOBtJh1@_KclvxPUxQ(hoiuF@odTf+-&+$EMoy_^)Mj^QugKOEa19PaDl
zGqGNE$L5DSRkezP`L7)1W^Soa3$lM_^c3E(G-@_fQqvQ{wpKNWIUKiC;9w=YJ#+r3
z`WeE&Lf${dI}eoOmpZ!Ry_4Il{9v?f{anz?PH#3|YXq3mUq}^-_K1W`dsB9z=!Vrd
zznMyDnV?#uYQ)TPX#MBnM82fE_esqb$+j6J*hb!?zW;mDu8X+vQE#7%8^^|R
zr<8zOpV$A(K?{Qhxs|6xLeiZp2i+m%cER*lW&GoBRB`L1_M`@EKiSmLzH@$YNJX3M
zfz-}o)@x+vVf_;jNs3wEM}{9?sQvZ*;ZM1rPxX8w{z*N0lj*bBTqmbd*~p|BfcHyX
zCFHkCF|A#TKkdGsgzGV3uhZUt@_uKf3Kbb+#|{8O~C>puBzK>
z%%HH`aubQ;Zy>riMR04_ZK#r}-6hTHfJ2>6t6tcwPph;Co2op|&q+PJb!wr1-r4nN
zzwZ1cbvRuOeJW?B(+>e5-N=?=mOlSPB*nSQ>tVx7rsTbkU66bfda4QLoxq$QKeW+w`aU1u>C_1pcX4zOL9#8ocHY;!
zk>&EROQaJr?Y0cUu%$uoZNE)
zCw%PePma*>U(oXT?EG!)gxyu{h`K#nPfKecmGT%7PUQPu9&?O&XUEHat+rEdhIaQrB5%LHt?vS
z8b2;tIhk6h{!{&4rV{}6B=bkQ#KQBGzx?@m<;h@FIW;9(JAIy*)UJlz9$aLZjZWJA
z(GFdqi@7Mj<)4M`Ppam+SA-AAchcM%MGya2c|Zn5YkJ&9>!Q~q(PJ(EOU``1AE@+m
zxCO=i>co1~iMnTgDKglh3Hq=mRmDAGLa4@OS~XBGvSKIcqPvb9on@JvL`njhFyD1U
zrK^jc*zFR=S*r<&05v%S>R|7y1AalR;h*ZFUq*cT=qzoP51KX&kIz=hVXetH-&H$f
znT}6879v%L4_=wSHIx9@INnB~f1!gb^|KV!<6s|ZL~$3f4jyxNX-{Uq_XAk^;g!5a
z%k8l@wwR{B>QeDF+;1MZumlyfo~_k$jjdMYg#=n+z3CX6?FaDJq
zS?BitEYY2VTA6T@$yBxSy~xIA)i^bYB`&98;Y;@FmpLhFw2E{unXEwB*KX_Av61n-
zj}0N*GW12epsr7{4YMiU(<54wGZc+`YZ}UX!YICP`w-WC{KW)u)
zBKRS(*4dbDK4o9sO7)hMMxgXMo8b{}?$=pj;$RS(8EmuUHr<)Tc15bwFi{(rR-|$k
z7+pbY6+V(3G`0ALw)M%+RJN3C7e&oK+-;C)u0~1K++f&IjW%4=u}&VYVZqQGD;MHY
z|3K;z@?=-YqpjhXVq&NhpW0X=IhD0#G#9rw%KjchB
zI%H5kFW1XX{;60&Jw2CoCUFmhCfCZt{teH@(bH976g#Xar<6u))md|$0e%Tk(7VJo@&~l#}?RDn1Ox
zgNjOI(9Ar{#H|3WEeNM!q|cJfgU%N$Xv3R+|Hvu&bnE(dzvd0;T2uEO3Lf7UIYCc6
zWb4}IXhty%7EWBzdsWbx*o7+@tF0)P!&$!pbj($~5Ovckm^iX@wEK`_GhHljVMFa#
z6n3o<<=CW@Fr7$a1<51REWrgj=!gR`F7$SiuxU0+`;)L`83??QLM#VA*OYfJsQX$6
zcL@b9RqC2w+)`)L)@-us3OnZ~=X}m3A!^<1%-_04KDlnGR*=hiavF*&a_084i|_{5
zz@)>-xon_sfFH!u#Ir?vo1L4>zG?B4ebc$ry8P@XH)nGBW$vFjzcR7%BwL9Ry!4Qj
z5YfKZVdh6xUbI8(qspU|O8DiXj(uelf_o}f6s}xci4SW*jX4;jZ+5Dow;#EZ;bUNP
zGOHs~EB5+SpES1kZs=(KsHDro%FglUQRFke>?OIUr)W^NK);eH=F6DgOsY=m1{YVF
z7<)C;q+|Rc(#C4}_r|vFW$X9G8oeSUJK^hk2gJcBnjxOfK*ujF*SS&3s^oHWbniK
zF>HT|3LO!~2f3TteU2~XC$4k8U#d@nYyof)pB6=3sApm+<>A^u9IF&iwqL1VzF+l|
zm!`qKnL=omSa-4OK*k7XUSZ7r+YODliCW2GjsYlm3KQ)75@n
zB1G7GkhOm|8f7)tsk2+WM96rcwP&pj99d%3gfHbI-Z#a3X-_}(gSFBuY6TT~e{IW2
z{_+{CJKp@%+9K*hxeID9ZjabMCae?!BWpU69?H25R88@l&;PL2)sIKL$|9EP=i@W2w
zw26`0o*tcNp1zeEsy-a}Fo+88%rX7=)0XNW!k(fo?H4bVP$Yt~F6S2|m23nFolDd&
zLMm8<8#dhHBQ?B71_MA15CX6PpmITS>F;X02L-8OfOj~A;uh@CFF+X_LMaPjs64O;
zCr!eF7YYL6W9und5JHoH^VoW-7SvD{U=!|=v<2JCMU06nps@26%1dP(nMvmYeOLRQ
z)(lsvpEfl@nH`W}O2yj?v=540e2e@4Z)k}8zit2LPXCvo)Tpqt*5i6`d5zf4)3IXh
z|4^RUs@MFm?q!wliVp)W9S6uf`}YCQAfGRRLUG%9b~5P!f#`~{tjq#!HQ~Z8B4=Da
zGzd7+lj?ENCB7|%rno4C`-Z4WL9&Sy9^cu-&(34`xTXDx?)Suj(tvnU~d-8E1(hP4BK8zkL-b+a-*7
zh4wv+o%ge2n2}xs{T3$Dboa0~QT~gvJou6&^JnPk_c-gNYcB38_IatUxK`-T01rch
z`{MP`{0?dQ?Nv99{x9E!jJq56wFUSCY7=me)zG{K%{{;h-~k!FfIKQ$?KR0XtgJsc
zC4CY9jq^+`X(MOi9mc}^$
zpi~3byVDx`I)3{v-)W6KiSzzjcUt2jsL397TH`8dFM=i|wN7!@wH?%s0kH!cSBCT-
zQ6{x`VA$Dj%WO^x8ay+Q@7PAI4c)hm>yJDSN_Lok44R!XyL23-!4h)+CG{)z$IxKs
zDEXdm^jGwbxI2*lywvA;^i^W*zkfL@Xy2o@Xq3$I&>Fz(%!Q?UDegd(m)&m``8NYG
zvvZ%4^-r0KOXJP4$7
z(?02{SlEiveeGyH(>CJhHQWyjNwrj*Q=-WErmXE=mHGg?3@F$hdKf#+E4a^N$x
z*CG7`@+**rZ_xbmx}ERNm>`~u1cvTe`|mf6ggkfyD08u)!^sE0EKzeRg-(|`sb
ztTB5QNJr(*WqohCEN8u}2crI|FI0S%wpJRUMeisgL)tEgN_fl*EG-RInx`|!MPMxu
zGc2`o+=H_7rX=gf`K3O_50lF0ZjoIr(rl}&htv8wEUTrjLVvwG4F;rEEAH0v5nRI@
zXk>F@(K3HX(idl2T4QMO;*3eXP+HFa`5g=C+$!I(kfkkXlIoE9DzqmQy_7FOPe&8=
zM$XF88Ch*p%S^4b8hL&Xq$A>Q(#Yj&C6xO@mw7eFPyHflz1iJTAE3{eIZiqk^^@to
zi^ZAlC+{q|c!juH_LtJpYu|B^+WBJ7r&a>Cx;TS;p!+fMuz1`zfPI0m4BQIbDJ&#=
z1lNC;R5Ns+MmlrR-5Tk27VGUXIu|1?-?>rd4HoB3YKyi5X_Nsh#u2Dn8j;C&bnK?R
zrKi0dX;gI$J36v2;=FIrJ_h}G$x;>Vm29U+YHy1>tiFtNKv?0H2_el1$v^OGsV-Lw2dr02cL-NKRk~j8{ys?MmjXfl9>>>FU&d0M$lXt%il#Jzo6gL&4r_1)hgl4T=FH3*9B>xrm#zY?a
zj7+X6&50*y|JX$nY07NVCumcVmgDNHjhCKx+PwB(mGl|;(W(+naa>Dw@7?y~l=2jx
z^2qn+r2IxtyKa`tk6tzBb?(^7{t9(V@f=G2U$%!QuKC})lP6`}KY%?sKbUglyKWYr
z;ods({kC!SNY^zDMuT|nvc>(aeI<aR1H*pL^Vitmuj%;Zq*RgM^!^r_o#-c?o|y}
zol%`tomc%ubwTx(szdd*s#EoMRhOz;&8S&5r{>iPwMwm4Yt&k`PA#YnYLnVr*hN$w
zQj6-aI--uMW9qm%p)OM=)#d7xzzIr0EocOtU=U1#Rj>Qb*%~=%QRv=Xg{n69gg*&4=|51UtvZu
zKP7+fwg$AY`txzD{`?_UfBuSXW6v=AxlD2OXP$Y9tL1KDe#_m)eVuuk`v$j)&2Zo2
zzR%Wi>$&ypEnExN#x`)L`2_nge;a>0yM@1lAHY7%-^Jg>KEvP54`X-o!}*cy9)1)*
ziv1Nonjg*X=ReI)Vqf4V^OM;Z`6>Jq_7MMB{{pbL!A03YMqmvZvigxZnMVF$Bn~b%j4`D6o6y@#8zT6Du4&_d6rt&%EFSsu#
zf2aHdH>a>qCW$-?Ye~P1wWMFcTGFp$73ue|esq0dS4{4Qg)d_LKId-6Bm@Xa2*^yB2a!ocKx8HiA_6jm5HJKx
z00EI1#4w5&WS(aT^E}#G?0b(^q_!U&r0>0tXIpA51w=%Yx6ZmZ6fk^5p{4daUw;34
z&pl`Fwbxo_@3rp@2tbfVxuc<4v})HCF$2bAq@mrQjDas6LJOH%U$)Ry~-!bSnUI~J9ZhQ`cikC4K6T;Uyd}lP`PzlvhA5WnrI-(1Dp)ZCa6C?53EnAAhf`<|)g>tBg255p7
zXpioA9s`hu;TVO9C;}^~WBUX&?V8j!fzO7<5P;@SA`pWzD34mGgT{CgtI;VT3S-
zS;r|WtRk!}Y$$9lY$Hr!)^&Oc`wCNpX~GQQXyN$Gk^M8BslqJbJYlwQsc^M$W9G==
znNE&ykMNN2gz%*Bl<>?5_NsGMcusg;ctLnkcvX0VA8U)B$=L6q#IN$pgnKY5pDf7F
zxXtsF<|p0b*~;+DR*;|hB0MAgFh8|;ZY!OKQkc>CW@NruEZ>Z~2aD&MWn@gb3Q@Wz
zBl69%`J}~bLAmdx<#~<$?n=B)<(K&%ZOMGIM7~&=*Uw(O+NSaPITf?8086nJTd@a6
z@E%U#Bm55M@hPt01}Q2)Q4~w%D3R(@Q))+DsTU!Uu6
zZWuaSe5}+)RQ!BczX@rnt)b6LT@7h$uds&gi4EHwJ0q;~!V(?t>6YjS@W@9sFO%8ToH}+yb4&pG5<6UY_Pg4tONo}Yt=Sv6bNS&xNB~cg7
zoo<{xeJPW(XC#fHS7}$HD*O5w<{S
z^^LlrzNQ^^gdJ&nc2PTM8@qsAP+e0uZP;X6cEDD)W4p9NeW|Xiuk1p0VY`TJ+nRRB
ztU8n)r-sx@EE+_qG=yH_Tu!Hq+s8|9Q#S3O-L!}Ht4I~4qSZ(>N@a8X8hR=N{1kP?
zJb6ddiWwVj`Tp(R)#?M@>-QeuBZ6z_EPn6Xghy;ou2sGrybs_ND(NA4D%7sUt+wNL
zNe^MHx7$my=jgrBc+?IG{JO7Ohs?+H_R9{k7jmUq7~T-$Z$9r6%fNyq=gd(PVie{Jl+
zyZJQPcW3<*t;pM+c&>H*y}bWz#AL26vLA^>dE1u2Rk)v#!!edCpE-C3s~@p-dD~f*
z_X?qG9*5~Xr!VIEEazXw(!6ah$Ge-{Ct(KWb4|IPD}zJ-f>z&czlCOqvx}+s)lbw(
z^`SbWeyUEZ|4{#_{!5)w@6vkOKpSZjZKf@>jkc>FsUNHN)X&t<)d#ed{J6w%8{dD1
z56$nPT?^n>a~AixgUif!)fwI~KG^#4_f@TXxcvuQL45me^JP=Ss?XG?>MyjG)~Ua$
zFVsc#H+4x}R)402^bRee#k7R?2+L_Dt)kVmMqN>#tE;q(Ry<%<_&rNSc>j9v?rQKM
z^!)v^aaSZ4yr@y
znA)f|sm)wzPvZ*wRkcNJRohgK+RnZ0RJ+t}?kmW)rE*dZp)`Ll$GbVjHfFG6U#Dz1
zY~680`_|zxwl5mx#l{M1ky?XFe18(ZUPGyBsamF%s}+>4mgIY
zqQe%Yu|?@LjIGF^>Cn=Dtn?qR)~d~1#U
z19XrM(P275N9hi73O_i-NYKT^L`zrqr}{+$2E&r?61<@|5hJf184@74;-?<7$u#&uyy
zl;Vmc0cCi8Er$x6mz7ZkRoU~^P!qNAI2xe|dgDc|pi+3nO~X(O<8^lgMshvnuf8+z
z23J)xF-xA;eC}Mom05W|*&}3M$ys%473dUR1uFTgims>I>UO%l?x;KI&N@kV(bM!2
zy;LvPEA&de%8hmt-D++Px29Xmt?f>7-*B_sneHriwm(nn4{o)ZdRwcN@7Jo{ruXW7
zdcQuX59!1Dh(3B}Kf#z_TrfUZI#?!HHuzYuT(G>~n>&#+>NE!Gy7xS~-*rs=*0D9u
zSo!pxfwf?9b=^`>1=b*FAG434sQsmV9T6PM
zdWd3c`f%R^^*~hBFYA|)$Pt`|YGP9jj@vdo&NiLI6C9fl(N3)Cs6W%6;RSs|-#{*w>fiRS&6RQJXK!WY
zzr(m5)%?_uefgbh5iF7KZNBsBuSQ7aPH_DSi>r)w9M2|v-_!iQzr?W#D3IeN8K$WN_HK1nHnk$SR)R$7YzRTeH
zVm#LpSzI?{^X_Ri?z@Gjx{D(RsQ+7wIb9uq?~93RzKBjFn(juoAg{
z-@2M;F8U(6hz>wk(PZ8W`kG>&5FLabqN(U5I?h_>D_urUU)2crny+@8d(~I3r2BG@ea)5(KTZ>!Bfl^(S|tyZJEjF#!Rt~GY8>0W~%*j=1X{iInMr&`I@zo
zciETmJS-mFMOZwx&tUP${>qF&3udhQH)b4KGUL&TSsKqU6VRGj2G26fx|f*ctyRnl
z?iFT5Yb~>q`#H0+dzo3)TEk4VRx_*FKV#N%zhO4CKVUYpPcs+Z@vGdp`}{6JhdNMK>KV!+Okr=0V}Ip{_UBf89e`<~$<`KM>9TjoS3Azz
z@2eN%Z5NI8c8JD#J4NHYJ))((U7`uzZqYK{UeU7NKG6!^0nv)yLD5RyVbRLo5z$2N
zsAx4z@Z;w#mnUeV#BY+sZ?YdJYqK9AZ?hj8Z-XBdZ-pNfZ>1j<&-Zw|=li;}=X*B6
z^SxZgTjxi`Tkpri+vvx`+vLZ?+v3N=+v-Qc+vZ0?W?s&9)>csbL{~y>G-k{E|09Y*
z9m%S?e)gcAZ;$-?R{z$kfqst3tI@a4)#4WV!{4Vj;GIVw`~tu6pLf+Ku*{z;&3?1P
z>@>T~ZnMYiHTyj6d7kSzUO}&rSD0J$f5+{OGx#-rk3U$`c@CcBPUd;=R$cGTap$@>
zJ$U33pX$HL^@o4?M;tPYu319IO-;rnubO;owP%csA*)oKa<
z8%fpYE{loJ_GUZpuqd>%L^3~JgX~gXWhWx|KTaj5ij(M6cWOGdow`nar-9SZY3w}Z
zeB%7k`NFyCeC}LvE<2Z;8_w6xH_lDXn`mw6fVQ1KIe&KkqN8SAtI9F1ZFtzmF`hA|kcrgF6gRQXSEjnDW$KzIOk?w;X=U1)jwZ=;H!qkz
zrk_bRgUk>!)C@P7W|SFgUNaNT6f@n-H1C@C%=@yl?9VxwV#nBVPEn_nQ_-pHRCTI3
zHJn;b9jBi2xbuY5$Z6&@cUn4aopw%pr-Rec>Ev{FlAJD1SErlP-FeRG;XLpB!MWgk
z>Ri*FE~pFZ;<|(`sbh309joJXJnvj4dL=o(YXol^%h<*>K~vB~m?#r%N|}nLnyG2(
zm000040tKc3001BW3wWH>m}hiV
zx3b42jkISp0^4*0w$HJ#P4B(;-g^sRO6Z~YP6C7wdJQ2Yq>>N@m@6-GC_Fh|iM$%bJ|E;5+Mk9m(k^HD^LW-m-!uMpd?fC%TLGL{HI2^b`HX05MFA6XV54VuJWsOq7je
zRoPg+BLwEf0)lWj0i~kWG?zZ1Pw6w7M_-5nbeIm&5jtigZG?@oL0i){wvB8P+srn#
zo9!n1tKA}-%8s&|>@J(jI`%(hzPk=Zj`^sO|l1%l-uMkxl>%0
z+r=a?nKO&LqL&`22g%KHhZ-Q)`IAveR+c4&!kn0g!bGI#Eo;hJvWzS%OUcr5wcKrQ
z(nz^Xc9s=nMNv^Sm(65dSx%PMqcAs)z+5;Ahv9DAgZpq7g;1zTPbsM-y+bWT2eCw~
z5NpIbu|;eU+r(zET`cowP^THSZ8ZATm%nP&?2x&^*vG&?+!Iurjbca4c{x@G$Ts@Fo}*j0wgE^92h9O9aaV
zD+SvGdk1F*R|VGxFGQQ@G|?HNgV8b3@zHsr3q;q6ZWBEwdT#XhF)AiBCUs1@m`pK&
znCvk*W2(ipjd?eV$`Y0(I<{}@lQngCQ`+*D@KthQoTiuSGZ%11AF)0*?dFf+CpO*OE6_AXq$D%Gc65*elpCxFERpZ!PKn
zp`~_o!{`s9r~a)am9HgZOw`|65@I?eYYE0C#NLU0`(IiX#qIrvmI1jEa`p4IWLOyV
zwTL&tWG(+#rFz2uSkD93-z2?nX8q@ayq(v-bNz2i^>Vs@TiyRtd$rxAZkLt_ajEj9
z3b&qKntr*|zgt!&Zb@7t#Ff#>zj>WFH?eoJ6?Zw@@1NW!F-Kx_VpL-0#PGzk$^KHm
zSNO$q7sD?+O7c$ylFAerl1guEvX0$y48~wA`eVc*_zo_&QAw?w&n@zMUP(DK<))Oo
zLsExC{56V@*pP&f-67XP-h@(UuF!m;E`WfAtT2
z@*i!X_d*|pd13UI7nU~Z2}}RCmpaK$dMDfQ|NK&65n)mP<);tJ@tI6g*uiA=9K7Tg*qi-+P_*C1d2kRkXvCpj*vaZ;shl~
z>k)dSPpDizaq=Yd)A$4(hQodSjKW=i(MPaP)RajCqA*G&SBVH}k<6jiG+YG45TCPi
zebUbJS^I_0!2&*M4=1xW!l$jzT2aEMZ6lwzO?=iildDB9pSPQnh-`cBd`agSO#&v=#e`VmL$;$I)~g-=`D!0i6^nL@69eNAVkai{Dy--&u(Z
zt->Egf(R3Bajy;FejAMkY>Y@P+T%gd0dLz3c*o|)`?jFyg1_4m_{5eJ8ALa8*Q6Ec
zMOTuxI%!*rl&!(1MJCaMQrqT~#qt13e
zb+HH3Sgb@#u`(^g_OxELQRDD?3;56$G8fEc3ffL?lG$#y;UFAL2k{51Rf1|uo~?}q
zX#uvQbyUa>!78){tI}$mMt5;K-N92fH=ee+DB2FD7(0l{*$GtMenegE3F>B#Q*}F;
z>f1SPvicC0+A!5ljaTi}N2-IGfYs<{oIzJ8i|tIY-b;$JT`1mmrE&JY`dCd=lSC&q
zSxv#}*o$`HQ);ZHs%dVfnvR{+yPN@M(p9`?^Qw+&hU#R;sLpDpTC9FjOVm=eO#Q5u
zs}*XcTBTO2HM~=;RqITIT5p}&pf;*s)F!oA{c0llJ)6UeQ(M$lwM}hTJJe3KOYK&B
z)Lyku?dMtQfI6rSsl)1sI;xJTa;qe&Z=|jyt<$+szh~3T~=4rRdr2W
zS2xs6bxYk=chp_ps_v=#d{{kD57lq#k(=datHVQdaeFs
z4I|j&lrR!T!Dvp+>D&))5uf5S{$4r`#=?g%o^SDO_y{KWam6zDSgi3LcxlXabH!XW
z*ZloBSHyfTZ-k7lv?$t*ET%`z{mm)*Z
zay#XWBgZZ!hPu=)y;$y5^eVYj^xsl?5cxbA-Y38|k!6(H%aUTowbsUR7;b9uhnYcR^!gs|ku^Y$G
zOk6DX;30e<_TpC)vKn-Y=I7oxUA#oUw(EFU1t8)YH#$&`0aa0@^C&Wo{
zN}LvF#5r4BoEI0wMUiOV5tqdkaZOwm*ToHSQ`{DJ#9ecdKd`O%eVzl~z(Sbsmbj&`
z7=D12@C7XKW2@!xIs60*U@3eBKkNLum@c4;>w>z3E~HE9!n%|$qD$+dx(s{|i)g3K
z$Lru*_>M}!3heDin#(ozjPipTJ-cq#snDS0ig;`LHu5%C*#
z6pzI3I8HnfPsKA{DV~cL_$Mx*4B|Bv!JgDm{3+hjU@4@MAhk5olPF2Dbo8YRm8oQE
znU+q;bTYlnz`>Y+gZ7q;v6o~P87JdqR+&v^mpNoknOo+e({x7W
z&S`@4+QJ3Ra8Wx*)G6SSP6?NF
z2wc&je2DjfgA|YwLLd~vAQhyBG>{h3L3+pl;gAtBL1u`6NQi;}1R)w?APdC0IS>c&
zkQK5)cE|xaAs6I^JdhXiL4GIz1)&fWh9XcDia~KG0VSanl(v6B87K?o>}&hRzJ>Bo
z0V=YBN{nowGBZ?xs!)wna43gCb*RCqpeEFU+E54TLOl;XfBW*-b6yIl4-LGO(9qmA
zcRb-qXyhpmJPnOK<9W~onnE*ozy!F59Rbau1#PDNbl;}1#Z1svwGHe@JKoN6Gwf-5
z)xM+^Zip)CWngZ9t?-i40P2|7a;=nCDS
zJG=)y{Igy!=nZ|KuYXSJ4+CHz41&R&-aj)9g<&w_Wd_SK5SqXczXQ-PoV@-~ifdZkU@mkoMs$x`wmqI?kaR_zB&_xpWJ^
zrhB-^8eC>m;mk!$xWNkfSTc5JpZj{Y-r|kAU%3*s@Q9F!^+2K^dj-`rr996O(
zQe`g-)wENomYqhm?R2VRXHZ=`lbYDM)YN`T&FnmCZa-69>_O^o57B$}F!iuUsHZ(j
zz3fTqZBJ1jdxrYjv((?7rvdf?4YU_&h`mfh?G^gaKA>6l8O^rOX^wqi(|PeW(LQvQ
z>})JbUtux&8jI66Sc1OAlJp&xqJ>zRzQ;231D2&lSdMvIjR&9%5L*W^0*DbB~w@C%%WpK~K_#!a{dH|FNt
zlw0CTT#Ku5J+8uaxCS?HPwvaTxj*;fe%yx#;5kgh3wRmN<0ZU^S8Pw)$M&}UY%klF
za#9}3P5CGn<>j&b5r4=Z^EjTs<9Q-|%%AXQ{3(CVb9p|`<1aXZgB-;%9Ldof;4EC6
zi*bFf$F2As9?C=P0NbCZ@l^hj7jPM_z~#6Sm*t9Fo-1QhY>CaW6*luvr!BBGCvXRD
z#~ryXzsv2p6K=+BxCM9Muecqz;!ggCzvu6G5r4}+@IwBPvvN+(&bc`o=i(fkhf8ru
zuF9pk3YXw&*ccmOLu`OeOchhz6f>nvW$walxHGrruJ|P`z+Z49ZZc&|X;YR*@Ngc)
z19=z^#v6DYui;fw!IU%Qc_z=`$vlZi@o1jTQ)miJrb#rBN|;KfqAAHg@z=bVzv3lS
zfbw%3$8x+WVTzlYrk1H~YM45vuBm70n+B$#X=DnRd?vqXV-jQyQ!pv(#23s%^C&s*
zRL&Gi&Owzog=JIOOx7`N^{AwH&^%7cLzySCi22>LGwt;mHu|hSr_bvP`l3$M$Mp$)
zQs35h#C$nNej?|}Pvt!MnVc^_mtV*Q@=N)Z{91k^zts=yD;DfHEzHwlI+aeX)9AFe
znog(F>kK+vXOwqjXPrrB))6{VN9lkL>S!HfcA8ygx9lz3=`3o#IVOKL$K`T!%A7GL
z%vp2NoHpmod2>{~=cdX%a-ZBQ_sb*ls5~eS$V2k5+$C4ax^joys$=C^9iNn|)7fc~{;uiMG7CM8#ECT5jjNwQ8>Frao2O
z)jai?>Zv|gUznfGaWz1>}R=H3P&40J_UiPl7$v^dE&)sYCoBjLNH)LkSx34F3#3UP+BQ=(tUxJ8GeI*&6R0q
z=r?{^&wa8@AW1vJlwo|&yE=MzzX};jkg*r|p%ATS#>`fW#&+%nblIZSFgg^yy?`>s
z`0s*IFghK%Z`n2(AsL>m_YKqVBG(~Pk%$f*$|%tl^t?^Em3#eFbJFuW{`URAmbTRk
z1hw0NO`D-5sLH4sh9XHxahF!18k_{J@$)riK5qvCPV{0ylkFgaM)0#qM(d2$BP$BS
z&?2)OhLVhSa1e$LWtG4^xnc~5@?JZjymVWQHB){(pev%sJU&=>*
zhq5IbdQbF34|gYP`69yF3Zk|ZZ-;>l@pN-1z$1%;8d!EHuV~yW_l-=NnlT)uE0JR9
z#+2DVB(nqilrK3nt^_+d<#nFrjD5j3&}I}eC8}#D3#vapWq7_@vPa3DP%kHcGQGtt
z!vzl!N5b#PmQ7B({lK=Q
z9hPi|rd5*3_|%Q-4$UYKg`hLuU49)vx*<*TX&a|$oE)0PHFG*80vYJQF3ot6=tY8N
zkTi$pRBJa#a@~5kOw$MQi9>Iw)>hEkNtKoj{k+znRf#d{?FGr~tVd?-(rlTV6s_wf
zXZU9tKV&YU64_!qNH}?j*6pFZY_?=eyf(yE`kY@u@3SUEBu)6=g!bi9ol?NWFyEg*-dywptRW8Y!=srw{`is-SG2z$foJ;1jbOq~G|qZs=}&|I)i-1{xnwRPqRWUM
z4xj8V8au8!bVXIp)f`&?FDja_1Nv2z#8@hdifHoiB9(V~y{2qp+5@b0tVK-px@j&h
zzPpIbaTkv>UTgtJyn|kSCx%N{%(8(RN?2$hE(mP}
z_nlxwrrR!u0Y~ohXsGtRMbx3x1Dae7q(FH>zo4tO@3vN16f0AZfG?XFg!vu
zWRs0?wQ4$L9Kax>#%@p%HGCV{++A^y`}z>ZA@HR7P?e-yC@04NDX8
z=lRtTho#(5QdBr=4J_tbSV=180tWEbNZmfF-h7#TBImZEYWc)VT}9W*Js9R@fw#vw
zC`*MZpn9VY8)lcAOQO{)7?Sk5I+g}@_-nLc^Z)8TcAxi4O=5){ska>teDpaP!}uE<
zzbyv|7{oCOxrvY$)8WL|9dkHeq05-Xk5AFx!Ok@o=IILXT}4+RTAVc>c@+(O%7%IR
zL~%P(3-D9b$DRTB48UaYx$2u*(+1F*E#~+D+st9G!yE>?%we#{oZA3jFo(gH%wZ5P
zhe60358xhi7~E$LgRhvw-~n?Q0ADkQ!8god5HW{A%p4bBpE(RV%wf=F4ub~j0b@SEcN1CxbKZvX)R0ssF14|trc
zy$4`aRk}Dn=a!iylj$u}GreXqlbOs+dhb0XgcL{uApt@sp-XQ9Dp(Lu>;g7WRInGU
zYk9WSRd?UI``mrIuDcdQjY{U`f6l!#$)th){!ccWDY@tC<$UKm=dcKtlf@!5wiN9`O5gm`uti1i)mo<`IE(tI5d6Oh%g|Jr9d~3E!q-z#uY&;LkUi*Y}jI
zsB>tXzEl$_zhA^wIQ;HpZ>l-XtQHuB4KlM&t4XuSWR^6I)@PPc_v7CU^9%7s!-t8D
zsrlB@x!IxmY^TL6?_OmIxGWC8$&|tu^0i@`#)lsBX|!o(narFa5agSrkSuB930vjK2a9}c8ZMXsF0~Y`W{I*AU8a_|Mdl*0Yo+*X9Bz*spxK!f@
zSSAo-M({uSR=>Z^KpDcHnN+|=eX6j+0pZvesgvYMdTej(*nBj4AUzlw2Lzb-xJ)Yd
z`w)8+_^qQLKQZ)#=Ji*Wa3(^|NS9i5VyjV-B;b-_G8U8JC*|51g`r;O7(&0ab2TQr
zTxTNKgpftk{vQ^LJq+<9SxE>#8aatUWCH(UN
zUb^{h>@P$bX2hQLw_C$Q*lB9{yVQb@!F=iywSheG2M7aa-34{yeF!6wC1W{QEDIzr
zke-T}3`$655UE8Vq6{2@RtbX$d%n6aSFJ1PEvGL0Vc)e|ufFchZ8^I9xy8U)w)>UM
z;me<^|w+ZkKaX&oSVDwIl#W-_8(f>
z!Q_7E<217-4%E5o$-Ew8L6Xl}!dscEi^6GSB&?@C}YZU^eSgYi2<*j`Q
zU`H-Xi-^`ABwO-0En6kzuoQy~hKB4T2c`L=T_8aC&gQ)#h}!cR0-NAzF#$`ValnRA1dCzDt;;)>nR4qo;0o^qoWu(h%y
z5!}i7qdXq{N6x3d3%60<0X}vT`6_H(_-gV*_y%kl)H5mcQzU!_XDQ%QkYI}`@)#6+
z0KSJmexf_vhMfe*4>JQDK8%I}{KG`zhaX=09*svN-WG=cjq(sYOpnQOKt#a92sU!t
z@Vh?hB=`!x*2c;dfgC4G@Kr>XGXUQuSkUSj81J!+
zFlL|_@+j~{VYAOiY)xbmrH2691&lW2N8wvqq2X%<~xm?6paQEbqMBy$q?+b_RkB>lbB9WQ(4;~YB*u)~_N$;h;JKx`b9`Ns7_R`(k+C9`)
z$m2p!UQnu7@~$
z!AgJ}&4O4k7LacBKvEglas`NbdB_(I%19(J5j>QKX9KLEYdr$&aj)}lEJvthW#F?H
ztfcYneYCDd+hFT|d0;b*_44yGvU&2PWcgk|q@swh;QoRYIz7T{;9L>DZ$9Lx?ibdsePK^U
z#UAu~cSYRCPj~e%e>KY2{_dxl01=JF#Qk(ER-1!&=pm>s1gzvKJ(VLsPv?<3l`HlmG}ZdIASfAH8Y)gyeHwlpL1eQ5Uw-wR~Q5kco(c~5S
z9jv8hWu^K0Ll5DzFP0`#?};4t0Z9H+H~xN4fva(CjVeWq{b((o9a^@A(uWg*;9ZqG
z{1$m4ciGX|mD~Fp6at5a_6eyY-x4gykK9Q78C5QJbkfAQ2py9`r?La|oJy|1?@3fk
zWoacHc^S=_n#|61o7Z(_7H@lcUFq(POPuuyda*LAVR7}qX86@r@T>fFkF47INeyv_
zOp{t~a%l{ss3`@9FYRH}Vtu5EmY!{=Dqmsyc!v}d&M>8ZbYu&kki!IL^h
zI_-{c!(08a?Fh!p0%HOzRp6xf$H0#z4GX#N28SiF7msVt-mQcXbLH)lG
z>H!C3A4uo{192l&LtUh5h}Fa!mqNrFe@1_Y=D~NszZ1mdWdZs}hW#64Qm?}&UWdQw
zr>JX=hD)$#kAlHJ{~11e0Oo0V@L6TVqrhh)vZi0^Fzlao8=KvL*L3S=`>*-z)+WGn
z&)oQFdgtyYeBSWw+x~P%TiYFf+6G_W(X_iOotDo5>Nq{7FA`fgG3iV4SZ0%oM?f$M
z2$@&3>G4$(qgptc&{*kACqHZ3I|plMxOE5@^2G4%gRkGxE9R;VRvDAxbfC<~-(}-;
z-TwQlqR22v((!I|zAa|4;(>|wj-xRf_{nwQCohJd`~*&Q;k+uDpQsUmrZ|rg1yS;Z
zQ9XQ}Ye7cF0vEnYVP)bc%roLFa6B6`o)t~8BjZX&$IS)^j9d{6p~^&@h04E3y~5+N
z6FJoR@2P_SF?r&Cj1$DgNw`1*q17YsYMF>9{E?kT!^Z#HoUTlf44cUl2F>st`f7)>
zN{`P~SRqPxt9DD!)q=R$<>c-(VW(8mxYy=O
z=pf2Qu6We!am4UxC}q->(dr#$!fsi7J*2ZVZDyVsJC@|D_AeaZ1OEP{B`p~inVDbg
z=;>dUzVx|VU0eUU+^TiW?n#8VonJF}lQr{!fmt^%%O?|MBJd8GoSI`OEzsr9FMT;}
zcDZxc`a?JFSLs!XW^bWQIB#LF#;34WE-km!RTcPjxM@LuvN;(tps}&Fwt80a=EqlP
zEV6hyci1p;fpC)VKz)Up8zGaXh|LMa(1Btmoj!{EV5PGsl-W^WT(PLU-I&akdn*RD(@Kr34W(z)}GG$4;N;iF03uv@$}%Px36!I7}Ip6Dmes4+e-1s
z1^iw@%u1OU|FBqQ(`;tqTN_sGcDrN^u8YsL(1rt()p+Y@OxSnzV{`#G3M}U){X&{Iv~Lr8Io%7!AMp3iTvBiU4OS
zEEV{@B@cG+I;%~EZ9zwcQ4T|_ktroLAMDSKU{p8_>PH)@<9(At>W;+5T~7`$n6^(M
zCBi$-n`|Ac3%-fS2~Fu}!NC{NqJ&%l{n?agPh>8f9Yre3ehyijb8v3+_F3+smezt5
zz9F{39nu7w;EzWaP)XU{_Fli4yEm@F^$RD%QmEG|H!M*|$JGEvEGx`D><11*d;w
zGcUPf8vUN0i&_-kL{XnESFmphUQ@mMz#^&U(FBPgLF#SDDO+4=NlD4_{yLqJ*(4&N
zulI1@`~w|MAf~?dIOKYTIG)Rot9GXz-i76=RP%J2g2Dogy*!wlQrVrJvC?lyyMpTA
zm~Domd}m)?R_BKN4<8AC=nZlcxm<3<2hhCP!Bob^sEH!XDY$wCXElz|
z%-pvW`uHE9!xy3qbF?nO)Ji3gx1NaQMp+}mC}&S*Mtgx#8?5uzF7XZ>PUFe)?poY@
zO>Zb~@b2E04PI>6?{v=G(bm4H-c*oH-2RKt-BaFLw(FJ6t6n+S7)-^`($vTZf=$-b
zb+8aq2gAKIPUSG>?WS?^Ou`A6ra&ry>ZE>|9~+@@%ZIqtdTW<@z@7s~(s@R-1rD1bh`?`wc{A@hu(jkOl;nwFj54^CiHkkU!(Kp{@_)`FJ
zv6DyO+`X8YxrD~*$v}rkgD-;#R2&<}W)0@UJUtc9N4aW9A!lEtmCI{vgxI&~@S_WE{O4WG#hcF#%s#QHYIpyU%&m2b6n;vQjF4z;
zNi#)x-jxk<2cM>+2+H{@7)#?=ZphQov8UO6p`$dik_UDS%qne
zWatq3mJb9MKY4Xs$(APu=H9!eILU~u_0BA?Y*=xq07yW$zkZx(U{m?!a4oCib2Sqtc%3$O
z?f%!d#-a~>kpmL(D)|B{nZ@#pY^fj@_#<-X@M)!B9PUePTGP=$&vk9(xg_8#bfT0}
zuM%*nFkZoDYt_9qt=G&;mt4gc#p4oBZDz?M!%r}}=78~%P5y(GiB{0Sl-V6)3=AC8
zI2>Tm^oz#jheYj^$)9zmyz`DilZAerGOF3*+9;U{8KYer|tTIkC{SL8w@yvLF|
z4T0zrQ=y)Xr5WfC7)qwWy#u|EkH1PQKyRBOSVr}k{UMZ5`b6BIKtxj|tzd$Z)0}SY
z=qnhXj>c$Mte!vyhF_bMWyY{Cf>V44#HsE#Y0Y$4UWSQdS~3Coaq4kJg?RmP1ks#k
z>Sn3r2Q2+WnqoyxG5e#khS9j@&mW|qCmP7
zGZ*(1M8=PWP1`nvMM}umSvnM-CsKqww2>W!%iv+PK|fC~Zun^mo%Ms&>J*tlk?mus
zYdg-@^5=0AxC!$Ub%F=~_lpS3)ibuXdPvS539qJY4TBAFkjr0~z~?6{QX7z{8C(!5rhM!AdZc`Rrj~okf4hD$yZEKx(Cq8Q#hL7X1_
zd`ZmbPod8l8|7e7M;m{mj!tj1zg~5fQyOyRZ&2uIEPE{8LHm2175EjjO_uePG)y7J
z-zX!R=SS!m>AkF9jBQe27OJLpho;(1?WUaMcuZxr_>y_kxxq_+FJ9B;k5AYo{uNQj+;W%7nvG@_fzf#;&P%y?*=+8LuFkj1^oI}F-$Yo1-
zQ)QFPMC7uCxoNUXGz%F%HC^3pT$UM$5%JeUyqmAc|KCK&w9?4j`0_qa)0K%E%RZ-*
z&TpeOCMFWqvYCgg@A)y%Yg)19;=d!9xMtiuP|5|r
zRFH`nd((jHkp4TGNRFIS0qQPfBUO@6x?&3|b$Z8_IuBCa(l)DV<-a`!O(Emb>J}nYs+MH`+I{
z<*7A;53S0WRpaoA3_fFBTkg_Btwn=gOr=c8v(&V;)tK|#%J7pqt1N*e*or)d+GCW+
zEPlc@J0(FB$gkPh;$f3obFwxOPf!NuRF-U=pX;uk7pR!4m6c^G(!4H_^P0|@jk8kK
zDpYHwZpD8fWUNG1UZk$cjx5tkM3Wj{^03?qML9(%=%=f%D|QYntXSY3LY+Rvt2%3S
znOvPh;Rw}cL3eG`=a$xcyAChPMAcYteQ~CW$4kS)e#gBhP9Dk6!JZhd>bzs1P-^z5
zJ4IrZPGu`<^VJ#B^n&u8FRWYo+%*j%eTpX2&FJI?D7c?szABq~9m@|^j-NgcO|g*l
z&dA8fjc6Q>9_B$^v@Se6(oOeEd{KHwjnsP5S)Vthk%m$C%!rY
z?FMWa4K0&cb@b(zkJ7Ut2mu@;--`6r!qFyXreMQQK&5hJ8T6S>rP7(HH)Od~1a^rc
zFyPW>pwBYkXXtkpQ@;dn!0{xkG!{!Tu3XB;Br(aDe|#tHaP069+(VI!tM(`PxJ-<=
zAqJiS!T+Tq(rJs3n$#za)lKsop~(_vvL1aro%QH=NZ#3Fz_V$2|7l!;Ls%vYpVrm05H{ksWJ<^zq6s0cq!Yp^
z#%1h@a7Xn0vRMUKdD%pPd}sRb|4tMR#P$C#90H@(PXh;z4v-YEbr2%z2}3R$j>z;x
z`$gC~4qMIi
z9iYrB8Ff3OwhcViJ@8{4#fHOPfl!@YT$?&~Q*u&8%iOe?JKH@&Elt+KG|f*<4Z%5f
z0&~~sd}i6AS^mmYdHVc=bC8Fc*P}|S@}gG@Is>U;(U{MJ@X@Z1@jw}$=Tm^W$)&Ze
z=`nr}B7pBq4p?O4eIJAx@uM*Ip)s8?V@_;`4onBb)p1>8q=!0(p4W4U4j+
z(j{7PVtW_1dkj2=*5QdP2wQ@(KM+%8M^++Xb}7-J2rF3i%&v-xUC*o4%RWKNX4XBaac?L@z6jB}DT+
zOJr5m1DK%|F^jG+#d3ks(9JYCgLB#STlWbCb2Db_*l)mk@=FmG6g5|=*FSzDyW6_Xc=p8FI;^ndg|!Gdt;QqOh&b<;o?nk}%&Hcv1RMrG
z$OHDxkOy3rlvRpW^2VqJ(>4)}TV#yw8cJESYSo%`t5y=6q_k+u(6Uftu2-SuSJEv*
zOPpIB`X6P@Y_ieKio&JWV=a^51}4Lu2sQWCz9`Vv^`4=j
z@gPqZ)Rpdhi3XV;q^ddE$htIjhR&6yS(g@#mkpg6Ip&XBmmbQ!r7yZD-M!t9lAv+x
z(%1*TJPh71Y>2K)7iDCP4c(
zbiGwa;tjJGB|jw=BqX^D9O0`8Ol@MuM7@I^sDH6N&+MsNo@wTeHVtF{Nsx=gj$o;$
zvdLB6J_kY#EIc|t&^xC-lJ^BGGg9&$5?6UgS4X+aH~0Fk{?l1_mXIe^O7naMw^6Nk
z{YY{dGKzO(vU!|{p3pqJ@&8Cq{tsC@oqoAmr`NClBW_Qlk=x>@)yV%h0YD!$
z@-4BAe1Trqifl!P+$W~qKtZ5J*oeobQ<*#r+r9e4La!~mB-`ezYOV6+FFDYV+TK*9
z%SwP8a{3C~`L)4@u7;p9zcSyc@YRKO>=~-K`X%y(lD;+mtQmQ!PPf+JO---vubsKA
z)jg(T)j6KLG*5neY37Uqe=yI9a_qZq9rog%^gp`2GE$4eUW2&9{7N#eoFN;n#=OiF
zSK=_QKBdU5pzAF}DP3^bs)(1T)n{IMIZ~8h{Ht-~TkOwd4qE>t$JAw-;s|(;Zs9tf
z&eUrrh+7!pyc#4;DrwMps{#7*`E=jXRU^#)y;2$nGsNL95C=$~#2=V|fovMJ&fY!_
z6EvxvsC?V8b2rA|bK?Wa?aKU&eIy6G3OHwiSFORX7py7-}y}+0Zhn
z&^3nUlwB?u%S4?dKBVVwGbYbUCF2$}u0X^1IX1zGozuZN-b4DxB%3l%ENLy2YVHk?
zYQ+}p_p)C*0iTjo4NxFb$E}AjvLJRrJupLA{0c&dT|<<4TFzs?zZ~eO?nBw@bqjdL6q>g&u%{D>`}UlGyCJRGmraieujx@uf-
z1p=z4Ap1q6@1^;qH&WiDOUjp{X}nw*CNMU@is(J3o!0xMzgF*mGxg&wg1v7-dFJ6r
z*{Pn&@Y)r6g(zOitB%xor!^7q5Tk`JNPe@W$bTi5#+whL8ypVQ=YnbN=ht$C!x@6a
z{$}Z8FZ^~{L%dhOxbQWBMXHTsU8<29S}-KSzdoGC6XhRS&u#O5mb
z53o(jr78>iI8VXlB^{1nkb*VpvUR##UHD82gN?hzEuH?)kycy`85bJW`i4z8blY`Yqpj;ow2(vvpwI?l%(V)CZ(hX49=1?wXylSB_6ji#i)}>lyO8c#*=A;
zdZk(m`urYqVQV_Il`pqQlcfoASH8ngnqkG1K{sE_mn9$!HD89!f#VtRYr!w%8OYDH%kYyi>PenlVKCHGXtL9cn9yN_j!Vp=
zX{^An#VXhbSVFX)Omf*;PGmpX_ad`YtWV-|B^t5HD$`c@?4^FKA*U(Lla+)MQsKZu
zgiDafH)c3({$!q1zFMs}m(I`6>8o^_HAxa4_6u5vg}expr|Dg6G4n-vY{hM?o&(;F
zG6|&6r^?LCRD0Ws?Z)Eyg$3O;x!LNBc~ve;$=uvvYk^6SMEr%XOAZTO*)+k{@j@C&(|wBGOI2t^?rfWKp3+c+zJWLTiIOcHI?)fNDv_J|6Wp$RKf-#zq#P-~UR%xa-fZI;QbS|PcI
z;)Cz*mzgy}p$2|rL0?&DT^jiU`y3E(JbK+rGHLZ`;^-G8?&^@#C}9JxL@ZAvpBHLk
zVQCO7m8~?OBgjrJkK`+*;2%=}X817|@=$ZwT;hHK?`*P!Z)C=1eGkXR84i8_
z5c@!wjo8P0hu1^fF-7FS)ZgjTV$!2kjF`oe&ol)-Pp(KkCv8smLwQ>BDXmdr5S&_~
ziz63nY+jqkzGyBIQHfcPei=*x9<>(}CDZfyN+fd#3nyM5`4Zw3wcQ%{*_Go>c1~}F
z-Cog~lha#iw^#P&q@|{&`BGEK)0Xo2`31e@R%>~0LH_)53)NFnSy^0MSy{sPhYIWh
zRte+7RK9pZJzvI@oqve>CW%_0w~K|z^_dZ8jQrB6B|x*U5`NkAWSugF2<)W9d
zvwQ)B>w<7y5H6pt=STVwMqOfHQfVD*7Fi??Zz2rX8Y|R!Z8;MHpf~j9C`qo4l<*Ua
z8mu%#upnIhsm2iXhI*w)8<8it6T*~_%9F#UYwGN1N&O$ne7i)$O(f*;dTz3XcWQx3
zLXyocUqakYIiXimuVW&yg7ItDf>)tz0*qfn47+^oi}7>E5~YdISS0~dAU9yrX3h+$
zLw>iw&XI})@+5tdA;}cX4VqMehG15Ymb6Ra6XNwEsYq%Jy6nYi>IAWZU(DrkVPr@Y
zON3HOZkj32qjBgEPRS6bJK0&Zw!}_I@&Qa2Wzg?3!JkItPJNxTuF1|9HyhZ=?OV18
z1cC%^Ts(#-+}iq54&#~RVSD`r!H_rK#ynzJUITBk@4v{5Hc+6%OQzLbJKMKyPZ5oU6Kkes?-n{I6hv&j31fP
z{vm79J`wC+6Sss+-1q@l
zen`^~9R1YK|L~Z=rI-PkpD;t=5piwlnloT4_8gX0{sRpb(I
z^wd{C5+`3xCPM8X2NiLM-(q47mQ22f&X|Mpq>o)R3;~UVTLal-s0FV(D@`s`t-&Ih52)IRE#G#$Px~#1GPSXb)H|X&`T4J
zYS6oyoOJd*Vzoi&>nL~XEqbxWC`_AE?t(9w*q1}>#{N$4tF`@#9Rm%M+W&8oTl`uL
zv-d`$^;_gu?CNLWrm|VscbtS@2{#LkuJV}WaTA$74({fMg$_I(P?z)9pI!BD)QOqZ$`73RPM#sc|vhM147ATKfb
z(8M#2L(<3!A5^(B=G=x9_l!J?C2xj1r6Je6+mmAVdhID5(w$lp)aimXsqU(PRvV~t
zTm62kGc66tz_zwV6g^X06jvm1$g?%8Z}Ne!x}k(`bCbzfJxDpAlD2!*^W)KFPqx{cr07WmbE6P_GY`+pT2*{W6!+>hV~eE-Z<9
zTWZog_9E?B*}LsUUX{vQWVaQjs#K|kHjBq&v8SejyFL)dz05dVjCC_{9lnzG=dxIj
zZos4PFzM?;tEP7|-(d&Tu-K#>JQFXHX{4i$p8my?@R@T0cR`xns3D7&yuu^eqJO{4*o7Z(gZ8SJQG{?
z$h6T`#7tD;&Sb{;nVpE)IH4)Wu)$}OwLwQxk|U^1hGVhs)CJJHfG#sXEU
z8D@7)_EKl!SUHv+6DX*wu=tS^C{~c;V#QxIa5|@v^X>XszIGTY^!_TpMhKkn88dMJ
zOCcYi`$bI>Klu5hrMD6X016wUXYP{l4Sld1krv)epSJt)B?o;_B3=6>yXo`3;VX-Q
zN#-~}PPe6pfC1QWF7-4&nGgSmy{Z4@Q9TBO+DCY*XcopaUihm{>txOvTf>~|YKXK)+9F4r0YACs
z3sVZ0dPt<_D~!~sIFIoStm2|cg%7wEWDc|rU(1|`j_kY!^6?OT?kR(a}J{yhv$qO9Xj3VY*>BM
zV|^pH44t0Sd3xyR2uQ}t*4)wFe%snI3@clETYLK*YsxSp2kU#}UprgxJ+Nk`2fX+q
zSn%+dyLSHTkv{BM#FG{li|vXzW0nKChYtOt>jelS_#WaYN)P(kuDVlLrnE{(0-WH@9-AXe)$?rhoKlGKdKP>NCMO6eJ~fg4Y@Ts&suvdinah
z+S~71SDxOnzBK%m)B6w4Ja5}g{n<-j1o+K21N?<$+5I=QdFOimyw~CZ-o%;P@9SEA
zd`U34CLYP^b};PM9smmZt%>FX(7T4gI(d!p}-?jayb
z_oP(!Wma_tr01pX%0PdQeb)Z@aaX;5O;vv1_Tv6Ktdg>>wZ*M>uCM5(nvwo@LZ0T4
zPp|}04Dl$292?RCrc=-odpe9bTFzmEdcsoBnvp%X)atBRR?IDE%TVT*XZAJ(6Tqj1
zePx!0ea|eu>g<}#nMZ!VdG4-8(>$zi?a756Z}VVDX>SIpd0d%OTy4uOPha`imWueo
z-d#0=&+IJke&nYkuK@Ski!xi6q_53k01jLFw90h5j
zQ8{b*_L3o?-IrZ9!(&ZQdo4YOmsQAYMFBfM&aNb|mEV5zzkO5{c)acGeb+C^YnK?5
z{Jy8DpYJTc{qDP}QuI(}`6Cwz9r*~1y(MF32HO~qFm;pN_=8;(m^ai>WOkIar+He7
z?b@6UaFW#OL}jx&?M0zr>xwliT7$(~o*Z2L+rWdUwbEE^GJv9>*zLRey2C
z^43zFB)esxCU5BsFHx+Q3Z+7uR+k>kt(vp$NY}!Lx0Y9Id1T>T|0q%h3+sKEU8OcQ
zR}hbKV4TjHd-&EOV{{v$K1X?ck_|erCqg-EVC%E=+*^m
z9>~t%Cy9jSKvkfvW8vK6$CvjgJ*6o*wIL@uRnA*r6{1b;&1;O3^z8iP%muZnWtm-a
zo?Iy}N)MIXRhFj@*yYS=a!8hi)H8S$^l=&RjT{AglJ+u4$JmV4L3T&nEjl$k6@%U%
z&&4^)G`qEr1@)(mQFNnGqvvVf`s%{GTvY&4rC>WX>WT9*CS>#z2S1quy+Exo1-
zb~hr9
zK5WMSn`vanJ}fR^MQv{uw7rDL$=;0Zg(9c?a{y9onG}mXp&DA8y`(!gr>odb0Jfue
zPF8kjiGvLi2bgB}fq`dtS61$R7Q1fq*?~}K;Oyr6);_o_J$>1OYq4#ePgDOndye||
zGhJQJ0NJ^-K>Bni%7swRO+5J+#G@Exo5;&U8lg}i^O2ipFn~fpBtvy#S{ozBR;Js=
zlnWEx^90Y9QJ#{MkNsqI)?--V_SbhUylqjs!B;V(+TUJe?VgKD%=mSm9cgg4Y^;6a
zf|t0dvV_R$EH-DqIyc#?&eT0fefesC-oU-R4+jGC^nPvevc`v3@66uy(JfgSm}|y{
z#+<%t=f{6!bZKDZ2P}ucP_83E<-_dJI1m^Z3g*u-1WQdtJ;g=>3#S&9RI6-izPoW*
zA^mL9$oE7oq&t<4dy(i7UBIWaB}kiV>>xknzKL3))~QNqsVkK4O5oybe*EikM%{;C
z|155j(POCP8G;Tc{8k2*iL$dEn5Qy`Ibu&^0q9YsNM$Ysg^4xzt>I*wBECanNa71!
zRawJHeh;&+;tcULq{SYK51nDd+(^q5Vq@AQ;0xkunIqHetSj{Kg8N!?I?V~3jp>;~
ztt|~JjY9<)55f?o;3uWk_?tWQ$*vCDw*epVW%%wnD_R?{9btD#0nLXvn1`_=y&miY
zz~;pCL@;iZt(~*(y1Jv0t_Z#&KBY8Z7m^O>Pq$NFQ$PH&i0MX1ndz)Lb?#iV4V7A0
z#n8@u(9R?0l|W0TTU}|d6Ui*5wE4(}NV?{1z)d2xNjxX3tHiQ>{rsc(9oZTfe(Q4@
z{qj`z3-MxM0$1a;)E!(_B=a`rRMu+JimaP5+}QhMf!vtHGv?0p&un}V&D2v%GJINj
zdTzO+W_b_U!F)cC|NX&4Z08wS@th-_?%rFM#-`Li`I+etKnu8P$uS
z60_uYWNGxJ5p1EaVz4zMY~|^#g^ex68&5BOTckFMdkZ@Al6S1@#csYLswwm4%urkQ
z_IKVe&)^0`0z)pHjD$?IejA7<
zY}PFtzFcdTyOW%umOa!b7of^+Ilf#e{cw>v;EPX7p9Wl!bK0RD=Ob}
zek0m^5%N-P%sFwy$8e6xV`dm^nUGmV!E6>rQaTX366VMDpFS4ewvnIgHDGG4R4e`@
zzoLBSGXtxh*rc@FP^wBu&}L2_{?gqQpOA2Kd|E2y*1^#URbyBV9&nh!gwrRlu*~6+PbCTB!2$U
zsx?h106D#UAxBD_8H0*P`4r+ML3g36Q#Vk_FLXxGjzj;dy5_vXk>}U
z4-HkXYj*R+BAhE#Mm6iEx3(81P|tv3Zo`hpmSF<1MlYc1_TM5SzPcoebI;t~RkxzG
zE+wjGfK>tWqJKl(E=PH)c+&h*96~5@7^yOw-2F2DM71aTGb^$dAMMQQs?C-wvTNsL
zb{<)rRi1T*r<0S3@iv>zoLOpcW?4mW`ew~?8cH+GI-4~
z-m~aFh9dj`*b4E%S>M3yWCOEqJR$>I!D@PqOb+L#sUVbxS#8L5fp%-_=2`{8)wm@*
ztE+w_w#uq{_galPayQC@(YsMBqZ9GbyHO(7m0?G#d-GJPy!qAt`Omd)
zY{@}K`%-cEN8yYQ3|V#Vw1$w5YQ{F_Exx{~@5I^y^2B@8hG^Z3(2lD+YQr~B-{Duq
z)V%1wVgGaNehQJF`77+9_n1Eeg~-S8sr%SQx`qZ*DT@dNZNPzEn@wM3LjUsT;VKX^
zhzLKmI?)j)n_B2>EZ!Q{kjf}(X#
zf_O0hUzgCd143iP&4jQr$LfXjc4{=yVXB6CXpgHcdTBv6U|MD(msdf=V5S&1^RetE
zCH0BA$bU3^)K{#cK2bJjJq|XQngS{LT5A7Cj#3%0s|y@k!do5r8eo%^IzOcLYxCT}
zCX?R@-c2!wcVbtWQ>ZkjAM4Gn5Q}nCu~fU63Z`hV&hXuu6!50m9{wOTS0t{;g?KAQ
zz9TZpbEu9udW+>)`D9}A1eCNbx-P+_8FkJ7yms|-JIm*E`kJy0mHXe^UUU7(c6i+E02qn|kyXy;M4`9*UA;C_FeHN2O-8bC?z-CvpiEs*#fMQja|RalBGzmb?l0
z=&b^?!?z|WeYeFv|BC#KF7xo+0-ZuYo)})^UzwlLZN@v%`zS1QznFehmJArfB!Q7j
zzPI}2)Z2;bWSjCXbobBIjvN)pl?JW^V(VyAAw9rWUc$m10l;R`8+T9)8y9
zHfbJ4b%Hm$8r0w!Xss(W+Qs=VInfB*a1
zH@0S%?}4Vvo(BGu);t|j;Rl%91M)X+E{&IITD(U8vFmA1lG_{WNjTBF^8kNJ492e0
zV_=T0FQ9zFHD#TEkd0q&06pBw!P~mKj}2CGaemdn(K&OD4p#BOOU&xR_$3EyL(j1#
znVCzD_57~$rUk*^f}1+AL1t}X!h%CYzkCyF`#$PI_!{av;`%W^H}W0S3k{=(@yr%<
zX1b9NMz20$`rt`T_{rq5#yNqCqB@xHI>njcXNOHrK2Rzwe3jz|ZVGgRmrRAtUI`RP
zTvCd85dYDr3V)r_;%=XbiRsHwz{mxN*LLy|7FzIUtR796IpeRb!T(~ualOf{ObE4G
zsksv_uOWWFVksNu5+@g4x*>XhO=ji-7bAmQ7K@!o{wLU-g!m}mJQdK(c4
zhD5|k>cZ-epSfje4iIGR`qN$X&5*@fO+ujmo&oS@%GA6(J;8?E!{`v_)5-Traz6d(
zcMvuk{=_kt2r-C5=rrDO_c8q~6KF>N;_icV|MYG2X~3UAdz60q3=#5$E93wHg9tx0
zRSrNc#EwtxHQxIJGFIk3MD{gsd?Vn{dLttK9Q7NK+(SLR-&rx8DIc&n=vHmZI)_j0(3d7Ru!cLveLm
zsOiRm+QjfY>{fo&itA^#tf=BB`1dAW}>fmkR
zN4vWp4c~U)tB02es9%sYgbVEj#w9p}vh(XL0ZM1@K!0)^m4RIKYx_DEP+hLcCz)b5cP?IyKVQrli#XO9K
z+rcSARxQ+;jO5`@u$Fj*Ety*C^n>AUhpb}m+LAfPR^&rjL2V>ogYXTk(azw}rK!|N
zG^4LX#Lq@GvZW;&)nI79NNp$FR43jLRm)Lb4R0sj|L7xX3!|gzkrDDlq~|ja&FoMj
zlnU6KC;;rlz?%>5>GDzE*_Xb2%jme38VwhD5GoJ6+_XGB-V$DehNWfchPdB!g;*S*
z2Z#Ug?NeIxJzx&tf%~ahQ`>dYt8cvV>hB;dRI6_#AA>&2GycRC2_NS~RtK20Gg7G!
zS?JpmW^diRar5S#n|{~1YnGc(R(34T?Ynm%w{q9BtCl}=bxqdJKimeE@(8`-_`SE^
zcJHmX-18uzVCOD4Fw0ixQB~}GYQ^BwJIX5V2KY0#0sdQ8C2F=hGBJox;mAcoPy6DW
zNo!R2w2M;)w7iRDq_-AY+|~1guDTqPCZ|)Lla}4Raofi3?227auUd0%WB#%0QtGk{
z-Z^__fp;9HQ`YL0HD&z`IVx#(Wx*yJ=6QJZ%Bb-A*QjX4&O`*|y8S&_?;@Y|nfwj>0)ZONs
zlq8`w-@}=E?d%kht18pqoMR|ldZ3P)eSb}nCe19RzQUfQF3M~Hy~1sh-DNH62pGzX
zfByFRUMRh1c?A;z48lm=fib2F33fTvLfL)a5|_3&9Da%U{_H$T&JGv>U(0R30s
zW8!CO2Ku`prgwz8kN5yS6q%dB9DrjPKQr^?;bNGM;@05=o!z6xi)_iagkeH{OlvC2
z4W+=$^@&HYL)+fHd!36zWgG2qV)nHv1&fp9tb7hg&kvua@qzPPHrg{8otNP;^D><2
zOQq*!c%)iCIxmwjH_FjzKD+6`q7vy5Nxrl3n;DJ*$q{Ku(F5Nq3w)OJq;Fp~W(rSB
z{LYeZ@|_{cXGrGgStjHe0B_yY1klJ6p(0vx7}09rdX`8Jwir
zlJ&r*Gf_M2X*^+eq&LqzaskgJ#0Y1}Sld5mtkOzHq{y7iO1qlaDOq0DL+iS3>J5l&
z1)k;wrK@hNOX=;KXD^4-8)v8{b53{9^1;Em3p?5ZRROb5l*Gqx%qVx)_5`*0IexMJ
zs*dWxMyJqL=xtYMP1@%Cyt2DWGWYL{W3S<(|Ez-P!=YaSHsONAj_7d85-7%IM>s}{~FCxBd
zo*{M=xX+zka?@-_de4E`RO3_-&omcl((MZBPvE2U)`9$r^|QQFAVKYn@QzF-2>Lz%
zMrIQ(lODIvVSAk
z#pD<0yf+`sGs84Iiw@%#5sx%CN$dsgC(bQ~yz(PnH83L&O~IZqNQf(ubHM1c(AX><
z9lv$-jp8O
zQ_G+|w)O~3;dc^$UbV~MOp4bzv-s3s|4J?VFSUj9nkXqA&bUhR>)gUPZX&tIWE=hm
zvjXYs^3ItLc~b!AIj9GY%@UzGGrdY+y?hD2{Lnr39Qvecpwa1U9H{#1#<#9-Xt@5Z
zjbDtuxS#vzt+zhLW&2w<*4A#EW9x*BaSU@N!hn
zY%;3%QIz52lKf@$5NLw`V>ZJx2;4G?Gcd1g=j1X|G#`#i+@m!r(n6G>*shPI=G
zI8XMB
zPj4x#+RP-zV*S@s3{gj6j!BiXUsU*@++q%tnPqqM5w+Vd+nzj}2!
z3Y$%Go>(E~?cILg;C7i(CgjuW_>sFa-7)K#Y4s=DFMO*`q@l{2R2&!lsQvN8J1&oM3H;S}W?b6RQfN@!LM
z53gD^JVYH6RIj4dT*T3uCW`o`Es1%t~${7d6L1IAd5RKNU-|McLQ9J
z<|vz+qw{tjS%3wBHz6skEv*Bu!XbDIU#63cC`<}I7;q#D<0IuW-RTQv23TP19qLg+
zK)y=rDvZY{l3C7}apqNm3O{zgIlC$Hd~%6jjm}q5l#J7-zX#dWGk98h$ya}w|HiAo
zZLe%TcmI>~EBXrz>8Yd3iL^)m=YJlh`4^5lqLz&Rg}DpXhDJ234|@gialZGZmj+|=
zeEH?ebmr`<4aAbifPnhvV~mYL1+f`>C+gQmyMLrAC#_X7QC4}d&z@=!+^E$g&stSc
zv1(SbMth^ckV3M>_8f1LHZUXIXiT3G&?b3v?6mLRO~fK>7g_#`F!!pBQuZdL!d}=B
ziL@8mmCB85se$-}r*at`N_(bTsdQ)Bl@6mz#iQ{gN3eG|(*FZI*(-(CtYnWiP!mi@
z2-XC&p5!d65Vi68v2Ve7NIQ>-W((C#E0WOoG#?7EM=HEiD0QmbX(nSDvguDVn$p}V
z@{ZAG+s=1)pKrsme)`0i=2EL&@J+;}Qn?~bzQJ$t3i2Y$i7WtR<70ym0jtvy3!Fw<
zmri%vD7DmgF3M}#+n44ks4WSQsL)LmA_?OP1WLttWdyo<88ju%t(HHnl0U})EG5}%P(JnCBm~B;`uA`X}EsPVO`;q
zjE_q?gg08@L>ObFDC5%y8;?%L1L6fNT`4tNW{1)mds_>*@rU&p>c{@PiIi}yEj1yz
zBWzJ8@e;HIFiyh7gm5E<1wv=dvg#R&Ya*d+@6pl|HQ1bVDo$RMn3S2G@7JX`lw5_J
znO|p7e+KJ-5$W+N+VKId6{bZ%;;fMJxqOo;fny5V6$(e#STuZ$Su0iHr@%tCnzpS=
zMsg1AXb3SSx*YdgbS;(Da)PgLh@>{DSc9LcJ$J|9Y+t;CuW9I8mZ4AL!8&H*`@k|b
z2SUwb$%yyqJyHl4dj!I@fGoPcEKo(4!*8*t;J4Q3x9~Th3;l++sd)&@0m<~>^cALO%hcIOL
zTq_ncu_~58IA28JC{XN`T&R2@m(Fl50AGwj2z<#d1YwtiZ>q-Or*Pl?IMlz=r1{)Mf=o{9Mc4rA=m
zpRi|MrQw{1%gpz&^Raj5@x+mLu=D5XcPlX#`Rv5Im1Ol#_s8CqQ6J##V{6bmQeh6^
z?IT}oJ9(19Z6E6t)Sn5&E7OJCzTy?fTU$@AC@x-cvbFX2iejw3_4vx7qLs&6TaK+L
zDq3+2jVo{%yoQUe_WN1-K#|i`955IH#V%)2K#$FE76Sge1^fzXDc4T4(n8B-5pH06D{tz6Y
zUWQ+jWAJx$Kc&NZlHhNO80$Rwlx;xTgfhA;WaKMS`9h3VGGT6M1z(m_2;v0_SGvuX
z?oz=ijN`l0itN7j
zuDOw_W_0?uFr{T}RZ3T9r!TvDZ*{h>qq8feYHe%EqIj8r{j)eHMGZhFu#4)1^d48#
z){^-YX^>dbRFrrnGDrb1p$D=;eQFh&FHJJ@<{<^vI=hpdW
zG$v=HbnojLIG>KaotT~C)ylJNp6pbQR+RxhF~~J?nc1T;`IB7Ua7lYs{brYaPVv;}
z&P7?S46i*gP%^uq?pnKZuqtwE&;a!5qs+gz}EZg0;nD)r9#chwYqjtW(h{7E~mV
zz0${Z<&ONOl;#^Vv9fO+K5cK;7dvO1T379{k)py^aY1!7p?A}VW`|&TDiS9Gu*l?
z$ISC-eO84&CEsR9OUtxSL%F-lRJtu+&xJI#jfvRhWFO@B*^nkjY)wvEmar#GFQ>Q$
zhLw{Jq0xQ?G2sn8-U@Esu^Xh%l(CjTWo1WWR*mLf)?Wcb{GgG3sD?|cyOVO<1w?XQY
zgD>58(?Dj|ePbsFAG@wLue2=3Q$0T?efh$!Qny;k>}f&$ovnrao5(7mTO;a^J+TkN
znQDEG8pBRgN(UGs&?$U`DMt%KbRtg>TDhnp?e3+$w+`o&TzjT_@yT#LTOpPhlJWvs
z9r+e(c4HtVH_1BE5SqRHwqN)4J$`!o>=3*^{diyBuWy6*+dFRkpY@HmY+qcHlvJ~L
z`z?))N471jNyJ!^rqasNwP$RF
zDRjgOELr}+!LI9Cl9F0?&F+5}xUQrE(RL-tG@jU-O1P#o!X+Q|d+?0EVNq`8!WpU5
zhxo?JZ(Me%tPFH4erpu5%Bc#hp56Il4j31w1PSo2?^b38Y
zKA7HT#)}UKj?k1Gj5~OvN+#SS=941sR-r;pI+aj6)T(6)smfgt@>Hgq1WJRniYE}s
zL}razEmgRS(`|)8qg|hh$nBxtfaJP6qvV?HQfri4l$Qh-VL#DvNS#-U;xSd47Kb|4
zmzS^a2#1+#=$zJ<>#*ngwD4+oz$?*Hy0$$OYF}Ggd@cIy+CqDtFCoE~XLscLbvi$7
z*Sv`JGNC0_z&az0zB0KE5cPKBIHNHYoe?Hfo+_fEl@~Tg1$Lq(n3Gw8Iq4;s{N}{&
zaIh=!@HIDU^$D88YY!%MheKV7hoaBeDF^epBf4^3Z~P5O{M|GD@S+As}q1iH48Q>+IHT*aP56Xxk9H>?hY3FmfmOpPr3}$
zaty3<8mPB}A7;%-
zx|7wePxThPTvk4-EqmzroJDbRJ}i%(ZJLR6_F@(na!U2MmyZ)?4)Bc8r>
zm5f<;MWZ=F@ffAniLD%1n2=K7>`tpmRY9h7+*Gz_s3d3Ay-NhZu4|Jnf3>VC&MZ@=
z<~5|*OLr|U%36NcB0gr*w}}Uiq-DkH8hceN{IMSCH$}j%OuJ;WoKkmZ0OIv9Myy
zLTHH3S?s8%7)k>|qSY8f)Xxw?FFI7%oOP>v+Q2uZkN3r6Hi&=A;U&3+8y{a2k6ZO^
z^4bmI+&G0yXmF;OGD4*Rr(7?_8zmR^Z@XP@sjK4bS3BR1Z`k_a(89-e&m@njoPQA(
zrZx$M@p3tLw2Ram)X_6=D20h`C=-!A2U^unQWPDurpS)*4zpwoFbgPi2nDII+TDqR
z>BHxi)voU;Pw27cYGqKRH_z(>haubClagpFb6^!Bol8AZV9xRBp1{snQoiUsyS~C*
z(iO>-5(cF`LAZU@m)&aD(*^T9TwcG_VU!)^>b==+fJ}KDrND%;rk;#T(WlYUN<}0FpV_yIn
z^&5~&{pJVe0w0H8wR-s{TxMmg#UMSoARx2SOFG6zEWr4AVUNEOcm@1X%JqkO1J^su-1zsa
zh9w3$kIZ;Elbh#URJGJ$;>JG_ct-|5S(44oa1K?!QoYEL%+AI;sV~5D^Bi{S3vZ-`
z>KE(m3Xn=Y?N0=Uyy03Php#|^%R>!-gDH0EDMt6`9Q%$qPF#ES*may~D>&l#tOL(4
zS@PWe#>V~6Em`vXfm#0!HZF)n24)6>GY2A(1&u*0vi;qIb#({d-M-_!gSE8>-`g?&
z#t>(d8SlKPRN?
zx2Z|}0^mmL>jpR>{T|Mt7+6ozzG-7-{7w3K!x(x_81oZ82p0nzwdmP3X2eg!v5J9B
zAED=ZI0wg*GvV{*IOe?{e}R6#oY!~%w(9C__xH_va9hnk?FAiaC>)|Kzb!4Tqri?uZv0?hS=qi1ZruOD
z4W*?we6at@wi<#ozXNF!p;!dS>>?O#tbhc6XXMYo$$rd`FRcJapSl13`!P#y(H13J
zI{+Lb#mu|`=WP4~*hYSIl1xX{0uw=nVtX1BNB0~ON@{$w%QvzVoJ*|<>(t&nm%rF=
z;>W3VY$@mZ_|oBH-OX_L+Y8$x)Q{l-=LZ4H)*YbPT~S`?wq$uU3BD||T8&}qhU@z?
zL!Fyyat3BMC%qCcWHB}jX8bLPPvN9f(Wx6^VWny!_>DC*9b0E#e96!)-5od0Pa7Ou
zvm$5NnfbH#FR9ZFCuaynN$F*YfteX5Q`xe{%>HUmLTZuQUz{4l9{T~|6z*78K6t?8
zxNURQ-bDq8jq7Ko$`yKhj#q0)tM)}2LJ4PqCQuV`7kJeP$=Nh9^jHCqzZ9@92qt1K
z3QtDI=0KAUM4j#wY>$wdgR9NjYcGwyE>J5(m>gUC2apPmDPtyiu%@YY-toam#g>Z;a))~xEhW-y
zePBsZPFKEp^Qz=-|BZ{VTYV|iTx_j0d%^yu!Sm~iwVrg-9F16RO?8*e&04ThCQ8Ki
zu5pD}(er8ohhsxF+0QG+&oU+q*p$=Zs1qAz&FsjtSo2#WnH~97b8b5(Q1TtEf$AHE
zib~f1YQduO*W}mKgNU{``K^21r5&M+_B^w@u-TtByTpk-1l3HLJTUKYU*{cb%Zk@s
z7@YIcLU79JV$OKs`206)7dbk=L&+y%b{=#XEd1Yb{Lz21)kcftA|{ZzRHHZOlZe6P
z8o%oDCqk`UfPZ1l)LN}K(0Xhw9NVA5v5oSC7se=z@maF|`53E{JxcaVneRr)cT(Y{eGkejY_O>I7aysue
zXVm%@4h=2z)n=G+$`~lNyDBrS*33$my*OZ`bnY`N+V;;&OPja9ZN(XP;-SInt#i`S
z=4`DVILyfDGAN5agtA9MM@Ngre2FgCV3SPVaEcCPMnMQIT@Y!^Fj}%^rUqwZ7=aHG
zo4mZFc>DbPqBVEV>p!zRSLMlfQ=iIn65qn!TfEeoJ;NWKnQpLT&!Cc2UZu^IGUvuQ
zttVC$=PkRnJ9ovWCx8;&QJ+0=?A0|XDQjLm
z7QHg#1}?3zwd9?QeI7H9AUiuWldSz7!|oJ192P-2IEA*I2_hk)-z$g*B4IO_$D+@0
zOW>UCfcRtJhM(y3Xh@Hne!h{JPvHB0@(g_5FGJ61V_)Mx!8slSH~kSkr^5Fd`uV`y
z=o!xZ1c(0p!M~zDONH=e{Zji}F=x!G-}}ta&~NtC)$RGs(9kn`>&KF-d&8lgDzCSy
zClv0jPX6zjhtA_o@L}6XCe0hs#tBFW{>UGI9ls>C8rAF?@W}5TdE^niGBtFski!=7
z2Eoe9bPQ<}chCdzpO`!7Q9oHAPnkQ=CJX*HoI6Yk6?iDplwmYPs{NkI3|E{a9M~k9
zweigC-aA$l_-Y3-s7HMriGTIlZ)(s)l;GjCzTSE1!P;S6|FkevGj@U
z6*^zGWxmDaFnMYh=B?Q3@L*5O4;9ekt^?9k6peAs$Yn4|E)zxaxY7TSd@{Rg
zv`S?m?-=xF$}b2ZEGKZAN2yOorHPheS$-<&#
zY4EoVblKVQG6no@0sY&%#(!G?zbmK9?j9S9mgT{+F1qX-)H9f}8u;5by6m3u-xk8}
zTIf3N9mlU2epgGEogbs3WesC%u?n!6g%eMYe>azvk40Ed!?I^4%EtbPMSu~OJv(0J
zqYeT)wg{HJK3=aImKo`?H^xR$87<#_fNk~Vf2R*)1K#TXtgLxeNl8`nvaAIRnrWE{Kl>Cx*MTL<|2SrBK>B$<{AqH=;g
zO`?hDSnCNonmvu
zq_A3GvuN9OtRJ>DiFQ5cePEms
zUTDW7D!jl-oOlU5AQffZM18DEAcUayZlJwWoo1juYmS$nI;9X-fj6lTqx=7WRX})2
z(`1)py6B4Oxp1gUWj0wxOO`RQY9OzCxjQJ+h!c!%qs*q01bymM)j&Sjm>jtc{0~l;
zGwS_WJ!P&;cRAE@#R82>my#;r>cO@OtDi;3ll%eeg!S{0mBUou!K>)E%#I(J;mHc5
zq@;yw6=97w&u*>AaymFF~$S2WDi1I!hB>
zW!;&Xiz4qyRLF)EBG3fuj_I=a6kQf;;*k`=mnJB70+v7{qFxqiu)lOkbb`?@;^dMz
z@Gq59q86=*`J4OzWx$tozNCz4l*GS<@=NE`7OavOTI06UDz4$cmmEa_)4hM34Pvn6b$+^O-p*}47k?Hn30;^
zqEXdHk}4xcW27=EQqSnDrSQLch-Vy~y;eRRj9hkA+0JaYe%<8_hTZ;@LWxzZ@M-Lo
z*$#X0oUH8Gg;t@)q24O+>rY_Z?o_`w5TG8D+vGg1E>s)v%qmQ@{f
z8p(1TS!L38k?@=D=r=o~-z3oA+>N6enYr;!!b2ROeKw-Ik;qb;@KD#jNUZ~#UIbgP
zBB~eM@(?&e^)bKMi51~v*yWgg-A;VP$aUCd#y@8v>jgqb^doq79&qwNga=e`cpj$i
zq3+rYW>JrB0wthm3-uV7`4X5x-MtYsfs#$sqo8OL^%!*y@k=}Fb|Q&5Lg$T2V(I|X
zPMIXrp4;))Mp8iSbhGE_&k#%S;#m9)9O!Rm73C9|N!UlO(L;{?E0()yFSWnqkTv+irD4j{o1>Y~au;?}HUuPfw
z{PTy;KJ?K?55c-_0dw%b<9}iq>G;HG7h1&_57C;SlM%VHpDD+c#w@>;tCs~b^G%`o
zeY2BHS*cczO%}{4vW5ocb|w9X_xJ{(Ld83#v8(w;hf$=^@DA!+T7l7Sq;C1SHw+)#
z%z6XAKn&6Ls>s%rMA0Teh?WbINlFt0h5bz?6v|J<+vInGbv@vkJLR@`MwUDc
zVSYFT=5*?wMljJol?lv7kf{?UC4%{V548yaIwcnhWycY0*iKu38@~+497)?QA@8`$
zZ;ZC#D}fs%ARg)%`<$&N?`H{UZ=0wt1Jwl(-BqVKXTp$0DOH(?S3*5|TATLuXW+b%
z?{k))8QAs5SzCQ;Zh3m;z0}`-JCNGG<@D1F?+5V@bdZ=sYWYC9@lnG&*3s$v;LanO`B5hT<2?@DXZIOai
zZJ|)xq!Msm>da0`%yvpONttF#CQ9&-X)(hqEKf{=7XOy{~L~jXL-3maN6cyO+Os)6C+0xl`J@z11sM%f)IW4_MS)_~-0yT0@T=
zJLA!a7C4jckBR#Mo{BG?x1-KB!y1oqr3Ot#ZBWPF7+=)Cy*^rIWXg!Q=G{EUCzAHZ
z%LJqw*)6T-S
zW97}-km^mnSH|Uk6vvY#>)uj@wM~pJkxH;>NgPhxR3Z;N8~M4NZZWdf7_UWOkkz>ftO|d(QOj4osSBv`_my27$vn-Q!tM+s8UglYln)hl@nk+n
zwJ-yK7bmtU5pOnAr=z^7aLVu-r!fBL#n`YY*jqNTK;}{+hHZp+JxI*PW{@8u-+g)?
zK}n~_wT5UP``CQ*pg1{_W9siI2`X0vZ8|d)?Q$Mp$RSS)6hdxIR;X4r>mbLbQ0TaE
zTmdq5X8nr%C)UmhF>qu4u2%s5m1%kYyoD%bnPf%K<21>P8U>FZ&tX$)V^vl{qFKca
zF6JaiWNI#-E8s)<86ox&Y3v**KbcI5Q4D<)M!gc{cZ2fn3Oe@B{34B8_tv>b~QdWv^br6?y!o)G#%v
z-%h3qCP5WOeTwq?K^pjo1{vynH0K*pO7AJP4eKisfBagmQ%HCnSmQK;$Q~On@neoq
zE?7GgOp;{s33F0|Z`sk#_Aai6mg0=F*
zNxX@h0r_1&CClfuTJR?7oZP0{{V1KA?tz|d^_Ju9-QDfSt@T^E8Pq2d9uNz~Tx|4r
zi4}7*vT|~=GUiq!GPq;ku^+fP?)XH8)2X~e|r?ABRj-%mq5DVF^d#f*EKO=4ff
zaG%J4%9~!zdvr$Br?=>B66!AS*fiuZo;aTRnlA*#X~?r!G5k3Mlm^N4uIa=m@PWw#
zWIRH2v|i9KF6`kj@S2A5gVm{;l8|BrI0Xsp87G%*;MkOMJuRd2)kcLq)ex#v&7#vh
z#z<%S3DR2lvv|bjh%4}@ojf-rPnt8pF-U&Tcw=ye+4Nk2Mr6LmP??pGWKwfNO4Jmw
zW{I{38mG*e(X@t^{cKjzY5l84!}H+PhwjuK2S1@PapkyWeJOkhpuzy81;w^K
z!cLnS$8LO`9!)YvC!v`dMv{p7xgmQ`+=UY4O-h)Dzslj5^1BPd>C=+y-3j97gd_3d
z_=4hhN;adMc@w$w$ZlnpDQjVKp|tt671ILW4$T#$*7{eq47~eQEY~-V37r#-f*@}qB@%5(=1|*)~xm-rerM{`2PQQTnZxEJ&f461b4t7<_t3nV
z8=Jk~H#MOsCWS>b9>fV)eZlhP2sx_qHssZ&_wSvB5=C^*OHalAdXAgx8b^VSn~V_~
z$XDT=7|pIKw0jrL5Kq?)kavm2H_d4(#Dr97Cb*Y>z|JLhM~1g9?Jw*1for$k>=()N
zj?8V@*O!*N?DX7OEB#-7`Tg9(_?Fs;GEXYcSZls<>!XOAy;R`8B#0
zuSRcI7Zyn$La)Hc~Ue>v?@~(3mH%Ae9Mg&!
zuTaL@h<(*2qT@i(Ewsr~Ra)vSThpBSoBPx*n?+{eszvcey*bq)DQ~D)5cujIxfR2A
zB?Wcd^x5l6s9Vq7M{ot)1zHhXXiZN73#w<9eWy{||MKw+epwm#W6b
z5$rj49}a6?h-$W^Ct>XqHD`LF=%IFK82dN=3B)D8DkT&*d7-+OpoC?Pq|zCa%D^1J%mfghnnJ%sJHYNIyI)EV#=LB|lE
zNPJ8ONEuIl97t7xx9H@@5AGpNZ~Ya)@APYQqm;S?p`jSv61uXm?Aq0;s?F=5g>x@-Md?r2dZm^&qlA
z$3=J##E(z=WlqlUO{?PUsi*2}&R57Y19@m*%a58vs)nSbnC}Lsz{X
z^psTH&YkR+(Q!1$;AVqu5`=YzCcH8K3ujC)D%Qm7%!%4r{<4{6ep_*Go~67vTbagI
z#*0l(zuE2em(3{iTMFjnl&o=)?DSf^$&Dke_lhk{6QSTj6o7fxpia4$;Zav$iVqY_=#r~?2
zQ6~%)PG^My%n{RP3ToK)Uqe{qyGAkJFB#4ZDHJ#;6X4j_zm_REJ1`Pk$5u)%eD=p*
zOC{{<2rfCq*FN|c{D4gGFE*e2y+8)mgLyo`S8=kqXVugx)P`eU!#bXYb;uc8RX_u#
z5suoKJp60wpLb~V+}V5?mn-GZ<``9X5_eOd0VTMkl0B*QDOJhZCq)SmUl)Y66v9G@
zMv(bk^h^VoLuPC#k4rrQsz!gqk#uAo65aH>?!fZh;vsirLx&+3CtrP3MH!z=tI$QoZW
z2O!q=EA8W^?{Hww={4LuWtqsi4Zedlpm%f)RMFJk0>J8q{qqF*Ak*pwwBVey@&x-D
zmz5gs;pZ>LTht}#1gU^Qmu0GVMD52k(hd(eQrNb!*AZuu62>79+jfC^92EK}@6lsNSyR6O$fG@=Fk{=OU!Ok@im1a!!J9|X
zH^fS88@pn{E`WjZ9kCLGQB0~`5XPP;4BGw>xqOU{p1nXFJ$4L)sh6hVVr9-Jv2C|r
zI0e3YnR*F8%ARit)2FR@2L2fjxq0g
zsC8K9*cT|?FB!O+Lii*S2P<0z*3J@rIiW=gha4H7RV`e6!jLE9$w>5ktn1X>GkKkq~7wb
zKp*7)3zP<1GKTUu8?Uz3nwYyT*s|+A-i92zJ*UCzsn51;PxiR{ewQbi`Xsq3Y(S|v
zy%iz7K2+g#rlvX*Q&MPIMft#|5LXm?EGnzyw5Wn~xT%xaKgJ%X`w6x`>}@mlk2BQH
zJF(}ell%4oJ^jr~^f#vQe0;GuBy{AZK$yO$QnLZ}4@0=ZqBX)l+Q^J_r7|DORVwp9zLJK0L#%!hDXfrJuz!qZ+zD0|Qf~pzi4(AWV!VVi
zoT3P*%n~#B>X~Owj*epZvu6*0H)&eDP>z2-_82-#Cy^TB;8;+C8;8|_>^*1`1I%7M
zAUcO9C1DqEw+BBb8mxlYrWMyVdc#*c=a!vSE4${O-ZOu|k5dAO`Evx8G
z#EQP{z3HZ2a_+aNN8y%yt2MtRZ1wxC#Er&`hCrY`
z-MH45l9G((FFR3+{lxbD%>2d7FpgM+B`iVd218DOx018u@SC@7yS<+Fux|!aqdTaF0SmN08G(C_nAx9p(srTD&d#QK!_I&#d
zL(d5OreW;4Ni;Wn+k43OH$at#tcf!+Z8ZxYS$U
z^gvFh=Ir0!^UXJ~4+@C`SeRW$w-qCrLNS2_3Q-%y+KZI={3*V5#*F$vpdo`^yDp%H
z!5_x{flh45Ux@8STdGeE?iS7kDsWP$6(%I)d2)p+UR)DF@|427#9W>fWrbKDuMj!Pp=3Em
zZNimfAJBVGk#V|c2Cz=Lw@)(0p1KW}1F#mYPNz-K>HZwO0w;2fRC^2DDJ2R;af-Vj
zS))mYPsIvF3H5_srP1j$Dt+wwNrErOX3Oy<*o{W}I)A|J!cLY#Jtw#sOq
zY3$&JwOSE3cVs=fZV+Y~U^;KVjh*T=7Af
zi0pj(h*!CdY7Wz!>YZkC*0M!q^}KWMbs&`NO~ej2a`0R7rX6TM>P?y7Q7$G~V&tOemlD
zljIZp%T+RR>BkN14KaCiaR`o`Mxq&Gu}k6iXh=ra)8R-g60l@EWEqphdeWgRm=E>J
zIHg+ckW=0T*`Csrgi@uF%d_Psm(^%;1{;iewNb5>idAeg1k(Pc}{DoR=Ei!$bKpZ(M(pY6uvsxrlo24?VM#MH!`QXW0q-Kp!
zsDVYyb)1%5NDHkKO^>%Mn|y9i9%)6c;;oTL8wym|7V#z~dXtlq*d>;{w)FJ&Jc}i-
zJw3fG&qD3YDJaN6{}|qx1N%_R&OtgHnCP%6yZxAUj!?|uCgdhNvl5j@^*Xs-!p@;A
z!gz(os7ony0w49d-Ygb^S_US>8~gzAcCjYKo*&
z(+OlUOf_03j5p|P=G?aQaC?D6CjJ7^JV?yOtgvncYusN2*|LrAZ~?YD!{y9&E05|>
z`yD;X*2p!e@u=5c}w}(8a753aER)$3g+qSACFYZ-HZ25v@FcXFL0Dr*!j|GJv*U(=~9CzKAs~Yh%E|LUBRbfQLbb_vvuM7
zCIOGf;Ftm1HUxQ8Ld$(TwjDy-dj+u2L)SmFQKG^lJRvENWngL{Vova}NbrcO(q2~g
z2wx0gVh
z$JT;<*KSurX&gfXuKAUtl+uwpp`WEXl!WqHu;*Ip?PztnC_bQfqJYMS-oNUn2-Z2M
zM-;JGoS2C=bDkJg)d{pxLc*6>$H#U8LqRlRoyqtiV^Xp>UIk@=)t4MewkBHXuk!=y0UjEbZ{l3F0(#|tD$&V(kmM8xL`L>z$&Dhmoeo6Qj$4RWoNAIIm(cx;@*
zvFg=YA&11-9KK8^H`tW%90AED01zuQ44-uqtFR}?-_m0^cDffkl@9@tB*84PWO=mr
zq_l6FnFeJkxyj^Ga+FEAuA)`#AzjYgXwIFtpst-5)wL(k81c>YzS>a#f4zU80H16i(z5IFYpwPu~67&cc%I&utui^9PXoTcE3%pQF|1&#R>V
zil49Ccvt7#d)JraLubGqiZ^Nv)OC4%ZKa;kf1)-wjD1b~nY>8nTuGhc*ge_uWNMbp
zd*hXHbneWyQ!9$|mYtdt&6>$=ZT$D~6M+4A|D1~yb@Bmfta(5J8u>hwI^|C)y(|RVcBhKq($1s5mC&bGc-zRlvzkFQ?y#HL~<-R9J+oNA=gAb$It=C{eY
zH_fo$#@q7h93~n#yCOGt#n}PsZ$NVz2%j1lc#8V=^yqt6uvXNnV{^#}o47RiB=zqT
zC#ZivHSja+1aZn^v51QCe6W-9Z_=Svn5f<;4`BA^O!~;VmEZ@8i_+y}ZFuqe&qveV
z0Ot&mx)g6shM9Qlr`Eiccl6D;VK4`5yF~XN>^J;f#&5t4LQDoD|0_h`4Ea*VV}^qVp(q(j+_)|RtYC*
z^K^bx5nCf0u0LGc`N;k@dtq04Zc|uYzWc?EwcD4?ac4;t4vAossX2Z&fI9p@&D40XVH%rN>%V#|(B
zXLiW1vA{v1VFn4lkGMq5e0TJNrW*${Nxq18olMTdNusljT>nlimd@AgZP9Uxf<8<*
z8_{|%o0Xz_<+gbOIhYHcx|{`G
z7=09wI;{}g0S@vLWB_|fsQ5M``9@(pI5B!NwgUG{azKv}s&(OI=V23C(
zC(M+N08v_Dk0rg_Rl1aJJ7yT`JTGJhsvH1T7{{P>*gQ&oF!CV_$PVg>9C~
ztbKeS<{O7!X%Z%haRuko-NjXNM)V9cy;EQU#&<7B1h5e^z6B1P9RE1
zZ_Dqz*+<^-Q)lkp(98^@CATFlzb!MNeAn+b;Ri+rXRdEdN@`p`6W!OWYxZru9)E|$
z@cnYK7vhu@U5`0|QgKz@ACGP)A$zYgCCNwQ+4lO4?bfuwlwokaL?c7->>#5=1J)I!
zjqGZ=aUgRF3z4_c0qoMOMS6Vk|6BR%F;+EoCuf+Bjgxs5d&6j6E!y62YSbKN?Sxih
zX6&b~Lj!4P1BbezSNsL3HEc_6bY$gr-Zy&kBz0eB=Y7=49UnKAoLSJcwKbXg=8Ck?
zc(*MlS!*}7|9LZ=7JBh-V@TGOmo$Xu?rZsJC5xFe$$!xE6PgdM8sGY=b0+>o#iBBs
zt!z=nOE2B<)^!CXyWhC}CF;8?CQR%#dvQ;8MrVO_^hfO7qBVEToqv8^2>?$(u)l?0
zea1xjvs1`8x-T6ud>jx5*j5umO))7%jtZMqHB@f9;lMe({kswabxGoOEk(oY-2OMW
z=Oxy!tkQU-nA1_%9$B=4GL6QC!E0J2b%eb5`|L%B+sii%)TxDT9X-afpk5|~b!Sh`
zg*UMopq#WDz@F^-*kASDhT#jVa??9kty|TZzGhzKU|qUaW{j&%TyV{{;#H4sEX<%^
zWoSb+!JM|DRJmLyAPr@8MMF2$&e_(Hne2|#WOjAH2~j58m{gLQkhkIbBn9bIHTB)GoCd#~N8o^`kli9vWGp#7
zfOiltUXBniN^B8_+RGQH6%uli!UAFFpL&{C(fu*9-AH0QI6pPzOn7jpxF{rps0$mKTq0K{>;0sT~>5Jdv~L@Woda
zv>#oP1LAe5rAe8qhkGlMc=}+H*dY>VVEdALWs0vp-bqoP{Caz3=ITe*<1dYbOXlVq
zLv!~&@Ybs2nYj*v#CdWwZ;gEe+vzdLgN|`~Bs6zBVo6saF0`;WKt~;=z8n4KOKYMKaFteJyiG;CoY#`3LAu3ese%V^JkIAIy?yjmEEQj7
z(Ng-PO1q;nkDb(WIxJ3(g*R6SC
zbMev@%f&>TTHkS5h}=h4`DJr$Dtr@=VjJO0xsvmC;({7ppZwt~&n16-$dZ
zKe49n`oSVDXxFAFd)}cQhlngSXEvlndaJx@t4l18qs_D+PM)!EhysXHHnZn$#$$mK
ziHQU7DJw=4Q-*DcCIK=N+JahYZ(D9;+jE=qlB)VvZp>@izjn~q5wD0-s?_OaZJG5$
zW#*)s1^L-)!-r1^^`car??11e>pC%BT6BM{hhB81i!>YkL+o}#8Aw>s6!*%MV)-Sl5x6Vo}rzk2$0q;uZ9
zf3-cPpjNMZbQ`IlI$CQ(s^?{@f4~p$`)fe+tErl%qOjJQu9RkT#heDY_|SktbeQ-{
z29>9p#fN)qPxw7!HSJ{k9qJDr1MD)Aod8X6bBEmnTf>Thldnwl+_JG|u8;T}Y6bU0
zso2>P7;m%|hq=;ROD6smJEv^&VC|#CrANA*D<9tZ#vHswbJt;OF6Hjq?%(vx&h7z*
z1HEy?#IN=aDGOOM(hc9vb7aq))`Z?;qQrZ=Q~*y73Xt}l*N5&|e=^$b$|2ftuk`1?~6FRfYBI`|4EM
zw&^1SV|Q){g*Mzd)_ZVSlSbVzw58cIriF@aFR_9b_}HKOy-jo0GkFq3y_I
zfG=FB_(7#6SluBR^m}!9xMDPe-j&=y9a$xzKS;D6yqMq
z9|96zChh8i*hNW0d&I;f+%qqxEQo2Ny4se$;*q;IRRyN5?krwD+H1tBT$H9T@bQ5?
z@7>1TlA^(n3~(G;wZhG#E3VNzSd{J(y!^HY`LADL+*uV@x53?sk@9e
z9orY`c%ZfyJ;U$VqxY61se$xeDVv34&>8x@(5BVL`*^2V(LAzlhD;o#Y;5|yPUBrp
zWH?Xpi=16Zvkw`I^1wAxpY>0K)aKB7#bEF!gd^VyTA|G>l8cbdJa?B+48GDx=kE83
zb8R}pO5Ncz3vpZ`Pu?Nhnp%lU6Fe(w&D
zd2adGGX!zxQ^Z{FO74H)zlC}N{$mOY48)v&Jp9L()?@qTevc`UA^jeB_&uzd@@vq#
z$=){^vFDD~9ed5Nt>kNUR|Yo!7pQ|+=x=9mNpC|8r8u0%`I+d+@IV^JugxL?O*a)V>Q%}XBVFT48KV3n`L2~dtq@LnVCu?^Ux~S?5RSQu>7u-
zOOC;<+j#e~?(MF*yYVjU65O*cv}diliXib*`*>Y%?V;CqZ-Cq8b$~Tg{{qeY7x+9K
z?!(r(k5ktC{S0-y_`@#
zydDJVg4Am2$gxMULTy3VB?UPIVH>!5%+m$WP|4%yw2?@kQg^dw{OZ2CGP+C2<~y7H
zHBVf6zUSH%L3C_+xdX%aIGdrAFKg;OHdf3hd2Tzj;Y;8dqS}!}5o#i|&x^UPsMJ>;
zqr|oB)|IPnUFPcUMa7k~r6)$0?C-HJX>aeOVRIY1uUYO#m6bp|G!-bClhNOvd!wY*
zKXpwv@#pFB@o5sM5Z!wyudOs;29xX;AICB^CAxQ0fqyYrKXUixs#OD#O>S1j{cBsV
z94jeZe&m*Wn`ckCI48^#+fQ_@Sy5SfS6y%6@Uem6)7NYpZ&47R(A(|Q`k-92LwW9q
z`+F1bPvUjb@fKVqu-+k6a^|@v_3wyR^UXpn2Xy~NX=M{%vsJ2+S#s~YUGcrgcCZ8>
zC=?L~>=KSyOtAS{DeI1~9kX-clzp)$8Ml#32#=hB({XS4E^zW|3NFS=jkG9~#=Z8J;jvs#u!
z%7x;Wi_QW?wn$@BJ~SrN=4IwN+bh5(nM3Sw%>5%zfuF3cytdMTI@b52bRV9rF;H23
zZPlfZr3OhZst<2(#Eymd#MWIn&slvXrc~OC|DOjxpHAmKjV}-%NP%wntnU{37}d?XTNG1*y-
z-ecTThbThc+p>n6HwGteYS|ehhsoS(C;N@lAa6Yd&rg?;z@CdvP62uI<8@nJANCt|
zVf|RBxW&px@2FOzu=5BzQ>T0W6=LLK@iA9(*9bq0cHckLynnnR7c>hzTFSP@%ODM2R88SCP>w$i=^{kX(845>1&@LLl1Lpk@R0^&
z5c$|ex%mCI4fXjye8XL7U{?gqW@NCaC3bs}vUx|h^ZxJ6O!p3)!89h>AI?o`OL*VU
zaYe>TZ+cS9$P-Cf8Y8q=*5+_>=$g=QXzK}HZd*+#Ozw|s{-1aaq|KkP0NXj$Z)r?-
z#ZfrVn}s&f@bMu>c*FHAlNZ|Sa)sGUVHVdB2pgR>cHznaW4Gp-&6%uBiOe9*!TzVb
z@h{kZ47azhtLi({Yil2A=49t&vDGpj@)JZ_Sh*%J0oWoLYfWci8TC$vppNwy$d6g1
zXDil(Hv#v(FraS&O1ZbAWO_&5+<;}-+8OW47p`il+56ng=sjDi=qwQr+sQn+t+cnY
zNTlL`W3H|W!}fLH*QBm@^sOsayl|wge9NP26$WAU_ij++D;{G04Quvq
zV`B8C4Tr0Z0p{-q2E_KT-BDu~4`A3nN!R8Z`er->nYF#UgM2hV5HMDl^A78$6DJeJVMNk;Su0@uhuD`f|HeT2O9i>bt~u
zc9!e(<(-bZs&#^DpS@ROJvP*|qsJkaEfve?JWr?zauR9a+r`!oaWkMWlnaMsNfN~zrVa{s7
zp`kWTKCKS)CSZrpO~N-~ZZ{=UmJlbgzma@Xkjgc9Dx0KmiHGL~bBHaJUK!svMY4fU
zL9xMs!OUDno>?0aIixbhzkW)dy1-=ycD6iv(CrnLR;G|CXNuj%dTsF9K6)^!%bldJ
zhw_byIvl0b5_Li@Mod!jaU4H@b|B8S%Yi;(g#JfD);5XlQkk5xT%h^D
zQ-_;-i;?;AP728afuS@;vxq6r5fww41K0I}Zz!XNhS}TI9)l2>HE<19;w0{d`V|*5
zyB77PNYkKAX@-1y$Ck`REPFS8(K;4L787Yw1Nn+bxp2=!ac9^s$09Cgy5T>I+(rpa
z+n6jduq6q-TV(O;n5R-*0#HyOd3c8L7>)OTSQlw1q^^l{=|aW)+ZXni_!91!Kud_P
z^X_FsyNhxdN=dDQ4d|C&S1nq_Yvj5-PGSVSRoNUq_!_yY`qHpMfa-(`i8J^vct^V8
zbqpp4J?*(+EDHF*AZ25;F$elrd{<#-QK-A7%&035c)ebwpQ#dyE#8Kbf{=x8s~Z>|
zsIwJ~UOPPfSfC_F#LKgI!_J0ITV4NPf1S8f+0Sf!5{7LZUW@?8v?5$dM|CXx4
zzMYM;ExUSMs?xq-Sznb~q~_qujO7Iq-?FQFnhve*l>QD3G99%e<*pW=no^)J$eVZ2
zzN85uZAEPa1k~kBNzsl>
zH~2@JfR)8(M!@555nGx0`sZK!#|I~u{{q@Qt)Qnd%OHMZ@+$1WYd){SC;vY8(loSt
z?!%0CeX7WNNq@Q7Og2BZJjLe3I*Q%!a>d^I#TtsW94dP`1N9XD1P{Y^hU$Kv
zgk|DQ76j3Pm&C&YE*3TRHWmd}o*eLPTs5ezXRAd;<*gn^*dbQB$|}lS$|->|@u=V`
zN2$|UGtu0Bc-$wllp6a*3avs?5Y$@&1$tvad1s(7^Ip){C*ar!h=rHt2;{rdqg6WILigVr=y0lsX4Tox3MhgCjmii|32m_4sKpw;
zD`Es!&nByPQ7;AHGbQ)Uf!r!4-4*D`18t5X6t!YyV;>XCKYU;5SE}h)mQawz$>MRj
z+UjN1RU;vlqPU?T#8?
zN+WaVVzvOjar989!BW*>_Er6k9eC2b~``$j$+;r@D1rUvA5Sr&%Bb)YUh@I&(ANAN$pxe*@ps$`p_1R*?j5x#g<2VNov#b
z`C6M)>c|%e@*UE&@4@PKdHnCo{e^$Tt+wU!dNmS9FW{eCQ1!=jfN
z-J94Yer+-O9sP%TVs|@VFz9Wx^GQa7>!sZphvK?C`Q&xy^2Y$rn7HofYCW5F&of8K
zGl_iXI?}Jrw_N^jJ&fogwk69065Q(FIg9u*7D|W=N=9Vf2W5mOBb3pZG4+4qvxL}4
z2N+8iF#k6H{T)e!$qmlMrRCKfwdY46{i3gY>SDaWbP~7XG
z%f)-JclnFsH{uP+5vOQKDymASJlYh!nFEmCKIBzWFHUlt;_qC=!o_5&5^}JOC~=v^
z8Zj?hz>1J-Ax18{I`FUu84K9?yu>13N|KAwC5oaeTx7-3XdsZLuN&RTwb0IagY*d&
zNAo%;BOqyk(XeGQdMMdycX-vcy~d_c(^^k&XK7ooP$knd3!eD8|M-}DtY|rZL~E=j&>hhXd=E25Heg
zS~z9H+ZM%jNOg;$>`AX1n@jQ^wXAYd2`_i9T5@cn1exrv)@r{D8tvGe+mhrK`tNUu
zWCs^dQ=stM>09UX=*Sf2}??9K;>b_G^py9Qjczwg}*ALb9)Q#C`m_44ag<|i)
ze=}F=KZ(C5GN=CSD10=FYC)O>ygx>GUROarD#*x4i_K789VbZLu=UBgQ~Ii*K(L`m
zFIJPeQ){T)sXZ@ln|U<+el%5TcWcL<hH+c@H8p~8z`7UKHpFnb|2VpH%o){OA0H8%ajE@2YNJ$
z++4cFG{WXqt!}cS6t9`b!uJL3YBSGV?Zyt01i$d$)FETX$_kmGvbQKW*<`~jTUC5I
zXWNisV8_k-AVG`LSNcKc3T9dJ)OctB2^w+uZct!CZ(m)h<%mJY~Q??>WfZ`
z+d308W~Q}|P4nLPu)p(mtSss9%J1WeSoEqb_l(Xwx3{L{suxyzXVxyW)NxdzqRQUV
z(((EN2DWA0c0)y%>twdjpji9pmh!g4FRZxot)q2ZQ>Ck44278?GSmA1qZl%l5rpUV
z0C^vfcb*=NuG3>2m6_W5*AOEnc1^`Tu}B#upFG9Si2@+^w0bLsLmKQ^WtYFY*DVav
za7gHe4fn70O0?Lx=D=WSPgS7^-Qr2Okmh5Xm#TgzVr2{SWl9ATu^;`O{2HIm-o3rW
z$&nRQG^%ic%%ebSXxe&Rtyac-r@srWfxP2}hE;XV4yDR3v1syGd;}zsQ9J(yz80=4
zn30Mz6a+$DK4Y=;&EyM?E7=krSMO=`^bIT@otarXE_H_Offk>YOxqltoU(V`yfHk~
zZ1L-Po)x!FZGI?-7mHXTsi>;hS94cwxyEA_Q9`J~$VGP9lFeGaCm2%urI$V3Yc_5io$BxNHWnMWJPEr*Ro}CseEigM&n-Atp)QeF)qJ?8
z_0eOf=Qu+xj>e5`7Ot@Z@-$qd$n4RS*WOv*{mI+Pp}ou9&}wzfWT!DFxNs^VXj-HC@S{rt5-%W_SV%;a@i*({40p&KymBw^XoUf
zdbCAoa4T0!bNP7^4#T-*OMTm}?t%<#{zQi>Xy1)E8R;z6KjPzRIaGTrM^XLwW2^##ya8*{wdsh
zA&C_bJNpE18~!QjrjK`IprTinjIx;d-|kNlH&JK%O>w5Nnz^rPx&e8
zdQm!LEN26IiJ}zo3TkFH2X(PrG9xkO<%Szep){weU~aH7lcyA!j9w?WaO-TKVme~c
z23j2E3hC^vc&3*n73AuqYVBil_hWsU(%uqxyH6$JgI~`1qx*n84CfNW-!V^$UiWY`
z&^Fsh#@19>#QA6?(8FK*sUTW3)^dt=D;&rDo%vBH5<)roQ8Wbi4P4P{tBNH_1#*;P
zF_|PaUPC5HT_a)woN&#~l6g|UV~0j|MTQ>Q*PO_cGS)3C_jH$On*}Bwn7s57{cWO{
z%9hHY`U)|4G}7mjz}Ya8FdN3$O3RZOm%+QKkj0e;t6S`2yHt|;o{_?bpPTLOG*lHT
zW|y>imzq)R!rr7R(hH}0-Stl4k6uCyJvJ^aYILEmmJb%&v46n1*AowrbDN@fByHve
z6VJ+gp?WJd>uBM_&(1zbPTJW{PWts}@FRswCrF<3!h$*BIWXk#Ei8-YvZi#wSis8c
zG^{{qI*z0)zUyGWGwG3GTa`tQ?oMN6q2gbiZQemM%BjH*Cw8NF;>2J&Ymbe~3L9PM
zI!+CF>~maXR%U?to#+liTCGX-t8rQul8a~?jc4yrcVFMM2~y_bQzb1$c0|mR5N#O-nb(Nuy(AQ*~z-J;iW_MNsYX~4~|@O
z&5`{FuDa>~_(9`UuWw6k+y&)R<@`nZTk!qola==Am?$U`jQ)7i@GiANtfXwDN~fzD
zDJvgEpGPq#s3Kkl_s(5adfVWtGrPj!U1wGe-d2ijecsW%Jrdd0<#cv!i$u0}JFw#)
zJ@?mhQ{K|H
z?#}-KuLdXTEyl?DNY9l6F4w>n-I4XpMoaxf@Xa@|4%d=(dyiHRKX#~9W=C-Gc3In@
z$A+tq>|59ABIQ!%{3qBt$OEa^r%5HqJ|4F2TBC~2aUJZhv+-zrE+?q4RJct%#0PTS
zrlr&B7x?TPiM_&tZB2{`W$^!DO#0hj7p0C#tD(k(cXSP;(-^-eWeZ15dNA-cE_h2e
zHRFsh|{Cy(Fw4jb4RI`+{ffp3gZbt*M3)AOuM3=!Y?DoTj
z8fchYw=rqfxqfmXgQc{5OzC;gh6YOr5!JHod9~yE0zE#U%BW`G3JNEYuhv
zie!+eE8*!tQ6!?#aq^T|^4Noo-80}kwXk$fl
zKn#B13fly|OGmKYpO?xWW~vmWpMsXPw~afd$HitYrj^+I+Nwt4y}94mfl7ZXPJ&=yluR4U5Ar~5r=tvV5Dlle2`x~P!6`F+T~PM99*O@
z{g}(ZWs>T!FLFdYzQt4PXpH5;d6wTi(O7NqQNo^I*j~`S9twz@)O5O`fjV2^*oook
z$NhL9JqfOH*MK|ERnw5*ki(bFphM?gLEH@Wv!_T*-ZaixV~njs~GFWRmE4M*g@Li{#-uAiP!af
z^C8KX(0t0;2aZa!}}=h##`)Jsq^urUX@jE
zK9jy)xvbC@(VBS-7Gv;WcqAYLK;i2wu}1XZ9kWXyG0T(&+Skd-`K6}b>jKqH#iATJ
zQ^agFSGJkV&1D85pCxA_{>qyF9D9vkPUaL*m3w4`_QF~(B&LMeYgCFA@hQl2nUe~W
zB2~+44a)^e(5fK*ED(X}C$IuCV3L!&)$TAguBe)OO@?}^*`VC|F};+^6JJp3pPu#g
zV!Cib;TuSScn?bQawH2Td?Kkpi;@jR^Z%gT2JdPXX?JL&J_MSb;t$nOrx2k%rzDNTsm57Y&rbWnl&$7)ncq2D>b*9b{FWtPD?|H))raj_b+R-X-gW-V3*E@
zS7gz}EtA`;M;_eW(6IZ#k?QS}En<4sHjRb2$Z)q$2W!SFHJZxtn&5Q1n*o>>&9*2u
z@BHWZB^r;+!AlKyK>83vl66DKxg<h7cCUM|3Lm@nxx
zv`hw9<}BBv=D2wpyIiSf@-%e(OD-$C{@TdRpFhxFvhMyhk!Pm7n=8yR_qb#9bf|W$
zT11n?dJfzr;45L$lkvt=4Y)-1`ElRDc=nJ+`iX
zij;!6CzL^@GN{5@qjeGhu1`wuK-g6a*GD37(4?`dyDUEQtt_MH4a~{Z>7Rc^k%tN8
zUb(_2pZi20qbp@{g6hpdhi}p^qxpH!9%m_@A#B+v#PN63`rK>tR7|FVcOu)UdKVld
zc7lW0Zk3q$l`f=Khjc*4&yUq|&}yk#j`%f6OZgKf%!u0PvoZI2QW~=qd|~w}t?VQl
zLY|Tf_&4&&pzdk$d=+gQoG+z^FH~W43HQDYBi1L*m#I)V
zDNN60pl}lWMC2ut_Oi>aF>{R}*XZ7e%23f=Sh~E~rU{!=0y@XJ#FSoaf@-DiBx|K?
zX}$n&qB{TEE2V@MvQTR0@x{xePVcDaYoYnCgVz6{UFkJaScU?=D@)+~ZZhgml^w$4
zg|A0UjKv<0g_IPms|4qa;vq;l1
z`soKpo|rv#<3FDm9ev`TH=de(Vq`YB`u4H0+tvhwYi=7GyM1+#_(EzeQ7gR`iNxYn
zs!Oa=?A;W+(hKX>y+M3_$F>VcBax#Qwr#&~BoaAtVY|wMe#4_u`_N|}ydU-RpV3O<
z@shMaNdl7@PlU-6(JSzwv&zC3yE_7%8|$^&hArJC%}!xg$L%{0zk4DQx&HmD-~M2@
z$rjXeos)NgH$|pmmBwolIs5i?cI@dX;A;z{-txP!NX)Hp%Z*F-<#P-D7j+nqDcOvNJ_>a)}N+-){@TV*sG7|HpQ?ip}L7bIUCEC|1BujScO^+@z8Ie_6g`HRUY~KvG>>l;ti1q
z?6%4{CJFeQFC}(}+2H4t4-DGl7Fcl4uuI>kVrFOPt~lPqcgOqF
z*a4eQMe0e4_H%TaNMtsifO7Z5z%J{zh5El<3Eqk2C0yNJ=B9cfgy%oYWYXV;^oyu$
zbO7Iw%(T3TXw%b0YUg-b{34!32Y)5#Y1L&k7O4(=b!l`#Lc%OAx+gQ2fgNs0p>`Gd
z^1hs297hyWHAts2E6BW#B@6b^u$ZGh`Au9TjUwi^Pfw@7UV|2|W1$~^*Rl8;&Rdvb
z0av6Dq;CE*DW%YZJU)Enk0&1aOD`>4C-v^r;F(lqnaLVgR1Mgdq8rh@3(tps8GY%p
ziw2C>T&Xgfky15xe39h~Qxq&&Zf@G)ZdhFBT4WEB
zYJF8Crf_M7IHNi4pJl)U)seWj3)~_!65$}tn54iE@Rdyig`8-Kpy*Xqu-lJ~#7hL1
z*y{R+`s-{gL&el}<3GRYrRBOrrRq^#yL0-nz_Wa{k*~3;WZHt7k#L!tVCw<}66`?S
zFQS!etfAg=b8CIMUFKf8yAgbz$c|*P!hUK^`B2CHivAR|cM$GVG-RSRe5XsKY;ju|
zJQ=V%2X&}zajIyzG2IpC-Vv#qsx>4QCIap}E-6T`ZSue~(&~n+y4LIFpm5uT)mt+e8F9zygV_$YnKBSR5AO6r+)TKBGP(
ztylYE0oO(Inek{obCDQ7qY1b479;;d`U#RQido{5*(9tiz!s}`WX|%Fg)IDlCKjW)
zF&Q}vyMl`1B;_SjC|Wz&ylkAr+9L5|HbCKna_6ehn+dO25PVmCE_vl>9v)bs3ikMa
z7NIU#lH<^~!1u_~S5Cr9w(Q20HAW8ot#6K?dz5myLhHNSVSoSPH%nYl*3?%-+k)tw
zf%KyIGKD)sJyEf^ZxE1p&~vCL4L(92bsy|=%$E8k@TCH{jD($mZ;diM(?z@Yn<2jk
zyYd`)KSv>h|A53IOsfQQ{7)99XH(Q0G{WatWgG|D;@k
z%eWqsa|`Tl1?lb*6jDKlM5@6{R0;r|N&37ds502OTy&t=pU62+(LSN#|LN(Cm!CK(
z&O!Sm8V&q5N~m;4wl;3lU-@lR#UmhSKeOQ(2}xfZLhX)uJ*bijZ6@W1!EPC3N|^A!
zrPzt*)yAA4u{D@wR=og@eE|*wwxY4X9#Ifq5?fT_M;{ev;b_?Wmk8JeenlfsABWl<
zKz$;`@Q*1vu2zU$gJ6%82t~;^xU{6M9&rSupai&)iqruMqxg;+A==9rg-(s
zWvbrkE#-|{m)KDvIJmoLpw4<|+ewqN)~jWCZSC#7&5@q!-A}Jm
z7(`h&9FeJIq9w@k8(Z#eDiRwTR@VkLkA!HHE(nDHegW<&H$#rb;e&()?VGuGD_|o_ltfD+-|lxr9n*
zKEH8ID|Q$04NF~Yst!J3svYq+Z_`QF^j5Cxbb*XD*bOoJ34esfBK`pP%onEeVd*nyiiEC6&DvK43AjCfhra4K(x0
z(U#`2wM@21F1B@SZEo4xVUroSRLqAahx?HW-#MyYO-lxqGO5@P+76n$>FDcQi4EZD
zt*;+#`rOpGs^*S6YF0IxFtGOQ;bt1va`^0;2t2B}t@b5bDNJ6PiQHpt@(%Oh4##_2
z#CB9rvoc~bMON0_@%iU>pz*1>Hf=fw$BLj)=Q9owb9fj{f~Etn90KPOxkzl%x0Vr)
zWTRd`E67OoeRHd@8}J&$_K4+?FJ=AriNC#OKR?{D-U%l
z^OYjFXT3xxxB;$(>8
ziqpuUkv-aCzFjf^iQ<9Dwc0e!&&)>lpL0!`z^9)YJ)(~VF5TP2Pc;U)jV~5~5dn{A
zp<%>$K4_GSi17k`j-HGo2jN+w{2Lx+V`h4aLy%#3KB0gEgg9^R)N1LHPiN&Hy#6{E
z@SavM3&0{)*F9GTTbRVm=@Murh9Z~%bSk9wsq@;qs`4nFKpfV+OeiD
zOpPmR!jPvScZX|MlDz%O@%Hv;0t5WKCbFf|ZtvUzd9tIRpkphf*#z(Ib#P8ALPiiL
z*IJ}Q31U%tr7+hO@#&xu5
zI6gw$E%qgV6{vnEBtlqn4Lb?nf-mJ7)utu;2L|>pF>4H2*^KNB;rhlSuWjE3=dTaX
zWHEqDkY`@%2~9Pa%?(o_&r)-iASaubIaT-U#?5CBgu@5UZr=E8-BczI-h{gOS=v`L
z9jT`v%m->kAwb>AOb~yNQ1T337Q-V#)QI7&2Fs04-?z7Ywfw2mtDA7~FTxjgq4jIj
z6?`ct^Vi{*Hlb~i%K`!gFB3Zz=sR%CIOU7%JEoY!?x<-*`_Xi;#F;CUszuxGEvrNu
zRlD75W9dv5K6*>4=09VcB=hA3sLIligpOfI&f<^5Z!T6ii!GBSY;OL6R!_>)7jts1<-u={il=gr9(P-K~|2Ozu;A2DB
zqtTQ!S`8I0x!O|$t`u=p?y$+$9L)Dk-#R{i>k6N)w9Rg*^Qw8WM`c1LJzL?bFsMC7
zQ5Kykv^>tymlhcOE)ze`>&k~4d}5KO
zs>7`-vznxAgIH5!(Ls4^E7s)c*)lUF3p+7DYlP>-i{)b^PzdnIj=lSL&LiB@nU@aM
zW8m~-kKebAx-Hu>$o_br(IOZie>b)PZYm#`7O6k@61qAK^E>zN-GKqL$LO}*_vj<1
zWBC+&Nxe`U&2=}Xc6ZY8z#j%Xy83tSTy@)ot8ntx>7AcqtnQYYF5)$Cv3OudUCZ93
zZsHL#?uVhCwD@Q|AA}dHU5NYs7&gGCu&dDWu$ke(UV$y_0xh4GDpbseWu-rVpKB3M
ztgw&Yz82F03zeY(e)|mpwr~Z+`*tuY)90FQnLw!;>GQ?Q|d0?RuQ1HfYh-ltPu3iR4?Zo?h9@ql+nv3EnN!Sty
zQ?s1-@KfSL+<}KKy^4okBhPa+3=KZi6Qz7{<+Q6`7;l80r|4$yFW2WfCF
zr&1ILk&!9KpF3H|;%RE4M(o9&-ii%Hlzv&A5v2c>9MhgrNk!%t8P~9&Nq1V(-!Exc
zeBv%N@lrIgg7{~w!LO3)r>ji+eo@MpkunYZ-i)<)N-IMtMZ5izs
zWNaoHi9`R7(d|fH0SViWe}HmHSM<0W9HJk+h{zlrlNQxe*`rH~9dmhb8Tdtcu%_8Q
zwo6SV=stU~dx@c{NO5sVyLZU^C8U?sSD=0&pkm|MK$jNgb<+gI#Cyc#d6g;W4Yq=r
zBV}L6GAWVzL&H?!xj*ZBT&^BHCKizS?oc?>KZawO$+4p0@aUMLc;q;B2KvXu>%Vw~
z4rLMZ_4kO^-&9*NkFj$Z-0af~tEyIIWZs+2$zcU$C$;7;qRipO>tz_ML|%b8QUQ^E-qw>f8DgIR@<=URP)%2%}aBI
znYkh%Q)Tw)oi#S0z*gtJoy|W_TuH$SHjlUp`)e!|jB>G6B2+R-8~{;3uD@kl^Qy|4UcZ*ToWYiu)UIF*
zN!i-8JXG1~QRgntsdNf$)Kc{(U+>FAc-Z3#B0+|q*2&zWkIXBIN
z37q!PpNvoZWCRs!7}Rx5t;XV>a-DDbds9=lPy2M`J;lb>raJWl1E|=d-0v?(MHvHh
zjzZ#Ey=6~T{kGnsqTX%wReQFqc1aW*dWyY5kI6TjO$_`U8YxYeo+d>+{22zk2mH(D
zi16Q1o3h_z%b7V6_8VDd8l7-j#Pwf4bt1mEODbR<5sE#`KmR(Zi7ajC%Ru<50A>`A=oEb;f3H&u#6!W)_H6=#9s
zE%-LE@RK-$u_NkpF_F8(0jWM0@W+xYes&f=s|5VwI*BUFKzwGPYs5DI#jCWZ9~1`i
z^Mk?%h~G-`)~(~p$O0E^{t_JbUN|nDw488qP%$)Ik>kari#c7uuMA8PvlA5M{pRgF
zKqCh7K5=I2WmkhqtcvzD2;>K(7eL_+CvLp)mUVnF_R)>x+c1Ei#L(Eea0jdzNgW@B
zJmF>i4&X|SNyx|&n^bFBrB)Tso`|EcUBYiJM%mAUD0?8W2V9`GFC_zw@XADs;NrmpKB
zI%fB=EMk#CZxGq*+;Ww-u|VY#R`B?AHF3_S4@@3u?>M^5Uux|Z2Pfgb#dbeG$u)q~DR5F98m$VH;S3Dp!?%Frw49@zE??egVJSO
zpJx#fH=E61QfT23yRnb5M8rKJhty*Q1EQ>?a}X}51rbrDAlTo=MM^gD3><%4BIbY=
z3`Zk#c;I@GHIKLh`-sUWmP?!hFo4!q56AmOd^|)y3FU~CSO$r1i2VZ6Ogzh0iN;Rj
z7-->$DN0B4tYTsnj{^_fP1
zbjMzu92%OM8XB5}x9rGNFgSIjwe{#E`FV0?W^!s~299rnci}LkmycqV;QweRf|#Ay
zE3xGZ1bUZTVpj14`8J?tGf_3G%3~3mTQ)Q_Y-lk{tUfi;aC7pG2)S7}El*>UTA(_V
z#naHV*%Gr_V$#T2xeBdOqBcviv3^OhFyC9C=j0Xm8yxPg^8EbrF1NkLYvyr{u7E*Y
zpi&F6MI514Az_MqHl`?Bs3vVIbhbBy!c$>KO~?S`FvQB=0%=
z17+FjAD;Um)=K|y?inm{E5d$+=k{Kd&la(lzzr33XYHM&x3%DGEv>Mn9z0Dng=dhF
zJrjmsH#eXZ{R}C7lGY2yLEVIKT}(3}L9bGBGL!XeH?8;gkL;mk(cpjkANu1R5-q)-
zo=vCcX0D`bB|fP#YnsKRXVLp<`C^i{AIMekc#2%27yC%eCms|yWiohQdbl!49`T^Q
zSX#gbJv=E@OO7AKWc0_NTy&Ej-6#%?FfDMA0z^Z?+Gqa7=2bJLGMPn~ua;}&asf}8
zr7qlBQ`q8Dwo0T~IRd@OCXaN>!<+kQ?_o?XpDE(gTchL;y_+MosIgq0kXi7*7E>;V
z#n1IyEk=z-Z>S#fn`MPoCX2}_RT%`CR;R<-QL89*>*D*Xhi9IJA}0J;a!fi_M$%$T
zZ=ecsb3qpIyewE6l$VS*+6*;gWuCqY9aju=SpkR4pptQfOxjYmO2V~TFRBduOnu#S
zt!KF2stpYU%rdW&#mVJH^#Sl6oZp*Tvl4@n5G{fv5pS#j?#kgZnRybmSef4x3>IjW
z8mU$);)t?~WPZO}U}`QiI&@Zzs-)dr(XXK!x!Kvd**t-Dtw<~_4h>Qv@R8x6#f4^Bs{gqH?P;j{l1Ets0
zV}HP$aGj<^pYX-<5E3P_AFFEIwraaXQrr>HI2C+4KQ||rrBRlNP5eh!shRW{dA{1)
zXd`|F`4?XACP6MuZvrLNJPvU+##53q_Bi+gp1C9Pj%
zla8W72knm7?=@6cBd~*vQv3m|i+(lv3dRk96sHd+iEh{#(5lJL;}9p{F3~4F#S^n(s0>&C|o6jd-FeUxPjw6$-GKnoEvfgL&YdSrRd?gsGpnh_R~?
z1egb~)GGIw-9F}4saZfMuhf|AYG1S6-t1G`O`1x%5dR5FoR_1J$rL$xVpb@Z=UCyh
zRJ-JISGC2r!oka>eCYMqmsmSve})`ID)@<5P|8&knoROV$qsw^L_EbsP8tj@}s{IVWTxZqKmi_hX~Z4#Y3%XC@UZl^+s)@+7+7GmtpV3C;_
z(HwCSE`uKvjlv`x?3gg5rU%8gVy;{-%r7qZCoT}=nw^CLjU(J1cAzU#K3;2Rh!_f|
zmx+A-5)qACUZQduR4iUysJI?{BILk#n8%juUE!e$&(dm>zH*=>vQ8&1E2`{cC+OWi_
z@RY6$<4)$4xzbrxTI!9y%F4cD=^kA3pqM#JiMA5k${8q
zL$3M;j69b=!Z+-35_t--VHD{G-3<-}=59h-qNkKmZ8<*4(Mi3$et!
z99P9&o;vq9n@1c+u~TU5L_jIjS)h+|(j=uEW}P);>i1$p0}pU*H8yYX@m$iVT|`T1{-
zk>`YPA9j-XSIA>dO^h6!$!}>~QHg^vAn_qg3art;C--*vR_^4{83py@rKP=WwUs1R))opM>tyRp#1IFPn(SLTkpMtx
zt(@2d{+ios?fx}g?Ie+JT>OGYPExHzhS(goz>twxK2jW~03numuzc^b
z(b1yrp2~HF`1OYm&XV8$%WHc2_`#c8>;zmvu>m{9u@u-iH=xX;-kY8k5kCh3HvAhd
zVFrI=chukfoB;GEunSJJ+v_QLD4hQX?GU7|FI87j(Zm#wIg6J{;AT$$YFhY~M
z9EZCdgTvaJNO#kCYg^k5T4k|4PjLj}7DP&M@A8``Jj(`KRnbb@#*%`NnXmQLw{;qf
zYWRclqae@TUV*1q-73v$sZ_zwwrV&E*I-*IM<77;w^8hnXwj|Os*y^RLZ(H-RTPf2
zm$D@CSotl~Fa*RY{6m@`gOi~nJ76WFONnr_?nE3Lk1uFp1JbA^8`qu4qAX0C)b8r6
zzPxjA%xQJYgF`jpiAvQnvb&YaFL(Nfw(j0K^@|H#Hm>d1Q1kX4heEbgBx6MNBWMra2H#uCSLD$_yVWgpd$8Ni
zy?^f9`{)(@@sBayGtZE@$8f*SkU1A*Zy(Z5jhXXk2gomJi`es2pMOXKby_Vs$Cs11^brw1%q3j-LdBGl^*|!Q$remf%Nv{u3_^>C3f8Rg1RJP
zZ(C)|b62(%>dKsQS{GlM$D|oMA|bxm;cu9@qPOja4K?0@O`(bnBTW)szR|9TJUz}}
zxNZHUuVelq?F<=P)lyM5lBLr-w8x5H1H{S|qodPc%aK@I@W_!*!O2gKfVZsETehsU
zSYqKp%j4h*Vmtbv-gOteLvNEgMvjdCkF)mxY~slN$343%$?CoLZp)S|TbAVBd#||R
z0tVB2@4YwELP-M>2nhs23Z#U8lC0f%
zGdr)&d!ILiSrLqnbWj@_20FtI)Q}NM0Ux+u=POIFSLS+R$u``+lh?N4cuU`1)6>?j
zy$bG&)p0SNOv8I1R>bGx+rh%5@)WJMU`E4=N9U&nC-%3uP$bkGtWy}Jv8m&FdXnLD
z<&g96PR1jYCZp8WjkWPev4+jxQJL1zhO1iEPSwH-%tN*CHi^(Q9nq9NN6QM8E5njoRO8Un
z9S4zp2K~meh+i%pq2r>O+K#|w{ih_(B+^JZ0+mT3vx&v(OmA{ymRavBjtf*7`CQ|)
zX+|!QE0gn$K8GvaEZ_+zLkU&Umz6uA#O^d%^vHccb_njlFv@2Q#tip`2u6uyL3>qc|fPf!SIi}QMkYR#khcDItMrvmNhP0j%rzN+=pHQUZ##?8YxTqJM
zQpuMECnR=SIcxzT;#+c3be7Dx>}>Eie}DJw_geG2v)qlj4wcdpRA#4%^lY5TjI(62
z&Fa)Np+1)Ob$5anp`9NX_5q{p>5)~7w68mSKIx1zwHKt+r5VgFYmy_o#wqiqWoUeC
z=!L6HDy!a=$t
z@{UXvu@KCqVz&oC74twiUu;yRn-r=Ef0(|O>N*
zK!oiay>Qgrs5N6&{MR*OR)nsNUb9l{ZP3i@r%otuXaJmzj(fzQSsI_8q;~803^`;w
zu2it-G@;mOE=)CZc_mN;s5Lt5_t3_O%>eepXE1cm0``-S948E0FfqB9j=A8qkl%b^
zev3o~ZxMKj0E0yWFq&*nQkGZ;-T59>YGZ~mNiSo_cx;})sLu&|_f#Ne0rKv>&Z#}*
z=iY`a3zt_VBy~=NTvAVS1PVx8s>{Xh$@^`raNyIQmA}SX}ncL
z0SrEjeT8{P#hR?)*wRfQ&%Q&kCd7&;xTNxGtdWpbB!Kg}
z(}wfH*n5x@+MX@4bskriq#KQUW
z+onzXo4s^GZr;RF2Xv$JawnA9sr$!aSMVI>a;nd5d_4os-P!^H2N{VjHlEXrK!-rPPOXOn}d3tNXFN2
zd1@9Z?xF^Wj(=F;^&IaG55bLl!5HG?^Ku_EoEdLIIacm<}O<#-jw9
z)TjVTSEdaBvA9IKK)ZYCKcUd3Y#RsMlXKwSrm=FuqvRr$G7>8XDHlq??AU42LvH#i
z2zi!`0-KPh-R{#n9}E&RRYt2=nDH^qMCA#p`7gm=^xjCscVm;GzCv-GaJ(xFj02|^
z1taT(775ks+u@{*7HAVpD2>bVD_l~KLH&x>lbMv1>CwKbGPq?fg+Dv4v=`rP&1&#w
zb!%{U&iXQml}lbfrcs9FDi-6y1K47!*3LU@`?LN4{AGv+@S?%a;j4EE
zEb(5g-ES2kTVIAVFkGuE#27e9aw7B)YD^}L<>z>_Z34N?t23u3s0Btb};;B!e^`I-`iPGLl}R#LQe|L4O0i2?Hvy!1yLWbW
z?dtJ*dvGo(1mLW=8@w5^mIi^w4`oDG}MPjnEFTQ?k+&l?M?Vf&iq-xG3?7
zAOOWyliI2Kgsm656P1CM+>6I~d;ue!9e03G800GZ?0?C0vC3MnCEKIL#P`Q?7b6_3
z$MI*dBxw60yB=kxP|1x_@K=>hj4#@6aJTmG|lx#xTQIA6FV<*BK=e
z-J)2N`YdQzgPT@cQN8L%JVvF_YR*>(O
zVH=bZ@;~NGeOf+<6|3NVjuQvL7-lo&llsKg45_<>oCIEA%_ocSrbV`>}I)4vKF`?aEtpsn`Nk
z3O-wA(dhNjO(zaxA54jA%MorNfn}gIO~k&&#zHyA4`)?G;qBkh8emA{51okxK{kgi
z;=(_%%$WiSmmzUxxm;OJXf#R%>KAv4b<7F|n;qQKIL1yJil<>DnD#+72
z3|f&nBT<8jD@7WkQz+^YzC4ToRJyxHvAt@XJs75IT{-^d;pDy&0qlz
z6|-5KilOca>VmSGeQT#!%v09xt0^m}_D$@9ZU%V;y0Be+Db2pm
z^+|Khs*8g$C&`sy?MV=GaaE0(UJC-*zY1zCh72taKzYU}IruE_R`+GAah^(1jpdY+
zpOC-d{lq(DlQw-!24ANX1{|SB7$-hNJ)$7pC6I1ubjEfhsf#tLcmS@~%gvj+Q&PG&
zH;>tb{@;``|Ecw*ohN_l@BiuK*s}Fc&nK^7d~e6vhK98WiJJcZ6ItJF7pEE_}KkASg8>xyFK$PWzC^)|Y7p*8;&D9N9K3h7&*vfe!2mjQ6C>FI@P^#Q0Q2OXdDMPj;OJ
zyz^c9yuR}L)Mh?MY^p0svef&@<#VtVa$9H(-ua`+C01)v12SM(>nTlAjem;#_4JrW
zo_M-PX-kkfmfrdFWXzal`1(9pkmo12P&8JM_YlXJ97^(ppQ@6seR9%Gi=F5hO9D2^
zWQ{y&T-tMVeqQD32f8OL$(MQD&$1;VPOPOgcg^?brc8bYuyL1YIgS693$kZ
zuEAf49L5E>3;#^Vyas>87ZDP45@nC>GD9P&g_SW2N^SahgF3BUWUZ+#)h&H#TV>(a
z_xG67gXtzABhe@{IenI;TczL!QYzlF)SKnh3Y`w7Q6T0LrJGTkv>kN>Tfpv%QxQyJ
z?fjE#w=h@?gOj!gARUuwI;0~r@1oMopf@v=gXeHon$ptJ&AUI?T8QB8bfwj`76H>9
zC)7H#l9ufekuvbTbjvbJiqj-AxEc7*aA=}#$MbVmzP!1V;EDz9P6Hf&%i5Fk*Ft(!
zag@xl3|?li8IQpA`Gle?Yw%}c1|g$*-Gq-U;I2cR;+;8IxI79`2R}g&U`hc7DJ5nE
zi?XLw#S>{+hD;U7y)(Pq$T0fNne@ku^ekhh3jF(yoHF=vzCt
z)#@WZ9G{dSM;``z4*q42yGD)aRv(2QrpqaNK|Xky`8!TRxmX@E0`uN!9xjeTnD>A>
zX^%R@7|tNHQjeL45j!$m=Hhf4SEA$&yv|ifxVH3Svn#_PzKUIQI`(QT8Pg7SWpr0(
zDwJ7OU1{A1r)5~QpYT)`1$ZuVLRp-?X46zhLtTZ@SXtZPn7XM(A6GUZ^NlyKocX52
zs>78FU+J&cxN~i`T(_pa|CNQ6w^vRU7&YkpY&toM@DkD(35E1Gvex~EB$0?+5G8pn
z^a&E^b^A)xSlsH!*E5*`s
z-D3h%&nznfDVaWJ!-_F2OKYswqKWxaPAx7d-SF(rg$2L1e0tjAr`DHk$rCW#
z22)RZO?RsJZ>8PoDx9m7m0+1gA6~_<^{=ci5KAGq3X)n@)w-1_RRNw>A@JEkx6^iO
zAzX(Hs#e`HvQk|+T8CM&yw%H=tzNrg1*2_eZvd4>qn;Ci2|HV_o;`g66-Xa{@L@^o
zhBH%8j|l`0Ipys7Rtfninp-S+mS98sm`~gB!}@M=G*9HEC
z6J8fdWAiSBG`<(cqNRHY1;hR>I$jPZ%?}%YxQ}@6GaQNqa!~5FSQ2IAAQ8*NKmV6l
zEfaIk@#GwiQt%K*B2!as7_eG(dRCT}yjN?2{`FXGR#v)tU_7H9XNv{ji46jQLH0Gm
zilSqs1CW+Zf{%2U^hVtkUaM%;B?Oe}`Us@@Cb;9e0?ild<5LvnxvSQ1tM30~Z-qXi
zExTW1;{3_Nwvq~=&EXVF
ztwuFhnvhX5ZF@)W1ItQmDU`lyNKu$`$D(~^Cl3)W#s@KinA|9SbKI=`=y0k=4hYAe
zQF0Wt|4|3hV0uTMW%iWPsotCeNYrVTE$9X1J+aS+QH}9kcc2O?sa+TDM43+xstVF$HBvw|sxRFN2PS?i;)YzQPvY
z>j%%cpp
zEJ+dih^;o*q?dpIy;Wjy@U2yLi6u$Y_-azM+SD4KCef2+6$q?Zp5LDdeGFRht-jg0
zY2CJgV?u*c$T%^u&^ISHt;dFUq4(G0Df*!w!O%dNO7-1}!WbHfFXX3Df$-SMi8&fg
z&V76tJo%nEqsE3
z3`Zcg(Ka{*-7luGi_CJkTjBNOZ$JKsFDE`C=e`zNg{^rF>wG)x3z7$kSK)Q8(ed-B
zhAfdB6v{C%gR_|{%cs7ux23lKwIzWm=|W7e69-*o3z|I1ZA;6`x}DHdSsvPhTXg!&
zEuS6R|MT%yzTl`_EAaFlnm+GPhr_A}9bue!n~s%}Cu1Ll@Er;rN-5Nke^EDOJPMXt8~us7dUD$b
z@x^iwr_GCB6AXvFm+un?A=KXtZ8?n{-%Rpw;IBZztM9>#^mwL^9ds!zN~z
zNyOP6%oArL1Bp6>)u2lRmuzvN_dMBRNm({Im0HV_jPr0V&QWurH>LSTf*I$%_G6_E
zpMv}oPiu6lkCImae{+1624u?uj&I0C>VmkeMn{CKI4Aflr5?0S@rKDK7N1
zBSj!C&m(6H`Sy&*APrW^7efo_MAia5KB|=lBS>I8_RmT?`7fEzad8G3e8xphycqgk
z>5k9IgUW1sR+FU`d}BA@*9YiPfr0#nq0@(lP8NvD3#f6?UjG!18yBt#kIZ^_gO8p)
zEBFWlH=&Np*He2Ai(Yeg78Dc7Kb*&h1`S9gi?ZfUaWV+
zd@DCcUCw$pw3qxXayev|>+!>v4)Ja*$}jNVz`G-0w8EAoD{^Z_O6H1T2A-Ubvj|)l
z&BC^fgE5JL-BC2F
zwOEt$#B6tGWzvd)s}hOPYO&6I35br~1B5TmU_cLVqRgQeLwBxt-7`y;UR+y@V|8B~
zoO*IzcIna+UAum0XW;w<^c)T3Nn$Tt1%#hL6~`uoLt%34Z*N1f^fg&UEFfMVVA8vQ
zc>S}_X!!^ECJ|nzqcTLz^p5pMJkoCw4!tpc7!37CAB
z<(JT}SoW*rRlMS
z+>4H8FBJzZzQYoyoLYhIJZ&i#q>vvn#a!&3A(>3PMaTR>z($9*QaylHsNn1w
zVEE*fSw4<4)X6wO`$rteU#l2T#c&WR1_-nDa1nxH
zs4syt;*}2_eP>1&fH9UPcWr8E-QJhWW5yOQxM$LsRpZLdauc^cYuBN>s(1b8nFSmI
zS$tCYE`ySn6ClJh9{PFr=C4n5vLr?&-rKNkVw%5q`iRo6a`^IXh0BZCe~f#wHXhQ3k1H>j_J#b$_lDAe!nj%-mGTg2i`{Z
zEwmIblk>=boEc};s88~o6)Vm|Sylfrt+U93j0tcIbTBwN$t;KB8u~Y5Le`>l3+WkZ
z#c8hemQ4MyLc8{tIghR^r01i_>Mh4&hP4~5TeIO9!l8K#E7ojex<3@9SrNsf^lAQr
znVEQ+IZr##&NzX^N`wQSnTl-oViRr_N@6j}y@0$_I(V5ejp8NmaNI699Jt1q#El?+
zQ0P}CcWp+TlgAriW$!$6clB*>PtNFhWH9C^%^e06eo_4Mn=Pw)D2~F)8@ElMSOwcu
z+#XQ$zDWN4nZ4w|^Rpp0+~M>Yc>nl@;vcv^=E2{HhA>Y=7{Yc77^tBxIoQ61_fPkY
zJNnM-UF2Z*6oE2UpjL^zMI9McbE_Pd%Ec`&h!mhYbQJ%yK!b0LEtg+r;zd`_BnEAr7HSI}Lo+E!delPjk^HZlj54Yda
z-aDqJr%%75_qDEllLCQB`?|3CzRnHzJ~wqlFO^qj(R+u`Q~uxx8$k}vzKu*p5qG8FxbAUQNyhe65B9${D;^;8s{6
zDU(1w`Fzyqt6s%=;P5~3)qL=&J#^$%>I@j_@f7O$X@{`}DR4t`n9Wch6Z>lwGs|qY
zvY8d&12SRv`&$c2w!gRIwbwA2vur|kMo*E0`21RX(bD@TPC2u(n1a+o_a6Kw(@NzQ
zWDcM5(BhOatXPI|88WFjNB9gHMSQSMG_0kdJ3GBK%ZPo!9X#9eSyyA%Fd!?5A;nrvjUQL
z{n^gOzOlg$t%J%75J8!98S+z6Omq(>nx&o5CFfBnYjoWMl#6tn4N=Q@p8@IfLHgSF
zO-VNvOf2~mcxuJ=4J*p0RQu&J9j~DAyB!Oj-cUNWbKx|BG0E&mH44O#>Uj||{V5X;
zPORw5(f*~ktFhN)H_2qH%j(i5Zfl%)+?V{yZOKJ$HB*yP<_VJyX%|BNdmYm5jj|vA
z8{yFICSHeL`nSfsiN$Z;oW`E+)aEQx*vbUUt0(8(NYteJe2V<$=>_j19Xc};`nW~O{!pwi8HA@}0qpf-C_`of+w?DHy6Rp#np>;~`+&BhbbqjU=aA$So;X?TY
z=_(7K$Bv+D=yx-#M0-Rx_)p@6
zu)LLzm~iIEHSrU>$?EW2w??l7S;aW<*}!c>lN_-O_|(s6Io1UAxsP`_QLM;+?IfpBA+R6v0_1W@b%qFH_5NtC|z4cTUe&CS=*C
z7=(JO-ry^=caDE9F1OCa(O@ceeE)v;u+}FjSU!ir{
zq73RhR?Js7F?HGP@;Cwu-48!WHeo4s6aC9>S2zbAqifut(efWc4eb?kbbsSfA!8qP
z3WzOeYLv$1xi6fbzHe-NYVWSGWap_<-+%DIxuybLYMhe%6nv1{Ixn|uNsAZzCpzhy
zN$ou}#@6up7rGIZl7;LCaOu*etEWz37x2m}XUP_D|5@YUDc>q5Tukp})F)G}I
z-y~RU730Zdo_k7u`iX_Rxayon4Y87$jI#oG!p6`=og%UFGt3U@u+w)ooGqNizBd4
zL-As11pmzdjDUH@X*}#GD3TqN=DO;CX^7909+VXoJaAc^mts#*A96qD=Q?YAsI^Tf>-^(e(IkoDfYl_BTn6^@U&5Xl%{q7vqeF?fGTu
z1F~FK=hdrqE}sN{UT;Gq2!wD1nzY1tnlu7KB!qLTVu*$GxI?&|RB)IY2W~2~K6r#4
zC9&{qBiuXhPLsj=b|JwJz!38=y?aFdGVcaJ6?U@fm)YOdPbUK
zdGWH!kJf;zFv{ua!F}D`efAJqWO@nEB8PLiV&S-^QM~{n@!;qI8L_9r%Q^NxL23)gc
zU<1YW^s`|+9_C4N)b(b@<7D1d`f9|N1CI?~8|F)9b{Kp2e_~1+X7xYrsd*8;bk!ta
zI6?EJ1@dKzPUkD5_!16_uf!B)>mPF_qKd|b#Zdka@fvl8UmwXbrt$P{?9W1_6yVk<
z{ILvhv*>RSMSlz3p5&y&L@#JHGikttE{Usk2ymWME#&G2`Q!6V
zaaFTQ85~Adfv0I->5)HbZ^@PfiKeKkuP6OzX)D(*R3is4LPKzMd4@+AI!7%O>Htate{afaLfOzy?s
z!z)A6>4%M1UbsN#$&u%%9y~J2d$>uT;4N3l`EP1%v9E|!v23;YjaaMt#WHdVID|j0
zm6B|Cb7Eq%8(fuX=sg1+8$wO@yRZ*sh4^o{Ex>lX{r1(j-@ftQV`6j=uds
z33Y!0?(2HG4{@}tjX?df>5&3d+h!mo>f;QD8?|Qc#|(b#b6k_^Gtfhx`58J|A8}<5
zDy;uUp8YPo{dE#BQEcFoA3;w`41N`g$pkc+`=a8+__3?1B<1n?bzQ!z
z{`BJt57hz%>}7C>mmdX|s--RH&ZTvHARvE3JsV#P^FRIx-CG3mF&#^yW5fuYbj}7u
zqze&w6`N^BNq(X-=AE_?&2(3vW&{V9}4yga5x1o_o9nKH<8}eYwp4ney@qKKVP`
z22G-xr6(r;7y2prOJTyNM9@h*Sd`+9(lVpPGB!3MY5$Mb;k3pP+Z2cH%$>P^q*Q*)
zR=;X&!>j^bM4!_-NFOH7eSa}_UshWzE?yga#7d{~w
zemmn#M5!W@N2pZDt58NC3-=ZpivRjYN&x)WpW*g+dPo3Jt%`oL#9_j}nqqTCNPq}E
zjBf}6`N#H%H!&*sJ5utB8Q;KV-p`69-&1%sUIqCUi~YAhX?)_}L^>W%E4nO6(fo;`
z9?P<}Izk^NBw%hwyDjt*K`6{*ouSZTDbj<7Eb;-AL7F@GE7UuPSKN_!Z@7EQ$m+Bx
zU`e3Y1{%_)E|Y{h;wM5bp7zA%nxfSg=8d~&Q2~W3wVb4__ZdN)6
z3c1S{&R@m>{AIJ}E$0uQyuGpwPt8R=O3F7p4PM*2YuDDb>o#v*2VRRbbw+K0P#zzA
z2205Ma4*#h4B1J;$`|*NdC$P7`93m|pythhEZi2xnU5n6QvQx5?C-$8H$x;C_JN*>
zil7RhpX&N7;uQV%?g+m$;vs<;26>RErR}g=#ZGUjIBQ3_#jZA;nG@Ec>c4_+^6XDK
zHPWJI6xJ`17JYYA&~#XviokCpwJD+vN-DwwX){M`;UTboltmg%3tSw+^V5jYB8`Hvf=lJ-}atO!KzFTYU=x
z#m>B>rb!XYD9@N|k=#g8ZkA7CTHY}q>7Kz~nRd9>0;6JxH>#kK51Yx31cV#5PDs0%
zVoEO>e!`1}9w`-D{PqTI6&gG0$x`xr@CxG}kT%x{+Oom0S{X?b<4wlUL+nipE1T$z
zHj<3V5e0PP;2#BCVwjys%ca0%i
z_#zks*U^$+iR81R9&Z0iTcR-0X22#&yai43#zi1OeUQ7LNsrAS7iBrzHot*
zbXHFs8=3InU`)y26?_)lk66ry)ckQMAAcsOGnAXk$D7$GKbuNs*Sn+6l>T~CgJq;N
zyp`#K>S&;iR?K(^^;rStp=ON#rJH3Cy5PlRN2Fb&Hp95!396^%oOust)}x-5X4KQN
zx5SxH(VLbTkL|N^W$W
zUt`*1)e51>ky6l-jxxfMTb7irb?BM=gy|*FHvN-C$WbQb#F6iClU$I*c{Aom62M-X
zF}Vp&K&&>X#VGx&@8rrx3AS5jozd2Z;A#;PC{Y#8>k$w2_Kcjx#(9s!>@3~G$h_K{C-r9#
zm_QHA_)2mzIOsHzXOa^t%CQQe&Z!#6H|KbD&ph*t)37*g?&r4RhNdA*Rl4NPa)izb!TVxO+%RIGV&S#4Pte2d}U?;CLJ;X}e;EyDJPu@e#wq
zZ5<9un#CiLPj7{F8WB-gZPlC#+n)U!HthTJrrd=3MOB(a2}r$CZ2DasA6G?QVRo}+
zBC*w#YDw{@kC`|oJ+WnVldHM9P!-_l6mm;^z-36#@-kZbS~BA5m)5uKb7TK@6pjtf
zTu7R*hq7lL8e6`0YMoLTuM2%20B>s)p*I*O2L4aT6N-g)lhLX-`I`!JCRMr+Tv&%l
zEQPv8t`V5+I#b%%Dg;TNl@!B5`z6*u?H3-^&qoi}V+_4#SXL$NC&6ta1d%sRU(jl&
zTQ)FQW@;1RX8O0^?4)-P9nv=sHF2O{;XXMt;~T?i?R-8*FNl?K$OrX@4WBOLapi2j
zp0oa}{#(o(tK)KYvAEp~gigbcJIK$Mlb2VLpYI^w0wVJ-afZ#a-m|7KYJju3&B>Eo&H~KBh$A)ZTMtN3==1I!kwr^J#@_oqKtwfgS$X%4kLppd}i^J
zSmz6m{JpH2Tt`d^-9xW5qd}%26
zJCa2o7D!@WBndiPeyL=<^t0C^Cf7+*lA6gYufGoX%|Sibr4G8jBMVI?&`<8tCo8lX
zOr=$X)?zDP!+JtTm=18=qz?TpUhx{wWuo;e9G7?&j*En%+%9LxDGe_~Lo@t#KZEM{
zMp+p+4+Xt|fGw2qJ|wS@A(ZfKR$U^ii220pgPV_UTCr&=SEG_Lr-uf>_O-{?u3S4+
zk;>}>3#oirJSK}g$KFNds1(MuBHl6p35$smc+BV+Zz$kG9g+rUMNV6J;X)tCRJ2DT
z413Nj8oC*`;)(tM)1D>&
zefQnuzn`1B7)u(vts9U9xuG?a?()^{dUesFcW!Uj+w=(0aQF2Exxu9Fo!z~g8f^B8
z*;S(Gg1rAEpDyG
zEMZFY4!O*(6ECd{cv_2H!Hxwv`E#3+m2p9%t2W2(s_4z=HUwRos&rRFk&kZNXZfN|jPQuyiw+^>t}T(
zw3@3L+dYjZS}N8|u8@E>@=7xHU<^U^<6ci;x(H$vsQWc4xXJ=fvs^ktTq|TqLqb1w
zSZ@1=WjC$>0FdjtX0Ftchrv`{VnJJa7xw)s`046>^2QbSPwgVN!CzqPoHHwGCA;wX
z0=v{2Gz9_SENvAIFyl#{noi}a+<4VPAT^E%xgO&HVI{f
zDc8KcyL$Y2fF0!lo4!M`{k@tRafU@3%q{m!;L5pmE3y`8^u(Lo`gP}~b{|>MrUsWo
z7wRhk*sFAYXIT5h_nYnnvCq$AFIPD(3dWbAJO`0cD`Q;01}u8Oq_P~SK5tM~Y!Az3
z8eU_3V^@Ep*Y0w^m@5WW%ru!@h8A!3*k4ar#ZE8(w
zPDfFS45jN-{blvshZg5LEqg8B=yOe=+DxiZL~_aG%4v1!8i|Qh>zcl7WAWlA*A$j#
zp0WV5rN~6iB($4M4FPjTg4zfzCHbndy4)$-t19Ov+E=7Yjl#y2OQnf{B3ENYd`i4j
zuqL4-MVm48wy|C7lM_~yi;coQv~OzRzEM#7CS!Qt4BPiN+cRN%9!H>8O6t5P1kn+mqrR$8oy}4SBo0rSJ>WK_78Dnxnj95Vi)%KzukX5L-$ceLq3YTyksQkv
z@C714u12raCe`HlI|`iwjZHq5BakR1R*Om}6-o`>a(_ZYt~1dFif__wk$u|87v{`8zoz)8XUy{I
z>SZmSBiOd?2Ub;9u6m$5v;f;yzPQ=rXZODLd+HjaC5`i|$mHto-56&-}JERUnxOIrd=qXVi5=eNCBykoO2a8)FaP
z#O-wM{9EYy@OQ$UosWdP_-y!b=q_{*G&a2d5H<}{FwlPlyYDXI_5qxxjT(Ol-v-Ya
z=*Qk+-g|xGU3iGLmG+TyS;&W~AIhB%S7${BglN2la7zh1l7u&u5E_07RSD}KS$ltf
zCVq8)f3R|_PXbD0N-nNzJh05Ye%ngt%sYDBrpk^Pg_|GoSbJtI$y)Nrf^;Bo6nAH2
zPb_l+fi|Nfzw1B}yR28eX72po4FPu8NGqY3(`Yb+ht2GPUK~
z-dKz8ADGs(syQK{c~uj7U9++^X~Pcu!x*ZEFmZ_S5anZ0buN-5jK<~*uCNUx4BeZjc2H?hTd7|*dZ#WLoeFsf}8Y3PpreACE4?S=@cwq#(!X<3k#}br~j(B&j9~Y^k3e;KYTCb5LLE%Y>bdYe=JW7zE6l
zDXAQ0q}z^+R%-9Ydy}W!GiU12>A^tjoP~2*14t>=W~ik`?yyn{w#{2KuPxZo8lRh>
zWOLb4IX=ZZudHx&Z&qO3#@g=9y(MX>*>&mNox`dqZ{E@IO^e&|0;zdTS;h4Vd$Lxd
zSIXEjEe~N&d<qmewDMjqEOHI09zAU^#LK5`ic`IC)FCcuPKku&uj9@HR_X+
zgkqnRvSV8Ye_`}7u0i{+e7HtBjMoODj*ciE8Bv^%$_SBA3MWKjUq?`l&OV#cy$S1+
zDY&@0XmOXdrL9iaxS~CcpML4C{_l^sk3IQQ{~cHEYZZGMH$1b()HJrkky;cd0`Dg@
zEUl|uF~)uSzUB>MlNkpM$udGlFjp-fTR*0D=SvF~zp=jw8fe5l6P`V_Yf1+E
zSuErkY7apFhp1&7r)o~9Ku|PaX95&uC2GlOIV>+6QTJ7%1yGEX7ZH5voM;qwrZ{2oho^J}
zg@yW(7Ow=9q6IQG^v}^`WoN3#F0V3aGYhKS8a6q~HO(O2P7yzvz3NAt2erNWC|Ozuo|
zW0%qTl#wU#UkDN1%h@^UqR!;$
z=pxHXyMuJJWz^XeVgm4cZg-rux4@oi77ERNEKi(jOHA@j+&@0KJUzkTP)IBWIq@PV
zsiH4Gy|%bCDIwb_73Li5Y+Tu#kl3=mt>b6`i^UP^wb*%=+vOH%3__t%Edo`+`RSz(
zPUt4TT?8H5DI
z4sRuIZV)%p3(vEwQ|F
zTxWS=u|H72k&Cf4riz5Pwn}ee_2lfl&f;XJ#o@L1@-+sHbq4Bu?rvOIo;fDhEQR28!lAvhwPzFN~8-oBK5!PgWPo4>zDUot8X=;0kx5tq?q1?mvpIXsz
zY-w5f#wX{jeP(G!!px_4yL$r`w}uDKCbujqE}m8EO01fgM&8SC@gxeir^KsfxhLPh
zynbB8x<{u>eQJ9{`+Yy`c?cwZzLLe@$wlGXgmd^aL$bp*&{KUq|z79=seYWjsbzuu=~JphC6L
z)!}rx*f3z2SSF!_f?14$I1;~Ts8t5>Xy!c&cD%YWqrCt9ZL8lM)BNu0Z6EZPXRLf}
z$NYOU(*!E9$l}gP*mT>S_tmZo0AXNl?R|IMwka{&Z4rr80){WWeD2HS)!WXH|9D|?
zYkhs|0xjbDR8J
zY;I^5*WWz1lwL13kE$ih{$J@uB^2S+Ll-a{qsac);$d%&BHNx+9Eg`}rO1}n_(MNZ
z6*`wm;r~i}K`KT3*U42Hs?c~JHZ3v%N@mHS{jG$1f9z0}2aUTPm2`aT`~zlG8}6{Z
z7lp@W#gnnD5|tw%;Jp0hsoQhQ)o^%mIl&|>MyXE9
z;g~Y&ynMBsA4B2!Rgvd76XBdKFOD<9Q|^eracgB
z)$I8Cp4PTwU+>Vg1_SMyZC@U3`J1S5^#hY9Kd`DnWOg{s!iLqSCr>%OszGRWI>7t=
z*PmM{b)_V`BrBe~zGwHqb1NjS6rW4B{JCq8{xMJ<%UH`}q%jFGb7QEU0CY=5^e6})
zNJWJ)LAq%P^<>f0aVq~%WmE|n-YJua{DnM%W>Y|mv
zjENIxL@NLgQ%#;^0J?sSfu{TiXV-`)peCnIwZ^Mc#79W-vGEiTCpx8Os}(|{Bc-4<
z9l>@ME;!nqUYKA~R5^`@nHZS<0^r~5Od3IwaQK{1$U@iu$4rEDyaN3N8rdw20Otq?
zc99%G1@LrZ9F#yi;&mkLGlzZ55WRL^XUd
zrrMh8)$@gXjhevP?y8&j(y9GL0&&Le9qqSgiUk>44jgL)k0ffzv&&yBv$Rf_l>rXI
zcaP6|tJc~vZ^xMI);zaFW~K9T{>7*v_*6Y4as?8#LVfMH9ms2JId}eIly#))7
zjU(#`jO^^WYff%;HkF^DTsZTg%(fgOQ=pbWYjyA%v|D#l{riyKjE-WC(3?K&ksO|e
z&((0Vu_vB0IN9qf{$8>^HqP)I_{&!qXNRHDo7`yF9{RUI2|VPTpqG44W{%`+FNJz*
z5;cb955|y&QfTI}`gUIA2@E7k#Wgd
z4j}8mLx8JIc9M|DlGK(0HxHaAD|zmM7Jp=oSTc&%tUsXD8bvHpmDGaKG~>UIqWO7!
zeC$}7W;Uc5Sp6=OpgT4W63tI@klTOx1rv}5A>lhx>+}DZaE>-Pjw0NeDkE#*0*?U?
z3=t1vWaMN#iJ_omYxopyC>K1s8~cqgq*1}E8@i!WdNk-9*;xd#32N}p!s0SJvP~#)
zud6e4LVt&=Qe}4Jq{-8=GS%fh2$K_GmS&cE$9YPZwx^o&$K@FcwFw1o<%F5@=Z~Az
z-WI4xwIkt~ma?hi-5pw+pgL9%D-agSavhpDnM7me6EQ-6QLT&0{Ijm9ESlHsjnx<&
z7N}!seJSIoI62nh2?f5ETpLU2NYNFSM@P*
zJb&erOXfXToX?fZq_&h|AF2kk7IbA=JVptt3u;n67Af|sC~g;slzJsq>$SSY&EauK
z8>K`+j2P_13|KaGjvzPtF+=DImVNdtoqs@V#J*x4qq@W(JdshUoQzTLQC=6QQ#gJ4
z|Btut0BoyB8rJT6Pm(QLvaD*^lGSC)-LfS2-n*UNoVdkFNbijhLV6$xp(G&$2!s^U
z$N@uFJ3AAbVN>JH
zSG~)j2DhtiE`3}khGfR+T{gAvMmW;<5EBuXVO6QD83<-qtL-RF|7WmdH=@CdX!uI_
z9iqX8Ps#^c*n7G71M0r;1DXLTp2b9j5HA)MymuayobhExIN|m9@E_e{JMLIT_50M
zv2w}iX`7?#7Ve$C{E6C(Fq2M|T0E|NY`ca%3EJZeE1J?LZl9KoP4_dJ%W`y*$c*hv
z*sacvoH?uYIW6w0p7h3|o|=RrPkVH%&Y<(A?cAxeX(V}b_fPM5Xhn6D-Wijg(pv*h
zCt0>^sp%?=^|-L?C}L-bR|*dcEQ}ql5@HF_(A>oPe#E|e5_`;BIJM}1nqxymNA>TV_JOBQvq3chb
zxMKcf>iH|aPo*Be;`=1($Q9owTqS=R_3{*1y51c21`4^ejf6qh!G){*5f1oRg&k1~OWYB(cz}9X+Fb)`=>1@w#-LycL7Ddxuh$;Y^!R+Hp*mC8<%
ztLf_2)e|x^C#-HAzP`=nYFj@%w=rF%N^i`~u1i%aQ|rJi&IknzM+sf7p%T{Pg!QN|
zEnts>y-4TbqLJcTg)V%U4f=WhPldapW&34v_JSrM+ZdmnsMRKB#~ZT~H0*Jx8h5Ot
zy%gU_He4^goKZchx`onFVMDdW@lNty$ciceFI
z(%i}%BWbQDX$}h1Jf1|}2Ub0MKh;Fz9*~E3Qvy(egV91qX>&zdY%cV)9|1>sYepytya4|wb&uI+a+?QWP&z4or#cWI=AL_
z;HZurxjF4s33$e>Suw%wp0J{Z|E6y-Ycz(LC!>u?G4_HeCQ5RXswa%u2ySN0&YI5b
zoUWRrq?)dr?9Lh|>~K$5URk+(yvH*he@}38V`Bjv4wq480R*+wMD%d`G8Jv(fW-W+EELn^B9LM&pCQ
zR&g%5!lf8AmmN3mH?hAA9FH&`OlNQRJ;xXZ4?ALe`vcWV#+_ThN3RWujNYe};`yR4
zaE%xIhH;0K1#$wjMNVwR!tthqu|>06(__=i94U2$SsHphoY|1s+L5^S#v9tKnSIdzj;g
zEaOZEYbR{$%xXV&@y(E3rq$
zw%;bo#O+q&rK}8CNYi>10c&Kl9W}ASLN32?7XKy%iQqydvKL)I3_eqcGTfb6o9#w%
z#NQg`$PKD6CXf9!FRa)xqkf*vYsl8s|FV86i|#%!cgjB%{iH8LrAWG47hVtNSh|;QX;}a6J)O!Yj{ge-|NeNdNY7{oBi3Z&HwiaMhu-!{Ak!INd!ebs6r*FXzve
z8_0*r4CM09!f+~K;6`P|Iqx*PZV7Mzj7VKq>
z-yYBeZ>PFKE!bhx=vtM{Wtiy9HcKnK>l0e)O44I>zULXd9f}?9s!Z-eeCe`0F)=@_>+YHB9?7hZ)JI3_G&*ah
zWnw2-onT;}Nlb7KO9r3!4lAhI3}ek1ox^u6s=jeycDPItXNptIozp#Do6u4+)hUrY
zduK#z{We5PHtMHh)K5d_3C^(;_Koo&*vF0qTK3C}M~+Yy>H+rGlMk#ueR?(JdNpznkbdw>{5%GYmzU6Zf%Lu~@$*DfA2n)U
zNbip&XEoT~71a-dSt(@wh@Ru|GkriqAB;-|~Lqcl>5N_2O6Qk*4Ds?>yS_oVC1diJnPIS^{qbLaO<1Z~vQ
zG>$?q0Qjg|WbsjLXPB)r^(
z+G`!1k9a8+2)y{@LKw`v3x4ZUf|ZGBnRYPUr-a|0JPFUp!y}>|_yA1p1U-L4`5#94
zca!`wK0nHe1Jl_ZHuuBuJ6x_$0j4Wcv>6HP?Fhp=o$U4x9uP}~lBfs&M(TeS(S8Kc
zj{W=axsimixv3*Krv@LwYS`Q1tS)xR2T!3Yh~$zdK15}sAxC{h*M*kd*M(ZB9lcYi
z9f59i@+8HaVxI?jr$8n91kZQy3H3DG9*8MTdJx=xio9DSc$Yej-r+ky+`W*~Z~8V-
zmG6SEQ~3RO!7}Ot>Kn{&TNrSJ0dE-4gaK+a`yBi1O`wo{>qd|Ul2@~Dfr9HnKKsln
zPzX|2p~vKv>|5+}cz$X@tJ*JVJ^H1==SrA{fomrDfaex!d+$`>)i^xHcn@CKc;by7
zhi2e2ss%V~;9eMv9=sCr_*Ml0?gX_ufjeh+pg;5B7x;vUo3Cu4^OcB9QQUOp9Xwr$
zTwan6EUc5)f+#6twrS*PI+ZYNlBq=#FI3g4g-NjuCYw$z3>zh%L=tG2L|v1q&eRYa
zPiw%w$)DH6>L#1)o@br<sG-;SPQ!c#R;!HdGlkB
z-Fy;Qo_p@bbLV(l7+^uGzrBGr?FMhLsbKGoq^{k9XQ3B@{__Tx0)NU@g2I&;M~%M+
z(1OSC9Vm^RbI}|yTqaAWi4oDL7B**w6Nj#on=?%-!lYp;ol(iSY?gF6nsQ_F3v;!^
z{@wpO5FuQMb}xVQD@2T}_Ba!~-UO#-RHECRnBXRM18A;=6)*;utKc`6xqITA7f)BF
z=6hppc2aqY_HevGlb|>>&KL>K8=di+=A~O3dSIwwW4wp0(&KV
zTulcm-yw2%QO&##FFAzPcr_wKm`DTa^$7|3*o1^<>YW)W35_G_)r!VZ4QTMDCNz#}
zR4bc6RH8o4>5S7SK8oJekL1(Ug-eu;qv{jWQ92@f-Tu2^8&!q$E*bH6&7Ix{RY{6d
zCGklv(Iz>o@W2&jFIFCcTAAGeI-RMBMyuYU5IIeqmNK`=Qr=n2#3+j-o(@x%OcSm~
z%#XHIcudxcF78EURZLR2Oe(X+trjL)?8@>3Skk
zV=Qs`JL1%Q}ih06j(6i{g?+QmIU@(ko(B$_PaS*cMh&
zr#l$8T-OzrTs|(_JFz;MDwXNxg;{m^l5m-b{ho@943pt|0f@ls;CI*_P2n0M^s*lN
z_(IK#sS7w6!FpOwrKx06QA$;|Q&uifgiF;iMr~r!Yp=z{dgHzdSH{ZOc$1+L+}@Ku
zx->y)bH%3!#d3w*o!m34FegbQu8GvCBClg?WhN$inoIB+mvgxm7_I0-1q@dL
zC)D7P>u18H=i_s=#yJfgJOqsz~~H7FL$mltso#
zA)@JKR2K$~R6TcN#iDY%@S>U_DyoWin~cr}m&PD=xZc)VA>#h6U?$=h`
z6jlf(CA!8RO1C~RWyZh2Q%&#B>p}H(`hSN@P<@L6>*x@J3K8e8MX1D;#=k-?tbxE1
znk=B5)e-Lcj=Y+=@r7ZLQZ)6MbY1!%V^pt#S9Ge|wVeiwHd-o{2?!2uMmexqoj-N(l~LXSZkBUu82}Z(W1({yoBoRf<`TZa&4OAUkprCGuD9=
zXlSX0GC(F>?D`WCeJ;r^lSvzDOG|4Tq%xU333Ro;I4sT}PMiDl+BN@~lNufuH{yBh
zUkBka^LWsNWA_vhlSrY+k&0#3Ey;FSl&qn;w6wYb{jev4u8!wN#KncD&iT)pwLi~I
z6C2`&y@>Qw2elf`$LAt65-j|=NGtUZSj&8cV9x|$-SmFwWfBnV*$`M2f~`TY=Yp_W
z_zhs_90WsD@~|pu1rQS03w}Qj%cPdWY2=J%Uofv4(K3Ua(L5wzcvvY)S3_Wjf_aM(
zY$Aaj4wlh?@{T32Bf;~XGL()x8#)>+qXMOCBCunAmWQ=aAHjO&T}0nY!SkXl$^a(_
zUqP@x2g@Bz>0zCaL9myD1()OVXVWrn6Hk-~y8F4Sz2WONG6_DtsHk-VD~)iC{(odn;Hshu?to9*S#UzkzEb
zb`4+g1sn+=3y=VMX(;s=6J=!ve;8_0@7OuuXxyK
z_9UzW_j0`AVc7`ZG$`SC#ly4+wwloQYOvf21e-`;ulaxDVYvu4o#cHzm>1()OVS};
z@i4nz3m1@dh*vz!37>(BnEiwY6nuv7<0jO{9b6yhVcpah&`VF|`gjnw2Em@?`Zy1(
zfr)^o77_jhU{&xbASAFC$oU|KO+w{X(jO510UnkKpMcYtV_d)IVRa~7KBkX9TO{ZA
z2sVzSJ0M_qSQg6LNMHy3EDuBP;CPbvA^*=jtQ4iIA+SS1d_@S>Mqr17$(N8ApTZs!_UD0y`G0M>7=*>lh{J2LYHHj)!f+Fx(GLU7PFmS$>{{Ff;L(jJWpP3jmvUk$Ny)sLbMnKVzyEN=
zh(%+|%@N-Dn-0&u3$0{hFO2kMu@9lyo_bfQP93{?BuGwuKjP=!OKrK2eem&@)+
ziXAQNJ15ASrCl58?2c8nHLE6NXHQyHQ@g4o8$OFrH8&&V6)R_tFSRzWKS_-`F|Xo*
zrjEs3>)FpYh2P80Thy|Nomsh~nSGagv!ru9&~FUC2i%O_fZHn2o1)sAI_X
z?3iS3jgUg!LV1NZAs)mJWf>5({q|7a?8#e3kJ>spJA3lhQKPp^&OSG}t*xi0t!*+R
zZra$Bm)EngscF+>@;!OpyvaTD=K1}XexP^Ka^`n59+NLUz?}zP`hht^%SG`V43Kjl
z|9{vWu$cE*Z|N604qpz(YBKr{7OyckUO(27A0I~PY_`n!$Xjo{xCU%yo5~iBafOAi
zK}#Z&CjlHk2A*g0Nd3^t2Np4}@bw#T7OMz^ltKT2d}EF?CdQd#H037gbV<3Nt+|M?
z)7xU4*$9T;<(iDy&Y0d_b}rZ)C<4bALS?LB_Hk?dK0jt~&1v?>)2D&#G~DW&4Y%G6
zm->i*(+reeLqk4&kOHV#_QNvtKX{rg0Z(rPkF)&!wNdN>n1bdo?d5!uy5um0Hvv@!
zeUM%}`4eZo*{N4VR97@HumAoP*X9-MeM}m2LJ&o45<>kRd%W_{?Qhch^1&9G1MI#b
z%R4~Udm7Ulrl%*3+uY$Ekr6A_M@y~7y1IepoQlFd*A2h9+spez4)udvoCkj!wQXvi
zLUkRYdhEnYcZOPiR*kJ1-RBpXv$tpOqdy%GOF$GPG?Y%x1HY-yWq;80R71&lxBS#z
zp2V!FuIo;%Z!Evzo#hT1vwW?Ru!~Y9YA-`>K5)y8J#d}=lqJchQu7J+&y(y&%%ee
zOT|`qt$WP4Ded#-&FYLvt4PUh^g1<$z6u1|1g(;sP4nx9FElCKc}4L#Jq@XqITOj1
zveGPX`JT!`yaT7V=mRwg8ua3`&tFKq9&8O2uCp!(?h6?PQ
z`Q(O1du4mRqs6fz$qJSy)?}NKYP)lCy6cim-r5AP%$l^q(UO2;05-0FN>a1p;H0vp
z-HlqIXt61g{h7&XnVMJLRbn)jbd~2#ZOLLlM51Z2NT_Y>URpNk;EEdVZVq)8(HKrv
z`aw^ZecmlCaYEw3xcF9V0eCFbh6O;tB^(G
zfc!xaMW~~5)W__70~;JRIAbFVTv-L4y!5Qh%#4i8+Y-DcX~yW~^$pjL$&i{oiF4A1
z%`GjR-I{hnVNB9`^YgtK6>yn1HMyuTCDqHmBTvgMvsKJ)N=j;)U12NBO_LYio;SJH
z>8zcccN_5ufclUe(TROS<4$bi7(sEwB3`G31UZo5t4{E=BgI#)i222sov6)7*Jp=I
zveH*cO4}EgV0T)M{94Pl#3s|1sn$DNwH^(SS_|{?j7c7Aa(s-~*f6)wmfAeM&^>-w
zgX4awjLaQ~S0AA^!oKkE7Kq3b+A{q-n<1h^4uuJxDrr2TvOB70)j6`-RyDfDG!)0y
zN5;!FW^1Z7v(!`OP21iAzNQwtvu_q9H_j|=SUt(3c4X?O$z^Jtx+KqC9+M1JoGfZU
z<$sHKkc;c*GZ-AX$X
z19p84)<142v$5yaDdOIGORrf8$NTp2HZkyHgfANJ9V!EXWbx%e;-T?lML7GfsJzTa
zfK_hSu)EYI>a*)Ia#X&trVMzqB`3zLdWh&LpRr2?24QW$R?(23FRcAFozr0o(YqH!
zlkwc4K&t>WeIWfGsr_EfuzAg+^M|#}pWiZXezWlY`OTw#tq`3Y);xcH^SpV@n7&<5
zK<$Rd0_PXIDA>!wW1O$Va%v0c5(>#VA=wo}v#SB(oid0PS;;Xnxm6*vt5BuH;f-};
z;>_vHtKuYm?)=Haw8E%pxiGC@=l(-YWG#nq!G{qpGehay(ZisPIZtlRa(CW@!7Fe4
zxB|)QIJ=#aL|QWpktO+7k6jU8&{jmRmPHH2CJQBxvnyRCF-iH>wB{Tm!8roqd<$C@
z0%7R&Ig1lGaQ%S_N{iYG;_IsOOCk*!R$&Cg*sO7CdL*zF4Nt3XEOjaEadKcZi-plL
zLT3p*0X8zv354i@vmpZ|IXf-dhdJugCQ*_nf0
zXspTXPA*+5y%)a8>>>I#8Xm3?4+oaO9j8kM^PTaYx)f`nCrzn0?TpW^OSTqyQkf=G
zQueqK3wEmGL_e(P2X2Q=h?nOHFHOWkWN2<;+AWIvhvX@^fNC^%bIxUW3+AATeh=DF
zS&L9vPh71mn}x7ovnJMIry?S(8S#;&s4SbpP}o)klef%4jM;ISvZ8?8%CC`Tqq4pi
zev8WTT%nf?!9hInT&DMcXNTgf(qO&}IdB`{czhqnO-@YPdeqncO!}Jf^1Y4cIk*vb
zy4vde(#Uw!=_Cwov&CvaB<@9s=RA~$=;8P!2y~2luYT21c$djJu#>QJuSWj=
zi5w7g(`Vq5%=qBBKDjzO{vI;_cF+K7K$X86;2CBgwznj^60X1+33Ci=9XYSca73cd
zbRacMa>P(IpWcwtI3?GRZikj(75RT8H~%l%)#(48*~y$FIt|5$Y?MP`^D^Y4
zLC@4u
z*++lF*YX8oq~FJgw+TxHa)AZSvQ>gHg6jm=3%1}D2O`(PEsO9-QVe(o1D;L)%kSyw
zW!+__BaZBB#}RW`S6RO&pA$jM!AIc&^wxYNAv@cC#8lSx`$IzqgmRUFogX
zUe=bK<#J_Zx0Tt2PJ20eLjSVc%I&@1guV;?%@*M&S5}rQ@Fwt^T6MWRi1#jby0~4q
zLtsFw&@qAqf^C9_1+NRfL#?dFTQX7#t#gQXnpErn1&4y6G{B=FjvF-nm&gu<9d|ZY
zA>}1MNbkjYQD4CeB%nfB&=0keM@M-9c3gyG1N3u~2t^9+ESQwuZ}|&wbQNsJ;UGUq
zXc}A&B?3YRaV_B(6u@a3C1aG~(xgncR;d7LRdh;vno6r+;?(h@rY>SdDw!E>t=mUO+v
zWtPXf>e8VjLMCQ}0O3NScZxGQ8Yop-j4nRY7$E}HQe}Wdl{HfzpfRZ((MbQMj^wFO
zre~(Ba9(AMJ3xx>RXGUf%EYv!p)yUFmUN#Nmq{{4CH6Q6WMf_dsOpMf)oopgJjIGS-Ff-k$TD
z=pTr0dMR29$6y5Zi#^|xq>s<`jnZ=kI!)%iYAqT#IjYVmtqg~>~-J{{QVZN<~Jv&)@A7dI~p8dN7FRh2JUCu
zC0!GHCW+q==60?h?wZh2swwl2yK8nS+@o=P!tC3mwFlPQ5Q^Fny#jz%)5Olx;f3&A
z!)W%cd@yBXgYdp{b)zr-Dy|q=F91Fkug|&kIEW}(hI=(4lOdmdYjnf8a}6WG6n3dt
zJi6}Ox%!d#e&G^!2RI-cDd29RqBXMSDwdd6dtNf|qT3&RelwoC%^T0Zgv|pk$PEUx
z49J4|b^$v>yh3<5;14vq5L#WCv;h(~ZV(6FLVCqOzn}$m8_#|Nq}#Ru={M&#*41r1
z_YHet+cx&XH)l82%_?7Z_^k^!t-A2m;pJuJOOL#DVbx9O_p)+$GfMw8m;P&#{wJKC
z;EKErr8%;!ynNXaJ}>@_@Q}MvK^l>sJCHUvp_!gABrP1B!ox$AxQ(ZV)29RX{&D*T
zqYn4&8V{V^smsv8e0kN~<;_>16z&V`I0ts1`5otWeg~R*@QPJ|!FovXeq0#d|M3)I
zb40mIemR=yeD-{CxY=%%Rzdjlfh&+l-^u>aER_LCM5*2z>wARy6soV0o@8?Vg;pls
zzUzk~joQPVt&zEdk^-{NYqwmsmH%yOO5A3t&3EA72qlZ#OC_t)vn1i!`t%HKVz%*@
z7zKPP#lik`g*t%UGU@$}hGFB~h0~i;ZFO@SjN+L1WUD91n3q>*WiMzv+SWU*sf_F@
zou;pDxg>&>I^bFgX%G$-uS{e0BozdLSL6AzFNTTea@C|B(#A!Fi)8tR^t6@<-D9M>
zgqRqIUL}$iB+XLiwp>@;vTS%#U1NE*t#)Qj$=tE|65zQ)m8r2bB~e5qS~HUJa=`J_
zB5h)Pv^>@*i;I${m35b!(}&L~8QHDV&1lbeGJ-ilMK
zqi0>Yf%@9VNjwXikP;ZMuO^G+zE&Xyk6yBabh&YTBdc!Np5`s{lxA8}t!9lpKC(Wx
zxM7T|aaCKEqi$BU!>&5gSi*jErQx&P_f2w4xjU~!ty9b7)6kMr?U}T?p>$?rvgqb)
zH@xB6=P3z4PxZOr6jBP}E*sk(hnkGwaLbn&PQyLHqoAr?CLC>ui((C~(1Wr}YS68*%h?Yf$;^uaG2sgKt}F8XA(c5M$KsoxVS@Wq
zIT_bM)s?BEgS2sHWuy9WTZ%*gZ>x_$3QymaYEAz`*vrnk9eJLDELTBftkaN=&(Jcn
zewv-uI=i%V?y$5ui5{~wW6bpp^~*ZC3l|siVe>ch@c(lj&_+R#88r
z(iAO{is%hj>1=dA8SfFaUR}!fm!Fp#MxxlO%KY9fp(6I5{}T-WZ25ySm2wRnIBq#-d97PHvJ)u;SW+T2%$eYFbc0ti@3JdWBzkZIz?~(wYK23Dj4v$
zKg@~{UgQdDuwUQ*LhHCTw$O+FunxkmxmFha7YYfm{84VvL0(}U#YSTD4XveIBS$_S
zq_bRl;hKl_5DE+&^FJ61PBfB7T&q@NyQT^XCtsV6(_3?`wZ59dGxfi3Q%P_RzZMPX
z8mEHESJ8)j&DT5$TwOZ?3;rkLKU!cSQ33{QOw6_Q=9oeHQ?Kya+jXEa1^#$lm|$Hv
z{i;?l`M=Y!uCZ~){{elgcgi(4^nas$fp7mHyF&YYVB}wuMs|(7QC)+6=F7R}>HX^3
z8l3lsJ4_!Bu>Lk&F#GEI+qG&6m(}d%UtP2N@|x6#RsR!}kG=DMY0CoJN+L#%p@Vmv
z7ee1$Z)T`)H&`cu0!-
zurCmt>>i-y@JtpgqHF1~+?~7ryP%UB*FDzLb7FmCtZQss$33C9
zsH|C_3%*Ug$k}%e#NZupKVnw;uvx{$v$41P*~P`PhNbV)BzO$*+#UCL?6V8rQN+D2
zLa)=(hRrGoyyd?U&6mEXccLlkckB~iZl=*la(Jw!JN$yLKbc$dCKQ5Prd*R$oOu7J
zDO?=|yzMBc4b^m_`2Q89e{;V0y=76o6<0_tbx19G>OllgcD9t(Nu
zXOwHhjZ5>3u3xngAz?l^^0++KsyL@ih(|aOA6x0Ylu~$65KE%1UCt7T_|w9}#Y7Zo^u54!ITS}d$&
zpHf=m9(gNVsnIJZsZFZz?Xm8LOjli@D^_DvhVP8SPxbj(;u-8`@-Pr3jS@rF6CG=c
z${bhaG}?^OaptIu2~|nxCwH%(K7;E0CTg2Ve2N^bpGjq+l)StXn
zyXhXXKY{HEf_a0UsEIEIdqRS2^UZoo^hF1kmG>r1vSOckLNm2OoGP#gjv#&gD})XE
zj)49zgl6~@f=jR^fr5BRBDdHv(l3<;jY9JNBYKmPJ$C~hPhuqDqNMDPA~`U!t2Uz%
zS4Z!KKMUWxjO|B|lLKeNLB=VUYv1()O;f-fYP%~gVEPf~va5$`cQ#<@5yx42#0_}n
z?N-jf&k^naC%)2!4Obz7{plV=Ln`9`1<_B}N&|yw$i*e;(yVH=HBE<02B%brngD)8
zoys>CH$_d2y&C+{E8OK*i=3BN^kwGY0N!%&t1*X~_l
zGro31uHoe2t2ucf_lqw%SMYd`hVuo_{E6J%$w`WdNy;(dyF3xtFI>22785BV&fg`t
z>?C0%{6$s
zZxx*bX=c1s8S%1ADwE!DL*L&&OVrrxUoZ#AU>m->id#?wKs2b|!#+wa^0AX4MDO2b
z_rp$s5!1i~LtsOTHzcTo*8}8?M5a}wq=e~GZHl7Fm3FenXcIn33+Zf!(r$=0
z8nVjmi4~c8y?PwyTQXHh!QaKjXl^-yNbw+UbACEY>CIG+?|y
ze~eBu5AVGrIxB8Cy*bYO``$PcO8X030>@F_U~GhOzPl*znKL|{0yNg%MRa1fICezm
zi2$6MF20V;jR_&}e0nXV5dMnbhXskC6u}=O@Fau>_a%$qcqktK^B6zDbIAW{2%aus
z1e#-MzTDvm&fiO>??ChUeF%OM!OIc+9GR1sp}x9XWJL8<^v(0AqXcGr8#tJd8MSdi
zoLO=H?Sw4l$<=X*O4cVb#>ITBkbke&ejFYBJ!?mMFQc-|y%eFy!mrazTk|xWIO8+tzX60!j0>?{nz%
zzev)M19))f?I=kX`|g&`3qN*}G`%QItN#U(hFHnN)(c&C+|k9p^JB-BEggjJ<7_yb
z?cc-QI~=SZ_T5Q1ZY^j|PH8Q)*$P`zlA8;xYtxbw($f=?)7ZbH)_V*FPkm}ity`~m
z*QPi!Gab$h>=aON8@&jw71s8}35RRhr;dT2m?P}V;4fT#Z=)9m(-419aP7nFY48)h
z5O{av_lVH7C~+`mJi-xqZ1-;P7xrbGe=B;wo_o*535V-hF{nnbQ+A`_P0FZdSJHR+
zpTMod;7gBatkHK}I=YzZsAOLNxx06Vq`_^2%TbXO|JaRQ6CCfbkyJ6_74fI0vZZ2k
z7DNzL%zn+Dk4FDM22it0XWSJY8>b7qa}MV3b#yblT{xB8-5n$?z1R!>0bO#gsqao_
zvhLe^n9;#!?)wMdzhDe$ulwmFDnhtnXnYKC0PwLcDHLCl4y3ZHXM^R;H+@Kn@abk(
z&jQO4&YS4jaJTSI9_IjAqrpB@w-~uB7$5r1{m%DKsAI;*Bl}
z_WX=F5o`}P{LD8B{KlMM&)&V4w08pixo{nsA8jg&8{gt!=+D{8^S_;^Tj*CNAO0|h
z-3%xCaa#Wj`g6Dnr?shUsO>dwmz@6m(lM0QdD;)v?4q21vS0J_QxE*B@Q}d5Wc%j`
zK1AQSf(-)f&FrM$ApibJ{{2|;K2PxSfcJkD9!2n+E9B?iw+@lNgU&?xKSlE6alt{3
z3J@)zFcuKazdzIO{b=$&PjEi?{#oJY!S^}-34Hzq
z>7PsPNCgGJ6}Xy7_BOCb$U#?>P4Z{Q=q)?(CCb=jl}VGA371)9nR+YwQ)%*qc#_lKZr1@27S0X
z9z1VX2;O?9|vjFvj=JS!v|{9R}GxQ%||~WS(?V2
zC$es!U3nT(9ZjLCB$F{<=#u;C{(bBYIGXr9?(t)NIuIP676+~FcAk)D&@P&xYour`@m~EKnbb|Iv>CC=P
zby^&!TVunp{fHJ3o=rJ_adPZq&^?lFVcXcB*fzT5(lNU9quyOqH!S(+BeEAFpc7FZ
zE1rLm>g!TjNZ4@=z8%Yjz~)2hkl!Xckv*K59r5uenvJvL-6}Bcr*b3vhCDIhsTbyM
zh-1y*bM2;uFH_IZUm1sGoSCpSL7HmxeeD6~b?Or%E6>ynd{HeWlPoicY`!o9Q;G>2+(f=Tl`uEloiIF$W
z-tt&tL_POdm4M
zVM-d3renx7N2#!oG$V$L6>^A@gru1{WSXPFm?Om~&3eA9?Ig`Zf;2u&S_q!o`83y&
zG=~IXJk6evG#iFYbCgQw(~LuD6g+=_A!&{X^7M)&QS-JZ3r7fDcmeS0&1kr-$
zfcUO^f$W7@t_f@Qo}G5+%l%h{npf&!fY8kKcp-fygJ(zmGo#C(evI1NFXtps)A1v4!KTDiMx24hOgP
z!NK0iz~UA~4mqvtJs$nI!BdwEBGn38;$ybbah}+ik3WW|q7z*sOPnH@>f01%PR?m7
zvkKWs9M4PHeRK{Tjb?2e7d&Kr5W?^N!4QaB$^f@Zmakg5Y}v|H%fb7`&g_n9#d%X7
zT2fN8=Bat}o?Kn+oqX$9g*8rYHz~9-31%{Q@W|nP`;H##bz$bZ+7d<08=jiK^HKTpyIcRk?^7o#n4cWjX+B<2P8X@THDwhW9UttiL?a?69q
zkF#aC5AX5)$~;KqGaiW)qy_K(whQ|j^ZiQwf_*(gW1kbZ_c=4^X#cr
z)6xsKw~yJ3!Q}0un>?K?=vyDkpwm`qAm?U*{{t7Dc0<
z+MBz%!JQK%E;>+0{S~8)=GA1{GzQtuidw0zB`rW&pkkK`K#EM+5%%s}~?wF63w&{;yjWoL*fup)GS*o+)SMy*)1PVBW^p-Fnm9lqN~MLRUC?$%u8gC)7?Y
zeib}%{Vi)&)J$z~tCVpOjG?+YyL;2H$q%};B~9bAM(tcOOr~p2?Z<1qOB$D1>AX>@
zNX$%}zc{1OqkpfnZ5S%dsN`bJHn0yOnSBCVt6!m?^oipkBf67HYZyht`?sZJ46csh
z&L0nqn{pZmNsxDOj9O;2XO@o2Y2P!yxMJabhlW66CpI}4p
zE&>|^W`Z1wK|K)7KfZ7R8wF+nFGVBR8Uza?ZIH^Yr?w*cN<#deaE&lT1XI_5wIA2B
z9I1(udS-gaki6lEC5|f7KqpL~-x#%)w&kKRYSqNcsA=gXj;N}2ct~z;4iguKx?p-}
z3_n0uG_~Hq4Nz`=u^`4cknW9^wWfgla=8cW8c_VM0a9qN6b$Gwc846q8cdJdOUJnb
z8wFJb42hmhwhAPyj}bGxI1@`n;5}$fK*GTGG}#`gC))$drSdQeZxEC}%>Ek$1Q}qL
zkhVl?6w$kgrx5~;pq5Bs4L=N3w!m+ph*1(x;;Fz9{7Vj}y>jdfi*pgowTK>g-1L%R
z4^0|5%wCca=X^Ri?>##$UF19|mZp-#`SyXIZSwm|3_3_&3
zk?k2HR*y}qfJr(V{a{C@E~7R*nKo;qd)nNoBUT@=vQL5(%A{d;fRnL_3@ZSCcTQP%
z)C?x1)EhFbs;Q$~HL2>XuB{WUPnsy8{EOJ*w3AjL86873=zw++uzdGmU&#&?6(Xuo
zGayw$WpVRz8b_){YTX=XXKwb`A|#_5GLVc$+Jjh^s){VSZ~E{}-QI%PdpeoKk`bAx
zA&_JyLOL8(4Qm$8kyu1GT1)bJzc(jGnv`3q<5)yLyJGG$TZX~R)|`0IeToy))K@7)
zzx@a`N*$s*lbo*v_LNA2h*Y5}5B6CXN~l@`UP)g)wkj!#QAEk|;u4Ep4tbz&&|>-`
z;8lo-TkQshY92o|{_$v8xHhFY@lL)^u&;r&ywdP$tcBCJA3|c~6BgTb)#GRI{faX20c$oSN>DL`b-JF#w;nQ!mgE&!#pUZU=j$
zvWFNis5N-shU_@0U3~@)b_ci({MP$rRMZzLS%h9IKWi0yImsQ)$7o1qQK+pthe6yWWPcYY#P_md1S{s4FGkMua~$7=9NJN#;hL;Zb&&+ri*
zb{G80e;m!P0`5fA?htZbyc7t_gHpY;LlQ0t?}{+U4t?<@yDMBeC0r^EpAr!PutP3E
z2fGuV@t?S6-y7`Cp?z<(vPa>Y{zLcPkT|f^`wtUB17=75--t3^o66GYM?6-vI7L
zy^?}nf#CNuq&*j~cQak6f7;0T8a`qfplkEHG7hhWyk@%C3%)V+^0s`e
zNKHnQsk$!R1Eg?2v+wt@aItTFfx0fs?6E5)k_L?|CR!gOxrN#1+XiQH>zk?UKjA-+
z+%*dp;QBM4(Hwj!yOa8r>}O2GJQJz~`v{#8=ph!t`Pd6Ce%UV%I@v*se0-W4ZAk#9
z?d9XW(u=g&4$eBt$9rfb1gUXmB3^tWq2HREJF(0LV7%`ZQl`rP1N=xh7L~c2-#`1C
z;2G3@>GWnlgT^@}c&PX9+45WaUrMg%)HM7oEAFi9}o@gOXd-s?Zk?7=$-A^0f&`yw%dJsO0?(QEzq
zTng1J2$Kp0{@V~k
zei?HfuY5xI9N`yKl~
z!kqL?{u3mYYepZ8>GhuwMI)Fi0AuH~2mD!RYNkMy?>wLGFuU7-qyGi8*7`>f6q0SDe@c$W)ZDCAb
z|6q3^*l`3?^|cAR(|-?|-_eNa>mTe<|8X=|Q$kH&8?*oP@4|bU%x6K^FZ3|f&k=4)p1bYj?a)Na>(G&cs%yak@IhgJsJ%K$zV0nZ4C6gb7U5CmzM#?A%!bTz3T?AGb
zgf%1BdEvJRRuqIyL9`qsv=oP=8{xl`z)JhUxV$C7@%lX7DNqpl%7%cI_a7r9Z$+@a
zXV|&^5B+%UT*FS`+K%k$y^Z<@j)8_PE|8*$MT?ty`$hII>^U$+n<#w@&wfUFskWZtK<9tuE?|>-1!uAozN-SH^9WJ<$IL&)b@x2Du5<1(^WIUamrE=wYHEuZlMfUO4&+?Uu
zUw`OXE*-%y95PscpcCvPQ?V
zt=vHt!0Y_}JXOdsPaixQXz=#2Tyt}2L-|St_!>sK*pbN8IMh+t9Y=wj<16(J`-W1d
zQ^Lh#Srd4vatIuKZR5rCJ|VTMc^t`K5fs@ENTUb_-;b|>If8z44B0k(_Qn?p{foG~
zC*YF7`LItOlutwQJuVDmaK5hNgv+ymfr${}tXp?cxgmLnt*HwSlJD
z_o#O{ddr9A@x4#%=Lg3FC2S2I8hlJwTuxL!9$NxTen9N87&9e+-T4HN@LWz|hv^+g
z9rZ|wuM8fk7hD++AVeRG$S?%(=r0gf?PTB67&tW1-~d?FA5WmYgaI_9y-pg^0$4nM
zBbD*(F%lfTZ=QiiLh?uUwUwo>u>zS}Pm|2~T-No}qy5Sb%oAKzzP+NwBxn0koHGl=
z%ak~4+YWjm$y?Ho=k5T{?>@Vin^->0^gRt%3j%4c(68@fvK=LRJ?1-4c1;80}3jbPo?ao{H7aX7vpI40m0BRDSo
z1h&C5gK@YAj4wR*@i+?3V;twu%*SDP@C5Z`Nd9o5bN7ub*3IV|ehTN~@(iPY5b!Yv
zL;APK0r0&1%xX}{&8`ov2k~w$UFi6;py7vu5@RNR$o^?H=#iR~{EYlP`@wpUFNpwx
zkbFE}Y+SyeXzOL)=koT6w=Y!XygtWo3J~(EWpiJV0bp(j-lSxEke+_=E912H>z7UW}{q+SRlmhw!5lVkV
zUx15veSyfN0r|p06bANjoGGX>V3~yTVWnX=kx5sO`~7r=iV&3{Ad{{v_fbPm8q2=P
z>lc@k`--4QLLGp;`zQ-EeFDj#fwRZ5rSPNrtLP4axsAgS&>c8"bt0}@AlIHaMn
zC`1(T7&y%VOCplpci~keiLRQi0pxR8Pa;V)NcIDJh}s|x$GJGI0ZAc=0%zO0
z3rV4Ya^F2b?$=U#OW5jw9(GxItq2MsURe4-be|AH0`t)lUpIBO^~$<~d}!T)6GI%5
zQg{@Lq5npA;3N@;Mh*^ONi-NwKo(g-g;9U)0ZSu-rT2}eku(a$AqmJMOHd&7S01>0
z>##%`qJLAIOgeHDj0?;HV_|#ckosh(TzZlH(@`+x|8e&wfKe6M{_w54ba%Gy^qzF5
zlU|Z^_N}w;3keYRecuBpiy)vVF1Ue!2q>T|g2V+CfrLT8WmG`i9T8+)#!+V&*BLi(
zoFJrcf3@6u``%7B!8h;Cd;f17P4cU%Q>RXys&lGtRUJ5sh<3?;cszZB$p*scv{z}D
zzU9x5qCvCt2md)-8k?ma<)eVo7IgDJ5&|-t^ak(36a=Hxg9c!fG`{5tiJ(oQKjj-S
ziQsyyHN+-`(D?K`p&{8MhUdp%60)^fPai-p^8uK0VaO#50c=R1goF6cX8BL{s4
z!M^qCJ0xUjMKh&_z5}vQz4-tN-=SG>9k7Aw%?CiXaMd1M#btZ|t7M;u0lowZg7yg-
z;i^@iFew9j^CQG5Pw7Vx`-F)=KLV|mf;2+yQ<`9(lwJffP`ErF_yQTI-{M1nYEtsg
z*gh%CmGtx>X2U^sNU%_-*z1g%eHbm2Lg&en5I>+9y8$wv;WB;zGEu~co(GqqA~Q<+{7smMV3a~>
z^sq@k_z8)iO*-nIg(=8vQcoX1FY^K52tGBQo{Bd*LVY|vGDxMwBK?lv0Uf*;gJ_Q)
z^4~w6UTBU()+nOypcj3IHmHrFE%G0M1+B^07De_Q^rG*8iUv*5AN=QWY0(s2q5sfE
zMuTXJu>Y_S4F+tCdbRz?e?TN8TSR|`+y_WOwqCou?FW8n`;)N?F0*}toEa6Aw6K2|
z9mj9G3ycG!M6;!f=3ie0^6AknR5-h@RuQ)W+b$K03X5I?G+rtO6|RC#1GHej#b=8#GoCfi-;|24;c?CsTee5K`#LrvBN-3>{nP@ukaCsS*MtMe!yFGJ#2kR
zh^;S1%YD3_y1bo7_JDa+gzW}mgBrrxpvR7aHY~C`{Vx}>e;Kaa
z7Y$>Bp5^x*1v6D;>7os~G@^+8!j%K$<-*&bll&{BXwU{7zVtXQE!d#YeNg4R_9g!@
zDKE1@8!!Eg2?TA>80ZeX5C(1~lJkbQR4S3YrqBMt+I
zDRPRI2zd<8*qqQ3g<0==g|gz9<)X;cfW@z2-c|Qo`FO|?l>SCGGp|lUyq51
zE2A)b22mk&1m^(}3Yw(-{zgnkzCOCV?S~^0*?#(^aJHWb+Wvj`lMrCRc+n>LS3~Q^
zvh>uDy#uA+pzq-~Fy%qNA;Nd8%lHoTQo(mne8=j=cL6ohqz{H?M=5se1~R*
z>wt_>sNF9KvHQo+k{|oZk!}8?Q8u*LA0h0@K+~0CKx_Rh=DvZK^B3?u8)HCa1%CmV
zFLN9!TR@Kze7Z>c40`!K0|WX9hKyB_eFhpN5qoy!J_D#0_8IVcEX3YN_8CNTDEnL?
z+QiG)dt~UK1-64>K`VEd-8sBBd$05ph-Ev>Tus(gSL`PcV+Q>MV#h*kzI;DH`7PoY
z`4oX|7doR7PzQ=tbA&T0`1`W|bfBHiAORrr3aRF+nKjsN~{J|6|**md;Z(VGO+UVN|dSNci1hWQJkMN#DL0?^V=vIXcq
z19eoq&*1OkZ|1)Zpz}ztUiQ36xN|9C&aZ?$=Mv^TOwV&O6zD!q?+Kh@I)xaMW#MAM
z@o$J{)N%$imM4g()N%(lmWij->?w9~NDcmi>q2)(*hAJx&&fpBeoO)*!imahXqqXSO#
z`W>G0yZ3VEsdAwm_$)GPh8LB#mZSIb+Ibu34}|jEdA0t&bpRE{Wv6lH13!?mj7u#(
zx8_p241Cff=)J*HSOCBXK$B|wdME@Pk^%C0FSWusV>O&JTw=YrJo3p2>qwNCjn#;a
z6R$&ZZ{hd*1YXvxAheV5U#d8@{y>L8gWmH)?Csr)Dk6-6OZUUNj>5XoeIi^-9xc>o
z6lxLbyUXOUAJUo)`si0*m+_y1>$vp>p*1QmYzY??^}9~7MW~{O9wPk<
zT}Drm+P{ZRE7E0TaEH-dX0UTKy3LHrsn~l1+hMs_Nzcex?3w;OR;Rw}>&y(TkIUW(
zXq^FYb{h)d()}*GjQ^S_9a}zrcDjA#e6jeIhJk0*bK$|F#NM9g}>HDgX^g2cQm`Ox-
z^k_+zg#OQn@Wzc$s`#Al?7$K7_E7gQ^0tuwYWNeM+YLNLiFvjQc`C{KLjFBr@*E*=
z5cNWb&Nciu8H;8M7
zNcc-2gF^2GU>y3L8XVJ|fnyh43?kQETv(}ri`mf`m!yqLitAvWc+Zm)Gtd9jJWZba
zG+hAW`@Io9VJ=i*)d&pbBZV$~9QR20M{*p_=OX?m1wKu}|19E&A4v~9
zL=Qsw(o{<2K2y*O;(t-#O%i@KLj7MT>bFbvKOe4snVud{wEqLC9Mn6Q5~7zHR*^mu
zc`1tW5?yXrc)jJ?6}Z$tkWN~Fr&)6@u3a_|14se<$H}fmj*+(-K}G;ISVCC~p`<{o~LeC%=kX-0;Na_|tj$Z+K}{{QM%M#
z50Ph&`cF&g6(Q-iko5Wx`gBNoV=whLgwV(Hof^Fj!1&SF^9f^*;L#!u$CfZA`9!%K
zX&u0CR0Y1HC{;JMH5{=uOhpjK{Y3C*nSOX~{}$rELOL9kK;gHz;gCU3r=fqPiPp?)
z9Ubq{U!v;@fuDC2(G}f)%klrZKCU?R9r|;&kapA0`^KjGyXgJ=f|LC04?!FMk=@1Z
z{s7n2PEqVByl-KKYfvgpyb$h66y9&}l!$l1@ncFJm!5uUz^od3a{bJ{{J9U-+UD4p!ueHLMgk7Lqyi*A|CJo)&IzFz~{FyZ}
z+$rH5U|U%HfC4X(@Z(?`oX>&u?gfhOTa*G+CQ;&tG!Q2@v0Y*@ruzRZ&CxG9SOyjNVHU-yOmic%|1x2%G8T!6c)M+cIQt(1U`Q
zZ7*}eHL4u3lH$0kV(sAI(;}Gn8{Zjm6*55I4;zhJFn)VeDltNvVvJF!G1@rxP;5M6
zao9Z-cNZ23uZzH@)K;#~aDu+m0KEk_$n7jbcIj=6Aquuk{eMud1Nn!r9>q{2AxF}h
z+K9qAN4R`?MGw6&*U2{!#tk{UEiTM8)tn7qKQj7?UVXufcDz{sb?uC6WAc04XuU0N
z>2Xo)5g&k&#vu1N9t%-|FO?v}OCUPa&0y^z_!zDJBPF~iUY=*ITwHRy@Q;N2X!+Tstx)fV+%qt}ZJ
z!?YdRnL?~W?p4DZJ4F@pa|
zE?c}FBKV)>d`f-lA$=|5cZRahxn1G=kZY&Nx$1WQA>8gXnQSB7u9pj)-x2nDJwGMb
z7h!MLe*o7+&p?}H!)qcHzAIk_#|EDa9_9jLoYNiqu8T(xijV@|Gp%{JgLoVWU`ng;U4HCxM8o#^qt=>
z*9DbX)CK-UIZhph3tn|7udA*{v2jgES_53f)G&
zW1QeSet~_*0nn%DkH>;m*u%nmfdX!q@aGkHiG&{qPhmSZfWMjRkKZ~Y_^V)$EPs&x
z0R^3A3Eu~{25~&UYK8UaQ_`H#hUw@8KCct!J^bzknfIiB$nzFxZ6AEef;?LRWryBn
zoP+nQbSg57#=%+izeKACUk4Ch5?&(V$H5Z8A6SL!5OC-ZES2StmhvAK>F`_S`BfG`
z-t%TKuO~%ZuBQrIrl$&A&{KXo!tuJ6;B`b#k^aK`rzKpbzY1KYzY4rD0{sSoekJaM
z6Jj4odacEDPDuHy_+~*4i{x^E>+aD+4j32P#`Rqpa!}tt#d;Kq*Z5~+{Id|emf-v_gk!zZ3*-K;
z82=Z}e_FyT2=4ze1g{t9e;9%{Mxft7=mgw2{|O1N6zUCx;8lF-Z`ZTS>A>angKCF%
zr&87*MtTv(ErFky-MC+k#O|PYNst!A={I2h1ksy8F`>nm>T#e8`i<(Pzq`KlstQKK
zFb=!EEURK{RWgX9>18L@w8m*OhGtmoT35ft!WjY~r-xaB2!f&V^X9=(~Hhudiq>~w-;M-dKvO&300i^3&f^Ctwth0dl5
zZG&+0zAwm+=Vu#>@<;JMgSfi%A_G{TSeEq-pO~HJDz(~ew8d`m-vv$NBW5f3)tTsj
zqRbkb?UC%U@xm>c(a7>1398EFXtE9%LH+6OOC_!bAmX}Fh5~BW-{+>r^I$E
z-f(`E+J)N<$1MxUxi{f$b@Hydo(0_pwr>YR~{a-NNBhLC>?ca(cu!e_CmVjrrGiR%=P
zzPJpivVq%+_F~|lI3Ol@v#tz1J*qnPy^0@@QlDO*!nZK&_ir0)X1xX+&^xr+WIcFV
zV=&wB?OA4bc|-TxRaH#6tKQx{p4&}p47%=5oqbZ%nw^YGXTV1v{ewCLZfSS(vR#-A4UoeV
z_>+`Y-c{)du_$6jCm)`sFZNMLI_|;78yefIhoi{$C3|fQ?qiWvoEj|c>SE&n*g)Xod+|hR?xLn;M
z6mJGQ9O=j;ocmGmZBurLY+;JTPre&T+HZhEMk;bd)pgxV>_Abw
zgN{q8mhTniFFYm#xqzKl6PbTgo34Pb)L=HhA5~rw@(248abV4te!=m_iO%-DC7j&e
z>IX2To$=Kv-A1n29LecFX;YZ^J
zRw{u(gPG)=Gu8N9eb&RJoB2G0Eug_dqP(cvM4tL=%}kE6;KwDt7>U;0kH)-8eJYiX
zSk>X$&O4C$t$Pr&LqYMI)hU#TzkQCLAc1u52CNhf*<8YL2P<&_jvh)ZnL9
zIb0ZqB>u8f3nU^yllC`CpGK;URb(z$QE=T(>G^E%^U<92NAtzX(s%djh?|{W(9y_z
zNdN)o=8P-}Sg6R`2%{29ZRobt;NXAvRq<7}hx?-$ndTi|;6wFZ{%G+gSuU0;u`^cH
zVb5Rg_ifrJdbOhXvp?1FPP^Jb%ed30?h5qMqo~J7!h8~p3glwwRt(~!>V%3;*dag&
zkO-2L1sU_i4tun3_mAKG4;l+f_6490{XRJQmrgoG+SJ;$`#hRZ|Muy0sUdTqBE5ys
z9QTi+(cfsadAIgtao-XTjOTQV@1eSq0|-35|H3^7e;8=-hy*CwK1JQStHSltHsT`O
zTsRX|Kkq+GCmmNpn_h#c?*me=eWd+Yy^fI!^4JiVa`q5s6?24tUsXc1>)z<_C-sb;gQQCNOV>2i
z^<(-pOsn%po^-Y4M={2(0>dGo~2X3JF*j8Y5?a6?kTD9|8eZZ
z3*z`Bj631z3J}5l%~>N)T)u-EYb>J5jE!$X??>HFX4XMNr?W$CjKai8dmlke*8oXe
zmgNq+P6{6*@0T9iYc5&dT%_k^*2(4K_U=1iEPy=p0AfdphFA-(K8)wq@JB9(%7+D(
z9bLk0UO{^ZcWy;J3@N3pKR1`*&mTv5eZILkPSt$?gsU1Le(xB$2`<|5AhF=lW*qI
z>D^)tkR6a`>aqEnrN2IRF{+Zqum8|?>C|omC*IMBt|~PLn&@Ocl|V<|Vau$Lfwu&q
zSis)2>0RsJ&U;y)FZXaV&NQzeysBon7H(t7_uAZjc<iJ$
zI)_#ZYHS=}MURIp$RB2lX$KA)go7Yd+(RP+N`Sx5Q{7IZd<)b5p(mi;XP7O%HF?@U1whCpNH;K4
zwgr3YfuVV6DE0m)Q!tRbcetC^?HdMNi-_le>*N&r$_>9M*wf_Wn@&G;sXDWRvtW
z2*sLgV0JK#J1og^-K@?@ay%)j)U`H_@`vb$H3@FN>p1M60Op9AGy<1;%r9Mu!;Jbu#Z{i0hN?InnP~AmccK)rYy%dBNLUdQ)
z*aSW1KKn_em1d|m$!D+~>Z$UB2Q&AbTQ
zM%_A4xh>b9d>D1Jo2N7HU#Q+r=i
z0N7DehMiizkf*Ykp|?N{Zw>H@nmAmRkfiQ(Q27Qxcd7>E6$i8OlMV@Xxa*0=rfMOL`KAVHn*oNFpekgXvlg5A|lvA1_Gyq
zAgLkGOywRsK|3D(ids0SeI)zON<@XNPN7jLQ2*fjtSzV|(RyI9c!|#P(PwU#qwrtO
z4GINYun2N<@+OCj2@BhvYa&u32eCo)irhx_{$apkd-Pt@%}YAiFQcG)pA^HjP^tiP
zGQP&pku(kcl`Z2~iLEiH9&g<-`W*YZW}lmg;uXfXgGe(2J$6^CzwQn`)>L0UY^d(A
z4>==Oq)IuoVg_$1E(|5}S)fnbgAPgy2>R_iQcS<6H6I%VOiW*I{d$w!0#`G{veWEy
zy|~C$?kbF^eQgUgZ`Qk
z!(S>$G5MMT{g}VBM^OgE8d~J}1Rw5QBjS!MMIDY%`rt|Oz{2Zu@~6Iy>x4&L0f4`_
zXi9)sMW=LO!KkIj`?RVa^2#7o@405W%th6DQUX(SI-kn8!EbgG*huM-nE&+jwsZNJ
z@+Z*fe$owdu(kCI@9%}u6JWS5ssefwNHGqM2n8q#koT`s@xq1NuTIx7%iV$#_E9S(
zpMQbEMR;wI9up8g>aqnNRS`ZS{!j>(bYI7J<2;Mkhnwb(bW;VNQvd}_s`F*}i)iGT
zXMV4)P3AP3D!(7R&^6HaPvAVRfV$Y+L8nFIW;w$u1jld|eQmiVCUgR^^=CmY+$7ob
zZrFjHrnZ9V#9Qg9(rxcB4!;7<_d6Wan5TZ)|gxs&Oa7y6-q(klzf
zC;cBX=-*v703}~H?6K%oNO
zv@(Sirz9&Bt!F6nIV^cOx}
z=npjq<7X7gx4PG#9}8S?PN!tAjU##OFuQJr8)9C`5g$Ktdb=ioUO|Q{ROPa=UnOzd
zYjx~;-`O;lga|oZtFT^50SkpPm3&-0u2TJx-yYIexK82fDkT#IG1uXp2%c7@<}7T(
zS1ii8LY@oc9%X*CNlP4&bx2YtE#JtT%KVyZpkSs+tSpe#NvfZm3LPu_juBqpL1hg8
z(t&kV7F#sJg_T#!84$m7lg$=!&b1{KHu#APXsF)OA%PS-HRAd6Wj&~}AOjdd<-WKL
z+L!AQ8p(Sa(+@+;H`w5-)a!S|x8hLJsCY0>s40+Sw-R6HP^Z^W17V$4!Y?lF;rM6s
z+-iepMTo$0mk$#@_{lpeEu`(6N8gt!;*Jny?L}jSlVzJvNHg)ch
zh^sQxQbT{#`l*cDP}W&u^7u0QF?ipVWTA=kY`0Tw)cyTZd(RVW
zGfC1lvtq#FcPw%%PMs^Ci50S08InReSpqn-O~Gi#|Ak;e6sE)S?0ZeTOTOweqa2)I
z4L|YtFC4o8Z(i)B2eg4%9wiKY@%x{Hv?t?CU$PiG<_;=HWaK8w9oy*}>=^taEUe-$
z7$miL24<#Z^rq?M6#v2b;-`nd9#DOVw@YY%dwckO9o&%vm`#7TqF>bGVUNq~K+|to
zExqpRjtY%?1$E8}uPFLo1UG6=Y%!ZogyD4^qd!J#x4*{MevkI@!EW{?Tw3Jx-SSin
z+>r0YM6{&ujX;5`9)2!pDyA{bp?Q8vdIMdmAsMJ*yyXYxiF%Y?XJYSdutI<_2av9{
z$e!ciLE&gmqsKxtMSE1wVDa1O4kEu!hXm;2tL^PQI6(fvgEnZsWict)TW@(9g-@KD~$u|ZB-NkxSC!9k|e@LnSWV9pBA
zuaHg-RGHel7F5RtLhSLc%G@Pbn;Y2;or&h2>C=jV>RLxaR_*@T%=F%2bP`AOlScF2
z$Y1!M;I@uhW-?ms+1Epl8)xT3@I?%IsB2I(!2Q3`{%TaV))tf+czE22VMPZ)71o~g
z7|@2t07Ouh6X{jiTgQ^Q54NriAC
zRVhZ8V9d`)s_bf1pRav!qZ8G=>GWpHiaJ`Xxc2l*X@|RW64Gdow|@!AQ5f+B-xyY;f&|z+UqlATOcG|R
zPqrI+N%@vsXS~62eeEYWmY7c?YkW~lk#|XB3Xku~aDVgH^^VyHD7Z#-+MEm?je?lA
z3>MjG9o87>5Z)yezZ1DFgWjrVDdq?flbE9Mba?4PN?hQmaZ565NcPV1Ea>dlSrFO~
z=Pgzcb&+Nq8fen?pC3#D%FaC%vLrvN98mQChk?+;&v^K@Ofx0-zZ&2?s63Di5YFTb
z=gRr?H8MtfI|DwHw_>YnlDA^tbvwI>?brs^=|ti1$8q?$qce?a`uL+5Kk6p#*B1SyBFXr*
z+E=kxFw{9?k^M|5J1T*0H2*Qh*stHmv|^*EvUJjH6u^|}zD_%3{JI*cHSQ>VdjEB^
z?{#uG@IOwFqpsAqKe0Ff@{{WgLG+CZB~{tRqLs|2_^Xr>F;5ZEX{iVv&cytVm{Tp4!33j>9o&3EM`qs+Nf7Xc3p*H`
zupMN_{aY9ftdtsn_pu~;9rw$#M8=v8^m71RNCoT(FC=hJwi1vd>WvA8zI6CKr<}68
z$!#nTA4b`MJ3J!5H(0`LULAlcumt|)bg++~H?ZMg&!9_*k4J!X^nlmRc2ROXmq}XHlir;s@Rdx~g$IfV&cFkSIdYzSr
zY0yI0B8yifkK{z(gvUM%5-insrMz8A>8lR?c6sgV#E5>K3GZ12Da5#gjeh+C?^y(i
ziqDMUFFI!EChjsoj$WE^?E(Q0|H(3t$u6ZLh4EB`d^^%WsnxF3{uDOl>XHZXbk>LP
zJL(L%)MDo-l`)VS9=Ru@&=axOkX73+cP2bdFjVNj(S8)8SQxpIP}#7*At-RIZF>?GUT5hWkY7FnqU^y3hfevaQr!P0fQ4Ovw^E6+vdU&`b4R?d1+rgdRB6?Y!>ete1=Zkz+
z`(^81_q|yxKJU$G@)2_Tap=a&L^+Caf6r&Us094mE&keDZu>!}H8=hSdKvRG9@V@I
z@1ZKmphAD>MGJ@$L>fQ%y~EQdDLMhZCwU{i+0QE)nP&Cnh5Xuwa206YT^^cT2a_h)AJ
zc}cSg%jQ!^0zq-`Srcs&%W=iy)B!=kRW%h%SV=(%_Q(G~T$2B9iUA~N
z)c;KpEKr#h`XQqIf&1$|FG|UwR4P0`*)OpX>1;(LRr08-_%Y$$T3ev=Ulsw>lDvvN
zbDD@NW(q}n*;cHZ%dW%1qydMB3jAUhx%I1n^EBu-ST0KSFBu`o3SAwRU%zj)YWyUP
z>mAlFwo;c&dBIs^x&XPn%)jgSIi*Fb>m6umJW%H(ev#mM7XMF-onpR;HGq@lMlS%VK;$Ht7y%H$>;9`4pkPSCL+G0aE(9XYI8=
zK1ozR7?S-`RRz+kuu7~)(R~mMM7U{`cUm-~_{)<@TOHyC^Uhu<8#2HfwI1x#QEwG19&YCAkyk1u}s#!tXJ@z-IJONT5_FTSBf2l$BGs&Vjp3fT()~sPf
z-WXLIDaLaleh@H0<{b(GBCe2jDe`DR-4lh+^ZV>8tv|NS;H{RpZ?*0yNTa`r|Apx|
z?8B_}S9%mQ6?KdK4c=cvA-q$eyEIS*P+CT{3nvc^J10LtHYXD_mM}w=KDiHe=^g0o
zjDT@1AN}q5Ln(PIe7!a^nlbPS`>E%N{y%?b803&}E%v`#ET)rx%GhxIH1V?)s7Cl@`EpJB>vaCZ7?K0zxW{#lGUL%DGs|X8LM!^Lq%KaGMXXbyioI(7U{rVA
z`*7C3emK)WP%I@>dYNMEp3nlHr2u#7{GHDRQ@;G3U9G(y+@af7Dxp`2|7b5u{1Yym
zM?zjMB{XAstPFXIb)iPEghA?+gJ}B?XFkwHsKv*ZtmxM(662{2g8$3qcZ>I-k`q0^
z^%<`-VquGmhKACX#mPVBMcxz(`XuK)*7cV>t41pj|N7&lnFJf&GstY~evRfrJGu>?
zGRRC;GcS$#Nh${V5{5xq;pq46gUVB5$gpDoC;|h_lX?c0HjiFMsC-aFzWt8~08s8Q
z>!IhMd4(msjzbzCgVO_Vn#=-Bp{e>kWIanEg+9^Vw|yYcZSQLY!|h(vL%2>24(>S2&q!
zyaS-qThrrionWOTXQf|TuQBVf^tp4x+)&6Gx92*+mfS@PiK5#3a0PFd=eT|@M#`EvYvnKZcbW-}b~@5>Oazp4YD~P{;!K
z5o9cX6ZKTT+OAdA!9RW`8^NYs-N2`swSHP|@h~kTFT*l4i#wYGxgz9mFC-YpygpDD
z3P6D0nzd}Ilc?xd$u!h6a!HR-Iu&n@j70S5ZT*Yvp{gtPuEu=yCo)Lh#?ID0CMs@z
zk)||b!HThgfZqImdTfI1VlwDrviG8^@72zT$GQfoc{$s*zU1U-QZ{0i8!p9y6PHI%
zog%W63TNs|)>-+8O!y=R!3ny5O8?oIf{los{bW7fOp2}=mo3{xu-#IA3rlE+ly$@H
zY27Ueo>mzvFJ@<3=D)Gdfkv~ADU5>#^+mPS@zNIa(uWKURo>>UB3UD$WonuMi(ivW
zlW~iKiN8x9bLLw-WdIDCo1igd!ZIN=#SUTg5(z%l{Zp6Y$s@-_)Pl%~VJoMdy0Bj}F#B&7;Qh$&=9(FU1o%rX_tI_GRnn@5e&*0YRnH(J$=?
z>angZTjvVn^p2XS;|>hQip4AEbaanDX#zxX$5~;;8bvCk3j|_x1WF@X%oYx)Sx)hC
zejlD643-O7V)X)Noxig`99c&0kst?^(f;ngDH}5}8)nkWtOw#6UqpVKZoU_o~h^owiE;r`h1j*r0
zV^GAdm{SM&A@+3pPVlbCC@5KmmAn*ODmi9rUP--W999|^EPov-w%L>GKetQXzlbhL
zT#u2GWvvI?y?eOEQ|9>WFC2lZa&96o$c0z49vA9WPZh^eCYuvz++1Fv-DEXH+a7v>BpRn`9H!2A1d
zwzIRfm%le`FZWl#g#|zWsd4q!^q}
zh)=#>vs7vlacMLm2H0cr4x7BsX=I%=5B-}U(3F$0-soQCgc^>SVEVD~%UJdN&8Bh7
z2;26Wua;D1Bs&@}O_6v^l3Lp;)}MU|3kj~UZa`HI?2F7+L5{y
zgTI8MghY3AW^N20g{dD8oA_WM>z>-f%3VUWKw!;ik#lfhP&kUfhGi&g&Kgmm=~+5s
zR0>s_l*`H2SQ@s;i
zdoK`U`3{^04uF7Fp(g4k9kwy+LGLYiH)hP22D88LEi0vLM?AX=qmzTHFw&cgl0yzsWNa~D5n(flQ&_byc=ca
z|J9$ixbwHI=WE8Pi)%U#wdN?YWX06!Mh}VCNf^QZ9JFoLvKSKgNO%?!+%699Pr)mm
z4l6K}ebJXkO`8XTp^Iw>#;sd#@m{BBK1}{>TC+37lJArLsT-PVbQf8J<>u5K&3ZN?
z)?O-d(0L{`!Kn0@@OH?W?Q1SC;|owRU3XthPCp~m-8lHdlkEQWRE1p7uVS^QFuKIpD(fIgorg31mZ_H~#U@N;$^gIs=u
zD9RKhWgh1U^(kWsE2NCe(WJ&qGU4sN&6q4ZRWgnCfyXmUCol6vYr0$qj3JqC!<=B7
zg?$<#lryl4>$>9q9i(AJEuxc2VH~m*RzK5!
z;s5(H&JN~YqVoDm2gJpmT7KTU-t8SP1m4Egg%e83xx)7z#>&s}K4MW6q}&ESG$)}(
ztKY?iAY|5|X6q?bM9n{=Q(R>$6`G{F)~I7Ewz^=gq!~na?+8JhEo^f=Z|&V=eDf!W
z1#sZ+(so;6Z_y}wIZoDdoslzJJ_;w{2x`Ns_=z(-|BEax`GI5p0&wVd5_JL+t`EmK
z016y#K!jQELT1>$+ALj08;3mV%bmz8a3o(Q#_uW)?Fry|6*Wr_LV{P6J@|Qk_3qut
z$Q}uF8;vD-L`NO~#}##nOWc{(9{Uyv{Xg_|*RTAy93PO@ad;M$k8|utEZ7Zn0pU-i
zx*!P4stHA;UYj>kBVQ$WgYVnS6hr}rG@isl(0NXl{m+WBo-n=7qvW1l!lhKu4$;B@
zk$eEe(SNEuNI{%kW$582vvSabC#n$^0RB*j;owRU7;&dK*t)`mnjprKlZTTSdq6Hr
zij`D$JOxzq6FLAN+f2{QZ!@se{tou*EX(^=hl?N&rY<
z1waLoMn4*(*ycdL*5Qdgqw&o72L6<${|Q`{>>;F>aZuWiTd2lV`Jn$#k+O*BTln+n
z4w>0X~!{f}j5n!@x`
z4#J#9VRFgGlQu(!`fI{?JxEiw{sDRTw5SV@R?{8de>
z^S3t(gMsV?(yo>eyn&=FEURRJ<%Hzh5y`=Ni7SJH_RDS$vn$6XK#}&`0_LxAN88uk^)^zfH=odc
zr=YtA_FJ16%V#y1V)4h_>bZ95>N#`8y=ZDK+1ERQSL9l+i?t2oW%lj*l-hGO9DrpW
zb?UdB)0tt7&Y7apNN8&LQ}4^Rxpo1J2rp2g$?*P=ph&l3ntL{GV}_
zk_lps=WV+|;~wXwUL%r&TRsglI+o}^yWDZU4f8}A;M)11e13%oq5R<*KW6_9LO!g)
zx~@d)l*xBN+xuJ<#_bwo-@<`ubcg_$y$-539uZWM@I4UH4qro~SK!j3W5h1mu((;?
z+z#_O?qT%ULS^q)ai@}sVFRF$j-RTN*K+!7KaOWR!C3BZmm>8nCH5IEYf-<)pI3@h
z;^)BkI5{0|cb2Zcy!BF&CM&_pPxIN)p73eAevjTRrRo&z!G-oWfmphz`D3q|W%hqG
zQ~}A?SJD-83Bh_m!A^{|dlsO>C^PiRfB-E}B4;j6N1vY_`hsIzW7T(Fnu
zRsZaP!ucgO%kdTdD!(IcqU|E*tJs$StcCfID<1#NQ2p=b9Tt{3(i)r|Pkp^DvCM@x
zTIop7VmBApj3^RAF}ddsS=XkqW;v(g{4Tnt@=lpI>k9fnH*m&cjN)11L|vT2C4poA
zh+dV*^gud>sdl^lNn(jx)>d~Bd1e3v`yg`H-8M(#RQ&$JO~}=%xj6t(yu2UVZaQYf
z{nMF&PU34F-1{f@1n%JlqZZy7r63E@?dr)w|DVOIvq$SxNC5xeE&E^o-tDK#ZVcWt
z;Bv(LB%P^shB=IEul)OE`Uv8EJgpJ|~V
zmIy)&{nEDUOnpLR4#bf+1VwagAHi}4KN#)~cetJx0)JvAOFBWbnY=Ksvbvp$$-WG;
ztSt@d(#Ws17po)1CXED*ImX`CRfMkgH?fy2l9Aq1-G?wFExJcq^jzTPMu)lojiKXIas7O=>kpW-DG
zoq_(xSYdax_?6zUeEr`J=uW3-eFg8*U$afE^ZhE}{Z$7mL$)<@R8ERebb2C}9m9@i
zQ+yoK>#fWqwsiA^oZasVV?tcar!sSAHPdV-=?S%1txlt1WK-ojtovFMml78|{en|h
zwYIoCW};Oj^_!-*JH7e>sru`8yS~EgRiVV0n(5og`s6tq7E#S&SoFRf+;*gQ#{+_P
zo@Jlt1#jZjgRbfsp3ZvfJ>={)$|zJzU96+~wB@hYb_k;
zIWD1)E*r$8i>FgzAS)4`GE(mGAIgzGiTVYS&>}8KG?Yc*=ny@fzbZEPO)}h$MO#ri`*z?nA_L59YFK&eJBW)Rc%Cf2-qvf9h;&bGW
z{>CXj9-XL|f_rOvjToV|M&b`SS
z!JK57YaOy~G_%iH+|kw9ZLmaJAnuhZYw_inE}8IW?N3ub&#q4LGaz9R#=}B%dP%5$
z4Z1TTKYyitJHE`Rfj~T8
z>LHh3!JI2kH!USK5=i$8U&BTMzx;{!1L+#??rUWW1M!IlRf;G8;TLO^6`V%}#O^!%a^>5FQ>aY@3c>b
za)e)-gOj3Bx@t_3XTxVv3`rd%8kl)jm$P>+_FQHtIwu9g`^ZoT*dZ{zzoSZN&dRu8?YFPYZZcoF
zZnDG1=GkMf;|;Oz%}(6;6$=XG2A7fBm}{y}8nBs-2sB(zYe(TuXLfnACOil%SRE=q
z>X^|4$=KC7TYiU3&Zntebk+0s@)At9;cyG+r%bQBw^?fCK0{))SEX55g>`q$)T{e5
zlotQnFyDB{;@_Oi_*|FO@frQz)yI$-j0-xIf5YO>JgdD@kIW5LW-^`W;dZ%weaQU=
zJF#vekj(YLQs`iw#x~VAl&QdrA9@rA0TR)YlQk-KswuM10IXfJn($|E@JRsU0v{#A
zMG7CehL>uHMzMXqQ<{8N!Q;H9xaI#mb+lS`Z1$rzkPxsSN5z
zr~Vjo7hQkN?!tM$$_H~qK=`GKBUGy*`A3z~73>%xERbSYz41@K_f^tCfY?}o(gf-m
zap2iI&h(Sv?lTFd=teIs8;y>3=AT_f*r3Gp
zME@1~yux@NlkPw5`|leaFo3yBn5HAP8}3vRi+3?Ju65f6g@k(=9uVx8fxmXZMr?Ic
zBV;G@tp+`whw3!KjTs);|2hAIpDIEN
z8Qf)b@5y6PWKGnpi!1`n=eyYa>qdK#lX`FDYWxjnQAu>T#pCpHAHgTkuknvG%&HbP
z`M1sXt69@j|Z@lK-EAGO6qv~lF3uj^zxc{gbk)r|gh
zU6pptEQj`q*g5%Od?Ko9KI`ap$S%c$t6VLStlAh~&r46vvv@Bg{|XlHQre8SVBF_H
z&jY0;Oi2v)&djNPMTyQS_DJ(gjN<>hWG&yRSQG->CJ9aA1M;cxNXs~^FqyAz}4{=KTy?r@9VlU
z$t7f$$~))a&ee82a=|T|2Sl?dA4Risk2gs2Shq+q?4B0@
zE>rM-jU~=c4)|VNwXeWdd@E(a2YM#{VEieO3I_m48>rCVWPDbj@;RcY?NXv$ALXx4
z03zO{e#^2BbN8kIWyJZ|z)5HI0%a6Ye8acy_I-C0CWAMpc?s8Fil3?;@Y9BlSGB5o
z%^&vD&7c3?Pji^DW9>UP_Es`8klh;u-lHJh?{ih-8xuk^Oxf12W#Uz+ufOkxJlqaT%^s9b(nOD{3_rX3&jl66H
zac&k{CH2E)XLfXOaCA2RhwWC+-2VPtkXKt36^f*^O?At^kt}tsKYm{YNqwQb#LtL&
zmsyN8#s1*lnr@44C@Os@W$E3=DPC9P6&vn(*sXja(#$?$%pQ(dQt5k)Z=^Bfe3rRE
zwNd_>A0WqMH%W(Q+k(n8V#O$bIWc`QG3ijR7ERkw(gR){lTg!Q`0AQ7sDetskpAdr
z@=ny=hVl^cF>CltskJtc2f>3Xg#3&4lu)d3^t_?{p6R;(d(CGJVXMOd)vSVLsmDfx
zQZTwFL=N5I%p9Hmg@#y@%u{ia={AlHT@I&ZtUYs5j=aZ@44w&t&5fY=_1i=8B4^nX
zned`Srb%LsfsE+SNNBT@(0q$15b>l`{X*Smyz|%6kMAI-_vnYSwWS&d-4_4fr?Mcp
z7x2B?+25ic=igp5jxEAcpRM$3k(ZnOhj{O~UakVFNw`~p5@+iE{F*pOE*%-ZN&TBT
zDoDb*CNd`0{R6iQag3{nB7oM`*}t80?F-ouC3L7?()yE`-|FyN#n;~is+O_D|LUp{
z#8#hbC($%;bClLFpFkM7rK_;{m9_c#Jx(Ij`aN$Lyx=~dbf!^l`G_fAdTv<9)v_}+
zl+S8|=YG7TCC@>$O?e*;3>GyZuyWl0POgXG$u(b29yB$LRvxv_SD??E*`6I1RBA}w
zljsAg#;jd5o#At`AuSG?&jS9P1IntCr4v3I-6XY>RED|5V4Rk(emNWaKyCRR6lZz_
zyOwbDHEnYy*u^ohU!6@yxZi20882D_3QQvOJ7C(9g+Lg>^VB3+U=-(}=k0mD@P>KW
z0O|F~8+;_kKvX2PJi~5R31j&^Ve8}k?Lyf-obgn||8lK~Z2Aj$IFH(88g+x&mGnV!
z<+ss6@oTojdSjXV!(to05{ER2JL{$-N4q46{h?QJqo&-^6+Hz=?VV}OCCL|uZ516N
zFE!TY+LK@?#TyZkpWamFz%kE3>(^M-a~RBXD}#>^NR6ZRss8-E*j9Xu@i{Ea3vAHE
zo-))WVyNaJp=F4s$fN(3udvQ|G8kK2$R0&iMLVjTZQo`wlsUVVGk-Ld)7{VaLb7;W
zT<97_)kRA;8h#5BHr-hvd{r>0HF5?L4&&^;taRUttA7M2`knij=p>>poy}2s
zRY*L2jcfi)>v}Vs(GFU!%k6nan+ip>wdM=xjsY9JN8cU&$#w1L?}w@xb+rOLH&14*
zgM@OkP-rwd1ufnKOsySr@mO)MO}zK&wq~Q2s={5L*|gq4R)kzr+#V>g3DhZJOzL@k
z?ZR^25thdym~#-yq-t5WNQie1@?}JacVBCMF5CR`IyYw#=fJwc4^PeskBY5%@;n_*
za~_H>{Ab|KrY|#Q(7ipDBkqFS2JwSE(RikdqM
z9EPu0gm?*Bx34>4ciSAFjni?X1JI4W(5AzIL&odgkKxpw?sZ~)U{idMQ+&>WWe#Y0
zRc+Lc%(F3S_rzj@?b&5p^=6sBXzU=jukx6!xeovXfHA-!0A%pKJN1?05zQy-kl>P`Hy>3@e1uDuLyb+QDp*Sc
z%@nv8y?gmBU8z}8@SgZLK$(p`p1B&=yeyzIU&t+e1AczGj5xJ5a~W^;Bz
zYDw_3*M@A-V&Z|gM(27x<*@ATfbKbWUCvh;SPKdx0+n3`c})0-By+YP?#BK2q_D)a
znfkD#Yud0|?yHoN>#+1ZbM%cVC*T~+lnxVRE6v<@cv=WU{q+DSv
zbt}RkR+4hUVJ(pFC#YLY-P2XFfNvXn+FC}o-?Ly)D#tWG5+=~c>5D@B&BmcpAryOD
zNi1ifQ^7#DnBcT{X4YL&enKri#?`s_>>kRt)cjwP@@-;|=9lWQ8l%#mHbpiI!a8{D
z^*BW`G?T`Nk%%$RE){RKt_sQqsu8MI@gpf3Ivfq(6HAon)k<(QWO?_HOug)!^16zD
zMTU#i-?XJCRJL8#N7%_A^^d1k?3ZI0xFe6{<}khbRC>@jp&S>#0?1QIgdFwkoX;97
zm8&@Gb#m5=Q;Bv>w%f=VZB)wSYNb36u8e8A(T*waTly)8^@!eHd%y4MTf8gjYW6jM
z3_I=4NAm8HD0UY8`^UC(L&+OeAJTiCUCA&iTdidwEp4%J5LvXG9@W96lk)GMl-mEp
z-g`hb*>(Ga3J8J}>757&sB{qNL`A>`h)RWy;`@HL&D^=)y)*yyUu)Kywa9*U_Vb+m9Cr38`*)g2#-Yeg;q{3u
zR10TKY}QvnNVA*MS<(0_0*CQ5lkFq#O>V{7Z%AxdBFOBnZlt=9wCl2I_s&76^Or(<
zAC88d?Sn{^*?f_Y({h|=Yo1;XdU-p~+f0goDCVKYzPEbcnZ?^@xrnbW*l4DNFmFY#
zoIP!`8kazkhLCex3kn7p`7+v~2DI7i#EywotD6IsdX?U^@ggyw7nsadt-5
z_nadFiPe7nuIPxDRZHEA9Gm_+)6CB|xRmc&@x|2ZaRM$r408={P_R@zYu%Tb@@zQA
z)B0EaE58D(3f~C>FAvZ)SKCZWv+y@!MHcZ3dIRznsRLub)gBgHE39+KsNpxtS;$y#
zoV{3=q!ZVi=T&DLBqt?wQS651q2STb-h`gMFV7!b1=lTD?=_EKloAV`KD(kG9i`ee
zU42+78h8G;`J-yTswhYCGE<$R%6y}NcnIOHSC?IaN~X^1
zH#UbCcddxkyxJ<~FbXufr5KQ8__J?A<&jzB`*NI?Oe`qF%3BPY6F`<91R#v8{x
zRM~ug{zC)%d+t-pS2^N2LWCOf8{+j=f5p_7ygNfeU6)S!3J*LC#apxGB?nv2rrikm
z_`~)2Txf~;Lw7-ArzD}Q>G{5IqcW+wXgn8(7Fb?gZKE
zP9^par&~9?iyY5+em~JF=RuLE&VnJZHtfB&u^^1ILkIL&Fsv5w_&Th>%J%jRa|fGN
z;@t-ijvtyUv%nN|R$|~7$^K@%JSks*LqOt~XecDl5|loSe_}$=|h@Qrl$%rtN&!fT&H+xqurI0&}Yi&w!vWrCsL3yr^pr!y$Xlu
zBEZVMVW$s=yk&Ap(`BxST7)9?q#cv;-`vjeU}b0+yisdKUBqBc9SLsGTG0||bw5Vc
zRlW?f@{$HkpEP{dc^E0h-xc}gbT^A(#FS(!$d1s)N(rfbVuL
zE~by&ALditXh=4C{pED}(#ebF_ICZ&QX0tP(3zQgoa6Vqiz5zz+FcVQN7w{y$;?K&L9110&PMWlE4-*|oyZ-g^p7un
zvJ|c<4jgZ{x~yiY*P_$_-X_ndnZ!9eY-{=iT&hY)E4^uIKKp&>n`q-Osd;I<4p^1f
zKA2`q(7yYSJoBw&fbGp%=uXjScp1E)-6Pce!;e>n?tWHHg-NR;aa-?}QfC6}@Z;qR
zK_}TL)Ak>$CP}t3BFN|QM#-)c#7ON-A!wIlLq}|D?0oY?yI+r=@mAh^1#@De!h>7@
zQPS+}uPE;`aW?t-HWzB-x-ZWr^Vzml({_Y|w2Epzr^>Cc%HVz-Bil#=m%9w~U*U-Z
z=JSO&eH^FdwSNWXQkSk$KQxVGymGmBK^fPn^SvGsqg|!s=<9V@M~MYROhe!AJ7vax
zRBwiiX*YO18g6LzzG>z>T~*Sy*uC9&_z*O*C6>pdmq#_nU8dD6E5ZXbcaQAY62@UY
zTU*5SFDzF?9Th&@U9cQ_cb9$mVc=S8$^D>QlPCG#eRfc*KlUOUs!g7l9orsh1Y-|Z
zTfznc_UA8D5Vm^fGp6%)+UKouTwj|juG<}HAbsS@S6@5oC;GxAv|i#W;o3L!hk_4J@>Ho22yBF<`GLP|ikp!>To6Pn|XuioMp4N(UQwk^kxR@4
zrx{3pH|k+B)M_O#>>jJZ^vE!S^=$-Q&V6!SD&|+a;oE$JPo><~odxaF7^q`gR?yR+
zQx^PR)GzJND5Og2$M5G#^}`&Wv-gZxZYVze_=_!8Y@msaRgX<5R=hFCUbH!|JN-z)
zxdF?7yIzx$E7PO3A)AGUVHo7f%v
z*%zmhiLtk{$_9Ot^g-V%?-i=MU(UW%6ns*j(@*f0<YS|RMX0sUm2pIyh0VMFA8
zwr{PKw&ojs#ifOAS-5JsFn(S<{a{b2o1sGe(H?eb4W@mL
zuJiMRvR`nlq2%`D>Nmd`r5Z#n-RAyC**yL0WzDaPSw}^1VLVMo7mqAH+dK%GfdVcl
z{bcPGTE{p`!}}o`GPd{v%Bu&{-cMpxFNVqD&%RS>ZmbOnvwZyZbC})&&jaDJ%$%#+
z!H)yFj_2I2T@-bDk>cwMsx^QG4D86s&9_g6zBVmPb4yA8;A`dZ+DSgA=#E?8PkBF#e|pJm{{5B5F|WGRaxQch3~^<5r(OZSmbx{S;Qd5ds^sYU@z8knXYMgN
zX)pvkpPbw~(HW6D%IjsWH;q=ElgIrjXn}{Bxcw==A}5sX6A%+<=;Z2$P1c04ERE}<
zm)3Z579h#l2Zp!r7B@-~WWzcz?=y0PDhZrYM$foX4PL*1OGFGM+*XfsGg`Q1puX_j
zQV75c07kl6F4vmt?klLT^s3~WMBMi2{W4PY^Pwy*@@?^v&xX%mvxjmXO>ju%y773;
zRS$djBuh@+`Bfv4bfft#ylKEK;n_5wsSkwQr<55}Q!X(z^~*MQ?yE|E_eW!5=k?Zv
z+$*I5ZF5LV(XLiQw)8JT$E`l``|;>f+1oYm
z`gcXWl#VW&Jd-0@LfNDEWS+8X%jlZsHPlXcy?uZB9ye{3S60#CrR$flA=p=cGf4;A
zRc(Hi{v~aeqSmhM-^E#Xudm(knsEA>?$FZzVYf4=+Sp$4of2*O;Rb9qA!`_wq{RnF
zF+hywLpnbDPPb-yDWdLJo$Y)9#YBaFoYI`E9s53B^_VNCq`i|X5bx(>8tCF_Vd3eb
z1p`9vF)uO8lTR735m=(N^npd!qPq{G%jJH#gen)KdPgsxGnB(a~QIDD+j}w9v+#R?wD6b&{|g_rpCs|4(B_!_rN?u|cFwVQLB`gr+|j
z4gP3*6mvaUs?BbPNkUpt{+&7I*!v)u`WYD%-_A$~wpCh7AMyT{g~gec!VY4|qdxhD
z*eF!*xd5237cRP3M
zjxQ7LgK~N4uGylko}6Bl;Rl;yK@YzhmxL7Ob44ZR-&I`dJ&7x#T%w6?_4R)J%7fR#
zME6^H!E313p5|}2_a3F~0}J}&C!W1j#a$>dP`E<@BJND_cMPe0$<{Ye0q2
z%GF9Mu}?yVFi_;JZvtbg0IJ_!cCe9m+=sn%hXanRoY|>ccV8uZW@8TVR$q52GZl;W
zNEno8+w7{asgfox9_Qmk4Xpg70T0?HIjB5@7^a$R?jk;X^MUO(knZ$xwL7DZU
z93zFc)Q5*kt5q)cS=NK+GJ+{W#W?neAQ5bS)$zu4h2u&0Z{Ih1Ig8dWW4Y`EZF`EK
z$S!0K63ADLl8=1j(6T#8iMc9p(^?nZVdY{gWjoa=b^FpuqsC16S*BS#PoJ5=D_7R*
ztuTGpuT_|0x_+psuF!EDBg-GZQM~XK(XY5pj(}obsXQw|`GxXz;@oqqcJz1#htx?hYIrJlZ-=WprbUc!I+hXC@}
zGJQ!K|EVf65p01?ep_?O=T7{l>2D6~ogcq&1$va{&^h&p%Bf^Y);QNaKApHjZa-5z
z6Lj6DTD^Nf=11>l**o)Njb~Vps;yPA)C^3ETIi(>VS*qfgqOZ|#0UeA;D7_S50m6`
z*Kbg0N2Gn%vSmE?bie6*dP_~G94BkvoaMipzju2uNw>Z#9ndHsAg#frlbm_Pv&s!mO1Zx0dm-6_?!Jyx#MusBun1!YnCAHhdyw
zPkS+LOV&aSbEsvx{=!TnCsC`#7OwnQg_UM0LC|PFTX9X6H|_n|e70vY1mj0lllV8K
zm(N?)T{<6OGntw)y~jZjJEhpp8bD-;Z-qzBcebZzAqw7hu~MqzUaYgwLNa(j;*l1Y
z@sG$hr*@1zBh^_YrrzPac3Naz-?_F5jhc7|h5M1Wyk?GNb`Kme*CFh@Rz?ZpZ3D$E
zw|9&hJ`Vj<>$X{Y>@!;{!-|X8#!u%Xxz`T1emPFv#5S}+;KQBbpZd$|VpzeNM_X(>
zdDP-Q8zGwweqMQOs?qFnFW{)Qc?+}N2|LiP=;@(bx}T1)gziA&I%f{TEF2s{$470d
zo^Zy9*;o!#oW581?vzqQC3_RaxR>DLANy!%jAq^)X%4)oDokz%a0$x4(t
za^%QS#)pY{-2ZmAqzjM1_7QQmFAT|%ufK{z{<{9Yh&#A`*u$Q7Jd5!x`w^zUQXC1+
zcEA7N{(anzY7zqB`2$?Fp3x*G@>Hhx>4CwKY)Lj&M&jV?nKvN;f+i>|dd6vHmsQ}(
z#mJ}87o%C2L~ilzC`F$>jd-fWQ4`D9uA2S$)d#v9DW^2gozjbv1rwOg?6clAI72wa
zt*3%#A~wyv)y|hqJTcHT_^M!b*LFtR@$!)zO%!m}a1jz=JvwR~SXLIXT~>(7S`WOy54!yC``iGAnUjC*Flxba%cT|2z*c_
zq_+HwZ(i@02Md18v1CcU+$g4PmCe@2-!`05=NtpHyxKjMtWP(G`DG!zIb34oeSkV^
zCi?|b2#cY{rpqMLcX8)TVm8Ab=&8zTPP4t1PQJPBT66R@>_YFY*!CwXtfeZwCs*38
za&ldA8;m&pNmg{ojly-hwBo8BAn$y7KlFC8K}KCM%=KkU0vV`g@FH*~rOVg7hv*yg
zcs$^4@$XPBT{ml2nZD{L)pzCG3#Udf
z{1Ed~W)lj9E3yRh(;0TS3oq4$uI)&7{XpjBgmX$xcRz!6KC&dpN%+K4zFe~
zP38xl$xYFi>
zw2YHsFX~4u*+*gL8g$Ug_+(k`JoHJd8WN;8qoabp{PInd{S$yjw(?bI(7X6IPj6Qp
zWlaxQWOgD3wsWe+914T_=vQllWD_40=X+TK01dTP!JJ<8e98qmKB6HvY-7yQGig-F
zuBNgn(${vG=&Z6IVymI@SoaL4?K=%BZ)e9f8&HPO3jaxM8
zj0hfwSE_WL0<&)(X3oWZ`4*nzfi~UolUN~6GknS6qWRbL(#c2Nv|icWXLWa~yY}Q*
z^>O(ay{A?|;)C^))Az%B!GaxUmhFFLlt~Kj{d}_gxB+mrk!|jtzPQJbQ`5^Ax;*)f
zGe=Sx+j?iP1KPdnCD7aZZm7-U{vxO!7WenqB?j1kb^B3||9&hiYwjDHA03jwvZ$Ek
z2ZbmpVFffsr=I<`IB^rIEi>N2q^_Nk
zye9j>h2U+v_)4)lgWOQcLDW@!TN)u!`N`kwrUwodZ}CLr2T5xFR?@u0+VJkDbpP8I
zHR4TTpSM2{5WVg{EhR!M@Kdrm<)G|-fV`-f8FzP-`RtR^-|Rpf_SZMAv9f1;{i&zX
zLDRb3tM)CfAbsI<6zA!f(;1vHoqc!P&t1{}rWLG>EJ!Q6nsJJLBwaX~&EcaKWQJz~
z{KGHs);fnqV$z9@j;g-!pKYfO*=yb^ZC9PdOmC9PQ>HX1OzY#cH
zNK3e>of1m1%x>u`*A(?wvl;3JJ{LT5_e8bDVRn)m;DQO_@brO?K+kP>P<_$+s1X*f
z9FeXm%ir!na(YKcm+d3YEl>7-YJ4tdwSC9(p846bY`gM!H;){OKuy$M!>by%G?AE}
z=JLzbnwudrIuUN88lJfmVz3>#k(B2wu{vS(q&i*9kzlhuvK6rDa`-7z
zn|XCQ=FzG%VqjX)syDDza(n4wAU|u%us^54;76@H!Y!7Y;y1_HR=DgIZzE%E?rD9iHlEiBDyCB
z00`3BxOxnCwSf-AZG?<2cJod=)Y~1F6eTUYj(3DMMp1ya%
z(bB8P0HI}`nM8YM@D@}m-=`(_@Kl4z@oTf!mL9pSB*jbUzuf}fobmK4IZQ`oKuXZH
zFFuvA1>y(38KJNm6Ac23=Ti6^`aFA$Du;VYv6X!KCSLqYhquQvJZO*-dtntQx5;Ga
zw;+O#DFDQ^J%**Go+y5MU34u8F{H2$zk8w>gHjI?7{`AYvx?=ZHdnM-IFy)2LsdHLB%&?ASBE+HIU}
z5L@Yq$BL^(5dhGBK4U;?)g_91Y*EBmT=|MaVaM+jqbK|aVBmNz*UGR$v(Z-j{i$5h
zp|@V+p-K1&)Em!2D%~cQ$?-}U=;c(mRwV%am3yICKzbMOsGmOmxtU!u=e47yysuNL
z$Bgo0_vC85J$Z5W3V%mW$;;wJ>LYLc
z!y&~7uZH$=hyt>cvymw~7DoD4*DxLy3MtshM~`>s_0EguAC
z0(2EO!Z%W0HGIqZWg(72)Mkd-ugsrD>5J#sftBb{SUt^h-8ynrk<<8z<}tn$r2f_=
ze$_?2MubO&#ttOb&+QyEW!!2}qg|Np?t16^&b=wZd*Q0WwR}VG$5S+@
zOrKs}>Zbj<1Gn^T&gF>Yy@VzkFeWH7cD3#-)*kA9zPV?ur+GSg`RmaL+YVYtmr=rJ
zCiHm1qvA2!YQU!n7k^bdwxMB;OZ)a)mEyxjZ@kBBOUsDB?3!UKxTVEkYCrX+bb0R@KApD+2Pt-?b$Z23)|3ysZ^EOTi;?g
zU4de8#fioc$`E^{0@s&&W5TM=wr4*=iMo|i^2po5t8TOd#vw@lfb9sSgX9Y}2N#g$
z9#hh^#S=}H4TRRmsjQ_U{fEk%)7K3rVh^2Y?dZ;ks#`GRCUE5NW%{RY
z_IY&q!@j*wPaC`yw2rB)#;42{_7Z5opRk*Tfy&;LhCw*jcDMYH`5M^KY4-cWJ~KUCph2b^82Z`Gv{
z8(LQEIaaeS^)C1QOwZ2D#pbEs?t%XMzrfR}TSmLGVQrSD%XeeeF@`?i0La_TnM)#b
zFMsXMU?0cLCNz8}&M&bp4YE&zm5V;#E9EJ(u5)o-gyLH{TvF5W_NYSQ+h2X3;Q}
    pHYX@BPJUn%&NYwee}$*_&Y?Nz<0qv+E0uy_#XsEW3JB
zYGAcwcTA3nc*NUD=y?UX2YP)nB{jm*hPtyStep0%;z~Mjr40UP&*Yz8jPXQ|uq!SbO&iS{S}f
z)qXtE_0GvSk}f^pbV;0z#rye%1(q_?bUr;F?wz)(+$@V7_L@{M}^gW{1JLc(?Y(quM%SY3!QIRrsWBFLYtnDDhxlDGY$EK(jrTdOj3FdE#qYmp-WA
z@gU?>Jng&LLPe|lP^!FxqV5GC0X2W}WZI4%W?z49WzLRu+#HX5z>7SX|9)j@Vd|uC
z1oG3uqT@)D<%7z6p9{`gKb)Op=O@(eE=m?BR{qv5d+_dTwDpS-s^DUMtP!LtrPpapx@-L`eL!yp>ADypusy(JxP
z>8pa>*#6u;neDPDJ*BfT1EaR(Wsm2e=&cTiF%V}v)=A*-DW3E~*vo~KPBH06@bek6
zO*2hvtc!I?sTrCV%dUgf!g8_2^sZT2Dk
z@RDxW@p0nP%hP>D3#R?pz6#D%j-^MuFEaUF9M)T!>-U>Q1<-b%>|EMb(=dEq@FX?0
zu43WX)Sb+)UsR+lLs)MP=NmA809oZ89T_=0{PZ{fnPpffR%;ow@F$J(3LSI?GDjpTopHn970Js3H>d1U#CoYuU6mdls
zS{rg)^iajGQZ(=}iSwMh&Hip<(ac;fbED$!`^CY0TxrII!V9gL%kGEkI#2wPZzqJ-6??=k9pCT!-)^e+{Da^+a-~{OqmWhxhUU
z>EkNj8YfLo?SFncF2XkNa%P>p-WG^F)u!>>xGyx;MOvBKy8oPBz7XwnR~a_w%exml
zSJjK8Hl-AOw+ifS3oUFB&h&5eIkUY!v23i>W4N$p$gP~@H5fRRm6=!Q?=y$Pj?b@z
zhv=ziyh1O0H>ByF{jPoZ4hH0ynGv^MY{Y|(eME5?v>IP-U)F0=PWNw_QLg@0#&z7#KHhK?M9Qa>e^
zW~J+k*gOyqsoV)+4!;T07&7g$C7O|Qr1pupO9}n@vTY$LgF;{bMbvrgzppmVSJ(;kUsN
z@)mZH_CQkIHBx0`+NabdfBK1bjC*(rN57oBOTEQOx`@8n`l9~rA=U$?wt?NuuVu1E
znz3>Pis#CSB4qQ+0!#d?ZK$<#V|#o-sp)(ZS}zht)c%=ge^OOD8>800x5K+O$&7rz
zxpARV4P{CI1sq>JOH9UDMT@mfa!JqP^PIdVikxzM^)rfq#6!#Z6EnQkOsh{i1Bnq$
zIcdY1G-?T~o@TzSzA7<1)LmOYSJn;ge;)mOnw-N$v=wyadqJ@~EPDpFX=_c)?XfJA
za#3zM)$ek{?%CX!@hcCmQJg5U;wGoMkprPhkm6-O{2WYiu0xNVKR?&voisdl#Zk$~
zp$BvwR@h~^q}TRUu`?LVG`_^Hm2vgxo+PpR#m%ZdZUQunxGmDG4RmoPLbu^h$@6+V
zJ;R>*dSZM0(lqxVXxq?GVJlBt6lL+J;YQF&;7T0V^3{fHt-WC#g_h-_-hrQTjr>yT
z5ugs17qk|&2u}oh%JN#*t~qS>{o(9;UVsj9SKbKxwYSY_9E0|*HCJ9KAe)Br7h*ew-b+YCZ5V9k%3MZTikZCz4k7rC8}#IU>uW|8YtfJ*|y(h_L5zA
zJp}3lgWL@+D~&9~BY8Vn$=dJFKf^KBXfR*WPo}5U^J?z-d`OKBcPV)19Z9~%CmMa@
zj3+NZ?z-{wVahoxu`W>jw^OJaFIbz)QVSAQ`3o<>-aHurr*I5+b6$_4=pFOcGP3--
z%1c*Ze7nSW9+2=2e{f~*JNp4nXKc%g#RK*#T3Ef8f?F}oHZ)U(Xl!3xv_6a(v9{G=
zfAkP`=?&pBnX%Z~Cwmy2@9dI{(MANO3Uw*8Cs*xVrXHWBECv4L?r}&V!CGZ`4E&nnvI)2Df#liwRtxaBJgopeXalI`e`vwOIt^zE_p=3scsd17qi)s~nerjzNX-aQkG^6#Bf8holo5YdXa
z|57|+?E&>}(^eVQ%r9h@uGG`uY!B3qg~@+oHvH_pyr1svBYB6tF
zO__G@(POtAD%NXJxc#Hc(0lZk+b*02iX;?5lS!C0mp_<}(arRTDzc8?ZTi6Xge%v|
z{cf4;8FP9d2Qb}-6*?&Ss`RyAtY5H#6_VbF#X>TJlwfGrj55g
zRA6&n44f6)hd=R9^yyrsaD&z`IZXrm+s>;wDY(KlDX(2s_7(iipBONqmQ^YqI}n5=
zdgQjO%#fQ0O#KG)D`;2m>pPFuSbW+2?!iBlz442Syqy*Pr9asQHRi(KG+yho2F&+g
z>OUYZSHX00Yd0Fn*$RfLC|X8J_clLG4>iI+E1*l6qdbYy?l~6)I5A`pNFpBEvd%s@
z(TwC$h>ylIjXGivn_RGjw9dT7r+mV}V$gEu>^H61scC5p&QsRF%DX#ON8%
zT<6vLb~EzFUh7QCv^BF;j`e`=vC6JQqIE^6pmStZcQQq9Iy#H6Oy&v}m2VOqq17@~
z-O^r0pHYK4Zn;R<>7n@Od^pCLM)ilntSI)XPVKN5^lzjPMQG8hy^+8;<*Z4taV`j^
zjbg(kO0<+Fxc}{R89Ff|U)jqRo@dy$0f0{dT|9HEUmMG4JZo6yU^b~PeX>KaaD+HI
z3QB~M!-9Ec6X~%yECA0##!hqt@w^5JiA@5!TkB*=F3FS`5xsBlhj=S&VpB9Wd(VYp
zMg>#v{EYuPC(Gw``t(E(W`xX{6n|cZ%k(Ga*)@RrZ&~^9E~V60^J!`WbM_BI{)PAZ
zzqdV6AoUf2w^rBfoY~F!XC)HqP}v2auIc1gExZtIw-i$ySahRVQ)o2Uj1u%OWGf`_
z*F-bIvtzl6TQbpr+2tEh*H<}r1Sm&xG~gL`z&*8%S$34XZ78*l$q8=L#0k!RU3&f#
zA>G&+dUfS$DyxaJh)7$T-f4(qvvjVghOQJ``Am!6BZ1-OW^`VSUV&e*&s8Gn(N(;!
z#N89)fV(F+OJfuP)Z?=vdbN6wc0Xa>mcy8UF~~Kf6h#z^>>MTvlK|xZvr{dzKQWc+
zY9aj~KQR_Fn@z@bhmjA4_KwneTPPoiI$CAMOjsgvZkQ|_450A|-vV7`GBbM0LolYO
zEy1tid$H93eE^@1zi1^UGuXsHLFb$XBXCzP@GwAWoa6hZA%*6xYWF0Y2TP(vagh$B
z3d#kTzE8JzlO!&Ay?vJuu+>xgx*BXR>8~mUxzXF!%Y$bl8>dNIcGO-@zoJ68{WJa}
z9TYA38^UDf8+i4pW`~r9|BVL|>ap9^?nyV*J0(si`F-EBE_am_pXd^5_{bmpu$cB8
z!|ON$to46bEY&QhahGQ~FZ4lz=z`t-`23-&f2;g3S%#-{
zo@Ya_`&3eOND2MuW6su-;=x+ZwtL?5)0wJeR0!T4u^jTyaJYQ&^|nE6E@*6XFf`YG
zSo5C?FBGFLZF7}^Z-qxKiQmP&+h-ls{;x%gRrl_Ml>19N3s(NjM98M)`8@c$Rq()z
zch=Gjd|7Pc(3ilR;{b-$S}p8&s`&pCTPTpkMysq2|EI+I@ZM&U}`Dc`@bcAyY%BO?!*3t(Z&*#`L=f{_)hpg5jkzImV#}=
zTb6!U<0|)qMjOje|FsBiR!pO_q~MpTnM2I}iJwZAuHOoeThhOa%iHH3g%+cXxBrRA
z;#$)kzO@(8`f_vsLv{eS=0pox-)IcWLeI2NS7+zJyDIP&=-!XE|H-Y2eVlomP)4+u99{~x!Pe^Kj*`n$K!FCH@&=yn_^S_sZT_{`IAwx&wU5oN
zQrNISNeYn!UTQfPmqJ$~;SPjZX{~5I5{gvS+j5Tn6>fq*%+rKgM+8zoU|hn+m?`hJ
z<2ukc*Gmn&=F@1$5UH%fGu9z1l&}3xYo@bW)hg5*im24?u-|9-=25rPz~EEqipwPCN_O{ac*9Y&gxE3$c_;w
z--a2=2kZLu2vlJ>A+3yNyDCM3I&SAN8uC%IjMh)Krf^UDQLza9RQfsJtjrl~3t}7q
zS0d%u%nIrTu;#|A#*Z7+HPC-zvhIb5=8n4X1_x1g51fn_?R15Q^&_D8PsLxq?9=GS
zr%zUae!)^1-BZ#V;n2^C<*iIEzqM3%-c;52v!kXwQ9Yih3wo}PWKos$X^goQF7HM~
z>ukSx2ikRA?9;qAUWGw
zHZIO*A)vOoA{69Y)e=9mWls_QPHH1FQmB$1kC?+3DzIAA(1a;l#AFNzuUTPm0-3A;
zpx?$rB=+Vscvs>#5J=ifae1oB$$!{|Nt8f~*zQ_#8hnO~+vy%sW-)=T
zYq`gpdG|QRL;QYjAbV`>XqwbO1Na^@<&;r0kN&213gAz#EjVWYzD$8qbZAC4E;OW6
zxD4fI{JbI6m_CY#s{q8Wd+b>`Zj~3(GMG~5;P!j&D-#>^AgY4F8a2Ye*-Dpo1%I)%
zL2$sWTX3MF3X}P9EJ0z8T}m>cs)2AN6(#dvfuFG&iL7AbRpbAgT!E;9Qe$bKFar`U
zYt3)fSAmA4gy7ZhlG2Mk;j)@}M8$)}zIm1t&-RFI%
zQnOLJ1RhySY8Gvo37j};NwxTOF%=m`ohB|y0e30Q*kQwnH8SM?iKvY7K2(6Cr=T{~7@)H!~;bPPW!Kn-?KPx)Uw%(4sQu#@2
zcguxe2k>J5PSe!*-ITaxYAR-~+Cg8c@`4nQ*>Vl7K@u?FvgE1qHE{IS;kFeYVz(7f
z=^QoXwr`#$KWvrJcqHbm>j+}pYLX`*{Zu3P*SCH#yajezgK^+VZf_nKJI+2%?MFaZ
zFK01nZy|+)Bk12TS^6jp+4@imVQZ#>R?Kat{-7N8W~wHFDh<}j?Sq_1cU&!WwNY<>64mMEK8_rq?iBT<^K)SG)QuZNWQBwKDbDhN{X}Ty%URg15e70-K~%R~U!8yzgbiwz-gw
zx1>*M$5eNp{Og}^aQ%tasbkKoOjSV$+ZIfj6Mj^M^yH5?>UI@}0nk8fOsy0m9jL;&
z6m1rzmxfDaFpx;SVL+2wE4G?%mNVTCE<64VRN2rI4$1lV;s^M2
zViAv{f5-CWVO3q%JM(4;aPhQIu>Cw15wrbm-^Cu?zi)O9c%s!0UxWZiQk?MEb2uJ`
z&sZ{n#exk;8JS^B^vTy@IeT27Sw~%g;KWUEAkAnIKGN?!LC}7O!PjNJ#_!x<1+k5BI`UCZRziMFGUp={
zc&1NMrV+a=xf&!IM))2)ZF{7=Dt=iZLMy;OKmNxf!i6_Y$?`t`O*S_Ez#jj4&gGc6
z`Lrp2qk2RY`2K&MG(!>hvtPS;!@Lsqzm6SX#hx=`RXI_5cptyn8H0yj0v_X06DE@m*qg}A(cTxqeIP8x;(aHTf@f<
zB!?L>oG7fRMrimqQao5CH*UECj48{eb7S>=6`a=xp)u!pYby%9-dny
zpP=wiOsISjqUcDMZg^MK9B^)&EFP>m8`(%OnqJ@M!Al08T<-v5cXcR|t>Wm!T>@Hn
z@qofim8KnsCpj5J13QsKRgw{vhbpJ?j+=+Z0l=`4rC}n!wJ2wdVh<@PHrBq3Gc^1i
z5sK=`i&dZgtplV@&CR9JHcpb>d)6
zONW%B)Kd{>{D1kv*1r6WmV~%{@tN#qeya#&bGF(Wt4XwNMf*eWY>GfmDqNA?;00+-
z75fiJT2;ByGEmvqBREHqxC>*l#A=e{4l|g?3A%@On1;JIecQIVg01N*7^u!HLZ2K8
zLX`peniMo5hC!2=Q8Ae}2GX)rj#H!+fgmDs*v`pb@6$Q6D
z_yN{Z$N3qG|2BNtpEv$(`Q4mNW@;Lg?2etG%>K#$Unm$poN~kQVop5cG1w8nAI$SR
zonnZ@`~_k#)HHG0;;*;L=#OfTyQlx;E;*RXIT75kO!`a_nvMi_H_rX=
z`wKtxf$^Y(i}JMzjJGUGKyFZTE%9umC`w*$9()~bMDm6CP#Y}qGAbrL-~*)}9dw7t
zA4ovcABPqG7l(!7xu@gDv5?5dPCrsmf#B>cpQB_d@Y&a42TI5ZAecRZdyx$oXBLI*
zR0o3R7L^TJW8xZpS6<>j`dX0eeqL%lftGZU4p!Rmp{mR#;-Eu3Bs1qdY)U@1fhD#3
z-vKyZMp;u${sq7>W+Zh_Yd1*~T@Z1qlWRI7WhU&+u9AQScX^WT!T6oyz&(w4A($eH
z3zy>HC+>rV62nMsB8RndO)`wBdjG&@z~nnCMJkC%H?zt$WV2F4f+PbzhThdn+d*_02xKa!on*Qb!Caj;^m)
zidd7d$Fg4d7~{RdlCm^f?40~RBzDv*TE3?>BHoL=y8jonBs!6ROFPa0ljgu?iVV4`9gFiXDF7+=tV?fQTIe!Jx-ji{}
zMkrI`l^*aqi~OtqE6}AtG7U#rA;I4l#kcqV13Nol6{h<{)ogXXxJ{xyD}TrTyK~Ca
zKNEhn8UWhtwUe<-owyemV=P^tw0M}sHam_x84RblVq7HQYNT;2;7@^E0dvBN8DM^=
zjnr=!F-q~G(HOmU9^gQmY(h~J8R$DBENj@XriT9Pr$1Y)a!kTT(Z!mVTJ4~tF1jcV
z9D-5huXW4>8>0AejHuNVW@Zc`-0)RK3An_9<|c!=a}yWm^c+*gNidkM^HX7h355eD
z=bTj4af38U5rcWJkiMA0Bz-z=khdwUt(^R@u$6CLY+!7E1_(|-iQ5zlnDAQrUuA&O
zsFPq_K6mi`wz0d8)VAc4`}__QJ=_-f(-w2*hww^6a|W|d|1I*={ZAuL%3~^LgwQ`~
zHoP$T2E~KQ5urtTiJ(sc^+|mc0oW2*mDNbOY3n6ojyA$<`FDtkNF$7ypzJPVs7RgzXJF*{H7%Oh)c9;&*)(WljWwKXL)u6Ox@S%71n{EkTd|c
zr!6yVdK7jXkYd|H{YOYi(?y^IsroPpIKTzImliBHkV<&J{cjN@tZ0D#gN!6KZ61(=
zO$vbmI$vDGo0L!s3G-vNcy^muf?~PO*M7zQw@faJ!TiplFi-rlBsveRLejuyg{?ij
zna`nE`3$QF7f!V`l1e2iL=AvNsXxgPcy01flTk1ajRo)<2-#CEt4zU`(Jr7iN_Xd|
zWTYxuF5;VTuv#VOjA)q7mNI9{7G{0UP^wKBE+Psfo@lLLgb3@=nTOWx1(Lq{g=Y<{Cr`U3Hr<;VnC>Cs)R
zWhL{U(0sfV7~wBTabtkU>ZJ3-PVVzt#4zUk{2j=58s&8$zB`Sqxr|{T0mQvO%%4_#
z;x(EviQOn6wR<@UY0pOE24Hd6r9XESBH=sO;c{mB7kD7vb=iy%7SDJ7~wMw
z0M>F--B;|WgL)*(;OV`?UF*nkKHJz!}s%##3r~5FltRm7&7)
zKU|#u#N~PrICU^|@2^Y}$*(kb|GXF-5AE6hlWj{<5u*vu2mU49Wiea*qXos2f8#F!
zoL^t)Pi8E?_gU-p^&JoyZ)JqyU4JzEyI6cL1PEMTT#UL+e#cl#Bgn&TP|pbT=V&*W
zENeCx00_+&uSt4slN&SKlW_o-qDWwexg?Erd=oMk?R5ps%7HlY36crJwvw~m?T8Tr
z&*aPzV=Q++CQ5^J-}m89V~RM81dh=e?xEW
zOL9geE@HRzMZSSg`<@C|$0vA@wF+^UenWk`|8mBw=%{w5ELIJj0Sy&~zd$Nn$?;7Vyh#uGz_cDzotaC;u%Q#6=>t
zS&T%Hk(P$E5lm5xsICB&nvKaQrynyqq@dZ1n30d??I~UcdldLFBdlM*Mjrkrkkx3o
zzeML7-1}c^Mw03m%t-5ym|_tCh@zgXk|K;6x0ksZ25W6x`cp5COSFom{(;&WDSuaq
zNFWb+F%RG8Yu%oamN*ojYtWSu7pXw(2M}AhbCa;}4&u-{*8Lyi&Sf^so^8S4$jm$n
zM|+%~+&<|fK#IdCN%3o3TqFX2UE9QrZr0kJyU9IN-
zyVT-4dy)48@OgNQ?;s*Bl9{2E&D4}lico3X?&K=hq`0Noq`0w0s;V_^xAi-eYGu@j
zeYSCwrCVF038sJgon~w{ED_UWb7o^im?XS&zanMV9=A?;x~(q>AJ|uAeR*tFTTOxi
zi4r)RL0OgTof*?
zz!;(0b>Y>S!3pU604n-c(rYr&NodahVm<^}*q^BpA4gEcy7aO$CPVoDAMCvcSX0}&
zF1%C_5djqur7jC1BA_DDK}AGGKtzp7i47t(^gu!qK?RkjRDl30O{D~+lY|HeC?%mt
zCkaIeH31U{koL#5_St*w^B>Ojo_qiOJZt}pZ}QIXeP=Q==g4HvF~0E)2In#AqmXUu
zk*4()@=@rmf}IwH`Mdx2__n&o=}!5*O{Ub)H2=3RzVelpn10E>8dy#2kdS@5Is?bK
z3y538iJt>ajvT4o@moyXJPp_&+fy83>3&;(lHwa
zol86yYkh4pM0{xbZh`P$*Z8i_ULW2R7Hu^3!%6(ySN!+#@fS?=cK!Ei@)iYy5u=4d
zu%Q0~J0th^nq~MT|KqkTJjwr9OhzO-_#xD>mWB1dOW5Y-?p++E<%vo~u2QA2$qu02
zs>yu*a<5tD!+He0COxVyRi26(L-`s(
z3(bj(lU0gFy_wV?reRDvwS!>@O*iii@=NH0Qj>U`>r5o`*~Oh7O8
z3egtxQ`y8_*u%VQ_lD~iP|J2N9ws$Vo(bZoy<_wi;TqLrKej{_U*N#2KE|+sy947E
zt%q~xyOyP6c$s7WDdwh>*91%!!)788!>80BBNb!aje>psE%ep^kwK~*n-}3GZR8!P
z$z0C!3o$7tH<&JKarAg^1aT`i76TkzPp11L#!({kKOXsK-~Tw4;KRpwjSj;nuc-Vu
zmd*B0Wt#Gy{Wu5Fnw>hMGhR}T&(KXe!%i=UoiDP9o3W=!`TRE@hrBzG-nXWfFK{e=
z>!@4;?pi*8m7vT@^Ky_khwV@$!jxy=`iik@Lt%ppq-DimO&|9kC3y7rN6&dw-PGhG
zL4kyzGoPctcp&>_26H{;`YjyE>!bT^kksu}>@lTa)>Zk)QaDCT4=tk-xbA`rg{@qKW5<&V(v&
zKm6j>Qz47Lq<^Q92nZS%;qtdFkMXKP!s|GWjw?ZY?GVwj(=cV
zi<;!H>1`QE(D?197=1=D&sRhfC+!oX$~b~}#0;0E7aWL&+bQ41Jz!%n!}1&5y)ommA5
zc|OA_RDW%rDZuUt@Si-UCR&5z4}4^WJ;DZ0!i(bs;TKx#?}5BwA*<0HR%2TTW8%vQ
z&M%0qCXbLZ+6t>M&JlzV_*2Yi)BISV6k@%}(~LUnG0=R;vL43}v5vnE|3r{EF$S2=
zd!bTe;uq-4IdN_{Zb5bV>vKfvSjDOTqG9_GbfO9TP{>$^nsaG1o#HZ$k;M_*>z#?*AR2>e`?vHmpz_;
zG#T-xvc|lB9LC9I1I%xGs``(%#E&KE+s;^5c#*A9Vz@II4404;E#JtBr-zh
z$0;II>^)ooiGucNfYUpN8-KZfmBatyB1jf$*?;{&?J?2B^Fw{Y(1yDhcK5
zsklJ6;zf(z^kVSf{d0Bc*-RCq^ef%%eH!5R0mLq(B^qc;c
zD$~C^3a_i9D|nx$*Kyvc{VVe^w2$!F?6YH<1Yz=4VkBNyX1UBOEptJpdOes1-X$-1
zz09&#u;9f*!}mFl3qR_ZH3Cs$KSrTUxE<%+1PohVGY%0{w^`PboXD}?^Jrq0wK*yr
zeZ&TEquuX!t;wQnI44?eoh8MX1IfT0@QcA-!R0GHN;E
zc8G6um9pUU|CYwFZ09SerEg2xI|gnOzov(8Ub#v@`ydh+c_`pG=MWX}=a;(YlbDMk
zKl;JT{&~#Tn9xPBH83t~X=?uufq?c#
zL^0e@z%h<2wO1G4xKg$(mmAW-*XE%YkWqX$4v@;%=l8DQ34DJZnt@E?&-_7JoJTkG
ziu^wEY6PWFDTQWj_STr5c;ope1RC9jM9HkioBPLI)=~YR0#bE)BHPpPzXvkl=`$?a
z=O8wdbrsPq2<4#*3?E32-5mik>4MCZK&&7$1@&X(h26>_gptqqUX4W^@fz?vaBSiI
zk8ukMl^Y=pV^+4oJ&e9B=?x$FC+K
zX-wF0WN#DtBLMmspjRUVj6yGLMn@U#9(a;8DhNBW?}&so&eQK8!+44&k%D}=h0Nun
z99{CGjE~l%KVqf3IfoGvCNaQ|$d8(%N%Jks(j3=sPwA3erOeq~PE7|5&h{S_{9BBG
z$Pahp75*&JSiC~+tgcg&s)1F%cXPCD0P4e^MJm6|>MVk}^x=-rI?4uUier+(NEY?9
z?0=F~#WC?=4j1Y*vTrAK7FoFTWgnltEF17|BgY+|JukboUmO-2W^}$jJ?pl0XOW6a
z-~XN*b$s@$Y`{Ko%!@G6xq8p6+d7>^axQ)0$7fAtm-dLWpNGNE#W7M*ly95^R2@D1
zmlaC_*az{Kv}Q?oBO(}fD9R{jC$&Ns->{-i0RJ0EJg0&0nq7&=%pWM=M
zE0>nE&P0Q3b;t!fTKta<$*&ScUH?CVa#7dRSO3m%f?A=6Z(H#ofPE3Ej6oD-g7bex
z3TGIgC?gyRDnu7wzoI~(dm;WI4b9C~4)%Ljl#F?Tn$GxLJR^WZn0z4JpFE{&W!~iH
zcky=s^<&2LTFxG|y3my6ckxdGl$2<^wgS>kpV#BZDVTbh8Lc<{e-SEW298=Pbbb9B
zNYU~xR-%uM)HFY0ANv0z+3%#HYH+^)e6!W%fY=Xl@o8DJe;Vn{><*{gg9c{(s?An5
z0na|z#;5&Rq^|h1oY~_}xvB=1{VvT`wgD+0{xnk92d((D*RxxkKnD#>`*$}JE(QE)
zq{{(`A4=lWvS$xFfm97F`foH7{w$JSGr=aH@H?X@DLs=e52sEVm{ast2_2B=8eeAG
zpF!$^q}MRw({g7Gov5k?*8M@v1lxf04}S(pZeu!>BNJJ5%Z6iyG#
zV+)3Ewk=F?yEcNa^VouhaLhuhbOLYsqm#E&gQ)I3u1{0y!n4oI{OrxahKiDi?fl)W
zQ9)-kRsC3ue@{#Nr(rc%%f-Pf`2StFig#EX{NDqL5iWR}7<;PmTmbZFt7Po-dZaxp4I}P;+IlHsWv#iHSb2-+dKbDl3cx}5)
zbFA2ttm*mL_3G-v%^iusnASvxy)Jj`2+daRGeudUp6{yno?;ut>K@KVvbn~*pr{EM
z9Ao(t!Iu9?tLg&&Kbg`S$&TV
zBaP20WyW+gP2Oc5UEKv=i;gk9S9ReiV=JZHn69R&wJ6^7XD#EEb-T)>6jO9n2p(#D
zYE8Ny9&3C)Bg?u|Wh#z&eswLHJ88>QUEKkHW^9)6#=2uoYMGH^-IY7l#dKLc4o@*&
zi|$_C0uM7b&3H|02Tf`**QA}GsS@Um)x+>aV~dPz;#xG?*gPYX*g>82W$LZU!`Gq=
zX3(l3Jl)tjBbV4komz_mUum|>Oo}muSJ%TsYEG_6_rhP)oC9WQcFIgeFwIuiqDhk$
zOy$+>@TWCrfNwNA)}$AKIhtKbQ!PxV)noAFnzg9(>Sp-kn$y77=yt%Q8gotB37E=b
zUR^x|PpG*7%to(8qiW6qGtnKrlWt7yRay92bcX4_st-@Au>$6zyLzYAqLf$QcAZH%
zrugbc_`{l0YtjSoxSI2nEO4jJR4UVQbuC&kX~$Gw-3gDVF{8WzcdSKuF)+pc@-l;@
znvvokf9}#H1s}paq6*6V%Z*um=^p)8t0kRN9kTy^3kXP{9wJ^%&ocxB6@IrLuWI&9
zpt@r6<_gO(1GGOn3WWic10$~Cd4F`O2c}$e^U?|f{@{$eCgnL422>6F!6(?8t#eX
z8O=8`9TAge%)QWUYtrz^pS1?&9q3WqOUH|vIWk=lQ)|-KN$nPs%FOLhQQRZP)0%5h
zRb0H|1fun1YthY6
zVO*%=DfBBqyV|5Qb4}W*HkH7<09D4tI-W;o0oJ0=9L>;g03CUgSDA;P(zvx~cnM!6
zuv&5;+=t%htII})=Ki?E`9jwJ?IrFC)yAbbTB36RU3pX8%(ZB5yW6BTQx+bSM2KT{v7fQxoCM`!kS%uKFHb9=jHrWTn{s1YvR(Hgx5
zUETK6X0!UUc69Y;&3pA{O?35V?fmM`n(FFL8gv6LgnSbGN~c|JQk=PQO={isvqo(H
zY3n5Zq{&T1G0#Hx;a-r>fwOcv*P@8%pSEE3S>ZB#}08|S1bWQ3E)xsr{
zFM@M)x>Bdwm}^nstDm+k;7?jbyWONZb0<^`_n3Sd{CZ8AK)wLZuIRLzDqvoNs^Qk6
z9?TO^Ib0O^EI6~GV{mdUiZo<1T&9fgD>dW5#IgPiYm17bgR{ike>}u-@F7;kpvr90
zY}}G6yAb1S+Ar{@G2K
zcXKZ&C|O+crcgXHihv)i2Xbe-mUgqw1TSO
z;>hReYf%|o1lf%K2GW6!P&FPt}H7Ixc&zccC?xPYZj(dLC&sJ^l
z5Uj7K@1`ASrVHND9Z~4$xA-Pc#sN1uZ3fV+hIVv20g@aX0{r{`=m6{;y!{)xr2&6*
z{QU(pH39$*4*zhpzqx+yexA1nU|JYvFJ2|FUejUBO9PS>)O{{ly@6YUl`^fj;W?iSLe+X7XFhHmM2%}Sy??Y{Rbz>
z0XIAC1kl7l`@35T9Rn6W=)*f~J)cquH8(?4IS^KC;fiUg*wfk+J4Is1dtV2|_
ztiM2L?S7ee6mYk&(LSn5)>nH%AXMgg1I7v)9ilL@5N(?4kU$UxNEIHix2#O@(jIZG
z>wY8<;tCHqSXQU_X-~O!c4y_C7YMPl)}FcSTjl*3Lsox(tgre3eHT;mdhKx&)7k)Z
z6|}9}tC|
z01$^iIEy)XIu5w0X-fdO8rs#JT1fU=bPh;BBFWsUPCrWeTr~1a00>b{X&X$1nOC!C
z5q4hmWIxGo#?NUnRB|E>zp#QYV^LtoNEL$_^Ixn7AblbHF90QM7WvM(JrWt^gB&8nX=>4h+i@0ifa
z9{1Ch!)NIwcL#XCVg`!u0OnF0SZQ)Kh;Gk;g4r?yUPmwg9`Zgi9(UV(5`DJnjo;nW
zZwO^lZ!izKWL-KY4(shst*Xdk6PNg_-+&*06$@qd+D*+^S99Zy
zP#6=^^z4iSKc4GIU%kDwXeZ}GC-7-B@Q~fP3W{TkF$La&pzus-A%4I%?in70#kslk
zC0%o3b0@d$Vn4%fsfFd->Cj5Xg7&ec2O00h3xHpY5Xua`9gW(h&|LT(?Sx;yqS-HJ
z9Mn%Pt(f&NNS}jmsEYLy(c;#~O`$)EP2uZJF0yzqlXI-OrH~=b9JUp^2yRWgyP`R}
zY_sIQ%8o@433L6u1{7BY{Bi)@xjKXSCD;Atjq2|HUJT-;$Ew@aSbiN1oW+mSoTXLt
zejq|9A1K5CBD!C5!uSO(sf+SXrn48Z7f&%@<4XQd!S|zq2=@OR+6_c-zW=AdxUfoC
z@k1H{5^3BT1P1;q>v}c4RC17&g$!4la_bVbyK^XUH7B_GaF6m8196A#A&HbbShI5BT!P2gRLx+o$qXYL&ONuf
z5>svzE7&8wm|jM=MtqJ=8Pw1SH6R#pX|XVS78Xzd0^-LrO3)BKVkr&7|HymIea3yy
z-N)8u`?H&ttYr9TtW`wOEmjh
z$jAoAGSh%QM&y;P`x%sxshwG9{`^xZH3QRhM(N)eACnuF39
z*WTIcMRpmi%d_8JaCZQuwv`OdNnpBYAHqxM6kCtKRYaZ`xyJO5Ej==FvF_gp8%Qq(
zd1M-ah=T_P-8K6n${WfDPO$Bl=!5AJgD#kSq$G>k=Qs$`bV}vl3`pfy!|TaqU}wQ;
z!(`s8Ua@_fbII~`%4zM#uA94e{3Wba9(%RTT%Ud2@lN%!ZC1`X%NHqs32T-|e$I8v
z;*>ku4X)3+cjT#Fv;9k0t2{1zjeo0ZWBVrOjOEjm?b^z&e+g@p$Ns#jnmVkxFI`Xp
zt1|E8KH+8$37$Sq?1iDGPW94;Dgm~gKx&Yv6;Y(Y3y{66Lcd%Z*R5J>3Sx}+&|r1=
zCHW{_fUJ;Rt4%6duGMM*+5i;oX5kT%e+D*1%>vRjca7FWgCUx9N{EnPH4JG%aD&e<
z1oICJIxzZK^y*YNj?KS^p_(RRsQBeoz+CPeXcjbw9whb?2Ps9s&nNh}eiIuWdzL*X
zGK(zbf8k-d!tA%)SKQ~^BEb>A9>S4fw4UhB`91*qct5d(-uL=Uf;i{fIr;%s5I+29>Jk5sNDyV64tBc?PXa=-KQ
zxO1~C9sYTCJbb|TZbljYF0z-G4krZkSq(bj-7y|9b7kj3r%nOy6x@0OXjblPb!4yum4N|KDQxtA61B
z)Rs#v{9w{+!{M*nAkk>}%P)ettP*;IUPdpnjpx}x%%}0O{yVa_G-|L@_9X0`=}Y($
ztK1KI{lXzOZSUDHCwAO+zxyR!{dNA+e5dnfHyU~H6@*FC0-N32;cv)-PT>tF8BX)xt~Ur+xHWu4-)ZsgL=n8bh^K5DU#+K*&;Z7YG>b
zP2amkLqT6n9`=@eXN)BP`P6FRT1KUzWW~vAM{Vc#T#h+sxHn1YRPC;jl1oOXOmFKx
zW{8}+lJ!7p9DB~CHup_o#6nSD$gc+r!J*~Xey{dOZ(Y?+oaTtV9jOJ19py-;*Q`Fj#5$C(Z#>f~GqIAg
zf}3FYBk-OF1Yw43bUGVaioNX!e*2C%w(2v}HSi06|9fB=r
zcFtXi;U0?-;~s}eU`Bo#Xzo5Z1_+ZiXz%RsH(#NDhK2W7G5x;N`~oQb1pknJGf#jc
zq?_-sOz-TA>Ltww6S=VC{=IqOLyFFWQq=V2rLPq#Kv;i<<5Fo72sg5ngOki)f1DG`
zMN_@~8u~K>GZwJVsCJ<@lqX;NKfjNZTCn_t&tM~hXQ;0-ZZMlh;6$=c=6=~YL+j4F
z4_4O&uRd6k^isU=Di`
zPnGZ%rP_*Z&W53YeYcS3#=^I~m+V}hoW5+;iKCAjRfE&+kZl)Nw^X>?
z(VrDu{vj>YN`zI5%rfHkgx139_NBx0>BE5~D~56`Jpy$gyehpdGbkN?Zp7vpV+SlX
z6u6nD%FOAT*@3fNK1yL5Q50LLbL&~aDVB5%uxmjZxpTT?E7ip|EP^V&va8~AvX5&d;J>b1=3Jh;^xpWLk1d>^Rd=r8
zs5JkI)_HB}6{AEwpffV@-HpN~pY+1#6`@LMbA$_AKu5)9`qjXKVDR!+_2{rj148~xceJl
zDa{iL9$MJ8QqPXNVrh0kWzxKBhWIfqWWHQ)aDojoFex9as&|KcCb`H2)KSh;HG&}>
z99%jDL-8;VXyMk9xwi^o-{y+dU_r&b)R=kXu{dtvT!oCtyvZxxuhtUZIa`sEwfb4a
z+nB&UviwBDHmbRo-d^e^2lM6ml7S2tc5;%rxA8N+%>bfyM23ib!4^}%e_lj-UF03b
zMh77-wt1(-q*AI<{`s#YJ
z3=?~+Mu9DIIu}j{L@X*kv-o
zM6;2LRn56>PL5Y*Bwl0z{5*#OLpyeRJUUGL09h4G3Jg!EqC$Lk_}JxotiW$J~cU#e+NN4~hDxaEM@VNur3O!9xp$WZK(GtDh
zzy0B*rJbiOC2&4xH}zIIZ+tyO*!$IdG9fobclV?8SVlZC*PDznz&P@=zINVr0OOkDklgkc1Gm&=O&?{P~Xr?ucJ=AJmniA@!!m6t#xSg?)wz%N>s(g<|RBKJKqvcm^8yQpJmbRnEwXb&V=ym3}(y&!2J6Fpu
z^{)4{!1TmI3R+)DM_!XGoIB%&;#h4i3n885rqU?Kh~=vl_M*miaB(hj%o_IOldLu>%@Y>m7+Yx*C}c
zKCEzeK@KF+*r6Mp=*^KuQvt2&&z?aqigT=c8yf*@kA$;L2_@vWXbBh;=HJ|tveI=7=W)ycr&|s=wI`Jr_
zDxG-Mq_^LYXgieq^3(L2yYRGlJktnv5?+6UB0CLNGJ!Ei2-
z$2*+1n;ckwS8S+Y)nk$LAwiO|!Xc2|>%j)-@|m&?F$%%`Q@*)rLsQVC8G0Mhr0q2c
zyHdL->BV|W$t2Sg+G7ZaPh;jrh|arsBmD=1>+B_=i@o13Ql!bt#FLEg9#_)d67Co-1PShMS~5k9;lEQ^5o?Z(JDz7z{TI|y|4
z-A!pBceDhrHZ7XeNb+p>Xvi3l3K(~M>}^SLTLq5I_-FJk;;hE}R}ean3K^67M9-IO
z@tUCr$cKe;mE`9TQ@UIw>3JMs#;@ceB%NkR3aV!KVf^Bv?VzMaR=HxuB3=+wW6&8Nx%{eK9(0SAB$3y&9$vR0D;gLwaPZzxpZvw?8
zO*lcoHY)psD)_vYI@oR2FG?Qx$k`O;Dd2!Q*X*<7Y~YvR?ua7R52kr5Pg
zrC>z|?S_Vdi7K@z*AjT*L+**wAdSOLwAMOUZF%zBwFV
ztVf*xwws065SB60TjIAOz6(KMQ18Rify8=Px{B~*%vXch#8A%RbI3jNo8PIQvEAb+
zqrs!J=N`$}+-1LuRR=Zy5;Y3hVQdp9Jz~2pIO2Q3+nR=3GI78mkhhlV2v(>ymZSM4
zDc0wLBAXv^xiWqfqO1K?~U$Niv%TY=2n!S$jtxNUv#`&3vYe_MJTL0s#
zNs^0Szdp1fqGmeSVH_QOz7DfMvZBV}EwO2pAlLV0W5DazyH8|gzX;Oy>FIOSX)G?D
zIe>Kwg-BsKgaV{sy+YTdR*rI_Yn2-f?|l6zC&&FYNNn|Hd+&BTUH?AUz7!)@W_
z@`~PppGE`@3Z-i}I{&18pF~Wc;poDXrhVz@f!tA-h^9U1N(+Whs4iHDU}DlhgSeA!
zp*If98`moCAI^AiH}uA;hmzI2L)cBc3F0`HI}?@bH#IsNSxLTQ48B-8!PV
zk>Rn4YkF%-$k9hhra`*#5YzE3*-pC(>%VUCHM!V!#6G-BYX}>LQ6eO53ygelG_+=0
zDRL9Tl%-V1c}{+@8vW>K=j_>P{u33Y1tLXtBvu)<-luooA2^%0+myZw+B6T3WEW2y+u3-%WS5)g*!|ricjZkQYj;_<1R^4-
zukmhmyh2gyBA`_3?a&&j*@iQEQr@ZeK?mwy3f+xmpAR5Xv`5Yxre37qW5s!AM9!!L
zj7mXGUbCcpSHG_0(o7o0Y!Mf0;hSl;%UWg>Rm0S0Ggo%m-d?p+;p|q=7~v(S{CI}b
zjvHG(G!iEt=UHYt{fI1h$SUQG7>b9x7^XREbj^P9!|%yqcvh!Ox#n~klTbOSbAIgS
zTeSK)u~Sw{j>(%z_qSLIe1^{Mo-I{c-w4lV==t+Myw>Mhri3joc}ts-(QGQY
zj5x&)?a`cVmO0+~jegPI8H#qU%Q(-zcoY9m4J_w7bC(xJ72QbUl&7Z7Tp!Q@9;56Ak2SPljWxE=E=sO
zz1gxAkDaUA6%T)_Jx%4&wrG9=ZzDu}3m!uhr$^k@2&>vPap&c4&L=BP?{cAD=dJA83l9@Es)=8d%|CwKbhN);eiuwZfmbMroPjaza9p?&?;0H(gjdX1
zOfN{nJMy3_Gvnwa{JL;)UHAEP&v}K4TApVSUT%Kq0d=FH4z#9&dH_@MB~mAO;eZzT
zUSn!&VBBtSov&7U>cUVY)!9&ItZFy0ZPl{}Qc{z;NXn=0gjY;r9xthvf;-$I6a{VR
z1b_g#J>AD^uk}%Cc~(5g_ll8X@feRl_j*_=jvU51akHYoM36j;;Zig}7}Q*)XOq7{
z;h;B31B}7WEqRB-hiXd{u#}O031R@WT#A)eNqIM3`W_$d4JU
zX*`Rxf@9HP!8O!gR*h!BU=_&~l1C~Cs2CtY={=wdW0UrUhbSelflR8RE^K%HUhqOP%GtR`jbF8J^=ZY=r)}1VDDgF4Yc-fR(WD`F}WHep8f2xSQza
zfhKkA4jT6pCL@p~MMsR1tg&oSp7k$mJj!1-i>xR~EGnOCu0WTnD$VAuZ_a^UolMmg9
zF;K+U;F!_C9Zf*5W#RCy$eM=w~cz-5j31OK6s<%
zKLG5^PVMJ8m*W|NJ`8U37~OD1fu|Qp9Zq`)ksu44MSXN{5J;x=Tj&b#2w!XhS+^Z-{Ouf*#T7
zU*P=>U>v*%OK}KhhzI4cTAAs|WUVfkGc+cVO|JN{)Q4`Vy}MWa^Vaw315ax1lvc{$
z+XULaVpiIBDEevMsjw}s$Id)+-FtRO^q671=?)qHGx_H>ALHaco>V=%akrv|%Jfr-
zy8imOhg)`M3e84-Ki1rGP;=~Jh;<`;H2C=*+h4stUpfC7wmjp|;Mb
zV`K5Vb6a(tXa^=+P=|Y-Za7WOoH`ZO6!0Xj&R;NL;r!=N^PS7TuM9s7zYvZ&9B3Hb
zG`8(c>HUNH5vT6FzrOdDu>`~WrS<-23wLVz4n_;@{xBLZotv-g)Sx=!Q*4Kl=D=b>
z*6(4L9ZncKYsI)vyl6B0kZgV;sQ;T2)i;3Jp9X@YlY#^eb(4NcS2FkV^F2+bd(p!%
zi5jW^Kza)VQI(`>`|my&q9yPVV-u9o&e)-7J;FT>PM>J#A~5P&T2iq`z9*X*r!YEJ
zBgw>%L5Xx?XJUr=N;fr$B@fKVoY6BjjA1Yg;f^uu)1{x=KImCb*gSdlfw}OkeO6k;
zar!xL#2fb38mWQ0CLSSE$g5OIs^WFU!ONKD&!0
zd+gze)gF3ezQ=I0z&8?WQFAYRyr_0K_lV=;+tLA!eL?YzgH)SUvk}F|uz1u#)Elpu
zI-?7Y+py1u9nZwxi<*TL}0MIgh#C8J$onmpyx3m2t?a=|X?;<<
zI|K4d6%NgjH0HR6=eWVOB{E*Hbrr`d6KV^#cshBhJ+#|B)I5A`c=1j(wkQVH62U-|PJYkg%cJ
z@QroE&82`>xb<_=b6#e2kXiZ_CN>sQevFW?_&(Ct38gl6T{!#@C$A2FXu|%n($y84
z1f{Es@7`Nq?Yjy$znY0lq35`Iy
z`{6#*W&OI3M94bZ)E{Z{k9PIm!Zv2~8Y0CfW?X^P
zl^HK!#Xj_yLz0O9ii1pVHS_EE4I}P!vagX=;0CHrD_fj1lUIN)H0G?%%gvXs<7}Ll
z?aSV1=yuM|lp3|%zUk~ftlUEBwxPyVofEl@hAyYwq+TA?ZF~vbV)F!%B;onry1It1XZs?rg;PjV0
zr%zg&2PusB9nXLS&PUgz&C}1=fr8S;{fhYxSTP5$nQ87^b3`H2|8a*j4^xDxotwY~
z5~(m_%-A4F9+Nj!OIP%QeJ@lIHwx-$k%v{$%PuKs#*dKJhR3#a-ofx~U_n=A1ovZXXG-*Z9U;4|s
zUw#oI{zCg@>n}0CZ2V>YFPDC~^$SFxPY8ZD{IV_(H3u*O%Qs19l(;<0a+le*URO1C
zo!a(Mb^5{14-L=W?0NX{)b@L|o|o@=LOdZK`_mR%XA5E+WGmh=wuJ_V_^H}go_hg)
zVSFxiFCCXm!bml=U%V_7;@>`pNoKKF2s-J-(WQt}4I2-0*b+REppPepZJ$%tt*{T`
zTbBAVGO@Mg{gh0OqJcC2$@c?;iji-EW1==@oDGVAAHQTnc8(FjKmAS!lj9t1X7!t=
zN@jA5+5Hni@g}z@9=t=%N*^*PY~_2$`uf7o;BhRMcoBEE8EYGa$TxZ>M*~*1m~;?a
zl;I93rx)LW$&Xv=@*U#o#XvBBPqUqSsjo@%VE%w!)OSJ;5Q0z|XS*|pD{K%M3PzJY
z%eUs|9^%bbOanMwOG979^1jzGaDEv|QH^7JuxayCq3i~WOtXZA^S-J>()`&AUuG|4
z2czd}5I%u@j8P>{rn9l+5ig
z;x{urjmnC>aoI&lL#>`d>Qz&tmR_Q@B^Tp4{%Y>douQfCwqpq+#O~}4WA$&ryUC&-
zTMlh;Xh}Y&obmMXlrS;NHc0q--l1Pe@yfR(oT5Kxa~drs>+EPsx7qmZJx>F4rTYpe
zTO6sUCl6~XXVpR;#yI$ijvoS?L~0nG%*q;j?tLg9r7im*b@Ry$vHlw;ZRE~1sD;S9
zd*^&J+wrO%y5QKgpd*O71Zv@tC_-i2hi^cg<_+jyIL+O|W#2Ja^#^C8#FQ;9H_C_Y
zT`66_Dz{v$x*1`%X>+>oRnaK%E93$@x7)r4d*7)|ZRg1jpD**W%6x(e3jIz6t9j?g^bac`8s=lDrubC3#Nh;7Niq;)JE+
zuZ_v;tP>W3ol8%sX9=mhA+8(DU;*zw}Jy-KfYpIMF_ntG)oBW)wy+r4lqKRGa_
zY~tExNgv{ZQHt8vLs^AKqXt3l8N1vjK0Y+h?3mm`TzsSP>Z0MhE6PD?-u~4`N}I)o
z3-;9k9-tmBZLpMA%2XeI^ZDKm&7!1R?~-pxw+!E_lMN8fkjI2t
zXVhZuZ13(vuEgdm
zpyWCgOtTj34*A^*f7|0VaZ*J6xS=>|!i&HD&Ba&E&q1G8RrkDDM?QasbNr6cx_4c&
zOVC_6$g1D%1=C+glR?|GD>@ry
z^fY~KUVRyn3aG1-VqdQ7S|6vof-&fdHLx3M98wk`4(~{ATsM>Wz4ceC3lN9H`JGbl
zKU)Z=AC$*@)^p^!=udOj4xhNlc`n
zBuT#Do@&3&E48u1oFi;=E)!{1cDF~J>3^Y5SaT+*U#V2)8Yt1W^}$9fhN~h5p79*O;+P%t-#DmTkAktT!
ztS0JvJl(VByHs;$9A!OCcGOVi(SC2Lo38B+5w$I?P0*Q_YG*0RWNB|XZKImkJk{m4
zQALTgPbFdLa~E18kGy|3&~P*R01d_r_YaVIdmqZb>TY>sq8QURqxRn5^}9{8=g+rv
zc*t`1T?^Y28ss};4kmT?sS=o7bY*ebf*`xRQBGT}#=dR?HB
zb=c#e*sjX5r9iiwk+%#9#oboz^x5F_Rppd|w;G!dl_A~CNa_}Aw!Dn5
z-YxDp(079wuyv(iZ(gDiGv2mHEJL=g`t=2U2?*TV#^M)~4G|n!w`xVXl-JJ=+Yepq
zZoW2$a8R&y&VxJB*oA04r_jYP#tbYNJkEa4xVm+(e@r8C4Can>YLcB6vTEP=RtPAm
z3b3TyF`ISHwY357zpBgzrrnyDeBnZtH;05pl`1E+I5vn~W&k~@Xv)IuC
zgjLUJ_hDy(h$qecoBQmwG)oi%HG{HDL#MT&juIva8J=wp{d%nq4gGZv-41OIB!_y3
zt^$mB#Z-Wg(bl%U@ECYsTKVZLNKW7)QpRnJuU$QINkJwr4cy=i}lAX^+
zv9at>_8WFA`vdzK`#n2_UCj<-=dcq^)67T}X~`(zG-1>Ylo~2E%?>4(mWmQd3rAtn
zV5k;UOWKXJVnQxKme5LAB#2wp>wSVZiK4a
zm_#3Z!xOomKI_#r$AY1rgzMBGPk7hIe21QfxZF!cY__MTBq
zb>I4^N|COBbOfbJ?-06D1u07JHGn`uq?b^nN-qM^yMXji1B5Ca={0l&lrBB=@Q?5B
zJ?H$-xc9^Ta>sZw_p|2O$%mb__MU5xHJ>@sGIGOkmf9!%^D_H1iOP$)C1LpmgbiW~
zp@ir`L?Ip!5{L$b7vcnAfS5sKApV;gko%BVc1b5OCl#(`wJ_Ic*NEEq+Hlt(*L>H{
zu6giyILx)hwbZr9HNmynHQhA>9uEHoPlY$aL*QTGN$@&&G`t+132%W1!Smst^^fHE
zj;;8PwD?Y3s&=MZl3R6KbX%uerdvf?L|U6?57W&)>3bEzzrY*B=8gM|XN^aVR~9-J
z#uoY)kPF=lQwu|M>)=1&pWtoqFYrEi9lQ(P1Runlc^pc#Ixl-cf@XhV(s#X=%;Mk$
z@Wk0&b<|ahKO_=fE4E7PBfkuTM~O`@OfL*CEG={`OfLLbSXk&=m|ehZBbMxt9Fy#q
zL`rr`PDu_)E=qovoRA!poR{pCoRJ)nT$b#V9G4uBoRjR4oR%DxT$1dPoRs__xggmm
zIV(9Txq|3Gj3N3FNJKYc3NeIOM0`g~AO;chh+f1DVg#{_=tPVo1`ug?a7_o%t
zLQEolAQljPh*`uaVg=d(9fS5mk2>lM7fDSexq4UsQ=nQlOx(w}vjzb5a
zbI=~>G;|oc1nq)OLVrLPpncF;=qPmMy5oB6y8jw^-F-cEJ#@Wz{r!64dhmMwy7zkK
zdgOZfy7PMcdf_MH~Z%oWbvdx78*rc
zCZR;b{&JwGpk!L`kjif+*F^9B7NCrvtl>xQ*OW|ziHiOCK!F;7VGy^<7p6CfHvKg~
z@fs<^!1C96OcZ3F!@F6Ya}2!JDE+FW$5s}vJKz9xufa7;oKguER(Z(rT4jdGF>xID
zw1(F(u3S^}8QtfY{$3z?4aZz`^z)2Fp8hXDt{RcKFwmO@=7q#+;KK=(-h?CIgKZ}A
z0hS4MpZ-`N`@|czM41WAqWG+Vdo(Qaz|=jtqR*xSPC(C^hjWR0iYT`0c)tOEV1Ua#
z@pyU#61GqA@&lF|A6&4-KhrD5vh~GV4>)glxjYb0$W+i^D~{J5u-|ZV!4*%;R2*U3
zjCURI-tcv~-xP16z{{2r|7O5u!^H)s>9dJqCEIMg@IY~UqN*Ph!EG8Vo*_Ly&Y{oN9;#Hz5ely0pt>tFlOl10nS2?Aa
zYm8!BwN6f+c083$xR7SpK6z$q(2b&*(=?`1V>Z`uLIOO-wx5f`vu)%CmPoIZpDo-S
zKikH2lW!(nN_CPGE6f-daC2?OS^Dgx2rpU~18;k{K_$NYc`3OKkjU1^HFaakQb5?p
zoe(Z1{84~z1Lu{mx1Tf%J=TJw1E)`XIHhBdQYZ{|&!Gn>c(8MStOk`{gW3ueIFsbnxm>ly7
z#MTlfo0|`lg00Dz`)K0RR@W&hMr~?nZY-@YZS*LMF!LabG4miZCzCNNC+j5Z6Gk)&
zAEVzCi4k4O8=ctPI>87SG5JMcgoN^{CT6#GF`_(deo<}eD|rVK=UdmOSXa+)!~NA{
z^KvFew>D1+uUKy*{ngv^RwfR%&QBj+G2cd@)dKR`Cswu&P9I&d-$tR;?<`4N)B5lV
zq6J2x}B5inK
z9L+QG#o|p(A#wsl)4**U%QLEH!BvxN5E{yDCGf^zQ1DAFXIXXf94AP(fz~*yqH_l5
zK4YOi(@CILQ;(bn2^)W^_%UO>TT6@#12H!UEQEjuMXjxozd?iztP7Fg;Refvntdb+
z#Jv#cUgHds%IIiDDu_n7*D_!xbHrKAKzZC*EeFU>v;%kUF`X>}Rszy*pj*h=??eHi
z)va?fAWW*pLeA3;65zw?;JN2}Z#}3bGoNe@N+JrfTG$sE%TULaL<)Ew)cmIn`e=9u^1p{Svm(w*5r&FbPgp*=$s
zJv6(u!wkq*oifL@r;DP6X0>)M10mJ$Imta!6azHJuR{jNSRFUVzNd|mE6DWgYy+BC
zSIvp-8Ka(FXWw@C17)jo=J@vXQFPZ?x1DHUKy~|^Y>Q3ghd6Q#@%2o?Kdu85k1#dr
zKF6&I9i?4z`|8Qi|9HC;;in#nNct(XHR$IwE-F-EEzHm}DolscW{*b)tJw>MPPFVIEvHu-np^(GpD6vf+4C
zfBC+R#5|>{Z+4UJkoZ!`*SZaVB?;2ocQ|}W>HDUQVkI3@GxOKN(f*}D8`iseM`LE7m5t5_~Xlz6L$bbH`RKV(hp#Q37(
zM$})jJ$Pl{V9oOcdeM3#<1ZWVQMR9P?a_(yMZt{#8h}wg9LQPIJh8i|y%9%C1q8PD
zo3HVm=wFm!wqQ#H1h)^YtU*pZFAz7gP(4@2uDa
zYEu=5IBm&mqr|&2t#}3CsmeoKzsXOcaJqx6o>#*R6u3Dl$)loJyFXiTRM#0OadUkk
z{}Dye9cjh-jx;Y^ftxHLQf(uj)4|H7I?_P5oK26)FS3_btWH51
z?=hn&t|M-H?ytRcjt3afGm%hyisDaL;;Uj=y|%Pv58;&!&_(ZmlW?G%JXn&kKdaA(MPYhQY;LVapB56)@#m3
zAzoTitl5;K;dVW)Yu-meUhi61%qXkE^?MxG+>gS%v|Cu0DG$Oud!Qp#Yko(87jJ!8
zWGHjOHGAyVT#rI8w0v3HC|ANEJ)UdOqu`5oH!S{?m>QKmkTuVvPZ!!ZtZ2%+i`av!
z?33t|uO~^GnZq)zCv|Zge>sgx*8bqchPa=tZ;?x&`fv
zzCk}g2chNA-_cCye6$sM4NZprjMhR=pas!2XczP`ngAV%R`u_BblV?y+pT#!G(=k)U|C9MeVf&Z%2HAP@KJ!`gQS+6R
zj+L>M{uSg(_sZ1D5aT+gV9-yYFg<#%3#hrN`O5S2NKL!M?{L(ySzg+T<
zYcFU|T-nt`UElZzM7Gz;u0FbwN5k5qWT#iASB5XgR+d(}Rwh?|tSqebt<0{BuB^y*
z$d1YO%OYjFWv66^WEZ{XyvMxa6Od
z>Kt+iIfWcUP>>_Y8RP_VesFl;CWAUSK0qBD9h@Dwdbs&yW@Qd&R0Xu(eVp8s-ICpq
z-IHCD-I4t*`$zVt?6&ML*?rk{*^km7XinSD0}caD
z1C9ew0Y?F6n0vta-QnHo-SHjjE+N*fkUiq-XBFPi)50WGT$d1f4&{NgjUg9G@v=D_}US3S(Ias(c;X>0?Zlb}H+r-@InOG9tK+G>T7wx7rdS4ib-u4k8@G8v)!^*L?lJLY5$1u%vyyNyc)oFsiLmo-Ui)*)
zCgco`ZfqVCUKZY{`t!6WtPCD(oR6d&Kiu@VEVxlYa|a}}53Xz+96!1&zIlV@xpS6z
z7weK-9G)M^Q5kZatfPwK5JFp`RFXC|maaZr`TMPFY17oA1A|Cay5?{dDE6rnGQs!hxo~+(?6`O7AUKX|j%DD5qAns!pk3a#?9=lHlp*J8w6ixTi{(Jk5*MQ7$Q%7T7Ux
z&y+CB%GJ%k9FgMNR)uAehnr7Y6a!+eEG0m&g
z(Jv{R7TGa!&uTVX%5~BaE6JGV+0k>)Xf|ES`=jGof|!=xF>}vpHkZz2(0NqyX_|TG
z-C3%SiF97Jj%G>mw9t;>S*DL!Yp$6NUrEX|*N*O4x{qmV-m(s)1U@afV|teDWA2wL
zqr+GdH_g7IeU^4*;+NN^V_s4%wX`hx2
zByS9)ivNhqy&8yj^AeX6FNn0W-$I99o8OiH4ZkD5F+Y@Fnct3IpWl;TlOMuw&L04K
z3A2E`g?)g%hP{Uwz`S4zFd$3^<_1%PfnX*uUzi-s3a0fI|NAq7wP*Mf&j^omX{Umc
zgLQ*+gQtV0gGGWwf_=vD(qAdR#kPUz!94gS4A>3C4EPLWkcY4#|MyYeAdX{_@WWe$kHg>
z$lWN_$kZs<$k`~-$kr&@$lEB>_`Fe|k)u((k+o5zk*86*k-1T*k*iU%k-br@k*`tK
z>zNn7*9$Lz7mJs$7iRa37n7Hu7pIqm7n_%;7q6F$*K;ocFAgtpFGZsBGaaKlh1LMA
z0P|Um{P*(BsK$}|0?oG_vve!sV=Ky$Z7Oa;xBf(&p83Z}RoWe<3B~fL5KVpn5C7PT
zI7@TU^pIO2Hye4M#+0ma8qT*F7Al}6^El`%>KBntLghBlL8$P
zRo(wFaP#SXeG#R42cs?UZTa@Rh$-R=_R=~OxA&1|Hgch!Yk!7$ulkmlD=)3!#fb8r
zuzhY>Srxn%A~))_ypWw(Ig=SpToB1CH?y!JR`M$&RnzU;bi9AoZhmQ$o_?2sevG`S
zLUVY}p|Fukd6WWG39q2(`%{Gic3SD_EuRK?>4m)Peg0|clHS)sOLN~or(C^aE~Mp{
ze4VB=QOjuim-$@DOW#@+4Qz?vozaH;ZJk(FmTfepg#e}=`P6hdbhCTL&US%rXVkY<
zNXnW6OPz9yxVE>69j_eK#mviU>Lu7U|A64SZ;-Z2rt(?7ts?{LY;HcrC@;D*m^zeA
z{SOPB`+0l}MjC};S7c^RvJjCN>o{FxUBC}abQ1!}=^wl;-bxolPNsV{LwC9CZ|&rl
zzUdcA-&UZY>eu@XwCYt5%(d!~dzTa+_{U%L8@`Kn81S2`0TFzGS-aW20>HFxoMqo?
zeVd42t2a70*kz;_&ntG!b%fcCN!4eJkatXVun^r}7cJL4%)Dp&QQU$8MuL3brAqwx
z-~?~whiLSe%ock>==*l7-9Qa&3DWtPF(+)FcjPdvi-y(*kN0)Q;s_1}r5u-ILG0Fq
z`z#h(R>HIei2@Q-1+D@T6a`05vSP-YsI%Vef6cwc9A3`yDn0PQ-zsci*ka4g_^1)&
zK|ZGWQmony3{6eK-Y?88gBzHrxF>8gK@NU2T2Cca246+FxSe2hUmWNvZ3pnU6
zIS2o>Vvv7<11$IaU@}SVL)Rw~^A2;A@2hu!8cY*d;8EZ2{fKWtfG42aQ>O!#6zPz#
zz=Gi;?;DI&t326eno-P;(xFP@bura(AE#Bz$8n0{_%$|#&ij)ch#$P~ttK=l0+sS^Y2cTqDf-75ISpRD$D#XAwPq!$tNAOr
z5p9Iy{>*|+bBbsN4|Z#QgxR=4)%$#X;c>3?DdB3PCCj$05v6YeaxtV1(QmEaS0p&JsmuS{s83U(mFKf9r4pKsO55pCJF_bC5zuZ;EioI?
z!MIt~O6%=t9it7byJ?wcsH=O!MU)nohny!S!tC=C$YQ?MgG&EDAl)Ha$ND`*hQmMD
zG5t$+Zgc)x^~}HaO!Mrj*ymQe6SI5KM6*cD*OZfep2m2}S+d;EY`2-f&$Vw_!%9;BaABz|*$FrBerLle#>1c4ne_r^V`Yc!I
zJLm6;NPqo(=qWrBt+y{V=RD_Kb>GT#=Y4Ukk9(aqd}Uk%YaL>7LtHo6AtCm*3Jdlg
zP8IqzmCB%;pC})1CC{}0DP#9hw}aLq;;G1_-lcO
z9KWC8#1*CzBI!u?qF(eMwTGPN861-W8KQGuU}X`x362fCWXBMx^t{%ghEGkS<4&>8
z9odl8O$N6n!
zSZp6TEO1k?^zJ)it`4pR`QuZ$F~V1T*scHX#PLTuCHK8ovJY7^Vfj{zsKH`bK#m-{rL`Bf@BYmxK(HJ?kc&Ll7c@*hK1frY_7RY$F!LZA=M4#oTSm$HPf+a9!~
zp_m-rt;N}YQlFn%k7dI=Db#s*7mxzqdY^hJ9jpuD3^n4f=Qh=RS3m8MF+zUTZiaFX
zki0aweagxy@^WIP%het+BgpMAbMR?dHMfdvD-ZjMJ#bki*Y0zA#V5eMQ`HB?;(=x=
zxte5K3D^xT6EFRc{rDFwf%_>Pq8b+0ti(|debl?9JBU@tkD}RnClzk;BN}mLm^*LS
z4VJJQJc7xjlr(8u$T)Y?)Ik*zZHIb
zZJ+z_A8yY2v^2otn{i)@Bvkoyiyvt*dy$uoZp(Gt{F!Yk0YzN(dRG5I|Lm+xz%oUg
zqBM7CR^~7QbYIXo7u9*ckpMnz}-)C|o
zoTIYV?+#7Yi?_x3YCwu5XY@+1*I=m;#`KV>q{HNu0_!0ynHN5OOE3$Tn9VBNe`w$N
zqLTDctHT0TO6TtDRWJ)pBX4b<(ZZt-A}yiVW^xY>o|S}wK*)3*?S=s5qG*sSnljw~Ijn77tP%U?Pua^T8{za}oUMc(qR~bx3WwzHjBTJiMhp
zC4KaAsPR|&v|H7rg8PAJA)*Y@qsppd>PIf|5MeCKJS{>ayKcxve11xTI#u79e*S$X
z12|(3QTqlv*p8tmd#o@pPKe201CM_O0)mz$EV)
z#)T;IP>zGCxG=LHyYzc=^=C;xcy-Fs&qYM?+Tn25+_U`OyZ0-Q^8w7b#_Ky^V)&Uw
zYKa5#Tl$3&b-fwwa%uXPvarO`qWV%A%i#}}!_Q{ahSOhF(eRf4#bSDA1;+G(!G79d
zMbTB677CS4@dT`jgv;Wy~-2lj*wnmx7y=a%7v7
zvka6>1Ud4@n_$pnO81S1y1CY5%G4>Vh@T3E3dPzh$BmJDTQ1Yy46WLs+;W9Ai$aI$
z;?pRJ9x11#MGUP8Rp~k!8JI8ZgFw-H?EjirZ;chjr1MNy@=
zaEA}XeTrf0OkK_iKO6f$m;eF1g7j20u~9_-%dJy3zKnk>ua~A5o0(q@r;mq%+omv&4W&lwH1PGyGy0~J5A9zx5${`zxFn!ceE2s-lrzaMlkEZDt}`HDyAL$9*hSaW;Szo-uR4>F-(RKl=c$kb;YnFJk^6y`s4x#HQB(!ns8omGo^esO}UQ
zk+*%K^B;VnUPML1x7l#T1R8ry`=b%@G@j3eYz=G|Lx&m()10XU*Li^@og$gpG#aBs
z#dcwnLS5U2wjW{&;%Q_?iE`}1MuoaI(|(>b5a!S*KNnJc_Ag@PZ0SRX00e2yPXyOr
z0DIr{N2@2(bmsgIFlS><0{Z{O|2mavG#c~k|LOj>L*2Ct(d4Y|T8nU5PycP(zR@c(
zJnS?utkFMQIT+)ZPB$woR%!2KGP#(l*d!3;Qjq6jP5G;rdoac@iLUmAnC&~Kq5OaQ
z{?kEh{wu7?rAxo*XW8PRuG0mlm~S#&+u;9iZn(k~;AzF{aw2}H`j6-t#N+m|ik0|x
z`|nmi$T-FIG7O7VJP*T4ofxbHHT%AP_Aotp<^b5ttunDK$Tm>)Bbz0MH!;4HdciIB
zb%spS&*7GI%@j!$aPy)H*W@n^T8$J*dtuW*Uyt0H64@}0bc}=JYHIA@1l6)}HUklw
ztoOj5d&0_$xW4w>p`VpiuhQWf5C1|cP+0~K*s0Thd|DLY&_l4_FIB&?jZ;o*TZKVG
zJH{|&i7I)hf;6=<#%9#t@3Pgolg~Ftkhj``mw(>buQVu~G5fk)q+NXZP(XYxEA
z#veCL%Qs)~WVIxJSi9%c>B&CxI_XEDV+s;}SR4L?9l;PZ@azTu9Zu{LA$C$EThRl#
z+zw|`Y)kT2Lkciv=C3wSUdM6BT@(4d4(5nQYpwZ-@6+tY)TNPa3$RYu4zevTtbZq2
z@Fy)7=_0E*J76U!2(J~9-9Ywd^#RorxeHk0gJNxMD_S8_RkL8KS;cH^f
zgaQIBL%zbu$eOsp6H1gI0CGVb3I3e{npj%#XEc$6fdE&4{r^jm)2{@?2rk$wum2YW3sKzri&ORzu
zz#?BDECNXl{t-=o!lx%ljUy4&+G$mZ>V
zhl!9=iX7sR)JGaINmK`Afq$-u57UCh-ou}|;1h0;QT9LQj+ZoeW(Rv&X%R@@`JgFK
zv5S_fLz%?F@__vrkd`Trn;Ycs7YoLHWSuVXiJORD3-kB58Nq5DmDWj`UO&w>u1010
zh4pDwV6WTpQ}*8VWxpwx{&b;dKm5vZ*75@8PKay_RVP*&^fao*H623CXVehxj!m0=
zs=Rxw)WP%WkKgC{OKeN(aU2&G!b}26Ks{GFHJ?;{zWo7o70BEv!DL5M9L*DsvIJ7(
z4Lf7CN$b_0ymw7<_bRrzv_W@gS1akH_LXutHcuU8_S4@e{azIleAr$gh(C0@zHJ~;
zN}jg9(ocWapt>YiULa8+C~WgYE!}dC?RK^|>hdcMSjtUQurbe`9ds9qS@=wt@x6S3
znD@`fsButLGkee6mI~yOj{jiVQO5Iv#9d50(Y02_s^68+K4im6-
zh$)9VetPP&okEe5{BCkbUGmL)5wjgLc2u*%lGGedNO!%M?Sl-Evm|x*X+6n4HL>5=G2qhCH_%|6mHJ(SF2S{Ccb{nX=!F
z&r<&jKh=+JT1~)upITCC9~sSd;c!f?_YVrkWl!we$r!e9RY!hH?h^I7d!IBVYxyo;
zLczGU!bvYXW3eNvKgw}~NZMKng9%sPQ6G0U^fKNA;3ob8VZNee(Mgf!7pDTZzn;N`
z&6>t*KGx`xPZ4yZP`1F)`k5~Axsv?&zZRjW*~KJXZHE~Rw@hilPZbH`pqL>`$1>r@
zrp{qvr+?RdrJWVDCd}c(_Z@*G2F!j5x+#AbeK95)(f
z*{`0}?@0~WSnf;oN0K<+8A9%%Uw^7!;4cQSaeolWzlTLB`lgTVbOA_R*3e-R+A26+
zvryEq-%$dtOqB?J3OJMXc=lemqOM_fx`HR%z0zoAcNI|&{=S6X)npod)=8Z3os*u+
zeh>VHi>VCNy=W`gHTY_g-98N;0UvH&x+|PBqPAG0H7YfqU2p|%I&Lo?nuN(
zVyOK0SS+u}Kat4mQI;hKtX#Ah~P_TR<0ou3wmh-rUEaQvK3LLRW9oFn{9ZACi=
zeWE+K#!1#HZI)!#CD$rh)z-<_obkz<%2P^D%=4CE-Rccw<2_{Ky<}oDss?b@@(MCN
z5dLm`hzz%L*SBusj2cT<_#Sjs_s9gNm2<0;m9wlvUdzO=-YfUhV;6kh7j&25m3Q4V
zU1UeQWX|nmGLVQ}S5}l0jggJD<%Z`lwKE}Dfw0mm;JIv-2_6t&e4)8}@N(g?&*ANNb3h)D!x0Ir=2QA-G^b728UjF&u4UYZl
zo;oS?+p{};vRp^Jge1JQB)sG#7?G+0c45pBuz?Uc;8Cr*n*8nIPs6p4qV5Rwh{SZV
z5jTAH=5k}Hy14hR@DFOZ_ZgqV0*HIfUe{>wTWJECRLTp3qqriZ=Q=2&zgo5GUlU20
zw7zVx#4!xx3HO<_0_NKBDHzu$&->3MK7l6C4fdKH1|{ZnQ$A9)HIg0Eu*@=p-k&uS
zZlEeYY^`%3Umvc>i{)ZLJ@6^z;Rl^kh!TAEB4jzEMAGAk>RS4VbSDz9TvCda5MPo{#$sszngxsDARE
z5VaPm5myTJuGu^neN-Y00r$S`k@{7nK)eps2gk-8X_ZNA=IL7L#VDKA8!D?@51?Di
zyQMlciNP5~cA_cI$}`xZ(coPsNe+b}%7A^2hV{;EQ;;&S@A2HEC(Agi==Hr~--|BQ
zYU#76jC3E{6NaIoIU=FGG=Qk9oo^6lC1+2>w!7^KY;2)>s?M9VBu#UjPG{e|Pj%Rr
z_8`~cuGGNcH+f2Y`2oYarf_#jiE+IW%T-RgZq1xcNsmZt>3ngRf9c$EYQp!|QQATi
z=`@MMyl>PGERFjlW+h7J%B&;;zMefvBLf5X*)x7HW)v?bz3=kU7U|L#0qUhE9nB<`
zfSZtBM)fdLE4}CyU7;4O+A^mWm=SPGsex*rwn#TKppVU8D{8)8fG#aNCVgbyKH1=B
zxqUXMG^8^UO!xHnK%J#HU{XlujT+sT03jjG2%3`C-^;?x8bf&HG%LaeVeAelAL!&z
zQ0snxv_h4x>QmpJ-WQ
zAv9?CqE@7QKE1tZdF-h5SfDL5
zu{kSw{N2sDVqbuH(w+A^G+fE@OMeK5WBpEmg-n~vN8q)oOiT-j67Pf
zHi`R2eJ3rNGQLKj5g#qK;uEQc-&*2#-Dov>?h36Yb&T1qx19X#hfG>*?v2d9!+PLg
zJAuhZvp!tz{J`|WikaEkd;_;Pi=K#{XaI+f2ASFLOR*`9qgwENAb>cLjV8(

literal 0
HcmV?d00001

diff --git a/docs/saml2/_static/css/fonts/lato-bold.woff2 b/docs/saml2/_static/css/fonts/lato-bold.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..bb195043cfc07fa52741c6144d7378b5ba8be4c5
GIT binary patch
literal 184912
zcmbrlV{|0Z8U-4g6Wg{k$;7tpOzdRhOl;e>ZQHhO+vu0M_dc!n^L?xObl2*xbJkbu
z!`}OJxyXq!0|5g80fEfP10jFEL(^aafy^EQfq*W5pZ$LfC-Tz^cg6%lAE=xZ%GU%s
z83P##Ch}7_e3%!Q9fTBg>laFZ4+!iQKM)upcoi0;?}9Cy?@z6Ky%%>tw~NKKJ987+
zBV~BtSYfP`gDMdo{o&nFop4
z$oXL1NPsIf!3NQIe%V|P5t^GcXU(bIn+oI0I-(Pi^QdP;c44Z{(p8IrT9|(o@c+{e
zgFiYyCq`u`THS?5MRLK*ACtv@7{O^c1iE!ygQLbBi~POQITE#|&AQRahOEN*6Bviu
z#%`Bd5HLp>&z67^M|l0_dyNq$5JR2#J5fad3AW7A!t?I8)8oR9TY~KYyU3s)D_i@a
z11yTUQ)MCg5_;oAoKd9dC}wRJky=DZ3=JvjJxLW!MJ5+ov)_-j=o48=R@V7<8*chuFk$gZVlS)hW+XSPcQ*yv+
z=dQ`KU~~{yCXCLFHNap)&|4zIBLxaPG_@r27@b>6$c;ER39AK`c+&{~)fCy+)Ig^PvF=n>)aNXs*}#Ju
zC`&4U5IMy(qO#`8Y_#Ys?CTE^s`)AFmSH$sYFB_CNIC+A8b(OuA5gYTnteGD*Dim|
zm`<
zP-qKPZA-Z>wQx%4dq;`5MrqV1Adlz@(6rq4=p0eJHO(2$x)v2Xv>#SI=tgjq_mNM9
zSeMolu4dJTrum0spvic0|>+0s3Ne%cRrmsLmeIV24Ar2*cj6sSplOh!8
zG?K8l$+r+eJ3e#MsuF?ogYl|3*}@g6HCUr`vfyTs(`T%XWXiE)ciE_NXF^HEffX2?
zI$||g1S7@f6e1;ke?#WV+Y?yfl`LJDJ^rTN`JFgSy+`z^1NpRMKtVR^P4P(gusxb<
zBNolQ6$;!~r*uw}$^R~|`5ehLYe9|kOv$!e;!ly~cxQk%%-d3`>u)YOc~*SF*S!~6
zW)&%G9L!Y@BK^~0?R1zbEB7)rzc@PjTKxASy0iaM{fLMlNCXk6Do2sS+v>!#gUz|3
zru)rL)JLA&2MA~f9rT#M+j{u8Kk&>TA~~dg1NUKq=e4(HYcC>L>6Ce+_fGzr3!%8`
zgw16sXLJy)>yov~W|G(|%lM_$=E6pSw_9#H?uyuLhjRp_`*G5STTn6z_|X$ZAB9uA
zD?!>G)@d3rSBLjjf?2zi3M2`V8pT}v3`}~&@zRK+@AlIhWmu0GR0$^)KM{AN)D5p{
z(*(mCsm?v1wWC960!6B;-z5$swmZDRzj_256s6!zjU
zKe^e=IL+RdZ9Q*kxKk;H!%=tziX$o0|hyWToE*?^U
z#qZ5^`)PPeKeI+GpJpWz{$eb?OjW1cv0bvE0AEaWH)?UQ$in?tCw#irr)k1UPC0CUjx3q$d#}W_Qwj#)I`PN>ta=2vj+$Z7=E@r?z94qmL%Th^&Z}Rrs
zEJQ=}m_OoZe>7$ztW)M6q=-5DWNp*UOhoZLngnSoX`K>k~HciGo)FP1fR
z@m2nMjWP{ikro4YY_MZd&4={`p+u2}$j(dD$rV?U$avGHlCbAOYKcX(q)PC6
zOGH+&(_`3gxfAb%CsFTnpL44XUlp}PSJije9yXeu!IC$A$2$=JCUHz{=bXC%lC=ev
zV=nBxe(@Pxt|Yg-SL+wrLlm|)E#uO@qNxd$%>1WM^;|3%7R6Iv_4IJ?j$Gj
zXgOgvNu34|YteFA{4}KcU)EAdQE15(x%&aHOEG8;qijYzBu4O92IC%8WZMrs{aMD#
zS!&g;4|EnHixxi|ao8_VolB35+rlsirm=WC1aqbPmKu{4Po})->pS##s;e*PvJw2)
zEp!16e1E(nBC~cBG#mSj=b95%y5Qwz_v@m-xBj2nY{dkPZii*OvbGot3Y
z6rX9(KwkC+*QwcaIUl*O^v-%J)13B6iV6Nwt4H8h%`!UlCAMXcn$&b9h?oQgReeRD
zW*b3f7rJDBsRA_9g%GVPtaD{mZ`~L=2MC79GA6lnT{s>C?AhC5W#Hi69s;5mXmJ0a
zbsr|GEjv%QB#Ds7gQ7t)TKcD{0(!3_GyF
z%O&UZVGPG5wK?kAAnVvIYZ&1s2MX1bMm#$$@S
z!*`2Ezhg#xH!A_eWEKb&bg=a=4Rx9!6D|7av*-4+=aVj!$oC}n7oUjebT2i&Zdn{B
zZWT}Bl;4FZM9Jnx0SQ{@$Sv#Itzy%kSRO2l^O?!&wIDyA{-BGuyj+zIaH{V78Uy(j
zQ5Ix?8Dua5s>5!{l}UaJs){W}uentCSLl}BQY`EZXvAUQ
z6=y$NaKB@`4S3c%c0y_fZ?Fjde%KFv65<|}sYc$OFe@_<{5^kaNiE8iGO+dhGM#%n
zollJY*0;_uolCuCz(~jw!6~5jYxt!5fJVV=Gu~k#0PLFNg;ZsirpB`emkXxBvJ>Xz
zjvOmt9yQ6rEn`S4r&>V|Jq%rp#yc`%%tCy`sX^uz=d*he!2Q`>4dg{x4#8DX_>up`
zcM7Qg0{`S&e1&oR;l%k6AliKbDF4bn1EhapoB`Uuyjibc$<1$2bn|#i0NHQP=YWVW
zhI2s37snZ(>FfF2yZmeV6d)bX!a*hN;EMRL98~?Q;Gx2u1pOFc79jqad;$pn3V+Zm
z`o1Lngiq@jZDyObXj5UV{ghzVTjUck<4u++v>>P2KEBYs0KoqQ%&v+p&siWWa=*mA
zxww0LY!|0gt7-7emwV=ab-n?LodN)I(blMqG!|%oY}A{z#8=ub5NM~W_j)3#YunM(wy476!s+e2E#TWTr9oYk~bot
zT~9|Ce-KLWULX$(*HB(CNAxc)TzLa!SNG#M4hYcr=vdBEo8wXoFGRk5zFNcZ-RT}r
zE$&!tz>9P(8L|7t*gtpEX^DUV383e(&--e&PvjaztTt5C5y*MwH#*ZxOwg;NKfOv0
z$Ur>b#mMc6G&FzqV{Sebeo+G0`cQTkz9uiKNV%!vm4|RY48MQ{!oa9z4}EIvdQyg-
zzWCSAw)ts9=`qE}_{&R#rx+Q9!$J&6MRP4Trm!#$pF~=pf727Y+hs)gzZ3y$9>2OSR|Wp4hF3i!
zaZ!OvlmB_cSU4&_EPet^=zlbF*B&~wpDwDsEz=-D$A(DwiTNygcMfwaCI6ct92((D@~+`GwfPTw`fCxYPsQafqzQ%%AH@2@-|Ta
z{L!Fh16HU_9kic;^qi5T4r2n3VhOgJB6betC@m~4G&k#|U_=h?lpDxmG9|xm>l{^H
zmAhQ!^GNlP3qu=EECXC^?LrwoM#zwZ${CA@V(QCP040kJR^<7x<}&W2biGx~2{AU?
z`0I+WVA7!Xh(?K*qM`^xE65`&Fv5bO)PUyedVYHEUwV7e5Lkyf{8*}+iZua+lHmcq
zsNH=BeCqZ;T?2I@Wu_u+GNP%gD*~%I_Jr{htxC?T7{I{DN-nQ1D~3Vg?P37g*zMqp
zD4>eWv*JB{2vvfwTwiToJXk@g*M~_K{yODM5|*t&zR25^ZHec+1}vL*&P!gB`ePAO
zb12&=T)m>{&ymxO_JB0)rx+Vb483oC0?h!yARw*ngOY+7HB!#Ys+Bz*VKRL&_Finx
z4SeBCWt3y4-jm$qwm&9z-9-Bl9J>eidFFP@10q(*7XnsEb8ar=quK0O{Mb7q+YwVN
zt6Lw~;BRF9+B_+ThU0I6pR+NXz_Zwg#P_L8YADi1qUphN-D|dMb(V_e`%LXS!tnf;I5KgpwtDDa8QK1Yh?&%S-X
z%vi(nD8uqjO8D>>ur26O5B8qB$$ok?;LxdScL39i_*UH9@GT$f@T*!j4}((KU1(`&
z>?Q|RmC3`!OQ-WOh$F_A{77g0XkOFjTfe8EZ4-_upe9=pkU0T&R^qd^rO~@=_i7w7
z*n!Ew{X>P`=ZkQPvR9GWq7XXd7s$9`*Ao~16#S&VwryD$sLdd}YQ(0C>TBkzC<3iR
zegk3u1;%(*v-7Zipb1@x-q@u{@LQj$2Zufa5SZ`my?w8UD)P?-?0?>TdqK(dA7}o3
z3Jdd2i7#9_0ENDLrmrXyMM@B$l(MVbP*}7%lJxX$H07gBzWj8o>e(6E)A
zlpQr5h8TUA2k7Z5qeKxEW*8e*R^<>DVKY$ZZJ8cp**7djKEo1tz!AN&QDPsk
zgDrv-$J+>c)Z_XZidYf&Yk6B<8#O%@5{oJU(Gg)WZys2?PywasRtyivz^=cB>)vWx
zv%Er6VlW6t^RdHN6|7cn5slCUBQ_oX8bxb7k-h9g9SB-set@fZ(IwhAt>aWm^2pj4v
zw?N+4U6tUdkmx&gZvfC9+@44#D($xyd}R*cBPA3B)lWX2f5qVY_-|B1iRS1odfA`*v$Se5O1;{)Qp73QF2i
zyd3Yod&m&>0lynj$?z2cLsI%w$~V32)44cLU3?gh7ybZ$e&c>tBZwI|H^=
z?YWn-hJX$Z+LZ?bzvXFs;*&=A7+@fODXm&1NtN)6kfU&c;U`43==iW3{g#zB80wxT
zDI`IyE6;N9T`ljuF=Qo0sDBXh1KIQ}@lX!=C}CO;)9pkLDNt<%s&B(aE;9^31o6Y$
zqL4Jt?a%$qaSb95i+}9nV0(lVPt2;Jx6l3QiRr5Q{G}O5nuR21^DCL@eaQw(%lA`>
zXAc=WH(G&`rD%8#9fO!8&%lhn&Rys7)|_Po7+12+TXZp0EaVI#$5%MvMu@l^b~1_r
z68lC7v6wO=ld+1Z;4rYgGJkOKRLQ8A6J3|j9Kk3j5&UNhFpg!oWNTL5&r!2_<)YTO
z+$Kq$kLXY3Li|Tjq+ndaKfPbT#HZyxW_a}d=T+c@7&0RBF1Vhh{OioXJz%}oWQWNQ
z#7%#UWZc*eIGWJVadLUNG53UobuZI2yR0R$9p=Akr0CIlh*b1g#P|9l5FCBwM6}w>
zw5um-detMc5CbW?<6eX$0|kB&ym6BT$mcw)
ziZ`&-6E(9o8mRY$Qr^KlrT|_Y&jI8m8jHM8b
zVaTAuoR3Z)qUydfi<*YW=f__`c}EAw+x^6$_4c+2asw$!K(~Q;%&@OeXS4@J*ZxHG
z0UJ|vIz3#6yd}p697+h#ER0*x^R@LeHRSX4gjR2_z~leb_v|raG-q}aDpeH5QCG^P
z=n=&P=yoC9$-jFPK=Vqz;=on>x&fIK{cu?}!oYSNh4sxaQM73s#WPb{0BLLjPMmGA$g>T-s*$FMm(F4PS
z_XPmBdhs1=dSrWHx{~BDK&n6Gi}noqijlp65%A`_$YBQTE*Otp3H!TOHdW&V=#pkB
zOKP537^&5+?8z1SF!t?Q7I3&n8c&h~&{%SyHZb@YJZIPy4cdSbBS
ziJwDb$H(RDKx<+bGQ%W_77r6?9`_cr;CtCLa2kI-Bm1jY8b$<>Ug!@Wy4El`M`gZL
z5}L8I48O+1)rY9vz!2|wB9rI}2!9-*b@XK!izkr*Oy2stLPM52Q0IjwxRI;%)69!P
zExopn5Gz}cYl0Fpf-~@fY9GL*keEHT7st5*{~W!FVjtuMV4K2Uk9Q?w+CoVJZdCmGgT@f15ni
zUz0)5q>$(RoFM+lbuD&9`t5UI0AC029KZdWNm2>wh|-x+O1$4(K{&-(?MElT(omZb
z_~P5YdaUh|h7JXQeQ|JGM86lGXO)?6YgI%Qo@K>9uybQfeeg-=D@;(7^zBfmI@D@{
zmu2GYfnRYtIe?(>s&jN;mYK)5yD$I#0Tlv=l>Ws931-SD>7Y>^6*H^qOEX5B0R`SE
zgotG77F|(y&hb52W*-P9D(uaS9_-c^Og|o??KY^dSx-Op34t}BJ`YUpPapWURWL)6
z>CU#q%z>7I(!#n*{NOn>OsZWDXG^knXM|rIOnD1T#Yk8eQbaEy+<ciatH!D%$#@mh07a$-mRg<)SS0wP
z+lX>B2;URdY`n;sP6=2D5{KHBSS19Hc@f1h2>Mjn<2-F1|9NG26Gvt9b>PXV|Mb_c
z!|HyG^Tg!8<*{GZpQJsK&kQ_Mv50cSQ_4cfXh4$ES^$F8g
zg!lZuO+$t85HK+pNXhjJZuTA7HZy`bPy#eP6a@s8aEu@jaW7w&twzyxjY3M5RY)ZH
z{&Z1&CE+=dDP=mf1X?%XOpVQ!uk)(3aN}6)GH1EF)Ovy!4LiRY!q-O6%0YbePb>4*
zgqW{-BBk0nl^mr5xp;<*e-W)IyaUymJiRiKaM%F=FlXE@l6T(k3wEyX%2W86`z5cb
zbU3NbH(NS3nGYl*8IUm+KQVY~PGB)c#!8s2+`Rxs0
zT)B;di($ww2xP{`Gm?}W=}Tql&~)n0@82$*rydb=YE}7-+%RzLa4>Xekb!mlnq?~W
zl2vznNGY-rPSfKNDY4Y!dgh-IQ38BAXGzNQXS1hQ$K)YqA5&P^NNONHJ@KmPd_Y4!Rq?FTPJSnFQiMUW}4g!Gy!Mk
zrf1CTFtLS>E|?jB?X~jFQTR)muAQfa6dy(rXX^S_p4Hdt2N#fcm%bHhW$~&ZWivv>
zlCh?$A+@wOKxL;Uh=G*8qasQELiW2pvsCWt+!tXfYZ+_(YDRsxcwel7d7~xm&2y1v
zA$;7N{E>~*P#R%^TN`2L*zNZF<|M$|n|~7?2~oMQUdMd~?3mUck=uWdh~S_$GaH
zhLZAe&1D3uDEzn7ux^e{eRZsb1Y#`(#A7rSVJy%DDhq@Klp|u?26Xj+V-JkSu)^>T
zA<>x`A4ZkN%ZRsJD;96m7r7W<*rHw{%2WaB<(}@wYBhTBP6R`u0W>2JKcC;5YO4+s~aF6G2j)ThX(O=f8NEsY9FP&21;aS8#=MR*k7Lw-ZI_CLPpjR
z4-gIs2@&oH7ch!ZPr4F1pj^mQdDRLDmyn^%UHbUD8QW8d=YWDpbg;DC@5LR8v`3sF
z72Fm0G|lbwMiK1#v5{heW(>B32h)HMW5aoJ$U`i=5PUv$GZ
z+Lr@CkA`Bo7EfF8VPtLBdGDW_=(N4{FZ}%HG%|E@Ka<+gvqn$r0Md8Fvj4^=5heZk!jKp3ana@R%@W8BZtNg;pFk&MCPhY_V1Ow
zAXUrU7&f(njp6?WgL73)lNUJ*D#P-mEiR$r)+bd#R&gacfuXL$J5{4!i1zX5?7^jk
zI&|jYucUNf)XD7!+kkDkPu&aLDB299UNmXa-$}oa|Gd4U3%8n#u8_(RIzrpF!2%4q
z+$2wGB7bg}4cJe3Y1QnSA7PxTHD+&bIOho!tHUTj5d{!O>~Th6r4^-WO-T)`g($7i
z;ir@l;rq?r^qPJ!r+aoTO~}f2YiEK7auT8rV(!Cth$p!)2k%E?fW#DKFB?35(#8d~
zO(!4zNsvR<9@HEB
zg#)4I^t4k=fE9#m?{OEHO}>5Se)ow%&i8I|R~}5-?c(zqA5EtPwy1;U|M&j*W7@}N
znWr@@zv6`!hop<8c!`a$|$5N;u_T^H87cwNqg%CGJXo!g9b%1UjePWgQG{SvMA!mZ9O
z(`J@9oS{p+_lXP*HZO9WCC7>_p4|NQ7uhcd6WMYPPm4csHN@;80U^?ei}WlC
zsp!~v9}`H%C1k0Jb#>?A=N+tY
z3j*g_i~qP4yL&UTD(TpUN&x-2U#wJBzotk})k$ngeQG5_7#^)!o`RtR!uLPOB$9|9PmSfSZ|<+u0b=}Lf_}%A^?-eaXIdPkEbjG(jl{QA
z&5e5I@EGVlyP`|p@NC
z^GEm%1QRGl2|E!wL-KRYce~<^SQfojoyu;S!$Sd`ZJtbTj7Qrk3|e(C>Wl*ydJZOk
zGarQnZE|n47eX?$ZpRC&uH~K!!IFqGPI5z1N)c*oR*+zEy{Oe+MRb6krp*MzkLd-3yz`eXA821en>_z
z<-VI)2T1xXqWG(#Vxe`BcS;0gt${F!bjIo1CFM^L`qNWm^dU3Vy<_bz5i&v?qndj-}JyxbRAV?nQ74bH;5Y$e|UuyO-d9AJ9AK7(j;+U`CMgzDGN*iCT*b@g}2#=Eq&Hn
zT!xhIi#B)TEOnBgL4}M2iC}Up-V#=yc`GB4FNh6Oc
z7Fe6|*F6q6gbZ4M@K*8GtLqp)H;|2qD3N1rf<(;`$2bGO6Qc@sq|7L@L%FVugTpPNs&KtAWCGvC{vGXsH1iJ3q+kjP3bhqSujQ!ghE=FpDN8ce%qH)
zZPy1yvPy}Em+sJ^-$YASuW9g`BUt@>yV_R{5^2}cm>C2GA|TY~7T{D
z&-hd_vQ|xg1CBcTuM%h^DO`W9Ciz(Z;(>-pgw$PmwQckpc<+Vql@e8~V_bC>?9p){
zFV*0npWS*K@_rr=3UY?r^{ccwVY11!iclO0b6YHvk`Z$)U
zzzB6VdSebj)3qb%&s;K&>)J!Ec2B^=;#s_LR)zG`C_Nxz-p_0e?NvPvx$&bMjdZt+
zfBIK)K|MnlbERRUPiQxKczP^mc8EJQxK=d=>WnOHpn-1KrNi+Ddj@+NsaWFi!}4ep
zc}A5O%s_Y4sB?G}Bq`*TIJF&g@r{z`GR(>kxI%c(um?$dx6?U=>{4&S5Ji!0Pkuqe
zl~Nh4#Y*Mq%ZDSZti479UinxZIwX*4yE92OW=}+lMX}2>M;{#L>QmY_O&)fT_mR{>
zU`EA-j7FGQHoi{PjrExO7rPwDh^ccH8V1B691f|ZSGCI$-xlI^le)s=8$HO3M%p&y
zMcb)u>RkW!f4oN2vRA=(qm_J&Hjk91%wP?-Y4$AgdrpY|tg)_k{49
zK>iu>m4NS4(+e6i*BmjE5auddC|?j!i4t)nb(uR1_7R{U
z;nbE&>+pkXwO{L$g*Z>15*5a{C_?FiCop=(-@7<8bXRfY7U_w1Zu!7uDbWU@H=|Qf
zj@xcEnj`*dYKebVC3~x-I90e%p;+`>d%plVEwX74L^l78wvT2{*=prw5_;SGp);OB
z^QhVBoQkmP^Q5z4SN9fGGq1`;^>M3?SAA0q*5kB#w*rpfw#PKY%B!}F*ph@OzrgkA
zRKXLs9~9oL#h&jnTtr55Bf&${(L)OTN$2A;_e0t1@-Yjqvv>XZt29@SG)
zEHhf(8Y2U&yJN_01D3ttE3=TeJQ)HDaSK1Gv~(jH#*%=C}OBpGW-<&teshW}a59S|g=bu;7<^Hx_
zo(s(;ip4&l9Gurv?+O|tqf#=P`
zxUP~NeWJSpihREflZ@HRt(-L!*gg--Mvg>gVKrBke|ECc+h}!o2z*Sg>!J>B-R^B9
zR&U&QXUEAu0XjL~L&8EyNaeeKo_3_L7hAg)7#m61c{$v{gh`H3GgNcY_0T=7Nv^=!
z8)3C7a%_b=APCRhKG$L#|1JGnnB64qBBhOk$KweqMDiO&iDgH3#nymn51;iJgdhV+
zG;fBFY}QsH0xnQ8pCyHsy;$2G-@6(enk9B1uG5`V4W_fhQBq=V;fiM84t8vl=hytz
zFf`huhL2pOrral5J1%UexR#JYCYvP14#h_dTRa9cS%kvoBEFVHxj3$O#LBT|}W32_(
z08#(o2=7yD1s#&k_s^}&+Wor&gLsdXLO9cU(Vvl2n9m)CqyC0tF64iw(=-Q-+!%VQ
zSO^Zbi3Ay#Y!98dXJNFojI}xk@kFW`$W|n?-^37|`AsRTufw9_R%2oVU;HaVE=@Zl
z>WMivD=_C1HvOe+e|bE_xW75z#}tchPt=*?L(5`7?lL_f
zm!YsCU7OUU+C!tA@~euP=L*N7=T)t&j;$2G2=q96aSzyB1XYvp+V?1nGtovs(xb?a
zJ`uFuQrJC1xDZ@$Z2BKN6lXq`IOWn=6;@;0jft$oJjn&?7OmvqnvX$^oo?Z69O$N*
zw2QoTJ*PVvv`q+&n}jH`8iR?}&xf#+4`zn_9430~gPmACGs+NDJ^02Z_4jx~Ar$eC
z`Z1beq`#20=Zkr!uc$6WOMMTJltUcZx+lV;6wfq@;@7ry@9B0QI
zEz@)^j0l(z>Wp@Yx+4|5nyL`5{)kPxj=>2KF9_X+=dGK+eDwQ>&5QM$S;L#N>GolJ
z8=9%u6p;#OOy?Fq**@GRaNW79RV*my5#-1s3!TFkY!l4l=rr^hWLh>Ecen$JaH#uC
zv6^iz-wKRY4_yyMP+7?3n^K*(nL=bAoe#~y&acb6q$lKFfdyZ)qM=;u1z4*3H4m_)5mrY)j!reNKo8F^36iRWk%b8h95O(mUd+}2pUoYdRahdXH{i@sjp
z$3B#jF?_9Izcxg$+8WmxdAO?N<)K%odz4!nRt|QC^?POpHXyPv)>s*FNqydOcZjPl
z>p_)WKVN42h(<0mE0m#gbN(i3xaP>d+PtWV0@YevhrA8f7f}L3l~JB?m=FDmg#8%nx-Ee
zfxg$1T}0PIR3y!&&kTAON9hVk
zc?DIcdBFf^<8SN|dB`S1-qDUn%5|73p^vV?VZ3Q<($drxXe10NAY&l1m=LQ}y&@p4
zHw0_}5o#|K6uDx&ka8>2!Mj^fUZqjjaXvj2k%!gUYi9UUmr<*Nz5REx(pZv8|859V
z*e;mFsaese@lRbO_zAxRA1r@#l;#tX4jS`6%uM@Z0|pq}VR?hDgixubPlmq{|E7vL
zHSBZ0BR#P88#){=7y9(t8x@^r&P)uDlO-#J-7&vl^WE3}t{?rQM0)zI37D75-Mr-1
z)%Ic`(+#>Vv`?nAP-t?=2rbFBl`yeC!S8q2mW7_`vk24eaM1ONs`KQFWV?;r@7~Q`
z!OF7EGE|0bMN{VG)t@v1Nh+{PSRHI`5OD(*b*uiu+`rfQeE2ODo~LZyW@}2NHzZ1H
zaGjLIPqm$trC+(@HlN)v9-E%i;W0umqBBm>457&6Q25EnD&fn5!$A1hLP2~#)8zxv
zt~8(p2?XQsE^iCeSjiuKs0Mw
zdt}P?@^Iu>){76drYwi;l*@=6m5hO{oUU#S2+0rmJ02Zg*v>aS2E2iKirLr9KxY_;L?b`aTI5v(7SX5RuxuS0(yUR95BqDmgdfD%D7
zB~wi82&bo3O2m#t{|`a`hZ*Q|^IUhNZ2swU5<6k*ulC&ar
zotBuZPRyZiIljGBx0dIu1-5R}bsC6J1iHww58)SqEz)0u%Mc>f)>k9kO;H=`vdnE%
zoZ&Tc8Tn1}r?6jhLDp4Y;!yB5N6moEw0ypHkH5ShX7$`};!A-4BTW1cD-zQ4T;Qbs
z(;=?x+Kj%blFRy#;+%BSFOYxrrZ8$R26xcTufUP@cdm=gE53E;3=vsdAhMJ9mR2*%
zo4T=vGzZOe<;c~Ck1z1|gEHbf{ScJM1myz`6^XUB2bggz6GT7cT`dF{D}RHeGP9=U
zd~YgJ#%j(zVTPbaoJvYvFs&7u8^UJQ!T-b(2aZbYMDff`;K!FsQ~nY_41iL_2y+lm
zL2!}W10SW9@{IANwL3#POZ`t7bK)IHkm5OnBbKJz7o@hfva@lH-LK=XXiDGQs#+&R
z!2A|n{0dGGFAlWLICg5g#H22)pO;IWEp;p7*xzR3Ua|ke^&%MvrrH=;Xp~oUOY;P1
z1Jfkmu73{xQhVO4iL
z#t_woN!E*bR`goy5Xiq*pAmDxbMj$Lmx}(etN82Wcwr;!+}BS!7fpq!{72!KiZWTV
zMgO8j$Gfy$TfrGRS~!z`2Itw2TXNMTu(@{gz{A>0s%FPDm0(3={6t~c*G0Y*e
ztJxXH4s%Qc+8%owo2yDgs_ctLx}{g9q3fx954|BYwPOx&v1NWmv#a>E0*UQPJX!L@
zNq5SUljTH@*u@hIzeF}wb&Y@4J>>2f+z(@gs|_MZyjMx5$m|d{No9U4b(7%jpe(Ho
zLKZqiTZ(k)K4E*RU+wXgI_PC!$;l~2Ni{cxpF>Hn90vnsvuRa
z*vWU}FWFGX8cnjT1a7jHBBy-}+lc;JwcexC=y`a|CJyu;##O9@O&fv7*
zevJK*cgvOe%P&8#U~1MA3$~tMTE|}o-})&yX*R6G2iZQCZO##{}&gB8U0DZ1JMhP_$n_Md)<6Iq$v=;p#IF7i`m)b83He`LY&f*VrEbla_U%K_Rlr_^HLXfSXxn6QM=8~
zu1@sxyIDD}kqKl)kz81fTUC5EC(|wRp0d)iB5%vU=o_iWF35{>^cWu{6@|&1gNky_U
zKFP9!;aQ(>;D4Rwf5PLp>fx*_#_n;VuAM~!C3q~MAA$5EOZx58o{=N3h1YwFN)s^V
zOd}Mqw63BvIkcg1WDVUkC@%PqQ(Cy!fz-5
z3d@4FVKeye19>=)npfSdJhGKSD$cco*GHgZ$(bLn)Gxo0Fhj4AJNn10>J
zVgDzurpsiqat=;!4=zq_o*yJbEIxl?F(pD6`;W|2gi{3my}4t8gSz`)77ow<4aV9G
zG@JI*o&`J)HBvuy5RrMP2EmEwCGXQYmus|(?aI;XZ^mWn#NqkdcN!6)J2Sm5AN4dT9qKD=~_EcnW##PoV2X8l5RLKWQwxK
zyKwh@=QghH7b?Pyom6nHO+X|i#h4~ns7x4823`}Fn8%lPhv3wJ8ob4ML|34t{<}YV
z9Neonvd5MS2dkE=VyJ!6w&MqD;6X4oG^E-A7W$_2jsWuwlJtRqb^<3s5&i=Je13w0
z0#W_@&)I*5Qna1_;sP&w^@Fa93sFl=Un`=bkmeP~P*eeV6o+KF1v|pY_Rv+9&6hN8eP=DPUTAZ_Y;}^ED%WQ-0KH6`>iWMqw`)#&{GaZ
zl{>oy@G!R`VS_V2PMKd}LK%$9$Sf3`Lfl&+T-#_#Ip|GKz$rmS%%)4Z>|h{W4O)t;
z^$l3Ed=g*=PBaP}Q*s4>`E+uSgl9!E)WafK6v7I$myej^R@0_^(_<$8((UQ`&><0X
zVt|viK|=8RF^t+t#tl$uiEyv)vu37;7Y3QCE3NmteP>R}S=pDD5%
z`uK-n2%Ep|p#NX-2mXJ@Uzg7YHvT0gTaRzg=W8w5p(#Q=
zM`3K6(X?#fEn|6EYN2JtHC}26uLjd8zXp
z|Cd&?bg9QmTQrYparfanm4Rx9x9OA1ofEj;!03^NFSwAYB)>7UmTJfk1f7Q>nVfAA
zU!v#xVF4lCXSaQhzm9n7tEbcS7fr*u?-wpTy=@oUX#WzBOv9GZVYL6$!DH;iWPbH{@85$NYS`oRLue=i&6P*
zU(U$s>Adc`EgatmuFHo#v4XbnpU@lgU%6nNKZxQM#GNVE^k
z58{0UNns$-beINyKxX?;j{YBXeFan;UAAuH?jAI_1}C_?yM^HH?ry=|-AQnFcXtRb
z!6kTb$ZO!Axijy+SF6#6Ue#5n&e{93qVo75D>NA*&7)2Zao&ff{$o`A*ExeQ5Mw4G
z)Y!(>CQcU*GY(|eJ_9yIOu&w)>+~ISd!IJCGu}_z^k8<`&tp`SLG^$eRcwX+hqS_x
z)Z4-CzL0&+`)?L&_2!vd6w*;16n
z_4D05+06ad=0;7%FS9Ge6t+Q$BK&sJQ-wUKu%1*F&{aRQ!%K0Kd4d(CixP}PYc3IO
zc_~c0JqWlo=>BH>at!-P*6k~7E%8A5C87K~wkFcH8qRJM7k^bJ_fnN|-`c(=(S}^s
zQK4Jm&-QisYzDvDmKYHa_7LFQp5zH3_EB6iSNVq-WDMTFi|5@t*y}Lh5R*-QG(pbo
zG@Exe%a1P1Ao#C=*kD7v2qcGw!%9G2S&dgPG9-OPW%l<=NpJrFEK{p~cqO57T0xwP
zkUSE?j2(t`8o^eHA4fpcCm8Jz>3Vco-+o21bmQ}Y7et}rLdrfmc3F{M5eL-{lc@Nm
zo{8q=$ken#0pO-uzM@$o*r__roXDFOiJB{ZU;`K0B)UU9S^A@f^_}NKMb(jE5`_sE
zMRUrQTNlu!2*}n8#_3awV-5PMSOW3NZK@KMaVUktyHD`rB5l4Yip3DLP$={vGumBg
zUr30kf)opjaQMyNTcEf+oTP0U-Os?Y#`*Qsy}ZfhNM~+l4DcV62JrHmMrUD0S|?1>
zbWKVZww7xp8Q@_+ip4B@87qTUaWV3iR2BIwT|~e9d^%hMj__kh?T3QnT2Uj*|?^@
zuY-fpaCpqTBN2UQQa($4E5Xh>-+kTEe0Zymc?}oue$S%<0ARqG8WP}JAM;oM=J!9;
z&D%6%vSV)UyIH~*P|`14QKCGKm8iV`lC`NbT}Z7$({c;1H}RGWcF3<3MAwgrgB*!`&lsQoKP4UUv#IXe_Bj-1`D^m*mSB^Y*Q8
z4u!F@L@P*qiTs~7`_C6ik1Pa~SJ)%-Dp{pRugXf4g?-Em%;QfQK5u
zP=34qGg;jui9cy58Fd7`G}F#4?M_q}H4${>WK#=`HFvlmmaZ0;*&Msvrv=<(muBVA
zuWCL(5#)-+$6_5#{(ImFsl+mb&nW5(s=>o<%Wilwkq{uzRbj_sWlKtVU(da=3bgz>6`)N`BIKiHD{9W+EpT
z{O$3%srKNP{Y6SfkZQd;#QG=pKUsbBYX@}fFd$)6@PHh{JNm(FVpmyI%E`-c=YIsL@4Y4IP&>Be$9Trkz=!mRpu%4XAgiHEP(e`TG2|hE
z*Cwk36mpt{5ESrE!e2OT2vI-kFAa>hIs!KTqEd7N7$7zQfUbi|j^voi+GvO|Ba49Z
z+>)Q^H#Gp_&0yU=W-iw86%UdH5jpyapbA(T4W%hwz?^^SmaqFWyFX(F10pI$R*b+l
z653`STOy|<*~konYlK>aIrDODb9`m8
zsOj^h2Xk@OAh%gun}@Mn!4r4RSuCKEFeC&Z54GF?08D|>)sdry*-AB@uul7Y0tccv
zAOK%bmS3S83EhI@3tUCbV(I!OC^tvKiGP$>bwiS0EKsz@HeEZk@`cZ}L8bxxs357A
z#;SoogEP2gTS~`}vWG49GgCI80<=8BC-)rHcN%tZePN7YY2?(<=L=X2>&{zLdB}tY
zU_q_@L+#yrg8epAz_}%8)ISu_T1Rcb8wyLCWeqF%thnC?G8z`IQZGx!1b*jfyAkQ<
z{6q$7h|1DmM0&vB7)Is1lF{VKNmnYpp-~3T=HR;fgStTdtD+)@(#QGsLbmE5^J?`4
zRFP$|y`e+S42%`fgfcv+ErMRxHh00*ctdl`786p-6u5&cV;nZ7^dz(3`|FU;8?=_*
zI;IoMd;S;}3*ATz-?~xIwTDI_2G}0V&sP$sV{^mI&}(bNlh~~U$^)ueYotPGm#UhA
zvJG*vzx3rSr6`}&DUnx%;1aOgJXT%Acda*panM{Ld)>4!V9@Oa)Rb{1K)M3_M$}k1
zq8~>1kG&n$$i$e$D(AU(ak3ghO)PioFfhLy2uShRd2uTdoJWLbIZ1^c3lKc_=eM!u
z&!3APS)WDGHr31L^epTZt+jg7{cJd^;vPK>RkHA0m*~nmftIP&EX(RJ^sJ;8OX?Rw
z`~?D{JYa?@e9Y3`f*q?TEBuo|aFyJ6H9(?KV~h9G9J7nrhTJOVQGx8YS!>Qwa{KJc
z0{vkPRYvMHmQ=EyRZ7#GpJre43HIda8Xk$b-HhM~0sYhaHDwfBabe>3`pP1*VxdAo
zd7*)6NOT|YD+57@AV_3>QbNTg6ZB}{N#RcixFW@SrES4{lI!Lnan?_Ao#p(KgB<-;
zC;W-CN@D<>uO^ITI7d}5oIknAWtvzNKTci)!;l7O$pWEUDG#M=8OxbZE`;hZK~k@gy6({?ZjjK6^wzbP$fr+ntN-z-1uF6&`8)fK^&FE
zSQ;fUnEIQ3GM+MrlHL!VZsO8q)V#vxx)Txm1(9mHE&-Zv0<{Et*Y#=y2JRVIwtex<
zCI&?~CIH+J$aWLsh@;6MFFWstLfzSO!Xm
zg1ds(+I6$-$>#>}P*xxmvagRhR3l7z@m<(dFn2`Zo9CmOcV~G6nD%HXxk@b}srU{e
z-YI0OSp;qvZ8uu{u%RI17#)dYfM2MaB{}-=Hf+FvVS&vv5@P)AARGf~5xfn=eMw)_
zxY6~`oJoe~!<|u4X`0?J4xS9$ahXqW#AdzLxz=2=Q3o;w8H=*E>B#kia~;4VnM=$s
zd7^zKFbq#8z1T5}I`X|19;O0MNyI2odAkTwPP(YC;j<)xbt+4{TkP_n)1Oe*NH_OO
zE>UYY{??6B*2WKeM~;krd4=O&L&?~a`hH=)NUBOSYsEx$mBrjcGEp*Pv)nWs_Vx8g
zq(e=t@QOaAcC9zxYM3jI@5OY*t_TH;vruR33!ACsBQ37(u8r;vK4=*{qu~0MfLxSo9j_4#ZmZ>>7GZik?pQT{$JMjZlupk)6zT6^}f!O#Gm>l3IbRbNg~*
zm4H`+trv(QIupyk2Z~E0UJqh31(H@nH0iP7N`_PqI-XaTWBP42cS06gPCU=4#``mV
zl(v~H%~z_tRZ{9t)Ud>=T+*N&unI69X}-Ij6+$=%8|^S|auRN$4Q6xUqhpL!17ax*
zdOc?BDW)eKzl4V)gxW@pdQ|4&Rm&Hn@`V1#Dw%3XfxYdq3yrd)(5}2u%+J;{w*=Zy
zB%@WJB;kdJ#(~H!LmV=_CD}8Kx
zSRVB3?<#)j9la>EN2AFO6Mgin&Dh=XtO&~K$U$2`*#2aO=m~H=b8Qb^cb^X5>&HaR
z31Y$D>VcPrp3oeoKm-s;)yA0JAPM#Nq#yUh*Lf%nCB>%B-b)V?9QN!aJFj&Bt4ODa^_$r7Acs{#8I`e1yZ)n{E~R1}B>@OGQlwhW
z+k$pKN%8C!s+XqY;ev6rS
z6&qJTkL})}{>%RQ@>v*WU=1+kg2K0g-(8{;pKfR8N-*)1{1&!ZwYOHYZ+AXETcJF0
zV%!=hHX!zc%ei=%o%fH)7xA$MB+f&|KR8U2YQOewt(ypsAv6iUp4OICDSMHXeprPK
zVW{Q*tp9m%U@!AHAOSq~Kqj7h&GWZvf%trb-H$a&w~*ur#qtkjqcy@`U^NVuKc
zOAxk~bw8$9K~hK3Eh+q>yw4XIvS$+H-Me;UIe27|;=c#V5{h~Bn0
zt8l=h(k!Z1PcHH*F2ZUGgy#B_`bQ9agyq>2oUu8hg(Br)Fgf^yf+vV&7q4Y-_?P2N
zWwLHbrTlV*Z4-U5B#W0?1UnN+%?>){O}CD{{WWd!Zi~moArmijxK5$9Fz4uly}OCi
z6VEBEE5T@!duw5TJI{3)f-@pS#wvH4=dJ582;dF?I6klvoTOv>6*zm01Z5G;{qmUX
z;sT(gLLX2mJmUpL(o8bHwQm3Tk!I<{=#04S5npxjspDxD?BW+bZ=DayHOfO6Q6te2
zvP0_FnDibYF0Psyu7}5$FCO1=Ku$0KClG+AY`phw8Ia?7D?1N3{lrJW@%Ec0sW?Mp
zOx;Ezy`A-TWI^Z)pD-|BKgr|)K!*(yL>XV(xg2_yi{1d2+xia174+w@j7O`g9Le~R
zEv5M3u1cjYOkQJ`(($-8oAAuswjFop#qz?%U@VZNFE&g-R9O%+8GUAmC>+lfG*(!3
zNl65uMbu0(oG%Sa&i(jhToYo_?Qp+jaw2<9iFXoTc-z`ScMcKlly|6!;wov9aG2Q4
zePBlxYhsRz@uL!YLbpz`-7zUElKG8v1htnj?B8i_=uQ%7a$eYQ7S!47FV-?&j9g$;
zTYk#1IQ4v@U-1lbdvSv1`8D=nIr1zjaHnCiS~VF7~e*>
z;R1=Pg{k9d5~%A%;r=Z|JX&EsJ7PKD76c@f{9v6Q`FS`9GFs3jO)pu#c#=**)Ay!w
zAQeg8(m(Tl*7a@ez{}#^WYgnD)yr?!zdxr|?U_&Z4rpV+NCnEmiZawZ
zbIA+z6vHb#c$s3V{e9DIAq&YFGC~S4sDS;Y2(Z7D4$X*t5n%>I!YKDQr(Gy{@U8LzFnOZ?Ub5aWgweiSmwaN&mGBz@w)MQiq0RQSFd
z7It77;Bdev`{DaQ_(#ZL)dOx3fZgoWeVF>mv^JeTel$Xtv{C3&5(B&J-DV~YrWls`}>4i<=
ze`!$<+ItPl*n!Mq1k_riPIv|U>zM|_#N<)_X&)70Rf5@AuqG_%^MGF@^m|yRlxGYQ@eX367gP1Gy
zq}js+?zJ5(=nrPNtr=VRIBnhrLLDBDN0|v5_428O>DkW=EKF>StYDa=gus8c1)m9T
zhJcMUYv5^uNAeRVR{GAu8DM5+WMyDsa<(~Sj@z3nr~ZlC<_VEf5cOk{_-?ugSm6xN
z^YLc-D2tZXB=|=I^iOfYl=dH5lE%R=8}KBz>RrK6jh%!j!SB8gOWJj5!^~;(rXo_H
z&4Y=L3=>yn!PVHEW%L`$Xc&%7!bY6l7lw=>8tXQV+_bAd1b&T!8L1K}B;>K;0~fgE
z6&{6);o<25KfVQ8za^~T*_5-{c189%3^R6
zDxhKTDYlQcF_AJFy%aB)ky0c>lE7)v<4mQEG9;3SD0Cny&=V7qNAS-aW^d1|dH-@f
zW|cbpa&xQWt-L;HW^>Q_c?8O&jzIWp%&YOKBb*U!6*Jd8e`&|`2|+Z(dB>BW327W#
zk;*MkX^}Q+X++t>nBv;!o4G5&hsv(i7z}+a@!1nDwBK6=(BM_hF56s))04Xw5Q1+*
z2m|Pn%Ksnkkmn>8IhyBUj(M{Ee1@j7eD5dCUs;W>g3h(Wza?GaLk^H1{WDO41m_}5
zO>ZKYCJ?N`pyV_^oY#Hi76r%M7TVsv8HNY9A?Wq~rV~?{UTk=bVVz$?!h3pfLTc0s
zqk%A5gPf#B|2IOfJi=PlR2Whe*sv$HPQA!WXX86A8(hFQ?-w>LJw>@LMc|Cg@Ny}q
z@hSRIfx{tkgNJzLiWekG88XreJ+AR2=X-##%B3DO7Vjj
z2E|bLNgOp*5aN}vw>*~_kK43$BNY*PvoJ|x|B$X=P$`-FP@X!mDrjR>RZG!LmOKsy
z^kbosV$eNzT-Muo(xAT^O5Pbct0gbKL9jf~((+G#pXlRABVUr{En9uVuN3)^YP^O}
zmZ^*WLpel}d03LYYzg3p)|P0Y#O8(gFPGQamLre}JG74e>~mCIShM2|>kC^53wvRN
z-pi`_D!a=69B~n$rW$ky`rk|vkTyY0FS!j?CYk^??{>YzcM%kfh(V+ul&B7?*q`FO
zTX7q%h|Uz1U@hdXntzG~I0Y$xK3kVURz64X^{E#6E|Wv1Pku$?;5l;hrz4D^Tt%4r
z(ME;Ii(JZ7q6u}Qx({3Z8}gI{)(ukvbdEmORdU5!c;D5Xx2o@w0}i=MfXV3
znoQ0##T|&JJbpmm+^v*8XO)!$_Ru>P%18{LZ>|ba9vO{Vk)67|Sw;Wgo7~|e-CU_M
zCPTGt1+HI&cWxUTh4e*0(6F5d;|!wl!(dRa7xJ?iQ`s%>aq`^sh}x*I#W2Qy&JDZh
zF2#95HIuMIZK8*a5&L@wHukWwpkse15pUAz;(0rE@zJizRdtMWkz-+$JXLmy@8D?I
zy@C6$39d(~vA|!Q7kYAc`l*6*4a3`Sm=ryP<)4n_ev7xq2A4jXT^5No8ts;i2knO0
zH+BS$@gy~pMQ02S*_=M*5H;JFs`=`DVXWOjAUG2R;SBGf7n7GP1YdYI~a(rxjRwSJ6zv$yMf_JdqyC|vOmBlEE)9<{*W|LGsx|_B~uzmtZ
z3m@<8a69~54IXVp>_^%Z%tf>y!~i*}d3=V(*d&Mt%xtt^`e;>X{UJTexEk?~mG0_8
z0nD9AliPTyM7t2{?wJKm*7NVKQW{zqS8@NxRD$VnhsEB0)KmOi|1NFQx!a9{O2%!*
z4H{eK!9at01EG_U)M^p~q`}Y8@q?Lz)7u3X*B6%;zqgAA&!Rii7TLQqx@68N;wUa%
zKFh+GC>1q0u<6K8SMGSn5*QdvIuNckgA
zPee*=l89DRwns!OWype*##leL5Ha^3_tzUOBWsWNZyxNA$AsKW3|5^`QbHqW8+Cn=
zCT*rSo~w-O-bv7U*m#GVx!-racfB7|4{fqVIRT&S@FTyUseik;q3iyirpEe8t?z$$UPLC6Rq2C(m2&s#
zh?67JEEAuxIg-2^L)4+xPf;|?^<@i?qDGSb?KQMB{aARJRKByHp-UTieEnAt(JLT(
z7S;bzBAO4&}krZl=0w`0F;
z)b={<3xC1>;O0_s$W)Z8JkZcjJ*uy$E?qdv>RkU(iIg_>C|Dks4$#PgVFx{+-)F_&Ap6!o(^4n=9b-6Qg#W)qHr)xO
z?Cnm@3Ls`ukvh{JHw`Eu^u*cNbEw(Q*I$KwUmJyxV$7P+^k!6*FELbRmHh2}RM$5N
zZ69zU^x&=NU-jE8gVMh~rm>2+cED9}9VJjWeh8iVt%kUBlWl~nnX^3o!r^Sa@ASP&
z;MHg~eTgJE*!5~Md|wk9w%t!c#Zyk1W5qA)l3j4dQYrw%Cvzs*pJFJbXP*y>$FpM{
z4SfOss#hAR`g;0FfPw(S26d}#?RueAiBCJ9E|lvWR}=NrKyW#El|7-2wym`N4U5DL
z7DL5pV@GxX-{n;kP30#FAc45gPt#BZNl}hyw*M>(X_IMa@%5gm#H(Tu>qYgU@u0=O
zyYz1M9R+dt2tG3i~moPoLlXmdyFqje?mSZ<>|w
zpVKuxUd6FAX5=5@{oWgce|ek#XVufe89RRUW1USXGl`U>jFuXvGI>AWn^39Ou8ka_
z|A8d&*PrI@w~b69qQW0PKrm?QkyyR;*g0uuWdSxH)ysfZuz&C3?j88{yLEG-w{A-7
zzY9|!>Xn`u5$y2Q&62}~d5r4I8OTTPxzVfg`{mj52m_q
z7u|x~OFSKlgT(W&p;x>ez1VDp&`sNNjFj2H*>_2XU?lW>@Ra=?n?;FuAawTGzz?6*Bs3a2tZ7-X-&uN;
zCunhhdD@n`;<-sI|6wrRl=(L+Z{r5c37PmYbsZ{6kU`wZLB`lnz4yhS)T(!RM}$tR
zffMa>!o7&|-i|BnkPhD0oXT)(>(;5APfpplT|&_nOSB4^{hf%9BuklVljz<
z@~A;jmhovJM>-#tJCVJl;cGz2n%vjttG<2#aD%{W3uPs25q4*Ay^r6kSR8U(*T@dH
z^$p(bu9y}!u+Wemi2s^RftW*hqIlCj`VadNvPSN^p+Vk@ACs5&^`0MfE>$|#FJ&(2
zHtyGJ<3%(-WRAm;`w6^44R77~`Bi4tekyE)2s)WOE7Z{p%MJ9OkMI#b2KzUvR3QGZ
z!3}w20SDNx!3_Vx3M#~;+BgU@ulM02Qq3C@3K8F*tA#hFeVg_7-S@=uQi>j@<l0znYo4E$sKR}f#eX>u!qo&Jj^{z6s1!f}%^?#u(ZRHjyVd<3>
z(GOK7hvE;aDGf&6pL^Yt$fOjhd&<8ugVDT$Q$Wi+(478eZ%rD-FcwwsghQn*5Gv2Y
z_6zV0eCT2)$vcW6=fYesW=l(fz&WgW7_25_diYkPAOm-ZFs(Un#xoer`Bbnx8RQLC
zUsk^D@^2$9po++e0US1fBu0CTPTo|y*2$p_mvflc@%2ZvQ&kJKbu&hiY)<<9=NRWYVJjw^06ZQ@k&G&fjLqfapsr&-#P0_>VzQ
zHpjN-c4+B5hF4?m;YLG#zhfR{xnTrFXTl=|a*p5+|DzLSgpDVk8YrezOR0P^aY->|
z_kauIG*`RuZHTLyJ_^Q*Cm(v#XJc>{B^y69LuhVqe=9ssP`fAc*}P-z%8ze$V6YR!
z|J3YZqXT8KnV(#EB4D2({zJC;uDq&tz_BY)Wo|fO|L-M(gZu6If8@1}S1PTH!cDJP
z0T?P^Z=RBrq~A?fx8@$ZtDA5MXMwmh1y*&d1nqbb)vL}`gFo#3el_%i?U!?TE?E
    %B(P!1;3@XzqXU{_LB)TXZF4iD`l?3CZEtLuvNHIQ2hi|&y5k8&`(n}qnxXZ0S!L03&J1g*ZL~eOVj{&
z_o{a=Qng^nx*y{b2)ZC
zJ`JL|;3Nhe@P_kl!etFnDkznZ#XHX)3!6;)XHz`z_&r4eR-ItJFA-0?CN-(WLHW6P
ztymg4D=5AsNax%DP{|neCjbQajPEQ}o2N1=eRD`uuUPNR<+>2_ZUDCV^!M)X7pFlN
zmU{)U#G%rH;FJZ!e+xnd6O4ztQh3Cq%^H4EWk%k#1p64gMynabSVxo)!F*>g?^wmJEyq7WJLe61j9nT{;I^mr2R*c
zWO?(fp_d0TRHLjgA_RP!EVQ_dG7DG^M+E#z_^3b8rk$&MF#1h!zA;y$)<}DyMrWNjA5VC!wNZ==VB|S5M@8>>dX~FhdX1bv}y;&C?etHCd
z#WS&LVh_@S;!ZcN(oCLtMPyreR-7zS)5rwvs61y76d3?W0PaT;00$oa6&0&e=kpS7
zw!*?l6!{XBRbw^@=izpO>~6a-whJSSihEzi6g{LsLjR+Av*>cl_5Kb5{7?{HuLvAv
z+9C8RvQPQIAW5a7oG2sU5{6d(Z#d@%0rl?2R%FH4cEEIEN)8UWKQ?k6B^hXZE+f1B6_H10>=KvR#3{0u+q`
zs^DI~dEMsl0d2r91fCUe2|7QWzW)4k@5wuP#r^&WL=FVfSBWLS4fgHN0Xc7D?EO^%
z#ycplMg`x0)RM0k5&+IvVPhHds)Mec{jPxAe6)!H#;iLe|0#v`|D
zdczT^WgD{5e5VxE*)WfgsPH473!PvZcC|45?^8STZ0h4fyWg5rfe*!WbLRn8j9xCQm_vORFSu+dT4XjRe=!
zU9%IDb7x;TZ>`qo+Ls1+?~l~3a%Q3KMsao_Ogv``w5dR7qMjt!9x?^JA1Hjf@zYfv
zz9zJ<@^wGbHI1JFkB1FV5$KNv`0h^)$bnS}tH-YOdAT=#+2(a)>|Cf0A-qs4h4n_|
z5#_Kz!2X{K9avQV6Up$F3dF@{hzOI?G?UdoLLtGRYIx)Z{`LDmRWT>oL{k*gwo$C7_%Z?oEXztDT2oNWGI
zle^*Ps}Up>XA!qfTN{`BZ`vD;B=YRrr$j}FPZ=xT0$@JWcDPhWM;g4AXqA&H(HmJj
zM%{HhBYTS{PKzAH8Wdx5R(->v*IdmVCxSh2pM_|y1Vn|2!h_;I;S3W)c}GJU7k%6S
zx>Fq^XA&^y`=$07i=G`%d)FJ*yo#NWWG&nWALa*74rXw_GWt(T!%*lmRAC;5TovDy
zz_-(6Wm+wCxXe(i;OorgbFnZIuHsrBa(~Za_&c!q5bK8BrVa<1jB?Dc|G{jb?&hQ1
zB91brlCy6f;XsM=r#=%`32{$Uz(eXJg$8qujkOUq)xpW*KAp@#)>cNVM;y>
zlKwxlM=JdZU!-srp5ZlL#kH&7^Vw3_fQ|@{=rtaQn^y(9Of;7R31Rc4?v~?$;`z*T
zkNKpcNuqm#J^kOnKR0}doR5dm4g~hF-r&pVLa{hsh4GW@jW+jzBWLGBuDLEbH1IX7
z4sn(HBA#?FvZ0#7EO~G!>msAF1k`bips}XOp<@|vjp`T;G9wVFW4_|&Rj0Hf9peo@
zW0iz6>F^zWvRzlOn0h0x;Qxz2@K~S$dA2><{mxgRye$Q_h>T%@IU-ybH4_{Jg6#j+
zir$@8e2bleA59G;>sSze=7>muJ!mjC?n4(77GWscm3dSMh6jHger9j!Bd>ni-a5{&
z-ob^LPm=C^SJ?Gy*Hab`mo~X>%-|6)EDk5t0%K@e6k>SnCE8n6^pnr8#5=aQidhSHk$7zqDuAz`8*GJ8lhX{OQ4WCt?;lzKK}XmjBtciCOxC?5
zSqgI5brI|!KZ4s5*5-8rkRH8uN1&brU<>OAH5S_kM_5YLix}ZYevh*vpUd0F=4`nS
z1Jk*3YMG!!^ori)bT<8SFF>+zj;LW;K*jQGV{l*K+_81*r8&}-ptIJC)4S_v);MUk
zPaCsmB2ps{54NG_#2$o{R!`1j&by|@zfDZ6u&XUwz17aPbhms
z202cD76XEBs;9Y9<_RRrN^Nqzb#-^9ud0S-2Ap>9C)D3mG8*HsF!%nu>}>6)wNR4o
z;*a0^C_D6O(L*B$A$(DlGtKcn_;OT^GXt7qB*EZp*te!Am;>Ozf^mpo&?Y!sn6N?Q
zH3kK6Dh6!xxjEdYb8m0lp7~0b4$J0hiEz{vsU#q|sM1dL
zTP*t$;m~wk{&Wzs7)+^whh+u&^noCZX_{%)+<6M2al
z4fx}RiW*T^1D-)>z0O+O5DrP}=C#oV_YzmKx8lthgjUXFM8PD}4G~}vh-C8(X;F}V
zNv~IBgm{k#DXO0azVK_n+`s*j6dVEn_Kc{xR8w(92iV9@y($UF)c`q)g$o6{Q-`dT
zkO2c(b?LQOYe3lIUT&3S2O!!~v8R`tl%$o{efL2VIs*{~C)
zn=rt(fTqCd9RLT~Vh!KVKipmD2Ap>yZ0BEbx*Gu0D;0P+{owmgT;8iI6xav6^>Zgc
zB+#9p<>zN#Ea2P`R1arFJgl(nOAtz?_^O49sr~SZ+93n!ANPRiK47F>N64gB^%DN4
z=A?U;KqlJcuH;~1s@(*&j~H^mms-@X=W^y(q+DyT@@SK9uv+=&@m4zl0IxspAp&R<
z-hK{{2LP~(orkKe6Pa|0LX#UMk%jf&`d7^8bNngdVnT`ImF)g
zTsI0Z*!RBdze1fxfxOx6-QN{00swy|CGaKa08=;TO5@TZiJ*1!55_T7oH-rFeCQ3a
z??zL=T>}Sg(%a$Md8^{iJ?ly3<4hxzC8+;u&n>kALpwa@nCe_oJtAQ?Fty{fm0$}c
zy`qn7f`;{5G8I0Q)9OnDguHz0Fn6
z+)P<{C13&on(lWx%bKN9R;s|#6giIc^?9OynSMxNUJp9}0JK2GkV?3BLtDG-=HX`X
z$Fab@{>cnfIc1r%Mg=_hclnZ>Id7P6cU1q3D5cb0SG_Scc7?J%;DFj^N~2+WWVcom
z;sf4~>Bqczy=M8e>704*YaQ;p$ME4R08rqa@`+qYy02$uW(Jie7|VB?J!)H?Jjk3G
zx>qBC4R!m<_F?-HT8a#B5+ucRW5c4)lvF{7Uc`gLx&!ua%fc`LJ2nHm6b4EzIFUL7
zHd&y}KUc#rbB1bp)ru91uyCDLHm&`s&vX0lZ>4W<4EU*`Tp95Fy{Om41_hiO6S#(0
z`a{3&SY;kko#cBl-}NQ*)%(K#+EKi3Q|mx85^&?De-X}Mzw0qE25yi5*Jy(2u`yB!
zQtKx~X)PXVd{i*`o-OeKok6z-UDlK>3L@
zB86r@%s!z@$l~ol$BS)BhN28b&p!a~)?`YeMU;UF9;*nF7QjGV
z&W3_wXMf_c*LtJ-HT8&GmMwpyBM2)*9-Cm^3+O(joE81cr$>Dmt9q?O>qT$qYqv7z
zQ12*HzMN8j+%(viY9X^>m44`~wy6U-7<47U3}|meGl?VZ?X|Av^5-gdxqkGV?_7Km
zFaJhwiB+aMLTlK@FpWR6W^rQw;AHegI=S43MTb3)&g=>A=^BmhLHTEpo{@+0L`Qml
zFfRG%;xzp+!EBlz%zGR0UpkXdK>TQ9H^1s7hi=@W?P6gND&+~3k}q5l0{{p@S5f&x
zUwk%@`K`GH!uN~>6aLlj#`1pBU&sBwwl26Huf=d1$Cje!mThbx!Z297GInw?{Wee+eBnDNE^Hj
zrKjV7Jn@Ykdvb~rX$NDM4V7$oYP$`Gl&%;vojC`2!WwfMWOS#xcb9w>Rvs_j7T@W3
zba$|V%n!5rh=;P+k862J>NYvDzXKB(Yg=&8S?hPL9#Rt~|MXjWtF?S*n<$BNFyC%l
zZpvZ%R7$ob7I#e|aUTorP0GO+*G4GO9c`%e5~Nt!-|*zwv(dP1$prCHwsNz9$Y~HeCK}uNL}5j7MtpeDcQd0I+bsrI
zVHLrWmmG{zgH4a(N?odseN;M&0t>L&mKB*eytd}Q{#6EN^a~?f1d|m&%N>B7eiz=
zVLioMY0_ayTwuf&^ulXS3oyfqnYOX5^bscHUYm&m8s4vG^J7`6IJ$2y8nG->Xr#1W
zv;%7M4;F1+ZxDeN2BpA!R?T+C+H##TwtpmF5e=8Y7_VuI#iIy%49GaIF9A&o8`=Hq
z92^L6<<1buS26~UNM)pYoX`UyVlE`T?gh)t1C1Z&X7B{3yiio@38So
z?mW2C;Wa3dY9wgqH1=WEe?n>by7^l)TH9+rdKDxfIB9F`^8gg$CSQxfb
z3?c7J3DGD2k2ZG37UrfHEeut57qU|4;?+YilAa!f?HL#
zO=0q4!Rr%$T~rihns5A@VN&4mzlNt;Q4a&}PEXS(syDSMW4a=DZ3@Q-=uF=1>qzf>
z7hAF7&c#68K9gC?wX;!g_sG^(h<~;rBeh=JizIPip)+dJu9m7jjRM5w3*n-g5*7^uFgCzt!NB?q2Z_
zKM-d@c&v%uE8ISpnVtOO{t{3^h8{{^y`BifH8klUCv>n7~lR>Nw
zjE2)-DjnyI!p*_DLaG`4+qY@MN!rD^AC)N|SYSk>TCOqqaT$@z{v*NyOmU~iS|}sWYgNweh}W*e(FOtc_}9K
ztBI%`F@8NaaEqw$9(w3wF=0V4M*8&eE#RMT3l)h5>#?LHnECxE6FipCg(s?8uRsEF
zusb{=p+J^KSeE}YQ~TmPu7dLs$p!*=Uyh~A(~hT+H_So$9ADiK9Pg;#Cmu)c%y*<*J=Cziu|km+}+
z3Uqh3!|!!cO09BRws0;;lamGxh7-*wV5>tzbbur{F0JWL)X_j9=q>**@wJHp5+B>w
z9ygC#10=LprJ0_j64|x%VKZQaFnSfcQl;Y^czLY#n00qawPU?@?w-5KUq$|sfbMVVH*UgDgkSIJ>VEYnuXi;5eo9!q
z&3E&;yFA<48?wJ-GOrw#T$2ZJS9+H#*v~Byk^pI|uI>B;Gk!UJ-s%8J|9fZ=S
zAVdh^Cqjk>2lW&0|MYw~G$ILYuhMD%asI*7i0ECm5&xP?4aBtGG#jruxjZWhC#Isn
z{9RzO?wjg$aW_HHXjkyf`chAsVU*_$y8c6?JO%Xv@?e-}OrmQ(ZjOa);@)B
zeYfS>9FN>k2I`+=s1IXKl5=P)5$RJmdQ8h4QQJ*6ty~p;DZ}o!B_7TjU~=4lP6nhA
z{wkjuj(-IO#gN26*AIKm73Tc#AthV|7Oh;J<*5>){4NLz874xgSveu$8iuNaoUkDUsqEBRu4>wKLYLKMN8-$Q1_(x=wVS)1j3H
ziCX12fLRd&I5LpDJ~T<;kAxntFi)fhpE(H@yrk43VI_r-g+q@LA*FW6h5Kb}N|Ey{
z4Yiq>6nOyN73V8dW^X8qmFh|xf1m}3lU+k*F%_Kg%ae-c1q+U_js(MOA@7=F2KjvLk>>t!;?(X`#XkxH2};WO`_SdHh*RBaR~WznRNf2}&(
zgJ8wg(T^~oKMD&Am-{!QVZAH_b$0uxnYk48uI<{+8L!Qu9I8z*AI46_y0X%JUd()7
zh~9yt9($|bxQuVA@_$K5Z-qeHVLeC*e=|2{PPHUXHIE=Jnkw{fN6q~8`8!SbSY^Hw
zVm5GBI{YR5_u|QMKCjm=?v08D&`j+;<$mz(=zUWvu*ijjDFdRDAPDgTYV1$Z4Yz9%
z)XbVIgS1G&Mr(!4FjHD~Nq79M=F2tO#uD@t8BQxcGHx8FkJULzadf2BxIhZ0=Ks+3
zj^UYhTh?}L+qPY?ZQHhO+qP|1#kTEKtg2M(q>}HhdiL(_-Cw`!&T-^V{v^4swdR_0
zjB{|A9ibYk3icBfdi1<`$NpXj2m3#IqqhYIC&!&Vb+1tHc{010vvc&kMEiR0&-c0^$5
z7Y4H(zlTTVunsG}>aqKloin
zWg`j4sb(V*b!pG~W49f%-tA}lPjFVN1iqS$4-ay
zLNkhhV;MVID$=YB941`fn5wn
zu(TK#6b7w`llzN#%?!?$8pJtOH(a%(`w!&qI{`vnb6HXpxpBp$DG_2$={czQo7Z@p
zhWX8D5?1ku=csTgP21x2_WY3AI(LE2pz<0Wm$i9rE@EVYM2N6xDqST}R1rF-KM@T8
zE>vleg=#qgU5)!!8WtLihqU4kZCY=vP-yjaJ_H5=e=sBzvF
zGj#8NI|%-fabzVpAYc41IUGbL&yvGg3-1TWYN$$B4%Rt+y@!AiExXdJ%7C(!MA{1u
zm@igB!Xg-sSV}yAkG9F`-NL-Ju>{6uW4FJdxjOtvg)Uly6r-(BAXS`>fg(im`bQT;lZ`>1guI&3>pZTNnyBW
z6^M_w$JEX%qsK1(+VZ1jx1Q-?#=S0x$m9E{WePFn*5>(Pe(oc&bSx(rS(KzuDi}_=
z^i2v@4O{deR!cC7a7R=0aB}fv6->3bT1{4Fqtc**l@vzuQ?*F69R!s&_MD+FhB!Nc
zlkjTFc|Jys)dAdMxK@z=PHnJFkB)&b6j`KHZW5u!+p5jL^DhEs*Y`zNMtNpC|qnBOgJCc
z=rQ#6V_-aod+5=*PjoOcgh9MP#DX6E`d_+(SA%&_TD4GlrBKjiESZ{3xUQKUQ#chmRqR7yrWeXh5O$o7f)0;NAE`AmjCEtm
zuY`>p&huONV%i8x@|9xgE{Tyzh>@wEXre3)vsE%oHRq!4s-MeUsYTM;M1|8^G)FXH
zMrcIDR+6fEzLUh1!%9d+*0yF$XKlOGrx@n|?=MVpT2_rM@i}Owv{NG3WOE)C!?S|m
zTkIH@=zrLC{jSgRpHm9hi?H3KpV37Ld+tc9;T#U8#n4p_g&d%{&?C6vL@G`#XG-Ek
z(CRM#NZv5Sl#!tsA9nF??aJ2~tdV*3)pDReZSf0cC~J?`#+w#t>e{GcXSf>q_2HR)
z-PA2w;Bhd=|7~639>*gw=2TCgwVZA$1S~-}9zqL;PqoUqgqf*!eXx{$1p@I7DgmS0
zGS)F4BQ6LyK1hgCoJn&*4q~q4T%}ZiOKUm^Sh)~ht0*3;0xvqplWSsId2`WygfATM
z9KnGki^J(ZgsbSz;K)+MXa(m!&SN=`rCt%z8@f+!v=7%uhD5=nj%3FqjP2ws%gh8=
z{miR0WM@;hpmv_&?$h+hVtC1C9NzX39_M-zOu?0$xM!l0YPz6xes5UOI
zlB<@Viawh!$IYj3EO@UNap;x^F}(m~gZ(7R4rg-DSa28NBQF0b`ypih!A{P&w=pJDvs7$?!8*~PwQjIl``%dfFyK06ZP9RUc}vbV
z=*eJd4_2RVd2FZUKwa090x?i*h+?Rt43zqXmlxOzI;|PGf7o>Y^5Cc8La0e-fKTc;
z*=E$zunHMtRaR@xbVf%;ce-zQ@;e>X6jep#@JdGzR9U&w?xkSKSOn#~eqqn?L;Yp>
zTnV9t=Wi_@6F!qZ-I~wl@1%?$EeE;#dV9YI5QjrgRbCjGxwRF1g8F)lRajkIF}(*a
z;uQxInXhn)*K^AGT`e5-5&9gsf;UPMRj$#|R*(T7^yrl%cD3wI*`;y>l?JPRHtS83
zO$TmMZaFTA4t$gg7?%(|Q@n)ftAtrhj1tVy4za@#ni2XDgA>T-_1I)mX47f3yRk_d
z8k?`n-O|Tvy^3#S52sWLm=%{Htrb?ExOjrt+>WhG8igzIWPc!kHp9b~v{07qOU_t~RK$Kz8jBvFAJ-@NV<+
zCUkkkw&U*WUXUV05walXcP3x~f=q8=y*W2{kROz*7>m3%?$B{6^cZgYzJ#opdj=vS
zsT!Gmaom)RKn@l;5m`aixgjB0iH2vB)p~S(XQ$MDQYWk)8^#;z{Q_g|Tf9|!OWKx#
z58;}y8Dedq3Kx`WIjK$#4PUO(IbxsFqQN_%YGIcscw7jG+AhVBu`^C`8${Vjr(qET
zHY+fC(26zho+B$aS%-x(>6tn8*uBpu4(K=aLs^Tx#L(Q0VW?PX(iWP{c5^i9gv9&{
z&?2z5T(+pR-?sYS=Y=A=8jS(m0MO-!nyS1Jr*wZ0YeRf_jHJtN$ioNlxGug$j4
z!C$f$b)NQLC|!0Ran${6o#t?Ytj%esnumDo3keDbFu&Z7$e|JQ^M@Cz2t+uq+M(4E
zdn0|(3MkqNR6KCByPfoM9kOq68#Zxp{h8KBDgYw(dQ)yd9l9<%n#N93bZbkKTaVK=
z9<4QP4m}vHZUI!ljuQgXjK!GKK?!s5B_p?USP6-mfs~6Qb*Ja=l
z5->?M~GI^~W0ArYXk^D~(@pUsh
z2ONUSrf*DkKw`5|o)Q(-(5AI&>24q*hJ@-4oJlTYBlfP-0m_XloQ3SSZpfzG6`P1k
z+7eC2m75hEUfpMhspd(=QC*Q^6uFb^T&=i!YgDv8?kHGHp0H9$bU8WB@6(p=l-O)+
zY>ca7HD%!&`C#Am+sZq22vC;;SX<0R0-gAcxTYj1^5`yH8&>R{I_2_V?;V5kC#Ieq
z85YDar+$gamf&^35?xl!Pii)9DV4v<-d9gHc5eFX`V}Y&5T&zrtMq0Wg=3p%8buO^
zV}XoaANo!v#p{~+s>hcX$LRLFv8vj~wKvn@KC}ntH=_YlQ_E^K5VHZ<
zRfQmf#e?CH=d1&wo1&tjaU4E~8P2KM)4(K=wUwt`Ipn|1$bYRU^(!7W#v=xiB#%tZ
zlLny=&lHZ?8D%S!9j%3iR<^GtNv*2vWN*u88uzw^-du#ED@g{OwxJGX$sc&B#ai)f
zkjhLqQXm@5WP@i*aX@yw68mL!tocS8ft6Bn8n(`zb4f*1LUG^jYpA{
zZbXJ;lDohr!Fp5?(feYKfpfy^qORDostGyEbh`%zjoaMQFB!64^c7}fk;K2M$GX^E
zV;6-^1_opHnl=O44GnqP@j{eRLbqpo4|ojMPw@Ty0=T{f1%Y_2!uV{{3wZVM2LZ;V
z__#=Pp>4gk$czcj<#IT8bMFcq4lp#T)KkearT(x_AeB_{ffV3(_DUZb>;HAYd;YjR
zqz6N5MWe8u`Zf30ox5V}tqw34l2B~|^l14S&8}imrCC!JTgR7|(fug=MgVO4nPYJwTow}A;V8~keCI-bInAEs7rsVWHpEI`vZ=+=GD>P9c?x>g>>?jf*q^Zyd3V0RXghshB=G#%HIUc
z*U{wCZsz#ipQ@ZUv8raxFG`{)uo$zflR5PnF`0fJ&KqoOJ8bV{ibEeWk08DTSAV%_
zMwW(9LDahhdvu)ds$SAu@4B%EwUmSGonp*oqMB=zDA63XX`i3UxYnjj`e9Djou`@V
zl+I2hROW;Z_byB;bZO1}tRDPo%e0B;ma*H6dvU4naQK^H_KNxiv`o;$4fs_*RKA8w
z-Dn$l|8;*Cj!RSUw}3QLnD)<4r$@UA-A0;%AOThE0py2}!iL9;Lk9cOIx(9s+<26w
z^LNY#%Ch+$Mbo*AeoCDQK0OMad|yZ%Xg)#K!Y+Ex5>r1^LXQL>assUeib$5Ir95KR
zQV&9Ty`Az6qWz@rEs8`{-Iy>xqlC4Q$f;McDT(#7qP57OO}&uO8Px1FW4kHNA6)l-
z<_**vpcN=DR0HW_j!=iLaw~|N0aIjA(p&U-iJoKq9!6ps!&11*1dE_RSOg1shkNTl
zPL!20kg>{4wq%(KMGpd=$HL69LWGb{Y$V=-H5|OauV6^U{g#t-jlu~&3OZJZ)2K&C
z1CqCjik*vPQD7+H5PDiyJcsj|k}?ZX!R-iXvx}{Q3+pHz?
zp|d-yw3OyrHEA`GU_jf-Aeu@g-2}gU2=0)bm^sf`GPt-gXyJU2^`;3(D
z)HM_fB)Ylt>PnNqjX;4hW_&jXv0M}Z>vLeY3G%q-;YDp0GLlP7b3QTrwC4))+Y`5u>MT@m1myl2VWzS?}9zsBg+q&9cxOE9B`&wf#Vru`x5Pkf4;3>xsX>
znT%$kMw1&I^ZVMxH8rP%TLE|90@O0m%BKfgBi*dC?FXhG!Gf-BA1&*VJJFY-8$37MJiD&T0#;I(~Yfl73K_+lJ
zXZqmGmRHpmh0kU{Z>F1{SDdHE0q%rG30;8DqgsehCxxZ~^SMAJS06y0b*8hP6a_RNR@y7vKpH
zn}eY7-;j*CL_DUXxW7>f@}bY^Mih2vtE^;JX&3%DOE_3jED<+n*Xt|&6J!3UbjC|0&WBo9e^fZ2!^UErEXK#`v9tU=R#XF6FQwjNCoY@~dRDVT@IL&TYs$J~
zjRR|#{nlkJUUZD7@h$-V;4I<0ku{-rOiRw0f%Jyqd-;=q@NOFdfgo80ahCI$PCNp-
zf*1B@#dAIeuc7Pt=Hp3(2B*YbPsWSj$HDG9$U$VzBs-!D?dzmVE=UjiX`T)&%_q2i
zd3jy0F@=ras?!Sl8tfuLCVFztmW!P+B(qH(R<-q+T0#xy)ee<*I=EB6$#P6F*rbpE
z)Cn<{C!b?+43@RX8ZdlW5HQR(pn-}yJi{g3&~3G+w!WvseO>$
zrV-(SxxG;=v5{5+s2HMKWL%Y{M66Zxl)(i02jDFU-yKJPooeH?)(MK&7eDxMj6vYo
zy#N_iz(VxSLG>#2*3yi*&hVAYwR0kb+sv{JZCkGhrs;(PC?vi$OSIz0B^^G#no}~B
zS`&l#uFZ;)yF(}(0s;cVyS$_UN7Zxk-eOBe1VfoFPDd+tst0jm%l0AfFH7zpbFP6H
zQ$`@%w|H))KurvEvNVOtQH;4VyiCG~-73&+&VVIgul@|6uNGa1)J>W=B52K($5)|k
zqrgDy8FyQrI5V{uUh_i%m5+4$XnpY%9WdZGZg^#->wS%YHCtCUI;Ao0El!kn&gS>A
z<$*s`G+AI?KbQu{e%CDZ>!6MQ2u(pMkO8?wU+*=V;`xvLloqa+g(<;D@d|t*y@GQI
z73qmM&bdOeDAyg?1O$*GIZ2w@-WSl;r*2-jIt~!5z4$TXzVP2r5)Hh?UEMK#>HPv5
zU|{C&4t+C0f~TG!N~?^=Lij8I1r1$C&Svf;IU<8S2KyvPy6RBreCY9Siql`eV@mFS
zxgys03=3rb2n7NprIzV^*&I@WVS!Yum$O@e^7uhBoFvlw#pLDnukh-K6Znwu{}rSP
zC(z}BmqDaL@1T1T;4hXS9|%cYwV@Z&sjg?YVvjEeqVjIjTpRZNWKrJ1px&)-<#>N0
zb^S&$@-DYAlIwDqO2{C3FsMEGEaNbPfq^91)QJ;F9Tb|wLW<=J7MVwGepMvbLo@QDdtPhm9%rlF
z{${NSK>q~wWJ8TH42UGgSG7)Y
z>2%yW2)f&JTGI#?9=s$@5$roEl`?Yjw8}CKD(ZtIQviqe%m9Il1V6@@wGL
z{bowt{yb>B2i`Exe?@-xknib~_Ju;|K!Hubs-#boAc61;e7lGbmpzLANai?!Fj)NH
z#Q#ctu+v$g4|vX9U^X~wimUrUIL)=ssKbC^Ark^ao0U5jXH$StVR0cd0uwWH4@zic
z&7n@1?l>^jasQ~;Uh{!_ZR#RQN|lfj$NutOzERMx>e*eHixoyVM%gUYxM^
z8?h5${T@XBeq{<8ks&{7+YH9_g7ysXVVaw$ShXAFT&WEDtv3HWa#7edu7eKKtGbg^
zlL?R#HPx>(hDhY0k&O`c^gsR?-5q&-FQ#a!uU*p%7hOx%XIK>yVj*GxFXmAe`07pN
zoQw%BNT4s4+VIg-Cxvp{^HAdeva7O)mwAwI!F)1~tu{!h=}@izKo$VJ%lUvA44vO<
z?i05i6*Iil^Il}Q<;4F5IU)U|u=VzKV6Lk8N`i`9OAL7u
zba<+yTu9pd7s^x+F!)WPsXsA9N4BY|tN?2rAZ&Z){{86NTDSEwn{uLkW7bXqECCuIJr+yJlEhUMlcSzOrH1zX{&-mvPbOu3pOh|Kl~>(FwM
zpy45;dK*@sla}+a==vsK5>||OC!sZiMQ*8yNYw1+(fWiwI;MdvZts)
zVE#UIe!jFwL$_4oc=R5-Pc8{;{(V6zeItSqfW1x_hvBoqPUgpCojo1cbRH)nS)|nT
z^~Vqi5mC(Un`@<|uoO{@pya{DoGStt;h-4_SvMOw=rLC-nAH3h8>}|1DqI6+ViHYa
zY=0475Etq($;q
zur*C#B(EcfN(XR|pvK)0OCDNRrFk81IzJI2<;%E#cC7y$L8A|d<8tfVCJ?p<{_p+#
zd>GaSlAWoJBO+%u_?P?h=(pax9zyr5N~6papYjjKq7BcssS@lV5u)VvakNK0@xK!I
zTu#JiXCycE0O1a({{YHbPuUkP(*#2C*cJG-laZxbaj(1vDfs?i#i(J$yCQBdV!W)v@w8+aw2y_h6lAgo42`
zz%kQYbhVJ@pjTg}8DQ1qR;V;FV}!+-z+yCMBgK=wz*J6i?O$0{z!j$~?aZbE8XUFm
z+8S(breAye@rDVPfz2J2NP+DtykZULT%!rbDEJ)Xb!n_Em(m$;5bvGf_^^?O*i&9(
zIvQrA9MCd%Z1zCFRbdV@3D(wD5m|{k1iGnOaL(Jza{a8zLVm?U+5Ss>4g@6I=8y_h
zC|U*FX!oiPn7cU+jex4yV?vk|Yk&d#pno)`Kv?GeH%6+!qU%;ax8H@SmhQJ&^H-V|
zYc}TY7&B((o-{u9z=;A+Oyq{W2-DOt?TAZI0t4PVf03`s&&$&U+Esq(JLxbG=
zI#G3`ySFP%>_ccwJQpwDAVsotNi%0a4$Z2i5CCrWkGlqu?{*zkf$we`ma%70H=qu@
z>_9l|l3UP&aM@{!3ox>FV-*tU{*V$BwPAr-i(x2^$Zyr4s*jQUjoZ}BrO{=Y#*((I
zvqDz>@UK{mj5NBw0*gM266FL}*{QO?w5jIKA{YYa<1GO#I2454a1ekz=xQwJbmLmO|FY}{#tI+9}J>DUgLYi8vn}o?4#cECT
zT&4poN^7&kz1sWMd62C0JKwp`ZG>uzHZ
z5$6)+4u>Y_^=}-)*7CGD9)M{ip0WX`Qu6+WrpvA6PZqB7K!R@;0;Mt(O?gqdDQpGk8;WVIgL{BV@i*xKh9PT)sb@^c4^?-WTtQ
z*B^5GKO(0Ibp1A=(!K?K1wIS}g+##PblmIjAdF`izIVhfggulD%?)FfGE8wl;*)np
zQ#^r%PBbR)Fe*?y;L0IGvWN|WNY6HlQPA@_VC7pg_27rU92(n*;4+T?iiiWJ>G*Q7
zhqO*zW#pLIb1&V39m>oSWom9@W`fD?@-8=X{u}h<`flpk1=|CDv{lJjtaN4SdZ$tI
zf+g%&-U$9rP;;*CcJWB$aS{G(#Kj0loC!RtCCLceJ}JOB!+6p0<55a{PHv;|6aw6B9`k+
zy*t`Ae|%jwndks4^o_hxP2TU>Zl(jfYp|_T*nJli;ckFC$#(xR%Uyuv`w&-xCEgAh
z;Jlfd=I7ZRmYF?O_us{6ADCjS+OJc>ibGGeqz0T^AI$6~qhdVVcEDAx69^+uM
z7On-fOHk#uRNmthWX^tl@n%XbJ=ebx=8u4`*FB)ZeyYG+2HIxAfl?4c_h}YLI;OEZ
z@E!*Sa)whzXpJ)1!UdG5Ktsf*QepK^h+(F<3@EgoCXfGBHp2H(kNop+{!bUR?bt*7
z0HV4hV0*e{uVY98<1$?CA;q0}9#It84`n?Fh%o-g9FPuu73S?ULw}!$z6V*!
z#)3W2qFDekt~n5|Gax*GVVg3p)ST~nQp8NIo3BCj#GcNvREH_vjl}-
z1J5f#Hw{x+kPoW7h>UEXRoE-qVL*d8aZtuM31rgQq1;e2MG3%pgG_XJvlako5efyq
zQJi|-5QQFh0_syjOnYg)C(<>#1Utet=oqIW)K_PJQ+RUSoI*`U)TaQQEOt*|!(UTC
zpdYF<$iLNHC_x~?A%8$Hyj3#>w-?PoRnyTr5FE_9P&6-GPX(B1(VSQCU4hZa5IouR{-DCyF3>7Yf(!z7;5ke}Q&sUVM3e>pOh-!AsYXG+1
zHKYfG{IHF4{O}hPB!Z1ebe40TX=%`dYSeP^PUie|@E~27AxROB4Qe5Rr8Y
zD@_FILHbB|oeY@86w4Zo>UmL#jhV4d_}Q4&b!-UWZWgX6VJ}Pm)|vsw2#G~4Mf)|3
zF`OMw^yrpm)}%g;`WoyT<&uKeijGtGRJd2rV@ogg&v)3eEDSq{&-=44j2PQ8ha_US
zOn4H9_qP9iXmXeSyp+8*Z6UKm5MOw9Sr$a
zS@>|Lzh;Gt3@Y6q2wJj+fMA*=p5OdkK=O+?&U(^Beg3je!D8;Ag%h$$HpBp0xotg`
zYRX#T{NoSBzLmgHAZS!*>{QNy!?46s&fEn>Q6eC)K^U9FYkt=VkhUhoo77!4=H1Q%
z+nA0S1Ty(Xx9T7(+X!VgPz)Y2Ta&q|D3OXY54>^dVwHPDhcMMr&d33Dqgo*%SJ&E`
zMl$QLu@SN*mRK;9SebLHhB>yo`%1unk4BnUJ;k4lq8~X0TleqOS5OaB2j4zIxm@4e
zs;PC@J?5Dk&3$bKaUl5b^jnkZ1u*@V9$uM(2XwthgrIHRf7D7xj62e*wlX~uJ-6#;
zeh0rP5-U;eh{rRgA2p!B+D0K-Xk$;r{}y@EemLe1rE}+Xhs%prwH5=jv{sr^_9lU+g;{AccFtdY`qq%JczUKok?;6~vFOp&59XrQ=r!7v_ob3xqR#5cBw+{mU
zr@II^*Tr=_hhY98fpXY+K0_!aS65q$brt;S8~)+w{rgCb{f}$v%?YhO#DDlMHOaO|
zFiX8|%H3m^HA$t+v{MESpyZRK6RFGnXS5T?4}tDWfUYZ1KHjIEL
zPsu5y$)`+%gUcg8(UoiVA^7tYaHPE|?GT}}i5ZYf1RjLpZ3ifVU6hE5afho>DnxzF
zMZJ_oN9NPX;2AUd2Nl`M!_V-n&qfhXDBq!@imt)&KpBEerHsnm@i8DzY(jX!NG6VC
z=n#tA$7%k_q22uVB@U27i%Ryd99oAb(p>#WIHy=5(2Z6>qz!?PL?ZRw@(M-o9r?^Z
zRr|kI%d5isN!}cgvQ8Y@k!F*Mn2q2JwKdS=QHj}zSm+fWOV9TF96eEN4es~K=am;<
z{MP*?`@~`UKJnB_xI`SyGKwdm01C^ZP&O*jB1bV~Ik=|b0l)yE;-V}$JYOlxyYV6)
zB}fV)gqgKGoa62~Eyrl5>)ZOaRUshfK`VX_Bc}mPQMs)|I*g*J0-jOS*x$|&<0Yr9
z2^w~d*Xato-Fmx3r@B%^c
z?eeWUuq*Bxj0R>WSp2kK$*S@<^E5)+%M=(38a|!lDC-WKgw^VrwWYm%@y{GrHEFkB
zE3soOY91dA6Ff654t>|rADaDG_MkSTTV!c75A^XZD`F(cl9>B9RM?_ZKnr<@lnUKh
zP=jQfv=gfTI*d)NnnS8AJX2-wP0J=2ma)Eqi)U3>-W4MeQ|R|(XL>$Z8!N|i{>VH$
zUa5(S(rB2=5xmZ~-S9U1$xq6G>At|o4=?6XGkfym3D02BG2
zP5{W5O>5_UC*0qb3h;k0f1u69{u;#nW}0foj>1~@3GQqbeG{2QWy9Zk@SU7T6J$uN
zw*F}R0bi2;`cBq~)?g5x028^N6)M^Wk?5&MRLR4AS19{XdX4t1{8?J=#$8KtY?CBv
zGI~#yST-wzZ!kS?&vU8l3Eg&>F(UaGp{MV?nKT{+mPh`a3=zhJR!>zNMV!w02e6ge
zqq;cHN~409Zqc}0Af{|^e9b!VuZSkj4K}lE0@zrESev#upTQ0|<;ul8z9l6^rKQEk
zu}cCQgWQdca*EyE4GXCo1PpLCQM{d6MOEBsg+~KU$nq27=SYSHp4NL^&GGjvaeeuE
zPOW#5i9u=H<=nO2+a%q;&2j-H@+$`
zEsfOM-U{S!U#((-KP8hxFG{(oDLJJOu$1*l((_@m*HH0mH~(t5UtzLmy$>>U68DuL
zx3GY)wCD73>!j;_Qv}ycRdp|BtSQ4IzDc-~I%R6SJLvOQsMMFE?|xwAC)#}_2DgND
zs+bK3xIr4YA8d#PLav(+l5VAk{7UUe#o}KB(DTh=o)kamglA<+ZUedt1YHHpF&>fm
z@%rFC^BQ0147a3;j&PhQU*OSF-qVE3S+3|_QXv;weV%yA56`3SwO$RV0)(C${S^teuyIn!|YM;D!@wey_
z+!M#V@x&=p6{+J`MpH6bcySR`2M)zGh&#+-{WQw*IT_+>T)y+g<)@0J~@
z#su+#&&&|(f;&-iO6Bw+0YBEGG&=Lma4LDS1)P-DphF`FuOaENG&w!N{?H_2Wl6HM
zG&k18v|5~MORvd((7|{5-9hA2zAlKQGJY*rPM7Bpfl7A+4Ia@(%e2YxgYimzXOh`y
z4_yaBuemzvD2Yio=KfwS?`yTq$j1q+0RQ}%(udV{($cNkCH;kn=XWa6c%Cx<_}&=8
zVX$YjL@_rfuWw98qo?fa%G1S)ba30P0w_8MEl
zGZ)BboH2WjC#kl1knzA&_WIXRNomFy-*|BUOPGZC_T#tNvRGQbj8E|!;mxHGP!Go~
z=fn-|_59&Mb*{g>`tUtM6p=a4n9~X(b#?V+}Hso1ZLt~N1g(Cr^&gqd8UR*F7>am!Ix^>GfrRh(=t?w5u%v4u7wsjxa0e?zgK%Ew&{f
z;B&j4&1+@pzyE1-pAJ=Q{jWCnkOy=gcq5=8OV9ncF$?(V4J*6FS+t=SESx)@eTJ7`
z^b^ifDWaIc_GL|$9EF(Ti5rc>J+)D;SRu(%anme~Az%yl(2#3o!qoG5tPjl;TgxMs
zS(o`FJANr=m*m85j8i*u-0W!Jk5Mq_WmrN{%EvUy&|+=-*6iQUN#^s=ycy`UYpdYn
z4~Jn&PbL#Osi#V41wML|Cq`OEPp5G@4JOKFrzg2G(u>)l)Q6z}!_sL`DU?M2tA3s(W^ZN7phrc&HY}7y8
z0qE;ONMH-Ei^)V##pIj*{7#>>C}RDh$yT^Q%aY;5(5yh5uohvMP6%YqOX2J4rNMNL
zTBth2v+&@X6mr<6$HZw@-)PI^C%0O;U)a`vZ@N~9fP`f-NnR6!e=H#J*qb;U5(!?T
z^!7$WjGkE+&GeCufsV>;
zW0@VnYaB)mPzkTe*zHJ`aC~A$L%)kyWg?Wyw%8k^7)Znzs|#F#1F|dvca$l#>J^99
zS_Xp&7LIN<7AH@AEWwLU1FJUTY-9Ug7o-2hfR3zeTi#DfT&Ni>5U~>vWr3oco{|1|
zKMTE2($kp_2m~lY1_eL`WRY8%roQ2?$STKXEw>s3wEX+IQzQFC>BfFyWCb-cF)=Th
z$<1hxlIca7CORBuSkZ=TPQq=$8$g!e60??S`sGlD*&=q}fvI9W>EUgrmsH-Mg#unt
zHQajj!-k*1#XA0Up>UA^{!@Aq7QapMBXdK418G{2c7Eodw-mHG;++7?tU;^YC|rKq
zZ-3ZWW}wQG7MHpqBd|a3a3IJ5KukQ7PyV9+CG9F(aHoHbKEE@stOKW7SbHbU21u#c
zEuaRnyuBl|Zjv1P$h6%pew>MB){~K8{M|t;3{v^hfe#$SI+z<02a?M02MIWiTIm=OBg=A-GlsiYb;hEW%#gqK;_F1Kk8)sllean$fd4^Q
zZ2;*IUolT_wF|7nIzWl_82Kv`=cIro^*H6MrN&Z;UQ0%+M>L=Y+nHcmoeK_@3+F5;
z_C6|9GjzIVN}eQ6eP7=$-654jvJxK7dfwNUNvC__a%0EOwpmR};nloiO&A$vh2duf
zK_HqYlg*5aT!e<8JQR;KSaebjSz-^LcKZ4;`n(7BS$UBJN2k2)dSCUzGnGR^z`3=O
z?N0e`H$*M|ZRM7Hd0hhEmtGTUIn+;o-3;29cS@;{uk)d;!XS0b@N^5n1bb^@Mhc|&
zVe_iEgZ*QLSN^*MMT+C?P07@T&U_;VT42r|c3E!OoLuwjm*?mSQY0Vs`t)a6W4V?3
zOsd_+SHwTmrS>qZ-{eYm$y=PxH`ve+qEGNS-10X`+BcF0?M1e-_fmoOk$Qvm-HOwx
zl!}Kx(<^17?Zp6h!xb7;8mV)Ol*Q!ZeIG!a@1*6+?I(Xx=5q`N_Ey(x`tS?etw^$`
zb56HFklQn=bgCxOt;~T>l+(0yZj_`irPJ*d
zcC01=V3HtRw-Eea7)u-)ZDl&0Kl>d=4ih_RPUQ$$N}Dz7i0TptkLHZwve#2qu`BeN
zosf6_y7U2+w5dA=vs5y@_II_p6g~C8Le8Jb!r3sasg*S4&bc?h0;D@b5}
zo+|N^_mE@h)$hqM;)pB}#IJTwLRlc1R=k*@pR9J4xT}``6F-zRo7q^pt(3qIuS32Y^NAl
z!}gr*>jUpa!kgzN(@8EjbKVRM7&5GI1skjrU)muiELKqr{_4SXeagBQaLFPmLE-cT(6ru~$zLsdlmJW--EM0pZW%4Q2`&Iy8HEC;D
zRfTxXz=Z%n_{ux&onV{w%FS@NjJ?mEl$w~EYK{A!-A7Q3x`BUl)K-t}AxQ=A5_d&!
z$3ADmWr4Mwv&TLi&NlTjLXC_D-)=K24Bm7X3}y#9Ot?r`FbwQ(4bjBVT>i52m?R;!
ztLM4gQ2v+LC=3N0#=&-bUn5m;MciEJ9N$<I^=MOjzNu@*khGbrNjTTd^b;@8885dOTvyvf<~
z)Z6zlsVP3P$`?O-F4&N=_N&Cll>e#q?wtR}PA@H{e~$;o&*H#KVZTKIk~DpKH2!B=
zTj?m3ugCk}PG*I3?ZCtfy1Onq6VaB19To)2&oN^F)yMrrXbrrOM`lZ(HQl_knZ-qt_)J}xP6el
zPTiS+P?pb1W)}Uy7pl0;a#HC}!hE43Q#LeQX?dcR?W?*!6(BJD-2dkdQH3!wm?D&`
zm|B~)**|L4Ow({M<)^^Pe2dGm-LFWgF&uRJygtAgb}XVELp>fyxQT_;(~zvo;_|c(
zEcCH~Y{A_Y%f_V%HFu_8CkVf;S
z;s|1Jj!?QhB+qc{HJ@Xl5v@|n*`HD{E9!~_OJ0>MRj5EF%r9iB0EhIy4Ht+bH?_4I~tRYcZuyB{Nvq8uy3Q6M1`
zXBilWi*Trrq*E)SsnWHKAmd6TLQzrxQ?)7_(@nHO69l4foEFGa6FqbF7P3ZZXfjay
zHH~pO2HnB_U7)}e^A7jxZwi}^Rx?pmiVm98XmK?{&gI|LM^RsXeW2H2*A6*C&+xRt
zSwErG-VZ!u6&n@5Z5;PiSg5dmQzF&;#izH%nr}f1c(MPbi$EOq|K!meiKJ|YpZm$$zp5Ha+
ze%~d)j{kAkFj*V7m^F~7&}UzdOqk`pofN=O5yZz}Fn_t*1~o)#$;?^-99J$k`6iVq?}YrBR`*_o&uw4Bpa(+8Sb>i#s#X!N}{^Hn(*hd{U!BoNVTVJSrB*J
z646OYKIu`I19w^M@dG}<8DYTn7Jp*yjDA_#YmI(wY@@ETirBOCK^_zo^>g_(xfY~s
z8?^5z_wzDJKetW&lk^k0WiKjCJpcCVV`f3$z4LujsfsT+#VzdXra
z+s?eORFuPdU4(VkOh<9wnW_&D1}w1X#JU}8TI^|G4rs2|28A7asC$;HyMEeM7+sNv
zp0)yt{99`%W@D(CLsYi40$(*)s2pkCklbpy!IjexiE$LiuSds+glJAI0S=7;456=r
za}9cxg-|O%iV;o6pof`%^Bn*AORz1%H{;^M7LVkI
z49Rm?pz6;}Z2x7YbQL&Q6}yOHw%xx>cyIpesIAU`zc@)@0mf{C3JZ+XH~ZtkK@Gv?
zm5UvmC33HvweHm;_pQ@bdvwlg>?NL1ByczM~@IWg!C;cRrvOl(*BnkF1^(q)nsyA41}dBTT`KiBvQ0u
z;UqDx_k99?ja{BA9Pi&mU@yJbeZk->V5ASv@&xj$c$H4a9`nt{1xf=9r<#5JtA!C3-5#1q`Z*G!G1iuWIt3`)n+mhy2f#R-a%b5*M&-ml55DwsRa-sVp6=Xi?Xoh6|dWCKj1}MafBlNEA6?i
zEbueqKR*NiCrZsfjijCsikl=kqPTb-toqw`_YdSSJB|Aa{2RKZfkE&wh59_M}5o4SnQ7P&d%a6U^
z9Kqyzgks;bzW@SK9a)EKGV!7W=C{m9Oex`gWPi>~uz@&l-y-uS`5Uk@FsQWCLmREq
z&;Ce}GEtxGv0g-`bHfU5B!Jb!>RHbT>~*K#`-^_06M=JLf@Bo5C9pHZ-ELtz!t^PX4eXpGb4864gpVq
z2vwW6OwPaaO8-EVzd5VltnzPKHj>6aul#%S+}imP^`%sW`WG_~P=6}AAsZJ;twF|a
zLS*mwAXyfDF-46zArix_o3T8b#562k>*g;gDp~DLd2m8YD1g(+y>r63gA1
zxNMYyPL3vVXlPs(whU}b(z?7*9q!?#iv?W-RYd~|p@?2!%fsVfxHhduol=AI{DLE_*PEw_n)jrD>Mqy_FHoP
zw-7o_%*hn(_7Es0%-O7APKCL}hZ%g&uvXt+XZ*vk8*y%oB3lGw)P=pn<(nuFHambc
z1&ZlPq_eY$;dZ~pOdW3Ll?BGCwHiBquGTj=9R<=Tu}7`$4i@Rs=&Hv*r!P_`vk!yN
z3EXlR6>%_!n{g@xx&z-zEu6$c+16vVpO6r!ZIB{0qNd4IYE&n>O+{1ROOMfN=*i>kv?i#Goyg9
z)FUtIL}J>S2jj7R>s9&YBOE>;6_%)R*NBm9V)NB+Tp)nc>UsX=`xT6&sM_B05nM0W
z0WSJ`cx(XBEhL@U|IZs5sq^*$!!%)`V17$DNl{c$sto$mO??#~WR1J1B!
ze9sp#3hKD1a52fydMq|UCTe#Bi^WZVU)wH5f(D`x
zTMY-qDlD>_b5|if*6tFjvi8ZbJ8{44;LbdNv!%~L)pBtAwR;-(^6Pht{}0hG*>sQD
zVB}$UM`>8kjER_+TlIu0wYKifMqBFf9oRZPVz!=Cna!7oMjQ4g$Dj0_Q!VBbZp#_A
z8~T1~mp~BBs8*2yZi6C}6#?Lu5aryAgKEf#i4X3#%XC6av}}C>Xz#LeXupd|(1()V
z1ZclU{-@kh+CgnZ~dLtq(R1
zu>`Vcvd@GAo#QsJj5B`c#M~7qG&FCKw2tgrjoNNXm1>Jc#)fOi44`3V=9ZFTWtps~
zrC5SE#>J?z8(jic>^cc^2RZ@Cp~K^2&^a3TJl?1}R9UB1t&WIpr>`4$J^Bk$a#lf-
zG$eA`AmswsJ-o*bZ)3Z7F!WHwMgqgqT!tA1u@GiFA7;Sa{6{)oS^!VF#cyg1s5v4E
zDjf6L(3&&EBfI20b-a;MeJM=JLh{UxJ3-pW62J96ex(m@xS~%sGrOV#o3Nu*O8B+}
z1QPv-Y$|T5$*t;*WTF_l-+eJO!epwck0`jVg{SAJ(TW3lMerjrjIlP}%pPVnf_iLI
z+|&1;FY0-gY|}V*<%dC>&>F4rs8LqVdMTs!kQ1p}F%6Skg)HH23;ibuWLfWpq{^pPhH_FR(SVJoO?bdFMi!P(}X((a-bX91$)32_pR%NdgvJv-WCfS
z^IxZx30!D`wT;=qvVspN2$Q4(2vV$LnKm*TzY7~rvZoD)!z7@$ESm4$N}cBoZ>-aM
zq&JyjbdfS4G3`SyxyGCN^uO8QP^dmmu3>|I-LWBig#~Hx>F^Qp=Hx(XV$D&K7BE0Sb*>HEpvT^&R(3k5-G2oc4$k{dYjuS|sBNnahpLD}!
z7VKvUJ#$i@)&zm9${1}dUrbZp4+KDU=uhCBkcXoM(nSi9$rRjzCKzl&EiJ48R%i|N
zV(@aBqQ@(39Zth28)S#RZsJ;Q3uet-)YY?je1$@|J#5#Jm0kPhG1-j1k;UM;m{4EA
zJWjHy@}g{46*-~JHhLjE1^HT6Q=nw(HbKpp@t{dzDRw>(LKJaSYm_&N8l>v#Q!3Z(
zYtRO*?aznMxB&+olBPa#a(7sD?uWK>`z$3gi(mhnEfIx|`kn8Xf6+fa`s`s(w1bW<
zpc6h&5q3gIm7FZu3%%`-hRHCzCEktJnGU*lcSM3_+$xD-p2n(+EyYs*R>H2XU0XBR
zM%XJw|JN2nDe{lKU`k&r%+Q@{@-KG=ZhMMXje9Kas4g9q&5$$(ng$ECgTfr^_O6SG
z9i+}~TnrqBVVcW2FjC+@O))L|YNsIzJb!B25uh9q;Iqw5Y1tq~a5gHKhZMz^^GOV^
z4WM^*$~&i{20z;6<>>6l7Bh5?cTrIE#p6}Fqp-e3hU^r5zu-9}x9v=H-cX8aBSmA7
zQY}*9+kLe8%%9|9^r%~o2f1Fp=q-tn)?u98vXCj|OQP
za<&Im{Sh=0KLon~q8)Isoy3;QZ(lo$=|pI*MAkWXoQZsFI9Z*x{Gq}q5@{$Lb%&-A
zCCM0v)uYtXIM&C7$gXOQ#*R}FvsN=To&dZ9qx4p{3kXs$fvR^Kh}77QMxE_&R4rvZ
zfD5w>p?1trB*o&G^i>XNI}nZ|oizqNJ+GOjMK=JPi8`dsNU8UMi_iYU%W^uy@)oAO+KvqH-r
z{V^0%A*d)gPNeS)0?YtG3a;;XU%)z`#+pDqzaM}ij*#Oxf=nq5;XW2v#RG&0f)HYL
zpl%96ih2QYQ9s7u?PoNofWOjpRa}@sAecmE%e@&=74A=ynm|iq66Hr2gG$T8ZC;eV
zQPCt4>LpH@@J7N+u}}sz)C}pVVy$>%$7JiDr)VQ8Whfk20MR&9<8(7v&P|m-@ghMw
zSfwI~B%F}99^ELNo!LTb&wj(e$rem`rJCR6wEv_Ea2D+jN9>M=VQ^jqV@nabi!#dJ
zcZu}0H2>7SSn;UiS_ll8FD%V0tF-jfDX#fC$qYeiU6eJa1bthL~#hfdisXYE|eJzN-3Ju
z-&?&N46ParBktkGwO^yQwzgS-f862SJ*%6#F9QWjP9k-+5-1Pp<7qKC4ke=qTh935
z%pbopKJ076J*~TkMB-Nlk*Cm33qB0jGlr#GNgMLp!iqpu1AYR}e8{obu;?Fe^2~3D
z?ow&lU$r#r11}-HA(u*r*5T`qEe%x9)1v=gb+4~Mwdtxj_AqV3%!U+-3Hdp^CiqNt
zo&fYMtIr)`*pnBk{D|G*p7~K_dwm*oVnc{Q02At(wFsNCXRhWz2c{pDRkUxHD`t=;n?HVa}<{TTmWjB@*t(Z2$
z&;*t7cvzju)|AD?X@ycbDO@8rjObAhevesZ|TyD2$#P5M+jaD;oK!P~ObZ3o8D~u!3%f6xPV+9^171Ct4Zdyu5
z>+)WR_Vp|8%IL;p-sl`@25AXhDOX!nR3>mNu6yA7D@J&Kfm%Nr60z<1%)0Nsv|_HW
z5mRf`$r2XpMz5E#f&T&swYN-K-R7oR+PXj+@-pxfL=jAppO72mSprxo4naWJB-{W}
z!WK9+0`Ne)5?D_h=QCA
zL5TS#!Cm|CS(KB~Lf>M|b*_EUTHD1ye%kwG3;(eC)q>RXc&An|zU_m#y+u@NyjDW1C8iMM<
zpprX`0aU;hZv|As2H+Z?)(1Vry2ApR&&i-=X9yf9DA-K}74VY*3l0GtgaCnLjf{@&Uf+tG
z$psd;YL_*>!rL9@F_(rogKKjvAPuC~8|5C#q9t3Qio%Ot*NyqgCf!LdI7A#!2?wGC
zhiGQ6U5TEKK#?>JbEb|G8j!+iAyabyNG@!fvx18xVUgsl!8MI}{@`!D`~2BmY=kua
zq6&o`5*l1*LX^;unvhgX$m4o$;j;)5L!roaCA4FSiER9mb1pF=4We{jC1e4AgnR`z
z3XKg#f^~VAN9X}JBCbcNS3a%q%cP&J%F${7L~ks`7yRkovl(t`r+nLV5_=4wtJD>5
zum0BCItCj#k4L6QAs2ME=!P#TZx@J}0+6{W1==0QEl|Jl*pVHpdh=SJyt%=mb*D`9
z7CzC}U2$Bh?Df;T2r*?X9j;1++R$jSKmlqH^2hl}go)bP=BZ;5<8O!=8L@I{)Tg6xb=eSxE2IW6^ahUb
z2Z_Bas71)6MC;AM1a4;%)QK>EfgsqT;<$z!Jg3eCk4QW$4fn{zr+E{pb%T+{RH)tIyEyN2}?)=4aa>{lRxZ*P79H8Re>dCcusrx4yBdRf@&BigTNgzK-mp
zl;%?So`Ua4vqdguS`&C%PkCQ52Y9Jm>mJ5)%83V~m5Yx!Y}@VZn71H}tx=?RW~yv<
zP(e~?1sK{y6Ft6K@r_MBna-ebhIX`u@Zra3;XP$ZYO+o?2F{wZzB51#NTqDDu3Ozf
zfes<>lb%%A5lJ!vUOg*;n*m?KJbKy2T6KKn4yK)FeqZ^pr7GfPzspwTf<1+Gx{s@H
zGP>)auuEgCl}UBeIIM6y4tvbBAjG=#hGl8P4rfZFdeJ-q5S>f_$t@ed8vHhtIA2-kxQ{iOcuw^V!5qit5`Ea%WvQQ$O+)j9UBkxS@Gaad+zK
zML09dR)V!W!d-g%ajpz_#sp`hb(&-lW@{@Arld|)=
z7izK2fzIkycsBen)|>5VqJFNg{+X2T=Y15vnL4uciy5?bDEhS|fxXf1E5y?<=e3QN
zDPL$+D77;F0fY4~@kdN0q6G*0K0F&Z1vNBdv)4ZJ3NHS@B?|1Pk2R(AsnP34IPe|g1!00ascC}3gawIdQL2s~x{fI-8%
z*QG(~s$<;0fer*APEX>PCX+D$LIAJr2E#=>ZU>XBd&v3qdS|_yvYz(w^kceLxoj65
z&eMB(vrT$TkFf$#Vd)zHJ42y+Mk=J7W5H7=!2;LF>Gwx11|qfO?$y^!lBgmCb?m2$pXGsw
z*bP3^l#t=>X90rI<`mRS68Tng}<(XYur21K~ID*WZgCKzu`jiql
z;>?>PAVm=wDB%R!!jSZf3~``I|1_Wrj0s6HU>hzHZCgo`JrX;qwjG{%|o%L22>#Q1C*FT+c5ss4bYEVJiITc9?f@-1oGc
zgzxE%?XC8}4AgPpJqn!Vh|oa$#y^^uYmIw_xvF}40g{*vc+#6LrXJYTpCC?MRwqnY
z+4q&uRQWNjzIytSaMKp`H1UPY2Y&=&>-+}|yTr(nq^vT{D994Lk@$Jj1zG_5`fWrDN4?PNvSR_l=_TVp&@-D
zJdxb@jHx`Sx+^9nL+4P{<-)4_VRW<1=(E)YL%c(BwTD;eM6rh4P`r}9;bg*GdZ
zx5AT&hY4(IXQCuqYuLN@mOMY;FIq0&%BF9qS!j5O$mj?eDLZ7ZX6vuR$Lzn}0-D62
z(N7o`@JZPx;X7-h~$j0Oav$D()?{2kJ+FX&`h*BM$~NYP3)R
z%SpnHI&GsUvcx%e(Gu_J*`lPEDUcxCNH7v11IUf=r}PK(UNr(h0@z{nA7AQHzta27
zHK=v83##|2Qx-qHGY|_8BCLS15R7Bjegf=hi4X>MFo3RK^JDSs;Sl6jm@tZwP{GCl
zg>g+J6qpB?4*+JuzaFFC1%SHJ+Unl%MWoN@y?4R$RRU;V#
zQ?+E}v{@2JK-MH`3xXCUW|}_B$%7Y0zT=i~k-idZc#*!y;3YOOi%B+Uiit3xuu8?I
z1T;<>YY7apVE!zf7f|Ql4b=K7rpljinqI~N=jO(hQ`EEIk%|Jx+KNPusR^7L0U!W$
z-KGL6?>-)~edQ-QmzYjtWJGDHohoq|{_(|wpzy3p;}RiUfpW24{OOe_5AB
zSQU63&n=MmosBJuh(ZKokK*A+{|+*<=cPY|HQu||`P=MJ;5L>jOAp+d4U`t)Y*M}7
zd{K-wUi0_`*hyE2yckqg4N$9z)+I@GqtiDPogL6o!D-vE_vx=Sd(=i1&hc)HO1>w#
z$@=@(BpoaE{%@BazmM8dJ5I98h8Pcrs3%u&0?gx0AT@&u;zc
z%s*@g7<8Dd0vRUVN&%*l;)`e;PqjkyTTO%~D?&BX38T?V<@13Mupa}u&G@3;qPTm*
zbfl_5C_!#|yx(hdjWMM30I+*`Rd;-NzTU~#Opz{>5<%(cw>(#1_l@RS7B@}Dg9ca`
z05!RS1A9Q23sOMN!}D1*WI*)2#4fyqWKY}JP2b)DG;bnNiO(NIt@BT5?j@*o%inR@
zGE-ja{0XdJBx>Ziys{0BpElcojK_&AGu4AAN55Ri{8g7_JRYJNpF@an
zzo9I1gt!XsPRer(B2Qny9QD3|z2)y4Fxvv;6M)=d^y`R#+>Mz$QIKb=V)RdV!^|ls
z4HTVgWY0pA-T;I?@NJ{v_ulvOs0
zva*^bHdd)3VkkKn4zdV^=RaRG6
zSz23M-zOj=EN@XMtybIFY6dc7Wxr`?4#dw$=KhrU$7
zKW4NW&GcHkl+6UZ_i}tdP?=b;0s=;g&S<U*bg4mb%KYg!Q`
zqka0fMKc$EJfnxNFdDjkIt*g`6VJ^!ct~%4rNGM22rycbn!w&WaZ)}t*DN;Xl*{}e
zLWE|jpaBFiNz80i|T9PRFZ10rBi!Z!c}|5#zam9GDog>Xh@gW@$;
zIomxjz26BizW;9lNJN3Z!6X);2kw6(;f}?1(j<`~LEp*YsX^-h#(DmR&Qyz*PX4tH
zrSx7I2m}vef*4U0grVkMg9i{gfM5lYBM2&B-~bvpx&tAGjO-W?g~VncMft0<$TW-~
z{_uvDp)JWxanr(=vomrQpH8vjZp-b?%I0lO>^E^;^>T5FU_Q8Wk$qrIX<1Rd`ng{*
z=oB-KkfxrBLrBT|i;0R%__1Rjb1ah@17A{ZLSB05UNOcE#u)F6V}!R?beQx2b&2%>
zHb%6>^Z+$vz4JA6r1CVg)5%!c>-UAN1p
z+Ipv(D=p^4(13xZsjV?~@IOyUR{i@(vo5~TcuA|?g=H1v^wZVu$-%{+GxP7m$i16y
z<=d$EKS@29g+|hJx#nk`fdM;QR&Q)rD>h_)V{F%Qs6+6FJ^ubVnm4lBIFZ
z%B6sJWr?k%hp4MX3LdNV)B`|85&4(A}#=)
zXsLUyE6t`WXiszTx$q7|4=QK;B8i7(8r$)hn+^7wlO;N$#=tnQ_d8$jG+M>^Ai}&;
z3Zui#x;)+7+l=$FX`W9gJJVca8nVrMp0ta)NshA$-(6@veO(tH76yq#Qnn1U03Tiu-5Sdcc%4g
z@5ahHgAi8@TQGDXbsW2_KT=3QJSM5F@6A4lH7ja3N0TdTht5({p{8)YFVw*|;K|~Q
zr7^S8Y(l-yz@33mUWswXnI?jl&ohZK1om-an=Bz(!bI2CzB(x4G&?4n83WhSmh^is
zHW0Ab5S(~Obd&IgtK7k-87x{G5HpBA@7o{`ws^dC_ljBcGDBGB=%}1(2hu4E@%6gj
z@4&4jxz?>w^R0GsFFR3tVF(ggPi(-H(JqrIteEf_lvRSD+wJ=4d!s%{7QUf0O$P6V
zMeMb+Hd2R!l@L7bMv-)I?
zp<;f(&_pCx7rLRmkR}E$0{wWTU;4T*qd_b&pv`?*tw6SK&fd^{a+u9b;Y<9(BY!%w
zq++m}euYCOphpZ^2DqeEdPr5YunZ(*iR*(0LKkR=@V8{*@AA#!g+36F6%^
ze0KeW6_1QZmzY5VzGpggQh26RZZo8O6B$r*>q_PRQ(1GfF?E!OF{WK{Cr;I?HyZPy
zOR{UJV{ajqgPsEW%5-U&@^P1;rz~4OolaL+I>ymIwJ*kVEp^6ViR#P@>=Vs<&)7-<
zn7VEA%Jj;$m2$b(`3AQ==ap}diUz-dJ7jNe+D8pfhu$7!Uc-cqw=G{>!GSj)9h}vY
znfONMWq8;?9`Dn_yoj9#HvKD^*fQ?0!)n1`rT>FHEbGjF+Jqxx2_bi`L84KQ>I+*6
z*mjBAczb4>+1FxLyl^fy>ohz~8`b|~;|kcGpm5hzN34GwPT-Y6jN9k2#jyZKt-OG$2R(*n
za2)HD`hl{Co__%`<&KG_RyHfQ%HRS}Jah(+3-YAHiN*#nvLH~ZPCuFtj^qTcP7{8`
z{u&SF_O)$)lVLO0%_YM;6sPte(Mp?mhx#)Tb@+EdA69Bw*mcpdw332wJQ3kleB%9H
zAG!N^FFL;CNj#nRTRZpqRq{Oa{ga=N2jNA0R=?H$+Tkxc0Kl9EiswWSwUqetE}qer
z!Axbwat*~LM9*Dpc@tgo?Do*2A;JV>+qf`Eg&3RWHr-WK=q-vrO#v>m09LePKsP~;
zBr*9+X0$~6A?pV8;>Al_g)E0s@+>;TP#%C!EV6bZ58@QyaFO*Qz%Rjy>924-`o0yL?fyzX7nAsAvMi_(rB#4m{!Z<4dwjVk&=N-CB$^tw4#C&vvW=~
z%|Q4yBtlgZb5>X^#vU<2XF+4Drfe~=el(Kcpv)_v{
z<+U=S`E^e$fM(8oEC>^|vYxwU@|j}ie0$RSbh5c*9$P>6F=!1g0{7fEZ90wh;2bfc
z$=wn0>7~POw8HO3>;l`|vq-Kk-EIK!6A#a-nBOIah2&}7wdx+_-mKc8Sp|VdXLi^d
z8LeCFltVwpTJfHc+kRlf{5YI>>e1%TVQnhnMz3_nt9+W!8Qgp?nad*>q2XjSm^bs7
zl+4pNo*MZT&FmpKK>4aDsLYrWQEFwCD6_yqo@cv|;N%8UVV0KU>6@ibm7U9hDtq4rT;F)F_@0CG36Dd$eJ%2KTRM+&OYbp4p4#%Y}
zDtA=nw~M7`EZK%>pP2dny5R4VXC=!`8lM&pkI&*=O1Hk-02kEQM#T!`e&<^
z;tS_a>BE#D%RrzrFu%7Pbdcpo2-Lb4N0{}(HosrH-WE`v;+&VoG|lIT%i%SB>m9KC
z2@k((*Bc58h1MnFgt|M?k)CbrgMzcoDGdMR+DDc!oFKW4EFVq9yj*Y*l9z{P<`CkG?)r%}T3
zs|D}A(rP!W>=)1Um4T_-Lc%C2?v>0FWzO_Acm&7SS054XyZP0I{uB1XkXQdGnJX{OYm|juJ3r>QFAiK2gJ%Y{8+~;ZFpZd0Dwh;GQb`~
z#>;TYb0|BmPcb}lQ`AJ@h`I4gBEAqsK?xZwU=TxO63c|?+?>}%`Kd16=-tD2dRC@m
zad}iHVX5h;7hjXttIunFT;uICW~$~Q=Qppy^!Wp#sgA!ZpNN9okGjnUBfU{?`LP&H
zz25f%2NJ9(@<0LjUSs8%ss1}Ku>u-yE=(dQJcqNEtK
zu1A5Hbe2w%eU!!K@0Ilbwoxnu4HUN3cmCf^i-!IRKzMMVfTXCbF!X;`ll--J*5knc
zO~A{YpHLA-AIJ-^A({bhJ!XjSC)4
z3=12b43$Xz+1ZMc?_ZK$q&CZ1eCmTLaQVQ>)LQ52^!y7)5vx*u_&y6rlQ6#jy)F@f
z^xIIbiXffkxcpKNO6AI!eZaSV9vx&O@(+o9Ac3|6BWW
zeu|ZSw6}YGfBSd?`mI*QL{|btio!bMA!sP?IR8oq72(K{q$o}F)H;#$L%;wM&u9GZ
zc0fY<5dr>ks=gEaaAZoy>68sH-ll(&|9-1&KNpowH7&~?cK6BHe(dX1d=npjb^Tfs
zrpElnNS}<$0ue%zrm2~AOt5R{;htq$jXhYMgsZSwW{k5mU(GXHTtMAPb}ZL5O|LXX
zj%ZocRq;LWW62*zJ(&4%#FjR_7_DADhW)YXS(_T2@agjrFD(aiYdODPw8FM+`+xKS
zuTROV3*s+ZGr;8Vyid#KeQ*EoRzO}@SfX#I+8B+PnVOrNogSiyL}-IQ$c7cs!HclC1Cg&qIjjSai|7Fwi}
zv526gGPyiXY>3c-1Phv6iPFHoBQ$C1;NOv|+}lMRJdY~%Jq(skz6UCct@;~5^d8C7
zZDF<0-*M|q{e!|a&i#UM`{n)p?}7Ax9yb>@IZ`CDjg?|CR%xvHjI!UT;|?oE-4d3u
zlM>Oea4Fg5Exw*RpOfYc)RJ%bGaw?v0qJkY)ov7ZS}1UKO9(?
zSee@xR@c|KIkYr4Rx@yQH*M|hXV&pC^U`y1C#SLwO@BWcXRq)ct{-*gJ-v$babVZ{IZa$(b_Q6J=(n&@1+eEjGB!upEWU1s94as$uvvL&wfjhlssiI0(&
zxv!psg^P`kF+C?sUn4s+Hv^l#wt8mcq}`13Y;DSs&N=JI8?XI-yyyp?$L}?-O_z<`
z3452jq_VoMi=0c}lSA%lJl%GehY`h%%ctJ==jWHRr@X$fKmWF9M`s*$Zyx;H+h2e0
z`@TNBu%s+~zGA0qFLSqg3#(5{7cN>p=tzFT6*`q@Rk3H*{M~o)+6m6Kstpbo@)Oa5
zMyM#S!q@%(+QR?fQ^)n${CfNHL3=Ul&zx-{$L!L;Js;}cU6Yg6n`_--c#1u4BSxMUeQ52SWwx5q{aiI-jKSmzIy!5Zh4U
z7uK?elbXM-sAyH;NImq0*M$G18!ft)k;^4<87%Z>c&xvHaYdb}B53x<+>TnIZYaNa
zBGo2xpO-^A*c>E`D*J
z*HtTZ6rtc?f2@P8dFvhCPO;W&0((&5$?`k{Tb$jNKYHgqzi!%1KqCO0K<}>J4
zSwO-Dnca(2pDpR+nfNMq5DnJs6KpmiHP!<#&r0@B%yQL@=2@TI_U?I=r!V0d=_X>GX`a$KY
zD^PKW_f#w-zQVA2a*G~J?3LQSE8uby>iF1_*hPTD-)tCgiorj)`hfOnE7qh~kLP*z
zMDE@tQD`tsUW+Q%Sqp}h;M3zxKDf}En-$!=HY++V`Ap$4_*i=WqOvyGiUpOE$I+FW
zSvMc)>wvT3O(1f#&eDXjMSPhANUXBSvn)F(roAh|26!<_?}hF!7i#bB0fCO;6NRUi)o|sk@MA^
z&|TAxjvEKk_zolZDBq$VTnrVjv9+m^0%K@dxSV+`Efu5`!oAc;x;A*+7(#X=d05^}
zv_&ay?hjP3HoVw6-(1)4wrym$Fk&4-Z#go#kc4yK;XG*H-dfTA?Qia)4ilL=(`jOn
z2-#6Su^FY;$E`GGxyt&umtQhxFueNJ!@P_iA|@y}PdkyrSQ&yW+sAtDjnCxsc&>s%
zC7SkFJ>2n0J<1|H<0Ow#R{*DzvO&`Qv)S^8gZ$jj_;k6#;u9^cPdcT_`3D{gD)1jY
zDS^yFIZV*Cc2dSmz3{ZGk>wV(TVwL?XBvK}3MK8{>vpG@O{dx}q8!52i3>&-_#bMt
z(-O4xi%2}p6v#!r742Wz39aMx)Vjahz2;UMU7qTHEa(6X%?W&6HWNxF3-0f@07*eh)V_RAs
zO}vn`EkDcQ{4xn;stWX(%|Dk?!p8Jtc+(_E;hWgaWeFQ(MT-^mZB?Ep2eOoFx1Gt(
zf>X^0s*i6=pC5FLg6#~!l=Z)y8zt25AN+J5tB_98qVJVUJjKN#dj}q(%&=+B-Vs--
zMQ)Y&gA!X?i~72Jb>Vo0*C6b=4yrokoRMC$I7tU>%VLi9g#C_w7WxLYq`8@rZaB@7ftP&BQcV$o
z)zcE|a@#ixTyZd4+k9B-3f{AbpIcIhWJT{gasbz`5Jg|EK_ph%-S;${V3p5hkbkey
zY$uO_AptU}J!XcV`KYLIP*hWLj+P|HY_D0>viOZ4kVcgwPV~#2GMiR+FnQGP8_7!V
zkvmOaz#nfjPJS~|rh?LkrZjBWKgLW;WZHRQ-z7ofC%%Be>|(v*!Xi@-&;5$XMlJ#!
z5fQONIPjXDv@g0Nyub#_(3FC77t7(%yz?{?+>VKUA$Ym{foTrBCG1(iYt7wMlT}a4dR^=e#Mvb+y44@nFyaBtBsACD%vCLp=jn@h}?IY$WUhV@8bLQ$v
z7DG)l7&+cVO^>hyF&MIN+egGgjfL&+=qWbUQo+y!QhNbPTDr{@TWnm|rGR}QWo1Ju
z9$T+^=8O(R`zA9tV$JLkw&Z8xhDi1#V=DE;fMgDHyMtxu;qmdri7CN9u`-Nu8xobep7&vNN&Se2)Tw1dbebm)%JHVyG-N^?7zQIDCMX
z&|9f25a%QP*yWjTgaq3&Jl1B
zZoQheJ0MWFFXk16=7d!jjKeH>d%l(!iVhe8gC7yTRJ!_B+CDruE6KD-e9^E1@;zRt
z%4QX2;4?BG2USAsA?i?m5flq$C|I~+k;yzZBZ~k4n?bSg2y6D{>V7=}uT%W&ubE#y
z@5lHl{=wCBZ)>8-E%WTK{qkjg+Sr_%v&?F`BA4og$NVXYxq8Cx{EW&eT3a6`Q(^xuKK
zDxeaZF9rBiyBIB#&(7azp&6xK^tB`^7!WC~d2QpGD=Ke;v=5(d`b}Y|1*Uaujx4J)XUnRTVxmWLl
zzu24%TxRvsp;LO*Vd?Ohyy{1nj`;nfBR~E}=6$KaPkw8E>zw%8n9j+Uy-wBtDC8&N
zYXZ?T<6j`axlIS;55NK-4SVUd{7|_o4qy>r1z;Uu3t$&uKj0|f9>7C@Cjid@UICm0yaV_M@CD#Iz%PKm0-OmbKq>&B
z@&TyIK-C1QK2VK;YKc^F<<-_)XKQM2R`XiYs@Auq?d|PwCwtde(|zk_YaqF!!XJxr
zczgJ-V7plRPLvqzFj)Rr@7!ZmM)CG!KT&}vUO4k-Fz$F1-1G^j^dXk@*os9q5!+Yw
zI3!{iS~xn+V(Z1}-*JfDhp>|mR|P_yIVi#N^#UgAfn@v&N*Ig07I&up`FY>LFNx}V
z=KGcg1QI`BpuoHyo_*eX_2@!#0Wf^mKDx8c65=+5rGA
z%aj1)-G9b*2OW2xM?B>PuQ}~KpZLlTe)CV6fQgEfw?}ViYH91}>X}%!V%3^;8}{rw
zaOfOBgb8I_Nae}17q8yD`!M&}f7yZ`zedI;re@|AmR1N8%D4cjw6%?`oxOvjle3Gf
zo4bdnm-hnw&pZI|+3<-E-PrEf?5OJ;!M?g&n?}P*!$vt+%>ip}Pd4Dw5!pDLS(3SJ
z)_CuV37d5N&$a)*k+eAR{uZ9P5;Hiwqtx!euK#2S**KR}>sFt_ezBW_S1-T9fn
z^%lDG>g+$x;(ADpJqNJKL$KkQ&ee544?UY&X%PC|$5RL%qk%KPPx&?~#P@oH+nd&F
zjSzGD80N}8S-V_4Ou@P;F3(bi75hvGYu+!&PMg1t7Iv7guQ_!^4!ifU`C;0Qd(G@x
z1{u=bO%$`JFm+}PTVQ%oK6M$v(yZ66!n5&TP9W=8`2^8MEt$J2i(JRfq};n>@mT`h
zfpde&sia_BYum>8`!xuKl}R~7_lywiG!9CV&OUydk+wzuP57umJa+b!aHH8&(t9+(
z`@fX3)@~mAcj4jk^e@JDjOd6a@qA&eZE=XWM&FFLWo{#-ZZbLmlHf1&2H6D|Jk#2w
zG~i$7%C-e)a5s731DeElgR?asNwu#R2+YsCHyw~S9rRwClRK5^_e%eXF?&XK$?Q(5
zBky?!6Y*oyr(E6FRJPWvKI0|dWRVljkhOk?JjaTS)kpo!hVq7Afg^oF2D;#!;3;$N
z>>-mA$z~rMYRB-~Ogn{G@j1EP?q%cGd=g??*L}rS{M$l2Q}H_2j-fT1ba0P?zG;oJ
zfe3j@{uirhlk+5nXMWzepQ-)}Ajfv4tn0+tPXmz`6r0m8xSGiT5QOHs&*vgfgF7~2
zvhCW!E%h>|6oK5J+Nij}Z2}L%Czw!5-0oNpIe#f-&;%p4
zNiDZIzSy{YxK-KA)^?^Q;`nKH;0H12;%1m#{!0@XOsH7Jq6T$C)AZ9Y|;Q>uk~zcCVR
z5gIR|cUC$r*<(8_#;&ZO0yVKzSv^M;@`>}Su?PwnjmTOcHNr&+87EciY^aT4At-HUA700cU&k~B{D-J`B>Rn%bVZ
znKG0*iN?VcKtI7EvIub)<|Ug`u`}3ih)n4H8sKEGwerbwR+es_7F
z(zuLJKegWl0lIssIAK?C5Wi^YK)
z(9+Mskzdy8U?CzhDmo@MEMy?^dz^8{8-IccCz^PYmCB@`X2WV1rw2SD0RBEP@9~-_zo?{gf(cf0L5HNnvB({D
zB35DPWN#-*=jxO|m+Nu`U8!GEb+v&BbiKiWZZs^=N+a%}n|+c(-Rg_9YJPy!Qc*@n
zK>{a99q$?>VEnNfI7W($nVAzian7H3Adx(hnDkfT7@0Q71}VrAtdU)#qh4L_X1FJb
znB?1J3K?}D?Co|NF<8oXwzt3qBFK=3d=#Lp09QKOy-!*h)E?0#eI(OqR|bm@>=
z95RiejFHA1@Ev{5(q1mej^uHF?MboE0RoVg33tRN-wzR7Uh?wS-~f44P=yEy&1f-W
z2O~s;EIIN_v%qm|Py}-2SD1v>BVU5RMnE+UsL|05PLL!i1{h_EB`CJ{7|yq`S{gw=
zrGBsDg&9oo)DjCjsk0(Ksk&nK95RpefA)1
z`<(k`SX#v6(;9T5P&%3p$?R1vT*MN
z^TwYMtlj3soo@#II5$1X3>PUbF+VOW&fkjYW*vGB7_}$&|L5*pA9A~Y8HuL06O`Rt
z{(r8|7pW#!ahAVV-V`;OwCXZobbb1hw<{*iyzf?Rp`71+?{|h#g3w~di7(-OcZ{VZ
zd8$Y2gI~{>xWWX>q-ORw0bRi
zKZ>7w-@lF$s8HCV&d(AqDJ>HRZ>7wyk{pG~)fj6+wv62Gs|2aC;XGH~YTB$xt1bgZ
zecF>>ZZ&VdTeXGaccxz1XY6)BD3$h0NB)eYn@*q=%KwSW!Qcoa3P5A9I6RT`pr_#J
zz%P;9TjOYr+#36IysdHeg7abBLa3N@t+BO2f8Tuqch1sEg*98e8L?
z_$0Q2K}fuCzj-lTX8*DDLx6D0AMKU)e)XR!5hphI@-yfm21bS
z>eN;3>}sR_tGBTx*LA;MvRC(iNiOOEb6@`tvGt&9${RkfgZKU8+a7Xd6+x+}HFejK
zHv{$yewM%M*w?I%{jce9m*Ps?fqU>6o|4=<$GZ@MhmHQ(J%;D4e~!9_ij|o7!rtzo
z5)eY70%{BmE7fcCTC-L}9lG=w@C@z1Kq~hL2ul%rOR3I5fid1RRE0R&M
zOj)w!$dxC*Fxv{(S!P-L|67LQV;}jF?&`TZ4VnHXi6)gLn@o;edGZw~RHRsmQqRPRmmpD65tXdVzyH-8ZX4B?a6dci9AViPw;`_5
zhPphL@5Nwh~~cu4<;r#j;b4m@u@=-6tq$H9+AZ^5$s5xDy&nr{IrjFmgSIN6sRJqcbyXJf@qnk;UTc<~b?jDet9jaqf;
zHG17p%)p>TiBU8ii844WEq8zN4=h{Zz+X>|{RjiBA0?Z--obUW=o)E_=dQTM`}kMp
zx$5>hXPt1W+7F4+L5Cf+?X^Nhij{corBY?eRdn1*zrFB^2-m7N3@T32N%vI~Dca7z
zcNn#)YFGHG1vD~5XXOvjU$g{CwbomI169@@v5vaysk5&7s;Ra*@e(~&&}0oY*3|1b
z+R>X@1|%JW#19bHNgk>gu`sCvi7{;qG#0`Qb=<3exEy0Akv8Hq!4r~fX%!<)T`@i0
ztmEDGUi7k89@clrC|_Dx<$`@tna?;Xh(WkO+$3$FE7t0v5$36@UA}(ns~cg5CbzB@
zRm!8emmD`dL5gL_^m_B!5Vh;jsY|yWz54XelvmlsF42>Es)hqH-D0}xp^cTW3)t~#
zrbSsyVtV;=jmI9Z9GI%vqH!Zf>Wx*ohlT_cOUB0`;e$CT&
z)G}hf{P&XEkF0Xu9vA5Sal=0P~8;p+#Qpyj3^aWV0={X0*c)Mm-q5t0SJ(2GALJ-E!MK6j3o~)
zy>CfJm+8uyH*AZBJ$bFJuHlue@v{;X+%nt|=w7f~AYtYTLxj_qh(%x-N{FjpKjzx~
zMOUenNY>R_8cVdB$g=VaiH&X`iP?R%Vp#@^=K=3b<$J-eK+21Km4GwCMnoV!Nm@UR
zmCJdAVaP+i6cQmwCM{rsgh^YEo?%)hWzV4W6MFH{^B2=
zx=Z_a5Q2dc2$FbySQK-D_HzgjEdMhDpoFTK&14a?FKsMO-F^pFpkn!kL*;_L-@)L9DH@g-*ka-E
zz}@c=j5P@NM?_;i;{6H9{(x+(Lq67`n7^UfKQYZKM9!QsJftKKE6*cQVI>3#EuS48Srt3vtJUeUXG?TU_S&iJw-KTI
zobn6GFDbWEent5;bX$2&2Hf^-ziq#7JGWii
z?k7RzB?$~h0RnJ<2Ld#ygnO`za$TW+6hG@91rx1B2Y>(wKmi7D-~=P$2KY?71_%vf
zsTcw|(WMZBZjs&86cV#A%k)b2tsU3S1sMIych&&|M!8ts85OGh0oug%!IYPl(Sw!J
z{^zs^NGNC+SU7kDMC3jZauhO&NT6$ujuWLQbS*ZX6v><6SyC#k^fJoq{(GzV@-Rv#
z0b6F_BxweLIH>aAxz@b>
zn|B$585$+^n%hS)YH9P$*Thttclnf4B%-A(b!kgq#xnQHoBHv7)KB&QdZ~m;SZG9m
zz=LSoT?;!GzmTY6r7Bdb)2Ky$gVD=NSGnzV$qxy2ImsO+?`TK<;wFwdcuXUvstljgXzMjaYU20SzezFkP`WhX7MI
ztt(;NfsrmIE|-OSv`Wj~>Tq3wKbvZU}|>frDaF
z5HUrfPTggp$z{o+Yy}s)_mBb1_-i+9Xv5{mQxf^~P)IS)DdAN*auqRBYc&{2D8+uo8Xtv|j-9PG+g%G4k#0R&N{iFp@6aFOACR
zr}t^^TBk>N7bPmp2N!~dvZdT;3}cG)9g$?qoTa^;JL@~96IGV+wNjFuH3V8cVWB<#$g5};0_Sf%S6H55TJWtuf$?3(Vy=W^cbQECP$caO=WatT~2m&KKEW!zY9AveZb%tP}y{967~0T6%$Z~)>c_~!2R
z|9qafiY0mXM_A4Oj$LOCuNv!p6W#*(4StbR7tnu^Z<*ZhT#m)6f6POf;RTF8G%x+X
z6lIB9-i61MUJu&6KOzwde|Yk3j(^iQ3(tl0&94J6Wp9Bh2VWDw?w|V5k<~c%;6B73
z^1+@@KO7#k%@p?iAAQytS^o1yZB@sIem&n}@`0|Vtmty7n(4|U8t7@k&OCL|tf!G%s_5&LL!{sD6Z5B@
zjolKmE|2vTnO)XT(4Cw}a_YC#YpeI#yiQzO)=6E~
zlY2@}Jv%WjXI|DP_Le@mpE-G)&;zBo(`OV)98&C|(PxlQ{+P&b$z3u&JZ166k_4v#
zz9JD|4JcrB0GuXq26JS^UUNZrOy2JDp#}Zd)5oVhV|)gadS;B{edajPXOF=?Yn<#0
zv^z_*Kl$TkUp;R1HRCo`r?YZg>)VG#QeU&^X~z3vr*N2lA)x>82ZII_45*t_voAJZ960kCH3z7<
zXLnTi*^0hX(6bFw8!)qxBxWVpL=^j+63awIBGK^v-f+y*9Cwiup5dftlaORW{fE0g
z;~s4uk>?4y9%pLPi@DPcYG5;qEw0iPG^qGyHM_wjlvq+_C705iQvZ-mY@WVtEWM1&
zY{>KMY3qR&l-a_DHM~Vvw+kCxR!ho$oo+IualLwPN4d~tPZWeXZ{|GE0U
zxicUC6MlmA@4rSUQ!L0Hmc5%b7?$OTy~tTFan8$}_X=@dEoLT656#T(bEM9#UX5V#
zu`B9F?zH@F#n<#l`eW|;^0>AlA;{Rquo(=V3q5n=FzPlA&-~1oTMpZM#@19W+)YE_
z*nqJUKwFQYb@+OVi{2#Z-7CM$ChxVZEpBb^x32E3-xc;Pk7WX^#Pt1wgjJYZO|`qt
zZF(~@u+7cd)unTGZtU9HoG-t*^Q!pjYym5Cy13=tS}!Z>-HtZ2u}ytlLYu$AbGK`2
z+e&Qv9c@iJ{{(ta2INqC+S|VNci``rJ3{MM&=Up9ELc|A<&;}q`4v=nU-olF6<1Pe
zWtD%qCsDXV-?PqFQ*CwC*HB}d+wvu!0cxqWw%XhJMW005clrhDZ0D7{(k+J5NK*jF&oH&dfZq=h@5t!almz!FTS}ob;1)5>N8M
zyc@6MWS>-$;Y~hiy2E?+fs7do*7NXWaPBTl=E*wQC+EU($9eP?J#cc-Jb5o|x_r9I
zZ{x{7*n>L-r|=Y=VsldYeghAlYHFzUK7#?pZ7|^KsHcHOns^Q2vhPr`+IuNVb*!><
z7yfz*S9CTktvjWa*sTu)c2N!r+RbyA5EeELF5be%>O1c~BUp}rkXV`|%MSiu{FdkB3>~Cb)n3Zp~a*mbaaqbn@4bmq)y=oFCTP
zGy(U)DCcAtWyW%Pui({o#|4OOhHPtoO-E_-scl@c)U$ytQBKQ2$EB=FR
zd*Hr@9w}C;O!<4S*5s&atM`vlNseOOnsV`BPl+e54f<%j^~O^vJZ%x_GNmsvL*~M=
zWXyVPy6T?McgZ<$RbBW8b?v%?uEC3N)oiO
zw$p_w>^i@#=Nu3>X^zR1zjaP&dww@P+>?14_o#iVb
zg@11FLqs~~eUE~M{^m1$o1Qa%f1mpEeIS6~31&&el!%9d^11nFEIxxm-`OwE%YT)q
z7%%Z$KK$1qkZoTwRcT*TlmerMjTSC?K{3J?a`euk`9DIF8||8>4Gd+=Vqv-j#fdY>D@
z^+4>8#TC}>;&3CdUGj7vXj|WSH-otCnK0cOJru_hZz92@fLlTB3G8+-F2T8m;I^0C
z4ap-E&j4Pbd57T>mTx$I;rU0f=U%|z2}BYZ1{Mw;0TBrq1r-e)0}~4y2Nw_jw|M`Q
zkcgOsl#HB$l8Ty!mX4l57^83zOd^?C?(2Spjs1RQR*Mt}TREyKSVP?{G=dSTVw250
zNYxOBf{KQY@f4(%Mq25lrxp4j^z(Ac9y9<9Pfj8W##6XV&+
zV@)~ii@DG%x!R7Oqs8w2#i#!qeBC|V;q~nAPz&Z)fm`tk-u>Qh6Nv5x=E}1m5=%@X
zPP_z(k|ax!Dowf!nWVC0lgW`QuP}`Y6e=Oz`XxTPI+k~-8IfKx-Z=9)OrI-<=FPGB
zaD2WjESU34;=+=-xD+ncf&ORRyT;|cWOc6~?=@?C!}{K`F)TYH2_=7%Z98P&PB~t#
z`0aYdcgr7l+j)B{V(--0do}mJx*Jk&pVi+N4faQq{apf(DntPcK@ki^2@GQk7>y-$j3T=M}peZ(#QBhx)z`Wu|56!=HjEA+nIUxc00
zWbL$AH*MArN$+&nFccf7%ckkEdHQUb0h2Ri&y1K_3g4E)!g5*MLzec4@5|%I9`kcg
z_%($=`_msFTY#R0=v#z=#lS5AVJS$k_Ox{yn{)JwVaOTM)A
z?!}(()k^mA+Fs6OUG5FP5tn@H9jz?I&Nn|;%7*3G=K{j=s7W}1F2
zGtTT)GtDr|bfws!M1dMPCqIYLsYo~)hC*PDW^h!pW)g6v$U7Z^8V9MU^O0s!&X^vaaANUAuJKpE>8YrCYl;T{?Q4Eo+u-
znQU^iWE>U%B;k)g?$~4Q$9z*x=sK}Rq`U9eLP_D)I~1;IBQ|a+OI^~^mcEP)+0bQf
z*gCIzHCwRJNb4dF<*aS@euH9RUsqN(QR^lX2W?|2{j2?}+e1dM`-R4SShp2*_l&n6
zq)VTHE=1FT5W#5S*-kgaFJ#s$NmCO8@4W*DNN?$?*Ya4u?if+1oZi^9BQ|{(#dGJ=
zj}|>f%viDG#N9K?S+01(Onz4Gl(L;h+qu=Oavug(Q*XOpx
z*h6g3u=n7HYdu-;Ka1)xFlm$O+|^=afj`*iK!2OY(sVMOm9?!;4|aWP{K+tJ
z*^2n&5KYt^HIl-6>8ZbRpcBxY7Fl}pkJ98Dg2Sgo=K<)koNDY&sMr5diU(sycIdnZ
zdI7ij1Oj-80fb1-rvV0aEFO$aK26Qj1YaC2c0MO>-i=w2*h(HxcEU2AZ8>JOz7)Y;
zk7>TE-m(bO(u4^MJcuQL+x{wwwyEstB*nU-cS#56FqW(s2ZEdpNTidT1564+1k3BO
zU~4PkED~50-901c0E;G*vyPj)Mir_Uqi1*Ad2xgZUz8_};oi88X39rY6538>%hjEn
zELT`OyXj2l6jF0-Ex;yR-I;)47QoSR>9`4y$BJH0ksETxMSx2QSgBY?|7>bh#6|Qh
zx!hdl`Hk^7ajSqY;%#r}Meu2OeGz~KffZH8deLG`E>57WWP*B2T4*>BP_rtBajSFs
z4Joe6(wJZY>eZ@t0R%{yUYhbMOd@$_KHv6%5;jJLps3CRr35)k2=uxx^;TjrQ*H~U
zV2Nv>jH28eSlZ(;o;MriRWuHZQi~QS=bOFM?0ufEQu44LfeOCaPH%P(u+E=Lt1?!y
zK^eZUtuURDOQZq<)Cu+2@}FQi2huj_VBJd1a1N};(Y1)BCA`(qeCk~lLN}{l;j9H-
z$&ObAUfkr1^FlNLHb(@m36b{GnfO2z*IF3FUZR3UEy%M-+F+lf3Uc{fv9*p$0gK~p
zt#Tp3>K%6_2ddei>Q11B4SA)u80;w~!eSvRHg(0JzPL0LkH+G^sHq<0BcNIFeQ5c4
zw3us*A)lHgmZYK0kJN!4S&zI&(WC5X?osuiee3RkmN5IH|6Qnf*37=%nJc!XRXNi-
z*8bcWh#u%8V5GE?7phhtSQ{3+l7!K0z~q{}q>V8eJ6*F#Z4fBe(P9;!vbk33uB>lB
z8`rR8uss6CP?Uk%|5)pvpZC-rwAM7c9WYaaRlP{Kqng`
zReMdnRv?e+Gq1)aD@(pAwdo&cMl4QU)41mB?SO?qEi8Y)@;yoE&dJ!;q+x^!S<7to
znqa5=tZCS8Nqq9XIXzBN0s2m$i)#I{?
zs=7~Jx*t#c=4ukG#FqYJ23}dB{(>Ba7A+0y=<+O;*9vT}kDdqw473q00C_gHIyeWP
zY7W@+pOQ1MldQpp2Lbz`3OtL&Q%ismcuF|T1;VS=Y$lz04d&gRcFrY-W^Oa^t&Ud%
zFLjb{^r~JV^34RC+*5K3FMYG8dYT)TTr~9-`)JFZq#^gskfwJ6?nB3HMR+j%t8ee^
zuz+F>)?vlS6as}v>XW|+EcF-=z@tmEECkk~X;7aal-8TKuWP)VGKS%QidE!+=+L#8
zgS8({UuS)mj}wN_bRY9)y{%LobafK}qb4y=?S7&O-sMb>IRa$SBG@%Ro|?2ThoO$n
z7lbdNc46wZ93{xDeWVM;CKq09M7s$|Gn4{he$4Nc}^oP?I
zSe)na=$80{<3>{bWM5xE0N4MgxBM&bUxcE@Um*Pf%4&jq{S5#61T=d;$3
zG_&XE(+aqLB}eTwjnTqlH5)nnU!=@C>QoGy@2Wtl_M3PiSz2d_P$x!w1vJU_OQA)J
zUIW>KaIJ|q0hXw(4WViqa-^bfHIyD`xrwO8cLV?+Uux$zYC6cNkqIPN`VA0gI
z$VrYf+v|@$_!Mh80^#8pxc`SJ+r(jVC)PVHc;wK79oE9gcpTn`76Vg(lzbHlSq|B;
z7oxd%k86tV7N7a{xS-&bfSlAM{1pBoUQAX}#+&d4PzfWT9w%6t^~5;{$qVy
zewYHaL0llUHw`aFB}_wA=|G}vh}<2QnTP8b6`G(o1q0<{^ErpgNzy>LH>^Bgx{O2h
z3K$bA#Ycqak!uF)Y)ceX6j&f(?KTi+WpW7swYV)1RktPQ-s`PF>!)^n^i{onUv{NB
zWg@+KScB-~IrG-D;!%{ts@Pm41DQ_y7eXok<&5GIyR6CmnW(UD!5G($R$MRpJ)J;o
zzU%k#6JXfIPFohX$5I|eeN%XJ>JaDQ(i3UIBiPlTS%oyB@oh`dz2P3%RP_1=JsY^`
z3>l_j}stx)8?}T79?yZ+m)O
zwAZbd|J$Y6zcgwW1i>S(;*)SxP}MJoz0ynMl~dAXlU;PBn^q1cT47-4rJ*=gDIU6~
zsR)`BjPQzrdaa}dx^F^ktJ62SQ)775S{jkWC=ib2a?Qt1!yV&#;P8TsGH#479VxCH
zEJ1vY?!pjkdr5v0Any{gM-syTSTrIQ&^RsCyA?pWv=q$1iUNgAb|{?!$Grxk9^gw|oDN=3kErB!oGvv$SBi{Vs%*(ArxdNU}Jy
zR2#Mda;PyCu8^4X{eXe-@BLNucuWm
z5%c@}a*ufW-D&vt_{ZYz_FE6HVi#ltv13~tcrtI5^azYL@UV;4r;U4Q|FTE_cg~Pi
z{SBX*r$6D}UW9{Qo6v&=0(GF3(OibCGT14afrq2GovC`f1n-broH)nW<1B#INa_k&XM1#%{==0YSF%v9L)@R
z&Xddb+jxv9g|sM*t`EgD5se732Xs2A>W1qgXd#8W-Qz@l3C~*|8bjFFA@(^cl+q>*J$9BL8sj*hKesGiz3-?DhX?Ps
zy-9?d7!kB7G&^U=&Z)n>@%eSUzP43kcL)(6AtywE=nbDndWo6uVWA2{7f}r_Be~LB
zZa0_18K!6|;f<+PhcrK%$336q&sGR*A;D{A$F2(wrD1`*xe$Brz
zSFQI;-}NMRqUPo?jc=P-I1GDf>ky|J2p8qX{&p3#N@PRyK9IyIeJP9w6S~e{)hd
z`xKmP#HYW(Tu$;{>Q``-t?by0HSlu#bDoH&t=BoXV0ICqf9Si%zKcDbXWOo_s=>W|nM6w{!UkM)DG!*bSU7-*F+OvkP-Z
znmKQhhs!RZ!&icFst|jG6{Rh(0dGn%mx-MQNmAHLdhQOdJ4@3xVveN+*OG;T0jz-p
zsZ|C60$$PYE;Lv`Cu0f^tU6x^c5|hoYGIPXS-^ZNeRe12fAjDj)Q-ha9iL>(HqPQ~
z0t7|Ca8$8%n0B2%8sV5FUz$CeY=eWU=)C0&o2X?G2-KG=OQ{Gg0b-o_+fK49+JqQ7
zv;BFq*;X?>=(K~-S?UpJ|!TaH+m7W;&#|^}5$Z~J8;O)S9AgZAh
zuIxV#$JtPQ-IxUroy|+z&Zl+k@Wu64Aa-YGcE2~37rTyf5L(2hhtI>g-!!WoA3uMo
zd?6OG78VV7awY6u{CMX$bunlkkIbSKKNFVyf^Y3Rn;H|M^Jrv60U@!z-F{bZzI<%d
zW%9H2o?n=$+)a%6dSQwsVkw4y76nFMhv(x?+Cpsq8`+ZYn?_(%cnRBK==%qk81%6C
ziXO}zzKw!NScGWxOnD)vN{uZ1K~9XF#{FL1QHtaQgcyTBH~|4ctU^R`fYca4I*^Xp
zdAuAdb+IhNirUr$vAhI
zWSp3sMSK8eJrfdmNt8@bEei8AGYDt-l7yU)altuez)(+Zxn^bVjU`QQz!=TLVjwTH
zxW?U(1Kg)s(ltE>M3Z(avAe?VDtBc>4~Mp`l(C_(iA{hUrdt;y0kk^yjAU?SvJn+q
zcP51A5^4dG`!beoZ@yq3X+ufVg&bT3DXg&LL)?QL{_r^y#B74^C7bQnx7~7SYZ(|L
z147!&7FjCw1PD>j69TA|p0h_~R!+r>s*)}yk-DUM$d{vz$QO16Nj?SfOs%MzUW!@a
zP#{6&)H4Nu)`hmA6n@VuYvTyVF@`y@eYE3I1$ACVvSjcl|88<6?zmiMpqRiunjyA#K9_O>?N3pwi
z`?k#pVhm3@bZ}cIz}4%XY!DC#^y8DaTrPDoT|fTew*H8#6@LG&@5~TZ(2gb;y3w3V
zGPKbL8MP9ty7pG7q=SAdB%izSW
    x{o9f|7gEmo2*wv
z?7&s&_B`qFUY>GLIw{v9To*&gMh;QhE+?bNPT0R?7!`WA618s`CAQKeiO`;^lCE7l
zbz3bz(~KSUi0*_@EX5E7Q;9_AOU#0)g9SQJMW>@d
zY+IpgICVmz?J?Un@WIW;+paH$Ls6Yy9uVS(MLkv>KF4lK$zKvam&_6Or)9Bl>emu$
z428RkeA!X%k@vI69SslFI?qfJmKfenq(ge{M5n_The>b{Z^oS#cE~}Sgke5ja@QI9G
z8|1I34v{mkaQWgI?n>CBQb7qfL_bflb>64hs0?jpaU)4;6KgCw{nY?l&!%o58h!zb
z<1V8idvq$r0=jqd5KoQUPec-UMPga8R!HR)41iOG-E)<*`G9nnqE
z;EX_&2+!w_gjL^*7V~Npl$dke48^=V09mo-!N|(Nfcd_~zMcrcI{L5#e%v_eTZkc~
z$j)BqhI!a%a(rJY%i|sAz9WX^uPR)1(y^v`H4QaOad5AMcG6my*LWFHHl^0NDE$cH
zQ3iPx<{C7trrDrJxg@YqAkD2nCF@+5RH9NT6x`HqXM{+aXFze7kR29dS4;#BDR=aA
zM``BZjj@FhtZB+iQY?l$A3TrtI_hq@E-Fzu6IsmxjXg~;eP+6!y-~qJO1d+B9irr|Anq{O&h2Fw
zUj_S7xKJj~9Or++bbEV;xlZx`nWx={GcO*l&My%%GIZek^2$Vm%hInpzySYatsGL5
z@?zK!hpSn2DI>%IVS*I`8YJtw4aeKeuhZe{QXEGom};$;NZ|^cP8vmwT<~UJXqqb&
zNPx$eo*Qc*%`Mu|(Zk3ffHv_4`pGbH@l1rUH<562Cg5g)@L8|VE3iOnVCD>4z(hwDq@Aab5vNFQoWCs9pgJRajQ
zdfvPHC4PZa5L-4-gkhM+>#2Yyzqk!&BMOrJ96>wEZ*|xMqVFow%+o7_w;TbOsth8-
z{xIc!i92<|ksx-j-^N12(SVf$Ernf1P{?wlc*zbHDV&v~bdO|z`D$CTGE_Diy)nW#YC|7$+eEyl
z>mI-D*z?ez!b8|uKhqTGIcXh4jOJmIjsSalr>4}xeO#3-?6=V)@tJWicKfXBt1vr~
z@-M(+P0r@Mos3Y{BxQv8m7{X!NrcfE508imh%Z6hH`(+$q8JV91;qG)HU-0p?zhSH
zR}&EX0p#?<>0Tmtqaat9naqi2=n&13pMw+5I4-jGET+?&eZFSQTwZ?c+~$>b6&RZk
zy9#|~%pPblsnJgPSPFw~j%;|uZWYV<^YfmS1=P1T^7nk+?-Hs;NsigEP8=a-7spzj
zll(w4386N}<7S6^GdM2d{4&zVV?Ewu!=0uqtk3v#T*JHhgz{b!IwbTmF|U<+mC?!l
zNJKfwoQ>u|JK7+ka$HMJv1vl|cz7ri6jj9;yIni#he!EK3xBui%ns8=vpj*zpNhQ9
zJVv;-@WVNp@@&uNv?TVaV;v5SDdioD_SzjB7sLi>50Kbpj%vYgXbr(qSBWXqUDZ^i
z$^~_CQ+%+?Tyn*
zMaz1gquS}L15xs!g4J6_m*qW3m0powcuGF&mW;Ph!)4+$$wCq5!q^;
zSwJWdtwi*vGUObe%!ehjr4M*a6i(DLFsYaR9r~D4A|W4@p6(g;9J=4$^OX^l|&{(g=Fc?IuTy
z$i4=SNQnvgvFndhq`&o;3WnTEh(JoiUL`@+x#rcRxbuhp&b=y`*4t!t+V6Kf)B^1x
z7t4|gaC*stWQ)DISIIQAJ-SbOGerwh_0`zFtRN(
zp~U`RnqFNz8W5myIOoV;%Def28=V!S!2FYjwPFmyC)RZz`B~}C5UVuL1Rx;`u%IZA
z4+7IePhn@{LrEP8ozz3FPCg1niYGPfi*L)h1oj6pIO77hMaQPzBpjB3fxJ|Nxc5C8
zM2Pqhfh9KgX4M-IEyE+@ct--0l^d589|z}>GuGIwE9d$vZL8?S#foiHsqkV*{kEEj
zZId((k|uCz*Bqvh^Gn3sC?*AL8;RmoNyp}AC9wo;p?g=AkJ{TEDI-~Za;N?rDGCiJ80
z#Q=;RF;pJSeXzC<(Z0@JFGvIu*ECJB8Dp4KX+iOR;4Q6*eS?Hrl~U;`eeMO?d@Yj2
z8p|YdN_nDs==*8vrL2}G=ylVAucdB&&W8Nz`|!5?>2@+De~1R6>H5f#n4^QuP~zP-
z{`%bILg*W7{X;9Gq0z;P%J@Fkfk!L!YoG$WJ-RzC6wHl_tF)?56H4Y9BB+Mlp3l;-
zlq?H#42oHQmH2`!W3dePNmZlaPD$HEP|3XDLBgERniw}gE}4h2iO=%LF(4k3o~Fnl
znL5WM7Pe}R%2xYK8H#meF^H}SQ~Ev8z6pXTk&(Vs7QPUZN1=j|BMBu*sw)4O7o)}7
zQHqURjnDE3LY`3v7s^G^02wFDkz$7`vEQ=QW?r>ar!N`lfi`iBz5)(nBEfJ;!MBEB
z|HwB^6Su@P-=;AorwA~}Pjo%dQiiLZwnfIAXXfnTtbSXR=Mvd0_Mw&Qk#@HF44$iB
z!kA0ae>qFo4Y&cfpz_ksHhxOLR_6S$u`L>}{1(J7w8N9a7MD+2<6S*umhOx?mco<5
z4580~N@)OM5ofifNER}VD)-`K1kKFkBePhaA-G1uH3%=7q1zS*`@2i_B5U34o3twx
zm8x=|r=?7gC`@riaVq?`k@ORg{x9B0N=a%BnHO8nO6#E%&@$hqYEEWIbU=cvuFzJXsYOD-+OL@XH|I+OIi@f}NJrQ=&3j#K^#3
zLRpY}?JvdfMFxq+i1y4vJ*L?wq3G1HPqh5)V!^I`;obY=gI`eI2uWSk%6}OKv!q^9
z78=4@?$G%RpOyofDXlu$y30(iq6AhfuH
zqd!mm^CS{qWTg+>#alta
zyot0tZtf}SpofZ03_wn!#xBQU=#Lgv$F&uqITMPVI0qqkQpxQ9q}kPD2Fwcs>mL7~-;ug&rgneG^R8MTpePS(MkW4&;k;Y3onw@O>NvmmGkD4#9!xO~yjE1E(s=V2{}{8{QzhxQfk8FpqCmd|DKzV^2GZ`d
zuFl18AP=!}@^QLkyCTy(CdYf^UgmuYOE3GNk&jMrkOIEw`QRH@ue
zS*@Bpd+E0hnw&4NcpR>8;#b)_F%3lEk+d_^qg%HPTu
znB8W#o&$vTlSRP}g6-XTuAsZbcYs`7SluI-^LU4XtkaA3vbn=ikaaIpd
z7o?%rQb02g2)w^!SzmHqYNJ*?%VEQ8MKr2QHLCzUK*GOAqcnfMel(8SlSV8doJ-Qd
zk9Rq4h?x!$k}3iV>9CLisr|B$NXqP5fq8%AY!t1{0NuK^4bGAsByNqoWNC-}OI9Fk
zJ1C_)rMxxC{Wm+3zcPzNa*rg2Bp7ntKPd+9g+*c+$;t#Su9Msa7R;KLoGcAxG?5&^K=#kG&Z3&0i5G3@7ItzLhX{Y8h3_?HOL;tl3XBUXH_e;
zw6^_((WG@MFMC9iyV|s@Q7-oW%K{j0lf1$z5k3I)0Xe4`f`Q!CKrxE*x+sm)3Hw(DK`%sELtU~(k1^VILd{S0fOp{g&rwR~U?9XpY$YrTS
zLS>A57Ge}@_Oyk$Tlw5EDqN_mq+2(O=18$1CPc1lt+z++U|}!eGoaAmc7Ly8H+oYo
zE|RMOP)F!}R%EB{FB~=(}Rw#*h^`UTwxCL4_Y__bMx=!E;N>r#Skwy|P
z=}MdZZJo*Kmjs2aEXuP>jsy~W#pU@em5x&9aLPRy^b(1Mp~@-E%5c)0-~(m9NoR%I
z`^)>3U4oMCoxR+_jcc?h3)$NHxHOct3{JFVWr16tIA$lQ>XZ8{3EX%gu^R)w}iPHg_Htle)QSfBt4Tpozs#^r(m{cSIsiRBXz`m!RH
z>c$_~oIiUi*#s-I#znN(aW7Y(p%s4)dT5i};#5^w!y8Rd(bSILS&|@aQoRqRtEc$=
zIpk`90Db-p1y%uxRI7)#NOK2dkHni1wALRpGA%j&^+0Ixp=xWvX2JDa1({Ue`yxCB<
z-ikxOd0%)gp|rPytHg!~%ouJs8+%qoJ29>PpypG?k5AvXhMce{Is
z=(4eIuf?*Xz*`kWQciTnO*K$#k??D@shtoH!K^?RCxc@0R(LSqoV*#l7prr#2YF=u
zb&l|*Ia3g!PE|n~EfAU)?dI(>F?TD;`TUdoihaP_f>^$RHoGwM_6|L&Tm53uY&$Yu
zZMV^!gO@ROFK3f#&dcfTLP0mB_O&$?PB6KF()eK}QB5k@8MW6FYc?-q|HccuPh{~PbOZw6KyNL38jKQb(b_&dXfSc#|$YTf7Ogu~o&)Gs2GnX@reRoRtV
zv{bXkLiR`;rg1m3}6h|!S()J`e^$apYizZT<$96gT?#X`Osv2dXn
z!iSI2S7~_(yc+eex0%2zAhQM5ibUzSXdY2
z7@F*uSbHqFDW?(~-r!^nh<&AqCqNfp)1CrB*6WYcVWD>ZNhQ#_XWZ1sH*_kJ))Q(Z
zwa?YeqOe|(?jpUdO*}=?amon3Hx%8`v%nHBVeG*gJo-_i)NF0>DAvWeP|Z#Ik4I}^
zoG$5gt+Fy)gYfyv72~_BWoL|t%Iv-r+cXSOjIURXoThjiN!aDk#_t#P!CuX;cZx+v
zQ}KE@T(v;Cz>@A$|3A$eq}C|n`uGlXaN=q%c02)@zr>N|)~kxPZ}w)n8y~MclEzdB
ziL+}t1fn*1XI?2IHtZrxR_?%HB_?k64#S>?l)W7Wh?Te6Q0PYVXv~qcWRh3@Iuy^5
zd=NfE+IGMje!_=>%Jb^2029_k2ns!YD|eSk47lvuRoXkBvZ+Suk`VvM9?Y=!p^BqC
zLZEE#B4)Ozz6&V_K}Eeq5N)2m^`(i&61LmKo=$}1EPagmsDI-J?2J)UN|u3)59oYJ
zPzaaD&rZLTNLC@15h53pFMc$CH`5oIe=YKxU-MVZUlw^U|2fS!izkljytt?D`fcLd
zzg;EoRi$glN|dk?`ezXzH`SqM^$00>rf>wqX{-Z%t!&c}OE!1^+k3tBKtk3{pG4$>
z2ugNt1XYV*>ORMhH5>V&nyy3OpO#e0YRV`eNwSW}`8n-iij5!JyPh%*gvYIt0Ef&t
zhwv>rTTls4!X+EGF3!j~L^pv3X??}(Y%4H_5B*b$qNtS9z+#f8r&G8-M!#SRGUheE4*i*`)JwH5
zWvR#7V+BYvIH5P$ag{+sB94S`Al>dm=wwIcC*RJC)kp!*L
zF;`6b%3$P8d&v5AMA0$E5=`eu_Zhbv2qoM$d*gZXL8@>hkIGq#yBK)v5B$g!Vf6C-
zrPGM{hnUw+FB*D?>y2QPM-d8JfTY>B7rPitXLRagGDwCRF3U3*OZr(%QVw@D2SotMY=jVA3yrQ2I6hu6Zdd
z@^8gA8HE+MCpgOH@7QTG^Dy}+y`LhCkfQ-;`4FUETpNXkgHH%tljxPHmHM;Rob~_n
z)nEQ+s#@k4pxZ>G$$X&}s<4`3a;mng`Ty59|CiBi>Ob%;tR#^P{uSXj<`Vji!};FW
ziAHE-MQ(QAvrIQXtN#SDdG|L%S371BR*yqS6zfB|tsJ)8iJbR21mXFt!v!aiJ-}N>
z1(}!}xz-dxNs5JtWUPNwejhN`<#79-_dU<5y-09WZXT)5d-8y`9NTrg7GB-#N=KBsI@7w6`MLbMjt$
zcMzFgfRL>ghB063VVk@*#9{Jf?8W}?)p4+|9^A*C3ES55MmBUz+wKe*QjNwV&=)d#
zID4|VrGELxlOh0hN@RjX(p(Q?g}~!bhdH*s$8^Knrzb`@CryvD(_Y*mtDXX3xd&E@<^NbF
zvwMxPj3R-;+Q}vF0C?60n3TxuuAts)?Kw@KH)C(b7uBI+#p38bBSjsm*`kuo^c}RM
zCw-D0{&Kup|1%)gvn(9WqUmgCaew%){m{dQQLutsuoLvEZHjXK*i|Y&KHS7raiCaf
z%-1zut$YelsC=QQ5^4bO#;pUP$yJM}EwdF*kRu15U)5^_)F_-yfMbJlYg&7>ilb0O
zZYZZ^8&w`-9Wi{v>EdsMfup}rc``esH&Ur&I)
zNcGNf=*vjR=1gBs!g5{0Qtmz9+sRWRW83X>sj@5H8z?BqZ^DG`QQ0!exV+sb6qc>t
zSCF?RnnDe1`ze7?9MwpRPLu>mb<^CW!=sA{)|D(i#GQ
z%s~>V+F(x)1NjF9@AmkF&i_gY{8nn^jt}oELI>mxR1g~!$Usj#q}^-B`Nr~xALPi!
z-E$1xd9`>)7zWusa1ma>COzPN2x;t({fS{y)0C;D@MZ*W+YJia&~+RcBjq{wdXjh=
zwvA`1w&0hz6(yCX8m
zTN<&DL_T1veO-oSl*BYd9HNbM^gbkmg)yN<17{n4=7xxpRN-8*4Ee=?p>S-byxU2q
zC{k}QdrlEph++7-V^|`!P>zvhkfKXQ3&^Q&oYGxqFVZBQ(v^V#j*ZHGpy2{B-s
zu9inTzVxh2ky5cEd3r}p)%4q|g8#i`(82X`Kt8B7-ncW=%sabiv8QjUp6kq@Jv?uNBY4RNX<9VUhnc}90vcZpc6HD!vN-D=HKR}`+W^iM(G>MTXTVcSVSbZf?3)d21Bu?Mp0y~0ZFa|(_B;-_1$YARFU!Uf?
z2#6_%mty;LKU?pssg>g#|HTu;g}1je2^r0?bA}TKgPmB@33>xV^#loPq~Sve>xEZE
zDlhg>Nun;OoK4`Z`F3JsZB~rM^8_sSmti1|3H?6@
z#`*JvxVus=KwwIs0jgf+9A70NJdt6~C|dmP^bHCGN{rX>)|J9W2*XdX^?`5sKasez
z!gB51m(lCC@i)hU(_^T?{I!nE%K_P|ge=F0q7vFoHca|bKonw1mlg3IY7}W7_$*xPQ&qQ!0g!W>
z`WS+L)7^vjJ~6(jmH!NPYC-&1tOrs09>D%dQy;v7e5g6QFkMz+oIa|_u;j1i>ebyh
zX-}P8JJNHBiC+{vG6E$qBzT%u;0?ND&ha~cK?w{CAjd>B?x)xJK+
zT$$`*M+*BPZitWO%OUz0_VIXDRwP_17>60V
zCg?Pd#yoD-vpC^n9=D@jtsh1-wFzM=1Cl8aCN&i3tlu5O$?KO1dKBs(R;Mo^MnB
z^!MM|f289;dhFpG;QL@_qBR3?;MZvOPK;MDKg>~cJu~;zYB9&3TOjpE>m5~S
zr12w(+oOa`KCf%sl4jtV=cp|j-YClunnPAm)YgTFoSqd@Z@!!bQ?FVv*(Es=vVo;W
zf#pFZ9a1*aV~@Cpg$IoGvhg33N5jfGt42-Bxea_mP2*tJZj
z;;#?MUUL%*feY=)ivBI-0`?I3^LVNHW42G^3~=DzSPmLmy*yOP|Dt1Uqz>KsJDnH)m{0l
zwcTE%t5tVUHyi(@li{@3#Z-4cn@Fu)r_H?Q$bOSdMmUQPgUmy@Y%0H^)4^BBOLD*r
z(RniIt4SUviv4zUKr;Uh-}HCLn>Lu3`05rIA4~cM>>n|rU}~Br(E4fXHP|EHnI=wM
zRE!t`bO}QS8TuwNQadZHtNRSCA*|8x(R#{09+aC`i0^iPfvq@~rz{pW6nN;I`lkD=
zQBk9%jYa5?cQNZFDrGzv#QNYDo82HB7#UZ}JvGQqf8o_&RUE0ylij?lfNf+zfnm4r
ztPJtTV$|jFD$=DtP?OGWd(+38-Qqp0ia|GRGtTlm8ce5d*s#@^n>OtUOEJ*SQ`fiI
z-WJ~h0ex7eI{d^Gv1EHTrjhIKCO&W26?E=UcYj2Q5xf!%(R)29TK!yHgpp*5;^b?I
zo2Y#xyL48N@R`X&*l}*n9$hecq{tNd$;H^lrJc8id8@apt@_m2jHQBdRxh^lg(B_r
zy2O&;?5nRWsF|Kpa2`iJH
zoZO5o(90?U1_Gn(vO78&L?Mbmf<$mmD_*aJj|eMBsk8axLnuo_8^=+UFyY*tNHLHS
zq!Z#yYhfb$vRuCxW&po&62B>ChH`q%Is
z2u$IY(H4LvI?FLYC5?Cg?&4upAguEGx4nBu~A|RFhm`tj1=+H)pxR0xy
zaZWjjGk3Bo=j@5`?fFY9RVtEP>G;_D;`;*Z+J@&c>y9YCW|}JS2n9zLG7V-uz66uB}TAuCW8?op%LS0cp_)`u8j
zNb@Dt2V`@%me2>DBbDnnus6d{=UZ2ep!Ydv@~)DDf!1<)SxZUF(->AUE1XdGHq%_#
zsvSi3?3~W>q6T86+egrJOatW-yozcb`uXbpk$nSrQ39dCHfdHTgdbKBF^;#gJ{7Fq
z#yjIPifBD&?L=hZP=|WCk}t9hPmv0~Jm8X(pZOk2p_8kj0-AZD)^xS0#B>mDRCh!)
zPgvORhcs1sa{)SHx>Sl!BSm>?oC!MV)HFjiGE#Qz1Xe|t8lt-%w5q^|Ax8griRyR_6|YCBpDySt+uy`m{=cc+Dd=CvqYfvDP$m8jcn4kQ%VbIO<~eG%;d2-(X@s$UwVm1O4@~Iki)yEcH*fJ6wkq~
z+#DETg}6tk9_l?nkQMRRChP8)F{%7|;(}&!@p&z%7@nwya5-HfEZMvRj*_>^ZVNNi
z9i~|Q(8<<9FO$%D_+yW<`GApAffvPFV|9KV}So3y&>O9S$=4
zTx`yBAPfKcf)0Jm_TIbfp9!-q8y7F}UpDX}{+;gwxQD-by`EbQmxJb^X3Q|Pi)U~AvO!Iw>~%3v
zrrQM(85{<)aB@WXaGC*LLIN@jjJxVM_C$XT3>=h3gKB`qx+$a<17pF5
z^HCnv9yEy*iMg{<(AoRN3urZ@0?v?^73`omf3{+MH$4e0N0+9iQ|*`lU=)JZhh&4WuqU%7+V`P}L<
z_9NYRp)*|^VpMdzk~@vff7Y%_qlNx9>o?xJD4OHHYunA@KN*gKg)%{ovaaS&slhrL
zI6Xh*C?BBm4B%*q9t{K;>ohfuL+-;usE+WV#?puy)b^_eb*VI1<`bX}iJ2ufB6{~+
z8;UZ9@^wvA-!0u%b>T?CAG_e;?UW=MW?LT<-ag6?O_Bs0#9iz}@d*PE3`1U^XgeCT
z^hL?=D8Jm|%Oy8#ifz}CQ%`YPpysAnK>3LJli3gUL}DUia5M~x%d&_5BVqUq|4Ro53*y1L8o-ZWQv4C=Hx3BSZv#4z^dhwfyiMf`zLmi#f@C(J2jK&XuL+D)
zqq4ZzuAL7tVShwN`Ov5NTQ)PPfol;b->6K@2qJQl`{s9)m|}hzX#|
zL8DIMsMA?ybqJPRvBwD#petK1s2O$vVes++ZJ?nJRfP?IR|v!PSC1kz_>w_eRJ)Bd!9JT7*S^MDDD*UY=kGPyLknG0C&YJs)o)Y2(TW9
zVkVpD9{+1#-iWisF+gZ{)@#i>&@guqpnqQ?^g{wf>^|v<
zv%WjoH}_%gdvx(p?pCxoRlz=KjvrcI$(g}a1mv#_A+>(Em}sc6aHnUC6r`QHbCd$!
zLJ1*%#Iq7}kd6--{)`qt=u2vguq%Tb4!z(JYQ-kvMW{(0
zP=DAnFh;p~_2IZ1iyp)!2G6UN#Q>0DmD-JR(JjZ!>rFhzO`>~Sq<_bd&N-cfKwu%C
zf+B2aB;A|l855P&{mwaFK$@v5*VnuoS8D7cp<9ONr&m^iFw*MvE4&?qYzmOKFSvI=
zETlp$Goq=zNRMo%o(T64>EPZiIC6O2AmFeXT^$&R@ZF0vtH-UxJwbBcYBLDId2XH|
zdHDiY1>SF~adJ3!z<&v~&TG{0OdyXd&Y+LyTF)Yym*(MwO*CBFp)OJhQrMIx%l})c
zQ~7{pZS-bhV9pr9@p{p^7-D%8hB&5ZB+BG`ZDsL7RYT30y2H7?hmKQYw*c1#A!83>
zJs`undC*eA(>(-INIcHG0zpK0_G*QBSYfSQ?~}owognmx3hU;WjtkxIY2&`!J9C!e
zx6A4VB7ks#XCPm}h*cm#ByP$+@cP!j5Jsl^gK{2W3nQ267RX6RdgPivItQS4^a2BW
zx{6cQ!cG$+b*dUtty^1q$dk-N>-M(V=C;qRNou4Zf`vO*A9bFnt3}isni$Yy>mG|{
zhw?^AL3d9EO{UrP$kBSmS7|(e0s2fkJ4dqR4c13xaxxEVO?E^BdhFG1!oCXP4}8Q@
zr!`R=0+ulEr=LjKw*yd9#?Y;C-~(~SCsHTuDlK<`qZ!iW&Fx1k0WBIqTiD)lF}8H>
z9nBH@Pl4D8v8ccVtaQP9$g9RRDM&C{inOu6m4N<)a%z@88{yU8`T)~#zNSQUbvvXR
zdkr#WJ!SjdqI59YlEI9Gq`NP9oVns)UuPh!2a-Ac$0sS5^ikz@RP6+3yX|eY65xenTL{s-hDhISVgVhv
zCH0ShZe&T)06*ou0V(cTSSr#;+WX3im0mKu(fGQn(+uK#SOz_@7P?J|qZIYV%RLI&
znjaxej-Yp$@G9%~*yDISg~b5934#P{>8d?)=KW4?LJ6}~;OqFHaa-@j;T=bM8(J}=
zMZl?~>dshhR=NP>ID-e`mkEJ^L{=|BxUZ`~rAB(n2uw=!)e_atlgI<>hZeP!Z1rGO;@|R7b-{?2ERKWinmb&{SwS
z5q@I;fwM?j5MEsxHJ%7|;6xH`jfR@fMZ?Em9GXE!i;8dq=76lJ9;J6=
zpay5Gde=KVH=`1$c&8Larl+VMX=zO@KJw(ty6g-@R>e(9U&}Ge9f5uSjSsu7v%3IoSB~m@ir~RIWB>|v@RxvB!vNZPwo-1rV@pC|G
zgil!Tm~2)kM!Lo^Y~4$c_z2~2BNA=^n5{Yjk%pTDCam{iSVZIsXh%kxq2pO2=$qgH
zbtF0%j8Eqb@M9&0!(DxeNvP<^vk{7O7GE%yO9ZIc(Kl4J2qNEH;;%kP*Z`~V)8!8<
zoK$$}Dwq;lEYY^Iqx@1rH#rxvWuPO}p55{N;wb^n^4Rd3#5Q+wG!wBzz@?HVDn
z0rZv3>$hM^%+BSkX?oOk0h+=17YmM5=%HS#uS#=?W#6n9o{1r9Eb~6Q{vmC(i&}GI
zfWX^*m}2fzgO#d-Gt;e;tpca4P#E=2Axrx+;kJgSwng72Zd3^Qh@y{&s(`wPsb2}&ff@`1kM!rLLTI5rFg6c>ULFIp7yPS*aM0&3Jg?C
z2X`snCjrDU8-5JsZn|02bGi{#QXc3eqUn*=JWPiKFmEIv^~v?3GPD{#0Y8u~gy2U9
zGQT@1(Uq3=<^ySsg~*~LU||9Oz^~BZ6abzhXLC2m$QtHX(uGGZy}BYRL+G)hVdU_I
z{;pM=GTqgsCMUO<9Y@2-1eknN!G(HU@@lH$m}B#ln%c?Nh`e6LuUbk>Fco5c$}3=V
zJPPLLtVQ^6WBN@wgx7b!^Insi-@ovE3oKlRg%DGpp8GkD)G`HA;g9(!D?l08ltSx5
zO1?DYoAt<0P+Kk_lIEQ8scbm+d=2INRv~ldK530vV)_>Ttn1Vuku9XgF2VMJHRy`@
ziPS@ZQjf&J8Gk-XgQ!(?H=BJ_wua4?^JCv*B|Y*6b62X8HF?1GuDWKu6~BFlApb>(
z{fEddL%7r@2QV%H9(4EPp#F3>NePr8Wob_y1iOD|i6$%1hB8_@2Pn!kSyAc6(ctAC
z3;JI|#95D1Y;ob&_@=^WM5qYVBdPSL(#3D<%V8KeZ#7bi_GsuqO&Z9QrzP?Z+C-ND+SXZjAl
zh6P2OS`t>lUQ#len$R+-G_ap-!yK~op%ylEblHE2Zsas)oyLQoKFIxkqWOJZ
zq~#Z(h@KxOp)dt=cV38aOAGJqvK}wg)ue6JpOlvGTix^sWsz4>;m!(tvQITZGtCiN
zR_e7LjE;rx4Pw^;`-JJXRGqb+D4p*)e)6t}SCRa5tkaH5<
z_EBIB&;}sj6eLth9ldI$j;!hW7i7!01u#~wo2VPJkkKzSkR>mXceM5$#JLg5@oyH@
z6i4aE`&H7S5?)aS|IYcCpWeOXkR;mTFSg?;+o3HdNPk2(u`QvwFhH9%rMC+bOl*Y2&&kB;MCU)X3DFHgG#!x`|^PFW_HD`5n0_H
zOieZuD9Bamxc0n>3o?G1U?r;_ga84q8Dq>2bvOpB17)fR`#hu
z+#-&xk1s*&WjDXVZf~AQ!aAzs7Tj?29~qH(K{7+JU$$uA%#4v^%cBCejy4xVZo=bC
zi%a*0$Cl>>E=zDp6IHnK1SPcm>1H^ro80O>P8G>8yFMDtgS*sBb>9>+?t5@IK2Ex4
z-8-=l_6O-l)fawN!s;$Q>Ys)C6K!ox)rp1A4cG{se;qLrM~I5cS?X!qy?H-Ap=qKc
zTsBCk+F;fR^50CnBA9*8Z>ilBreN
zM|w5x&}z^QPf)AG-LUB0zZd#(u|*r4i}aW88?%ype!J}Y#-MIiswmQs?2VG2JrR^|
z%OB&C%*~N_dG!$a&zUksFm=eErz*Zy9sdeuGw|29QId*8MW(83tUf#VC85uZvvXea
z0#-+_J8G*Yt@eFx%R)~Ov?A|sHX?So7WeqN*MQ4=#P#oiNOMs)w*XNO
zmG|Ud#`3A1Ph!wspj2+V{wkubHNT#QIB%5AnQYv#nQ~BSc?OEse6tI@XpYM)-bi4i
zM!c`36#2#2qFm9Jsk44Z)9Gt-CB=YsjbFxW|s%b>NZ%AmjG6;|&B
z%RZXcbQH_x69u|uJy`h8&xMv0`pdXkl6lqMkM$c8u5H2!mZN~9wweG#>*Olo*>n)9Z(Bg8BfL8iFse0=;Qo94&S
z6tB~$n4r2C$2F-~&FmNtu@llRs$q<}n_m~THY*>%3N%$;NE^y@5J|+Z%hV*q;JF
z2=s;x5Tk27#M8Uru-Pqb5#fQB2}aTB8x=X9T5-!#(8w@Ng43XJV^+-k!q{^SH57@J
z@Z5b~T=}E#AOFXnYd9|ohgga)=$7=>tD2UPt47_t8^)JYw>yb8YTci3E})S&D8YX1
z6$Bnthl^9xe8)tVV(nv;;P%{Zy8b$Lwyjk3F(_lN0ogswd7^3F=xhTh0vO^#ZF@UapFLym9qT@bBvzKX0f17XT#-rVTMlu#(55!CxF;pnr?3vYD5_{s>IE-yBjv08V_tH?N73TsChV{2&x3Zvzk^`-1S8
zmF9P0kHYWIm-S(Z(fOIw&Me%+f)kSO_YPDUwA_GTNIcN06c>L2}vBP~m@XpiVFLcu-t74Q@
z{YaPS9-+D3R}R$x-;f|{?2*LCkLia%PH*xd)Ws&eyVl{i}U
z((+=@Hj4=RACuE0eF}8%M13dbxzdff&f*?3wQ}9t+;O4;%{wdU>2|48B@81KmQ+Zg
zZnp*#c*{a+?5eyr*YYb(SCT2`sR5HD04UXnWzWaO;P0hUe>866a7?e9#AY1K?0UMR
zlun3JpXq<(F*RxY^%Zj6uABO5|B6GeN(B{&{aP|EeY|SM{8{|25)WG-Y1s|a_Y@t3
zML!wszHmMbylXAtN)tkNLf7Sz))vbV4!>$3#Fip2uyDFR5(|t;A7+_DR)QYVt3tOB
zUD<@szr+~fmB}<#a?0|kh=iJRQhTN&zU}5uA~FOS#s?od6xWXieHYX_H4d2JxELW=
zmlmas_GGn*h{+|tOsAX8F>$T8S0-ZW_WkTGXC^jW$A_=x%se|@uYlt`D8?%hiyu!m
z(|oT*XVeRH>0X#Eac!^-hSbgbjf*69#Jm#yYcbm;j_k15Ne35YV*#ixJf`qzhPo#7kqzF=yQdY=|
z>6FKB9q_ngWs^gJJY2#bYAnTE+C=6V!TdIDF?}zKv|X4rq!VQ;Pz*P+W6>?PFj~Hm
z;MZSJnl@*L!8;6ayB3FFOi!&0nI4}m#rmLwgrDQOeU_L9_Nnx+Y6Mpoty
z<6b!g39$ejH9blL?lKK`o`im4X;QR=-^sQKoeJHk?Evh8tcI_y{a?R>z$*e>Aw|YBxOw^-l`pW`?W5-2jpKAGLQ7K^_ciktP8?~Dk4Z(cG
zH#wVp@!sP+SnR32+J7ee$}(WHl!y{nI@ZZzTp#+}Fpdd)lw`rj4;b?X`=!q2h51=G
z?L_Qs^mS@#KXZy3-Z@nY;c?Za-!!Bw`G*p3?lT64&Mc**xK!QmN>DFq+q@p<`>Vx3X-Nt)!ef;4?{sRE_H|Bw#!J}gI>
zxz8{!y@>%D*FJkI1F$nKP{3E}HK)fSmy;Hl$sYtPSIS67GDkn*8`o#~AfX|j$E6y4
zFL9WS&iOusOXP3U4{5vwR)=H%RX2$18kXL)5p-RaA(G7b6CUJJ9U^i(D0BouDg#w0
z)Z8L@;y2K64I`dR7)%tVJ()ORNS$;_tf}W8AMz&8_|40MGH9`>h1QTi;TD>!kQyuv
zc|~uR8x3v~gfcl&`J6%|T7msB3L?VCO8L(rngBo}so$1<;^pkg=ZqF%t3g1BQV3Uo
z3x&?Lq|ATf3DM~G8W$~58SiPUnoPLxxeMafO7mqxm7!b8D5$8p`QPNYth;IVgiONW
z%wtTE`{8y_DUB9^7~N%(
z1eCghiVMFeMrf2LES~dEPFI;0rHBIU5Yj^3Fi1sIA&U^x3E2{vAs~`7hfG#|v?8^D
zeq{Pdp6y4?{G%bvWThO5lf)_=2LQbtwFkxrI!l8HKjA@uWEsI4!`FRb+
zBpgthvh~^{B#;{vK@$p?c@UvFACQJNmk2;a)ysmQ71bONFQI(NVMpD?QxzQ2Fs!sn
zOFEwh{G>p%h@UGXDn-+lqSKI(m|AH@MR;oGAp-goi-Ib=idd-ps&93-PI3!!`uvJh
z%w{(Jo{q4JE+#;w<7M6f){j19O~|qVk@se2B`g_3#>{1S{>bVyrgju19GQU}s}S=_
zpr{k5;1U#B5$co=q3Ub~%8qRTH@3i`qLW&{>0qc@!{dY@6l=tOGC>DWGMSu#eU1{)
zK^h~ab;tv8ay$hGt_zbC;99VkwJW>#JL9qGFWg?uzqgTXWS2X+C7Hvlnq11k-dCj)
z^zH<&b@b?9x{^(i8(Inh1V7DnrjGPc;O946Q!xuU!c6*G^M
z_6Hox%U4~=F58KV;&N7zD1kUgcMk9=Ur!W%p5C+N8c&;SU>TdC(GltHR`_^p7{#5f
zstPw!)IlWZ22X`==;jhu1qOiM`oYcwr4z>>3B497L@3$?Nj$cYpro}U
z$N!kDd^{*I_kX>_MShXb7I6E|cbpAl%*iPxyJVIC73N<%Nt7q})wr<3+
z&2!W%gl>?5UH~gW=5EYYeQhUoV=9P-s8s(kHnP&Ca>z}kU}e{D)!$=}wl1&@qdC|S
z$jyWvpzP&U;(>7%k{`KPU$>7aJzLnSjb11C&
zdrQ3aizl~7Z!43={yy^7@zs|?ZEJ0Z@UBFv&Iq6n+`DJ-ZoL4aRvlD3kbT5>Z6WnA
z1YLG&)(Vc@KMrbOdWd^9>bVI`W3pe_&C%Z(411yi3`XA;ZTUsbw%`rLG%XV~IQGF!
zL0q!_0i)v7;B}h%2kJzPcsjV83BZKsqHd&1quf$`%0cw1u{@TMR{fDBCKKDriXZnD
zvcu9g>L+&H)KIfAA{%@Woc-q$wRj7S9_)-)J#iY6+B;JA<7a(T!-7>kx!uP4)Kkub
zQKgj;!}cdM6M_g&8ju9$EAnnOloLl8U&=`%=fi?gH!S7PdSKX#
zof1)f#wfF`5%062V#(#N&VLiH&WM7IQQ?70ni+Nv&svsMwzjye*~{~@8h<5TL?8NLc+8K+M7ARX;*62c=d
zrrj=!+uj59W26)mL4_2Gy-j#pc}+g~HH8beb5^i*d4UJT3F>1FMK^+)F8=oE%7gk@
zM9HSBLVO4LlP2+(W3opn9V-6Bk&^pqWm6$B(c9R)mKcMbA@wAc;v7Nx2_+p(P#`0@
zscW;h?Rn^S`u`*1sl&C9DzTK!^q1=oY`x)Iof6O;MI@9l5?ZastR068fJuGl!6B%&
zDptUS`g=0-S_}elE}qyBH3wZp$l>waydr;*;!tVvVM4BYNI##Rq~1y^?f;~y05L$$
zzt>H7O2m`$__?=9UN*)zv$zLw)IS`wXYOO!;Rl9>2kLI={
zd&l(WZz|nNqkPFw}OElX@@Ll@{s)mm(>S)dO|N1bL7S&NZno(eIBK~JlGLiO6NGwPc+
zc+5;Z!$G&yvr&=KEjgVISDn#m0QE}ig;rd?A18GqhWQh9ofW|qvcCrW(3?y#zG-!A
zKl^Z2k@)qob9T{1G;^995uJ+1Wxu314C2Pt0sFbt6djt*0jsi@@-Y(VZzCBfDNS>mog`>4+Yu0tB1pl=MRe?ur{c
zf+6LgcZ4=RFEbIkuf%?)@(d$kP&6+kUNV`F{|`q&n#=5bOHhonkH;z{O|zPwHSxns
zy|Oxf>f<30cgGihGoH?Iz$-u&ih{lRtL4}ZKp(aGpfg>*NSGO*=~>;e;0C5ZRhHv`
zD01L{v6`jRQ)$Lg5zDrL6}g`UZU8Cvxo`aQ)BCB|@C$1pxXrTsarnFYjP^U5DsQhb
zJ>S*u&wSgr>U;ZuiUDKP1erWM-C5Dv3HBD#GFs
z>rbuyV2)i6|v&}IJkxkXJ~LLNfzMWffN$W=lSqbC!#-s3+`fD
z%=t8PmGm#QtW{|epDvXvc%fJ`?@4k_sAC5?i!Ectw`ynaVu;-x?0*r!f5v%k7NqGY
zi51bE*2dPFpzTykz9UOTGfCa_D>$KK8Dd-(+snC9EEQkPtlLd#p#2%_&ZDKvmp)&b
z4Uj0_F?el|I4hU%Q7M1oGhoRI@p3()kgvzoDvW+ix-+dWvQV}ue_z~I#j~=~6U@T$
zlZvu#(wU|x*}m4o1N!)D9aR|#MVnoow3V;)A%ics`Hwf
zaq5*CAMAym+H-Vi;T~~ztKvwVXKOx{*OO4aLm!$*Aog|#R2GeUcFV*%n`{51_*RoZ{LCcbLb33(z=tyFe=tx5--DL7da
zE7icGL|H@B-y2m?ylwgEHv;M%n9E$j;lQK|o8D$zX^>9S4G-U5+3aY*V7Zkc}Y=+t`@a=blywY4&N`
zdQ&4gqRGPOtIUche$M+V7#k7x>GiEy`dE&P4RHtx9D`uk!f=C*rTB!HBcNDXU{6uF
z;#RKmD=XoV>d>k*fcK8`OIH9Ch^v}s6)H`7&CDpCSOsr(rsbHU9jHrDl+(ZJ++@>47-A@M
zV?yRGRjO-KJPEYS#*S}w|G*ek8i%ZJ>1rbWHuJi(%Y?Yfz@Akhoy*Mb?B&&3dJ^q-
z%k1waPH-H~)En%ed>sDnqi0yU%ClLeSj`irLNpAbgU>3UCz@2JujJV!SW^zKlQ@*=
z2Momj0QW
zY6K5D1o5+hWWE$L-a8Sl`%A^u?pZQN(UkWm_;;{fXvwc1*fTno*;P&`mHho}ZjK-H
zLVxBlS&p(HJ%lt-J_zT{-`CL@OQGZnlqDF29N}eHo*Z|vEJ?J;CQbYRZy`5Dd|BGC
zi!P>FQWUU>z6)10AlqlwLCv3R**-0$32T(8&qhi-J@Lv=X6sz*;`$<`M-OD<o>__~|4;hldXM7c(-7|)3&tIE?jD3axjdGhE-=N6-y8=y28I;1Va;Upet8!}H&F#=`KT0*ovd0PUnreQ$~j4cRzBR`<_<=ri~Zr#GQI87yxj$~7W5CwK_!
zxbagbLNlf>$*bzRp(%m;8z$rBk4tNOQC~R{yqMQm#>$janAvnmzY7VA`3>DzncQ!E
z1!nP@&dG(*{HZnNg?snyD%=B{9i6r)9Xl}UqZWA_J-)#)Fn(|}2W2jjNtCLqZ4g_a
z>j4KS4`k7s(z$c@FfR4=Jh1T6wY6Rx!%2PfAFxhU!
zfcCA$hEhFjpc~(GAn(Rz|BzG*38UBJTVuQR1!F2{#i(x;PCrIW=(-g13UhqtD@#1H
zrzK7)o<_j);U%saRjS#9qz97y1>fn9-|0zqjvq(i(=(x>TVrSM&Md6|M!c`HGLw&l
zH#)G?Yc6q)t6~Q@r`BoScF9+JEXxI-&E#H)auNIOI_0$;`rVA4vr1-hj%c6U;g=yLurI9wk!KG964lx691aIWa
z3&MOjjfCKl7+76p{w<7Hc1cAv9`95K%)`T9{&$uzhMi-u^Q|`_)QWqslyUE_a}Mpl^BoPIb)5k+M?+kf5%f
zC{Rb_U5@{j~{AK?5csFvV1Gb)o<17*4to%b)s1g
z8i?2I;{~EICua36$g;D>fkY8pBv
z^Hs_ekV{qrR%~UPWa-lNal$m0owi(ljh*ADOEm$UHz(`XD49lt?CZ9?LFz9+<;ePp
zz#_JMonF|i`d6o&tNSZy%S!x9UapNFuxHK@X5Qk7Keg;yT%Qg+qdc2+;#>nH*5c1X
zDD-3;2km>)l~^(9%FnDIO;>aoR~5lp@KT?E-YVyl8@!lukwc7<7J5S$QvyHu;=4rm
zq`qYGOUiZausr~Eo>vl)3rf@%<4d7uxEJ>&cYT+T_e0Y`+9CW=d>ZsLEjx8RvJah}
zb0{bM&V(RUk~@N`Pu+{YM9kQd5JvJXN_&(=?$KatZkF2LEIfwm`Ob5<0BwK!nzm}r
z?esOYK13MrQSxKZeN~S8iN0CN-+!!6@57$E4A_`kT3a3upP9AgH*BpZ8!)u2(8s)a
z()y)Ow*vFuM;&jDgaVDzxyA@TMMJY=d6+Gid}WP8l*9-hPhw|#^lMVdQ@sbJM;~}N
z1ScVWK*Hg;Qn^!t;SfsLO9l4`<}Lv@wF!tM_It(?UCESYkAc#f?obH5r=93dp|*PU
z)aDGE@#&sp?M|OhR-n{4_6uZLl<%ILYI^?Iju7~2F{L4H|oHLT97#ONzu}e~h_fEn2HQjHRZ!TkZt27-AQX;i4DYMC`IiT?(GAn%^X1n9;Rg
z`v84}G2ylcSeVk|P&4)Fyh};)Wc&bY<Jd@*7%Rqzl~4iNnCuoJ14@Vzq>F*Zr?KCa=))SQS^UV
zb-tlu=mmR9+`UN@tXs8m{o)2%co9z@O{j=rq4J&DC|(?v$^MUrKjs1T$0+ht`_YI%=##}CL0?ZaWyj_B}@kC2Y#5I7j7DaXQ
zC(OiT*1wG7IHH3R#ifqd9?n?RxI0O%@gWdQXaCjkKTwW5{Lmk&sw;s5!$kDFg7U)h
z^qflq(Xo^It(==&9P;J({?r;~52$Jz@Ga$Qqp`&{nW!X2Q-T(m8L2KBTVj`DOJX%8
zDB%i?!s*eI6&i+7Ua=CC*~(4=Vk`Pks5)G7$wQiqFLv=6ZhFZLH9v2bz@JDPA3bGGj3A)HL|G9GHJzZ)5LM}F#C1ic}5$_}3VctX2j_g~s4?PF8bxb+U>^_pJ2XRk?fi!&E9y;pq(q09Ln
zrjDLJ)#3iCh&BQQt*ZXlgp}c~&5p71hCos3T))PKpLosSoXm}a`Z#XM2GFVv-+;tp
zLrTY{a-Fua8%uYV;e2tr>x}s_#~FLfWz*yoz(5p;UO4ybj$RUM$NRU?8&g*RT-aWG
z&D-xv>m;L+{Fk~TUkI^wf7q&q@*wC`n1_72J~ibC4_FI@4AXy
zsUCj<3Y6+t{xo~UF4XR7U&Rh>%nlc-Jd`~7mi+-p#coI-BjT;7iTbKq)e(2}5mjYv
z%Zo`M?H2n9_Nn#pE>u?lr%qLcLJfC$nwD)u0l&vp_&IpULoYhW&|WHGdo4cD)Rx3d
zku3^m<``t&d@}!5-ZLlzDqZRW#&{t~{AYQ$Kwx$q5#pVbvRF&a(QD%I44s$tj*3Ql
z7daQbR6`r~00=iUj&;Tc2v9|*bi;TE{rh8bQm`X{D*P0K0%tmy`j4)F21?d{MWqv5
z$>;NENzNrSx}PqI2D0np=(GTr9pKmvbHCtTM-kKQ-fk}tL1tu(C20~MWu~LdZO1Vp
z5$5kV+1gHjrO1$q~iEVf!?<|}q(NxG&31;AhmB`@wYok3Fg
z7!UbzN;2Q`M+luPPom%Ed8UzskL2R_Lg`zv`~hI8>tvkhRy_?bji>c-qGbe*v(-c;
zNIcX_WoJDe`@3BHPDF>V@|5Z!J%OI=y{@>$^O{8u0sP{=xeNK9C99f&7sCm|3zB81#Tt_*x)-C6xA)dUU^QL~VNgk3T?ziKS)b
z_vj%$d|&$K7ytiNxf}Ms9zN{;$877H=J&rp&-#NKEgygFJHM6PhIdY7h|0M&4__<5
zJ#j*HfByk$lWKdvS=rqUxZ(52%I+LP1bZ|KX($_IBMfu4RD%=d(~&j!OxFWOm!f!0
zLT0rYU$ScN#0u_bH@)aBt{D&=AC{olbSuEhZ@HDM-v^wWt8J?~ao?K{gwrsnh;oA&
z^WI${!9&|&m?6z-c76upufjs$&=Z<~Gwgt^68%f#^|9=kF2K_^mtnNAP4R}3_h6X_
zcBYH8U5W0Zeu@C_*eyIDKEQQcaDuM;vL3TQh5>+_8!Kl&8U&pDRS)*^vCkCGPq%3~
z>)!;csOmi2$5Hb8awugNVWVN=5-}EX$#CrN8#UKRP^tbcU@?S6E!yTzXyNbRa{1d6
zWE+E`7X1xlr~4#3FRLnfFQ%ryiMux(`^BraQH9ckYdzbZvO70NA|n?mJZ5)qqh2dfI4FB8oC-58
zr*r#U`Egmutb(|59mAhr9zJFMSOyA9*D8J<)JgoYPN%6>wWs;}m}7!8&EEE;c{bNi
zV@{QNs!qV%&n;^YQ>~(<6aF(Bd*%?c;*aYLH)JHt363PRR)0FSPfoOG6F5gtrhJ-{
z5IiQ>y&;nW`y*PB3eXSSy*Domn}wzMuqqdBB$}PyAvBl~B%%=}P-APCn|Ba}Ddx5v
zD05BvtBC*W+hi`BHzpkN~cS1uwCux)nFaFvara-He#vntnt`yL4}5wN6tJ*%&OTY
z5ydEd*u>ZiMP{nBYPCL$X;pfqJ7u~1w33|>!I5XcB3{zUUkHfvPG$B^oWiglVm3pHeEm8Ejt>v#U!`gOn`mi(?f>@JU@~BH71z
z>)mI<1R8n|gBrD#e3~k?WBaN*%6N>G7!&zhIjbE^MPo
z0rS%q4L!Io#g_3cKQV6ub!>$vx=<9->Huh#gyy93-$$3py%Xw`{kMel=
z;NGVbhTVEMwhU%r@JV66Y8)f@+&$xpLyM53fYZ~{5*-jj$CAm;&G;;fs>$dKx0n$9
zTfJ3bd{$|>X)8Id^`Ls3%YRsiNnz{snQWh5&f=CS3-|5Xl_pe6;DgU`1d_-EF50dS
z^RJIiX_r@zER&`Ay}lA>y}T1M5abPUycwlulA1hX6Ld}Ag#6a6sd<0?
zb(5PJ)WP70Lh>3`s_u>Q(fy=^vRG&8Yh
zISNke{q_55Z6J?)(c|woovXP{fTd|kk?0IIGr|#z!W>1TB9Jcv`=K)Np}>?NQy>g6
zl{NNR(Iy#ejr2&U@?x;o*|}io;E^MIY15@})r$n^xmkkN(BY#zfbg9q4k_oBTr}r#
z6&fT-^xe>zB36W8&C7uvMr-$-Iaf8Ue7iWlk-0}a&ECk+6~XNcBhv?#E6_Fe<1K=L
zLf;aBb`X1W8PZ~E!PYPTIonH;{
zd7e7At=@yM4m?|N{o;Wvb}_gwN~0})>IXG`?nv{V`wuZ}j7U@+Va;01sxhOda{*(e
zENjtzTg{Llj8KYDPNu8RmREAUN1qGXXF#S0-0zsIm_A2yD8(|2mF_;5;l%aMaz!{
z61_#+W)?Do9=j~hhH{No@)hekV~#SC-jEdZ-T>E($wH8Kn8C#I{%~&WI*5~w!;>(*
z(vi)lAQjrQ*L-2*qKxj@O2eU|eMjsR3*pW133;}8$zhlr`l4%|Tx$hUlTjaPRQ743
z_zKFb;k$szrFi7kJXBT|P^^E4ejSc=Rtrl5{+SVlVyYAA>cGtR!y;ql&l3E1=jNQm
zWEP*mS5{L`7O00=$9S7265qeXEkS$xCib9zm*wvocZ0++IaExt{*i3uas3tSohN4F
z(sa$GirOP&Y2%Cds!HNQZh`G)SM?oy9Wcb}ez7F<5v;H%0+;GC47f%>XG5IpiXn)e
z#3;=sUpqClhOTYRjd9izez;kjh-iou$xanl9j58cIos^8Icf!m%A+hQ8B-jOe47MV
zi!}x?PeXTLWr@;YnQd#x&6?U7G{1C*dr}Fnh5HT0(ZIogfC$dBv1TGLPJC0c%N8L@
zh!Ht57o59PfTqFzak+!X_meEMqcK~
z{1&_b*3vyf{T2)!jwq#cO(3GohNz}f$6KeZsj`Vau-wy3xQ^=7souo1WEinzlPN5QEd!1`kfPJN$XQp;>Nj?8;
zbxSvcFW~1=NPC&0W4QyOa=rMQ8HqDqXX{Hei@h>WLheNbUuiLCVp1W6f<$DsCshSD
zvhFeqP7w(|um6Jh6sexrY;A-Cds30riQb4pOe&f=b3B;%oeJP|Z|9|MG08ujZfL{R
zOL%GEOvtzy9oXB+Iy$9mFdbdp2d%rX?47RRCBB4or}9#81MH?Hk^KX+FN*qs$xGo7$6VR%Ig1?&
z?igkcW!_9tU$pE+*D9FC0K0rb8Fd!dwqi_NdJ2CR_BaP3`}(Jt8BAyIgL$!}P_6vL
zo2#LAwOU?0JDEWx$N$r=WcQiz*H{S`9e?sS2o(i`(8`63m>4*h=5tCW&Tfuy?e
zfAP5j3zSlBEan&D<=Favnzn>iWr5&8kOc&;#g>~)w3m9o>CO{
zk6-e(ySf@lsPK>UB5+|(HMGUwLxAOYMJ#Q7avt*R%&m|yBNrW)`z5t~yZpUFApp{_
z%e1H@GO~nGO{35lDOOp^qQ41J9C=enucpvEvdGvTA$5`3(L%NSBi>Mdpl&GzOREY+nyWGqR202%w
ztiT&~+f@{{4t$$-M5#xgTp=8iuBoksd8H1z+zS~H4ugrt?y|_Ab`){4+}tEZ~>_HH`T*ZpY5e$%hx?REO8Zs2v>KkkWHN
zPMTR=+4uwo6D0s-@f`dJ8n`GtPv*tqS|r1c)m&TP}B6PBX8g5x{cz<6CWE*l0_;qm234b?BFC*JT{
z`+ueGJ1cl3Y20^8t@gLPiP}4s^jx(*FhP!8fC+3l^?5mxP}=@qERqbDw}h}3=w4`-
z+5c(Z>>Qex<9_-Gf;f7HOlyv!WvY;7TXotQ|6%|LZEV78!TmOCNxH?7ixJn0Z`s{i
zTLz@}^^Ks5wB1{(_52F@ko2_bBGV$Znt3|7hhI;z(jXkZFzvd$mw4tRU7I*NaRKC3
zmKF`~=+7T6E*|LZ9WLChQc2>)Rhsv_KdX>uwG+^ON@A{`WKVGBfbXI7EZxP*@}ohS
zbuR|j43g!JuJnRbT)6dgyK*v3r6l}&889}uve9S*D&3?ZB^a#5!iYUoZy!c}qFM$@
z6EZ{84Y63?jR@qBz%id$iq0>H)Cig))3s+Riw|QnTh9jP_ey3G`}>xf{AQ^xUKn@?
z+rvQ^Gz{Ca@9s3MFah)$8rP@*KTJiZJ0I3M1R3HVoXbM#{0e>Iuz8@U(JWF<dW}gM6L5E;kQ!oImys`^oA$pmjO1?Uzz1;~M=X
z7Y*9y9AcrCzhoQ-+sXlHKdwSDR
zpO08u{bu^uXpK^#2V_w6>oM2aU^rPnkPV2&(-*kLg?2QmwClmz$h^(>$JL
zg8kJ9maJ?on8fEsHjrXXtRfC1sp|d1R95NgfKk=dU|Wx;kxG(d!a`ZE#`hShvt39A
zpZR_36i6jS>bmA#%`s(49@8)PvGticc1mj3LlA{qym;tZ9gR@jn9AT;wIxb-XU*1k
z&NI5gM%W^Y=s@LOyY=C11|avH+DZTN*y-2J(`i)bU)$f0)?kEFa8pUJHs
zU|3UN00Rm71v}=XuDasPj7Vb{EN*`4Rv#mI`p3ph%4HLcl~)&lW#D93NPz;JKJv}(
zoY}#f$@7_!9$ceT$80ZhPgA3gPu~ZH!2ZR5<9%O~Wu9?lyq}gw^V3PO6+XV`Q~xXa
zX235czYP>8PwHd;d9#fTng>YJD{6UR&S(+c=eJe?BRFXrnmK`N`?B+9vp16x7}+Pt
zB3~~A>}p6&ZLKt8cob3t=2=Ut%2Lxu`f5oO59!A^z;lG$+E~OD0|}O#YJ3)#a{g@~
zPYbeVm_H(!Aok$q{D!z1r1kpSn(}#{Q7YxG8W4+LGTD$Fo=J;>6a%dP56*5G+Sk`N
zw14p3AqF&RZ6185+04jn?nZ__F3GR5aoHW(oDurb=4|U_a4*ptml>XtLLfc;SWA}m
z5}>(nd;#JZ=U+0;kxw&saeDScAcaTZ7R!S-!e
zNBkZb+PP?=y!CjlzLKoH{i2ywvGMaAX?umSb*J?uBWfuzmZeBAseD14+ho|cGVbC&
z8SC5KV6B?nu*1FTPgHH#YKy%o_jGx3h;bV
zRbjy#BN@o{;a$+^>++>jZ=Y7N@0+h?oN|wRnWXTj4^#K+EF_RXWem9%LOgfOnOOJS
zdt^i{a*pMQA9$laS0l?J-w|BANnrNCdCkv5KUH332`J;231IIWQE1n%*LNX1
zT)Z}@!9a(LM|Lp%F}2$rzo`buuK&m{h-_FtEGP?YP~d`@Ty7w9cP$Q`<;vlJ
zHBm(DLj*H>QVi3?2me(Ik`!Ww9x@npHB&aGgSzlLfFDkop()&R38Tnuvh_1i7ZLNI+HH{$Xfqn+Sy3!%l*r`!t3o
z9pS7_hMcrK3H+)qC)#32KL|u8SdhpN5Hz&;+GfzS*LvC-)Hj7KgKa1>z#eEHfDVA!
z46bTNwrmHM>)(kjchwGVglc9R~n3s2L4(wK5DWdjaYsHoHE{^0tpH@j5)ye5uQDZZxHToy
zSdWRjB^JRC&Gy-&-d=U=mdGH9WU4M@2$7oTlSc6a{`4Mwdt-6jj$vLRMy>z6|D??!
z**rAJcJ$Vk{#$2*
z0NQEk_9#awsZQ!^YFp@|rxWvD&I1n-s5W+oruC4mNtXF=t$
zpjwbwxq2H2sJZ#2d*S_LFgSicT2?FDz>Jh_lqK!=iEjWL)(2;GR$Gsk7^0UJR(^V*
zB;%RhLgTLi@M5~BU$FcYs%4?cTSq0Zqd_b<8H5Vq2e^|_ly+Z%zqMKMYWyb;6u7&N
z?n3A%dzi6hA{N|5BO1~QAB?VG+yEb&*CS$!_AuYmK;k>wi$>j2l$^p78ier
zBrVy6&*&15izMoU1^EkDVckwrgv{%)rf95e{OsZzg+c2OadK6DoCxnkxj4P=HS>OW
z%hUCkV7R(^NO06uQhM2SSWsOp7U<*?w`&`YjEKaD%&dbCHmK!5G
z?Y9UPTbo+yT5ar-ZHZQPMs9_9F1P;K*lJ%Xt^BjBr43jkqFY2|?p>}PA|XdBYZneS
zZh>LjB1og5hHmhqRdz;}WF1i%(gfYXF#DjVo3jfC9k;;oP2qvXHmIwY7^ULMU_@@T
zR~9a{%VqdBu@X<&u49@0;Zn?h>7lMbfxm5umQ@%G^stC}3PuIkg<3VcAQ
zf~f>P2QgwSNrJ)vwo`Ci`g&()
zPYm4Mm7mwu-IZUkXI(5poG(BX8
zMs#;=!%C>KDg#q6s2@mxB##YY#+5Owl)^C?6>gY>xZFeEd~(|A5S-cMnqHvp3Wvl)
zIfX}QY0H#z1M&38)LV6GR|UZuWBm(qS}^4I5UV`Y0$!`$E!C?Wkx+!KSs4e3DNDCR
zk=ziG$%_fdFOpyP8o=Sfc5xYqFMy9X
zF11ejf$uq7V8c{9*avdtrSg*mA_
z?dj1>-Gx4d`)_)zHZ6em7opQC32~cCV-DHn_gUcZmblCSBdW)-Cto9pA%0C`tM2*l
z?@yC0_;@Q^rT|GTOKUWr0WT(K)dvWqbpZLE~j`QuJo32?tqaa{k_1i7GP=y7H|c@Uj+sgc!BUDjG^$FNG89c3S-7u(#a}
z;;Tv)JWvO)W@RUE`iJzl_CYR@7_^nA{eruS&x_Hk+n34d7~;(Qo1n2&D|bvRnHF$7GXilbcZ^Qwj*G>zvAxr{;7M9}tT7xe
zZ7eM-^+>k?dbf-A2sRjwcseL=qwMqAe|Rfu)Xe1dt`qVVXE_Dq`+MGGzuj*08T6#Q
z5PsTJ`!B7S8R4hrX|(iwBW0&qdRX{L`5Fy9FS0@5$n*%1P32#8*1Gy&giX@&)GhX@
zcbd#qWN_*&a#yCtzmb(VFQ+Rezmh*KQjMFX=D)I4Xh)s3Ze!_q(nXlIZ5A1(jaQ>{
zspiXRz5&3q>`@bbyJOoqdV2j!^!9CGw`*#{R;$ceT6+DC^B77RJ&z<-vhl=zv^(#a8s{s;1gWwys&v)`1N8{ME02x1_1^
z{`)!5l>=XvS~!`lVvn9|h}$j@dS_VT5Vw!!kE&2a0-nlcZ$wokVu9E?Jj6X&AGb{)
z3~gY?2f5w)s><0)iw<VKuec%f^3f-yJvK^wtD$aU#lK$90(X1+2+K^jJbn;;8XwF-M+%&pM62{52@DfpV
ze`_wKFzvrKtCZ>8`IcX5`apiMPZUn7K?K=?{D4gAgLCn_g-ns}q4D4mi8_E;bnbZM
zlp`XYXlcgv1f#h71X)Ntn8aTb(!fbDcuOYY85)EOqP
zl!lEj}t+
zSIAYq(2;XU6<59>&1#bD5(Z?o5bI@iquEtHE7F@FVgG~U&anB}WzLv}w>YcM@?lpN
z_}airFOl8j^qduF|Np)hE?2V}nrU)*6V1~hyb{QPn?Tu2^V)$(x#{3GhV_jGS>XN6
z|3oE2uMpVtr9drwaNH6$J$sss<2tA7ES;^9u3h*fWW34gKFiSlPuT8id_ysf!!Dv3
zJ4ja~`QjRiXlza~&D23gAKGUw9!4EDBQsEM^$VJR)skhdywH02J+SP1Z23me@i3I4
ziJdzi$BOZbp{0Bl#1b>*(MX1z?FDCdzKw|bV5(*5+tf56F35Mu}*I9t17tn_X;sAFgD7Z?bjYNcw($Y|SouPGP|mB&wRU
zi=>{MMo^xyp?J~|P9lfe@T^RyTG(%tdcqId3^hEEl~&qN5h3Ywj+Eguf)o<)3hJ&i
z*mgYGJ(ICrw=!lmrZ_jO$?YOMn7>sG>S8Q3p*g*{E85LzmS`&dF`P%iZ&I6NOpDo6OW&;3_dSUGToafX>z
zuG(52qdnMHGOJImJE1P@RvfRuX0_pKg=@zd{-=Ot6CZ)9j6%{BC8~@p5|xsTLBdo_
z3}KqgD+0A?FnCNsNp$B&+X22w8=<)FS~=eB<%PhVnp@=t2eV
zhk;}G=G4LvkoOt>mXZMBr@r*-0;P{W0b~bOBN6p?Z(+<@7#(Y{57Tl(c|3t1@hyu+
z!RIKad{;|a&vSGDopQU-1hYykviDH+l5YB9pkD8Qu7&tD!a)usJz2D?W6)S<
zZve!Y`1a&SfYEVX(gj}lMI?hJ!WS8}6jr_-r9pt1_E
zY^aZ9@~LqcIEqLw+PPxs^bR`3Z<*5Z$2WX4L+Z0nnTHD4n2<(Oj2FvFuxc%;P$
      <&@$xJ=1*qibF8}O9UNvYAY5E=Ynx4^B-^`#_rU<
zE((dyI8^kHU_k5bEB5FeznIW*U~9IzLEAN-1LCLJIIb;1$&@E|&+0RmxC;JO4pPan
z&4DfM&B|K9CQdv|4(}M`+v7Xxwoy)5<{X2i+&=9C8K`tR5jj#(Jsf??CFQhA-mc40
zTQ+8=0d4Ca*F<}Gnsh=lHHsbLNh@RxLU(xg?IiVjRLB!UV|4z66E*L$+JGJ&E{NIW
z5vFNihjfq@LD%ZlHNl}ShDJhyIQ&fNOiD*t(l*~vWeEvmh9`(bkz>CY$jDpk#mI;libY%(`y#hRd?P1bjVE=iEEQ2dc>ZA3QaOniKAzNZc@BySxyEN_X_BcN}O|3
zT=cMg$gR>?MIw0$9lH!9;C35J4lTcVmS>*Kp+~{Qf*9v6nrXBr;pXd_UgvMvC9?(%Yrwk~;Crb}9S
zZT7;rw?1>M#~_qHzgurnwg-^A3qe5=k>K*ob;y=(e3BQ+m$!rxr?1tJ+LSQCnF+5i
zPbF3LgtLJ0pej$W%RSeTvvmEFe5QPPYX}LabqglwYxOm#jF=6i#;>x&=D4!EH$F~E
zDxgDKVjCYe54e4RIzx+
z&w-38H=hE)zHMY}DTlRG@RArVE*|}Tb`;o}knTZ{yp^T;g6W2QkQ+D?7T%dxHQ*Cs9RbEEmdD3D3afGnrL&NLWmwWT^5Tuf)a%&q*YP4K_A3upnIz80%0VnUi@
zJ3e`Y3uRAXhXF9V^*?VuSVhGbnMH0v7LIm!>n3*>ZSA8*nyWKBl#~||08H}F`U(MqJ;9Ac+gO!v&CYp*A8N`&=UOziAwe?V7UDx-uB9h{wVpQ{l
zy#BurT}RH;)sm>X36u?z5Zxjw_WW`HD4cUt`G#SI&c7L72n0zkQ4n&Ci;I2-K9uSs
zkACO(aD=NRE=~KQ&^6f7^rs-3?WzNP#Zb-hWGktBOep5U`rTbTFd>ef
z@W#Vx{kEJN&;zcbAuEO+5i8i?8z~kR`Rm_zhqrO8O+RSG@$5CJW&XFlK{OX-3~xv{^9XVyNFv=`V9;YS#&&uLZVMA_(a+M67#1Z1T84BBvT8EITjvp3
z_!nh972r=Z-6T*lgOgx~ex8MpP+*vaBvqL6m#xsw$G@lqzR!+X=f}cnT<1c(WPn1w
zsd8q$^|{ozuDQtz=)3e77aI=O4zf>0s48>axP=t~+SuC{q}6m9d7tF_v{+mP_cctG
zc?uQsR5v#7T74&!?*fjiq!*S1%1~ODzYp=aVpu`I2uaWI)o=>4A})HnXFNdaYt^H-
z)YTEJwFGQ?3G%WffhUKbt55!3aE=2{p|5=x*-w9dP
zwVT0!)YYBS9pr)dESIO>J!0ug!{ix<8UhutR?C+dGu>D81Y0lO%#E?~$Q&HnJCNBL
zPbibVA}#(=RF!lYj2^~`q=Y$^*f)b0ukn~m%a$zGHV#w8?pF4nwcVn(mrg$bV=x)v
zuXJ>r56@^IS)}}B;C%N2gP6HqUmFvr9>xft7pm3FysFT~3R1N(IetV52sjg;f*b`$
z(UEe$atG$KppbrgY$ps6m}85BcSAw5)@u7itnUs_s7s1D)lIfT)2p@jsp-LhL^qwl
zq&%bJ@Vas^jguBxKdgfI?>;s_&42N)KckYAlwB5LXT>>7B0h5kn$4A=biwT9#exDOimvi_x
z93_R)svfB*^LUV`Nmxc>QCW~i)w3L`|EX~i;QA%gF-052`-P3pcfLuHYIV~9llXM_
zW9LVmc4cMzq3+I}_m>6YkkOLV`5mPC(2iJN4a#2v-akw0~S3cT&GR%q487j05T(I=6i
zsWUH&A4-mCDn`zD>y@dmzcr>m`-Bf@36rp6Fy*CDy>nv)S10VVTOkwGi>a@4#(_w~
zRjr{Je~;1`Ku)S{#J}y;X$yps2hPl&0l1{_nd37cH2m6RbZl&*&KTELE&e1%(0)4y
znLPaXuK4y(*>HQUpBn++TehXm_qw%gxTfRP*E2G{9&>9|@G_?j?{+!c;xdj9wX%^2
zGf6Q7Au7cnknXZ#fct0BGC~Fvnri^$`O+gdDChtc&nQlZXyfpYAX;RQwQ?k{;Ii`s+oPb1X
z8u@~0_AA@_u>IIRFinEnHoY?4hXZ2wwiE8y9iKs0Y`=W}X7?F)Fzxb?iwA>crb&kS
zX8JZBbR0uq-o?*ox9HV6Byln1%XP&h90s4dszp;}q>&998NWbVbxdX)!Pv*N855mW
z=ymu;s@8F~4$kQR;Wf;0#UzXl#%D?{fNcl^SN{ydSqWpIVOwKZlaXVdMgF>AtTm@~
z9B~f3cEG$4p>BPyts@n>cQ3;^+7feFkWfBs28N;T3veCi>kgPKA`!OdNXEZ%+HnlY&$=H!l&(2m90=nbY4pUoWpU}3}4S>t^0<`=^1wlGq
z#)t#~bEmC$+D+|@L7Ru^tQCNg-8M7nu&58O9Xd1p!Y6KKDf?{*n-c{%+XZQBf=h$&
zmu330XNF9akh)udiOXNQ)^ICbhixenDGohW`r{ZgCNjXXj>bccDZO@OgNU}WPCLLy
z$A0-ZCfv}xwcMcr#`HXQ4iwEd4q>_&Gh{q;$h`>p$I0op3E;FY!$X{G1Y8?;=mOLc
zA>6_puoX
z>$^~7k3PkRGR|22EJOVA#F^_K=18){+pEF#wA@OTvY=T;rJ9wv>X@{UBUNgwg8XMA5M&$rPawj5@_$DzL84q&7enL)Ye}Y$EMmd~P27VC
zh}pKH;{i}`(MBIfW<%yg@Oi%+ap!Q2IUKnSnTsgIC$&5
zBIJ*`g$I68iVn@uc8I9URgB|wd=erFG_(z7o>zhKnwAnYGN)OpcF1zJD!w7*u5;CF
zx`8ZDV&CQEMlzY%W<@qy7?B}B0*9d4?|x5AuWtY^<_jn
zaSm$)mBsYjIeip7;_uXDpRnyWexNMub6Oq}mJ~8hn-M%1%7E{uFTXd8l%fL^^{J<#
zh?p3URq>4(jD@nrqrp{KAp5kY5l!!-n5c`0pp9_Av$vkR+Z6+>6*E%C**_gZa;=KN
zS|ct{Cn156U$`LEmXk1!F9;J?d8NsnE5GBOEJXj8oiyy6$IM-j-L>dn03_BoHO)*F
zH7zTq+e%SjntxjI(pot^jz$-hr7V(NYL@|D5wv@)emnJVNIZA6^oLTF2?kx&u2KeXF)MViNOyGlo+h{~Z(=m*Um3`a9dTacf
z3G=yBU)5Cpm!v>GUJ2A(_MYgiS$f5<_pkpw3UmItC;Su1y7t@sd~@K}e-;1#bL5Ua
zY2W<^LznUIwNp69wm@Kr6~^;}{xvEw0J&#k4MWo$U|6=LUn6y_
z37iOv)klYm&k|b68P7KOH=SKK_$aZGA-3j*$yBgkrYR*F^Ado5TZn&&kqCcaUX|Ua
zI^LNly(}$1*)jGZoPvlhXTk4=CbCUKqt(vJ&wyU6Xas=XLEB}99fr_qelUN~>Q9ex
z9cH74eCly5UL_0#N_|}ueK57pj7NYcE9#!;WaX9CvKIy!H}NDf(^I{uY4`kwl-;*t
zY*4`F^2W;SQ6T#;@`MtD#2pd-%N5aBMw-4Jmpmewl52h2h*I#*WoW9ds<+3i-qKq#P%^F$+Dws(Rh
zE|N|thuhZI_~NE~-RvFO)J=RpKXw8BCN`H;Mz{^Hf+
z-!fZp5xNeC$b2#dbc_$(vAy0&cDFV?e1X%R%H3D%i>gxi!rFrdj+Jf9b`s6HsfnZu
z=vHfWmXr_`4*J9=N|G{3=KKb*QxS&Tqz9rylZBN}P6m-{uxbh1ie+Lw7FiS8tcvES
zQ7fri5>r&;Rw-I@4}KjdaYVq!-uC|NFscib_fk$h5#^8-h>LN!wD`(DT`C1HQr|3^
zb_5?69EM*B`pbiUNUUfT44L(4M!XQ8a(uCdn(1n{MWrMr5F*Tltt56nu;Gl8B7M!+WnTri&70*
z0^%xYlMW*rJ^z0?I6}{5!=Or>?|{%0LiV93PEZ)*H{&(ueyilkQ
z#M$2;;?XsFnog}=uqS&4*%2k=nFtVW{rMYRdK$!)k0hi4W>
zI)Y`!N}QEGs;~9M%A2KITVHh2hxCKmFG@=@1Luo4{O*viP25dwBZfG99UGggu$nUmrrV5-GvW^RbS(sYq93j-F+jGd
zslA(~U%51h<(1C}BFk}W*%urJt?wYf9F_7)PIT-4waLWh9!|0Px8!{8Nq}F^oI&;qgjL4a^s0_iaBfAe~=x(Ta*xfx_eT7sL+$uUxa?+=Qt;(|UcwRu;3+QIC|(b@C`SlI
zeRr=zq#U!+JNeX59n4-%xfaW1Br@Q?WxciJ+){=AxLm_KXL+OwKv$)--)OxHaej-!
zZsH$j(`&Hv>o}^(f1Y{pTZdZ|4q%h27!!>A=#}~MCEVy4ppoBF-u$U3IBACT@3SRi
zf40EXKr$N9#aueVZVqWyC7bnT$Ryui#;B05WwwpF1pxgY#^BgzHDXwv%e=hNs6^sK-4a=
zO2CiV4gUOZjMZmxZS4X3Vi<%`a%#-g%3p&(d)9*s`IYYPqN?u_L$ivT#k`p*)<(h
z&XL=OhN4(js8Np}c=qSrBUOEfT;EpzA=W*HwSXd%Kd1Og%s`t+6$1_6r~LA>lPAJs
zJ#!RkrSeeMIs4w9tOGb#S!kX`P{h+WX4b88y~fA5xfn{*_fKt&GQgf$?9>XE8`6K;V|_kfWiPpxYqeRXDb|{kZ0;kY*4iXS)XMEvLE(n=Y{f9tPt&1ct`j2ZhK4
z+i3j1Um;)f{+0E{_t0d{Kv(?e;pfy===n=^^(m`_&##6_Lf;YYu9
zgKIp!Fx`R1u%&8ML47rNwgM5W8{SaMYFRyE
zl|cp6LVNfU!A7875l0>=`)Ejfl62-xO26$N@3|pyj!R>^Iai7^se6Q}=Cog8n&N{z
z5A}wUpx!AlJVoSFr@+-H1W%`2C9G``uHV?
z)}{{C^Xw#VeOad~5bk)L%30D9d~)bedq*+FM%zJpv2dmM93tp#cHQ7
zNq>X5@;v;JVrqpDprmqfBg92mq>6~Em
z0{+p1Q>6HU6azuLrLrpur?p2h8n-C5Ve4BFfVS*uFVD>=9eeou11OlSDuIkYfXZbo
zIb}g575i33$#FrDWW3IwV{c`fOVBeBYwK%5CDra^bCeAHKS1}U#YLR!ZqGbk`vF}M
zMbxH=gVRKjg;}eT5kopvkQPA);X3p+V@IdRNKvNi_N1$sR&zO9P6lQB#|V5gtx6#$
z1$BxbC5j5dbeNlb9nv}sl)};Gn&)yX6u@$Du8eQ)vZBZe1uC|4^+y}5T^+0-57m~w
zB(1pX7nIsegfm%gM2LO@@5{4(mna*nNoSdp`!r&@7A2uzY!2CI>4Ml6BKHwj9SK@a
zAzbSFq_vvDu3tI;ek};WQXV9jTsW~^U;fNpZuDsJJ|HMO
zh>A2>_f=hKH)bJBCHL`!Gt!t#s7KTy^ua~A~D(@efLySNP|jiKop9$
zT-Y}PGn1vN--Doj_rb016Yf>W+K#&y@d$G#%q5|OrR@td{py*kDw0%Ek1B8yXepBq
zWeFxpJR7-A;ZqGZu-6l4rMDT$5sm4pPHB~A{J-~>ny6!_%A7l~Y-6Q4fN>@Ky}~@Z
zIGVVeoM(>BC8qwt)O_T94(Pe0W2tr&uX38yy1gH_xVtKoUVzm}y>)53#j;lUZ4Ou6
z=3u(wcXVvc^Ywsa2v8REF;FKz9phTt-)?t!Ln)P<*N`x}DKN;k^nj{M(4k2-*~!Uw
zh;ZbOtoi1HVZ>0-HKM{ID&J}{F1o40~XmV1;idXi~YVuINnw<%9xlmNG%6ot;9c}3(tDqnVBP4R-hSXPndMQ9QCyLbbp
zyNN`|;z$aSDiyLw!UlQn3b@LPX3G_X`n&n^KJAPP(1AD1vmkj~0@O1I&B^@jLNonc
zjcZ7Ff>vbXIZ$1Brsc~h)}0YcwV{+2oJuUFbp9Uaa?OkL$5Tqg4Q0Gl^Mc#)-M#x6
z0F!M)^1cy7NEEnImBTM5Zzp0nHfXU#fewBjLItb-s)5$fb)*`jyGT_#Uri|}qmM>O
z
zszDMPcOXcsJmc55^ndeO7g@Vzt3hi7h|_rvbdL8^vuFU8Q+Al0X-FsB>Z;N#pKLqs
z@%UfjhIRxPbum)AiaGr@&QI4Li$pV=h7tied(NMcO)QqGx?SHe}w=kD_n%u+*SbOltvK*Nz+~|-#X%o$X@(@2e
z;Tasa;7fOK*{45|IJ5p6SifpUvsiR=vQHoDd!oYKTF^>W?k!zB!Cpie-kJ*Aa*5r_%ZvAYe(olaOm9swIDmx?EE
zZUijbQ>Kwr!laZBXmk|XAwOgV#){)YmIh*Pwj#E`k(J1&JQUg>
zCwa9)pYz2Kj~d^l@TjQ~2@PUC=S2#|UXUC?%z{0pFnKh8jo;|P3T#b0V+hqIo24?T
z++{%~$(fJ|wP?ipbGgN7_p?pHL!?uCS+43%L!}Q+pmQN)syTNQmsP6X!aMZ
zq0lUAsF4BsQ26!;$!|mulT&Xr1NsBX)t;rG_R;-%ZuNpv
zNIRcK8jRX;6~JPk6p)_cq3D(LVzXT^nkby*L~@%lt8hVKoHqNRAq;dck;bN|vOlcm
z<6rx>`04TwxI;iMBjTuDRorI_SE$F#P0yNsL*Es$XZ0RP9!*_oV(uDn+lf*Bs_7AE
zhd&{ekkOaXo(!+rqMtSrbfp=!m_=uM|uI|ZFp&UG;L>`z3JDr09_=XEY)!UqX
zoT!zq1g#W-QJ+Jmm>NO(e=kw_xK8vjCC=cE(1As*eSQ_8yW*W-U#;$pp>x-2L;IfE
zE`U&;mCjASTG^qyu%D2@Lc1nq5Mtlz&{433$>{ZaddSbzapOu4L^*uP&-$NoIe6R&
zT?B9fn!{sOWSJTro0s?EXmPEciG7kn*$GUy!UEY9he3`do1AL`Cq>kqXeouF!0e(@
z1|b%6&HWqdYpiMYCvd7)mh)HCkuL=>T?$YL$~5z3Xm$C58!6!Mxva~VmH$Sym)3Ab
za&NY0kdm2y1WdbHn?B_wg_7QIA#a?r%50`fTujWy4E0nnncc}@L)Ln88cuDkT5@Wd
zo(WtNQBD>RFgW-+WHS32gHi1Co8HqC=k_81>Sh?l?UGkhZEKMJYbph-T&92oCQQ2Mlz0Qkn2g<7q@zczmfvX
zbW=Xt0`Btr5dHpPK0HrQgkP_
z;MgTcJXVeO;^VY@QT2CuF`zpM*&`9?Mb4Iymr#>1oLk%lgwzo=U>xy>2*|K(c>Nsju+)fxXaeZcW|52D(oJJbx}f^lb_kD+D%NG0_ZM2yf>
z6~Y^#;UDcJ@RJN(*V$3Uv!fz;PTJlM4bE*Gy-t3lRkm9k({#>SGO9dOQDeSRlX?iB
z#A!^f6_&_mpxZEPy!QtJ4@e{`LTL@e#yHE=@s@cvZe@r{U#YR=b7WzX#0BfHoTXe#
zqwtj;A~iz~U9!i^6dZ~`X5)e}wT-N8R7ePH9F#u0U<+OfLVqTBf93iB
ziBHPwEYF-Vnr8S5>1ZRaee*>eNg0NiDF%I0n{^A0PAW={38K=(?1ev=*^{AUFrT8y
zTt0~MFILw!&o{@ED)~&G+{e*p^3-T}1J8s1VX)E-FHe&cZz9K;STSDQoEO;Q73vgo
za*dx+usnAQQSXNJI0|5Ef;mkTr@)qpiNT@BVT?9)$6#GB84+0%?EI+bbIUw&-WZA3
zL{>B{$v22I8V9IiE2WeJ`PcIV_>WcAxBz`H!DZ6F;WAX4G1SDf30!;`G&X#-)UbMI
zf7UTMG3fDYKM#ymC=otJ;O!?ao+b4!<0K4l>C*Q(RB#`IlnmJ@hHciWPCj7vy6jR^
zf6dY`Nn2>hG+u8^Jx^_x)n$ZH7RC>*n&+~&cX0a;nPMv`h5}rx&PM98xT=Z3haRL1
zGbFA4`DzWszjoMcJpi;+(as#}G2W}$3G(G(Kna3*>rGW=$
za;FO^n*wWR=F{mt=voD@Xf|;MVk<(o-&EI5y4VIwg?$=_rcr(jS5Nn25G$I&GyGeh
zu#&t|0yjUR(w5*A@)DdD*eSyRAf9
zh%hnd=ph%UH8|SxnI6^0hOl9s+ZQ~2AtaY^scE}0n0@r*o)Vd1YxnH>AVS@|;D~v%Gj_
zkfH#y>&anz0|eY1y0|>xzhE3;4WrW81_i&Jr(Tn?_!pGwa!%#k
zFVUekt?LQhsb>~j7Dio7EY>8
z)TODeb~T=0B!{+%X5(|O06gglP;YRd`${y|fUGxq*u$CJQ`DmF)6`5qXNW~c)^klN
zG@Nh&2D}Ge89LwS8+qWclbKeh?uCtG1^lB)m2oN&%i4vM^*MAPa}m#AB^HX@ORDIcbg6W
z3-@jNNscyZ8%1a**U5`3wiTIGH~tA;o_FBr6$svoI2~FP-}8-9W^*yRVp}nWTvue@
zMoBX-{xQb_y0^C8tkHKBsFphwU6<(tgrIbaf&O$RgCdot!s)oBlRB$WZCH}Mo~I7N
z3}e7&-o#Idp~1H}xOtG~RT+N`x0tsZTq@jeUuV4f>v|jm
z2}T1mt|Qccnmf!gs1{)PvRv!3Jm*%ysG*9Y45QYg
z$`$mdD+Deo6ahoY$O6r%s9a`F2N)-AwVL-Tt8Q87T{NO{qt+a#>3Y`H`b+2%ARQ|c
z+Lkx(jZ)Pybcb@4Juq5yM3-8Nv8MaEq`nKTu7R^$$T2!Ek4g#pu`a%j7+IGnEki%a%w<4-Dba0UV?@#e#K<+5WVq(
zsQB-ix@iAc9tXLzKX&NuuZiNks#i3nzO0wIUlAWZT-!lO#o*h@;G+A6e&
zT99ioE)PLI0InE$iCq{Z5?}^-(t7m9CDCyp+jy6v==-kvL#SkUHazwJpLyRL5jq+y`
z%I*-)T|QS4#Lzd7AHQw&l-~>Nq?b!oe2Og>x*ABb3z>-xsK(T#Fl#P}>+)!4TEl2_
z{IUrl7xM8CSDZA1;fC>Ts?F;1CrfwXqv`1Ej<7d96b#DHa_8MA%_+v+&_wAa_?IdB*
zHbctzF*Y=!95G{C>UKl&*ka*%BxZf^={Xf9bGYTlstFP$#)M>gGn**EUU(@p6ke=z
zw-Q-AO4`FXJ@+ti=#Iex(%21ROAV=7_xB)vSz$1Z#IMKs+W5
zwrBM>Rph8DXj-8BRv#hKwKRu%QG
z{&S)IRc!dkQuJpJZS(UP`s5cI-N2(kl8@Xw|0#(^jU#jP`{!WFcT!WvTY&(qi*mR%
zahw?2^yrEWbcx!5&2o=pDB_S02JU!@$VUy
zDl~rZzY^OvJ<+?}N1WpV`9+3bC3ElU25UxwL*h|fH`w9q*JBuB;HzGmt`p6aTR*Pui#8~tz(kH!E?d{yhJCfrUrT?It!Rau4r
z)`GX>xIE?K9*{bJw)o&qh=Qil7S
z5Hd&h^utA8fW$AOqIp?!D9xlJ4ja-5jC5&j6l9V_JiJGTbU0GErQ?txZMMltDQ>CDBsHBEOIHyEGzw&C)9kiG^L4j=&&kZ*EjFMpAFVvCvNSmOTjsFi+!2KUl+h6
zxdPcI$g=$1Gy>o3DZv|m;qTGNfZ%u-c0wERj$1w@Hu*W5y2DV$*pt%QExV+#a*heU8Lkr
z%Qa6}q<)1YAN`m@#^mS=sz|tp&%2Iy$aNeAP~)23LN1-s;0h0^XqTEVj34*las8AErYFT~
z6HYDGNCE^7zmNis+0F{g3>rb}a=L1$?yJl|E=g4$$-st&We}ReWBWZgc*^n~>}CR2
zvszc#UDw1|UpV+{)%Kr(6T`MZ!+PeF
zPh>TF6kgA?dGh+nx4c24-T!3#1#Dbe30`YxJk7{$zs;y`q>Pk}rmGvDdCtAbXlNv#
z_>^#|GQFb`tM9aqgVM@fZ?7T-sVa%Y)E}_G1{J7bC0j3$D>+kGc;?%l0>n&WtyfRvc*9wQsBe7zU}(k8ETlJHT90pzE`U
z43t==4l9wm8AfW`2DT_!wr5CG8tvIESvY0OPvi1CZs9gbTe2+eSscExwABVw;36Wz
zaxP_3d{R=80UKgogGJEd|uwh
zUf=zj<8i<{;OGDzvG2*vsedBN;#B&vKI&*d9<_^h@*AHw$Yy
z0xtJ#Vrfm(CNp?{Mio|K`^@?jPx^IT?6_y($$%Ly3H!~~?0X3j(~epH8^iXs6Pu(f
zEwCjK*p3Ja2}h6JPx1DqB1AGRM_N&^)lO7gyCS}TBh^Zb`9gw~b8Z^m)eQp;VVbD)
z^y}jfP%Cv%`@VnjyvK42;F?nN!C)((f3pE%0~F}~@?St5N80ovv7(MYV+5`rIQcO*
zD{7Ct40wrHSxY#b|F>%Co^oK0UIhQZc|Mm#<#hVH#05{2`&>kRYQEM&D~ScRIwy8H
zf06^ia4SK`GscIzW1xN}_b$g5{_ncoX4`#l-*Wj;ktD*z&&6U$<9)FGWx&{Wt7!3o
zTPS12D@Pr*U1T65l_m}Rxa-1GkPj`F1#~MmRKPnJjBHT}_=80WtySS4`2taYM#k;{
zNvV-V>IXpq|3^V$MJo`{vQK`S=88}KuNjM?X0TadywW)Kv@L7uYZFi6_R9DfsZRkT
zZ(fc9hRdS1^+`w*eG@JU49BSA;0UuYI~X3~M8n(RoA3^>0X-xR5fD7ojRuzCPv7`V
zuo)Dxu)NC+wIFE8tV{uY^3v=PZbC6JE+<+SlNtarf3;gUunAU|}m)*0xX6KV9l*y_Q>v{m$P?0Lh+xCX^r
z%2?mOb-NUqbC7r_Z(&%m_F0ke~P(B*HyzrONc5wu5
zLcF$oT_H&mWPl5}QMxf%)Fyjs(M38X6ezobRZzJdb>NOH73F}bm
zilK#?SOVzJ_{|Y0EUm#*$EFRVbp!k&(mvG#oR$Y7wbVV|Dq`;X33(!3GSN!&&PJjQ
z@k_}_8jUSwRf}c$#R?rKx5Bf-DXwh0Q-Viv(JAta#WHublx->gyD7+sjP_>%^-6rN
z>5be1fcwlE(f%^=I#rxN2b>ig4LMEO4P6EC$MI|8Bb)@tgvHVv_PXloosz1+_us#t
zB39X2zh$q>uHA)N$>r%$iHo%C=G326`jr(sf=aFxW;n$&poAf7X0qyY#Q}}!B
zZhpj?>`jhSPHN2j`*SX17W#MgYAk)F9M#65c9%U4Tm+CqMetFcP!gu8xB^<+bF(Lj
zGJ79M)BJkktfUcOl^*I<(!-MN*=npjUP9%k#E8qeD%E44ic{I8iH;=9q^w$Kohp(S
zVSIKhS^KR)^V86lm})4@tB~iYWa3Dbsm`D>srUO5>g~
zd=92}~$u&AMga6A|xT_0G$rV2d_LkX-qQx;R^j&jtFV^gKn_
zT%u?Gy?exB-2dj{DWrtOUsRI;U086R(mh?1z#(rU8Cm2o+toxPmVN%&bCVWSA>ZyW2Y
z++{EWxemz&L@d!J3X^A<9oIujZH<`aq#yfqd~Uu+(TKLD{B-OIup_vf;}`c5q*JWs
zv;DJn>q6&LpJ|H6qXG{<`J7siuQkJcDs4=i3S7Jh5Y9X}A9uufzAp)gOf<4+v+m60
zgF*7fl!7+0G0vwHq!Jt5U;E+!(QO8Zq}7j}_O)yjHmPY%k$oF?KY6^G9O%e)E2s6I
ztHsrB>q@eba&}CW`_^!5)6CMZ3$z>(Kvv#Zlk;W>2AfT#PIm3aVOX?~zRmCvGykVF
zUaZoXS!JjaZd0|3rQwAeL0hPus%hc)Agl;#Zit6p*@tGA;*OMKs+mVlyonQX?v>l7
z3kEzqv?^&7{2D0%miO}-E@Z+@!!@}NMqsv`w9876D0K^LLyJ|*frq8E^Q09Og7ei7@R~<
z^gu(*)0HFpM-9S@ktC9$*`QEv$O1XN{Ds6Dw~9iIzt@M--Ug^J;p)!}3{TTj9R?aN
zjgPF0Bn1$N7ugi}>|rQkH$ufuHph$N@vr4c$bYlv{}5#UF+MqqY0pOg2P83V<%S9~
zyv&Dxo)^V02KogS`|Of563?EE`A_Ir{fvQ@E^Am09-l50jWUxy5(yXC)bHEK2&;jA
z{9=th%)uqv9}fzM8A)57!uF=N((zdZhn@oE!)iaka+uT-9Y?B3$&q%Bfc@++HqJ>*
z2yH>221Vgc3-7|q_ovpdjsX8-F$D&p@(y9?;5KPFP=XSWpPdXbfjhPV2s|7bx48ld9DK&q
z713ThkBFJfXD0#?`UILC_I5tG+=yp7Mw#-+3KOnlDkNNa<%lPChDNyi{DAsxI)O2E
z@*!OwfBPc@dwQq?U8+f8WM08l%Z>#2(n~D5e5~B+;<`yHE=`jB7)?+X%E*Y6D=Y!q
zz4P)E5I{GqvaK_9x;rzz>U%(gdvGSYA>tMlXQO`7=o97q1b)S=?Wl<@#@SSWGeHwA
z;mn`w{o>KgXd6ow^XVnuiibD6RKl|{$lETSO{H>?Lw0t4u0v6bkz0#+YCFmwZj7xn
zC#l-MYY6ob;sx-N58Wflw+&7-Je6LdF#W;3gCA(ZG6?By}U2NNDUjYG@g
zxdZX`jPA8H&Yhp^U=nNyQqNL-Te@mz*d%l~l0PdUIist$5q#s~9mD_V<_&Anu8}Xb
zcm`vik(F(iM!9l*M5uEUiY+2eDQd{fg6nfn_JQo>oUKP%;tp@Zo|9(MSuk)3v92w{
zgJ>NrvwD*PcSW`CK39alo$M70K575+dQE?_RL)4T!mK7655@Os;|WcF+VvLuz)vl
zJ<%CM`Mq;2WE)Kp%+Q}_qiFO_7HXKx>J?t);k^cBA5)&kwgtv~cv&H%Vsfk`2VIo|
zW1VB8X|$OD<1Du&3;z+(EM2p*yK{5AW>n3^-6#|_0&~Ht!G)Mue|wSt<3-Biz|`r=
zoD$G|walUQZ+L`Q;5--yMuRAkUMOh>Z97P*M+7aPmHc7Ej?*AIvH^4C((Ow}
z@?Nm#-X3uM&d40*D@?D#=Bh#~F{`x^JI|^?9v+#R2U(wv8~r`B){ULr;+lcOl6=t0t
zl&F0hYTsV)eO$aUkj
zVYa;LrPE*UGq&p15g$dMk0Y(D;!3lefs+3yTx}e4>vv98<+Q0`Mf*?|+~}`r*natEHoIBKP+8
zRK|PQSFYR+pF#3E%mR4ktspWT-HqG23mdE~3s*25O#wcl*r_YRE5_(?s1irxhW+k`
z`5PkCnZ%a(3lH?B*#*mIhO0aaxN18lY(|3c^#GDNN$1v7o7b41ZEIA_B*ZFicvqId
zFAURRSIt@lNMiNRY*V4NlG^@2G7$6FFO-tJ^He+*FRWd#!=amq8rJd;nRk&$_$bF~
zye4S|n?ZWoD2|7nS_!_j!Tc^hi-b5D-fvjw5iGW}(!1tH^Vz;xUxpKbgHu;}pDSch
zjEDG*x=Ut%ZYfUuZ7u}A5udi)3o{EYe61mTxKPkiAo`;3k)_eHuWy$x@JDYt5=#}3
z!}QqUn%4;Y>;woBAXgUlYV-npLXF|!#y<^(hL1MhF#xMP4Q8huQaOgUp-E*V78+(>hnmC_;Kv-zP
z8G4=otFw^CB_G0~`Gt4kmm1$?aQg3S{ueg+I7X69jhum~KYey1a<1q)3vn_8uHyu9
z*al1{e)8zW=R)q$xo2ns?*4DD@nY~`h-}fBEU95JWPzy
z=@9nw!3WyZbd)w(e{W!IAXuK~3aQ0bDT-4yjhJa4^^IK8N!TPH4WP?EO9QHe_#|Kq
z)SsxnuIUnEPblIG9P4D7CylFUrqGMtQ-N`+v-e#_yFgF96;q{FYV$`E$SN3cO^@u(VZCR7+WsiQc&iZ#reAV(vi=+^%Td%R
zZugz)KGlE92=Fa)eM`8SNUTpSip=*oHl!=li62qU99nlIKzi3*J4%`^RQE~`CI@^p4|IVJ`U)?3HC=rC>VP*8$n47x3T%G7Z-6}CutsBFB9=zG?97;l*!qm6LOe;NZC2esmN72_#Q}O$XqX>d
zegJm@6`Vxg4+43rh(7w(my<6CoslJ~^K0_ldD5ep-pwkIId6Dd7j7|NjC#rRMDoz7
zHzQx^)HF~25fqR$R`J5YH!XK{MjY!!JmTMuuL2R6T4b5P5p#$W8Lu*!y-Pv8oGq$E
zP!-lex+)c3laE%|#TaSMnSl|)AcKJXKjhbh(yQ`Xg`M#dFHTA3c}|7U$pC^EtXwc8
zBMHk{1}h=YiY0jE3J3e-hemvi8b0oC5Y@@2<-YD?odf~Wz4K(Cf#e_>M8V=4CyB9y
z$L0qe-hH944^}-ustaMrcV48$S}bFm92w!oLo-?
zz)hXZD_7C{rmS?JqdA?)tC8L(Op(-$^pY-GTOUr;Gg2oWGykXibX>E>z9`~6snW-%
zgH%1CmzB#YGY;qKwzB;E#2
zcWbqdh%2_?k0%ubAB=5(!)a}O6EW5oxl)jMD?+4Gng|Dw6ozKvRitBZaEA)1wiuk7Qs^XaQhH9V1CdT<=Wt!6O$KR@#
zwbkZ39+ZrzS@7I|f6MFdQMm&~Z8zz4je);^Iu^t2`kFKNJTQIhzyyRK3f&$=o`~wocX15O_dftRK*qn2NIPFiUC2!nFG%Z$XtBQa{xWS&RC^#R
zh$LR=g7tw|Ss{22wc5pl2B%7;cHt}C6OY>FS1ONHfRfT*0x{K@4^g5%gqifAeXe!7
zb;0Bh8r9R)U^rE!@$C4DBbZ7;t@BG64-l16-{h*D&-mIWsHv%r$--OX%BDw
z{67Y+-hBxY#O36c=z5mqDg%%!yTmm<;SF+;1p%Dijt3yX>XSyfC+MGfK11#APg$9M
z(y#7Wt^xkqe`Ww10s$qs;$V6Hsh|>j0n#}ob4Yod
zGY`?x<1+)@ZE%vrI1=hOW-2-L@BGH6!N&aOY?vG5M*SuzKGix12r!LB^W;3PH|caQ
z@S2d|l2@QhDI;B8OO#Rjy_N1^8LTEFJY!M_RIBhsb@DTs>g0Cg!DEvmaTVaLQE6US8O7EPM-4kBlda
z;Ka%s-tD!l`$OAkZ(Byrv-3Fd2~EfW{3W_Z3W3l}W)_jVlclt74z~kM)P?iK(TTw{
z%}c3ZCK~ACcLJPv#PMSr$aP7N_+d5=f^kE(Qz3?l=@DLgS
zUC{4nP=T(XYJ?9eu(9jZ6HEdE1LP4fcfb~7;txu%wqeBT$b4SBo+<-&FV*9#-Bk4
zB@Uk)6+y@1&YbBKeeY8MxIvP}`J;AEy=wwAFbr`5=t}}_FQJkWisWWS2Q>6Kjz~Q<
zW|6QLnCMOaFT6;EoUkb_S0C!W6izDWXozQAwGMZt{53otq7_XMOw-;;u77E2N%cXP
zqPB(cM#xU{;f}T*kU3l&N*m|J4vU*Y$)*C%D`dHjHfQeU$GLlOQQ^|J5kn+YP5Zmq
z{o2%-XA#FvWNlozWg~igW=Oy*wUg3pvgy2ACCKE12F~wSPNyO-
z>wA0Q)#T(tndxsn7liW252bTAXk5!MKI=U*z+DO?@`G-P`Ln**UL5=ib#?>-dZCq|
zX}Zv5`#~CS(H23-D*=G9?^Wmp?+A=mi!2rkkP)r225o>iKe^Z65?h4_;8AB>*Q)^B
z^pBZ<23aT)AqwT{@Q-}#JrDFel0s2^Ci1ORPts*Xm>UG*Q8ue?L(tSIHoOrvrFyqA
zr&DrJQVMC|W+DvpxDJI$7z=V!{UFSbQV_^qs0W-L#&da
zlzWrMG70s9N~>$=!j1bILrNuMFF(vO94-sYdF&LZRe^su8Tjv3ZvyA$2=*mo?qQvj
zSNB_?wz8lk1S=Dd;g}=TEwytmMi4qq4{r%06+nH_^e1CzN3Ng!Hv0FVZ;a&sMi-i7YRm;AKYME2I^P^i6(@ej10!`t`mVbNi^l$D
z6&tk-0l|8~?&G_A=+=}X47Yv2U4*h3wgX!!aJX9TQ7=9xc)#d8M&B)T%)G`tC3ZYu
zV2a2fP(g!}>3MDEf%F0FWEEG|W+7pirj0<7C8Yz9Osi&txtUnYddXy+)JW@lcU-PO
zr>2@b9q)yPQgmxTbrU59ijtF>$`MKd3viYlXIT}Z1ZTWpSE)8|N>whi7qR_hZY@Ksa5VRFpGX^dVKP9@~I&K(az+>gMeE7eEC*x
zD~CxAI`w%e@IGw0mO9FGZ(!wK71z2+zpq
z@LWG=Ez3HYv`aPgM#nH1oiYednux!yS{+CiJX9?x97_bhUZ;~2!Y|%ZN
zLk7|(wyDgy*yvfJkf>RHNYgfi8&Uq+$n^RNa)fSkHL(JddXONwTGc_h##~34vZx)q
zpSOR;pb@`(kRKhFd9rbFKTm=;67Vr*lcBaVbFA@rNAI~ynjCRcZoUa_@ze3^oeHvJ
zN656}$sf1Q7q9xT?|RpRcEG+tSY{>qx_TewqipY9(VO9v^ovDMI&ao2UU)mRqTYVL
zHl+4fGwa~H0aaLJm&jtzr_d~jt%f1AJCC~Jf*@JU!00`Y%_^I=m>Ze4BgV9v{pyTC
zfpOBiJ)OrhDKPxc5Wz~2qFR-R`AG`Q?F}K!)x%^TqsF?q?FKyiQxBZG5GA0#X!S!6
z{<4<#&p*V)eYOU^matkNR}8CiMN8U+SM(B^W&0&wBdE;lWLk@6AllxBxwto!V~i#W
za)(*ZOFbSr&#|c%8N3k`uuFv5@uhukBgxYNg>%+AuKxyU{61b>=c}~YlXL^YUcAwm
zcAhp-R-YBdn3*4%qn^ueg;Zw-Cr}kJipq=ZvYgs6(v_ARbKSHroCwsKtvS^~W|(__$9-N}^g`!aB^;-x`I^dq}E4YMy;
zO2@Gab(x0i)fq?W8BHfmlQx4D5C;f5uZW~}V%kk+LaW|Zgy#vzIy%6{_4$~vd9>wPJuEmd{PGBKRe@1CqgZvWo(+_;Enb7lNA=T^fk
z)BEPG3&o9jiIWOJ^g!wbO_#6WrMHzbKaC}~8~^Wh%@S0l^8}0(_vl0_+u>yrmJR{a
z&>K$nsmXH)uKK0
zayXKq@E~R!(;m
zp*|LWCl~F{L0`WYzs^vQxEw9YJ|mia)HUo|{f(V*aKrL&cq}ZO<;he^Y$R?&FFuSA
zmQ0}rqO;iCoii|P&FWBV*RmuYFaUFiozbH(!
zM6+&Zv0kZR$J>MVhAh?7l5+?dxHaJ|!Lo}Ht(pXI2pI(PGp#Q^g|3S_IFTC8p^-fl
zb67eB$(;T2ME@p@U=Xr^$N|;XUR_^5NsG`{
z&`q^x{{RHA)|eJWcuDq!?I>ZYGtR*0rdn>Y2^rdxDU{`VQb^tGBC^6Wu4>2kG5MVJ
zTv0PqB5$DT<0x%P;G5NFQSDxf4BTkR5ci^HIidIgVro%nYnXk{os4(n`X~j)eLNOk
zZ(pN~W9WBX;Up%&83Pu30R2>RVgf1zyP`WklvCTS2H8qCKTkY#9%JlH;)lQ0Dp`@X
zG8vATT;2g?IC{Ih2Plc*x&J;jlsE7j`Wl!~4M$0ZZcBHnZ3dtQzBw#(10$}VJCi8D
z@1z#ido?+i-V;aI{`5AbIi@5+R@rq~Ur!di)|!2Y^0MYdjKbNI8!~%VC^rSMA%WB@
z4Up?G30iYU!glC%>MH{7oj_dRytcBf8F6`Y4ql@k;TGP9+0RN2t)>zlso+Mzm4Ii9D92hTnZ#OE7m4)1gb;UErr
zQ*+97$;A|x8*@uYa>^wW6f&j(wBFRH>nqRGuYXcP;oXn(w6C8gV+jTA`ts^yo>%kN
z-Hur#}^|JuZWy5e4Lz(!JHpI}ZZBJT<*XmBbs24U=~f5uKP
zg3N)rLjoBeOy;^evHJ?;%j^NM%K1ewvUjm^BV3m%X}3mUk4IwUOJEV2We6>Tu#EYu
zqccHEdG<>LJ736^t(OW*Z_l6Yr_|Mx{#^+{7D@A}?OBmLJB4GGu(5ulq86jY*bq`6&ST;h`1PoQSVL?am>ulo%inb
z=zwT_1b48v_?#i5@vNb=N1-DPyBdggZ7%0(vf128b~`PMeqtVsp3CN2bz3jAD&5~M
zftlIzUdXMGW2coXP`6Xmz`Jd;z+SGp{dHiE45X#KE~Z^|s>5?#?4nE#%AUkXEM@c?
z+@yF}(DX>w-ck_P@)}@eM^GQ*>n2?oC`V#`BIJOHURE^C6|iv&|5J(uz>eBzbh57p
zRum2(hcL^(2l~PGwc9tbfqy6`dQx{;JHyIxxgt!$FF3n7Siw;)q8OeTDEm8
zWT<6VtQ4qxsg?}0Xe`94u91B=WW*w!zZVf46*JUKos!mDUbI`7Q8~{}igJeN0`>@7
zSg&s3)-ydKwv``g56%fU#6sVqr}agDWlB92#%c3<8>Ox6My6NFDG;gsHZT6G^)3c!
zlcN<%P=XPVwLT1={MiFa^@q910Mezs{xsI5BbZXL#sj%O2(INB#SCA8w7S}w+#*JK
z21_SPDTbI$fpF{5YM
z@_S;{uiEVnZ61t2#xFxL7YF?OPz+1Cyy6bQi|Nluj;O9fmp@b$T~`0pAP#GD}>Ag++_@WK5~~gw|8zYB{1VR)EwKad@x8&`ot(Ruf$&
zQkhsr2x?S*S_tDuXwb)vT|6?k+@C9l47l;GgD=!Ha=P7)+X
z(Ltn+c)`*|#bk5j3{2`~C8#nE(6kIbZvKo|C%e^8dfe^l!x9X^%%mveDjieKJ~%<6
z4yt=HO2W<>@^L8>_5iNE5*|(BhPA5Iuv&>FgqO%8M5z&0!V6-)l4=syX)96E)KXuL
zh89_dkrtD5W#j{j1$x_|Xi;F7KCfSUpdwNC;!wlkkc|Gz5qS&zSMvzg_B9_LjcOwc
zmvQoMFK<-?k#a}kx@T=HQ`}UNP9sdu*>Fs+i!tVC%1>w-&@^=Te>Qe-p!9Uc1ONQa
zA!2b%&wS>h|HFm`$>(EF4wNotI;D4f?tgkLI2}5#p@#cv`L^kny^@O_DK)Qp6sZ!)
zH21=Ynq&Z8NO%qG?JS53VjdVGWKX@EG4ZyS;-*vzSwikWMc+37Z?Ejv1S;%40J
z8wBF9PA|poQ|HHYH4p2?xs|(|Z;#AZ|CH5i`z5!&ZPOUNoX>t$?INp{Pv5^|)4Fc^
zRbzYh96|HJXvU%Lr`0^K-Lv);f9v76cgiiQ`OA=v#iElZ(x30Ee9fJ?<#n9z>;KIG
zdlW6HK-z61toWFEHi4h_ssL6Jv%M;5j7wuWR%s~j{g5Gdj(gyr^387}1@EphqTiPI
z^LGEb!`nY`5sdQxziW2g2is?i?+UXQmVi7z#UK3E`ghGv+x^IBLLSJNFHU`no1bZ!
zXa78P?)#$m*JLT-hxJ!
zKK_rCArkj@yv4oMp8WL%i&aT(u{?dubrnT5>NC0$w#wwU
zZxgS-`^KC-tvQF+b?k9iJbBcaTfMuj&tIIvdF
z)Icb=mv%5do_a8{xZfU!HmxYCLIPdyW17ys8n5Yfk7VXtPp#*iKxIk1~T>
z45_?$XKbnNP-E9+q?95{4;(Q6X<+a2-XzAP3O&T)
zoLa$_);Q~$TyIhm^Cf<2BY2YKm*9DG1q)rT2TUIkiUAe*v9>+GN_NTfnhm?+qgNl#
z34R9-mqG--9X;uLCBphcrb26Nr8y(*_uUv6JJ{QjUNd~6w%3j$7u%p@Xxxr?Cm3*w
z&TsO#Ug%o`40%-4a7gJSGG%zcj#T`aD0+pH)Bc&??K*aQ0
zpRDHps7*h1oR+3GpX>&w-OO>DKhC_A%7W#mgJXAHMM{{3kfs$=9yhqgh+{SuJ7=ho
z1jF(igb#|jAFkbadbi$8Asy?zJyB3?>O!z%bR|XGk?&J6ixo_`TPBGjWl+U35K*4>
zQW0HUtgDrz!BQ_p;`U?MZ~!;{-tQ&@-v{vp9q$(2{?C!Y|5m8q&S^-?i+>a7N>9+?
zrdZxP8^!+|k5b`mM6gIdWWJ9dGppjgjT*S@Af1aY8lj
z61Q=N5%29}A9R$R)~h9U{mY|T{M(L@wOYtFJ%Ow7YN3V`K`x_)+uz&Cw)7U`5r3aW
zKlEuolUl?r;8eMx2hj=A*J{mN^WT3#Q3&6ey{(DD9Pd+TAc+i-`;c)E%CI-CP6|2cOh9QJ}52Pr4`ey$qM>d_jFk!
z-I>ozySz2VnBOok-9m&HPucX@+EVtfAUpCdRT`509I&xHh>mC&&#{%AU9H_!E!LkH
zsyIf@Y(B3q8^j%HlsMjH)q3yh;1J}GNMS$t2(cP1Hp-Wvi`1$@q)-^aDmCaRPXsTL
zsUsLbIU|nD|B)5WXdCFrYPQI87%ksN;dL-{x=w~Kgh-Avy|c`9Dkzj?%`^*mnFce{1e7&d
zh8JqDS)k7RE+>{;^Enz$5s)!fMw&Oo7+FZjlt(gBGK?YKOe3)Mrgk9pm}<<%2!%ct
zsh#rWMYg1^6%K11nE>8qn<2cdtrTGOTvpIoVO%wY%XG5X#qErtLT<1y)nsTSYwd)_
zP^h_5&ae_yY>Jk105PfN+-~1r^*{Yb503Ocw+U#xV5ioe)e*f9tO5Wu5&454LG~I|
z(IxYUq$5UQYSHKHKc;QT#RMaJlS%geknXI5M0aMD&bX*?W{rkfmvz`89v@q*)fEy1
z{3t=A!xr;-*dmQCisu&UyII=o88sTu5Dav)_4?dkp!tyucC&z!D8s7#@FY>nS>&*s
z0DDoZ38#m16|LD#c2;&6JJz;|Dt7W(G_t%BRbfk2KnuS#q5tFks1&=6>SVy~3`91h
ze4t4K1S(Ry9J7B-T8DT}bWAxdXm
zjBuDaCdi9E*!$uew{z21ZjruI@(P&yh1Kg~qOt)xRGY_Fa@JCObe3HbTk0laYBihx
zk||SfQMxiT{*9}|c{?e3`?dVANPz_hRiww1v8V1MmmRi9H*Qo^S}d1}HVieW*4raw
zV`#`aB%m%JLRt@jW65iP?D)SucQXz@)Q1c&eD)k?!v6yH>eVoC13Y%s;pF{k`|I{A
zl*cxCr-u2z*MIt~s%9=vXzO#0DIHLbN!?nXbjq_}TZ;P5*jl%>zk8$hE%dp`!2f9A
zq;6i#?XmhbQXT!*H>%>?dRju4paxFLvq$K64xexBZcgUKl%W4mc!H#n1L
z#tTEl2nGIgn(C$BVFYxEV>NFYP91$nTR9`VtW|VrY_INrmXzawOldpzH~T);FvpF1
zYVeTXX#!36>iNn
z^42`oTZ!=1&IG>w{sK(>sC?x)r;Ok1y6@|>GPWNFO8xvbR=&kf%2ttVn>KaiRH;+8
zmiyXetmgWpR-q;`Qq<588w~2UK_zxMuDoNbV+-la!G7Fjyw9|L8bFxqXh-KqhjlA;
zkFOt}s+_Vmc@@}t7F|IwmphZ%QrJQc$?Bo}B|^#QP#yQ8vY?d+iU$-tRue0XQF6*)
zu*Izjj;#e-NWhcvZkFWYkP7b>2*vokC?t_vwj(z;eaF4giMZ?^clcCQ5S(?p@hNse
z=Q7(k;M<*_?Qi~eZ#vtkG={}aW+oeSJJtNuRU7t)=!j{U1+*tX{DD<2WjFBmVbcZK
zZ<=+gF`t!6O~4xeX+q1Z#T6II9)I{!1+>4z@6#x1_Gcd=|!MO
zz7K?hO+DTm&)XE9OI0z7z+r?Bj4gmouXq7SK45<`rMqPQddjVR!FOw)Ds{`6Lu=ym
zdu^Z}?EvvEIl#j8bIFH3eADj!re+Z=Bfgp6DLJy{rGcPo_lK`5OTL%f0^5jh=Xc-y
zQSvhW@1(WdtK&j@hwptKm}H|$f2dwaI#dbH5kY0r#g9Pp+?M%nuZm5F5`12b>?^D?&Q(?dwCpmf#|+7jAOvqNIy)ss&6Bx?qNtlb(znC#
zs|}e$j7bo+vjTl7-$ajkEb6CX)(EL7j}E^c7oA9;{Tu-s272T3XBtVf&t^|G4$cE5
z!*7>OrX%p}(nzeBcfI^6@^W}}xz;abcy?EJf+EkDOkw7G
zl*%IPuQ;_aXh3{vZXr2|X?>)##lPwox70&cI8X$xWfPG$m9!WmlX-|WM$-^SrnkRR
zRWn=!mbT~aGAVZ&qC?#oV~%pBbexGQ-ej=hD4~8H7ZFxy3yHsO#vq;g=c>l6M~Ax;
z@2aX@#?w>sk5D`l(ys#Eb9@{P?vcqOSSeYP-n{-NtbCuvmZapiC%X8(wsCK!{pRoW
z;%FTFTMuH+b&tlQ;r{O!r)q#x#zodCRueNe?rE&I*0Z*A;k|(@-CHH8A7d^MJO||=
z9}Ax8v;zli_MPf!afhY0f1#X6(`Vja1PGWh#`s`3MVnqSTt_*{4hRm9yGfT_*&NDo
z9#tO>e~OLNTD2@KAU;OllGzoU+)^TCU>bHymCL487ooo1*yBcLfACvdT&7~F6~G%~
z53__uO(908ZxH@$!HvACs=}yC%qs!6{US`7(7qA`2`0ZTP~EECp;J^0r8dHnR;*)@
z)Ono(ouUM*)e=j#t7(#)6^TJM;JT=Y@UkHE`?ojZmHGzxZ|zl>uby-h`TZ9!1Yv~R
zVAg#h@wOoB`=2l4725jW?{U+rF`r{HOq8#GycUEKUj`!9rL^$=Il({Z4}zc2|D>m9
zwqkrt<>yE7JgH(FIho$8b{*5d_O3Sk#Or(Q&57)lPgLt6E+bPC?IoLiumP5BG5Le>
zu;LHUU&j?khQhr14+`!De75)zb(fWq+0F^5(yIAV`9xwWFGvR}6VH#<&eP+|#vWEP
zN}n$eLiWn*0)aYtFH&88-da0Cn*+IcCgNuY8#8lN_T3Y-_QIgH&Bcrng2BX`(oSik
zTDIFpA1`cc4=Ua~Mu+1km1YMTGjsfnw6ze|zPaeD!pCQoc1RnBws+w8y*m}v>Wv9W>s!#
z$1R?s*epF9l(X+$TT({V#QS>eP31wYlZ$LkhnD8LAC6tOsm`3#yO&+Hxed3--v)5G
z`ySem(yPbcJGh^>F&&P}b3GirVN-P0tC2pc+J`l2G2f_jY;dpH0p8a(-F9~U>@*-9
zb~e4L$pTKvH58n9a-yJq_2DOn3jnF=^J!pCdQoUS
zcK33uADvFkbMAPh234K~uAnx}7rNw)`PfXLJU;B2B537_OeN%8S3jiZd8+z~09zQZ
zvSGNWqMC3NzC<7ScoNJOZJ`GkRGYCRYCa!hEE~NYalo`NVUXYg%ZC)}fdLj1<($o6
zHYcp+A27=8!P=I!>?@?IOF{=O%aNj^x@d}sIPt%<1)iuWni7$X6Qbm9`L+IX_R>;a
zIME#0lqjW3aqaK27@gKS6d05d$!skw1i5w~2#l`FZUqpDpFjFYHOK;M4(5-KQ%z3!2%{0O6#)?h_{>+u!#@+|gVjwebUqBGd*Yze!T
zOJdQa559(h!)?g+=}WpEuj^c2H#)IZf=(KTLV_~riDXLFdh7Jsm5C04npWqrtR|Su
zT?DU1k*d*&3QBlQz2B^leaxY6z$+AWc)Q-7CWITn<#mgz{LW*cy6E9Akk8ZWJ5j_q
z8l-94G0*if!!4$$hNz(pCD*r+omO&{gpCOZ9eNXH-Cz?<6#)>_a@}NH%h8MmmW8gC
zXfR`H6lUfCPteDvF};~4%rAS$3D@6YbTau5`Ob2gkj+*qx!)|3V`O{>N{`1=A{%^$
z2Hu}#)R6RgRFGb%tyboma}6bKIibFwpp$CXRU&Lkeo3aHmNLKe&&Z@Z(UjbV7v9qi
z@RDOEgTUq~Bz~qwo_>)u@2~w*ApGK+Po(l>e8GgB?PRpfeN@v%w+q3IYHGDfP3iQ6
zx;Zvu8{O_Db{g0z0f?92-qH6sJO)X83p}mqM9L{#Z}=;ZXcc5x-oA9L1RvDo^llBj
z;sUbe(QplJR(IEj0p|lI4RV~ySk|J02sZX?YoNU3H7<7nFyaK-~3|1OhB)fvn>kxb6a
zcG6{;mz`W8?3WUYqI5`M;yY6-GlgwHpLrw6JlNF7%k9^EoT7B@RC
zKQ!^dl12cQ6sUFLnFwUR5Dl2~$s?K=V(s9owjxl3O-X;Al}nb+jtpu-wVTe=h=giG
zM5y;%xC{OEpKL(zENjLcGSgyp0jq46MFYXKXcU2RL@ChcF@a!sVf}~iHcB7>Vr4c?
znW=>7(E(Ufrg2slo9Tv|&{nu7lRI15**0zCnR0m=uU(f%E{vgn7G3qcVSnY1N3p-v
zkSQbnp0L06*MsPS4HX{7T&`IqS3dvVML=^>7h8f>DBvO9QCA_4SHwE%X%tc@iqT6s
z1V^b7h!To{(n2oId~8{vK=>b8W&>0;kO>`9)QOH?P7p5A@dZrg|F?#!(X!@Ixfrj^
zi}-;Bw2u5~_Jd0we{YZn-NU3Vinvm5ynXDPfKs1wy=7_2;mxbw&ET@`u@zUAZ~muI
zaaNHMEy%kGv4d1}(f((HwCG9gOG;;?UVr;om&>vGiW4
zhAhY>rTmJ>=jJYl5u*qfF$CfgI+VInm6!KOdf#$~t%^J%JPC=F<_Y}HZR4DHn&Wb;
zyiA2YpYG+P0Z*1F+fKnx64+$z!ac{nDMip|X^>-i{y;J@ddUH-WebQ!8V;o0{8xOC
z3#xf&0J#;{T`|AxS|e=Nfuxo&>tCkXIvV1|Bd?$grXjb7eQOya;5TV3C^EUEM<-Fh
zh6gcp6|kdvyc-zOyRCbue@DWWs**@qS)^w9y@G%fUg<@wkuZ2j0Rq@uU)nKw-lAQ~
zX6&civYJiX8n!PB1;B&nPo9kTdOQ?h1+AF^=t`H%WCS1>-)4@|<1rbo-?S1R=W>+;
z?aPLeG)vH`Z%fZyT$wG6v&Qzh*~3K)h;rLWkg=C1242lzBF$S5Aw91fI5}ezuV#Ha
zNoDNS$zx81{U_>PAynyr)F^WQlu`bie4)Pn1Q@0_q78?NuEcN$zi@P<8{
ze;xY{sBiD-Y{>fSWhesS@`dS{tWee^D;m@d(1S8T21K2&D<19Q^Z}~!OsBG%)Vc%8
z5PTRN1ysjAaYT6Mc=zXzkZLns$K_3?S4HX%QP;bP0Lzu0`l~(Z#Q`D5&tyI}UJy9x!68d?
z-dh!PAA#ZOpm@E|&94~vO*Su#
zSa!b0RVbG+P!A)tvr~UM9#?hb7mB$zlWFN=^CHXvY9OY@V6G+Vulk$M5Iee;W4HA3e1)_gt(Deb
z)cO(loDU*4q)%Lb;L42Hd`NpkR;=8+7&&pkdEkTYz79*Ls#pe<%MdD{uOtRgX;#s%%G
z_*1PXmtnCbS=NpDGBwrwU)yp)V~2e7mr-eKXLCUd>npe~D|bu>w5+GIvc=0gx}*zQ
zI=_MPlgV|eo4TMQ`re4NtnAFTYgwPmQuN%y|w?cAX&4-kthGoKxi@{FQuW}eP9{`;8g0xIYJ_M
z4A3C3sVCv^d`TxJQynx-y_;AIXFGc!jle-pEguT^p&tw&L)|%sQ0-_70@gaFMZ((V
zhCz;PCx$C1Og(taHPLrDQgR5Qi8s0=;q=k_i&MmT1YAh*3Sa
z%!{`qOZqYy{JdAGZb<+ppv|~wUd-DgfTnL6ek#S0UlBov`mdWgNMjH+6RpJH!Ky+F
zn9eH#|8DA!0FTcnv#^z#m$gq-PI?zs52(J=29LO5oU>5|G_VsumwPNo7J$6hC`*t=
zpC`fZzWzfDE1}#s>k~o74zx>6DUn?f`N^y}Tk^-q<9Pd0m!bnco=s(z%5vPLN%Ne3
zZ{J})=$-^HXq;O2X$86OpDd!7Uv7NWoU-XBj|#L
zp2nf)Q{>7v4KOmf^0}Yj4(JCo-VQ76j&7p0~fB|_J
z4rr`5H&X0
z{pK~bUms9{&Y>r^{}=%l-0O!u_PllfvuER50(Z*);b_8@=QmL83p4(BKE6WKJ;X=4
z-YZ-cjilT?TQt_l0kV}9y~zUSTEKiFz1R;0*!ZmF3z&pb`Y0nmdVXiYl3%)}C--}4
zXZ#0p;=3N_=#&PGQHc(5>2R}w+XnIMZL;>UqM&;y5P&ZdW&KwG;@lnfkB2-Uv9)SV
z`NwBBfTQEvFc#Nw;**6Ru&A+_G>ab-k}5KP!+ixKR^iy(xy%lif%+frst#e?A-l6u
z2*Zx~Nw;Or3jRlVy6*Jsb0;buk><{~)aW$pjQX!Df6Zsdoc0|?-d|{*Y4RiauhAtD
z*rF4A?x@OTwSp1foxmRT*mDc-abg_@vRzH}{WPtj?4+xIg;RR&j>0Cbl6eVFThHUw
zIU5zSO-Vz3FJ&i+~=l`CQkDF$tx$}Yerov3^_#5y*d
zb6i}xmKBjg5S-ks4RavUo4*`MjH#q>p^8@^HF2?hv
z&b|rmBkEYfMQ^i^BKd1#FYg@sjjhl_D;l@To@x40!xE^cC0K5&$aaQLsO88;QY@6n
zb2mM^%oY*=*|FvKWe8_{jHD3dQ$7p(O++d*o649+@_Zb$^}zlSY?|Zaru39VeYlP4
zTrVvV^Y%?u>P!RTx;PLRbq~yNfkR;(bR!YqGmk7p>adSZBP8sUgh`JqocE|hi
zh3}`$OStGrBK6k;%*P99K8zi^$qm|O_>L9Ql|=X@*9fawvD~^j`O+O)gwBF?QW?_z;SoRsMWmsQw{K!BSwT#V0AhU6VA`Y{bJ$eo2c|ga{lK
z3uw|v+-p?azKop%JlKcp`&~CybYoQae5i1dTx^%|oKQyG3VYeJ{U*X$g^m9^9$uvze;Pf0XO^7`j
zwadd8osz1?g;JOHg6g`R;K$R%9Hhmdt*HJ5aJ3N02)GEpeQtTbSA?}b5}}lpTs7={CW1*k=xx-R?n1FC=2^aF>f2WV
zPeT&*pm%2{)XiOOJQ|+E=w5wdNdI5=sK@)|XNz-HX-a
zA_4-)hE-Q40i#l}g}F(G*8e82VAXYR^KeV_D9+O5cGfc~I19>m(XjOxm9q3WDFYD4
zv*Gj4B*TmJ9C9gEkg$I#9;Z#SO?zdP9AAn0BVU93XQ#hb+S?ArbLc!Z%1
z-D&W^qL?w@T%Fhbwz6{J<$Jmc2X7==A(XJz(>X{dhG^D`#?L>ii@`9p(%%rw;$t1AC1`U
z{H;I2;w^zgdG3{SG(!D>-+BCS&-3umngHe=+Ni#`a!M9+HaZ7X{VRE6NXJ9&rP3}$
zbtihg=Zzq4oqNyQ-befjwBWgh*EG*C(9RD+biD>q6(@Q~A{H+BFX}n0LRW)X>kf
zX_{tM;*++8(y7aBnWA+w_uA}>>P6>58+Y{3hh2J{b!wubCJ5OS-QO>on^x3FeD1-Z
z8#m0(pM#&6Z7?M3K5~7_OBX47t|f2y<6cJMo@QT*#`3Bay2zW)xA=qd-Ia)7AN3bNHDFD!|2g@2d#0>nNGiY
zHB3(8*0kDk+;0k(TEXAFtHyDuC8FIqn%&f)wn^TVEH26AR0KDw;rd&1;?an>w*QH<
zzwt><)j{mbpI3k2BKBeTfAoUVxu(mXk5^`J6)k&qL^6XDX9+{Z)%6`#o>zFMFgQrq
zW#l)IwmBO{{rE@A8<(|H{5cymLsJzHw|^nsb~72>_GJ+nu85Wu-SEbQw@G@u{r~p@
zi`vjk%a{N≶M9Zv|5`G?V+t`dH%WEMXqpk;_3Hk#c)5bow}^>GHdOg=@5pYx=49b13Ly
zrJynzDRebu8rnRSaDCBo@|9g53n?-Toj%;)7@=UY|Noy}Ma{<^CTZW`I9PGat{6t2
zaDw4J3oUfqrNwG{*q4kXjQO#)d%E?I`6unq0@g?R`EPa45Y|xpiRX?D^@^QqfPjrp
z`1!tA9;wNGs_VH%HtUBo8*1_;v~g)avtfdTTKYQ+w|_T@R1|@!z4MWbhw@XQ#{r8n
zFBZwGL~*S&Epds65DN=S9LDmC%OD``N?Ja3mq@-KYHmwkg<5GJXlu`C1U~hF;}GUt
zEV_svDDRB0pxY;h0iVB6!+t9MoPjoUN2{tnNvmp71!_;3|F6OefCDX3EgVYSHa&Y~
zU}M_~aPglu-?Am;VW9ar%IVbGkq@`{Tq5wAt!;iU^4x0?c1udN{X&%ux4V&|KJ4W8
z^-G%6%-Mk6r|NGgPt?6Gz6|&!zRxhaV4(F`GZ8rK4j__!PX?Q7^;*CQ1mh5%DvR6C
z?e!IxGMT8~xw^^9NiPO6=pQ@SRODn~Fsq8jD|VmScW#=CFmzog>dWa9ISWyD>bX6*
zxnZ#2TwN0;af`pj^X|5h-UR+^#wtJ!B@tKiK!pf5VjK5!fZLt
zzX!?qwZ#;g@k9fI%Zc#zkaZg@VAO57d!5O3Ue&0UhOx8iALeb!OI
zRvYFgz{G^aMMxIXA9Q8%Ks(ns{Ng8LwsDMRXV9_!HbeTZg#-D*^A&&kWc>8s7s|rI
z=ynSoO>Z_is~m>%blt}gX#It_>e2=$ntV|mjceXzzfgYM^uWLH4|qn@T1Vx$y+(mB
zr_oTl_0pJ8ZR}4L)pN;gX0*r7gHMr7oprWF%6?*dA?da-61JtJNHWwP^#36TIN#Kl
zHX65H`VqI9GB?_ee-?H!Yb?FpyYadu!+UaImNKBnpF_sZf6ay)B7}^R1hodXNP?eK
z4UhCNG=>^Ra(w)t-DekO(;#W^pCZ0-I00f84I3?O?7O
zB%x)J$UIIl{lRxlFHDbkes}4Xh27aeZ@lufb-e26$_f|NxU&YtVUJG#2x>BxrM_VU
z1LCx!(BL?8gDF{Vq$J)xNc>yL)$=)7I*g|%)(&0-;j8CsUSvGa_^S6DVMpH
zb8v0T>G{!ohHICj*>1fftNM+zZtws0KCZLv(IK>C_QT1EH@fD(8$2iPv~!>Y4cV!P
zSZxtr!>L43HPE+4<>ftO;-5eywKK$aj&E__@NZF$Ub2O545&GURXRcHZf+@4Q*sxY
zWp376swn?@b?YH5czxG41HZOjt)n5ymnfWVn}~l0v!W9f09Qb$zl@4>j!2BD$PIWy
zG%tHq1co&qIS~ddbB3;u@9Dn~xdsYnr5s8^`W*i3m@VDEnOB&F?o#)Rs5v1eUah$w>#9
z(>0sd(bH1S1!0KMO_Fm9-(30B*tAvEi!I8bj@kN6Z10~`=5`eh*Oh@TSgc~GARo=W
z<9@k$y19A1xpq3jbDRG4LD38!4XW&4?>FThiiaoIiVSTRo?|YzPPb-muv!>myEIOW
zt#-bt4&U((ZdDWewL`sy(~|m2`BN@QF+Q{|G9ZCrd6ta$KC*E*TQ_G)_3NXw*H*CY
zbEL^@$wN>XGaLNe4bu&0*GJMUg5zS=CN)LQyqHShcMq=mcw_4h9+%ozHC=V~`$%?N
z`DWW#&TppMgR}4%!g!nK9J8-_y1Mk=F&oUrC@E68`W@5@I(HpHbiw(p1ld9~Keub^
z`qq-^lE(GMES@?`16xSt_yAA?b$A0;omip
zd;&xiYAZP+=TTDO@|)ZHN*1!_{_wQ@i@zy5-UG{`HCbB7dqN5AgmRL@R~5
z-KAmZe7J3gow^U;9@e_R+QBj&j{H=={FCM3!&hwmwI9#NDh>OjBmRdo%0A!wRKaXY
zbuUwpVCIg-{dzkrjjQ8pNL>HpYAi|XN#kSQd4ykQvE)e`+)FFE<}jMLyY|V|AnYCx
zC+xXrSnN5`U5RSpm2-UeeXHm-H>h}SKrB6FW-egyq$71QyHCe-$COfBK3#rRZEW#G
zF)vL$H8*V?-iF|5Y9#BVeO=G32P;?ztcA|&_azD#1Kjlo=2HHOV$EqYO?6Jy&P_Zjir
zSdU~Vo!0G#WNhdh*fC9kX!bmpEigT3bCmsT^V+Og{llt8`p6Fh+R_24Vk8CUe^Wjh7e|u`=lR
zCR5v7KdxbaP+|1~gU5n3ZBhfJ43hx3ubK?1htyj%2W@aOypyz5c}TfBm`#{%2?&l1
zZZmYR##n&F%-Qfx&sY;4a$xlRz#dZN+7h5ijee`#r1GmqH4-ylG$FAT_I;^i1HQ~2
zJG;n>lwSl@tAq%N=HRD}vJUEBW6Iqp&!ox26MMF1RE<$|1g>ZF_515YMLmDRzD*nN
z^mG!YT)lBFM(;6*iW;P+uLea~R6%W
zla;~AQz^3wrCk}9YR#oOvEY(#dm7uNdN(2T(O<;NYTQeo>VEBFU=lPQknB(Lf)A85
zj;zF-jU#8q%^)|r7$FVpjF|~4a_ap{o%zuB1wymd&9i%nd>ZTlZZkpUvFK;uOEifT
zzuP{nXj0I)Z{e)f;F_(RtMhn1Qk@oONX^N0X-j$rYFiUaYRta
zhs7&gd}`D`d3sP^M>uhaDRg@}EK~y{1`HC3a%H%v_W0Ux9aBW>c>X%ai@s1A3tk#H
zf~(H=G5PWSa4)F>bw7UVjfuuF}szWvDi%FGNcf``VoAsr{>^YC=
zxDx5wKj+;I5(2jpzB#BMK_GFD2#y^T5h{7Y-($R)ZI;v7w&rSu>o9~L!GWrT^))5l
zlG?|bHe39tvt_N<5pA~S`m*Djmbp`XHmUkNW;vzctXK7f9J@?!Pc>VG)3N=s?Q=Mf
z`c~_7?$^YrK7PLl`Ez!WhZQoR-FGaj@1u$u+TB@_R!QVIF0ilwc7WqhsU`Q1gY8ugrk?Ec!ur_1
zC~)NA{gs$vPweo2I@9@V*yDrpSTy4aZ2_{b%&~PfU-6^Hf=->RR7b!L!21o=yJhRV
zzZ05#JH}&i&O&r5ie8D_&ixzz`J#P?p{}1
zv=uW_4ySGUXe6rE=P~UX*oO-+>YRizT!B$s>7{{d;nRd1xNu%PWZBliJm&x@VN)aC
z*85lCh(&Tq+9_Oh4!*7PHHMd+oL_j6g2rJY5?7K6N={KKaV`C{WLPdq4B@eZY$?I>gMjY{35q9M-=AE$Vg^3hRH
zUMeKud~}B1xQjqX*!LjV5BR(PVD&&w{s=pFTmk4>$2S28!Zfj&Dk>nx?@_5yj8gKVe(t*m`yQbo(4Lo+}Y;YoXO9=FMKS
z0nDydZfjENPaM}L&X*Of!F2^TOg6KpZKe7m1^q7TV2Mmr~2jDhK
zfd*xVG?pwB{&ILLF$yoVCiXbdh(1i1LKGIXE1P`dK_34tYLx_2@~Jz74ckbx^Of2i
z+!A&)fSd(JNpgwA^Nsw>eM{|b)+(np-eo>Xg|ZbobaYAve`x~W5c)mrYYugE0HI%*m9=blCCU~)E^6utf-
zQ~WN?lTJSACGf&MgqvaGA_*QhVHajuOnc$2(P$TvAVrTl;|
zA&XK#2u10n^D}DhWGyLOi)(QQ0)iN=TrDSrs09SCdBX!xfEWS*LswM!Il(A5%E1zL
zsTcs|@OGDQAAevRlUCAX_BEokjiR+pC0gWBP}X>tS(D|uJcVsO>@H})%-?6{2K%x9
zG}xcSD#Xh6&Km1+VTMRpxu~3|wDKPk59**S`PPVqaG@R$~r{NHkq1k
z$1bA&KAK(b^vs9K{nj#kzp)0>gmqM@#H8AWYXaZ$u|Dsp3;+6TH}-H@SrZtd
zIwq(d-CG8LdM$!ax{kT=m}xX3jY@1xrJac_Hxe`B>6|ZauWE5ncHT`s$zihPCYh`b
zU`;lMWV>zbbf%FYAJDyBn1)W+U&IgJF4K34-*Juo(U|k5P}L{GfAOo&rv_YyYEDxv
zRCo7AKKB>Q41)P}EN_*Opn6+qTPJvQ)oQ%SHNL{(H~ACk@w*rN!;k$*-THe|w?Xu{
z4f{5-Ip%hosBr3WCN`(%qPCwCvnCtoM|RGgzICnjvU$tE2{?>!1jkXED03>_GH`<3
z2%XItMM4X0bev%Hf@{2aKdZLFu}`Lbk@%hCPt<!8g2Y
z%uUv_gM5^f-psHm_O!Qo_Facm{{naabgx)qV{7`ChODfRNJ@@<`zk42Fyt6p9ml_m
z@q(C&0|xE`K%A$5!fX6|U{BCvD#5awUGvKHk|Kg!zIVNA$miHZzhK=KpG$krCLWEg
z(Ryu!A|^R{y)Td65aydVh3?$Ed3_jIYdU9H!TH^^BT!;~=O;hDM5L#PV%Ry
zM7!<+V*UmU+PfM_$aH}KuS)ywniTN7);P;w?AiNhdXUN@r0qi`dq)_oib|RRx@we>
zY9IWbsL^|!xaELpywU;VnZC%=#|2ov1BlU7Pvy}JV#~~5ljKiw32Lm!u1R`5D3PwbbtY>YCj`YbI6+c0!*aYB)?e}JNA~3tc7rV-Fc)@Tj
z?qio}(T1c0MVB6Z286C@M9#td4;n;4i{`*X)Uz^G+?Y=VJpQNh#QBGD^%3bC05|T*-z6;5$
zDyG9~y}YTbPi@KK6}8N$#XbUVt-yCRnN>B#%ZGQ>sco^>e@j%A&NKt|UW5)>Jw7xn
zsyR#*xSZ>O`EiUN1qLi!0CWHIiBxPv5)~SB*ou9T5{DvvFnjoqmSn|z&*>7+*?PY7
zir@G}O8Pg}b-#z*pWw2)S}F9PkI2h8$e#_<(a!V3FvRQ4mKrFNq5CEJLey&7rtX>t
z>WTWzh}y0Jt`V*wE)vlB#ykD^UbQ?W9UC3pxsh;xJ&2KTuj%OG>49vB;Y0s}QEg9C
z<6(CA;jmCi%nzWzK#ev%XRffogMk<2VM{XJAMG;ZpvzISQ%Tsxpje1%5r!f77SEka
z!f`)AvVu+acG<)Ztj)pwSz&z1oxors<~^ih!*?jqpu;wge=F>-B;@?(an8-117F*^
zTCpveGSi&qdt4QAX9ef+8^1`&aHb~SmWKT;Q#ZBrFZ)H5XQO)uR%wEy^iHf1P3xDY
zZZ#Ox6SeETYv2!z=$t09zR=KFDU4L>iV(}nz9QtA&uX<|yAaiyX_`sQeOH8MGtQ89_P*V4iI40COTuNhUmWV=>hV*e!lSLGwvFDC=foz0f4hDdNmpynIX}0l-H@xH9`{LH>+lHL|y7OOC
zSQf$QKYPi)YlwV(OW9hMe)(j$^y8g`eouPZQOe5wsC}G@x>bRCqJBL@ZPy^=8sQq^
zBKcK1E6lv^W!RrgAO?5-vbza?1Z^Ho*eDW~Jf7sxXqPDnJ3H9=$43l_T}V`NkVsiO
zoQ>{sddijcRQ8W$?|4iZS)|H7jw*W4yX2h_BFYH1pNK-9q7svY9IEBLmE$N+s&^^s
zrA~&NM7cy>la&h1{b#f39bdVECfNn91!?~}*Pud!4%;o`=PqzoGH0UoZxw~wPWxP)
z*$Te%;5UAel8#Mvmu@2pe@l&9Rw~EH?!QK-kea~WzU<#>O8LT8%a!e<@M===n$no0
zzo~8V{yTwbqU|+Zb&RN6y{IQ@FP3ZIyGFRk(9LvK@$M3RDOgUy)a+%bW*j*&0mWps
zxxcQ&39*;8khm3Tge3Idmiqpdg_a{#U2#tGYgP><=6ZuG?JY}3+z#w}L~MAP7cC`C
zcNd~+s7RFXHnVu!W~<$On+qV0l*))-pS`9Hrbgt|P)u@cmq!N%2@kDp2GWFm3sh*(
zVJr6KwlnTav2Dej4)J0&sh%CBigUDniJ875cI2%hmLA`VfwBow>@G|ao`jXqLXz4k
zZ79Ph@sunXk>fG(Tp~@ZPXwvhXeyd<)RevLN)n1f>hBb0Eel3b$h6Lnf>dlcgJztw
zWvA=cXYZwxdRd;JT^{y4QLh`Zg(};pE
z7NY7(<1~ItGT*X$m**$|D0Tmzc)~MY@|w52kMss`13~g*!#o0Tz-bvU;|5s<_Sotx7DszbhT=&xZUo6fLqXJ+cg2e=u
zsf8faBgtpBV)riR8k&TiAVVGmS6fmT#~Ix6NE^L)ln;q@oY;Xq%q5%7BE_10NRS~%
zjTSwIP1Y6Kk~vIsiUWZ3obi3<1i$hNlni5P;w`4Gx5>!4l|vIG2hU}#j*9pJcSo0o
zEaQK0+*A|eJVTkNk_l4b_3}8zL`6`X>QuxWvM)=Ra1l@TZkRF?q^%b%4ta0PbLyQk
zSz%qioIF5blOMe213%(9Pni8+K42K_jQ&7|0X=dgfn^1v@V-J2#(8>J=Jo8-1BTj%<)yMte7GpKFa=0|2XQT1eDNQf@-I2n
zsrzUPFW$6Ti|FycB=q^0j4lMfFZHekeFi1>k3`uJ}#L>
z>3qMs1W-=FyNXTf9aKo(Pj*%!NZJPHOTAqVdk4lk$8|qpHBBPZ2ExOV?WYl|WgiDQ
zN-=J_n8A{Y>(c>88xMZ5T&NMiKbNH2CphS(G
z1CP%wKI}`_cP%k-t~Z;gn1&ckMpM*9J=8{nO&ZN_#?{%ASirlzq|y7V&+IRa1r*Zl
zao!LXt{CU$)unS@;MM*}kCE*g=!Wb_mE0f4?5qCQj~>u~VUL|&+Vvf1c*gTcs%Zsp
zujENg-=xf*1?CqwE5zb{88r=?FT6_g<^f+xJ^tyT-3tN*K4ks1cN*E{od@<0t$^8~
zJVW+S&-DNXqOrciLjDexphf9=c)pS}PD#V^|1_>#S~Bk>^l9BWU8xugc(<3uv~g;4
zsfj+Cs_!uIcM#W>pme?1JhYgkZyl98$V&CQNIJjX=cLD})JRlJB7@pbJ$o-mkfBD4
zo_cTXP`iAy5=l8EsVMO1+i9wYHfL
zB*;L=RT0Q`_()%zVhdQGz-D`)YUACE&6x!#g{q${JNyE76Vx?3aRHl4-Ola0hz
zmH?_e;}NCLH$Hgq#*@z(^tKJ}T&>Hp)qlt^t9L&KNu^sB8zOn!wehcE2(vJTWthUs
zj6P!oJv`gJm~VYV8S{+~-gwTC-_&DX9K69KxoQ}D9j-sbMkNM=2ujyVMC!ye;$>(n
zI)AF~lWXpu$tda2=;%(3=#Gu(&W%jBntBi;dLScV`k8pjw4d~#M)bfXK6nN&%I`C4
z1Cw#a*f0=iNX*TuF%EHr1s$p{OW^Yh)W2@D1eQN&X3haMOvV{w!$6=RF;O_cA&#)1
zLygM@o_&QZzj4OcFc4@+OcWM$toP6Qm69HfPIwECaD-bp!!umrCETB@HtC}8;FW3T
z<50El3uv<&)BTh^0V)0u)l?!Q@H<5s*ZE{%Lp>@w^rM2M!KpY((R9a0%4z;5?UUM3U6k&IDehve?Z2PpD02I>nq2JkfT}6X@>_+FX$PQh%t85YKgtt=jE~*{`i(|J^b(6x_xWOrvA5hrHtc5QHZ<7x%QhwIXjjg
z4I>c0y#`g8>@{UZ!ahR6UQWXLK%!DFQPC&dR=a|3G&Vuql+lYeU=hoFAZH~7tq*ft
zsY(L5)Ajx|go5O)*Ns60?|c=blV3*tY~Zn$Jc#9YVx#`g4F(_p%+lhwobZuYz(xAX
zpQggN0K9wAXdlD>Y|UkcVcrc-K~sAISqNs)0|fsZf|w+xt;}{;at_wMNd)|2Lpk
z`eQP0WcZ&D`1OCW%vU~}KV`|#{h5({DJU!8)cvWUAJe98RzLOEANtWieaHP5KAjVOb|c;b7(a|Z
z0iYN#zs&^V@U@^G(@nb90QRqWi%;Zp4L4y12J4o~uoGDenEx)gO+Y`b(bB`&ou?Bt
zwjHJk=Bz56_h=wkHltRbRV&vEGe?-BZOQze+FXXx&aSLOL&Rl$_~_cpK6%>vv}da9
z^|584MN|OdyeVh(^o&XY=F|NIcJ6L!JGcJ);VA8g&~s;%J4x~gVRBdTwSVZ{lDmVC
z$C2y&zArnHAFxe_$a}cRkb3S7nrfCS{x^87sRio~hVB6;&yD&v1Br8oh7HC}ZWD{g
zS`GhT3;AfNvr*S7-UME0dN>y+H!Wet2d7y-q}~{AW{%d>nU?1E
zuRogDJ9U=jGj`ief+Nq~_8&a-iMC!LY0veF7s6;%yYDpVbgzJLB(&P|#hd-&y+f0Qw@Op;e5V@~$ozDK*B-J@d&u>QCAUAq
zgc9~gaeqW_Y)AKoA(te&`P^)n&NLe8M^i0jkr^#g7bah9&kH9$VGj#RrXXfwF4VJ2
z8II0P_kvb+b>h4hwvC!*|%we}5N0OG-`9r$^n6#Xn7wBh$?)qeQ>7`xXH^4%EDtel
z&xvq0h-k6O(L9B%dPSMs6IUDG6PfEnqJAQ~ZS+$gZXxbuz60#pFg0?tK1{N!GJly{
zf!(~0kf6taL6#3wU{1?{FQ<+y^c13BOsSetg!MX^F^Q))OL^q#-8FcH!+CGYT=sP2
z#bMx>0CRg!3q7hiWsp04d}!wyd(ZY|&|>=tqq*aUcjeY35g2EQ9aJb>d9B2#j{Pf}_*T^vFWWOuT=s;frYkUHkLE@1mwn@s(6NqO?x(Q4Hf^vZ*5+%J
zqJC=CRehRTR`Nw>ttCynClH%LTaut1-|2|Nv5H5!wULLY85#RU;A?zKU@^3GjN5s=
zOF%7U3+##$$~)J;kvXL*NT_BN#?JI5xQp#hXlZ(WZ288%WuMy7xsxq>6dBv2f9?;H
zUGZ#DRrINObkEPv3_Uo?r~95>L}s)29yOvKA#)`4h?
zyDmqER|V*Zhj<9~-NlYe)o$VDa_mtd?s_mezkI&;q62}f>@WS@lHFh(!Z%pe6Lu
z1Oz|Cmwqh_M$KRZJ|_@BEvYMgL4j+Ow|d$aDJtWLioZ88iwfc?_*)-jyn+en^hiGX
zK_<%wfKqZXsWYU{AWZP6Ot6Iu(CLvj%p$G=i03Xo6f|tv>7|eQyfrU$3id2S%SQr&
zXhFX0`WV5O5b|s5M@oTx(e1&{MyOcOD(ip@=fTwy)A=YQcAnsMEPZ9!T~rp`9-Pp-
zy~Qfa&m^K}UjR1ji9tiYOilu3q3>CebW|7A=A(h_-B$3N5+w1DWQn-&RAy#Ke1dCI
zGB6!t2iyQ*;M5_iIWudCf_cA@(nU?QJN~Mig=e^>^&hg#rHAac2{ku|FTd6aW@uMd
zXM62yMk6axU8?5qU9=;ZPb>IxYQin;^n03HW3U@{q6shXCFhwo8k)meBjY!b?}b?H
z_fCG>c=GN;=6J4H(TJ2w(tEzLxIG}jtJcuL@7cjb;=fnIe-F$4D~>R4IBV(nIRaDg
zBkyjQW2%?hD<_@U!oJx@fw@1AeslscE
zcTl`rQ$`jT20iDrEmXP1od^*qR=xRj6bP(Xm!{_`mmJy8naOEdkXiwR9xhA2CxU)O
za`b&&mMPS6G*6E>tHA8VhEfIy(b5WTBvLveImBE{B(cpNjnJ68y1q!>!d1T{&I7Ng
zC`@G5Qof{TN7{qlq5%%HgkG9};HSzrY6RoeQXy)PS^4!-g{k!-STjs-jmJ__3-{Qe
z>gcZG+&yNc3UNy;IsqK$HH5`-6?icLs%0JO>HX1;1Q!kP2KwBKBaC7h3COCVE|R!t0A7VqBN+B9&tH?CwUlyFAaW1Npit$I
zBma$cF@h-#OkY@SURtjfld0CT5j2=i==CVCA>Ecp>vJq5;whAiQcpGB6Yq6bn`%ZX
zwheD@UZ(-GLrgUtMD<`~8TW%xV_0ka3fuybCE>kso98)2Bqwg1AB-9!5!OhFWpLNg
zuk_R4BKo?Zn)
ze`V`U)j}itmo$4vpUKqFI|m0v8J_J=hO>|>>w)-`6k+@!N;i^T1@r<@zYq7R_nAIg
zv|3VdF7|Y)!nmqVfG8YhFX{yFs&UH!V(d`tD~IwFoRvVtm{+D>4RIptrr{Kx*L+k3
z=JR}{_NDjH2M0G#mcSloM1IU9+tA|94nnp_<*hy
z^J_b<4#+p-!1xc_Eiu-rMA_D$dcd=)jfhI*C@|JsK@>)zk`4{>=oP0GiQ9m=Cn{18)`)l3`q*@+17i?W_(
zzMkWZ=iYp_DWT-B&>Wh+n&+eVxdM+e6dvc0^XSg{`Cul)ZVSI{c|(gYS??DsN5OkF
zsLkbe@0kGwrQAF$SL6JE)|xa6A!{?`Bgk**k)aOCvP8e@WVU
z^hMSwF6F30nQlp_m15i}zvPJJl7>Km@v4=Q<13X(@hNBuZ73WRTM0s@k0K6fdbug8
z#GvGaeE*TQ{oX2ItQoFiE4t!xH@#p3y2Et4=uXh>Wf6q#I3@=DvZFH0O?95hrY0c3
z8`WV?9~d226mv!}r5U5pAzhfj3!U0fn6wg^UaCrJNFxySK`NE*@k~BIxG7^?Ec#Ca
zqOw>uh#TOcP#d>c(c-jO
z_?`g1YTO#ZpiFemntZ}n3zpWsP?v2vy*m+CFxUI{2S3$a;?r>gOnEM!UH@Ef@1(O=
z-3ey$fgT5Ix`4UfZ^JC&Dww)Cb_R&oXM}itmZT>yl3|kc8bE?F;eduW5=;kX*RF_N
zi`fj5;^kB%g0fe|l65*W-kC{WayChoX&zPUNGHancgQe_m*X{f&0Lul91goOD#1!c
zuv8K+ry}vGGVSfjgJQkKTU^4vjmNtK%;&zumfq2LvYWL2g76w_&$UZ;#h}nn#)O?I*QZ%22s)VH5n?i4!vTi43Rla*F4;Bd_F&;ikI%A`h}n
zE1eKaJINr!%c(%L0wck6#@MwgVwWNE~HF`MO
z3N@^|VoWFntEF>#*aHMqvHi6);kBU0g>d@US~0*L*g6<2W0CT3*}2I74!Akq
z_gfu?s2m8c96VMpq&U2Fk5Z>*IY$nF2oAV60a)*Ff&k3k*Msiz=+&&|(l6xzw(Sr{
zcK(taV5c7%2Ay5SH2c!|)KgRKM_H+eV#SmoxcQ1oXrlLc_WI%eR1rx7ghq=qxrZn4
z!p6;wQ}#Sj^cfgOWW>b)JDs1P)g}<%V(EeRywq
zM$6y24|j810Q3jk3*(^jM=w;5%9Z}VAOLFK{iQ}->(KkC|AG2z0>G*7uB`p}d(WpY
zPrZyz&fNup4`VZ${r!C(gY*Oc`OyElTk4-uHk-TTo!F){Z=(GMxZ#oO7xB6lx)SKx
zh?bfN!4A;7(R&+>et=|7_Xsa^l%}UzRumcXzNfZII%-x2C7baQqK_cLjCl&q9U_|9
zV3uB6BBc%+kzox+AkKT5es<(RU8h60hKlN9x{49g4fUxO3b8iY5`Z!Z?$Hpp4sl(|
zw-Vr~F+)(GK!JquL>~6YpwHCTb>h_&Tf2fL;M1i_GY!cvZLBrVXl*qt^|g-xTH;lX
zJnyDhP&b+JW>FltmYnjuQI+RtIyq;CD`Ioul*xTI5Y9`)j;84ZqUJPnN}7
zfgg?^^ivs59NQow%tmH?m$ZnW74%EzC~gQ+{M4z?=_Wg+TYTeq;b7!wv5t0dJt~JT
z(z$bvKtYAg;!rt4Xs2;J@*&v_Xo?+^I>ZcBEjQ&t#1s`8!zBz)+3;e5O1Vy1Te=pI
z%7)Zy=)eZx1RRH>&<}5tJqVwL=fP7Azr=%|fmhk$c4hHxfv!{~UwP^qF-sx~O%%Dv
zu{Eq4C$rAF(^h-;eTgv`Cvsu;9o_ww;Z3>9J#mATCX=$gxlWi)R5G
zlez8mX}uR!r_fdMe>6AzUgcZ_`n5Yj?0$m2?^oJOjhCW4H%IrRthVTFhiNO0pX$5q
z(mwjUEVaDXyC`2JV~*f`Wdcs5NG2+JN^8IjHn47UX+z|$BX22fBp`&jf#V+F$?UT-
z5khPX`L3i@5cMPL4_1!RSnxF=+$pekCX!(Fh6|xPXX~U?ZM#sw|3zn7MuJuaW@Z*-
zmd5bu6v;~)iXvlrT6qod2(3@13eG}73RcM`dM=Z?EB}VuvK)*X*4MhLkj-*bW=C5j
z1ZC+|$egp3S?;XiYuQ>p7)dwp%XWyj@E92yEs)zlnTKFErMh9(`iQ^_
zIO?KB5D>>}KqXY+($VO(TTlB+#eK0h<;{x?g%gG`zJUs@gOV71Ru(POv@rc0@
zQVDux;^^FDOv5=5RvlS!lsiN8{ej_m!un079nvY=j?HKP-+gkC^YhL3T<2lAi{+G+
z%v+wat%~bQ7N56({eYx#{IwToj?^__IKFhgi!Oo6tmO?oL+{y*a$D59S(b914XQ3v
zXoLC$^CA-7qi3OtCU{hMKRS}f@FuU2Icycqb5~GkGrAW%dYxDv+f8G5mXtU|^@c(A
za`sEH9u#I%Y*Gl-5>91MAp7!YtQFu2HoZ}Qb80Y36vt})3+8b)`8%+OW2N^P<;FOq
z`sx)OgL?h$ik1wFNg(8u3;>Sr4cymYCGb_03bWX>ao;fK7XLBIJ@--3RhG}1-bW~F
z-MS+=PI7uCsc<8b46CPfCCsd!nwz)s^NC$9Yb45kJ0aoiwgG+DIeRzxBAfyA>+V>NK1cY2k9bx~NHJ
zG&d9K{39L-t=6En0%{rX;MH8T0zwpoB`!X-n1B*>)Vf-K(CiJ&LwQpQ+j@5A@#i~P
z9>c~Z{>brsH?&R)Hx}CHsFhmeAzHQ9%gMW<+}grjrIez`
z^`k}e0?OaMe3;JJPS0-1GaIynrytX1LTlOtVqi4Fcvv;65X5|pZPw#}YF@!v8uT-D
z6jAu=_lH>+gZ(I&$H=Jh9_P9-@~J7M27La@3~@a{+$L$K5ya6V>pA&$eP<%MFIU^%
z$QZc~^F@eG0N)ixT1%cVVek}h9BLt^!geU)f6j-awXOPp!Ug9Ea98of>BCP?3GXf(@6%Yg_OQ3%74cBdDCO1)vVgt$~<
zOG_r0NGOx3!^oCE2SV*dEs0W&
zRJB%-{zjbd^x0!lo+5KM11dvVOEC1z?g=LdM@PdZglc^FMpJNN
zbWUng`zb*JgJ*UQI+tP!$(8f^#|VwmvU9rDo^E>QDv1g-3ri=7Vehg@9U`8qOq%&?
z8>q36MX5%HNH`y6#8~MP-ktGs=bY9**?OGbD!i=Qp0i4Qj-vK2~7!w
zajp
z?eNM((?MJXh#Q9yp0BZWVn|Gst7y+EBGwfbMtzN9XzE$W%wBIm8bN)nBOMSKJ#_Yv
zH4(#Y)tV`~wXj7{d9h{T*D!m9%sYP)EPV?n<%nHSnjUb_Yd*mXZomv0ppGc3a6yD$edWlJ&OM%r_KI~)F2Tul;rQm@+V$x48v*ZJ4bSA1
zv+PsSmmx|Q^G0&N)chseM|Y}o>djafIzhVXnRpxYBu>+&S&A<*&Uj`KYXU+f$Cy99
zf`Fq1ZXey(BXqx!QA%l`ck&x+r!t*nHLqPo5Ny=jS0;Z%S7@T)s3fPdE|G@B4{L9+
zAE~}y!pjR=enI2m0F^8#?9{h@>dl>eIlzW6S~_^|Uhdy9u7`aNYz9oPKek??60oZ0
z9Ozv(-Z8=Ui@FOU&J=lNA`18md+O7HReQt5qU37a=_h)(amR_m7#|yslJJbKIqYsR
zAthQmp&YlQ<9Z4!33xM~*qSgsF_@=fDb`c5EX_vdnmynu>&Tf;Tk7?@^npytgrU(zdAjq
zvL6H?86r-5=&>O|Xi2c+l4ed?Ur!f<(8kMvjS1J*I~hM#zrYQMbxwC
zIPD#6cy!Wax(Lj7V9V7lpX)xy#lS9Nea`^S0Kjx0MwXdYa5_ouuL5_vHfFvA;74cb
zp}bAm3ks@@?3-*5J<1vCu;&}?rmq!(9-COB3g#y*0%hL{5yxd1R)6TBq4dncSyOXtVt%I`{$vvWx(d{Z}@MzZz*U!N(RA(XBoyY6Y`7M(q|K>>_
z;OhZKE(^Z(jL%z77k(~C#fja6cR-|N)~!Xe;a=tGN@jtRCzy-eS_n%yr(&fsYN;f$
zR?MyZYzc-~qkcs9#FgO^3CP;NqoB~1#e6mT-K`9l@%>Ma3w6Yu^Ctz
z%0T8Tklh8cTR?CJ2ZmJL6Tl43gb_(ON`>>tsTfAI;@wU#WP_OtCDE`F2juMI!y=7R
zKwRTwF>@lw+V>KEiCfGP>Aevj&Wu1_cgXb}7Md!0XE3~pj1nPlA|!m?L`ZnOiI5ob
zrGJz;1UmXJ0t!^)e|)5JQBLwOa+*EmLXNItzd~y~LT3V6Y
ziN3H@UnQ`K+#A+`OlJ>ea*zP}aUj#cTx;URu8GWLGxa~tRD*Rzf;uqsA
z={QE(mZ;F0Y>S>guL!k)m5xy2_QZeh+mN_5{4Zr(_(ucQ!}ioIg58R#Xd1$H1api+4kg}Z7IhJ>}I!ls1Q{txnOX97;U6<*`@?;MAP3(IyE7)(?KE_;W
zRy4zxzkZCa@>#U4j>!nH*M0RZ!@|1d;(@EiS&}TTBgGq^G2Dvx3;}OP4^95K_Uwg)
zA6!rUW+Q6ar^zahMG-Koo=gD+cAzdoE-L0Z-(v+rIBH$IeE)ILP%G=oGF?m&l)_FE
zB)-Af4j+e@$|+6~S_&-mNnyWR%w`x87H*q^
zu_@hr!^(Iy8FJw<^_f~5Ol7KtXn~%%iahO;45edt-{KJzRFYojKy$U{_$cojrzn12
z96XE+3ug(EaY-8Ft0yzooI6<*;2=d?sb(wZyoPS=32DVuFOwFg{DexsU32z4L9s%F
z1n1qacq>6F{wXH&sX21iOT-w(C+0wR+>{|9mzK2yA(>XFD(#_Xb2F@;9b$E>+=R1v
z-GWLPlxq>SS3L6UWt5g5Q`K#xMD+a`qLLlC4J-q!tHPGZ*@CI5F2z#HA4;IClfS&K
za-!Cv@&%a@5F@eie@8;d$dQ(Q>_x~`KsHN_G*d-Ml?3Yvy$AGWWLK)DQs~*Uq!QAY
z=n3`I=(Ncu
z*ZFZZGza}`Rwp&eeN4-=L(9*rOQgGwCRc}hq8V3hL=!Jt2i4i(7*eHduRSdyQc%EF
zVp=d}2uM$4I=~jVM1N{oP6PX)t#q!^E+c0sd{j7FJkVrKP1O$DpkZ$pxj7i*ty;)!
zx)67(7La9UP^4|T+)hdrT|;b*7KjHf&^v*!c}+l1L)nTWgy3n;V>G#e!^sdibDJUg
z>?W6vK{GQrDxty%#m6e`Ra@o+$?G?olyQ~hc9bRHftP(2bO=Y-xz5PCXi%-D&13kq
zg)5*9r|Q@&Eg-by-UBr536I7Av;la~JAjn;yaQzRSN;V+18YqbXJ-j7T3SANC%~fs
zCEL(eg^k^%04aJ8ko|KjMnHQt0hvJedq8Hd`!yg_D@s85TU#W0G*;D{fb-<
zLk=Z$L)pfe$j0eRLs-H(z_ke+VYQ;qt}&wV_r)%?cl`7(W<5*L<}>i!woxokk$k2+
z76dQkfp|v$e_udEA9OO7BIK}DQNg#Jq%7cXW!!*xG?v7uD`<#)=15q2wjAo{@DSM{l
z_cX)7FrAR&;kt%cNre1OaS?D+VOdZ{>n}NAX%4w(ANHsFK)DxP^w5vRW$Z1|5uD;~
z;qvHtx7|!{sr;trUEN}ZpbOA3^qj*9o!}twZ?SMHsA+7mgWe%>YUJ!LJzXuv66|_A
zr=lzAZRmBk3(X-nZ5S(5RsfCt_hj{Z$spL86>8EUawoW++q|y@0RICkU5qy_iT84>|&h5lKN-
zQQGp1C3rcJmy9D5Aq4M6Ot+0FA4gyNBocWE((_1#IYe5hj$mTu7x2#q78%ElZG_`CreF#Vg~gm9-#(
zCx?6rMJb}BJS+EeyK}+!@EVRdocA-j9t80Sh*J)6jv4BP3m7^IHWt>QeGY1f7D7HKHIyO3X79dvqzm|n(ttPYP7-liUm&Bx&#$`a7C@srw;yegS
zELxe|J>SELo(Z`!|C+~%^xP?dyK|>~IR8L^-q^|>xG%ywWGF#naCicVOrg@~3?_@sS*4&=
ziAY1PxVd}GXT3{~n1B2`|Eu@J-z!j|@M1IXjlFeT9y_ow{NV2HPI31_p=fb;FYZop
zx8knFwYa-`ad#+CoKoEFd!X$(=e_s-@y!o*v)Lp&$w($Md3N*LcJvdE4MH+{y5Mri
zp(Ol?rKqMwpO1c#CSTJWjE&OeUrEq1hQ#7iA^0(6OW{58@?o6oL`{t-m{-&~W4+vo
z4|=V0OzPtF=`ZkKTsIXrx=EQCf0Kd2OCPz^8~Jg&rOJ7jipJ+eR|Ma&0A+u$RMqMWanp&ji>A
z8wfQ801&MpL7fktQL(Hse41<#@>R(Vsj{TgAajI03gw-o$9ZNKS6S6z{lrqa&v>oL
za=q2dpR<}Ht{@`Aq*IAHKmO%G
zuLt~EKLdk%)AC^A-)(FjFTZvqmOMr2Pjmh5OEQdL18_NPXEwSmKA-BHR*VxB-18Iu
zpJtQx;9pv>{r;GFxsvcXBqSscqZkOQ%ufrtEe=e%b2u*gHjJORRoaIMA`_PJN<5Q}
z?M)2oj&U0<9Xfnt@Wq}!bv_TwO0kQ
z!dyU#ld}X$fccU8qM+xpCev|#X{OI;;Fv4n9~ui$(r&+dOb$aFJVKBE%0tEuH*H&I
zWhizhV_*wTPMP;jf#oy{o*SA%{z2*p_hXZ8a0d9(yqcKAuOZ8`cug0sj|9`^hZyA<
zPEkt+bMJ&d<1ohBij&CCgw({6(laF-@P>^B)ClXuUNxo^RXdEJ_G*coJ@tTM#?jDQ
zs4SL+%uXr4waH0*)}SCPv5B>Ih!Y*E-SXT~2@aJ4iP$M1_fI5zCVg6OG~T>h5NFv2
z0lsqOjcJOLBu@VE1;};!soR6(#^r@tQzTqtr70r5A54ou9OeawopsIO?8o3m$zFRa
zi%%AN%@IS|OwKMC6wNu-tl921~Q14(o`Emv`LvMeaQdMm;@c+%9fe4~OU3G1(a+xyC{c-2>)(f&<#&
zat4w5B3IsPpF6SA!g>0!b4(-hk25>SdNxi5sVwawQpb%m&2xCJbRCm=V&3zfL^B-9;^P
z7@6rb|B>%x`F7&K%__eO)J_M}IZUwi9%Hi=9MIn$BfN!vJ;{Cd?$>SFiTf?SQyJhJ
zjc&>0a$H*s7$VQF07aRKxBaCp5A$GXYe~_T^gzFc=sZ
zYJ3H*JljDOohbPyetOm)!70a6j3=HN@3(%cGLP2*-^6ob@UX)2S?lW9ALr5&Yd5nc
zz&punsL6v3Rq%yYow6#|-e2aLTl0`0p$;X?(v$2B?;VQ=O2W>5%=iJdK}g8ca%2Cv
zkq78@Oim)SI)LtK-tQD!1#JqxPp8uv>VS46)>tQ(!+0qN1d
zgEeNOFd&OKMfolZ9Y+%T6@4R`z|Mn&9m>=}U`D{pVZ%RcJ%+OBSSY1%cPgFZxB8Ai
z+;fJE5GBHDQH>>MXZyp0QWDy8^-ppNCX5GA&)MN<)*G2TXrtbnM7n1%jERh5rdjAZ
zUQD(jBJXJ7cVW;drIJsS4P`K}d1Em#=<&f8gzHTu?Xm)5wrbtn@I|9d3i9V7*ci#a
zv+O_hmG!N8X}}H0u|ZWCf@7QNkoEYEkvB_z5>9Bm20#TA2_F#7NuGz
zs}zR4xV4@FU;{GT-|J>YWnQ6V3-EbMfIetXOzR>=*>D|1OzYXEJ2l`t%o$kg?
z5p2XWl3MiIRJH-1E(&J(sYYyK>3GaV=`T>esA2KneyaC;z6#Jvndgm4dA~IGoS-@H!9exx#+&ReUGdYv;VzpUA+KsZLdSoO
zFW7&?f!lK7LEU3>m2Gm-fnZ{iHvsDE|j$nKNOR
zce5E4FBKHef*6y&yTu&e=RS0}Q{4f-8ihS8IeIlZvDx)ve0-OiXS7sCri?e+_GMRo
zofcn5#RuhwhZjp5HkS@^eoWM=ZGp>x$0gG+r_javI)r>ISpNH$I=R==I~9`D2rm<^
zeYs-uABfD9^*O3hPF0sUN>I^3rr?&t1=kl$;kdgkD`Zay0D{M(RNwLifW6UhZ7p-zUHJoR(AH=GK%~I^35(ZHr*E*ZnC;F893g6NNTkkk6jZ~W
z2AI@Q>^`@y!Z?|*dD45-Vt#HL#FRj#iKze8ui!oS=~xUPYat}-ZORxm%OwCUOB}1=
zJW$;a>X(Nuk&tQ(_$&ksq{5pIp~h;F-^XO)4Mm)qS3Vv6JoC$-wMBlx%FQ2Tp=aOT
z-P+;9xLMQc`-$uh6RWj_6kt53JatPlT1q!NrQ*ISj5%6o
zEle6gN)~DeI(uIr?4M{n!WzjBiyLR0a)o^Wy7Yz5$BFgeQD$DbX?3<@^-!(J97L9G
z2@0_*t~RT@@5mYBi=5O2HPMFOd9($mcQ$KAm`Qok!1rBufbL?32HYz@jO4zafQJby
z+~t9*Rt>eqzd3)-DjWbk!$0ZHAxPTgA)u{SSq%aJFp&dj@m}tfS^~nC1c^ejvN$h3
z*IMKT@fS!>WoO{wu%Lpg1(XP)7*OM*h%2GfCv$De>*;@l*dL*5B=lYZy_qi~@JAQm
zz41viH*7CVzz9aMv{Pi&UYE<44m9WJmi#CyE8Ze0V6&GXm30@(>4sNBhx1ALMwgNm
zgPA}`MBtp?fFq*)*TvL)`i4{KjkvErMHfj?rMt`&;~d9^s`&%Ws#M?r;lSsB7
zAe<+0YRHz%bppGRvEb*pL)d;+YbAPYd_DzxuM+|jq3zMn&9TX
z^E=d<*g9Bw-Z_}2t7_uL6o);`3CMj*Sx$J3l+;fAfoGb;5wWe9qh05A9|#t=ToN`d
zpWgg~;YeF!m#iX|?i*}wiX!uS#DzAl^{VnbOkd7JpMhpa12nbGWn_JHXklsRBXnE;
z`EyLy$wCMSfOS5cBHT1M7$^X_57dY2bd#VE@Tq-Rk1)APm^9`Cc{dXP5^`rSO_sr9
zd&(S&>{ZNYGj>m>d?qw~jI8WkXTLYd;#)AYc)q|n$Fz*mqSdLP4S_FW
z8(cm%K|alp@wXnwJ`~j-9cJyjV!rHvNK{Y#k5akaZTo&(n{x2(MN!p0&Yll-G^t1}
zrm{#X0`=Qp^`!E+efumW&p$U8|EIR^6frc~Q0)QZanCLDtKP!Bec0!%Os~1z!8@7_
zrWz?ZUus1JoFgI!QVaW13E01^mZ*_|x=y9Opb`?j2PSrEavR46Z(HtwPqz{%3P9ky
z3Ss@tC;wI1&;J7F_U(_0hB{2m7485k@JQkiR=eTjXR=}7VuxA|U1X9?dOC6Y)t>L!
zIO(}Y=y+FteW$WZl=`D^!ect7lQ3Uux^I?|QiT3S+r}ECZ-$J0bD#Ud8k`b^w4SFrkP0_v)YX0x(yTWyay-
zO>EI#V=)yZa7L8mZ#}U4r^Nr8@Udx1m}XaXnD(@8nbpmZ+me5FU3h+)_f#byMY