From 9b6c6c88092be00fba585d8caef0e683bc9f92c8 Mon Sep 17 00:00:00 2001 From: Tim Yates Date: Thu, 3 Apr 2025 17:21:04 +0100 Subject: [PATCH 1/5] author setup & policy simulator blog --- _data/authors.yml | 8 +- ...-automated-iam-policy-simulator-testing.md | 399 ++++++++++++++++++ tyates/assets/awsiam.png | Bin 0 -> 43459 bytes tyates/atom.xml | 5 + tyates/feed.xml | 5 + tyates/index.html | 6 + tyates/picture.png | Bin 0 -> 58629 bytes 7 files changed, 422 insertions(+), 1 deletion(-) create mode 100644 _posts/2025-04-03-automated-iam-policy-simulator-testing.md create mode 100644 tyates/assets/awsiam.png create mode 100644 tyates/atom.xml create mode 100644 tyates/feed.xml create mode 100644 tyates/index.html create mode 100644 tyates/picture.png diff --git a/_data/authors.yml b/_data/authors.yml index daee9e11b5..ed6769d39b 100644 --- a/_data/authors.yml +++ b/_data/authors.yml @@ -144,6 +144,7 @@ active-authors: - tgilbert - thands - tjohnson + - tyates - vcisse - wboothclibborn - wduncan @@ -1556,4 +1557,9 @@ authors: mwalkerrose: name: "Mike Walker-Rose" author-summary: "A Test Engineer in the Bristol office, passionate about all things test!" - picture: picture.jpg \ No newline at end of file + picture: picture.jpg + tyates: + name: "Tim Yates" + email: tyates@scottlogic.com + author-summary: "Reformed folk musician turned Senior Developer based at the Leed office, prefers backend and data but will frontend if you make him." + picture: picture.png diff --git a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md new file mode 100644 index 0000000000..1547528f87 --- /dev/null +++ b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md 
@@ -0,0 +1,399 @@ +--- +title: Automated permissions testing with AWS IAM Policy Simulator +date: 2025-04-03 00:00:00 Z +categories: + - Cloud +tags: + - AWS + - Testing +author: tyates +summary: A quick guide to implementing a test framework for IAM permissions using the AWS IAM Policy Simulator API and a tiny hack. +image: tyates/assets/awsiam.png +--- + +On Scott Logic's DWP Analytics DataOps team, we're sharing a monorepo with another Scott Logic team, and exposing data in S3 for various other teams throughout DWP Analytics in both our and other AWS accounts. There are a lot of moving parts, so we wanted a way to detect and highlight changes in our role and bucket policies (either deliberate or inadvertent) to ensure data access is allowed or denied correctly, and all permission sets are as least-privilege as possible. + +The AWS IAM policy simulator allows theoretical evaluation of policies to determine if an action will be allowed or denied. It can be useful for ad-hoc testing of a user or role's access to resources such as S3 buckets and objects, but the console UI is clunky (if not downright infuriating) and the API imposes limitations when testing more complex, real-world situations involving both principal and resource policies. With only a small amount of shenanigans, it's possible to leverage the simulator API for more useful testing. + +### Why + +In the majority of cases where I've used the policy simulator console UI, I've been troubleshooting a role's access (or denial of access) to S3 objects at specific paths, which requires evaluating the result using both the role's policies and the S3 bucket policy. Adding a set of context values, test actions and S3 object ARNs (Amazon Resource Names, specify a resource unambiguously across all of AWS) is fine for a one off, but it's not something you want to repeat often and isn't feasible for ongoing verification. 
+ +Policy simulator API methods are available via the AWS CLI and implementations such as the `boto3` Python package, but there are some limitations. The `simulate principal policy` method seems like it should do what we need by finding the policies of a user or role for us, but it doesn't work with resource policies unless you're testing a user entity as the principal, which I am not. + +There are other solutions around providing a friendly implementation for the policy simulator API, but I don't believe any provide the ability to test a role with a resource policy. + +### So... + +The other API simulation method is `simulate custom policy`, where we provide both principal and resource policies in the request. This, too, won't work with resource policies if using a role entity, but as it doesn't cause the simulator to go off and find the policies attached to a role, we can trick it by simply providing any old user ARN as the `CallerArn` in the request. + +As a little up-front disclaimer: this solution requires resource policies to identify applicable principals using conditions in statements (e.g. checking the role matches the `aws:PrincipalArn` context key) rather than declaring explicit roles in the `Principals` block itself. The reason for this is that our dummy user ARN needs to match the principal(s) that the permissions apply to, so if you're using something like `AWS: *` or `AWS: ` then that will match the dummy user, and the nitty-gritty bits in conditions will evaluate against our test role specified in `aws:PrincipalArn`. It might well be possible to adapt policies to specify the dummy user as a principal before including in the API request, but I haven't tried. + +I'll be using Python for this, but it should be applicable to the AWS CLI and other AWS API implementations such as the Java SDK. 
I'll keep the code as obvious as possible so it can (hopefully) be followed by readers with any programming background, rather than aiming for A-grade, production ready Python. + +To that end, we need to: + +- pull all inline (a policy directly tied to this role only) and managed (a policy entity that can be attached to multiple users or roles) policies for the role - these are the principal policies +- pull the bucket policy - this is the resource policy +- fudge the `CallerArn` in the request to a user entity to keep the simulator happy when using a role +- set the `aws:PrincipalArn` context key to the ARN of the role under test +- set any other context values to satisfy conditions for the action to be allowed, or to test denies trigger correctly when conditions are not met + +### Setup + +To start off, I've created a bucket and role with the following basic policies. + +`tims-fancy-bucket` + +~~~json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyInsecureTransport", + "Effect": "Deny", + "Principal": "*", + "Action": "*", + "Resource": [ + "arn:aws:s3:::tims-fancy-bucket/*", + "arn:aws:s3:::tims-fancy-bucket" + ], + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + } + }, + { + "Sid": "DenyTimDelete", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:DeleteObject", + "Resource": [ + "arn:aws:s3:::tims-fancy-bucket/*" + ], + "Condition": { + "ArnLike": { + "aws:PrincipalArn": "arn:aws:iam:::role/tims-test-role" + } + } + } + ] +} +~~~ + +`tims-test-role` - the policy can be either inline or managed: + +~~~json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "s3", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:DeleteObject" + ], + "Resource": [ + "arn:aws:s3:::tims-fancy-bucket/only-here/*" + ] + } + ] +} +~~~ + +From the above we can see that: + +* `tims-test-role` can only perform `GetObject` and `DeleteObject` for objects in `tims-fancy-bucket` in the pseudo-folder `only-here` +* but it will be 
denied `DeleteObject` by the bucket policy +* all other S3 actions would be implicitly denied, as no allows are granted +* the bucket policy will explicitly deny any actions where the `aws:SecureTransport` context value is `false`. A single deny overrules any number of allows, so in actual usage if we're not using https we won't be able to do anything + +### Running a test with the API + +Coding up a basic class to call the simulator with `boto3` could look something like this: + +~~~python +import boto3 +import json + +ACCOUNT_ID=112233445566 # your account id goes here +REGION="eu-west-2" +DUMMY_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/dummy" + +iam_client = boto3.client("iam", region_name=REGION) +s3_client = boto3.client("s3", region_name=REGION) + +class S3PolicyTest: + """Simulates action authorisation for the configured role and bucket""" + + def __init__(self, role_arn: str, bucket_name: str): + self.role_arn = role_arn + self.role_name = role_arn.split("/")[-1] + self.bucket_name = bucket_name + + def _get_role_policies(self) -> list[str]: + """Get all policies for a role in JSON format""" + policies = self._get_inline_role_policies() + self._get_managed_role_policies() + return [json.dumps(policy) for policy in policies] + + def _get_inline_role_policies(self) -> list[str]: + """Get all inline policies for a role in JSON format""" + policies = [] + + for inline in iam_client.list_role_policies(RoleName=self.role_name)["PolicyNames"]: + policy = iam_client.get_role_policy(RoleName=self.role_name, PolicyName=inline) + policies.append(policy["PolicyDocument"]) + + return policies + + def _get_managed_role_policies(self) -> list[str]: + """Get all managed policies for a role in JSON format""" + policies = [] + + for managed in iam_client.list_attached_role_policies(RoleName=self.role_name)[ + "AttachedPolicies" + ]: + policy_version = iam_client.get_policy( + PolicyArn=managed["PolicyArn"] + )["Policy"]["DefaultVersionId"] + + policy = 
iam_client.get_policy_version( + PolicyArn=managed["PolicyArn"], VersionId=policy_version + ) + + policies.append(policy["PolicyVersion"]["Document"]) + + return [json.dumps(policy) for policy in policies] + + def _get_bucket_policy(self) -> list[str]: + """Get JSON format S3 bucket policy""" + return s3_client.get_bucket_policy(Bucket=self.bucket_name)["Policy"] + + def simulate(self, actions: list[str], resource_arn: str): + """Calls the simulator API""" + response = iam_client.simulate_custom_policy( + PolicyInputList=self._get_role_policies(), + CallerArn=DUMMY_USER, + ActionNames=actions, + ResourceArns=[resource_arn], + ResourcePolicy=self._get_bucket_policy(), + ContextEntries=[ + { + "ContextKeyName": "aws:principalarn", + "ContextKeyValues": [self.role_arn], + "ContextKeyType": "string", + }, + { + "ContextKeyName": "aws:SecureTransport", + "ContextKeyValues": ["true"], + "ContextKeyType": "boolean", + } + ] + ) + + # just return the results for now + return response["EvaluationResults"] +~~~ + +We can run the test as follows: + +~~~python +role = f"arn:aws:iam::{ACCOUNT_ID}:role/tims-test-role" +bucket="tims-fancy-bucket" + +results = S3PolicyTest(role, bucket).simulate( + actions=["s3:GetObject", "s3:PutObject", "s3:DeleteObject"], + resource_arn=f"arn:aws:s3:::{bucket}/only-here/some-obj" +) + +print(results) +~~~ + + +Slightly truncating the output for clarity, we get: + +~~~json +[ + { + "EvalActionName": "s3:GetObject", + "EvalResourceName": "arn:aws:s3:::tims-fancy-bucket/only-here/some-obj", + "EvalDecision": "allowed", + "MatchedStatements": [ + { + "SourcePolicyId": "PolicyInputList.1", + "SourcePolicyType": "IAM Policy", + "StartPosition": { "Line": 1, "Column": 41 }, + "EndPosition": { "Line": 1, "Column": 180 } + } + ] + }, + { + "EvalActionName": "s3:PutObject", + "EvalResourceName": "arn:aws:s3:::tims-fancy-bucket/only-here/some-obj", + "EvalDecision": "implicitDeny", + "MatchedStatements": [] + }, + { + "EvalActionName": "s3:DeleteObject", 
+ "EvalResourceName": "arn:aws:s3:::tims-fancy-bucket/only-here/some-obj", + "EvalDecision": "explicitDeny", + "MatchedStatements": [ + { + "SourcePolicyId": "ResourcePolicy", + "SourcePolicyType": "Resource Policy", + "StartPosition": { "Line": 1, "Column": 248 }, + "EndPosition": { "Line": 1, "Column": 448 } + }, + { + "SourcePolicyId": "PolicyInputList.1", + "SourcePolicyType": "IAM Policy", + "StartPosition": { "Line": 1, "Column": 41 }, + "EndPosition": { "Line": 1, "Column": 180 } + } + ] + } +] +~~~ + +We can see that `GetObject` is allowed, and the start and end characters of the statement in the role policy json string that awards the allow are indicated; as we've fetched the policy we can use this information to show the relevant sections to aid in debugging (as you get in the simulator console). `PutObject` is an implicit deny, so there are no matching statements to show here as neither allow or deny policy statements are in effect. `DeleteObject` is explicitly denied, and the matched statements indicate both the deny in the resource policy and the allow in the role policy. + +If we change the `aws:SecureTransport` context value to `false`, then the `DenyInsecureTransport` section of the bucket policy kicks in and `GetObject` is also now explicitly denied. + +~~~json +{ + "EvalActionName": "s3:GetObject", + "EvalResourceName": "arn:aws:s3:::tims-fancy-bucket/only-here/some-obj", + "EvalDecision": "explicitDeny", + "MatchedStatements": [ + { + "SourcePolicyId": "ResourcePolicy", + "SourcePolicyType": "Resource Policy" + } + ] +} +~~~ + +### Gettin' configgy wit' it + +We can build on this basic hard-coded functionality to create a suite of config-driven tests for a whole set of roles and resources. 
+ +We'll add a yaml config file defining the role, resource and key/value pairs of actions and expected results for two tests, including a template placeholder for the AWS account id + +~~~yaml +testValidPath: + role: arn:aws:iam::{ACCOUNT_ID}:role/tims-test-role # we'll replace {ACCOUNT_ID} with our actual value + resource: tims-fancy-bucket/only-here/some-obj + actions: + s3:GetObject: allow + s3:PutObject: deny # we're only interested in the action being denied, explicit or implicit doesn't matter + s3:DeleteObject: deny +testInvalidPath: + role: arn:aws:iam::{ACCOUNT_ID}:role/tims-test-role + resource: tims-fancy-bucket/not-allowed-here/some-obj + actions: + s3:GetObject: deny + s3:PutObject: allow # this will be implicitly denied, but we want to see the test fail + s3:DeleteObject: deny +~~~ + +and extend our class to check the simulator responses against our expected results, rather than just returning the API response as before + +~~~python +class S3PolicyTest: + # ... + # other methods unchanged + + def simulate(self, actions: dict[str, str], resource_arn: str): # actions is now a dictionary + """Calls the simulator API""" + response = iam_client.simulate_custom_policy( + PolicyInputList=self._get_role_policies(), + CallerArn=DUMMY_USER, + ActionNames=list(actions), # creates a list from the dict keys which are our action names to test + ResourceArns=[resource_arn], + ResourcePolicy=self._get_bucket_policy(), + ContextEntries=[ + { + "ContextKeyName": "aws:principalarn", + "ContextKeyValues": [self.role_arn], + "ContextKeyType": "string", + }, + { + "ContextKeyName": "aws:SecureTransport", + "ContextKeyValues": ["true"], + "ContextKeyType": "boolean", + } + ] + ) + + # check the simulated authorisation decisions against our expected config + self._evaluate_response(actions, response["EvaluationResults"]) + + def _evaluate_response(self, expected_results: dict[str, str], results: list[dict]): + """ iterate through simulator response and compare with expected 
reults """ + for result in results: + action = result["EvalActionName"] + decision = result["EvalDecision"] + + expected_allowed = expected_results[action] == "allow" + actual_allowed = decision == "allowed" + + if expected_allowed == actual_allowed: + print(f"{action} - {decision} ✅") + else: + print(f"{action} - expected {expected_results[action]} but was {decision} ❌") + + # we can use the `MatchedStatements` response elements here to indicate + # sections of the policies that have caused the unexpected result +~~~ + +We can then load the yaml file which will give us a Python dictionary containing our test definitions, and feed each set of parameters into the runner class + +~~~python +import yaml + +with open("config.yml") as file: + tests = yaml.safe_load(file) + +for name, params in tests.items(): + print(f"Running {name}") + + # swap in the actual account id in the templated config + role = params["role"].replace("{ACCOUNT_ID}", str(ACCOUNT_ID)) + bucket_name = params["resource"].split("/")[0] + + S3PolicyTest(role, bucket_name).simulate( + actions=params["actions"], + resource_arn=f'arn:aws:s3:::{params["resource"]}' + ) + +~~~ + +Running the above we get the following console output, which is as expected given our contrived failing `PutObject` test + +~~~ +Running testValidPath +s3:GetObject - allowed ✅ +s3:PutObject - implicitDeny ✅ +s3:DeleteObject - explicitDeny ✅ +Running testInvalidPath +s3:GetObject - implicitDeny ✅ +s3:PutObject - expected allow but was implicitDeny ❌ +s3:DeleteObject - explicitDeny ✅ +~~~ + + +### Taking it further + +We can extend this basic setup as much as necessary depending on the nature of the role and resource policies being tested. Likely upgrades include testing resource types other than S3, per-test context keys, argument parsing and extended templating to allow e.g. environment specific role names. 
These can then run be run locally or in pipelines as infrastructure smoke tests to alert when permissions change, or flag up potential access issues before and without executing anything tangible on AWS. + +It is likely that multiple tests will run on the same buckets and roles, so adding a caching layer to reduce the number of API calls to obtain role and bucket policies will significantly speed up a larger test suite. + +In many situations there will be required conditions for access such as requests originating from a specific source VPC (Amazon Virtual Private Cloud, a logically isolated virtual network) which may differ per environment; values for these can be determined via API calls at test runtime and patched into the context entries for specific tests via templating. + +In addition to testing with the actual policies of deployed entities to verify role access, using a principal policy granting full access (e.g. allowing `s3:*`) enables us to check denies in the bucket policy function correctly to prevent a role accessing prohibited objects should it be given carte blanche allow permissions. We use this extensively to ensure our bucket policies correctly limit access for roles controlled by other teams in the same AWS account. + +Similarly, testing with a role policy granting no permissions lets us verify cross-account access, where any allows will come from the bucket policy. + +Resources such as S3 objects and SNS (AWS Simple Notification Service) topics typically require access to encryption keys in order to read or write data; this obviously forms a crucial aspect of the ability to successfully perform an action in practice, but isn't taken into consideration by the simulator. To cover more bases, you could add additional tests to verify your roles can also perform any necessary key related actions. 
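Review bot: in the `tyates` entry of `_data/authors.yml`, the `author-summary` line "based at the Leed office" looks like a typo for "Leeds office"; suggest fixing it before merge. Restoring the trailing newline on the `mwalkerrose` entry in the same hunk is fine.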
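Review bot: `_get_role_policies` double-encodes managed policies: `_get_managed_role_policies` already returns `[json.dumps(policy) for policy in policies]`, and `_get_role_policies` then applies `json.dumps` to the combined list again, so each managed policy reaches `simulate_custom_policy` as a JSON string literal instead of a policy document, while the inline branch returns raw dicts and is encoded once. Since the post says the role policy "can be either inline or managed", suggest returning `policies` unencoded from `_get_managed_role_policies` (and annotating both helpers `list[dict]`; `_get_bucket_policy` returns a `str`, not `list[str]`) so the single `json.dumps` in `_get_role_policies` does all the encoding. Three smaller points in the same hunk: `ACCOUNT_ID=112233445566` as an int drops the leading zeros that real account ids can have, so keep it a string; `_evaluate_response` only prints the ❌ lines, so the pipeline use described under "Taking it further" needs `simulate` to return pass/fail and the runner to exit non-zero when any test fails; and the bucket policy's `ArnLike` value `arn:aws:iam:::role/tims-test-role` has an empty account segment as it appears here, so it would not match a real role ARN and `DenyTimDelete` would not fire in the simulator.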
diff --git a/tyates/assets/awsiam.png b/tyates/assets/awsiam.png new file mode 100644 index 0000000000000000000000000000000000000000..ab894ca76d162e66277d3468391d167fc31fbbe3 GIT binary patch literal 43459
zhNb3X60NZ>lAZmfm>-M&U|hGPlZkBymazVq+4aF2e4WMvTnDJf#e4!e=ly*yB|npi zt7&bHfjq9fg=9NtUU+!Epl;Mx!tehZm?@lQXAt$%(~^0&Va zpX;UYkC#c|t8b9PJ%1$Lv1iSU1ohU`ZGr5TLF)K{iRt;upVY zFqo^;c7!+|NKQlg%x6AhqJ&o}nJ-Pf@2iX#UwrYr*{Y1L9^d`$cTGI4>r%!iHIe4w zF#7!GKX3AJWN$7)UsqoZXDWsY0&AY^OeX|5?2isahBtHVsN$GgrSIt8@yDci-=D(u z{8^DSmI^b2Hx>MrccPuHd+S&2VG*ANyXeK{2Z`+;i#Ginx$3QY<)!E>DKC>izh(zR zQue26WH)%hga}f>ip}<;+b+3JaLhh`f-pIywHSEfTk2ZPQko*9t%;2w!@ z#7a7C1L9Ag5bprAy$AnP3SYQH@}Ic~#P^@XA9>MarKV215{rUrCt;i4TSb;ROI#B- zwbOQ9plZT&OK~~k3WG4$z3_AUdlq^5<(G{qQ=hG5Oe~!DV$W5^TW`JfoY5Vzx$#Af ztm&Nm=S+-;8c*Z97X;^&GZ#J`9UaE=Q}c8ryHNhE{@nH;tzOGH>u2BmFzemEuqS2z%L08v-<)m3E$W4Vs^7jPre!1M#Xp0O9w%`lp9Zg3|&52kddu|Xtl`NvmmbiHq4r+ zr77fz@mn=pW(FnRvm2kCQf?bYnJ1<6z<-qdKY;kYd5d@lA297^#`ch2P2#S@TXgxg z^0eUfLMBX|Qm{~m?X;WoVajx}z2z-$F%z@3iQK(#b2(CTljfDQ^xj-?!|B|)#&hv? zMVq~Q_nJp8U%ha@uQ$EvO>*UxSDNSUp1D}VUwHLgg8@GgOBcL_o6(l% zza_={|3LgxSo9fvV!V4hzTlWrM(2uj=7*ylrFMeL2|-$;DZu3A7biq={p%){o`=iP{5AZ>Z~TUtly5HhWe`| zu3s1b#qXoj?8MvpHgv8a1(00a%bCsziEJn5I=|)oh>+I)z|rYqf#LYzMUuGk55c9A zL2mZPYA--4AmLbXMoLfoImqV>I0hTXR(4&0JQ~a&4C+w8#$fcy{W7PE@ zZFxq{0Lz*@W?v$Xi&nu3H!8m=ln4ufz8uASu=J8Q4ejo3@&5sBeEDxn@-3f$Hi(x4 zWNNiMJKxH-pUZf5iLH309kO=NN@fo~{BXsb=?Kf!*_k;%^q~*QzJ2=)*=gslzl+-7 z?m1KDrcIkn8BXJ?jo*lCU1L(06jQQu^3;~2zi+L(PB6derkg5{&2L?QQ}YCUuDChk zcG_@lbVq!;)}@=~P#b5hUau*#b3Z^sbZWNLF%^W;-oKaP-5-Z*IZTxU7oZQ+&bWlm zDu*8z&hL*1kHs*iy@FP&F5#ZAsU4w;4^Q%GCV6fQ5k zOkgEkiC_ADN$&ckIrAz#S%N|~171{Q(2?2yMk7?5)GQeTL8ab(nmMd4wv5o#kRs@M{KHzX{gmu z%-<+5*|B4Xd49_+x5yv=@gIwus$g!`e7QW-l&RXCBh;E`4ZA#b>Xf|kjc+vhhqbtH zfvykw@|V9XI!8{mTNgJRul8JtPSa`~^(ElJ2Ol(19J%R*!)$O6)&+#qr%#(Bzbpc# z-(3q}m>(HxYl+To+k>u2^56NG6z;qgKe!A`mb>hmxgR!JYAl3$c0|a_FHK7<1Fdq) z`%L!QA!_G$)~BHJ`_OR@-C#&SN!X4b)xO5JOSt@ZrqZ@xk;v3!|nOpZsG9WrFUo|6Rf;P=lgN1es$j{Ds zLp+S{A$Ljadaq>u)ic

0*qp?FWv~z=CoS88KE8%#W**f$ey3i8hF%gNpZFC}q?) z|Fw5Z;qL!n@x#lOsRv|m9aSZR7CmvDy)$7tCkuDqRoj{4KK8MXnOnN!f{xv3aL>#| z=&P1MbuOCTtIa!rVpKB)m&KtW{w~1N+7ab zDsnGD3&XfVe8=l-cItScT2Sz@o_x4Y;XXoQ`z_FJu-yzynuuiXo%N;TXz19>XI{0B zKwL4CA6(&sG_iG;*s?1G!pOTL48WAUuMKx-b3*M84tHxizHOer#A_>x}H>{5pOX3?|Bbi^j z7v{fq+{ep+X+MyZrU!vr?^(#E@&zA5l)4Y08N@`*%^0P2dU#QQ88Q9ApMrch!!&xz z%Hd=+0@mRx_|2Ht34;MNHzhr2?N0Th&&*8<^bhwQYG#~yo3 zrl;-8oFgiSzKiqW4}aL*s_Z&27l~*j_jm40nR-w2aU`JEjSQ}wTNmk->6~daoqnAB zwKBTC>lZ<$9dOc6C*+Osx9kA_4v;zdu<)`3fd4>2#(TNU1 zn?uiCHN&Bku6O6>;M7jsoa0*wWy8;#?%kT=tRshEVP#?s#zd#If~Kn`UPMnxu@ zuRe+OZbLovBq$~50kW5`lXomQBpM|hk98;1aTTCA82ng@RFRFg!ZI3D#1Z(GBP^^kS~bb5FQ*^ zQg8WhBGWMEYUTmSns&ER*5^AQItY#bz#A_jsyWB|FBJdSLz4geMVQ+1w0WjKjI}~| zj@WeEN<;0qn(L%DZ{94rBZKSg9f`P3eXd4wc{w6kO|o-xzxTcGHKNT|wyTetF*P_- zrn#8o%MqcgTX>$Hi|&ZFv$Ip&{5luk#aZh|{Y!7@pnbUMXjCIGL^mq=+hE2zxfgHQ z=ya4kl!RQzq`i)wHzK%vReLHFCAlXUTQeStmIPD|BQH8?BNOD%PFsm8zVU4!J2g=v zj>;Dhxyoz)fY6aDF?mPs(x(Wh7s$oLH61^?^?s113DAl(IGHpLd&im`dv{wR#+$JT zK|HH1Spqf$)(*7|ju=(^5IZE7dUM8lHw46~IYD;FK^oUc{_iivJh#iBF@u^dtKM{RTpD+DMC!%@SJRZ~ z$VJ;(ry*#tzh@_%Jvtd@W@hAp2Ocmt=Oad!(qZJbK+^iVd^Cn!%m>U7p56=B4 z;&-)E3_2L&2%tmHnGy_9AnWM?k{H1|_X!Lu##3OlJKEzf&dowj<}#Mnn?<&kXO zd7-p`4nubrcK~n?&=rA`dcm#IywehJ;t)gBAdRaFEwo3DGH9*h4=t%4kyoia7~h>r zG!?U6x9I78`pe8`TNC;p`8536Kzq^ZN(Vx9-}=!1=%>SxyVv4)bWdz`NkAh$!e=@I z8uJrJ%I98(c86IQK3K5&<7v}>3-6eLw#=HdRzh=o==thZq5tRi#b-$4rmKc0f$UnD zOqkkbT%jnmb?s@^ty`x{)BGIpd;?V%?v|kN zc`#%qB0uw)&)BWT_Ita%gD_nFlR3U9$EFn@Ol(T%+89rqL)ZPqYXQ0)I12!D^0buD zE(oDvxh80aZm`c$$H~!674p6S84YNb+w#PU;BNZPT=uM=USeQS6p$0XU)e34otuo-caKNT>6V(0y6d5d+vR2s6O`{ zG`h3QyU;W`(IR0o5rU50KBz@WC9<;@fjFb3+DhC0YrnztNn3IR{OR(@TeQjf-!m;z8j zv$DVkq?bfIb-pUzwWBa+bzL@FS#@3_T$tcpYOjRKLI=Cp4sugMJn!F$a|%u)2H+}K zzzj>;&U%fm;&nW$|Morj0en+v>&#Qhrul@>tZ5YXhbJxITb{iNjgR?>k9)^K^hZY! 
z2YyYfD0R-T_n{89^;*X31a68)@Kb`_Oqw{Z2)KK`{(3rN8;Eb?b_8c}s>t{8qH4U$ z^)|TBb|LTaUcZByYjv*CIe^KOIa;qw-(kQfn0p=Lee9;Asolvhz4TJ6%4sjw>!7cd zP#%B$al0j8^!9sNy(7*8d2fne4sOLXI@k0J1(`>4IGO{~4($Bni9JLFJ#FrL;;%4m z{RJA`=?G6e@}wRmfn&#``7#bMQMj3RVtYAMR$kvwM-=|m%|8zPJAQ5oTv;9>GGPjo zI0_TXtFPp3M!-uTssyzo1qsN2MiUNohuWTpJvNyQ5t_+-7iOKB97_`TNa)rJ!Nk`# z2MsVz6>w1U+d4+=D8`iLU1;izpn!6%|**Fea(Dw0B!lRVZ#PXG8B*umA4sjJ{jHtd$=+k1YHAd zz2xUJ(^Tz|TG$30=FxuQa>)uZUWw zv@C+g*p$xrn&P~y%FwB&qGiDW zK}~m|ucfdQ9Q^E};m0*dAL9}Yp1&b!(=VOon{Q@}o!|i8SdsI?H?4J=onLq2ev@_l~aaGik0`cJlNlMBPRXS22554>65E z=LleH3rR{#@$M|68QBJ=vHZwd&H>Xfhw(Gg73){g3bn0IM$k1%i7=^79)VPBuB96U zP8OpQ3vIW!^g|hu52BHG0PU!TO00LG1~2SLULB2E&2OB{klw>`SteEhZvkfZjrWG$ z2mT;ZWk9F4PVAV|c(BBU_OVQuuDJ=!B+T_EU~mw*?6S+ktXZ)$G#r3A0Jt{frpzKx zj7J+)rsx#CGPj<8KHmqyI+b=d@Z+@X+_^KXU%%dNh;C0?1TvXAhjQrgv{zq!^-=i; zYRYHgz%UYHYBEPJk3W31p#R5rhpODVnd4>707_Twx>zh{Tsd?(@5&u?f9rl3znOAqm8-M1v^POw-hpEb}V8g6}%h;N*2%# z5EylUT5>KR!?nO@&?`U*AVuZWWOlT?2|C!eMq{29%xNUiGiPZCjGe(?ZXu8r9kWnA zTH3-(QXciJBMZFF{^$RhQySYC{5dto>)NWNU0$E!)Ojg{NE!505Qx2dL*GBVgMH|3 z#tG!cfxo}!{OiANro)h?Jrs(V*i)mQ=co5TX7)MDnRxz(tgHDwnk%MB1LrtJLs4jt z#)Nst9d}qu9prSO?^@Tc&G{-J#qYhy9tV=mn>UAz8#mf50g1|(h|ox<19fBF9)H(e zciAn`EuhpSC zTTrWMM8r5sFiuEI4FO=aKmxg3KKr!|)kb06zwsV3>j^xn8~)xXjzTV)GBqJupK58z zHI#!EsInvkO;~cnKmyIK4bAAl792D%;iV8wf$>8x&65J1m>CT* z8Z0m1e&m3n>cP#JHg2id`D?k4w<+~lRcg2KAZ4=mK<|Ur9c01kXa6?z|LlwGLh#jr zzh}N0`kwhb$}5_yR%=my<6phni92!n6WyT=kjAUF_ukv%J7Dw;^!O)^uoJJzg|?gQ zhBIM02x%WSEe)pN8j@3?GCbW_yfP=sl<8x2qSry#S2J<&^S1cW`EpO1VD1~ws-3#$ z*A8~Bv3h>Le(PJ`YEcfJem@@vIAF43;Bso870qjX53rNKKBgI%^FtD3lOfRRLYVQF zZs=KlIb%|2LKYGPYnd-XZ4b^GGT*UMN^SpRbn@NINKeneB_d4Q`M<`ZB?1Tu_ZX-A z4th4WC9K)@ghlJeJG3$6`1ljcukB>+UiaPbhVBAq!o;NxoQhM3;8{Cz2!#c&($x0&BI-HK#BpVBq3x6bIO-o? 
zzm?E_*&i@H0p4iByLm1upUjsD^q?ztd^j>;ygWyH&M`&7_MX#u`kQl39q3FrrS@1Q z6aA9_&*;{q^HWx`@WE4|_xpbwDUp*B^f}Kbn!FRKPeR)@lHp944h}xf}ywE-G3|Qj)Gl&Dz1MHG;GYw8cp=)#K|H&tD1X+fFbO8|s;-J<~#DxiA zDw0sgCAfU%l?FC(ypDM2Gv(|M6QXxMj|p=jFR_q{p55k05`|I7JGteRjH$KB3q@u~ z4ic0Kb~GphFfoBJZ>t#WLr8#8TKQVEF*GO#D9uUeWr?oEOo`B*Y!=XZ(*0T&&LsOc zCrv|MqDm0yDlfmtoGGm#iZ;QGib#`73)U#cLd+8L)V5)=?S_7>UXscYI+oEmYuf4i zAiPizz5K<6&m!gd>(LY9dieZ{UY>h>O0)Dh zPm_-W9I)?d;Bso7>C-o@j$Xb(-@_kaA2T!!CK}sXh$ejP)&&1RnF~`na3HrUD}E`` zkW7-UtWf76bK$gfYcFfO-p+%J|pJ$oq`#`vL!*an0+p?}La(csWv+7J*Lf3s&qnRizw)0 z{`PA>9@;MduK>Xo<`u4oKV)iS{7?BQOVk-p5`Y*_bUxHyEL^{nAM_kWBkzayF06GQ zz**&Y6I~j^sXxfcr}Y>VxTfJ?a4Zw1=BCN{M8N@|ScRUy%5s5zyr#@znawzNdK}cf zOb2TB9&Nnu={)}KyYIFrU*b$h1=oh1j~2;~=W}h?`Q!KVaWDsx^c);H^{&+8Pa4wU zeQ0%`pjV9PKpU@`mXrj@gg4CDi|{|fMy*TMgwm=vM=FwMpnyoBf6GG=JIszq9J0IC z_2Zb9kKBb^6$b|8D4+Q%v>!})TJTt@Bp^K~g5|er`yMqo(!$6CAqva#!gB#ZVjU!v z2JkB_I5TOULc)PiL+k6`{R*Eq<^n6L$@!CHLo$q`oRL;1bWx_U~ z(Lc*r?SAf{k!mauI^68T+Y#Gp?KO^(t_6em2aQIdX?Kj@uKzr|e+Jfak2oE@T`kyx zK_p2)J8-$sZlv8o;Vo}@i{*9Atx>q^rs7<~IbKty%4wuQamO2+P6s_N$LZ8W__=fE zT6AL?MLI3dKmUB#wr!iGbFFau_U+->XZcnN>2&TqTfKU9Shj4LqUwCHi~MsG2Ta@? 
z6+49@^r9G`CDo+%@*KtL@pGo+e&i zc9y{BlvQY5(tMfRYeJN}WGl~E8Pkh~1jIEKTozp=qG~TbpUN9Jlx8kr39>UFrHe>` znc7SCrD-u~32m!Z9g;XDq@VRkLp$vSVbu(U*fi3h-B!2$DD*$`Pw@s@E7TW%CXuh{ zDM+ZSx-4|u^o`KD?%_~**>A-u9s4%25(%czDrRFjdtgE~R;AL6zQo6RR4bi8Yy>oT z(}r1>6*>AJ{aB>X0Q_k4UMrFBv`DbK_A!zP(}lfjY61`Cb%E~X6^{;xZXz5mt(QIC zrpzL3I(JZWI^X{Gw_B3o=yYIo?arNDd=8%9_j>%=*9sLls!p%h)8*p;2VBk!#7w!f zXxh=1E)wR|XYN6W&g5+aR3y+`{!dc7?BzB$c|Ks*>P%o8a@DD-ZTl8L)e{*P%X3+lOhN69XZBk=fCI|TU)cC$oI*e}fU7k2%(S;%=bX^{9oDw&WlT=volKLk zaXHc{P2?-*%%f9vm1UQN&ewk|%(!z`==hZ{h01wvW;pL~sP0$~kG6>fctW`;zm67Z z6t&t3s6lRNVQ-$MO8W)9D~u1pCG`o;DvN2kd*Avdoas z)5mWUnh^mT?nAgejYHp3i?hZ}Vhi1IM05OvQEh9ZdobOvG|4)0-n=HYr&|S(c0r~& zVgN>M2j)!+67qs`j&f@0?1&qzvLcI_>y$!^hOZ3VD{_r42wY5p41=B%Ophs`-9%<(lb z)ha^LzH4mCTHCk9#-uc+S_~3qHu;}ts5Cu)dxdpk45;V?L>~Cq6?~8xmv(E)iA_zQ zU2SV`3LS6$yD)RzlcD4Kj{~~2^T2bVdTO%c^O_+_K*4R2GwsO^JdYaMd6%t&M|TY=-$p|(m$Qb($_v^g9K=l|1yWs z`QP{tCdV~irI!OyNbDpvk@^wav3?2vc^8M$>}4X8fWVcOm4tu)#&09gC4^%;jAEJo z7TwQ_)llExeXGJ&B0 zSRa0Q{>spH$$LZREsuxJo4(8Z!B;T0w-IfTEtG8c^7wr8+mgXRSncJHiSK<+-4)49 z+I>rcbYi50wVN=1^rIgQyB4Mk=y$y19hOt(IB6|fOnJCJPjlb^)(C>{Fi`&nEOy|> zf#QW1UI@=TgL#`E+J*zift)9H=52E=%*P~$qti9ed(xb{FMQz(Mu5jVHBNVNr5W98 zEZ5U{zLWi!q|DT0LwvXhM+BX4qyHD*WsVpF!5YW1hd+s8Oak0wDIjxrZ>X%f-pp;j zY?f&#iTkxJe+RW7lZ3npI4(7<08hs1rU%l)kzh~SSrT@Yb8oVFadBPBl*~X@`2oZk zIH}lpo9-!pgnwNrl;;CRqCv}sY5mCAXD1p3CfrJ<;o5=cWeXxgPA_R;dWx;CA!>qojX$VTE&YYbzWNMvD7xun7$WTIC@4ME*^cDN%zAw#7 zo`@s;DUEjJR`|pxa7ZIKxY|X-k87Bp{NyL?j?>nVtf`lc;B)J(w_5r2Z@i&4r^(H& zK9Rg3S-qX^jDb!{X>=0FK*nIe<3Ms42<(QO{NX830UpL}wz*!L7Wd2c~0#Jdy;uF2K(buG2~HRs~f;?UlRH??ssrA(*Ra-zkmo_mFBT-C4d;Dc|v4;X)meE00~sv zxL@r6jwf1}Ss;rBs4=(FY{nPWwgh^mg_u*cU5*x#?gOZ2&bC{1XBfbe>PV zEp8z+R6FL(kxaZ7GohL$U`NkI1a6}M^%hUWQ4&@` zV?#Ym)Mg%9Y4Iy#951;{m~re$bhA>*-c5i5^U;`AU^(prlv$JfG_SgWO+8=wmYBcc zx4is1G}^yK3j{nARJWl7N9LWCSX{b>TYgAhmL~YAU!kPw2Y_9*7qFx5%Bh!Hyr~Xm zA11ns`F~x{M3bVlMJBG+cK#GC@N#ZKoKGb<1#n|~q1qwF0HsaMJ};J~wxAWp4;JB! 
zd9t?mVZc*bpR^N-h$#nt{n)WtAk};!F|_bIuZG0*_iRV==p*uu@F=awg{xE0_6pW)dy2TD^7w zSKvm%O}ngagBBHC9G|p1L;R$+h#%3B1?@~L%+PtL(Z=2%-W7Vkc3tSc>&(#e?cWRi zc#2xlXmD|QLIgK6i3%_b{8UyyJ3pKo+OPgIcA3~~&n4C|iSNu1&9^AgZ6~yhO?9ig z3ws^XS{LHOWuJ_A31=73pZe6NjD(Ru#kD|z!SVc!RCclbDqF$LgyNm*9#0;|Z+U=< z+itsU;9`Wc2OdD44H2AH-|tUJ)P|vgryc6v$ru;Eqp93-_2>z;J&*C!<;{oyP=o~K zWCatf)Gu)3e`)!Z1_p68m-u4JVMKzte=BrLzm_*4gXUGn&iqetwoT2Bd+S16C)P4) zRfO`=my@3Y7$>tfQ+K`XI%lKU{!Kr$w91*X0YDL;N^{Y`H0=Nfh>|w9^^o}5-}OTD ztW-t=D9YUX15Y*RSYGi4=s3)}olN|#@0^gv6H>+f%%8I@mkf9YWgq%NjTJw2Pztom zDx1P;E?#-jd8{G10&S0-4Icdvjw~01?!Wrw(D%bXVTv8Qm8%Yo{iWv-kK(^^FjQXt zo1uK_MNCc5M0o(x%C}l{)*2y_O1m))cP?NI7IVE8%C-=-hSnf7QsDyDf#r)|{G#3P z_@QVOFiJx?-oKGFq+)%Z&X?cPxSxY^G2M8aJLtJHjngt*T|)tw;+)=VuDQmts$7p7 zuB;p%IpCktl;wv^f+qG4Kc_B^wWC~AB_^R|QCuQq0g=+o8KH94dm|QExQ&vh@1N|w71Sw2SrJXQ?i}w0YaT%!W7NC zF*Q~y(Y?BdC+7;~eU8rfNxFc`^gs!z?8lb@MP)~8`@s-TeP2v^$PkLCbN@d zL^S@0C*M#5}G_YuJ5-d0bCkreR+}+)R6Wnb>&;+s@T!Op%23cTnNbuu%@4dg_ zzT9-xR83D$S5JSKn))Vbxx^)E*}mUbWH`t?b{=|RcIlnUtEn3;k#Rj&I$Tt z8I?bZr~C>6=r=+<;;NZ0;L8CGb9Nf!nlak_-EV~!GXhR)dabwAL{&#fPriNe-Q~v# zRfA2Qa3{;FxeKJsM@VDj`6Mc4Xa>@R^ouQUhH%Cnma23z6Aeua^q!mb3oM^%3u9>C zzy0|KLm0ag@;kEOU)1{2*UBxQBH}ijIL}wR2OC}=$}48ZJj3+BI!0cLz95th!BqG+ zLeT8Rl3D+)Fk#rMm^l!0tmu%41!K`u5t@ZuG-g&k9+%zg1i6V!+l?3&Y5J9+AkX8n z&y4PGNxJ=|F>&PsYQzEji?=FlL}nB(ei>QnTRYrQOO?d$Dg&y$d;r$pxQ)YGpI5nT z9FaX`yv1MEA%OWjJKwMfi{T4YWnJv@?l_5}h+eVY%j0->Uf=ACmDy16i7HA(@nw z<#5t`0acl`ytBOY`0qt{6D_8A6S9Ge-{g|v!pS0n5F3b@n?|fi8EnQsWPA9Er3zh* z);cadZ^rv*eI0OsK+*uK7O9MG@*r8(MkxKKp(QP^qmqeRsOJdO zpYf2qql8V@WB(QZytwW8&7d%KTg7K%uD$%mt2c#=1y_QOT}9r;UFz9q0lFzEOk5nM zO^-@bnQ_f(&73+g*QEgDx6OZo!M9Qj@%)h04V8gW_oZ#FbV#@NE48fwfW z!QuG$`W<&Q4R$b$XH;Sp%MLu5BhZ~^H-#+Nm0P?a{w-MpJN%(_fYTg+U!YsV@Jc;% zrz!2GTWG74n7HP5wVFC%HEKDb#Zx+!4{b9mWE_piooo3xJ!ekK>_!mXBBQi41B~#CuiO6>{iqrG7QG&>^+B?Ln$9p`!jS}!EWPN!l`^Ye_} zDq#t^oyZof5zaHFX7>WH-%Zton=2Q4Klt_?f3?A@4GNA?prx}-+YQP(Z!myr6?q@- z8ETq40LoJ1twIf$#LCAhv`J%?3uSq}u$MSyzk=&4)4x`m-Hg!&-3K)Djs#PZ;<}iv zj?qi~>igk-FY+a)z!Gzs9 
z(=kKW9~B)Fufv@8+RPiWc1GOVcPdjl?)(Q)C2ny{tHu*c`!&Q^Qmx>v#k!Aag)wz9R|cAtvaB5LnT6fcuS{}~sRnEMX+!(5v^ z)FV9*j}hz%__$V?@wqb_Xe_cmuJRm(fta*eY9Y_?0@86(ghpSkQBOOM(D{c~&|u_p z)dnmP7T+u==e+(d_RJ4GKZC%0!L+C~xRw*!jY|MJAwu`Qb;qDsXmtABjx-pxe#K$2 zBc(aifVOu!r|a$9T#HMe_Y79P$Sa-9I*`5h>G{s2q(uIuGk_VDNcM{KB9)HIXzL$K zeNRt_sD&-rjMFg7R57{(I6as0tG=Z%LRP!Iyrwr8?OvX&;^%Blqm7Kx5D6+iG3g<>C?lpK`mfz+{V`Anhs-y{a9 zOQ3<(cbH6`%loxkK^_egxCEf}fo9y|v^+)F+lTV0sE-;WK@x992ByKxdmsYU#PkIYy*Qz->LTd_~@^$zd%6)Rnbz;}Qz zWRR$Rs!j-A!*@8!sdcmZmk=P|}%0cz4FSZCbAWq0sA3ty2oemBUx zLNiB}Azf&JqRr#*oD=9(9lFnx)8@$W+|Q9sSR_&n{3B{P0;SiH8MD~*PwA6oZ%gNC8DIN7(f=@@J~aE~6vhXX&!4A!NLX#X&3FRJ;meauiX zURI^5yr4@oCrWm-O~&(Mdp9rfZI7?M8sT=j8dH$@Xcj>A-{)WXcZrsawAH)Vbs}-V>H{{5$@E0Afl2T8a&~X)9VMu1}(6ObRJq=`Pvy z;WaB%${L~ZqmJa6ZYBhlk6@=QuQJRlw33}E1E=A6p}-Se=W5DFbva<_E6%Qc3fu;W zJ>*Ec0&63#-hwtBi?iajch~xZ{1?pnONL>gi`Nd>GON}H`9@+zFqdQs+fF&x)6G8f zwi^SD4oYRX`buYleV9P524|T)Bc>a;`eC>l?M_wWJY6c@hneI&9X|cMyW)E6mF=Egw ze981RMD);fo!D-8c$PO>6!-dZ$ARf_B44dn%Rf&r}#aO8kL>>p2^M$?;HuUmX z#8l%D51CSlt}*B(w6Xob_R=Tx^BL7JS1!K82SZF<^%hw5r*UYz=T~3+3nTlV1p=c} zY*2q%PiirKesKPzB7dZ4|7CXTo4KxW35dUFgZ%jv5QV>u@7$z4V#)T4*NkheSZ!tA zEKC$0b`vjaq$!faKIRX?S^`yLlDPunT|T7re1_krsTM(~`BIbxE!)}LZc*Rq;I#GH zdH9cHkO<6*HjinaJsEkQNKcB3&Xr&wxN#7q9VeXv@M+k=EP z3Ii>kac_IhtMMZxJ}tm$f-5A`eLyAHhayv;XK@Tc*FiSCT`J%*_4@OOb4Izr^JYi@ z#ov3ZkC}#GZ#050TUU|+Mhyf(eO!<6w7O+F1!=8386*BUQU$C@(9>b1Hkp`IJZ7oB zBJ1|~4&-vcmFzWiC71=^av$H3ayegLgrt{7G%nUPw&|+&aYcA`e-m|ree;CA zrRUfyVg6|+Se=C*On&7jKy_R!V}CAM0kJmZ-)r8(SILNY)GquHmq71}c|#k&oPnG> z^IQt-vPQKCHbHs_BmW!J#%Atkd=JgiQp^&}_d=1a;bHTCkGwmUHI%oKr}xs<;e=-W zKJ@uxlVOe1d&c=N@h`J)sFSZ++;X0vwTxK$g4VDJGhb};hZD|$+oWLK+zXR#L<7v& zT7z@Ol`nVeM)V;bVjP}MfOlv4Q0FM5SQ6^=s1Mf)O_S;@gJkH#mqdA>Uf!u}a};Df z*{#>v3`|kV8ft=z@lF&*Onme9I`#}uk46rYYZ|v$E+ReW&RZ1xZ{oL5;G4iGH zB_YWDz&be`O^dW;rK&wED|GHDU~}rPp6qid9#4ztHH>rmr?Nil^mVsAT1!aB67xc&O_+ z7Ao;(u0A#2?3<-z{$5t~O$eP$I;@|z@+2hB>x{k7Eq>}vKjY-TMX{`-Qh$@Ei{}bs zyL~|Y)m}6nQk~}hY{8x{xBPC6#%ApoXS3;P^kGa8%?>7EI8?*MADR%B3AFQ>EEam54 
zTbnV;NtgJll&!lj^d1M~BFW!jl?XcazLy#*<1I_=(D(5qZ@k(Z~Ub}*DUF%ga8Y+u$CP} z*P532fk;KO>X(V%%;(Gq&ldR)J`M;&LlzZ!y;_;)Y5~R=wZU{`@SlVA%)}cOs-(E- z`XdtCG42%DZO5r zl(OC#(`~CkuF;g+U@*bKD!fi@Ot{6So_;Iaz~uayVqr*ZjF3 zcocGriK2_9)aYaPRE)F$m5O$r6V!=#?vf(pa5^BdRbnz>QdxCdj*Fmrj&tC_2b8Lk zujq-^eftmZ{3E|R*`WYYT43|qycBJX4sCEOHW%rv)2N z_irwZ1?ylLCr%?re9-o?E3E;`_W{v9VIeWg7$mnsFQ$1%idy*cG#8WxB+)3GwtH`D z8VHEzfW?cRQdBIQ;{$Aj*#vv^hrg2b@i+v*U1xp*eJtDW0+xmJKG^W%-#^}bc*-L9 zTTPpxWC3;}%aNjBpF$BOYs(niStM$hkWN_YqXzD89qOYVpkg(GN>xb_rwd|6 zW%h34D0qotiTYaQJN}mP8LM5@ySTf2o)-*%R_=BkEd5~9+ugpG`?HqFsd7pwGupT{ zrut*gdjI@cR=+srJrCrbG4f-!U_S6QxLxwxr^D>~r+npY1fEMsz1=iCXp#KjrsMy zlL5~f6AObQ`F^~@RYKLv_tlW^#}$Yr2M~Me{AA}k($u79gVxT4 z|K8gn`pk)_iFLv#-2knfWY6t}?Xb$0&##wXB*T=OE9<2)ofLN@+vLH_K#WS?)+pW)(@?DNdaulgKZH6^?F*VdJe{)7wSPrNbu0zZ_TY4 z`j+Zc(el4V{)yN3YlcZ?%B}(LVfu?}G!xf)2BzRXznjUqO<}6S!f9yfclmAKr`Ws{ z#k4x)+w{Pvu<@OS)37n4?vg>ZKhm%dnwsC!WL3H?O$t){K38u@t7X@Itsei|it_$L zjvi=Ss(pWAJU>49@FK>r^^C*r{MjGqf&l-8jCY3~2QTZx`(OQKxHm6{ci}?0?jqnf z^EdCeZERLarw3#E&xRo^_pDA$t#Dkn?^p3n-B6GruFMyx)>srQ_kl<>^{cobj zD;Bi%Xp?SK!%ZtlWz?SnX}RfEn~gf{T+9tP=px`axvmbR31vk8L85}LpGHxJB)k-* zc`OCa{4Gt6J{mVAu8}B2+Z)5#YksHT7UarEh0GaoN1!`R-whn)dsvMTWHi?T5l*+_Ys^}VotVkX$i!B^{lq0B|IQpXA~q`GsXPdRs3 znj#}Y8By|VEZ8}V3C{3Vh;k_-h%1WYdF6}kSR1kewr^Gn%is>C8qG%$eHqF5=8~9* zqRm(=Wzv~Z$NC}tHn#-y82gsC;z#VvDZkVPc>vakE$c|o>{s(5Japhr9%=qdrFU;L zKp|*o4x-lJ@u*+y9ps~77@fG!>2pk#7FjD8d)uL#4bLD>4DJG}0{WMOm8VOR`KO{0 zCizONEK;|}mr{{ei{fbq7pIihY_GJnp)i?Rp$n&fK>ykXbz-v=@(Kyg82wKDwN(Ft za#$aE;gSi@c-rmzzw{?%o(&S-Es1`NcZE-B4w_Lzk={|Q`0GhH!I>f-&?KsihpKzf zt{wafqYTXPXD4$ar2^1?|hus)Z_7~_~^CwRE3tCY&8vG*|sVt0igM}%+H7fV1rjQ+ux0essA}00E#ZDZBpZ8I=i`y{9ZuM36YhmOiG8HFtvswuKI3(TnAzul zklLWJpWbiK*c4o6!5xL~lspUKD9e6NU|Qps*6`1kCM)n=p?mv(DLn$$66YUC99oD_ zcCs21u#lLofAa-w+s;yo$5u(wP7aDX@Yg4LiC0|}DSBh(X6hq#T-s;Wvx`NC9qIg= z3O@FhN=vuQ{=-7}wCbrp9Cg)_t?==RNu*Qdk9*10qTlEElr+{nlY8+^F~#Xkv$swa z$_Gp504Q`{!&1U9s<`{!+9Q#WKJ{Dd4^C9fj>FX5n>h^=4?YdCLt|s@Eso 
z_~H!e@zr|K5#>HzfwRS003hDr<{6iz{KKH|Dm8BGQRr38NU`1fOfoxnIO8#O732Nn zFEiQt==-UFDlI+E7=rtjQv$TRMrc9_-B$R&&qHs)2O7gzc5(G~_E>ebNB(>sYyY56 zza8UF$s;v$XL&MQCI_QLBwc+piz<@5u4!l7;zzG~jCXt7Wm2o*_`%bTR8SSdaJnWT z)n{uPxd%c0p_VB)rv8nyDqSEM{><(aUlk4^{9A@pREG4=8bVGlW-6#U=mFR8h2msIv^bA`DnDUgy^=EC=q^GY z-SXRJ&xPB9=9Hobp1U<%<#Nw1J0|}v^vT=+Mo?Bto7PoPNzuC`;iaH33m$|IET4e; zBSz4ESaLPzY@iH&M$2)WY-PK^;?lVT1_PIJ*8!bV>VNL2%w@|1QRdq9Ir8;aPMb$M zN+yXMH%$3o7aSQ1bKTp8!CA_r^nDY-;!>s1N`c^7b4{{Qjc%T+g?o;`lHFQog8Pnt zY(GthX+i~HFD1nxm%E>lba9wbhLS&DRz<&c)6J7{U$xubEm*QS=1-EFm0!;0kP-4& zYehfkb<8Dj8D8x7bz#b5D?y@Ga*6{Cpp>|YjHjL>AyAB);4^N)9db$*X* znf4!@6euz0Fa||s_<>2ic~Obe+NV-T^BX+d5QzJXvG51`%@g@AC+(7?psznAnoTbl zS!!`TPANu?HzH)}O*WgK>;*_jwV-$QG!ZUZ4x2D6F!((jKOxuMn02ThVHu)^_@6I% zO^2H_et5{ETL5z~2YN!4QgmpeZ{)A&hlL0&-z#MAtDq9>m_F0_i^d6(*KXAKfV%Hx z-($STZ`4BapvS*4HhDTtjc%FbB&-LwfpZ-*%fH>cJ#EQn)7IM>TqG(->BZOp8o+Pw z9IG6B+BFUcmXNLNa>q}7$!A9$<3R37C|t(Bw$q@@K?YX0jdOPf_d)t9ciE6W?BiIt zZCo-xkQq?q*%Tup@iS|O-p6z^>8~(N^HZ;1x?7ltxoC&xi`iLw)0Ym| z7>C6=O#fwk7@oN8A!^)R!9PqN&CN9qelNkfkj=PM^i0cTV;Fusn4ETP0Dm5Np`idn zs85PY*0r0Xz(it_A@3?j2s7f3a8U+<3uc_)-!|`DpGS{`#%^}10=)Y5vC{Eb6DK1{ zWo`T;o`?9|%B{07;om3U(fCiH`=K0}gsh*ZT`njm-7nOjlU0H5dG zF@vdDyy-D>N<&B06qdR^1h@&D?Q8@~3`2xQOHeM3HHT6AxCwI;ID9~(vN5|p2 zlw+39f{J>-sp%C#EjS_0ekR~<5g_iO9iHDLnk%~c25p)xY}l)lEwoqrvh6tffzbTf zY~eanjRa%zK0WtT^s`{cx5oX6dC*kVY8gBsfQ*KFHXA)L53=nnNTp{!X>-Zf)aGqw zvHT`cIV)AfP_9AbkdZUd_H4a?iY}s7WSnx>(( zOG15y&B(Ji+(#oO*7zjpnHCi$u!I`dh%@O@}w)hWcJIaInN2()rp z5#_LP6-)az-Db{m!gaB)e!}@lOhCLQ&b>r+J4802==tmW1$TX{@fi^4!4c7LWSTR8 z=q;lc1Q^FXDbcua9XyP65#m?-Siob5+38&pxqAogK_6KlX8A`}^?S2d4ySc6`tFPP z#1{Ra#rzf#M_QJ6%KsymEqWK_9x{H;tp8sBXPzkek5mZ}TUy5dmzt0Se*EUZ$nUP2 zgZbaYI}}Rb#d~8RX!JjvQG_hc&z)1jtn~jm^nYspSA269On4U2(z*jQLwg#kiW&-E I5f)Wl14)&Mg{-?XtFYrYX4}$ztV{a|L^F7@7W9hz?j=gNT|q4 zNPtw_oULpfECB%eWY6Rt`5_hD5oLQZFdlAxnZy`6;|Rvb;o>?S+(=9+oe>Jf1s$1F zDp>|k%;C*1SFD%@1{=6y+FuaFj(L5-?kLW3Ad=3z)0a#{ATOJ#Vz{=lIA3J@N^kq 
zArf)_9W7zy>X`1COf(96<3eE~A^ic1K5H*$uRaJ{&@CGsW1X6Sv5#7Y_#=Oeh8x?& zqxGnVxfHfQo=Pz*Mr^*t3NIet5;bd6YA{ky|pQ zR*H%M#(z8_-~$Xc0PY_L^KS>h5CcB^4-Wvy!I1nfuLeW^Ukoe&5NQhl{uiV7kN#(q z`B(mF|ChoR!Tv8Ip$P7O`Og19jV3z0{}Ch?8C`b(00rki1qP6lNBGZzuC0cShmN8G zzqzv`i>ZaPnI(&lqsxD^0D?aJ|5!&$4^xnjql1$>zmE{*{~-AP@&6ICQiA>m;$bgD zsiUX@l5lpj1bt>55es2>*QhT!|dcv^?!~0KXxQ7-Ob%>T|8`^ok0JwYij1~=^;c( z`5#CByZzsKde~b1zn+}j|J$s84P^b#6;^f@HrD^O{ZCc!KT>{WH(Sepp8sQCm|gIH zkpDl~fBguu{>S5AW6`scXrcS< z$eV+Tk`vYE5?y^4#qgU8ZPbYh z0qeprKN^@jtc&~1kBDBx|58K zzRargE2E+Peg7-i+Ui|qV9r8HMpn_>tY^o26v_JW>8tP)xZDn$U+6lcYp}AqDno*1 z>*K@Q`r}81crk;cvvXy9eEflPwAatyaxI4S8XXlG0khmkfB)neu#9;=dHAU*p~a(B z*L*5;nwhEKaoSW6AjySx1wJ-F0v{6tQ{Echk3`CfcjayE1GqigJj>>bi@6^5EOS1R z%XwdJDXcUYD)nrVLTeQStkXT(e`L1tEUWqJ>+=hM=UtA9H8^lYh&Un88!tCdr_k)s&UQU~tWWkIM|h$A z^(Wkb5whYgT$ooNS$NQVdoPsPP{y;}oBng@)#J~yhn|j(qPzPaTQ@Ug{(RAuk(TDJ z^a|RB%7TK6+r8g^JkEc{r=6ZT^jO1zfFKPbN&B37jB(o*jo~Kz0mYoHAUSDi zgnU~$Jj72fXH_OQuU9T2{B*&VQ*UqIq`2Vc#`}hb&L213!>2|f3B%5{Yl4y=zV=eo zIoDQDAimDz8q2!R8kc2HF1U^q{tXn7hwC|q-X7C?j!Rw$Ep8W%N+Up4k5!1n=F@L% z!LWa*@)uCPjtzvyho(^zQ0% z*zP29nB&8WouLk#oWT1I75d?_T9?FU3YU8f^o83gmFG1cr^@=Rul)S{=-=Yw;s#FB zyxK6-jW0#lHiaV+fB4kG;u#>}| zsN!QqdijXQRBI{K5cDLoFK1ah!<_Q={;pEM`vU0tqpc0{c^{9E4}M`P3quZ}TFvzA zFB~JLw}_{=XTM3*EMJdMwj?8`KOE3s;I9_YrQD;RnvWsf3|k{fa6OjmhRXCUbds`dIGR)jJq<6eL(B@ZuKn7G9(ivM@ zVDl~Co-d5})jAmo}AYQuCO7FFUD=>&6Gqql?Rs z2@n<>3xw#eKdEgb>p0@g5V-+?Zf>y63F0Be z?h@&;v&avaOdKmOxJlx2Vq*;+YK+ye&YPXdy?;l~HAGJ$G%8pX=W6;NV*%|=#SxOV zbF*r%-U2OOvx8y(}mUEBF~$-lO)ZvF>zkfE%<3@Q?QfT;$V zRbIr&&jnk}{1oN%rJp)Kcz9r@obp8YKa&NeeqIZu>Gujd5tLfXhs|@hvB-`0rPT-u z?Q{P{ol3^BNR_B~)B$@`?AhqxCC(m($eSV*H_@R^l2}>~WPL>ca$qbfo;uRZpiECwCa%G5|AV(F6)d4{{&a zktn#n^|av!oyY{{|#7EeXV}@k;KafKfks1^O0C$uuA-A6|N&0jWiNoS@X^#x7i&cdZfnDB9L=tKTZtA$p5ZcHrH-iEG;}YEKLXVWWq0%ASuWo{KMm7iDF zwnRy%!#x(U7}+m`si%>w#Gqv%#ody|&_HvX7TcIV$a4n%pH_Zpc3VrpkXXa=r0#MU zfn>AbqdxI+)D$)lIS}{-Iyf*n5Cx`UtqFM*Ag)rT+}hn3K(74RvORtgs(>a;GUlF=&<~jHX=b>n=S!q8ATwV-D%{o+Jy7mR2qs} 
z?bJG^qRIS#8~!A2ZU;Y55HN!jztIi*^DZtz1<&68QxP6UtVEgpQ45HLCgqtwX?hAG z{B#D7s&^@_;^}o)wmY!p(b9)E`oJ3aB<9!Jp6#^JUO*=Dg1c1a3jaq14P5$mF|&xi zfPnDKwgZouUWsX+=^{oV>JV|9ZGB`t(tSU+b>T%g3oCWiDux@px~yl>R>Thz-?n-< z>c?gZ#Nz=jOFg)FcT6TJj!7e zEp1wl;j%ZS3^t1ka1>krxrXl{N8^YJvy{mHFA9+-t@=u5izFf7z;ax}zkrW3elL%7 zd}QUbvb7vWCo2OJ6mV<7*UD*2oE&2vMf$W?CMdYEFI4^unjQO@?c!P{|6t7{HB~)~ zQg7#o;oKAQO?_=s$izYJr-Dl!+kBc{x}5BUyaD{?B+)=OCBzg%$Vf;cQ%fESDeoFK zYde-fTlCABF2bU?*=Rnh4zh5)qD#kFoBtsZK3Hf{rQR^Ij&3^iOsDLk;KWqfFMA?CiFIBi5 z$}N)Zk%c^C0uEw_%Y3#se+5T7nnoU@-LX-$Bm?7{?+*wQBXu|6OV#0;ur2};7IbSY z8}dmFmZ*Y8oaOcr`nqPrY~(g&zN7C61cagKK@*D@ZUSH$k&dOJD*T4WL__{1`sEnX zXb~5e$oKh0lh^ZNE$cCM^?L~<%()6&MVS7cO}b^1Lx`JL7^0A>nqhx*=ZpYNOxL#0N8@(AVfIY+@>S4#S; z?nfRu#U*dICCx}~VF&(4=M7~W@wuE2Ik|X-I%mhMa8ewmHa2XAy?&%S26C4@4>*!~ z1O)aDF#71$@;E#UZ6?DdN)~AfDk8+GQQJg2S64D@&l7ayGgw>u)%U`J1RvY!07;el<42Fw34fA`{|G(PF+ z^BY~de3gC*g~T9ZJd?C2zVnLobkDO0N9r}&I9|l-Z!(Rp7+05^pUd}z)#kq)zgkSq zDGfIREBw4htx#cBm5uL}tLtOdhI>~0PbJfBvCrHw1{P5_Pa&?D+TTKWHz0!sYvJ(u z3QWGAqH>c5mB~b8S&xj0D%J)oAW6p7dw99_?N7N^s^+~E)U){LVd6!*1~C>^@6+GL1oL2M3Z#z8gO++py*u_{CC%Ww3Ccun9b(XkK zy@;A#YW)9lvu#nJQpIK9`;o0%3uiob-ui}tBHZwYoS1l9e`_H$oGE@GepzXRbxVs=1`D;3=x|Cm(J0q z6xDs*iGwG+3#$J6Xr@y;vi<`xgGWlBR|OF?!xwBr1I3yWwlcGs48INawYS$Fwn~7B zOum=&U*%cS;~$*E-DW&F9115SF z;1#a;`@v?uzBXj_(Ih7)8&%PqTyv!Ei^G>NiQl-=N2ohjO3LY2a7vB@$p}V z$)3|1yEt`(v}?})MXG-U#O5AEd$s z5TE0*?*v8Gl?*o>eaPUTm{O}S=7cj-R`Bx@AFYDhVZe?%MC(lGdR9|m8OGC~CQwlKa8Q-X==V-ONxtN)M!sRkb31Ev?~ zl*Qv2G&_Li-2_PMFudL{hgcwccvQ_GiRX~FLQbD}iya(QBSW8Z8Io6mjaZpEc!w}k zRA*k|SN6}eGC*g1dn|gHH1l&rG%K5*9UKa>)NZYKAHpJ2W!Gn4kUNFS%FOwz^D6JA zHxYp>EUY)LFoH}7Y!~A1Clg|;?v+<%D4uJOHT2oFA{r@n^M(S`u@d$O>8^!Ui@?=V z@G^JFxpuvQbqd;EltXgLocv;_lBxM&g_YlB`sA^XQ&I7+co_kKb!F}P-ejkZ?u>75 ze~hu+jKsd+5}{t_v!wwO>JNQ8-5<10$d65>?4zwmEs+j!OvGSYK+94-bkY*To(QgW zeyThq7p&0*7T&U!Z=UuXXzq;^M+u<{L96*7Qh*-7}h+krnG~y{w1@9B`A0dQH9u zsBj}8J2v2)C4{E5A%G*ZHy75)gOIBwEe!mn)7g-CyP_%TnEOC1-vN}5WVY!NcD6dF 
zKQqTikcM5Bl4;qo%9+enz&7hhWSg$sK|!j()1x8D)CiSy_Av*@V(OtmvxNbYxxYPJ+QnxQ`kieBG+L{}ak|0U z?kE7B$OB=sl6=T46JD8aO4rw(2O}PZ9zRF?byKc83~v*SB^mrJD|{SspZ9>M%1_nr z&I$vP)c68$;vMD5?1UO~0xm__r(O!HMiMPC!%5j)U8lBRL)uia{B&sf6fM9~!X59Y zi@(r#0p~Y2ax%n@Nu+1l>nqL`MD_Nds}*D$h1fJUGc@uR7bVWADn5yMtj;!}s$yYO zbHiVhahI3p^6LBMWk^ZXn1-0#H@%^xZdxq6ZQf;*oSZ=pfLSZ5I+ypQbUdc_<}2EG zStu+CF5kd!7EKZeOY`+(Q4T+QjAge}xyjN@)G(b#hnwZ+fb-Ms!QaNE40PG`0h^ zBlwp<#C$?Ijfh;g1?|oY&51a#2f~fLqdzz3dq%}#q-_lx3n4JXnylsvLs@a zH7-ty_|G-8=|AQ0&6$-L+i`;CN1OWO2$t9#etTnQ%cv_xzrK=|2~N?Nt^s(rUY=$b zUNOkaXdXR15Lw;CqXf} z*4duZw`fh^0pF)JjZQyzCeMexWwN@^EqUnZIT3toDAx%buRoxK;jE~x4o_o=LM=+; z17}4;4Nuv?%?Y|$0K+DQamj<*AXA^$Z#TcY0|o$vU9_AAbA-&1BS01s6vIDQQw2jE zzvqOi60dho0MpvYR#+e$5Z9hR^vw^iDR<<_cX7dvuv;pkCJeKMl*yCu<3|e!ms&l$ zxI-mte~D`CFz+BfKQ9*`a&2%%Z7>TPt2^fMv)~8=wRXa{Zl5bLVi-ZWmCp_p8a4=7 ztXU0`!_b-(#n#`$T-)V!yI6L}MI?x~g7JT^9tq7!QW+=P_L*#yJRWvhTHt!A%2fOn zfMOdVY1^XTKklyaz~vPeuAn-+v7Pl31J34?^WqtQNNp#!U$8>kfz5`jr7B!ZKBTVrP*!4oT)z6$ENx z4CdGiCi$PEqvahz`vfy-N~mV%WapV=QS}ycPHgQAp^*SZ6zpM4Npi{gByPI$9vUI9 zHt*2KHDoQ+Dn`vEIWA3cp8FiJ(UonG)=iyrF@76Nq!Mfj30_xBZeJv>-4sqK3~mK_ zr~h+1IR#8mg6OWln|>U3WY}U2`(@=ivuG{#T)ML*svI3oRkEI`!7@Jd$+k=PXG!PA zKo5&~v)7Iz9vj}&OoM}y$x+tUfW*i~6g5+-3c~M^NneL{9EF&Gyy9?7eCFwV=!iMx zFRSsZGX=00NA#sZp`xYW&IVK#x>cHZ1d;CZ4{2&qSoTTJ4%ZQuN-W^M-lUWnG7(sC zk)Wn<%zNrBRP9@U1b3}^{ETBG4{btj(_5czyeu=b4<-`KG75bC42^a*BbARD6Gr`g zpXInu=;LcO%16|~;0V%C$C%&3@BKu6Ucus~lp(X21UmPD%N(TzNJ{u!pD{o`^!KCw zX-wM%4EdV}&WnD|s+BMkh-q zjD%^Ihzgh^+f($*=-i_m`~3Gzu{B>X&&2Aut7-nPqcsAaSz}5QGbYZ0M`NT62jCo@~%6!hk0(B*_E*#YFN zZ$_y|NOY-hWwg9lDzIuo(VKtbMqH4P8`#l6*lFjA?qM@2RH~NokN7x^XvIHJFL{Uh zyp?Sss*vv_EH7&=z93QY0uy=#rEwRuG( zTgUb?M!i!Y7uIjL&$QoHIX->SID_UBw;JjjO3Td^UI>Q-`gf~)+Vt^xv~mt*v4faN z6J34t;T>_%OlW8&EZp)rv8sec&9Vz77ApS@Q3C?Wcjl{vIW$CbPe0XACp$;b*;@G6 zNBWW4bo;xYuA|-)qjEEDj`QI_*Ot~-zfV@RGLhj2k5OGZ`iMd|f=*bH>j{5v=+ctO z?p|!Q`RkpJqH+yO`rtVaV#}lLG&Qlq_wDjF@5AzfnGtfGDFnxkyNw*X1iQmtDRuMWSx-q98TDdTvZm^hfms**Jw4qhWU7BzateL1H=Vz<}04 
zrUjS~754Kf2pQWCtSxCPk_yaE%12o}o>SNw>_0=TnD*e!L61(PW7cJd?7fYM8+%(t`u7=wJ)S zJa|NlG`m}R2r)tsmpm>%`a-hQe*8CmK&3_M)A{X0P%#ZH7^`$$DT0MI6kDrdUUZ9* zoq22}_#8*pGB0Z4ntk!zXX9vhp`#`8M2Om|C76qGh>E6O)c@WLZuUDSyuY`%zXCjs z1w#ERjAdy#)s1Tv!}a_xRfXKLNT==I{NC$$=Zb$3<{u%fid)2v6S}{j4MO;g8Z$j2mXE29hZdshX z!C;boKfrPMo5|ksteaw3Aj)x`J_*GymbY2wE<-MD)a=Sb-7l6;AA| z5PC2|7WKNoDxv!<02YkmhYM2K^YWfG2SFX~n92yQzHS@XEa1$t1zUlN7wwUnCyy>>>WP3yt z-bjE5%xEKA7IajPNj2cj4Lzvj#$>Hret)=iExFS^Ik2STahgNrw0fGL4km?4NOi4w zQ4C{zg%-Y=0ZttqwkX}J)?L?7l37#;5w{=}EUR3NX1;Nw12mHPQ$F&gj4s*!k%FEZ zK}$sfq6*cHpo0tnYasH`HEZIH*i%%`%3WX1riIKDBZ2zU=&0(Mbrd2Al70{Nmzc6E z)S!@QAUGp>!DKtGxK~T-GbErJ>=g5cW~md|659Ff{eH16o|%z$dOSs)pn$1c?A=ie zw?boV^fj97BORC@fA9Gzm0*fq0}(Yg$0Dgn)ib6%P-@F!cf`*R&0J@GBbdk1!7>!a zej`I35U!(Q%!9S|@wl?>$7T6v{Qt}!P68r`bOv-*u?=#%8f`Rd~s z88nXlVV{XZZRg?sw$h5SAy-C3TO3yfN6tvIyD8sOuqznX^1lC0Z3A{Jr-lX1Ib-^( zO<#3kkR5*zRo7sCU@Ro9416661O~C?oc1^UxyyY1Rg@aXZU;Uf8pRBgMkRKH2ZNo~*4HT#}krfW?nX|_}N^)@Iwcx4cE)nHpHN98Nf2h|oswEZJU&rnC% zklE0-k-#;vCQIU{j+d!%34VkyA)&qKFtIr}63XcxI>@}%l=K`V3?;qWHF{C=^u!cv za~hKi$Q;0p_NBK)JfCMZ7alQ5vXh9A5j-cgugK?G^XpY8*N`>Pb4#Hcw*{zDPRdNm zwcNoLv6Y7)um9R8>w^@3no%G8m!|l5GR1z1HPt6#@`OE>b3X<2V6W4BA>IYk9%49R z9*5EXTD?91)CJV*i2w9$gLW09&`@iA^vRcyN%NmRfE~-wT6utC(3r9l;I(Li|4>$ASB!c|wUpB>E4*N)A z3$9_8=#ty)8cv{`t4`G*R}^0en+<{v_`y)4UVMiy{O#d#Tlw<+@MtxJIxJff-Z8(5 zOkY1O!J!^5?|x6H11lf<-u0N)%Bk2gW{n2_z9kt^-!Kp5I>6T|qk9asqpZo};oja9 zN}iggG3+JEB!od^NNdOzC3zfTdvyGQgDA|;mBKiNu*%-*@iKZo&fY3EtRoH!(?Wh0 z&1&do9Si;`PA|5ww)W*CkU^ZQE4njfKy`6r71$=DZ%5@ckC>I9ni~fzmC{73P&BC z1yHbgOnk`)4@Vd2HMeOa?M}6ACf&}x#6~vdNQfiFulhfI#mYGr&g~1iY#+ZX=h8f8 zwkf*feNR_O0)MK%4H;)8aB3w5KFS=l`Q@k|D*MZmweu#gu(63rfxZO(JwubzM z2#4E~E(dUW$vbh9>4-1PpyYUYwQa;Ed@|b`-{NeTKt$r)fH8k0KD@jnk^AG$8ae?h zNpfKC+?W3CGM@+Tnsy6(n2rb_o7+7F44KuIK;Y;Nhzn&n+rRTPOoIZF0H}l70WkSA zH5{|YwQ=G5VkSf>WBX8Q5+`zc$7h~jIA>Ur3v;h%P z!gCUH0Z7eO{gW_Urjnn35kUpCXt%G$fk8fjW9wU4TRLo+5n^3jLOgrLa*KN-(ZIw+ zb#%+fK`_Z}b|Wko*X!QoH`Qzva=lybEYFAwTwY36>}ZeL=u~Egs-%VvF^}6dO*dJ0 
zR>W~31$X7Z$(ytlnKMP4&GLlIgI}(;jNIL?=u?hJn_Hs_j$h8wq22w*WvPnCsx@yG z2@shOA{ws?C`0?b^vloEnx05l+ZzeOOyZ&VW8W_hFpY~Kzg5weOKbbk7l1j=1F!g$ zez8u&#fnYa7r31aOH_4@wyrOCM(~-dm#@rs#!Jvr?Qhi=LCkf>7uJpKhes(S(Z=C~(BGDjf z1RC|Vw-bV=DLs4m7D(Xjrhj;)VO@gP<3Np1}d%;Px*9Wl@B{Aa6>wp#xrM}sOB$N5SaZt z!bEx1k`=Rx4)Lo7iZXc7(pRZb=pC$R!^BWyu$uIPAWDlFPI&wfauQo7r~cTfMcxCp zN(6CP=)8ki`E|}6imdE*>wM4-!1>=01>2(PzkMJ%5;Pz z{=S#!aJh7{{E7@UfCj%ESYZWmT33J`l}Cq6HVk-HgT^l1atyDpg^` ztKMY*GmF2H#@+mjmlRT!I5ZcJ!6cv59CFzf4YhhE9vk(On0h}6r*Dl4pVT0pFrd+d zbFF;PnkL%usOwdmw}%yE6HF!i6@#$8Xar#saoK~RFApXW^7+WQ{Bb4sY?GFjwujkL zlfP!>W1&(=xQDuW>cKRv8rGc%R|u}On~3i-Wx(Gp=Y=lgK)QIdz8ThD%DrtOslK-2 zwoET9lpDPZSws@e#MIlkvlC*n1wbb=kxhrpP+J2Otw`K-XMCcFuE?VpFn2hHRACsVV zT|6xE><|2jbVA?R;sz>ns+J6S5x+~GvxFw>`HO(OB30_-a@rwWsF43NF5b)`;+*5J z6hqq1eUO2{bV@Oko~B*tkE;<48Lp2RV;b-S$Hm-hB@`Kk;( zz3fh{4_Q40*n0V;Y((q+{@8}}1v>QV;RR~F;#1Z?_wc}ESey~f&DKR@yNVJ!!&F!K zu84&|%%+NPZ75wr!6PUrMN-N(gUW7;yeN()MX&g=y+k|N7ac}Jgj@2S2zVqtOl*W( z*pYO1xGEA2);Z1t<|p`DJ*<&sQhj}9`spu3XQ>1CVhk2Bq75=g z<_4qP$u#IhoSe2){T2%FWToBNFr=;Q8%%$OKT6h!aa1fVK+Hjj?q=`S)INwN4Ir~cmy4&{9eRY$4lvWWfG@&5sCJM~bh+BwOtLQC=nE=a}$0$ne zbQ6XnHhC*e)26hHOQvMD(=J%BzaKp0_oOzZAqY!TxvdzH70`kVCr}zV!{~@&9cZ{n zm0YI;z|jxxz$R8 zQTclumY=M$W|l26T&ed~R{T=oX)Mq)n|Is=B2p#1Xkr_QhGg{a_B{QX=%N+H#u@#V z`Fd_XCBb^@V-#8a4cDM|gB3I{2G31u%Gv_>w+7c5r;W01=O1_QCVw#NQw=z{Tx zoa*8OnmXrwQou5E2Te;rDL94C6Apd*eq*?ei!)-D3_ZMK_YU0OAHVj=7cF|_ixxPu z&C7+eP1&y4w@grir!Eh{Wu_#bQzmwt9D0vt36ex7as7%T2o<{Q3JF(FjRW#=;p``* zX<-d6ad0<=s(O7-(d-f~$~L@vy-o}6@I!I&ZEJYdTb1*EFt_h>a%QTNw8a81K2+mV zGJpy2GsQLZO}4@j{$Qc?m2j!6)^`c93rAo@tkP%|jZx~<{`9^&UF;*~JTCg z;u7QAvHK5oj#+v|NTLY+e6vMlDu^OPkT`8MN);$d{Ne}O^EiJYf*Sw*Wt@Q+x~WX(j#S!l_Flcv;=#i zL@=n^F2u1qdB`sT<&%OO^79c!Q3l5~OilM7!|@;wneIXMDCpec!Fo2R#7MA^j4_xtBO(Gdek)d4QYrK1Bsx+*||ir{jJi#ox7 z08y!e0G{J=N|KNKAiVwV1!5C-jZ0<7s`N}^*2pyo%Gyu7Q4|}OSN<7Q+bNtoL7cWm z`7|CF?j3ylJ;1sfTN2aP+}`24cfM~~M2Z@B#pZ9qZiLs?*^<#_V8r>@(`~hq_3W<4 
From a7a8c7c94ae01d9546763e3770c1c524ac5c4ca1 Mon Sep 17 00:00:00 2001 From: Tim Yates Date: Tue, 15 Apr 2025 07:33:59 +0100 Subject: [PATCH 2/5] PR feedback and add sign off --- ...-automated-iam-policy-simulator-testing.md | 35 +++++++++++-------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md index 1547528f87..fe38484863 100644 --- a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md +++ b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md
@@ -11,35 +11,35 @@ summary: A quick guide to implementing a test framework for IAM permissions usin image: tyates/assets/awsiam.png --- -On Scott Logic's DWP Analytics DataOps team, we're sharing a monorepo with another Scott Logic team, and exposing data in S3 for various other teams throughout DWP Analytics in both our and other AWS accounts. There are a lot of moving parts, so we wanted a way to detect and highlight changes in our role and bucket policies (either deliberate or inadvertent) to ensure data access is allowed or denied correctly, and all permission sets are as least-privilege as possible. +On Scott Logic's DWP Analytics DataOps team, we're sharing a monorepo with another Scott Logic team, and exposing data in S3 for various other teams throughout DWP Analytics in both our and other AWS accounts. There are a lot of moving parts and shared Terraform modules, so we wanted a way to detect and highlight changes in our role and bucket policies (either deliberate or inadvertent) to ensure data access is allowed or denied correctly, and all permission sets are as least-privilege as possible. The AWS IAM policy simulator allows theoretical evaluation of policies to determine if an action will be allowed or denied. It can be useful for ad-hoc testing of a user or role's access to resources such as S3 buckets and objects, but the console UI is clunky (if not downright infuriating) and the API imposes limitations when testing more complex, real-world situations involving both principal and resource policies. With only a small amount of shenanigans, it's possible to leverage the simulator API for more useful testing. -### Why +## Why -In the majority of cases where I've used the policy simulator console UI, I've been troubleshooting a role's access (or denial of access) to S3 objects at specific paths, which requires evaluating the result using both the role's policies and the S3 bucket policy. 
Adding a set of context values, test actions and S3 object ARNs (Amazon Resource Names, specify a resource unambiguously across all of AWS) is fine for a one off, but it's not something you want to repeat often and isn't feasible for ongoing verification. +In the majority of cases where I've used the policy simulator console UI, I've been troubleshooting a role's access (or denial of access) to S3 objects at specific paths, which requires evaluating the result using both the role's policies and the S3 bucket policy. Adding a set of context values, test actions and S3 object ARNs (Amazon Resource Names, which specify a resource unambiguously across all of AWS) is fine for a one off, but it's not something you want to repeat often and isn't feasible for ongoing verification. Policy simulator API methods are available via the AWS CLI and implementations such as the `boto3` Python package, but there are some limitations. The `simulate principal policy` method seems like it should do what we need by finding the policies of a user or role for us, but it doesn't work with resource policies unless you're testing a user entity as the principal, which I am not. There are other solutions around providing a friendly implementation for the policy simulator API, but I don't believe any provide the ability to test a role with a resource policy. -### So... +## So... The other API simulation method is `simulate custom policy`, where we provide both principal and resource policies in the request. This, too, won't work with resource policies if using a role entity, but as it doesn't cause the simulator to go off and find the policies attached to a role, we can trick it by simply providing any old user ARN as the `CallerArn` in the request. -As a little up-front disclaimer: this solution requires resource policies to identify applicable principals using conditions in statements (e.g. 
checking the role matches the `aws:PrincipalArn` context key) rather than declaring explicit roles in the `Principals` block itself. The reason for this is that our dummy user ARN needs to match the principal(s) that the permissions apply to, so if you're using something like `AWS: *` or `AWS: ` then that will match the dummy user, and the nitty-gritty bits in conditions will evaluate against our test role specified in `aws:PrincipalArn`. It might well be possible to adapt policies to specify the dummy user as a principal before including in the API request, but I haven't tried. +As a little up-front disclaimer: this solution requires resource policies to identify applicable principals using conditions in statements (e.g. checking the role matches the `aws:PrincipalArn` context key), rather than declaring explicit roles in the `Principals` element itself. The reason for this is that our dummy user ARN needs to match the principal(s) that the permissions apply to, so if you're using something like `AWS: *` or `AWS: ` then that will match the dummy user, and the nitty-gritty bits in conditions will evaluate against our test role specified in `aws:PrincipalArn`. It might well be possible to adapt policies to specify the dummy user as a principal before including in the API request, but I haven't tried. I'll be using Python for this, but it should be applicable to the AWS CLI and other AWS API implementations such as the Java SDK. I'll keep the code as obvious as possible so it can (hopefully) be followed by readers with any programming background, rather than aiming for A-grade, production ready Python. 
To that end, we need to: -- pull all inline (a policy directly tied to this role only) and managed (a policy entity that can be attached to multiple users or roles) policies for the role - these are the principal policies -- pull the bucket policy - this is the resource policy -- fudge the `CallerArn` in the request to a user entity to keep the simulator happy when using a role -- set the `aws:PrincipalArn` context key to the ARN of the role under test -- set any other context values to satisfy conditions for the action to be allowed, or to test denies trigger correctly when conditions are not met +* Pull all Inline (a policy directly tied to this role only) and Managed (a policy entity that can be attached to multiple users or roles) policies for the role - these are the principal policies. +* Pull the bucket policy - this is the resource policy. +* Fudge the `CallerArn` in the request to a user entity to keep the simulator happy when using a role. +* Set the `aws:PrincipalArn` context key to the ARN of the role under test. +* Set any other context values to satisfy conditions for the action to be allowed, or to test denies trigger correctly when conditions are not met. -### Setup +## Setup To start off, I've created a bucket and role with the following basic policies. @@ -110,7 +110,7 @@ From the above we can see that: * all other S3 actions would be implicitly denied, as no allows are granted * the bucket policy will explicitly deny any actions where the `aws:SecureTransport` context value is `false`. A single deny overrules any number of allows, so in actual usage if we're not using https we won't be able to do anything -### Running a test with the API +## Running a test with the API Coding up a basic class to call the simulator with `boto3` could look something like this: 
@@ -275,7 +275,7 @@ If we change the `aws:SecureTransport` context value to `false`, then the `DenyI } ~~~ -### Gettin' configgy wit' it +## Gettin' configgy wit' it We can build on this basic hard-coded functionality to create a suite of config-driven tests for a whole set of roles and resources. @@ -384,7 +384,7 @@ s3:DeleteObject - explicitDeny ✅ ~~~ -### Taking it further +## Taking it further We can extend this basic setup as much as necessary depending on the nature of the role and resource policies being tested. Likely upgrades include testing resource types other than S3, per-test context keys, argument parsing and extended templating to allow e.g. environment specific role names. These can then run be run locally or in pipelines as infrastructure smoke tests to alert when permissions change, or flag up potential access issues before and without executing anything tangible on AWS. 
@@ -397,3 +397,10 @@ In addition to testing with the actual policies of deployed entities to verify r Similarly, testing with a role policy granting no permissions lets us verify cross-account access, where any allows will come from the bucket policy. Resources such as S3 objects and SNS (AWS Simple Notification Service) topics typically require access to encryption keys in order to read or write data; this obviously forms a crucial aspect of the ability to successfully perform an action in practice, but isn't taken into consideration by the simulator. To cover more bases, you could add additional tests to verify your roles can also perform any necessary key related actions. + + +## Final note + +We've found this approach effective as a way to keep tabs on evolving permission sets and to provide ongoing verification that our bucket policies do what they need to do. It's particularly handy for roles we don't own and therefore don't feature in our day-to-day testing, as it gives us confidence that the other teams will be able to successfully read the data they need in production, while being denied access to other areas. You do need to know and understand the actions required by your roles for defining the tests, but even the initial configuration process can indicate areas where unnecessary permissions are granted. + +I hope you might also find it a useful little workaround. From 7f2bb64970b06fc3651d408d34224fae4b44a00d Mon Sep 17 00:00:00 2001 From: Tim Yates Date: Tue, 15 Apr 2025 07:43:47 +0100 Subject: [PATCH 3/5] lil tweak --- _posts/2025-04-03-automated-iam-policy-simulator-testing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md index fe38484863..019cf95eb0 100644 --- a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md +++ b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md 
@@ -401,6 +401,6 @@ Resources such as S3 objects and SNS (AWS Simple Notification Service) topics ty ## Final note -We've found this approach effective as a way to keep tabs on evolving permission sets and to provide ongoing verification that our bucket policies do what they need to do. It's particularly handy for roles we don't own and therefore don't feature in our day-to-day testing, as it gives us confidence that the other teams will be able to successfully read the data they need in production, while being denied access to other areas. You do need to know and understand the actions required by your roles for defining the tests, but even the initial configuration process can indicate areas where unnecessary permissions are granted. +We've found this approach effective as a way to keep tabs on evolving permission sets and to provide ongoing verification that our bucket policies do what they need to do. It's particularly handy for roles we don't own and therefore don't feature in our day-to-day testing, as it gives us confidence that other teams will be able to successfully read the data they need in production (subject to correct permissions on their end), while being denied access to other areas. You do need to know and understand the actions required by your roles for defining the tests, but even the initial configuration process can indicate areas where unnecessary permissions are granted. I hope you might also find it a useful little workaround. From 5e0ec0b7580c78d69cbe799eb422c5d97f478670 Mon Sep 17 00:00:00 2001 From: "tim.yates1" Date: Tue, 15 Apr 2025 08:55:08 +0100 Subject: [PATCH 4/5] final tweaks --- ...-automated-iam-policy-simulator-testing.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md index 019cf95eb0..2097143816 100644 --- a/_posts/2025-04-03-automated-iam-policy-simulator-testing.md 
+++ b/_posts/2025-04-03-automated-iam-policy-simulator-testing.md @@ -11,7 +11,7 @@ summary: A quick guide to implementing a test framework for IAM permissions usin image: tyates/assets/awsiam.png --- -On Scott Logic's DWP Analytics DataOps team, we're sharing a monorepo with another Scott Logic team, and exposing data in S3 for various other teams throughout DWP Analytics in both our and other AWS accounts. There are a lot of moving parts and shared Terraform modules, so we wanted a way to detect and highlight changes in our role and bucket policies (either deliberate or inadvertent) to ensure data access is allowed or denied correctly, and all permission sets are as least-privilege as possible. +On Scott Logic's DWP Analytics DataOps team, we're sharing a monorepo with another Scott Logic team, and exposing data in S3 for various other teams throughout DWP Analytics in both our and other AWS accounts. There are a lot of moving parts and permissions derived from shared Terraform modules, so we wanted a way to detect and highlight changes in our role and bucket policies (either deliberate or inadvertent) to ensure data access is allowed or denied correctly, and all permission sets are as least-privilege as possible. The AWS IAM policy simulator allows theoretical evaluation of policies to determine if an action will be allowed or denied. It can be useful for ad-hoc testing of a user or role's access to resources such as S3 buckets and objects, but the console UI is clunky (if not downright infuriating) and the API imposes limitations when testing more complex, real-world situations involving both principal and resource policies. With only a small amount of shenanigans, it's possible to leverage the simulator API for more useful testing. 
@@ -21,6 +21,10 @@ In the majority of cases where I've used the policy simulator console UI, I've b Policy simulator API methods are available via the AWS CLI and implementations such as the `boto3` Python package, but there are some limitations. The `simulate principal policy` method seems like it should do what we need by finding the policies of a user or role for us, but it doesn't work with resource policies unless you're testing a user entity as the principal, which I am not. +~~~ +An error occurred (InvalidInput) when calling the SimulatePrincipalPolicy operation: Invalid caller - Caller must be an IAM user in this context. +~~~ + There are other solutions around providing a friendly implementation for the policy simulator API, but I don't believe any provide the ability to test a role with a resource policy. ## So... @@ -74,7 +78,7 @@ To start off, I've created a bucket and role with the following basic policies. ], "Condition": { "ArnLike": { - "aws:PrincipalArn": "arn:aws:iam:::role/tims-test-role" + "aws:PrincipalArn": "arn:aws:iam:::role/tims-test-role" } } } @@ -165,7 +169,7 @@ class S3PolicyTest: policies.append(policy["PolicyVersion"]["Document"]) - return [json.dumps(policy) for policy in policies] + return policies def _get_bucket_policy(self) -> list[str]: """Get JSON format S3 bucket policy""" @@ -244,7 +248,7 @@ Slightly truncating the output for clarity, we get: "SourcePolicyId": "ResourcePolicy", "SourcePolicyType": "Resource Policy", "StartPosition": { "Line": 1, "Column": 248 }, - "EndPosition": { "Line": 1, "Column": 448 } + "EndPosition": { "Line": 1, "Column": 470 } }, { "SourcePolicyId": "PolicyInputList.1", 
@@ -257,9 +261,9 @@ Slightly truncating the output for clarity, we get: ] ~~~ -We can see that `GetObject` is allowed, and the start and end characters of the statement in the role policy json string that awards the allow are indicated; as we've fetched the policy we can use this information to show the relevant sections to aid in debugging (as you get in the simulator console). `PutObject` is an implicit deny, so there are no matching statements to show here as neither allow or deny policy statements are in effect. `DeleteObject` is explicitly denied, and the matched statements indicate both the deny in the resource policy and the allow in the role policy. +We can see that `GetObject` is allowed, and the start and end characters of the statement in the role policy json string that awards the allow are indicated; as we've fetched the policy we can use this information to show the relevant sections to aid in debugging (as you get in the simulator console). `PutObject` is an implicit deny as neither the role nor bucket policy grant it, so there are no `MatchedStatements` to show as no statements are in effect. `DeleteObject` is explicitly denied, and the matched statements indicate both the `DenyTimDelete` statement in the resource policy, and the allow in the role policy. -If we change the `aws:SecureTransport` context value to `false`, then the `DenyInsecureTransport` section of the bucket policy kicks in and `GetObject` is also now explicitly denied. +If we change the `aws:SecureTransport` context value to `false`, then the `DenyInsecureTransport` statement of the bucket policy kicks in and `GetObject` is now explicitly denied, with the character indexes of this statement indicated. ~~~json { 
@@ -269,7 +273,9 @@ If we change the `aws:SecureTransport` context value to `false`, then the `DenyI "MatchedStatements": [ { "SourcePolicyId": "ResourcePolicy", - "SourcePolicyType": "Resource Policy" + "SourcePolicyType": "Resource Policy", + "StartPosition": {"Line": 1, "Column": 38}, + "EndPosition": {"Line": 1, "Column": 248} } ] } From 56e5a221aca1ba9d41e1be26582b191d45906e31 Mon Sep 17 00:00:00 2001 From: "tim.yates1" Date: Thu, 17 Apr 2025 10:49:03 +0100 Subject: [PATCH 5/5] putting the s in Leeds --- _data/authors.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_data/authors.yml b/_data/authors.yml index ed6769d39b..a3521e65fc 100644 --- a/_data/authors.yml +++ b/_data/authors.yml @@ -1561,5 +1561,5 @@ authors: tyates: name: "Tim Yates" email: tyates@scottlogic.com - author-summary: "Reformed folk musician turned Senior Developer based at the Leed office, prefers backend and data but will frontend if you make him." + author-summary: "Reformed folk musician turned Senior Developer based at the Leeds office, prefers backend and data but will frontend if you make him." picture: picture.png
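Review bot: in the @@ -11,35 +11,35 @@ hunk of the second patch, the reworded disclaimer says "the `Principals` element itself", but the IAM policy JSON element is `Principal` (singular); the added line should read "rather than declaring explicit roles in the `Principal` element itself". In the same sentence the second example after `AWS: *` is an empty backtick pair (`AWS: `) on both the removed and the added line, so whatever value was meant there is missing and needs filling in before this merges.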
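Review bot: typo in the unchanged context of the @@ -384,7 +384,7 @@ hunk (second patch): "These can then run be run locally or in pipelines" should be "These can then be run locally or in pipelines"; since this hunk already touches the "Taking it further" heading, it is worth fixing the paragraph directly below it at the same time.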
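Review bot: the error block added in the @@ -21,6 +21,10 @@ hunk (fourth patch) uses a bare `~~~` fence while the post's other fenced output uses a tagged fence such as `~~~json`; tag this one (for example `~~~text`) so it renders consistently. The error text itself also shows the real operation name, `SimulatePrincipalPolicy`, whereas the prose immediately above it calls the method `simulate principal policy`; naming it as the API does (or as boto3 does, `simulate_principal_policy`) lets readers search for it.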
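Review bot: in the @@ -74,7 +78,7 @@ hunk (fourth patch) the removed and added lines read identically, `"aws:PrincipalArn": "arn:aws:iam:::role/tims-test-role"`, so this looks like a whitespace-only change; confirm that is intended. Separately, the ARN has an empty account ID segment (`iam:::role`), and a real role ARN carries the 12-digit account ID in that position, so as written the `ArnLike` condition would not match the role; if the account ID was removed deliberately, an obviously fake placeholder (e.g. `123456789012`) with a note saying so would keep the example copyable.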
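Review bot: the @@ -165,7 +169,7 @@ hunk (fourth patch) changes the method that appends `policy["PolicyVersion"]["Document"]` to `return policies` instead of `[json.dumps(policy) for policy in policies]`, so it now returns the policy documents as boto3 hands them back (parsed dicts) rather than JSON strings. Check that its return annotation no longer says `list[str]` (the neighbouring `_get_bucket_policy` still does), and that the caller serialises each document with `json.dumps` before passing it as `PolicyInputList`, which `simulate_custom_policy` requires to be a list of strings; otherwise the simulator call will fail on the dicts.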
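Review bot: in the @@ -244,7 +248,7 @@ hunk (fourth patch) the resource-policy `EndPosition` column moves from 448 to 470 with no change to the bucket policy shown, which demonstrates that these offsets are positions within the exact policy string sent in the request, so any difference in serialisation (separators, indentation) shifts them. A sentence in the prose saying that the positions index into the string as serialised, not the pretty-printed policy in the post, would stop readers from treating 248/470 as fixed values.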
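Review bot: grammar in the @@ -257,9 +261,9 @@ hunk (fourth patch): "neither the role nor bucket policy grant it" should be "neither the role policy nor the bucket policy grants it", and "role policy json string" should use the capitalised "JSON string" as elsewhere. The rest of the rewritten paragraph reads well and the `DenyTimDelete` / `DenyInsecureTransport` statement names now match the output blocks.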
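Review bot: formatting in the @@ -269,7 +273,9 @@ hunk (fourth patch): the added lines use the compact form `{"Line": 1, "Column": 38}` while the earlier output block uses `{ "Line": 1, "Column": 248 }` with inner spaces; pick one style for both blocks. The values themselves are consistent with the earlier output (this statement spans columns 38 to 248 and the next resource-policy match starts at 248), so no change to the numbers is needed.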