From 08508ce60aad341fc71f2111c4e60b0f2b13280e Mon Sep 17 00:00:00 2001 From: dutt0 <147828743+dutt0@users.noreply.github.com> Date: Fri, 13 Dec 2024 11:46:13 -0500 Subject: [PATCH] [Fix] GR1 V6 and GR7 V3 Added appropriate messaging for uploaded file with incorrect extension and a few misc. update (#309) * comments for incorrect file extension * comments for incorrect file extension * update * template update * template update * template update * update * update * update * update * update * update * update * update * update * update * update * update * update --- .github/ISSUE_TEMPLATE/bug_report.md | 18 +- .github/ISSUE_TEMPLATE/feature_request.md | 6 + psmodules/Check-AllUserMFARequired.zip | Bin 26674 -> 3483 bytes ...-ApplicationGatewayCertificateValidity.zip | Bin 4338 -> 4698 bytes psmodules/Check-DedicatedAdminAccounts.zip | Bin 4437 -> 4858 bytes setup/IaC/modules/automationaccount.bicep | 6 +- .../Audit/Check-AllUserMFARequired.psd1 | 2 +- .../Audit/Check-AllUserMFARequired.psm1 | 12 +- .../Audit/Check-DedicatedAdminAccounts.psd1 | 2 +- .../Audit/Check-DedicatedAdminAccounts.psm1 | 187 +++++++++++------- ...ApplicationGatewayCertificateValidity.psd1 | 2 +- ...ApplicationGatewayCertificateValidity.psm1 | 80 ++++++-- .../fr-CA/GR-ComplianceChecks-Msgs.psd1 | 5 +- 13 files changed, 208 insertions(+), 112 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 6469fa00..7f5f6569 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -10,6 +10,9 @@ assignees: '' **Describe the bug** A clear and concise description of what the bug is. +**Azure CaC version** +A version tag e.g. v2.1.2 + **To Reproduce** Steps to reproduce the behavior: 1. Go to '...' 
@@ -23,20 +26,23 @@ A clear and concise description of what you expected to happen. **Screenshots** If applicable, add screenshots to help explain your problem. -**Desktop (please complete the following information):** +**Additional context** +Add any other context about the problem here + + +**Other configuration (If applicable)** + +***Desktop (please complete the following information):*** - OS: [e.g. iOS] - Browser [e.g. chrome, safari] - Version [e.g. 22] -**Smartphone (please complete the following information if applicable):** +***Smartphone (please complete the following information if applicable):*** - Device: [e.g. iPhone6] - OS: [e.g. iOS8.1] - Browser [e.g. stock browser, safari] - Version [e.g. 22] -**Software versions used:** +***Software versions used:*** - E.g. Azure CLI version [e.g. v2.23.0] - Azure Bicep version [e.g. v0.4.613] - -**Additional context** -Add any other context about the problem here. \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index cf79077a..73ae1af1 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -7,9 +7,15 @@ assignees: '' --- +**Azure CaC current version** +A version tag e.g. v2.1.2 + **Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. E.g. I'm always frustrated when [...] +**screenshot** +If applicable, add screenshots/visualization to help explain the feature. + **Describe the solution you'd like** A clear and concise description of what you want to happen. 
diff --git a/psmodules/Check-AllUserMFARequired.zip b/psmodules/Check-AllUserMFARequired.zip index 7117a5271a0a7f63a5f957f42dcc1328d07f400f..b0aebb422aade986ed114f8c8afab6ea14b5d2e2 100644 GIT binary patch
B|Aqhn delta 4294 zcmV;%5IOJqCDkGrP)h>@6aWAK2mmf*iCK&Bfql6J0000HlMei2jtyXFt0+~7f z&Ufy|d%HV(?4!x*Lb8%;l}qPYZY(R~vuDGp6!*O|nJK}&%m!Jh^gswxYww=nFrB}Y zT3UL`#`8C9SeQCve;OMw_aN0XO46k>0-u*-0 zdu$}Es(ix$T*gXsJ8vH33SZngBUHe8P=3n%RJqn~{oS2ge`9>|=G!0oj+B0p){*VH zF2~X`lPAc40l)~>NCES(f6zZlhevf)8B1htM(3F#C%Wj|vVu#;g}%h#B*0? ztado%4XZV|ub4BHN$piW@9N*(x%>=SXyxLSkgxwZ?Bz#CS?~COzwVuKanL&+pN#WU zd3y5dSR_(|f7(yYswKNS=`nd_TYe;fz+TTO0yC+z4OmIynwP=NqbawrW+d%Q3F+97 zYo75It(sdknR@0tf>6TBkZ3D_jS%3{!87SXLXh7B0i-~!1^wm)5wEP7!E2QC%V^7I z7l9Zh9XFsUa>OJ?QQTG@@re+%JGP9*%`k9E+gK}kOe@;xLQ zr#_kU&%v*=-k{;564p4Ad)B``zhf5`oF0t5-=?O|?&wElWe{*^4h+9%h*Oq=y+j$| zx%Z}GD9jjMUCjF-ZpL3r-|Bl3S;9ttD)Fn}dV+?80HVSb{P=wM;r7M<&U#qbb*4Ag zpcWipf4CJ>U<+ScFuFEc?z6xCJlSW1GCMimN^c2d(8cJuBS<Bh@9wTLG-)sS6e@TR6TVP_je;4FJtwY>cHN&>VGVVDURbla^ zzdv8UY08!GG%p}~DAW16hoN)tQnaH?GFhEz4O`?z~Ck$pjvL(!2TGA$=fBR!} z^cUy>8_99`X~c>(M4fxtSwGmL2@(RE$R_Q^`bQ|nc zLdeR8OD(xqXYSQRPd=XDbE;kQBec;_O@YTaK!La98~N(MwAOkjV-cAlfRH zM(9RMn?teu&eBP-wAzs5HJ~v^y}c=xHGP{%|82ty0f@vg{Wl97`3DDUxkIEm+sv?#2oM9J|D$# zUnDj0Ma$?LefefF%Ua@w$tJe1UXvb?y}K}dn9GYP4eGwW=KhtMD1?tpgG`91)4QA z91dr`8O{tfFN@SlRj`w#NIxXcMJ7{jMK;Y=vY4i+Dhq4ar|-XG@T|G!D|X=iz~}7@ zM}!sn;DQ$!w@N>Muw%Awbtw+t1$4%0SuEbM{c9lM3*k9m!sMgJusczO<+2c(II+jD zx)Mf}Iu&PHmFq_fc3s|@RLeE$_Wb!a$&R;dQLB6hi8gULw_^237SftUsV-VZf;Ee3ze05 zJ$;9X_tK`zmK3K2n)Ra0tt5eJS@zhaxMy?0ZK(yD=X`O*GBM{s$*f{?o*Uu#9De_u z`|);meNq~Kt5&aXe-o(%0Z+A7`js>mwg&7H_kvwN7y$OU2TObNA>L&Wu8~!?6ETevMvS7Q35q*XH!-hp$$8jp4^=O zatdlPa#7H1*aa!1)cK6tCEDU?CN;f^#JP~$H+U@t>_!G>~nAyci4np;LHWml)yH*7jPXWX(kSFhN(((3pprUd}C zfXT#`jPFwAB95W6T-g&=wzB@2em974EX%2r4`O-Y()P6&x&qT@6DrUxuzrd z4WO((hL73L2epr&xn9T|f(jvXDHqH9fvvTFyn~%DKzy1H0%?pl3{}j|pI6+8dR7w? 
zEn<@_+_J`J_Ulq;QF+`a(8DB?W}Wi~j7=;N|7N4JT;1}#z2t}`ux^aHS(nk8ooU{{ za|PiPOng8BFqG2(}g%OHL&2lU2~C*x@fh7UnbVoV!9Z=0ik zrZ~?k9ZqD{c}FU!-Uez3Wj`&lwUQ8}0J{s=$4abjG15TPL3wd%z;!stJoVB%^$a}1 zeBkMM;8%-1@%Xc24B8flc8En^As&Seh`QVwneg$b?fmRTsc#;sc8pfLMl8SI=8wj0 zgAj(^8`Eg~C}=xbHyQXjVlD4@t;hR+*?ATxCtvK7x81RNFlI#f2Rm#zd-a5oZ(v$9 z3RKSuu+bgs%tw;AybvXeRIWLd4*iKel0i5Ro<~oP`v!|0*VTbV*%N}Ca;Hd|MC1R@ zjykFbjiK62JNm%Ed@V5Rtxo2?%^}Zj&~?NX@=g@)r-8UZKV)`9DEr^cvg!s>_0n zz5h&qHv#vt(;7jB;240*F15O^VfClDbr9IC0o(mCP&=fu$kGjSKb-WMRgwM`OWcco z%WWuq8}#{(8c$T2XW%Lp&;yQBp{Nbr0-f%E$~?w2_g~G* zp(>GYh=L5F$eqw~{s4A?2!q*iR}}FPgoX|VNJ%sgs$@%kC)ir(l{5~%U_fan>@>7^ z&*p#Kp1<9`yESO)`ytd)=~kaun^4%nfP*q%B=Hk(p&YES>+$yt$CA2X+v(l9H|Y2s zyiV$XKn(hksf}fjp|JUX15T1fm7=@<2SouCp(G=upYelc51L-IiMmcK`l0O}dSeI( zELNapj@BkytVJs45(YX}88}26WT8rF)m9MyFK{ao>M@wwczAb;lh%RXh9D%Ibpv^_ z)+!Yl^c3+lx>WWBC?#XbylthoKfF8Y-4jG&Vk-g)Xby$}uoI`vNSRoS3^H-`b%@bm>gySwgdtrG8~X3YllzbB%Gw z0AH>0Yg?;pvsN`2ak@%r)E#OKNFW(sKAnyS-%ZE;ig5!(WC5wNgxhMv}`9B6fSioXu#a7K<|H`j1TP zoPYHmw@MPZdD&5v$jqoly1K?&n>f`i^6J0(!Zw!HdwYR@?a@x$T45}w;7sXx-}YoB zFB2YOk^a^2g-465d&UROV<4zDJf5%-{P!dvxLp94PVrPYFF<*HDLWfQ?}~TYU^euH z#KMK}4bp-+iFP*KN=jVeRE4XWVX8ew0RoQiA6bew;Oynh7k#fUU;WdaZ!qL~!qkTj zZhHFsdd;tYnBPV595%4SCq9by-?dsyQg`^7dcx3JP9wB|de3lo3)r;KI>1XW@T=Lh ztA}A`F8W7{C?U$B5(|!;5vnzD2mKTxZGxgN5IhuvdaR0L(ae5SS_Osc+-y7+wywg)xhu; zD7a>6eH(@L%9Jq0*t(chyW}v7P6XVnstuTqY#=fe%OnoE{xxLk9S^I=9#~oT>n5P5 z^J}LaqQ!7e9T#_G-y*aB<5s#KPWYsmddVjmbIB&yPRgE=N%{NyKRWlaUd;TM_kXtp@YrccjnZz^~y5$el zmd0wwe>eoGuYkVDEyu5rAQPq*Q}7W{(9{`!`t+!k&hHC2SfNRZpB=f@)G6MhP?}vW znM6LNihW*{w7-|?em~VNfBzP&Jh@(Cx5uyCzy74{1mv|~3(J0p-&0rcnnVCJ0<^Q~ z8irHUP^TBrM(1bv3?oY}=wkucApLvuuoet>;Lf1SV*%m>sF9ZoKJoa4?xG?xZxOYB zav>5?czruS54Pnb>A(C3P)h+40u%rg0000804`*SS&Q+3eYulc5=I{wWQkd2 oYCv{s3IG7IEC2u@0000000000000000Qi%@5;O*(5C8xG0F5wA2LJ#7 diff --git a/setup/IaC/modules/automationaccount.bicep b/setup/IaC/modules/automationaccount.bicep index 4ec7f5d2..84d9d75d 100644 --- a/setup/IaC/modules/automationaccount.bicep 
+++ b/setup/IaC/modules/automationaccount.bicep @@ -294,7 +294,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if properties: { contentLink: { uri: '${ModuleBaseURL}/Check-AllUserMFARequired.zip' - version: '1.0.3' + version: '1.0.4' } } } @@ -349,7 +349,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if properties: { contentLink: { uri: '${ModuleBaseURL}/Check-ApplicationGatewayCertificateValidity.zip' - version: '1.0.2' + version: '1.0.3' } } } @@ -369,7 +369,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if properties: { contentLink: { uri: '${ModuleBaseURL}/Check-DedicatedAdminAccounts.zip' - version: '1.0.2' + version: '1.0.3' } } } diff --git a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psd1 b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psd1 index f24ce82b..654b70ff 100644 --- a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psd1 +++ b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psd1 @@ -14,7 +14,7 @@ RootModule = 'Check-AllUserMFARequired' # Version number of this module. -ModuleVersion = '1.0.3' +ModuleVersion = '1.0.4' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psm1 b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psm1 index 4b97f093..20150007 100644 --- a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psm1 +++ b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psm1 
@@ -117,15 +117,9 @@ function Check-AllUserMFARequired { } # Condition: Not all user UPNs are MFA enabled or MFA is not configured properly else { - # This will be used for debugging - if($userUPNsBadMFA.Count -eq 0){ - Write-Error "Something is wrong as userUPNsBadMFA Count equals 0. This output should only execute if there is an error populating userUPNsBadMFA" - } - else { - $upnString = ($userUPNsBadMFA | ForEach-Object { $_.UPN }) -join ', ' - $commentsArray = $msgTable.userMisconfiguredMFA -f $upnString - $IsCompliant = $false - } + $upnString = ($userUPNsBadMFA | ForEach-Object { $_.UPN }) -join ', ' + $commentsArray = $msgTable.userMisconfiguredMFA -f $upnString + $IsCompliant = $false } $Comments = $commentsArray -join ";" diff --git a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psd1 b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psd1 index 63cfef9d..0c30dbf3 100644 --- a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psd1 +++ b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psd1 @@ -14,7 +14,7 @@ RootModule = 'Check-DedicatedAdminAccounts' # Version number of this module. -ModuleVersion = '1.0.2' +ModuleVersion = '1.0.3' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psm1 b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psm1 index 99a237e1..050f42e1 100644 --- a/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psm1 +++ b/src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psm1 
@@ -35,6 +35,9 @@ function Check-DedicatedAdminAccounts { [bool] $IsCompliant = $false [string] $Comments = $null + # highly privileged Role names + $highlyPrivilegedAdminRoleNames = @("Global Administrator","Privileged Role Administrator") + # Get the list of GA users (ACTIVE assignments) $urlPath = "/directoryRoles" try { @@ -57,7 +60,7 @@ function Check-DedicatedAdminAccounts { $hpAdminUserAccounts = @() # # Filter the highly privileged Administrator role ID - $highlyPrivilegedAdminRole = $rolesResponse | Where-Object { $_.displayName -eq "Global Administrator" -or $_.displayName -eq "Privileged Role Administrator" } + $highlyPrivilegedAdminRole = $rolesResponse | Where-Object { $_.displayName -eq $highlyPrivilegedAdminRoleNames[0] -or $_.displayName -eq $highlyPrivilegedAdminRoleNames[1] } foreach ($role in $highlyPrivilegedAdminRole){ # Get directory roles for each user with the highly privileged admin access 
@@ -143,95 +146,137 @@ function Check-DedicatedAdminAccounts { } $commentsArray = @() - - # get UPN from the file - $blob = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $DocumentName_new -ErrorAction SilentlyContinue + $blobFound = $false + $baseFileNameFound = $false - if ($null -eq $blob) { + # Get a list of filenames uploaded in the blob storage + $blobs = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context + if ($null -eq $blobs) { # a blob with the name $DocumentName was not located in the specified storage account $errorMsg = "Could not get blob from storage account '$storageAccountName' in resoruce group '$resourceGroupName' of ` subscription '$subscriptionId'; verify that the blob exists and that you have permissions to it. Error: $_" $ErrorList.Add($errorMsg) - + $commentsArray += $msgTable.procedureFileNotFound -f $DocumentName[0], $ContainerName, $StorageAccountName } - else { - try { - $blobContent = $blob.ICloudBlob.DownloadText()| ConvertFrom-Csv - } catch { - $errorMsg = "Error downloading content from blob '$DocumentName_new': $_" - $ErrorList.Add($errorMsg) - Write-Error "Error: $errorMsg" + else{ + $fileNamesList = @() + $blobs | ForEach-Object { + $fileNamesList += $_.Name } - - if ($null -eq $blobContent -or $blobContent -ieq 'N/A' -or $blobContent -ieq 'NA') { - $commentsArray += $msgTable.invalidUserFile -f $DocumentName_new - } else { - # Blob content is present - $UserAccountUPNs = $blobContent + $matchingFiles = $fileNamesList | Where-Object { $_ -in $DocumentName_new } + if ( $matchingFiles.count -lt 1 ){ + # check if any fileName matches without the extension + $baseFileNames = $fileNamesList | ForEach-Object { ($_.Split('.')[0]) } - # if BG accounts present in the UPN list - $BGfound = $false - foreach ($user in $UserAccountUPNs) { - if ($user.HP_admin_account_UPN -like $FirstBreakGlassUPN -or $user.regular_account_UPN -like $FirstBreakGlassUPN -or ` - 
$user.HP_admin_account_UPN -like $SecondBreakGlassUPN -or $user.regular_account_UPN -like $SecondBreakGlassUPN) { - $BGfound = $true - break - } + $BaseFileNamesMatch = $baseFileNames | Where-Object { $_ -in $DocumentName } + if ($BaseFileNamesMatch.Count -gt 0){ + $baseFileNameFound = $true } - ## BG account in attestation file list - if ($BGfound) { - $IsCompliant = $false - $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.bgAccExistInUPNlist + else { + $blobFound = $false + $baseFileNameFound = $false } - else{ - $hpUPNinRegFound = $false - $regUPNinPAFound = $false - $hpUPNnotGA = $false - # validate: check HP users ONLY have HP admin role assignments - foreach ($hpAdmin in $UserAccountUPNs.HP_admin_account_UPN){ - - if ( $hpAdminUserAccounts.userPrincipalName -contains $hpAdmin){ - # each HP admin has active GA or PA role assignment - if ($nonHPAdminUserAccounts.userPrincipalName -contains $hpAdmin){ - # not dedicated user UPN for admin - $hpUPNinRegFound = $true - break - } - else{ - # validate: regular accounts are non-GA/PA role assignments - foreach ($regUPN in $UserAccountUPNs.regular_account_UPN){ - if ( $hpAdminUserAccounts.userPrincipalName -contains $regUPN){ - $regUPNinPAFound = $true - break + } + else { + # also covers the use case if more than 1 appropriate files are uploaded + $blobFound = $true + } + } + + # Use case: uploaded fileName is correct but has wrong extension + if ($baseFileNameFound){ + # a blob with the name $documentName was located in the specified storage account; however, the ext is not correct + $commentsArray += $msgTable.procedureFileNotFoundWithCorrectExtension -f $DocumentName[0], $ContainerName, $StorageAccountName + } + elseif ($blobFound){ + # get UPN from the file + $blob = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $DocumentName_new + if ($blob) { + ## blob found + try { + $blobContent = $blob.ICloudBlob.DownloadText()| ConvertFrom-Csv + } catch { + $errorMsg = "Error 
downloading content from blob '$DocumentName_new': $_" + $ErrorList.Add($errorMsg) + Write-Error "Error: $errorMsg" + } + + if ($null -eq $blobContent -or $blobContent -ieq 'N/A' -or $blobContent -ieq 'NA') { + $commentsArray += $msgTable.invalidUserFile -f $DocumentName_new + + } else { + # Blob content is present + $UserAccountUPNs = $blobContent + + # if BG accounts present in the UPN list + $BGfound = $false + foreach ($user in $UserAccountUPNs) { + if ($user.HP_admin_account_UPN -like $FirstBreakGlassUPN -or $user.regular_account_UPN -like $FirstBreakGlassUPN -or ` + $user.HP_admin_account_UPN -like $SecondBreakGlassUPN -or $user.regular_account_UPN -like $SecondBreakGlassUPN) { + $BGfound = $true + break + } + } + ## BG account in attestation file list + if ($BGfound) { + $IsCompliant = $false + $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.bgAccExistInUPNlist + } + else{ + $hpUPNinRegFound = $false + $regUPNinPAFound = $false + $hpUPNnotGA = $false + # validate: check HP users ONLY have HP admin role assignments + foreach ($hpAdmin in $UserAccountUPNs.HP_admin_account_UPN){ + + if ( $hpAdminUserAccounts.userPrincipalName -contains $hpAdmin){ + # each HP admin has active GA or PA role assignment + if ($nonHPAdminUserAccounts.userPrincipalName -contains $hpAdmin){ + # not dedicated user UPN for admin + $hpUPNinRegFound = $true + break + } + else{ + # validate: regular accounts are non-GA/PA role assignments + foreach ($regUPN in $UserAccountUPNs.regular_account_UPN){ + if ( $hpAdminUserAccounts.userPrincipalName -contains $regUPN){ + $regUPNinPAFound = $true + break + } } } } + else{ + # listed admin UPN doesn't have active GA + $hpUPNnotGA = $true + break + } + } + + if($hpUPNinRegFound){ + $IsCompliant = $false + $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.dedicatedAdminAccNotExist + } + elseif($regUPNinPAFound){ + $IsCompliant = $false + $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.regAccHasHProle } else{ - # 
listed admin UPN doesn't have active GA - $hpUPNnotGA = $true - break + $IsCompliant = $true + $commentsArray = $msgTable.isCompliant + " " + $msgTable.dedicatedAccExist + } + if( $hpUPNnotGA){ + $commentsArray += " " + $msgTable.hpAccNotGA } - } - - if($hpUPNinRegFound){ - $IsCompliant = $false - $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.dedicatedAdminAccNotExist - } - elseif($regUPNinPAFound){ - $IsCompliant = $false - $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.regAccHasHProle - } - else{ - $IsCompliant = $true - $commentsArray = $msgTable.isCompliant + " " + $msgTable.dedicatedAccExist - } - if( $hpUPNnotGA){ - $commentsArray += $msgTable.hpAccNotGA } } - } + } + } + else { + # a blob with the name $DocumentName was not located in the specified storage account + $commentsArray += $msgTable.procedureFileNotFound -f $DocumentName[0], $ContainerName, $StorageAccountName + } $Comments = $commentsArray -join ";" diff --git a/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psd1 b/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psd1 index 2b485b63..cb48b932 100644 --- a/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psd1 +++ b/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psd1 @@ -14,7 +14,7 @@ RootModule = 'Check-ApplicationGatewayCertificateValidity' # Version number of this module. -ModuleVersion = '1.0.2' +ModuleVersion = '1.0.3' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psm1 b/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psm1 index e5b5e1b7..10cbdabf 100644 --- a/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psm1 
+++ b/src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psm1 
@@ -50,28 +50,72 @@ function Check-ApplicationGatewayCertificateValidity { subscription '$subscriptionId'; verify that the storage account exists and that you have permissions to it. Error: $_" } - + $baseFileNameFound = $false $blobFound = $false - - ForEach ($docName in $DocumentName_new) { + + # Get a list of filenames uploaded in the blob storage + $blobs = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context + + $fileNamesList = @() + $blobs | ForEach-Object { + $fileNamesList += $_.Name + } + $matchingFiles = $fileNamesList | Where-Object { $_ -in $DocumentName_new } + if ( $matchingFiles.count -lt 1 ){ + # check if any fileName matches without the extension + $baseFileNames = $fileNamesList | ForEach-Object { ($_.Split('.')[0]) } + + $BaseFileNamesMatch = $baseFileNames | Where-Object { $_ -in $DocumentName } + if ($BaseFileNamesMatch.Count -gt 0){ + $baseFileNameFound = $true + } + } + else { + # also covers the use case if more than 1 appropriate files are uploaded + # check for procedure doc in blob storage account - $blobs = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $docName -ErrorAction SilentlyContinue + $blobs = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $DocumentName_new If ($blobs) { $blobFound = $true # Read the content of the blob and save CA names into array - $blobContent = Get-AzStorageBlobContent -Container $ContainerName -Blob $docName -Context $StorageAccount.Context -Force + $blobContent = Get-AzStorageBlobContent -Container $ContainerName -Blob $DocumentName_new -Context $StorageAccount.Context -Force $ApprovedCAList = Get-Content $blobContent.Name | Where-Object { $_ -match '\S' } | ForEach-Object { $_.Trim() } - Remove-Item $blobContent.Name -Force - break + } } - if ($blobFound){ - $Comments += $msgTable.approvedCAFileFound -f $docName + # Use case: uploaded fileName is correct but has wrong extension + if ($baseFileNameFound){ + # a 
blob with the name $documentName was located in the specified storage account; however, the ext is not correct + $Comments += $msgTable.procedureFileNotFoundWithCorrectExtension -f $DocumentName[0], $ContainerName, $StorageAccountName + $IsCompliant = $false + + $PsObject = [PSCustomObject]@{ + ComplianceStatus = $IsCompliant + ControlName = $ControlName + Comments = $Comments + ItemName = $ItemName + ReportTime = $ReportTime + itsgcode = $itsgcode + } + + if ($EnableMultiCloudProfiles) { + Set-ProfileEvaluation -PsObject $PsObject -ErrorList $ErrorList -CloudUsageProfiles $CloudUsageProfiles -ModuleProfiles $ModuleProfiles + } + + $moduleOutput = [PSCustomObject]@{ + ComplianceResults = $PsObject + Errors = $ErrorList + } + return $moduleOutput + + } + elseif ($blobFound){ + $Comments += $msgTable.approvedCAFileFound -f $DocumentName } else { - $Comments += $msgTable.approvedCAFileNotFound -f $docName, $ContainerName, $StorageAccountName + $Comments += $msgTable.approvedCAFileNotFound -f $DocumentName[0], $ContainerName, $StorageAccountName $IsCompliant = $false $PsObject = [PSCustomObject]@{ @@ -115,7 +159,7 @@ function Check-ApplicationGatewayCertificateValidity { $sslListeners = $listeners | Where-Object { $_.SslCertificate -ne $null } if ($sslListeners.Count -eq 0) { - $Comments += $msgTable.noSslListenersFound -f $appGateway.Name + $Comments += " " + $msgTable.noSslListenersFound -f $appGateway.Name $allCompliant = $false continue } @@ -134,7 +178,7 @@ function Check-ApplicationGatewayCertificateValidity { $x509cert = $certCollection[0] if ($x509cert.NotAfter -le (Get-Date)) { - $Comments += $msgTable.expiredCertificateFound -f $listener.Name, $appGateway.Name + $Comments += " " +$msgTable.expiredCertificateFound -f $listener.Name, $appGateway.Name $allCompliant = $false } 
@@ -160,17 +204,17 @@ function Check-ApplicationGatewayCertificateValidity { } if (-not $isApprovedCA) { - $Comments += $msgTable.unapprovedCAFound -f $listener.Name, $appGateway.Name, $x509cert.Issuer + $Comments += " " + $msgTable.unapprovedCAFound -f $listener.Name, $appGateway.Name, $x509cert.Issuer $allCompliant = $false } } catch { - $Comments += $msgTable.unableToProcessCertData -f $listener.Name, $appGateway.Name, $_.Exception.Message + $Comments += " " + $msgTable.unableToProcessCertData -f $listener.Name, $appGateway.Name, $_.Exception.Message $allCompliant = $false } } else { - $Comments += $msgTable.unableToRetrieveCertData -f $listener.Name, $appGateway.Name + $Comments += " " + $msgTable.unableToRetrieveCertData -f $listener.Name, $appGateway.Name $allCompliant = $false } } @@ -180,18 +224,18 @@ function Check-ApplicationGatewayCertificateValidity { Where-Object { $_.Protocol -eq 'Https' } if ($httpsBackendSettings.Count -eq 0) { - $Comments += $msgTable.noHttpsBackendSettingsFound -f $appGateway.Name + $Comments += " " + $msgTable.noHttpsBackendSettingsFound -f $appGateway.Name } else { $allWellKnownCA = $true foreach ($backendSetting in $httpsBackendSettings) { if ($backendSetting.TrustedRootCertificates.Count -gt 0) { - $Comments += $msgTable.manualTrustedRootCertsFound -f $appGateway.Name, $backendSetting.Name + $Comments += " " + $msgTable.manualTrustedRootCertsFound -f $appGateway.Name, $backendSetting.Name $allWellKnownCA = $false } } if ($allWellKnownCA) { - $Comments += $msgTable.allBackendSettingsUseWellKnownCA -f $appGateway.Name + $Comments += " " + $msgTable.allBackendSettingsUseWellKnownCA -f $appGateway.Name } else { $allCompliant = $false } diff --git a/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 b/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 index a7aa64cf..b64b6f82 100644 --- a/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 
+++ b/src/GuardRails-Localization/fr-CA/GR-ComplianceChecks-Msgs.psd1 @@ -172,7 +172,7 @@ managementGroup = Groupes de gestion notAllowedLocation = L'emplacement est en dehors des emplacements autorisés. allowLocationPolicy = Politique de localisation autorisée dataAtRest = PROTECTION DES DONNÉES-AU-REPOS -dataInTransit = PROTECTION DES DONNÉES-EN-TRANSIT + # GuardRail #6 pbmmApplied = L'initiative PBMM a été appliquée. @@ -201,8 +201,9 @@ allBackendSettingsUseWellKnownCA = Tous les paramètres principaux de la passere noAppGatewayFound = Aucune passerelle d'application trouvée dans aucun abonnement. allCertificatesValid = Tous les certificats sont valides et provenant d'autorités de certification (AC) approuvées. approvedCAFileFound = Approved Certificate Authority (CA) file '{0}' not found in container '{1}' of storage account '{2}'. Unable to verify certificate authorities. -approvedCAFileNotFound = Le fichier des Autorités de certification (AC) approuvées '{0}' n'a pas été trouvé dans le conteneur '{1}' du compte de stockage '{2}'. Incapable de vérifier les autorités de certification +approvedCAFileNotFound = Le fichier des Autorités de certification (AC) approuvées '{0}' n'a pas été trouvé dans le conteneur '{1}' du compte de stockage '{2}'. Incapable de vérifier les autorités de certification. appServiceHttpsConfig = « Azure App Service » : Configuration d'application HTTPS +dataInTransit = PROTECTION DES DONNÉES-EN-TRANSIT storageAccTLS12 = Comptes de stockage TLS 1.2 storageAccValidTLS = Tous les comptes de stockage utilisent TLS1.2 ou version ultérieure.
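Review bot: In Check-AllUserMFARequired.psm1 (@@ -117,15 +117,9 @@) the final `else` now reports non-compliance even when `$userUPNsBadMFA` is empty, so `userMisconfiguredMFA` is formatted with an empty UPN string and nothing records that the branch was reached in an inconsistent state. The removed `Write-Error` was the only signal for that case. Keep the `$userUPNsBadMFA.Count -eq 0` check and surface it through the module's error output, while still setting `$IsCompliant = $false`, rather than dropping it.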
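Review bot: In Check-DedicatedAdminAccounts.psm1 (@@ -57,7 +60,7 @@) the filter indexes `$highlyPrivilegedAdminRoleNames[0]` and `[1]`, so a third role added to the new array would be silently ignored by the check. `Where-Object { $_.displayName -in $highlyPrivilegedAdminRoleNames }` makes the array the single source of truth for which roles count as highly privileged.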
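Review bot: In Check-DedicatedAdminAccounts.psm1 (@@ -143,95 +146,137 @@) the wrong-extension check builds base names with `$_.Split('.')[0]`, which keeps only the text before the first dot, so a blob whose base name itself contains a dot is truncated and will not compare correctly against `$DocumentName`; `[System.IO.Path]::GetFileNameWithoutExtension($_)` strips only the extension. Also, when `$blobs` is null the first branch already appends `procedureFileNotFound`, and because `$blobFound` and `$baseFileNameFound` both stay false the trailing `else` appends the same message again. The inner `if ($blob)` has no `else`, so if the second `Get-AzStorageBlob` call returns nothing the result is non-compliant with an empty comment.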
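Review bot: In Check-ApplicationGatewayCertificateValidity.psm1 (@@ -50,28 +50,72 @@) the `else` branch passes `$DocumentName_new` straight to `-Blob` on both `Get-AzStorageBlob` and `Get-AzStorageBlobContent`, although the removed `ForEach ($docName in $DocumentName_new)` loop and the new `$_ -in $DocumentName_new` test both treat it as a list of candidate names. Use the name that actually matched, taken from `$matchingFiles`, for the download and for the `approvedCAFileFound` comment, which now formats `$DocumentName` instead of the file that was read. The listing call also lacks the `$null -eq $blobs` guard that the same logic has in Check-DedicatedAdminAccounts.psm1, and the wrong-extension branch repeats the result-object and early-return block of the not-found branch; a shared helper would keep the two copies from drifting.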
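Review bot: In fr-CA/GR-ComplianceChecks-Msgs.psd1 (@@ -201,8 +201,9 @@) the entry directly above the one being fixed, `approvedCAFileFound`, is still in English and still says the file was not found, yet the module emits it on the success path (`$Comments += $msgTable.approvedCAFileFound -f $DocumentName`). Since this hunk already touches `approvedCAFileNotFound`, correct and translate that entry as well. The localization hunks shown here add no `procedureFileNotFoundWithCorrectExtension` key, which both modules now reference; confirm it exists in every locale table, otherwise the wrong-extension case produces an empty comment.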