From a938efc1e57e5c96e0d4be16fcfb39953f72e7f6 Mon Sep 17 00:00:00 2001 From: AngusWarren Date: Wed, 1 Jun 2016 13:03:49 +0800 Subject: [PATCH] Initial port to Confluence --- README.md | 27 +++++-- RemoteUserConfluenceAuth/LICENSE | 19 +++++ RemoteUserConfluenceAuth/pom.xml | 71 ++++++++++++++++++ .../confluence/RemoteUserConfluenceAuth.java | 68 +++++++++++++++++ .../src/main/resources/atlassian-plugin.xml | 7 ++ builds/RemoteUserConfluenceAuth-1.1.jar | Bin 0 -> 2149 bytes builds/RemoteUserConfluenceAuth-1.1.tar.gz | Bin 0 -> 2287 bytes 7 files changed, 187 insertions(+), 5 deletions(-) create mode 100644 RemoteUserConfluenceAuth/LICENSE create mode 100644 RemoteUserConfluenceAuth/pom.xml create mode 100644 RemoteUserConfluenceAuth/src/main/java/anguswarren/confluence/RemoteUserConfluenceAuth.java create mode 100644 RemoteUserConfluenceAuth/src/main/resources/atlassian-plugin.xml create mode 100644 builds/RemoteUserConfluenceAuth-1.1.jar create mode 100644 builds/RemoteUserConfluenceAuth-1.1.tar.gz diff --git a/README.md b/README.md index dcb3200..192ab05 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,23 @@ -JIRA 4.3+ with mod_auth_kerb SSO +JIRA/Confluence with Kerberos SSO ================================ Goal ---- -Users should transparently log in to JIRA with AD domain credentials. +Users should transparently log in to JIRA/Confluence with AD domain credentials. Overview -------- -Apache authenticates users using mod_auth_kerb and passes the authenticated username to JIRA through an AJP proxy. JIRA uses a custom Seraph filter which checks for the remote_user variable set by Apache and logs the user in automatically. +Apache authenticates users using mod_auth_kerb and passes the authenticated username to JIRA/Confluence through an AJP proxy. JIRA/Confluence uses a custom Seraph filter which checks for the remote_user variable set by Apache and logs the user in automatically. Installation ------------- +----------- +### JIRA 1. Install Jira using the standard install, listening on port 8080 * Allow port 8080 through the firewall 2. Setup LDAP user directory * Test logging in using your AD credentials 3. Setup apache to act as a proxy to Jira using AJP - * Add this line to the server.xml (/opt/atlassian/jira/conf/server.xml) file, around line 64. It should end up below the existing "Connector" entry. + * Add this line to the server.xml (/opt/atlassian/jira/conf/server.xml) file, around line 64. It should end up below the existing "Connector" entry. + ```xml ``` @@ -26,6 +28,7 @@ Installation 5. Add the jar file (RemoteUserJiraAuth-X.Y.jar) to the WEB-INF/lib/ directory (by default it's /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/) * Ensure that you've removed any older versions which may exist. 6. Edit WEB-INF/classes/seraph-config.xml and replace the existing authenticator with the custom one: + ```xml Comment this out: 
@@ -35,6 +38,20 @@ Installation 7. Restart JIRA and Apache 8. Check to see if it is now working. +### Confluence +Use the JIRA instructions above with the following changes: + +1. Use the base path of your Confluence installation rather than JIRA. (/opt/atlassian/confluence by default) +2. If you're running both JIRA and Confluence on the same host, you'll need to use a different port for the AJP connector created in the server.xml file. +3. When you're replacing the authenticator classname in WEB-INF/classes/seraph-config.xml, use these details instead: + + ```xml + Comment this out: + + Add this below it: + + ``` + Notes ----- ### Kerberos diff --git a/RemoteUserConfluenceAuth/LICENSE b/RemoteUserConfluenceAuth/LICENSE new file mode 100644 index 0000000..87c9b70 --- /dev/null +++ b/RemoteUserConfluenceAuth/LICENSE @@ -0,0 +1,19 @@ +To avoid future confusion, we recommend that you include a license with your plugin. +This file is simply a reminder. + +For a template license you can have a look at: http://www.opensource.org/licenses/ + +Atlassian releases most of its modules under the Apache2 license: http://opensource.org/licenses/Apache-2.0 +Copyright 2011 Angus Warren + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/RemoteUserConfluenceAuth/pom.xml b/RemoteUserConfluenceAuth/pom.xml new file mode 100644 index 0000000..c5aef92 --- /dev/null +++ b/RemoteUserConfluenceAuth/pom.xml 
@@ -0,0 +1,71 @@ + + + + + 4.0.0 + anguswarren.confluence + RemoteUserConfluenceAuth + 1.1 + + + Angus Warren + http://wiki.warren.bz + + + anguswarren.confluence.RemoteUserConfluenceAuth + This is a custom Seraph filter developed by Angus Warren to authenticate based on the remote_user variable set by Apache + atlassian-plugin + + + + junit + junit + 4.10 + test + + + com.atlassian.confluence + confluence + ${confluence.version} + provided + + + javax.servlet + servlet-api + 2.4 + provided + + + + + + + com.atlassian.maven.plugins + maven-confluence-plugin + ${amps.version} + true + + ${confluence.version} + ${confluence.data.version} + + + + maven-compiler-plugin + + 1.6 + 1.6 + + + + + + + 5.7 + 5.7 + 5.0.13 + 1.2.3 + + + diff --git a/RemoteUserConfluenceAuth/src/main/java/anguswarren/confluence/RemoteUserConfluenceAuth.java b/RemoteUserConfluenceAuth/src/main/java/anguswarren/confluence/RemoteUserConfluenceAuth.java new file mode 100644 index 0000000..b32f066 --- /dev/null +++ b/RemoteUserConfluenceAuth/src/main/java/anguswarren/confluence/RemoteUserConfluenceAuth.java 
@@ -0,0 +1,68 @@
+/**
+ * Copyright 2011 Angus Warren
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package anguswarren.confluence;
+
+import org.apache.log4j.Category;
+import java.security.Principal;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import com.atlassian.confluence.user.ConfluenceAuthenticator;
+
+public class RemoteUserConfluenceAuth extends ConfluenceAuthenticator
+{
+ private static final Category log = Category.getInstance(RemoteUserConfluenceAuth.class);
+
+ public Principal getUser(HttpServletRequest request, HttpServletResponse response)
+ {
+ Principal user = null;
+ try
+ {
+ if(request.getSession() != null && request.getSession().getAttribute(ConfluenceAuthenticator.LOGGED_IN_KEY) != null)
+ {
+ log.debug("Session found; user already logged in");
+ user = (Principal) request.getSession().getAttribute(ConfluenceAuthenticator.LOGGED_IN_KEY);
+ String username = user.getName();
+ user = getUser(username);
+ }
+ else
+ {
+ log.debug("Trying RemoteUserConfluenceAuth SSO");
+ String remoteuser = request.getRemoteUser();
+ log.debug("remote_user set to: " + remoteuser);
+ if(remoteuser != null)
+ {
+ String[] username = remoteuser.split("@");
+ user = getUser(username[0]);
+ log.debug("Logging in with username: " + user);
+ request.getSession().setAttribute(ConfluenceAuthenticator.LOGGED_IN_KEY, user);
+ request.getSession().setAttribute(ConfluenceAuthenticator.LOGGED_OUT_KEY, null);
+ }
+ else
+ {
+ log.warn("remote_user is null");
+ return null;
+ }
+ }
+ }
+ catch (Exception e)
+ {
+ log.warn("Exception: " + e, e);
+ }
+ return user;
+ }
+
+}
diff --git a/RemoteUserConfluenceAuth/src/main/resources/atlassian-plugin.xml b/RemoteUserConfluenceAuth/src/main/resources/atlassian-plugin.xml
new file mode 100644
index 0000000..31ae603
--- /dev/null
+++ b/RemoteUserConfluenceAuth/src/main/resources/atlassian-plugin.xml
@@ -0,0 +1,7 @@
+
+
+ ${project.description}
+ ${project.version}
+
+
+
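Review bot: The SSO branch of getUser() in RemoteUserConfluenceAuth.java discards the Kerberos realm — `remoteuser.split("@")` followed by `getUser(username[0])` — so a principal from any realm the front end accepts resolves to the same local account name, which becomes an identity-confusion risk as soon as a cross-realm trust exists. The value from `request.getRemoteUser()` is also trusted without any check, so the mapping is only as safe as the AJP connector's exposure; that connector should be reachable from the Apache host only. Consider rejecting principals whose realm is not the expected one before the lookup (sketch below; `EXPECTED_REALM` is a placeholder for a value the deployment would configure), and returning `null` from the `catch` block, since at present an exception thrown after `user` has been assigned still returns that principal.

```java
// … unchanged: session branch and the two debug lines …
if(remoteuser != null)
{
    int at = remoteuser.indexOf('@');
    String name = (at < 0) ? remoteuser : remoteuser.substring(0, at);
    String realm = (at < 0) ? null : remoteuser.substring(at + 1);
    if(name.length() == 0 || (realm != null && !EXPECTED_REALM.equals(realm)))
    {
        log.warn("remote_user rejected: empty name or unexpected realm");
        return null;
    }
    user = getUser(name);
    // … unchanged: debug line and the two session attributes …
}
// … unchanged: else branch …
catch (Exception e)
{
    log.warn("Exception: " + e, e);
    return null; // fail closed instead of returning a partially resolved principal
}
```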
diff --git a/builds/RemoteUserConfluenceAuth-1.1.jar b/builds/RemoteUserConfluenceAuth-1.1.jar new file mode 100644 index 0000000000000000000000000000000000000000..8bdc353adbc1ca2be2c7d12dc197e08c91719e58 GIT binary patch literal 2149 zcmbW2c`)1S8pmS~QbJ>krM0B0DyXaWp0TBf5Nd6E+~P#6i7lw2M-gJHeW}pK);6}F zIIYH3Z4W|`TI(uPJw#h--+H)m=H6C2_x^L9cYZVP@15uQ{+{>yn|VHHBo{XX00aU7 z!$x!j;7ITTxB)102V*r$8-)6PF95&=KqL8p>?Yhp{oO-CeB5zrf&K)n4-Os? z;9s1H!gZenCDeJ;+oGGrjG-I6f7<2eni_IJIf2#)CNtk_*mn{G!$$~5+zm+hSPx00 zAlpi={;Ku!#n@SgKAw=u!6M1@w!_|k8WJsZ6MX;j#0q*s0QlSBPbL34hitKj!-;kv zld7We$APJr`yH&qNJUlutX3Tq=zQH36pQUGI4e_(?bTpfT{v~e{YlrXAkXx9@fqOw z>S>zR@7%}p!c@;c6P-(2qMtW((KH|%8p}_|SbCpTxo%4db1_0oH3qG3h)rkcz;cg2u{*+ORFG^w)QSn3(G~sw|8Ede!xwIa6&#q(o0tv zc#9Rm2N3gDRzl}8i_z3OEEa32u8uW=zjsRKs5-AKsm_=P3)*yFSNFY|6lsDf6 zb9!1nO;d%|hEa|$E0K0^oY!H7wUmr*FAz+Fvgzl0T|Kr(DY?LE=83+o>Xl{X&&HfO zITga%Q`R$z<}uZ?d6QVlN!dCEO?i0-lkNQ2QRGz6z(7&i)#QfxI*>*vXtGu<(Ly)7 z*efY564ptB;af|=aE8FmO8N&aoY?RlxdFoH1J~DDPe?JzD(cMfo&P2vM3nJ!YOGOka+Lo*%<6LyaU@c3jYrYO@ zi`vIp9@+wf27{rFw&L``mhOU@-p6=)r*35a=>-^R!_yVxQ;*ksI`V# zV^DDIBQ?0u>iE4YZZ(XYZW&?Oo+3Ophf2&6iq(_ljg(A>@W@BhYR)I%d^*qyyx~!u zNLAjZ5Z4^gn-TP=U2H$iuQ-08;H9jrt1c+9@{1U?y58+6qF$Hc$r0|(`0>fcxup+S29<5e%Aptk@{3IV$A_cP;4<5T5>tv zEvBpz#HTf}apOW31u@-T&mCuTDiOA$DQ&g*uB=evL{KwHThl=O?8f@=2O9)2!jeIR zjHWYE?)chMIh>Msdp50`M+PN*SkJ54pt;vKh<#^5sw(aU^;bF0=1B&tlY&rDi8q{eBrV4kI!v3XPz<*ka@5Hn zH@p}etJbHkT9?!waF_{4N4{a*K-oIx9wI6}3NvH; zBYl`U#uErC{2eV$Ctx=Dq&}RSzFQsmMPyP^&hvpyxyNlVzAWUe^MZwsw$kY5nOCci~cL8HA1MotwK#W)8os0(84-ypO&0_6&goc4Nmr25W_1O0V}0hl12^TnEu)ezZIk!S zqGPqTv&!3F>U~LC+m@2}tP0QENQp2x$Sd*CrFJTb{$i_$R0b=4k}nN*$oAp>#crkK zn!4DUlAXhCL=A+HjCL_AmM5RzHG)--^=#=RwH{x=N-_iYrSi0|ZVMJGLU*@BCOg)| zS)}#Yf!F)^z!|?#!=%ZXx92BJKU{mQFLA)Z9-w_OWAW460DznTdw_CqLIB_6^1m!( zmYv~bm9#vqI?&xIyUZLwy;eT=Or~;b+N3X^vz_<8# ZNQ=M412mF{mo3A6xD*aW)cDwM{{|g+d%FMt literal 0 HcmV?d00001 
diff --git a/builds/RemoteUserConfluenceAuth-1.1.tar.gz b/builds/RemoteUserConfluenceAuth-1.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..355857a10440f31c6f358d878edf219e681c00a0 GIT binary patch literal 2287 zcmV?(Sc=gO+0rYwu`D^z&R`EB5 zS9Y`0vMsx1OFY}^cI{WF^W2O{h`7KEp;y?SMtlR_w)y{2;9&n5rv7s}!2|4X+g%v9 z?GB)8`@aBW_Wy$C_?evG;r4HK?5?)|OF-HFO2}Kx7{!ZXe zyomS?d8{k!Z2w-fY1>V(f3Ioj^Z!L)C;MNJSs=(qPS|laIE=)NDHmhJ1MUn3khQtj)!w@_0lg#X+UkT$h@KMvWP+cO_lBwF>J4s>@L}-Q=$PWaHH~|`z zqY3p0B6ki61)@H3f?4QM3?7DVskl-5BvedE<8wkIxEA2H2*ZL9-X=vvghk4=gc~8k z!$#xw_SVFTV>4jWh8N@V#_8zzc5KKdTv95M2rh%ylQdVz2VY&rNEnDy{2 z3K+suMqo|^lI>eY1@))zmvX`AbtFn!OPK`OiwK}M?4#Onj7H-c`qywg z8t+RYpGKEIo`1YVpN1C~!?VlL$rznqpyTti_oK_v`5C-@K*O`o=%>-y`+Y<}XRr^s z3z?Jv*rZaQ#8t{06H;Pf62vU=kT`Tg9S{vHkEaApgE?V7NQ6SdW|T|2a$wMvWIQ^f z0t+>?BA48#VHlw3uaZz9rI>k2d1n~FSHJ{tI8CkM1=IEy^B4;<4cOvciXoGX$%zwz ziWlZDjQS1@u~(YE0|Ykrh%lwG%^%^PaXfGVHY8l^jLk!kie%{EjwTi!1_j`v04De^ zGt23a_yRmc1Pr7Lqib*%Xmt0u>~>tI;J166mC!Y$)X#6Xk~WJ@mJj1p4kfv~FI$3`G)I^$O*hr{_QX zaPt0YbawUA$>)sbUWtJ+I}$+Mrc17)X}y;02T=q;@Gh1OdyHULS!D`AO?{R6mLSnW zJ=4qHlZmmq*%$~w7|T6|<(_KL%rj{n$78ID1TqoTU8!?e9MTHXq>HHAY(BBKhD`+U+%otefJ-IGkzkVGv z{oC(FOXLJh4p~~%YyYg0Swe+jezShxu&5yGDLAE6oIJ1O*_slFCEg&bgtZ>ZAMBy~ z&%O^Fmhnc)AnP}}Upp$D7*$wslX~HJ^UIzDXS>{elQ9_)5%ZT)VKtBWTmA%MJ2$9) zqKYS(iO60>BF(wXkYl4m)m9AboOZ&VlqR0OH;jAZ&n{OrJTYYVKRCOCh&fOXKlvWJ z_kWt*UZ(~3|5mrD`@b&&YwVwuy9c2c!Fgfc&AdnLq3-|P%KN|7X{YypyV-4aW&fw! 
z)c5}vf&Q|!(O0rKs=fIZvfvAG;235>6pq|`GatfC&ABy<$9fo6K{9qop z1deKUZJ>^kemrwP{Yfy$PMf|Oqw6hy2qCIw>zyo{#%wUzyDdi zmX80IfXe{kc|ct>iJ;yiNOm|P88iFnR$l0xU^au0LE;7r)xU!qs~5QhVU#q`;;RHq zu_WkC<1*{(!7rB$s0H9deN1Ju$TW-(vVDdGff?D@NGVDB4))Ovo~sRl;48x7u-L#0 zLcml9Rk?|07{fH^U?Y!U7(}yx3)vc^LO#2ZNBBzjvYGClZBw;HjIY{+o7$zuV;iN9 z?vn1>B2~%j0nJh4DcYis?}sy1v^6Tk?O$vfJtRzqZ|# z|NqBs+dZBCUjq8ygY{8frI}U@5#I@1aQ36x$IA}~|EPUGFpPdu1|dNA`B5!N8#Bn% zelcZK(xKaE8Xee?A=pg&BqtD(+numvef^)$D2D zs8HKsdsKy?1`g)!E9=TK@3;$PXp0!ce$@xC z9V99uZx!p!w}Mw~xWN_Vgp@R=E^&91bw_g*zYp#pWP*8sL%M^MO|$)EG8IOYOU8rO z5%mhYC)aJhv{`yDMN3d&_Be|sq$-rMte7~_=0?pTt4c{FMZNikXCdF_2x^J?h^i{G zfnX8%T47)nTQWqa5nD>2W$iGyEI8uV&91qGwUN|&Ebv-#E=;V_ETXT9(AXeD+KbrL z-fIjt3*oN8b~D#5+Klf~aF}($spIGMh){@4iHH%C=f?`4j_@>OlJH3KKZ6hh@k$AO z)z*WK+3PpfjIUi(wCKvp(qz88=Coph1HM4H`6P(4aws1`QfCXwa|`{tLk2 J($N4=004H{df5N~ literal 0 HcmV?d00001