From bbc2c5b198a117b1770700e5b0f5f9bc7c71661e Mon Sep 17 00:00:00 2001
From: AngusWarren
Date: Fri, 23 Sep 2016 17:48:09 +0800
Subject: [PATCH] Updated RemoteUserJiraAuth to 1.2
---
 .../RemoteUserJiraAuth.properties | 17 ++++
 RemoteUserJiraAuth/pom.xml | 7 +-
 .../anguswarren/jira/RemoteUserJiraAuth.java | 84 +++++++++++------
 builds/RemoteUserJiraAuth-1.2.jar | Bin 0 -> 2853 bytes
 builds/RemoteUserJiraAuth-1.2.tar.gz | Bin 0 -> 5690 bytes
 5 files changed, 73 insertions(+), 35 deletions(-)
 create mode 100644 RemoteUserJiraAuth/RemoteUserJiraAuth.properties
 create mode 100644 builds/RemoteUserJiraAuth-1.2.jar
 create mode 100644 builds/RemoteUserJiraAuth-1.2.tar.gz
diff --git a/RemoteUserJiraAuth/RemoteUserJiraAuth.properties b/RemoteUserJiraAuth/RemoteUserJiraAuth.properties
new file mode 100644
index 0000000..c0b4026
--- /dev/null
+++ b/RemoteUserJiraAuth/RemoteUserJiraAuth.properties
@@ -0,0 +1,17 @@
+## This file can override some default behaviour if saved in
+## WEB-INF/classes/RemoteUserConfluenceAuth.properties
+
+## If you're passing the username in an HTTP header, set the name here in
+## lowercase. Leave blank to use the special REMOTE_USER header.
+#header=x-proxy-username
+#header=
+header=x-forward-name
+
+## Use trustedhosts to specify specific hosts which are allowed to authenticate
+## via HTTP headers. Leave blank to allow all hosts. It supports a comma
+## separated list of IP addresses. It does not support subnets or ranges.
+#trustedhosts=192.168.0.1,192.168.0.2
+#trustedhosts=192.168.0.1
+#trustedhosts=192.168.0.1,127.0.0.1
+#trustedhosts=
+trustedhosts=10.1.1.100,127.0.0.1
diff --git a/RemoteUserJiraAuth/pom.xml b/RemoteUserJiraAuth/pom.xml
index 26c0e22..21af933 100644
--- a/RemoteUserJiraAuth/pom.xml
+++ b/RemoteUserJiraAuth/pom.xml
@@ -7,7 +7,7 @@
 4.0.0
 anguswarren.jira
 RemoteUserJiraAuth
- 1.1
+ 1.2
 Angus Warren
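Review bot: The header comment of the new properties file tells the administrator to save it as `WEB-INF/classes/RemoteUserConfluenceAuth.properties`, but the Java change in this commit loads `RemoteUserJiraAuth.properties`, so a file saved under the documented name is never read and the filter falls back to REMOTE_USER with no host check, with only a debug-level log entry. The line should read `## WEB-INF/classes/RemoteUserJiraAuth.properties`. The active values `header=x-forward-name` and `trustedhosts=10.1.1.100,127.0.0.1` look like one site's settings; if this file is meant as a template, leaving both keys commented out and stating that header mode needs a trusted-host list would be the safer default.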
@@ -15,7 +15,7 @@
 anguswarren.jira.RemoteUserJiraAuth
- This is a custom Seraph filter developed by Angus Warren to authenticate based on the remote_user variable set by Apache
+ This is a custom Seraph filter which authenticates based on the remote_user variable set by Apache or an aribitrary HTTP header set by any web proxy.
 atlassian-plugin
@@ -50,7 +50,7 @@
 com.atlassian.maven.plugins
 maven-jira-plugin
- 3.4
+ ${amps.version}
 true
 ${jira.version}
@@ -69,6 +69,7 @@
 4.3.2
+ 5.0.13
 4.3
diff --git a/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java b/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java
index 08ea161..997a34f 100644
--- a/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java
+++ b/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2011 Angus Warren
+ * Copyright 2016 Angus Warren
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,50 +17,70 @@
 package anguswarren.jira;
 import org.apache.log4j.Category;
+import java.io.InputStream;
+import java.util.Arrays;
+import java.util.Properties;
 import java.security.Principal;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import com.atlassian.core.util.ClassLoaderUtils;
 import com.atlassian.jira.security.login.JiraSeraphAuthenticator;
-public class RemoteUserJiraAuth extends JiraSeraphAuthenticator
-{
+public class RemoteUserJiraAuth extends JiraSeraphAuthenticator {
 private static final Category log = Category.getInstance(RemoteUserJiraAuth.class);
- public Principal getUser(HttpServletRequest request, HttpServletResponse response)
- {
+ public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
 Principal user = null;
- try
- {
- if(request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null)
- {
+ try {
+ if (request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null) {
 log.debug("Session found; user already logged in");
 user = (Principal) request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY);
- }
- else
- {
- log.debug("Trying RemoteUserJiraAuth SSO");
- String remoteuser = request.getRemoteUser();
- log.debug("remote_user set to: " + remoteuser);
- if(remoteuser != null)
- {
- String[] username = remoteuser.split("@");
- user = getUser(username[0]);
- log.debug("Logging in with username: " + user);
- request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
- request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
- }
- else
- {
- log.warn("remote_user is null");
- return null;
+ } else {
+ Properties p = new Properties();
+ try {
+ InputStream iStream = ClassLoaderUtils.getResourceAsStream("RemoteUserJiraAuth.properties", this.getClass());
+ p.load(iStream);
+ } catch (Exception e) {
+ log.debug("Exception loading propertie. The properties file is optional anyway, so this may not be an issues: " + e, e);
+ }
+
+ String trustedhosts = p.getProperty("trustedhosts");
+ if (trustedhosts != null) {
+ String ipAddress = request.getRemoteAddr();
+ if (Arrays.asList(trustedhosts.split(",")).contains(ipAddress)) {
+ log.debug("IP found in trustedhosts.");
+ } else {
+ log.debug("IP not found in trustedhosts: " + ipAddress);
+ return null;
 }
+ } else {
+ log.debug("trustedhosts not configured. If you're using http headers, this may be a security issue.");
+ }
+
+ String remoteuser = null;
+ String header = p.getProperty("header");
+ if (header == null) {
+ log.debug("Trying REMOTE_USER for SSO");
+ remoteuser = request.getRemoteUser();
+ } else {
+ log.debug("Trying HTTP header '" + header + "' for SSO");
+ remoteuser = request.getHeader(header);
+ }
+
+ if (remoteuser != null) {
+ String[] username = remoteuser.split("@");
+ user = getUser(username[0]);
+ log.debug("Logging in with username: " + user);
+ request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
+ request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
+ } else {
+ log.debug("remote_user is null");
+ return null;
+ }
 }
- }
- catch (Exception e)
- {
- log.warn("Exception: " + e, e);
+ } catch (Exception e) {
+ log.error("Exception: " + e, e);
 }
 return user;
 }
-
 }
diff --git a/builds/RemoteUserJiraAuth-1.2.jar b/builds/RemoteUserJiraAuth-1.2.jar new file mode 100644 index 0000000000000000000000000000000000000000..472acaf4b3d26773f94be2c448fcb50895ab660e GIT binary patch literal 2853 zcma);c{J2}AIHa*wJbv>Yp#T0?4qQsV;N&j2#sm7OqQ4-`*cUv7$SR?TgH~Ccw#J( z#&#_UVMtl0QK1=Ya`BkwJkPzl=XuU~KELxl=l4D5^ZtB4pZE8V@5>g(#x4xt;^G2) zb7?gP913m#I{~hU#qHnCiWDcv_JTL!b!9+viBn^){gcGn`&p}Bx!>RW6=<)5!-Yp|hA zdO?rF`#FyV5<`5|Bx+R@j2_}p?LX4Xau;1JR{AKP7LKwPEEbQ!>MzR+Q9<=yD6vpM zrDHo368;~eMGg~Z^agpTC)ZsZ3TBenz4;@hfZWPOk^Igvil}Pet z21;2AY(dTG28xCaMtUfOvK@de)4kim_A=@HveYZ!G3uMqyU4h>bGdS@PhZqsRBHMP z%ZEqLFKyYrQ_EcB&D%`oYbh84^=JeTY|vw_zM>Z}(Q#wZp!d2v$?>~8kO6t-C9-ID z?C%}8Q^|7JKjXjor^xg#z&ivRio{?%15|IIF-TQ=Pyd_2o{m^gjOD@BFeKPV1;wjoIDTTU27>Nd%@shJ3umVozgm5)Oho%xs@Jdpk%|5%@%1atVy>u#6Q0Kn&`m_R zXcI9qzYN|)tVTB(4vR@dL_|zVV5|`l)`*?q?iN}lEFTvNt@l)Bqb*J~ZcXp+m;v}__${>NE@@s!NmKYY~KNTb< zXOZXVp%j=wa@Xiv-66WUHHO)La0)W8JTlyULd5&NZi1zd&FuU@m{_qb!$PFko`Du2 zgNxGbi|rULB7?olv`bMJe)nkoZ7x}(b`9K0oa+O({^Ebzu^qd*qmA#%(1biYOCycA zl=v+qdu3<3Yfc!Fb;>0hhE?xT{3o*85?<$}&a*x@Ecf7<%C7Unp2{uM`VfSwHL(QK z76`*Zat>b;(c#C5U_%rJ<(ZwqJJb>cn&Xx;9y1qT7W)NLz;fmn*kE zg2m-NkBP0hkK~F_Ko&06w{BzI_8{)j{Pz02VDf7YWR{TW zh(Zrx4oVg9Y3poKS8li>j(;H9e8u#m&%)X0JDB>EZRp-QvP2^0q+cveILf_UhaxDm z-e&Qwd94)uECXdd^J!o=+oWHz3O}Uej;6#V_?VI#=>B-K)i-`)bXYvi1u9|>YZoAA z7iN7)nN|=j6&%^DZkg3fao;lfV$xoq5tDKA9Y+3o1W#+pY5cDlpSaco zKE8}c%#QQmN@g2K6*C#}&0>1<8Gy@X7jKVS+yg21zs>46OE}h_T6QJODQO;y>lI7d!VUQpt-1ok* z$L>bY^?B@+QzUGr$f|qNK_PS2XW|x$+ZvWHK}X-#pnneb_S$G!u8@(;D^OpV48)1h`zB49X-Y<=n3f0SSFpt;67`lH)0#j1=x+PbH=@l#f~^ zc=CBK{Mzu{eq;1^zpUa^?V`He0sw2M*OygKYwi-aGyc8nQ^XjhGOPWN)nwBqe9ITT zXYNn=Iqn;G!oFbLy_AE%g*!sZ)3uFI++hQBqVsR-Sv)xxV4Zck3~z)Nas?xowXP zMElW|niX<&xKe)k)zuBXlL1XNQ7)bv3I2mROXoKtHA4W6n+W(n7^=Rq`v|N-Z$eHp zbY*)98!c_)g5zjoyy+9jA)#N9-GDMdN*@OuliBH9Ka7lbDUymh$A+AN7OIKqH5^)8 zZpLROiPv}&b?8xBzUIWt@Cv2H+eRZj1t8Mh1z^t5lqd{cxaQLs6B5k`R+cR8_Q(2s zO?KD<2b7zGUm&HbGoA-YJy_UE4OR}JogcoGh#;#~Pj~LYiSv~MYZMHJ>qruZpYIH+ 
z(Ha`4Bb&>6$3?3Gc86O<%e;)Fo8YB5ahhLC81_MSKnYES_+_Ll+X-!1>R=aZ)L$6q zUrVj7EQD<~4fnE6ieEQR^3^S{CTgTq*(_UC5%~K{P()~PW5cFN<*4vuZx(k#MNyM! zSiW&GUun5mpey1@m(^1~*~<{Ywuz$Tmg1M7PW30WmwToK^IP!Qgy}AN5dx|=eg@Nk z(p;f7-C4hNBV@)d*uEiQ(p?uH5XRm&5<8+vlBRK&<#3hrvJV$0#pxtvHYDC_6BNJQ z%}M89YQM-ZY=OhRc@&!?ZT;GDL-A~nfSjFoK*!HY2+1=l6n>Gno_|JH`-L?{y{Wsy z0VFbrI^Qu}=Yv${sa}!cvGL$tUZJj>PuKl5+WhUD6yKb&?Q^H|u`)|$Dd~H>oIM21 zBBwyxUiHVK>ivaAJLy@uCO1VUFrkS>CZxVuwW{G)3edpV(Q}q~l+U)R)MYv)(vLuj zvExATbXnN;0C`exMvFEJ7tDN{rcC|TlDs^mxF(&_(tR~)6wI01pM_Nz@H6`ThwGT=_jCNo za!e5XyYw)PF`4VH&_DS7Q+fyk4_9DP+hHF0xx(v%3jdAa4p(4u%i+48{W47 literal 0 HcmV?d00001 
diff --git a/builds/RemoteUserJiraAuth-1.2.tar.gz b/builds/RemoteUserJiraAuth-1.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..27d12c40903ca6d4869268f875d87169ec1b5025 GIT binary patch literal 5690 zcmV-A7RBiwiwFP*u}fC~1MFJ~Toc#U$Av0!7pYX#j&TbRvIndz8W1G1%A!)GI3zGK?zTq!YY6{#Tc3$bZ5VCW>0kx@utks-yCMgtNlF#^aY)8ipm z$^_F`elUT^l$gd-PeFzn7OG^46)H6mNni+^Y&xbUP&rG4VXy|bFc6L@f$#*1m<{5H zL=E8500LAYK~=EaWIPQJU@3BhV3Cf)3IzW|YC9r;KOi{KYHC~sEQBY-j?+(5*tM5s6R^&v1qYY3D-2hC!Cb$p;ak+rtbiwqyl|jUDShCQck0 z7vvw)%+uLS2C@N*vZP47TE?L3)&P4HY%x!*BCs6n0V!p883-Auf(oo=O{X%W*$B?B zO?1=6(ji0+0BEU&VdFt6()dWKQ5VC4$SncUH>0f&p}J4ta%MY*)CD+%QjJLv5w0a; z&@K3&s#y#=lS)72Oo|)B*@9e@qk^plOBuSwEfA$cz*Le%h~ZBqF%mPx61Hae8mLMB zRHW4l$AY3jJT=Iw&5+SSv8&vxPTG|aF2xOkShezGGa++ zT8l2AASnfbfszQ3CMt0P2c}k$7Sf@oVbG07Ejb^#kxV!|$Jvb*MO7lHl*(A%#?Gom zkQ}n)HTw0m34jIT!62QQtj@wg?jsm6nl{d1)QgqV=r%B}Vyz#dvN;sa?IL?`r$4 zd98ld^ZnJxEK!(-TrI*sBrM85E;`abf~uz?Bg3q@g^3C++?>jO7UN6nVA9DG7!?(+ zH^FeyeRSVlA^PzDRKP%rh0a8+Lrt4eo7uH03`~xtl9vKbMyU1mv-R6}v^BYP66;F{ zJ(J0tSSu5Z%oYrCDHVbg+5?AvvUcy0Pgad(A*tdoom81`bPaHF&@Mt*|37ywEf{f> zp~03WxmkB2LnyM~DVCpFlSD~z5DZgdM#)9ZsjE)Bf9M?tfBizW>2= zD!H0GWTqv{UulgO-2ZWe0uM9%J>2=6w)?-g z(Y(yjhLRACH+{%VaQc{rNI>Snlxme&n$9wG!QfDm080qaONYo*X-rQ(gKjM|+$}|W zCFo7((tW4^?4=!XLlp^1pXNC2B}H%vhEgHj$H2^}H{FYEOk$I*yLSsnKAigbGltSRS%QL3OyL2;w+#999}G z1!bwWh)Y&V5xFj%`A|H(*d~2iGF?6FWBy*#i>)8g(iw_mpO)_-K#6D=rkRwnTo%u$ zZq<$%m!3woELo@e7-wuRHq~XI0A;EVX$YLOIhusBbOOiE@M4o=y7JYOKh410TuGKC zRSavIRPj+{vIjpPX@fncOop_#RAl}qKypbbvr2R zo5yH+4OQR-0d@$A;3mfxUAM-^rd9!AKQAVkD$)+znQtrosa2VvI4uH5*XL6|h3n%vhzs-|F zM4{pU|Hvp-NWk5YlP7|M+*s$j1-ZGLK6$1%g7YK)Y7NF37s3>WoKtV@XgBHRdxs|X zb4h&Icj&O%0+$iBeI2U%4qa)pBB>E;z}itlJbKXOi62;EjENAVC$$v9(#x!zrJ}HM zPS?557Ot4-lr#9a%l&yH2031zfBC}Xla~s1E?d#~huzPgePSQM%E-{ncyyhUv-!B= zR?W#y-BktZBu@XGEQas;49UU2mKLtQ86&PcQT1DOw~l!?*IfwOHDP$~8pmA;l76YZ zT)RK6D$V?N-~7mn?w)68HPF47$h@lyI?8&?9B6OH%%9m~(ro7;b=;-CS>rk!vhnZu 
zfk)b@jqUTo9rr99?JO$s^_0Xh$J=yR9(zwdl78cMQ}~aZNPr2X0n4?TMdth1$^vHkqa?B{HwbNd(kj{xcqJ98$)5cZYtJ>B7k9%)?N6AtXN za*^M6ja!)osC*oEM>~6XelnD~t8P-i$&%{#katI;Wd$L9%L-<$Eet6uC_>9b75)0p zm@(s0e=Ia^MrhpQilcjLw*;-tNDbJ9Fgw)Vyu7>V%Clz~&py6i`D|aqSeqVKdx!cm0KFi zJJI;KV9J!;X%W9noIZNoI~7OYbC4|?ku|P&*tHv{()z6nZxB1Ii)cU{%3bo8Mywm( z5aV#>_?_CQSw25Z-T$xa*}R>1UG^7TKjE^Up8Rq2LA>#?F!M+*-|g!UYD>?@Y>-!H zC#+l^%fBcp_t-R`q=NlfRr1A^2eQ6jv-n2)Z$z7>(k`zomg7TKe;y2#K2L|^knBt>yJCN)B z`-dsNx;PEJb)nzg*z>C$svN~Jp($0YP8nkg=Wte~4K2(aFmjd0iTyQI)xwyXOy7e- z@342_n0d!ndWWiz)BXFu2>OBVnC4j!c|#FSf&1>6y{ALAi0c@h1Z^ zndv`_{mSPf!Kx+sK8N?5bqh=NwcSwQlv1;O{H+V#V^_Hqo$2TBOUkVDiXqv#14Tb= zN=maGwc^AX!QcJyodf#{{%-%(w1-1~>wHh~>%Mt$*D7fl8?KdUXM;=em2KG+<30_b%pGSUIb`?R8t6H?`D> zzfD-Ptn}#&mrYLPj?2pztXj53?b!PkyBN!;8Bn?CH($nQ_>lRF8<^dKvyiT`>Q71@ zM%@4D2l(FTCIN$Mo__ z_L2wfDupij+t;rumM*z{Ebqf&#`<}EHsq*XotfP?tyWIjRr1cm&2{n6C> zaRUtlXwx+>Wn8ldtRyt>P$F@nuOpW3kmfrX_bvJ#vx4(lQ46ZFgAQ?6)@n>=^X zo$ zUGiYemY@1;m9>k_*_>bIpSIR7yX(eH{Zy0VwjT-ps_WnhZoLj%%+KDtZlB{}?)KV! zPyO?5G=*Htx^kpGKQ6$t(j6<2@at;IKE0PRO?`Dd5mAzLDRxArBCX?z^K;JgOW&`x zD_qriQlV!QSg^cg{$~ezIemPzQ+v|5o{UUDJ(L<4r4re4@hprSS!c1CG-5^@n)Gl}GYU;d} zj`$=!@a*-0U9bCve>2f*&Y;_47cG6-rPHw-e*Q#N_;K#m|C_ksnYm8CCr+K=k}rC* zsJvsI%Z}3z4OU+|py5`~a@ESKF*)O>zFgRc8`U|zJDLJnlevz02AmM)>dUVc-z_rd z!Tb9+?kw2T{q~~fXZfBz$KyJ$YBBy^!gaW=W~Kb?Lut&jg1*Nd{JUPcQ1i{sr}OR{ z``Wp|-~XRHsM>d)tGjjqI|G9?Kd9PgWD;ROZN0(Tb)cpnDnMxnqH9HNjftRWv&GR2 zL^c7`YC~?1pqg+9M;i{=1W>yL*=w38CNMFP(25E0W@Q6uVgW)ipksb=qBod_8NjHiSnIYDH8G-wMrsgK2{Xe<@Wo3mB_^OQL#5@Ji`hcR$lvIV{{M=N9l+?7u z(j3sfl8nT%%>2?K(7Nv8#4_;aBLyy?ZiR4HCvf%#=bzMKq^#wfpO=!Av-#t z1_0@#ywno#;*ug@iU%s=QbzWkt)Zono}rlqXhcy5!8XFJ3ZH%>bI>#^h8iwZ9Y6&j gXkdV(VW6|kC>RB!U=)mkQ81(d0AF=X5&%#D0P-60IRF3v literal 0 HcmV?d00001